
CCNA

What is a computer network?
A group of two or more computers that are linked together is called a computer network.

Why Networking?
Computers are networked for the following reasons:
- Data sharing
- Resource sharing
- Problem solving
- Access to the World Wide Web

Data Networks
Sharing data through the use of floppy disks is not an efficient or cost-effective manner in which to operate businesses. Businesses needed a solution that would successfully address the following three problems:
- How to avoid duplication of equipment and resources
- How to communicate efficiently
- How to set up and manage a network
Businesses realized that networking technology could increase productivity while saving money.

Networking Devices
Equipment that connects directly to a network segment is referred to as a device. These devices are broken up into two classifications:
- end-user devices
- network devices
End-user devices include computers, printers, scanners, and other devices that provide services directly to the user. Network devices include all the devices that connect the end-user devices together to allow them to communicate.

Network Interface Card
A network interface card (NIC) is a printed circuit board that provides network communication capabilities to and from a personal computer. It is also called a LAN adapter.

The Networking Media

LAN Physical Layer
Various symbols are used to represent media types. The function of media is to carry a flow of information through a LAN. Networking media are considered Layer 1, or physical layer, components of LANs. Each media has advantages and disadvantages. Some of the advantage or disadvantage comparisons concern:
- Cable length
- Cost
- Ease of installation
- Susceptibility to interference
Coaxial cable, optical fiber, and even free space can carry network signals. However, the principal medium that will be studied is Category 5 unshielded twisted-pair cable (Cat 5 UTP).

Unshielded Twisted Pair (UTP) Cable

UTP Implementation
EIA/TIA specifies an RJ-45 connector for UTP cable. The RJ-45 transparent end connector shows eight colored wires. Four of the wires carry the voltage and are considered tip (T1 through T4). The other four wires are grounded and are called ring (R1 through R4). The wires in the first pair in a cable or a connector are designated as T1 & R1.

Connection Media
The registered jack (RJ-45) connector and jack are the most common.

In some cases the type of connector on a network interface card (NIC) does not match the media that it needs to connect to. The attachment unit interface (AUI) connector allows different media to connect when used with the appropriate transceiver. A transceiver is an adapter that converts one type of connection to another.

Ethernet Standards
The Ethernet standard specifies that each of the pins on an RJ-45 connector has a particular purpose. A NIC transmits signals on pins 1 & 2, and it receives signals on pins 3 & 6.


Straight-Thru or Crossover
Use straight-through cables for the following cabling:
- Switch to router
- Switch to PC or server
- Hub to PC or server
Use crossover cables for the following cabling:
- Switch to switch
- Switch to hub
- Hub to hub
- Router to router
- PC to PC
- Router to PC

Sources of Noise on Copper Media
Noise is any electrical energy on the transmission cable that makes it difficult for a receiver to interpret the data sent from the transmitter. TIA/EIA-568-B certification of a cable now requires testing for a variety of types of noise. Twisted-pair cable is designed to take advantage of the effects of crosstalk in order to minimize noise. In twisted-pair cable, a pair of wires is used to transmit one signal. The wire pair is twisted so that each wire experiences similar crosstalk. Because a noise signal on one wire will appear identically on the other wire, this noise can be easily detected and filtered at the receiver. Twisting one pair of wires in a cable also helps to reduce crosstalk of data or noise signals from adjacent wires.

Shielded Twisted Pair (STP) Cable

Coaxial Cable

Fiber Optic Cable

Fiber Optic Connectors Connectors are attached to the fiber ends so that the fibers can be connected to the ports on the transmitter and receiver.

The type of connector most commonly used with multimode fiber is the Subscriber Connector (SC connector). On single-mode fiber, the Straight Tip (ST) connector is frequently used.

Fiber Optic Patch Panels
Fiber patch panels are similar to the patch panels used with copper cable.

Cable Specifications
10BASE-T: The T stands for twisted pair.
10BASE5: The 5 represents the fact that a signal can travel for approximately 500 meters. 10BASE5 is often referred to as Thicknet.
10BASE2: The 2 represents the fact that a signal can travel for approximately 200 meters. 10BASE2 is often referred to as Thinnet.
All 3 of these specifications refer to the speed of transmission at 10 Mbps and a type of transmission that is baseband, or digitally interpreted. Thinnet and Thicknet are actually types of networks, while 10BASE2 & 10BASE5 are the types of cabling used in these networks.

Ethernet Media Connector Requirements

LAN Physical Layer Implementation

Ethernet in the Campus

WAN Physical Layer

WAN Serial Connection Options

Serial Implementation of DTE & DCE

When connecting directly to a service provider, or to a device such as a CSU/DSU that will perform signal clocking, the router is a DTE and needs a DTE serial cable. This is typically the case for routers.

Back-to-Back Serial Connection When performing a back-to-back router scenario in a test environment, one of the routers will be a DTE and the other will be a DCE.

Repeater
A repeater is a network device used to regenerate a signal. Repeaters regenerate analog or digital signals distorted by transmission loss due to attenuation. A repeater is a Physical Layer device.

The 4 Repeater Rule
The Four Repeater Rule for 10-Mbps Ethernet should be used as a standard when extending LAN segments. This rule states that no more than four repeaters can be used between hosts on a LAN. This rule is used to limit the latency added to frame travel by each repeater.

Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit. A hub is a physical layer device.

Network Interface Card
The function of a NIC is to connect a host device to the network medium. A NIC is a printed circuit board that fits into the expansion slot on the motherboard or peripheral device of a computer. The NIC is also referred to as a network adapter. NICs are considered Data Link Layer devices because each NIC carries a unique code called a MAC address.

MAC Address
A MAC address is 48 bits in length and expressed as twelve hexadecimal digits. MAC addresses are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes.

Bridge
Bridges are Data Link layer devices. Connected host addresses are learned and stored on a MAC address table. Each bridge port has a unique MAC address.

Bridges

Bridging Graphic

Switch
Switches are Data Link layer devices.

Each Switch port has a unique MAC address. Connected host MAC addresses are learned and stored on a MAC address table.

Switching Modes
- cut-through: A switch starts to transfer the frame as soon as the destination MAC address is received. No error checking is available. Must use synchronous switching.
- store-and-forward: At the other extreme, the switch can receive the entire frame before sending it out the destination port. This gives the switch software an opportunity to verify the Frame Check Sum (FCS) to ensure that the frame was reliably received before sending it to the destination. Must be used with asynchronous switching.
- fragment-free: A compromise between the cut-through and store-and-forward modes. Fragment-free reads the first 64 bytes, which includes the frame header, and switching begins before the entire data field and checksum are read.

Full Duplex
Another capability emerges when only two nodes are connected. In a network that uses twisted-pair cabling, one pair is used to carry the transmitted signal from one node to the other node. A separate pair is used for the return or received signal. It is possible for signals to pass through both pairs simultaneously. The capability of communication in both directions at once is known as full duplex.

Switches MAC Tables

Switches Parallel Communication

Microsegmentation
A switch is simply a bridge with many ports. When only one node is connected to a switch port, the collision domain on the shared media contains only two nodes. The two nodes in this small segment, or collision domain, consist of the switch port and the host connected to it. These small physical segments are called microsegments.

Peer-to-Peer Network
In a peer-to-peer network, networked computers act as equal partners, or peers.

As peers, each computer can take on the client function or the server function. At one time, computer A may make a request for a file from computer B, which responds by serving the file to computer A. Computer A functions as client, while B functions as the server. At a later time, computers A and B can reverse roles. In a peer-to-peer network, individual users control their own resources. Peer-to-peer networks are relatively easy to install and operate. As networks grow, peer-to-peer relationships become increasingly difficult to coordinate.

Client/Server Network
In a client/server arrangement, network services are located on a dedicated computer called a server. The server responds to the requests of clients. The server is a central computer that is continuously available to respond to requests from clients for file, print, application, and other services. Most network operating systems adopt the form of a client/server relationship.

Networking Device Icons

Repeater
A repeater is a network device used to regenerate a signal. Repeaters regenerate analog or digital signals distorted by transmission loss due to attenuation. A repeater does not perform intelligent routing.

Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit. This is done passively, without any other effect on the data transmission. Active hubs not only concentrate hosts, but they also regenerate signals.

Bridge
Bridges convert network transmission data formats as well as perform basic data transmission management. Bridges, as the name implies, provide connections between LANs. Not only do bridges connect LANs, but they also perform a check on the data to determine whether it should cross the bridge or not. This makes each part of the network more efficient.

Workgroup Switch
Workgroup switches add more intelligence to data transfer management. Switches can determine whether data should remain on a LAN or not, and they can transfer the data to the connection that needs that data.

Router
Routers have all capabilities of the previous devices. Routers can regenerate signals, concentrate multiple connections, convert data transmission formats, and manage data transfers. They can also connect to a WAN, which allows them to connect LANs that are separated by great distances.

The Cloud
The cloud is used in diagrams to represent where the connection to the internet is. It also represents all of the devices on the internet.

Network Topologies
Network topology defines the structure of the network. One part of the topology definition is the physical topology, which is the actual layout of the wire or media. The other part is the logical topology, which defines how the media is accessed by the hosts for sending data.

Physical Topologies

Bus Topology
A bus topology uses a single backbone cable that is terminated at both ends. All the hosts connect directly to this backbone.

Ring Topology
A ring topology connects one host to the next and the last host to the first. This creates a physical ring of cable.

Star Topology
A star topology connects all cables to a central point of concentration.

Extended Star Topology
An extended star topology links individual stars together by connecting the hubs and/or switches. This topology can extend the scope and coverage of the network.

Hierarchical Topology
A hierarchical topology is similar to an extended star.

Mesh Topology
A mesh topology is implemented to provide as much protection as possible from interruption of service. Each host has its own connections to all other hosts. Although the Internet has multiple paths to any one location, it does not adopt the full mesh topology.

LANs, MANs, & WANs
One early solution was the creation of local-area network (LAN) standards which provided an open set of guidelines for creating network hardware and software, making equipment from different companies compatible. What was needed was a way for information to move efficiently and quickly, not only within a company, but also from one business to another. The solution was the creation of metropolitan-area networks (MANs) and wide-area networks (WANs).

Examples of Data Networks

LANs

Wireless LAN Organizations and Standards
As in cabled networks, IEEE is the prime issuer of standards for wireless networks. The standards have been created within the framework of the regulations created by the Federal Communications Commission (FCC). A key technology contained within the 802.11 standard is Direct Sequence Spread Spectrum (DSSS).

Cellular Topology for Wireless

WANs

SANs
A SAN is a dedicated, high-performance network used to move data between servers and storage resources. Because it is a separate, dedicated network, it avoids any traffic conflict between clients and servers.

Virtual Private Network
A VPN is a private network that is constructed within a public network infrastructure such as the global Internet. Using a VPN, a telecommuter can access the network of the company headquarters through the Internet by building a secure tunnel between the telecommuter's PC and a VPN router in the headquarters.

Bandwidth

Measuring Bandwidth

The OSI Model


Why do we need the OSI Model?

To address the problem of networks increasing in size and in number, the International Organization for Standardization (ISO) researched many network schemes and recognized that there was a need to create a network model that would help network builders implement networks that could communicate and work together, and therefore released the OSI reference model in 1984.

Don't Get Confused.
- ISO - International Organization for Standardization
- OSI - Open System Interconnection
- IOS - Internetwork Operating System
The ISO created the OSI to make the IOS more efficient. The ISO acronym is correct as shown. To avoid confusion, some people say International Standard Organization.

The OSI Reference Model

[Figure: the OSI reference model, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical]

The OSI Model will be used throughout your entire networking career!

Memorize it!

Layer 7 - The Application Layer

This layer deals with networking applications. Examples: Email, Web browsers. PDU - User Data

Layer 6 - The Presentation Layer

This layer is responsible for presenting the data in the required format, which may include: Encryption, Compression. PDU - Formatted Data

Layer 5 - The Session Layer

This layer establishes, manages, and terminates sessions between two communicating hosts. Example: Client Software (used for logging in). PDU - Formatted Data

Layer 4 - The Transport Layer

This layer breaks up the data from the sending host and then reassembles it in the receiver. It is also used to ensure reliable data transport across the network. PDU - Segments

Layer 3 - The Network Layer

Sometimes referred to as the Cisco Layer. Makes Best Path Determination decisions based on logical addresses (usually IP addresses). PDU - Packets

Layer 2 - The Data Link Layer

This layer provides reliable transit of data across a physical link. Makes decisions based on physical addresses (usually MAC addresses). PDU - Frames

Layer 1 - The Physical Layer

This is the physical media through which the data, represented as electronic signals, is sent from the source host to the destination host. Examples: CAT5 (what we have), Coaxial (like cable TV), Fiber optic. PDU - Bits

OSI Model Analogy Application Layer - Source Host
After riding your new bicycle a few times in New York, you decide that you want to give it to a friend who lives in Munich, Germany.

OSI Model Analogy Presentation Layer - Source Host
Make sure you have the proper directions to disassemble and reassemble the bicycle.

OSI Model Analogy Session Layer - Source Host
Call your friend and make sure you have his correct address.

OSI Model Analogy Transport Layer - Source Host
Disassemble the bicycle and put different pieces in different boxes. The boxes are labeled 1 of 3, 2 of 3, and 3 of 3.

OSI Model Analogy Network Layer - Source Host
Put your friend's complete mailing address (and yours) on each box. Since the packages are too big for your mailbox (and since you don't have enough stamps) you determine that you need to go to the post office.

OSI Model Analogy Data Link Layer - Source Host
New York post office takes possession of the boxes.

OSI Model Analogy Physical Layer - Media
The boxes are flown from the USA to Germany.

OSI Model Analogy Data Link Layer - Destination
Munich post office receives your boxes.

OSI Model Analogy Network Layer - Destination
Upon examining the destination address, Munich post office determines that your boxes should be delivered to your written home address.

OSI Model Analogy Transport Layer - Destination
Your friend calls you and tells you he got all 3 boxes and he is having another friend named BOB reassemble the bicycle.

OSI Model Analogy Session Layer - Destination
Your friend hangs up because he is done talking to you.

OSI Model Analogy Presentation Layer - Destination
BOB is finished and presents the bicycle to your friend. Another way to say it is that your friend is finally getting his present.

OSI Model Analogy Application Layer - Destination
Your friend enjoys riding his new bicycle in Munich.

Host Layers

[Figure: the OSI stack with layers 7 Application, 6 Presentation, 5 Session and 4 Transport highlighted]

These layers only exist in the source and destination host computers.

Media Layers

[Figure: the OSI stack with layers 3 Network, 2 Data Link and 1 Physical highlighted]

These layers manage the information out in the LAN or WAN between the source and destination hosts.

The OSI Layers Communications

Encapsulation Process

Data Flow Through a Network

The TCP/IP Model


Why Another Model?
Although the OSI reference model is universally recognized, the historical and technical open standard of the Internet is Transmission Control Protocol / Internet Protocol (TCP/IP). The TCP/IP reference model and the TCP/IP protocol stack make data communication possible between any two computers, anywhere in the world, at nearly the speed of light. The U.S. Department of Defense (DoD) created the TCP/IP reference model because it wanted a network that could survive any conditions, even a nuclear war.

Don't Confuse the Models

[Figure: the seven OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) beside the four TCP/IP layers (Application, Transport, Internet, Network Access)]

2 Models Side-By-Side

OSI Model          TCP/IP Model
7 Application      Application
6 Presentation     Application
5 Session          Application
4 Transport        Transport
3 Network          Internet
2 Data Link        Network Access
1 Physical         Network Access

The Application Layer
The application layer of the TCP/IP model handles high-level protocols, issues of representation, encoding, and dialog control.

The Transport Layer
The transport layer provides transport services from the source host to the destination host. It constitutes a logical connection between these endpoints of the network. Transport protocols segment and reassemble upper-layer applications into the same data stream between endpoints. The transport layer data stream provides end-to-end transport services.

The Internet Layer
The purpose of the Internet layer is to select the best path through the network for packets to travel. The main protocol that functions at this layer is the Internet Protocol (IP). Best path determination and packet switching occur at this layer.

The Network Access Layer
The network access layer is also called the host-to-network layer. It is the layer that is concerned with all of the issues that an IP packet requires to actually make a physical link to the network media. It includes LAN and WAN details, and all the details contained in the OSI physical and data-link layers. NOTE: ARP & RARP work at both the Internet and Network Access Layers.

Comparing TCP/IP & OSI Models
NOTE: The TCP/IP transport layer using UDP does not always guarantee reliable delivery of packets as the transport layer in the OSI model does.

Introduction to the Transport Layer
The primary duties of the transport layer, Layer 4 of the OSI model, are to transport and regulate the flow of information from the source to the destination, reliably and accurately. End-to-end control and reliability are provided by sliding windows, sequencing numbers, and acknowledgments.

More on The Transport Layer
The transport layer provides transport services from the source host to the destination host. It establishes a logical connection between the endpoints of the network. Transport services include the following basic services:
- Segmentation of upper-layer application data
- Establishment of end-to-end operations
- Transport of segments from one end host to another end host
- Flow control provided by sliding windows
- Reliability provided by sequence numbers and acknowledgments

Flow Control
As the transport layer sends data segments, it tries to ensure that data is not lost. A receiving host that is unable to process data as quickly as it arrives could be a cause of data loss. Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.

3-Way Handshake
TCP requires connection establishment before data transfer begins.

For a connection to be established or initialized, the two hosts must synchronize their Initial Sequence Numbers (ISNs).

Basic Windowing
Data packets must be delivered to the recipient in the same order in which they were transmitted to have a reliable, connection-oriented data transfer. The protocol fails if any data packets are lost, damaged, duplicated, or received in a different order. An easy solution is to have a recipient acknowledge the receipt of each packet before the next packet is sent.

Sliding Window

Sliding Window with Different Window Sizes

TCP Sequence & Acknowledgement

TCP
Transmission Control Protocol (TCP) is a connection-oriented Layer 4 protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack. In a connection-oriented environment, a connection is established between both ends before the transfer of information can begin. TCP is responsible for breaking messages into segments, reassembling them at the destination station, resending anything that is not received, and reassembling messages from the segments. TCP supplies a virtual circuit between end-user applications. The protocols that use TCP include:
- FTP (File Transfer Protocol)
- HTTP (Hypertext Transfer Protocol)
- SMTP (Simple Mail Transfer Protocol)
- Telnet

TCP Segment Format

UDP
User Datagram Protocol (UDP) is the connectionless transport protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams, without acknowledgments or guaranteed delivery. Error processing and retransmission must be handled by higher layer protocols. UDP uses no windowing or acknowledgments, so reliability, if needed, is provided by application layer protocols. UDP is designed for applications that do not need to put sequences of segments together. The protocols that use UDP include:
- TFTP (Trivial File Transfer Protocol)
- SNMP (Simple Network Management Protocol)
- DHCP (Dynamic Host Configuration Protocol)
- DNS (Domain Name System)

UDP Segment Format

Well-Known Port Numbers
The following port numbers should be memorized:
NOTE: The curriculum forgot to mention one of the most important port numbers. Port 80 is used for HTTP or WWW protocols. (Essentially access to the internet.)

URL

SNMP Managed Network

TCP/IP Math
Base 2 Number System
10110 (binary) = (1 x 2^4 = 16) + (0 x 2^3 = 0) + (1 x 2^2 = 4) + (1 x 2^1 = 2) + (0 x 2^0 = 0) = 22 (decimal)

Converting Decimal to Binary
Convert 201 (decimal) to binary:
201 / 2 = 100 remainder 1
100 / 2 = 50 remainder 0
50 / 2 = 25 remainder 0
25 / 2 = 12 remainder 1
12 / 2 = 6 remainder 0
6 / 2 = 3 remainder 0
3 / 2 = 1 remainder 1
1 / 2 = 0 remainder 1
When the quotient is 0, take all the remainders in reverse order for your answer: 201 (decimal) = 11001001 (binary)

IP Addressing
Network and Host Addressing
Using the IP address of the destination network, a router can deliver a packet to the correct network. When the packet arrives at a router connected to the destination network, the router uses the IP address to locate the particular computer connected to that network. Accordingly, every IP address has two parts.

Network Layer Communication Path

A router forwards packets from the originating network to the destination network using the IP protocol. The packets must include an identifier for both the source and destination networks.

Internet Addresses
IP addressing is a hierarchical structure. An IP address combines two identifiers into one number. This number must be a unique number, because duplicate addresses would make routing impossible. The first part identifies the system's network address. The second part, called the host part, identifies which particular machine it is on the network.

IP Address Classes
IP addresses are divided into classes to define the large, medium, and small networks. Class A addresses are assigned to larger networks. Class B addresses are used for medium-sized networks, & Class C for small networks.

Identifying Address Classes

Address Class Prefixes
To accommodate different size networks and aid in classifying these networks, IP addresses are divided into groups called classes. This is classful addressing.

Network and Host Division
Each complete 32-bit IP address is broken down into a network part and a host part. A bit or bit sequence at the start of each address determines the class of the address. There are 5 IP address classes.

Class A Addresses
The Class A address was designed to support extremely large networks, with more than 16 million host addresses available. Class A IP addresses use only the first octet to indicate the network address. The remaining three octets provide for host addresses.

Class B Addresses
The Class B address was designed to support the needs of moderate to large-sized networks. A Class B IP address uses the first two of the four octets to indicate the network address. The other two octets specify host addresses.

Class C Addresses
The Class C address space is the most commonly used of the original address classes. This address space was intended to support small networks with a maximum of 254 hosts.

Class D Addresses
The Class D address class was created to enable multicasting in an IP address. A multicast address is a unique network address that directs packets with that destination address to predefined groups of IP addresses. Therefore, a single station can simultaneously transmit a single stream of data to multiple recipients.

Class E Addresses
A Class E address has been defined. However, the Internet Engineering Task Force (IETF) reserves these addresses for its own research. Therefore, no Class E addresses have been released for use in the Internet.

IP Address Ranges
The graphic below shows the IP address range of the first octet both in decimal and binary for each IP address class.

IPv4
As early as 1992, the Internet Engineering Task Force (IETF) identified two specific concerns: exhaustion of the remaining, unassigned IPv4 network addresses and the increase in the size of Internet routing tables. Over the past two decades, numerous extensions to IPv4 have been developed. Two of the more important of these are subnet masks and classless interdomain routing (CIDR).

Finding the Network Address with ANDing
By ANDing the host address of 192.168.10.2 with 255.255.255.0 (its network mask) we obtain the network address of 192.168.10.0.

Network Address

Broadcast Address

Network/Broadcast Addresses at the Binary Level
An IP address that has binary 0s in all host bit positions is reserved for the network address, which identifies the network. An IP address that has binary 1s in all host bit positions is reserved for the broadcast address, which is used to send data to all hosts on the network. Here are some examples:

Class   Network Address   Broadcast Address
A       100.0.0.0         100.255.255.255
B       150.75.0.0        150.75.255.255
C       200.100.50.0      200.100.50.255

Public IP Addresses
Unique addresses are required for each device on a network. Originally, an organization known as the Internet Network Information Center (InterNIC) handled this procedure. InterNIC no longer exists and has been succeeded by the Internet Assigned Numbers Authority (IANA). No two machines that connect to a public network can have the same IP address because public IP addresses are global and standardized. All machines connected to the Internet agree to conform to the system. Public IP addresses must be obtained from an Internet service provider (ISP) or a registry at some expense.

Private IP Addresses
Private IP addresses are another solution to the problem of the impending exhaustion of public IP addresses. As mentioned, public networks require hosts to have unique IP addresses. However, private networks that are not connected to the Internet may use any host addresses, as long as each host within the private network is unique.

Mixing Public and Private IP Addresses
Private IP addresses can be intermixed, as shown in the graphic, with public IP addresses. This will conserve the number of addresses used for internal connections. Connecting a network using private addresses to the Internet requires translation of the private addresses to public addresses. This translation process is referred to as Network Address Translation (NAT).

Introduction to Subnetting
Subnetting a network means to use the subnet mask to divide the network and break a large network up into smaller, more efficient and manageable segments, or subnets. With subnetting, the network is not limited to the default Class A, B, or C network masks and there is more flexibility in the network design. Subnet addresses include the network portion, plus a subnet field and a host field. The ability to decide how to divide the original host portion into the new subnet and host fields provides addressing flexibility for the network administrator.

The 32-Bit Binary IP Address

Numbers That Show Up In Subnet Masks (Memorize Them!)
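The TCP/IP math, the address classes, the ANDing method for the network and broadcast addresses, and the subnet mask rule above, carried through in code as an added example that is not from the original slides. It goes beyond the slides' default classful masks: the same ANDing works for any contiguous subnet mask, and the /26 subnet used below is constructed for the demonstration.

```python
# Added example, not from the original slides: the TCP/IP math and ANDing
# procedures carried through in code. Covers the classful addresses and their
# default masks, decimal/binary conversion by repeated division, and the ANDing
# method for the network and broadcast addresses. Works for any contiguous
# subnet mask, not only the default classful ones.

def to_binary(n: int) -> str:
    """Decimal to binary by repeated division by 2, reading the remainders in reverse."""
    if n == 0:
        return "0"
    remainders = []
    while n > 0:
        n, r = divmod(n, 2)
        remainders.append(str(r))
    return "".join(reversed(remainders))

def from_binary(bits: str) -> int:
    """Binary to decimal: each 1 bit contributes 2 raised to its position."""
    return sum(int(b) << i for i, b in enumerate(reversed(bits)))

def dotted_to_int(addr: str) -> int:
    """Dotted-decimal to a 32-bit integer; rejects anything that is not four octets 0-255."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal address: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary_dotted(addr: str) -> str:
    """The 32-bit binary form of an address, 8 bits per octet."""
    return ".".join(to_binary(int(o)).rjust(8, "0") for o in addr.split("."))

def address_class(addr: str) -> str:
    """Class from the first octet: A 0-127, B 128-191, C 192-223, D 224-239, E 240-255."""
    first = int(addr.split(".")[0])
    for cls, upper in (("A", 127), ("B", 191), ("C", 223), ("D", 239)):
        if first <= upper:
            return cls
    return "E"

DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

def default_mask(addr: str) -> str:
    cls = address_class(addr)
    if cls not in DEFAULT_MASKS:
        raise ValueError(f"class {cls} addresses are not used for ordinary host networks")
    return DEFAULT_MASKS[cls]

def is_valid_mask(mask: str) -> bool:
    """A mask is a run of 1 bits followed by a run of 0 bits, which is why the only
    octet values that show up in masks are 0, 128, 192, 224, 240, 248, 252, 254, 255.
    Inverting such a mask gives 2^k - 1, so inverted & (inverted + 1) must be zero."""
    inverted = ~dotted_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def network_address(addr: str, mask: str) -> str:
    """Network address = address AND mask: every host bit cleared to 0."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))

def broadcast_address(addr: str, mask: str) -> str:
    """Broadcast address = address OR inverted mask: every host bit set to 1."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    host_bits = ~dotted_to_int(mask) & 0xFFFFFFFF
    return int_to_dotted(dotted_to_int(addr) | host_bits)

def usable_hosts(mask: str) -> int:
    """2^(host bits) minus the network and broadcast addresses."""
    host_bit_count = 32 - bin(dotted_to_int(mask)).count("1")
    return max(2 ** host_bit_count - 2, 0)

if __name__ == "__main__":
    for addr, mask in (("192.168.10.2", "255.255.255.0"),       # the slide's ANDing example
                       ("192.168.10.130", "255.255.255.192")):  # constructed /26 subnet of the same Class C
        print(addr, to_binary_dotted(addr))
        print("  class", address_class(addr), "default mask", default_mask(addr))
        print("  network  ", network_address(addr, mask))
        print("  broadcast", broadcast_address(addr, mask), "usable hosts", usable_hosts(mask))
```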

Addressing with Subnetworks

Obtaining an Internet Address

Static Assignment of an IP Address
Static assignment works best on small networks. The administrator manually assigns and tracks IP addresses for each computer, printer, or server on the intranet. Network printers, application servers, and routers should be assigned static IP addresses.

ARP (Address Resolution Protocol)

[Figure: ARP exchange. Host A sends an ARP request as a broadcast to all hosts: "What is the hardware address for IP address 128.0.10.4?" Host B (IP address 128.0.10.4, HW address 080020021545) answers with an ARP reply carrying its hardware address.]

[Figure: 1 Network = 1 Broadcast Domain; 2 Networks = 2 Broadcast Domains. The ARP request broadcast ("If your IP address matches then please tell me your Ethernet address") reaches every host in its own broadcast domain but is not forwarded by the router. When the destination B lies behind Router R, the router answers instead ("Yes, I know the destination network, let me give you my Ethernet address") and takes care of forwarding the IP packets to B.]

RARP Reverse Address Resolution Protocol (RARP) associates a known MAC address with an IP address. A network device, such as a diskless workstation, might know its MAC address but not its IP address. RARP allows the device to make a request to learn its IP address. Devices using RARP require that a RARP server be present on the network to answer RARP requests.

BootP The bootstrap protocol (BOOTP) operates in a client-server environment and only requires a single packet exchange to obtain IP information. However, unlike RARP, BOOTP packets can include the IP address, as well as the address of a router, the address of a server, and vendor-specific information. One problem with BOOTP, however, is that it was not designed to provide dynamic address assignment. With BOOTP, a network administrator creates a configuration file that specifies the parameters for each device. The administrator must add hosts and maintain the BOOTP database. Even though the addresses are dynamically assigned, there is still a one to one relationship between the number of IP addresses and the number of hosts. This means that for every host on the network there must be a BOOTP profile with an IP address assignment in it. No two profiles can have the same IP address.

DHCP Dynamic host configuration protocol (DHCP) is the successor to BOOTP. Unlike BOOTP, DHCP allows a host to obtain an IP address dynamically without the network administrator having to set up an individual profile for each device. All that is required when using DHCP is a defined range of IP addresses on a DHCP server. As hosts come online, they contact the DHCP server and request an address. The DHCP server chooses an address and leases it to that host. With DHCP, the entire network configuration of a computer can be obtained in one message. This includes all of the data supplied by the BOOTP message, plus a leased IP address and a subnet mask. The major advantage that DHCP has over BOOTP is that it allows users to be mobile.

Routers & Cisco IOS


Introduction to Routers A router is a special type of computer. It has the same basic components as a standard desktop PC. However, routers are designed to perform some very specific functions. Just as computers need operating systems to run software applications, routers need the Internetwork Operating System software (IOS) to run configuration files. These configuration files contain the instructions and parameters that control the flow of traffic in and out of the routers. The many parts of a router are shown below:

RAM (Random Access Memory, also called dynamic RAM, DRAM) has the following characteristics and functions: stores routing tables; holds ARP cache; holds fast-switching cache; performs packet buffering (shared RAM); maintains packet-hold queues; provides temporary memory for the configuration file of the router while the router is powered on; loses content when router is powered down or restarted.

NVRAM (Non-Volatile RAM) has the following characteristics and functions: provides storage for the startup configuration file; retains content when router is powered down or restarted.

Flash memory has the following characteristics and functions: holds the operating system image (IOS); allows software to be updated without removing and replacing chips on the processor; retains content when router is powered down or restarted; can store multiple versions of IOS software; is a type of electronically erasable, programmable ROM (EEPROM).

ROM (Read-Only Memory) has the following characteristics and functions: maintains instructions for power-on self test (POST) diagnostics; stores bootstrap program and basic operating system software; requires replacing pluggable chips on the motherboard for software upgrades.

Interfaces have the following characteristics and functions: connect router to network for frame entry and exit; can be on the motherboard or on a separate module. Types of interfaces: Ethernet, Fast Ethernet, Serial, Token ring, ISDN BRI, Loopback, Console, Aux.

Internal Components of a 2600 Router

External Components of a 2600 Router

External Connections

Fixed Interfaces When cabling routers for serial connectivity, the routers will either have fixed or modular ports. The type of port being used will affect the syntax used later to configure each interface. Interfaces on routers with fixed serial ports are labeled for port type and port number.

Modular Serial Port Interfaces Interfaces on routers with modular serial ports are labeled for port type, slot, and port number. The slot is the location of the module. To configure a port on a modular card, it is necessary to specify the interface using the syntax port type slot number/port number. Use the label serial 0/1 when the interface is serial, the slot number where the module is installed is slot 0, and the port being referenced is port 1.

Routers & DSL Connections The Cisco 827 ADSL router has one asymmetric digital subscriber line (ADSL) interface. To connect a router for DSL service, use a phone cable with RJ-11 connectors. DSL works over standard telephone lines using pins 3 and 4 on a standard RJ-11 connector.

Computer/Terminal Console Connection

Modem Connection to Console/Aux Port

HyperTerminal Session Properties

Establishing a HyperTerminal Session Take the following steps to connect a terminal to the console port on the router: First, connect the terminal using the RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 or RJ-45 to DB-25 adapter. Then, configure the terminal or PC terminal emulation software for 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Cisco IOS Cisco technology is built around the Cisco Internetwork Operating System (IOS), which is the software that controls the routing and switching functions of internetworking devices. A solid understanding of the IOS is essential for a network administrator. The Purpose of Cisco IOS As with a computer, a router or switch cannot function without an operating system. Cisco calls its operating system the Cisco Internetwork Operating System or Cisco IOS. It is the embedded software architecture in all of the Cisco routers and is also the operating system of the Catalyst switches. Without an operating system, the hardware does not have any capabilities. The Cisco IOS provides the following network services: Basic routing and switching functions Reliable and secure access to networked resources Network scalability Router Command Line Interface

Setup Mode Setup is not intended as the mode for entering complex protocol features in the router. The purpose of the setup mode is to permit the administrator to install a minimal configuration for a router that is unable to locate a configuration from another source. In the setup mode, default answers appear in square brackets [ ] following the question. Press the Enter key to use these defaults. During the setup process, Ctrl-C can be pressed at any time to terminate the process. When setup is terminated using Ctrl-C, all interfaces will be administratively shut down.

When the configuration process is completed in setup mode, the following options will be displayed: [0] Go to the IOS command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration to nvram and exit. Enter your selection [2]: Operation of Cisco IOS Software The Cisco IOS devices have three distinct operating environments or modes: ROM monitor Boot ROM Cisco IOS The startup process of the router normally loads into RAM and executes one of these operating environments. The configuration register setting can be used by the system administrator to control the default start up mode for the router.

To see the IOS image and version that is running, use the show version command, which also indicates the configuration register setting.

IOS File System Overview

Initial Startup of Cisco Routers A router initializes by loading the bootstrap, the operating system, and a configuration file. If the router cannot find a configuration file, it enters setup mode. Upon completion of the setup mode a backup copy of the configuration file may be saved to nonvolatile RAM (NVRAM). The goal of the startup routines for Cisco IOS software is to start the router operations. To do this, the startup routines must accomplish the following: Make sure that the router hardware is tested and functional. Find and load the Cisco IOS software. Find and apply the startup configuration file or enter the setup mode.

When a Cisco router powers up, it performs a power-on self test (POST). During this self test, the router executes diagnostics from ROM on all hardware modules. After the POST, the following events occur as the router initializes: Step 1 The generic bootstrap loader in ROM executes. A bootstrap is a simple set of instructions that tests hardware and initializes the IOS for operation. Step 2 The IOS can be found in several places. The boot field of the configuration register determines the location to be used in loading the IOS. If the boot field indicates a flash or network load, boot system commands in the configuration file indicate the exact name and location of the image. Step 3 The operating system image is loaded. Step 4 The configuration file saved in NVRAM is loaded into main memory and executed one line at a time. The configuration commands start routing processes, supply addresses for interfaces, and define other operating characteristics of the router. Step 5 If no valid configuration file exists in NVRAM, the operating system searches for an available TFTP server. If no TFTP server is found, the setup dialog is initiated. Steps in Router Initialization

Router LED Indicators

Cisco routers use LED indicators to provide status information. Depending upon the Cisco router model, the LED indicators will vary. An interface LED indicates the activity of the corresponding interface. If an LED is off when the interface is active and the interface is correctly connected, a problem may be indicated. If an interface is extremely busy, its LED will always be on. The green OK LED to the right of the AUX port will be on after the system initializes correctly.

Enhanced Cisco IOS Commands

The show version Command The show version command displays information about the Cisco IOS software version that is currently running on the router. This includes the configuration register and the boot field settings. The following information is available from the show version command: IOS version and descriptive information Bootstrap ROM version Boot ROM version Router up time Last restart method System image file and location Router platform Configuration register setting

Use the show version command to identify router IOS image and boot source. To find out the amount of flash memory, issue the show flash command. Checking File System Information with show version command

ROUTING CONFIGURATION
Router User Interface Modes The Cisco command-line interface (CLI) uses a hierarchical structure. This structure requires entry into different modes to accomplish particular tasks. Each configuration mode is indicated with a distinctive prompt and allows only commands that are appropriate for that mode. As a security feature the Cisco IOS software separates sessions into two access levels, user EXEC mode and privileged EXEC mode. The privileged EXEC mode is also known as enable mode.

Overview of Router Modes

Router Modes

User Mode Commands

Privileged Mode Commands NOTE: There are many more commands available in privileged mode.

Specific Configuration Modes

CLI Command Modes All command-line interface (CLI) configuration changes to a Cisco router are made from the global configuration mode. Other more specific modes are entered depending upon the configuration change that is required.

Global configuration mode commands are used in a router to apply configuration statements that affect the system as a whole. The following command moves the router into global configuration mode (configure terminal may be abbreviated config t):
Router#configure terminal
Router(config)#

When specific configuration modes are entered, the router prompt changes to indicate the current configuration mode. Typing exit from one of these specific configuration modes will return the router to global configuration mode. Pressing Ctrl-Z returns the router all the way back to privileged EXEC mode.

Configuring a Router's Name A router should be given a unique name as one of the first configuration tasks. This task is accomplished in global configuration mode using the following commands:
Router(config)#hostname Tokyo
Tokyo(config)#
As soon as the Enter key is pressed, the prompt changes from the default host name (Router) to the newly configured host name (Tokyo in the example above).

Setting the Clock with Help

Message Of The Day (MOTD) A message-of-the-day (MOTD) banner can be displayed on all connected terminals. Enter global configuration mode by using the command config t. Enter the command banner motd # The message of the day goes here #. Save changes by issuing the command copy run start.

Configuring a Console Password Passwords restrict access to routers. Passwords should always be configured for virtual terminal lines and the console line.

Passwords are also used to control access to privileged EXEC mode so that only authorized users may make changes to the configuration file. The following commands are used to set an optional but recommended password on the console line:
Router(config)#line console 0
Router(config-line)#password <password>
Router(config-line)#login

Configuring a Modem Password If configuring a router via a modem you are most likely connected to the aux port. The method for configuring the aux port is very similar to configuring the console port.
Router(config)#line aux 0
Router(config-line)#password <password>
Router(config-line)#login

Configuring Interfaces An interface needs an IP address and a subnet mask to be configured. All interfaces are shut down by default. The DCE end of a serial interface needs a clock rate.
Router#config t
Router(config)#interface serial 0/1
Router(config-if)#ip address 200.100.50.75 255.255.255.240
Router(config-if)#clock rate 56000 (required for serial DCE only)
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f0/0
Router(config-if)#ip address 150.100.50.25 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
On older routers, Serial 0/1 would be just Serial 1 and f0/0 would be e0 (s = serial, e = Ethernet, f = Fast Ethernet).

Configuring a Telnet Password A password must be set on one or more of the virtual terminal (VTY) lines for users to gain remote access to the router using Telnet. Typically Cisco routers support five VTY lines numbered 0 through 4. The following commands are used to set the same password on all of the VTY lines:

Router(config)#line vty 0 4
Router(config-line)#password <password>
Router(config-line)#login

Examining the show Commands There are many show commands that can be used to examine the contents of files in the router and for troubleshooting. In both privileged EXEC and user EXEC modes, the command show ? provides a list of available show commands. The list is considerably longer in privileged EXEC mode than it is in user EXEC mode.
show interfaces: displays all the statistics for all the interfaces on the router
show int s0/1: displays statistics for interface Serial 0/1
show controllers serial: displays information specific to the interface hardware
show clock: shows the time set in the router
show hosts: displays a cached list of host names and addresses
show users: displays all users who are connected to the router
show history: displays a history of commands that have been entered
show flash: displays info about flash memory and what IOS files are stored there
show version: displays info about the router and the IOS that is running in RAM
show ARP: displays the ARP table of the router
show start: displays the saved configuration located in NVRAM
show run: displays the configuration currently running in RAM
show protocol: displays the global and interface specific status of any configured Layer 3 protocols

The copy run tftp Command

ETHERNET FUNDAMENTALS
Ethernet Overview Ethernet is now the dominant LAN technology in the world. Ethernet is not one technology but a family of LAN technologies. All LANs must deal with the basic issue of how individual stations (nodes) are named, and Ethernet is no exception. Ethernet specifications support different media, bandwidths, and other Layer 1 and 2 variations. However, the basic frame format and addressing scheme is the same for all varieties of Ethernet. Ethernet and the OSI Model Ethernet operates in two areas of the OSI model, the lower half of the data link layer, known as the MAC sublayer and the physical layer

Ethernet Technologies Mapped to the OSI Model

Layer 2 Framing Framing is the Layer 2 encapsulation process.

A frame is the Layer 2 protocol data unit. The frame format diagram shows different groupings of bits (fields) that perform other functions.

Ethernet and IEEE Frame Formats are Very Similar

3 Common Layer 2 Technologies: Ethernet uses CSMA/CD with a logical bus topology (information flow is on a linear bus) and a physical star or extended star topology (wired as a star). Token Ring uses a logical ring topology (information flow is controlled in a ring) and a physical star topology (in other words, it is wired as a star). FDDI uses a logical ring topology (information flow is controlled in a ring) and a physical dual-ring topology (wired as a dual-ring).

Collision Domains To move data between one Ethernet station and another, the data often passes through a repeater. All other stations in the same collision domain see traffic that passes through a repeater. A collision domain is then a shared resource. Problems originating in one part of the collision domain will usually impact the entire collision domain. CSMA/CD Graphic

Backoff After a collision occurs and all stations allow the cable to become idle (each waits the full interframe spacing), then the stations that collided must wait an additional and potentially progressively longer period of time before attempting to retransmit the collided frame. The waiting period is intentionally designed to be random so that two stations do not delay for the same amount of time before retransmitting, which would result in more collisions.

ADVANCED IP ADDRESSING Hierarchical Addressing Using Variable-Length Subnet Masks


Prefix Length and Network Mask Range of Addresses: 192.168.1.64 through 192.168.1.79. These addresses have the first 28 bits in common, which is represented by a /28 prefix length. 28 bits in common can also be represented in dotted decimal as 255.255.255.240. Binary ones in the network mask represent network bits in the accompanying IP address; binary zeros represent host bits.
IP Address: 11000000.10101000.00000001.0100xxxx
Network Mask: 11111111.11111111.11111111.11110000

In the IP network number that accompanies the network mask, when the host bits of the IP network number are all binary zeros, that address is the bottom of the address range; when they are all binary ones, that address is the top of the address range.

Fourth octet, decimal and binary:
64 01000000
65 01000001
66 01000010
67 01000011
68 01000100
69 01000101
70 01000110
71 01000111
72 01001000
73 01001001
74 01001010
75 01001011
76 01001100
77 01001101
78 01001110
79 01001111

Implementing VLSM

Range Of Addresses for VLSM

Breakdown Address Space for Largest Subnet

Breakdown Address Space for Ethernets at Remote Sites

Break Down Remaining Address Space for Serial Subnets

Calculating VLSM: Binary

Route Summarization and Classless Interdomain Routing What Is Route Summarization?

Summarizing Within an Octet

Summarizing Addresses in a VLSM-Designed Network

Classless Interdomain Routing CIDR is a mechanism developed to alleviate exhaustion of addresses and reduce routing table size. Block addresses can be summarized into single entries without regard to the classful boundary of the network number. Summarized blocks are installed in routing tables. What Is CIDR?

Addresses are the same as in the route summarization figure, except that Class B network 172 has been replaced by Class C network 192. CIDR Example
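A worked version of the prefix, mask and summarization arithmetic used in the VLSM and CIDR sections above, written for this page (not code from the original material). It uses the page's own 192.168.1.64/28 range and extends the idea to allocating VLSM subnets from a block and summarizing a set of networks into one CIDR prefix; the 192.168.1.0/24 block, the 172.16.x.0 networks and the host counts in the usage are constructed.

```python
"""Prefix, mask and summarization arithmetic for the VLSM and CIDR sections.

Added example, not code from the original page. All addresses beyond the
page's 192.168.1.64/28 range are constructed sample input.
"""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_of(prefix):
    """Prefix length -> integer mask with `prefix` leading ones."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def prefix_to_mask(prefix):
    """/28 -> '255.255.255.240' (ones mark network bits, zeros host bits)."""
    return int_to_ip(mask_of(prefix))


def mask_to_prefix(mask):
    """'255.255.255.240' -> 28; rejects non-contiguous masks like 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if mask_of(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def subnet_range(address, prefix):
    """(bottom, top) of the range: host bits all zeros, then all ones."""
    mask = mask_of(prefix)
    base = ip_to_int(address) & mask
    return int_to_ip(base), int_to_ip(base | (~mask & ALL_ONES))


def common_prefix_length(addresses):
    """Leading bits shared by every address (192.168.1.64..79 -> 28)."""
    ints = {ip_to_int(a) for a in addresses}
    for length in range(32, -1, -1):
        if len({i & mask_of(length) for i in ints}) == 1:
            return length
    return 0


def summarize(networks):
    """Route summarization: the single shortest prefix covering all networks
    ('a.b.c.d/len' strings). As CIDR allows, it may cross a classful boundary."""
    bases, shortest = [], 32
    for net in networks:
        addr, plen = net.split("/")
        bases.append(ip_to_int(addr) & mask_of(int(plen)))
        shortest = min(shortest, int(plen))
    length = min(shortest, common_prefix_length(int_to_ip(b) for b in bases))
    return f"{int_to_ip(bases[0] & mask_of(length))}/{length}"


def vlsm_allocate(block, host_counts):
    """VLSM: carve `block` into subnets, largest requirement first, each the
    smallest power-of-two size holding hosts + network + broadcast address."""
    addr, plen = block.split("/")
    cursor = ip_to_int(addr) & mask_of(int(plen))
    end = cursor + (1 << (32 - int(plen)))
    allocated = []
    for hosts in sorted(host_counts, reverse=True):
        size = 1 << (hosts + 1).bit_length()  # smallest power of two >= hosts + 2
        if cursor + size > end:
            raise ValueError(f"{block} cannot hold another subnet of {hosts} hosts")
        allocated.append(f"{int_to_ip(cursor)}/{33 - size.bit_length()}")
        cursor += size  # sizes are non-increasing powers of two, so cursor stays aligned
    return allocated


if __name__ == "__main__":
    print(prefix_to_mask(28), subnet_range("192.168.1.70", 28))
    print(summarize(["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]))
    print(vlsm_allocate("192.168.1.0/24", [60, 28, 12, 2, 2]))
```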

ROUTING
Anatomy of an IP Packet IP packets consist of the data from upper layers plus an IP header. The IP header consists of the following:

Introducing Routing Routing is the process that a router uses to forward packets toward the destination network. A router makes decisions based upon the destination IP address of a packet. All devices along the way use the destination IP address to point the packet in the correct direction so that the packet eventually arrives at its destination. In order to make the correct decisions, routers must learn the direction to remote networks.

Configuring Static Routes by Specifying Outgoing Interfaces

Configuring Static Routes by Specifying Next-Hop Addresses

Administrative Distance The administrative distance is an optional parameter that gives a measure of the reliability of the route. The range of an AD is 0-255 where smaller numbers are more desirable. The default administrative distance when using a next-hop address is 1, while the default administrative distance when using the outgoing interface is 0. You can statically assign an AD as follows:
Router(config)#ip route 172.16.3.0 255.255.255.0 172.16.4.1 130
Sometimes static routes are used for backup purposes. A static route can be configured on a router that will only be used when the dynamically learned route has failed. To use a static route in this manner, simply set the administrative distance higher than that of the dynamic routing protocol being used.

Configuring Default Routes Default routes are used to route packets with destinations that do not match any of the other routes in the routing table. A default route is actually a special static route that uses this format:
ip route 0.0.0.0 0.0.0.0 [next-hop-address | outgoing interface]
This is sometimes referred to as a Quad-Zero route. Example using next hop address:
Router(config)#ip route 0.0.0.0 0.0.0.0 172.16.4.1
Example using the exit interface:
Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0

Verifying Static Route Configuration After static routes are configured it is important to verify that they are present in the routing table and that routing is working as expected. The command show running-config is used to view the active configuration in RAM to verify that the static route was entered correctly.

The show ip route command is used to make sure that the static route is present in the routing table. Troubleshooting Static Route Configuration
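As an added example (not from the original page), the following Python implements the route selection rules described above: longest matching prefix first, the quad-zero default route as fallback, and lowest administrative distance between routes to the same prefix, so the static route with AD 130 is only used once the dynamically learned route is gone. The routing table is constructed; the RIP route with AD 120, its 172.16.9.2 next hop and the 172.16.0.0/16 route are assumptions, not from the page.

```python
"""Longest-prefix lookup with administrative distance (AD).

Added example, not from the original page. The routing table below is
constructed: the 172.16.3.0/24 static route with AD 130 comes from the
page's 'ip route' command; the RIP route (AD 120) and its 172.16.9.2
next hop are invented to show failover to the floating static route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: str          # e.g. "172.16.3.0"
    mask: str             # e.g. "255.255.255.0"
    via: str              # next-hop address or outgoing interface
    ad: int               # administrative distance, 0..255, lower is better
    source: str = "static"

    @property
    def prefix(self):
        return ipaddress.ip_network(f"{self.network}/{self.mask}", strict=False)


def default_static_ad(via):
    """Page rule: a static route via a next-hop address defaults to AD 1,
    via an outgoing interface to AD 0."""
    try:
        ipaddress.ip_address(via)
        return 1
    except ValueError:
        return 0


def static_route(network, mask, via, ad=None):
    """Model of 'ip route <network> <mask> <next-hop | interface> [ad]'."""
    return Route(network, mask, via, default_static_ad(via) if ad is None else ad)


def lookup(table, destination):
    """Route used to forward `destination`: most specific prefix wins, then
    lowest AD. The 0.0.0.0/0 quad-zero route matches everything, so it is
    only chosen when nothing longer matches. Returns None if no route."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.ad))


def without_source(table, source):
    """Simulate loss of all routes learned from `source` (e.g. RIP went down)."""
    return [r for r in table if r.source != source]


TABLE = [
    static_route("172.16.3.0", "255.255.255.0", "172.16.4.1", 130),   # floating static (page)
    Route("172.16.3.0", "255.255.255.0", "172.16.9.2", 120, "rip"),  # constructed RIP route
    static_route("172.16.0.0", "255.255.0.0", "s0/1"),               # constructed, AD 0
    static_route("0.0.0.0", "0.0.0.0", "s0/0"),                      # quad-zero default (page form)
]

if __name__ == "__main__":
    for dest in ("172.16.3.77", "172.16.50.1", "10.1.1.1"):
        print(dest, "->", lookup(TABLE, dest).via)
    print("RIP down:", lookup(without_source(TABLE, "rip"), "172.16.3.77").via)
```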

Path Determination Graphic

[Figure: routers and switches running a routing protocol; which route is the optimal route?]

Routing Protocols Routing protocols include the following: processes for sharing route information, allowing routers to communicate with other routers to update and maintain the routing tables. Examples of routing protocols that support the IP routed protocol are: RIP, IGRP, OSPF, BGP, and EIGRP.

Routed Protocols Protocols used at the network layer that transfer data from one host to another across a router are called routed or routable protocols. The Internet Protocol (IP) and Novell's Internetwork Packet Exchange (IPX) are examples of routed protocols. Routers use routing protocols to exchange routing tables and share routing information. In other words, routing protocols enable routers to route routed protocols.

EGP: Exterior Gateway Protocols are used for routing between Autonomous Systems (AS).
IGP: Interior Gateway Protocols are used for routing decisions within an Autonomous System.

Fig. 49 The use of IGP and EGP protocols (TI1332E U02TI_0004 The Network Layer, 67): AS 1000, AS 2000 and AS 3000 each run an Interior Gateway Protocol (IGP) internally and exchange routes with one another through an Exterior Gateway Protocol (EGP).

Autonomous System: An Autonomous System (AS) is a group of IP networks which has a single and clearly defined external routing policy.

An autonomous system is a network or set of networks under common administrative control, such as the cisco.com domain.

Categories of Routing Protocols Most routing algorithms can be classified into one of two categories: distance vector link-state The distance vector routing approach determines the direction (vector) and distance to any link in the internetwork. The link-state approach, also called shortest path first, recreates the exact topology of the entire internetwork. Distance Vector Routing Concepts

Distance Vector Routing (DVR): the routing table contains the addresses of destinations and the distance of the way to this destination.

[Figure: Routers A, B, C and D in a row; routing information flows from router to router. From the router whose table is shown, 192.16.1.0 and 192.16.5.0 are 1 hop away and 192.16.7.0 is 2 hops away.]

Routing Tables Graphic
Destination 192.16.1.0, Distance 1
Destination 192.16.5.0, Distance 1
Destination 192.16.7.0, Distance 2

Distance Vector Topology Changes

Router Metric Components

Distance Vector Routing (DVR)

[Figure: topology of the distance vector example. Router A is connected to 192.16.1.0 and 192.16.2.0; Router B to 192.16.2.0, 192.16.3.0 and 192.16.4.0; Router C to 192.16.4.0, 192.16.5.0 and 192.16.6.0; Router D to 192.16.6.0 and 192.16.7.0. A and B share 192.16.2.0, B and C share 192.16.4.0, C and D share 192.16.6.0.]

Initially each router knows only its locally connected networks (distance 0, L = locally connected). After the first exchange each router also knows its neighbours' networks at distance 1, learned from A, B, C or D. After convergence the tables are (Destination, Distance in hops, Learned from):
Router A: 192.16.1.0 0 L; 192.16.2.0 0 L; 192.16.3.0 1 B; 192.16.4.0 1 B; 192.16.5.0 2 B; 192.16.6.0 2 B; 192.16.7.0 3 B
Router B: 192.16.2.0 0 L; 192.16.3.0 0 L; 192.16.4.0 0 L; 192.16.1.0 1 A; 192.16.5.0 1 C; 192.16.6.0 1 C; 192.16.7.0 2 C
Router C: 192.16.4.0 0 L; 192.16.5.0 0 L; 192.16.6.0 0 L; 192.16.3.0 1 B; 192.16.2.0 1 B; 192.16.7.0 1 D; 192.16.1.0 2 B
Router D: 192.16.6.0 0 L; 192.16.7.0 0 L; 192.16.5.0 1 C; 192.16.4.0 1 C; 192.16.3.0 2 C; 192.16.2.0 2 C; 192.16.1.0 3 C

Fig. 53 Distribution of routing information with distance vector routing protocol (cont.) (TI1332E U02TI_0004 The Network Layer, 71)

RIPv1: distance vector routing protocol, classful. Distribution of routing tables via broadcast to adjacent routers. Only one kind of metric: number of hops; connections with different bandwidth can not be weighted. Routing loops can occur, giving bad convergence in case of a failure. Count to infinity problem (infinity = 16). Maximum network size is limited by the number of hops.

Fig. 59 Properties of RIPv1 (TI1332E U02TI_0004 The Network Layer, 81)

RIP Characteristics

RIP-1 permits only a Single Subnet Mask

[Figure: Router A has Port 1 with address 130.24.13.1/24 on network 130.24.13.0/24 and Port 2 with address 200.14.13.2/24 on network 200.14.13.0/24. Behind Router A lie 130.24.25.0/24 and 130.24.36.0/24. Out Port 1, which is in the same major network, RIP-1 advertises 130.24.36.0; out Port 2, which is in a different major network, it advertises only the classful network 130.24.0.0.]

Fig. 60 RIP-1 permits only a single subnet mask (TI1332E U02TI_0004 The Network Layer, 83)

Router Configuration The router command starts a routing process. The network command is required because it enables the routing process to determine which interfaces participate in the sending and receiving of routing updates. An example of a routing configuration is: GAD(config)#router rip GAD(config-router)#network 172.16.0.0 The network numbers are based on the network class addresses, not subnet addresses or individual host addresses. Configuring RIP Example

Verifying RIP Configuration

The debug ip rip Command Most of the RIP configuration errors involve an incorrect network statement, discontiguous subnets, or split horizons. One highly effective command for finding RIP update issues is the debug ip rip command. The debug ip rip command displays RIP routing updates as they are sent and received.

Problem: Routing Loops Routing loops can occur when inconsistent routing tables are not updated due to slow convergence in a changing network.

Problem: Counting to Infinity

Solution: Define a Maximum

Solution: Split Horizon

Route Poisoning Route poisoning is used by various distance vector protocols in order to overcome large routing loops and offer explicit information when a subnet or network is not accessible. This is usually accomplished by setting the hop count to one more than the maximum.

Triggered Updates New routing tables are sent to neighboring routers on a regular basis. For example, RIP updates occur every 30 seconds. However a triggered update is sent immediately in response to some change in the routing table.

The router that detects a topology change immediately sends an update message to adjacent routers that, in turn, generate triggered updates notifying their adjacent neighbors of the change. When a route fails, an update is sent immediately rather than waiting on the update timer to expire. Triggered updates, used in conjunction with route poisoning, ensure that all routers know of failed routes before any holddown timers can expire. Triggered Updates Graphic
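The distance vector exchange for the Router A to D topology from the figure above, simulated as an added example (not part of the original page): it reproduces the converged tables, then fails 192.16.7.0 on Router D with route poisoning and shows the hop count climbing toward 16 without split horizon versus converging in a few rounds with it. Timers (update interval, holddown) are not modelled; exchanges are assumed to be synchronous rounds.

```python
"""Distance vector routing simulator for the Router A..D example above.

Added example, not part of the original page. Topology is the one in the
page's distance vector figure: A and B share 192.16.2.0, B and C share
192.16.4.0, C and D share 192.16.6.0. Metric is hop count with RIP's
infinity of 16. Timers are not modelled (an assumption of this example);
a failed network is handled with route poisoning only.
"""
INFINITY = 16

# Directly connected networks per router (from the page's figure).
LOCAL = {
    "A": ["192.16.1.0", "192.16.2.0"],
    "B": ["192.16.2.0", "192.16.3.0", "192.16.4.0"],
    "C": ["192.16.4.0", "192.16.5.0", "192.16.6.0"],
    "D": ["192.16.6.0", "192.16.7.0"],
}


def neighbors(router):
    """Routers that share a directly connected network with `router`."""
    mine = set(LOCAL[router])
    return sorted(r for r in LOCAL if r != router and mine & set(LOCAL[r]))


def initial_tables():
    """Each router starts knowing only its own networks: distance 0, via 'L'."""
    return {r: {net: (0, "L") for net in nets} for r, nets in LOCAL.items()}


def advertisement(tables, sender, receiver, split_horizon):
    """Routes `sender` tells `receiver` about. With split horizon, routes
    learned from `receiver` itself are not sent back to it."""
    return {net: dist for net, (dist, via) in tables[sender].items()
            if not (split_horizon and via == receiver)}


def run_round(tables, split_horizon):
    """One synchronous exchange: every router sends, then every router updates.
    Returns True if any table changed."""
    adverts = {(s, r): advertisement(tables, s, r, split_horizon)
               for s in LOCAL for r in neighbors(s)}
    new_tables = {}
    for r in LOCAL:
        table = dict(tables[r])
        # 1. The current next hop's newer information overrides the entry,
        #    even if it is worse: this is what lets hop counts climb.
        for n in neighbors(r):
            for net, dist in adverts[(n, r)].items():
                if net in table and table[net][1] == n:
                    table[net] = (min(dist + 1, INFINITY), n)
        # 2. Any neighbour offering a strictly shorter path is preferred.
        for n in neighbors(r):
            for net, dist in adverts[(n, r)].items():
                cand = min(dist + 1, INFINITY)
                if net not in table:
                    if cand < INFINITY:
                        table[net] = (cand, n)
                elif cand < table[net][0]:
                    table[net] = (cand, n)
        new_tables[r] = table
    changed = new_tables != tables
    tables.update(new_tables)
    return changed


def converge(tables, split_horizon=True, max_rounds=50):
    """Exchange until nothing changes; returns the number of rounds used."""
    for rounds in range(1, max_rounds + 1):
        if not run_round(tables, split_horizon):
            return rounds
    return max_rounds


def simulate_failure(split_horizon, max_rounds=50):
    """Converge, then fail 192.16.7.0 on D (poisoned to 16) and record, per
    round, the best hop count C or D still holds for it."""
    tables = initial_tables()
    converge(tables, split_horizon)
    tables["D"]["192.16.7.0"] = (INFINITY, "L")  # route poisoning
    history = []
    for rounds in range(1, max_rounds + 1):
        changed = run_round(tables, split_horizon)
        history.append(min(tables["C"]["192.16.7.0"][0], tables["D"]["192.16.7.0"][0]))
        if not changed:
            return rounds, history
    return max_rounds, history


if __name__ == "__main__":
    t = initial_tables()
    print("converged after", converge(t), "rounds; Router A:", t["A"])
    for sh in (False, True):
        rounds, hist = simulate_failure(sh)
        print(f"split horizon={sh}: {rounds} rounds, hop counts seen {hist}")
```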

Solution: Holddown Timers

IGRP Interior Gateway Routing Protocol (IGRP) is a proprietary protocol developed by Cisco. Some of the IGRP key design characteristics emphasize the following: It is a distance vector routing protocol. Routing updates are broadcast every 90 seconds. Bandwidth, load, delay and reliability are used to create a composite metric.

IGRP Stability Features IGRP has a number of features that are designed to enhance its stability, such as: Holddowns Split horizons Poison reverse updates. Holddowns Holddowns are used to prevent regular update messages from inappropriately reinstating a route that may not be up. Split horizons Split horizons are derived from the premise that it is usually not useful to send information about a route back in the direction from which it came. Poison reverse updates Split horizons prevent routing loops between adjacent routers, but poison reverse updates are necessary to defeat larger routing loops. Today, IGRP is showing its age; it lacks support for variable length subnet masks (VLSM). Rather than develop an IGRP version 2 to correct this problem, Cisco has built upon IGRP's legacy of success with Enhanced IGRP. Configuring IGRP

Routing Metrics Graphics

LinkState Concepts

LinkState Topology Changes

Link State Routing (LSR)

[Figure: four routers in a ring, each flooding a link state packet (LSP) and running SPF to build its routing table]
Router 1 LSP: My links to R2 and R4 are up.
Router 2 LSP: My links to R1 and R3 are up, my link to R4 is down.
Router 3 LSP: My links to R2 and R4 are up.
Router 4 LSP: My links to R1 and R3 are up. My link to R2 is down.
LSP = link state packet; SPF = shortest path first

LinkState Concerns

Link State Routing (LSR)

[Figure: routers A through E joined by links of cost 1, 2 and 4; each router's link state database lists the links it knows about with their costs]

LinkState Routing Features
Link-state algorithms are also known as Dijkstra's algorithm or as SPF (shortest path first) algorithms.

Link-state routing algorithms maintain a complex database of topology information. Distance vector algorithms, also known as Bellman-Ford algorithms, have nonspecific information about distant networks and no knowledge of distant routers. A link-state routing algorithm maintains full knowledge of distant routers and how they interconnect. Link-state routing uses:
Link-state advertisements (LSAs): A link-state advertisement is a small packet of routing information that is sent between routers.
Topological database: A topological database is a collection of information gathered from LSAs.
SPF algorithm: The shortest path first (SPF) algorithm is a calculation performed on the database resulting in the SPF tree.
Routing tables: A list of the known paths and interfaces.

LinkState Routing

Comparing Routing Methods

OSPF (Open Shortest Path First) Protocol


OSPF is a link-state routing protocol. Link-state (LS) routers recognize much more information about the network than their distance-vector counterparts; consequently LS routers tend to make more accurate decisions. Link-state routers keep track of the following:
Their neighbours
All routers within the same area
Best paths toward a destination

Link-State Data Structures
Neighbor table: Also known as the adjacency database (list of recognized neighbors)
Topology table: Typically referred to as the LSDB (routers and links in the area or network). All routers within an area have an identical LSDB.
Routing table: Commonly named a forwarding database (list of best paths to destinations)

OSPF vs. RIP

RIP is limited to 15 hops, it converges slowly, and it sometimes chooses slow routes because it ignores critical factors such as bandwidth in route determination. OSPF overcomes these limitations and proves to be a robust and scalable routing protocol suitable for the networks of today.

OSPF Terminology The next several slides explain various OSPF terms -one per slide.

OSPF Term: Link

OSPF Term: LinkState

OSPF Term: Area

Link-State Data Structure: Network Hierarchy
Link-state routing requires a hierarchical network structure that is enforced by OSPF. This two-level hierarchy consists of the following:
Transit area (backbone or area 0)
Regular areas (nonbackbone areas)

OSPF Areas

Area Terminology

LS Data Structures: Adjacency Database Routers discover neighbors by exchanging hello packets. Routers declare neighbors to be up after checking certain parameters or options in the hello packet. Point-to-point WAN links: Both neighbors become fully adjacent. LAN links: Neighbors form an adjacency with the DR and BDR. Maintain two-way state with the other routers (DROTHERs). Routing updates and topology information are only passed between adjacent routers. OSPF Adjacencies

Routers build logical adjacencies between each other using the Hello Protocol. Once an adjacency is formed: LS database packets are exchanged to synchronize each other's LS databases. LSAs are flooded reliably throughout the area or network using these adjacencies.

Open Shortest Path First Calculation
Routers find the best paths to destinations by applying Dijkstra's SPF algorithm to the link-state database as follows: Every router in an area has the identical link-state database. Each router in the area places itself at the root of the tree that is built. The best path is calculated with respect to the lowest total cost of links to a specific destination. Best routes are put into the forwarding database.
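The SPF calculation just described, and the LSA-to-database-to-routing-table flow from the link-state routing section above, as an added Python illustration (not course material). Routers R1 to R4 and the link costs are constructed; the ring mirrors the LSP figure, with the R2-R4 link initially down.

```python
"""Link-state routing: flood LSAs into a topological database, then run
Dijkstra's shortest path first (SPF) algorithm with one router as the root
of the tree. Added illustration, not course material; the routers R1-R4
and the link costs are constructed."""
import heapq
import itertools


def build_database(lsas):
    """lsas: {router: [(neighbor, cost), ...]} as each router advertises it.
    Every router floods its LSA, so all routers build the same database."""
    return {router: dict(links) for router, links in lsas.items()}


def spf(db, root):
    """Shortest path first from `root`.

    Returns the routing table {dest: (total_cost, next_hop)}. A link is used
    only if both ends advertise it (the two-way check link-state protocols
    perform), so a stale one-sided LSA cannot pull traffic into a dead link."""
    dist = {root: 0}
    next_hop = {}
    order = itertools.count()            # tie-breaker so tuples never compare hops
    heap = [(0, next(order), root, None)]  # (cost so far, seq, router, first hop)
    done = set()
    while heap:
        cost, _, node, first = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if first is not None:
            next_hop[node] = first
        for neighbor, link_cost in db.get(node, {}).items():
            if node not in db.get(neighbor, {}):
                continue                 # only the near end reports this link
            new_cost = cost + link_cost
            if new_cost < dist.get(neighbor, float("inf")):
                dist[neighbor] = new_cost
                # Direct neighbours of the root are their own first hop;
                # everything further away inherits the first hop of the path.
                heapq.heappush(heap, (new_cost, next(order), neighbor,
                                      neighbor if node == root else first))
    return {d: (dist[d], next_hop[d]) for d in dist if d != root}


def link_up(lsas, a, b, cost):
    """Topology change: both routers re-advertise with the new link, which
    triggers a fresh SPF run on every router in the area."""
    updated = {r: list(links) for r, links in lsas.items()}
    updated[a].append((b, cost))
    updated[b].append((a, cost))
    return updated


# Constructed LSAs: R1-R2 cost 3, R1-R4 cost 1, R2-R3 cost 1, R3-R4 cost 4.
# R2 and R4 both report their shared link down, so it is absent here.
LSAS = {
    "R1": [("R2", 3), ("R4", 1)],
    "R2": [("R1", 3), ("R3", 1)],
    "R3": [("R2", 1), ("R4", 4)],
    "R4": [("R1", 1), ("R3", 4)],
}


def routing_table(root, lsas=LSAS):
    """The forwarding database `root` would install from these LSAs."""
    return spf(build_database(lsas), root)
```

With the R2-R4 link down, R1 reaches R3 through R2 at cost 4; once both R2 and R4 advertise that link at cost 1, every router recomputes and R1 now reaches both R2 and R3 through R4. If only one end advertised the link, SPF would ignore it.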

OSPF Packet Types

OSPF Packet Header Format

Neighborship

Establishing Bidirectional Communication

Discovering the Network Routes

Adding the Link-State Entries

Maintaining Routing Information

Router A notifies all OSPF DRs on 224.0.0.6. The DR notifies the others on 224.0.0.5.

Configuring Basic OSPF: Single Area


Router(config)# router ospf process-id

Turns on one or more OSPF routing processes in the IOS software. The process-id is locally significant and does not have to match on neighboring routers.

Router(config-router)# network address wildcard-mask area area-id

Router OSPF subordinate command that defines the interfaces (by network number) that OSPF will run on. Each network number must be assigned to a specific area; the area-id is required.

Configuring OSPF on Internal Routers of a Single Area

Verifying OSPF Operation


Router# show ip protocols

Verifies the configured IP routing protocol processes, parameters and statistics

Router# show ip route ospf

Displays all OSPF routes learned by the router


Router# show ip ospf interface

Displays the OSPF router ID, area ID and adjacency information


Router# show ip ospf

Displays the OSPF router ID, timers, and statistics

Router# show ip ospf neighbor [detail]

Displays information about the OSPF neighbors, including Designated Router (DR) and Backup Designated Router (BDR) information on broadcast networks

The show ip route ospf Command


RouterA# show ip route ospf
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP,
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area,
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
Gateway of last resort is not set
     10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O       10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0

The show ip ospf interface Command


RouterA# show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 10.64.0.1/24, Area 0
  Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
  Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.64.0.2 (Designated Router)
  Suppress hello for 0 neighbor(s)

The show ip ospf neighbor Command


RouterB# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.64.1.1         1   FULL/BDR        00:00:31    10.64.1.1       Ethernet0
10.2.1.1          1   FULL/  -        00:00:38    10.2.1.1        Serial0

show ip protocol

show ip route

show ip ospf neighbor detail

show ip ospf database

OSPF Network Types 1

Point-to-Point Links

Usually a serial interface running either PPP or HDLC May also be a point-to-point subinterface running Frame Relay or ATM No DR or BDR election required OSPF autodetects this interface type OSPF packets are sent using multicast 224.0.0.5 Multi-access Broadcast Network

Generally LAN technologies like Ethernet and Token Ring DR and BDR selection required All neighbor routers form full adjacencies with the DR and BDR only

Packets to the DR use 224.0.0.6 Packets from DR to all other routers use 224.0.0.5 Electing the DR and BDR

Hello packets are exchanged via IP multicast. The router with the highest OSPF priority is selected as the DR. Use the OSPF router ID as the tie breaker. The DR election is nonpreemptive. Setting Priority for DR Election
Router(config-if)# ip ospf priority number

This interface configuration command assigns the OSPF priority to an interface. Different interfaces on a router may be assigned different values. The default priority is 1. The range is from 0 to 255. 0 means the router is a DROTHER; it can't be the DR or BDR.

OSPF Network Types - 2

Creation of Adjacencies
RouterA# debug ip ospf adj
Point-to-point interfaces coming up: No election
%LINK-3-UPDOWN: Interface Serial1, changed state to up
OSPF: Interface Serial1 going Up
OSPF: Rcv hello from 192.168.0.11 area 0 from Serial1 10.1.1.2
OSPF: End of hello processing
OSPF: Build router LSA for area 0, router ID 192.168.0.10
OSPF: Rcv DBD from 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x7 len 32 state INIT
OSPF: 2 Way Communication to 192.168.0.11 on Serial1, state 2WAY
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x167F opt 0x2 flag 0x7 len 32
OSPF: NBR Negotiation Done. We are the SLAVE
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x2 len 72

RouterA# debug ip ospf adj
Ethernet interface coming up: Election
OSPF: 2 Way Communication to 192.168.0.10 on Ethernet0, state 2WAY
OSPF: end of Wait on interface Ethernet0
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.12
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.12 (Id)
OSPF: Send DBD to 192.168.0.12 on Ethernet0 seq 0x546 opt 0x2 flag 0x7 len 32
<>
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.11
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.11 (Id)
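The DR/BDR election rules from "Electing the DR and BDR" and the priority command above, as an added Python model (not course material). Router IDs and priorities are constructed; the replayed sequence follows the debug output above, where 192.168.0.12 is elected alone and keeps the DR role when 192.168.0.11 later joins (IOS prints the lone router as both DR and BDR in that first election; this model simply reports no BDR yet).

```python
"""OSPF DR/BDR election on a multi-access segment: highest priority wins,
highest router ID breaks ties, priority 0 never takes part, and the
election is non-preemptive. Added illustration, not course material;
router IDs and priorities are constructed."""
import ipaddress


def router(router_id, priority=1):
    """One neighbour as seen in its hello packets (default priority is 1)."""
    return {"router_id": router_id, "priority": priority}


def _rank(r):
    # Highest priority first; the highest router ID breaks ties.
    return (r["priority"], int(ipaddress.IPv4Address(r["router_id"])))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr) for the routers currently heard on the segment.

    Non-preemptive: a DR that is still present keeps its role even if a
    router with a better priority joins; if the DR disappears the BDR is
    promoted and only a new BDR is chosen. Priority 0 routers are DROTHERs."""
    present = {r["router_id"] for r in routers}
    eligible = sorted((r for r in routers if r["priority"] > 0),
                      key=_rank, reverse=True)
    if not eligible:
        return (None, None)
    if current_dr in present:
        dr = current_dr
    elif current_bdr in present:
        dr = current_bdr
    else:
        dr = eligible[0]["router_id"]
    if current_bdr in present and current_bdr != dr:
        bdr = current_bdr
    else:
        candidates = [r["router_id"] for r in eligible if r["router_id"] != dr]
        bdr = candidates[0] if candidates else None
    return (dr, bdr)


def segment_history():
    """Replay the sequence in the debug output: 192.168.0.12 comes up alone
    on Ethernet0, then 192.168.0.11 joins the segment."""
    alone = elect([router("192.168.0.12")])
    joined = elect([router("192.168.0.12"), router("192.168.0.11")],
                   current_dr=alone[0], current_bdr=alone[1])
    return alone, joined
```

Because the election is non-preemptive, a router joining later with priority 200 becomes neither DR nor BDR; it only inherits a role when one of the current holders leaves. Set priority 0 on interfaces of routers that must never carry the DR workload, and a high priority on the router you want elected before the segment comes up.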

EIGRP
Overview Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol based on Interior Gateway Routing Protocol (IGRP).

Unlike IGRP, which is a classful routing protocol, EIGRP supports CIDR and VLSM. Compared to IGRP, EIGRP boasts faster convergence times, improved scalability, and superior handling of routing loops. Furthermore, EIGRP can replace Novell Routing Information Protocol (RIP) and AppleTalk Routing Table Maintenance Protocol (RTMP), serving both IPX and AppleTalk networks. EIGRP is often described as a hybrid routing protocol, offering the best of distance vector and link-state algorithms.

Comparing EIGRP with IGRP
IGRP and EIGRP are compatible with each other.
EIGRP offers multiprotocol support, but IGRP does not.
EIGRP and IGRP use different metric calculations. EIGRP scales the metric of IGRP by a factor of 256.
IGRP has a maximum hop count of 255. EIGRP has a maximum hop count limit of 224.
Enabling dissimilar routing protocols such as OSPF and RIP to share information requires advanced configuration. Redistribution, the sharing of routes, is automatic between IGRP and EIGRP as long as both processes use the same autonomous system (AS) number.

EIGRP & IGRP Metric Calculation

Comparing EIGRP with IGRP


EIGRP Concepts & Terminology
EIGRP routers keep route and topology information readily available in RAM, so they can react quickly to changes.

Like OSPF, EIGRP saves this information in several tables and databases. EIGRP saves routes that are learned in specific ways. Routes are given a particular status and can be tagged to provide additional useful information. EIGRP maintains three tables:
Neighbor table
Topology table
Routing table

Neighbor Table
The neighbor table is the most important table in EIGRP. Each EIGRP router maintains a neighbor table that lists adjacent routers. This table is comparable to the adjacency database used by OSPF. There is a neighbor table for each protocol that EIGRP supports. When a neighbor sends a hello packet, it advertises a hold time. The hold time is the amount of time a router treats a neighbor as reachable and operational. In other words, if a hello packet is not heard within the hold time, then the hold time expires. When the hold time expires, the Diffusing Update Algorithm (DUAL), which is the EIGRP distance vector algorithm, is informed of the topology change and must recalculate the new topology.

Topology Table
The topology table is made up of all the EIGRP routing tables in the autonomous system. DUAL takes the information supplied in the neighbor table and the topology table and calculates the lowest cost routes to each destination. By tracking this information, EIGRP routers can identify and switch to alternate routes quickly. The information that the router learns from DUAL is used to determine the successor route, which is the term used to identify the primary or best route. A copy is also placed in the topology table. Every EIGRP router maintains a topology table for each configured network protocol. All learned routes to a destination are maintained in the topology table.

Routing Table
The EIGRP routing table holds the best routes to a destination. This information is retrieved from the topology table. Each EIGRP router maintains a routing table for each network protocol.

A successor is a route selected as the primary route to use to reach a destination. DUAL identifies this route from the information contained in the neighbor and topology tables and places it in the routing table. There can be up to four successor routes for any particular route. These can be of equal or unequal cost and are identified as the best loop-free paths to a given destination. A copy of the successor routes is also placed in the topology table. A feasible successor (FS) is a backup route. These routes are identified at the same time the successors are identified, but they are only kept in the topology table. Multiple feasible successors for a destination can be retained in the topology table although it is not mandatory.

EIGRP Data Structure
Like OSPF, EIGRP relies on different types of packets to maintain its various tables and establish complex relationships with neighbor routers. The five EIGRP packet types are:
Hello
Acknowledgment
Update
Query
Reply
EIGRP relies on hello packets to discover, verify, and rediscover neighbor routers. Rediscovery occurs if EIGRP routers do not receive hellos from each other for a hold time interval but then re-establish communication. EIGRP routers send hellos at a fixed but configurable interval, called the hello interval. The default hello interval depends on the bandwidth of the interface. On IP networks, EIGRP routers send hellos to the multicast IP address 224.0.0.10.

Default Hello Intervals and Hold Times for EIGRP

EIGRP Algorithm
The sophisticated DUAL algorithm results in the exceptionally fast convergence of EIGRP. Each router constructs a topology table that contains information about how to route to a destination network. Each topology table identifies the following:
The routing protocol, EIGRP
The lowest cost of the route, which is called the Feasible Distance (FD)
The cost of the route as advertised by the neighboring router, which is called the Reported Distance (RD)

The Topology heading identifies the preferred primary route, called the successor route (Successor), and, where identified, the backup route, called the feasible successor (FS). Note that it is not necessary to have an identified feasible successor.

FS Route Selection Rules

DUAL Example
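An added Python illustration (not course material) of the EIGRP & IGRP metric calculation and of how DUAL picks the successor and feasible successor from the feasible distance (FD) and reported distance (RD) defined above. The feasibility condition it applies is the standard one: a neighbour qualifies as a feasible successor only when its RD is lower than the FD of the successor. The neighbours and distances in the sample topology table are constructed.

```python
"""EIGRP composite metric and DUAL successor / feasible successor
selection. Added illustration, not course material; the neighbour names
and distances in the sample topology table are constructed."""


def eigrp_metric(min_bandwidth_kbps, total_delay_usec):
    """Composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
    256 * (10^7 / slowest link bandwidth in kbps + sum of link delays in tens
    of microseconds). The 256 is the scaling EIGRP applies to the IGRP metric;
    IOS uses integer division."""
    return 256 * (10**7 // min_bandwidth_kbps + total_delay_usec // 10)


def dual_select(entries):
    """entries: topology-table rows for one destination, each a dict with
    "neighbor", "rd" (Reported Distance: the neighbour's own metric to the
    destination) and "link" (this router's metric to reach that neighbour).

    Returns (feasible_distance, successors, feasible_successors, others).
    Feasibility condition: RD < FD. A neighbour that is closer to the
    destination than we are cannot be routing through us, so its path is
    loop-free and can be installed at once without a DUAL query."""
    totals = {e["neighbor"]: e["rd"] + e["link"] for e in entries}
    fd = min(totals.values())
    successors, feasible, others = [], [], []
    for e in entries:
        name = e["neighbor"]
        if totals[name] == fd:
            successors.append(name)
        elif e["rd"] < fd:
            feasible.append(name)
        else:
            others.append(name)   # stays in the topology table, not usable as backup
    return fd, successors, feasible, others


# Constructed topology-table rows for one destination network.
SAMPLE = [
    {"neighbor": "X", "rd": 10, "link": 5},   # total 15: successor
    {"neighbor": "Y", "rd": 12, "link": 8},   # total 20, rd 12 < 15: feasible successor
    {"neighbor": "Z", "rd": 16, "link": 2},   # total 18, but rd 16 >= 15: neither
]
```

Note that Z has a lower total cost than Y yet is not a feasible successor: with RD 16 it might itself be reaching the destination through us, so installing it without a query could form a loop. A T1 (1544 kbps, 20000 microseconds delay) evaluates to the familiar metric 2169856, and FastEthernet (100000 kbps, 100 microseconds) to 28160.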

Configuring EIGRP

Configuring EIGRP Summarization
EIGRP automatically summarizes routes at the classful boundary. This is the boundary where the network address ends, as defined by class-based addressing.

This means that even though RTC is connected only to the subnet 2.1.1.0, it will advertise that it is connected to the entire Class A network, 2.0.0.0. In most cases auto-summarization is beneficial because it keeps routing tables as compact as possible.

Configuring EIGRP no-summary
However, automatic summarization may not be the preferred option in certain instances, for example when discontiguous subnets of the same classful network exist. To turn off auto-summarization, use the following command:
router(config-router)#no auto-summary

Configuring EIGRP Summary Addresses Manually
With EIGRP, a summary address can be manually configured by configuring a prefix network. Manual summary routes are configured on a per-interface basis.
router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask [administrative-distance]
EIGRP summary routes have an administrative distance of 5 by default. In the graphic below, RTC can be configured using the commands shown:
RTC(config)#router eigrp 2446
RTC(config-router)#no auto-summary
RTC(config-router)#exit
RTC(config)#interface serial 0/0
RTC(config-if)#ip summary-address eigrp 2446 2.1.0.0 255.255.0.0

Verifying the EIGRP Configuration To verify the EIGRP configuration a number of show and debug commands are available. These commands are shown on the next few slides. show ip eigrp neighbors

show ip eigrp interfaces

show ip eigrp topology

show ip eigrp topology [active | pending | successors]

show ip eigrp topology all-links

show ip eigrp traffic

Administrative Distances

Classful and Classless Routing Protocols

Access Control Lists


Reasons to Create ACLs
The following are some of the primary reasons to create ACLs:
Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which types of traffic are forwarded or blocked at the router interfaces. For example: permit e-mail traffic to be routed, but block all telnet traffic.
Allow an administrator to control what areas a client can access on a network.
If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.

How ACLs Filter Traffic

One List per Port, per Destination, per Protocol...

How ACLs work.

Creating ACLs
ACLs are created in the global configuration mode. There are many different types of ACLs including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list. Since IP is by far the most popular routed protocol, additional ACL numbers have been added to newer router IOS releases:
Standard IP: 1-99 and 1300-1999
Extended IP: 100-199 and 2000-2699

The access-list command

The ip access-group command
Router(config-if)# ip access-group access-list-number { in | out }

ACL Example

Basic Rules for ACLs
These basic rules should be followed when creating and applying access lists:
One access list per protocol per direction.
Standard IP access lists should be applied closest to the destination.
Extended IP access lists should be applied closest to the source.
Use the inbound or outbound interface reference as if looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
Never work with an access list that is actively applied.
New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
Outbound filters do not affect traffic originating from the local router.

Wildcard Mask Examples
Five examples follow that demonstrate how a wildcard mask can be used to permit or deny certain IP addresses, or IP address ranges. While subnet masks start with binary 1s and end with binary 0s, wildcard masks are the reverse, meaning they typically start with binary 0s and end with binary 1s. In the examples that follow Cisco has chosen to represent the binary 1s in the wildcard masks with Xs to focus on the specific bits being shown in each example.

You will see that while subnet masks are ANDed with IP addresses, wildcard masks are ORed with IP addresses: a 1 bit in the wildcard mask means "ignore this bit" and a 0 bit means "this bit must match". A wildcard mask does not have to be contiguous; 0.0.0.254, for example, checks only the last bit and so matches every even address or every odd address depending on the base address given.

Wildcard Mask Example #1

Wildcard Mask Example #2

Wildcard Mask Example #3

Wildcard Mask Example #4 - Even IPs

Wildcard Mask Example #5 - Odd IP#s

The any and host Keywords

Verifying ACLs
There are many show commands that will verify the content and placement of ACLs on the router. The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router; show access-list 1 shows just access list 1. The show running-config command will also reveal the access lists on a router and the interface assignment information.

Standard ACLs
Standard ACLs check the source address of IP packets that are routed. The comparison will result in either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). If there is no wildcard mask, the default mask is used, which is 0.0.0.0. (This only works with standard ACLs and is the same thing as using host.) The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]

The no form of this command is used to remove a standard ACL. This is the syntax:
Router(config)#no access-list access-list-number

Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command. At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. Logical operations may be specified, such as equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).

Extended ACL Syntax

Well-Known Port Numbers

Don't forget that WWW or HTTP is 80 and POP3 is 110.

Extended ACL Example
This extended ACL will allow people in network 200.100.50.0 to surf the Internet, but not allow any other protocols like email, FTP, etc.

access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq 80
or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq www
or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq http
Note that this permits only HTTP on TCP port 80; practical browsing also needs HTTPS (TCP 443) and DNS lookups (UDP 53), which this list would deny.

NOTE: Just like all standard ACLs end with an implicit "deny any", all extended ACLs end with an implicit "deny ip any any", which means deny everything from anywhere to anywhere.

ip access-group
The ip access-group command links an existing standard or extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:
Router(config-if)#ip access-group access-list-number {in | out}

Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The advantages that a named access list provides are:
Intuitively identify an ACL using an alphanumeric name.
Eliminate the limit of 798 simple and 799 extended ACLs.
Named ACLs provide the ability to modify ACLs without deleting them completely and then reconfiguring them.
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2. The same name may not be used for multiple ACLs.

Named ACL Example

Placing ACLs The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, in the graphic a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.

Standard ACLs: Permitting/Denying Hosts, Networks and Subnets


Permitting a Single Host
Router(config)# access-list 1 permit 200.100.50.23 0.0.0.0
or
Router(config)# access-list 1 permit host 200.100.50.23
or
Router(config)# access-list 1 permit 200.100.50.23
(The implicit deny any ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

Denying a Single Host
Router(config)# access-list 1 deny 200.100.50.23 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
or
Router(config)# access-list 1 deny host 200.100.50.23
Router(config)# access-list 1 permit any
(The implicit deny any is still present, but totally irrelevant.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

Permitting a Single Network
Class C: Router(config)# access-list 1 permit 200.100.50.0 0.0.0.255
or
Class B: Router(config)# access-list 1 permit 150.75.0.0 0.0.255.255
or
Class A: Router(config)# access-list 1 permit 13.0.0.0 0.255.255.255
(The implicit deny any ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

Denying a Single Network
Class C:
Router(config)# access-list 1 deny 200.100.50.0 0.0.0.255
Router(config)# access-list 1 permit any
or Class B:
Router(config)# access-list 1 deny 150.75.0.0 0.0.255.255
Router(config)# access-list 1 permit any
or Class A:
Router(config)# access-list 1 deny 13.0.0.0 0.255.255.255
Router(config)# access-list 1 permit any
(The implicit deny any is still present, but totally irrelevant.)

Permitting a Class C Subnet
Network Address/Subnet Mask: 200.100.50.0/28
Desired Subnet: 3rd
Process: 32-28=4, 2^4=16 addresses per subnet
1st Usable Subnet address range is 200.100.50.16-31
2nd Usable Subnet address range is 200.100.50.32-47
3rd Usable Subnet address range is 200.100.50.48-63
Subnet Mask is 255.255.255.240
Inverse Mask is 0.0.0.15, or subtract 200.100.50.48 from 200.100.50.63 to get 0.0.0.15
Router(config)# access-list 1 permit 200.100.50.48 0.0.0.15
(The implicit deny any ensures that everyone else is denied.)

Denying a Class C Subnet
Network Address/Subnet Mask: 192.68.72.0/27
Undesired Subnet: 2nd
Process: 32-27=5, 2^5=32 addresses per subnet
1st Usable Subnet address range is 192.68.72.32-63
2nd Usable Subnet address range is 192.68.72.64-95
Subnet Mask is 255.255.255.224
Inverse Mask is 0.0.0.31, or subtract 192.68.72.64 from 192.68.72.95 to get 0.0.0.31
Router(config)# access-list 1 deny 192.68.72.64 0.0.0.31
Router(config)# access-list 1 permit any
(The implicit deny any is still present, but totally irrelevant.)

Permitting a Class B Subnet
Network Address/Subnet Mask: 150.75.0.0/24
Desired Subnet: 129th
Process: Since exactly 8 bits are borrowed, the 3rd octet denotes the subnet number.
129th Usable Subnet address range is 150.75.129.0-255
Subnet Mask is 255.255.255.0
Inverse Mask is 0.0.0.255, or subtract 150.75.129.0 from 150.75.129.255 to get 0.0.0.255
Router(config)# access-list 1 permit 150.75.129.0 0.0.0.255
(The implicit deny any ensures that everyone else is denied.)

Denying a Class B Subnet
Network Address/Subnet Mask: 160.88.0.0/22
Undesired Subnet: 50th
Process: 32-22=10 (more than 1 octet), 10-8=2, 2^2=4 third-octet values per subnet
1st Usable Subnet address range is 160.88.4.0-160.88.7.255
2nd Usable Subnet address range is 160.88.8.0-160.88.11.255
50 * 4 = 200, so the 50th subnet is 160.88.200.0-160.88.203.255
Subnet Mask is 255.255.252.0
Inverse Mask is 0.0.3.255, or subtract 160.88.200.0 from 160.88.203.255 to get 0.0.3.255
Router(config)# access-list 1 deny 160.88.200.0 0.0.3.255
Router(config)# access-list 1 permit any

Permitting a Class A Subnet
Network Address/Subnet Mask: 111.0.0.0/12
Desired Subnet: 13th
Process: 32-12=20, 20-16=4, 2^4=16 second-octet values per subnet
1st Usable Subnet address range is 111.16.0.0-111.31.255.255
13*16=208, so the 13th Usable Subnet address range is 111.208.0.0-111.223.255.255
Subnet Mask is 255.240.0.0
Inverse Mask is 0.15.255.255, or subtract 111.208.0.0 from 111.223.255.255 to get 0.15.255.255
Router(config)# access-list 1 permit 111.208.0.0 0.15.255.255
(The implicit deny any ensures that everyone else is denied.)

Denying a Class A Subnet
Network Address/Subnet Mask: 40.0.0.0/24
Undesired Subnet: 500th
Process: Since exactly 16 bits were borrowed, the 2nd and 3rd octets denote the subnet.
1st Usable Subnet address range is 40.0.1.0-40.0.1.255
255th Usable Subnet address range is 40.0.255.0-40.0.255.255
256th Usable Subnet address range is 40.1.0.0-40.1.0.255
300th Usable Subnet address range is 40.1.44.0-40.1.44.255
500th Usable Subnet address range is 40.1.244.0-40.1.244.255
Router(config)# access-list 1 deny 40.1.244.0 0.0.0.255
Router(config)# access-list 1 permit any
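The subnet arithmetic worked by hand in the six examples above, as an added Python helper (not course material). It follows the page's numbering, where subnet zero is not counted and the "1st usable" subnet is index 1, and it refuses an index that runs past the end of the classful block.

```python
"""Nth subnet of a classful network and its inverse (wildcard) mask,
following the procedure worked by hand above. Added illustration, not
course material. Subnet numbering matches the page: subnet zero is not
counted, so the "1st usable" subnet is index 1."""
import ipaddress


def classful_prefix(network):
    """Natural mask length of a Class A, B or C address."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return 8       # Class A
    if first_octet < 192:
        return 16      # Class B
    return 24          # Class C


def nth_subnet(network, prefix, n):
    """Return (subnet_address, inverse_mask, last_address) of the n-th usable
    subnet when the classful `network` is subnetted with /prefix.
    Raises ValueError if n does not exist inside the classful block."""
    base = int(ipaddress.IPv4Address(network))
    block = 2 ** (32 - classful_prefix(network))   # addresses in the classful net
    size = 2 ** (32 - prefix)                      # addresses per subnet
    if prefix < classful_prefix(network) or (n + 1) * size > block:
        raise ValueError(f"subnet {n} does not exist in {network}/{prefix}")
    start = base + n * size
    return (str(ipaddress.IPv4Address(start)),
            str(ipaddress.IPv4Address(size - 1)),          # inverse mask
            str(ipaddress.IPv4Address(start + size - 1)))  # broadcast address


def standard_ace(number, action, network, prefix, n):
    """The access-list statement that permits or denies exactly that subnet."""
    subnet, inverse, _ = nth_subnet(network, prefix, n)
    return f"access-list {number} {action} {subnet} {inverse}"
```

The inverse mask is simply the subnet size minus one, which is the same value the page obtains by subtracting the subnet address from its last address.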

Standard ACLs: Permitting/Denying Ranges of Addresses that cross subnets.


Permit 200.100.50.24-100, Plan A
This would get very tedious!
access-list 1 permit host 200.100.50.24
access-list 1 permit host 200.100.50.25
access-list 1 permit host 200.100.50.26
access-list 1 permit host 200.100.50.27
access-list 1 permit host 200.100.50.28
: : : : : :
access-list 1 permit host 200.100.50.96
access-list 1 permit host 200.100.50.97
access-list 1 permit host 200.100.50.98
access-list 1 permit host 200.100.50.99
access-list 1 permit host 200.100.50.100

Permit 200.100.50.24-100, Plan B
access-list 1 permit 200.100.50.24 0.0.0.7 (24-31)
access-list 1 permit 200.100.50.32 0.0.0.31 (32-63)
access-list 1 permit 200.100.50.64 0.0.0.31 (64-95)
access-list 1 permit 200.100.50.96 0.0.0.3 (96-99)
access-list 1 permit host 200.100.50.100 (100)
(The implicit deny any ensures that everyone else is denied.)

Permit 200.100.50.16-127, Plan A
access-list 1 permit 200.100.50.16 0.0.0.15 (16-31)
access-list 1 permit 200.100.50.32 0.0.0.31 (32-63)
access-list 1 permit 200.100.50.64 0.0.0.63 (64-127)
(The implicit deny any ensures that everyone else is denied.)

Permit 200.100.50.16-127, Plan B
access-list 1 deny 200.100.50.0 0.0.0.15 (0-15)
access-list 1 permit 200.100.50.0 0.0.0.127 (0-127)
First we make sure that addresses 0-15 are denied. Then we can permit any address in the range 0-127. Since only the first matching statement in an ACL is applied, an address in the range 0-15 is denied by the first statement before it has a chance to be permitted by the second.
(The implicit deny any ensures that everyone else is denied.)

Permit 200.100.50.1, 5, 13, 29, 42, 77
access-list 1 permit host 200.100.50.1
access-list 1 permit host 200.100.50.5
access-list 1 permit host 200.100.50.13
access-list 1 permit host 200.100.50.29
access-list 1 permit host 200.100.50.42
access-list 1 permit host 200.100.50.77
Sometimes a group of addresses has no pattern and the best way to deal with them is individually.
(The implicit deny any ensures that everyone else is denied.)

Extended ACLs: Permitting/Denying Source Addresses, Destination Addresses, and Protocols


Permit Source Network

access-list 101 permit ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
or
access-list 101 permit ip 200.100.50.0 0.0.0.255 any
Implicit deny ip any any

Deny Source Network

access-list 101 deny ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip 200.100.50.0 0.0.0.255 any
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit Destination Network

access-list 101 permit ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
or
access-list 101 permit ip any 200.100.50.0 0.0.0.255
Implicit deny ip any any

Deny Destination Network

access-list 101 deny ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip any 200.100.50.0 0.0.0.255
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit one Source Network to another Destination Network

Assume the only traffic you want is traffic from network 200.100.50.0 to network 150.75.0.0.
access-list 101 permit ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
Implicit deny ip any any
To allow two-way traffic between the networks, add this statement:
access-list 101 permit ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

Deny one Source Network to another Destination Network

Assume you want to allow all traffic EXCEPT from network 200.100.50.0 to network 150.75.0.0.
access-list 101 deny ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
access-list 101 permit ip any any
To deny two-way traffic between the networks, add this statement:
access-list 101 deny ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

Deny FTP

Assume you do not want anyone FTPing on the network.
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

Deny Telnet

Assume you do not want anyone telnetting on the network.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any

Deny Web Surfing

Assume you do not want anyone surfing the internet.
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
You can also use http instead of www.

Complicated Example #1

Suppose you have the following conditions:
No one from network 200.100.50.0 is allowed to FTP anywhere.
Only hosts from network 150.75.0.0 may telnet to network 50.0.0.0.
Subnetwork 100.100.100.0/24 is not allowed to surf the internet.

access-list 101 deny tcp 200.100.50.0 0.0.0.255 any eq 21
access-list 101 permit tcp 150.75.0.0 0.0.255.255 50.0.0.0 0.255.255.255 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp 100.100.100.0 0.0.0.255 any eq 80
access-list 101 permit ip any any

Complicated Example #2

Suppose you are the admin of network 200.100.50.0. You want to permit Email only between your network and network 150.75.0.0. You wish to place no restriction on other protocols like web surfing, FTP, telnet, etc.
Email server send/receive protocol: SMTP, port 25
User check Email protocol: POP3, port 110
This example assumes that your Email server is at address 200.100.50.25.

access-list 101 permit tcp 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255 eq 25
access-list 101 permit tcp 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255 eq 25
access-list 101 permit tcp 200.100.50.0 0.0.0.255 200.100.50.0 0.0.0.255 eq 110
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq pop3
access-list 101 permit ip any any
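As an added worked example (not part of the original notes and not Cisco IOS code), the following Python evaluator parses access-list statements in the form used above, applies the wildcard masks and the first-match rule, and falls through to the implicit deny. It handles both the standard form (lists 1-99, source address only) and the extended form (protocol, source, destination, optional eq port), so it can replay any of the lists on this page. The port-name table, the packet dictionaries and the test traffic are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical ACL evaluator (added example). It reads access-list statements as
# written in the text and applies IOS semantics: top-down, first match wins,
# implicit "deny any" at the end of every list.

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "http": 80, "smtp": 25, "pop3": 110}

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol; else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # set only when the statement has "eq <port>"

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port

def _take_addr(t: List[str], i: int):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 >= len(t) or t[i + 1] == "eq":   # bare address: IOS assumes wildcard 0.0.0.0
        return t[i], "0.0.0.0", i + 1
    return t[i], t[i + 1], i + 2

def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action = int(t[1]), t[2]
    if number <= 99:                              # standard ACL: source only
        src, src_wc, _ = _take_addr(t, 3)
        return Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    proto = t[3]                                  # extended ACL
    src, src_wc, i = _take_addr(t, 4)
    dst, dst_wc, i = _take_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, src_wc, dst, dst_wc, port)

def load_acl(text: str) -> List[Entry]:
    return [parse_entry(line) for line in text.strip().splitlines() if line.strip()]

def packet(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> Dict:
    """Constructed packet summary: only the fields an ACL looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def evaluate(acl: List[Entry], pkt: Dict) -> str:
    """Return the action of the first matching statement; no match means deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"                                 # the implicit deny any

# The five statements of "Complicated Example #1" above.
COMPLICATED_EXAMPLE_1 = """
access-list 101 deny tcp 200.100.50.0 0.0.0.255 any eq 21
access-list 101 permit tcp 150.75.0.0 0.0.255.255 50.0.0.0 0.255.255.255 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp 100.100.100.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
"""

# The standard ACL "Plan B" above (deny 0-15, then permit 0-127).
PLAN_B = """
access-list 1 deny 200.100.50.0 0.0.0.15
access-list 1 permit 200.100.50.0 0.0.0.127
"""

if __name__ == "__main__":
    acl = load_acl(COMPLICATED_EXAMPLE_1)
    for p in (packet("200.100.50.7", "8.8.8.8", "tcp", 21),
              packet("150.75.1.1", "50.1.2.3", "tcp", 23),
              packet("200.100.50.7", "50.1.2.3", "tcp", 23)):
        print(p, "->", evaluate(acl, p))
```

Note that the order of statements is the whole point: swapping the second and third statements of Complicated Example #1 would deny telnet from 150.75.0.0 before it could be permitted, exactly as the Plan B discussion above describes for the standard list.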

Network address translation


From Wikipedia, the free encyclopedia

In computer networking, network address translation (NAT) is the process of modifying network address information in datagram (IP) packet headers while in transit across a traffic routing device for the purpose of remapping one IP address space into another. Most often today, NAT is used in conjunction with network masquerading (or IP masquerading) which is a technique that hides an entire IP address space, usually consisting of private network IP addresses (RFC 1918), behind a single IP address in another, often public address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single IP address and then readdresses the outgoing Internet Protocol (IP) packets on exit so that they appear to originate from the router. In the reverse communications path, responses are mapped back to the originating IP address using the rules ("state") stored in the translation tables. The translation table rules established in this fashion are flushed after a short period without new traffic refreshing their state. As described, the method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside could not browse a web site in the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the 'outside' network to reach designated hosts in the masqueraded network. Because of the popularity of this technique (see below), the term NAT has become virtually synonymous with the method of IP masquerading.
Network address translation has serious consequences, both drawbacks and benefits, on the quality of Internet connectivity and requires careful attention to the details of its implementation. As a result, many methods have been devised to alleviate the issues encountered. See article on NAT traversal.


Overview
In the mid-1990s NAT became a popular tool for alleviating the IPv4 address exhaustion. It has become a standard, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway). However, NAT breaks the originally envisioned model of IP end-to-end connectivity across the Internet, introduces complications in communication between hosts, and affects performance. NAT obscures an internal network's structure: all traffic appears to outside parties as if it originated from the gateway machine. Network address translation involves over-writing the source or destination IP address and usually also the TCP/UDP port numbers of IP packets as they pass through the router. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes. In a typical configuration, a local network uses one of the designated "private" IP address subnets (RFC 1918). Private network addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x (or using CIDR notation, 192.168/16, 172.16/12, and 10/8), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with a single "public" address (known as "overloaded" NAT) or multiple "public" addresses assigned by an ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port).
When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply; the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or IP address and port number when multiple public addresses are available, on packet return. To a host on the Internet, the router itself appears to be the source/destination for this traffic.

Basic NAT and PAT

There are two levels of network address translation.

Basic NAT. This involves IP address translation only, not port mapping.
PAT (Port Address Translation). Also called simply "NAT" or "Network Address Port Translation, NAPT". This involves the translation of both IP addresses and port numbers.

All Internet packets have a source IP address and a destination IP address. Both or either of the source and destination addresses may be translated. Some Internet packets do not have port numbers. For example, ICMP packets have no port numbers. However, the vast bulk of Internet traffic is TCP and UDP packets, which do have port numbers. Packets which do have port numbers have both a source port number and a destination port number. Both or either of the source and destination ports may be translated. NAT which involves translation of the source IP address and/or source port is called source NAT or SNAT. This re-writes the IP address and/or port number of the computer which originated the packet. NAT which involves translation of the destination IP address and/or destination port number is called destination NAT or DNAT. This re-writes the IP address and/or port number corresponding to the destination computer. SNAT and DNAT may be applied simultaneously to Internet packets.

Types of NAT


Network address translation is implemented in a variety of schemes of translating addresses and port numbers, each affecting application communication protocols differently. In some application protocols that use IP address information, the application running on a node in the masqueraded network needs to determine the external address of the NAT, i.e., the address that its communication peers detect, and, furthermore, often needs to examine and categorize the type of mapping in use. For this purpose, the Simple traversal of UDP over NATs (STUN) protocol was developed (RFC 3489, March 2003). It classified NAT implementation as full cone NAT, (address) restricted cone NAT, port restricted cone NAT or symmetric NAT[1] and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods have been standardized in RFC 5389 (October 2008) and the STUN acronym now represents the new title of the specification: Session Traversal Utilities for NAT.

Full cone NAT, also known as one-to-one NAT

Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.

(Address) Restricted cone NAT

Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort had previously sent a packet to hAddr:any. "any" means the port number doesn't matter.

Port-Restricted cone NAT

Like an (Address) Restricted cone NAT, but the restriction includes port numbers.
Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort had previously sent a packet to hAddr:hPort.

Symmetric NAT

Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port. If the same internal host sends a packet, even with the same source address and port, but to a different destination, a different mapping is used.
Only an external host that receives a packet from an internal host can send a packet back.

This terminology has been the source of much confusion, as it has proven inadequate at describing real-life NAT behavior.[2] Many NAT implementations combine these types, and it is therefore better to refer to specific individual NAT behaviors instead of using the Cone/Symmetric terminology. Especially, most NAT translators combine symmetric NAT for outgoing connections with static port mapping, where incoming packets to the external address and port are redirected to a specific internal address and port. Some products can redirect packets to several internal hosts, e.g. to divide the load between a few servers. However, this introduces problems with more sophisticated communications that have many interconnected packets, and thus is rarely used. Many NAT implementations follow the port preservation design. For most communications, they use the same values as internal and external port numbers. However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random. Such NAT will be sometimes perceived as (address) restricted cone NAT and other times as symmetric NAT.
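The translation-table behaviour described in the sections above (state created only by outbound traffic, port preservation with a fresh port on collision, the full / address-restricted / port-restricted cone distinctions, and permanent "static NAT" entries for port forwarding) as an added Python model. It is not code from the Wikipedia article or from any vendor's NAT implementation; the public address 203.0.113.5, the internal and external hosts, the class name ConeNAT and its mode argument are this example's own constructions. Symmetric NAT, whose mapping also depends on the destination, is deliberately not modelled.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)

class ConeNAT:
    """Hypothetical PAT model (added example): one public address, a translation
    table that only outbound packets can create, and inbound filtering selectable
    as 'full', 'address' or 'port' (restricted) cone."""

    def __init__(self, public_addr: str, mode: str = "port", first_port: int = 1024):
        if mode not in ("full", "address", "port"):
            raise ValueError("mode must be full, address or port")
        self.public_addr = public_addr
        self.mode = mode
        self.next_port = first_port
        self.table: Dict[Endpoint, int] = {}         # (iAddr, iPort) -> ePort
        self.reverse: Dict[int, Endpoint] = {}       # ePort -> (iAddr, iPort)
        self.peers: Dict[int, Set[Endpoint]] = {}    # ePort -> (hAddr, hPort) already contacted
        self.static: Set[int] = set()                # port-forwarded ePorts: any peer allowed

    def add_static(self, eport: int, internal: Endpoint) -> None:
        """Static NAT / port forwarding: a permanent entry reachable from any outside host."""
        self.table[internal] = eport
        self.reverse[eport] = internal
        self.peers.setdefault(eport, set())
        self.static.add(eport)

    def _alloc_port(self) -> int:
        """Pick the next free external port (used only when port preservation collides)."""
        while self.next_port in self.reverse:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of a packet leaving the private network and record state."""
        if src not in self.table:
            # port preservation: keep the internal port if it is free on the outside
            eport = src[1] if src[1] not in self.reverse else self._alloc_port()
            self.table[src] = eport
            self.reverse[eport] = src
            self.peers[eport] = set()
        eport = self.table[src]
        self.peers[eport].add(dst)
        return (self.public_addr, eport), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of a packet from the Internet, or None if it is dropped."""
        eport = dst[1]
        if dst[0] != self.public_addr or eport not in self.reverse:
            return None                              # no translation state: drop
        if eport not in self.static:
            known = self.peers[eport]
            if self.mode == "port" and src not in known:
                return None                          # must match hAddr:hPort exactly
            if self.mode == "address" and src[0] not in {h for h, _ in known}:
                return None                          # must match hAddr, any port
            # "full": any external host may use an existing mapping
        return src, self.reverse[eport]

if __name__ == "__main__":
    nat = ConeNAT("203.0.113.5")                     # port-restricted cone by default
    print(nat.outbound(("192.168.0.10", 5000), ("198.51.100.7", 80)))
    print(nat.inbound(("198.51.100.7", 80), ("203.0.113.5", 5000)))   # reply: translated
    print(nat.inbound(("198.51.100.7", 443), ("203.0.113.5", 5000)))  # other port: None
```

Running the same traffic against `mode="address"` and `mode="full"` shows why the cone terminology is confusing in practice: the outbound mapping is identical in all three cases, and only the inbound filtering differs, which is the behaviour STUN-style probing has to infer one packet at a time.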

NAT and TCP/UDP


"Pure NAT", operating on IP alone, may or may not correctly parse protocols that are totally concerned with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the "inside" or "outside" of translation. As soon as the protocol stack is climbed, even with such basic protocols as TCP and UDP, the protocols will break unless NAT takes action beyond the network layer. IP has a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher level checksums and correct tracking of which packets belong to which connection. The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a "pseudo-header" that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to successfully pass TCP or UDP, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP header using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets. The originating host may perform Maximum transmission unit (MTU) path discovery (RFC 1191) to determine the packet size that can be transmitted without fragmentation, and then set the "don't fragment" bit in the appropriate packet header field.
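To make the checksum point concrete, here is an added Python example (not from the article and not any NAT product's code) that computes the TCP checksum over the RFC 793 pseudo-header and shows that a segment which verifies against its original source address fails verification as soon as that address is rewritten, until the translator recomputes the checksum over the translated addresses. Addresses, ports and payload are constructed sample values. Real translators usually apply the incremental update of RFC 1624 rather than the full recomputation shown here; the result is the same.

```python
import struct

# Added example: TCP checksum with pseudo-header, and what a source NAT must redo.

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """src, dst, zero byte, protocol 6 (TCP), TCP length: the part NAT disturbs."""
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + header + payload, with the checksum field (offset 16) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF

def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal TCP header (SYN flag, seq/ack 0, data offset 5, window 65535) plus payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]

def verify(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: the sum of pseudo-header + segment, checksum included, must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def translate_source(segment: bytes, new_src_ip: str, dst_ip: str, new_sport: int) -> bytes:
    """What a source NAT/PAT device must do: rewrite the source port, then recompute the
    TCP checksum over the translated addresses so the far end still accepts the segment."""
    rewritten = struct.pack("!H", new_sport) + segment[2:]
    csum = tcp_checksum(new_src_ip, dst_ip, rewritten)
    return rewritten[:16] + struct.pack("!H", csum) + rewritten[18:]

if __name__ == "__main__":
    inside, outside, public = "192.168.0.10", "198.51.100.7", "203.0.113.5"   # constructed
    seg = build_segment(inside, outside, 5000, 80, b"constructed payload")
    print("original verifies:", verify(inside, outside, seg))
    print("after only the IP is rewritten:", verify(public, outside, seg))
    print("after NAT recomputes:", verify(public, outside, translate_source(seg, public, outside, 40000)))
```

The same pseudo-header dependency is why a NAT cannot pass a fragmented TCP segment without either reassembling it or holding the checksum-bearing first fragment until it knows the full length.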

Destination network address translation (DNAT)

DNAT is a technique for transparently changing the destination IP address of an en-route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet. DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding.

SNAT
The usage of the term SNAT varies by vendor. Many vendors have proprietary definitions for SNAT. A common definition is Source NAT, the counterpart of Destination NAT (DNAT). Microsoft uses the term for Secure NAT, in regard to the ISA Server extension discussed below. For Cisco Systems, SNAT means Stateful NAT. The Internet Engineering Task Force (IETF) defines SNAT as Softwires Network Address Translation. This type of NAT is named after the Softwires working group that is charged with the standardization of discovery, control and encapsulation methods for connecting IPv4 networks across IPv6 networks and IPv6 networks across IPv4 networks.

Dynamic network address translation


Dynamic NAT, just like static NAT, is not common in smaller networks but is found within larger corporations with complex networks. The way dynamic NAT differs from static NAT is that where static NAT provides a one-to-one internal to public static IP address mapping, dynamic NAT doesn't make the mapping to the public IP address static and usually uses a group of available public IP addresses.

Applications affected by NAT


Some Application Layer protocols (such as FTP and SIP) send explicit network addresses within their application data. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its network layer and transport layer addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address and/or TCP port number makes the information received by the server invalid. The Session Initiation Protocol (SIP) controls Voice over IP (VoIP) communications and suffers the same problem. SIP may use multiple ports to set up a connection and transmit voice stream via RTP. IP addresses and port numbers are encoded in the payload data and must be known prior to the traversal of NATs. Without special techniques, such as STUN, NAT behavior is unpredictable and communications may fail. Application Layer Gateway (ALG) software or hardware may correct these problems. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG.

Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or ICE or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs. In either case, the high-level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly-behaved legacy NATs. Other possibilities are UPnP (Universal Plug and Play) or Bonjour (NAT-PMP), but these require the cooperation of the NAT device. Most traditional client-server protocols (FTP being the main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today. NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones which encrypt their signaling with IPsec encapsulate the port information within the IPsec packet, meaning that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT will be mapped onto one client, causing the service to fail. There are a couple of solutions to this problem: one is to use TLS, which operates at level 4 in the OSI Reference Model and therefore does not mask the port number, or to encapsulate the IPsec within UDP, the latter being the solution chosen by TISPAN to achieve secure NAT traversal. The DNS protocol vulnerability announced by Dan Kaminsky on July 8, 2008 is indirectly affected by NAT port mapping.
To avoid DNS server cache poisoning, it is highly desirable to not translate UDP source port numbers of outgoing DNS requests from any DNS server which is behind a firewall which implements NAT. The recommended work-around for the DNS vulnerability is to make all caching DNS servers use randomized UDP source ports. If the NAT function de-randomizes the UDP source ports, the DNS server will be made vulnerable.

Drawbacks
Hosts behind NAT-enabled routers do not have end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-level gateway (see below), but fail when both systems are separated from the Internet by NAT. Use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols. End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the End-to-End Principle, but that NAT does have a valid role in careful design.[3] There is considerably more concern with the use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT.[4] Because of the short-lived nature of the stateful translation tables in NAT routers, devices on the internal network lose IP connectivity typically within a very short period of time unless they implement NAT keep-alive mechanisms by frequently accessing outside hosts. This dramatically shortens the power reserves on battery-operated hand-held devices and has thwarted more widespread deployment of such IP-native Internet-enabled devices. Some Internet service providers (ISPs), especially in Russia, Asia and other "developing" regions provide their customers only with "local" IP addresses, due to the limited number of external IP addresses allocated to those entities. Thus, these customers must access services external to the ISP's network through NAT. As a result, the customers cannot achieve true end-to-end connectivity, in violation of the core principles of the Internet as laid out by the Internet Architecture Board.

Benefits
The primary benefit of IP-masquerading NAT is that it has been a practical solution to the impending exhaustion of IPv4 address space. Even large networks can be connected to the Internet with as little as a single IP address. The more common arrangement is having machines that require end-to-end connectivity supplied with a routable IP address, while having machines that do not provide services to outside users behind NAT with only a few IP addresses used to enable Internet access. Some[5] have also called this exact benefit a major drawback, since it delays the need for the implementation of IPv6, quote: "... it is possible that its [NAT] widespread use will significantly delay the need to deploy IPv6. ... It is probably safe to say that networks would be better off without NAT, ..."

Examples of NAT software

IPFilter
PF (firewall): The OpenBSD Packet Filter.
Netfilter NAT engine
Internet Connection Sharing (ICS)
WinGate

WANS

Contents
Remote access overview
WAN Connection Types
Defining WAN Encapsulation Protocols
Determining the WAN Type to Use
OSI Layer-2 Point-to-Point WANs
PPP
HDLC
Frame Relay

Remote Access Overview
A WAN is a data communications network covering a relatively broad geographical area. A network administrator designing a remote network must weigh issues concerning users' needs, such as bandwidth, against the cost of the various available technologies.

WAN Connection Types

Leased lines: A pre-established WAN communications path from the CPE, through the DCE switch, to the CPE of the remote site, allowing DTE networks to communicate at any time with no setup procedures before transmitting data.

Circuit switching: Sets up the line like a phone call. No data can transfer before the end-to-end connection is established.

Packet switching: A WAN switching method that allows you to share bandwidth with other companies to save money. As long as you are not constantly transmitting data and are instead using bursty data transfers, packet switching can save you a lot of money. However, if you have constant data transfers, then you will need to get a leased line. Frame Relay and X.25 are packet switching technologies.

Defining WAN Encapsulation Protocols
Each WAN connection uses an encapsulation protocol to encapsulate traffic while it crosses the WAN link. The choice of encapsulation protocol depends on the underlying WAN technology and the communicating equipment.

Typical WAN encapsulation types include the following:

Point-to-Point Protocol (PPP)
Serial Line Internet Protocol (SLIP)
High-Level Data Link Control Protocol (HDLC)
X.25 / Link Access Procedure Balanced (LAPB)
Frame Relay
Asynchronous Transfer Mode (ATM)

Determining the WAN Type to Use
Availability: Each type of service may be available only in certain geographical areas.
Bandwidth: Determining usage over the WAN is important to evaluate the most cost-effective WAN service.
Cost: Making a compromise between the traffic you need to transfer and the type of service available at a cost that suits you.
Ease of Management: Connection management includes both the initial start-up configuration and the ongoing configuration of normal operation.
Application Traffic: Traffic may be as small as during a terminal session, or very large packets as during a file transfer.

Max. WAN Speeds for WAN Connections

WAN Type                    Maximum Speed
Asynchronous Dial-Up        56-64 Kbps
X.25, ISDN BRI              128 Kbps
ISDN PRI                    E1 / T1
Leased Line / Frame Relay   E3 / T3

OSI Layer-2 Point-to-Point WANs WAN protocols used on Point-to-Point serial links provide the basic function of data delivery across that one link.

The two most popular data link protocols used today are Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC).

HDLC
HDLC performs OSI Layer-2 functions:
It determines when it is appropriate to use the physical medium.
It ensures that the correct recipient receives and processes the data that is sent.
It determines whether the sent data was received correctly or not (error detection).

HDLC Frame Format

The original HDLC didn't include any Protocol Type field, so every company (including Cisco) added its own field. Cisco's HDLC is therefore a proprietary protocol that can be used only between Cisco routers.

Point-to-Point Protocol (PPP)
PPP is a standard encapsulation protocol for the transport of different Network Layer protocols (including, but not limited to, IP). It has the following main functional components:
Link Control Protocol (LCP), which establishes, authenticates, and tests the data link connection.
Network Control Protocols (NCPs), which establish and configure different network layer protocols.
PPP discards frames that do not pass the error check. PPP is a standard protocol, so it can be used with all types of routers (it is not Cisco proprietary).

PPP LCP Features
Authentication
Compression
Multilink PPP
Error Detection
Looped Link Detection

PAP Authentication

CHAP Authentication

Compression
Compression enables higher data throughput across the link. Different compression schemes are available:
Predictor: checks whether the data was already compressed.
Stacker: looks at the data stream and sends each type of data only once, with information about where that type occurs; the receiving side uses this information to reassemble the data stream.
MPPC (Microsoft Point-to-Point Compression): allows Cisco routers to compress data with Microsoft clients.

PPP Multilink
PPP Multilink provides load balancing over dialer interfaces, including ISDN, synchronous, and asynchronous interfaces.

This can improve throughput and reduce latency between systems by splitting packets and sending fragments over parallel circuits

Error Detection
PPP can take down a link based on the value of the Link Quality Monitor (LQM), which tracks the ratio of corrupted packets to the total number of packets sent. If that ratio crosses a predetermined value, the link can be brought down because its performance is considered outside the accepted limits.

Looped Link Detection
PPP can detect looped links (sometimes created by telco companies) using what is called a Magic Number. Every router has a magic number, and if packets are received carrying the router's own magic number, then the link is looped.

PPP Configuration Commands

To enable PPP:
Router(config-if)#encapsulation ppp

To configure PAP authentication:
Router(config-if)#ppp authentication pap
Router(config-if)#ppp pap username .. password ..

To configure compression:
Router(config-if)#compress [predictor|stack|mppc]

Frame Relay Frame Relay Components

Frame Relay
The switch examines the frame sent by the router, whose header contains an address called the DLCI (Data Link Connection Identifier), and then switches the frame based on the DLCI until it reaches the router on the other side of the network.

Frame Relay networks use permanent virtual circuits (PVCs) or switched virtual circuits (SVCs), but most Frame Relay networks nowadays use permanent virtual circuits (PVCs). The logical path between each pair of routers is called a Virtual Circuit (VC). VCs share the access link and the Frame Relay network. Each VC is committed to a CIR (Committed Information Rate), which is a guarantee by the provider that a particular VC gets at least this much bandwidth.

[Figure: Frame Relay components. On the customer side, a PC, a PBX, video equipment and the desktop/LAN connect to the CPE router (with its controller and port), which provides network access and formats packets in frames. The router's port attaches to the Frame Relay switch across the UNI over an ISDN dial-up connection or a direct connection (for example V.35); PVCs and an SVC run across the Frame Relay network.]

LMI and Encapsulation Types The LMI is a definition of the messages used between the DTE and the DCE. The encapsulation defines the headers used by a DTE to communicate some information to the DTE on the other end of a VC. The switch and its connected router care about using the same LMI; the switch does not care about the encapsulation. The endpoint routers (DTEs) do care about the encapsulation.

LMI The most important LMI message is the LMI status inquiry message. Status messages perform two key functions: Perform a keepalive function between the DTE and DCE. If the access link has a problem, the absence of keepalive messages implies that the link is down. Signal whether a PVC is active or inactive. Even though each PVC is predefined, its status can change. Three LMI protocol options are available in Cisco IOS software: Cisco, ITU, and ANSI.


Each LMI option is slightly different and therefore is incompatible with the other two.

LAPF A Frame Relay-connected router encapsulates each Layer 3 packet inside a Frame Relay header and trailer before it is sent out an access link. The header and trailer are defined by the Link Access Procedure Frame Bearer Services (LAPF) specification. The LAPF framing provides error detection with an FCS in the trailer, as well as the DLCI, DE, FECN, and BECN fields in the header. DTEs use and react to the fields specified by these two types of encapsulation, but Frame Relay switches ignore these fields. Because the frames flow from DTE to DTE, both DTEs must agree to the encapsulation used. However, each VC can use a different encapsulation. In the configuration, the encapsulation created by Cisco is called cisco, and the other one is called ietf.

DLCI Addressing Details The logical path between a pair of DTEs is called a virtual circuit (VC). The data-link connection identifier (DLCI) identifies each individual PVC. When multiple VCs use the same access link, the Frame Relay switches know how to forward the frames to the correct remote sites.

The DLCI is the Frame Relay address describing a Virtual Circuit


DLCI Addressing Details
The difference between Layer-2 addressing and DLCI addressing is mainly due to the fact that the header has a single DLCI field, not both Source and Destination DLCI fields.

Global DLCI Addressing Frame Relay DLCIs are locally significant; this means that the addresses need to be unique only on the local access link. Global addressing is simply a way of choosing DLCI numbers when planning a Frame Relay network so that working with DLCIs is much easier. Because local addressing is a fact, global addressing does not change these rules. Global addressing just makes DLCI assignment more obvious.


The final key to global addressing is that the Frame Relay switches actually change the DLCI value before delivering the frame. The sender treats the DLCI field as a destination address, using the destination's global DLCI in the header. The receiver thinks of the DLCI field as the source address, because it contains the global DLCI of the frame's sender.
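The LAPF header fields named in the LAPF section above (DLCI, FECN, BECN, DE, together with the C/R and EA bits that frame them) and the per-hop DLCI rewriting just described, as an added Python example that is not part of the original notes and not Cisco software. The global DLCI values 41 for Router A and 42 for Router B, the port names "A" and "B" and the payload bytes are constructed for the example; the two-byte address format itself follows Q.922.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example: encode/decode the two-byte LAPF (Q.922) address field and model a
# switch that maps (ingress port, DLCI) to (egress port, DLCI), since DLCIs are
# locally significant and get rewritten on every access link.

@dataclass
class LapfAddress:
    dlci: int
    cr: bool = False       # command/response bit, carried transparently
    fecn: bool = False     # forward explicit congestion notification
    becn: bool = False     # backward explicit congestion notification
    de: bool = False       # discard eligibility

def encode_address(a: LapfAddress) -> bytes:
    """Byte 0: DLCI bits 9-4, C/R, EA=0.  Byte 1: DLCI bits 3-0, FECN, BECN, DE, EA=1."""
    if not 0 <= a.dlci <= 1023:
        raise ValueError("a two-byte address field holds a 10-bit DLCI")
    b0 = ((a.dlci >> 4) << 2) | (int(a.cr) << 1)
    b1 = ((a.dlci & 0x0F) << 4) | (int(a.fecn) << 3) | (int(a.becn) << 2) | (int(a.de) << 1) | 1
    return bytes([b0, b1])

def decode_address(frame: bytes) -> LapfAddress:
    """Parse the address field at the start of a frame; EA bits must read 0 then 1."""
    b0, b1 = frame[0], frame[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("EA bits do not describe a two-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return LapfAddress(dlci, bool(b0 & 0x02), bool(b1 & 0x08), bool(b1 & 0x04), bool(b1 & 0x02))

Hop = Tuple[str, int]      # (access-link port name, DLCI as seen on that link)

class FrameRelaySwitch:
    """Toy switch: a PVC is a pair of (port, DLCI) hops; forwarding rewrites the DLCI
    and leaves the congestion and DE bits untouched."""

    def __init__(self) -> None:
        self.pvcs: Dict[Hop, Hop] = {}

    def add_pvc(self, a: Hop, b: Hop) -> None:
        self.pvcs[a] = b
        self.pvcs[b] = a

    def forward(self, ingress_port: str, frame: bytes) -> Tuple[str, bytes]:
        addr = decode_address(frame)
        key = (ingress_port, addr.dlci)
        if key not in self.pvcs:
            raise LookupError(f"no PVC for DLCI {addr.dlci} on port {ingress_port}")
        egress_port, egress_dlci = self.pvcs[key]
        addr.dlci = egress_dlci
        return egress_port, encode_address(addr) + frame[2:]

if __name__ == "__main__":
    # Global addressing: A's frame to B carries B's global DLCI (42) and arrives at B
    # carrying A's global DLCI (41). Values constructed for this example.
    sw = FrameRelaySwitch()
    sw.add_pvc(("A", 42), ("B", 41))
    frame = encode_address(LapfAddress(42, de=True)) + b"\x03\xcc"   # constructed payload
    port, out = sw.forward("A", frame)
    print(port, decode_address(out))
```

Because the switch only consults its PVC table, a frame sent on a DLCI with no configured circuit is simply undeliverable, which is the behaviour the LMI status messages in the previous section exist to report to the DTE.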

Layer 3 Addressing Cisco's Frame Relay implementation defines three options for assigning subnets and IP addresses on Frame Relay interfaces:
One subnet containing all Frame Relay DTEs
One subnet per VC
A hybrid of the first two options

One Subnet Containing All Frame Relay DTEs The single-subnet option is typically used when a full mesh of VCs exists. In a full mesh, each router has a VC to every other router, so every router can send frames directly to every other router, and all of them can share one subnet.

One Subnet Per VC The subnet-per-VC alternative works better with a partially meshed Frame Relay network, where some pairs of routers have no VC between them.

Hybrid Terminology Point-to-point subinterfaces are used when a single VC is considered to be all that is in the group, for instance between Routers A and D and between Routers A and E. Multipoint subinterfaces are used when more than two routers are considered to be in the same group, for instance Routers A, B, and C.

Frame Relay Address Mapping Mapping creates a correlation between a Layer 3 address (an IP address) and the corresponding Layer 2 address (the DLCI in Frame Relay). It is needed so that, when the router routes a packet toward a next-hop IP address across the Frame Relay cloud, it can place the packet in a frame carrying the DLCI of the correct VC and hand it to the Frame Relay switch.

Mapping Methods Mapping can be done in one of two ways:
Dynamic mapping, using Inverse ARP, which is enabled by default on Cisco routers.
Static mapping, using the frame-relay map command; on that interface you should first disable Inverse ARP with the no frame-relay inverse-arp command.

Inverse ARP Process
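The Inverse ARP exchange, as an added example (not code from the course notes): two routers on one PVC each send an InARP request on the VC, the peer learns the sender's IP from the packet and the DLCI from the local access link it arrived on, and replies so the sender learns the same. The packet layout follows RFC 2390 (hardware type 15 for Frame Relay, 2-octet Q.922 address, opcodes 8 and 9). Two details are modelled as assumptions: the receiver ignores the hardware address inside the packet and uses the arrival DLCI, since DLCIs are local; and a router with Inverse ARP disabled still answers requests and only stops sending its own, which is this example's simplification rather than a statement about IOS. The IP addresses and DLCIs are constructed.

```python
"""Inverse ARP over a Frame Relay PVC: both ends build an IP -> local-DLCI map."""
import ipaddress
import struct
from typing import Optional

HRD_FRAME_RELAY = 15                   # ar$hrd for Frame Relay (RFC 2390)
PRO_IPV4 = 0x0800
OP_INARP_REQUEST, OP_INARP_REPLY = 8, 9
HLN, PLN = 2, 4                        # 2-octet Q.922 address, 4-octet IPv4 address


def q922_address(dlci: int) -> bytes:
    """2-octet Q.922 address field for a DLCI with all flag bits clear (EA 0, then 1)."""
    return bytes([(dlci >> 4) << 2, ((dlci & 0xF) << 4) | 1])


def build_inarp(op: int, local_dlci: int, spa: str, tpa: str = "0.0.0.0") -> bytes:
    """Pack an InARP packet. The hardware address carried is the sender's own local DLCI;
    the receiver ignores it and uses the DLCI the packet arrived on (assumption, see text)."""
    addr = q922_address(local_dlci)
    return (struct.pack("!HHBBH", HRD_FRAME_RELAY, PRO_IPV4, HLN, PLN, op)
            + addr + ipaddress.IPv4Address(spa).packed
            + addr + ipaddress.IPv4Address(tpa).packed)


def parse_inarp(pkt: bytes) -> dict:
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", pkt[:8])
    if (hrd, pro, hln, pln) != (HRD_FRAME_RELAY, PRO_IPV4, HLN, PLN):
        raise ValueError("not a Frame Relay / IPv4 InARP packet")
    body = pkt[8:]                      # sha | spa | tha | tpa
    spa = str(ipaddress.IPv4Address(body[hln:hln + pln]))
    tpa = str(ipaddress.IPv4Address(body[2 * hln + pln:2 * hln + 2 * pln]))
    return {"op": op, "spa": spa, "tpa": tpa}


class Router:
    def __init__(self, name: str, ip: str, inverse_arp: bool = True) -> None:
        self.name, self.ip = name, ip
        self.inverse_arp = inverse_arp  # False models "no frame-relay inverse-arp"
        self.maps: dict = {}            # IP -> local DLCI, what "show frame-relay map" lists
        self.static: set = set()        # IPs pinned with a frame-relay map entry

    def add_static_map(self, ip: str, dlci: int) -> None:
        self.maps[ip] = dlci
        self.static.add(ip)

    def inarp_request(self, dlci: int) -> Optional[bytes]:
        """What the router sends on each active PVC when Inverse ARP is enabled."""
        if not self.inverse_arp:
            return None
        return build_inarp(OP_INARP_REQUEST, dlci, self.ip)

    def receive(self, dlci: int, pkt: bytes) -> Optional[bytes]:
        """Learn the mapping from the arrival DLCI; answer a request with a reply."""
        msg = parse_inarp(pkt)
        if msg["spa"] not in self.static:   # a static map is never overwritten by InARP
            self.maps[msg["spa"]] = dlci
        if msg["op"] == OP_INARP_REQUEST:   # assumption: replies are sent regardless of the flag
            return build_inarp(OP_INARP_REPLY, dlci, self.ip, msg["spa"])
        return None


def run_inarp(a: Router, dlci_a: int, b: Router, dlci_b: int) -> None:
    """One PVC, a's local DLCI dlci_a <-> b's local DLCI dlci_b, exchanged in both directions."""
    for sender, s_dlci, receiver, r_dlci in ((a, dlci_a, b, dlci_b), (b, dlci_b, a, dlci_a)):
        req = sender.inarp_request(s_dlci)
        if req is None:
            continue
        reply = receiver.receive(r_dlci, req)
        if reply is not None:
            sender.receive(s_dlci, reply)


if __name__ == "__main__":
    atlanta, boston = Router("Atlanta", "10.1.1.1"), Router("Boston", "10.1.1.2")
    run_inarp(atlanta, 102, boston, 201)
    print(atlanta.name, atlanta.maps, boston.name, boston.maps)
```

Each side ends up with the other's IP keyed to its own local DLCI (102 on Atlanta, 201 on Boston), which is exactly why the hardware address inside the packet cannot be trusted across the cloud. Nothing authenticates the IP a peer claims in its request, so a static map is the only way to pin a mapping on a VC where that matters.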

Frame Relay Configuration

Frame Relay Verification

Integrated Services Digital Network (ISDN) ISDN Protocols

BRI & PRI B and D Channels

LAPD & PPP on D and B Channels

LAPD is used as the data-link protocol across an ISDN D channel. A router with an ISDN interface needs to send and receive signaling messages to and from the local ISDN switch to which it is connected, and LAPD is the data-link protocol that delivers those messages across the D channel to the local switch. The call setup and teardown messages themselves are defined by the Q.931 protocol. So the local switch can receive a Q.931 call setup request from a router over the LAPD-controlled D channel, and it reacts to that Q.931 message by setting up a circuit across the public network. An ISDN switch often requires some form of authentication from the device connecting to it. Switches use a free-form decimal value, called the service profile identifier (SPID), for this purpose: before any Q.931 call setup messages are accepted, the switch asks for the configured SPID values, and if they match what is configured in the switch, call setup flows are accepted. This is identification rather than strong authentication: the SPID is a static value sent in the clear over the D channel.

PRI Encoding and Framing ISDN PRI in North America is based on a digital T1 circuit. T1 circuits use one of two encoding schemes: Alternate Mark Inversion (AMI) or Binary 8 with Zero Substitution (B8ZS). The two framing options on a T1 are Extended Super Frame (ESF) and the older Super Frame (SF). In most cases today, new T1s use ESF.

DDR (Dial-on-Demand Routing) You can configure DDR in several ways, including legacy DDR and DDR dialer profiles. The main difference between the two is that legacy DDR ties the dial details to a physical interface, whereas dialer profiles decouple the dial configuration from the physical interface, allowing a great deal of flexibility.

Legacy DDR Operation
1. Route packets out the interface to be dialed.
2. Determine the subset of the packets that trigger the dialing process.
3. Dial (signal).
4. Determine when the connection is terminated.

DDR Step 1: Routing Packets Out the Interface to Be Dialed DDR does not dial until some traffic is routed out the dial interface. Cisco's design for DDR defines that the router receives user-generated traffic and, through its normal routing process, decides to forward it out the interface to be dialed, queuing the packets on that interface. For example, when the router (SanFrancisco) routes a packet out BRI0, that routing decision is what triggers the Cisco IOS software to consider dialing.

DDR Step 2: Determining the Interesting Traffic Packets that are worthy of causing the router to dial are called interesting packets. Interesting traffic can be defined in two ways. In the first method, all packets of one or more Layer 3 protocols are interesting. In the second method, a packet is interesting if it is permitted by an access list, which lets you exclude traffic such as routing updates that would otherwise keep the line up.

DDR Step 3: Dialing (Signaling) This step defines the phone number to be dialed. The command is dialer string, followed by the phone number; it is used when the router dials only one site.

When the router dials more than one site, the dialer map command maps each next-hop IP address to the phone number (dial string) of the router reached by dialing it.
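The four legacy DDR steps above, as an added example that is not code from the course notes: a Python model of a dial interface that routes a packet, classifies it against an interesting-traffic access list, dials when the line is down, lets uninteresting traffic ride an already-up call without resetting the idle timer, and tears the call down on idle timeout. The access-list semantics are simplified to protocol, destination network, optional destination port, first match wins and implicit deny; the dialer map is a dictionary of next-hop IP to dial string; the routes, addresses, phone number and packet timestamps are constructed.

```python
"""Legacy DDR decision logic: route, classify interesting traffic, dial, idle-timeout teardown."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    time: float = 0.0   # seconds on a simulated clock


@dataclass(frozen=True)
class AclEntry:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    dst: str            # destination network in CIDR form
    dport: Optional[int] = None


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First match wins, implicit deny at the end, as in an IOS extended access list."""
    for entry in acl:
        if entry.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(entry.dst):
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        return entry.action == "permit"
    return False


@dataclass
class DialInterface:
    dialer_map: dict                # next-hop IP -> dial string (the dialer map command)
    routes: dict                    # destination CIDR -> next-hop IP reached via this interface
    interesting: list               # access list referenced by the dialer list
    idle_timeout: float = 120.0     # seconds without interesting traffic before hangup
    connected_to: Optional[str] = None
    last_interesting: float = 0.0
    log: list = field(default_factory=list)

    def next_hop(self, pkt: Packet) -> Optional[str]:
        """Step 1: longest-prefix lookup; None means the packet is not routed out this interface."""
        best = None
        for cidr, nh in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ipaddress.ip_address(pkt.dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None

    def expire(self, now: float) -> None:
        """Step 4: tear the call down once no interesting traffic was seen for idle_timeout."""
        if self.connected_to and now - self.last_interesting >= self.idle_timeout:
            self.log.append(f"t={now}: idle timeout, disconnected {self.connected_to}")
            self.connected_to = None

    def send(self, pkt: Packet) -> str:
        self.expire(pkt.time)
        nh = self.next_hop(pkt)
        if nh is None:
            return "not-routed"
        interesting = acl_permits(self.interesting, pkt)            # step 2
        if self.connected_to is None:
            if not interesting:
                return "dropped: line down and packet not interesting"
            number = self.dialer_map.get(nh)
            if number is None:
                return f"dropped: no dialer map for next hop {nh}"
            self.connected_to = number                               # step 3: dial
            self.log.append(f"t={pkt.time}: dialed {number}")
        if interesting:
            self.last_interesting = pkt.time   # only interesting traffic keeps the call up
        return "sent"


# Constructed configuration: RIP updates (UDP 520) are excluded so they never dial or hold the line.
BRI0 = DialInterface(
    dialer_map={"10.1.1.2": "5551234"},
    routes={"10.1.1.0/24": "10.1.1.2", "192.168.5.0/24": "10.1.1.2"},
    interesting=[AclEntry("deny", "udp", "0.0.0.0/0", 520), AclEntry("permit", "ip", "192.168.5.0/24")],
)

if __name__ == "__main__":
    for p in (Packet("192.168.5.10", "tcp", 80, 2), Packet("10.1.1.2", "udp", 520, 60),
              Packet("10.1.1.2", "udp", 520, 130)):
        print(p.time, BRI0.send(p), BRI0.connected_to)
    print("\n".join(BRI0.log))
```

The deny entry for UDP 520 is the usual reason DDR access lists exist: a routing protocol's periodic updates would otherwise dial the link and hold it up forever, so they are allowed to ride an existing call but never count as interesting.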

Configuring SPIDs You might need to configure the Service Profile Identifier (SPID) for one or both B channels, depending on the switch's expectations. When the telco switch has SPIDs configured, it might not allow the BRI line to work unless the router announces the correct SPID values to the switch. SPIDs, when used, provide a basic authentication feature.

ISDN PRI Configuration
1. Configure the type of ISDN switch to which this router is connected.
2. Configure the T1 or E1 encoding and framing options (controller configuration mode).
3. Configure the T1 or E1 channel range for the DS0 channels used on this PRI (controller configuration mode).
4. Configure any interface settings (for example, PPP encapsulation and IP address) on the interface representing the D channel.
PRI Configuration Commands

ISDN Switch Types

Configuring a T1 or E1 Controller Your service provider will tell you what encoding and framing to configure on the router. Also, in almost every case, you will use all 24 DS0 channels of a T1 PRI: 23 B channels plus the D channel (an E1 PRI provides 30 B channels plus the D channel).

DDR With Dialer Profiles Dialer profiles pool the physical interfaces so that the router uses any available B channel on any of the BRIs or PRIs in the pool. Dialer profiles configuration moves most of the DDR interface configuration to a virtual interface called a dialer interface.

Dialer Profiles Configuration