2500 Routers
Layer 2 is MAC Address Based; data is in frames. Layer 3 is IP Based; data is in packets.
NAT; three versions:
· 1:1 NAT – SNAT
· Many:Several – Queue based for several Links
· Many:1 – Port based. Sometimes called ‘PAT’.
NAT changes source MAC address on NAT’d traffic.
Data flow:
· Host > ARP > MAC Address > Finds router’s MAC as dest. is out of subnet.
· Router stores Source IP, Source Port, Destination IP and Destination Port in NAT Table and removes MAC Addressing.
· Router > ARP > MAC Address destination
· Frame is delivered with source MAC address set as router, but IP set as the original source.
Source port is random number generated by host.
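The Many:1 (port based) NAT table described above, as an added model in Python. This is not IOS code and not from the original notes; addresses and ports are constructed, and the router is assumed to hand out translated ports sequentially from 1024.

```python
# Constructed example (not IOS code): a model of the many:1 / port-based NAT table
# described above. Inside hosts share one outside address; the port the router
# allocates is what tells returning packets apart.

class PortNat:
    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.first_free = first_port
        self.outbound_map = {}   # (src ip, src port, dst ip, dst port) -> allocated port
        self.inbound_map = {}    # (allocated port, dst ip, dst port) -> (src ip, src port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->outside packet; create a table entry on first sight."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            port = self.first_free
            self.first_free += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.outside_ip, self.outbound_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside->inside packet back to the original host, or return
        None (drop) when no entry exists: unsolicited inbound traffic has nowhere to go."""
        if dst_ip != self.outside_ip:
            return None
        inside = self.inbound_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])
```

Two inside hosts that happen to pick the same source port still get distinct outside ports, which is the whole reason the table keys on ports.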
Routes & Routing Protocols
You can use either Static Routes or Dynamic Routes.
To add a static route:
# ip route 172.22.10.0 255.255.255.0 172.22.1.1 (The last address is the next hop)
To set the default gateway:
# ip route 0.0.0.0 0.0.0.0 10.0.0.3 (The last address is the next hop)
Routing Protocols; three types:
· Distance Vector Algorithm – both the distance (hops) and the direction to take are given to other routers. RIP, IGRP
· Link State – provides information about the topology of the network in its immediate vicinity. Link State Advertisements. Other routers decide the best route. OSPF
· Hybrid – EIGRP
Link state has a much greater overhead, as routers have to work out the best route themselves. It is faster in the event of a failure because routers have already worked out not only the SPF (shortest path) but also the next shortest path. Passes only updates when changes are made. Metric is the path cost.
Distance Vector protocols like RIP send out the entire routing table at regular intervals, even if no changes have taken place. Metric is the number of hops. RIP is broadcast.
Path cost is derived from the bandwidth values configured manually on the interfaces.
Routing Protocols Continued – RIP / EIGRP
Autonomous Systems (AS) – groups of routers used with EIGRP and OSPF to define where updates are sent to. This way updates are multicast, not broadcast.
Administrative distance: trustworthiness of a routing table entry:
· EIGRP – 90
· IGRP – 100
· OSPF – 110
· RIP – 120
· Static – 1
Problems: RIP – Count to Infinity
Solutions:
Split Horizon – a route is not advertised back out on the interface from where it was received.
Poison Reverse – Set infinity to a low variable, i.e. 16
To enable RIP:
# router rip
# network 172.22.0.0 – only the classful portion of the network
To enable EIGRP:
# router eigrp 100 – 100 is the AS group
# network 172.22.0.0 – again only the classful portion of the network
For classless addressing (the second argument is a wildcard mask):
# network 172.22.0.0 0.0.0.255
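How a router chooses between the static routes shown earlier and the same prefix learned by several protocols, as an added Python model (not IOS code, not from the original notes). It assumes the administrative distances listed above and a constructed routing table; the next-hop addresses are made up.

```python
# Constructed example: how a router picks a route. Longest prefix match first,
# then administrative distance (lower is more trusted) breaks ties between
# protocols offering the same prefix. Real IOS installs only the lowest-AD route
# per prefix in its table, but the outcome of the lookup is the same.

ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110, "rip": 120}

def to_int(dotted):
    """Dotted-quad string to 32-bit integer."""
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def route(network, mask, next_hop, source):
    """One routing-table entry; 0.0.0.0 0.0.0.0 is the default route."""
    return {"net": to_int(network), "mask": to_int(mask), "next_hop": next_hop,
            "source": source, "prefix_len": bin(to_int(mask)).count("1")}

def lookup(table, dest):
    """Return the next hop for dest, or None if no route (not even a default) matches."""
    d = to_int(dest)
    candidates = [r for r in table if (d & r["mask"]) == r["net"]]
    if not candidates:
        return None
    # Most specific prefix wins; among equal prefixes, the lowest administrative distance.
    best = max(candidates, key=lambda r: (r["prefix_len"], -ADMIN_DISTANCE[r["source"]]))
    return best["next_hop"]

# Constructed table: the page's two static routes plus one /16 learned by both RIP and OSPF.
TABLE = [
    route("172.22.10.0", "255.255.255.0", "172.22.1.1", "static"),
    route("0.0.0.0", "0.0.0.0", "10.0.0.3", "static"),
    route("172.22.0.0", "255.255.0.0", "10.0.0.120", "rip"),
    route("172.22.0.0", "255.255.0.0", "10.0.0.110", "ospf"),
]
```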
Routing Protocols
RIP – Metric is number of hops.
OSPF is a Link State Routing Protocol that is cross-vendor compliant. Uses AS.
EIGRP – Cisco Proprietary, fast in large network environments. Replaces IGRP. Uses multicast, only sends updates when things change. Metric is based on the configured bandwidth value. Also supports AppleTalk, IP and IPX. Uses AS.
Passive interfaces can be set up in order to prevent routing protocol data being sent out.
RIP does not support Variable Length Subnet Masks (VLSM) – EIGRP / OSPF / RIPv2 do.
Use # show ip protocols to view the metric calculation for EIGRP.
ISDN
In the UK the ISDN switch type is basic-net3.
Two types of ISDN:
BRI – Basic Rate Interface – 64K B Channel, 16K D Channel
PRI – Primary Rate Interface – Multiple B Channels, 64K D Channel
NO modulation / demodulation needed – digital connection from end-to-end.
Call setup is almost instant, expensive to run but cheap to own. A good backup line.
Line is divided into channels, a signalling channel known as ‘D’ and a data channel known as ‘B.’
PRI uses 30 ‘B’ channels in the UK and 23 in the US.
ACLs are used to define ‘interesting traffic’ so that traffic such as RIP packets will not activate a costly dial-up interface such as ISDN. This type of ACL is called a dialer-list.
ISDN Continued
ISDN Configuration:
Access Lists
Two types:
· Standard – 1 – 99. Uses only Source IP Address for filtering
· Extended – 100 – 199. Uses Source or Destination IP and Port
Used for:
· Filtering and security
· Defining interesting traffic for use in dialup connections
· QoS
A single interface can have two ACLs, one inbound and one outbound.
Inbound: the ACL is processed prior to inspection of the routing table. If a match is found it is either dropped if deny is in use, or sent to be routed.
Outbound: the ACL is processed after the packet has been routed and is passed out of an interface.
Implicit Deny All exists at the end of all ACLs and is not visible when viewed on the device.
Keywords such as ‘any’ and ‘telnet’ can be used in extended ACLs.
Access Lists cont.
As well as numbered ACLs it is possible to have named ACLs.
Two approaches:
· Permit with Implicit Deny All
· Deny with Permit All
Numbered ACLs cannot be modified, named ACLs can be modified. In order to modify a numbered ACL it must be recreated from scratch.
A standard ACL:
# access-list 10 permit 172.22.10.0 0.0.0.255 (implicit deny all)
An extended ACL:
# access-list 101 permit tcp 172.22.10.0 0.0.0.0 any eq 23
# access-list 101 permit tcp any any eq 80 (implicit deny all)
It is possible to assign ACLs to VTYs:
# access-list 12 permit 172.22.10.0 0.0.0.255
# line vty 0 4
# access-class 12 in
To view an ACL:
# show access-lists 101 – will display hits on the ACL
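The ACL evaluation rules from the two Access Lists sections (ordered first-match, wildcard masks, the invisible implicit deny, per-entry hit counts), as an added Python model that is not IOS code and not from the original notes. It reconstructs lists 10 and 101 exactly as written above; the packets fed to it are constructed.

```python
# Constructed example (not IOS code): a model of how a router walks an access list.
# Each entry is tried in order, the first match decides, and a packet that matches
# nothing hits the invisible implicit deny. Hit counts mimic 'show access-lists'.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: all-ones wildcard

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def entry(action, proto, src, dst, dport=None):
    """One entry; src/dst are (address, wildcard) pairs, dport None means any port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "hits": 0}

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for a packet; first match wins, implicit deny last."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src_ip, *ace["src"]):
            continue
        if not wildcard_match(dst_ip, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        ace["hits"] += 1
        return ace["action"]
    return "deny"                       # implicit deny all, never shown on the device

def show_access_list(acl):
    """Per-entry (action, hits), the way 'show access-lists' reports matches."""
    return [(ace["action"], ace["hits"]) for ace in acl]

# The page's lists, reconstructed. Note the 0.0.0.0 wildcard on list 101's first
# entry: it matches exactly one address, 172.22.10.0, not the whole /24.
ACL_10 = [entry("permit", "ip", ("172.22.10.0", "0.0.0.255"), ANY)]
ACL_101 = [
    entry("permit", "tcp", ("172.22.10.0", "0.0.0.0"), ANY, 23),
    entry("permit", "tcp", ANY, ANY, 80),
]
```

Running a host such as 172.22.10.5 against list 101 on port 23 shows the wildcard pitfall: it is denied, because only 172.22.10.0 itself matches the first entry.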
Troubleshooting:
Telnet – Try to telnet to the device and view its configuration.
Ping – See if the device is active and functioning.
Trace – Find where traffic is stopping.
Debug – Very useful, but heavy overhead if too much debug is enabled.
# debug dialer – will debug dialer events
# debug ppp authentication – debug PPP authentication issues
# debug ppp negotiation – debug PPP encapsulation negotiation
# debug isdn q921 – debug layer 2 ISDN
# debug isdn q931 – debug layer 3 ISDN
To see debug output on a vty session, use terminal monitor.
In-band / out-of-band access
UP / UP – Interface is working
UP / DOWN – Interface is up but the other end is not connected / no clock pulse / no hello pulse
DOWN / DOWN – Not connected / configured
Administratively Down – Shut by ADMIN
IP Addressing / Subnetting
IP Address Range Class:
· Class A: 1.0.0.0 – 127.255.255.255
· Class B: 128.0.0.0 – 191.255.255.255
· Class C: 192.0.0.0 – 223.255.255.255
An IP Address is comprised of 32 Bits, or 4 octets.
HEX / DEC / BIN
Notes on conversion from HEX > DEC, DEC > BIN, BIN > HEX
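The subnetting arithmetic and the HEX / DEC / BIN conversions from the two sections above, as an added Python example (not from the original notes). It uses the class ranges listed above and also derives the ACL wildcard from the mask, which ties the two earlier sections together; input addresses are constructed.

```python
# Constructed example: the subnetting arithmetic behind the notes above. The
# mask selects the network bits; the wildcard (its inverse) is what ACLs use.

def to_int(dotted):
    """Dotted-quad string to 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_class(dotted):
    """Classful range from the first octet, per the table above."""
    first = int(dotted.split(".")[0])
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"

def subnet_info(dotted, mask):
    """Network, broadcast, prefix length, usable hosts and ACL wildcard for ip/mask."""
    ip, m = to_int(dotted), to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if (host_bits + 1) & host_bits:          # non-contiguous mask such as 255.255.0.255
        raise ValueError(f"mask {mask} is not contiguous")
    prefix = bin(m).count("1")
    return {
        "class": address_class(dotted),
        "network": to_dotted(ip & m),
        "broadcast": to_dotted((ip & m) | host_bits),
        "prefix": prefix,
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
        "wildcard": to_dotted(host_bits),
    }

def conversions(dotted):
    """The HEX / DEC / BIN forms of one address, as in the conversion notes."""
    value = to_int(dotted)
    return {
        "dec": value,
        "hex": f"{value:08X}",
        "bin": ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
    }
```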
CDP
Cisco Discovery Protocol; will find any directly attached Cisco Devices and tell you:
· IP
· Device Model
· Connecting Port
NOT routed, will only see directly attached devices.
Both devices need CDP to be running.
To enable CDP:
# cdp run
To view connected devices:
# show cdp neighbors
Serial Links & WAN Protocols
Three types of WAN:
· Point to Point Leased Line
· Dialup / Switched
· Packet Switching
One end is the DCE end, the other is DTE. At the DCE end a clock rate is set, at the DTE end no clock is set.
To see which end is the DCE / DTE end:
# show controllers s0
Supports multiple encapsulations:
· PPP – Industry Standard, all manufacturers
· HDLC – Cisco Proprietary
· Frame-relay – Used in packet switching
WAN Protocols
PPP has two elements:
· LCP – Link Control Protocol – establishes connection – i.e. authentication, compression.
· NCP – Network Control Protocol – establishes protocol and physical connection.
LCP allows for Authentication, Compression and Multilink (the use of multiple lines as a single virtual line)
PAP
· Clear text passwords
· No Challenge
· One time only authentication
CHAP
· Encrypted Passwords
· Challenge Response
· Regular Authentication
· Password challenge varies each time (uses random number)
PPP Configuration
PPP is commonly used on WAN connections and is compatible across manufacturers, whereas HDLC is Cisco proprietary.
To enable ppp: # encapsulation ppp
To enable PAP authentication: # ppp authentication pap
To enable CHAP authentication: # ppp authentication chap
It is necessary to set usernames and passwords within global configuration like so:
(config)# username router2 password cisco
Where ‘router2’ is the remote router to which you want to connect.
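The CHAP challenge/response exchange from the WAN Protocols section, wired to the ‘username router2 password cisco’ entry above, as an added Python model (not IOS code, not from the original notes). It follows the RFC 1994 response formula, MD5(identifier || secret || challenge), and shows why a captured response cannot be replayed against a fresh challenge.

```python
# Constructed example (not IOS code): the CHAP three-way handshake described above,
# following RFC 1994: response = MD5(identifier || secret || challenge). The secret
# never crosses the link and the random challenge changes each time, so a captured
# response cannot be replayed. Names and secrets mirror 'username router2 password cisco'.
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """What the peer sends back; only someone holding the secret can compute it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The router that issues challenges; peers is {name: secret}, like IOS 'username'."""
    def __init__(self, peers):
        self.peers = peers
        self.pending = {}          # identifier -> challenge we are waiting on

    def challenge(self, identifier):
        value = os.urandom(16)     # fresh random challenge every time
        self.pending[identifier] = value
        return value

    def verify(self, identifier, name, response):
        """One-shot check: the pending challenge is consumed whether it succeeds or not."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or name not in self.peers:
            return False
        expected = chap_response(identifier, self.peers[name], challenge)
        return hmac.compare_digest(expected, response)

class Peer:
    """The remote router being authenticated."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)

def run_handshake(authenticator, peer, identifier=1):
    """Challenge, response, verify; returns (success, response) so the response can be inspected."""
    challenge = authenticator.challenge(identifier)
    name, response = peer.answer(identifier, challenge)
    return authenticator.verify(identifier, name, response), response
```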
Frame-Relay
Uses Virtual Connections (VC) to link sites, therefore low cost. FR uses Packet Switching for data transmission.
Two Types of VC:
Permanent (PVC) – fixed cost
Switched (SVC) – Pay As You Go
Committed Information Rate (CIR) – the user purchases a guaranteed bandwidth level but can transfer data at a higher speed if capacity exists within the FR network. If the network is under heavy load this excess data is discarded. Data sent over the CIR is marked Discard Eligible (DE).
Router is connected to a frame switch which uses the LMI Protocol:
· Used to send configuration data and status information
· LMI is local. It only runs between the local router and the FR Switch; it does not traverse the cloud.
LMI is used for reverse ARP to find the DLCI number of the next hop.
Data is encapsulated over the FR network.
Three speeds in FR:
· Delivery to cloud
· Time to cross cloud
· Delivery to destination
Frame Relay – Contd.
DLCI – data-link connection identifier – the addressing system is given to the source for delivery to the destination; the DLCI is not associated with the destination itself, rather with the connection used to reach the destination.
Congestion-Control Mechanisms:
· Forward-explicit congestion notification (FECN)
· Backward-explicit congestion notification (BECN)
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/frame.htm
Data flow: the local router only knows the DLCI of the remote router; the DLCI is used to find the IP address using LMI reverse ARP.
Security
To use an ACL to filter access to the router via telnet use the following commands:
# access-list 12 permit 192.168.1.0 0.0.0.255
(config)# line vty 0 4
(config)# access-class 12 in
To set a password for enable mode:
To set an encrypted password for enable mode: