CCNA Review

Building a Simple Network

Exploring the Functions of Networking

What Is a Network?

Resource-Sharing Functions and Benefits

Data and applications

Resources

Network storage

Backup devices

Characteristics of a Network

Speed

Cost

Security

Availability

Scalability

Reliability

Topology


OSI Layer

Why a Layered Network Model?

Reduces complexity

Standardizes interfaces

Facilitates modular engineering

Ensures interoperable technology

Accelerates evolution

Simplifies teaching and learning

The Seven Layers of the OSI Model

Data Encapsulation

Data De-Encapsulation

Peer-to-Peer Communication

Unshielded Twisted-Pair Cable

Speed and throughput: 10 to 1000 Mb/s

Average cost per node: Least expensive

Media and connector size: Small

Maximum cable length: Varies

RJ-45 Connector

Cable 10BASE-T/

100BASE-TX Straight-Through

Pin Label Pin Label

1

2

3

4

5

6

7

8

TX+

TX-

RX+

NC

NC

RX-

NC

NC

1

2

3

4

5

6

7

8

TX+

TX-

RX+

NC

NC

RX-

NC

NC

Straight-Through Cable

Wires on cable ends

are in same order.

UTP Implementation (Straight-Through)

Cable 10BASE-T or

100BASE-TX Straight-Through Crossover Cable

Some wires on cable

ends are crossed.

Pin Label Pin Label

1

2

3

4

5

6

7

8

TX+

TX-

RX+

NC

NC

RX-

NC

NC

1

2

3

4

5

6

7

8

TX+

TX-

RX+

NC

NC

RX-

NC

NC

EIA/TIA T568A EIA/TIA T568B

UTP Implementation (Crossover)

UTP Implementation: Straight-Through vs. Crossover

Using Varieties of UTP

© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-23


Understanding the Data Link Layer of

OSI

Network Interface Card

MAC Address Components

MAC Addresses

Physical Topology Categories

IP Addressing and Subnetting

Constructing a Network Addressing Scheme

Why IP Addresses?

They uniquely identify each device on an IP network.

Every host (computer, networking device, peripheral) must have a unique address.

Host ID:

– Identifies the individual host

– Is assigned by organizations to individual devices

IP Address Format: Dotted Decimal Notation

The binary-to-decimal and decimal-to-

binary conversion will be detailed later

in this course.

IP Address Classes: The First Octet

IP Address Ranges

*127 (01111111) is a Class A address reserved for loopback testing and cannot be assigned to a network.

Reserved Address

Public IP Addresses

Private IP Addresses

Class Private Address Range

A 10.0.0.0 to 10.255.255.255

B 172.16.0.0 to 172.31.255.255

C 192.168.0.0 to 192.168.255


Internetworking Fundamentals

Internetwork Operating System

Cisco IOS Software

Features to carry the chosen network protocols and functions

Connectivity for high-speed traffic between devices

Security to control access and prohibit unauthorized network use

Scalability to add interfaces and capability as needed for network growth

Reliability to ensure dependable access to networked resources

External Configuration Sources

Configurations can come from many sources.

Configurations will act in device memory.

CLI is used to enter commands.

Operations vary on different internetworking devices.

Users type or paste entries in the console command modes.

Command modes have distinctive prompts.

Enter key instructs device to parse and execute the command.

Two primary EXEC modes are user mode and privileged mode.

Cisco IOS User Interface Functions

There are two main EXEC modes for entering commands.

Cisco IOS Software EXEC Mode (User)

Cisco IOS Software EXEC Mode (Privileged)

Switch Command-Line Help Facilities

Viewing the Configuration

Displays the current and saved configuration

show running-config and show startup-config Commands

Overview of Router Modes

Accessing the Cisco IOS Device Console

Telnet

Aux Port

Configuring Router Identification

Console-Line Commands

RouterX(config)#line console 0 RouterX(config-line)#exec-timeout 20 30

RouterX(config)#line console 0 RouterX(config-line)#logging synchronous

Modifies console session timeout

Redisplays interrupted console input

Configuring a Router Password

RouterX(config)#interface type number

RouterX(config-if)#

type includes serial, ethernet, token ring, fddi, hssi, loopback, dialer, null, async, atm, bri, tunnel, and so on

number is used to identify individual interfaces

RouterX(config-if)#exit

Quits from current interface configuration mode

RouterX(config)#interface type slot/port

RouterX(config-if)#

For modular routers, selects an interface

Configuring an Interface

RouterX(config-if)# description string

string is a comment or a description to help you remember what is attached to this interface.

The maximum number of characters for the string argument is 238.

Configuring an Interface Description

RouterX#configure terminal

RouterX(config)#interface serial 0

RouterX(config-if)#no shutdown

%LINK-3-UPDOWN: Interface Serial0, changed state to up

%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up

Enables an interface that is administratively shut down

RouterX#configure terminal

RouterX(config)#interface serial 0

RouterX(config-if)#shutdown

%LINK-5-CHANGED: Interface Serial0, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

Administratively turns off an interface

Disabling or Enabling an Interface

Unique addressing allows communication between end stations

Path choice is based on destination address

Configuring IP Addresses

Saving Configurations

Copies the current configuration to NVRAM

RouterX#

RouterX#copy running-config startup-config

Destination filename [startup-config]?

Building configuration…

RourterX#

Interpreting the Interface Status

Catalyst 2960 Switch LED Indicators

Configuration modes:

Global configuration mode

– SwitchX#configure terminal

– SwitchX(config)#

Interface configuration mode

– SwitchX(config)#interface fa0/1

– SwitchX(config-if)#

Configuring the Switch

Sets the local identity for the switch

Configuring Switch Identification

Example:

SwitchX(config)#interface vlan 1

SwitchX(config-if)#ip address 10.5.5.11 255.255.255.0

SwitchX(config-if)#no shutdown

Note: It is necessary to use the no shutdown command to make the

interface operational.

SwitchX(config)#interface vlan 1

SwitchX(config-if)#ip address {ip address} {mask}

Configuring the Switch IP Address

SwitchX(config)#ip default-gateway 172.20.137.1

Example:

SwitchX(config)#ip default-gateway {ip address}

Configuring the Switch Default Gateway

Saving Configurations

Copies the current configuration to NVRAM

SwitchX

SwitchX copy running-config startup-config

Destination filename [startup-config]?

Building configuration…

SwitchX

Laboratory

Routing Operations

A router needs to do the following:

Know the destination address.

Identify the sources from which the router can learn.

Discover possible routes to the intended destination.

Select the best route.

Maintain and verify routing information.

Router Operations

Routers must learn destinations that are not directly connected.

Router Operations (Cont.)

Static route

Uses a route that a network administrator enters into the router manually

Dynamic route

Uses a route that a network routing protocol adjusts automatically for topology or traffic changes

Identifying Static and Dynamic Routes

Static Routing

Static Routes

Configure unidirectional static routes to and from a stub network to allow communications to occur.

Defines a path to an IP destination network or subnet or host

Address = IP address of the next hop router

Interface = outbound interface of the local router

RouterX(config)# ip route network [mask] {address | interface}[distance] [permanent]

Static Route Configuration

Static Route Example

This is a unidirectional route. You must have a route configured in the

opposite direction.

RouterX(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.1

Router(config)#ip route 172.16.1.0 255.255.255.0 s0/0/0

or

Default Routes

This route allows the stub network to reach all known networks beyond

Router A.

Verifying the Static Route Configuration

RouterX# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

10.0.0.0/8 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, Serial0/0/0

S* 0.0.0.0/0 is directly connected, Serial0

Example

Laboratory 2

Given the topology below, configure static or default routing so that all network are

reachable.

Variable Length Subnetmasking

Variable Length Subnetmasking

25 hosts

Router A

20 hostsRouter B

12 hostsRouter C

9 hostsRouter D

3 hostsRouter E

HQ

Long Method…

N N N SN SN SN VLS

M 1

VLS

M 2

VLS

M 3

192 . 168 . 5 . X X X X X X X X

SN 1 192 . 168 . 5 . 0 0 0

LAN A (192.168.5.32)

SN 2 192 . 168 . 5 . 0 0 1 0 0 0 0 1 .33

1 1 1 1 0 .62

LAN B (192.168.5.64)

SN 3 192 . 168 . 5 . 0 1 0 0 0 0 0 1 .65

1 1 1 1 0 .94

LAN C (192.168.5.96)

SN 4 192 . 168 . 5 . 0 1 1 0 0 0 0 1 .97

1 1 1 0 .126

LAN D (192.168.5.112)

SN 5 192 . 168 . 5 . 0 1 1 1 0 0 0 1 .113

1 1 1 0 .126

LAN E (192.168.5.128)

SN 6 192 . 168 . 5 . 1 0 0 0 0 0 0 1 .129

1 1 0 .134

WAN A (192.168.5.136)

1 0 0 0 1 0 0 1 .137

1 0 .138

WAN B (192.168.5.140)

1 0 0 0 1 1 0 1 .141

1 0 .142

WAN C (192.168.5.144)

1 0 0 1 0 0 0 1 .145

1 0 .146

WAN D (192.168.5.148)

1 0 0 1 0 1 0 1 .149

1 0 .150

WAN E (192.168.5.152)

1 0 0 1 1 0 0 1 .153

1 0 .154

Shortcut ….. 25 hosts

Router A

20 hostsRouter B

12 hostsRouter C

9 hostsRouter D

3 hostsRouter E

HQ

192.168.5.32/27

192.168.5.64/27

192.168.5.96/28

192.168.5.112/28

192.168.5.128/29

192.168.5.136/30

192.168.5.140/30

192.168.5.144/30

192.168.5.148/30

192.168.5.152/30

No. of host bits

(m)

No. of to accommodate

Network

Address Prefix

hosts hosts required 2m (prev NA + 2m) /(32-m)

LAN A 25 5 32 192.168.5.32 /27

LAN B 20 5 32 192.168.5.64 /27

LAN C 12 4 16 192.168.5.96 /28

LAN D 9 4 16 192.168.5.112 /28

LAN E 3 3 8 192.168.5.128 /29

WAN A 2 2 4 192.168.5.136 /30

WAN B 2 2 4 192.168.5.140 /30

WAN C 2 2 4 192.168.5.144 /30

WAN D 2 2 4 192.168.5.148 /30

WAN E 2 2 4 192.168.5.152 /30

seatwork

A Class C network 192.168.100.0/24

is assigned. You need to create an

IP plan for this network using VLSM.

Please fill-out the vlsm table

No. of

Hbits to

accommodate

Network

Address Prefix

hosts hosts required 2m (prev NA + 2m)

/(32-

m)

LAN A 50

LAN B 27

LAN C 12

LAN D 12

WAN E 2

WAN F 2

WAN G 2

WAN H 2

Enabling RIP

Routing protocols are used between routers to determine paths and maintain routing tables.

After the path is determined, a router can route a routed protocol.

What Is a Routing Protocol?

An autonomous system is a collection of networks under a common administrative domain.

IGPs operate within an autonomous system.

EGPs connect different autonomous systems.

Autonomous Systems: Interior or Exterior Routing Protocols

Classes of Routing Protocols

Administrative Distance: Ranking Routes

Classful Routing Protocol

Classful routing protocols do not include the subnet mask with the route advertisement.

Within the same network, consistency of the subnet masks is assumed.

Summary routes are exchanged between foreign networks.

These are examples of classful routing protocols:

– RIPv1

– IGRP

Classless Routing Protocol

Classless routing protocols include the subnet mask with the route advertisement.

Classless routing protocols support a variable-length subnet mask (VLSM).

Summary routes can be manually controlled within the network.

These are examples of classless routing protocols:

– RIPv2

– EIGRP

– OSPF

– IS-IS

Routers pass periodic copies of their routing table to neighboring routers and accumulate distance vectors

Distance Vector Routing Protocols

Routers discover the best path to destinations from each neighbor.

Sources of Information and Discovering Routes

Maximum is 16 equal-cost paths (default = 4)

Hop-count metric selects the path

Routes update every 30 seconds

RIP Overview

RIPv1 and RIPv2 Comparison

RIPv1 RIPv2

Routing protocol Classful Classless

Supports variable-length subnet mask? No Yes

Sends the subnet mask along with the routing update?

No Yes

Addressing type Broadcast Multicast

Defined in … RFC 1058 RFCs 1721,

1722, and 2453

Supports manual route summarization? No Yes

Authentication support? No Yes

Router configuration

– Select routing protocols

– Specify networks or interfaces

IP Routing Configuration Tasks

Starts the RIP routing process

RouterX(config)# router rip

RouterX(config-router)# network network-number

Selects participating attached networks

Requires a major classful network number

RIP Configuration

Enables RIP version 2

RouterX(config-router)# version 2

RIP Configuration Example

Verifying the RIP Configuration

Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 6 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Redistributing: rip

Default version control: send version 2, receive version 2

Interface Send Recv Triggered RIP Key-chain

FastEthernet0/0 2 2

Serial0/0/2 2 2

Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

10.0.0.0

172.16.0.0

Routing Information Sources:

Gateway Distance Last Update

10.1.1.2 120 00:00:25

Distance: (default is 120)

RouterA#

Displaying the IP Routing Table

RouterA# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR

T - traffic engineered route

Gateway of last resort is not set


C 172.16.1.0 is directly connected, fastethernet0/0


R 10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial0/0/2

C 10.1.1.0 is directly connected, Serial0/0/2

R 192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial0/0/2

debug ip rip Command

RouterA# debug ip rip

RIP protocol debugging is on

RouterA#

00:06:24: RIP: received v1 update from 10.1.1.2 on Serial0/0/2

00:06:24: 10.2.2.0 in 1 hops

00:06:24: 192.168.1.0 in 2 hops

00:06:33: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (172.16.1.1)

00:06:34: network 10.0.0.0, metric 1

00:06:34: network 192.168.1.0, metric 3

00:06:34: RIP: sending v1 update to 255.255.255.255 via Serial0/0/2 (10.1.1.1)

00:06:34: network 172.16.0.0, metric 1

Configuring OSPF

Link-State Routing Protocols

After an initial flood of LSAs, link-state routers pass small, event-triggered link-state updates to all other routers.

OSPF Overview

Creates a neighbor relationship by exchanging hello packets

Propagates LSAs rather than routing table updates

– Link: Router interface

– State: Description of an interface and its relationship to neighboring routers

Floods LSAs to all OSPF routers in the area, not just directly connected routers

Pieces together all the LSAs generated by the OSPF routers to create the OSPF link-state database

Uses the SPF algorithm to calculate the shortest path to each destination and places it in the routing table

Benefits of link-state routing:

– Fast convergence:

Changes are reported immediately by the affected source

– Robustness against routing loops:

Routers know the topology

Link-state packets are sequenced and acknowledged

– Hierarchical network design enables optimization of resources.

Drawbacks of link-state routing:

– Significant demands for resources:

Memory (three tables: adjacency, topology, forwarding)

CPU (Dijkstra’s algorithm can be intensive, especially when there are many instabilities)

– Requires very strict network design

– Configuration can be complex when tuning various parameters and when design is complex

Benefits and Drawbacks of Link-State Routing

OSPF Hierarchical Routing

Consists of areas and autonomous systems

Minimizes routing update traffic

SPF Algorithm

Places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost

Cost = Reference Bandwidth / Interface Bandwidth (b/s)

10

1

10

1

1

Configuring Single-Area OSPF

network address wildcard-mask area area-id

Assigns networks to a specific OSPF area

router ospf process-id

Defines OSPF as the IP routing protocol

RouterX(config)#

RouterX(config-router)#

Configuring Loopback Interfaces

Router ID:

Number by which the router is known to OSPF

Default: The highest IP address on an active interface at the moment of OSPF process startup

Can be overridden by a loopback interface: Highest IP address of any active loopback interface

Can be set manually using the router-id command

Verifying the OSPF Configuration

RouterX# show ip protocols

Verifies that OSPF is configured


Displays all the routes learned by the router


Codes: I - IGRP derived, R - RIP derived, O - OSPF derived,

C - connected, S - static, E - EGP derived, B - BGP derived,

E2 - OSPF external type 2 route, N1 - OSPF NSSA external type 1 route,

N2 - OSPF NSSA external type 2 route

Gateway of last resort is 10.119.254.240 to network 10.140.0.0

O 10.110.0.0 [110/5] via 10.119.254.6, 0:01:00, Ethernet2

O IA 10.67.10.0 [110/10] via 10.119.254.244, 0:02:22, Ethernet2

O 10.68.132.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2

O 10.130.0.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2

O E2 10.128.0.0 [170/10] via 10.119.254.244, 0:02:22, Ethernet2

. . .

Verifying the OSPF Configuration (Cont.)

RouterX# show ip ospf

Routing Process "ospf 50" with ID 10.64.0.2

<output omitted>

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

Number of areas transit capable is 0

External flood list length 0

Area BACKBONE(0)

Area BACKBONE(0)

Area has no authentication

SPF algorithm last executed 00:01:25.028 ago

SPF algorithm executed 7 times

<output omitted>

Displays the OSPF router ID, timers, and statistics

RouterX# show ip ospf

RouterX# show ip ospf interface ethernet 0

Ethernet 0 is up, line protocol is up

Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0

AS 201, Router ID 192.168.99.1, Network Type BROADCAST, Cost: 10

Transmit Delay is 1 sec, State OTHER, Priority 1

Designated Router id 192.168.254.10, Interface address 192.168.254.10

Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28

Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5

Hello due in 0:00:05

Neighbor Count is 8, Adjacent neighbor count is 2

Adjacent with neighbor 192.168.254.28 (Backup Designated Router)

Adjacent with neighbor 192.168.254.10 (Designated Router)

RouterX# show ip ospf interface


Displays the area ID and adjacency information

RouterX# show ip ospf neighbor

ID Pri State Dead Time Address Interface

10.199.199.137 1 FULL/DR 0:00:31 192.168.80.37 FastEthernet0/0

172.16.48.1 1 FULL/DROTHER 0:00:33 172.16.48.1 FastEthernet0/1

172.16.48.200 1 FULL/DROTHER 0:00:33 172.16.48.200 FastEthernet0/1

10.199.199.137 5 FULL/DR 0:00:33 172.16.48.189 FastEthernet0/1


RouterX# show ip ospf neighbor

Displays the OSPF neighbor information on a per-interface basis

RouterX# debug ip ospf events

OSPF:hello with invalid timers on interface Ethernet0

hello interval received 10 configured 10

net mask received 255.255.255.0 configured 255.255.255.0

dead interval received 40 configured 30

OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117

aid:0.0.0.0 chk:6AB2 aut:0 auk:

RouterX# debug ip ospf packet

OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116

aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

OSPF debug Commands

Laboratory

OSPF Authentication

OSPF supports two types of authentication:

– Plaintext (or simple) password authentication

– MD5 authentication

The router generates and checks every OSPF packet.

The router authenticates the source of each routing update packet that it receives.

Configure a ―key‖ (password); each participating neighbor must have the same key configured.

Configuring OSPF Plaintext Password Authentication

ip ospf authentication-key password

RouterX(config-if)#

Assigns a password to use with neighboring routers

RouterX(config-if)#

ip ospf authentication [message-digest | null]

Specifies the authentication type for an interface (as of Cisco IOS Release 12.0)

RouterX(config-router)#

area area-id authentication [message-digest]

Specifies the authentication type for an area

OR

Plaintext Password Authentication Configuration Example


EIGRP Implementation

Implementing EIGRP

EIGRP Features

Flexible network design

Multicast and unicast instead of broadcast address

Support for VLSM and discontiguous subnets

Manual summarization at any point in the internetwork

Support for multiple network layer protocols

Advanced distance vector

Rapid convergence

100% loop-free classless routing

Easy configuration

Incremental updates

Load balancing across equal- and unequal-cost pathways

EIGRP Tables

EIGRP Path Calculation (Router C)

EIGRP Configuration

RouterX(config)# router eigrp autonomous-system

RouterX(config-router)# network network-number

EIGRP and Discontiguous Networks Default Scenario Configuration

EIGRP, by default, does not advertise subnets and, therefore, cannot support discontiguous subnets.

EIGRP and Discontiguous Networks with no auto-summary

EIGRP with the no auto-summary parameter can advertise subnets and, therefore, can support discontiguous subnets.

RouterX# show ip eigrp interfaces IP EIGRP interfaces for process 109 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Di0 0 0/0 0 11/434 0 0 Et0 1 0/0 337 0/10 0 0 SE0:1.16 1 0/0 10 1/63 103 0 Tu0 1 0/0 330 0/16 0 0

Verifying the EIGRP Configuration

RouterX# show ip eigrp interfaces Displays information about interfaces configured for EIGRP

RouterX# show ip protocols

RouterX# show ip route eigrp Displays the current EIGRP entries in the routing table

Displays the parameters and current state of the active process

RouterX# show ip eigrp neighbors IP-EIGRP Neighbors for process 77 Address Interface Holdtime Uptime Q Seq SRTT RTO (secs) (h:m:s) Count Num (ms) (ms) 172.16.81.28 Ethernet1 13 0:00:41 0 11 4 20 172.16.80.28 Ethernet0 14 0:02:01 0 10 12 24 172.16.80.31 Ethernet0 12 0:02:02 0 4 5 20

RouterX# show ip eigrp neighbors [detail]

Displays the neighbors discovered by IP EIGRP

Verifying the EIGRP Configuration (Cont.)

RouterX# show ip eigrp topology [all]

Displays the IP EIGRP topology table

Without the [all] parameter, shows successors and feasible successors

RouterX# show ip eigrp topology IP-EIGRP Topology Table for process 77 Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776 via 172.16.80.28 (46251776/46226176), Ethernet0 via 172.16.81.28 (46251776/46226176), Ethernet1 via 172.16.80.31 (46277376/46251776), Serial0 P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200 via Connected, Ethernet1 via 172.16.81.28 (307200/281600), Ethernet1 via 172.16.80.28 (307200/281600), Ethernet0 via 172.16.80.31 (332800/307200), Serial0

Verifying the EIGRP Configuration (Cont.)

EIGRP Load Balancing

By default, EIGRP does equal-metric load balancing:

– By default, up to four routes with a metric equal to the minimum metric are installed in the routing table.

There can be up to 16 entries in the routing table for the same destination:

– The number of entries is configurable with the maximum-paths command.

EIGRP Unequal-Cost Load Balancing

variance multiplier RouterX(config-router)#

Allows the router to load-balance across routes with a metric smaller than the multiplier value times the minimum metric route to that destination.

The default variance is 1, which means equal-cost load balancing.

Variance Example

Router E chooses router C to route to network 172.16.0.0 because it has the lowest feasible distance of 20.

With a variance of 2, router E also chooses router B to route to network 172.16.0.0 (20 + 10 = 30) < [2 * (FD) = 40].

Router D is not considered to route to network 172.16.0.0 (because 25 > 20).

Switching Fundamentals

Signals degrade with transmission distance.

Each Ethernet type has a maximum segment length.

LAN Segment Limitations

Extending LAN Segments

Shares bandwidth

Extends cable distances

Repeats or amplifies signal

Collisions

Multiple Collision Domains

Address learning

Forwarding the filtering decisions

Loop avoidance

Ethernet Switches and Bridges

MAC Address Table

• The initial MAC address table is empty.

Learning Addresses

• Station A sends a frame to station C.

• The switch caches the MAC address of station A to port E0 by learning the source address of data frames.

• The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded).

Learning Addresses (Cont.)

• Station D sends a frame to station C.

• The switch caches the MAC address of station D to port E3 by learning the source address of data frames.

• The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded).

Filtering Frames

• Station A sends a frame to station C.

• The destination is known; the frame is not flooded.

Filtering Frames (Cont.)

• Station A sends a frame to station B.

• The switch has the address for station B in the MAC address table.

• Station D sends a broadcast or multicast frame.

• Broadcast and multicast frames are flooded to all ports other than the originating port.

Broadcast and Multicast Frames

VLAN Operations

VLAN Overview

VLAN = Broadcast Domain = Logical Network (Subnet)

Segmentation

Flexibility

Security

Designing VLANs for an Organization

VLAN design must take into consideration the implementation of a hierarchical network addressing scheme.

The benefits of hierarchical addressing are:

– Ease of management and troubleshooting

– Minimization of errors

– Reduced number of routing table entries

Guidelines for Applying IP Address Space

Allocate one IP subnet per VLAN.

Allocate IP address spaces in contiguous blocks.

• Each logical VLAN is like a separate physical bridge.

• VLANs can span across multiple switches.

• Trunks carry traffic for multiple VLANs.

• Trunks use special encapsulation to distinguish between

different VLANs.

VLAN Operation

VLAN Membership Modes

802.1Q Trunking

802.1Q Frame

Understanding Native VLANs

VTP Features

Cannot create, change, or delete VLANs

Sends and forwards advertisements

Synchronizes

Create VLANs

Modify VLANs

Delete VLANs

Sends and forwards advertisements

Synchronizes

Create local VLANs only

Modify local VLANs only

Delete local VLANs only

Forwards advertisements

Does not synchronize

VTP Modes

VTP Operation

VTP advertisements are sent as multicast frames.

VTP servers and clients are synchronized to the latest revision number.

VTP advertisements are sent every 5 minutes or when there is a change.

VTP Pruning

Configuring VLANs and Trunks

1. Configure and verify VTP.

2. Configure and verify 802.1Q trunks.

3. Create or modify a VLAN on the VTP server switch.

4. Assign switch ports to a VLAN and verify.

5. Execute adds, moves, and changes.

6. Save the VLAN configuration.

VTP defaults for the Cisco Catalyst switch:

– VTP domain name: None

– VTP mode: Server mode

– VTP pruning: Enabled or disabled (model specific)

– VTP password: Null

– VTP version: Version 1

A new switch can automatically become part of a domain once it receives an advertisement from a server.

A VTP client can overwrite a VTP server database if the client has a higher revision number.

A domain name cannot be removed after it is assigned; it can only be reassigned.

VTP Configuration Guidelines

SwitchX# configure terminal

SwitchX(config)# vtp mode [ server | client | transparent ]

SwitchX(config)# vtp domain domain-name

SwitchX(config)# vtp password password

SwitchX(config)# vtp pruning

SwitchX(config)# end

Creating a VTP Domain

SwitchX(config)# vtp domain ICND

Changing VTP domain name to ICND

SwitchX(config)# vtp mode transparent

Setting device to VTP TRANSPARENT mode.

SwitchX(config)# end

SwitchX# show vtp status

VTP Version : 2

Configuration Revision : 0

Maximum VLANs supported locally : 64

Number of existing VLANs : 17

VTP Operating Mode : Transparent

VTP Domain Name : ICND

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA

Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05

SwitchX#

VTP Configuration and Verification Example

802.1Q Trunking Issues

Make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.

Note that native VLAN frames are untagged.

A trunk port cannot be a secure port.

All 802.1Q trunking ports in an EtherChannel group must have the same configuration.

Configuring 802.1Q Trunking

Configures the port as a VLAN trunk

SwitchX(config-if)#

switchport mode trunk

switchport mode {access | dynamic {auto | desirable} | trunk}

SwitchX(config-if)#

Configures the trunking characteristics of the port

SwitchX# show interfaces fa0/11 trunk

Port Mode Encapsulation Status Native vlan

Fa0/11 desirable 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/11 1-4094

Port Vlans allowed and active in management domain

Fa0/11 1-13

SwitchX# show interfaces fa0/11 switchport

Name: Fa0/11

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: down

Administrative Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

. . .

Verifying a Trunk

SwitchX# show interfaces interface [switchport | trunk]

VLAN Creation Guidelines

The maximum number of VLANs is switch-dependent.

Most Cisco Catalyst desktop switches support 128 separate spanning-tree instances, one per VLAN.

VLAN 1 is the factory default Ethernet VLAN.

Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.

The Cisco Catalyst switch IP address is in the management VLAN (VLAN 1 by default).

If using VTP, the switch must be in VTP server or transparent mode to add or delete VLANs.

Adding a VLAN


SwitchX(config)# vlan 2

SwitchX(config-vlan)# name switchlab99

SwitchX# show vlan id 2

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

2 switchlab99 active Fa0/2, Fa0/12

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

2 enet 100002 1500 - - - - - 0 0

. . .

SwitchX#

Verifying a VLAN

SwitchX# show vlan [brief | id vlan-id || name vlan-name]

Assigning Switch Ports to a VLAN


SwitchX(config)# interface range fastethernet 0/2 - 4

SwitchX(config-if)# switchport access vlan 2

SwitchX# show vlan


---- -------------------------------- --------- ----------------------

1 default active Fa0/1

2 switchlab99 active Fa0/2, Fa0/3, Fa0/4

switchport access [vlan vlan# | dynamic]

SwitchX(config-if)#

SwitchX# show vlan brief


---- -------------------------------- --------- -------------------------------

1 default active Fa0/1

2 switchlab99 active Fa0/2, Fa0/3, Fa0/4

3 vlan3 active

4 vlan4 active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup


---- -------------------------------- --------- -------------------------------

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

SwitchX# show vlan brief

Verifying VLAN Membership

Verifying VLAN Membership (Cont.)

SwitchX# show interfaces fa0/2 switchport

Name: Fa0/2

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 2 (switchlab99)

Trunking Native Mode VLAN: 1 (default)

--- output omitted ----

show interfaces interface switchport

SwitchX(config-if)#

Laboratory

Vlan

1

Vlan

10

Vlan

20

Vlan

30

Vlan

1

Vlan

10

Vlan

20

Vlan

30

Vlan 10 assigned on Ports Fa0/3-5






Trunk Links assigned on

Fa0/1- 2


Fa0/1- 3


Fa0/1- 3

Fa0/1

Fa0/2Fa0/1

Fa0/2

Fa0/3Fa0/3

Fa0/3

Fa0/1 Fa0/2

Fa0 – no ip adddess

Fa0.1 – 192.168.1.1/24

Fa0.10 – 192.168.10.1/24

Fa0.20 – 192.168.20.1/24

Fa0.30 – 192.168.30.1/24

Vlan 1 – 192.168.1.0/24

Vlan 10 – 192.168.10.0/24

Vlan 20 – 192.168.20.0/24

Vlan 30 – 192.168.30.0/24

VTP Domain – CITS

VTP Server

STP Primary for Vlan 1, 10

STP Secondary for Vlan 20, 30

VTP Server



Implementing STP

Redundant Topology

Redundant topology eliminates single points of failure.

Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Station D sends a broadcast frame.

Broadcast frames are flooded to all ports except the originating port.

Broadcast Frames

Broadcast Storms

Host X sends a broadcast.

Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies

Host X sends a unicast frame to router Y.

The MAC address of router Y has not been learned by either switch.

Router Y will receive two copies of the same frame.

Host X sends a unicast frame to router Y.

The MAC address of router Y has not been learned by either switch.

Switches A and B learn the MAC address of host X on port 1.

The frame to router Y is flooded.

Switches A and B incorrectly learn the MAC address of host X on port 2.

MAC Database Instability

Provides a loop-free redundant network topology by placing certain ports in the blocking state

Published in the IEEE 802.1D specification

Enhanced with the Cisco PVST+ implementation

Loop Resolution with STP

Spanning-Tree Operation

One root bridge per broadcast domain.

One root port per nonroot bridge.

One designated port per segment.

Nondesignated ports are unused.

STP Root Bridge Selection

BPDU (default = sent every 2 seconds)

Root bridge = bridge with the lowest bridge ID

Bridge ID = Bridge Priority

MAC Address

Spanning tree transits each port through several different states:

Spanning-Tree Port States

Describing PortFast

PortFast is configured on access ports, not trunk ports.

Configuring and Verifying PortFast

spanning-tree portfast

SwitchX(config-if)#

Configures PortFast on an interface

spanning-tree portfast default

SwitchX(config)#

Enables PortFast on all non-trunking interfaces

show running-config interface interface

SwitchX#

Verifies that PortFast has been configured on an interface

OR

Spanning-Tree Operation Example

Spanning-Tree Path Cost

Link Speed Cost (Revised IEEE

Specification) Cost (Previous IEEE

Specification)

10 Gb/s 2 1

1 Gb/s 4 1

100 Mb/s 19 10

10 Mb/s 100 100

Spanning-Tree Recalculation

Per VLAN Spanning Tree Plus

Default Spanning-Tree Configuration

Cisco Catalyst switches support three types of STPs:

– PVST+

– PVRST+

– MSTP

The default STP for Cisco Catalyst switches is PVST+ :

– A separate STP instance for each VLAN

– One root bridge for all VLANs

– No load sharing

PVRST+ Configuration Guidelines

1. Enable PVRST+.

2. Designate and configure a switch to be the root bridge.

3. Designate and configure a switch to be the secondary root bridge.

4. Verify the configuration.

PVRST+ Implementation Commands

spanning-tree mode rapid-pvst

SwitchX(config)#

Configures PVRST+

show spanning-tree vlan vlan# [detail]

SwitchX#

Verifies the spanning-tree configuration

debug spanning-tree pvst+

SwitchX#

Displays PVST+ event debug messages

Verifying PVRST+

The spanning-tree mode is set to PVRST.

SwitchX# show spanning-tree vlan 30

VLAN0030

Spanning tree enabled protocol rstp

Root ID Priority 24606

Address 00d0.047b.2800

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24606 (priority 24576 sys-id-ext 30)

Address 00d0.047b.2800

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

-------- ----- --- --- -------- ----

Gi1/1 Desg FWD 4 128.1 P2p

Gi1/2 Desg FWD 4 128.2 P2p

Gi5/1 Desg FWD 4 128.257 P2p

Configuring the Root and Secondary Bridges

Configuring the Root and Secondary Bridges: SwitchA

spanning-tree vlan 1 root primary

This command forces this switch to be the root for VLAN 1.

spanning-tree vlan 2 root secondary

This command configures this switch to be the secondary root

for VLAN 2.

OR

spanning-tree vlan # priority priority

This command statically configures the priority (increments of 4096).

SwitchA(config)#

SwitchA(config)#

SwitchA(config)#

Configuring the Root and Secondary Bridges: SwitchB

spanning-tree vlan 2 root primary

This command forces the switch to be the root for VLAN 2.

spanning-tree vlan 1 root secondary

This command configures the switch to be the secondary root VLAN 1.

OR

spanning-tree vlan # priority priority

This command statically configures the priority (increments of 4096).

SwitchB(config)#

SwitchB(config)#

SwitchB(config)#

Laboratory

Vlan

1

Vlan

10

Vlan

20

Vlan

30

Vlan

1

Vlan

10

Vlan

20

Vlan

30








Fa0/1- 2


Fa0/1- 3


Fa0/1- 3

Fa0/1

Fa0/2Fa0/1

Fa0/2

Fa0/3Fa0/3

Fa0/3

Fa0/1 Fa0/2


Fa0.1 – 192.168.1.1/24

Fa0.10 – 192.168.10.1/24

Fa0.20 – 192.168.20.1/24

Fa0.30 – 192.168.30.1/24

Vlan 1 – 192.168.1.0/24

Vlan 10 – 192.168.10.0/24

Vlan 20 – 192.168.20.0/24

Vlan 30 – 192.168.30.0/24

VTP Domain – CITS

VTP Server



VTP Server



Inter-Vlan Routing

VLAN-to-VLAN Overview

Network layer devices combine multiple broadcast domains.

Dividing a Physical Interface into Subinterfaces

Physical interfaces can be divided into multiple subinterfaces.

Routing Between VLANs with 802.1Q Trunks

interface fastethernet 0/0

ip address 10.1.1.1 255.255.255.0

interface fastethernet 0/0.2

ip address 10.2.2.1 255.255.255.0

encapsulation dot1q 2

Laboratory

Vlan

1

Vlan

10

Vlan

20

Vlan

30

Vlan

1

Vlan

10

Vlan

20

Vlan

30








Fa0/1- 2


Fa0/1- 3


Fa0/1- 3

Fa0/1

Fa0/2Fa0/1

Fa0/2

Fa0/3Fa0/3

Fa0/3

Fa0/1 Fa0/2


Fa0.1 – 192.168.1.1/24

Fa0.10 – 192.168.10.1/24

Fa0.20 – 192.168.20.1/24

Fa0.30 – 192.168.30.1/24

Vlan 1 – 192.168.1.0/24

Vlan 10 – 192.168.10.0/24

Vlan 20 – 192.168.20.0/24

Vlan 30 – 192.168.30.0/24

VTP Domain – CITS

VTP Server



VTP Server



Introducing ACL

Manage IP traffic as network access grows

Filter packets as they pass through the router

Why Use ACLs?

Permit or deny packets moving through the router.

Permit or deny vty access to or from the router.

Without ACLs, all packets could be transmitted onto all parts of your network.

ACL Applications

• Special handling for traffic based on packet tests

Other ACL Uses

• Standard

– Checks source address

– Generally permits or denies entire protocol suite

• Extended

– Checks source and destination address

– Generally permits or denies specific protocols

Types of ACLs

How to Identify ACLs

Standard IP lists (1-99) test conditions of all IP packets from source addresses.

Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.

Standard IP lists (1300-1999) (expanded range).

Extended IP lists (2000-2699) (expanded range).

Other ACL number ranges test conditions for other networking protocols.

Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

Testing Packets with Standard ACLs

Testing Packets with Extended ACLs

Outbound ACL Operation

• If no ACL statement matches, then discard the packet.

A List of Tests: Deny or Permit

0 means check value of corresponding address bit.

1 means ignore value of corresponding address bit.

Wildcard Bits: How to Check the Corresponding Address Bits

172.30.16.29 0.0.0.0 checks all the address bits.

Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

• Check all the address bits (match all).

• Verify an IP host address, for example:

Wildcard Bits to Match a Specific IP Host Address

• Test conditions: Ignore all the address bits (match any).

• An IP host address, for example:

Wildcard Bits to Match Any IP Address

•Accept any address: any

•Abbreviate expression with keyword “any”

• Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

Address and wildcard mask:

172.30.16.0 0.0.15.255

Wildcard Bits to Match IP Subnets

Configuring ACL

ACL Configuration Guidelines

ACL numbers indicate which protocol is filtered.

One ACL per interface, per protocol, per direction is allowed.

The order of ACL statements controls testing.

The most restrictive statements go at the top of the list.

The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.

ACLs must be created before applying them to interfaces.

ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router.

Step 1: Set parameters for this ACL test statement (which can be one of several statements).

Step 2: Enable an interface to use the specified ACL.

Router(config-if)#{protocol} access-group

access-list-number {in | out}

ACL Command Overview

Standard IP lists (1-99)

Extended IP lists (100-199)

Standard IP lists (1300-1999) (expanded range)

Extended IP lists (2000-2699) (expanded range)

Router(config)#access-list access-list-number

{permit | deny} {test conditions}

Activates the list on an interface

Sets inbound or outbound testing

Default = outbound

no ip access-group access-list-number removes ACL from the interface

Router(config-if)#ip access-group

access-list-number {in | out}

• Sets parameters for this list entry

• IP standard ACLs use 1 to 99

• Default wildcard mask = 0.0.0.0

• no access-list access-list-number removes entire ACL

• remark lets you add a description for the ACL


{permit | deny | remark} source [mask]

Standard IP ACL Configuration

• Permit my network only.

Standard IP ACL Example 1

• Deny a specific host.


• Deny a specific subnet.


Router(config-if)#ip access-group access-list-number {in | out}

Extended IP ACL Configuration

• Activates the extended list on an interface

• Sets parameters for this list entry


{permit | deny} protocol source source-wildcard [operator

port] destination destination-wildcard [operator port]

[established] [log]

Extended ACL Example 1

Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0.

Permit all other traffic.

Extended ACL Example 2

Deny only Telnet from subnet 172.16.4.0 out E0.

Permit all other traffic.

Router(config)#ip access-list {standard | extended} name

Router(config {std- | ext-}nacl)#{permit | deny}

{ip access list test conditions}

{permit | deny} {ip access list test conditions}

no {permit | deny} {ip access list test conditions}

Router(config-if)#ip access-group name {in | out}

Using Named IP ACL

• Alphanumeric name string must be unique.

• Permit or deny statements have no prepended number.

• “no” removes the specific test from the named ACL.

• Activates the named IP ACL on an interface.

Five virtual terminal lines (0 through 4)

Filter addresses that can access into the router vty ports

Filter vty access originating from the router

Filtering vty Access to a Router

How to Control vty Access

• Set up an IP address filter with a standard ACL

statement.

• Use line configuration mode to filter access with the

access-class command.

• Set identical restrictions on every vty.

• Enters configuration mode for a vty or vty range

• Restricts incoming or outgoing vty connections for

address in the ACL

Router(config-line)#access-class access-list-number

{in | out}

Router(config)#line vty {vty# | vty-range}

vty Commands

• Permits only hosts in network 192.168.1.0 0.0.0.255 to

connect to the router vty

access-list 12 permit 192.168.1.0 0.0.0.255

(implicit deny any)

!

line vty 0 4

access-class 12 in

Controlling Inbound Access

vty Access Example

ACL Configuration Guidelines

The order of ACL statements is crucial.

– Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.

– Top-down processing is important.

– Place the more specific test statements first.

Statements cannot be rearranged or removed.

– Use the no access-list number command to remove the entire ACL.

– Exception: Named ACLs permit removal of individual statements.

Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.

Place extended ACLs close to the source.

Place standard ACLs close to the destination.

Where to Place IP ACLs

wg_ro_a#show ip interfaces e0

Ethernet0 is up, line protocol is up

Internet address is 10.1.1.11/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is 1

Proxy ARP is enabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Feature Fast switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

<text ommitted>

Verifying ACLs

Monitoring ACL Statements

wg_ro_a#show access-lists

Standard IP access list 1

permit 10.2.2.1

permit 10.3.3.1

permit 10.4.4.1

permit 10.5.5.1

Extended IP access list 101

permit tcp host 10.22.22.1 any eq telnet

permit tcp host 10.33.33.1 any eq ftp

permit tcp host 10.44.44.1 any eq ftp-data

wg_ro_a#show {protocol} access-list {access-list number}

wg_ro_a#show access-lists {access-list number}

Scaling the Network with NAT/PAT

Network Address Translation

• An IP address is either local or global.

• Local IP addresses are seen in the inside network.

Port Address Translation

Translating Inside Source Addresses

Configuring Static Translation

• Establishes static translation between an inside local address and an inside global address

Router(config)#ip nat inside source static local-ip global-ip

• Marks the interface as connected to the inside

Router(config-if)#ip nat inside

• Marks the interface as connected to the outside

Router(config-if)#ip nat outside

Enabling Static NAT Address Mapping Example

Configuring Dynamic Translation

• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Router(config)#ip nat inside source list

access-list-number pool name

• Defines a pool of global addresses to be allocated as needed.

Router(config)#ip nat pool name start-ip end-ip

{netmask netmask | prefix-length prefix-length}

• Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)#access-list access-list-number permit

source [source-wildcard]

Dynamic Address Translation Example

Overloading an Inside Global Address

Configuring Overloading

• Establishes dynamic source translation, specifying the ACL that was defined in the prior step

Router(config)#ip nat inside source list

access-list-number interface interface overload

• Defines a standard IP ACL that will be permit the inside local addresses that are to be translated

Router(config)#access-list access-list-number permit

source source-wildcard

Overloading an Inside Global Address Example

Clearing the NAT Translation Table

• Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

Router#clear ip nat translation inside global-ip

local-ip [outside local-ip global-ip]

• Clears all dynamic address translation entries

Router#clear ip nat translation *

• Clears a simple dynamic translation entry that contains an outside translation

Router#clear ip nat translation outside

local-ip global-ip

• Clears an extended dynamic translation entry

Router#clear ip nat translation protocol inside global-ip

global-port local-ip local-port [outside local-ip

local-port global-ip global-port]

Displaying Information with show Commands

• Displays translation statistics

Router#show ip nat statistics

• Displays active translations

Router#show ip nat translations

Router#show ip nat translation

Pro Inside global Inside local Outside local Outside global

--- 172.16.131.1 10.10.10.1 --- ---

Router#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended)

Outside interfaces:

Ethernet0, Serial2.7

Inside interfaces:

Ethernet1

Hits: 5 Misses: 0

…

Sample Problem: Cannot Ping Remote Host

Solution: New Configuration

Using the debug ip nat Command

Router#debug ip nat

NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]

NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]

NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]

NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]

NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Translation Not Installed in the Translation Table?

Verify that:

The configuration is correct

There are not any inbound ACLs denying the packets entry to the NAT router

The ACL referenced by the NAT command is permitting all necessary networks

There are enough addresses in the NAT pool

The router interfaces are appropriately defined as NAT inside or NAT outside


Wireless LANs

Exploring Wireless Networking

Market Trends

Differences Between WLAN and LAN

WLANs use radio waves as the physical layer.

– WLANs use CSMA/CA instead of CSMA/CD for media access.

– Two-way radio (half-duplex) communication.

Radio waves have problems that are not found on wires.

– Connectivity issues:

Coverage problems

Interference, noise

– Privacy issues

Access points are shared devices similar to an Ethernet hub for shared bandwidth.

WLANs must meet country-specific RF regulations.

Radio Frequency Transmission

Radio frequencies are radiated into the air via an antenna, creating radio waves.

Objects can affect radio wave propagation resulting in:

– Reflection

– Scattering

– Absorption

Higher frequencies allow higher data rates; however, they have a shorter range.

Organizations That Define WLAN

ITU-R:

International Telecommunication Union-Radiocommunication Sector

Regulates the RF used in wireless

IEEE:

Institute of Electrical and Electronic Engineers

802.11 documents wireless technical standards

Wi-Fi Alliance:

Global nonprofit industry trade association

Promote wireless growth through interoperability certification

ITU-R with FCC Wireless

ISM: industry, scientific, and medical frequency band

No license required

No exclusive use

Best-effort

Interference possible

IEEE 802.11 Standards Comparison

802.11b 802.11a 802.11g

Frequency band

2.4 GHz 5 GHz 2.4 GHz

No. of channels

3 Up to 23 3

Transmission

Direct Sequence

Spread Spectrum (DSSS)

Orthogonal Frequency

Division Multiplexing

(OFDM)

Direct Sequence

Spread Spectrum (DSSS)

Orthogonal Frequency

Division Multiplexing

(OFDM)

Data rates [Mb/s]

1, 2, 5.5, 11 6, 9, 12, 18, 24,

36, 48, 54 1, 2, 5.5, 11

6, 9, 12, 18, 24, 36, 48, 54

Wi-Fi Certification

Wi-Fi Alliance certifies interoperability between products.

Products include 802.11a, 802.11b, 802.11g, dual-band products, and security testing.

Provides assurance to customers of migration and integration options.

Cisco is a founding member of the Wi-Fi Alliance.

Certified products can be found at http://www.wi-fi.com.


Wireless LANs

Understanding WLAN Security

Wireless LAN Security Threats

Mitigating the Threats

Control and Integrity Privacy and

Confidentiality Protection and

Availability

Authentication Encryption Intrusion Prevention

System (IPS)

Ensure that legitimate clients associate with trusted access points.

Protect data as it is transmitted and

received.

Track and mitigate unauthorized access and network attacks.

WEP

Basic encryption

No strong authentication

Static, breakable keys

Not scalable

MAC filters and SSID-cloaking also used to complement WEP

Evolution of Wireless LAN Security

1997 2001

802.1x EAP

Dynamic keys

Improved encryption

User authentication

802.1X EAP (LEAP, PEAP)

RADIUS

2003

WPA

Standardized

Improved encryption

Strong, user authentication (such as, LEAP, PEAP, EAP-FAST)

2004 to Present

802.11i / WPA2

AES strong encryption

Authentication

Dynamic key management

Wireless Client Association

Access points send out beacons announcing SSID, data rates, and other information.

Client scans all channels.

Client listens for beacons and responses from access points.

Client associates to access point with strongest signal.

Client will repeat scan if signal becomes low to reassociate to another access point (roaming).

During association, SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point.

How 802.1X Works on the WLAN

WPA and WPA2 Modes

WPA WPA2

Enterprise mode

(Business, education, Government)

Authentication: IEEE 802.1X/EAP

Encryption: TKIP/MIC

Authentication: IEEE 802.1X/EAP

Encryption: AES-CCMP

Personal mode

(SOHO, home and personal)

Authentication: PSK

Encryption: TKIP/MIC

Authentication: PSK

Encryption: AES-CCMP


Wireless LANs

Implementing a WLAN

802.11 Topology Building Blocks

Ad hoc mode:

Independent Basic Service Set (IBSS)

– Mobile clients connect directly without an intermediate access point.

Infrastructure mode:

Basic Service Set (BSS)

– Mobile clients use a single access point for connecting to each other or to wired network resources.

Extended Service Set (ESS):

– Two or more BSSs are connected by a common distribution system .

BSA Wireless Topology— Basic Coverage

ESA Wireless Topology— Extended Cover

Wireless Topology Data Rates—802.11b

Common Wireless Network Issues

Most problems are due to incorrect configuration:

Verify that the access point is running the latest revision of firmware.

Verify the channel configuration. Try channels 1, 6, or 11.

Verify that users have the correct encryption type and password.

Other common problems:

RF interference

Not connected

Radio not enabled

Poor antenna location


WAN Connections

Understanding WAN Technologies

Wide-Area Network

Need for WANs

WANs vs. LANs

WAN Access and the OSI Reference Model

WAN Devices

Routers

Terminal servers

Modems

DSU/CSU

WAN networking devices

– ATM switches

– Frame Relay switches

– PSTN

Physical Layer: WANs

Serial Point-to-Point Connections

WAN—Multiple LANs

WAN Data-Link Protocols

HDLC

PPP

Frame Relay (LAPF)

ATM

WAN Link Options

Packet Switching

DSL Service Types Overview

DSL Considerations

Advantages

Speed

Simultaneous voice and data transmission

Incremental additions

Always-on availability

Backward compatibility with analog phones

Disadvantages

Limited availability

Local phone company requirements

Security risks

Cable-Based WANs


LAN Extension into a WAN

Introducing VPN Solutions

What Is a VPN?

Virtual: Information within a private network is transported over a public network.

Private: The traffic is encrypted to keep the data confidential.

Benefits of VPN

Cost

Security

Scalability

Site-to-Site VPNs

Site-to-site VPN: extension of classic WAN

Remote-Access VPNs

Remote-access VPN: evolution of dial-in networks and ISDN

Cisco Easy VPN

Cisco IOS IPsec SSL VPN (WebVPN)

Integrated security and routing

Browser-based full network SSL VPN access

VPN-Enabled Cisco IOS Routers

Cisco ASA Adaptive Security Appliances

(legacy)

VPN Clients

What Is IPsec?

IPsec acts at the network layer, protecting and authenticating IP packets.

It is a framework of open standards that is algorithm independent.

It provides data confidentiality, data integrity, and origin authentication.

IPsec Security Services

Confidentiality

Data integrity

Authentication

Antireplay protection

Confidentiality (Encryption)

Encryption Algorithms

Encryption algorithms:

DES

AES

3DES

RSA

DH Key Exchange

Diffie-Hellman algorithms:

DH1

DH2

DH5

Data Integrity

Hashing algorithms:

HMAC-MD5

HMAC-SHA-1

Authentication

Peer authentication methods:

PSKs

RSA signatures

IPsec Security Protocols

IPsec Framework

Typical WAN Encapsulation Protocols

An Overview of PPP

PPP can carry packets from several protocol suites using NCP.

PPP controls the setup of several link options using LCP.

PPP Session Establishment

PPP session establishment:

1. Link establishment phase

2. Authentication phase (optional)

Two PPP authentication protocols: PAP and CHAP

3. Network layer protocol phase

PPP Authentication Protocols: PAP

Passwords sent in plaintext

Peer in control of attempts

PPP Authentication Protocols: CHAP

This is an example of the Santa Cruz router authenticating to the HQ router.

Hash values, not actual passwords, are sent across the link.

The local router or external server is in control of authentication attempts.

Configuring PPP and Authentication Overview

Configuring PPP and Authentication

RouterX(config-if)# encapsulation ppp

Enables PPP encapsulation

RouterX(config)# hostname name

Assigns a hostname to your router

RouterX(config)# username name password password

Identifies the username and password of remote router

RouterX(config-if)# ppp authentication

{chap | chap pap | pap chap | pap}

Enables PAP or CHAP authentication

PPP and CHAP Configuration Example

hostname RouterX username RouterY password sameone ! int serial 0 ip address 10.0.1.1 255.255.255.0 encapsulation ppp ppp authentication chap

hostname RouterY username RouterX password sameone ! int serial 0 ip address 10.0.1.2 255.255.255.0 encapsulation ppp ppp authentication chap

Verifying the PPP Encapsulation Configuration

RouterX# show interface s0

Serial0 is up, line protocol is up

Hardware is HD64570


MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255

Encapsulation PPP, loopback not set, keepalive set (10 sec)

LCP Open

Open: IPCP, CDPCP

Last input 00:00:05, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

38021 packets input, 5656110 bytes, 0 no buffer

Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

38097 packets output, 2135697 bytes, 0 underruns

0 output errors, 0 collisions, 6045 interface resets

0 output buffer failures, 0 output buffers swapped out

482 carrier transitions

DCD=up DSR=up DTR=up RTS=up CTS=up

Verifying PPP Authentication

RouterX# debug ppp authentication 4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up 4d20h: Se0 PPP: Treating connection as a dedicated line 4d20h: Se0 PPP: Phase is AUTHENTICATING, by both 4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from ”left" 4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from ”right" 4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from ”left" 4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from ”right" 4d20h: Se0 CHAP: O SUCCESS id 2 len 4 4d20h: Se0 CHAP: I SUCCESS id 3 len 4 4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

The debug ppp authentication command shows successful

CHAP output

Verifying PPP Negotiation

RouterX# debug ppp negotiation

PPP protocol negotiation debugging is on

RouterX#

*Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up

*Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin

*Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open

*Mar 1 00:06:36.669: BR0:1 LCP: State is Listen

*Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17

*Mar 1 00:06:37.038: BR0:1 LCP: AuthProto PAP (0x0304C023)

*Mar 1 00:06:37.042: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D)

*Mar 1 00:06:37.046: BR0:1 LCP: Callback 0 (0x0D0300)

*Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15

*Mar 1 00:06:37.058: BR0:1 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:06:37.062: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1)

*Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7

*Mar 1 00:06:37.070: BR0:1 LCP: Callback 0 (0x0D0300)

*Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15

*Mar 1 00:06:37.102: BR0:1 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:06:37.106: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1)

*Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14

*Mar 1 00:06:37.117: BR0:1 LCP: AuthProto PAP (0x0304C023)

*Mar 1 00:06:37.121: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D)


LAN Extension into a WAN

Establishing a WAN Connection with Frame Relay

Frame Relay Overview

Connections made by virtual circuits

Connection-oriented service

Frame Relay Terminology

Frame Relay default: NBMA

Selecting a Frame Relay Topology

Resolving NBMA Reachability Issues

Split horizon can cause problems in NBMA environments.

Solution: subinterfaces

A single physical interface simulates multiple logical interfaces.

LMI receives locally significant DLCI from the Frame Relay switch.

Inverse ARP maps the local DLCI to the remote router network layer address.

Frame Relay Address Mapping

Frame Relay Signaling

Cisco supports three LMI standards:

Cisco

ANSI T1.617 Annex D

ITU-T Q.933 Annex A

Stages of Inverse ARP and LMI Operation

Stages of Inverse ARP and LMI Operation (Cont.)

Configuring Basic Frame Relay

Configuring a Static Frame Relay Map

Configure a static Frame Relay map when:

A Frame Relay peer does not support Inverse ARP

You want to control broadcast traffic across a PVC

You want to have different Frame Relay encapsulations across PVCs

Configuring Frame Relay Subinterfaces

Point-to-point

– Subinterfaces act like leased lines.

– Each point-to-point subinterface requires its own subnet.

– Point-to-point is applicable to hub-and-spoke topologies.

Multipoint

– Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.

– Multipoint can save address space because it uses a single subnet.

– Multipoint is applicable to partial-mesh and full-mesh topologies.

Configuring Frame Relay Point-to-Point Subinterfaces

Configuring Frame Relay Multipoint Subinterfaces

Verifying Frame Relay Operation

RouterX# show interfaces type number

Displays information about Frame Relay DLCIs and the LMI

RouterX# show interfaces s0

Serial0 is up, line protocol is up

Hardware is HD64570


MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255

Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)

LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up

LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0

LMI DLCI 1023 LMI type is CISCO frame relay DTE

FR SVC disabled, LAPF state down

Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5

Last input 00:00:02, output 00:00:02, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

<Output omitted>

Verifying Frame Relay Operation (Cont.)

RouterX# show frame-relay lmi [type number]

Displays LMI statistics

RouterX# show frame-relay lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO

Invalid Unnumbered info 0 Invalid Prot Disc 0

Invalid dummy Call Ref 0 Invalid Msg Type 0

Invalid Status Message 0 Invalid Lock Shift 0

Invalid Information ID 0 Invalid Report IE Len 0

Invalid Report Request 0 Invalid Keep IE Len 0

Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100

Num Update Status Rcvd 0 Num Status Timeouts 0

Displays LMI debug information


RouterX# debug frame-relay lmi

Frame Relay LMI debugging is on

Displaying all Frame Relay LMI data

RouterX#

1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up

1w2d: datagramstart = 0xE008EC, datagramsize = 13

1w2d: FR encap = 0xFCF10309

1w2d: 00 75 01 01 01 03 02 8C 8B

1w2d:

1w2d: Serial0(in): Status, myseq 140

1w2d: RT IE 1, length 1, type 1

1w2d: KA IE 3, length 2, yourseq 140, myseq 140

1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up

1w2d: datagramstart = 0xE008EC, datagramsize = 13

1w2d: FR encap = 0xFCF10309

1w2d: 00 75 01 01 01 03 02 8D 8C

1w2d:

1w2d: Serial0(in): Status, myseq 142

1w2d: RT IE 1, length 1, type 0

1w2d: KA IE 3, length 2, yourseq 142, myseq 142

1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0


RouterX# show frame-relay pvc [type number [dlci]]

Displays PVC statistics

RouterX# show frame-relay pvc 100

PVC Statistics for interface Serial0 (Frame Relay DTE)

DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

input pkts 28 output pkts 10 in bytes 8398

out bytes 1198 dropped pkts 0 in FECN pkts 0

in BECN pkts 0 out FECN pkts 0 out BECN pkts 0

in DE pkts 0 out DE pkts 0

out bcast pkts 10 out bcast bytes 1198

pvc create time 00:03:46, last time pvc status changed 00:03:47


RouterX# clear frame-relay-inarp

RouterX# show frame-relay map

Clears dynamically created Frame Relay maps, created by using Inverse ARP

Displays the current Frame Relay map entries

RouterX# show frame-relay map

Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,

broadcast,, status defined, active

RouterX# clear frame-relay-inarp

RouterX# show frame map

RouterX#


Transitioning to IPv6

What is IPv6

Also Known as IPng (next generation)

A new version of the Internet Protocol

– Primarily designed to extend address space

– Enhancement and new feature

History of IPv6

What happened to IPv5

Version 5 in IP header was assigned to ST protocol (Internet Streaming Protocol)

Experimental non-IP real-time streaming protocol

Never widely used

RFC 1819

Challenges in Today’s Internet

IPv4 growth and adoption phenomenal

Exhausting IP address space

Internet Routing table very big

Increasing Need for Security

No uniformity

Multitude of methods for hackers to attack networks

Increasing need for IP mobility

Increasing number of wireless/mobile devices accessing Internet service

Inadequate support for IP mobility in devices (moving seamlessly from one network to another)

Challenges in Today’s Internet

Increased Traffic Flow

New Applications have specific delivery requirements

QOS issues

Multiple methods available

Non-uniformity across network boundaries

Why is IPv6 Here

IPv6 provides a platform for New Internet functionality that will be needed in the immediate future, and provide flexibility for further growth and expansion

IPv4 and IPv6

Currently, there are approximately 1.3 billion usable IPv4 addresses available.

Why Do We Need a Larger Address Space?

Internet population

– Approximately 973 million users in November 2005

– Emerging population and geopolitical address space

Mobile users

– PDA, pen tablet, notepad, and so on

– Approximately 20 million in 2004

Mobile phones

– Already 1 billion mobile phones delivered by the industry

Transportation

– 1 billion automobiles forecast for 2008

– Internet access in planes, for example, Lufthansa

Consumer devices

– Sony mandated that all its products be IPv6-enabled by 2005

– Billions of home and industrial appliances

What IP is Touching

IPv6 Advanced Features

Larger address space:

Global reachability and flexibility

Aggregation

Multihoming

Autoconfiguration

Plug-and-play

End-to-end without NAT

Renumbering

Mobility and security:

Mobile IP RFC-compliant

IPsec mandatory (or native) for IPv6

Simpler header:

Routing efficiency

Performance and forwarding rate scalability

No broadcasts

No checksums

Extension headers

Flow labels

Transition richness:

Dual stack

6to4 and manual tunnels

Translation

IPv6 Terminology

IPv6 Address Representation

Format:

x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field

– Case-insensitive for hexadecimal A, B, C, D, E, and F

Leading zeros in a field are optional

Successive fields of zeros can be represented as :: only once per address

Examples:

2031:0000:130F:0000:0000:09C0:876A:130B

– Can be represented as 2031:0:130f::9c0:876a:130b

– Cannot be represented as 2031::130f::9c0:876a:130b

FF01:0:0:0:0:0:0:1 FF01::1

0:0:0:0:0:0:0:1 ::1

0:0:0:0:0:0:0:0 ::

IPv6 Address Types

Unicast:

– Address is for a single interface

– IPv6 has several types (for example, global, reserved, link-local, and site-local)

Multicast:

– One-to-many

– Enables more efficient use of the network

– Uses a larger address range

Anycast:

– One-to-nearest (allocated from unicast address space)

– Multiple devices share the same address

– All anycast nodes should provide uniform service

– Source devices send packets to anycast address

– Routers decide on closest device to reach that destination

– Suitable for load balancing and content delivery services

IPv6 Unicast Addressing

Types of IPv6 unicast addresses:

– Global: Starts with 2000::/3 and assigned by IANA

– Reserved: Used by the IETF

– Private: Link local (starts with FE80::/10)

– Loopback (::1)

– Unspecified (::)

A single interface may be assigned multiple IPv6 addresses of any type: unicast, anycast, or multicast.

IPv6 addressing rules are covered by multiple RFCs.

– Architecture defined by RFC 4291

IPv6 Global Unicast (and Anycast) Addresses

IPv6 has the same address format for global unicast and for anycast addresses.

Uses a global routing prefix—a structure that enables aggregation upward, eventually to the ISP.

A single interface may be assigned multiple addresses of any type (unicast, anycast, multicast).

Every IPv6-enabled interface contains at least one loopback (::1/128) and one link-local address.

Optionally, every interface can have multiple unique local and global addresses.

Link-Local Addresses

Link-local addresses have a scope limited to the link and are dynamically created on all IPv6 interfaces by using a specific link-local prefix FE80::/10 and a 64-bit interface identifier.

Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. Link-local addresses are also used by many routing protocols.

Link-local addresses can serve as a way to connect devices on the same local network without needing global addresses.

When communicating with a link-local address, you must specify the outgoing interface because every interface is connected to FE80::/10.

Larger Address Space Enables Address Aggregation

Address aggregation provides the following benefits:

Aggregation of prefixes announced in the global routing table

Efficient and scalable routing

Improved bandwidth and functionality for user traffic

Assigning IPv6 Global Unicast Addresses

Static assignment

– Manual interface ID assignment

– EUI-64 interface ID assignment

Dynamic assignment

Stateless autoconfiguration

DHCPv6 (stateful)

IPv6 EUI-64 Interface Identifier

Cisco can use the EUI-64 format for interface identifiers.

This format expands the 48-bit MAC address to 64 bits by inserting ―FFFE‖ into the middle 16 bits.

To make sure that the chosen address is from a unique Ethernet MAC address, the U/L bit is set to 1 for global scope (0 for local scope).

Stateless Autoconfiguration

DHCPv6 (Stateful)

DHCPv6 is an updated version of DHCP for IPv4:

Supports new addressing

Enables more control than stateless autoconfiguration

Can be used for renumbering

Can be used for automatic domain name registration of hosts using dynamic DNS

DHCPv6 Operation

DHCPv6 operates in a way that is similar to DHCPv4, except:

Client first detects the presence of routers on the link.

If a router is found, the router advertisement is examined to determine if DHCP can be used.

If no router is found, or if the router says DHCP can be used, then:

– A DHCP solicit message is sent to the all-DHCP-agents multicast address.

– The client uses the link-local address as the source address.

IPv6 Routing Protocols

IPv6 routing types:

– Static

– RIPng (RFC 2080)

– OSPFv3 (RFC 2740)

– IS-IS for IPv6

– MP-BGP4 (RFC 2545/2858)

– EIGRP for IPv6

The ipv6 unicast-routing command is required to enable

IPv6 before any routing protocol is configured.

RIPng (RFC 2080)

Similar IPv4 features:

Distance vector, radius of 15 hops, split horizon, and poison reverse

Based on RIPv2

Updated features for IPv6:

IPv6 prefix, next-hop IPv6 address

Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates

Uses IPv6 for transport

Named RIPng

IPv4-to-IPv6 Transition

Transition richness means:

No fixed day to convert; no need to convert all at once

Different transition mechanisms are available:

– Dual stack

– Manual tunnel

– 6to4 tunnel

– ISATAP tunnel

– Teredo tunnel

Different compatibility mechanisms:

– Proxying and translation (NAT-PT)

Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network.

Cisco IOS Dual Stack

Cisco IOS Dual Stack (Cont.)

When both IPv4 and IPv6 are configured on an interface, the interface is considered dual-stacked.

Tunneling is an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. This method of encapsulation is IPv4.

Includes a 20-byte IPv4 header with no options and an IPv6 header and payload

Requires dual-stack routers

IPv6 Tunneling

Manually Configured IPv6 Tunnel

Configured tunnels require:

Dual-stack endpoints

IPv4 and IPv6 addresses configured at each end

Enabling IPv6 on Cisco Routers

ipv6 unicast-routing

RouterX(config)#

Enables IPv6 traffic forwarding

ipv6 address ipv6prefix/prefix-length eui-64

Configures the interface IPv6 addresses

RouterX(config-if)#

IPv6 Address Configuration Example

Making IPv6 Real

Summary

IPv6 offers many additional benefits to IPv4 including a larger address space, easier address aggregation, and integrated security.

The IPv6 address is 128 bits long and is made up of a 48-bit global prefix, a 16-bit subnet ID, and a 64-bit interface identifier.

There are several ways to assign IPv6 addresses: statically, stateless autoconfiguration, and DHCPv6.

Cisco supports all of the major IPv6 routing protocols: RIPng, OSPFv3, and EIGRP.

Transitioning from IPv4 to IPv6 requires dual stacks, tunneling, and possibly NAT-PT.

Use the ipv6 unicast-routing command to enable IPv6 and the ipv6 address ipv6-address/prefix-length command to assign interface addresses and enable an IPv6 routing protocol.

CCNA Review

Documents

Transcript of CCNA Review