OSI Model A P S T N D P: Routing Protocols

Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 11

OSI Model A P S T N D P it is faster and more efficient since it doesn’t have

Upper layers7, 6, 5 don’t deal with data delivery, provide standardization acknowledgements.
of how applications share data and communicate with one another.
7. Application – Doesn’t provide services to the other layers, but Routing Protocols
it does communicate with user applications and selects the
appropriate network application for those applications.
Distance Vector Routing - Routing protocols that send
6. Presentation - Data representation, encryption, and their routing tables to their neighbors; uses the distance to
compression. Supports different protocols for text, data, a remote network to find the best path (RIP and IGRP)
sound, graphics, and images. (ASCII, EBCDIC, MIDI, MPEG, Counting to Infinity - Distance vector routing error that
GIF, JPEG, PICT, TIFF) can be remedied by Maximum Hop Count, Split
5. Session – Establishes, manages and terminates sessions Horizons, Route Poisoning, and Hold-Down timers.
between apps. A session is a dialog between Presentation Link State Routing - Sends the state of its own interfaces
layers of two or more systems. Protocols include NFS, SQL, to every router in the network; determines the entire
ASP, and RPC. network topology, then uses SPF (Shortest Path First)
Middle provides end-to-end data transportation services to the upper
layers algorithm to find best route. (OSPF,EIGRP(hybrid DV+LS))
4. Transport- Performs flow control by buffering, multiplexing, Link State routing problems - Router resource usage,
and parallelization. Provides end-to-end services by bandwidth consumption, and update synchronization.
segmenting upper layers, establishing end-to-end Solutions - Lengthening the update frequency,
connection, sending segments, and ensuring reliable data exchanging route summaries, using time stamps, or
transport. Data Unit is Segments. using sequence numbers can remedy the problems.
Lower
3. Network – Determines the best path from one network to Routing Problems:
another (path determination), packet switching, also known
Convergence – Time it takes all routers to receive an
as the domain of routing. Routers work at this layer. Uses
routing protocols (RIP, OSPF), and routed protocols (IP, IPX) update and agree on optimal routes through the
to provide logical addresses. Data Unit is Packets internetwork.
2. Data Link - Made up of the LLC and MAC sublayers. Routing Loops - When two or more routers have not yet
Bridges/switches work at this layer. Allows upper layers to converged and are broadcasting inaccurate routes.
work independently of the physical media. Performs physical
hardware addressing, Optional flow control, and error Routing Problems’ Solutions:
notification. LLC (Logical Link Control) is where framing Hold-downs - Prevent regular update messages from
occurs by the IEEE standards. MAC sublayer deals with reinstating a route that is down.
hardware functions and maintains the physical address (48 Route Poisoning - If a router's connected network goes
bits, burned onto card by manufacturer) of the network card
down, it sets its hop count to the maximum amount to
going into each host or gateway. Data Unit is Frames.
1. Physical - Where signals are converted to bits for transport make the network unreachable.
across a LAN. Mechanical and electrical functions of the OSI Split Horizons - Specify that a router can't send
model. Communicate with peer layers regarding activating, information about a route out the interface they originated
maintaining, and deactivating a circuit. Data Unit is Bits. from.
Maximum Hop Count - DV (RIP) permits hot count of up
Devices at the OSI Layers to 15. So a packet that is caught in a routing loop will only
Device Layer Data Unit travel 15 hops, on the 16th the network is deemed
Router Network Packets unreachable and the packet is discarded.
Bridge Data Link Frames
Switch Data Link Frames Configuring Routing Protocols
Hubs Physical Bits Configuring Static Routes
Syntax:
ip route [dest] [mask] [next_hop | exit_int]
5 Steps of data encapsulation:
Example:
1. User information is converted to data (App – Session) R_3(config)#ip route 192.168.1.0 255.255.255.0 serial0
2. Data is converted to segments (Transport) Configuring RIP (Routing Information Protocol):
3. Segments are converted to packets (Network) Syntax:
4. Packets are converted to frames (Data Link) Router(config)#router rip
5. Frames are converted to bits (Physical) Router(config-router)#network <network #>
Example:
Router(config)#router rip
Connection Oriented vs. Connectionless (Transport) Router(config-router)#network 10.0.0.0
Connection Oriented requires a unique session or pipe to Router(config-router)#network 192.168.1.0
be established (TCP). Setup and maintenance procedures Configuring IGRP (Interior Gateway Routing Protocol)
are performed to ensure delivery of messages. Establishes Syntax:
a Virtual Connection between the two devices. Router(config)#router igrp <autonomous system #>
Connectionless can be sent any time to any destination Router(config-router)#network <network #>
without any setup or acknowledgement (UDP). It is up to Example:
the application to determine if the data gets to the Router(config)#router igrp 200
Router(config-router)#network 10.128.22.0
destination, instead of the protocols. The advantage is that Router(config-router)#network 192.168.1.0

-1-
Checking Router Status Commands debug ipx routing Displays messages relating to IPX
activity routing activity.
Command Effect debug ipx routing Displays messages relating to IPX
Basic Router Operations events routing events.
enable | disable Enter privileged mode | exit to usr debug ipx sap Debug IPX sap packets
Ctrl+P Previous command
Backup Configurations
Ctrl+N Next command copy run start Copy current config to NVRAM
Ctrl+A Move to beginning of the line copy start run Copy config from NVRAM to RAM
Ctrl+E Move to the end of the line copy run tftp Copy config to TFTP server
Ctrl+F Forward one character copy tftp run Restore config from Server
Ctrl+B Back one character copy flash tftp Backup IOS to TFTP server
Esc+B Moves back one word at a time copy tftp flash Restore IOS from TFTP server
Esc+A Moves forward one word at a time boot system flash Tells router which IOS file in flash
<shift>+<ctrl>+6 X Shift between telnet sessions [filename] to boot.
<tab> Completes commands boot system tftp Tells router which IOS file to
Viewing Router Information [filename] request from tftp server
show version IOS Version Information Set Passwords (Global Config Mode)
show memory Memory statistics. line con 0 -Selects Console
show protocols Active network routing protocols. line aux 0 -Selects Auxiliary
show running-config Current config in RAM. line vty 0 4 -Selects Telnet
show startup-config Saved config in NVRAM. login -Allows logins and
password cisco -sets the password to cisco
show interfaces Interface status + config.
enable password cisco -Set password for privilege mode
show flash IOS file and free space. to cisco
Cisco Discovery Protocol (CDP) enable secret cisco2 -Set encrypted password to cisco2
show cdp cdp info (broadcast holdtime).
show cdp neighbor This shows all devices directly
connected to the router, hold time, Configure Logical Addresses
local and remote port, ID, platform TCP/IP -32 bits
and capability info. Syntax:
show cdp neighbor Adds IP / IPX addresses to above Router#configure terminal
detail info. Router(config)#interface <type> <Number>
show cdp entry Shows info for all entries ( *) or Router(config-if)#ip address <addr> <mask>
[*(all) | NAME] only one (NAME). Router(config-if)#no shut
show cdp traffic Shows traffic statistics. Example:
show cdp interface Display info about the interfaces on Router(config)#interface Ethernet 0
[type number] which CDP is enabled Router(config-if)#ip address 192.168.1.100
cdp run Enables CDP (global configuration) 255.255.255.0
cdp enable Enables CDP for an interface Router(config-if)#no shutdown
(interface configuration mode) IPX (only configure network ID, MAC is used for host ID) –80 bits
cdp timer seconds Specifies CDP updates frequency. Syntax:
cdp holdtime seconds Specifies the hold time to be sent in Router#configure terminal
the CDP update packets. Router(config)#ipx routing
TCP/IP Router(config)#interface <type> <Number>
no ip routing Disables IP routing. Router(config-if)#ipx network <#> encapsulation
show ip route View IP routing table. <type>
show ip interface IP interface info (IP access lists) Router(config-if)#no shutdown
debug ip rip Shows routing updates as they are Example:
received and sent. Router(config)#ipx routing
debug igrp events Shows a summary of the IGRP Router(config)#interface Ethernet 0
routing info that is running on the Router(config-if)#ipx network 2aa encap arpa
network. Router(config-if)#no shutdown
debug igrp Show message requests from Subinterfaces (For IP or IPX)
transactions neighbor routers asking for Syntax:
updates and the broadcasts sent to Router(config)#int <type> <#.subinterface #>
them. Examples:
IPX/SPX IP
ipx routing Enables IPX and (enables RIP Router#configure terminal
routing automatically). Router(config)#interface serial 0.1
ipx maximum-paths <1-512> IPX load balancing. (default 1) Router(config-subif)#ip address 192.168.1.1
show ipx route Views IPX routing tables. 255.255.255.0
show ipx interface IPX interface info (IPX access lists) IPX
show ipx servers Lists the IPX servers discovered Router(config)#int ethernet0.1
through SAP. Router(config-subif)#ipx network 1 encap snap
show ipx traffic View info about the number and Router(config-subif)#int ethernet0.2
type of IPX packets transmitted Router(config-subif)#ipx network 2 encap sap
and received.
-2-
Configure DCE Serial Interface bandwidth 56 Bandwidth in Kilobits.
no shutdown Brings up the interface.
Command or Prompt Level Effect of Command
Ctrl+Z Exits Global Configuration mode.
1. Prompt is Router>
5. Prompt changes to Router#
enable Enters privileged mode.
show interface s1 Shows interface status and
2. Prompt changes to Router#
configuration.
show controllers Tells you information about the
serial 1 physical interface itself, it also gives FRAME RELAY
you the cable type and whether it is Viewing Configurations
a DTE or DCE interface.
show frame-relay pvc Lists all PVCs and DLCIs Type,
configure terminal Enter Global Configuration mode. [type number [dlci]] number, & DLCI optional.
3. Changes prompt to Router(config)# show interface serial 0 View DLCI and LMI info.
interface serial 1 Enter interface configuration mode. show frame-relay map Display the current Frame Relay
4. Changes prompt to Router(config­if)# map entries.
clock rate 64000 Changes clock rate to 64000 bits per show frame-relay lmi View LMI statistics.
second. Enabling Frame Relay
encapsulation frame-relay <type> Enables Frame
Relay
keepalive <seconds> Defines the keepalive interval, must
be less than the switch default 10 sec
Frame Relay Encapsulation Types
cisco Default
ietf Used for connecting to non-
Cisco equipment
Specifying LMI Type
frame-relay lmi-type <type> Specifies LMI type
LMI Types
cisco LMI defined by the Gang of Four (default).
ansi ANSI standard T1.617 Annex D provides for
976 virtual circuit addresses and uses DLCI 0
as the management circuit.
q933a ITU-T Q.933 Annex A, similar to ANSI T1.617
Annex D, uses DLCI 0 as a management
circuit.
-LMI is a standard signaling mechanism between CPE (usually a
router) and the Frame Relay connection. It provides the CPE with
a local DLCI number and gives that DLCI number network-wide or
local significance.
-IOS 11.2 and up, supports LMI autosense, which enables the
interface to automatically determine the LMI type.

PPP Point-to-Point Protocol


Point-to-Point protocol is a Data Link layer protocol that can be
used over asynchronous serial (dial-up) and synchronous
serial (ISDN) media and that uses the LCP (Link Control Protocol)
to build and maintain data-link connections. The basic purpose of
PPP is to transport layer-3 packets over a Data Link layer point-
to-point link. PPP consists of two main components, LCP (Link
Control Protocol - used to establish, configure, and test the
connection) and NCP (Network Control Protocol - configures
many different layer protocols).

NCP - A PPP protocol for negotiating OSI Layer 3 (the network


layer) parameters.

HDLC -A method for encapsulating datagrams over serial links.

LCP -A protocol that establishes, configures, and tests data link


connections used by the PPP Link Control Protocol offers PPP
encapsulation different options, including the following:
-3-
Authentication - options includes PAP and CHAP
Compression -Data compression increases the throughput on a
network link, by reducing the amount of data that must be
Setting Banners
transmitted. Syntax:
Error Detection -Quality and Magic numbers are used by PPP to Router(config)#banner ?
ensure a reliable, loop-free data link. LINE c banner-text c, where 'c' is a
Multilink -Supported in IOS 11.1 and later, multilink is supported delimiting character
on PPP links between Cisco routers. This splits the load for PPP exec Set EXEC process creation banner
over two or more parallel circuits and is called a bundle. incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
PPP Session Establishment
Example:
Link-establishment phase -LCP packets are sent by each PPP Router(config)#banner motd #
device to configure and test the link. The LCP packets contain a Enter TEXT message. End with the character '#'.
field called the Configuration Option that allows each device to THIS IS THE MESSAGE OF THE DAY BANNER
see the size of the data, compression, and authentication. If no #
Configuration Options are set, then the default config is used. Disable Banner:
Authentication -If configured, either CHAP or PAP can be used Router#conf t
to authenticate a link. Authentication only takes place before Router(config)#no banner motd
Network layer protocol information is read.
Network layer protocol phase -PPP uses the Network Control
Protocol to allow multiple Network layer protocols to be Interface Descriptions
encapsulated and sent over a PPP data link. An interface description is limited to 80 characters and typically
describes the function of the interface.
R2(config)#interface serial 1
Configuring PPP R2(config-if)#description Link to East Office
Router3(config)#int s0
Router3(config-if)#encapsulation ppp
Router3(config-if)#exit ISDN Integrated Services Digital Network
Router3(config)#username Router2 password cisco ISDN is a circuit-switched service provided by Telco providers
After you set the encapsulation to PPP, you have to exit to to allow voice, data, and video and audio transmissions over
global configuration mode to set the username and password. existing digital telephone lines. ISDN is often used as a low cost
The username is the hostname of the remote host connecting via alternative to Frame Relay or T1 connections, while still offering a
PPP on the serial line; the password and encapsulation type must higher connection speed than an analog modem. ISDN service is
be the same for both routers. offered at two levels: Basic Rate Interface (BRI) and Primary
Rate Interface (PRI). BRI is typically used in small offices or for
Setting PPP Authentication home connection, and PRI is used in larger environments
because it provides higher bandwidth.
PAP-less secure of the two (sends passwords as plain text) and
CHAP -uses a three-way handshake to force remote hosts to
identify themselves after the link establishment phase is ISDN Bandwidth
complete. The local router sends a challenge request to the BRI -3 channels: 2 B-channels at 64 Kbps and 1 D-channel at 16
remote device and the remote device sends a value calculated Kbps for a maximum data throughput of 128Kbps.
using a one-way hash function called MD5 (encryption). PRI -23 B-channels and 1 64Kbps D-channel for bit rate of up to
Router3(config)# int s0 1.544Mbps.
Router3(config-if)#ppp authentication chap pap European ISDN PRI -30 64Kbps B-channels and 1 64Kbps D-
This tells the router to first use CHAP and then go to PAP if channel for a total interface rate of 2.048 Mbps.
CHAP isn't available. In both ISDN BRI and PRI, a single D-channel is used for
signaling information, and the B-channels are used to carry the
data. Because the control communications are conducted on a
PPP Commands channel that is separate from the data transfer, ISDN is said to be
out of band signaling.
Command Description
Shows encapsulation, open LCPs
LAPD
show interface serial 0 and more.
Layer 2 of the ISDN signaling protocol is Link Access
Procedure, D channel, it is used by ISDN to pass the signaling
View authentication process. messages between the router and the ISDN switch at the local
CO. LAPD is similar to HDLC and LAPB. As the expansion of the
debug ppp
LAPD acronym indicates, it is used across the D-channel to
authentication
ensure that control and signaling information flows and is
received properly.
Specifies chap hostname.
ppp chap hostname ISDN Protocol Series
router2 Protocol
Description Examples
Series
Specifies chap password. E Telephone and network E.163 - Telephone
ppp chap password cisco standards. numbering
E.164- ISDN addressing

-4-
I Methods, terminology, I.100 - Terminology,
concepts, and interfaces. structure, + concepts Settings SPIDS
I.300 - Networking The following commands show an ISDN BRI connection (two
recommendations SPIDS for 2 B-channels):
R3(config)#isdn switch-type dms-100
Q Signaling and switching Q.921 - Data Link layer R3(config)#interface bri 0
standards LAPD procedures R3(config-if)#isdn spid1 0835866201 8358662
Q.931 - Network layer R3(config-if)#isdn spid2 0835866401 8358664
functions
If you want your Cisco router to answer incoming calls over your
ISDN Functions and Devices ISDN line, you can configure an ISDN subaddress. When multiple
Terminal Adapter (TA) --- A converter device that allows non- devices are attached to an ISDN BRI, you can ensure that only a
ISDN devices to operate on an ISDN network. single device answers an incoming call by verifying the number or
Terminal Equipment 1(TE1) --- A device that supports ISDN subaddress in the incoming call against the device's configured
standards and that can be connected directly to an ISDN network number or subaddress or both.
connection. For example, ISDN telephones, personal computers,
R3(config-if)#isdn answer 52069145241010 5551212
or videophones could function as TE1s.
Terminal Equipment 2(TE2) --- A non-ISDN device, such as an
analog phone or modem, which requires a TA in order to connect DDR Dial on Demand Routing
to an ISDN network. Dial-on-demand routing (DDR), is used to allow two or more
Network Termination 1 (NT1) --- A small connection box that is Cisco routers to dial an ISDN dial-up connection on an as-
attached to ISDN BRI lines. This device terminates the needed basis. DDR is only used for low-volume, periodic network
connection from the Central Office (CO). connections using either a PSTN or ISDN. This was designed to
Network Termination 2 (NT2) --- A device that provides reduce WAN cost if you have to pay on a per-minute or per-
switching services for the internal network. This type of interface packet basis. DDR configuration commands define host and
is typically used with PRI lines, when they need to be divided for ISDN connection information. An access list and DDR dialer
several functions. For example, some channels may be used for group define what kind of traffic should initiate an ISDN call. You
WAN data communications and others for the telephone system can configure multiple access lists to look for different types of
and/or video tele-conferencing. interesting traffic. Interesting traffic is traffic that (when it arrives
at the router) triggers the router to initiate the ISDN connection

Steps of How DDR Works


1.) Route to the destination network is determined.
2.) Interesting packet dictates a DDR call.
3.) Dialer information is looked up.
4.) Traffic is transmitted.
5.) Call is terminated when no more traffic is being transmitted
over a link and the idle-timeout period ends.

Configuring a DDR Connection


R_3(config-if)#dial wait-for-carrier time 15
R_3(config-if)#dialer idle-timeout 300
R_3(config-if)#dialer load-threshold 125 either
R_3(config-if)#dialer map ip 192.168.52.1 name
ISDN Reference Points CORP speed 56 5205551212
R -- The R-interface is the wire or circuit that connects the TE2 to
the TA. Specifying Interesting Traffic (allows IP, but not IGRP)
S -- The S-interface is a four-wire cable from TE1 or TA to the R_3(config)#dialer-list 1 protocol ip list 110
NT1 or NT2, which is a two-wire termination point. R_3(config)#access-list 110 deny igrp any any
T -- The point between the NT1 and NT2, which is also the T- R_3(config)#access-list 110 permit ip any any
interface. This four-wire cable is used to divide the normal R_3(config)#int bri0
telephone company two-wire cable into four-wire, which then R_3(config-if)#dialer-group 1
allows the connection of up to eight ISDN devices.
S/T -- When NT2 is not used on a connection that uses NT1, the Sample ISDN Configuration
connection from the router or TA to the NT1 connection is typically The routers are both using PPP encapsulation and CHAP
called S/T. This is essentially the combination of the S and T authentication. The username has been set for the opposite
reference points. router in each configuration and the password is the same on
U -- The U-interface is the actual two-wire cable, also called the both. Each router has the ability to dial the other. The CORP
local loop, which connects the CPE to the Telco provider. router is located at the corporate network, which has other
connections and uses IGRP to transfer routing tables on the
Service Profile Identifiers (SPIDs) corporate network. However, IGRP is not desired on the ISDN
Many Telco providers utilize ISDN switches, which require SPIDs connection, so the CORP router has an access list specifically
for dial-in access. An ISDN device can access each ISDN denying IGRP on the ISDN link. Both routers permit all IP traffic
channel via its SPID number. You can configure the router to on the ISDN link and all IP traffic will be considered interesting or
utilize a single or multiple SPIDs when making a connection to the worth activating the ISDN link for. Multilink is enabled on both
ISDN provider. The ISDN provider must assign the SPID numbers routers, and they will dial their additional lines when there is 50%
for each channel, which is usually an 8 to 14-digit number. (load-threshold uses a number between 1 and 255, with 255
-5-
being 100%) or more utilization on the first channel. The link will debug q921 Used to see layer-2 information only
be terminated if there is no interesting traffic for 600 seconds (10 debug q931 Show the call setup and teardown
minutes). The IP routes are configured such that all traffic show ip route Show all routes the router knows about
destined from the corporate network to 192.168.24.0 will be sent
to the REMOTE router. Since the REMOTE router is a remote show isdn active Displays the status of the ISDN
branch with no other connections, all traffic that is not specifically connection while the call is in progress
destined for 192.168.24.0 will be sent to the CORP router. Note show isdn status Gives status information for ISDN
that each router has its dialer mapped to the IP address of the connections
other router. show interface bri 0 Shows you the configuration statistics
and speed of your ISDN BRI interface
Remote Network
Router Configuration: Supported ISDN Switch Types
Name: REMOTE
E0 IP address:192.168.24.1 Identifier Description
Local Network:192.168.24.0
BRI 0 IP address:192.168.49.2 basic-nil AT&T basic rate switches
REMOTE(config)#hostname corp password 123pass332 basic-5ess AT&T 5ESS basic rate switches
REMOTE(config)#isdn switch-type dms-100
REMOTE(config)#interface bri 0 basic-dms100 Nortel DMS-100 basic rate switches
REMOTE(config-if)#encapsulation ppp
REMOTE(config-if)#ppp authentication chap basic-4ess AT&T 4ESS primary rate switches
REMOTE(config-if)#spid1 5208881111 5270936
REMOTE(config-if)#spid2 5208881212 5270956
REMOTE(config-if)#ip address 192.168.49.2 255.255.255.0 primary-5ess AT&T 5ESS primary rate switches
REMOTE(config-if)#dialer idle-timeout 600
REMOTE(config-if)#dialer map ip 192.168.49.1 name corp primary-dms100 Nortel DMS-100 primary rate switches
7045551212
REMOTE(config-if)#dialer load-threshold 125 either vn2 French VN2 ISDN switches
REMOTE(config-if)#ppp multilink
REMOTE(config-if)#dialer-group 1 vn3 French VN3 ISDN switches
REMOTE(config-if)#exit
REMOTE(config)#dialer-list 1 protocol ip permit ntt Japanese NTT ISDN switches
REMOTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.49.1
REMOTE(config)#ip route 192.168.49.0 255.255.255.0 basic-1tr6 German 1TR6 ISDN switches
192.168.49.1

Corporate network Access Lists


Router Configuration: Access List Type Number
Name: CORP
BRI 1 IP address:192.168.49.1 Standard IP Access Lists 1-99
CORP(config)#hostname remote password 123pass332 Extended IP Access Lists 100-199
CORP(config)#isdn switch-type dms-100
CORP(config)#interface bri 1 Standard IPX Access Lists 800-899
CORP(config-if)#encapsulation ppp
CORP(config-if)#ppp authentication chap Extended IPX Access Lists 900-999
CORP(config-if)#spid1 7047773333 5265933
CORP(config-if)#spid2 7047774444 5265944 IPX SAP Filters 1000-1099
CORP(config-if)#ip address 192.168.49.1 255.255.255.0
CORP(config-if)#dialer idle-timeout 600
CORP(config-if)#dialer map ip 192.168.49.2 name remote Standard IP Access List
5205551212 Syntax:
CORP(config-if)#dialer load-threshold 125 either access-list 1-99 [permit|deny] [source address]
CORP(config-if)#ppp multilink
[source wildcard mask]
CORP(config-if)#dialer-group 1
CORP(config-if)#exit Example:
CORP(config)#ip route 192.168.24.0 255.255.255.0 Router(config)#access-list 1 deny 192.168.1.0
192.168.49.2 0.0.0.255
CORP(config)#dialer-list 1 protocol ip list 110 Router(config)#access-list 1 permit 0.0.0.0
CORP(config)#access-list 110 deny igrp any any 255.255.255.255 (same as any)
CORP(config)#access-list 110 permit ip any any
Apply the Access List:
Router(config)#int e0
Router(config-if)#ip access-group 1 out

ISDN Commands
Command Description Standard IPX Access List
clear interface Disconnects all current connections Syntax:
show dialer Shows the current dialer status, access-list 800-899 [permit|deny] [source net/
including the time that the link has been node address] [dest network/ dest address]
active Example:
debug dialer Displays the configuration and operation Router(config)#access-list 800 deny 500 200
of the dialer Router(config)#access-list 800 permit -1 -1

-6-
Apply the Access List: This command doesn't show which
Router(config)#int e0 interface the list is configured on.
Router(config-if)#ipx access-group 800 in show access-list Shows only the parameters for the
[list#] access list specified. This command
Extended IP Access List does not show you the interface the list
Syntax: is configured on.
access-list 100-199[permit|deny][protocol][src show ip access-list Shows only the IP access lists
IP addr][src wildcard mask][dest IP addr][dest configured on the router.
IP addr][dest wildcardmask][operator][port][log] show ipx access-list Shows only the IPX access lists
Example: configured on the router.
Router(config)#access-list 100 deny tcp host
show ip interface Shows which interfaces have IP access
192.168.1.10 host 192.168.2.2 eq www
Router(config)#access-list 100 permit ip any any lists on them.
Router(config)#int e0 show ipx interface Shows which interfaces have IPX
Router(config-if)#ip access-group 100 in access lists on them.
This access list will block 192.168.1.10 from accessing TCP port show running-config Shows the access lists and which
www (http[80]) on host 192.168.2.2. The host is a short cut to use interfaces have access lists set.
the 0.0.0.0 wildcard mask. Since extended IP access lists use any Keyword used to represent all hosts or
destination addresses, the list should be applied as close to the networks, replaces 0.0.0.0
source as possible to reduce unnecessary traffic on the network. 255.255.255.255 in access list.
host Keyword that specifies that an address
Extended IPX Access list should have a wildcard mask of 0.0.0.0.
Syntax: (i.e. will match only 1 host)
access-list 900-999 [permit|deny] [protocol] clear access-list Clears extended access lists counter of
[source network/node address] [socket] [dest counter [list#] the number of matches per line of the
network/node addr] [socket] access list.
Example: -1 Applies to any IPX network or any
R_1(config)#access-list 900 deny -1 500 0 200 0
protocol when used in extended IPX
R_1(config)#access-list 900 permit -1 -1 0 -1 0
access lists.
R_1(config)#int e0
0 Used for all sockets in extended IPX
R_1(config-if)#ipx access-group 900 in
Extended IPX access lists allow you to filter based on source access lists.
ip access-group Applies an IP access list to an interface.
and destination network or node address, IPX protocol type (a -1
specifies all IPX protocols), and IPX socket #. ipx access-group Applies an IPX access list to an
interface.
IPX SAP Filters ipx input-sap-filter Applies an inbound IPX SAP filter to an
Syntax: interface.
access-list 1000-1099 [permit|deny] [src network ipx output-sap-filter Applies an outbound IPX SAP filter to
/ node addr] [service-type] an interface.
Example:
Router(config)#access-list 1000 200 0
Router(config)#access-list 1000 permit -1 0 Cisco Hierarchical Model
There are three layers to the Cisco hierarchical model
To apply a SAP filter to an int. for inbound filtering use the cmd: 1. The core (Backbone) layer provides optimal transport
Router(config)#int e0 between sites.
Router(config-if)#ipx input-sap-filter [list#] 2. The distribution layer provides policy-based
Or for outbound filtering use the cmd: connectivity.
Router(config)#int e0 3. The local-access layer provides workgroup/user
Router(config-if)#ipx output-sap-filter [list#] access to the network.
This would block all advertisements from network 200 from
being passed to other routers on the internetwork. Again you can Core Layer
use the command show access-list to see the access lists. Responsible for transporting large amounts of traffic reliably and
quickly. Only purpose is to switch traffic as fast as possible
(speed and latency are factors). Failure at the Core layer can
Controlling VTY Access affect every user.
Example: Design specifications:
R_2(config)#access-list 15 permit 192.168.1.71 Don't Do at this layer
R_2(config)#line vty 0 4 oDon't use access lists, packet filtering, or VLAN Routing.
R_2(config-line)#access-class 15 in
oDon't support workgroup access here.
This will stop all hosts except 192.168.1.71 from telneting into
oDon't expand (more devices) upgrade instead (faster
the router. This is accomplished by only allowing one host and
then not permitting any other hosts since there is an implicit deny devices)
at the end of all access lists. Do at this layer
 Design for high reliability (FDDI, Fast Ethernet with redundant
links, or ATM).
Access List Commands
 Design for speed and low latency.
Command Description  Use routing protocols with low convergence times.
show access-lists Displays all access lists and their
parameters configured on the router. Distribution Layer
-7-
Also called workgroup layer, is the communication point between Fddi_raw novell-fddi
access and core layers. Primary function, routing, filtering, WAN
access, and determine how packets can access the Core layer if
necessary. Determine fastest/best path and send request to Core Routing Protocols’ Administrative Distances
layer. Core layer will then quickly transport the request to the
correct service. Place to implement network policies. Route Source Default Distance
Network Policies
 Access lists, packet filtering, queuing Connected interface 0
 Security and network policies such as address Static Route 1
translation and firewalling.
 Redistribution between routing protocols including static EIGRP 90
routing.
IGRP 100
 Routing between VLANs and other workgroup support
functions. OSPF 110
 Definition of broadcast and multicast domains.
RIP 120
Access Layer
External EIGRP 170
- Controls user and workgroup access to internetwork
resources. Unknown 255
- Also called desktop layer.
- The resources most user need will be available locally. Changing the Configuration Register
- Distribution layer handles traffic for remote services. To change the configuration register while running the system
software, follow these steps:
- Continued access control and policies.
Step 1 - At the privileged EXEC prompt (Router#), enter the
- Creation of separate collision domains (segmentation) configure terminal command to enter global configuration
- Workgroup connectivity in Distribution layer mode.
- Technologies such as DDR and Ethernet switching are Router#configure terminal
Router(config)#
seen in the Access layer
- Static routing is here. Step 2 - Set the contents of the configuration register by entering
the config-register value configuration command, where
Configuring IPX Encapsulation value is a hexadecimal number preceded by 0x as in the
To enable IPX routing on interface Ethernet 0 using arpa following example:
(Ethernet_II) encapsulation use the command: Router(config)# config-register 0x2142
Router3(config)#ipx routing
Router3(config)#interface Ethernet 0 Step 3 - Press Ctrl-Z to exit configuration mode.
Router3(config-if)#ipx network 2 encap arpa
Step 4 - Display the current configuration register value, which
You can assign multiple networks with different encapsulation will be used at the next system reload, by entering the show
types by using the commands: version command.
The value is displayed on the last line of the screen display, as
R3(config)#int e0.1 in the following example:
R3(config-subif)#ipx network 1 encapsulation sap
R3(config-subif)#int e0.2 Configuration register is 0x2102 (will be 0x2142 at
R3(config-subif)#ipx net 2 encap novell-ether next reload)

Step 5 - Restart the router. Changes to the configuration register


Novell Frame Encapsulation take effect only when the system reloads.
NetWare Frame Type Cisco Keyword
Configuration Register Boot Field
Ethernet Frames
Boot
Ethernet_802.3 novell-ether (default) Meaning Used For:
Field
Ethernet_802.2 Sap
To boot to ROM monitor mode, set the
Ethernet_II arpa configuration register to 2100. You must
ROM monitor
00 then manually boot the router with the b
Ethernet_SNAP snap mode
command. The router will show a
Token Ring Frames rommon> prompt.

Token-Ring sap (default) To boot an IOS image stored in ROM, set


Boot image the configuration register to 2101. The
01
Token-Ring_snap snap from ROM router will show the router(boot)>
prompt.
FDDI Frames
Specifies a Any value from 2102 to 210F tells the
Fddi_snap snap (default) 02 to
default boot router to use the boot commands specified
0F
Fddi_802.2 sap filename in NVRAM.

-8-
Name Resolution Blocking - doesn't forward any frames, listens to BPDUs. Ports
default to blocking when the switch powers on. Used to prevent
Creating a Host Table
network loops. If a blocked port is to become the designated port,
Syntax: it will first enter listening state.
ip host name <tcp port #> <ip address> Listening - listens to BPDUs to ensure no loops occur on the
network before passing data frames.
The example turns off domain lookups and doesn’t specify a port Learning - learns MAC addresses and builds filter table, doesn't
number because port 23 ( telnet ) is used by default. forward frames.
Example: Forwarding - sends and receives all data on bridge ports.
Router_2#configure terminal
Router_2(config)#no ip domain-lookup
Router_2(config)#ip host router_3 192.168.1.6 LAN Switching Modes
Store and Forward - the entire frame is copied into its buffer and
Using DNS lookups computes the Cyclic Redundancy Check (CRC). Since it copies
Router_2(config)#ip domain-lookup the entire frame, latency varies with frame length. If the frame
Router_2(config)#ip name server 192.168.1.5 has a CRC error, is too short (<64 bytes), or is too long (>1518
Router_2(config)#ip domain-name foo.bar bytes) it is discarded. If no error, the destination address (MAC)
is looked up in the filter table and is sent to the appropriate
interface. Is the default state for 5000 series switches
Layer 2 Switching Cut Through - fastest switching mode as only the destination
Layer 2 switching is hardware based, and tends to be faster address is copied. It will then look up the address in its filter table
than routers, because they don't look at the logical addressing and send the frame to the appropriate interface.
(Network layer headers), they instead use the hardware address Fragment Free - modified form of Cut Through switching. The
defined at the Data Link (MAC) layer to decide whether to forward switch waits for the first 64 bytes to pass before forwarding the
or discard the frame. Switches use Application Specific Integrated frame. If the packet has an error, it usually occurs in the first 64
Circuits (ASIC) to build and maintain filter tables. bytes of the frame. Default mode for 1900 switches.
Layer two switching is so efficient because it doesn't modify the
data packet only the frame encapsulating the packet also causes
it to be less error prone Virtual Local Area Networks
VLANs are formed to group related users together regardless
Three functions of Layer 2 Switching of the physical connections of their hosts to the network. The
1.) Address learning - layer 2 switches retain, in their filter users can be spread across a campus network or even across
tables, the source hardware address and port interface it was geographically isolated locations. Users can be organized into
received on. separate VLANs according to their department, location, function,
2.) Forward/Filter decisions - when a frame is received, the application, or protocol used. The goal with VLANs is to group
switch looks at the destination hardware address and finds the users into separate VLANs so their traffic will stay within the
interface it is on, in the filter table. If the address is unknown, the VLAN.
frame is broadcast on all interfaces except the one it was Benefits of VLANs
received on. Broadcast Control - VLANs provide logical collision and
3.) Loop Avoidance - if multiple connections between switches broadcast domains that confine broadcast and multicast traffic to
exist for redundancy, network loops can occur. Spanning Tree the bridging domain
Protocol is used to stop loops and allows redundancy. Security - If a router is not used, no user outside the VLAN can
communicate with users or access resources within a VLAN.
Restrictions can also be placed on hardware addresses,
Spanning Tree Protocol (STP) protocols, and applications
IEEE 802.1d. Main task is to stop network loops from occurring Performance - You can isolate users that require high
on layer 2 devices. It monitors the network to find all the links and performance networks for bandwidth intensive projects, VLANs
shuts down redundant ones to prevent loops. can isolate them from the rest of the network.
It first elects a root bridge (only 1 per network), root bridge Network Management - Software on the switch allows you to
ports are called designated ports, which operate in what are reconfigure the logical layout of the LAN without having to
called forwarding-state ports. Forwarding-state ports can send change cable connections.
and receive traffic. Other switches in your network are non-root
bridges. VLAN Memberships
The non-root bridges with the fastest link to the root bridge is
Static VLANs - are the typical method of creating VLANs and
called the root port, sends and receives traffic.
are the most secure. The switch port you assign a VLAN
Ports that have the lowest cost to the root bridge are called
association to always maintains that association until an
designated ports. The other ports on the bridge are considered
administrator changes the port assignment.
non-designated and will not send or receive traffic, (blocking
Dynamic VLANs - determine a node's VLAN assignment
mode).
automatically. Using intelligent management software, you can
Switches or bridges running STP, exchange information with
enable MAC addresses, protocols, of even applications to create
what are called Bridge Protocol Data Units (BPDU) every 2
dynamic VLANs
seconds. BPDUs send configuration information using multicast
frames, BPDUs are also used to send the bridge ID of each
Frame Tagging
device to other devices. The bridge ID is used to determine the
root bridge in the network and to determine the root port. The Switches use frame tagging to keep track of users and frames
Bridge ID is 8 bytes long, includes priority and MAC address. as they travel the switch fabric and VLANs. Switch fabric is a
Priority of IEEE STP version is 32,768. group of connected switches. Frame tagging assigns a unique
user-defined ID to each frame. Also called VLAN ID or color.
STP Port States
Types of Links

-9-
Access Links - are only part of 1 VLAN are referred to as the o Integration of ISL, 802.10, and ATM LAN-based VLANs.
native VLAN of the port. Any device attached to an access link is o Auto-intelligence within the switches for configuring VLANs.
unaware of a VLAN membership. This device just assumes that o Configuration consistency across the network.
it is part of broadcast domain, without any understanding of the o An auto-mapping scheme for going across mixed-media
physical network. Switches remove any VLAN information backbones.
before it is sent to an access link device. Access link devices o Accurate tracking and monitoring of VLANs.
can't communicate with any devices outside their VLAN without a o Dynamic reporting of added VLANs across the network.
router or layer 3 device.
o Plug-and-Play setup and configuration when adding new
Trunk Links - can carry multiple VLANs and are used to
VLANs.
connect switches to other switches, to routers, or servers. Trunk
To allow VTP to manage your VLANs across the network, you
links are only supported on Fast or Gigabit Ethernet (100 or
must first create a VTP server. All servers that need to share
1000Mbps). Cisco switches support two ways to identify which
VLAN information must use the same domain name, and a
VLAN a frame belongs to: ISL and 802.1q. Trunk links have a
switch can only be in one domain at a time. If all your
native or default VLAN that is used if the trunk link fails. Trunked
switches are in the same VLAN then you don't need to use VTP.
links carry the traffic of multiple VLANs from 1 to 1005 at a time.
VTP information is sent via a trunk port. Switches advertise VTP
Trunking allows you to make a single port a part of multiple
management domain information, as well as configuration
VLANs, so you can be in more than one broadcast domain at a
time. When connecting switches together, trunk links can carry revision number and all known VLANs with any specific
some or all VLAN information across the link. If you don't trunk parameters.
the links then the switch will only carry VLAN 1 information
across the link. Cisco switches use the Dynamic Trunking Modes of VTP
Protocol (DTP) to manage trunks. DTP is a PPP that was Server - default mode for all catalyst switches. You need at
created to send trunk information across 802.1q trunks. least one to propagate VLAN data throughout the domain. The
switch must be in server mode to create, add, or delete VLANs in
Trunk types a VTP domain. Advertisements are sent every 5 minutes or
Inter-Switch Link - ISL is a Cisco proprietary protocol for whenever there is a change.
interconnecting multiple switches and maintaining VLAN Client - receives information from VTP servers and sends and
information as traffic goes between switches. ISL is similar to receives updates, but can't make any changes. To add a port on
802.10 as they both multiplex bridge groups over a high-speed a switch to a VLAN, first make it a client to update the database,
backbone (ISL runs only on Fast Ethernet). ISL is an external then change it to a server to make the changes and have them
tagging process (original frame is encapsulated in a 26 byte ISL advertised.
header with a 4 byte FCS at the end, 2 bytes are for the VLAN Transparent - doesn't participate in the VTP domain, but will
ID). Since the frame is encapsulated, only devices running ISL still forward VTP advertisements through the configured trunk
can read it. If you need a protocol for other than Cisco Switches links. Can add and create VLANs as it doesn't share its
use 802.1q. ISL frames can be up to 1522 bytes long. database with any other switch, but the VLANs will only be
IEEE 802.1q - Created by the IEEE as a standard method of considered locally significant.
frame tagging. It actually inserts a field into the frame to identify
the VLAN. If you are trunking between a Cisco switch and a non- VTP Pruning
Cisco switch, you will need to use 802.1q for the trunk to work. It is disabled by default. Pruning is configuring VTP to reduce
Local Area Network Emulation (LANE) - LANE is a service the amount of broadcasts, multicasts, and other unicast packets
that provides interoperability between ATM-based workstations to help conserve bandwidth. When you enable VTP pruning on a
and devices connected to existing LAN technology. LANE uses server, you enable it for the entire domain. VLAN 1 can never
MAC encapsulation because this approach supports the largest prune because it is an administrative VLAN.
number of existing OSI layer 3 protocols. The end result is that
all devices attached to an emulated LAN appear to be on one Cisco Discovery Protocol (CDP)
bridged segment. In ATM LANE environments, the ATM switch
CDP is a media- and protocol-independent protocol that runs
handles traffic that belongs to the same emulated LAN and
on all Cisco-manufactured equipment including routers, bridges,
routers handle inter LANE traffic.
access and communication servers, and switches. Using CDP,
IEEE 802.10 - Defines a method for securing bridging of data
you can view information about all the Cisco devices directly
across a shared MAN backbone. The coloring (VLAN ID) of
attached to the device. In addition, CDP detects native VLAN and
traffic across the FDDI backbone is achieved by inserting a 16-
port duplex mismatches.
byte header between the source MAC and the Link Service
CDP runs on all media that support Subnetwork Access
Access Point (LSAP) of frames leaving a switch. This header
Protocol (SNAP). CDP runs over the data link layer only. Cisco
contains the 4-byte VLAN ID or "color". The receiving switch
devices never forward CDP packets. When new CDP information
removes the header and forwards the frame to interfaces that
is received, Cisco devices discard old information.
match the VLAN color.

Inter VLAN Communications CDP Default Configuration


To communicate between VLANs you need to have a router Feature Default Value
with an interface for each VLAN or a router that supports ISL
routing. The lowest Cisco router that supports ISL routing is the
2600 series. If you're using a router with one interface and ISL CDP global enable state Enabled
the interface should be at least 100Mbps (Fast Ethernet).

VLAN Trunking Protocol CDP port enable state Enabled on all ports
Developed by Cisco, it is the industry's first protocol
implementation specifically designed for large VLAN deployments.
CDP message interval 60 seconds
VTP enhances VLAN deployment by providing the following:
- 10 -
Router(config-line)#login
Router(config-line)#password ccna
CDP holdtime 180 seconds
CDP Commands are listed on page 2. Setting the Virtual Terminal (Telnet) password:
Router(config)#line vty 0 4
Router(config-line)#login
CDP Neighbor Information includes
Router(config-line)#password ccna
 Neighbor's device ID
 Local port type and number
 Holdtime value (in seconds) Subnet Masking
 Neighbor's hardware platform Process
 Neighbor's network device capability 1.) How many subnets?
 Neighbor's remote port type and number 2(masked bits) - 2 = Subnets
2.) How many valid hosts per subnet?
2(unmasked bits) - 2 = Hosts
CDP Neighbor Detail Information includes
3.) What are the valid subnets?
Additional detail is shown about neighbors, including network 256-(subnet base)=Base number
address, enabled protocols, and software version. 4.) What are the valid hosts in the subnets?
All numbers between subnets minus the all 1s (.255) and all
High-Level Data Link Control 0s (.0) host addresses.
HDLC is the default encapsulation used by Cisco routers over 5.) What is broadcast address of the subnet?
synchronous serial links. HDLC is a bit-oriented ISO standard All the host bits turned on.
Data Link layer protocol. It specifies a method to encapsulate Example
data over synchronous serial links using frame characters and 255.255.255.192 = 11111111.1111111.1111111.11000000
checksums. HDLC is a point-to-point protocol used on leased
lines between Cisco devices. If you need to establish a link 1.) (22)-2 = 2 Subnets
between a Cisco device and a non-Cisco device, you must use 2.) (26)-2 = 62 Hosts per subnet
PPP encapsulation instead of HDLC. No authentication can be 3.) 256 - 192 = 64 (.01000000) {For the first subnet}
used with HDLC. The reason each vendor has a proprietary 4.) 65 to 126 (.01000001 to .01111110) Valid hosts in the subnets
encapsulation of HDLC is that they each have a different way for 5.) 127 (.01111111) Broadcast
the HDLC protocol to communicate with the Network layer
protocols, and the ISO standard doesn't allow for multiple
protocols on a single link.

Ethernet Frames
Used at the Data Link layer to encapsulate packets handed down
from the Network layer for transmission on a medium.
There are four types
1.) Ethernet_II frames have a type field in their frame

2.) IEEE 802.3 frames have a length field in their frame,

3.) IEEE 802.2 802.3 frame can't contain information about the
upper layer protocols (Network Layer), so it is combined with the
802.2 (LLC) frame to provide this function.

4.) 802.2 SNAP (Subnetwork Architecture Protocol)


 SNAP was created because not all protocols worked
well with the 802.3 frame, which has no ether-type field.
 802.2 frame is an 802.3 frame with the LLC info in the
data field of the header (has DSAP and SSAP).
 SNAP frame's DSAP and SSAP are always set to AA
with the command field set to 3.
 SNAP is mostly seen with proprietary protocols such as
AppleTalk and the Cisco CDP.

Setting Passwords
Setting the enable and enable secret password:
Router(config)#enable ccna
Router(config)#enable secret ccna2

Setting the auxiliary port password:


Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password ccna

Setting the console password:


Router(config)#line con 0

- 11 -

You might also like