Student prerequisite knowledge/skills:
- Experienced PC user
- Operational knowledge of Ethernet
- 802.1D standard
- 802.1Q standard

Topics not covered in this course:
- In-depth discussion of 802.1D
- TCP/IP network design
- Wireless
- NetSight NMS
- Dragon
- STP
- In-depth discussion of the following protocols: OSPF, DVMRP, IGMP, and VRRP, or other routing protocols
Enterprise Routing
Routers:
- Switch packets between different physical networks, based upon Network-layer addressing
- Do not flood MAC-layer broadcasts from one attached network to another
- Are protocol dependent (IP routed to IP; IPX routed to IPX, etc.)
- Support packet fragmentation
- Support multiple physical- and MAC-layer packet encapsulation types and can translate from one type to another
When routing is needed:
- When communication is needed between VLANs
- When MAC-layer multicast/broadcast traffic is adversely affecting network performance
- When packet switching based upon upper-layer protocols (i.e. IP, IPX, AppleTalk, etc.) is desired
- Where multiple active paths between systems are required
The following Enterasys switch products support both Layer 2 (the Data Link layer of the OSI model) switching and Layer 3 (the Network layer) IP routing functionality:
- SecureStack B3/C2/C3
- Matrix E1
- G Series
- Matrix N-Series DFE (Matrix Gold, Matrix Platinum, Matrix Diamond)
- Matrix X
B3: supports only basic IP layer 3 routing (static routes, RIP, basic ACLs)
C2/C3 Series: supports basic IP layer 3 routing (static routes, RIP, basic ACLs)
Optional licenses:
- C2 L3-LIC (Layer 3 Routing License): enables OSPF, PIM, DVMRP, VRRP. The license will need to be re-entered if the configuration is cleared.
- Advanced routing license: enables OSPF, PIM, DVMRP, VRRP. Requires the purchase and activation of an advanced routing license for each unit in a stack. The license will NOT need to be re-entered if the configuration is cleared.
[Feature support table for Matrix E1 and Matrix X; the cell contents did not survive extraction.]
* Requires advanced routing features software license.
** Requires extended memory of 256 MB.
*** Supported only on the SecureStack C3 and G-Series.
2007 Enterasys Networks, Inc. All rights reserved.
[Table: routing capacity limits per platform (Matrix X, N-Series Platinum, N-Series Gold, N-Series Diamond, E1, C2/C3); the column headings did not survive extraction, so the values cannot be attributed to features.]
Includes internal loopback of 127.0.0.1 per chassis.
* Dependent on the number of forwarding engines per chassis.
OSPF capacity limits per platform (values as given on the slide):
- Matrix X: OSPF areas 16; total OSPF LSAs in LSDB 30,048; Type 1 LSAs 1,024; Type 2 LSAs 1,024; Type 3 LSAs 6,000; Type 4 LSAs 6,000; Type 5 LSAs 8,000; Type 7 LSAs 8,000; Type 9/10/11 LSAs n/s; OSPF neighbors 24; router links per area 24
- N-Series Gold: OSPF areas 4; total OSPF LSAs in LSDB 10k; Type 1 LSAs 100; Type 2 LSAs 400; Type 3 LSAs 2,000; Type 4 LSAs 2,000; Type 5 LSAs 3,000; Type 7 LSAs 3,000; Type 9 LSAs 64; Type 10 LSAs 512; Type 11 LSAs 64; OSPF neighbors 60; router links per area 100
- C2/C3: OSPF areas 4; total OSPF LSAs in LSDB 2,500; Type 1 through Type 7 LSAs 2,500 each; Type 9/10/11 LSAs n/s
Two further cells on the slide read "No hardware limit", and fragments "1 128 2 256" and "MB RAM" remain; the extraction does not show which rows they belong to.
[Table: per-platform limits for VRRP IDs, VRRP IPs per interface, VRRP IDs per interface, IGMP groups, DVMRP routes, multicast flows, IP helper addresses per router and per interface, and DHCP server leases; the values did not survive extraction.]
- IP protocols running over L3, for example UDP and TCP, do not change with IPv6.
For this reason, a single CPU stack is used for transport of both IPv4 and IPv6, and a single sockets interface provides access to both.
- Routing protocols are capable of computing routes for either IP version or both.
This release will provide unicast routing using OSPFv3 and static routes.
Enterprise Routing
Basic Routing Configuration
- VLAN Review
- Router Configuration / Direct Routes
- Static Routes
- RIP Routes
- ARP Configuration
- File Management
- Additional information
SecureStackC2(su)-> set port vlan fe.1.6 15
Then answer Y to add the port to the egress list and clear the existing PVID.
OR
3. Assign ports to the VLAN
SecureStackC2(su)-> set port vlan fe.1.6 15
Then answer N to not add the port to the egress list and not clear the PVID.
4. Assign ports to the VLAN's egress list
SecureStackC2(su)-> set vlan egress 15 fe.1.6 untagged
5. Remove (default) ports from default VLAN 1's egress list
SecureStackC2(su)-> clear vlan egress 1 fe.1.2-10
IP interfaces bound to VLANs are referenced in Matrix X-series CLI with syntax vlan.<bridgeDomain>.<vid>
Matrix X-series currently supports one bridge domain, defaulting to a value of 1.
Matrix X
1. Optionally set the Spanning Tree state per port for the ports to be assigned to the VLAN, from the switch CLI:
   matrix-x(switch-rw)-> set spantree portadmin ge.1.1 disable
2. Optionally set the GVRP state per port for the ports to be assigned to the VLAN, from the switch CLI:
   matrix-x(switch-rw)-> set gvrp disable ge.1.1
As soon as two or more routing interfaces are created, routing between VLANs is available.
Enter router mode:
- matrix(su)->router
[Figure: two routed VLAN interfaces, VLAN 5 and VLAN 10, on the router]
By default, when an IP interface on a loopback is created on SecureStack, N, X and E1, the interface is in a down state.
Therefore, no shutdown must be entered to bring up the loopback.
Loopback interfaces are not associated with any VLAN. The loopback can be used for remote administration of the router in lieu of the host interface; you must use a routing protocol or static routing to reach it. Use the loopback IP address as the BGP router identifier.
Dynamic Routes
- Dynamic routes are learned when routers send routing table information to each other.
- The three forms of dynamic routing that are most commonly used are Distance Vector, Link State and Path Vector protocols.
Distance Vector Protocols
- RIPv1 and RIPv2
- DVMRP, PIM-SM, PIM-SSM (multicast)
Link State Protocols
- OSPFv2
- IS-IS
Path Vector Protocols
- BGP4
Configuring Static Routes
- Static routes are manually configured and entered into a device's routing table.
- A static route is defined by a destination network, a mask and a next hop.
matrix-x(router-config)# ip route prefix {mask | masklen} {ipv4-address | interface-name | next-hop} [distance] [tag tag] [metric value] [unicast] [multicast] [noinstall] [reject] [retain] [blackhole]
There are two show ip route commands, one in switch mode and one in router mode.
Switch mode - the show ip route command shows host routes:
SecureStackC2(su)->show ip route
ROUTE TABLE
Destination   Gateway       Mask      Tos  Flags  Refcnt  Use  Interface
-----------------------------------------------------------------------------
default       192.168.0.1   00000000  0    UGC    0       0    host
127.0.0.1     127.0.0.1     00000000  0    UH     0       0    loopback
192.168.0.0   192.168.0.2   ffffff00  0    UC     1       0    host
-----------------------------------------------------------------------------
The host interface maintains a separate routing table from the VLAN interfaces. Each can be separately viewed and maintained, and each can have a separate and distinct default route.
Router mode - the show ip route command shows the routing table:
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2
       * - candidate default, U - per user static route
C    10.1.50.0/24 [cost 0] directly connected, Vlan 5
C    10.1.100.0/24 [cost 0] directly connected, Vlan 10
C    10.1.150.0/24 [cost 0] directly connected, Vlan 15
C    172.16.0.0/24 [cost 0] directly connected, Vlan 123
S    192.168.1.0/24 [cost 0] via 172.16.0.51, Vlan 123
S    192.168.100.0/24 [cost 0] via 172.16.0.37, Vlan 123
RIP is a standards-based form of distance-vector routing using the Bellman-Ford algorithm. Two versions of RIP are available today:
- RIP version 1, defined by RFC 1058 (STD 34), 6/88
- RIP version 2, defined by RFC 2453 (STD 56), 8/99
RIP updates occur every 30 seconds and send the entire routing table contents.
- IP/UDP port 520
- Up to 25 routes per packet
Subsequent to a topology change, convergence time increases significantly with network size.
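To make the packet limits above concrete, here is an added example (not from the course material) that builds RIPv2 Response packets in the RFC 2453 wire format, splitting a table of more than 25 routes across packets, and parses them back with the length, address-family and metric checks a receiver should apply before touching its routing table. The route list is constructed sample data.

```python
import struct
from ipaddress import IPv4Address

RIP_PORT = 520              # RIP carries updates in UDP, port 520 (RFC 2453)
MAX_ROUTES_PER_PACKET = 25  # one RIP packet holds at most 25 route entries
RIP_RESPONSE = 2            # command 2 = Response (a routing update)
RIP_VERSION = 2
AF_INET = 2
HEADER_FMT, ENTRY_FMT = "!BBH", "!HH4s4s4sI"   # 4-byte header, 20-byte route entry


def build_rip_updates(routes):
    """Split a routing table into RIPv2 Response packets of at most 25 entries.

    routes: list of (network, mask, next_hop, metric); returns a list of byte strings.
    """
    packets = []
    for start in range(0, len(routes), MAX_ROUTES_PER_PACKET):
        # header: command, version, 2 bytes that must be zero
        pkt = struct.pack(HEADER_FMT, RIP_RESPONSE, RIP_VERSION, 0)
        for net, mask, nh, metric in routes[start:start + MAX_ROUTES_PER_PACKET]:
            # entry: address family, route tag, IP address, subnet mask, next hop, metric
            pkt += struct.pack(ENTRY_FMT, AF_INET, 0, IPv4Address(net).packed,
                               IPv4Address(mask).packed, IPv4Address(nh).packed, metric)
        packets.append(pkt)
    return packets


def parse_rip_update(data):
    """Parse one RIPv2 packet, rejecting malformed input before it reaches the table.

    Returns (command, version, [(network, mask, next_hop, metric), ...]).
    """
    if len(data) < 4 or (len(data) - 4) % 20 != 0:
        raise ValueError("RIP packet length is not 4 + n*20 bytes")
    cmd, ver, _zero = struct.unpack(HEADER_FMT, data[:4])
    entries = []
    for off in range(4, len(data), 20):
        af, _tag, net, mask, nh, metric = struct.unpack(ENTRY_FMT, data[off:off + 20])
        if af != AF_INET:
            raise ValueError("unsupported address family %d" % af)
        if not 1 <= metric <= 16:        # 16 is RIP infinity; anything else is invalid
            raise ValueError("metric %d out of range" % metric)
        entries.append((str(IPv4Address(net)), str(IPv4Address(mask)),
                        str(IPv4Address(nh)), metric))
    if len(entries) > MAX_ROUTES_PER_PACKET:
        raise ValueError("more than 25 routes in one packet")
    return cmd, ver, entries


# Constructed sample table: 30 /24 routes, so two packets are needed.
SAMPLE_ROUTES = [("10.1.%d.0" % i, "255.255.255.0", "0.0.0.0", 1 + i % 15)
                 for i in range(1, 31)]
```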
Router1>Router(config)# interface vlan 11
Router1>Router(config-if(Vlan 11))# ip address 10.1.1.1/24
Router1>Router(config-if(Vlan 11))# no shutdown
Router1>Router(config-if(Vlan 11))# exit
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip address 10.1.2.1/24
Router1>Router(config-if(Vlan 12))# no shutdown
Router1>Router(config-if(Vlan 12))# exit
Router1>Router(config)# router rip
Router1>Router(config-router)# network 10.1.1.0
Router1>Router(config-router)# network 10.1.2.0
Router1>Router(config-router)# exit
Router1>Router(config)#
Note: On the Matrix E1, all IP interfaces are automatically enabled for RIP.

Router1>Router# show running-config
interface vlan 11
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface vlan 12
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
router rip
 network 10.1.1.0
 network 10.1.2.0
show config - Use this command to display the system configuration or write the configuration to a file.
show config [all | facility] [outfile {configs/filename}]
C3(rw)->show config all outfile configs/save_config2
C3(rw)->show config port
configure - Use this command to execute a previously downloaded configuration file stored on the device.
configure filename [append]
copy - Use this command to upload or download an image or a CLI configuration file.
copy source destination
delete - Use this command to remove an image or a CLI configuration file from the Matrix system.
delete filename
C3(su)->delete configs/Jan1_2004.cfg
Example - show file
The following example displays the contents of a text file named myfile in the public/ directory on the active CM:
matrix-x(switch-su)-> show file public/myfile
set width 150
set banner motd "no message today"
set prompt "matrix-x"
configure - This command executes a configuration file stored on the X Router or on a remote server. (Matrix X only)
configure {public | local}/filename [append]
configure standby:local/filename [append]
configure service://[username@]remote-host/path-to-remote-file [append]
configure usb:pathname
configure standby:usb:pathname
write file - This command saves the router configuration (E1 and N-Series).
- write file
Enterprise Routing
OSPF Configurations
- It is open in that its specification is in the public domain
- It is based on Dijkstra's Shortest Path First algorithm
Developed by the Interior Gateway Protocol (IGP) working group of the IETF in the mid-1980s
- RFC 2328
- RFC 1583
OSPF was created because RIP was increasingly unable to serve large, heterogeneous networks:
- Routing loops occurred with sudden topology changes
- Using the distance metric to determine reachability resulted in count-to-infinity delays
- Slow convergence
Faster convergence than distance vector algorithms
A more descriptive routing metric
- Configurable per outbound interface
- Interface value between 1 and 65,535
Equal-cost multipath
- If multiple equal-cost paths to a destination exist, the paths are inserted in the routing table
- Load balancing among the routes
Routing Hierarchy
- Routing domain can be divided into areas for ease of management and control
- Support for route summarization and aggregation by area
Security
- Simple or MD5 Authentication
The network topology must appear consistent: the link state database must be identical on all routers.
All entities in the routing domain use unique 32-bit numbers for identification:
- Routers are assigned a router ID, normally based on their IP address
- Networks use either their network ID or the IP address of a router interface on that network
- Areas are strictly administratively assigned
Routers use the OSPF Hello protocol to identify neighbors and maintain neighbor relationships. Only routers in an adjacency state are permitted to exchange link state information.
- The necessity of ensuring consistency in the LSDB prohibits simple broadcasting of route information.
- Flooding information uses a split horizon technique
In multi-access networks, a Designated Router (DR) is elected to ensure reliable distribution of LSAs.
- A Backup Designated Router (BDR) is also elected
- Each router interface belongs to only one area; therefore,
- Each network belongs to only one area
- A router may belong to multiple areas by having interfaces in different areas
- Multiple networks and router interfaces may belong to a single area
Example:
[Figure: Area 0.0.0.34 contains network 10.10.10.0/24 with router interfaces 10.10.10.1/24 and 10.10.10.2/24; Area 0.0.0.0 contains networks 20.30.20.0/24 (interfaces 20.30.20.1/24 and 20.30.20.2/24) and 50.30.20.0/24 (interface 50.30.20.2/24)]
- Internal Router: a router whose interfaces are completely contained within one OSPF area
Example:
[Figure: Area 0.0.0.0 containing network 50.30.20.0/24 and router interfaces 20.30.20.1/24, 20.30.20.2/24 and 50.30.20.2/24]
[Figure residue: Area 0.0.3.5, Area 0.0.0.12, Area 1.0.4.232 and a router labelled D; the slide's text did not survive extraction]
[Figure: Area 0.0.0.1 contains 50.0.0.0/24 and 60.0.0.0/24; Area 0.0.0.0 contains 10.0.0.0/24 and 20.0.0.0/24; Area 0.0.0.2 contains 30.0.0.0/24 and 40.0.0.0/24; router A is shown between the areas]
Seen from Area 0.0.0.1:
- Intra-Area Routes: 50.0.0.0/24, 60.0.0.0/24
- Inter-Area Routes: 10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24
Seen from Area 0.0.0.0:
- Intra-Area Routes: 10.0.0.0/24, 20.0.0.0/24
- Inter-Area Routes: 30.0.0.0/24, 40.0.0.0/24, 50.0.0.0/24, 60.0.0.0/24
Example:
- Router A has new routing information, in the form of an LSA, to flood to all on-link routers, but Router A is adjacent only to the DR and BDR, not to all on-link routers
- Router A floods an OSPF packet that includes the LSA to the DR (and BDR) by using the AllDRouters multicast address 224.0.0.6
Only DR and BDR OSPF routers listen to the AllDRouters multicast address
- The DR floods the LSA to all on-link OSPF routers by using the AllSPFRouters multicast address 224.0.0.5
- The BDR monitors the LSA flooding from the DR and will flood the LSA itself if it does not see the LSA flooded by the DR within a certain amount of time
- Note that all routing information exchange occurred over established adjacencies
[Figure: Dijkstra SPF iteration example with routers 1.1.1.3 and 1.1.1.5 and link costs; the iteration table did not survive extraction]
- Timers: Hello, Dead, Transmit Interval, Transmit Delay, SPF
- Redistribution: Static, RIP, Direct, BGP*, IS-IS*, Aggregate*, OSPF*, OSPF-ASE*
- Passive Interface
From router config mode (C2/C3):
The C2 requires an advanced license to route OSPF
- router# license advanced 140b7d4541c8812c
Create an OSPF instance
- router ospf 10
Create a router ID
- router id 5.5.5.5
From each VLAN interface (C2/C3):
Create an IP proxy-ARP default route
- ip proxy-arp default-route
Associate the VLAN to an area
- ip ospf areaid 0.0.0.0
Be sure to enable OSPF on each VLAN
- ip ospf enable
From router config mode:
Create an OSPF instance
- router ospf 10
Create an OSPF network, associate it with a subnet using a reverse (wildcard) mask, and tell it which area it is a part of.
- network 20.1.2.0 0.0.0.255 area 0.0.0.0
- network 20.1.3.0 0.0.0.255 area 1
Note: For N-Series routers, ensure that the advanced router license is installed.
Router1>Router(config)# router ospf 10
Router1>Router(config-router)# redistribute static metric 22 subnets
Router1>Router(config-router)# exit
Router1>Router(config)#
(metric 22 is the new path cost; subnets includes all subnets)
Router1>Router(config)# interface loopback 2
Router1>Router(config-if(Lpbk 2))# ip address 1.1.1.1 255.255.255.255
Router1>Router(config-if(Lpbk 2))# no shutdown
Router1>Router(config-if(Lpbk 2))# exit
Router1>Router(config)# router id 1.1.1.1
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf priority 100
Router1>Router(config-if(Vlan 12))# exit
Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 range 20.1.0.0 255.255.0.0
Router1>Router(config-router)# exit
Router1>Router(config)# router ospf 10
Router1>Router(config-router)# area 0.0.0.1 authentication simple
Router1>Router(config-router)# exit
Router1>Router(config)# interface vlan 12
Router1>Router(config-if(Vlan 12))# ip ospf authentication redsox
Router1>Router(config-if(Vlan 12))# exit
All others:
Router3(rw)->Router1(config)#router ospf 10
Router3(rw)->Router1(config-router)#area 0.0.0.2 authentication message-digest
Router3(rw)->Router1(config-router)#exit
Router3(rw)->Router1(config)#interface vlan 32
Router3(rw)->Router1(config-if(Vlan 32))#ip ospf message-digest-key 22 md5 pats05
Router3(rw)->Router1(config-if(Vlan 32))#exit
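Simple authentication (the redsox example above) places the password in the OSPF header unencrypted, while message-digest authentication keeps the key off the wire and lets a receiver reject altered or replayed packets. The following added example (not part of the course material) shows what a receiver checks on a message-digest-authenticated packet per RFC 2328 Appendix D, using key id 22 and key pats05 from this slide; the Hello body, router ID and area ID are constructed sample values.

```python
import hashlib
import hmac
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTH_CRYPTOGRAPHIC = 2      # AuType 2 = cryptographic authentication (RFC 2328, App. D)
KEY_LEN = 16                # MD5 keys are zero-padded to 16 bytes; the digest is 16 bytes
HDR_LEN = 24

def ospf_packet(body, router_id, area_id, key_id, seq, pkt_type=OSPF_HELLO):
    """Build an OSPFv2 header + body prepared for cryptographic authentication.

    With AuType 2 the checksum is 0 and the 8-byte Authentication field holds
    0 (2 bytes), Key ID (1), Auth Data Len (1), cryptographic sequence number (4).
    """
    length = HDR_LEN + len(body)
    return (struct.pack("!BBH4s4sHH", OSPF_VERSION, pkt_type, length,
                        router_id, area_id, 0, AUTH_CRYPTOGRAPHIC)
            + struct.pack("!HBBI", 0, key_id, KEY_LEN, seq) + body)

def _digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet with the padded key appended to it.
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]).digest()

def sign_packet(packet, key):
    """Sender side: append the digest; it is not counted in the header length."""
    return packet + _digest(packet, key)

def verify_packet(wire, keys, last_seq=None):
    """Receiver side: check AuType, Key ID, length, sequence number and digest.

    keys: {key_id: secret bytes}; last_seq: last accepted sequence number from
    this neighbour, or None. Returns (accepted, seq).
    """
    if len(wire) < HDR_LEN + KEY_LEN:
        return False, None
    length, autype = struct.unpack("!H", wire[2:4])[0], struct.unpack("!H", wire[14:16])[0]
    key_id, data_len, seq = wire[18], wire[19], struct.unpack("!I", wire[20:24])[0]
    if autype != AUTH_CRYPTOGRAPHIC or data_len != KEY_LEN or length + KEY_LEN != len(wire):
        return False, seq
    key = keys.get(key_id)
    if key is None:                      # unknown Key ID: drop
        return False, seq
    if last_seq is not None and seq < last_seq:
        return False, seq                # replayed or reordered packet
    packet, digest = wire[:length], wire[length:]
    return hmac.compare_digest(digest, _digest(packet, key)), seq

# Constructed sample Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
ROUTER_ID, AREA_ID = bytes([1, 1, 1, 1]), bytes([0, 0, 0, 2])   # 1.1.1.1, area 0.0.0.2
KEY_ID, KEY = 22, b"pats05"                                      # key id and key from the slide
```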
Enterprise Routing
ACL Configurations
Access Control List (ACL) Configuration
An ACL filters traffic to permit or deny on a per-packet basis. Support for inbound or outbound filtering depends on the platform.
Configuration Limits
- Only one ACL, standard or extended, may be statically applied per interface.
- An ACL can contain up to a set maximum number of rules plus the implicit deny-all rule.
- ACL rules are added to and deleted from an ACL group through CLI commands from router configuration CLI mode.
- On Matrix X, each layer 2 classification rule configured on an IOM subtracts from the total number of supported layer 3 ACLs.
Example (standard ACL):
SecureStackC2(su)->router(Config)# access-list 15 deny 172.158.12.23
Example (extended ACL):
SecureStackC2(su)->router(Config)# access-list 101 permit ip any any
Valid number values are between 100 and 199 for extended ACLs.
SecureStack C2/C3
ACLs can only be applied to packets inbound on IP interfaces. ACLs are applied to VLAN-based IP interfaces. To apply an access list to an interface, use the following commands from the router interface configuration mode:
router(Config)# interface vlan vlan-id
router(Config-if(Vlan id))# ip access-group number in
To remove an ACL from an interface:
router(Config-if(Vlan id))# no ip access-group number in
Rule changes take effect immediately.
Example:
SecureStackC2(su)->router> show access-lists
Standard IP access-list 10
1: permit 192.168.100.0 0.0.0.255
2: permit 192.168.200.0 0.0.0.255
3: permit host 192.168.30.1
4: deny 192.168.0.0 0.0.255.255
5: deny 172.16.0.0 0.0.255.255
6: permit any
Extended IP access-list 110
1: permit tcp host 10.1.2.3 eq 17 any
2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255
3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3
Depending on the product, ACLs may be applied as access groups either inbound, outbound or both.
- Example DFE Configuration:
access-list 100 permit udp 171.1.0.0 0.0.0.255 host 140.2.1.10 range 161 162
interface vlan 92
 ip address 171.1.0.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
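As an added example (not from the course material), here is a Python evaluator for the rule syntax shown in the show access-lists output and in the DFE example above: wildcard masks where a 1 bit means "don't care", the host and any shorthands, eq and range port specs, first match wins, and the implicit deny-all when no rule matches. The packets it is exercised with are constructed sample values.

```python
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)      # network 0 with an all-ones wildcard matches every address
ANY_PORT = (0, 65535)

def _addr_spec(toks):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, wildcard)
    t = toks.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(IPv4Address(toks.pop(0))), 0
    return int(IPv4Address(t)), int(IPv4Address(toks.pop(0)))

def _port_spec(toks):
    # Consume an optional 'eq N' | 'range LO HI' -> (lo, hi); default is every port
    if toks and toks[0] in ("eq", "range"):
        kind, lo = toks.pop(0), int(toks.pop(0))
        return lo, (int(toks.pop(0)) if kind == "range" else lo)
    return ANY_PORT

def parse_acl(lines):
    """Parse rule lines ('N: permit ...' or 'access-list N permit ...') in order."""
    rules = []
    for line in lines:
        toks = line.split(":", 1)[1].split() if ":" in line else line.split()
        if toks[0] == "access-list":
            toks = toks[2:]
        permit = toks.pop(0) == "permit"
        if toks[0] in ("ip", "tcp", "udp", "icmp"):       # extended: proto src [port] dst [port]
            proto = toks.pop(0)
            src, sport = _addr_spec(toks), _port_spec(toks)
            dst, dport = _addr_spec(toks), _port_spec(toks)
        else:                                             # standard: source address only
            proto, src, sport, dst, dport = "ip", _addr_spec(toks), ANY_PORT, ANY, ANY_PORT
        rules.append((permit, proto, src, sport, dst, dport))
    return rules

def _addr_ok(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                   # wildcard bit 1 = don't care, 0 = compare
    return (int(IPv4Address(ip)) & care) == (net & care)

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule decides; no match falls through to the implicit deny-all."""
    for permit, rp, sspec, srange, dspec, drange in rules:
        if (rp in ("ip", proto) and _addr_ok(sspec, src) and _addr_ok(dspec, dst)
                and srange[0] <= sport <= srange[1] and drange[0] <= dport <= drange[1]):
            return permit
    return False

# Rules copied from the show access-lists output and the DFE example on this page.
ACL_10 = parse_acl(["1: permit 192.168.100.0 0.0.0.255", "2: permit 192.168.200.0 0.0.0.255",
                    "3: permit host 192.168.30.1", "4: deny 192.168.0.0 0.0.255.255",
                    "5: deny 172.16.0.0 0.0.255.255", "6: permit any"])
ACL_110 = parse_acl(["1: permit tcp host 10.1.2.3 eq 17 any",
                     "2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255",
                     "3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3"])
ACL_100 = parse_acl(["access-list 100 permit udp 171.1.0.0 0.0.0.255 host 140.2.1.10 range 161 162"])
```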