
CCNA

www.saigonlab.vn

Bringing a True-long Stand Vocation

Module 7: NAT and ACLs



The purpose and types of ACLs

Configure and apply ACLs

The basic operation of NAT


Lesson 1: The purpose and types of ACLs

ACL Overview
ACL Applications
Types of ACLs
ACL Operations
ACL Statement Processing
Wildcard Masking Process


Why Use ACLs?

Manage IP traffic as network access grows
Filter packets as they pass through the router


ACL Applications

Permit or deny packets moving through the router
Permit or deny vty access to or from the router
Without ACLs, all packets could be transmitted onto all parts of your network


Other ACL Uses

Special handling for traffic based on packet tests


Types of ACLs

Standard ACL
Checks source address
Generally permits or denies entire protocol suite

Extended ACL
Checks source and destination address
Generally permits or denies specific protocols


How to Identify ACLs

Standard IP lists (1-99) test conditions of all IP packets from source addresses
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports


How to Identify ACLs

Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Other ACL number ranges test conditions for other networking protocols
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name)


Testing Packets with Standard ACLs


Testing Packets with Extended ACLs


Outbound ACL Operation

(Figure: a packet arriving on the inbound interface is tested against the ACL of the outbound interface; a permit forwards it out that interface, a deny sends it to the packet discard bucket and the sender is notified)
If no ACL statement matches, discard the packet


A List of Tests: Deny or Permit

(Figure: a packet to the interface(s) in the access group is tested against each statement in turn; a match either forwards it to the destination interface(s) or sends it to the packet discard bucket)
If no match, deny all

Wildcard Bits: How to Check the Corresponding Address Bits

0 means check the value of the corresponding address bit
1 means ignore the value of the corresponding address bit


Wildcard Bits to Match a Specific IP Host Address

Check all of the address bits (match all)
Verify an IP host address, for example:
172.30.16.29 0.0.0.0 checks all of the address bits
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)

Wildcard Bits to Match Any IP Address

Test conditions: ignore all the address bits (match any)
An IP host address, for example:
Accept any address: any
Abbreviate the expression with the keyword any

Wildcard Bits to Match IP Subnets

Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24
Address and wildcard mask: 172.30.16.0 0.0.15.255
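The wildcard rules of the last four slides, worked through in code. This is an added example and not part of the course slides: a small Python module (standard library only) that applies the check/ignore bit rule, expands the host and any abbreviations, derives the 172.30.16.0 0.0.15.255 pair from the 172.30.16.0/24 to 172.30.31.0/24 range in general form, and shows what goes wrong when a subnet mask is typed where a wildcard belongs. Addresses other than those on the slides (192.168.1.x, 10.9.8.0) are constructed.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 0 bit in the wildcard means the corresponding
    address bit must match, a 1 bit means it is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must be compared
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def expand_keyword(spec: str) -> tuple:
    """Turn the slide abbreviations into an explicit (address, wildcard) pair:
    'any' -> 0.0.0.0 255.255.255.255, 'host A.B.C.D' -> A.B.C.D 0.0.0.0,
    a bare address -> the standard-ACL default wildcard 0.0.0.0."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    if len(parts) == 1:
        return parts[0], "0.0.0.0"
    raise ValueError(f"not an address specification: {spec!r}")


def wildcard_for_range(first: str, last: str) -> tuple:
    """Address/wildcard pair covering an aligned block of addresses, e.g.
    172.30.16.0 .. 172.30.31.255 (the /24s .16 through .31) -> 172.30.16.0 0.0.15.255.
    Raises if the block is not a power-of-two size starting on its own boundary."""
    lo, hi = to_int(first), to_int(last)
    span = (1 << (lo ^ hi).bit_length()) - 1        # ones wherever lo and hi differ
    if lo & span or hi != lo | span:
        raise ValueError("range is not an aligned power-of-two block")
    return to_dotted(lo), to_dotted(span)


def subnet_mask_to_wildcard(mask: str) -> str:
    """The wildcard is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return to_dotted(~to_int(mask))


def matching_hosts(acl_addr: str, wildcard: str, candidates) -> list:
    """Which of the candidate addresses a statement with this address/wildcard matches."""
    return [c for c in candidates if wildcard_matches(c, acl_addr, wildcard)]


if __name__ == "__main__":
    print(wildcard_for_range("172.30.16.0", "172.30.31.255"))
    # A subnet mask typed where a wildcard belongs inverts the intent: with
    # 192.168.1.0 255.255.255.0 only the last octet is checked, so 10.9.8.0
    # matches and 192.168.1.2 does not. (Constructed addresses.)
    hosts = ["192.168.1.2", "192.168.1.0", "10.9.8.0"]
    print(matching_hosts("192.168.1.0", "255.255.255.0", hosts))
    print(matching_hosts("192.168.1.0", "0.0.0.255", hosts))
```

The last two calls are the check worth remembering when an ACL "permits the wrong hosts": the same numbers mean opposite things as a subnet mask and as a wildcard, and subnet_mask_to_wildcard is the conversion.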

Lesson 2: Configure and apply ACLs

Implementing ACLs
Configuring Standard IP ACLs
Configuring Extended IP ACLs
Using Named ACLs
Configuring vty ACLs
Guidelines for Placing ACLs
Verifying the ACL Configuration


ACL Configuration Guidelines

ACL numbers indicate which protocol is filtered
One ACL per interface, per protocol, per direction is allowed
The order of ACL statements controls testing
The most restrictive statements go at the top of the list
The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement
ACLs must be created before applying them to interfaces
ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router


ACL Command

Step 1: Set parameters for this ACL test statement (which can be one of several statements)

Router(config)#access-list access-list-number {permit | deny} {test conditions}

Step 2: Enable an interface to use the specified ACL

Router(config-if)#{protocol} access-group access-list-number {in | out}

Standard IP lists (1-99)
Extended IP lists (100-199)

Standard IP ACL Configuration

Router(config)#access-list access-list-number {permit | deny | remark} source [mask]

Sets parameters for this list entry
IP standard ACLs use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes the entire ACL
remark lets you add a description for the ACL

Router(config-if)#ip access-group access-list-number {in | out}

Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes the ACL from the interface

Standard IP ACL - Example 1

Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all, not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out
Router(config-if)# interface ethernet 1
Router(config-if)# ip access-group 1 out

Permit my network only

Standard IP ACL - Example 2

Router(config)# access-list 1 deny 172.16.4.13 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out

Deny a specific host

Standard IP ACL - Example 3

Router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
Router(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out

Deny a specific subnet

Extended IP ACL Configuration

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Sets parameters for this list entry

Router(config-if)#ip access-group access-list-number {in | out}

Activates the extended list on an interface

Extended ACL - Example 1

Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
Router(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out

Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic

Extended ACL - Example 2

Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
Router(config)# access-list 101 permit ip any any
(implicit deny all)
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out

Deny only Telnet from subnet 172.16.4.0 out E0
Permit all other traffic
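The two extended examples and standard Example 2 above, run through a small ACL evaluator. This is an added example, not code from the course: it parses access-list statements in the form the slides use (standard and extended number ranges, host, any, and a destination eq port), then applies them top-down, first match wins, with the implicit deny when nothing matches. The packets fed to it are constructed; the statements are the slides' own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_addr)) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches every IP protocol; standard ACLs use it
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # destination "eq <port>", the only operator the slides use
    hits: int = 0                   # match counter, like the counts show access-lists reports


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], allow_bare: bool = False) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; a standard ACL may also
    give a bare address, which takes the default wildcard 0.0.0.0."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tokens.pop(0), "0.0.0.0"
    if allow_bare and not tokens:
        return first, "0.0.0.0"
    return first, tokens.pop(0)


def parse_access_list(line: str) -> Entry:
    """Parse one 'access-list N {permit|deny} ...' statement as written on the slides."""
    tokens = line.replace("Router(config)#", "").split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        src, src_wc = _parse_addr(rest, allow_bare=True)
        return Entry(action, "ip", src, src_wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
        protocol = rest.pop(0)
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        return Entry(action, protocol, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"unsupported ACL number {number}")


def matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_matches(p.src, e.src, e.src_wc):
        return False
    if not wildcard_matches(p.dst, e.dst, e.dst_wc):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; a list that matches nothing denies (the implicit deny any)."""
    for e in acl:
        if matches(e, p):
            e.hits += 1
            return e.action
    return "deny"


# The statements from Extended Example 1, Extended Example 2 and Standard Example 2.
FTP_ACL = [parse_access_list(s) for s in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
)]
TELNET_ACL = [parse_access_list(s) for s in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23",
    "access-list 101 permit ip any any",
)]
HOST_ACL = [parse_access_list(s) for s in (
    "access-list 1 deny 172.16.4.13 0.0.0.0",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
)]

if __name__ == "__main__":
    # Constructed packets
    print(evaluate(FTP_ACL, Packet("172.16.4.10", "172.16.3.5", "tcp", 21)))   # deny
    print(evaluate(FTP_ACL, Packet("172.16.4.10", "172.16.3.5", "tcp", 80)))   # permit
    print(evaluate(TELNET_ACL, Packet("172.16.4.10", "10.1.1.1", "tcp", 23)))  # deny
    print(evaluate(HOST_ACL, Packet("172.16.4.13", "10.1.1.1")))              # deny
    # A list with only a deny and no permit: everything falls to the implicit deny.
    print(evaluate([parse_access_list("access-list 1 deny 172.16.4.0 0.0.0.255")],
                   Packet("10.1.1.1", "10.2.2.2")))                           # deny
```

The hits counter on each Entry is the number to watch when an ACL is not behaving: a deny entry placed after a broader permit never accumulates hits, which is the ordering problem the guidelines slide warns about.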


Using Named IP ACL

Router(config)#ip access-list {standard | extended} name

Alphanumeric name string must be unique

Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
Router(config {std- | ext-}nacl)#no {permit | deny} {ip access list test conditions}

Permit or deny statements have no prepended number
no removes the specific test from the named ACL

Router(config-if)#ip access-group name {in | out}

Activates the named IP ACL on an interface

Filtering vty Access to a Router

Five virtual terminal lines (0 through 4)
Filter addresses that can access the router vty ports
Filter vty access originating from the router

How to Control vty Access

Set up an IP address filter with a standard ACL statement
Use line configuration mode to filter access with the access-class command
Set identical restrictions on every vty

vty Commands

Router(config)#line vty {vty# | vty-range}

Enters configuration mode for a vty or vty range

Router(config-line)#access-class access-list-number {in | out}

Restricts incoming or outgoing vty connections for addresses in the ACL

vty Access Example

Controlling Inbound Access

access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty

ACL Configuration Guidelines

The order of ACL statements is crucial
Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router
Top-down processing is important
Place the more specific test statements first

Statements cannot be rearranged or removed
Use the no access-list number command to remove the entire ACL
Exception: Named ACLs permit removal of individual statements

Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement

Where to Place IP ACLs

Place standard ACLs close to the destination
Place extended ACLs close to the source

Monitoring ACL Statements

Sw_2950#show {protocol} access-list {access-list number}

Sw_2950#show access-lists {access-list number}

wg_ro_a# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

Lesson 3: The basic operation of NAT

Introducing NAT and PAT
Translating Inside Source Addresses
Overloading an Inside Global Address
Verifying the NAT and PAT Configuration
Troubleshooting the NAT and PAT Configuration

Network Address Translation

An IP address is either local or global
Local IP addresses are seen in the inside network

Port Address Translation


Translating Inside Source Addresses


Configuring Static Translation

Router(config)#ip nat inside source static local-ip global-ip

Establishes a static translation between an inside local address and an inside global address

Router(config-if)#ip nat inside

Marks the interface as connected to the inside

Router(config-if)#ip nat outside

Marks the interface as connected to the outside

Enabling Static NAT Address Mapping Example

interface s0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2

Configuring Dynamic Translation


Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Defines a pool of global addresses to be allocated as needed

Router(config)#access-list access-list-number permit source [source-wildcard]

Defines a standard IP ACL permitting those inside local addresses that are to be translated

Router(config)#ip nat inside source list access-list-number pool name

Establishes dynamic source translation, specifying the ACL that was defined in the prior step

Dynamic Address Translation Example

ip nat pool net-208 171.69.233.209 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 1 pool net-208
!
interface serial 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 0
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255

(Figure labels: Host A 192.168.1.100, Host B 192.168.1.101, Host C 10.1.1.1, Host D 172.168.1.1, E0 192.168.1.94, S0 171.69.232.182)

Overloading an Inside Global Address


Configuring Overloading
Router(config)#access-list access-list-number permit source source-wildcard

Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)#ip nat inside source list access-list-number interface interface overload

Establishes dynamic source translation, specifying the ACL that was defined in the prior step
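Overloading as a data structure. This is an added example, not from the slides: a Python model of ip nat inside source list ... interface ... overload with a translation table keyed on protocol and port, a miss that installs a new entry, a hit that reuses one, and the drop of unsolicited inbound traffic for which no entry exists. The inside global address 172.17.38.1 and the inside hosts 192.168.4.1 and 192.168.3.1 are taken from the overloading example slide that follows; the server 10.0.0.5, the ports and the permit 192.168.0.0 0.0.255.255 ACL are constructed, and the port allocator is a simplification rather than IOS's actual behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_permit(acl_addr: str, wildcard: str) -> Callable[[str], bool]:
    """The one-line 'access-list N permit source wildcard' that selects inside local addresses."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(acl_addr)) & care
    return lambda addr: (int(ipaddress.IPv4Address(addr)) & care) == base


class PatRouter:
    """Inside source translation with overload: many inside local addresses share one
    inside global address and are told apart by the translated source port."""

    def __init__(self, inside_global: str, permitted: Callable[[str], bool]):
        self.inside_global = inside_global
        self.permitted = permitted
        # (proto, inside local, local port) -> global port
        self.outbound_table: Dict[Tuple[str, str, int], int] = {}
        # (proto, global port) -> (inside local, local port)
        self.inbound_table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.hits = 0     # packets that matched an existing translation
        self.misses = 0   # packets that had to create one

    def _free_port(self, proto: str, wanted: int) -> int:
        """Keep the original source port when it is unused on the global address;
        otherwise walk forward to the next free one (simplified allocator, not IOS's)."""
        port = wanted
        while (proto, port) in self.inbound_table:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside. Sources the ACL does not permit are forwarded untranslated."""
        if not self.permitted(f.src):
            return f
        key = (f.proto, f.src, f.sport)
        if key in self.outbound_table:
            self.hits += 1
        else:
            gport = self._free_port(f.proto, f.sport)
            self.outbound_table[key] = gport
            self.inbound_table[(f.proto, gport)] = (f.src, f.sport)
            self.misses += 1
        return Flow(f.proto, self.inside_global, self.outbound_table[key], f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Only traffic to an installed (proto, port) is translated back;
        anything else sent to the inside global address has no entry and is dropped."""
        entry = self.inbound_table.get((f.proto, f.dport))
        if f.dst != self.inside_global or entry is None:
            return None
        self.hits += 1
        local, lport = entry
        return Flow(f.proto, f.src, f.sport, local, lport)

    def show_translations(self) -> List[str]:
        """Rows in the spirit of show ip nat translations: Pro, Inside global, Inside local."""
        return [f"{proto} {self.inside_global}:{gport} {local}:{lport}"
                for (proto, local, lport), gport in sorted(self.outbound_table.items())]


if __name__ == "__main__":
    # Constructed scenario: two inside hosts both using source port 1024 to the same server.
    r = PatRouter("172.17.38.1", wildcard_permit("192.168.0.0", "0.0.255.255"))
    print(r.outbound(Flow("tcp", "192.168.4.1", 1024, "10.0.0.5", 80)))
    print(r.outbound(Flow("tcp", "192.168.3.1", 1024, "10.0.0.5", 80)))   # gets port 1025
    print(r.inbound(Flow("tcp", "10.0.0.5", 80, "172.17.38.1", 1025)))    # back to 192.168.3.1
    print("\n".join(r.show_translations()))
```

The inbound path is the security-relevant half: with no entry for a (protocol, port) pair the packet has nowhere to go, which is why an overloaded inside global address exposes nothing on the inside until an inside host has opened a conversation.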


Overloading an Inside Global Address Example

(Figure labels: 192.168.4.1, 192.168.3.1, E0, E1, S0, 172.17.38.1)

Displaying Information with show Commands

Router#show ip nat translations

Displays active translations

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router#show ip nat statistics

Displays translation statistics

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0

Sample Problem: Cannot Ping Remote Host

Remote router:
int e0
 ip address 192.168.2.1 255.255.255.0
!
int s0
 ip address 10.1.1.2 255.255.255.0
!
router rip
 network 10.0.0.0
 network 192.168.2.0

NAT router:
ip nat pool test 172.16.17.20 172.16.17.30
ip nat inside source list 1 pool test
!
int s0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
int e0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
access-list 1 permit 192.168.1.0 255.255.255.0

(Figure labels: Host A 192.168.1.2, Host B 192.168.2.2, 10.1.1.2/24, 192.168.2.1)

Solution: New Configuration

int e0
 ip address 192.168.2.1 255.255.255.0
!
int s0
 ip address 10.1.1.2 255.255.255.0
!
router rip
 network 10.0.0.1
 network 192.168.2.0

(Figure labels: Host A 192.168.1.2, Host B 192.168.2.2, 10.1.1.2/24, 192.168.2.1)

Using the debug ip nat Command

Router# debug ip nat


NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
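Turning debug ip nat output into something you can count. This is an added example, not from the course: a parser for the line format above (NAT or NAT*, s= and d= with an arrow on whichever address was rewritten, and the IP identification number in brackets) and a per-host summary run over the eight lines on this slide. Per Cisco's documentation of the command, NAT* marks a packet translated in the fast path and plain NAT the process-switched slow path, which is normal for the first packet of a conversation; the field names in the summary are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# NAT[*]: s=<src>[-><translated src>], d=<dst>[-><translated dst>] [<ip id>]
DEBUG_LINE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


@dataclass
class NatEvent:
    direction: str        # "out" when the source was rewritten, "in" when the destination was
    inside_local: str
    inside_global: str
    outside: str          # the outside host the inside host is talking to
    ip_id: int            # the IP identification field, printed in brackets
    fast_switched: bool   # True for "NAT*" (fast path), False for "NAT" (slow path)


def parse_debug_ip_nat(line: str) -> Optional[NatEvent]:
    m = DEBUG_LINE.match(line.strip())
    if not m:
        return None
    fast, ip_id = m["fast"] == "*", int(m["ipid"])
    if m["s_xlat"]:                       # s=local->global: inside host sending out
        return NatEvent("out", m["s"], m["s_xlat"], m["d"], ip_id, fast)
    if m["d_xlat"]:                       # d=global->local: reply coming back in
        return NatEvent("in", m["d_xlat"], m["d"], m["s"], ip_id, fast)
    return None


@dataclass
class HostSummary:
    inside_global: str
    packets_out: int = 0
    packets_in: int = 0
    peers: set = field(default_factory=set)
    slow_path: int = 0


def summarize(lines: List[str]) -> Dict[str, HostSummary]:
    """Per inside local host: packets sent and received through NAT, the outside hosts
    it talked to, and how many packets took the process-switched path."""
    out: Dict[str, HostSummary] = {}
    for line in lines:
        ev = parse_debug_ip_nat(line)
        if ev is None:
            continue
        h = out.setdefault(ev.inside_local, HostSummary(ev.inside_global))
        if ev.direction == "out":
            h.packets_out += 1
        else:
            h.packets_in += 1
        h.peers.add(ev.outside)
        if not ev.fast_switched:
            h.slow_path += 1
    return out


# The eight lines shown on the slide above.
SLIDE_OUTPUT = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
""".splitlines()

if __name__ == "__main__":
    for host, summary in summarize(SLIDE_OUTPUT).items():
        print(host, summary)
```

A host that shows up with packets_out but never packets_in is the quickest sign that replies are not finding their way back through the translation, which is the case the troubleshooting slides below walk through.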


Translation Not Installed in the Translation Table?

Verify that:
The configuration is correct
There are not any inbound ACLs denying the packets entry to the NAT router
The ACL referenced by the NAT command is permitting all necessary networks
There are enough addresses in the NAT pool
The router interfaces are appropriately defined as NAT inside or NAT outside

Module 8: Implement and verify WAN links

Methods for connecting to a WAN
Connecting to Remote Networks
PPP connection between Cisco routers
Frame Relay on Cisco routers
VPN Technology

Lesson 1: Methods for connecting to a WAN

What Is a Wide Area Network?
Why Are WANs Necessary?
How Is a WAN Different from a LAN?
WAN Access and the OSI Reference Model
WAN Devices
The Role of Routers in WANs
WAN Data Link Protocols
Multiplexing
WAN Communication Link Options

Wide-Area Network


Need for WANs

(Figure labels: Business Partners, Very Remote Office, Thousands of Remote Workers, Remote Office, Regional Office, Home Offices, Mobile Workers)

WANs vs. LANs

(Figure: table comparing WANs and LANs by Area and Ownership)

WAN Access and the OSI Model


WAN Devices


WAN Connection Types: Layer 1


WAN: Multiple LANs

Interfacing Between WAN Service Providers

Provider assigns connection parameters to subscriber


Serial Point-to-Point Connections

(Figure labels: Router Connections, End-User Device, DTE, CSU/DSU, DCE, Network Connections at the CSU/DSU)

Typical WAN Encapsulation Protocols: Layer 2

Multiplexing Technologies

Multiplexer
Time-Division Multiplexing (TDM)
Frequency-Division Multiplexing (FDM)
Statistical Multiplexing

WAN Link Options

(Figure labels: WAN, Dedicated, Switched)

Lesson 2: Connecting to Remote Networks

Circuit-Switched Communication Links
Public Switched Telephone Network
Integrated Services Digital Network
Packet-Switched Communication Links
X.25
Frame Relay
Asynchronous Transfer Mode and Cell Switching
DSL
Cable
Global Internet: the Largest WAN

Circuit Switching


PSTN

Local Exchange


PSTN Considerations

Advantages
Simplicity
Availability
Cost
Disadvantages
Low data rates
Relatively long connection setup time


ISDN


BRI and PRI


ISDN Considerations

Advantages
Speed
Always-on availability
Disadvantages
Limited geographic availability
Cost


Packet Switching

(Figure labels: Synchronous Serial)

WAN with X.25


Frame Relay

(Figure labels: DCE or Frame Relay Switch; Frame Relay works here)

Frame Relay Devices and Virtual Circuits


ATM and Cell Switching

(Figure labels: ATM Switch, ATM Switch, Cells)

DSL


DSL Service Types Overview

(Figure labels: Down, Up)

DSL Considerations

Advantages
Speed
Simultaneous voice and data transmission
Incremental additions
Always-on availability
Backward compatibility with analog phones
Disadvantages
Limited availability
Local phone company requirements
Security risks


Cable-Based WANs

(Figure labels: Cable Modem, Cable Headend, Cable Router with 4-port Switch)

How Cable Modems Work

(Figure labels: Coaxial Cable, Coax, Pad, Amplifier, Splitter, Tap; subscriber homes labelled Picasso, Leonard, Einstein, Rosie, Jimmy, Mom, Grandpa, Junior)

The Global Internet

Lesson 3: PPP connection between Cisco routers

HDLC Encapsulation Configuration
PPP Layered Architecture
PPP Configuration
PPP Session Establishment
PPP Authentication Protocols
PPP Authentication Configuration
Serial Encapsulation Configuration Verification
PPP Authentication Configuration Troubleshooting

HDLC Frame Format

(Figure: the two frame formats compared. Cisco HDLC uses a proprietary data field to support multiprotocol environments; standard HDLC supports only single-protocol environments)

Configuring HDLC Encapsulation


Router(config-if)#encapsulation hdlc

Enables HDLC encapsulation
Uses the default encapsulation on synchronous serial interfaces

An Overview of PPP

(Figure: multiple protocol encapsulations using NCPs in PPP)
PPP can carry packets from several protocol suites using NCP
PPP controls the setup of several link options using LCP

Layering PPP Elements

PPP = Data link with network layer services


PPP LCP Configuration Options


PPP Session Establishment

Two PPP authentication protocols: PAP and CHAP


PPP Authentication Protocols

PAP: Two-Way Handshake
(Figure: the remote router (santacruz) sends "santacruz boardwalk" to the central-site router (HQ); both routers are configured with Host name: santacruz, Password: boardwalk)
Passwords sent in clear text
Peer in control of attempts

Challenge Handshake Authentication Protocol

(Figure: remote router (santacruz) configured with Host name: santacruz, Password: boardwalk)
Hash values, not actual passwords, are sent across the link
The local router or external server is in control of attempts
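What "hash values, not passwords" means on the wire. This is an added example, not from the slides: CHAP as specified in RFC 1994, where the authenticator sends a random challenge with an identifier and the peer returns MD5(identifier || secret || challenge); the authenticator recomputes the value from its own username/password entry and compares. The names HQ and santacruz and the password boardwalk are the slides'; representing the packets as Python dicts is a simplification of the real framing, and the one-way exchange shown is simply run once in each direction when both routers authenticate each other (the "by both" seen in the debug output later).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """The side that issues challenges and holds the 'username name password password'
    entries (the HQ router in the slides)."""

    def __init__(self, name: str, users: Dict[str, str]):
        self.name = name
        self.users = users
        self.outstanding: Dict[int, bytes] = {}   # live challenges by identifier
        self.next_id = 1

    def challenge(self) -> Tuple[int, bytes, str]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)                    # fresh random challenge every time
        self.outstanding[ident] = value
        return ident, value, self.name            # the Challenge packet carries the authenticator's name

    def verify(self, ident: int, peer_name: str, response: bytes) -> bool:
        value = self.outstanding.pop(ident, None)  # one-shot: a replayed response finds no challenge
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The side being authenticated (santacruz in the slides)."""

    def __init__(self, name: str, secret: str):
        self.name = name
        self.secret = secret

    def respond(self, ident: int, value: bytes) -> Tuple[int, str, bytes]:
        return ident, self.name, chap_response(ident, self.secret, value)


def run_session(auth: ChapAuthenticator, peer: ChapPeer) -> Tuple[bool, List[dict]]:
    """One-way CHAP. Returns the outcome and everything that crossed the link."""
    wire: List[dict] = []
    ident, value, auth_name = auth.challenge()
    wire.append({"code": "Challenge", "id": ident, "value": value.hex(), "name": auth_name})
    r_ident, peer_name, resp = peer.respond(ident, value)
    wire.append({"code": "Response", "id": r_ident, "value": resp.hex(), "name": peer_name})
    ok = auth.verify(r_ident, peer_name, resp)
    wire.append({"code": "Success" if ok else "Failure", "id": ident})
    return ok, wire


if __name__ == "__main__":
    hq = ChapAuthenticator("HQ", {"santacruz": "boardwalk"})
    ok, wire = run_session(hq, ChapPeer("santacruz", "boardwalk"))
    print(ok, "boardwalk" in repr(wire))   # True False: the password never crosses the link
```

Two details carry the protocol's security properties: the challenge is consumed on first use, so a captured response is useless against the next challenge, and the comparison is constant-time so the authenticator leaks nothing about how close a wrong response was.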


Configuring PPP and Authentication Overview


Configuring PPP
Router(config-if)#encapsulation ppp

Enables PPP encapsulation


Configuring PPP Authentication


Router(config)#hostname name

Assigns a host name to your router

Router(config)#username name password password

Identifies the username and password of the remote router

Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}

Enables PAP or CHAP authentication

CHAP Configuration Example


Verifying the HDLC and PPP Encapsulation Configuration

Router# show interface s0

Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     38021 packets input, 5656110 bytes, 0 no buffer
     Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     38097 packets output, 2135697 bytes, 0 underruns
     0 output errors, 0 collisions, 6045 interface resets
     0 output buffer failures, 0 output buffers swapped out
     482 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Verifying PPP Authentication

Router# debug ppp authentication

4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from left
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from right
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from left
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from right
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up

debug ppp authentication shows successful CHAP output.

Verifying PPP Negotiation

Router# debug ppp negotiation

PPP protocol negotiation debugging is on
Router#
*Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin
*Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 00:06:36.669: BR0:1 LCP: State is Listen
*Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17
*Mar 1 00:06:37.038: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.042: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D)
*Mar 1 00:06:37.046: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15
*Mar 1 00:06:37.058: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.062: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7
*Mar 1 00:06:37.070: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15
*Mar 1 00:06:37.102: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.106: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14
*Mar 1 00:06:37.117: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.121: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D)

Lesson 4: Frame Relay on Cisco routers

Frame Relay Overview
Frame Relay Stack Layered Support
Frame Relay Terminology
Frame Relay Topologies
Reachability Issues in Frame Relay
Reachability Issue Resolution
Frame Relay Address Mapping
Frame Relay Signaling
How Service Providers Map Frame Relay DLCIs
Service Provider Frame Relay-to-ATM Interworking

Frame Relay Overview

Connections made by virtual circuits
Connection-oriented service

Frame Relay Stack

OSI Reference Model   Frame Relay
Application
Presentation
Session
Transport
Network               IP/IPX/AppleTalk, etc.
Data Link             Frame Relay
Physical              EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530

Frame Relay Terminology

(Figure labels: PVC between Router A and Router B; DLCI: 100, DLCI: 400; Local Access Loop = T1, Local Access Loop = 64 kbps)
DLCI - Data-link connection identifier
LMI - Local Management Interface

Selecting a Frame Relay Topology

Frame Relay default: NBMA


Reachability Issues with Routing Updates

Problem:
Broadcast traffic must be replicated for each active connection
Split horizon rule prevents routing updates received on an interface from being forwarded out the same interface


Resolving Reachability Issues

Split horizon can cause problems in NBMA environments
Subinterfaces can resolve split-horizon issues
Solution: A single physical interface simulates multiple logical interfaces


Frame Relay Address Mapping

Use LMI to get the locally significant DLCI from the Frame Relay switch
Use Inverse ARP to map the local DLCI to the remote router's network layer address


Frame Relay Signaling

Cisco supports three LMI standards:
Cisco
ANSI T1.617 Annex D
ITU-T Q.933 Annex A


Frame Relay Inverse ARP and LMI Signaling


Stages of Inverse ARP and LMI Operation


Configuring Basic Frame Relay


Configuring a Static Frame Relay Map


Configuring Subinterfaces

Point-to-point
Subinterfaces act like leased lines
Each point-to-point subinterface requires its own subnet
Point-to-point is applicable to hub-and-spoke topologies
Multipoint
Subinterfaces act like NBMA networks, so they do not resolve the split horizon issues
Multipoint can save address space because it uses a single subnet
Multipoint is applicable to partial mesh and full mesh topologies


Configuring Point-to-Point Subinterfaces


Multipoint Subinterfaces Configuration Example

[Diagram: multipoint subinterfaces sharing the single subnet 10.17.0.0/24; labels S2.1=10.17.0.2/24, S2.2=10.17.0.1/24, S2.1=10.17.0.3/24, S2.1=10.17.0.4/24]


Verifying Frame Relay Operation


Router# show interfaces type number

Displays information about Frame Relay DLCIs and the LMI

Router# show interfaces s0


Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>


Verifying Frame Relay Operation

Router# show frame-relay lmi [type number]

Displays LMI statistics

Router# show frame-relay lmi


LMI Statistics for interface Serial0 (Frame Relay DTE)
LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0


Verifying Frame Relay Operation


Router# show frame-relay pvc [type number [dlci]]

Displays PVC statistics

Router# show frame-relay pvc 100


PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28
output pkts 10
in bytes 8398
out bytes 1198
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 10
out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47


Verifying Frame Relay Operation


Router# show frame-relay map

Displays the current Frame Relay map entries


Router# clear frame-relay-inarp

Clears dynamically created Frame Relay maps, created by using Inverse ARP

Router# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
Router# clear frame-relay-inarp
Router# show frame map
Router#


Troubleshooting Basic Frame Relay Operations

Router# debug frame-relay lmi


Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0

Displays LMI debug information
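The two outgoing Status Enquiry frames in the debug output above (the "FR encap" value followed by the hex dump of each, 13 bytes) can be decoded by hand. The following Python is an added example, not part of the original slides and not Cisco IOS code: it parses those bytes into the DLCI, report type and keepalive sequence numbers that the debug prints, and checks that successive enquiries advance the sequence by one. The frame bytes are reconstructed from the slide; the field names and the helper functions are this example's own.

```python
from dataclasses import dataclass

# Constructed from the debug output above: the 4-byte "FR encap" value followed
# by the 9-byte hex dump (datagramsize = 13) of each outgoing Status Enquiry.
ENQUIRY_140 = bytes.fromhex("FCF10309" "007501010103028C8B")
ENQUIRY_141 = bytes.fromhex("FCF10309" "007501010103028D8C")

STATUS_ENQUIRY = 0x75  # message type; the switch answers with Status (0x7D)
IE_REPORT_TYPE = 0x01  # value 0x00 = full status, 0x01 = link integrity only
IE_KEEPALIVE = 0x03    # body = send sequence ("myseq"), receive sequence ("yourseen")

@dataclass
class LmiEnquiry:
    dlci: int
    report_type: int
    my_seq: int     # sequence number the router sends
    your_seen: int  # last sequence number it saw from the switch

def q922_dlci(addr: bytes) -> int:
    """10-bit DLCI from a 2-byte Q.922 address: 6 high bits sit in byte 0 bits 7..2,
    4 low bits in byte 1 bits 7..4 (the rest are C/R, FECN, BECN, DE and EA)."""
    return ((addr[0] >> 2) << 4) | (addr[1] >> 4)

def decode_lmi_enquiry(frame: bytes) -> LmiEnquiry:
    """Parse a Cisco-LMI Status Enquiry; raise ValueError on anything unexpected."""
    if len(frame) < 13:
        raise ValueError("frame too short for an LMI Status Enquiry")
    dlci = q922_dlci(frame[0:2])
    if dlci != 1023:  # Cisco LMI uses DLCI 1023; ANSI Annex D and ITU Annex A use 0
        raise ValueError(f"unexpected LMI DLCI {dlci}")
    # control 0x03 (UI), protocol discriminator 0x09, call reference 0x00, message type
    if frame[2] != 0x03 or frame[3] != 0x09 or frame[4] != 0x00 or frame[5] != STATUS_ENQUIRY:
        raise ValueError("not a UI frame carrying a Cisco-LMI Status Enquiry")
    report_type = my_seq = your_seen = None
    pos = 6
    while pos + 2 <= len(frame):  # information elements: id, length, body
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if ie_id == IE_REPORT_TYPE and ie_len == 1:
            report_type = body[0]
        elif ie_id == IE_KEEPALIVE and ie_len == 2:
            my_seq, your_seen = body[0], body[1]
        pos += 2 + ie_len
    if None in (report_type, my_seq, your_seen):
        raise ValueError("missing report-type or keepalive IE")
    return LmiEnquiry(dlci, report_type, my_seq, your_seen)

def keepalive_advanced(prev: LmiEnquiry, cur: LmiEnquiry) -> bool:
    """True when the router's send sequence moved on by exactly one (1..255, 0 reserved)."""
    return cur.my_seq == (1 if prev.my_seq == 255 else prev.my_seq + 1)
```

The same address decoder explains the `dlci 100(0x64,0x1840)` shown by `show frame-relay map`: 0x1840 is DLCI 100 in Q.922 form.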

Lesson 5: VPN Technology

VPN Definition
Remote Access VPNs
Site-to-Site VPNs
Tunneling Protocols: GRE
Tunneling Protocols: IPSec
Tunneling Protocols: L2F and L2TP


VPN Definition

Virtual private network (VPN): an encrypted connection between private networks over a public network such as the Internet


Remote Access VPNs


Site-to-Site VPNs

Site-to-Site VPN: an extension of the classic WAN


Tunneling Protocols: GRE (Generic Routing Encapsulation)

Cisco's multiprotocol carrier that can encapsulate IP, CLNP, IPX, AppleTalk, DECnet, and XNS inside IP tunnels
Best for site-to-site VPNs
Typically used to tunnel multicast packets such as routing protocols
Does not support data encryption or packet integrity
Encapsulates all traffic regardless of source/destination


Tunneling Protocols: IPSec (IP Security)

Most commonly used tunneling protocol with VPNs
Can be used in combination with GRE or L2TP (Layer 2 Tunneling Protocol) when there is a need to support tunneling multicast packets
Uses IKE to manage the exchange of security keys
Replay protection: prevents someone capturing packets and replaying them later to gain access
Data origin authentication: makes sure the packets are authentic
Confidentiality: encryption is used to hide the IP header of the original packet
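The replay protection bullet above is implemented in IPsec by a sliding window over each packet's sequence number (RFC 4303, section 3.4.3). The following Python is an added example, not taken from the slides or from any Cisco implementation: it models that window with the RFC's recommended width of 64 and runs a constructed packet trace through it, showing in-order, reordered, replayed and stale sequence numbers being accepted or dropped.

```python
# Added example, not from the slides or from Cisco: the sliding-window replay check
# that IPsec ESP/AH perform on each packet's 32-bit sequence number (RFC 4303 3.4.3).
class AntiReplayWindow:
    """Tracks which of the last `size` sequence numbers have been accepted.

    The sequence number is covered by the packet's integrity check, so a captured
    packet replayed later arrives with a number that is either already marked
    as seen or has fallen behind the window; both are dropped."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set means sequence (highest - i) was received

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False for a replay or a
        packet older than the window. Run this only after the ICV has verified,
        otherwise a forged sequence number could poison the window."""
        if seq == 0:
            return False                    # 0 is never a valid ESP sequence number
        if seq > self.highest:              # advance the right edge of the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1             # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                    # behind the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already accepted: replay
        self.bitmap |= 1 << offset          # late but legitimate (reordered) packet
        return True


# Constructed trace: in-order, reordered, replayed, a large jump, and a stale packet.
CONSTRUCTED_TRACE = [1, 2, 3, 5, 4, 3, 200, 130, 150, 150]

def run_trace(seqs, size: int = 64):
    """Apply one window to a list of sequence numbers; returns accept/drop per packet."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]

if __name__ == "__main__":
    for seq, ok in zip(CONSTRUCTED_TRACE, run_trace(CONSTRUCTED_TRACE)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```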


Tunneling Protocols: L2F (Layer 2 Forwarding) and L2TP (Layer 2 Tunneling Protocol)

Cisco's protocol that was used before L2TP (Layer 2 Tunneling Protocol) was established
It is not forward compatible with L2TP
L2TP is a combination of Cisco's L2F and Microsoft's PPTP (Point-to-Point Tunneling Protocol)
L2TP is used to create a media-independent, multiprotocol VPDN (Virtual Private Dial Network) which allows users to invoke corporate security policies across a VPN or VPDN link as an extension of their internal network
L2TP is good for remote-access VPNs that require multiprotocol support (or GRE)
