By Tom Price
Network Foundations
What is a network?
Cabling
Ethernet (copper UTP) - used to connect PCs and servers to wall jacks/switches. 100m max distance per run. Cost efficient.
Fibre - gives much greater bandwidth than copper Ethernet and much greater distance. Used for connecting servers to switches, switch-to-switch uplinks and fast
Internet connections.
Serial - still used by ISPs to connect to a CSU/DSU. Being phased out and now uncommon.
Speed
Networks measure speed in bits per second (eg. 100Mbps); file sizes are measured in bytes.
Bit (smallest unit)
Byte (8 bits)
Kilobyte (1024 bytes)
Megabyte (1024KB)
Gigabyte (1024MB)
Terabyte (1024GB)
REMEMBER - don't confuse megabytes per second (MBps) with megabits per second (Mbps)...divide Mbps by 8 to get the MBps
speed!!
With the overhead of sending data in packets (headers, acknowledgements) the estimated time taken to save the 10MB picture in the example
would be about 10 seconds!!!
OSI Model
It is a standard architecture defining network communication providing a system to "break down" network communication.
Protocols
OSI was also an actual protocol suite and competed with TCP/IP (like VHS and Betamax!).
TCP/IP had simpler addressing and so TCP/IP was adopted as the standard.
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
Remember!!
**Please Do Not Throw Sausage Pizza Away**
Note
Routers and switches also need to be able to send bits (Layer 1).
Example
Make an online payment via Bank Website
NOTE
Switches sit at Layer 2 - Data Link.
They learn physical addresses (MAC) and forward frames only out of the port where the destination lives. Hubs worked at the physical layer, could
not learn MAC addresses and simply repeated every frame out of every port.
Routers sit at Layer 3 - Network.
They look at IP addresses and use their Routing table to decide where to send.
TCP/IP Model
The TCP/IP network model is a four-layer model. It is effectively a condensed version of the OSI model.
However, the OSI model is still the one most used for teaching and troubleshooting, as it breaks the network layers down in greater depth and gives a better
explanation of data flow.
TCP/IP Model
4 Application
3 Transport
2 Internet
1 Network Interface
Spells NITA!
Application - defines TCP/IP application protocols and how programs interface with the transport layer. Eg. HTTP, Telnet, DNS, FTP
Transport - provides session management and end-to-end transport. Eg. TCP, UDP, RTP.
Internet - packages data into IP datagrams and performs routing. Eg. IP, ICMP, ARP.
Network Interface - how data is physically sent through the network. Eg. Ethernet, Token Ring
A runt is a frame smaller than 64 bytes and a giant is a frame larger than 1518 bytes (1522 once an 802.1Q tag is added)...both are
discarded by a switch!
PC to Router Crossover
PC to Switch Straight-Through
Crossover Cables
These are commonly used to connect two hosts together. Eg. Router to Router, Switch to Switch or PC to PC.
Pin 1 to Pin 3
Pin 2 to Pin 6
Pin 3 to Pin 1
Pin 4 to Pin 7
Pin 5 to Pin 8
Etc…
Rollover/Console Cables
These are used to connect a PC to a switch/router for management purposes.
Pin 1 to Pin 8
Pin 2 to Pin 7
Pin 3 to Pin 6
Pin 4 to Pin 5
Etc…
IP Addressing
IPv4
32 bit address
Consists of four octets - 0 to 255 - eg 192.168.0.100 (In binary = 11000000.10101000.00000000.01100100 = 32 bits)
Combines with default gateway and subnet mask.
Eg.
IP Address: 192.168.0.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
PC1 (192.168.0.4) types 'ping 192.168.0.5' in command prompt. This is IP address of PC2.
This initiates an ARP request which is sent to the switch. The switch then sends this to all ports apart from the port PC1 is
connected to. PC2 with the address 192.168.0.5 sends back its MAC address using a Unicast message. PC1 then sends the actual
ping to PC2 once it knows its MAC. The switch also remembers the MAC addresses of each device and the port which they are
connected to.
MAC address - 12 hex character (48 bit or 6 byte) address (eg. 1E:4A:F0:15:6F:8D). Each hex character is 4 bits (eg. 9 = 1001). The first 3 bytes identify the
manufacturer (OUI).
These are assigned to each NIC (network interface card) at the factory, but can be changed in software, so a MAC address on its own proves nothing about who is sending.
They have to be unique on the LAN (and they should be when assigned by manufacturer!) but in theory they could be the same
on different LANs across a WAN link.
Default Gateway - is a router which takes us off our network and onto the Internet (or just another subnet within our network.)
NOTE
If the above ping was sent to a device on a different network to our own (eg. 11.25.200.46) then PC1 would have
recognised that this IP is in a different network (by ANDing it with its subnet mask) and would have sent an ARP for the MAC address of its default gateway (router) instead.
At each hop the router strips off the old MAC addresses and adds a new source MAC (its own outgoing interface) and destination MAC (the next hop).
The IP addresses in the packet never change along the way (unless NAT is in use).
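The decision PC1 makes above (is the destination on my subnet, or do I hand the packet to the gateway?) and the MAC rewrite a router performs at the next hop, as an added Python example. This is not from the original notes: the IP addresses are the ones used in the notes, the MAC addresses are made up, and a plain dict stands in for each device's ARP cache.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    """The Layer 2 header (MACs) and the Layer 3 addresses (IPs) it carries."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def arp_target(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Which IP must the sender resolve with ARP before it can send to dst_ip?

    The host ANDs its own address and the destination with the subnet mask.
    Same network part  -> ARP for the destination itself.
    Different network  -> ARP for the default gateway and hand the packet to it.
    """
    local_net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway


def needs_arp(src_ip, mask, gateway, dst_ip, arp_cache: dict) -> bool:
    """True if a broadcast ARP request has to go out before the frame can be built."""
    return arp_target(src_ip, mask, gateway, dst_ip) not in arp_cache


def host_send(src_ip, src_mac, mask, gateway, dst_ip, arp_cache: dict) -> Frame:
    """Build the frame the host puts on the wire (assumes the ARP reply has arrived)."""
    target = arp_target(src_ip, mask, gateway, dst_ip)
    if target not in arp_cache:
        raise LookupError(f"ARP request needed first: who has {target}?")
    return Frame(src_mac=src_mac, dst_mac=arp_cache[target], src_ip=src_ip, dst_ip=dst_ip)


def router_forward(frame: Frame, egress_mac: str, router_arp_cache: dict) -> Frame:
    """What the router does on the next hop: strip the old MACs and write its own
    egress MAC as source and the next hop's MAC as destination. The IP header is
    not touched (only NAT would rewrite the IP addresses)."""
    return replace(frame, src_mac=egress_mac, dst_mac=router_arp_cache[frame.dst_ip])


# Constructed addresses for the walk-through; the MACs are made up.
PC1_IP, PC1_MAC = "192.168.0.4", "00:11:22:33:44:04"
PC2_IP, PC2_MAC = "192.168.0.5", "00:11:22:33:44:05"
GW_IP, GW_LAN_MAC, GW_WAN_MAC = "192.168.0.1", "00:11:22:33:44:01", "00:11:22:33:55:01"
REMOTE_IP, REMOTE_MAC = "11.25.200.46", "00:aa:bb:cc:dd:ee"
MASK = "255.255.255.0"


def demo():
    """PC1 pings PC2 (same subnet) and then the remote host (via the gateway)."""
    pc1_cache = {PC2_IP: PC2_MAC, GW_IP: GW_LAN_MAC}   # learned from earlier ARP replies
    local = host_send(PC1_IP, PC1_MAC, MASK, GW_IP, PC2_IP, pc1_cache)
    to_gateway = host_send(PC1_IP, PC1_MAC, MASK, GW_IP, REMOTE_IP, pc1_cache)
    after_router = router_forward(to_gateway, GW_WAN_MAC, {REMOTE_IP: REMOTE_MAC})
    return local, to_gateway, after_router


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Running it shows the three frames: the local one addressed straight to PC2's MAC, the remote one addressed to the gateway's LAN MAC even though the IP destination is 11.25.200.46, and the rewritten frame after the router, where both MACs have changed and both IPs are exactly as PC1 set them.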
Assigning IP Addresses
Static
Servers, Routers, printers.
We can rename network connections to give a meaningful name (Go to Ctrl Panel -> Network Adapter -> Advanced).
DHCP
This is a server role - we define an IP address scope - eg. LAN PC's.
When PCs boot up they broadcast a DHCP Discover to find a server. DHCP uses UDP port 67 (server) and 68 (client).
We can add exclusions into scopes for any IP addresses which we may have defined statically (and also add reservations too). A
router can also be a DHCP server.
DHCP Relay
If we have lots of remote offices we can run DHCP from a central point. We can enable DHCP relay on a router to forward the DHCP
broadcasts (as unicasts) to the main office server so remote PCs can grab IP addresses. Remember...routers discard broadcasts by default
Automatic (APIPA)
Assigned when PC cannot contact DHCP server.
169.254.0.0 -> 169.254.255.255
Special Addresses
The first address of the subnet is the network ID.
The last address of a subnet is the broadcast address.
Eg.
Network ID = 192.168.1.0/24
Broadcast = 192.168.1.255
NAT is used so hosts with private addresses can still reach the Internet. It translates the private source addresses to the public IP address given
by your ISP on the way out (and back again on the way in).
Classes of Addresses
Cisco advises not having a network with >500 devices due to broadcast traffic!
Classless Addressing
This is where we can use a Class C subnet mask with a Class A network.
Eg.
Class A network - 10.0.0.0
Subnet Mask - 255.255.255.0 (This gives us 254 usable addresses per subnet)
Types of messages
Unicast - message sent to 1 device
Multicast - message sent to a group of devices (devices tune into a specific IP address in the class D range)
Broadcast - message sent to all devices
The handshake process uses sequence numbers that increment as data is sent.
Note:
The ACK number is the next sequence number the receiver expects: for a SYN (or FIN) that is the sequence number + 1, and for a data segment it is the
sequence number + the number of bytes received. Initial sequence numbers should be random...predictable ones let an attacker spoof a session.
TCP communication always starts with a 3 way handshake before any actual data is transmitted.
1. SYN
2. SYN + ACK
3. ACK
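The handshake and the seq/ack arithmetic above as an added Python example (not part of the original notes). It numbers a handshake, one data segment and its ACK the way TCP does, and includes a checker that verifies every ACK names the next byte expected from the other side; the ISNs and the payload are made up.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # e.g. "SYN", "SYN+ACK", "ACK", "PSH+ACK"
    seq: int
    ack: int
    payload: bytes = b""


def consumed(seg: Segment) -> int:
    """Sequence space a segment uses: one for SYN, one for FIN, one per data byte."""
    return len(seg.payload) + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def conversation(client_isn: int, server_isn: int, data: bytes) -> list:
    """Three-way handshake, one data segment and its ACK, numbered as TCP numbers them."""
    c, s = "client", "server"
    segs = [Segment(c, s, "SYN", client_isn, 0)]
    segs.append(Segment(s, c, "SYN+ACK", server_isn, client_isn + 1))          # ACK = ISN_c + 1
    segs.append(Segment(c, s, "ACK", client_isn + 1, server_isn + 1))         # ACK = ISN_s + 1
    segs.append(Segment(c, s, "PSH+ACK", client_isn + 1, server_isn + 1, data))
    segs.append(Segment(s, c, "ACK", server_isn + 1, client_isn + 1 + len(data)))  # ACK = seq + bytes
    return segs


def verify(segs: list) -> bool:
    """Check that every ACK names exactly the next byte expected from the other side.

    A segment whose ACK does not line up is what a host (or an IDS) would treat
    as out-of-window or spoofed.
    """
    next_expected = {}  # side -> next sequence number we expect from that side
    for seg in segs:
        if "ACK" in seg.flags and seg.ack != next_expected.get(seg.dst):
            return False
        next_expected[seg.src] = seg.seq + consumed(seg)
    return True


if __name__ == "__main__":
    # Constructed ISNs and payload; real stacks pick the ISNs randomly.
    for seg in conversation(1000, 5000, b"GET /"):
        print(f"{seg.src:>6} -> {seg.dst:<6} {seg.flags:<8} seq={seg.seq} ack={seg.ack} len={len(seg.payload)}")
```

With ISNs 1000 and 5000 the SYN+ACK acknowledges 1001, the final handshake ACK acknowledges 5001, and after five bytes of data the server acknowledges 1006, which is the "+1 for SYN, +length for data" rule in action.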
TCP Windowing
This is the process where the sender transmits several segments before waiting for an acknowledgement, to speed up a download/copy.
Eg. You'll notice when we save a large file to a file server it will initially say '10 hours' then '6 hours' etc to copy. This is because the
sending PC gradually increases the number of segments it sends at one time (slow start) until the server's advertised window says "No...that's
enough...don't send any more than that at once" (or a segment is lost)...and so the PC stops increasing the number of segments it sends at
one time. This is why the ETA always varies.
22 SSH
23 Telnet
25 SMTP
53 DNS (UDP and TCP)
80 HTTP
110 POP3
443 HTTPS
We can use port numbers to restrict access. Eg. block web access by blocking ports 80 and 443 outbound.
The ports we do want must be allowed on the firewall.
Switching
Hubs
1980's
Uses CSMA/CD - hosts listen before sending and back off to recover from collisions
Sit at the physical layer
One collision domain - every attached host shares it
Half duplex - only 1 device can transmit at any one time
No intelligence!
The hub repeats every frame out of every other port, so every host sees everyone's traffic
No security - anyone plugged into the hub can sniff all of it
Bridge
1990's
Broke network into multiple collision domains
Limited ports
Separated hubs
Learned MAC addresses (sit at layer 2)
Software based - was very slow (not ASIC based like Cisco routers/switches)
Switch
2000's
Every port is its own collision domain - eg. 24 port switch will have 24 collision domains
Full Duplex - everyone can send and receive at the same time!
ASIC based (Application Specific Integrated Circuit) - hardware based and very fast.
Varying port speeds Eg. 100Mbps, 1000Mbps
Managed, Intelligent - can configure ports, VLAN's etc
Learns MAC addresses of all connected devices
Fibre Optic
Common to connect switches together
Need an SFP module on the switch
Multi mode - wider core, cheaper optics, short runs (within a building, hundreds of metres)
Single mode - very thin core, laser optics, long runs (kilometres), more expensive
Example
When a PC pings another PC using IP address on same network
ARP broadcast (ffff.ffff.ffff is the broadcast MAC address) is sent to find out the MAC address of PC2 using its IP address.
The switch floods this out of every port except the one it came in on.
The host with the matching IP replies with its MAC address using a unicast message
Switch learns the MAC address of the sender and receiver of the ping from the source address of each frame - it stores the MAC address and
port/interface in its CAM table!
Entries in the CAM have a lifespan of 5 minutes (300 secs) by default if no further frames are seen from that MAC.
Broadcast domains
If we have several switches connected together we still only have 1 broadcast domain.
Each port would still be in its own collision domain.
Store-and-Forward Switching
The switch copies each frame into its memory and performs a CRC check (Cyclic Redundancy Check) on the FCS for errors. If a CRC error is
found then the frame is discarded. If the frame is error free then the switch forwards it out of the relevant interface.
A frame is also discarded if it is smaller than 64 bytes in length (a runt) or larger than 1518 bytes in length (a giant).
Cut-Through Switching
The switch reads only the destination MAC address, which sits in the first 6 bytes of the frame. The
switch then looks up the MAC address in its CAM table and forwards out of the relevant interface. This method reduces delay as
the frames are not checked for errors and are forwarded as soon as the MAC address is read and the outgoing interface
determined.
However, bad frames are still forwarded. The destination NIC performs the CRC, finds the frame is bad and discards it; any retransmission is
left to the upper layer (eg. TCP). The bandwidth spent carrying the bad frame is wasted and this can slow the network.
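An added Python example (not from the original notes) that behaves like the switch described in the last two sections: it learns source MACs into a CAM table, floods broadcasts and unknown destinations out of every other port, and in store-and-forward mode drops runts, giants and frames with a bad FCS before forwarding, while in cut-through mode it forwards on the first 12 bytes alone. Frames are built by hand; zlib's CRC-32 stands in for the Ethernet FCS (same polynomial, byte order simplified) and the MAC addresses are made up.

```python
import zlib
from dataclasses import dataclass, field

MIN_FRAME = 64      # anything shorter is a runt
MAX_FRAME = 1518    # anything longer is a giant (1522 once an 802.1Q tag is present)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_frame(dst: str, src: str, payload: bytes, corrupt: bool = False) -> bytes:
    """dst(6) | src(6) | type(2) | payload | FCS(4). Pads to 64 bytes like a NIC does.

    corrupt=True flips one bit AFTER the FCS was computed, i.e. damage on the wire.
    """
    body = _mac(dst) + _mac(src) + b"\x08\x00" + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    fcs = zlib.crc32(body).to_bytes(4, "little")
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + fcs


@dataclass
class Switch:
    ports: list
    mode: str = "store-and-forward"            # or "cut-through"
    cam: dict = field(default_factory=dict)    # MAC -> port

    def ingress(self, port: int, frame: bytes):
        """Return (decision, detail): ('drop', reason) or ('flood'|'forward', [ports])."""
        if self.mode == "store-and-forward":
            if len(frame) < MIN_FRAME:
                return "drop", "runt"
            if len(frame) > MAX_FRAME:
                return "drop", "giant"
            body, fcs = frame[:-4], frame[-4:]
            if zlib.crc32(body).to_bytes(4, "little") != fcs:
                return "drop", "bad-fcs"
        # Cut-through: at this point only the first 12 bytes have been read.
        dst = frame[:6].hex(":")
        src = frame[6:12].hex(":")
        self.cam[src] = port                       # learn the sender's port
        if dst == BROADCAST or dst not in self.cam:
            return "flood", [p for p in self.ports if p != port]
        return "forward", [self.cam[dst]]


if __name__ == "__main__":
    # Constructed frames between two made-up MACs on ports 1 and 2.
    sw = Switch(ports=[1, 2, 3, 4])
    ping = build_frame("00:00:00:00:00:02", "00:00:00:00:00:01", b"ping")
    print(sw.ingress(1, ping))          # unknown destination -> flood
    reply = build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", b"reply")
    print(sw.ingress(2, reply))         # destination now known -> forward to port 1
    bad = build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", b"x", corrupt=True)
    print(sw.ingress(2, bad))           # store-and-forward catches the bad FCS
    print(Switch(ports=[1, 2], mode="cut-through", cam=dict(sw.cam)).ingress(2, bad))
```

The last line is the cut-through case: the same damaged frame is forwarded to port 1 because the switch never looked past the destination MAC, so the receiving NIC is the one that has to throw it away.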
NOTE
Today's switches generally use store-and-forward; the error checking costs very little at modern port speeds.
Cisco IOS
Console Connection
Allows us to configure a Cisco device using a console cable and a terminal program eg. PuTTY
Console cable - RJ45-to-serial
Console ports are normally 'blue'
Default settings are 9600 baud, 8 data bits, no parity, 1 stop bit. NOTE - configuring the incorrect BAUD rate results in unreadable characters on screen while accessing the Cisco CLI!
Base Configuration
Console Password
Switch(config)# line console 0
Switches only have 1 console port
Switch(config-line)# password cisco
Switch(config-line)# login <- REMEMBER THIS LINE...without it the password is never asked for!
Logging Synchronous
This stops status messages from being inserted into the middle of any command we may be typing!
Switch(config)# line con 0
Switch(config-line)# logging synchronous
Management (VLAN) IP Address
A switch needs an IP address to be managed remotely. Default VLAN is VLAN 1.
We need to create a VLAN interface called an SVI (Switch Virtual Interface) .
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.1.1.10 255.255.255.0
Default Gateway
For us to manage the above switch we would need to be logged onto a PC in VLAN 1 in the same subnet.
So to manage the switch from another network we would need to configure a default gateway. If we need to do troubleshooting
from the switch (eg. ping, traceroute to another subnet) then we need this configured too.
Switch(config)# ip default-gateway 10.1.1.1
Logon Banner
We can create a banner message to be displayed for all logins.
Switch(config)# banner motd + *****CENTRESOFT NETWORK - SWITCH 1*****+
NOTE: '+' is the delimiting character...anything we type in between the + will be used as the banner!!
We could have used banner login but this only displays when there is login required/configured for the
connection.
Saving Configurations
Running config is saved in RAM...which is volatile and lost if switch is rebooted!
Startup config is stored in NVRAM...which is non volatile and safe if switch loses power!
Switch# copy running-config startup-config
OR
Switch# write memory (legacy shorthand...still accepted on most IOS, but copy running-config startup-config is the documented command)
Remote Management (SSH)
1. Configure hostname
2. Configure domain name (the RSA key pair is named after hostname.domain)
a. Switch(config)# ip domain-name nugget-lab.com
3. Generate encryption keys
a. Switch(config)# crypto key generate rsa modulus 2048
(1024-bit keys appear in older notes but are too weak today - use 2048 or more, and enable SSH version 2 only)
4. Create local user accounts (secret stores a hash rather than the reversible password form)
a. Switch(config)# username user secret cisco
5. Choose what the vty lines accept
a. Switch(config)# line vty 0 15
b. Switch(config-line)# transport input ssh telnet
(Telnet sends the username and password in clear text...drop telnet from this line to force SSH only unless you really need it)
6. Enable local logins
a. Switch(config-line)# login local
NTP Stratum - the number of hops from the reference clock. Stratum 0 is the reference clock itself (GPS, atomic clock), stratum 1 is a server directly attached to it, stratum 2 syncs from a stratum 1, and so on. Accurate time matters for correlating logs and for certificate validation.
Configuration Backups
Creating a backup
We can use TFTP to back up switch configs.
NOTE - TFTP has no authentication or encryption and the config contains passwords, SNMP strings etc...only run the TFTP server on the
management network while you need it, and remove the saved file afterwards.
1. Download and install TFTPD32 - freeware.
2. Ensure UDP port 69 inbound is allowed on the PC firewall.
3. Ensure the Everyone group has access to the save file location in TFTPD32.
4. Switch# copy running-config tftp
5. Enter the IP address of the PC you are copying the config to.
Restoring a backup
Make sure you are connected via Ethernet and the switch/router has an IP address...may need to assign one before we restore the
config (eg. assign the management IP of the switch).
1. Switch# copy tftp running-config
NOTE - copying into running-config merges with what is already there rather than replacing it; for a clean restore copy into startup-config and reload.
Port Security
Useful Commands
Switch# show port-security
o This will show us any ports with port-security enabled, their violation mode and violation counts etc…
If a port has been shut down by a violation, show interfaces status will show the port as err-disabled (show ip int brief just shows it
down/down).
o We then need to 'shutdown' and then 'no shutdown' the port to bring it back up!
Network is slow...
Its common for users to complain that the network is slow!!
This can be due to speed and duplex issues on the switch.
Switches are set to auto-detect speed and duplex but with 100Mbps switches it is always best to hard code them!
Most of the time auto-detect works fine...if both switch interface and PC network adapter are set to auto-detect.
NOTE - If we hard code either speed or duplex then we must hard code both of them!
On the Server/PC we would go into the Network Adapter settings -> Advanced and choose the Speed/duplex option and set it
there.
Finding devices
Ping the IP address of the device and then do an arp -a command to find out its MAC address.
We can then go to the switch and look the MAC address up in the MAC address table to find the port.
Switch# show mac address-table address <mac-address>
Extended Ping
o If we type ping and press enter we can then specify several other parameters. EG. Protocol, repeat count,
timeout period, datagram size.
A "Normal Switch"
Multiple collision domains (Eg. 24 port switch will have 24 collision domains)
One broadcast domain (inc. switches which are daisy chained)
One IP network subnet for all of its hosts
o Eg. 192.168.1.0/24
One failure domain
Limited security
VLAN Foundations
A VLAN logically groups users
o It can separate a switch into separate networks
It segments the broadcast domain
o Will only broadcast on its own VLAN
Offers subnet correlation
o Eg. 192.168.1.0/24 and 192.168.2.0/24
Access control
Quality of service (QoS)
o We can give VLAN's higher priority than another (eg. Voice over internet)
Can give us Layer 3 control - L3 Switch!
Switch adds a Frame tag which identifies which VLAN id the frame belongs to - these are carried over trunk links
between switches
VLAN's limit broadcast propagation!
Trunk Ports
A trunk carries all VLAN's and is used to connect switches together.
Normally set to 1Gbps ports.
Flexibility of VLAN's
Can group devices together. Eg…
o Servers in a VLAN
o Computers in a VLAN
o Phones in a VLAN
Can separate buildings/office into separate VLAN's
o Feels good and reduces broadcast traffic!
Can separate Ethernet and WiFi traffic.
Server Virtualization. Eg...
o We can setup a trunk on the interface connected to the DHCP server
o Server can then communicate with all VLAN's, devices and saves us having a server on each VLAN
Trunking is the ability to link multiple switches together and carry multiple VLANs over one link. Aka tagging.
Trunking inserts a 4-byte 802.1Q tag into each frame; 12 bits of it carry the VLAN ID (so 4094 usable VLANs).
802.1Q is the standard used to tag frames with VLAN info.
Trunking is a Layer 2 feature (Data Link).
Native VLAN
This is the VLAN used for frames that cross a trunk untagged.
Eg. CDP, and management traffic such as Telnet/SSH to the switch if the management VLAN is also the native VLAN.
The native VLAN must match on both ends of the trunk. By default the native VLAN is 1.
If the native VLANs on the two switches do not match then we have a native VLAN mismatch. Say VLAN 10 is the native VLAN on one switch
and VLAN 20 is the native VLAN on the other: untagged frames leaving switch 1 as VLAN 10 traffic arrive at switch 2 and are treated as VLAN
20 traffic...so the two VLANs leak broadcasts (and anything else untagged) into each other. That is both a loop risk and a security hole - double-tagging
attacks abuse the native VLAN too - so best practice is a dedicated, otherwise unused native VLAN with no access ports in it!!
We configure the native VLAN on trunk port.
Eg. To change the native vlan to VLAN 2…
switch(config)#int fa0/20
switch(config-if)#switchport trunk native vlan 2
Note
802.1Q does not encapsulate Ethernet frames. Instead it inserts a 4-byte tag after the destination and source MAC addresses (and recalculates the FCS)!
VTP Modes
Server (Default)
Gives the power to change VLAN info
Sends and receives VTP updates
Saves VLAN config
Client
Cannot change VLAN info - gets updates from the server
Sends and receives VTP updates
Does not save VLAN config
VLAN Pruning
This keeps unnecessary broadcast traffic off trunk links. A VLAN's traffic is only forwarded across a trunk if the switch on the other end
has active ports in that VLAN.
Enabled on a VTP server and propagated to the whole domain.
All switches taking part must be servers or clients...transparent-mode switches do not participate.
Configuring VLAN's
Reminder - we use VLAN's to separate users and devices to reduce broadcast traffic.
Useful command
We can also use the show vlan id x command to tell us what ports are tagged to that VLAN.
Switch# show vlan id 10
Note - VLANs are stored in a separate file in flash called vlan.dat. It survives a write erase, so to completely wipe the switch we
need to run the below..
Erase startup-config
Delete vlan.dat
Reload
VLAN Interfaces
On L3 switches we can create VLAN interfaces for each VLAN so they can communicate without a router.
As remember - each VLAN is a different network/subnet and we need a L3 assistant to be able to communicate.
Switch(config)# int vlan 50
Switch(config-if)# ip address 10.1.50.10 255.255.255.0
Switch(config-if)# no shutdown
We could now set the above IP as the default gateway of a PC to communicate on our network. Has to be a L3 Switch.
NOTE
Transparent mode disables VTP on that switch (it still passes VTP advertisements on to others).
A switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch...that is how a
'new' (or second-hand) switch plugged in by mistake can wipe out our VLANs, and why we disable dynamic (DTP) mode on each port so trunks
don't form on their own!
Best practice is not to use VTP and to create VLANs manually on each switch!!
Dynamic Trunking Protocol (DTP)
Dynamic Trunking Protocol negotiates trunks between two switches. When two connected ports are configured in
dynamic mode, and at least one of the ports is configured as desirable, the two switches will form a trunk across the link.
Switch(config-if)# switchport mode dynamic desirable/auto
DTP is enabled by default on all modern switches. This is bad design - anything that speaks DTP (an attacker's laptop, say) plugged into a
dynamic port could negotiate a trunk and get access to every VLAN.
Best practice is to configure all ports as access ports and then configure only the trunk ports we actually need…
However, even when a port is statically configured as an access port as above, DTP frames are still sent on it. If we set up a trunk
between two switches in different VTP domains then we would get the below error...
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.
DTP advertisements include the VTP domain name and so the trunk will not form if the VTP domain names are different. We can
kill DTP once and for all with the below command…
Routing Overview
When a packet is sent for an outside network it is sent to the router (the default gateway).
The router looks at the packet and see's that it is not for itself (by IP address) and then looks at its routing table.
It will know where to forward next due to the routes stored in its table (static, OSPF or default route etc)
Note
When packets go over a serial data link (across a WAN) they do not add the source and destination MAC Address. They use HDLC
or PPP. HDLC uses the Type field in a packet so receiving devices can see what is encapsulated. It uses L2 headers for any next
hop routers in a path.
Routers
CEF enhanced (Cisco Express Forwarding) - software based - (not ASIC based like Switches) very fast and powerful
Not as fast as switches!!
IOS is the brain-power behind the routing process
Popular model is 2800 series
Normally 1U - take up 1 space on a rack
Normally have 2 Ethernet interfaces
WIC - Wan Interface Card to receive Internet line from the outside.
'Blue' ports are console ports
Example
We have 1 router, 1 switch, 2 VLAN's (VLAN10, VLAN20)
1. Create sub-interfaces on the router, one per VLAN
o Router(config)# int fa0/0.10
2. Set the encapsulation to dot1q with the VLAN ID, so this sub-interface handles VLAN 10 traffic
o Router(config-subif)# encapsulation dot1q 10
3. Set the IP address of the sub-interface (same range as all the PCs in that VLAN - it becomes their default gateway)
a. Router(config-subif)# ip address 10.1.1.100 255.255.255.0
4. Set the interface on the switch facing the router to a trunk port, and only allow the VLANs it needs
a. Switch(config-if)# switchport mode trunk
b. Switch(config-if)# switchport trunk allowed vlan 1,10,20
VLAN Routing on Layer 3 Switch
This option is much faster than router-on-a-stick as the L3 switch has ASIC (Application Specific Integrated Circuitry) support - it routes
at wire speed, and the single trunk to the router is no longer a bottleneck.
1. Create the VLANs and VLAN interfaces (SVI - Switch Virtual Interface) on the L3 switch (all client PCs in each VLAN have
the VLAN interface IP address as their default gateway)
2. Then create a default route (0.0.0.0 etc) pointing at the router's connected interface. Make sure we have an
interface configured for the connection from the L3 switch to the router (enable ip routing globally and use no switchport on the
switch interface facing the router to make it a routed L3 port).
http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html
So...we would have the SALES VLAN 20 configured on a switch….and an interface (or sub-interface) configured on the router with IP
address 192.168.20.1 255.255.255.0 (or we would use a L3 switch with VLAN interfaces configured). The lease command defines
how long the assignment lasts before the router can reassign the IP address (lease days hours minutes). The command is
optional...the default lease is 1 day.
Any PC which is connected to a port in VLAN 20 would pick up an IP in the 192.168.20.xx range!!
Excluded Addresses
We can exclude addresses so that they are not used in any DHCP pools.
Router(config)# ip dhcp excluded-address 192.168.20.10 192.168.20.20
o This would exclude any addresses in the range 192.168.20.10 - 20!
AAA Servers
We can use a server that routers and switches authenticate logons against. This provides a central user directory,
authentication auditing and access control...much easier to manage than local accounts on every device.
We can use either a RADIUS or a TACACS+ server.
RADIUS Server
Uses UDP (ports 1812/1813; older implementations 1645/1646)
Encrypts (obfuscates) only the password in the packet...usernames and attributes travel in clear text
Combines authentication and authorization in one exchange
Is an open standard and more interoperable than TACACS+
Uses less memory and CPU cycles on routers
Offers interoperability...it's supported by everyone!
Excellent performance - very light on routers and switches
TACACS+ server
Uses TCP (port 49)
Encrypts the entire packet body
Separates Authentication, Authorization and Accounting...so it can authorize individual commands
Cisco proprietary (other implementations exist, but Cisco devices are its home)
Uses more memory than RADIUS
Offers better security than RADIUS as the whole payload is encrypted
Flexibility - TCP is much more flexible than UDP and can do much more in advanced networks
Most enterprise networks use RADIUS for user/network access (802.1X, VPN) as it is light and everything supports it; TACACS+ is the usual
choice for administering the devices themselves because of its per-command authorization!!
IP Subnetting
Binary basics
IPv4 address is a 4 octet address
Class A, B, C
A = 255.0.0.0
B = 255.255.0.0
C = 255.255.255.0
8 bits in a byte with values as below…
128 64 32 16 8 4 2 1
A bit is a 1 or 0...on or off!!
Example 1
Class C: 216.21.5.0
Hosts: 30 per network
1. Hosts = 30 = 00011110 = 5 host bits (2^5 - 2 = 30 usable)
2. Subnet mask = 255.255.255.11100000 = 255.255.255.224 (/27) - 3 bits borrowed from the host portion
3. Ranges...increment 32: 216.21.5.0 -> 216.21.5.31, 216.21.5.32 -> 216.21.5.63, etc.
4. Hosts = 32 - 2 = 30
Networks = 2^3 = 8
Example 2
Class A: 10.0.0.0
Need: 100 networks
1. Networks = 100 = 01100100 = 7 bits borrowed (2^7 = 128 networks)
2. Subnet mask = 255.11111110.0.0 = 255.254.0.0 (/15)
3. Ranges...increment 2 in the second octet: 10.0.0.0 -> 10.1.255.255, 10.2.0.0 -> 10.3.255.255, etc.
4. Hosts per network = 2^17 - 2 = 131,070
Subnet Zero
You may have noticed ip subnet-zero in the running config. The subnet zero (or zero subnet) is the first subnet
of a subnetted network (all borrowed bits set to 0); it is usable by default on modern IOS.
EG. Class B: 172.16.0.0. Need 50 hosts per network.
1. Hosts = 50 = 00110010 = 6 host bits (2^6 - 2 = 62 usable)
2. Subnet mask = 255.255.255.11000000 = 255.255.255.192 (/26)
3. Ranges...increment 64
a. 172.16.0.0 -> 172.16.0.63
b. 172.16.0.64 -> 172.16.0.127
c. 172.16.0.128 -> 172.16.0.191
d. 172.16.0.192 -> 172.16.0.255 ...and so on into 172.16.1.0
We can use several different subnet masks if we need several networks of different sizes.
We do this exactly the same way except we work out the subnet mask for the biggest network first (by number of hosts) and
then work out the next biggest etc.
Example
Network ID: 192.168.1.0/24
Number of networks = 3
Hosts per network = 60, 30, 20
Start with the largest subnet first...then work your way down in host size.
Network 1 (60 hosts)
1. 60 = 00111100 = 6 host bits
2. Mask = 255.255.255.192 (/26)
3. Inc = 64, so the range for this network is 192.168.1.0 -> 192.168.1.63
Network 2 (30 hosts)
1. 30 = 00011110 = 5 host bits
2. Mask = 255.255.255.224 (/27)
3. Inc = 32, so the range for this network is 192.168.1.64 -> 192.168.1.95...remember to carry on from where the 1st network ended…
Network 3 (20 hosts)
1. 20 = 00010100 = 5 host bits
2. Mask = 255.255.255.224 (/27)
3. Inc = 32, so the range for this network is 192.168.1.96 -> 192.168.1.127...carrying on from where the 2nd network ended…
NOTE: Variable Length Subnet Masks allow us to make more efficient use of available IP addresses.
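The subnetting steps from Example 1, Example 2, the Class B example and the VLSM example, carried out by an added Python script using the standard library ipaddress module. This is not part of the original notes; it generalises the hand method (host bits needed, mask, increment, carry on from where the last block ended) so it can be run against any network and any list of host counts, and it refuses allocations that do not fit.

```python
import ipaddress


def host_bits_for(hosts: int) -> int:
    """Smallest h with 2**h - 2 >= hosts (network ID and broadcast are not usable)."""
    h = 2
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def network_bits_for(networks: int) -> int:
    """Smallest n with 2**n >= networks (subnet zero counts as usable)."""
    n = 0
    while 2 ** n < networks:
        n += 1
    return n


def subnet_by_hosts(network: str, hosts_per_subnet: int) -> list:
    """Fixed-length subnetting driven by hosts per subnet (Example 1, Class B example)."""
    net = ipaddress.ip_network(network, strict=False)
    return list(net.subnets(new_prefix=32 - host_bits_for(hosts_per_subnet)))


def subnet_by_count(network: str, subnets_needed: int) -> list:
    """Fixed-length subnetting driven by the number of subnets (Example 2)."""
    net = ipaddress.ip_network(network, strict=False)
    return list(net.subnets(prefixlen_diff=network_bits_for(subnets_needed)))


def describe(net: ipaddress.IPv4Network) -> tuple:
    """(network ID, first usable, last usable, broadcast) as strings."""
    return (str(net.network_address), str(net.network_address + 1),
            str(net.broadcast_address - 1), str(net.broadcast_address))


def vlsm(network: str, host_counts) -> list:
    """Variable-length subnetting: largest requirement first, each block starting
    where the last one ended (aligned to its own size). Returns [(hosts, network)]."""
    net = ipaddress.ip_network(network, strict=False)
    cursor, limit = int(net.network_address), int(net.broadcast_address) + 1
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = 32 - host_bits_for(hosts)
        size = 2 ** (32 - prefix)              # the "increment"
        if cursor % size:                      # a block must start on a multiple of its size
            cursor += size - cursor % size
        if cursor + size > limit:
            raise ValueError(f"no room for a {hosts}-host subnet in {network}")
        plan.append((hosts, ipaddress.IPv4Network((cursor, prefix))))
        cursor += size
    return plan


def fits(network: str, host_counts) -> bool:
    """True if every requested subnet can be carved out of the network."""
    try:
        vlsm(network, host_counts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sub in subnet_by_hosts("216.21.5.0/24", 30):          # Example 1: 8 x /27
        print(sub, describe(sub))
    print(len(subnet_by_count("10.0.0.0/8", 100)), "subnets of", subnet_by_count("10.0.0.0/8", 100)[0])
    for hosts, sub in vlsm("192.168.1.0/24", [60, 30, 20]):   # the VLSM example
        print(hosts, "hosts ->", sub, describe(sub))
```

The alignment step is the part people get wrong by hand: after a /26 has used .0 to .63, a /27 can start at .64, but if the order were reversed (a /27 first, then a /26) the /26 would have to skip forward to the next multiple of 64, which is exactly why the notes say to start with the largest subnet.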
Purpose of Routing
Stopping broadcasts - helps reduce traffic (eg. DHCP requests, ARP requests)
Find the best possible path to a destination
Move unicast traffic between networks
o Allows PC's on different subnets to communicate directly
Static Routing
Routers have no routes out of the box!! They only know the networks directly connected to their own interfaces!!
For two routers to reach each other's networks, each has to be told about the other's networks (statically or via a routing protocol).
A default route acts as the "catch-all"...it sends any traffic the router has no more specific route for towards the Internet.
RULE - the more specific a route is (the longer the subnet mask) the better...it will be chosen first!!
Example
1. Router(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2
2. Router(config)# ip route 0.0.0.0 0.0.0.0 68.25.121.199
For a packet to 192.168.3.10 route 1 would be chosen by the router as it is more specific...its /24 mask matches more bits of the
destination than the /0 default route does. If a more specific subnet mask appears in the routing table then that route takes precedence.
USEFUL COMMAND
Show ip route
o This shows every network which the router know how to reach.
Static Routes are good for small networks with a couple of offices.
They don’t work so well for larger networks as there are more routers, networks involved and would require lots of config on
each router!
Syntax: ip route [destination network] [subnet mask] [next-hop IP or exit interface]
Routing Protocols
Routing protocols allow routers to tell connected routers about the routes they know!
"Tell your friend what you know!!"
Each router in a network tells all the other routers about its networks.
They are/offer…
Dynamic - automatically build routing table
Redundancy - can have several routes in case a path is lost...failover automatically
Best path - based on what protocol is used they can automatically determine best path (they use a metric).
RIP
Like a Fiat Punto!! Not fast!!
Sends its whole routing table to its neighbours every 30 secs (the update timer)
o ...whether anything has changed or not...not efficient!
Recovery - a route is marked invalid after 180 secs without an update and flushed after 240 secs
Metric - best path - uses hop count (number of routers in the path, max 15) - not efficient as it ignores link speed!!
Only pro is that all devices support it!
Distance vector protocol
RIPng for IPv6
IGRP
Cisco created it to replace RIP
Now obsolete - updates every 90 secs and routes invalid after 270 secs!! Replaced by EIGRP.
THIS PROTOCOL CAN BE IGNORED!!
OSPF
Open Shortest Path First
Most popular routing protocol
Like a Corvette!! Does routing very well!!
Uses Dijkstra's Algorithm!
Default hello is 10 secs (dead timer 40 secs)
o After the initial exchange it only says "Hi" to each neighbour instead of sending the whole routing table...if the topology
changes it tells its neighbours about the change only...it is efficient!!
o Metric: cost, derived from bandwidth <- prefers the fastest links!
Cost = 100 / bandwidth in Mbps (ie. 10^8 / bandwidth in bps), rounded down. Eg. a T1 at 1.544Mbps = 64; FastEthernet and above = 1 unless the reference bandwidth is raised
o Uses the lowest total cost (the fastest path)!!!
o Maintains a topology map
Link state routing protocol
OSPFv2 for IPv4
OSPFv3 for IPv6
IS-IS
Like a 1967 Corvette!!
Was OSPF's competitor - designed for the OSI protocol suite (CLNS)!!
o OSPF won in enterprises as it was built for TCP/IP
Excellent protocol!!
Mainly seen in large service provider cores...requires expertise!!
EIGRP
Like a Ferrari!!
Very fast convergence…but mostly seen on Cisco kit.
Created by Cisco for Cisco (published as RFC 7868 in 2016)...easy to configure.
Metric - composite of bandwidth and delay by default; can also include reliability and load, weighted by the 'K' values (MTU is carried but not used in the metric).
BGP
Border Gateway Protocol
Like a Hummer!! Not fast but very robust!!
Routes the Internet
Handles hundreds of thousands of routes (the full Internet table)
Not for LANs...used between ISPs and large organisations (autonomous systems)
NOTE:
We can use a mixture of each protocol in our network….if a router has learned routes via different protocols then administrative
distance is used. This tells us how believable the routing protocol is.
Administrative Distances
Each protocol has an administrative distance to tell us how believable it is!
RIP 120
IS-IS 115
OSPF 110
EIGRP 90
BGP 20 (eBGP; iBGP is 200)
Static Route 1
Connected Interface 0
Configuring OSPF
On Router 1
1. Turn on OSPF
a. R1(config)# router ospf 1
i. The 1 is the Process ID (1-65535)...just use 1! The process ID is just the same as on Windows...each
program has an ID so we can kill it via task manager etc...they don't need to match other routers and only
have local significance.
2. Tell it what interfaces to use and what networks to advertise…the command does both things!!!!
Best practice is to match the exact IP address of the interface we want to send hello packets on.
Areas must match on both ends of a link. Areas group routers so that routes can be summarized at the area border (eg. 192.168.0.0/16
instead of 192.168.1.0/24 and 192.168.2.0/24).
a. R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
i. BUT IT IS BETTER TO MATCH THE EXACT INTERFACE IP...
1. R1(config-router)# network 192.168.2.1 0.0.0.0 area 0
The wildcard bits tell us to "match the zeros and ignore the ones!!" (the opposite of a subnet mask)
The above command turns on "hello" packets on that interface and also advertises the
192.168.2.0 network to its neighbours!
On Router 2
1. Turn on OSPF
a. R2(config)# router ospf 1
2. Tell it what interfaces to use
a. R2(config-router)# network 192.168.2.2 0.0.0.0 area 0
On Router 1
1. Set interface as passive
a. R1(config-router)# passive-interface fa0/0
2. Tell it to advertise network
a. R1(config-router)# network 192.168.1.1 0.0.0.0 area 0
On Router 2
1. Set interface as passive
a. R2(config-router)# passive-interface fa0/0
2. Tell it to advertise network
a. R2(config-router)# network 192.168.3.1 0.0.0.0 area 0
**USEFUL COMMANDS**
Router ID
The router ID is the highest (loopback) IP address configured on a router (unless a router ID has been manually configured). If no
loopback IP address is set then the Router uses the highest IP address configured on its active interfaces.
Route Preference…
Be aware that a more specific subnet mask beats administrative distance!!
So... an RIP /26 learned route will beat an EIGRP /24 learned route!!!
Deny 192.168.1.0/24
The list is read from top to bottom and stops at the first match.
There is an implicit deny at the end of the list….every packet is denied unless a permit statement higher up in
the list has matched it!
An ACL can be applied to an interface inbound or outbound.
Inbound is traffic coming into the router
Outbound is the traffic coming out of the router
Extended
Matches based on source/destination IP address, protocol, source/destination port number
o Eg. TCP/IP - TCP allow, UDP deny, ICMP allow
Higher processor utilization
Syntax takes some time to learn
Apply as close to the source as possible!
Established / Reflexive
The established keyword permits return traffic (TCP segments with ACK or RST set) for connections started from our local network;
reflexive ACLs do the same job more thoroughly by creating temporary entries per session.
o Eg. A user accesses Google.com - the web page is allowed back in.
Example 1
Use a standard access list to block 10.1.1.1 from reaching 10.1.1.6 and 192.168.1.0/24.
After looking at the network diagram I can see that we need to block R3 from reaching R1. Remember standard access
lists can only filter on the source IP address - in this case 10.1.1.1. We need to go as close as possible to the destination so we are
not affecting any other network flow. In this case it will be best to create the access list on R1 and apply it on S0/0 inbound.
1. Configuration
R1(config)# access-list 1 deny host 10.1.1.1
Each line we create in an access list has a sequence number which determines the order in which rules are
evaluated. We can squeeze lines in where necessary!
Remember there is an implicit deny at the end of an access list.
We need to add a permit any statement.
R1(config)# access-list 1 permit any
This will add another step to the access list before the implicit deny!
2. Application
We need to apply the access list to S0/0 inbound on R1.
R1(config)# int s0/0
R1(config-if)# ip access-group 1 in
It is important that we apply this in the correct direction!
ALL DONE!! We have now configured and applied the access list. We would test by pinging and using telnets etc.
Example 2
Use a standard access list to block access to the 192.168.1.0/24 from 192.168.2.128/25
1. Configuration
Get as close to the destination as possible. Looking at diagram it will be best to create the access list on R1 and apply on
the Fa0/0 interface outbound.
2. Application
We need to apply the access list to Fa0/0 outbound on R1
R1(config)# int fa0/0
R1(config-if)# ip access-group 2 out
All done...we would test with pings etc to ensure all working OK!
1. Configuration
Looking at the diagram it would be most efficient to apply on R2 S0/1 outbound. We could apply on R3 S0/0 inbound but
this would be creating unnecessary network traffic.
R2(config)# ip access-list standard BLOCK_PC2_ACL
If we use the ip access-list command then we can give it a meaningful name!! A much better way to create access
lists!
R2(config-std-nacl)# deny 192.168.2.50
R2(config-std-nacl)# permit any
Remember this!!
2. Application
We need to apply to R2 S0/1 outbound.
R2(config)# int s0/1
R2(config-if)# ip access-group BLOCK_PC2_ACL out
The name is case sensitive
ALL DONE!! Again test with pings etc to ensure we have desired effect.
Remember that extended access control lists give us more flexibility and control...we can block using source/destination IP
address, protocol, source/destination port number!!
Scenario
**Assume all Ethernet ports are Fa0/0**
Example 1
Use an extended ACL to block 192.168.1.0/24 from reaching 192.168.2.128/25.
We need to apply as close to the source as possible...and so in this case it would be most efficient to apply on R1 Fa0/0
inbound!
1. Config
R1(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127
Extended access lists have a number between 100-199...or we could just use ip access-list command to create a
named access list.
Source address comes first and then destination address
R1(config)# access-list 100 permit ip any any
Remember we need the permit any statement
2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group 100 in
Example 2
Block 192.168.1.50 from reaching 192.168.2.50 on https or http.
In this case we can just edit the previous access list! We will need to insert the commands to block http and https before
the permit any statement. We can do this using the sequence number...use show ip access-list to see what sequence
number we should use.
1. Config
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80
R1(config-ext-nacl)# 12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
This will add two commands before the permit any command to block http (80) and https (443)!!
We can then run show ip access-list on R1 to see how many packets have matched (and been dropped)!
2. Application
We already applied the ACL in Example 1 :).
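Added example (not from the original notes): a small evaluator for access list 100 as built in Examples 1 and 2. It parses the entries with their sequence numbers, matches addresses with wildcard masks the way IOS does (a 1 bit means "don't care"), stops at the first match, and applies the implicit deny. The sequence numbers 10 and 20 for the two original lines are an assumption about what IOS assigned; the packets tested are constructed.

```python
import ipaddress

def _addr_spec(tok):
    # One address spec: 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard, remaining tokens)
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return int(ipaddress.ip_address(tok[1])), 0, tok[2:]
    return int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1])), tok[2:]

def _port_spec(tok):
    # Optional 'eq N' qualifier -> (port or None, remaining tokens)
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_acl(lines):
    """Parse 'seq action proto src [eq p] dst [eq p]' entries; sort by sequence number."""
    entries = []
    for line in lines:
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, src_wild, tok = _addr_spec(tok[3:])
        sport, tok = _port_spec(tok)
        dst, dst_wild, tok = _addr_spec(tok)
        dport, tok = _port_spec(tok)
        entries.append((seq, action, proto, src, src_wild, sport, dst, dst_wild, dport))
    return sorted(entries)  # IOS evaluates in sequence-number order, not entry order

def _match(addr, base, wild):
    # Wildcard mask: 1 bits are "don't care"; every 0 bit must equal the base address.
    return (int(ipaddress.ip_address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """'permit' or 'deny' for one packet: first matching entry wins, implicit deny at the end."""
    for _, action, p, s, sw, sp, d, dw, dp in acl:
        if p != "ip" and p != proto:
            continue  # 'ip' matches any protocol; 'tcp' only matches tcp
        if not (_match(src, s, sw) and _match(dst, d, dw)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"  # the implicit deny at the end of every ACL

# ACL 100 from Examples 1 and 2; 10 and 20 are assumed IOS-assigned numbers, 11/12 were inserted.
ACL_100 = parse_acl([
    "10 deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127",
    "20 permit ip any any",
    "11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80",
    "12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443",
])
```

Calling `evaluate(ACL_100, "tcp", "192.168.1.50", "192.168.2.50", 443)` returns "deny" while the same flow to port 22 returns "permit", which is the behaviour the two inserted lines are meant to produce.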
Example 3
Permit 192.168.2.0/25 to access 10.1.1.1 using only telnet and SSH.
We need to configure as close to the source and so it will be most efficient to configure and apply on R2 Fa0/0 inbound.
Telnet port is 23, SSH is 22.
1. Config
R2(config)# ip access-list extended R3_TELNET_SSH
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 22
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 23
R2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.127 host 10.1.1.1
This denies all other traffic from 192.168.2.0 as we only want to allow SSH and Telnet as per above commands!
R2(config-ext-nacl)# permit ip any any
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group R3_TELNET_SSH in
All done!! Just to confirm: the 192.168.2.0 network would still be able to access the 192.168.2.128 network...it can still go through
R3...it is simply only able to telnet and SSH to the 10.1.1.1 WAN IP address!! The 192.168.2.128 network is a completely different
subnet/network!
Example 4
Block 192.168.1.0/24 from reaching any WAN IP address.
So we need to block access to 10.1.1.x...all of the WAN links!
Apply as close to the source as possible and so it will be best to apply on R1 Fa0/0 inbound.
1. Config
R1(config)# ip access-list extended BLOCK_WAN
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.4 0.0.0.3
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.3
R1(config-ext-nacl)# permit ip any any
2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group BLOCK_WAN in
NOTE
The 192.168.1.0 will still be able to access all of the LAN networks...eg 192.168.2.0 and 192.168.2.128...which is what we want!
The network will just be unable to contact the WAN IP's directly! They can still pass through them though.
Example 5
Permit access to 192.168.2.50 using only SMTP (25), POP3(110) and IMAP(143) from anywhere.
As we do not know the source we will need to apply as close to destination as possible….so it would be most efficient to
apply on R2 Fa0/0 outbound.
1. Config
R2(config)# ip access-list extended EMAIL_FILTER_R2
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 110
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 143
R2(config-ext-nacl)# deny ip any host 192.168.2.50
This ensures no other traffic reaches 192.168.2.50 (imagine it is an email/Exchange server).
R2(config-ext-nacl)# permit ip any any
We need this command as we would have other PC's/devices on the 192.168.2.0 network and we wouldn't want to
block all traffic to these devices!
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group EMAIL_FILTER_R2 out
NOTE:
We can also use 'gt' or 'lt' instead of 'eq' if we want to match a port which is greater than or less than the port specified.
Eg.
R2(config-ext-nacl)# permit tcp any host 192.168.20.50 gt 100
This would allow all traffic to host 192.168.20.50 on a destination port greater than 100.
If we issue another show ip access -list command we will see the command has been inserted between the previous two
entries…
To remove a line from an access list we can issue the no command as follows in ACL config mode…
R2(config-ext-nacl)# no 20
This would remove just the '20 permit udp any any' line
To remove an access list completely we would issue the below command in global config mode…
R2(config)# no ip access-list extended BLOCK_TRAFFIC
NAT Concepts
Dynamic NAT
This creates one-to-one mappings.
We can have a pool of private and public addresses and do one-to-one mappings.
Eg. 10 public and 10 private IP's.
We don't save any IP addresses in this case
Used for overlapping addresses - where the same private IP address is temporarily in use in an organisation - the router sits
in between and does NAT.
Not used very often!
Static NAT
This also creates one-to-one mappings.
Eg. Used for a mail server or a web server.
o MX record (A/www record for website) points to the public IP
o On the internal router we configure it to forward port 25/80/443 traffic to the internal IP of the mail
server/web server
o Called port forwarding
NAT Configuration
Scenario
PAT
Static NAT
R1(config)# ip nat inside source static 192.168.1.51 208.53.91.7
(192.168.1.51 = IP of the server, 208.53.91.7 = public IP address)
Can add in port numbers to direct traffic to web server etc.
R1(config)# ip nat inside source static tcp 192.168.1.53 80 208.53.91.7 80
IPv6 Concepts
IPv6 Addressing
Address size moved from 32 bit (IPv4) to 128 bit (IPv6)
Provides a ridiculously high number of addresses! We could assign an IP address to each atom on the surface of the
Earth x 100!!!
Addresses are hexadecimal (0-9, A-F)
o Divided into 8 groups of 4 hex characters - each character is 4 bits in length
o EG. 2001:0050:0000:0000:0000:0AB4:1E2B:98AA
o So each group = 4 x 4 = 16 bits and the whole address = 16 x 8 = 128 bits!!
[Diagram: NETWORK (first 64 bits) FE80:0000:0000:0000 | HOST (last 64 bits) 02FE:4GFF:FE8A:CH1F]
Global Address
Same as public IPv4 address
High-order 3 bits set to 001 (2000::/3 - the leading hex digit 2 is 0010 in binary)
Global routing prefix is 48 bits or less
Global Addresses begin with 2000::/3
IANA dishes out the IP address blocks to organizations!! They decide the global routing prefix!
Example
The Subnet ID is comprised of the bits left over after the global routing prefix.
The primary addresses expected to make up the IPv6 Internet are from the 2001::/16 block.
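Added example (not from the original notes): expands and compresses the addresses used in these notes, shows the 8 x 16-bit group structure that gives 128 bits, splits a /64 address into its 64-bit network prefix and interface ID, and checks the 2000::/3 global-address rule by reading the top three bits.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # global addresses begin with 2000::/3

def expand(addr):
    """Full form: 8 groups of 4 hex digits, e.g. 2001:55::1 -> 2001:0055:0000:...:0001."""
    return ipaddress.ip_address(addr).exploded

def compress(addr):
    """Shortest form: leading zeros dropped, longest run of zero groups replaced by '::'."""
    return ipaddress.ip_address(addr).compressed

def groups(addr):
    """The eight 16-bit groups as integers; 8 groups x 16 bits = 128 bits."""
    return [int(g, 16) for g in expand(addr).split(":")]

def split_64(addr):
    """(network prefix, interface/host ID) as two 64-bit integers for a /64 address."""
    value = int(ipaddress.ip_address(addr))
    return value >> 64, value & ((1 << 64) - 1)

def top_three_bits(addr):
    """The high-order 3 bits as a string; '001' means global unicast (2000::/3)."""
    return format(int(ipaddress.ip_address(addr)) >> 125, "03b")

def is_global_unicast(addr):
    return ipaddress.ip_address(addr) in GLOBAL_UNICAST

if __name__ == "__main__":
    # Addresses from the notes plus a link-local one (FE80::/10) for contrast.
    for a in ["2001:0050:0000:0000:0000:0AB4:1E2B:98AA", "2001:55::1", "fe80::1"]:
        print(compress(a), expand(a), top_three_bits(a), is_global_unicast(a))
```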
IPv6 Configuration
Scenario
Assigning Addresses
R1(config)# int fa0/0
R1(config-if)# ipv6 address 2001:55::1/64
R1(config-if)# no shutdown
R1(config)# int s0/0
R1(config-if)# ipv6 address 2001:210:10:1::1/64
R1(config-if)# no shutdown
Verify Addresses
R1# show ipv6 int brief
R1# ping ipv6 ip-address
All done!