CCNA Review

Computer Networking

Uploaded by

Emanuel Gabriel
Copyright
© Attribution Non-Commercial (BY-NC)

Building a Simple Network

Exploring the Functions of Networking

What Is a Network?

Resource-Sharing Functions and Benefits

Data and applications
Resources
Network storage
Backup devices

Characteristics of a Network
Speed
Cost
Security
Availability
Scalability
Reliability
Topology

Building a Simple Network

OSI Layer

Why a Layered Network Model?


Reduces complexity
Standardizes interfaces
Facilitates modular engineering
Ensures interoperable technology
Accelerates evolution
Simplifies teaching and learning

The Seven Layers of the OSI Model


Data Encapsulation

Data De-Encapsulation

Peer-to-Peer Communication

Unshielded Twisted-Pair Cable

Speed and throughput: 10 to 1000 Mb/s
Average cost per node: Least expensive
Media and connector size: Small
Maximum cable length: Varies

RJ-45 Connector

UTP Implementation (Straight-Through)


Cable 10BASE-T/100BASE-TX Straight-Through
Straight-Through Cable

Pin   Label        Pin   Label
1     TX+          1     TX+
2     TX-          2     TX-
3     RX+          3     RX+
4     NC           4     NC
5     NC           5     NC
6     RX-          6     RX-
7     NC           7     NC
8     NC           8     NC

Wires on cable ends are in the same order.

UTP Implementation (Crossover)


Cable 10BASE-T or 100BASE-TX Crossover
Crossover Cable

EIA/TIA T568A (one end)    EIA/TIA T568B (other end)

Pin   Label        Pin   Label
1     TX+          1     TX+
2     TX-          2     TX-
3     RX+          3     RX+
4     NC           4     NC
5     NC           5     NC
6     RX-          6     RX-
7     NC           7     NC
8     NC           8     NC

Some wires on cable ends are crossed.

UTP Implementation: Straight-Through vs. Crossover

Using Varieties of UTP

Understanding the Data Link Layer of OSI


2007 Cisco Systems, Inc. All rights reserved.

ICND1 v1.02-23

Network Interface Card

MAC Address Components

MAC Addresses

Physical Topology Categories

IP Addressing and Subnetting

Constructing a Network Addressing Scheme

Why IP Addresses?
They uniquely identify each device on an IP network. Every host (computer, networking device, peripheral) must have a unique address.

Host ID:
Identifies the individual host
Is assigned by organizations to individual devices

IP Address Format: Dotted Decimal Notation

The binary-to-decimal and decimal-to-binary conversion will be detailed later in this course.

IP Address Classes: The First Octet

IP Address Ranges

*127 (01111111) is a Class A address reserved for loopback testing and cannot be assigned to a network.

Reserved Address

Public IP Addresses

Private IP Addresses

Class   Private Address Range
A       10.0.0.0 to 10.255.255.255
B       172.16.0.0 to 172.31.255.255
C       192.168.0.0 to 192.168.255.255

Internetworking Fundamentals


Internetwork Operating System

Cisco IOS Software

Features to carry the chosen network protocols and functions
Connectivity for high-speed traffic between devices
Security to control access and prohibit unauthorized network use
Scalability to add interfaces and capability as needed for network growth
Reliability to ensure dependable access to networked resources

External Configuration Sources

Configurations can come from many sources. Configurations will act in device memory.

Cisco IOS User Interface Functions


CLI is used to enter commands.
Operations vary on different internetworking devices.
Users type or paste entries in the console command modes.
Command modes have distinctive prompts.
The Enter key instructs the device to parse and execute the command.
The two primary EXEC modes are user mode and privileged mode.

Cisco IOS Software EXEC Mode (User)


There are two main EXEC modes for entering commands.

Cisco IOS Software EXEC Mode (Privileged)

Switch Command-Line Help Facilities

Viewing the Configuration

show running-config and show startup-config Commands

Displays the current and saved configuration

Overview of Router Modes

Accessing the Cisco IOS Device


Console
Telnet
Aux Port

Configuring Router Identification

Console-Line Commands

RouterX(config)#line console 0
RouterX(config-line)#exec-timeout 20 30

Modifies console session timeout

RouterX(config)#line console 0
RouterX(config-line)#logging synchronous

Redisplays interrupted console input

Configuring a Router Password

Configuring an Interface
RouterX(config)#interface type number
RouterX(config-if)#

type includes serial, ethernet, token ring, fddi, hssi, loopback, dialer, null, async, atm, bri, tunnel, and so on
number is used to identify individual interfaces

RouterX(config)#interface type slot/port
RouterX(config-if)#

For modular routers, selects an interface

RouterX(config-if)#exit

Quits from current interface configuration mode

Configuring an Interface Description


RouterX(config-if)# description string

string is a comment or a description to help you remember what is attached to this interface. The maximum number of characters for the string argument is 238.

Disabling or Enabling an Interface


RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

Administratively turns off an interface

RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up

Enables an interface that is administratively shut down

Configuring IP Addresses

Unique addressing allows communication between end stations.
Path choice is based on the destination address.

Saving Configurations

RouterX#
RouterX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration
RouterX#

Copies the current configuration to NVRAM

Interpreting the Interface Status

Catalyst 2960 Switch LED Indicators

Configuring the Switch


Configuration modes:

Global configuration mode
SwitchX#configure terminal
SwitchX(config)#

Interface configuration mode
SwitchX(config)#interface fa0/1
SwitchX(config-if)#

Configuring Switch Identification

Sets the local identity for the switch

Configuring the Switch IP Address


SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address {ip address} {mask}

Example:
SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address 10.5.5.11 255.255.255.0
SwitchX(config-if)#no shutdown

Note: It is necessary to use the no shutdown command to make the interface operational.

Configuring the Switch Default Gateway

SwitchX(config)#ip default-gateway {ip address}

Example:
SwitchX(config)#ip default-gateway 172.20.137.1

Saving Configurations

SwitchX#
SwitchX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration
SwitchX#

Copies the current configuration to NVRAM

Laboratory

Routing Operations

Router Operations

A router needs to do the following:
Know the destination address.
Identify the sources from which the router can learn.
Discover possible routes to the intended destination.
Select the best route.
Maintain and verify routing information.

Router Operations (Cont.)

Routers must learn destinations that are not directly connected.

Identifying Static and Dynamic Routes

Static route Uses a route that a network administrator enters into the router manually

Dynamic route Uses a route that a network routing protocol adjusts automatically for topology or traffic changes

Static Routing

Static Routes

Configure unidirectional static routes to and from a stub network to allow communications to occur.

Static Route Configuration

RouterX(config)# ip route network [mask] {address | interface} [distance] [permanent]

Defines a path to an IP destination network or subnet or host

address = IP address of the next-hop router
interface = outbound interface of the local router

Static Route Example

RouterX(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.1

or
Router(config)#ip route 172.16.1.0 255.255.255.0 s0/0/0

This is a unidirectional route. You must have a route configured in the opposite direction.

Default Routes

This route allows the stub network to reach all known networks beyond Router A.

Verifying the Static Route Configuration

RouterX# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/8 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0/0
S*   0.0.0.0/0 is directly connected, Serial0

Example

Laboratory 2
Given the topology below, configure static or default routing so that all networks are reachable.

Variable Length Subnetmasking

Variable Length Subnetmasking


Topology (figure): five LANs connected to HQ through Routers A to E, with the host counts to be accommodated:
Router A: 25 hosts
Router B: 20 hosts
Router C: 12 hosts
Router D: 9 hosts
Router E: 3 hosts

Long Method

(Figure: the plan worked out in binary, writing the network bits 192.168.5 and the subnet/host bits of each assignment.)
SN 1  LAN A  192.168.5.32   hosts .33 to .62
SN 2  LAN B  192.168.5.64   hosts .65 to .94
SN 3  LAN C  192.168.5.96   first host .97
SN 4  LAN D  192.168.5.112  hosts .113 to .126
SN 5  LAN E  192.168.5.128  hosts .129 to .134
SN 6  WAN A  192.168.5.136  hosts .137 to .138
      WAN B  192.168.5.140  hosts .141 to .142
      WAN C  192.168.5.144  hosts .145 to .146
      WAN D  192.168.5.148  hosts .149 to .150
      WAN E  192.168.5.152  hosts .153 to .154

Shortcut

Network   Hosts required   No. of host bits (m) to accommodate hosts   2^m   Network Address (prev NA + 2^m)   Prefix /(32-m)
LAN A     25               5                                           32    192.168.5.32                      /27
LAN B     20               5                                           32    192.168.5.64                      /27
LAN C     12               4                                           16    192.168.5.96                      /28
LAN D     9                4                                           16    192.168.5.112                     /28
LAN E     3                3                                           8     192.168.5.128                     /29
WAN A     2                2                                           4     192.168.5.136                     /30
WAN B     2                2                                           4     192.168.5.140                     /30
WAN C     2                2                                           4     192.168.5.144                     /30
WAN D     2                2                                           4     192.168.5.148                     /30
WAN E     2                2                                           4     192.168.5.152                     /30

Resulting addressing (figure):
Router A: 25 hosts on 192.168.5.32/27; WAN A link to HQ 192.168.5.136/30
Router B: 20 hosts on 192.168.5.64/27; WAN B link to HQ 192.168.5.140/30
Router C: 12 hosts on 192.168.5.96/28; WAN C link to HQ 192.168.5.144/30
Router D: 9 hosts on 192.168.5.112/28; WAN D link to HQ 192.168.5.148/30
Router E: 3 hosts on 192.168.5.128/29; WAN E link to HQ 192.168.5.152/30

Seatwork

A Class C network 192.168.100.0/24 is assigned. You need to create an IP plan for this network using VLSM. Please fill out the VLSM table.

Network   Hosts required   No. of host bits (m) to accommodate hosts   2^m   Network Address (prev NA + 2^m)   Prefix /(32-m)
LAN A     50
LAN B     27
LAN C     12
LAN D     12
WAN E     2
WAN F     2
WAN G     2
WAN H     2
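The shortcut table is a small algorithm: sort the requirements largest first, pick the smallest m with 2^m - 2 >= hosts, hand out a block of 2^m addresses, and start the next subnet at the previous network address plus 2^m. The Python script below is an added example, not part of the course material; it reproduces the page's table from its host counts (starting at 192.168.5.32, as the table does) and also accepts the seatwork's host list for 192.168.100.0/24.

```python
import ipaddress

# Constructed from the page's VLSM example: (name, hosts required), largest first.
PAGE_REQUIREMENTS = [
    ("LAN A", 25), ("LAN B", 20), ("LAN C", 12), ("LAN D", 9), ("LAN E", 3),
    ("WAN A", 2), ("WAN B", 2), ("WAN C", 2), ("WAN D", 2), ("WAN E", 2),
]

# Host counts from the seatwork on the 192.168.100.0/24 network.
SEATWORK_REQUIREMENTS = [
    ("LAN A", 50), ("LAN B", 27), ("LAN C", 12), ("LAN D", 12),
    ("WAN E", 2), ("WAN F", 2), ("WAN G", 2), ("WAN H", 2),
]


def host_bits(hosts: int) -> int:
    """Smallest m such that 2**m - 2 >= hosts (network and broadcast are not usable).

    Never returns less than 2: a /30 is the smallest subnet with usable host addresses.
    """
    m = 2
    while (1 << m) - 2 < hosts:
        m += 1
    return m


def vlsm_plan(parent: str, start: str, requirements):
    """Allocate one subnet per requirement inside `parent`, largest first.

    `start` is the first network address handed out (the page's table begins at
    192.168.5.32 rather than at the start of the /24).  Each subnet is 2**m
    addresses long and the next network address is the previous one plus 2**m,
    exactly as in the shortcut table.  Returns one dict per subnet.
    """
    parent_net = ipaddress.ip_network(parent)
    addr = int(ipaddress.ip_address(start))
    plan = []
    # sorted() is stable, so equal-sized requirements keep the order given.
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        m = host_bits(hosts)
        block = 1 << m
        # A network address must be a multiple of its block size; pad forward if
        # the caller's start address or an unsorted list leaves us misaligned.
        if addr % block:
            addr += block - addr % block
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{32 - m}")
        if not net.subnet_of(parent_net):
            raise ValueError(f"{name}: {net} does not fit inside {parent_net}")
        plan.append({
            "name": name,
            "hosts": hosts,
            "host_bits": m,
            "size": block,
            "network": str(net.network_address),
            "prefix": net.prefixlen,
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
        })
        addr += block
    return plan


def as_cidr(plan):
    """Compact view of a plan: ['192.168.5.32/27', ...] in allocation order."""
    return [f"{s['network']}/{s['prefix']}" for s in plan]


if __name__ == "__main__":
    for s in vlsm_plan("192.168.5.0/24", "192.168.5.32", PAGE_REQUIREMENTS):
        print(f"{s['name']:6} {s['hosts']:3} hosts  m={s['host_bits']}  2^m={s['size']:3}  "
              f"{s['network']}/{s['prefix']}  usable {s['first_host']} - {s['last_host']}")
```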

Enabling RIP

What Is a Routing Protocol?

Routing protocols are used between routers to determine paths and maintain routing tables. After the path is determined, a router can route a routed protocol.

Autonomous Systems: Interior or Exterior Routing Protocols

An autonomous system is a collection of networks under a common administrative domain.

IGPs operate within an autonomous system.


EGPs connect different autonomous systems.

Classes of Routing Protocols

Administrative Distance: Ranking Routes

Classful Routing Protocol


Classful routing protocols do not include the subnet mask with the route advertisement.
Within the same network, consistency of the subnet masks is assumed.
Summary routes are exchanged between foreign networks.

These are examples of classful routing protocols:
RIPv1
IGRP

Classless Routing Protocol


Classless routing protocols include the subnet mask with the route advertisement.
Classless routing protocols support a variable-length subnet mask (VLSM).
Summary routes can be manually controlled within the network.

These are examples of classless routing protocols:
RIPv2
EIGRP
OSPF
IS-IS

Distance Vector Routing Protocols

Routers pass periodic copies of their routing table to neighboring routers and accumulate distance vectors.

Sources of Information and Discovering Routes

Routers discover the best path to destinations from each neighbor.

RIP Overview

Maximum is 16 equal-cost paths (default = 4)
Hop-count metric selects the path
Routes update every 30 seconds

RIPv1 and RIPv2 Comparison

                                               RIPv1        RIPv2
Routing protocol                               Classful     Classless
Supports variable-length subnet mask?          No           Yes
Sends the subnet mask along with the update?   No           Yes
Addressing type                                Broadcast    Multicast
Defined in                                     RFC 1058     RFCs 1721, 1722, and 2453
Supports manual route summarization?           No           Yes
Authentication support?                        No           Yes

IP Routing Configuration Tasks

Router configuration:
Select routing protocols
Specify networks or interfaces

RIP Configuration
RouterX(config)# router rip

Starts the RIP routing process


RouterX(config-router)# version 2

Enables RIP version 2

RouterX(config-router)# network network-number

Selects participating attached networks

Requires a major classful network number

RIP Configuration Example

Verifying the RIP Configuration

RouterA# show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 6 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
    Serial0/0/2           2     2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.1.2             120      00:00:25
  Distance: (default is 120)
RouterA#

Displaying the IP Routing Table

RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
       T - traffic engineered route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, fastethernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial0/0/2
C       10.1.1.0 is directly connected, Serial0/0/2
R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial0/0/2

debug ip rip Command

RouterA# debug ip rip
RIP protocol debugging is on
RouterA#
00:06:24: RIP: received v1 update from 10.1.1.2 on Serial0/0/2
00:06:24:      10.2.2.0 in 1 hops
00:06:24:      192.168.1.0 in 2 hops
00:06:33: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (172.16.1.1)
00:06:34:      network 10.0.0.0, metric 1
00:06:34:      network 192.168.1.0, metric 3
00:06:34: RIP: sending v1 update to 255.255.255.255 via Serial0/0/2 (10.1.1.1)
00:06:34:      network 172.16.0.0, metric 1

Configuring OSPF

Link-State Routing Protocols

After an initial flood of LSAs, link-state routers pass small, event-triggered link-state updates to all other routers.

OSPF Overview
Creates a neighbor relationship by exchanging hello packets
Propagates LSAs rather than routing table updates
  Link: Router interface
  State: Description of an interface and its relationship to neighboring routers
Floods LSAs to all OSPF routers in the area, not just directly connected routers
Pieces together all the LSAs generated by the OSPF routers to create the OSPF link-state database
Uses the SPF algorithm to calculate the shortest path to each destination and places it in the routing table

Benefits and Drawbacks of Link-State Routing


Benefits of link-state routing:
Fast convergence: Changes are reported immediately by the affected source
Robustness against routing loops:
  Routers know the topology
  Link-state packets are sequenced and acknowledged
Hierarchical network design enables optimization of resources

Drawbacks of link-state routing:
Significant demands for resources:
  Memory (three tables: adjacency, topology, forwarding)
  CPU (Dijkstra's algorithm can be intensive, especially when there are many instabilities)
Requires very strict network design
Configuration can be complex when tuning various parameters and when the design is complex

OSPF Hierarchical Routing

Consists of areas and autonomous systems Minimizes routing update traffic

SPF Algorithm


Places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost

Cost = Reference Bandwidth / Interface Bandwidth (b/s)

Configuring Single-Area OSPF


RouterX(config)# router ospf process-id

Defines OSPF as the IP routing protocol

RouterX(config-router)# network address wildcard-mask area area-id

Assigns networks to a specific OSPF area

Configuring Loopback Interfaces

Router ID:
Number by which the router is known to OSPF
Default: The highest IP address on an active interface at the moment of OSPF process startup
Can be overridden by a loopback interface: Highest IP address of any active loopback interface
Can be set manually using the router-id command

Verifying the OSPF Configuration


RouterX# show ip protocols

Verifies that OSPF is configured

RouterX# show ip route

Displays all the routes learned by the router

RouterX# show ip route
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived,
       C - connected, S - static, E - EGP derived, B - BGP derived,
       E2 - OSPF external type 2 route, N1 - OSPF NSSA external type 1 route,
       N2 - OSPF NSSA external type 2 route

Gateway of last resort is 10.119.254.240 to network 10.140.0.0

O     10.110.0.0 [110/5] via 10.119.254.6, 0:01:00, Ethernet2
O IA  10.67.10.0 [110/10] via 10.119.254.244, 0:02:22, Ethernet2
O     10.68.132.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O     10.130.0.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O E2  10.128.0.0 [170/10] via 10.119.254.244, 0:02:22, Ethernet2
...

Verifying the OSPF Configuration (Cont.)


RouterX# show ip ospf

Displays the OSPF router ID, timers, and statistics

RouterX# show ip ospf
Routing Process "ospf 50" with ID 10.64.0.2
<output omitted>
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
    Area BACKBONE(0)
        Area has no authentication
        SPF algorithm last executed 00:01:25.028 ago
        SPF algorithm executed 7 times
<output omitted>

Verifying the OSPF Configuration (Cont.)


RouterX# show ip ospf interface

Displays the area ID and adjacency information

RouterX# show ip ospf interface ethernet 0
Ethernet 0 is up, line protocol is up
  Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0
  AS 201, Router ID 192.168.99.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State OTHER, Priority 1
  Designated Router id 192.168.254.10, Interface address 192.168.254.10
  Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28
  Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5
    Hello due in 0:00:05
  Neighbor Count is 8, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.254.28 (Backup Designated Router)
    Adjacent with neighbor 192.168.254.10 (Designated Router)

Verifying the OSPF Configuration (Cont.)


RouterX# show ip ospf neighbor

Displays the OSPF neighbor information on a per-interface basis

RouterX# show ip ospf neighbor
ID              Pri  State         Dead Time  Address         Interface
10.199.199.137  1    FULL/DR       0:00:31    192.168.80.37   FastEthernet0/0
172.16.48.1     1    FULL/DROTHER  0:00:33    172.16.48.1     FastEthernet0/1
172.16.48.200   1    FULL/DROTHER  0:00:33    172.16.48.200   FastEthernet0/1
10.199.199.137  5    FULL/DR       0:00:33    172.16.48.189   FastEthernet0/1

OSPF debug Commands

RouterX# debug ip ospf events
OSPF: hello with invalid timers on interface Ethernet0
  hello interval received 10 configured 10
  net mask received 255.255.255.0 configured 255.255.255.0
  dead interval received 40 configured 30

RouterX# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117
      aid:0.0.0.0 chk:6AB2 aut:0 auk:
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

Laboratory

OSPF Authentication
OSPF supports two types of authentication:
Plaintext (or simple) password authentication
MD5 authentication

The router generates and checks every OSPF packet.
The router authenticates the source of each routing update packet that it receives.
Configure a key (password); each participating neighbor must have the same key configured.

Configuring OSPF Plaintext Password Authentication


RouterX(config-if)# ip ospf authentication-key password

Assigns a password to use with neighboring routers

RouterX(config-if)# ip ospf authentication [message-digest | null]

Specifies the authentication type for an interface (as of Cisco IOS Release 12.0)

OR

RouterX(config-router)# area area-id authentication [message-digest]

Specifies the authentication type for an area

Plaintext Password Authentication Configuration Example

Implementing EIGRP

EIGRP Implementation


EIGRP Features

Advanced distance vector
Flexible network design
Rapid convergence
Multicast and unicast instead of broadcast address
100% loop-free classless routing
Support for VLSM and discontiguous subnets
Easy configuration
Manual summarization at any point in the internetwork
Incremental updates
Load balancing across equal- and unequal-cost pathways
Support for multiple network layer protocols

EIGRP Tables

EIGRP Path Calculation (Router C)

EIGRP Configuration
RouterX(config)# router eigrp autonomous-system
RouterX(config-router)# network network-number

EIGRP and Discontiguous Networks Default Scenario Configuration

EIGRP, by default, does not advertise subnets and, therefore, cannot support discontiguous subnets.

EIGRP and Discontiguous Networks with no auto-summary

EIGRP with the no auto-summary parameter can advertise subnets and, therefore, can support discontiguous subnets.

Verifying the EIGRP Configuration


RouterX# show ip route eigrp

Displays the current EIGRP entries in the routing table

RouterX# show ip protocols

Displays the parameters and current state of the active process

RouterX# show ip eigrp interfaces

Displays information about interfaces configured for EIGRP

RouterX# show ip eigrp interfaces
IP EIGRP interfaces for process 109
                  Xmit Queue   Mean   Pacing Time   Multicast   Pending
Interface  Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer  Routes
Di0          0        0/0         0       11/434         0          0
Et0          1        0/0       337        0/10          0          0
SE0:1.16     1        0/0        10        1/63         103         0
Tu0          1        0/0       330        0/16          0          0

Verifying the EIGRP Configuration (Cont.)


RouterX# show ip eigrp neighbors [detail]

Displays the neighbors discovered by IP EIGRP

RouterX# show ip eigrp neighbors
IP-EIGRP Neighbors for process 77
Address         Interface   Holdtime  Uptime    Q      Seq   SRTT   RTO
                            (secs)    (h:m:s)   Count  Num   (ms)   (ms)
172.16.81.28    Ethernet1   13        0:00:41   0      11    4      20
172.16.80.28    Ethernet0   14        0:02:01   0      10    12     24
172.16.80.31    Ethernet0   12        0:02:02   0      4     5      20

Verifying the EIGRP Configuration (Cont.)


RouterX# show ip eigrp topology [all]

Displays the IP EIGRP topology table

RouterX# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776
         via 172.16.80.28 (46251776/46226176), Ethernet0
         via 172.16.81.28 (46251776/46226176), Ethernet1
         via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200
         via Connected, Ethernet1
         via 172.16.81.28 (307200/281600), Ethernet1
         via 172.16.80.28 (307200/281600), Ethernet0
         via 172.16.80.31 (332800/307200), Serial0

Without the [all] parameter, shows successors and feasible successors

EIGRP Load Balancing


By default, EIGRP does equal-metric load balancing:
By default, up to four routes with a metric equal to the minimum metric are installed in the routing table.
There can be up to 16 entries in the routing table for the same destination: the number of entries is configurable with the maximum-paths command.

EIGRP Unequal-Cost Load Balancing


RouterX(config-router)# variance multiplier
Allows the router to load-balance across routes with a metric smaller than the multiplier value times the minimum metric route to that destination.

The default variance is 1, which means equal-cost load balancing.

Variance Example

Router E chooses router C to route to network 172.16.0.0 because it has the lowest feasible distance of 20. With a variance of 2, router E also chooses router B to route to network 172.16.0.0 (20 + 10 = 30) < [2 * (FD) = 40]. Router D is not considered to route to network 172.16.0.0 (because 25 > 20).
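Two separate checks decide what the variance example shows: the feasibility condition (a neighbor's reported distance must be below the successor's FD, which is why Router D is out at 25 > 20) and the variance itself (total metric below variance times FD, which is why Router B is in at 30 < 40). The following Python script is an added example, not from the course; the page gives only the sums, so the split of each path into reported distance plus link cost, and Router D's link cost, are assumptions and do not change the result.

```python
from typing import Dict, List, NamedTuple


class Path(NamedTuple):
    neighbor: str
    reported_distance: int  # the neighbor's own metric to the destination (RD, also called AD)
    link_cost: int          # metric of the link from this router to that neighbor

    @property
    def total_metric(self) -> int:
        return self.reported_distance + self.link_cost


# Constructed from the page's variance example: Router E's candidates for 172.16.0.0.
# The page gives C's FD as 20, B's metric as 20 + 10 = 30 and D's reported distance as 25.
# The split of C's 20 into 10 + 10, of B's 30 into RD 10 + link 20, and D's link cost of 20
# are assumptions for this example; they do not change which paths are installed.
ROUTER_E_PATHS = [
    Path("Router C", reported_distance=10, link_cost=10),
    Path("Router B", reported_distance=10, link_cost=20),
    Path("Router D", reported_distance=25, link_cost=20),
]


def feasible_distance(paths: List[Path]) -> int:
    """FD is the lowest total metric to the destination, i.e. the successor's metric."""
    return min(p.total_metric for p in paths)


def classify(paths: List[Path], variance: int = 1, max_paths: int = 4) -> Dict[str, str]:
    """Apply EIGRP's two checks to every candidate and return {neighbor: verdict}.

    1. Feasibility condition: RD must be strictly lower than the FD; otherwise the
       path might loop back through this router and is not a feasible successor.
    2. Variance: a feasible successor is installed only if its total metric is
       lower than variance * FD.  variance 1 therefore allows equal-cost paths only.
    """
    fd = feasible_distance(paths)
    installed = 0
    verdict: Dict[str, str] = {}
    for p in sorted(paths, key=lambda p: p.total_metric):
        if p.reported_distance >= fd:
            verdict[p.neighbor] = "rejected: RD %d >= FD %d" % (p.reported_distance, fd)
            continue
        if p.total_metric == fd:
            kind = "successor"
        elif p.total_metric < variance * fd:
            kind = "feasible successor, installed (%d < %d * %d)" % (p.total_metric, variance, fd)
        else:
            verdict[p.neighbor] = "feasible successor, not installed (%d >= %d * %d)" % (
                p.total_metric, variance, fd)
            continue
        if installed >= max_paths:   # the maximum-paths limit still applies
            verdict[p.neighbor] = "feasible successor, exceeds maximum-paths %d" % max_paths
            continue
        installed += 1
        verdict[p.neighbor] = kind
    return verdict


def installed_paths(paths: List[Path], variance: int = 1, max_paths: int = 4) -> List[str]:
    """Neighbors whose routes are placed in the routing table, best metric first."""
    return [n for n, v in classify(paths, variance, max_paths).items()
            if v == "successor" or v.startswith("feasible successor, installed")]


if __name__ == "__main__":
    for variance in (1, 2):
        print("variance", variance)
        for neighbor, verdict in classify(ROUTER_E_PATHS, variance).items():
            print("  %-9s %s" % (neighbor, verdict))
```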

Switching Fundamentals

LAN Segment Limitations

Signals degrade with transmission distance. Each Ethernet type has a maximum segment length.

Extending LAN Segments

Shares bandwidth
Extends cable distances
Repeats or amplifies signal

Collisions

Multiple Collision Domains

Ethernet Switches and Bridges

Address learning
Forwarding and filtering decisions
Loop avoidance

MAC Address Table

The initial MAC address table is empty.

Learning Addresses

Station A sends a frame to station C. The switch caches the MAC address of station A to port E0 by learning the source address of data frames. The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded).

Learning Addresses (Cont.)

Station D sends a frame to station C. The switch caches the MAC address of station D to port E3 by learning the source address of data frames. The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded).

Filtering Frames

Station A sends a frame to station C. The destination is known; the frame is not flooded.

Filtering Frames (Cont.)

Station A sends a frame to station B.

The switch has the address for station B in the MAC address table.

Broadcast and Multicast Frames

Station D sends a broadcast or multicast frame.

Broadcast and multicast frames are flooded to all ports other than the originating port.
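The learning, filtering and flooding steps above can be replayed with a small learning-bridge model. The Python script below is an added example, not course material: it uses the page's stations A to D and ports E0 and E3 (the other ports and all MAC addresses are made up) and inserts two frames the page does not show, a reply from C and a frame from B, so that those addresses are in the table when the "destination is known" steps are reached.

```python
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed stations: (port, MAC).  The page hangs A off E0 and D off E3;
# the other ports and all MAC addresses are made up for this example.
STATIONS = {
    "A": ("E0", "00:00:0c:aa:aa:aa"),
    "B": ("E1", "00:00:0c:bb:bb:bb"),
    "C": ("E2", "00:00:0c:cc:cc:cc"),
    "D": ("E3", "00:00:0c:dd:dd:dd"),
}


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    """Learning bridge implementing the page's functions: address learning,
    forwarding/filtering decisions, and flooding of unknown unicasts and broadcasts."""

    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}  # MAC -> port; empty when the switch boots

    def receive(self, in_port: str, src: str, dst: str) -> Dict[str, object]:
        # Learning: the source address is associated with the ingress port.
        self.mac_table[src] = in_port
        everything_else = [p for p in self.ports if p != in_port]
        if is_group_address(dst):
            return {"action": "flood", "out": everything_else}   # broadcast or multicast
        out_port = self.mac_table.get(dst)
        if out_port is None:
            return {"action": "flood", "out": everything_else}   # unknown unicast
        if out_port == in_port:
            return {"action": "filter", "out": []}               # same segment: drop
        return {"action": "forward", "out": [out_port]}          # known unicast


def run_page_scenario() -> List[tuple]:
    """Replay the page's sequence of frames; returns (src, dst, action, out_ports) per frame."""
    sw = Switch(["E0", "E1", "E2", "E3"])
    log = []

    def send(src: str, dst: str) -> None:
        port, mac = STATIONS[src]
        dmac = BROADCAST if dst == "broadcast" else STATIONS[dst][1]
        r = sw.receive(port, mac, dmac)
        log.append((src, dst, r["action"], r["out"]))

    send("A", "C")          # A learned on E0; C unknown, flooded to E1, E2, E3
    send("D", "C")          # D learned on E3; C still unknown, flooded to E0, E1, E2
    send("C", "A")          # assumed reply (not on the page) so the switch learns C
    send("A", "C")          # destination known: forwarded out E2 only
    send("B", "A")          # assumed frame (not on the page) so the switch learns B
    send("A", "B")          # B is in the table: forwarded out E1 only
    send("D", "broadcast")  # flooded to every port except the originating E3
    return log


def filtering_example() -> str:
    """Two stations on one shared segment: the frame is filtered, not forwarded.
    (Constructed case; on the page each station has a port of its own.)"""
    sw = Switch(["E0", "E1"])
    sw.receive("E0", "00:00:0c:11:11:11", BROADCAST)                 # learn X on E0
    r = sw.receive("E0", "00:00:0c:22:22:22", "00:00:0c:11:11:11")   # Y -> X, same port
    return r["action"]


if __name__ == "__main__":
    for entry in run_page_scenario():
        print(entry)
```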

VLAN Operations

VLAN Overview
Segmentation
Flexibility
Security

VLAN = Broadcast Domain = Logical Network (Subnet)

Designing VLANs for an Organization


VLAN design must take into consideration the implementation of a hierarchical network addressing scheme. The benefits of hierarchical addressing are:
Ease of management and troubleshooting
Minimization of errors
Reduced number of routing table entries

Guidelines for Applying IP Address Space

Allocate one IP subnet per VLAN.
Allocate IP address spaces in contiguous blocks.

VLAN Operation

Each logical VLAN is like a separate physical bridge. VLANs can span across multiple switches. Trunks carry traffic for multiple VLANs.

Trunks use special encapsulation to distinguish between different VLANs.

VLAN Membership Modes

802.1Q Trunking

802.1Q Frame

Understanding Native VLANs

VTP Features

VTP Modes

Server:       Create, modify, and delete VLANs; sends and forwards advertisements; synchronizes
Client:       Cannot create, change, or delete VLANs; sends and forwards advertisements; synchronizes
Transparent:  Create, modify, and delete local VLANs only; forwards advertisements; does not synchronize

VTP Operation
VTP advertisements are sent as multicast frames. VTP servers and clients are synchronized to the latest revision number.

VTP advertisements are sent every 5 minutes or when there is a change.

VTP Pruning

Configuring VLANs and Trunks


1. Configure and verify VTP.
2. Configure and verify 802.1Q trunks.
3. Create or modify a VLAN on the VTP server switch.
4. Assign switch ports to a VLAN and verify.
5. Execute adds, moves, and changes.
6. Save the VLAN configuration.

VTP Configuration Guidelines


VTP defaults for the Cisco Catalyst switch:
  VTP domain name: None
  VTP mode: Server mode
  VTP pruning: Enabled or disabled (model specific)
  VTP password: Null
  VTP version: Version 1
A new switch can automatically become part of a domain once it receives an advertisement from a server.
A VTP client can overwrite a VTP server database if the client has a higher revision number.
A domain name cannot be removed after it is assigned; it can only be reassigned.

Creating a VTP Domain

SwitchX# configure terminal
SwitchX(config)# vtp mode [ server | client | transparent ]
SwitchX(config)# vtp domain domain-name
SwitchX(config)# vtp password password
SwitchX(config)# vtp pruning
SwitchX(config)# end

VTP Configuration and Verification Example


SwitchX(config)# vtp domain ICND
Changing VTP domain name to ICND
SwitchX(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SwitchX(config)# end
SwitchX# show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 17
VTP Operating Mode              : Transparent
VTP Domain Name                 : ICND
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
SwitchX#

802.1Q Trunking Issues


Make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.
Note that native VLAN frames are untagged.
A trunk port cannot be a secure port.
All 802.1Q trunking ports in an EtherChannel group must have the same configuration.

Configuring 802.1Q Trunking


SwitchX(config-if)# switchport mode {access | dynamic {auto | desirable} | trunk}

Configures the trunking characteristics of the port

SwitchX(config-if)# switchport mode trunk

Configures the port as a VLAN trunk

Verifying a Trunk
SwitchX# show interfaces interface [switchport | trunk]

SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .

SwitchX# show interfaces fa0/11 trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/11    desirable    802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1-13

VLAN Creation Guidelines


The maximum number of VLANs is switch-dependent. Most Cisco Catalyst desktop switches support 128 separate spanning-tree instances, one per VLAN.
VLAN 1 is the factory default Ethernet VLAN.
Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.
The Cisco Catalyst switch IP address is in the management VLAN (VLAN 1 by default).
If using VTP, the switch must be in VTP server or transparent mode to add or delete VLANs.

Adding a VLAN

SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99

Verifying a VLAN

SwitchX# show vlan [brief | id vlan-id | name vlan-name]

SwitchX# show vlan id 2
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
2    switchlab99                      active    Fa0/2, Fa0/12

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500                                       0      0
. . .
SwitchX#

Assigning Switch Ports to a VLAN


SwitchX(config-if)# switchport access [vlan vlan# | dynamic]

SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if)# switchport access vlan 2

SwitchX# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4

Verifying VLAN Membership


SwitchX# show vlan brief

SwitchX# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Verifying VLAN Membership (Cont.)


SwitchX#

show interfaces interface switchport

SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ---

Laboratory
Lab topology (labels recovered from the figure):
VTP domain: CITS
Router: Fa0 no ip address; Fa0.1 192.168.1.1/24; Fa0.10 192.168.10.1/24; Fa0.20 192.168.20.1/24; Fa0.30 192.168.30.1/24
VLANs: Vlan 1 192.168.1.0/24; Vlan 10 192.168.10.0/24; Vlan 20 192.168.20.0/24; Vlan 30 192.168.30.0/24
Switch 1: VTP server; STP primary for Vlan 1, 10; STP secondary for Vlan 20, 30; trunk links assigned on Fa0/1-3
Switch 2: VTP server; STP primary for Vlan 20, 30; STP secondary for Vlan 1, 10; trunk links assigned on Fa0/1-3
Third switch: trunk links assigned on Fa0/1-2
Access ports (shown for two switches): Vlan 10 assigned on ports Fa0/3-5; Vlan 20 assigned on ports Fa0/6-8; Vlan 30 assigned on ports Fa0/9-12

Implementing STP

Redundant Topology

Redundant topology eliminates single points of failure. Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Frames

Station D sends a broadcast frame.


Broadcast frames are flooded to all ports except the originating port.

Broadcast Storms

Host X sends a broadcast. Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies

Host X sends a unicast frame to router Y. The MAC address of router Y has not been learned by either switch. Router Y will receive two copies of the same frame.

MAC Database Instability

Host X sends a unicast frame to router Y. The MAC address of router Y has not been learned by either switch. Switches A and B learn the MAC address of host X on port 1. The frame to router Y is flooded. Switches A and B incorrectly learn the MAC address of host X on port 2.

Loop Resolution with STP

Provides a loop-free redundant network topology by placing certain ports in the blocking state

Published in the IEEE 802.1D specification


Enhanced with the Cisco PVST+ implementation

Spanning-Tree Operation
One root bridge per broadcast domain. One root port per nonroot bridge.

One designated port per segment.


Nondesignated ports are unused.

STP Root Bridge Selection

BPDU (default = sent every 2 seconds)
Root bridge = bridge with the lowest bridge ID
Bridge ID = Priority + Bridge MAC Address

Spanning-Tree Port States


Spanning tree transitions each port through several different states:

Describing PortFast

PortFast is configured on access ports, not trunk ports.

Configuring and Verifying PortFast


SwitchX(config-if)#

spanning-tree portfast

Configures PortFast on an interface OR


SwitchX(config)#

spanning-tree portfast default

Enables PortFast on all non-trunking interfaces


SwitchX#

show running-config interface interface

Verifies that PortFast has been configured on an interface

Spanning-Tree Operation Example

Spanning-Tree Path Cost

Link Speed   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gb/s      2                                   1
1 Gb/s       4                                   1
100 Mb/s     19                                  10
10 Mb/s      100                                 100

Spanning-Tree Recalculation

Per VLAN Spanning Tree Plus

Default Spanning-Tree Configuration


Cisco Catalyst switches support three types of STPs:
  PVST+
  PVRST+
  MSTP
The default STP for Cisco Catalyst switches is PVST+:
  A separate STP instance for each VLAN
  One root bridge for all VLANs
  No load sharing

PVRST+ Configuration Guidelines


1. Enable PVRST+.
2. Designate and configure a switch to be the root bridge.
3. Designate and configure a switch to be the secondary root bridge.
4. Verify the configuration.

PVRST+ Implementation Commands


SwitchX(config)#

spanning-tree mode rapid-pvst

Configures PVRST+
SwitchX#

show spanning-tree vlan vlan# [detail]

Verifies the spanning-tree configuration


SwitchX#

debug spanning-tree pvst+

Displays PVST+ event debug messages

Verifying PVRST+
SwitchX# show spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     00d0.047b.2800
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     00d0.047b.2800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface   Role Sts Cost  Prio.Nbr Type
----------- ---- --- ----- -------- ----
Gi1/1       Desg FWD 4     128.1    P2p
Gi1/2       Desg FWD 4     128.2    P2p
Gi5/1       Desg FWD 4     128.257  P2p

The spanning-tree mode is set to PVRST.
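To make the bridge ID arithmetic and the per-VLAN election concrete, here is an added Python model (not Cisco code and not part of the course): it builds the extended-system-ID priority (configured priority + VLAN, which gives the 24606 shown above for priority 24576 and VLAN 30), compares bridge IDs as (priority, MAC), and reproduces the lab's split of root bridges across VLANs. It assumes that root primary and root secondary simply set 24576 and 28672, which is what they do when every other switch is at the default priority; the MAC addresses are constructed.

```python
"""Per-VLAN root bridge election as PVST+/PVRST+ performs it.

Added example, not Cisco code. Assumptions: 'root primary' sets priority
24576 and 'root secondary' 28672 (true when all other switches are at the
default 32768); MAC addresses below are constructed.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576
ROOT_SECONDARY_PRIORITY = 28672
PRIORITY_STEP = 4096          # the configurable priority is a multiple of 4096


@dataclass
class Switch:
    name: str
    mac: str                                          # dotted hex as IOS prints it
    priorities: dict = field(default_factory=dict)    # vlan -> configured priority

    def set_priority(self, vlan, priority):
        """spanning-tree vlan <vlan> priority <priority>"""
        if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        self.priorities[vlan] = priority

    def root_primary(self, vlan):             # spanning-tree vlan <vlan> root primary
        self.set_priority(vlan, ROOT_PRIMARY_PRIORITY)

    def root_secondary(self, vlan):           # spanning-tree vlan <vlan> root secondary
        self.set_priority(vlan, ROOT_SECONDARY_PRIORITY)

    def bridge_id(self, vlan):
        """Bridge ID = priority + bridge MAC address.

        With the extended system ID the 16-bit priority field is the
        configured priority plus the VLAN number, which is why the output
        above shows 24606 (priority 24576 sys-id-ext 30).
        """
        effective = self.priorities.get(vlan, DEFAULT_PRIORITY) + vlan
        return (effective, int(self.mac.replace(".", ""), 16))


def elect_root(switches, vlan):
    """The bridge with the lowest bridge ID is root; the MAC breaks ties."""
    return min(switches, key=lambda s: s.bridge_id(vlan)).name


def root_map(switches, vlans):
    """One root per VLAN: this is how PVST+ can spread load over redundant links."""
    return {vlan: elect_root(switches, vlan) for vlan in vlans}


def lab_root_map():
    """The lab topology: SwitchA primary for VLANs 1 and 10 and secondary for
    20 and 30; SwitchB the reverse. MAC addresses are constructed."""
    a = Switch("SwitchA", "0011.2233.4455")
    b = Switch("SwitchB", "0011.2233.4466")
    for vlan in (1, 10):
        a.root_primary(vlan)
        b.root_secondary(vlan)
    for vlan in (20, 30):
        b.root_primary(vlan)
        a.root_secondary(vlan)
    return root_map([a, b], [1, 10, 20, 30])


if __name__ == "__main__":
    print(lab_root_map())
```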

Configuring the Root and Secondary Bridges

Configuring the Root and Secondary Bridges: SwitchA


SwitchA(config)#

spanning-tree vlan 1 root primary

This command forces this switch to be the root for VLAN 1.


SwitchA(config)#

spanning-tree vlan 2 root secondary

This command configures this switch to be the secondary root for VLAN 2.

OR
SwitchA(config)#

spanning-tree vlan # priority priority

This command statically configures the priority (increments of 4096).

Configuring the Root and Secondary Bridges: SwitchB


SwitchB(config)# spanning-tree vlan 2 root primary

This command forces the switch to be the root for VLAN 2.


SwitchB(config)# spanning-tree vlan 1 root secondary

This command configures the switch to be the secondary root for VLAN 1.


OR
SwitchB(config)# spanning-tree vlan # priority priority

This command statically configures the priority (increments of 4096).


Inter-Vlan Routing

VLAN-to-VLAN Overview

Network layer devices combine multiple broadcast domains.

Dividing a Physical Interface into Subinterfaces

Physical interfaces can be divided into multiple subinterfaces.

Routing Between VLANs with 802.1Q Trunks

interface fastethernet 0/0
 ip address 10.1.1.1 255.255.255.0
interface fastethernet 0/0.2
 encapsulation dot1q 2
 ip address 10.2.2.1 255.255.255.0


Introducing ACL

Why Use ACLs?

Manage IP traffic as network access grows

Filter packets as they pass through the router

ACL Applications

Permit or deny packets moving through the router. Permit or deny vty access to or from the router. Without ACLs, all packets could be transmitted onto all parts of your network.

Other ACL Uses

Special handling for traffic based on packet tests

Types of ACLs

Standard
  Checks source address
  Generally permits or denies entire protocol suite

Extended
  Checks source and destination address
  Generally permits or denies specific protocols

How to Identify ACLs

Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range).
Extended IP lists (2000-2699) (expanded range).
Other ACL number ranges test conditions for other networking protocols.
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

Testing Packets with Standard ACLs

Testing Packets with Extended ACLs

Outbound ACL Operation

If no ACL statement matches, then discard the packet.

A List of Tests: Deny or Permit

Wildcard Bits: How to Check the Corresponding Address Bits

0 means check value of corresponding address bit. 1 means ignore value of corresponding address bit.

Wildcard Bits to Match a Specific IP Host Address


Check all the address bits (match all). Verify an IP host address, for example:

172.30.16.29 0.0.0.0 checks all the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

Wildcard Bits to Match Any IP Address


Test conditions: ignore all the address bits (match any). For example, accept any address:

any

Abbreviate the expression with the keyword any.

Wildcard Bits to Match IP Subnets


Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask: 172.30.16.0 0.0.15.255

Configuring ACL

ACL Configuration Guidelines


ACL numbers indicate which protocol is filtered.
One ACL per interface, per protocol, per direction is allowed.
The order of ACL statements controls testing. The most restrictive statements go at the top of the list.
The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.
ACLs must be created before applying them to interfaces.
ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router.
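Added example (not from the course): a small Python model of standard ACL evaluation covering the wildcard-mask rule (0 = check the bit, 1 = ignore it), the host and any abbreviations, top-down first-match processing and the implicit deny any, plus a check for statements an earlier statement makes unreachable. The parser handles only the numbered standard syntax shown in this module; the addresses in the test are the 172.30.16.0 0.0.15.255 and 192.168.1.0 0.0.0.255 examples from these slides.

```python
"""Standard IP ACL matching as the router performs it.

Added example, not Cisco code. Handles the syntax on these slides:
  access-list <1-99|1300-1999> {permit|deny} <source> [<wildcard>]
with the 'host <addr>' and 'any' abbreviations.
"""
import ipaddress


def _care_bits(wildcard):
    """Bits the router checks: the complement of the wildcard mask."""
    return ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = the address bit must equal the base, 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = _care_bits(wildcard)
    return (a & care) == (b & care)


def parse_standard_ace(line):
    """Parse one numbered standard ACL statement into a dict."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACL statement: {line!r}")
    number = int(parts[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard IP ACL ranges")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    source = parts[3]
    if source == "any":                       # any = 0.0.0.0 255.255.255.255
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif source == "host":                    # host <addr> = <addr> 0.0.0.0
        base, wildcard = parts[4], "0.0.0.0"
    else:                                     # default wildcard mask is 0.0.0.0
        base = source
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return {"number": number, "action": action, "base": base, "wildcard": wildcard}


def evaluate(acl_lines, source_addr):
    """Top-down processing: the first matching statement decides and testing
    stops; a packet matching nothing hits the implicit deny any.
    Returns (action, statement index); the index is None for the implicit deny."""
    for index, line in enumerate(acl_lines, start=1):
        ace = parse_standard_ace(line)
        if wildcard_match(source_addr, ace["base"], ace["wildcard"]):
            return ace["action"], index
    return "deny", None


def shadowed_statements(acl_lines):
    """Indices (1-based) of statements that can never match because an earlier
    statement already covers their whole address range, the ordering mistake the
    guidelines above warn about (specific tests must come first)."""
    aces = [parse_standard_ace(line) for line in acl_lines]
    result = []
    for i, later in enumerate(aces):
        l_care = _care_bits(later["wildcard"])
        for earlier in aces[:i]:
            e_care = _care_bits(earlier["wildcard"])
            # earlier covers later when it checks no bit that later leaves free
            # and the two base addresses agree on every bit earlier checks
            if (e_care & ~l_care) == 0 and wildcard_match(
                    later["base"], earlier["base"], earlier["wildcard"]):
                result.append(i + 1)
                break
    return result
```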

ACL Command Overview


Step 1: Set parameters for this ACL test statement (which can be one of several statements).
Router(config)#access-list access-list-number

{permit | deny} {test conditions}

Step 2: Enable an interface to use the specified ACL.


Router(config-if)#{protocol} access-group access-list-number {in | out}

Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)

Standard IP ACL Configuration


Router(config)#access-list access-list-number {permit | deny | remark} source [mask]

Sets parameters for this list entry
IP standard ACLs use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes the entire ACL
remark lets you add a description for the ACL

Router(config-if)#ip access-group access-list-number {in | out}

Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes the ACL from the interface

Standard IP ACL Example 1

Permit my network only.

Standard IP ACL Example 2

Deny a specific host.

Standard IP ACL Example 3

Deny a specific subnet.

Extended IP ACL Configuration

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Sets parameters for this list entry

Router(config-if)#ip access-group access-list-number

{in | out}

Activates the extended list on an interface

Extended ACL Example 1

Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0. Permit all other traffic.

Extended ACL Example 2

Deny only Telnet from subnet 172.16.4.0 out E0. Permit all other traffic.

Using Named IP ACL


Router(config)#ip access-list {standard | extended} name

Alphanumeric name string must be unique.


Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
Router(config {std- | ext-}nacl)#{permit | deny} {ip access list test conditions}
Router(config {std- | ext-}nacl)#no {permit | deny} {ip access list test conditions}

Permit or deny statements have no prepended number.
no removes the specific test from the named ACL.
Router(config-if)#ip access-group name {in | out}

Activates the named IP ACL on an interface.

Filtering vty Access to a Router

Five virtual terminal lines (0 through 4)
Filter addresses that can access into the router vty ports
Filter vty access originating from the router

How to Control vty Access

Set up an IP address filter with a standard ACL statement. Use line configuration mode to filter access with the access-class command. Set identical restrictions on every vty.

vty Commands

Router(config)#line vty {vty# | vty-range}

Enters configuration mode for a vty or vty range

Router(config-line)#access-class access-list-number {in | out}

Restricts incoming or outgoing vty connections for address in the ACL

vty Access Example


Controlling Inbound Access
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty

ACL Configuration Guidelines


The order of ACL statements is crucial.
Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
Top-down processing is important. Place the more specific test statements first.
Statements cannot be rearranged or removed. Use the no access-list number command to remove the entire ACL. Exception: Named ACLs permit removal of individual statements.
Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.

Where to Place IP ACLs

Place extended ACLs close to the source. Place standard ACLs close to the destination.

Verifying ACLs
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  <text omitted>

Monitoring ACL Statements


wg_ro_a#show {protocol} access-list {access-list number}

wg_ro_a#show access-lists {access-list number}

wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

Scaling the Network with NAT/PAT

Network Address Translation

An IP address is either local or global. Local IP addresses are seen in the inside network.

Port Address Translation

Translating Inside Source Addresses

Configuring Static Translation


Router(config)#ip nat inside source static local-ip global-ip

Establishes static translation between an inside local address and an inside global address

Router(config-if)#ip nat inside

Marks the interface as connected to the inside

Router(config-if)#ip nat outside

Marks the interface as connected to the outside

Enabling Static NAT Address Mapping Example

Configuring Dynamic Translation


Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Defines a pool of global addresses to be allocated as needed.


Router(config)#access-list access-list-number permit source [source-wildcard]

Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)#ip nat inside source list access-list-number pool name

Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Dynamic Address Translation Example

Overloading an Inside Global Address

Configuring Overloading
Router(config)#access-list access-list-number permit source source-wildcard

Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)#ip nat inside source list access-list-number interface interface overload

Establishes dynamic source translation, specifying the ACL that was defined in the prior step

Overloading an Inside Global Address Example

Clearing the NAT Translation Table


Router#clear ip nat translation *

Clears all dynamic address translation entries


Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation
Router#clear ip nat translation outside local-ip global-ip

Clears a simple dynamic translation entry that contains an outside translation


Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

Clears an extended dynamic translation entry

Displaying Information with show Commands


Router#show ip nat translations

Displays active translations


Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router#show ip nat statistics

Displays translation statistics


Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2.7
Inside interfaces: Ethernet1
Hits: 5  Misses: 0

Sample Problem: Cannot Ping Remote Host

Solution: New Configuration

Using the debug ip nat Command

Router#debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Translation Not Installed in the Translation Table?


Verify that:
The configuration is correct
There are not any inbound ACLs denying the packets entry to the NAT router
The ACL referenced by the NAT command is permitting all necessary networks
There are enough addresses in the NAT pool
The router interfaces are appropriately defined as NAT inside or NAT outside
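Added example, not Cisco code: a Python model of the translation table that the static, ACL-selected and overload commands in this module build, covering static entries, PAT port allocation on one inside global address, the reverse lookup a returning packet needs, and hit/miss counters in the spirit of show ip nat statistics. The addresses are the ones from the slide examples (10.10.10.1 static to 172.16.131.1, 192.168.1.x overloaded onto 172.31.233.209); the port allocation policy (keep the inside port when free, otherwise the next free port from 1024 up) is an assumption that simplifies real IOS behaviour.

```python
"""Translation table of a NAT router with one static entry, a standard ACL
choosing the inside hosts to translate, and PAT (overload) onto a single
inside global address.

Added example, not Cisco code. Addresses come from the slide examples; the
port-allocation policy (keep the inside port when free, else the next free
port from 1024 up) is an assumption, not a statement about IOS.
"""
import ipaddress
from collections import OrderedDict


class NatRouter:
    def __init__(self, overload_global, permitted_networks, static=None):
        # address of the interface named in 'ip nat inside source list <acl> interface <if> overload'
        self.overload_global = overload_global
        # the 'access-list <n> permit <net> <wildcard>' selection, written as prefixes here
        self.permitted = [ipaddress.ip_network(n) for n in permitted_networks]
        # 'ip nat inside source static <local> <global>' entries
        self.static = dict(static or {})
        # dynamic entries: (proto, inside local, local port) -> (inside global, global port)
        self.table = OrderedDict()
        self.used_ports = set()
        self.hits = 0      # packets that matched an existing entry
        self.misses = 0    # packets that caused a new entry to be created

    def _permitted(self, local):
        return any(ipaddress.ip_address(local) in net for net in self.permitted)

    def _allocate_port(self, wanted):
        port = wanted if wanted not in self.used_ports else 1024
        while port in self.used_ports:
            port += 1
            if port > 65535:
                raise RuntimeError("no free port left on the overloaded address")
        self.used_ports.add(port)
        return port

    def outbound(self, proto, src, sport):
        """Inside -> outside. Returns the (source, port) the packet leaves with."""
        if src in self.static:                     # static NAT: address only, port unchanged
            return self.static[src], sport
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1
            return self.table[key]
        if not self._permitted(src):
            # Not selected by the NAT ACL: the packet is routed untranslated, which is
            # why 'the ACL permits all necessary networks' is on the checklist above.
            return src, sport
        self.misses += 1
        entry = (self.overload_global, self._allocate_port(sport))
        self.table[key] = entry
        return entry

    def inbound(self, proto, dst, dport):
        """Outside -> inside. None means no translation exists for this packet,
        so the router has no inside host to deliver it to."""
        for local, glob in self.static.items():
            if dst == glob:
                return local, dport
        for (p, local, lport), (glob, gport) in self.table.items():
            if p == proto and dst == glob and dport == gport:
                return local, lport
        return None

    def statistics(self):
        """Counters in the spirit of 'show ip nat statistics'."""
        return {"static": len(self.static), "dynamic": len(self.table),
                "hits": self.hits, "misses": self.misses}

    def show_translations(self):
        """Text resembling 'show ip nat translations'."""
        lines = [f"{'Pro':<5}{'Inside global':<22}{'Inside local':<22}"]
        for local, glob in self.static.items():
            lines.append(f"{'---':<5}{glob:<22}{local:<22}")
        for (p, local, lport), (glob, gport) in self.table.items():
            lines.append(f"{p:<5}{glob + ':' + str(gport):<22}{local + ':' + str(lport):<22}")
        return "\n".join(lines)

    def clear(self):
        """clear ip nat translation *"""
        self.table.clear()
        self.used_ports.clear()


def slide_router():
    """The slide examples: 10.10.10.1 static to 172.16.131.1, and the
    192.168.1.0/24 hosts overloaded onto 172.31.233.209."""
    return NatRouter("172.31.233.209", ["192.168.1.0/24"],
                     static={"10.10.10.1": "172.16.131.1"})
```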

Exploring Wireless Networking

Wireless LANs

2007 Cisco Systems, Inc. All rights reserved.

ICND1 v1.02-250

Market Trends

Differences Between WLAN and LAN


WLANs use radio waves as the physical layer.
WLANs use CSMA/CA instead of CSMA/CD for media access.
Two-way radio (half-duplex) communication.
Radio waves have problems that are not found on wires.
Connectivity issues: coverage problems; interference, noise.
Privacy issues.
Access points are shared devices similar to an Ethernet hub for shared bandwidth.
WLANs must meet country-specific RF regulations.

Radio Frequency Transmission


Radio frequencies are radiated into the air via an antenna, creating radio waves.
Objects can affect radio wave propagation, resulting in:
  Reflection
  Scattering
  Absorption
Higher frequencies allow higher data rates; however, they have a shorter range.

Organizations That Define WLAN


ITU-R:

International Telecommunication Union - Radiocommunication Sector; regulates the RF used in wireless


IEEE:

Institute of Electrical and Electronics Engineers; 802.11 documents wireless technical standards
Wi-Fi Alliance:

Global nonprofit industry trade association Promote wireless growth through interoperability certification

ITU-R with FCC Wireless

ISM: industry, scientific, and medical frequency band


No license required

No exclusive use
Best-effort
Interference possible

IEEE 802.11 Standards Comparison


                   802.11b                   802.11a                        802.11g
Frequency band     2.4 GHz                   5 GHz                          2.4 GHz
No. of channels    3                         Up to 23                       3
Transmission       Direct Sequence Spread    Orthogonal Frequency           DSSS and OFDM
                   Spectrum (DSSS)           Division Multiplexing (OFDM)
Data rates [Mb/s]  1, 2, 5.5, 11             6, 9, 12, 18, 24, 36, 48, 54   1, 2, 5.5, 11 (DSSS)
                                                                            6, 9, 12, 18, 24, 36, 48, 54 (OFDM)

Wi-Fi Certification
Wi-Fi Alliance certifies interoperability between products.
Products include 802.11a, 802.11b, 802.11g, dual-band products, and security testing. Provides assurance to customers of migration and integration options.

Cisco is a founding member of the Wi-Fi Alliance. Certified products can be found at http://www.wi-fi.com.

Understanding WLAN Security

Wireless LANs


Wireless LAN Security Threats

Mitigating the Threats

Control and Integrity: Authentication
  Ensure that legitimate clients associate with trusted access points.

Privacy and Confidentiality: Encryption
  Protect data as it is transmitted and received.

Protection and Availability: Intrusion Prevention System (IPS)
  Track and mitigate unauthorized access and network attacks.

Evolution of Wireless LAN Security


1997: WEP
  Basic encryption
  No strong authentication
  Static, breakable keys
  Not scalable
  MAC filters and SSID-cloaking also used to complement WEP

2001: 802.1x EAP
  Dynamic keys
  Improved encryption
  User authentication
  802.1X EAP (LEAP, PEAP), RADIUS

2003: WPA
  Standardized
  Improved encryption
  Strong, user authentication (such as LEAP, PEAP, EAP-FAST)

2004 to present: 802.11i / WPA2
  AES strong encryption
  Authentication
  Dynamic key management

Wireless Client Association


Access points send out beacons announcing SSID, data rates, and other information. Client scans all channels. Client listens for beacons and responses from access points. Client associates to access point with strongest signal. Client will repeat scan if signal becomes low to reassociate to another access point (roaming). During association, SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point.

How 802.1X Works on the WLAN

WPA and WPA2 Modes

                               WPA                               WPA2
Enterprise mode                Authentication: IEEE 802.1X/EAP   Authentication: IEEE 802.1X/EAP
(business, education,          Encryption: TKIP/MIC              Encryption: AES-CCMP
government)

Personal mode                  Authentication: PSK               Authentication: PSK
(SOHO, home and personal)      Encryption: TKIP/MIC              Encryption: AES-CCMP

Implementing a WLAN

Wireless LANs


802.11 Topology Building Blocks


Ad hoc mode: Independent Basic Service Set (IBSS)
Mobile clients connect directly without an intermediate access point.

Infrastructure mode:

Basic Service Set (BSS)


Mobile clients use a single access point for connecting to each other or to wired network resources.

Extended Service Set (ESS):


Two or more BSSs are connected by a common distribution system.

BSA Wireless Topology: Basic Coverage

ESA Wireless Topology: Extended Coverage

Wireless Topology Data Rates: 802.11b

Common Wireless Network Issues


Most problems are due to incorrect configuration:
Verify that the access point is running the latest revision of firmware.
Verify the channel configuration. Try channels 1, 6, or 11.
Verify that users have the correct encryption type and password.

Other common problems:


RF interference

Not connected
Radio not enabled Poor antenna location

Understanding WAN Technologies

WAN Connections


Wide-Area Network

Need for WANs

WANs vs. LANs

WAN Access and the OSI Reference Model

WAN Devices

Routers
Terminal servers
Modems
DSU/CSU
WAN networking devices
ATM switches
Frame Relay switches
PSTN

Physical Layer: WANs

Serial Point-to-Point Connections

WANMultiple LANs

WAN Data-Link Protocols


HDLC
PPP
Frame Relay (LAPF)
ATM

WAN Link Options

Packet Switching

DSL

DSL Service Types Overview

DSL Considerations
Advantages
Speed Simultaneous voice and data transmission

Incremental additions
Always-on availability Backward compatibility with analog phones

Disadvantages
Limited availability
Local phone company requirements Security risks

Cable-Based WANs

Introducing VPN Solutions

LAN Extension into a WAN


What Is a VPN?

Virtual: Information within a private network is transported over a public network. Private: The traffic is encrypted to keep the data confidential.

Benefits of VPN

Cost Security Scalability

Site-to-Site VPNs

Site-to-site VPN: extension of classic WAN

Remote-Access VPNs

Remote-access VPN: evolution of dial-in networks and ISDN

Cisco Easy VPN

Cisco IOS IPsec: Integrated security and routing

SSL VPN (WebVPN): Browser-based full network SSL VPN access

VPN-Enabled Cisco IOS Routers

Cisco ASA Adaptive Security Appliances

VPN Clients

(legacy)

What Is IPsec?

IPsec acts at the network layer, protecting and authenticating IP packets.


It is a framework of open standards that is algorithm independent. It provides data confidentiality, data integrity, and origin authentication.

IPsec Security Services


Confidentiality Data integrity Authentication Antireplay protection

Confidentiality (Encryption)

Encryption Algorithms

Encryption algorithms:
DES AES 3DES RSA

DH Key Exchange

Diffie-Hellman algorithms:
DH1 DH2

DH5

Data Integrity

Hashing algorithms:
HMAC-MD5
HMAC-SHA-1

Authentication

Peer authentication methods:


PSKs RSA signatures

IPsec Security Protocols

IPsec Framework

Typical WAN Encapsulation Protocols

An Overview of PPP

PPP can carry packets from several protocol suites using NCP. PPP controls the setup of several link options using LCP.

PPP Session Establishment

PPP session establishment:


1. Link establishment phase
2. Authentication phase (optional)
   Two PPP authentication protocols: PAP and CHAP
3. Network layer protocol phase

PPP Authentication Protocols: PAP

Passwords sent in plaintext Peer in control of attempts

PPP Authentication Protocols: CHAP

This is an example of the Santa Cruz router authenticating to the HQ router. Hash values, not actual passwords, are sent across the link. The local router or external server is in control of authentication attempts.

Configuring PPP and Authentication Overview

Configuring PPP and Authentication


RouterX(config-if)# encapsulation ppp

Enables PPP encapsulation


RouterX(config)# hostname name

Assigns a hostname to your router


RouterX(config)# username name password password

Identifies the username and password of remote router


RouterX(config-if)# ppp authentication {chap | chap pap | pap chap | pap}

Enables PAP or CHAP authentication

PPP and CHAP Configuration Example

hostname RouterX
username RouterY password sameone
!
int serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

hostname RouterY
username RouterX password sameone
!
int serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

Verifying the PPP Encapsulation Configuration


RouterX# show interface s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     38021 packets input, 5656110 bytes, 0 no buffer
     Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     38097 packets output, 2135697 bytes, 0 underruns
     0 output errors, 0 collisions, 6045 interface resets
     0 output buffer failures, 0 output buffers swapped out
     482 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Verifying PPP Authentication

RouterX# debug ppp authentication
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from "left"
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from "right"
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from "left"
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from "right"
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

The debug ppp authentication command shows successful CHAP output
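Added example, not from the course material: a Python model of the two-way CHAP exchange the debug output above shows, using the RFC 1994 MD5 construction (Identifier, shared secret, Challenge) with the username and password entries from the configuration example. It shows why only hash values cross the link, why the router issuing the challenge controls the attempt, and why a captured response is useless against a fresh challenge. The hostnames and the secret sameone are from the slides; challenge values are random.

```python
"""Two-way CHAP over a PPP link, modelled on the configuration example
above (both routers: username <peer> password sameone).

Added example, not Cisco code. Uses the RFC 1994 construction
Response = MD5(Identifier || secret || Challenge); challenge values are random.
"""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """MD5 over the one-byte identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Peer:
    def __init__(self, hostname, usernames):
        self.hostname = hostname      # hostname <name>
        self.usernames = usernames    # username <name> password <password>, as a dict
        self._next_id = 1
        self._outstanding = {}        # identifier -> challenge we sent and still await

    def challenge(self):
        """O CHALLENGE: a fresh random value plus our name, so the peer knows
        which username entry to use. The challenger controls the attempt."""
        ident = self._next_id
        self._next_id = ident % 255 + 1      # 8-bit identifier, never 0 here
        value = os.urandom(16)
        self._outstanding[ident] = value
        return ident, value, self.hostname

    def respond(self, ident, value, challenger_name):
        """I CHALLENGE -> O RESPONSE. Only the hash crosses the link."""
        if challenger_name not in self.usernames:
            raise KeyError(f"no username entry for {challenger_name}")
        secret = self.usernames[challenger_name].encode()
        return ident, chap_response(ident, secret, value), self.hostname

    def verify(self, ident, digest, responder_name):
        """I RESPONSE: recompute with our copy of the password and compare in
        constant time. A response for an identifier we are not waiting for
        (already answered, or never sent) is rejected, which defeats replay."""
        value = self._outstanding.pop(ident, None)
        if value is None or responder_name not in self.usernames:
            return False
        expected = chap_response(ident, self.usernames[responder_name].encode(), value)
        return hmac.compare_digest(digest, expected)


def authenticate_both(left, right):
    """'Phase is AUTHENTICATING, by both': each side challenges the other.
    Returns (left accepts right, right accepts left)."""
    results = []
    for challenger, responder in ((left, right), (right, left)):
        ident, value, name = challenger.challenge()
        rid, digest, rname = responder.respond(ident, value, name)
        results.append(challenger.verify(rid, digest, rname))
    return tuple(results)


def slide_routers():
    """RouterX and RouterY from the configuration example above."""
    return (Peer("RouterX", {"RouterY": "sameone"}),
            Peer("RouterY", {"RouterX": "sameone"}))


if __name__ == "__main__":
    print(authenticate_both(*slide_routers()))
```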

Verifying PPP Negotiation


RouterX# debug ppp negotiation
PPP protocol negotiation debugging is on
RouterX#
*Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin
*Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 00:06:36.669: BR0:1 LCP: State is Listen
*Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17
*Mar 1 00:06:37.038: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.042: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D)
*Mar 1 00:06:37.046: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15
*Mar 1 00:06:37.058: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.062: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7
*Mar 1 00:06:37.070: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15
*Mar 1 00:06:37.102: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.106: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14
*Mar 1 00:06:37.117: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.121: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D

Establishing a WAN Connection with Frame Relay

LAN Extension into a WAN


Frame Relay Overview

Connections made by virtual circuits Connection-oriented service

Frame Relay Terminology

Selecting a Frame Relay Topology

Frame Relay default: NBMA

Resolving NBMA Reachability Issues

Split horizon can cause problems in NBMA environments.


Solution: subinterfaces

A single physical interface simulates multiple logical interfaces.

Frame Relay Address Mapping

LMI receives locally significant DLCI from the Frame Relay switch. Inverse ARP maps the local DLCI to the remote router network layer address.

Frame Relay Signaling

Cisco supports three LMI standards:


Cisco ANSI T1.617 Annex D ITU-T Q.933 Annex A

Stages of Inverse ARP and LMI Operation

Stages of Inverse ARP and LMI Operation (Cont.)

Configuring Basic Frame Relay

Configuring a Static Frame Relay Map

Configure a static Frame Relay map when:


- A Frame Relay peer does not support Inverse ARP
- You want to control broadcast traffic across a PVC
- You want to have different Frame Relay encapsulations across PVCs

Configuring Frame Relay Subinterfaces


Point-to-point:
- Subinterfaces act like leased lines.
- Each point-to-point subinterface requires its own subnet.
- Point-to-point is applicable to hub-and-spoke topologies.

Multipoint:
- Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
- Multipoint can save address space because it uses a single subnet.
- Multipoint is applicable to partial-mesh and full-mesh topologies.

Configuring Frame Relay Point-to-Point Subinterfaces

Configuring Frame Relay Multipoint Subinterfaces

Verifying Frame Relay Operation


RouterX# show interfaces type number

Displays information about Frame Relay DLCIs and the LMI

RouterX# show interfaces s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
  LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023 LMI type is CISCO frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  <Output omitted>

Verifying Frame Relay Operation (Cont.)


RouterX# show frame-relay lmi [type number]

Displays LMI statistics

RouterX# show frame-relay lmi


LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 113100           Num Status msgs Rcvd 113100
  Num Update Status Rcvd 0              Num Status Timeouts 0

Verifying Frame Relay Operation (Cont.)


RouterX# debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
RouterX#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0

Displays LMI debug information

Verifying Frame Relay Operation (Cont.)


RouterX# show frame-relay pvc [type number [dlci]]

Displays PVC statistics

RouterX# show frame-relay pvc 100


PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
  input pkts 28             output pkts 10            in bytes 8398
  out bytes 1198            dropped pkts 0            in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 10         out bcast bytes 1198
  pvc create time 00:03:46, last time pvc status changed 00:03:47

Verifying Frame Relay Operation (Cont.)


RouterX# show frame-relay map

Displays the current Frame Relay map entries

RouterX# clear frame-relay-inarp

Clears dynamically created Frame Relay maps, created by using Inverse ARP

RouterX# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
              broadcast,, status defined, active
RouterX# clear frame-relay-inarp
RouterX# show frame map
RouterX#

Transitioning to IPv6


What Is IPv6?

- Also known as IPng (next generation)
- A new version of the Internet Protocol
- Primarily designed to extend address space
- Enhancements and new features

History of IPv6
What happened to IPv5?

- Version 5 in the IP header was assigned to the ST protocol (Internet Streaming Protocol)
- Experimental non-IP real-time streaming protocol
- Never widely used
- RFC 1819

Challenges in Today's Internet

- IPv4 growth and adoption phenomenal
- Exhausting IP address space
- Internet routing table very big

Increasing Need for Security

- No uniformity
- Multitude of methods for hackers to attack networks

Increasing need for IP mobility

- Increasing number of wireless/mobile devices accessing Internet service
- Inadequate support for IP mobility in devices (moving seamlessly from one network to another)

Challenges in Today's Internet

- Increased traffic flow
- New applications have specific delivery requirements
- QoS issues
  - Multiple methods available
  - Non-uniformity across network boundaries

Why Is IPv6 Here?

IPv6 provides a platform for the new Internet functionality that will be needed in the immediate future, and it provides flexibility for further growth and expansion.

IPv4 and IPv6

Currently, there are approximately 1.3 billion usable IPv4 addresses available.

Why Do We Need a Larger Address Space?


- Internet population
  - Approximately 973 million users in November 2005
  - Emerging population and geopolitical address space
- Mobile users
  - PDA, pen tablet, notepad, and so on
  - Approximately 20 million in 2004
- Mobile phones
  - Already 1 billion mobile phones delivered by the industry
- Transportation
  - 1 billion automobiles forecast for 2008
  - Internet access in planes, for example, Lufthansa
- Consumer devices
  - Sony mandated that all its products be IPv6-enabled by 2005
  - Billions of home and industrial appliances

What IP is Touching

IPv6 Advanced Features


Larger address space:
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug-and-play
- End-to-end without NAT
- Renumbering

Simpler header:
- Routing efficiency
- Performance and forwarding rate scalability
- No broadcasts
- No checksums
- Extension headers
- Flow labels

Mobility and security:
- Mobile IP RFC-compliant
- IPsec mandatory (or native) for IPv6

Transition richness:
- Dual stack
- 6to4 and manual tunnels
- Translation

IPv6 Terminology

IPv6 Address Representation


Format:
- x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field
- Case-insensitive for hexadecimal A, B, C, D, E, and F
- Leading zeros in a field are optional
- Successive fields of zeros can be represented as :: only once per address

Examples:
- 2031:0000:130F:0000:0000:09C0:876A:130B
  - Can be represented as 2031:0:130f::9c0:876a:130b
  - Cannot be represented as 2031::130f::9c0:876a:130b
- FF01:0:0:0:0:0:0:1 can be represented as FF01::1
- 0:0:0:0:0:0:0:1 can be represented as ::1
- 0:0:0:0:0:0:0:0 can be represented as ::

IPv6 Address Types


Unicast:
- Address is for a single interface
- IPv6 has several types (for example, global, reserved, link-local, and site-local)

Multicast:
- One-to-many
- Enables more efficient use of the network
- Uses a larger address range

Anycast:
- One-to-nearest (allocated from unicast address space)
- Multiple devices share the same address
- All anycast nodes should provide uniform service
- Source devices send packets to the anycast address
- Routers decide on the closest device to reach that destination
- Suitable for load balancing and content delivery services

IPv6 Unicast Addressing


Types of IPv6 unicast addresses:
- Global: Starts with 2000::/3 and assigned by IANA
- Reserved: Used by the IETF
- Private: Link local (starts with FE80::/10)
- Loopback (::1)
- Unspecified (::)

A single interface may be assigned multiple IPv6 addresses of any type: unicast, anycast, or multicast.

IPv6 addressing rules are covered by multiple RFCs. The architecture is defined by RFC 4291.

IPv6 Global Unicast (and Anycast) Addresses

IPv6 has the same address format for global unicast and for anycast addresses.
Uses a global routing prefix, a structure that enables aggregation upward, eventually to the ISP.

A single interface may be assigned multiple addresses of any type (unicast, anycast, multicast).
Every IPv6-enabled interface contains at least one loopback (::1/128) and one link-local address. Optionally, every interface can have multiple unique local and global addresses.

Link-Local Addresses

Link-local addresses have a scope limited to the link and are dynamically created on all IPv6 interfaces by using a specific link-local prefix FE80::/10 and a 64-bit interface identifier. Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. Link-local addresses are also used by many routing protocols. Link-local addresses can serve as a way to connect devices on the same local network without needing global addresses. When communicating with a link-local address, you must specify the outgoing interface because every interface is connected to FE80::/10.

Larger Address Space Enables Address Aggregation

Address aggregation provides the following benefits:


- Aggregation of prefixes announced in the global routing table
- Efficient and scalable routing
- Improved bandwidth and functionality for user traffic

Assigning IPv6 Global Unicast Addresses

Static assignment
- Manual interface ID assignment
- EUI-64 interface ID assignment

Dynamic assignment
- Stateless autoconfiguration
- DHCPv6 (stateful)

IPv6 EUI-64 Interface Identifier

Cisco can use the EUI-64 format for interface identifiers. This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits. To make sure that the chosen address is from a unique Ethernet MAC address, the U/L bit is set to 1 for global scope (0 for local scope).
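An added example, not from the course slides, that applies the rules from the IPv6 Address Representation slide and the EUI-64 construction described above: it expands and compresses the slide's sample addresses, rejects a second "::", and derives a link-local address from a constructed MAC address (00:1B:21:AA:BB:CC is made up for the example).

```python
# Added example, not from the course slides: the text rules from the "IPv6 Address
# Representation" slide plus the EUI-64 interface-ID construction.
import re

def expand_ipv6(text: str) -> list:
    """Parse an IPv6 string into eight 16-bit fields; '::' may appear only once."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: " + text)
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field: " + text)
        parts = left + ["0"] * missing + right
    else:
        parts = text.split(":")
    if len(parts) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", p) for p in parts):
        raise ValueError("not a valid IPv6 address: " + text)
    return [int(p, 16) for p in parts]          # hex digits are case-insensitive

def compress_ipv6(fields: list) -> str:
    """Shortest form: drop leading zeros; collapse the longest run (two or more,
    leftmost on a tie) of zero fields into a single '::'."""
    best_start, best_len, run_start = -1, 0, -1
    for i, f in enumerate(fields + [-1]):        # -1 is a sentinel that ends a final run
        if f == 0:
            run_start = i if run_start < 0 else run_start
        elif run_start >= 0:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = -1
    hexs = ["%x" % f for f in fields]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert FFFE into the middle of the MAC and invert the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: " + mac)
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def link_local_from_mac(mac: str) -> str:
    """Link-local address: the FE80::/64 prefix followed by the EUI-64 interface ID."""
    iid = eui64_interface_id(mac)
    return compress_ipv6([0xFE80, 0, 0, 0] + [(iid >> s) & 0xFFFF for s in (48, 32, 16, 0)])
```

The U/L bit of a universally administered (burned-in) MAC is 0, so inverting it yields the 1 the slide describes for global scope.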

Stateless Autoconfiguration

DHCPv6 (Stateful)
DHCPv6 is an updated version of DHCP for IPv4:
- Supports new addressing
- Enables more control than stateless autoconfiguration
- Can be used for renumbering
- Can be used for automatic domain name registration of hosts using dynamic DNS

DHCPv6 Operation
DHCPv6 operates in a way that is similar to DHCPv4, except:
- The client first detects the presence of routers on the link.
- If a router is found, the router advertisement is examined to determine whether DHCP can be used.
- If no router is found, or if the router says DHCP can be used, then:
  - A DHCP solicit message is sent to the all-DHCP-agents multicast address.
  - The client uses the link-local address as the source address.

IPv6 Routing Protocols

IPv6 routing types:
- Static
- RIPng (RFC 2080)
- OSPFv3 (RFC 2740)
- IS-IS for IPv6
- MP-BGP4 (RFC 2545/2858)
- EIGRP for IPv6

The ipv6 unicast-routing command is required to enable IPv6 before any routing protocol is configured.

RIPng (RFC 2080)


Similar IPv4 features:
- Distance vector, radius of 15 hops, split horizon, and poison reverse
- Based on RIPv2

Updated features for IPv6:
- IPv6 prefix, next-hop IPv6 address
- Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates
- Uses IPv6 for transport
- Named RIPng

IPv4-to-IPv6 Transition

Transition richness means:


- No fixed day to convert; no need to convert all at once
- Different transition mechanisms are available:
  - Dual stack
  - Manual tunnel
  - 6to4 tunnel
  - ISATAP tunnel
  - Teredo tunnel
- Different compatibility mechanisms:
  - Proxying and translation (NAT-PT)

Cisco IOS Dual Stack

Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network.

Cisco IOS Dual Stack (Cont.)

When both IPv4 and IPv6 are configured on an interface, the interface is considered dual-stacked.

IPv6 Tunneling

Tunneling is an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. When the encapsulating protocol is IPv4, the tunnel:
- Includes a 20-byte IPv4 header with no options, followed by the IPv6 header and payload
- Requires dual-stack routers

Manually Configured IPv6 Tunnel

Configured tunnels require:
- Dual-stack endpoints
- IPv4 and IPv6 addresses configured at each end

Enabling IPv6 on Cisco Routers


RouterX(config)#

ipv6 unicast-routing

Enables IPv6 traffic forwarding

RouterX(config-if)#

ipv6 address ipv6prefix/prefix-length eui-64

Configures the interface IPv6 addresses

IPv6 Address Configuration Example

Making IPv6 Real

Summary
IPv6 offers many additional benefits over IPv4, including a larger address space, easier address aggregation, and integrated security. The IPv6 address is 128 bits long and is made up of a 48-bit global prefix, a 16-bit subnet ID, and a 64-bit interface identifier.

There are several ways to assign IPv6 addresses: statically, stateless autoconfiguration, and DHCPv6.
Cisco supports all of the major IPv6 routing protocols: RIPng, OSPFv3, and EIGRP. Transitioning from IPv4 to IPv6 requires dual stacks, tunneling, and possibly NAT-PT. Use the ipv6 unicast-routing command to enable IPv6 and the ipv6 address ipv6-address/prefix-length command to assign interface addresses and enable an IPv6 routing protocol.
