Introduction to configuring Cisco routers


1 Introduction to configuring Cisco routers

2 Varga Zsolt
E-mail: zsolt.varga@synergon.hu

3 Syllabus I.
- The seven-layer OSI model
- The application and upper layers
- The physical and data link layers
- The network layer and path determination
- The router user interface
- Routing basics
- The initial configuration of the router

4 Syllabus II.
- Configuration methods and modes
- Ways of loading the Cisco IOS software
- TCP/IP overview
- Configuring IP addresses
- Configuring IP routing
- Configuring Novell IPX
- Configuring AppleTalk

5 Syllabus III.
- Using filter lists (access lists)
- Serial line basics
- Using ISDN BRI
- X.25 basics
- Frame Relay basics
- The Autoinstall option
- Other protocols

6 The Internetworking model
The Layered Model

7 Why a Layered Network Model?
Slide graphic: the seven OSI layers (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) beside the benefits of layering: reduces complexity, standardizes interfaces, facilitates modular engineering, ensures interoperable technology, accelerates evolution, simplifies teaching and learning.
Most communication environments separate the communication functions and application processing. This separation of networking functions is called layering. For the OSI model, seven numbered layers indicate distinct functions. Within the Transmission Control Protocol/Internet Protocol (TCP/IP), for example, distinct functions fit into five named layers. Regardless of the number of layers, the reasons for this division of network functions include the following:
- Divide the interrelated aspects of network operation into less complex elements.
- Define standard interfaces for plug-and-play compatibility and multivendor integration.
- Enable engineers to specialize design and development efforts on modular functions.
- Promote symmetry in the different internetwork modular functions so they interoperate.
- Prevent changes in one area from impacting other areas, so each area can evolve more quickly.
- Divide the complexity of internetworking into discrete, more easily learned operation subsets.
Note: A layered model does not define or constrain an implementation; it provides a framework. Implementations, therefore, do not conform to the OSI reference model, but they do conform to the standards developed from the OSI reference model principles.

8 Layer Functions
Slide graphic: each OSI layer with its function: 7 Application (network processes to applications), 6 Presentation (data representation), 5 Session (interhost communication), 4 Transport (end-to-end connections), 3 Network (addresses and best path), 2 Data Link (access to media), 1 Physical (binary transmission).
Each layer of the ISO model serves a specific function. Those functions are defined by the OSI reference model and can be used by any network products vendor. The functions are:
- Application: The application layer provides network services to user applications. For example, a word processing application is serviced by file transfer services at this layer.
- Presentation: This layer provides data representation and code formatting. It ensures that the data that arrives from the network can be used by the application, and it ensures that information sent by the application can be transmitted on the network.
- Session: This layer establishes, maintains, and manages sessions between applications.
- Transport: This layer segments and reassembles data into a data stream.
- Network: This layer determines the best way to move data from one place to another. It manages device addressing and tracks the location of devices on the network. The router operates at this layer.
- Data Link: This layer provides physical transmission across the medium. It handles error notification, network topology, and flow control.
- Physical: This layer provides the electrical, mechanical, procedural, and functional means for activating and maintaining the physical link between systems.

9 Peer-to-Peer Communication
Slide graphic: Host A and Host B, each with the seven layers; peer layers exchange segments (transport), packets (network), frames (data link) and bits (physical).
Each layer uses its own layer protocol to communicate with its peer layer in the other system. Each layer's protocol exchanges information, called protocol data units (PDUs), between peer layers. A given layer can use a more specific name for its PDU. For example, in TCP/IP the transport layer of TCP communicates with the peer TCP function using segments.
This peer-layer protocol communication is achieved by using the services of the layers below it. The layer below any current layer provides its services to the current layer. Each lower-layer service takes upper-layer information as part of the lower-layer PDUs it exchanges with its layer peer. Thus, the TCP segments become part of the network layer packets (also called datagrams) exchanged between IP peers. In turn, the IP packets must become part of the data link frames exchanged between directly connected devices. Ultimately, these frames must become bits as the data is finally transmitted by the physical-layer protocol using hardware.

10 Data Encapsulation
Slide graphic: two seven-layer stacks; the upper-layer DATA is wrapped in a Network Header, and the result is wrapped in a Frame Header and Frame Trailer.
Each layer depends on the service function of the ISO/OSI layer below it. To provide this service, the lower layer uses encapsulation to put the PDU from the upper layer into its data field; then it can add whatever headers and trailers the layer will use to perform its function.
For example, the network layer provides a service to the transport layer, and the transport layer presents "data" to the internetwork subsystem. The network layer has the task of moving that data through the internetwork. It accomplishes this task by encapsulating the data within a header. This header contains information required to complete the transfer, such as source and destination logical addresses.
The data link layer in turn provides a service to the network layer. It encapsulates the network layer information in a frame. The frame header contains information required to complete the data link functions. For example, the frame header contains physical addresses.
The physical layer also provides a service to the data link layer. This service includes encoding the data link frame into a pattern of ones and zeros for transmission on the medium (usually a wire).

11 Data Encapsulation Example
Slide graphic: a message becomes Data; the Segment is Segment Header + DATA; the Packet is Network Header + Segment Header + DATA; the Frame is Frame Header + Network Header + Segment Header + DATA + Frame Trailer; finally the frame becomes Bits (medium dependent).
As internetworks perform services for users, the flow and packaging of the information changes. In this example of internetworking, five conversion steps occur:
- Step 1: As a user sends a message, its alphanumeric characters are converted to use the internetwork. This is the data.
- Step 2: One change packages the message "data" for the internetwork transport subsystem. By using segments, the transport function ensures that the message hosts at both ends of the system can reliably communicate.
- Step 3: The next change prepares the data so it can use the internetwork by putting the data into a packet or datagram that contains a network header with source and destination logical addresses. These addresses help network devices send the packets across the network along a chosen path.
- Step 4: Each network device must put the packet into a frame so it can communicate over its interface to the network. The frame allows connection to the next directly connected network device on the link. Each device in the chosen network path requires framing to connect to the next device.
- Step 5: The frame must be converted into a pattern of 1s and 0s for transmission on the medium (usually a wire). Some clocking function enables the devices to distinguish these bits as they traverse the medium.
The medium on the physical internetwork can vary along the path used. For example, the message can originate on a LAN, cross a campus backbone, go out a low-speed WAN link, and use a higher-speed WAN link until it reaches its destination on another remote LAN.
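The encapsulation and de-encapsulation described on slides 10 and 11, carried through with real header layouts, as an added example that is not part of the original slides: the data is wrapped in a TCP segment header, an IPv4 packet header (with its checksum) and an Ethernet II frame header plus CRC-32 trailer, and then unwrapped layer by layer with each layer's integrity check. The addresses, ports and payload are constructed sample values; the TCP checksum is left at zero to keep the example short, which is an assumption, not how a real stack behaves.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071), as used by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    # Accepts both 00:00:0c:12:34:56 and the Cisco-style 0000.0c12.3456 notation.
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_segment(data: bytes, sport: int, dport: int, seq: int, ack: int, window: int) -> bytes:
    # Layer 4: a 20-byte TCP header in front of the application data. The TCP checksum
    # field stays zero here (assumption made for brevity; a real stack fills it in).
    offset_flags = (5 << 12) | 0x018  # data offset = 5 words, flags PSH+ACK
    header = struct.pack(">HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    return header + data


def build_packet(segment: bytes, src_ip: str, dst_ip: str, ttl: int = 64) -> bytes:
    # Layer 3: a 20-byte IPv4 header carrying the logical source and destination addresses.
    total_length = 20 + len(segment)
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, ttl,
                         IP_PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = ip_checksum(header)                      # computed with the field at zero
    header = header[:10] + struct.pack(">H", checksum) + header[12:]
    return header + segment


def build_frame(packet: bytes, dst_mac: str, src_mac: str) -> bytes:
    # Layer 2: Ethernet II header (physical addresses) plus the CRC-32 frame check sequence trailer.
    header = struct.pack(">6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    body = header + packet
    return body + struct.pack("<I", zlib.crc32(body))


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=1, ack=1, window=3):
    """Steps 2 to 4 of the slide: data -> segment -> packet -> frame."""
    segment = build_segment(data, sport, dport, seq, ack, window)
    packet = build_packet(segment, src_ip, dst_ip)
    return build_frame(packet, dst_mac, src_mac)


def decapsulate(frame: bytes) -> dict:
    """Peel the frame, packet and segment headers off again, checking each layer's integrity."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch: frame was damaged on the medium")
    dst_mac, src_mac, ethertype = struct.unpack(">6s6sH", body[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:              # a valid header sums to zero, checksum included
        raise ValueError("IPv4 header checksum mismatch")
    total_length = struct.unpack(">H", packet[2:4])[0]
    if packet[9] != IP_PROTO_TCP:
        raise ValueError("unexpected transport protocol")
    segment = packet[ihl:total_length]
    sport, dport, seq, ack, offset_flags, window, _, _ = struct.unpack(">HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, packet[12:16])), "dst_ip": ".".join(map(str, packet[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "data": segment[data_offset:],
    }
```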

12 Remaining Chapter Sequence
Slide graphic: the seven layers grouped by chapter: layers 7 to 5 as Network Applications, layer 4 as End-to-end services, layer 3 as Routing, layers 2 and 1 as Data Transmission.
Now you have reviewed the evolution leading to the modern networks. You have seen the use of a model and have been introduced to the operations and functions at each layer. The remaining three chapters of this "Introduction to Internetworking" (I2I) module will proceed as follows:
- "Applications and Upper Layers": Network application layers and how they provide application, data presentation, and session functions; also the upper layer that provides end-to-end services between hosts using transport layer services.
- "Physical and Data Link Layers": Data transmission services provided by lower-layer functions with specific variations for LAN and WAN framing and media.
- "Network Layer and Path Determination": Routing using Layer 3 services of the network layer and other processes; Layer 3 is the primary domain of the router.

13 Summary
- The OSI reference model organizes network functions into seven categories called layers.
- Data flows from upper-level user applications to lower-level bits transmitted over network media.
- Peer-to-peer functions use encapsulation and de-encapsulation at layer interfaces.
- Most network-manager tasks configure the lower three layers.

14 Application and Upper Layers

15 Objectives
Upon completion of this chapter, you will be able to:
- Name and describe computer, network, and internetwork applications
- Describe the OSI presentation functions and identify common standards
- Describe the OSI session functions and identify common standards
- Describe the OSI transport functions for end-to-end network services
- Identify common processes for establishing connections, flow control, and windowing
This chapter discusses the upper four layers of the OSI reference model: application, presentation, session, and transport. It briefly explains the function of the application, presentation, and session layers. The transport layer is covered in more detail, explaining how data is transmitted between the sender and the receiver.
Sections: Application, Presentation, and Session Layers; Transport Layer; Answers to Exercises

16 Application, Presentation and Session Layers

17 Application Layer
Slide graphic: two columns. Computer applications: word processing, presentation graphics, spreadsheet, database, design/manufacturing, project planning, others. Network applications: electronic mail, file transfer, remote access, client/server process, information location, network management, others. Caption: Selects network application to support user's application.
In the context of the OSI reference model, the application layer supports the communicating component of an application. Computer applications can require only desktop resources. However, an application might incorporate a communicating component from one or more network applications. Several types of network applications are listed in the right column, Network Applications.
An application must have a communicating component to be relevant to a discussion of internetworking. For example, a word processor might incorporate a file transfer component that allows a document to be transferred electronically over telecommunication facilities. This file transfer component qualifies the word processor as an application in the OSI context and belongs in Layer 7 of the OSI reference model.

18 Application Layer (cont.)
Slide graphic: two columns. Network applications: electronic mail, file transfer, remote access, client/server process, information location, network management, others. Internetwork applications: electronic data interchange, World Wide Web, gateways, special-interest bulletin boards, financial transaction services, Internet navigation utilities, conferencing (video, voice, data), others. Caption: Internetwork applications can extend beyond the enterprise.
Many of the network applications offer services for enterprise communication. However, a growing requirement for internetworking in the 1990s and later extends beyond the enterprise. Information exchanges and commerce between organizations increasingly involve internetworking applications such as those listed in the right column of the graphic.
- Electronic data interchange (EDI) offers specialized standards and processes to improve the flow of orders, shipments, inventories, and accounting between businesses.
- The World Wide Web (WWW) links thousands of servers using a variety of formats including text, graphics, video, and sound. Browsers such as Mosaic and Netscape simplify access and viewing.
- The gateways might use the X.400 standard or Simple Mail Transfer Protocol (SMTP) to pass messages between different applications.
- Thousands of special-interest bulletin boards connect people who can chat with each other, post messages, and share public-domain software.
- Transaction services aimed at the financial community obtain and sell information including investment, market, commodity, currency, and credit data to subscribers.
- Special-purpose applications such as Gopher, Fetch, and Wide Area Information Server (WAIS) help navigate the way to resources on the Internet.
- People located in different regions use conferencing applications to communicate with live and prefilmed video, voice, data, and fax exchange.

19 Presentation Layer
Slide graphic: text and data formats (ASCII, EBCDIC, encrypted); graphics and visual image formats (PICT, TIFF, JPEG, GIF); sound (MIDI); video (MPEG, QuickTime). Caption: Provides code formatting and conversion for applications.
The presentation layer provides code formatting and conversion. Code formatting ensures that applications have meaningful information to process. If necessary, the presentation layer translates between multiple data representation formats. The presentation layer concerns itself not only with the format and representation of actual user data, but also with the data structures used by programs; therefore, the presentation layer negotiates data transfer syntax for the application layer. For example, the presentation layer is responsible for syntax conversion between systems that have differing text and data character representations, such as EBCDIC and ASCII.
Presentation-layer functions also include data encryption. Processes and codes convert data so that the data can be transmitted with its information content protected from unauthorized receivers. Other routines compress text or convert graphic images into bit streams for transmission across a network.
Other Layer 6 standards guide graphic and visual image presentation. PICT is a picture format used to transfer QuickDraw graphics between Macintosh or PowerPC programs. Tagged Image File Format (TIFF) is a standard graphics format for high-resolution, bit-mapped images. JPEG standards come from the Joint Photographic Experts Group. For sound and movies, presentation layer standards include Musical Instrument Digital Interface (MIDI) for digitized music; also, there is growing acceptance of the Moving Picture Experts Group's (MPEG) standard for compression and coding of motion video for CDs, digital storage, and bit rates up to 1.5 Mbps. QuickTime handles audio and video for Macintosh or PowerPC programs.

20 Session Layer
Slide graphic: a service request and a service reply exchanged between applications on different hosts; examples: Network File System (NFS), Structured Query Language (SQL), X Window System, AppleTalk Session Protocol (ASP), DNA Session Control Protocol (SCP). Caption: Coordinates applications as they interact on different hosts.
The session layer establishes, manages, and terminates sessions between applications. Essentially, the session layer coordinates service requests and responses that occur when applications communicate between different hosts. Following are examples of session-layer protocols and interfaces:
- Network File System (NFS): Distributed file system developed by Sun Microsystems to allow transparent access to remote network-based resources; used with TCP/IP and UNIX workstations.
- Structured Query Language (SQL): Database language developed by IBM to give users an easier way to specify their information needs on local and remote systems.
- Remote procedure call (RPC): General redirection mechanism for distributed service environments. RPC procedures are built on clients, then executed on servers.
- X Window System: Popular protocol that permits intelligent terminals to communicate with remote UNIX computers as if they were directly attached monitors.
- AppleTalk Session Protocol (ASP): Establishes and maintains sessions between an AppleTalk client and a server.
- Digital Network Architecture Session Control Protocol (DNA SCP): DECnet session-layer protocol.

21 Transport Layer

22 Transport Layer Overview
- Segments upper-layer applications
- Establishes an end-to-end connection
- Sends segments from one end host to another
- Optionally, ensures data reliability
Transport services allow users to segment and reassemble several upper-layer applications onto the same transport-layer data stream. This transport-layer data stream provides end-to-end transport services. It constitutes a logical connection between the endpoints of the internetwork: the originating or sender host and the destination or receiving host.
As the transport layer sends its segments, it can also ensure data integrity. One method provides flow control. Flow control avoids the problem of a host at one side of the connection overflowing the buffers in the host at the other side. Overflows can cause lost data.
Transport services also allow users to request reliable data transport between communicating end systems. Reliable transport uses a connection-oriented relationship between the communicating end systems to accomplish the following:
- Ensure that segments delivered will be acknowledged back to the sender
- Provide for retransmission of any segments that are not acknowledged
- Put segments back into their correct sequence at the destination
- Provide congestion avoidance and control
A more detailed discussion of reliable transport occurs later in this chapter.

23 Segment Upper-Layer Applications
Slide graphic: application data from Electronic Mail, File Transfer and Terminal Session, each tagged with a port, multiplexed into transport segments. Caption: Transport segments share traffic stream.
One reason for different layers in the OSI reference model is to allow multiple applications to share a transport connection. Transport functionality is accomplished segment by segment. Each segment is autonomous. Different applications can send successive segments on a first-come, first-served basis. These segments can be intended for the same destination host or many different destination hosts. For example, several applications from a source host can communicate with corresponding applications on the same destination host, or several applications on an originating host may communicate with corresponding applications on many different destination hosts.
Software in the source machine must set the necessary port number for each software application before transmission. When sending a message, the source computer includes extra bits that encode the message type, originating program, and protocols used. Then each software application that sends a data stream segment uses the same previously defined port number. When the destination computer receives the data stream, it can separate and rejoin each application's segments, allowing the transport layer to pass the data up to its destination peer application.

24 Establishes Connection
Slide graphic: SENDER and RECEIVER exchange Synchronize, Negotiate Connection, Synchronize and Acknowledge; then Connection Established and Data Transfer (Send Segments).
To use the reliable transport services, one user of the transport layer must establish a connection-oriented session with its peer system. For data transfer to begin, both the sending and receiving application programs inform their respective operating systems that a connection will be initiated. In concept, one machine places a call that must be accepted by the other. Protocol software modules in the two operating systems communicate by sending messages across the network to verify that the transfer is authorized and that both sides are ready.
After all synchronization has occurred, a connection is said to be established, and the transfer of information begins. During transfer, the two machines continue to communicate with their protocol software to verify that data is received correctly.
The graphic depicts a typical connection between sending and receiving systems. The first handshake segment requests synchronization. The second and third segments acknowledge the initial synchronization request, as well as synchronize connection parameters in the opposite direction. The final handshake segment is an acknowledgment used to inform the destination that both sides agree that a connection has been established. Once the connection has been established, data transfer begins.

25 Sends Segments with Flow Control
Slide graphic: SENDER transmits; at the RECEIVER the buffer is full, so it sends Not Ready (Stop); after it processes segments the buffer is OK, so it sends Ready (Go) and the sender resumes transmission.
Once data transfer is in progress, congestion can arise for two different reasons. First, a high-speed computer might be able to generate traffic faster than a network can transfer it. Second, if many computers simultaneously need to send datagrams through a single gateway or to a single destination, that gateway or destination can experience congestion, even though no single source caused the problem.
When datagrams arrive too quickly for a host or gateway to process, they are stored in memory temporarily. If the datagrams are part of a small burst, this buffering solves the problem. If the traffic continues, the host or gateway eventually exhausts its memory and must discard additional datagrams that arrive.
Instead of allowing data to be lost, the transport function can issue a "not ready" indicator to the sender. Acting like a stop sign, this indicator signals the sender to stop sending segment traffic to its peer. When the peer receiver can handle additional segments, the receiver sends a "ready" transport indicator, which is like a go signal. When it receives this indicator, the sender can resume segment transmission.

26 Reliability with Windowing
Slide graphic: with window size 1 the exchange is Send 1, Receive 1, Ack 2, Send 2, Receive 2, Ack 3; with window size 3 it is Send 1, Send 2, Send 3, Receive 1, Receive 2, Receive 3, Ack 4, Send 4.
In the most basic form of reliable connection-oriented data transfer, data segments must be delivered to the recipient in the same sequence that they were transmitted. The protocol in question fails if any data segments are lost, damaged, duplicated, or received in a different order. The basic solution is to have a recipient acknowledge the receipt of every data segment.
If the sender has to wait for an acknowledgment after sending each segment, throughput will be low. Because time is available after the sender finishes transmitting the data segment and before the sender finishes processing any received acknowledgment, the interval is used for transmitting more data. The number of data segments the sender is allowed to have outstanding, without yet receiving an acknowledgment, is known as the window.
Windowing is a method to control the amount of information transferred end-to-end. Some protocols measure information in terms of the number of packets; TCP/IP measures information in terms of the number of bytes.
In the graphic's examples, a window size of 1 is shown, followed by a window size of 3. With a window size of 1, the sender waits for an acknowledgment for every data segment transmitted. With a window size of 3, the sender can transmit three data segments before expecting an acknowledgment.
Windowing is an end-to-end facility between sender and receiver. In the graphic's example, sender and receiver are workstations. Unlike in this simplified graphic, there is a high probability that acknowledgments and packets will intermix as they communicate across the network through routers. In this example, routers do not intervene in the windowing function between these workstations.

27 An Acknowledgment Technique
Slide graphic: SENDER and RECEIVER, each with segments 1 to 6; the exchange is Send 1, Send 2, Send 3, Ack 4, Send 4, Send 5, Send 6, Ack 5, Send 5, Ack 7.
Reliable delivery guarantees that a stream of data sent from one machine will be delivered through a functioning data link to another machine without duplication or data loss. Positive acknowledgment with retransmission is one technique that guarantees reliable delivery of data streams. Positive acknowledgment requires a recipient to communicate with the source, sending back an acknowledgment message when it receives data. The sender keeps a record of each segment it sends and waits for an acknowledgment before sending the next segment. The sender also starts a timer when it sends a segment, and it retransmits a segment if the timer expires before an acknowledgment arrives.
The graphic shows the sender transmitting segments 1, 2, and 3. The receiver acknowledges receipt of the segments by requesting segment number 4. The sender, upon receiving the acknowledgment, sends segments 4, 5, and 6. If segment number 5 does not arrive at the destination, the receiver acknowledges with a request to resend segment number 5. The sender resends segment number 5 and must receive an acknowledgment to continue with the transmission of segment number 7.
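The windowing and positive-acknowledgment-with-retransmission exchange of slides 26 and 27, as an added simulation that is not part of the original slides: a sender with a configurable window, a receiver that acknowledges by naming the next segment it wants, and a constructed loss of segment 5 that the sender detects when the acknowledgment does not advance, then repairs by resending only that segment. The `run` function and its trace strings are this example's own; the loss model (one segment dropped once) is an assumption chosen to reproduce the slide.

```python
class Receiver:
    """Delivers segments in order; out-of-order arrivals are held until the gap is filled."""

    def __init__(self):
        self.expected = 1          # sequence number of the next segment wanted
        self.delivered = []
        self.held = set()

    def receive(self, seq: int) -> None:
        if seq < self.expected or seq in self.held:
            return                             # duplicate: already delivered or already held
        self.held.add(seq)
        while self.expected in self.held:      # deliver everything that is now contiguous
            self.held.remove(self.expected)
            self.delivered.append(self.expected)
            self.expected += 1

    def acknowledge(self) -> int:
        # The positive acknowledgment names the next segment the receiver wants, which
        # implicitly confirms every segment below it ("Ack 4" after receiving 1, 2, 3).
        return self.expected


def run(total: int = 8, window: int = 3, lose_once=frozenset({5}), max_rounds: int = 100):
    """Transfer `total` segments; return (delivered, trace, retransmitted)."""
    receiver = Receiver()
    trace, retransmitted, lost = [], [], set()
    pending = set(range(1, total + 1))   # segments not yet handed to the network
    base, highest_sent = 1, 0            # oldest unacknowledged segment; highest ever sent
    retransmit_only = False
    for _ in range(max_rounds):
        if base > total:
            return receiver.delivered, trace, retransmitted
        if retransmit_only:
            burst = [base]               # timer expired: resend only the missing segment
            retransmit_only = False
        else:                            # send up to `window` segments beyond the base
            burst = [s for s in range(base, min(base + window, total + 1)) if s in pending]
        for seq in burst:
            trace.append(f"Send {seq}")
            pending.discard(seq)
            highest_sent = max(highest_sent, seq)
            if seq in lose_once and seq not in lost:
                lost.add(seq)            # constructed loss: this copy never reaches the receiver
                continue
            receiver.receive(seq)
        ack = receiver.acknowledge()
        trace.append(f"Ack {ack}")
        if ack <= highest_sent:
            # The receiver asks again for a segment that was already sent: no acknowledgment
            # for it arrives before the sender's timer expires, so it is retransmitted.
            retransmit_only = True
            retransmitted.append(ack)
        base = ack
    raise RuntimeError("transfer did not complete")
```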

28 Transport to Network Layer
Slide graphic: end-to-end segments between sender and receiver carried across a network cloud as routed packets.
In this chapter, you have learned the upper-layer aspects of network functioning. As each of the upper levels performs its own functions, it depends on lower-layer services as needed. All four upper layers, application (Layer 7), presentation (Layer 6), session (Layer 5), and transport (Layer 4), can encapsulate data in end-to-end segments.
The transport layer assumes it can use the network as a given cloud as segments cross from sender source to receiver destination. If we open up the functions inside the cloud, we reveal issues such as "Which of several paths is best for a given route?" We see the role that routers perform in this process, and we see the segments of Layer 4 transport further encapsulated into packets. These issues constitute the focus of the final chapter in this module.

29 Summary
- The ISO/OSI reference model describes network applications.
- Presentation layer formats and converts network application data to represent text, graphics, images, video, and audio.
- Session-layer functions coordinate communication interactions between applications.
- Reliable transport-layer functions include multiplexing, connection synchronization, flow control, error recovery, and reliability through windowing.

30 Physical and Data Link Layers

31 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Identify and describe the data link sublayers and their functions
- Explain the use of MAC addresses
- Describe the topology and functionality of LANs
- Differentiate between LAN and WAN protocols
- Describe the characteristics of WAN-based protocols
This chapter discusses the physical and data link layers of the OSI reference model. It also discusses the operation of the three most commonly used LAN topologies: Ethernet, Token Ring, and FDDI. Following the LAN discussion, common WAN technologies are explained.
The previous chapter presented the top four layers of the OSI reference model. This chapter presents the bottom two layers. The remaining layer, the network layer, is discussed in the next chapter.
Sections: Physical and Data Link Layers; Common LAN Technologies; Common WAN Technologies

32 Physical and Data Link Layers

33 Physical and Data-link standards
Slide graphic: data link (frames) standards for WAN (X.25 link, ISDN, dial on demand, SDLC, HDLC, Frame Relay, PPP) and LAN (802.2 LLC, Ethernet, 802.3, 802.5, FDDI); physical (bits, signals, clocking) standards: EIA/TIA-232, EIA/TIA-449, EIA-530, V.24, V.35, G.703, HSSI. Caption: Separate physical and data link layers for LAN and WAN.
The data link layer provides data transport across a physical link. To do so, the data link layer handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control.
The physical layer specifies the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating the physical link between end systems. The physical layer specifies characteristics such as voltage levels, data rates, maximum transmission distances, and physical connectors. These requirements and characteristics are codified into standards. For example, EIA/TIA-232 standardizes a physical connection to voice-grade access.
You can best understand physical and data link layers by considering WAN and LAN protocols separately. As the graphic shows, certain layer standards are used with LAN links, and certain other layer standards are used by WAN links. For example, a dial-on-demand protocol places a WAN call based on protocol traffic defined as "interesting." However, the dial-on-demand protocol, opening a WAN call for WAN bandwidth, has no direct interface with the LAN physical or data-link operations where that traffic might have originated. Instead of LAN operations and framing, dial-on-demand routing (DDR) opens and controls a "pipe" of bandwidth on a WAN physical interface. For instance, DDR might place a call over the physical interface of V.35, which is recommended for high-speed WAN access.

34 LAN Data Link Sublayer
Slide graphic: between the Network and Physical layers, the Data Link layer is divided into the Logical Link Control (LLC, 802.2) sublayer and the Media Access Control (MAC) sublayer; a packet or datagram is carried inside a MAC frame. Captions: LLC refers upward to higher-layer software functions; MAC refers downward to lower-layer hardware functions.
LAN protocols occupy the bottom two layers of the OSI reference model: the physical layer and data link layer. The Institute of Electrical and Electronic Engineers (IEEE) 802 committee subdivided the data link layer into two sublayers: the logical link control (LLC) sublayer and the media access control (MAC) sublayer. The graphic illustrates the layers. We will cover each sublayer in sequence.
The LLC sublayer provides for environments that need connectionless or connection-oriented services at the data link layer. The MAC sublayer provides access to the LAN medium in an orderly manner.

35 LLC Sublayer Functions
Enable upper layer to gain independence over LAN media access Allow service access point (SAPs) from interface sublayers to upper-layer functions Provide optional connection, flow control, and sequencing service The LLC sublayer rests on top of the other 802 protocols to provide interface flexibility. Upper-layer protocols, for example IP at Layer 3, can operate autonomously without regard for the specific type of LAN media. This independence occurs because, unlike the MAC sublayer, LLC is not limited to a specific 802 MAC protocol. Instead, the LLC sublayer can depend on lower layers to provide access to the media. From the perspective of these lower MAC sublayers, the SAP process provides a convenient interface to the upper OSI layers. These SAP entries simplify access to the shared channel up to the specified upper-layer service identified by LLC SAP entities. LLC sublayer options include support for connections between applications running on the LAN, flow control to the upper layer by means of ready/not ready codes, and sequence control bits.

36 MAC Address
Slide graphic: a 48-bit MAC address made of a 24-bit vendor code (for example 0000.0c) and a 24-bit serial number; the address is burned into ROM and copied to RAM. Caption: MAC address is burned into ROM on a network interface card.
For multiple stations to share the same medium and still uniquely identify each other, the MAC sublayer defines a hardware or data-link address called the MAC address. The MAC address is unique for each LAN interface. On most LAN-interface cards, the MAC address is burned into ROM, hence the term burned-in address (BIA). When the network interface card initializes, this address is copied into RAM.
The MAC address is a 48-bit address expressed as 12 hexadecimal digits. The first 6 hexadecimal digits of a MAC address contain a manufacturer identification (vendor code) also known as the Organizational Unique Identifier (OUI). To ensure vendor uniqueness, the IEEE administers OUIs. The last 6 hexadecimal digits are administered by each vendor and often represent the interface serial number.

37 Finding the MAC address
Figure. Example 1 (TCP/IP destination local): host Y broadcasts an ARP request, "Host Z MAC?"; host Z answers with an ARP reply, and host Y's cache then holds host Z's MAC. Example 2 (TCP/IP destination not local): host Y broadcasts the same ARP request; the router answers with an ARP reply, and host Y's cache then holds the router's MAC for host Z.

Before a frame is exchanged with a directly connected device, the sending device needs to have a MAC address it can use as a destination address. One way to discover a device's MAC address is to use an address resolution protocol. The graphic illustrates two ways in which a TCP/IP example, ARP, is used to discover a MAC address. In the first example, host Y and host Z are on the same LAN. Host Y broadcasts an ARP request to the LAN looking for host Z. Because host Y has sent out a broadcast, all devices including host Z will process the request; however, only host Z will respond with its MAC address. Host Y receives host Z's reply and saves the MAC address in local memory, often called an ARP cache. The next time host Y needs to directly communicate with host Z, it recalls host Z's stored MAC address. In the second example, host Y and host Z are on different LANs, but can access each other through router A. When host Y broadcasts its ARP request, router A determines that host Z cannot recognize the request because router A knows that host Z is on a different LAN. Because router A further determines that any packets for host Z must be relayed, router A provides its own MAC address as a proxy reply to the ARP request. Host Y receives the router's response and saves the MAC address in its ARP cache memory. The next time host Y needs to communicate with host Z, it recalls the stored MAC address of router A.
An example: TCP/IP Address Resolution Protocol (ARP)
ARP finds the MAC address for a data-link connection
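The two exchanges above, worked through as a small simulation (added example, not part of the course material): one broadcast domain, a host that caches what it learns, and a router that sends a proxy reply for networks it knows are behind it. Host names, addresses and the 10.x networks are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac learned from replies


@dataclass
class Router:
    name: str
    mac: str
    remote_networks: list    # networks reachable only through this router


class Lan:
    """One broadcast domain: every attached device sees every ARP request."""

    def __init__(self, router=None):
        self.hosts = []
        self.router = router

    def arp_request(self, sender, target_ip):
        """Return the (device, mac) replies the broadcast produces; normally at most one."""
        replies = []
        for h in self.hosts:
            if h is not sender and h.ip == target_ip:
                replies.append((h.name, h.mac))      # example 1: the target itself answers
        if self.router is not None:
            target = ipaddress.ip_address(target_ip)
            if any(target in net for net in self.router.remote_networks):
                # example 2: proxy ARP, the router answers with its own MAC because it
                # knows the target is on another LAN and must be relayed through it
                replies.append((self.router.name, self.router.mac))
        return replies


def resolve(lan, sender, target_ip, trace):
    """Look up a MAC address the way the slide describes: cache first, then broadcast."""
    if target_ip in sender.arp_cache:
        trace.append(f"{sender.name}: ARP cache hit for {target_ip}")
        return sender.arp_cache[target_ip]
    trace.append(f"{sender.name}: broadcast ARP request for {target_ip}")
    replies = lan.arp_request(sender, target_ip)
    if not replies:
        trace.append(f"{sender.name}: no ARP reply for {target_ip}")
        return None
    who, mac = replies[0]
    trace.append(f"{who}: ARP reply, {target_ip} is at {mac}")
    sender.arp_cache[target_ip] = mac
    return mac


def run_examples():
    """Constructed topology: host Y and host Z on 10.1.0.0/16, a second host Z behind router A."""
    router_a = Router("router A", "0000.0c00.aaaa", [ipaddress.ip_network("10.2.0.0/16")])
    lan = Lan(router_a)
    host_y = Host("host Y", "10.1.0.10", "0000.0c00.0001")
    host_z = Host("host Z", "10.1.0.20", "0000.0c00.0002")
    lan.hosts += [host_y, host_z]
    trace = []
    local = resolve(lan, host_y, "10.1.0.20", trace)    # example 1: host Z replies
    cached = resolve(lan, host_y, "10.1.0.20", trace)   # second time: served from the cache
    remote = resolve(lan, host_y, "10.2.0.20", trace)   # example 2: router A replies for host Z
    unknown = resolve(lan, host_y, "10.9.0.1", trace)   # nobody answers
    return {"local": local, "cached": cached, "remote": remote, "unknown": unknown,
            "cache": dict(host_y.arp_cache), "trace": trace}


if __name__ == "__main__":
    for line in run_examples()["trace"]:
        print(line)
```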

38 Common LAN Technologies

39 LAN Technology Overview
Ethernet
Token Ring
FDDI

You will now learn specific information about the common LAN technologies. The three LAN technologies shown in the graphic account for virtually all deployed LANs:
Ethernet-The first of the major LAN technologies, it runs the largest number of LANs.
Token Ring-From IBM, it followed Ethernet and is now widely used in a large number of IBM networks.
FDDI-Also using tokens, it is now a popular campus LAN.
Pages that follow introduce each technology and describe the physical and data-link details of each.

40 Ethernet and IEEE 802.3

Xerox performed initial development of Ethernet and was joined by the Digital Equipment Corporation (Digital) and Intel to define the Ethernet 1 specification; the same group subsequently released the Ethernet II specification. The Ethernet specification describes a carrier sense multiple access collision detect (CSMA/CD) LAN. The IEEE 802.3 subcommittee adopted Ethernet as its model for its CSMA/CD LAN specification. As a result, Ethernet II and IEEE 802.3 are identical in the way they use the physical medium. However, the two specifications differ in their descriptions of the data link layer. These differences do not prohibit manufacturers from developing network interface cards that support the common physical layer, MAC addressing, and software that recognizes the differences between the two logical link control layers.
Several framing variations exist for this common LAN technology

41 Physical Layer: Ethernet/802.3
Figure: a hub with a PC, two Sun workstations and a Macintosh attached; the three wiring standards are 10Base2 (thin Ethernet), 10Base5 (thick Ethernet) and 10BaseT (twisted pair).

The Ethernet and IEEE 802.3 standards define a bus-topology LAN that operates at a baseband signaling rate of 10 Mbps. (An earlier version of Ethernet that operated at 3 Mbps is now obsolete. Newer versions operating at higher speeds are under development.) The graphic illustrates the three defined wiring standards:
10Base2-Known as thin Ethernet, it allows network segments up to 185 meters on coaxial cable.
10Base5-Known as thick Ethernet, it allows network segments up to 500 meters on coaxial cable.
10BaseT-Carries Ethernet frames on inexpensive twisted-pair wiring.
The 10Base5 and 10Base2 standards provide access for several stations on the same segment. Stations are attached to the segment by a cable that runs from an attachment unit interface (AUI) in the station to a transceiver that is directly attached to the Ethernet coaxial cable. In some interfaces, the AUI and the transceiver are collocated in the station itself, in which case no cable is required. Because the 10BaseT standard provides access for a single station only, stations attached to an Ethernet LAN by 10BaseT are almost always connected to a hub. In a hub arrangement, the hub is analogous to an Ethernet segment.

42 The Ethernet/802.3 Interface
Figure: a Macintosh, a PC and a router on one Ethernet LAN, each labelled with its MAC address; the router interface is E0.
Cisco router's data link to Ethernet/802.3 uses an interface named E plus a number (for example, E0)

The Ethernet and 802.3 data links provide data transport across the physical link joining two devices. For example, as this graphic shows, the three devices can be directly attached to each other over the Ethernet LAN. The Apple Macintosh on the left and the Intel-based PC in the middle show MAC addresses used by the data-link framing. The router on the right also uses MAC addresses for each of its LAN side interfaces. For indicating the interface on the router, you will use the Cisco IOS interface type abbreviation E followed by an interface number (for example, 0, as shown in the graphic).

43 Ethernet/802.3 Operation

Figure: stations A, B, C and D on one segment, each drawn with a full seven-layer stack (Application, Presentation, Session, Transport, Network, Data Link, Physical); a frame sent by A is received and examined by B, C and D.

In a CSMA/CD network, one node's transmission traverses the entire network and is received and examined by every node. When the signal reaches the end of a segment, terminators absorb it to prevent it from going back onto the segment.

44 Ethernet/802.3 Broadcast

Figure: four stations, each drawn with a full seven-layer stack (Application, Presentation, Session, Transport, Network, Data Link, Physical), on one segment.

Broadcasting is a powerful tool that sends a single frame to many stations at the same time. Broadcasting uses a data-link destination address of all ones (FFFF.FFFF.FFFF in hexadecimal). As the graphic shows, if station A transmits a frame with a destination address of all ones, stations B, C, and D will all receive and pass the frame to their respective upper layers for further processing. When improperly used, however, broadcasting can seriously impact the performance of stations by interrupting them unnecessarily. For this reason, broadcasts should be used only when the MAC address of the destination is unknown or when the destination is all stations. A multicast address is a MAC address used to identify a group of destinations and is indicated by the first transmitted bit of the destination address being set to 1. For Ethernet, this bit is the low-order bit of the first octet of the address (so the first octet of a multicast address is odd, for example 01xx.xxxx.xxxx).

45 Ethernet Frame Variations

Ethernet frame:  Preamble | DA | SA | Type   | Data                  | FCS (4)
802.3 frame:     Preamble | DA | SA | Length | 802.2 Header and Data | FCS (4)

Both Ethernet and IEEE 802.3 frames begin with an alternating pattern of ones and zeros called a preamble. The preamble tells receiving stations that a frame is coming. Immediately following the preamble in both Ethernet and IEEE 802.3 LANs are the destination and source physical address fields. Both Ethernet and IEEE 802.3 addresses are six bytes long. Addresses are contained in hardware on the Ethernet and IEEE 802.3 interface cards. The first three bytes are specified by the Ethernet or IEEE 802.3 vendor. The source address is always a unicast (single node) address, while the destination address may be unicast, multicast (group), or broadcast (all nodes). In Ethernet frames, the two-byte field following the source address is a type field. This field specifies the upper-layer protocol to receive the data after Ethernet processing is complete. In IEEE 802.3 frames, the two-byte field following the source address is a length field, which indicates the number of bytes of data that follow this field and precede the frame check sequence (FCS) field. The actual data contained in the frame follows the type/length field. After physical layer and link-layer processing is complete, this data will eventually be sent to an upper-layer protocol. Following the data field is a four-byte FCS field containing a cyclic redundancy check (CRC) value. The CRC is created by the sending device and recalculated by the receiving device to check for damage that might have occurred to the frame in transit. In 802.3 frames, the length field is usually followed by an 802.2 LLC header.

46 Ethernet/802.3 Reliability

Figure: top, frames from two of the stations A, B, C and D collide on the segment; bottom, the transmitting stations send JAM signals.

CSMA/CD works in the following way: When a station wishes to transmit, it checks the network to determine whether another station is currently transmitting. If the network is not being used, the station proceeds with the transmission. While sending, the station monitors the network to ensure that no other station is transmitting. Two stations might start transmitting at approximately the same time if they determine that the network is available. If two stations send at the same time, a collision occurs, as illustrated in the upper part of the graphic. When a transmitting node recognizes a collision, it transmits a jam signal that causes the collision to last long enough for all other nodes to recognize it. All transmitting nodes then stop sending frames for a randomly selected time period before attempting to retransmit. If subsequent attempts also result in collisions, the node tries to retransmit up to 15 times before giving up. The clocks indicate different backoff timers. If the two timers are sufficiently different, one station will succeed the next time. The mean backoff time doubles with each consecutive collision, thereby reducing the chance of collision by the inverse power of 2.
Carrier sense multiple access collision detect (CSMA/CD)

47 High-Speed Ethernet Options

100BaseFX, 100BaseTX
100BaseVG AnyLAN
1000BaseSX, 1000BaseLX
1000BaseCX

New applications can cause end users to experience delay and other problems such as insufficient bandwidth between end stations. In response to these problems, Ethernet networks are poised to move forward again, with the availability of new, 100-Mbps technologies, such as these:
100BaseFX-A 100-Mbps implementation of Ethernet over fiber-optic cable. The MAC layer is compatible with the 802.3 MAC layer.
100BaseT4-A 100-Mbps implementation of Ethernet using four-pair Category 3, 4, or 5 cabling. The MAC layer is compatible with the 802.3 MAC layer.
100BaseTX-A 100-Mbps implementation of Ethernet over Category 5 and Type 1 cabling. The MAC layer is compatible with the 802.3 MAC layer.
100BaseVG AnyLAN-The IEEE 802.12 specification for 100-Mbps implementation of Ethernet and Token Ring over four-pair UTP. The MAC layer is not compatible with the 802.3 MAC layer.
These high-speed options do not use CSMA/CD like lower-speed Ethernet. Instead, they use 4B/5B signalling.

48 Token Ring and IEEE 802.5

Token Ring was developed by IBM in the 1970s. It is still IBM's primary LAN technology and is second only to Ethernet/IEEE 802.3 in popularity. The IEEE 802.5 specification is almost identical to, and completely compatible with, IBM's Token Ring. Both Token Ring specifications are now administered by the IEEE 802.5 committee. The term Token Ring is generally used to refer to both IBM's Token Ring network and IEEE 802.5 networks.
IBM's Token Ring is equivalent to IEEE 802.5

49 Physical Layer: Token Ring/802.5

Figure: logical topology, a ring; stations attached to a MAU by shielded or unshielded twisted pair.

The logical topology of an 802.5 network is a ring in which each station receives signals from its nearest active upstream neighbor (NAUN) and repeats those signals to its downstream neighbor. Physically, however, 802.5 networks are laid out as stars, with each station connecting to a central hub called a multistation access unit (MSAU). This configuration is illustrated in the graphic. The stations connect to the central hub through shielded or unshielded twisted-pair wire. Typically, an MSAU connects up to eight Token Ring stations. If a Token Ring network has more stations than an MSAU can handle, or if stations are located in different parts of a building (for example, on different floors), MSAUs can be chained together to create an extended ring. When installing an extended ring, you must ensure that the MSAUs themselves are oriented in a ring. Otherwise, the Token Ring will have a break in it and will not operate.
Logically a ring, but physically a star configuration to MAU relays

50 The Token Ring/802.5 Interface

The IEEE 802.5 Token Ring protocol parallels IEEE 802.3 by providing MAC sublayer and physical layer services. Token Ring relies on the IEEE 802.2 Logical Link Control (LLC) sublayer and upper-layer protocols for point-to-point services. Token Ring differs considerably from 802.3 in its use of the LAN medium. All Token Ring stations use MAC addresses, including the router on the right of the graphic. For indicating the interface on the router, you will use the Cisco IOS software interface type abbreviation for token ring (To) followed by an interface number (for example, 0, as shown in the graphic).
Cisco router's data link to Token Ring/802.5 uses an interface named To plus a number (for example, To0)

51 Token Ring/802.5 Operation

Figure: a token (T = 0) circulates the ring; the station that claims it sets T = 1 and appends its data.

Station access to a Token Ring is deterministic; a station can transmit only when it receives a special frame called a token. Although exceptions can be negotiated, stations are allowed to transmit a single frame when they possess the token. Because no station can dominate the cable as it can in a contention-based access (CSMA/CD) network, administrators can quite accurately determine and plan network performance. If a station receiving the token has no information to send, it simply passes the token to the next station. If a station possessing the token has information to transmit, it claims the token by altering one bit of the frame, the T bit. The station then appends the information it wishes to transmit and sends the information frame to the next station on the Token Ring. The information frame circulates the ring until it reaches the destination station, where the frame is copied by the station and tagged as having been copied. The information frame continues around the ring until it returns to the station that originated it, and is removed. Unless early token release is used on the Token Ring, only one frame can be circling the Token Ring at any one time; other stations wishing to transmit must wait. With early token release, a station that seizes a token can transmit a new token onto the Token Ring after first sending its information frame. Because frames proceed serially around the ring, and because a station must claim the token before transmitting, collisions are not expected in a Token Ring network. Broadcasting for source-route bridging is supported in the form of a special mechanism known as explorer packets. These are used to locate a route to a destination through one or more source-route bridges.
Token Ring LANs continuously pass a token or a Token Ring frame

52 Token Ring/802.5 Media Control

Access Control Field:
  P P P T M R R R
  P - Priority bits
  T - Token bit
  M - Monitor bit
  R - Reservation bits

Token Ring networks use a priority system that permits certain user-designated, high-priority stations to use the network more frequently. Token Ring frames have two fields within the access control field that control priority: the priority field and the reservation field. Only stations with a priority equal to or higher than the priority of a token can claim that token. After the token is claimed and changed to an information frame, only stations with priority higher than the transmitting station can reserve the token for the next pass around the network. When the next token is generated, it includes the highest priority of the reserving station. Stations that raise a token's priority level must reinstate the previous lower priority level after their transmission is complete. The graphic illustrates the bits in the access control field that are used to define the current priority and reservation priority.
Fields in a frame determine priority and reservation for sharing media

53 Token Ring/802.5 Active Monitor

Figure: a token and a data frame on the ring, with the active monitor watching for frames that never leave it.

Token Ring networks employ several mechanisms for detecting and compensating for network faults. For example, one station in the Token Ring network is selected to be the active monitor. This station, which can be any station on the network, acts as a centralized source of timing information for other stations and performs a variety of ring maintenance functions. One ring maintenance function is to remove continuously circulating frames from the ring. When an originating station fails, it is not able to remove its frame from the Token Ring. The leftover frame, which continues to circle the ring, can prevent other stations from transmitting their own frames and can tie up the network. The active monitor can detect such frames, remove them from the ring, and generate a new token.
Active monitor ensures token operation on the ring for media access

54 Token Ring/802.5 Reliability

Frame Status Field: A C r r A C r r

A C  Meaning
0 0  Destination not found
0 1  Copied but not acknowledged
1 0  Unable to copy data from frame
1 1  Station found or frame copied to another ring by a bridge

The IEEE 802.5 specification describes two bits in the frame status field: the A bit, which stands for address (destination MAC address recognized), and the C bit, which stands for copied (the Token Ring frame copied at the destination). These two bits are used to indicate the status of an outstanding frame. When the Token Ring frame returns to the sender, these bits provide a dependable method for informing the sender of the disposition of frames sent out onto the Token Ring. An originating station generates a frame with the A and C bits turned off (set to zero). Because the originating station always views the returning frame, it can examine these two bits to determine whether they have been modified during their journey around the ring.
Sending station receives status information in a frame

55 Fiber Distributed Data Interface (FDDI)

Figure: a 100 Mbps FDDI dual ring.

FDDI is an American National Standards Institute (ANSI) standard that defines a dual Token Ring LAN operating at 100 Mbps over a fiber-optic medium. The FDDI standards were published in 1987 in the ANSI X3T9.5 standards.
Note: ANSI has defined a Twisted-Pair Physical Medium Dependent standard. Based on this standard, Copper Distributed Data Interface (CDDI) provides operation of FDDI but using the more commonly used copper cabling.
Devices on FDDI maintain connectivity on dual counter-rotating rings

56 Physical Layer: FDDI

Figure: single attachment stations (SAS) attached through dual-attached concentrators (DAC), a dual attachment station (DAS) on both rings, and a dual-homed SAS connected to two DACs.

FDDI standards describe the physical layer and MAC sublayer. Because FDDI specifies communication over fiber-optic cable, it is well suited for operations where nodes are separated by large distances or where networks must operate in electronically hostile environments such as factory floors. FDDI has high speeds that make it suitable for network applications requiring large bandwidth, for example, video and graphics applications. FDDI uses a token-passing protocol that operates on dual counter-rotating rings, as shown in the graphic. Under normal operation, data flows on a primary ring, while the secondary ring is idle. Some stations known as dual attachment stations (DASs) attach to both rings. Single attachment stations (SASs) have only a single physical medium dependent (PMD) connection to the primary ring by way of a dual-attached concentrator (DAC). Mission-critical stations such as routers or mainframe hosts can use a technique called dual homing to provide additional fault-tolerance and help guarantee operation. With dual homing, a station is single-attached to two DACs, thereby providing an active primary link and a backup path to the FDDI LAN.
Devices attached to FDDI use token passing

57 The FDDI Interface

Figure: a router interface F0 attached to the FDDI dual ring.

FDDI is logically and physically a ring topology. Although it operates at higher speeds, FDDI is similar to Token Ring. The two network types share many features such as token passing and predictable deterministic delays. All FDDI LAN stations use MAC addresses, including the router shown on the right of the graphic. The FDDI frame format uses four-bit symbols rather than eight-bit octets. Thus, the 48-bit MAC address for FDDI has 12 four-bit symbols. For indicating the FDDI interface on the router, you will use the Cisco IOS interface type abbreviation F followed by an interface number (for example, 0, as shown in the graphic).
Cisco router's data link to FDDI uses an interface named F plus a number (for example, F0)

58 FDDI Dual-Ring Reliability

1. When a failure domain occurs ...
2. ... wrap primary and secondary rings ...
3. ... maintaining network integrity

Access to the FDDI dual ring is determined by token possession. However, stations attach new tokens to the ends of their transmissions, and a downstream station is allowed to add its frame to the existing frame. Thus, at any given time, several information frames can be circling the ring. All stations monitor the ring for invalid conditions such as a lost token, persistent data frames, or a break in the ring. If a node determines that no tokens have been received from its nearest active upstream neighbor (NAUN) during a predetermined time period, it begins transmitting beacon frames to identify the failure and its domain. If a station receives its own beacon from upstream, it assumes that the ring has been repaired. If beaconing continues beyond a certain time limit, DASs on both sides of the failure domain loop (or wrap) the primary ring to the secondary ring to maintain network integrity (as illustrated in the graphic).

59 Common WAN Technologies

60 WAN Technology Overview

SDLC, HDLC, LAPB, PPP, X.25, Frame Relay, ISDN

WAN physical layer protocols describe how to provide electrical, mechanical, operational, and functional connections for wide-area networking services. These services are most often obtained from WAN service providers such as Regional Bell Operating Companies (RBOCs), alternate carriers, and Post, Telephone, and Telegraph (PTT) agencies. WAN data-link protocols describe how frames are carried between systems on a single data link. They include protocols designed to operate over dedicated point-to-point facilities, multipoint facilities based on dedicated facilities, and multiaccess switched services such as Frame Relay. WAN standards are defined and managed by a number of recognized authorities including the following agencies:
International Telecommunication Union-Telecommunication Standardization Sector (ITU-T), formerly the Consultative Committee for International Telegraph and Telephone (CCITT)
International Organization for Standardization (ISO)
Internet Engineering Task Force (IETF)
Electronic Industries Association (EIA)
WAN standards typically describe both physical layer and data link layer requirements. The graphic identifies several popular WAN services used in internetworks today. For example, ISDN integrates voice and data services on digital facilities. ISDN has grown as a preferred facility for accessing World Wide Web (WWW) multimedia.

61 Physical Layer: WAN

DTE to DCE interface standards: EIA/TIA-232, V.35, X.21, HSSI, others. (Figure: the DTE connected through a modem to the DCE.)

The WAN physical layer describes the interface between the data terminal equipment (DTE) and the data circuit-terminating equipment (DCE). Typically, the DCE is the service provider, and the DTE is the attached device. In this model, the services offered to the DTE are made available through a modem or channel service unit/data service unit (CSU/DSU). Several physical layer standards specify this interface:
EIA/TIA-232
EIA/TIA-449
V.24
V.35
X.21
G.703
EIA-530
High-Speed Serial Interface (HSSI)

Data Terminal Equipment - End of the user's device on the WAN link
Data Circuit-terminating Equipment - End of the WAN provider's side of the communication facility

62 Data Link Layer: WAN protocols

SDLC - Synchronous Data Link Control
HDLC - High-Level Data Link Control
LAPB - Link Access Procedure Balanced
Frame Relay - Simplified version of HDLC framing
PPP - Point-to-Point Protocol
X.25 - Packet level protocol (PLP)
ISDN - Integrated Services Digital Network (data-link signaling)

The common data-link encapsulations associated with synchronous serial lines are listed in the graphic:
Synchronous Data Link Control (SDLC)-A bit-oriented protocol developed by IBM. SDLC defines a multipoint WAN environment that allows several stations to connect to a dedicated facility. SDLC defines a primary station and one or more secondary stations. Communication is always between the primary station and one of its secondary stations. Secondary stations cannot communicate with each other directly.
High-Level Data Link Control (HDLC)-An ISO standard. HDLC might not be compatible between different vendors because of the way each vendor has chosen to implement it. HDLC supports both point-to-point and multipoint configurations.
Link Access Procedure, Balanced (LAPB)-Primarily used with X.25, but can also be used as a simple data-link transport. LAPB includes capabilities for detecting out-of-sequence or missing frames as well as for exchanging, retransmitting, and acknowledging frames.
Frame Relay-Uses high-quality digital facilities where the error checking of LAPB is unnecessary. By using a simplified framing with no error correction mechanisms, Frame Relay can send Layer 2 information very rapidly, compared to these other WAN protocols.
Point-to-Point Protocol (PPP)-Described by RFC 1661, two standards developed by the IETF. PPP contains a protocol field to identify the network-layer protocol.
X.25-Defines the connection between a terminal and a packet-switching network.
Integrated Services Digital Network (ISDN)-A set of digital services that transmits voice and data over existing phone lines.

63 Summary

The physical layer provides access to the wires of an internetwork.
The data link layer provides support for communication over several types of data links:
LAN (Ethernet/IEEE 802.3, Token Ring/IEEE 802.5, FDDI)
Dedicated WAN (SDLC, HDLC, PPP, LAPB)
Switched WAN (X.25, Frame Relay, ISDN)

64 Network Layer and Path Determination

65 Objectives

Upon completion of this chapter, you will be able to:
List the key internetworking functions of the OSI network layer and how they are performed in a router
Describe the two parts of network addressing, then identify the parts in specific protocol address examples
Contrast the network discovery and update processes in distance vector routing with those in link-state routing
List problems that each routing type encounters when dealing with topology changes, and describe techniques to reduce the number of these problems
Explain the services of separate and integrated multiprotocol routing

This chapter discusses the network layer of the OSI reference model. It covers basic information such as how network-layer addressing works with different protocols. It explains the difference between routing and routed protocols and contrasts static and dynamic routes. It explains how routers track the distance between locations. The chapter then covers distance vector, link-state, and hybrid routing approaches. It explains the strengths of each approach and describes how each resolves common routing problems.
Sections: Network Layer Basics; Routing Protocols; Answers to Exercises

66 Network Layer Basics

67 Network Layer: Path Determination
Which path? Which path should traffic take through the cloud of networks?

Path determination occurs at Layer 3, the network layer. The path determination function enables a router to evaluate the available paths to a destination and to establish the preferred handling of a packet. Routing services use network topology information when evaluating network paths. This information can be configured by the network administrator or collected through dynamic processes running in the network. The network layer interfaces to networks and provides best effort end-to-end packet delivery services to its user, the transport layer. The network layer sends packets from the source network to the destination network. After the router determines which path to use, it can proceed with switching the packet: taking the packet it accepted on one interface and forwarding it to another interface or port that reflects the best path to the packet's destination.
Layer 3 functions to find the best path through the internetwork

68 Network Layer: Communicate Path
Figure: routers joined by links numbered 1 through 11; each number is the network address of that link.

To be truly practical, an internetwork must consistently represent the paths of its media connections. As the graphic shows, each line between the routers has a number that the routers use as a network address. These addresses must convey information that can be used by a routing process. This means that an address must have information about the path of media connections used by the routing process to pass packets from a source toward a destination. The network layer combines this information about the path of media connections (sets of links) into an internetwork by adding path determination, path switching, and route processing functions to a communication system. Using these addresses, the network layer also provides a relay capability that interconnects independent networks. The consistency of Layer 3 addresses across the entire internetwork also improves the use of bandwidth by preventing unnecessary broadcasts. Broadcasts invoke unnecessary process overhead and waste capacity on any devices or links that do not need to receive the broadcast. By using consistent end-to-end addressing to represent the path of media connections, the network layer can find a path to the destination without unnecessarily burdening the devices or links on the internetwork with broadcasts.
Addresses represent the path of media connections

69 Addressing: Network and Host
Figure: a router with three attached networks, numbered 1, 2 and 3; hosts 1.1, 1.2 and 1.3 share network 1, host 2.1 is on network 2, and host 3.1 is on network 3.

The network address identifies a path part used by the router within the internetwork cloud. The router uses the network address to identify the source or destination network of a packet within an internetwork. The graphic shows three network numbers emanating from the router. For some network-layer protocols, this relationship is established by a network administrator who assigns network addresses according to some preconceived internetwork addressing plan. For other network-layer protocols, assigning addresses is partially or completely dynamic. Most network-protocol addressing schemes use some form of a host or node address. The host address refers to the device's specific port or device on the network. For instance, in the graphic three hosts are shown sharing the network number 1. The host or node address identifies that the packet is on its source or destination port or device on the network. For LANs, this port or device address can reflect the real Media Access Control (MAC) address of the device. However, unlike a MAC address that has a preestablished and usually fixed relationship to a device, a network address has a logical relationship.
Network address - Path part used by the router
Host address - Specific port or device on the network

70 Protocol Addressing Variations
Protocol            Network    Node
General example     1          1
TCP/IP example      10         8.2.48 (mask 255.0.0.0)
Novell IPX example  1ac.eb0b   0000.0c00.6e25

The two-part network addressing scheme extends across all the protocols covered in this course. How do you interpret the meaning of the address parts? What authority allocates the addresses? These answers vary from protocol to protocol. For example, in the TCP/IP example IP address, dotted decimal numbers show a network part and a host part. The network 10 uses the first of the four numbers as the network part and the last three sets of numbers as a host address. The mask is a companion number to the IP address. It communicates to the router the part of the number to interpret as the network number and identifies the remainder available for host addresses inside that network. The Novell IPX example uses a different variation of this two-part address. The network address 1ac.eb0b is a hexadecimal (base 16) number that cannot exceed a fixed maximum number of digits. The host address 0000.0c00.6e25 (also a hexadecimal number) is a fixed 48 bits long. This host address derives automatically from information in the hardware of the specific LAN device. These are the two most common Layer 3 address types. You will learn more about these and other protocol addressing rules in the next few pages. Then you will use valid Layer 3 addresses during the hands-on labs later in this course.

71 Router Functions Routing = building maps and giving directions
Switching = moving packets between interfaces The two main functions are: - routing - switching

72 Routing Table Network # Interface Next Hop Metric Age Source
Ethernet0 [170/304793] 02:03:50 D [110/9936] 02:03:50 O [120/3] 00:00:20 R C The four rows show:
1. To the network send the packet through E0 to The administrative distance is 170, the route is 2:03:50 old, and it is learned from EIGRP.
2. To the network send the packet through E0 to The administrative distance is 110, the route is 2:03:50 old, and it is learned from OSPF.
3. To the network send the packet through E0 to The administrative distance is 120, the route is 0:00:20 old, and it is learned from RIP.
4. To the network send the packet through E0 to the ultimate destination. The administrative distance is 0 (not shown); it is a directly connected interface.

73 Routing in Internetworks
Routing protocols need to handle issues associated with larger networks: Maintain route information Select routes As networks grow, the routing protocols we use must meet the challenge of a changing environment. In larger internetworks routing protocols must deal with several important issues. Maintain route information: Routing protocols discover routes and maintain route information in several ways. The method employed to determine routes and maintain routing information can have a major impact on internetwork bandwidth use and performance. - Distance vector - Link state - Distance vector/link-state hybrid (advanced) Route selection: Once a routing protocol has routing information, the best route must be selected. Several factors influence route selection. - Metrics - Load sharing - Hierarchical network structure

74 Routing in Internetworks (cont.)
Routing protocols need to handle issues associated with larger networks: Support flexible network address management Redistribute routes Route multiple protocols Routing protocols in large internetworks must be flexible enough to support a large number of network addresses and to function in an environment with multiple network protocols and even multiple routing protocols. Several key issues are as follows: Support flexible address management: Route summarization is a key routing protocol feature that is useful in networks with a large number of network addresses. Route summarization can significantly reduce routing protocol overhead. Redistribute routes: When multiple routing protocols are in use in an internetwork, it is important that these routing protocols be able to share routing information. Route multiple protocols: In most internetworks, several network protocols are in use. It is generally advantageous to use one routing protocol for all network protocols in the internetwork.

75 Route selection: Metrics
Source Dest. When a routing protocol knows multiple paths to a destination, the routing protocol uses a metric to determine the best path to the destination. Several different types of metrics are used by routing protocols. Path length: Hop count or ticks are common path length metrics. The maximum value of these metrics can be too small to reach every destination in a large network. Hop count cannot discriminate between high-speed and low-speed links. IP RIP and IPX RIP use path length metrics. Cost: Some routing protocols use a cost value to help discriminate between fast and slow links. OSPF and NLSP use a cost metric. Network administrators can define a preferred path by assigning a cost when configuring OSPF and NLSP. This value is not directly related to telecommunication tariffs or other charges. Composite metric: A composite metric uses a variety of factors to determine the best route to a destination. These factors can include: reliability, delay, bandwidth, MTU, and load. IGRP and Enhanced IGRP use a composite metric. Which is the best path from Source to Destination?

76 Route selection: Load Balancing
Routing protocols determine the best path to a destination. In a large network, multiple routes to a destination are certain to exist. You can use these multiple routes for route redundancy and for increased route bandwidth. All routing protocols supported by Cisco can provide load sharing across up to six equal-cost paths. IGRP and Enhanced IGRP allow load sharing across up to six paths with different metric values. IGRP and Enhanced IGRP can distribute the packets proportionally across the paths according to metric values assigned to paths. Load balancing can provide increased bandwidth and redundancy

77 Route selection: Routing Hierarchy
Hierarchical Network Corporate Headquarters National Office Remote Office Some routing protocols use only a flat routing structure, while others can use routing hierarchies. In a flat routing system such as RIP, all routers are in a single organizational unit. Hierarchical routing protocols often designate routers into logical groups. These groups are known as domains, autonomous systems, or areas, depending on the routing protocol. A routing hierarchy can be formed by connecting these groups to a core routing group. The primary advantage of hierarchical routing is that it can mimic the hierarchy of the organization. Because most network traffic occurs within small groups within the organization, a hierarchical routing design can keep most traffic within the local group and off the network backbone. Routing update traffic can also be reduced by a hierarchical routing structure. The following table shows common flat and hierarchical routing protocols:
Structure - Routing Protocol
Flat - IP RIP, IPX RIP, NLSP 1.0
Hierarchical - OSPF, NLSP 1.1, IGRP, Enhanced IGRP
A hierarchical network can reflect the corporation's organization

78 Static versus Dynamic Routes
Static Route Uses a protocol route that a network administrator enters into the router Dynamic Route Uses a route that a network routing protocol adjusts automatically for topology or traffic changes Static knowledge is administered manually: A network administrator enters it into the router's configuration. The administrator must manually update this static route entry whenever an internetwork topology change requires an update. Static knowledge can be private - by default it is not conveyed to other routers as part of an update process. You can, however, configure the router to share this knowledge. Dynamic knowledge works differently. After the network administrator enters configuration commands to start dynamic routing, route knowledge is updated automatically by a routing process whenever new topology information is received from the internetwork. Changes in dynamic knowledge are exchanged between routers as part of the update process.

79 Static Route Example Point-to-point or circuit-switched connection
Only a single network connection with no need for routing updates B Use static routes when there are: - only a few networks (usually one) to know about - only one path exists to the destination “Stub” Network Fixed route to address reflects administrator’s knowledge

80 Default Route Example
Company X Internet A B C Routing Table: No entry for destination net; try router B default route. The default route is used as a last resort: if there is no matching route, the default route is used. It is used, for example, for traffic to the Internet. Use it if the next hop is not explicitly listed in the routing table.
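To make the routing-table and default-route slides concrete, here is an added Python model (not the course's own code) of how a router chooses among table entries: a candidate route for a prefix is installed only if it has a lower administrative distance than the existing one (or the same distance and a lower metric), and a lookup takes the longest matching prefix, falling back to the 0.0.0.0/0 default route when nothing else matches. The addresses and router names are constructed for the example; the administrative distances 0 (connected), 110 (OSPF), 120 (RIP) and 170 (EIGRP) are the ones shown on the routing-table slide, and 1 for the static default is the Cisco IOS value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]     # None for a directly connected network
    admin_distance: int         # trustworthiness of the source; lower wins
    metric: int                 # distance on that source's own scale
    source: str                 # C, D, O, R ... as printed by 'show ip route'


def install(table: dict, candidate: Route) -> bool:
    """Keep the candidate only if it beats the current route to the same prefix.

    The comparison is (administrative distance, metric): metrics from different
    protocols are not comparable, so the distance decides first.
    """
    current = table.get(candidate.prefix)
    if current is None or (candidate.admin_distance, candidate.metric) < (
        current.admin_distance, current.metric
    ):
        table[candidate.prefix] = candidate
        return True
    return False


def lookup(table: dict, destination: str) -> Optional[Route]:
    """Longest-prefix match; the 0.0.0.0/0 default matches everything with length 0."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table.values() if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def build_example_table(with_default: bool) -> dict:
    """Constructed table for router A: a connected LAN, one prefix learned twice,
    one EIGRP route, and optionally a static default pointing at router B."""
    net = ipaddress.IPv4Network
    table: dict = {}
    install(table, Route(net("10.1.0.0/16"), "Ethernet0", None, 0, 0, "C"))
    install(table, Route(net("172.16.0.0/16"), "Ethernet0", "10.1.0.3", 120, 3, "R"))     # RIP: 3 hops
    install(table, Route(net("172.16.0.0/16"), "Ethernet0", "10.1.0.3", 110, 9936, "O"))  # OSPF wins on distance
    install(table, Route(net("192.168.5.0/24"), "Ethernet0", "10.1.0.3", 170, 304793, "D"))
    if with_default:
        install(table, Route(net("0.0.0.0/0"), "Ethernet0", "10.1.0.2", 1, 0, "S*"))      # default via router B
    return table


if __name__ == "__main__":
    t = build_example_table(with_default=True)
    for dest in ("10.1.7.7", "172.16.4.9", "203.0.113.10"):
        print(dest, "->", lookup(t, dest))
```

Note that the OSPF route replaces the RIP route to 172.16.0.0/16 even though its metric (9936) is far larger than RIP's 3 hops: the administrative distance is compared first precisely because the two metrics measure different things.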

81 Adapting to Topology Change
B X D C If the topology changes, a new route (usually a worse one, with a higher metric) must be inserted into the routing table to maintain connectivity. Can an alternate route substitute for a failed route?

82 Dynamic Routing Operations
Network Routing Protocol Routing Protocol Routing table Routing table The success of dynamic routing depends on two basic router functions: Maintenance of a routing table Timely distribution of knowledge - in the form of routing updates - to other routers Dynamic routing relies on a routing protocol to disseminate knowledge. A routing protocol defines the set of rules used by a router when it communicates with neighbouring routers. For example, a routing protocol describes: How updates are conveyed What knowledge is conveyed When to convey knowledge How to locate recipients of the updates Routing protocol maintains and distributes routing information

83 Representing Distance with Metrics
64 A Hop count Ticks Cost E1 Bandwidth Delay Load Reliability 64 E1 B When a routing algorithm updates the routing table, its primary objective is to determine the best information to include in the table. Each algorithm interprets best in its own way. The algorithm generates a number - called the metric value - for each path through the network. Typically, the smaller the metric, the better the path. Metrics can be calculated based on a single characteristic of a path. You can calculate more complex metrics by combining several characteristics. Several path characteristics are used in metric calculations. The metrics most commonly used by routers follow: Bandwidth - Data capacity of a link. For instance, normally, a 10-Mbps Ethernet link is preferable to a 64-kbps leased line Delay - Length of time required to move a packet from source to destination Load - Amount of activity on a network resource such as a router or link Reliability - Usually refers to the bit-error rate of each network link Hop count - Number of passages of a packet through the output port of one router Ticks - Delay on a data link using IBM PC clock ticks (approximately 55 milliseconds) Cost - Arbitrary value, usually based on bandwidth, dollar expense, or other measurement, that is assigned by a network administrator. Information used to select the best path for routing
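As an added illustration for this slide and the earlier "Route selection: Metrics" slide (example code, not from the course), the following Python computes three of the metrics just listed for two constructed paths from Source to Destination: plain hop count, an OSPF-style cost of reference bandwidth divided by link bandwidth (Cisco's default reference is 100 Mbps), and the IGRP composite metric with its default K values (10^7 divided by the slowest link's bandwidth in kbps, plus the path delay in tens of microseconds). The link speeds and delays are constructed; the point is that the three metrics disagree about which path is best.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int   # data capacity of the link
    delay_us: int         # delay of the link in microseconds


# Constructed paths from Source to Destination (not from the slide).
PATHS = {
    "two 64-kbps hops": [Link(64, 20000), Link(64, 20000)],
    "three E1 hops": [Link(2048, 20000), Link(2048, 20000), Link(2048, 20000)],
}


def hop_count(path):
    """RIP-style path length: one unit per router passed through."""
    return len(path)


def ospf_cost(path, reference_bps=100_000_000):
    """Sum of per-link costs, each reference bandwidth / link bandwidth (minimum 1)."""
    return sum(max(1, reference_bps // (link.bandwidth_kbps * 1000)) for link in path)


def igrp_metric(path):
    """IGRP composite metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
    the bandwidth term uses the slowest link, the delay term sums the path delay."""
    bandwidth_term = 10_000_000 // min(link.bandwidth_kbps for link in path)
    delay_term = sum(link.delay_us for link in path) // 10
    return bandwidth_term + delay_term


def best_path(paths, metric):
    """Smaller metric is better; returns the name of the winning path."""
    return min(paths, key=lambda name: metric(paths[name]))


if __name__ == "__main__":
    for name, fn in (("hop count", hop_count), ("OSPF cost", ospf_cost), ("IGRP metric", igrp_metric)):
        print(f"{name:12s} prefers: {best_path(PATHS, fn)}")
```

Hop count picks the two slow links because it cannot tell a 64-kbps line from an E1; both bandwidth-aware metrics pick the longer but much faster path.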

84 Routing Protocols

85 Classes of Routing Protocols
Distance Vector, Hybrid Routing, Link State. Most routing algorithms can be classified as conforming to one of two basic algorithms: distance vector or link state. The distance vector routing approach determines the direction (vector) and distance to any link in the internetwork. The link-state (also called shortest path first) approach re-creates the exact topology of the entire internetwork (or at least the partition in which the router is situated). The balanced hybrid approach combines aspects of the link-state and distance vector algorithms. The next several pages cover procedures and problems for each of these routing algorithms and present techniques for minimizing the problems. There is no single best routing algorithm for all internetworks. Network administrators must weigh technical and nontechnical aspects of their network to determine the best algorithm. Cisco IOS software can configure whatever routing choices best fit the administrator's internetwork.

86 One Issue: Time to Convergence
Convergence occurs when all routers use a consistent perspective of network topology After a topology changes, routers must recompute routes, which disrupts routing The process and time required for reconvergence vary among routing protocols The routing algorithm is fundamental to dynamic routing. Whenever the topology of the internetwork changes because of growth, reconfiguration, or failure, the internetwork knowledge base must also change. The knowledge base needs to reflect an accurate, consistent view of the new topology. This accurate, consistent view is called convergence. When all routers in an internetwork are operating with the same knowledge, the internetwork is said to have converged. Fast convergence is a desirable internetwork feature because it reduces the period of time that routers have outdated knowledge for making routing decisions that could be incorrect, wasteful, or both.

87 Distance Vector Concept
Routers A, B, C, D, each with its own routing table. Distance vector-based routing algorithms (also known as Bellman-Ford algorithms) pass periodic copies of a routing table from router to router. Regular updates between routers communicate topology changes. Each router receives a routing table from its direct neighbor. For example, in the graphic, router B receives information from router A. Router B adds a distance vector number (such as a number of hops) increasing the distance vector, then passes the routing table to its other neighbor, router C. This same step-by-step process occurs in all directions between direct-neighbor routers. In this way, the algorithm accumulates network distances so it can maintain a database of internetwork topology information. Distance vector algorithms do not allow a router to know the exact topology of an internetwork. Pass periodic copies of routing table to neighbor routers and accumulate distance vectors

88 Distance Vector Network Discovery
Routers A, B, C; networks W, X, Y, Z; one routing table per router. Each router using distance vector routing begins by identifying its own neighbors. In the graphic, the port to each directly connected network is shown as having a distance of 0. As the distance vector network discovery process proceeds, routers discover the best path to destination networks based on accumulated metrics from each neighbor. For example, router A learns about other networks based on information it receives from router B. Each of these other network entries in the routing table has an accumulated distance vector to show how far away that network is in the given direction. Routers discover the best path to destinations from each neighbor

89 Distance Vector Topology Changes
Topology Change Causes Routing Table Update; Router A Sends Out This Updated Routing Table; Process to Update This Routing Table (B, A). When the topology in a distance vector protocol internetwork changes, routing table updates must occur. As with the network discovery process, topology change updates proceed step-by-step from router to router. Distance vector algorithms call for each router to send its entire routing table to each of its adjacent neighbors. Distance vector routing tables include information about the total path cost (defined by its metric) and the logical address of the first router on the path to each network it knows about. When a router receives an update from a neighboring router, it compares the update to its own routing table. If it learns about a better route (smaller metric) to a network from its neighbor, the router updates its own routing table. In updating its own table, the router adds the cost of reaching the neighbor router to the path cost reported by the neighbor to establish the new metric. For example, if router B in the graphic is one unit of cost from router A, router B would add 1 to all costs reported by router A when it runs the distance vector processes to update its routing table. Updates proceed step-by-step from router to router

90 Problem: Routing Loops
Network 1, Unreachable C A E 1 X D Alternate Route: Network 1, Distance 3 Alternate Route: Use A Network 1, Distance 4 Network 1 Down Routing loops can occur if the internetwork's slow convergence on a new configuration causes inconsistent routing entries. The graphic illustrates how a routing loop can occur: Just before the failure of network 1, all routers have consistent knowledge and correct routing tables. The network is said to have converged. Assume for the remainder of this example that router C's preferred path to network 1 is by way of router B, and router C has a distance of 3 to network 1 in its routing table. When network 1 fails, router E sends an update to router A. Router A stops routing packets to network 1, but routers B, C, and D continue to do so because they have not yet been informed about the failure. When router A sends out its update, routers B and D stop routing to network 1; however, router C is still not updated. To router C, network 1 is still reachable via router B. This would be the new preferred route with a metric of three hops. Now router C sends a periodic update to router D indicating a path to network 1 by way of router B. Router D changes its routing table to reflect this good, but erroneous, news and propagates the information to router A. Router A propagates the information to routers B and E, and so on. Any packet destined for network 1 will now loop from router C to B to A to D and back to C. Alternate routes, slow convergence, inconsistent routing

91 Problem: Counting to Infinity
Network 1, Distance 6 Network 1, Distance 7 C A E 1 X D Network 1, Distance 5 Network 1, Distance 4 Network 1 Down Continuing our example from the previous page, the invalid updates about network 1 continue to loop. Until some other process can stop the looping, the routers update each other in an inappropriate way, considering the fact that network 1 is down. This condition, called count-to-infinity, continuously loops packets around the network, despite the fundamental fact that the destination network 1 is down. While the routers are counting to infinity, the invalid information allows a routing loop to exist. Without countermeasures to stop the process, the distance vector of hop count increments each time the packet passes through another router. These packets loop through the network because of wrong information in the routing tables. Routing loops increment the distance vector

92 Solution: Defining a Maximum
Network 1, Distance 13 Network 1, Distance 14 C A E 1 X Network 1, Distance 15 D Network 1, Distance 12 Network 1 Down Routing Table Maximum metric is 16 Network 1 is Unreachable Distance vector routing algorithms are self-correcting, but the routing loop problem can require a count to infinity first. To avoid this prolonged problem, distance vector protocols define infinity as some maximum number. This number refers to a routing metric (for example, a simple hop count). With this approach, the routing protocol permits the routing loop until the metric exceeds its maximum allowed value. The graphic shows this defined maximum as 16 hops; for hop-count distance vectors, a maximum of 15 hops is commonly used. In any case, once the metric value exceeds the maximum, network 1 is considered unreachable. Specify a maximum distance vector metric as infinity

93 Solution: Split Horizon
B: Do not update router A about routes to network 1. D: Do not update router A about routes to network 1. B C Network 1, unreachable A E 1 X D Network 1 Down Another possible source for a routing loop occurs when incorrect information sent back to a router contradicts the correct information it sent. Here is how this problem occurs: Router A passes an update to router B and router D indicating that network 1 is down. However, router C transmits an update to router B indicating that network 1 is available at a distance of 4 by way of router D. This does not violate split-horizon rules. Router B concludes (incorrectly) that router C still has a valid path to network 1, although at a much less favorable metric. Router B sends an update to router A advising A of the "new" route to network 1. Router A now determines it can send to network 1 by way of router B; router B determines it can send to network 1 by way of router C; and router C discerns it can send to network 1 by way of router D. Any packet introduced into this environment will loop between routers. Split horizon attempts to avoid this situation. As shown in the graphic, if a table update about network 1 arrives from router A, router B or D cannot send information about network 1 back to router A. Split horizon thus reduces incorrect routing information and reduces routing overhead. If you learn a protocol's route on an interface, do not send information about that route back out that interface
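The distance vector behaviour of the last several slides (discovery, step-by-step updates, counting to infinity, the maximum of 16, and split horizon) as an added Python simulation; this is example code, not from the course. The topology is constructed: network net1 hangs off router A and the routers form the chain A - B - C with one-hop links. The simulation discovers the topology, takes net1 down, and replays the reconvergence once without and once with split horizon. Hold-down timers and triggered updates are deliberately left out so the effect of split horizon alone is visible.

```python
INFINITY = 16   # the slide's maximum metric: a distance of 16 means "unreachable"

# Constructed topology (not from the slides): net1 is attached to A; links are one hop each.
TOPOLOGY = {"A": {"B": 1}, "B": {"A": 1, "C": 1}, "C": {"B": 1}}
ATTACHED = {"A": {"net1"}}


def initial_tables(topology, attached):
    """Every router starts knowing only its directly connected networks (distance 0, no next hop)."""
    return {r: {net: (0, None) for net in attached.get(r, ())} for r in topology}


def advertised(table, to_neighbor, split_horizon):
    """What a router tells one neighbor; split horizon withholds routes learned from that neighbor."""
    return {net: d for net, (d, nh) in table.items() if not (split_horizon and nh == to_neighbor)}


def apply_offers(old, offers):
    """Merge one round of (neighbor, network, distance) offers into a router's table."""
    new = dict(old)
    # A route belongs to its next hop: whatever that neighbor reports now replaces it, bad news included.
    for nb, net, dist in offers:
        if net in old and old[net][1] == nb:
            new[net] = (dist, nb)
    # Any strictly better offer then wins, whoever sent it.
    for nb, net, dist in offers:
        if net not in new or dist < new[net][0]:
            new[net] = (dist, nb)
    return new


def exchange_round(topology, tables, split_horizon):
    """All routers send their tables at once; each receiver adds the link cost to what it hears."""
    offers = {r: [] for r in topology}
    for sender, links in topology.items():
        for receiver, cost in links.items():
            for net, d in advertised(tables[sender], receiver, split_horizon).items():
                offers[receiver].append((sender, net, min(d + cost, INFINITY)))
    return {r: apply_offers(tables[r], offers[r]) for r in topology}


def converge(topology, tables, split_horizon, watch=("B", "net1"), max_rounds=40):
    """Repeat rounds until nothing changes.

    Returns (tables, rounds used, what the watched router believed about the
    watched network after each round)."""
    history = []
    for rounds in range(1, max_rounds + 1):
        new = exchange_round(topology, tables, split_horizon)
        history.append(new[watch[0]].get(watch[1]))
        if new == tables:
            return new, rounds, history
        tables = new
    return tables, max_rounds, history


def simulate_failure(split_horizon):
    """Discover the topology, then take net1 down at A and watch the tables reconverge."""
    tables, _, _ = converge(TOPOLOGY, initial_tables(TOPOLOGY, ATTACHED), split_horizon)
    tables["A"]["net1"] = (INFINITY, None)   # A's directly connected network fails
    return converge(TOPOLOGY, tables, split_horizon)


if __name__ == "__main__":
    for sh in (False, True):
        final, rounds, history = simulate_failure(split_horizon=sh)
        print(f"split horizon={sh}: {rounds} rounds, B's view of net1 per round: {history}")
```

Without split horizon, B accepts C's stale (and in fact B-derived) route to net1 the moment A reports the failure, and the three routers then raise the distance one step per exchange until it reaches 16. With split horizon, C never repeats B's route back to B, so the failure simply propagates down the chain in two rounds.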

94 Solution: Route Poisoning
Route to network 1 has infinite cost. B C A E 1 X D Route poisoning offers yet another technique routers use to try to avoid the problems caused by inconsistent updates. With this technique, the router sets a table entry that keeps the network state consistent while other routers gradually converge correctly on the topology change. Used with hold-down timers, which are described on the next page, route "poisoning" is a solution to long loops. The graphic provides the following example. When network 1 goes down, router E initiates route poisoning by entering a table entry for network 1 as having infinite cost (that is, being unreachable). By poisoning its route to network 1, router E is not susceptible to other incorrect updates about network 1 coming from neighboring routers that might claim to have a valid alternate path. This can work with the hold-down mechanism described on the next page. Router E keeps this poison-route entry for several update cycles. The poisoned router can trigger an update about network 1 in neighbor routers (as well as the other routers in the internetwork). Route poisoning and triggered updates speed up convergence because the routers do not have to wait for update intervals before advertising the poisoned route. This can hasten the spread of updated path information about network 1 as these other routers recompute their distance vector tables and converge on the topology change. Network 1 Down Router keeps an entry for the network down state, allowing time for other routers to recompute for this topology change

95 Solution: Hold Down Timers
Update after Hold-Down Time B Network 1 Down C A E 1 ?,X D You can avoid the count-to-infinity problem by using hold-down timers, which work as follows:
- When a router receives an update from a neighbor indicating that a previously accessible network is now inaccessible, the router marks the route as inaccessible and starts a hold-down timer. If at any time before the hold-down timer expires an update is received from the same neighbor indicating that the network is again accessible, the router marks the network as accessible and removes the hold-down timer.
- If an update arrives from a different neighboring router with a better metric than originally recorded for the network, the router marks the network as accessible and removes the hold-down timer.
- If at any time before the hold-down timer expires an update is received from a different neighboring router with a poorer metric, the update is ignored. Ignoring an update with a poorer metric when a hold-down is in effect allows more time for the knowledge of a disruptive change to propagate through the entire network.
Hold-down timers work with route poisoning. Network 1 Down Routers ignore network update information for some period
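The three rules above as an added Python state machine for a single router's table (example code, not from the course). The 180-second hold-down length is an assumption; the slide gives no value. Router and network names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

INFINITY = 16        # metric meaning "inaccessible"
HOLD_DOWN = 180.0    # seconds; assumed value, the slide does not give one


@dataclass
class HeldRoute:
    metric: int
    next_hop: str
    hold_down_until: Optional[float] = None   # set while the route is in hold-down
    original_metric: int = 0                  # metric recorded before the route became inaccessible


class HoldDownTable:
    """Routing table of one router that applies the three hold-down rules from the slide."""

    def __init__(self):
        self.routes: Dict[str, HeldRoute] = {}

    def receive(self, now: float, net: str, neighbor: str, metric: int) -> str:
        cur = self.routes.get(net)
        if cur is None:
            if metric >= INFINITY:
                return "ignored: unknown network reported inaccessible"
            self.routes[net] = HeldRoute(metric, neighbor)
            return "installed"
        if cur.hold_down_until is not None and now >= cur.hold_down_until:
            cur.hold_down_until = None   # timer ran out; route stays inaccessible until a fresh update
        in_hold = cur.hold_down_until is not None
        if neighbor == cur.next_hop:
            if metric >= INFINITY:
                if not in_hold and cur.metric < INFINITY:
                    # rule 1: mark the route inaccessible and start the timer
                    cur.original_metric, cur.metric = cur.metric, INFINITY
                    cur.hold_down_until = now + HOLD_DOWN
                    return "hold-down started"
                return "still inaccessible"
            # rule 1, second half: the same neighbor says the network is reachable again
            cur.metric, cur.hold_down_until = metric, None
            return "accessible again (same neighbor)"
        if in_hold:
            if metric < cur.original_metric:
                # rule 2: a different neighbor with a better metric than before ends the hold-down
                self.routes[net] = HeldRoute(metric, neighbor)
                return "accessible again (better metric)"
            # rule 3: poorer news from elsewhere is ignored so the failure can propagate first
            return "ignored during hold-down"
        if metric < cur.metric:
            self.routes[net] = HeldRoute(metric, neighbor)
            return "replaced by better route"
        return "ignored"


if __name__ == "__main__":
    table = HoldDownTable()
    for t, nb, m in ((0, "A", 3), (10, "A", INFINITY), (20, "C", 4), (30, "D", 2)):
        print(f"t={t:3d} {nb} says net1 metric {m:2d}: {table.receive(t, 'net1', nb, m)}")
```

The route stays marked inaccessible after the timer expires; nothing automatically restores it, so the first genuine update after expiry is what brings the network back.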

96 Link-State Concept
B C A Topological Database D Link-State Packets Routing Table SPF Algorithm The second basic algorithm used for routing is the link-state algorithm. Link-state-based routing algorithms, also known as shortest path first (SPF) algorithms, maintain a complex database of topology information. Whereas the distance vector algorithm has nonspecific information about distant networks and no knowledge of distant routers, a link-state routing algorithm maintains full knowledge of distant routers and how they interconnect. Link-state routing uses link-state packets (LSPs), a topological database, the SPF algorithm, the resulting SPF tree, and finally, a routing table of paths and ports to each network. The following pages cover these processes and databases in more detail. Engineers have implemented this link-state concept in Open Shortest Path First (OSPF) routing. RFC 1583 contains a description of OSPF link-state concepts and operations. Shortest Path First Tree After initial flood, pass small event-triggered link-state updates to all other routers

97 Link-State Network Discovery
Routers A, B, C; networks W, X, Y, Z. Each router's Link-State Packets feed a Topological Database, the SPF algorithm builds an SPF Tree from it, and the tree yields that router's Routing Table. Network discovery for link-state routing uses the following processes: Routers exchange LSPs with each other. Each router begins with directly connected networks for which it has direct link-state information. Next, each router in parallel with one another constructs a topological database consisting of all the LSPs from the internetwork. The SPF algorithm computes network reachability, determining the shortest path first to each other network in the link-state protocol internetwork. The router constructs this logical topology of shortest paths as an SPF tree. With itself as root, this tree expresses paths from the router to all destinations. The router lists its best paths and the ports to these destination networks in the routing table. It also maintains other databases of topology elements and status details. After the routers dynamically discover the details of their internetwork, they can use the routing table for switching packet traffic. Routers calculate the shortest path to destinations in parallel

98 Link-State Topology Changes
Topology Change in Link-State Update; Process to Update This Routing Table (at each router). Link-state algorithms rely on using the same link-state updates. Whenever a link-state topology changes, the routers that first become aware of the change send information to other routers or to a designated router that all other routers can use for updates. This entails the propagation of common routing information to all routers in the internetwork. To achieve convergence, each router does the following: Keeps track of its neighbors: the neighbor's name, whether the neighbor is up or down, and the cost of the link to the neighbor. Constructs an LSP that lists its neighbor router names and link costs. This includes new neighbors, changes in link costs, and links to neighbors that have gone down. Sends out this LSP so that all other routers receive it. When it receives an LSP, records the LSP in its database so that it can store the most recently generated LSP from each other router. Using accumulated LSP data to construct a complete map of the internetwork topology, proceeds from this common starting point to rerun the SPF algorithm and compute routes to every network destination. Each time an LSP causes a change to the link-state database, the link-state algorithm recalculates the best paths and updates the routing table. Then every router takes the topology change into account as it determines the shortest paths to use for packet switching. Update processes proceed using the same link-state update
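An added Python example (not from the course) of the link-state pipeline described on the last three slides: a constructed LSP database, Dijkstra's shortest-path-first algorithm producing the SPF tree rooted at one router, the routing table of networks and next hops derived from that tree, and a rerun after new LSPs report a failed link. Router names, link costs and attached networks are all constructed.

```python
import heapq

# Constructed LSP database (not from the slides): each router's LSP lists its neighbors and link costs.
LSDB = {
    "A": {"B": 1, "C": 4},
    "B": {"A": 1, "C": 2, "D": 5},
    "C": {"A": 4, "B": 2, "D": 1},
    "D": {"B": 5, "C": 1},
}
# Networks attached to each router (constructed): these are the routing-table destinations.
ATTACHED = {"A": ["W"], "B": ["X"], "C": ["Y"], "D": ["Z"]}


def spf_tree(lsdb, root):
    """Dijkstra over the LSP database: total cost and SPF-tree parent of every reachable router."""
    cost = {root: 0}
    parent = {}
    heap = [(0, root)]
    visited = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        for v, link_cost in lsdb.get(u, {}).items():
            if d + link_cost < cost.get(v, float("inf")):
                cost[v] = d + link_cost
                parent[v] = u
                heapq.heappush(heap, (cost[v], v))
    return cost, parent


def first_hop(parent, root, target):
    """Walk the SPF tree from the target back to the router adjacent to the root."""
    node = target
    while parent[node] != root:
        node = parent[node]
    return node


def routing_table(lsdb, attached, root):
    """Destination network -> (next hop, cost); networks behind unreachable routers are omitted."""
    cost, parent = spf_tree(lsdb, root)
    table = {}
    for router, nets in attached.items():
        if router not in cost:
            continue
        for net in nets:
            table[net] = ("connected", 0) if router == root else (first_hop(parent, root, router), cost[router])
    return table


def apply_lsps(lsdb, new_lsps):
    """Each new LSP replaces its originator's old one; returns the updated database."""
    updated = {r: dict(n) for r, n in lsdb.items()}
    updated.update({r: dict(n) for r, n in new_lsps.items()})
    return updated


def link_failure_example():
    """Constructed topology change: the A-B link fails, A and B flood new LSPs, A reruns SPF."""
    before = routing_table(LSDB, ATTACHED, "A")
    after_db = apply_lsps(LSDB, {"A": {"C": 4}, "B": {"C": 2, "D": 5}})
    after = routing_table(after_db, ATTACHED, "A")
    return before, after


if __name__ == "__main__":
    before, after = link_failure_example()
    print("router A before:", before)
    print("router A after A-B fails:", after)
```

Both ends of the failed link must issue a new LSP; if only A's were applied, B's stale LSP would still claim a link to A and other routers could compute paths through it.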

99 Link-State Concerns
Processing and memory required for link-state routing SPF Topological Database There are two link-state concerns: Processing and memory requirements: Running link-state routing protocols in most situations requires that routers use more memory and perform more processing. Network administrators must ensure that the routers they select are capable of providing these resources for routing. Routers keep track of their neighbors and the networks they reach through other routing nodes. For link-state routing, memory must hold information from various databases, the topology tree, and the routing table. Computing the shortest path first with Dijkstra's algorithm requires a processing task proportional to the number of links in the internetwork times the number of routers in the network. Bandwidth requirements: Another cause for concern involves the bandwidth consumed for initial link-state packet flooding. During the initial discovery process, all routers using link-state routing protocols send LSPs to all other routers. This action floods the internetwork as routers make their peak demand for bandwidth, and temporarily reduces the bandwidth available for routed traffic that carries user data. After this initial flooding, link-state routing protocols generally require only internetwork bandwidth to send infrequent or event-triggered LSPs that reflect topology changes. Bandwidth consumed for the initial link-state "flood" SPF Tree Routing Table

100 Problem: Link-State Updates
Slow path update arrives last: Network 1, Unreachable (B). Which SPF tree to use for routing? (C, A). Network 1 goes down then comes up. Fast path updates arrive first: Network 1, Unreachable; Network 1, Back Up Now (D). The most complex and critical aspect of link-state routing is making sure that all routers get all the LSPs necessary. Routers with different sets of LSPs will calculate routes based on different topological data. Then routes become unreachable as a result of the disagreement among routers about a link. Here is an example of inconsistent path information: Suppose that network 1 between routers C and D goes down. As discussed earlier, both routers construct an LSP to reflect this unreachable status. Soon afterward, network 1 comes back up; another LSP reflecting this next topology change is needed. If the original "Network 1, Unreachable" message from router C uses a slow path for its update, that update comes later. This LSP can arrive at router A after router D's "Network 1, Back Up Now" LSP. With unsynchronized LSPs, router A can face a dilemma about which SPF tree to construct: Does it use paths containing network 1 or without network 1, which was most recently reported as unreachable? If LSP distribution to all routers is not done correctly, link-state routing can result in invalid routes. Unsynchronized updates, inconsistent path decisions

101 Link State Update Problems (cont.)
Synchronizing large networks: which network topology updates are correct? Router startup: the order of start alters the topology learned. Partitioned regions: a slow updating part separated from a fast updating part. Scaling up with link-state protocols on very large internetworks can intensify the problem of faulty LSP distribution. If one part of the internetwork comes up first with other parts coming up later, the order for sending and receiving LSPs will vary. This variation can alter and impair convergence. Routers might learn about different versions of the topology before they construct their SPF trees and routing tables. On a large internetwork, parts that update more quickly can cause problems for parts that update more slowly. Routers sending out LSPs cannot assume they will be correctly transported by following existing routing table entries because these entries might not reflect the current topology. With faulty updates, LSPs can multiply as they propagate through the internetwork, unproductively consuming more and more bandwidth. Eventually a partition can split the internetwork into a fast updating part and a slow updating part. Then network administrators must troubleshoot the link-state complexities to restore acceptable connectivity.

102 Solution: Link State Mechanisms
Reduce the need for resources: "Dampen" update frequency; Target link-state updates to multicast; Use link-state area hierarchy for topology; Exchange route summaries at area borders. Coordinate link-state updates: Use time stamps; Update numbering and counters; Manage partitioning using an area hierarchy. Link-state routing has several techniques for preventing or correcting potential problems arising from resource requirements and LSP distribution. A network administrator can reduce the periodic distribution of LSPs so that updates only occur after some long, configurable duration. The dampening does not interfere with LSP updates triggered by topology changes. LSP updates can go to a multicast group rather than in a flood to all routers. On interconnected LANs, you can use one or more designated routers as the target depository for LSP transmissions. Other routers can use their designated routers as a specialized source of consistent topology data. In large networks you can set up a hierarchy made up of different router levels. A router in one area of the hierarchical domains does not need to store and process LSPs from other routers not located in its area. For problems of LSP coordination, link-state implementations can allow for LSP time stamps, sequence numbers, aging schemes, and other related mechanisms to help avoid inaccurate LSP distribution or uncoordinated updates. The partitioning of an internetwork can be actively managed with a hierarchy if the link-state protocol provides for hierarchical management. Then routers can concentrate on only the routers within their domain or area, and they can depend on special routers at the domain borders for external routing information.
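As an added example (not the course's code), the following Python link-state database applies two of the coordination mechanisms just listed, sequence numbers and an aging timer, to the slow-path/fast-path problem from the earlier slide: the stale "network 1 unreachable" LSP arrives after the newer "back up" LSP and is rejected because its sequence number is lower. The 3600-second maximum age is OSPF's MaxAge; router names, link costs and the timing are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_AGE = 3600   # seconds; an LSP not refreshed within this time is flushed (OSPF's MaxAge)


@dataclass
class LSP:
    origin: str              # router that generated it
    seq: int                 # originator's sequence number, higher means newer
    links: Dict[str, int]    # neighbor -> link cost as seen by the originator


class LinkStateDatabase:
    """One router's topological database: the newest LSP per originator plus its arrival time."""

    def __init__(self):
        self.entries: Dict[str, Tuple[LSP, float]] = {}

    def install(self, lsp: LSP, now: float) -> str:
        current = self.entries.get(lsp.origin)
        if current is not None:
            cur_lsp, _ = current
            if lsp.seq < cur_lsp.seq:
                return "discarded: older than the stored LSP"
            if lsp.seq == cur_lsp.seq:
                self.entries[lsp.origin] = (cur_lsp, now)   # a refresh of the same version resets aging
                return "duplicate: age refreshed"
        # Sequence numbers order versions of an LSP; they say nothing about who really sent it.
        self.entries[lsp.origin] = (lsp, now)
        return "installed"

    def expire(self, now: float) -> list:
        """Flush LSPs whose originator has not refreshed them within MAX_AGE."""
        stale = [o for o, (_, t) in self.entries.items() if now - t >= MAX_AGE]
        for o in stale:
            del self.entries[o]
        return stale

    def topology(self) -> Dict[str, Dict[str, int]]:
        """The link map the SPF algorithm would run on."""
        return {o: dict(l.links) for o, (l, _) in self.entries.items()}


def replay_out_of_order_updates() -> LinkStateDatabase:
    """Constructed scenario from the slide: C's 'network 1 down' LSP (seq 5) takes the
    slow path and reaches this router after C's 'back up' LSP (seq 6)."""
    db = LinkStateDatabase()
    db.install(LSP("C", 4, {"A": 1, "D": 1}), now=0)     # steady state: C reaches D over network 1
    db.install(LSP("C", 6, {"A": 1, "D": 1}), now=10)    # fast path: network 1 is back up
    db.install(LSP("C", 5, {"A": 1}), now=12)            # slow path: the older 'unreachable' LSP arrives last
    return db


if __name__ == "__main__":
    db = replay_out_of_order_updates()
    print("stored LSP from C:", db.entries["C"][0])
    print("topology used for SPF:", db.topology())
```

Without the sequence check the router would overwrite the current topology with the stale LSP and compute routes around a link that is actually up. The aging timer covers the opposite failure, an originator that disappears without ever withdrawing its LSP.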

103 Comparing Distance Vector Routing to Link-State Routing
Distance Vector                                       Link-State
Views net topology from neighbor's perspective        Gets common view of entire network topology
Adds distance vectors from router to router           Calculates the shortest path to other routers
Frequent, periodic updates: slow convergence          Event-triggered updates: faster convergence
Passes copies of routing table to neighbor routers    Passes link-state routing updates to other routers

You can compare distance-vector routing to link-state routing in several key areas:
- Distance vector routing gets all topological data from the perspective it receives from processing the routing table information of its neighbors. Link-state routing obtains a wide view of the entire internetwork topology by accumulating all necessary LSPs.
- Distance vector routing determines the best path by adding to the metric value it receives as tables move from router to router. For link-state routing, each router works in parallel to calculate its own shortest path to destinations.
- With most distance vector routing protocols, updates for topology changes come in periodic table updates. These tables pass incrementally from router to router, usually resulting in slower convergence.
- With link-state routing protocols, updates are usually triggered by topology changes. Relatively small LSPs passed to all other routers, or to a multicast group of routers, usually result in a faster time to converge on any internetwork topology change.

104 Balanced Hybrid Routing
Share attributes of both distance-vector and link-state routing
Choose a routing path based on distance vectors
Converge rapidly using change-based updates
Example: EIGRP

This chapter so far has presented the two major types of routing protocols: distance vector and link-state. An emerging third type of routing protocol combines aspects of both. This third type is called balanced hybrid in this course. The balanced hybrid routing protocol uses distance vectors with more accurate metrics to determine the best paths to destination networks. However, it differs from most distance vector protocols by using topology changes to trigger routing database updates. The balanced hybrid routing type converges more rapidly, like the link-state protocols. However, it differs from these protocols by emphasizing economy in the use of required resources such as bandwidth, memory, and processor overhead. Examples of balanced hybrid protocols are OSI's Intermediate System-to-Intermediate System (IS-IS) routing and Cisco's Enhanced Interior Gateway Routing Protocol (Enhanced IGRP).

105 Summary
Internetworking functions of the network layer include network addressing and best path selection for traffic.
Network addressing uses one part to identify the path used by the router and one part for ports or devices on the net.
Routed protocols direct user traffic, while routing protocols work between routers to maintain path tables.
Network discovery for distance vector involves exchange of routing tables; problems can include slower convergence.
For link-state, routers calculate the shortest paths to other routers; problems can include inconsistent updates.
Balanced hybrid routing uses attributes of both link-state and distance vector, applying paths to several protocols.

106 Basic Router Operations

107 External Configuration Sources
Console port
Auxiliary port
Virtual terminal interfaces (VTY 0-4)
TFTP server
Network management station
Configuration information can come from many sources.

The router can be configured from many locations:
- Upon initial installation, it is configured from the console terminal, which is connected via the console port.
- It can be connected via modem using the auxiliary port.
- Once installed on the network, it can be configured from virtual terminals 0 through 4.
- Files can also be downloaded from a TFTP server on the network.

108 Internal Configuration Components
RAM
NVRAM
Flash
ROM
Console
Auxiliary
Interfaces

Internal configuration components are as follows:
- RAM/DRAM - stores routing tables, ARP cache, fast-switching cache, packet buffering (shared RAM), and packet hold queues. RAM also provides temporary and/or running memory for the router's configuration file while the router is powered on. RAM content is lost when you power down or restart.
- NVRAM - nonvolatile RAM stores the router's backup configuration file. NVRAM content is retained when you power down or restart.
- Flash - erasable, reprogrammable ROM. Flash memory holds the operating system image and microcode. Having Flash memory allows you to update software without removing and replacing chips on the processor. Flash content is retained when you power down or restart. Multiple copies of IOS can be stored in Flash memory.
- ROM - contains power-on diagnostics, a bootstrap program, and operating system software. To perform software upgrades, remove and replace pluggable chips on the CPU.
- Interfaces - network connections through which packets enter and exit the router. Interfaces are on the motherboard or on separate interface modules.

109 An Overview of System Startup
Check hardware
Find and load Cisco IOS software image
Find and apply router configuration information
System startup routines initiate router software; fallback routines provide startup alternatives as needed.

The startup routines for Cisco IOS software have the goal of starting router operations. The router must deliver reliable performance connecting the user networks it was configured to serve. To do this, the startup routines must:
- Make sure that the router comes up with tested hardware.
- Find and load the Cisco IOS software that the router uses for its operating system.
- Find and apply the configuration statements about router-specific attributes, protocol functions, and interface addresses.

The router will make sure that it comes up with tested hardware. When a Cisco router powers up, it performs a power-up self-test. During this self-test, the router executes diagnostics from ROM on all modules. These diagnostics verify the basic operation of the CPU, memory, and interface circuitry. After verifying the hardware functions, the router proceeds with software initialization.

Some startup routines act as fallback operations that are able to perform the router startup should other routines be unable to do so. This flexibility allows Cisco IOS software to start up in a variety of initial situations.

110 Startup Sequence
Figure: Bootstrap in ROM -> load bootstrap into RAM -> locate and load the operating system (Cisco Internetworking Operating System) from Flash, a TFTP server, or ROM -> locate and load the configuration file from NVRAM, a TFTP server, or the console, or enter "setup" mode.

After the power-up self-test on the router, the following events occur when the router initializes:
1. The generic bootstrap loader executes from ROM on the CPU card. A bootstrap is a simple, preset operation to load instructions that in turn cause other instructions to be loaded into memory, or cause entry into other configuration modes. The term comes from the data processing concept of the system "pulling itself up by its own bootstraps."
2. The operating system source is determined from the boot field of the configuration register. If the boot field indicates a Flash or network load, boot system commands in the configuration file indicate the exact location of the image.
3. The operating system image is loaded into low-addressed memory. Once loaded and operational, the operating system determines the hardware and software components and lists the results on the console terminal.
4. The saved configuration file in NVRAM is loaded into main memory and executed one line at a time. These configuration commands start routing processes, supply addresses for interfaces, set media characteristics, and so on.
5. If no valid configuration file exists in NVRAM, the operating system executes a question-driven initial configuration routine referred to as the system configuration dialog. This special mode is also called the setup dialog. Setup is not intended as the mode for entering complex protocol features in the router. Use setup to bring up a minimal configuration. Instead of setup, network administrators use various config-mode commands for most router configuration tasks.

111 RAM for Working Storage
Figure: RAM holds the Internetwork Operating System (command executive, bootstrap program, executing active programs), the configuration file, tables, and buffers.

RAM is the working storage area for the router. When the router is turned on, a bootstrap program is executed from ROM. This program performs some tests, then loads the Cisco IOS software into memory. The command executive, or EXEC, is one part of the Cisco IOS software. EXEC receives and executes commands you enter for the router. The router also stores an active configuration file and tables of network maps and routing address lists.

The configuration file contains ASCII characters and can be displayed on a remote or console terminal. A saved version of this file is stored in NVRAM. The saved file is accessed and loaded into main memory each time the router initializes. The configuration file contains global, process, and interface statements that directly affect the operation of the router and its interface ports.

The operating system image is already in binary executable form and cannot be displayed on the terminal screen. The image is usually executed from the main RAM and loaded from one of several input sources. The operating software is organized into "routines" that handle the tasks associated with different protocols, the movement of data, management of tables and buffers, routing updates, and the execution of user commands.

112 Router Modes
User EXEC mode: limited examination of router; remote access. Prompt: Router>
Privileged EXEC mode: detailed examination of router; debugging and testing; file manipulation; remote access. Prompt: Router#
Global configuration mode: simple configuration commands. Prompt: Router(config)#
Other configuration modes: complex and multiline configuration. Prompt: Router(config-mode)#
Setup mode: prompted dialog used to establish an initial configuration.
RXBOOT mode: recovery from a catastrophe in the case of a lost password or the operating system being accidentally erased from Flash.

Whether accessed from the console or by a Telnet session through an auxiliary port, the router can be placed in several modes. Each mode provides different functions:
- User EXEC mode - a "look-only" mode in which the user can view some information about the router, but cannot change anything.
- Privileged EXEC mode - supports the debugging and testing commands, detailed examination of the router, manipulation of configuration files, and access to configuration modes.
- Setup mode - presents an interactive prompted dialog at the console that helps the new user create a first-time basic configuration.
- Global configuration mode - implements powerful one-line commands that perform simple configuration tasks.
- Other configuration modes - provide more complicated multiple-line configurations.
- RXBOOT mode - a maintenance mode that can be used, among other things, to recover lost passwords.

113 Logging in to the Router: Cisco IOS
Console:
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>                 (user-mode prompt)
Router> enable
Router#                 (privileged-mode prompt)
Router# disable
Router>
Router> exit

When you first log in to the router, you will see a user-mode prompt. EXEC commands available at this user level are a subset of the EXEC commands available at the privileged level. For the most part, these commands allow you to display information without changing router configuration settings. To access the full set of commands, you must first enable privileged mode; your EXEC prompt shows as a pound sign (#) while you are in this mode. From the privileged level, you can also access global configuration mode and the other specific configuration modes. These include interface, subinterface, line, router, route-map, and several additional configuration modes. To log out of the router, type exit. Screen output varies with your specific Cisco IOS software level and router configuration.

114 Context-Sensitive Help
Router# clock
Translating "CLOCK"
%Unknown command or computer name, or unable to find computer address
clear clock
Router# clock
%Incomplete command
Router# clock ?
  set   Set the time and date
Router# clock set
%Incomplete command
Router# clock set ?
  Current time (hh:mm:ss)
Router# clock set 19:56:00
%Incomplete command
Router# clock set 19:56:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year
Router# clock set 19:56: .
%Invalid input detected at the '^' marker
Router# clock set 19:56:00 04 August
Router# clock set 19:56:00 04 August ?
  < >  Year

Help features shown: command prompting, syntax checking, symbolic translation, keyword completion, last command recall (<Ctrl><P>).

In the graphic shown, suppose you want to set the router clock. If you do not know the command, use context-sensitive help to check the syntax for setting the clock. The help output shows that the set keyword is required. Next, check the syntax for entering the time. Now enter the current time using hours, minutes, and seconds as shown. The system indicates that you need to provide additional arguments to complete the command. Press Control-P (or the Up arrow) to repeat the previous command entry automatically. Then add a space and a question mark (?) to reveal the additional arguments. Now you can complete the command entry.

The caret symbol (^) and help response indicate an error. To list the correct syntax, reenter the command up to the point where the error occurred, and then enter a question mark (?). Enter the year using the correct syntax and press Return to execute the command. Note that the user interface provides syntax checking in the form of an error location indicator (^). The caret symbol appears at the point in the command string where you have entered an incorrect command, keyword, or argument. The error location indicator and interactive help system allow you to find and correct syntax errors easily. Screen output varies with Cisco IOS software level and router configuration.

115 Using Editing Commands
Router> $ value for our customers, employees, investors, and partners
Automatic scrolling of long lines.

<Ctrl><A>  Move to the beginning of the command line
<Ctrl><E>  Move to the end of the command line
<Esc><B>   Move back one word
<Ctrl><F>  Move forward one character
<Ctrl><B>  Move back one character
<Esc><F>   Move forward one character
<Ctrl><I>  Refresh line

The user interface includes an enhanced editing mode that provides a set of editing key functions. Although enhanced editing mode is automatically enabled with the current software release, you can disable it and revert to the editing mode of previous software releases. You might also want to disable enhanced editing if you have written scripts that do not interact well when enhanced editing is enabled. Use the key sequences indicated in the graphic to move the cursor around on the command line for corrections or changes.

The editing command set provides a horizontal scrolling feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back, press Control-B or the Left arrow key repeatedly until you are at the beginning of the command entry, or press Control-A to return directly to the beginning of the line.

In the example shown, the command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) indicates that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left. Screen output varies with Cisco IOS software level and router configuration.

116 Reviewing Command History
<Ctrl><P> or Up arrow                         Last (previous) command recall
<Ctrl><N> or Down arrow                       More recent command recall
Router> show history                          Show command buffer
Router> terminal history size number-of-lines Set command buffer size
Router> no terminal editing                   Disable advanced editing features
Router> terminal editing                      Reenable advanced editing
<Tab>                                         Entry completion

The user interface provides a history or record of commands you have entered. This feature is particularly useful for recalling long or complex commands or entries. With the command history feature, you can complete the following tasks:
- Set the command history buffer size
- Recall commands
- Disable the command history feature

By default, command history is enabled and the system records ten command lines in its history buffer. To change the number of command lines the system will record during the current terminal session, use the terminal history size or history size command. The maximum number of commands is 256.

To recall commands in the history buffer beginning with the most recent command, press Control-P or the Up arrow key. Repeat the key sequence to recall successively older commands. To return to more recent commands in the history buffer after recalling commands with Control-P or the Up arrow, press Control-N or the Down arrow key. Repeat the key sequence to recall successively more recent commands.

Once you enter the unique characters for a command, press the Tab key and the interface will finish the entry for you. On most laptop computers you may also have additional select and copy facilities available. Copy a previous command string, then paste or insert it as your current command entry and press Return. Ctrl-Z backs you out of configuration mode.

117 Summary
Using the router:
- Log in with user password
- Enter privileged mode with enable password
- Disable or quit
Advanced help features:
- Command completion and prompting
- Syntax checking
Advanced editing features:
- Automatic line scrolling
- Cursor controls
- History buffer with command recall
- Copy and paste using most laptop computers

118 Examining Router Status

119 Router Status Commands
Figure: show version examines RAM (the running Internetwork Operating System, active configuration file, tables and buffers), show flash examines Flash (the stored operating system), and show interface examines the interfaces; NVRAM holds the backup configuration file.

Router# show version
Router# show flash
Router# show interface
Router# show processes CPU
Router# show protocols
Router# show mem
Router# show stack
Router# show buffers
Router# show startup-config
Router# show config
Router# show running-config
Router# write term

Router status commands are as follows:
- show version - displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.
- show processes - displays information about the active processes.
- show protocols - displays the configured protocols. This command shows the status of any configured Layer 3 (network) protocol.
- show mem - shows statistics about the router's memory, including memory free pool statistics.
- show stacks - monitors the stack use of processes and interrupt routines and displays the reason for the last system reboot.
- show buffers - provides statistics for the buffer pools on the network server.
- show flash - shows information about the Flash memory device.
- show running-config (write term on Cisco IOS Release 10.3 or earlier) - displays the active configuration file.
- show startup-config (show config on Cisco IOS Release 10.3 or earlier) - displays the backup configuration file.
- show interfaces - displays statistics for all interfaces configured on the router.

120 show version Command
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Experimental Version 11.2 ( :214907)
Copyright (c) by cisco Systems, Inc.
Compiled Fri 28-Jun-96 16:32 by rbeach
Image text-base: 0x600088A0, data-base: 0x6076E000

ROM: System Bootstrap, Version 5.1(1) [daveu 1], RELEASE SOFTWARE (fc1)
ROM: 4500-XBOOT Bootstrap Software, Version 10.1(1), RELEASE SOFTWARE (fc1)

router uptime is 1 week, 3 days, 32 minutes
System restarted by reload
System image file is "c4500-j-mz", booted via tftp from
 --- More ---

The show version command displays information about the Cisco IOS software version that is currently running on the router.

121 show running-config Command and show startup-config Command
Router# show running-config
Building configuration...
Current configuration:
!
version 11.2
 --- More ---
(Use write terminal with Release 10.3 and earlier.)

Router# show startup-config
Using 1108 out of bytes
!
version 11.2
hostname router
 --- More ---
(Use show config with Release 10.3 and earlier.)

show running-config and show startup-config are among the most used Cisco IOS software EXEC commands because they allow an administrator to see the current running configuration on the router or the image size and startup configuration commands the router will use on the next restart.

Note: The commands write term and show config used with Cisco IOS Release 10.3 and earlier have been replaced by new commands. The commands that have been replaced continue to perform their normal functions in the current release but are no longer documented. Support for these commands will cease in a future release.

You will know that you are looking at the active configuration file when you see the words "Current Configuration" at the top. You will know that you are looking at the backup configuration file when you see a message at the top telling you how much nonvolatile memory has been used.

122 Configuring a Router

123 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Load an existing configuration file
- Change the router identification
- Assign a password to both the user and privileged EXEC modes
- Configure a serial interface
- Save the changes to NVRAM

124 Router Configuration Overview
Cisco IOS software version
Router identification
Boot file locations
Protocols information
Interface configurations

The router uses information from the configuration file when it starts up. The configuration file contains commands to customize router operation. As you saw in the previous chapter, if there is no configuration file available, the system configuration dialog (setup) guides you through creating one.

125 Configuration Modes
Global configuration mode - used for system-wide configuration requiring one command line; includes commands to enter other configuration modes:
Router# config term
Router(config)#
...
Router(config)# (command)
Router(config)#
Router(config)# exit
Router#

Other configuration modes - used for other configurations requiring multiple command lines:
Router# config term
...
Router(config)# router protocol
Router(config-router)#
...
Router(config-router)# (command)
Router(config-router)# exit
Router(config)# interface type port
Router(config-if)#
...
Router(config-if)# (command)
Router(config-if)#
...
Router(config-if)# exit
Router(config)# exit

Global configuration commands apply to features that affect the system as a whole. Use the privileged EXEC command configure to enter global configuration mode. When you enter this command, the EXEC prompts you for the source of the configuration commands. You can then specify the terminal, NVRAM, or a file stored on a network server as the source. The default is to type in commands from the terminal console. Pressing the Return key begins this configuration method.

Commands to enable a particular routing or interface function begin with global configuration commands. To configure a routing protocol (indicated by the prompt config-router) you first enter a global router protocol command type. To configure an interface (indicated by the prompt config-if) you first enter the global interface type and number command.

Commands to configure the access line to the router using the directly connected console or the virtual terminal used with Telnet also begin with global configuration commands. To enable console configuration mode, begin with the global command line console 0. To enable the virtual terminal ports configuration modes to set up remote console access, begin with the global command line vty followed by the line number and the ending line number if you want to configure a range of lines.

After entering commands in any of these modes, finish with the command exit.

126 Working with 11.x Config Files
Figure: config term enters commands from the console or terminal into RAM; config memory loads NVRAM into RAM; copy running-config startup-config saves RAM to NVRAM; erase startup-config sends NVRAM to the bit bucket; copy tftp running-config and copy tftp startup-config load from a TFTP server (IP only); copy running-config tftp saves RAM to the TFTP server; show running-config and show startup-config display RAM and NVRAM.
Use these commands for routers running Cisco IOS Release 11.0 or later.

Router configuration information can be generated by several means. The privileged EXEC configure command can be used to configure from either a virtual (remote) terminal or the console terminal, allowing you to enter changes to an existing configuration at any time. The privileged EXEC configure command can also be used to load a configuration from a network TFTP server, allowing you to maintain and store configuration information at a central site.

Configuration command summary:
- configure terminal - configure manually from the console terminal.
- configure memory - load configuration information from NVRAM.
- copy tftp running-config - load configuration information from a network TFTP server.
- show running-config - display the current configuration in RAM.
- copy running-config startup-config - store the current configuration in RAM into NVRAM.
- copy running-config tftp - store the current configuration in RAM on a network TFTP server.
- show startup-config - display the saved configuration, which is the contents of NVRAM.
- erase startup-config - erase the contents of NVRAM.

127 Using a TFTP Server
Tokyo# copy running-config tftp
Remote host []?
Name of configuration file to write [tokyo-confg]? tokyo.2
Write file tokyo.2 to ? [confirm] y
Writing tokyo.2 !!!!!!!! [OK]
tokyo#

Router# copy tftp running-config
Host or network configuration file [host]?
IP address of remote host [ ]?
Name of configuration file [router-confg]? tokyo.2
Configure using tokyo.2 from ? [confirm] y
Booting tokyo.2 from : !! [OK - 874/16000 bytes]
tokyo#

A current copy of the configuration can be stored on a TFTP server. Use the copy running-config tftp command to store the current configuration in RAM on a network TFTP server.

You can configure the router by retrieving the configuration file stored on one of your network servers. To do so, complete the following tasks:
Step 1: Enter configuration mode by entering the copy tftp running-config command.
Step 2: At the system prompt, select a host or network configuration file. The network configuration file contains commands that apply to all routers and terminal servers on the network. The host configuration file contains commands that apply to one router in particular.
Step 3: At the system prompt, enter the optional IP address of the remote host from which you are retrieving the configuration file. In this example, the router is configured from the TFTP server at IP address
Step 4: At the system prompt, enter the name of the configuration file or accept the default name. The filename convention is UNIX-based. The default filename is hostname-config for the host file and network-config for the network configuration file. In the DOS environment, the server filenames are limited to eight characters plus a three-character extension (for example, router.cfg).
Step 5: Confirm the configuration filename and the server address that the system supplies.

In the second example in the graphic, notice that the router prompt changes to tokyo immediately. This is evidence that the reconfiguration happens as soon as the new file is downloaded.

128 Overview of Router Modes
User EXEC mode: Router>
Privileged EXEC mode: Router#
Global configuration mode: Router(config)#
(exit backs out one level; <Ctrl><Z> returns from any configuration mode to privileged EXEC mode)

Other configuration modes and their prompts:
Configuration mode   Prompt
Interface            Router(config-if)#
Subinterface         Router(config-subif)#
Controller           Router(config-controller)#
Map-list             Router(config-map-list)#
Map-class            Router(config-map-class)#
Line                 Router(config-line)#
Router               Router(config-router)#
IPX-router           Router(config-ipx-router)#
Route-map            Router(config-route-map)#

The command interpreter is called the EXEC. The EXEC interprets the commands you type and carries out the corresponding operations. You must log into the router before you can enter an EXEC command. There are two EXEC modes. The EXEC commands available at the user mode are a subset of the EXEC commands available at the privileged mode. From the privileged level, you can also access global configuration mode and specific configuration modes, some of which are listed above.

If you type exit, the router will back out one level, eventually allowing you to log out. In general, typing exit from one of the specific configuration modes will return you to global configuration mode. Pressing Control-Z leaves configuration mode completely and returns the router to privileged EXEC mode.

129 Configuring Router Identification
Router name:
Router(config)# hostname Tokyo
Tokyo#

Login banner:
Tokyo(config)# banner motd # Welcome to router Tokyo, Accounting Department, 3rd Floor #

Interface description:
Tokyo(config)# interface e 0
Tokyo(config-if)# description Engineering LAN, Bldg. 18

These commands set a local identity or message for the accessed router or interface. The hostname is used in authentication processes and helps you know which router you are connected to. The banners and the descriptions are for humans only; the router does not use them, but they provide additional information to the administrator. For example, it is good practice to put the serial line IDs in the interface description.

130 Password Configuration
Console password:
Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password cisco

Virtual terminal password:
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco

Enable password:
Router(config)# enable password san-fran

Perform password encryption:
Router(config)# service password-encryption
(set passwords here)
Router(config)# no service password-encryption

In the example:
- the console password is set to cisco
- the telnet password is set to cisco on all 5 lines
- the enable password is set (enable secret is a more secure alternative)
- the password encryption service is turned on.

The password encryption uses a two-way (reversible) cryptographic algorithm to encrypt the passwords. This means it is not a very secure encryption; it only makes it harder to memorize a password glimpsed on screen. So do not trust this algorithm: if you give your configs away, delete the passwords from them even if the passwords are encrypted. The enable secret uses a more secure one-way encryption.

131 Interface Configuration Mode
Router(config)# interface type port
Router(config)# interface type slot/port
Type includes serial, ethernet, tokenring, fddi, hssi, loopback, dialer, null, async, atm, bri, and tunnel.

Router(config-if)# shutdown
Use this command to administratively turn off an interface without altering its other configuration entries.

Router(config-if)# no shutdown
Turn on an interface that has been shut down.

Router(config-if)# exit
Quit from the current config-interface mode.

Router(config)# interface type number.subinterface
After designating the primary interface, use this to establish virtual interfaces on the single physical interface.

Many features are enabled on a per-interface basis. Interface configuration commands modify the operation of an Ethernet, Token Ring, FDDI, or serial port. Interface subcommands always follow an interface command; the interface command defines the interface type. You can configure a number of virtual interfaces on a single physical serial interface. These virtual interfaces are logical constructs called subinterfaces. For details on interface configuration commands that affect general interface parameters such as bandwidth, clock rate, and so on, see the Cisco IOS command reference publications.

132 Verifying Configuration Changes
Make changes in configuration modes. Examine the results: Router# show running-config. Intended results? No: remove the changes with Router (config) # no <command>. Yes: save the changes to a backup with Router# copy running-config startup-config or Router# copy running-config tftp. The other commands in the chart load or discard a saved configuration: Router# config mem, Router# copy tftp running-config, Router# erase startup-config, Router# reload. Examine the backup file with Router# show startup-config. To configure the system follow the above flow-chart. Always examine the results, and save the config.

133 Using NVRAM with Release 11.x
Router# configure memory [OK] Router# NVRAM RAM Router# erase startup-config [OK] Router# NVRAM Bit bucket Router# copy running-config startup-config Router# NVRAM RAM Router# show startup-config using 5057 out of bytes ! enable password san-fran interface Ethernet 0 ip address ----More ---- NVRAM These commands manage the contents of NVRAM: configure memory-Load configuration information from NVRAM. erase startup-config-Erase the contents of NVRAM. copy running-config startup-config-Store the current configuration in RAM (the running configuration) into NVRAM (as the startup configuration). show startup-config-Display the saved configuration, which is the contents of NVRAM.

134 Summary Configuration files can come from the console, NVRAM, or a TFTP server The router has several modes: Privileged mode used for copying and managing entire configuration files Global configuration mode used for one-line commands and commands that change the entire router Other configuration modes used for multiple command lines and detailed configurations The router provides a host name, a banner, and interface descriptions to aid in identification

135 Managing the Configuration Environment

136 Locating the Cisco IOS Software
Configuration registers Registers in NVRAM for modifying fundamental Cisco IOS software Identifies where to boot Cisco IOS image (for example, use config-mode commands) Router# configure terminal Router(config)# boot system flash IOS_filename Router(config)# boot system tftp IOS_filename tftp_address Router(config)# boot system rom [Ctrl-Z] Router# copy running-config startup-config Boot system commands not found in NVRAM The default source for Cisco IOS software depends on the hardware platform, but most commonly the router looks to the configuration commands saved in NVRAM. Cisco IOS software offers several alternatives. You can specify other sources where the router should look for software, or the router will use its own fallback sequence as necessary to load software. Settings in the configuration register enable alternatives for where the router will bootstrap Cisco IOS software. You can specify enabled config-mode boot system commands to enter fallback sources for the router to use in sequence. Save these statements in NVRAM to use during the next startup with the command copy running-config startup-config. The router will use these commands as needed, in sequence, when it restarts. However, if NVRAM lacks boot system commands the router can use, the system has its own fallback alternatives. The router will fall back and use the default Cisco IOS in Flash memory. If Flash memory is empty, the router will try its next TFTP alternative. The router uses the configuration register value to form a filename from which to boot a default system image stored on a network server. Get default Cisco IOS software from flash Flash memory empty Get default Cisco IOS software from tftp server

137 show version Command Router>show version
Cisco Internetwork Operating System Software Copyright (c) by cisco Systems, Inc. Compiled Tue 26-May-98 17:50 by dschwart Image text-base: 0x , data-base: 0x ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) BOOTFLASH: RSP Software (RSP-BOOT-M), Version 11.2(14)P, RELEASE SOFTWARE (fc1) Router uptime is 23 hours, 24 minutes System restarted by reload at 15:44:39 CET-DST Tue Sep --More-- IOS (tm) RSP Software (RSP-ISV-M), Version 11.2(14)P, RELEASE SOFTWARE (fc1) The show version command displays information about the Cisco IOS software version that is currently running on the router. This includes the boot field setting (shown in the continued example on the next page). In the example, the Cisco IOS version and descriptive information are highlighted on the second output line. The captured screen shows an experimental version of Release 11.2. The final line in the graphic shows the system image name. You will learn about Cisco IOS software Release 11.2 image naming conventions later in this chapter. For now, notice the portion of the filename that indicates this image is for a Cisco 4500 platform. System image file is "slot0:rsp-isv-mz P", booted via slot0

138 show version Command (cont.)
cisco RSP4 (R5000) processor with 32768K/2072K bytes of memory. R5000 processor, Implementation 35, Revision 2.1 (512KB Level 2 Cache) Last reset from power-on G.703/E1 software, Version 1.0. Channelized E1, Version 1.0. Bridging software. X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. Chassis Interface. 4 VIP2 controllers (2 FastEthernet)(12 E1). 2 FastEthernet/IEEE interface(s) 218 Serial network interface(s) 123K bytes of non-volatile configuration memory. 20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K). 8192K bytes of Flash internal SIMM (Sector size 256K). As it continues to output, the show version command displays information about the type of platform where the version of Cisco IOS software is currently running. The highlighted text provides the results of the command config-register 0x10F, which is used to enter configuration register values. Note You will not see evidence of any config-register setting in output from either the show running-config or show startup-config commands. Configuration register is 0x102

139 Configuration Register Values
Router# configure terminal Router(config)# config-register 0x10F [Ctrl-Z] Configuration register bits 3, 2, 1, and 0 set the boot option Configuration-Register Value Meaning 0x0 Use ROM monitor mode (manually boot using the b command) 0x1 Automatically boot from ROM (default if router has no flash) 0x2 to 0xF Examine NVRAM for boot system commands (0x2 default if router has Flash) The order in which the router looks for system bootstrap information depends on the boot field setting in the configuration register. You can change the default configuration register setting with the enabled config-mode command config-register. Use a hexadecimal number as the argument to this command. In this example, the configuration register is set so that the router will examine the startup file in NVRAM for boot system options. The configuration register is a 16-bit register in NVRAM. The lowest four bits of the configuration register (bits 3, 2, 1, and 0) form the boot field. To change the boot field and leave all other bits set to their default values, follow these guidelines: Set the configuration register value to 0x100 if you need to enter the ROM monitor, primarily a programmer's environment. From ROM monitor, boot the operating system manually using the b command at the ROM monitor prompt. (This value sets the boot field bits to ) Set the configuration register to 0x101 to configure the system to boot automatically from ROM. (This value sets the boot field bits to ) Set the configuration register to any value from 0x102 to 0x10F to configure the system to use the boot system commands in NVRAM. This is the default. (These values set the boot field bits to through ) To check the boot field setting, for example, to verify the config-register command, you must use the show version command. Check the configuration register setting with show version

140 show flash Command Display the layout and contents of current device
Router> show flash (dir) -#- ED --type-- --crc--- -seek-- nlen -length date/time name unknown 81E4BFDC 64D Jun :32:10 rsp-isv-mz.112- 14.P bytes available ( bytes used) Display the layout and contents of the specified device Router> show flash bootflash: (show flash device:) -#- ED --type-- --crc--- -seek-- nlen -length date/time name unknown D607A4A1 3FCDD Jun :13:04 rsp-boot-mz. P bytes available ( bytes used) The show flash command shows the contents and the status of the flash memory.

141 Flash devices List possible devices Display current directory
Router>show flash devices slot0, slot1, bootflash, slaveslot0, slaveslot1, slavebootflash, slavenvram, nvram, tftp, rcp Display current directory Router> pwd slot0 These examples show how you can enter multiple boot system commands to specify the fallback sequence for booting Cisco IOS software. The three examples show boot system entries that specify that a Cisco IOS image will load first from Flash memory, next from a network server, and finally from ROM. Flash memory Using this approach, you can copy a system image without changing electrically erasable programmable read-only memory (EEPROM). Information stored in Flash memory is not vulnerable to network failures that can occur when loading system images from TFTP servers. Network server To provide for a backup in case flash memory becomes corrupted, you can specify that a system image should then be loaded from a TFTP server. ROM If Flash memory is corrupted and the network server also fails to load the image, booting from ROM is the final bootstrap option in software. However, the system image in ROM will likely be a subset of Cisco IOS software, lacking the protocols, features, and configurations of full Cisco IOS software. It may also be an older version of Cisco IOS software if you have updated software since you purchased the router. The command copy running-config startup-config saves the commands in NVRAM. The router will execute the boot system commands as needed in the order in which they were originally entered into configuration mode. Change directory Router> cd device:
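The boot-field values, the ordered boot system commands and the built-in fallback (Flash, then TFTP, then ROM) described in the last three slides form one decision procedure. The function below is an added model of that procedure, not code from the course or from Cisco IOS; the cisco<n>-<platform> form of the default network filename is an assumption noted in the code.

```python
from typing import Sequence, Tuple

# Boot-field values from the slide: 0x0 = ROM monitor, 0x1 = boot from ROM,
# 0x2..0xF = examine the boot system commands saved in NVRAM.
ROMMON, BOOT_ROM = 0x0, 0x1


def boot_field(config_register: int) -> int:
    """Bits 3..0 of the 16-bit configuration register select the boot option."""
    if not 0 <= config_register <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return config_register & 0xF


def default_net_image_name(config_register: int, platform: str) -> str:
    """Assumed form of the default network boot filename, 'cisco<n>-<platform>',
    where <n> is the boot-field value.  The slide only says the register value
    is used to form the name, so the exact format is an assumption here."""
    return f"cisco{boot_field(config_register)}-{platform}"


def choose_boot_source(config_register: int,
                       boot_system_cmds: Sequence[Tuple[str, ...]],
                       flash_images: Sequence[str],
                       tftp_reachable: bool,
                       platform: str = "4500") -> str:
    """Walk the slide's fallback sequence and report where IOS is loaded from.

    boot_system_cmds mirror the NVRAM statements in the order entered:
      ("flash", filename), ("tftp", filename, server), ("rom",)
    flash_images lists filenames present in Flash; tftp_reachable says whether
    a network server can answer.  Returns a string like "flash:rsp-isv-mz".
    """
    bf = boot_field(config_register)
    if bf == ROMMON:
        return "rommon"                      # operator boots manually with 'b'
    if bf == BOOT_ROM:
        return "rom"                         # automatic boot from the ROM image
    # 0x2..0xF: try the saved boot system commands in sequence.
    for cmd in boot_system_cmds:
        kind = cmd[0]
        if kind == "flash" and cmd[1] in flash_images:
            return f"flash:{cmd[1]}"
        if kind == "tftp" and tftp_reachable:
            return f"tftp:{cmd[1]}@{cmd[2]}"
        if kind == "rom":
            return "rom"
    # No usable boot system command: built-in fallback order from the slide.
    if flash_images:
        return f"flash:{flash_images[0]}"   # default IOS image in Flash
    if tftp_reachable:
        return f"tftp:{default_net_image_name(config_register, platform)}"
    return "rom"                             # last resort (usually a reduced IOS)
```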

142 Creating a Software Image Backup
Flash RAM TFTP Server copy device: tftp Router# copy slot0: tftp Enter source file name: rsp-isv-mz P Enter destination file name [rsp-isv-mz P]: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC Address or name of remote host [sun]? ! You can copy a system image back to a network server. This copy of the system image can serve as a backup copy and also can be used to verify that the copy in Flash is the same as the original disk file. The example uses the show flash command to learn the name of the system image file (xk09140z), and the copy flash tftp command to copy the system image to a TFTP server. The files can be renamed during transfer. In the example, an administrator is backing up the current image to the TFTP server. One scenario for this upload to the server would be to provide a fallback copy of the current image prior to updating the image with a new version. Then, if the new version has trouble, the administrator can download the backed-up image and return to the image that was running before the update attempt. Back up files from flash devices

143 Downloading the Image from the Net
Flash RAM TFTP Server copy tftp device: Tozsde_1#copy tftp slot0: Enter source file name: rsp-isv-mz a.P bytes available on device slot0, proceed? [confirm] Address or name of remote host [sun]? Accessing file "rsp-isv-mz a.P" on sun ...FOUND Loading rsp-isv-mz a.P from (via FastEthernet4/0/0): !!!!!!! !!!!!!!!!!!!!!!!!!!.!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!! [OK / bytes] CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC The above example shows an IOS download from the (named sun) to the PCMCIA slot 0.

144 Summary Create running and startup configuration Configure interface
Determine the load location of the Cisco IOS image

145 Access to Other Routers

146 Cisco Discovery Protocol (CDP) Overview
Upper Layer Entry Addresses Cisco Proprietary Data-Link Protocol Media Supporting SNAP TCP/IP Novell AppleTalk Others IPX CDP discovers and shows information about directly connected Cisco devices LANs Frame ATM Others Relay Cisco Discovery Protocol (CDP) provides a single proprietary command that enables network administrators to access a summary of the multiple protocols and addresses configured on other directly connected routers. CDP runs over a data link layer connecting lower physical media and upper-network-layer protocols. Because CDP operates at this level, two or more CDP devices that support different network-layer protocols can learn about each other. Physical media supporting the Subnetwork Access Protocol (SNAP) connect CDP devices. These can include all LANs, Frame Relay and SMDS WANs, and ATM networks. When a Cisco device running Cisco IOS Release 10.3 and later boots up, CDP starts up by default. CDP can then automatically discover neighboring Cisco devices running CDP, regardless of which protocol suite or suites are running. Discovered devices extend beyond those running TCP/IP: CDP will discover directly connected Cisco devices regardless of which protocol suite they run. Once CDP discovers a device, it can display any of the various upper-layer protocol address entries used on the discovered device's port: IPX, AppleTalk Datagram Delivery Protocol (DDP), DECnet CLNS, and others. Media and protocol interaction

147 Show CDP Neighbor Entries
IP, IPX Router IP, AppleTalk CDP Router IP, CLNS, DECnet #sho cdp CDP Router IP, CLNS The graphic displays an example of how CDP delivers its benefits to a system manager. Each router running CDP exchanges information about any protocol entries it knows with its neighbors. The administrator can display the results of this CDP information exchange on a console connected to a router configured to run CDP on its interfaces. The network manager uses a show command to display information about the networks directly connected to the router. Frames formed by CDP provide information about each CDP neighbor device. Values include the following: Device identifiers-For example, the router's configured host name and domain name (if any). Address list-At least one address for SNMP, up to one address for each protocol supported. Port identifier-An ASCII character string such as Ethernet 0. Capabilities list-If, for example, the device acts as a source route bridge as well as a router. Version-Information such as that provided by the local command show version. Platform-The device's hardware platform: for example, Cisco 7000. Notice that the lowest router in the graphic is not directly connected to the router of the administrator's console. To obtain CDP information about this device, the administrator would need to Telnet to a router directly connected to this target. A single command summarizes protocols and addresses on the target (for example, a neighboring Cisco router)

148 CDP Configuration Example
Router B Frame Relay WAN routerA (config-if)# cdp enable Router A S0 E0 Enable CDP on each interface S0 E0 routerA# show cdp interface Serial0 is up, line protocol is up, encapsulation is Frame Relay Sending CDP packets every 60 seconds Holdtime is 180 seconds Ethernet0 is up, line protocol is up, encapsulation is ARPA CDP begins automatically upon a device's system startup. The CDP function normally starts by default when a Cisco product boots up with Cisco IOS Release 10.3 or later. Although CDP runs by default, you must explicitly enable it on the device's interface using the command cdp enable. For example, the graphic shows the cdp enable command that you use on the E0 and S0 interfaces on the router named routerA. This command begins CDP's dynamic discovery function on the device's interfaces. Advertisement and discovery using CDP involves data-link frame exchanges. Only directly connected neighbors exchange CDP frames. A router caches any information it receives from its CDP neighbors. If a subsequent CDP frame indicates that any of the information about a neighbor has changed, the router discards the older information in favor of the newer information. Use the command show cdp interface to display the values of the CDP timers, the interface status, and the encapsulation used by CDP for its advertisement and discovery frame transmission. Default values for the timers set the frequency between CDP updates and the aging of CDP entries. These timers are set automatically at 60 seconds and 180 seconds, respectively. If the device receives a more recent update or if this holdtime value expires, the device must discard the CDP entry.

149 Showing CDP Neighbors routerA#sho cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source-Route Bridge, S - Switch, H - Host, I - IGMP Device ID Local Intrfce Holdtime Capability Platform Port ID routerB.cisco.com Eth0 151 R T AGS Eth0 routerB.cisco.com Ser0 165 R T AGS Ser3 routerA#show cdp neighbors detail Device ID: routerB.cisco.com Entry address(es): IP address: CLNS address: Appletalk address: 10.1 Platform: AGS, Capabilities: Router Trans-Bridge Interface: Ethernet0, port ID (outgoing port): Ethernet0 Holdtime: 143 sec Use the command show cdp neighbors to display the CDP updates received on the local router. Notice that for each local port, the display shows the following: · Neighbor device ID · Local port type and number · Decrementing holdtime value in seconds · Neighbor's device capability code · Hardware platform of the neighbor · Neighbor's remote port type and number To display this information as well as information like that from show cdp entry, the administrator uses the optional show cdp neighbors detail. Note In this example, a neighbor's device name contains a domain name. Therefore, the Device ID column for router B displays a domain-name entry in the form company.com. To check the device as a single target, include the domain by entering the command variation show cdp entry routerB.cisco.com.
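An administrator auditing a network will usually want the show cdp neighbors table as structured data rather than screen text, and the 60-second update and 180-second holdtime defaults from the previous slide give a simple staleness check. The parser below is an added example, not code from the course or from Cisco; the output it reads is a constructed sample modelled on the routerA/routerB table above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of "show cdp neighbors" output, modelled on the slide's
# routerA/routerB example (not captured from a real device).  Columns are
# separated by two or more spaces, as in the real table.
SHOW_CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source-Route Bridge,
                  S - Switch, H - Host, I - IGMP

Device ID          Local Intrfce     Holdtme    Capability  Platform  Port ID
routerB.cisco.com  Eth 0             151        R T         AGS       Eth 0
routerB.cisco.com  Ser 0             165        R T         AGS       Ser 3
switchC            Fas 0/1           132        S I         WS-C2950  Fas 0/24
routerD            Ser 1             95         R           2500      Ser 0
"""

CDP_HELLO_SECONDS = 60      # default advertisement interval from the slide
CDP_HOLDTIME_SECONDS = 180  # default holdtime from the slide


@dataclass
class CdpNeighbor:
    device_id: str
    local_intf: str
    holdtime: int            # seconds left before the cached entry is discarded
    capabilities: List[str]  # codes expanded via the legend, e.g. ["Router", "Trans Bridge"]
    platform: str
    port_id: str             # the neighbor's outgoing port


def parse_capability_legend(text: str) -> Dict[str, str]:
    """Read the 'Capability Codes:' legend that precedes the table."""
    legend_part = text.split("Device ID", 1)[0]
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"\b([A-Za-z]) - ([^,\n]+)", legend_part)}


def parse_show_cdp_neighbors(text: str) -> List[CdpNeighbor]:
    """Turn the table into records; assumes fields are separated by 2+ spaces."""
    legend = parse_capability_legend(text)
    neighbors: List[CdpNeighbor] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 6:
            raise ValueError(f"unexpected column layout: {line!r}")
        device, local, hold, caps, platform, port = fields
        neighbors.append(CdpNeighbor(device, local, int(hold),
                                     [legend.get(c, c) for c in caps.split()],
                                     platform, port))
    return neighbors


def missed_advertisements(neighbors: List[CdpNeighbor],
                          hello: int = CDP_HELLO_SECONDS,
                          holdtime: int = CDP_HOLDTIME_SECONDS) -> List[CdpNeighbor]:
    """Entries whose holdtime has already counted down past one hello interval.

    A healthy neighbor refreshes the entry every `hello` seconds, so its
    remaining holdtime should stay above holdtime - hello; anything lower means
    at least one advertisement did not arrive (link flap, filtering, or CDP
    disabled on the far side) and the entry will soon age out.
    """
    return [n for n in neighbors if n.holdtime < holdtime - hello]
```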

150 Showing CDP Entries for a Device
routerA#sho cdp entry routerB Device ID: routerB Entry address(es): IP address: CLNS address: APPLETALK ADDRESS: 10.1 Platform: AGS, Capabilities: Router Trans-Bridge Interface: Ethernet0, Port ID (outgoing port): Ethernet0 Holdtime: 155 sec Version: IOS ™ GS Software (GS3), 11.2(13337) [asastry] Copyright © by cisco System, Inc. compiled Tue 14-May-96 1:04 Use the command show cdp entry {device name} to display a single cached CDP entry. Notice that output from this command includes all the Layer 3 addresses present in the neighbor router B: an administrator can see the IP, CLNS, and DECnet network addresses of the targeted CDP neighbor with the single command entry on router A. The holdtime value indicates how long ago the CDP frame arrived with this information. The command includes abbreviated version information about router B. CDP was designed and implemented as a very simple, low-overhead protocol. A CDP frame can be as small as 80 octets, mostly made up of the ASCII strings that represent information like that shown.

151 TCP/IP Overview

152 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe how the TCP/IP implementation relates to the OSI reference Model Identify the functions of the TCP/IP transport-layer protocols Identify the functions of the TCP/IP network-layer protocols Identify the functions performed by ICMP

153 TCP/IP Protocol Stack 7 6 5 4 3 2 1 Application Presentation Session
OSI Reference Model TCP/IP Conceptual Layers 7 6 5 4 3 2 1 Application Presentation Session Transport Network Data Link Physical Application Transport Internet Network Interface Ethernet, 802.3, 802.5, FDDI, and so on The TCP/IP protocol stack maps closely to the OSI reference model in the lower layers. All standard physical and data-link protocols are supported. TCP/IP information is transferred in a sequence of datagrams. One message may be transmitted as a series of datagrams that are reassembled into the message at the receiving location.

154 Application Layer Overview
File Transfer TFTP* FTP NFS Application Transport Internet Network Interface Hardware SMTP Remote Login Telnet* rLogin Network Management SNMP* Application protocols exist for file transfer, , and remote login. Network management is also supported at the application layer. Name Management DNS* *Used by the router

155 Transport Layer

156 Transport Layer Overview
Application Transport Internet Network Interface Hardware Transmission Control Protocol (TCP) User Datagram Protocol (UDP) The transport layer performs two functions: Flow control provided by sliding windows Reliability provided by sequence numbers and acknowledgments Two protocols are provided at the transport layer: TCP and UDP. TCP is a connection-oriented, reliable protocol. It is responsible for breaking messages into segments, reassembling them at the destination station, resending anything that is not received, and reassembling messages from the segments. TCP supplies a virtual circuit between end-user applications. UDP is connectionless and "unreliable." Although UDP is responsible for transmitting messages, no software checking for segment delivery is provided at this layer; hence the description "unreliable." *Used by the router

157 Acknowledgment Number
TCP Segment Format #Bits Source Port Dest. Port Sequence Number Acknowledgment Number HLEN Reserved Code Bits or 32 Field definitions in the TCP segment: Source Port-Number of the calling port Destination Port-Number of the called port Sequence Number-Number used to ensure correct sequencing of the arriving data Acknowledgment Number-Next expected TCP octet HLEN-Number of 32-bit words in the header · Reserved-Set to zero Code Bits-Control functions (such as setup and termination of a session) Window-Number of octets that the sender is willing to accept Checksum-Calculated checksum of the header and data fields Urgent Pointer-Indicates the end of the urgent data Option-One currently defined: maximum TCP segment size · Data-Upper-layer protocol data Window Check-sum Urgent Pointer Option Data...

158 Port Numbers TELNET SMTP FTP TFTP SNMP DNS TCP UDP Application Layer
21 23 25 53 69 161 Both TCP and UDP use port (or socket) numbers to pass information to the upper layers. Port numbers are used to keep track of different conversations crossing the network at the same time. Application software developers agree to use well-known port numbers that are defined in RFC For example, any conversation bound for the FTP application uses the standard port number 21. Conversations that do not involve an application with a well-known port number are assigned port numbers randomly chosen from within a specific range instead. These port numbers are used as source and destination addresses in the TCP segment. Some ports are reserved in both TCP and UDP, but applications might not be written to support them. Port numbers have the following assigned ranges: Numbers below 255 are for public applications. Numbers from 255 to 1023 are assigned to companies for saleable applications. Numbers above 1023 are unregulated. Transport Layer TCP UDP

159 TCP Port Numbers ... Telnet Z Dest.port = 23 Send packet to my Telnet
Source Port Dest. Port ... Telnet Z Host A Host Z Dest.port = 23 Send packet to my Telnet application. End systems use port numbers to select the proper application. Originating source port numbers are dynamically assigned by the source host, usually some number greater than 1023. SP DP 1028 23 ……...

160 TCP Handshake/Open Connection
Host A Host Z Send SYN (seq = x) Receive SYN (seq = x) Send SYN (seq = y, ack = x+1) Receive SYN (seq = y, ack = x+1) Both ends of the connection are synchronized with a three-way handshake/open connection sequence. Exchanging beginning sequence numbers during the connection sequence ensures that lost data can be recovered if problems occur later. Send ACK (ack = y+1) Receive ACK (ack = y+1)

161 TCP Simple Acknowledgement
Sender Receiver Send 1 Receive 1 Send ACK 2 Receive ACK 2 Send 2 Receive 2 Send ACK 3 Receive ACK 3 Send 3 The window size determines how much data the receiving station can accept at one time. With a window size of one, each segment must be acknowledged before another segment is transmitted. This results in inefficient use of bandwidth by the hosts. Receive 3 Send ACK 4 Receive ACK 4 Window size = 1

162 TCP Sliding Window Window size = 3 Send 1 Receive 1 Send 2 Send 3
Sender Receiver Send 1 Receive 1 Send 2 Send 3 Receive 2 Receive 3 Send ACK 4 Receive ACK 4 Send 4 Receive 4 Send 5 Receive 5 Send 6 A larger window size allows more data to be transmitted pending acknowledgment. Window size refers to the number of messages that can be transmitted while awaiting an acknowledgment. After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more messages can be sent. TCP uses expectational acknowledgments, meaning that the acknowledgment number refers to the octet expected next. The "sliding" part of "sliding window" refers to the fact that the window size is negotiated dynamically during the TCP session. A sliding window results in more efficient use of bandwidth by the hosts. Receive 6 Send ACK 7 Receive ACK 7 Window size = 3
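The two ladder diagrams above (window size 1 versus 3) and the case they do not draw, a lost segment, can be played through in code. The simulation below is an added example, not part of the course material; it counts whole segments rather than octets, uses the slides' "Send n / Receive n / Send ACK n" notation, and models a simple receiver that discards anything arriving out of order.

```python
import re
from typing import List, Optional, Set, Tuple


def run_sliding_window(total_segments: int, window: int,
                       lost: Optional[Set[int]] = None) -> Tuple[List[str], int]:
    """Simulate one sliding-window transfer and return (event trace, round trips).

    Segments are numbered 1..total_segments.  Each round the sender transmits up
    to `window` unacknowledged segments; the receiver accepts only the segment it
    expects next (no out-of-order buffering) and answers with a single
    expectational ACK carrying the number of the next segment it wants.  Segment
    numbers in `lost` are dropped the first time they are sent, which forces the
    sender to resend from the oldest unacknowledged segment.
    """
    lost = set(lost or ())
    trace: List[str] = []
    base = 1          # oldest unacknowledged segment (left edge of the window)
    expected = 1      # receiver's next expected segment
    dropped_once: Set[int] = set()
    rounds = 0
    while base <= total_segments:
        rounds += 1
        # send the whole window, then wait for one cumulative ACK
        for seq in range(base, min(base + window, total_segments + 1)):
            trace.append(f"Send {seq}")
            if seq in lost and seq not in dropped_once:
                dropped_once.add(seq)
                trace.append(f"Lost {seq}")
                continue
            if seq == expected:
                trace.append(f"Receive {seq}")
                expected += 1
            else:
                # arrived after a gap: the simple receiver throws it away
                trace.append(f"Discard {seq} (expected {expected})")
        trace.append(f"Send ACK {expected}")
        trace.append(f"Receive ACK {expected}")
        base = expected   # the window slides to the first unacknowledged segment
    return trace, rounds


def segments_sent(trace: List[str]) -> int:
    """Number of data transmissions in a trace (ACKs excluded)."""
    return sum(1 for event in trace if re.fullmatch(r"Send \d+", event))
```

With six segments and no loss the window of 3 finishes in two round trips where a window of 1 needs six; losing segment 2 costs one extra round and two retransmissions, because the discarded segment 3 has to be sent again as well.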

163 UDP Segment Format No sequence or acknowledgement fields
#Bits Source Port Destination Port Length Checksum Data …. No sequence or acknowledgement fields UDP uses no windowing or acknowledgments. Application-layer protocols can provide for reliability. UDP is designed for applications that do not need to put sequences of segments together. Protocols that use UDP include TFTP, SNMP, Network File System (NFS), and Domain Name System (DNS).

164 Network Layer

165 Internet Layer Overview
Application Transport Internet Network Interface Hardware Internet Protocol (IP) Internet Control Message Protocol (ICMP) Address Resolution Protocol (ARP) Reverse Address Resolution Protocol (RARP) Several protocols operate at the TCP/IP Internet layer, which corresponds to the OSI network layer: IP provides connectionless, best-effort delivery routing of datagrams. It is not concerned with the content of the datagrams. Instead, it looks for a way to move the datagrams to their destination. ICMP provides control and messaging capabilities. ARP determines the data link layer address for known IP addresses. RARP determines network addresses when data link layer addresses are known. The OSI network layer corresponds to the TCP/IP Internet layer

166 Destination IP Address
IP Diagram #Bits VERS HLEN Type of service Total Length Frag Offset TTL Identification Flags var Field definitions within this IP datagram are as follows: · VERS-Version number HLEN-Header length in 32-bit words Type of Service-How the datagram should be handled Total Length-Total length (header + data) Identification, Flags, Frag Offset-Provide fragmentation of datagrams to allow differing MTUs in the Internet TTL-Time-To-Live Protocol-Upper-layer (Layer 4) protocol sending the datagram Header Checksum-Integrity check on the header Source and Destination IP addresses-32-bit IP addresses IP Options-Network testing, debugging, security, and others Header Checksum Source IP Address Destination IP Address IP Option Data... Protocol

167 Protocol Field Determines destination upper-layer protocol TCP UDP IP
Transport Layer Protocol Numbers 6 17 IP Internet Layer The protocol field determines the Layer 4 protocol being carried within an IP datagram. Although most IP traffic uses TCP, there are other protocols that can use IP. Each IP header must identify the destination Layer 4 protocol for the datagram. Transport-layer protocols are numbered, similar to port numbers. IP includes the protocol number in the protocol field. Determines destination upper-layer protocol
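The TCP segment, UDP segment and IP datagram layouts from the preceding slides, and the protocol field that ties them together, are easiest to understand by decoding real bytes. The parser below is an added example, not code from the course; the two packets it decodes are constructed in the block (a Telnet SYN from port 1028 to 23, as on the port-number slide, and a TFTP request to UDP port 69), with Layer 4 checksums left at zero.

```python
import struct
from typing import Any, Dict

# IP protocol-field values named on the slide (TCP = 6, UDP = 17), plus ICMP.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                 ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of the data, complemented (IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Decode the IP datagram fields listed on the slide and verify the checksum."""
    (vers_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = vers_hlen >> 4, (vers_hlen & 0xF) * 4    # HLEN is in 32-bit words
    if version != 4 or hlen < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 datagram")
    return {
        "version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "protocol_name": PROTO_NAMES.get(proto, str(proto)),
        # a correct header sums to 0xFFFF, so the complemented result is 0
        "checksum_ok": ones_complement_checksum(packet[:hlen]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[hlen:total_len],
    }


def parse_tcp(segment: bytes) -> Dict[str, Any]:
    """Decode the TCP segment format from the slide (20-byte fixed header + options)."""
    (sport, dport, seq, ack, off_res, code_bits,
     window, _checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4                # data offset, again in 32-bit words
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "hlen": hlen,
        "flags": {name: bool(code_bits & bit) for name, bit in TCP_FLAG_BITS},
        "window": window, "urgent_pointer": urgent,
        "options": segment[20:hlen], "data": segment[hlen:],
    }


def parse_udp(segment: bytes) -> Dict[str, Any]:
    """Decode the 8-byte UDP header: ports, length, checksum, then data."""
    sport, dport, length, _checksum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "data": segment[8:length]}


def parse_packet(packet: bytes) -> Dict[str, Any]:
    """IP first, then dispatch on the protocol field to the Layer 4 parser."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == 6:
        ip["transport"] = parse_tcp(ip["payload"])
    elif ip["protocol"] == 17:
        ip["transport"] = parse_udp(ip["payload"])
    return ip


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test datagram: 20-byte header (DF set) with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


# Constructed samples: a Telnet SYN (source port 1028 -> 23, as on the slide)
# and a TFTP read request (UDP port 69).  Layer 4 checksums are left zero.
TELNET_SYN = build_ipv4("172.16.122.204", "172.16.122.1", 6,
                        struct.pack("!HHIIBBHHH", 1028, 23, 0x1000, 0, 5 << 4, 0x02, 4096, 0, 0))
TFTP_RRQ_DATA = b"\x00\x01" + b"router-confg\x00" + b"octet\x00"
TFTP_RRQ = build_ipv4("172.16.122.204", "172.16.122.10", 17,
                      struct.pack("!HHHH", 1029, 69, 8 + len(TFTP_RRQ_DATA), 0) + TFTP_RRQ_DATA)
```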

168 Internet Control Message Protocol (ICMP)
Application Transport Internet Network Interface Hardware Destination Unreachable Echo (Ping) Other ICMP The ICMP is implemented by all TCP/IP hosts. ICMP messages are carried in IP datagrams and are used to send error and control messages. ICMP uses the following types of defined messages. Others exist that are not included on this list: Destination Unreachable Time Exceeded Parameter Problem Source Quench Redirect · Echo Echo Reply Timestamp Timestamp Reply Information Request · Information Reply Address Request · Address Reply

169 Destination unreachable
ICMP Testing I do not know how to get to Z! Send ICMP Send data to Z Host A Data Network To Z Destination unreachable Destination unreachable Host or port unreachable Network unreachable If a router receives a packet that it is unable to deliver to its ultimate destination, the router sends an ICMP host unreachable message to the source. The message might be undeliverable because there is no known route to the destination.

170 ICMP Testing (cont.) Generated by the ping command Is B reachable ?
Yes, I am here. Host A Host B ICMP Echo Request ICMP Echo Reply An echo reply is a successful reply to a ping command; however, results could include other ICMP messages, such as unreachables and timeouts. Generated by the ping command

171 Address Resolution Protocol (ARP)
I heard that broadcast, that is me. Here is my Ethernet address. I need the Ethernet address of Host B IP: = ??? ARP is used to resolve or map a known IP address to a MAC sublayer address to allow communication on a multiaccess medium such as Ethernet. To determine a destination address for a datagram, the ARP cache table is checked. If the address is not in the table, ARP sends a broadcast looking for the destination station. Every station on the network receives the broadcast. The term local ARP is used to describe resolving an address when both the requesting host and the destination host share the same media or wire. Prior to issuing the ARP, the subnet mask was consulted. The mask determined that the nodes are on the same subnet. IP: = Ethernet: Map IP Ethernet Local ARP

172 Reverse ARP (RARP) Map Ethernet IP
What is my IP address? I heard that broadcast. IP address is Ethernet: IP = ??? Ethernet: IP: RARP relies on the presence of a RARP server with a table entry or other means to respond to these requests. On the local segment, RARP can be used to initiate a remote operating system load sequence. Map Ethernet IP ARP and RARP are implemented directly on top of the data link layer

173 Summary The TCP/IP protocol stack has the following components:
Protocols to support file transfer, , remote login, and other applications Reliable and “unreliable” transports Connectionless datagram delivery at the network layer ICMP provides control and message functions at the network layer

174 IP Address Configuration

175 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe the different classes of IP addresses Configure IP addresses Verify IP addresses

176 TCP/IP Address Overview

177 IP Addressing 172 . 16 . 122 . 204 Network Host 32 Bits 8 Bits 8 Bits
The IP address is 32 bits in length and has two parts: Network number Host number The address format is known as dotted decimal notation. Example address: Each bit in the octet has a binary weight, such as ( 128,...4, 2, 1 ). The minimum value for an octet is 0; it contains all 0s. The maximum value for an octet is 255; it contains all 1s. The allocation of addresses is managed by a central authority.

178 IP Address Classes Class A: Class B: Class C: Class D: for multicast
Class E: for research N= Network number assigned by NIC H= Host number assigned by network administrator N H H H N N H H N N N H When IP was first developed, there were no classes of addresses. Now, for ease of administration, the IP addresses are broken up into classes. There are only 126 Class A address spaces, but each one can contain approximately 16 million hosts. There are 65,534 Class B address spaces with 65,534 hosts each. There are more than 16 million Class C address spaces possible, but they only have 254 hosts each. This scheme allows the administrative authority to assign addresses based on the size of the network. That authority designed this system on the assumption that there would be many more small networks than large networks in the world. Note Class D and E addresses are also defined. Class D addresses start at and are used for multicast purposes. Class E addresses start at and are used for experimental purposes.

179 Recognizing Classes in IP Addresses (First Octet Rule)
High-order bits of the first octet and the resulting address class:
· 0 : Class A
· 10 : Class B
· 110 : Class C
The first octet rule states that the class of an address can be determined by the numerical value of the first octet. Once the first octet rule is applied, the router knows how many bits it must match to interpret the network portion of the address (based on the standard address class). If there is no further identification of additional bits to use as part of the network address, the router can make a routing decision using this classful network number alone.

180 Configuring IP Addresses

181 Host Addresses
Figure: a router with interfaces E0 and E1, each configured with a host address on network 172.16; the routing table lists networks against the interface that reaches them.
Each device or interface must have a nonzero host number. A host address of all ones is reserved for an IP broadcast into that network. A host value of zero means "this network" or "the wire itself" (that is, the network address with all host bits zero). It was also used for IP broadcasts in some early TCP/IP implementations, although it is rarely found now. The routing table contains entries for network or wire addresses; it usually does not contain any information about hosts. An IP address and subnet mask on an interface achieve three purposes:
· They enable the system to process the receipt and transmission of packets.
· They specify the device's local address.
· They specify the range of addresses that share the cable with the device.

182 Subnet Addressing
Figure: the same router with E0 and E1, but the routing table now lists subnets of 172.16 against interfaces; the address 172.16.2.160 is divided into network 172.16, subnet 2 and host 160.
From the addressing standpoint, subnets are an extension of the network number. Network administrators decide the size of subnets based on organization and growth needs. Network devices use subnet masks to identify which part of the address is considered network and which remaining part is left for host addressing.

183 Subnet Mask
Figure: a 172.16 address shown with its default (Class B) mask 255.255.0.0, giving network and host parts; with 8-bit subnetting the mask becomes 255.255.255.0, giving network, subnet and host parts.
An IP address is 32 bits in size, written as four octets. The subnet mask is also 32 bits in size, written as four octets. The layout of the subnet mask field is as follows:
· Binary 1 for the network bits
· Binary 1 for the subnet bits
· Binary 0 for the host bits
Subnet masks indicate which of the bits in the host field are used to specify different parts (subnets) of a particular network. Host bits are taken for subnetting starting at the high-order bit position, so the ones in a valid mask are always contiguous.

184 Broadcast Address (directed broadcast and local network broadcast)
Broadcasting is supported on the Internet. Broadcast messages are those you want every host on the network to see. The broadcast address is formed by using all ones within the IP address. The Cisco IOS software supports two kinds of broadcasts: directed broadcasts and flooded broadcasts. Flooded (local network) broadcasts, with all 32 bits set to one, are not propagated by the router; they are treated as local broadcasts. Broadcasts directed into a specific network are allowed and are forwarded by the router. These directed broadcasts contain all ones in the host portion of the address.
Caveat: forwarding directed broadcasts lets a host outside a network make every host on that network answer a single packet, which is the basis of smurf-style amplification. Later IOS releases (12.0 and up) therefore ship with no ip directed-broadcast on interfaces by default; check the setting before enabling it.

185 IP Address Configuration
Router (config-if) # ip address ip-address subnet-mask
Assigns an address and subnet mask and starts IP processing on an interface.
Router (config) # term ip netmask-format
Sets the format in which network masks are shown in show commands.
Use the ip address command to establish the logical network address of this interface.
Command / Description:
· ip-address : a 32-bit dotted decimal number.
· subnet-mask : a 32-bit dotted decimal number indicating which bit positions must match; ones indicate positions that must match, and zeros indicate positions that do not.
Use the term ip netmask-format command to specify the format of network masks for the current session. Format options are bit count, dotted decimal (the default) and hexadecimal.
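The first-octet rule, the default class masks, the network/subnet/host split for a given mask, the directed-broadcast address and the three mask notations of the preceding slides, as an added Python example (not from the slides or from Cisco). It uses the address the slides show, 172.16.122.204; the helper names and the constructed test addresses are this example's own.

```python
"""IPv4 classful addressing helpers (added example, not slide material)."""
import ipaddress
from typing import Dict


def address_class(addr: str) -> str:
    """First-octet rule: inspect the high-order bits of the first octet."""
    first = int(addr.split(".")[0])
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def default_mask(addr: str) -> str:
    """Mask implied by the class; D and E addresses have no host part."""
    cls = address_class(addr)
    if cls not in DEFAULT_MASK:
        raise ValueError(f"class {cls} address {addr} has no default mask")
    return DEFAULT_MASK[cls]


def mask_formats(mask: str) -> Dict[str, str]:
    """The renderings `term ip netmask-format` switches between.
    Also rejects masks whose ones are not contiguous."""
    n = int(ipaddress.IPv4Address(mask))
    bits = bin(n).count("1")
    if n != ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {mask}")
    return {"decimal": mask, "bit-count": f"/{bits}", "hexadecimal": f"0x{n:08X}"}


def split_address(addr: str, mask: str) -> Dict[str, object]:
    """Network, subnet and host parts plus the directed broadcast of addr/mask.
    Subnet bits are the ones set in mask but not in the class default."""
    mask_formats(mask)  # validate contiguity
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    d = int(ipaddress.IPv4Address(default_mask(addr)))
    if m & d != d:
        raise ValueError(f"mask {mask} is shorter than the class default")
    host_bits = 32 - bin(m).count("1")
    network = a & m
    host = a & ~m & 0xFFFFFFFF
    return {
        "class": address_class(addr),
        "network": str(ipaddress.IPv4Address(a & d)),
        "subnet": str(ipaddress.IPv4Address(network)),
        "subnet_bits": bin(m & ~d & 0xFFFFFFFF).count("1"),
        "host": host,
        "directed_broadcast": str(ipaddress.IPv4Address(network | (~m & 0xFFFFFFFF))),
        "usable_hosts": max(0, 2 ** host_bits - 2),
        # all-zeros and all-ones host parts are reserved, as slide 181 says
        "host_valid": 0 < host < 2 ** host_bits - 1,
    }


if __name__ == "__main__":
    print(split_address("172.16.122.204", "255.255.255.0"))
    print(mask_formats("255.255.255.0"))
```

With the slide's address and an 8-bit subnet mask the result is class B, network 172.16.0.0, subnet 172.16.122.0, host 204 and directed broadcast 172.16.122.255; a mask such as 255.255.0.255 is rejected because its ones are not contiguous.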

186 IP Host Names
Router (config) # ip host name [tcp-port-number] address [address] . . .
Defines a static host-name-to-IP-address mapping, so hosts and interfaces can be selected by name or by IP address.
The ip host command makes a static name-to-address entry in the router's configuration file.
Command / Description:
· name : any name you prefer to describe the destination.
· tcp-port-number : optional number that identifies the TCP port to use when the host name is given to an EXEC connect or telnet command. The default is port 23 (Telnet).
· address : the IP address or addresses where the device can be reached.
In the example, ip host tokyo lists two addresses, so the name tokyo resolves to either of them; ip host kyoto defines kyoto as a name equivalent for a single address.

187 Name Server Configuration
Router (config) # ip name-server server-address1 [server-address2 ... server-address6]
Specifies one or more hosts that supply host name information.
The ip name-server command defines which hosts provide the name service. A maximum of six IP addresses can be specified as name servers in a single command. To map domain names to IP addresses, you must identify the host names, then specify a name server, and enable the Domain Name System (DNS). Any time the operating system software receives a command or address it does not recognize, it refers to DNS for the IP address of that device. Point this command only at name servers you control: the router accepts whatever answer it receives.

188 Name System
Router (config) # ip domain-lookup
DNS lookup is enabled by default.
Router (config) # no ip domain-lookup
Turns off the name service.
Each unique IP address can have a host name associated with it. The Cisco IOS software maintains a cache of host name-to-address mappings for use by EXEC commands. This cache speeds the process of converting names to addresses. IP defines a naming scheme that allows a device to be identified by its location in the name space. A name such as ftp.cisco.com identifies the FTP host in Cisco's domain. To keep track of domain names, IP identifies a name server that manages the name cache. DNS lookup is enabled by default and, until an ip name-server is configured, queries go to the local broadcast address (all ones), so any host on the attached segment can answer them. The no ip domain-lookup command turns off name-to-address translation in the router; it then sends no name queries at all.
Practical note: because an unrecognized word at the EXEC prompt is treated as a host name, a mistyped command triggers a DNS lookup (and a Telnet attempt) that stalls the session while it waits for an answer. On lab routers no ip domain-lookup avoids this; where name resolution is wanted, configure explicit, trusted name servers instead of relying on the broadcast default.

189 Simple Ping
Router> ping 172.16.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/6/6 ms
Router>
Tests IP network connectivity. The ping command sends ICMP echo packets and is supported in both user and privileged EXEC mode. In this example, one ping timed out, as reported by the dot (.), and four were successfully received, as shown by the exclamation points (!). These are the characters the ping test may return:
· ! : successful receipt of an echo reply
· . : timed out waiting for the datagram reply
· U : destination unreachable error
· C : congestion-experienced packet
· I : ping interrupted (for example, Ctrl-Shift-6 X)
· ? : packet type unknown
· & : packet time to live exceeded

190 Extended Ping
Router# ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
Router#
Ping is supported for several protocols. The extended ping command is supported only from privileged EXEC mode. You can use the extended mode of the ping command to specify the supported Internet header options. To enter the extended mode, answer y at the "Extended commands" prompt.

191 IP Trace
Router# trace aba.nyc.mil
Type escape sequence to abort.
Tracing the route to aba.nyc.mil ( )
1 debris.cisco.com ( ) msec 8 msec 4 msec
2 barrnet-gw.cisco.com ( ) 8 msec 8 msec 8 msec
3 externa-a-gateway.stanford.edu ( ) 8 msec 4 msec 4 msec
4 bb2.su.barrnet.net ( ) 8 msec 8 msec 8 msec
5 su.arc.barrnet.net ( ) 12 msec 12 msec 8 msec
6 moffett-fld-mb.in.mil ( ) 216 msec 120 msec 132 msec
7 aba.nyc.mil ( ) 412 msec * msec
Shows the interface addresses used to reach the destination. Host names are shown if the addresses are translated dynamically or via static host table entries. The times listed represent the time required for each of three probes to return.
Note: trace is supported by IP, CLNS, VINES, and AppleTalk.
When the trace reaches the target destination, an asterisk (*) is reported at the display. This normally is caused by the receipt of a port-unreachable packet and the time out in response to the probe packet. Other responses include:
· !H : the probe was received by the router but not forwarded, usually because of an access list.
· P : the protocol was unreachable.
· N : the network was unreachable.
· U : the port was unreachable.
· * : time out.

192 Summary
· IP addresses are specified in 32-bit dotted decimal format.
· A router interface can be configured with an IP address.
· The ping and trace commands can be used to verify IP address configuration.

193 IP Routing Configuration

194 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
· Perform the initial configuration of your router and enable IP
· Add the RIP routing protocol to your configuration
· Add the IGRP routing protocol to your configuration
This chapter discusses how to configure IP routing. It includes a discussion of RIP routing and IGRP routing. Sections: Configuring IP Routing, Configuring RIP, Configuring IGRP.

195 IP Routing Learns Destinations
Routers learn paths to destinations in three different ways:
· Static routes: manually defined by the system administrator as the only path to the destination. Useful for controlling security and reducing traffic.
· Default routes: manually defined by the system administrator as the path to take when no route to the destination is known.
· Dynamic routing: the router learns paths to destinations by receiving periodic updates from other routers.

196 Static Route Configuration
Router (config) # ip route network [mask] {address | interface} [distance]
Defines a path to an IP destination network or subnet.
The ip route command sets up a static route.
Command / Description:
· network : destination network or subnet.
· mask : subnet mask.
· address : IP address of the next-hop router.
· interface : name of the interface to use to reach the destination network.
· distance : the administrative distance.
The administrative distance is a rating of the trustworthiness of a routing information source, expressed as a numeric value from 0 to 255. The higher the number, the lower the trustworthiness. When two sources offer a route to the same destination, the router installs the one with the lower administrative distance. A static route allows manual configuration of the routing table. No dynamic changes to this table entry will occur as long as the path is active. A static route may reflect some special knowledge of the networking situation known to the network administrator. The default administrative distance of a static route is 1, so a dynamically learned route (RIP uses 120) cannot displace it; that is what makes static routes useful for controlling security. Routing updates are not sent on a link that is defined only by a static route, thereby conserving bandwidth.

197 Static Route Configuration
Cisco A S1 Cisco B S0 E0 S2 S0 Iin this example: ip route Command Description ip route Specifies a static route to the destination subnetwork Subnet mask indicates that 8 bits of subnetting are in effect IP address of next hop router in the path to the destination The assignment of a static route to reach the stub network is proper for Cisco A because there is only one way to reach that network. The assignment of a static route from Cisco B to the cloud networks is also possible. However, a static route assignment is required for each destination network, so a default route may be more appropriate. ip route

198 Default Route Configuration
Router (config) # ip default-network network-number
Defines a default route.
The ip default-network command establishes a default route:
· network-number : IP network number or subnet number defined as the default.
When an entry for the destination network does not exist in the routing table, the packet is sent toward the default network. The default network must itself exist in the routing table; ip default-network only flags that network as a candidate default (the * code in show ip route). Default routes keep routing tables shorter. Use the default network number when you need a route but have only partial information about the destination network. Because the router does not have complete knowledge about all destination networks, it can use a default network number to indicate the direction to take for unknown network numbers.

199 Default Route Example
Figure: Company X's router Cisco A connects its internal networks to a public network; the network 192.168.17.0 with its subnet mask lies on the public side.
In the example, the global command ip default-network 192.168.17.0 defines the Class C network 192.168.17.0 as the destination path for packets that have no routing table entry. Router A also needs protection for its routing updates: the Company X administrator does not want updates coming in from the public network, so incoming updates on that interface should be filtered (for RIP, an incoming distribute-list on the router rip process) rather than accepted from any router that sends them. Router A may further need a mechanism to group the networks that share Company X's routing strategy; one such mechanism is an autonomous system number.
Configuration on Cisco A:
router rip
network (internal network)
network (public network)
ip default-network 192.168.17.0

200 Interior or Exterior Routing Protocols
Figure: Autonomous System 100 and Autonomous System 200, each running an interior protocol inside and an exterior protocol between them.
Exterior routing protocols are used to communicate between autonomous systems. Interior routing protocols are used within a single autonomous system. Interior routing protocols covered here: RIP and IGRP.

201 IP Routing Protocol Mode
Router (config)# router ? bgp Border Gateway Protocol (BGP) egp Exterior Gateway Protocol (EGP) eigrp Enhanced Interior Gateway Routing Protocol (EIGRP) igrp Interior Gateway Routing Protocol (IGRP) sisis ISO-IS IS iso-igrp IGRP for OSI network mobile Mobile router odr On Demand stub Router ospf Open Shorted Path First (OSPF) rip Routing Information Protocol (RIP) static Static routes Router (config) # router rip Router configuration commands: default-information control distribution of default information default-metric Set metric of redistrative router distance Define an administrative distance distance-list Filter network in routing updates exit Exit from routing protocol configuration mode --- More --- Router (config-router) # ? After a routing protocol is enabled by a global command, the router configuration mode prompt Router (config-router)# is displayed. Type a question mark (?) to list the router configuration commands.

202 Interior IP Routing Protocols
· Routing Information Protocol (RIP)
· Interior Gateway Routing Protocol (IGRP)
· Open Shortest Path First (OSPF)
· Enhanced IGRP (EIGRP)
Figure: the TCP/IP layers (Application, Transport, Internet, Network Interface, Hardware), with the routing protocols placed at the Internet layer.
At the Internet layer of the TCP/IP suite of protocols, a router uses an IP routing protocol to accomplish routing through the implementation of a specific routing algorithm. Examples of IP routing protocols include:
· RIP : a distance vector routing protocol
· IGRP : Cisco's distance vector routing protocol
· OSPF : a link-state routing protocol
· Enhanced IGRP : a balanced hybrid routing protocol
The following pages teach you how to configure the first two of these protocols.

203 IP Routing Configuration Tasks
Figure: global configuration selects the routing protocol(s) (RIP, IGRP) and specifies the network(s); interface configuration verifies each interface's address and subnet mask.
The selection of an IP routing protocol involves the setting of both global and interface parameters. Global tasks: select a routing protocol, RIP or IGRP, and assign IP network numbers without specifying subnet values. The interface task is to assign network/subnet addresses and the appropriate subnet mask. Dynamic routing uses broadcasts and multicasts to communicate with other routers. The routing metric helps routers find the best path to each network or subnet.

204 Dynamic Routing Configuration
Router (config) # router protocol [keyword] Defines an IP routing protocol Router (config-router) # Network network-number The router command starts a routing process. Command Description router protocol Either RIP, IGRP, OSPF, or Enhanced IGRP. keyword Such as autonomous system, which is used with those protocols that require an autonomous system, such as EIGRP. The network command is required because it allows the routing process to determine which interfaces will participate in the sending and receiving of routing updates. network network-number Specifies a directly connected network. The network number must be based on the NIC network numbers, not subnet numbers or individual addresses. The network subcommand is a mandatory configuration command for each IP routing process

205 Routing Information Protocol

206 RIP Overview
Figure: two paths between a pair of routers, one a single 19.2 kbps hop and the other three T1 hops; hop count picks the single slow hop.
The RIP protocol was originally specified in an IETF RFC. Key characteristics of RIP include the following:
· It is a distance vector routing protocol.
· Hop count is used as the metric for path selection, so the 19.2 kbps hop above wins over the three T1 hops.
· The maximum allowable hop count is 15; 16 means unreachable.
· Routing updates are broadcast every 30 seconds by default.
Caveat: RIP version 1 updates carry no authentication, so any host on a segment where the router sends and accepts RIP can inject routes. Limit where updates are accepted (incoming distribute-list, or no RIP at all on untrusted interfaces) before relying on what show ip route reports.

207 RIP Configuration
Router (config) # router rip
Starts the RIP routing process.
Router (config-router) # network network-number
Selects the participating attached networks.
The router rip command selects RIP as the routing protocol. The network command names a classful (NIC-assigned) network to which the router is directly connected. The routing process associates interfaces with the proper addresses and begins processing RIP packets on the specified networks.

208 RIP Configuration Example
Token Ring Cisco E T0 S1 S0 S2 Cisco A Cisco B Cisco C Cisco D Cisco A In the example: router rip-Selects RIP as the routing protocol. network Specifies a directly connected network. network Specifies a directly connected network. The Cisco A router interfaces connected to networks and will send and receive RIP updates. These routing updates allow the router to learn the network topology. router rip network network Token Ring

209 Monitoring IP
Router> show ip protocol
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 13 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
                                  00:00:14
                                  00:00:19
                                  00:00:03
  Distance: (default is 120)
The show ip protocol command displays values about routing timers and network information associated with the entire router. Use this information to identify a router that is suspected of delivering bad routing information; the Routing Information Sources list shows which neighbours the router has accepted updates from, and the filter-list lines show whether any update filtering is in effect. This router sends updated routing table information every 30 seconds (the interval is configurable). It has been 17 seconds since it sent its last update, and the next one will be sent in 13 seconds. The router is injecting routes for the networks listed after the Routing for Networks line.

210 Displaying the IP Routing Table
Router> show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP,
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area,
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
Gateway of last resort is not set
     (network) is subnetted (mask is ...), 1 subnets
C       (subnet) is directly connected, Ethernet0
R       (subnet) [120/1] via ..., 00:00:09, Ethernet0
     (network) is subnetted (mask is ...), 4 subnets
R       (subnet) [120/1] via ..., 00:00:17, Serial0
                 [120/1] via ..., 00:00:17, Serial1
C       (subnet) is directly connected, Ethernet0
C       (subnet) is directly connected, Serial1
C       (subnet) is directly connected, Serial0
The show ip route command displays the contents of the IP routing table. The routing table contains entries for all known networks and subnetworks, each with a code indicating how that information was learned. For RIP entries the bracketed pair is [administrative distance/metric], so [120/1] is a RIP route one hop away; the entry with two via lines is a destination reachable at equal cost over Serial0 and Serial1.
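The behaviour behind the static-route, default-route and show ip route slides, as an added Python example (not IOS code and not from the slides): it parses a constructed show ip route listing, installs only the most trustworthy route per prefix by administrative distance, answers lookups by longest prefix match, and falls back to the gateway of last resort (0.0.0.0/0) when nothing more specific matches. The addresses in the sample output are made up for this example.

```python
"""Routing table parser and lookup (added example, not slide material)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the IOS layout: a classful header line supplies the
# mask for the indented subnet entries that follow it.
SAMPLE_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, * - candidate default
Gateway of last resort is 10.1.1.2 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.1.0 is directly connected, Ethernet0
R       172.16.2.0 [120/1] via 172.16.1.2, 00:00:09, Ethernet0
S       172.16.3.0 [1/0] via 172.16.1.3
S*   0.0.0.0/0 [1/0] via 10.1.1.2
C    10.1.1.0/24 is directly connected, Serial0
"""


@dataclass(frozen=True)
class Route:
    code: str                        # C, S, R, S* ... as in the Codes legend
    network: ipaddress.IPv4Network
    distance: int                    # administrative distance, lower is more trusted
    metric: int
    via: str                         # next-hop address, or "connected"
    interface: Optional[str]


def make_route(code: str, cidr: str, distance: int, metric: int,
               via: str, interface: Optional[str] = None) -> Route:
    return Route(code, ipaddress.IPv4Network(cidr, strict=False), distance, metric, via, interface)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, Route] = {}

    def install(self, route: Route) -> bool:
        """Install route unless an equally or more trustworthy one is present."""
        current = self.routes.get(route.network)
        if current is not None and current.distance <= route.distance:
            return False
        self.routes[route.network] = route
        return True

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix match. 0.0.0.0/0 matches everything, so the gateway
        of last resort is chosen only when no longer prefix covers the address."""
        dest = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes.values() if dest in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.network.prefixlen)


SUBNET_HEADER = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is subnetted")
ENTRY = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:is directly connected, (?P<iface>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>\d+\.\d+\.\d+\.\d+)"
    r"(?:, [\d:]+)?(?:, (?P<viaif>\S+))?)$"
)


def parse_show_ip_route(text: str) -> RoutingTable:
    table = RoutingTable()
    current_len: Optional[int] = None
    for line in text.splitlines():
        header = SUBNET_HEADER.match(line)
        if header:
            current_len = int(header.group(1))   # mask for the indented lines below
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # legend, gateway-of-last-resort line, blanks
        plen = int(m["len"]) if m["len"] else current_len
        if plen is None:
            raise ValueError(f"no mask known for entry: {line!r}")
        net = ipaddress.IPv4Network(f"{m['net']}/{plen}", strict=False)
        if m["iface"]:
            route = Route(m["code"], net, 0, 0, "connected", m["iface"])
        else:
            route = Route(m["code"], net, int(m["ad"]), int(m["metric"]), m["via"], m["viaif"])
        table.install(route)
    return table


def next_hop(table: RoutingTable, destination: str) -> Optional[str]:
    """Interface for connected networks, next-hop router otherwise; None = dropped."""
    route = table.lookup(destination)
    if route is None:
        return None
    return route.interface if route.via == "connected" else route.via


if __name__ == "__main__":
    rt = parse_show_ip_route(SAMPLE_SHOW_IP_ROUTE)
    for dst in ("172.16.2.7", "10.1.1.9", "192.168.17.5"):
        print(dst, "->", next_hop(rt, dst))
```

A packet for 192.168.17.5 matches no subnet and goes to the gateway of last resort 10.1.1.2; a RIP route (distance 120) offered for 172.16.3.0 is refused because the static route (distance 1) is already installed, while a new static route for 172.16.2.0 displaces the RIP route there.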

211 Interior Gateway Routing Protocol

212 IGRP Overview
Figure: the same two paths as on the RIP slide, a single 19.2 kbps hop against three T1 hops; IGRP's composite metric picks the three T1 hops.
The composite metric (bandwidth and delay, with the default K values) selects the path; speed is the primary consideration, so a longer path over faster links wins over a single slow hop.

213 IGRP Configuration
Router (config) # router igrp autonomous-system
Defines IGRP as an IP routing process. The autonomous-system number must be the same on every router that is to exchange IGRP updates; routers in different IGRP autonomous systems do not share routes.
Router (config-router) # network network-number
Selects the participating attached networks (classful network numbers, as for RIP).

214 IGRP Configuration Example
Token Ring Cisco E T0 S1 S0 S2 Cisco A Cisco B Cisco C Cisco D Cisco A router igrp 109 network network Token Ring

215 show ip protocol Command
Router> show ip protocol
Routing Protocol is "igrp 300"
  Sending updates every 90 seconds, next due in 55 seconds
  Invalid after 270 seconds, hold down 280, flushed after 630
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  IGRP maximum hopcount 100
  IGRP maximum metric variance 1
  Redistributing: igrp 300
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
                                  00:00:14
                                  00:00:19
                                  00:00:03
  Distance: (default is 100)
 --More--
For IGRP the output adds the K values of the composite metric (with the defaults K1=1 and K3=1 only bandwidth and delay count), the maximum hop count and the variance. IGRP sends updates every 90 seconds by default, and its default administrative distance is 100, so an IGRP route is preferred over a RIP route (120) to the same destination.
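The path choice on the RIP and IGRP overview slides (a direct 19.2 kbps line against three T1 hops), worked through as an added Python example that is neither slide material nor Cisco code. Every loop-free path between router A and router D is scored the way RIP does (hop count, 16 = unreachable) and the way IGRP does with the K values show ip protocol prints (K1=1, K3=1, the rest 0). The router names are constructed; the 20000-microsecond link delay is the IOS default for serial interfaces and is an assumption of this example.

```python
"""RIP hop count versus IGRP composite metric (added example, not slide material)."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Link = Tuple[int, int]  # (bandwidth in kbit/s, delay in microseconds)

# Undirected links of the slide figure; names A..D are constructed.
TOPOLOGY: Dict[FrozenSet[str], Link] = {
    frozenset({"A", "D"}): (19, 20000),    # 19.2 kbps line (IOS bandwidth is whole kbps)
    frozenset({"A", "B"}): (1544, 20000),  # T1
    frozenset({"B", "C"}): (1544, 20000),  # T1
    frozenset({"C", "D"}): (1544, 20000),  # T1
}

RIP_INFINITY = 16  # a hop count of 16 means unreachable


def neighbours(node: str) -> List[str]:
    return [next(iter(link - {node})) for link in TOPOLOGY if node in link]


def all_paths(src: str, dst: str, seen: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Every loop-free path from src to dst (small topology, so brute force)."""
    seen = seen + (src,)
    if src == dst:
        return [seen]
    paths: List[Tuple[str, ...]] = []
    for nxt in neighbours(src):
        if nxt not in seen:
            paths.extend(all_paths(nxt, dst, seen))
    return paths


def links_on(path: Tuple[str, ...]) -> List[Link]:
    return [TOPOLOGY[frozenset({a, b})] for a, b in zip(path, path[1:])]


def rip_metric(path: Tuple[str, ...]) -> Optional[int]:
    """Hop count; None once the path exceeds RIP's 15-hop limit."""
    hops = len(path) - 1
    return hops if hops < RIP_INFINITY else None


def igrp_metric(path: Tuple[str, ...], k1: int = 1, k2: int = 0, k3: int = 1,
                k4: int = 0, k5: int = 0, load: int = 1, reliability: int = 255) -> int:
    """IGRP composite metric: bandwidth term = 10^7 / slowest link (kbps),
    delay term = sum of link delays in units of 10 microseconds.  With the
    default K values the metric reduces to bandwidth + delay."""
    links = links_on(path)
    bandwidth = 10_000_000 // min(bw for bw, _ in links)
    delay = sum(d for _, d in links) // 10
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric


def best_path(src: str, dst: str,
              metric: Callable[[Tuple[str, ...]], Optional[int]]) -> Optional[Tuple[List[str], int]]:
    """The path a router using the given metric would install, with its metric."""
    scored = []
    for path in all_paths(src, dst):
        m = metric(path)
        if m is not None:
            scored.append((m, path))
    if not scored:
        return None
    m, path = min(scored, key=lambda mp: (mp[0], len(mp[1])))
    return list(path), m


if __name__ == "__main__":
    print("RIP :", best_path("A", "D", rip_metric))
    print("IGRP:", best_path("A", "D", igrp_metric))
```

RIP installs the one-hop path over the 19.2 kbps line; IGRP scores that path at 526315 + 2000 and the three-hop T1 path at 6476 + 6000, so it installs the T1 path, which is the "speed is the primary consideration" point of the slide.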

216 Summary Routers can be configured to use one or more IP routing protocols Two IP routing protocols are: RIP IGRP

217 Configuring Novell IPX

218 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe the Novell IPX protocol stack Describe key features of Novell IPX List the required IPX address and encapsulation type Enable the Novell IPX protocol and configure interfaces Monitor Novell IPX operation on the router

219 IPX Routing Overview

220 Novell IPX Protocol Stack
Figure: the NetWare 3.x/4.x protocols against the OSI reference model. Upper layers: RIP, SAP, NCP, NLSP and other protocols; transport: SPX; network: Internetwork Packet Exchange (IPX); data link and physical: Open Data-Link Interface (ODI) over the medium access protocols (Ethernet, Token Ring, WAN, others).
Novell's Internetwork Packet Exchange (IPX) is a proprietary protocol derived from the Xerox Network Systems (XNS) protocol. Novell IPX is:
· A datagram, connectionless protocol that does not require an acknowledgment for each packet.
· A Layer 3 protocol that defines the internetwork and internode addresses.
· The router-level specification that identifies the Novell NetWare protocol suite.
Novell IPX uses:
· Routing Information Protocol (RIP) to exchange routing information.
· The proprietary Service Advertisement Protocol (SAP) to advertise network services.
· NetWare Core Protocol (NCP) to provide client-to-server connections and applications.
· Sequenced Packet Exchange (SPX) for Layer 4 connection-oriented services.
Note: Novell has introduced a link-state routing protocol called NetWare Link Services Protocol (NLSP). Novell intends this Layer 3 protocol eventually to replace RIP and SAP. The NetWare protocol stack is compatible with the Open Data-Link Interface (ODI) and all common media access protocols.

221 Key Novell IPX Features
Address is 80 bits (network.node) Interface MAC address is part of logical address Multiple encapsulations per interface Default routing protocol is Novell RIP Novell service advertisements in SAP traffic NetWare clients find servers with GNS packets A Novell IPX address has 80 bits: 32 bits for the network number and 48 bits for the node number. The node number contains the MAC address of an interface. Novell IPX supports multiple logical networks on an individual interface, and each network requires a single encapsulation type. Novell RIP is the default routing protocol. Novell has also developed a link-state routing protocol, NLSP. The client/server relationship is enhanced in IPX because servers automatically use the SAP protocol to advertise the services they provide. One type of SAP advertisement is Get Nearest Server (GNS), which enables a client to locate the nearest server for login. These features are discussed in detail in this chapter.

222 Each interface has a unique address
Novell IPX Addressing Network.Node Up to 32 bits 48 bits (from MAC) Network 4a1d 4a1d c56.de33 2c c56.de33 E0 S0 Network 2c E1 Novell IPX addressing uses a two-part address, the network number and the node number. The IPX network number can be up to 8 hexadecimal digits in length. This number is assigned by the network administrator. The example features the IPX network 4ald. Other IPX networks shown are 2c and 3f. The IPX node number is 12 hexadecimal digits in length. This number is usually the MAC address obtained from a router interface that has a MAC address. The example features the IPX node c56.de33. Another node address is c56.de34. Notice that the same node number appears for both E0 and S0. Serial interfaces do not have MAC addresses so Novell IPX obtained this node number for S0 by using the MAC address from E0. Each interface retains its own address. The use of the MAC address in the logical address eliminates the need for an Address Resolution Protocol (ARP). 3f c56.de34 Network 3f Each interface has a unique address

223 Multiple Novell Encapsulations
For example, four types of Ethernet framing Novell IPX Name Framing Structure Ethernet_II Ethernet IPX 802.3 802.2 LLC IPX Ethernet_802.2 Default for NetWare 3.12 or later 802.3 802.2 LLC 802.2 LLC SNAP IPX Ethernet_SNAP The Novell IPX protocol on Cisco routers supports all the framing variations used on Novell NetWare implementations. These framing types include service access point (SAP), Ethernet, with logical link control (LLC) protocol, and Subnetwork Access Protocol (SNAP). There are four different Ethernet framing types with variations in the fields they use. Each encapsulation type is appropriate in specific situations: · Ethernet II-Used with TCP/IP and DECnet. · Ethernet Used with NetWare 4.x and OSI routing. · Ethernet SNAP-Used with TCP/IP and AppleTalk. · Ethernet Also called raw Ethernet; used with early NetWare versions 2.x and 3.x. Note Multiple encapsulations can be specified on an interface, but only if multiple network numbers have also been assigned. Although several encapsulation types can share the same interface, clients and servers with different encapsulation types cannot communicate directly with each other. 802.3 IPX Ethernet_802.3 Default for NetWare 3.11 or earlier

224 Cisco Encapsulation Names
Novell IPX Name Cisco IOS Name Ethernet_II arpa Ethernet_ sap Ethernet_SNAP snap Ethernet_ novell-ether Token-Ring token When you configure an IPX network, you may need to specify a nondefault encapsulation type. To help you specify the appropriate encapsulation type, use the table in the graphic. The table matches the Novell framing terms to equivalent Cisco IOS names for the same framing types. When you configure Cisco IOS software for Novell IPX, use the Cisco name for the appropriate encapsulation. If you do not specify an encapsulation type when you configure the router for IPX, the router will use a default encapsulation type on its interfaces. The default encapsulation types on Cisco router interfaces and their keywords are: · Ethernet - novell-ether · Token Ring - snap · FDDI - snap Token-Ring_SNAP snap Specify encapsulation when you configure IPX network

225 Exercise: IPX Parameter Planning
R2 Interface Network Name Address Encapsulation S0 S1 E1 Network c0b0 S0 hdlc S0 hdlc S1 R1 R2 E0 S1 arpa E1 Network d100 Network b001 Network b1b0 snap Always plan and document the encapsulations and network numbers for your network. Multiple encapsulations are allowed on Ethernet, single encapsulation on serial lines. E0 E0 arpa R3 R0 Write the IPX addresses and encapsulation types for R2

226 RIP - The IPX Routing Protocol
B C A D D C B A RIP Table RIP Table RIP Table RIP Table Novell RIP is a distance vector routing protocol. RIP has two metrics: ticks and hops. Ticks (a time measure) and hop count (a count of each router traversed) are the IPX metrics for path decisions. RIP checks its two distance vector metrics by first comparing the ticks for path alternatives. If two or more paths have the same tick value, RIP compares the hop count. If two or more paths have the same hop count, the router will try to use a user-defined tiebreaker. Each IPX router passes periodic copies of its RIP routing table to its direct neighbor IPX routers. The neighbor IPX routers add distance vectors as required before passing copies of their RIP tables to their own neighbors. A "best information" split-horizon algorithm prevents the neighbor from broadcasting RIP tables about IPX information back to the networks from where it received that information. RIP also uses an information aging mechanism to handle conditions where an IPX router goes down without any explicit message to its neighbors. Periodic updates reset the aging timer. Routing table updates are sent at 60-second intervals. This update frequency can cause excessive overhead traffic on some internetworks. Uses ticks (about 1/18 sec.) and hop count (maximum of 15 hops) Broadcasts routing information to neighbor routers every 60 seconds

227 SAP - Service Advertisement
SAP table Advertiseses print service Listens to SAP SAP Advertiseses file service SAP All the servers on NetWare internetworks can advertise their services and addresses. All versions of NetWare support SAP broadcasts to locate registered network services. Adding, finding, and removing services on the internetwork is dynamic because of SAP advertisements. Each SAP service is an object type identified by a hexadecimal number. Examples: 4 NetWare file server 7 Print server 24 Remote bridge server (router) All servers and routers keep a complete list of the services available throughout the network in server information tables. Like RIP, SAP also uses an aging mechanism to identify and remove table entries that become invalid. By default, service advertisements occur at 60-second intervals. However, although this might work well on a LAN, this advertisement can require too much bandwidth to be acceptable on large internetworks, or in internetworks linked on WAN serial connections. Routers do not forward SAP broadcasts. Instead, each router builds its own SAP table and forwards the SAP table to other routers. By default this occurs every 60 seconds. SAP packets advertise all NetWare services Can add excessive broadcast traffic to the network

228 GNS - Clients Get Nearest Server
File Server NetWare Client GNS response SAP GNS request GNS is a broadcast from a client needing a server File server and Cisco router get this SAP packet File server provides GNS response The IPX client/server interaction begins when the client powers up and runs its client startup programs. These programs use the client's network adapter on the LAN and initiate the connection sequence for the NetWare shell to use. The Get Nearest Server (GNS) is a broadcast that comes from a client using IPX SAP. The nearest NetWare file server responds with another SAP; the protocol type is Give Nearest Server. From that point on, the client can log in to the target server, make a connection, set the packet size, and proceed to use server resources. If a NetWare server is located on the segment, it will respond to the client request. The Cisco router will not respond to the GNS request. If there are no NetWare files, the Cisco router will respond to a GNS request on a network segment.
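The SAP table aging and the GNS rule of the two preceding slides, as an added Python example (not IOS code): a router records the services it hears in SAP broadcasts, ages out services that stop being re-advertised, and answers a client's Get Nearest Server request only when no file server sits on the segment the request came from. Service names and addresses are constructed; the age-out after three missed 60-second advertisements is an assumption of this example, not a figure from the slides.

```python
"""SAP table with aging and GNS handling (added example, not slide material)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

SAP_INTERVAL = 60                # seconds between periodic SAP broadcasts (slide 227)
SAP_AGE_OUT = 3 * SAP_INTERVAL   # drop a service after three missed advertisements (assumed)
FILE_SERVER = 0x4                # SAP object types from slide 227
PRINT_SERVER = 0x7


@dataclass
class Service:
    type: int
    name: str
    address: str       # network.node of the server
    hops: int          # routers between us and the server, plus one
    interface: str     # where the advertisement was heard
    last_seen: float


class SapTable:
    def __init__(self) -> None:
        self._entries: Dict[Tuple[int, str], Service] = {}

    def hear(self, adv: Dict[str, Any], interface: str, now: float) -> None:
        """Learn or refresh a service from a SAP packet heard on interface.
        adv['hops'] is 0 for a server on that wire; we store it plus one."""
        key = (adv["type"], adv["name"])
        hops = adv["hops"] + 1
        current = self._entries.get(key)
        # replace when new, when not farther than what we hold, or when stale
        if current is None or hops <= current.hops or now - current.last_seen > SAP_AGE_OUT:
            self._entries[key] = Service(adv["type"], adv["name"], adv["address"],
                                         hops, interface, now)

    def expire(self, now: float) -> List[str]:
        """Remove services whose advertiser has gone quiet; return their names."""
        dead = [k for k, s in self._entries.items() if now - s.last_seen > SAP_AGE_OUT]
        for k in dead:
            del self._entries[k]
        return [name for _, name in dead]

    def services(self, type_: Optional[int] = None) -> List[Service]:
        found = [s for s in self._entries.values() if type_ is None or s.type == type_]
        return sorted(found, key=lambda s: (s.hops, s.name))

    def answer_gns(self, request_interface: str, now: float) -> Tuple[str, Optional[Service]]:
        """('silent', server) when a file server on the requesting segment will
        answer itself, ('reply', nearest) when the router must answer, or
        ('none', None) when it knows of no file server at all."""
        self.expire(now)
        on_segment = [s for s in self.services(FILE_SERVER)
                      if s.interface == request_interface and s.hops == 1]
        if on_segment:
            return "silent", on_segment[0]
        known = self.services(FILE_SERVER)
        return ("reply", known[0]) if known else ("none", None)


def scenario() -> List[Tuple[str, Optional[str]]]:
    """Constructed timeline: two file servers and a print server, then one
    file server and the print server fall silent."""
    table = SapTable()
    fs2 = {"type": FILE_SERVER, "name": "FS2", "address": "3f.0000.0000.0002", "hops": 1}
    table.hear({"type": FILE_SERVER, "name": "FS1", "address": "2c.0000.0000.0001", "hops": 0}, "Ethernet0", 0)
    table.hear({"type": PRINT_SERVER, "name": "PRN1", "address": "2c.0000.0000.0009", "hops": 0}, "Ethernet0", 0)
    table.hear(fs2, "Serial0", 0)
    results = []
    for interface, now in (("Ethernet0", 10), ("Ethernet1", 10)):
        action, svc = table.answer_gns(interface, now)
        results.append((action, svc.name if svc else None))
    for t in (60, 120, 180):           # only FS2 keeps advertising
        table.hear(fs2, "Serial0", t)
    action, svc = table.answer_gns("Ethernet0", 200)
    results.append((action, svc.name if svc else None))
    return results


if __name__ == "__main__":
    print(scenario())
```

At time 10 a GNS on Ethernet0 is left to FS1, which is on that wire, while a GNS on Ethernet1 is answered by the router with FS1 as the nearest file server; at time 200 FS1 has aged out and the router answers the Ethernet0 request with FS2.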

229 Configuring IPX Routing

230 Novell IPX Configuration Tasks
Network 9e encap arpa Global configuration IPX routing Load sharing Interface configuration Network numbers Encapsulation type RIP IPX RIP Network 4a encap arpa Configuration of Novell IPX as a routing protocol involves both global and interface parameters. Global tasks: · Start the IPX routing process. · Enable load sharing if appropriate for your network. Load sharing is the division of routing tasks evenly among multiple routers to balance the work and improve network performance. Interface tasks: · Assign unique network numbers to each interface. Multiple network numbers can be assigned to an 'interface, allowing support of different encapsulation types. · Set the optional encapsulation type if it is different from the default.

231 Novell IPX Global Configuration
Router (config) # ipx routing [node]
Enables Novell IPX routing

Router (config) # ipx maximum-paths paths
Configures round-robin load sharing over multiple equal-metric paths

The ipx routing command enables Novell IPX routing. If no node address is specified, the Cisco router uses the MAC address of the interface. If a Cisco router has only serial interfaces, an address must be specified.

The ipx maximum-paths command enables load sharing.
Command / Description:
ipx maximum-paths paths: paths is the maximum number of parallel paths to the destination; the default is 1 and the maximum is 512.

232 Novell IPX Interface Configuration
Router (config-if) # ipx network number [encapsulation encapsulation-type] [secondary]
Assigns primary and secondary network number and encapsulation

The ipx network command enables Novell IPX processing on this interface.
Command / Description:
ipx network number: Each interface must have a unique Novell IPX network number, specified in hexadecimal and up to eight hexadecimal digits in length.
encapsulation encapsulation-type: (Optional) Specifies the encapsulation type for the interface. Can be one of the following encapsulation types: novell-ether, sap, arpa, snap.
secondary: (Optional) Applies another network number and encapsulation to the interface. Assigning a second network number is necessary if an additional encapsulation type is linked to an individual network.

233 Verifying and Monitoring IPX Routing

234 Verifying IPX Operation
Monitoring commands: show ipx interface, show ipx route, show ipx servers, show ipx traffic
Troubleshooting commands: debug ipx routing activity, debug ipx sap

Once IPX routing is configured, you can monitor and troubleshoot it using the following commands:
Monitoring command / Displays:
show ipx interface: IPX status and parameters.
show ipx route: Routing table contents.
show ipx servers: IPX server list.
show ipx traffic: Number and type of packets.
Troubleshooting command / Displays:
debug ipx routing activity: Information about RIP update packets.
debug ipx sap: Information about SAP update packets.
Each of these commands is discussed in detail on the pages that follow.

235 Monitoring IPX Status
Router# show ipx interface ethernet 0
Ethernet0 is up, line protocol is up
  IPX address is 3010.aa , NOVELL-ETHER [up] line-up, RIPPQ: 0, SAPPQ: 0
  Delay of this Novell network, in ticks is 1
  IPXWAN processing not enabled on this interface
  IPX SAP update interval is 1 minute(s)
  IPX type 20 propagation packet forwarding is disabled
  Outgoing access list is not set
  IPX helper access list is not set
  SAP Input filter list is not set
  SAP Output filter list is not set
  SAP Router filter list is not set
  SAP GNS output filter list is not set
  Input filter list is not set
  Output filter list is not set
  Router filter list is not set
  Netbios Input host access list is not set
  Netbios Input bytes access list is not set
  Netbios Output host access list is not set
  Netbios Output bytes access list is not set
  Update time is 60 seconds
 -- More --

The show ipx interface command shows the status of the IPX interface and the IPX parameters configured on each interface. The first highlighted line shows the IPX address, the type of encapsulation, and the status of the interface. The middle set of highlighting shows that the SAP filters are not set. The last highlighted line shows that fast switching is enabled.

You can manually set the tick metric. Use the command ipx delay number, where number is the number of ticks to associate with an interface. This command manually overrides the following defaults on the Cisco router:
· For LAN interfaces, one tick
· For WAN interfaces, six ticks

236 Monitoring IPX Routing Tables
Router# show ipx route
Codes: C - Connected primary network, C - Connected secondary network
       R - RIP, E - EIGRP, S - static, W - IPXWAN connected
5 Total IPX routes
Up to 2 parallel paths allowed
Novell routing algorithm variant in use
R Net 3030 [6/1] via c03.13d3, 23 sec, 1 uses, Serial1
                 via c03.13d3, 23 sec, 0 uses, Serial0
C Net 3020 (x25), is directly connected, 15 uses, Serial0
C Net 3021 (HDLC), is directly connected, 15 uses, Serial1
C Net 3010 (NOVELL_ETHER), is directly connected, 15 uses, Ethernet0
C Net 3000 (NOVELL_ETHER), is directly connected, 15 uses, Ethernet1

The show ipx route command displays the contents of the IPX routing table. The first highlighted line provides routing information for a remote network:
· The information was learned from a RIP update.
· The network is number 3030.
· It is located six ticks or one hop away. This information is used to determine best routes. If there is a tie between ticks, hops are used to break the tie.
· The next hop in the path is router c03.13d3.
· The information was updated 23 seconds ago.
· The updates will be sent through the interface named Serial1.
The second line of highlighting provides information about a direct connection:
· The network number is 3010.
· The encapsulation type is NOVELL-ETHER.
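The route selection rule just described (ticks first, hops only to break a tie) and the ipx maximum-paths round-robin load sharing from the global configuration slide, as an added Python model that is not Cisco IOS code; the node addresses in the constructed updates are made up, and the sample is patterned on the show ipx route output above, where two parallel paths to net 3030 are allowed:

```python
"""IPX RIP route selection as the slides describe it (added example, not IOS code).

Ticks are the primary metric, hops only break a tie, and up to maximum_paths
equal-metric routes are kept and used round-robin (ipx maximum-paths).
"""
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class IpxRoute:
    network: str     # hex network number, e.g. "3030"
    ticks: int       # delay in ticks (compared first)
    hops: int        # hop count (tie-breaker)
    next_hop: str    # node address of the advertising router
    interface: str   # interface the update arrived on


def best_routes(candidates, maximum_paths=1):
    """Routes installed for one network: best (ticks, hops) first, only those
    sharing the best metric, and at most maximum_paths of them."""
    ranked = sorted(candidates, key=lambda r: (r.ticks, r.hops))
    if not ranked:
        return []
    best = (ranked[0].ticks, ranked[0].hops)
    return [r for r in ranked if (r.ticks, r.hops) == best][:maximum_paths]


class IpxRoutingTable:
    def __init__(self, maximum_paths=1):      # the IOS default is 1
        self.maximum_paths = maximum_paths
        self._learned = {}                     # network -> candidate routes
        self._rr = {}                          # network -> round-robin cycle

    def learn(self, route):
        """Absorb one entry of a RIP update: a newer advertisement from the
        same neighbour on the same interface replaces the older one."""
        cands = [c for c in self._learned.get(route.network, [])
                 if (c.next_hop, c.interface) != (route.next_hop, route.interface)]
        cands.append(route)
        self._learned[route.network] = cands
        self._rr.pop(route.network, None)      # metric may have changed: restart rotation

    def installed(self, network):
        return best_routes(self._learned.get(network, []), self.maximum_paths)

    def next_interface(self, network):
        """Interface for the next packet, rotating over the equal-cost paths."""
        paths = self.installed(network)
        if not paths:
            return None
        if network not in self._rr:
            self._rr[network] = cycle(paths)
        return next(self._rr[network]).interface


def demo_table(maximum_paths=1):
    """Constructed updates (node addresses made up), patterned on the sample:
    net 3030 is 6 ticks / 1 hop away over both Serial1 and Serial0."""
    t = IpxRoutingTable(maximum_paths)
    t.learn(IpxRoute("3030", 6, 1, "0000.0c00.0001", "Serial1"))
    t.learn(IpxRoute("3030", 6, 1, "0000.0c00.0001", "Serial0"))    # equal-cost parallel path
    t.learn(IpxRoute("3030", 7, 1, "0000.0c00.0002", "Ethernet1"))  # more ticks: never installed
    t.learn(IpxRoute("3040", 6, 2, "0000.0c00.0002", "Ethernet1"))
    t.learn(IpxRoute("3040", 6, 1, "0000.0c00.0001", "Serial0"))    # same ticks, fewer hops wins
    return t
```

With the default of one path only Serial1 is ever used for net 3030; with ipx maximum-paths 2 both serial links are installed and packets alternate between them.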

237 Monitoring IPX Servers List
Router> show ipx servers
Codes: P - Periodic, I - Incremental, H - Holddown, S - static
1 Total IPX Servers
Table ordering is based on routing and server info
  Type  Name  Net  Address  Port  Route  Hops  Itf
P4 MAXINE AD b : / Et3

The show ipx servers command lists the IPX servers discovered through SAP advertisements. This example provides the following information:
· The service was learned about from a SAP update (code P)
· The server name, network location, device address, and source socket number
· The ticks and hops for the route (taken from the routing table)
· The number of hops (taken from the SAP protocol)
· The interface through which to reach the server

238 Monitoring IPX Traffic
Router# show ipx traffic
System Traffic for System-Name: dtp-18
Rcvd: total, format errors, 0 checksum errors, 0 bad hop count,
      0 packets pitched, local dastinatio, 0 multicast
Bcast: received, 9486 sent
Sent: generated, 0 forwarded
      0 encapsulation failed, 0 no route
SAP: 6 SAP request, 6 SAP replies, 2309 servers
     0 SAP Nearest Name requests, 0 replies
     0 SAP General Name requests, 0 replies
     1521 SAP advertisements received, sent
     0 SAP flash updates sent, 0 SAP format errors
RIP: 6 RIP request, 6 RIP replies, 2979 routes
     8033 RIP advertisements received, 4300 sent
     154 Rip flash updates sent, 0 RIP format eroors
Echo: Rcvd 0 request, 0 replies
      Sent 0 request, 0 replies
      0 unknown: 0 no socket, 0 filtered, 0 no helper
      0 SAPs throttled, freed NDB len 0
 -- More --

The show ipx traffic command displays information about the number and type of IPX packets received and transmitted by the router. Notice in this example that a high percentage of the total number of packets received and sent were RIP advertisements. This is because this sample was taken from a lab network with essentially no user traffic on it. This screen shows how much overhead traffic IPX generates.

239 Troubleshooting IPX Routing
Router# debug ipx routing activity
IPX routing debugging is on
Router#
IPXRIP: positing full update to 3010.ffff.ffff.ffff via Ethernet0 (broadcast)
IPXRIP: positing full update to 3000.ffff.ffff.ffff via Ethernet1 (broadcast)
IPXRIP: positing full update to 3020.ffff.ffff.ffff via Serial0 (broadcast)
IPXRIP: positing full update to 3021.ffff.ffff.ffff via Serial1 (broadcast)
IPXRIP: sending update to 3020.ffff.ffff.ffff via Serial0
IPXRIP: src= c23.14d8, dst=3020.ffff.ffff.ffff, packet sent
        network 3021, hops 1, delay 6
        network 3010, hops 1, delay 6
        network 3000, hops 1, delay 6
IPXRIP: sending update to 3021.ffff.ffff.ffff via Serial1
IPXRIP: src= c03.14d8, dst=3021.ffff.ffff.ffff, packet sent
        network 3020, hops 1, delay 6
IPXRIP: sending update to 3010.ffff.ffff.ffff via Ethernet0
IPXRIP: src= c03.14d8, dst=3010.ffff.ffff.ffff, packet sent
        network 3020, hops 2, delay 7
        network 3010, hops 1, delay 1
 -- More --

The debug ipx routing activity command displays information about IPX routing update packets that are transmitted or received. A router sends an update every 60 seconds. Each update packet can contain up to 50 entries. If there are more than 50 entries in the routing table, the update will consist of more than one packet. In this example, the router is sending updates but not receiving them. Updates received from other routers would also appear in this listing.

240 Troubleshooting IPX SAP
Router# debug ipx sap
IPX sap debugging is on
Router#
NovellSAP: at 0023F778 I SAP response type 0x2 len 160 src: c00.070d dest: 160.ffff.ffff.ffff(452)
  type 0x4, "HELLO2", (451), 2 hops
  type 0x4, "HELLO1", (451), 2 hops
NovellSAP: sending update to 160
NovellSAP: at 0 SAP Update type 0x2 len 96 ssoc:0x452 dest: 160.ffff.ffff.ffff(452)
  Novell: type 0x4 "Magnolia", (451), 2 hops

The debug ipx sap command displays information about IPX SAP packets that are transmitted or received. Like RIP updates, these SAP updates are sent every 60 seconds and may contain multiple packets. Each SAP packet appears as multiple lines in the output, including a packet summary message and a service detail message.
SAP responses may be one of these types:
· 0x1 - General query
· 0x2 - General response
· 0x3 - Get Nearest Server request
· 0x4 - Get Nearest Server response
In each line, the address and distance of the responding or target router is listed.

241 Summary
Address is network.node
Logical address contains interface MAC address
IPX interface configuration supports multiple data-link encapsulations
RIP uses the distance vectors of ticks and hops
SAPs and GNS broadcasts function to connect client and server

242 Configuring AppleTalk

243 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the AppleTalk protocol stack
Plan an AppleTalk network
Enable the AppleTalk protocol and configure AppleTalk interfaces
Monitor AppleTalk operation in the router

244 AppleTalk Overview

245 AppleTalk Protocol Stack
[Figure: the OSI reference model (Application, Presentation, Session, Transport, Network, Data Link, Physical, layers 7 to 1) beside the AppleTalk architecture: Application; Zone Information Protocol (ZIP), Routing Table Maintenance Protocol (RTMP) and Name Binding Protocol (NBP); Datagram Delivery Protocol (DDP); EtherTalk, TokenTalk, FDDITalk and others at the lower layers]

At the hardware layers, most standard media types are supported. Many Apple products contain a LocalTalk interface that operates over twisted-pair cabling at 230 kbps. The LocalTalk interface is not available on Cisco products. LocalTalk devices can be adapted to Ethernet or other LAN environments.

At Layer 3 in the AppleTalk architecture, the Datagram Delivery Protocol (DDP) provides a connectionless datagram service.

At Layer 4 in the AppleTalk architecture, the Name Binding Protocol (NBP) provides name-to-address association. Routing table content is provided by the Routing Table Maintenance Protocol (RTMP).

At Layer 5 in the AppleTalk architecture, the Zone Information Protocol (ZIP) provides localized broadcast traffic.

246 AppleTalk Features
Peer-to-peer based networking
Client lookups for services propagate in logical zones
Addresses use 24 bits (Network.Node)
Nodes dynamically acquire addresses
Routing protocol is RTMP
Updates sent at 10-second intervals
Metric is hop count
Distance vector routing

Clients use broadcasts to learn about available services. The AppleTalk environment allows propagation of lookups by the router, ensuring that all available services will be located by the user.

AppleTalk addresses are composed of a 16-bit network number and an 8-bit node number. The network portion of the address is manually configured by the administrator. The node identifier portion is dynamically acquired during router startup. The node identifier can also be manually configured on the Cisco router. This is useful when configuring AppleTalk for multipoint WANs and for dialers that use maps for WAN access.

RTMP provides routing information updates at Layer 4. RTMP is a Routing Information Protocol (RIP) derivative, using hop count as its metric for routing decisions. Hosts listen to RTMP updates to learn the router's address.

247 Locating Printers
[Figure: zone Users containing User 1, User 2, User 3, Printer 1A and Printer 1B on two cables joined by a router; User 2 asks "What printers are available?" with a unicast to find printers in the zone, and the router propagates the request for printers]

Users on the AppleTalk network locate specific services using NBP requests. In the graphic, user 2 looks for printers in the zone named Users. The router will create one request to send out cable , and another request to send out cable . Responses that the router forwards to user 2 inform user 2 about printer 1A and printer 1B.

248 Nonextended or Extended Networks
Nonextended network: 127 hosts, 127 servers per network; single network number per wire
Extended network: 253 hosts/servers per network; range of network numbers per wire

Early releases of AppleTalk (pre-1988) used a scheme referred to as Phase 1. This scheme did not allow large numbers of hosts on a single wire. An equal number of servers and hosts was allocated. Any Macintosh can be a host or server. The network and node address were considered separately, limiting the available address space.

Later releases of AppleTalk use extended addressing. Multiple network numbers can exist on the same wire. The maximum number of servers and hosts is the same as before. The network and node addresses are considered in combination, greatly enlarging the available address space.

249 AppleTalk Address Acquisition
[Figure: User 2 powers up with a provisional address, asks the router for the cable range ("Requests network range", "Get cable range"), learns the network numbers available, chooses network 105, probes whether a node number is available (Probe: 3) and ends up with address 105.3; other nodes on the wire already hold addresses 100.58 and 101.77]

User 2 is powered on, but has no address stored in its permanent memory (RAM). User 2's software selects a provisional network address from the FF00-FFE0 range and a random node number. The new node sends 10 AppleTalk Address Resolution Protocol (AARP) probes to verify the node ID availability.

A "get cable range" ZIP request is issued by user 2. The router's response indicates the range of network numbers available on the wire.

User 2 selects a network number from the cable range. User 2 issues AARP probes for a node ID:
· If there is a response that the node ID is in use, user 2 tries another node ID.
· If there is no response to the probe, user 2 uses this ID.
User 2's address becomes

After an address is acquired, it is saved in RAM. The stored address is probed for at the next power-up sequence, and if it is in use, dynamic assignment is initiated.

250 Configuring AppleTalk

251 AppleTalk Configuration Tasks
[Figure: a router running RTMP with interfaces on AppleTalk networks, each assigned to a zone (Campus Zone)]
Global configuration: select AppleTalk routing
Interface configuration: assign network number range, select routing update protocol, assign zones

Configuration of AppleTalk as a routing protocol requires setting both global and interface parameters.
Global task: Select AppleTalk routing to start the routing process.
Interface tasks:
· Assign a range of network numbers to each interface. A narrow range can be an appropriate assignment.
· Assign each interface to a zone. Phase 2 allows multiple zones per segment.
After an address and zone name are assigned, the interface is enabled for packet processing. All routers in a network or data link must agree on the cable range, default zone, and zone list.

252 AppleTalk Configuration
Router (config) # appletalk routing
Turns on AppleTalk routing

Router (config-if) # appletalk protocol {rtmp | eigrp | aurp}
Selects the protocol that generates routing updates on this interface

The appletalk routing command starts the AppleTalk routing process.
The appletalk protocol command selects one or more routing protocols for use on this interface.
appletalk protocol command / Description:
rtmp: Routing protocol is RTMP, which is the default.
eigrp: Specifies that the routing protocol to use is Enhanced IGRP.
aurp: Specifies that the routing protocol to use is AURP. You can enable AURP only on tunnel interfaces.
If the appletalk protocol command is omitted in the interface specification, RTMP is selected by default.

253 AppleTalk Configuration (cont.)
Router (config-if) # appletalk cable-range cable-range [network.node]
Assigns a range of network numbers

Router (config-if) # appletalk zone zone-name
Defines zone name

The appletalk cable-range command specifies a range of network numbers available to the interface. If the cable range value is 0-0, the interface is placed in discovery mode. The optional network.node argument allows the network administrator to specify a unique address. This is useful on mapped interfaces.

The appletalk zone command assigns the zone name to the data link. Multiple zones can be assigned to one interface in a Phase 2 installation. The first zone name is the default zone name.

254 Discovery Mode Example
[Figure: Cisco A (address 100.35; E0 in zone Bldg-17, E1 in zone Bldg-13) and Cisco B attached to the same networks]

Initial configuration (Cisco A):
appletalk routing
interface ethernet 0
appletalk cable-range 0-0
interface ethernet 1
appletalk cable-range
appletalk discovery

Live configuration after discovery (Cisco A):
appletalk routing
interface ethernet 0
appletalk cable-range
appletalk discovery
appletalk zone Bldg-17
interface ethernet 1
appletalk cable-range
appletalk zone Bldg-13

In the example:
Command / Description:
appletalk cable-range 0-0: Places E0 into discovery mode.
appletalk cable-range: Assigns a network range to E1.
appletalk discovery: Places E1 into discovery mode.
Both E0 and E1 dynamically learn their addresses and zones.
In the live configuration file, for E0:
appletalk cable-range: Is the acquired network range.
appletalk zone Bldg-17: Is the acquired zone name.
appletalk discovery: Is the statement inserted when the interface is placed in discovery mode. Remove this statement if dynamic or hard-coded addresses are used.
In the live configuration file, for E1:
appletalk cable-range: Is the acquired network range.
appletalk zone Bldg-13: Is the acquired zone name.

255 Monitoring AppleTalk
Router# show appletalk interface ethernet 0
Ethernet0 is up, line protocol is up
  AppleTalk cable range is
  AppleTalk address is , Valid
  AppleTalk zone is "ld-e0"
  AppleTalk port configuration verified by
  AppleTalk address gleaning is enabled
  AppleTalk route cache is enabled

Use the show appletalk interface command to display status about all AppleTalk interfaces, including individual addressing, line status, timers, access lists assigned, and other details. This command is particularly useful when you first enable AppleTalk on a router interface.
This display shows you this information:
· The interface is Ethernet 0.
· The cable range contains an address value from which an address was selected. The address is marked as valid.
· The zone name is listed.
· AppleTalk address gleaning is enabled.
· AppleTalk route cache is enabled.

256 Monitoring AppleTalk (cont.)
Router# show appletalk route
Codes: R - RTMP derived, E - EIGRP derived, C - connected, A - AURP, S - static, P - proxy
5 routes in internet
The first zone listed for each entry is its default (primary) zone.
C Net directly connected, Ethernet1, zone ozone
C Net directly connected, Ethernet0, zone ld-e0
C Net directly connected, Serial0, zone dc-s0
C Net directly connected, Serial1, zone dc-s1
R Net [1/G] via , 4 sec, Serial0, zone cf-e0

Use the show appletalk route command to display the contents of the AppleTalk routing table. The sample shows the zones assigned to each cable range. The highlighted line shows an example of a wide cable range in the entry derived from RTMP.

257 Monitoring AppleTalk (cont.)
Router# show appletalk zone
Name     Network(s)
ld-e0
ozone
cf-e0
dc-s0
dc-s1

The show appletalk zone command displays entries in the AppleTalk zone information table. Notice that the wide range of networks, , occurs in zone ld-e0 as well as in zone ozone. The NBP lookup process is limited to the zone specified by the Macintosh user's zone selection in the Chooser.

258 Monitoring AppleTalk (cont.)
Router# show appletalk globals
AppleTalk global information:
  Internet is incompatible with older, AT Phase1, routers.
  There are 5 routes in the internet.
  There are 5 zones defined.
  Logging of significant AppleTalk events is disabled.
  ZIP resends queries every 10 seconds.
  RTMP updates are sent every 10 seconds.
  RTMP entries are considered BAD after 20 seconds.
  RTMP entries are discarded after 60 seconds.
  AARP probe retransmit count: 10, interval: 200
  AARP request retransmit count: 5, interval: 1000
  DDP datagrams will be checksummed.
  RTMP datagrams will be strictly checked.
  RTMP routes may not be propagated without zones.
  Routes will not be distributed between routing protocols.
  AppleTalk EIGRP is not enabled.
  IPTalk uses the udp base port of 768 (Default).
  Alternate node address format will not be displayed.
  Access control of any networks of a zone hides the zone.

The show appletalk globals command displays information and settings about the router's global AppleTalk configuration parameters. The highlighted line indicates Phase 1 compatibility through the use of unary cable ranges and single zones per interface.

259 Monitoring AppleTalk (cont.)
Router# debug apple routing
AppleTalk RTMP routing debugging is on
AppleTalk EIGRP routing debugging is on
Router#
AT: RTMP from (new 0, old 0, ign 0, dwn 0)
AT: RTMP from (new 0, old 0, bad 0, ign 0, dwn 0)
AT: src=Ethernet0: , dst= , size=34, 4 rtes, RTMP pkt sent
AT: src=Ethernet1: , dst= , size=34, 4 rtes, RTMP pkt sent
AT: src=Serial0: , dst= , size=28, 3 rtes, RTMP pkt sent
AT: src=Serial1: , dst= , size=34, 4 rtes, RTMP pkt sent
AT: Route ager starting on Main AT RoutingTable (5 active nodes)
AT: Route ager finished on Main AT RoutingTable (5 active nodes)
AT: RTMP from (new 0, old 1, bad 0, ign 1, dwn 0)
AT: RTMP from (new 0, old 1, bad 0, ign 3, dwn 0)
AT: RTMP from (new 0, old 0, bad 0, ign 0, dwn 0)
AT: RTMP from (new 0, old 1, bad 0, ign 1, dwn 0)
AT: src=Ethernet0: , dst= , size=34, 4 rtes, RTMP pkt sent
AT: src=Ethernet1: , dst= , size=34, 4 rtes, RTMP pkt sent
AT: src=Serial0: , dst= , size=28, 3 rtes, RTMP pkt sent
AT: src=Serial1: , dst= , size=34, 4 rtes, RTMP pkt sent

The debug apple routing command displays output from the RTMP routines. This command is used to monitor acquisition, aging, and advertisement of routes. It also reports conflicting network numbers on the same network.

260 Summary
AppleTalk addressing is Network.Node
Addresses are dynamically acquired
Multiple network numbers can exist on one wire
Unicast traffic is limited using zones

261 Basic Traffic Management with Access Lists

262 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the use, value, and processes of access lists
Configure standard and extended access lists to filter IP traffic
Monitor and verify selected access list operations on the router
IPX and AppleTalk access lists are covered later

263 Access Lists Overview

264 Why use Access Lists?
[Figure: a router connecting the local network to the Internet]

The earliest routed networks connected a modest scale of LANs and hosts. Next, the network administrator enlarged router connections to legacy and outside partners' networks. Increased use of the Internet brought new challenges to access control. Newer technology, from optical backbones to broadband services and high-speed LAN switches, increased control challenges again.

Network administrators face the following dilemma: how to deny unwanted connections while allowing appropriate access? Although other tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexible expression and specific controls most administrators prefer.

Access lists offer another powerful tool for network control. These lists add the flexibility to filter the packets that flow in or out of router interfaces. The access lists help protect expanding network resources without impeding the flow of legitimate communication.

Access lists differentiate packet traffic into categories that permit or deny other features. You can also use access lists to:
Identify packets for priority or custom queuing
Restrict or reduce the contents of routing updates

Access lists also process packets for other security features to:
Provide IP traffic dynamic access control with enhanced user authentication using the lock-and-key feature
Identify packets for encryption
Identify Telnet access allowed to the router virtual terminals
Deny traffic you do not want based on packet tests (for example, addressing or traffic type)
Specify packet traffic for dialing remote sites using dial-on-demand routing (DDR)

265 What Are Access Lists?
[Figure: access list processes in the router; an incoming packet on E0 is checked by protocol and by source and destination address ("Permit?") before it becomes an outgoing packet on S0 (optional dialer)]
Standard: simpler address specifications; generally permits or denies an entire protocol suite
Extended: more complex address specification; generally permits or denies specific protocols

Access lists are statements that specify conditions that an administrator sets so the router will handle the traffic covered by the access list in an out-of-the-ordinary manner. Access lists give added control for processing the specific packets in a unique way. The two main types of access lists are:

Standard access lists: Standard access lists for IP check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network/subnet/host address. For example, packets coming in E0 are checked for address and protocol. If permitted, the packets are output through S0, which is grouped to the access list. If the packets are denied by the standard access list, all these packets for the given category are dropped.

Extended access lists: Extended access lists check for both source and destination packet addresses. They also can check for specific protocols, port numbers, and other parameters. This allows administrators more flexibility to describe what checking the access list will do. Packets can be permitted or denied output based on where the packet originated and on its destination. The extended access list also permits or denies with more granularity. For example, it can allow electronic mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers.

266 How Access Lists Work
[Flowchart: a packet arrives on an inbound interface; is it routable/bridgeable? is there a routing table entry? choose the outbound interface; is an access list applied? test the access list statements; permit? then the packet leaves the outbound interface, otherwise (firewall) the unwanted packet goes to the discard bucket and the sender is notified]

Access lists express the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. Access lists do not act on packets that originate in the router itself.

The beginning of the process is the same regardless of whether access lists are used: As a packet enters an interface, the router checks to see whether it is routable (or bridgeable). If either situation is false, the packet will be dropped. A routing table entry indicates a destination network, some routing metric or state, and the interface to use.

Next the router checks to see whether the destination interface is grouped to an access list. If it is not, the packet can be sent to the output buffer; for example, if it will use T0, which has no access lists in effect, the packet uses T0 directly.

Interface E0 has been grouped to an extended access list. The administrator used precise, logical expressions to set the access list. Before a packet can proceed to that interface, it is tested by the combination of access list statements associated with that interface. Based on the extended access list tests, the packet can be permitted. For inbound lists, this means continue to process the packet after receiving it on an inbound interface. For outbound lists, this means send it to the output buffer for E0. Otherwise the test results can deny permission, which means discard the packet. The router's access list provides firewall control to deny use of the E0 interface. When discarding packets, some protocols return a special packet to the sender. This notifies the sender of the unreachable destination.

267 A List of Tests: Deny or Permit
[Flowchart: a packet bound for the interface(s) in the access group is matched against the first test, then the next test, and so on to the last test; each match results in deny or permit, a permit sends the packet to the destination interface(s); a packet that matches no test reaches the implicit deny and goes to the discard bucket]

Access list statements operate in sequential, logical order. They evaluate packets from the top down. If a packet header and an access list statement match, the packet skips the rest of the statements. If a condition match is true, the packet is permitted or denied. There can be only one access list per protocol per interface.

In the graphic, for instance, by matching the first test, a packet is denied access to the destination interfaces. It will be discarded and dropped into the bit bucket. The packet is not exposed to any access list tests that follow. Only if the packet does not match the conditions of the first test will it drop to the next access list statement. Assume a different packet's parameters match the next test, a permit statement; the permitted packet proceeds to the destination interface. Another packet does not match the conditions of the first or second test, but does match the conditions of the next access list statement; again, a permit results.

Note: For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets. It results in a deny. Instead of proceeding in or out an interface, all these remaining packets are dropped.

268 Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Router (config) # access-list access-list-number {permit|deny} {test conditions}
Step 2: Enable an interface to become part of the group that uses the specified access list
Router (config-if) # {protocol} access-group access-list-number {in|out}
Access lists are numbered (for IP, numbered or named)

In practice, access list commands can be lengthy character strings. Access lists can be complicated to enter or interpret. However, you can simplify understanding the general access list configuration commands by reducing the commands to two general elements.

Step 1: The access list process contains global statements. This global statement identifies the access list, usually by an access list number. This number refers to the type of access list this will be. In Cisco IOS Release 11.2 or newer, access lists for IP may also use an access list name rather than a number. The permit or deny term in the global access list statement indicates how packets that meet the test conditions will be handled by Cisco IOS. Permit usually means the packet will be allowed to use one or more interfaces that you will specify later. The final term or terms specifies the test conditions used by this access list statement. The test can be as simple as checking for a single source address, but usually test conditions are extended to include several test conditions. Use several global access list statements with the same identifier to stack several test conditions into a logical sequence or list of tests.

Step 2: The access list process uses an interface command. All the access list statements identified by the access-list number associate with one or more interfaces. Any packets that pass the access list test conditions can be permitted to use any interface in the access group of interfaces.

269 How to Identify Access Lists
Access list type / Number range or identifier:
IP standard: 1-99
IP extended:
IP named (Cisco IOS 11.2 and later):
IPX standard:
IPX SAP filters:
AppleTalk:
Number identifies the protocol and type
Other number ranges for most protocols

Access lists can control most protocols on a Cisco router. The graphic shows the protocols and number ranges of the access list types covered in this chapter. An administrator enters a number in the protocol number range as the first argument of the global access list statement. The router identifies which access list software to use based on this numbered entry. Access list test conditions follow as arguments. These arguments specify tests according to the rules of the given protocol suite.

The meaning or validity of the standard and extended identification scheme for access lists varies by protocol. Many access lists are possible for a protocol. Select a different number from the protocol number range for each new access list; however, the administrator can specify only one access list per protocol per interface.

Note: With Cisco IOS Release 11.2 and later you can also identify a standard or extended IP access list with an alphanumeric string (name) instead of the current numeric (1 to 199) representation. This can be an easier identification method to administer. Named IP access lists provide other advantages covered later in this chapter.

270 TCP/IP Access Lists

271 Managing IP Traffic Overview
FTP Limit traffic and restrict network use Broadcast Integral to the task of managing IP traffic is eliminating unwanted traffic while still allowing appropriate user access to necessary services. For many protocols, broadcasting is the primary method for locating services. Because routers inherently do not forward broadcasts, it is frequently necessary to help these broadcasts get forwarded onto the appropriate subnet where the server is located. The Cisco IOS software provides mechanisms for reducing unwanted traffic, for restricting network use to only authorized users, and for enabling broadcasts to be forwarded beyond the local router to the desired server. Access lists limit traffic and restrict network use, and helper addressing enables broadcast forwarding. Both access lists and helper addressing are covered in this chapter. Enable directed forwarding of broadcasts

272 Access List Application
Transmission of packets on an interface Virtual terminal line access (IP) Access lists control packet movement through a network Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified router interfaces, Cisco provides access lists. An IP access list is a sequential collection of permit and deny conditions that apply to IP addresses and/or upper-layer IP protocols.

273 Other Access List Uses Access lists are multipurpose
Priority and custom queuing Queue List Dial-on-demand routing Route filtering Routing table You can use an IP access list to establish a finer granularity of control when differentiating traffic into priority and custom queues. An access list can also be used to identify “interesting” traffic that serves to trigger dialing in dial-on-demand routing (DDR). Access lists are also a fundamental component of route maps, which filter and in some cases alter the attributes within a routing protocol update. Access lists are multipurpose

274 Key Concepts for IP Access Lists
Standard lists (1 to 99) test conditions of all IP packets from source addresses Extended lists (100 to 199) can test conditions of Source and destination addresses Specific TCP/IP-suite protocols Destination Wildcard bits indicate how to check the corresponding address bits (0=check, 1=ignore) Create access lists using the normal global router configuration process. Specifying an access list number from 1 to 99 instructs the router to accept standard IP access list statements. Specifying an access list number from 100 to 199 instructs the router to accept extended IP access list statements. The administrator must carefully decide specific access controls logically and order the statements to achieve intended controls. Permitted protocols must be specified. All other TCP/IP protocols are denied. Select which IP protocols to check. Any other IP protocols are not checked. Later in the procedure, the administrator can also specify an optional destination port for more granularity. Address filtering occurs using access list address wildcard masking to identify how to check or ignore corresponding IP address bits.

275 How to Use Wildcard Mask Bits
= = = = = Octet bit position and address value for bit Examples Check all address bits (match all) Ignore last 6 address bits Ignore last 4 address bits Ignore last 2 address bits Do not check address (ignore bits in octet) IP access lists use wildcard masking. Wildcard masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits. A wildcard mask bit 0 means "check the corresponding bit value." A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value." By carefully setting wildcard masks, an administrator can select single or several IP addresses for permit or deny tests. Refer to the example in the graphic. Note Wildcard masking for access lists operates differently from an IP subnet mask. A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked; a one in a bit position of the access list mask indicates the corresponding bit in the address is not "interesting" and can be ignored. 0 means check corresponding bit value 1 means ignore value of corresponding bit

276 How to Use Wildcard Mask Bits (cont.)
IP access list test conditions: Check for IP subnets to network.host Wildcard mask to match bits: check ignore You have seen how the zero and one bits in an access list wildcard mask cause the access list to either check or ignore the corresponding bit in the IP address. In the graphic, this wildcard masking process is applied to an example. An administrator wants to test an IP address for subnets that will be permitted or denied. Assume the IP address is Class B (first two octets are the network number) with eight bits of subnetting (the third octet is for subnets). The administrator wants to use IP wildcard masking bits to match subnets to Here is how to use the wildcard mask to do this: To begin, the wildcard mask will check the first two octets ( ) using corresponding zero bits in the wildcard mask. Because there is no interest in individual host addresses (a host ID will not be .00 at the end of the address), the wildcard mask will ignore the final octet using corresponding one bits in the wildcard mask. In the third octet, where the subnet address occurs, the wildcard mask will check that the bit position for the binary 16 is on and all the higher bits are off using corresponding zero bits in the wildcard mask. For the final (low end) four bits in this octet the wildcard mask will ignore the value; in these positions, the address value can be binary 0 or binary 1. In this way, the wildcard mask matches subnet 16, 17, 18, and so on up to subnet 31. The wildcard mask will not match any other subnets. In this example, the address with the wildcard mask matches subnets to Address and wildcard mask:

277 How to Use the Wildcard any
Test conditions: Ignore all the address bits (match any) Any IP address Wildcard mask: (ignore all) Working with decimal representations of binary wildcard mask bits can be tedious. For the most common uses of wildcard masking, you can use abbreviation words. These abbreviation words reduce how many numbers an administrator will be required to enter while configuring address test conditions. One example where you can use an abbreviation instead of a long wildcard mask string is when you want to match any address. Consider a network administrator who wants to specify that any destination address will be permitted in an access list test. To indicate any IP address, the administrator would enter ; then to indicate that the access list should ignore (allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, ). The administrator can use the abbreviation any to communicate this same test condition to Cisco IOS access list software. Instead of typing , the administrator can use the word any by itself as the keyword. Accept any address: ; abbreviate the expression using the keyword any

278 How to Use the Wildcard host
Test conditions: Check all the address bits (match all) An IP host address, for example: Wildcard mask: (check all bits) A second common condition where Cisco IOS will permit an abbreviation term in the extended access list wildcard mask is when the administrator wants to match all the bits of an entire IP host address. Consider a network administrator who wants to specify that a specific IP host address will be denied in an access list test. To indicate a host IP address, the administrator would enter the full address, for example, ; then to indicate that the access list should check all the bits in the address, the corresponding wildcard mask bits for this address would be all zeros (that is, ). The administrator can use the abbreviation host to communicate this same test condition to Cisco IOS access list software. In the example, instead of typing , the administrator can use the word host. An example of using this abbreviation as an access list test condition is the string host. Abbreviate the wildcard using the IP address followed by the keyword host. For example, host Example checks all the address bits
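The wildcard-mask rule described on the preceding slides (0 = check the bit, 1 = ignore it), the subnet 16 to 31 example, and the any and host abbreviations, worked through in code. This is an added example, not code from the slides or from Cisco IOS; the 172.30.x.x address is constructed, because the slides only say "a Class B address with eight bits of subnetting".

```python
"""Wildcard-mask semantics of Cisco IP access lists (added example, not
from the original slides).  A 0 bit in the wildcard means "check this
address bit"; a 1 bit means "ignore it", the reverse of a subnet mask.
The 172.30.16.0 address used below is a constructed sample."""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address or wildcard mask -> 32-bit integer."""
    return int(IPv4Address(dotted))


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """Compare only the bit positions whose wildcard bit is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit is checked
    return (to_int(address) & care) == (to_int(candidate) & care)


# The two abbreviations from the slides, written out as address/wildcard pairs.
ANY = ("0.0.0.0", "255.255.255.255")            # ignore every bit: any address


def host(address: str) -> tuple:
    """`host A.B.C.D` is shorthand for `A.B.C.D 0.0.0.0` (check every bit)."""
    return (address, "0.0.0.0")


def matched_third_octets(address: str, wildcard: str) -> list:
    """Which values of the third (subnet) octet match, for a Class B address
    with eight bits of subnetting.  Two different host octets are tried so a
    subnet only counts when the mask really ignores the host bits."""
    first, second, _, _ = address.split(".")
    hits = set()
    for subnet in range(256):
        for hostpart in (1, 254):
            candidate = f"{first}.{second}.{subnet}.{hostpart}"
            if wildcard_matches(address, wildcard, candidate):
                hits.add(subnet)
    return sorted(hits)


def explain_wildcard_octet(wildcard_octet: int) -> str:
    """Render one wildcard octet bit by bit, as the slide's table does."""
    bits = f"{wildcard_octet:08b}"
    return " ".join("check" if b == "0" else "ignore" for b in bits)


if __name__ == "__main__":
    # Wildcard 0.0.15.255: third octet 00001111 keeps the "16" bit and the
    # higher bits, ignores the low four bits, so subnets 16..31 match.
    print(explain_wildcard_octet(15))
    print(matched_third_octets("172.30.16.0", "0.0.15.255"))
```

matched_third_octets shows the slide's reasoning directly: with wildcard 0.0.15.255 the list is 16 through 31, and with 0.0.0.255 only subnet 16 itself matches. wildcard_matches with ANY or host(...) reproduces what the any and host keywords expand to.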

279 IP Standard Access List Configuration
Router (config) # access-list access-list-number { permit | deny } source [source-mask] Sets parameters for this list entry IP standard access lists use 1 to 99 Router (config) # ip access-group access-list-number { in | out } The access-list command creates an entry in a standard traffic filter list. Command Description access-list access-list-number Identifies the list to which the entry belongs; a number from 1 to 99. permit | deny Indicates whether this entry allows or blocks traffic from the specified address. source Identifies source IP address. source-mask Identifies which bits in the address field are matched. It has a 1 in positions indicating "don't care" bits, and a 0 in any position that is to be strictly followed. The ip access-group command links an existing access list to an outbound interface. Only one access list per port per protocol per direction is allowed. ip access-group access-list-number Indicates the number of the access list to be linked to this interface. in | out Selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default. Note To remove an access list, first enter the no access-group command with all of its set parameters, then enter the no access-list command with all of its set parameters. Activates the list on an interface

280 Inbound Access List Processing
For Standard IP Access Lists No Incoming packet Access list? Yes Next entry in list Does source address match? Yes No More entries? Yes Apply condition No An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the packet. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet. For inbound standard access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router exits the access list and continues to process the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message. Note that the action taken if no more entries are found in the access list is to deny the packet. This illustrates an important concept to remember when creating access lists. The last entry in an access list is what is known as an "implicit deny any". All traffic not explicitly permitted will be implicitly denied. Route to interface Deny Permit ICMP Message Forward Packet

281 Outbound Access List Processing
For Standard IP Access Lists No Incoming packet Route to interface Access list? Yes Next entry in list Does source address match? Yes No More entries? Yes Apply condition No For outbound standard IP access lists, after receiving and routing a packet to a controlled interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list denies the address, the router discards the packet and returns an ICMP Host Unreachable message. The primary difference between a standard access list and an extended access list is that the latter may continue to check other information in the packet against the access list after the source address has been found to match. Deny Permit ICMP Message Forward Packet

282 Standard Access List Example
Non S0 E0 E1 access-list 1 permit (implicit deny all - not visible in the list) (access-list 1 deny ) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out In the example: Command Description access-list 1 Access list number; indicates this is a simple list. permit Traffic that matches selected parameters will be forwarded. IP address that will be used with the wildcard mask to identify the source network. Wildcard mask; 0s indicate positions that must match, 1s indicate "don't care" positions. ip access-group 1 out Links the access list to an outgoing interface. This access list allows only traffic from source network to be forwarded. Non network traffic is blocked. Permit my network only

283 Extended IP Access Lists
Allow more precise filtering conditions check source and destination IP address Specify an optional IP protocol port number Use access list number range 100 to 199 The standard access list (numbered 1 to 99) may not provide the traffic-filtering control you need. Standard access lists filter based on a source address and mask. Standard access lists permit or deny the entire TCP/IP protocol suite. You may need a more precise way to configure your firewall policy. For more precise traffic-filtering control, use extended IP access lists. Extended IP access list statements check for source address and for destination address. In addition, at the end of the extended access list statement, you gain additional precision from a field that specifies the optional TCP or UDP protocol port number. These can be the well-known port numbers for TCP/IP. A few of the most common port numbers are as follows: Well-Known Port Number (Decimal) IP Protocol 20 File Transfer Protocol (FTP) data 21 FTP program 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 69 Trivial File Transfer Protocol (TFTP) 53 Domain Name System (DNS) By using this option, you can specify the logical operation the extended access list will perform on specific protocols. Extended access lists use a number from the range 100 to 199.

284 Extended Access List Configuration
Router (config) # access-list access-list-number { permit | deny } protocol source source-mask destination destination-mask [operator operand] [established] Sets parameters for this list entry IP uses a list number in range 100 to 199 The access-list command creates an entry to express a condition statement in a complex filter. Command Description access-list access-list-number Identifies the list using a number in the range 100 to 199. permit | deny Indicates whether this entry allows or blocks the specified address. protocol IP, TCP, UDP, ICMP, GRE, IGRP source and destination Identifies source and destination IP addresses. source-mask and destination-mask Wildcard mask; 0s indicate positions that must match, 1s indicate "don't care" positions. operator and operand lt, gt, eq, neq (less than, greater than, equal, not equal), and a port number. established Allows TCP traffic to pass if the packet uses an established connection (for example, has ACK bits set). The ip access-group command links an existing extended access list to an outbound interface. Only one access list per port per protocol is allowed. ip access-group access-list-number Indicates the number of the access list to be linked to this interface. in | out Selects whether the access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default. ip access-group access-list-number { in | out } Activates the extended list on an interface

285 ICMP Command Syntax Filters based on icmp messages
Router (config) # access-list access-list-number { permit | deny } {source source-wildcard |any} {destination destination-wildcard | any } icmp [icmp-type [ icmp-code] | icmp-message ] Filters based on icmp messages Use the access-list icmp command to create an entry in a complex traffic filter list. The protocol keyword icmp indicates that an alternate syntax is being used for this command and that protocol-specific options are available. Command Description access-list access-list-number A number from 100 to 199. icmp permit | deny Whether this entry is used to allow or block the specified address(es) source and destination IP addresses source-wildcard and destination-wildcard Wildcard masks of address bits that must match. 0s indicate bits that must match, 1s are "don't care". any The keyword any, used in place of either the source or the destination address and its wildcard mask, is a shortcut for typing icmp-type (Optional) Packets can be filtered by ICMP message type. The type is a number from 0 to 255. icmp-code (Optional) Packets that have been filtered by ICMP message type can also be filtered by ICMP message code. The code is a number from 0 to 255. icmp-message (Optional) Packets can be filtered by a symbolic name representing an ICMP message type or a combination of ICMP message type and ICMP message code. A list of these names is provided on the following slide.

286 TCP Syntax Filters based on tcp/tcp port number or name
Router (config) # access-list access-list-number { permit | deny } tcp {source source-wildcard |any} [ operator source-port | source-port ] {destination destination-wildcard | any } [operator destination-port | destination-port ] [established] Use the access-list tcp command to create an entry in a complex traffic filter list. The protocol keyword tcp indicates that an alternate syntax is being used for this command and that protocol-specific options are available. Command Description access-list access-list-number A number from 100 to 199 tcp permit | deny Whether this entry is used to allow or block the specified address Source and destination IP addresses source-wildcard and destination-wildcard Wildcard mask of address bits that must match. 0s indicate bits that must match, 1s are "don't care" operator (Optional) A qualifying condition. Can be: lt, gt, eq, neq source-port and destination-port (Optional) A decimal number from 0 to or a name that represents a TCP port number established (Optional) A match occurs if the TCP datagram has the ACK or RST bits set. Filters based on tcp/tcp port number or name

287 UDP Syntax Filters based on udp protocol or udp port number or name
Router (config) # access-list access-list-number { permit | deny } udp {source source-wildcard |any} [ operator source-port | source-port ] {destination destination-wildcard | any } [operator destination-port | destination-port ] Filters based on udp protocol or udp port number or name The access-list udp command creates an entry in a complex traffic filter list. The protocol keyword udp indicates that an alternate syntax is being used for this command and that protocol-specific options are available. Command Description access-list access-list-number A number from 100 to 199 udp permit | deny Whether this entry is used to allow or block the specified address(es) Source and destination IP addresses source-wildcard and destination-wildcard Wildcard mask of address bits that must match. 0s indicate bits that must match, 1s are "don't care" any Use this keyword as an abbreviation for a source and source-wildcard, and destination and destination-wildcard of source-port and destination-port (Optional) A decimal number from 0 to or a name that represents a UDP port number operator (Optional) A qualifying condition. Can be: lt, gt, eq, neq

288 Extended Access List Processing
No packet Access list? Does not match Yes Match Source address Match Destination address Match Protocol? * Match Protocol options ? Apply condition Next entry in list Next entry in list Every condition tested must match in order for the line of the access list to match and the permit or deny condition to be applied. As soon as one parameter or condition fails, the next line in the access list is compared. The extended access list checks source address, protocol, and destination address. Depending on the protocol configured, there may be more protocol-dependent options tested. For example, a TCP port may be checked. This allows routers to filter at the application layer. Deny Permit ICMP Message Forward Packet * If present in access list

289 Extended Access List Example
Non S0 E0 E1 access-list 101 deny tcp eq 21 access-list 101 deny tcp eq 20 access-list 101 permit ip (implicit deny all) (access-list 101 deny ip ) interface ethernet0 ip access-group 101 out In this example: Command Description access-list 101 Access list number; indicates extended IP access list. deny Traffic that matches selected parameters will be blocked. tcp Transport-layer protocol. and Source IP address and mask; the first three octets must match, but do not care about the last octet. and Destination IP address and mask; the first three octets must match, but do not care about the last octet. eq 21 Specifies the well-known port number for FTP. eq 20 Specifies the well-known port number for FTP data. ip access-group 101 Links access list 101 to outgoing port interface E0. The permit statement allows traffic from subnet to be forwarded to all other networks or subnetworks via interface E0. Deny FTP for E0
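The processing rules of the preceding slides (top-to-bottom evaluation, first match wins, implicit deny at the end of both standard and extended lists, and the extra destination/protocol/port/established tests of an extended list), simulated in Python. This is an added example written for this page; it is not Cisco IOS code and only models the subset of access-list syntax the slides present. The addresses in the "Deny FTP for E0" list below are constructed samples standing in for the ones missing from the slide.

```python
"""Simulation of Cisco IOS access-list evaluation (added example, not code
from the slides).  Handles the standard form
    access-list N {permit|deny} SRC [WILDCARD]
and the extended form
    access-list N {permit|deny} PROTO SRC DST [eq|gt|lt|neq PORT] [established]
with the `any` and `host` abbreviations.  All addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")
OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b,
       "lt": lambda a, b: a < b, "neq": lambda a, b: a != b}
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69}          # well-known ports from the slide


def wc_match(address: str, wildcard: str, candidate: str) -> bool:
    """Wildcard compare: only bits whose wildcard bit is 0 are checked."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(address)) & care == int(IPv4Address(candidate)) & care


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip, tcp, udp, icmp
    sport: int = 0
    dport: int = 0
    ack: bool = False            # TCP ACK flag
    rst: bool = False            # TCP RST flag


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str
    src: tuple
    dst: tuple
    port_test: Optional[tuple] = None     # (operator, port) on the destination port
    established: bool = False

    def matches(self, p: Packet) -> bool:
        """Every configured condition must hold for the entry to match."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wc_match(*self.src, p.src) or not wc_match(*self.dst, p.dst):
            return False
        if self.port_test and not OPS[self.port_test[0]](p.dport, self.port_test[1]):
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def _take_addr(tokens: list, wildcard_required: bool) -> tuple:
    """Consume one address spec: any | host A | A W | A (standard lists only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if wildcard_required or (tokens and tokens[0].count(".") == 3):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")                       # standard list: bare host address


def parse_entry(line: str) -> tuple:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action, t = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:                          # standard: source test only
        return number, Entry(action, "ip", _take_addr(t, False), ANY)
    if 100 <= number <= 199:                       # extended
        proto = t.pop(0)
        src, dst = _take_addr(t, True), _take_addr(t, True)
        port_test, established = None, False
        while t:
            tok = t.pop(0)
            if tok in OPS:
                port = t.pop(0)
                port_test = (tok, PORT_NAMES.get(port) or int(port))
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported token {tok!r}")
        return number, Entry(action, proto, src, dst, port_test, established)
    raise ValueError(f"{number} is not an IP access list number")


class AccessList:
    def __init__(self, config_lines: list):
        numbers = set()
        self.entries = []
        for line in config_lines:
            n, e = parse_entry(line)
            numbers.add(n)
            self.entries.append(e)
        if len(numbers) != 1:
            raise ValueError("all statements must belong to one list")
        self.number = numbers.pop()

    def evaluate(self, p: Packet) -> str:
        """First matching entry decides; no match hits the implicit deny any."""
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"


# The slide's "Deny FTP for E0" list with constructed source/destination subnets.
DENY_FTP = AccessList([
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip 172.16.4.0 0.0.0.255 any",
])
```

The key behaviours to check against the slides: an FTP control packet from the constructed 172.16.4.0 subnet to 172.16.3.0 is denied by the first entry, the same packet to port 80 falls through to the permit statement, and a packet from a source not named anywhere reaches the end of the list and is dropped by the implicit deny, even though no deny statement names it.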

290 Monitoring Access Lists
Router# show ip interface Ethernet 0 is up, line protocol is up Internet address is , subnet mask is Broadcast address is Address determined by non-volatile memory MTU is 1500 bytes Helper address is Secondary address , subnet mask Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent IP fast switching is enabled Gateway Discovery is disabled IP accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Router # Outgoing access list 10 is set Inbound access list is not set The show ip interface command displays IP interface information and indicates whether any access lists are set.

291 Access List show Command
Router # show access-lists Display access lists from all protocols Router # show ip access-lists [access-list-number] Display a specific IP access list Router # clear access-lists counters [ access-list-number] Clear packet counts Router # Use the show access-lists command to display access lists from all protocols. Use the show ip access-lists command to display IP access lists. Command Description show ip access-list access-list-number (Optional) Shows a specific list. If this option is not specified, then all IP access lists are displayed. The system counts how many packets pass each line of an access list; the counters are displayed by the show access-list command. Use the clear access-list counters command in EXEC mode to clear the counters of an access list. Use the show line command to display information about terminal lines. show line Display line configuration

292 Monitoring Access List Statements
Router> show access-lists Standard IP access list 19 permit Standard IP access list 49 permit wildcard bits permit wildcard bits permit wildcard bits permit wildcard bits permit wildcard bits Extended IP access list 101 permit tcp eq 23 Type code access list 201 permit 0x x0000 Type code access list 202 permit 0x x0000 deny 0x xFFFF Router> deny , wildcard bits The show access-lists command displays the contents of all access lists. This Cisco IOS command provides more details about the access list statements. By entering the access list name or number as an option for this command, you can see a specific list.

293 Restricting Virtual Terminal Access

294 Virtual Terminal Access Overview
Router# Standard and extended access lists will not block access from the router For security, virtual terminal (vty) access can be blocked to or from the router Standard and extended access lists will block packets from going through the router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router-initiated Telnet sessions, by default. For security purposes, users can be denied virtual terminal (vty) access to the router, or users can be permitted vty access to the router but denied access to destinations from that router. Restricting virtual terminal access is less a traffic control mechanism than one technique for increasing network security. Vty access is accomplished using the Telnet protocol. As a result, there is only one type of vty access list.

295 How to Control vty Access
Physical port (E0) 4 Virtual port (vty 0 4) 1 2 3 Router# Router# Five virtual terminal lines (0-4) Set identical restrictions on all the virtual terminal lines Just as there are physical ports or interfaces such as E0 and E1, there are also virtual ports. These virtual ports are called virtual terminal lines. There are five such virtual terminal lines, numbered vty 0 through 4. You must set identical restrictions on all virtual terminal lines because you cannot control on which virtual terminal line a user will connect.

296 Virtual Terminal Line Commands
Router (config) # line { vty-number | vty-range } Enters configuration mode for a terminal line or a range of lines Router (config-line) # access-class access-list-number { in | out } Restricts incoming and outgoing connections between a particular virtual terminal line into a device (and the addresses in an access list) Use the line command to place the router in line configuration mode. Command Description line vty vty-number Indicates the number of the line to be configured vty-range Indicates the lines to which the configuration will apply. Use the access-class command to link an existing access list to a terminal line or range of lines. Command Description access-class access-list-number Indicates the number of the access list to be linked to a terminal line. This is a decimal number from 1 to 99. in Restricts incoming connections between a particular Cisco device and the addresses in the access list. out Restricts outgoing connections between a particular Cisco device and the addresses in the access list

297 Virtual Terminal Access Example
Controlling Inbound Access access-list 12 permit ! line vty 0 4 access-class 12 in Permits only hosts in network to connect to the virtual terminal ports on the router In this example, we are permitting any device on network to establish a virtual terminal (Telnet) session with the router. Of course, the user must know the appropriate passwords to enter user mode and privileged mode. Notice that identical restrictions have been set on all virtual terminal lines (0-4) because you cannot control on which virtual terminal line a user will connect. The implicit deny any still applies in an alternate application such as limiting virtual terminal access.

298 Novell IPX Access Lists

299 Key Concepts for IPX Access Lists
IPX addressing uses a network.node and a socket number Standard lists (800 to 899) can filter source and destination address Access lists (1000 to 1099) are SAP filters for service types and servers on one or more networks Other access list number ranges offer additional Novell software filters (examples: GNS, RIP, NLSP) Novell addressing is based on network.node.socket. The network number is assigned by the administrator; the node portion is derived from the MAC address of the individual interface. Serial lines adopt the MAC address of another interface in the creation of their logical addresses. The socket number refers to a process or application (somewhat like the TCP segment). Every NetWare file server has an internal IPX network number and performs IPX routing. External IPX networks attach to router interfaces. The IPX network number assigned on a Cisco router's interface must be unique and consistent with the network numbers known to the file server. IPX standard access lists use numbers in the range 800 to 899. These access lists check for either source address or both source and destination address. To identify parts of the address to check or ignore, IPX standard access lists use a wildcard mask that operates like the mask used with IP addresses. To control the traffic from the Service Advertisement Protocol (SAP), use SAP filters that use numbers in the range 1000 to Several other packet and route filters can help manage IPX overhead traffic. For example, access lists can control Get Nearest Server (GNS) from clients to servers, Routing Information Protocol (RIP), and NetWare Link Services Protocol (NLSP).

300 IPX Standard Access List Configuration
Router (config) # access-list access-list-number { deny | permit } source-network [.source-node] [source-node-mask] [destination-network] [.destination-node] [destination-node-mask] Sets parameters for this list entry Standard access list uses list-number in range 800 to 899 Router (config) # Use the access-list command to filter traffic in an IPX network. Using filters on the outgoing router interface allows or restricts different protocols and applications on individual networks. Command Description access-list access-list-number Access list number for an IPX filter list from 800 to 899. protocol Number of the protocol type, can be: 0=any protocol (refer to socket number below), 1=RIP, 4=SAP, 5=SPX, 17=NCP, 20=IPX NetBIOS. source-network Source network number, expressed in eight-digit hexadecimal. source-node Node number on the source network. Represented as a 48-bit value shown in a dotted triplet of 4-digit hexadecimal numbers. destination-network Network number to which the packet is being sent. destination-node Node on the destination network to which the packet is being sent. Use the ipx access-group command to link an IPX traffic filter to an interface. ipx access-group access-list-number Access list number for an IPX filter list from 800 to 899. ipx access-group access-list-number Activates the IPX standard access list on an interface

301 Standard IPX Access List Example
Client Server network 2b network 4d E1 E0 Client E2 ipx routing access-list 800 permit 2b 4d (implicit deny all) int e 0 ipx network 4d ipx access-group 800 int e 1 ipx network 2b int e 2 ipx network 3c network 3c In the example: access-list 800 permit 2b 4d Command Description 800 Specifies a Novell IPX standard access list. permit Traffic matching the selected parameters will be forwarded. 2b Source network number. 4d Destination network number. (implicit deny all) Not a valid configuration command, just a reminder that access lists filter traffic not specified to be forwarded. ipx access-group 800 Links access list 800 to outgoing interface E0. Traffic from network 2b destined for network 4d will be forwarded out Ethernet 0. The access list is applied to an outgoing interface and filters outbound packets. Notice that the other interfaces E1 and E2 are not subject to the access list; they lack the access group statement to link them to access list 800. E2

302 Why to Control IPX Overhead
B client Find Server server Advertising Routing server server Advertising Routing Advertising Routing Advertising Routing server IPX routing and advertising processes were developed to run on LANs. As LANs interconnect with slower, more costly WAN links, concerns increase about the overhead traffic from IPX control packets reducing the bandwidth available for user application traffic. IPX servers broadcast service advertising (SAP) details every 60 seconds. Routers broadcast routing information and metrics to other IPX routers. The graphic shows four IPX routers: the two servers A and C, as well as the two Cisco routers. Whenever a client workstation starts up, it sends its own SAP broadcast to find a server; then from the nearest server, the client can log in to a target server and run network applications from network drives. Whenever packets from these protocols are unwanted, a network administrator can set up IPX access lists. With the standard access lists in this chapter, the permit/deny filtering acts on all IPX packets for the interface addresses. C WAN Link Flooded with Overhead Traffic Frequent updates reduce the bandwidth for user traffic

303 Normal IPX SAP Operation
Figure: a large IPX network of servers/routers A to D, each with its own SAP table, and two clients. SAP broadcasts synchronize the list of available services. The NetWare file server acts like an IPX router, and the Cisco router acts like a SAP server. If the router passed on a SAP every time it received one, the WAN link would be flooded with SAP traffic, so the router does not forward SAP broadcasts. Instead, both file servers and routers listen to SAP messages and build a SAP table. Every device that builds a SAP table advertises it every 60 seconds. This can still result in considerable overhead, because all these servers and routers send their complete SAP table every 60 seconds.

304 How to Use SAP Filters
SAP filter goals for the example network:
· deny type 7 (print server) SAPs from 2a
· deny type 98 (access server) SAPs from 5b
· deny type 24 (router) SAPs to 7c
· deny type 4 (file server) SAPs from 4a
· deny type 26a (NMS) SAPs
· deny type 7a (NetWare for VMS) SAPs from *8
· permit the remaining SAPs
You must carefully plan for SAP filtering before configuring. Make sure that all clients will still see the advertisements necessary and sufficient for their application processing. Enter the SAP filters, as global access-list commands, in every router where you want them to operate. A table of the most common SAP numbers follows.
SAP number: server type
4: NetWare file server
7: Print server
24: Remote bridge server (router)
Place SAP filters close to the source. Proper placement of SAP filters conserves critical bandwidth, especially on serial links. Note: SAP filters must be set up on all routers where the filtering is needed; a single router without the filter still learns and re-advertises the service.

305 How to Use SAP Filters (cont.)
Figure: an input filter keeps filtered SAPs out of the SAP table; an output filter keeps filtered SAPs out of the SAP table that is sent. When a SAP advertisement arrives at the router interface, its contents are placed in the SAP table in main memory. The contents of the table are propagated during the next SAP update. Two types of access list filters control SAP traffic: · IPX input SAP filter: when a SAP input filter is in place, the services entered into the SAP table are reduced. The propagated SAP updates represent the entire table, but the table itself contains only a subset of all services. · IPX output SAP filter: when a SAP output filter is in place, the services propagated from the table are reduced. The propagated SAP updates represent a portion of the table contents and are a subset of all the known services. Apply the access list to the interface as an input or output SAP filter.

306 SAP Filter Configuration
Router(config)# access-list access-list-number {deny | permit} network[.node] [network-mask.node-mask] [server-type [server-name]]
Creates an entry in a SAP filter list.
Router(config-if)# ipx input-sap-filter access-list-number
Activates the input SAP filter on the interface.
Router(config-if)# ipx output-sap-filter access-list-number
Activates the output SAP filter on the interface.
Use the access-list command to control propagation of SAP messages.
access-list-number: Number from 1000 to 1099; indicates a SAP filter list.
network[.node]: Novell source internal network number with optional node number; -1 means all networks.
network-mask.node-mask: Mask to be applied to the network and node. Place ones in the positions to be masked.
server-type: SAP service type to filter. Each SAP service type is identified by a hexadecimal number.
server-name: Name of the server providing the specified service type.
The ipx input-sap-filter and ipx output-sap-filter commands place a SAP filter on an interface. The choice of input or output determines whether SAPs are filtered before entry into the SAP table, or whether the SAP table contents are filtered during the next update. SAP table content can also be filtered on input by sending router, with the ipx router-sap-filter command, which identifies the routers from which SAP advertisements may be received.

307 SAP Filter Example 1: file services from Novell server C (network 9e) are not advertised across serial 0 to A or B
    access-list 1000 deny 9e 4
    access-list 1000 permit -1
    interface ethernet 0
     ipx network 9e
    interface ethernet 1
     ipx network 4a
    interface serial 0
     ipx network 1
     ipx output-sap-filter 1000
In the example, access-list 1000 deny 9e 4:
1000: An access list number in the Novell SAP filter range.
deny: SAP services matching the selected parameters will be blocked.
9e: Source network address of the SAP advertisement.
4: Type of SAP service; type 4 advertises file service.
access-list 1000 permit -1:
1000: Access list number.
permit: SAP services matching the parameters will be forwarded.
-1: Source network number; -1 means all networks.
ipx output-sap-filter 1000: Places list 1000 on interface serial 0 as an output SAP filter.
File server advertisements from network 9e will not be forwarded on interface serial 0 (S0). All other SAP services from any source will be forwarded on interface S0. The router's own SAP table still holds the service; only the update leaving S0 omits it.

308 SAP Filter Example 2: print services from Novell servers C and D are not entered into the SAP table
    access-list 1001 deny -1 7
    access-list 1001 permit -1
    interface ethernet 0
     ipx network 9e
    interface ethernet 1
     ipx network 4a
    interface serial 0
     ipx network 1
     ipx input-sap-filter 1001
In the example, access-list 1001 deny -1 7:
1001: An access list number in the Novell SAP filter range.
deny: SAP services matching the selected parameters will be blocked.
-1: Source network number; -1 means any source network.
7: Type of SAP service; type 7 advertises print service.
access-list 1001 permit -1:
1001: Access list number.
permit: SAP services matching the parameters will be forwarded.
-1: Source network number; -1 means all networks.
ipx input-sap-filter 1001: Places list 1001 on interface serial 0 as an input SAP filter; the goal here is to keep the advertisements out of the table, so the input form is used rather than the output form of Example 1.
Print server advertisements from servers C and D will not be entered into the SAP table. All other SAP services from any source will be added to the SAP table.
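As an added example (written for this page; not Cisco code), the following Python models how IOS evaluates the IPX lists shown in this chapter: the standard list from the access-list 800 permit 2b 4d example (source network, destination network, applied outbound with ipx access-group) and the SAP filter lists from examples 1 and 2 (source network, service type, applied as input or output SAP filters). It shows the first-match rule, the -1 wildcard, a shorter entry leaving later fields unconstrained, and the implicit deny. The packets and SAP advertisements it runs over are constructed test data.

```python
# Added example, written for this page (not Cisco code): a small model of how
# IOS evaluates IPX access lists, covering the standard list from the
# "access-list 800 permit 2b 4d" example (source network, destination network)
# and the SAP filter lists from examples 1 and 2 (source network, service type).
# Every list ends with an implicit deny; -1 is the IOS wildcard network.
# The packets and SAP advertisements below are constructed test data.

ANY_NET = -1


def _field(token):
    """IPX networks and SAP service types are written in hexadecimal; -1 = any."""
    return ANY_NET if token == "-1" else int(token, 16)


class IpxAccessLists:
    def __init__(self):
        self.entries = {}            # list number -> [(action, [fields...]), ...]

    def add(self, statement):
        """Accept one 'access-list <n> {permit|deny} <net> [<net>|<type>]' line."""
        parts = statement.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError("malformed statement: %r" % statement)
        number = int(parts[1])
        if not (800 <= number <= 899 or 1000 <= number <= 1099):
            raise ValueError("only standard (800-899) and SAP (1000-1099) lists are modelled")
        self.entries.setdefault(number, []).append((parts[2], [_field(p) for p in parts[3:]]))

    def evaluate(self, number, *fields):
        """First matching entry wins. An entry that names fewer fields than the
        traffic carries leaves the rest unconstrained ('permit -1' matches every
        service type). Nothing matched means the implicit deny."""
        for action, wanted in self.entries.get(number, []):
            if all(w == ANY_NET or w == f for w, f in zip(wanted, fields)):
                return action
        return "deny"


def forward_outbound(acl, access_group, packets):
    """'ipx access-group <n>' on an outgoing interface: drop what the list denies.
    access_group is None for an interface without the command (E1, E2 above)."""
    if access_group is None:
        return list(packets)
    return [p for p in packets
            if acl.evaluate(access_group, p["src_net"], p["dst_net"]) == "permit"]


def build_sap_table(acl, input_filter, received):
    """'ipx input-sap-filter <n>': denied services never enter the SAP table."""
    return [s for s in received
            if input_filter is None or acl.evaluate(input_filter, s["net"], s["type"]) == "permit"]


def sap_update(acl, output_filter, table):
    """'ipx output-sap-filter <n>': the 60-second update carries only what the
    list permits; the router's own table is unchanged."""
    return [s for s in table
            if output_filter is None or acl.evaluate(output_filter, s["net"], s["type"]) == "permit"]


# Statements from the page, loaded into one store.
ACL = IpxAccessLists()
for line in ("access-list 800 permit 2b 4d",
             "access-list 1000 deny 9e 4",       # file-service SAPs from network 9e
             "access-list 1000 permit -1",
             "access-list 1001 deny -1 7",       # print-service SAPs from anywhere
             "access-list 1001 permit -1"):
    ACL.add(line)

# Constructed traffic: two client packets and four SAP advertisements.
PACKETS = [{"src_net": 0x2B, "dst_net": 0x4D, "who": "client on 2b"},
           {"src_net": 0x3C, "dst_net": 0x4D, "who": "client on 3c"}]
SAPS = [{"net": 0x9E, "type": 0x4, "name": "C_FILE"},
        {"net": 0x9E, "type": 0x7, "name": "C_PRINT"},
        {"net": 0x4A, "type": 0x4, "name": "D_FILE"},
        {"net": 0x4A, "type": 0x7, "name": "D_PRINT"}]


def names(saps):
    return [s["name"] for s in saps]


if __name__ == "__main__":
    print("E0 forwards:", [p["who"] for p in forward_outbound(ACL, 800, PACKETS)])
    print("SAP table with input filter 1001:", names(build_sap_table(ACL, 1001, SAPS)))
    print("S0 update with output filter 1000:", names(sap_update(ACL, 1000, SAPS)))
```

Running it shows only the 2b-to-4d packet leaving E0, a SAP table that never learned the two print services, and an outgoing update that still carries everything except the file service from network 9e. Before deploying a real filter, walk the goal list from slide 304 through a check like this so that a deny placed too early does not swallow a service clients still need.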

309 Monitoring IPX Access List
dtp-19# sh ipx int et1/1
Ethernet0 is up, line protocol is up
  IPX address is c0d.724f, NOVELL-ETHER [up] line-up
  Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
  IPXWAN processing not enabled on this interface
  IPX SAP update interval is 1 minute(s)
  IPX type 20 propagation packet forwarding is disabled
  Incoming access list is not set
  Outgoing access list is not set
  IPX helper access list is not set
  SAP GNS processing enabled, delay 0 ms, output filter list is not set
  SAP Input filter list is not set
  SAP Output filter list is not set
  SAP Router filter list is not set
  Input filter list is not set
  Output filter list is not set
  Router filter list is not set
  Netbios Input host access list is not set
  Netbios Input bytes access list is not set
  Netbios Output host access list is not set
  Netbios Output bytes access list is not set
  Update time is 60 seconds, aging multiples RIP: 3 SAP: 3
 -- More --
dtp-19# sh access-lists
IPX access list 800
    deny 8000
IPX access list 801
    deny FFFFFFFF
The show ipx interface command displays the filter configuration of the interface. In this capture no lists are bound yet (every filter line reads "not set"); once ipx access-group and the SAP filter commands are applied, the Incoming/Outgoing access list lines and the SAP Input/Output filter list lines show the list numbers, for example 800 inbound and 801 outbound. The show access-lists command displays the contents of lists 800 and 801. Check both after every change: a list that exists but is not bound to an interface filters nothing.

310 AppleTalk Access Lists

311 Testing Packets with Access Lists An example Using an AppleTalk Packet
Figure: frame header (for example Ethernet), packet (DDP header), upper-level headers, data; the access list statements test the packet's cable range and ZIP information and then permit or deny it. For the AppleTalk packet filters covered in this chapter, Cisco IOS access lists check the packet header for: · Cable range or network numbers, with access lists identified by a number in the range 600 to 699. · Zone Information Protocol (ZIP) replies, with zip-reply-filter access lists, also identified by a number in the range 600 to 699. For all of these AppleTalk access lists, after a packet is checked for a match with the access list statement, it can be denied or permitted to use an interface in the access group. Note: Cisco IOS offers several other forms of access lists for AppleTalk packets. Refer to the Cisco Connection Documentation, Enterprise Series CD-ROMs for further information.

312 Key Concepts for AppleTalk Access Lists
AppleTalk lists (600 to 699) offer several packet filters: filter extended networks or cable ranges; select partial cable-range filters within extended networks; zones divide networks into communities of interest; use lists to limit ZIP traffic. A key AppleTalk concept hides network numbering from end users. End users see zones and resources, while numerical configuration is a hidden matter for the network administrator. Administrators can use AppleTalk filters to control traffic by referring to the 16-bit network number portion of a full 24-bit address. Because the node portion is dynamically assigned as AppleTalk nodes come up, node numbers are not predictable and cannot be used in access list entries. Although earlier AppleTalk networks offered a single nonextended network on a single medium, current AppleTalk uses extended addressing. This means that more than one AppleTalk network can occupy the same physical medium. One or more AppleTalk networks on the medium are expressed as the cable range. An administrator can filter an entire cable range. Alternatively, by including the keyword "within," an administrator can select portions of a cable range for access list testing. One use of a partial cable range is when an AppleTalk administrator establishes a broad cable range for an interface to a location (say a remote regional office), then wants to identify subsets of the cable range for the various departments at the regional office. The administrator specifies access-list filters appropriate to the different departments. Then access to the interface can be permitted or denied within the cable-range subsets appropriate for each of the departments. ZIP filters are one method for reducing AppleTalk zone information update traffic.

313 AppleTalk Network Structures
Figure: zone Users containing an extended network, zone Bldg D 1st floor containing nonextended network 130, and zone Bldg-13. It has become commonplace for routed AppleTalk networks to evolve into complex internetworks. As growth extends across LANs and serial lines, access list controls involve several AppleTalk network structures. The first is the grouping of networks and their resources into zones. These are arbitrary subsets of nodes within the AppleTalk internetwork. One zone called Users contains a separate group of resources from those in the zones Bldg D 1st floor and Bldg-13. Current AppleTalk internetworks use extended network addresses. For example, an Ethernet transmission medium in zone Users can contain networks in the contiguous network number range of 200 to 205. Older internetworks continue using nonextended network addressing, such as network 130 in Bldg D 1st floor. The user's application sends output to the print manager. For network access, the routing tables and zone information direct the user's output from its source to the destination zone containing the selected printer. The administrator can use access lists to control traffic based on network and cable-range selections.

314 AppleTalk Access List Procedures
Access list configuration: choose an AppleTalk list number, specify permit or deny access, and enter the source network or cable range. Access group configuration: apply the list number to an interface to filter data or specified overhead packets. Figure: zones HQ and ENG; networks 120 and 130 on E0 and E1, a serial link on S0; R = AppleTalk RTMP, Z = AppleTalk ZIP. To configure AppleTalk numbered access lists, select a unique access list number from within the range 600 to 699. As with the other protocols, each AppleTalk access list statement requires a permit or deny to specify the traffic control applied at potential outgoing interfaces. With phase 1 addressing, specify a single network number such as network 130. More commonly, specify phase 2 addresses by entering a cable range such as 100 to 105. As a further alternative, the administrator can specify AppleTalk networks from within a partial cable range. For example, an access list statement can target AppleTalk networks 201 to 204 from within the complete cable range of 200 to 205. As with other access lists, an implicit deny performs the last test of the access list. In AppleTalk, the default is to deny all other network access. The appletalk access-group command applies the AppleTalk access list to one or more interfaces. By filtering networks, the administrator can permit or prevent data packets and routing update packets on the specified interface. Routing updates use the AppleTalk Layer 3 protocol Routing Table Maintenance Protocol (RTMP). Access list control involving zone updates controls ZIP traffic. These access lists focus on GetZoneList (GZL) packets. The administrator must use separate access list statements for zone filtering. The procedures involving GZL are covered in the ACRC course.

315 AppleTalk Access List Commands
Router(config)# access-list number {deny | permit} cable-range cable-range
Defines a full cable-range filtering parameter.
Router(config)# access-list number {deny | permit} within cable-range
Defines a partial cable-range filtering parameter.
Router(config)# access-list number {deny | permit} other-access
Defines the default action for other networks and cable ranges.
Router(config-if)# appletalk access-group access-list-number
Links the traffic filter to an interface.
The access-list cable-range command permits or denies an entire cable range, matched exactly. The access-list within variation permits or denies networks that lie entirely inside the given range. In either case specify a start and end network number separated by a hyphen. The access-list other-access command defines the default action (permit or deny) to take for networks or cable ranges that no earlier entry matched. The appletalk access-group command links the access list to one or more specified interfaces.

316 Controlling Access Example
Figure: zone 1 and zone 2; router A with interfaces E0, E1 and S0, the Bldg. 1 networks on E0 and network 120 on E1. From the access list in router A:
    access-list 601 deny within cable-range
    access-list 601 permit within cable-range
    interface ethernet 0
     appletalk access-group 601
In the example, the access list shows configuration statements in router A. access-list 601 deny within cable-range field descriptions: 601: specifies this as an AppleTalk access list. deny: traffic matching the specified parameters will be blocked. within cable-range: sets the range of networks to deny. access-list 601 permit within cable-range: permit: traffic matching the specified parameters will be allowed access. within cable-range: sets the remaining networks in the cable range to permit. appletalk access-group 601: applies list 601 to interface E0 as a cable-range filter for AppleTalk networks.

317 ZIP Reply Filter Configuration
Limit ZIP traffic between routers.
Router(config)# access-list number {deny | permit} zone zone-name
Defines filtering for the specified zone.
Router(config)# access-list number {deny | permit} additional-zones
Defines default filtering for all other zones.
Router(config-if)# appletalk zip-reply-filter access-list-number
Links the zone filter to an interface.
Use the access-list zone command to create an entry in the zone filter list. It must use an access list number in the range 600 to 699.
access-list-number: The number of the access list; an integer in the range 600 to 699.
zone-name: The name assigned to the zone being filtered.
Use the appletalk zip-reply-filter command to assign the access list to an interface. The ZIP reply filter limits the zones that other AppleTalk routers can see through this router: zones the list denies are left out of the router's ZIP replies, so routers on the far side of the interface never learn them.

318 Monitoring AppleTalk Access Lists
Router> show appletalk access-lists AppleTalk access list 601: permit zone ZoneA permit zone ZonB deny additional-zones permit network 55 permit network 500 permit cable-range deny includes permit within deny other-access Use the show appletalk access-lists command to display the access lists that are set up for AppleTalk.
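As an added example (written for this page; not Cisco code), the following Python shows how the entry types listed on the slides above and in this show output match traffic: cable-range (exact match), within (range entirely inside), includes (any overlap), network (a single nonextended network), other-access as the network default, and zone / additional-zones for ZIP reply filtering. The show output omits the numeric ranges, so the list below assumes ranges for the cable-range, includes and within entries; single-word zone names are also an assumption.

```python
# Added example, written for this page (not Cisco code): how the AppleTalk
# access-list entries shown in the examples above (cable-range, within,
# includes, network, other-access, zone, additional-zones) match a packet's
# source cable range or a ZIP reply's zone name. The list below is modelled on
# the 'show appletalk access-lists' output above; the numeric cable ranges that
# output omits are assumed here, as is the use of single-word zone names.

from collections import namedtuple

Entry = namedtuple("Entry", "action kind arg")
_RANGE_KINDS = ("cable-range", "includes", "within")


def _parse_range(text):
    """'200-205' -> (200, 205); a single number is a one-network range."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if lo > hi:
        raise ValueError("cable range %s is reversed" % text)
    return lo, hi


def parse_entry(statement):
    """Parse 'access-list <600-699> {permit|deny} <kind> [<arg>]'."""
    parts = statement.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError("malformed statement: %r" % statement)
    number, action, kind = int(parts[1]), parts[2], parts[3]
    if not 600 <= number <= 699:
        raise ValueError("AppleTalk lists use numbers 600-699")
    if kind in _RANGE_KINDS + ("network", "zone") and len(parts) < 5:
        raise ValueError("entry kind %r needs an argument" % kind)
    if kind in _RANGE_KINDS:
        arg = _parse_range(parts[4])
    elif kind == "network":
        arg = int(parts[4])
    elif kind == "zone":
        arg = " ".join(parts[4:])
    elif kind in ("other-access", "additional-zones"):
        arg = None
    else:
        raise ValueError("unknown entry kind %r" % kind)
    return number, Entry(action, kind, arg)


def _range_matches(entry, rng):
    lo, hi = rng
    if entry.kind == "network":      # nonextended (phase 1) network: exact single number
        return lo == hi == entry.arg
    if entry.kind == "cable-range":  # extended range must match exactly
        return (lo, hi) == entry.arg
    if entry.kind == "within":       # range lies entirely inside the entry's range
        return entry.arg[0] <= lo and hi <= entry.arg[1]
    if entry.kind == "includes":     # any overlap with the entry's range
        return lo <= entry.arg[1] and entry.arg[0] <= hi
    return False


def check_network(entries, rng):
    """Data-packet / RTMP filtering (appletalk access-group): first matching
    network entry wins; 'other-access' is the default; with no default, the
    implicit deny applies."""
    for e in entries:
        if e.kind in _RANGE_KINDS + ("network",) and _range_matches(e, rng):
            return e.action
    default = [e for e in entries if e.kind == "other-access"]
    return default[0].action if default else "deny"


def check_zone(entries, zone):
    """ZIP reply filtering (appletalk zip-reply-filter): zone entries first,
    then 'additional-zones' as the default, then the implicit deny."""
    for e in entries:
        if e.kind == "zone" and e.arg == zone:
            return e.action
    default = [e for e in entries if e.kind == "additional-zones"]
    return default[0].action if default else "deny"


def load(statements):
    lists = {}
    for s in statements:
        number, entry = parse_entry(s)
        lists.setdefault(number, []).append(entry)
    return lists


# Constructed list 601; the ranges after cable-range, includes and within are assumed.
LISTS = load([
    "access-list 601 permit zone ZoneA",
    "access-list 601 permit zone ZoneB",
    "access-list 601 deny additional-zones",
    "access-list 601 permit network 55",
    "access-list 601 permit network 500",
    "access-list 601 permit cable-range 100-105",
    "access-list 601 deny includes 200-205",
    "access-list 601 permit within 300-310",
    "access-list 601 deny other-access",
])

if __name__ == "__main__":
    for rng in ((55, 55), (100, 105), (100, 103), (203, 203), (190, 201), (302, 305), (130, 130)):
        print(rng, check_network(LISTS[601], rng))
    for zone in ("ZoneA", "Bldg-13"):
        print(zone, check_zone(LISTS[601], zone))
```

The point to notice when running it is the cable-range case: the range 100-103 is not permitted even though it lies inside 100-105, because cable-range demands an exact match and the list's default is deny. Use within when subsets of a broad range should pass, and includes when any overlap should be caught.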

319 Summary
Access lists perform several functions within a Cisco router, including:
· Implement security/access procedures
· Determine whether packets need the dialer for WAN links
· Act as a protocol "firewall"
Extended access lists allow filtering on address, protocol, and application parameters.

320 Introduction to Serial Connections

321 Objectives Upon completion of this chapter, you will be able to:
Describe and distinguish the types and attributes of serial communication on WANs Describe how WAN communication works Identify Point-to-Point Protocol operations to encapsulate WAN data on Cisco routers Identify dial-on-demand routing processes as a signaling trigger for WAN data calls on Cisco routers

322 Wide-Area Network Service

323 An Overview of Wide-Area Services
Figure: call setup (SS7 or other), time-division multiplexed circuits (56/64 kbps or T1/E1), X.25/Frame Relay networks, and basic telephone service, all behind the provider's central office. A wide-area network (WAN) is different from a local-area network. With a WAN, you must subscribe to an outside WAN provider to use network resources that your organization does not own. Basic telephone service is the most commonly used WAN service. Telephone service and data service routed from the customer premises interface with the service provider's cloud at a central office (CO). An overview of the WAN cloud organizes WAN provider services into three main types: · Call setup service: sets up and clears calls between telephone users. Also called signaling, call setup uses a separate telephone channel not used for other traffic. The most commonly used call setup is Signaling System number 7 (SS7). It uses telephone control messages and signals between the transfer points along the way to the called destination. · Time-division multiplexing (TDM): information from multiple sources has bandwidth allocated on a single medium. Circuit switching uses signaling to determine the call route, which is a dedicated path between the sender and the receiver. By multiplexing traffic into fixed time slots, TDM avoids congested facilities and variable delays. Basic telephone service and Integrated Services Digital Network (ISDN) use TDM circuits. · X.25 or Frame Relay service: information contained in packets or frames shares nondedicated bandwidth. X.25 packet switching uses Layer 3 routing with sender and receiver addressing contained in the packet. By using virtual circuits (VCs), X.25 avoids delays for call setup. Frame Relay uses Layer 2 identifiers and permanent virtual circuits (PVCs). By streamlining functions, Frame Relay adjusts its bandwidth to handle bursty traffic.

324 Interfacing WAN Service Providers
Figure: from the customer premises equipment, through the demarcation and the local loop, to the CO switch and the WAN service provider's toll network of trunks and switches; a point-to-point or circuit-switched connection whose parameters the provider assigns to the subscriber. When your organization subscribes to an outside WAN provider for network resources, the provider assigns your organization the parameters for connecting WAN calls. Your organization makes connections to destinations as point-to-point calls. These are the most commonly used terms for the main parts: · Customer premises equipment (CPE): devices physically located on the subscriber's premises. Includes both devices owned by the subscriber and devices leased to the subscriber by the service provider. · Demarcation (or demarc): the juncture at which the CPE ends and the local loop portion of the service begins. Often occurs at a telecommunications closet. · Local loop (or "last mile"): cabling (usually copper wiring) that extends from the demarc into the WAN service provider's central office. · Central office (CO): a switching facility that provides the nearest point of presence for the provider's WAN service. Inside the long-distance toll network are several types of central offices. · Toll network: the collective switches and facilities (called trunks) inside the WAN provider's cloud. The caller's traffic may cross a trunk to a primary center, then go to a sectional center, and then to a regional or international carrier center as the call goes the long distance to its destination. Switches operate in provider offices with toll charges based on tariffs or authorized rates.

325 Subscriber to Provider Interface
Data terminal equipment (DTE): the end of the user's device on the WAN link. Data circuit-terminating equipment (DCE): the end of the WAN provider's side of the communication facility. Figure: on each side of the provider's switches, a DTE (router) attached to a DCE (modem, CSU/DSU, or TA/NT1). A key interface in the customer premises occurs between the data terminal equipment (DTE) and the data circuit-terminating equipment (DCE). Typically, the DTE is the router where the packet switching application resides. The DCE is the device used to convert the user data from the DTE into a form acceptable to the WAN service's facility. In the graphic, the DCE is the attached modem, channel service unit/data service unit (CSU/DSU), or terminal adapter/Network Termination 1 (TA/NT1). Data communication over WANs interconnects DTEs so they can share resources with each other over a wide area. The WAN path between the DTEs is called the link, circuit, channel, or line. The DCE primarily provides the interface of the DTE into the communication link in the WAN cloud. The DTE/DCE interface acts as a boundary where responsibility for the traffic passes between the WAN subscriber and the WAN provider. The DTE/DCE interface uses one of the various protocols available. These protocols establish the codes that the devices use to communicate with each other. This communication determines how call setup operates and how user traffic crosses the WAN.

326 Using WAN Services with Routers
Figure: switched or relayed services (X.25/LAPB, Frame Relay, ISDN); SDLC to the IBM data center; HDLC, PPP and DDR between peer routers. You can access three forms of WAN services with Cisco routers: · The first form uses switched or relayed services. A special device interfaces to a service provider's cloud. Examples of this form of WAN include X.25, Frame Relay, and ISDN. Chapters on each of these WAN services follow in this module. · The second form of WAN service provides an interface front end to the IBM enterprise data center computers. This form of WAN uses Synchronous Data Link Control (SDLC) for the point-to-point or point-to-multipoint connection of remote devices to the central mainframe. This topic is covered in Cisco's Systems Network Architecture (SNA) configuration courses. · With the third form, you access the services of WAN providers using protocols that connect peer devices. This form uses High-Level Data Link Control (HDLC) or PPP encapsulation on the peer devices. An introduction to PPP follows this section. This third form of WAN access can use DDR as a trigger for the Cisco router to make a WAN call. For example, a router uses DDR statements when local user traffic needs to set up an ISDN call over a WAN so it can access a remote network. An introduction to DDR follows later in this chapter.

327 WAN Frame Format Summary
Frame formats (figure): PPP: Flag | Address | Control | Protocol | LCP or other protocol data | FCS | Flag, where a Link Control Protocol (LCP) packet is itself Code | Identifier | Length | Data. Cisco HDLC: Flag | Address | Control | Proprietary type | Data | FCS | Flag. SDLC and LAPB: Flag | Address | Control | Data | FCS | Flag. These formats assume framing on dedicated WAN facilities. The frame formats for SDLC and Link Access Procedure, Balanced (LAPB) are very similar. SDLC is IBM's bit-synchronous data-link protocol and a primary ancestor of serial framing. It supports legacy IBM networks. LAPB, used by X.25, is a nonproprietary standard from ITU-T (formerly the CCITT) derived from HDLC. HDLC is the popular ISO-standard bit-oriented data-link protocol that encapsulates data on synchronous serial data links. Frame Relay also uses a variation of HDLC. HDLC does not inherently support multiple protocols on a single link because it has no standard way to indicate which protocol it is carrying. The Cisco HDLC frame uses a proprietary type field that acts as a protocol field. This makes it possible for multiple network-layer protocols to share the same serial link. PPP extends the basic HDLC frame by incorporating a protocol field. The protocol field identifies the protocol encapsulated in the information field of the frame. The Link Control Protocol (LCP) used by PPP provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection. LCP serves much the same function as logical link control (LLC) in the LAN protocols. This course deals mainly with the WAN frame formats for PPP and HDLC. Serial connections use similar WAN framing. However, the field differences between the framing types make it necessary to specify the framing needed, unless the serial line default, Cisco HDLC, is sufficient; the two ends of a link must agree, because a Cisco HDLC end cannot decode PPP frames or the reverse.
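As an added example (written for this page; not Cisco code), the following Python builds and checks a PPP frame in the HDLC-like framing of RFC 1662, computes the 16-bit FCS that closes the frame, and decodes the LCP header (code, identifier, length, data) when the protocol field says LCP. The protocol numbers and LCP codes are the standard IANA/RFC 1661 values; byte stuffing of 0x7D escapes is left out so that the field layout stays visible, and every frame it handles is constructed in the block.

```python
# Added example, written for this page (not Cisco code): building and checking a
# PPP frame in the HDLC-like framing of RFC 1662, including the FCS-16 that the
# slide lists as "FCS", and decoding the LCP header (code, identifier, length, data)
# when the protocol field says LCP. Byte stuffing (0x7D escapes) is left out to keep
# the framing visible. All frames below are constructed; none come from a real link.

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8            # RFC 1662 constants

# PPP protocol field values from the IANA PPP numbers registry.
PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk",
             0x8021: "IPCP", 0x802B: "IPXCP", 0xC021: "LCP",
             0xC023: "PAP", 0xC223: "CHAP"}
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             9: "Echo-Request", 10: "Echo-Reply"}


def fcs16(data, fcs=FCS_INIT):
    """RFC 1662 FCS-16: reflected CRC with polynomial 0x8408, initial value 0xFFFF.
    Returns the running register, not yet complemented."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol, info):
    """Flag | Address | Control | Protocol | Information | FCS | Flag."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + bytes(info)
    fcs = fcs16(body) ^ 0xFFFF                   # one's complement, sent low byte first
    return bytes([FLAG]) + body + bytes([fcs & 0xFF, fcs >> 8, FLAG])


def parse_frame(frame):
    """Check flags, FCS and the fixed Address/Control bytes, then split out the
    protocol number and information field. Raises ValueError on a bad frame."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame not delimited by 0x7E flags")
    body = frame[1:-1]
    if fcs16(body) != FCS_GOOD:                  # CRC over data + FCS leaves the 'good' residue
        raise ValueError("FCS check failed")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("address/control must be FF 03")
    protocol = int.from_bytes(body[2:4], "big")
    return {"protocol": protocol,
            "name": PROTOCOLS.get(protocol, "unknown"),
            "info": body[4:-2]}


def frame_is_valid(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def flip_bit(frame, index, mask=0x01):
    """Copy of the frame with one bit changed, to show the FCS catching it."""
    out = bytearray(frame)
    out[index] ^= mask
    return bytes(out)


def parse_lcp(info):
    """LCP packet: Code (1) | Identifier (1) | Length (2, covers the whole packet) | Data."""
    if len(info) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = info[0], info[1], int.from_bytes(info[2:4], "big")
    if length != len(info):
        raise ValueError("LCP length %d does not match %d bytes present" % (length, len(info)))
    return {"code": code, "type": LCP_CODES.get(code, "other"),
            "id": ident, "data": info[4:]}


def lcp_echo_request(ident, magic):
    """Echo-Request carrying the sender's 4-byte Magic-Number (loop detection)."""
    data = magic.to_bytes(4, "big")
    return bytes([9, ident]) + (4 + len(data)).to_bytes(2, "big") + data


if __name__ == "__main__":
    frame = build_frame(0xC021, lcp_echo_request(ident=3, magic=0xDEADBEEF))
    print("wire:", frame.hex())
    decoded = parse_frame(frame)
    print(decoded["name"], parse_lcp(decoded["info"]))
```

The FCS is an error-detection code, not an integrity check against an attacker: anyone who can write to the line can recompute it. What PPP offers beyond the FCS is the LCP authentication phase (PAP or CHAP) described later in this chapter.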

328 Point-to-Point Protocol

329 An Overview of PPP
Figure: PPP encapsulation carrying TCP/IP, Novell IPX and AppleTalk through their NCPs; link setup and control through LCP. Developers on the Internet designed PPP to make the connection for point-to-point links. Originating with RFCs in the late 1980s, PPP replaces limited or proprietary protocols for asynchronous or synchronous dial-up connections. PPP uses its Network Control Protocols (NCPs) component to encapsulate multiple protocols. This use of NCPs surpasses the limits of PPP's predecessor Serial Line IP (SLIP), which could only set up transport for IP packets. PPP uses another of its major components, the LCP, to negotiate and set up control options on the WAN data link. In short, PPP can carry packets from several protocol suites using NCPs, and controls the setup of several link options using LCP.

330 Layering PPP Elements: PPP, a data link with network-layer services
Figure: network layer (IP, IPX and other Layer 3 protocols) over the Network Control Protocols (IPCP, IPXCP and many others), over the Link Control Protocol (authentication and other options), over synchronous or asynchronous physical media. PPP uses a layered architecture. With its lower-level functions, PPP can use synchronous physical media like those that connect ISDN and asynchronous physical media like those that use basic telephone service for modem dial-up connections. PPP offers a rich set of services that control setting up a data link. These services are options in LCP and are primarily negotiation and checking frames to implement the point-to-point controls an administrator specifies for the call. With its higher-level functions, PPP carries packets from several network-layer protocols in NCPs. These are functional fields containing standardized codes to indicate the network-layer protocol type that PPP encapsulates.

331 PPP LCP Configuration Options
Feature: how it operates: protocol
Authentication: require a password: PAP
Authentication: perform a challenge handshake: CHAP
Compression: compress data at the source, reproduce it at the destination: Stacker or Predictor
Error detection: monitor data dropped on the link: Quality
Error detection: avoid frame looping: Magic Number
Multilink: load balancing across multiple links: Multilink Protocol (MP)
RFC 1548 (since superseded by RFC 1661) describes PPP operation and LCP configuration options. Cisco routers that use PPP encapsulation include the LCP options shown in the table. · Authentication options require that the calling side of the link present information to help ensure the caller has the network administrator's permission to make the call. Peer routers exchange authentication messages. The two alternatives are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). · Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor. · Error-detection mechanisms with PPP enable a process to identify fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. · Cisco IOS Release 11.1 and later support multilink PPP. This alternative provides load balancing over the router interfaces that PPP uses. Packet fragmentation and sequencing, as specified in RFC 1717 (since superseded by RFC 1990), splits the load for PPP and sends fragments over parallel circuits. In some cases, this "bundle" of multilink PPP pipes functions as a single logical link, improving throughput and reducing latency between peer routers.

332 Configuring PPP
Router(config-if)# encapsulation ppp
Defines the encapsulation type as PPP.
Router(config-if)# ppp authentication pap
Sets password checking for incoming calls.
Router(config-if)# ppp authentication chap
Forces incoming calls to answer password challenges.
Router(config)# username name password secret-pwd
Sets the host name and password used for call verification.
The commands shown relate to the PPP configurations most commonly used for ISDN on Cisco routers. Note: The administrator may use PAP or CHAP on a PPP link. PAP exchanges clear-text passwords between the calling and called sides of the link, so anyone tapping the line reads the password directly. CHAP is a more sophisticated process that authenticates the caller without disclosing the password on the link: the caller proves knowledge of the shared secret by answering a random challenge. CHAP is less vulnerable to line taps and is generally preferred because it provides better security. Whichever is used, the username entries hold the secrets in the router configuration, so protect configuration files and backups accordingly.

333 Monitoring PPP
dtp-19# show interface bri0 1
BRI0: B-Channel 1 is up, line protocol is up
  Hardware is BRI
  MTU 1500 bytes, BW 64 Kbit, DLY usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive not set
  lcp=OPEN multilink=OPEN ipcp=OPEN
  Last input 0:05:51, output 0:05:52, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Output queue: 0/64/0 (size/threshold/drops)
     Conversations 0/1 (active/max active)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     15 packets input, 804 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     14 packets output, 806 bytes, 0 underruns
     0 output errors, 0 collisions, 19 interface resets, 0 restarts
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
When PPP is configured, you can check its LCP and NCP states using the show interfaces command. In the example, the administrator used this command to monitor the Basic Rate Interface (BRI); the lcp, multilink and ipcp fields all show OPEN, so the link, the multilink option and the IP NCP are up. When CHAP is enabled, a remote device (a PC, workstation, router or access server) attempting to connect to the local access server is requested, or "challenged," to respond. The challenge consists of an identifier, a random number, and either the host name of the local access server or the name of the user on the remote device. This challenge is transmitted to the remote device. The required response consists of two parts: · A one-way hash (MD5, as RFC 1994 specifies) computed over the identifier, the shared secret password, and the random number · Either the host name of the remote device or the name of the user on the remote device
When the local access server receives the challenge response, it verifies the secret by looking up the name given in the response and performing the same hash operation. The secret passwords must be identical on the remote device and the local access server, and both sides must store them in usable (not one-way hashed) form, which is why the configuration files deserve the same protection as the link. Because only the hash is transmitted, the secret itself never crosses the link, which prevents other devices from capturing it and gaining unauthorized access. A tap that records a challenge and its response can still test guesses offline against that pair, so the secret should be long and random and each challenge must be fresh. Without the proper response, the remote device cannot connect to the local access server.
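As an added example (written for this page; not Cisco code), the following Python walks through the CHAP exchange just described with the response computed as RFC 1994 specifies (MD5 over identifier, secret and challenge value), puts a PAP Authenticate-Request next to it to show the difference a line tap sees, and demonstrates the offline guessing that a captured challenge/response pair allows against a weak secret. The router names and secrets are made up; the secrets dictionary stands in for the IOS username entries.

```python
# Added example, written for this page (not Cisco code): the CHAP exchange the
# text describes, with the response computed as RFC 1994 specifies
# (MD5 over identifier, secret, challenge value), PAP beside it for contrast,
# and the offline guessing a line tap makes possible against weak CHAP secrets.
# Router names and secrets below are made up.

import hashlib
import hmac
import os


def chap_challenge(authenticator_name, ident, value=None):
    """Authenticator -> peer: Challenge packet {Identifier, Value, Name}.
    The Value must be unpredictable and different every time (16 random bytes here)."""
    return {"id": ident & 0xFF,
            "value": value if value is not None else os.urandom(16),
            "name": authenticator_name}


def chap_response(challenge, peer_name, secret):
    """Peer -> authenticator: MD5(Identifier || secret || Value). The secret
    itself never appears in the packet, only this 16-byte digest."""
    digest = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return {"id": challenge["id"], "value": digest, "name": peer_name}


def chap_verify(challenge, response, secrets):
    """Authenticator side: look up the secret configured for the responder's
    name ('username <name> password <secret>' on IOS) and recompute the hash.
    Both sides must hold the same secret in usable (not one-way hashed) form."""
    secret = secrets.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return hmac.compare_digest(expected, response["value"])


def pap_request(peer_name, password):
    """PAP Authenticate-Request: Peer-ID and Password travel in the clear."""
    return {"peer_id": peer_name, "password": password}


def secret_on_wire(packet, secret):
    """What a line tap learns: does the secret appear in any packet field?"""
    return any(isinstance(v, bytes) and secret in v for v in packet.values())


def offline_guess(challenge, response, candidates):
    """With a captured Challenge/Response pair an eavesdropper can test guesses
    offline; a weak secret falls to a word list even though it was never sent."""
    for guess in candidates:
        if chap_verify(challenge, response, {response["name"]: guess}):
            return guess
    return None


if __name__ == "__main__":
    stored = {b"RouterB": b"s3cret-example"}          # RouterA's username database
    chal = chap_challenge(b"RouterA", ident=7)
    resp = chap_response(chal, b"RouterB", b"s3cret-example")
    print("CHAP accepted:", chap_verify(chal, resp, stored))
    print("CHAP leaks secret:", secret_on_wire(resp, b"s3cret-example"))
    print("PAP leaks secret:",
          secret_on_wire(pap_request(b"RouterB", b"s3cret-example"), b"s3cret-example"))
    print("offline guess:", offline_guess(chal, resp, [b"cisco", b"password", b"s3cret-example"]))
```

The identifier check in chap_verify is what ties a response to the challenge it answers; the constant-time comparison avoids leaking the digest byte by byte through timing. The offline_guess function is the caveat: CHAP keeps the secret off the wire, but it does not stop an eavesdropper from trying a word list against a recorded exchange, so the strength of the secret still matters.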

334 Dial-on-Demand Routing

335 An Overview of DDR
(Diagram: an "interesting" packet arrives at the router; the router's serial interface S0 dials through a DCE device across the public switched telephone or ISDN network to the remote site.)
Use for low-volume, periodic traffic
Connect remote sites only when traffic dictates
Start DDR for telephone calls with the command dialer in-band (this is not needed for ISDN calls)
With dial-on-demand routing, the router opens the wide-area connection only when there is traffic that needs to be transmitted. The context for using DDR involves infrequent or intermittent traffic to and from remote sites. DDR uses a WAN facility such as asynchronous dial-in access or ISDN. Compared to the traffic using LAN or campus-based networking, the traffic that uses DDR is typically low volume and periodic.
There are two ways to start DDR. If you will be using a public switched telephone service, start DDR by entering the dialer in-band command. This sets up the proper call operations between the router and a DCE device such as an external modem. The call setup uses the same bandwidth that data will use after the call is made. If you are using an ISDN service, there is no need for the dialer in-band command. As you will see later, the ISDN call setup uses an out-of-band channel that is different from the channels that bear data. The ISDN alternative is featured in this course.
To identify the traffic that should be transmitted, you specify the packets that the DDR processes on the router will interpret as "interesting" traffic. Specify static routes to the remote sites on links that DDR will use. This prevents routing updates from crossing the DCE and the Public Switched Telephone Network (PSTN) cloud. Unlike routing updates on a LAN or campus, WAN traffic increases the charges billed by the WAN service provider.

336 DDR Configuration Overview
(Diagram: the DDR interface, S0 or BRI0, belongs to a dialer group; commands define the interesting traffic, direct the call and traffic to the group interface, and set the DDR call parameters.)
Define interesting traffic to trigger call
Direct call and traffic to dialer-group interface
Make and control call with DDR-configured parameters
The previous page gave a high-level introduction to DDR. This page summarizes the configuration steps to follow when configuring DDR.
· Enter configuration commands that indicate which protocol packets constitute interesting traffic to initiate the call. Choose between two approaches:
  - Indicate that all packets in a specified protocol are sufficient to make the call.
  - Set access list statements that identify the source and destination addresses and choose specific protocol selection criteria for initiating the call.
· Establish the interfaces where the DDR call initiates. This step designates a dialer group. The dialer group associates the results of the first step with the router's interfaces.
· Include information about the call. This information might include:
  - The carrier-provided number to use when initiating the call sequence.
  - One or more configuration-parameter statements to synchronize the router's calls with the operational requirements of the CO switch. Examples include:
    · Should bandwidth be set to 56 kbps, or is the default 64 kbps appropriate?
    · Does the switch require any pauses or other adjustments for call processing?
    · How long should the line be idle before dropping the call?

337 Define Interesting Traffic for DDR
Router(config)# dialer-list dialer-group protocol protocol-name [permit | deny | list access-list-number]
Triggers call by protocol, or by protocol and access list
Assigns previous access list expressions to the dialer group used by DDR interface(s)
DDR uses two ways to specify the interesting packets that trigger the dialer to make a call. The first way uses the list form of the dialer-list global command. It applies an access list to a specified dialer group. The access list can be any IP or IPX access list, including standard, extended, and IPX service access point (SAP) access lists. The second way uses the protocol form of the dialer-list command. With this method, you specify a protocol, or a combination of a protocol and a previously defined access list. Packets that match no dialer-list statement are not interesting and never trigger a call.
Command element      Description
dialer-group         Specifies the number of the dialer group. Later, this dialer-group number associates specific interfaces with the dialer list.
protocol-name        Specifies the protocol for packets to be considered for DDR. Choices include ip, ipx, appletalk, decnet, and vines.
permit | deny        Optional entry to specifically permit or deny an entire protocol for DDR; if the field is not entered, traffic is permitted by default.
list                 Specifies that an access list will define permit or deny at a granularity finer than the entire protocol.
access-list-number   The access list number specified for the protocol. For example, access list 120 specifies an extended IP access list.

338 Place Interface in the Dialer Group
Router(config-if)# dialer-group group-number
Makes the interface part of a group of interfaces
Associates the interface with the dialer list
For interesting packets, DDR directs the call and the packets to the appropriate interface in the dialer group
Use the dialer-group command to assign an interface to a dialer access group. This connects the interface you are configuring to the access list statements that identify interesting protocol traffic.
Command element   Description
group-number      Specifies the number of the dialer group to which the interface belongs. The group number can be an integer from 1 to 10.
When interesting packets arrive (as specified by the dialer-list command), DDR triggers a call on the appropriate dialer-group interface. When call setup finishes, DDR routes the interesting packets out this interface.

339 Set DDR Call Parameters with Map
Router(config-if)# dialer map protocol next-hop-address [name hostname] [speed 56|64] [broadcast] [dial-string]
Defines how to reach a DDR destination
next-hop-address: the recipient's protocol address
name hostname: (optional) host name of the remote system
speed 56|64: (optional) line speed for the TDM circuit
broadcast: (optional) indicates that broadcasts are forwarded
dial-string: (optional) phone number of the next hop, sent to the dialing device for interesting traffic
Use the dialer map command to define one or several dial-on-demand numbers for a particular interface.
Command element    Description
protocol           Must be ip, ipx, or appletalk.
next-hop-address   Address of the next-hop router.
name               An identification generally used for PPP authentication (PAP or CHAP) or some other calling-line identifier of the far-end router. It can also help associate a number from one provider coming in from another provider (for example, two PTTs having different identification numbers).
dial-string        ISDN dial string sent to the V.25 bis DCE device when packets with the specified next-hop address are received. The character string passed to the V.25 bis device comes from the WAN service provider. It can be any number or format that works for the specific provider.
The dialer map command must be used with the dialer-group command and its associated access list to initiate dialing.

340 Other Call Control Parameters
Router(config-if)# dialer wait-for-carrier-time seconds
Specifies the time to wait for the carrier to come up
Router(config-if)# dialer idle-timeout seconds
Specifies the idle time before circuit disconnect
The dialer wait-for-carrier-time command specifies the number of seconds the router waits for the WAN service provider to bring the call up after it initiates. Because the time for call initiation can vary, a larger value accommodates the delay (for example, when making worldwide interconnections).
The dialer idle-timeout command specifies the number of idle seconds before a call is disconnected. When an interface in a dialer group receives an interesting packet, it resets the idle counter; uninteresting packets are forwarded over an established call but do not reset the counter. The call is not disconnected until the idle-seconds threshold on the dialer-group interface is reached.

341 DDR Example for ISDN
(Diagram: an "interesting" packet arrives; the router's BRI0 calls, through a DCE device speaking Q.921, the called number of Branch 1 across the ISDN network.)
! (Prior global configuration commands specify switch and static routes)
access-list 111 deny ip any
access-list 111 permit ip any
dialer-list 1 protocol ip list 111
!
interface bri 0
 ip address
 dialer-group 1
 dialer map ip name branch1 speed
 dialer idle-timeout 300
In the example, DDR operates over ISDN. For the ISDN Basic Rate Interface (BRI) call, the configuration statements assume that the ISDN details of switch type and static routes to the destination have already been set up.
Command                            Description
access-list 111 deny ip any ...    Denies packets using IP from any source to the specific destination named in the statement. No IP broadcast will be interesting traffic that causes a DDR call.
access-list 111 permit ip any ...  Permits packets using IP from any other source to any other destination to be interesting for causing a DDR call.
dialer-list 1 protocol ip list 111 Assigns dialer group number 1 as the dialer group that the dialer-group interfaces will use for IP traffic calls triggered by access list 111.
dialer-group 1                     Makes BRI0 part of the dialer group. Calls triggered by access list 111 can use this dialer-group 1 interface.
dialer map ip ... name branch1 speed 64 ...  Sets the BRI0 call parameters: maps the next-hop address to the remote host name branch1 (the static route to branch1 points at this next hop), uses 64 kbps, and uses the dial string to make the BRI call.
dialer idle-timeout 300            Sets an optional call parameter for BRI0: if the idle-seconds threshold on the BRI reaches 300 seconds, DDR disconnects the call.

342 Summary
A WAN subscriber must know how to interface customer premises equipment to the provider service
Mapping associates the Layer 3 address with the WAN media-dependent address
PPP sets a data-link encapsulation capable of transmitting packets from multiple protocols
DDR enables "as-needed-only" use of expensive WAN links by triggering calls based on traffic-type lists

343 Configuring ISDN BRI

344 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
State a relevant use and context for ISDN networking
Identify ISDN protocols, function groups, reference points, and channels
Relate Point-to-Point Protocol (PPP) and dial-on-demand routing (DDR) functions to ISDN
Describe Cisco's implementation of ISDN BRI
Configure an ISDN call, open a circuit, and pass data over an interface
Monitor and analyze ISDN operation through the router

345 ISDN BRI Overview

346 Using ISDN Services
Uses higher-quality end-to-end digital facilities
Sets up calls faster than basic telephone service
Carries varied feeds (for example, packets, voice, video)
Meets demand for telecommuting bandwidth
Improves Internet response (especially for WWW)
Integrated Services Digital Network (ISDN) is a complex call-processing system that allows telephone networks to carry voice, data, and other source material in the same all-digital communication stream. It features much faster call setup, using out-of-band signaling, than modem connections. For example, less than 1 second can be sufficient to make some ISDN calls. Once a call is up, ISDN can carry a variety of user-traffic feeds. The ISDN model shows ISDN providing access to all-digital facilities for video, telex, packet-switched data, and enriched telephone network services. ISDN users access bearer (B) channel services at 64 kbps, much faster than the common modem alternatives of 14.4 kbps. With multiple B channels, ISDN offers users more WAN bandwidth than they receive with a leased line at 56 kbps in North America or 64 kbps in much of the rest of the world. ISDN is fast becoming the transport of choice for applications using remote connectivity, access to the Internet, and the World Wide Web (WWW). Before the tremendous growth in these applications, many in the United States believed ISDN was a solution looking for a problem.

347 Routing over ISDN
(Diagram: IP, IPX, AppleTalk and other network-layer protocols ride over ISDN with HDLC or PPP encapsulation, and the ISDN interface can in turn connect to X.25, Frame Relay and other WANs.)
All major protocols can use ISDN
Choose one encapsulation option
Connect to other WANs
Once an ISDN call has been established, the router can use an ISDN cloud to carry any of the network-layer protocols supported by the Cisco IOS software to multiple destinations. As its configured encapsulation, ISDN defaults to High-Level Data Link Control (HDLC). Alternately, a network administrator can select PPP. This choice enables the PPP Challenge Handshake Authentication Protocol (CHAP), a popular, standards-based method for call screening. Among the other encapsulations for end-to-end ISDN is Link Access Protocol on the D Channel (LAPD). Although the ISDN call can statistically multiplex packets from several higher-layer protocols, ISDN interfaces allow only a single encapsulation type.
If the end-to-end path for user traffic interconnects with an X.25 or Frame Relay service, the administrator specifies the WAN encapsulation choices for these two services that will use the ISDN interface. This selection facilitates internetworking between the traffic passed from the ISDN cloud and these other WAN services.

348 Obtaining ISDN Services
Many providers and switch types
Because ISDN originated in the research forums of CCITT and Bell Labs, developers planned a model for integrated services that users would access on a limited set of standard, multipurpose, user-to-network interfaces. However, ISDN implementation does not guarantee seamless, end-to-end connectivity. ISDN providers use a variety of different switch types for their ISDN services. Services offered by the national Post, Telephone, and Telegraphs (PTTs) or other carriers vary considerably from nation to nation or region to region. The good news is that ISDN services worldwide are increasing their offerings while decreasing their prices. The bad news is that you must know the switch type used at the central office (CO) serving your network. You specify it during configuration so your router can place ISDN network-level calls and send data. Following is a sample of countries and the ISDN switch types you are likely to encounter in your provider's ISDN cloud.
Country                    Switch Type
United States and Canada   AT&T 5ESS and 4ESS; Northern Telecom DMS-100
France                     VN2, VN3
Germany                    1TR6
Australia                  TS013
Japan                      NTT
United Kingdom             Net3 and Net5

349 ISDN Functions/Reference Points
(Diagram: TE1 attaches at the S/T reference point to the NT1; a TE2 attaches at the R reference point to a TA, which attaches at S/T to the NT1; the NT1 connects over the U reference point to the LT, and the LT over V to the ET.)
Functions are devices or hardware functions
Reference points characterize the different interfaces
To access ISDN, you must provide functions and reference points that comply with ISDN service provider standards. By using these functions and reference points, you can improve communication with vendors and service providers while you engineer, install, and support your ISDN facilities.
· Functions: device types or hardware functions that represent transition points between the reference-point interfaces. The following table defines the basic ISDN device or hardware acronyms and their functions.
Acronym  Device Name             Device Function
TA       Terminal Adapter        Converts RS-232, V.35, and other signals into BRI signals.
TE1      Terminal Endpoint 1     Designates a device, such as a router, that has a native ISDN interface.
TE2      Terminal Endpoint 2     Designates a device, such as a router, that requires a TA to produce BRI signals.
NT1      Network Termination 1   Converts BRI signals into the form used by the ISDN digital line.
LT       Local Termination       Portion of the local exchange that terminates the local loop.
ET       Exchange Termination    Portion of the exchange that communicates with other ISDN components.
· Reference points: CCITT has defined the ISDN local loop as a series of interfaces. The standards call these key reference points R, S, T, U, and V.

350 Router Connections to ISDN
(Diagram: a router with a native ISDN interface (TE1) connects at the S/T reference point to the NT1, which terminates the local loop (U) to the CO; a router with a non-ISDN interface (TE2), for example EIA/TIA-232, V.35 or X.21, connects at the R reference point to a terminal adapter, which in turn connects to the NT1.)
Example of a native interface: int bri 0
Example of a non-native ISDN interface: int s 0
NT1 physically terminates the local loop
Network administrators must add one or more devices to their router to access ISDN BRI. ISDN service providers specify that these devices must perform standardized functions that they designate with two- or three-letter acronyms. To find out which ISDN devices you need to connect to ISDN, check your router. Look on the back of your router to determine whether your router needs a TA.
· If you see a connector labeled "BRI," you already have a Basic Rate Interface. With a native ISDN interface built in, your router is a TE1, and it already contains the ISDN TA function.
· If you do not see a connector labeled "BRI," your router has a non-native ISDN interface and is a TE2. Usually this is a serial interface labeled "S0." You need to obtain an external TA device and attach it to the serial interface to provide a BRI interface.
In either case, you must obtain an external NT1. An NT1 terminates the local loop of wires to the CO of your ISDN provider. Work with your service provider to determine exactly what you need and where to obtain it.

351 Cisco ISDN Features
Multiprotocol support
Available on several router series
SNMP support with ISDN MIB
Group multiple bearer channels
Bandwidth on demand
Optional incoming call screening
PPP with compression options
Service only when needed by using DDR
As you saw earlier, ISDN provides WAN transport for all major network-layer protocols. ISDN also works with other WAN services such as X.25 and Frame Relay. Cisco offers a broad range of ISDN products, including several router models that contain native ISDN interfaces. Administrators can use an SNMP-based network management application to control the ISDN interfaces; routers use an ISDN Management Information Base (MIB) and can act as managed objects. The multiple, independent B channels on router ISDN configurations transmit data at the standard 64-kbps (DS0) rate, or you can configure them for 56-kbps facilities. The bandwidth-on-demand option allows a preestablished load threshold to add available B-channel resources to an ISDN call; this DDR dialer load condition could, for example, add a DS0 on demand. Another option on Cisco routers is to preestablish table entries on a destination router to provide incoming ISDN call screening. The destination (or called) router acts on entries that specify which calls from a source (or calling) router the destination will accept. PPP encapsulation offers improved capabilities for standards-based access to the Internet, among them access control and compression methods. DDR improves the cost-effective use of ISDN by setting the conditions that make the ISDN call, then dropping the call once the link is no longer needed.

352 Dial-on-Demand Routing for ISDN
(Diagram: 1. an interesting packet arrives; 2. the router uses the host ID and dial string; 3. the BRI or PRI, through its NT1 or DSU/CSU, places the call to the ISDN service provider; 4. the circuit-switched call reaches the remote destination, behind its own NT1 or DSU/CSU.)
1. Interesting packet arrives
2. Use host ID and dial string
3. Make outgoing call to ISDN switch
4. Access circuit-switched destination
ISDN operates with DDR. You identify a BRI in a DDR access group and specify the protocol list (or access list) statements to check for "interesting" traffic. You can use different list settings to designate interesting traffic mapped for other DDR destination routers. For this periodic-use environment, specify static routes so that routing updates, which the service provider can bill for, are not exchanged across the ISDN cloud. DDR commands map a host ID and dialer string to initiate setup of an ISDN call for interesting traffic. The router then makes an outgoing call from its BRI through the ISDN NT1. If you use an external TA, it must support V.25 bis dialing; the calling details for these devices come from dialer commands. ISDN end stations now use this static route to transmit packet traffic. When no more interesting traffic is transmitted over the ISDN call, the idle timer is no longer reset; after the idle timeout occurs, the call disconnects.

353 Configuring BRI

354 ISDN Channels for BRI Are 2B+D
Channel  Capacity  Mostly used for
B        64 kbps   Circuit-switched data (HDLC, PPP)
D        16 kbps   Signaling information (LAPD)
BRI is used globally for ISDN services
BRI is sometimes written as 2B+D. This interface provides two bearer channels at 64 kbps and an additional 16-kbps signaling channel. The B channels can be used for digitized speech transmission or for relatively high-speed data transport. Narrowband ISDN is circuit-switching oriented; the B channel is the elemental circuit-switching unit. The D channel carries signaling information (call setup) to control calls on the B channels at the user-network interface. In addition to carrying signaling information, the D channel can carry low-rate subscriber packet data, such as alarm systems; Cisco routers do not currently use this facility. Traffic over the D channel uses the LAPD data-link protocol, which is based on HDLC. Call setup follows the ITU-T Q.931 recommendation for call control.

355 ISDN Configuration Tasks
Global configuration
  Select switch type
  Specify traffic to trigger DDR call
Interface configuration
  Select interface specifications
  Configure ISDN addressing
  Optional feature configuration
You must specify global and interface parameters to prepare the router for operation in an ISDN environment. The graphic outlines the high-level tasks used for both BRI and PRI configuration. Later in this chapter, syntax and specific examples show the configuration differences for these two interfaces.
Global tasks:
· Select the switch that matches the ISDN provider's switch at the CO. This requirement is necessary because, despite standards, signaling specifics differ regionally and nationally.
· Set destination details. Indicate static routes from the router to other ISDN destinations.
· Establish the criteria for interesting packets in the router that initiate an ISDN call to the appropriate destination.
Interface tasks:
· Select interface specifications. Specify the interface type BRI and the number for this ISDN BRI port. For PRI, the interface task description occurs later in this chapter. The interface uses an IP address and subnet mask.
· Configure ISDN addressing with DDR dialer information and any ID supplied by the ISDN service provider. Indicate that the interface is part of the dialer group using the interesting packets set globally. Additional commands place the ISDN call to the appropriate destination.
Following interface configuration, you can define optional features, including the time to wait for the ISDN carrier to respond to the call and the seconds of idle time before the router times out and drops the call.

356 Selecting the ISDN Switch Type
Router(config)# isdn switch-type switch-type
Specifies the type of ISDN switch with which the router communicates
Other line configuration requirements vary for specific providers
Use the isdn switch-type global command to specify the CO switch to which the router connects. For BRI ISDN service, the switch type can be one of the following:
Switch Type    Description
basic-5ess     AT&T basic rate switches (USA)
basic-dms100   Northern Telecom DMS-100 (North America)
basic-ni1      National ISDN-1 (North America)
basic-1tr6     German 1TR6 ISDN switches
basic-nwnet3   Norwegian Net3 switches
basic-nznet3   New Zealand Net3 switches
basic-ts013    Australian TS013 switches
basic-net3     NET3 switches in the United Kingdom and Europe
ntt            NTT ISDN switch (Japan)
vn3            French VN3 ISDN switches
none           No specific switch specified

357 Specifying Traffic to Trigger Call
Router(config)# dialer-list dialer-group protocol protocol-name [permit | deny | list access-list-number]
Router(config-if)# dialer-group group-number
Router(config-if)# dialer map protocol next-hop-address [name hostname] [speed 56|64] [broadcast] [dial-string]
These commands configure the dial-on-demand calls that will initiate a connection. They are a review from the previous chapter, which discussed dial-on-demand routing.

358 Selecting Interface Specifications
Router(config)# interface bri interface-number
Selects the interface for ISDN BRI operation
Router(config-if)# encapsulation {ppp | hdlc}
Selects the framing for ISDN BRI
The interface bri interface-number command designates the interface used for ISDN on a router acting as a TE1. If the router does not have a native BRI (that is, it is a TE2 device), it must use an external ISDN terminal adapter; on a TE2 router, use the command interface serial interface-number instead.
Use the encapsulation ppp command if you want PPP encapsulation for your ISDN interface. This is the case if you want any of the rich LCP options that PPP offers (for example, CHAP authentication). You must use PPP PAP or CHAP if you will receive calls from more than one dial-up source, because a router that accepts calls from several peers needs the authenticated name to tell them apart. To revert from PPP encapsulation to the default, use the encapsulation hdlc command.

359 Setting SPIDs if Necessary
Router(config-if)# isdn spid1 spid-number [ldn]
Sets the Service Profile Identifier (SPID) for the first B channel, required by many service providers
Router(config-if)# isdn spid2 spid-number [ldn]
Sets the SPID for the second B channel
Several ISDN providers use ISDN switches that operate on dial-in numbers called Service Profile Identifiers (SPIDs). These switches include National ISDN-1 and DMS-100 ISDN switches, as well as the AT&T 5ESS multipoint switch. The local SPID number is supplied by the service provider. Use the isdn spid1 and isdn spid2 commands so that your router can access the ISDN network when it makes its call to the local ISDN exchange.
Command element  Description
spid-number      Number identifying the service to which you have subscribed. This value is assigned by the ISDN service provider.
ldn              (Optional) Local directory number. This number must match the called-party information coming in from the ISDN switch in order to use both B channels on most switches.

360 Configuring for a Simple ISDN Call
(Diagram: Cisco A, with interfaces E0 and BRI0, connects through an NT1 to the ISDN network; Cisco B, with interfaces E0 and T0, connects through its own NT1.)
Use PPP encapsulation
All IP traffic to destination triggers ISDN call
Carrier uses AT&T basic rate switch
Service provider assigns connection parameters
Here is an example of how you can combine the commands described on the previous pages to set up DDR and ISDN. DDR is configured to connect Cisco A to Cisco B. The network between the ISDN interfaces of the two routers uses 8 bits of subnetting. Static route statements define the IP route to the Cisco B LAN interfaces; because the routes are static, IP packets initiate a call but no IGRP routing updates cross the link. Interesting traffic for DDR must be defined in a dialer list, with or without an access list; here all IP traffic is interesting. The number dialed is that of the remote ISDN device. This number is provided by the Regional Bell Operating Company (RBOC) offering the ISDN service. Cisco B (the next-hop router to the destination networks) has subnets 126 and 29 directly connected.

361 BRI Simple Configuration Example
! set up switch type, static route and dialer for ISDN on Cisco A
isdn switch-type basic-5ess
ip route
dialer-list 1 protocol ip permit
!
! Configure BRI interface for PPP; set address and mask
interface bri 0
 encapsulation ppp
 ip address
 ! Refer to protocols in dialer-list to identify interesting packets
 dialer-group 1
 ! Select call start, stop, and other ISDN provider details
 dialer wait-for-carrier-time 15
 dialer idle-timeout 300
 isdn spid
 ! Call setup details for router
 dialer map ip name cisco-b 445
In the example:
Command                           Description
isdn switch-type basic-5ess       Selects the AT&T 5ESS switch as the CO ISDN switch for this router.
dialer-list 1 protocol ip permit  Associates all IP traffic with dialer group 1. The router will not start an ISDN call for any other packet traffic with dialer group 1.
interface bri 0                   Selects the interface with the TA and other ISDN functions on the router.
encapsulation ppp                 Uses PPP encapsulation on the selected interface.
dialer-group 1                    Associates the bri 0 interface with dialing access group 1.
dialer wait-for-carrier-time 15   Specifies a 15-second maximum time for the provider to respond once the call initiates.
dialer idle-timeout 300           Number of seconds of idle time before the router drops the ISDN call. Note that a long duration is configured to delay termination.
dialer map ip                     Name of the protocol, followed by the destination address.
name cisco-b                      An identification for the remote-side (called) router.
445                               ISDN connection number used to reach this DDR destination.

362 Optional Interface Configuration
Apply extended access lists for call trigger
Enable caller ID screening
Select rate adaptation
Establish subaddresses
Specify multilink PPP
The first category of advanced ISDN configuration applies a more specific set of conditions for the DDR call trigger, using extended access list conditions. The second category applies additional interface functions desired or required by the ISDN situation:
· Use access lists for call triggers.
· Filter inbound call setups with caller ID screening.
· Enable rate adaptation if calls are placed at a speed lower than 64 kbps.
· Establish subaddressing on multipoint devices, and create dialer map statements if subaddresses are required.
· Implement multilink PPP for better bandwidth use.

363 Extended Access List ISDN Calls
(Diagram: cisco-a's BRI0 connects through an NT1 to the ISDN service provider, which reaches two other NT1-attached sites, including cisco-b.)
On cisco-a, allow all IP traffic except Telnet and IGRP to trigger an ISDN call to the destination
Allow only IP traffic to all other destinations
Carrier uses Northern Telecom DMS-100 switch
Service provider assigns ID, timers, and dial string
This example shows how you can combine the commands described in the previous material on DDR to set up an extended access list that triggers an ISDN call. It uses many of the same commands you saw for configuring a simple ISDN call. DDR is configured on router cisco-a to connect with cisco-b for all IP traffic except Telnet and IGRP routing updates. The details of what is interesting to DDR are defined in an access list. The RBOC offering the ISDN service uses a Northern Telecom DMS-100 switch, so the configuration uses SPIDs. The service provider supplies the other details you must use when you configure your router for ISDN.

364 BRI Access List Example
isdn switch-type basic-dms100
ip route
! Set up conditions for call to cisco-b: only IP but not for telnet or IGRP
access-list 101 deny tcp eq 23
access-list 101 deny igrp
access-list 101 permit ip
dialer-list 2 list 101
!
! Interface details follow
interface bri 0
 ip address
 ! In group that refers to access statements in dialer-list for call trigger
 dialer-group 2
 dialer wait-for-carrier-time 15
 dialer idle-timeout 300
 isdn spid1
 isdn spid2
 ! Call setup details for router and NT1
 dialer map ip name cisco-b 945
In the example:
Command                       Description
access-list 101 deny ...      Selects an extended IP access list with a from-address on router A (a to-address on router B). Denies TCP traffic to port 23 so that Telnet packets will not trigger DDR with this configuration. The next statement keeps IGRP from triggering an ISDN call.
access-list 101 permit ...    Selects the same extended IP access list with a from-address on router A (and a to-address of any network). All IP traffic not denied by the prior statements is permitted. Other protocol packets are implicitly denied, so they will not trigger DDR calls with this configuration.
dialer-list 2 list 101        Sets up control for automatic DDR dialing. Dialer group 2 connects the access list 101 conditions with the following dialer-group command.
dialer-group 2                Associates the router's interface bri 0 with the group that uses the dialer list and access list 101 statements.
isdn spid1                    Sets the SPID, as specified by the service provider, for the first B channel of the ISDN line.
isdn spid2                    Sets the SPID for the second B channel on the ISDN line.
dialer map ip ... name cisco-b 945  Defines the call string 945 for permitted IP traffic to the destination on a cisco-b interface.
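The dialer-list and access-list decision from slides 337, 341 and 364, together with the idle timer from slide 340, as one added example in Python; it is not code from the original slides or from Cisco IOS. The addresses (10.1.0.0/16 behind cisco-a, 10.2.0.0/16 behind cisco-b), the packet trace and the 300-second idle timeout are constructed; the slides leave the real addresses out. The model follows the IOS semantics the slides rely on: the first matching access list entry wins, the list ends in an implicit deny, a protocol without a dialer-list statement is never interesting, and uninteresting packets ride an established call but do not reset the idle timer.

```python
"""Interesting traffic (dialer-list / access-list) and the DDR idle timer.
Added example, not from the slides or Cisco IOS; networks, packets and timers
are constructed (10.1.0.0/16 behind cisco-a, 10.2.0.0/16 behind cisco-b)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    protocol: str             # routed protocol: "ip", "ipx", "appletalk", ...
    ip_proto: str = "ip"      # IP packets only: "tcp", "udp", "icmp", "igrp", ...
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dport: Optional[int] = None

@dataclass
class AclEntry:
    """One extended IP access list line, e.g. 'deny tcp A B eq 23'."""
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every IP protocol
    src: str = "0.0.0.0/0"    # CIDR here; IOS writes wildcard masks
    dst: str = "0.0.0.0/0"
    eq: Optional[int] = None  # destination port for 'eq'

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.ip_proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.eq is None or pkt.dport == self.eq))

def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First match wins; no match at all is the implicit deny."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False

class DialerList:
    """dialer-list N protocol P {permit | deny | list ACL}, one object per group."""
    def __init__(self) -> None:
        self.rules = {}

    def protocol(self, name, action="permit", acl=None) -> "DialerList":
        self.rules[name] = (action, acl)
        return self

    def interesting(self, pkt: Packet) -> bool:
        if pkt.protocol not in self.rules:
            return False                   # no statement for this protocol
        action, acl = self.rules[pkt.protocol]
        return acl_permits(acl, pkt) if acl is not None else action == "permit"

class DdrInterface:
    """A dialer-group interface: dials on interesting traffic, idles out."""
    def __init__(self, dialer_list: DialerList, idle_timeout: int) -> None:
        self.dialer_list, self.idle_timeout = dialer_list, idle_timeout
        self.up, self.last_interesting = False, 0

    def offer(self, pkt: Packet, now: int) -> str:
        if self.dialer_list.interesting(pkt):
            self.last_interesting = now    # only interesting traffic resets the timer
            if self.up:
                return "forward"
            self.up = True
            return "dial"
        return "forward" if self.up else "drop"   # uninteresting traffic never dials

    def tick(self, now: int) -> str:
        if self.up and now - self.last_interesting >= self.idle_timeout:
            self.up = False
            return "disconnect"
        return "up" if self.up else "down"

# Constructed equivalent of slide 364: access-list 101 and dialer-list 2 list 101.
ACL_101 = [
    AclEntry("deny", "tcp", "10.1.0.0/16", "10.2.0.0/16", eq=23),  # no Telnet
    AclEntry("deny", "igrp"),                                      # no IGRP updates
    AclEntry("permit", "ip", "10.1.0.0/16"),                       # all other IP
]
DIALER_LIST_2 = DialerList().protocol("ip", acl=ACL_101)

def run_trace() -> List[Tuple[int, str]]:
    """Replay a constructed packet trace against bri 0 with dialer idle-timeout 300."""
    bri0 = DdrInterface(DIALER_LIST_2, idle_timeout=300)
    telnet = Packet("ip", "tcp", "10.1.1.5", "10.2.1.1", 23)
    igrp = Packet("ip", "igrp", "10.1.1.1", "255.255.255.255")
    http = Packet("ip", "tcp", "10.1.1.5", "10.2.1.1", 80)
    events = [
        (0, "telnet", bri0.offer(telnet, 0)),          # not interesting, link down
        (1, "igrp", bri0.offer(igrp, 1)),              # not interesting, link down
        (2, "http", bri0.offer(http, 2)),              # interesting: dial
        (100, "telnet", bri0.offer(telnet, 100)),      # rides the call, timer untouched
        (250, "tick", bri0.tick(250)),                 # 248 s idle, still up
        (302, "tick", bri0.tick(302)),                 # 300 s idle: disconnect
        (310, "ipx", bri0.offer(Packet("ipx"), 310)),  # no dialer-list for IPX
    ]
    return [(t, f"{what}:{result}") for t, what, result in events]

if __name__ == "__main__":
    for t, event in run_trace():
        print(f"t={t:>3}s {event}")
```

Running the trace shows why the slides insist on static routes: an IGRP update that matched the permit statement would count as interesting, reset the idle timer at every update interval, and keep a billable call up indefinitely. The slide uses the older dialer-list 2 list 101 form; on later IOS releases the same binding is written dialer-list 2 protocol ip list 101.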

365 Caller Identification Screening
(Diagram: router A, ISDN number 1234, calls router B; the call setup message carries the calling number 1234, and router B compares it with its allowed numbers before accepting the call.)
Extra level of call management
Call not set up (and charged) until acceptance
Alternative: PPP encapsulation and CHAP
Calling line identification screens incoming ISDN calls. The calling number supplied in the call setup request is verified against a table of allowed numbers. This feature prevents charges for calls from unauthorized numbers. Caller ID screening is only available from providers that deliver the calling number in the setup request.
Note: As a preferred alternative, PPP encapsulation enables PAP or CHAP. This allows an administrator to control access to ISDN if caller ID is not used. You must use CHAP if your router receives incoming ISDN calls from multiple destinations on the same subnet.

366 Configuring Call Screening
Router(config-if)# isdn caller number
Enables caller ID screening: only calls from the listed calling numbers are accepted

Router(config-if)# isdn answer1 [called-party-number]
Router(config-if)# isdn answer2 [called-party-number]
Set the called-party number(s) to which the interface responds in a call request

Use the isdn caller command to specify the numbers from which calls are accepted. Use the isdn answer1 or isdn answer2 command to specify the numbers to which the interface will respond in a call request. That number is the called-party number, which is supplied by the ISDN network; it should not be mistaken for the number the router uses to initiate a call.

isdn answer1 called-party-number : Number supplied in the call setup request. Some service providers require that both isdn answer1 and isdn answer2 be specified.
isdn answer2 called-party-number : Sets a second called-party number to which the interface responds.
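The following BRI configuration is an added example, not part of the course slides, showing the two screening layers the slide describes side by side: isdn caller rejects calls whose calling number is not listed, and PPP with CHAP authenticates the peer that does get through. Every hostname, ISDN number, IP address and password below is invented for illustration; the provider assigns the real numbers.

```cisco
! Added example (not from the course slides). Names, numbers, addresses and
! secrets are hypothetical.
hostname cisco-a
!
! CHAP peer database: each remote must prove it knows its shared secret.
! Store these encrypted in the running configuration rather than in clear text.
service password-encryption
username cisco-b password s3cr3t-b
username cisco-c password s3cr3t-c
!
isdn switch-type basic-dms100
!
interface bri 0
 ip address 10.9.9.1 255.255.255.0
 encapsulation ppp
 ! Authenticate the caller with CHAP; works even when the network delivers no caller ID
 ppp authentication chap
 ! Screening on the CALLING number delivered by the ISDN network.
 ! A call from any other number is rejected before it is answered (and before it is charged).
 isdn caller 5551001
 isdn caller 5551002
 ! Respond only to calls placed to our own numbers (CALLED party number)
 isdn answer1 5552001
 isdn answer2 5552002
 ! The authenticated CHAP name, not the line, selects which dialer map the call belongs to
 dialer map ip 10.9.9.2 name cisco-b broadcast 5551001
 dialer map ip 10.9.9.3 name cisco-c broadcast 5551002
 dialer-group 1
 dialer idle-timeout 300
!
! Any IP packet may bring the line up; restrict with an access list as on the previous slide if needed
dialer-list 1 protocol ip permit
```

The two mechanisms fail differently: isdn caller depends entirely on the carrier delivering the calling number, so a provider that omits it leaves the interface open to any caller, while CHAP holds regardless of what the network signals. Running both costs nothing and keeps an unauthenticated call from ever being answered.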

367 Multilink PPP Operation
LCP option negotiation: MRRU
Bundle

Multilink PPP works over any interface that supports DDR rotary groups and PPP, including ISDN, synchronous, and asynchronous interfaces. During PPP's LCP option negotiation, a system indicates to its peer that it is willing to multilink by sending the maximum received reconstructed unit (MRRU) option as part of the initial LCP option negotiation. Multilink systems must be able to do the following:
· Combine multiple physical links into one logical bundle.
· Receive and reassemble upper-layer protocol data units (PDUs).
· Receive PDUs of a negotiated size.
After the LCP negotiation has completed, the remote destination must be authenticated, and a dialer map with the remote system name must be configured. The authenticated username or caller ID is used to determine which bundle to add the link to.

368 Configuring Multilink PPP
Router(config-if)# ppp multilink
Enables multilink on the rotary group

Router(config-if)# dialer load-threshold load [outbound | inbound | either]
Brings up links and adds them to the bundle

The ppp multilink interface configuration command enables multilink on a rotary group. The rotary group must be using PPP encapsulation. The maximum number of links in a bundle is the number of physical interfaces (or ISDN B channels) that belong to the dialer or ISDN interface. Standard DDR configuration for load balancing should be in place before configuring multilink.
The dialer load-threshold command lets a rotary group bring up further links and add them to a multilink bundle once the interface load crosses the given threshold. The command has been extended so that the threshold can be judged against any of the following:
· Outbound traffic only (default)
· Inbound traffic only
· The maximum of either inbound or outbound traffic
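As an added example (not taken from the course slides), here two BRI interfaces are pooled into one dialer rotary group so that Multilink PPP can bundle up to four B channels toward a single CHAP-authenticated peer, with the load threshold deciding when extra channels are dialed. The hostnames, numbers, addresses and secret are invented.

```cisco
! Added example (not from the course slides). All names, numbers and addresses are hypothetical.
hostname cisco-a
service password-encryption
username cisco-b password s3cr3t-b
isdn switch-type basic-dms100
!
! Standard DDR lives on the dialer interface, which owns the rotary group.
interface dialer 1
 ip address 10.9.9.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ! Multilink on the rotary group; the authenticated name "cisco-b" picks the bundle
 ppp multilink
 ! Dial another B channel when the busier direction exceeds 128/255 (about 50%) utilization
 dialer load-threshold 128 either
 dialer map ip 10.9.9.2 name cisco-b broadcast 5551001
 dialer idle-timeout 300
 dialer-group 1
!
! Physical members carry no Layer-3 address; they are placed in the rotary group
! and must use the same PPP settings so each new channel joins the bundle.
interface bri 0
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 ppp authentication chap
 ppp multilink
!
interface bri 1
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 ppp authentication chap
 ppp multilink
!
dialer-list 1 protocol ip permit
```

With this layout the bundle can grow to four links (two BRIs, two B channels each). Because the bundle is keyed on the CHAP name, a caller that fails authentication never gets a link added, which is why the slide insists the remote must be authenticated before the dialer map is consulted.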

369 Summary
One signaling channel and multiple data channels
ISDN has two operational modes:
 BRI on the Cisco 100, 2500, 3000, and 4x00 series
 PRI on the Cisco 7x00 and 4x00 series
You may need an external TA; you will need an external NT1 or CSU/DSU
Set parameter values for attaching as specified for the ISDN-provider switch
Use standard DDR commands for making an ISDN call
Caller ID screening provides security
Multilink PPP provides load balancing

370 Configuring X.25

371 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
 Describe the X.25 protocol stack
 Describe key features of X.25
 Configure X.25 on router interfaces
 Monitor X.25 operation in the router

372 X.25 Overview

373 An Introduction to X.25
(Figure: two LANs, each running its own LAN protocol, joined by a virtual circuit through the X.25 cloud.)
Protocols carried over X.25 virtual circuits: IP, AppleTalk, Novell IPX, Banyan VINES, XNS, DECnet, ISO-CLNS, Apollo, compressed TCP, bridging

X.25 is a standard that defines the connection between a terminal and a packet-switching network. X.25 offers the closest approach to worldwide data communication available: virtually every nation uses some X.25-addressable network. X.25 originated in the early 1970s. The networking industry commonly uses the term X.25 to refer to the entire suite of X.25 protocols.
Engineers designed X.25 to transmit and receive data between alphanumeric "dumb" terminals over analog telephone lines. X.25 enabled dumb terminals to remotely access applications on mainframes or minicomputers. Because modern desktop applications needed LAN-to-WAN-to-LAN data communication, engineers designed newer forms of wide-area technology, Integrated Services Digital Network (ISDN) and Frame Relay (also covered in this module). In many situations these newer WANs complement or extend, rather than replace, X.25.
Many different network-layer protocols can be transmitted across X.25 virtual circuits (VCs). The result is "tunneling": datagrams or other Layer 3 packets are carried within X.25 Layer 3 packets. Each Layer 3 packet keeps addressing that is legal for its own protocol, while the X.25 VC transports the packet across the WAN.

374 X.25 Protocol Stack
OSI reference model versus the X.25 protocol:
 Layers 7-4 (Application, Presentation, Session, Transport): not defined by X.25
 Layer 3 (Network): X.25 packet layer
 Layer 2 (Data Link): LAPB
 Layer 1 (Physical): physical

The X.25 packet-switching protocol suite corresponds to the lower three layers of the Open System Interconnection (OSI) model. In general, the internetworking world uses X.25 as an overengineered data link. Both X.25 at Layer 3 and Link Access Procedure, Balanced (LAPB) at Layer 2 provide reliability and sliding windows. Layers 3 and 2 were designed with strong flow control and error checking to reduce the need for these functions outside X.25.
X.25 evolved in the days of analog circuits, when error rates were much higher than today. For analog circuit technology at Layer 1 it is more efficient to build more reliability into the network at the hardware level. With digital or fiber-optic technologies the error rates have dropped dramatically, and newer technologies such as Frame Relay take advantage of this by providing a stripped-down "unreliable" data link.
X.25 was designed in the days of alphanumeric terminals and computing on central time-sharing computers, when demands on the packet switch were lower than today. Complex applications on desktop workstations demand more bandwidth and speed. Newer technologies such as ISDN and X.25 over Frame Relay add packet-switching capability.

375 X.25 DTE and DCE
(Figure: the public data network (PDN) with an X.25 DCE switch at each edge and an X.25 DTE router at each subscriber site.)
X.25 DTE: usually a subscriber's router or PAD
X.25 DCE: usually a PDN's switch or concentrator

Data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for X.25 identify the responsibilities of the two stations on an X.25 attachment. The X.25 protocol implements virtual circuits between the X.25 DTE and the X.25 DCE. Although the terms DTE and DCE occur at all three of the layers associated with the X.25 stack, the use shown in the graphic identifies responsibilities independent of the physical-layer DTE/DCE.
The X.25 DTE is typically a router or a packet assembler/disassembler (PAD). The X.25 packet-level DCE typically acts as a boundary function to the public data network (PDN) within a switch or concentrator. The X.25 switch at the carrier site may also be called data switching equipment (DSE). X.25's use of DTE/DCE terminology differs from the usual physical-layer interpretation.
The way X.25 traffic is carried within the carrier cloud depends on the implementation. In some cases X.25 is also used within the cloud.

376 X.25 (X.121) Addressing Format
Data Network Identification Code: 4 decimal digits
Network Terminal Number: up to 10 or 11 decimal digits
Addressing set by the service provider

The format of X.25 addresses is defined by the ITU-T X.121 standard.
· The first four digits specify the Data Network Identification Code (DNIC). This field is the country code and provider number assigned by the ITU.
· The remaining 8 to 10 or 11 digits specify the network terminal number (NTN) assigned by the packet-switched network (PSN) provider.
Private X.25 networks may assign addresses that best fit their network architecture. Only decimal digits are legal in X.121 addresses. The router accepts an X.121 address with as few as 1 or as many as 15 digits. Some networks allow subscribers to use subaddresses (one or more digits after the assigned base address).

377 X.25 Address Resolution
(Figure: on Ethernet, ARP resolves a destination IP address to a MAC address; across X.25, a configured X.25 map resolves the next-hop IP address to an X.121 address.)

For different network protocols to connect across X.25, statements are entered on the router to map the next-hop network-layer address to an X.121 address. For example, an IP network-layer address is mapped to an X.121 address to identify the next-hop host on the other side of the X.25 network. This is logically equivalent to the LAN Address Resolution Protocol (ARP), which dynamically maps a network-layer address to a data-link MAC address. Maps are required for each protocol because ARP is not supported in an X.25 network. Mapping statements are a manual configuration step required when setting up X.25 on the router.

378 X.25 Encapsulation
X.25 data-link frame (LAPB) | X.25 header | IP datagram
Protocol datagrams are reliably carried inside X.25 frames

Movement of network-layer data through the internetwork usually involves encapsulation of datagrams inside media-specific frames. As each media frame arrives at the router and is discarded, the router analyzes the datagram and places it inside a new frame as it is forwarded. Similarly, in an X.25 environment the LAPB frame arrives at the router, which extracts the datagram from the packet or packets. The router discards the encapsulating frame and analyzes the datagram to identify the format and next hop. Based on the route determination, the router reencapsulates the datagram in framing suitable for the outgoing media as it forwards the traffic.

379 X.25 Virtual Circuits
Numbering for up to 4095 VCs per X.25 interface
Switched Virtual Circuits (SVCs)
Permanent Virtual Circuits (PVCs)

The term VC is used interchangeably with virtual circuit number (VCN), logical channel number (LCN), and virtual channel identifier (VCI). A VC can be a permanent virtual circuit (PVC) or, more commonly, a switched virtual circuit (SVC).
An SVC exists only for the duration of the session. There are three phases associated with SVCs:
· Call setup
· Information transfer
· Call clear
A PVC is similar to a leased line. Both the network provider and the attached X.25 subscriber must provision the virtual circuit. PVCs use no call setup or call clear that is apparent to the subscriber. Any provisioned PVCs are always present, even when no data traffic is being transferred.
The X.25 protocol offers simultaneous service to many hosts (that is, a multiplexed connection service). An X.25 network can support any legal configuration of SVCs and PVCs over the same physical circuit attached to the X.25 interface. However, configuring a large number of VCs over a serial interface may result in poor performance. X.25's original design aim assumed service for time-sharing and terminal-to-host applications, not contemporary computer-to-computer applications.

380 SVC Usage
(Figure: a router reaching a Novell host through several parallel SVCs.)
SVCs may be combined to improve throughput for a particular protocol
A maximum of eight SVCs per protocol per destination is allowed

Throughput for encapsulating a specific protocol can be improved by using multiple SVCs. Multiple SVCs provide a larger effective window size, especially for protocols that offer their own higher-layer resequencing. This combination of SVCs does not benefit traditional X.25 applications such as those available from a time-sharing host.

381 Single Protocol Virtual Circuits
(Figure: separate virtual circuits for Novell, TCP/IP and AppleTalk traffic to the same host.)
Each network-layer protocol is associated with its own virtual circuit
A maximum of eight SVCs per protocol per destination is allowed

The Cisco router's traditional encapsulation method lets different protocols transport their datagrams through an X.25 cloud because the router uses a separate virtual circuit for each. Each protocol is specified in an individual x25 map command that references the X.121 address used to reach the destination.

382 Multiprotocol Virtual Circuits
(Figure: Novell, TCP/IP and AppleTalk traffic sharing one virtual circuit to the same host.)
Multiple protocols are carried within a virtual circuit to a single destination
A maximum of nine protocols may be mapped to a host

In Cisco IOS Release 10.2 and later releases, a single virtual circuit to a host can carry traffic from multiple protocols. One x25 map statement contains several protocol addresses mapped to a single X.121 address associated with the destination host. This capability uses the method described in RFC. Each of the supported protocols can map to a destination host. Because routing multiple protocols over a VC generates higher traffic loads, combining SVCs as described earlier in this chapter may improve throughput.

383 Configuring X.25

384 X.25 Configuration Tasks Interface configuration
Select X.25 DTE or DCE encapsulation Configure parameters for X.25 network attachment Map protocol address to X.121 address Additional configuration steps When you select X.25 as a WAN protocol, you must set appropriate interface parameters. Interface tasks: · Define the X.25 encapsulation (DTE is the default). · Assign the X.121 address (usually supplied by the PDN service provider). · Define map statements to associate X.121 addresses with higher-level protocol addresses. Other configuration tasks can be performed to control data throughput and to ensure compatibility with the X.25 network service provider. Commonly used parameters include the number of VCs allowed and packet size negotiation. X.25 is a flow-controlled protocol. The default flow-control parameters must match on both sides of a link. Mismatches because of inconsistent configurations can cause severe internetworking problems.

385 X.25 Configuration
Router(config-if)# encapsulation x25
Router(config-if)# encapsulation x25 dce
Defines the encapsulation type

Router(config-if)# x25 address x.121-address
Establishes the interface address

Use the encapsulation x25 command to specify the encapsulation style to be used on the serial interface. The router can be an X.25 DTE, which is typical when the X.25 PDN is used to transport various protocols, or it can be configured as an X.25 DCE, which is typical when the router acts as an X.25 switch. The x25 address command defines the local router's X.121 address (one address per interface). The value specified must match the address designated by the X.25 PDN.

386 X.25 Configuration (cont.)
Router (config-if) # X25 map protocol address x.121-address [ options ] Specifies how a single protocol reaches a destination Router (config-if) # X25 map protocol address [ protocol2 address2 ] x.121/address [ options ] The x25 map command provides a static conversion of higher-level addresses to X.25 addresses. The command correlates the network-layer addresses of the peer host to the peer host's X.121 address. Command Description x25 map protocol Selects the protocol type. Supported protocols are: ip, xns, decnet, ipx, appletalk, vines, apollo, bridge, clns, and compressed tcp. address Specifies the protocol address (not specified for bridged or CLNS connections). x.121-address Specifies the X.121 address. Both the protocol address and the X.121 addresses are required to specify the complete network protocol-to-X.121 mapping. options (Optional) Used to customize the connection. Use the second x25 map statement only when trying to communicate with a host that understands multiple protocols over a single VC. This communication requires the multiprotocol encapsulations defined by RFC In the second x25 map command, the "*" means that a maximum of nine network protocol addresses may be associated with one host destination in a single configuration command. Bridging is not supported. Specifies how multiple protocols reach a single destination using one SVC

387 X.25 Configuration Example
IP Address: X.121 Address: IP Address: X.121 Address: S0 X.25 S0 Cisco A Cisco B Cisco B Cisco A Interface serial 0 encapsulation x25 x25 address ip address x25 map ip Interface serial 0 encapsulation x25 x25 address ip address x25 map ip In the example: Command Description encapsulation x25 Sets the encapsulation style on interface serial 0 to X.25 type. x25 address Establishes the X.121 address of serial 0. x25 map ip A Layer 3 protocol specified for address association. IP address that is mapped. The X.121 address of the host that defines the IP address. IP routing on Cisco A forwards datagrams destined for subnet to interface serial 0. The interface map identifies the destination to the X.25 cloud. In this typical configuration, Cisco A tries to establish an SVC to Cisco B using its X.121 source address and a destination X.121 address of when it sends packets to Upon receipt of the setup request, Cisco B identifies the remote IP address from the source X.121 address and accepts the connection. Once the SVC is connected, each router uses it as a point-to-point data link for the identified destination. The two X.25 attachments need complementary map configurations to establish the VC that will encapsulate IP datagrams.
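The slide's two-router example with the values filled in, as an added example rather than the course's own configuration; it also uses the multiprotocol map form and the nvc option from the preceding slides so that one SVC carries both IP and IPX. The X.121 addresses, IP and IPX addresses and the option values are invented for illustration; a real PDN assigns the X.121 addresses.

```cisco
! Added example (not from the course slides). X.121, IP and IPX addresses are hypothetical.
!
! ---- Cisco A ----
hostname cisco-a
ipx routing
interface serial 0
 ip address 10.20.30.1 255.255.255.0
 ipx network 30
 ! DTE is the default encapsulation on a subscriber router
 encapsulation x25
 ! Our own X.121 address as assigned by the PDN
 x25 address 311082100001
 ! One map, two protocols, one SVC to Cisco B (multiprotocol encapsulation).
 !   broadcast: routing updates are sent over this VC as well
 !   nvc 2:     up to two parallel SVCs to widen the effective window
 x25 map ip 10.20.30.2 ipx 30.0000.0c00.00b2 311082100002 broadcast nvc 2
!
! ---- Cisco B ----
hostname cisco-b
ipx routing
interface serial 0
 ip address 10.20.30.2 255.255.255.0
 ipx network 30
 encapsulation x25
 x25 address 311082100002
 ! The complementary map: Cisco B identifies the caller by the source X.121 address
 x25 map ip 10.20.30.1 ipx 30.0000.0c00.00a1 311082100001 broadcast nvc 2
```

The maps must mirror each other: Cisco B accepts the incoming call only because the source X.121 address 311082100001 appears in one of its own map statements, so a typo in either X.121 address leaves the SVC unestablished even though both interfaces are up.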

388 X.25 Additional Configuration Tasks
Configure the interface for X.25 Layer 3 parameters:
 Virtual circuits
 Packet size
 Window size
 Window modulus

It may be necessary to perform additional configuration steps so that the router will work correctly with the service provider network. The crucial X.25 parameters are:
· Virtual circuit range: incoming, two-way, and outgoing
· Default packet sizes: input and output
· Default window sizes
· Window modulus

389 Configuring X.25 VC Ranges
Range Default Command PVCs x25 pvc circuit 1-4095 svc Incoming only x25 lic circuit DCE initiated x25 hic circuit Two-way x25 ltc circuit x25 htc circuit Outgoing only x25 loc circuit DCE initiated x25 hoc circuit This table summarizes additional configuration tasks for virtual circuit number assignment. The complete range of virtual circuits can be allocated to PVCs or SVCs depending on your requirements. SVCs are commonly used. If both limits of a range are zero, the range is unused. The circuit numbers must be assigned so that an incoming range comes before a two-way range, both of which come before an outgoing range. Any PVCs must take a circuit number that comes before any SVC range. The following numbering scheme lists the proper order for these virtual circuit number assignment commands: 1 <= PVCs < (lic <= hic) < (ltc <= htc) < (loc <= hoc) <= 4095 (Where lic is low incoming circuit number, hic is high incoming circuit number, ltc is low two-way circuit number, htc is high two-way circuit number, loc is low outgoing circuit number, and hoc is high outgoing circuit number.) X.25 ignores any events on a VC number not in an assigned VC range; it considers the out-of-range VC as a protocol error. The network administrator specifies the VC ranges for an X.25 attachment. For correct operation, the X.25 DTE and DCE must have identically configured ranges. Numbers configured for any PVCs must also agree on both sides of an attachment (not necessarily end to end).

390 Configuring X.25 Packet Sizes
Router(config-if)# x25 ips bytes
Specifies the default incoming packet size
Router(config-if)# x25 ops bytes
Specifies the default outgoing packet size

The x25 ips and x25 ops commands set the default maximum input and output packet sizes. The input and output values should match unless the network supports asymmetric transmission.
x25 ips/ops bytes : Maximum packet size assumed for VCs that do not negotiate a size. Supported values are powers of two: 16, 32, 64, 128, 256, 512, 1024, 2048 and one size larger. The default is 128 bytes.
If the two stations of an X.25 attachment disagree on the VC's maximum packet size, the VC is unlikely to work.

391 Configuring Window Parameters
Router (config-if) # Router (config-if) # X25 win packets x25 wout packets Specifies default unacknowledged packet limits Router (config-if) # X25 modulo modulus Use the x25 win/wout command to set the default window size. The window size specifies the number of packets that can be received/sent without sending/receiving an acknowledgment. Both ends of an X.25 link must use the same default window size. The x25 modulo command specifies the packet numbering modulus. It affects the maximum number of window sizes. The x25 modulo command specifies the data packet numbering modulo. Modulo 8 is widely used and allows virtual circuit window sizes up to 7 packets. Modulo 128 is rare, but allows VC window sizes up to 127 packets. Both ends of an X.25 link must use the same modulo. Command Description x25 win/wout packets Packet window size, assumed for VCs that do not negotiate a size. Range is one to one less than the modulus. The default is two packets. x25 modul modulus Either 8 or 128. Defines packet-level window counter limit

392 X.25 Additional Configuration Example
 interface serial 0
  encapsulation x25
  x25 address
  x25 ips 1024
  x25 ops 1024
  x25 win 7
  x25 wout 7

An X.121 address is assigned to interface serial 0, and the input and output packet and window sizes are defined. In the example:
x25 address : Specifies the X.121 address of the interface.
x25 ips/ops 1024 : Sets both the input and output default packet size to 1024 bytes to match the values defined for the network attachment.
x25 win/wout 7 : Sets both the input and output window sizes to 7 packets to match the values defined for the network attachment.
The typical default packet size provided worldwide by PDNs is 128 bytes. In the United States and Europe, default packet sizes of 1024 bytes are common, and other countries can also provide larger packet sizes. The Layer 3 default maximum packet size is subject to the limit that the lower layers are able to support.

393 Monitoring X.25
Router# show interfaces serial 0
Serial0 is up, line protocol is up
  Internet address is , subnet mask is
  MTU 1500 bytes, BW 56 Kbit, DLY 2000 usec, rely 255/255, load 1/255
  Encapsulation X25, loopback not set
  LAPB DCE, state CONNECT, modulo 8, k 7, N1 , N2 20
      T1 3000, interface outage (partial T3) 0, T4 0
      VS 1, VR 1, Remote VR 1, Retransmissions 0
      IFRAMEs / RNRs 0/0 REJs 0/0 SABM/Es 3/2 FRMRs 0/0 DISCs 0/0
  X25 DCE, address , state R1, modulo 8, timer 0
      Defaults: cisco encapsulation, idle , nvc 1
        input/output window sizes 2/2, packet sizes 128/128
      Timers: T10 , T11 180, T12 60, T13 60, TH 0
      Channels: Incoming-only none, Two-way , Outgoing-only none
      RESTARTs 3/3 CALLs / /0+0 DIAGs 0/0
  Last input 0:00:00, output 0:00:00, output hang never
 -- More --

Use the show interfaces command to display status and counter information about an interface. This serial interface has its encapsulation type configured for X.25 operation. The output from this command also displays LAPB information.

394 Summary
X.25 defines the lower three layers of the OSI model
LAPB is the data-link protocol
Tunneling of other protocols inside X.25 is supported
To configure an X.25 interface you must:
 Define the interface encapsulation
 Set critical parameter values for attaching to the PDN
 Configure the interface X.121 address
 Define any protocol-to-X.25 mapping

395 Configuring Frame Relay

396 Objectives
Upon completion of this module, you will be able to perform the following tasks:
 Describe Cisco's implementation of Frame Relay
 Recognize key Frame Relay terms and features
 List the commands to configure Frame Relay LMIs, maps, and subinterfaces
 List the commands to monitor Frame Relay operation in the router

397 Frame Relay Overview

398 Introduction to Frame Relay
(Figure: DTE routers at each edge of the cloud, DCE Frame Relay switches inside it, PVCs identified by DLCIs, and the Local Management Interface (LMI) running between router and switch.)
Permanent virtual circuits (PVCs) are identified by data-link connection identifiers (DLCIs)

Frame Relay operates like a streamlined, speeded-up descendant of X.25. In many industrialized countries, Frame Relay has been replacing the more complex, slower packet-switching services. Regional Bell Operating Companies (RBOCs), alternate WAN carriers, and Post, Telephone, and Telegraph (PTT) providers have widely deployed a digital communication infrastructure that operates inside the WAN cloud. At the same time, end-user devices at the edge of the WAN cloud increasingly demand wide-area connections that provide higher transmission speeds, lower network delays, and efficient bandwidth for bursty data.
Frame Relay is based on virtual circuits (VCs). Because of its relatively high-speed throughput and minimal overhead, Frame Relay is well suited to connecting LANs across a WAN. Because the router encapsulates upper-layer data in Frame Relay, it provides a DTE connection to the communications cloud's DCE, which is a Frame Relay switch.
Frame Relay operates over permanent virtual circuits (PVCs). This means that connections are static, provisioned by a configuration statement. Multiple PVCs can interconnect DTEs across the Frame Relay network to a destination. A data-link connection identifier (DLCI) identifies each PVC. The DLCI is the main addressing mechanism through which the router's Frame Relay support reaches the Frame Relay WAN service.
Local Management Interface (LMI) refers to the overhead processing that sets up and maintains the connection between the router and the switch. It carries information about PVC setup, status inquiries, and keepalive exchanges, as well as DLCI usage.

399 Frame Relay Stack
OSI reference model versus Frame Relay:
 Layers 7-3 (Application through Network): not defined by Frame Relay
 Layer 2 (Data Link): Frame Relay
 Layer 1 (Physical): physical

The core aspects of Frame Relay function at the lower two layers of the OSI reference model. Using modern physical-layer facilities such as fiber media and digital transmission links, Frame Relay offers higher-speed WAN transmission for end stations, typically on LANs. Working at the data link layer, Frame Relay encapsulates information from the upper layers of the OSI stack.
Frame Relay operations share some features with older WAN packet switching such as X.25. For example, a Frame Relay interface between the user and the network equipment transmits and receives frames using first-in, first-out (FIFO) queuing on a statistically multiplexed circuit. Several logical connections, described as virtual circuits, can share the same physical link. However, unlike X.25, Frame Relay offers a relatively high-speed, streamlined service:
· Transmission speeds for Frame Relay span a wide range of data rates. Typically, a Frame Relay link transmits data at 56 kbps or 64 kbps, with T1/E1 (up to 2 Mbps) becoming common; Digital Signal 3 (DS-3) speed (45 Mbps) is available from some service providers.
· Frame Relay's streamlined service functions as a "best-effort" unreliable link, assuming that improved digital or fiber facilities allow it to forgo time-consuming error-correction algorithms, acknowledgment schemes, and flow-control corrections.

400 Frame Relay DLCI Assignment
(Figure: two routers joined through a Frame Relay switch; the left router's map entry ties the remote network address to DLCI 48.)
Get DLCIs from your Frame Relay provider
Each DLCI is locally significant: map your network addresses to DLCIs
A map entry amounts to a static route to the destination

This graphic takes a closer look at a Frame Relay DLCI in operation. Two routers are separated by a Frame Relay cloud. The channel service unit/digital service unit (CSU/DSU) is a common intermediary device used for digital circuit connection and line interfacing. The large Frame Relay switch in the cloud represents a Frame Relay service provider.
Frame Relay as a public service is typically deployed by telephone companies such as RBOCs in the data communication market. Frame Relay can also be a network of privately owned switches. In either case, the Frame Relay provider assigns the DLCI numbers the routers use to establish PVCs. DLCIs usually have local significance only, meaning that any locally available number can be used at each location. Certain DLCIs also carry special functions: DLCI 1023 is reserved for LMI use, and DLCIs 1019 to 1022 address multicast (one to several) as defined by the industry-common specification.
A network administrator maps an available, provider-assigned DLCI number to a network address. For example, an administrator might map the DLCI to the IP address of the interface on the right-hand router in the graphic. This mapping in the router points to a static route, which is the PVC to that remote router. Here, the administrator can configure a Frame Relay map for the right-hand router's address using the PVC identified as DLCI 48.

401 Configuring Frame Relay

402 Frame Relay Configuration
Router(config-if)# encapsulation frame-relay [ietf]
Sets Frame Relay encapsulation
Router(config-if)# frame-relay lmi-type {ansi | cisco | q933a}
Selects the LMI type

Use the encapsulation frame-relay command to specify the data-link encapsulation type on the serial interface that communicates with the Frame Relay network. Two data-link encapsulations are supported:
· The default is the Cisco encapsulation developed by the "gang of four". This default operates only with other Cisco routers.
· The Internet Engineering Task Force (IETF) encapsulation is specified in RFC 1294 (and its successor). This encapsulation allows interoperation with other vendors' routers.
The encapsulation can be specified for the whole interface, as shown here, or on a circuit-by-circuit basis, as shown in the next graphic. The standard Frame Relay encapsulation, as defined by the IETF, is derived from the Point-to-Point Protocol (PPP). The default encapsulation on the Cisco router is proprietary.
Use the frame-relay lmi-type command to select the LMI type. The router must be configured with signaling that matches the Frame Relay carrier's implementation. All standard LMI signaling formats are supported:
· ANSI: Annex D, defined by ANSI standard T1.617
· ITU-T (or q933a): Annex A, defined by Q.933
· Cisco: LMI defined by the "gang of four" (default)

403 Frame Relay Address Mapping
Router (config-if) # Frame-relay map protocol protocol-address DLCI [ broadcast ] [ ietf | cisco ] Defines how to reach a destination Use the frame-relay map command to statically map destination network protocol addresses to a designated DLCI. Command Description frame-relay map protocol Supported protocols: appletalk, clns, decnet, ip, xns, ipx, vines. protocol-address Address for the protocol. DLCI DLCI number of the virtual circuit. broadcast (Optional) Broadcasts should be forwarded when multicast is not enabled. ietf (Optional) Enables the IETF LMI. cisco (Optional) Enables the Cisco LMI (default). This command is used in configurations where the Inverse ARP protocol is not used to dynamically determine the network protocol address at the other end of a virtual circuit.

404 Nonbroadcast Multiaccess (NBMA)
DLCI 66 DLCI 48 DLCI 134 Frame Relay Network DLCI 110 DLCI 235 Subnet DLCI 77 One model for implementing Frame Relay in an internetwork is called nonbroadcast multiaccess (NBMA). The NBMA model makes all routers connected by virtual circuits peers on the same IP network or subnetwork. Because Frame Relay does not support broadcasting, the routers must copy all broadcasts and transmit on each virtual circuit. For routing protocols that allow split horizon to be turned off, full connectivity can be achieved in a partial mesh configuration. For protocols such as AppleTalk RTMP, which do not allow split horizon to be turned off, connectivity is restricted between routers that are directly connected by virtual circuits. All routers appear as peers on a single subnet Assumes configuration with fully meshed virtual circuits

405 Frame Relay Maps Example
Cisco A
 interface serial 0
  ip address
  !
  ! Enable frame relay, use the ANSI LMI
  encapsulation frame-relay
  frame-relay lmi-type ansi
  ! Note: for the alternate ietf encap, also use lmi-type ansi
  ! set up a static frame relay map - full mesh
  frame-relay map ip broadcast
  frame-relay map ip broadcast

In the example:
encapsulation frame-relay : Sets the encapsulation type to Cisco (default).
frame-relay lmi-type ansi : Selects the ANSI LMI.
frame-relay map ip ... 48 broadcast : ip is the higher-level protocol; the address being mapped follows; 48 is the DLCI used to reach the destination; broadcast allows broadcasts, such as routing updates, to be forwarded.

IP traffic destined for the mapped address uses DLCI 48 to cross the Frame Relay cloud. Interface serial 0 sends broadcast traffic as well as unicast IP traffic over that PVC. Cisco A is configured with a frame-relay map statement for every peer router. This example shows a fully meshed configuration with three routers. Because of the overhead of copying broadcasts to a large number of peer routers, it is important to limit the number of routers in an NBMA group.

406 Split Horizon and Frame Relay

[Figure: router A's S0 carries DLCI 16 to B, DLCI 17 to C and DLCI 22 to D. B: sending updates for C or D using S0 on A. A: do not send updates in from B on S0 back out on S0]

In an NBMA environment, routers trying to forward updates face another condition that can cause trouble. This condition comes from the operation of split horizon on a serial interface attached to WAN services. With split horizon, if a router learns a route from an interface, it does not propagate information about that route back out that same interface.

For Frame Relay, this condition applies for all routing protocols except those in the IP suite (for example, RIP, IGRP, Enhanced IGRP). Split horizon also applies to all service advertisements (for example, IPX SAP or GNS traffic, and AppleTalk ZIP updates).

If you map DLCIs from a serial interface, for example, S0 on router A, only updates from router A or to router A can traverse the S0 interface. If router B attempts to send updates for routers C or D through router A, then router A's split horizon process takes effect. Because the update comes in on S0, router A with split horizon will not allow it to go back out on S0.

If you map DLCIs from A's S0, only updates to or from A can route on that interface (that is, not B to C or D).

407 Full Mesh for Frame Relay

[Figure: routers A, B, C and D, each holding a DLCI to every one of the other three routers]

Because the split-horizon mechanism will not allow routers to send updates into and then out of the same interface, you could provision for connectivity by operating Frame Relay with a full mesh. This sets up a Frame Relay data link from every router to every other destination. Then at each router you configure a DLCI to each destination of that router.

However, this approach to connect routers over the Frame Relay WAN involves key disadvantages:
- The administrator must order many Frame Relay PVCs from the service provider. The service provider will need to install each provisioned PVC, and the enterprise will receive a bill for all charges. Then the enterprise faces ongoing, incremental bills for each PVC.
- The configuration at each router must contain mapping statements for each DLCI it uses. To represent all its Frame Relay destinations, the configuration of all routers using this full-mesh approach will require many map statements. This configuration might be difficult to set up and support.

Full connectivity using a full point-to-point mesh uses many PVCs and configuration statements.

408 An Alternative: Subinterfaces

[Figure: router A's single S0 to a serial line, with S0.1 for the DLCI to B, S0.2 for the DLCI to C and S0.3 for the DLCI to D]

An NBMA WAN environment needs to act like a LAN regarding its multiaccess operations. However, split horizon does not allow multiaccess updates into, and then out from, the same single serial line. Although routers need to get around split horizon for updates that use the WAN, the alternative of provisioning a full mesh may be impractical.

Another alternative establishes a number of virtual interfaces on a single physical serial interface. These virtual interfaces are logical constructs called subinterfaces. You define these logical subinterfaces on the serial line. Each subinterface uses a DLCI that represents the destination for a Frame Relay PVC on your network. After you configure the Frame Relay interface DLCI on the subinterface, your router must associate one or more protocol addresses from the destination to the DLCI.

Keep in mind that you have still defined only the single S0 physical interface on router A. However, on that single S0, you have now defined an S0.1 subinterface for the Frame Relay DLCI to router B, an S0.2 subinterface for router C, and an S0.3 subinterface for router D.

- Routers need to bypass split horizon on S0
- Define logical subinterfaces on the serial line

409 Partial Mesh for Frame Relay

[Figure: B: sending traffic for C or D using the serial line to A. A: can relay traffic in from B on S0.1, back out on S0.2, or back out on S0.3]

When you define logical subinterfaces on a single physical interface, Frame Relay operates using a partial-mesh design. To do so, you associate the DLCI for a destination to a subinterface. Use one DLCI and one subinterface for each destination router.

With subinterfaces configured, routers can connect with each other and send updates. Routers bypass the split horizon in effect for the single physical interface on router A's S0. As a result you can connect all routers without needing a separate Frame Relay PVC between each router. The overall configuration to accomplish these connections is much simpler: you no longer need a map statement for each protocol address on each destination of each router.

Map DLCIs with A's subinterfaces to connect all routers with fewer DLCIs and a simpler configuration.

410 Subinterface Configuration

Router (config) # interface type.subinterface-number point-to-point
Defines the logical subinterface for Frame Relay and enters the interface configuration mode

Router (config-if) # frame-relay interface-dlci dlci broadcast
Assigns a DLCI to the Frame Relay subinterface on the router

Before you can configure and use Frame Relay subinterfaces, you must first have a physical interface set up with encapsulation for Frame Relay. The commands and descriptions for Frame Relay subinterfaces follow. The first command defines the subinterface.

Command - Description:
- type - Any interface suitable for Frame Relay. Usually a serial interface.
- .subinterface-number - The number before the dot is the number of the physical interface; following the dot, the subinterface number is a unique integer on that interface.
- point-to-point - This required keyword specifies that the subinterface refers to a single Frame Relay destination; the alternative argument is multipoint.

The frame-relay interface-dlci command assigns a Frame Relay DLCI to the subinterface.
- dlci - The DLCI you designate to indicate the destination on the subinterface you defined with the first command.
- broadcast - Allows the subinterface to forward broadcasts, such as routing updates.

Follow these commands by defining a destination's network address that Frame Relay will represent using the DLCI.

411 Frame Relay with Subinterfaces

[Figure: router A's S0 into the Frame Relay network, with int S0.1 DLCI ipx address 4a1d c556.de33 and int S0.2 DLCI 48 ipx address 4a1d c566.de35]

When you configure subinterfaces and Frame Relay DLCIs, the network architecture that results uses a different subnet for the link on each subinterface, as the graphic shows.
- On router A, the subinterface S0.1 uses DLCI 110 on IP subnet (assuming 8 bits of subnet mask).
- For subinterface S0.2, DLCI 48 connects to

This design differs from the approach you saw earlier with point-to-point mapping for NBMA. In that configuration, all routers acted as peers on a single subnetwork. The configuration used fully meshed PVCs. However, when you use Frame Relay with subinterfaces, only the two routers on a PVC act as subnet peers. The Frame Relay configuration contains multiple subnetworks.

The DLCI on the subinterface represents one or more destination protocol addresses.
- On router A, DLCI 110 refers to the destination IPX network 4a1d.
- DLCI 48 refers to the destination IPX network 4c1d.

The next page shows the configuration commands used to implement this configuration. A full mesh is no longer necessary for full update connectivity. No Frame Relay facility directly connects the two routers on the right. Using this approach saves the organization the initial and ongoing expenses otherwise necessary with a full-mesh network.

Each Frame Relay subinterface uses its own subnet.

412 Subinterface Configuration Example

Cisco A
interface serial 0
 encapsulation frame-relay
 !
 ! The first of the two subinterfaces
interface s 0.1 point-to-point
 ! Assign the DLCI to the subinterface
 frame-relay interface-dlci 110 broadcast
 ! Indicate the destination protocol address for DLCI 110
 ipx network 4a1d
 ! The second subinterface on the S0 interface
interface s 0.2 point-to-point
 frame-relay interface-dlci 48 broadcast
 ipx network 4c1d

To configure Frame Relay subinterfaces, you start with the same commands you saw earlier. This example assumes that the Frame Relay LMI uses the default encapsulation cisco. In the example:

The interface s 0.n point-to-point command assigns a subinterface on the designated interface (S0).
- n - Subinterface number from 1 through
- point-to-point - Establishes the type of the subinterface.

The frame-relay interface-dlci nn broadcast command sets the DLCI to use on the subinterface.
- nn - Locally unique number from the DLCIs provided by the Frame Relay network service.
- broadcast - Indicates that broadcast traffic can use the DLCI to the destination.

The ipx network nnnn command sets the network number. The subinterface DLCI refers to this destination.
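The rules the last three slides lay down for subinterfaces (the physical interface must carry Frame Relay encapsulation, a point-to-point subinterface gets one DLCI, DLCIs are locally unique, and each subinterface needs a protocol address for its DLCI to represent) are easy to break in a large configuration. The following checker is an added example, not code from the course: it parses an IOS-style configuration and reports those mistakes. The SAMPLE_CONFIG is constructed after the Cisco A example above, with two deliberately wrong subinterfaces appended, and the set of address commands it recognises (ADDRESS_PREFIXES) is an assumption of the example.

```python
"""Lint a Cisco IOS Frame Relay subinterface configuration (added example).

SAMPLE_CONFIG is constructed for this example: serial 0.1 and 0.2 follow the
course's "Cisco A" example, serial 0.3 reuses a DLCI, and serial 1.1 has no
Frame Relay parent, two DLCIs and no protocol address.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface serial 0
 encapsulation frame-relay
!
interface serial 0.1 point-to-point
 frame-relay interface-dlci 110 broadcast
 ipx network 4a1d
!
interface serial 0.2 point-to-point
 frame-relay interface-dlci 48 broadcast
 ipx network 4c1d
!
interface serial 0.3 point-to-point
 frame-relay interface-dlci 48 broadcast
 ipx network 4d1d
!
interface serial 1.1 point-to-point
 frame-relay interface-dlci 16 broadcast
 frame-relay interface-dlci 17 broadcast
"""

IFACE_RE = re.compile(
    r"^interface\s+(\S+)\s+([\d.]+)(?:\s+(point-to-point|multipoint))?\s*$")
DLCI_RE = re.compile(r"^frame-relay interface-dlci\s+(\d+)")
# Protocol-address commands this checker recognises (assumption; extend as needed).
ADDRESS_PREFIXES = ("ip address", "ipx network", "appletalk address",
                    "appletalk cable-range")


def parse_config(text):
    """Return {(type, number): {"mode": ..., "lines": [...]}} in config order."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        m = IFACE_RE.match(line)
        if m:
            kind, number, mode = m.groups()
            current = (kind, number)
            interfaces[current] = {"mode": mode, "lines": []}
        elif current is not None:
            interfaces[current]["lines"].append(line)
    return interfaces


def lint_frame_relay(text):
    """Return a list of (subinterface name, finding code); empty means clean."""
    interfaces = parse_config(text)
    findings = []
    dlci_owners = defaultdict(dict)  # parent -> {dlci: first subinterface using it}
    for (kind, number), data in interfaces.items():
        if "." not in number:
            continue  # physical interface: the checks below apply to subinterfaces
        name = f"{kind} {number}"
        parent = (kind, number.split(".", 1)[0])
        parent_lines = interfaces.get(parent, {}).get("lines", [])
        # Slide 410: the physical interface must already be set up for Frame Relay.
        if "encapsulation frame-relay" not in parent_lines:
            findings.append((name, "parent-not-frame-relay"))
        dlcis = [int(m.group(1)) for m in map(DLCI_RE.match, data["lines"]) if m]
        # A point-to-point subinterface refers to a single destination: one DLCI.
        if data["mode"] == "point-to-point" and len(dlcis) != 1:
            findings.append((name, "point-to-point-needs-one-dlci"))
        # DLCIs are locally significant and must be unique on the physical interface.
        for dlci in dlcis:
            owner = dlci_owners[parent].setdefault(dlci, name)
            if owner != name:
                findings.append((name, "duplicate-dlci"))
        # The DLCI must represent a destination protocol address.
        if not any(l.startswith(ADDRESS_PREFIXES) for l in data["lines"]):
            findings.append((name, "no-protocol-address"))
    return findings


if __name__ == "__main__":
    for name, code in lint_frame_relay(SAMPLE_CONFIG):
        print(f"{name}: {code}")
```

Run against the sample it reports one duplicate DLCI on serial 0.3 and three problems on serial 1.1; the first three interfaces alone pass cleanly.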

413 Inverse ARP for Network Discovery

[Figure: routers A and B connected through a Frame Relay network by DLCIs 48 and 66. The switch announces DLCI 48 and DLCI 66; router A announces its IP for DLCI 66; router B announces its IP for DLCI 48]

Configurations using either NBMA groups or subinterface DLCIs can be simplified through use of the Inverse ARP protocol. With Inverse ARP, the router needs to know only its own network protocol address on the NBMA network or subnet. The router learns about the virtual circuits through LMI signaling from the Frame Relay switch. The router then learns the network address of each peer router by sending and receiving Inverse ARP messages on each added DLCI.

This auto-discovery of remote destination addresses simplifies Frame Relay configuration.

414 Using Inverse ARP for DLCIs

[Figure: router A with DLCI 16 to B, DLCI 17 to C and DLCI 22 to D; Inverse ARP on each DLCI yields B's, C's and D's IPX address (inverse-arp ipx 16, 17, 22)]

As soon as you specify DLCIs for Frame Relay, Inverse ARP automatically starts. With Inverse ARP, the process resolves to a network address when given a DLCI. The router announces a network address and DLCI. The Frame Relay Inverse ARP allows the Frame Relay network to propagate the information. Because Inverse ARP for Frame Relay is on by default, if you need to disable Inverse ARP on a local DLCI, use the no frame-relay inverse-arp command.

This configuration replaces the need for frame-relay map commands. However, any entries resulting from frame-relay map commands continue to establish static routes. This configuration also replaces the need for entering specific network protocol address statements for subinterface configurations. However, any specific addresses you enter take precedence over any addresses for that protocol resolved by Inverse ARP.

The lines of text that describe the various arrows on the graphic are not commands the administrator must enter. Instead, they show the status of information that Inverse ARP uses for Frame Relay networks.

- Frame Relay Inverse ARP is on by default once you specify DLCIs
- Inverse ARP resolves protocol addresses of remote routers for local DLCIs

415 Showing a Frame Relay Interface

Router# show int s 0
Serial 0 is up, line protocol is up
 hardware is MCI serial
 Internet address is , subnet mask
 MTU 1500 bytes, BW 56 Kbit, DLY usec, rely 255/255, load 1/255
 Encapsulation Frame Relay, loopback not set, keepalive set (10 sec)
 LMI DLCI 1026, LMI sent 1, LMI stat recvd 0, LMI upd recvd 0
 Last input 0:04:42, output 0:00:07, output hang never
 Last clearing of "show interface" counters never
 output queue 0/40, 0 drops; input queue 0/75, 0 drops
 five minutes input rate 0 bits/sec, 0 packets/sec
 five minutes output rate 0 bits/sec, 0 packets/sec
 6019 packets input, bytes, 0 no buffer
 Received 2973 broadcasts, 0 runts, 0 giants
 7 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 7 abort
 8595 packets output, bytes, 0 underruns
 0 output errors, 0 collisions, 10 interface resets, 0 restarts
 17 carrier transitions

Using the show interface serial command displays a snapshot of current Frame Relay settings. In particular, note the encapsulation set to Frame Relay, and the bandwidth set to 56 kbps. Also note that LMI transactions will use DLCI 1023. Several other show and debug commands for monitoring Frame Relay operation from your router are described in the Cisco Connection Documentation, Enterprise Series CD-ROMs.

416 Monitoring Frame Relay

Router#terminal monitor
Router#no logging console
Router#debug frame-relay lmi
Serial 0 (out): StEnq, clock , myseq 206, mineseen 205, yourseen 136, DTE up
Serial 0 (in): StEnq, clock , myseq 206
RT IE 1, length 1, type 1
Serial 0 (out): StEnq, clock , myseq 207, mineseen 205, yourseen 136, DTE up
Serial 0 (in): StEnq, clock , myseq 207
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 146, myseq 298
PVC IE 0x7, length 0x6, dlci 48, status 0, bw 56000
PVC IE 0x7, length 0x6, dlci 58, status 0, bw 56000
PVC IE 0x7, length 0x6, dlci 110, status 4, bw 56000

Your Frame Relay configuration enables the router to interface with the Frame Relay service provider network. The router exchanges LMI packets with the provider's Frame Relay switch. Use the debug frame-relay lmi command to see an indication of the information exchanged between your router and your Frame Relay service provider. The sample display from this debug command includes the following information:

Field - Description:
- Serial 0 (out) - Indicates an LMI packet sent out from the router on that interface.
- DTE up - Frame Relay line protocol is up for the user-side interface.
- Serial 0 (in) - Indicates an LMI sent by the provider switch into the router.
- type 1 (or type 0) - Status update is abbreviated (type 1), or full (type 0).
- PVC IE ... dlci 48, status 0 - Full status update PVC information element on DLCI 48 shows that the DLCI has been added to the network and is inactive.
- bw - PVC for the DLCI uses a 56-kbps Frame Relay facility.
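A practitioner normally wants to reconcile what the switch reports via LMI with what the router is configured to use: a DLCI the configuration names but the switch never announces, or a DLCI the switch announces but nobody configured, both deserve attention. The following parser is an added example, not code from the course. SAMPLE_DEBUG is constructed after the debug output above (the clock values and the one status 2 line are made up), EXPECTED_DLCIS stands in for the DLCIs named in the router's map or interface-dlci statements, and reading bit 0x2 of the status field as "active" is an assumption about the LMI PVC status encoding; the slide itself only states that status 0 means added/inactive.

```python
"""Parse 'debug frame-relay lmi' output and compare it with the configured
DLCIs (added example; sample lines and the expected-DLCI set are constructed)."""
import re

SAMPLE_DEBUG = """\
Serial 0 (out): StEnq, clock 20212760, myseq 206, mineseen 205, yourseen 136, DTE up
Serial 0 (in): StEnq, clock 20212800, myseq 206
RT IE 1, length 1, type 1
Serial 0 (out): StEnq, clock 20222760, myseq 207, mineseen 205, yourseen 136, DTE up
Serial 0 (in): StEnq, clock 20222800, myseq 207
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 146, myseq 298
PVC IE 0x7, length 0x6, dlci 48, status 0, bw 56000
PVC IE 0x7, length 0x6, dlci 58, status 2, bw 56000
PVC IE 0x7, length 0x6, dlci 110, status 4, bw 56000
"""
# DLCIs the router's own configuration names (constructed assumption).
EXPECTED_DLCIS = {48, 110, 235}

OUT_RE = re.compile(r"^(\S+ \d+) \(out\): StEnq, .*?(DTE up|DTE down)\s*$")
RT_RE = re.compile(r"^RT IE \d+, length \d+, type (\d+)")
PVC_RE = re.compile(r"^PVC IE \S+, length \S+, dlci (\d+), status (\d+), bw (\d+)")
ACTIVE_BIT = 0x2  # assumed LMI "active" bit in the PVC status field


def parse_lmi_debug(text):
    """Summarise one debug capture: DTE state, update counts and PVC table."""
    report = {"interface": None, "dte_state": None,
              "keepalives": 0, "full_status_updates": 0, "pvcs": {}}
    for line in text.splitlines():
        m = OUT_RE.match(line)
        if m:  # status enquiry sent by the router, with the line-protocol state
            report["interface"], report["dte_state"] = m.groups()
            continue
        m = RT_RE.match(line)
        if m:  # report type: 1 = abbreviated (keepalive), 0 = full status
            key = "full_status_updates" if m.group(1) == "0" else "keepalives"
            report[key] += 1
            continue
        m = PVC_RE.match(line)
        if m:  # one PVC information element from a full status reply
            dlci, status, bw = (int(x) for x in m.groups())
            report["pvcs"][dlci] = {"status": status,
                                    "active": bool(status & ACTIVE_BIT),
                                    "bw": bw}
    return report


def compare_with_config(report, expected_dlcis):
    """Reconcile the switch's PVC list with the DLCIs the configuration expects."""
    reported = set(report["pvcs"])
    return {
        "missing_from_lmi": sorted(expected_dlcis - reported),
        "unexpected_from_lmi": sorted(reported - expected_dlcis),
        "inactive": sorted(d for d, p in report["pvcs"].items() if not p["active"]),
    }


if __name__ == "__main__":
    summary = parse_lmi_debug(SAMPLE_DEBUG)
    print(summary)
    print(compare_with_config(summary, EXPECTED_DLCIS))
```

On the sample, DLCI 235 is configured but never announced, DLCI 58 is announced but not configured, and DLCIs 48 and 110 are present but not active; each of those is a configuration or provider-side discrepancy worth following up before trusting the link.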

417 Summary

- Use a locally significant DLCI as an indicator of the ultimate destination of a Frame Relay PVC
- Cisco supports different Frame Relay LMIs: ANSI (Annex D), CCITT (Annex A), Cisco (LMI)
- Define static PVC routes with Frame Relay maps
- Alternately, define subinterfaces for interface DLCIs to avoid split horizon on routing and SAP updates
- Inverse ARP, on by default, auto-discovers remote protocol addresses for local DLCIs
- Monitor Frame Relay with show and debug commands

418 AutoInstalling Configuration Data

419 Objectives

Upon completion of this chapter, you will be able to:
- Describe how to use the AutoInstall procedure to remotely configure a new router
- Identify where the new router acquires its IP address, host name, and configuration
- Download a configuration file over the following: LAN link, HDLC serial connection

This chapter describes how to use the AutoInstall feature to configure a router. It explains where a router acquires its IP address, host name, and configuration.

420 New Router AutoInstall Overview

[Figure: the new router attached to an existing router. TFTP server: host name, startup-config file. BOOTP server: provides IP address, uses helper-address to TFTP server. DNS server (if needed): provides address-to-host-name translation]

The AutoInstall procedure allows a network administrator to configure a router automatically and remotely over the network. This configuration is most useful for establishing new routers in remote locations where branch office staff members have limited networking knowledge and skills.

The new router must be connected to an existing router on either a WAN or LAN link. Both existing and new routers must be running Cisco IOS Release 9.1 or later for encapsulations other than Frame Relay. For Frame Relay encapsulation, both routers must be running Cisco IOS Release 10.3 or later.

The existing router acts as a Bootstrap Protocol (BOOTP) or Reverse Address Resolution Protocol (RARP) server. It must be set up to help the new router acquire its IP address. This existing router also contains a helper address for the TFTP server.

Note: The new router configuration files must reside on the TFTP server. Prepare new router configuration files for AutoInstall in the Cisco IOS software configuration mode. Move your new router configuration files using the copy running-config tftp command to store the current configuration in RAM on a network TFTP server.

This server provides a host name for the address presented by the new router. If this IP address-to-host name translation does not occur on the TFTP server, then the new router uses a Domain Name System (DNS) server. The new router configuration is downloaded from a reachable TFTP server to the new router.

Configure a new router automatically and remotely.

421 AutoInstall Procedures

[Figure: exchange between the new router, the existing router and the TFTP server: BOOTP request for an IP address; TFTP request to resolve the host name; TFTP reply with network-confg; TFTP request for hostname-confg; TFTP reply downloads the config file]

The AutoInstall procedure has several steps. First, the new router sends a BOOTP request for an IP address. The new router learns its IP address from the first valid BOOTP or RARP reply.

Once it has obtained an IP address, the new router requests a translation by the TFTP server to resolve this IP address into a host name. The response to this request comes in the form of a network-confg file containing the host name for the new router.

The new router uses its newly acquired host name to request the hostname-confg file that contains its specific configuration entries. The TFTP server downloads this file to the new router.

The new router acquires its IP address, host name, and configuration.

422 Fallback Requests for AutoInstall

[Figure: new router, existing router, TFTP server and DNS server. If the request to resolve the host name is not met, broadcast a DNS request; DNS replies with the host name (if any). If the request for hostname-confg is not met, TFTP request for router-confg; the TFTP server replies with a download of router-confg (if any)]

Prior discussions outlined AutoInstall operating in the most common scenarios. However, the AutoInstall process also includes several fallback requests to use if a common scenario fails to provide the proper response to the new router's requests.

If the host name request to the TFTP server fails to provide the new router with a host name, it will fall back to another request procedure. This sends a request to the DNS server to obtain IP address-to-host name translation.

Later, if the new router requests a hostname-confg file, but the TFTP server cannot send the requested file, it will send a more generic configuration in a router-confg file. Then the administrator can log in to the new router and make any specific configuration changes necessary for the new router.

- If host name resolution from TFTP network-confg fails, the new router sends a request to the DNS server
- If the new router cannot get a host name-specific confg, it sends a TFTP request for the more generic router-confg

423 LAN AutoInstall Example

[Figure: new router on E0 of the existing router, TFTP server reachable beyond it]

interface ethernet 0
 ip address
 ip helper-address

A new router can AutoInstall from an existing router and TFTP server using an Ethernet, Token Ring, or FDDI interface. The example commands shown are entries on the existing router.

Command - Description:
- interface ethernet 0 - Defines an Ethernet interface on the existing router.
- ip address - Defines the IP address for Ethernet interface 0 on the existing router.
- ip helper-address - Defines the address of the TFTP server; all incoming TFTP requests at this interface are then forwarded to this address.

Supported interfaces: Ethernet, Token Ring, FDDI.

424 WAN AutoInstall Example

Using HDLC

[Figure: new router on S1 of the existing router, TFTP server reachable beyond it]

interface serial 1
 ip address
 ip helper-address

A new router can AutoInstall from an existing router and TFTP server across a WAN. The example command entries are shown for the existing router that uses HDLC.

Command - Description:
- interface serial 1 - Defines serial interface 1 on the existing router.
- ip address - Defines the IP address and its subnet mask for serial interface 1 on the existing router.
- ip helper-address - Defines the address of the TFTP server; all incoming TFTP requests at this interface are then forwarded to this address.

Supported interfaces: HDLC, Frame Relay, HSSI with Frame Relay.

425 WAN AutoInstall Example (cont.)

Using Frame Relay

[Figure: new router reached from S1 of the existing router across a Frame Relay cloud on DLCI 39; TFTP server beyond the existing router]

interface serial 1
 ip address
 ip helper-address
 encapsulation frame-relay
 frame-relay map ip

In this example, the existing router and new router connect over a Frame Relay link. Command entries to set up AutoInstall for this environment are as follows:

Command - Description:
- interface serial 1 - Defines serial interface 1 on the existing router.
- ip address - Defines the IP address and its subnet mask for serial interface 1 on the existing router.
- ip helper-address - Defines the address of the TFTP server; all incoming TFTP requests at this interface are then forwarded to this address.
- encapsulation frame-relay - Defines Frame Relay encapsulation to be the Cisco-proprietary type instead of the type defined by the Internet Engineering Task Force (IETF).
- frame-relay map ip - Statically maps the new router's IP address to its designated data-link connection identifier (DLCI) 39.

426 Summary

- Use AutoInstall to download to a remote router over: LAN, HDLC, Frame Relay
- With AutoInstall, remote routers can get their: IP address, host name, Cisco IOS software configuration

427 Appendixes

428 Configuring DECnet

429 Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the DECnet protocol stack
- Describe the key features of DECnet
- Enable DECnet protocol and configure DECnet interfaces
- Monitor DECnet operation in the router

430 Overview of DECnet

431 End-to-End Communication

DECnet Protocol Stack

[Figure: the OSI Reference Model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) drawn alongside the DECnet Architecture (User, Network Mgt., Network Application, Session Control, End-to-End Communication, Routing, Data Link, Physical)]

432 DECnet Features

- Addressing is 16 bits (area.node)
- Modifies MAC address to contain node ID
- Nodes are grouped into areas
- Broadcasts are not propagated
- Routing protocol is DECnet
  - Updates sent at 40-second intervals
  - Metric: path cost

433 DECnet Addressing

[Figure: a router whose every interface carries the single address Area.Node 5.14]

- One address is assigned to the entire unit
  - Each interface has the same logical address
  - Each "wire" does not require a unique network number

434 Area Assignments

[Figure: nodes grouped into areas; a non-contiguous area is marked with an X]

- Logical grouping of nodes
- Arbitrary topology
- Must be contiguous

435 Node Assignments

Area 5 . Node 17

- Concatenate to form a 16-bit hex number: 0x1411
- Swap the two lower bytes and add to the standardized DEC MAC address header AA-00-04-00
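The slide's arithmetic, carried out in code, is an added example rather than part of the course: area.node is packed into one 16-bit value (area in the upper 6 bits, node in the lower 10, which is what turns 5.17 into 0x1411), the two bytes are swapped, and the result is appended to the DEC header AA-00-04-00. The reverse function recovers area.node from such a MAC address, which is what you need when a frame capture shows only the hardware address. The range checks (area 1 to 63, node 1 to 1023) follow from the bit widths and are not stated on the slide.

```python
"""DECnet Phase IV address <-> MAC address conversion (added example)."""

DEC_HIORD = "aa:00:04:00"  # standardized DEC MAC address header from the slide


def decnet_to_hex(area, node):
    """Concatenate area (6 bits) and node (10 bits) into one 16-bit value."""
    if not 1 <= area <= 63:
        raise ValueError(f"area {area} out of range 1..63")
    if not 1 <= node <= 1023:
        raise ValueError(f"node {node} out of range 1..1023")
    return (area << 10) | node


def decnet_to_mac(area, node):
    """Return the MAC address DECnet sets on an interface for area.node."""
    value = decnet_to_hex(area, node)
    low, high = value & 0xFF, value >> 8
    # Swap the two bytes: the low byte comes first, then the high byte.
    return f"{DEC_HIORD}:{low:02x}:{high:02x}"


def mac_to_decnet(mac):
    """Recover (area, node) from a DECnet-style MAC; None if it is not one."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or ":".join(octets[:4]) != DEC_HIORD:
        return None
    low, high = int(octets[4], 16), int(octets[5], 16)
    value = (high << 8) | low  # undo the byte swap
    return value >> 10, value & 0x3FF


if __name__ == "__main__":
    print(hex(decnet_to_hex(5, 17)), decnet_to_mac(5, 17))
    print(mac_to_decnet("AA-00-04-00-11-14"))
```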

436 Routers Pass Information

[Figure: router 5.10 with links of cost 5 to DEC nodes 5.2 and 5.3 and a link of cost 15 toward 5.4. Routing table at 5.10 (Host / Cost / Next): 5.2 / 5 / . ; 5.3 / 5 / . ; 5.4 / 20 / 5.10]

- Routing decisions are based on cost
- Routing table contains host and cost information
- Routers know about all hosts in their area

437 Designated Routers

[Figure: designated router arbitration. "Hello, I am 5.3, the designated router"; the designated router is 5.3]

- Routers and end nodes advertise their presence via hello messages
- Designated routers are chosen by highest priority
- Initial end-node traffic is always sent to the designated router

438 Level 1 and Level 2 Routing

[Figure: nodes in areas 5, 8 and 10 (5.1, 5.3, 5.8, 5.10, 5.100, 8.1, 8.13, 8.100, 10.1, 10.2, 10.100) with routing inside each area and between areas]

- Level 1 - Inside your area
- Level 2 - Between areas

439 Configuring DECnet

440 DECnet Configuration Tasks

[Figure: router 5.6 at Level 2 between nodes 5.1, 5.100 and 8.2, 8.18; DECnet cost 15 on a link]

Global configuration:
- DECnet routing and address
- Routing Level 1 or 2

Interface configuration:
- Cost

441 DECnet Configuration

Router (config) # decnet [ network-number ] routing [ iv-prime ] decnet-address
Enables DECnet routing and assigns the area and node address

Router (config) # decnet [ network-number ] node-type { area | routing-iv }
Assigns Level 1 or Level 2 responsibility

442 DECnet Configuration

Router (config-if) # decnet cost cost-value
Assigns an outgoing cost

443 DECnet Configuration Example

[Figure: Cisco A (5.6) with E0 toward 5.1 and 5.100 and S0 toward 8.2 and 8.18]

decnet routing 5.6
decnet node-type area
interface ethernet 0
 decnet cost 5
interface serial 0
 decnet cost 15

444 DECnet Access Lists

445 Key Concepts of DECnet Access Lists

- DECnet address is area.node
- 16-bit address has 10 bits for area, 6 bits for node
- Level 1 router is intra-area; Level 2 router is interarea
- Standard access lists filter source address
- Extended lists filter source and destination

446 DECnet Access List Procedures

[Figure: area 10 (10.1, 10.2, 10.10) and area 5 (5.3, 5.8, 5.10, 5.100) joined by Level 2 routers]

Access list configuration:
- Access list numbers:
- Enter source area addresses
- Optional: destination, wildcard masks

Access group configuration:
- Apply access list number to interface
- Use Level 2 routers between areas

447 Controlling DECnet Access

Router (config) # access-list access-list-number { permit | deny } source source-mask [ destination destination-mask ]
Traffic filter using access lists

Router (config-if) # decnet access-group access-list-number
Links the filter list to the outgoing interface

448 Controlling DECnet Example

[Figure: router with E0 in area 1 and S1, S2, S3 toward areas 1, 2 and 3]

!
access-list 301 permit
access-list 301 permit
interface ethernet
 decnet access-group 301
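The matching rules behind the last three slides (wildcard masks, source-only standard entries, source-and-destination extended entries, and the implicit deny at the end of a list) are worth seeing evaluated on concrete addresses before an access group is applied to a production interface. The evaluator below is an added example, not code from the course. Its list numbers, addresses and masks are constructed; it treats a mask as a wildcard (bits set to 1 are ignored when comparing, as the slide's "wildcard masks" wording indicates) and packs area.node into 16 bits with the area in the upper 6 bits, as in the 0x1411 calculation on slide 435.

```python
"""Evaluate DECnet access lists as described on the slides (added example)."""
import re

LINE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)(?:\s+(\S+)\s+(\S+))?\s*$")

# Constructed sample: area 1 fully permitted, node 2.5 denied before the rest
# of area 2 is permitted, and an extended list that also tests the destination.
SAMPLE = """
access-list 301 permit 1.0 0.1023
access-list 301 deny 2.5 0.0
access-list 301 permit 2.0 0.1023
access-list 302 permit 1.0 0.1023 2.0 0.1023
"""


def to16(addr):
    """'area.node' -> 16-bit integer; used for addresses and masks alike."""
    area, node = (int(x) for x in addr.split("."))
    if not 0 <= area <= 63 or not 0 <= node <= 1023:
        raise ValueError(f"bad DECnet value {addr}")
    return (area << 10) | node


def matches(addr, pattern, wildcard):
    """True when addr equals pattern on every bit the wildcard does not ignore."""
    keep = ~to16(wildcard) & 0xFFFF
    return (to16(addr) & keep) == (to16(pattern) & keep)


class DecnetAccessLists:
    def __init__(self):
        self.lists = {}  # number -> [(action, src, src_mask, dst, dst_mask)]

    def add(self, line):
        """Parse one 'access-list ...' configuration line."""
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse: {line}")
        number, action, src, smask, dst, dmask = m.groups()
        self.lists.setdefault(int(number), []).append((action, src, smask, dst, dmask))

    def check(self, number, src, dst=None):
        """Return 'permit' or 'deny' for a packet; entries are tried in order."""
        for action, esrc, smask, edst, dmask in self.lists.get(number, []):
            if not matches(src, esrc, smask):
                continue
            # Extended entries also require a destination match.
            if edst is not None and (dst is None or not matches(dst, edst, dmask)):
                continue
            return action
        return "deny"  # implicit deny at the end of every list


def build_sample():
    acls = DecnetAccessLists()
    for line in SAMPLE.strip().splitlines():
        acls.add(line)
    return acls


if __name__ == "__main__":
    acls = build_sample()
    for src in ("1.17", "2.5", "2.6", "3.1"):
        print(f"list 301 source {src}: {acls.check(301, src)}")
    print("list 302 1.3 -> 2.9:", acls.check(302, "1.3", "2.9"))
```

Order matters: moving the deny 2.5 entry below the permit 2.0 0.1023 entry would silently permit 2.5, which is exactly the kind of mistake this evaluator lets you catch before the list is applied with decnet access-group.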

449 Summary

- DECnet addressing is area.node
- One address is assigned to the entire router
- DECnet modifies MAC addresses on all interfaces
- Routers function within or between areas

