

CCNA 3.0 Instructor Resource Document

Section 1

IP Addressing

Table of Contents

IP ADDRESSING .... 1
OVERVIEW .... 3
OBJECTIVES .... 4
1.1 IPV4 ADDRESSING .... 5
1.1.1 Internet's address architecture .... 5
1.1.2 Classes of IP addresses .... 6
1.1.3 Classes of IP addresses (con't.) .... 8
1.1.4 Subnet masking .... 9
1.2 IP ADDRESSING CRISIS AND SOLUTIONS .... 12
1.2.1 IP addressing crisis .... 12
1.2.2 Classless Interdomain Routing (CIDR) .... 13
1.2.3 Route aggregation and supernetting .... 14
1.2.4 Supernetting and address allocation .... 16
1.3 VLSM .... 18
1.3.1 Variable-Length Subnet Masks .... 18
1.3.2 Classless and classful routing protocols .... 21
1.4 ROUTE SUMMARIZATION .... 23
1.4.1 An overview of route summarization .... 23
1.4.2 Route flapping .... 24
1.5 PRIVATE ADDRESSING AND NAT .... 25
1.5.1 Private IP addresses (RFC 1918) .... 25
1.5.2 Discontiguous subnets .... 27
1.5.3 Network Address Translation (NAT) .... 28
1.6 IP UNNUMBERED .... 29
1.6.1 Using IP unnumbered .... 29
1.7 DHCP AND EASY IP .... 31
1.7.1 DHCP overview .... 31
1.7.2 DHCP operation .... 33
1.7.3 Configuring IOS DHCP server .... 34
1.7.4 Easy IP .... 36
1.8 HELPER ADDRESSES .... 38
1.8.1 Using helper addresses .... 38
1.8.2 Configuring IP helper addresses .... 39
1.8.3 IP helper address example .... 40
1.9 IPV6 .... 42
1.9.1 IP address issues solutions .... 42
1.9.2 IPv6 address format .... 43
1.10 ADVANCED IP ADDRESSING MANAGEMENT LAB EXERCISES .... 46
1.10.1 Configuring VLSM and IP Unnumbered .... 46
1.10.2 VLSM .... 46
1.10.3 Using DHCP and IP Helper Addresses .... 46
SUMMARY .... 47


Routing Section 1: IP Addressing

Copyright © 2002, Cisco Systems, Inc.

Overview

A scalable network requires an addressing scheme that allows for growth. As new nodes and networks are added to the enterprise, existing addresses may need to be reassigned, enlarged routing tables may slow down routers, and the supply of available addresses may run out. These unpleasant consequences can be avoided with a careful plan and deployment of a scalable network-addressing system. Although network designers can choose among many different network protocols and address schemes, the emergence of the Internet and its nonproprietary protocol, TCP/IP, has meant that virtually every enterprise must implement an IP addressing scheme. Companies such as Apple and Novell have recently migrated away from their proprietary protocols to TCP/IP as their network software. Many organizations opt to run TCP/IP as the only routed protocol on their network. The bottom line is that today's administrators must find ways to scale their networks by using IP addressing.

Unfortunately, the architects of TCP/IP could not have predicted that their protocol would eventually sustain a global network of information, commerce, and entertainment. Twenty years ago, IP version 4 (IPv4) offered an addressing strategy that, although scalable for a time, resulted in an inefficient allocation of addresses. Over the past two decades, engineers have successfully modified IPv4 so that it could survive the Internet's exponential growth. Meanwhile, an even more extendible and scalable version of IP, IP version 6 (IPv6), has been defined and developed. Today IPv6 is slowly being implemented in select networks. Eventually, IPv6 may replace IPv4 as the Internet's dominant protocol.

This chapter explores the evolution and extension of IPv4, including the key scalability features that engineers have added over the years: subnetting, classless interdomain routing (CIDR), variable-length subnet masking (VLSM), and route summarization. Finally, this chapter examines advanced IP implementation techniques, such as IP unnumbered, Dynamic Host Configuration Protocol (DHCP), and helper addresses.


Objectives

After completing this chapter, the student will be able to perform tasks related to:

1.1 IPv4 Addressing
1.2 IP Addressing Crisis and Solutions
1.3 VLSM
1.4 Route Summarization
1.5 Private Addressing and NAT
1.6 IP Unnumbered
1.7 DHCP and Easy IP
1.8 Helper Addresses
1.9 IPv6
1.10 Advanced IP Addressing Management Lab Exercises


1.1 IPv4 Addressing

1.1.1 Internet's address architecture

Figure 1: Structure of an IP Address

Figure 2: Dotted Decimal Notation

When TCP/IP was first introduced in the 1980s, it relied on a two-level addressing scheme, which at the time offered adequate scalability. IPv4's 32-bit-long address identifies a network number and a host number, as shown in Figure [1]. Together, the network number and the host number uniquely identify all hosts connected via the Internet. It is possible that the needs of a small, networked community could be satisfied with just host addresses, as is the case with LANs. However, network addresses are necessary for end systems on different networks to communicate with each other. Routers use the network portion of the address to make routing decisions and facilitate communication between hosts that belong to different networks.


Unlike routers, humans find working with strings of 32 ones and zeros tedious and clumsy. Therefore, 32-bit IP addresses are written using dotted-decimal notation. Each 32-bit address is divided into four groups of eight, called octets, and each octet is converted to decimal and then separated by decimal points, or dots. [2] In the dotted decimal address, 132.163.128.17, which of these four octets represents the network portion of the address? Which of the octets are the host numbers? Recognizing that the number is in actuality a 32-bit number eases determining the answer. In the early days of TCP/IP, a class system was used to define the network and host portions of the address. IPv4 addresses were grouped into five distinct classes, according to the pattern of the first few bits in the first octet of the address. Although the class system can still be applied to IP addresses, today's networks often ignore the rules of class in favor of a classless IP scheme. In the following sections, the limitations of the IP address classes, the subsequent addition of the subnet mask, and the addressing crisis that led to the adoption of a classless system will be examined.

1.1.2 Classes of IP addresses

Figure 1: Address Architecture

In a classful system, IP addresses can be grouped into one of five different classes: A, B, C, D, and E based on the position of the first 0-bit in the first octet. Each of the four octets of an IP address represents either the network portion or the host portion of the address, depending on the address's class. Only the first three classes (A, B, and C) are used for addressing actual hosts on IP networks. Class D addresses are used for multicasting, and Class E addresses are reserved for experimentation and are not shown in the figure. The following sections explore each of the five classes of addresses.


Class A Addresses

If the first bit of the first octet of an IP address is a binary 0, then the address is a Class A address. With that first bit a 0, the lowest number that can be represented is 00000000 (decimal 0), and the highest number that can be represented is 01111111 (decimal 127). Any address that starts with a value between 0 and 127 in the first octet is a Class A address. The two numbers, 0 and 127, are reserved and cannot be used as a network address.

Class A addresses were intended to accommodate very large networks, so only the first octet is used to represent the network number, which leaves three octets (or 24 bits) to represent the host portion of the address. With 24 bits total, 2^24 (^ means to the power of) combinations are possible, yielding 16,777,216 possible addresses. Two of those possibilities, the lowest and highest values (24 zeros and 24 ones), are reserved for special purposes, so each Class A address can support up to 16,777,214 unique host addresses.

Why are two host addresses reserved for special purposes? Every network requires a network number, an ID number that is used to refer to the entire range of hosts when building routing tables. The address that contains all 0s in the host portion is used as the network number and cannot be used to address an individual node. 46.0.0.0 is a class A network number. Similarly, every network requires a broadcast address that can be used to address a message to every host on a network. It is created with all 1s in the host portion of the address.

With almost 17 million host addresses available, a Class A network actually provides too many possibilities for one company or campus. Although an enormous global network with that many nodes can be imagined, the hosts in such a network could not function as members of the same logical group. Administrators require much smaller logical groupings to control broadcasts, apply policies, and troubleshoot problems.
Fortunately, the subnet mask allows subnetting, which breaks a large block of addresses into smaller groups called subnetworks. All Class A networks are subnetted. If they were not, Class A networks would represent huge waste and inefficient allocation of address space.

How many Class A addresses are there? If only the first octet is used as network number, and it contains a value greater than 0 and less than 127, then 126 Class A networks exist. There are only 126 Class A addresses, each with almost 17 million possible host addresses, but these account for about half of the entire IPv4 address space. Under this system, a small number of organizations control half of the Internet's addresses.

Class B Addresses

Class B addresses start with a binary 10 pattern in the first 2 bits of the first octet. Therefore, the lowest number that can be represented with a Class B address is 10000000 (decimal 128), and the highest number that can be represented is 10111111 (decimal 191). Any address that starts with a value in the range of 128 to 191 in the first octet is a Class B address. Class B addresses were intended to accommodate medium-size networks, so the first two octets are used to represent the network number, which leaves two octets (or 16 bits) to represent the host portion of the address. With 16 bits total, 2^16 combinations are possible, yielding 65,536 Class B addresses. Recall that two of those numbers, the lowest and highest values, are reserved for special purposes, so each Class B address can support 65,534 hosts.

Though significantly smaller than the networks created by Class A addresses, a logical group of more than 65,000 hosts is still unmanageable and impractical. Therefore, like Class A networks, Class B addresses are subnetted to improve efficiency. There are 16,384 Class B networks. The first octet of a Class B address offers 64 possibilities (128 to 191), and the second octet has 256 (0 to 255). That yields 16,384 (64 * 256) addresses, or 25 percent of the total IP space. Nevertheless, given the popularity and importance of the Internet, these addresses have run out quickly, which essentially leaves only Class C addresses available for new growth.

1.1.3 Classes of IP addresses (con't.)

Figure 1: IP Address Available to Internet Hosts

Class C Addresses

A Class C address begins with a binary 110 pattern. Therefore, the lowest number that can be represented is 11000000 (decimal 192), and the highest number that can be represented is 11011111 (decimal 223). If an IPv4 address contains a number in the range of 192 to 223 in the first octet, it is a Class C address. Class C addresses were originally intended to support small networks; the first three octets of a Class C address represent the network number, and the last octet may be used for hosts. One octet for hosts yields 256 possibilities; after you subtract the all-0s network number and the all-1s broadcast address, only 254 hosts may be addressed on a Class C network.

Whereas Class A and Class B networks prove impossibly large (without subnetting), Class C networks can impose too restrictive a limit on hosts. With 2,097,152 total network addresses containing a mere 254 hosts each, Class C addresses account for 12.5 percent of the Internet's address space. With Class A and B exhausted, the remaining Class C addresses are all that is left to be assigned to new organizations that need IP networks. Figure 1 summarizes the ranges and availability of the three address classes used to address Internet hosts.

Class D Addresses

A Class D address begins with a binary 1110 pattern in the first octet. Therefore, the first octet range for Class D addresses is 11100000 to 11101111, or 224 to 239. Class D addresses are not used to address individual hosts. Instead, each Class D address can be used to represent a group of hosts called a host group, or multicast group. For example, a router configured to run EIGRP joins a group that includes other nodes that are also running EIGRP. Members of this group still have unique IP addresses from the Class A, B, or C range, but they also listen for messages addressed to 224.0.0.10, which is a Class D address. Therefore, a single routing update message can be sent to 224.0.0.10, and all EIGRP routers will receive it. A single message sent to several select recipients is called a multicast. Class D addresses are also called multicast addresses. A multicast is different from a broadcast. Every device on a logical network receives a broadcast, whereas only devices configured with a Class D address receive a multicast.

Class E Addresses

If the first octet of an IP address begins with a binary 1111 pattern, then the address is a Class E address. Class E addresses are reserved for experimental purposes and should not be used for addressing hosts or multicast groups.
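The leading-bit rules of sections 1.1.1 through 1.1.3 are easy to get wrong by hand, so the following is an added worked example (written for this page, not code from the Cisco document) that classifies an address from its first-octet bits, renders the dotted-decimal form as 32 bits, and derives the classful network number, broadcast address, usable host count, and the number of networks in each class. The sample addresses are the ones used in the text; the helper names are this example's own.

```python
# Added example (not from the Cisco document): classful analysis of an IPv4
# address using the first-octet bit patterns described in sections 1.1.1-1.1.3.

def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal notation to the 32-bit integer it stands for."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid dotted-decimal address: {dotted}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: split the 32 bits into four octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render the address as four 8-bit groups, the way the text draws it."""
    value = ip_to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> str:
    """Return 'A'..'E' from the position of the first 0 bit in the first octet."""
    first = ip_to_int(dotted) >> 24
    if first & 0b10000000 == 0:            # 0xxxxxxx -> 0..127
        return "A"
    if first & 0b11000000 == 0b10000000:   # 10xxxxxx -> 128..191
        return "B"
    if first & 0b11100000 == 0b11000000:   # 110xxxxx -> 192..223
        return "C"
    if first & 0b11110000 == 0b11100000:   # 1110xxxx -> 224..239 (multicast)
        return "D"
    return "E"                             # 1111xxxx -> 240..255 (reserved)


# Network bits prescribed by the rules of class for the three host classes.
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}
# Usable first-octet values per class; 0 and 127 are reserved in Class A.
FIRST_OCTET_RANGE = {"A": (1, 126), "B": (128, 191), "C": (192, 223)}


def classful_split(dotted: str) -> dict:
    """Network number, broadcast and usable host count under the rules of class."""
    cls = address_class(dotted)
    if cls not in NETWORK_BITS:
        raise ValueError(f"class {cls} addresses do not identify individual hosts")
    host_bits = 32 - NETWORK_BITS[cls]
    value = ip_to_int(dotted)
    network_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = value & network_mask                 # all 0s in the host portion
    broadcast = network | ((1 << host_bits) - 1)   # all 1s in the host portion
    return {
        "class": cls,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": (1 << host_bits) - 2,      # minus network number and broadcast
    }


def network_count(cls: str) -> int:
    """How many networks a class holds: first-octet choices times 256 for each
    further network octet (126 for A, 16,384 for B, 2,097,152 for C)."""
    low, high = FIRST_OCTET_RANGE[cls]
    further_network_octets = NETWORK_BITS[cls] // 8 - 1
    return (high - low + 1) * 256 ** further_network_octets


if __name__ == "__main__":
    for addr in ("46.10.20.30", "132.163.128.17", "207.21.54.9", "224.0.0.10"):
        print(f"{addr:16} {to_binary(addr)}  class {address_class(addr)}")
    print(classful_split("132.163.128.17"))
    print({cls: network_count(cls) for cls in NETWORK_BITS})
```

Running the block answers the question posed about 132.163.128.17: its first bits are 10, so it is Class B, the first two octets (132.163) are the network number and the last two are the host number.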

1.1.4 Subnet masking

Figure 1: Structure of an IP Address After Subnetting

Figure 2: Class B Address Without Subnetting


Figure 3: Class B Address With Subnetting

Subnet masking, or subnetting, is used to break one large group into several smaller subnetworks. These subnets can then be distributed throughout an enterprise, resulting in less waste and better logical organization. Formalized with RFC 950 in 1985, subnetting introduced a third level of hierarchy to the IPv4 addressing structure. [1] The number of bits available to the network, subnet, and host portions of a given address varies depending on the size of the subnet mask. A subnet mask is a 32-bit number that acts as a counterpart to the IP address. Each bit in the mask corresponds to its counterpart bit in the IP address. If a bit in the IP address corresponds to a 1 bit in the subnet mask, the IP address bit represents a network number. If a bit in the IP address corresponds to a 0 bit in the subnet mask, the IP address bit represents a host number. In effect, the subnet mask (when known) overrides the address class to determine whether a bit is either network or host. Routers and other hosts can be configured to recognize addresses differently than the format dictated by classes. For example, the mask can tell the hosts that, even though their addresses are Class B, the first three octets (instead of the first two) are the network number. In this case, the additional octet acts like part of the network number, but only inside the organization where the mask is configured. The subnet mask applied to an address ultimately determines the network and host portions of an IP address. The network and host portions change when the subnet mask changes. If you apply the mask 255.255.0.0, only the first 16 bits (two octets) of the IP address 172.24.100.45 represent the network number, as shown in Figure [2]. Therefore, the network number for this host address is 172.24.0.0. The shaded portion of the address in Figure [2] indicates the network number.

Because the rules of class dictate that the first two octets of a Class B address are the network number, this 16-bit mask does not create subnets within the 172.24.0.0 network. To create subnets with this Class B address, a mask that identifies bits in the third or fourth octet as part of the network number must be used. A 24-bit mask, 255.255.255.0, specifies the first 24 bits of the IP address as the network number. For this example, the network number is 172.24.100.0.

Routers and hosts configured with this mask will see all 8 bits in the third octet as part of the network number. These 8 bits are considered the subnet field because they represent network bits beyond the two octets prescribed by classful addressing. Inside this network, devices configured with a 24-bit mask will use the 8 bits of the third octet to determine what subnet a host belongs to. Because 172.24.100.45 and 172.24.101.46 have different values in the third octet, they do not belong to the same logical network. Hosts must match subnet fields to communicate with each other directly. Otherwise, the services of a router must be used so that a host on one subnet can talk to a host on another subnet. An 8-bit subnet field creates 2^8, or 256, potential subnets. Because 8 bits remain in the host field, 254 hosts may populate each network (two host addresses are reserved as the network number and broadcast address). By dividing a Class B network into smaller logical groups, the internetwork is more manageable, efficient, and scalable. Subnet masks are not sent as part of an IP packet header, so routers outside this network will not know what subnet mask is configured inside the network. An outside router will therefore treat 172.24.100.45 as just one of sixty-five thousand hosts that belong to the 172.24.0.0 network. In effect, subnetting provides a logical structure that is hidden from the outside world.
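As an added example (written for this page, not code from the Cisco document), the bit-by-bit mask logic of section 1.1.4 applied to the text's own addresses: the mask is ANDed with the address to obtain the network number, two hosts are on the same subnet only if those network numbers match, and the subnet field is the run of mask bits beyond the classful network portion. The function names are this example's own; the mask-to-prefix conversion also rejects a mask whose 1 bits are not contiguous, since such a mask does not describe a network/host split.

```python
# Added example (not from the Cisco document): applying a subnet mask as
# section 1.1.4 describes. Sample addresses and masks are the section's own.

def ip_to_int(dotted: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid dotted-decimal address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> str:
    """A /N mask is N one-bits followed by (32 - N) zero-bits: /16 -> 255.255.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. A mask whose 1 bits are not contiguous (for example
    255.0.255.0) is rejected: it does not divide the address into network and host."""
    value = ip_to_int(mask)
    prefix_len = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return prefix_len


def network_number(dotted: str, mask: str) -> str:
    """Address bits under a 1 in the mask are network bits; AND keeps exactly those."""
    return int_to_ip(ip_to_int(dotted) & ip_to_int(mask))


def broadcast_address(dotted: str, mask: str) -> str:
    """Set every host bit (the bits under a 0 in the mask) to 1."""
    return int_to_ip(ip_to_int(dotted) | (~ip_to_int(mask) & 0xFFFFFFFF))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts can talk directly only if their network numbers match under the mask."""
    return network_number(a, mask) == network_number(b, mask)


def subnet_field(dotted: str, mask: str, classful_bits: int) -> int:
    """Value of the subnet bits: the mask's network bits beyond the classful network
    portion (16 bits for a Class B address such as 172.24.100.45)."""
    prefix_len = mask_to_prefix(mask)
    subnet_bits = prefix_len - classful_bits
    if subnet_bits < 0:
        raise ValueError("mask is shorter than the classful network portion")
    host_bits = 32 - prefix_len
    return (ip_to_int(dotted) >> host_bits) & ((1 << subnet_bits) - 1)


def subnet_plan(mask: str, classful_bits: int) -> tuple:
    """(number of subnets, usable hosts per subnet) when the mask is applied to a
    classful network; the network number and broadcast are not usable hosts."""
    prefix_len = mask_to_prefix(mask)
    subnets = 1 << (prefix_len - classful_bits)
    hosts = (1 << (32 - prefix_len)) - 2
    return subnets, hosts


if __name__ == "__main__":
    host_a, host_b = "172.24.100.45", "172.24.101.46"
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, network_number(host_a, mask), same_subnet(host_a, host_b, mask))
    print("subnet field:", subnet_field(host_a, "255.255.255.0", 16))
    print("subnets, hosts:", subnet_plan("255.255.255.0", 16))
```

With the 16-bit mask both hosts fall in 172.24.0.0 and the subnet field is empty; with the 24-bit mask the subnet field of 172.24.100.45 is 100, the two hosts are on different subnets, and the plan is 256 subnets of 254 hosts, which is what the section derives by hand.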


1.2 IP Addressing Crisis and Solutions

1.2.1 IP addressing crisis

Figure 1: IP Address Allocation

Class A and B addresses make up 75 percent of the IPv4 address space, but a relative handful of organizations (fewer than 17,000) can be assigned a Class A or B network number. Class C network addresses are far more numerous than Class A and Class B addresses, although they account for only 12.5 percent of the possible 4 billion (2^32) IP hosts, as shown in Figure 1. Unfortunately, Class C addresses are limited to 254 hosts, which will not meet the needs of larger organizations that cannot acquire a Class A or B address. Even if there were more Class A, B, and C addresses, too many network addresses would cause Internet routers to slow to a halt under the weight of enormous routing tables. The classful system of IP addressing, even with subnetting, could not scale to effectively handle global demand for Internet connectivity. As early as 1992, the Internet Engineering Task Force (IETF) identified two specific concerns:

- Exhaustion of the remaining, unassigned IPv4 network addresses. At the time, the Class B space was on the verge of depletion.

- The rapid and substantial increase in the size of the Internet's routing tables, caused by the Internet's growth. As more Class C's came online, the resulting flood of new network information threatened Internet routers' capability to cope effectively.

In the short term, the IETF decided that a retooled IPv4 would have to hold out long enough for engineers to design and deploy a completely new Internet Protocol. That new protocol, IPv6, solves the address crisis by using a 128-bit address space. After years of planning and development, IPv6 promises to be ready for wide-scale implementation, although that has not happened yet. One reason that IPv6 has not been rushed into service is that the short-term extensions to IPv4 have been so effective. By eliminating the rules of class, IPv4 now enjoys renewed viability.

1.2.2 Classless Interdomain Routing (CIDR)

Figure 1: Why Classless Interdomain Routing?

Routers use a form of IPv4 addressing called classless interdomain routing (CIDR) (pronounced "cider") that ignores class. In a classful system, a router determines the class of an address and then identifies the network and host octets based on that class. With CIDR, a router uses a bitmask to determine the network and host portions of an address, which are no longer restricted to using an entire octet. First introduced in 1993 by RFC 1517, 1518, 1519, and 1520, and later deployed in 1994, CIDR dramatically improves IPv4's scalability and efficiency by providing the following:

- The replacement of classful addressing with a more flexible and less wasteful classless scheme

- Enhanced route aggregation, also known as supernetting

The following sections describe route aggregation, supernetting, and address allocation in more detail.


1.2.3 Route aggregation and supernetting

Figure 1: Route Aggregation and Supernetting

Figure 2: Route Aggregation and Supernetting

By using a bitmask instead of an address class to determine the network portion of an address, CIDR allows routers to aggregate, or summarize, routing information. This shrinks the size of the router's routing tables. Just one address and mask combination can represent the routes to multiple networks. Without CIDR and route aggregation, a router must maintain individual entries for the Class B networks shown in Figure [1]. The shaded columns in Figure [1] identify the 16 bits that, based on the rules of class, represent the network number. Classful routers are forced to handle Class B networks using these 16 bits. Because the first 16 bits of each of these eight network numbers are unique, a classful router sees eight unique networks and must create a routing table entry for each. However, these eight networks do have common bits, as shown by the shaded portion of Figure [2]. Figure [2] shows that the example eight-network addresses have the first 13 bits in common. A CIDR-compliant router can summarize routes to these eight networks by using a 13-bit prefix, in which these eight networks, and only these networks, share these 13 bits:

10101100 00011

To represent this prefix in decimal terms, the rest of the address is padded with zeros and then paired with a 13-bit subnet mask:

10101100 00011000 00000000 00000000 = 172.24.0.0
11111111 11111000 00000000 00000000 = 255.248.0.0

Thus, a single address and mask define a classless prefix that summarizes routes to the eight networks, 172.24.0.0/13. By using a prefix address to summarize routes, routing table entries are kept manageable, which results in the following:

- More efficient routing

- A reduced number of CPU cycles when recalculating a routing table or when sorting through the routing table entries to find a match

- Reduced router memory requirements

Supernetting is the practice of using a bitmask to group multiple classful networks as a single network address. Supernetting and route aggregation are different names for the same process, although the term supernetting is most often applied when the aggregated networks are under common administrative control. Supernetting and route aggregation are essentially the inverse of subnetting. Recall that the Class A and Class B address space is virtually exhausted, leaving large organizations little choice but to request multiple Class C network addresses from their providers. If a company can acquire a block of contiguous (that is, sequential) Class C network addresses, supernetting can be used so that the addresses appear as a single large network, or supernet.


1.2.4 Supernetting and address allocation

Figure 1: Supernetting and Address Allocation

Figure 2: Addressing with CIDR

Consider Company XYZ, which requires addresses for 400 hosts. Under the classful addressing system, XYZ could apply to a central Internet address authority for a Class B address. If the company got the Class B and then used it to address one logical group of 400 hosts, tens of thousands of addresses would be wasted. A second option for XYZ would be to request two Class C network numbers, yielding 508 (2 * 254) host addresses. The drawback to this approach is that XYZ would have to route between its own logical networks, and default-free Internet routers would need to maintain two routing table entries for XYZ's network, rather than just one. Under a classless addressing system, supernetting allows XYZ to get the address space that it needs without wasting addresses or increasing the size of routing tables unnecessarily. Using CIDR, XYZ asks for an address block from its Internet service provider, not a central authority such as the InterNIC. The ISP assesses XYZ's needs and allocates address space from its own large "CIDR block" of addresses. Providers assume the burden of managing address space in a classless system. With this system, Internet routers keep only one summary route, or supernet route, to the provider's network, and the provider keeps routes that are more specific to its customer networks. This method drastically reduces the size of Internet routing tables.

In the following example, XYZ receives two contiguous Class C addresses, 207.21.54.0 and 207.21.55.0. The shaded portion of Figure [1] shows that these network addresses have this common 23-bit prefix:

11001111 00010101 0011011

When supernetted with a 23-bit mask (207.21.54.0 /23), the address space provides well over 400 host addresses (2^9) without the tremendous waste of a Class B address. With the ISP acting as the addressing authority for a CIDR block of addresses, the ISP's customer networks, which include XYZ, can be advertised among Internet routers as a single supernet. In Figure [2], the ISP manages a block of 256 Class C addresses and advertises them to the world using a 16-bit prefix: 207.21.0.0 /16. When CIDR enabled ISPs to hierarchically distribute and manage blocks of contiguous addresses, IPv4 address space received the following benefits:

- Efficient allocation of addresses

- Reduced number of routing table entries


1.3 VLSM

1.3.1 Variable-Length Subnet Masks

Figure 1: Subnetting with One Mask

Figure 2: Using Subnets to Address the WAN


Figure 3: Subnetting With Variable Length Masks

Figure 4: Using VLSM to Address Point-to-Point Links

Figure 5: Configuring VLSM

VLSM allows an organization to use more than one subnet mask within the same network address space. Implementing VLSM is often referred to as "subnetting a subnet," and it can be used to maximize addressing efficiency.


Consider the subnets created by borrowing 3 bits from the host portion of the Class C address 207.21.24.0, shown in Figure [1]. Using the ip subnet-zero command, this mask creates seven usable subnets of 30 hosts each. Four of these subnets can address remote offices in the organization pictured in Figure [2], at sites A, B, C, and D. Unfortunately, only three subnets are left for future growth, and the three point-to-point WAN links between the four sites have yet to be addressed. If the three remaining subnets were assigned to the WAN links, the supply of IP addresses would be exhausted. Moreover, squandering the remaining 30-host subnets to address these two-node networks would waste more than a third of the available address space. Over the past 20 years, network engineers have developed three strategies for efficiently addressing point-to-point WAN links:

• Use VLSM

• Use private addressing (RFC 1918)

• Use IP unnumbered

Private addresses and IP unnumbered are discussed in detail later in this chapter. This section focuses on VLSM. If VLSM is applied to addressing problems, a Class C address can be broken into groups (i.e., subnets) of various sizes. Large subnets are created for addressing LANs, and very small subnets are created for WAN links and other special cases. A 30-bit mask is used to create subnets with only two valid host addresses, the exact number needed for a point-to-point connection.

Figure [3] shows what happens if one of the three remaining subnets (subnet 6) is subnetted again using a 30-bit mask. Subnetting the 207.21.24.192 /27 subnet in this way supplies eight ranges of addresses to be used for point-to-point networks. For example, the network 207.21.24.192/30 can be used to address the point-to-point serial link between Site A's router and Site B's router (Figure [4]).

How is VLSM configured on a Cisco router? Figure [5] shows the commands needed to configure Site A's router (RTA) with a 27-bit mask on its Ethernet port and a 30-bit mask on its serial port.
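As an added worked example (not from the Cisco document), the following Python carves the 207.21.24.0/24 block of Figures [1] to [4] the way this section describes: seven /27 LAN subnets, four of them assigned to sites A to D, and subnet 6 (207.21.24.192/27) re-subnetted into /30 point-to-point links. The three WAN link endpoints are constructed; the standard-library `ipaddress` module does the bit arithmetic.

```python
"""VLSM allocation for the Class C block used in Section 1.3.1.

Added example (not from the Cisco instructor document): carve
207.21.24.0/24 into /27 LAN subnets, then subnet one leftover /27
into /30 point-to-point links.
"""
import ipaddress

MAJOR_NET = ipaddress.ip_network("207.21.24.0/24")
SITES = ["Site A", "Site B", "Site C", "Site D"]
# Constructed: the three WAN links between the four sites (the page shows a chain).
WAN_LINKS = [("Site A", "Site B"), ("Site B", "Site C"), ("Site C", "Site D")]


def lan_subnets(major=MAJOR_NET, borrowed_bits=3):
    """Subnets produced by borrowing `borrowed_bits` host bits.

    With `ip subnet-zero` the first subnet (subnet 0) is usable; the page
    counts seven usable /27s because the all-ones subnet is excluded.
    """
    subnets = list(major.subnets(prefixlen_diff=borrowed_bits))
    return subnets[:-1]  # drop the all-ones subnet, as the page does


def usable_hosts(net):
    """Assignable host addresses (network and broadcast addresses removed)."""
    return net.num_addresses - 2


def allocate(sites=SITES, links=WAN_LINKS, wan_source_index=6):
    """Assign one /27 per site and one /30 per WAN link.

    Returns (lan_plan, wan_plan, spare_subnets). The /30s come from the /27
    at `wan_source_index` (subnet 6, 207.21.24.192/27 on the page).
    """
    subnets = lan_subnets()
    lan_plan = dict(zip(sites, subnets))
    wan_source = subnets[wan_source_index]
    p2p_blocks = list(wan_source.subnets(new_prefix=30))  # eight /30s
    wan_plan = {}
    for link, block in zip(links, p2p_blocks):
        end_a, end_b = list(block.hosts())  # exactly the two usable addresses
        wan_plan[link] = (block, end_a, end_b)
    spare = [s for s in subnets[len(sites):] if s != wan_source]
    return lan_plan, wan_plan, spare


def fraction_consumed_by_links(links=WAN_LINKS, major=MAJOR_NET):
    """Share of the Class C burned if each two-node link got a whole /27."""
    return len(links) * 32 / major.num_addresses  # 96 of 256 = 0.375


if __name__ == "__main__":
    lan, wan, spare = allocate()
    for site, net in lan.items():
        print(f"{site}: {net} ({usable_hosts(net)} hosts)")
    for (x, y), (block, a, b) in wan.items():
        print(f"{x} - {y}: {block}  {a} <-> {b}")
    print("spare /27s:", [str(s) for s in spare])
    print("fraction wasted without VLSM:", fraction_consumed_by_links())
```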


1.3.2 Classless and classful routing protocols

Figure1: Classful and Classless Routing Protocols

For routers in a variably subnetted network to properly update each other, they must send masks in their routing updates. Without subnet information in the routing updates, routers have nothing but the address class and their own subnet mask to work with. Only routing protocols that ignore the rules of address class and use classless prefixes will work properly with VLSM (see Figure 1). RIPv1 and IGRP, common interior gateway protocols, cannot support VLSM because they do not send subnet information in their updates. Upon receiving an update packet, these classful routing protocols use one of the following methods to determine the network prefix of an address:

• If the router receives information about a network, and if the receiving interface belongs to that same network (but on a different subnet), the router applies the subnet mask that is configured on the receiving interface.

• If the router receives information about a network address that is not the same as the one configured on the receiving interface, it applies the default (by class) subnet mask.

Despite its limitations, RIP is a very popular routing protocol and is supported by virtually all IP routers. RIP's popularity stems from its simplicity and universal compatibility. However, the first version of RIP (RIPv1) suffers from several critical deficiencies:

1. RIPv1 does not send subnet mask information in its updates. Without subnet information, VLSM and CIDR cannot be supported.
2. Its updates are broadcast, increasing network traffic.
3. It does not support authentication.

In 1988, RFC 1058 prescribed the new (and improved) RIP version 2 to address these deficiencies:

1. RIPv2 does send subnet information and therefore supports VLSM and CIDR.
2. It multicasts routing updates using the Class D address 224.0.0.9, providing better efficiency.
3. It provides for authentication in its updates.

Because of these key features, RIPv2 should always be preferred over RIPv1, unless some legacy device on the network cannot support it. When RIP is first enabled on a Cisco router, the router listens for version 1 and 2 updates but sends only version 1. To take advantage of version 2's features, version 1 support can be turned off and version 2 updates enabled with the following commands:

Router(config)#router rip
Router(config-router)#version 2

RIP's straightforward design ensures that it will continue to survive. A new version has been designed to support future IPv6 networks.


1.4 Route Summarization

1.4.1 An overview of route summarization

Figure 1: Route Summarization

The use of CIDR and VLSM not only prevents address waste, but it also promotes route aggregation, or summarization. Without route summarization, Internet backbone routing would likely have collapsed sometime before 1997. The figure illustrates how route summarization reduces the burden on upstream routers. This complex hierarchy of variable-sized networks and subnetworks is summarized at various points using a prefix address until the entire network is advertised as a single aggregate route: 200.199.48.0 /20.

Recall that this kind of route summarization, or supernetting, is possible only if the network's routers run a classless routing protocol, such as OSPF or EIGRP. Classless routing protocols carry the prefix length (subnet mask) with the 32-bit address in routing updates. In the figure, the summary route that eventually reaches the provider contains a 20-bit prefix common to all of the addresses in the organization, 200.199.48.0 /20 or 11001000 11000111 0011. For summarization to work properly, the addresses must be carefully assigned in a hierarchical fashion so that summarized addresses will share the same high-order bits.


1.4.2 Route flapping

Figure 1: Route Summarization

Route flapping occurs when a router's interface alternates rapidly between the "up" and "down" states. This can be caused by a number of factors, including a faulty interface or poorly terminated media. Summarization can effectively insulate upstream routers from route flapping problems.

Consider RTC in the figure. If RTC's interface connected to the 200.199.56.0 network goes down, RTC will remove that route from its table. If the routers were not configured to summarize, RTC would then send a triggered update to RTZ about the removal of the specific network, 200.199.56.0. In turn, RTZ would update the next router upstream, and so on. Every time these routers are updated with new information, their processors must go to work. It is possible (especially in the case of OSPF routing) that the processors can work hard enough to noticeably impact performance. Now, consider the impact on performance if RTC's interface to network 200.199.56.0 comes back up after only a few seconds. The routers update each other and recalculate. In addition, what happens when RTC's link goes back down seconds later? And then back up? This is route flapping, and it can cripple a router with excessive updates and recalculations.

However, the summarization configuration prevents RTC's route flapping from affecting any other routers. RTC updates RTZ about a supernet (200.199.56.0 /21) that includes eight networks (200.199.56.0 through 200.199.63.0). The loss of one network does not invalidate the route to the supernet. While RTC may be kept busy dealing with its own route flap, RTZ (and all upstream routers) do not notice a thing. Summarization effectively insulates the other routers from the problem of route flapping.
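The summarization of Sections 1.4.1 and 1.4.2, as an added example that is not from the Cisco document: the code computes the longest common prefix over a set of networks (the supernet RTC advertises) and then counts how many triggered updates RTZ would have to process while RTC's 200.199.56.0 link flaps, with and without summarization. Router names and the flap count are taken from or constructed around the text; only the standard library is used.

```python
"""Route summarization and its insulation against route flapping (Section 1.4).

Added example, not from the Cisco document. Networks are given as CIDR strings.
"""
import ipaddress

# The eight contiguous Class C networks behind RTC (200.199.56.0 through 200.199.63.0).
RTC_NETWORKS = [f"200.199.{third}.0/24" for third in range(56, 64)]


def summary_route(networks):
    """Longest common prefix that covers every network in `networks` (the supernet).

    The shared high-order bits are found by shortening the prefix until the
    lowest and highest covered addresses agree on it.
    """
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    lo = int(nets[0].network_address)
    hi = int(nets[-1].broadcast_address)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(lo)}/{prefix}", strict=False))


def advertised(reachable, summarize):
    """The routes RTC advertises to RTZ given the networks it can currently reach."""
    if not reachable:
        return set()
    if summarize:
        # The summary is kept as long as at least one member network is up.
        return {summary_route(RTC_NETWORKS)}
    return set(reachable)


def updates_during_flap(flapping_net, flaps, summarize):
    """Triggered updates RTZ receives while `flapping_net` goes down and up `flaps` times.

    An update is sent only when the set of advertised routes actually changes,
    so summarization hides the flap completely from upstream routers.
    """
    reachable = set(RTC_NETWORKS)
    last = advertised(reachable, summarize)
    sent = 0
    for _ in range(flaps):
        for event in ("down", "up"):
            if event == "down":
                reachable.discard(flapping_net)
            else:
                reachable.add(flapping_net)
            now = advertised(reachable, summarize)
            if now != last:
                sent += 1
                last = now
    return sent


if __name__ == "__main__":
    flap = "200.199.56.0/24"
    print("RTC summary to RTZ:", summary_route(RTC_NETWORKS))
    print("updates at RTZ, no summarization:", updates_during_flap(flap, 5, False))
    print("updates at RTZ, summarized:      ", updates_during_flap(flap, 5, True))
```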


1.5 Private addressing and NAT

1.5.1 Private IP addresses (RFC 1918)

Figure 1: Private IP Network Addresses

Figure 2: Using Private Addresses in the WAN

Because TCP/IP is the world's dominant routed protocol, most network applications and operating systems offer extensive support for it. Thus, many designers build their networks around TCP/IP, even if they do not require Internet connectivity. Internet hosts require globally unique IP addresses. However, private hosts that are not connected to the Internet can use any valid address, as long as it is unique within the private network. Because many private networks exist alongside public nets, grabbing "just any address" is strongly discouraged. RFC 1918 sets aside three blocks of IP addresses (i.e., a Class A, a Class B, and a Class C range) for private, internal use. Addresses in these ranges will not be routed on the Internet backbone (see Figure [1]). Internet routers immediately discard private addresses. If you are addressing a nonpublic intranet, a test lab, or a home network, these private addresses can be used instead of globally unique addresses. Global addresses must be obtained from a provider or a registry at some expense.

RFC 1918 addresses are used in production networks as well. Earlier in this chapter, the advantages of using VLSM to address the point-to-point WAN links in an internetwork were discussed. With VLSM, a subnet left in a Class C network's address space could be further subnetted. Although this solution was better than wasting an entire 30-host subnet on each two-host WAN link, it still costs one subnet that could have been used for future growth. A less wasteful solution is to address the WAN links using private network numbers. In Figure [2], the WAN links are addressed using subnets from the private address space, 10.0.0.0 /8.

How can these routers use private addresses if LAN users at sites A, B, C, and D expect to access the Internet? End users at these sites should have no problem because they use globally unique addresses from the 207.21.24.0 network. The routers use their serial interfaces with private addresses merely to forward traffic and exchange routing information. Upstream providers and Internet routers see only the source and destination IP addresses in the packet; they do not care if the packet traveled through links with private addresses at some point. In fact, many providers use RFC 1918 network numbers in the core of their network to avoid depleting their supply of globally unique addresses.

One trade-off of using private numbers on WAN links is that these serial interfaces cannot be the original source of traffic bound for the Internet or the final destination of traffic from the Internet. Routers do not normally spend time surfing the web, so this limitation typically becomes an issue only when troubleshooting with ICMP, using SNMP, or connecting remotely with Telnet over the Internet. In those cases, the router can be addressed only by its globally unique LAN interfaces.

The following sections discuss implementation of a private addressing scheme, including the pitfalls of discontiguous subnets and the advantages of Network Address Translation (NAT).


1.5.2 Discontiguous subnets

Figure: Discontiguous Subnets

Mixing private addresses with globally unique addresses can create discontiguous subnets, which are subnets from the same major network that are separated by a completely different major network or subnet. In the figure, Site A and Site B both have LANs that are addressed using subnets from the same major net (207.21.24.0). They are discontiguous because the 10.0.0.4/30 network separates them.

Classful routing protocols, notably RIPv1 and IGRP, cannot support discontiguous subnets because the subnet mask is not included in routing updates. If Site A and Site B are running RIPv1, Site A will receive updates about network 207.21.24.0/24 and not about 207.21.24.32/27 because the subnet mask is not included in the update. Because Site A has an interface directly connected to that network (in this case, E0), Site A will reject Site B's route.

Even some classless routing protocols require additional configuration to solve the problem of discontiguous subnets. RIPv2 and EIGRP automatically summarize on classful boundaries unless explicitly told not to. Usually, this type of summarization is desirable, but in the case of discontiguous subnets, the following command must be entered for both RIPv2 and EIGRP to disable automatic summarization:

Router(config-router)#no auto-summary

Finally, when using private addresses on a network that is connected to the Internet, packets and routing updates should be filtered to avoid "leaking" any RFC 1918 addresses between autonomous systems. For example, if both the user and the provider use addresses from the 192.168.0.0 /16 block, the routers could get confused if confronted with updates from both systems.
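The two classful rules of Section 1.3.2 and the discontiguous-subnet failure just described, as one added example that is not from the Cisco document: a sender summarizes a subnet to its classful network when the update crosses a major-network boundary, the receiver infers the prefix from the interface mask or the address class, and Site A then rejects a route for a major network it is itself connected to. The host parts of the interface addresses (10.0.0.5, 10.0.0.6, 207.21.24.1) are constructed.

```python
"""Classful prefix inference (Section 1.3.2) and the discontiguous-subnet
failure it causes (Section 1.5.2).

Added example, not from the Cisco document. Addresses may be passed as
strings or as ipaddress objects.
"""
import ipaddress


def classful_prefix(address):
    """Default prefix length by address class: A=8, B=16, C=24."""
    first_octet = int(ipaddress.ip_address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is not a Class A, B or C address")


def major_network(address):
    """The classful (major) network that `address` belongs to."""
    return ipaddress.ip_network(f"{address}/{classful_prefix(address)}", strict=False)


def classful_advertisement(route, sending_iface):
    """Sender side: a subnet is advertised as-is only inside its own major
    network; across a major-network boundary it is summarized to the
    classful network (this is what loses 207.21.24.32/27 on the page)."""
    if major_network(route.network_address) == major_network(sending_iface.ip):
        return route.network_address
    return major_network(route.network_address).network_address


def infer_prefix(advertised_addr, receiving_iface):
    """Receiver side: rule 1 (same major network -> receiving interface's mask),
    rule 2 (different major network -> default mask by class)."""
    if major_network(advertised_addr) == major_network(receiving_iface.ip):
        prefixlen = receiving_iface.network.prefixlen
    else:
        prefixlen = classful_prefix(advertised_addr)
    return ipaddress.ip_network(f"{advertised_addr}/{prefixlen}", strict=False)


def accept_update(inferred, connected_ifaces):
    """A classful router ignores a learned route for a major network it is
    itself directly connected to: it believes it already knows that network."""
    return not any(major_network(i.ip) == major_network(inferred.network_address)
                   for i in connected_ifaces)


def same_major_network_case():
    """Rule 1: 172.16.2.0 learned on a 172.16.1.1/24 interface is assumed to be /24."""
    iface = ipaddress.ip_interface("172.16.1.1/24")
    return str(infer_prefix(ipaddress.ip_address("172.16.2.0"), iface))


def site_b_to_site_a():
    """Section 1.5.2: Site B's LAN advertised to Site A over the 10.0.0.4/30 link.
    Returns (what Site B sends, what Site A infers, whether Site A accepts it)."""
    site_b_lan = ipaddress.ip_network("207.21.24.32/27")
    site_b_s0 = ipaddress.ip_interface("10.0.0.6/30")     # constructed host bit
    site_a_s0 = ipaddress.ip_interface("10.0.0.5/30")     # constructed host bit
    site_a_e0 = ipaddress.ip_interface("207.21.24.1/27")  # Site A's E0, constructed host bit
    sent = classful_advertisement(site_b_lan, site_b_s0)  # 207.21.24.0, mask lost
    learned = infer_prefix(sent, site_a_s0)               # 207.21.24.0/24 by rule 2
    return str(sent), str(learned), accept_update(learned, [site_a_e0, site_a_s0])


if __name__ == "__main__":
    print("rule 1:", same_major_network_case())
    print("Site B -> Site A:", site_b_to_site_a())
```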


1.5.3 Network Address Translation (NAT)

Figure 1: NAT Router

NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow hosts that are privately addressed (using RFC 1918 addresses) to access the Internet. A NAT-enabled device, such as a UNIX computer or a Cisco router, operates at the border of a stub domain (i.e., an internetwork that has a single connection to the outside world). When a host inside the stub domain wants to transmit to a host on the outside, it forwards the packet to the NAT-enabled device. The NAT process then looks inside the IP header and, if appropriate, replaces the inside IP address with a globally unique IP address. When an outside host sends a response, the NAT process receives it, checks the current table of network address translations, and replaces the destination address with the original inside source address.

NAT translations can occur dynamically or statically and can be used for a variety of purposes. The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called a "many-to-one" NAT. With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address. The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers.
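The PAT table just described, as an added example that is not from the Cisco document: two inside hosts that happen to use the same source port reach one web server through a single global address, replies are translated back by table lookup, and a packet for which no conversation exists is not translated at all. All addresses are constructed (RFC 1918 inside, documentation ranges outside).

```python
"""Port address translation (PAT), the many-to-one NAT of Section 1.5.3.

Added example, not from the Cisco document. Packets are plain dicts with
proto/src/sport/dst/dport keys.
"""


class PatRouter:
    def __init__(self, inside_global, first_dynamic_port=1024):
        self.inside_global = inside_global      # the one global address everyone shares
        self.next_port = first_dynamic_port
        self.outbound_map = {}   # (proto, inside_local, local_port) -> global_port
        self.inbound_map = {}    # (proto, global_port) -> (inside_local, local_port)

    def _allocate_port(self, proto, preferred):
        """Keep the host's own source port when it is free; otherwise take the
        next unused dynamic port so two conversations never share one."""
        if (proto, preferred) not in self.inbound_map:
            return preferred
        while (proto, self.next_port) in self.inbound_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Translate a packet leaving the stub domain, creating a table entry on first use."""
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        gport = self.outbound_map.get(key)
        if gport is None:
            gport = self._allocate_port(pkt["proto"], pkt["sport"])
            self.outbound_map[key] = gport
            self.inbound_map[(pkt["proto"], gport)] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.inside_global, "sport": gport}

    def inbound(self, pkt):
        """Translate a reply to the global address back to the inside host.

        Returns None when no conversation matches: unsolicited traffic has no
        translation and is not forwarded inside.
        """
        entry = self.inbound_map.get((pkt["proto"], pkt["dport"]))
        if entry is None:
            return None
        inside_local, local_port = entry
        return {**pkt, "dst": inside_local, "dport": local_port}


def demo():
    """Two inside hosts, same source port, one web server, one global address."""
    nat = PatRouter("203.0.113.1")        # constructed inside global address
    web = "198.51.100.10"                  # constructed outside server
    out1 = nat.outbound({"proto": "tcp", "src": "10.1.1.10", "sport": 3000, "dst": web, "dport": 80})
    out2 = nat.outbound({"proto": "tcp", "src": "10.1.1.11", "sport": 3000, "dst": web, "dport": 80})
    reply = nat.inbound({"proto": "tcp", "src": web, "sport": 80,
                         "dst": nat.inside_global, "dport": out2["sport"]})
    stray = nat.inbound({"proto": "tcp", "src": web, "sport": 80,
                         "dst": nat.inside_global, "dport": 8080})
    return nat, out1, out2, reply, stray


if __name__ == "__main__":
    nat, out1, out2, reply, stray = demo()
    print("host 1 appears as", out1["src"], out1["sport"])
    print("host 2 appears as", out2["src"], out2["sport"])
    print("reply to host 2 goes to", reply["dst"], reply["dport"])
    print("unsolicited packet translated:", stray is not None)
```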


1.6 IP Unnumbered

1.6.1 Using IP unnumbered

Figure 1: NAT Router

Figure 2: IP Unnumbered

Throughout this chapter, ways to maximize an organization's use of IP addresses have been illustrated. In previous sections, methods that avoid wasting an entire subnet on point-to-point serial links by using VLSM or private addresses have been discussed. Neither technique can be supported by classful routing protocols, such as the popular RIPv1 and IGRP. Fortunately, the Cisco IOS offers a third option for efficiently addressing serial links: IP unnumbered.

When a serial interface is configured for IP unnumbered, it borrows the IP address of another interface (usually a LAN interface or loopback interface) and therefore does not need its own address. [1] Not only does IP unnumbered avoid wasting addresses on point-to-point WAN links, but it also can be used with classful routing protocols, where VLSM and discontiguous subnets cannot. If the network runs RIPv1 or IGRP, IP unnumbered may be the only solution to maximize addresses.

RTA's S1 (168.71.5.1) and RTB's S1 (168.71.8.1) can communicate using TCP/IP over this serial link, even though they do not belong to the same IP network. [2] This is possible because it is a point-to-point link, so there is no confusion about which device a packet is originating from or destined to.

There are two ground rules for configuring IP unnumbered on an interface:

• The interface is both serial and connected via a point-to-point link.

• The same major network with the same mask is used to address the LAN interfaces that "lend" their IP address on both sides of the WAN link, OR different major networks with no subnetting are used to address the LAN interfaces on both sides of the WAN link.

Using IP unnumbered is not without its drawbacks, which include the following:

• Ping cannot be used to determine whether the interface is up because the interface has no IP address.

• Booting cannot be done from a network IOS image over an unnumbered serial interface.

• IP security options are not supported on an unnumbered interface.


1.7 DHCP and Easy IP

1.7.1 DHCP overview

Figure 1: Simple DHCP Operation

Figure 2: Simple DHCP Operation


Figure 3: Simple DHCP Operation

After designing a scalable IP addressing scheme for an enterprise, the daunting task of implementation must still be addressed. Routers, servers, and other key nodes usually require special attention from administrators, but desktop clients are often automatically assigned IP configurations using Dynamic Host Configuration Protocol (DHCP). Because desktop clients typically make up the bulk of network nodes, DHCP is good news for systems administrators. Small offices and home offices can also take advantage of DHCP by using Easy IP, a Cisco IOS feature set that combines DHCP with NAT functions.

DHCP works by configuring servers to give out IP configuration information to clients. Clients lease the information from the server for an administratively defined period. When the lease is up, the host must ask for another address, although the host is typically reassigned the same one. [1] - [3] Administrators typically prefer to use a Microsoft NT server or a UNIX computer to offer DHCP services because these solutions are highly scalable and relatively easy to manage. Even so, the Cisco router IOS offers an optional, fully featured DHCP server, which leases configurations for 24 hours by default. Administrators set up DHCP servers to assign addresses from predefined pools of addresses. DHCP servers can also offer other information, such as DNS server addresses, WINS server addresses, and domain names. Most DHCP servers also allow an administrator to record client MAC addresses so that the same address is automatically assigned to a particular host each time.

Note: BootP was originally defined in RFC 951 in 1985. It is the predecessor of DHCP, and it shares some operational characteristics. Both protocols use UDP ports 67 and 68, which are well known as "BootP" ports because BootP was implemented before DHCP.


1.7.2 DHCP operation

Figure 1: DHCP Operation

The DHCP client configuration process is shown in Figure 1. This process follows these steps:

1. The client sends a DHCPDISCOVER broadcast to all nodes. When a client set up for DHCP needs an IP configuration (typically at boot time), it tries to locate a DHCP server by sending a broadcast called a DHCPDISCOVER.

2. The server sends a DHCPOFFER unicast to the client. When the server receives the broadcast, it determines whether it can service the request from its own database. If it cannot, the server may forward the request on to another DHCP server or servers, depending on its configuration. If it can service the request, the DHCP server offers the client IP configuration information in the form of a unicast DHCPOFFER. The DHCPOFFER is a proposed configuration that may include IP address, DNS server address, and lease time.

3. The client sends a DHCPREQUEST broadcast to all nodes. If the client finds the offer agreeable, it will send another broadcast, a DHCPREQUEST, specifically requesting those particular IP parameters. Why does the client broadcast the request instead of unicasting it to the server? A broadcast is used because the very first message, the DHCPDISCOVER, may have reached more than one DHCP server (after all, it was a broadcast). If more than one server makes an offer, the broadcast DHCPREQUEST lets everyone know which offer was accepted (it is usually the first offer received).

4. The server sends a DHCPACK unicast to the client. The server that receives the DHCPREQUEST makes the configuration official by sending a unicast acknowledgment, the DHCPACK. Note that it is possible but highly unlikely that the server will not send the DHCPACK because it may have leased that information to another client in the interim. Receipt of the DHCPACK message enables the client to begin using the assigned address immediately.

Depending on an organization's policies, it may be possible for an end user or an administrator to statically assign to a host an IP address that belongs in the DHCP server's address pool. Just in case, the Cisco IOS DHCP server always checks to make sure that an address is not in use before the server offers it to a client. The server issues ICMP echo requests (pings) to a pool address before sending the DHCPOFFER to a client. Although configurable, the default number of pings used to check for a potential IP address conflict is two (the more pings, the longer the configuration process takes).
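The four-message exchange above, as an added simulation that is not from the Cisco document: two constructed servers answer one client's DHCPDISCOVER, the broadcast DHCPREQUEST tells the losing server to return its offer to the pool, and each server "pings" a pool address (a stub here) before offering it, as the IOS server does. The pool and exclusions mirror the 172.16.1.0 example of Section 1.7.3; the server identifiers, the client MAC address and the statically assigned 172.16.1.11 are constructed.

```python
"""The DISCOVER / OFFER / REQUEST / ACK exchange of Section 1.7.2 with two servers.

Added example, not from the Cisco document. Messages are plain dicts; the
ping-before-offer check is a stub driven by a set of addresses "in use".
"""
import ipaddress


class DhcpServer:
    def __init__(self, server_id, pool, excluded=(), in_use=(), lease=86400):
        self.server_id = server_id
        self.pool = [str(a) for a in ipaddress.ip_network(pool).hosts()
                     if str(a) not in excluded]     # excluded-address range removed
        self.in_use = set(in_use)   # stub: hosts that would answer an ICMP echo
        self.offers = {}            # client MAC -> address reserved by an OFFER
        self.leases = {}            # client MAC -> address confirmed by an ACK
        self.lease = lease          # 24 hours, the IOS default
        self.pings_sent = 0

    def _conflict(self, addr, pings=2):
        """Stub for the server's ICMP echo check before a DHCPOFFER (default two pings)."""
        self.pings_sent += pings
        return addr in self.in_use

    def handle_discover(self, mac):
        """Step 2: reserve the first free, non-conflicting address and offer it (unicast)."""
        taken = set(self.offers.values()) | set(self.leases.values())
        for addr in self.pool:
            if addr not in taken and not self._conflict(addr):
                self.offers[mac] = addr
                return {"type": "DHCPOFFER", "server": self.server_id,
                        "yiaddr": addr, "lease": self.lease}
        return None

    def handle_request(self, mac, request):
        """Step 4: the broadcast REQUEST names the chosen server; the others free their offer."""
        if request["server"] != self.server_id:
            self.offers.pop(mac, None)      # client chose someone else: back to the pool
            return None
        addr = self.offers.pop(mac, None)
        if addr is None or addr != request["yiaddr"]:
            return {"type": "DHCPNAK", "server": self.server_id}  # offer no longer valid
        self.leases[mac] = addr
        return {"type": "DHCPACK", "server": self.server_id,
                "yiaddr": addr, "lease": self.lease}


def client_obtains_lease(mac, servers):
    """Run the client side: broadcast DISCOVER, pick an offer, broadcast REQUEST, await ACK."""
    offers = [o for o in (s.handle_discover(mac) for s in servers) if o]  # step 1, broadcast
    if not offers:
        return None
    chosen = offers[0]                       # usually the first offer received
    request = {"type": "DHCPREQUEST", "server": chosen["server"], "yiaddr": chosen["yiaddr"]}
    replies = [s.handle_request(mac, request) for s in servers]   # step 3, broadcast
    acks = [r for r in replies if r and r["type"] == "DHCPACK"]
    return acks[0] if acks else None


def demo():
    """Constructed scenario: two servers hear the broadcast; .1-.10 are excluded and
    .11 was statically assigned to some host, so it answers the conflict ping."""
    s1 = DhcpServer("10.0.0.2", "172.16.1.0/24",
                    excluded={f"172.16.1.{i}" for i in range(1, 11)},
                    in_use={"172.16.1.11"})
    s2 = DhcpServer("10.0.0.3", "172.16.2.0/24")
    ack = client_obtains_lease("00:11:22:33:44:55", [s1, s2])
    return ack, s1, s2


if __name__ == "__main__":
    ack, s1, s2 = demo()
    print("client configured with", ack["yiaddr"], "from", ack["server"])
    print("pings spent by server 1:", s1.pings_sent, "| offers left at server 2:", s2.offers)
```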

1.7.3 Configuring IOS DHCP server

Figure 1: Configuring a DHCP Address Pool

Figure 2: Assigning Key DHCP Information


Figure 3: Key DHCP Server Commands

Figure 4: Key Commands for Monitoring DHCP Operation

Although it is enabled by default on versions of the Cisco IOS that support it, the DHCP server process can be re-enabled by using the service dhcp global configuration command. The no service dhcp command disables the server. Like NAT, the DHCP server requires that the administrator define a pool of addresses. In Figure [1], the ip dhcp pool command defines which addresses will be assigned to hosts. The first command, ip dhcp pool room12, creates a pool named "room12" and puts the router in a specialized DHCP configuration mode. In this mode, the network statement is used to define the range of addresses to be leased. If it is desirable to exclude specific addresses on this network, then it is necessary to return to global configuration mode, as shown in Figure [1]. This ip dhcp excluded-address command configures the router to exclude 172.16.1.1 through 172.16.1.10 when assigning addresses to clients. The ip dhcp excluded-address command is used to reserve addresses that are statically assigned to key hosts.

Typically, a DHCP server is used to configure much more than IP addresses. Other IP configuration values can be set from the DHCP config mode, as shown in Figure [2]. IP clients will not get very far without a default gateway, which can be set by using the default-router command. The address of the DNS server (dns-server) and WINS server (netbios-name-server) can be configured here as well. The IOS DHCP server can configure clients with virtually any TCP/IP information. Figure [3] lists the key IOS DHCP server commands, which are entered in DHCP pool configuration mode (identified by the dhcp-config# prompt). The EXEC mode commands shown in Figure [4] are used to monitor DHCP server operation.

1.7.4 Easy IP

Figure: Cisco IOS Easy IP

Easy IP is a combination of Cisco IOS features that allows a router to negotiate its own IP address and to do NAT through that negotiated address. Typically deployed on a small office/home office (SOHO) router, Easy IP is useful in cases where a small LAN connects to the Internet via a provider that dynamically assigns only one IP address for the entire remote site.

A SOHO router with the Easy IP feature set uses DHCP to automatically address local LAN clients with RFC 1918 addresses. When the router dynamically receives its WAN interface address via the Point-to-Point Protocol, it uses NAT overload to translate between local inside addresses and the single global address. Therefore, both the LAN side and the WAN side are dynamically configured with little or no administrative intervention. In effect, Easy IP offers "plug-and-play" routing.


1.8 Helper Addresses

1.8.1 Using helper addresses

Figure 1: Purpose of Helper Addresses

DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices may use broadcasts to locate TFTP servers. Some clients may need to broadcast to locate a TACACS (security) server. Typically, in a complex hierarchical network, clients do not reside on the same subnet as key servers. Such remote clients will broadcast to locate these servers, but routers, by default, will not forward client broadcasts beyond their subnet. Because some clients cannot function without services such as DHCP, the situation must be resolved in one of two ways: place servers on all subnets, or use the Cisco IOS helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative problems, so the first option is not very appealing. When possible, administrators use the ip helper-address command to relay broadcast requests for these key UDP services. By using the helper address feature, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address. Alternately, the router can forward these requests as directed broadcasts to a specific network or subnetwork.


1.8.2 Configuring IP helper addresses

Figure 1: Default Forwarded UDP Services

Figure 2: Configuring Custom UDP Forwarding

To configure the helper address, identify the router interface that will be receiving the broadcasts for UDP services. In interface configuration mode, use the ip helper-address command to define the address to which UDP broadcasts for services should be forwarded. By default, the ip helper-address command forwards the eight UDP services shown in Figure [1]. What if Company XYZ needs to forward requests for a service not on this list? The Cisco IOS provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port in addition to the default eight. In order to forward UDP on port 517, the global configuration command, ip forward-protocol udp 517, would be used. This command is used not only to add a UDP port to the "default eight" (see Figure [1]), but also to subtract an unwanted service from the default group. For instance, if it is desired to forward DHCP, TFTP, and DNS, and not Time, TACACS, and NetBIOS, the Cisco IOS requires that the router be configured according to Figure [2].


1.8.3 IP helper address example

Figure 1: IP Helper Address Example

Figure 2: Verifying IP Helper Address Configuration

Figure 3: Verifying Directed Broadcast Forwarding

Consider this complex sample helper address configuration (see Figure [1]). Assume Host A is to automatically obtain its IP configuration from the DHCP server at 172.24.1.9. Because RTA will not forward Host A's DHCPDISCOVER broadcast, RTA must be configured to help Host A.


To configure RTA's fa0/0 (the interface that receives Host A's broadcasts) to relay DHCP broadcasts as a unicast to the DHCP server, use the following commands:

RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.9

With this simple configuration, Host A broadcasts using any of the eight default UDP ports will be relayed to the DHCP server's IP address. However, what if Host A also needs to use the services of the NetBIOS server at 172.24.1.5? As configured, RTA will forward NetBIOS broadcasts from Host A to the DHCP server. Moreover, if Host A sends a broadcast TFTP packet, RTA also will forward this to the DHCP server at 172.24.1.9. What is needed in this example is a helper address configuration that relays broadcasts to all servers on the segment. The following commands configure a directed broadcast to the IP subnet that is being used as a server farm:

RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.255

Configuring a directed broadcast to the server segment (172.24.1.255) is more efficient than entering the IP address of every server that could potentially respond to Host A's UDP broadcasts. Finally, some devices on Host A's segment need to broadcast to the TACACS server, which does not reside in the server farm. RTA's fa0/0 can be configured to relay those broadcasts by adding the command ip helper-address 172.16.1.2. The correct helper configuration can be verified with the show ip interface command, as shown in Figure [2].

Notice in Figure [3] that RTA's interface fa0/3 (which connects to the server farm) is not configured with helper addresses. However, the output in Figure [3] also shows that, for this interface, directed broadcast forwarding is disabled. This means that the router will not convert the logical broadcast 172.24.1.255 into a physical broadcast (with a Layer 2 address of FF-FF-FF-FF-FF-FF). To allow all the nodes in the server farm to receive the broadcasts at Layer 2, configure fa0/3 to forward directed broadcasts with the following commands:

RTA(config)#interface fa0/3
RTA(config-if)#ip directed-broadcast

Interactive Lab Activity: In this lab activity, SanJose2 will be configured to act as a DHCP server. Then SanJose1 will be configured to forward UDP broadcasts for DHCP requests. Finally, the configuration will be tested using a DHCP client.
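The relay decisions of Sections 1.8.2 and 1.8.3, as an added model that is not from the Cisco document: for a client broadcast arriving on RTA's fa0/0 it checks whether the UDP port is a forwarded service (the default eight, adjusted by ip forward-protocol), sends one copy per helper address, and marks whether a copy aimed at 172.24.1.255 actually leaves fa0/3 as a Layer 2 broadcast. Host A's segment (192.168.10.0/24) and the TACACS server's segment (172.16.1.0/24 on fa0/1) are constructed, since the page does not give them.

```python
"""ip helper-address, ip forward-protocol and ip directed-broadcast (Section 1.8).

Added example, not from the Cisco document. Models one router's forwarding
decision for a UDP broadcast received on a client segment.
"""
import ipaddress

# The eight UDP services that ip helper-address forwards by default (Cisco IOS).
DEFAULT_FORWARDED_UDP = {37: "Time", 49: "TACACS", 53: "DNS",
                         67: "BOOTP/DHCP server", 68: "BOOTP/DHCP client",
                         69: "TFTP", 137: "NetBIOS name service",
                         138: "NetBIOS datagram service"}


class HelperRouter:
    def __init__(self):
        self.forwarded = set(DEFAULT_FORWARDED_UDP)
        self.interfaces = {}

    def interface(self, name, address):
        """Bring up an interface; directed-broadcast forwarding is off, the IOS default."""
        self.interfaces[name] = {"net": ipaddress.ip_interface(address).network,
                                 "helpers": [], "directed_broadcast": False}

    def ip_helper_address(self, iface, addr):
        self.interfaces[iface]["helpers"].append(ipaddress.ip_address(addr))

    def ip_directed_broadcast(self, iface, enabled=True):
        self.interfaces[iface]["directed_broadcast"] = enabled

    def ip_forward_protocol_udp(self, port, enabled=True):
        """ip forward-protocol udp <port> adds a service; the `no` form removes one."""
        if enabled:
            self.forwarded.add(port)
        else:
            self.forwarded.discard(port)

    def _egress_for(self, target):
        for name, cfg in self.interfaces.items():
            if target in cfg["net"]:
                return name, cfg
        return None, None

    def relay(self, ingress, udp_dport):
        """Decide what happens to a 255.255.255.255 broadcast received on `ingress`.

        Returns one (egress interface, destination, reaches_segment) tuple per
        helper address; an empty list means the broadcast is not relayed at all.
        A copy sent to a subnet broadcast address reaches the hosts only if the
        egress interface has ip directed-broadcast enabled.
        """
        if udp_dport not in self.forwarded:
            return []
        copies = []
        for helper in self.interfaces[ingress]["helpers"]:
            egress, cfg = self._egress_for(helper)
            if cfg is None:
                copies.append((None, str(helper), False))  # not connected here; routed on, not modelled
                continue
            directed = helper == cfg["net"].broadcast_address
            reaches = (not directed) or cfg["directed_broadcast"]
            copies.append((egress, str(helper), reaches))
        return copies


def build_rta():
    """RTA as configured in Section 1.8.3 (before ip directed-broadcast on fa0/3)."""
    rta = HelperRouter()
    rta.interface("fa0/0", "192.168.10.1/24")   # constructed: Host A's segment
    rta.interface("fa0/1", "172.16.1.1/24")     # constructed: TACACS server 172.16.1.2 lives here
    rta.interface("fa0/3", "172.24.1.1/24")     # server farm: DHCP 172.24.1.9, NetBIOS 172.24.1.5
    rta.ip_helper_address("fa0/0", "172.24.1.9")
    rta.ip_helper_address("fa0/0", "172.24.1.255")
    rta.ip_helper_address("fa0/0", "172.16.1.2")
    return rta


if __name__ == "__main__":
    rta = build_rta()
    print("DHCP (67) before ip directed-broadcast:", rta.relay("fa0/0", 67))
    rta.ip_directed_broadcast("fa0/3")
    print("DHCP (67) after: ", rta.relay("fa0/0", 67))
    print("UDP 517 without ip forward-protocol:", rta.relay("fa0/0", 517))
```

Enable directed-broadcast forwarding only on the server-farm interface that needs it, as the page does: an interface that forwards directed broadcasts turns every routed packet addressed to its subnet broadcast into a Layer 2 broadcast, which is why IOS leaves it disabled by default.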


1.9 IPv6

1.9.1 IP address issues and solutions

Figure: How Big Is the Internet?

In this chapter, it has been shown that IPv4 addressing faces two major problems: the depletion of addresses, particularly the key medium-sized space (Class B), and dangerous overgrowth of Internet routing tables. In the early 1990s, CIDR ingeniously built on the concept of the address mask and stepped forward to temporarily alleviate these serious problems. The hierarchical nature of CIDR dramatically improved IPv4's scalability. Once again, a hierarchical design proves to be a scalable one.

Yet even with subnetting (1985), variable-length subnetting (1987), and CIDR (1993), a hierarchical structure could not save IPv4 from one simple problem: there just are not enough addresses to meet future need. At roughly 4 billion possibilities, the IPv4 address space is formidable, but it will not suffice in a future world of mobile Internet-enabled devices and IP-addressable household appliances (RFC 2235 references the world's first "Internet toaster"). Recent short-term IPv4 solutions to the address dilemma are private addressing (RFC 1918), which sets aside addresses for unlimited internal use, and NAT, which allows thousands of hosts to access the Internet with only a handful of valid addresses.

However, the ultimate solution to the address shortage is the introduction of IPv6 and its 128-bit address. Developed to create a supply of addresses that would outlive demand, IPv6 is designed to eventually replace IPv4. The fantastically large address space of IPv6 will provide not only far more addresses than IPv4, but additional levels of hierarchy as well. For the record, 128 bits allows for 340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities. In 1994, the IETF proposed IPv6 in RFC 1752, and a number of working groups were formed in response. IPv6 tackles issues such as address depletion, quality of service, address autoconfiguration, authentication, and security.

It will not be easy for organizations deeply invested in the IPv4 scheme to migrate to a totally new architecture. As long as IPv4 (with its recent extensions and CIDR-enabled hierarchy) remains viable, administrators will be slow to adopt IPv6. A new IP protocol requires new software, new hardware, and new methods of administration. It is likely that IPv4 and IPv6 will coexist, even within an autonomous system, for years to come.

1.9.2 IPv6 address format

Figure 1: Expressing IPv6

Figure 2: IPv6 Address Format


As defined first by RFC 1884 and later revised by RFC 2373, IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces, not nodes. Three general types of addresses exist:

- Unicast -- An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.

- Anycast -- An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the "nearest," or first, interface in the anycast group.

- Multicast -- An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces in the multicast group.

To write 128-bit addresses so that they are readable to human eyes, IPv6's architects abandoned dotted-decimal notation in favor of a hexadecimal format. Therefore, an IPv6 address can be written as 32 hex digits, with colons separating the values of the eight 16-bit pieces of the address, as shown in Figure [1]. Under current plans, IPv6 nodes that connect to the Internet will use what is called an aggregatable global unicast address, which is the counterpart to IPv4 global addresses. Like CIDR-enhanced IPv4, aggregatable global unicast addresses rely on hierarchy to keep Internet routing tables manageable. IPv6 global unicast addresses feature three levels of hierarchy:

- Public topology -- The collection of providers that provide Internet connectivity

- Site topology -- The level local to an organization that does not provide connectivity to nodes outside itself

- Interface identifier -- The level specific to a node's individual interface

This three-level hierarchy is reflected by the structure of the aggregatable global unicast address, which includes the following fields (see Figure [2]):

- FP field (3 bits) -- The 3-bit Format Prefix (FP) is used to identify the type of address (unicast, multicast, and so on). The bits 001 identify aggregatable global unicasts.

- TLA ID field (13 bits) -- The Top-Level Aggregation Identifier (TLA ID) field is used to identify the authority responsible for the address at the highest level of the routing hierarchy. Internet routers will necessarily maintain routes to all TLA IDs. With 13 bits set aside, this field can represent up to 8,192 TLAs.

- Res field (8 bits) -- IPv6's architects defined the reserved (Res) field so that the TLA or NLA IDs could be expanded as future growth warrants. Currently, this field must be set to zero.

- NLA ID field (24 bits) -- The Next-Level Aggregation Identifier (NLA ID) field is used to identify ISPs. The field itself can be organized hierarchically to reflect a hierarchy, or multitiered relationship, among providers.

- SLA ID field (16 bits) -- The Site-Level Aggregation Identifier (SLA ID) is used by an individual organization to create its own local addressing hierarchy and to identify subnets.

- Interface ID field (64 bits) -- The Interface ID field is used to identify individual interfaces on a link. This field is analogous to the host portion of an IPv4 address, but it is derived using the IEEE EUI-64 format, which, on LAN interfaces, adds a 16-bit field to the interface's MAC address.

In addition to the global unicast address space, IPv6 offers internal network numbers, or "site local use" addresses, which are analogous to RFC 1918 addresses. If a node is not addressed with a global unicast address or an internal site local use address, it can be addressed using a link local use address, which is specific to a single network segment.
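The field layout above can be exercised directly. The following Python is an added example (not code from the Cisco document): it splits a 128-bit address into the FP, TLA ID, Res, NLA ID, SLA ID and Interface ID fields described in the text, rebuilds an address from those fields, flags the two rules the text states (FP must be 001, Res must be zero), and derives the 64-bit interface ID from a 48-bit MAC the way RFC 2373 Appendix A specifies (0xFFFE inserted in the middle and the universal/local bit inverted, which is the "16-bit field" the text mentions). The MAC address and field values used are constructed sample data. Note that the TLA/NLA/SLA split comes from RFC 2374, which was later obsoleted by RFC 3587; the arithmetic still illustrates how hierarchy is encoded in address bits.

```python
"""Split, build and sanity-check RFC 2374 aggregatable global unicast addresses.
Added example; not part of the Cisco document."""
import ipaddress

# Field layout from Figure 2: (name, width in bits), most significant first.
FIELDS = (
    ("FP", 3),             # Format Prefix: 001 marks aggregatable global unicast
    ("TLA_ID", 13),        # Top-Level Aggregation ID (up to 8,192 TLAs)
    ("RES", 8),            # reserved for future TLA/NLA growth, must be zero
    ("NLA_ID", 24),        # Next-Level Aggregation ID (ISP hierarchy)
    ("SLA_ID", 16),        # Site-Level Aggregation ID (an organization's subnets)
    ("INTERFACE_ID", 64),  # interface identifier, normally EUI-64 derived
)


def split_global_unicast(addr: str) -> dict:
    """Return the six fields of an IPv6 address as integers."""
    value = int(ipaddress.IPv6Address(addr))
    fields, shift = {}, 128
    for name, width in FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def build_global_unicast(fields: dict) -> str:
    """Inverse of split_global_unicast; rejects values that overflow a field."""
    value = 0
    for name, width in FIELDS:
        v = fields[name]
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return str(ipaddress.IPv6Address(value))


def check_global_unicast(addr: str) -> list:
    """Problems a validator would flag against the rules given in the text."""
    f = split_global_unicast(addr)
    problems = []
    if f["FP"] != 0b001:
        problems.append("FP is not 001: not an aggregatable global unicast address")
    if f["RES"] != 0:
        problems.append("reserved field must be zero")
    return problems


def mac_to_interface_id(mac: str) -> int:
    """64-bit interface ID from a 48-bit MAC (modified EUI-64, RFC 2373 App. A):
    0xFFFE is inserted between the OUI and the device part, and the
    universal/local bit (0x02 of the first octet) is inverted."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


if __name__ == "__main__":
    # Constructed sample: TLA 1, NLA 0xab1, subnet 1, interface ID from a sample MAC.
    addr = build_global_unicast({
        "FP": 0b001, "TLA_ID": 1, "RES": 0, "NLA_ID": 0xAB1, "SLA_ID": 1,
        "INTERFACE_ID": mac_to_interface_id("00:12:34:56:78:9a"),
    })
    print(addr, split_global_unicast(addr), check_global_unicast(addr))
```

Running the block prints `2001:0:ab1:1:212:34ff:fe56:789a` together with its field breakdown and an empty problem list; feeding it a link-local address such as `fe80::1` reports the FP mismatch instead.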


1.10 Advanced IP Addressing Management Lab Exercises

1.10.1 Configuring VLSM and IP Unnumbered

Lab Activity: In this lab, you configure VLSM and test its functionality with two different routing protocols, RIPv1 and RIPv2. Finally, you use IP unnumbered in place of VLSM to further conserve addresses.

1.10.2 VLSM

Lab Activity: In this lab, you create an addressing scheme using variable-length subnet masking (VLSM).

1.10.3 Using DHCP and IP Helper Addresses

Lab Activity: In this lab, you configure a Cisco router to act as a DHCP server for clients on two separate subnets. You also use the IP helper address feature to forward DHCP requests from a remote subnet.


Summary

This chapter showed how subnet masks, VLSMs, private addressing, and network address translation enable more efficient use of IP addresses. The chapter illustrated that hierarchical addressing allows for efficient allocation of addresses and a reduced number of routing table entries. VLSMs, specifically, provide the capability to include more than one subnet mask within a network and the capability to subnet an already subnetted network address. Proper IP addressing is required to ensure the most efficient network operations.


Section 2

Open Shortest Path First (OSPF)

Table of Contents

SECTION 2 .... 1
OPEN SHORTEST PATH FIRST (OSPF) .... 1
OVERVIEW .... 3
OBJECTIVES .... 4
2.1 OSPF OVERVIEW .... 5
2.1.1 Issues addressed by OSPF .... 5
2.1.2 OSPF terminology .... 7
2.1.3 OSPF states .... 12
2.1.4 OSPF network types .... 16
2.1.5 The OSPF Hello protocol .... 18
2.2 OSPF OPERATION .... 21
2.2.1 Steps of OSPF Operation .... 21
2.2.2 Step 1: Establish router adjacencies .... 21
2.2.3 Step 2: Elect a DR and a BDR .... 22
2.2.4 Step 3: Discover routes .... 23
2.2.5 Step 4: Select appropriate routes .... 26
2.2.6 Step 5: Maintain routing information .... 27
2.3 CONFIGURING OSPF .... 31
2.3.1 Configuring OSPF on routers within a single area .... 31
2.3.2 Optional configuration commands .... 33
2.3.3 Optional configuration commands (con't.) .... 34
2.4 CONFIGURING OSPF OVER NBMA .... 37
2.4.1 NBMA overview .... 37
2.4.2 Full-Mesh Frame Relay .... 39
2.4.3 Partial-Mesh Frame Relay .... 41
2.4.4 Point-to-Multipoint OSPF .... 43
2.5 VERIFYING OSPF OPERATION .... 45
2.5.1 Show commands .... 45
2.5.2 Clear and debug commands .... 45
2.6 OSPF CONFIGURATION LAB EXERCISES .... 47
2.6.1 Configuring OSPF .... 47
2.6.2 Examining the DR/BDR election process .... 47
2.6.3 Configuring Point-to-Multipoint OSPF over Frame Relay .... 47
SUMMARY .... 48


Overview

Open Shortest Path First (OSPF) is a link-state routing protocol based on open standards. It is described in several RFCs, most recently RFC 2328. The Open in Open Shortest Path First means that OSPF is open to the public and nonproprietary. Among nonproprietary routing protocols, such as RIPv1 and RIPv2, OSPF is preferred because of its remarkable scalability. Recall that both versions of RIP are very limited. RIP cannot scale beyond 15 hops, it converges slowly, and it chooses suboptimal routes that ignore critical factors such as bandwidth. OSPF addresses all of these limitations and proves to be a robust, scalable routing protocol appropriate for today's networks. OSPF's considerable capability to scale is achieved through hierarchical design. An OSPF network can be divided into multiple areas, which allows for extensive control of routing updates. By defining areas in a properly designed network, an administrator can reduce routing overhead and improve performance. Multiarea OSPF is discussed in Semester five of the CCNP program.


Objectives

After completing this chapter, the student will be able to perform tasks related to:

2.1 OSPF Overview
2.2 OSPF Operation
2.3 Configuring OSPF
2.4 Configuring OSPF over NBMA
2.5 Verifying OSPF Operation
2.6 OSPF Configuration Lab Exercises


2.1 OSPF Overview

2.1.1 Issues addressed by OSPF

Figure 1: OSPF vs RIP

Figure 2: OSPF vs RIP

OSPF uses link-state technology [1], as opposed to the distance-vector technology used by protocols such as RIP [2]. Link-state routers maintain a common picture of the network and exchange link information upon initial discovery or network changes. Link-state routers do not broadcast routing tables periodically like distance-vector routing protocols. While RIP is appropriate for small networks, OSPF was written to address the needs of large, scalable internetworks. OSPF addresses the following issues:

- Speed of convergence - In large networks, RIP convergence can take several minutes, since the entire routing table of each router is copied and shared with directly connected neighboring routers. In addition, a distance-vector routing algorithm may experience holddown and/or route-aging periods. With OSPF, convergence is faster because only the routing changes (not the entire routing table) are flooded rapidly to other routers in the OSPF network.

- Support for Variable-Length Subnet Masking (VLSM) - RIPv1 is a classful protocol and does not support VLSM. In contrast, OSPF, a classless protocol, supports VLSM. (Note: RIPv2 supports VLSM.)

- Network size - In a RIP environment, a network that is more than 15 hops away is considered unreachable. Such limitations restrict the size of a RIP network to small topologies. On the other hand, OSPF has virtually no reachability limitations and is appropriate for intermediate-to-large-size networks.

- Use of bandwidth - RIP broadcasts full routing tables to all neighbors every 30 seconds. This is especially problematic over slow WAN links because these updates consume bandwidth. Alternatively, OSPF multicasts minimally sized link-state updates and sends the updates only when there is a network change.

- Path Selection - RIP selects a path by measuring the hop count, or distance, to other routers. It does not take into consideration the available bandwidth on the link or delays in the network. In contrast, OSPF selects optimal routes using cost as a factor. ("Cost" is a metric based on bandwidth.)

- Grouping of members - RIP uses a flat topology and all routers are part of the same network. Thus, communication between routers at each end of the network must travel through the entire network. Unfortunately, changes in even one router will affect every device in the RIP network. OSPF, on the other hand, uses the concept of "areas" and can effectively segment a network into smaller clusters of routers. By narrowing the scope of communication within areas, OSPF limits traffic regionally and can prevent changes in one area from affecting performance in other areas. This use of areas allows a network to scale efficiently.

Although OSPF was written for large networks, implementing it requires proper design and planning, which is especially important if the network has more than 50 routers. At this size, it is important to configure the network to let OSPF reduce traffic and combine routing information whenever possible.


2.1.2 OSPF terminology

Figure 1: OSPF Terminology

Figure 2: OSPF Terminology


Figure 3: OSPF Terminology

Figure 4: OSPF Terminology


Figure 5: OSPF Terminology

Figure 6: OSPF Terminology


Figure 7: OSPF Terminology

Figure 8: OSPF Terminology


Figure 9: OSPF Terminology

As a link-state protocol, OSPF operates differently than the distance-vector routing protocols. Link-state routers identify and communicate with neighbors so that firsthand information can be gathered from other routers in the network. The OSPF terminology is depicted in Figure [1]. A brief description of each term is given.

The information gathered from OSPF neighbors is not a complete routing table. Instead, OSPF routers tell each other about the status of their connections, or "links," [2] to the internetwork. In other words, OSPF routers advertise their link states. [3] The routers process this information and build a link-state database [4], which is essentially a picture of who is connected to what. All routers in a given area [5] should have identical link-state databases.

Independently, each router then runs the Shortest Path First (SPF) algorithm, also known as the Dijkstra algorithm, on the link-state database to determine the best routes to a destination. The SPF algorithm adds up the cost (which is a value usually based on bandwidth) [6] of each link between the router and the destination. The router then chooses the lowest-cost path to add to its routing table, also known as a forwarding database. [7]

OSPF routers keep track of neighbors in the adjacencies database. [8] To simplify the exchange of routing information among several neighbors on the same network, OSPF routers may elect a Designated Router (DR) and a Backup Designated Router (BDR) [9] to serve as focal points for routing updates.
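The step from link-state database to forwarding database is the SPF run the text describes. The following Python is an added example (not code from the Cisco document) that runs Dijkstra over a constructed four-router link-state database, using the Cisco default cost formula of 10^8 divided by interface bandwidth in bits per second (the "value usually based on bandwidth" mentioned above). It also checks the database for links advertised from only one end, since a router's SPF only uses links both ends confirm; a one-way link in the table is the usual symptom of a database that is not yet synchronized or of a misconfigured neighbor. Router names RTA through RTD and all bandwidths are constructed sample data.

```python
"""Link-state database to forwarding database via SPF (Dijkstra).
Added example; not part of the Cisco document."""
import heapq

REFERENCE_BANDWIDTH = 100_000_000  # Cisco default: cost = 10^8 / bandwidth (bps)


def ospf_cost(bandwidth_bps: int) -> int:
    """Interface cost derived from bandwidth; the minimum cost is 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed link-state database for one area: each router's advertisement
# lists its links as neighbor -> bandwidth of the outgoing interface (bps).
LSDB = {
    "RTA": {"RTB": 100_000_000, "RTC": 1_544_000},
    "RTB": {"RTA": 100_000_000, "RTC": 1_544_000, "RTD": 10_000_000},
    "RTC": {"RTA": 1_544_000, "RTB": 1_544_000, "RTD": 100_000_000},
    "RTD": {"RTB": 10_000_000, "RTC": 100_000_000},
}


def one_way_links(lsdb: dict) -> list:
    """Links advertised by only one end. SPF ignores these, so any entry here
    means the database is inconsistent or not yet fully synchronized."""
    return sorted((a, b) for a, links in lsdb.items() for b in links
                  if a not in lsdb.get(b, {}))


def spf(lsdb: dict, root: str) -> dict:
    """Dijkstra over the LSDB from root: {router: (total cost, next hop)}.
    Only links confirmed from both ends are followed."""
    best = {root: (0, None)}
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        best[node] = (cost, first_hop)
        for nbr, bandwidth in lsdb.get(node, {}).items():
            if nbr in done or node not in lsdb.get(nbr, {}):
                continue  # already settled, or a link the far end does not confirm
            total = cost + ospf_cost(bandwidth)
            hop = nbr if node == root else first_hop
            if total < best.get(nbr, (float("inf"), None))[0]:
                best[nbr] = (total, hop)
                heapq.heappush(heap, (total, nbr, hop))
    return best


if __name__ == "__main__":
    print("one-way links:", one_way_links(LSDB))
    for dest, (cost, hop) in sorted(spf(LSDB, "RTA").items()):
        print(f"RTA -> {dest}: cost {cost} via {hop}")
```

From RTA the T1 link to RTC (cost 64) loses to the path RTA-RTB-RTD-RTC (cost 1 + 10 + 1 = 12), which is exactly the bandwidth-aware choice RIP's hop count cannot make. Deleting RTD's advertisement of its link to RTC makes `one_way_links` report `("RTC", "RTD")` and the SPF result falls back to the direct T1 path.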


2.1.3 OSPF states

Figure 1: OSPF Packet Types

Figure 2: OSPF States


Figure 3: OSPF

Figure 4: Route Discovery


Figure 5: Important Databases Kept by OSPF Routers

OSPF routers establish relationships, or states, with neighbors for efficiently sharing link-state information. In contrast, distance-vector routing protocols, such as RIP, blindly broadcast or multicast their complete routing table out every interface, hoping that a router is out there to receive it. Every 30 seconds, by default, RIP routers send only one kind of message - their complete routing table. OSPF routers, on the other hand, rely on five different kinds of packets to identify neighbors and to update link-state routing information. [1] These five packet types make OSPF capable of sophisticated and complex communications. These packet types will be discussed in more detail later in the chapter. At this point, it is important to become familiar with the different relationships, or states, that are possible between OSPF routers, the different OSPF network types, and the OSPF Hello protocol.

OSPF States

The key to effectively designing and troubleshooting OSPF networks is to understand the relationships, or states, that develop between OSPF routers. OSPF interfaces can be in one of seven states. [2] OSPF neighbor relationships progress through these states, one at a time, in the order presented.

1. Down State

In the Down state, the OSPF process has not exchanged information with any neighbor. OSPF is waiting to enter the next state, which is the Init state.

2. Init State

OSPF routers send Type 1 (hello) packets at regular intervals (usually 10 seconds) to establish a relationship with neighbor routers. When an interface receives its first hello packet, the router enters the Init state, which means the router knows a neighbor is out there and is waiting to take the relationship to the next step. The two kinds of relationships are two-way and adjacency, although there are many phases in between. A router must receive a hello from a neighbor before it can establish any relationship.

3. Two-Way State

Using hello packets, every OSPF router tries to establish a Two-Way state, or bidirectional communication, with every neighbor router on the same IP network. Among other things, hello packets include a list of the sender's known OSPF neighbors. A router enters the Two-Way state when it sees itself in a neighbor's hello. For example, as shown in Figure [3], when RTB learns that RTA knows about RTB, RTB declares a Two-Way state to exist with RTA. The Two-Way state is the most basic relationship that OSPF neighbors can have, but routing information is not shared between routers in this relationship. To learn about other routers' link states and eventually build a routing table, every OSPF router must form at least one adjacency. An adjacency is an advanced relationship between OSPF routers that involves a series of progressive states that rely not just on hellos, but also on the other four types of OSPF packets. Routers that attempt to become adjacent to one another exchange routing information even before the adjacency is fully established. The first step toward full adjacency is the ExStart state, which is described next.

4. ExStart State

Technically, when a router and the neighbor enter the ExStart state, the conversation is characterized as an adjacency, but the routers have not become fully adjacent yet. ExStart is established using Type 2 database description (DBD) packets, also known as DDPs. The two neighbor routers use hello packets to negotiate who is the "master" and who is the "slave" in the relationship and DBD packets to exchange databases. [4] The router with the highest OSPF router ID "wins" and becomes master. (The OSPF router ID is discussed later in this chapter.) When the neighbors establish the roles as master and slave, the Exchange state is entered and the sending of routing information begins.

5. Exchange State

In the Exchange state, neighbor routers use Type 2 DBD packets to send each other link-state information [4]. In other words, the routers describe their link-state databases to each other. The routers compare what is learned with their existing link-state databases. If either of the routers receives information about a link that is not already in its database, the router requests a complete update from its neighbor. Complete routing information is exchanged in the Loading state.

6. Loading State

After the databases have been described to each router, they may request information that is more complete by using Type 3 packets, called link-state requests (LSRs). When a router receives an LSR, it responds with an update by using a Type 4 link-state update (LSU) packet. [4] These Type 4 LSU packets contain the actual link-state advertisements (LSAs), which are the heart of link-state routing protocols. As shown in Figure [4], Type 4 LSUs are acknowledged using Type 5 packets, called link-state acknowledgments (LSAcks).

7. Full Adjacency

With the Loading state complete, the routers are fully adjacent. Each router keeps a list of adjacent neighbors, called the adjacency database. The adjacency database should not be confused with the link-state database or the forwarding database. [5]


2.1.4 OSPF network types

Figure 1: OSPF Network Types

Figure 2: OSPF Network Types


Figure 3: The DR and BDR Receive LSAs

Because adjacency is required for OSPF routers to share routing information, a router will try to become adjacent to at least one other router on each IP network to which it is connected. Some routers may try to become adjacent to all neighbor routers, and others may try with only one or two. OSPF routers determine which routers to become adjacent to based on the type of network connection. OSPF interfaces automatically recognize broadcast multiaccess networks, nonbroadcast multiaccess (NBMA) networks, and point-to-point networks [1]. An administrator can configure a fourth network type, called a point-to-multipoint network. The four network types are listed in Figure [2]. The type of network dictates how OSPF routers relate to each other. An administrator may have to override the detected network type in order for OSPF to operate properly.

Some networks are defined as multiaccess because the number of routers connected is unpredictable. A campus that uses a switched Ethernet core may have half a dozen routers connected to the same backbone network. A school district might have 10, 12, or 25 remote-site routers connected via Frame Relay Permanent Virtual Circuits (PVCs) to the same IP subnet. Because a significant number of routers can exist on a multiaccess network, OSPF's designers developed a system to avoid the overhead that would be created if every router established full adjacency with every other router. This system restricts who can become adjacent to whom by employing the services of one of the following:

- Designated router (DR) - For every multiaccess IP network, one router will be elected the DR. This DR has two main functions. First, it becomes adjacent to all other routers on the network. Second, it acts as a spokesperson for the network. As spokesperson, the DR sends network LSAs for all other IP networks to every other router. Because the DR becomes adjacent to all other routers on the IP network, it is the focal point for collecting routing information (LSAs).

- Backup designated router (BDR) - The DR could represent a single point of failure, so a second router is elected as the BDR to provide fault tolerance. Thus, the BDR must also become adjacent to all routers on the network and must serve as a second focal point for LSAs, as shown in Figure [3]. However, unlike the DR, the BDR is not responsible for updating the other routers or sending network LSAs. Instead, the BDR keeps a timer on the DR's update activity to ensure that it is operational. If the BDR does not detect activity from the DR before the timer expires, the BDR takes over the role of DR and a new BDR is elected.

On point-to-point networks only two nodes exist. Therefore, a focal point for routing information is not needed. No DR or BDR is elected. Both routers become fully adjacent to one another.

2.1.5 The OSPF Hello protocol

Figure 1: The OSPF Packet Header

Figure 2: The OSPF Hello Header

When a router starts an OSPF routing process on an interface, it sends a hello packet and continues to send hellos at regular intervals. The rules that govern the exchange of OSPF hello packets are collectively referred to as the Hello Protocol.

At Layer 3 of the OSI model, hello packets are addressed to the multicast address 224.0.0.5. This address effectively means "all OSPF routers." OSPF routers use hello packets to initiate new adjacencies and to ensure that adjacent neighbors have not disappeared. Hellos are sent every 10 seconds by default on multiaccess and point-to-point networks. On interfaces that connect to NBMA networks, such as Frame Relay, hellos are sent every 30 seconds. Although the hello packet is small (often less than 50 bytes), hellos contain plenty of vital information. Like all OSPF packet types, hello packets include an OSPF packet header, which has the form shown in Figure [1]. All five types of OSPF packets use the OSPF packet header, which consists of eight fields. The purpose of each of these fields is described below:

- Version, Type, and Packet Length - The first three fields of the OSPF packet let the recipients know the version of OSPF that is being used by the sender (version 1 or 2), the OSPF packet type, and the packet length. OSPF version 2 was first introduced in 1991 (RFC 1247) and is not compatible with version 1, which is obsolete. The Cisco IOS uses OSPF version 2 and cannot be configured to use OSPF version 1.

- Router ID - The function of the hello packet is to establish and maintain adjacencies, so the sending router fills the fourth field with its router ID, which is a 32-bit number used to identify the router to the OSPF protocol. A router uses an IP address as its ID because both the router ID and the IP address must be unique within a network. Because routers support multiple IP addresses, a loopback IP address is used as the router ID. In the absence of a loopback IP address, the highest-value interface IP address is used as the router ID, regardless of whether that interface is involved in the OSPF process. If the interface associated with that IP address goes down, the router can no longer use that IP address as its router ID. When a router's ID changes for any reason, the router must reintroduce itself to its neighbors on all links. To avoid the unnecessary overhead caused by re-establishing adjacency and readvertising link states, an administrator typically assigns an IP address to a loopback interface. Unless an administrator shuts down a loopback interface, it always stays up, so loopback interfaces make ideal router IDs. Note: If a loopback interface is configured with an IP address, the Cisco IOS will use that IP address as the router ID, even if the other interfaces have higher addresses.

- Area ID - Multiple areas within an OSPF network can be defined to reduce and summarize route information, which allows large and complex networks to continue to grow. When configuring a single-area OSPF network, Area 0 is always used because it is defined as the "backbone" area. A backbone area is needed to scale (add other OSPF areas).

- Checksum - As seen with other protocols, a 2-byte checksum field is used to check the message for errors. Good packets are retained and damaged packets are discarded.

- Authentication Type and Authentication Data - OSPF supports different methods of authentication so that OSPF routers will not believe just anyone sending hellos to 224.0.0.5. Routers with unequal authentication fields will not accept OSPF information from each other.


The hello header [2], which is found only in Type 1 hello packets, carries essential information. The following are the fields in the hello header:

- Network Mask - This 32-bit field carries the subnet mask of the network.

- Hello Interval and Dead Interval - The hello interval is the number of seconds that an OSPF router waits before sending the next hello packet. The default for multiaccess broadcast and point-to-point networks is 10 seconds. The dead interval is the number of seconds that a router waits before it declares a neighbor down (if the neighbor's hello packets are no longer being received). The dead interval is four times the hello interval by default, or 40 seconds. Both of these intervals are configurable, which is the reason they are advertised. If two routers have different hello intervals or dead intervals, OSPF information will not be accepted.

- Options - The router can use this field to indicate optional configurations, including the stub area flag, which is discussed in Semester five of the CCNP curriculum.

- Router Priority - This field contains a value that indicates the priority of this router when selecting a designated router (DR) and backup designated router (BDR). The default priority is 1 and can be configured to a higher number to ensure that a specified router becomes the DR.

- Designated Router and Backup Designated Router - The router IDs of the DR and BDR are listed here, if known by the source of the hello packet.

- Neighbor Address - If the source of the hello packet has received a valid hello from any neighbor within the dead interval, that neighbor's router ID is included here.
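The two field lists above (the 24-byte OSPF packet header and the hello body) can be put to work with a small encoder/decoder. The following Python is an added example, not code from the Cisco document: it builds a Type 1 hello with the RFC 2328 wire layout, computes the one's-complement checksum over the packet with the 64-bit authentication field excluded (as RFC 2328 specifies for null and simple-password authentication), parses a received hello, and then applies the acceptance rules the text states, so that a hello with the wrong area ID, a different authentication type, or mismatched hello/dead intervals is reported rather than accepted. The router IDs, mask and neighbor list are constructed sample values; the `multiaccess` flag in the local configuration is an assumption of this example used to decide whether the network mask is compared, which RFC 2328 does only on multiaccess networks, not on point-to-point links.

```python
"""Build, parse and screen OSPF version 2 hello packets (RFC 2328 formats).
Added example; not part of the Cisco document."""
import ipaddress
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
ALL_SPF_ROUTERS = "224.0.0.5"
# OSPF packet header: version, type, length, router ID, area ID, checksum,
# authentication type, 64-bit authentication data (24 bytes in total).
HEADER = struct.Struct("!BBH4s4sHH8s")
# Hello body: network mask, hello interval, options, router priority,
# dead interval, DR, BDR (20 bytes), followed by 4-byte neighbor router IDs.
HELLO = struct.Struct("!4sHBBI4s4s")


def _packed(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


def _text(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def ospf_checksum(pkt: bytes) -> int:
    """One's-complement checksum over the packet, skipping the 8-byte
    authentication field as RFC 2328 requires. A valid packet yields 0."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, network_mask, hello_interval, dead_interval,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), options=0x02):
    """Encode a hello with null authentication (AuType 0) and a valid checksum."""
    body = HELLO.pack(_packed(network_mask), hello_interval, options, priority,
                      dead_interval, _packed(dr), _packed(bdr))
    body += b"".join(_packed(n) for n in neighbors)
    length = HEADER.size + len(body)
    header = HEADER.pack(OSPF_VERSION, TYPE_HELLO, length, _packed(router_id),
                         _packed(area_id), 0, 0, bytes(8))
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt: bytes) -> dict:
    """Decode a hello; raises ValueError for anything a receiver must discard."""
    if len(pkt) < HEADER.size:
        raise ValueError("truncated OSPF header")
    ver, ptype, length, rid, area, _csum, autype, _auth = HEADER.unpack_from(pkt)
    if ver != OSPF_VERSION:
        raise ValueError(f"unsupported OSPF version {ver}")
    if ptype != TYPE_HELLO:
        raise ValueError(f"not a hello packet (type {ptype})")
    if length > len(pkt) or length < HEADER.size + HELLO.size:
        raise ValueError("bad packet length")
    pkt = pkt[:length]
    if autype in (0, 1) and ospf_checksum(pkt) != 0:  # AuType 2 carries no checksum
        raise ValueError("checksum mismatch: damaged packet discarded")
    mask, hello_int, options, prio, dead_int, dr, bdr = HELLO.unpack_from(pkt, HEADER.size)
    rest = pkt[HEADER.size + HELLO.size:]
    if len(rest) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    return {
        "router_id": _text(rid), "area_id": _text(area), "auth_type": autype,
        "network_mask": _text(mask), "hello_interval": hello_int,
        "dead_interval": dead_int, "options": options, "priority": prio,
        "dr": _text(dr), "bdr": _text(bdr),
        "neighbors": [_text(rest[i:i + 4]) for i in range(0, len(rest), 4)],
    }


def hello_mismatches(local: dict, hello: dict) -> list:
    """Reasons an interface with configuration `local` would ignore the hello."""
    reasons = []
    if hello["area_id"] != local["area_id"]:
        reasons.append("area ID mismatch")
    if hello["auth_type"] != local["auth_type"]:
        reasons.append("authentication type mismatch")
    if hello["hello_interval"] != local["hello_interval"]:
        reasons.append("hello interval mismatch")
    if hello["dead_interval"] != local["dead_interval"]:
        reasons.append("dead interval mismatch")
    # The mask is compared on multiaccess networks only (assumed flag, see lead-in).
    if local.get("multiaccess", True) and hello["network_mask"] != local["network_mask"]:
        reasons.append("network mask mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample: RTB (10.6.0.1) in area 0 already hearing neighbor 10.6.0.2.
    pkt = build_hello("10.6.0.1", "0.0.0.0", "255.255.255.0", 10, 40, neighbors=["10.6.0.2"])
    local = {"area_id": "0.0.0.0", "auth_type": 0, "hello_interval": 30,
             "dead_interval": 120, "network_mask": "255.255.255.0"}
    print(len(pkt), "bytes; mismatches:", hello_mismatches(local, parse_hello(pkt)))
```

The sample hello with one neighbor is 48 bytes, well under the "often less than 50 bytes" the text gives. Against the local configuration in the block (an NBMA-style 30/120 timer pair) it is rejected for both interval mismatches, which is the behaviour the text describes when two routers are configured with different timers.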

Routing Section 2: OSPF

Copyright  2002, Cisco Systems, Inc.

2.2 OSPF Operation

2.2.1 Steps of OSPF Operation

OSPF routers progress through five distinct steps of operation:

1. Establish router adjacencies.
2. Elect a DR and BDR (if necessary).
3. Discover routes.
4. Select the appropriate routes to use.
5. Maintain routing information.

The following sections describe each of these steps in detail.

2.2.2 Step 1: Establish router adjacencies

Figure 1: Example of an OSPF Topology

A router's first step in OSPF operation is to establish router adjacencies. Each of the three routers shown in the figure attempts to become adjacent to another router on the same IP network. To become adjacent with another router, RTB sends hello packets, advertising its own router ID. Because no loopback interfaces are present, RTB chooses its highest IP address, 10.6.0.1, as its router ID. Assuming that RTB is appropriately configured, RTB multicasts hello packets out both S0 and E0. RTA and RTC should both receive the hello packets. These two routers then add RTB's router ID to the Neighbor field of their own hello packets and enter the Init state with RTB.

RTB receives hello packets from both of its neighbors and sees its own ID number (10.6.0.1) in the Neighbor ID field. RTB declares a Two-Way state between itself and RTA, and a Two-Way state between itself and RTC. At this point, RTB determines which routers to establish adjacencies with, based on the type of network that a particular interface resides on. If the network type is point-to-point, the router becomes adjacent with its sole link partner. If the network type is multiaccess, RTB enters the election process to become a DR or BDR, unless both roles are already established (as advertised in the hello packet header). If an election is necessary, OSPF routers will proceed as described in the next section, Step 2: Elect a DR and a BDR. However, if an election is not necessary, the routers will enter the ExStart state, as described in the section, Step 3: Discover Routes.
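The hello exchange just described, as an added example that is not part of the original course material: a constructed Python model that builds an OSPFv2 hello, computes the header checksum, parses a received hello, applies the acceptance checks (area, mask, hello and dead intervals, E-bit) and derives the Init or 2-Way state. The router IDs 10.5.0.1 and 10.6.0.1 and the /16 mask follow the figure and the packet layout follows RFC 2328; the class and function names are this example's own assumptions.

```python
"""Constructed OSPFv2 hello model (RFC 2328 A.3.1 and A.3.2 packet layout):
build a hello, checksum it, parse a received one, and apply the neighbor
acceptance checks that decide between dropping it, Init and 2-Way."""
import struct
from dataclasses import dataclass, field

OSPF_VERSION = 2
TYPE_HELLO = 1
OPT_E = 0x02          # Options E-bit: the sender is not in a stub area


def ip_to_int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def ospf_checksum(pkt):
    """One's-complement checksum of the packet with the 64-bit Authentication
    field (bytes 16-23) left out, as RFC 2328 requires for AuType 0 and 1."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Hello:
    router_id: str
    area_id: str = "0.0.0.0"
    mask: str = "255.255.0.0"     # the figure's /16 networks
    hello_interval: int = 10
    dead_interval: int = 40
    priority: int = 1
    options: int = OPT_E
    dr: str = "0.0.0.0"
    bdr: str = "0.0.0.0"
    neighbors: list = field(default_factory=list)


def build_hello(h):
    body = struct.pack("!IHBBIII", ip_to_int(h.mask), h.hello_interval, h.options,
                       h.priority, h.dead_interval, ip_to_int(h.dr), ip_to_int(h.bdr))
    body += b"".join(struct.pack("!I", ip_to_int(n)) for n in h.neighbors)
    # Header: version, type, length, router ID, area ID, checksum (0 until
    # computed), AuType 0 (null authentication), 8-byte Authentication field.
    hdr = struct.pack("!BBHIIHH8s", OSPF_VERSION, TYPE_HELLO, 24 + len(body),
                      ip_to_int(h.router_id), ip_to_int(h.area_id), 0, 0, b"\x00" * 8)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Return a Hello, or raise ValueError for a packet that must be discarded."""
    ver, ptype, length, rid, area, csum = struct.unpack("!BBHIIH", pkt[:14])
    if ver != OSPF_VERSION or ptype != TYPE_HELLO or length != len(pkt):
        raise ValueError("malformed OSPF hello")
    if ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:]) != csum:
        raise ValueError("bad checksum: packet discarded")
    mask, hi, opts, pri, dead, dr, bdr = struct.unpack("!IHBBIII", pkt[24:44])
    nbrs = [int_to_ip(struct.unpack("!I", pkt[i:i + 4])[0]) for i in range(44, length, 4)]
    return Hello(int_to_ip(rid), int_to_ip(area), int_to_ip(mask), hi, dead,
                 pri, opts, int_to_ip(dr), int_to_ip(bdr), nbrs)


def is_valid(pkt):
    try:
        parse_hello(pkt)
        return True
    except ValueError:
        return False


def neighbor_state(me, rx, current="Down"):
    """Receiving-side checks (RFC 2328 10.5). A hello whose parameters differ
    from ours is ignored and the neighbor state is unchanged; otherwise the
    sender is Init, or 2-Way if its neighbor list already names us."""
    for name in ("area_id", "mask", "hello_interval", "dead_interval"):
        if getattr(me, name) != getattr(rx, name):
            return current, "%s mismatch: hello ignored" % name
    if (me.options & OPT_E) != (rx.options & OPT_E):
        return current, "E-bit mismatch: hello ignored"
    if me.router_id in rx.neighbors:
        return "2-Way", "our router ID appears in the neighbor list"
    return "Init", "hello accepted; sender has not seen us yet"


def example():
    """RTA (10.5.0.1) and RTB (10.6.0.1) on 10.5.0.0/16, as in the figure."""
    rta, rtb = Hello("10.5.0.1"), Hello("10.6.0.1")
    # 1. RTB multicasts a hello with an empty neighbor list: RTA enters Init.
    s1, _ = neighbor_state(rta, parse_hello(build_hello(rtb)))
    # 2. RTA answers, listing 10.6.0.1: RTB sees its own ID and enters 2-Way.
    rta.neighbors = ["10.6.0.1"]
    s2, _ = neighbor_state(rtb, parse_hello(build_hello(rta)), "Init")
    # 3. A hello with a 5-second hello interval is ignored; RTA stays in Init.
    odd = Hello("10.6.0.1", hello_interval=5)
    s3, why = neighbor_state(rta, parse_hello(build_hello(odd)), "Init")
    return s1, s2, s3, why
```

The checks in neighbor_state are the reason a stray or spoofed hello with the wrong timers or mask is simply dropped, and why a packet that fails its checksum never reaches the state machine at all. Note that with AuType 0 nothing stops a host on the segment from sending a hello that passes every check; that gap is what the authentication fields in the header are for.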

2.2.3 Step 2: Elect a DR and a BDR

Figure 1: The DR and BDR Election Process

Because multiaccess networks can support more than two routers, OSPF elects a DR to be the focal point of all link-state updates and LSAs. The DR's role is critical, so a BDR is elected to "shadow" the DR. In the event that the DR fails, the BDR can smoothly take over. Like any election, the DR/BDR selection process can be rigged. The "ballots" are hello packets, which contain a router's ID and priority fields. The router with the highest priority value among the routers on the segment wins the election and becomes the DR. The router with the second-highest priority is elected the BDR. When the DR and BDR have been elected, the roles are kept until one of the routers fails, even if additional routers with higher priorities show up on the network. Hello packets inform newcomers of the identity of the existing DR and BDR. OSPF routers all have the same default priority value of 1. A priority from 0 to 255 can be assigned on any given OSPF interface. A priority of 0 prevents the router from winning any election on that interface. A priority of 255 ensures at least a tie. The Router ID field is used to break ties: if two routers have the same priority, the router with the highest router ID is selected. The router ID can be manipulated by configuring an address on a loopback interface, although that is not the preferred way to control the DR/BDR election process. The priority value should be used instead, because each interface can have its own priority value; a router can be configured to win an election on one interface and lose an election on another.

How does the DR election process affect the example network? As shown in the figure, RTB and RTC are connected via PPP on a point-to-point link. Thus, there is no need for a DR on the network 10.6.0.0/16, because only two routers can exist on this link. Because the 10.4.0.0/16 and 10.5.0.0/16 networks are multiaccess Ethernet networks, these two networks may potentially connect more than two routers. Even if only one router is connected to a multiaccess segment, a DR is still elected because the potential exists for more routers to be added to the network. Thus, a DR must be elected on both 10.4.0.0/16 and 10.5.0.0/16. Note: DRs and BDRs are elected on a per-network basis. An OSPF area can contain more than one IP network, so each area can (and usually does) have multiple DRs and BDRs. In the example topology, RTA serves a dual role: it is the DR on one network and the BDR on another. Because it is the only router on the 10.4.0.0/16 network, RTA elects itself as the DR there. After all, the 10.4.0.0/16 network is a multiaccess Ethernet network, so a DR is elected because multiple routers could potentially be added to this network. RTA is also the runner-up in the election for 10.5.0.0/16 and thus the BDR for that network. Despite having the same priority value as RTA, RTB is elected as DR for 10.5.0.0/16 by virtue of the tiebreaker, a higher router ID (RTB's 10.6.0.1 versus RTA's 10.5.0.1; recall that without loopbacks each router's ID is its highest interface address). With elections complete and bidirectional communication established, routers are ready to share routing information with adjacent routers and build their link-state databases.
This process is discussed in the next section.
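The election rules above, as an added example that is not part of the original course material: a small Python model that elects a DR and BDR for one segment by priority, breaks ties on router ID, treats priority 0 as ineligible (the spoke-router trick used later for hub-and-spoke Frame Relay) and keeps incumbents in place when a higher-priority router appears. The router IDs of RTA and RTB mirror the figure; the newcomer 10.9.0.9 and the function names are constructed for the example.

```python
"""Constructed DR/BDR election for one multiaccess network, following the
rules in the text: priority 0 is ineligible, highest priority wins, the higher
router ID breaks ties, and incumbents keep their roles."""


def rid_key(rid):
    """Compare dotted-decimal router IDs numerically, octet by octet."""
    return tuple(int(x) for x in rid.split("."))


def elect(candidates, current_dr=None, current_bdr=None):
    """candidates: {router_id: priority} as learned from hellos on the segment.
    Returns (dr, bdr). Simplified from RFC 2328 9.4: the BDR is chosen from
    routers other than the DR; a surviving incumbent is never displaced, and a
    DR that disappears is replaced by the BDR, after which a new BDR is chosen."""
    eligible = {r: p for r, p in candidates.items() if p > 0}
    if not eligible:
        return None, None            # nobody may be DR: the segment has no DR

    def best(pool):
        # "ballot" order: priority first, router ID as the tiebreaker
        return max(pool, key=lambda r: (eligible[r], rid_key(r)))

    if current_bdr in eligible:
        bdr = current_bdr
    else:
        pool = [r for r in eligible if r != current_dr]
        bdr = best(pool) if pool else None
    if current_dr in eligible:
        dr = current_dr
    else:
        dr = bdr                     # the BDR is promoted (or elected outright)
        pool = [r for r in eligible if r != dr]
        bdr = best(pool) if pool else None
    return dr, bdr


def walkthrough():
    """The 10.5.0.0/16 segment of the figure, followed by two later events."""
    rounds = []
    seg = {"10.5.0.1": 1, "10.6.0.1": 1}          # RTA, RTB: equal priority
    dr, bdr = elect(seg)
    rounds.append(("initial election", dr, bdr))
    seg["10.9.0.9"] = 200                          # constructed newcomer, high priority
    dr, bdr = elect(seg, dr, bdr)
    rounds.append(("higher-priority router joins", dr, bdr))
    del seg["10.6.0.1"]                            # the DR fails
    dr, bdr = elect(seg, dr, bdr)
    rounds.append(("DR fails", dr, bdr))
    return rounds
```

The second round is the property that matters operationally: a router that joins later with priority 200 does not unseat the DR, so an attacker or a misconfigured box cannot take over the segment's DR role simply by advertising a high priority; it would have to wait for, or cause, the current DR and BDR to fail. A single router on a segment becomes DR with no BDR, which is RTA's position on 10.4.0.0/16.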

2.2.4 Step 3: Discover routes


Figure 1: Route Discovery

Figure 2: Route Discovery

Figure 3: Route Discovery


Figure 4: Route Discovery

Figure 5: Route Discovery

On a multiaccess network, the exchange of routing information occurs between the DR or BDR and every other router on the network. As the DR and BDR on the 10.5.0.0 /16 network, RTA and RTB will exchange link-state information.


Link partners on a point-to-point or point-to-multipoint network also engage in the exchange process. That means that RTB and RTC will share link-state data. [1]

However, who goes first? This question is answered in the first stage of the Exchange process, the ExStart state. [2] The purpose of ExStart is to establish a master/slave relationship between the two routers. The router with the higher router ID becomes the master, as shown in Figure [2]. The master orchestrates the exchange of link-state information, while the slave responds to prompts from the master. RTB engages in this process with both RTA and RTC. After the routers have settled their roles as master and slave, the Exchange state is entered. As shown in Figure [3], the master leads the slave through a swap of DBDs (Type 2 packets) that describe each router's link-state database in limited detail. A DBD carries LSA headers, which identify the link-state type, the advertising router, and the LSA's sequence number, age and checksum, but not the link data itself. Each DBD also carries a DD sequence number; the slave acknowledges a DBD from the master by sending its own DBD that echoes that sequence number (LSAck packets acknowledge LSAs, not DBDs). Each router compares the headers it receives in the DBD with the information that it already holds. If the DBD advertises a new or more up-to-date link state, the router enters the Loading state [4] by sending an LSR (Type 3) packet for that entry. In response to the LSR, the neighbor sends the complete link-state information in an LSU (Type 4) packet. LSUs carry LSAs, and each LSA received is acknowledged with an LSAck (Type 5). When the Loading state is complete, the routers have achieved full adjacency (the Full state). [5] RTB is now adjacent to RTA and to RTC. Adjacent routers must be in the Full state before they build routing tables and route traffic. At this point, the adjacent routers should all have identical link-state databases.

2.2.5 Step 4: Select appropriate routes

Figure 1: Selection the Best Route

After a router has a complete link-state database, it is ready to create its routing table so that it can forward traffic. As mentioned earlier in the chapter, OSPF uses the metric value called cost to determine the best path to a destination (see the figure above). The default cost value is based on media bandwidth. In general, cost decreases as the speed of the link increases. RTB's 10-Mbps Ethernet interface, for example, has a lower cost than its T1 serial line because 10 Mbps is faster than 1.544 Mbps. To calculate the lowest cost to a destination, RTB uses the SPF algorithm. In simple terms, the SPF algorithm adds up the total costs between the local router (called the root) and each destination network. If there are multiple paths to a destination, the lowest-cost path is preferred. By default, OSPF keeps up to four equal-cost route entries in the routing table for load balancing. Sometimes a link, such as a serial line, will go up and down rapidly (a condition called flapping). If a flapping link causes LSUs to be generated, routers that receive those updates must rerun the SPF algorithm to recalculate routes. Prolonged flapping can severely affect performance. Repeated SPF calculations can overtax the router's CPU. Moreover, the constant updates may prevent link-state databases from converging. To combat this problem, the Cisco IOS uses an SPF hold timer. After an LSU is received, the SPF hold timer determines how long the router waits before running the SPF algorithm. The timers spf command adjusts this timer, which defaults to 10 seconds. After RTB has selected the best routes using the SPF algorithm, it moves into the final phase of OSPF operation.

2.2.6 Step 5: Maintain routing information

Figure 1: Link-State Information


Figure 2: Link-State Information

Figure 3: Link-State Information


Figure 4: Link-State Information

When an OSPF router has installed routes in its routing table, it must diligently maintain routing information. When there is a change in a link state, OSPF routers use a flooding process to notify other routers on the network about the change. The Hello protocol's dead interval provides a simple mechanism for declaring a link partner down. If RTB does not hear from RTA for a time period exceeding the dead interval (usually 40 seconds), RTB declares its link to RTA down. RTB then sends an LSU packet containing the new link-state information, but to whom?

• On a point-to-point network, no DR or BDR exists. New link-state information is sent to the 224.0.0.5 multicast address. All OSPF routers listen at this address.

• On a multiaccess network, a DR and BDR exist and maintain adjacencies with all other OSPF routers on the network. If a DR or BDR needs to send a link-state update, it sends it to all OSPF routers at 224.0.0.5. However, the other routers on a multiaccess network are adjacent only to the DR and the BDR and thus can send LSUs only to them. For that reason, the DR and BDR have their own multicast address, 224.0.0.6. Non-DR/BDR routers send their LSUs to 224.0.0.6, or "all DR/BDR routers" [1].

When the DR receives and acknowledges the LSU destined for 224.0.0.6, it floods the LSU to all OSPF routers on the network at 224.0.0.5 [2]. Each router acknowledges receipt of the LSU with an LSAck. If an OSPF router is connected to another network, it floods the LSU to other networks by forwarding the LSU to the DR of the multiaccess network, or to an adjacent router if in a point-to-point network [3]. The DR, in turn, multicasts the LSU to the other OSPF routers in that network.


Upon receiving an LSU that includes new information, an OSPF router updates its link-state database. It then runs the SPF algorithm using the new information to recalculate the routing table. After the SPF hold timer expires, the router switches over to the new routing table. [4] If a route already exists in a Cisco router, the old route is used while the SPF algorithm is calculating the new information. If the SPF algorithm is calculating a new route, the router will not use that route until after the SPF calculation is complete. It is important to note that even if a change in link state does not occur, OSPF routing information is periodically refreshed. Each LSA carries an age. Every 30 minutes (the LSA refresh time), the router that originated an LSA re-floods it with a new sequence number, whether or not anything has changed. An LSA that is not refreshed within 60 minutes (the maximum age) is flushed from every router's database. A received LSA replaces the stored copy only if it is newer, which an OSPF router decides chiefly by comparing sequence numbers.
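The maintenance rules above (install only newer LSAs, refresh every 30 minutes, flush at 60) as an added example that is not part of the original course material. It is a constructed Python model of a link-state database; the LSA fields are reduced to the identifying triple, the sequence number and the age, and the router IDs, sequence numbers and class names are this example's own.

```python
"""Constructed model of LSDB maintenance: a received LSA is installed (and must
be re-flooded) only when it is newer than the held copy, self-originated LSAs
are refreshed every 30 minutes, and any LSA not refreshed within 60 minutes
is flushed (RFC 2328 LSRefreshTime and MaxAge). Keys and IDs are constructed."""
from dataclasses import dataclass

LS_REFRESH_TIME = 30 * 60   # seconds
MAX_AGE = 60 * 60
INITIAL_SEQ = -2147483647   # 0x80000001 as a signed 32-bit value


@dataclass
class LSA:
    ls_type: int        # 1 = router LSA, 2 = network LSA, ...
    ls_id: str
    adv_router: str
    seq: int
    age: int = 0

    @property
    def key(self):
        return (self.ls_type, self.ls_id, self.adv_router)


def is_newer(candidate, held):
    """RFC 2328 13.1, simplified: the higher sequence number is newer; with
    equal sequence numbers a MaxAge instance (a flush) counts as newer."""
    if candidate.seq != held.seq:
        return candidate.seq > held.seq
    if (candidate.age >= MAX_AGE) != (held.age >= MAX_AGE):
        return candidate.age >= MAX_AGE
    return False


class LSDB:
    def __init__(self, router_id):
        self.router_id = router_id
        self.db = {}

    def receive(self, lsa):
        """Install lsa if unknown or newer. Returns True when the database
        changed, which is when the router re-floods it and reruns SPF; a stale
        or duplicate copy (including a replayed old one) returns False."""
        held = self.db.get(lsa.key)
        if held is None or is_newer(lsa, held):
            self.db[lsa.key] = lsa
            return True
        return False

    def tick(self, seconds):
        """Advance every LSA's age. Self-originated LSAs that reach the refresh
        time are re-originated with the next sequence number; any LSA that
        reaches MaxAge is removed. Returns the LSAs this router must flood."""
        to_flood = []
        for key, lsa in list(self.db.items()):
            lsa.age += seconds
            if lsa.adv_router == self.router_id and lsa.age >= LS_REFRESH_TIME:
                lsa.seq += 1
                lsa.age = 0
                to_flood.append(lsa)
            elif lsa.age >= MAX_AGE:
                del self.db[key]
                lsa.age = MAX_AGE      # flooded at MaxAge so neighbors flush it too
                to_flood.append(lsa)
        return to_flood
```

The newness comparison is what keeps a flooding network from looping forever: a copy that is not newer is acknowledged but not re-flooded. It is also why a captured LSU replayed later is harmless on its own, since its sequence number is no longer higher than the stored copy's.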


2.3 Configuring OSPF

2.3.1 Configuring OSPF on routers within a single area

Figure 1: Basic OSPF Configuration

Figure 2: Basic OSPF Configuration

This section covers the process of configuring OSPF on routers within a single area. To configure OSPF, OSPF is enabled on the router and the router's network addresses and area information are configured [1], according to the following steps:

1. Enable OSPF on the router using the following command:

router(config)# router ospf process-id

The process ID is a process number on the local router. It is used to distinguish multiple OSPF processes on the same router. The number can be any value between 1 and 65,535, and the numbering does not have to start at 1. Most network administrators keep the same process ID throughout the entire autonomous system (AS). It is possible to run multiple OSPF processes on the same router, but this is not recommended because it creates multiple database instances that add extra overhead to the router.

2. Identify IP networks on the router, using the following command:

router(config-router)# network address wildcard-mask area area-id

For each network, the area to which the network belongs must be identified. The network value can be the network address, a subnet, or the address of the interface. The router knows how to interpret the address by comparing it to the wildcard mask. A wildcard mask is necessary because OSPF supports Classless Interdomain Routing (CIDR) and Variable Length Subnet Masking (VLSM), unlike RIPv1 and IGRP. The area argument is required even when configuring OSPF in a single area. More than one IP network can belong to the same area.

Interactive Lab Activity: In this lab exercise, you will configure the SanJose 1 router for OSPF in a single area. The Westasman router is already configured for OSPF. You will first specify the OSPF process ID and then enter router configuration mode. In router configuration mode, you will configure OSPF for specific networks in area 0.


2.3.2 Optional configuration commands

Figure: Monitoring OSPF with the show ip ospf interface Command

Configuring a Loopback Address

When the OSPF process starts, the Cisco IOS uses the highest local IP address as its OSPF router ID. If a loopback interface is configured, that address is used instead, regardless of its value (the highest loopback address wins if there are several). The loopback interface address is assigned with the following commands:

router(config)#interface loopback number
router(config-if)#ip address ip-address subnet-mask

A loopback-derived router ID ensures stability because that interface is immune to link failure. The loopback interface must be configured before the OSPF process starts in order to override the highest interface IP address. It is recommended that a loopback address be used on all key routers in an OSPF-based network. To avoid routing problems, it is good practice to use a 32-bit subnet mask when configuring a loopback IP address, as shown:

router(config)#interface loopback0
router(config-if)#ip address 192.168.1.1 255.255.255.255

A 32-bit mask is sometimes called a host mask, because it specifies a single host and not a network or subnetwork. Note: To prevent propagation of bogus routes, OSPF always advertises loopback addresses as host routes, with a 32-bit mask.

Modifying OSPF Router Priority

DR/BDR elections are manipulated by configuring the priority value to a number other than the default value, which is 1. A value of 0 guarantees that the router will not be elected as a DR or BDR. Each OSPF interface can announce a different priority. The priority value (a number from 0 to 255) is configured with the ip ospf priority command, which has the following syntax:

router(config-if)#ip ospf priority number

To set a router's E0 with a priority of 0 (so that it cannot win DR/BDR elections on that network), the following commands are used:

RTB(config)#interface e0
RTB(config-if)#ip ospf priority 0

For the priority value to figure into the election, it must be set before the election takes place. An interface's priority value and other key information can be displayed with the show ip ospf interface command, as shown in the figure. The output in this example tells which routers have been elected the DR and BDR, the network type (in this case, broadcast multiaccess), the cost of the link (10), and the timer intervals specific to this interface. The timer intervals configured are Hello (10), Dead (40), Wait (40), Retransmit (5).

2.3.3 Optional configuration commands (con't.)

Figure 1: Cisco IOS Default OSPF Path Costs

Figure 2: The ip ospf message-digest-key Command Parameters


OSPF routers use costs associated with interfaces to determine the best route. The Cisco IOS automatically determines cost based on the bandwidth of an interface using the formula:

cost = 10^8 / bandwidth (in bps) = 100,000,000 / bandwidth

Figure [1] shows common default path costs for a variety of media. For OSPF to calculate routes properly, all interfaces connected to the same link must agree on the cost of that link. In a multivendor routing environment, the default cost of an interface may be overridden to match another vendor's value with the ip ospf cost command, which has the following syntax:

router(config-if)#ip ospf cost number

The new cost can be a number between 1 and 65,535. This command can be used to override the default cost on a router's S0 with these commands:

router(config)#interface s0
router(config-if)#ip ospf cost 1000

The ip ospf cost command can also be used to manipulate the desirability of a route, because routers install the lowest-cost paths in their tables. For the Cisco IOS cost formula to be accurate, serial interfaces must be configured with appropriate bandwidth values. Cisco routers default to T1 (1.544 Mbps) on most serial interfaces and require manual configuration for any other bandwidth, as in this example, which sets the bandwidth of S1 to 56 kbps:

router(config)#interface s1
router(config-if)#bandwidth 56

Configuring Authentication

Authentication is another interface-specific configuration. Each OSPF interface on a router can present a different authentication key, which functions as a password among the OSPF routers on that network.
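The cost formula just given and the SPF calculation described in section 2.2.5, as one added example that is not part of the original course material. The Python below derives interface costs with the IOS formula, builds the graph the way OSPF's database represents it (router LSAs point at networks, network LSAs point back at the attached routers), runs Dijkstra from a root, keeps up to four equal-cost next hops, applies an ip ospf cost override, and flags links whose two ends disagree on cost. The 10.4, 10.5 and 10.6 networks and the 10-Mbps Ethernet and T1 bandwidths follow the figure and the text; the extra 10.8.0.0/16 LAN between RTA and RTB is an assumption added so that an equal-cost pair exists, and the function names are the example's own.

```python
"""Constructed SPF example: interface costs from the IOS formula, a graph in
the form OSPF's LSDB takes (router LSAs point at networks, network LSAs point
back at routers), Dijkstra from the root, equal-cost next hops, an 'ip ospf
cost' override, and a check for links whose two ends disagree on cost."""
import heapq


def ospf_cost(bandwidth_kbps):
    """Cisco IOS default interface cost: 10^8 / bandwidth in bps, truncated to
    an integer and never below 1 (100 Mbps and faster all cost 1)."""
    return max(1, 10**8 // (bandwidth_kbps * 1000))


# Interfaces of the figure's routers. Bandwidths follow the media the text
# names (10-Mbps Ethernet LANs, a T1 serial link). The 10.8.0.0/16 LAN between
# RTA and RTB is an assumption added to show equal-cost load balancing.
INTERFACES = {
    "RTA": [("10.4.0.0/16", 10_000), ("10.5.0.0/16", 10_000), ("10.8.0.0/16", 10_000)],
    "RTB": [("10.5.0.0/16", 10_000), ("10.8.0.0/16", 10_000), ("10.6.0.0/16", 1544)],
    "RTC": [("10.6.0.0/16", 1544)],
}


def build_graph(interfaces, cost_overrides=None):
    """Directed graph: router -> network at the interface cost, network ->
    router at cost 0. cost_overrides {(router, network): cost} stands in for
    'ip ospf cost' on that interface."""
    cost_overrides = cost_overrides or {}
    g = {}
    for rtr, links in interfaces.items():
        for net, bw in links:
            g.setdefault(rtr, {})[net] = cost_overrides.get((rtr, net), ospf_cost(bw))
            g.setdefault(net, {})[rtr] = 0
    return g


def spf(graph, root, max_paths=4):
    """Dijkstra rooted at `root`. Returns {destination: (cost, next_hops)}:
    next_hops holds up to max_paths (next-hop router, outgoing network) pairs,
    or ("connected", network) for a directly attached network."""
    dist, hops = {root: 0}, {root: set()}
    heap = [(0, 1, root)]       # at equal cost, networks (0) pop before routers (1)
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > dist[u]:
            continue            # stale heap entry
        for v, w in graph[u].items():
            if u == root:
                via = {("connected", v)}
            elif any(h[0] == "connected" for h in hops[u]):
                via = {(v, u)}  # v is a router on one of the root's own networks
            else:
                via = hops[u]
            nd = d + w
            if v not in dist or nd < dist[v]:
                dist[v], hops[v] = nd, set(via)
                heapq.heappush(heap, (nd, 0 if "/" in v else 1, v))
            elif nd == dist[v]:
                hops[v] |= via  # equal-cost path: keep both next hops
    return {n: (dist[n], sorted(hops[n])[:max_paths]) for n in dist if n != root}


def mismatched_links(graph):
    """Networks whose attached interfaces advertise different costs, the
    situation the text says 'ip ospf cost' is used to correct."""
    bad = {}
    for net in (n for n in graph if "/" in n):
        costs = {rtr: graph[rtr][net] for rtr in graph[net]}
        if len(set(costs.values())) > 1:
            bad[net] = costs
    return bad
```

From RTA, 10.6.0.0/16 costs 10 + 64 = 74 and is reachable through RTB on either LAN, so both next hops are installed; overriding RTB's serial cost to 1000 raises that to 1010. Setting RTC's serial bandwidth to 56 kbps while RTB keeps the T1 default is exactly the asymmetric case mismatched_links reports.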
The following command syntax is used to configure OSPF authentication:

router(config-if)#ip ospf authentication-key password

After a password is configured, authentication can be enabled on an area-wide basis with the following syntax, which must be entered on all participating routers:

router(config-router)#area number authentication [message-digest]

Although the message-digest keyword is optional, it is recommended that it always be used with this command. By default, authentication passwords are sent in clear text over the wire: the password sits in the 8-byte authentication field of every OSPF packet, so a packet sniffer on the segment can read it directly and then use it to inject OSPF packets of its own. If the message-digest keyword is used, the key itself is never transmitted. Instead, each packet carries an MD5 digest computed over the entire OSPF packet together with the secret key, plus a cryptographic sequence number. A receiver configured with the same key recomputes the digest and discards any packet whose digest does not match, which defeats both forged packets and packets altered in transit, and it discards packets whose sequence number has gone backwards, which defeats simple replay. Note that message-digest authentication provides integrity and origin authentication only: the packet contents are still sent in the clear and remain readable to a sniffer. If message-digest authentication is chosen, the authentication key is not used. Instead, a message-digest key must be configured on the OSPF router's interface. The syntax for this command is as follows:

router(config-if)#ip ospf message-digest-key key-id md5 [encryption-type] password

Figure [2] describes the ip ospf message-digest-key command parameters. The following example sets the message-digest key to "itsasecret" and enables message-digest authentication within Area 0:

router(config)#int s0
router(config-if)#ip ospf message-digest-key 1 md5 itsasecret
router(config-if)#int e0
router(config-if)#ip ospf message-digest-key 1 md5 itsasecret
router(config-if)#router ospf 1
router(config-router)#area 0 authentication message-digest

The optional encryption-type argument is omitted here because the key is being typed in clear text; a value of 7 tells the IOS that the string that follows is already in the obfuscated form the router writes to its configuration, and it is only meaningful when pasting such a string back in. Bear in mind that type 7 encoding is reversible and protects the key only from casual viewing of the configuration, so configuration files must be handled like any other secret. Remember, the same parameters would have to be configured on the other routers in the same area.

Configuring OSPF Timers

In order for OSPF routers to exchange information, the hello intervals and the dead intervals must be the same. By default, the dead interval is four times the value of the hello interval. That way, a router has four chances to send a hello packet before being declared dead. On broadcast OSPF networks, the default hello interval is 10 seconds, and the default dead interval is 40 seconds. On nonbroadcast networks, the default hello interval is 30 seconds, and the default dead interval is 2 minutes (120 seconds). These default values typically result in efficient OSPF operation and therefore do not need to be modified. There may be a situation in which the hello and dead intervals need to be adjusted, either to improve performance or to match another router's timers. The syntax of the commands needed to configure both the hello and dead intervals is as follows:

router(config-if)#ip ospf hello-interval seconds
router(config-if)#ip ospf dead-interval seconds

The following example sets the hello interval to 5 seconds and the dead interval to 20 seconds:

router(config)#interface e0
router(config-if)#ip ospf hello-interval 5
router(config-if)#ip ospf dead-interval 20

Note that although it is advised, the Cisco IOS does not require the dead interval to be four times the hello interval.
If the dead interval is set to less than that, the risk increases that a router could be declared dead, when in fact a congested or flapping link has prevented one or two hello packets from reaching the destination.
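The difference between the two authentication types described in Configuring Authentication, as an added example that is not part of the original course material. The Python below constructs an OSPF hello with simple-password authentication and shows what a sniffer recovers from it, then signs the same hello with cryptographic authentication as RFC 2328 Appendix D specifies (MD5 over packet plus key, appended after the packet, with a sequence number) and verifies it, rejecting a wrong key, an altered field, an unknown key ID and a replayed older sequence number. The hello body, the router ID 10.6.0.1, the keys and the class names are constructed; zero-padding short keys to 16 bytes is an assumption about how an implementation handles keys shorter than the digest length.

```python
"""Constructed demonstration of the two OSPF authentication types compared
above: simple password (AuType 1) carries the password itself in the packet,
while cryptographic authentication (AuType 2, RFC 2328 Appendix D) appends an
MD5 digest of the packet plus the key and never transmits the key. The hello
body, router IDs and keys are constructed; zero-padding keys to 16 bytes is an
assumption about how short keys are handled."""
import hashlib
import hmac
import struct

AUTYPE_SIMPLE, AUTYPE_CRYPTO = 1, 2
DIGEST_LEN = 16
RTB_ID = 0x0A060001      # 10.6.0.1
AREA0 = 0
# 20-byte hello body: mask 255.255.0.0, hello 10, options E, priority 1,
# dead 40, DR and BDR unknown.
HELLO_BODY = bytes.fromhex("ffff0000 000a 02 01 00000028 00000000 00000000")


def ospf_header(body_len, autype, auth):
    """Version 2, type 1 (hello), checksum 0; auth is the 8-byte field."""
    return struct.pack("!BBHIIHH8s", 2, 1, 24 + body_len, RTB_ID, AREA0, 0, autype, auth)


def pad_key(key):
    return key.encode().ljust(16, b"\x00")[:16]


def simple_auth_packet(password):
    """'area 0 authentication' without message-digest: the password goes on
    the wire in the Authentication field, padded to 8 bytes."""
    auth = password.encode().ljust(8, b"\x00")[:8]
    return ospf_header(len(HELLO_BODY), AUTYPE_SIMPLE, auth) + HELLO_BODY


def sniff_simple_password(pkt):
    """What a sniffer on the segment recovers from any such packet."""
    return pkt[16:24].rstrip(b"\x00").decode()


def md5_sign(key_id, key, seq, body=HELLO_BODY):
    """AuType 2: Authentication field = 0x0000, key ID, digest length, sequence
    number; the 16-byte MD5(packet || key) is appended after the packet and is
    not counted in the header's length field."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = ospf_header(len(body), AUTYPE_CRYPTO, auth) + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


class Md5Verifier:
    """Receiver state for one interface: its configured keys and, per neighbor,
    the last accepted sequence number."""

    def __init__(self, keys):
        self.keys = keys      # {key_id: secret}
        self.last_seq = {}    # {neighbor router ID: sequence number}

    def verify(self, wire):
        _, _, length, rid, _, _, autype, auth = struct.unpack("!BBHIIHH8s", wire[:24])
        if autype != AUTYPE_CRYPTO:
            return False, "not cryptographic authentication"
        _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        pkt, digest = wire[:length], wire[length:length + dlen]
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key ID %d" % key_id
        expected = hashlib.md5(pkt + pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "digest mismatch: wrong key or altered packet"
        if seq < self.last_seq.get(rid, 0):
            return False, "sequence number went backwards: replay"
        self.last_seq[rid] = seq
        return True, "accepted"
```

Two points the code makes concrete: the digest covers the whole packet, so changing even the router priority byte invalidates it, and the sequence check only rejects packets older than the last one accepted, so a copy with an equal sequence number would still pass; the hello body itself is readable in both variants.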


2.4 Configuring OSPF Over NBMA

2.4.1 NBMA overview

Figure 1: Neighbor Status in Different Network Types

Figure 2: Types of OSPF Networks


Figure 3: Neighbor Status in Different Network Types

This chapter has focused on broadcast multiaccess and point-to-point OSPF networks in detail. Even if there is only one router, broadcast multiaccess networks elect a DR and a BDR to serve as focal points for routing information. In contrast, point-to-point OSPF networks do not elect a DR because there can never be more than two nodes. Another type of OSPF network, Nonbroadcast Multiaccess (NBMA), can include more than two nodes [1] and therefore will try to elect a DR and a BDR. Common NBMA implementations include Frame Relay, X.25, and SMDS. NBMA networks follow rules at Layer 2 that prevent the delivery of broadcasts and multicasts. Figure [2] summarizes the OSPF network types. NBMA networks can create problems with OSPF operation, specifically with the exchange of multicast hello packets. In the example shown in Figure [3], RTA, RTB, and RTC belong to the same IP subnetwork and will attempt to elect a DR and a BDR. However, these routers cannot hold a valid election if they cannot receive multicast hellos from every other router on the network. Without administrative intervention, a strange election takes place. As far as RTA is concerned, RTC is not participating. Likewise, RTC goes through the election process oblivious to RTA. This botched election can lead to problems if the central router, RTB, is not elected the DR. The Cisco IOS offers several options for configuring OSPF to overcome NBMA limitations, including the OSPF neighbor command, point-to-point subinterfaces, and point-to-multipoint configuration. The solutions that are available depend on the NBMA network topology.


2.4.2 Full-Mesh Frame Relay

Figure 1: Frame Relay Topologies

Figure 2: Full-Mesh Frame Relay


Figure 3: Full-Mesh Subinterfaces

Before selecting an OSPF configuration strategy for a Frame Relay network (or legacy X.25 network), the different NBMA topologies must be understood. Fundamentally, two possible physical topologies exist for Frame Relay networks [1]:

• Full-mesh topology

• Partial-mesh topology (including the hub-and-spoke topology)

The following sections describe how to configure OSPF in both full-mesh and partial-mesh Frame Relay networks.

Full-Mesh Frame Relay

Organizations deploy Frame Relay primarily because it supports more than one logical connection over a single interface, making it an affordable and flexible choice for WAN links. A full-mesh topology takes advantage of Frame Relay's capability to support multiple permanent virtual circuits (PVCs) on a single serial interface. In a full-mesh topology, every router has a PVC to every other router. [2] For OSPF to work properly over a multiaccess full-mesh topology that does not support broadcasts, the address of each OSPF neighbor must be entered on each router, one at a time. The OSPF neighbor command tells a router its neighbors' IP addresses so that it can exchange routing information by unicast instead of multicast. The following example illustrates how the neighbor command is used:

RTA(config)#router ospf 1
RTA(config-router)#network 3.1.1.0 0.0.0.255 area 0
RTA(config-router)#neighbor 3.1.1.2
RTA(config-router)#neighbor 3.1.1.3

Specifying each router's neighbors is not the only option to make OSPF work in this type of environment. The following section explains how configuring subinterfaces can eliminate the need for the neighbor command.


Configuring Subinterfaces to Create Point-to-Point Networks The IOS subinterface feature can be used to break up a multiaccess network into a collection of point-to-point networks. In Figure [3], a different IP subnet is assigned to each PVC. OSPF automatically recognizes this configuration as point-to-point, not NBMA, even with Frame Relay configured on the interfaces. Recall that OSPF point-to-point networks do not elect a DR. Instead, the Frame Relay router uses Inverse ARP or a Frame Relay map to obtain the link partner's address so that routing information can be exchanged. A full-mesh topology offers numerous advantages, including maximum fault tolerance. Unfortunately, full-mesh topologies can get expensive because each PVC must be leased from a provider. An organization would have to lease 45 PVCs to support just 10 fully meshed routers! If subinterfaces are used to create point-to-point networks, then the 45 IP subnets must also be allocated and managed, which is an additional expense.

2.4.3 Partial-Mesh Frame Relay

Figure 1: A Hub-and-Spoke Topology


Figure 2: A Hub-and-Spoke Topology with Subinterfaces

Because a full-mesh topology is costly, many organizations implement a partial-mesh topology instead. A partial-mesh topology is any configuration in which at least one router maintains multiple connections to other routers, without being fully meshed. The most cost-effective partial-mesh topology is a hub-and-spoke topology, in which a single router (the hub) connects to multiple spoke routers. The hub-and-spoke topology is a cost-effective WAN solution that introduces a single point of failure (the hub router). Organizations typically deploy Frame Relay because it is inexpensive, not because it is fault-tolerant. Since dedicated leased lines (not Frame Relay links) typically carry mission-critical data, an economical Frame Relay topology, such as hub-and-spoke, makes sense. Unfortunately, the neighbor command that worked with a full-mesh topology does not work as well with the hub-and-spoke topology. The hub router in Figure [1] sees all the spoke routers and can send routing information to them using the neighbor command, but the spoke routers can send hellos only to the hub. The DR/BDR election will be held, but only the hub router sees all of the candidates. Because the hub router must act as the DR for this OSPF network to function properly, an OSPF interface priority of 0 could be configured on all the spoke routers. Recall that a priority of 0 makes it impossible for a router to be elected as a DR or a BDR for a network. A second approach to dealing with this topology is to avoid the DR/BDR issue altogether by breaking the network into point-to-point connections. Point-to-point networks [2] will not elect a DR or a BDR. Although they make OSPF configuration straightforward, point-to-point networks have major drawbacks when used with a hub-and-spoke topology. Subnets must be allocated for each link, which in turn can lead to WAN addressing that is complex and difficult to manage. The WAN addressing issue can be avoided by using IP unnumbered, but many organizations have WAN-management policies that prevent using this feature. Are there any viable alternatives to a point-to-point configuration? Fortunately, the Cisco IOS offers a relatively new alternative. A hub-and-spoke physical topology can be manually configured as a point-to-multipoint network type, as described in the following section.

2.4.4 Point-to-Multipoint OSPF

Figure 1: A Hub-and-Spoke Topology with OSPF Point-to-Multipoint

! RTA (spoke, 3.1.1.1): one PVC, to the hub
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.1 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.2 22 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0
--------------------------------------------
! RTB (hub, 3.1.1.2): one map statement per spoke
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.2 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.1 200 broadcast
 frame-relay map ip 3.1.1.3 300 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0
--------------------------------------------
! RTC (spoke, 3.1.1.3): one PVC, to the hub
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.3 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.2 33 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0

Figure 2: Configurations for Point-to-Multipoint OSPF

In a point-to-multipoint network, a hub router is directly connected to multiple spoke routers, but all the WAN interfaces are addressed on the same subnet. [1] This logical topology was seen earlier in the chapter, but OSPF does not work properly on it as an NBMA network type. By manually changing the OSPF network type to point-to-multipoint, this logical topology will work. Routing between RTA and RTC will go through the router that has virtual circuits to both routers, RTB. Note that it is not necessary to configure neighbors when using this feature. (Inverse ARP will discover them.) Point-to-multipoint networks have the following properties:

• Adjacencies are established between all neighboring routers. There is no DR or BDR for a point-to-multipoint network. No network LSA is originated for point-to-multipoint networks. Router priority is not configured for point-to-multipoint interfaces or for neighbors on point-to-multipoint networks.

• When originating a router LSA, the point-to-multipoint interface is reported as a collection of point-to-point links to all the interface's adjacent neighbors, together with a single stub link advertising the interface's IP address with a cost of 0.

• When flooding out a nonbroadcast interface, the LSU or LSAck packet must be replicated to be sent to each of the interface's neighbors.

To configure point-to-multipoint, the detected OSPF network type must be overridden with the following syntax:

router(config-if)#ip ospf network point-to-multipoint

The interface should be configured with a frame-relay map ip command, as in the following syntax:

router(config-if)#frame-relay map ip address dlci broadcast

The broadcast keyword permits the router to send broadcasts via the specified DLCI to the mapped neighbor or neighbors. When applying the point-to-multipoint configuration to the example network [1], two separate frame-relay map statements must be configured on the hub router, RTB. Partial configurations for each router are shown in Figure [2].

In a point-to-multipoint configuration, OSPF treats all router-to-router connections on the nonbroadcast network as if they were point-to-point links. No DR is elected for the network. Neighbors can be manually specified using the neighbor command or can be dynamically discovered using Inverse ARP. Ultimately, point-to-multipoint OSPF offers efficient operation without administrative complexity.


2.5 Verifying OSPF Operation

2.5.1 Show commands

Figure 1: OSPF Operation and Statistics Commands

The commands in the figure verify that OSPF is working properly. These commands ensure that the routers are configured correctly and are performing the way they should.

2.5.2 Clear and debug commands

The following commands and their associated options can be used when troubleshooting OSPF. To clear all routes from the IP routing table, use the following command:

router#clear ip route *

To clear a specific route from the IP routing table, use the following command:

router#clear ip route A.B.C.D
  A.B.C.D  Destination network route to delete

To debug OSPF operations, use the following debug options:

router#debug ip ospf ?
  adj             OSPF adjacency events
  events          OSPF events
  flood           OSPF flooding
  lsa-generation  OSPF lsa generation
  packet          OSPF packets
  retransmission  OSPF retransmission events
  spf             OSPF spf
  tree            OSPF database tree


2.6 OSPF Configuration Lab Exercises

2.6.1 Configuring OSPF

Lab Activity: In this lab, you configure OSPF on three Cisco routers. First, you configure loopback interfaces to provide stable OSPF Router IDs. Then you configure the OSPF process and enable OSPF on the appropriate interfaces. After OSPF is enabled, you tune the update timers and configure authentication.

2.6.2 Examining the DR/BDR election process

Lab Activity: In this lab, you observe the OSPF DR and BDR election process using debug commands. Then you assign each OSPF interface a priority value to force the election of a specific router as a DR.

2.6.3 Configuring Point-to-Multipoint OSPF over Frame Relay

Lab Activity: In this lab, you configure OSPF as a point-to-multipoint network type so that it operates efficiently over a hub-and-spoke Frame Relay topology.


Summary

OSPF is a scalable, standards-based link-state routing protocol. OSPF's benefits include no hop-count limitation, the capability to multicast routing updates, faster convergence rates, and optimal path selection. The basic steps for OSPF operation are as follows:

1. Establish router adjacencies
2. Select a designated router and a backup designated router
3. Discover routes
4. Select appropriate routes to use
5. Maintain routing information

Connecting multiple OSPF areas in order to support a larger hierarchical routing environment is covered in the CCNP curriculum.


Section 3

EIGRP

Table of Contents

EIGRP ... 1
OVERVIEW ... 3
OBJECTIVES ... 4
3.1 EIGRP FUNDAMENTALS ... 5
3.1.1 EIGRP and IGRP compatibility ... 5
3.1.2 EIGRP design ... 7
3.1.3 EIGRP support for Novell IPX and AppleTalk ... 8
3.1.4 EIGRP terminology ... 9
3.2 EIGRP FEATURES ... 10
3.2.1 EIGRP technologies ... 10
3.2.2 Neighbor discovery and recovery ... 11
3.2.3 Reliable transport protocol ... 13
3.2.4 DUAL finite-state machine ... 14
3.2.5 Protocol-dependent modules ... 18
3.3 EIGRP COMPONENTS ... 19
3.3.1 EIGRP packet types ... 19
3.3.2 EIGRP tables ... 21
3.3.3 EIGRP tables (con't.) ... 23
3.3.4 Route tagging with EIGRP ... 26
3.4 EIGRP OPERATION ... 28
3.4.1 Convergence using EIGRP ... 28
3.5 CONFIGURING EIGRP ... 31
3.5.1 Configuring EIGRP for IP networks ... 31
3.5.2 EIGRP and the bandwidth command ... 33
3.5.3 The bandwidth-percent command ... 35
3.5.4 Configuring EIGRP for IPX networks ... 36
3.5.5 Controlling SAP updates ... 38
3.5.6 Summarizing EIGRP routes for IP ... 39
3.5.7 Summarizing EIGRP routes for IP, con't. ... 40
3.6 MONITORING EIGRP ... 42
3.6.1 Verifying EIGRP operation ... 42
3.7 EIGRP CONFIGURATION LAB EXERCISES ... 43
3.7.1 Configuring EIGRP with IGRP ... 43
3.7.2 Configuring EIGRP fault tolerance ... 43
3.7.3 Configuring EIGRP summarization ... 43
3.8 CONFIGURING EIGRP CHALLENGE LAB EXERCISE ... 44
3.8.1 EIGRP challenge lab ... 44
SUMMARY ... 45


Routing Section 3: EIGRP


Overview

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol based on Interior Gateway Routing Protocol (IGRP). Unlike IGRP, which is a classful routing protocol, EIGRP supports classless interdomain routing (CIDR), allowing network designers to maximize address space by using CIDR and variable-length subnet mask (VLSM). Compared to IGRP, EIGRP boasts faster convergence times, improved scalability, and superior handling of routing loops. Furthermore, EIGRP can replace Novell Routing Information Protocol (RIP) and AppleTalk Routing Table Maintenance Protocol (RTMP), serving both Internetwork Packet Exchange (IPX) and AppleTalk networks with powerful efficiency.

EIGRP has been described as a hybrid routing protocol offering the best of distance-vector and link-state algorithms. Technically, EIGRP is an advanced distance-vector routing protocol that relies on features commonly associated with link-state protocols. Some of the best features of OSPF, such as partial updates and neighbor discovery, are similarly put to use by EIGRP. However, the benefits of OSPF, especially its hierarchical design, come at the price of administrative complexity. As seen in Chapter 5: Multiarea OSPF, multiarea implementation of OSPF requires mastery of a complex terminology and command set. On the other hand, the advanced features of EIGRP can be easily implemented and maintained. Although it does not mirror the classic hierarchical design of OSPF, EIGRP is an ideal choice for large, multiprotocol networks built primarily on Cisco routers.

This chapter surveys the key concepts, technologies, and data structures of EIGRP. This conceptual overview is followed by a study of EIGRP convergence and basic operation. Finally, this chapter shows how to configure and verify EIGRP, including using route summarization.


Objectives

After completing this chapter, the student will be able to perform tasks related to:

3.1 EIGRP Fundamentals
3.2 EIGRP Features
3.3 EIGRP Components
3.4 EIGRP Operation
3.5 EIGRP Configuration
3.6 EIGRP Monitoring
3.7 EIGRP Configuration Lab Exercises
3.8 EIGRP Configuration Challenge Lab Exercise


3.1 EIGRP Fundamentals

3.1.1 EIGRP and IGRP compatibility

Figure 1: IGRP and EIGRP Metric Calculation

Figure 2: Using EIGRP with IGRP


Figure 3: Command Outputs

Cisco released EIGRP in 1994 as a scalable, improved version of its proprietary distance-vector routing protocol, IGRP. IGRP and EIGRP are compatible with each other, although EIGRP offers multiprotocol support and IGRP does not. Despite being compatible with IGRP, EIGRP uses a different metric calculation and hop-count limitation. EIGRP scales IGRP's metric by a factor of 256. [1] That is because EIGRP uses a metric that is 32 bits long, and IGRP uses a 24-bit metric. By multiplying or dividing by 256, EIGRP can easily exchange information with IGRP. EIGRP also imposes a maximum hop limit of 224, slightly less than IGRP's generous 255, but more than enough to support today's largest internetworks.

Sharing information between dissimilar routing protocols such as OSPF and RIP requires advanced configuration. However, sharing, or redistribution, is automatic between IGRP and EIGRP as long as both processes use the same autonomous system (AS) number. In Figure [2], RTB automatically redistributes EIGRP-learned routes to the IGRP AS, and vice versa. EIGRP will tag routes learned from IGRP (or any outside source) as external because they did not originate from EIGRP routers. On the other hand, IGRP cannot differentiate between internal and external routes.

Notice that in the show ip route command output for the routers in Figure [3], EIGRP routes are flagged with D, and external routes are denoted by EX. RTA identifies the difference between the network learned via EIGRP (172.16.1.0) and the network that was redistributed from IGRP (192.168.1.0). RTC's table shows that IGRP makes no such distinction. RTC, which is running IGRP only, just sees IGRP routes, despite the fact that both 10.1.1.0 and 172.16.1.0 were redistributed from EIGRP.


3.1.2 EIGRP design

Figure 1: EIGRP Advantages

Even though it is compatible with IGRP, EIGRP operates quite differently from its predecessor. As an advanced distance-vector routing protocol, EIGRP acts like a link-state protocol when updating neighbors and maintaining routing information. EIGRP's advantages over simple distance-vector protocols include the following:

• Rapid convergence - EIGRP routers converge quickly because they rely on a state-of-the-art routing algorithm called the Diffusing Update Algorithm (DUAL). DUAL guarantees loop-free operation at every instant throughout a route computation and allows all routers involved in a topology change to synchronize at the same time.

• Efficient use of bandwidth - EIGRP makes efficient use of bandwidth by sending partial, bounded updates and by consuming minimal amounts of bandwidth when the network is stable.

  o Partial, bounded updates - EIGRP routers make partial, incremental updates rather than sending their complete tables. This may seem similar to OSPF operation, but unlike OSPF routers, EIGRP routers send these partial updates only to the routers that need the information, not to all routers in an area. For this reason, they are called bounded updates.

  o Minimal consumption of bandwidth when the network is stable - Instead of using timed routing updates, EIGRP routers keep in touch with each other using small hello packets. Though exchanged regularly, hello packets do not consume a significant amount of bandwidth.

• Support for VLSM and CIDR - Unlike IGRP, EIGRP offers full support for classless IP by exchanging subnet masks in routing updates.

• Multiple network-layer support - EIGRP supports IP, IPX, and AppleTalk through protocol-dependent modules (PDMs).

• Independence from routed protocols - PDMs protect EIGRP from painstaking revision. Evolution of a routed protocol, such as IP, may require a new protocol module, but not necessarily a reworking of EIGRP itself.


3.1.3 EIGRP support for Novell IPX and AppleTalk

Figure 1: EIGRP Support for Novell IPX RIP and SAP

In a legacy NetWare network, servers and routers may be configured to use IPX RIP and the Service Advertising Protocol (SAP) to exchange information with peers. As time-driven protocols, IPX RIP and SAP generate updates every 60 seconds by default. These updates can crowd low-speed WAN links, especially in large internetworks. EIGRP can redistribute IPX RIP and SAP information to improve overall performance. In effect, EIGRP can take over for these two protocols. An EIGRP router will receive routing and service updates and then update other routers only when changes in the SAP or routing tables occur. Routing updates occur as they would in any EIGRP network, that is, through the use of partial updates. EIGRP sends SAP updates incrementally on all serial interfaces by default. However, incremental SAP updates must be configured manually on LAN interfaces (for example, Ethernet, Token Ring, and FDDI).

Like IP RIP, IPX RIP restricts the diameter of a network to 15 hops. By using EIGRP to redistribute IPX RIP, a network diameter can expand to EIGRP's comfortable limit of 224 hops. Moreover, EIGRP's more advanced metric, which uses bandwidth and delay, replaces Novell RIP's less optimal metric derived from hop count and ticks.

The obvious shortcomings of IPX RIP and SAP spurred Novell's development of a proprietary link-state routing protocol for NetWare, NetWare Link Services Protocol (NLSP). A link-state protocol, NLSP replaces both RIP and SAP. On servers running NetWare 3.11 or later, administrators can choose between using RIP/SAP or NLSP. Note that since Cisco IOS version 11.1, EIGRP can redistribute NLSP as well as IPX RIP.

EIGRP Support for AppleTalk

EIGRP can also take over for AppleTalk's Routing Table Maintenance Protocol (RTMP). As a distance-vector routing protocol, RTMP relies on periodic and complete exchanges of routing information. To reduce overhead, EIGRP redistributes AppleTalk routing information using event-driven updates. EIGRP also uses a configurable composite metric to determine the best route to an AppleTalk network. RTMP uses hop count, which can result in suboptimal routing. AppleTalk clients expect RTMP information from local routers, so EIGRP for AppleTalk should be run only on a clientless network, such as a WAN link.


3.1.4 EIGRP terminology

EIGRP routers keep route and topology information readily available in RAM so they can react quickly to changes. Like OSPF, EIGRP keeps this information in several tables, or databases. The following terms are related to EIGRP and its tables and are used throughout this chapter:

• Neighbor table - Each EIGRP router maintains a neighbor table that lists adjacent routers. This table is comparable to the adjacency database used by OSPF. A neighbor table is maintained for each protocol that EIGRP supports.

• Topology table - Every EIGRP router maintains a topology table for each configured network protocol. This table includes route entries for all destinations that the router has learned. All learned routes to a destination are maintained in the topology table.

• Routing table - EIGRP chooses the best routes to a destination from the topology table and places these routes in the routing table. Each EIGRP router maintains a routing table for each network protocol.

• Successor - A successor is a route selected as the primary route to use to reach a destination. Successors are the entries kept in the routing table. Multiple successors for a destination can be retained in the routing table.

• Feasible successor - A feasible successor is a backup route. These routes are selected at the same time the successors are identified but are kept in the topology table. Multiple feasible successors for a destination can be retained in the topology table.


3.2 EIGRP Features

3.2.1 EIGRP technologies

Figure 1: EIGRP technologies

EIGRP includes many new technologies, each of which represents an improvement in operating efficiency, rapidity of convergence, or functionality relative to IGRP and other routing protocols. Each of these new technologies falls into one of the following four categories:

• Neighbor discovery and recovery
• Reliable Transport Protocol (RTP)
• DUAL finite-state machine
• Protocol-specific modules

The following sections examine these technologies in detail.


3.2.2. Neighbor discovery and recovery

Figure 1: Neighbor Routers Exchange their Routing Tables

Figure 2: Neighbor Routers Exchange their Routing Tables

Figure 3: Neighbor Routers Exchange their Routing Tables


Figure 4: Neighbor Routers Exchange their Routing Tables

Figure 5: Neighbor Routers Exchange their Routing Tables

Figure 6: Neighbor Routers Exchange their Routing Tables


Figure 7: Neighbor Routers Exchange their Routing Tables

Remember that simple distance-vector routers do not establish any relationship with their neighbors. RIP and IGRP routers merely broadcast or multicast updates on configured interfaces. In contrast, EIGRP routers actively establish relationships with their neighbors, in much the same way as OSPF routers. Figures [1]–[7] illustrate how EIGRP adjacencies are established.

EIGRP routers establish adjacencies with neighbor routers by using small hello packets. Hellos are sent by default every five seconds. An EIGRP router assumes that, as long as it is receiving hello packets from known neighbors, those neighbors (and their routes) remain viable. By forming adjacencies, EIGRP routers do the following:

• Dynamically learn of new routes that join their network
• Identify routers that become either unreachable or inoperable
• Rediscover routers that had previously been unreachable

3.2.3 Reliable transport protocol

Reliable Transport Protocol (RTP) is a transport-layer protocol that can guarantee ordered delivery of EIGRP packets to all neighbors. On an IP network, hosts use TCP to sequence packets and ensure their timely delivery. However, EIGRP is protocol-independent, so it cannot rely on TCP/IP to exchange routing information the way that RIP, IGRP, and OSPF do. To stay independent of TCP/IP, EIGRP uses its own transport-layer protocol to guarantee delivery of routing information. This Cisco-proprietary transport protocol is RTP.

EIGRP can call on RTP to provide reliable or unreliable service as the situation warrants. For example, hello packets do not require the overhead of reliable delivery because they are frequent and should be kept small. Nevertheless, the reliable delivery of other routing information can actually speed convergence because EIGRP routers are not waiting for a timer to expire before they retransmit. With RTP, EIGRP can multicast and unicast to different peers simultaneously, allowing for maximum efficiency.

3.2.4 DUAL finite-state machine

Figure 1: DUAL Example

Figure 2: DUAL Example


Figure 3: DUAL Example

Figure 4: DUAL Example


Figure 5: DUAL Example

Figure 6: DUAL Example


Figure 7: DUAL Example

The centerpiece of EIGRP is the Diffusing Update Algorithm (DUAL), EIGRP's route-calculation engine. The full name of this technology is DUAL finite-state machine (FSM). An FSM is an abstract machine, not a mechanical device with moving parts. FSMs define a set of possible states that something can go through, what events cause those states, and what events result from those states. Designers use FSMs to describe how a device, computer program, or routing algorithm will react to a set of input events. The DUAL FSM contains all the logic used to calculate and compare routes in an EIGRP network.

DUAL tracks all the routes advertised by neighbors and uses the composite metric of each route to compare them. DUAL also guarantees that each path is loop-free. Lowest-cost paths are then inserted by the DUAL protocol into the routing table. As noted earlier in the chapter, EIGRP keeps important route and topology information readily available in a neighbor table and a topology table. These tables supply DUAL with comprehensive route information in case of network disruption. DUAL selects alternate routes quickly by using the information in these tables.

If a link goes down, DUAL looks for a feasible successor in its neighbor and topology tables. A successor is a neighboring router that is currently being used for packet forwarding. The successor provides the least-cost route to the destination and is not part of a routing loop. Feasible successors provide the next lowest-cost path without introducing routing loops. Feasible successor routes can be used in case the existing route fails. Packets to the destination network are immediately forwarded to the feasible successor, which at that point is promoted to the status of successor as illustrated in Figures [1]–[7].

Note in the example that router D does not have a feasible successor identified. The FD (feasible distance, or the lowest calculated metric for a destination) for router D to router A is 2 and the AD (administrative distance) via router C is 3. Because the AD is smaller than the best-route metric but larger than the FD, no feasible successor is placed in the topology table. Router C has a feasible successor identified, as does router E, because the route is loop-free and because the AD for the next hop router is less than the FD for the successor.
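The feasibility test applied above to routers D, C and E, carried out in Python over constructed topology-table entries (an added example, not code from the curriculum): router names, link costs and advertised metrics are assumed, with the text's AD taken as the metric a neighbor advertises for the destination. The second function shows what DUAL does when the successor's link fails: it promotes a feasible successor at once, or the route goes active when none exists.

```python
"""DUAL successor / feasible-successor selection (added example, not from the curriculum).

Every table below is constructed for illustration: router names, link costs and
the metric each neighbor advertises for the destination (the AD of the text) are
assumed, not taken from the page's figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    """One topology-table row for a single destination as seen by the local router."""
    neighbor: str
    advertised_distance: int  # AD: the neighbor's own metric to the destination
    link_cost: int            # metric of the local link to that neighbor

    @property
    def total_distance(self) -> int:
        return self.advertised_distance + self.link_cost


def select_routes(entries):
    """Return (feasible_distance, successors, feasible_successors).

    Successors are the entries with the lowest total distance; that value is the FD.
    A feasible successor is any other entry whose AD is strictly less than the FD.
    A neighbor that is closer to the destination than the local router cannot be
    routing through the local router, so the backup path is loop-free by construction.
    """
    if not entries:
        return None, [], []
    fd = min(e.total_distance for e in entries)
    successors = [e for e in entries if e.total_distance == fd]
    feasible = [e for e in entries
                if e.total_distance > fd and e.advertised_distance < fd]
    return fd, successors, feasible


def on_successor_loss(entries, failed_neighbor):
    """Model the DUAL decision when the link to `failed_neighbor` goes down.

    Returns ("passive", entry) when another successor or a feasible successor can be
    promoted immediately, or ("active", None) when no feasible successor exists and
    DUAL would have to query the neighbors for the destination.
    """
    _, successors, feasible = select_routes(entries)
    if not any(s.neighbor == failed_neighbor for s in successors):
        # The failed neighbor was never the successor; nothing changes.
        return "passive", successors[0]
    remaining_successors = [s for s in successors if s.neighbor != failed_neighbor]
    if remaining_successors:
        # An equal-cost successor is still available (EIGRP keeps several in the routing table).
        return "passive", remaining_successors[0]
    candidates = [e for e in feasible if e.neighbor != failed_neighbor]
    if candidates:
        return "passive", min(candidates, key=lambda e: e.total_distance)
    return "active", None


# Router D from the text: FD 2 via A, but C advertises 3, which is not below the FD,
# so C is not a feasible successor and the route goes active if A's link fails.
ROUTER_D_TABLE = [TopologyEntry("A", 1, 1), TopologyEntry("C", 3, 1)]

# Router E (constructed numbers): B is the successor with FD 3; C advertises 2 < 3,
# so C is retained in the topology table as a feasible successor.
ROUTER_E_TABLE = [TopologyEntry("B", 2, 1), TopologyEntry("C", 2, 2)]


if __name__ == "__main__":
    for name, table in (("D", ROUTER_D_TABLE), ("E", ROUTER_E_TABLE)):
        fd, succ, fs = select_routes(table)
        print(f"Router {name}: FD={fd} successors={[s.neighbor for s in succ]} "
              f"feasible successors={[f.neighbor for f in fs]}")
        print("  after losing successor:", on_successor_loss(table, succ[0].neighbor))
```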

3.2.5 Protocol-dependent modules

Figure 1: EIGRP PDMs

One of EIGRP's most attractive features is its modular design. Modular, layered designs prove to be the most scalable and adaptable. Support for routed protocols such as IP, IPX, and AppleTalk is included in EIGRP through protocol-dependent modules (PDMs). EIGRP can easily adapt to new or revised routed protocols (for example, IPv6) by adding protocol-dependent modules. Each PDM is responsible for all functions related to its specific routed protocol. The IP-EIGRP module is responsible for the following:

• Sending and receiving EIGRP packets that bear IP data

• Notifying DUAL of new IP routing information that is received

• Maintaining the results of DUAL's routing decisions in the IP routing table

• Redistributing routing information that was learned by other IP-capable routing protocols

3.3 EIGRP Components

3.3.1 EIGRP packet types

Figure 1: EIGRP Packet Types

Figure 2: Default Hello Intervals and Hold Times for EIGRP

Like OSPF, EIGRP relies on several different kinds of packets to maintain its various tables and establish complex relationships with neighbor routers (Figure [1]). The five EIGRP packet types are listed here:

• Hello
• Acknowledgment
• Update
• Query
• Reply

The following sections describe these packet types in detail.

Hello Packets

EIGRP relies on hello packets to discover, verify, and rediscover neighbor routers. Rediscovery occurs if EIGRP routers do not receive each other's hellos for a hold time interval but then re-establish communication.


EIGRP routers send hellos at a fixed (and configurable) interval, called the hello interval. The default hello interval depends on the bandwidth of the interface, as shown in Figure [2]. EIGRP hello packets are multicast. On IP networks, EIGRP routers send hellos to the multicast IP address 224.0.0.10.

An EIGRP router stores information about neighbors in the neighbor table, including the last time that each neighbor responded. This is updated when any EIGRP packets, hello or otherwise, are received from a neighbor. If a neighbor is not heard from for the duration of the hold time, EIGRP considers that neighbor down, and DUAL must re-evaluate the routing table. By default, the hold time is three times the hello interval, but an administrator can configure both timers as desired.

Recall that OSPF requires neighbor routers to have the same hello and dead intervals to communicate. EIGRP has no such restriction. Neighbor routers learn about each other's respective timers via the exchange of hello packets, and they use that information to forge a stable relationship, despite unlike timers.

Acknowledgment Packets

An EIGRP router uses acknowledgment packets to indicate receipt of any EIGRP packet during a "reliable" exchange. Recall that RTP can provide reliable communication between EIGRP hosts. To be reliable, a sender's message must be acknowledged by the recipient. Acknowledgment packets, which are "dataless" hello packets, are used for this purpose. Unlike multicast hellos, acknowledgment packets are unicast. Note also that acknowledgments can be made by piggybacking on other kinds of EIGRP packets, such as reply packets. Hello packets are always sent unreliably and thus do not require acknowledgment.

Update Packets

Update packets are used when a router discovers a new neighbor. An EIGRP router sends unicast update packets to that new neighbor so that it can add to its topology table. More than one update packet may be needed to convey all the topology information to the newly discovered neighbor. Update packets are also used when a router detects a topology change. In this case, the EIGRP router sends a multicast update packet to all neighbors, alerting them to the change. All update packets are sent reliably.

Query and Reply Packets

An EIGRP router uses query packets whenever it needs specific information from one or all of its neighbors. A reply packet is used to respond to a query. If an EIGRP router loses its successor and cannot find a feasible successor for a route, DUAL places the route in the active state. At this point, the router multicasts a query to all neighbors, searching for a successor to the destination network. Neighbors must send replies that either provide information on successors or indicate that no successor information is available. Queries can be multicast or unicast, while replies are always unicast. Both packet types are sent reliably.


3.3.2 EIGRP tables

Figure 1: EIGRP Neighbor Table

Figure 2: EIGRP PDMs


Figure 3: EIGRP Routing Table

DUAL can select alternate routes based on the tables kept by EIGRP. By building these tables, every EIGRP router can track all the routing information in an autonomous system (AS), not just the best routes. The following sections examine the neighbor table, the routing table, and the topology table in detail and provide an example of each. In addition, we will look at the various packet types used by EIGRP to build and maintain these tables.

The Neighbor Table

The most important table in EIGRP is the neighbor table (refer to Figure [1]). The neighbor relationships tracked in the neighbor table are the basis for all EIGRP routing update and convergence activity. The neighbor table contains information about adjacent neighboring EIGRP routers. Whenever a new neighbor is discovered, the address of that neighbor and the interface used to reach it are recorded in a new neighbor table entry. A neighbor table is used to support reliable, sequenced delivery of packets. One field in each row of the table includes the sequence number of the last packet received from that neighbor. EIGRP uses this field to acknowledge a neighbor's transmission and to identify packets that are out of sequence. As shown in Figure [1], an EIGRP neighbor table includes the following key elements:

- Neighbor address (Address) - The network-layer address of the neighbor router.

- Hold time (Hold Uptime) - The interval to wait without receiving anything from a neighbor before considering the link unavailable. Originally, the expected packet was a hello packet, but in current Cisco IOS software releases, any EIGRP packets received after the first hello will reset the timer.

- Smooth Round-Trip Timer (SRTT) - The average time that it takes to send and receive packets from a neighbor. This timer is used to determine the retransmit interval (RTO).

- Queue count (Q Cnt) - The number of packets waiting in queue to be sent. If this value is constantly higher than zero, then there may be a congestion problem at the router. A zero means that there are no EIGRP packets in the queue.

Note that an EIGRP router can maintain multiple neighbor tables, one for each PDM running (for example, IP, IPX, and AppleTalk as shown in Figure [2]). A router must run a unique EIGRP process for each routed protocol.

The Routing Table

The routing table contains the routes installed by DUAL as the best loop-free paths to a given destination as shown in Figure [3]. EIGRP will maintain up to four routes per destination. These routes can be of equal or unequal cost. EIGRP routers maintain a separate routing table for each routed protocol.

3.3.3 EIGRP tables (con’t.)

Figure 1: EIGRP Topology Table

Figure 2: EIGRP Successors and Feasible Successors

Figure 3: EIGRP Successors and Feasible Successors

Figure 4: EIGRP Successors and Feasible Successors

The Topology Table

EIGRP uses its topology table to store all the information it needs to calculate a set of distances and vectors to all reachable destinations. EIGRP maintains a separate topology table for each routed protocol. A sample EIGRP topology table is shown in Figure [1]. The topology table is made up of all the EIGRP routing tables in the autonomous system. By tracking this information, EIGRP routers can find alternate routes quickly. The topology table includes the following fields:

- Feasible distance (FD is xxxx) - The feasible distance (FD) is the lowest calculated metric to each destination. For example, in Figure [1], the feasible distance to 32.0.0.0 is 2195456 as indicated by FD is 2195456.

- Route source (via xxx.xxx.xxx.xxx) - The source of the route is the identification number of the router that originally advertised that route. This field is populated only for routes learned externally from the EIGRP network. Route tagging can be particularly useful with policy-based routing. For example, in Figure [1], the route source to 32.0.0.0 is 200.10.10.10 via 200.10.10.10.

- Reported distance (FD/RD) - The reported distance (RD) of the path is the distance reported by an adjacent neighbor to a specific destination. For example, in Figure [1], the reported distance to 32.0.0.0 is 281600 as indicated by (2195456/281600).

In addition to these fields, each entry includes the interface through which the destination is reachable. EIGRP sorts the topology table so that the successor routes are at the top, followed by feasible successors. At the bottom, EIGRP lists routes that DUAL believes to be loops in the topology table.

How does an EIGRP router determine which routers are successors and which routers are feasible successors? Assume that RTA's routing table includes a route to Network Z via RTB (see Figure [2]). From RTA's point of view, RTB is the current successor for Network Z; RTA will forward packets destined for Network Z to RTB. RTA must have at least one successor for Network Z for DUAL to place it in the routing table.

Can RTA have more than one successor for Network Z? If RTC claims to have a route to Network Z with the exact same metric as RTB, then RTA also considers RTC a successor, and DUAL will install a second route to Network Z via RTC (see Figure [3]). Any of RTA's other neighbors that advertise a loop-free route to Network Z (but with an RD higher than the best-route metric and lower than the FD) will be identified as feasible successors in the topology table, as shown in Figure [4]. A router views its feasible successors as neighbors that are downstream, or closer, to the destination than it is. If something goes wrong with the successor, DUAL can quickly identify a feasible successor from the topology table and install a new route to the destination. If no feasible successors to the destination exist, DUAL places the route in the active state.

Entries in the topology table can be in one of two states: active or passive. These states identify the status of the route indicated by the entry rather than the status of the entry itself. A passive route is one that is stable and available for use. An active route is a route in the process of being recomputed by DUAL. Recomputation happens if a route becomes unavailable and DUAL cannot find any feasible successors. When this occurs, the router must ask neighbors for help in finding a new, loop-free path to the destination. Neighbor routers are compelled to reply to this query. If a neighbor has a route, it will reply with information about the successor(s). If not, the neighbor notifies the sender that it does not have a route to the destination either. Excess recomputation is a symptom of network instability and results in poor performance. To prevent convergence problems, DUAL always tries to find a feasible successor before resorting to a recomputation. If a feasible successor is available, DUAL can quickly install the new route and avoid recomputation.

"Stuck in Active" Routes

If one or more routers to which a query is sent do not respond with a reply within the active time of 180 seconds (3 minutes), the route, or routes, in question are placed in the "stuck in active" state. When this happens, EIGRP clears the neighbors that did not send a reply and logs a "stuck in active" error message for the route(s) that went active.

3.3.4 Route tagging with EIGRP

Figure 1: Viewing EIGRP Route Tag Information

Not only does the topology table track information regarding route states, but it also can record special information about each route. EIGRP classifies routes as either internal or external. EIGRP uses a process called route tagging to add special tags to each route. These tags identify a route as internal or external and may include other information as well. Internal routes originate from within the EIGRP AS. External routes originate from outside the system. Routes learned (redistributed) from other routing protocols, such as RIP, OSPF, and IGRP, are external. Static routes originating from outside the EIGRP AS and redistributed inside are also external routes. All external routes are included in the topology table and are tagged with the following information:

- The identification number (router ID) of the EIGRP router that redistributed the route into the EIGRP network

- The AS number of the destination

- The protocol used in that external network

- The cost or metric received from that external protocol

- The configurable administrator tag

The figure shows a specific topology table entry for an external route. To develop a precise routing policy, take advantage of route tagging and, in particular, the administrator tag shown in the shaded portion of the figure. A network administrator can configure the administrator tag to be any number between 0 and 255; in effect, this is a custom tag that can be used to implement a special routing policy. External routes can be accepted, rejected, or propagated based on any of the route tags, including the administrator tag. Because a network administrator can configure the administrator tag, the route-tagging feature affords a high degree of control. This level of precision and flexibility proves especially useful when EIGRP networks interact with Border Gateway Protocol (BGP) networks, which themselves are policy-based.


3.4 EIGRP Operation

3.4.1 Convergence using EIGRP

Figure 1: Convergence Using EIGRP

Figure 2: Topology Table Entries for Network 24


Figure 3: Convergence Using EIGRP

Figure 4: Convergence Using EIGRP

DUAL's sophisticated algorithm results in EIGRP's exceptionally fast convergence. To better understand convergence using DUAL, consider the scenario in Figure [1]. RTA can reach network 24 via three different routers: RTX, RTY, or RTZ. In Figure [1], EIGRP's composite metric is replaced by a link cost to simplify calculations. RTA's topology table includes a list of all routes advertised by neighbors. For each network, RTA keeps the real (computed) cost of getting to that network and also keeps the advertised cost (reported distance) from its neighbor, as shown in Figure [2].


At first, RTY is the successor to network 24, by virtue of its lowest computed cost. RTA's lowest calculated metric to Network 24 is 31; this value is the FD to Network 24. What if the successor to Network 24, RTY, becomes unavailable, as shown in Figure [3]? RTA follows a three-step process to select a feasible successor to become a successor for Network 24:

1. Determine which neighbors have a reported distance (RD) to Network 24 that is less than RTA's FD to network 24. The FD is 31; RTX's RD is 30, and RTZ's RD is 220 (see Figure [2]). Thus, RTX's RD is below the current FD, while RTZ's RD is not.

2. Determine the minimum computed cost to Network 24 from among the remaining routes available. The computed cost via RTX is 40, while the computed cost via RTZ is 230. Thus, RTX provides the lowest computed cost.

3. Determine whether any routers that met the criterion in Step 1 also met the criterion in Step 2. RTX has done both, so it is the feasible successor.

With RTY down, RTA immediately uses RTX (the feasible successor) to forward packets to Network 24. The capability to make an immediate switchover to a backup route is the key to EIGRP's exceptionally fast convergence times. However, what happens if RTX also becomes unavailable, as shown in Figure [4]? Can RTZ be a feasible successor? Using the same three-step process as before, RTA finds that RTZ is advertising a cost of 220, which is not less than RTA's FD of 31. Therefore, RTZ cannot be a feasible successor (yet). The FD can change only during an active-to-passive transition, and this did not occur, so it remains at 31. At this point, because there has not been a transition to active state for network 24, DUAL has been performing what is called a local computation. RTA cannot find any feasible successors, so it finally transitions from passive to active state for Network 24 and queries its neighbors about Network 24. This process is known as a diffusing computation. When Network 24 is in active state, the FD is reset. This allows RTA to at last accept RTZ as the successor to Network 24.
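The successor and feasible-successor rules of section 3.3.3 and the three-step Network 24 walk-through above, worked through in Python as an added example (not Cisco code): the class and function names are constructed, and RTY's reported distance of 21 is an assumption, since the chapter gives only RTA's computed cost of 31 via RTY.

```python
"""DUAL successor / feasible-successor selection for RTA's Network 24 entry.

As in the chapter, a plain link cost stands in for EIGRP's composite metric.
RTX (computed 40, RD 30), RTZ (computed 230, RD 220) and the FD of 31 via RTY
are the chapter's figures; RTY's RD of 21 (link cost 10) is constructed.
"""
from dataclasses import dataclass


@dataclass
class Path:
    """One neighbor's advertisement for a destination, as kept in RTA's
    topology table: the reported distance (RD) plus the local link cost."""
    neighbor: str
    reported_distance: int
    link_cost: int

    @property
    def computed_cost(self) -> int:
        return self.reported_distance + self.link_cost


class DualRoute:
    """Topology-table entry for one destination, driven by DUAL's rules."""

    def __init__(self, destination: str, paths):
        self.destination = destination
        self.paths = {p.neighbor: p for p in paths}
        self.fd = None            # feasible distance
        self.successor = None
        self.state = "passive"
        self.events = []          # readable trace of what DUAL did
        self._install_best()

    def _install_best(self):
        """Install the lowest computed cost as successor and set the FD.  The FD
        is touched only here: on first installation and on an active-to-passive
        transition, the only time the chapter allows the FD to change."""
        best = min(self.paths.values(), key=lambda p: p.computed_cost)
        self.successor = best.neighbor
        self.fd = best.computed_cost
        self.state = "passive"
        self.events.append(f"{best.neighbor} installed as successor, FD={self.fd}")

    def feasible_successors(self):
        """Feasibility condition: a neighbor whose RD is strictly less than the
        current FD is downstream of this router and therefore loop-free."""
        return sorted(p.neighbor for p in self.paths.values()
                      if p.neighbor != self.successor and p.reported_distance < self.fd)

    def neighbor_down(self, neighbor: str):
        """Handle the loss of `neighbor`; return the new successor (or None)."""
        self.paths.pop(neighbor, None)
        if neighbor != self.successor:
            return self.successor        # a non-successor path; nothing to do
        # Step 1: neighbors whose RD is below the FD (the feasibility condition).
        step1 = [p for p in self.paths.values() if p.reported_distance < self.fd]
        # Steps 2 and 3: of those, the lowest computed cost is promoted at once.
        # This is a local computation: the route stays passive, the FD is kept.
        if step1:
            chosen = min(step1, key=lambda p: p.computed_cost)
            self.successor = chosen.neighbor
            self.events.append(f"local computation: {chosen.neighbor} promoted, FD stays {self.fd}")
            return self.successor
        # No feasible successor: the route goes active and the router queries
        # its neighbors (a diffusing computation).  The replies here are the
        # RDs already held for the surviving neighbors.
        self.state = "active"
        self.successor = None
        self.events.append(f"{self.destination} active: querying neighbors")
        if not self.paths:
            self.events.append("no neighbor has a route: destination unreachable")
            return None
        # On the active-to-passive transition the FD is reset, so an RD that
        # failed the feasibility check (RTZ's 220) can now become the successor.
        self._install_best()
        return self.successor


def network24_topology() -> DualRoute:
    """RTA's topology-table entry for Network 24 (Figures 1 and 2)."""
    return DualRoute("Network 24", [
        Path("RTX", reported_distance=30, link_cost=10),    # computed 40
        Path("RTY", reported_distance=21, link_cost=10),    # computed 31 (RD constructed)
        Path("RTZ", reported_distance=220, link_cost=10),   # computed 230
    ])


if __name__ == "__main__":
    route = network24_topology()
    print("successor:", route.successor, "FD:", route.fd, "FS:", route.feasible_successors())
    for lost in ("RTY", "RTX"):
        route.neighbor_down(lost)
        print(f"after losing {lost}: successor={route.successor} FD={route.fd} state={route.state}")
    print("\n".join(route.events))
```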


3.5 Configuring EIGRP

3.5.1 Configuring EIGRP for IP networks

Figure 1: Configuring EIGRP for IP

Despite the complexity of DUAL, configuring EIGRP can be relatively simple. EIGRP configuration commands vary depending on the protocol that is to be routed (for example, IP, IPX, or AppleTalk). This section covers configuration commands for each of these routed protocols, in addition to special controls for IPX SAP.

Perform the following steps to configure EIGRP for IP:

1. Enable EIGRP and define the autonomous system.

router(config)# router eigrp autonomous-system-number

The autonomous-system-number is the number that identifies the autonomous system. It is used to indicate all routers that belong within the internetwork. This value must be the same for all routers within the internetwork.

2. Indicate which networks belong to the EIGRP autonomous system on the local router.

router(config-router)# network network-number

The network-number is the network number that determines which interfaces of the router are participating in EIGRP and which networks are advertised by the router. The network command configures only connected networks. For example, network 3.1.0.0 (on the far left of the main Figure) is not directly connected to Router A. Consequently, that network is not part of Router A's configuration.

3. When configuring serial links using EIGRP, it is important to configure the bandwidth setting on the interface. If the bandwidth for these interfaces is not changed, EIGRP assumes the default bandwidth on the link instead of the true bandwidth. If the link is slower, the router may not be able to converge, routing updates might become lost, or suboptimal path selection may result.

router(config-if)# bandwidth kilobits

The value, kilobits, indicates the intended bandwidth in kilobits per second. For generic serial interfaces (PPP or HDLC), set the bandwidth to the line speed.

Cisco also recommends adding the following command to all EIGRP configurations:

router(config-if)# eigrp log-neighbor-changes

This command enables the logging of neighbor adjacency changes to monitor the stability of the routing system and to help detect problems.

Interactive Lab Activity: In this lab exercise, you will configure EIGRP on the Singapore router. The SanJose3 router is already configured for EIGRP.


3.5.2 EIGRP and the bandwidth command

Figure 1: EIGRP WAN Configuration-Pure Multipoint

Figure 2: EIGRP WAN Configuration-Hybrid Multipoint


Figure 3: EIGRP WAN Configuration-Hybrid Multipoint (Preferred)

Network administrators should follow three rules when configuring EIGRP over a nonbroadcast multiaccess (NBMA) cloud such as Frame Relay:

- EIGRP traffic should not exceed the committed information rate (CIR) capacity of the virtual circuit (VC).

- EIGRP's aggregated traffic over all the VCs should not exceed the access line speed of the interface.

- The bandwidth allocated to EIGRP on each VC must be the same in both directions.

If these rules are understood and followed, EIGRP works well over the WAN. If care is not taken in the configuration of the WAN, EIGRP can swamp the network.

Configuring Bandwidth over a Multipoint Network

The configuration of the bandwidth command in an NBMA cloud depends on the design of the VCs. If the serial line has many VCs in a multipoint configuration and all of the VCs share bandwidth evenly, set the bandwidth to the sum of all of the CIRs. For example, in Figure [1], each VC's CIR is set to 56 Kbps. Since there are 4 VCs, the bandwidth is set to 224 (4 x 56).

Configuring Bandwidth over a Hybrid Multipoint Network

If the multipoint network has differing speeds allocated to the VCs, a more complex solution is needed. There are two main approaches:

1. Take the lowest CIR and multiply this by the number of VCs. As shown in Figure [2], this is applied to the physical interface. The problem with this configuration is that the higher-bandwidth links may be underutilized.

2. Use subinterfaces. The bandwidth command may be configured on each subinterface, which allows different speeds on each VC. In this case, subinterfaces are configured for the links with the differing CIRs. The links that have the same configured CIR are presented as a single subinterface with a bandwidth that reflects the aggregate CIR of all the circuits. In Figure [3], three of the VCs have the same CIR, 256 Kbps. All three VCs are grouped together as a multipoint subinterface, serial 0.1. The single remaining VC, which has a lower CIR, 56 Kbps, can be assigned a point-to-point subinterface, serial 0.2.

3.5.3 The bandwidth-percent command

Figure 1: Using the ip bandwidth-percent Command

The bandwidth-percent command configures the percentage of bandwidth that may be used by EIGRP on an interface. By default, EIGRP is set to use only up to 50% of the bandwidth of an interface to exchange routing information. In order to calculate its percentage, the bandwidth-percent command relies on the value set by the bandwidth command.

Use the bandwidth-percent command when the bandwidth setting of a link does not reflect its true speed. The bandwidth value may be artificially low for a variety of reasons, such as to manipulate the routing metric or to accommodate an oversubscribed multipoint Frame Relay configuration. Regardless of the reasons, configure EIGRP to overcome an artificially low bandwidth setting by setting the bandwidth-percent to a higher number. In some cases, it may even be set to a number above 100.

For example, assume that the actual bandwidth of a router's serial link is 64 Kbps, but the bandwidth value is set artificially low, to 32 Kbps. The figure shows how to modify EIGRP's behavior so that it limits routing protocol traffic according to the actual bandwidth of the serial interface. The example configuration sets serial 0's bandwidth-percent to 100 percent for the EIGRP process running in AS 24. Since 100 percent of 32 kbps is 32, EIGRP will be allowed to use half of the actual bandwidth of 64 Kbps.

Note that a network administrator can change EIGRP's percentage of bandwidth for IP, IPX, and AppleTalk with the following commands:

- ip bandwidth-percent eigrp

- ipx bandwidth-percent eigrp

- appletalk eigrp-bandwidth-percent
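A planner for the three NBMA rules of section 3.5.2 and the bandwidth-percent arithmetic of section 3.5.3, added here as an example rather than Cisco IOS code: the function names, the subinterface numbering it assigns and the access line speed passed to the rule check are constructed, while the VC sets (four 56 Kbps VCs; three 256 Kbps VCs plus one 56 Kbps VC) and the 32/64 Kbps case are the chapter's figures.

```python
"""EIGRP bandwidth planning for an NBMA (Frame Relay) interface.  All speeds
are in Kbps; every value derived here is what an operator would type into
'bandwidth' and 'bandwidth-percent' or compare against the CIRs."""
from collections import Counter

DEFAULT_EIGRP_PERCENT = 50   # EIGRP may use at most 50% of 'bandwidth' by default


def pure_multipoint_bandwidth(cirs):
    """Figure 1: VCs share the interface evenly, so bandwidth = sum of the CIRs
    (four 56 Kbps VCs -> 224)."""
    return sum(cirs)


def hybrid_lowest_cir_bandwidth(cirs):
    """Hybrid approach 1 (Figure 2): lowest CIR x number of VCs on the physical
    interface.  Safe for the slowest VC, but the faster VCs are underutilized."""
    return min(cirs) * len(cirs)


def hybrid_subinterface_plan(cirs):
    """Hybrid approach 2 (Figure 3): VCs with the same CIR share one multipoint
    subinterface (bandwidth = count x CIR); a lone VC gets a point-to-point
    subinterface.  The serial 0.N numbering is constructed, fastest group first."""
    plan = []
    groups = sorted(Counter(cirs).items(), key=lambda kv: -kv[0])
    for index, (cir, count) in enumerate(groups, start=1):
        plan.append({
            "subinterface": f"serial 0.{index}",
            "type": "multipoint" if count > 1 else "point-to-point",
            "vcs": count,
            "cir": cir,
            "bandwidth": cir * count,
        })
    return plan


def eigrp_allowance(bandwidth, percent=DEFAULT_EIGRP_PERCENT):
    """Kbps EIGRP may consume on an interface.  bandwidth-percent applies to
    the configured bandwidth value, never to the real line speed."""
    return bandwidth * percent // 100


def bandwidth_percent_for(configured_kbps, actual_kbps, share=0.5):
    """bandwidth-percent that gives EIGRP `share` of the real link when the
    configured bandwidth is artificially low.  Section 3.5.3's case: bandwidth
    32 on a 64 Kbps link -> 100 (the result may legitimately exceed 100)."""
    return round(share * actual_kbps / configured_kbps * 100)


def check_rules(plan, access_line_kbps, percent=DEFAULT_EIGRP_PERCENT):
    """Rules 1 and 2 of section 3.5.2: EIGRP's share per VC must stay within
    the CIR and its aggregate within the access line.  Rule 3 (equal allocation
    in both directions) needs the far end's configuration and is not checked."""
    problems = []
    aggregate = 0
    for sub in plan:
        allowance = eigrp_allowance(sub["bandwidth"], percent)
        per_vc = allowance / sub["vcs"]
        if per_vc > sub["cir"]:
            problems.append(f"{sub['subinterface']}: EIGRP {per_vc:.0f} Kbps per VC "
                            f"exceeds CIR {sub['cir']}")
        aggregate += allowance
    if aggregate > access_line_kbps:
        problems.append(f"aggregate EIGRP {aggregate} Kbps exceeds access line {access_line_kbps}")
    return problems


if __name__ == "__main__":
    print("pure multipoint, 4 x 56:", pure_multipoint_bandwidth([56, 56, 56, 56]))
    hybrid = [256, 256, 256, 56]
    print("hybrid, lowest CIR x VCs:", hybrid_lowest_cir_bandwidth(hybrid))
    plan = hybrid_subinterface_plan(hybrid)
    for sub in plan:
        print(f"  {sub['subinterface']} {sub['type']}: bandwidth {sub['bandwidth']}, "
              f"EIGRP up to {eigrp_allowance(sub['bandwidth'])} Kbps")
    print("violations at default 50% on a 1024 Kbps access line:", check_rules(plan, 1024))
    print("bandwidth 32 on a 64 Kbps link needs bandwidth-percent", bandwidth_percent_for(32, 64))
```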


3.5.4 Configuring EIGRP for IPX networks

Figure 1: Configuring EIGRP Support for IPX

Figure 2: Configuring EIGRP Support for IPX


To enable EIGRP for IPX, perform the following steps:

1. Enable IPX routing.

router(config)# ipx routing

2. Define EIGRP as the IPX routing protocol.

router(config)# ipx router {eigrp autonomous-system-number | rip}

If IPX EIGRP is selected, an autonomous system number must be specified. This number must be the same for all IPX EIGRP routers in the network (see Figures [1] and [2]).

3. Indicate which networks belong to the EIGRP autonomous system.

router(config-ipx-router)# network network-number

4. (Optional) If IPX RIP is also operating on the router, remove RIP from the networks using EIGRP by going to the ipx router rip configuration entry and doing the following:

router(config-ipx-router)# no network network-number

By default, Cisco routers redistribute IPX RIP routes into IPX EIGRP, and vice versa. When routes are redistributed, a RIP route to a destination with a hop count of 1 is always preferred over an EIGRP route with a hop count of 1. This ensures that the router always believes a Novell IPX server over a Cisco router for internal IPX networks. (The only exception to this rule is if both the RIP and EIGRP updates were received from the same router. In this case, the EIGRP route always is preferred over the RIP route when the hop counts are the same.)

Controlling IPX RIP

IPX RIP runs by default when IPX routing is enabled. If a legacy Novell server is using IPX RIP, a router's LAN interface must also run IPX RIP to exchange routing information with the server. Because the IPX RIP routes are redistributed into EIGRP, the router does not need to run IPX RIP on a serial link to another Cisco router. IPX EIGRP should be used instead. An administrator can disable IPX RIP on a network-by-network basis using the no network command, as shown in step 4, above. EIGRP offers other advantages over RIP in the exchange of IPX information across WAN links, including controlling of SAP updates, which is discussed in the following section.


3.5.5 Controlling SAP updates

Figure 1: Controlling SAP Updates

Figure 2: Configuring EIGRP for Incremental SAP Updates

If an IPX EIGRP router has another IPX EIGRP router as its link partner, a network administrator can configure the router to send SAP updates periodically or when a change occurs in the SAP table. When no IPX EIGRP peer is present on the interface, periodic SAPs are always sent. On serial lines, by default, if an EIGRP neighbor is present, the router sends SAP updates only when the SAP table changes. Overhead is greatly reduced if a router updates other routers only when a change occurs. On Ethernet, Token Ring, and FDDI interfaces, the router sends SAP updates periodically by default. To reduce the amount of bandwidth required to send SAP updates, a network administrator might want to disable the periodic sending of SAP updates on LAN interfaces. This is done only when all nodes out this interface are EIGRP peers; otherwise, loss of SAP information on the other nodes will result. If a router's LAN interface connects to a NetWare server, as shown in the figure, do not disable periodic updates. However, Figure [1] shows that incremental SAP updates on RTC's E0 can safely be configured.


To configure incremental SAP updates using EIGRP, issue the ipx sap-incremental eigrp command, which has the following syntax:

router(config-if)#ipx sap-incremental eigrp autonomous-system-number [rsup-only]

The rsup-only keyword is used to indicate that on this interface the system uses EIGRP to carry reliable SAP update information only. RIP routing updates are used, and EIGRP routing updates are ignored. Configure incremental SAP for RTC as shown in Figure [2]. Note that in Figure [1], RTC does not need to run IPX RIP. Thus, it is explicitly disabled by using the command no ipx router rip in the configuration in Figure [2].

3.5.6 Summarizing EIGRP routes for IP

Figure 1: EIGRP Automatically Summarizes Based on Class

Figure 2: EIGRP Automatically Summarizes Based on Class

EIGRP automatically summarizes routes at the classful boundary (that is, the boundary where the network address ends as defined by class-based addressing). This means that even though RTC is connected only to the subnet 2.1.1.0, it will advertise that it is connected to the entire Class A network, 2.0.0.0. In most cases, auto summarization is a good thing; it keeps routing tables as compact as possible (see Figure [1]).


However, as illustrated in Chapter 2: IP Addressing, a network administrator may not want automatic summarization to occur. If the network has discontiguous subnetworks, as shown in Figure [2], auto-summarization must be disabled for routing to work properly. To turn off auto-summarization, use the following command:

router(config-router)#no auto-summary

3.5.7 Summarizing EIGRP routes for IP, con’t.

Figure 1: Manual Summarization with EIGRP

EIGRP also enables a network administrator to manually configure a prefix to use as a summary address. Manual summary routes are configured on a per-interface basis, so the network administrator must first select the interface that will propagate the route summary. Then the summary address can be defined with the ip summary-address eigrp command, which has the following syntax:

router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask administrative-distance

EIGRP summary routes have an administrative distance of 5 by default. Optionally, they can be configured for a value between 1 and 255. In the figure, RTC can be configured using the commands shown:

RTC(config)#router eigrp 2446
RTC(config-router)#no auto-summary
RTC(config-router)#exit
RTC(config)#interface serial0
RTC(config-if)#ip summary-address eigrp 2446 2.1.0.0 255.255.0.0

Thus, RTC will add a route to its table, as follows:

D    2.1.0.0/16 is a summary, 00:00:22, Null0

Notice that the summary route is sourced from Null0 and not an actual interface. This is because this route is used for advertisement purposes and does not represent a path that RTC can take to reach that network. On RTC, this route has an administrative distance of 5. In the figure, RTD is oblivious to the summarization but accepts the route, and it assigns the route the administrative distance of a "normal" EIGRP route (which is 90, by default). In the configuration for RTC, automatic summarization is turned off, with the no auto-summary command. If automatic summarization were not turned off, RTD would receive two routes, the manual summary address (2.1.0.0 /16) and the automatic, classful summary address (2.0.0.0 /8). In most cases, when using manual summarization, the no auto-summary command should be issued also.


3.6 Monitoring EIGRP

3.6.1 Verifying EIGRP operation

Figure 1: EIGRP show Commands

Figure 2: EIGRP debug Commands

Throughout this chapter, EIGRP show commands have been used to verify EIGRP operation. Figure [1] lists the key EIGRP show commands and briefly describes their functions. The Cisco IOS debug feature also provides useful EIGRP monitoring commands, as listed in Figure [2].

3.7 EIGRP Configuration Lab Exercises

3.7.1 Configuring EIGRP with IGRP

Lab Activity: In this lab, you configure both EIGRP and IGRP within the International Travel Agency WAN and observe the automatic sharing of route information between both protocols.

3.7.2 Configuring EIGRP fault tolerance

Lab Activity: In this lab, you configure EIGRP over a full-mesh topology so that you can test and observe DUAL replace a successor with a feasible successor after a link failure.

3.7.3 Configuring EIGRP summarization

Lab Activity: In this lab, you configure EIGRP to test its operation over discontiguous subnets by disabling automatic route summarization. Then you manually configure EIGRP to use specific summary routes.


3.8 Configuring EIGRP Challenge Lab Exercise

3.8.1 EIGRP challenge lab

Lab Activity: In this lab, you configure an International Travel Agency EIGRP WAN link with one IGRP segment within the same autonomous system. You also use EIGRP interface summarization to reduce the number of routes in an EIGRP routing table.


Summary

In this chapter, the reader learned that EIGRP, a routing protocol developed by Cisco, is an advanced distance-vector routing protocol that uses the DUAL algorithm. EIGRP includes features such as rapid convergence, reduced bandwidth usage, and multiple network-layer support. The text demonstrates that EIGRP converges rapidly, performs incremental updates, routes IP, IPX, and AppleTalk traffic, and summarizes routes. The reader learned how to configure and verify EIGRP configuration for various protocols. In the next chapter, how to optimize routing operations using static routes, default routes, and route filtering will be discussed.


1.10.1 Configuring VLSM and IP Unnumbered

Lab topology (addresses from the diagram):

Vista: Fa0/0 192.168.1.65 /27 (Host B 192.168.1.66 /27 on this LAN), S0/0 192.168.1.1 /30, S0/1 192.168.1.5 /30
San Jose1: S0/0 192.168.1.2 /30, Fa0/0 192.168.1.33 /27
San Jose2: S0/0 192.168.1.6 /30, Fa0/0 192.168.1.34 /27
Host A 192.168.1.35 on the San Jose1/San Jose2 LAN

Objective

In this lab, the student will configure VLSM and test its functionality with two different routing protocols, RIPv1 and RIPv2. Finally, the student will use IP unnumbered in place of VLSM to further conserve addresses.

Scenario

When International Travel Agency was much smaller, it wanted to configure its network using a single Class C address: 192.168.1.0, as shown in the following table. The routers need to be configured with the appropriate addresses. The company requires that at least 25 host addresses be available on each LAN, but it also demands that the maximum number of addresses be conserved for future growth. To support 25 hosts on each subnet, a minimum of five (5) bits is needed in the host portion of the address. Five (5) bits will yield 30 possible host addresses (2^5 - 2 = 32 - 2 = 30). If five (5) bits must be used for hosts, the other three (3) bits in the last octet can be added to the default 24-bit Class C mask. Therefore, a 27-bit mask can be used to create the following subnets:


Routing Section 1: IP Addressing – Lab 1.10.1


To maximize this address space, the 192.168.1.0 /27 subnet is subnetted further using a 30-bit mask. This creates subnets that can be used on point-to-point links with minimal waste, because each subnet can contain only two possible host addresses.

Note that in the following steps some commands may need to be changed to match the actual equipment being used (ethernet may need to be used in place of fastethernet).

Step 1. Build and configure the network according to the diagram. This configuration requires the use of subnet 0, so the ip subnet-zero command might need to be entered. This will depend on which IOS version is being used.

Note: Host A and Host B are not required to complete this lab.

On all three routers, configure RIPv1 and enable updates on all active interfaces with this network command:

SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0

Use ping to verify that each router can ping its directly connected neighbor. Note: Some remote networks might be unreachable. Proceed to Step 2 anyway.

Step 2. Issue the show ip route command on Vista, as shown in the following example:

Vista#show ip route
Gateway of last resort is not set
     192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.1.64/27 is directly connected, FastEthernet0/0
C       192.168.1.0/30 is directly connected, Serial0/0
C       192.168.1.4/30 is directly connected, Serial0/1

The 192.168.1.32 /27 subnet is clearly absent from Vista's table.

1. The other routers also have incomplete tables. Why is this so?

Because RIPv1 with VLSM is being used, routing has broken down on the network. Remember that VLSM is not supported by classful routing protocols such as RIPv1 and IGRP. These protocols do not send subnet masks in their routing updates. In order for routing to work, RIPv2 must be configured, which does support VLSM.

Step 3. At each of the three router consoles, enable RIPv2 updates and turn off automatic route summarization, as shown in the following example:

SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#no auto-summary

When all three routers are running RIPv2, return to Vista and examine its routing table. It should now be complete, as shown below:

Vista#show ip route
Gateway of last resort is not set
     192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C       192.168.1.64/27 is directly connected, Ethernet0
R       192.168.1.32/27 [120/1] via 192.168.1.6, 00:00:12, Serial1
                        [120/1] via 192.168.1.2, 00:00:13, Serial0
C       192.168.1.0/30 is directly connected, Serial0
C       192.168.1.4/30 is directly connected, Serial1

Notice that Vista has received equal cost routes to 192.168.1.32 /27 from both SanJose1 and SanJose2.

Step 4. Although VLSM has reduced ITA's address waste by creating very small subnets for point-to-point links, the IP unnumbered feature can make it unnecessary to address these links altogether. Further maximize ITA's address use by configuring IP unnumbered on every serial interface in the WAN. To configure IP unnumbered, use the following commands:

SanJose1(config)#interface serial 0/0
SanJose1(config-if)#ip unnumbered fastethernet 0/0

Vista(config)#interface serial 0/0
Vista(config-if)#ip unnumbered fastethernet 0/0
Vista(config-if)#interface serial 0/1
Vista(config-if)#ip unnumbered fastethernet 0/0

SanJose2(config)#interface serial 0/0
SanJose2(config-if)#ip unnumbered fastethernet 0/0

After the IP unnumbered configuration is complete, each serial interface borrows the address of the local LAN interface. Check Vista's table again:

Vista#show ip route
Gateway of last resort is not set
     192.168.1.0/27 is subnetted, 2 subnets
C       192.168.1.64 is directly connected, FastEthernet0/0
R       192.168.1.32 [120/1] via 192.168.1.34, 00:00:00, Serial0/1
                     [120/1] via 192.168.1.33, 00:00:08, Serial0/0

With IP unnumbered configured, only LANs require addresses. Because each LAN uses the same 27-bit mask, VLSM is not required. This makes classful routing protocols, such as RIPv1 and IGRP, viable options.


1.10.2.1: VLSM

Topology diagram (requirements recovered from the figure): Network 192.168.10.0, with four LANs requiring 60 hosts, 28 hosts, 12 hosts, and 12 hosts.

Objective
Create an addressing scheme using variable length subnet masking (VLSM).

Scenario
The assignment is the Class C address 192.168.10.0 and it must support the network shown in the diagram. The use of IP unnumbered or NAT is not permitted on this network. Create an addressing scheme that meets the requirements shown in the diagram.


1.10.2.2: VLSM

Topology diagram (requirements recovered from the figure): Network 192.168.24.0 /22, with four LANs requiring 400 hosts, 50 hosts, 50 hosts, and 200 hosts.

Objective
Create an addressing scheme using VLSM.

Scenario
The assignment is the CIDR address 192.168.24.0 /22 and it must support the network shown in the diagram. The use of IP unnumbered or NAT is not permitted on this network. Create an addressing scheme that meets the requirements shown in the diagram.


1.10.2.3: VLSM

Topology diagram (requirements recovered from the figure): Network 192.168.30.0 /23, with seven LANs requiring 24 hosts, 24 hosts, 30 hosts, 90 hosts, 20 hosts, 120 hosts, and 60 hosts.

Objective
Create an addressing scheme using VLSM.

Scenario
The assignment is the CIDR address 192.168.30.0 /23 and it must support the network shown in the diagram. The use of IP unnumbered or NAT is not permitted on this network. Create an addressing scheme that meets the requirements shown in the diagram.
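A worked allocation for the three VLSM exercises above (labs 1.10.2.1 through 1.10.2.3), added here as an example and not part of the original lab manual. It uses only Python's standard ipaddress module; the host counts are the ones read from the diagrams, and the scheme it produces is one valid answer, not the only one.

```python
import ipaddress


def smallest_prefix(hosts):
    """Longest prefix whose block still leaves `hosts` usable addresses
    once the network and broadcast addresses are taken out."""
    prefix = 32
    while (1 << (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def vlsm_allocate(base_network, host_counts):
    """Carve base_network into one subnet per requirement, largest first.

    Allocating in descending size keeps every block aligned on its natural
    boundary, so the scheme needs no gaps. Each entry of host_counts is a
    LAN (a point-to-point WAN link is simply a 2-host requirement).
    Returns [(hosts_needed, IPv4Network), ...] in allocation order.
    """
    base = ipaddress.ip_network(base_network, strict=True)
    next_addr = int(base.network_address)
    limit = int(base.broadcast_address) + 1
    scheme = []
    for need in sorted(host_counts, reverse=True):
        prefix = smallest_prefix(need)
        size = 1 << (32 - prefix)
        start = -(-next_addr // size) * size        # round up to the block boundary
        if start + size > limit:
            raise ValueError(f"{base} has no room for a /{prefix} ({need} hosts)")
        scheme.append((need, ipaddress.IPv4Network((start, prefix))))
        next_addr = start + size
    return scheme


def check_scheme(base_network, scheme):
    """Verify a proposed scheme: every subnet lies inside the assignment,
    no two subnets overlap, and each one has enough usable host addresses."""
    base = ipaddress.ip_network(base_network)
    nets = [net for _, net in scheme]
    for need, net in scheme:
        if not net.subnet_of(base) or net.num_addresses - 2 < need:
            return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return True


def address_efficiency(base_network, scheme):
    """Fraction of the assignment consumed by the scheme (lower leaves more spare)."""
    base = ipaddress.ip_network(base_network)
    return sum(net.num_addresses for _, net in scheme) / base.num_addresses


LAB_REQUIREMENTS = {        # host counts read from the three lab diagrams
    "192.168.10.0/24": [60, 28, 12, 12],
    "192.168.24.0/22": [400, 50, 50, 200],
    "192.168.30.0/23": [24, 24, 30, 90, 20, 120, 60],
}

if __name__ == "__main__":
    for base, hosts in LAB_REQUIREMENTS.items():
        scheme = vlsm_allocate(base, hosts)
        assert check_scheme(base, scheme)
        print(f"{base}: {address_efficiency(base, scheme):.0%} of the block used")
        for need, net in scheme:
            print(f"  {need:>4} hosts -> {net}  ({net.num_addresses - 2} usable)")
```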


1.10.3: Using DHCP and IP Helper Addresses

Topology diagram (addresses recovered from the figure): Host B (DHCP client) on Vista Fa0/0 192.168.3.1 /24; Vista S0/0 192.168.1.1 /24 connected to SanJose1 S0/0 192.168.1.2 /24; SanJose1 (IOS DHCP server) Fa0/0 10.0.0.1 /8 with Host A (DHCP client) on that LAN.

Objective
In this lab, the student will configure a Cisco router to act as a DHCP server for clients on two separate subnets. The IP helper address feature will also be used to forward DHCP requests from a remote subnet.

Scenario
Clients on the 192.168.3.0/24 network and the 10.0.0.0/8 network require the services of DHCP for automatic IP configuration. Configure SanJose1 to serve both subnets by creating two separate address pools. Finally, configure Vista’s FastEthernet interface to forward UDP broadcasts, including DHCP requests, to SanJose1.

Note that in the following steps some commands may need to be changed to match the actual equipment being used (for example, ethernet may need to be used in place of fastethernet).

Step 1. Build and configure the network according to the diagram. Connect Host A and Host B as shown, but configure these clients to obtain their IP addresses automatically. Because these hosts rely on DHCP, they cannot be tested using ping until Step 5. Configure RIPv2 on SanJose1 and Vista. Be sure to enable updates on all active interfaces with the network command:


SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0

Use ping and show ip route to verify the work and test connectivity between SanJose1 and Vista.

Step 2. Configure SanJose1 to act as a DHCP server for clients on the 10.0.0.0/8 network. First, verify that SanJose1’s software can use DHCP services and that they are enabled:

SanJose1(config)#service dhcp

Next, configure the DHCP address pool for the 10.0.0.0 network. Name the pool 10-net:

SanJose1(config)#ip dhcp pool 10-net
SanJose1(dhcp-config)#network 10.0.0.0 255.0.0.0

Step 3. International Travel Agency uses the first ten addresses in this address range to statically address servers and routers. From global configuration mode, exclude these addresses from the DHCP pool so that the server does not attempt to assign them to clients. Configure SanJose1 to dynamically assign addresses from the 10-net pool, starting with 10.0.0.11:

SanJose1(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10

Step 4. Return to DHCP configuration mode and assign the following IP options: default gateway address, DNS server address, WINS server address, and domain name:

SanJose1(dhcp-config)#default-router 10.0.0.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net

Step 5. The DHCP server is now ready to be tested. Check the TCP/IP Properties on the workstation to ensure that it is set to obtain an IP address automatically. Release and renew Host A’s IP configuration. On Windows 95/98, use winipcfg; on Windows NT/2000, use ipconfig /release and ipconfig /renew. Host A should be dynamically assigned the first available address in the pool, which is 10.0.0.11. Check Host A’s configuration with winipcfg (Windows 95/98) or ipconfig /all (Windows NT/2000) to verify that it received the proper IP address, subnet mask, default gateway, DNS server address, and WINS server address. Troubleshoot, if necessary.

Step 6. Because Host B also requires dynamic IP configuration, create a second DHCP pool with address and gateway options appropriate to Host B’s network, 192.168.3.0 /24:

SanJose1(config)#ip dhcp pool 192.168.3-net


SanJose1(dhcp-config)#network 192.168.3.0 255.255.255.0
SanJose1(dhcp-config)#default-router 192.168.3.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net

ITA has recently installed IP phones on the 192.168.3.0 network. These phones require a DHCP server to provide a TFTP server address (10.0.0.5). The Cisco IOS DHCP server configuration does not provide a keyword for TFTP servers, so configure this option using its raw option number:

SanJose1(dhcp-config)#option 150 ip 10.0.0.5

Note: DHCP option 150 carries the TFTP server IP address for the phones.

Step 7. The configuration of the DHCP server is now complete. However, Host B uses a UDP broadcast to find an IP address, and Vista is not configured to forward broadcasts. In order for DHCP to work, configure Vista’s FastEthernet interface to forward UDP broadcasts to SanJose1:

Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip helper-address 192.168.1.2

Step 8. Release and renew Host B’s IP configuration while simultaneously logged into SanJose1’s console. Use a second host, if necessary.

1. Did SanJose1 report any DHCP messages?

Verify, using winipcfg or ipconfig /all, that Host B received the correct IP configuration, and troubleshoot if necessary.

2. No ip dhcp excluded-address command was issued for this pool, yet the DHCP server did not assign Host B 192.168.3.1. Why not?

Issue show ip dhcp ? and note the choices. Try the conflict and binding options.

3. How did SanJose1 know to assign Host B an address from the 192.168.3-net pool and not the 10-net pool?
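A constructed model of the pool selection, exclusion and conflict handling exercised in Steps 5 through 8 and in questions 2 and 3, added here as an example; it is neither the lab's nor Cisco IOS code. It assumes the server chooses a pool by the relay's giaddr (or by the ingress interface address when no relay is involved) and probes an address before offering it; Vista's interface 192.168.3.1 answering that probe is the assumed reason it ends up in the conflict table rather than in a lease.

```python
import ipaddress

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")

# Constructed copy of the pool configuration entered on SanJose1 (Steps 2-6).
POOLS = {
    "10-net": {"network": "10.0.0.0/8", "default-router": "10.0.0.1",
               "dns-server": "10.0.0.3", "netbios-name-server": "10.0.0.4",
               "domain-name": "xyz.net"},
    "192.168.3-net": {"network": "192.168.3.0/24", "default-router": "192.168.3.1",
                      "dns-server": "10.0.0.3", "netbios-name-server": "10.0.0.4",
                      "domain-name": "xyz.net", "option 150": "10.0.0.5"},
}
# ip dhcp excluded-address 10.0.0.1 10.0.0.10 (Step 3)
EXCLUDED = {ipaddress.ip_address("10.0.0.%d" % i) for i in range(1, 11)}


class DhcpServerModel:
    def __init__(self, pools, excluded, reachable):
        self.pools = {name: (ipaddress.ip_network(cfg["network"]), cfg)
                      for name, cfg in pools.items()}
        self.excluded = set(excluded)
        self.reachable = reachable      # callable: would this address answer a ping?
        self.bindings = {}              # address -> client id   (show ip dhcp binding)
        self.conflicts = set()          #                        (show ip dhcp conflict)

    def select_pool(self, giaddr, ingress_addr):
        """A relayed DISCOVER carries the relay's interface address in giaddr
        (Vista's ip helper-address fills in 192.168.3.1); the server matches
        that against its pools. An unrelayed DISCOVER (giaddr 0.0.0.0) is
        matched against the address of the interface it arrived on."""
        key = ingress_addr if giaddr == UNSPECIFIED else giaddr
        for name, (net, _) in self.pools.items():
            if key in net:
                return name
        return None

    def offer(self, client_id, giaddr, ingress_addr):
        giaddr = ipaddress.ip_address(giaddr)
        ingress_addr = ipaddress.ip_address(ingress_addr)
        name = self.select_pool(giaddr, ingress_addr)
        if name is None:
            return None                 # no pool covers that subnet: request ignored
        net, cfg = self.pools[name]
        for addr in net.hosts():        # lowest free address first
            if addr in self.excluded or addr in self.bindings or addr in self.conflicts:
                continue
            if self.reachable(addr):    # something answered the pre-offer probe
                self.conflicts.add(addr)
                continue
            self.bindings[addr] = client_id
            return {"pool": name, "address": str(addr), "mask": str(net.netmask),
                    **{k: v for k, v in cfg.items() if k != "network"}}
        return None                     # pool exhausted


def run_lab():
    """Replay Host A (Step 5, local LAN) and Host B (Step 8, via Vista's helper)."""
    vista_fa0 = ipaddress.ip_address("192.168.3.1")   # the only live host on that LAN
    server = DhcpServerModel(POOLS, EXCLUDED, reachable=lambda a: a == vista_fa0)
    host_a = server.offer("host-a", "0.0.0.0", "10.0.0.1")
    host_b = server.offer("host-b", "192.168.3.1", "192.168.1.2")
    return server, host_a, host_b


if __name__ == "__main__":
    srv, a, b = run_lab()
    print("Host A:", a)
    print("Host B:", b)
    print("conflicts:", sorted(str(c) for c in srv.conflicts))
```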


2.6.1: Configuring OSPF

Topology diagram (addresses recovered from the figure): three routers in AREA 0 connected over a common Ethernet segment. SanJose1 Fa0/0 192.168.1.1 /24, Lo0 192.168.31.11 /32; SanJose2 Fa0/0 192.168.1.2 /24, Lo0 192.168.31.22 /32; SanJose3 Fa0/0 192.168.1.3 /24, Lo0 192.168.31.33 /32.

Objective
In this lab, the student will configure OSPF on three Cisco routers. First, loopback interfaces will be configured to provide stable OSPF Router IDs. Then the OSPF process will be configured and OSPF will be enabled on the appropriate interfaces. After OSPF is enabled, the update timers are tuned and authentication is configured.

Scenario
The backbone of International Travel Agency’s (ITA) WAN, located in San Jose, consists of three routers connected via an Ethernet core. These core routers must be configured as members of OSPF Area 0. Because the core routers are connected to the Internet, security must be implemented to prevent unauthorized routers from joining Area 0. Also, within the core, network failures need to be identified quickly.

Step 1. Build and configure the network according to the diagram, but do not configure OSPF yet. A switch or hub is required to connect the three routers via Ethernet. Use ping to verify and test connectivity between the FastEthernet interfaces.

Step 2. On each router, configure a loopback interface with a unique IP address. Cisco routers use the highest loopback IP address as the OSPF Router ID. In the absence of a loopback interface, the router uses the highest IP address among its active interfaces, which might force a router to change router IDs if an interface goes down. Because loopback interfaces are immune to physical and data link problems, they should be used to derive the router ID. To avoid conflicts with registered network addresses, use private network ranges for the loopback interfaces. Configure the core routers using the following commands:

SanJose1(config)#interface loopback 0
SanJose1(config-if)#ip address 192.168.31.11 255.255.255.255

SanJose2(config)#interface loopback 0
SanJose2(config-if)#ip address 192.168.31.22 255.255.255.255

SanJose3(config)#interface loopback 0
SanJose3(config-if)#ip address 192.168.31.33 255.255.255.255

Step 3. Now that loopback interfaces are configured, configure OSPF. Use the following commands as an example to configure each router:

SanJose1(config)#router ospf 1
SanJose1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Note: An OSPF process ID is locally significant. It has no meaning beyond the local router. The ID is needed to identify a unique instance of an OSPF database, because multiple processes can run concurrently on a single router.

Step 4. After OSPF routing is enabled on each of the three routers, verify its operation using show commands. Several important show commands can be used to gather OSPF information. First, issue the show ip protocols command on any of the three routers, as follows:

SanJose1#show ip protocols
Routing Protocol is "ospf 1"
  Sending updates every 0 seconds
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: ospf 1
  Routing for Networks:
    192.168.1.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 110)


Note: The update timers are set to zero (0). Updates are not sent at regular intervals; they are event driven.

Next, use the show ip ospf command to get more details about the OSPF process, including the router ID:

SanJose1#show ip ospf
 Routing Process "ospf 1" with ID 192.168.31.11
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 5 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x1CAC4
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

1. What address is the router using as its router ID?

The loopback interface address should be seen as the router ID. To see the OSPF neighbors, use the show ip ospf neighbor command. The output of this command displays all known OSPF neighbors, including their router IDs, their interface addresses, and their adjacency status. Also issue the show ip ospf neighbor detail command, which outputs even more information:

SanJose1#show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address       Interface
192.168.31.22     1   FULL/BDR   00:00:36    192.168.1.2   FastEthernet0/0
192.168.31.33     1   FULL/DR    00:00:33    192.168.1.3   FastEthernet0/0

SanJose1#show ip ospf neighbor detail
 Neighbor 192.168.31.22, interface address 192.168.1.2
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.3 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:34
    Index 2/2, retransmission queue length 0, number of retransmission 2
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 192.168.31.33, interface address 192.168.1.3
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.3 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:30
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec


2. Based on the output of this command, which router is the Designated Router (DR) on this network?

3. Which router is the Backup Designated Router (BDR)?

Most likely, the router with the highest router ID is the DR, the router with the second highest router ID is the BDR, and the other router is a DRother. Because each interface on a given router is connected to a different network, some of the key OSPF information is interface specific. Issue the show ip ospf interface command for the router’s FastEthernet interface, as shown:

SanJose1#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.31.11, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 192.168.31.33, Interface address 192.168.1.3
  Backup Designated router (ID) 192.168.31.22, Interface address 192.168.1.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.31.22  (Backup Designated Router)
    Adjacent with neighbor 192.168.31.33  (Designated Router)
  Suppress hello for 0 neighbor(s)

4. Based on the output of this command, what OSPF network type is the FastEthernet interface connected to?

5. What is the Hello update timer set to?

6. What is the Dead timer set to?

Ethernet networks are known to OSPF as broadcast networks. The default timer values are ten (10) second hello updates and 40 second dead intervals.

Step 5. The OSPF timers need to be adjusted so that the core routers will detect network failures in less time. This will increase traffic, but this is less of a concern on the high speed core Ethernet segment than on a busy WAN link. The need for quick convergence at the core outweighs the extra traffic. The Hello and Dead intervals must be manually changed on SanJose1 as follows:

SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf hello-interval 5
SanJose1(config-if)#ip ospf dead-interval 20


These commands set the Hello update timer to five (5) seconds and the Dead interval to 20 seconds. Although the Cisco IOS does not require it, configure the Dead interval to four times the Hello interval. This ensures that routers experiencing temporary link problems can recover and are not declared dead unnecessarily, which would trigger needless rounds of updates and recalculations throughout the internetwork. After the timers are changed on SanJose1, issue the show ip ospf neighbor command.

7. Does SanJose1 still show that it has OSPF neighbors?

To find out what happened to SanJose1’s neighbors, use the IOS debug feature. Enter the command debug ip ospf events.

SanJose1#debug ip ospf events
OSPF events debugging is on
SanJose1#
00:08:25: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:08:25: OSPF: Mismatched hello parameters from 192.168.1.2
00:08:25: Dead R 40 C 20, Hello R 10 C 5 Mask R 255.255.255.0 C 255.255.255.0
SanJose1#
00:08:32: OSPF: Rcv hello from 192.168.31.33 area 0 from FastEthernet0/0 192.168.1.3
00:08:32: OSPF: Mismatched hello parameters from 192.168.1.3
00:08:32: Dead R 40 C 20, Hello R 10 C 5 Mask R 255.255.255.0 C 255.255.255.0

8. According to the debug output, what is preventing SanJose1 from forming relationships with the other two OSPF routers in Area 0?

The Hello and Dead intervals must be the same before routers within an area can form neighbor adjacencies. Turn off debug using undebug all, or just u all.

SanJose1#undebug all
All possible debugging has been turned off

The Hello and Dead intervals are declared in Hello packet headers. In order for OSPF routers to establish a relationship, their Hello and Dead intervals must match. Configure the SanJose2 and SanJose3 Hello and Dead timers to match the timers on SanJose1. Before continuing, verify that these routers can now communicate by checking the OSPF neighbor table.

Step 6. No unauthorized routers should be exchanging updates within Area 0. Adding authentication to each OSPF packet header can prevent this. Select message digest (MD5) authentication. This mode of authentication sends a message digest, or hash, computed over the packet and the shared key, in place of the password, so the password itself never crosses the wire. OSPF neighbors must be configured with the same message digest key number, encryption type, and password in order to authenticate using the hash. To configure a message digest password for SanJose1 to use on its Ethernet interface, use these commands:


SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf message-digest-key 1 md5 itsasecret
SanJose1(config-if)#router ospf 1
SanJose1(config-router)#area 0 authentication message-digest

The optional encryption type that may be given between md5 and the key (0 or 7) tells IOS how the key is being entered: 0 is plain text and 7 is a key already obfuscated the way it appears in a saved configuration. A plain-text key such as itsasecret is therefore entered without it, or with 0.

After entering these commands, wait 20 seconds, and then issue the show ip ospf neighbor command on SanJose1.

9. Does SanJose1 still show that it has OSPF neighbors?

Use the debug ip ospf events command to determine why SanJose1 does not see its neighbors:

SanJose1#debug ip ospf events
OSPF events debugging is on
SanJose1#
00:49:32: OSPF: Send with youngest Key 1
SanJose1#
00:49:33: OSPF: Rcv pkt from 192.168.31.33, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
00:49:33: OSPF: Rcv pkt from 192.168.31.22, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
SanJose1#u all
All possible debugging has been turned off

Again, it is seen that OSPF routers will not communicate unless certain configurations match. In this case, the routers are not communicating because the authentication fields in the OSPF packet header are different. Correct this problem by configuring authentication on the other two routers. Remember that the same key number, encryption type, and password must be used on each router. After the configurations are complete, verify that the routers can communicate by using the show ip ospf neighbor command.

SanJose1#show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address       Interface
192.168.31.33     1   FULL/DR    00:00:16    192.168.1.3   FastEthernet0/0
192.168.31.22     1   FULL/BDR   00:00:15    192.168.1.2   FastEthernet0/0

Step 7. Save the configurations to NVRAM. These configurations will be used to begin the next lab. At the conclusion of each lab, it is recommended that each router’s configuration file be copied and saved for future reference.


2.6.2: Examining the DR/BDR Election Process

Topology diagram (addresses recovered from the figure, identical to lab 2.6.1): three routers in AREA 0 connected over a common Ethernet segment. SanJose1 Fa0/0 192.168.1.1 /24, Lo0 192.168.31.11 /32; SanJose2 Fa0/0 192.168.1.2 /24, Lo0 192.168.31.22 /32; SanJose3 Fa0/0 192.168.1.3 /24, Lo0 192.168.31.33 /32.

Objective
In this lab, the student will observe the OSPF DR and BDR election process using debug commands. Then the student will assign each OSPF interface a priority value to force the election of a specific router as a DR.

Scenario
The backbone of International Travel Agency’s enterprise network consists of three routers connected via an Ethernet core. SanJose1 has more memory and processing power than the other core routers. Unfortunately, other core routers are continually elected as the DR under the default settings. In the interest of optimization, it is necessary that SanJose1 be elected the DR. It is best suited to handle the associated extra duties, including management of Link State Advertisements (LSAs) for Area 0. This lab will show how to investigate and solve this problem.

Step 1. Build and configure the network according to the diagram. Configure OSPF on all Ethernet interfaces. A switch or hub is required to connect the three routers via Ethernet. Be sure to configure each router with the loopback interface and IP address shown in the diagram. Use ping to verify and test connectivity between the Ethernet interfaces.


Step 2. Use the show ip ospf neighbor detail command to verify that the OSPF routers have formed adjacencies:

SanJose3#show ip ospf neighbor detail
 Neighbor 192.168.31.11, interface address 192.168.1.1
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 1, State is FULL, 12 state changes
    DR is 192.168.1.3 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:17
    Index 2/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 192.168.31.22, interface address 192.168.1.2
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 192.168.1.3 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:15
    Index 1/1, retransmission queue length 0, number of retransmission 5
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

1. Which router is the DR? Why?

2. Which router is the BDR? Why?

Recall that router IDs determine the DR and BDR.

Step 3. If the network is configured according to the diagram, SanJose1 will not be the DR. It is decided to temporarily shut down SanJose3, which has the highest router ID (192.168.31.33), and to observe the DR/BDR election process. To observe the election, issue the following debug command on SanJose1:

SanJose1#debug ip ospf adj

Now that OSPF adjacency events will be logged to SanJose1’s console, remove SanJose3 from the OSPF network by shutting down its FastEthernet interface:

SanJose3(config)#interface fastethernet 0/0
SanJose3(config-if)#shutdown

Watch the debug output on SanJose1:

SanJose1#
00:48:47: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:48:47: OSPF: Neighbor change Event on interface FastEthernet0/0
00:48:47: OSPF: DR/BDR election on FastEthernet0/0
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47:        DR: 192.168.31.22 (Id)   BDR: 192.168.31.11 (Id)
00:48:47: OSPF: Remember old DR 192.168.31.33 (id)
00:48:47: OSPF: End of hello processing


3. Who is elected DR? Why?

The former BDR is promoted to DR. In the debug output, look for a statement about remembering the ’old DR’. Unless SanJose1 and SanJose2 are powered off, they will remember that SanJose3 was the old DR. When SanJose3 comes back online, these routers will allow SanJose3 to reassume its role as DR:

SanJose1#
00:51:32: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:51:32: OSPF: End of hello processing
00:51:33: OSPF: Rcv hello from 192.168.31.33 area 0 from FastEthernet0/0 192.168.1.3
00:51:33: OSPF: 2 Way Communication to 192.168.31.33 on FastEthernet0/0, state 2WAY
00:51:33: OSPF: Neighbor change Event on interface FastEthernet0/0
00:51:33: OSPF: DR/BDR election on FastEthernet0/0
00:51:33: OSPF: Elect BDR 192.168.31.11
00:51:33: OSPF: Elect DR 192.168.31.33
00:51:33:        DR: 192.168.31.33 (Id)   BDR: 192.168.31.11 (Id)
00:51:33: OSPF: Send DBD to 192.168.31.33 on FastEthernet0/0 seq 0x21CF opt 0x2 flag 0x7 len 32
00:51:33: OSPF: Send with youngest Key 1
00:51:33: OSPF: Remember old DR 192.168.31.22 (id)
00:51:33: OSPF: End of hello processing

Step 4. At this point, SanJose1 should have assumed the role of BDR. Bring SanJose3 back online, and observe the new election process.

4. SanJose3 will assume its former role as DR. Who is elected BDR? Why?

SanJose1 remains the BDR even though SanJose2 has the higher router ID. Step 5. The router can be manipulated to become the DR using two methods. The router ID could be changed to a higher number, but that could confuse the loopback addressing system and affect elections on other interfaces. The same router ID is used for every network that a router is a member of. For example, if an OSPF router has an exceptionally high router ID, it could win the election on every multiaccess interface and, as a result, do triple or quadruple duty as a DR.


Instead of reconfiguring router IDs, manipulate the election by configuring OSPF priority values. Because priorities are an interface specific value, they provide better control of the OSPF internetwork. They allow a router to be the DR in one network and a DRother in another. Priority values are the first consideration in the DR election, with the highest priority winning. Values can range from 0-255. A value of zero (0) indicates that the interface will not participate in an election. Use the show ip ospf interface command to examine the current priority values of the Ethernet interfaces on the three routers:

SanJose1#show ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.31.11, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 192.168.31.33, Interface address 192.168.1.3
  Backup Designated router (ID) 192.168.31.11, Interface address 192.168.1.1
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
    Hello due in 00:00:03
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.31.33  (Designated Router)
    Adjacent with neighbor 192.168.31.22
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

5. What is the priority value of these interfaces?

The default priority is one (1). Because all have equal priority, router ID is used to determine the DR and BDR. Modify the priority values so that SanJose1 will become the DR and SanJose2 will become the BDR, regardless of their router ID. To do this, use the following commands:

SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf priority 200

SanJose2(config)#interface fastethernet 0/0
SanJose2(config-if)#ip ospf priority 100

In order to reset the election process, write each router’s configuration to NVRAM and reload SanJose1, SanJose2, and SanJose3. Issue the following commands at each router:

SanJose1#copy running-config startup-config
SanJose1#reload


When the routers finish reloading, try to observe the OSPF election on SanJose1 by using the debug ip ospf adj command. Also verify the configuration by issuing the show ip ospf interface command at both SanJose1 and SanJose2.

SanJose1#debug ip ospf adj
00:01:20: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:01:20: OSPF: Neighbor change Event on interface FastEthernet0/0
00:01:20: OSPF: DR/BDR election on FastEthernet0/0
00:01:20: OSPF: Elect BDR 192.168.31.22
00:01:20: OSPF: Elect DR 192.168.31.11
00:01:20:        DR: 192.168.31.11 (Id)   BDR: 192.168.31.22 (Id)
00:01:20: OSPF: End of hello processing

SanJose2#show ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.2/24, Area 0
  Process ID 1, Router ID 192.168.31.22, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 100
  Designated Router (ID) 192.168.31.11, Interface address 192.168.1.1
  Backup Designated router (ID) 192.168.31.22, Interface address 192.168.1.2
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
    Hello due in 00:00:03
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.31.33
    Adjacent with neighbor 192.168.31.11  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

After the election is complete, verify that SanJose1 and SanJose2 have assumed the correct roles by using the show ip ospf neighbor detail command. Troubleshoot, if necessary.

SanJose3#show ip ospf neighbor detail
 Neighbor 192.168.31.22, interface address 192.168.1.2
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 100, State is FULL, 6 state changes
    DR is 192.168.1.1 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:17
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 192.168.31.11, interface address 192.168.1.1
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 200, State is FULL, 6 state changes
    DR is 192.168.1.1 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:19
    Index 1/1, retransmission queue length 0, number of retransmission 2
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

Note that the order in which routers join an area can be the most significant factor affecting which routers are elected as DR and BDR. An election is necessary only when a DR or BDR does not exist in the network. As a router starts its OSPF process, it checks the network for an active DR and BDR. If they exist, the new router becomes a DRother, regardless of its priority or router ID. Remember, the roles of DR and BDR were created for efficiency. New routers in the network should not force an election when adjacencies are already optimized. However, there is an exception. A known bug in some IOS versions allows a ’new’ router with higher election credentials to force an election and assume the role of DR.
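An added simulation of the election rules this lab exercises, modelled on RFC 2328 section 9.4 and not part of the original lab: highest priority first, router ID as the tie-breaker, priority 0 ineligible, and an existing DR or BDR retained when a router joins. The router IDs and priorities are those of the lab. The scenario in which SanJose3 returns follows the non-preemption rule described in the note above, so the model keeps SanJose2 as DR where the lab's IOS let SanJose3 take the role back.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OspfRouter:
    """One router attached to the Area 0 Ethernet segment."""
    router_id: str
    priority: int = 1          # ip ospf priority; 0 means never DR or BDR
    dr: Optional[str] = None   # DR this router currently claims in its Hellos
    bdr: Optional[str] = None  # BDR this router currently claims in its Hellos


def _rank(r: OspfRouter):
    # Highest priority wins; the numerically highest router ID breaks ties.
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def _best(candidates: List[OspfRouter]) -> Optional[str]:
    return max(candidates, key=_rank).router_id if candidates else None


def elect_once(segment: List[OspfRouter]) -> Tuple[Optional[str], Optional[str]]:
    """One pass of the election over the Hellos currently heard on the segment."""
    eligible = [r for r in segment if r.priority > 0]
    # BDR: among routers not claiming to be DR, prefer those already claiming BDR.
    not_dr = [r for r in eligible if r.dr != r.router_id]
    claims_bdr = [r for r in not_dr if r.bdr == r.router_id]
    bdr = _best(claims_bdr) or _best(not_dr)
    # DR: the best router already claiming the role; otherwise the BDR is promoted.
    claims_dr = [r for r in eligible if r.dr == r.router_id]
    dr = _best(claims_dr) or bdr
    return dr, bdr


def elect(segment: List[OspfRouter]) -> Tuple[Optional[str], Optional[str]]:
    """Repeat until every router on the segment advertises the same DR/BDR
    (the RFC's repeat-after-a-role-change step), then return (DR, BDR)."""
    for _ in range(8):         # settles in two or three passes
        dr, bdr = elect_once(segment)
        if all(r.dr == dr and r.bdr == bdr for r in segment):
            return dr, bdr
        for r in segment:      # each router adopts the result in its next Hello
            r.dr, r.bdr = dr, bdr
    raise RuntimeError("election did not converge")


def lab_2_6_2():
    """Replay the lab: cold start, SanJose3 shut down, SanJose3 back online,
    then priorities 200/100 followed by a reload. Returns {scenario: (DR, BDR)}."""
    sj1 = OspfRouter("192.168.31.11")
    sj2 = OspfRouter("192.168.31.22")
    sj3 = OspfRouter("192.168.31.33")
    segment = [sj1, sj2, sj3]
    results = {}
    results["cold start"] = elect(segment)                  # Step 2
    results["SanJose3 shut down"] = elect([sj1, sj2])       # Step 3
    sj3.dr = sj3.bdr = None                                 # comes back claiming nothing
    results["SanJose3 returns"] = elect(segment)            # Step 4, RFC behaviour
    sj1.priority, sj2.priority = 200, 100                   # Step 5
    for r in segment:                                       # reload clears every claim
        r.dr = r.bdr = None
    results["priorities after reload"] = elect(segment)
    return results


if __name__ == "__main__":
    for scenario, (dr, bdr) in lab_2_6_2().items():
        print(f"{scenario:<26} DR {dr}  BDR {bdr}")
```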


2.6.3: Configuring Point-to-Multipoint OSPF Over Frame Relay

Topology diagram (recovered from the figure): a hub-and-spoke Frame Relay network in AREA 0 on 192.168.192.0 /24, switched by a preconfigured Adtran Atlas 550 (ports 1/1, 1/2, 2/2). SanJose3 (hub) Fa0/0 192.168.1.3 /24, S0/0 .1, with two PVCs: DLCI 18 to London and DLCI 16 to Singapore. London S0/0 .2, Fa0/0 192.168.200.1 /24, local DLCI 16. Singapore S0/0 .4, Fa0/0 192.168.232.1 /24, local DLCI 16.

Alternate diagram: the same topology with a router acting as the Frame Relay switch on S0/0, S0/1 and S0/2; SanJose3 uses DLCIs 18 and 16, London DLCI 16, and Singapore DLCI 17.

1-1

Routing Section 2: OSPF – Lab 2.6.3

Copyright © 2002, Cisco Systems, Inc.

Objective

In this lab, OSPF will be configured as a point-to-multipoint network type so that it operates efficiently over a hub-and-spoke Frame Relay topology.

Scenario

International Travel Agency has just connected two regional headquarters to San Jose using Frame Relay in a hub-and-spoke topology. OSPF routing is to be configured over this type of network, which is known for introducing complications into OSPF adjacency relationships. To avoid these complications, manually override the Non-Broadcast MultiAccess (NBMA) OSPF network type and configure OSPF to run as a point-to-multipoint network. In this environment, no DR or BDR is elected.

Step 1. Cable the network according to the diagram.

Note: This lab requires another router or device to act as a Frame Relay switch. The first diagram assumes that an Adtran Atlas 550 will be used, which is preconfigured. The second diagram assumes that a router will be configured with at least three serial interfaces as a Frame Relay switch. See the configuration at the end of this lab for an example of how to configure a router as a Frame Relay switch. If desired, copy the configuration to a 2600 router for use in this lab.

Configure each FastEthernet interface on each router as shown, but leave the serial interfaces and OSPF routing unconfigured for now. If necessary, loopback interfaces can be assigned to each router. Be sure the loopback interfaces are unique within that network. Until Frame Relay is configured, ping will not be able to test connectivity.

Step 2. SanJose3 acts as the hub in this hub-and-spoke network. It reaches London and Singapore via two separate PVCs.
Configure Frame Relay on the SanJose3 serial 0 interface as follows:

SanJose3(config)#interface serial 0/0
SanJose3(config-if)#encapsulation frame-relay ietf
SanJose3(config-if)#ip address 192.168.192.1 255.255.255.0
SanJose3(config-if)#no shutdown
SanJose3(config-if)#frame-relay map ip 192.168.192.2 18 broadcast
SanJose3(config-if)#frame-relay map ip 192.168.192.4 16 broadcast
SanJose3(config-if)#ip ospf network point-to-multipoint

Notice that this configuration includes frame-relay map commands, which are typically used with Frame Relay subinterfaces. These commands are needed here so that Frame Relay can be configured to handle broadcast traffic with the broadcast keyword. Without this configuration, OSPF multicast traffic will not be forwarded correctly over this Frame Relay topology.

Configure London’s serial interface; use IETF encapsulation:

London(config)#interface serial 0/0
London(config-if)#encapsulation frame-relay ietf
London(config-if)#ip address 192.168.192.2 255.255.255.0
London(config-if)#no shutdown
London(config-if)#frame-relay map ip 192.168.192.1 16 broadcast
London(config-if)#frame-relay map ip 192.168.192.4 16 broadcast
London(config-if)#ip ospf network point-to-multipoint


Finally, configure Singapore’s serial interface:

Singapore(config)#interface serial 0/0
Singapore(config-if)#encapsulation frame-relay IETF
Singapore(config-if)#ip address 192.168.192.4 255.255.255.0
Singapore(config-if)#no shutdown
Singapore(config-if)#frame-relay map ip 192.168.192.1 17 broadcast
Singapore(config-if)#frame-relay map ip 192.168.192.2 17 broadcast
Singapore(config-if)#ip ospf network point-to-multipoint

Verify Frame Relay operation with a ping from each router to the other two. Use show frame-relay pvc and show frame-relay map to troubleshoot connectivity problems. Rebooting the Frame Relay switch might also solve connectivity issues.

SanJose3#show frame-relay pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          2            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0

  input pkts 91             output pkts 76            in bytes 13322
  out bytes 14796           dropped pkts 10           in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 50         out bcast bytes 9808
  pvc create time 00:38:04, last time pvc status changed 00:01:18

DLCI = 18, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0

  input pkts 61             output pkts 57            in bytes 10786
  out bytes 14076           dropped pkts 4            in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 30         out bcast bytes 8940
  pvc create time 00:48:17, last time pvc status changed 00:03:31

SanJose3#show frame-relay map
Serial0/0 (up): ip 192.168.192.2 dlci 18(0x12,0x420), static,
              broadcast,
              IETF, status defined, active
Serial0/0 (up): ip 192.168.192.4 dlci 16(0x11,0x410), static,
              broadcast,
              IETF, status defined, active


Step 3. Configure OSPF to run over this point-to-multipoint network. Issue the following commands at the appropriate router:

London(config)#router ospf 1
London(config-router)#network 192.168.200.0 0.0.0.255 area 0
London(config-router)#network 192.168.192.0 0.0.0.255 area 0

SanJose3(config)#router ospf 1
SanJose3(config-router)#network 192.168.1.0 0.0.0.255 area 0
SanJose3(config-router)#network 192.168.192.0 0.0.0.255 area 0

Singapore(config)#router ospf 1
Singapore(config-router)#network 192.168.232.0 0.0.0.255 area 0
Singapore(config-router)#network 192.168.192.0 0.0.0.255 area 0

Verify the OSPF configuration by issuing the show ip route command at each of the routers:

London#show ip route
Gateway of last resort is not set

     192.168.192.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.192.0/24 is directly connected, Serial0/0
O       192.168.192.1/32 [110/64] via 192.168.192.1, 00:06:49, Serial0/0
O       192.168.192.4/32 [110/128] via 192.168.192.1, 00:06:49, Serial0/0
C    192.168.200.0/24 is directly connected, FastEthernet0/0
O    192.168.232.0/24 [110/129] via 192.168.192.1, 00:06:49, Serial0/0
     192.168.204.0/32 is subnetted, 1 subnets
O    192.168.1.0/24 [110/65] via 192.168.192.1, 00:06:50, Serial0/0

If each router has a complete table, including routes to 192.168.1.0 /24, 192.168.200.0 /24, and 192.168.232.0 /24, OSPF has been successfully configured to operate over Frame Relay. Test these routes by pinging the FastEthernet interfaces of each router from London’s console. Finally, issue the show ip ospf neighbor detail command at any router console:

SanJose3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.200.1     1   FULL/  -        00:01:35    192.168.192.2   Serial0/0
192.168.232.1     1   FULL/  -        00:01:51    192.168.192.4   Serial0/0

SanJose3#show ip ospf neighbor detail
Neighbor 192.168.200.1, interface address 192.168.192.2
    In the area 0 via interface Serial0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options 2
    Dead timer due in 00:01:41
    Index 2/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
Neighbor 192.168.232.1, interface address 192.168.192.4
    In the area 0 via interface Serial0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options 2
    Dead timer due in 00:01:56
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

1. Is there a DR for this network? Why or why not?

There is no DR. Point-to-multipoint configuration creates a logical multiaccess network over physical point-to-point links. Because each router has only one physical neighbor, only one adjacency can be formed. No efficiency would be realized by electing a DR.

Router as Frame Relay Switch Configuration

The following example can be used to configure a router as the Frame Relay switch.

Frame-Switch#show run
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Frame-Switch
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
frame-relay switching
!
process-max-time 200
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 clockrate 56000
 cdp enable
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/2 17
 frame-relay route 18 interface Serial0/1 16
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 clockrate 56000
 cdp enable
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/0 18
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 clockrate 56000
 cdp enable
 frame-relay intf-type dce
 frame-relay route 17 interface Serial0/0 16
!
interface Serial0/3
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
no ip http server
!
line con 0
 password cisco
 login
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
end
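A consistency check for the Frame Relay switch configuration above and the frame-relay map statements from Step 2, as an added example that is not part of the Cisco lab: it parses the switch’s frame-relay route statements, reports any one-way PVC (a route with no reverse entry, which is the usual cause of a PVC that shows up as defined but never passes a ping), and resolves, for every map on the three routers, which router physically terminates that DLCI. The route and map lines are transcribed from this lab; the table of which switch port each router is cabled to is taken from the alternate diagram. The function and variable names are this example’s own.

```python
"""Frame Relay switch route / router map consistency check (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Transcribed from the Frame-Switch configuration in this lab.
SWITCH_CONFIG = """
interface Serial0/0
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/2 17
 frame-relay route 18 interface Serial0/1 16
!
interface Serial0/1
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/0 18
!
interface Serial0/2
 frame-relay intf-type dce
 frame-relay route 17 interface Serial0/0 16
"""

# Transcribed from the Step 2 router configurations.
ROUTER_MAPS = {
    "SanJose3": "frame-relay map ip 192.168.192.2 18 broadcast\n"
                "frame-relay map ip 192.168.192.4 16 broadcast",
    "London": "frame-relay map ip 192.168.192.1 16 broadcast\n"
              "frame-relay map ip 192.168.192.4 16 broadcast",
    "Singapore": "frame-relay map ip 192.168.192.1 17 broadcast\n"
                 "frame-relay map ip 192.168.192.2 17 broadcast",
}
ADDRESS_OF = {"SanJose3": "192.168.192.1", "London": "192.168.192.2",
              "Singapore": "192.168.192.4"}
# Which switch port each router is cabled to (alternate diagram).
ATTACHED_TO = {"SanJose3": "Serial0/0", "London": "Serial0/1",
               "Singapore": "Serial0/2"}

IF_RE = re.compile(r"^interface (\S+)")
ROUTE_RE = re.compile(r"frame-relay route (\d+) interface (\S+) (\d+)")
MAP_RE = re.compile(r"frame-relay map ip (\S+) (\d+)")

Hop = Tuple[str, int]  # (switch interface, DLCI)


def parse_switch_routes(config: str) -> Dict[Hop, Hop]:
    """Map (in_if, in_dlci) -> (out_if, out_dlci) from frame-relay route lines."""
    routes: Dict[Hop, Hop] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = IF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROUTE_RE.search(line)
        if m and current:
            routes[(current, int(m.group(1)))] = (m.group(2), int(m.group(3)))
    return routes


def one_way_pvcs(routes: Dict[Hop, Hop]) -> List[Hop]:
    """Entries whose reverse route is missing: frames go out but cannot come back."""
    return sorted(k for k, v in routes.items() if routes.get(v) != k)


def resolve_maps(routes: Dict[Hop, Hop], router_maps: Dict[str, str],
                 address_of: Dict[str, str], attached_to: Dict[str, str]):
    """For every (router, mapped peer) pair, name the router at the far end of
    the DLCI used, or None when the switch has no route for that DLCI on the
    port the router is cabled to."""
    port_owner = {port: name for name, port in attached_to.items()}
    owner_of_ip = {ip: name for name, ip in address_of.items()}
    result = {}
    for router, text in router_maps.items():
        for m in MAP_RE.finditer(text):
            peer = owner_of_ip.get(m.group(1), m.group(1))
            far = routes.get((attached_to[router], int(m.group(2))))
            result[(router, peer)] = port_owner.get(far[0]) if far else None
    return result


if __name__ == "__main__":
    routes = parse_switch_routes(SWITCH_CONFIG)
    print("one-way PVCs:", one_way_pvcs(routes))
    for key, far_end in resolve_maps(routes, ROUTER_MAPS, ADDRESS_OF, ATTACHED_TO).items():
        print(f"{key[0]} -> {key[1]} terminates at {far_end}")
```

The resolution output makes the hub-and-spoke property visible: London’s map for Singapore (and Singapore’s for London) physically terminates at SanJose3, which is why the hub must be configured with the broadcast keyword on both PVCs for OSPF traffic between the spokes to be forwarded.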


3.7.1 Configuring EIGRP with IGRP

[Diagram: Singapore: Fa0/0 192.168.232.1 /24, S0/0 192.168.224.2 /30, S0/1 192.168.240.1 /30. SanJose3: Fa0/0 192.168.1.3 /24, S0/0 192.168.224.1 /30, Lo0 192.168.0.2 /24. Auckland: S0/0 192.168.240.2 /30, Fa0/0 192.168.248.1 /24. EIGRP AS 100 runs on the SanJose3 to Singapore link; IGRP AS 100 runs on the Singapore to Auckland link.]

Objective

In this lab, the student will configure both EIGRP and IGRP within the International Travel Agency WAN and observe the automatic sharing of route information between both protocols.

Scenario

The International Travel Agency migrated from IGRP to EIGRP between its overseas headquarters and its North American headquarters. However, the Auckland headquarters is still unable to support EIGRP and must continue running IGRP for the time being. EIGRP must be configured on the SanJose3 and Singapore routers so that they can exchange information with the Auckland router.

Step 1. Build and configure the network according to the diagram, but do not configure EIGRP or IGRP yet. Use ping to verify the work and test connectivity between serial interfaces. SanJose3 should be unable to ping Auckland until a routing protocol is enabled.

1-3

Routing Section 3: EIGRP – Lab 3.7.1

Copyright © 2002, Cisco Systems, Inc.

Step 2. On the Auckland router, configure IGRP for AS 100:

Auckland(config)#router igrp 100
Auckland(config-router)#network 192.168.248.0
Auckland(config-router)#network 192.168.240.0

Because the Singapore router has to use IGRP to communicate with the Auckland router, configure the Singapore router for IGRP, but only on the network connected via the serial interface to Auckland.

Singapore(config)#router igrp 100
Singapore(config-router)#network 192.168.240.0

Step 3. Configure EIGRP. In order to redistribute routes from IGRP to EIGRP automatically, use the same AS number for each routing process. On the Singapore router, enter these commands:

Singapore(config)#router eigrp 100
Singapore(config-router)#network 192.168.224.0
Singapore(config-router)#network 192.168.232.0

To complete the configuration, configure EIGRP on the SanJose3 router:

SanJose3(config)#router eigrp 100
SanJose3(config-router)#network 192.168.224.0
SanJose3(config-router)#network 192.168.0.0
SanJose3(config-router)#network 192.168.1.0

Step 4. After enabling routing processes on each of the three routers, verify their operation using the show ip route command on the Singapore router. The Singapore router should have routes to all networks.

1. Based on the output of this command, which of the routes was learned via EIGRP?

2. Which route was learned via IGRP?

Now issue the show ip route command on the SanJose3 router, the EIGRP router. The SanJose3 router received EIGRP routes that are internal to the EIGRP domain, 192.168.224.0. The SanJose3 router also received routes that are external to the domain, 192.168.240.0 and 192.168.248.0. Notice that these routes are differentiated in the table. Internally learned routes have a D, and externally learned routes are denoted by a D EX.

3. What is the administrative distance of an internal EIGRP route?

4. What is the administrative distance of an external EIGRP route?

Now issue the show ip route command on the Auckland router, the IGRP router.


5. Does it tell which IGRP routes are internal and which are external based on the information in this table?

6. What is the administrative distance of an IGRP route?

Step 5. Now that EIGRP and IGRP are configured, use show commands to view EIGRP’s neighbor and topology tables on the SanJose3 router. From the SanJose3 router, issue the show command to view the neighbor table:

SanJose3#show ip eigrp neighbor

7. The Auckland router is not an EIGRP neighbor of the SanJose3 router. Why not?

To view the topology table, issue the show ip eigrp topology all-links command.

8. How many routes are in passive mode?

To view more specific information about a topology table entry, use an IP address with this command:

SanJose3#show ip eigrp topology 192.168.248.0

9. Based on the output of this command, does it tell what external protocol originated this route to 192.168.248.0?

10. Does it tell which router originated the route?

Finally, use show commands to view key EIGRP statistics. On the SanJose3 router, issue the show ip eigrp traffic command.

11. How many hello packets has the SanJose3 router received? How many has it sent?


3.7.2 Configuring EIGRP Fault Tolerance

[Diagram: EIGRP AS 100, full mesh. Westamap: Fa0/0 192.168.72.1 /24, S0/0 192.168.64.2 /30, S0/1 192.168.64.6 /30. SanJose1: S0/0 192.168.64.1 /30, Fa0/0 192.168.1.1 /24. SanJose2: S0/0 192.168.64.5 /30, Fa0/0 192.168.1.2 /24.]

Objective

In this lab, the student will configure EIGRP over a full mesh topology. The student will observe DUAL replace a successor with a feasible successor after a link failure.

Scenario

The International Travel Agency wants to run EIGRP on its core, branch, and regional routers. EIGRP is to be configured and tested for its ability to install alternate routes in the event of link failure.

Step 1. Build and configure the network according to the diagram, configuring EIGRP as indicated for AS 100. Check each serial interface’s bandwidth and change to 1544 if necessary. Use the show interface command to verify the configuration. Use ping and show ip route to verify the work and test connectivity between all routers.

Step 2. Verify that EIGRP maintains all routes to destination networks in its topology table. From the SanJose2 router, issue the show ip eigrp topology all-links command:

SanJose2#show ip eigrp topology all-links
IP-EIGRP Topology Table for AS(100)/ID(192.168.64.5)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status

P 192.168.72.0/24, 1 successors, FD is 20514560, serno 10
        via 192.168.64.6 (20514560/28160), Serial0/0
        via 192.168.1.1 (20517120/20514560), FastEthernet0/0
P 192.168.64.0/30, 1 successors, FD is 21024000, serno 11
        via 192.168.64.6 (21024000/2169856), Serial0/0
P 192.168.64.0/24, 1 successors, FD is 20512000, serno 4
        via Summary (20512000/0), Null0
        via 192.168.1.1 (20514560/20512000), FastEthernet0/0
P 192.168.64.4/30, 1 successors, FD is 20512000, serno 3
        via Connected, Serial0/0
P 192.168.1.0/24, 0 successors, FD is Inaccessible, serno 0
        via 192.168.64.6 (21026560/2172416), Serial0/0

1-3

Routing Section 3: EIGRP – Lab 3.7.2

Copyright © 2002, Cisco Systems, Inc.

The SanJose2 router’s topology table includes two paths to the 192.168.72.0 network. Use the show ip route command to determine which of the two is installed in SanJose2’s routing table.

1. Which route is installed?

2. According to the output of the show ip eigrp topology all-links command, what is the feasible distance (FD) for the route 192.168.72.0?

Both paths to 192.168.72.0 are listed in the topology table with their computed distance and reported distance in parentheses. Computed distance is listed first.

3. What is the reported distance (RD) of the route to 192.168.72.0 via 192.168.1.1?

4. Is this RD greater than, less than, or equal to the route’s FD?

Step 3. Use the debug eigrp fsm command to observe how EIGRP deals with the loss of a successor to a route. On the SanJose2 router, issue the command debug eigrp fsm. Next, shut down or unplug the SanJose2 router’s serial connection. This causes the SanJose2 router to lose its preferred route to 192.168.72.0 via 192.168.64.6. Examine the debug eigrp fsm output for information regarding the route to 192.168.72.0, as shown in the following example:

0:25:25: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:25:25: DUAL: Find FS for dest 192.168.72.0/24. FD is 20514560, RD is 20514560
00:25:25: DUAL: 192.168.64.6 metric 4294967295/4294967295
00:25:25: DUAL: 192.168.1.1 metric 20517120/20514560 not found Dmin is 20517120
00:25:25: DUAL: Dest 192.168.72.0/24 entering active state.
00:25:25: DUAL: Set reply-status table. Count is 1.
00:25:25: DUAL: Not doing split horizon
00:25:25: DUAL: dual_rcvreply(): 192.168.72.0/24 via 192.168.1.1 metric 20517120/20514560
00:25:25: DUAL: Count is 1
00:25:25: DUAL: Clearing handle 0, count is now 0
00:25:25: DUAL: Freeing reply status table
00:25:25: DUAL: Find FS for dest 192.168.72.0/24. FD is 4294967295, RD is 4294967295 found
00:25:25: DUAL: Removing dest 192.168.72.0/24, nexthop 192.168.64.6
00:25:25: DUAL: RT installed 192.168.72.0/24 via 192.168.1.1
00:25:25: DUAL: Send update about 192.168.72.0/24. Reason: metric chg
00:25:25: DUAL: Send update about 192.168.72.0/24. Reason: new if


The lines of the sample output beginning with DUAL: Find FS show DUAL attempting to locate a feasible successor (FS) for 192.168.72.0. In this case, DUAL failed to find a feasible successor, and the router entered the active state. After querying its EIGRP neighbors, SanJose2 locates and installs a route to 192.168.72.0/24 via 192.168.1.1.

Step 4. Verify that the new route has been installed by using the show ip route command. Bring the SanJose2 router serial interface back up. The route via 192.168.64.6 should be restored as the preferred route to the 192.168.72.0 network.
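The feasibility condition that Steps 2 and 3 have the student read off the topology table and the debug output, worked as an added example (not Cisco’s code): the block parses the SanJose2 show ip eigrp topology all-links output from Step 2, picks the successor (lowest computed distance), keeps as feasible successors only paths whose reported distance is strictly less than the feasible distance, and models what DUAL does when the successor is lost. For 192.168.72.0/24 the second path reports 20514560, which is not less than the FD of 20514560, so there is no feasible successor and the route goes active, exactly as the Step 3 debug shows. The SAMPLE text is transcribed from the lab output; the metrics in the second test scenario are constructed, and the function names are this example’s own.

```python
"""DUAL successor / feasible successor computation (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INACCESSIBLE = 4294967295  # EIGRP "infinite" metric, as seen in the debug output

# Transcribed from the lab's SanJose2 topology table.
SAMPLE = """\
P 192.168.72.0/24, 1 successors, FD is 20514560, serno 10
        via 192.168.64.6 (20514560/28160), Serial0/0
        via 192.168.1.1 (20517120/20514560), FastEthernet0/0
P 192.168.64.0/30, 1 successors, FD is 21024000, serno 11
        via 192.168.64.6 (21024000/2169856), Serial0/0
P 192.168.64.0/24, 1 successors, FD is 20512000, serno 4
        via Summary (20512000/0), Null0
        via 192.168.1.1 (20514560/20512000), FastEthernet0/0
P 192.168.64.4/30, 1 successors, FD is 20512000, serno 3
        via Connected, Serial0/0
P 192.168.1.0/24, 0 successors, FD is Inaccessible, serno 0
        via 192.168.64.6 (21026560/2172416), Serial0/0
"""


@dataclass(frozen=True)
class Path:
    next_hop: str
    computed: int    # CD: metric through this neighbor as seen locally
    reported: int    # RD: metric the neighbor itself advertises
    interface: str


DEST_RE = re.compile(r"^P (\S+), \d+ successors, FD is ([^,\s]+)")
VIA_RE = re.compile(r"via (\S+) \((\d+)/(\d+)\), (\S+)")


def parse_topology(text: str) -> Dict[str, Tuple[int, List[Path]]]:
    """Return {prefix: (FD, [Path, ...])}. 'via Connected' lines carry no metrics."""
    table: Dict[str, Tuple[int, List[Path]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEST_RE.match(line)
        if m:
            fd = INACCESSIBLE if m.group(2) == "Inaccessible" else int(m.group(2))
            current = m.group(1)
            table[current] = (fd, [])
            continue
        m = VIA_RE.search(line)
        if m and current is not None:
            table[current][1].append(
                Path(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return table


def classify(fd: int, paths: List[Path]) -> Tuple[Path, List[Path]]:
    """Successor = lowest CD; feasible successors satisfy RD < FD (strict)."""
    successor = min(paths, key=lambda p: p.computed)
    feasible = [p for p in paths if p is not successor and p.reported < fd]
    return successor, feasible


def lose_successor(fd: int, paths: List[Path]):
    """Model DUAL when the successor's link goes down.

    Returns (state, new_successor, new_fd): 'passive' when a feasible successor
    is promoted locally (FD unchanged, no queries sent); 'active' when the
    router must query its neighbors, after which the FD is reset to the new
    successor's CD, as in the lab debug output."""
    successor, feasible = classify(fd, paths)
    if feasible:
        new = min(feasible, key=lambda p: p.computed)
        return "passive", new, fd
    remaining = [p for p in paths if p is not successor]
    if not remaining:
        return "active", None, INACCESSIBLE
    new = min(remaining, key=lambda p: p.computed)
    return "active", new, new.computed


if __name__ == "__main__":
    fd, paths = parse_topology(SAMPLE)["192.168.72.0/24"]
    print("successor / feasible:", classify(fd, paths))
    print("after losing successor:", lose_successor(fd, paths))
```

The same functions answer questions 2 to 4 above directly: the FD is 20514560, the RD via 192.168.1.1 is 20514560, and because the condition is strict (RD must be less than FD) that equality is enough to deny the path feasible-successor status.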


3.7.3 Configuring EIGRP Summarization

[Diagram: EIGRP AS 100. Westasman: Fa0/0 172.16.8.1 /24; Lo0 172.16.9.1 /24, Lo1 172.16.10.1 /24, Lo2 172.16.11.1 /24, Lo3 172.16.12.1 /24, Lo4 172.16.13.1 /24, Lo5 172.16.14.1 /24, Lo6 172.16.15.1 /24; S0/1 192.168.64.6 /30; S0/0 192.168.64.2 /30. SanJose1: S0/0 192.168.64.1 /30, Fa0/0 172.16.1.1 /24. SanJose2: S0/0 192.168.64.5 /30, Fa0/0 172.16.1.2 /24.]

Objective

In this lab, the student will configure EIGRP to test its operation over discontiguous subnets by disabling automatic route summarization. (Discontiguous subnets are subnets from one major network that are separated by a subnet, or subnets, from another major network.) Then the student will manually configure EIGRP to use specific summary routes.

Scenario

The International Travel Agency uses VLSM to conserve IP addresses. All LANs are addressed using contiguous subnets, but the company would like to examine the effects of discontiguous subnets using EIGRP for future reference. The existence of multiple networks is simulated by loopback interfaces on the Westasman router. The WAN links are addressed using 192.168.64.0 with a 30-bit mask. Because this scheme creates discontiguous subnets, the default summarization behavior of EIGRP should result in incomplete routing tables. The problem should be resolved by disabling EIGRP’s default summarization while maintaining a route summary at the Westasman router with manual route summarization.

Step 1. Build and configure the network according to the diagram. This configuration requires the use of subnet zero (0). The ip subnet-zero command may need to be entered depending on which IOS version is used. Configure the Westasman router with seven loopback interfaces using the IP addresses from the diagram. These interfaces simulate the existence of multiple networks behind the Westasman router. Configure EIGRP as indicated for AS 100. Use ping to verify that all serial interfaces can ping each other.

Note: Until additional configurations are performed, not all networks will appear in each router’s routing table.

1-1

Routing Section 3: EIGRP – Lab 3.7.1

Copyright © 2001, Cisco Systems, Inc.

Step 2. Use show ip route to check SanJose1’s routing table.

1. Which routes are missing?

The SanJose1 router has installed a ’summary route’ to network 172.16.0.0 /16 via Null0. EIGRP routers create these summary routes automatically. Because the local router, in this case the SanJose1 router, has generated the summary, there is no next hop for the route. Therefore, the SanJose1 router maps this summary route to its null interface.

2. Look again at SanJose1’s routing table. What is the subnet mask for the route to 192.168.64.0?

Check Westasman’s routing table.

3. Which route is missing?

Examine SanJose2’s routing table.

4. Which routes are missing?

If these routing tables are to be complete, EIGRP must not automatically summarize routes based on classful boundaries.

Step 3. In this step, disable EIGRP’s automatic summarization feature. On each router, issue these commands:

Westasman(config)#router eigrp 100
Westasman(config-router)#no auto-summary

After these commands are issued on all three routers, return to the SanJose1 router and type the show ip route command.

5. What has changed in SanJose1’s routing table?

All three routers should now have complete routing tables.

Step 4. Now that autosummarization is disabled, the International Travel Agency’s routers should build complete routing tables. Unfortunately, this would mean that the Westasman router would be advertising eight routes that should be summarized for efficiency. Use EIGRP’s manual summarization feature to summarize these addresses.


The Westasman router should be advertising the existence of eight subnets:

172.16.8.0
172.16.9.0
172.16.10.0
172.16.11.0
172.16.12.0
172.16.13.0
172.16.14.0
172.16.15.0

The first 21 bits of these addresses are the same, so a summary route for all subnets can be created using a /21 prefix, 255.255.248.0 in dotted-decimal notation. Because the Westasman router must advertise the summary route to the SanJose1 and SanJose2 routers, enter the following commands on the Westasman router:

Westasman(config)#interface s0/0
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0
Westasman(config-if)#interface s0/1
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0

These commands configure EIGRP to advertise summary routes for AS 100 via the serial 0 and 1 interfaces. Verify this configuration by issuing the show ip protocols command.

6. Which metric is the Westasman router using for its address summarization?

After verifying manual address summarization on the Westasman router, check the routing tables on the SanJose1 and SanJose2 routers.

7. What has happened in RTA’s table since it was examined in Step 3?

From the SanJose1 or SanJose2 router, verify that 172.16.8.1 can be pinged. 172.16.15.1 should also be reachable by ping from the SanJose1 router.

8. Is there a route to 172.16.15.0 in the SanJose1 router’s routing table? Explain.
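The two summarization behaviours this lab contrasts, worked as an added example that is not part of the Cisco lab: the classful summary that auto-summary sends across a major-network boundary (Step 2: both SanJose1 and Westasman advertise 172.16.0.0/16 over the 192.168.64.0 links, so each hides the other’s 172.16 subnets), and the smallest single prefix covering a list of subnets (Step 4: the 21 bits shared by 172.16.8.0 through 172.16.15.0 give 172.16.8.0/21). It goes one step beyond the lab by also listing address space a summary covers that is not actually behind the router, which the summarizing router itself sends to Null0. The subnet list is the lab’s; the function names and the three-subnet case in the test are this example’s own.

```python
"""EIGRP auto-summary and manual summary computation (added example)."""
import ipaddress
from typing import List

# Subnets behind the Westasman router, from the lab.
LAB_SUBNETS = [
    "172.16.8.0/24", "172.16.9.0/24", "172.16.10.0/24", "172.16.11.0/24",
    "172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24",
]


def classful_summary(prefix: str) -> ipaddress.IPv4Network:
    """The classful network that EIGRP auto-summary advertises for a prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)


def summary_route(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Longest mask whose single block covers every listed subnet.

    Shortens the mask one bit at a time from the shortest listed prefix until
    the block starting at the lowest address also reaches the highest one."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        cand = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{plen}", strict=False)
        if int(cand.broadcast_address) >= hi:
            return cand
        plen -= 1
    return ipaddress.ip_network("0.0.0.0/0")


def extra_space(summary: ipaddress.IPv4Network, prefixes: List[str]) -> List[str]:
    """Subnets (at the finest listed mask) inside the summary that are not listed.

    Traffic for these lands on the summarizing router's Null0 route."""
    listed = {ipaddress.ip_network(p, strict=False) for p in prefixes}
    finest = max(n.prefixlen for n in listed)
    if finest <= summary.prefixlen:
        return []
    return [str(s) for s in summary.subnets(new_prefix=finest) if s not in listed]


def ios_summary_command(asn: int, summary: ipaddress.IPv4Network) -> str:
    """The interface command the lab uses to advertise a manual summary."""
    return f"ip summary-address eigrp {asn} {summary.network_address} {summary.netmask}"


if __name__ == "__main__":
    print("auto-summary of 172.16.9.0/24 ->", classful_summary("172.16.9.0/24"))
    print("auto-summary of 172.16.1.0/24 ->", classful_summary("172.16.1.0/24"))
    s = summary_route(LAB_SUBNETS)
    print("manual summary:", s, "extra:", extra_space(s, LAB_SUBNETS))
    print(ios_summary_command(100, s))
```

Both LAN sides of the WAN in this lab auto-summarize to the same 172.16.0.0/16, which is why the classful summaries collide and Step 3 has to disable auto-summary; the /21 for the eight loopback subnets covers no unused space, so the manual summary loses nothing.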


3.8.1 EIGRP Challenge Lab

[Diagram: EIGRP AS 100 among Capetown, SanJose3 and Singapore; IGRP AS 100 between Singapore and Auckland. Capetown: Lo0 192.168.216.1/24, S0/0 192.168.208.2/24. Singapore: Lo0 192.168.232.1/24, S0/0 192.168.224.2/24, S0/0 192.168.240.1/24. SanJose3: S0/0 192.168.208.1/24, S0/0 192.168.224.1/24, Lo0 192.168.1.3/24, Lo1 192.168.0.2/24. Auckland: S0/0 192.168.240.2/24, Lo0 192.168.248.1/24.]

Objective

In this lab, the student will configure an International Travel Agency EIGRP WAN link with one IGRP segment within the same autonomous system. The student will also use EIGRP interface summarization to reduce the number of routes in an EIGRP routing table.

Scenario

The International Travel Agency is migrating from IGRP to EIGRP between its overseas headquarters and its North American headquarters. Unfortunately, the Auckland headquarters must continue running IGRP between itself and Singapore. To help reduce the EIGRP routing table of the SanJose3 router, the Singapore router should be configured to advertise only a summary of the Auckland addresses. This will cause both the SanJose3 and Capetown routers to receive summaries of the Auckland address space, which will result in smaller routing tables on both SanJose3 and Capetown.

Design Considerations

Before this lab is begun, it is recommended that each router be reloaded after its startup configuration is erased. This prevents problems caused by residual configurations. It is also recommended that the network be built and configured according to the diagram. However, do not configure EIGRP or IGRP until the connectivity between directly connected networks can be verified and tested. The respective loopback addresses simulate local networks, so no physical connections for local Ethernet networks need to be made.

Implementation Completion Tests

• A successful ping to every network interface from every router.

Capture Files/Printouts

After initial EIGRP and IGRP configuration, but before interface summarization, capture or print the following output:

• show run and show ip route for each router.
• show ip eigrp neighbor of the SanJose3 and Singapore routers.
• show ip eigrp topology all-links of the SanJose3 and Singapore routers.

After interface summarization, capture or print the following output:

• show run and show ip route of the Singapore router.
• show ip route of the SanJose3 and Capetown routers.

1-2

Routing Section 3: EIGRP – Lab 3.8.1

Copyright © 2002, Cisco Systems, Inc.


Routing Resources

TCP/IP

Academy Curriculum:
TCP/IP is a two level addressing scheme
http://ccnp.netacad.net/protdoc/curriculum/sem5sv_v2/en/ch2/2_1_1/index.html

CCO:
An overview on TCP/IP and Cisco’s implementation, as well as a brief look into IP routing protocols.
http://www.cisco.com/warp/public/535/4.html
A summary of addressing and subnetting with IP.
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cwhubs/starvwug/83428.htm
Information on configuring IP with Cisco IOS.
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/tsc_r/54008.htm

Internet:
Extensive information on the TCP/IP protocol with almost everything you need and many things you don’t need.
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf
OSI model and TCP/IP model and how the two go together. Very good descriptions without all the technical details.
http://mike.passwall.com/networking/netmodels/tcpip5layermodel.html
Q&A on TCP/IP. Find answers to various questions about the protocol.
http://www.geocities.com/SiliconValley/Vista/8672/network/
Article about TCP/IP with its history.
http://www.networkmagazine.com/article/NMG20000727S0022
Short summary on TCP/IP with descriptions of its layers and some properties of the protocol.
http://userpages.umbc.edu/~jack/ifsm498d/tcpip-intro.html
Tutorial about TCP/IP from the RFC.
ftp://ftp.isi.edu/in-notes/rfc1180.txt
FAQ on TCP/IP, good for people who want to know what TCP/IP is if they have no background in it.
http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/

Copyright © 2002, Cisco Systems, Inc.

Routing: Resources 1-1

VLSM

Academy Curriculum:
Use more than one subnet mask in your network and maximize addressing efficiency.
http://ccnp.netacad.net/protdoc/curriculum/sem5sv_v2/en/ch2/2_3_1/index.html

CCO:
A complete example of subnetting with VLSMs.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd20a.htm

Internet:
Very short description of VLSM and why it was made. Offers few details of the actual subnetting procedures. Good read to find out what VLSM is.
http://www.faqs.org/faqs/cisco-networking-faq/section-37.html
Tutorial on subnet masking and VLSM. Good place to learn how to do subnet masking with VLSM.
http://www.wildpackets.com/compendium/IP/IPVLSM.html
Extensive information on VLSM. Teaches how to do subnets, how the routing works, problems associated with it, and some FAQs. Good place to learn VLSM in detail.
http://khimich.com/books/ebooks/IP%20Addressing%20&%20Subnetting/69_ipad_ce_05.htm

Single-Area OSPF

Academy Curriculum:
Comparing the differences between RIP and OSPF. Configure single-area OSPF on your router.
http://ccnp.netacad.net/protdoc/curriculum/sem5sv_v2/en/ch4/4_3_1/index.html

CCO:
Background and specifications of the OSPF routing protocol.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
A guide to configuring OSPF.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/ospf.htm


Internet:
Short summary on deploying single-area OSPF. Very short reading.
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rras-ch3_04e.htm

EIGRP

Academy Curriculum:
Let's take a look at EIGRP Fundamentals.
http://ccnp.netacad.net/protdoc/curriculum/sem5sv_v2/en/ch6/6_1_1/index.html

CCO:
Background and a summary of EIGRP.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/en_igrp.htm
Detailed information on configuring EIGRP.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfeigrp.htm

Internet:
Definition of EIGRP for basic knowledge without knowing the intricate details of the protocol.
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214442,00.html
Good summary of EIGRP with short but detailed descriptions of the various parts of the protocol. Explains the parts of the packets and metrics very well.
http://www.rware.demon.co.uk/eigrp.htm
Short description of EIGRP and some commands and a simple comparison with other routing protocols.
http://www.routeru.com/arc/EIGRP/eigrp.htm


Section 1

WANs

Table of Contents

WANs
Overview
Objectives
1.1 Remote Access
1.1.1 WAN connection types
1.1.2 Dedicated connections
1.1.3 Dedicated connections (cont')
1.1.4 Circuit-switched connections
1.1.5 Asynchronous dialup connections
1.1.6 ISDN connections
1.1.7 Packet-switched networks
1.1.8 WAN encapsulation protocols
1.2 Selecting Appropriate WAN Technologies
1.2.1 Choosing a WAN connection
1.2.2 Identifying site requirements and solutions
1.2.3 Central-site considerations
1.2.4 Branch-office considerations
1.2.5 Telecommuter-site considerations
1.3 Selecting Cisco Remote Access Solutions
1.3.1 Routers
1.3.2 Determining the appropriate interfaces - fixed interfaces
1.3.3 Determining the appropriate interfaces - modular interfaces
1.4 Assembling and Cabling WAN Components
1.4.1 Network Overview
1.4.2 Central site router equipment
1.4.3 Central site router equipment (cont')
1.4.4 Branch office router equipment
1.4.5 Telecommuter-site router equipment
1.5 Case Study
1.5.1 International Travel Agency (ITA)
1.6 Introductory Lab Exercises
1.6.1 Getting started and building Start.TXT
1.6.2 Capturing HyperTerminal and Telnet sessions
1.6.3 Access control list basics and extended ping
Summary


Remote Access Section 1: WANs

Copyright  2002, Cisco Systems, Inc.

Overview

Figure 1 Typical Corporate Network Topology (diagram labels: Central site, AAA Server, Modem, BRI, PRI, Serial, Async, ISDN/analog, Frame Relay Service, Windows 98 PC, Branch Office)

This chapter covers various remote access technologies and considerations that face an enterprise when it builds its corporate network. In addition, this chapter shows you how to connect remote sites via WAN connections. Finally, this chapter explains what router platform to install and how to cable it, depending on the environment.

Over the last several years, web-based applications, wireless devices, and virtual private networking (VPN) have changed our expectations about computer networks. Today's corporate networks are accessible virtually anytime from anywhere with many users expecting some degree of access to their company's network while at home or on the road. Corporate networks are typically built around one central site that houses key network resources. These resources include file servers, web servers, and e-mail servers that deliver information and services to all users in a company. Such services are readily accessible to central site users by way of the LAN. But how will users working remotely gain access to these resources? A networking professional provides users with remote access to the network. Remote users may be working at branch offices or home offices, or they may even be on the road with a laptop or a handheld mobile device. Essentially, a remote user is any user who is not presently working at the company's central site. Figure [1] presents several remote access solutions. Remote access solutions come in all shapes and sizes. Each company's solution typically involves a combination of varied WAN services. Most of these services are obtained from a service provider, such as a regional telecommunications company. Since the transmission facilities belong to a service provider, the task is to select the appropriate service, not actually to design and maintain the WAN facilities themselves. Types of available WAN services and their costs vary depending on geographical region and the provider. Real-world budgetary constraints and service availability are often the overriding selection criteria.


In order to implement the most appropriate solution, the advantages and disadvantages of the different types of WAN services must be understood. This chapter surveys the general types of WAN connections and provides criteria to use in selecting the service, or blend of services, best suited to the organization's needs, budget, and geography. In addition, this chapter offers guidelines for selecting the best remote access solution from the large number of available products.


Objectives

After completing this chapter, the student will be able to perform tasks relating to:

1.1 Remote Access
1.2 Selecting Appropriate WAN Technologies
1.3 Selecting Cisco Remote Access Solutions
1.4 Assembling and Cabling WAN Components
1.5 Case Study
1.6 Introductory Lab Exercises


1.1 Remote Access

1.1.1 WAN connection types

Figure 1 Remote Access Overview

Figure 2 Character Framing in Asynchronous Communication


Figure 3 WAN Connection Types

A WAN is a data communications network that covers a relatively broad geographic area, often using transmission facilities leased from service providers and telephone companies. As shown in Figure [1], WANs are used to connect various users and devices so they can exchange information. There are two basic methods of data communications: asynchronous transmission and synchronous transmission. Typically, synchronous communications are more efficient, but dial-up asynchronous transmission is usually cheaper and more readily available.

Asynchronous Transmission

Asynchronous means "without respect to time." In terms of data transmission, asynchronous means that no clock or timing source is needed to keep both the sender and the receiver synchronized. Without the benefit of a clock, the sender must signal the start and stop of each character so that the receiver knows when to expect data. Asynchronous transmission is often described as "character-framed" or "start/stop" communication because this method frames each character with a start and stop bit. Each character is typically a 7- or 8-bit value that can represent a number, a letter, a punctuation mark, etc. Each character is preceded by a start bit and followed by a stop bit, or in some cases, two stop bits (see Figure [2]). An additional bit may be added for parity error checking prior to the first stop bit.

Synchronous Transmission

Synchronous means "with time." In terms of data transmission, "synchronous" means that a common timing signal is used between hosts. A clock signal is either embedded in the data stream or is sent separately to the interfaces.


If two hosts use a timing signal to "synch up," start and stop bits for every 8-bit character value are not necessary. Instead, a large amount of data (e.g., hundreds or even thousands of bytes) can be preceded by synchronization bits. For example, in Ethernet a field of synchronization bits precedes the data payload. This field of synchronization bits, called a preamble, forms a pattern of alternating ones and zeros. The receiver uses this pattern to synchronize with the sender. Service providers offer a variety of synchronous and asynchronous WAN services. These services can be grouped into three categories depending on their connection type:

• dedicated connectivity
• circuit-switched networks
• packet-switched networks

Figure [3] illustrates these three different types of WAN connections. Each connection type offers distinct advantages and disadvantages, which are described in the following sections.
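The start/stop character framing described in 1.1.1 above, as an added example in Python (it is not code from the original CCNA text). It assumes a UART-style line that idles high, sends the data bits least-significant bit first, and reports parity and framing errors the way a serial receiver does; the "OK" sample and the bit flips applied to it are constructed for illustration.

```python
"""Asynchronous (start/stop) character framing as described in 1.1.1.

Added example, not part of the original CCNA text. It builds the bit
stream a UART puts on a line for one character: a start bit (0), 7 or 8
data bits (least significant bit first), an optional parity bit and one
or two stop bits (1). The line idles at 1, so the 1-to-0 transition of
the start bit is the only thing that tells the receiver a character is
coming; no shared clock is involved.
"""


def parity_bit(data_bits, mode):
    """Parity bit that makes the number of 1s (data + parity) even or odd."""
    ones = sum(data_bits)
    if mode == "even":
        return ones % 2
    if mode == "odd":
        return (ones + 1) % 2
    raise ValueError("parity must be 'even' or 'odd'")


def frame_char(value, data_bits=8, parity=None, stop_bits=1):
    """Return the line bits for one character in wire order."""
    if not 0 <= value < (1 << data_bits):
        raise ValueError("value does not fit in %d data bits" % data_bits)
    data = [(value >> i) & 1 for i in range(data_bits)]   # LSB first
    bits = [0] + data                                     # start bit, then data
    if parity:
        bits.append(parity_bit(data, parity))
    return bits + [1] * stop_bits


def unframe(line, data_bits=8, parity=None, stop_bits=1):
    """Decode an idle-high bit stream into (value, status) pairs.

    status is 'ok', 'parity error' (parity bit disagrees with the data)
    or 'framing error' (a stop bit was not 1, so the receiver is no
    longer aligned with the sender's characters).
    """
    frame_len = 1 + data_bits + (1 if parity else 0) + stop_bits
    out, i = [], 0
    while i < len(line):
        if line[i] == 1:               # idle line: wait for a start bit
            i += 1
            continue
        frame = line[i:i + frame_len]
        if len(frame) < frame_len:
            out.append((None, "truncated"))
            break
        data = frame[1:1 + data_bits]
        value = sum(b << k for k, b in enumerate(data))
        status = "ok"
        pos = 1 + data_bits
        if parity:
            if frame[pos] != parity_bit(data, parity):
                status = "parity error"
            pos += 1
        if any(b != 1 for b in frame[pos:pos + stop_bits]):
            status = "framing error"
        out.append((value, status))
        i += frame_len
    return out


def demo():
    """Frame 'OK' as 8E1 (constructed sample), then corrupt it: one
    flipped bit is caught by parity, two flipped bits in the same
    character are not."""
    line = [1, 1]                                   # a little idle time first
    for byte in b"OK":
        line += frame_char(byte, parity="even")
    clean = unframe(line, parity="even")
    one_flip = list(line)
    one_flip[3] ^= 1                                # first data bit of 'O'
    two_flips = list(one_flip)
    two_flips[4] ^= 1                               # second data bit of 'O'
    return clean, unframe(one_flip, parity="even"), unframe(two_flips, parity="even")


if __name__ == "__main__":
    for name, result in zip(("clean", "one bit flipped", "two bits flipped"), demo()):
        print("%-17s %s" % (name, result))
```

Parity catches an odd number of flipped bits within one character and nothing more, and a framing error only tells the receiver it has lost character alignment. Neither is an integrity check, which is why the link-layer protocols in 1.1.8 add a frame check sequence over the whole frame, and why anything security-sensitive still needs authentication on top of that.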

1.1.2 Dedicated connections

Figure 1 Dedicated Connections


Figure 2 Dedicated Serial Connections

A dedicated connection is a continuously available point-to-point link between two sites. Dedicated connections typically carry high-speed transmissions. Because of the expense associated with building and maintaining transmission facilities, dedicated connections are almost always leased from the telephone company or some other carrier network. Therefore, a dedicated connection is often referred to as a leased line. A point-to-point dedicated link provides a single, pre-established WAN path from the customer premises, through a carrier network, to a remote network (refer to Figure [1]). A dedicated line is not actually a "line" at all. Dedicated lines are circuits provisioned through the carrier's switching equipment to form a fixed path across the carrier network. Leased lines are circuits that are reserved full-time by the carrier for the private use of the customer. The private nature of a dedicated line allows an organization to maximize its control over the WAN connection. Leased lines also offer high speeds of up to 45 Mbps. Leased lines are ideal for high-volume environments with steady-rate traffic patterns. However, because the line is not shared, they tend to be more costly. The line charges accrue whether or not traffic is being transmitted. Some services, such as T1, charge a fixed fee for local-loop access at both locations plus a distance-based fee for linking the two locations. If the organization's network must support a constant flow of mission-critical data, such as e-commerce or financial transactions, then a high-speed leased line might be suitable. Dedicated leased lines typically require synchronous serial connections. Each leased line connects to a synchronous serial port on the router via a channel service unit/data service unit (CSU/DSU) (refer to Figure [2]). Therefore, each connection requires a router port and a CSU/DSU, in addition to the actual circuit from the service provider. The cost of maintaining multiple leased lines can add up quickly. For this reason, most companies find a fully meshed WAN (i.e., every site maintains a connection to every other site) too costly to build using only dedicated lines.

1.1.3 Dedicated connections (cont’)

Figure 1 Dedicated Serial Connections

A CSU/DSU is classified as a data communications equipment (DCE) device. A DCE adapts the physical interface on a data terminal equipment (DTE) device to the signaling used by the carrier network. A router is an example of a DTE device. The CSU/DSU provides signal timing for communication and is used for interfacing with the digital transmission facility. Essentially, the CSU/DSU is used by a router to connect to a digital line in much the same way that a PC uses a modem to connect to an analog line. Typical connections on a dedicated network may operate at the following speeds:

• 56 kbps
• 64 kbps
• T1 (1.544 Mbps), US standard
• E1 (2.048 Mbps), European standard
• E3 (34.368 Mbps), European standard
• T3 (44.736 Mbps), US standard

Typically, a router's synchronous serial port connects to a DCE (e.g., a CSU/DSU) using one of the following standards:

• EIA/TIA-232 (RS-232)
• EIA/TIA-449
• V.35
• X.21
• EIA-530

When connecting a DTE (for example, a router) to an analog modem, EIA/TIA-232 compliant cabling and interfaces will typically be used. First released over 30 years ago as RS-232, the EIA/TIA-232 standard is very common. However, it provides relatively low transmission speeds (typically less than 64 kbps), and is not appropriate for high-capacity dedicated lines. Today many synchronous serial interfaces, such as T1, have the CSU/DSU integrated on the interface card. This eliminates the need for a separate CSU/DSU. When connecting a Cisco router to a T1/E1 or fractional T1/E1 via an external CSU/DSU, V.35 cabling and interfaces should be used, as they are capable of much higher throughput (over 2 Mbps).

1.1.4 Circuit-switched connections

Figure 1 Circuit Switched Connections

In a circuit-switched network, a dedicated physical circuit is temporarily established for each communication session. Switched circuits are established by an initial set-up signal. This call set-up process determines the caller's ID and the destination's ID, as well as the connection type. A teardown signal brings the circuit down when transmission is complete. Plain old telephone service (POTS) is the most common circuit-switched technology. With telephone service, the circuit doesn't exist until the call is placed. Once the temporary circuit is built, it is fully dedicated to the call. Although circuit switching is not as efficient as other WAN services, it is extremely common and relatively reliable. Circuit-switched connections provide mobile and home users with access to the central site or to an Internet Service Provider (ISP). Corporate networks typically use circuit-switched connections as backup links, or as primary links for branch offices that exchange low-volume or periodic traffic. In such cases, a router must route traffic over the switched circuit.


Anyone who pays a long-distance phone bill knows that circuit-switched connections can be costly if left continuously established. For this reason, routers connected to circuit-switched networks are configured to operate in a specialized way, called dial-on-demand routing (DDR). A router configured for DDR only places a call when it detects traffic defined by a network administrator as "interesting." Interesting traffic also resets the link's idle timer; traffic that is not interesting is carried while a call is already up but neither places a call nor keeps one up, which is why periodic traffic such as routing updates is normally excluded from the definition.

Typical circuit-switched connections include:

• Asynchronous dialup (POTS)
• ISDN Basic Rate Interface (BRI)
• ISDN Primary Rate Interface (PRI)
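The interesting-traffic rule that drives DDR, as an added example in Python (it is not Cisco IOS configuration and not part of the original text). The rule list, the 120-second idle timeout and the packet trace are constructed for illustration; the behaviour modelled is the one described above: only interesting traffic places a call or resets the idle timer, and anything else rides an existing call or is dropped.

```python
"""Dial-on-demand routing (DDR) call control as described in 1.1.4.

Added example; it is neither Cisco IOS code nor part of the original
text. It models the behaviour of a dialer interface: only traffic that
an interesting-traffic list permits brings the switched circuit up or
resets its idle timer. Other traffic is carried while a call is already
up but never places a call and never keeps one alive. This is why
routing-protocol and NTP chatter is normally denied in that list: if it
were interesting, the line would be dialed and held up around the clock
and the circuit-switched charges would never stop.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    t: float                    # seconds since the trace started
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None


# Interesting-traffic rules in access-list style: first match wins,
# implicit deny at the end. (action, protocol, destination port);
# None is a wildcard. Hypothetical list, not a specific IOS config.
INTERESTING = [
    ("deny", "udp", 520),       # RIP updates must not dial the line
    ("deny", "udp", 123),       # neither should NTP polls
    ("permit", None, None),     # any other IP traffic is interesting
]


def is_interesting(pkt: Packet, rules=INTERESTING) -> bool:
    for action, proto, dport in rules:
        if (proto is None or proto == pkt.proto) and (dport is None or dport == pkt.dport):
            return action == "permit"
    return False


@dataclass
class DialerInterface:
    rules: list = field(default_factory=lambda: INTERESTING)
    idle_timeout: float = 120.0     # seconds, like "dialer idle-timeout 120"
    up: bool = False
    last_interesting: float = 0.0
    calls_placed: int = 0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def offer(self, pkt: Packet) -> str:
        """Offer one packet to the interface; returns 'sent' or 'dropped'."""
        # The idle timer only counts time since the last *interesting* packet.
        if self.up and pkt.t - self.last_interesting >= self.idle_timeout:
            self.up = False
            self.events.append((pkt.t, "idle timeout, call cleared"))
        if is_interesting(pkt, self.rules):
            if not self.up:
                self.up = True
                self.calls_placed += 1
                self.events.append((pkt.t, "call placed by %s/%s" % (pkt.proto, pkt.dport)))
            self.last_interesting = pkt.t
            return "sent"
        # Uninteresting traffic rides an existing call but cannot create one
        return "sent" if self.up else "dropped"


def run(packets, rules=INTERESTING, idle_timeout=120.0):
    iface = DialerInterface(rules=rules, idle_timeout=idle_timeout)
    results = [(p.t, p.proto, p.dport, iface.offer(p)) for p in packets]
    return iface, results


# Constructed trace: a branch router with RIP running over the dialer.
SAMPLE = [
    Packet(0, "udp", 520),      # RIP update while the line is down
    Packet(5, "tcp", 80),       # user opens a web page at the central site
    Packet(35, "udp", 520),     # RIP update while the call is up
    Packet(200, "udp", 520),    # 195 s after the last interesting packet
    Packet(210, "tcp", 25),     # mail transfer
]

if __name__ == "__main__":
    for rules, label in ((INTERESTING, "RIP denied"), ([("permit", None, None)], "everything interesting")):
        iface, results = run(SAMPLE, rules)
        print(label, "-> calls placed:", iface.calls_placed)
        for ev in iface.events:
            print("  t=%4.0f  %s" % ev)
```

With RIP denied, the first call is placed by the user's web request and the RIP update at t=200 finds the line already cleared. With a permit-everything list the router dials at t=0 for a routing update nobody asked for, and a real RIP timer (an update every 30 seconds) would reset the idle timer indefinitely, so the call would never clear.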

1.1.5 Asynchronous dialup connections

Figure 1 Asynchronous Dialup Connections

Figure 2 Asynchronous Dialup Connection


Figure 3 Asynchronous Dialup Connection

Asynchronous serial connections offer inexpensive WAN service via the existing telephone network. In order for digital devices, such as computers and routers, to use analog telephone lines, modems are required at each end of the connection (refer to Figure [1]). Modems convert digital data signals to analog signals that can be transported over the telephone company's local loops asynchronously. While this is convenient, modems have one overwhelming drawback: they do not provide high throughput. Today's modems provide transmission speeds of only 56 kbps or less. Because modems can be used with virtually any phone line, mobile and home users often rely on asynchronous serial connections to connect to a corporate network or ISP. An end user can easily initiate and tear down a call using software that controls the modem. Routers can also use asynchronous serial connections to route traffic using DDR. Because modems do not support high transmission speeds, asynchronous serial connections are typically used as backup links (refer to Figure [2]) or for load sharing (refer to Figure [3]). Some routers are designed with dozens of asynchronous lines to support a large number of dial-in users. Routers that act as concentration points for dial-in and dial-out calls are called access servers. Throughout this course, the term "access server" will be used to refer to a router with at least one asynchronous interface. To place or receive an asynchronous serial call, a router must have at least one asynchronous serial interface, such as the AUX (auxiliary) port, which connects to a modem (typically external).


1.1.6 ISDN connections

Figure 1 Circuit-Switched ISDN Connections

Integrated Services Digital Network (ISDN) connections are typically synchronous dial-up connections. Like asynchronous dial-up connections, ISDN provides WAN access when needed, rather than providing a permanent link. ISDN offers more bandwidth than asynchronous dial-up connections, and is designed to carry data, voice, and other traffic across a digital telephone network. ISDN is commonly used with DDR to provide remote access for small office/home office (SOHO) applications, backup links, and load sharing. ISDN offers two levels of service, BRI and PRI (illustrated in the figure). With BRI, there are two 64 kbps channels, called B channels, designed to carry data. A third channel, the 16 kbps D channel, is used to send call set-up and teardown signals. When both B channels are used together to send data, ISDN BRI yields 128 kbps (more than twice the top speed of POTS). With PRI, there are 23 B channels on the T1 used in North America and Japan, and 30 B channels on the E1 used in Europe and other parts of the world. PRI employs a single 64 kbps D channel as well. ISDN BRI requires straight-through cables with RJ-45 connections. ISDN PRI requires crossover cables with RJ-48 connections for T1 and DB-15 connections for E1.


1.1.7 Packet-switched networks

Figure 1 Packet-Switched Connections

Figure 2 Virtual Circuits

Unlike leased lines and circuit-switched connections, packet switching does not rely on a dedicated, point-to-point connection through the carrier network. Instead, data packets are routed across the carrier network based on addressing contained in the packet or frame header. This means that packet-switched WAN facilities can be shared with other customers, which allows service providers to support multiple customers over the same physical lines and switches. Typically, customers connect to the packet-switched network via a leased line, such as a T1 or fractional T1. In a packet-switched network, the provider configures its switching equipment to create virtual circuits (VCs) that supply end-to-end connectivity (refer to Figure [1]). Frame Relay is the most common packet-switched WAN service in the United States, although the older X.25 remains a prominent packet-switching technology worldwide. Packet-switched networks offer an administrator less control than a point-to-point connection. However, the cost of a packet-switched VC is generally less than that of a leased line because the WAN facilities are shared. VCs can be permanent (PVCs), or they can be built on demand (SVCs).


A Frame Relay VC offers speeds of up to T3, making this packet-switched technology a high-speed, cost-effective alternative to leased lines. In addition, a single synchronous serial connection can support several logical VCs in a point-to-multipoint configuration (refer to Figure [2]). This process of combining multiple data conversations onto a single physical line is called multiplexing. Multiplexing in a packet-switched network is made possible because a DTE (usually a router) encapsulates the packet with addressing information. The provider's switches use the addressing to determine how and where to deliver a specific packet. In the case of Frame Relay, these addresses are data-link connection identifiers (DLCIs). The ability to multiplex means that a single router port and CSU/DSU can support dozens of VCs, each leading to a different site. Therefore, packet switching makes a full- or partial-mesh topology relatively affordable. Frame Relay is a popular WAN service for providing high-speed WAN connections to branch offices and other remote sites. However, Frame Relay does not offer the degree of reliability, flexibility, and security afforded by dedicated lines; the carrier's switches carry other customers' traffic alongside yours, so the separation between VCs rests on the provider's configuration rather than on a physically private circuit. Despite Frame Relay's lower cost and multipoint capability, dedicated lines are the preferred WAN service for mission-critical traffic and continuous, high-volume exchanges.

1.1.8 WAN encapsulation protocols

Figure 1 Typical WAN Protocols

Routers encapsulate packets with a Layer 2 frame before sending them across a WAN link. Although there are several common WAN encapsulations, most have similar anatomies. This is because the most common WAN encapsulations are derived from High-Level Data Link Control (HDLC) and its forerunner, Synchronous Data Link Control (SDLC). Despite their similar structures, each data link protocol specifies its own type of frame, which is incompatible with the other types. The figure shows which common data link protocols are used with each of the three WAN connection types. By default, serial interfaces on a Cisco router are set to encapsulate packets using HDLC. The interface must be manually configured for any other type of encapsulation. Both ends of a link must use the same encapsulation; a mismatch leaves the line protocol down even when the physical circuit is up. The choice of encapsulation protocol depends on the WAN technology and the communicating equipment that is being used. Common WAN protocols include the following:

• PPP - Point-to-Point Protocol (PPP) is a standards-based protocol for router-to-router and host-to-network connections over synchronous and asynchronous circuits. Unlike HDLC, PPP can also authenticate the peer (PAP or CHAP) before passing traffic.
• Serial Line Internet Protocol (SLIP) - SLIP is the forerunner to PPP, and is used for point-to-point serial connections using TCP/IP.
• High-Level Data Link Control (HDLC) - HDLC is an ISO standard, but vendor implementations are not interoperable (Cisco's adds a proprietary protocol-type field to the frame), so Cisco HDLC is typically used only when connecting two Cisco devices. When connecting routers from different vendors, PPP (which is standards-based) is used instead.
• X.25/LAPB - X.25 is an ITU-T standard that defines the way connections between DTE and DCE devices are maintained for remote terminal access and computer communications in public data networks. X.25 provides extensive error-detection and windowing features because it was designed to operate over error-prone analog copper circuits.
• Frame Relay - Frame Relay is a high-performance, packet-switched WAN protocol that can be used over a variety of network interfaces. Frame Relay is streamlined to operate over highly reliable digital transmission facilities.
• Asynchronous Transfer Mode (ATM) - ATM is an international standard for cell relay, in which multiple service types (e.g., voice, video, or data) are conveyed in fixed-length 53-byte cells. ATM is designed to take advantage of high-speed transmission media such as Synchronous Optical Network (SONET).

PPP, X.25, and Frame Relay encapsulations are discussed at length in later chapters.
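The common HDLC-derived frame anatomy described in 1.1.8, as an added example using PPP in HDLC-like framing per RFC 1662 (this is not code from the original text or from any vendor's implementation). The payload bytes are constructed; the flag, escape, address and control values, the byte-stuffing rule and the FCS-16 polynomial are the ones RFC 1662 specifies.

```python
"""HDLC-derived frame anatomy from 1.1.8, shown with PPP in HDLC-like
framing (RFC 1662). Added example; it is not code from the original
text or from any vendor's implementation.

Every HDLC descendant wraps a packet the same way: a flag (0x7E), an
address byte, a control byte, a protocol or type field, the payload and
a 16-bit frame check sequence (FCS). On asynchronous links the flag,
the escape byte and (with the default async-control-character map) the
control characters 0x00-0x1F inside the frame are escaped, so a receiver
can never mistake payload for a flag. The FCS catches line errors; it is
a CRC, not a MAC, so it detects noise but offers no protection against a
deliberate modification that recomputes it.
"""
FLAG, ESC = 0x7E, 0x7D
GOOD_FCS = 0xF0B8           # fcs16() over body + FCS of any intact frame


def fcs16(data, fcs=0xFFFF):
    """PPP FCS-16 (RFC 1662, appendix C), computed bit by bit."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol, payload):
    """Address 0xFF, control 0x03 (UI), 16-bit protocol, payload, FCS."""
    body = bytes([0xFF, 0x03, protocol >> 8, protocol & 0xFF]) + bytes(payload)
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])       # FCS goes low byte first
    wire = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC) or b < 0x20:
            wire += bytes([ESC, b ^ 0x20])      # byte stuffing
        else:
            wire.append(b)
    wire.append(FLAG)
    return bytes(wire)


def parse_frame(wire):
    """Unstuff and verify; return (protocol, payload) or raise ValueError."""
    if len(wire) < 2 or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("missing flag")
    body = bytearray()
    octets = iter(wire[1:-1])
    for b in octets:
        if b == FLAG:
            raise ValueError("flag inside frame")
        if b == ESC:
            try:
                b = next(octets) ^ 0x20
            except StopIteration:
                raise ValueError("escape at end of frame") from None
        body.append(b)
    if len(body) < 6:
        raise ValueError("frame too short")
    if fcs16(body) != GOOD_FCS:
        raise ValueError("bad FCS")
    if body[0] != 0xFF or body[1] != 0x03:
        raise ValueError("unexpected address/control")
    protocol = (body[2] << 8) | body[3]
    return protocol, bytes(body[4:-2])


def demo():
    """Round-trip a payload that contains the flag and escape values,
    then flip one bit on the wire and show that the FCS rejects it."""
    payload = bytes([0x45, 0x00, 0x7E, 0x7D, 0x01])   # constructed, not a real packet
    wire = build_frame(0x0021, payload)               # 0x0021 = IP in PPP
    decoded = parse_frame(wire)
    damaged = bytearray(wire)
    damaged[7] ^= 0x01                                # first payload byte: 0x45 -> 0x44
    try:
        parse_frame(bytes(damaged))
        error = None
    except ValueError as exc:
        error = str(exc)
    return wire, decoded, error


if __name__ == "__main__":
    wire, decoded, error = demo()
    print("wire   :", wire.hex())
    print("decoded:", hex(decoded[0]), decoded[1].hex())
    print("after bit flip:", error)
```

A real async receiver also honours the control-character map that LCP negotiates, and synchronous links use bit stuffing instead of the escape byte, but the frame outline is the same. Cisco HDLC keeps that outline with address 0x0F, control 0x00 and its own two-byte type field, which is exactly why a Cisco HDLC frame is not understood by another vendor's HDLC and PPP is used between vendors.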


1.2 Selecting Appropriate WAN Technologies

1.2.1 Choosing a WAN connection

Figure 1 WAN Connections Summary

Figure 2 WAN Connection Speed Comparison


Figure 3 Cost Comparison of WAN Connections

Each WAN connection type has advantages and disadvantages. For example, a dialup asynchronous connection offers only limited bandwidth, but a user can call into the office from anywhere over the existing telephone network. In this case, throughput is sacrificed for convenience. This section examines the factors that should be considered when selecting a WAN service. Figure [1] compares applications for the various types of WAN connections, and Figure [2] compares their potential bandwidth. While every home user would like a T1 line run to their house, and every administrator would like to run an OC-12 to all remote offices, the cost of deploying such services so liberally would be prohibitive. A networking professional must carefully gauge which connections require high-cost, high-throughput links, and then spend accordingly. It is important to note that WAN usage costs are typically 80 percent of a company's entire Information Services budget (see Figure [3]). When possible, "shop around" for WAN services. If more than one provider offers service, it may be possible to purchase services at competitive prices. There are other important factors to consider when choosing a WAN service, including ease of management, quality of service (QoS), and reliability. Leased lines are easier to manage and configure than packet-switched connections. In terms of QoS, some applications, such as Voice over IP (VoIP), require guaranteed bandwidth, minimal delay, and high reliability, which can make anything short of a leased line problematic.


1.2.2 Identifying site requirements and solutions

Figure 1 Company Sites

When selecting WAN services, a networking professional must evaluate the needs of each site within a company. Individual worksites within a company can be broadly categorized as one of the following: a central site, a branch office, or a telecommuter site. The term "telecommuter site" applies to both mobile users and small office/home office (SOHO) locations. These categorizations are applied to the WAN depicted in the figure.


1.2.3 Central-site considerations

Figure 1 Central-Site Considerations

Figure 2 Cisco 3660 Modular Router


The central site is the focal point of a company's network (refer to Figure [1]). Typically, all remote sites and users must connect to the central site to access information, either intermittently or continuously. Because many users access this site in a variety of ways, a central site's routers should have a modular design so that interface modules can be added (or swapped out) as needed. The chassis of a modular router allows installation of the interfaces needed to support virtually any media type. Figure [2] illustrates the slots on a modular router, the Cisco 3660. According to the example network as shown in Figure [1], the central site's router must accommodate circuit-switched connections (e.g., ISDN/analog), packet-switched connections (e.g., Frame Relay), and could feasibly have a dedicated line to the ISP.

1.2.4 Branch-office considerations

Figure 1 Branch Office Considerations

A branch office, commonly referred to as a remote site, typically maintains at least one WAN connection to the central site, and may have several links to other remote sites. Generally, branch-office networks support fewer users than the central site, and therefore require less bandwidth. Because remote-site traffic can be sporadic, or bursty, careful determination should be made whether it is more cost-effective to offer a permanent or dialup solution. The network depicted in the figure employs both: a Frame Relay connection as a primary link, and an ISDN connection as a backup. Telecommuters may also require access to the branch office through various connection types. Therefore, the branch office routers should have the capability to support a variety of WAN connections. Typical WAN solutions for connecting the branch office to the central site include:

• Leased lines
• Frame Relay
• X.25
• ISDN
• DSL (digital subscriber line) - This technology enables delivery of high-speed data, voice, and multimedia over conventional telephone wires. In order for a remote site to connect to the corporate network without traversing the public Internet, DSL typically requires ATM at the central site.
• Wireless
• VPN (virtual private network) - This technology typically requires that both sites are already connected to the public Internet. Because the traffic crosses the Internet, the VPN's own encryption and peer authentication, not the carrier, provide the privacy of the connection.

1.2.5 Telecommuter-site considerations

Figure 1 Telecommuter-Site Considerations

Over the past decade, the improvement of WAN technologies, notably DSL and cable modems, has allowed many employees to do their jobs remotely. As a result, the number of telecommuters and small offices has increased. As with the central-site and branch-office solutions, the telecommuter site's WAN solution must be evaluated by weighing cost and bandwidth requirements. An asynchronous dialup solution using the existing telephone network and an analog modem is often the solution for telecommuters because it is easy to set up and the telephone facilities are already installed. But if usage and bandwidth requirements increase, other remote-access technologies should be considered. Since mobile users must connect from many different locations, an asynchronous dialup connection may be the only remote access solution that is consistently available. Employees on the road can use their PCs with modems and the existing telephone network to connect to the company. Typical WAN connections employed at telecommuter sites include:

• Asynchronous dialup
• ISDN BRI
• Cable modems
• DSL
• Wireless and satellite
• VPN


1.3 Selecting Cisco Remote Access Solutions

1.3.1 Routers

Figure 1 Cisco Remote-Access Solutions


Figure 2 Remote-Access Options for Each Series of Router

Cisco offers access servers, routers, and other equipment that allow connection to various WAN services. Figure [1] highlights some of the products that are suited for the various company sites. Figure [2] lists the key features and WAN options for each series of routers.

Web Links: Latest product information may be located at http://www.cisco.com


1.3.2 Determining the appropriate interfaces - fixed interfaces

Figure 1 Determining the Appropriate Interfaces – Fixed Interfaces

The router selected for the WAN connection must offer the interfaces that will support the WAN service, such as the following:

• Asynchronous serial - supports asynchronous dialup connections using a modem.
• Synchronous serial - supports leased lines, Frame Relay, and X.25.
• High-speed serial interface (HSSI) - supports high-speed serial lines, such as T3.
• BRI - supports ISDN BRI connections.
• T1 or E1 - supports connections such as leased lines, dialup, ISDN PRI, and Frame Relay.
• DSL - supports Asymmetric Digital Subscriber Line (ADSL), Symmetric DSL (SDSL), or ISDN DSL (IDSL) connections.
• ATM - supports ATM connections.

Some routers, such as the 2501, offer fixed interface configurations. A fixed configuration is one that cannot be changed or upgraded. The advantage of a fixed interface configuration is that WAN or LAN interface modules do not have to be purchased. The number and type of interfaces are predetermined for a specific model of router. A fixed-configuration router may be appropriate for a small remote office or telecommuter. In such cases, the flexibility afforded by a modular design may not be worth the additional expense and complexity. Instead, a fixed-configuration router may offer the most affordable, and simplest, WAN solution for the small office.


1.3.3 Determining the appropriate interfaces - modular interfaces

Figure 1 Determining the Appropriate Interfaces – Modular Interfaces

Figure 2 Cisco 3660 Modular Router

Unlike a fixed-configuration router, a modular router allows adding, removing, and swapping out interfaces to meet the needs of a growing network. Modular routers and access servers are usually built with one or more slots that allow customization of the interface configuration.


With a modular router, some or all of the interfaces on the router may be chosen by installing various feature cards, network modules, or WAN interfaces. Although modular routers require the purchase of each interface card separately, they are more scalable than their fixed-configuration counterparts. For that reason, modular routers are typically installed at large remote sites, and should always be used at the central site. In the long run, it's cheaper to add new interface modules rather than to replace an entire router.


1.4 Assembling and Cabling WAN Components

1.4.1 Network Overview

Figure 1 An Example of WAN Topology

The figure presents three routers in a company's network: one at the central site, one at the branch office, and one at a telecommuter site. Each of these sites has different requirements in terms of bandwidth and availability. For example, the central site requires a permanent high-speed connection to the Internet, while the telecommuter site merely requires a switched connection for intermittent, low-speed access to the rest of the network. The following sections examine the specific requirements of each of the three sites in this example, and suggest solutions appropriate to each.


1.4.2 Central site router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 3600 Series Router


Figure 3 Cisco AS 5300 Series Router

Figure 4 Cisco 7200 Series Router

In the example network (refer to Figure [1]), the central-site router must have the following interfaces:

• ISDN PRI interface
• Asynchronous serial interface and modem for asynchronous calls
• Serial interface for Frame Relay connections
• Serial interface for the leased line to the ISP
• Ethernet interface to access resources on the central-site LAN

To meet the requirements of a central site, a modular router should be selected that will allow for growth. Depending on the amount of growth expected and the number of connections to be supported, a modular router from one of the following series could be used:

• Cisco 3600 series - The Cisco 3600 series modular routers (refer to Figure [2]) can provide dial access, routing, LAN-to-LAN services, and multiservice integration of voice, video, and data in the same device. The 3600 series replaces the legacy 4000 series routers. Like the newer 3600 series, Cisco 4000 series routers are modular and can support many variations of protocols, line speeds, and transmission media.
• Cisco AS5x00 series - The Cisco AS5x00 series access servers (refer to Figure [3]) combine the functions of an access server, a router, and analog and digital modems in one chassis. They provide a high level of scalability and multiprotocol capabilities for both ISPs and enterprises.
• Cisco 7200 series - The Cisco 7200 series routers (refer to Figure [4]) allow for maximum scalability and flexibility by combining high-performance hardware and software with a modular design. The 7200 series supports any combination of Ethernet, Fast Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), ATM, serial, ISDN, and HSSI interfaces.


1.4.3 Central site router equipment (cont.)

Figure 1 An Example of WAN Topology

Figure 2 Cisco 3600 Series Router

For the central site (refer to Figure [1]), the 3600 series router makes the most sense. For now, the central site only needs to support five interfaces. The 3600 series will provide the necessary scalability and support for Frame Relay, ISDN, and asynchronous dialup through specialized interface modules.


The AS5x00 series offers a high-density dialup solution. But since the central site does not require a large number of dialup interfaces, an AS5x00 solution would be overkill and not cost-effective. Likewise, a 7200 series router would probably offer more expandability and horsepower than necessary for so few connections. The large chassis of this series would provide more scalability than a 3600 series router, but unless the company is planning on significant short-term growth, the 7200 may prove too costly a solution. Of the three product series, the Cisco 3600 series offers the right combination of scalability and affordability. With over 70 modular interface options, the 3600 series is often called the "Swiss Army knife" of routers because of its versatility. The 3600 series (refer to Figure [2]) includes the following models:

• The 3660 has six network module slots
• The 3640 has four network module slots
• The 3620 has two network module slots

An ideal solution for this example would be the 3640 router. The 3620 may not provide enough interfaces as the network grows, and, although the 3660 would provide maximum scalability, it will cost more. To serve the example network, the 3640 can be equipped with the following interface cards:

• 1-Ethernet 2-WAN card slot network module - supports a single Ethernet connection, as well as two WAN connections.
• 1-port CT1/PRI-CSU network module - provides the PRI interface.
• Digital modem network module - internal modems used in conjunction with the PRI for dial-in connections. One digital modem network module can support up to 30 Modem ISDN Channel Aggregation (MICA) modems.
• Optionally, a 4-port serial WAN network module, which could be used for Frame Relay and, if needed, to connect to an external modem. However, budgetary constraints may dictate that the fourth slot remain open for future expansion.


1.4.4 Branch office router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 1600 Series Router


Figure 3 Cisco 1700 Series Router

Figure 4 Cisco 2500 Series Router


Figure 5 Cisco 2600 Series Router

In contrast to the central-site solution, the branch-office router needs only one primary WAN connection and a second WAN interface for dial backup (refer to Figure [1]). The branch router must have the following interfaces:

• Serial interface for Frame Relay connections
• BRI interface for ISDN BRI

To meet the requirements of a branch office, either a modular router or a fixed-configuration router could be selected. Unless the remote office will act as a WAN hub for smaller offices (in which case a 3600 series router may be needed), an access router from one of the following series may fit:

• Cisco 1600 Series [2] - The Cisco 1600 series routers are designed to connect small offices with Ethernet LANs to the public Internet, and to a company's internal intranet or corporate LAN, through several WAN connections such as ISDN, asynchronous serial, and synchronous serial. The Cisco 1601 R through 1604 R models have an Ethernet port, a built-in WAN port, and a slot for an optional second WAN port. The 1605 R router has two Ethernet ports and one WAN slot.
• Cisco 1700 Series [3] - The Cisco 1700 router is a small, modular desktop router that links small- to medium-size remote Ethernet and Fast Ethernet LANs over one to four WAN connections to regional and central offices.
• Cisco 2500 Series [4] - The Cisco 2500 series routers provide a variety of models that are designed for branch-office and remote-site environments. These routers are typically fixed-configuration, with at least two of the following interfaces: Ethernet, Token Ring, synchronous serial, and ISDN BRI.
• Cisco 2600 Series [5] - The Cisco 2600 series of modular routers features single or dual fixed LAN interfaces, a network module slot, two Cisco WAN interface card (WIC) slots, and a new Advanced Integration Module (AIM) slot. LAN support includes 10/100 Mbps autosensing Ethernet and Token Ring. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. The AIM slot supports integration of advanced services such as hardware-assisted data compression and data encryption, optimizing the 2600 series for VPNs. The Cisco 2600 series shares modular interfaces with the Cisco 1600, 1700, and 3600 series.

A 1600 series router with the appropriate WAN interface card may meet the immediate WAN requirements of the branch office shown in Figure [1]. However, a more flexible solution, such as a 1700 series or 2600 series router, may be needed if the company plans to implement Voice over IP (VoIP) or to allow telecommuters to dial in to the branch office. Also, the 1600 series routers do not come with a Fast Ethernet interface, while the 1700 and 2600 series routers do. If the company has no immediate plans to offer expanded service, and a Fast Ethernet connection is not necessary, a 1600 series router is the most cost-effective solution. The 1600 series includes the following:

• the 1601 (one Ethernet, one serial, one WAN interface card (WIC) slot)
• the 1602 (one Ethernet, one serial with integrated 56-kbps DSU/CSU, one WIC slot)
• the 1603 (one Ethernet, one ISDN BRI (S/T interface), one WIC slot)
• the 1604 (one Ethernet, one ISDN BRI with integrated NT1 (U interface), one S-bus port for ISDN phones, one WIC slot)
• the 1605 (two Ethernet ports, one WIC slot)

In this case, the 1603 or 1604 routers would meet the branch site's ISDN BRI requirement, and have a WAN slot for a serial interface that can be used for Frame Relay.


1.4.5 Telecommuter-site router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 770 Series Router


Figure 3 Cisco 800 Series Router

Figure 4 Cisco 1000 Series Router

According to Figure [1], the telecommuter site should have an ISDN BRI connection to the branch or central sites. The mobile user requires an asynchronous dialup connection to the central site. Therefore, the telecommuter WAN solutions must include the following interfaces:

• PC and modem for asynchronous dialup calls
• BRI interface for ISDN BRI
• Ethernet LAN interface

When selecting routers for a telecommuter site, cost is typically the primary concern, especially since only minimal flexibility and scalability are required. In most cases, a telecommuter-site solution would come from one of the following router families:

• Cisco 700 Series (760 or 770) [2] - The Cisco 700M family products are low-cost, easy-to-manage multiprotocol ISDN access routers. These devices provide small professional offices, home offices, and telecommuters with high-speed remote access to enterprise networks and the Internet. However, the 700 series does not run the Cisco IOS.
• Cisco 800 Series [3] - The Cisco 800 series router is the entry-level platform that, unlike the 700 series, runs Cisco IOS software. The fixed-configuration 800 series is designed to connect a small Ethernet LAN to a corporate network or ISP. Various models include support for DSL, ISDN, and serial connections.
• Cisco 1000 Series [4] - The Cisco 1000 series routers are easy-to-install, inexpensive, multiprotocol access products designed for small offices. This IOS-based series currently includes three models: the 1003 (1 Ethernet port, 1 ISDN BRI S/T interface), the 1004 (1 Ethernet port, 1 ISDN BRI U interface), and the 1005 (1 Ethernet port, 1 serial port).

Models from each of these router families can provide the ISDN connection required by the telecommuter site (refer to Figure [1]). (The dialup requirement for the mobile user can be met by connecting a modem to the Windows PC.) The Cisco 800 series might make the best choice for this telecommuter site, because it is the most affordable series that supports ISDN and runs the feature-rich Cisco IOS.


1.5 Case Study

1.5.1 International Travel Agency (ITA)

Figure 1 International Travel Agency, Inc.

Figure 2 ITA: Company Structure and Locations


Figure 3 ITA: Company Topology (diagram: sites San Jose1, San Jose2, London, Singapore, and Capetown, plus a Sales Engineer; WAN clouds POTS 192.168.8.0/24, ISDN 192.168.16.0/24, and Frame Relay 192.168.192.0/24; LAN segments 192.168.0.0/24, 192.168.1.0/24, 192.168.200.0/24, 192.168.216.0/24, and 192.168.232.0/24)

The labs in this course reference the fictitious International Travel Agency (ITA) (refer to Figure [1]), which maintains a global data network (refer to Figures [2] and [3]). The ITA business scenario provides a tangible, real-world application for each of the concepts introduced in the labs.


1.6 Introductory Lab Exercises

1.6.1 Getting started and building Start.TXT

Lab Activity: This lab introduces the CCNP lab equipment and some IOS features that might be new. This introductory activity also describes how to use a simple text editor to create all (or part) of a router configuration file. After creating a text configuration file, apply that configuration to a router quickly and easily by using the techniques described in this lab.

1.6.2 Capturing HyperTerminal and Telnet sessions

Lab Activity: This activity describes how to capture HyperTerminal and Telnet sessions.


1.6.3 Access control list basics and extended ping

Figure 1 Access Control List Basics and Extended Ping

Lab Activity: This lab activity reviews the basics of standard and extended access lists, which are used extensively in the CCNP curriculum.


Summary

This chapter explored WAN connections and how to determine the requirements of a central site, a branch office, and a telecommuter site. It also covered the Cisco products that suit the specific needs of each site, how to use Cisco tools to select the proper equipment, and the identification and connection of the necessary components for central-site, branch-office, and small-office WAN solutions.


Section 2

Scaling IP Addresses with NAT

Table of Contents

SCALING IP ADDRESSES WITH NAT, p. 1
OVERVIEW, p. 3
OBJECTIVES, p. 4
2.1 NAT Overview, p. 5
2.1.1 NAT terminology, p. 5
2.1.2 Private addressing, p. 7
2.1.3 NAT terminology, p. 8
2.1.4 NAT functions, p. 9
2.2 Configuring NAT, p. 11
2.2.1 Dynamic NAT, p. 11
2.2.2 Configuring dynamic NAT, p. 12
2.2.3 Dynamic NAT configuration example, p. 13
2.2.4 Static NAT, p. 15
2.2.5 Configuring static NAT, p. 16
2.2.6 NAT overload, p. 17
2.2.7 Configuring NAT overload, p. 18
2.2.8 TCP load distribution, p. 20
2.2.9 Configuring TCP load distribution, p. 21
2.2.10 TCP load distribution configuration example, p. 22
2.2.11 Overlapping networks, p. 23
2.3 Verifying NAT Configuration, p. 27
2.3.1 Verifying NAT translations, p. 27
2.3.2 Troubleshooting NAT translations, p. 28
2.3.3 Clearing NAT translations, p. 29
2.4 NAT Considerations, p. 30
2.4.1 NAT advantages, p. 30
2.4.2 NAT disadvantages, p. 31
2.4.3 Traffic types supported by Cisco, p. 31
2.5 NAT Configuration Lab Exercises, p. 33
2.5.1 Configuring static NAT, p. 33
2.5.2 Configuring dynamic NAT, p. 34
2.5.3 Configuring NAT overload, p. 35
2.5.4 Configuring TCP load distribution, p. 36
SUMMARY, p. 37


Overview

Figure 1 NAT

There is a limited supply of Internet Protocol (IP) version 4 addresses. In the early 1990s, many experts believed that the supply of IP addresses would run out (if the Internet did not collapse under the weight of too many IP networks first). Today, IPv4 no longer faces imminent address depletion, thanks to new technologies and enhancements. One of the technologies that has helped IPv4 stave off address depletion is Network Address Translation (NAT). NAT, as defined in RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow privately addressed hosts to access the Internet. NAT is particularly effective when connecting a small office or home office (SOHO) to the corporate network. By using NAT, a company does not have to allocate a "real" IP address for each of its remote users. This chapter provides an overview of NAT and describes how to configure NAT functions, including static NAT, dynamic NAT, NAT overload, and TCP load distribution. Finally, it discusses the drawbacks of NAT and how its operation can be monitored using the Cisco IOS [1].


Objectives

After completing this chapter, the student will be able to perform tasks relating to:

2.1 NAT Overview
2.2 Configuring NAT
2.3 Verifying NAT Configuration
2.4 NAT Considerations
2.5 NAT Configuration Lab Exercises


2.1 NAT Overview

2.1.1 NAT terminology

Figure 1 A Simple NAT Topology

Figure 2 A Simple NAT Topology


Figure 3 A Simple NAT Topology

Figure 4 A Simple NAT topology

Strictly speaking, NAT is the process of altering the IP header of a packet so that the destination address, the source address, or both are replaced by different addresses. This swapping is performed by a device running specialized NAT software or hardware. Such a NAT-enabled device is often called a NAT box, because it can be a Cisco router, a UNIX system, a Windows XP server, or one of several other kinds of systems. A NAT-enabled device typically operates at the border of a stub domain, a network that has a single connection to the outside world. Figure [1] presents a simple example of a stub domain. When a host inside the stub domain, such as 10.1.1.6, wants to transmit to a host on the outside, it forwards the packet to its default gateway; in this case, the host's default gateway is also the NAT box. The NAT process running on the router looks inside the IP header and, if appropriate, replaces the local IP address with a globally unique IP address. Figure [2] illustrates this address translation. RTA, the NAT router, determines that the source IP address of the packet (10.1.1.6) should be swapped. In this case, RTA replaces the private address with a global (real) address, 171.70.2.1. RTA also keeps a record of this translation in a NAT translation table. When an outside host sends a response (refer to Figure [3]), the NAT router receives it, checks its current table of network address translations, and replaces the destination address with the original inside source address (refer to Figure [4]). NAT translations can occur dynamically or statically, and can be used for a variety of purposes, as described in the following sections.

2.1.2 Private addressing

Figure 1 Private IP Addresses

RFC 1918 sets aside three blocks of IP addresses--a Class A, a Class B, and a Class C range--for private, internal use (see the figure). These three ranges provide more than 17 million private addresses. Public addresses must be registered by a company or leased from a provider. On the other hand, private IP addresses are set aside to be used by anyone. That means two networks, or two million networks, can each use the same private address. The restriction is that private addresses cannot be used on the public Internet. A private address cannot be used on the Internet because ISPs typically configure their routers to prevent privately-addressed customer traffic from being forwarded. NAT provides tremendous benefits to individual companies and the Internet as well. Before NAT, a host with a private address could not access the Internet. With NAT, individual companies can address some or all of their hosts with private addresses and then use NAT to access the public Internet. At the same time, these hosts connect to the Internet without necessarily depleting its address space.


2.1.3 NAT terminology

Figure 1 The Cisco Implementation of NAT Uses the Following Terms Related to NAT

Figure 2 NAT Overview and Terminology

When configuring NAT using the Cisco IOS, it is critical to understand the NAT terminology shown in Figure [1], in particular the following terms:

• Inside addresses - The set of networks that are subject to translation. Inside addresses are typically RFC 1918 addresses, but they can be any valid IP addresses.
• Outside addresses - All other addresses. Usually these are valid addresses located on the Internet.

Inside addresses are associated with hosts inside the NAT boundary regardless of whether they are private (RFC 1918) or public addresses. Inside addresses are part of the organization's own network. Outside addresses are typically all Internet addresses; however, in some cases outside addresses can belong to hosts on the organization's network that lie beyond the NAT boundary. There are two kinds of inside addresses and two kinds of outside addresses:

• Inside local address - The configured IP address assigned to a host on the inside network. The address may be globally unique, allocated from the private address space defined in RFC 1918, or officially allocated to another organization (refer to Figure [2]).
• Inside global address - The IP address of an inside host as it appears to the outside network; that is, the translated address. These addresses are typically allocated from a globally unique address space, usually provided by the ISP if the enterprise is connected to the Internet.
• Outside local address - The IP address of an outside host as it appears to the inside network. These addresses can be allocated from the RFC 1918 space if desired.
• Outside global address - The configured IP address assigned to a host in the outside network.

2.1.4 NAT functions

Figure 1 NAT Functions

NAT can be used to perform several functions. This chapter describes in detail the operation of the following NAT functions:

• Translating inside local addresses - This function establishes a mapping between inside local and inside global addresses.
• Overloading inside global addresses - Addresses in the inside global pool can be conserved by allowing the source ports of TCP connections or UDP conversations to be translated as well. When different inside local addresses map to the same inside global address, the TCP or UDP port numbers assigned to each inside host are used to distinguish between them.
• TCP load distribution - A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping scheme is established, destination addresses that match an access list are replaced with an address from a pool. Allocation is done on a round-robin basis, and only when a new TCP connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect).
• Handling overlapping networks - NAT can be used to resolve addressing issues that arise when inside addresses overlap with addresses in the outside network. This can occur when two companies merge and both have duplicate addresses in their networks. It can also occur when switching ISPs, if the previously assigned address range has been reassigned to another client.


2.2 Configuring NAT

2.2.1 Dynamic NAT

Figure 1 Dynamic NAT

With dynamic NAT, translations do not exist in the NAT translation table until the router receives traffic that requires translation (such traffic is defined by an administrator). Dynamic translations are temporary and will eventually time out. For example, host 10.4.1.1 transmits a packet to an Internet host, as shown in the figure. Since a private address cannot be routed on the Internet, this host uses the services of a router configured for NAT. The NAT router alters the IP packet by removing the original source address, 10.4.1.1, and replacing it with a globally unique address from a pool defined by an administrator. As shown in the figure, the inside host is dynamically assigned 2.2.2.2 from the address pool. The NAT router keeps a record of this address translation in its NAT table. When an Internet host's reply packet is sent to 2.2.2.2, it arrives at the NAT router, which checks its NAT table for the mapping to the inside local address. The NAT router then replaces the destination address with the original local address, 10.4.1.1. The translation mapping is not permanent; it will age out after a configurable period of time.


2.2.2 Configuring dynamic NAT

Figure 1 Configuring Dynamic NAT

When configuring dynamic NAT, a pool of global addresses is typically created to be allocated as needed. Use the ip nat pool command (see the figure) to configure the address pool:

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

When using the ip nat pool command, the user has the option of specifying the subnet mask or the prefix length. The netmask keyword takes a dotted-decimal argument, such as 255.255.255.0; the same 24-bit mask can also be specified with the prefix-length keyword (prefix-length 24). Packets that should be translated must be identified by matching a range of source addresses. Use the access-list global configuration command to create an access list that matches the addresses the router should translate:

Router(config)#access-list access-list-number permit source [source-wildcard]

To establish a dynamic translation based on source address, use the ip nat inside source list command, which must reference the access list number and the pool name:

Router(config)#ip nat inside source list access-list-number pool name

Finally, at least one interface must be configured on the router as the inside interface, using the following interface configuration command:

Router(config-if)#ip nat inside

The router will only create dynamic entries in the translation table for packets arriving on interfaces configured with the ip nat inside command. Use the ip nat outside command to mark an interface as an outside interface:

Router(config-if)#ip nat outside


2.2.3 Dynamic NAT configuration example

Figure 1 Dynamic NAT Configuration Example

Figure 2 Using the show ip nat translations Command

To configure RTA for dynamic NAT (see Figure [1]), follow these steps. First, define the NAT pool:

RTA(config)#ip nat pool mynatpool 171.70.2.1 171.70.2.254 netmask 255.255.255.0

This command creates a pool of global addresses called mynatpool that inside local hosts can use. Which local hosts are allowed to use this pool? An access list matches the source addresses to be translated:

RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mynatpool

The second command configures the router to use access list 24 to decide whether to translate the IP source address using mynatpool. As the final configuration steps on the NAT router, the following commands assign the outside and inside roles to the appropriate interfaces:

RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside


If the host at 10.1.1.6 sends an IP packet to an outside host, such as 4.1.1.1, RTA translates the source address and creates a NAT table entry. Use the show ip nat translations command to view the translation table. Figure [2] shows that the inside local address 10.1.1.6 has been translated to the inside global address 171.70.2.1. While this table entry exists, outside hosts can use the global IP address 171.70.2.1 to reach the 10.1.1.6 host.

On a Cisco router, dynamic NAT table entries remain in the table for 24 hours by default. Once the entry ages out, outside hosts can no longer reach 10.1.1.6 until a new table entry is created, and a new entry can only be created by traffic from the inside. A 24-hour timeout is relatively long, so the translation timeout can be adjusted with the following command:

Router(config)#ip nat translation timeout seconds

One of the primary advantages of dynamic NAT is the ability to serve a large number of hosts with a smaller number of globally routable IP addresses. It is important for translation table entries to time out so that addresses in the pool become available for other hosts. A pool of 30 inside global addresses might be configured for 250 inside local hosts; only 30 of the inside hosts can hold a global address at any one time. This configuration may work well in an environment where outside (Internet) connectivity is infrequent and short-lived, such as inside hosts using outside connections for occasional web surfing or e-mail. However, if translation table entries do not age out fast enough, the entire pool could be in use and additional hosts would be unable to access the Internet. To serve a large number of hosts with just a handful of addresses, overloading must be used (see "NAT Overload" later in this chapter).

Although NAT is not a security firewall, it prevents outsiders from initiating connections to inside hosts unless a mapping for that host exists in the NAT table, either a permanent one (static NAT) or a live dynamic one. A live dynamic entry created without overload exposes the inside host on every port for as long as the entry exists, so this is a side effect of the translation table rather than an enforced policy; an access list or a firewall is still needed to control inbound traffic. Because outside hosts never see the "pretranslated" inside addresses, NAT also has the effect of hiding the inside network structure.


2.2.4 Static NAT

Figure 1 Static NAT

Static translation occurs when addresses are specifically configured in a lookup table. A specific inside local address maps to a pre-specified inside global address, one for one. This means that for every inside local address, static NAT requires an inside global address (see the figure). An organization that uses static NAT exclusively is therefore not conserving registered IP addresses. For this reason, static NAT is typically used in conjunction with dynamic NAT: where overlapping networks exist, where a change from one numbering scheme to another has occurred, or for network servers that need to keep the same address, such as DNS or web servers. Consider this example of how static NAT can be used together with dynamic NAT. Company XYZ uses dynamic NAT to allow inside hosts to access the Internet. But what if the company wants outside users to access an internally addressed Web server? Without a permanent global address, outside hosts cannot consistently reach the server. Company XYZ can statically map a global address (171.70.2.10) to an inside address (10.1.1.7). Static mappings remain in the NAT table until an administrator removes them. Internet hosts, and the Domain Name System (DNS), can use the global address (171.70.2.10) to reach the privately and statically addressed Web server.


2.2.5 Configuring static NAT

Figure 1 Configuring Static NAT

Figure 2 Static NAT

Figure [1] shows the steps to configure static NAT. To configure static NAT as shown in Figure [2], enter the following command:

RTA(config)#ip nat inside source static 10.1.1.7 171.70.2.10

Once the static mapping(s) have been configured, an inside and an outside interface must be specified:

RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside

The ability to create static mappings makes NAT a useful tool if an organization ever changes providers. If the company moves from one ISP to another, it may otherwise have to completely readdress its systems. Instead of readdressing, NAT can be deployed to temporarily translate the old addresses to new ones, with static mappings in place to keep Web and other public services available to the outside.

2.2.6 NAT overload

Figure 1 NAT Overload

One of the most powerful features of NAT routers is their ability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called "many-to-one" NAT, or address overloading. With address overloading, literally hundreds of privately addressed nodes can access the Internet using a single global address. The NAT router keeps track of the different conversations by recording TCP and UDP port numbers in the translation table. A translation entry that maps one IP address and port pair to another is called an extended table entry.

For example, the figure shows three inside nodes using the same translated global address of 171.70.2.2. Each of these hosts can communicate with different Internet hosts, or even with the same outside host. According to the NAT table shown in the figure, RTA translates the packet from the inside local address 10.1.1.5, TCP port 1232, to the inside global address 171.70.2.2, also on port 1232. The outside host at 2.2.2.2, TCP port 80, replies to the address 171.70.2.2 on port 1232. When RTA (the NAT router) receives this reply, it uses the destination port number to determine whether the destination IP address should be translated to 10.1.1.5, 10.1.1.6, or 10.1.1.7. As long as the inside global port numbers are unique for each inside local host, NAT overload works. For example, if the hosts at 10.1.1.5 and 10.1.1.6 both use TCP port 1234, the NAT router can create extended table entries mapping 10.1.1.5:1234 to 171.70.2.2:1234 and 10.1.1.6:1234 to 171.70.2.2:1235. NAT implementations do not necessarily try to preserve the original port number.

NAT overload goes a long way toward alleviating address depletion, but its capabilities are limited. In theory, more than 65,000 simultaneous translations (one per port number, per transport protocol) can map to a single outside address. However, the actual number of translations supported by a Cisco router varies; a realistic number is approximately 4,000 local addresses per global address. Each NAT translation consumes about 160 bytes of router DRAM. NAT overload can be used in conjunction with dynamic mappings to a NAT pool. A NAT device such as a Cisco PIX Firewall can use one-to-one dynamic mappings until the available addresses are almost depleted, and then overload the remaining address or addresses. A Cisco IOS router, however, overloads the first address in the pool until it is maxed out, then moves on to the second address, and so on.

2.2.7 Configuring NAT overload

Figure 1 NAT Overload

Figure 2 NAT Overload Using an Outside Interface Address


Configure NAT overload by adding the keyword overload:

Router(config)#ip nat inside source list access-list-number pool name overload

RTA is configured as shown here:

RTA(config)#ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mypatpool overload
RTA(config)#interface bri 0
RTA(config-if)#ip nat outside
RTA(config-if)#interface ethernet 0
RTA(config-if)#ip nat inside

The ip nat pool command creates the pool of addresses that are used for overloading. Notice that this pool, mypatpool, contains only 30 addresses. Using NAT overload, these 30 addresses can comfortably serve hundreds, or even thousands, of inside hosts (see Figure [1]). The access-list command creates the access list that matches the addresses to be translated. The ip nat inside source list 24 command configures the router to translate addresses that match access list 24 using inside global addresses from mypatpool.

An address pool does not have to be configured for NAT overload to work. If no spare IP addresses are available, the address of the outside interface itself can be overloaded:

Router(config)#ip nat inside source list access-list-number interface interface-name overload

Typically, home users receive only one IP address from their provider. Figure [2] shows how NAT overload can be configured using the outside interface address.
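As an added example (it is not part of the Cisco course text), the following Python model of a router's NAT table ties together the three behaviours described in 2.2.3, 2.2.5 and 2.2.7: a static mapping that never ages out, dynamic one-to-one allocation from a pool with the translation timeout and pool exhaustion, and overload (PAT), including the port-collision case where two hosts both use source port 1234. The inside network, pool ranges and static mapping are the ones used in this chapter; the port numbers, timestamps and the "keep the source port if free, else the next free port" allocation rule are assumptions made for the example, not IOS's real allocator. The inbound() method also shows the security point from 2.2.3: an outside host reaches an inside host only while a static or live dynamic entry exists, and a simple (address-only) entry exposes every port of that host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 24 * 60 * 60   # IOS default for simple dynamic entries, in seconds


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None    # None: simple (address-only) entry
    global_port: Optional[int] = None
    static: bool = False
    expires: Optional[float] = None     # None for static entries, which never age out


class NatRouter:
    """Toy model of 'ip nat inside source {static | list ... pool ... [overload]}'."""

    def __init__(self, inside_list, pool_start, pool_end,
                 overload=False, timeout=DEFAULT_TIMEOUT):
        self.inside_list = ipaddress.ip_network(inside_list)   # the access list
        lo = int(ipaddress.ip_address(pool_start))
        hi = int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.timeout = timeout
        self.table = []

    def add_static(self, inside_local, inside_global):
        """ip nat inside source static inside_local inside_global"""
        self.table.append(Entry(inside_local, inside_global, static=True))

    def _age_out(self, now):
        self.table = [e for e in self.table if e.static or e.expires > now]

    def _touch(self, entry, now):
        if not entry.static:
            entry.expires = now + self.timeout   # traffic refreshes the timer

    def outbound(self, src, sport, now):
        """Inside-to-outside packet. Returns the (global address, global port)
        written into the packet, or None if it is not translated: source not
        matched by the access list, or pool / port space exhausted."""
        self._age_out(now)
        if ipaddress.ip_address(src) not in self.inside_list:
            return None
        if self.overload:
            return self._outbound_overload(src, sport, now)
        for e in self.table:                       # existing simple entry?
            if e.inside_local == src and e.local_port is None:
                self._touch(e, now)
                return e.inside_global, sport
        used = {e.inside_global for e in self.table}   # static globals count too
        free = next((g for g in self.pool if g not in used), None)
        if free is None:
            return None                            # pool exhausted: packet dropped
        e = Entry(src, free)
        self._touch(e, now)
        self.table.append(e)
        return free, sport

    def _outbound_overload(self, src, sport, now):
        for e in self.table:                       # existing extended entry?
            if e.inside_local == src and e.local_port == sport:
                self._touch(e, now)
                return e.inside_global, e.global_port
        # IOS fills the first pool address before moving to the next (2.2.6).
        # Assumed allocator: keep the source port if free, else the next free port.
        for g in self.pool:
            taken = {e.global_port for e in self.table if e.inside_global == g}
            gport = sport
            while gport in taken and gport < 65535:
                gport += 1
            if gport not in taken:
                break
        else:
            return None                            # every address's port space is full
        e = Entry(src, g, sport, gport)
        self._touch(e, now)
        self.table.append(e)
        return g, gport

    def inbound(self, dst, dport, now):
        """Outside-to-inside packet. Returns (inside local address, local port),
        or None when no static or live dynamic entry matches (packet dropped)."""
        self._age_out(now)
        for e in self.table:
            if e.inside_global != dst:
                continue
            if e.local_port is None:               # simple entry: every port reachable
                self._touch(e, now)
                return e.inside_local, dport
            if e.global_port == dport:             # extended entry: only this port
                self._touch(e, now)
                return e.inside_local, e.local_port
        return None
```

Running the model with a three-address pool and a 60-second timeout reproduces the chapter's claims: the fourth inside host is dropped until an entry ages out, the aged-out host is unreachable from outside while the static web server stays reachable, and with overload the second host using port 1234 receives global port 1235 and replies to that port are steered back to it.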


2.2.8 TCP load distribution

Figure 1 TCP Load Distribution

Figure 2 TCP Load Distribution Without Private Addresses

As an extension to static mapping, Cisco routers support TCP load distribution. This NAT feature maps one global address to multiple inside addresses for the purpose of distributing conversations among multiple hosts. In Figure [1], the NAT router rotates conversations between two inside Web servers at 10.1.1.6 and 10.1.1.7 when an outside host requests web services at 171.70.2.10. TCP load distribution can be used even when no translation between private and public addresses is involved. The scenario depicted in Figure [2] shows RTA configured to map both www1 (171.70.2.3/24) and www2 (171.70.2.4/24) to the same inside global IP address (171.70.2.10/24). All three of these IP addresses are public addresses on the same subnet. In such configurations, the address 171.70.2.10 is referred to as a virtual host.


2.2.9 Configuring TCP load distribution

Figure 1 Configuring TCP Load Distribution

The following are the steps for configuring TCP load distribution:

1. Define a pool of addresses containing the addresses of the real hosts:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary

2. Define an access list permitting the address of the virtual host:
Router(config)#access-list access-list-number permit source [source-wildcard]

3. Establish dynamic inside destination translation, identifying the access list defined in Step 2:
Router(config)#ip nat inside destination list access-list-number pool name

4. Specify the inside interface:
Router(config)#interface type number

5. Mark the interface as connected to the inside:
Router(config-if)#ip nat inside

6. Specify the outside interface:
Router(config-if)#interface type number

7. Mark the interface as connected to the outside:
Router(config-if)#ip nat outside


2.2.10 TCP load distribution configuration example

Figure 1 TCP Load Distribution Without Private IP Addresses

In the figure, RTA is configured as shown:

RTA(config)#ip nat pool webservers 171.70.2.3 171.70.2.4 netmask 255.255.255.0 type rotary
RTA(config)#access-list 46 permit host 171.70.2.10
RTA(config)#ip nat inside destination list 46 pool webservers
RTA(config)#interface e0
RTA(config-if)#ip nat inside
RTA(config-if)#interface s0
RTA(config-if)#ip nat outside

The keyword rotary causes the router to rotate through the webservers pool when translating. Access list 46 defines the virtual host address. RTA is configured to translate destination addresses that match 171.70.2.10 (access list 46) using the webservers pool. Because the webservers pool was defined with the rotary keyword, the first translation is to 171.70.2.3, the second to 171.70.2.4, the third back to 171.70.2.3, and so on. In this way, the load is distributed among the Web servers.


2.2.11 Overlapping networks

Figure 1 Overlapping Networks

Figure 2 Overlapping Networks


Figure 3 Overlapping Networks

Figure 4 Overlapping Networks

Figure 5 Overlapping Networks


Figure 6 Output of show ip nat translations in Overlapping Network Scenario

Overlapping networks result when an IP address is assigned to a device on the network that is already legally owned and assigned to a different device on the Internet or on an outside network. Overlapping networks also result when two companies that both use RFC 1918 addresses in their networks merge. These two networks need to communicate, preferably without readdressing all their devices.

Figure [1] illustrates an overlapping network scenario. Notice that the inside device, HostA, is addressed from the same IP subnet as the outside device, HostZ. HostA cannot reach HostZ by using HostZ's IP address: if HostA pings 10.1.1.6, it pings its local neighbor and not HostZ.

One way to allow HostA to communicate with HostZ is to use DNS together with NAT. Instead of using HostZ's actual IP address, HostA uses HostZ's hostname. For example, a user on HostA could issue the command ping HostZ, which results in a name-to-address lookup using DNS (see Figure [2]). A NAT translation is done for the DNS query sourced from 10.1.1.7: RTA translates the query so that it appears to come from the inside global address 192.168.1.7. The DNS server responds to this query, as shown in Figure [3]. This DNS response is the key to making overlapping networks coexist. The DNS server responds with HostZ's actual IP address, 10.1.1.6, but RTA translates the payload of the DNS response. Cisco's implementation of NAT actually alters the contents of the DNS packet, creating a simple table entry that maps the outside global address (10.1.1.6) to an outside local address (192.168.3.6). In this way, HostA believes that HostZ is at 192.168.3.6 (presumably a reachable IP network). Note: NAT does not look at the payload of the DNS reply unless a translation occurs on the IP header of the reply packet.

HostA can then begin a conversation with HostZ. When HostA sends a packet to HostZ, RTA creates an extended table entry, as shown in Figure [4]. From HostA's point of view, this conversation is between 10.1.1.7 (HostA) and 192.168.3.6 (HostZ). However, RTA translates both the source and destination addresses, so HostZ believes this same conversation is between 192.168.1.7 (HostA) and 10.1.1.6 (HostZ).

The configuration for RTA is shown in Figure [5]. RTA uses the inGlobal address pool to translate HostA's address so that outside hosts can reach HostA. RTA uses the outLocal pool to translate outside hosts in the overlapping network so that HostA can reach those hosts. Figure [6] provides the output of the show ip nat translations command after HostA has sent HostZ an IP packet. The first entry shown in Figure [6] was created when HostA sent a DNS query. The second entry was created when RTA translated the payload of the DNS reply. The third entry was created when the packet was exchanged between HostA and HostZ; it combines the first two entries and is used for more efficient translation.
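As an added example (this is not Cisco code), the following Python reproduces what RTA does to the DNS reply in Figure [3]: it walks a DNS response, and for every A record whose address falls in the overlapping network it allocates an outside local address from the outLocal pool, records the outside-global-to-outside-local mapping, and rewrites the record in place, so HostA learns a reachable address for HostZ. The hostname, the outLocal range 192.168.3.1 to 192.168.3.254 and the DNS message itself are constructed for the example; the chapter's figure shows HostZ mapped to 192.168.3.6, whereas this allocator simply hands out the first free address.

```python
import ipaddress
import struct


def build_dns_reply(name, ip, txid=0x1234):
    """Construct a minimal DNS response: one question and one A answer,
    no name compression. Used only to create sample input for the example."""
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 Q, 1 AN
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    return header + question + answer


def skip_name(buf, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def a_record_offsets(buf):
    """Yield the RDATA offset of every 4-byte A record in the answer,
    authority and additional sections of a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4                  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(pkt):
    """All A-record addresses in a DNS message, as dotted strings."""
    return [str(ipaddress.ip_address(bytes(pkt[o:o + 4]))) for o in a_record_offsets(pkt)]


class OutsideLocalPool:
    """Models 'ip nat pool outLocal ...' as used by 'ip nat outside source list
    ... pool outLocal': each outside global address in the overlapping network
    is given an outside local address that HostA can route to."""

    def __init__(self, overlap_net, start, end):
        self.overlap = ipaddress.ip_network(overlap_net)
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.table = {}                                 # outside global -> outside local

    def map(self, outside_global):
        if outside_global not in self.table:
            if not self.free:
                raise RuntimeError("outLocal pool exhausted")
            self.table[outside_global] = self.free.pop(0)   # assumed: first free address
        return self.table[outside_global]


def translate_dns_reply(pkt, pool):
    """What the NAT DNS ALG does to a reply whose IP header is being translated:
    rewrite every A record in the overlapping network to its outside local
    address. Returns (rewritten packet, list of (outside global, outside local))."""
    buf = bytearray(pkt)
    mappings = []
    for off in a_record_offsets(buf):
        addr = ipaddress.ip_address(bytes(buf[off:off + 4]))
        if addr in pool.overlap:
            local = pool.map(str(addr))
            buf[off:off + 4] = ipaddress.ip_address(local).packed
            mappings.append((str(addr), local))
    return bytes(buf), mappings
```

Two practical caveats follow from this mechanism. First, as the Note above says, the rewrite only happens when the reply packet itself is being translated. Second, because the ALG changes the RDATA of the A record, a DNSSEC-validating resolver on HostA would reject the rewritten answer: the RRSIG it receives was computed over the original address.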


2.3 Verifying NAT Configuration

2.3.1 Verifying NAT translations

Figure 1 Using the show ip nat translations verbose Command

Figure 2 Show IP NAT Translation Display with Address Overlapping

Figure 3 Using the show ip nat statistics Command

The commands covered in this section display translation information and clear entries from the NAT translation table. The show ip nat translations [verbose] command verifies the active translations, as shown in Figure [1]. The verbose keyword displays more information, including the time remaining before a dynamic entry ages out. Figure [2] shows the output of this command in the address-overlapping scenario.


Use the show ip nat statistics command to see NAT statistics, as shown in Figure [3].

2.3.2 Troubleshooting NAT translations

Figure 1 Debug IP NAT Display

To trace NAT operation, use the debug ip nat command, which displays a line of output for each packet that gets translated. The detailed keyword may be added to output even more information. The output shown in the figure is a sample debug of address translation from inside to outside. Use the following key points to decode the debug output:




• The asterisk next to NAT indicates that the translation is occurring in the fast path. The first packet in a conversation always goes through the slow path (that is, it is process-switched). The remaining packets go through the fast path if a cache entry exists.
• s = a.b.c.d is the source address.
• a.b.c.d -> w.x.y.z is the address that the source was translated to.
• d = a.b.c.d is the destination address.
• The value in brackets is the IP identification number. This information is useful for debugging because it enables correlation with other packet traces, from sniffers for example.
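As an added example (not from the Cisco text), here is Python that parses the two outputs discussed in 2.3.1 and 2.3.2 so they can be checked mechanically rather than by eye. Rows of show ip nat translations are turned into records, from which the code reports which inside hosts are currently reachable from outside on every port (simple entries, static or live dynamic) and how much of the pool is in use, and debug ip nat lines are decoded into their fast/slow-path flag, direction, addresses and IP identification number. The sample outputs are constructed to match the formats described on this page, using this chapter's addresses; the pool list passed to pool_usage is an assumption.

```python
import re

# Constructed sample of 'show ip nat translations': two extended (overload)
# entries and two simple entries, one dynamic (171.70.2.1) and one static (171.70.2.10).
SAMPLE_SHOW = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 171.70.2.2:1232    10.1.1.5:1232      2.2.2.2:80         2.2.2.2:80
tcp 171.70.2.2:1235    10.1.1.6:1234      2.2.2.2:80         2.2.2.2:80
--- 171.70.2.1         10.1.1.6           ---                ---
--- 171.70.2.10        10.1.1.7           ---                ---
"""

# Constructed sample of 'debug ip nat': the first packet of the conversation
# takes the slow path; the reply and later packets take the fast path (asterisk).
SAMPLE_DEBUG = """\
NAT: s=10.1.1.6->171.70.2.1, d=4.1.1.1 [1234]
NAT*: s=4.1.1.1, d=171.70.2.1->10.1.1.6 [4087]
NAT*: s=10.1.1.6->171.70.2.1, d=4.1.1.1 [1235]
"""

DEBUG_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]$"
)


def split_socket(token):
    """'171.70.2.2:1232' -> ('171.70.2.2', 1232); '171.70.2.1' -> ('171.70.2.1', None);
    '---' -> (None, None)."""
    if token == "---":
        return None, None
    ip, _, port = token.partition(":")
    return ip, (int(port) if port else None)


def parse_show_translations(text):
    """Turn 'show ip nat translations' output into a list of dicts.
    proto is None for simple (address-only) entries."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("---", "tcp", "udp", "icmp"):
            continue                      # header, blank, or 'verbose' continuation line
        pro, ig, il, ol, og = fields
        rows.append({
            "proto": None if pro == "---" else pro,
            "inside_global": split_socket(ig),
            "inside_local": split_socket(il),
            "outside_local": split_socket(ol),
            "outside_global": split_socket(og),
        })
    return rows


def fully_exposed_hosts(rows):
    """Inside hosts an outside party can reach on any port right now: every
    simple entry, static or live dynamic, exposes the whole host; an extended
    entry exposes only one port."""
    return {r["inside_local"][0] for r in rows if r["proto"] is None}


def pool_usage(rows, pool):
    """(pool addresses currently in use, pool size); a full pool means new
    inside hosts are being dropped until entries time out."""
    in_use = {r["inside_global"][0] for r in rows} & set(pool)
    return len(in_use), len(pool)


def parse_debug_line(line):
    """Decode one 'debug ip nat' line, or return None for anything else."""
    m = DEBUG_RE.match(line.strip())
    if not m:
        return None
    return {
        "fast_path": m["fast"] == "*",
        "direction": "inside->outside" if m["s2"] else "outside->inside",
        "src": m["s"], "src_translated": m["s2"],
        "dst": m["d"], "dst_translated": m["d2"],
        "ip_id": int(m["id"]),
    }


def translations_seen(events):
    """(inside local, inside global) pairs that a debug capture proves were translated."""
    pairs = set()
    for ev in events:
        if ev["direction"] == "inside->outside":
            pairs.add((ev["src"], ev["src_translated"]))
        else:
            pairs.add((ev["dst_translated"], ev["dst"]))
    return pairs
```

On the sample above, fully_exposed_hosts reports 10.1.1.6 and 10.1.1.7 (the live dynamic entry and the static web server), pool_usage shows two of three pool addresses in use, and translations_seen confirms from the debug lines that 10.1.1.6 is being translated to 171.70.2.1 in both directions.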


2.3.3 Clearing NAT translations

Figure 1 Effect of clear ip nat translation * Command

Once NAT is enabled, the NAT configuration cannot be changed while dynamic translations that depend on it are active. To clear all translation entries, use the clear ip nat translation * command. To clear a simple translation entry containing an inside translation, or both an inside and an outside translation, use:

Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

To clear a simple translation entry that contains an outside translation, use:

Router#clear ip nat translation outside local-ip global-ip

To clear an extended entry (in its various forms), use:

Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

The following example shows the use of this command:

RTX#clear ip nat translation udp inside 192.168.2.2 1220 10.1.1.2 1220 outside 171.69.2.132 53 171.69.2.132 53

If NAT is properly configured but translations are not occurring, clear the NAT translations and check whether new translations are created.


2.4 NAT Considerations

2.4.1 NAT advantages

Figure 1 NAT Implementation Considerations

NAT has several advantages, including the following:

• NAT conserves the legally registered addressing scheme by allowing the privatization of intranets, while legally registered address pools can still be set up to gain access to the Internet.
• NAT reduces the instances in which addressing schemes overlap. Overlap could occur if a scheme was originally set up within a private network and the network was later connected to the public network, which may use the same addressing scheme. Without address translation, the potential for overlap exists globally.
• NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load-sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified because planners have more flexibility when creating an address plan.
• De-privatization of a network requires renumbering the existing network, at a cost proportional to the number of hosts that must be converted to the new addressing scheme. NAT allows the existing scheme to remain while still supporting the newly assigned addressing scheme outside the private network.


2.4.2 NAT disadvantages

Figure 2 NAT Implementation Considerations

NAT is not without drawbacks. The tradeoff for address translation is a loss of functionality, particularly with any protocol or application that carries IP address information outside the IP header. NAT disadvantages include the following:

• NAT increases delay. Switching-path delays are introduced because each IP address within the packet headers must be translated. Performance is a consideration because the first packet of each conversation is process-switched: the CPU must examine the packet to decide whether it has to translate it, then alter the IP header and possibly the TCP header, before a translation entry exists that later packets can use.
• One significant disadvantage of NAT is the loss of end-to-end IP traceability. It becomes much more difficult to trace packets that undergo numerous address changes over multiple NAT hops. This makes it harder for an attacker to determine the original source or destination address of a packet, but the same opacity works against defenders: unless the router's translations are logged, an abuse report that names an inside global address and a time cannot be tied back to the inside host that generated the traffic.
• NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that use IP addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router. Sometimes this problem can be avoided by implementing static NAT mappings.

2.4.3 Traffic types supported by Cisco IOS NAT

Traffic types supported by Cisco IOS NAT:

• Any TCP/UDP traffic that does not carry source or destination IP addresses in the application data stream
• Hypertext Transfer Protocol (HTTP)
• Trivial File Transfer Protocol (TFTP)
• Telnet
• Archie
• Finger
• Network Time Protocol (NTP)
• Network File System (NFS)
• rlogin, rsh, rcp

Although the following traffic types carry IP addresses in the application data stream, they are supported by Cisco IOS NAT:

• ICMP
• File Transfer Protocol (FTP) (including PORT and PASV commands)
• NetBIOS over TCP/IP (datagram, name, and session services)
• Progressive Networks' RealAudio
• White Pines' CuSeeMe
• Xing Technologies' Streamworks
• DNS "A" and "PTR" queries
• H.323/NetMeeting [12.0(1)/12.0(1)T and later]
• VDOLive [11.3(4)/11.3(4)T and later]
• Vxtreme [11.3(4)/11.3(4)T and later]
• IP multicast [12.0(1)T] (source address translation only)

The following traffic types are not supported by Cisco IOS NAT:

• Routing table updates
• DNS zone transfers
• BOOTP
• talk, ntalk
• Simple Network Management Protocol (SNMP)
• NetShow


2.5 NAT Configuration Lab Exercises

2.5.1 Configuring static NAT

Figure 1 Configuring Static NAT

Lab Activity Configure Network Address Translation (NAT) static translation to provide reliable outside access to three shared company servers.


2.5.2 Configuring dynamic NAT

Figure 1 Configuring Dynamic NAT

Lab Activity Configure dynamic NAT to provide privately addressed users with access to outside resources.


2.5.3 Configuring NAT overload

Figure 1 Configuring NAT Overload

Lab Activity Configure dynamic NAT with overload.


2.5.4 Configuring TCP load distribution

Figure 1 Configuring TCP Load Distribution

Lab Activity This lab configures NAT with the TCP load distribution option. The prefix-length option is also used as an alternative to the netmask option of the ip nat pool command.


Summary This chapter demonstrated that NAT allows the network to scale without depleting the limited supply of global IP addresses. It also covered configuring static NAT in addition to dynamic NAT and NAT overload (PAT). It was also shown how NAT can be used to provide connectivity in overlapping IP networks.


Section 3

Emerging Remote Access Technologies

Table of Contents

EMERGING REMOTE ACCESS TECHNOLOGIES    1
Overview    3
Objectives    4
3.1 Cable Modems    5
  3.1.1 Two-way, high-speed data transmission    5
  3.1.2 How cable modems work    6
  3.1.3 Cable data network architecture    9
  3.1.4 Cable and OSI model    11
  3.1.5 Cable summary    13
3.2 Wireless Network Access    15
  3.2.1 Overview    15
  3.2.2 Direct broadcast satellite    16
  3.2.3 DBS architecture    17
  3.2.4 Data service    19
3.3 Multichannel Multipoint Distribution Services    20
  3.3.1 Overview    20
  3.3.2 MMDS history    20
  3.3.3 MMDS architecture    21
3.4 Local Multipoint Distribution Services    23
  3.4.1 Overview    23
  3.4.2 LMDS architecture    24
  3.4.3 Wireless broadband summary    26
3.5 Wireless Local Area Networking    27
  3.5.1 Overview of wireless local-area networking    27
  3.5.2 In-building WLANs    28
  3.5.3 Building-to-building WLANs    29
  3.5.4 The wireless LAN standard    30
  3.5.5 The future of wireless local-area networking    31
  3.5.6 Mobility services    33
  3.5.7 Conclusion    34
3.6 Digital Subscriber Line    35
  3.6.1 DSL background    35
  3.6.2 Asymmetric digital subscriber line (ADSL)    36
  3.6.3 ADSL services architecture    37
  3.6.4 ADSL capabilities    39
  3.6.5 ADSL technology    41
  3.6.6 ADSL standards and associations    42
3.7 Very-High-Data-Rate Digital Subscriber Line    44
  3.7.1 Overview    44
  3.7.2 VDSL projected capabilities    45
  3.7.3 VDSL technology    46
  3.7.4 VDSL issues    49
  3.7.5 Standards status    50
  3.7.6 Relationship of VDSL to ADSL    51
Summary    53

1-2

Remote Access Section 3: Emerging Remote Access Technologies

Copyright  2002, Cisco Systems, Inc.

Overview

This appendix gives an overview of emerging remote-access technologies. Additionally, it discusses the pros and cons of accessing the Internet via cable modems, wireless connections, and digital subscriber lines (xDSL).


Objectives

After completing this chapter, the student will be able to perform tasks relating to:
3.1 Cable Modems
3.2 Wireless Network Access
3.3 Multichannel Multipoint Distribution Services (MMDS)
3.4 Local Multipoint Distribution Services (LMDS)
3.5 Wireless Local Area Networking (WLAN)
3.6 Digital Subscriber Line (DSL)
3.7 Very-High-Data-Rate Digital Subscriber Line (VHDSL)


3.1 Cable Modems

3.1.1 Two-way, high-speed data transmission

Figure 1 Cable Modem

Cable modems enable two-way, high-speed data transmission using the same coaxial lines that transmit cable television. Some cable service providers are promising data speeds up to 6.5 times that of T1 leased lines. This speed makes cable an attractive medium for transferring large amounts of digital information quickly, including video clips, audio files, and large chunks of data. Information that would take two minutes to download using ISDN can be downloaded in two seconds through a cable-modem connection.

Cable-modem access provides speeds superior to leased lines, with lower costs and simpler installation. When the cable infrastructure is in place, a firm can connect through installation of a modem or router. Additionally, because cable modems do not use the telephone system infrastructure, there are no local-loop charges. Products such as the Cisco uBR904 universal broadband router cable modem make cable access an even more attractive investment by integrating a fully functional Cisco IOS router, four-port hub, and cable modem into one unit (see the figure). This combination allows businesses to replace combinations of routers, bridges, hubs, and single-port cable modems with one product.

Cable modems provide a full-time connection. As soon as users turn on their computers, they are connected to the Internet. This removes the time and effort of dialing in to establish a connection. The "always-on" cable connection also means that a company's "information pipe" is open at all times. This increases the vulnerability of data to hackers and necessitates the installation of firewalls to maximize security. Fortunately, the industry is moving toward standardization in cable modems and addressing encryption needs. New models of the Cisco uBR904 cable modem will provide IP Security (IPSec) and firewall capabilities. These features protect company LANs and provide virtual private network (VPN) tunneling, with options for authentication and encryption.

Because the connection is permanently established, cable-modem connections take place over the Internet. Employees using a cable modem at home to surf the Web can connect to a company LAN only if the business connects its LAN to the Internet. Moving through the Internet in this way can restrict the speedy connection of cable modems. To address this problem, many cable access service providers are in the process of developing services that combine cable and T1 connections. This will provide fast and reliable remote office-to-corporate network connections.

Availability may be the biggest barrier to cable-modem adoption by businesses because only a few office buildings have been outfitted for cable reception, compared to the almost 85 percent of households in North America that are wired for cable. Some cable operators are in the process of replacing traditional one-way cable systems with the more interactive two-way architecture known as hybrid fiber coaxial (HFC). Due to the magnitude of this upgrade and the need to expand networks to include businesses, the market penetration of cable modems is expected to lag behind DSL.

3.1.2 How cable modems work

Figure 1 How Cable Modems Work


Figure 2 How Cable Modems Work

Figure 3 How Cable Modems Work

Like telephone modems, cable modems modulate and demodulate data signals. However, cable modems incorporate more functionality designed for today's high-speed Internet services. In a cable network, data flowing from the network to the user is referred to as downstream and data flowing from the user to the network is referred to as upstream. From a user perspective, a cable modem is a 64/256 QAM radio frequency (RF) receiver capable of delivering up to 30 to 40 megabits per second (Mbps) of data in one 6-megahertz (MHz) cable channel. This is almost 500 times faster than a 56-kilobit-per-second (kbps) modem. The headend manages traffic flow from the user to the network. [1] The cable headend performs the following functions:

• Receive programming (for example, from NBC, CBS, and cable networks such as MTV and ESPN)

• Convert each channel to the channel frequency desired; scramble channels as needed (for the premium channels)

• Combine all the frequencies onto a single, broadband analog channel (frequency-division multiplexing [FDM])

• Broadcast the combined analog stream downstream to subscribers

The data is modulated using a QPSK/16 QAM transmitter with data rates from 320 kbps up to 10 Mbps. The upstream and downstream data rates can be configured to meet the needs of the subscribers. For instance, a business service can be programmed to both transmit and receive at relatively high rates. A residential user, on the other hand, can have service configured to receive higher-bandwidth access to the Internet while being limited to low-bandwidth transmission to the network. With a cable modem, a subscriber can continue to receive cable television service while simultaneously receiving data to be delivered to a personal computer. This is accomplished with the help of a simple one-to-two splitter. The data service offered by a cable modem can be shared by up to 16 users in a local-area network (LAN) configuration. [2]

Because some cable networks are suited for broadcast television services, cable modems may use either a standard telephone line or a QPSK/16 QAM modem over a two-way cable system to transmit data upstream from a user location to the network. When a telephone line is used in conjunction with a one-way broadcast network, the cable data system is referred to as a telephony return interface (TRI) system. Telephone return means that the consumer (or the subscriber modem) makes a telephone call to a terminal server when the consumer requires return-path service. At the cable headend, data from individual users is filtered by telephone-return systems for further processing by a cable modem terminal server (CMTS). The CMTS communicates with the cable modem to enforce the Media Access Control (MAC) protocol and RF control functions, such as frequency hopping and automatic gain control. A CMTS provides the data switching necessary to route data between the Internet and cable-modem users. Data from the network to a user group is sent to a 64/256 QAM modulator. The result is user data modulated into one 6-MHz channel, which is the spectrum allocated for a cable television channel such as ABC, NBC, or TBS, for broadcast to all users. [3]

A cable headend combines the downstream data channels with the existing video, pay-per-view, audio, and local advertiser programs that are received by television subscribers. The combined signal is now ready to be transmitted throughout the cable distribution network. When the signal arrives at the user's site, two different devices receive it. A converter box, generally located on top of a television, receives the television signal, while a cable modem or router receives user data and sends it to a PC.

The CMTS, an important new element for support of data services, integrates upstream and downstream communication over a cable data network. The number of upstream and downstream channels in any particular CMTS can be designed and adjusted based on the size of the serving area, number of users, and data rates offered to each user. Another important element in the operations and day-to-day management of a cable data system is an element management system (EMS). An EMS is an operations system designed specifically to configure and manage a CMTS and associated cable-modem subscribers. These operations include provisioning, day-to-day administration, monitoring, alarms, and testing of various components of a CMTS. From a central Network Operations Center (NOC), a single EMS can support many CMTS systems in a particular geographic region.

Beyond modulation and demodulation, a cable modem or router incorporates many features necessary to extend broadband communications to wide-area networks (WANs). The Internet Protocol (IP) is used at the network layer to support Internet services such as e-mail, Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP). The data link layer comprises three sublayers: the Logical Link Control (LLC) sublayer, a link security sublayer conforming to the security requirements, and a MAC sublayer suitable for cable-system operations. Cable systems use the Ethernet frame format for data transmission over data channels. The downstream data channels and the associated upstream data channels on a cable network basically form an Ethernet WAN. As the number of subscribers increases, the cable operator can add more upstream and downstream data channels to meet the additional bandwidth requirements.

The link security sublayer is defined in three (sub)sets of requirements: baseline privacy interface (BPI), security system interface (SSI), and removable security module interface (RSMI). BPI provides cable-modem users with data privacy across the cable network, whose downstream channel is broadcast to every subscriber on it, by encrypting data traffic between the cable modem and the CMTS. The operational support provided by the EMS allows a CMTS to map cable-modem identities to paying subscribers and thereby authorize subscriber access to data network services. These privacy and security requirements are designed to protect user data as well as prevent unauthorized use of cable data services.

3.1.3 Cable data network architecture

Figure 1 Cable Data Network Architecture


Figure 2 Cable Data Network Architecture

A CMTS provides an extended Ethernet network over a WAN with a geographic reach up to 100 miles. The cable data network may be fully managed by the local cable operations unit, or operations may be aggregated at a regional NOC for better scaling. A given geographic or metropolitan region may have a few cable television headend locations that are connected by fiber links. The day-to-day operations and management of a cable data network may be consolidated at a single location, such as a regional center, while other headend locations may be economically managed as local centers.

A basic distribution center is a minimal data network configuration that exists within a cable television headend. A typical headend is equipped with satellite receivers, fiber connections to other regional headend locations, and upstream RF receivers for pay-per-view and data services. [1] The minimal data network configuration includes a CMTS system capable of upstream and downstream data transport and an IP router to connect to the regional location. A regional center is a cable headend location with additional temperature-controlled facilities to house a variety of computer servers, which are necessary to run cable data networks. The servers provide the following services:

• file transfer

• user authorization and accounting

• log control (syslog)

• IP address assignment and administration (Dynamic Host Configuration Protocol [DHCP] servers)

• Domain Name System or Service (DNS) servers

• Data-over-Cable Service Interface Specification (DOCSIS) control servers

In addition, a regional center may contain support and network management systems necessary for the television as well as data network operations. User data from local and regional locations is received at a regional data center for further aggregation and distribution throughout the network. [2] A regional data center supports the DHCP, DNS, and log control servers necessary for cable data network administration. It also provides connectivity to the Internet and the World Wide Web, and contains the server farms necessary to support Internet services. These servers include e-mail, Web hosting, news, chat, proxy, caching, and streaming-media servers.

3.1.4 Cable and OSI model

Figure 1 Cable and the OSI Model

The cable data system comprises many different technologies and standards. For cable modems to be mainstreamed, modems from different vendors must be interoperable.

Physical Layer

Downstream Data Channel

At the physical layer, the downstream data channel is based on North American digital video specifications (specifically, International Telecommunication Union [ITU-T] Recommendation J.83 Annex B) and includes the following features:

• 64 and 256 QAM

• 6-MHz occupied spectrum that coexists with other signals in the cable plant

• Variable-length interleaving support for both latency-sensitive and latency-insensitive data services

• Contiguous serial bit stream with no implied framing, providing complete physical and data link layer decoupling

Upstream Data Channel

The upstream data channel is a shared channel featuring the following:

• QPSK and 16 QAM formats

• Data rates from 320 kbps to 10 Mbps

• Flexible and programmable cable modem under control of the CMTS

• Time-division multiple access

• Support of both fixed-frame and variable-length protocol data units (PDUs)

Data Link Layer

The data link layer provides the general requirements for many cable-modem subscribers to share a single upstream data channel for transmission to the network. Among these requirements are collision detection and retransmission capability. The large geographic reach of a cable data network poses special problems as a result of the difference in transmission delay between users close to the headend and users at a distance from it. To compensate for cable losses and delay as a result of distance, the data link layer performs ranging, by which each cable modem can assess the time delay in transmitting to the headend. The data link layer supports:

• timing and synchronization

• bandwidth allocation to cable modems under the control of the CMTS

• error detection, handling, and error recovery

• procedures for registering new cable modems

Network Layer

Cable data networks use IP for communication from the cable modem to the network. IETF-compliant DHCP (Internet Engineering Task Force) typically forms the basis for IP address assignment and administration in the cable network.

Transport Layer

Cable data networks support both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) at the transport layer.

Application Layer

All of the Internet-related applications are supported here. These applications include HTTP, FTP, e-mail, Trivial File Transfer Protocol (TFTP), news, chat, and Simple Network Management Protocol (SNMP). The use of SNMP provides for management of the CMTS and cable data networks.
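The ranging and time-division multiple access behaviour described in the data link layer discussion above (and the CMTS-controlled upstream of 3.1.2), as an added Python example that is not part of the Cisco document: a CMTS-side scheduler grants each modem one slot on the shared upstream channel, measures how late each modem's ranging burst arrives, and hands back a timing offset. The plant reach, propagation velocity factor, slot and burst lengths, and the three constructed modem distances are assumptions, not DOCSIS constants.

```python
"""Toy model of upstream ranging and TDMA on a shared cable data channel.

Added example, not taken from the Cisco document. Assumptions: the CMTS
clock is the reference; a modem learns the CMTS time from a downstream
SYNC, so its clock lags by its one-way delay; signals travel at 0.87c;
slot and burst lengths are illustrative only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

C_KM_PER_US = 0.299792458   # speed of light, km per microsecond
VELOCITY_FACTOR = 0.87      # assumed propagation speed in the plant (fraction of c)
TOLERANCE_US = 1e-6         # floating-point slack when checking slot edges


def one_way_delay_us(distance_km: float) -> float:
    """Propagation delay from a modem to the headend, in microseconds."""
    return distance_km / (C_KM_PER_US * VELOCITY_FACTOR)


@dataclass
class CableModem:
    name: str
    distance_km: float
    timing_offset_us: float = 0.0   # correction from the CMTS; zero until ranged

    def arrival_at_cmts(self, slot_start_us: float) -> float:
        """CMTS time at which a burst this modem aims at slot_start_us arrives.

        The modem's clock lags the CMTS by one one-way delay, and the burst
        needs another one-way delay to reach the headend, so an unranged
        modem lands a full round trip late. Ranging subtracts that offset."""
        delay = one_way_delay_us(self.distance_km)
        transmit_time_cmts = slot_start_us - self.timing_offset_us + delay
        return transmit_time_cmts + delay


class CMTS:
    """Headend-side controller: grants slots and ranges modems."""

    def __init__(self, slot_len_us: float, burst_len_us: float) -> None:
        if burst_len_us > slot_len_us:
            raise ValueError("a burst must fit inside one slot")
        self.slot_len_us = slot_len_us
        self.burst_len_us = burst_len_us

    def range_modem(self, modem: CableModem, ranging_slot_us: float) -> float:
        """Measure how late the ranging burst arrives and return that as the
        timing offset the modem must apply (real ranging also trims power and
        frequency; omitted here)."""
        late_by = modem.arrival_at_cmts(ranging_slot_us) - ranging_slot_us
        modem.timing_offset_us += late_by
        return late_by

    def grant_slots(self, modems: List[CableModem], start_us: float = 0.0) -> Dict[str, float]:
        """TDMA: give each modem one slot in turn, under CMTS control."""
        return {m.name: start_us + i * self.slot_len_us for i, m in enumerate(modems)}

    def bursts_outside_grant(self, modems: List[CableModem], grants: Dict[str, float]) -> List[str]:
        """Names of modems whose burst does not land entirely inside its slot.
        Such a burst can overlap a neighbour's slot: the collision ranging
        is meant to prevent."""
        bad = []
        for m in modems:
            start = m.arrival_at_cmts(grants[m.name])
            end = start + self.burst_len_us
            slot_start = grants[m.name]
            slot_end = slot_start + self.slot_len_us
            if start < slot_start - TOLERANCE_US or end > slot_end + TOLERANCE_US:
                bad.append(m.name)
        return bad


def simulate(distances_km: Dict[str, float], slot_len_us: float = 25.0,
             burst_len_us: float = 20.0) -> Tuple[List[str], Dict[str, float], List[str]]:
    """Return (violations before ranging, ranging offsets, violations after ranging)."""
    cmts = CMTS(slot_len_us, burst_len_us)
    modems = [CableModem(n, d) for n, d in distances_km.items()]
    grants = cmts.grant_slots(modems)
    before = cmts.bursts_outside_grant(modems, grants)
    # Ranging happens in a dedicated opportunity, one modem at a time.
    offsets = {m.name: cmts.range_modem(m, ranging_slot_us=1000.0) for m in modems}
    after = cmts.bursts_outside_grant(modems, grants)
    return before, offsets, after


if __name__ == "__main__":
    # Constructed sample plant: a modem next to the headend, one in a suburb,
    # and one at the 100-mile (about 160 km) reach the text quotes.
    before, offsets, after = simulate({"near": 0.5, "suburb": 20.0, "far": 160.0})
    print("outside slot before ranging:", before)
    for name, off in offsets.items():
        print(f"{name}: timing offset {off:.1f} us")
    print("outside slot after ranging:", after)
```

Only the modem a few hundred metres from the headend fits its slot by luck before ranging; the 100-mile modem is more than a millisecond late, and after ranging all three land on their grant boundaries.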


3.1.5 Cable summary

Figure 1 Cable Modem

Many people are tuning into the Internet channel on their TV. Of all the high-speed Internet access solutions, cable TV systems are probably the most talked about. That is partly because they take advantage of existing broadband cable TV networks and partly because they promise to deliver high-speed access at an affordable price. Although Internet access via cable is spreading rapidly, cable operators face an uphill battle to reach the mainstream. Like telephone companies offering ISDN service, cable operators must gain expertise in data communications to win and keep customers. One of the technical hurdles that cable providers face is the fact that satellites are only one-way devices. If cable operators make their one-way networks into interactive HFC networks, cable modems could work in both directions. When this is accomplished, the technology could offer the best price/performance combination of any Internet access method to date, delivering close to 10-Mbps speeds at less than $50 per month. This is significantly better than the cost/performance factor of ISDN access.

As discussed, making the cable-to-PC connection requires a cable modem to modulate and demodulate the cable signal into a stream of data. The similarity with analog modems ends there. Cable modems also incorporate the following:

• a tuner for separating the data signal from the rest of the broadcast stream

• bridge and router technology to connect to multiple devices

• network-management software agents to enable the cable company to control and monitor operations

• encryption devices to deter data interception

Each cable modem has an Ethernet interface for internal network connectivity and a coaxial cable connection for the WAN connection. A network interface card (NIC) is installed in the PC and connected to the cable modem Ethernet port with a straight-through cable. There are no phone numbers to dial and no limitations on serial-port throughput (as is the case with ISDN modems). The result is high-speed throughput, with download speeds varying from 500 kbps to 30 Mbps and uploads from 96 kbps to 10 Mbps.


3.2 Wireless Network Access

3.2.1 Overview

Figure 1 Wireless Access Networks

Tremendous strides have been made on wired networks. Copper and fiber networks dominate the Layer 1 space. The transmission capacity of wired networks is virtually limitless, as carriers can arbitrarily add bandwidth as demand increases. Despite the capacity of wired networks, wireless networks have had the greatest success among consumers. Broadcast television, cellular telephone, paging, and direct broadcast satellite are all wireless services that have met with commercial success, despite the fact that wireless networks typically carry lower bit rates and higher costs than wired networking.

When installing cables underground, it may be necessary to obtain permission from residents or obtain permits and easements. Product managers who roll out wired services struggle with marketing and demographic studies to determine the best neighborhoods in which to introduce services. Even if the right neighborhoods are identified, it is expensive and time-consuming to dig or install overhead cables. To some observers, the fixed networks of wired systems look like vulnerable high-capital assets in a world of fast-changing technologies.

Numerous wireless access network technologies are intended by their proponents to serve the consumer market. These are Direct Broadcast Satellite (DBS), Multichannel Multipoint Distribution Services (MMDS), and Local Multipoint Distribution Services (LMDS). The figure illustrates the network architecture of a typical wireless network. The return path flows through wired networks or, in the case of LMDS, through wireless networks. The content provider forwards content through the core network and to the wireless access node. This access node reformats data and modulates it for satellite or land-based microwave transmission. A receiving antenna at the home end forwards traffic through the home network to the terminal equipment, which is either a TV set-top box or a PC.

In the return path, the consumer uses either the same network that is used for the forward transmission or another access network. Another access network is needed when using DBS or MMDS services, which are one-way networks. The return-path network could be a telephone return, xDSL, or another wireless service, such as digital personal communications services (PCS). PCS service includes wireless voice, a digital form of cellular telephony, as well as wireless data. Because forward and return path traffic can use different physical media, traffic sources must be matched so that a single bidirectional session exists between the content provider and the terminal equipment. The wireless access node or another switching/routing device inside the core network can perform this matching.

3.2.2 Direct broadcast satellite

Figure 1 Worldwide DBS Networks

While cable operators were only talking about digital TV, DBS companies actually achieved it, taking the entire cable industry by surprise. Early entrants were Primestar, DirecTV, and United States Satellite Broadcasting (USSB), all of which launched in 1994. In the United States, DBS is viewed as a commercial success. DBS signed a surprising five million customers in its first three years of operation. This response is particularly strong considering the fact that customers initially paid up to $800 for a home satellite dish and installation. Such a strong start has cable TV operators concerned. More troubling for U.S. cable operators is that the average DBS subscriber spends about 50 percent more per month than the average cable subscriber (about $52 versus $35 per month). This difference is partly due to sales of premium sports and movie packages. Much of the success of DBS is due to imaginative programming packages. Aggressive marketing of sports packages has created varied content for which DBS has found an eager market.

3.2.3 DBS architecture

Figure 1 DBS Architecture

Architecturally, DBS is a simple concept. As shown in the figure, DBS operators receive analog TV reception from the various networks at a single giant headend. The DirecTV headend, for example, is in Castle Rock, Colorado. The analog programming is encoded into Motion Picture Experts Group (MPEG) format for digital retransmission. A control function regulates the amount of bandwidth accorded to each MPEG stream and determines how the MPEG knobs (control parameters), such as the length of a group of pictures, are specified. The settings of the knobs are closely guarded secrets among DBS operators. ESPN tends to require more bandwidth than the Food Channel, as it has a lot more motion. ESPN also has a larger audience and greater advertising revenue. How much more would ESPN pay for access than the Food Channel? How much extra bandwidth is ESPN getting, and for how much? What MPEG knobs should the carrier use, and what knobs does its competition use? This is not public information. ESPN, the Food Channel, and all other channels are encoded into MPEG transport streams, multiplexed together, and then converted to the uplink frequency.

The major North American geosynchronous satellites for DBS so far are placed at longitudes 85 degrees west (Primestar), 101 degrees west (DirecTV), and 119 degrees west (Echostar). The Primestar slot rests on the longitude that passes through the East Coast of the United States, the DirecTV longitude bisects the center of North America, and the Echostar longitude passes through the West Coast. From these orbits, each satellite can broadcast over the contiguous United States, southern Canada, and Mexico. The satellite receives a signal and remodulates it to the designated spectrum for DBS. DBS occupies 500 MHz in the 12.2-GHz Ku band. The Ku band occupies the frequency range from 10.7 GHz to 12.75 GHz. DBS satellites are allowed by regulation to broadcast at 120W to enable reception on small satellite dishes. This is more power than the larger C-band satellite dishes that predate the smaller DBS satellite dishes. This higher-powered transmission and smaller dish distinguish DBS from other forms of satellite reception.

DBS uses Quadrature Phase Shift Keying (QPSK) modulation to encode digital data on the RF carriers. DirecTV encodes using MPEG-2 format to enable a density of up to 720x480 pixels on the user's monitor. Primestar used a proprietary video compression system developed by General Instruments called DigiCipher-1. (NOTE: Primestar was purchased by DIRECTV in 1999 and stopped broadcasting in 2000.) Echostar uses a transmission system based on the European Digital Video Broadcast (DVB) standard. DVB uses MPEG-2 and standardizes control elements of the total system, such as conditional access. Although 720x480 is the maximum resolution offered today, DBS is capable of higher pixel resolution. In fact, DBS is an early delivery vehicle for high-definition TV (HDTV) programming, with HBO, Showtime, and Pay-Per-View broadcasting in 1080i and 720p formats. These formats are backward compatible with standard definition (480i resolution) through composite and S-Video outputs.


3.2.4 Data service

DirecTV partnered with Microsoft to produce a push-mode data service over DBS. The service broadcasts approximately 200 popular Web sites, which are cached in the consumer's PC. Some content will be cached at the service provider's site. Instead of having a point-to-point connection with the Internet, consumers access content on the hard drive or service-provider cache. In addition to Web sites, other data services such as AgCast or stock quotes can be offered, either by continuous feeds or by caching on the consumer's PC. The problem with this model is that a Web site that is not part of the service may not be accessed, because no point-to-point return-path connection exists. One form of point-to-point data service, called DirectPC, can reach the Internet. DirecTV and Hughes Network Systems jointly own DirectPC. DirectPC reserves 12 Mbps of downstream service and uses a telephone as a return path. Another example is DishNetwork's StarBand. Its service differs from DirecTV by offering two-way satellite communications, not requiring a telephone for a return path. The portion of the Earth's surface covered by the signal from a communications satellite is called its footprint. Because a geosynchronous satellite has a very large footprint, it is possible that thousands of users will want to use the common 12 Mbps of service concurrently. The more concurrent users there are, the less bandwidth each user gets. To provide a balance between bit rate and the number of concurrent users, DirectPC offers approximately 400 kbps of service to concurrent users.


3.3 Multichannel Multipoint Distribution Services

3.3.1 Overview

The success of DBS convinced telephone companies and other potential cable competitors that delivering digital video to consumers is a viable business. When these competitors analyzed the issues associated with DBS, they found that local content plays the greatest role in marketing a given service. Thus, some would-be competitors to DBS sought to improve on it by providing a wireless, multichannel broadband service with local channels. This is called Multichannel Multipoint Distribution Service (MMDS) and is referred to by DAVIC (Digital Audio-Visual Council) as Multipoint Video Distribution Systems (MVDS). MMDS provides local over-the-air stations and local advertisers access to digital delivery.

3.3.2 MMDS history

MMDS was designed initially as a one-way service for bringing cable TV to subscribers in remote areas or in locations where it is difficult to install cable. MMDS supports approximately 33 analog channels and more than 100 digital channels of TV. In 1998, the FCC opened up the technology for two-way transmission, enabling MMDS to provide data and Internet services to subscribers. MMDS takes advantage of a microwave transmission technology known as wireless cable, which is a microwave technology used to deliver analog cable television service over the air to rural areas that cannot be served economically by wired cable. The areas served by wireless cable were too sparsely populated to generate strong revenue, as reflected in the lack of financial success for wireless cable operators. However, the success of DBS and continued progress with digital technology (such as MPEG, digital modulation techniques, and advances in semiconductors) changed the perception of microwave from simply a rural delivery system to a system that could be used in urban areas. Telephone companies view microwave as a fast-start service to allow video distribution that can compete against cable and DBS.

In 1996, the FCC conducted spectrum auctions for MMDS. The FCC auctions offered 200 MHz in each of the nation's 493 basic trading areas (BTA). A BTA represents a contiguous geographic market. BTA boundaries are drawn on county lines. The counties are aggregated by considering physical topography, population, newspaper circulation, economic activities, and transportation facilities (such as regional airports, rail hubs, and highways). The BTA concept was licensed by the FCC from Rand McNally.


MMDS uses 198 MHz of licensed spectrum in the range of 2.5 GHz, which could support 33 analog TV channels. This channel capacity is comparable to that of DBS. Note that the bit rate available to the MMDS operator is comparable to the bit rate available from DBS systems, even though a narrower spectrum is available. This is because MMDS uses more aggressive modulation techniques. DBS has 500 MHz of bandwidth using QPSK modulation (2 b/Hz). MMDS has 200 MHz using QAM-64 modulation (6 b/Hz). After overhead bits and error correction, both DBS and MMDS can achieve nearly 1 Gbps of bandwidth. The auction rules provided no regulations regarding spectrum use. Operators are free to decide whether to offer Internet access, TV, or a combination of the two.

3.3.3 MMDS architecture

Figure 1 MMDS Architecture

The key technical difference between MMDS and DBS is the use of ground-based, or terrestrial, microwave rather than geosynchronous satellites. This represents a difference in the delivery of local content. MMDS provides this service by having local production facilities that can insert local over-the-air channels into the national feeds. The figure shows a schematic of MMDS service. The programmer delivers national television feeds to a production facility. The feeds can come from geosynchronous satellite transmission or high-speed wired services, such as fiber-optic networks. Despite what appears to be a good technical fit, there is little current movement to link MMDS with DBS. DBS could provide economic national distribution of programming for resale by MMDS. Local content and advertising are acquired over the air, encoded into MPEG, and multiplexed with the national programming for local distribution to the viewers. MPEG enables digital multiplexing and thus is a key facilitator of MMDS. Data services may also be received from Web content providers. In this case, the information is in digital format but requires additional processing, such as encapsulation into MPEG and address resolution, before being transmitted.

After the programming mix is determined, composite programming is delivered by satellite or fiber to the MMDS broadcast tower. Generally, the MMDS headend and the MMDS broadcast tower are not co-located because the tower should be placed at a high elevation. At the receiving site, a small microwave-receiving dish, a little larger than a DBS dish, is mounted outside the home to receive the signals. A decoder presents the TV images to the TV set. Other units are capable of decoding data for PC users. Return-path data is transmitted on another access network; telephone networks are commonly used for this purpose. For example, it is possible to have an RJ-11 telephone jack on the set-top box. Consideration is also being given to other wireless networks, such as digital PCS and paging networks, for return-path purposes.

The range of MMDS is limited primarily by line-of-sight. In relatively flat areas, if the transmitter can be located high enough, the signal can reach over 50 miles. Pacific Bell Video Services (PBVS), for example, is currently rolling out MMDS in Los Angeles and Orange counties in southern California using only two towers. About 75 percent of homes will be able to receive MMDS signals reliably. The remaining 25 percent are limited by line-of-sight problems. Because of the availability of a telephone return path, MMDS operators are capable of providing data service very similar to that of cable. Zenith, Hybrid, and General Instruments are taking advantage of their data and cable TV experience to provide data and MMDS modems using telephone return.


3.4 Local Multipoint Distribution Services

3.4.1 Overview

Local Multipoint Distribution Service (LMDS) is a delivery service with a more aggressive strategy than MMDS. This service is known in Canada as Local Multipoint Communication Service (LMCS). The major disadvantages of MMDS are the lack of an in-band return path and the lack of sufficient bandwidth to surpass cable channel capacity (by offering superior interactive data services). A strong Internet access network must have two-way service and enough bandwidth to compete with cable for data. LMDS is a two-way, high-bit-rate, wireless service under development by a variety of carriers to solve the return-path problem and vastly increase bandwidth. If significant technological hurdles can be overcome, LMDS offers the greatest two-way bit rate of any residential service, wired or wireless, at surprisingly low infrastructure costs. No restrictions exist as to how carriers use their bandwidth, so bandwidth can be subdivided in any manner carriers see fit. If an LMDS carrier had 1150 MHz of bandwidth, for example, it would be possible to use 500 MHz for broadcast TV, 50 MHz for local broadcast, 300 MHz for forward data services, and 300 MHz for upstream data. Using only the relatively robust QPSK modulation, this bandwidth can provide the following:

• All the broadcast channels of DBS (500 MHz)
• All local over-the-air channels (50 MHz)
• Up to 1 Gb of full-duplex data service (600 MHz)

In other words, the potential exists to offer more TV than satellite and more data than cable. This frequency plan is just one example of how a carrier could choose to offer service. Other carriers might choose to segment their frequencies differently and would be permitted to do so under FCC rules. For businesses in cities, LMDS is a very cost-effective broadband wireless alternative to land-lines for multiple services. LMDS operates at higher frequencies where more spectrum is available (bandwidths currently range up to 155 Mbps) and smaller, cheaper antennas are possible.


3.4.2 LMDS architecture

Figure 1 LMDS Architecture

Figure 2 LMDS Architecture

LMDS is a small-cell technology, with each cell having about a 3- to 6-km radius. Small cells coupled with two-way transmission create a different set of architectural problems than MMDS. Figure [1] shows a schematic of LMDS service. Content acquisition at the LMDS headend functions similarly to MMDS. The programmer delivers national television feeds to a production facility. In many cases, these national feeds come from DBS, but the feeds also can come from other geosynchronous satellite transmission or high-speed wired services, such as fiber-optic networks. Local content and advertising are acquired over the air, encoded into MPEG, and multiplexed with the national programming for local distribution. As in the case of MMDS, MPEG is an important facilitator of LMDS because it enables digital multiplexing. Data services received from Web content providers are already in digital format but need additional processing, such as encapsulation into MPEG and address resolution, before being transmitted.


The program mix is delivered by satellite or fiber to the LMDS broadcast tower. Generally, the LMDS headend and the LMDS broadcast tower are not co-located because the headend production facilities are normally shared among several towers. An LMDS transmitter tower is erected in the neighborhood, and traffic is broadcast to consumers using QPSK modulation with forward error correction (FEC). It is possible to use QAM modulation, but QPSK is chosen because it is more robust than QAM 16 or QAM 64 and because bandwidth is so plentiful that spectral efficiency is not an issue. As shown in Figure [2], consumers receive the signal on a small dish about the size of a DBS dish or a flat-plate antenna. The dish is mounted outside the home and is connected by cable to a set-top converter, much the same way in which DBS connections are made. The signal is demodulated and fed to a decoder. Unlike DBS, LMDS is capable of two-way service, so both TV sets and PCs must be connected to the satellite dish. Furthermore, a two-way home networking capability must be supported instead of just the simple broadcast scheme of DBS. In the return path, the customer transmits to the carrier using the same dish with QPSK modulation. A MAC protocol is required because the residences in the coverage area share the return spectrum. Architecturally, LMDS looks very much like cable TV. Cable TV clusters serve 500. The MAC protocol is similar to cable TV, as are the application-specific integrated circuits (ASICs) for the customer premises modulators and demodulators. Upstream users request data slots on a contention basis. After slots are granted, the sender transmits in those slots, free of contention. Ranging and power-level controls are also required, as is the case with cable.


3.4.3 Wireless broadband summary

Figure 1 Wireless Broadband Summary

Multiple wireless options exist that potentially can support broadband services. The services discussed in this chapter, DBS, MMDS, and LMDS, overlap somewhat in functionality but differ enough to attract a particular segment of users. The table in the figure to the left compares features among these technologies.


3.5 Wireless Local Area Networking

3.5.1 Overview of wireless local-area networking

Figure 1 What is Wireless Local-Area Networking

In the simplest of terms, a wireless local-area network (WLAN) does exactly what the name implies: it provides all the features and benefits of traditional LAN technologies, such as Ethernet and Token Ring, without the limitations of wires or cables. To view a WLAN just in terms of the cables it does not have is to miss the point: WLANs redefine the way we view LANs. Connectivity no longer implies attachment. Local areas are measured not in feet or meters, but in miles or kilometers. An infrastructure does not need to be buried in the ground or hidden behind the walls; an "infrastructure" can move and change at the speed of the organization. This technology has several immediate applications, including:

• IT professionals or business executives who want mobility within the enterprise, perhaps in addition to a traditional wired network
• Business owners or IT directors who need flexibility for frequent LAN wiring changes, either throughout the site or in selected areas
• Any company whose site is not conducive to LAN wiring because of building or budget limitations, such as older buildings, leased space, or temporary sites
• Any company that needs the flexibility and cost savings offered by a line-of-sight, building-to-building bridge to avoid expensive trenches, leased lines, or right-of-way issues


WLANs use a transmission medium, just like wired LANs. Instead of using twisted-pair or fiber-optic cable, WLANs use either infrared (IR) light or RF (radio frequency). Of the two, RF is far more popular for its longer range, higher bandwidth, and wider coverage. Most wireless LANs today use the 2.4-gigahertz (GHz) frequency band, the only portion of the RF spectrum reserved around the world for unlicensed devices. The freedom and flexibility of wireless networking can be applied both within buildings and between buildings.

3.5.2 In-building WLANs

Figure 1 In-Building WLANs

WLAN technology can take the place of a traditional wired network or extend its reach and capabilities. Much like their wired counterparts, in-building WLAN equipment consists of PC Card, Personal Computer Interface (PCI), and Industry-Standard Architecture (ISA) client adapters. They also have access points, which perform functions similar to wired networking hubs. Similar to wired LANs for small or temporary installations, a WLAN can be arranged in a peer-to-peer or improvised topology using only client adapters. For added functionality and range, access points can be incorporated to act as the center of a star topology while simultaneously bridging with an Ethernet network.


3.5.3 Building-to-building WLANs

Figure 1 Building-to-Building WLANs

In much the same way that a commercial radio signal can be picked up in all sorts of weather, miles from its transmitter, WLAN technology applies the power of radio waves to truly redefine the "local" in LAN. With a wireless bridge, networks located in buildings miles from each other can be integrated into a single local-area network. When bridging between buildings with traditional copper or fiber-optic cable, freeways, lakes, and even local governments can be impassable obstacles. A wireless bridge makes them irrelevant, transmitting data through the air and requiring no license or right of way. Without a wireless alternative, organizations frequently resort to wide-area networking (WAN) technologies to link together separate LANs. Contracting with a local telephone provider for a leased line presents a variety of drawbacks. Installation is typically expensive and rarely immediate. Monthly fees are often quite high for bandwidth that, by LAN standards, is very low. A wireless bridge can be purchased and then installed in an afternoon for a cost that is often comparable to a T1 installation charge alone. After the investment is made, there are no recurring charges. Today's wireless bridges provide the bandwidth one would expect from a technology rooted in data, rather than voice, communications.


3.5.4 The wireless LAN standard

Figure 1 Wireless LAN

In the wired world, Ethernet has grown to become the predominant LAN technology. Its evolution parallels, and indeed foreshadows, the development of the wireless LAN standard. Defined by the Institute of Electrical and Electronics Engineers (IEEE) with the 802.3 standard, Ethernet provides an evolving, high-speed, widely available, and interoperable networking standard. It has continued to evolve to keep pace with the data rate and throughput requirements of contemporary LANs. Originally providing for 10-Mbps transfer rates, the Ethernet standard evolved to include the 100-Mbps transfer rates required for network backbones and bandwidth-intensive applications. The IEEE 802.3 standard is open, decreasing barriers to market entry and resulting in a wide range of suppliers, products, and price points from which Ethernet users can choose. Perhaps most importantly, conformance to the Ethernet standard allows for interoperability, enabling users to select individual products from multiple vendors while secure in the knowledge that they will all work together.

The first wireless LAN technologies were low-speed (1-2 Mbps) proprietary offerings. Despite these shortcomings, their freedom and flexibility allowed these early products to find markets in retail and warehousing, where mobile workers use hand-held devices for inventory management and data collection. Later, hospitals applied wireless technology to deliver patient information right to the bedside. As computers made their way into the classrooms, schools and universities began installing wireless networks to avoid cabling costs and to share Internet access. The pioneering wireless vendors soon realized that for the technology to gain broad market acceptance, an Ethernet-like standard was needed. The vendors joined together in 1991, first proposing, and then building, a standard based on contributed technologies. In June 1997, the IEEE released the 802.11 standard for wireless local-area networking. Just as the 802.3 Ethernet standard allows for data transmission over twisted-pair and coaxial cable, the 802.11 WLAN standard allows for transmission over different media. Compliant media include infrared light and two types of radio transmission within the unlicensed 2.4-GHz frequency band:

• frequency hopping spread spectrum (FHSS)
• direct sequence spread spectrum (DSSS)

Spread spectrum is a modulation technique developed in the 1940s that spreads a transmission signal over a broad band of radio frequencies. This technique is ideal for data communications because it is less susceptible to radio noise and creates little interference. FHSS is limited to a 2-Mbps data transfer rate and is recommended for only very specific applications; for example, certain types of watercraft lend themselves to this technology. For all other wireless LAN applications, DSSS is the better choice. The recently released evolution of the IEEE standard, 802.11b, provides for a full Ethernet-like data rate of 11 Mbps over DSSS. FHSS does not support data rates greater than 2 Mbps.

3.5.5 The future of wireless local-area networking

Figure 1 How a Wireless LAN Works

The history of technology improvement in wired LANs can be summed up with the slogan "Faster, Better, and Cheaper." Wireless LAN technology has already started down that road. Data rates have increased from 1 to 11 Mbps, interoperability became reality with the introduction of the IEEE 802.11 standard, and prices have dramatically decreased. The improvements seen so far are just a beginning.

Performance

IEEE 802.11b standard 11-Mbps WLANs operate in the 2.4-GHz frequency band, where there is room for increased bandwidth. Using an optional modulation technique within the 802.11b specification, it is possible to double the current data rate. Cisco already has 22 Mbps on the road map for the future. Wireless LAN manufacturers migrated from the 900-MHz band to the 2.4-GHz band to improve data rate. This pattern promises to continue, with a broader frequency band capable of supporting higher bandwidth available at 5 GHz. The IEEE has already issued a specification (802.11a) for equipment operating at 5 GHz that supports up to a 54-Mbps data rate. This generation of technology will likely carry a significant price premium when it is introduced sometime in 2001. As is typical, this premium will decrease over time while data rates increase. The 5.7-GHz band promises to allow for the next breakthrough data rate of 100 Mbps.

Security

The wired equivalent privacy (WEP) option to the 802.11 standard is only the first step in addressing customer security concerns. Security is available today for wireless networking, offering up to 128-bit encryption and supporting both the encryption and authentication options of the 802.11 standard. The algorithm with a 40- or 128-bit key is specified in the standard. When WEP is enabled, each station (clients and access points) has up to four keys. The keys are used to encrypt the data before it is transmitted through the air. If a station receives a packet that is not encrypted with the appropriate key, the packet will be discarded and never delivered to the host. The figure shows an outside user being rejected because of an incorrect ID. Although the 802.11 standard provides strong encryption services to secure the WLAN, the means by which the secure keys are granted, revoked, and refreshed is still undefined. Fortunately, several key administration architectures are available for use in the enterprise.

The best approach for large networks is centralized key management, which uses centralized encryption key servers. A popular strategy includes the addition of encryption key servers to ensure that valuable data is protected. Encryption key servers provide for centralized creation of keys, distribution of keys, and ongoing key rotation. Key servers enable the network administrator to command the creation of RSA public/private key pairs at the client level that are required for client authentication. The key server also provides for the generation and distribution to clients and access points of the keys needed for packet encryption. This implementation eases administration and helps avoid compromising confidential keys.
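The receive-side behaviour described above (up to four keys per station, the sender naming a key slot, and a frame that does not verify under the receiver's key being discarded) is shown in the following added Python sketch, which is not part of the original course material. It follows the 802.11-1999 WEP frame layout (3-byte IV, key-ID byte, RC4 over payload plus CRC-32 ICV); the `WepStation` class, the `demo()` scenario and all key and payload values are constructed for illustration, and WEP itself is long deprecated.

```python
"""WEP frame body and receive-side key/ICV check (802.11-1999 WEP, long deprecated; for understanding only)."""
import os
import zlib
from typing import List, Optional

KEY_ID_SHIFT = 6  # the key index occupies the two most significant bits of the key-ID byte


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher as WEP uses it; XOR with the keystream both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian, appended before encryption."""
    return zlib.crc32(payload).to_bytes(4, "little")


class WepStation:
    """A client or access point holding up to four configured WEP keys (the 802.11 limit)."""

    def __init__(self, keys: List[bytes]):
        if not 1 <= len(keys) <= 4:
            raise ValueError("WEP allows between one and four keys per station")
        for k in keys:
            if len(k) not in (5, 13):  # 40- or 104-bit secret; the 24-bit IV completes the 64/128-bit RC4 key
                raise ValueError("WEP key must be 5 bytes (40-bit) or 13 bytes (104-bit)")
        self.keys = list(keys)

    def encrypt(self, payload: bytes, key_index: int, iv: Optional[bytes] = None) -> bytes:
        """Build the frame body: IV(3) | key-ID(1) | RC4(IV||key, payload || ICV)."""
        if not 0 <= key_index < len(self.keys):
            raise IndexError("no key configured at that index")
        iv = os.urandom(3) if iv is None else iv
        body = rc4(iv + self.keys[key_index], payload + icv(payload))
        return iv + bytes([key_index << KEY_ID_SHIFT]) + body

    def receive(self, frame_body: bytes) -> Optional[bytes]:
        """Return the payload, or None when the frame must be discarded and never reach the host."""
        if len(frame_body) < 4 + 4:  # IV/key-ID header plus at least an ICV
            return None
        iv, key_index = frame_body[:3], frame_body[3] >> KEY_ID_SHIFT
        if key_index >= len(self.keys):
            return None  # sender named a key slot this station does not have
        plain = rc4(iv + self.keys[key_index], frame_body[4:])
        payload, received_icv = plain[:-4], plain[-4:]
        if icv(payload) != received_icv:
            return None  # decrypted under a different key (or corrupted in flight): drop it
        return payload


def demo() -> dict:
    """Constructed scenario: AP and authorized client share two keys; an outsider holds a different key."""
    shared = [b"\x01\x02\x03\x04\x05", b"secretkey1234"]  # constructed 40-bit and 104-bit keys
    ap, client = WepStation(shared), WepStation(shared)
    outsider = WepStation([b"\x0a\x0b\x0c\x0d\x0e"])  # constructed key that is not the network's
    frame = client.encrypt(b"GET /index.html", key_index=1, iv=b"\x10\x20\x30")
    return {
        "ap_accepts_client": ap.receive(frame),
        "outsider_cannot_read": outsider.receive(frame),
        "ap_rejects_outsider": ap.receive(outsider.encrypt(b"hello", key_index=0, iv=b"\x01\x02\x03")),
    }
```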


3.5.6 Mobility services

Figure 1 Mobility Services

A primary advantage of WLANs is mobility, but no industry standard currently addresses the tracking or management of mobile devices in its Management Information Base (MIB). This omission would prohibit users from roaming between wireless access points that cover a common area, such as a complete floor of a building. Individual companies such as Cisco have addressed this issue, providing their own versions of mobility algorithms that facilitate roaming within an IP domain (such as a floor) with an eye toward optimizing roaming across IP domains (such as an enterprise campus).

Management

Wireless access points share the functions of both hubs and switches. Wireless clients associating with access points share the wireless LAN, similar to the way a hub functions. However, the access point can additionally track movement of clients across its domain and permit or deny specific traffic or clients from communicating through it. For network managers to use these services to their advantage, it is necessary to configure the access point like a hub and a switch. The Cisco WLAN devices are manageable through common Telnet or SNMP (I or II) services and a Web browser interface to facilitate their monitoring and control. In addition to bridge statistics and counters, the access point also offers additional features that make it powerful and manageable. These include mapping of wireless access points and their associated clients as well as monitoring and reporting of client statistics. Access points can also control access and the flow of traffic through the wireless LAN via MAC and protocol-level access lists. Configuration parameters, as well as code images for access points, can be centrally configured and managed to facilitate consistency of WLAN network policy.

3.5.7 Conclusion

Today, the WLAN has redefined what it means to be connected. It has stretched the boundaries of the local-area network. It makes an infrastructure as dynamic as it needs to be. It has only just begun: the standard is less than three years old, with the high-speed 802.11b yet to reach its first birthday. With standard and interoperable wireless products, LANs can reach scales unimaginable with a wired infrastructure. They can make high-speed interconnections for a fraction of the cost of traditional wide area technologies. In a wireless world, users can roam not only within a campus but also within a city, while maintaining a high-speed link to extranets, intranets, and the Internet itself.


3.6 Digital Subscriber Line

3.6.1 DSL background

Figure 1 DSL 101

Digital subscriber line (DSL) technology is a modem technology that uses existing twisted-pair telephone lines to transport high-bandwidth data, such as multimedia and video, to service subscribers. The term xDSL covers numerous similar yet competing forms of DSL, including:

• asymmetric DSL (ADSL)
• single-line DSL (SDSL)
• high-data-rate DSL (HDSL)
• rate-adaptive DSL (RADSL)
• very-high-data-rate DSL (VDSL)

xDSL is drawing significant attention from implementers and service providers because it promises to deliver high-bandwidth data rates to dispersed locations with relatively small changes to the existing Telco infrastructure. xDSL services constitute dedicated, point-to-point, public network access over twisted-pair copper wire on the local loop ("last mile") between a network service provider's (NSP's) central office and the customer site, or on local loops created either intra-building or intra-campus. Currently the primary focus in xDSL is the development and deployment of ADSL and VDSL technologies and architectures. This section covers the characteristics and operations of ADSL and VDSL.


3.6.2 Asymmetric digital subscriber line (ADSL)

Figure 1 Asymmetric Digital Subscriber Line

ADSL technology is asymmetric. It allows more bandwidth from an NSP's central office to the customer site (downstream) than from the subscriber to the central office (upstream). This asymmetry, combined with always-on access (which eliminates call setup), makes ADSL ideal for Internet/intranet surfing, video on demand, and remote LAN access. Users of these applications typically download much more information than they send. ADSL transmits more than 6 Mbps to a subscriber, and as much as 640 kbps more in both directions, as shown in the figure. Such rates expand existing access capacity by a factor of 50 or more without new cabling. ADSL can literally transform the existing public information network from one limited to voice, text, and low-resolution graphics to a powerful, universal system capable of bringing multimedia, including full-motion video, to every home this decade. ADSL will play a crucial role over the next decade or more as telephone companies enter new markets for delivering information in video and multimedia formats. New broadband cabling will take decades to reach all prospective subscribers. Success of these new services will depend on reaching as many subscribers as possible during the first few years. By bringing movies, television, video catalogs, remote CD-ROMs, corporate LANs, and the Internet into homes and small businesses, ADSL will make these markets viable and profitable for telephone companies and application vendors alike.


3.6.3 ADSL services architecture

Figure 1 Basic DSL Network Topology

Figure 2 Basic DSL Network Components


Figure 3 End-to-End DSL Protocol Stack

A typical end-to-end ADSL services architecture is illustrated in Figure [1]. It consists of customer premises equipment (CPE) and supporting equipment at the ADSL point of presence (POP). Network access providers (NAPs) manage Layer 2 network cores, while NSPs manage Layer 3 network cores. These roles are divided or shared among incumbent local exchange carrier (ILEC), competitive local exchange carrier (CLEC), and Tier 1 and Tier 2 Internet service provider (ISP) businesses. It is expected that over time, market forces will redefine current relationships between ADSL providers. Some NAPs may add Layer 3 capabilities or extend service across the core. CPE represents any combination of end-user PCs or workstations, remote ADSL terminating units (ATU-Rs), and routers. For instance, a residential user may have a single PC with an integrated ADSL modem on a peripheral component interface card, or perhaps a PC with an Ethernet or universal serial bus (USB) interface to a standalone ADSL modem (the ATU-R). In contrast, business users will more often connect many end-user PCs to a router with an integrated ADSL modem or a router plus ATU-R pair. At the ADSL POP, the NAP deploys one or more DSL access multiplexers (DSLAMs) servicing the copper loops between the POP and CPE. In a process called subtending, DSLAMs can be chained together to enhance ATM pipe utilization. DSLAMs connect locally or via an inter-central office (CO) link to a local access concentrator (LAC) that provides ATM "grooming," PPP tunneling, and Layer 3 termination to local or cached content (see Figures [2] and [3]). A service selection gateway (SSG) may be collocated with the LAC, so customers can dynamically select destinations (see Figure [2]). From the LAC/SSG, services extend over the ATM core to the NSP or IP network core. As illustrated in Figure [1], three different architectures are applicable to wholesale ADSL services:

• ATM point to point - cross-connects subscribers to their ISP or enterprise destination with permanent virtual circuits (PVCs) from the CPE to the endpoint
• Aggregation - aggregates multiple subscriber virtual circuits (VCs) into trunk PVCs to reduce the number of VC connections across the network core; instead of one VC per subscriber, this uses one VC for many subscribers to the same destination
• SVC and MPLS - uses switched virtual circuits (SVCs) to autoprovision connections from the CPE through the DSLAM to an edge label switch router (edge LSR), where it enters the Multiprotocol Label Switching (MPLS)-enabled network core

Figure [3] outlines the end-to-end protocol stack used with xDSL.

3.6.4 ADSL capabilities

Figure 1 ADSL and POTS


Figure 2 ADSL Capabilities

An ADSL circuit connects an ADSL modem on each end of a twisted-pair telephone line, creating three information channels: a high-speed downstream channel, a medium-speed duplex channel, and a basic telephone service channel (Figure [1]). The basic telephone service channel is split off from the digital modem by filters, thus guaranteeing uninterrupted basic telephone service, even if ADSL fails. The high-speed channel ranges from 1.5 to 6.1 Mbps, and duplex rates range from 16 to 640 kbps. Each channel can be submultiplexed to form multiple lower-rate channels. ADSL modems provide data rates consistent with the North American T1 1.544-Mbps and European E1 2.048-Mbps digital hierarchies and can be purchased with various speed ranges and capabilities. The minimum configuration provides 1.5 or 2.0 Mbps downstream and a 16-kbps upstream channel. Others provide 6.1 Mbps downstream and 64 kbps upstream. Products with downstream rates up to 8 Mbps and upstream rates up to 640 kbps are available today as well. ADSL modems accommodate Asynchronous Transfer Mode (ATM) transport with variable rates and compensation for ATM overhead, as well as IP protocols. Downstream data rates depend on many factors, including the length of the copper line, its wire gauge, presence of bridged taps, and cross-coupled interference. Line attenuation increases with line length and frequency and decreases as wire diameter increases. Ignoring bridged taps, ADSL performs as shown in Figure [2]. Although the measure varies from telco to telco, these capabilities can cover up to 95 percent of a loop plant, depending on the desired data rate. Customers beyond these distances can be reached with fiber-based digital loop carrier (DLC) systems. As these DLC systems become commercially available, telephone companies can offer virtually unlimited global access in a relatively short time.

Many applications envisioned for ADSL involve digital compressed video. As a real-time signal, digital video cannot use link-level or network-level error control procedures commonly found in data communications systems. ADSL modems, therefore, incorporate forward error correction (FEC) that dramatically reduces errors caused by impulse noise. Error correction on a symbol-by-symbol basis also reduces errors caused by continuous noise coupled into a line.

3.6.5 ADSL technology

Figure 1 ADSL Transceiver – Network End

Figure 2 ADSL Technology

ADSL depends on advanced digital signal processing and creative algorithms to squeeze so much information through twisted-pair telephone lines. In addition, many advances have been required in transformers, analog filters, and analog/digital (A/D) converters. Long telephone lines may attenuate signals at 1 MHz (the outer edge of the band used by ADSL) by as much as 90 decibels (dB), forcing the analog sections of ADSL modems to work very hard to realize large dynamic ranges, separate channels, and maintain low noise figures. On the outside, ADSL looks simple: transparent synchronous data pipes at various data rates over ordinary telephone lines. The inside, where all the transistors work, is a miracle of modern technology. Figure [1] displays the network end of an ADSL transceiver.

To create multiple channels, ADSL modems divide the available bandwidth of a telephone line in one of two ways: FDM or echo cancellation (Figure [2]). Frequency-division multiplexing (FDM) assigns one band for upstream data and another band for downstream data. The downstream path is then divided by time-division multiplexing (TDM) into one or more high-speed channels and one or more low-speed channels. The upstream path is also multiplexed into corresponding low-speed channels. Echo cancellation assigns the upstream band to overlap the downstream band and separates the two by means of local echo cancellation, a technique well known from V.32 and V.34 modems. With either technique, ADSL splits off a 4-kHz region for basic telephone service at the DC end of the band.

An ADSL modem organizes the aggregate data stream, created by multiplexing downstream channels, duplex channels, and maintenance channels together, into blocks and attaches an error correction code to each block. The receiver then corrects errors that occur during transmission, up to the limits implied by the code and the block length. The unit may, at the user's option, also create superblocks by interleaving data within subblocks. Interleaving spreads a burst of consecutive line errors across many code blocks, so the receiver can correct any combination of errors within a specific span of bits. This in turn allows for effective transmission of both data and video signals.
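The following is an added example, not code from the Cisco text, showing the mechanism just described: a block interleaver placed in front of a per-block error-correcting code. It uses a Hamming(7,4) code, which corrects one flipped bit per 7-bit codeword, as a stand-in for the Reed-Solomon code a real ADSL modem uses (an assumption made to keep the code short; the interleaver is the same either way). A burst of four consecutive line errors, which would defeat any single codeword, is spread over four codewords when interleaved and is fully corrected; the same burst without interleaving is not. The input data is constructed.

```python
"""Block interleaving in front of a per-block error-correcting code.

Added example, not code from the Cisco text. Hamming(7,4) (corrects one bit per
7-bit codeword) stands in for the Reed-Solomon code a real ADSL modem uses; the
interleaver works the same way with either code. Input data is constructed.
"""


def hamming_encode(nibble):
    """Encode 4 data bits into a 7-bit codeword laid out as p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = nibble
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p3 = d2 ^ d3 ^ d4
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(codeword):
    """Correct at most one flipped bit and return the 4 data bits.

    The syndrome s1 + 2*s2 + 4*s3 is the 1-based position of the flipped bit
    (0 means no error). Two or more flips in one codeword are miscorrected."""
    c = list(codeword)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]


def interleave(codewords):
    """Write codewords as rows of a matrix and read it out column by column,
    so consecutive line bits come from different codewords (depth = rows)."""
    depth, n = len(codewords), len(codewords[0])
    return [codewords[i][j] for j in range(n) for i in range(depth)]


def deinterleave(stream, depth):
    """Inverse of interleave(): rebuild the rows from the column-order stream."""
    n = len(stream) // depth
    return [[stream[j * depth + i] for j in range(n)] for i in range(depth)]


def impulse(stream, start, length):
    """Model an impulse-noise event: flip `length` consecutive bits on the line."""
    out = list(stream)
    for k in range(start, start + length):
        out[k] ^= 1
    return out


def transmit(nibbles, burst_start, burst_len, interleaved):
    """Encode, optionally interleave, apply a burst, undo interleaving, decode."""
    cws = [hamming_encode(nb) for nb in nibbles]
    depth = len(cws)
    if interleaved:
        line = interleave(cws)
    else:
        line = [bit for cw in cws for bit in cw]
    line = impulse(line, burst_start, burst_len)
    if interleaved:
        rx = deinterleave(line, depth)
    else:
        rx = [line[k * 7:(k + 1) * 7] for k in range(depth)]
    return [hamming_decode(cw) for cw in rx]


# Constructed sample: four nibbles, so the interleaver depth is 4 and a
# 4-bit burst lands on exactly one bit of each codeword.
DATA = [[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 0], [0, 0, 0, 1]]


def demo():
    """Return (survives_with_interleaving, survives_without) for a 4-bit burst."""
    with_il = transmit(DATA, 5, 4, interleaved=True) == DATA
    without = transmit(DATA, 5, 4, interleaved=False) == DATA
    return with_il, without


if __name__ == "__main__":
    print("interleaved burst corrected:", demo()[0])
    print("un-interleaved burst corrected:", demo()[1])
```

The price of the interleaver is latency: the receiver cannot decode any codeword until all of the rows have arrived, which is the delay the VDSL discussion later in this section puts at roughly 40 times the longest correctable impulse.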

3.6.6 ADSL standards and associations

The American National Standards Institute (ANSI) Working Group T1E1.4 recently approved an ADSL standard at rates up to 6.1 Mbps (ANSI Standard T1.413). The European Telecommunications Standards Institute (ETSI) contributed an annex to T1.413 to reflect European requirements. T1.413 currently embodies a single terminal interface at the premises end. Issue II, now under study by T1E1.4, will expand the standard to include a multiplexed interface at the premises end, protocols for configuration and network management, and other improvements. The ATM Forum and the Digital Audio-Visual Council (DAVIC) have both recognized ADSL as a physical-layer transmission protocol for unshielded twisted-pair (UTP) media.

The ADSL Forum was formed in December 1994 to promote the ADSL concept and facilitate development of ADSL system architectures, protocols, and interfaces for major ADSL applications. The Forum has more than 200 members, representing service providers, equipment manufacturers, and semiconductor companies throughout the world. At present, the Forum's formal technical work is divided into the following six areas, each of which is dealt with in a separate working group within the technical committee:

• ATM over ADSL (including transport and end-to-end architecture aspects)
• Packet over ADSL (this working group recently completed its work)
• CPE/CO configurations and interfaces
• Operations
• Network management
• Testing and interoperability

3.7 Very-High-Data-Rate Digital Subscriber Line

3.7.1 Overview

Figure 1 VDSL

It is becoming increasingly clear that telephone companies around the world are making decisions to include existing twisted-pair loops in their next-generation broadband access networks. Hybrid fiber coaxial (HFC), a shared-access medium well suited to analog and digital broadcast, comes up somewhat short when used to carry voice telephony, interactive video, and high-speed data communications at the same time. Fiber all the way to the home (FTTH) is still prohibitively expensive in the marketplace. An attractive alternative, soon to be commercially viable, is a combination of fiber cables feeding neighborhood optical network units (ONUs) and last-leg premises copper connections. This topology, which is often called fiber to the neighborhood (FTTN), encompasses fiber to the curb (FTTC) with short drops and fiber to the basement (FTTB), serving tall buildings with vertical drops. One of the enabling technologies for FTTN is VDSL. In simple terms, VDSL transmits high-speed data over short reaches of twisted-pair copper telephone lines, with a range of speeds depending on actual line length. The maximum downstream rate under consideration is between 51 and 55 Mbps over lines up to 1000 feet (300 m) long. Downstream speeds as low as 14 Mbps over lengths beyond 4000 feet (1500 m) are also common. Upstream rates in early models will be asymmetric, just like ADSL, at speeds from 1.6 to 2.3 Mbps. Both data channels will be separated in frequency from the bands used for basic telephone service and Integrated Services Digital Network (ISDN), enabling service providers to overlay VDSL on existing services. At present the two high-speed channels are also separated in frequency. As needs arise for higher-speed upstream channels or symmetric rates, VDSL systems may need to use echo cancellation.


3.7.2 VDSL projected capabilities

Figure 1 VDSL Projected Capabilities

Although VDSL has not achieved the same degree of definition as ADSL, it has advanced far enough that we can discuss realizable goals, beginning with data rate and range. Downstream rates derive from fractional multiples of the Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) canonical speed of 155.52 Mbps, namely 51.84 Mbps, 25.92 Mbps, and 12.96 Mbps. Each rate has a corresponding target range (see the figure). Upstream rates under discussion fall into three general ranges:

• 1.6 to 2.3 Mbps
• 19.2 Mbps
• Equal to the downstream rate

Early versions of VDSL will almost certainly incorporate the slower asymmetric rate. Higher upstream and symmetric configurations may be possible only for very short lines.

Like ADSL, VDSL must transmit compressed video, a real-time signal unsuited to the error retransmission schemes used in data communications. To achieve error rates compatible with those of compressed video, VDSL will have to incorporate FEC with sufficient interleaving to correct all errors created by impulsive noise events of some specified duration. Interleaving introduces delay, on the order of 40 times the maximum length of a correctable impulse.

Data in the downstream direction will be broadcast to every CPE on the premises or be transmitted to a logically separated hub that distributes data to addressed CPE based on cell or TDM multiplexing within the data stream itself. Upstream multiplexing is more difficult. Systems using a passive network termination (NT) must insert data onto a shared medium, either by a form of TDM access (TDMA) or a form of FDM. TDMA may use a species of token control called cell grants, passed in the downstream direction from the ONU modem, or contention, or both (contention for unrecognized devices, cell grants for recognized devices). FDM gives each CPE its own channel, making a MAC protocol unnecessary, but either limits the data rate available to any one CPE or requires dynamic allocation of bandwidth and inverse multiplexing at each CPE. Systems using active NTs transfer the upstream collection problem to a logically separated hub that (typically) uses Ethernet or ATM upstream multiplexing.

Migration and inventory considerations dictate VDSL units that can operate at various (preferably all) speeds, with automatic recognition of a newly connected device on a line or of a change in speed. Passive network interfaces need to support hot insertion, so that a new VDSL premises unit can be put on the line without interfering with the operation of other modems.

3.7.3 VDSL technology

Figure 1 VDSL Technologies

Figure 2 Active Network Termination


Figure 3 Passive Network Termination

VDSL technology resembles ADSL to a large degree, although ADSL must face much larger dynamic ranges and is considerably more complex as a result. VDSL must be lower in cost and lower in power, and premises VDSL units may have to implement a physical-layer MAC for multiplexing upstream data.

Line-Code Candidates

Four line codes have been proposed for VDSL:

• Carrierless amplitude modulation/phase modulation (CAP) - A version of suppressed-carrier quadrature amplitude modulation (QAM). For passive NT configurations, CAP would use quadrature phase shift keying (QPSK) upstream and a type of TDMA for multiplexing (although CAP does not preclude an FDM approach to upstream multiplexing).
• Discrete multitone (DMT) - A multicarrier system using discrete Fourier transforms to create and demodulate individual carriers. For passive NT configurations, DMT would use FDM for upstream multiplexing (although DMT does not preclude a TDMA multiplexing strategy).
• Discrete wavelet multitone (DWMT) - A multicarrier system using wavelet transforms to create and demodulate individual carriers. DWMT also uses FDM for upstream multiplexing but also allows TDMA.
• Simple line code (SLC) - A version of four-level baseband signaling that filters the baseband and restores it at the receiver. For passive NT configurations, SLC would most likely use TDMA for upstream multiplexing, although FDM is possible.

Channel Separation

Early versions of VDSL will use FDM to separate downstream from upstream channels and both of them from basic telephone service and ISDN, as shown in Figure [1]. Echo cancellation may be required for later-generation systems featuring symmetric data rates. A rather substantial distance, in frequency, will be maintained between the lowest data channel and basic telephone service to enable very simple and cost-effective basic telephone service splitters. Normal practice would locate the downstream channel above the upstream channel. However, the DAVIC specification reverses this order to enable premises distribution of VDSL signals over coaxial cable systems.

Forward Error Control

FEC will no doubt use a form of Reed-Solomon coding and optional interleaving to correct bursts of errors caused by impulse noise. The structure will be very similar to ADSL, as defined in T1.413. An outstanding question is whether FEC overhead (in the range of 8 percent) will be taken from the payload capacity or added as an out-of-band signal. The former reduces payload capacity but maintains nominal reach, whereas the latter retains the nominal payload but suffers a small reduction in reach. ADSL puts FEC overhead out of band.

Upstream Multiplexing

If the premises VDSL unit comprises the network termination (an active NT), then the means of multiplexing upstream cells or data channels from more than one CPE into a single upstream becomes the responsibility of the premises network. The VDSL unit simply presents raw data streams in both directions. As illustrated in Figure [2], one type of premises network involves a star connecting each CPE to a switching or multiplexing hub; such a hub could be integral to the premises VDSL unit.

In a passive NT configuration, each CPE has an associated VDSL unit (Figure [3]). (A passive NT does not conceptually preclude multiple CPE per VDSL unit, but then the question of active versus passive NT becomes a matter of ownership, not a matter of wiring topology and multiplexing strategies.) Now the upstream channels for each CPE must share a common wire. Although a collision-detection system could be used, the desire for guaranteed bandwidth indicates one of two solutions.

The first invokes a cell-grant protocol in which downstream frames generated at the ONU or farther up the network contain a few bits that grant access to a specific CPE during a specified period subsequent to receiving a frame. A granted CPE can send one upstream cell during this period. The transmitter in the CPE must turn on, send a preamble to condition the ONU receiver, send the cell, and then turn itself off. The protocol must insert enough silence to let line ringing clear. One construction of this protocol uses 77 octet intervals to transmit a single 53-octet cell.

The second method divides the upstream channel into frequency bands and assigns one band to each CPE. This method has the advantage of avoiding any MAC with its associated overhead (although a multiplexor must be built into the ONU), but it either restricts the data rate available to any one CPE or imposes a dynamic inverse multiplexing scheme that lets one CPE send more than its share for a period. The latter would look a great deal like a MAC protocol, but without the loss of bandwidth associated with carrier detect and clear for each cell.

3.7.4 VDSL issues

VDSL is still in the definition stage. Some preliminary products exist, but not enough is known yet about telephone line characteristics, radio frequency interference emissions and susceptibility, upstream multiplexing protocols, and information requirements to frame a set of definitive and standard properties. One large unknown is the maximum distance that VDSL can reliably realize for a given data rate. This is unknown because real line characteristics at the frequencies required for VDSL are speculative. Additionally, items such as short bridged taps or unterminated extension lines in homes, which have no effect on telephony, ISDN, or ADSL, may have very detrimental effects on VDSL in certain configurations. Furthermore, VDSL invades the frequency ranges of amateur radio, and every above-ground telephone wire is an antenna that both radiates and attracts energy in amateur radio bands. Balancing low signal levels, to prevent emissions that interfere with amateur radio, against the higher signal levels needed to combat interference from amateur radio could be the dominant factor in determining line reach.

A second dimension of VDSL that is far from clear is the services environment. It can be assumed that VDSL will carry information in ATM cell format for video and asymmetric data communications, although optimum downstream and upstream data rates have not been ascertained. What is more difficult to assess is the need for VDSL to carry information in non-ATM formats (such as conventional Plesiochronous Digital Hierarchy [PDH] structures) and the need for symmetric channels at broadband rates (above T1/E1). VDSL will not be completely independent of upper-layer protocols, particularly in the upstream direction, where multiplexing data from more than one CPE may require knowledge of link-layer formats (that is, ATM or not).

A third difficult subject is premises distribution and the interface between the telephone network and CPE. Cost considerations favor a passive network interface, with premises VDSL installed in CPE and upstream multiplexing handled similarly to LAN buses. System management, reliability, regulatory constraints, and migration favor an active network termination that can operate like a hub, with point-to-point or shared-media distribution to multiple CPE over on-premises wiring that is independent of and physically isolated from network wiring. This is the same as ADSL and ISDN. However, costs cannot be ignored. Small ONUs must spread common equipment costs, such as fiber links, interfaces, and equipment cabinets, over a small number of subscribers compared to HFC. VDSL therefore has a much lower cost target than ADSL, which may connect directly from a wiring center, or cable modems, which also have much lower common equipment costs per user. Furthermore, VDSL for passive NTs may (only may) be more expensive than VDSL for active NTs, but the elimination of any other premises network electronics may make it the most cost-effective solution, and highly desired, despite the obvious benefits of an active NT. Stay tuned.

3.7.5 Standards status

Figure 1 VDSL Standard Status

At present, five standards organizations/forums have begun work on VDSL:

• T1E1.4 - The U.S. ANSI standards group T1E1.4 has just begun a project for VDSL, making a first attack on system requirements that will evolve into a system and protocol definition.
• ETSI (European Telecommunications Standards Institute) - ETSI has a VDSL standards project, under the title High-Speed Metallic Access Systems, and has compiled a list of objectives, problems, and requirements. Among its preliminary findings are the need for an active NT and payloads in multiples of SDH virtual container VC-12, or 2.3 Mbps. ETSI works very closely with T1E1.4 and the ADSL Forum, with significant overlap in attendees.
• DAVIC - DAVIC has taken the earliest position on VDSL. Its first specification, due to be finalized, will define a line code for downstream data, another for upstream data, and a MAC for upstream multiplexing based on TDMA over shared wiring. DAVIC is specifying VDSL only for a single downstream rate of 51.84 Mbps and a single upstream rate of 1.6 Mbps over 300 m or less of copper. The proposal assumes, and is driven to a large extent by, a passive NT, and further assumes premises distribution from the NT over new coaxial cable or new copper wiring.
• The ATM Forum - The ATM Forum has defined a 51.84-Mbps interface for private-network User-Network Interfaces (UNIs) and a corresponding transmission technology. It has also addressed the question of CPE distribution and delivery of ATM all the way to the premises over the various access technologies described above.
• The ADSL Forum - The ADSL Forum has just begun consideration of VDSL. In keeping with its charter, the Forum will address network, protocol, and architectural aspects of VDSL for all prospective applications, leaving line code and transceiver protocols to T1E1.4 and ETSI and higher-layer protocols to organizations such as the ATM Forum and DAVIC.

3.7.6 Relationship of VDSL to ADSL

Figure 1 Relationship of VDSL to ADSL

Figure 2 DSL Modem Technology

VDSL has an odd technical resemblance to ADSL. VDSL achieves data rates nearly ten times greater than those of ADSL (see Figure [1]), but ADSL is the more complex transmission technology. This is in large part because ADSL must contend with much larger dynamic ranges than VDSL. However, the two are essentially cut from the same cloth. ADSL employs advanced transmission techniques and FEC to realize data rates from 1.5 to 9 Mbps over twisted pair, ranging to 18,000 feet; VDSL employs the same advanced transmission techniques and FEC to realize data rates from 14 to 55 Mbps over twisted pair, ranging to 4500 feet. Indeed, the two can be considered a series, a set of transmission tools that delivers about as much data as is theoretically possible over varying distances of existing telephone wiring.

VDSL is clearly a technology suitable for a full-service network (assuming that full service does not imply more than two HDTV channels over the highest-rate VDSL). It is equally clear that telephone companies cannot deploy ONUs overnight, even if all the technology were available. ADSL may not be a full-service network technology, but it has the singular advantage of offering service over lines that exist today, and ADSL products are more widely available than VDSL. Many new services being contemplated today, such as videoconferencing, Internet access, video on demand, and remote LAN access, can be delivered at speeds at or below T1/E1 rates. For such services, ADSL/VDSL provides an ideal combination for network evolution. On the longest lines, ADSL delivers a single channel. As line length shrinks, either from natural proximity to a central office or from deployment of fiber-based access nodes, ADSL and VDSL simply offer more channels and capacity for services that require rates above T1/E1 (such as digital live television and virtual CD-ROM access). Figure [2] outlines the differences between all flavors of xDSL.


Summary

Figure 1 Consumer Access Options

This appendix gave an overview of several emerging remote-access solutions: cable modems, wireless, and xDSL. The figure summarizes the major issues surrounding these options. The key issues revolve around speed, cost, and availability. Over the next few years, it will be interesting to see whether there is one key winner in the race for market share.


Lab 1.6.1: Getting Started and Building Start.TXT

Objective

This lab introduces the CCNP lab equipment and certain IOS features that may be used or seen for the first time. This introductory activity also describes how to use a simple text editor to create all or part of a router configuration file. After creating a text configuration file, that configuration can be applied to a router quickly and easily by using the techniques described in this lab.

Equipment Requirements

• A single router, preferably a 2600 series router, and a workstation running a Windows operating system.
• One 3 1/2 inch floppy disk with label

Preliminary

Modular interfaces

Cisco routers can come with a variety of interface configurations. Some models have only fixed interfaces, which means that the interfaces cannot be changed or replaced by the user. Other models have one or more modular interfaces, allowing the user to add, remove, or replace interfaces as needed. Fixed interface identification, such as Serial 0, S0, Ethernet 0, and E0, may already be familiar. Modular routers use notation such as Serial 0/0 or S0/1, where the first number refers to the module and the second number refers to the interface. Both notations use 0 as their starting reference, so S0/1 indicates that there is another serial interface, S0/0.

Fast Ethernet

Many routers today are equipped with Fast Ethernet (10/100 Mbps auto-sensing) interfaces. These interfaces must be referred to as Fast Ethernet 0/0 or Fa0/0; the Ethernet 0/0 notation refers to a plain 10-Mbps Ethernet interface.

The ip subnet-zero command

The ip subnet-zero command is enabled by default in IOS 12. This command allows IP addresses to be assigned in the first subnet, called subnet 0. Because subnet 0 uses only binary zeros in the subnet field, its subnet address can potentially be confused with the major network address. With the advent of classless IP, the use of subnet 0 has become more common. The labs in this manual assume that the student can assign addresses to the router's interfaces using subnet 0. If any routers are used that have an IOS earlier than 12.0, the global configuration command ip subnet-zero must be added to the router's configuration.

The no shutdown command

Interfaces are shut down by default. Remember to explicitly issue a no shutdown command in interface configuration mode when the interface is ready to be brought up.

Passwords

The login command is applied to virtual terminals by default. This means that in order for the router to accept Telnet connections, a password must be configured. Otherwise, the router will not allow a Telnet connection, replying with the error message "password required, but none set."

Step 1. Take a few moments to examine the router. Become familiar with any serial, BRI (ISDN), PRI (ISDN), and DSU/CSU interfaces on the router. Pay particular attention to any connectors or cables that are unfamiliar.


Remote Access Section 1: WANs - Lab 1.6.1

Copyright  2002, Cisco Systems, Inc.

Step 2. Establish a HyperTerminal session to the router. Enter privileged EXEC mode.

Step 3. To clear the configuration, issue the erase start command. Confirm when prompted, and answer 'no' if asked to save changes. The result should look something like the following:

    Router#erase start
    Erasing the nvram filesystem will remove all files! Continue? [confirm]
    [OK]
    Erase of nvram: complete
    Router#

When the prompt returns, issue the reload command. Confirm when prompted. After the router finishes the boot process, choose not to use the AutoInstall feature, shown as follows:

    Would you like to enter the initial configuration dialog? [yes/no]: no
    Would you like to terminate autoinstall? [yes]:      ! Press Enter to accept the default.
    Press RETURN to get started!

Step 4. In privileged mode, issue the show run command. Notice the following default configurations while scrolling through the running configuration:

• The version number of the IOS
• The ip subnet-zero command, which allows the use of subnet 0
• Each available interface and its name. Note: Each interface has the shutdown command applied to its configuration.
• The no ip http server command, which prevents the router from being accessed by a Web browser.
• No passwords are set for CON, AUX, and VTY sessions, shown as follows:

    line con 0
     transport input none
    line aux 0
    line vty 0 4

Using Copy and Paste with Notepad

In the next steps, the copy and paste feature will be used to edit router configurations. A text file needs to be created that can be pasted into the labs and used as a starting point for the router configuration. Specifically, a login configuration must be built that can be used with every lab included in this manual.

Step 5. If necessary, issue the show run command again so that line con and line vty are showing on the screen:

    line con 0
     transport input none
    line aux 0
    line vty 0 4
    !
    end

Select this text and choose the Copy command from HyperTerminal's Edit menu. Next, open Notepad, which is typically found on the Start menu under Programs, Accessories. After Notepad opens, select Paste from the Notepad Edit menu. Edit the lines in Notepad to look like the following lines. The one-space indent is optional.

    enable secret class
    line con 0
     transport input none
     password cisco
     login
    line aux 0
     password cisco
     login
    line vty 0 4
     password cisco
     login

This configuration sets the enable secret to class and requires a login for all console, AUX port, and virtual terminal connections. The password for these connections is set to cisco. The AUX port is usually connected to a modem. Note: Each of the passwords can be set to something else if desired. cisco and class are lab conventions only and should never be used on a production router.

Step 6. Save the open file in Notepad to a floppy disk as start.txt. Select all the lines in the Notepad document and choose Edit, Copy.

Step 7. Use the Windows taskbar to return to the HyperTerminal session, and enter global configuration mode. From HyperTerminal's Edit menu, choose Paste to Host. Issue the show run command to see if the configuration looks okay. As a shortcut, paste the contents of the start.txt file to any router before getting started with a lab.

Other Useful Commands

To enhance the start.txt file, consider adding one or more of the following commands:

• ip subnet-zero ensures that an older IOS allows IP addresses from subnet 0.
• ip http server allows access to the router using a Web browser. This exposes a management interface over cleartext HTTP and is not desirable on a production router, but it does give an HTTP server for testing purposes in the lab.
• no ip domain-lookup prevents the router from attempting to query a DNS server when a word is entered that is not recognized as a command or a host table entry. This saves time if a command is mistyped.
• logging synchronous in the line con 0 configuration returns to a fresh line when input is interrupted by a console logging message.
• configure terminal can be placed at the start of the file so that the command does not need to be typed before pasting the contents of the file to the router.

Step 8. Use the Windows taskbar to return to Notepad and edit the lines so that they read as follows:

    config t
    !
    enable secret class
    ip subnet-zero
    ip http server
    no ip domain-lookup
    line con 0
     logging synchronous
     password cisco
     login
     transport input none
    line aux 0
     password cisco
     login
    line vty 0 4
     password cisco
     login
    !
    end
    copy run start

Save the file to the floppy disk so work is not lost. Select and copy all the lines, and return to the HyperTerminal session. Normally global configuration mode would be entered before pasting from Notepad. However, because the configure terminal command was included in the script, the paste can be done in privileged mode. If necessary, return to privileged EXEC mode. From the Edit menu, select Paste to Host. After the paste is complete, confirm the copy operation. Use show run to see if the configuration looks okay.

Using Notepad to Assist in Editing

Understanding how to use Notepad can lessen typing and typos during editing sessions. Another benefit is that an entire router configuration can be done in Notepad at home or at the office and then pasted to the router's console when access becomes available. In the next steps, a simple editing example is worked through.

Step 9. Configure the router with the following commands:


    Router#config t
    Router(config)#router rip
    Router(config-router)#network 192.168.1.0
    Router(config-router)#network 192.168.2.0
    Router(config-router)#network 192.168.3.0
    Router(config-router)#network 192.168.4.0
    Router(config-router)#network 192.168.5.0

Press Ctrl+Z, and verify the configuration with show run. RIP has just been set up to advertise a series of networks. What if the routing protocol is to be changed to IGRP? With the no router rip command, RIP can be easily removed; however, the network commands would still need to be retyped. The next steps show an alternative to retyping the commands.

Step 10. Issue the show run command and hold the output so that the router rip commands are displayed. Using the keyboard or mouse, select the router rip command and all network statements. Copy the selection. Use the taskbar to return to Notepad. Open a new document and paste the selection onto the blank page.

Step 11. In the new document, type the word no and a space in front of the word router. Press the End key, and press Enter. Type router igrp 100, but do not press Enter. The result should look like the following:

    no router rip
    router igrp 100
     network 192.168.1.0
     network 192.168.2.0
     network 192.168.3.0
     network 192.168.4.0
     network 192.168.5.0

Step 12. Select the results and copy them. Use the taskbar to return to the HyperTerminal session. While in global configuration mode, paste the results. Use the show run command to verify the configuration.

Reflection

How could using copy and paste with Notepad be helpful in other editing situations?


Lab 1.6.2: Capturing HyperTerminal and Telnet Sessions Objective This activity describes how to capture HyperTerminal and Telnet sessions. Note: Try to master these techniques. These techniques lessen the amount of typing in later labs and while working in the field. Step 1. Log in to a router using HyperTerminal. It is possible to capture the results of the HyperTerminal session in a text file, which can be viewed and/or printed using Notepad, WordPad, or Microsoft Word. Note: This feature captures future screens, not what is currently on screen. Basically this is turning on a recording session. To start a capture session, choose the menu option Transfer, Capture Text. The Capture Text dialog box appears, as shown in the following figure.

The default filename for a HyperTerminal capture is CAPTURE.TXT, and the default location of this file is C:\Program Files\Accessories\HyperTerminal.

Note: When using Telnet, the command to begin a capture, or log, is Terminal, Start Logging. The document created has LOG as the extension. Other than the name and path of the capture file, the logging procedures are the same for both Telnet and HyperTerminal.

Make sure that a floppy disk is in the A: drive. When the Capture Text dialog box appears, change the File path to A:\TestRun.txt. Click the Start button. Anything that appears onscreen after this point is copied to the file.

Step 2. Issue the show running-config command and view the entire configuration file. From the Transfer menu, choose Capture Text, Stop. Telnet users should select Stop Logging from the Terminal menu to end the session.

Step 3. Using the Start menu, launch Windows Explorer. Windows Explorer might be found under Programs or Accessories, depending on which version of Windows is in use. In the left pane, select the 3½ floppy (A:) drive. On the right side, the file that was just created should be seen.

Remote Access Section 1: WANs - Lab 1.6.2

Copyright © 2002, Cisco Systems, Inc.

Double-click the TestRun.txt document's icon. The result should look something like the following:

Router# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$HD2B$6iXb.h6QEJJjtn/NnwUHO.
!
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/0
 --More-- □□□□□□□ □□□□□□□ no ip address
 no ip directed-broadcast
 shutdown

Unrecognizable characters may appear near the word ’More’. This is where the spacebar was pressed to see the rest of the list. Use basic word processing techniques to clean that up.

Suggestion

Consider capturing each router configuration for every lab that is done. Captured files can be valuable while reviewing configuration features and preparing for certification exams.

Reflection

Could the capture techniques be useful if a member of a lab team misses a lab session? Can capture techniques be used to configure an off site lab?


Lab 1.6.3: Access Control List Basics and Extended Ping

[Topology diagram: Workstation 192.168.3.2/24 on Vista Fa0/0 192.168.3.1/24; Vista S0/0 192.168.1.1/24 to SanJose1 S0/0 192.168.1.2/24; Vista S0/1 192.168.2.1/24 to SanJose2 S0/1 192.168.2.2/24; SanJose1 Fa0/0 10.0.0.1/24 and SanJose2 Fa0/0 10.0.0.2/24 on the 10.0.0.0/24 LAN]

Objective

This lab activity reviews the basics of standard and extended access lists, which are used extensively in the CCNP curriculum.

Scenario

The LAN users connected to the Vista router are concerned about access to their network from hosts on network 10.0.0.0. Use a standard access list to block all access to Vista's LAN from network 10.0.0.0/24. Also use an extended ACL to block network 192.168.3.0 host access to Web servers on the 10.0.0.0/24 network.

Step 1. Build and configure the network according to the diagram. Use RIPv1, and enable updates on all active interfaces with the appropriate network commands. The commands necessary to configure SanJose1 are shown as an example:

SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0

Use the ping command to verify the work and test connectivity between all interfaces.

Step 2. Check the routing table on Vista using the show ip route command. Vista should have all four networks in its table. Troubleshoot, if necessary.

Remote Access Section 1: WANs - Lab 1.6.3

Copyright © 2002, Cisco Systems, Inc.

Access Control List Basics

Access Control Lists (ACLs) are simple but powerful tools. When the access list is configured, each statement in the list is processed by the router in the order in which it was created. If an individual packet meets a statement's criteria, the permit or deny is applied to that packet, and no further list entries are checked. The next packet to be checked starts again at the top of the list.

It is not possible to reorder an access list, skip statements, edit statements, or delete statements from a numbered access list. With numbered access lists, any attempt to delete a single statement results in the entire list's deletion. Named ACLs (NACLs) do allow for the deletion of individual statements.

The following concepts apply to both standard and extended access lists:

Two-step process

First, the access list is created with one or more access-list commands while in global configuration mode. Second, the access list is applied to or referenced by other commands, such as the access-group command, to apply an ACL to an interface. An example would be the following:

Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z

Syntax and Keywords

The basic syntax for creating an access list entry is as follows:

router(config)#access-list acl-number {permit | deny}...

The permit command allows packets matching the specified criteria to be accepted for whatever application the access list is being used for. The deny command discards packets matching the criteria on that line.

Two important keywords that can be used with the access-list command are any and host. The keyword any matches all hosts on all networks, equivalent to 0.0.0.0 255.255.255.255. The keyword host can be used with an IP address to indicate a single host address. The syntax is host ip-address, such as host 192.168.1.10. This is treated exactly the same as 192.168.1.10 0.0.0.0.

Implicit deny statement

Every access list contains a final 'deny' statement that matches all packets. This is called the implicit deny. Because the implicit deny statement is not visible in show command output, it is often overlooked, with serious consequences. As an example, consider the following single line access list:

Router(config)#access-list 75 deny host 192.168.1.10

Access-list 75 clearly denies all traffic sourced from the host, 192.168.1.10. What might not be obvious is that all other traffic will be discarded as well. This happens because the implicit deny any is the final statement in any access list.

At least one permit statement is required

There is no requirement that an ACL contains a deny statement. If nothing else, the implicit deny any statement takes care of that. But if there are no permit statements, the effect will be the same as if there were only a single deny any statement.


Wildcard mask

In identifying IP addresses, ACLs use a wildcard mask instead of a subnet mask. Initially, they might look like the same thing, but closer observation reveals that they are very different. Remember that a binary 0 in a wildcard bitmask instructs the router to match the corresponding bit in the IP address.

In/out

When deciding whether an ACL should be applied to inbound or outbound traffic, always view things from the router's perspective. In other words, determine whether traffic is coming into the router, inbound, or leaving the router, outbound.

Applying ACLs

Extended ACLs should be applied as close to the source as possible, thereby conserving network resources. Standard ACLs, by necessity, must be applied as close to the destination as possible. This is because the standard ACL can only match the source address of a packet.

Step 3. On the Vista router, create the following standard ACL and apply it to the LAN interface:

Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z

Try pinging 192.168.3.2 from SanJose1.

SanJose1#ping 192.168.3.2
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

The ping should be successful. This result might be surprising, because all traffic from the 10.0.0.0/24 network was just blocked. The ping is successful because, even though it came from SanJose1, it is not sourced from the 10.0.0.0/24 network. A ping or traceroute from a router uses the closest interface to the destination as the source address. Therefore, the ping is coming from 192.168.1.2/24, SanJose1's Serial 0/0 interface. In order to test the ACL from SanJose1, use the extended ping command to specify a specific source interface.

Step 4. On SanJose1, issue the following commands. Remember that the extended ping works only in privileged mode.

SanJose1#
SanJose1#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Step 5. Standard ACLs are numbered one (1) through 99. IOS 12 also allows standard lists to be numbered 1300 through 1699. Extended ACLs are numbered 100 through 199. IOS 12 allows numbers 2000 through 2699. Extended ACLs can be used to enforce highly specific criteria for filtering packets. In this step, configure an extended ACL to block access to a Web server.

Before proceeding, issue the no access-list 50 and no ip access-group 50 commands on the Vista router to remove the ACL configured previously.

First, configure both SanJose1 and SanJose2 to act as Web servers, by using the ip http server command, shown as follows:

SanJose1(config)#ip http server
SanJose2(config)#ip http server

From the workstation at 192.168.3.2, use a Web browser to view both SanJose1 and SanJose2's Web servers at 10.0.0.1 and 10.0.0.2. The Web login requires that the router's enable secret password be entered as the password. After verifying Web connectivity between the workstation and the routers, proceed to Step 6.

Step 6. On the Vista router, enter the following commands:

Vista(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
Vista(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
Vista(config)#access-list 101 permit ip any any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 101 in

From the workstation at 192.168.3.2, again attempt to view the Web servers at 10.0.0.1 and 10.0.0.2. Both attempts should fail. Next, browse SanJose1 at 192.168.1.2. Why is this not blocked?
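The evaluation rules described under Access Control List Basics (top-down scan, first match wins, implicit deny any, wildcard masks) and the results seen in Steps 3 to 6 can be reproduced in a small model. The following Python is an added illustration, not code from the lab or from Cisco; the Packet and AclEntry types, the wildcard_match helper and the lab_results function are invented for this example, and the ACL_50, ACL_75 and ACL_101 lists are the three access lists configured on the page written out as entries.

```python
"""Model of how an IOS router evaluates an access list: entries are checked
top-down, the first match decides, and every list ends with an implicit
'deny any'. Added illustration for Lab 1.6.3, not Cisco code; the Packet and
AclEntry types are invented for the example."""
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks invert subnet-mask logic: a 0 bit must match, a 1 bit is ignored."""
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care_bits) == (ip_to_int(base) & care_bits)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "icmp", "tcp" or "udp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"                # the defaults mean 'any'
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"                # a standard ACL never looks at the destination
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                   # "ip" matches every protocol
    dport: Optional[int] = None         # 'eq www' -> 80, 'eq ftp' -> 21

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc))


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Return 'permit' or 'deny' the way the router decides it."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action      # first match wins; later entries are not checked
    return "deny"                    # the implicit deny any at the end of every list


# The three lists configured on the page, written out as entries.
ACL_50 = [
    AclEntry("deny", "10.0.0.0", "0.0.0.255"),    # access-list 50 deny 10.0.0.0 0.0.0.255
    AclEntry("permit"),                           # access-list 50 permit any
]
ACL_75 = [AclEntry("deny", "192.168.1.10", "0.0.0.0")]   # deny host 192.168.1.10, nothing else
ACL_101 = [
    AclEntry("deny", "192.168.3.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", "tcp", 80),
    AclEntry("deny", "192.168.3.0", "0.0.0.255", proto="tcp", dport=21),
    AclEntry("permit"),                           # permit ip any any
]


def lab_results() -> dict:
    """The pings and browser attempts from Steps 3 to 6, run through the model."""
    return {
        # Step 3: a plain ping from SanJose1 is sourced from S0/0, not from the 10.0.0.0/24 LAN
        "ping_from_s0/0": evaluate(ACL_50, Packet("192.168.1.2", "192.168.3.2", "icmp")),
        # Step 4: the extended ping sourced from 10.0.0.1 hits the deny line
        "ping_from_fa0/0": evaluate(ACL_50, Packet("10.0.0.1", "192.168.3.2", "icmp")),
        # Implicit deny: the one-line list 75 also drops hosts it never names
        "acl75_other_host": evaluate(ACL_75, Packet("192.168.1.11", "192.168.3.2")),
        # Step 6: web to 10.0.0.1 is denied; 192.168.1.2 is outside the deny line's destination
        "web_to_10.0.0.1": evaluate(ACL_101, Packet("192.168.3.2", "10.0.0.1", "tcp", 80)),
        "web_to_192.168.1.2": evaluate(ACL_101, Packet("192.168.3.2", "192.168.1.2", "tcp", 80)),
    }
```

Running lab_results() shows why the Step 3 ping succeeds (the source is 192.168.1.2, which the deny line does not cover), why the Step 4 extended ping fails, and why the browser can still reach 192.168.1.2 in Step 6: the first deny line of list 101 only names destinations in 10.0.0.0/24, and the second only names port 21.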


Lab 2.5.1: Configuring Static NAT

[Topology diagram: Host A 192.168.0.5/24 and Host B 192.168.0.20/24 on SanJose1 Fa0/0 192.168.0.1/24; SanJose1 S0/0 10.0.0.6/30 to ISP1 S0/0 10.0.0.5/30; ISP1 Lo0 10.0.1.2/30]

Objective

Configure Network Address Translation (NAT) static translation to provide reliable outside access to three shared company servers.

Scenario

When the International Travel Agency (ITA) expanded and updated their network, they chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the outside world. In order to secure the outside IP addresses from their ISP, ITA must pay a monthly fee per IP address. ITA has asked that a series of prototypes be set up that would demonstrate NAT's capabilities to meet ITA's requirements. The company hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons including security concerns, the company wishes to hide the internal network from the outside.

Step 1. Build and configure the network according to the diagram. This configuration requires the use of subnet zero, so the ip subnet-zero command may need to be entered, depending on the version of IOS being used. Configure SanJose1 to use a default route to ISP1, as shown:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

Host A represents one of the proposed shared servers that will be part of an Ethernet LAN attached to SanJose1. Host B represents a user in the ITA network.

Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.1

Copyright © 2001, Cisco Systems, Inc.

Step 2. Verify the configurations with the show running-config command. Verify that SanJose1 can ping ISP1's serial interface, 10.0.0.5, and that ISP1 can ping SanJose1's serial interface, 10.0.0.6. At this time, ISP1 cannot ping either workstation or SanJose1's Fast Ethernet interface, 192.168.0.1.

1. Both workstations can ping each other and 10.0.0.6, but cannot ping 10.0.0.5. Why does the latter ping fail?

In fact, the ping request should be getting to 10.0.0.5. Because ISP1 has no entry in its routing table for the 192.168.0.0 /24, ISP1 cannot reply. A static route is configured to solve this problem in Step 7.

Step 3. SanJose1 is the boundary router where NAT will be configured. The router will be translating the inside local addresses to inside global addresses, essentially converting the internal private addresses into legal public addresses for use on the Internet. On SanJose1, create static translations between the inside local addresses, the servers to be shared, and the inside global addresses using the following commands:

SanJose1(config)#ip nat inside source static 192.168.0.3 42.0.0.49
SanJose1(config)#ip nat inside source static 192.168.0.4 42.0.0.50
SanJose1(config)#ip nat inside source static 192.168.0.5 42.0.0.51

2. If a static translation is needed for a fourth server, 192.168.0.6, what would be the appropriate command?

Step 4. Next, specify an interface on SanJose1 to be used by inside network hosts requiring address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 5. To see the translations, use the show ip nat translations command. The results should look something like the following:

SanJose1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.49          192.168.0.3        ---                ---
--- 42.0.0.50          192.168.0.4        ---                ---
--- 42.0.0.51          192.168.0.5        ---                ---

Use the show ip nat statistics command to see what NAT activity has occurred. The results should look something like the following:

SanJose1#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0/0
Inside interfaces: FastEthernet0/0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
SanJose1#

Notice that the Hits value is currently 0.

Step 6. From Host A, ping 10.0.0.5, ISP1's serial interface. The pings should still fail because ISP1 has no route for 192.168.0.0 /24 in its routing table. Return to the console connection of SanJose1 and type show ip nat statistics, as shown here:

SanJose1#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0/0
Inside interfaces: FastEthernet0/0
Hits: 4  Misses: 0
Expired translations: 0
Dynamic mappings:

The hits now equal 4, as shown. This indicates that the translation was made even though no response was given. Remember that the ping replies are not sent because ISP1 does not have a route back to SanJose1. It is now time to remedy this.

Step 7. On ISP1, configure the following static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

The subnet mask defines the pool of IP addresses as 42.0.0.48 /28. It should now be possible to successfully ping 42.0.0.51, which is the translated address of the shared server, 192.168.0.5. The show ip route command confirms that the static route is present, as shown here:

ISP1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     42.0.0.0/28 is subnetted, 1 subnets
S       42.0.0.48 [1/0] via 10.0.0.6
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.1.0 is directly connected, Loopback0/0
C       10.0.0.4 is directly connected, Serial0/0

Step 8. From Host A, ping the ISP1 router at 10.0.0.5. This ping should now be successful. It should also be possible to ping ISP1's loopback address, 10.0.1.2, as well. From the console connection to SanJose1, issue the show ip nat statistics command and look over the statistics. The number of hits should be much larger than before. Try the show ip nat translations verbose command. The results should look something like the following:

SanJose1#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.49          192.168.0.3        ---                ---
    create 00:40:25, use 00:40:25, flags: static, use_count: 0
--- 42.0.0.50          192.168.0.4        ---                ---
    create 00:40:25, use 00:40:25, flags: static, use_count: 0
--- 42.0.0.51          192.168.0.5        ---                ---
    create 00:40:25, use 00:06:46, flags: static, use_count: 0

Note: The verbose option includes information about how recently each translation was used.

Step 9. From SanJose1, use the show ip nat statistics command and make a note of the number of hits. From Host B, ping both 10.0.0.5 and 10.0.1.2.

3. Both should fail. Why?

From SanJose1, issue the show ip nat statistics command again and note that the number of hits has not changed. The problem is that NAT did not translate Host B’s IP address, 192.168.0.20, to one of the global addresses. The show ip nat translations command should confirm this.


A static translation for Host B, which represents a LAN user, has not been set up. A static translation could be quickly configured for this single end user. However, configuring a static translation for every user on the LAN could be a huge task, resulting in hundreds of configuration commands. Dynamic NAT allows configuring the router to assign global addresses dynamically, on an as needed basis. While static translation may be appropriate for servers, dynamic translation is almost always used with end user stations. Dynamic NAT will be studied in the next lab exercise.


Lab 2.5.2: Configuring Dynamic NAT

[Topology diagram: Host A 192.168.0.21/24 and Host B 192.168.0.20/24 on SanJose1 Fa0/0 192.168.0.1/24; SanJose1 S0/0 10.0.0.6/30 to ISP1 S0/0 10.0.0.5/30; ISP1 Lo0 10.0.1.2/30]

Objective

Configure dynamic NAT to provide privately addressed users with access to outside resources.

Scenario

The International Travel Agency (ITA) expanded and updated their network. ITA chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the outside world. In securing the outside IP addresses from their ISP, ITA has to pay a monthly fee per IP address. ITA has asked for a series of prototypes to be set up that would demonstrate NAT's capabilities to meet ITA's requirements. The company hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons including security concerns, the company wishes to hide the internal network from the outside. ITA is hoping to limit user access to the Internet and other outside resources by limiting the number of connections. Prototype the basic dynamic translation to see if it will meet ITA's objectives.

Step 1. Build and configure the network according to the diagram. This configuration requires the use of subnet zero, so the ip subnet-zero command may need to be entered, depending on the IOS version being used. Both Host A and Host B represent users on the ITA network. Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.2

Copyright © 2002, Cisco Systems, Inc.

Step 2. Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.55 netmask 255.255.255.240

The name MYNATPOOL is the name of the address pool. However, another word may be chosen. The first 42.0.0.55 in the command is the first IP address in the pool. The second 42.0.0.55 is the last IP address in the pool. This command creates a pool that contains only a single address. Typically, a larger range of addresses in a pool would be configured. For now, only one address will be used.

Next, configure a standard access list to define which internal source addresses can be translated. Since all users on the ITA network are being translated, use the following command:

SanJose1(config)#access-list 2 permit 192.168.0.0 0.0.0.255

To establish the dynamic source translation, link the access list to the name of the NAT pool, as shown here:

SanJose1(config)#ip nat inside source list 2 pool MYNATPOOL

Finally, specify an interface on SanJose1 to be used by inside network hosts requiring address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 3. On SanJose1, enter the show ip nat translations command, which should result in no output. Unlike static translations, which are permanent and always remain in the translations table, dynamic translations are only assigned as needed, and only appear when active. From Host A, ping ISP1's serial and loopback IP addresses. Both pings should work. Troubleshoot as necessary. Issue the show ip nat translations command on SanJose1 again. This should now show a single translation for that workstation. The result might look like the following:

SanJose1#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.55          192.168.0.21       ---                ---

From Host B, ping ISP1’s serial and loopback IP addresses. They should both fail. The one available IP address in the pool is being used by the other workstation. If a larger pool of addresses had been assigned, Host B could be assigned an address from the pool.


Step 4. Issue the show ip nat translations verbose command and examine the output:

SanJose1#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.55          192.168.0.21       ---                ---
    create 00:13:18, use 00:13:06, left 23:46:53, flags: none, use_count: 0

1. According to the output of this command, how much time is left before the dynamic translation times out?

The default timeout value for dynamic NAT translations is 24 hours. This means the second workstation will have to wait until the next day before it can be assigned the address. Next, issue the show ip nat statistics command. Notice that it summarizes the translation information, shows the pool of global addresses, and indicates that only one address has been allocated, or translated, as shown here:

SanJose1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces: Serial0/0
Inside interfaces: FastEthernet0/0
Hits: 45  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 2 pool MYNATPOOL refcount 1
 pool MYNATPOOL: netmask 255.255.255.240
        start 42.0.0.55 end 42.0.0.55
        type generic, total addresses 1, allocated 1 (100%), misses 4

To change the default NAT timeout value from 24 hours, 86,400 seconds, to 120 seconds, issue the following command:

SanJose1(config)#ip nat translation timeout 120

Clear the existing address allocation before the new timer can take effect. Type clear ip nat translation * to immediately clear the translation table. Now, from Host B, try pinging either interface of ISP1 again. The ping should be successful. Use the show ip nat translations and show ip nat translations verbose commands to confirm the translation and to see that the new translations expire in two minutes. Next, perform a ping from Host B and issue the show ip nat translations verbose command again. Notice that the 'time left' timer has been reset. This means that additional hosts will not be allocated an address until a translation has been inactive for the timeout period.

Step 5. In this step, configure the NAT pool to include the complete range of global addresses available to ITA. Issue the following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.62 netmask 255.255.255.240

This command redefines MYNATPOOL to include a range of eight addresses. It will now be possible to ping ISP1 from both workstations. The show ip nat translations command confirms that two translations have occurred, as shown here:

SanJose1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.55          192.168.0.20       ---                ---
--- 42.0.0.56          192.168.0.21       ---                ---

Increasing the address range in the pool allows more hosts to be translated. However, if every address in the pool is allocated, the timeout period must expire before any other hosts can be allocated an address. As was seen in the last step, an allocated address cannot be released until its host is inactive for the duration of the timeout period. In the next lab, many-to-one NAT, or NAT overload will be learned. An overload configuration can allow hundreds of hosts to use a handful of global addresses, without hosts waiting for timeouts.


Lab 2.5.3: Configuring NAT Overload

[Topology diagram: Host A 192.168.0.21/24 and Host B 192.168.0.20/24 on SanJose1 Fa0/0 192.168.0.1/24; SanJose1 S0/0 10.0.0.6/30 to ISP1 S0/0 10.0.0.5/30; ISP1 Lo0 10.0.1.2/30]

Objective

Configure dynamic NAT with overload.

Scenario

The International Travel Agency (ITA) expanded and updated their network. ITA chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the outside world. In securing the outside IP addresses from their ISP, ITA is having to pay a monthly fee per IP address. ITA has asked for a series of prototypes to be set up that would demonstrate NAT's capabilities to meet ITA's requirements. The company hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons including security concerns, the company wishes to hide the internal network from the outside. It appears that the basic dynamic NAT translations will be too limiting and cumbersome to meet ITA's needs. Modify the prototype to use the overload feature.

Step 1. Build and configure the network according to the diagram. This configuration requires the use of subnet zero, so the ip subnet-zero command may need to be entered, depending on the IOS version being used. Both Host A and Host B represent users on the ITA network. Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.62 netmask 255.255.255.240

Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.3

Copyright © 2002, Cisco Systems, Inc.

Configure a standard access list to define which internal source addresses can be translated. Because all users are being translated on the ITA network, use the following command:

SanJose1(config)#access-list 2 permit 192.168.0.0 0.0.0.255

Specify an interface on SanJose1 to be used by inside network hosts requiring address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 2. In the last exercise, a pool of 'real' global IP addresses was seen that can be used to provide internally addressed hosts with access to the Internet and other outside resources. However, in the previous implementation, each global address could be allocated to only one host at a time. The most powerful feature of NAT is address overloading, or port address translation (PAT). Overloading allows multiple inside addresses to map to a single global address. With PAT, literally hundreds of privately addressed nodes can access the Internet using only one global address. The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers. Configure address overloading on SanJose1 with the following command:

SanJose1(config)#ip nat inside source list 2 pool MYNATPOOL overload

After the overload feature is configured, ping both interfaces of ISP1, 10.0.1.2 and 10.0.0.5, from Host A. The pings should be successful. Next, issue the show ip nat translations command:

SanJose1#show ip nat translation
Pro Inside global      Inside local          Outside local      Outside global
icmp 42.0.0.55:1536    192.168.0.21:1536     10.0.0.5:1536      10.0.0.5:1536
icmp 42.0.0.55:1536    192.168.0.21:1536     10.0.1.2:1536      10.0.1.2:1536

1. What port number is the source of the ping?

2. What port number is the destination of the ping?

In addition to tracking the IP addresses translated, the translations table also records the port numbers being used. Also notice that the first column, Pro, shows the protocol used. Now look at the output of the show ip nat translation verbose command:


SanJose1#show ip nat translation verbose
Pro Inside global      Inside local          Outside local      Outside global
icmp 42.0.0.55:1536    192.168.0.21:1536     10.0.0.5:1536      10.0.0.5:1536
    create 00:00:09, use 00:00:06, left 00:00:53, flags: extended, use_count: 0
icmp 42.0.0.55:1536    192.168.0.21:1536     10.0.1.2:1536      10.0.1.2:1536
    create 00:00:04, use 00:00:01, left 00:00:58, flags: extended, use_count: 0

Note: The timeout for these overloaded dynamic translations of ICMP is 60 seconds. Notice also that each session has its own timeout timer. New activity only resets one specific session's timer. To see the result on the router, it may need to be pinged again.

From the MS-DOS prompt of Host A, quickly issue the following commands and then return to the SanJose1 console to issue the show ip nat translation command. The commands must be done fast due to the 60 second timeout:

HostA:\>ping 10.0.0.5
HostA:\>telnet 10.0.0.5     (Do not login. Return to command window)
HostA:\>ftp 10.0.0.5        (It will fail. Do not worry about this)

Note: To quit the Windows FTP program, type bye and press Enter.

After these three sessions are initiated, the output of the show ip nat translation command should look something like the following:

SanJose1#show ip nat translation
Pro Inside global      Inside local          Outside local      Outside global
icmp 42.0.0.55:1536    192.168.0.21:1536     10.0.0.5:1536      10.0.0.5:1536
tcp 42.0.0.55:1095     192.168.0.21:1095     10.0.0.5:21        10.0.0.5:21
tcp 42.0.0.55:1094     192.168.0.21:1094     10.0.0.5:23        10.0.0.5:23

Although the NAT router has a pool of eight IP addresses to work with, it continues to use 42.0.0.55 for both workstations. The Cisco IOS will continue to overload the first address in the pool until it has reached its limit, then move to the second address, and so on.

Step 3. In this step, examine the timeout values in more detail. From Host A, initiate FTP and HTTP sessions with ISP1 at 10.0.0.5. Since ISP1 is not configured as an FTP server or Web server, both sessions will fail.

HostA:\>ftp 10.0.0.5

To open an HTTP session, type ISP1's IP address in the URL field of a Web browser window. After both FTP and HTTP sessions are attempted, use the show ip nat translation verbose command and examine the time left entries, as shown here:

SanJose1#show ip nat translation verbose
Pro  Inside global      Inside local        Outside local     Outside global
icmp 42.0.0.55:1536    192.168.0.21:1536   10.0.0.5:1536     10.0.0.5:1536
    create 00:00:29, use 00:00:26, left 00:00:33, flags: extended, use_count: 0
tcp  42.0.0.55:1114    192.168.0.21:1114   10.0.0.5:21       10.0.0.5:21
    create 00:00:16, use 00:00:15, left 00:00:44, flags: extended, timing-out, use_count: 0
tcp  42.0.0.55:1113    192.168.0.21:1113   10.0.0.5:23       10.0.0.5:23
    create 00:00:22, use 00:00:22, left 23:59:37, flags: extended, use_count: 0
tcp  42.0.0.55:1115    192.168.0.21:1115   10.0.0.5:80       10.0.0.5:80
    create 00:00:12, use 00:00:11, left 23:59:48, flags: extended, use_count: 0

Notice that some of the TCP transactions are using a 24 hour timeout timer. To see the other timers that can be set, use the ip nat translation ? command while in global configuration mode, as shown here:

SanJose1(config)#ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows

The actual timeout options vary with versions of the IOS. The defaults for some of the more common timers are:

• dns-timeout: DNS session, lasts 60 seconds
• finrst-timeout: TCP session after a FIN or RST / end of session, lasts 60 seconds
• icmp-timeout: ICMP session, lasts 60 seconds
• tcp-timeout: TCP port session, lasts 86,400 seconds or 24 hours
• timeout: Dynamic NAT translations, lasts 86,400 seconds or 24 hours
• udp-timeout: UDP port session, lasts 300 seconds or 5 minutes

The finrst-timeout timer makes sure that TCP sessions close the related port 60 seconds after the TCP termination sequence.

Dynamic NAT sessions can only be initiated by an internal host. It is not possible to initiate a NAT translation from outside the network. To some extent, this adds a level of security to the internal network. It may also help to explain why the dynamic timeout timer for overload sessions is so short. The session stays open just long enough to make sure that legitimate replies like Web pages, FTP and TFTP sessions, and ICMP messages can get in.

In Lab 11.5.1 it was seen that outside hosts can ping the static NAT translations at any time, provided the inside host is up. This is so Web, FTP, TFTP, DNS, and other types of servers can be shared with the outside world. With dynamic NAT not configured for overload, the translation stays up for 24 hours. This could allow an outside host to try to access the translation and therefore the host. But with the overload option, the outside host has to be able to recreate the NAT IP address plus the port number. Therefore, this reduces the likelihood of an unwanted host gaining access to the system.

Step 4. To see the actual translation process and troubleshoot NAT problems, use the debug ip nat command and its related options. Remember that, as with all debug commands, this can seriously impair the performance of a production router and should be used wisely. The undebug all command turns off all debugging. On SanJose1, use the debug ip nat command to turn on the debug feature. From Host A, ping ISP1's serial interface, 10.0.0.5, and observe the translations as shown here:

SanJose1#debug ip nat
IP NAT debugging is on
06:37:40: NAT: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [63]
06:37:40: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [63]
06:37:41: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [64]
06:37:41: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [64]
06:37:42: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [65]
06:37:42: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [65]
06:37:43: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [66]
06:37:43: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [66]
06:38:43: NAT: expiring 42.0.0.55 (192.168.0.21) icmp 1536 (1536)

Turn off debugging:

SanJose1#undebug all
All possible debugging has been turned off

Notice that both translations can be seen as the pings pass both ways through the NAT router. Notice that the number at the end of the row is the same for both translations of each ping. The s= indicates the source, d= indicates the destination and -> shows the translation. The 06:38:43 entry in the translations shows the expiration of the NAT translation. The detailed option can be used with debug ip nat to provide the port numbers as well as the IP address translations, as shown here:

SanJose1#debug ip nat detailed
IP NAT detailed debugging is on
07:03:50: NAT: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [101]
07:03:50: NAT: address not stolen for 192.168.0.21, proto 1 port 1536
07:03:50: NAT: ipnat_allocate_port: wanted 1536 got 1536
07:03:50: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [101]
07:03:51: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [102]
07:03:51: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [102]
07:03:52: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [103]
07:03:52: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [103]
07:03:53: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [104]
07:03:53: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [104]
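The translation and timeout behaviour this lab walks through, as an added Python simulation (not IOS code and not part of the course): inside-initiated traffic creates an overloaded entry on the first pool address, an unsolicited outside packet finds no entry and is dropped, and each entry expires on its own per-protocol timer. The addresses are the lab's; the inside prefix, the port allocation order and the choice to match entries on the outside peer (as the show ip nat translation table lists them) are assumptions of the simulation.

```python
from dataclasses import dataclass
from itertools import chain

# Default timers quoted in the lab (seconds); real IOS defaults vary by release.
TIMEOUTS = {"icmp": 60, "tcp": 86_400, "udp": 300}
FINRST_TIMEOUT = 60   # finrst-timeout: a TCP entry after FIN or RST


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin_rst: bool = False   # TCP teardown (FIN or RST) seen in this packet


@dataclass
class Entry:
    proto: str
    inside_local: tuple     # (ip, port) of the inside host
    inside_global: tuple    # (ip, port) the outside world sees
    outside: tuple          # (ip, port) of the outside peer
    last_use: float
    timeout: int


class OverloadNat:
    """ip nat inside source list ... pool ... overload, simplified."""

    def __init__(self, pool, inside_prefix):
        self.pool = pool                    # global addresses, in pool order
        self.inside_prefix = inside_prefix  # assumption: "192.168.0." marks inside hosts
        self.entries = []                   # the translation table

    def _find(self, proto, inside_global, outside):
        for e in self.entries:
            if (e.proto, e.inside_global, e.outside) == (proto, inside_global, outside):
                return e
        return None

    def _allocate(self, proto, wanted_port, outside):
        # Overload the first pool address until its ports run out, then move on;
        # like IOS, try to keep the host's own source port ("wanted 1536 got 1536").
        for ip in self.pool:
            others = (p for p in range(1024, 65536) if p != wanted_port)
            for port in chain([wanted_port], others):
                if self._find(proto, (ip, port), outside) is None:
                    return (ip, port)
        raise RuntimeError("NAT pool exhausted")

    def outbound(self, pkt, now):
        """Inside -> outside: the only direction that can create an entry."""
        if not pkt.src.startswith(self.inside_prefix):
            return None
        local, outside = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        entry = next((e for e in self.entries
                      if (e.proto, e.inside_local, e.outside) == (pkt.proto, local, outside)), None)
        if entry is None:
            entry = Entry(pkt.proto, local, self._allocate(pkt.proto, pkt.sport, outside),
                          outside, now, TIMEOUTS[pkt.proto])
            self.entries.append(entry)
        entry.last_use = now                # activity resets only this session's timer
        if pkt.fin_rst:
            entry.timeout = FINRST_TIMEOUT
        return Packet(pkt.proto, *entry.inside_global, pkt.dst, pkt.dport, pkt.fin_rst)

    def inbound(self, pkt, now):
        """Outside -> inside: succeeds only against an entry an inside host created."""
        entry = self._find(pkt.proto, (pkt.dst, pkt.dport), (pkt.src, pkt.sport))
        if entry is None:
            return None                     # no translation: the router drops it
        entry.last_use = now
        return Packet(pkt.proto, pkt.src, pkt.sport, *entry.inside_local, pkt.fin_rst)

    def expire(self, now):
        """Drop entries whose own timer has run out; return what expired."""
        gone = [e for e in self.entries if now - e.last_use >= e.timeout]
        self.entries = [e for e in self.entries if not any(e is g for g in gone)]
        return gone


def demo():
    nat = OverloadNat(pool=["42.0.0.55", "42.0.0.56"], inside_prefix="192.168.0.")
    # Host A pings ISP1: the echo request creates the entry and the reply matches it.
    echo = nat.outbound(Packet("icmp", "192.168.0.21", 1536, "10.0.0.5", 1536), now=0)
    reply = nat.inbound(Packet("icmp", "10.0.0.5", 1536, echo.src, echo.sport), now=1)
    # Another outside host aims at the same global address and port, unsolicited.
    probe = nat.inbound(Packet("icmp", "10.0.1.2", 1536, "42.0.0.55", 1536), now=2)
    # A telnet session gets the 24 h tcp-timeout ...
    nat.outbound(Packet("tcp", "192.168.0.21", 1094, "10.0.0.5", 23), now=2)
    # ... while a torn-down FTP attempt drops to the 60 s finrst-timeout.
    nat.outbound(Packet("tcp", "192.168.0.21", 1095, "10.0.0.5", 21), now=3)
    nat.outbound(Packet("tcp", "192.168.0.21", 1095, "10.0.0.5", 21, fin_rst=True), now=4)
    expired = nat.expire(now=65)            # a minute later
    return {
        "global": (echo.src, echo.sport),
        "reply_to": (reply.dst, reply.dport),
        "probe_dropped": probe is None,
        "expired": sorted((e.proto, e.outside[1]) for e in expired),
        "remaining": [(e.proto, e.outside[1], e.timeout) for e in nat.entries],
    }
```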


Lab 2.5.4: Configuring TCP Load Distribution

[Diagram: ISP1 (S0/0 10.0.0.5 /30, Fa0/0 10.0.2.1 /24); SanJose1 (S0/0 10.0.0.6 /30, Fa0/0 192.168.0.5 /24); Web2 (Fa0/0 192.168.0.6 /24); Host A (10.0.2.20 /24)]

Objective

In this lab, the student will configure NAT with the TCP Load Distribution option. The student will also learn to use the prefix-length option as an alternative to the netmask option of the ip nat pool command.

Scenario

The International Travel Agency (ITA) expanded and updated their network. ITA chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the outside world. In securing the outside IP addresses from their ISP, ITA is having to pay a monthly fee per IP address. ITA has asked that a series of prototypes be set up that demonstrate NAT's capabilities to meet ITA's requirements. The company hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons including security concerns, the company wishes to hide the internal network from the outside.

ITA's Web server, 192.168.0.5, is overwhelmed by outside traffic. A pool of two mirrored servers needs to be created to handle the load. These servers will be addressed as 192.168.0.5 and 192.168.0.6. Outside users and DNS use the global IP address, 42.0.0.51, to access the Web server. ITA would like to continue using the single address and have the NAT router distribute the requests between the two mirrored servers. A prototype needs to be created that will demonstrate TCP load distribution using NAT.

Step 1. Build and configure the network according to the diagram. Host A represents a user outside of ITA's network. Make sure to configure Host A with the correct default gateway.

Note: SanJose1's Fast Ethernet interface should be configured with the IP address 192.168.0.5 /24. This is for testing purposes, so that SanJose1 can respond to HTTP requests directed to 192.168.0.5.

Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6


Specify an interface on SanJose1 to be used by inside network hosts requiring address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Verify that the workstation can ping 10.0.0.5 and 10.0.0.6. Troubleshoot as necessary.

Step 2. For testing purposes, configure SanJose1 as a Web server at 192.168.0.5, as shown here:

SanJose1(config)#ip http server

For the purposes of this lab, another router will act as the second Web server. Configure this router as shown here:

Router(config)#hostname Web2
Web2(config)#enable password cisco
Web2(config)#ip default-gateway 192.168.0.5
Web2(config)#no ip routing
Web2(config)#interface fastethernet0/0
Web2(config-if)#ip address 192.168.0.6 255.255.255.0
Web2(config-if)#exit
Web2(config)#ip http server

Step 3. Create a NAT pool to represent the planned Web servers, shown as follows:

SanJose1(config)#ip nat pool WebServers 192.168.0.5 192.168.0.6 prefix-length 24 type rotary

Note: In this command, the keyword prefix-length is used instead of the keyword netmask. Both keywords specify the subnet mask. The prefix-length option allows the mask to be specified as a bit count, 24 instead of 255.255.255.0. The type rotary option sets up a rotation through the designated pool. The name WebServers is a user-defined name, so it can be any useful word.

Next, create an access list to define the global address that will be used to access the server pool. Remember to use 42.0.0.51, which was the original Web server IP address that is known to the outside users:

SanJose1(config)#access-list 50 permit 42.0.0.51

The command that links the pool and the global address is:

SanJose1(config)#ip nat inside destination list 50 pool WebServers

The inside destination keywords indicate that the NAT translations will be established from the outside network to the inside network.


Step 4. Ping 42.0.0.51 from Host A. The ping should fail, because ping uses ICMP and not TCP, and TCP is the only protocol supported by the NAT load distribution feature. To test the configuration, open a Web browser window on Host A and type 42.0.0.51 into its address line. When the router's login prompt appears, use any username and cisco as the password. Note: the password is case sensitive. If the router is not configured with cisco as the enable password, enter the password it is configured with instead.

After authenticating to the router, a page similar to the following should be seen:

1. What is the inside address of the router whose Web server is being viewed?

Click on the refresh button of the Web browser. A new page should appear, as shown in the following figure.


2. What is the inside address of the router whose Web server is being viewed?

3. If refresh is clicked again, what will happen?

To verify that SanJose1 is distributing the TCP load between itself and Web2, issue the show ip nat translation command, as shown here:

SanJose1#show ip nat translation
Pro  Inside global     Inside local       Outside local     Outside global
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1322    10.0.2.20:1322
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1323    10.0.2.20:1323
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1324    10.0.2.20:1324
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1325    10.0.2.20:1325
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1326    10.0.2.20:1326
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1327    10.0.2.20:1327
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1328    10.0.2.20:1328
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1329    10.0.2.20:1329
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1330    10.0.2.20:1330
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1331    10.0.2.20:1331
tcp  42.0.0.51:80      192.168.0.5:80     10.0.2.20:1332    10.0.2.20:1332
tcp  42.0.0.51:80      192.168.0.6:80     10.0.2.20:1333    10.0.2.20:1333
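The rotary pool behaviour of Steps 3 and 4, as an added Python simulation (not IOS code and not part of the lab): only new TCP connections to the address the access list permits are handed to the next server in the pool, an established flow keeps its server, and ICMP is left untranslated, which is why the ping in Step 4 fails. Addresses are the lab's; keying a flow on the outside source address and port, and the strict alternation, are simplifying assumptions.

```python
from itertools import cycle


class RotaryNat:
    """ip nat inside destination list 50 pool WebServers, with a rotary pool."""

    def __init__(self, global_ip, pool):
        self.global_ip = global_ip      # the address access-list 50 permits
        self.pool = cycle(pool)         # WebServers, used in order and wrapped around
        self.table = {}                 # (outside ip, port) -> (inside local ip, port)

    def inbound(self, proto, src, sport, dst, dport):
        """Return the address a packet arriving from the outside is delivered to."""
        if proto != "tcp" or dst != self.global_ip:
            return dst                  # untranslated: ICMP to 42.0.0.51 reaches no server
        flow = (src, sport)             # assumption: one browser connection = one flow
        if flow not in self.table:      # a new connection takes the next server in rotation
            self.table[flow] = (next(self.pool), dport)
        return self.table[flow][0]

    def translations(self):
        """Rows in the shape of show ip nat translation: proto, global, local, outside."""
        return [("tcp", f"{self.global_ip}:{dport}", f"{local}:{dport}", f"{src}:{sport}")
                for (src, sport), (local, dport) in self.table.items()]


def demo():
    nat = RotaryNat("42.0.0.51", ["192.168.0.5", "192.168.0.6"])
    # Six successive browser connections from Host A (each refresh opens a new one).
    servers = [nat.inbound("tcp", "10.0.2.20", port, "42.0.0.51", 80)
               for port in range(1322, 1328)]
    repeat = nat.inbound("tcp", "10.0.2.20", 1322, "42.0.0.51", 80)   # same flow, same server
    ping = nat.inbound("icmp", "10.0.2.20", 0, "42.0.0.51", 0)          # not distributed
    return servers, repeat, ping, nat.translations()
```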


Remote Access Resources

WAN

Cisco Connection: A book of LAN and WAN terms used by Cisco.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/ita_book.pdf

NAT

Cisco Connection: A detailed overview of NAT, including configuration procedures.
http://www.cisco.com/warp/public/732/nat/

Internet

Overview of NAT from the RFC. Explains the need and usage of NAT.
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1631.html

Overview of NAT and some of its shortcomings and solutions to some problems.
http://www.ehsco.com/reading/19970215ncw1.html

Some things to consider when using NAT and how it works.
http://www.vicomsoft.com/knowledge/reference/nat.html

Peer-to-peer applications, the effect of NAT on them, and solutions.
http://www.alumni.caltech.edu/~dank/peer-nat.html


Remote Access: Resources 1-1

Section 1

LAN Media

Table of Contents

LAN MEDIA ..... 1
OVERVIEW ..... 3
OBJECTIVES ..... 4
1.1 LEGACY MEDIA TYPES ..... 5
1.1.1 Legacy Ethernet ..... 5
1.1.2 CSMA/CD ..... 6
1.1.3 Ethernet addressing ..... 7
1.1.4 Unicast frames ..... 8
1.1.5 Broadcast frames ..... 9
1.1.6 Multicast frames ..... 10
1.1.7 LAN frames and hex values ..... 11
1.2 FAST ETHERNET ..... 13
1.2.1 10Mbps vs. 100Mbps ..... 13
1.2.2 Full duplex and half duplex ..... 14
1.2.3 100BASE-TX ..... 16
1.2.4 100BASE-T4 ..... 17
1.2.5 100BASE-FX ..... 18
1.2.6 Practical considerations before moving to Fast Ethernet ..... 19
1.3 GIGABIT ETHERNET ..... 21
1.3.1 Specifications ..... 21
1.3.2 Gigabit architecture ..... 22
1.3.3 Full duplex and half duplex support ..... 23
1.3.4 Gigabit media options ..... 24
1.4 DETERMINING BANDWIDTH NEEDS ..... 26
1.4.1 Determining bandwidth needs ..... 26
1.4.2 Gathering user statistics ..... 27
1.4.3 Gathering traffic statistics ..... 28
1.4.4 Determining the access-layer requirements ..... 29
1.4.5 Determining the distribution-layer requirements ..... 30
SUMMARY ..... 32


Switching Section 1: LAN Media


Overview

Figure 1 A Traditional Campus Network

Since the inception of local-area networks (LANs) in the 1970s, numerous LAN technologies have come and gone. The Attached Resource Computer Network (ARCNet), a coaxial-based LAN technology using a token-bus access method, is one example of an essentially defunct LAN technology. ARCNet was the basis for some of the earliest office networks in the 1980s. ARCNet (2Mbps) was easy to deploy in an office with only a few workstations. ARCNet (2Mbps) enjoyed limited success on the market because higher-speed technologies such as 10 Mbps Ethernet and 4Mbps Token Ring were introduced soon after its inception. With the higher-bandwidth capacity of these newer technologies and the rapid development of high-speed workstations, ARCNet was quickly phased out of the marketplace.

LAN technologies such as Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI) have managed to remain in existence. [1] The legacy networks (Ethernet, Token Ring, FDDI) continue to be utilized as distribution and backbone technologies for both manufacturing and office environments. But, like ARCNet, even these technologies see higher-speed networks such as Fast Ethernet and ATM crowding them out. However, due to the wide installation and use of legacy systems, they will likely remain in place for many more years. Users will replace Ethernet and Token Ring in phases as applications demand more bandwidth.

In this chapter, the student will learn about legacy, or standard, Ethernet, as well as Fast Ethernet and Gigabit Ethernet. In addition, the student will also learn how the access methods operate, some of the physical characteristics of each, and various frame formats and address types.


Objectives

After completing this chapter, the student will be able to perform tasks relating to:

1.1 Legacy Media Types
1.2 Fast Ethernet
1.3 Gigabit Ethernet
1.4 Determining Bandwidth Needs


1.1 Legacy Media Types

1.1.1 Legacy Ethernet

Figure 1 Ethernet Technology – Operation

When mainframe computers dominated the industry, user terminals attached either directly to ports on the mainframe or to a controller that gave the appearance of a direct connection. Each wire connection was dedicated to an individual terminal. Users entered data, and the terminal immediately transmitted signals to the host (the term host here refers to the mainframe, a usage that may be confusing because normally the term is applied to end systems). Performance was driven by the horsepower in the host. If the host became overworked, users experienced delays. Note, though, that the connection between the host and terminal was not the cause of the delay. The users had full media bandwidth on the link, regardless of the workload of the host device.

Facility managers installing the connections between the terminals and the host experienced distance constraints imposed by the terminal line technology of the host. The technology limited users to locations that lay within a small radius of the host. Further, labor to install the cables inflated installation and maintenance expenses.

LANs mitigated these issues to a large degree. One of the immediate benefits of a LAN was to reduce the installation and maintenance costs by eliminating the need to install dedicated wires to each user. Instead, a single cable pulled from user to user allowed users to share a common infrastructure instead of having dedicated infrastructures for each station.

A problem arises when users share a cable, however. Specifically, how does the network control who uses the cable and when? Broadband technologies such as cable television (CATV) support multiple users by multiplexing data on different channels (frequencies). Think of each video signal on a CATV system as a data stream; each data stream is transported over its own channel.


A CATV system carries multiple channels on a single cable, and can therefore carry multiple data streams concurrently. This is an example of frequency-division multiplexing (FDM). The initial LANs were conceived as baseband technologies, which do not have multiple channels. Baseband technologies do not transmit using FDM. Rather, they use bandwidth sharing, meaning simply that users take turns transmitting. Ethernet and other LAN technologies define sets of rules known as access methods for sharing the cable. The access methods approach media sharing differently, but have essentially the same end goal in mind.

1.1.2 CSMA/CD

Figure 1 Ethernet Technology – Operation

Carrier sense multiple access collision detect (CSMA/CD) describes the Ethernet access method. In Ethernet, multiple access is the terminology for many stations attaching to the same cable and having the opportunity to transmit. No station has any priority over any other station. However, the stations do need to take turns, as defined by the access algorithm.

Carrier sense refers to the process of listening before speaking. The Ethernet device wishing to communicate looks for energy on the media (an electrical carrier). If a carrier exists, the cable is in use and the device must wait to transmit. Many Ethernet devices maintain a counter of how many times they have to defer a transmission. Some devices call the counter a deferral or back-off counter. If the deferral counter exceeds a threshold value of 15 retries, the device attempting to transmit assumes that it will never get access to the cable to transmit the packet. In this situation, the source device discards the frame. This might happen if there are too many devices on the network, implying that there is not enough bandwidth available.

When two or more devices on the same segment attempt to transmit at the same time, a collision occurs. The devices that were transmitting can sense that a collision has occurred because the power level on the cable exceeds a certain mark. When stations detect that a collision has occurred, the participants generate a collision enforcement signal. The enforcement signal lasts as long as the smallest frame size. In the case of Ethernet, that equates to 64 bytes. This ensures that all stations know about the collision and that no other station attempts to transmit during the collision event. If a station experiences too many consecutive collisions, the station stops attempting to transmit the frame. Some workstations display an error message to the user; the exact message differs from platform to platform, but every workstation attempts to convey to the user that it was unable to send data for one reason or another.

1.1.3 Ethernet addressing

Figure 1 A Simple Ethernet Network

How do stations identify each other? In Ethernet, an application can choose to address the entire group, a set of hosts, or a specific host within the scope of communication (the Ethernet segment). Speaking to the group requires a broadcast; contacting a set of individual stations requires a multicast; and addressing one end system requires a unicast.

Most traffic in a network is unicast in nature, characterized as traffic from a specific station to another specific device. Some applications generate multicast traffic. Examples include multimedia services over LANs. These applications intend for more than one station to receive the traffic, but not necessarily all the stations. Video conferencing applications frequently implement multicast addressing to specify a group of recipients. Networking protocols typically have a need to create broadcast traffic in certain instances. For example, IP creates broadcast packets for Address Resolution Protocol (ARP) requests. Routers often transmit routing updates as broadcasts. AppleTalk, Novell Internetwork Packet Exchange (IPX), and other Layer 3 protocols create broadcasts to perform name resolution and to carry out various other functions.

The Figure shows a simple Ethernet system with several devices attached. The Ethernet adapter card of each device has a 48-bit (6-octet) address built into it that uniquely identifies the station. This is called the Media Access Control (MAC) address, or the hardware address. All the devices in a LAN must have a unique MAC address. Devices express MAC addresses as hexadecimal values. Sometimes MAC address octets are separated by hyphens "-", sometimes by colons ":", and sometimes by periods ".". The three formats, 00-60-97-8F-4F-86, 00:60:97:8F:4F:86, and 0060.978F.4F86, all specify the same host.


To help ensure uniqueness, the first three octets indicate the vendor that manufactured the interface card. This is known as the Organizational Unique Identifier (OUI). Each manufacturer has a unique IEEE-assigned OUI value. The last three octets of the MAC address amount to a host identifier for the device. The last three octets are assigned by the vendor. The combination of OUI and "host number" creates a unique address for that device. Each vendor is responsible for ensuring that each of the Ethernet adapters it manufactures has a unique combination of six octets.

1.1.4 Unicast frames

Figure 1 A Simple Ethernet Network

In a LAN, stations use the Layer 2 MAC address in a frame to identify the source and destination. When Station 1 transmits to Station 2 in the Figure, Station 1 generates a frame that includes the Station 2 MAC address (00-60-08-93-AB-12) for the destination and the Station 1 address (00-60-08-93-DB-C1) for the source. This is a unicast frame. Because the LAN is a shared medium, all stations on the network receive a copy of the frame. Only Station 2 processes the frame; however, all stations compare the destination MAC address with their own MAC address. If they do not match, the interface module of the station discards (ignores) the frame. This prevents the packet from consuming CPU cycles within the device. Station 2, however, sees a match and sends the packet to the CPU for further analysis. The CPU examines the network protocol information and the intended application and decides whether to drop or use the packet.


1.1.5 Broadcast frames

[Figure: a Video Server sends one 1.5 Mb broadcast stream that reaches three Receivers and one station labelled "Not a Receiver", which remarks: "I do not want to receive this video stream, but my CPU still needs to process that 1.5 MB of data!"]

In a broadcast design, an application sends only one copy of each packet using a broadcast address. This method of transmission is easier to implement than unicast applications, but can have serious effects on the network. Allowing the broadcast to propagate throughout the network is a significant burden on both the network and the hosts connected to the network. Routers can be configured to stop broadcasts at the LAN boundary, but this technique limits the receivers according to physical location.

Figure 1 Broadcast Traffic

Not all frames contain unicast destination addresses. Some have broadcast or multicast destination addresses. Workstations and network devices treat broadcast and multicast frames differently from unicast frames. Stations view broadcast frames as public service announcements. When a station receives a broadcast, the source is saying, "Pay attention, I might have an important message." A broadcast frame has a destination MAC address of FF-FF-FF-FF-FF-FF (all binary 1s). Like unicast frames, all stations receive a frame with a broadcast destination address. When the interface compares its own MAC address against the destination address, they do not match. Normally, a station discards the frame because the destination address does not match its own hardware address. But broadcast frames are treated differently. Even though the destination and built-in address do not match, the interface module is designed so that it still passes the broadcast frame to the processor. This is intentional because the broadcast frame might have an important request or information.

Unfortunately, probably only one or at most a few stations really need to receive the broadcast message. For example, an IP ARP request creates a broadcast frame, even though it intends for only one station to respond. The source sends the request as a broadcast because it does not know the destination MAC address and is attempting to find it. When a source only knows the destination IP address, it creates an ARP request. However, that is not enough information to address a station on the LAN. The frame must also contain the destination MAC address.

Routing protocols sometimes use broadcast MAC addresses when they announce their routing tables. For example, by default, routers send IP Routing Information Protocol (RIP) updates every 30 seconds. The router transmits the update in a broadcast frame. The router does not necessarily know all the routers on the network. By sending a broadcast message, the router is sure that all routers attached to the network will receive the message. There is a downside to this, however. All devices on the LAN receive and process the broadcast frame, even though only a few devices really needed the updates. This consumes CPU cycles in every device. If the number of broadcasts in the network becomes excessive, workstations cannot do the things they need to do, such as run word processors or flight simulators.

1.1.6 Multicast frames

Figure 1 Multicast Frames

Multicast frames differ from broadcast frames in a subtle way. A multicast frame addresses a group of devices with a common interest: the source sends only one copy of the frame on the network, even though it intends for several stations to receive it. On the wire, a group address is marked by the low-order bit of the first octet of the destination MAC address (the I/G bit) being set to 1; the broadcast address is simply the group address with every bit set. When a station receives a multicast frame, it compares the multicast address with the group addresses its interface has been told to accept. Unless the card is configured to accept that multicast address, the frame is discarded on the interface and does not consume CPU cycles, which is the same behavior as for a unicast frame addressed to another station.

For example, Cisco devices running the Cisco Discovery Protocol (CDP) make periodic announcements to other locally attached Cisco devices. The information in the announcement is interesting only to other Cisco devices (and the network administrator). To make the announcement, the Cisco source could send a unicast to each Cisco device; that, however, means multiple transmissions on the segment, consuming network bandwidth with redundant information. Furthermore, the source might not know about all the local Cisco devices and could therefore choose to send one broadcast frame. All Cisco devices would receive the frame. Unfortunately, so would all third-party devices. The last alternative is a multicast address. Cisco has a reserved multicast address, 01-00-0C-CC-CC-CC, that lets a Cisco device transmit to all other Cisco devices on the segment; third-party devices ignore the frame. Open Shortest Path First (OSPF), an IP routing protocol, sends its routing updates to specially reserved multicast addresses. The reserved OSPF IP multicast addresses 224.0.0.5 and 224.0.0.6 translate to the MAC multicast addresses 01-00-5E-00-00-05 and 01-00-5E-00-00-06. Only router interfaces configured to receive OSPF announcements process these packets; all other devices filter the frame.
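The IP-to-MAC mapping just described (224.0.0.5 becoming 01-00-5E-00-00-05) and the interface filter that decides which frames reach the processor can both be written down exactly. The following is an added example, not code from the Cisco course; the reserved addresses are the published ones quoted above, and the sample MAC addresses and the `receiver_passes_frame` model are illustrative assumptions.

```python
"""Destination-address classification and IPv4 multicast MAC mapping.

Added example (not from the course text). The constants are the reserved
addresses quoted in the section; sample addresses below are made up.
"""
import ipaddress
from typing import Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
CDP_MAC = "01:00:0c:cc:cc:cc"      # Cisco reserved multicast used by CDP
IPV4_MCAST_OUI = 0x01005E          # prefix of every IPv4 multicast MAC


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def str_to_mac(s: str) -> bytes:
    return bytes(int(part, 16) for part in s.replace("-", ":").split(":"))


def classify_destination(dst: bytes) -> str:
    """Return 'broadcast', 'multicast' or 'unicast' for a 6-octet address.

    Ethernet marks group addresses with the I/G bit, the least significant
    bit of the first octet. Broadcast is the all-ones special case of a
    group address, so it is tested first.
    """
    if len(dst) != 6:
        raise ValueError("MAC address must be 6 octets")
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def ipv4_multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group (224.0.0.0/4) to its Ethernet MAC.

    The low 23 bits of the group address are placed under the 01-00-5e
    prefix, so 224.0.0.5 -> 01:00:5e:00:00:05. Only 23 of the 28 variable
    bits survive, so 32 groups share each MAC (224.0.0.5 and 225.128.0.5,
    for instance); a host that joined one of them still receives frames
    for all 32 and must filter again on the IP header.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    mac_int = (IPV4_MCAST_OUI << 24) | low23
    return mac_to_str(mac_int.to_bytes(6, "big"))


def receiver_passes_frame(dst: bytes, own_mac: bytes, joined: Set[bytes],
                          promiscuous: bool = False) -> bool:
    """Model of the interface filter described in the text (an assumption,
    not any vendor's implementation).

    A NIC hands a frame to the host if it is broadcast, addressed to the
    NIC's own unicast address, or a multicast the host has asked for.
    In promiscuous mode (packet capture) every frame is passed up.
    """
    if promiscuous:
        return True
    kind = classify_destination(dst)
    if kind == "broadcast":
        return True
    if kind == "multicast":
        return dst in joined
    return dst == own_mac


if __name__ == "__main__":
    own = str_to_mac("00:1b:21:aa:bb:cc")          # made-up station address
    joined = {str_to_mac(ipv4_multicast_mac("224.0.0.5"))}
    for group in ("224.0.0.5", "224.0.0.6", "239.255.255.250"):
        mac = ipv4_multicast_mac(group)
        print(group, "->", mac,
              "passed" if receiver_passes_frame(str_to_mac(mac), own, joined) else "filtered")
```

The 32-to-1 overlap in `ipv4_multicast_mac` is the practical caveat: a hardware multicast filter is a coarse pre-filter, and the IP stack still has to drop frames for groups it did not join.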

1.1.7 LAN frames and hex values

Figure 1 Common Ethernet Frame Formats

Figure 2 Common Routed Protocols and Their Hex Type Values

When stations transmit to each other on a LAN, they format the data in a structured manner so that devices know which octets signify what information. Various frame formats are available. When configuring a device, define the format the station will use, realizing that more than one format might be configured, as is the case for a router. Figure [1] illustrates four common frame formats for Ethernet.

Some users interchange the terms packet and frame rather loosely. However, according to RFC 1122, a significant difference does exist. A frame is the entire message, from the data link layer (Layer 2) header through and including the user data. A packet excludes the Layer 2 header and includes only the Layer 3 protocol header through and including the user data.

The frame formats developed as the LAN industry and associated protocol requirements evolved. When Xerox developed the original Ethernet (later adopted by the industry), a frame format like the Ethernet frame in Figure [1] was defined. The first six octets contain the destination MAC address, and the next six octets contain the source MAC address. The two bytes following them tell the receiver the type of Layer 3 protocol encapsulated in the data portion of the frame. For example, if the frame encapsulates an IP packet, the type field value is 0x0800. Figure [2] lists several common protocols and their associated type values. Following the type value, the receiver expects to see a protocol header: if the type value indicates IP, the receiver expects to decode an IP header next; if the value is 0x8137, the receiver decodes the encapsulated packet as a Novell IPX packet.

IEEE defined an alternative frame format. In the IEEE 802.3 formats, the source and destination MAC addresses remain, but instead of a type value the 2-byte field carries the length of the data that follows. Three derivatives of this format are used in the industry: raw 802.3, 802.3 with 802.2 Logical Link Control (LLC), and 802.3 with 802.2 and the Subnetwork Access Protocol (SNAP). A receiver recognizes that a frame follows the 802.3 format rather than the Ethernet format by the value of the 2-byte field following the source MAC address. If the value falls in the range 0x0000 to 0x05DC (1500 decimal, the largest legal data length), the field is a length; type values start at 0x0600 (1536 decimal), in which case the frame is Ethernet Version II. The values between 0x05DD and 0x05FF are undefined, and a receiver should treat a frame carrying one of them as malformed rather than guess.

Further, if the 16-bit value following the length field is 0xAAAA (the LLC DSAP and SSAP both set to 0xAA), the frame is a SNAP (IEEE 802.3 SNAP) frame; if the value is 0xFFFF (the checksum field that begins an IPX header), the frame is a raw 802.3 (Novell 802.3 raw) frame; otherwise, it is an 802.3 frame with 802.2 LLC (IEEE 802.3).
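The decision procedure above (type versus length, then 0xFFFF, 0xAAAA, or plain LLC) is exactly what a frame decoder has to implement, and the places where it must refuse to guess are where decoders go wrong. The following parser is an added example, not course code; the sample frames, addresses and payload bytes are constructed here for illustration (the IPX and IP bodies are placeholders, not real packets), and the CDP SNAP identifier is the published OUI 00-00-0C / protocol 0x2000.

```python
"""Distinguish Ethernet II from the three IEEE 802.3 framings by inspecting
the two bytes after the source MAC, as the section describes.

Added example, not taken from the course text. Sample frames are constructed
below; their payloads are placeholder bytes, not real packets.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "Novell IPX", 0x86DD: "IPv6"}
MAX_802_3_LENGTH = 0x05DC   # 1500: largest value that is a length
MIN_ETHERTYPE = 0x0600      # 1536: smallest value that is a type


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    framing: str      # "Ethernet II", "802.3 raw", "802.3 LLC", "802.3 SNAP"
    protocol: str     # decoded upper-layer protocol label
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]

    if type_len >= MIN_ETHERTYPE:
        name = ETHERTYPE_NAMES.get(type_len, f"type 0x{type_len:04x}")
        return ParsedFrame(dst, src, "Ethernet II", name, body)

    if type_len > MAX_802_3_LENGTH:
        # 0x05DD-0x05FF is neither a legal length nor an assigned type.
        raise ValueError(f"undefined type/length value 0x{type_len:04x}")

    # 802.3: the field is a length. Never trust it past the bytes actually captured.
    if type_len > len(body):
        raise ValueError("802.3 length field exceeds captured frame")
    body = body[:type_len]
    if len(body) < 2:
        raise ValueError("802.3 body too short for an LLC header")

    first_word = struct.unpack("!H", body[:2])[0]
    if first_word == 0xFFFF:
        # Novell "raw" 802.3: the IPX header (checksum 0xFFFF) follows the length directly.
        return ParsedFrame(dst, src, "802.3 raw", "Novell IPX", body)
    if first_word == 0xAAAA:
        # LLC DSAP/SSAP 0xAA, control 0x03, then a 3-byte OUI and 2-byte type.
        if len(body) < 8:
            raise ValueError("truncated SNAP header")
        oui = body[3:6]
        ethertype = struct.unpack("!H", body[6:8])[0]
        if oui == b"\x00\x00\x00":
            label = ETHERTYPE_NAMES.get(ethertype, f"type 0x{ethertype:04x}")
        else:
            label = f"OUI {oui.hex()} type 0x{ethertype:04x}"
        return ParsedFrame(dst, src, "802.3 SNAP", label, body[8:])
    # Plain 802.2 LLC: DSAP, SSAP, control, then data.
    return ParsedFrame(dst, src, "802.3 LLC", f"DSAP 0x{body[0]:02x}", body[3:])


def describe(frame: bytes) -> str:
    """One-line summary, or 'invalid: <reason>' instead of an exception."""
    try:
        p = parse_frame(frame)
    except ValueError as e:
        return f"invalid: {e}"
    return f"{p.framing} / {p.protocol}"


def build_frame(dst: bytes, src: bytes, type_or_len: int, body: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, type_or_len) + body


# Constructed sample frames (addresses and payloads are made up).
DST = bytes.fromhex("0000000000a1")
SRC = bytes.fromhex("0000000000b2")
ETH2_IP = build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19)
RAW_IPX = build_frame(DST, SRC, 30, b"\xff\xff" + b"\x00" * 28)
LLC = build_frame(DST, SRC, 7, b"\xe0\xe0\x03" + b"\x00" * 4)
SNAP_IP = build_frame(DST, SRC, 28, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19)
SNAP_CDP = build_frame(DST, SRC, 12, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\x00\x00\x00")

if __name__ == "__main__":
    for name, f in [("Ethernet II", ETH2_IP), ("raw", RAW_IPX), ("LLC", LLC),
                    ("SNAP IP", SNAP_IP), ("SNAP CDP", SNAP_CDP)]:
        print(f"{name:12s} {describe(f)}")
```

The two `raise` paths in the 802.3 branch are the ones to keep: a length field larger than the captured data, or a value in the undefined 0x05DD-0x05FF gap, should stop decoding rather than let the parser read past the buffer or silently pick a framing.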


1.2 Fast Ethernet

1.2.1 10Mbps vs. 100Mbps

Figure 1 10Mbps vs. 100Mbps

When Ethernet technology first became available to users, the 10Mbps bandwidth seemed like an unlimited resource. However, workstations have developed quite rapidly since then, and applications demand much more data in shorter amounts of time. When the data comes from remote sources rather than from a local storage device, the application needs more network bandwidth, and many new applications find 10 Mbps too slow. For example, think about a surgeon downloading an image from a server over a 10Mbps shared-media network. The surgeon must wait for the image to download before the operation can begin. If the image is a 100MB high-resolution image, it could take a while to receive. Suppose the shared network makes the available user bandwidth about 500 kbps on average: 100 MB is 800 megabits, so at 500 kbps the physician waits about 27 minutes for the image. The hospital administration would be exposing itself to surgical complications at worst and idle physician time at best. Obviously, this is not an ideal situation; clearly, more bandwidth is needed to support this medical application.

Recognizing the growing demand for higher-speed networks, the IEEE formed the 802.3u committee to begin work on a 100Mbps technology that works over twisted-pair cable. In June 1995, IEEE approved the 802.3u specification, defining a system that offered vendor interoperability at 100 Mbps. Like 10Mbps systems such as 10BASE-T, the 100Mbps systems use CSMA/CD, but they provide a huge improvement over legacy 10Mbps networks. Because they operate at ten times the speed of 10Mbps Ethernet, all timing factors scale by a factor of 10. For example, the slot time (the time it takes to transmit a 64-byte, or 512-bit, frame) for 100Mbps Ethernet is 5.12 microseconds, one-tenth that of 10Mbps Ethernet.

An objective of the 100BASE-X standard (here the X is a variable whose value identifies a particular 100Mbps standard) was to maintain a common frame format with legacy Ethernet. Therefore, 100BASE-X uses the same frame sizes and formats as 10BASE-X; everything else scales to one-tenth because of the higher data rate. When passing frames from a 10BASE-X to a 100BASE-X system, the interconnecting device does not need to rebuild the Layer 2 frame header, because it is identical on the two systems.

The original Ethernet over twisted-pair cable standard, 10BASE-T, supports Category 3, 4, and 5 cables up to 100 meters in length. 10BASE-T uses Manchester encoding and signals at 20 megahertz (MHz), a rate well within the bandwidth capacity of all three cable types. Because of the higher signaling rate of 100BASE-T, creating a single method that works over all cable types was highly unlikely. The encoding technologies available at the time forced IEEE to create variants of the standard to support both Category 3 and Category 5 cables. A fiber-optic version was created as well.

1.2.2 Full duplex and half duplex

Figure 1 Half-Duplex Ethernet Design (Standard Ethernet)


Figure 2 Full-Duplex Ethernet Design

This chapter began with a discussion of legacy Ethernet and CSMA/CD. Legacy Ethernet uses CSMA/CD because it operates on shared media where only one device can talk at a time. When a station talks, all other devices must listen, or else the system experiences a collision. In a 10Mbps system operating at half duplex, the total bandwidth available is dedicated to either transmitting or receiving, depending on whether the station is the source or the destination. The original LAN standards operate in half-duplex mode, allowing only one station to transmit at a time, as shown in Figure [1]. This was a result of the early physical-media Ethernet implementations, such as 10BASE-5 and 10BASE-2, where all stations were attached to the same cable, or "bus."

With the introduction of 10BASE-T, networks deployed hubs and attached each station to the hub on a dedicated point-to-point link; stations do not share the wire in this topology. 100BASE-X Ethernet also uses dedicated point-to-point links. Because each link is not shared, a new operational mode becomes feasible when the device at the other end is a switch rather than a repeating hub (a hub repeats every signal to every port, so it still behaves as one shared half-duplex segment). Rather than running in half-duplex mode, the systems can operate in full-duplex mode, which allows a station to transmit and receive at the same time, as shown in Figure [2], eliminating the need for collision detection. This provides a tremendous gain in possibly the most precious network commodity: bandwidth. When a station operates in full-duplex mode, it transmits and receives at full bandwidth in each direction. The most bandwidth a legacy Ethernet device can expect to enjoy is 10 Mbps; it either listens at 10 Mbps or transmits at 10 Mbps. In contrast, a 100BASE-X device operating in full-duplex mode sees 200 Mbps of bandwidth: 100 Mbps for transmitting and 100 Mbps for receiving. Users upgraded from 10BASE-T to 100BASE-X therefore have the potential to enjoy a twentyfold or greater bandwidth improvement. If the user was previously attached to a shared 10Mbps system, the user might in practice have enjoyed only a few megabits per second of effective bandwidth, so upgrading to a full-duplex 100Mbps system might provide a perceived hundredfold improvement.

The IEEE 802.3x committee designed standards for full-duplex operation of 10BASE-T, 100BASE-X, and 1000BASE-X. The 802.3x standard also defined a flow-control mechanism that allows a receiver to send a special frame back to the source whenever the receiver's buffers are about to overflow. This special MAC Control frame is called a pause frame; it is sent to the reserved multicast address 01-80-C2-00-00-01, which bridges and switches do not forward, so flow control stays on the single link. In the pause frame, the receiver asks the source to stop sending for a specified period of time, expressed in units of 512 bit times. If the receiver can handle incoming traffic again before the timer value in the pause frame expires, it sends another pause frame with the timer set to zero, which tells the source that it can start sending again.
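The pause exchange is small enough to build and decode end to end. The code below is an added example, not course code: the field layout (destination 01-80-C2-00-00-01, EtherType 0x8808, opcode 0x0001, a 16-bit pause_time in units of 512 bit times) is the published 802.3x one, while the source address and the `handle_pause` scheduling model are illustrative assumptions.

```python
"""Build and decode an IEEE 802.3x PAUSE (MAC Control) frame and convert its
pause_time into wall-clock time for a given link rate.

Added example, not from the course text. The sample source address is made up.
"""
import struct
from typing import Optional

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved; bridges never forward it
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
PAUSE_QUANTUM_BITS = 512                    # one pause quantum = 512 bit times
MIN_FRAME_OCTETS = 64                       # legal minimum including the 4-octet FCS
SAMPLE_SRC = bytes.fromhex("0000000000b2")  # made-up source station


def build_pause_frame(src: bytes, pause_quanta: int) -> bytes:
    """Return the frame without FCS, zero-padded to the 60-octet minimum."""
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    header = struct.pack("!6s6sH", PAUSE_DST, src, MAC_CONTROL_ETHERTYPE)
    body = struct.pack("!HH", PAUSE_OPCODE, pause_quanta)
    frame = header + body
    return frame + b"\x00" * (MIN_FRAME_OCTETS - 4 - len(frame))


def parse_pause_frame(frame: bytes) -> int:
    """Return pause_time in quanta, or raise if this is not a PAUSE frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for a MAC Control header")
    dst, _src, etype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if dst != PAUSE_DST or etype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        raise ValueError("not an 802.3x PAUSE frame")
    return quanta


def pause_duration_us(pause_quanta: int, link_bps: int) -> float:
    """Quanta are bit times, so the same value lasts ten times less at 100 Mb/s than at 10 Mb/s."""
    return pause_quanta * PAUSE_QUANTUM_BITS / link_bps * 1e6


def handle_pause(frame: bytes, link_bps: int, now_us: float) -> Optional[float]:
    """Time (in microseconds) until which the transmitter must hold off, or
    None if the frame carries pause_time 0, the 'resume now' message."""
    quanta = parse_pause_frame(frame)
    if quanta == 0:
        return None
    return now_us + pause_duration_us(quanta, link_bps)


if __name__ == "__main__":
    f = build_pause_frame(SAMPLE_SRC, 0xFFFF)
    for rate in (10_000_000, 100_000_000, 1_000_000_000):
        print(f"max pause at {rate // 1_000_000} Mb/s: "
              f"{pause_duration_us(parse_pause_frame(f), rate) / 1000:.1f} ms")
```

`parse_pause_frame` checks all three identifying fields before trusting the timer; an interface that honored opcode 0x0001 on any 0x8808 frame, or on a unicast destination, would be easy to stall from anywhere on the segment.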

1.2.3 100BASE-TX

Figure 1 100BASE-X Media Comparisons

Many existing 10Mbps twisted-pair systems use a cabling infrastructure based on Category 5 unshielded twisted-pair (UTP) or shielded twisted-pair (STP) cable. The devices use two wire pairs within the cable: one pair on pins 1 and 2 for transmit and one pair on pins 3 and 6 for receive and collision detection. The 100BASE-TX Ethernet format also uses this infrastructure. Existing Category 5 cabling for 10BASE-T should therefore support 100BASE-TX, which also implies that 100BASE-TX works up to 100 meters, the same as 10BASE-T. 100BASE-TX uses the same 4B/5B encoding scheme as FDDI. This scheme adds a fifth bit for every four bits of user data, so there is a 25-percent overhead in the transmission required to support the encoding: 100 Mbps of data requires 125 Mbaud on the wire.


1.2.4 100BASE-T4

Figure 1 100BASE-X Media Comparisons

Not all building infrastructures use Category 5 cable; some use Category 3. Category 3 cable was installed in many locations to support voice transmission, and it is frequently referred to as voice-grade cable. It is tested for voice and low-speed data applications up to 16 megahertz (MHz). Category 5 cable, on the other hand, is intended for data applications, and is tested up to 100 MHz. Because Category 3 cable exists in so many installations, and because many 10BASE-T installations are on Category 3 cable, the IEEE 802.3u committee included this as an option. As with 10BASE-T, 100BASE-T4 links work up to 100 meters. To support the higher data rates, 100BASE-T4 uses more cable pairs. Three pairs support transmission and one pair supports collision detection. Another technology aspect to support the high data rates over a lower bandwidth cable comes from the encoding technique used for 100BASE-T4. 100BASE-T4 uses an encoding method of 8B/6T (8 bits/6 ternary signals), thus significantly lowering the signaling frequency and making it suitable for voice-grade wire.


1.2.5 100BASE-FX

Figure 1 100BASE-X Media Comparisons

The 802.3u specification identifies a variant for single-mode and multimode fiber-optic cables. The 100BASE-FX Ethernet format uses two strands (one pair) of fiber, one for transmitting and one for receiving. Like 100BASE-TX, 100BASE-FX uses 4B/5B encoding, signaling at 125 MHz on the optical fiber. When should the fiber-optic version be used? In situations with extended distance requirements, electrical interference concerns, or security concerns. One clear case is when distances greater than 100 meters need to be supported: multimode fiber supports up to 2000 meters in full-duplex mode and 412 meters in half-duplex mode, and single-mode fiber works up to 10 kilometers (km), a significant distance advantage. Other advantages of fiber include its electrical isolation properties. If the cable needs to be installed in areas with high levels of radiated electrical noise (near high-voltage power lines or transformers), fiber-optic cable is best, because its immunity to electrical noise makes it ideal for that environment. If the system is installed where lightning frequently damages equipment, or where ground loops exist between buildings on a campus, use fiber: fiber-optic cable carries no electrical signal that could damage the equipment. In security-conscious locations, fiber offers a more secure solution than copper, because it is harder to tap and does not radiate RF emissions that a nearby receiver could pick up. Harder is not impossible, however: a fiber can still be tapped by bending it so that light leaks into a coupler, so protect the physical cable run and encrypt traffic that must stay confidential rather than relying on the medium alone. Note that the multimode form of 100BASE-FX specifies two distances: if the equipment is running in half-duplex mode, transmission is limited to 412 meters, whereas full-duplex mode reaches up to 2 km.


1.2.6 Practical considerations before moving to Fast Ethernet

Figure 1 An Extended 100BASE-X Network with Catalyst Switches

The 100BASE-X networks offer at least a tenfold increase in network bandwidth over shared legacy Ethernet systems; in a full-duplex network, the bandwidth increases twentyfold. Is all this bandwidth really needed? After all, many desktop systems cannot generate anywhere near 100 Mbps of traffic. Most network systems are best served by a hybrid of network technologies. Some users are content on a shared 10Mbps system. These users normally do little more than e-mail, Telnet, and simple Web browsing. The interactive applications they use demand little network bandwidth, so the user rarely notices delays. Of the applications mentioned, Web browsing is most susceptible to delay, because many pages incorporate graphic images that can take some time to download if the available network bandwidth is low. If the user does experience delays that affect work, increase the user's bandwidth by doing one of the following:

• Upgrade the user to 10BASE-T full duplex and immediately double the bandwidth.

• Upgrade the user to 100BASE-X half duplex.

• Upgrade the user to 100BASE-X full duplex.

The choice of option depends on the user's application needs and the workstation capability. If the user's applications are mostly interactive, either of the first two options will likely suffice. However, if the user transfers large files, as in the case of a physician retrieving medical images, or frequently needs to access a file server, 100BASE-X full duplex might be most appropriate.


Another appropriate use of Fast Ethernet is for backbone segments. A corporate network often has an invisible hierarchy where distribution networks to the users are lower-speed systems, whereas the networks interconnecting the distribution systems operate at higher rates. The decision to deploy Fast Ethernet as part of the infrastructure is driven by corporate network needs, as opposed to individual user needs, as previously considered.


1.3 Gigabit Ethernet

1.3.1 Specifications

Figure 1 Specifications

Another higher-bandwidth technology became available in June 1998. Gigabit Ethernet (IEEE standard 802.3z) specifies operation at 1000 Mbps, another tenfold bandwidth improvement. It was discussed earlier how stations are hard-pressed to fully utilize 100Mbps Ethernet. Why then is gigabit-bandwidth technology needed? Gigabit Ethernet proponents expect to find it either as a backbone technology or as a pipe into very-high-speed file servers. This contrasts with Fast Ethernet, which network administrators can deploy to clients or servers or use as a backbone technology. In a switched network, Gigabit Ethernet interconnects switches to form a high-speed backbone. The switches in the figure have low-speed stations connecting to them (10 and 100 Mbps) but have 1000Mbps links to pass traffic between switches. A file server in the network also benefits from a 1000Mbps connection, supporting more concurrent client accesses.


1.3.2 Gigabit architecture

Figure 1 Gigabit Architecture

Gigabit Ethernet merges aspects of 802.3 Ethernet and Fibre Channel, a gigabit technology intended for high-speed interconnections between file servers as a LAN replacement. The Fibre Channel standard details a layered network model capable of scaling to bandwidths of 4 gigabits per second (Gbps) and of extending to distances of 10 km. Gigabit Ethernet borrows the bottom two layers of that standard: FC-1 for encoding/decoding and FC-0, the interface and media layer. FC-0 and FC-1 replace the physical layer of the legacy 802.3 model, and the 802.3 MAC and LLC layers contribute the higher levels of Gigabit Ethernet. The figure illustrates the merger of the standards to form Gigabit Ethernet. The Fibre Channel physical layer incorporated by Gigabit Ethernet signals at 1.0625 gigabaud over optical fiber and supports about 800Mbps of data throughput. Gigabit Ethernet raises the signaling rate to 1.25 gigabaud and, because it uses 8B/10B encoding, the full 1 Gbps is available for data. The 8B/10B encoding is similar to the 4B/5B encoding discussed for 100BASE-TX, except that for every 8 bits of data, 2 bits are added, creating a 10-bit symbol. This encoding technique simplifies fiber-optic designs at this high data rate.

The optical connector used by Fibre Channel, and therefore by Gigabit Ethernet, is the SC (subscriber connector) style connector. This is the push-in/pull-out, or snap-and-click, connector that manufacturers adopted to overcome deficiencies of the ST (straight tip) style connector. The previously preferred ST connector is a bayonet-type connector that requires finger space on the front panel to twist the connector into place, and that finger-space requirement reduced the number of ports that could be built into a module.


1.3.3 Full duplex and half duplex support

Figure 1 Full-Duplex and Half-Duplex Support

Like Fast Ethernet, Gigabit Ethernet supports both full- and half-duplex modes with flow control. In half-duplex mode, the system operates using CSMA/CD and must consider the reduced slotTime even more carefully than Fast Ethernet. The slotTimes for 10BASE-X and 100BASE-X networks are 51.2 and 5.12 microseconds, respectively, derived from the smallest frame size of 64 octets (512 bits). In a 100BASE-X network, the slotTime translates into a network diameter of about 200 meters. If the same minimum frame size were used in Gigabit Ethernet, the slotTime would shrink to 0.512 microseconds and the diameter to about 20 meters, which is not feasible. Therefore, 802.3z developed carrier extension, which lets the network distance extend further in half-duplex mode while still supporting the smallest 802.3 frames. Carrier extension increases the slotTime to 4096 bit times, or 4.096 microseconds. The transmitting station expands the transmitted frame so that it fills the minimum slotTime by adding non-data symbols after the frame check sequence (FCS) field. Not all frame sizes require carrier extension: only frames shorter than 512 octets do. The 8B/10B encoding scheme used in Gigabit Ethernet defines various combinations of bits called symbols; some symbols signal real data, whereas the rest indicate non-data. The station appends these non-data symbols to the frame, and the receiving station identifies them, strips off the carrier-extension bytes, and recovers the original message. The figure shows the anatomy of an extended frame. The addition of the carrier-extension bits does not change the actual Gigabit Ethernet frame size: the receiving station still expects to see no fewer than 64 octets and no more than 1518 octets.
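The slot-time scaling and the carrier-extension rule above reduce to a short calculation that is worth having in executable form, because it shows what half-duplex Gigabit actually costs on small frames. This is an added example, not course code; it uses only the figures the section quotes (512-bit slot at 10 and 100 Mb/s, 4096-bit slot with carrier extension at 1000 Mb/s, 64 to 1518 octet frames) and ignores preamble and inter-frame gap.

```python
"""Slot time across Ethernet speeds and the 802.3z carrier extension a
half-duplex Gigabit transmitter must append to short frames.

Added example, not from the course text. Preamble and inter-frame gap are
deliberately left out of the efficiency figure.
"""
MIN_FRAME_OCTETS = 64
MAX_FRAME_OCTETS = 1518
LEGACY_SLOT_BITS = 512       # 10 and 100 Mb/s: one minimum frame
GIGABIT_SLOT_BITS = 4096     # 1000 Mb/s half duplex with carrier extension
GIGABIT_BPS = 1_000_000_000


def slot_time_us(rate_bps: int) -> float:
    """Slot time in microseconds for the given data rate."""
    bits = GIGABIT_SLOT_BITS if rate_bps >= GIGABIT_BPS else LEGACY_SLOT_BITS
    return bits / rate_bps * 1e6


def carrier_extension_octets(frame_octets: int, rate_bps: int,
                             full_duplex: bool = False) -> int:
    """Non-data extension symbols appended after the FCS, counted as octets.

    Only half-duplex Gigabit needs extension: frame plus extension must fill
    the 4096-bit (512-octet) slot. Frames of 512 octets or more need none,
    and the 64-octet minimum frame size itself never changes.
    """
    if not MIN_FRAME_OCTETS <= frame_octets <= MAX_FRAME_OCTETS:
        raise ValueError("frame size outside the 64-1518 octet range")
    if full_duplex or rate_bps < GIGABIT_BPS:
        return 0
    return max(0, GIGABIT_SLOT_BITS // 8 - frame_octets)


def wire_efficiency(frame_octets: int, rate_bps: int,
                    full_duplex: bool = False) -> float:
    """Fraction of transmitted symbols that belong to the frame itself."""
    ext = carrier_extension_octets(frame_octets, rate_bps, full_duplex)
    return frame_octets / (frame_octets + ext)


if __name__ == "__main__":
    for rate in (10_000_000, 100_000_000, GIGABIT_BPS):
        print(f"{rate // 1_000_000:5d} Mb/s  slot {slot_time_us(rate):.3f} us  "
              f"64-octet frame efficiency (half duplex) "
              f"{wire_efficiency(64, rate):.3f}")
```

A minimum-size frame on half-duplex Gigabit carries 64 octets inside a 512-octet slot, so `wire_efficiency(64, 1_000_000_000)` is 0.125; that is the practical reason half-duplex Gigabit is rarely deployed and why the full-duplex figure returns 1.0.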


1.3.4 Gigabit media options

Figure 1 Gigabit Ethernet Media Options

IEEE 802.3z specified several media options to support different grades of fiber-optic cable and one version to support a new copper cable implementation. The fiber-optic options vary according to the size of the fiber and the modal bandwidth. The table in the graphic summarizes the options and the distances supported by each.

The 1000BASE-SX Ethernet format uses the short wavelength of 850 nanometers (nm). Although this is a laser-based system, the distances supported are generally shorter than for 1000BASE-LX, a result of how light at this wavelength interacts with the fiber. Why use 1000BASE-SX then? Because the components are less expensive than for 1000BASE-LX. Use this least-expensive method for short distances (for example, within an equipment rack).

In fiber-optic systems, light sources differ in the type of device (LED or laser) generating the optical signal and in the wavelength they generate. Wavelength is the optical counterpart of frequency in radio-frequency (RF) systems; in optics the wavelength is specified rather than the frequency, and in practical terms it corresponds to the color of the light. Typical wavelengths are 850 and 1300 nm. Both lie in the near infrared, beyond the red end of the visible spectrum, so neither an 850-nm nor a 1300-nm source looks lit to the eye (at most a faint red glow may be perceived from an 850-nm source), which is exactly why the warning below matters. The 1000BASE-LX Ethernet format uses 1300-nm optical sources; in fact, the L of LX stands for long wavelength. 1000BASE-LX uses laser sources. Use the LX option for longer-distance requirements, and if single-mode fiber must be used, use LX. Be careful when using fiber-optic systems: do not look into a port or the end of a fiber, because the invisible laser light can damage the eye.

Not included in the table in the figure is a copper media option. The 1000BASE-CX Ethernet format uses a 150-ohm balanced shielded copper cable. This cable type is not well known in the industry but is necessary to support high-bandwidth data over copper. 1000BASE-CX supports transmissions up to 25 meters and is intended for interconnecting devices collocated within an equipment rack. This is appropriate when Catalyst switches are stacked in a rack and a high-speed link between them is desired, but the expense of fiber-optic interfaces is too high. Another copper version is the 1000BASE-T standard, which uses Category 5 twisted-pair cable. It supports up to 100 meters and uses all four pairs in the cable. This offers another low-cost alternative to 1000BASE-SX and 1000BASE-LX and does not depend on the special cable used with 1000BASE-CX. This standard is under the purview of the IEEE 802.3ab committee.


1.4 Determining Bandwidth Needs

1.4.1 Determining bandwidth needs

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

In order to determine the bandwidth needed for each link, one must determine the aggregate average bandwidth of all devices that will use that link. The figure shows a sample network topology that uses both standard Ethernet and Fast Ethernet links. In the following sections, information about user traffic patterns and network connections will be presented and a decision made as to whether or not a Fast Ethernet link will be sufficient.


1.4.2 Gathering user statistics

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

The following list outlines the user statistics for this sample network.

• One thousand users are housed in this building.

• Each floor houses 100 users.

• Each floor has one 24-port 10Mbps switch, allowing four users per port via use of a hub.

• Shared-media Ethernet can support approximately 4 Mbps of data under load; therefore, in this example each user has 1 Mbps of bandwidth.

• User standard applications are e-mail and word processing.

• Each floor is a separate IP subnet.


1.4.3 Gathering traffic statistics

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

Figure 2 Example Statistics

When determining bandwidth use in campus networks, many network administrators simply put as much bandwidth as possible in the uplinks from the access layer to the distribution layer and from the distribution layer to the core layer. In general, the aggregate bandwidth of the access-layer devices should not exceed the bandwidth of the link they use to reach the distribution-layer switch. Further, the aggregate of all uplinks to the distribution switches should not exceed the bandwidth of the links to the core layer. These rules help avoid a "bottleneck" situation, where one link overloads another.

The following list outlines the traffic characteristics of the sample network. [1]

• Eighty percent of the user traffic remains local to the floor.

• Twenty percent of the traffic must cross the core and reach the e-mail server.

• If all users simultaneously accessed the network, the switch would receive 24 ports x 4 Mbps, yielding an aggregate bandwidth of 96 Mbps.

Table [2] outlines these statistics.

1.4.4 Determining the access-layer requirements

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

As calculated in the previous section, the link between the access- and distribution-layer switches must be capable of carrying up to 96 Mbps of traffic. The choice of link type depends on the following factors:

• If the link is Fast Ethernet in full-duplex mode, it can carry 100 Mbps of traffic in each direction. This type of link would indeed support a 96Mbps load.

• If the link is standard Ethernet in full-duplex mode, it can carry only 10 Mbps of traffic in each direction. This capacity is one-tenth the offered load, and packets would be dropped once the switch and port buffers are consumed. If this situation is unacceptable, then Fast Ethernet must be chosen.

• If virtual LANs (VLANs) are implemented in this network, the link may have to operate in "trunk" mode. If this were the case, then Fast Ethernet would be required.


1.4.5 Determining the distribution-layer requirements

Figure 1 Determining the Distribution-Layer Requirements

In this example, the distribution layer must be capable of providing the following capacity:

• Total load at the distribution-layer switch is the number of access switches x 96 Mbps. In this scenario there are ten access switches, or 10 x 96 Mbps, yielding a 960Mbps aggregate bandwidth requirement at the distribution layer.

• Eighty percent of the traffic is local to the switch block and is not routed across the core.

• Twenty percent of the traffic is remote and is routed toward the core.

• Taking into consideration that only 20 percent of the traffic is remote, 20 percent x 960 Mbps yields 192 Mbps of traffic that must be able to cross the core.

This sample network supports a redundant core; therefore, each core link would carry 50 percent of the traffic load, or 96 Mbps. Given this amount of traffic, the distribution switch must be capable of switching about 187,000 packets per second. That figure assumes the worst case of minimum-size 64-byte (512-bit) frames, since 96 Mbps / 512 bits is roughly 187,500 packets per second; larger frames lower the packet rate proportionally, so the minimum-size figure is the one to size the switch against. The Layer 3 module of the distribution-layer switch is responsible for routing the remote traffic to the core, so a switch must be chosen that supports this packet rate. This topology presents no redundancy between the end user and the core. If the link between an access switch and the distribution device fails, 100 users lose connectivity. If the distribution device fails, the whole building is disconnected from the network. One solution is to add a second distribution switch with backup links to each access switch.
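The access, distribution and core figures worked through in sections 1.4.3 to 1.4.5 follow one procedure that can be written once and rerun for other buildings. The code below is an added example, not course material; its inputs are the section's figures (24 ports x 4 Mbps per access switch, ten access switches, 20 percent of traffic leaving the switch block, two core paths), and the frame size used for the packet-per-second figure is an assumption, since the text does not state one (64-octet frames reproduce its 187,000 pps).

```python
"""Three-tier capacity calculation from the section, as a reusable function.

Added example, not from the course text. The frame size behind the pps
figure is an assumption; the text gives only the resulting rate.
"""
from dataclasses import dataclass


@dataclass
class CapacityPlan:
    access_uplink_mbps: float       # offered load on each access-to-distribution link
    distribution_load_mbps: float   # sum of all access uplinks into the block
    core_bound_mbps: float          # share that leaves the block for the core
    per_core_link_mbps: float       # core-bound load spread over redundant paths
    per_core_link_pps: int          # packet rate the L3 module must switch per path


def plan(ports_per_switch: int, mbps_per_port: float, access_switches: int,
         remote_fraction: float, core_paths: int, frame_octets: int = 64) -> CapacityPlan:
    """Aggregate offered load layer by layer, then convert to packets per second.

    frame_octets defaults to the 64-octet minimum so the pps figure is the
    worst case; a switch sized for it also copes with larger frames.
    """
    if not 0.0 <= remote_fraction <= 1.0:
        raise ValueError("remote_fraction must be between 0 and 1")
    if core_paths < 1 or frame_octets < 64:
        raise ValueError("need at least one core path and a legal frame size")
    access_uplink = ports_per_switch * mbps_per_port
    distribution_load = access_uplink * access_switches
    core_bound = distribution_load * remote_fraction
    per_link = core_bound / core_paths
    pps = int(per_link * 1_000_000 / (frame_octets * 8))
    return CapacityPlan(access_uplink, distribution_load, core_bound, per_link, pps)


# Per-direction rates of the full-duplex link types discussed in this chapter.
LINK_RATES_MBPS = {"10BASE-T": 10, "100BASE-X": 100, "1000BASE-X": 1000}


def smallest_link_for(load_mbps: float) -> str:
    """Smallest full-duplex Ethernet link whose per-direction rate covers the load."""
    for name, rate in LINK_RATES_MBPS.items():
        if rate >= load_mbps:
            return name
    raise ValueError(f"{load_mbps} Mb/s exceeds the link types considered here")


if __name__ == "__main__":
    p = plan(ports_per_switch=24, mbps_per_port=4, access_switches=10,
             remote_fraction=0.2, core_paths=2)
    print(f"access uplink   {p.access_uplink_mbps:7.1f} Mb/s -> {smallest_link_for(p.access_uplink_mbps)}")
    print(f"distribution    {p.distribution_load_mbps:7.1f} Mb/s -> {smallest_link_for(p.distribution_load_mbps)}")
    print(f"core-bound      {p.core_bound_mbps:7.1f} Mb/s")
    print(f"per core path   {p.per_core_link_mbps:7.1f} Mb/s, {p.per_core_link_pps} pps at 64-octet frames")
```

Running `plan` with the section's inputs gives 96, 960, 192 and 96 Mbps and 187,500 pps; changing `remote_fraction` or `core_paths` shows immediately which layer becomes the bottleneck and which link type the section's rule of thumb (uplink at least the aggregate of what feeds it) then requires.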


Summary

After completing this chapter, the student should have a firm understanding of the following concepts:

• Despite the advent of superior standards, 10 Mbps Ethernet is the most pervasive LAN technology in the networking industry.

• Several 10 Mbps systems still exist with varied media options such as copper and fiber. This type of connection will exist for at least another few years.

• Because of the limitations that legacy Ethernet can impose on some applications, higher-speed network technologies had to be developed. IEEE created Fast Ethernet to meet this need.

• With the capability to run in full-duplex mode, Fast Ethernet offers significant bandwidth leaps to meet the needs of many users.

• For real bandwidth consumers, Gigabit Ethernet offers even more capacity to meet the needs of trunking switches together and feeding high-performance file servers.


Section 2

Configuring the Switch

Table of Contents

CONFIGURING THE SWITCH 1
OVERVIEW 3
OBJECTIVES 4
2.1 INITIAL CONNECTIVITY TO THE SWITCH 5
2.1.1 Cabling the switch block 5
2.1.2 Connecting to the console port 5
2.1.3 Connecting an Ethernet port 6
2.2 BASIC CONFIGURATION OF THE SWITCH 7
2.2.1 Clearing a configuration and Cisco 2900 series 7
2.2.2 Setting a password 10
2.2.3 Naming the switch 12
2.2.4 Configuring the switch for remote access 14
2.2.5 Identifying individual ports 16
2.2.6 Defining link speed 17
2.2.7 Defining line mode on a switch 18
2.3 IMPORTANT IOS FEATURES 21
2.3.1 Command-line recall 21
2.3.2 Using the help feature 22
2.3.3 Show commands on a set command-based switch 24
2.3.4 Password recovery 31
2.3.5 Setting an IDLE timeout 32
2.3.6 Verifying connectivity 33
2.3.7 Backup and restoration of a configuration using a TFTP server 34
2.3.8 HTTP switch commands 37
SUMMARY 40

Switching Section 2: Configuring the Switch

Overview

Those familiar with Cisco routers use a command-line interface (CLI) embedded in the Cisco IOS Software. The CLI characteristics are seen across nearly all of the router product line. However, most Catalyst switch CLIs differ from those found on Cisco routers. This chapter describes the CLI, including aspects such as command-line recall, command editing, uploading and downloading code images, and configuration files.

Objectives

After completing this chapter, the student will be able to perform tasks relating to:

2.1 Initial Connectivity to the Switch
2.2 Basic Configuration of the Switch
2.3 Important IOS Features

2.1 Initial Connectivity to the Switch

2.1.1 Cabling the switch block

Before beginning switch configuration, a physical connection between the switch and a workstation must be made. There are two types of cable connections used to manage the switch. The first type is through the console port. The second type is via the Ethernet port. The console port is used to initially configure the switch, and the port itself normally does not require configuration. In order to access the switch via the Ethernet port, the switch must be assigned an IP address. When connecting the switch's Ethernet ports to Ethernet-compatible servers, routers, or workstations, use a straight-through Category 5 cable. When connecting the switch to another switch, a crossover cable is required.

2.1.2 Connecting to the console port

To connect a management terminal to the Cisco 1900/2800 or 2900 XL Switch through the serial console, use the RJ-45-to-RJ-45 rollover cable supplied with the switch. Perform the following steps to cable the two devices:

Step 1 Connect one end of the supplied rollover cable to the console port.

Step 2 Attach one of the following supplied adapters to a management station or modem:

• RJ-45-to-DB-9 female data terminal equipment (DTE) adapter (labeled Terminal) to connect a PC
• RJ-45-to-DB-25 female DTE adapter (labeled Terminal) to connect a UNIX workstation
• RJ-45-to-DB-25 male data communications equipment (DCE) adapter (labeled Modem) to connect a modem

Step 3 Connect the other end of the supplied rollover cable to the adapter.

Step 4 From the management station, start the terminal emulation program.

To connect a management terminal to the Supervisor Engine of a Catalyst 4000/5000/6000 switch through the console, use the RJ-45-to-RJ-45 rollover cable and the appropriate adapter; both are supplied with the switch. Perform the following steps to cable the two devices:

Step 1 Connect one end of the supplied rollover cable to the console port.

Step 2 Attach one of the following supplied adapters to a management station or modem:

• RJ-45-to-DB-9 female DTE adapter (labeled Terminal) to connect a PC
• RJ-45-to-D-subminiature female adapter (labeled Terminal) to connect a UNIX workstation
• RJ-45-to-D-subminiature male adapter (labeled Modem) to connect a modem

Step 3 Connect the other end of the supplied rollover cable to the RJ-45 port.

Step 4 From the management station, start the terminal emulation program.

2.1.3 Connecting an Ethernet port

On the Cisco 1900 and 2800 Series switches, the port types are fixed. All 10BASE-T ports (ports 1x through 12x or ports 1x through 24x) can be connected to any 10BASE-T-compatible device. The 100BASE-TX ports (ports Ax and Bx) can be connected to any 100BASE-TX-compatible device.

The Cisco 4000/5000/6000 Series switches have ports that can be configured for either 10BASE-T or 100BASE-T connections. When connecting the switch to servers, workstations, and routers, it is necessary to use a straight-through cable. When connecting to other switches or repeaters, it is necessary to use a crossover cable.

The port status LED will illuminate when both the switch and the connected device are powered up. If the LED is not illuminated, it is possible that one of the devices is not turned on; there may be a problem with the adapter on the attached device or with the cable, or the wrong type of cable may be in use.

Lab Activity: In this lab activity, you will learn how to upgrade the 4006 Supervisor software.

Lab Activity: In this lab activity, you will learn how to configure a Cisco Catalyst 4000 Ethernet switch for the first time.

2.2 Basic Configuration of the Switch

2.2.1 Clearing a configuration and Cisco 2900 series

Figure 1 Clearing Configurations on an IOS Based Switch

Figure 2 clear config all Output

When connecting to a Catalyst OS "set command" based switch (such as the Catalyst 4000 and 6000), a password prompt appears at the initial login. The default password for a Catalyst 4000 is pressing the ENTER key. The correct password opens the switch's NORMAL mode. Normal mode equates to a router's User EXEC mode, allowing most switch parameters to be viewed, but not permitting any configuration changes. To make changes, enter PRIVILEGED mode. The privileged mode functionally equates to the router PRIVILEGED EXEC mode. In the switch privileged mode, configuration changes can be made directly, unlike a router, which requires global configuration mode.

With both a CLI-based switch and a set command-based switch, enter the switch privileged mode with the enable command. With a CLI-based switch, the command prompt turns to Switch#, where a pound sign (#) rather than a greater-than sign (>) follows the switch name. With a set command-based switch, the command prompt turns to Console> (enable). The switch then prompts for a password to enter privileged mode. Remember that access to the switch CLI can be through the console interface or a Telnet session.

As in a router, commands in a switch are additive. This means that adding configuration statements to an existing file will not completely overwrite the existing configuration. A foolproof way of ensuring that a new configuration completely overwrites an existing configuration is to enter the clear config all command, as shown in Figure [2]. Clearing the configuration while accessing the switch via Telnet will not allow the output to be viewed; it can be seen only when directly attached to the console. This CLI command returns the switch Supervisor module to its default configuration, where all ports belong to virtual LAN (VLAN) 1, there is no Virtual Trunking Protocol (VTP) domain (explained in Chapter 4), and all Spanning-Tree parameters go back to their default values.

It is important to note that entering this command also clears the console IP address. Clearing the configuration can be accomplished with any of the access methods, but if done while telnetting to the Catalyst switch, the connection to the switch will be lost because the switch no longer has an IP address.

On a 2900 switch, the erase startup-config command erases the configuration that is stored in NVRAM. On a 2900 switch, this does not erase the VLAN information. In order to erase the VLAN information, use the del flash:vlan.dat command. [1]

The clear config all command affects only modules that are directly configured from the Supervisor module. To clear the configurations on the router modules, access the modules with the session module_number command. This command performs the equivalent of an internal Telnet to the module. To display which slot the router module is in, use the show module command. The router modules on a switch use Cisco IOS commands to change, save, and clear configurations.

Unlike routers, the set command-based switch immediately stores commands in nonvolatile random-access memory (NVRAM) and does not require the copy run start command. Any command typed into a switch is immediately stored and remembered, even through a power cycle. This presents a challenge when attempting to reverse a series of commands. On a router, to reverse a series of commands, perform a reload without writing the running configuration into NVRAM. Before making serious changes to a set command-based switch, copy the configuration to a backup text file or to a Trivial File Transfer Protocol (TFTP) server (described later in this section). Use the clear config all command to clear the switch. Then load the previously saved configuration file.

On the other hand, when working with a Cisco IOS command-based switch, the switch behaves much more like a router. In the switch user exec mode, changes cannot be made. Use the enable command to access privileged mode and view the extensive list of configuration parameters. To configure the switch, enter configuration mode by using the configure command. This command puts the switch in global configuration mode. Configuring the switch through the console and through Telnet allows commands to be entered in real time, but only one at a time.

Unlike set command-based switches, the Cisco IOS command-based switch does not immediately store commands in NVRAM, and does require a copy run start like a router. This greatly reduces the challenge when attempting to reverse a series of commands. As with a router, to reverse a series of commands, execute a reload (provided that the running configuration wasn't saved into NVRAM).

2.2.2 Setting a password

Figure 1 Set Based Switch

Figure 2 IOS Based Switch

Figure 3 Setting a Password

Figure 4 Setting a Password

One of the first tasks to perform when configuring a device is to secure it against unauthorized access. The simplest form of security is to limit access to the switches with passwords. Setting passwords limits the level of access or completely excludes a user from logging on to a switch. Two types of login passwords can be applied to switches. The login password requires authorization before accessing any line, including the console. The enable password requires authentication before setting or changing switch parameters.

Cisco also provides levels of authority. A privilege level of "1" allows the user normal EXEC-mode user privileges. A privilege level of "15" is the level of access permitted by the enable password. To set passwords on a set-based switch, enter the commands demonstrated in Figure [1]. To remove a password, enter the no enable password level number command. Figure [2] shows an example of a Cisco 5000 Series Switch that has both a console login and enable password set. Passwords are displayed in encrypted text.

To set passwords on a Cisco IOS software-based switch, enter either one or both of the following commands in global configuration mode:

Switch(config)#enable password password
Switch(config)#enable secret password

where password is a combination of four to eight alphanumeric characters. The difference between the two is that the enable secret command encrypts the password, whereas the enable password command displays the password in cleartext. Figure [3] has an example of these commands being used. Figure [4] contains an example of a switch where the console password is cisco and the password cisco4me is the enable password required for privileged mode. Notice how both passwords are encrypted.
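As an added illustration of the enable password versus enable secret distinction (this is not code from the course), the following Python check reads an IOS-style configuration text and reports whether privileged mode is protected by an enable secret or only by a cleartext enable password, and which console or vty lines lack a password or login. The two sample configurations, the function and class names, and the placeholder hash are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed IOS-style switch configurations (not from the course text).
# The first protects privileged mode only with "enable password", which the
# configuration shows in cleartext; the second uses "enable secret", whose
# stored form is a hash (a placeholder value here, not a real hash).
CLEARTEXT_CONFIG = """\
hostname Switch2900
enable password cisco4me
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname Switch2900
enable secret 5 $1$PLCH$placeholder.hash.value
!
line con 0
 password cisco
 login
line vty 0 4
 login
"""

# Plain "enable password [level N] <password>": stored exactly as typed.
ENABLE_PASSWORD_RE = re.compile(r"^enable password (?:level \d+ )?(\S+)$")
ENABLE_SECRET_RE = re.compile(r"^enable secret ")
LINE_RE = re.compile(r"^line (\S+ .*)$")


@dataclass
class PasswordFindings:
    enable_secret: bool = False                      # "enable secret" present
    enable_password_cleartext: Optional[str] = None  # cleartext enable password, if any
    unprotected_lines: List[str] = field(default_factory=list)  # lines missing password or login


def audit_passwords(config: str) -> PasswordFindings:
    """Report how privileged mode and the terminal lines are protected."""
    findings = PasswordFindings()
    current_line: Optional[str] = None
    line_has: Dict[str, Set[str]] = {}

    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Top-level command: either a new "line" section or a global command.
            current_line = None
            m = LINE_RE.match(stripped)
            if m:
                current_line = m.group(1)
                line_has[current_line] = set()
                continue
            if ENABLE_SECRET_RE.match(stripped):
                findings.enable_secret = True
            m = ENABLE_PASSWORD_RE.match(stripped)
            if m:
                findings.enable_password_cleartext = m.group(1)
        elif current_line is not None:
            # Indented command belonging to the current line section.
            if stripped.startswith("password "):
                line_has[current_line].add("password")
            elif stripped == "login":
                line_has[current_line].add("login")

    for name, present in line_has.items():
        if {"password", "login"} - present:
            findings.unprotected_lines.append(name)
    return findings


def remediation(findings: PasswordFindings) -> List[str]:
    """Global-configuration commands that would close the reported gaps."""
    commands: List[str] = []
    if not findings.enable_secret:
        commands.append("enable secret <new-privileged-password>")
    if findings.enable_password_cleartext is not None:
        commands.append("no enable password")
    for name in findings.unprotected_lines:
        commands.extend([f"line {name}", " password <line-password>", " login"])
    return commands


if __name__ == "__main__":
    for label, text in (("cleartext", CLEARTEXT_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_passwords(text)
        print(label, result, remediation(result))
```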

2.2.3 Naming the switch

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

Every switch arrives from the factory with the same default prompt. In a large campus network, it is crucial to establish a coherent naming structure for the switches. This is especially true because most network administrators use Telnet to connect to many switches across the campus.

To set the host or system name on a Cisco IOS software-based switch such as the Cisco 2900 XL, enter the following command in global configuration mode:

Switch(config)#hostname name

where name can be from 1 to 255 alphanumeric characters. As soon as the hostname command is executed, the system prompt assumes the hostname, as seen in Figure [1]. To remove the system name, enter the no hostname command in global configuration mode.

If the switch is a set-based switch, the name assigned for the system name is used to define the system prompt. To assign a system name to the switch, enter the following command in privileged mode:

System> (enable) set system name name

where name sets the system's name. To assign a name to the CLI prompt that differs from the system name, enter the following command in privileged mode:

System> (enable) set prompt name

where name sets the CLI prompt. [2]

Lab Activity: In this lab activity, you will learn how to configure a Cisco Catalyst 2900 Ethernet switch for the first time.

2.2.4 Configuring the switch for remote access

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

To Telnet to, ping, or globally manage a switch, the switch requires an IP address and a management VLAN. Although LAN switches are essentially Layer 2 devices, these switches do maintain an IP stack for administrative purposes. Assigning an IP address to the switch associates that switch with the management VLAN, provided the subnet portion of the switch IP address matches the subnet number of the management VLAN.

To assign an IP address on a Cisco IOS software-based switch, follow these steps [1]:

1. Enter global configuration mode on the switch.
2. Go to interface VLAN 1 by issuing the command: Switch(config)#interface vlan 1
3. Enter the switch IP address with the command: Switch(config-if)#ip address address mask
4. To access the switch via a router, a default gateway must be configured on the switch. This can be done in global configuration mode with the command: Switch(config)#ip default-gateway address

The show ip interface command displays the IP address and the subnet mask for the device. In the example in Figure [1], the management interface resides in VLAN1, which is the default management VLAN, and has a subnet mask of 255.255.255.0. To remove the IP address and subnet mask, enter the no ip address command on the VLAN interface.

If the switch is a Catalyst OS set command-based switch, assign the IP address to the in-band logical interface. To assign an IP address to this interface, enter the following command in privileged mode:

Switch>(enable) set interface sc0 address netmask [broadcast address]

Defining the in-band management IP address also assigns the IP address to its associated management VLAN. The number of the VLAN must match the subnet number of the IP address. To associate the in-band logical interface with a specific VLAN, enter the following command in privileged mode:

Switch>(enable) set interface sc0 [vlan]

If a VLAN is not specified, the system automatically defaults to VLAN1 as the management VLAN. The show interface command displays the IP address and the subnet mask for the device. In the previous example, the management interface resides in VLAN1 and has a subnet mask of 255.255.255.0. [2]

Interactive Lab Activity: In this activity, you will learn how to configure basic switch management on the Catalyst 4000.

Interactive Lab Activity: In this activity, you will learn how to configure basic management on the Catalyst 2900 series access switch.

2.2.5 Identifying individual ports

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

A description can be added to an interface or port to help remember specific information about that interface, such as what access or distribution-layer device the interface services. This command is very useful in an environment where a switch has numerous connections and the administrator needs to check a link to a specific location. This description is meant solely as a comment to help identify how the interface is being used or where it is connected (such as which floor, which office, and so on). The description will appear in the display output of the configuration information.

To add a unique comment to an interface on a Cisco IOS Software-based switch, enter the following command in interface configuration mode:

Switch(config-if)#description description string

To enter a description with spaces between characters, enclose the string in quotation marks. For example:

Switch(config-if)#description "Port to fourth floor switch."

An example of this is shown in Figure [1]. To clear a description, enter the no description command on the interface in interface configuration mode.

If the access switch uses a set-based command structure, assign a description to a port by entering the following command in privileged mode:

Switch> (enable) set port name mod/number description

Variable      Description
mod           Specifies the target module on which the port resides
number        Identifies the specific port
description   Describes the specific text string

The description must be less than 21 alphanumeric characters, and spaces can be entered in the description without having to use quotation marks. To clear a port name, enter the set port name mod/num command, followed by a carriage return, in privileged mode. By not defining a port name, the value for this parameter is cleared. This command can be verified by using the show port command, as shown in Figure [2].

2.2.6 Defining link speed

Figure 1 Set Based Switch

On a Cisco IOS software-based switch, the speed of the ports is set using the speed {10|100|auto} command from interface mode. If the switch is a set-based switch, enter the following command in privileged mode to configure the port speed on 10/100-Mbps Fast Ethernet modules:

Switch> (enable) set port speed mod/num 10|100|auto

mod indicates the port module number. num indicates the port number. {10 | 100 | auto} indicates the port speed. If the port is placed in auto, both speed and port duplex will be automatically negotiated.

2.2.7 Defining line mode on a switch

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

Full-duplex is the simultaneous action of transmitting and receiving data by two devices. This operation is achievable only if the devices on each end support full-duplex. Full-duplex links not only double potential throughput, but also eliminate collisions and the need for each station to wait until the other station finishes transmitting. If reads and writes on a full-duplex link are symmetric, data throughput can be theoretically doubled. However, in reality, bandwidth improvements are more modest. Full-duplex links are particularly useful for server-to-server, server-to-switch, and switch-to-switch connections.

To set the duplex mode of an interface on a Cisco IOS software-based switch, enter the following command in interface configuration mode:

Switch(config-if)#duplex auto | full | half

Parameter   Definition
auto        Sets the 100BASE-TX port into auto-negotiation mode; this is the default for the 100BASE-TX port; this argument is valid on 100BASE-T ports only
full        Forces the 10BASE-T or 100BASE-TX port into full-duplex mode
half        Forces the 10BASE-T or 100BASE-TX port into half-duplex mode; this is the default for a 10BASE-T port

Note: Use the auto argument only for fixed Fast Ethernet TX ports. In auto-negotiation mode, the switch attempts to negotiate full-duplex connectivity with the connecting device. If negotiation is successful, the port operates in full-duplex mode. If the connecting device is unable to operate in full duplex, the port operates in half duplex. This process is repeated whenever there is a change in link status.

The example in Figure [1] shows that the fixed port FastEthernet 0/2 is configured for full-duplex mode. To return the duplex parameter to the default setting, enter the no duplex command in interface configuration mode.

To set the port duplex mode on a set-based switch, enter the following command in privileged mode:

Switch> (enable) set port duplex mod/port full | half

where

• Half-duplex mode is the default for 10-Mbps ports.
• Full-duplex mode is the default for 100-Mbps ports.

Note: The duplex mode of ports configured for auto-negotiation cannot be changed.

Use the show port command to verify the configuration. The example in Figure [2] shows that the 10/100 Ethernet module 6 port 1 is connected and is operating in full-duplex mode. It is important to note that sometimes ports are not activated by default. To activate a port, enter the set port enable mod/port command in privileged mode.

2.3 Important IOS Features

2.3.1 Command-line recall

Figure 1 Command Recall from Catalyst History Buffer

Figure 2 Catalyst Command Recall with Substitution

Figure 3 Catalyst History Buffer Example

When a command on the switch is entered, it retains the command in a buffer called the history buffer. On a Cisco IOS command-based switch, the history buffer holds the last ten commands, like a router does. To access these commands, use the up and down arrows on the keyboard. The history buffer on a set command-based switch stores up to 20 commands. Various devices have specific methods of recalling commands. The switch uses abbreviated key sequences to recall commands.

A "bang" is an ! (exclamation point) on a keyboard. When dictating commands, "exclamation mark" is too difficult to say, so "bang" is used as a verbal shortcut. Figure [1] summarizes the key sequences for recalling previous commands in the history buffer. It is possible not only to recall a command, but also to edit it. Figure [2] shows the sequences to recall and edit previous commands. For example, observe the command set vlan 3 2/1-10,4/12-216/1,5/7. This command string assigns a set of ports to VLAN 3. However, the host machines were meant for VLAN 4 rather than VLAN 3. Instead of retyping the whole command a second time and moving the ports to VLAN 4, simply type ^3^4. This forces the Catalyst switch not only to use the previous command, but also to change the number 3 to a number 4, which in this case corrects the VLAN assignment.

One frustration when mentally recalling commands can be the difficulty of remembering what command was entered seven lines previously. This can become particularly challenging because the Catalyst history buffer stores up to 20 commands. Use the history command to see the history buffer. Figure [3] shows output from a history command. Notice that the commands are numbered, allowing the user to reference a specific entry for command recall. For example, the output recalls command 2 from the history buffer. This caused the Catalyst switch to recall the history command. Note also that new commands add to the bottom of the list. Newer commands have higher numbers.

2.3.2 Using the help feature

Figure 1 Catalyst Help Example

Figure 2 Another Catalyst Help Example

Figure 3 Command Recall after Help

The help command on a Cisco IOS command-based switch works the same as that on a router. On a switch, access help by entering ? on a command line. The switch then prompts the user with all possible choices for the next parameter. By typing in the next parameter and typing ? again, the switch displays the next set of command-line choices. In fact, the switch displays help on a parameter-by-parameter basis. Additionally, when the switch displays help options, it also ends by displaying the portion of the command that was entered so far. This enables the user to continue to append commands to the line without needing to reenter the previous portion of the command.

The help system on a set command-based switch functions differently from the router. Help is accessed in the same manner as in a router, but the results differ. For example, where a router prompts the user for the next parameter, a Catalyst switch displays the entire usage options for the command. Figure [1] shows the help result for a partial command string. The string does not uniquely identify what parameter should be modified and lists all related commands. On the other hand, if enough of the command is entered on the line that the Catalyst switch recognizes what command was intended, it displays the options for that command. This time, in Figure [2], the string identifies a specific command and the Catalyst switch displays help appropriate for that command. The user here wants to modify the console interface in some way, but is unsure of the syntax used with the command. Notice that when the console displays help, it returns the command line with a blank line. The command string entered so far is not displayed as it is on a router.

Now use command recall. To disable the logical interface sc0, enter the command set int sc0 down. Use command recall to complete the command. What happens if the command typed is !! sc0 down? The command usage screen appears again, without the console changing state to down. This happens because the command recall executes the previous statement, which was set int ? with the help question mark, and appends the new parameters to it. With the additional parameters, the switch interprets the string as set int ? sc0 down, sees the question mark, and displays help. [3]

2.3.3 Show commands on a set command-based switch

Console> (enable) show config
..........
begin
set password $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name
set system location
set system contact
!
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
!Other SNMP commands deleted
#IP
!This sets up the console or slip interfaces.
set interface sc0 1 144.254.100.97 255.255.255.0 144.254.100.255
!
set interface sl0 0.0.0.0 0.0.0.0
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip alias default 0.0.0.0
!
#Command alias
!
#vmps
set vmps server retry 3
set vmps server reconfirminterval 60
set vmps tftpserver 0.0.0.0 vmps-config-database.1
set vmps state disable
!
#dns
set ip dns disable
!
#tacacs+
!This section configures the TACACS+ authentication parameters
!
#bridge
!This section defines FDDI module behavior
!
#vtp
!This section characterizes the virtual trunk protocol and
!vlan parameters
!
#spantree
#uplinkfast groups
set spantree uplinkfast disable
#vlan 1
set spantree enable 1
set spantree fwddelay 15 1
set spantree hello 2 1
set spantree maxage 20 1
set spantree priority 32768 1
!Other VLAN Spanning Tree information deleted. This section
!describes Spanning Tree for each VLAN.
!
#cgmp
!This group of commands controls the Catalyst multicast behavior
!
#syslog
set logging console enable
set logging server disable
!Other logging commands deleted. This characterizes what events
!are logged.
!
#ntp
!This sets up network time protocol
!
#set boot command
set boot config-register 0x102
set boot system flash bootflash:cat5000-sup3.3-1-1.bin
!Any special boot instructions are placed here.
!
#permit list
!The access list is found here
set ip permit disable
!
#drip
!This is Token Ring stuff to take care of duplicate ring
!numbers.
!
!On a per module basis, the Catalyst displays any module specific
!configurations.
#module 1 : 2-port 10/100BaseTX Supervisor
set module name 1
set vlan 1 1/1-2
set port channel 1/1-2 off
set port channel 1/1-2 auto
set port enable 1/1-2
set port level 1/1-2 normal
set port speed 1/1-2 auto
set port trap 1/1-2 disable
set port name 1/1-2
set port security 1/1-2 disable
set port broadcast 1/1-2 100%
set port membership 1/1-2 static
set cdp enable 1/1-2
set cdp interval 1/1-2 60
set trunk 1/1 auto 1-1005
set trunk 1/2 auto 1-1005
set spantree portfast 1/1-2 disable
set spantree portcost 1/1 100
set spantree portcost 1/2 100
set spantree portpri 1/1-2 32
set spantree portvlanpri 1/1 0
set spantree portvlanpri 1/2 0
set spantree portvlancost 1/1 cost 99
set spantree portvlancost 1/2 cost 99
!
#module 2 empty
!
#module 3 : 24-port 10BaseT Ethernet
set module name 3
set module enable 3
set vlan 1 3/1-24
set port enable 3/1-24
set port level 3/1-24 normal
set port duplex 3/1-24 half
set port trap 3/1-24 disable
set port name 3/1-24
set port security 3/1-24 disable
set port broadcast 3/1-24 0
set port membership 3/1-24 static
set cdp enable 3/1-24
set cdp interval 3/1-24 60
set spantree portfast 3/1-24 disable
set spantree portcost 3/1-24 100
set spantree portpri 3/1-24 32
!
#module 5 : 1-port Route Switch
!Note that the only things in this configuration are Spanning
!Tree and bridge related. There are no routing configs here.
set module name 5
set port level 5/1 normal
set port trap 5/1 disable
set port name 5/1
set cdp enable 5/1
set cdp interval 5/1 60
set trunk 5/1 on 1-1005
set spantree portcost 5/1 5
set spantree portpri 5/1 32
set spantree portvlanpri 5/1 0
set spantree portvlancost 5/1 cost 4
!
#switch port analyzer
!If you set up the ability to monitor switched traffic, the
!the configs will show up here
set span disable
!
#cam
!set bridge table aging to five minutes
set cam agingtime 1,1003,1005 300
end
Console> (enable)

Figure 1 Annotated Supervisor Configuration File

Figure 2 show interface Display


Figure 3 show module Output

To view configurations on a set command-based switch, use the show command. Figure [1] annotates a simple Supervisor module configuration file displayed through the show config command. Some configuration lines are editorially deleted because they are redundant and needlessly take up space. The remaining portion of the file enables the user to see the general organization of the configuration file.

Note in Figure [1] that the file collates in logical sections. First, the Catalyst switch writes any globally applicable configuration items such as passwords, Simple Network Management Protocol (SNMP) parameters, system variables, and so forth. Then it displays configurations for each module installed. Note that the module configuration sections refer only to spanning tree and VLAN assignments; they do not display any details about other functions within the module. For example, a route switch module (RSM) is installed in module 5 of this switch. Although this is a router module, it attaches to a virtual bridge port internally. The Catalyst switch displays the bridge attachment parameters, but not the RSM configuration lines. To view module-specific configurations, use the command session module_number followed by the appropriate show command for the module.

Other show commands display item-specific details. For example, to look at the current configuration for the in-band (sc0) interface, out-of-band management Ethernet (me1) interface, and SLIP (sl0) interface, use the show interface command, as demonstrated in Figure [2]. Another useful show command displays the modules loaded in the switch (see Figure [3]). The output in Figure [3] displays details about the model number and description of the modules in each slot. The second block of the output displays which Media Access Control (MAC) addresses are associated with each module. Notice that the Supervisor module reserves 1024 MAC addresses. Many of these addresses support spanning-tree operations, but other processes are also involved. Module 3, the 24-port Ethernet module, reserves 24 MAC addresses, one for each port. These addresses also support spanning tree because they are the values used for the port ID in the spanning tree convergence algorithm. The third block of the display offers details regarding the Supervisor module.
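The section layout just described (global items first, then one block per module, each introduced by a #name header and annotated with ! comments) is regular enough to parse. The following is an added example, not part of the Cisco course material: it splits a show config dump into its sections and then audits them for the security-relevant settings this chapter itself points out (remote logging off, the IP permit list disabled, port security disabled, trunk negotiation left on auto). The sample configuration is constructed from lines in Figure 1.

```python
"""Parse a CatOS 'show config' dump into its #sections and audit the
security-relevant settings.  Added example (not from the course material);
the sample config is a trimmed, constructed copy of Figure 1."""
import re
from collections import defaultdict

# Constructed sample: global sections first, then one block per module.
SAMPLE_CONFIG = """\
#syslog
set logging console enable
set logging server disable
!Other logging commands deleted.
#permit list
set ip permit disable
#module 1 : 2-port 10/100BaseTX Supervisor
set port security 1/1-2 disable
set trunk 1/1 auto 1-1005
set trunk 1/2 auto 1-1005
#module 3 : 24-port 10BaseT Ethernet
set port security 3/1-24 disable
set cdp enable 3/1-24
#module 5 : 1-port Route Switch
set trunk 5/1 on 1-1005
#cam
set cam agingtime 1,1003,1005 300
end
"""


def parse_sections(text):
    """Group 'set ...' lines under the '#name' header that precedes them.
    '!' comment lines and the trailing 'end' are dropped.  Lines before any
    header land in a 'global' section.  Returns {section: [command, ...]}."""
    sections = defaultdict(list)
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "end":
            continue
        if line.startswith("#"):
            # "#module 1 : 2-port ..." -> "module 1"; "#syslog" -> "syslog"
            current = line[1:].split(":")[0].strip()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return dict(sections)


def audit(sections):
    """Return findings as (severity, section, message) tuples.  The rules
    mirror points made in this chapter: logging kept on the console only,
    the IP permit list switched off (management reachable from any source
    address), port security off, and trunks left to negotiate automatically."""
    findings = []
    for name, cmds in sections.items():
        for cmd in cmds:
            if cmd == "set logging server disable":
                findings.append(("medium", name,
                                 "remote syslog disabled; console-only logging"))
            elif cmd == "set ip permit disable":
                findings.append(("high", name,
                                 "IP permit list disabled; no source-address restriction"))
            elif m := re.fullmatch(r"set port security (\S+) disable", cmd):
                findings.append(("low", name,
                                 f"port security disabled on {m.group(1)}"))
            elif m := re.fullmatch(r"set trunk (\S+) auto (\S+)", cmd):
                findings.append(("medium", name,
                                 f"trunk {m.group(1)} negotiates automatically for VLANs {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, section, message in audit(parse_sections(SAMPLE_CONFIG)):
        print(f"[{severity:6}] {section}: {message}")
```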


2.3.4 Password recovery

If at any time the normal mode or enable passwords are lost, a password recovery process must be started. Password recovery on the Catalyst 4000/5000/6000 Series differs from the methods used on a Cisco router or on other models of switches. To perform the password recovery procedure, a console connection must be made. Password recovery requires a power cycle of the system by toggling the power switch. Performing a power cycle on the switch forces it through its initialization routines and eventually prompts the user for a password to enter the normal mode. At this point, the user has 30 seconds to perform password recovery.

The trick in password recovery on the switch lies in its behavior during the first 30 seconds after booting. When the switch first boots, it ignores the passwords in the configuration file and uses the default password during this time. Therefore, when the Catalyst switch prompts the user for an existing password at any time in this window, simply press Enter and the Catalyst switch accepts the response. Immediately enter set password or set enablepass to change the appropriate password(s). During the password recovery process, when the switch prompts for the new password, simply respond with Enter as well. Otherwise, trying to type in new passwords sometimes forces the user to reboot again. To minimize the probability of entering a bad value, initially set the password to the default value. After setting the enable and EXEC passwords to the default, the user can then go back and change the values without the pressure of completing the process during the 30-second time window provided for in password recovery.

As with many security situations, it is extremely important to consider physical security of the equipment. As demonstrated in the password recovery process, an attacker simply needs the ability to reboot the Catalyst switch and access to the console to get into the privileged mode. When in the privileged mode, the attacker can make any changes that he or she desires. Keep wiring closets secured and minimize access to console ports.

Lab Activity: In this lab activity, you will learn how to regain control of a Cisco Catalyst 4000 Ethernet switch after you have lost the passwords.

Lab Activity: In this lab activity, you will learn how to regain control of a Cisco Catalyst 2900 Ethernet switch after you have lost the passwords.


2.3.5 Setting an IDLE timeout

Figure 1 Set Based Switch

Figure 2 IOS Based Switch

If a user is logged into a switch and performs no keystrokes (remains idle) for 5 minutes, the switch automatically logs the user out. This feature is referred to as an "idle timeout." If a user forgets to log out and leaves the terminal unattended, this feature prevents someone from gaining unauthorized access to the switch by using the terminal. Although the default setting of this feature is 5 minutes, it can be altered with the set logout command on a set command-based switch:

Switch> (enable) set logout number_of_minutes

The example in Figure [1] shows how to set the automatic session logout to 20 minutes and how to disable the automatic logout feature. To configure a timeout on a Cisco IOS command-based switch, the user must first choose the line (console or vty) to apply it to and then specify the amount of time. This works just as it does on a router. The default timeout is 10 minutes. The commands to set the timeout on the console port of a Cisco IOS command-based switch to 20 minutes are shown in Figure [2].


2.3.6 Verifying connectivity

Figure 1 Reaching the Destination IP Address

Figure 2 Reaching the Destination IP Address

After the switch is assigned an IP address and at least one switch port is connected to the network and properly configured, the switch can communicate with other nodes on the network (beyond simply switching traffic). To test connectivity to remote hosts, enter the following command in privileged mode:

Switch> (enable) ping destination_ip_address

An example of this command is shown in Figure [1]. The ping command returns one of the following responses:

• Success rate is 100 percent or ip address is alive. This response occurs in 1 to 10 seconds, depending on network traffic and the number of Internet Control Message Protocol (ICMP) packets sent.
• Destination does not respond. No answer message is returned if the host does not respond.
• Unknown host. This response occurs if the targeted host does not exist.
• Destination unreachable. This response occurs if the default gateway cannot reach the specified network.
• Network or host unreachable. This response occurs if there is no entry in the route table for the host or network.

The example in Figure [2] states that the destination IP address 10.1.1.1 can be reached by the device generating the ping.


2.3.7 Backup and restoration of a configuration using a TFTP server

Figure 1 Uploading a Configuration File to a TFTP Server

Figure 2 Retrieving a Configuration File


Figure 3 Recovering Configuration Files from a TFTP Server

Most switches have a TFTP client, allowing users to retrieve configuration files from and send them to a TFTP server. The actual syntax to perform TFTP configuration file transfers varies based on the type of switch and the version of Supervisor module installed in the switch. To save a configuration file from either a Supervisor I or Supervisor II module, use the write net command. Figure [1] shows a session writing a configuration file to a TFTP server. The server IP address and the filename are clearly seen in the output. For the switch to obtain the new configuration over the network after having cleared the configuration, a valid IP address and default gateway setting must be restored. Retrieving a file from the server uses the command configure network. When retrieving a file, a user must specify the source filename on the TFTP server, as shown in Figure [2].

For complete system recovery, make sure to have a copy of the configuration file of each switch stored somewhere other than on the switch itself. If anything happens to the Supervisor module, it might not be possible to recover the configuration file. It is a big mistake to have to rebuild the entire configuration file from scratch during a system outage, especially when a backup copy could easily have been created on a network-accessible machine. Through TFTP, a copy of the configuration file can be stored on a TFTP server and recovered later when needed. The syntax varies, depending upon the version of Supervisor module. This section assumes either a Cisco IOS command-based switch or a set command-based switch with a Supervisor module.

As a side note, TFTP servers are inherently weak security-wise. It is highly recommended not to keep configuration files in a TFTP directory space until there is an actual need to retrieve them. Anyone who compromises the TFTP server can modify the configuration files without the owner's knowledge. The prudent network administrator will maintain configuration files in a secure directory space and copy them back to the TFTP directory space only when he or she is ready to use them. Although this adds another step to the recovery process, the security benefits definitely outweigh the procedural disadvantages.

Transferring Cisco IOS command-based switch configuration files via TFTP to another device works the same as with a router. The command copy running-config tftp copies the configuration file to a TFTP server at the location specified. The recovery process works in reverse. To recover a configuration file from a TFTP server, issue the command copy tftp running-config. This loads the specified configuration file into NVRAM and the "active" memory of the switch.

Transferring Supervisor III and Catalyst 4000/6000 configuration files via TFTP to another device looks much like it does with a router. The command copy config flash | file-id | tftp copies the configuration file to one of three locations. The configuration file can be stored in the bootflash memory, on a Flash card in a Flash slot (with a Supervisor module that supports Flash cards), or on a TFTP server. When copying configuration files to or from the switch, specify the source filename. Because of the Flash architecture on the Supervisor III, several configuration files may be stored locally. However, only one can be active. Therefore, the user must specify which of the local files is to be copied. Recovering a configuration file works in reverse. To retrieve the file from a TFTP server, use the command copy tftp flash | file-id | config. When retrieving, write the configuration file to the bootflash, a Flash card, or the running configuration. To write the configuration file to the running configuration, use the command form copy tftp config. Figure [3] shows a session recovering the configuration filename cat to a Flash device. To recover a configuration from Flash, use the command copy flash tftp | file-id | config.

Lab Activity: In this lab activity, you will learn how to copy your current configuration from a Catalyst 4000 switch to a TFTP server.

Lab Activity: In this lab activity, you will learn how to copy your current configuration from a Catalyst 2900 switch to a TFTP server.
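The side note above warns that anyone who compromises the TFTP server can alter a staged configuration file unnoticed. One check that catches exactly that, as an added example and not part of the Cisco course material: keep a SHA-256 manifest next to the securely stored backups and compare the TFTP directory against it before any file is pushed back to a switch. The switch names, filenames and configuration contents below are constructed.

```python
"""Tamper check for switch configuration backups staged on a TFTP server.
Added example (not from the course material).  Backups live in a secure
directory with a SHA-256 manifest; files copied into the TFTP directory
are verified against that manifest before they are used for recovery."""
import hashlib
from pathlib import Path


def build_manifest(files):
    """files: {filename: bytes} of the securely stored backups.
    Returns {filename: sha256 hex digest}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_staged(manifest, staged):
    """Compare the TFTP directory contents ({filename: bytes}) against the
    manifest.  Returns {filename: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    status = {}
    for name, digest in manifest.items():
        if name not in staged:
            status[name] = "missing"
        elif hashlib.sha256(staged[name]).hexdigest() == digest:
            status[name] = "ok"
        else:
            status[name] = "modified"       # changed after it was staged
    for name in staged:
        if name not in manifest:
            status[name] = "unexpected"     # nobody staged this on purpose
    return status


def safe_to_restore(manifest, staged, name):
    """True only if the named file is in the TFTP directory and matches the
    secure copy byte for byte."""
    return check_staged(manifest, staged).get(name) == "ok"


def read_dir(path):
    """Load every regular file directly under `path` into the {filename: bytes}
    form used above (for example the TFTP root or the secure backup directory)."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


# Constructed sample: two switch configs kept securely, and the TFTP
# directory as found later.  The core switch file was altered after staging
# (the permit list turned off) and an extra file has appeared.
SECURE = {
    "cat4000-core.cfg": b"set ip permit enable\n",
    "cat2900-floor2.cfg": b"line con 0\n exec-timeout 20 0\n",
}
STAGED = {
    "cat4000-core.cfg": b"set ip permit disable\n",
    "cat2900-floor2.cfg": b"line con 0\n exec-timeout 20 0\n",
    "sw-extra.cfg": b"",
}

if __name__ == "__main__":
    for name, state in check_staged(build_manifest(SECURE), STAGED).items():
        print(f"{name}: {state}")
```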


2.3.8 HTTP switch commands

Figure 1 Cat4000 Config Example

Figure 2 Authentication Login Example

The Catalyst Web Interface (CWI) is a browser-based tool that can be used to configure the Cisco 6000, 5000, and 4000 Family Switches. It consists of a graphical user interface (GUI) that runs on the client, Catalyst CiscoView (CV), and a Hypertext Transfer Protocol (HTTP) server that runs on the switch. A GUI alternative to the CLI and SNMP interfaces, the CWI provides a real-time graphical representation of the switch and detailed information, such as port status, module status, type of chassis, and modules. The CWI uses HTTP to download Catalyst CV from the server to the client. Communication between the client and server usually occurs on a TCP/IP connection. The TCP/IP port number for HTTP is 80. In this client/server mode, the client opens a connection to the server and sends a request. The server receives the request, sends a response back to the client, and closes the connection.

To configure the HTTP server on a set command-based switch, perform the following tasks at the CLI (Figure [1]):

1. Assign an IP address to the switch, if necessary, using the command set interface sc0 [ip_addr / netmask].
2. Enable the HTTP server on the switch using the command set ip http server enable.
3. Configure the HTTP port (the default TCP/IP port is 80; perform this step only if the default must be changed) using the command set ip http port {port_number | default}.
4. Verify the HTTP server and CWI support by using the command show ip http.

Catalyst Switch software allows the user to configure authentication for console and Telnet logins using the RADIUS/TACACS/Kerberos/local database. With software Release 5.4(2) or later, the software also allows configuring authentication for HTTP users. When logging into the switch using HTTP, a dialog box appears and requests a username and password. After the user provides a username and password, the system authenticates the login with the HTTP user-authentication method. The system denies access unless the username and password are valid. In the default configuration, verification is enabled for all users of the CWI. The system validates the login password against the local login password. Authentication for the CWI occurs at these two security levels:

• Level 1 - Username and Password Authentication. Level 1 requires user authentication by providing a username and password. This process is similar to the authentication that is obtained at the command prompt for Telnet and console sessions. After passing the first level of security, it is possible to download the Catalyst CV.
• Level 2 - SNMP IP Permit Restriction. Level 2 restricts the IP address of the incoming SNMP request. The IP address of the SNMP request must be configured correctly before the CWI can communicate with the switch.

To configure authentication, perform these tasks at the CLI:

Task                                      Command
Step 1  Configure authentication login.   set authentication login
Step 2  Display authentication.           show authentication

The example in Figure [2] shows how to set the authentication login for the HTTP option. To download the Catalyst CV from the browser, follow these steps:

Step 1 - Enter the switch address in the Universal Resource Locator (URL) field of the browser. For example, open Netscape Navigator or Internet Explorer and enter the following: http://10.1.1.1 In this example, 10.1.1.1 is the switch IP address. After connecting to the switch, a login dialog appears and prompts for username and password.

Step 2 - Provide a username and password. The home page of the switch appears in the browser.

Step 3 - Click the Switch Manager link to download the Catalyst CV. The switch downloads the Catalyst CV, and the browser opens with a real-time view of the switch chassis.


Summary

After completing this chapter, the reader should have a firm understanding of the following concepts:

■ How to make initial connections to the switch, connecting to the console port and connecting an Ethernet port
■ Basic configuration of the switch including:
  • Clearing a configuration
  • Setting a password
  • Naming the switch
  • Configuring the switch for remote access
  • Identifying individual ports
  • Defining link speed
  • Defining line mode on a switch
■ Important IOS features such as:
  • Command line recall
  • Using the help feature
  • Show commands
  • Password recovery
  • Verifying connectivity
  • Saving the configuration
  • Backup and restoration of a configuration using a TFTP server


Section 3

Introduction to VLANs

Table of Contents

INTRODUCTION TO VLANS ... 1
OVERVIEW ... 3
OBJECTIVES ... 4
3.1 VLAN BASICS ... 5
3.1.1 Describe a VLAN ... 5
3.1.2 Why are VLANs necessary? ... 6
3.1.3 VLANs and network security ... 7
3.1.4 VLANs and broadcast distribution ... 9
3.1.5 VLANs and bandwidth utilization ... 10
3.1.6 VLANs vs. network latency from routers ... 10
3.1.7 VLANs vs. complex access lists ... 12
3.1.8 Wrong motives for implementing VLANs ... 13
3.2 VLAN TYPES ... 14
3.2.1 VLAN Boundaries ... 14
3.2.2 End-to-end VLANs ... 15
3.2.3 Local VLANs ... 16
3.2.4 Establishing VLAN memberships ... 17
3.2.5 Port-based VLAN membership ... 18
3.2.6 Dynamic VLANs ... 19
3.3 CONFIGURING VLANS ... 22
3.3.1 Configuring static VLANs ... 22
3.3.2 Verify VLAN configuration ... 24
3.3.3 Deleting VLANs ... 25
3.3.4 Configure the VMPS server ... 26
3.3.5 Configure a VMPS client ... 27
3.3.6 Access links and trunk links ... 29
3.4 VLAN IDENTIFICATION ... 31
3.4.1 VLAN frame identification ... 31
3.4.2 ISL ... 32
3.4.3 IEEE 802.1Q ... 34
3.4.4 LANE ... 35
3.4.5 IEEE 802.10 Protocol ... 36
3.5 TRUNKING ... 38
3.5.1 Trunking overview ... 38
3.5.2 Configuring a VLAN trunk ... 39
3.5.3 Removing VLANs from a trunk ... 41
3.6 VLAN TRUNKING PROTOCOL (VTP) ... 44
3.6.1 VTP Benefits ... 44
3.6.2 VTP operation ... 45
3.6.3 VTP modes ... 46
3.6.4 Adding a switch to a VTP domain ... 47
3.6.5 VTP advertisements ... 49
3.7 VTP CONFIGURATION ... 52
3.7.1 Basic configuration steps ... 52
3.7.2 Configure the VTP version ... 52
3.7.3 Configure the VTP domain ... 54
3.7.4 Configure VTP mode ... 55
3.7.5 Verify VTP configuration ... 56
3.8 VTP PRUNING ... 58
3.8.1 Default behavior of a switch ... 58
3.8.2 Configure VTP pruning ... 60
3.8.3 Verifying VTP pruning ... 62
SUMMARY ... 64


Switching Section 3: Introduction to VLANs


Overview

When the industry started to articulate virtual LANs (VLANs) in the trade journals and the workforce, a lot of confusion arose. What exactly did they mean by VLAN? Authors had different interpretations of the new network terminology that were not always consistent with each other, much less in agreement. Vendors took varied approaches to creating VLANs, which further muddled the understanding. This chapter:

• Presents definitions and categorizations for VLANs
• Explains how to configure VLANs
• Discusses reasons to use and not use VLANs
• Attempts to clarify misinformation about VLANs

In this chapter, the student will learn how to break the Layer 2 switch block into separate broadcast domains called VLANs. The chapter will also introduce VLAN management tools such as the VLAN Trunk Protocol (VTP).


Objectives

After completing this chapter, the student will be able to perform tasks relating to:

3.1 VLAN Basics
3.2 VLAN Types
3.3 Configuring VLANs
3.4 VLAN Identification
3.5 Trunking
3.6 VLAN Trunking Protocol (VTP)
3.7 VTP Configuration
3.8 VTP Pruning


3.1 VLAN Basics

3.1.1 Describe a VLAN

Figure 1 Describe a VLAN

A virtual LAN (VLAN) logically segments a switched network based on an organization's functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams. Reconfiguration of the network can be done through software rather than by physically unplugging and moving devices or wires. As shown in the Figure, a VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment; for example, LAN switches that operate bridging protocols between them with a separate bridge group for each VLAN. VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge any traffic between VLANs. This would violate the integrity of the VLAN broadcast domain. Traffic should only be routed between VLANs. Several key issues need to be considered when designing and building switched-LAN internetworks.


3.1.2 Why are VLANs necessary?

Reasons to use VLANs include:

• Assignments are logically, not geographically, based.
• Keep up with moves and changes.
• Group multiple topologies.
• VLANs offer network security.
• VLANs offer broadcast control.
• Bandwidth utilization is efficient with VLANs.

Figure 1 Why are VLANs Necessary?

In a legacy network, administrators assign users to networks based on geography. The administrator attaches the user's workstation to the nearest network cable. If the user belongs to the engineering department and sits next to someone from the accounting department, they both belong to the same network because they attach to the same cable. This creates some interesting network issues and highlights some of the reasons for using VLANs. VLANs help to resolve many of the problems associated with legacy network designs. Network managers can logically group networks that span all major topologies, including high-speed technologies such as Asynchronous Transfer Mode (ATM), Fiber Distributed Data Interface (FDDI), and Fast Ethernet. By creating VLANs, system and network administrators can control traffic patterns, react quickly to relocations, and keep up with constant changes in the network due to moving requirements and node relocation. VLANs provide the flexibility to carry out these actions. The network administrator simply changes the VLAN member list in the switch configuration. The administrator can add, remove, or move devices or make other changes to the network configuration using software. The sections that follow examine the five issues listed in the Figure that warrant implementation of a VLAN.


3.1.3 VLANs and network security

Figure 1 Security Problems in a Legacy Network

Figure 2 A Known Unicast Frame in a Switched Network

The first issue is the shared-media nature of legacy networks. Whenever a station transmits in a shared network such as a legacy half-duplex 10BASE-T system, all stations attached to the segment receive a copy of the frame, even if they are not the intended recipients. This does not prevent the network from functioning. There are, however, readily available software packages that monitor network traffic. Anyone with such a package can capture passwords, sensitive e-mail, and any other traffic on the network. If the users on the network belong to the same department, this might not be disastrous, but when users from mixed departments share a segment, undesirable information captures can occur. If someone from human resources or accounting sends sensitive data such as salaries, stock options, or health records on the shared network, anyone with a network monitoring package can decode the information.

Neither of these scenarios is constrained to a single segment. These problems can occur in multisegment environments interconnected with routers. In Figure [1], the accounting department resides on two isolated segments. For users on one segment to transmit to users on the other segment, the frames must cross the engineering network. When they cross the engineering segment, they can be intercepted and misused.

One way to eliminate the problem is to move all accounting users onto the same segment. However, this is not always possible: space limitations might prevent all accountants from sharing a common part of the building, or the geographical makeup of the company might place users on one segment a considerable distance from users on the other.

Another approach is to use VLANs, which allow all process-related users to be contained in the same broadcast domain and isolated from users in other broadcast domains. All accounting users can be assigned to the same VLAN, regardless of their physical location in the facility. They no longer have to be placed in a network based upon their location. Users can be assigned to a VLAN based upon their job function: keep all the accounting users on one VLAN, the marketing users on another VLAN, and engineering in yet a third.

By creating VLANs with switched network devices, another level of protection is created. Switches bridge traffic within a VLAN. When a station transmits, the frame goes to the intended destination. As long as it is a known unicast frame, the switch does not distribute the frame to all users in the VLAN [2]. Station A in Figure [2] transmits a frame to Station B attached to another Catalyst® Switch. Although the frame crosses through a Catalyst Switch, only the destination receives a copy of the frame. The switch filters the frame from the other stations, whether they belong to a different VLAN or the same VLAN.

This switch feature limits the opportunity for someone to capture packets with a network analyzer. It does not remove it: broadcast, multicast, and unknown-unicast frames are still flooded to every port in the VLAN, and a VLAN separates traffic only at Layer 2, so it complements, rather than replaces, access control between VLANs at the router. Although these security methods may seem like overkill, in the corporate network they are crucial. Consider the data transferred among the accounting department. This department has salary information, stock-option information, personal information, and other sensitive and personal material. It is very important to protect the privacy of the users and the integrity of the data. VLANs greatly assist in this endeavor.


3.1.4 VLANs and broadcast distribution

Figure 1 VLANs and Broadcast Distribution

Practically every network protocol creates broadcast traffic for one reason or another. For example, consider the amount of broadcast traffic AppleTalk generates. AppleTalk routers generate routing updates in the form of broadcast frames every ten seconds. Broadcasts go to all devices in the broadcast domain and must be processed by the receiving devices. Further, many multimedia applications create broadcast and multicast frames that get distributed across the broadcast domain.

So why do network administrators dislike broadcast traffic? Broadcasts are necessary to support protocol operations and therefore are overhead frames in the network. With the exception of multimedia-based traffic, broadcast frames rarely transport user data. Since broadcasts tend not to carry user data, they consume bandwidth in the network, resulting in a reduction of the bandwidth for productive traffic. Broadcasts also have a profound effect on the performance of workstations. Any broadcast received by a workstation interrupts the CPU and prevents it from working on user applications. As the number of broadcasts per second increases at the interface, effective CPU utilization diminishes. The actual level of degradation depends upon the applications running in the workstation, the type of network interface card and drivers, the operating system, and the workstation platform.

If broadcasts are creating problems in the network, creating smaller broadcast domains can mitigate the negative effects. In VLANs, this means creating additional VLANs and attaching fewer devices to each one. The effectiveness of this action depends upon the source of the broadcast. If the broadcasts come from a local server, isolate the server in another domain. If the broadcasts come from end stations, creating multiple domains might help to reduce the number of broadcasts in each domain.

3.1.5 VLANs and bandwidth utilization

Figure 1 Concurrent Transmissions in a Catalyst

When users attach to the same shared segment, all of them share the bandwidth of the segment. Every additional user attached to the shared medium means there is less average bandwidth available for each user. If the sharing becomes too great, user application performance will begin to suffer. The network administrator will begin to suffer as well because users will begin complaining and asking for more bandwidth. VLANs, which are usually created with LAN switch equipment, can offer more bandwidth to users than is inherent in a shared network. Remember that each interface on a switch behaves like a port on a legacy bridge. Bridges filter traffic that does not need to go to segments other than the source. If a frame needs to cross the bridge, the bridge forwards the frame to the correct interface and to no others. If the bridge or switch does not know where the destination resides, it floods the frame to all ports in the broadcast domain (VLAN) except the "source port." In a switched environment, a station will usually see only traffic destined specifically for it. The switch will filter most of the other background traffic in the network. This allows the workstation to have full, dedicated bandwidth for sending or receiving interesting traffic. Unlike a shared-hub system where only one station can transmit at a time, the switched network in the Figure allows many concurrent transmissions within a broadcast domain without directly affecting other stations inside or outside of the broadcast domain. Station pairs A/B, C/D, and E/F can all communicate without affecting the other station pairs.

3.1.6 VLANs vs. network latency from routers


Figure 1 Network Latency from Routers vs. VLANs

In the legacy network shown in the Figure, accounting users on the two segments have to cross the engineering segment to transfer any data. The frames have to pass through two routers. Software-based routers tend to be slower than other internetworking products such as a Layer 2 bridge or switch. As a frame passes through a router, the router introduces latency to the network. Latency is the amount of time necessary to transport a frame from the source port to the destination port. Every router that the frame transits increases the end-to-end latency. Further, every congested segment that a frame must cross increases latency.

By moving all the accounting users into one VLAN, the need to cross through multiple routers and segments is eliminated. This reduces network latency, which improves performance for users, especially if they use a connection-oriented protocol such as TCP. Connection-oriented protocols do not send more data until an acknowledgement is received referencing the previous data, so network latency dramatically reduces their effective throughput. If the need for user traffic to pass through a router can be eliminated by placing users in the same VLAN, cumulative router latency is eliminated. If frames must pass through routers, enabling Layer 3 switching will significantly reduce router transit latencies as well.


3.1.7 VLANs vs. complex access lists

Figure 1 VLANs vs. Complex Access Lists

Routers allow administrators to introduce policies that control the flow of traffic in the network. Access lists control traffic flow and provide varied degrees of policy granularity. Through the implementation of access lists, a specific user can be prevented from communicating with another user or network, or an entire network can be prevented from accessing a user or network. A network administrator might exercise these capabilities for security reasons, or may elect to prevent traffic from flowing through a segment to protect local bandwidth. In any case, the management of access lists can be quite cumbersome. The access list must be developed based on the company's business and security needs.

In the network example shown in the Figure, filters in the routers attached to the engineering segment can include access lists allowing the accounting traffic to pass through the engineering segment but never talk to any engineering devices. That prevents direct communication between the engineering and accounting devices, but it does not prevent engineers from monitoring the transit traffic: accounting will not see the engineering traffic, but engineering can see all the accounting transit traffic. VLANs can simplify the network in some cases by allowing the administrator to keep all accounting users in one VLAN. Then their traffic does not need to pass through a router to get to peers within the VLAN. This can simplify access-list design because the administrator can treat networks as groups with similar or equal access requirements.


3.1.8 Wrong motives for implementing VLANs

Figure 1 Wrong Motives for Implementing VLANs

One common motivation for using VLANs tends to get network administrators excited. Unfortunately, reality quickly meets enthusiasm, revealing errors in motivation. The advent of VLANs led many to believe that a network administrator's life would be simplified. Administrators thought that VLANs would eliminate the need for routers, everyone could be placed in one giant flat network, and administrators could go home at reasonable hours each evening. This turns out to be far from the truth. VLANs do not eliminate Layer 3 issues. They may allow the network administrator to more easily perform some Layer 3 tasks, such as developing simpler access lists, but Layer 3 routing still must exist.


3.2 VLAN Types

3.2.1 VLAN Boundaries

Figure 1 VLAN Boundaries

The number of VLANs in the switch block may vary greatly, depending on several factors, including traffic patterns, types of applications, network management needs, and group commonality. In addition, an important consideration in defining the size of the switch block and the number of VLANs is the IP addressing scheme. For example, suppose the network uses a 24-bit mask to define a subnet. Given this criterion, a total of 254 host addresses are allowed in one subnet. Because a one-to-one correspondence between VLANs and IP subnets is strongly recommended, there can be no more than 254 devices in any one VLAN. It is further recommended that VLANs should not extend outside of the Layer 2 domain of the distribution switch. As demonstrated in the Figure, with many users in the building under the recommended constraints, a minimum of four VLANs will be in the switch block. When scaling VLANs in the switch block, there are two basic methods of defining the VLAN boundaries:

• End-to-end VLANs

• Local VLANs

3.2.2 End-to-end VLANs

Figure 1 End-to-End VLANs (switched Ethernet wiring closet; Fast Ethernet to the distribution layer with workgroup servers; Fast or Gigabit Ethernet core with inter-VLAN routing and enterprise servers)

End-to-end VLANs were originally Cisco's recommended approach to configuring VLANs in the switch block. This helped facilitate the old 80/20 rule: 80 percent of the traffic should be local, and 20 percent of the traffic should be remote. As the corporate community began to move to server farms, application servers, and enterprise-wide servers, this became increasingly difficult to manage. Cisco no longer recommends using end-to-end VLANs because of the management and spanning-tree concerns.

VLANs can exist either as end-to-end networks, which span the entire switch fabric, or they can exist inside of geographic boundaries. An end-to-end VLAN network comprises the following characteristics:

• Users are grouped into VLANs independent of physical location and dependent on group or job function.

• All users in a VLAN should have the same 80/20 traffic flow patterns.

• As a user moves around the campus, VLAN membership for that user should not change.

• Each VLAN has a common set of security requirements for all members.

In the Figure, starting in the wiring closet, 10-megabit-per-second (Mbps) dedicated Ethernet ports are provisioned for each user. Each color represents a subnet, and because people have moved around over time, each switch eventually becomes a member of all VLANs. Fast Ethernet Inter-Switch Link (ISL) or IEEE 802.1Q is used to carry multiple VLAN information between the wiring closets and the distribution-layer switches.

Note: ISL is a Cisco-proprietary protocol that maintains VLAN information as traffic flows between switches and routers. IEEE 802.1Q is an open-standard (IEEE) VLAN tagging mechanism that predominates in modern switching installations.

Workgroup servers operate in a client/server model, and attempts have been made to keep users in the same VLAN as their server to maximize the performance of Layer 2 switching and keep traffic localized. In the core, a router allows inter-subnet communication. The network is engineered, based on traffic flow patterns, to have 80 percent of the traffic within a VLAN and 20 percent crossing the router to the enterprise servers and to the Internet and WAN.
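The note above says a trunk carries "multiple VLAN information" between switches but does not show what that information looks like on the wire. The following is an added example, not code from this document or from Cisco: it builds and parses the IEEE 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding a 3-bit priority, a 1-bit DEI and a 12-bit VLAN ID) that a trunk inserts after the source MAC address, and shows how a receiving switch decides which VLAN an incoming frame belongs to. ISL is proprietary and is not modelled. The MAC addresses and payload are constructed for the example.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames (added example, not Cisco code)."""
import struct
from typing import Optional

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks a customer VLAN tag
ETHERTYPE_IPV4 = 0x0800


def is_valid_vid(vid: int) -> bool:
    """VID 0 means 'priority tag only' and 4095 is reserved; neither names a VLAN."""
    return 1 <= vid <= 4094


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Return an Ethernet II frame; when vlan_id is given, insert an 802.1Q tag."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not is_valid_vid(vlan_id):
            raise ValueError(f"VID {vlan_id} is not a usable VLAN number")
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src, an optional 802.1Q tag and the inner EtherType of a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vlan_id=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def frame_vlan(frame: bytes, port_vlan: int) -> int:
    """VLAN a switch assigns to a received frame: the tag's VID on a trunk,
    otherwise the static VLAN of the (access) port it arrived on."""
    parsed = parse_frame(frame)
    return parsed["vlan_id"] if parsed["vlan_id"] is not None else port_vlan


if __name__ == "__main__":
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         ETHERTYPE_IPV4, b"\x45" * 20, vlan_id=41, pcp=5)
    print(tagged[:18].hex(" "))          # header with the 4-byte tag visible
    print(parse_frame(tagged))
```

The 4-byte tag is the only difference between a frame on an access port and the same frame on the trunk; a station on an access port never sees it, which is why the text can say the attached device "has no understanding that a VLAN exists".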

3.2.3 Local VLANs

Figure 1 Local VLANs

End-to-end VLANs allow devices to be grouped based upon resource usage. This includes such parameters as server usage, project teams, and departments. The goal of end-to-end VLANs is to maintain 80 percent of the traffic on the local VLAN. As many corporate networks have moved to centralize their resources, end-to-end VLANs became more difficult to maintain. Users are required to use many different resources, many of which are no longer in their VLAN.

Because of this shift in placement and usage of resources, VLANs are now more frequently being created around geographic boundaries rather than commonality boundaries. This geographic location can be as large as an entire building or as small as a single switch inside a wiring closet. In a geographic VLAN structure, it is typical to find the new 20/80 rule in effect, with 80 percent of the traffic remote to the user and 20 percent of the traffic local to the user. Although this topology means that the user must cross a Layer 3 device in order to reach 80 percent of the resources, this design allows the network to provide a deterministic, consistent method of accessing resources. Geographic VLANs are also considerably easier to manage and conceptualize than VLANs that span different geographic areas.


3.2.4 Establishing VLAN memberships

Figure 1 Establishing VLAN Memberships

Figure 2 Dynamic VLANs (Catalyst 5000 primary VMPS server 1 with a TFTP server, secondary VMPS servers 2 and 3, Switches 1 through 10 as VMPS clients at 172.20.26.150 through 172.20.26.159, End Stations 1 and 2, and a router at 172.20.22.7)

The two common approaches to assigning VLAN membership are as follows:

• Static VLANs - This method is also referred to as port-based membership. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection. An example of this is shown in Figure [1].

• Dynamic VLANs - Dynamic VLANs are created through the use of software packages such as CiscoWorks 2000. With a VLAN Management Policy Server (VMPS), the network administrator can assign switch ports to VLANs dynamically based on the source MAC address of the device connected to the port. As a device enters the network, the switch queries the VMPS database for the VLAN membership of that device's MAC address. An example of this is shown in Figure [2].

3.2.5 Port-based VLAN membership

Figure 1 Port-Based VLAN Membership

In port-based VLAN membership, the port is assigned to a specific VLAN independent of the user or system attached to the port. This means all users attached to the port should be members in the same VLAN. The network administrator typically performs the VLAN assignment. The port configuration is static and cannot be automatically changed to another VLAN without manual reconfiguration. As with other VLAN approaches, the packets forwarded using this method do not leak into other VLAN domains on the network. After a port has been assigned to a VLAN, the port cannot send to, or receive from, devices in another VLAN without the intervention of a Layer 3 device.


The device that is attached to the port likely has no understanding that a VLAN exists. The device simply knows that it is a member of a subnet and that the device should be able to talk to all other members of the subnet by simply sending information to the cable segment. The switch is responsible for identifying that the information came from a specific VLAN and for ensuring that the information gets to all other members of the VLAN. The switch is further responsible for ensuring that ports in a different VLAN do not receive the information. This approach is quite simple, fast, and easy to manage in that there are no complex lookup tables required for VLAN segmentation. If port-to-VLAN association is done with an application-specific integrated circuit (ASIC), the performance is very good. An ASIC allows the port-to-VLAN mapping to be done at the hardware level.
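The forwarding rules spread across 3.1.3, 3.1.5 and this section (a known unicast frame goes only to the port where the destination was learned; an unknown unicast or broadcast is flooded to every port in the VLAN except the source port; no frame is ever delivered to a port in another VLAN) are easier to reason about when run. The following simulated VLAN-aware learning switch is an added example written for this page, not Cisco code or a model of Catalyst internals; the port-to-VLAN table, MAC addresses and frames are constructed. It returns the set of egress ports for each frame so that the claims in the text can be checked directly.

```python
"""Simulated VLAN-aware learning switch (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    ingress_port: str


@dataclass
class VlanSwitch:
    port_vlan: Dict[str, int]                 # static (port-based) VLAN membership
    mac_table: Dict[int, Dict[str, str]] = field(default_factory=dict)  # vlan -> mac -> port

    def learn(self, vlan: int, mac: str, port: str) -> None:
        """Remember, per VLAN, which port a source MAC was last seen on."""
        self.mac_table.setdefault(vlan, {})[mac] = port

    def forward(self, frame: Frame) -> List[str]:
        """Return the egress ports that receive a copy of the frame."""
        vlan = self.port_vlan[frame.ingress_port]
        self.learn(vlan, frame.src, frame.ingress_port)
        table = self.mac_table.get(vlan, {})
        if frame.dst != BROADCAST and frame.dst in table:
            out = table[frame.dst]
            # known unicast: filtered from every other station, same VLAN or not
            return [] if out == frame.ingress_port else [out]
        # broadcast or unknown unicast: flood inside the VLAN only, excluding the source port
        return [p for p, v in self.port_vlan.items()
                if v == vlan and p != frame.ingress_port]


def demo() -> Dict[str, List[str]]:
    """Replay the scenarios from the text and return who received what."""
    sw = VlanSwitch(port_vlan={
        "Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10,   # accounting VLAN
        "Fa0/4": 20, "Fa0/5": 20,                # engineering VLAN
    })
    acct_a = "00:00:00:00:00:0a"   # constructed addresses
    acct_b = "00:00:00:00:00:0b"
    eng_x = "00:00:00:00:00:0e"
    results = {}
    # A sends to B before the switch has learned B: flooded, but only within VLAN 10
    results["unknown_unicast"] = sw.forward(Frame(acct_a, acct_b, "Fa0/1"))
    # B replies; A was learned on Fa0/1, so the reply goes to that port alone
    results["reply"] = sw.forward(Frame(acct_b, acct_a, "Fa0/2"))
    # A sends to B again: now a known unicast, delivered to Fa0/2 only
    results["known_unicast"] = sw.forward(Frame(acct_a, acct_b, "Fa0/1"))
    # an engineering station addresses B's MAC: VLAN 20 has no entry for it,
    # so the frame is flooded within VLAN 20 and never reaches accounting ports
    results["cross_vlan"] = sw.forward(Frame(eng_x, acct_b, "Fa0/4"))
    # a broadcast from A reaches every other accounting port and no engineering port
    results["broadcast"] = sw.forward(Frame(acct_a, BROADCAST, "Fa0/1"))
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16s} -> {ports}")
```

The "cross_vlan" case is the one worth staring at: the switch does not consult a global MAC table, so an address learned in VLAN 10 is unknown in VLAN 20 and the frame is confined to VLAN 20. The "unknown_unicast" and "broadcast" cases show what a VLAN does not stop: every station in the same VLAN still receives those frames, which is the residual monitoring exposure noted in 3.1.3.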

3.2.6 Dynamic VLANs

Figure 1 Dynamic VLANs (same topology as Figure 2 in 3.2.4: Catalyst 5000 primary VMPS server 1 with a TFTP server, secondary VMPS servers 2 and 3, Switches 1 through 10 at 172.20.26.150 through 172.20.26.159, End Stations 1 and 2, and a router at 172.20.22.7)

With a VLAN Management Policy Server (VMPS), switch ports can be assigned to VLANs dynamically, based on the source MAC address of the device connected to the port. When a host is moved from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

When VMPS is enabled, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If the network administrator resets or power cycles a Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS database downloads from the TFTP server automatically and VMPS is re-enabled. VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests.

When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping. If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an "access-denied" response. If VMPS is in secure mode, the port is shut down. If a VLAN in the database does not match the current VLAN on the port and active hosts are on the port, VMPS sends an access-denied or a port-shutdown response based on the secure mode of the VMPS.

The network administrator can configure a fallback VLAN name. If a device with a MAC address that is not in the database is connected, VMPS sends the fallback VLAN name to the client. If the network administrator does not configure a fallback VLAN and the MAC address does not exist in the database, VMPS sends an access-denied response. If VMPS is in secure mode, it sends a port-shutdown response. An explicit entry can also be made in the configuration table to deny access to specific MAC addresses for security reasons by specifying a --NONE-- keyword for the VLAN name. In this case, VMPS sends an access-denied or port-shutdown response.

On a set command-based switch, a dynamic (nontrunking) port can belong to only one VLAN at a time. When the link comes up, a dynamic port is isolated from its static VLAN. The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting). Multiple hosts (MAC addresses) can be active on a dynamic port if they are all in the same VLAN. If the link goes down on a dynamic port, the port returns to an isolated state. Any hosts that come on line through the port are checked again with VMPS before the port is assigned to a VLAN.

Note that VMPS identifies a host only by its source MAC address. The --NONE-- entry and secure mode restrict what an unknown or explicitly barred address is granted, but a MAC address is not an authenticated identity, so a VMPS placement is a convenience and a policy aid rather than a proof of who is on the port.

The following guidelines and restrictions apply to dynamic port VLAN membership:




• The VMPS must be configured before configuring ports as dynamic.

• When a port is configured as dynamic, Spanning-Tree PortFast is enabled automatically for that port. Automatic enabling of Spanning-Tree PortFast prevents applications on the host from timing out and entering loops caused by incorrect configurations. Spanning-Tree PortFast mode can be disabled on a dynamic port.

• If a port is reconfigured from a static port to a dynamic port on the same VLAN, the port connects immediately to that VLAN. However, VMPS checks the legality of the specific host on the dynamic port after a certain period.

• Static secure ports cannot become dynamic ports. Security must be turned off on the static secure port before it can become dynamic.

• Static ports that are trunking cannot become dynamic ports. Trunking on the trunk port must be turned off before changing it from static to dynamic.

It is also important to note that the VLAN Trunking Protocol (VTP) management domain and the management VLAN of VMPS clients and the VMPS server must be the same.
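The decision procedure described in this section (database lookup, port-group restriction, fallback VLAN, the --NONE-- entry, the conflict with an active VLAN on the port, and secure mode turning every denial into a port shutdown) is compact enough to write down and test. The following is an added example, not Cisco's VMPS implementation: the page shows neither the ASCII database file format nor the VQP wire format, so the database is a plain Python structure and the request is a dataclass. The switch addresses are the ones in the figure; the MAC addresses and VLAN names are constructed.

```python
"""VMPS response logic as described in 3.2.6 (added example, not Cisco's VMPS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ACCESS_DENIED = "access-denied"
PORT_SHUTDOWN = "port-shutdown"
NONE = "--NONE--"   # explicit deny keyword used in place of a VLAN name


@dataclass
class VmpsDatabase:
    mac_to_vlan: Dict[str, str]                                   # MAC -> VLAN name or --NONE--
    vlan_ports: Dict[str, Set[str]] = field(default_factory=dict)  # VLAN -> allowed "switch:port"; absent = any port
    fallback_vlan: Optional[str] = None
    secure_mode: bool = False


@dataclass
class VqpRequest:
    mac: str
    switch: str
    port: str
    current_vlan: Optional[str] = None   # VLAN already active on the port, if any hosts are up


class Vmps:
    def __init__(self, db: VmpsDatabase) -> None:
        self.db = db

    def _deny(self) -> str:
        # secure mode escalates every refusal to shutting the port down
        return PORT_SHUTDOWN if self.db.secure_mode else ACCESS_DENIED

    def respond(self, req: VqpRequest) -> str:
        """Return the VLAN name to assign, or a deny/shutdown response."""
        vlan = self.db.mac_to_vlan.get(req.mac.lower())
        if vlan is None:
            # unknown MAC: fallback VLAN if one is configured, otherwise refuse
            if self.db.fallback_vlan is None:
                return self._deny()
            vlan = self.db.fallback_vlan
        if vlan == NONE:
            return self._deny()           # explicitly barred address
        allowed = self.db.vlan_ports.get(vlan)
        if allowed is not None and f"{req.switch}:{req.port}" not in allowed:
            return self._deny()           # VLAN restricted to a port group this port is outside of
        if req.current_vlan is not None and req.current_vlan != vlan:
            return self._deny()           # would conflict with hosts already active on the port
        return vlan


def demo() -> Dict[str, str]:
    """Exercise each branch of the lookup; addresses and names are constructed."""
    db = VmpsDatabase(
        mac_to_vlan={"00:10:7b:aa:bb:01": "accounting",
                     "00:10:7b:aa:bb:02": "engineering",
                     "00:10:7b:aa:bb:03": NONE},
        vlan_ports={"accounting": {"172.20.26.150:3/1", "172.20.26.150:3/2"}},
        fallback_vlan="guest",
    )
    open_mode = Vmps(db)
    secure = Vmps(VmpsDatabase(db.mac_to_vlan, db.vlan_ports, None, secure_mode=True))
    return {
        "known_on_allowed_port": open_mode.respond(VqpRequest("00:10:7b:aa:bb:01", "172.20.26.150", "3/1")),
        "known_on_other_port": open_mode.respond(VqpRequest("00:10:7b:aa:bb:01", "172.20.26.151", "3/1")),
        "unrestricted_vlan": open_mode.respond(VqpRequest("00:10:7b:aa:bb:02", "172.20.26.159", "2/7")),
        "unknown_with_fallback": open_mode.respond(VqpRequest("00:de:ad:be:ef:00", "172.20.26.151", "2/1")),
        "explicit_none": open_mode.respond(VqpRequest("00:10:7b:aa:bb:03", "172.20.26.150", "3/2")),
        "unknown_secure_no_fallback": secure.respond(VqpRequest("00:de:ad:be:ef:00", "172.20.26.151", "2/1")),
        "vlan_mismatch_secure": secure.respond(
            VqpRequest("00:10:7b:aa:bb:02", "172.20.26.151", "2/1", current_vlan="accounting")),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:28s} {answer}")
```

Two choices to notice when reading a real VMPS database against this model: a fallback VLAN means an address nobody has ever registered still gets a working port, so the fallback should be a VLAN with nothing sensitive on it; and the port-group restriction is the only control that ties a VLAN to a physical location, since the MAC address itself says nothing about where the host is plugged in.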


3.3 Configuring VLANs

3.3.1 Configuring static VLANs

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Switch#show running-config
hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport access vlan 2
!

Figure 2 Cisco IOS Software-Based Switch

Switch> (enable) set vlan 41 2/1-10
VLAN 41 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  ---------
41    2/1-10

Figure 3 Set Command-Based Switch

Static VLANs are ports on a switch that are manually assigned to a VLAN by using a VLAN management application or by working directly within the switch. These ports maintain their assigned VLAN configuration until they are changed manually. Although static VLANs require manual entry changes, they are secure, easy to configure, and straightforward to monitor. This type of VLAN works well in networks where moves are controlled and managed; where there is robust VLAN management software to configure the ports; and where it is not desirable to assume the additional overhead required when maintaining end-station MAC addresses and custom filtering tables.

The creation of a VLAN on a switch is a very straightforward and simple task. If using a Cisco IOS command-based switch, simply go to the interface to be configured and issue the commands:

Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan number

In Figure [1], interface FastEthernet 0/3 is being assigned to VLAN 2. As demonstrated in Figure [2], this configuration has been verified by using the show running-config command. If using a set-based switch, simply enter the set vlan command to create a VLAN, as shown below and in Figure [3].

switch> (enable) set vlan vlan_num mod_num/port_list

Lab Activity In this lab activity, the student will learn how to configure a Distribution Layer Catalyst 4000 Ethernet Switch to support three VLANs - Marketing, Accounting, and Engineering.


Lab Activity In this lab activity, the student will learn how to configure an Access Layer Catalyst 2900 Ethernet Switch to support three VLANs - Marketing, Accounting, and Engineering.

3.3.2 Verify VLAN configuration

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17,
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21,
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Figure 1 Verifying VLAN Configuration

Switch> (enable) show vlan
VLAN  Mod/Ports
----  ---------
1     1/1-2
10    2/3-10
20    2/11-24

Figure 2 Verifying VLAN Configuration

As shown in Figure [1], it is considered to be good practice to verify VLAN configuration by using the show vlan brief command while in privileged mode. The output example from a Cisco IOS command-based switch shows that VLAN 2 is configured on module 0, port 3. The output example from a set command-based switch in Figure [2] shows that VLAN 1 is configured on Module 1, Ports 1 and 2; VLAN 10 is configured on Module 2, Ports 3 through 10; and VLAN 20 is configured on Module 2, Ports 11 through 24. The following facts should be remembered:

• A created VLAN remains unused until it is mapped to switch ports. Use the set vlan command to map VLANs to ports.

• The default configuration has all Ethernet ports on VLAN 1. Groups of ports can be entered as individual entries, for example, 2/1, 3/3, 3/4, or 3/5. A hyphenated format can also be used to map multiple ports, for example, 2/1-4 or 3/3-5.

• Do not enter spaces between the port numbers. The switch will respond with an error message because a space delimits another argument that is not in the command structure of this command.
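Reading show vlan brief by eye works for one switch; across a switch block it is worth turning the output into data so the port-to-VLAN assignment can be checked and every port still sitting in the default VLAN 1 can be listed. The following parser is an added example written for this page, not a Cisco tool. The sample output is Figure 1 from this section re-typed with its line breaks; on a real switch, capture the command output from the console and pass the text to the same function. The parser handles the continuation lines the command uses when a VLAN's port list wraps.

```python
"""Parse Cisco IOS 'show vlan brief' output into a port-to-VLAN map (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Figure 1 of 3.3.2, re-typed with its original line breaks (sample input for the example)
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17,
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21,
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# VLAN id, name, status, then an optional comma-separated port list
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _ports(text: str) -> List[str]:
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_show_vlan_brief(text: str) -> Dict[int, List[str]]:
    """Return {vlan_id: [ports]}, merging wrapped (indented) continuation lines."""
    vlans: Dict[int, List[str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue                                  # header and separator
        if line[0].isspace():                         # continuation of the previous row's port list
            if current is None:
                raise ValueError(f"continuation line before any VLAN row: {line!r}")
            vlans[current].extend(_ports(line))
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        current = int(m.group(1))
        vlans[current] = _ports(m.group(4))
    return vlans


def port_to_vlan(vlans: Dict[int, List[str]]) -> Dict[str, int]:
    """Invert the table; a port listed under two VLANs indicates corrupt output."""
    mapping: Dict[str, int] = {}
    for vid, ports in vlans.items():
        for p in ports:
            if p in mapping:
                raise ValueError(f"{p} listed under VLAN {mapping[p]} and VLAN {vid}")
            mapping[p] = vid
    return mapping


def verify_assignment(text: str, port: str, expected_vlan: int) -> bool:
    """The check behind 'interface Fa0/3 is in VLAN 2'."""
    return port_to_vlan(parse_show_vlan_brief(text)).get(port) == expected_vlan


def ports_in_default_vlan(text: str) -> List[str]:
    """Ports that were never moved out of VLAN 1, the switch default."""
    return parse_show_vlan_brief(text).get(1, [])


if __name__ == "__main__":
    print("Fa0/3 in VLAN 2:", verify_assignment(SAMPLE_SHOW_VLAN_BRIEF, "Fa0/3", 2))
    print("still in VLAN 1:", ", ".join(ports_in_default_vlan(SAMPLE_SHOW_VLAN_BRIEF)))
```

The list returned by ports_in_default_vlan is the practical output: on the sample it is every port except Fa0/3, which is exactly what the text means by "the default configuration has all Ethernet ports on VLAN 1".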

Interactive Lab Activity In this activity, the student will learn how to configure and verify VLANs on a Catalyst 4000 switch.

Interactive Lab Activity In this activity, the student will learn how to configure and verify VLANs on a Catalyst 2900 switch.

3.3.3 Deleting VLANs

Console> (enable) clear vlan 2
This command will deactivate all ports on vlan 2 in the entire management domain
Do you want to continue(y/n) [n]?y
Vlan 2 deleted
Console> (enable)

Figure 1 Deleting VLANs

Switch(config-if)#no switchport access vlan 2
Switch(config-if)#

Figure 2 Cisco IOS Software-Based Switch

Removing a VLAN from a set command-based switch is just as easy as configuring one. To remove a VLAN from the switch, issue the clear vlan vlan_number command, as shown in Figure [1]. In this example, VLAN 2 is being removed from the domain by using the command clear vlan 2 on the set-based switch. It is important to note that this command must be issued on a VTP server switch. VLANs cannot be deleted from a VTP client switch. If the switch is configured in transparent mode, the VLAN can be deleted. However, the VLAN is removed only from the one Catalyst Switch and is not deleted throughout the management domain. All VLAN creations and deletions are locally significant only on a transparent switch. VTP domains are covered in this section.

When an attempt to delete the VLAN is made, the switch will issue a warning that all ports belonging to the VLAN in the management domain will be deactivated. If there are 50 devices as members of the VLAN when it is deleted, all 50 stations become isolated because their local switch port becomes disabled. If the VLAN is re-created, the ports automatically become active again because the switch remembers what VLAN each port belongs to. In other words, if the VLAN exists, the ports become active. If the VLAN does not exist, the ports become inactive. Use caution when deleting VLANs: it could be catastrophic to accidentally eliminate a VLAN that still has active users on it, and a clear vlan issued on a VTP server takes effect on every switch in the management domain, not just the one at the console.

Removing a VLAN from a Cisco IOS command-based switch interface is just like removing a command from a router. In a previous example, VLAN 2 was assigned to FastEthernet 0/3 by using the command Switch(config-if)#switchport access vlan 2. To remove this VLAN from the interface, simply use the "no" form of the command, as shown in Figure [2].

3.3.4 Configure the VMPS server

Task                                                                      Command
Step 1  Configure the IP address of the TFTP server on which the ASCII    set vmps tftpserver ip_addr [filename]
        text VMPS database configuration file resides.
Step 2  Enable VMPS.                                                      set vmps state enable
Step 3  Verify the VMPS configuration.                                    show vmps

Console> (enable) set vmps state enable
Vlan Membership Policy Server enable is in progress.
Console> (enable)

Figure 1 Configure the VMPS Server


To disable VMPS, perform this task in privileged mode:

Task                                       Command
Step 1  Disable VMPS.                      set vmps state disable
Step 2  Verify that VMPS is disabled.      show vmps

Console> (enable) set vmps state disable
All the VMPS configuration information will be lost and the resources released on disable.
Do you want to continue (y/n[n]): y
Vlan Membership Policy Server disabled.
Console> (enable)

Figure 2 Disable VMPS

When VMPS is enabled, it downloads the VMPS database from the TFTP server and begins accepting VMPS requests. The configuration of VMPS is basically a two-step process. To configure VMPS on a set command-based switch, follow the steps in Figure [1]. Disabling VMPS is an equally simple process. To disable VMPS on a set command-based switch, simply issue the command set vmps state disable, as shown in Figure [2].

3.3.5 Configure a VMPS client

To configure dynamic ports on a VMPS client set command-based switch, perform these tasks in privileged mode:

Step 1: Specify the IP address of the VMPS server (the switch with VMPS enabled).
        set vmps server ip_addr [primary]

Step 2: Verify the VMPS server specification.
        show vmps server

Step 3: Configure the VLAN membership assignment to a port.
        set port membership mod_num/port_num {dynamic | static}

Step 4: Verify the dynamic port assignments.
        show port [mod_num[/port_num]]

Console> (enable) show vmps server
VMPS domain server    VMPS Status
--------------------------------------
192.0.0.6
192.0.0.1             primary
192.0.0.9
Console> (enable) set port membership 3/1-3 dynamic
Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.

Figure 1 Configuring Dynamic Ports on a VMPS Client


Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100BASE-TX
1/2         connect  trunk  normal  half    100    100BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-5  normal  half    10     10BASE-T
3/2         connect  dyn-5  normal  half    10     10BASE-T
3/3         connect  dyn-5  normal  half    10     10BASE-T
Console> (enable)

Figure 2 Verifying VMPS Configuration

To configure a Cisco IOS Software-based switch as a VMPS client, perform these tasks:

Step 1: Enter global configuration mode.
        configure terminal

Step 2: Enter the IP address of the switch acting as the primary VMPS server.
        vmps server ipaddress primary

Step 3: Enter the IP address for the switch acting as a secondary VMPS server.
        vmps server ipaddress

Step 4: Return to privileged EXEC mode.
        end

Step 5: Verify the VMPS server entry.
        show vmps

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# vmps server 172.20.128.179 primary
Switch(config)# vmps server 172.20.128.178
Switch(config)# end

Figure 3 Configuring a Software-Based Switch as a VMPS Client

Switch#show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary, current)
                    172.20.128.178

Reconfirmation status
---------------------
VMPS Action:        No Dynamic Port

Figure 4 Verifying Configuration on a Software-Based Switch


To configure dynamic ports on VMPS client set command-based switches, perform the tasks listed in Figure [1] while in privileged mode on the switch. The example shows how to specify the VMPS server, verify the VMPS server specification, and assign dynamic ports. To verify the VMPS configuration, issue the show port command, as shown in Figure [2]. Note that the show port command displays dyn- alone under the Vlan column for a dynamic port that has not yet been assigned a VLAN, and dyn- followed by the VLAN number (for example, dyn-5) once VMPS has assigned one. To configure a Cisco IOS Software-based switch as a client, it is simply a matter of entering the IP address of the switch or other device acting as the VMPS, as shown in Figure [3]. To verify the VMPS configuration, issue the show vmps command, as shown in Figure [4].

3.3.6 Access links and trunk links

Figure 1 Access Links and Trunk Links

An access link is a link on the switch that is a member of only one VLAN. This VLAN is referred to as the native VLAN of the port. Any device attached to the port is completely unaware that a VLAN exists; the device simply assumes that it is part of a network or subnet based on the Layer 3 information configured on it. So that the device never has to understand VLANs, the switch is responsible for removing any VLAN information from the frame before the frame is sent to the end device. Because only one VLAN is configured on the port, other VLANs cannot communicate with the device unless the traffic is routed by a Layer 3 device. A trunk link differs from an access link in that it is capable of supporting multiple VLANs. Trunk links are typically used to connect switches to other switches or to routers. Switches support trunk links on both Fast Ethernet and Gigabit Ethernet ports.


When the switch receives a frame on a trunk link, it has two methods of identifying the VLAN that the frame belongs to: the Cisco proprietary ISL encapsulation and the IEEE 802.1Q tagging standard. It is important to understand that a trunk link does not belong to a specific VLAN. The responsibility of a trunk link is to act as a conduit for VLANs between switches and routers. The trunk link can be configured to transport all VLANs or only a limited set of VLANs. A trunk link may, however, have a native VLAN. On an 802.1Q trunk the native VLAN is the VLAN whose frames are sent and received without a tag, and it is also the VLAN the port falls back to as an access port if trunk negotiation fails for any reason.

In the Figure, Port A and Port B have been defined as access links on the same VLAN. By definition, they can belong only to VLAN 200 and cannot receive frames with a VLAN identifier. As Switch Y receives traffic from Port A destined for Port B, Switch Y does not add an ISL encapsulation to the frame. Port C is also an access link, and it too has been defined as a member of VLAN 200. If Port A sends a frame destined for Port C, the switches do the following:

1. Switch Y receives the frame and identifies it as traffic belonging to VLAN 200 by the association between VLAN and port number.
2. Switch Y encapsulates the frame with an ISL header identifying VLAN 200 and sends the frame toward the intermediate switch on a trunk link.
3. This process is repeated for every switch that the frame must transit on its way to its final destination of Port C.
4. Switch Z receives the frame, removes the ISL header, and forwards the untagged frame to Port C.


3.4 VLAN Identification

3.4.1 VLAN frame identification

Figure 1 Frame Tagging and Encapsulation Methods

VLAN identification logically identifies which frames belong to which VLAN. Multiple trunking methodologies exist, as follows:

• IEEE 802.1Q - This protocol is an IEEE standard method for identifying VLANs by inserting a VLAN identifier into the frame header. This process is referred to as frame tagging.
• ISL - This protocol is a Cisco proprietary encapsulation protocol for interconnecting multiple switches; it is supported in switches as well as routers.
• 802.10 - IEEE 802.10 is an IEEE standard for secure data exchange; Cisco uses it in a proprietary way to transport VLAN information inside the standard 802.10 frame on FDDI. The VLAN information is written to the security association identifier (SAID) portion of the 802.10 frame. This method is typically used to transport VLANs across FDDI backbones.
• LAN Emulation (LANE) - LANE is an ATM Forum standard that can be used for transporting VLANs over Asynchronous Transfer Mode (ATM) networks.


3.4.2 ISL

Figure 1 ISL Frame Format

Figure 2 ISL Frame Format


Field: Description

DA: A 40-bit multicast address with a value of 0x01-00-0C-00-00 that indicates to the receiving Catalyst that the frame is an ISL encapsulated frame.
Type: A 4-bit value indicating the source frame type. Values include 0000 (Ethernet), 0001 (Token Ring), 0010 (FDDI), and 0011 (ATM).
User: A 4-bit value usually set to zero, but it can be used for special situations when transporting Token Ring.
SA: The 802.3 MAC address of the transmitting Catalyst. This is a 48-bit value.
Length: The LEN field is a 16-bit value indicating the length of the user data and ISL header, but it excludes the DA, Type, User, SA, Length, and ISL CRC bytes.
SNAP: A three-byte field with a fixed value of 0xAA-AA-03.
HSA: This three-byte value duplicates the high-order bytes of the ISL SA field.
VLAN: A 15-bit value that reflects the numerical value of the source VLAN that the user frame belongs to. Note that only 10 bits are used.
BPDU: A single-bit value that, when set to 1, indicates that the receiving Catalyst should immediately examine the frame as an end station would, because the data contains a Spanning Tree, ISL, VTP, or CDP message.
Index: The value indicates which port the frame exited from on the source Catalyst.
Reserved: Token Ring and FDDI frames have special values that need to be transported over the ISL link. These values, such as AC and FC, are carried in this field. The value of this field is zero for Ethernet frames.
User Frame: The original user data frame is inserted here, including the frame's FCS.
CRC: ISL calculates a 32-bit CRC for the header and user frame. This double-checks the integrity of the message as it crosses an ISL trunk. It does not replace the User Frame CRC.

Figure 3 ISL Encapsulation Description

ISL is a vendor-specific, Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL adds overhead to the frame: a 26-byte header containing a 10-bit VLAN ID, plus a 4-byte cyclic redundancy check (CRC) appended to the end of each frame. This CRC is in addition to the frame check sequence that the Ethernet frame already carries. The ISL encapsulation is added only if the frame is forwarded out a port configured as a trunk link; if the frame is forwarded out a port configured as an access link, the ISL encapsulation is removed. Figure [1] illustrates the ISL frame format, Figure [2] lists the sizes of the various ISL fields, and Figure [3] describes the ISL fields contained within the frame.
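The encapsulation and de-encapsulation steps described in 3.3.6 and the field layout in Figure 3 can be exercised with the following Python code. This is an added example written for this page, not code from the Cisco course: it builds the 26-byte ISL header around a constructed 64-byte Ethernet frame, appends the 4-byte ISL CRC, and parses the result back, checking the DA, SNAP, HSA, LEN and CRC fields and rejecting VLAN IDs that do not fit in the 10 bits ISL uses. The CRC-32 is computed with zlib.crc32 as an assumed stand-in for the switch hardware's CRC; the sample frame and the switch MAC address are made up.

```python
import struct
import zlib

# Field values taken from the ISL description in Figure 3.
ISL_DA = bytes.fromhex("01000C0000")   # 40-bit multicast DA that marks an ISL frame
ISL_SNAP = bytes.fromhex("AAAA03")     # fixed SNAP/LLC value
ISL_TYPE_ETHERNET = 0x0                # 4-bit TYPE code for an Ethernet source frame
ISL_HEADER_LEN = 26
ISL_CRC_LEN = 4

# Constructed sample input: a minimum-size (64-byte) Ethernet frame including its
# FCS, and a made-up MAC address for the encapsulating switch.
SAMPLE_FRAME = (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
                + b"\x08\x00" + b"\x00" * 46 + b"\xde\xad\xbe\xef")
SWITCH_MAC = bytes.fromhex("00d0ba000001")


def isl_crc(data: bytes) -> bytes:
    # Assumption: the ISL 32-bit CRC is the same CRC-32 that zlib.crc32 computes.
    return struct.pack("!I", zlib.crc32(data) & 0xFFFFFFFF)


def isl_encapsulate(user_frame: bytes, vlan_id: int, switch_mac: bytes,
                    port_index: int = 0, bpdu: bool = False,
                    frame_type: int = ISL_TYPE_ETHERNET) -> bytes:
    """Wrap an Ethernet frame (FCS included) in the 26-byte ISL header and
    append the 4-byte ISL CRC, giving 30 bytes of overhead in total."""
    if not 0 <= vlan_id < 1024:
        raise ValueError("ISL uses only 10 bits of the VLAN field (0-1023)")
    if len(switch_mac) != 6:
        raise ValueError("switch MAC must be 6 bytes")
    da_type_user = ISL_DA + bytes([(frame_type << 4) | 0x0])   # DA, TYPE, USER (USER = 0)
    hsa = switch_mac[:3]                                        # high-order bytes of SA
    vlan_bpdu = struct.pack("!H", (vlan_id << 1) | int(bpdu))  # 15-bit VLAN + 1-bit BPDU
    index = struct.pack("!H", port_index)                       # source port index
    reserved = b"\x00\x00"                                      # zero for Ethernet
    # LEN counts everything after the LEN field up to, but not including, the ISL CRC.
    tail = ISL_SNAP + hsa + vlan_bpdu + index + reserved + user_frame
    body = da_type_user + switch_mac + struct.pack("!H", len(tail)) + tail
    return body + isl_crc(body)


def isl_decapsulate(isl_frame: bytes) -> dict:
    """Validate an ISL frame (DA, CRC, SNAP, HSA, LEN) and return its fields
    together with the original user frame. Raises ValueError otherwise."""
    if len(isl_frame) < ISL_HEADER_LEN + ISL_CRC_LEN:
        raise ValueError("frame too short to be ISL")
    if isl_frame[:5] != ISL_DA:
        raise ValueError("DA is not 01-00-0C-00-00, so this is not an ISL frame")
    body, crc = isl_frame[:-ISL_CRC_LEN], isl_frame[-ISL_CRC_LEN:]
    if crc != isl_crc(body):
        raise ValueError("ISL CRC mismatch")
    frame_type, user = isl_frame[5] >> 4, isl_frame[5] & 0x0F
    sa = isl_frame[6:12]
    length = struct.unpack("!H", isl_frame[12:14])[0]
    if isl_frame[14:17] != ISL_SNAP:
        raise ValueError("SNAP field is not AA-AA-03")
    if isl_frame[17:20] != sa[:3]:
        raise ValueError("HSA does not repeat the high-order bytes of SA")
    vlan_bpdu, index = struct.unpack("!HH", isl_frame[20:24])
    user_frame = isl_frame[ISL_HEADER_LEN:-ISL_CRC_LEN]
    if length != 12 + len(user_frame):       # SNAP+HSA+VLAN+INDEX+RES = 12 bytes
        raise ValueError("LEN field disagrees with the frame size")
    return {"type": frame_type, "user": user, "sa": sa, "index": index,
            "vlan": vlan_bpdu >> 1, "bpdu": bool(vlan_bpdu & 1),
            "user_frame": user_frame}


if __name__ == "__main__":
    wrapped = isl_encapsulate(SAMPLE_FRAME, 200, SWITCH_MAC, port_index=0x0301)
    print(len(SAMPLE_FRAME), "->", len(wrapped), "bytes on the trunk")
    print("VLAN", isl_decapsulate(wrapped)["vlan"])
```

The decapsulation side rejects a plain Ethernet frame (wrong DA) and any frame whose CRC does not match, which is the check a receiving trunk port performs before it trusts the VLAN field.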


3.4.3 IEEE 802.1Q

Figure 1 Frame Identification with 802.1Q

The official name for the IEEE 802.1Q protocol is the Standard for Virtual Bridged Local-Area Networks; it relates to the ability to carry the traffic of more than one subnet down a single cable. The IEEE 802.1Q committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Both ISL and IEEE 802.1Q tagging are explicit tagging, meaning that the frame is tagged with VLAN information explicitly. However, while ISL uses an external tagging process that does not modify the existing Ethernet frame, IEEE 802.1Q uses an internal tagging process that does modify the Ethernet frame. This internal tagging process is what allows IEEE 802.1Q tagging to work on both access and trunk links, because the frame still appears to be a standard Ethernet frame. The IEEE 802.1Q frame-tagging scheme also has significantly less overhead than the ISL tagging method. As opposed to the 30 bytes added by ISL, 802.1Q inserts only an additional 4 bytes into the Ethernet frame, as shown in the Figure.

The IEEE 802.1Q header contains the following:

• A 4-byte tag header containing a tag protocol identifier (TPID) and tag control information (TCI), with the following elements:
  o A 2-byte TPID with a fixed value of 0x8100. This value indicates that the frame carries the 802.1Q/802.1p tag information.
  o A 2-byte TCI containing the following elements:
    - Three-bit user priority
    - One-bit canonical format indicator (CFI)
    - Twelve-bit VLAN identifier (VID), which uniquely identifies the VLAN to which the frame belongs

Note: The CFI is used in Ethernet frames to indicate the presence of a Routing Information Field (RIF); the RIF is used in Token Ring networks to indicate the route the frame is to take through the network (source-route bridging).

The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, a maximum-sized Ethernet frame that gets tagged grows to 1522 bytes, a size that violates the original IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet frame size to 1522 bytes. Network devices that do not support the larger frame size may still process such frames successfully, but they may count or report these frames as "baby giants".
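The tag layout and the baby-giant size problem above can be checked with the following Python code, an added example for this page rather than code from the course. It inserts and strips the 4-byte tag after the source address (recomputing the FCS, since 802.1Q modifies the frame itself), classifies untagged and VID 0 (priority-only tagged) frames into the port's native VLAN as a trunk port does, and flags frames in the 1519 to 1522 byte range. The FCS is computed with zlib.crc32, which implements the same CRC-32 as the Ethernet FCS, transmitted least-significant byte first; the maximum-size sample frame is constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100
ETH_MAX_UNTAGGED = 1518   # IEEE 802.3 maximum frame size, FCS included
ETH_MAX_TAGGED = 1522     # 802.3ac: one 4-byte tag more


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    # The Ethernet FCS is CRC-32 (the same CRC zlib.crc32 computes),
    # sent least-significant byte first.
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


# Constructed sample input: a maximum-size untagged frame (14-byte header,
# 1500-byte payload, 4-byte FCS = 1518 bytes).
_MAX_BODY = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
             + b"\x08\x00" + b"\x00" * 1500)
MAX_FRAME = _MAX_BODY + ethernet_fcs(_MAX_BODY)


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source address.
    Because the frame itself is modified, the FCS is recomputed."""
    if not 0 <= vid <= 4094:                # 4095 is reserved; 0 means priority tag only
        raise ValueError("VID is a 12-bit field, 0-4094")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is 1 bit")
    tci = (priority << 13) | (cfi << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]
    return body + ethernet_fcs(body)


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Classify a frame the way a trunk port does: a tagged frame belongs to the
    VID in its tag; an untagged frame, or one tagged with VID 0, belongs to the
    port's native VLAN. Also flags the baby-giant size range."""
    if len(frame) < 18:
        raise ValueError("too short for an Ethernet frame with FCS")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"tagged": False, "vid": native_vlan, "priority": 0, "cfi": 0,
            "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        info.update(tagged=True, priority=tci >> 13, cfi=(tci >> 12) & 1,
                    vid=vid if vid else native_vlan, ethertype=inner_type)
    info["length"] = len(frame)
    info["baby_giant"] = ETH_MAX_UNTAGGED < len(frame) <= ETH_MAX_TAGGED
    info["oversize"] = len(frame) > ETH_MAX_TAGGED
    return info


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before delivery to an access port; untagged input is returned as is."""
    if not parse_frame(frame)["tagged"]:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + ethernet_fcs(body)


if __name__ == "__main__":
    tagged = tag_frame(MAX_FRAME, 200, priority=5)
    print(len(MAX_FRAME), "->", len(tagged), parse_frame(tagged))
```

If the inner ethertype reported for a tagged frame is itself 0x8100, the frame carries a second tag; the parser reports only the outer one, which is the tag a switch acts on.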

3.4.4 LANE

Figure 1 LANE

LANE (LAN Emulation) is a standard defined by the ATM Forum that gives two stations attached via ATM the same capabilities they normally have with legacy LANs, such as Ethernet and Token Ring. As the name suggests, the function of the LANE protocol is to emulate a LAN on top of an ATM network. Specifically, the LANE protocol defines mechanisms for emulating either an IEEE 802.3 Ethernet or an 802.5 Token Ring LAN. The LANE protocol defines a service interface for higher-layer (that is, network-layer) protocols that is identical to that of existing LANs. Data sent across the ATM network is encapsulated in the appropriate LAN MAC format. In other words, the LANE protocols make an ATM network look and behave like an Ethernet or Token Ring LAN, albeit one operating much faster than actual Ethernet or Token Ring networks.

An ELAN (emulated LAN) provides Layer 2 communication between all users on that ELAN. One or more ELANs can run on the same ATM network. However, each ELAN is independent of the others, and users on separate ELANs cannot communicate directly. Just like a VLAN, communication between ELANs is possible only through routers or bridges. Because an ELAN provides Layer 2 communication, it can be equated to a broadcast domain. VLANs can also be thought of as broadcast domains. This makes it possible to map an ELAN to a VLAN on Layer 2 switches that use other VLAN multiplexing technologies such as ISL or 802.10. In addition, IP subnets and Internetwork Packet Exchange (IPX) networks that are defined on Layer 3-capable devices such as routers frequently map onto broadcast domains (barring secondary addressing). This makes it possible to assign an IP subnetwork or an IPX network to an ELAN.

It is important to note that LANE does not attempt to emulate the access method of the specific LAN concerned (that is, carrier sense multiple access collision detect (CSMA/CD) for Ethernet or token passing for IEEE 802.5). LANE requires no modifications to higher-layer protocols to enable their operation over an ATM network. Because the LANE service presents the same service interface as existing MAC protocols to network-layer drivers (such as a Network Driver Interface Specification (NDIS) or Open Data-Link Interface (ODI) driver interface), no changes are required to these drivers.

3.4.5 IEEE 802.10 Protocol

The IEEE 802.10 protocol provides connectivity between VLANs. Originally developed to address the growing need for security within shared LAN/MAN environments, it incorporates authentication and encryption techniques to ensure data confidentiality and integrity throughout the network. Additionally, by functioning at Layer 2, it is well suited to high-throughput, low-latency switching environments. The IEEE 802.10 protocol can run over any LAN or HDLC serial interface.

The VLAN routing implementation treats the ISL and 802.10 protocols as encapsulation types. On a physical router interface that receives and transmits VLAN packets, an arbitrary subinterface can be selected and mapped to the particular VLAN "color" embedded within the VLAN header. This mapping allows selective control over how LAN traffic is routed or switched outside of its own VLAN domain. In the VLAN routing paradigm, a switched VLAN corresponds to a single routed subnet, and the network address is assigned to the subinterface. To route a received VLAN packet, the Cisco IOS software VLAN switching code first extracts the VLAN ID from the packet header (a 10-bit field in the case of ISL, and a 4-byte entity known as the security association identifier in the case of IEEE 802.10), then demultiplexes the VLAN ID value into a subinterface of the receiving port. If the VLAN color does not resolve to a subinterface, the Cisco IOS software can transparently bridge the foreign packet natively (without modifying the VLAN header), on the condition that the Cisco IOS software is configured to bridge on the subinterface itself. For VLAN packets that bear an ID corresponding to a configured subinterface, received packets are then classified by protocol type before running the appropriate protocol-specific fast switching engine. If the subinterface is assigned to a bridge group, then nonrouted packets are de-encapsulated before they are bridged. This is termed "fallback bridging" and is most appropriate for nonroutable traffic types.


3.5 Trunking 3.5.1 Trunking overview

Figure 1 Trunking

In basic terminology, a trunk is a point-to-point link that supports several VLANs. The purpose of a trunk is to save ports when creating a link between two devices implementing VLANs, typically two switches. In the top figure, two VLANs must be available on two switches, Sa and Sb. The first easy method of implementation is to create two physical links between the devices, each one carrying the traffic for a separate VLAN. Of course, this first solution does not scale well: adding a third VLAN would cost two additional ports. This design is also inefficient in terms of load sharing; the traffic on some VLANs may not justify a dedicated link. A trunk bundles virtual links over one physical link, as shown in the bottom figure. Here, the single physical link between the two switches is able to carry traffic for any VLAN. To achieve this, each frame sent on the link is tagged by Sa so that Sb knows which VLAN it belongs to. Different tagging schemes exist. The most common for Ethernet segments are:

• ISL (the original Cisco proprietary InterSwitch Link protocol)
• 802.1Q (the IEEE standard this section focuses on)

3.5.2 Configuring a VLAN trunk

Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk ?
  allowed        Set allowed VLAN characteristics when interface is in trunking mode
  encapsulation  Set trunking encapsulation when interface is in trunking mode
  native         Set trunking native characteristics when interface is in trunking mode
  pruning        Set pruning VLAN characteristics when interface is in trunking mode
Switch(config-if)#switchport trunk encapsulation ?
  dot1q  Interface uses only 802.1q trunking encapsulation when trunking
  isl    Interface uses only ISL trunking encapsulation when trunking
Switch(config-if)#switchport trunk encapsulation isl
Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) show port capabilities 2/1
Model                    WS-X4232-GB-RJ
Port                     2/1
Type                     No GBIC
Speed                    1000
Duplex                   full
Trunk encap type         802.1Q
Trunk mode               on,off,desirable,auto,nonegotiate
Channel                  2/1-2
Flow control             receive-(off,on,desired),send-(off,on,desired)
Security                 yes
Membership               static,dynamic
Fast start               yes
QOS scheduling           rx-(none),tx-(2q1t)
CoS rewrite              no
ToS rewrite              no
Rewrite                  no
UDLD                     yes
SPAN                     source,destination
--------------------------------------------------------------
Console> (enable) set trunk 2/1 on dot1q
Port(s) 2/1 trunk mode set to on.
Port(s) 2/1 trunk type set to dot1q.
Console> (enable)

Figure 2 Set Command-Based Switch

To create or configure a VLAN trunk on a Cisco IOS command-based switch, configure the port first as a trunk and then specify the trunk encapsulation. To do this, issue the commands:

Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation ?
  dot1q  Interface uses only 802.1q trunking encapsulation when trunking
  isl    Interface uses only ISL trunking encapsulation when trunking

These commands are shown in Figure [1]. Before attempting to configure a VLAN trunk on a port, it is wise to determine what encapsulation the port can support. This can be done with the show port capabilities command on a set command-based switch, as shown in Figure [2]. In this example, you can see that Port 2/1 supports only the IEEE 802.1Q encapsulation. To create or configure a VLAN trunk on a set command-based switch, enter the set trunk command to configure the port on each end of the link as a trunk port and to specify the VLANs that will be transported on this trunk link. Also use the set trunk command to change the mode of a trunk:

Switch> (enable) set trunk mod_num/port_num [on | off | desirable | auto | nonegotiate] vlan_range [isl | dot1q | dot10 | lane | negotiate]

Fast Ethernet and Gigabit Ethernet trunking modes are as follows:

• On - This mode puts the port into permanent trunking. The port becomes a trunk port even if the neighboring port does not agree to the change. The on state does not allow for the negotiation of an encapsulation type; therefore, the encapsulation must be specified in the configuration.
• Off - This mode puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The port becomes a nontrunk port even if the neighboring port does not agree to the change.
• Desirable - This mode makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
• Auto - This mode makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode for Fast and Gigabit Ethernet ports. Notice that if the default setting is left on both sides of the link, it will never become a trunk; neither side will be the first to ask to convert to a trunk.
• Nonegotiate - This mode puts the port into permanent trunking mode but prevents the port from generating Dynamic Trunking Protocol (D TP) frames. The neighboring port must be manually configured as a trunk port to establish a trunk link.

The example in Figure [2] configures Port 2/1 as a permanent trunk using the IEEE 802.1Q encapsulation.
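The five mode descriptions above define a small decision table, and it is worth being able to evaluate it for any pair of ports rather than reasoning case by case. The following Python code is an added example for this page (not from the course) that encodes those rules, reports whether a link trunks, stays an access link, or ends up one-sided (one end trunking and the other not), and lists which ports would start trunking if whatever is plugged into them sends DTP in desirable mode. The mode names are those of the set trunk command; the port names in the usage are made up.

```python
MODES = ("on", "off", "desirable", "auto", "nonegotiate")


def _side_trunks(me: str, peer: str) -> bool:
    """Does the port in mode `me` end up trunking when its neighbor is in mode `peer`?"""
    if me == "off":
        return False                       # permanent nontrunking
    if me in ("on", "nonegotiate"):
        return True                        # permanent trunking, whatever the neighbor does
    # desirable and auto decide on DTP frames from the neighbor. An off port refuses
    # to trunk and a nonegotiate port sends no DTP frames, so neither convinces us.
    if peer in ("off", "nonegotiate"):
        return False
    if me == "desirable":
        return peer in ("on", "desirable", "auto")
    return peer in ("on", "desirable")     # auto never asks first


def negotiate(local: str, remote: str) -> tuple:
    """Return (local_trunks, remote_trunks) for the two ends of one link."""
    local, remote = local.lower(), remote.lower()
    for mode in (local, remote):
        if mode not in MODES:
            raise ValueError(f"unknown trunk mode {mode!r}")
    return _side_trunks(local, remote), _side_trunks(remote, local)


def forms_trunk(local: str, remote: str) -> bool:
    """True only when both ends agree that the link is a trunk."""
    return all(negotiate(local, remote))


def is_mismatched(local: str, remote: str) -> bool:
    """True when one end trunks and the other does not (a one-sided trunk)."""
    a, b = negotiate(local, remote)
    return a != b


def mode_matrix() -> dict:
    """Outcome for every pair of modes: 'trunk', 'access', or 'mismatch'."""
    result = {}
    for a in MODES:
        for b in MODES:
            if forms_trunk(a, b):
                result[(a, b)] = "trunk"
            elif is_mismatched(a, b):
                result[(a, b)] = "mismatch"
            else:
                result[(a, b)] = "access"
    return result


def ports_that_trunk_on_request(ports: dict) -> list:
    """Given {port: mode} for ports meant to stay access ports, list those that
    would become trunks if the attached device sends DTP in desirable mode."""
    return sorted(p for p, mode in ports.items() if forms_trunk(mode, "desirable"))


if __name__ == "__main__":
    for pair, outcome in sorted(mode_matrix().items()):
        print(f"{pair[0]:12} {pair[1]:12} {outcome}")
    # Made-up port table: only 3/2 is safe from a desirable neighbor.
    print(ports_that_trunk_on_request({"3/1": "auto", "3/2": "off", "3/3": "desirable"}))
```

The last function is the practical consequence of auto being the default: a port left in auto trunks as soon as its neighbor asks, so ports that are supposed to serve end stations should be set to off.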


3.5.3 Removing VLANs from a trunk

Figure 1 Cisco IOS Software-Based Switch

Figure 2 Set Based Switch


Figure 3 Set Based Switch

By default, all VLANs are transported across a trunk link when the set trunk command is issued. However, there are instances where the trunk link should not carry all VLANs:

• Broadcast suppression - All broadcasts are sent to every port in a VLAN. A trunk link acts as a member port of the VLAN and, therefore, must pass all the broadcasts. Bandwidth and processing time are wasted if there is no port at the other end of the trunk link that is a member of that VLAN.
• Topology change - Changes that occur in the topology must also be propagated across the trunk link. If the VLAN is not used on the other end of the trunk link, there is no need for the overhead of a topology change.

By default, a Cisco IOS command-based switch trunk port sends to and receives traffic from all VLANs in the VLAN database. All VLANs, 1 to 1005, are allowed on each trunk. However, VLANs can be removed from the allowed list, which prevents traffic from those VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the remove vlan-list parameter to remove specific VLANs from the allowed list:

Switch(config-if)#switchport trunk allowed vlan remove vlan-list

The example in Figure [1] shows first how to remove VLAN 3 from a trunk and then how to remove VLANs 6-10 from the trunk. This is verified with the show running-config command. To remove a VLAN from a trunk link on a set command-based switch, use the following command:

Switch> (enable) clear trunk mod_num/port_num vlan_range

The example in Figure [2] shows how to remove VLANs 6-10 from the trunk on the set command-based switch.


Verify that trunking has been configured, and check its settings, with the show trunk [mod_num/port_num] command from privileged mode on the switch, as shown in Figure [3]. The example in Figure [3] shows how to verify the trunk configuration on a set command-based switch. Remember that when a trunk is configured on a set command-based switch, all VLANs (1 to 1005) are transported by default, even if a VLAN range is specified in the set trunk command; that range only adds VLANs to the allowed list. Use the clear trunk command to remove VLANs from the link. To remove a large number of VLANs from a trunk link, it is usually easier to clear all VLANs from the trunk link first and then specify only the VLANs that are supposed to be on the link.
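The allowed-list operations in this section (remove a VLAN, remove a range, clear everything and add back only what belongs) are set arithmetic on the VLAN range, and the mismatch to watch for is a VLAN allowed on one end of the trunk but not the other. The following Python code is an added example for this page, not from the course: it parses the vlan-list syntax used by the commands above, applies the keywords of the IOS switchport trunk allowed vlan command (add, all, except, none, remove) to an allowed set, prints the result in the compressed form the CLI uses, and compares the two ends of a trunk. The VLAN lists in the usage are made up.

```python
ALL_VLANS = frozenset(range(1, 1006))   # the default allowed list, 1 to 1005


def parse_vlan_list(spec: str) -> set:
    """Parse a vlan-list argument such as '3', '6-10' or '1,3,6-10'."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """Compress a set of VLANs into the '1-2,4-5,11-1005' form the CLI prints."""
    nums = sorted(vlans)
    pieces, i = [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        pieces.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(pieces)


def apply_allowed(allowed: set, keyword: str, spec: str = "") -> set:
    """Apply one 'switchport trunk allowed vlan <keyword> [vlan-list]' command
    to the current allowed set and return the new set."""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(spec)
    if keyword == "add":
        return allowed | parse_vlan_list(spec)
    if keyword == "remove":
        return allowed - parse_vlan_list(spec)
    raise ValueError(f"unknown keyword {keyword!r}")


def carried_vlans(local_allowed: set, remote_allowed: set) -> set:
    """VLANs that actually cross the trunk: allowed at both ends."""
    return local_allowed & remote_allowed


def one_sided_vlans(local_allowed: set, remote_allowed: set) -> set:
    """VLANs allowed on only one end; their frames are dropped at the far side."""
    return local_allowed ^ remote_allowed


if __name__ == "__main__":
    # Made-up configuration: the Figure 1 sequence (remove 3, then remove 6-10).
    allowed = set(ALL_VLANS)
    allowed = apply_allowed(allowed, "remove", "3")
    allowed = apply_allowed(allowed, "remove", "6-10")
    print("switchport trunk allowed vlan", format_vlan_list(allowed))
```

Comparing both ends with one_sided_vlans is the check to run after pruning a trunk by hand: a VLAN that appears there is configured on one switch only and its traffic silently dies on the link.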


3.6 VLAN Trunking Protocol (VTP) 3.6.1 VTP Benefits

Figure 1 VTP Benefits

The role of the VLAN Trunking Protocol (VTP) is to maintain VLAN configuration consistency across the entire network. VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis. Further, VTP allows centralized changes that are communicated to all other switches in the network. VTP minimizes the configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs cross-connect when duplicate names are used; VLANs can also become internally disconnected when they are mapped from one LAN type to another (for example, Ethernet to ATM or FDDI). VTP provides the following benefits:

• VLAN configuration consistency across the network
• A mapping scheme that allows a VLAN to be trunked over mixed media, for example mapping Ethernet VLANs to a high-speed backbone VLAN such as ATM LANE or FDDI
• Accurate tracking and monitoring of VLANs
• Dynamic reporting of added VLANs across the network
• Plug-and-play configuration when adding new VLANs

Before creating VLANs on the switch, first set up a VTP management domain, within which the current VLANs on the network can be verified. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information. Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

• Management domain
• Configuration revision number
• Known VLANs and their specific parameters

3.6.2 VTP operation

Figure 1 VTP Operation (diagram: Catalyst switches C5000-1 through C5000-6 connected by trunk ports in the VTP domain BCMSN, propagating configuration revision N+1, with a second domain labelled ce_domain; the VLAN table shown lists VLAN 1 default, 2 first-vtp-vlan, 1002 fddi-default, 1003 token-ring-default, 1004 fddinet-default, and 1005 trnet-default)

The configuration revision number is incremented every time a VLAN is added, deleted, or modified. If a switch sees an advertisement with a configuration revision number higher than the one it has stored, it overwrites its own VTP database with the advertised database. Because this is an overwrite, any VLAN that does not exist in the new database is deleted from the switch. In addition, VTP maintains its own NVRAM. A clear config all command clears the configuration NVRAM but does not clear the VTP NVRAM, which means that clearing the configuration does not clear the configuration revision number. Powering off the switch clears the VTP NVRAM and sets the configuration revision number back to 0.

Figure 2 VTP Operation

A VTP domain is made up of one or more interconnected devices that share the same VTP domain name. A switch can be configured to be in one VTP domain only. Global VLAN information is propagated across the network by way of connected switch trunk ports.

When transmitting VTP messages to other switches in the network, the VTP message is encapsulated in a trunking protocol frame such as ISL or IEEE 802.1Q. Figure [1] shows the generic encapsulation for VTP within an ISL frame. The VTP header varies depending on the type of VTP message, but four items are found in all VTP messages:

• VTP protocol version - Either Version 1 or 2
• VTP message type - Indicates one of four types
• Management domain name length - Indicates the size of the name that follows
• Management domain name - The name configured for the management domain

It is important to note that switches can be configured not to accept VTP information. These switches forward VTP information on trunk ports so that other switches receive the update, but they neither modify their own database nor send out updates indicating a change in VLAN status. This is referred to as transparent mode. By default, management domains are set to a nonsecure mode, meaning that the switches interact without using a password. Adding a password automatically sets the management domain to secure mode. The same password must be configured on every switch in the management domain to use secure mode. Detecting the addition of VLANs within the advertisements serves as a notification to the switches (servers and clients) that they should be prepared to receive traffic on their trunk ports with the newly defined VLAN IDs, emulated LAN names, or 802.10 security association identifiers (SAIDs). In Figure [2], C5000-3 transmits a VTP database entry with additions or deletions to C5000-1 and C5000-2. The configuration database carries revision number N+1. A higher configuration revision number indicates that the VLAN information being sent is more current than the stored copy. Any time a switch receives an update that has a higher configuration revision number, the switch overwrites the stored information with the new information sent in the VTP update.

3.6.3 VTP modes

Figure 1 VTP Mode Comparisons


Switches can operate in any one of the following three VTP modes:

• Server - When the switch is configured for server mode, VLANs can be created, modified, and deleted, and other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain can be specified. VTP servers advertise their VLAN configuration to other switches in the same VTP domain, and they synchronize their VLAN configuration with other switches based on advertisements received over trunk links. This is the default mode on the switch.
• Client - VTP clients advertise and synchronize their VLAN configuration in the same way as VTP servers. However, VLANs cannot be created, changed, or deleted on a VTP client.
• Transparent - VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP Version 2, transparent switches do forward the VTP advertisements they receive out their trunk ports.

3.6.4 Adding a switch to a VTP domain

Figure 1 Adding a Switch to a VTP Domain

Use caution when inserting a new switch into an existing domain. In order to prepare a switch to enter an existing VTP domain, perform the following steps:

1. Issue a clear config all or erase startup-config command to remove the existing configuration. This does not clear the VTP configuration revision number.
2. Power cycle the switch to clear the VTP nonvolatile RAM (NVRAM). This resets the configuration revision number to 0 and ensures that the new switch will not propagate incorrect information across the domain. (On Cisco IOS based switches, changing the VTP domain name or setting the switch to transparent mode also resets the revision number to 0.)
3. Determine the VTP mode of operation of the switch with the show vtp status (Cisco IOS) or show vtp domain (set command-based) command, and include the mode when setting the VTP domain information on the switch. The default for most switches is server mode. If the switch remains in server mode, verify that the configuration revision number is 0 before connecting the switch to the VTP domain.

Having several servers in the domain is generally recommended, with all other switches set to client mode, for purposes of controlling VTP information. It is also highly recommended that secure mode is used in the VTP domain. Assigning a password to the domain accomplishes this and prevents unauthorized switches from participating in the VTP domain. Use the vtp password password (Cisco IOS) or the set vtp passwd passwd (set command-based) command.

Lab Activity: In this lab activity, the student will learn how to configure a VLAN trunk between a Catalyst 4000 and a Catalyst 2900 switch.


3.6.5 VTP advertisements

Figure 1 Three Types of Messages

The three message formats, shown as 4-byte rows (the management domain name is zero-padded to 32 bytes in each):

Advert-Request: Version | Code | Rsvd | MgmtD Len; Management Domain Name (32 bytes); Start Value

Summary-Advert: Version | Code | Followers | MgmtD Len; Management Domain Name (32 bytes); Configuration Revision Number; Updater Identity; Updater Timestamp (12 bytes); MD5 Digest (16 bytes)

Subset-Advert: Version | Code | Seq-Num | MgmtD Len; Management Domain Name (32 bytes); Configuration Revision Number; VLAN-info field 1 ... VLAN-info field N

Switches only listen to advertisements that come from the same domain. Transparent switches do not listen to VTP advertisements, nor do they send out advertisements containing their information. They propagate VTP information so that other server and client switches receive the VTP advertisements.


Figure 2 VTP Summary Advertisement Format

Version | Type | Number of Subset Advertisement Messages | Domain Name Length; Management Domain Name (Padded to 32 Bytes); Configuration Revision Number; Updater Identity; Update Timestamp (12 Bytes); MD5 Digest (16 Bytes)

Figure 3 VTP Subset Advertisement Format

Version | Code | Seq-Number | Domain Name Length; Management Domain Name (Zero Padded to 32 Bytes); Configuration Revision Number; VLAN-info Field 1 . . . VLAN-info Field N

The VLAN-info field contains information for each VLAN and is formatted as follows: Info Length | Status | VLAN-Type | VLAN-name Len; ISL VLAN-id | MTU Size; 802.10 Index; VLAN-name (padded with zeros to a multiple of 4 bytes)

With VTP, each switch advertises on its trunk ports its management domain, configuration revision number, the VLANs that it knows about, and certain parameters for each known VLAN. These advertisement frames are sent to a multicast address so that all neighboring devices can receive the frames; however, the frames are not forwarded by normal bridging procedures. All devices in the same management domain learn about any new VLANs now configured in the transmitting device. A new VLAN must be created and configured on one device only in the management domain. The information is automatically learned by all the other devices in the same management domain.


Advertisements on factory-default VLANs are based on media types. User ports should not be configured as VTP trunks. Each advertisement starts at configuration revision number 0. When changes are made, the configuration revision number increments (n + 1). The revision number in the management domain continues to increment until it reaches 2,147,483,648, at which point the counter resets to zero. There are two types of advertisements:

• Requests from clients that want information at bootup

• Responses from servers

There are three types of messages:

• Advertisement requests - Clients request VLAN information, and the server responds with summary and subset advertisements. Figure [1]

• Summary advertisements - By default, server and client Catalyst switches issue summary advertisements every five minutes. They inform neighbor switches what they believe to be the current VTP revision number. Assuming the domain names match, the receiving server or client compares the configuration revision number. If the revision number in the advertisement is higher than the current revision number in the receiving switch, the receiving switch issues an advertisement request for new VLAN information. Figure [2]

• Subset advertisements - These contain detailed information about VLANs: the VTP version, the domain name and related fields, the configuration revision number, and one VLAN-info field per VLAN. Creating or deleting a VLAN, suspending or activating a VLAN, changing the name of a VLAN, and changing the maximum transmission unit (MTU) of a VLAN can trigger these advertisements. Figure [3]

Advertisements may contain some or all of the following information:

• Management domain name - Advertisements with a different name are ignored.

• Configuration revision number - The higher number indicates a more recent configuration.

• Message Digest 5 (MD5) - A 16-byte MD5 digest computed over the VLAN configuration and, when a password has been assigned to the domain, the password. The receiving switch recomputes the digest with its own password; if the digests do not match, the update is ignored. The digest only shows that the sender's configuration was built with the domain password; it does not limit which switch may send it, so among switches that share the domain name and password the revision number alone decides which configuration wins.

• Updater identity - The identity of the switch that is sending the VTP summary advertisement.
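As an added example (not part of the original course material), the following Python builds and parses summary and subset advertisements with the field widths shown in Figures 2 and 3, so the header fields listed above can be seen at their byte offsets. It assumes the on-the-wire order inside a VLAN-info field is info length, status, type, name length, ISL VLAN-id, MTU, 802.10 index, name, and that the 802.10 index defaults to 100000 + VLAN id. The domain name, VLAN names, timestamp and digest bytes in the sample are constructed for the example; the MD5 digest is carried as an opaque 16-byte field, since computing or verifying it needs the domain password.

```python
import struct

# VTP message codes (the Code byte in every advertisement header).
SUMMARY_ADVERT, SUBSET_ADVERT, ADVERT_REQUEST = 0x01, 0x02, 0x03
DOMAIN_FIELD_LEN = 32      # management domain name, zero-padded
SUMMARY_LEN = 72           # 4 + 32 + 4 + 4 + 12 + 16 bytes


def _domain_field(domain: bytes) -> bytes:
    """Zero-pad the management domain name to its fixed 32-byte field."""
    if not 1 <= len(domain) <= DOMAIN_FIELD_LEN:
        raise ValueError("domain name must be 1..32 bytes")
    return domain.ljust(DOMAIN_FIELD_LEN, b"\x00")


def build_summary(domain, revision, updater, timestamp, digest, followers=0, version=1):
    """Summary advertisement in the layout of Figure 2."""
    if len(timestamp) != 12 or len(digest) != 16:
        raise ValueError("timestamp is 12 bytes, MD5 digest is 16 bytes")
    return (struct.pack("!BBBB", version, SUMMARY_ADVERT, followers, len(domain))
            + _domain_field(domain)
            + struct.pack("!I", revision)
            + bytes(updater)            # updater identity: 4-byte IPv4 address
            + timestamp + digest)


def build_vlan_info(vlan_id, name, mtu=1500, status=0, vlan_type=1, said=None):
    """One VLAN-info field: 12-byte head, then the name zero-padded to a multiple of 4.
    The 802.10 index (SAID) defaults to 100000 + VLAN id (assumption, Cisco's default)."""
    said = 100000 + vlan_id if said is None else said
    padded = name + b"\x00" * (-len(name) % 4)
    return struct.pack("!BBBBHHI", 12 + len(padded), status, vlan_type,
                       len(name), vlan_id, mtu, said) + padded


def build_subset(domain, revision, vlans, seq=1, version=1):
    """Subset advertisement (Figure 3): header, then one VLAN-info field per VLAN."""
    body = b"".join(build_vlan_info(vid, name, mtu) for vid, name, mtu in vlans)
    return (struct.pack("!BBBB", version, SUBSET_ADVERT, seq, len(domain))
            + _domain_field(domain) + struct.pack("!I", revision) + body)


def parse_summary(frame: bytes) -> dict:
    if len(frame) != SUMMARY_LEN:
        raise ValueError(f"summary advertisement is {SUMMARY_LEN} bytes, got {len(frame)}")
    version, code, followers, dlen = struct.unpack_from("!BBBB", frame, 0)
    if code != SUMMARY_ADVERT:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    if dlen > DOMAIN_FIELD_LEN:
        raise ValueError("domain length exceeds the 32-byte field")
    (revision,) = struct.unpack_from("!I", frame, 36)
    return {
        "version": version,
        "followers": followers,                    # subset adverts that follow
        "domain": frame[4:4 + dlen].decode("ascii"),
        "revision": revision,
        "updater": ".".join(str(b) for b in frame[40:44]),
        "timestamp": frame[44:56].decode("ascii", "replace"),
        "digest": frame[56:72].hex(),
    }


def parse_subset(frame: bytes) -> dict:
    if len(frame) < 40:
        raise ValueError("subset advertisement header is 40 bytes")
    version, code, seq, dlen = struct.unpack_from("!BBBB", frame, 0)
    if code != SUBSET_ADVERT:
        raise ValueError(f"not a subset advertisement (code {code:#x})")
    (revision,) = struct.unpack_from("!I", frame, 36)
    vlans, off = [], 40
    while off < len(frame):
        if off + 12 > len(frame):
            raise ValueError("truncated VLAN-info field")
        info_len, status, vtype, nlen, vid, mtu, said = struct.unpack_from("!BBBBHHI", frame, off)
        # Length sanity: head plus padded name, 4-byte aligned, and inside the frame.
        if info_len < 12 + nlen or info_len % 4 or off + info_len > len(frame):
            raise ValueError(f"bad VLAN-info length {info_len} at offset {off}")
        vlans.append({"vlan_id": vid, "name": frame[off + 12:off + 12 + nlen].decode("ascii"),
                      "status": status, "type": vtype, "mtu": mtu, "said": said})
        off += info_len
    return {"version": version, "seq": seq, "domain": frame[4:4 + dlen].decode("ascii"),
            "revision": revision, "vlans": vlans}
```

Feeding a captured advertisement (the VTP payload after the SNAP header) to parse_summary gives the domain, revision and updater that the show vtp status output reports; the length checks in parse_subset reject a truncated or mis-padded VLAN-info field rather than reading past the frame.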


3.7 VTP Configuration 3.7.1 Basic configuration steps

Figure 1 Basic Configuration Steps

The following list outlines the basic tasks that must be considered before configuring VTP and VLANs on the network:

1. Determine the version number of VTP that will be running in the environment.
2. Decide if this switch is to be a member of an existing management domain or if a new domain should be created. If a management domain does exist, determine the name and password of the domain.
3. Choose a VTP mode for the switch.

3.7.2 Configure the VTP version

Figure 1 Configure the VTP Version

Figure 2 Configure the VTP Version


Two different versions of VTP can run in the management domain, VTP Version 1 and VTP Version 2. The two versions are not interoperable. If one switch in the management domain is configured for VTP Version 2, all switches in the management domain must be configured for VTP Version 2. VTP Version 1 is the default. It may be necessary to implement VTP Version 2 if some of the features that VTP Version 2 offers, and VTP Version 1 does not, are needed. The most common of these is Token Ring VLAN support.

To configure the VTP version on a Cisco IOS command-based switch, first enter VLAN database mode. From there, set the VTP version as shown in Figure [1]. In this example, VTP Version 2 has been configured. Use the following command to change the VTP version number on a set command-based switch, as shown in Figure [2]:

Switch (enable) set vtp v2 enable

VTP Version 2 supports the following features not supported in Version 1:

• Token Ring support - VTP Version 2 supports Token Ring LAN switching and VLANs.

• Unrecognized type/length/value (TLV) support - A VTP server or client propagates configuration changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in NVRAM.

• Version-dependent transparent mode - In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version, and forwards a message only if the version and domain name match. Because only one domain is supported in the supervisor engine software, VTP Version 2 forwards VTP messages in transparent mode without checking the version.

• Consistency checks - In VTP Version 2, VLAN consistency checks (such as VLAN names and values) are performed only when new information is entered through the command-line interface (CLI) or Simple Network Management Protocol (SNMP). Consistency checks are not performed when new information is obtained from a VTP message, or when information is read from NVRAM. If the digest on a received VTP message is correct, its information is accepted without consistency checks.

A switch that is capable of running VTP Version 2 can operate in the same domain as a switch running VTP Version 1 as long as VTP Version 2 remains disabled on the VTP Version 2-capable switch. If all switches in a domain are capable of running VTP Version 2, enable VTP Version 2 on only one switch (using the set vtp v2 enable command). The version number is propagated to the other VTP Version 2-capable switches in the VTP domain.


3.7.3 Configure the VTP domain

Switch(vlan)#vtp domain cisco
Changing VTP domain name from NULL to cisco

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp domain cisco
VTP domain cisco modified
Console> (enable)

Figure 2 Set-Based Switch

If the switch being installed is the first switch in the network, the management domain will have to be created. However, if other Catalyst switches exist, the switch will probably join an existing management domain. Verify the name of the management domain that the switch should join. If the management domain has been secured, it will be necessary to configure the password for the domain. A server or client switch whose domain name is still NULL adopts the first domain name it receives over a trunk, so set the name (and the password) before the trunk comes up rather than relying on that behavior.

To create a management domain or to add the switch to a management domain with a Cisco IOS command-based switch, use the following command:

Switch(vlan)#vtp domain name

An example is shown in Figure [1]. In this example, the domain name is set to cisco. To create a management domain or to add the switch to a management domain on a set command-based switch, use the following command:

Switch (enable) set vtp domain domain_name

An example is shown in Figure [2]. In this example, the domain name is set to cisco. The domain name can be up to 32 characters, and the password must be between 8 and 64 characters long.


3.7.4 Configure VTP mode

Switch(vlan)#vtp client
Setting device to VTP CLIENT mode.
Switch(vlan)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp mode server
VTP domain cisco modified
Console> (enable)

Figure 2 Set-Based Switch

Choose one of the three available VTP modes for this switch. Some general guidelines for choosing the mode of the switch are as follows:

• If this is the first switch in the management domain and additional switches will be added, set the mode to server. The additional switches will be able to learn VLAN information from this switch. The management domain should have at least one server.

• If there are other switches in the management domain, set the switch mode to client to prevent the new switch from accidentally propagating incorrect information to the existing network. Client mode stops the switch from creating VLANs locally, but it does not stop a higher configuration revision number from propagating: a client that joins with a higher revision than the domain still overwrites the other switches, so verify that the revision number is 0 (see 3.6.4) before connecting the trunk, whatever the mode. If the switch is supposed to become a VTP server, change its mode to server after it has learned the correct VLAN information from the network.

• If the switch is not going to share VLAN information with any other switch on the network, set the switch to transparent mode. Transparent mode allows creation, deletion, and renaming of VLANs at will without the switch propagating changes to other switches. If a large number of people are configuring devices within the network, there is a risk of overlapping VLANs: two VLANs with different meanings in the network but the same VLAN identification.

To set the mode of a Cisco IOS command-based switch, use the following command:

Switch(vlan)#vtp client | server | transparent

An example is shown in Figure [1], where the switch is configured for VTP client mode. To set the mode of a set command-based switch, use the following command:

Switch> (enable) set vtp mode server | client | transparent

An example is shown in Figure [2], where the switch is configured for VTP server mode.
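The rules in 3.6.5 (same domain name, matching digest, then a higher revision number) are what decide whether a switch's VLAN table is replaced, and the mode guidelines above only make sense once those rules are seen in action. The following Python model, added here and not part of the original course material, plays out the 3.6.4 scenario: a switch with the right domain name and password but a stale, higher revision number joins a domain, in each of the three modes, with and without the revision reset, and with a wrong password. Switch names, the domain password and the VLAN tables are constructed for the example, and config_digest is a simplified stand-in for VTP's real MD5 computation, which covers the full VLAN database and the password.

```python
import hashlib
from dataclasses import dataclass, field


def config_digest(password: str, revision: int, vlans: dict) -> bytes:
    """Stand-in for the 16-byte MD5 digest carried in the summary advertisement.
    Assumption for this model: the digest covers the VLAN table, the revision and the
    domain password, so a switch with a different password cannot produce a match."""
    material = password.encode() + revision.to_bytes(4, "big") + repr(sorted(vlans.items())).encode()
    return hashlib.md5(material).digest()


@dataclass
class Switch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self):
        """Summary advertisement as a dict; transparent switches do not advertise."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": config_digest(self.password, self.revision, self.vlans)}

    def receive(self, adv) -> str:
        """Apply the 3.6.5 rules: same domain, matching digest, higher revision."""
        if self.mode == "transparent":
            return "forwarded"                  # not consumed; relayed out the other trunks
        if adv["domain"] != self.domain:
            return "ignored: domain"
        if adv["digest"] != config_digest(self.password, adv["revision"], adv["vlans"]):
            return "ignored: digest"
        if adv["revision"] <= self.revision:
            return "ignored: revision"
        # A higher revision wins regardless of this switch's mode: clients overwrite too.
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return "overwritten"

    def create_vlan(self, vlan_id: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VLANs cannot be created on a VTP client")
        self.vlans[vlan_id] = name
        if self.mode == "server":               # transparent edits do not bump the revision
            self.revision += 1

    def reset_revision(self) -> None:
        """What the documented power cycle (or domain-name change) achieves: revision 0."""
        self.revision = 0


def join(new: Switch, domain: list) -> dict:
    """The new switch's first advertisement as seen by every existing switch."""
    adv = new.advertise()
    return {} if adv is None else {sw.name: sw.receive(adv) for sw in domain}


def production_domain() -> list:
    """Constructed domain: one server, one client, three VLANs, revision 3."""
    vlans = {1: "default", 100: "users", 200: "voice"}
    return [Switch("DL1", "server", "cisco", "s3cret", 3, dict(vlans)),
            Switch("AL1", "client", "cisco", "s3cret", 3, dict(vlans))]


def stale_switch(mode: str, password: str = "s3cret") -> Switch:
    """A switch pulled from another rack: right domain name, revision 7, default VLAN only."""
    return Switch("NEW", mode, "cisco", password, 7)
```

Running join(stale_switch("client"), production_domain()) reports "overwritten" for both existing switches and leaves them with only VLAN 1; the same switch after reset_revision() is ignored and then learns the domain's VLANs from DL1's next advertisement, a transparent switch never advertises, and a wrong password fails the digest check.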

3.7.5 Verify VTP configuration

Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 68
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x35 0x84 0x7B 0x04 0x3D 0x55 0x3B 0xDA
Configuration last modified by 0.0.0.0 at 10-5-00 20:33:41
Switch#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) show vtp domain
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
cisco                            1            2           server

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
5          1023             0               disabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
0.0.0.0         disabled disabled 2-1000
Console> (enable)

Figure 2 Set-Based Switch

Console> (enable) show vtp statistics
VTP statistics:
summary advts received        0
subset advts received         0
request advts received        0
summary advts transmitted     0
subset advts transmitted      0
request advts transmitted     0
No of config revision errors  0
No of config digest errors    0

Figure 3 Set-Based Switch

Figure [1] shows an example of the show vtp status command used to verify VTP configuration settings on a Cisco IOS command-based switch. Figure [2] is an example of the show vtp domain command used to verify VTP configuration settings on a set command-based switch. Figure [3] displays the results of the show vtp statistics command on a set command-based switch. This command shows a summary of VTP advertisement messages sent and received, as well as configuration errors detected: a rising "config digest errors" count means advertisements are arriving from a switch whose password does not match the domain's. Use this command to assist in troubleshooting VTP.

Interactive Lab Activity In this activity, the student will learn how to configure a VLAN trunk link between a Catalyst 4000 (DL1) and a Catalyst 2900 (AL1) to pass traffic for VLANs 100 and 200.


3.8 VTP Pruning 3.8.1 Default behavior of a switch

Figure 1 Flooded Traffic with VTP Pruning Disabled

Figure 2 Flooded Traffic with VTP Pruning Enabled

The default behavior of a switch is to propagate broadcast and unknown packets across the network. This behavior results in a large amount of unnecessary traffic crossing the network. VTP pruning enhances network bandwidth use by reducing unnecessary flooding of traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. By default, VTP pruning is disabled.

Figure [1] shows a switched network without VTP pruning enabled. Port 1 on Switch 1 and Port 2 on Switch 4 are assigned to the green VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every switch in the network receives this broadcast, even though Switches 3, 5, and 6 have no ports in the green VLAN. Figure [2] shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the green VLAN has been pruned on the links indicated (Port 5 on Switch 2 and Port 4 on Switch 4).
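To make the pruning decision concrete, the following Python, added here and not part of the course material, computes which VLANs are pruned on each side of each trunk (an eligible VLAN is pruned where no switch beyond that trunk has a port in it) and which switches a broadcast reaches with and without pruning. The six-switch topology and the VLAN membership are constructed for the example (they are not the page's Figure 1), and the trunk graph is assumed to be loop-free, as it would be after spanning tree has run.

```python
from collections import defaultdict

# Constructed topology for this example: a loop-free tree of trunk links.
TRUNKS = [("S1", "S2"), ("S2", "S3"), ("S2", "S4"), ("S4", "S5"), ("S4", "S6")]
GREEN, BLUE = 10, 20
# VLANs with access ports on each switch; VLAN 1 is present everywhere and never pruned.
ACCESS = {"S1": {1, GREEN}, "S2": {1}, "S3": {1, BLUE},
          "S4": {1, GREEN}, "S5": {1}, "S6": {1, BLUE}}
DEFAULT_ELIGIBLE = set(range(2, 1001))      # VLANs 2-1000 are pruning eligible by default


def adjacency(trunks):
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def behind(adj, start, blocked):
    """Switches reachable from `start` without passing through `blocked` (tree topology)."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen or n == blocked:
            continue
        seen.add(n)
        stack.extend(adj[n])
    return seen


def prune_table(trunks, access, eligible=DEFAULT_ELIGIBLE):
    """For each directed trunk (near -> far), the VLANs pruned on near's side:
    configured, pruning-eligible VLANs with no member port anywhere behind `far`."""
    adj = adjacency(trunks)
    configured = set().union(*access.values())
    table = {}
    for a, b in trunks:
        for near, far in ((a, b), (b, a)):
            needed = set().union(*(access.get(s, set()) for s in behind(adj, far, near)))
            table[(near, far)] = {v for v in configured & eligible if v not in needed}
    return table


def flood(trunks, source, vlan, pruned=None):
    """Switches that receive a broadcast from `source` in `vlan`, honouring a prune table."""
    adj = adjacency(trunks)
    seen, stack = {source}, [source]
    while stack:
        n = stack.pop()
        for m in adj[n]:
            if m in seen or (pruned is not None and vlan in pruned[(n, m)]):
                continue
            seen.add(m)
            stack.append(m)
    return seen


if __name__ == "__main__":
    table = prune_table(TRUNKS, ACCESS)
    for link, vlans in sorted(table.items()):
        print(f"{link[0]} -> {link[1]}: pruned {sorted(vlans) or 'nothing'}")
    print("green broadcast from S1, no pruning:", sorted(flood(TRUNKS, "S1", GREEN)))
    print("green broadcast from S1, pruning:   ", sorted(flood(TRUNKS, "S1", GREEN, table)))
```

With this topology a green broadcast from S1 reaches all six switches unpruned but only S1, S2 and S4 with pruning, which is the effect Figure 2 describes; VLAN 1 traffic is flooded everywhere in both cases because it is never pruning eligible.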


3.8.2 Configure VTP pruning

Switch(vlan)#vtp pruning
Pruning switched ON
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport trunk pruning vlan remove 5-10
Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp pruneeligible 2-50
Vlans 2-50 eligible for pruning on this device.
VTP domain cisco modified.
Console> (enable) clear vtp pruneeligible 2-1005
Vlans 1-1005 will not be pruned on this device.
VTP domain cisco modified.
Console> (enable)

Figure 2 Set-Based Switch

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after being enabled. By default, VLANs 2 through 1000 are pruning eligible. VTP pruning does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is always pruning ineligible, so traffic from VLAN 1 cannot be pruned. Specific VLANs can be made pruning eligible or pruning ineligible on the device.

To enable pruning on a Cisco IOS command-based switch, enter the following:

Switch(vlan)#vtp pruning

To make specific VLANs pruning ineligible on a Cisco IOS command-based switch, enter the following:

Switch(config)#interface fastethernet0/3
Switch(config-if)#switchport trunk pruning vlan remove vlan-id

Figure [1] shows an example where pruning is enabled for all VLANs except VLANs 5-10. To make specific VLANs pruning eligible on a set command-based switch, enter the following:

Console> (enable) set vtp pruneeligible vlan_range

To make specific VLANs pruning ineligible on a set command-based switch, enter the following:

Console> (enable) clear vtp pruneeligible vlan_range

Examples of each of these tasks are illustrated in Figure [2].

Lab Activity In this lab activity, the student will learn how to configure VTP pruning between a Catalyst 4000 switch and a Catalyst 2900 switch.


3.8.3 Verifying VTP pruning

Switch#show running-config
hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1,2,4,5,11-1005
 switchport trunk pruning vlan 2-4,11-1001
 switchport mode trunk
!
interface FastEthernet0/4
Switch#show interface fastethernet 0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1,2,4,5,11-1005
Trunking VLANs Active: 1,2
Pruning VLANs Enabled: 2-4,11-1001
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Switch#

Figure 1 Verify VTP Pruning

switch> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-100,250,500-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Figure 2 Verify VTP Pruning

To verify the VLANs that are either pruned or not pruned on a Cisco IOS command-based switch, use either the show running-config or the show interface interface-id switchport command. Both commands are illustrated in Figure [1]; note that "Pruning VLANs Enabled" lists eligibility, and VLANs 5-10 are absent from it because they were removed with switchport trunk pruning vlan remove. To verify the VLANs that are either pruned or not pruned on a set command-based switch, use the show trunk command. This command is illustrated in Figure [2], where the last block lists only the VLANs that are both forwarding in spanning tree and not pruned on the trunk.


Summary

After completing this chapter, the student should have a firm understanding of the following concepts:

• VLANs solve many of the issues found in Layer 2 environments. These issues include broadcast control, isolation of problem components in the network, security, and load balancing through the use of a Layer 3 protocol between VLANs.

• VLAN identification allows different VLANs to be carried on the same physical link, called a trunk link. There are two different frame identification methods: ISL and 802.1Q.

• The VLAN Trunking Protocol provides support for dynamic reporting of the addition, deletion, and renaming of VLANs across the switch fabric.

• The overwrite process means that if a server on which all VLANs have been deleted has a higher configuration revision number, the other devices in the VTP domain will also delete their VLANs.


Lab 2.1.3.1: Upgrading the 4006 Supervisor Software

Lab topology (from the diagram): a console cable from the workstation to the Supervisor console port, and an RJ-45 jumper from the Supervisor 10/100 Mgt port to the workstation at 172.16.0.2/24, which runs the TFTP server.

Objective It is possible that when the new Catalyst 4006 arrives, the Supervisor unit will not recognize the L3 module. The software image must be at least 5.5(4) to recognize the L3 module. Many early shipments came with 5.4(2) or older. This set of instructions will cover upgrading the software image. The same process will work for any future upgrades.

Scenario A WS-X4232-L3 layer three Router Switch Card has been added to an existing 4003 or 4006 chassis. After installing it, it is discovered that the Supervisor unit does not recognize the new module. A check of the configuration shows that the software image is too old to support the new module. The following steps cover the process of upgrading the software.

Step 1. To confirm the software version, use the show config command while connected to the Supervisor module via the console port or roll-over cable. Note: If the Catalyst 4006 has not been used before, getting to the privilege (or enable) mode, is the same as other Cisco devices. If passwords have not been set, just press Enter when prompted for both passwords.

Console> (enable)
Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 14:46:47
!
#version 5.4(2)                                     (shows the current version)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.5-4-2.bin   (shows the image used)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end

Switching Section 2: Configuring the Switch - Lab 2.1.3.1

The L3 module is in Module 3, slot 3 from the top, on the unit. The 'empty' shown above for module 3 confirms that the Supervisor module does not recognize the new L3 module.

Step 2. This is optional for students. The following steps show the process to download the image from the www.cisco.com site. Students: The instructor will explain where to find the appropriate image. Go to the Web site and login with the CCO account information based on the Smartnet agreement. Choose Software Center from the Service & Support section.


Choose LAN Switching Software from the Software Products & Downloads list.

Choose Catalyst 4000 from the list of Catalyst Switch Software choices.


Choose the version by clicking on the link. The newest link is near the bottom of this list.

Agree to the Software License Agreement. Choose a download site and then follow the normal download instructions. Before the image is loaded on the switch, compare the downloaded file's size and checksum with the values published for that image on the download page.

Step 3. The upgrade process uses TFTP very much like the CCNA and other CCNP exercises, with just a couple of differences unique to this model of switch. Make sure that the TFTP server is running and that the software image is in the default directory for the server. Note the IP address of the TFTP server. TFTP has no authentication or encryption, so keep the server on the directly connected jumper used here (or an isolated management segment) and stop it once the copies are done.

Cabling: Use a Cisco console cable to the Supervisor Console port to execute the commands and monitor the process. Use a straight-through RJ-45 jumper to connect the Supervisor module 10/100Mgmt port to the TFTP server's NIC. If going through a switch to get to the TFTP server, a crossover cable will be needed between the 4006 and the switch. The 10/100Mgmt interface is a standard switch port.

Configuring the me1 (10/100Mgmt) port: The me1 interface must be assigned an address in the same subnet as the TFTP server. The command to set me1 from the enable prompt is as follows:

Console> (enable) set interface me1 172.16.0.5 255.255.255.0
Interface me1 IP address and netmask set.
Console> (enable)

Note: The address fits in with the initial TFTP server. However, the address would undoubtedly be different if this were anything but a practice lab. Verify the change by using the show config command:

Console> (enable) show config
This command shows non-default configurations only.
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 14:48:43
!
#version 5.4(2)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
set interface me1 172.16.0.5 255.255.255.0 172.16.0.255   (here it is)
!
#syslog
set logging level cops 2 default
!
(rest of output omitted)

Step 4. Confirm connectivity with the TFTP server by pinging the server:

Console> (enable) ping 172.16.0.2
!!!!!
----172.16.0.2 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 14/15/17
Console> (enable)

Note: On some software versions a "172.16.0.2 is alive" message will be received instead of the typical Cisco ping output. If the ping fails, check that the TFTP server is on, that the IP addresses are correct, and that the cabling is correct. See Step 3 for cabling information. Troubleshoot as needed.

Step 5. Use the show flash command to check the contents of Flash to confirm that space is available for the new image. The new image will ultimately sit in Flash alongside the existing image or images:

Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff 548c8f9c  39cf70   17  3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin

12071928 bytes available (3526384 bytes used)
Console> (enable)

Step 6. To make sure there is a backup of the current image, start by copying the image to the TFTP server. In addition to creating a backup, this demonstrates the steps and the time required before copying the new image into the 4006. Enter the TFTP server IP address and the current image name. The image name is case sensitive and might be best handled by copying it from the show flash output and pasting it here as needed.

Console> (enable) copy flash tftp
Flash device [bootflash]?
Name of file to copy from []? cat4000.5-4-2.bin
IP address or name of remote host []? 172.16.0.2
Name of file to copy to []? cat4000.5-4-2.bin          (the file could be renamed here)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCX
File has been copied successfully.
Console> (enable)

The X shown at the end of the second row of Cs represents a spinning line that looks very much like a turnstile. It will appear on the screen until the copy is done. The file is about 4 MB, so it will take several minutes to copy.

Step 7. This is optional for students. Now proceed to the actual upgrade. Suggestion: Use Windows Explorer and select the new image name, as if it were going to be renamed, and copy it. Use this when the copy tftp command asks for the file name. Note that the default values shown at each prompt assume the copy flash tftp step was done earlier. Just press Enter at prompt one (1). Press Enter at prompts three (3) and four (4) unless the image is to be renamed.

Console> (enable) copy tftp flash
IP address or name of remote host [172.16.0.2]?
Name of file to copy from [cat4000.5-4-2.bin]? cat4000.6-2-1.bin
Flash device [bootflash]?
Name of file to copy to [cat4000.6-2-1.bin]?
7981064 bytes available on device bootflash, proceed (y/n) [n]? y
XCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
File has been copied successfully.
Console> (enable)

The X shown before the first row of Cs represents a spinning line that looks very much like a turnstile. It will appear on the screen for several minutes until the copy is done. This is exactly the opposite of the display when copying to the TFTP server.

Step 8. This is optional for students. To confirm that the copy happened, use the show flash command. Both images are now present.

Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff 548c8f9c  39cf70   17  3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
  2 .. ffffffff d39d5c46  783778   17  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)
Console> (enable)

Step 9. This is optional for students. Use the set boot system flash bootflash:image_name prepend command to tell the 4006 which image to use. It is critical that the prepend option is added to the end of the command to move this image ahead of the existing image. Both images will be listed in the configuration. If this option is omitted the machine will boot the old image. The following output starts with using the help ? feature to see the options:

Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin ?
  prepend           Put as first priority
  Module number
Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin prepend
Console> (enable)

Use the show config command to confirm that the command worked. The following shows only the relevant output lines.

Console> (enable) show config
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin
!
#mls
set mls nde disable

Step 10. This is optional for students. Reboot the device with the reset command. The configuration is automatically saved on a 4006, so a copy run start command does not need to be done first. Use the show config and show module commands to confirm that the changes have been made.

Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 15:04:09
!
#version 6.2(1)                                     (note the new version)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
set interface me1 172.16.0.5 255.255.255.0 172.16.0.255
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin   (this entry is ignored and can be removed)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 : 34-port Router Switch Card              (the L3 module now appears)
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end
Console> (enable)
Console> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X4013            no  ok
3   3    34    Router Switch Card        WS-X4232-L3         no  ok

Mod Module-Name         Serial-Num
--- ------------------- --------------------
1                       JAB044200Q9
3                       JAB044204L3

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-03-6b-a8-13-00 to 00-03-6b-a8-16-ff 1.2    5.4(1)     6.2(1)
3   00-01-96-d8-d9-ca to 00-01-96-d8-d9-eb 1.5    12.0(7)W5( 12.0(7)W5(15d)
Console> (enable)

Step 11. This is optional for students. If the old image is to be removed from the flash, use the cd bootflash: command to move to the bootflash area. The dir command can be used to see the contents. Notice that the output is a little different than that of the show flash command used earlier.

Console> cd bootflash:
Console> dir
-#- -length- -----date/time------ name
  1  3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
  2  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)

Go to privileged mode and use the delete command to remove the file. Use the dir command to confirm that the file appears to be gone.


Console> enable
Enter password:
Console> (enable) delete cat4000.5-4-2.bin
Console> (enable) dir
-#- -length- -----date/time------ name
  2  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)

Notice that the 'bytes available' and 'bytes used' have not changed. The file is actually just hidden. This is much like deleting records in a database. To see the deleted file, use the dir deleted command. To remove the file, use the squeeze bootflash: command.

Console> (enable) dir deleted
-#- ED --type-- --crc--- -seek-- nlen -length- ----date/time---- name
  1 .. ffffffff 548c8f9c  39cf70   17  3526384 -- -- ---- --:-:- cat4000.5-4-2.bin

7981192 bytes available (7616376 bytes used)
Console> (enable) squeeze bootflash:
All deleted files will be removed, proceed (y/n) [n]? y
Squeeze operation may take a while, proceed (y/n) y

This may take less than two minutes.

Console> (enable) dir
-#- -length- -----date/time------ name
  1  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

12070928 bytes available (4089736 bytes used)

The lab is now complete.


Lab 2.1.3.2: Catalyst 4000 Setup

Diagram: Workstation (10.1.1.10/24) connected by console cable to DLSwitch1, a Catalyst 4006 (10.1.1.251/24), native VLAN1.

Objective: Configure a Cisco Catalyst 4000 Ethernet switch for the first time.

Scenario: A new Catalyst 4000 Ethernet switch with a supervisor module and a 32 port layer 3 switch module has just been purchased. Configure the supervisor module so that it has a name, IP address, and basic password security using the Command Line Interface (CLI).

Lab Tasks:

Step 1. Connect the serial port to the console port of the Catalyst 4000. Notice that both the layer 3 switch module and the supervisor module have a console port. Since the supervisor module is what is being configured, plug into the supervisor module console port. Use a standard Cisco console cable kit with a roll-over cable to connect. Use the communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow control.

Step 2. Power on the 4000 switch and watch it start up. It may take several minutes for the 4000 to boot up. Notice that the 4000 switch is more verbose in its startup messages than Cisco routers.

WS-X4013 bootrom version 5.4(1), built on 2000.04.04 10:48:54
H/W Revisions: Crumb: 5 Rancor: 8 Board: 2
Supervisor MAC addresses: 00:02:4b:59:30:00 through 00:02:4b:59:33:ff (1024 addresses)
Installed memory: 64 MB
Testing LEDs.... done!


Switching Section 2: Configuring the Switch - Lab 2.1.3.2

Copyright © 2002, Cisco Systems, Inc.



Step 3. Once boot up is complete, a password prompt will be received:

IP address for Catalyst not configured
DHCP/BOOTP will commence after the ports are online
Ports are coming online ...

Cisco Systems, Inc. Console

Enter password:

Notice that because the switch has not been configured yet and does not have an IP address, the switch will try to obtain an address via DHCP. In the event that the switch does obtain an IP address from a DHCP server, CDP information from a neighboring Cisco device could always be used to determine which address it obtained. To log into the switch, just hit enter at the password prompt. The switch user exec prompt appears:

Console>

Step 4. Next, configure the switch name, user exec password, and privileged mode password. To do this, go into enable mode:

Console> enable
Console> (enable)
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

Setting the passwords requires entering a password-setting dialog. This is different from other Cisco devices, where the password is entered as part of the password command itself. The Catalyst 4000 has two passwords, just like other Cisco IOS devices. The first is a user exec password and the second is a privileged exec mode password.

DLSwitch1> (enable) set password
Enter old password: (Because there is currently no password, just hit enter)
Enter new password: cisco (Password is not displayed)
Retype new password: cisco
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is currently no password, just hit enter)
Enter new password: class (Password is not displayed)
Retype new password: class
Password changed.
DLSwitch1> (enable)


Step 5. Now type show config to view the configuration of the switch.

This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
.....
................
..
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Nov 1 2000, 10:13:54 CST
!
#version 5.4(2)
!
set password $2$CBqb$emYj5ImVlOCgbNQTg.TC31
set enablepass $2$0o8Z$gGVzWMgEwfQEZIi2F340Q.
. . .

Notice that the switch shows that only non-default commands are displayed. If all commands were displayed, the configuration would be hard to read. The show config all command is given as an option if the entire configuration needs to be displayed. Type show config all just to see how big the configuration really is.

1. What is noticed about the passwords that are stored in the configuration? Are they encrypted?

2. Was there anything special that had to be done to encrypt them?

Step 6. Next, configure the IP address on the switch so that communication with the switch can be done via the network for management purposes. Notice that there is a port on the supervisor module that is labeled ’10/100 MGT’. This is not a normal switch port, but rather an Ethernet interface that can be used to plug the management part of the switch into another network. This is sometimes referred to as ’out-of-band’ management. This port would be connected to some other Ethernet network that is not part of the normal production network. In the event that the Ethernet networks within this switch failed for some reason, communication with the switch would continue through this external Ethernet interface. This out-of-band Ethernet port is much like a NIC card that exists on the switch. The 10/100 MGT port is referred to as interface ME1 on the switch. There is also a virtual interface inside the switch. This is a virtual connection to the backplane of the switch and can be configured to be a member of any VLAN that the switch has configured. This virtual interface is called sc0.


Configure the management IP address on the sc0 virtual interface. Configuring the sc0 interface allows access to the switch management through the normal switch ports on the 4000. The ME1 10/100 MGT port will not be used.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0

Another option would be to configure which VLAN the sc0 virtual interface is a part of:

DLSwitch1> (enable) set interface sc0 1

This places the virtual management interface in VLAN 1. By default the sc0 interface is in VLAN 1, so this command is not entirely necessary. However, this command would be necessary if management was to be associated with a different VLAN.

This is a switch and not a router. Therefore, routing protocols cannot be configured on this device. To ensure that all of the networks that are part of the internetwork can be reached, configure a default router to which all traffic is sent when the path to the destination is unknown.

DLSwitch1> (enable) set ip route default 10.1.1.1

This command installs a default route that points to the 10.1.1.1 router.

Step 7. Configure the workstation so that it is part of the 10.1.1.0/24 network, which is the same network as the switch's management port. Plug the workstation into any of the Ethernet switch ports on the L3 ROUTING MODULE. By default, all of the ports in the switch are in VLAN 1. If the virtual management interface sc0 remains in VLAN 1, communication with the switch is still possible. Use the configured IP address, 10.1.1.250, to telnet to the switch. Log in using the configured password of cisco.

Step 8. Using the telnet interface, explore some of the 4000 show commands. Type show module from the user exec prompt. This command gives information about what modules are installed in this switch. Because the 4000 is a modular switch with removable blades, this display could vary. Also seen is the hardware, firmware, and software each of the modules is running. This is very useful when determining which modules need to be upgraded.

DLSwitch1> sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X4013            no  ok
2   2    34    Router Switch Card        WS-X4232-L3         no  ok

Mod Module-Name         Serial-Num
--- ------------------- --------------------
1                       JAB043402VU
2                       JAB04300JN8

Mod MAC-Address(es)                        Hw     Fw          Sw
--- -------------------------------------- ------ ----------- -----------------
1   00-03-6b-0b-7c-00 to 00-03-6b-0b-7f-ff 1.2    5.4(1)      5.5(1)
2   00-01-96-c8-e4-c6 to 00-01-96-c8-e4-e7 1.5    12.0(7)W5(  12.0(7)W5(15d)

Type show system from the user exec prompt. This command gives information about the physical operation of the switch. It tells the status of the power supplies, status of the fans, system uptime, and the percentage of current and peak traffic the switch has observed.

DLSwitch1> sh system
PS1-Status PS2-Status PS3-Status PEM Installed
---------- ---------- ---------- -------------
ok         ok         none       no

Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s Logout
---------- ---------- ---------- -------------- ---------
ok         off        ok         1,00:52:12     20 min

PS1-Type     PS2-Type     PS3-Type
------------ ------------ ------------
WS-C4008     WS-C4008     none

Modem   Baud  Traffic Peak Peak-Time
------- ----- ------- ---- -------------------------
disable 9600  0%      0%   Thu Nov 2 2000, 10:43:34

System Name              System Location          System Contact           CC
------------------------ ------------------------ ------------------------ ---

Type show port from the user exec prompt. This command gives the status of the ports that are installed on this switch. Based on what modules have been installed, this display could vary.

DLSwitch1> sh port
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 1/1                     notconnect 1          normal full   1000  No GBIC
 1/2                     notconnect 1          normal full   1000  No GBIC
 2/1                     connected  1          normal full   1000  No GBIC
 2/2                     connected  1          normal full   1000  No GBIC
 2/3                     notconnect 1          normal auto   auto  10/100BaseTX
 2/4                     notconnect 1          normal auto   auto  10/100BaseTX
 2/5                     notconnect 1          normal auto   auto  10/100BaseTX
 2/6                     notconnect 1          normal auto   auto  10/100BaseTX
 2/7                     notconnect 1          normal auto   auto  10/100BaseTX
 2/8                     notconnect 1          normal auto   auto  10/100BaseTX
 2/9                     notconnect 1          normal auto   auto  10/100BaseTX
 2/10                    notconnect 1          normal auto   auto  10/100BaseTX


Lab 2.2.3: Catalyst 2900 Setup

Diagram: Workstation (10.1.1.10/24) connected by console cable to ALSwitch, a Catalyst 2900XL (10.1.1.251/24), native VLAN1.

Objective: Configure a Cisco Catalyst 2900 Ethernet switch for the first time.

Scenario: A new Catalyst 2900 Ethernet switch has just been purchased. Configure the switch so that it has a name, IP address, and basic password security using the Command Line Interface (CLI).

Lab Tasks:

Step 1. Connect the serial port to the console port of the Catalyst 2900. The console port for the 2900 is located on the back of the switch, much like the 1900 series switches. Use a standard Cisco console cable kit with a rollover cable to connect. Use the same communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow control, 9600 bits per second.

Step 2. Power on the 2900 switch and watch it start up. It will take a little over one minute for the 2900 to boot up.

C2900XL Boot Loader (C2900-HBOOT-M) Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Compiled Mon 03-Apr-00 17:20 by swati
starting...
Base ethernet MAC Address: 00:02:b9:9a:85:80
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 108 files, 3 directories


Switching Section 2: Configuring the Switch - Lab 2.2.3

Copyright © 2002, Cisco Systems, Inc.

flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2775040
flashfs[0]: Bytes available: 837632
flashfs[0]: flashfs fsck took 6 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2900XL-c3h2s-mz-120.5XU.bin"...##########################################################
####################################################################
############################# …

Step 3. Once the boot up is complete, a prompt will ask whether to enter the System Configuration Dialog. This prompt appears because there is currently no saved configuration on this switch.

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 03-Apr-00 16:37 by swati

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Continue with configuration dialog? [yes/no]:

Configure the switch manually without the assistance of the setup dialog. The setup dialog is simpler than that of an IOS based router. After completing this lab, reconfigure the switch using the Setup Configuration Dialog. There will not be a prompt for a password. Hit enter to log directly into user exec mode.

Switch>

Step 4. Before configuring the switch, take a look at the current default running configuration prior to adding any configuration commands. Go into enable mode. Because there is no enable password set yet, there will not be a prompt for one.

Switch>enable
Switch#show running-config
Building configuration...

Current configuration:


!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface VLAN1
 no ip directed-broadcast
 no ip route-cache
!
!
line con 0
 transport input none
 stopbits 1
line vty 5 15
!
end

Notice that the configuration is much like that of an IOS based router. The interfaces on the switch are the actual ports of the switch. Also notice the lack of any routing protocol, and so on. Because this is a switch and not a router, no commands will be seen that relate to the routing of packets.

Step 5. Now configure the switch name, user exec password, and privileged exec mode password. The Catalyst 2900 uses IOS style configuration commands. These commands will look similar to those used to configure a router.


Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

Set the passwords.

ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

As in the IOS, use the copy command to save the current running configuration. Older software uses the write command. Return to privileged exec mode first.

ALSwitch#copy running-config startup-config
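The passwords just set are written to the running-config exactly as typed, because the Step 4 default configuration contains no service password-encryption. The following is an added example, not part of the Cisco lab, that parses an IOS-style configuration of this shape and reports what a reviewer of the saved config should notice; the sample configuration and the finding wording are constructed, and the checks are generic to IOS line and enable password syntax rather than specific to the 2900XL.

```python
"""Audit an IOS-style switch configuration for weak credential handling (added
example, not part of the Cisco lab; it reads the Step 5 style running-config)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: ALSwitch after Step 5, with 'no login' put on one vty range.
SAMPLE_CONFIG = """\
no service password-encryption
hostname ALSwitch
!
enable password class
!
line con 0
 password cisco
 login
 transport input none
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 no login
"""

@dataclass
class LineSection:
    name: str                          # "con 0", "vty 0 4", ...
    password: str | None = None
    password_type: str = "0"           # "0" clear text, "7" reversible
    login: bool | None = None          # True: login, False: no login, None: unstated
    transport_input: str | None = None

@dataclass
class AuditResult:
    hostname: str | None = None
    password_encryption: bool = False
    enable_mode: str | None = None     # "password", "secret" or None
    enable_type: str | None = None     # "0", "5", "7"
    lines: list[LineSection] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

def parse_config(text: str) -> AuditResult:
    """One pass; space-indented lines after 'line ...' are that line's sub-commands."""
    result = AuditResult()
    current: LineSection | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = None             # back at global configuration level
        parts = stripped.split()
        if parts[0] == "hostname" and len(parts) > 1:
            result.hostname = parts[1]
        elif stripped == "service password-encryption":
            result.password_encryption = True
        elif stripped == "no service password-encryption":
            result.password_encryption = False
        elif parts[0] == "enable" and len(parts) >= 3:
            # enable password [7] value  |  enable secret [5] value
            result.enable_mode = parts[1]
            typed = len(parts) >= 4 and parts[2].isdigit()
            result.enable_type = parts[2] if typed else ("0" if parts[1] == "password" else "5")
        elif parts[0] == "line" and len(parts) > 1:
            current = LineSection(name=" ".join(parts[1:]))
            result.lines.append(current)
        elif current is not None:
            if parts[0] == "password" and len(parts) > 1:
                typed = len(parts) >= 3 and parts[1] in ("0", "7")
                current.password_type = parts[1] if typed else "0"
                current.password = parts[2] if typed else parts[1]
            elif parts[:2] == ["no", "login"]:
                current.login = False
            elif parts[0] == "login":
                current.login = True
            elif parts[:2] == ["transport", "input"]:
                current.transport_input = " ".join(parts[2:])
    return result

def audit_config(text: str) -> AuditResult:
    """Parse, then attach the findings a reviewer of the saved config would raise."""
    r = parse_config(text)
    if not r.password_encryption:
        r.findings.append("no service password-encryption: line and enable passwords "
                          "appear in clear text in show running-config")
    if r.enable_mode == "password":
        r.findings.append(f"enable password (type {r.enable_type}) is reversible; "
                          "enable secret stores a one-way hash instead")
    for ln in r.lines:
        if ln.password and ln.login is False:
            r.findings.append(f"line {ln.name}: password set but 'no login' configured, "
                              "so the password is never checked")
        if ln.name.startswith("vty") and ln.transport_input not in ("ssh", "none"):
            r.findings.append(f"line {ln.name}: telnet accepted, so the vty password "
                              "crosses the network in clear text")
    return r

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG).findings:
        print("-", finding)
```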

Step 6. Now configure the IP address on the switch so that communication with the switch can take place via the network for management purposes. The management portion of the 2900 series switch defaults to using VLAN 1 as its network connection. When the show running-config command was done earlier, notice that interface VLAN 1 is part of the default configuration. All ports default to membership of VLAN 1. Therefore, configure the switch management to also use VLAN 1. Configure interface vlan 1 just as a router interface would be configured when assigning the switch's management IP address.

ALSwitch#config terminal
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

This immediately assigns the IP address of the switch to VLAN 1. The 2900 can be configured with multiple VLANs simultaneously. Make sure that each VLAN interface has an IP address from that VLAN. Additional VLAN interfaces can be created temporarily by using the interface vlan x command, where x is the VLAN number.

Since this is a switch and not a router, no routing protocols can be configured on this device. To be able to reach all of the networks that are part of this internetwork, a default router needs to be configured. This default router will be used to send all traffic when routing is done between VLANs.

ALSwitch(config)#ip default-gateway 10.1.1.1

This command installs a default route that points at the 10.1.1.1 router.

Step 7. Configure the workstation so that it is part of the 10.1.1.0/24 network. This network is the same network as the switch's management port.


Plug the workstation into any of the switch ports on the switch. By default, all of the ports in the switch will be in VLAN 1. Therefore, as long as the management IP address is configured on VLAN 1, communication with the switch will be possible. Use the configured IP address, 10.1.1.251, to telnet to the switch. Log in using the configured password of cisco.

Step 8. Using the telnet interface, explore some of the commands on the 2900. Notice that the 2900XL is much like other IOS devices. Use the show interfaces command to look at the switch ports. Notice that the command output is similar to that of a router.

ALSwitch#show interfaces
FastEthernet0/1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 0002.fd49.7b81 (bia 0002.fd49.7b81)
  MTU 1500 bytes, BW 0 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex , Auto Speed , 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 64 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     1 packets output, 64 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
 --More--

1. What other types of interfaces are seen besides the switch ports?

Type show version and look at the hardware/software information.


ALSwitch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 03-Apr-00 16:37 by swati
Image text-base: 0x00003000, data-base: 0x00301398

ROM: Bootstrap program is C2900XL boot loader

ALSwitch uptime is 16 minutes
System returned to ROM by power-on
System image file is "flash:c2900XL-c3h2s-mz-120.5-XU.bin"

cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID 0x0E, with hardware revision 0x01
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:02:FD:49:7B:80
Motherboard assembly number: 73-3382-08
Power supply part number: 34-0834-01
Motherboard serial number: FAB04301ANJ
Power supply serial number: PHI04150042
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C2924-XL-EN
System serial number: FAB0432S2GJ
Configuration register is 0xF

ALSwitch#

2. What type of memory is included in the Catalyst 2900 series switch, but is not listed in the show version output?


Lab 2.3.4.1: Catalyst 4000 Password Recovery

Diagram: Workstation (10.1.1.10/24) connected by console cable to DLSwitch1, a Catalyst 4006 (10.1.1.250/24), native VLAN1.

Objective: Regain control of a Cisco Catalyst 4000 Ethernet switch after all the passwords have been lost.

Scenario: With a new job at a company that used Catalyst 4000 Ethernet switches, it is found that the previous network manager did not leave any documentation containing the passwords for the switches. Perform password recovery on the Catalyst 4000. Change the user exec password to cisco and the privileged exec mode password to class.

Lab Tasks:

Step 1. First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

In the steps that follow, have a classmate set the passwords. The passwords to be used should be made up and not the standard passwords used in the labs. Make sure the classmate does not divulge the password.

DLSwitch1> (enable) set password
Enter old password: (Because there is currently no password, just hit enter)


Switching Section 2: Configuring the Switch - Lab 2.3.4.1

Copyright © 2002, Cisco Systems, Inc.

Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is currently no password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Configure the IP address of the workstation to 10.1.1.10/24.

Step 2. Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be denied. The Catalyst 4000 series of switches deals with password recovery differently from other Cisco IOS based devices. The Catalyst 4000 series switch does not require a password when logging in from the console port during the first 30 seconds after it has booted up. A password is still required during this time if trying to log in via telnet. This is a great example of why physical security of devices is so important. Anyone who can get access to the console port will have the ability to change passwords.

Step 3. Make sure there is a connection to the console port and power off the Catalyst 4000 switch. Read through the rest of this step. It will need to be completed within 30 seconds after the switch is powered back up. It is important to power off the switch. A warm reset will not allow entrance without a password, therefore, it must be a full power off. Turn on the power to the Catalyst 4000 switch by plugging in the power cords. Watch the start-up messages. When the following is seen:

Cisco Systems, Inc. Console

Enter password:

Hit enter immediately. Remember, a password is not needed to log in.

DLSwitch1>

Enter privileged mode. Again, a password will not be needed, so hit enter.

DLSwitch1> enable
DLSwitch1> (enable)

Now reset the password using the set password and set enablepass commands. When prompted for the current passwords, hit enter.


DLSwitch1> (enable) set password
Enter old password: (just hit enter)
Enter new password: ("cisco", then hit enter)
Retype new password: ("cisco", then hit enter)
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (just hit enter)
Enter new password: ("class", then hit enter)
Retype new password: ("class", then hit enter)
Password changed.

The password change is now complete. If this was done fast enough, the new passwords become part of the saved configuration. The rest of the switch's configuration is unchanged.

1. Is the Catalyst 4000 password recovery better or worse than other IOS based devices?


Lab 2.3.4.2: Catalyst 2900 Password Recovery

Diagram: Workstation (10.1.1.10/24) connected by console cable to ALSwitch, a Catalyst 2900XL (10.1.1.251/24), native VLAN1.

Objective: Regain control of a Cisco Catalyst 2900 Ethernet switch after the passwords have been lost.

Scenario: With a new job at a company that used Catalyst 2900 Ethernet switches in their IDFs, it is found that the previous network manager did not leave any documentation containing the passwords for the switches. Perform password recovery on the Catalyst 2900. Change the user exec password to cisco and the privileged exec mode password to class.

Lab Tasks:

Step 1. First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900 initial setup, configuration is complete.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

In the steps that follow, have a classmate set the passwords. The passwords to be used should be made up and not the standard passwords used in the labs. Make sure the classmate keeps the passwords to themselves.

ALSwitch(config)#enable password somethingdifferent


Switching Section 2: Configuring the Switch - Lab 2.3.4.2

Copyright © 2002, Cisco Systems, Inc.

ALSwitch(config)#line con 0
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Configure the IP address of the workstation to 10.1.1.10/24.

Step 2. Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be denied. The Catalyst 2900 series of switches deals with password recovery in a similar fashion to other IOS devices. The idea is to move the current startup configuration out of the way so that the switch loads the default configuration, which has no passwords. Once the switch is up and running, go into enable mode, move the saved startup configuration into the running configuration, modify the passwords, and then move it back into the startup configuration.

Step 3. Make sure there is a connection to the console port and power off the Catalyst 2900 switch. Hold down the 'MODE' button on the front of the Catalyst 2900 switch at the same time that the switch is powered on. Let go of the 'MODE' button a second or two after the LED light above port 1 is no longer lit. Watch the start-up message. When the following is seen:

C2900XL Boot Loader (C2900-HBOOT-M) Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Compiled Mon 03-Apr-00 17:20 by swati
starting...
Base ethernet MAC Address: 00:02:b9:9a:85:80
Xmodem file system is available.

The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:

    flash_init
    load_helper
    boot

switch:

Type flash_init and then type load_helper.

switch: flash_init
Initializing Flash...
flashfs[0]: 109 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672


flashfs[0]: Bytes used: 2776064
flashfs[0]: Bytes available: 836608
flashfs[0]: flashfs fsck took 8 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch: load_helper

This is similar to changing the configuration-register on a router to boot into rom-monitor mode. Now, list the contents of the switch's flash memory:

switch: dir flash:
Directory of flash:/
  2  -rwx     1644046   c2900XL-c3h2s-mz-120.5-XU.bin
  3  -rwx      105961   c2900XL-diag-mz-120.5-XU
  4  drwx        6784   html
111  -rwx         286   env_vars
112  -rwx         648   config.text

836608 bytes available (2776064 bytes used)

Rename the config.text file to a temporary name, such as config.old.

switch: rename flash:config.text flash:config.old

Now reboot the switch:

switch: boot

When the switch reboots, it will prompt for the Configuration Dialog to be entered. Answer no. When the switch finishes the boot up sequence, enter privileged exec mode and rename the temporary file back to the original name of the startup-config.

Switch>
Switch>enable
Switch#rename flash:config.old flash:config.text

Now copy the startup configuration (config.text) to the running-config.

Switch#copy flash:config.text system:running-config
Destination filename [running-config]? (Press Enter)
648 bytes copied in 1.206 secs (648 bytes/sec)
ALSwitch#

While in global configuration mode, the passwords can be reassigned:

ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login


Now save the changes.

ALSwitch#copy running-config startup-config

The password change is now complete.


Lab 2.3.7.1: Catalyst 4000 TFTP Configuration Files

Diagram: Workstation (10.1.1.10/24, TFTP server) connected by console cable to DLSwitch1, a Catalyst 4006 (10.1.1.250/24), native VLAN1.

Objective: Copy the current configuration to a TFTP server.

Scenario: The company uses Catalyst 4000 Ethernet switches for their backbone. A copy of the configuration file from the Catalyst 4000 switch to a TFTP server is desired for safekeeping.

Lab Tasks:

Step 1. First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:

1-1

Switching Section 2: Configuring the Switch - Lab 2.3.7.1

Copyright  2002, Cisco Systems, Inc.

Retype new password: Password changed. DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0 DLSwitch1> (enable) set interface sc0 1 Configure the IP address of the workstation to 10.1.1.10/24. Make sure the Cisco TFTP server is loaded on this workstation.

Step 2. Use the copy command to copy the configuration from the switch to the TFTP server. Type copy ? to see what other options there are.

1. What other locations can the configuration file be copied to?

Step 3. Now use the copy config tftp command to move the configuration to the TFTP server.

DLSwitch1> (enable) copy config tftp
This command uploads non-default configurations only.
Use 'copy config tftp all' to upload both default and non-default configurations.
IP address or name of remote host []? 10.1.1.10
Name of file to copy to [DLSwitch1.cfg]? (Just hit enter)
Upload configuration to tftp:DLSwitch1.cfg, (y/n) [n]? y
.......
Configuration has been copied successfully.
DLSwitch1> (enable)

Step 4. Check the configuration file that was saved to the TFTP server.

2. Is the copy a full version of the configuration, or just the nondefault commands?

3. What command would be used to save both default and nondefault commands?

Switching Section 2: Configuring the Switch - Lab 2.3.7.1

Copyright © 2002, Cisco Systems, Inc.

Lab 2.3.7.2: Catalyst 2900 TFTP Configuration Files

Topology: ALSwitch (Catalyst 2900XL, 10.1.1.251/24, native VLAN 1) connected by a console cable to a workstation (10.1.1.10/24) running the TFTP server.

Objective: Copy the current configuration to a TFTP server.

Scenario: The company uses Catalyst 2900 Ethernet switches in their IDFs. A copy of the configuration file from the Catalyst 2900 switch to a TFTP server is desired for safekeeping.

Lab Tasks:

Step 1. First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900 initial setup, configuration is complete.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Configure the IP address of the workstation to 10.1.1.10/24. Make sure the Cisco TFTP server is loaded on this workstation.

Step 2. Use the copy command to copy the configuration from the switch to the TFTP server. Type copy ? to see what other options there are.

1. What other locations can the configuration file be copied to?

Step 3. Now use the copy running-config tftp command to move the configuration to the TFTP server.

ALSwitch#copy running-config tftp
Address or name of remote host []? 10.1.1.10
Destination filename [running-config]? ALSwitch (Use the switch name)
!!
1165 bytes copied in 4.173 secs (291 bytes/sec)
ALSwitch#

Step 4. Check the configuration file that was saved to the TFTP server.

2. Is the copy a full version of the configuration, or just the nondefault commands?

Switching Section 2: Configuring the Switch - Lab 2.3.7.2

Copyright © 2002, Cisco Systems, Inc.

Lab 3.3.1.1: Catalyst 4000 Static VLANs

Topology: DLSwitch1 (Catalyst 4006, 10.1.1.250/24) with native VLAN 1 (10.1.1.0/24); Accounting VLAN 10 (10.1.10.0/24) on ports 19-24; Marketing VLAN 20 (10.1.20.0/24) on ports 25-30; Engineering VLAN 30 (10.1.30.0/24) on ports 31-34. The Test workstation uses 10.1.x.3 and the Engineering workstation uses 10.1.30.2.

Objective: Configure the Distribution Layer Catalyst 4000 Ethernet Switch to support three VLANs: Marketing, Accounting, and Engineering.

Scenario: The current hub-based network is being migrated to a Catalyst 4000 switch-based network. There are currently three hubs, one for each network. The three VLANs will need to be created on the new switch. Three ports will be assigned to each VLAN.

Design: Switch VLAN Port Assignments:

VLAN                   Port Number
VLAN 1  Default
VLAN 10 Accounting     19-24
VLAN 20 Marketing      25-30
VLAN 30 Engineering    31-34

Lab Tasks:

Step 1. First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
DLSwitch1> (enable) set password
Enter old password: (Because there is currently not a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is currently not a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2. Before the VLANs can be configured, a little understanding about the default operation of the Catalyst 4000 is needed. By default, the Catalyst 4000 is configured as a VLAN Trunking Protocol (VTP) server. More will be learned about this in later labs. Since the switch defaults to a VTP server, a VTP domain name must be assigned to the switch.

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP server domain name to 'corp', which will be used during the rest of the labs. Once this is set, configuring VLANs will be possible.

Step 3. Next assign the ports to their appropriate VLANs. Use set vlan 10 slot#/port# to assign the ports to their appropriate VLANs.

DLSwitch1> (enable) set vlan 10 2/19-24

Notice that multiple ports can be specified by indicating a range of port numbers. For example, 2/19-24 will include ports 19 through 24 on slot 2. The switch will return a confirmation of the VLAN assignment:

Vlan 10 configuration successful
VLAN 10 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
10    2/19-24

1. Why does the switch indicate that VLAN 1 was modified?

Switching Section 3: Introduction to VLANs - Lab 3.3.1.1

Copyright © 2002, Cisco Systems, Inc.

Continue with the other VLANs:

DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34

The other ports do not need to be configured as VLAN 1 because they are in VLAN 1 by default. Use the show vlan command to verify that the ports are assigned to the correct VLAN.

2. What is the maximum number of VLANs supported on a Catalyst 4000 switch?

Step 4. Now configure the Engineering workstation that will be connected to the Engineering VLAN using the IP address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the Engineering VLAN ports.

3. What ports are connected to the Engineering VLAN?

4. What command could be used to determine what ports are assigned to what VLAN?

VLANs can be named so they are easier to identify when doing show commands on the switch. These names do not affect the functionality of the VLANs.

DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

Do another show vlan command:

Console> (enable) sh vlan
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9

Step 5. Configure the Test workstation so it has an IP address of 10.1.20.3/24 and plug it into the Marketing VLAN.

5. What ports are in the Marketing VLAN?

6. Can the IP address, 10.1.30.2, of the Engineering workstation be pinged?

7. What is needed to enable pinging the Engineering workstation?

Step 6. Change the IP address of the Test workstation to 10.1.30.3/24.

8. Can the Engineering workstation be pinged now?

If the Engineering workstation still cannot be pinged after the IP address was changed, move the Test workstation to the Engineering VLAN. The ping should now be successful.


Lab 3.3.1.2: Catalyst 2900 Static VLANs

Topology: ALSwitch (Catalyst 2900XL, 10.1.1.251/24) with native VLAN 1 (10.1.1.0/24); Accounting VLAN 10 (10.1.10.0/24) on ports fa0/4-fa0/6; Marketing VLAN 20 (10.1.20.0/24) on ports fa0/7-fa0/9; Engineering VLAN 30 (10.1.30.0/24) on ports fa0/10-fa0/12. The Test workstation uses 10.1.x.3 and the Engineering workstation uses 10.1.30.2.

Objective: Configure the Access Layer Catalyst 2900 Ethernet Switch to support three VLANs: Marketing, Accounting, and Engineering.

Scenario: The current hub-based network is being migrated to a Catalyst 2900 switch-based network. There are currently three hubs, one for each network. The three VLANs will need to be created on the new switch. Three ports will be assigned to each VLAN.

Design: Switch VLAN Port Assignments:

VLAN                   Port Number
VLAN 1  Default        Fa0/1-Fa0/3
VLAN 10 Accounting     Fa0/4-Fa0/6
VLAN 20 Marketing      Fa0/7-Fa0/9
VLAN 30 Engineering    Fa0/10-Fa0/12

Lab Tasks:

Step 1. First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900 initial setup, configuration is completed.

Switch> enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 2. Next configure the VLANs. Refer to the Design section for VLAN port assignments. First set all of the ports to 'access' ports. A port on a 2900 switch can be in one of three modes: a trunk port, a multi-VLAN port, or an access port. Trunk ports and multi-VLAN ports are used when connecting a switch to another switch, or to another device that understands VLAN trunking. Because workstations will be connected to these ports, configure these ports as 'access' ports. This means that these will be single-VLAN ports with standard devices attached. By default all ports should be configured as access ports. This command is not necessary unless the ports have been set up as trunk ports.

ALSwitch(config)#interface fa0/1
ALSwitch(config-if)#switchport mode access

Repeat this step for all ports that need to be converted back to access ports.

1. What command or commands could be used to determine if a port is in access or trunk mode and needs to be converted?

Step 3. Next assign the ports to the appropriate VLANs. Use switchport access vlan n, where n is the VLAN number, to assign the ports to their appropriate VLANs.

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

By default, ports fa0/1-fa0/3 do not need to be configured as VLAN 1 because that is the default VLAN that ports are assigned to. Use the show vlan command to verify that the ports are assigned to the correct VLAN.

2. What is the maximum number of VLANs supported on a Catalyst 2900 switch?

Step 4. Now configure the Engineering workstation that will sit on the Engineering VLAN using the IP address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the Engineering VLAN ports.

3. What ports are connected to the Engineering VLAN?

4. What command could be used to determine what ports are assigned to what VLAN?

Step 5. Configure the Test Workstation so it has an IP address of 10.1.20.3/24 and plug it into the Marketing VLAN.

5. What ports are in the Marketing VLAN?

6. Can the IP address, 10.1.30.2, of the Engineering workstation be pinged?

7. What needs to be done to enable the Engineering workstation to be pinged?

Switching Section 3: Introduction to VLANs - Lab 3.3.1.2

Copyright © 2002, Cisco Systems, Inc.

Step 6. Change the IP address of the Test Workstation to 10.1.30.3/24.

8. Can the Engineering workstation be pinged now?

If the Engineering workstation still cannot be pinged after the IP address was changed, move the Test workstation to the Engineering VLAN. The ping should now be successful.


Lab 3.6.4: VLAN Trunking and VTP Domain

Topology: DLSwitch1 (Catalyst 4006, 10.1.1.250/24) and ALSwitch (Catalyst 2900XL, 10.1.1.251/24) joined by an 802.1q trunk between port 2/3 on DLSwitch1 and port 1 (fa0/1) on ALSwitch. On DLSwitch1: native VLAN 1 (10.1.1.0/24) on ports 2/4-16, Accounting VLAN 10 (10.1.10.0/24) on ports 2/19-2/24, Marketing VLAN 20 (10.1.20.0/24) on ports 2/25-2/30, Engineering VLAN 30 (10.1.30.0/24) on ports 2/31-2/34. On ALSwitch: native VLAN 1 on fa0/2-fa0/3, Accounting VLAN 10 on fa0/4-fa0/6, Marketing VLAN 20 on fa0/7-fa0/9, Engineering VLAN 30 on fa0/10-fa0/12. A workstation is attached to each switch.

Objective: Configure a VLAN trunk between a Catalyst 4000 switch and Catalyst 2900 switch.

Scenario: The network is growing. The network has outgrown the 2900 and requires more port capacity. As time goes on, the plan is to continue to add Catalyst 2900 switches in the IDFs. At this point a Catalyst 4000 is added in the MDF to tie all of these 2900s together. In order to make additions, moves, and changes easier to manage, VLANs will be configured throughout the entire network. The 4000 will be at the core of this switch configuration. The link between the 4000 and 2900 will need to be configured as a trunk line, which will extend the VLAN configuration between both switches. The Catalyst 4000 switch will act as a VLAN VTP server that will propagate VLAN information to the 2900.

Design: Switched Network VTP Configuration Information:

Switch       VTP Domain   VTP Mode
DLSwitch1    Corp         Server
ALSwitch     Corp         Client

Switch VLAN Port Assignments:

VLAN                   DLSwitch1   ALSwitch
VLAN 1  Default
VLAN 10 Accounting     19-24       4-6
VLAN 20 Marketing      25-30       7-9
VLAN 30 Engineering    31-34       10-12

Lab Tasks:

Step 1. First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup, configuration is completed.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2. Next, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900 initial setup, configuration is completed.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 3. Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will communicate information about which VLANs exist from one switch to another. If VTP did not provide this information, the VLANs on all switches would have to be created individually. By default, the Catalyst 4000 is configured as a VTP server. Because the switch defaults to a VTP server, server mode does not have to be turned on. In the event that this was shut off, use the following command:

DLSwitch1> (enable) set vtp mode server

The 4000 is to act as a VTP server to provide the VLAN information to all the other switches. Once the 4000 is set up as a VTP server, the VTP domain name needs to be specified:

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP server domain name to 'corp'. This name must match all other switches that are in this VTP domain. The Catalyst 2900XL will be configured as the VTP client. The 2900XL needs to learn the VLANs from the 4000's VTP server. This is done through the vlan database command on the 2900XL. This command enters a new type of IOS configuration mode. Notice that this mode is entered from the privileged exec prompt, and not the traditional 'config term' configuration mode.

ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#

This sets the 2900XL in client VTP mode and sets the VTP domain name to 'corp'. Once VTP is configured, VLANs can then be configured.

Step 4. Next, assign ports on the 4000 to their appropriate VLANs and set the VLAN names. Skip this step if Lab 4.3.1.1 is configured.

DLSwitch1> (enable) set vlan 10 2/19-24
DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

The other ports do not need to be configured as VLAN 1 because that is the default VLAN to which ports are assigned.


Use the show vlan command to verify that the ports are assigned to the correct VLAN.

DLSwitch1> (enable) sh vlan
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9

The 2900XL is in client VTP mode. Therefore, VLAN information should get passed on to the 2900XL from the 4000.

Step 5. Now cable up the trunk line. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3 (the first 10/100 Ethernet port) on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch is the 4000 switch.

1. What type of cable is used to connect the two switches together?

Use the appropriate cable to connect these two switches together.

Step 6. Configure each end of the trunk link as an 802.1q encapsulated trunk line. On the Catalyst 4000:

DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005

This command sets port 2/3 to a dot1q trunk line that supports VLANs 1-1005. The nonegotiate keyword tells the switch that it should not try to auto-sense what type of trunk link this is.

On the Catalyst 2900XL:

ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q

The first interface command tells the switch that this switch port is a trunk link. The second command tells the switch that this is an 802.1q trunk line.

Step 7. Now that the VLAN trunk link is configured, check to see if the VTP client (the 2900XL) has picked up the defined VLANs. The two switches may need a few moments to exchange VLAN information.


Use the show vlan command on the 2900XL to see if it has learned the new VLANs from the 4000.

ALSwitch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                                Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      0      -        -    -        0      0
1003 tr    101003     1500  -      0      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

The three VLANs that were created on the 4000 can now be seen showing up on the 2900XL. Even though the VLANs are now configured on the 2900XL, no ports have been assigned to those VLANs.
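The show vlan output is how both the static VLAN labs (3.3.1.1 and 3.3.1.2) and this step verify port membership. The following Python, an added example that is not part of the Cisco lab, parses the CatOS and IOS forms of that output and compares every port against the lab's design table, so a port that ended up in the wrong VLAN is reported rather than spotted by eye. The sample outputs are constructed in the format of the transcripts above; the design dictionaries are the lab's port tables.

```python
"""Check `show vlan` port assignments against the lab's design table.

Added example, not part of the Cisco lab. Handles both formats seen in the lab:
CatOS on the Catalyst 4000 (IfIndex column, Mod/Ports ranges such as 2/19-24)
and IOS on the 2900XL (comma lists such as Fa0/4, Fa0/5 that wrap onto lines).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Design tables from the lab: VLAN id -> ports that must be in that VLAN.
DESIGN_4000: Dict[int, Set[str]] = {
    10: {f"2/{p}" for p in range(19, 25)},
    20: {f"2/{p}" for p in range(25, 31)},
    30: {f"2/{p}" for p in range(31, 35)},
}
DESIGN_2900: Dict[int, Set[str]] = {
    10: {f"Fa0/{p}" for p in range(4, 7)},
    20: {f"Fa0/{p}" for p in range(7, 10)},
    30: {f"Fa0/{p}" for p in range(10, 13)},
}

# Constructed sample output in the format of the lab transcripts.
SHOW_VLAN_4000 = """\
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
"""
# The 2900XL after learning the VLANs over VTP but before Step 8 moves any port.
SHOW_VLAN_2900 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                                Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
"""

# Optional interface prefix, slot number and '/', then a port number or range.
_PORT_RE = re.compile(r"^(?P<prefix>[A-Za-z]*\d+/)(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def expand_ports(token: str) -> List[str]:
    """'2/19-24' -> ['2/19', ..., '2/24']; 'Fa0/4' -> ['Fa0/4']."""
    m = _PORT_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised port token: {token!r}")
    lo = int(m.group("lo"))
    hi = int(m.group("hi") or lo)
    return [f"{m.group('prefix')}{n}" for n in range(lo, hi + 1)]


def parse_show_vlan(output: str) -> Dict[str, int]:
    """Return port -> VLAN id from the first table of a `show vlan` output."""
    port_vlan: Dict[str, int] = {}
    current: Optional[int] = None
    for line in output.splitlines():
        if not line.strip():
            if current is not None:        # a blank line ends the first table
                break
            continue
        if line.startswith(("VLAN", "----")):
            continue                       # header and separator rows
        if line[0].isdigit():              # start of a VLAN row
            fields = line.split()
            current = int(fields[0])
            tokens = fields[3:]            # everything after VLAN, Name, Status
        else:
            tokens = line.split()          # continuation of the previous row
        for tok in tokens:
            tok = tok.rstrip(",")
            if tok.isdigit() or current is None:
                continue                   # CatOS IfIndex column, not a port
            for port in expand_ports(tok):
                port_vlan[port] = current
    return port_vlan


def check_design(port_vlan: Dict[str, int],
                 design: Dict[int, Set[str]]) -> Dict[str, Tuple[int, Optional[int]]]:
    """{port: (expected_vlan, actual_vlan)} for each design port outside its VLAN."""
    mismatches: Dict[str, Tuple[int, Optional[int]]] = {}
    for vlan, ports in design.items():
        for port in sorted(ports):
            actual = port_vlan.get(port)   # None if the port is absent from the output
            if actual != vlan:
                mismatches[port] = (vlan, actual)
    return mismatches
```

Run check_design(parse_show_vlan(output), design) for each switch; an empty result means every design port is in its intended VLAN, while the pre-Step-8 2900XL sample reports all nine access ports still in VLAN 1.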

Step 8. Assign ports on the 2900XL to their appropriate VLANs:

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

Step 9. On the Catalyst 2900XL, examine the output of the show vtp counters and show vtp status commands.

2. What command shows how many VTP advertisements have been transmitted and received?

3. What command shows which mode, server or client, the switch is in?

Step 10. On the Catalyst 4000, examine the output of the show vtp statistics and show vtp domain commands.

4. What command shows how many VTP advertisements have been transmitted and received?

5. What command shows which mode, server or client, the switch is in?

Step 11. Now place two workstations in the same VLAN but on different switches. Try to ping one another. This should be successful.

Switching Section 3: Introduction to VLANs - Lab 3.6.4

Copyright © 2002, Cisco Systems, Inc.

Lab 3.8.2: VTP Pruning

Topology: DLSwitch1 (Catalyst 4006, 10.1.1.250/24) and ALSwitch (Catalyst 2900XL, 10.1.1.251/24) joined by an 802.1q trunk between port 2/3 on DLSwitch1 and port 1 (fa0/1) on ALSwitch. On DLSwitch1: native VLAN 1 (10.1.1.0/24) on ports 2/4-16, Accounting VLAN 10 (10.1.10.0/24) on ports 2/19-2/24, Marketing VLAN 20 (10.1.20.0/24) on ports 2/25-2/30, Engineering VLAN 30 (10.1.30.0/24) on ports 2/31-2/34. On ALSwitch: native VLAN 1 on fa0/2-fa0/3, Accounting VLAN 10 on fa0/4-fa0/6, Marketing VLAN 20 on fa0/7-fa0/9, Engineering VLAN 30 on fa0/10-fa0/12. A workstation is attached to each switch.

Objective: Configure VTP pruning between a Catalyst 4000 switch and Catalyst 2900 switch.

Scenario: A VTP trunk line has been configured between the distribution layer switch and the access layer switch. However, there are no workstations in VLANs 10 and 20 connected to the access layer switch. There is no reason for broadcast traffic for VLANs 10 and 20 to travel over the trunk link and down to the access layer any more because there are no devices down there. VTP pruning allows VTP to intelligently determine that there are no devices in a particular VLAN at the other end of a trunk link. VTP will then temporarily prune that VLAN from the trunk. Should a device join that VLAN in the future, the VLAN will be placed back on the trunk line.

Design: Switched Network VTP Configuration Information:

Switch       VTP Domain   VTP Mode
DLSwitch1    Corp         Server
ALSwitch     Corp         Client

Switching Section 3: Introduction to VLANs - Lab 3.8.2

Copyright © 2002, Cisco Systems, Inc.

Switch VLAN Port Assignments:

VLAN                   DLSwitch1   ALSwitch
VLAN 1  Default
VLAN 10 Accounting     19-24       4-6
VLAN 20 Marketing      25-30       7-9
VLAN 30 Engineering    31-34       10-12

Lab Tasks: If this is a continuation of the VTP trunk and domain lab, skip to Step 10.

Step 1. First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2. Next, configure the 2900 switch according to the diagram. The same configuration that was used in Lab 3.2.3, Catalyst 2900 Initial Setup, can be used here. If using that configuration, then skip this step.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 3. Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will communicate information about which VLANs exist from one switch to another. If VTP did not provide this information, the VLANs on all switches would have to be created individually. By default, the Catalyst 4000 is configured as a VTP server. The switch defaults to a VTP server, so VTP server mode does not need to be enabled. In the event that this was disabled, use the following command:

DLSwitch1> (enable) set vtp mode server

The 4000 is to act as a VTP server to provide the VLAN information to the other switches. Once the 4000 is set up as a VTP server, the VTP domain name needs to be specified:

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP server domain name to 'corp'. This name must match all other switches that are in this VTP domain. The Catalyst 2900XL will be configured as the VTP client. The 2900XL is to learn the VLANs from the 4000's VTP server. This is done through the vlan database command on the 2900XL. This command enters a new type of IOS configuration mode. Notice that this mode is entered from the privileged exec prompt, and not from the typical global configuration mode.

ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#

This sets the 2900XL in client VTP mode and sets the VTP domain name to 'corp'. Once VTP is configured, the VLANs can then be configured.

Step 4. Next, assign the ports on the 4000 to their appropriate VLANs and set the VLAN names.

DLSwitch1> (enable) set vlan 10 2/19-24
DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

The other ports do not need to be configured as VLAN 1 because that is the default VLAN to which ports are assigned. Use the show vlan command to verify that the ports are assigned to the correct VLAN.

DLSwitch1> (enable) sh vlan
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9

The 2900XL is in client VTP mode. All of this VLAN information should get passed on to the 2900XL from the 4000.

Step 5. Now cable up the trunk line. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3 (the first 10/100 Ethernet port) on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch is the 4000 switch. Use the appropriate cable to connect these two switches together.

Step 6. Configure each end of the trunk link as an 802.1q encapsulated trunk line. On the Catalyst 4000:

DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005

This command sets port 2/3 to a dot1q trunk line that supports VLANs 1-1005. The nonegotiate keyword tells the switch that it should not try to auto-sense what type of trunk link this is.

On the Catalyst 2900XL:

ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q

The first interface command tells the switch that this switch port is a trunk link. The second command tells the switch that this is an 802.1q trunk line.

Step 7. Now that the VLAN trunk link is configured, check to see if the VTP client, the 2900XL, has picked up the defined VLANs. The two switches may need a few moments to exchange VLAN information. Use the show vlan command on the 2900XL to see if it has learned the new VLANs from the 4000.

ALSwitch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6,
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                                Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      0      -        -    -        0      0
1003 tr    101003     1500  -      0      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

The three VLANs that were created on the 4000 can be seen showing up on the 2900XL. Even though the VLANs are now configured on the 2900XL, no ports have been assigned to those VLANs.

Step 8. Assign ports on the 2900XL to their appropriate VLANs:

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

Step 9. From the ALSwitch, attempt to ping the DLSwitch1. This ping should be successful.

ALSwitch#ping 10.1.1.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/13/36 ms

Step 10. Make sure that there are no devices plugged into the non-trunk ports on ALSwitch. Examine the output from the show trunk command on DLSwitch1:

DLSwitch1> (enable) sh trunk
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      nonegotiate  dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/3      1-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/3      1,10,20,30

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/3      1,10,20,30

Notice that all defined VLANs 10, 20, and 30 are in spanning tree forwarding state and not pruned. However, there are no devices on ALSwitch. It would be a waste to forward broadcast traffic for VLANs 10, 20 and 30 if there are no hosts there to receive it.

Step 11. Configure VTP pruning. VTP pruning solves this problem. Pruning checks whether the switch at the other end of a trunk link has any active ports in a VLAN. If it does not, that VLAN is 'pruned' from the trunk, that is, removed from the spanning tree forwarding state, so flooded traffic for that VLAN is temporarily kept from coming down the trunk line. On DLSwitch1:

DLSwitch1> (enable) set vtp pruning enable
This command will enable the pruning function in the entire management domain.
All devices in the management domain should be pruning-capable before enabling.
Do you want to continue (y/n) [n]? y

On ALSwitch:

ALSwitch#vlan database
ALSwitch(vlan)#vtp pruning
ALSwitch(vlan)#exit

This now enables VTP pruning of the spanning-tree state table.

Step 12. Verify that pruning is in process:

DLSwitch1> (enable) sh trunk
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      nonegotiate  dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/3      1-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/3      1,10,20,30

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/3      1

Notice that now, only VLAN 1 is in a forwarding state.

1. Why is VLAN 1 there?

2. Why are all of the other VLANs not there?

Plug a workstation into a VLAN 30 port on ALSwitch.

3. Check the show trunk command again. What has changed?

Move the workstation to a port in either VLAN 10 or 20.

4. Does the spanning tree forwarding state update?

5. How long does it take?
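Steps 10 through 12 compare the "allowed and active" list against the "forwarding state and not pruned" list by eye. The following Python script is an added example (not part of the Cisco lab) that parses CatOS show trunk output, expands VLAN range notation such as 1-1005, and computes the pruned set as active minus forwarding, so the before and after states of Step 12 can be checked mechanically. The two transcripts embedded in it are constructed copies of the lab's DLSwitch1 output before and after set vtp pruning enable; the function names and the finding strings are the example's own.

```python
"""Check VTP pruning from CatOS 'show trunk' output.

Added example, not part of the Cisco lab. BEFORE_PRUNING and AFTER_PRUNING are
constructed copies of the lab's 'show trunk' output on DLSwitch1 port 2/3.
"""
import re

# Section titles as printed by 'show trunk', mapped to short keys.
SECTION_KEYS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}
PORT_LINE = re.compile(r"^\*?\s*(\d+/\d+)\s+(.+)$")  # e.g. ' 2/3      1,10,20,30'

BEFORE_PRUNING = """\
DLSwitch1> (enable) sh trunk
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      nonegotiate  dot1q          trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 2/3      1-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 2/3      1,10,20,30

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 2/3      1,10,20,30
"""
# After 'set vtp pruning enable' only the last data line changes: VLAN 1 alone forwards.
AFTER_PRUNING = BEFORE_PRUNING[: BEFORE_PRUNING.rfind(" 2/3")] + " 2/3      1\n"


def expand_vlan_list(spec):
    """Expand a CatOS VLAN list such as '1-1005' or '1,10,20,30' into a set of ints."""
    vlans = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Port"):
            # A header line names the section; the first header has no VLAN-list title.
            section = next((key for title, key in SECTION_KEYS.items() if title in stripped),
                           "summary")
            continue
        m = PORT_LINE.match(line)
        if section is None or not m or stripped.startswith(("-", "*")):
            continue  # prompt, legend and dash rows carry no data
        port, fields = m.group(1), m.group(2).split()
        entry = trunks.setdefault(port, {})
        if section == "summary":
            entry.update(mode=fields[0], encapsulation=fields[1],
                         status=fields[2], native=int(fields[3]))
        else:
            entry[section] = expand_vlan_list(fields[0])
    return trunks


def pruned_vlans(trunk):
    """VLANs active in the VTP domain that pruning has removed from this trunk."""
    return trunk["active"] - trunk["forwarding"]


def trunk_findings(port, trunk):
    """Plain-text observations a reviewer would make about one trunk."""
    findings = []
    if trunk.get("status") != "trunking":
        findings.append(f"{port}: not trunking (status {trunk.get('status')})")
    pruned = pruned_vlans(trunk)
    if pruned:
        findings.append(f"{port}: pruned VLANs {sorted(pruned)}")
    else:
        findings.append(f"{port}: nothing pruned; every active VLAN is flooded over this trunk")
    # Pruning only suppresses flooding; the allowed list is the explicit control.
    idle = trunk["allowed"] - trunk["active"]
    if idle:
        findings.append(f"{port}: allowed list admits {len(idle)} VLANs not active in the domain")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_PRUNING), ("after", AFTER_PRUNING)):
        for port, trunk in parse_show_trunk(text).items():
            print(label, trunk_findings(port, trunk))
```

On the constructed transcripts the "before" state yields an empty pruned set and the "after" state yields VLANs 10, 20 and 30, matching what Step 12 shows. The last finding is a reminder that the lab's trunk still allows 1-1005; pruning reduces flooding but is not a substitute for an explicit allowed list.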


Switching Resources

Modern Ethernet

Academy Curriculum:

This link provides information about Gigabit Ethernet in your high speed backbone.
http://ccnp.netacad.net/protdoc/curriculum/sem7sv/en/ch2/2_3_1/index.html

Cisco Documentation CD:

The following page provides background information on the many different forms of Ethernet. Visit the link for a detailed comparison of Ethernet standards, media, and performance characteristics.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm

The following link is to the Cisco documentation CD Ethernet technologies chapter. Topics are general, but include Ethernet history, topologies, comparison to the ISO Reference Model, etc.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm

This link accesses the Cisco documentation CD for the Catalyst 2950 switch. It is documentation for the CLI software configuration guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swcli.htm

This link accesses the Cisco documentation CD for the Catalyst 2900 series switch. It is documentation for the Cisco IOS CLI configuration and reference guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2900/cgcr29k/admin.htm

This link accesses the Cisco documentation CD. Information is provided for the Cisco IOS CLI for the Catalyst 2900 XL and Catalyst 3500 XL switch.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc5/scg/swcli.htm

Internet:

This link provides very detailed information about Ethernet frames over SDH/WDM.
http://grouper.ieee.org/groups/802/3/ad_hoc/etholaps/public/docs/3151r1.pdf

This article is an informative review of 10 Gigabit Ethernet connected to Wide Area Networks using SONET.
http://www.10gea.org/10GbE%20Interconnection%20with%20WAN_0302.pdf

This link provides general information on 10 Gbit Ethernet, IEEE 802.3ae.
http://www.ethermanage.com/ethernet/10gig.html

This link is a tutorial on the functional basics and physical encoding of 1000Base-T Gigabit Ethernet.
ftp://ftp.iol.unh.edu/pub/gec/training/pcs.pdf

This link provides background and technical information about Gigabit Ethernet over 4-pair, 100 ohm, Category 5 cable.
http://www.10gea.org/GEA1000BASET1197_rev-wp.pdf

This link provides information on 1 Gbps Ethernet physical encoding (8B/10B).
http://www.iol.unh.edu/training/ge/index.html

This link provides configuration guideline information about Ethernet multi-segment networks. It is chapter 13 of a book by Charles E. Spurgeon.
http://www.ethermanage.com/ethernet/ch13-ora/ch13.html

This link is a white paper from Intel that provides information on the new Ethernet. It is a discussion of new advances in Ethernet technology, and how these trends are affecting the way we work, connect, and communicate.
http://www.intel.com/network/ethernet/ethernet_r03.pdf

This link from Cisco and Intel is an informative solution for deploying Gigabit Ethernet over copper throughout the campus network. It also contains information on Cisco equipment layout throughout the enterprise.
http://www.cisco.com/offer/tdm_home/pdfs/infrastructure/lan/ciscointel_sb.pdf

Switch CLI

Academy Curriculum:

This link provides a lab activity to configure a Cisco Catalyst 2900 Ethernet switch for the first time.
http://ccnp.netacad.net/protdoc/curriculum/sem7sv/en/ch3/lab_3_2_3/index.html

This link provides a lab activity to regain control of a Cisco Catalyst 2900 Ethernet switch after the passwords have been lost or stolen.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/3_3_4/index.html

This link provides an interactive lab activity to configure basic management on the Catalyst 2900 series access switch.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/3_2_4/index.html

CCO:

This link accesses the FAQs page for Cisco Long-Reach Ethernet (LRE) technology.
http://www.cisco.com/warp/public/794/lre_faq.html

This link provides access to a white paper on the Cisco Long-Reach Ethernet (LRE) networking solution.
http://www.cisco.com/warp/public/146/news_cisco/ekits/Lre-wp.pdf

This is the CCO site. Documentation is provided on the steps necessary to upgrade the Catalyst 1900 and 2820 IOS images. While the link does not specify the specific IOS image used for the academy, it does provide a general upgrade procedure.
http://www.cisco.com/warp/customer/473/10.html#3

This Cisco white paper provides an overview of FastEthernet technology. It includes FastEthernet history, media, and operational specifications.
http://cisco.com/warp/public/cc/so/neso/lnso/lnmnso/feth_tc.htm
