
Chapter 4: WAN Technologies and Security

CCNA COURSE TEXTBOOK

CHAPTER 4: WAN TECHNOLOGIES
AND SECURITY

CONTENTS
PART 1: Managing traffic flow with Access Control Lists
I. General introduction
II. ACL operation
1. Understanding ACLs
2. How ACLs operate
3. Types of ACLs
4. Identifying ACLs
5. ACL wildcard masking
III. Configuring ACLs
1. Configuring numbered standard IPv4 ACLs
2. Configuring numbered extended IPv4 ACLs
3. Configuring named ACLs
3.1 Creating a named standard ACL
3.2 Creating a named extended ACL
4. Adding comments to named or numbered ACLs
IV. ACL verification commands
V. Other types of ACLs
1. Dynamic ACL
2. Reflexive ACL
3. Time-based ACL
VI. Notes on using wildcard masks
VII. Troubleshooting ACLs

PART 2: Scaling the network with NAT and PAT
I. Introduction to NAT and PAT
1. Translating inside source addresses
2. Static NAT mechanism
3. Dynamic NAT mechanism
4. Overloading an inside global address
II. Resolving translation table issues
III. Troubleshooting NAT

PART 3: VPN solutions
I. Introduction to VPN solutions
1. VPNs and their benefits
2. Types of VPNs
3. IPsec SSL VPN (WebVPN)
II. Introduction to IPsec

PART 4: Establishing WAN connections with PPP
I. Understanding WAN encapsulation
II. PPP authentication
1. PPP overview
2. The PPP protocol field
3. Link Control Protocol
3.1 Looped link detection
3.2 Enhanced error detection
3.3 PPP Multilink
3.4 PPP authentication
III. Configuring and verifying PPP
IV. Troubleshooting PPP authentication
1. Troubleshooting Layer 2 problems
2. Troubleshooting Layer 3 problems

PART 5: Introduction to Frame Relay technology
I. General Frame Relay network configuration
II. Frame Relay overview
1. Frame Relay standards
2. Virtual circuits
3. LMI and encapsulation types
III. Controlling speed and discards in the Frame Relay cloud
1. FECN and BECN
2. Discard Eligibility (DE bit)
IV. Configuring and verifying Frame Relay
1. Planning a Frame Relay configuration
2. A fully meshed network with one IP subnet
3. Configuring encapsulation and LMI
4. Frame Relay address mapping
4.1 Inverse ARP
4.2 Static Frame Relay mapping
V. Troubleshooting Frame Relay networks

PART 6: IPv6 overview
I. General overview
II. How IPv6 addresses are written
III. IPv6 address assignment methods
IV. IPv6 address structure
1. Unicast addresses
2. Anycast addresses
3. Multicast addresses
V. Assigning IPv6 addresses to interfaces
1. Manual interface configuration
2. Assigning addresses with EUI-64
3. Autoconfiguration
4. DHCPv6 (Stateful)
5. Using the EUI-64 format in IPv6 addresses
VI. Routing considerations with IPv6
VII. IPv6 deployment strategies
VIII. Configuring IPv6

PART 7: Illustrative labs
1. Configuring a Standard Access List
2. Configuring an Extended Access List
3. Configuring static NAT
4. Configuring NAT overload
5. Configuring PPP PAP and CHAP
6. Configuring FRAME RELAY
7. Configuring FRAME RELAY SUBINTERFACE


List of figures used in this document

PART 1: Managing traffic flow with ACLs
Figure 1-1: Controlling traffic with Access Control Lists
Figure 1-2: ACL filtering
Figure 1-3: ACLs identifying traffic
Figure 1-4: Example of an outbound ACL
Figure 1-5: ACL evaluation
Figure 1-6: Wildcard mask
Figure 1-7: Masking a range of addresses
Figure 1-8: Special cases of the wildcard mask
Figure 1-9: Standard ACL
Figure 1-10: Extended ACL
Figure 1-11: Dynamic ACL
Figure 1-12: Reflexive ACL
Figure 1-13: Time-based ACL

PART 2: Scaling the network with NAT and PAT
Figure 2-1: Network Address Translations
Figure 2-2: Port Address Translation
Figure 2-3: Translating an address with NAT
Figure 2-4: Static NAT
Figure 2-5: Dynamic NAT
Figure 2-6: Overloading an inside global address

PART 3: VPN solutions
Figure 3-1: Examples of VPN connections
Figure 3-2: Site-to-site VPN connection
Figure 3-3: Illustration of a remote-access VPN connection
Figure 3-4: Cisco Easy VPN
Figure 3-5: WebVPN
Figure 3-6: Different uses of IPsec
Figure 3-7: Data encryption
Figure 3-8: Key encryption
Figure 3-9: Establishing the key encryption process
Figure 3-10: Peer authentication

PART 4: Establishing WAN connections with PPP
Figure 4-1: WAN options
Figure 4-2: PPP and HDLC frames
Figure 4-3: Load balancing without Multilink PPP
Figure 4-4: NCP and LCP in PPP
Figure 4-5: PAP authentication
Figure 4-6: CHAP authentication

PART 5: Introduction to Frame Relay technology
Figure 5-1: Frame Relay network
Figure 5-2: Components of a Frame Relay network
Figure 5-3: The Frame Relay PVC concept
Figure 5-4: Typical Frame Relay network with three sites
Figure 5-5: Partial-mesh Frame Relay network
Figure 5-6: LAPF header
Figure 5-7: Cisco and RFC 1490/2427 encapsulation
Figure 5-8: Basic operation of FECN and BECN
Figure 5-9: Full mesh with multiple IP addresses
Figure 5-10: The Inverse ARP process
Figure 5-11: Configuration related to R1 failing to ping 10.1.2.2
Figure 5-12: Result of shutting down the link between R2 and R3

PART 6: IPv6 overview
Figure 6-1: Link-local address structure
Figure 6-2: Site-local address structure
Figure 6-3: IPX address structure
Figure 6-4: IPv4-compatible IPv6 address structure
Figure 6-5: IPv4-mapped IPv6 address structure
Figure 6-6: Global unicast address structure
Figure 6-7: Anycast address structure
Figure 6-8: Multicast address structure
Figure 6-9: LAN MAC address structure
Figure 6-10: Set of IPv6 addresses
Figure 6-11: Autoconfiguration
Figure 6-12: EUI-64 interface identifier
Figure 6-13: IPv4-to-IPv6 transition
Figure 6-14: Cisco IOS Dual Stack
Figure 6-15: Dual-stack configuration
Figure 6-16: IPv6 tunneling requirements
Figure 6-17: RIPng configuration example

List of tables used in this document

Table 1: ACL number ranges for the protocols
Table 2: Well-known port numbers and protocols
Table 3: Parameters for numbered extended ACL configuration
Table 4: Frame Relay concepts
Table 5: Frame Relay protocols
Table 6: LMI types
Table 7: PVC status values


PART 1: Managing traffic flow with ACLs

I - General introduction:

Today, with advances in science and technology, networks are the leading choice for transmitting data, so network security is a matter of real concern. One of the most important security tools on a Cisco router is the Access Control List (ACL). This feature is configured directly on the router to create a list of addresses that you permit or deny access to a given address.

Access lists come in two types, Standard Access List and Extended Access List:

Standard Access List: with this type of access list, the router checks only one factor when permitting or denying access: the source address.

Extended Access List: this type of access list is broader than the standard type. The source address, destination address, protocol and port are checked before the router permits or denies access.

You can configure standard and extended Cisco IOS ACLs on router interfaces for access control, to control which types of traffic are allowed through. These Cisco IOS features are applied to interfaces in specific directions (inbound versus outbound). This part describes the operation of the different types of ACLs and shows you how to configure IP version 4 (IPv4) ACLs.

II - ACL operation:

Understanding how access control lists (ACLs) are used lets you determine how to implement them on your Cisco network. ACLs can provide an important network security feature and filter packets into and out of router interfaces.

This section describes some applications of ACLs on Cisco networks, identifies the different types of ACLs that can be implemented, and explains how Cisco IOS software processes ACLs.


1. Understanding ACLs:

To configure and implement ACLs, you need to understand what they can be used for. Cisco devices use ACLs for two main functions: classification and filtering. Each function is explained below:

- Classification: Routers also use ACLs to identify particular traffic. After an ACL has identified and classified traffic, you can configure the router on how to handle that traffic. For example, you can use an ACL to identify the executive subnet as the traffic source and then give that traffic priority over other types of traffic on a congested WAN link.

- Filtering: As the number of router connections to outside networks grows and Internet use increases, access control presents new challenges. Network administrators face the dilemma of how to deny unwanted traffic while allowing appropriate access. For example, you can use an ACL as a filter that holds back access to sensitive finance-related customer data.

Through classification and filtering, ACLs provide a very powerful tool in Cisco IOS. Consider the network diagram in Figure 1-1. With ACLs, administrators have the tools to block traffic from the Internet, provide controlled access to manage Cisco IOS devices, and provide address translation for private addresses such as the 172.16.0.0 network.


Figure 1-1: Controlling traffic with ACLs

Filtering is the ACL function that people recognize most readily. ACLs provide an important tool for controlling traffic on the network. Packet filtering helps control packet movement through the network. Figure 1-2 shows an example of ACLs filtering traffic inbound and outbound on a physical interface, or on the Telnet session of a Cisco IOS device.

Figure 1-2: ACL filtering

Cisco provides ACLs to permit or deny the following:
- The crossing of packets to or from router interfaces and traffic through the router.
- Telnet traffic into or out of the router vty ports used to manage the router.

By default, all IP traffic is permitted into and out of all router interfaces.

When the router discards packets, some protocols return a special packet to notify the sender that the destination is unreachable. For the IP protocol, an ACL discard results in a "Destination unreachable (U.U.U)" response to a ping and an "Administratively prohibited (!A * !A)" response to a traceroute.
IP ACLs can classify and differentiate traffic. Classification lets you assign special handling to traffic that is defined in an ACL, such as the following:
- Identify the type of traffic to be encrypted across a virtual private network (VPN) connection.
- Identify the routes that are to be redistributed from one routing protocol to another.
- Use with route filtering to identify which routes are to be included in the routing updates between routers.
- Use with policy-based routing to identify the type of traffic that is to be routed across a designated link.
- Use with Network Address Translation (NAT) to identify which addresses are to be translated.
- Use with quality of service (QoS) to identify which packets should be scheduled in a given queue during times of congestion.

Figure 1-3 shows some examples of using ACLs to classify traffic, such as which traffic is encrypted across the VPN, which routes are redistributed between Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP), and which addresses are translated using NAT.

Figure 1-3: ACLs identifying traffic
2. ACL operation:

ACLs express a set of rules that control packets entering inbound interfaces, packets relayed through the router, and packets exiting outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. Instead, ACLs are statements that specify the conditions under which the router handles traffic passing through the specified interfaces.

ACLs operate in two ways:
- Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of a routing table lookup if the packet is going to be discarded after being denied by the filter tests. If the packet is permitted by the tests, it is then processed for routing.
- Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

Figure 1-4 shows an example of an outbound ACL.



When a packet enters an interface, the router checks the routing table to see whether the packet is routable. If the packet is not routable, it is dropped.

Next, the router checks whether the destination interface is grouped to an ACL. If the destination interface is not grouped to an ACL, the packet can be sent to the output buffer.

Examples of outbound ACL operation are as follows:
- If the outbound interface is S0, which has not been grouped to an outbound ACL, the packet is sent to S0 directly.
- If the outbound interface is S1, which has been grouped to an outbound ACL, the packet is not sent out on S1 until it has been tested by the combination of ACL statements associated with that interface. Based on the ACL tests, the packet is permitted or denied.

For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.

With an inbound ACL, when a packet enters an interface, the router checks whether the source interface is grouped to an ACL. If the source interface is not grouped to an ACL, the router checks the routing table to see whether the packet is routable. If the packet is not routable, the router drops the packet.

Examples of inbound ACL operation are as follows:
- If the inbound interface is S0, which has not been grouped to an inbound ACL, the packet is processed normally, and the router checks whether the packet is routable.
- If the inbound interface is S1, which has been grouped to an inbound ACL, the packet is not processed, and the routing table is not consulted, until the packet has been tested by the combination of ACL statements associated with that interface. Based on whether the ACL tests are matched, the packet is permitted or denied.

For inbound lists, "to permit" means to continue processing the packet after receiving it on an inbound interface, and "to deny" means to discard the packet.


ACL statements operate in a strictly sequential, logical order. They evaluate packets from the top down, one statement at a time. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. Figure 1-5 shows the logical flow of statement evaluation.

Figure 1-5: ACL evaluation

A final implied statement covers all packets that did not match any condition. The result of this statement for all remaining packets is "deny". Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement". Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic. The implicit deny does not show in the router configuration.

You can apply an ACL to multiple interfaces. However, only one ACL can exist per protocol, per direction, and per interface.
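
The top-down, first-match processing and the implicit deny described above, as an added example that is not part of the original textbook: a Python model of a standard ACL whose entries use the address and wildcard form covered in section 5. The class, the function names and the sample ACLs are constructed for illustration; `shadowed` reports statements that an earlier, broader statement makes unreachable.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(IPv4Address(text))


class Entry:
    """One standard-ACL statement: action, source address, wildcard mask.
    Hypothetical model written for this example, not Cisco IOS code."""

    def __init__(self, action, addr, wildcard):
        self.action = action
        self.wild = ip(wildcard)
        # Wildcard 1-bits are ignored, so clear them in the stored address.
        self.addr = ip(addr) & ~self.wild & MASK32
        self.text = f"{action} {addr} {wildcard}"

    def matches(self, src):
        """Compare only the bit positions where the wildcard has a 0."""
        return (ip(src) & ~self.wild & MASK32) == self.addr

    def covers(self, other):
        """True if every source matched by `other` is also matched by self."""
        ignores_more = (self.wild | other.wild) == self.wild
        same_fixed_bits = (other.addr & ~self.wild & MASK32) == self.addr
        return ignores_more and same_fixed_bits


def evaluate(acl, src):
    """Return (action, statement number); the number is None when no
    statement matched and the implicit deny decided the result."""
    for number, entry in enumerate(acl, start=1):
        if entry.matches(src):
            return entry.action, number  # first match wins, rest are skipped
    return "deny", None                  # implicit deny any


def shadowed(acl):
    """Return (statement, earlier statement) pairs where the later statement
    can never be reached because the earlier one matches everything it does."""
    pairs = []
    for j, later in enumerate(acl):
        for i in range(j):
            if acl[i].covers(later):
                pairs.append((j + 1, i + 1))
                break
    return pairs


# Constructed sample ACLs: the same two statements in both orders,
# plus an ACL that contains no permit statement at all.
GENERAL_FIRST = [Entry("permit", "172.16.0.0", "0.0.255.255"),
                 Entry("deny", "172.16.4.13", "0.0.0.0")]
SPECIFIC_FIRST = [GENERAL_FIRST[1], GENERAL_FIRST[0]]
DENY_ONLY = [Entry("deny", "172.16.4.13", "0.0.0.0")]

if __name__ == "__main__":
    for name, acl in (("general first", GENERAL_FIRST),
                      ("specific first", SPECIFIC_FIRST),
                      ("deny only", DENY_ONLY)):
        print(name, [e.text for e in acl])
        for src in ("172.16.4.13", "172.16.9.9", "10.0.0.1"):
            print("   ", src, evaluate(acl, src))
        print("    unreachable statements:", shadowed(acl))
```

With the general statement first, the host deny is never reached and 172.16.4.13 is permitted; an ACL with only deny statements drops every source through the implicit deny.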


3. Types of ACLs:

IPv4 ACLs come in different types. Different ACLs are used depending on the function required. The types of ACLs can be classified as follows:
- Standard ACLs: Standard IP ACLs check the source address of packets that can be routed. The result either permits or denies output for an entire protocol suite, based on the source network, subnet, or host IP address.
- Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which gives administrators more flexibility and control.

You can use two methods to identify standard and extended ACLs:
- Numbered ACLs: use a number for identification.
- Named ACLs: use a descriptive name or number for identification.

4. Identifying ACLs:

When you create numbered ACLs, you enter the ACL number as the first argument of the global ACL statement. The test conditions for an ACL vary depending on whether the number identifies a standard or an extended ACL.

You can create many ACLs for a protocol. Select a different ACL number for each new ACL within a given protocol. However, you can apply only one ACL per protocol, per direction, and per interface.

Specifying an ACL number from 1 to 99 or 1300 to 1999 instructs the router to accept statements for a standard IPv4 ACL. Specifying an ACL number from 100 to 199 or 2000 to 2699 instructs the router to accept statements for an extended IPv4 ACL.

Table 1: ACL number ranges for the protocols.

The named ACL feature lets you identify IP standard and extended ACLs with an alphanumeric string (name) instead of a numeric representation. Named IP ACLs give you more flexibility in working with ACL entries.

Access list entry sequence numbering has several benefits:

- You can edit the order of ACL statements.
- You can remove individual statements from an ACL.

Well-designed and well-implemented ACLs add an important security component to your network. Follow these general principles to ensure that the ACLs you create have the intended results:

- Based on the test conditions, choose a standard or extended, numbered or named ACL.

- Only one ACL per protocol, per direction, and per interface is allowed. Multiple ACLs are permitted per interface, but each must be for a different protocol or a different direction.

- ACLs should be organized to allow top-down processing. Organize the ACL so that the more specific references to a network or subnet appear before the more general ones. Place conditions that occur more frequently before conditions that occur less frequently.

- An ACL contains an implicit deny any at the end:
  - Unless you end the ACL with an explicit permit condition, by default the ACL denies all traffic that fails to match any of the ACL lines.
  - Every ACL should have at least one permit statement. Otherwise, all traffic is denied.

- Create the ACL before applying it to an interface.

- Depending on how you apply the ACL, the ACL filters traffic either going through the router or going to and from the router, such as traffic to or from the vty lines.

- Place extended ACLs as close as possible to the source of the traffic that you want to deny. Because standard ACLs do not specify destination addresses, you must place the standard ACL as close as possible to the destination of the traffic you want to deny, so that the source can still reach intermediary networks.

5. ACL Wildcard Masking:

Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore the corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and 0 to identify how to treat the corresponding IP address bits, as follows:
- Wildcard mask bit 0: match the corresponding bit value in the address.
- Wildcard mask bit 1: do not check (ignore) the corresponding bit value in the address.

Note: A wildcard mask is often referred to as an inverse mask.

By adjusting the wildcard mask, you can permit or deny with a single ACL statement. You can select one IP address or many IP addresses. Figure 1-6 illustrates how the corresponding address bits are checked.

Figure 1-6: Wildcard mask

Note: Wildcard masking for ACLs operates differently from an IP subnet mask. A 0 in a bit position of the ACL mask indicates that the corresponding bit in the address must match. A 1 in a bit position of the ACL mask indicates that the corresponding bit in the address does not have to match.

In Figure 1-7, an administrator wants to test a range of IP subnets that are to be permitted or denied. Assume that the IP address is a Class B address (the first two octets are the network number), with 8 bits of subnetting. (The third octet is for subnets.) The administrator wants to use IP wildcard masking bits to match subnets 172.30.16.0/24 to 172.30.31.0/24.

Figure 1-7: Masking a range of addresses.

To use one ACL statement to match this range of subnets, use the IP address 172.30.16.0 in the ACL statement, which is the first subnet to be matched, followed by the required wildcard mask.

The wildcard mask matches the first two octets (172.30) of the IP address by using corresponding 0 bits in the first two octets of the wildcard mask.

Because there is no interest in an individual host, the wildcard mask ignores the final octet by using corresponding 1 bits in the wildcard mask. For example, the final octet of the wildcard mask is 255 in decimal.

In the third octet, where the subnet address occurs, the wildcard mask of decimal 15, or binary 00001111, matches the high-order 4 bits of the IP address. In this case, the wildcard mask matches subnets starting with the 172.30.16.0/24 subnet. For the final 4 bits in this octet, the wildcard mask indicates that the bits can be ignored. In these positions, the address value can be binary 0 or binary 1. Thus, the wildcard mask matches subnets 16, 17, 18, and so on up to subnet 31. The wildcard mask does not match any other subnets.

In the example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets 172.30.16.0/24 to 172.30.31.0/24.

In some cases, you must use more than one ACL statement to match a range of subnets; for example, to match 10.1.4.0/24 to 10.1.8.0/24, use 10.1.4.0 0.0.3.255 and 10.1.8.0 0.0.0.255.

The 0 and 1 bits in an ACL wildcard mask cause the ACL to either match or ignore the corresponding bits in the IP address. Figure 1-8 shows the wildcard masks used to match a specific host or to match all hosts (any).

Figure 1-8: Special cases of the wildcard mask.

Instead of 172.30.16.29 0.0.0.0, you can use the string host 172.30.16.29.
Instead of 0.0.0.0 255.255.255.255, you can use the word any.
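
The range-to-wildcard reasoning above, as an added example that is not part of the original textbook: Python's standard `ipaddress` module splits a run of /24 subnets into aligned blocks, and each block's host mask is the ACL wildcard. The function names are hypothetical, and the over-wide entry `10.1.4.0 0.0.15.255` is constructed to show what a single oversized wildcard would let through.

```python
from ipaddress import IPv4Address, summarize_address_range


def wildcard_entries(first_subnet, last_subnet, prefix_len=24):
    """Return the (address, wildcard) pairs that together match exactly the
    subnets first_subnet..last_subnet (inclusive, each of size prefix_len)."""
    first = IPv4Address(first_subnet)
    host_bits = (1 << (32 - prefix_len)) - 1
    # Last address of the last subnet in the range.
    last = IPv4Address(int(IPv4Address(last_subnet)) | host_bits)
    # Each aligned block becomes one ACL entry; its host mask is the wildcard.
    return [(str(net.network_address), str(net.hostmask))
            for net in summarize_address_range(first, last)]


def wildcard_match(addr, base, wildcard):
    """0 bit in the wildcard: the bit must match. 1 bit: the bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def matched_third_octets(prefix, entries):
    """Third-octet values n for which host prefix.n.1 matches any entry.
    `prefix` is the first two octets, for example "172.30"."""
    return [n for n in range(256)
            if any(wildcard_match(f"{prefix}.{n}.1", base, wild)
                   for base, wild in entries)]


def render(base, wildcard):
    """Write an entry the way the text abbreviates it (host / any)."""
    if wildcard == "0.0.0.0":
        return f"host {base}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{base} {wildcard}"


# Constructed comparison: one oversized wildcard instead of two exact entries.
TOO_WIDE = [("10.1.4.0", "0.0.15.255")]

if __name__ == "__main__":
    for first, last in (("172.30.16.0", "172.30.31.0"),
                        ("10.1.4.0", "10.1.8.0")):
        entries = wildcard_entries(first, last)
        print(first, "to", last, "->", [render(b, w) for b, w in entries])
        print("   subnets matched:",
              matched_third_octets(first.rsplit(".", 2)[0], entries))
    print("too wide matches:", matched_third_octets("10.1", TOO_WIDE))
    host = wildcard_entries("172.30.16.29", "172.30.16.29", prefix_len=32)
    print(render(*host[0]), "|", render("0.0.0.0", "255.255.255.255"))
```

The single entry `10.1.4.0 0.0.15.255` matches subnets 0 through 15 rather than 4 through 8, which is why the text uses two statements for that range.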
The following summarizes the key points discussed in this section:

- ACLs can be used to filter IP packets or to identify traffic that is to be given special handling.

- ACLs are processed from the top down and can be configured for inbound or outbound traffic.

- You can create an ACL using a named or a numbered ACL. Named or numbered ACLs can be configured as standard or extended ACLs, which determines what they can filter.

- In a wildcard mask, a 0 bit means match the corresponding address bit, and a 1 bit means ignore the corresponding address bit.

III - Configuring ACLs:

Standard IPv4 ACLs, numbered 1 to 99 and 1300 to 1999 or named, filter packets based on a source address and mask, and they permit or deny the packet. Figure 1-9 shows that a standard ACL checks only the source address in the IPv4 header.

1. Configuring numbered standard IPv4 ACLs:

To configure a numbered standard IPv4 ACL on a Cisco router, you must create a standard ACL and activate it on an interface. The access-list command creates an entry in the filter list of a standard ACL.

The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed.

Note: To remove an ACL from an interface, first enter the no ip access-group number/name [in/out] command on the interface, then enter the no access-list name/number command to remove the entire ACL.

The steps required to configure a numbered standard ACL and apply it to an interface are as follows.

Step 1: Use the access-list command to create an entry in a standard ACL.
Router(config)#access-list 1 permit 172.16.0.0 0.0.255.255

Step 2: Use the interface command to select the interface to which the ACL is applied.
Router(config)#interface Ethernet 1

Step 3: Use the ip access-group command to activate the created ACL on the interface.
Router(config-if)#ip access-group 1 in

Bc ny dng kch hot mt standard ACL trn cng giao din theo chiu
vo (inbound) lc lung d liu.
2. Configuring numbered extended IPv4 ACLs:
Extended ACLs, numbered 100 to 199 and 2000 to 2699 or named, can check in more depth, using both the source and destination IP addresses. In addition, at the end of the extended ACL statement, you can specify the protocol, TCP or UDP, and the application of the packet. Figure 1-10 shows the IP header fields that can be examined with an extended ACL.

Figure 1-10: Extended ACL
To specify an application, you can configure the port number or the name of a well-known application. Table 1-2 shows an abbreviated list of some port numbers of various TCP applications.

Table 2: Well-known port numbers and protocols

To configure a numbered extended ACL on a Cisco router, first create an extended ACL and then activate it on an interface. Use the access-list command to create an entry with the filter conditions. The full syntax is as follows:
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Table 3: Parameters for configuring a numbered extended ACL
Parameter: Description
access-list-number: Identifies a number in the range 100-199 or 2000-2699.
permit | deny: Indicates whether this entry permits or denies the specified address of the packet.
protocol: IP, TCP, UDP, ICMP.
source and destination: Identify the source and destination addresses.
source-wildcard and destination-wildcard: Wildcard mask; a 0 bit indicates a position that must match, and a 1 bit indicates a "don't care" position.
operator [port | app_name]: Can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port can be the source port or the destination port, depending on where in the ACL it is configured. Instead of the port number, you can use a name such as Telnet, FTP, or SMTP.
established: Used only for inbound TCP. Permits TCP traffic to pass if the packet is a response to a session that originated from the inside. This type of traffic has the ACK bit set.
log: Sends a log message to the console.

Example of using an extended ACL with the established parameter:
In this example, the established parameter of the extended ACL permits responses to traffic that originates from the mail host, address 128.88.1.2, to return on serial 0. A match occurs if the TCP datagram has the ACK or reset (RST) bit set, indicating that the packet belongs to an existing connection. Without the established parameter, the mail host could only receive SMTP traffic but could not send it.
access-list 102 permit tcp any host 128.88.1.2 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
interface serial 0
 ip access-group 102 in
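
The following Python sketch is an added example, not code from the original page or from Cisco: it models ACL 102 above as a first-match list with an implicit deny and evaluates constructed packets against it. The Packet and Entry classes, the evaluate function and every address other than 128.88.1.2 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAIL_HOST = "128.88.1.2"          # the mail host from the page's ACL 102


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset              # TCP flags set on the segment


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    dst_host: Optional[str]       # None stands for "any"
    dport: Optional[int] = None   # "eq <port>" on the destination side
    established: bool = False     # the "established" keyword

    def matches(self, p: Packet) -> bool:
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "established" only inspects the ACK and RST bits of the segment.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


# access-list 102 permit tcp any host 128.88.1.2 established
# access-list 102 permit tcp any host 128.88.1.2 eq smtp
ACL_102 = [
    Entry("permit", dst_host=MAIL_HOST, established=True),
    Entry("permit", dst_host=MAIL_HOST, dport=25),
]


def evaluate(acl, packet):
    """Top-down, first match wins; no match means the implicit deny."""
    for line, entry in enumerate(acl, start=1):
        if entry.matches(packet):
            return entry.action, line
    return "deny", None


# Constructed sample packets arriving inbound on serial 0.
NEW_SMTP = Packet("203.0.113.5", MAIL_HOST, 40000, 25, frozenset({"SYN"}))
SMTP_REPLY = Packet("198.51.100.9", MAIL_HOST, 25, 41000, frozenset({"ACK"}))
NEW_TELNET = Packet("203.0.113.5", MAIL_HOST, 40001, 23, frozenset({"SYN"}))
# An ACK segment that belongs to no session still passes line 1, because the
# test is made on flag bits alone, not on tracked session state.
STRAY_ACK = Packet("203.0.113.5", MAIL_HOST, 40002, 23, frozenset({"ACK"}))
OTHER_HOST = Packet("203.0.113.5", "128.88.1.3", 40003, 25, frozenset({"SYN"}))

if __name__ == "__main__":
    for name in ("NEW_SMTP", "SMTP_REPLY", "NEW_TELNET", "STRAY_ACK", "OTHER_HOST"):
        print(name, evaluate(ACL_102, globals()[name]))
```

The STRAY_ACK case is the reason the page later calls reflexive ACLs a more reliable form of session filtering than the established parameter.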

3. Configuring named ACLs:
Named ACLs are a feature that lets you identify standard and extended IP ACLs with an alphanumeric string (a name) instead of the current numeric representation.
Named IP ACLs let you delete individual entries in a specific ACL. And because you can delete individual entries with named ACLs, you can modify your ACL without having to delete and then reconfigure the whole ACL.

3.1 Creating named standard IP ACLs
The steps required to configure and apply a named standard ACL on a router:
Step 1: Define a standard named ACL.
Router(config)#ip access-list standard name

Step 2: Use one of the following commands to build the test conditions.
Router(config-std-nacl)#[sequence-number] deny {source [source-wildcard] | any}
Router(config-std-nacl)#[sequence-number] permit {source [source-wildcard] | any}

Step 3: Exit named ACL configuration mode:
Router(config-std-nacl)#exit
Router(config)#

Step 4: Select the interface to which the ACL is to be applied.
Router(config)#interface Ethernet 0
Router(config-if)#

Step 5: Activate the standard ACL on the interface.
Router(config-if)#ip access-group name in

Use the show ip interface command to verify the IP ACL applied to the interface.
3.2 Creating named extended ACLs:
The steps required to configure and apply a named extended ACL on a router:

Step 1: Define an extended named ACL.
Router(config)#ip access-list extended name

Step 2: Use the following command to build the test conditions.
Router(config-ext-nacl)#[sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]

You can use the keyword any to abbreviate an address of 0.0.0.0 with a wildcard mask of 255.255.255.255 for the source address, the destination address, or both. You can use the keyword host to abbreviate a wildcard mask of 0.0.0.0 for the source or destination address. Place the host keyword in front of the address.
Step 3: Exit named ACL configuration mode:
Router(config-ext-nacl)#exit
Router(config)#

Step 4: Select the interface to which the ACL is to be applied.
Router(config)#interface Ethernet 0
Router(config-if)#

Step 5: Activate the extended ACL on the interface.
Router(config-if)#ip access-group name in

Use the show ip interface command to verify the IP ACL applied to the interface.
There are several advantages to using sequence numbers in a named ACL to add specific entries to an existing list. In the following example, a new entry is added at a specific position in an ACL.

4. Adding comments to named or numbered ACLs:
Comments, also called remarks, are statements that are not processed. They are simple descriptive statements that you can use to better understand and troubleshoot ACLs, whether named or numbered.
Each remark line is limited to 100 characters. A remark can go before or after a permit or deny statement.
To add a remark to a named IP ACL, use the remark command in ACL configuration mode. To add a remark to a numbered IP ACL, use the access-list access-list-number remark remark command.
The following is an example of adding a remark to a numbered ACL:
access-list 101 remark permit John telnet to server
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

The next example adds a remark to a named ACL:
ip access-list standard PREVENTION
 remark Do not allow Jones subnet through
 deny 172.69.0.0 0.0.255.255

The following is a summary of the key points discussed in this section:
- Standard IPv4 ACLs filter packets based on the source address.
- Extended ACLs filter packets based on the source and destination addresses, the protocol, and the port number.
- Named ACLs let you delete individual statements from an ACL.

IV - ACL verification commands:
When you finish configuring ACLs, use the show commands to verify the configuration. Use show access-lists to display the contents of all ACLs, as shown in the example. By entering the ACL name or number as an option for this command, you can display a specific ACL. To display only the contents of all IP ACLs, use the show ip access-list command.
Router#show access-lists
Standard IP access list SALES
    10 deny 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

The show ip interface command displays interface information and indicates whether any IP ACLs are set on the interface. In the show ip interface e0 output shown in the example, an IP ACL is configured on interface E0 as an inbound ACL. No outbound ACL is configured on interface E0.
V - Other types of ACLs:
Standard and extended ACLs can serve as the basis for other types of ACLs. These other ACL types include:

- Dynamic ACLs (lock-and-key).
- Reflexive ACLs.
- Time-based ACLs.
1. Dynamic ACLs (lock-and-key):
Dynamic ACLs depend on Telnet connectivity, authentication (local or remote), and extended ACLs. Lock-and-key configuration starts with the application of an extended ACL that blocks traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL. This permits traffic for a particular period; idle and absolute timeouts are possible. Figure 1-11 shows an example of a dynamic access list.

Figure 1-11: Dynamic ACL
Some common reasons to use dynamic ACLs are as follows:
- Use dynamic ACLs when you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts over the Internet. Lock-and-key authenticates the user and permits limited access through your firewall router to a host or subnet for a finite period.
- Use dynamic ACLs when you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or other security server, before it allows their hosts to access the remote hosts.
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
- Use of a challenge mechanism to authenticate individual users.
- Simplified management in large networks.
- In many cases, a reduction in the amount of router processing that is required for ACLs.
- Reduction of the opportunity for network break-ins by network hackers.
- Creation of dynamic user access through a firewall, without compromising other configured security restrictions.
The following configuration creates a login name and password for authentication. The idle timeout is 10 minutes.
Router(config)#username TEST password TEST
Router(config)#username TEST autocommand access-enable host timeout 10

The following configuration allows users to open a Telnet connection to the router to be authenticated and blocks all other traffic:
Router(config)#access-list 101 permit tcp any host 10.1.1.1 eq telnet
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip access-group 101 in

The following configuration creates the dynamic ACL that will be automatically applied to the existing access list 101. The absolute timeout is set to 15 minutes.
Router(config)#access-list 101 dynamic TESTLIST timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

The following configuration authenticates users when they open a Telnet connection to the router:
Router(config)#line vty 0 4
Router(config-line)#login local

After these configurations are done, when the user at 10.1.1.2 successfully makes a Telnet connection to 10.1.1.1, the dynamic ACL is applied. The connection is then dropped, and the user can access the 172.16.1.x network.

2. Reflexive ACLs:

Reflexive ACLs allow IP packets to be filtered based on upper-layer information such as TCP port numbers. They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate from a network inside the router. Reflexive ACLs are intended to be temporary. Their entries are created automatically when a new IP session begins, for example with an outbound packet, and the entries are removed automatically when the session ends. Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface.

Reflexive ACLs provide a more reliable form of session filtering than an extended ACL that uses the established parameter. Reflexive ACLs are much harder to spoof, because more filter criteria must match before a packet is permitted through; for example, the source and destination addresses and port numbers, not just the ACK and RST bits, are checked. Figure 1-12 illustrates how reflexive ACLs operate.

Figure 1-12: Reflexive ACL
Reflexive ACLs are an important part of securing your network against network hackers and can be included in a firewall. Reflexive ACLs provide a level of security against spoofing and certain denial of service (DoS) attacks. Reflexive ACLs are simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
The following configuration tracks traffic that was initiated from the inside:
Router(config)#ip access-list extended OUTBOUNDFILTERS
Router(config-ext-nacl)#permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Router(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect TCPTRAFFIC

The next configuration creates an inbound policy that requires the router to check incoming traffic to see whether it was initiated from the inside, and ties the reflexive ACL part of the OUTBOUNDFILTERS ACL, called TCPTRAFFIC, to the INBOUNDFILTERS ACL:
Router(config)#ip access-list extended INBOUNDFILTERS
Router(config-ext-nacl)#permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Router(config-ext-nacl)#evaluate TCPTRAFFIC

The configuration in the following example applies both the inbound and the outbound ACL to the interface.
Router(config)#interface Ethernet0/1
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip access-group INBOUNDFILTERS in
Router(config-if)#ip access-group OUTBOUNDFILTERS out

Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs or with other protocol ACLs.

3. Time-based ACLs
Time-based ACLs are similar to extended ACLs in function, but they allow access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week. The time range is identified by a name and then referenced by a function. Therefore, the time restrictions are imposed on the function itself. For example, in Figure 1-13, a user is blocked from transmitting HTTP traffic after 19:00.

Figure 1-13: Time-based ACL
Time-based ACLs have a number of advantages, such as the following:
- When provider access rates vary by time of day, it is possible to automatically reroute traffic cost effectively.
- Network administrators can control logging messages. ACL entries can log traffic at certain times of the day but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
The following configuration defines the time range in which the ACL is enforced:
Router(config)#time-range EVERYOTHERDAY
Router(config-time-range)#periodic Monday Wednesday Friday 8:00 to 17:00

The following configuration applies the time range to the ACL:
Router(config)#access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY

Apply the ACL to the interface:
Router(config)#interface Ethernet0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#ip access-group 101 in

The time range relies on the router's system clock. The router clock can be used, but this feature works best with Network Time Protocol (NTP) synchronization.
VI - Notes on using wildcard masks:
The rules are well known, and you have seen examples of how to create a wildcard mask: the 32-bit wildcard mask consists of 1s and 0s, where a 1 means ignore the bit and a 0 means check the bit.

Even so, we only want to:

1. Match a host.
2. Match an entire subnet.
3. Match a range of IP addresses.
4. Match everything.

Here is how to accomplish each of these:
1. Match a host:
Set all the wildcard mask bits to zero.
With a standard ACL:
access-list 1 permit 186.145.65.12 0.0.0.0 or
access-list 1 permit 186.145.65.12 (standard access lists assume a 0.0.0.0 mask)

With an extended ACL:
access-list 101 permit ip 186.145.65.12 0.0.0.0 any or
access-list 101 permit ip host 186.145.65.12 any

2. Match an entire subnet:
Wildcard mask = 255.255.255.255 - subnet mask
Example 1:
Given 42.64.86.0 with subnet mask 255.255.255.0
255.255.255.255 - subnet mask 255.255.255.0 = wildcard mask 0.0.0.255
access-list 1 permit 42.64.86.0 0.0.0.255
Example 2:
Given 202.22.66.99 with subnet mask 255.255.255.240
255.255.255.255 - subnet mask 255.255.255.240 = wildcard mask 0.0.0.15
access-list 1 permit 202.22.66.99 0.0.0.15
Example 3:
Given 55.66.77.0 with subnet mask 255.255.224.0
255.255.255.255 - subnet mask 255.255.224.0 = wildcard mask 0.0.31.255
access-list 1 permit 55.66.77.0 0.0.31.255
Example 4:
Given 211.95.32.128 with subnet mask 255.255.255.248
255.255.255.255 - subnet mask 255.255.255.248 = wildcard mask 0.0.0.7
access-list 1 permit 211.95.32.128 0.0.0.7
3. Match a range of IP addresses:
To find the wildcard mask, take the higher value (the end of the range) minus the lower value (the start of the range).
Example 1:
Match the range from 132.43.48.0 to 132.43.63.255
132.43.63.255 - 132.43.48.0 = wildcard mask 0.0.15.255
access-list 1 permit 132.43.48.0 0.0.15.255
Example 2:
Match the range from 132.43.16.32 to 132.43.31.63
132.43.31.63 - 132.43.16.32 = wildcard mask 0.0.15.31
access-list 1 permit 132.43.16.32 0.0.15.31
4. Match everything:
access-list 1 permit any or
access-list 1 permit 0.0.0.0 255.255.255.255
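
The following Python sketch is an added example, not part of the original page: it implements the wildcard match rule and the two subtraction recipes above, and it also reports whether the wildcard produced for a range covers exactly that range. All function names are assumptions made for illustration; the addresses are the ones used in this section.

```python
from ipaddress import IPv4Address


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def to_str(value: int) -> str:
    return str(IPv4Address(value))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def subnet_to_wildcard(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask."""
    return to_str(0xFFFFFFFF - to_int(mask))


def covered_base(base: str, wildcard: str) -> str:
    """Lowest address an entry covers: the base with ignored bits zeroed."""
    return to_str(to_int(base) & ~to_int(wildcard) & 0xFFFFFFFF)


def range_to_wildcard(low: str, high: str):
    """Octet-wise high - low, as in the page's recipe.

    Returns (wildcard, exact). exact is True only when the entry
    'low wildcard' matches every address from low to high and no other.
    """
    diff = [int(h) - int(l) for h, l in zip(high.split("."), low.split("."))]
    if any(d < 0 for d in diff):
        raise ValueError("an octet of the start exceeds the end; split the range")
    wildcard = ".".join(str(d) for d in diff)
    w, lo, hi = to_int(wildcard), to_int(low), to_int(high)
    matched = 2 ** bin(w).count("1")      # addresses the entry matches
    exact = (lo & w) == 0 and matched == hi - lo + 1
    return wildcard, exact


if __name__ == "__main__":
    # Subnet examples 1 to 4 from this section.
    for mask in ("255.255.255.0", "255.255.255.240",
                 "255.255.224.0", "255.255.255.248"):
        print(mask, "->", subnet_to_wildcard(mask))
    # Examples 2 and 3 give a base with bits set in ignored positions.
    print(covered_base("202.22.66.99", "0.0.0.15"))
    print(covered_base("55.66.77.0", "0.0.31.255"))
    # Range example 1 is a clean block; range example 2 is not.
    print(range_to_wildcard("132.43.48.0", "132.43.63.255"))
    print(range_to_wildcard("132.43.16.32", "132.43.31.63"))
    # 132.43.20.100 lies inside the range of example 2 but is not matched,
    # because 0.0.15.31 selects third octet 16-31 AND fourth octet 32-63.
    print(wildcard_match("132.43.20.100", "132.43.16.32", "0.0.15.31"))
```

When exact is False, check the entry with wildcard_match against addresses at the edges of the intended range before relying on it in a permit or deny statement.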




VII - Troubleshooting ACLs: host connectivity

Ticket 1. Host 10.1.1.1 cannot communicate with 10.100.100.1. The following output shows the ACL configuration information used to find the cause of the problem:

The reason host 10.1.1.1 cannot communicate with 10.100.100.1 is the ordering of rule 10. Because the router processes ACLs top-down, rule 10 denies host 10.1.1.1, and rule 20 is never processed. The solution to this problem is to swap the order of rules 10 and 20.
Ticket 2. The 192.168.1.0 network cannot use TFTP to connect to 10.100.100.1. The following output shows the ACL configuration information used to find the cause of the problem:

The reason the 192.168.1.0 network cannot use TFTP with 10.100.100.1 is that TFTP uses UDP. Rule 30 in the ACL permits all TCP traffic, and because TFTP uses UDP, it is implicitly denied. The solution to this problem is to modify rule 30 (possibly to permit ip any any).
Ticket 3. The 172.16.0.0 network can use Telnet to connect to 10.100.100.1, but this connection should not be allowed. The following output shows the ACL configuration information used to find the cause of the problem:

The cause is that the Telnet port in rule 10 is in the wrong position. Rule 10 currently denies any source with a port of telnet that tries to establish a connection to any IP address. If you want to deny Telnet inbound on S0, the solution is to deny the destination port telnet (deny tcp any any eq telnet).
Ticket 4. Host 10.1.1.1 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed. The following output shows the ACL configuration information used to find the cause of the problem:

The main cause of the problem is that no rule denies host 10.1.1.1 or its network as the source address. Rule 10 denies the router interface through which the traffic leaves. But as these packets leave the router, they have a source address of 10.1.1.1 and not the address of the router's physical interface. The solution is to modify rule 10 so that the 10.1.0.0 subnet is denied instead of the address 10.160.22.11.
Ticket 5. Host 10.100.100.1 can use Telnet to connect to 10.1.1.1, but this connection should not be allowed. The following output shows the ACL configuration information used to find the cause of the problem:

ACL 150 is applied on interface S0 in the inbound direction.
The main cause of the problem is the wrong direction of ACL 150. Rule 10 denies the source address 10.100.100.1, but that address is the source only if the traffic is going out on S0, not coming in. The solution is to change the direction in which the ACL is applied on the interface.
Ticket 6. Host 10.1.1.1 can use Telnet to connect to RouterX, but this connection should not be allowed. The following output shows the ACL configuration information used to find the cause of the problem:

The main cause of the problem is that using Telnet to connect into the router is entirely different from using Telnet to connect through the router to another device. Rule 10 denies Telnet to the address assigned to the S0 interface of Router B. Host 10.1.1.1 can still use Telnet to connect into Router B by using the addresses of other interfaces, such as E0. When you want to block Telnet traffic into or out of a router, use access-class applied to the vty lines.
General summary:
Standard and extended Cisco IOS ACLs are used to classify IP packets. The many features of ACLs include security, encryption, policy-based routing, and quality of service (QoS). These features are applied on router and switch interfaces for specific directions (inbound versus outbound).

Numbered ACLs identify the type of ACL that is being created: standard or extended. They also allow administrators more flexibility when they are modifying ACL entries.

The following list summarizes the key points discussed in this chapter:

- ACLs can be used to filter IP packets or to identify traffic for special handling.

- ACLs are processed top-down and can be configured for incoming or outgoing traffic.

- In a wildcard mask, 0 means match the corresponding address bit, and 1 means ignore the corresponding address bit.

- Standard IPv4 ACLs allow filtering based on the source address.

- Extended IPv4 ACLs allow filtering based on the source and destination addresses, as well as the protocol and port number.

- The show access-lists and show ip interface commands are useful for troubleshooting ACL configuration.

PART 2: Scaling the network with NAT and PAT

Two Internet scalability challenges are the depletion of the IP version 4 (IPv4) address space and scaling in routing. Cisco IOS Network Address Translation (NAT) and Port Address Translation (PAT) are mechanisms for conserving registered IPv4 addresses in large networks and simplifying IPv4 address management tasks. NAT and PAT translate IPv4 addresses within private internal networks to legal IPv4 addresses for transport over public external networks, such as the Internet, without requiring a registered subnet address. Incoming traffic is translated back into the addresses allocated inside.
This translation of IPv4 addresses eliminates the need for host renumbering and allows the same IPv4 address range to be used in multiple internal networks. This section describes the features provided by NAT and PAT and shows you how to configure NAT and PAT on Cisco routers.

I - Introduction to NAT and PAT:

NAT operates on a Cisco router and is designed for IPv4 address simplification and conservation. NAT enables private IPv4 networks that use nonregistered IPv4 addresses to connect to the Internet. Usually, NAT connects two networks and translates the private (inside local) addresses in the internal network into public (inside global) addresses before packets are forwarded to another network. As part of this functionality, you can configure NAT to advertise only one address for the entire network to the outside world. Advertising only one address effectively hides the internal network from the outside world, providing additional security for the internal network. Figure 2-1 shows an example of address translation between a private and a public network.

Figure 2-1: Network Address Translations

Any device that sits between an internal network and the public network, such as a firewall, a router, or a computer, uses NAT, which is defined in RFC 1631.

In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network refers to all other addresses. Usually these are valid addresses located on the Internet.

Cisco defines the following NAT terms:

- Inside local address: The IPv4 address that is assigned to a host on the inside network. The inside local address is likely not an IPv4 address assigned by the Network Information Center or service provider.

- Inside global address: A legitimate IPv4 address assigned by the NIC or service provider that represents one or more inside local IPv4 addresses to the outside world.

- Outside local address: The IPv4 address of an outside host as it appears to the inside network. Not necessarily legitimate, the outside local address is allocated from an address space that is routable on the inside.

- Outside global address: The IPv4 address that is assigned to a host on the outside network by the host owner. The outside global address is allocated from a globally routable address or network space.

NAT has many forms and can work in the following ways:

- Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to one). Static NAT is particularly useful when a device must be accessible from outside the network.

- Dynamic NAT: Maps an unregistered IPv4 address to a registered IPv4 address from a group of registered IPv4 addresses.

- NAT overloading: Maps multiple unregistered IPv4 addresses to a single registered IPv4 address (many to one) by using different ports. Overloading is also known as PAT and is a form of dynamic NAT.

NAT provides these benefits over using public addressing:

- Eliminates the need to readdress all hosts that require external access, saving time and money.

- Conserves addresses through application port-level multiplexing. With NAT, internal hosts can share a single registered IPv4 address for all external communications. In this type of configuration, relatively few external addresses are required to support many internal hosts, thus conserving IPv4 addresses.

- Protects network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when they gain controlled external access in conjunction with NAT.

One of the main features of NAT is PAT, which is also referred to as "overload" in Cisco IOS configuration. PAT allows you to translate multiple internal addresses into a single external address, essentially allowing the internal addresses to share one external address. Figure 2-2 shows an example of port address translation. The following list highlights the operations of PAT:

Figure 2-2: Port Address Translation

- PAT uses unique source port numbers on the inside global IPv4 address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of internal sessions that NAT can translate into one external address is, theoretically, as many as 65,536.

- PAT attempts to preserve the original source port. If the source port is already allocated, PAT attempts to find the first available port number. It starts from the beginning of the appropriate port group, 0 to 511, 512 to 1023, or 1024 to 65535. If PAT does not find an available port from the appropriate port group and if more than one external IPv4 address is configured, PAT moves to the next IPv4 address and tries to allocate the original source port again. PAT continues trying to allocate the original source port until it runs out of available ports and external IPv4 addresses.

1. Translating inside source addresses:

You can translate your own IPv4 addresses into globally unique IPv4 addresses when you are communicating outside your network. You can configure static or dynamic inside source translation.

Figure 2-3 illustrates a router that is translating a source address inside a network into a source address outside the network.

Figure 2-3: Translating an address with NAT.

The steps for translating an inside source address are as follows:

Step 1: The user at host 1.1.1.1 opens a connection to host B.

Step 2: The first packet that the router receives from host 1.1.1.1 causes the router to check its NAT table.

If a static translation entry was configured, the router goes to Step 3. If no translation entry exists, the router determines that the source address 1.1.1.1 (SA 1.1.1.1) must be translated dynamically. The router then selects a legal, global address from the dynamic address pool and creates a translation entry (in the example, 2.2.2.2). This type of entry is called a simple entry.

Step 3: The router replaces the inside local source address of host 1.1.1.1 with the global address of the translation entry and forwards the packet.

Step 4: Host B receives the packet and responds to host 1.1.1.1 by using the inside global IPv4 destination address 2.2.2.2 (DA 2.2.2.2).

Step 5: When the router receives the packet with the inside global IPv4 address, the router performs a NAT table lookup by using the inside global address as a key. The router then translates the address back to the inside local address of host 1.1.1.1 and forwards the packet to host 1.1.1.1. Host 1.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.

The following table shows the order in which a router examines traffic, depending on the direction of the translation.

Local to global:
1. Check the input access list if using IPsec.
2. Perform decryption, for encryption technology or IPsec.
3. Check the inbound access list.
4. Check the input rate limits.
5. Perform input accounting.
6. Perform policy routing.
7. Route the packet.
8. Redirect to web cache.
9. Perform inside-to-outside NAT (local to global).
10. Check the crypto map and mark for encryption if appropriate.
11. Check the outbound access list.

Global to local:
1. Check the input access list if using IPsec.
2. Perform decryption, for encryption technology or IPsec.
3. Check the inbound access list.
4. Check the input rate limits.
5. Perform input accounting.
6. Perform outside-to-inside NAT (global to local address translation).
7. Perform policy routing.
8. Route the packet.
9. Redirect to web cache.
10. Check the crypto map and mark for encryption if appropriate.
11. Check the outbound access list.
12. Inspect CBAC.
13. TCP intercept.
14. Perform encryption.
15. Perform queuing.

IPsec = IP security
CBAC = Context-Based Access Control

To configure static inside source address translation on a router, follow these steps:

Step 1: Establish static translation between an inside local address and an inside global address.

Router(config)#ip nat inside source static local-ip global-ip

Use the no ip nat inside source static command to remove the configuration above.

Step 2: Specify and mark the inside interface.

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 3: Specify and mark the outside interface.

Router(config)#interface type number
Router(config-if)#ip nat outside

Use the show ip nat translations command in EXEC mode to display translation information, as shown here:


2. Static NAT mechanism:

This example shows the use of discrete address mapping with static NAT for the network shown in Figure 2-4. The router translates packets from host 10.1.1.2 to a source address of 192.168.1.2.


Figure 2-4: Static NAT

To configure dynamic inside source address translation, follow these steps:

Step 1: Define a pool of global addresses to be allocated as needed.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Use the no ip nat pool command to remove the configuration above.

Step 2: Define a standard access control list (ACL) that permits the addresses that are to be translated.

Router(config)#access-list access-list-number permit source [source-wildcard]

Step 3: Establish dynamic source translation, specifying the ACL that was defined in the previous step.

Router(config)#ip nat inside source list access-list-number pool name

Step 4: Specify and mark the inside interface.

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 5: Specify and mark the outside interface.

Router(config)#interface type number
Router(config-if)#ip nat outside

Use the show ip nat translations command in EXEC mode to display translation information.

3. Dynamic NAT mechanism:

The example in Figure 2-5 shows the translation of all source addresses that pass ACL 1, that is, a source address from the 192.168.1.0/24 network, into an address from the pool named net-208. The pool contains addresses from 171.69.233.209/28 to 171.69.233.222/28.

Figure 2-5: Dynamic NAT.

4. Overloading an inside global address:

You can conserve addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols, for example TCP or UDP port numbers, to translate the inside global address back into the correct inside local address. When multiple inside local addresses map to one inside global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.

Figure 2-6 illustrates NAT operation when one inside global address represents multiple inside local addresses. The TCP port numbers act as differentiators.

Figure 2-6: Overloading an inside global address.

Both host B and host C think they are talking to a single host at address 2.2.2.2. They are actually talking to different hosts; the port number is the differentiator. In fact, many inside hosts could share the inside global IPv4 address by using many port numbers.

The router performs the following process when overloading inside global addresses:

Step 1: The user at host 1.1.1.1 opens a connection to host B.

Step 2: The first packet that the router receives from host 1.1.1.1 causes the router to check its NAT table.

If no translation entry exists, the router determines that address 1.1.1.1 must be translated and sets up a translation of inside local address 1.1.1.1 into a legal inside global address. If overloading is enabled and another translation is active, the router reuses the inside global address from that translation and saves enough information to be able to translate back. This type of entry is called an extended entry.

Step 3: The router replaces the inside local source address 1.1.1.1 with the selected inside global address and forwards the packet.

Step 4: Host B receives the packet and responds to host 1.1.1.1 by using the inside global IPv4 address 2.2.2.2.

Step 5: When the router receives the packet with the inside global IPv4 address, the router performs a NAT table lookup. Using the inside global address and port and the outside global address and port as a key, the router translates the address back into the inside local address 1.1.1.1 and forwards the packet to host 1.1.1.1. Host 1.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
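
The following Python sketch is an added example, not code from the original page or from Cisco IOS: it models the extended entries and the port allocation rule described above (keep the original source port if free, otherwise take the first free port in the same port group, then move to the next inside global address). The PatTable class, its method names and the outside address used for host B are assumptions; port uniqueness is tracked per protocol, inside global address and port as a simplification.

```python
from itertools import chain

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]
HOST_B = "203.0.113.10"           # constructed outside global address for host B


class PatTable:
    def __init__(self, inside_global_addrs):
        self.addrs = list(inside_global_addrs)
        self.in_use = set()       # (proto, inside global ip, port)
        self.bindings = {}        # (proto, local ip, local port) -> (global ip, port)
        self.inbound = {}         # extended entries used for return traffic

    def _allocate(self, proto, src_port):
        low, high = next(g for g in PORT_GROUPS if g[0] <= src_port <= g[1])
        for addr in self.addrs:
            # Original source port first, then the group from its beginning.
            for port in chain([src_port], range(low, high + 1)):
                if (proto, addr, port) not in self.in_use:
                    self.in_use.add((proto, addr, port))
                    return addr, port
        raise RuntimeError("no free port on any inside global address")

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside to outside: returns the (inside global ip, port) to use."""
        inside = (proto, src_ip, src_port)
        if inside not in self.bindings:
            self.bindings[inside] = self._allocate(proto, src_port)
        g_ip, g_port = self.bindings[inside]
        # Key of step 5: inside global address and port plus
        # outside global address and port.
        self.inbound[(proto, g_ip, g_port, dst_ip, dst_port)] = (src_ip, src_port)
        return g_ip, g_port

    def translate_in(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside to inside: returns (inside local ip, port) or None."""
        return self.inbound.get((proto, dst_ip, dst_port, src_ip, src_port))


if __name__ == "__main__":
    pat = PatTable(["2.2.2.2"])
    # Two inside hosts pick the same source port towards host B.
    print(pat.translate_out("tcp", "1.1.1.1", 1024, HOST_B, 23))
    print(pat.translate_out("tcp", "1.1.1.2", 1024, HOST_B, 23))
    # Replies are mapped back by inside global port.
    print(pat.translate_in("tcp", HOST_B, 23, "2.2.2.2", 1025))
    # A packet from an outside host with no entry has no translation.
    print(pat.translate_in("tcp", "198.51.100.7", 23, "2.2.2.2", 1025))
```

A None result from translate_in corresponds to an inbound packet for which no extended entry exists in the table.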

To configure overloading of inside global addresses, follow these steps:

Step 1: Define a standard ACL that permits the addresses that are to be translated.

Router(config)#access-list access-list-number permit source [source-wildcard]

Step 2: Establish dynamic source translation, specifying the ACL that was defined in the previous step.

Router(config)#ip nat inside source list access-list-number interface interface overload

Use the no ip nat inside source command to remove the command above.
The overload keyword enables PAT.

Step 3: Specify the inside interface.

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 4: Specify the outside interface.

Router(config)#interface type number
Router(config-if)#ip nat outside

Use the show ip nat translations command in EXEC mode to display active translation information.

By default, dynamic NAT entries time out from the NAT and PAT translation tables after a period of non-use. You can reconfigure the default timeout with the ip nat translation command. The syntax for this command is as follows:

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout} {seconds | never}

II - Gii quyt vn bng dch :

Khi c vn kt ni trong mt mi trng NAT, n thng rt kh xc
nh nguyn nhn ca vn . NAT thng l nguyn nhn, trong khi thc t c
mt vn c bn. Khi bn ang c gng xc nh nguyn nhn ca mt vn
kt ni IPv4, n gip loi b NAT nh l vn tim nng. Thc hin theo cc
bc sau xc minh rng NAT ang hot ng nh mong i:

Bc 1 Da trn cu hnh, xc nh r nhng g NAT phi t c. Bn c th
xc nh cu hnh NAT c vn .

Bc 2 S dng lnh show ip nat translations xc nh xem bn dch ng
cha.

Bc 3 Kim tra s chuyn i a ch ang xy ra bng cch s dng lnh
show v debug.

Bc 4 Xem xt c th nhng g ang xy ra vi cc gi tin, v xc minh rng
cc router c cc thng tin nh tuyn chnh xc cho cc a ch dch chuyn cc
gi tin.

Nu vic chuyn i a ch khng tng ng trong bng dch, xc minh cc
mc sau y:

Khng c ACL hng trong t chi gi tin vo cc b nh tuyn NAT.
Cc ACL c tham chiu bi lnh NAT cho php tt c cc mng cn thit.
Cc pool c a ch NAT .
Cc giao din cng c ng vi NAT vo trong hay NAT ra ngoi.

In a simple network environment, it is useful to monitor NAT statistics with the show ip nat statistics command. However, in a more complex NAT environment with several translations taking place, this command is no longer useful. In that case, it may be necessary to run debug commands on the router.

The debug ip nat command displays information about every packet that the router translates, which helps you verify the operation of the NAT feature. The debug ip nat detailed command generates a description of each packet. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address. The debug ip nat detailed command consumes more of the device's memory than the debug ip nat command, but it can provide the detail that you need to troubleshoot the NAT problem.



Another useful command when verifying the operation of NAT is show ip nat statistics. This command is shown in the following example.


III - Resolving a problem with NAT

In Figure 2-7, the network administrator is experiencing the following problem: Host A (192.168.1.2) cannot ping Host B (192.168.2.2).

The next several examples show how to troubleshoot this issue.

To troubleshoot the problem, use the show ip nat translations command to see whether any translations are currently in the table:






You find that no translations are stored in the table. This could indicate a problem, or it could mean that no traffic is currently being translated.

Next, you must verify whether any translations have ever taken place and identify the interfaces between which translation should be occurring. Use show ip nat statistics to determine this information, as shown in the following example.



From these results, you determine that the NAT counters are at 0, which verifies that no translation is occurring. You also find that the router interfaces are incorrectly defined as NAT inside or outside.

After you correctly define the NAT inside and outside interfaces, generate another ping from Host A to Host B. In this example, the ping still fails. Use show ip nat translations and show ip nat statistics again to troubleshoot the problem. In the example, you find that translations are still not occurring.

Next, you should use the show access-list command to verify whether the ACL that is referenced by the NAT command permits all the necessary networks:



From this output, you determine that the problem comes from an incorrect wildcard mask used when defining the addresses to be translated.
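
The wildcard check in this step can be done mechanically before the ACL is ever applied. The Python sketch below is an added example, not part of the original course text: Host A and the 192.168.1.0 network come from the page, while the second inside host, the foreign address 10.9.8.1 and the faulty ACL entry are constructed, because the page does not show the faulty access-list line.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_matches(host, acl_addr, wildcard):
    """IOS-style match: wildcard bits set to 0 must be equal, bits set to 1 are ignored."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(host) & care) == (_to_int(acl_addr) & care)


def wildcard_for_prefix(prefix_len):
    """Wildcard that matches every host of a prefix: the bitwise inverse of its subnet mask."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(~netmask & ALL_ONES))


def looks_like_subnet_mask(wildcard):
    """True when the value has contiguous leading 1 bits, i.e. a subnet mask typed as a wildcard."""
    w = _to_int(wildcard)
    if w in (0, ALL_ONES):          # "host" and "any" are legitimate wildcards
        return False
    return (w | (w - 1)) == ALL_ONES


def audit_nat_acl(acl_addr, wildcard, must_translate, must_not_translate):
    """Return (missed, unexpected): inside hosts the entry skips and foreign hosts it permits."""
    missed = [h for h in must_translate if not acl_matches(h, acl_addr, wildcard)]
    unexpected = [h for h in must_not_translate if acl_matches(h, acl_addr, wildcard)]
    return missed, unexpected


# Host A and its network come from the page; everything else here is constructed.
INSIDE = ["192.168.1.2", "192.168.1.77"]
FOREIGN = ["10.9.8.1"]

if __name__ == "__main__":
    candidates = [
        ("192.168.1.1", "255.255.255.0"),          # constructed faulty entry: subnet mask as wildcard
        ("192.168.1.0", wildcard_for_prefix(24)),  # corrected entry for the inside network
    ]
    for addr, wc in candidates:
        missed, unexpected = audit_nat_acl(addr, wc, INSIDE, FOREIGN)
        print(f"permit {addr} {wc}: missed={missed} unexpected={unexpected} "
              f"mask_like={looks_like_subnet_mask(wc)}")
```

The faulty entry fails in both directions: it skips every inside host, so nothing is translated, and it permits an unrelated address whose last octet happens to match.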

After correcting the wildcard mask bits, generate a ping from Host A to Host B. It still fails. However, when you use show ip nat translations and show ip nat statistics again, you find that translations are now occurring:



Next, use the show ip route command on Router B to verify the existence of a return route to the translated address.

From the results in the example, you discover that Router B has no route to the translated network address of 172.16.0.0.



Return to Router A and enter the show ip protocol command.


You find that Router A is advertising 192.168.1.0, which is the network that is being translated, instead of advertising 172.16.0.0.

So, to fix the original problem where Host A (192.168.1.2) could not ping Host B (192.168.2.2), you change the following configurations on Router A:

- Interface S0 is now the outside interface, rather than the inside interface.
- Interface E0 is now the inside interface, rather than the outside interface.
- The wildcard mask now matches any host on the 192.168.1.0 network. Previously, access-list 1 did not match the inside local IPv4 address.
- Router A is now configured to advertise the 172.16.0.0 network. Previously, Router B did not know the route to the 172.16.17.0/24 subnet. This configuration is done by creating a loopback interface and modifying the routing protocol (RIP).




The following summarizes the key points that were discussed in this section.

- There are three types of NAT: static, dynamic, and overloading (PAT).
- Static NAT is one-to-one address mapping. With dynamic NAT, the NAT addresses are taken from a pool.
- NAT overloading (PAT) allows many inside addresses to be mapped to one outside address.
- Use the show ip nat translations command to display the translation table and verify that translation has occurred.
- To determine whether a current translation entry is being used, use show ip nat statistics or clear ip nat statistics to check and clear the hit counters.
- Use the debug ip nat command to verify the translation of packets.



















PART 3: VPN Solutions

WANs provide the means for users to access resources across a wide geographic area. Some services are considered Layer 2 connections between your remote sites, typically provided by a telephone company (telco) over its WAN switches. Some of these technologies include point-to-point (leased line) connections and Frame Relay connections.

Other connections leverage the Internet infrastructure, a Layer 3 alternative, to interconnect the remote sites of an organization. To provide security across the public Internet, you can implement a virtual private network (VPN) solution.

This section introduces the components of a VPN solution for connectivity.

I - Introduction to VPN solutions:

The Cisco VPN solution provides an Internet-based WAN infrastructure for connecting branch offices, home offices, and business partner sites, and for remote connectivity to all or part of a corporate network. With cost-effective, high-bandwidth Internet connectivity that is secured by encrypted VPN tunnels, you can reduce WAN bandwidth costs while increasing connection speeds.

Cisco VPNs are reliable for critical traffic, such as voice calls and client/server applications, without degrading communication quality, while ensuring a high level of security.

1. VPNs and their benefits:

A VPN is an encrypted connection between private networks over a public network such as the Internet. Information from a private network is transported securely over a public network, the Internet, to form a virtual network. To keep the traffic private, it is encrypted so that the data stays confidential. Instead of using a dedicated Layer 2 connection such as a leased line, a VPN uses IPsec to form virtual connections that are routed through the Internet from the company's private network to remote sites or to employees' remote hosts. Figure 3-1 shows some examples of using VPNs to connect different types of remote sites.

Figure 3-1: Examples of VPN connections.

The benefits of VPNs include:

Cost savings: VPNs enable organizations to use cost-effective third-party Internet transport to connect remote offices and remote users to the main corporate site, thus eliminating expensive dedicated WAN links and modems. Furthermore, with the advent of cost-effective modern technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.

Security: VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.

Scalability: VPNs enable companies to use the Internet infrastructure within ISPs and devices, which makes it easy to add new users. Therefore, companies can add a large number of users without adding significant infrastructure.


Compatibility with broadband technology: VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed broadband connectivity, such as DSL and cable, to access their corporate networks, providing workers with significant flexibility and efficiency. Furthermore, high-speed broadband connections provide a cost-effective solution for connecting remote offices.

2. Types of VPNs

There are two types of VPN networks:

- Site-to-site
- Remote access, which includes two types of VPN solutions:
  - Cisco Easy VPN
  - Cisco IOS IP Security (IPsec) / Secure Socket Layer (SSL) VPN, also known as WebVPN.

A site-to-site VPN is an extension of the classic WAN. Site-to-site VPNs connect entire networks to each other. For example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most companies now have Internet access, these connections can be replaced with site-to-site VPNs. Figure 3-2 shows an example of a site-to-site VPN.


Figure 3-2: Site-to-site VPN connection

In a site-to-site VPN, hosts do not have Cisco VPN Client software; they send and receive normal TCP/IP traffic through a VPN "gateway", which can be a router, a firewall, a Cisco VPN Concentrator, or a Cisco ASA 5500 Series integrated security appliance. The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Remote access is an evolution of circuit-switched networks, such as plain old telephone service (POTS) or ISDN. Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Remote-access VPNs connect individual hosts that must access their company network securely over the Internet. Figure 3-3 shows an example of a remote-access VPN.

In a remote-access VPN, each host typically has Cisco VPN Client software. Whenever the host tries to send traffic, the Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.


Figure 3-3: Illustration of a remote-access VPN connection

When deploying VPNs for teleworkers and small branch offices, ease of deployment is increasingly important. Cisco Easy VPN makes it easier than ever to deploy VPNs as part of a small, medium, or large enterprise network that has Cisco products. Cisco Easy VPN is an ideal, cost-effective solution for remote offices that have little information technology support.

There are two components of Cisco Easy VPN:

Cisco Easy VPN Server: The server can be a dedicated VPN gateway such as a Cisco VPN Concentrator, a Cisco PIX Firewall, a Cisco ASA integrated security appliance, or a Cisco IOS router with the firewall feature. A VPN gateway that uses Cisco Easy VPN Server software can terminate VPN tunnels that are initiated by mobile and remote workers who run Cisco VPN Client software on their computers. A VPN gateway can also terminate VPNs from remote devices that act as Cisco Easy VPN remote nodes in site-to-site VPNs.

Cisco Easy VPN Remote clients: These enable Cisco routers, PIX Firewalls, Cisco ASA integrated security appliances, and Cisco VPN Hardware Clients to receive security policies from a Cisco Easy VPN Server, which minimizes VPN configuration requirements at remote locations. Cisco Easy VPN allows VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Microsoft Windows Internet Name Service (WINS) server addresses, to be pushed from the Cisco Easy VPN Server to the remote device.

Figure 3-4 shows how the Cisco Easy VPN components provide a framework for VPN connectivity to remote sites.



Figure 3-4: Cisco Easy VPN

Benefits

The following are the benefits of Cisco Easy VPN:
- Centrally stored configurations allow dynamic configuration of end-user policies and require less manual intervention.
- The local VPN configuration is independent of the remote IP address. This feature allows the provider to change equipment and network configurations as needed, with little or no reconfiguration of the end-user equipment.
- Cisco Easy VPN provides centralized security policy management.
- Cisco Easy VPN enables large-scale deployments with rapid user provisioning.
- Cisco Easy VPN removes the need for users to install and configure Cisco Easy VPN Remote software on their computers.



Restrictions:

Implementing Cisco Easy VPN may not be appropriate for all networks because of some restrictions. The following restrictions apply to Cisco Easy VPN:
- No manual Network Address Translation (NAT) or Port Address Translation (PAT) configuration is allowed.
  - Cisco Easy VPN Remote automatically creates the appropriate NAT or PAT configuration for the VPN tunnel.
- Only one destination peer is supported.
  - Cisco Easy VPN supports configurations with only one destination peer and tunnel connection.
  - If an application requires the creation of multiple VPN tunnels, you must configure the IPsec VPN and the NAT and PAT parameters on both the remote client and the server.
- Cisco Easy VPN requires destination servers.
  - Cisco Easy VPN requires that the destination peer be a Cisco Easy VPN Server.
- Digital certificates are not supported.
  - Authentication is supported using pre-shared keys (PSK).
  - Extended Authentication (XAUTH) can also be used.
- Only Internet Security Association and Key Management Protocol (ISAKMP) group 2 is supported on IPsec servers.
  - The Cisco VPN Client and server support only ISAKMP policies that use group 2 (1024-bit Diffie-Hellman [DH]) Internet Key Exchange (IKE) negotiation.
- Some transform sets are not supported.
  - The Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (ESP-DES and ESP-3DES) or transform sets that provide authentication without encryption (ESP-NULL, ESP-SHA-HMAC, and ESP-NULL ESP-MD5-HMAC).
  - The Cisco VPN Client and server do not support Authentication Header (AH) authentication but do support Encapsulating Security Payload (ESP).



3. IPsec SSL VPN (WebVPN)

Cisco IOS IPsec/SSL VPN, also known as WebVPN, is an emerging technology that provides remote access from any location using a web browser and SSL encryption. WebVPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish the connection. If an application requires access, WebVPN does not require a software client to be preinstalled on the endpoint host. This ability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location. Figure 3-5 shows an SSL VPN tunnel that can be built across the Internet using a web browser.

Figure 3-5: WebVPN

WebVPN currently delivers two modes of SSL VPN access: clientless and thin client. WebVPNs allow users to access web pages and services, including the ability to access files, send and receive e-mail, and run TCP-based applications, without IPsec VPN Client software. WebVPNs are appropriate for users who require per-application or per-server access control, or access from desktop computers.

Benefits

The primary benefit of WebVPN is that it is compatible with Dynamic Multipoint VPNs (DMVPN), Cisco IOS Firewall, IPsec, intrusion prevention systems (IPS), Cisco Easy VPN, and NAT.

Restrictions

As with other VPN software, some restrictions exist with IPsec SSL VPN (WebVPN). The primary restriction of WebVPN is that it is currently supported only in software. The router CPU processes the WebVPN connections. The on-board VPN acceleration that is available in integrated services routers accelerates only IPsec connections.

II - Introduction to IPsec:

IPsec operates at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers). IPsec is not bound to any specific authentication, encryption, or security algorithm or keying technology. IPsec is a framework of open standards. Figure 3-6 shows how IPsec can be used with different clients and connecting devices.

Figure 3-6: Different ways of using IPsec.

Because IPsec is not bound to specific algorithms, it allows newer and better algorithms to be implemented without patching the existing IPsec standards. IPsec provides data confidentiality, data integrity, and origin authentication between participating peers at the IP layer.


IPsec security services provide the following four critical functions:

Confidentiality (encryption): The sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If the communication is intercepted, the data cannot be read.

Data integrity: The receiver can verify that the data was transmitted through the Internet without being changed. IPsec ensures data integrity by using checksums (also known as a hash value), a simple redundancy check.

Authentication: Authentication ensures that the connection is made with the desired communication partner. The receiver can authenticate the source of the packet, guaranteeing and certifying the source of the information.

Antireplay protection: Antireplay protection verifies that each packet is unique and not duplicated. IPsec packets are protected by comparing the sequence numbers of the received packets with a sliding window on the destination host or security gateway. A packet whose sequence number is before the sliding window is considered either late or a duplicate of an old packet, and it is rejected.
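
The sliding-window comparison described under antireplay protection can be written in a few lines. The Python sketch below is an added example, not part of the original course text; the 64-packet window size and the list of arriving sequence numbers are assumptions constructed for the illustration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over packet sequence numbers."""

    def __init__(self, size=64):            # window size is an assumption for this example
        self.size = size
        self.highest = 0                    # highest sequence number accepted so far
        self.seen = 0                       # bit i set => (highest - i) was already accepted

    def accept(self, seq):
        """Return True and record seq if it is new and inside or ahead of the window."""
        if seq < 1:
            return False
        if seq > self.highest:              # ahead of the window: slide the window forward
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:             # before the window: late, cannot be checked, reject
            return False
        if self.seen & (1 << offset):       # inside the window and already recorded: duplicate
            return False
        self.seen |= 1 << offset            # inside the window, first sighting (reordered packet)
        return True


def classify(sequence_numbers, size=64):
    """Run a stream of sequence numbers through a fresh window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in sequence_numbers]


# Constructed arrival order: in-order packets, a reordered one (3), duplicates (3, 5),
# a large jump (200), one packet that falls before the window (136) and one still inside (137).
ARRIVALS = [1, 2, 5, 3, 3, 5, 200, 136, 137]

if __name__ == "__main__":
    for seq, ok in classify(ARRIVALS):
        print(f"seq={seq:<4} {'accept' if ok else 'reject'}")
```

In an IPsec receiver this check is paired with the integrity check on the packet, so that an unauthenticated packet cannot move the window.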

Plaintext data that is transported over the public Internet can be intercepted and read. To keep the data private, you should encrypt it. By scrambling the data, it is rendered unreadable. Figure 3-7 shows that data is encrypted as it passes across the public Internet.


Figure 3-7: Data encryption.


For encryption to work, both the sender and the receiver must know the rules that are used to transform the original message into its coded form. These rules are based on an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a string of digits called a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.

In Figure 3-7, someone wants to send a financial document across the Internet. At the local end, the document is combined with a key and run through an encryption algorithm. The output is unreadable ciphertext. The ciphertext is then sent through the Internet. At the remote end, the message is recombined with a key and sent back through the encryption algorithm. The output is the original financial document.

The degree of security depends on the length of the key of the encryption algorithm. The time that it takes to process all the possibilities is a function of the computing power of the computer. Therefore, the shorter the key, the easier it is to break. Figure 3-8 shows the role of the key in the process.

Figure 3-8: Encryption key.

Encryption algorithms such as DES and 3DES require a symmetric shared key to perform encryption and decryption. You can use e-mail or courier to send the shared secret key to the administrators of the devices. However, the easiest key exchange method is a public key exchange method between the encrypting and decrypting devices. The DH key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key, which only they know, even though they are communicating over an insecure channel. Figure 3-9 shows that the shared keys must be established securely over an open network.


Figure 3-9: Establishing the encryption key.

Some of the encryption algorithms and the lengths of the keys that they use are as follows:
- Data Encryption Standard (DES) algorithm: DES was developed by IBM. DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem.
- Triple DES (3DES) algorithm: The 3DES algorithm is a variant of the 56-bit DES. 3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES provides significant encryption strength over 56-bit DES. DES is a symmetric key cryptosystem.
- Advanced Encryption Standard (AES): The National Institute of Standards and Technology (NIST) recently adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128-, 192-, and 256-bit keys.
- Rivest, Shamir, and Adleman (RSA): RSA is an asymmetric key cryptosystem. It uses a key length of 512, 768, 1024, or larger. IPsec does not use RSA for data encryption. IKE uses RSA encryption only during the peer authentication phase.

VPN data is transported over the public Internet. Potentially, this data could be intercepted and modified. To guard against this problem, you can use a data integrity algorithm. A data integrity algorithm adds a hash to the message. The hash guarantees the integrity of the original message. If the transmitted hash matches the received hash, the message has not been tampered with. However, if no match exists, the message was altered.

In the following example, someone is trying to send Terry Smith an invoice for $100. At the remote end, Alex Jones is trying to cash it for $1000. As the invoice travelled across the Internet, it was altered. Both the recipient and the dollar amount were changed. In this case, if a data integrity algorithm were used, the hashes would not match, and the transaction would no longer be valid.

Keyed Hash-based Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. At the local end, the message and a shared secret key are sent through a hash algorithm, which produces a hash value. The message and the hash value are sent over the network.

The two common HMAC algorithms are as follows:

HMAC-Message Digest 5 (MD5) algorithm: Uses a 128-bit shared secret key. The variable-length message and the 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.

HMAC-Secure Hash Algorithm 1 (SHA-1): HMAC-SHA-1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
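
The altered-invoice scenario and the two HMAC variants above can be reproduced with Python's standard hmac module. This is an added example, not part of the original course text; the keys, the message wording and the helper names are constructed for the illustration, with key lengths taken from the figures given above.

```python
import hashlib
import hmac


def protect(message, key, algo="sha1"):
    """Sender side: append HMAC(key, message) to the message."""
    return message + hmac.new(key, message, algo).digest()


def verify(packet, key, algo="sha1"):
    """Receiver side: return the message if the appended hash matches, otherwise None."""
    size = hashlib.new(algo).digest_size
    if len(packet) < size:                      # too short to even carry a hash
        return None
    message, received = packet[:-size], packet[-size:]
    expected = hmac.new(key, message, algo).digest()
    # compare_digest avoids leaking how many leading bytes matched
    return message if hmac.compare_digest(received, expected) else None


def alter_in_transit(packet, new_message, algo="sha1"):
    """Model of the modified invoice: the message changes, the appended hash stays as sent."""
    size = hashlib.new(algo).digest_size
    return new_message + packet[-size:]


# Constructed keys (128-bit for HMAC-MD5, 160-bit for HMAC-SHA-1) and messages.
KEY_MD5 = bytes(range(16))
KEY_SHA1 = bytes(range(20))
ORIGINAL = b"Pay to Terry Smith: $100"
ALTERED = b"Pay to Alex Jones: $1000"

if __name__ == "__main__":
    for algo, key in (("md5", KEY_MD5), ("sha1", KEY_SHA1)):
        sent = protect(ORIGINAL, key, algo)
        print(algo, "hash bits:", (len(sent) - len(ORIGINAL)) * 8)
        print("  untouched ->", verify(sent, key, algo))
        print("  altered   ->", verify(alter_in_transit(sent, ALTERED, algo), key, algo))
```

Because the hash depends on the shared secret key, a party that changes the message without knowing the key cannot produce a hash that the receiver will accept.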

When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. The device at the other end of the VPN tunnel must be authenticated before the communication path is considered secure. This is illustrated in Figure 3-10.


Figure 3-10: Peer authentication.

The two peer authentication methods are as follows:
- PSKs: A secret key value is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
- RSA signatures: Use the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.







The following summarizes the key points that were discussed in the previous section:
- Organizations implement VPNs because they are less expensive, more secure, and easier to scale than traditional WANs.
- Site-to-site VPNs secure traffic between intranet and extranet peers. Remote-access VPNs secure communications from traveling telecommuters to the central office.
- VPNs can be implemented with a variety of different devices such as Cisco IOS routers, the ASA 5500 Series, and Cisco VPN Client software.
- IPsec is a framework that combines security protocols and provides VPNs with data confidentiality, integrity, and authentication.
- AH and ESP are the two main IPsec protocols.


















PART 4: Establishing WAN Connections with PPP


Wide-area network (WAN) services are typically leased from a service provider. Some WAN services operate as Layer 2 connections between your remote locations and are typically provided by a telephone company (telco) over its WAN switches.
PPP emerged as an encapsulation protocol for transporting IP traffic over point-to-point (leased line) serial connections. This section describes the operation, configuration, and authentication of PPP.

I. Understanding WAN encapsulation:

On each WAN connection, data is encapsulated into frames before it crosses the WAN link. To ensure that the correct protocol is used, you must configure the appropriate Layer 2 encapsulation type. The choice of Layer 2 protocol depends on the WAN technology and the communicating equipment. Figure 3-11 highlights some of the choices for connecting to the WAN.


Figure 3-11: Options for the WAN.

The following are typical WAN protocols:

High-Level Data Link Control (HDLC): The Cisco default encapsulation type on point-to-point connections, dedicated links, and circuit-switched connections. You typically use HDLC when two Cisco devices are communicating across a point-to-point connection.

PPP: Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP was designed to work with several network layer protocols, including IP. PPP also has built-in security mechanisms, such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Frame Relay: This protocol is an industry-standard, switched data link layer protocol that handles multiple virtual circuits (VC). Frame Relay is streamlined to eliminate some of the time-consuming processes, such as error correction and flow control, that were used in X.25 to compensate for less reliable communication links.

ATM: This protocol is the international standard for cell relay, in which multiple service types such as voice, video, and data are conveyed in fixed-length (53-byte) cells. ATM, a cell-switched technology, uses fixed-length cells, which allows processing to occur in hardware, thereby reducing transit delays. ATM is designed to take advantage of high-speed transmission media such as T3, E3, and SONET.

Broadband: Broadband in data communications typically refers to data transmission where multiple pieces of data are sent simultaneously to increase the effective rate of transmission, regardless of the actual data rate. In network engineering, this term refers to transmission methods where two or more signals share a medium, such as the following technologies:

- DSL-PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA): A technology that provides digital data transmission over the wires of a local telephone network. Typically, the download speed of consumer DSL services ranges from 256 to 24,000 kbps, depending on the DSL technology, line conditions, and the service level that has been implemented. DSL implementations often use PPPoE or PPPoA. Both implementations offer standard PPP features such as authentication, encryption, and compression. PPPoE is a network protocol for encapsulating PPP frames in Ethernet frames. PPPoA is a network protocol for encapsulating PPP frames in ATM adaptation layer 5 (AAL5).

- Cable-Ethernet: A cable modem is a type of modem that provides access to a data signal sent over the cable television infrastructure. Cable modems are primarily used to deliver broadband Internet access, taking advantage of unused bandwidth on a cable television network. The bandwidth of business cable modem services typically ranges from 3 Mbps to 30 Mbps or more. Current cable modem systems use the Ethernet frame format for data transmission over upstream and downstream data channels. Each of the downstream data channels and the associated upstream data channels on a cable network form an extended Ethernet WAN.


Metro Ethernet: The emergence of Metro Ethernet as a viable method of providing both point-to-point and multipoint services has been driven by an abundance of fiber deployment to business areas. Ethernet may be the most scalable transport technology ever developed. Starting at 10 Mbps, it has evolved to 10 Gbps, with plans for 40 Gbps. Several prominent methods exist for transporting Metro Ethernet over networks, including these key solution approaches:
- Delivering Ethernet services over dark fiber.
- Delivering Ethernet services over SONET/Synchronous Digital Hierarchy (SDH) networks.
- Delivering Ethernet services that use Resilient Packet Ring (RPR) technology.

II. PPP authentication:
1. PPP overview:
PPP provides several basic functions, the most important of which is serving as a leased line service that links two devices. Some facts about PPP are as follows:
- It defines a header and a trailer that allow delivery of a data frame over the link.
- It supports both synchronous and asynchronous links.
- A protocol type field in the header allows multiple Layer 3 protocols to pass over the same link.
- It has built-in authentication: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
- It has control protocols for each higher-layer protocol that rides over PPP, allowing easier integration of those protocols.
2. The PPP protocol field:
One of the important features in the PPP standard, which is not in the HDLC standard, is the protocol field. The protocol field identifies the type of packet inside the frame. When a PPP connection is created, this field allows packets from many different Layer 3 protocols to pass over a single link.

Figure 4-2: PPP and HDLC framing.
PPP defines a set of Layer 2 control messages that perform various link control functions. These functions fall into two main categories:
- Those needed regardless of the Layer 3 protocol that is sent across the link.
- Those specific to each Layer 3 protocol.
3. Link Control Protocol:
The Link Control Protocol (LCP) implements the control functions that work the same regardless of the Layer 3 protocol that is used.
The PPP LCP is used to negotiate and set up control options on the WAN data link. PPP offers many services. These services are options in LCP and are primarily used for negotiation and for checking frames to implement the point-to-point controls that an administrator specifies for the connection.
LCP provides the following four basic features:

3.1 Looped link detection:

Error detection and looped link detection are two key features of PPP. Looped link detection allows faster convergence when a link fails because it is looped. A router cannot send any bits to the other end while a loop is in effect. However, the router might not notice by itself that the link is looped, because the router is still receiving something on the link. PPP helps the router recognize a looped link quickly so that it can bring down the interface and use an alternative route.


LCP notices looped links quickly by using a feature called magic numbers. When using PPP, the router sends PPP LCP messages instead of Cisco keepalive messages across the link; these messages include a magic number, which is different on each router. If a line is looped, the router receives an LCP message with its own magic number instead of a message with a different number. When a router receives its own magic number, it knows that the frame it sent has been looped back, so the router takes down the interface, which speeds convergence.

3.2 Enhanced error detection:

Like many other data link protocols, PPP uses an FCS field in the PPP trailer to determine whether an individual frame has an error. If a frame is received in error, it is discarded. However, PPP can also monitor the frequency with which frames are received in error, so that it can take down the interface if errored frames occur too often.

PPP LCP analyzes the error rate on a link by using a feature called Link Quality Monitoring (LQM). LCP at each end of the link sends messages that describe the number of correctly received packets and bytes. The router that sent the packets compares these counts with the number of frames and bytes it sent, and calculates the percentage of packets lost. The router can take down the link after the error rate exceeds the expected level.

LQM is useful when a redundant link exists in the network. By taking down a link that has many errors, you can forward packets over a backup path that has fewer errors.

3.3 PPP multilink:

When multiple PPP links exist between two routers, referred to as parallel links, the routers must determine how to use those links. With HDLC links, and with PPP links that use the simplest configuration, the routers must use Layer 3 load balancing. This means that the routers have multiple routes for the same destination, as in the example in the following figure:



Figure 4-3: Load balancing without Multilink PPP.

In the example, there are two packets, one large and one small. Using Layer 3 logic, the router can choose to send one packet over one link and the next packet over the other link. However, because the packets differ in size, the router cannot balance the traffic equally over each link. In this case, when most packets are sent to a few destination hosts, the number of packets sent over each link may not be balanced, which can overload one link and leave the other link idle.

Multilink PPP load-balances the traffic equally over the links while allowing the Layer 3 logic in each router to treat the parallel links as a single link. When encapsulating a packet, PPP fragments the packet into smaller frames and sends one fragment over each link.

3.4 PPP authentication:

PPP can carry packets from several network layer protocols by using Network Control Protocols (NCP). The NCPs include functional fields that contain standardized codes to indicate the network layer protocol type that is encapsulated in the PPP frame.

Figure 4-4 shows how NCP and LCP provide these functions for PPP.



The three phases of a PPP session are described in the following list:

1. Link establishment phase:
In this phase, each PPP device sends LCP packets to configure and test the data link. LCP packets contain a configuration option field that allows devices to negotiate the use of options, such as the maximum receive unit, compression of certain PPP fields, and the link authentication protocol. If a configuration option is not included in an LCP packet, the default value for that configuration option is assumed.

2. Authentication phase (optional)
After the link has been established and the authentication protocol has been decided on, the peers go through the authentication phase. Authentication, if used, takes place before the network layer protocol phase begins.

PPP supports two authentication protocols: PAP and CHAP. Both protocols are discussed in RFC 1334.

3. Network layer protocol negotiation phase:
In this phase, the PPP devices send NCP packets to choose and configure one or more network layer protocols, such as IP. After each of the chosen network layer protocols is configured, datagrams from each network layer protocol can be sent over the link.

PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. PAP is performed only upon initial link establishment.

After the PPP link establishment phase is complete, the remote node repeatedly sends a username and password pair to the router until authentication is acknowledged or the connection is terminated. Figure 4-5 shows an example of PAP authentication.


Figure 4-5: PAP authentication.

PAP is not a strong authentication protocol. Passwords are sent across the link in plaintext. This can be acceptable in environments that use token-type passwords that change with each authentication, but it is not secure in most environments.

CHAP, which uses a three-way handshake, occurs at the startup of a link and periodically thereafter to verify the identity of the remote node by using a three-way handshake.

After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value that is calculated by using a one-way hash function, typically MD5, based on the password and the challenge message. The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated immediately. Figure 4-6 provides an example of CHAP authentication.




Figure 4-6: CHAP authentication.

CHAP provides protection against attack by using a challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random. The local router or a third-party authentication server controls the frequency and timing of the challenges.
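
The challenge, response and check described above can be traced in a short Python model. This is an added example, not part of the original course text: it follows the response calculation defined in RFC 1994 (MD5 over the identifier octet, the shared secret and the challenge), and the peer name RouterB, the secret and the class layout are constructed for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over identifier octet, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (the local router in the text)."""

    def __init__(self, secrets):
        self.secrets = secrets              # peer name -> shared secret
        self.pending = {}                   # peer name -> (identifier, challenge) awaiting a reply
        self.next_id = 0

    def challenge(self, peer):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)              # unique and unpredictable for every challenge
        self.pending[peer] = (identifier, value)
        return identifier, value

    def check(self, peer, identifier, response):
        outstanding = self.pending.pop(peer, None)      # a challenge can be answered only once
        secret = self.secrets.get(peer)
        if outstanding is None or secret is None or outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, secret, outstanding[1])
        return hmac.compare_digest(expected, response)


def run_exchange():
    """Return (first_login, replayed_answer, wrong_secret, secret_seen_on_link)."""
    secret = b"constructed-shared-secret"               # constructed value
    local = Authenticator({"RouterB": secret})          # constructed peer name

    ident, value = local.challenge("RouterB")
    answer = chap_response(ident, secret, value)        # computed by the remote node
    first_login = local.check("RouterB", ident, answer)

    ident2, _ = local.challenge("RouterB")              # periodic re-authentication
    replayed_answer = local.check("RouterB", ident2, answer)   # old answer, new challenge

    ident3, value3 = local.challenge("RouterB")
    wrong_secret = local.check("RouterB", ident3, chap_response(ident3, b"guess", value3))

    secret_seen_on_link = secret in (value + answer)    # only challenge and hash cross the link
    return first_login, replayed_answer, wrong_secret, secret_seen_on_link


if __name__ == "__main__":
    print(run_exchange())
```

A response captured during one exchange is useless for the next one because the hash is bound to a fresh challenge, which is the property PAP lacks when it sends the password itself.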
III. Configuring and verifying PPP:
To enable PPP encapsulation with PAP or CHAP authentication on an interface, complete the following steps:

- Enable PPP encapsulation as the Layer 2 protocol on the interface.
- (Optional) Enable PPP authentication by following these steps:

Step 1: Configure the router host name.
Step 2: Configure the username and password to authenticate the PPP peer.
Step 3: Choose the authentication method for the PPP link: PAP or CHAP.

To enable PPP encapsulation, use the encapsulation ppp command on the interface.
To configure PPP authentication, the interface must be configured for PPP encapsulation. The following steps enable PAP or CHAP authentication.

Step 1: Set the host name on each router with the hostname name command. This name must match the username that the authenticating router at the other end expects.

Step 2: On each router, define the username and password that match the remote device with the username name password password command.

Chng 4: Cng ngh WAN v bo mt
Page | 87

Bc 3: Cu hnh xc thc PPP vi lnh PPP authentication {pap | chap pap |
pap chap | chap} trn giao din cng.

Nu cu hnh PPP authentication chap trn giao din cng, tt c cc lung
PPP i vo giao din cng s c chng thc vi CHAP. Ngc li, Nu cu
hnh PPP authentication pap trn giao din cng, tt c cc lung PPP i vo
giao din cng s c chng thc vi PAP.

Nu cu hnh PPP authentication chap pap trn giao din cng, tt c cc
lung PPP i vo giao din cng s c chng thc vi CHAP. Nu thit b
cui khng h tr CHAP, router s c gng dng PAP. Nu thit b u cui
khng h tr c PAP ln CHAP, xc thc s tht bi, v lung PPP s b t
chi.

Ghi ch: Nu bt c hai tnh nng, PAP v CHAP, phng thc xc thc u
tin s c s dng trong sut cc phin thng lng. Nu thit b cui dng
phng thc xc thc th hai hai t chi phng thc u, phng thc xc th
th hai s c dng.

Example: Configuring PPP and CHAP.
In this example, a two-way handshake is performed. The hostname of one router must match the username configured on the other router. The passwords must also match.


Example configuration of PPP and CHAP.

Use the show interface command to verify the configuration.



Note that PPP encapsulation is configured and that LCP has established a connection (LCP Open).
Because the two-way handshake is configured, this router authenticates the other end. Use the debug ppp authentication command to watch the process as it happens.



To determine whether the router is performing one-way or two-way handshake authentication, look at the messages. Here the router is performing two-way handshake authentication.


The following message indicates that the router is performing one-way handshake authentication.


The two-way handshake proceeds as follows:


To determine whether the router is performing CHAP or PAP authentication, look at the following messages:
With CHAP authentication:


With PAP authentication:

Summary of the main points discussed:
- PPP is a common Layer 2 protocol for WAN connections. The two components of PPP are LCP, which negotiates the connection, and NCP, which encapsulates the data traffic.
- PPP can be configured with PAP or CHAP. PAP sends everything in plain text, whereas CHAP uses the MD5 hash algorithm.
- The show interface command verifies PPP encapsulation, and the debug ppp negotiation command shows the LCP handshake.

IV. Troubleshooting PPP authentication:

1. Resolving Layer 2 problems:

When both interfaces are up but the line protocol on at least one router shows down, or keeps switching between up and down (flapping), the problem is related to Layer 2.

The first problem is a mismatch in authentication type, which is easy to recognize and fix. Use show interface to check the type on both routers.
Remember that HDLC is the router's default encapsulation, and it is often the cause of the mismatch when PPP encapsulation is configured. Reconfigure one of the two routers so that both use the same authentication type, PPP.
The second problem is keepalive failure.
The keepalive feature helps a router recognize when a router interface is down, or switch to a new path.
Keepalive is active by default: the router sends keepalive messages to the other end every 10 seconds. If a router does not receive any keepalive message from the other router within the default interval, it brings the interface down, on the assumption that the interface is no longer working.
In practice, always leave keepalive enabled. A fault does arise, however, when keepalive is turned off on one end of the link.

In the following example, Router1 uses the no keepalive command on the interface to turn off keepalive. Router2 continues to send keepalive messages and expects a reply. After some time has passed without any keepalive from Router1, Router2 changes the state of the interface to up and down. Router2 then returns the interface to up and sends keepalive messages again, but still receives no reply from Router1, and goes back to up and down. The interface keeps cycling through these states (flapping). Meanwhile, Router1 pays no attention to keepalives, so its interface stays up and up.



The third problem is failed authentication when using PAP or CHAP.
Check the messages shown by debug ppp authentication.

CHAP exchanges three messages during authentication. The three highlighted lines below show R1's authentication process with R2: first R1 sends a challenge, then it receives the response from R2, and the last message shows that authentication completed.
When CHAP authentication fails, the debug output shows two messages.

Summary of Layer 2 problems when running PPP:

| Line status | Protocol status | Likely cause |
|---|---|---|
| Up | Down on both ends, or down on one end and flapping between up and down | Mismatched authentication protocol |
| Up | Down on one end, up on the other end | Keepalive turned off |
| Up | Down on both interfaces | Authentication username and password do not match |
2. Resolving Layer 3 problems:

Two cases can occur:

First, the interfaces are up and up but ping fails because of a Layer 3 configuration error. Second, ping works, but routing protocols cannot exchange routes between the devices.

With HDLC, both interfaces remain up and up. However, if the IP addresses configured on the serial interfaces of the two routers are in different subnets, ping does not work, because the routers do not have matching routes to each other.

Example: the serial IP address of R1 is 192.168.2.1 and that of R2 is changed to 192.168.3.2 (instead of 192.168.2.2), still with a /24 mask. The two routers are then connected to two different subnets, and ping cannot succeed.
The diagnosis on an HDLC link is simple. When both interfaces are up and up but ping fails, the cause is that the subnets on the two interfaces do not match.

A PPP link behaves differently: with mismatched IP addresses and subnets, both interfaces are up and up, but ping still succeeds. A router using PPP encapsulation advertises its serial interface address to the remote router with a /32 prefix, which is a route to that single address. Therefore, both routers have a route for sending packets to the other end, even when the two routers are configured with mismatched IP addresses.

Example: if R2's IP address is 192.168.4.2/24 while R1's is 192.168.2.1/24, the two addresses are in different subnets, but ping still succeeds because PPP advertises a /32 host route.

Note: a route with a /32 prefix, representing a single host, is called a host route.

Although ping can be used to check connectivity between the two ends, routing protocols still cannot advertise routes, because they cannot associate with the IP subnet of the other end. So, when troubleshooting at the network layer, suppose the interface state is up/up and ping succeeds but the routing protocols still cannot exchange routes: the cause is that the two routers are not in the same subnet.

Summary of Layer 3 problems:

| Interface IP addresses in different subnets | HDLC | PPP |
|---|---|---|
| Does ping succeed? | No | Yes |
| Can routing protocols exchange routes? | No | No |
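The HDLC and PPP cases above, reproduced as an added example that is not part of the original course text. It models each router's connected routes, adds the /32 peer host route only for PPP, and uses a longest-prefix lookup; treating "routing protocols can exchange routes" as "both interfaces are in the same subnet" is a simplifying assumption, and the function names are constructed.

```python
import ipaddress


def connected_routes(local_if, peer_if, encapsulation):
    """Routes a router has for a serial link, e.g. local_if='192.168.2.1/24'."""
    routes = [ipaddress.ip_interface(local_if).network]
    if encapsulation == "ppp":
        # PPP learns the peer's address and installs a /32 host route to it.
        peer_ip = ipaddress.ip_interface(peer_if).ip
        routes.append(ipaddress.ip_network(f"{peer_ip}/32"))
    return routes


def best_route(routes, destination):
    """Longest-prefix match; None when no route covers the destination."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r]
    return max(matches, key=lambda r: r.prefixlen, default=None)


def ping_works(a_if, b_if, encapsulation):
    """The echo needs A's route to B, the reply needs B's route to A."""
    a_ip = ipaddress.ip_interface(a_if).ip
    b_ip = ipaddress.ip_interface(b_if).ip
    a_routes = connected_routes(a_if, b_if, encapsulation)
    b_routes = connected_routes(b_if, a_if, encapsulation)
    return (best_route(a_routes, b_ip) is not None
            and best_route(b_routes, a_ip) is not None)


def same_subnet(a_if, b_if):
    """Simplified stand-in for 'routing protocols can exchange routes'."""
    return (ipaddress.ip_interface(a_if).network
            == ipaddress.ip_interface(b_if).network)


def summary():
    """Recompute the summary table from the addresses used in the text."""
    return {
        "hdlc_ping": ping_works("192.168.2.1/24", "192.168.3.2/24", "hdlc"),
        "ppp_ping": ping_works("192.168.2.1/24", "192.168.4.2/24", "ppp"),
        "hdlc_routing": same_subnet("192.168.2.1/24", "192.168.3.2/24"),
        "ppp_routing": same_subnet("192.168.2.1/24", "192.168.4.2/24"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```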

PART 5: Introduction to Frame Relay technology

Information technology has made great leaps in recent years, in particular the manufacture and use of fiber-optic cable in transmission networks, which gives very high transmission quality. When the X.25 acknowledgment procedure is used to carry data over a fiber-optic network, the answer to "was it received correctly?" is almost always yes. The question is whether the time-consuming query and acknowledgment procedure of X.25 is still needed to carry data over fiber. That is why Frame Relay came about. Frame Relay can carry frames of up to 4096 bytes, whereas the recommended standard X.25 packet is 128 bytes, and it spends no time on acknowledgment, error detection and error correction at Layer 3, so Frame Relay can carry data tens of times faster than X.25 at the same line speed. Frame Relay is well suited to high-speed data transmission, to LAN-to-LAN connections and also to voice, but the prerequisite for using Frame Relay is a high-quality transmission network.

Frame Relay is a set of WAN standards that creates a more efficient WAN service than point-to-point links, while still allowing pairs of routers to send data directly to each other. With leased lines, each line requires a serial interface on each router and a separate physical circuit built by the telco. Frame Relay supports sending data to many remote routers over a single physical WAN circuit. For example, a company with one central site and ten remote sites would need ten leased lines to the main site and ten serial interfaces on the central site router. With Frame Relay, the main site can have a single leased line connecting it to the Frame Relay service and a single serial interface on the central site router, and can still communicate with each of the ten remote site routers.
I. General configuration of a Frame Relay network:

Figure 5-1: Frame Relay network.
The building blocks of a Frame Relay network are the Frame Relay Access Device (FRAD), the Frame Relay Network Device (FRND), the links between these devices, and the Frame Relay backbone.
A FRAD can be a LAN bridge, a LAN router, and so on. A FRND can be a frame-switching exchange or a cell-switching exchange (cell relay carries cells that aggregate different services such as voice, data and video; each cell is 53 bytes long, which is the method used by ATM). The link between the devices is the common interface between the FRAD and the FRND, the user-to-network protocol, also called the F.R UNI (Frame Relay User Network Interface). The Frame Relay backbone is similar to other telecommunication networks, with many exchanges connected to one another over the transmission network according to its own procedures. In the seven-layer OSI model, at Layer 3 (the network layer), Frame Relay uses no procedure at all (it is transparent).
II. Frame Relay overview:
Frame Relay provides more features and benefits than simple point-to-point WAN links, but to do so, the Frame Relay protocols are more detailed. For example, Frame Relay networks are multiaccess networks, which means that more than two devices can attach to the network, similar to a LAN. Unlike a LAN, you cannot send a data-link layer broadcast over Frame Relay. Therefore, Frame Relay is called a nonbroadcast multiaccess (NBMA) network. Also, because Frame Relay is multiaccess, it requires the use of an address that identifies the remote router to which each frame is addressed.

Figure 5-2 shows the basic physical topology and the related terminology of a Frame Relay network.

Figure 5-2: Components of a Frame Relay network.
Figure 5-2 shows the most basic components of a Frame Relay network. A leased line is installed between the router and a nearby Frame Relay switch; this link is called the access link. To ensure that the link is working, the device outside the Frame Relay network, called the data terminal equipment (DTE), regularly exchanges messages with the Frame Relay switch. These keepalive messages, along with other messages, are defined by the Frame Relay Local Management Interface (LMI) protocol. The routers are considered DTE, and the Frame Relay switches are data communications equipment (DCE).

Whereas Figure 5-2 shows the physical connectivity at each connection to the Frame Relay network, Figure 5-3 shows the logical, or virtual, end-to-end connectivity associated with a virtual circuit (VC).

Figure 5-3: Frame Relay PVC concept.
The logical communication path between each pair of DTEs is a VC. The trio of parallel lines in the figure represents a single VC. Typically, the service provider preconfigures all the required details of a VC; predefined VCs are called permanent virtual circuits (PVC).

Routers use the data-link connection identifier (DLCI) as the Frame Relay address; it identifies the VC over which the frame should travel. So, in Figure 5-3, when R1 needs to forward a packet to R2, R1 encapsulates the Layer 3 packet in a Frame Relay header and trailer and then sends the frame. The Frame Relay header includes the correct DLCI so that the provider's Frame Relay switches forward the frame correctly toward R2.
Table 4 lists the components shown in Figures 5-2 and 5-3 and some related terms.

| Term | Description |
|---|---|
| Virtual circuit (VC) | A logical concept that represents the path that frames travel between DTEs. VCs are particularly useful when comparing Frame Relay to leased physical circuits. |
| Permanent virtual circuit (PVC) | A predefined VC. A PVC can be equated to a leased line in concept. |
| Switched virtual circuit (SVC) | A VC that is set up dynamically when needed. An SVC can be equated to a dial connection in concept. |
| Data terminal equipment (DTE) | DTEs are connected to a Frame Relay service from a telecommunications company. They are typically located at the sites used by the company buying the Frame Relay service. |
| Data communications equipment (DCE) | Frame Relay switches are DCE devices. DCEs are also known as data circuit-terminating equipment. DCEs are typically located in the service provider's network. |
| Access link | The leased line between the DTE and the DCE. |
| Access rate (AR) | The speed at which the access link is clocked. This choice affects the price of the connection. |
| Committed Information Rate (CIR) | The speed at which bits can be sent over a VC, according to the business contract between the customer and the provider. |
| Data-link connection identifier (DLCI) | A Frame Relay address used in the header to identify the VC. |
| Nonbroadcast multiaccess (NBMA) | A network in which broadcasts are not supported, but more than two devices can be connected. |
| Local Management Interface (LMI) | The protocol used between a DCE and a DTE to manage the connection. Signaling messages for SVCs, PVC status messages, and keepalives are all LMI messages. |

Table 4: Frame Relay terms and concepts.

1. Frame Relay standards:

| What is defined | ITU document | ANSI document |
|---|---|---|
| Data-link specifications, including the LAPF header/trailer | Q.922 Annex A (Q.922-A) | T1.618 |
| PVC management, LMI | Q.933 Annex A (Q.933-A) | T1.617 Annex D (T1.617-D) |
| SVC signaling | Q.933 | T1.617 |
| Multiprotocol encapsulation | Q.933 Annex E (Q.933-E) | T1.617 Annex F (T1.617-F) |

Table 5: Frame Relay protocols.
2. Virtual circuits
Frame Relay provides significant advantages over using point-to-point leased lines. The first advantage is virtual circuits. Consider Figure 5-4, which shows a typical Frame Relay network with three sites.

Figure 5-4: Typical Frame Relay network with three sites.
A virtual circuit defines a logical path between two Frame Relay DTEs. It acts like a point-to-point circuit, providing the ability to send data between two endpoints over a WAN. There is no physical circuit directly between the two endpoints, so it is virtual.
VCs share the access link and the Frame Relay network. For example, both VCs terminating at R1 use the same access link. In fact, many customers share the same Frame Relay network. Originally, people with leased-line networks were reluctant to move to Frame Relay, because they would have to compete with other customers for the capacity inside the service provider's cloud. To address these fears, Frame Relay is designed with the concept of a committed information rate (CIR). Each VC has a CIR, which is a guarantee by the provider that a VC gets at least that much bandwidth. So you can move from a leased line to Frame Relay and get a CIR of at least as much bandwidth as you previously had with the leased line.

Even with a three-site network, it is probably less expensive to use Frame Relay than to use point-to-point links. Imagine an organization with 100 sites that needs any-to-any connectivity. Think how many leased lines that would require! Besides that, the organization would need 99 serial interfaces per router if it used point-to-point leased lines. With Frame Relay, an organization could have 100 access links to local Frame Relay switches, one per router, and have 4,950 VCs running over them. That requires far fewer actual physical links, and you would need only one serial interface on each router!

Frame Relay service providers can build their networks more cost-effectively than for leased lines. As you would expect, that makes it less expensive for the customer to use a Frame Relay network. For connecting many WAN sites, Frame Relay is simply more cost-effective than leased lines.

Two types of VCs are allowed: permanent (PVC) and switched (SVC). PVCs are predefined by the provider; SVCs are created dynamically. PVCs are by far the more popular of the two.
When a Frame Relay network is designed, the design may not include a VC between each pair of sites. Figure 5-4 includes PVCs between each pair of sites; this is called a full-mesh Frame Relay network. When not all pairs have a direct PVC, it is called a partial-mesh network. Figure 5-5 shows the same network as Figure 5-4, but this time with a partial mesh and only two PVCs. This is typical when R1 is at the main site and R2 and R3 are at remote offices that rarely need to communicate directly.

Figure 5-5: Partial-mesh Frame Relay network.
A partial mesh has some advantages and disadvantages compared to a full mesh. The primary advantage is that it is cheaper, because the provider charges per VC. The downside is that traffic from R2's site to R3's site must go to R1 first and then be forwarded. If that is a small amount of traffic, it is a small price to pay. If it is a lot of traffic, a full mesh is worth more, because traffic going between the two remote sites would have to cross R1's access link twice.

One conceptual hurdle with PVCs is that there is typically a single access link across which multiple PVCs flow. For example, consider Figure 5-5 from R1's perspective. Server1 sends a packet to Larry. It comes across the Ethernet. R1 receives it and matches Larry's routing table entry, which tells it to send the packet out Serial0. R1 encapsulates the packet in a Frame Relay header and trailer and then sends it. Which PVC is used? The Frame Relay switch should forward it to R2, but why does it?

To solve this problem, Frame Relay uses an address to distinguish one PVC from another. This address is called a data-link connection identifier (DLCI). The name is descriptive: the address is for an OSI Layer 2 (data link) protocol, and it identifies a VC, which is sometimes called a virtual connection. So, in this example, R1 uses the DLCI that identifies the PVC to R2, so the provider forwards the frame correctly over the PVC to R2. To send frames to R3, R1 uses the DLCI that identifies the VC to R3.
3. LMI and encapsulation types:

LMI is a definition of the messages used between the DTE and the DCE (for example, the Frame Relay switch owned by the service provider). The encapsulation defines the headers used by a DTE to communicate some information to the DTE on the other end of a VC. The switch and the router connected to it care about using the same LMI; the switch does not care about the encapsulation. The endpoint routers (DTEs) do care about the encapsulation.

The LMI status message performs two main functions:

- It performs a keepalive function between the DTE and the DCE. If the access link has a problem, the absence of keepalive messages implies that the link is down.
- It signals whether a PVC is active or inactive. Even though each PVC is predefined, its status can change. An access link might be up, but one or more VCs could be down. The router needs to know which VCs are up and which are down. It learns that information from the switch through LMI status messages.
Three LMI protocol options are available in Cisco IOS software: Cisco, ITU, and ANSI. Each LMI option is different and therefore is incompatible with the other two. As long as both the DTE and the DCE on each end of an access link use the same LMI standard, LMI works fine.

The differences between the LMI types are subtle. For example, the Cisco LMI uses DLCI 1023, whereas ANSI T1.617-D and ITU Q.933-A specify DLCI 0. Some of the messages have different fields in their headers. The DTE simply needs to know which of the three LMIs to use so that it can use the same type as the switch.

Configuring the LMI type is easy. The most popular option today is to use the default LMI setting. This setting uses the LMI autosense feature, in which the router simply figures out which LMI type is in use. So you can simply let the routers autosense the LMI and never bother coding the LMI type. If you choose to configure the LMI type, the router disables the autosense feature.

Table 6 outlines the three LMI types, their origin, and the keyword used in the Cisco IOS frame-relay lmi-type subcommand.



Table 6: LMI types.

A router connected to Frame Relay encapsulates each Layer 3 packet inside a Frame Relay header and trailer before it is sent out an access link. The header and trailer are defined by the Link Access Procedure Frame Bearer Services (LAPF) specification, ITU Q.922-A. The sparse LAPF framing provides error detection with an FCS in the trailer, as well as the DLCI, DE, FECN, and BECN fields in the header.

Figure 5-6: LAPF header

However, the LAPF header and trailer do not provide all the fields typically needed by routers. Each data-link header needs a field that identifies the type of packet that follows the data-link header. If Frame Relay used only the LAPF header, DTEs (including routers) could not support multiprotocol traffic, because there would be no way to identify the type of protocol in the Information field.

Two solutions were created to compensate for the lack of a Protocol Type field in the standard Frame Relay header:

- Cisco and three other companies created an additional header, which comes between the LAPF header and the Layer 3 packet shown in Figure 5-6. It includes a 2-byte Protocol Type field, with values matching the same field Cisco uses for HDLC.

- Multiprotocol Interconnect over Frame Relay was defined as the second solution. RFC 2427 specifies a similar header, also placed between the LAPF header and the Layer 3 packet, which includes a Protocol Type field as well as other options.



Figure 5-7: Cisco and RFC 1490/2427 encapsulation

DTEs use and react to the fields specified by these two types of encapsulation, but Frame Relay switches ignore these fields. Because the frames flow from DTE to DTE, both DTEs should agree on the encapsulation used. The switches do not care. However, each VC can use a different encapsulation. In the configuration, the encapsulation created by Cisco is called cisco, and the other one is called IETF.
III. Controlling speed and discards in the Frame Relay cloud:

The Frame Relay header includes three single-bit flags that Frame Relay can use to help control what happens inside the Frame Relay cloud. These bits are particularly useful when one or more sites use an access rate that exceeds the CIR of a VC. For example, if a router has a T1 Frame Relay access link but only a 128-kbps committed information rate (CIR) on a VC that goes over that link, the router can send much more data into the Frame Relay network than the contract with the Frame Relay provider allows. This section examines the three bits that affect how the switches can help control the network when it becomes congested because of these speed mismatches: namely, the Forward Explicit Congestion Notification (FECN), Backward Explicit Congestion Notification (BECN), and Discard Eligibility (DE) bits.

1. FECN and BECN

To deal with cases in which a router can send more data than the VC allows, IOS includes a feature called Traffic Shaping, which lets a router send some packets, wait, send more, wait again, and so on. Traffic Shaping allows the router to lower the overall rate of sending bits to a speed slower than the access rate, and possibly as low as the CIR of a VC. For example, with a T1 access link and a 128-kbps CIR, Traffic Shaping could be defined to send an average of only 256 kbps over the VC. The idea is that the Frame Relay provider will probably discard a lot of traffic if the router sends data over the VC at an average near T1 speed, which is 12 times the CIR in this case. However, the Frame Relay provider may discard traffic if the average rate is only 256 kbps, twice the CIR in this case.

You can set Traffic Shaping to use a single speed, or to adapt within a range between two speed settings. When it is configured to adapt between two speeds, the higher speed is used if the network is not congested; when the network is congested, the router adapts and throttles down to the lower rate.

To adapt the shaping rate, the router needs a way to know whether congestion is occurring, and that is where FECN and BECN are used. Figure 5-8 shows the basic use of the FECN and BECN bits.


Figure 5-8: Basic operation of FECN and BECN.

FECN and BECN are bits in the Frame Relay header. At any point, either in a router or inside the Frame Relay cloud, a device can set the FECN bit, which means that this frame has experienced congestion. In other words, congestion exists in the forward direction of that frame. In Figure 5-8, at Step 1, the router sends a frame with FECN = 0. The Frame Relay network is congested, and the switch sets FECN = 1 at Step 2.

The goal of the whole process, however, is to tell the sending router to slow down. So, knowing that it set FECN in a frame at Step 2 in the figure, the Frame Relay switch can set the BECN bit in the next frame sent back toward R1 on that VC, shown as Step 3 in the figure. BECN tells R1 that congestion occurred in the opposite direction. In other words, it says that congestion occurred for the frames sent by R1 to R2. R1 can then choose to slow down (or not), depending on how Traffic Shaping is configured.

2. The Discard Eligibility (DE) bit:

When the provider's network becomes congested, it seems reasonable for the provider to try to discard the frames sent by the customers that are causing the congestion. Providers typically build their networks to handle traffic loads in excess of the collective CIRs of all VCs. However, if one or more customers abuse the right to send data at speeds far above their contracted CIR, the provider can legitimately discard only the traffic sent by those customers.

The Frame Relay protocol defines a means to lessen the impact when a customer sends more than CIR bits per second over a VC and causes the provider to discard some frames. The customer can set the DE bit in some frames. If the provider's switches need to discard frames because of congestion, the switches can discard the frames that have the DE bit set. If the customer sets the DE bit in the right frames, such as for less important traffic, the customer can ensure that the important traffic gets through the Frame Relay network, even when the provider has to discard traffic. When the provider's network is not so congested, the customer can send a lot of extra data through the Frame Relay network without it being discarded.
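The header bits discussed in this section, shown as an added example that is not part of the original course text: a parser and builder for the two-octet Q.922 (LAPF) address field, plus a toy switch that discards DE frames and marks FECN and BECN under congestion. The switch model, the function names and the sample payloads are constructed for illustration; DLCI 52 is the value the configuration examples use.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LapfAddress:
    """Two-octet Q.922 (LAPF) address field of a Frame Relay frame."""
    dlci: int
    cr: bool = False
    fecn: bool = False
    becn: bool = False
    de: bool = False

    def pack(self):
        if not 0 <= self.dlci <= 1023:
            raise ValueError("a two-octet address carries a 10-bit DLCI")
        # Octet 1: DLCI high 6 bits | C/R | EA=0
        first = ((self.dlci >> 4) << 2) | (self.cr << 1)
        # Octet 2: DLCI low 4 bits | FECN | BECN | DE | EA=1
        second = (((self.dlci & 0x0F) << 4) | (self.fecn << 3)
                  | (self.becn << 2) | (self.de << 1) | 1)
        return bytes([first, second])

    @classmethod
    def unpack(cls, frame):
        if len(frame) < 2:
            raise ValueError("frame shorter than the address field")
        first, second = frame[0], frame[1]
        if first & 1 or not second & 1:
            raise ValueError("not a two-octet address (EA bits)")
        return cls(
            dlci=((first >> 2) << 4) | (second >> 4),
            cr=bool(first & 0x02),
            fecn=bool(second & 0x08),
            becn=bool(second & 0x04),
            de=bool(second & 0x02),
        )


def remark(frame, **bits):
    """Return the frame with the given header bits changed, payload untouched."""
    return replace(LapfAddress.unpack(frame), **bits).pack() + frame[2:]


def switch_forward(frames, capacity):
    """Toy switch, R1 -> R2 direction. More frames than capacity = congestion:
    DE frames are discarded first, survivors are forwarded with FECN set."""
    if len(frames) <= capacity:
        return list(frames), False
    survivors = [f for f in frames if not LapfAddress.unpack(f).de]
    return [remark(f, fecn=True) for f in survivors[:capacity]], True


def switch_reverse(frames, congested):
    """Toy switch, R2 -> R1 direction: set BECN while the VC is congested."""
    return [remark(f, becn=True) for f in frames] if congested else list(frames)


def demo():
    normal = LapfAddress(dlci=52)
    low_priority = replace(normal, de=True)   # customer marks bulk traffic
    burst = [normal.pack() + b"voice-1", low_priority.pack() + b"bulk-1",
             normal.pack() + b"voice-2", low_priority.pack() + b"bulk-2"]
    delivered, congested = switch_forward(burst, capacity=3)
    returned = switch_reverse([normal.pack() + b"reply"], congested)
    return {
        "delivered": [f[2:] for f in delivered],
        "fecn": [LapfAddress.unpack(f).fecn for f in delivered],
        "becn_to_r1": LapfAddress.unpack(returned[0]).becn,
    }


if __name__ == "__main__":
    print(demo())
```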
IV. Configuring and verifying Frame Relay:

Frame Relay configuration can be very basic or somewhat detailed, depending on how many default settings can be used. By default, Cisco IOS automatically senses the LMI type and automatically discovers the mapping between DLCIs and next-hop IP addresses (using Inverse ARP). If you use all Cisco routers, the default of Cisco encapsulation works without any additional configuration. If you also design the Frame Relay network to use a single subnet, you can configure the routers to use their physical interfaces without any subinterfaces, which keeps the configuration short.

1. Planning a Frame Relay configuration

Engineers must do some planning before knowing where to start with the configuration. Although most modern enterprises already have some Frame Relay connections, when planning for new sites you must consider the following items and communicate them to the Frame Relay provider, because they have some impact on the routers' Frame Relay configuration:

- Define which physical sites need a Frame Relay access link installed, and define the clock rate (access rate) used on each link.
- Define each VC by identifying the endpoints and setting the CIR.
- Agree on an LMI type (usually dictated by the provider).

For the following items, engineers do not need to consult the Frame Relay provider:
- Choose the IP subnetting scheme: one subnet for all VCs, one subnet for each VC, or a subnet for each fully meshed subset.

- Choose how IP addresses are assigned: to the physical interface, to subinterfaces, or point-to-point.

- Choose which VCs need to use IETF encapsulation instead of the default value of "cisco". IETF encapsulation is typically used when one router is not a Cisco router.

After the planning is complete, the configuration steps flow directly from the choices made when planning the network. The following list summarizes the configuration steps:

Step 1: Configure the physical interface to use Frame Relay encapsulation (encapsulation frame-relay subcommand).

Step 2: Configure an IP address on the interface or subinterface (ip address subcommand).

Step 3 (optional): Set the LMI type on each physical serial interface (frame-relay lmi-type subcommand).

Step 4 (optional): Change from the default encapsulation of cisco to IETF by doing the following:
a. For all VCs on the interface, add the IETF keyword to the encapsulation frame-relay interface subcommand.
b. For a single VC, add the IETF keyword to the frame-relay interface-dlci subcommand (point-to-point subinterfaces only) or to the frame-relay map command.

Step 5 (optional): If you are not using the (default) Inverse ARP to map the DLCI to the next-hop router's IP address, define static mapping using frame-relay map ip dlci ip-address broadcast.

Step 6: On subinterfaces, associate one (point-to-point) or multiple (multipoint) DLCIs with the subinterface in one of two ways:
a. Using the frame-relay interface-dlci subcommand on the subinterface.
b. As a side effect of static mapping using frame-relay map ip dlci ip-address broadcast on the subinterface.
2. A fully meshed network with one IP subnet:

The first example shows a very short Frame Relay configuration that needs only the first two steps of the configuration checklist in this section. The design for the first example includes the following choices:

- Install an access link into three routers.
- Create a full mesh of PVCs.
- Use a single subnet (Class C network 199.1.1.0) in the Frame Relay network.
- Configure the routers to use their physical interfaces.

Take the default settings for LMI, Inverse ARP, and encapsulation. Examples 1, 2, and 3 show the configuration for the network shown in Figure 5-9.


Figure 5-9: Full mesh with IP addresses.

Example 1: Mayberry configuration:



Example 2: Mount Pilot configuration



Example 3: Raleigh configuration

The configuration is simple in comparison with the protocol concepts. The encapsulation frame-relay command tells the routers to use the Frame Relay data-link protocol instead of the default, which is HDLC. In addition, this simple configuration takes advantage of the following IOS default settings:

- The LMI type is automatically sensed.
- The (default) encapsulation is Cisco instead of IETF.
- PVC DLCIs are learned through LMI status messages.
- Inverse ARP is enabled (by default) and is triggered when the status message declaring that the VCs are up is received.

3. Configuring encapsulation and LMI:

In some cases, the default values are not appropriate. For example, you must use IETF encapsulation if one router is not a Cisco router. For the purpose of showing an alternative configuration, suppose that the following requirements were added:

- The Raleigh router requires IETF encapsulation on both VCs.
- Mayberry's LMI type should be ANSI, and LMI autosense should not be used.

To change these defaults, use the optional configuration steps 3 and 4 in the configuration checklist. Examples 4 and 5 show the changes that would be made to the Mayberry and Raleigh configurations.


Example 4: Mayberry configuration with the new requirements:



Example 5: Raleigh configuration with the new requirements:


First, Raleigh changes its encapsulation for both of its PVCs with the IETF keyword on the encapsulation command. This keyword applies to all VCs on the interface. However, Mayberry cannot change its encapsulation in the same way, because only one of the two VCs terminating at Mayberry needs to use IETF encapsulation, and the other needs to use Cisco encapsulation. So Mayberry is forced to use the frame-relay interface-dlci command, referencing the DLCI for the VC to Raleigh, with the IETF keyword. With that command, you can change the encapsulation on a single VC, as opposed to the configuration on Raleigh, which changes the encapsulation for all VCs.

The second major change is the LMI configuration. The LMI configuration on Mayberry would be fine without any changes, because the default use of LMI autosense would recognize ANSI as the LMI type in use. However, because of the frame-relay lmi-type ansi command, Mayberry must use ANSI, because this command not only sets the LMI type, it also disables autosensing of the LMI type.

Mount Pilot needs to configure a frame-relay interface-dlci command with the IETF keyword for its VC to Raleigh, just like Mayberry. This change is not shown in the examples.

The next decision the routers must make to complete the process shows the need for mapping: which DLCI should Mayberry put in the Frame Relay header? To see the answer, consider Example 6, which shows some important commands that can be used to see how Mayberry makes the right choice of DLCI.

The example highlights all the information relevant to Mayberry sending packets to network 199.1.11.0/24. Mayberry's route to 199.1.11.0 refers to outgoing interface Serial 0/0/0 and to 199.1.1.2 as the next-hop address. The show frame-relay pvc command lists two DLCIs, 52 and 53, and both are active. How does Mayberry know the DLCIs? The LMI status messages tell Mayberry about the VCs, the associated DLCIs, and the status (active).

Which DLCI should Mayberry use to forward the packet? The show frame-relay map command gives the answer. Notice the highlighted phrase "ip 199.1.1.2 DLCI 52" in the output. Somehow, Mayberry has mapped 199.1.1.2, which is the next-hop address in the route, to the correct DLCI, which is 52. So Mayberry knows to use DLCI 52 to reach next-hop IP address 199.1.1.2.
4. Frame Relay address mapping:

4.1 Inverse ARP:

Inverse ARP dynamically creates a mapping between the Layer 3 address (for example, the IP address) and the Layer 2 address (the DLCI). The end result of Inverse ARP is the same as IP ARP on a LAN: the router builds a mapping between a neighboring Layer 3 address and the corresponding Layer 2 address. However, the process used by Inverse ARP differs from ARP on a LAN. After the VC is up, each router announces its network layer address by sending an Inverse ARP message over that VC. This is shown in Figure 5-10.


Figure 5-10: How Inverse ARP works.

As shown in Figure 5-10, Inverse ARP announces its Layer 3 address as soon as the LMI signals that the PVCs are up. Inverse ARP starts by learning the DLCI data-link layer address (through LMI messages), and then it announces its own Layer 3 address that uses that VC. Inverse ARP is enabled by default.

4.2 Static Frame Relay mapping:

You can statically configure the same mapping information instead of using Inverse ARP. The example lists the static Frame Relay maps for the three routers shown in Figure 5-9, along with the configuration used to disable Inverse ARP.




The frame-relay map command for Mayberry, referencing 199.1.1.2, is used for packets in Mayberry going to Mount Pilot. When Mayberry creates a Frame Relay header, expecting it to be delivered to Mount Pilot, Mayberry must use DLCI 52. The frame-relay map command correlates Mount Pilot's IP address, 199.1.1.2, with the DLCI used to reach Mount Pilot, DLCI 52. Likewise, a packet sent back from Mount Pilot to Mayberry causes Mount Pilot to use its map statement that refers to Mayberry's IP address, 199.1.1.1. Mapping is needed for each next-hop Layer 3 address for each Layer 3 protocol being routed.

Note: The broadcast keyword is required when the router needs to send broadcasts or multicasts to the neighboring router, for example, to support routing protocol messages such as hellos.


V. Troubleshooting Frame Relay networks:

If a Frame Relay router's pings fail for all remote routers whose VCs share a single access link, do the following:

Step 1: Check for Layer 1 problems on the access link between the router and the local Frame Relay switch (all routers).

Step 2: Check for Layer 2 problems on the access link, particularly encapsulation and LMI.

After resolving any problems in the first two steps, or if the original ping tests showed that the Frame Relay router can ping some, but not all, of the other Frame Relay routers whose VCs share a single access link, follow these steps:

Step 3: Check for PVC problems based on the PVC status and subinterface status.

Step 4: Check for Layer 2/3 problems with both static and dynamic (Inverse ARP) mapping.

Step 5: Check for Layer 2/3 problems related to a mismatch of end-to-end encapsulation (cisco or IETF).

Step 6: Check for Layer 3 problems, including mismatched subnets.

Layer 1 issues on the access link (Step 1)

If a router's physical interface used for the Frame Relay access link is not in an up and up state, the router cannot send any frames over the link. If the interface has a line status of down, the interface most likely has a Layer 1 issue.

Layer 2 issues (Step 2)

If a router's physical interface line status is up, but the line protocol status is down, the link typically has a Layer 2 problem between the router and the local Frame Relay switch. With Frame Relay interfaces, the problem is usually related to either the encapsulation command or the Frame Relay LMI.

The potential problems related to the encapsulation command are very simple to check. If a router's serial interface configuration omits the encapsulation frame-relay subcommand, but the physical access link is working, the physical interface settles into an up/down state. If the configuration is unavailable, the show interfaces command can be used to see the configured encapsulation type.

The other potential problems relate to the LMI. LMI status messages flow in both directions between a switch (DTE) and a Frame Relay router (DCE) for two main purposes:

- For the DCE to inform the DTE about each VC's DLCI and its status
- To provide a keepalive function so that the DTE and DCE can easily tell when the access link can no longer pass traffic.

A router can place the physical link in an up/down state when the physical link works but the router no longer hears LMI messages from the switch. With the interface not in an up/up state, the router does not attempt to send any IP packets out the interface, so pings fail at this point.

A router might stop receiving LMI messages from the switch for both legitimate reasons and mistakes. The normal legitimate purpose of the LMI keepalive function is that if the link really has a problem and cannot pass any data, the router can notice the loss of keepalive messages and bring the link down. This allows the router to use an alternative route, assuming that an alternative route exists. However, a router might stop receiving LMI messages and bring down the interface because of the following mistakes:

- Disabling LMI on the router (with the no keepalive physical interface subcommand), but leaving it enabled on the switch, or vice versa

- Configuring different LMI types on the router (with the frame-relay lmi-type type physical interface subcommand) and the switch.

You can easily check both encapsulation and LMI using the show frame-relay lmi command. This command lists output only for interfaces that have the encapsulation frame-relay command configured, so you can quickly confirm whether the encapsulation frame-relay command is configured on the correct serial interfaces. The command also lists the LMI type used by the router.




For this example, router R1 was statically configured with the frame-relay lmi-type ansi subcommand, with switch S1 still using the cisco LMI type. When the LMI configuration was changed, the router and switch had exchanged 34 LMI messages (of type cisco). After that change, the counter continued to increase (122 when show frame-relay lmi was issued), but the counter of LMI status messages received from the switch remained at 34. Just below that counter is the number of timeouts, which counts the number of times the router expected to receive a periodic LMI message from the switch but did not. In this case, the router was actually still receiving LMI messages, but they were not ANSI LMI messages, so the router did not understand or recognize them.

If repeated use of the show frame-relay lmi command shows that the number of status messages received remains the same, the likely cause, other than a link that truly is not working, is that the LMI types do not match. The best solution is to allow LMI autosense by configuring the no frame-relay lmi-type type physical interface subcommand, or alternatively, to configure the same LMI type that is used by the switch.

If you troubleshoot and fix any problems found in Steps 1 and 2, on all Frame Relay connected routers, the access link physical interfaces of all the routers should be in an up/up state.

PVC problems and status (Step 3)

The goal at this step in the troubleshooting process is to discover the DLCI of the PVC used to reach a particular neighbor and then find out whether the PVC is working. To determine the correct PVC, particularly if little or no configuration or documentation is available, you have to start with the failed ping command. The ping command identifies the IP address of the neighboring router. Based on the neighbor's IP address, a few show commands can link the neighbor's IP address with the associated connected subnet, the connected subnet with the local router's interface, and the local router's interface with the possible DLCIs. Also, the Frame Relay mapping information can identify the specific PVC. The following list summarizes the steps that take the neighbor's IP address to the correct local DLCI used to send frames to that neighbor:

Step 3a: Discover the IP address and mask of each Frame Relay interface/subinterface, and the connected subnets.

Step 3b: Compare the IP address in the failed ping command, and pick the interface/subinterface whose connected subnet is the same subnet.

Step 3c: Discover the PVC(s) assigned to that interface or subinterface (show frame-relay pvc).

Step 3d: If more than one PVC is assigned to the interface or subinterface, determine which PVC is used to reach a particular neighbor (show frame-relay map).

Steps 3a, 3b, 3c, and 3d discover the correct PVC to examine. After it is discovered, Step 3 in the troubleshooting process interprets the status of that PVC, and of the associated interface or subinterface, to determine the cause of any problem.

This section takes a closer look at an example in which R1 cannot ping 10.1.2.2, R2's Frame Relay IP address. Before focusing on the process of determining which VC is used, it is helpful to see the final answer, so Figure 5-11 lists some of the details. For this example, R1's ping of 10.1.2.2 fails.


Figure 5-11: Configuration related to R1's failed ping of 10.1.2.2

Finding the connected subnet and outgoing interface (Steps 3a and 3b)

The first two substeps to find R1's PVC (DLCI) connecting to R2 (Steps 3a and 3b) are relatively easy. Any time you ping the Frame Relay IP address of a neighboring router, that IP address should be in one of the subnets also connected to the local router. To find the interface used on a router when forwarding packets to the remote router, you only need the associated connected subnet.

In this example, with R1 pinging 10.1.2.2, the example shows a few commands that confirm that R1's S0/0/0.2 subinterface is connected to subnet 10.1.2.0/24, which includes R2's IP address 10.1.2.2.




Finding the PVCs assigned to the interface (Step 3c)

The show frame-relay pvc command directly answers the question of which PVCs have been assigned to which interfaces and subinterfaces. If the command is issued with no parameters, the command lists about ten lines of output for each VC, with the end of the first line listing the associated interface or subinterface.





To find all the PVCs associated with an interface or subinterface, just scan the highlighted parts of the example. In this case, S0/0/0.2 is listed with only one PVC, the one with DLCI 102, so only one PVC is associated with S0/0/0.2.

Determining which PVC is used to reach a particular neighbor (Step 3d)

If the router's configuration associates more than one PVC with one interface or subinterface, the next step is to figure out which of the PVCs is used to send traffic to a particular neighbor. The example shows R1 using a subinterface S0/0/0.34 with DLCIs 103 and 104, with DLCI 103 used for the PVC to R3, and DLCI 104 for the PVC connecting to R4. So, if you were troubleshooting a problem in which the ping 10.1.34.3 command failed on R1, the next step would be to determine which of the two DLCIs (103 or 104) identifies the VC connecting R1 to R3.

The show command that can help is show frame-relay map, which can correlate the next-hop IP address and the DLCI. Unfortunately, if the local router relies on Inverse ARP, the local router cannot learn the mapping information right now either, so the mapping table may not have any useful information in it. However, if static mapping is used, the correct PVC/DLCI can be identified.

In the example of R1 failing to ping 10.1.2.2 (R2), because only one PVC is associated with the correct interface (S0/0/0.2), the PVC has already been identified, so you can ignore this step for now.

PVC status

The PVC status can be examined to see whether the PVC has a problem.

Routers use four different PVC status codes. A router learns about two of the possible status values, active and inactive, through LMI messages from the Frame Relay switch. The switch's LMI message lists all DLCIs for all configured PVCs on the access link, and identifies whether each PVC is currently usable (active) or not (inactive).

The first of the two PVC states that is not learned using LMI is called the static state. If LMI is disabled, the router does not learn any information from the switch about PVC status. So, the router lists all its configured DLCIs in the static state, meaning statically configured. The router does not know whether the PVCs will work, but it can at least send frames using those DLCIs and hope that the Frame Relay network can deliver them.

The other PVC state, deleted, is used when LMI is working but the switch's LMI messages do not mention anything about a particular DLCI value. If the router has configuration for a DLCI (for example, in a frame-relay interface-dlci command), but the switch's LMI message does not list that DLCI, the router lists that DLCI in a deleted state. This state means that the router has configured the DLCI, but the switch has not. In practice, the deleted state can mean that the router or switch has been misconfigured, or that the Frame Relay switch has not yet been configured with the correct DLCI. Table 7 summarizes the four Frame Relay PVC status codes.

Status                                                          Active   Inactive   Deleted   Static
The PVC is defined to the Frame Relay network                   Yes      Yes        No        Unknown
The router will attempt to send frames on a VC in this state    Yes      No         No        Yes

Table 7: PVC status values

As noted in the last row of the table, routers only send data over PVCs in an active or static state. Also, even if the PVC is in a static state, there is no guarantee that the Frame Relay network can actually send frames over that PVC, because the static state means that LMI is turned off, and the router has not learned any status information.

The next step in the troubleshooting process is to find the status of the PVC used to reach a particular neighbor. Continuing with the problem of R1 failing when pinging R2 (10.1.2.2), the example shows the status of the PVC with DLCI 102, as identified earlier.




In this case, R1 cannot ping R2 because the PVC with DLCI 102 is in an inactive state.

To further isolate the problem and find the root cause, you need to look deeper into the reasons why a PVC can be in an inactive state. First, repeat the same troubleshooting steps on R2. If no problems are found on R2, other than an inactive PVC, the problem may be a genuine problem in the Frame Relay provider's network, so a call to the provider may be the next step. However, you may find some other problem on the remote router. For example, to create the failure and the show commands in this section, R2's access link was shut down, so a quick examination of troubleshooting Step 1 on router R2 would have identified the problem. However, if further troubleshooting shows that both routers list their ends of the PVC in an inactive state, the root cause lies in the Frame Relay provider's network.

Finding the root cause of a problem related to a PVC in a deleted state is relatively easy. The deleted status means that the Frame Relay switch's configuration and the router's configuration do not match, with the router configuring a DLCI that is not also configured on the switch. Either the provider said it would configure a PVC with a particular DLCI and did not, or the wrong DLCI value was configured.

Subinterface status

Subinterfaces have a line status and a protocol status code, just like physical interfaces. However, because subinterfaces are virtual, the status codes and their meanings differ from those of physical interfaces.

Frame Relay configuration associates one or more DLCIs with a subinterface using two commands: frame-relay interface-dlci and frame-relay map. Of all the DLCIs associated with a subinterface, IOS uses the following rules to determine the status of the subinterface:

- Down/Down: All the DLCIs associated with the subinterface are inactive or deleted, or the underlying physical interface is not in an up/up state.

- Up/Up: At least one of the DLCIs associated with the subinterface is active or static.

For example, to cause the problems shown in the example, R2 and R3 simply shut down their Frame Relay access links. Figure 5-12 shows the next LMI status message that switch S1 sends to R1.

Figure 5-12: Results of shutting down the R2 and R3 access links.

As shown in the figure, R1 uses a point-to-point subinterface (S0/0/0.2) for the VC connecting to R2, and a subinterface (S0/0/0.34) associated with the VCs to R3 and R4 (103 and 104, respectively). The beginning of Example 14-20 shows that S0/0/0.2 is in a Down/Down state, which is because the only DLCI associated with the subinterface (102) is inactive. However, S0/0/0.34 has two DLCIs, one of which is active, so S0/0/0.34 is in an up/up state.

It is useful to look at the subinterface status when troubleshooting, but keep in mind that just because a subinterface is up, if it is a multipoint subinterface, the up/up state does not necessarily mean that all DLCIs associated with the subinterface are working.
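The Step 3 lookup and the status rules above can be traced in code. The following Python sketch is an added example, not output or configuration from the original text: it models R1 after R2 and R3 shut down their access links, and R1's own addresses, R4's address 10.1.34.4 and the static map entries are assumed values.

```python
import ipaddress

# Constructed model of R1 after R2 and R3 shut down their access links.
# Assumed (not on the page): R1's own addresses, R4's 10.1.34.4, static maps.
SUBINTERFACES = {
    "S0/0/0.2": {"ip": "10.1.2.1/24", "dlcis": [102]},
    "S0/0/0.34": {"ip": "10.1.34.1/24", "dlcis": [103, 104]},
}
PVC_STATUS = {102: "inactive", 103: "inactive", 104: "active"}
STATIC_MAP = {"S0/0/0.34": {"10.1.34.3": 103, "10.1.34.4": 104}}
USABLE = ("active", "static")  # Table 7: states in which the router sends


def find_subinterface(target_ip):
    """Steps 3a/3b: the subinterface whose connected subnet holds the target."""
    addr = ipaddress.ip_address(target_ip)
    for name, sub in SUBINTERFACES.items():
        if addr in ipaddress.ip_interface(sub["ip"]).network:
            return name
    return None


def find_dlci(subif, target_ip):
    """Steps 3c/3d: a single PVC needs no mapping; several need the map."""
    dlcis = SUBINTERFACES[subif]["dlcis"]
    if len(dlcis) == 1:
        return dlcis[0]
    return STATIC_MAP.get(subif, {}).get(target_ip)


def subinterface_state(subif, physical_up=True):
    """Up/up if the physical interface is up/up and any DLCI is usable."""
    statuses = [PVC_STATUS[d] for d in SUBINTERFACES[subif]["dlcis"]]
    if physical_up and any(s in USABLE for s in statuses):
        return "up/up"
    return "down/down"


def diagnose(target_ip):
    """Walk a failed ping target through Step 3 and report what was found."""
    subif = find_subinterface(target_ip)
    if subif is None:
        return {"target": target_ip, "finding": "no connected subnet"}
    dlci = find_dlci(subif, target_ip)
    if dlci is None:
        return {"target": target_ip, "subinterface": subif,
                "finding": "no mapping for this next hop"}
    status = PVC_STATUS[dlci]
    return {
        "target": target_ip,
        "subinterface": subif,
        "subinterface_state": subinterface_state(subif),
        "dlci": dlci,
        "pvc_status": status,
        "router_will_send": status in USABLE,
    }


if __name__ == "__main__":
    for ip in ("10.1.2.2", "10.1.34.3", "10.1.34.4"):
        print(diagnose(ip))
```

The result for 10.1.34.3 shows the multipoint caveat: the subinterface reports up/up while the PVC to R3 is inactive.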

Frame Relay mapping (Step 4):

The following list points out some reminders for this troubleshooting step:

On point-to-point subinterfaces:

- These subinterfaces do not need Inverse ARP or static mapping, because IOS simply assumes that the subnet defined on the subinterface is reachable through the only DLCI on the subinterface.

- The show frame-relay map command lists these subinterfaces, but with no next-hop IP address.

On physical interfaces and multipoint subinterfaces:

- They need to use either Inverse ARP or static mapping.
- The show frame-relay map command lists the remote router's IP address and the local DLCI for each PVC associated with the interface or subinterface.
- If you are using static mapping, the broadcast keyword is needed to support a routing protocol.

The following example shows the output of the show frame-relay map command on router R1 from Figure 5-12, with no problems with the mapping. (The problems introduced earlier have been fixed.) In this case, interface S0/0/0.2 is a point-to-point subinterface, and S0/0/0.34 is a multipoint subinterface, with one mapping learned by Inverse ARP and one statically configured mapping.



End-to-End Encapsulation (Step 5)

The end-to-end encapsulation on a PVC refers to the headers associated with the Frame Relay header, with two options: the Cisco-proprietary header and the IETF standard header.

A mismatched encapsulation setting on the routers on the two ends of the link can cause a problem in one particular case. If one router is a Cisco router, using Cisco encapsulation, and the other router is a non-Cisco router, using IETF encapsulation, pings can fail because of the encapsulation mismatch. However, two Cisco routers can understand both types of encapsulation, so it is not a problem in networks with only Cisco routers.

Mismatched subnet numbers (Step 6)

At this point, if the problems found in the first five of the six troubleshooting steps have been resolved, all the Frame Relay problems should be resolved. However, if the two routers on either end of the PVC have mistakenly configured IP addresses in different subnets, the routers will not be able to ping one another, and the routing protocols will not become adjacent. So, as a last step, you should confirm the IP addresses on each router, and the masks, and make sure that they connect to the same subnet. To do so, just use the show ip interface brief and show interfaces commands on the two routers.

PART 6: IPv6 Overview

I. General overview:
The next-generation Internet address, IPv6 (IP address version 6), was proposed by the IETF (Internet Engineering Task Force), the technical group of the Internet Society, and inherits the structure and organization of IPv4.
IPv4 has 32-bit addresses and can theoretically provide an address space of 2^32 = 4 294 967 296 addresses. IPv6 has 128-bit addresses, 4 times longer than IPv4, but can theoretically provide an address space of 2^128 = 340 282 366 920 938 463 463 374 607 431 768 211 456 addresses, about 8 billion billion billion times more than the IPv4 address space.
This is an extremely large address space, intended not only for the Internet but also for all computer networks, telecommunication systems, control systems, and even individual household items. Current demand needs only 15% of the IPv6 address space, with the remaining 85% reserved for the future.
II. How IPv6 addresses are written:
An IPv6 address is 128 bits long, so remembering addresses is very difficult; written in the usual IPv4 form, an IPv6 address would have 16 decimal groups. The designers therefore chose to write the 128-bit address as 8 groups, each group occupying 2 bytes, each byte represented by 2 hexadecimal digits; the groups are separated by colons. For example:
FED1:BA98:7654:FEDC:BA98:7654:3210:ABCD
Hexadecimal notation has the advantage of being more compact and neater. However, this notation also causes certain complications for network administrators. In general, people usually use host names instead of addresses.
One way to make things simpler is a set of rules that permit abbreviation. Because initially we will not use all 128 bits of the address length, there will be many zeros in the leading bits.
A first improvement is that the leading zeros of each hexadecimal component may be omitted, writing 0 instead of the full 0000, for example writing 8 instead of 0008. This notation gives shorter addresses. For example:
1080:0:0:0:8:800:200C:417A
There is also another abbreviation rule, the double-colon convention. Within an address, a group of consecutive zeros can be replaced by a double colon. For example, we can replace the 3 consecutive zero groups in the previous example and get the shorter form:
1080::8:800:200C:417A
From this abbreviated address, the exact original address can be rewritten using the following rule: left-align the numbers to the left of the double colon in the address, then right-align all the numbers to the right of the double colon, and fill the gap with zeros. For example:
FEDC:BA98::7654:3210 has the full address:
FEDC:BA98:0:0:0:0:7654:3210
FEDC:BA98:7654:3210:: has the full address:
FEDC:BA98:7654:3210:0:0:0:0
::FEDC:BA98:7654:3210 has the full address:
0:0:0:0:FEDC:BA98:7654:3210
The double-colon convention can be used only once in an address. For example, 0:0:0:BA98:7654:0:0:0 can be abbreviated as ::BA98:7654:0:0:0 or 0:0:0:BA98:7654:: but cannot be abbreviated as ::BA98:7654:: because that would cause confusion when translating back to the full address.
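The abbreviation rules above can be checked mechanically. The following Python sketch is an added example, not part of the original text: it expands the shortened forms, rejects a second double colon, lists the full addresses that an address with two double colons could stand for, and re-compresses the longest zero run. The function names are chosen for this illustration.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _groups(part):
    """Split one side of an address into validated 16-bit group values."""
    if part == "":
        return []
    values = []
    for group in part.split(":"):
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError(f"bad group {group!r}")
        values.append(int(group, 16))
    return values


def expand(text):
    """Return the 8 group values of an address written with the shortcuts."""
    if text.count("::") > 1:
        raise ValueError("'::' may be used only once in an address")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _groups(left), _groups(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        # Left-align the head, right-align the tail, fill the gap with zeros.
        return head + [0] * missing + tail
    groups = _groups(text)
    if len(groups) != 8:
        raise ValueError("an address without '::' needs exactly 8 groups")
    return groups


def full(groups):
    """Format groups the way the text does: leading zeros dropped, no '::'."""
    return ":".join(format(g, "X") for g in groups)


def compress(groups):
    """Replace the first longest run of zero groups (2 or more) with '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    words = [format(g, "X") for g in groups]
    if best_len < 2:  # choice of this example: a single 0 stays as "0"
        return ":".join(words)
    return (":".join(words[:best_start]) + "::"
            + ":".join(words[best_start + best_len:]))


def ambiguous_readings(text):
    """All full addresses that a string with exactly two '::' could mean."""
    a, b, c = (_groups(p) for p in text.split("::"))
    zeros = 8 - len(a) - len(b) - len(c)
    return [full(a + [0] * i + b + [0] * (zeros - i) + c)
            for i in range(1, zeros)]


if __name__ == "__main__":
    print(full(expand("1080::8:800:200C:417A")))
    print(compress(expand("0:0:0:BA98:7654:0:0:0")))
    print(ambiguous_readings("::BA98:7654::"))
```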
Some IPv6 addresses are formed by prepending 96 zero bits to an IPv4 address (this is easy to recognize because the IPv4 address space is just a subset of IPv6). To reduce the risk of confusion when converting between the dotted-decimal notation of IPv4 and the colon notation of IPv6, the IPv6 designers also provided a special format for writing addresses of this kind. Instead of writing the address the IPv6 way as:
0:0:0:0:0:0:A000:1
we can leave the last 32 bits in dotted-decimal form.
::10.0.0.1
In addition, network addresses can be written as prefixes, which are the high-order bits of an IPv6 address; this is useful for routing: an IPv6 address followed by a slash and a decimal number that gives the length of the prefix in bits. For example, the notation:
FEDC:BA98:7600::/40
describes a 40-bit prefix whose binary value is:
1111111011100101110101001100001110110
Broadcasting in IPv4 has several problems. A broadcast generates an interrupt in every computer on the network and, in some cases, triggers malfunctions that can completely halt an entire network. This disastrous event is known as a broadcast storm.

In IPv6, broadcasting does not exist. IPv6 replaces broadcasts with multicasts and anycasts. Multicast enables efficient network operation by using a number of functionally specific multicast groups to send requests to a limited number of computers on the network. The multicast groups prevent most of the problems related to broadcast storms in IPv4.

The range of multicast addresses in IPv6 is larger than in IPv4. For the foreseeable future, the allocation of multicast groups is not limited.

IPv6 also defines a type of address called an anycast address. An anycast address identifies a list of devices or nodes; therefore, an anycast address identifies multiple interfaces. Anycast addresses are like a cross between unicast and multicast addresses. These addresses are designed for commonly used services such as DNS. Unicast sends a packet to one specific device with a specific address, and multicast sends a packet to every member of a group. An anycast address sends a packet to any one member of the group of devices that has the anycast address assigned.

For efficiency, a packet sent to an anycast address is delivered to the closest interface, as defined by the routing protocols in use, that is identified by the anycast address, so anycast can also be thought of as a "one-to-nearest" type of address. Anycast addresses are syntactically indistinguishable from global unicast addresses because anycast addresses are allocated from the global unicast address space.

III. How IPv6 addresses are assigned:
According to the IPv6 protocol specification, all types of IPv6 addresses are assigned to interfaces, not to nodes (unlike IPv4). An IPv6 unicast address is assigned to a single interface. Because each interface belongs to a single node, every unicast address that identifies an interface also identifies a node.
A single interface can be assigned several types of IPv6 address (the 3 forms unicast, anycast and multicast are allowed at the same time). However, an interface must be assigned a link-local unicast IPv6 address. For point-to-point connections between interfaces, link-local unicast addresses are usually assigned to the interfaces that make the connection.
IPv6 also allows a unicast address or a group of unicast addresses to be used to identify a group of interfaces. With this assignment method, a group of interfaces is treated as a single interface at the IP layer.
By IPv6 design, a host can be identified by the following addresses:
- A link-local address provided by the service provider.
- A unicast address provided by the service providers.
- A loopback address.
- A multicast address, for a group of which the host is a member.
A router that supports IPv6 recognizes all the address types that a host accepts, as listed above, and in addition can be assigned the following address types:
- All multicast addresses assigned on the router.
- All anycast addresses configured on the router.
- All multicast addresses of the groups that the router manages.
IV. IPv6 address structure:
IPv4 addresses are divided into 5 classes A, B, C, D and E, whereas IPv6 addresses are divided into 3 main types, as follows:
- Unicast address: An address used to identify a single node; a packet sent to a unicast address is delivered to the node that has that unicast address.
- Anycast address: An address used to identify a set of nodes made up of several different nodes; a packet sent to an anycast address is delivered to the nearest node in the set of nodes that has that anycast address.
- Multicast address: An address used to identify a set of nodes made up of several different nodes; a packet sent to a multicast address is delivered to all the nodes in the set of nodes that has that multicast address.
1. Unicast addresses:
This address type has many kinds; let us look at some of them:
a. Local-use unicast address. A unicast address for local use, used by an organization that has its own computer network (for internal use) that is not yet connected to the current global Internet but is ready to connect when needed.
This address is divided into two kinds: link-local, which identifies the local link, and site-local, which identifies within a local site that may contain several groups.

Figure 6-1: Link-local address structure

Figure 6-2: Site-local address structure
The first bits (10 bits in this case) are similar to the class bits of IPv4, but in IPv6 they are called the prefix and are used to distinguish the different types and kinds of IPv6 addresses.
In both of the cases above, the Interface ID field identifies a device such as a node or a router, but both use the same domain name.
b. IPX address: Internetwork Packet eXchange, which exchanges packets between networks, is the basic protocol in the Novell NetWare operating system.
IPX addresses are converted to IPv6 in the following form:

Figure 6-3: IPX address structure
c. IPv6 address with embedded IPv4: An IPv6 address that carries an IPv4 address. This is an important structure in the transition from the old addresses to the new addresses on the Internet. There are two kinds:
IPv4-compatible IPv6 address. Nodes that have IPv6 addresses use this kind of address to carry the 32-bit IPv4 address at the end, so that they can connect with nodes that have IPv4 addresses.

Figure 6-4: IPv4-compatible IPv6 address structure.
IPv4-mapped IPv6 address. Nodes that have IPv4 addresses use this kind of address to be compatible with IPv6, so that they can connect with nodes that have IPv6 addresses.

Figure 6-5: IPv4-mapped IPv6 address structure.
The difference between the two kinds of address is in 16 bits: in the first kind all of these bits are 0, whereas in the second kind all of these bits are 1 (FFFF in hex).
d. Aggregatable Global Unicast Address. A unicast address on the global network. This kind of address is designed for current and future ISPs. Future ISPs will be of a larger scale, such as Internet carriers. In this case they are called exchanges on the Internet, providing Internet access and services to both customers (end users) and ISPs.

Figure 6-6: Global unicast address structure

2. Anycast addresses:
This kind of address is similar to unicast: if an address is assigned to one node it is unicast, and if the same address is assigned to several nodes it is anycast. Because an anycast address is assigned to a group of nodes made up of several nodes (a subnet), a packet sent to an anycast address is delivered to the nearest node (router) in the subnet that has that address.

Figure 6-7: Anycast address structure.

3. Multicast addresses:
An IPv6 multicast address identifies a set of nodes, in other words a group of nodes. Every node in the group has the same address.

Figure 6-8: Multicast address structure.
The first 8 prefix bits identify the multicast address type, and the next 4 bits (Flgs) are 4 flags with the following values:

The first three bits are not yet used, so they are 0, and the fourth bit has the value T. If T = 0, the address has been permanently assigned by the NIC.
If T = 1, the address is temporary.
The next four bits (scop) have a decimal value from 0 to 15, which in hex is 0 to F.
If scope = 1: node-local
If scope = 2: link-local
If scope = 5: site-local
If scope = 8: organization-local
If scope = E: global scope, the global Internet addresses.
The remaining values are reserved.
For example: LANs that follow the IEEE 802 MAC (Media Access Control) standard, when using IPv6 multicast, use the last 32 bits of the 112 bits reserved for identifying the group of nodes (group ID) to build the MAC address; the remaining 80 bits are not yet used and must be set to 0.


Figure 6-9: LAN MAC address structure.
The larger address space allows more addresses to be allocated to ISPs and organizations. An ISP aggregates all of the prefixes of its customers and announces a single prefix to the IPv6 Internet. The increased address space is enough to allow organizations to define a single prefix for their entire network. Figure 6-10 shows how this aggregation occurs.

Figure 6-10: IPv6 address aggregation.

Aggregation of customer prefixes results in an efficient and scalable routing table. Scalable routing is necessary for broader adoption of network functions. Routing also helps improve the scalability of network bandwidth and functionality for user traffic that connects the various devices and applications.

Internet usage, both now and in the future, can include the following elements:

- A huge increase in the number of consumers with high-speed broadband connections.

- Users who spend more time online and are generally willing to spend more money on communications services (such as downloading music) and high-value search services.

- Home networks with expanded network applications such as wireless VoIP, home surveillance, and advanced services such as online video.

- Massively scalable games with global participants and media that provide learners with on-demand remote labs or lab simulations...

V. Assigning IPv6 addresses to interfaces:
Interface identifiers in IPv6 addresses are used to identify interfaces on a link. They can also be thought of as the "host portion" of an IPv6 address. Interface identifiers must be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 media and encapsulation.

There are several ways to assign an IPv6 address to a device:

- Static assignment using a manual interface ID
- Static assignment using an EUI-64 interface ID
- Autoconfiguration
- DHCP for IPv6 (DHCPv6)

1. Manual interface configuration:

One way to statically assign an IPv6 address to a device is to manually assign both the prefix (network) and the interface ID (host) portion of the IPv6 address. To configure an IPv6 address on a Cisco router interface and enable IPv6 processing on that interface, use the ipv6 address ipv6-address/prefix-length command in interface configuration mode.

To enable IPv6 processing on the interface and configure an address based on the directly specified bits, you would use the command shown here:

Router(config)#ipv6 address 2001:DB8:2222:7272::72/64

2. Assigning addresses with EUI-64:
Another way to statically assign an IPv6 address is to configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID.

To configure an IPv6 address for an interface and enable IPv6 processing on the interface using an EUI-64 interface ID in the low-order 64 bits of the address (host), use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode.

To assign the IPv6 address 2001:0DB8:0:1::/64 to the Ethernet interface and use an EUI-64 interface ID in the low-order 64 bits of the address, enter the following commands:


Router(config)#interface ethernet 0
Router(config-if)#ipv6 address 2001:0DB8:1:1::/64 eui-64

3. Autoconfiguration:

As its name implies, autoconfiguration is a mechanism that automatically configures the IPv6 address of a node. In IPv6, it is assumed that non-PC devices, as well as computer terminals, will be connected to the network. The autoconfiguration mechanism was introduced to enable plug-and-play networking of these devices, which helps reduce administration costs.

Autoconfiguration is a key feature of IPv6. It enables basic configuration of nodes and easy renumbering.

Autoconfiguration uses the information in router advertisement messages to configure the node. The prefix included in the router advertisement is used as the /64 prefix for the node address. The other 64 bits are obtained by creating the interface identifier, which in the case of Ethernet is in EUI-64 format.

Routers send advertisements periodically. When a node boots, it needs its address in the early stage of the boot process. It can be "long" to wait for the next router advertisement to get the information needed to configure its interface. Instead, the node sends a message to the routers on the network asking them to reply immediately with an advertisement, so that the node can immediately autoconfigure its IPv6 address. All the routers respond with a normal advertisement with the all-nodes multicast address as the destination address. Figure 6-11 illustrates autoconfiguration.

Figure 6-11: Autoconfiguration.

Autoconfiguration enables plug-and-play configuration of an IPv6 device, which allows devices to connect themselves to the network without any configuration from an administrator and without any servers, such as DHCP servers. This key feature enables the deployment of new devices on the Internet, such as cell phones, wireless devices, home appliances, and home networks.

4. DHCPv6 (Stateful)

DHCP for IPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to nodes. It offers the capability of automatic allocation of reusable network addresses and additional flexibility. This protocol is a stateful counterpart to IPv6 address autoconfiguration (RFC 2462), and it can be used separately or concurrently with IPv6 address autoconfiguration to obtain configuration parameters.

5. Using the EUI-64 format in IPv6 addresses:

The 64-bit interface identifier in an IPv6 address identifies a unique interface on a link. A link is a network medium over which network nodes communicate using the link layer. The interface identifier can also be unique over a broader scope. In many cases, an interface identifier is the same as, or is based on, the link layer (MAC) address of an interface. As in IPv4, a subnet prefix in IPv6 is associated with one link. Figure 6-12 illustrates the IPv6 EUI-64 interface identifier.

Figure 6-12: EUI-64 interface identifier.

Interface identifiers in global unicast and other IPv6 address types must be 64 bits long and can be constructed in the 64-bit EUI-64 format. The EUI-64 format interface ID is derived from the 48-bit (MAC) address by inserting the hexadecimal number FFFE between the upper 3 bytes (the organizationally unique identifier [OUI] field) and the lower 3 bytes (serial number) of the link layer address. To make sure that the chosen address is from a unique Ethernet MAC address, the seventh bit in the high-order byte is set to 1 to indicate the uniqueness of the 48-bit address.
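The derivation just described, as an added Python example that is not part of the original text. The MAC address 00:90:27:17:FC:0F is a constructed sample, and the prefix is the one used in the eui-64 command earlier in this section. The code inverts the seventh bit as RFC 4291 specifies, which for a burned-in, globally unique MAC address is the same as setting it to 1; the last function shows that the derivation is reversible, so an EUI-64 address discloses the MAC address of the interface.

```python
import ipaddress


def eui64_interface_id(mac):
    """Turn a 48-bit MAC address into a 64-bit EUI-64 interface ID (int)."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address")
    raw = bytearray.fromhex(digits)
    raw[0] ^= 0x02  # seventh bit of the high-order byte (universal/local)
    # Insert FFFE between the OUI (upper 3 bytes) and the lower 3 bytes.
    eui = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID of a MAC address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(address):
    """Recover the MAC address from an EUI-64 derived address, else None."""
    low64 = int(ipaddress.IPv6Address(address)) & (2**64 - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # interface ID was not built by the FFFE insertion
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the bit inversion
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    sample_mac = "00:90:27:17:FC:0F"  # constructed sample value
    addr = eui64_address("2001:0DB8:1:1::/64", sample_mac)
    print(addr)
    print(mac_from_eui64(str(addr)))
```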


VI. Routing considerations with IPv6:

IPv6 uses longest-prefix match routing just like IPv4. Many of the common routing protocols have been modified to handle IPv6 addresses and the different header structures.

You can use and configure IPv6 static routing in the same way that you would with IPv4. There is an IPv6-specific requirement per RFC 2461 that a router must be able to determine the link-local address of each of its neighboring routers, to ensure that the target address of a redirect message identifies the neighboring router by its link-local address. This requirement means that using a global unicast address as a next-hop address with IPv6 routing is not recommended.

Cisco IOS enables IPv6 with the ipv6 unicast-routing command. You must enable IPv6 unicast routing before an IPv6 routing protocol, or an IPv6 static route, will work.

Routing Information Protocol next generation (RIPng) (RFC 2080) is a distance vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse to prevent routing loops. RIPng includes the following features:

- Is based on IPv4 Routing Information Protocol (RIP) version 2 (RIPv2) and is similar to RIPv2
- Uses IPv6 for transport
- Includes the IPv6 prefix and the next-hop IPv6 address
- Uses the multicast group FF02::9 as the destination address for RIP updates
- Sends updates on UDP port 521.
VII. IPv6 deployment strategies:

The transition from IPv4 does not require upgrades on all nodes at the same time. Many transition mechanisms enable smooth integration of IPv4 and IPv6. Other mechanisms that allow IPv4 nodes to communicate with IPv6 nodes are available. All of these mechanisms are applied to different situations. Figure 6-13 shows that IPv6 hosts may have to go through an IPv4 network during this transition.




Figure 6-13: IPv4-to-IPv6 transition.

The three most common techniques to transition from IPv4 to IPv6 are as follows:

Dual stack: Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 and an IPv6 network. As a result, the node and its corresponding routers have two protocol stacks.

Tunneling: Several tunneling techniques are available:

- Manual IPv6-over-IPv4 tunneling: An integration method in which an IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.

- Dynamic 6to4 tunneling: A method that automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet. The dynamic 6to4 tunneling method is applied to allow rapid deployment of IPv6 in a corporate network without obtaining addresses from the ISPs or registries.

- Intra-Site Automatic Tunnel Protocol (ISATAP) tunneling: An automatic mechanism that uses the underlying IPv4 network as a link layer for IPv6. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other hosts as if on a virtual link, creating an IPv6 network that uses the IPv4 infrastructure.

- Teredo tunneling: An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling. It is used to pass unicast IPv6 traffic when dual-stacked hosts (hosts that are running both IPv6 and IPv4) are located behind one or more IPv4 NATs.

Proxying and translation (NAT-PT): A translation mechanism that sits between an IPv6 network and an IPv4 network. The job of the translator is to translate IPv6 packets into IPv4 packets and vice versa.

Dual stack is an integration method in which a node implements and
connects to both IPv4 and IPv6 networks; the node therefore has two stacks, as
illustrated in Figure 6-14.


Figure 6-14: Cisco IOS Dual Stack.

When both basic IPv4 and IPv6 configuration are applied to an interface, the
interface is dual-stacked and forwards both IPv4 and IPv6 traffic. Figure 6-15
shows an example of this configuration.



Figure 6-15: Dual-Stack configuration.

Using IPv6 on a Cisco IOS router requires the global configuration command
ipv6 unicast-routing.

This command enables the forwarding of IPv6 packets.

Tunneling is an integration method in which an IPv6 packet is encapsulated
within another protocol, such as IPv4. Figure 6-16 shows how IPv6 tunneling
operates.

Figure 6-16: IPv6 tunneling.
When IPv4 is used to encapsulate the IPv6 packet, a protocol type of 41 is
specified in the IPv4 header, and the packet has the following characteristics:

- Includes a 20-byte IPv4 header with no options, followed by an IPv6 header
and payload.
- Requires dual-stack routers.

This process enables IPv6 connectivity without the need to convert the
intermediate network to IPv6. Tunneling presents these two issues:

- The maximum transmission unit (MTU) is effectively reduced by 20 octets if
the IPv4 header has no options field.
- A tunneled network is often difficult to troubleshoot.

Tunneling is an intermediate integration and transition technique that should
not be considered a final solution. A native IPv6 architecture must be the
ultimate goal.
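The encapsulation described above (protocol 41, a 20-byte option-free IPv4 header, and the resulting 20-octet MTU reduction) can be reproduced byte for byte. This is an added example, not code from the original page; the addresses are documentation prefixes chosen for illustration and the function names are this example's own.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv4 protocol number for an encapsulated IPv6 packet
IPV4_HEADER_LEN = 20     # IPv4 header without options


def checksum(header):
    """Internet checksum over the IPv4 header (16-bit one's complement sum)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def sample_ipv6_packet(payload=b""):
    """Constructed IPv6 packet: 40-byte header (next header 59 = none) + payload."""
    src = ipaddress.IPv6Address("2001:db8:a::1").packed
    dst = ipaddress.IPv6Address("2001:db8:b::1").packed
    return struct.pack("!IHBB", 0x60000000, len(payload), 59, 64) + src + dst + payload


def encapsulate(ipv6_packet, tunnel_src, tunnel_dst, ttl=64):
    """Tunnel entry: prepend a 20-byte IPv4 header carrying protocol 41."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HEADER_LEN + len(ipv6_packet),  # version 4, IHL 5, total length
        0, 0,                                          # identification, flags/fragment
        ttl, IPPROTO_IPV6, 0,                          # checksum filled in below
        ipaddress.IPv4Address(tunnel_src).packed,
        ipaddress.IPv4Address(tunnel_dst).packed,
    )
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(packet):
    """Tunnel exit: validate the outer header and return the inner IPv6 packet."""
    if len(packet) < IPV4_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    if len(inner) != 40 + struct.unpack("!H", inner[4:6])[0]:
        raise ValueError("IPv6 payload length does not match")
    return inner


def tunnel_mtu(link_mtu, ipv4_options_len=0):
    """Largest IPv6 packet that fits in one IPv4 packet on this link."""
    return link_mtu - IPV4_HEADER_LEN - ipv4_options_len
```

On a 1500-byte link, tunnel_mtu(1500) gives 1480, which is the 20-octet reduction noted above.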

In a manually configured tunnel, you configure both the IPv4 and IPv6 addresses
statically on the routers at each end of the tunnel. These routers must be
dual-stacked, and the configuration cannot change dynamically as network and
routing needs change. You must also set up routing properly to forward
packets between the two IPv6 networks. Figure 6-17 illustrates the requirements
for IPv6 tunnels.


Figure 6-17: IPv6 tunnel requirements.
Tunnel endpoints can be unnumbered, but unnumbered endpoints are hard to
troubleshoot. The IPv4 practice of saving addresses on tunnel endpoints is no
longer an issue with IPv6.

VIII. Configuring IPv6:

There are two basic steps to activate IPv6 on a router. First, you must enable
IPv6 traffic forwarding on the router, and then you must configure each
interface that requires IPv6.

By default, IPv6 traffic forwarding is disabled on a Cisco router. To enable
IPv6 traffic forwarding between interfaces, you must configure the global
command ipv6 unicast-routing. This command enables forwarding of unicast
IPv6 traffic.

The ipv6 address command can configure a global IPv6 address. The link-local
address is configured automatically when an address is assigned to the
interface. You must specify the entire 128-bit IPv6 address or specify a 64-bit
prefix together with the eui-64 option.

You can specify the IPv6 address in full or compute it from the EUI-64
identifier of the interface. In the example shown in Figure 6-18, the IPv6
addresses of the interfaces are configured using the EUI-64 format.

Alternatively, you can specify the entire IPv6 address to assign to a router
interface with the ipv6 address ipv6-address/prefix-length command in
interface configuration mode.

You can perform name resolution from Cisco IOS software in two ways:

- You can define a static name for an IPv6 address with the command
ipv6 host name [port] ipv6-address1 [ipv6-address2 ... ipv6-address4].
You can define up to four IPv6 addresses for one hostname. The port option
refers to the Telnet port to be used for the associated host.

- To specify the DNS server used by the router, use the ip name-server
address command. The address can be an IPv4 or IPv6 address. You can specify
up to six DNS servers with this command.

Configuring and verifying RIPng for IPv6:

The following describes the syntax of some commands commonly used to
configure RIPng. For RIPng, instead of using the network command to identify
which interfaces should run RIPng, you use the ipv6 rip tag enable command in
interface configuration mode to enable RIPng on an interface. The tag parameter
that you use for the ipv6 rip enable command must match the tag parameter in
the ipv6 router rip command.

Example: Configuring RIPng for IPv6.

Figure 6-18 shows a network of two routers. Router Y is connected to the
default network. On both Router X and Router Y, "RT0" is a tag that identifies
the RIPng process. RIPng is enabled on the first Ethernet interface of the
Router with the ipv6 rip RT0 enable command. Router X shows RIPng enabled
on both Ethernet interfaces with the ipv6 rip RT0 enable command.

Figure 6-18: RIPng configuration example.
The key points discussed in this section are summarized below:

- IPv6 offers many additional benefits over IPv4, including a larger address
space, easier address aggregation, and integrated security.
- An IPv6 address is 128 bits long and is made up of a 48-bit global prefix, a
16-bit subnet ID, and a 64-bit interface identifier.
- There are several ways to assign IPv6 addresses: statically, automatically,
and with DHCPv6.
- Cisco supports all of the IPv6 routing protocols: RIPng, OSPFv3, and EIGRP.
- Moving from IPv4 to IPv6 requires dual stack, tunneling, and possibly NAT-PT.
- Use the ipv6 unicast-routing command to enable IPv6, and ipv6 address
ipv6-address/prefix-length to assign interface addresses and enable an IPv6
routing protocol.




PART 7: Illustrative labs

I. Configuring a Standard Access List.
1. Lab description and diagram:
This lab walks through configuring a Standard Access List on a Cisco
router, with the goal of preventing Router2 from exchanging traffic with Host.

2. Router configuration:
Router1:
interface Ethernet0
ip address 11.0.0.1 255.255.255.0
no ip directed-broadcast

interface Serial0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast

Router2:
interface Serial0
ip address 192.168.1.2 255.255.255.0
clockrate 56000

Host:
IP address 11.0.0.2
Subnet mask: 255.255.255.0
Gateway: 11.0.0.1

3. Perform the configuration as required:
- Configure routing on the routers as follows (using RIP):
Router1(config)#router rip
Router1(config-router)#network 192.168.1.0
Router1(config-router)#network 11.0.0.0
!
Router2(config)#router rip
Router2(config-router)#network 192.168.1.0
Router2(config-router)#network 10.0.0.0

Verify routing:
Router2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =32/34/36 ms
Router2#ping 11.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =32/34/36 ms
Router2#ping 11.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =32/34/36 ms
After routing is configured and you have confirmed that the network is
reachable, create an ACL to prevent Router2 from pinging the host.
Because any packet destined for the host's address must pass through
Router1, create the Access List on Router1 as follows:
Router1(config)#access-list 1 deny 192.168.1.2 0.0.0.0
//deny access from address 192.168.1.2//

Now ping the host from Router2:

Router2#ping 11.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =32/34/36 ms
The ping still succeeds, because the Access List has not yet been applied to
interface Serial0 of Router1.
Router1(config)#interface Serial0
Router1(config-if)#ip access-group 1 in //filter traffic entering Serial 0 according to access group 1//

Router2#ping 11.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Change the addresses of the routers:
Router2:
interface Serial0
ip address 192.168.15.2 255.255.255.0

Router1:
interface Serial0
ip address 192.168.15.1 255.255.255.0

Redo the routing:
Router2(config)#router rip
Router2(config-router)#network 192.168.15.0
!
Router1(config)#router rip
Router1(config-router)#network 192.168.15.0
Router1(config-router)#network 11.0.0.0

Run the ping:
Router2#ping 11.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
The ping still fails. The reason is that when the source address is not found
in the ACL, the router applies the default deny any, so this default must be
overridden:
Router1(config)#access-list 1 permit any

Now run the ping again:
Router2#ping 11.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =32/34/36 ms
The ping succeeds.

II. Configuring an Extended Access List
1. Lab description and diagram:
The goal of this lab is to configure an Extended Access List so that Host1
cannot Telnet into Router2 but can still browse the Web through Router2.

2. Device configuration:
Host1:
IP address 11.0.0.2
Subnet mask 255.255.255.0
Gateway 11.0.0.1


Host2:
IP address 10.0.0.2
Subnet mask 255.255.255.0
Gateway 10.0.0.1

Router1:
interface Ethernet0
ip address 11.0.0.1 255.255.255.0
no ip directed-broadcast
!
interface Serial0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast

Router2:
interface Ethernet0
ip address 10.0.0.1 255.255.255.0
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
clockrate 56000

3. Perform the configuration as required:
Configure routing on the routers:

Router1(config)#router rip
Router1(config-router)#network 11.0.0.0
Router1(config-router)#network 192.168.1.0
!
Router2(config)#router rip
Router2(config-router)#network 10.0.0.0
Router2(config-router)#network 192.168.1.0

Run ping to verify routing. Once you are sure that routing works, run the
following command on Router2:
Router2(config)#ip http server //makes the router act as an http server//

The router now acts as a web server.
Once routing works, Telnet and browse the web from host1 to Router2.
Note: for Telnet to succeed, login must be enabled on the vty lines and a
password set for them (here it is Cisco).
Telnet:


Web browsing succeeds in the same way.
Once these checks succeed, configure the ACL as follows:
Router2(config)#access-list 101 deny tcp 11.0.0.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet
Router2(config)#interface Serial0
Router2(config-if)#ip access-group 101 in

Repeat the Telnet as above: Telnet now fails, but web browsing fails too,
which does not meet the requirement.
Telnet:

Web browsing:



For web browsing to succeed, add a command that overrides the ACL's default
deny any.
Router2(config)#access-list 101 permit ip any any

Note that in an extended ACL the router checks the source address, destination
address, protocol and port, so permit ip any any means that all other source and
destination addresses (those not found in the ACL) carried over IP are allowed
through.
Now repeat the web browsing test.


This completes the extended ACL configuration.
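The first-match and implicit deny any behaviour observed in labs I and II can be replayed offline. This is an added example, not router code and not from the original page: a small Python model that parses the labs' own access-list lines and evaluates packets against them. It handles only the syntax the labs use (any, host, address plus wildcard, eq port); the PORT_NAMES table and the function names are this example's own.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80}
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"


def _addr_spec(tokens):
    """Consume `any`, `host A` or `A [wildcard]` from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = 0
    if tokens and "." in tokens[0]:
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(first)), wildcard


def parse_entry(line):
    """Parse one numbered access-list line (standard 1-99, extended 100-199)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    extended = 100 <= number <= 199
    entry = {"number": number, "action": action, "port": None}
    entry["proto"] = rest.pop(0) if extended else "ip"
    entry["src"] = _addr_spec(rest)
    entry["dst"] = _addr_spec(rest) if extended else ANY
    if rest[:1] == ["eq"]:
        entry["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    return entry


def _matches(spec, address):
    """Wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(lines, number, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return (action, matched line) for a packet; the first match wins."""
    for line in lines:
        e = parse_entry(line)
        if e["number"] != number or e["proto"] not in ("ip", proto):
            continue
        if not (_matches(e["src"], src) and _matches(e["dst"], dst)):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], line
    return "deny", "implicit deny any"  # nothing matched


# The labs' entries, in the order the labs enter them.
STANDARD = ["access-list 1 deny 192.168.1.2 0.0.0.0", "access-list 1 permit any"]
EXTENDED = [
    "access-list 101 deny tcp 11.0.0.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet",
    "access-list 101 permit ip any any",
]
```

Evaluating with only the first entry of each list reproduces the failed ping from 192.168.15.2 and the failed web request. The model also shows that the Telnet deny entry names only 192.168.1.2, so when reviewing such a list, check it against every address the router owns (here also 10.0.0.1).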

III. Configuring static NAT
1. Lab description and diagram:

In this lab, R1 is configured as an ISP and R2 is configured as a
gateway.
2. Device configuration:
Configure the routers as follows:
R1(config)#interface Serial 1
R1(config-if)#ip address 192.168.0.1 255.255.255.0

R1(config-if)#no shutdown
R1(config-if)#clock rate 64000
R1(config)#interface ethernet 0
R1(config-if)#ip address 10.1.0.1 255.255.0.0
R1(config-if)#no shutdown
!
R2(config)#interface Serial 1
R2(config-if)#ip address 192.168.0.2 255.255.255.0
R2(config-if)#ip nat outside //configure interface S1 as the outside interface//
R2(config)#interface ethernet 0
R2(config-if)#ip address 11.1.0.1 255.255.0.0
R2(config-if)#no shutdown
R2(config-if)#ip nat inside //configure interface E0 as the inside interface//

3. Perform the configuration as required:
Configure static NAT on R2 with the command:
R2(config)#ip nat inside source static 11.1.0.2 172.17.0.1

The command means: packets originating from PC2 that leave through R2 have
their source IP address changed from 11.1.0.2 to 172.17.0.1 (this is the
address registered with the ISP).
Set static routes on the two routers:
R1(config)#ip route 172.17.0.0 255.255.0.0 192.168.0.2
!
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1
Address 172.17.0.1 is the registered address. In practice the ISP only routes
down to the user by this registered address.
To check how R2 performs NAT, use the following command:
R2#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 172.17.0.1 11.1.0.2 --- ---

To see how R2 translates addresses, use the command:
R2#debug ip nat

From R2, ping interface Serial 0 of R1
R2#ping 192.168.0.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 11.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =4/4/8 ms
The following messages then appear on R2's screen:

Address 11.1.0.2 is translated to 172.17.0.1 with destination address
192.168.0.1, and the ICMP reply sent back likewise has its destination address
translated from 172.17.0.1 to 11.1.0.2.

The numbers 267, 268, 269, 270 are the sessions in the NAT process.
IV. Configuring NAT overload
1. Lab diagram:

2. Lab configuration:
Configure NAT on R1 with the following steps:
Step 1: configure the inside and outside interfaces.
In this lab the loopback interfaces of R1 are inside and interface Serial 0
is outside.
R1(config)#interface loopback 0
R1(config-if)#ip nat inside
R1(config)#interface loopback 1
R1(config-if)#ip nat inside
R1(config)#interface loopback 2
R1(config-if)#ip nat inside
R1(config)#interface Serial 0
R1(config-if)#ip nat outside

Step 2: Create an access list that defines which networks are NATed.
We permit networks 10.1.0.0/16 and 11.1.0.0/16 and deny network
12.1.0.0/16:
R1(config)#access-list 1 deny 12.1.0.0 0.0.255.255
R1(config)#access-list 1 permit any

Step 3: Create a NAT pool on R1
Configure a NAT pool named Router1 with addresses from 172.1.1.1/24 to
172.1.1.5/24
R1(config)#ip nat pool Router1 172.1.1.1 172.1.1.5 netmask 255.255.255.0

Step 4: Configure NAT on the router.
R1(config)#ip nat inside source list 1 pool Router1 overload

The command above configures overload for the NAT pool.
Step 5: Configure routing on the routers.
R1(config)#ip route 13.1.0.0 255.255.0.0 192.168.1.2
!
R2(config)#ip route 172.1.1.0 255.255.255.0 192.168.1.1

Step 6: Check NAT operation.
Check NAT with the debug ip nat command
R1#debug ip nat
IP NAT debugging is on

After enabling NAT debugging, ping R2's loopback0 from R1's loopback0.

R1#ping




From the result above we see that packets from 10.1.0.1 have their source IP
changed to 172.1.1.1
Use the show ip nat translations command to view the NAT information.
R1#show ip nat translations



The numbers in bold are the ports NAT uses for address 10.1.0.1
For 12.1.0.1, we cannot ping out because network 12.1.0.0/16 is denied in
access-list 1.
R1#ping







V. Configuring PPP PAP and CHAP
1. Lab topology:

2. Router configuration:
Step 1: Set the hostnames and the interface addresses.
Router(config)#hostname Router1
Router1(config)#interface Serial0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#clock rate 64000
!
Router(config)#hostname Router2
Router2(config)#interface Serial0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0

Check the status of the ports with the show ip interface brief command.

The serial port of Router2 is up; do the same to check the port status of
Router1.
Use the show interfaces serial command to see the parameters of the routers'
serial ports.


Both routers' serial ports use HDLC encapsulation and both are UP.
Step 2: Configure PPP PAP and CHAP:
Configuring PPP PAP:
On Router1, configure PPP on port serial0 with the encapsulation ppp
command:
Router1(config)#interface Serial0
Router1(config-if)#encapsulation ppp
Check the status of port serial 0 on Router1.



Observation: port serial 0 of Router1 is Down, which means the serial port of
Router2 is Down as well. The cause is that the two ports use different
encapsulation protocols (Serial0 of Router1 uses PPP while Router2 uses
HDLC).
We must therefore configure port serial0 of Router2 to use PPP as well.
Router2(config)#interface Serial0
Router2(config-if)#encapsulation ppp
Check the status of the serial ports.

Both ports are UP again, because both are now configured with the same
encapsulation protocol, PPP.
Before configuring PAP on the two ports, use the debug ppp authentication
command to watch the sequence of the PAP exchange.
Router2#debug ppp authentication
PPP authentication debugging is on


Configure PAP on both Serial ports.
Router1(config)#username Router2 password cisco
Router1(config)#interface Serial0
Router1(config-if)#ppp authentication pap
Router1(config-if)#ppp pap sent-username Router1 password cisco
!
Router2(config)#username Router1 password cisco
Router2(config)#interface Serial0
Router2(config-if)#ppp authentication pap
Router2(config-if)#ppp pap sent-username Router2 password cisco

Note:
In the username name password password command, name and password must
match the name and password of the remote router.
In the ppp pap sent-username name password password command, name and
password are those of the router being configured.
Once PAP is configured, the PAP sequence appears on the screen.

00:09:49: Se0 PPP: Phase is AUTHENTICATING, by both
00:09:49: Se0 PAP: O AUTH-REQ id 1 len 18 from Router2
00:09:49: Se0 PAP: I AUTH-REQ id 1 len 18 from Router1
00:09:49: Se0 PAP: Authenticating peer Router1
00:09:49: Se0 PAP: O AUTH-ACK id 1 len 5
00:09:49: Se0 PAP: I AUTH-ACK id 1 len 5
00:09:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial,
changed state to up

Both router ports are now UP. From Router2, ping port Serial0 of Router1 to
check.
Router2#ping 192.168.1.1


Configuring PPP CHAP:
Configure CHAP with the ppp authentication chap command.
Router1(config)#interface Serial0
Router1(config-if)#ppp authentication chap
!
Router2(config)#interface Serial0
Router2(config-if)#ppp authentication chap

Note: When configuring PPP CHAP we must still configure the Serial port to use
PPP encapsulation with the encapsulation ppp command, and must also use the
username name password password command to configure the name and
password that CHAP uses for authentication.
The following messages appear on the screen:
00:15:08: Se0 CHAP: O CHALLENGE id 1 len 28 from Router2
00:15:08: Se0 CHAP: I CHALLENGE id 2 len 28 from Router1
00:15:08: Se0 CHAP: O RESPONSE id 2 len 28 from Router2
00:15:08: Se0 CHAP: I RESPONSE id 1 len 28 from Router1
00:15:08: Se0 CHAP: O SUCCESS id 1 len 4
00:15:08: Se0 CHAP: I SUCCESS id 2 len 4
00:15:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0,
changed state to up

Both Serial ports are UP; from Router2, ping port Serial0 of Router1 to
check.
Router2#ping 192.168.1.1


If the name and password in the username name password password command
do not match, the port state will be DOWN, because the authentication between
the two ports uses this name and password. If they do not match, the
connection is torn down.
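The packet lengths in the debug output above (AUTH-REQ len 18, CHALLENGE and RESPONSE len 28) follow directly from the PAP and CHAP packet formats, and rebuilding them shows what each protocol puts on the link. This is an added example, not from the original page: it uses the layouts from RFC 1334 (PAP) and RFC 1994 (CHAP) and assumes CHAP with MD5; the function names and the fixed challenge value are constructed for illustration.

```python
import hashlib
import hmac
import struct


def pap_auth_req(ident, peer_id, password):
    """PAP Authenticate-Request: peer-id and password, both sent in clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """CHAP Challenge (code 1) or Response (code 2): value-size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_hash(ident, secret, challenge):
    """Response value for CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_exchange(auth_name, auth_users, peer_name, peer_users, challenge, ident=1):
    """One direction of CHAP: challenge, response, verification.

    auth_users and peer_users model each router's `username NAME password
    SECRET` lines: each side looks the secret up under the other side's name.
    """
    challenge_pkt = chap_packet(1, ident, challenge, auth_name)
    peer_secret = peer_users.get(auth_name, b"")
    response_pkt = chap_packet(
        2, ident, chap_hash(ident, peer_secret, challenge), peer_name)
    stored = auth_users.get(peer_name)
    received = response_pkt[5:5 + response_pkt[4]]
    ok = stored is not None and hmac.compare_digest(
        received, chap_hash(ident, stored, challenge))
    return challenge_pkt, response_pkt, ok


# Constructed values matching the lab: hostnames Router1/Router2, password cisco.
CHALLENGE = bytes(range(16))  # fixed for repeatability; real challenges are random
PAP_REQ = pap_auth_req(1, b"Router2", b"cisco")
CHAL, RESP, OK = chap_exchange(
    b"Router2", {b"Router1": b"cisco"},   # Router2 challenges
    b"Router1", {b"Router2": b"cisco"},   # Router1 answers
    CHALLENGE)
```

PAP_REQ contains the bytes of the password itself, while CHAL and RESP carry only the challenge and a hash, which is why a mismatched username/password pair makes verification fail and the link go down.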







VI. CONFIGURING FRAME RELAY:
1. Lab description and diagram:


2. Device configuration:
Router1:
hostname Router1
interface loopback0
ip address 10.1.0.1 255.255.255.0
interface Serial0
ip address 192.168.1.1 255.255.255.0
router rip
network 10.0.0.0
network 192.168.1.0

Router2:
hostname Router2
interface loopback0
ip address 11.1.0.1 255.255.255.0
interface Serial0
ip address 192.168.1.2 255.255.255.0
router rip
network 11.0.0.0
network 192.168.1.0

Configure frame relay on the two routers:
Router1(config)#interface Serial 0
Router1(config-if)#encapsulation frame-relay //use Frame Relay encapsulation//
Router1(config-if)#frame-relay lmi-type ansi //set the LMI type to ANSI//
!
Router2(config)#interface Serial 0
Router2(config-if)#encapsulation frame-relay //use Frame Relay encapsulation//
Router2(config-if)#frame-relay lmi-type ansi //set the LMI type to ANSI//

After configuring frame relay on the two routers, configure the frame switch
router as follows:
FrameSwitch(config)#frame-relay switching //make the router act as a frame switch//
FrameSwitch(config)#interface Serial0
FrameSwitch(config-if)#encapsulation frame-relay
FrameSwitch(config-if)#frame-relay lmi-type ansi
FrameSwitch(config-if)#frame-relay intf-type dce //set the port as a frame relay DCE//
FrameSwitch(config-if)#clock rate 64000 //provide the clock to the DTE//
FrameSwitch(config-if)#frame-relay route 102 interface s1 201
FrameSwitch(config-if)#no shutdown
!
FrameSwitch(config)#interface Serial1
FrameSwitch(config-if)#encapsulation frame-relay
FrameSwitch(config-if)#frame-relay lmi-type ansi
FrameSwitch(config-if)#frame-relay intf-type dce //set the port as a frame relay DCE//
FrameSwitch(config-if)#clock rate 64000 //provide the clock to the DTE//
FrameSwitch(config-if)#frame-relay route 201 interface s0 102
FrameSwitch(config-if)#no shutdown

The command frame-relay route 102 interface s1 201 means: any frame relay
traffic with DLCI 102 arriving on the router's Serial 0 port is sent out port
Serial1 with DLCI 201. Likewise for the command frame-relay route 201
interface s0 102: any frame relay traffic with DLCI 201 arriving on the
router's Serial 1 port is sent out port Serial0 with DLCI 102. The two commands
together create a PVC between S0 and S1.
To check whether the FrameSwitch router is operating as a frame switch, use
the show frame-relay pvc command.


DLCI USAGE shows that ports S0 and S1 are operating in frame switch mode and
are ACTIVE. The command output also shows the number of packets switched
through the port (Num pkts Switched 3).
From this result we know that the FrameSwitch router is operating as a Frame
Switch.
Check the LMI status between the FrameSwitch router and the two routers with
the show frame-relay lmi command.


The command shows information for all of the router's ports operating in
frame-relay mode.
Now check the frame relay routes on the FrameSwitch router with the
show frame-relay route command.


The output shows that traffic arriving on Serial0 with DLCI 102 is switched to
Serial1 with DLCI 201 and, conversely, traffic arriving on Serial1 with
DLCI 201 is switched to Serial0 with DLCI 102.
The output also shows that both DLCIs are active.
Moving to Router1, check whether DLCI 102 on port Serial0 is active:
Router1#show frame-relay pvc

Observation: port Serial0 of Router1 operates as a frame relay DTE and the
DLCI is active.
By default Cisco uses Inverse ARP to map the remote IP address of the PVC to
the DLCI of the local port, so we do not need to perform this step ourselves.
To verify this, use the show frame-relay map command.
Router1#show frame-relay map

The output shows that DLCI 102 is active on port Serial0 and is mapped to IP
address 192.168.1.2 of Router2's Serial0 port, and that this mapping is
dynamic.
Repeat the same steps on Router2.
Router2#show frame-relay pvc


Router2#show frame-relay map

Observation: DLCI 201 is active on port Serial0 of Router2 and is mapped to
IP address 192.168.1.1
Now check whether the networks can reach each other by pinging the remote
router's loopback ports from each of the two routers in turn.
Router1#ping 11.1.0.1

Router2#ping 10.1.0.1

The networks can reach each other, and FrameSwitch performs the frame relay
switch function correctly.


VII. CONFIGURING FRAME RELAY SUBINTERFACES
1. Lab topology:


2. Device configuration:
FrameSwitch:
Frame-relay switching
Interface Serial0
No ip address
Encapsulation frame-relay
Clock rate 64000
Frame-relay lmi-type ansi
Frame-relay intf-type dce
Frame-relay route 52 interface Serial1 51
Frame-relay route 53 interface Serial2 51
!
Interface Serial1
No ip address
Encapsulation frame-relay
Clock rate 64000
Frame-relay lmi-type ansi
Frame-relay intf-type dce
Frame-relay route 51 interface Serial0 52
!
Interface Serial2
No ip address
Encapsulation frame-relay
Clock rate 64000
Frame-relay lmi-type ansi
Frame-relay intf-type dce
Frame-relay route 51 interface Serial0 53

Router3:
Hostname Router3
Interface loopback0
Ip address 192.168.3.1 255.255.255.0
Interface Serial0
No ip address
Encapsulation frame-relay
Frame-relay lmi-type ansi
!
Interface Serial0.301 point-to-point
Ip address 192.168.5.2 255.255.255.0
Frame-relay interface-dlci 51
!
Router igrp 100
Network 192.168.3.0
Network 192.168.5.0

Router2:
Hostname Router2
Interface loopback0
Ip address 192.168.2.1 255.255.255.0
Interface Serial0
No ip address
Encapsulation frame-relay
Frame-relay lmi-type ansi
!
Interface Serial0.201 point-to-point
Ip address 192.168.4.2 255.255.255.0
Frame-relay interface-dlci 51
!
Router igrp 100
Network 192.168.2.0
Network 192.168.4.0

Router1:
Hostname Router1
Interface loopback0
Ip address 192.168.1.1 255.255.255.0
Interface Serial0
No ip address
Encapsulation frame-relay
Frame-relay lmi-type ansi
!
Interface Serial0.102 point-to-point
Ip address 192.168.4.1 255.255.255.0
Frame-relay interface-dlci 52
!
Interface Serial0.103 point-to-point
Ip address 192.168.5.1 255.255.255.0
Frame-relay interface-dlci 53
!

Check the routers' maps with the command:
Router1#show frame-relay map


Use the show frame-relay pvc command to check the PVCs.
Router2#show frame-relay pvc

Use the following command to check the LMI information.
Router1#show frame-relay lmi

FrameSwitch#show frame-relay pvc


Now check the status of the ports.
Router2#show ip interface brief

Router2#show frame-relay map


Router2#show ip route


Router2#ping 192.168.4.2

Router2#ping 192.168.4.1

Router3#ping 192.168.5.1

Router2#ping 192.168.3.1