
CISCO Networking training

NETWORKING TRAINING

CRIS-UTS WAN PROJECT

By

Tata Infotech Ltd.

Networking training

Table Of Contents

Chapter 1: Networking Basics
    Internetworking
        What is a Network?
        What is an Internetwork?
    Networking Architecture
        Open Systems Interconnection (OSI) Reference Model
        OSI Layer Wise Description

Chapter 2: Introduction to LAN
    What is a LAN?
    LAN Media-Access Methods
    Ethernet Technologies
    LAN Data Transmission Methods
    LAN Devices
        Repeater
        Hub
        Bridges and Switches
        Types of Switches
        LAN Switch
        Router

Chapter 3: Introduction to WAN Technologies
    What is a WAN?
    Point-to-Point Links
    Circuit Switching
    Packet Switching
    WAN Devices
        Modem
        CSU/DSU
    IP Addressing and Subnetting
        Classes of Networks
        Masks and IP Address Formats
    WAN Protocols
        Point-to-Point Protocol

Chapter 4: Cisco Routers Basic
    Cisco IOS
        Router Components
        Command-Line Interface
        Navigating the IOS CLI
        Configuration Processes and the Configuration File

Chapter 5: Routing Basics
    Basics
        Routing
        Routing Protocol
        Static Routing
        Dynamic Routing
        Administrative Distances

Chapter 6: Routing Protocol
    Basics
    Routing
    Routed Protocol (Routable Protocol)
    Routing Protocol
    Static Routing
    Dynamic Routing
    Administrative Distances
    Dynamic Routing Protocol
    Distance Vector
    Link State
    Hybrid
    Distance-Vector Routing Protocols
    Routing Information Protocol (RIP)
        Routing Updates
        RIP Routing Metric
        RIP Timers
        RIP Version 2
        Summary
    Interior Gateway Routing Protocol (IGRP)
        IGRP Timers
        RIP and IGRP Comparison
    Hybrid Routing Protocol
    EIGRP (Enhanced Interior Gateway Routing Protocol)
        Routing Concepts
        Selection of Routing Protocol
        Configuring Routing Protocol
        How Does Load-Balancing Work?
        IP Enhanced IGRP Route Authentication
            Description
            Prerequisites
            Configuration Tasks
            Configuration Example
        Configuring Summary Aggregate Addresses
        Route Summarization Example
    Link State Routing Protocol
    OSPF (Open Shortest Path First)
        Routing Hierarchy
        Link-State Algorithm
        Shortest Path Algorithm
        Link-State Packets
        Enabling OSPF on the Router
        OSPF Authentication
        The Backbone and Area 0
        Virtual Links
        Neighbors
        Adjacencies
        Building the Adjacency

Chapter 7: Configurations
    Common Configuration Command
    Configuring Ethernet Interface
    Configuring Serial Interface

Chapter 8
    Exercise: Setting the hostname of the Router
    Exercise: Configuring the Ethernet interface of the Router for Telnet access
    Exercise: Setting the password to console Port of the Router

Chapter 9: Network Security IPSec
    IPSec Overview
    Supported Standards


Chapter 1

Networking Basics
Internetworking
This chapter focuses mainly on mapping the Open Systems Interconnection (OSI) model to networking/internetworking functions and on summarizing the general nature of addressing schemes within the context of the OSI model.

What is a Network?
A network is a collection of individual computers, connected by some physical media and networking devices.

What is an Internetwork?
An internetwork is a collection of individual networks, connected by intermediate networking devices that function as a single large network. Internetworking refers to the industry, products, and procedures that meet the challenge of creating and administering internetworks. Figure illustrates some different kinds of network technologies that can be interconnected by routers and other networking devices to create an internetwork:
Figure: Different network technologies can be connected to create an internetwork.


Networking Architecture
Open Systems Interconnection (OSI) Reference Model
OSI is the Open Systems Interconnection reference model for communications. OSI is a rather well-defined set of protocol specifications with many options for accomplishing similar tasks. Some participants in OSI's creation and development wanted it to become the networking protocol used by all applications. The OSI model consists of seven layers, each of which can have several sublayers. The upper layers of the OSI model (application, presentation, and session: Layers 7, 6, and 5) are oriented more toward services to the applications. These layers are also referred to as host layers. The lower four layers (transport, network, data link, and physical: Layers 4, 3, 2, and 1) are oriented more toward the flow of data from end to end through the network. These layers are referred to as internetwork layers.

OSI Layer Wise Description

Physical (Layer 1)
Functional Description: This layer deals with the physical characteristics of the transmission medium. Connectors, pins, use of pins, electrical currents, encoding, and light modulation are all part of different physical layer specifications. Multiple specifications are sometimes used to complete all details of the physical layer. For example, RJ-45 defines the shape of the connector and the number of wires or pins in the cable. Ethernet and 802.3 define the use of wires or pins 1, 2, 3, and 6. So, to use a Category 5 cable with an RJ-45 connector for an Ethernet connection, the Ethernet and RJ-45 physical layer specifications are used.
Examples: EIA/TIA-232, V.35, EIA/TIA-449, V.24, RJ-45, Ethernet, 802.3, 802.5, FDDI

Data Link (Layer 2)
Functional Description: This layer's specifications are concerned with getting data across one particular link or medium. The data link protocols define delivery across an individual link. These protocols are necessarily concerned with the type of media in question: for example, 802.3 and 802.2 are specifications that define how Ethernet works. Other protocols, such as High-level Data Link Control (HDLC) for point-to-point WAN links, deal with the different details of a WAN link.
Examples: IEEE 802.3/802.2, HDLC, Frame Relay, PPP, FDDI, ATM, IEEE 802.5/802.2

Network (Layer 3)
Functional Description: This layer defines end-to-end delivery of packets. To accomplish this, the network layer defines logical addressing so that any endpoint can be identified. It also defines how routing works and how routes are learned so that the packets can be delivered. The network layer also defines how to fragment a packet into smaller packets to accommodate media with a smaller maximum transmission unit size.
Examples: IP, IPX, AppleTalk DDP

Transport (Layer 4)
Functional Description: This layer includes the choice of protocols that either do or do not provide error recovery. Multiplexing of incoming data for different flows to applications on the same host (for example, TCP sockets) is also performed. Reordering of the incoming data stream when packets arrive out of order is included.
Examples: TCP, UDP, SPX

Session (Layer 5)
Functional Description: This layer defines how to start, control, and end conversations (called sessions). This includes the control and management of multiple bidirectional messages so that the application can be notified if only some of a series of messages are completed, which allows the presentation layer to have a seamless view of an incoming stream of data. The session layer creates ways to imply which flows must complete before any are considered complete.
Examples: RPC, SQL, NFS, NetBIOS names, AppleTalk ASP, DECnet SCP

Presentation (Layer 6)
Functional Description: This layer's main purpose is defining data formats, such as ASCII text, binary, BCD, and JPEG. Encryption is also defined as a presentation layer service. For example, FTP enables you to choose binary or ASCII transfer. If binary is selected, the sender and receiver do not modify the contents of the file. If ASCII is chosen, the sender translates the text from the sender's character set to standard ASCII and sends the data. The receiver translates back from standard ASCII to the character set used on the receiving computer.
Examples: JPEG, ASCII, EBCDIC, TIFF, GIF, PICT, encryption, MPEG, MIDI

Application (Layer 7)
Functional Description: An application that communicates with other computers is implementing OSI application layer concepts. The application layer refers to communications services to the applications. For example, a word processor that lacks communications capabilities would not implement code for communications, and word processor programmers would not be concerned about OSI Layer 7. However, if an option for transferring a file were added, then the word processor would need to implement OSI Layer 7.
Examples: Telnet, HTTP, FTP, WWW browser, NFS, SMTP gateways, SNMP


Chapter 2 Introduction to LAN


This chapter introduces the various media-access methods, transmission methods, topologies, and devices used in a local area network (LAN). Topics addressed focus on the methods and devices used in Ethernet/IEEE 802.3, Token Ring/IEEE 802.5, and Fiber Distributed Data Interface (FDDI). Figure illustrates the basic layout of these three implementations.
Figure: Three LAN implementations are used most commonly.

What is a LAN?
A LAN is a high-speed, fault-tolerant data network that covers a relatively small geographic area. It typically connects workstations, personal computers, printers, and other devices. LANs offer computer users many advantages, including shared access to devices and applications, file exchange between connected users, and communication between users via electronic mail and other applications.

LAN Media-Access Methods


LAN protocols typically use one of two methods to access the physical network medium: carrier sense multiple access collision detect (CSMA/CD) and token passing. In the CSMA/CD media-access scheme, network devices contend for use of the physical network medium. CSMA/CD is therefore sometimes called contention access. Examples of LANs that use the CSMA/CD media-access scheme are Ethernet/IEEE 802.3 networks, including 100BaseT.

Ethernet Technologies
The term Ethernet refers to the family of local area network (LAN) implementations that includes three principal categories:
    Ethernet and IEEE 802.3: LAN specifications that operate at 10 Mbps over coaxial cable.
    100-Mbps Ethernet: A single LAN specification, also known as Fast Ethernet, that operates at 100 Mbps over twisted-pair cable.
    1000-Mbps Ethernet: A single LAN specification, also known as Gigabit Ethernet, that operates at 1000 Mbps (1 Gbps) over fiber and twisted-pair cables.

LAN Data Transmission Methods


LAN data transmissions fall into three classifications: unicast, multicast, and broadcast. In each type of transmission, a single packet is sent to one or more nodes.

In a unicast transmission, a single packet is sent from the source to a destination on a network. First, the source node addresses the packet by using the address of the destination node. The packet is then sent onto the network, and finally, the network passes the packet to its destination.

A multicast transmission consists of a single data packet that is copied and sent to a specific subset of nodes on the network. First, the source node addresses the packet by using a multicast address. The packet is then sent into the network, which makes copies of the packet and sends a copy to each node that is part of the multicast address.

A broadcast transmission consists of a single data packet that is copied and sent to all nodes on the network. In this type of transmission, the source node addresses the packet by using the broadcast address. The packet is then sent into the network, which makes copies of the packet and sends a copy to every node on the network.

LAN Devices
Devices commonly used in LANs include repeaters, hubs, LAN extenders, bridges, LAN switches, and routers. Repeaters, hubs, and LAN extenders are discussed briefly in this chapter. The functions and operations of bridges, switches, and routers are discussed generally in "Bridging and Switching Basics" and "Routing Basics."

Repeater
A repeater is a physical layer device used to interconnect the media segments of an extended network. A repeater essentially enables a series of cable segments to be treated as a single cable.
Figure: A repeater connects two network segments.


Hub
A hub is a physical-layer device that connects multiple user stations, each via a dedicated cable. Electrical interconnections are established inside the hub. Hubs are used to create a physical star network while maintaining the logical bus or ring configuration of the LAN. In some respects, a hub functions as a multi-port repeater.

Bridges and Switches


Bridges and switches are data communications devices that operate principally at Layer 2 of the OSI reference model. As such, they are widely referred to as data link layer devices.

Types of Switches
Switches are data link layer devices that, like bridges, enable multiple physical LAN segments to be interconnected into a single larger network. Similar to bridges, switches forward and flood traffic based on MAC addresses. Because switching is performed in hardware instead of in software, it is significantly faster. Switches use either store-and-forward switching or cut-through switching when forwarding traffic. Many types of switches exist, including ATM switches, LAN switches, and various types of WAN switches.

LAN Switch
LAN switches are used to interconnect multiple LAN segments. LAN switching provides dedicated, collision-free communication between network devices, with support for multiple simultaneous conversations. LAN switches are designed to switch data frames at high speeds. Figure illustrates a simple network in which a LAN switch interconnects a 10-Mbps and a 100-Mbps Ethernet LAN.
Figure: A LAN switch can link 10-Mbps and 100-Mbps Ethernet segments.

Router
A router connects multiple logical networks, such as Ethernet and Token Ring, into a single internetwork, with each separate logical network maintaining its own logical network address. Routers work at the network layer and include the capability to separate the management of the segments on the internetwork.

Chapter 3 Introduction to WAN Technologies


What is a WAN?
A WAN is a data communications network that covers a relatively broad geographic area and often uses transmission facilities provided by common carriers, such as telephone companies. WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer. Figure illustrates the relationship between the common WAN technologies and the OSI model.
Figure: WAN technologies operate at the lowest levels of the OSI model.

Point-to-Point Links
A point-to-point link provides a single, pre-established WAN communications path from the customer premises through a carrier network, such as a telephone company, to a remote network. A point-to-point link is also known as a leased line because its established path is permanent and fixed for each remote network reached through the carrier facilities. The carrier company reserves point-to-point links for the private use of the customer. These links accommodate two types of transmissions: Datagram transmissions, which are composed of individually addressed frames, and data-stream transmissions, which are composed of a stream of data for which address checking occurs only once. Figure illustrates a typical point-to-point link through a WAN.


Figure: A typical point-to-point link operates through a WAN to a remote network.

Circuit Switching
Circuit switching is a WAN switching method in which a dedicated physical circuit is established, maintained, and terminated through a carrier network for each communication session. Circuit switching accommodates two types of transmissions: datagram transmissions and data-stream transmissions. Used extensively in telephone company networks, circuit switching operates much like a normal telephone call. Integrated Services Digital Network (ISDN) is an example of a circuit-switched WAN technology.
Figure: A circuit-switched WAN undergoes a process similar to that used for a telephone call.

Packet Switching
Packet switching is a WAN switching method in which network devices share a single point-to-point link to transport packets from a source to a destination across a carrier network. Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer Mode (ATM), Frame Relay, Switched Multi-megabit Data Service (SMDS), and X.25 are examples of packet-switched WAN technologies (see Figure).


Figure: Packet switching transfers packets across a carrier network.

WAN Devices
WANs use numerous types of devices that are specific to WAN environments. WAN switches, access servers, modems, CSU/DSUs, and ISDN terminal adapters are discussed in the following sections. Other devices found in WAN environments that are exclusive to WAN implementations include routers, ATM switches, and multiplexers.

Modem
A modem is a device that interprets digital and analog signals, enabling data to be transmitted over voice-grade telephone lines. At the source, digital signals are converted to a form suitable for transmission over analog communication facilities. At the destination, these analog signals are returned to their digital form. Figure illustrates a simple modem-to-modem connection through a WAN.
Figure: A modem connection through a WAN handles analog and digital signals.

CSU/DSU
A channel service unit/digital service unit (CSU/DSU) is a digital-interface device (or sometimes two separate digital devices) that adapts the physical interface on a data terminal equipment (DTE) device (such as a terminal) to the interface of a data circuit-terminating equipment (DCE) device (such as a switch) in a switched-carrier network. The CSU/DSU also provides signal timing for communication between these devices. Figure illustrates the placement of the CSU/DSU in a WAN implementation.


Figure: The CSU/DSU stands between the switch and the terminal.

IP Addressing and Subnetting

This section contains an extensive review of IP addressing and subnetting. For complete familiarity with the terminology used with IP addressing, refer to the following table:

Term: Definition
IP address: A 32-bit number, usually written in dotted decimal form, that uniquely identifies an interface of some computer.
Host address: Another term for IP address.
Network: The concept of a group of hosts.
Network number: A 32-bit number, usually written in dotted decimal form, that represents a network. This number cannot be assigned as an IP address to an interface of some computer. The host portion of the network number has a value of all binary 0s.
Network address: Another name for network number.
Broadcast address: A 32-bit number, usually written in dotted decimal form, that is used to address all hosts in the network. The host portion of the broadcast address has a value of all binary 1s. A broadcast address cannot be assigned as an IP address.
Subnet: The concept of a group of hosts, which is a subdivision of a network.
Subnet number: A 32-bit number, usually written in dotted decimal form, that represents all hosts in a subnet. This number cannot be used as an IP address for some computer's interface.
Subnet address: Another term for subnet number.
Subnetting: The process of subdividing networks into smaller subnets.
Network mask: A 32-bit number, usually written in dotted decimal form. Computers use the mask to calculate the network number of a given IP address by performing a Boolean AND of the address and the mask. The mask also defines the number of host bits in an address.
Mask: A generic term for a mask, whether it is a default mask or a subnet mask.
Address mask: Another term for a mask.
Default Class A mask: The mask used for a Class A network when no subnetting is used. The mask value is 255.0.0.0.
Default Class B mask: The mask used for a Class B network when no subnetting is used. The mask value is 255.255.0.0.
Default Class C mask: The mask used for a Class C network when no subnetting is used. The mask value is 255.255.255.0.
Subnet mask: A non-default mask used when subnetting.
Network part / field: Term used to describe the first part of an IP address. The network part is 8, 16, or 24 bits for Class A, B, C networks, respectively.
Host part / field: Term used to describe the last part of an IP address. The host part is 24, 16, or 8 bits for Class A, B, C networks, respectively, when subnetting is not used. When subnetting, the size of the host part depends on the subnet mask chosen for that network.
Subnet part / field: Term used to describe the middle part of an IP address. The subnet part is variable in size, based on how subnetting is implemented.

Classes of Networks
Class A, B, and C networks provide three network sizes. By definition, all addresses in the same network have the same numeric value in the network portion of the address. The rest of the address is called the host portion of the address. Individual addresses in the same network all have a different value in the host part of the address but identical values in the network part. Class A networks have a 1-byte-long network part. That leaves 24 bits for the rest of the address, or the host part, which means that 2^24 addresses are numerically possible in a Class A network. Similarly, Class B networks have a 2-byte-long network part, leaving 16 bits for the host part of the address, so 2^16 possible addresses exist in a single Class B network. Finally, Class C networks have a 3-byte-long network part, leaving only 8 bits for the host part, which implies only 2^8 addresses in a Class C network. The following table summarizes the characteristics of Class A, B, and C networks.

Size of Network and Host Parts of IP Addresses with No Subnetting

Network Type   Number of Network Bytes (Bits)   Number of Host Bytes (Bits)   Number of Addresses per Network
A              1 (8)                            3 (24)                        2^24 minus 2 special cases
B              2 (16)                           2 (16)                        2^16 minus 2 special cases
C              3 (24)                           1 (8)                         2^8 minus 2 special cases


For example, Figure shows a small network with addresses filled in. Network 8.0.0.0 is a Class A network; network 130.4.0.0 is a Class B network; network 199.1.1.0 is a Class C network. Network numbers look like addresses (in dotted decimal format), but they are not assignable to any interface as an IP address. Conceptually, network numbers represent the group of all IP addresses in the network. Numerically, the network number is built with a nonzero value in the network part but with all 0s in the host part. Given the three examples from Figure, the following table provides a closer look at the numerical version of the three network numbers: 8.0.0.0, 130.4.0.0, and 199.1.1.0.

Example: Network Numbers, Decimal and Binary (the host part follows the "|")

Network No.   Binary Representation (network part | host part)
8.0.0.0       0000 1000 | 0000 0000 0000 0000 0000 0000
130.4.0.0     1000 0010 0000 0100 | 0000 0000 0000 0000
199.1.1.0     1100 0111 0000 0001 0000 0001 | 0000 0000

The next table summarizes the possible network numbers, the total number of each type, and the number of hosts in each Class A, B, and C network.

Class   First Octet Range   Valid Network Numbers        Total Number of this Class of Network   Number of Hosts per Network
A       1 to 126            1.0.0.0 to 126.0.0.0         2^7 minus two special cases             2^24 minus two special cases
B       128 to 191          128.1.0.0 to 191.254.0.0     2^14 minus two special cases            2^16 minus two special cases
C       192 to 223          192.0.1.0 to 223.254.254.0   2^24 minus two special cases            2^8 minus two special cases

The Valid Network Numbers column shows actual network numbers. There are several reserved cases. For example, network 0.0.0.0 (available for use as a broadcast address) and 127.0.0.0 (available for use as the loopback address) are reserved. Networks 128.0.0.0, 191.255.0.0, 192.0.0.0, and 223.255.255.0 are also reserved.

Masks and IP Address Formats


A mask is used for several purposes. One key purpose is to define the number of host bits in an address. Computers also use the mask when calculating the network or subnet number of which an address is a member. The default mask used with each class of network defines the number of host bits. The mask has a binary 0 in each bit position that corresponds to a bit of the host portion of the address. Similarly, it appears that the mask implies the size and position of the network part of the address; however, the class of network already implies the network part. The following table summarizes the default masks and reflects the sizes of the two parts of an IP address.

Class   Size/Bits of Network Part   Size/Bits of Host Part   Default Mask for Each Class of Network
A       8                           24                       255.0.0.0
B       16                          16                       255.255.0.0
C       24                          8                        255.255.255.0

When subnetting, a third part of an IP address appears, namely the subnet part of the address. Stealing bits from the host part of the address creates this field. Figure shows the format of addresses when subnetting. Three portions of the address now exist: network, subnet, and host. The network part size is determined by the class (A, B, or C). The subnet mask in use determines the host part: the number of bits of value 0 in the subnet mask defines the number of host bits. The remaining bits define the size of the subnet part of the address. For instance, a mask of 255.255.255.240, used with a Class C network, implies four host bits, because the mask has four binary 0s at the end.

Figure

The number of host bits defines the number of hosts per network or subnet: 2^(host bits) minus two special reserved cases (the all-0s host field, which is the subnet number, and the all-1s host field, which is the subnet broadcast address) is the number of assignable IP addresses in a network or subnet. Similarly, the number of subnet bits, assuming that the same mask is used on all subnets, defines the number of subnets of a network: 2^(subnet bits) is the number of usable IP subnets of that network. Two special cases, the zero subnet and the broadcast subnet, were reserved in years past but are now usable.
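An added example (not from the training material) that applies these rules: given an address and a mask, it derives the class, the network, subnet and host bit counts, the number of subnets and assignable hosts, and the subnet and broadcast addresses. It uses only Python's standard ipaddress module; the check that rejects a non-contiguous mask is an addition of the example.

```python
# Added example: classful subnet arithmetic for the address/mask rules above.
# Not code from the training document. It uses only the standard library.
import ipaddress

# Size of the network part implied by the class (the mask cannot shorten it).
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(first_octet: int) -> str:
    """Map the first octet to Class A, B or C using the ranges in the table."""
    if 1 <= first_octet <= 126:
        return "A"
    if 128 <= first_octet <= 191:
        return "B"
    if 192 <= first_octet <= 223:
        return "C"
    raise ValueError("first octet %d is not a Class A, B or C address" % first_octet)


def prefix_length(mask: str) -> int:
    """Return the number of 1 bits in a dotted mask, rejecting non-contiguous masks."""
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    if mask_int != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError("mask %s is not a contiguous run of 1s" % mask)
    return ones


def subnet_info(address: str, mask: str) -> dict:
    """Split address into network/subnet/host parts and count subnets and hosts."""
    addr = ipaddress.IPv4Address(address)
    ones = prefix_length(mask)
    cls = address_class(int(addr) >> 24)
    net_bits = NETWORK_BITS[cls]
    if ones < net_bits:
        raise ValueError("mask is shorter than the classful network part")
    host_bits = 32 - ones            # zeros in the mask are host bits
    subnet_bits = ones - net_bits    # whatever is left between network and host
    # Clear the host bits to get the subnet number; the library then derives the
    # broadcast address (host bits all 1s) for us.
    subnet_number = (int(addr) >> host_bits) << host_bits
    subnet = ipaddress.IPv4Network((subnet_number, ones))
    return {
        "class": cls,
        "network_bits": net_bits,
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        # Zero subnet and broadcast subnet are usable today, so no subtraction.
        "subnets": 2 ** subnet_bits,
        # Host field all 0s (subnet number) and all 1s (broadcast) are reserved.
        "hosts_per_subnet": max(2 ** host_bits - 2, 0),
        "subnet_address": str(subnet.network_address),
        "broadcast_address": str(subnet.broadcast_address),
    }


if __name__ == "__main__":
    for a, m in (("192.168.1.77", "255.255.255.240"), ("172.16.50.5", "255.255.255.0")):
        print(a, m, subnet_info(a, m))
```

For 192.168.1.77 with mask 255.255.255.240 the function reports Class C, 4 subnet bits, 4 host bits, 16 subnets of 14 hosts, subnet 192.168.1.64 and broadcast 192.168.1.79, which is the worked case from the text.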

WAN Protocols
WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer. The figure illustrates the relationship between the common WAN technologies and the OSI model. We shall discuss two data link layer WAN protocols, PPP and Frame Relay.


Point-to-Point Protocol
Background

The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities. In addition to IP, PPP supports other protocols, including Novell's Internetwork Packet Exchange (IPX) and DECnet. This chapter provides a summary of PPP's basic protocol elements and operations.

PPP Components

PPP provides a method for transmitting datagrams over serial point-to-point links. PPP contains three main components:

- A method for encapsulating datagrams over serial links.
- An extensible LCP to establish, configure, and test the data-link connection.
- A family of NCPs for establishing and configuring different network-layer protocols. PPP is designed to allow the simultaneous use of multiple network-layer protocols.

General Operation

To establish communications over a point-to-point link, the originating PPP first sends LCP frames to configure and (optionally) test the data link. After the link has been established and optional facilities have been negotiated as needed by the LCP, the originating PPP sends NCP frames to choose and configure one or more network-layer protocols. When each of the chosen network-layer protocols has been configured, packets from each network-layer protocol can be sent over the link. The link will remain configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs (for example, an inactivity timer expires or a user intervenes).

Physical-Layer Requirements

PPP is capable of operating across any DTE/DCE interface. Examples include EIA/TIA-232-C (formerly RS-232-C), EIA/TIA-422 (formerly RS-422), EIA/TIA-423 (formerly RS-423), and International Telecommunication Union Telecommunication Standardization Sector (ITU-T) (formerly CCITT) V.35. The only absolute requirement imposed by PPP is the provision of a duplex circuit, either dedicated or switched, that can operate in either an asynchronous or synchronous bit-serial mode, transparent to PPP link-layer frames. PPP does not impose any restrictions regarding transmission rate other than those imposed by the particular DTE/DCE interface in use.

PPP Link-Control Protocol

The PPP LCP provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection. LCP goes through four distinct phases:

1) Link establishment and configuration negotiation. Before any network-layer datagrams (for example, IP) can be exchanged, LCP first must open the connection and negotiate configuration parameters. This phase is complete when a configuration-acknowledgment frame has been both sent and received.
2) Link-quality determination. LCP allows an optional link-quality determination phase following the link-establishment and configuration-negotiation phase. In this phase, the link is tested to determine whether the link quality is sufficient to bring up network-layer protocols. LCP can delay transmission of network-layer protocol information until this phase is complete.
3) Network-layer protocol configuration negotiation. After LCP has finished the link-quality determination phase, network-layer protocols can be configured separately by the appropriate NCP and can be brought up and taken down at any time. If LCP closes the link, it informs the network-layer protocols so that they can take appropriate action.
4) Link termination. LCP can terminate the link at any time. This usually will be done at the request of a user but can happen because of a physical event, such as the loss of carrier or the expiration of an idle-period timer.

Three classes of LCP frames exist. Link-establishment frames are used to establish and configure a link. Link-termination frames are used to terminate a link, while link-maintenance frames are used to manage and debug a link. These frames are used to accomplish the work of each of the LCP phases.
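The link-establishment exchange described in the phases above, as an added example that is not part of the original training material: two simulated peers each send a Configure-Request and answer the other's with Configure-Ack or Configure-Nak, and the phase ends only when each side has both sent and received an Ack. The single option negotiated, MRU (Maximum-Receive-Unit), comes from RFC 1661 rather than from this page, and the acceptance rule ("accept any MRU up to my limit, otherwise Nak with my limit") is an assumption of the example; no real frame encoding is performed.

```python
# Added example: a simplified two-peer simulation of the LCP link-establishment
# phase. Not code from the training document. The only option negotiated is
# MRU (from RFC 1661); the acceptance rule is an assumption for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LcpPeer:
    name: str
    wanted_mru: int               # value this peer proposes in Configure-Request
    max_mru: int                  # largest value it will Ack from the other side
    ack_sent: bool = False
    ack_received: bool = False
    agreed_mru: Optional[int] = None   # value the other side accepted for us
    log: List[str] = field(default_factory=list)

    @property
    def opened(self) -> bool:
        """Phase 1 ends only when an Ack has been both sent and received."""
        return self.ack_sent and self.ack_received

    def configure_request(self) -> dict:
        return {"code": "Configure-Request", "mru": self.wanted_mru}

    def handle(self, frame: dict, sender: "LcpPeer") -> Optional[dict]:
        """Consume one LCP frame and return the reply to send back, if any."""
        self.log.append("%s <- %s %s" % (self.name, sender.name, frame))
        code = frame["code"]
        if code == "Configure-Request":
            if frame["mru"] <= self.max_mru:
                self.ack_sent = True
                return {"code": "Configure-Ack", "mru": frame["mru"]}
            # Reject the proposal and suggest the largest value we accept.
            return {"code": "Configure-Nak", "mru": self.max_mru}
        if code == "Configure-Ack":
            self.ack_received = True
            self.agreed_mru = frame["mru"]
            return None
        if code == "Configure-Nak":
            # Adopt the peer's suggestion and propose again.
            self.wanted_mru = frame["mru"]
            return self.configure_request()
        raise ValueError("unexpected LCP code %r" % code)


def run_exchange(a: LcpPeer, b: LcpPeer, max_frames: int = 20) -> int:
    """Deliver frames in order until both sides are Opened; return frames sent."""
    queue: List[Tuple[LcpPeer, LcpPeer, dict]] = [
        (a, b, a.configure_request()),
        (b, a, b.configure_request()),
    ]
    sent = 0
    while queue and sent < max_frames:
        sender, receiver, frame = queue.pop(0)
        sent += 1
        reply = receiver.handle(frame, sender)
        if reply is not None:
            queue.append((receiver, sender, reply))
    if not (a.opened and b.opened):
        raise RuntimeError("LCP did not reach Opened within %d frames" % max_frames)
    return sent


if __name__ == "__main__":
    left = LcpPeer("A", wanted_mru=1500, max_mru=1500)
    right = LcpPeer("B", wanted_mru=1500, max_mru=1492)
    print("frames exchanged:", run_exchange(left, right))
    print("\n".join(left.log + right.log))
```

When both sides accept 1500 the link opens after four frames (two requests, two acks). When B only accepts 1492, B naks A's request, A re-requests with 1492 and the link opens after six frames, with A's direction settled at 1492 and B's at 1500.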

Chapter 4 Cisco Routers Basics


Cisco IOS
IOS, a registered trademark of Cisco Systems, is the name of the operating system found in most of Cisco's routers. The majority of Cisco routers run the IOS, with its familiar command-line interface (CLI).

Router Components
Before examining the IOS, a review of hardware and hardware terminology is useful. In addition to handling the logic of routing packets, the IOS controls the use of different physical components, including memory, processor, and interfaces. This section reviews common hardware details. All Cisco routers have a console port, and most have an auxiliary port. The console port is intended for local administrative access from an ASCII terminal or a computer using a terminal emulator. The auxiliary port, missing on a few models of Cisco routers, is intended for asynchronous dial access from an ASCII terminal or terminal emulator; the auxiliary port is often used for dial backup.


Each router has different types of memory, as follows:

- RAM: Sometimes called DRAM (dynamic random-access memory), RAM is used by the router just as it is used by any other computer, for working storage.
- ROM: Read-only memory stores a bootable IOS image, which is not typically used for normal operation. ROM contains the code that is used to boot the router until the router knows where to get the full IOS image.
- Flash memory: Either an EEPROM or a PCMCIA card, Flash memory stores fully functional IOS images and is the default location from which the router gets its IOS at boot time. Flash memory also can be used to store configuration files on Cisco 7500 series platforms.
- NVRAM: Nonvolatile RAM stores the initial or startup configuration file.

All these types of memory are permanent memory except RAM. No hard disk or diskette storage exists on Cisco routers.
Figure summarizes the use of memory in Cisco routers.

A router uses interfaces to route packets and bridge frames. The types of interfaces available change over time due to new technology. Physical interfaces are referred to as interfaces by the IOS commands, as opposed to ports or plugs. In some smaller routers, the interface number is a single number. However, with some other families of routers, the interface is numbered first with the slot in which the card resides, followed by a slash and then the port number on that card. For example, port 3 on the card in slot 2 would be interface 2/3. Numbering starts with 0 for card slots and 0 for ports on any card. In some cases, three numbers define the interface: first the card slot, then the daughter card (typically called a port adapter), and then a number for the physical interface on the port adapter. The 2600 and 3600 families also use a slot/port numbering scheme.

Command-Line Interface
Cisco uses the acronym CLI to refer to the terminal user command-line interface to the IOS. The term CLI implies that the user is typing commands at a terminal, terminal emulator, or Telnet connection. To access the CLI, use one of three methods, as illustrated in Figure.


Figure

Regardless of which access method is used, a CLI user initially is placed in user mode, or user EXEC mode, after logging in. EXEC refers to the fact that the commands typed here are executed, and some response messages are displayed onscreen. The alternative mode is configuration mode, which is covered in the next section. Passwords can be required when accessing the CLI. In fact, the default configuration at IOS 12.x requires a password for Telnet and auxiliary port access, but no password is set; therefore, you must configure passwords from the console first. The following table reviews the different types of passwords and the configuration for each type.

The login command actually tells the router to display a password prompt. The password command specifies the text password to be typed by the user to gain access. The first command in each configuration is a context-setting command, as described in the section Configuration Processes and the Configuration File, later in this chapter. Typically, all three passwords have the same value. Several concurrent Telnet connections to a router are allowed. The line vty 0 4 command signifies that this configuration applies to vtys (virtual teletype terminals) 0 through 4. Only these five vtys are allowed by the IOS unless it is an IOS for a dial access server, such as a Cisco AS5300. All five vtys typically have the same password, which is handy because users connecting to the router via Telnet cannot choose which vty they get. User EXEC mode is one of two command EXEC modes in the IOS user interface. Enable mode (also known as privileged mode or privileged EXEC mode) is the other. Enable mode is so named because of the enable command used to reach this mode, as shown in Figure 4-1; privileged mode earns its name because powerful, or privileged, commands can be executed there.
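As an added check (not from the training material) of the password configuration described above, the following script audits the line contexts of a constructed running-config. The two line checks follow the text: a line with login but no password refuses access, and a line with a password but no login never prompts for it. The sample configuration is constructed for the example, and the enable secret versus enable password distinction (enable secret stores a hash, enable password is stored in clear or with reversible encryption) is the editor's addition.

```python
# Added example: audit of line-access passwords in a Cisco IOS running-config.
# Not code from the training document; SAMPLE_CONFIG is constructed.
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname R1
enable password cisco
!
line con 0
 password console
 login
line aux 0
 login
line vty 0 4
 password telnet
 no login
!
"""


def line_sections(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' context to the indented commands beneath it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None          # any other global command ends the context
    return sections


def audit_line(cmds: List[str]) -> str:
    """Judge one line context from the commands configured under it."""
    has_password = any(c.startswith("password ") for c in cmds)
    has_login = "login" in cmds
    if "login local" in cmds:
        return "ok: authenticates against local usernames"
    if has_login and not has_password:
        # The IOS 12.x default state the text describes: connections refused.
        return "locked out: login requires a password but none is set"
    if has_password and not has_login:
        return "open: password configured but login never prompts for it"
    if not has_password and not has_login:
        return "open: no login and no password"
    return "ok"


def audit_enable(config: str) -> str:
    """Check how privileged (enable) mode is protected."""
    globals_ = [line for line in config.splitlines() if not line.startswith(" ")]
    if any(line.startswith("enable secret ") for line in globals_):
        return "ok: enable secret (hashed)"
    if any(line.startswith("enable password ") for line in globals_):
        return "weak: enable password is stored reversibly; use enable secret"
    return "none: no enable password or secret configured"


def audit(config: str) -> Dict[str, str]:
    """Return one finding per line context plus one for enable mode."""
    findings = {ctx: audit_line(cmds) for ctx, cmds in line_sections(config).items()}
    findings["enable"] = audit_enable(config)
    return findings


if __name__ == "__main__":
    for ctx, finding in audit(SAMPLE_CONFIG).items():
        print("%-12s %s" % (ctx, finding))
```

Run against the sample, the console line is fine, the auxiliary line is in the locked-out default state, the vty lines would accept Telnet connections without any prompt, and enable mode relies on a reversible password.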

Figure

Navigating the IOS CLI


Several references are available for help when you are using the IOS. No matter which documentation you use, it is incredibly unlikely that you will remember all IOS commands. (The command reference manuals stack 14 inches high.) Therefore, you will find tools and tricks to recall commands particularly useful. The following table summarizes the command recall help options available at the CLI. Note that in the first column, command represents any command. Likewise, parm represents a command's parameter. For instance, the third row lists command ?, which means that commands such as show ? and copy ? would list help for the show and copy commands, respectively.


When you type the ?, the IOS's CLI reacts immediately; that is, you don't need to press the Enter key or any other keys. The router also redisplays what you typed before the ? to save you some keystrokes. If you press Enter immediately after the ?, the IOS tries to execute the command with only the parameters you have typed so far. The context in which help is requested is also important. For example, when ? is typed in user mode, the commands allowed only in privileged EXEC mode are not displayed. Also, help is available in configuration mode; only configuration commands are displayed in that mode of operation. Commands you use at the CLI are stored in a command history buffer that retains the last 10 commands you typed. You can change the history size with the terminal history size x command, where x is the number of commands for the CLI to recall; this can be set to a value between 0 and 256.

Configuration Processes and the Configuration File


Configuration mode is another mode for the Cisco CLI. Changing the configuration of the router by typing various configuration commands is the purpose of configuration mode. Figure illustrates the relationships among configuration mode, user EXEC mode, and privileged EXEC mode.


Commands typed in configuration mode update the active configuration file. Changes are moved into the active configuration file each time the user presses the Enter key and are acted upon immediately by the router. In configuration mode, context-setting commands are used before most configuration commands. These context-setting commands tell the router the topic about which you will type commands. More importantly, they tell the router what commands to list when you ask for help. After all, the whole reason for these contexts is to make online help more convenient and clear for you.

Chapter 5 Routing Basics


Basics
Internetworks use routing to get data from one network to another. In order to keep data on the best path to its destination, some sort of map of the routes available on the network is needed. The mapping of the networks that the data travels to is handled by a routing protocol. Local Area Networks (LANs) have an inherent performance limit, which depends upon size or complexity. Routers, and their routing protocols, can resolve some common bottlenecks and other conditions that degrade network efficiency. These limits include:

- Network physical segment size
- Number of hosts per segment
- Redundancy
- Amount of traffic
- Dissimilar network topologies

Depending on the type of network, whether Ethernet, Token Ring, or another protocol, the network segment size is limited. A new segment must be created to support nodes located beyond the distance limit set by the segment size, usually measured in cabling distance or wireless range. For instance, Ethernet segments using twisted-pair copper wiring are limited to a maximum physical distance from the node to the hub. When a new node is added beyond this limitation, and another segment is created, there must be some way of getting traffic from one segment to the other.

This can be done by bridging or by routing, and more recently by switching. Bridging is the capability to connect two or more physical network segments such that the connection is transparent to the network. In bridging, broadcasts are sent to all nodes on the bridged segments, and all nodes are considered to be in the same logical network (subnet). Bridging occurs at the data link layer. Switching is a way to increase bandwidth (as well as limit the amount of traffic a node encounters) by providing a dedicated channel for each switched port. Switching also occurs at the data link layer. In contrast to either of these traffic-guiding methods, routing connects multiple logical networks, such as Ethernet and Token Ring, into a single internetwork, with each separate logical network maintaining its own logical network address. Routing occurs at the network layer, and includes the capability to separate the management of the segments on the internetwork.

The number of hosts allowed on each segment is limited by the network topology. This limit varies, depending on the type of network topology used. For example, an Ethernet segment using twisted-pair wiring is limited in the number of hosts, or nodes, it can carry. Once the maximum number of hosts has been reached, another segment must be created, and the traffic to that segment must be bridged or routed.

Some routing protocols can handle flow control, so that if a router is congested, another router sending internetwork traffic to it can be notified by the routing protocol to slow down the rate at which data is being sent to the congested router. Routing protocols do this to ensure that minimal delay is encountered when routers become overloaded.

Dissimilar network topologies, such as FDDI, X.25, and ATM, cannot always be bridged or switched, because the nature of the physical media or physical layer protocol prevents it. In order to transmit internetwork traffic, dissimilar networks must be routed.

Routing
Routing traffic is the process of getting a packet of data from the originating station to the destination station. This could be as simple as putting the packet on the network where the local destination station can receive the packet. It can also be as complex as sending the packet to a default gateway (a router) where the packet is compared to a routing table and then forwarded to the next router that can help the packet along its path. The next router then compares the packet to its routing table and forwards it to the next hop along its journey. This continues until the packet reaches a router directly attached to the network of the destination station.


Chapter 6

Routing Protocol
Basics

Bridging can offer a single path for traffic between segments. However, when multiple transmission paths are needed, routing may be implemented to support those multiple paths. When redundancy is required for internetwork traffic, a routing protocol may be implemented with that option. Congestion is the point where the amount of traffic exceeds the network capacity. Congestion in a network can be debilitating to its use. Bridging, switching, and routing can all control the amount of traffic.

Routing

TCP/IP traffic is routed based on the network portion of the address. If the network node generating the packet is on the same network as the destination node, then the packet is simply placed on the network where the destination node will see it. If, however, the destination node is on a remote network, the source node must make a decision. In most cases, network nodes are attached to only one network. A desktop PC in an office, for instance, is usually connected to one network, the office network. In the case of a network node that is attached to only one network, there is usually a default gateway IP address defined in the routing table. This default gateway IP address is usually a router. When the network node generates an IP packet for a destination node that is on a remote network, the source node compares the network portion of the destination IP address to its own network. The two will not match, and thus the source node sends the packet to the default gateway IP address for forwarding. The default gateway can be a router attached to many networks, like a router connected to the Internet. After the packet is received at the default gateway, it is compared to the routing table to determine how to forward it.
In some cases, the router itself may be attached to the destination network, in which case the packet is simply placed on the destination network for the destination node to receive.


Figure

However, if the router is not attached to the destination network, the routing table is searched for the destination network. If a match is found in the routing table, the packet is sent to the next hop defined by the table. If no match is found and there is no default gateway, the packet is dropped and a network unreachable message is sent to the originator of the packet. This chapter covers how the routing tables of routers are built and maintained. Routers use a routing protocol to exchange information about the networks to which they are directly connected. Routing exchanges also include information about routes they have learned from other routers. This allows each router to build a table of paths to each network in an internetworking system. Routing of packets across the internetwork is carried out by routers with the help of routing protocols and routed protocols (routable protocols).

Routed Protocol (Routable Protocol)


The TCP/IP suite includes a network-layer protocol that participates in packet movement across the network with the help of the routing table; the example is IP. Functions provided by a routed protocol are:
1) It provides the logical addressing that uniquely identifies a host on a network or on the Internet.
2) It carries the packets across the internetwork until they reach the destination host.
3) It forwards packets according to the routing decisions made from the information available through the routing protocol.

Routing Protocol
Routing protocols help the routed protocols by providing multiple routes to a destination with their costs, so that the router can choose the appropriate route to reach the destination. Examples: RIP, IGRP, OSPF, and EIGRP. Functions provided by a routing protocol are:
1) To dynamically learn and fill the routing table with routes to all subnets in the network.
2) To notice when routes in the table are no longer valid, and to remove those routes from the routing table.
3) To search for an alternative route, learned from a neighboring router, to replace a discarded route, as well as for new routes to new subnets.
4) To prevent routing loops.
A routing protocol is mainly associated with routing table maintenance. Routing table maintenance is subdivided into two approaches: dynamic routing and static routing.


Static Routing
With static routing, the network administrator has to maintain the routing table manually. This is done by placing static routes in the router's configuration. A static route is a route statement that you place in the router's configuration; it tells the router where to forward traffic destined for a remote network. Static routes have specific uses within a network. Most Internet connections for organizations use a static route to the ISP. It would be useless for an organization with one connection to the Internet to maintain routing tables for the Internet using a routing protocol. A static route first of all prevents unnecessary route update traffic, and secondly, using a static default route, the router can be configured to send any traffic for which it does not have a specific routing entry to the Internet. However, the biggest disadvantage of static routes is that they cannot adapt to a changing network: they do not change dynamically with changes in the network topology. Another disadvantage is that they cannot scale to larger and more complex networks, due to the heavy administrative overhead. Static routing is suitable only for a small network with a few routers in the internetwork. There is also the chance of a router being misconfigured.

Dynamic Routing
With dynamic routing, the router uses a routing protocol to learn about the network and builds its routing table from this information. There is no requirement for manual configuration of each route; the routing protocol takes care of it. In a network using dynamic routing, when changes occur in the network, the changes are reflected in the routing table soon after. Thus the administrative overhead is greatly reduced. With dynamic routing, the size of the network does not matter, and the network can scale up. The disadvantage of dynamic routing is that you cannot use the full bandwidth of a link, since part of the bandwidth is occupied by the regular route update traffic. For this reason it may not be worthwhile on a small network with only a few routers.

Administrative Distances
When configuring routing protocols, you need to be aware of administrative distances (ADs). These are used to rate the trustworthiness of routing information received on a router from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most trusted and 255 means the route is not trusted and will never be placed in the routing table. When a router learns the same destination from more than one source, it installs the route from the source with the lowest administrative distance. The following table shows the default administrative distances that a Cisco router uses to decide which route to use to a remote network.
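To show how the administrative distance decides between sources, here is an added example (not from the training material) that selects routes for a set of constructed candidates. The default AD values in it are the Cisco IOS defaults as the editor knows them; the table referred to above is not reproduced on this page. Within the winning source it keeps all equal-metric routes, as RIP does when it load-balances.

```python
# Added example: route-source selection by administrative distance.
# Not code from the training document. DEFAULT_AD holds Cisco IOS defaults as
# known to the editor; CANDIDATES is constructed input.
from typing import Dict, List, NamedTuple

DEFAULT_AD: Dict[str, int] = {
    "connected": 0,
    "static": 1,
    "eBGP": 20,
    "EIGRP": 90,
    "IGRP": 100,
    "OSPF": 110,
    "IS-IS": 115,
    "RIP": 120,
    "EIGRP external": 170,
    "iBGP": 200,
    "unknown": 255,     # never installed in the routing table
}


class Route(NamedTuple):
    prefix: str
    source: str     # routing protocol, or "static"/"connected"
    metric: int     # protocol-specific; only comparable within one source
    next_hop: str


def select_routes(prefix: str, candidates: List[Route]) -> List[Route]:
    """Return the route(s) a router installs for prefix.

    The lowest administrative distance wins regardless of metric, because
    metrics from different protocols are not comparable. Within the winning
    source the lowest metric wins, and equal-metric routes are all kept so
    the protocol can load-balance over them. AD 255 means "do not trust".
    """
    usable = [r for r in candidates
              if r.prefix == prefix and DEFAULT_AD[r.source] < 255]
    if not usable:
        return []
    best_ad = min(DEFAULT_AD[r.source] for r in usable)
    same_source = [r for r in usable if DEFAULT_AD[r.source] == best_ad]
    best_metric = min(r.metric for r in same_source)
    return [r for r in same_source if r.metric == best_metric]


def build_routing_table(candidates: List[Route]) -> Dict[str, List[Route]]:
    """Run the selection for every prefix seen in the candidate list."""
    table: Dict[str, List[Route]] = {}
    for prefix in sorted({r.prefix for r in candidates}):
        chosen = select_routes(prefix, candidates)
        if chosen:
            table[prefix] = chosen
    return table


# Constructed input: the same prefixes learned from several sources.
CANDIDATES: List[Route] = [
    Route("10.1.1.0/24", "RIP", 2, "192.0.2.1"),
    Route("10.1.1.0/24", "OSPF", 74, "192.0.2.2"),
    Route("10.1.1.0/24", "EIGRP", 3072, "192.0.2.3"),
    Route("10.2.2.0/24", "static", 0, "192.0.2.9"),
    Route("10.2.2.0/24", "OSPF", 20, "192.0.2.2"),
    Route("10.3.3.0/24", "unknown", 1, "192.0.2.7"),
    Route("10.4.4.0/24", "RIP", 3, "192.0.2.1"),
    Route("10.4.4.0/24", "RIP", 1, "192.0.2.5"),
    Route("10.4.4.0/24", "RIP", 1, "192.0.2.6"),
]

if __name__ == "__main__":
    for prefix, routes in build_routing_table(CANDIDATES).items():
        print(prefix, [(r.source, r.metric, r.next_hop) for r in routes])
```

Note that 10.1.1.0/24 goes to EIGRP even though its metric (3072) is numerically far larger than RIP's hop count of 2: the AD comparison happens before any metric is looked at.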


Dynamic Routing Protocol


Dynamic routing is carried out by the routing protocol, which can be classified by the method it uses to determine routes and by the metrics (costs) it uses. By operating method, routing protocols can be subdivided into three types:

Distance vector
The distance-vector routing protocols use the distance to a remote network to find the best path. Each time a packet goes through a router, it's called a hop. The route with the least number of hops to the network is determined to be the best route. The vector is the direction to the remote network. Examples of distance-vector routing protocols are RIP and IGRP.

Link state
Typically called shortest-path-first protocols; each router creates three separate tables. One of these tables keeps track of directly attached neighbors, one holds the topology of the entire internetwork, and one is the routing table. Link-state routers know more about the internetwork than any distance-vector routing protocol. An example of an IP routing protocol that is completely link state is OSPF.

Hybrid
Uses aspects of distance vector and link state, for example, EIGRP.

Distance-Vector Routing Protocols


The distance-vector routing algorithm passes complete routing tables to neighbor routers. The neighbor routers then combine the received routing table with their own routing tables to complete the internetwork map. This is called routing by rumor, because a router receiving an update from a neighbor router believes the information about remote networks without actually finding out for itself. It is possible to have a network that has multiple links to the same remote network. If that is the case, the administrative distance is first checked. If the administrative distance is the same, it will have to use other metrics to determine the best path to use to that remote network.


RIP uses only hop count to determine the best path to an internetwork. If RIP finds more than one link to the same remote network with the same hop count, it will automatically perform a round-robin load balance. RIP can perform load balancing for up to six equal-cost links. However, a problem with this type of routing metric arises when the two links to a remote network are different bandwidths but the same hop count. Figure below, for example, shows two links to remote network 172.16.50.0.

Since network 172.16.30.0 is a T1 link with a bandwidth of 1.544Mbps and network 172.16.20.0 is a 56K link, you would want the router to choose the T1 over the 56K link. However, since hop count is the only metric used with RIP routing, they would both be seen as equal-cost links. This is called pinhole congestion. It is important to understand what happens when a distance-vector routing protocol starts up. In Figure 6-3, the four routers start off with only their directly connected networks in the routing table. After a distance-vector routing protocol is started on each router, the routing tables are updated with all route information gathered from neighbor routers.

Figure
As shown in the figure, each router at first has only the directly connected networks in its routing table. Each router sends its complete routing table out to each active interface on the router. The routing table of each router includes the network number, exit interface, and hop count to the network. In the following figure, the routing tables are complete because they include information about all the networks in the internetwork. They are considered converged. When the routers are converging, no data is passed.


That's why fast convergence time is a plus. One of the problems with RIP, in fact, is its slow convergence time.

Figure
The routing tables in each router keep information regarding the network number, the interface to which the router will send packets out to get to the remote network, and the hop count or metric to the remote network.

Routing Loops
Distance-vector routing protocols keep track of any changes to the internetwork by broadcasting periodic routing updates to all active interfaces. This broadcast includes the complete routing table. This works fine, although it takes up CPU processing and link bandwidth. However, if a network outage happens, problems can occur. The slow convergence of distance-vector routing protocols can cause inconsistent routing tables and routing loops. Routing loops can occur because every router is not updated at close to the same time. Let's say that the interface to Network 5 in the figure below fails. All routers know about Network 5 from Router E. Router A, in its tables, has a path to Network 5 through Routers B, C, and E. When Network 5 fails, Router E tells Router C. This causes Router C to stop routing to Network 5 through Router E. But Routers A, B, and D don't know about Network 5 yet, so they keep sending out update information. Router C will eventually send out its update and cause B to stop routing to Network 5, but Routers A and D are still not updated. To them, it appears that Network 5 is still available through Router B with a metric of three.


Figure:
Router A sends out its regular 30-second "Hello, I'm still here, these are the links I know about" message, which includes reachability for Network 5. Routers B and D then receive the wonderful news that Network 5 can be reached from Router A, so they send out the information that Network 5 is available. Any packet destined for Network 5 will go to Router A, to Router B, and then back to Router A. This is a routing loop; how do you stop it?

Maximum Hop Count

The routing loop problem just described is called counting to infinity, and it's caused by gossip and wrong information being communicated and propagated throughout the internetwork. Without some form of intervention, the hop count increases indefinitely each time a packet passes through a router. One way of solving this problem is to define a maximum hop count. Distance vector (RIP) permits a hop count of up to 15, so anything that requires 16 hops is deemed unreachable. In other words, after a loop of 15 hops, Network 5 will be considered down. This means that counting to infinity will keep packets from going around the loop forever. Though this is a workable solution, it won't remove the routing loop itself. Packets will still go into the loop, but instead of traveling on unchecked, they'll whirl around for 16 bounces and die.

Split Horizon
Another solution to the routing loop problem is called split horizon. This reduces incorrect routing information and routing overhead in a distance-vector network by enforcing the rule that information cannot be sent back in the direction from which it was received. It would have prevented Router A from sending the updated information it received from Router B back to Router B.

Route Poisoning
Another way to avoid problems caused by inconsistent updates is route poisoning. For example, when Network 5 goes down, Router E initiates route poisoning by entering a table entry for Network 5 as 16, or unreachable (sometimes referred to as infinite). By this poisoning of the route to Network 5, Router C is not susceptible to incorrect updates about the route to Network 5. When Router C receives a route poisoning from Router E, it sends an update, called a poison reverse, back to Router E. This makes sure all routes on the segment have received the poisoned route information. Route poisoning, used with holddowns (discussed next), will speed up convergence time because neighboring routers don't have to wait 30 seconds (an eternity in computer land) before advertising the poisoned route.

Holddowns
And then there are holddowns. These prevent regular update messages from reinstating a route that has gone down. Holddowns also help prevent routes from changing too rapidly by allowing time for either the downed route to come back or the network to stabilize somewhat before changing to the next best route. These also tell routers to restrict, for a specific time period, any changes that might affect recently removed routes. This prevents inoperative routes from being prematurely restored to other routers' tables. When a router receives an update from a neighbor indicating that a previously accessible network is not working and is inaccessible, the holddown timer will start. If a new update arrives from a neighbor with a better metric than the original network entry, the holddown is removed and data is passed. However, if an update is received from a neighbor router before the holddown timer expires and it has a lower metric than the previous route, the update is ignored and the holddown timer keeps ticking. This allows more time for the network to converge. Holddowns use triggered updates, which reset the holddown timer, to alert the neighbor routers of a change in the network. Unlike regular update messages from neighbor routers, triggered updates create a new routing table that is sent immediately to neighbor routers because a change was detected in the internetwork.


There are three instances when triggered updates will reset the holddown timer:
1. The holddown timer expires.
2. The router receives a processing task proportional to the number of links in the internetwork.
3. Another update is received indicating the network status has changed.
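The startup convergence, the count-to-infinity loop on Network 5, the maximum hop count of 16 and split horizon with poison reverse described in the preceding sections can all be watched in one small simulation. The following is an added example, not code from the training document: the four-router chain A-B-C-E, the network names Net1 to Net5 and the failure of Net5 on Router E are constructed to mirror the walkthrough above (Router D is left out because the chain already reproduces the loop). Routers exchange their complete tables each round, believe whatever their current next hop tells them, and treat a hop count of 16 as unreachable.

```python
"""Distance-vector (RIP-style) routing simulation.

Added example, not code from the training document. The four-router chain,
the network names and the "Net5 goes down" event are constructed to mirror
the routing-loop walkthrough in the text: hop count is the only metric,
16 hops means unreachable, and split horizon with poison reverse is optional.
"""
from typing import Dict, Tuple

INFINITY = 16  # RIP: a hop count of 16 is "unreachable"

# Constructed topology: router -> {neighbour router: network they share}.
LINKS = {
    "A": {"B": "Net1"},
    "B": {"A": "Net1", "C": "Net2"},
    "C": {"B": "Net2", "E": "Net3"},
    "E": {"C": "Net3"},
}
STUB_NETS = {"E": ["Net5"]}  # stub networks attached to a single router


class Router:
    """Routing table entry per network: (next hop, hop count)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[str, Tuple[str, int]] = {}
        for net in list(LINKS[name].values()) + STUB_NETS.get(name, []):
            self.table[net] = ("direct", 0)

    def advertise(self, to_neighbor: str, split_horizon: bool) -> Dict[str, int]:
        """The update sent to one neighbour: the complete table, as RIP does."""
        update = {}
        for net, (next_hop, hops) in self.table.items():
            if split_horizon and next_hop == to_neighbor:
                # Poison reverse: a route learned from this neighbour is sent
                # back to it as unreachable instead of being echoed.
                update[net] = INFINITY
            else:
                update[net] = hops
        return update

    def receive(self, from_neighbor: str, update: Dict[str, int]) -> bool:
        """Merge a neighbour's update ("routing by rumour"); True if anything changed."""
        changed = False
        for net, adv_hops in update.items():
            hops = min(adv_hops + 1, INFINITY)
            cur = self.table.get(net)
            if cur is not None and cur[0] == "direct":
                continue  # directly connected routes are never overwritten
            if cur is None:
                accept = hops < INFINITY
            elif cur[0] == from_neighbor:
                accept = hops != cur[1]  # the current next hop is always believed
            else:
                accept = hops < cur[1]   # another neighbour must offer a better path
            if accept:
                self.table[net] = (from_neighbor, hops)
                changed = True
        return changed


def one_round(routers: Dict[str, Router], split_horizon: bool) -> bool:
    """One synchronous update cycle: every router sends to every neighbour."""
    msgs = [(r.name, nbr, r.advertise(nbr, split_horizon))
            for r in routers.values() for nbr in LINKS[r.name]]
    results = [routers[dst].receive(src, upd) for src, dst, upd in msgs]
    return any(results)  # checked only after every update has been applied


def converge(routers: Dict[str, Router], split_horizon: bool, limit: int = 60) -> int:
    """Run update rounds until nothing changes; return the rounds that changed something."""
    rounds = 0
    while rounds < limit and one_round(routers, split_horizon):
        rounds += 1
    return rounds


def build_network() -> Dict[str, Router]:
    """Start every router with only its connected networks, then converge."""
    routers = {name: Router(name) for name in LINKS}
    converge(routers, split_horizon=False)
    return routers


def fail_net5(split_horizon: bool) -> dict:
    """Take Net5 down on E and record how the hop count seen by A evolves."""
    routers = build_network()
    routers["E"].table["Net5"] = ("down", INFINITY)  # E poisons its own route
    peak, rounds = 0, 0
    while rounds < 60 and one_round(routers, split_horizon):
        rounds += 1
        hops = routers["A"].table["Net5"][1]
        if hops < INFINITY:
            peak = max(peak, hops)  # counting to infinity shows up here
    return {
        "rounds": rounds,
        "peak_hops_seen_by_A": peak,
        "final": {name: r.table["Net5"][1] for name, r in routers.items()},
    }
```

From a cold start the chain converges in three update rounds and Router A ends with Network 5 reachable via B at three hops, the metric the text quotes. After Net5 fails, without split horizon the stale route bounces between neighbours and A's hop count climbs 5, 7, 9 and so on until it hits 16 after fifteen rounds: that is the maximum hop count doing its job, and the loop only stops because of it. With split horizon and poison reverse the same failure is flushed from every table in three rounds, because no router ever advertises a route back to the neighbour it learned it from.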

Routing Information Protocol (RIP)


Routing Information Protocol (RIP) is a true distance-vector routing protocol. It sends the complete routing table out to all active interfaces every 30 seconds. RIP only uses hop count to determine the best way to a remote network, but it has a maximum allowable hop count of 15, meaning that 16 is deemed unreachable. RIP works well in small networks, but it is inefficient on large networks with slow WAN links or on networks with a large number of routers installed. RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask. This is because RIP version 1 does not send updates with subnet mask information in tow. RIP version 2 provides what is called prefix routing and does send subnet mask information with the route updates. This is called classless routing.

Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change. These updates are sent independently of the regularly scheduled updates that RIP routers send.

RIP Routing Metric


RIP uses a single routing metric (hop count) to measure the distance between the source and a destination network. Each hop in a path from source to destination is assigned a hop count value, which is typically 1. When a router receives a routing update that contains a new or changed destination network entry, the router adds 1 to the metric value indicated in the update and enters the network in the routing table. The IP address of the sender is used as the next hop.

RIP Stability Features


RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. If a router receives a routing update that contains a new or changed entry, and if increasing the metric value by 1 causes the metric to be infinity (that is, 16), the network destination is considered unreachable. The downside of this stability feature is that it limits the maximum diameter of a RIP network to less than 16 hops.

RIP Timers
RIP uses three different kinds of timers to regulate its performance:


Route update timer


Sets the interval (typically 30 seconds) between periodic routing updates, in which the router sends a complete copy of its routing table out to all neighbors.

Route invalid timer


Determines the length of time that must expire (90 seconds) before a router determines that a route has become invalid. It will come to this conclusion if it hasn't heard any updates about a particular route for that period. When that happens, the router will send out updates to all its neighbors letting them know that the route is invalid.

Route flush timer


Sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it is removed from the table, the router notifies its neighbors of that route's impending doom. The value of the route invalid timer must be less than that of the route flush timer. This is to provide the router with enough time to tell its neighbors about the invalid route before the routing table is updated.

RIP Version 2
RIP Version 2, defined by RFC 1723, is simply an improved version of RIP Version 1. Many features are the same: hop count is still used for the metric, it is still a distance-vector protocol, and it still uses holddown timers and route poisoning. Several features have been added, as listed in the following table.

Although all features of RIP-2 are important, certainly the one that allows RIP to continue to be a valid option in modern networks is the support of VLSM by including the subnet mask. The problems that RIP-1 and IGRP have because they lack this feature are removed with RIP-2. The updates sent by a RIP-2-enabled router are sent to multicast IP address 224.0.0.9, as opposed to a broadcast address; this allows devices that are not using RIP-2 to ignore the updates and not waste processing cycles.


Migration from RIP-1 to RIP-2 requires some planning. RIP-1 sends updates to the broadcast address, whereas RIP-2 uses a multicast. A RIP-1-only router and a RIP-2-only router will not succeed in exchanging routing information. To migrate to RIP-2, one option is to migrate all routers at the same time. This might not be a reasonable political or administrative option, however. If not, then some coexistence between RIP-1 and RIP-2 is required. The ip rip send version command can be used to overcome the problem. Essentially, the configuration tells the router whether to send RIP-1 style updates, RIP-2 style updates, or both for each interface.

Summary
Despite RIP's age and the emergence of more sophisticated routing protocols, it is far from obsolete. RIP is mature, stable, widely supported, and easy to configure. Its simplicity is well suited for use in stub networks and in small autonomous systems that do not have enough redundant paths to warrant the overheads of a more sophisticated protocol.

Interior Gateway Routing Protocol (IGRP)


Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary distance-vector routing protocol. This means that all your routers must be Cisco routers to use IGRP in your network. Cisco created this routing protocol to overcome the problems associated with RIP. IGRP has a maximum hop count of 255 with a default of 100. This is helpful in larger networks and solves the problem of there being only 15 hops maximum possible in a RIP network. IGRP also uses a different metric from RIP. IGRP uses bandwidth and delay of the line by default as a metric for determining the best route to an internetwork. This is called a composite metric. Reliability, load, and Maximum Transmission Unit (MTU) can also be used, although they are not used by default.

IGRP Timers
To control performance, IGRP includes the following timers with default settings:

Update timers
These specify how frequently routing-update messages should be sent. The default is 90 seconds.

Invalid timers
These specify how long a router should wait before declaring a route invalid if it doesn't receive a specific update about it. The default is three times the update period.

Holddown timers
These specify the holddown period. The default is three times the update timer period plus 10 seconds.

Flush timers
These indicate how much time should pass before a route should be flushed from the routing table. The default is seven times the routing update period.

RIP and IGRP Comparison


RIP and IGRP both use distance-vector logic, so they are very similar in many respects. A couple of major differences exist, however, and will be explained in the upcoming text. The following table outlines the features of RIP and IGRP.


The metric with IGRP is more robust than RIP's metric. The metric is calculated using the bandwidth and delay settings on the interface on which the update was received. By using bandwidth and delay, the metric is more meaningful; longer-hop routes over faster links can be considered better routes. The metric used by IP RIP is hop count. When an update is received, the metric for each subnet in the update signifies the number of routers between the router receiving the update and each subnet. Before sending an update, the router increments its metric for routes to each subnet by 1. In other words, a routing update includes metric values that tell the receiving router what its metrics should be. Finally, the issue of whether the mask is sent is particularly important if VLSMs in the same network are desired. This topic is discussed in the upcoming section "Configuration of RIP and IGRP".

RIP-1 and IGRP: No Subnet Masks


RIP-1 and IGRP do not transmit the subnet mask in the routing updates. Several subtle actions are taken in light of the lack of mask information in the update:
1. Updates sent out an interface in network X, when containing routes about subnets of network X, contain the subnet numbers of the subnets of network X but not the corresponding masks.
2. Updates sent out an interface in network X, when containing routes about subnets of network Y, are summarized into one route about the entire network Y.
3. When receiving a routing update containing routes referencing subnets of network X, the receiving router assumes that the mask in use is the same mask it uses on an interface with an address in network X.
4. When receiving an update about network X, if the receiving router has no interfaces in network X, it treats the route as a route to the entire Class A, B, or C network X.
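The four rules above can be made concrete by building the update a RIP-1/IGRP router would send out a given interface and then looking at how a receiver has to guess the mask. The following is an added example, not code from the training document; the interface addresses 172.16.1.1/24 and 10.1.1.1/24 and the routes in ROUTES are constructed. The last function shows the VLSM problem the text refers to: a receiver with a /24 interface in 172.16.0.0 will assume /24 for a subnet that was really advertised from a /22.

```python
"""RIP-1/IGRP classful update behaviour.

Added example, not code from the training document. The interface addresses
and routes are constructed; the logic follows the four rules in the text
(bare subnet numbers inside the outgoing interface's major network, one
summary per foreign major network, and the receiver's mask assumptions).
"""
import ipaddress
from typing import Iterable, List


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Class A/B/C network a bare address belongs to, derived from its first octet."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a Class A, B or C address")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_update(out_iface: str, routes: Iterable[str]) -> List[str]:
    """Entries advertised out `out_iface` (e.g. "172.16.1.1/24"); no masks are sent."""
    out_major = classful_network(str(ipaddress.ip_interface(out_iface).ip))
    advertised: List[str] = []
    for route in routes:
        net = ipaddress.ip_network(route, strict=False)
        major = classful_network(str(net.network_address))
        if major == out_major:
            entry = str(net.network_address)    # rule 1: subnet number only
        else:
            entry = str(major.network_address)  # rule 2: summarize to the major network
        if entry not in advertised:             # several subnets collapse into one summary
            advertised.append(entry)
    return advertised


def interpret_received(local_ifaces: Iterable[str], received: str) -> ipaddress.IPv4Network:
    """Mask a RIP-1/IGRP receiver assumes for a bare network number in an update."""
    major = classful_network(received)
    for iface in local_ifaces:
        i = ipaddress.ip_interface(iface)
        if classful_network(str(i.ip)) == major:
            # rule 3: borrow the mask of our own interface in that major network
            return ipaddress.ip_network(f"{received}/{i.network.prefixlen}", strict=False)
    return major  # rule 4: no interface there, so it is a route to the whole classful network


def vlsm_mismatch(local_ifaces: Iterable[str], received: str, true_prefix: int) -> bool:
    """True when the receiver's assumed mask differs from the sender's real mask."""
    return interpret_received(local_ifaces, received).prefixlen != true_prefix


# Constructed router: interfaces in 172.16.0.0 and 10.0.0.0, plus learned routes.
LOCAL_IFACES = ["172.16.1.1/24", "10.1.1.1/24"]
ROUTES = ["172.16.2.0/24", "172.16.3.0/24", "10.2.0.0/16", "10.3.0.0/16", "192.168.5.0/24"]
```

Sending the same table out the 172.16.1.1 interface and out the 10.1.1.1 interface produces two different updates: the 172.16 subnets appear as bare subnet numbers on the first and collapse to a single 172.16.0.0 on the second, while the 10.x subnets do the reverse. The mismatch check is the reason the text singles out the subnet mask as the feature that keeps RIP-2 usable.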

Hybrid Routing Protocol EIGRP (Enhanced Interior Gateway Routing Protocol)


This is the balanced hybrid protocol. Balanced hybrid is a term created by Cisco to describe the inner workings of EIGRP, which uses the Diffusing Update Algorithm (DUAL) for calculating routes. A balanced hybrid protocol exchanges more topology information than does a distance vector routing protocol, but it does not require full topology and does not require the computationally intensive Dijkstra algorithm for computing loop-free routes.


Enhanced IGRP Capabilities and Attributes


Key capabilities that distinguish Enhanced IGRP from other routing protocols include fast convergence, support for variable-length subnet masks, support for partial updates, and support for multiple network-layer protocols. A router running Enhanced IGRP stores all its neighbors' routing tables so that it can quickly adapt to alternate routes. If no appropriate route exists, Enhanced IGRP queries its neighbors to discover an alternate route. These queries propagate until an alternate route is found. Its support for variable-length subnet masks permits routes to be automatically summarized on a network number boundary. In addition, Enhanced IGRP can be configured to summarize on any bit boundary at any interface. Enhanced IGRP does not make periodic updates. Instead, it sends partial updates only when the metric for a route changes. Propagation of partial updates is automatically bounded so that only those routers that need the information are updated. As a result of these two capabilities, Enhanced IGRP consumes significantly less bandwidth than IGRP. Enhanced IGRP includes support for AppleTalk, IP, and Novell NetWare. The AppleTalk implementation redistributes routes learned from the Routing Table Maintenance Protocol (RTMP). The IP implementation redistributes routes learned from OSPF, Routing Information Protocol (RIP), IS-IS, Exterior Gateway Protocol (EGP), or Border Gateway Protocol (BGP). The Novell implementation redistributes routes learned from Novell RIP or Service Advertisement Protocol (SAP).

Underlying Processes and Technologies


To provide superior routing performance, Enhanced IGRP employs four key technologies that combine to differentiate it from other routing technologies: neighbor discovery/recovery, reliable transport protocol (RTP), DUAL finite-state machine, and protocol-dependent modules.

Neighbor discovery/recovery is used by routers to dynamically learn about other routers on their directly attached networks. Routers also must discover when their neighbors become unreachable or inoperative. This process is achieved with low overhead by periodically sending small hello packets. As long as a router receives hello packets from a neighboring router, it assumes that the neighbor is functioning, and the two can exchange routing information.

Reliable Transport Protocol (RTP) is responsible for guaranteed, ordered delivery of Enhanced IGRP packets to all neighbors. It supports intermixed transmission of multicast or unicast packets. For efficiency, only certain Enhanced IGRP packets are transmitted reliably. On a multiaccess network that has multicast capabilities, such as Ethernet, it is not necessary to send hello packets reliably to all neighbors individually. For that reason, Enhanced IGRP sends a single multicast hello packet containing an indicator that informs the receivers that the packet need not be acknowledged. Other types of packets, such as updates, indicate in the packet that acknowledgment is required. RTP contains a provision for sending multicast packets quickly when unacknowledged packets are pending, which helps ensure that convergence time remains low in the presence of varying speed links.

The DUAL finite-state machine embodies the decision process for all route computations by tracking all routes advertised by all neighbors. DUAL uses distance information to select efficient, loop-free paths and selects routes for insertion in a routing table based on feasible successors. A feasible successor is a neighboring router used for packet forwarding that is a least-cost path to a destination that is guaranteed not to be part of a routing loop. When a neighbor changes a metric, or when a topology change occurs, DUAL tests for feasible successors. If one is found, DUAL uses it to avoid recomputing the route unnecessarily. When no feasible successors exist but neighbors still advertise the destination, a recomputation (also known as a diffusing computation) must occur to determine a new successor.


Although recomputation is not processor-intensive, it does affect convergence time, so it is advantageous to avoid unnecessary recomputations. Protocol-dependent modules are responsible for network-layer protocol-specific requirements. The IP-Enhanced IGRP module, for example, is responsible for sending and receiving Enhanced IGRP packets that are encapsulated in IP. Likewise, IP-Enhanced IGRP is also responsible for parsing Enhanced IGRP packets and informing DUAL of the new information that has been received. IP-Enhanced IGRP asks DUAL to make routing decisions, the results of which are stored in the IP routing table. IP-Enhanced IGRP is responsible for redistributing routes learned by other IP routing protocols.

Routing Concepts
Enhanced IGRP relies on four fundamental concepts: neighbor tables, topology tables, route states, and route tagging. Each of these is summarized in the discussions that follow.

Neighbor Tables
When a router discovers a new neighbor, it records the neighbor's address and interface as an entry in the neighbor table. One neighbor table exists for each protocol-dependent module. When a neighbor sends a hello packet, it advertises a hold time, which is the amount of time a router treats a neighbor as reachable and operational. If a hello packet is not received within the hold time, the hold time expires and DUAL is informed of the topology change. The neighbor-table entry also includes information required by RTP. Sequence numbers are employed to match acknowledgments with data packets, and the last sequence number received from the neighbor is recorded so that out-of-order packets can be detected. A transmission list is used to queue packets for possible retransmission on a per-neighbor basis. Round-trip timers are kept in the neighbor-table entry to estimate an optimal retransmission interval.

Topology Tables
The topology table contains all destinations advertised by neighboring routers. The protocol-dependent modules populate the table, and the DUAL finite-state machine acts on the table. Each entry in the topology table includes the destination address and a list of neighbors that have advertised the destination. For each neighbor, the entry records the advertised metric, which the neighbor stores in its routing table. An important rule that distance-vector protocols must follow is that if the neighbor advertises this destination, it must use the route to forward packets. The metric that the router uses to reach the destination is also associated with the destination. The metric that the router uses in the routing table, and to advertise to other routers, is the sum of the best advertised metric from all neighbors, plus the link cost to the best neighbor.

Route States
A topology-table entry for a destination can exist in one of two states: active or passive. A destination is in the passive state when the router is not performing a recomputation, or in the active state when the router is performing a recomputation. If feasible successors are always available, a destination never has to go into the active state, thereby avoiding a recomputation. A recomputation occurs when a destination has no feasible successors. The router initiates the recomputation by sending a query packet to each of its neighboring routers. The neighboring router can send a reply packet, indicating it has a feasible successor for the destination, or it can send a query packet, indicating that it is participating in the recomputation. While a destination is in the active state, a router cannot change the destination's routing-table information. After the router has received a reply from each neighboring router, the topology-table entry for the destination returns to the passive state, and the router can select a successor.

Enhanced IGRP Packet Types


Enhanced IGRP uses the following packet types: hello and acknowledgment, update, and query and reply. Hello packets are multicast for neighbor discovery/recovery and do not require acknowledgment. An acknowledgment packet is a hello packet that has no data. Acknowledgment packets contain a non-zero acknowledgment number and always are sent by using a unicast address. Update packets are used to convey reachability of destinations. When a new neighbor is discovered, unicast update packets are sent so that the neighbor can build up its topology table. In other cases, such as a link-cost change, updates are multicast. Updates always are transmitted reliably. Query and reply packets are sent when a destination has no feasible successors. Query packets are always multicast. Reply packets are sent in response to query packets to instruct the originator not to recompute the route because feasible successors exist. Reply packets are unicast to the originator of the query. Both query and reply packets are transmitted reliably.

Selection of Routing Protocol


Selection of a routing protocol depends mainly on the size and complexity of the internetwork and the number of routers in it:
1. With very few routers in the network, it is advisable to administer routes manually, i.e. static routing.
2. With a few more routers and little complexity, it is advisable to go for distance-vector routing, i.e. RIP or IGRP.
3. With a large number of routers and more complexity, such as different kinds of links between the routers, it is advisable to go for link-state or hybrid routing, i.e. OSPF or EIGRP.

Configuring Routing Protocol


Configuration of RIP, IGRP, OSPF, EIGRP

Command                                      Configuration Mode
router rip                                   Global
router igrp process-id                       Global
router ospf process-id                       Global
router eigrp process-id                      Global
network ip-address                           Router subcommand
passive-interface ip-address-of-interface    Router subcommand
maximum-paths x                              Router subcommand
variance multiplier                          Router subcommand
traffic-share { balanced / min }             Router subcommand


Each network command enables RIP or IGRP on a set of interfaces. The network command causes the following three functions to be performed:
1. Routing updates are broadcast or multicast out an interface.
2. Routing updates are processed if they enter that same interface.
3. The subnet directly connected to that interface is advertised.
The network command matches some of the interfaces on a router; the interfaces matched by the network command have the three functions just mentioned performed on them. The passive-interface command can be used to cause the router to listen for RIP/IGRP and advertise the connected subnet, but not to send RIP/IGRP updates on the interface.

By default, the IOS supports four equal-cost routes to the same IP subnet in the routing table at the same time. This number can be changed to between 1 and 6 using the ip maximum-paths x router configuration subcommand, where x is the maximum number of routes to any subnet. As mentioned earlier, packets are balanced on a per-destination-address basis by default; packets can also be balanced on a packet-by-packet basis, but at a performance penalty.

The metric formula used for IGRP (and EIGRP) poses an interesting problem when considering equal-metric routes. IGRP can learn more than one route to the same subnet, with different metrics; however, the metrics are very unlikely ever to be exactly equal. The variance router subcommand is used to define how variable the metrics can be for routes to be considered to have equal metrics. The parameter to the command (the multiplier) is multiplied by the lowest of the received metrics for a particular subnet. Any routes with a metric less than the product of the best metric times the multiplier are considered to be equal. Some rather interesting twists in logic must be considered when deciding whether to use one or multiple equal-cost routes with IGRP.
If maximum-paths is set to 1, then the first of these equal-cost routes learned to each subnet is placed into the routing table. However, this could be the route with the largest metric. To avoid that, maximum-paths could be left at its default of 4 or could be coded as some other number; in addition, the variance command can be used to define how close the metrics must be in value to be considered equal. However, in that case, some of the traffic will flow over the routes with the best metric, and some will flow over the route with the worst metric. Neither situation seems to be optimal. A different, and possibly better, alternative is to use the traffic-share min router IGRP subcommand in conjunction with maximum-paths and variance. This command tells the router to add the multiple routes to the routing table, but to send traffic only over the route with the smallest metric. This allows all routes to each subnet to be in the routing table, which is an advantage for faster convergence. However, all traffic goes across the lowest-metric route that is currently in the routing table. The traffic-share balanced command, which is the default, tells the router to use all the routes proportionally based on the metrics for each route.

How Does Load-Balancing Work?


Load balancing is a concept that allows a router to take advantage of multiple best paths to a given destination. The paths are derived either statically or with dynamic protocols such as RIP, EIGRP, OSPF, and IGRP. When a router learns multiple routes to a specific network via multiple routing processes (or routing protocols), it installs the route with the lowest administrative distance in the routing table. Sometimes the router must select a route from among many learned via the same routing process with the same administrative distance. In this case, the router chooses the path with the lowest cost (or metric) to the destination. Each routing process calculates its cost differently, and the costs may need to be manipulated in order to achieve load balancing. If the router receives and installs multiple paths with the same administrative distance and cost to a destination, load balancing can occur. Every routing protocol supports equal-cost path load balancing. IGRP and EIGRP also support unequal-cost path load balancing, which is configured with the variance command. The variance <n> command instructs the router to include routes with a metric less than or equal to n times the minimum metric route for that destination, where n is the multiplier specified by the command. Traffic is also distributed among the links with respect to the metric. Note: if a path isn't a feasible successor, then it isn't used in load balancing. Let's look at an example. In the figure below, there are three ways to get to Network X:
E-B-A with a metric of 30
E-C-A with a metric of 20
E-D-A with a metric of 45


Router E chooses the second path, E-C-A with a metric of 20, because 20 is better than 30 and 45. To instruct EIGRP to use the path E-B-A as well, configure variance with a multiplier of 2:

router eigrp 1
 network x.x.x.x
 variance 2

This raises the acceptable metric ceiling to 40 (2 * 20 = 40). EIGRP includes all routes that have a metric less than or equal to 40 and are feasible successors. With this configuration, EIGRP now uses two paths to get to Network X, E-C-A and E-B-A, because both have a metric at or below 40. EIGRP does not use path E-D-A: its metric of 45 exceeds 40, and it is not a feasible successor in any case, because the reported distance of neighbor D (25) is greater than the feasible distance (20). Let's look at the traffic share count for this example:

For path E-C-A: 30/20 = 1.5, which rounds down to 1
For path E-B-A: 30/30 = 1

The traffic share count is the largest metric among the installed paths divided by each path's own metric; since the ratio is not always an integer, it is rounded down to the nearest integer. In this example EIGRP sends one packet to E-C-A and one packet to E-B-A.

Now assume the metric between E and B is 25 and between B and A is 15. The E-B-A metric would be 40 and the traffic share count ratio would be:

For path E-C-A: 40/20 = 2
For path E-B-A: 40/40 = 1

In this situation EIGRP sends two packets to E-C-A for every one packet to E-B-A. In this way, EIGRP provides not only unequal-cost path load balancing, but load balancing weighted by the quality of each path.
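The variance selection and traffic-share arithmetic above, carried through in code. This is an added worked example, not code from the training material or from Cisco. The metrics 30/20/45 and neighbor D's reported distance of 25 are the ones in the Network X example; the reported distances assumed for neighbors B and C are illustrative, because the text does not give them.

```python
"""EIGRP unequal-cost load balancing: which paths the variance command admits
and how the traffic-share counts follow from their metrics.

Added worked example; it is not code from the training material or from Cisco.
Metrics 30/20/45 and neighbor D's reported distance of 25 come from the
Network X example above. The reported distances assumed for neighbors B and C
are illustrative, since the text does not give them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    via: str        # next-hop neighbor (B, C or D in the example)
    metric: int     # this router's total metric to the destination
    reported: int   # the neighbor's own metric to the destination (RD)


def feasible_distance(paths):
    """FD is the lowest metric among all candidate paths (the successor's)."""
    return min(p.metric for p in paths)


def select_paths(paths, variance=1):
    """Paths that go into the routing table: every path whose metric is at most
    variance * FD AND whose reported distance is below FD (the feasibility
    condition). A path that fails the feasibility condition is never used, no
    matter how generous the variance, because it could be a loop."""
    fd = feasible_distance(paths)
    limit = variance * fd
    return [p for p in paths if p.metric <= limit and p.reported < fd]


def traffic_share(selected, mode="balanced"):
    """Traffic-share count per installed path.

    balanced (the default, traffic-share balanced): largest installed metric
    divided by each path's metric, rounded down, so better paths carry more.
    min (traffic-share min): only the lowest-metric path carries traffic; the
    others stay in the table for faster convergence but get a count of 0."""
    worst = max(p.metric for p in selected)
    best = min(p.metric for p in selected)
    counts = {}
    for p in selected:
        if mode == "min":
            counts[p.via] = 1 if p.metric == best else 0
        else:
            counts[p.via] = worst // p.metric
    return counts


# Constructed from the example: Router E's three paths to Network X.
PATHS_TO_X = [
    Path("B", metric=30, reported=15),   # RD 15 is an assumption
    Path("C", metric=20, reported=10),   # RD 10 is an assumption
    Path("D", metric=45, reported=25),   # RD 25 is given in the text
]


def example(variance=2, paths=PATHS_TO_X, mode="balanced"):
    """Return (sorted next hops installed, traffic-share counts)."""
    selected = select_paths(paths, variance)
    return sorted(p.via for p in selected), traffic_share(selected, mode)


if __name__ == "__main__":
    print(example(1))            # (['C'], {'C': 1})
    print(example(2))            # (['B', 'C'], {'B': 1, 'C': 1})
    # Second scenario from the text: E-B = 25, B-A = 15, so E-B-A = 40.
    alt = [Path("B", 40, 15), Path("C", 20, 10), Path("D", 45, 25)]
    print(example(2, alt))       # (['B', 'C'], {'B': 1, 'C': 2})
```

Raising the variance to 3 still leaves E-D-A out: 45 is within 3 * 20 = 60, but D's reported distance of 25 is not below the feasible distance of 20, so the feasibility condition, not the variance, decides.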

IP Enhanced IGRP Route Authentication


Description
This feature provides MD5 authentication of routing updates from the IP Enhanced IGRP routing protocol. The MD5 keyed digest in each IP Enhanced IGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

Prerequisites
Before you can enable Enhanced IGRP route authentication, you must enable IP Enhanced IGRP.

Configuration Tasks
To enable authentication of IP Enhanced IGRP packets, perform the following tasks beginning in interface configuration mode:

Step 1 - Enable MD5 authentication in IP Enhanced IGRP packets:
        ip authentication mode eigrp autonomous-system md5
Step 2 - Enable authentication of IP Enhanced IGRP packets:
        ip authentication key-chain eigrp autonomous-system key-chain
Step 3 - Exit to global configuration mode:
        exit
Step 4 - Identify a key chain (match the name configured in Step 2):
        key chain name-of-chain
Step 5 - In key chain configuration mode, identify the key number:
        key number
Step 6 - In key chain key configuration mode, identify the key string:
        key-string text
Step 7 - Optionally specify the time period during which the key can be received:
        accept-lifetime start-time {infinite | end-time | duration seconds}
Step 8 - Optionally specify the time period during which the key can be sent:
        send-lifetime start-time {infinite | end-time | duration seconds}
Each key has its own key identifier (specified with the key number command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use. You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.

Configuration Example
The following example enables MD5 authentication on IP Enhanced IGRP packets in autonomous system 1. The figure below shows the scenario.

Figure: Enhanced IGRP Route Authentication Scenario

Router A:

ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 holly
key chain holly
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 04:48:00 Dec 4 1996
  exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite

Router B:

ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 mikel
key chain mikel
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 infinite
  exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite

Router A will accept and attempt to verify the MD5 digest of any Enhanced IGRP packet carrying key ID 1. It will also accept a packet carrying key ID 2. All other MD5 packets will be dropped. Router A will send all Enhanced IGRP packets with key 2 once the send lifetime of key 1 ends at 04:48; during the 04:45 to 04:48 overlap it still sends with key 1, the lowest-numbered valid key. Router B will accept key 1 or key 2, and will send key 1. In this scenario, MD5 authentication succeeds in both directions. Note that the key strings live in the router configuration: anyone who can read the configuration (for example, from an unprotected backup) can forge authenticated updates, so treat configuration files as the shared secrets they contain.
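The key-lifetime behaviour of the Router A / Router B example, modelled in code so the overlap window can be seen. This is an added example, not code from the training material or from Cisco IOS; it implements only the selection rules described above (send with the lowest-numbered key whose send-lifetime is current, accept a packet if its key ID names a key whose accept-lifetime is current) and leaves the packet format and the digest out of scope. The times are the ones in the example configuration.

```python
"""Key-chain lifetimes for EIGRP MD5 authentication: which key a router sends
with at a given moment, and which key ids it will accept.

Added example; it is not code from the training material or from Cisco IOS.
It models only the selection rules described above (send with the
lowest-numbered key whose send-lifetime is current; accept a packet if the key
id it carries names a key whose accept-lifetime is current). The packet format
and the digest itself are out of scope here. Times below are the ones from the
Router A / Router B example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Key:
    number: int
    key_string: str
    accept_start: datetime
    accept_end: Optional[datetime]   # None stands for "infinite"
    send_start: datetime
    send_end: Optional[datetime]     # None stands for "infinite"

    @staticmethod
    def _within(start, end, now):
        return start <= now and (end is None or now <= end)

    def can_send(self, now):
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now):
        return self._within(self.accept_start, self.accept_end, now)


def send_key(chain, now):
    """Key numbers are examined lowest to highest; the first key whose
    send-lifetime covers 'now' is used, and only one authenticated packet is
    sent."""
    for key in sorted(chain, key=lambda k: k.number):
        if key.can_send(now):
            return key
    return None


def accept_key(chain, key_id, now):
    """Receiver side: the key id carried in the packet selects the key; it is
    usable only inside its accept-lifetime. Anything else is dropped."""
    for key in chain:
        if key.number == key_id and key.can_accept(now):
            return key
    return None


def at(text):
    """Parse times written the way IOS shows them: HH:MM:SS Mon D YYYY."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


ALWAYS = datetime.min   # models "accept-lifetime infinite" in the example

ROUTER_A = [
    Key(1, "0987654321", ALWAYS, None, at("04:00:00 Dec 4 1996"), at("04:48:00 Dec 4 1996")),
    Key(2, "1234567890", ALWAYS, None, at("04:45:00 Dec 4 1996"), None),
]
ROUTER_B = [
    Key(1, "0987654321", ALWAYS, None, at("04:00:00 Dec 4 1996"), None),
    Key(2, "1234567890", ALWAYS, None, at("04:45:00 Dec 4 1996"), None),
]


def exchange(sender, receiver, now):
    """One update from sender to receiver at time 'now'.
    Returns (key id used, True if the receiver holds a matching key string)."""
    k = send_key(sender, now)
    if k is None:
        return None, False
    r = accept_key(receiver, k.number, now)
    return k.number, r is not None and r.key_string == k.key_string


if __name__ == "__main__":
    for t in ("04:30:00", "04:46:00", "05:00:00"):
        now = at(f"{t} Dec 4 1996")
        print(t, "A->B", exchange(ROUTER_A, ROUTER_B, now),
              "B->A", exchange(ROUTER_B, ROUTER_A, now))
```

The three-minute overlap of the send lifetimes is what makes the rollover seamless: between 04:45 and 04:48 Router A still sends key 1 (the lowest valid number), and Router B accepts either key throughout, so no update is ever rejected. Before 04:00 Router A has no sendable key at all and the neighbour relationship would not form.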


Configuring Summary Aggregate Addresses


You can configure a summary aggregate address for a specified interface. If any more specific routes are in the routing table, EIGRP will advertise the summary address out the interface with a metric equal to the minimum of all more specific routes. To configure a summary aggregate address, use the following command in interface configuration mode:

Command: Router(config-if)# ip summary-address eigrp autonomous-system-number ip-address mask
Purpose: Configures a summary aggregate address.

Route Summarization Example


The following example configures route summarization on the interface and also controls the automatic summary feature. This configuration causes EIGRP to summarize network 10.0.0.0 out Ethernet interface 0 only. In addition, automatic summarization is disabled, so the subnets of 172.16.0.0 are not collapsed into a classful summary at major network boundaries.

interface Ethernet 0
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0
!
router eigrp 1
 network 172.16.0.0
 no auto-summary


Troubleshooting Routing Protocol

Command                          Function
show ip route                    Shows the entire routing table, or one entry if a subnet is entered
show ip protocols                Shows routing protocol parameters and current timer values
debug ip rip                     Issues log messages for each RIP update
debug ip igrp transactions       Issues log messages with details of the IGRP updates
debug ip igrp events             Issues log messages for each IGRP packet
show ip ospf neighbor detail     Shows details of neighboring OSPF routers
show ip ospf database            Shows the topological database generated by OSPF
debug ip ospf events             Issues log messages for each OSPF packet
show ip eigrp neighbors          Shows details of neighboring EIGRP routers
show ip eigrp topology           Shows the topological database generated by EIGRP
debug ip eigrp                   Issues log messages for each EIGRP packet

Link State Routing Protocol OSPF ( Open Shortest Path First )


One type of routing protocol is the link-state protocol. Link-state protocols use a topological database that is created on each router; entries describing each router, each router's attached links, and each router's neighboring routers are included in the database. Each router builds a complete map of the network. The topology database is processed by the Dijkstra shortest path first (SPF) algorithm to choose the best routes to add to the routing table. This detailed topology information, together with the Dijkstra algorithm, helps link-state protocols avoid loops and converge quickly.

Routing Hierarchy
Unlike RIP, OSPF can operate within a hierarchy. The largest entity within the hierarchy is the autonomous system (AS), which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs. An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. These routers, which are called area border routers, maintain separate topological databases for each area. A topological database is essentially an overall picture of networks in relationship to routers. The topological database contains the collection of LSAs received from all routers in the same area. Because routers within the same area share the same information, they have identical topological databases. The term domain is sometimes used to describe a portion of the network in which all routers have identical topological databases. Domain is frequently used interchangeably with AS. An area's topology is invisible to entities outside the area. By keeping area topologies separate, OSPF passes less routing traffic than it would if the AS were not partitioned. Area partitioning creates two different types of OSPF routing, depending on whether the source and destination are in the same or different areas. Intra-area routing occurs when the source and destination are in the same area; inter-area routing occurs when they are in different areas. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers.


Figure shows an example of an internetwork with several areas.

Figure
In the figure 6-6, Routers 4, 5, 6, 10, 11, and 12 make up the backbone. If Host H1 in Area 3 wants to send a packet to Host H2 in area 2, the packet is sent to Router 13, which forwards the packet to Router 12, which sends the packet to Router 11. Router 11 then forwards the packet along the backbone to area border Router 10, which sends the packet through two intra-area routers (Router 9 and Router 7) to be forwarded to Host H2. The backbone itself is an OSPF area, so all backbone routers use the same procedures and algorithms to maintain routing information within the backbone that any area router would. The backbone topology is invisible to all intra-area routers, as are individual area topologies to the backbone. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links. AS border routers running OSPF learn about exterior routes through exterior gateway protocols (EGPs), such as Exterior Gateway Protocol (EGP) or Border Gateway Protocol (BGP), or through configuration information. The OSPF protocol is based on link-state technology which is a departure from the Bellman-Ford vector based algorithms used in traditional Internet routing protocols such as RIP. OSPF has introduced new concepts such as authentication of routing updates, Variable Length Subnet Masks (VLSM), route summarization, etc.

In the following chapters we will discuss the OSPF terminology, the algorithm, and the pros and cons of the protocol in designing the large and complicated networks of today.

OSPF versus RIP

The rapid growth and expansion of today's networks has pushed RIP to its limits. RIP has certain limitations that could cause problems in large networks:

- RIP has a limit of 15 hops. A RIP network that spans more than 15 hops (15 routers) is considered unreachable.
- RIP cannot handle Variable Length Subnet Masks (VLSM). Given the shortage of IP addresses and the flexibility VLSM gives in the efficient assignment of IP addresses, this is considered a major flaw.
- Periodic broadcasts of the full routing table consume a large amount of bandwidth. This is a major problem in large networks, especially on slow links and WAN clouds.
- RIP converges more slowly than OSPF. In large networks convergence takes on the order of minutes. RIP routers go through a period of hold-down and garbage collection and slowly time out information that has not been received recently. This is inappropriate in large environments and can cause routing inconsistencies.
- RIP has no concept of network delays and link costs. Routing decisions are based on hop counts. The path with the lowest hop count to the destination is always preferred, even if a longer path has better aggregate link bandwidth and lower delay.
- RIP networks are flat networks. There is no concept of areas or boundaries. With the introduction of classless routing and the intelligent use of aggregation and summarization, RIP networks have fallen behind.

Some enhancements were introduced in a new version of RIP called RIP2. RIP2 addresses the issues of VLSM, authentication, and multicast routing updates. RIP2 is not a big improvement over RIP (now called RIP 1) because it still has the hop-count limit and the slow convergence, both of which matter in today's large networks.
OSPF, on the other hand, addresses most of the issues presented above:

- With OSPF, there is no limitation on the hop count.
- The intelligent use of VLSM is very useful in IP address allocation.
- OSPF uses IP multicast to send link-state updates. This means less processing on routers that are not listening to OSPF packets. Also, updates are sent only when routing changes occur rather than periodically, which makes better use of bandwidth.
- OSPF converges faster than RIP, because routing changes are propagated immediately rather than periodically.
- OSPF allows for better load balancing.
- OSPF allows for a logical definition of networks where routers can be divided into areas. This limits the explosion of link-state updates over the whole network and provides a mechanism for aggregating routes, cutting down on the unnecessary propagation of subnet information.
- OSPF allows for routing authentication using different methods of password authentication.

This, of course, leads to more complexity in configuring and troubleshooting OSPF networks. Administrators used to the simplicity of RIP will be challenged by the amount of new information they have to learn in order to keep up with OSPF networks. OSPF also introduces more overhead in memory allocation and CPU utilization; some routers running RIP might have to be upgraded in order to handle the overhead caused by OSPF.


What Do We Mean by Link-States?


OSPF is a link-state protocol. We could think of a link as being an interface on the router. The state of the link is a description of that interface and of its relationship to its neighboring routers. A description of the interface would include, for example, the IP address of the interface, the mask, the type of network it is connected to, the routers connected to that network and so on. The collection of all these link-states would form a link-state database.

Link-State Algorithm
OSPF uses a link-state algorithm in order to build and calculate the shortest path to all known destinations. The algorithm by itself is quite complicated. The following is a very high level, simplified way of looking at the various steps of the algorithm:

1. Upon initialization or due to any change in routing information, a router will generate a link-state advertisement. This advertisement will represent the collection of all link-states on that router.
2. All routers will exchange link-states by means of flooding. Each router that receives a link-state update should store a copy in its link-state database and then propagate the update to other routers.
3. After the database of each router is completed, the router will calculate a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations will form the IP routing table.
4. In case no changes in the OSPF network occur, such as the cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated via link-state packets, and the Dijkstra algorithm is recalculated to find the shortest path.

Shortest Path Algorithm


The shortest path is calculated using the Dijkstra algorithm. The algorithm places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost required to reach that destination. Each router will have its own view of the topology even though all the routers will build a shortest path tree using the same link-state database. The following sections indicate what is involved in building a shortest path tree.

OSPF Cost
The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface: a higher bandwidth means a lower cost. There is more overhead (higher cost) and more delay involved in crossing a 56k serial line than crossing a 10M Ethernet line. The formula used to calculate the cost is:

cost = 100000000 / bandwidth in bps

For example, it will cost 10^8 / 10^7 = 10 to cross a 10M Ethernet line and 10^8 / 1544000 = 64 to cross a T1 line. The result is truncated to an integer and never goes below 1, so with the default reference bandwidth of 10^8 every link of 100 Mbps or faster gets the same cost of 1. By default, the cost of an interface is calculated from the bandwidth; you can override it with the ip ospf cost <value> interface sub-command.


Shortest Path Tree


Assume we have the following network diagram with the indicated interface costs. In order to build the shortest path tree for RTA, we would have to make RTA the root of the tree and calculate the smallest cost for each destination.

The above is the view of the network as seen from RTA. Note the direction of the arrows in calculating the cost. For example, the cost of RTB's interface to network 128.213.0.0 is not relevant when calculating the cost to 192.213.11.0. RTA can reach 192.213.11.0 via RTB with a cost of 15 (10+5). RTA can also reach 222.211.10.0 via RTC with a cost of 20 (10+10) or via RTB with a cost of 20 (10+5+5). In case equal cost paths exist to the same destination, Cisco's implementation of OSPF will keep track of up to six next hops to the same destination. After the router builds the shortest path tree, it will start building the routing table accordingly. Directly connected networks will be reached via a metric (cost) of 0 and other networks will be reached according to the cost calculated in the tree.
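The shortest path tree computation described above, as an added example that is not part of the training material. It runs Dijkstra from RTA over directed interface costs and keeps every equal-cost next hop, reproducing the costs quoted in the text (192.213.11.0 via RTB at 15; 222.211.10.0 at 20 via RTC and at 20 via RTB). Since the figure is not reproduced here, the intermediate router RTD and the 5 + 5 split between RTB and 222.211.10.0 are assumptions; the cost-from-bandwidth helper follows the formula in the OSPF Cost section.

```python
"""OSPF shortest path tree from RTA's point of view: Dijkstra over directed
interface costs, keeping every equal-cost next hop, together with the default
cost-from-bandwidth rule.

Added example; not code from the training material. The topology reproduces
the costs quoted above (192.213.11.0 via RTB = 15; 222.211.10.0 = 20 via RTC
and 20 via RTB). Router RTD and the 5 + 5 split between RTB and 222.211.10.0
are assumptions, because the figure itself is not reproduced in the text.
"""
import heapq


def ospf_cost(bandwidth_bps, reference_bps=100_000_000):
    """Default interface cost: reference bandwidth / interface bandwidth,
    truncated to an integer and never below 1. With the default reference of
    10^8, every link of 100 Mbps or faster ends up with cost 1."""
    return max(1, reference_bps // bandwidth_bps)


# (from, to, cost of the OUTGOING interface on 'from'). Return-direction costs
# do not influence RTA's tree, as the text points out.
TOPOLOGY = [
    ("RTA", "RTB", 10),
    ("RTA", "RTC", 10),
    ("RTB", "192.213.11.0", 5),
    ("RTB", "RTD", 5),            # RTD is an assumed intermediate router
    ("RTD", "222.211.10.0", 5),
    ("RTC", "222.211.10.0", 10),
]


def shortest_path_tree(edges, root):
    """Return {destination: (cost, set of first hops from root)}.
    Equal-cost paths are recorded rather than discarded, which is what lets
    OSPF install more than one next hop for a destination."""
    adj = {}
    for src, dst, cost in edges:
        adj.setdefault(src, []).append((dst, cost))
    best = {root: 0}
    first_hops = {root: set()}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                      # stale heap entry
        for nbr, link_cost in adj.get(node, []):
            new_cost = cost + link_cost
            # first hop towards nbr: nbr itself when leaving the root,
            # otherwise whichever first hop(s) got us to 'node'
            hops = {nbr} if node == root else first_hops[node]
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                first_hops[nbr] = set(hops)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == best[nbr]:
                first_hops[nbr] |= hops   # equal-cost path: keep both
    return {d: (best[d], first_hops[d]) for d in best if d != root}


def routing_table(edges, root):
    """Routes for the network destinations (dotted names) in the tree."""
    tree = shortest_path_tree(edges, root)
    return {d: v for d, v in tree.items() if "." in d}


if __name__ == "__main__":
    for net, (cost, hops) in sorted(routing_table(TOPOLOGY, "RTA").items()):
        print(f"{net:15} cost {cost:3} via {sorted(hops)}")
    print("10M Ethernet:", ospf_cost(10_000_000), " T1:", ospf_cost(1_544_000))
```

Because predecessors always have strictly lower cost than the node they lead to, a node's set of first hops is complete by the time it is popped, so the equal-cost merge never has to be revisited. The ospf_cost helper also shows the practical wrinkle from the cost formula: Fast Ethernet and Gigabit Ethernet both come out at 1 unless the reference bandwidth is raised consistently on every router.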

Areas and Border Routers


As previously mentioned, OSPF uses flooding to exchange link-state updates between routers. Any change in routing information is flooded to all routers in the network. Areas are introduced to put a boundary on the explosion of link-state updates. Flooding and calculation of the Dijkstra algorithm on a router is limited to changes within an area. All routers within an area have an identical link-state database. Routers that belong to multiple areas, called area border routers (ABR), have the duty of disseminating routing information or routing changes between areas.


An area is interface specific. A router that has all of its interfaces within the same area is called an internal router (IR). A router that has interfaces in multiple areas is called an area border router (ABR). Routers that act as gateways (redistribution) between OSPF and other routing protocols (IGRP, EIGRP, IS-IS, RIP, BGP, static) or other instances of the OSPF routing process are called autonomous system border routers (ASBR). Any router can be an ABR or an ASBR.

Link-State Packets
There are different types of Link State Packets, those are what you normally see in an OSPF database (Appendix A). The different types are illustrated in the following diagram:


As indicated above, the router links are an indication of the state of the interfaces on a router belonging to a certain area. Each router will generate a router link for all of its interfaces. Summary links are generated by ABRs; this is how network reachability information is disseminated between areas. Normally, all information is injected into the backbone (area 0) and in turn the backbone will pass it on to other areas. ABRs also have the task of propagating the reachability of the ASBR. This is how routers know how to get to external routes in other ASs. Network Links are generated by a Designated Router (DR) on a segment (DRs will be discussed later). This information is an indication of all routers connected to a particular multi-access segment such as Ethernet, Token Ring and FDDI (NBMA also). External Links are an indication of networks outside of the AS. These networks are injected into OSPF via redistribution. The ASBR has the task of injecting these routes into an autonomous system.

Enabling OSPF on the Router


Enabling OSPF on the router involves the following two steps in config mode:

1) Enabling an OSPF process using the router ospf <process-id> command.
2) Assigning areas to the interfaces using the network <network or IP address> <mask> <area-id> command.

The OSPF process-id is a numeric value local to the router. It does not have to match process-ids on other routers. It is possible to run multiple OSPF processes on the same router, but this is not recommended as it creates multiple database instances that add extra overhead to the router.


The network command is a way of assigning an interface to a certain area. The mask is used as a shortcut and helps put a list of interfaces in the same area with one configuration line. The mask contains wildcard bits where 0 is a match and 1 is a "do not care" bit, e.g. 0.0.255.255 indicates a match in the first two bytes of the network number. The area-id is the area number we want the interface to be in. The area-id can be an integer between 0 and 4294967295 or can take a form similar to an IP address, A.B.C.D.

Here's an example:

RTA#
interface Ethernet0
 ip address 192.213.11.1 255.255.255.0
interface Ethernet1
 ip address 192.213.12.2 255.255.255.0
interface Ethernet2
 ip address 128.213.1.1 255.255.255.0
router ospf 100
 network 192.213.0.0 0.0.255.255 area 0.0.0.0
 network 128.213.1.1 0.0.0.0 area 23

The first network statement puts both E0 and E1 in the same area 0.0.0.0, and the second network statement puts E2 in area 23. Note the mask of 0.0.0.0, which indicates a full match on the IP address. This is an easy way to put an interface in a certain area if you are having problems figuring out a mask.
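The wildcard matching performed by the network statements above, as an added example that is not code from the training material or from IOS. It takes RTA's interface addresses and network statements and works out which area each interface lands in, normalising integer and dotted area IDs to the same form. Where statements overlap, this code prefers the most specific wildcard (fewest don't-care bits); confirm that ordering rule against the IOS release you run.

```python
"""OSPF 'network' statement matching: wildcard bits (0 = must match,
1 = don't care) decide which interface goes into which area.

Added example; not code from the training material or from IOS. The interface
addresses and network statements are RTA's from the configuration above. Where
statements overlap, this code prefers the most specific wildcard (fewest
don't-care bits); confirm that ordering rule against the IOS release you run.
"""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(interface_ip, network, wildcard):
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are
    ignored. 0.0.0.0 therefore means 'this exact address'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(interface_ip) & care) == (to_int(network) & care)


def dont_care_bits(wildcard):
    return bin(to_int(wildcard)).count("1")


def area_id_dotted(area):
    """Area ids may be typed as an integer or as A.B.C.D; both name the same
    area (23 is 0.0.0.23), so normalise before comparing."""
    area = str(area)
    if "." in area:
        return str(ipaddress.IPv4Address(area))
    return str(ipaddress.IPv4Address(int(area)))


def assign_areas(interfaces, statements):
    """interfaces: {name: primary ip}; statements: [(network, wildcard, area)].
    Returns {name: dotted area id, or None if no statement matches}."""
    ordered = sorted(statements, key=lambda s: dont_care_bits(s[1]))
    result = {}
    for name, ip in interfaces.items():
        result[name] = None
        for network, wildcard, area in ordered:
            if matches(ip, network, wildcard):
                result[name] = area_id_dotted(area)
                break
    return result


# RTA's interfaces and network statements, from the example above.
RTA_INTERFACES = {
    "Ethernet0": "192.213.11.1",
    "Ethernet1": "192.213.12.2",
    "Ethernet2": "128.213.1.1",
}
RTA_STATEMENTS = [
    ("192.213.0.0", "0.0.255.255", "0.0.0.0"),
    ("128.213.1.1", "0.0.0.0", "23"),
]


if __name__ == "__main__":
    print(assign_areas(RTA_INTERFACES, RTA_STATEMENTS))
    # A common slip: typing a subnet mask where a wildcard belongs. With
    # 255.255.0.0 only the last two octets have to match, so nothing on
    # 192.213.x.y is picked up by "network 192.213.0.0 255.255.0.0".
    print(matches("192.213.11.1", "192.213.0.0", "255.255.0.0"))
```

The last line in the example is the check worth remembering: a subnet mask typed in place of a wildcard does not fail loudly, it simply inverts which bits have to match, and the interface silently stays out of OSPF.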

OSPF Authentication
It is possible to authenticate the OSPF packets such that routers can participate in routing domains based on predefined passwords. By default, a router uses Null authentication, which means that routing exchanges over a network are not authenticated. Two other authentication methods exist: Simple password authentication and Message Digest authentication (MD5).

Simple Password Authentication


Simple password authentication allows a password (key) to be configured per area. Routers in the same area that want to participate in the routing domain have to be configured with the same key. The drawback of this method is that it is vulnerable to passive attacks: the password travels in clear text in every OSPF packet, so anybody with a link analyzer can read it off the wire and then use it to inject routing updates. To enable password authentication use the following commands:

ip ospf authentication-key key (this goes under the specific interface)
area area-id authentication (this goes under "router ospf <process-id>")

Here's an example:

interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf authentication-key mypassword
router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication

Message Digest Authentication


Message Digest authentication is a cryptographic authentication. A key (password) and key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a "message digest" that is appended to the packet. Unlike simple authentication, the key is not exchanged over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks. Note that the digest protects the origin and integrity of the update, not its confidentiality: the routing information itself is still readable by anyone on the segment. This method also allows for uninterrupted transitions between keys, which is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router will send multiple copies of the same packet, each authenticated by a different key. The router stops sending duplicate packets once it detects that all of its neighbors have adopted the new key. The following commands are used for message digest authentication:

ip ospf message-digest-key keyid md5 key (used under the interface)
area area-id authentication message-digest (used under "router ospf <process-id>")

Here's an example:

interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf message-digest-key 10 md5 mypassword
router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
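The mechanics described above, modelled in code: a keyed digest per packet, key-id lookup on the receiver, the non-decreasing sequence number that defeats replay, and the sending of one copy per key while neighbors move to a new key. This is an added example, not code from the training material, and it is not a byte-exact implementation of the OSPF packet format: the digest is MD5 over the packet bytes followed by the key string, which is the shape the text describes (the key itself never travels on the wire), and the header layout is simplified. The packet bytes and key strings are constructed for the demonstration.

```python
"""OSPF message-digest authentication, modelled: a keyed digest per packet,
key id lookup on the receiver, the non-decreasing sequence number that defeats
replay, and sending one copy per key while neighbors move to a new key.

Added example; it is not code from the training material and is not a
byte-exact implementation of the OSPF packet format. The digest is MD5 over the
packet bytes followed by the key string, which is the shape the text describes
(the key itself never travels on the wire); header layout is simplified.
The packet bytes used below are constructed for the demonstration.
"""
import hashlib
import hmac


def digest(body: bytes, key: str) -> bytes:
    return hashlib.md5(body + key.encode()).digest()


def build(packet: bytes, key_id: int, key: str, seq: int) -> dict:
    """Sender: key id and sequence number travel in the clear; the digest
    covers them together with the packet, so neither can be altered."""
    body = packet + key_id.to_bytes(1, "big") + seq.to_bytes(4, "big")
    return {"body": body, "key_id": key_id, "seq": seq, "digest": digest(body, key)}


class Receiver:
    """One interface's configured keys plus the last sequence seen per neighbor."""

    def __init__(self, keys):
        self.keys = dict(keys)     # key_id -> key string
        self.last_seq = {}         # neighbor -> highest accepted sequence

    def verify(self, neighbor: str, msg: dict) -> str:
        key = self.keys.get(msg["key_id"])
        if key is None:
            return "unknown key id"
        # constant-time compare so the digest check itself leaks nothing
        if not hmac.compare_digest(digest(msg["body"], key), msg["digest"]):
            return "bad digest"
        if msg["seq"] < self.last_seq.get(neighbor, 0):
            return "replayed"      # older than something already accepted
        self.last_seq[neighbor] = msg["seq"]
        return "ok"


def send_all_keys(packet: bytes, keys: dict, seq: int) -> list:
    """During a key change the router sends a copy authenticated with each
    configured key, so a neighbor still on the old key keeps hearing it."""
    return [build(packet, kid, k, seq) for kid, k in keys.items()]


HELLO = b"OSPFv2 HELLO area 0 from 10.10.10.10"   # constructed stand-in packet

if __name__ == "__main__":
    rx = Receiver({10: "mypassword"})
    first = build(HELLO, 10, "mypassword", 100)
    print(rx.verify("RTB", first))                                 # ok
    print(rx.verify("RTB", build(HELLO, 10, "mypassword", 101)))   # ok
    print(rx.verify("RTB", first))                                 # replayed
    # Key roll-over: the receiver already knows key 11, the sender uses both.
    rx_new = Receiver({10: "mypassword", 11: "newpassword"})
    both = send_all_keys(HELLO, {10: "mypassword", 11: "newpassword"}, 102)
    print([rx_new.verify("RTA", m) for m in both])                 # ['ok', 'ok']
    print([rx.verify("RTA", m) for m in both])                     # ['ok', 'unknown key id']
```

The replay check accepts an equal sequence number, which is what makes the two copies sent during a key change (same sequence, different keys) both verify. A receiver that has not yet learned the new key simply drops the second copy as an unknown key id and keeps working off the first, which is the uninterrupted transition the text describes.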

The Backbone and Area 0


OSPF has special restrictions when multiple areas are involved. If more than one area is configured, one of these areas has to be area 0. This is called the backbone. When designing networks it is good practice to start with area 0 and then expand into other areas later on. The backbone has to be at the center of all other areas, i.e. all areas have to be physically connected to the backbone. The reasoning behind this is that OSPF expects all areas to inject routing information into the backbone, and in turn the backbone disseminates that information into other areas. The following diagram illustrates the flow of information in an OSPF network:


In the above diagram, all areas are directly connected to the backbone. In the rare situations where a new area is introduced that cannot have a direct physical access to the backbone, a virtual link will have to be configured. Virtual links will be discussed in the next section. Note the different types of routing information. Routes that are generated from within an area (the destination belongs to the area) are called intra-area routes. These routes are normally represented by the letter O in the IP routing table. Routes that originate from other areas are called inter-area or Summary routes. The notation for these routes is O IA in the IP routing table. Routes that originate from other routing protocols (or different OSPF processes) and that are injected into OSPF via redistribution are called external routes. These routes are represented by O E2 or O E1 in the IP routing table. Multiple routes to the same destination are preferred in the following order: intra-area, inter-area, external E1, external E2. External types E1 and E2 will be explained later.

Virtual Links
Virtual links are used for two purposes:

1) Linking an area that does not have a physical connection to the backbone.
2) Patching the backbone in case discontinuity of area 0 occurs.

Areas Not Physically Connected to Area 0


As mentioned earlier, area 0 has to be at the center of all other areas. In some rare case where it is impossible to have an area physically connected to the backbone, a virtual link is used. The virtual link will provide the disconnected area a logical path to the backbone. The virtual link has to be established between two ABRs that have a common area, with one ABR connected to the backbone. This is illustrated in the following example:


In this example, area 1 does not have a direct physical connection into area 0. A virtual link has to be configured between RTA and RTB. Area 2 is to be used as a transit area and RTB is the entry point into area 0. This way RTA and area 1 will have a logical connection to the backbone. In order to configure a virtual link, use the area <area-id> virtual-link <RID> router OSPF sub-command on both RTA and RTB, where area-id is the transit area. In the above diagram, this is area 2. The RID is the router-id. The OSPF router-id is usually the highest IP address on the box, or the highest loopback address if one exists, unless it is set explicitly with the router-id command under router ospf. The router-id is only calculated at boot time or any time the OSPF process is restarted. To find the router-id, use the show ip ospf interface command. Assuming that 1.1.1.1 and 2.2.2.2 are the respective RIDs of RTA and RTB, the OSPF configuration for both routers would be:

RTA#
router ospf 10
 area 2 virtual-link 2.2.2.2

RTB#
router ospf 10
 area 2 virtual-link 1.1.1.1

Partitioning the Backbone


OSPF allows for linking discontinuous parts of the backbone using a virtual link. In some cases, different area 0s need to be linked together. This can occur if, for example, a company is trying to merge two separate OSPF networks into one network with a common area 0. In other instances, virtual links are added for redundancy in case some router failure causes the backbone to be split in two. Whatever the reason may be, a virtual link can be configured between separate ABRs that touch area 0 from each side and have a common area. This is illustrated in the following example:


In the above diagram two area 0s are linked together via a virtual link. In case a common area does not exist, an additional area, such as area 3, could be created to become the transit area. In case any area other than the backbone becomes partitioned, the backbone will take care of the partitioning without using any virtual links. One part of the partitioned area will be known to the other part via inter-area routes rather than intra-area routes.

Neighbors
Routers that share a common segment become neighbors on that segment. Neighbors are elected via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast (Appendix B). Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet. This way, a two way communication is guaranteed. Neighbor negotiation applies to the primary address only. Secondary addresses can be configured on an interface with a restriction that they have to belong to the same area as the primary address. Two routers will not become neighbors unless they agree on the following:

- Area-id: Two routers having a common segment must have their interfaces in the same area on that segment. Of course, the interfaces should belong to the same subnet and have the same mask.
- Authentication: OSPF allows for the configuration of a password for a specific area. Routers that want to become neighbors have to exchange the same password on a particular segment.
- Hello and Dead Intervals: OSPF exchanges Hello packets on each segment. This is a form of keepalive used by routers in order to acknowledge their existence on a segment and in order to elect a designated router (DR) on multi-access segments. The Hello interval specifies the length of time, in seconds, between the Hello packets that a router sends on an OSPF interface. The dead interval is the number of seconds that a router's Hello packets have not been seen before its neighbors declare the OSPF router down. OSPF requires these intervals to be exactly the same between two neighbors. If either of these intervals differs, the routers will not become neighbors on that segment. The router interface commands used to set these timers are ip ospf hello-interval seconds and ip ospf dead-interval seconds.
- Stub area flag: Two routers also have to agree on the stub area flag in the Hello packets in order to become neighbors. Stub areas will be discussed in a later section. Keep in mind for now that defining stub areas will affect the neighbor election process.

Adjacencies
Adjacency is the next step after the neighboring process. Adjacent routers are routers that go beyond the simple Hello exchange and proceed into the database exchange process. In order to minimize the amount of information exchanged on a particular segment, OSPF elects one router to be a designated router (DR), and one router to be a backup designated router (BDR), on each multi-access segment. The BDR is elected as a backup mechanism in case the DR goes down. The idea behind this is that routers have a central point of contact for information exchange. Instead of each router exchanging updates with every other router on the segment, every router exchanges information with the DR and BDR. The DR and BDR relay the information to everybody else. In mathematical terms, this cuts the information exchange from O(n*n) to O(n), where n is the number of routers on a multi-access segment. The following router model illustrates the DR and BDR:

In the above diagram, all routers share a common multi-access segment. Due to the exchange of Hello packets, one router is elected DR and another is elected BDR. Each router on the segment (which already became a neighbor) will try to establish an adjacency with the DR and BDR.

DR Election
DR and BDR election is done via the Hello protocol. Hello packets are exchanged via IP multicast packets (Appendix B) on each segment. The router with the highest OSPF priority on a segment will become the DR for that segment. The same process is repeated for the BDR. In case of a tie, the router with the highest RID will win. The default for the interface OSPF priority is one. Remember that the DR and BDR concepts are per multiaccess segment. Setting the ospf priority on an interface is done using the ip ospf priority <value> interface command. A priority value of zero indicates an interface which is not to be elected as DR or BDR. The state of the interface with priority zero will be DROTHER. The following diagram illustrates the DR election:

In the above diagram, RTA and RTB have the same interface priority but RTB has a higher RID. RTB would be DR on that segment. RTC has a higher priority than RTB. RTC is DR on that segment.
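As an added example (not part of the training document), the following Python script models the two processes described above: the Hello parameter checks that decide whether two interfaces become neighbors at all, and the DR/BDR election among the interfaces that remain. The router names and router IDs are the ones reported in the show output later in this chapter; the fifth router RTX and its 30/120 timers are constructed for the example. One simplification: real OSPF does not pre-empt an existing DR when a better candidate appears later, so this models only a fresh election on a segment.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class OspfInterface:
    """One router's interface on a shared multi-access segment."""
    name: str             # router name used in the reports
    rid: str              # OSPF router ID, dotted quad
    area: str             # area-id the interface is configured in
    hello: int            # ip ospf hello-interval, seconds
    dead: int             # ip ospf dead-interval, seconds
    auth: Optional[str]   # area password, None when no authentication
    stub: bool            # stub-area flag carried in the Hello packet
    priority: int = 1     # ip ospf priority, default 1


def hello_mismatches(a: OspfInterface, b: OspfInterface) -> list:
    """Return the Hello parameters on which a and b disagree.
    An empty list means the two interfaces can become neighbors."""
    checks = [
        ("area-id", a.area == b.area),
        ("authentication", a.auth == b.auth),
        ("hello-interval", a.hello == b.hello),
        ("dead-interval", a.dead == b.dead),
        ("stub-area-flag", a.stub == b.stub),
    ]
    return [name for name, ok in checks if not ok]


def neighbors_of(ref: OspfInterface, segment: list) -> list:
    """Interfaces on the segment (ref itself included) whose Hello
    parameters match ref's, i.e. the routers ref will list as neighbors."""
    return [i for i in segment if not hello_mismatches(ref, i)]


def elect_dr_bdr(segment: list) -> tuple:
    """Elect (DR, BDR) on a segment: highest priority wins, highest router
    ID breaks ties, priority 0 is never eligible. Returns router names,
    None where nobody is eligible."""
    eligible = [i for i in segment if i.priority > 0]
    # IPv4Address compares numerically, so 203.250.15.1 > 203.250.13.41
    ranked = sorted(eligible, key=lambda i: (i.priority, IPv4Address(i.rid)), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


def interface_states(segment: list) -> dict:
    """Map each router name to the interface state the show output reports:
    DR, BDR or DROTHER."""
    dr, bdr = elect_dr_bdr(segment)
    return {i.name: "DR" if i.name == dr else "BDR" if i.name == bdr else "DROTHER"
            for i in segment}


# Router IDs from the RTA/RTB/RTD/RTF example (all priority 1, area 0.0.0.0,
# Hello 10, Dead 40, no authentication, not a stub area).
SEGMENT = [
    OspfInterface("RTA", "203.250.13.41", "0.0.0.0", 10, 40, None, False),
    OspfInterface("RTB", "203.250.12.1", "0.0.0.0", 10, 40, None, False),
    OspfInterface("RTD", "192.208.10.174", "0.0.0.0", 10, 40, None, False),
    OspfInterface("RTF", "203.250.15.1", "0.0.0.0", 10, 40, None, False),
]
# Constructed: a router with the highest RID on the segment but a 30/120
# timer pair. It never becomes a neighbor, so it never enters the election.
RTX = OspfInterface("RTX", "203.250.99.1", "0.0.0.0", 30, 120, None, False)

if __name__ == "__main__":
    print("RTA vs RTX mismatches:", hello_mismatches(SEGMENT[0], RTX))
    print("states:", interface_states(neighbors_of(SEGMENT[0], SEGMENT + [RTX])))
```

Running the script reproduces the outcome the chapter's show output reports (RTF is DR, RTA is BDR, RTB and RTD are DROTHER) and shows that RTX, despite the highest RID on the wire, is simply absent from the election because its timers keep it from ever becoming a neighbor.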

Building the Adjacency
The adjacency building process takes effect after multiple stages have been fulfilled. Routers that become adjacent will have the exact same link-state database. The following is a brief summary of the states an interface passes through before becoming adjacent to another router:

Down: No information has been received from anybody on the segment.

Attempt: On non-broadcast multi-access clouds such as Frame Relay and X.25, this state indicates that no recent information has been received from the neighbor. An effort should be made to contact the neighbor by sending Hello packets at the reduced rate PollInterval.

Init: The interface has detected a Hello packet coming from a neighbor, but bi-directional communication has not yet been established.

Two-way: There is bi-directional communication with a neighbor. The router has seen itself in the Hello packets coming from a neighbor. At the end of this stage the DR and BDR election would have been done. At the end of the Two-way stage, routers will decide whether to proceed in building an adjacency or not. The decision is based on whether one of the routers is a DR or BDR, or the link is a point-to-point or a virtual link.

Exstart: Routers are trying to establish the initial sequence number that is going to be used in the information exchange packets. The sequence number ensures that routers always get the most recent information. One router will become the primary and the other will become secondary. The primary router will poll the secondary for information.

Exchange: Routers will describe their entire link-state database by sending database description packets. At this state, packets could be flooded to other interfaces on the router.

Loading: At this state, routers are finalizing the information exchange. Routers have built a link-state request list and a link-state retransmission list. Any information that looks incomplete or outdated will be put on the request list. Any update that is sent will be put on the retransmission list until it gets acknowledged.

Full: At this state, the adjacency is complete. The neighboring routers are fully adjacent. Adjacent routers will have the same link-state database. Let's look at an example:

RTA, RTB, RTD, and RTF share a common segment (E0) in area 0.0.0.0. The following are the configs of RTA and RTF. RTB and RTD should have a similar configuration to RTF and will not be included.

RTA#
hostname RTA

interface Loopback0
 ip address 203.250.13.41 255.255.255.0

interface Ethernet0
 ip address 203.250.14.1 255.255.255.0

router ospf 10
 network 203.250.13.41 0.0.0.0 area 1
 network 203.250.0.0 0.0.255.255 area 0.0.0.0

RTF#
hostname RTF

interface Ethernet0
 ip address 203.250.14.2 255.255.255.0

router ospf 10
 network 203.250.0.0 0.0.255.255 area 0.0.0.0

The above is a simple example that demonstrates a couple of commands that are very useful in debugging OSPF networks.

show ip ospf interface <interface>

This command is a quick check to see if all of the interfaces belong to the areas they are supposed to be in. The sequence in which the OSPF network commands are listed is very important. In RTA's configuration, if the "network 203.250.0.0 0.0.255.255 area 0.0.0.0" statement was put before the "network 203.250.13.41 0.0.0.0 area 1" statement, all of the interfaces would be in area 0, which is incorrect because the loopback is in area 1.
Let us look at the command's output on RTA, RTF, RTB, and RTD:

RTA#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.1 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.13.41, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 203.250.15.1 (Designated Router)
Loopback0 is up, line protocol is up
  Internet Address 203.250.13.41 255.255.255.255, Area 1
  Process ID 10, Router ID 203.250.13.41, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

RTF#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.2 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.15.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:08
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

RTD#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.4 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 192.208.10.174, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:03
  Neighbor Count is 3, Adjacent neighbor count is 2
    Adjacent with neighbor 203.250.15.1 (Designated Router)
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

RTB#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.3 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.12.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:03
  Neighbor Count is 3, Adjacent neighbor count is 2
    Adjacent with neighbor 203.250.15.1 (Designated Router)
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

The above output shows very important information. Let us look at RTA's output.
Ethernet0 is in area 0.0.0.0. The process ID is 10 (router ospf 10) and the router ID is 203.250.13.41. Remember that the RID is the highest IP address on the box or the loopback interface, calculated at boot time or whenever the OSPF process is restarted. The state of the interface is BDR. Since all routers have the same OSPF priority on Ethernet 0 (default is 1), RTF's interface was elected as DR because of the higher RID. In the same way, RTA was elected as BDR. RTD and RTB are neither DR nor BDR, and their state is DROTHER. Also note the neighbor count and the adjacent count. RTD has three neighbors and is adjacent to two of them, the DR and the BDR. RTF has three neighbors and is adjacent to all of them because it is the DR. The information about the network type is important and will determine the state of the interface. On broadcast networks such as Ethernet, the election of the DR and BDR should be irrelevant to the end user. It should not matter who the DR or BDR are. In other cases, such as NBMA media like Frame Relay and X.25, this becomes very important for OSPF to function correctly. Fortunately, with the introduction of point-to-point and point-to-multipoint subinterfaces, DR election is no longer an issue. OSPF over NBMA will be discussed in the next section.

Another command we need to look at is show ip ospf neighbor. Let us look at RTD's output:

RTD#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
203.250.12.1      1   2WAY/DROTHER    0:00:37     203.250.14.3    Ethernet0
203.250.15.1      1   FULL/DR         0:00:36     203.250.14.2    Ethernet0
203.250.13.41     1   FULL/BDR        0:00:34     203.250.14.1    Ethernet0

The show ip ospf neighbor command shows the state of all the neighbors on a particular segment. Do not be alarmed if the "Neighbor ID" does not belong to the segment you are looking at. In our case 203.250.12.1 and 203.250.15.1 are not on Ethernet0. This is "OK" because the "Neighbor ID" is actually the RID, which could be any IP address on the box. RTD and RTB are just neighbors, that is why the state is 2WAY/DROTHER. RTD is adjacent to RTA and RTF, and the state is FULL/DR and FULL/BDR.
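Reading this table by hand works for four routers; for monitoring it helps to parse it. The following added example (not code from the training document) parses the show ip ospf neighbor output above and flags every neighbor whose state is not the one the text says to expect: from a DROTHER such as RTD, the DR and BDR must be FULL and the other DROTHERs stay at 2WAY; a DR or BDR must be FULL with everybody. The fourth row, a neighbor stuck in INIT, is constructed so the checker has something to report.

```python
import re

# Constructed copy of RTD's output, plus one constructed neighbor that is
# stuck in INIT (Hello seen, but our own RID never appears in its Hellos).
SAMPLE_OUTPUT = """\
RTD#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
203.250.12.1      1   2WAY/DROTHER    0:00:37     203.250.14.3    Ethernet0
203.250.15.1      1   FULL/DR         0:00:36     203.250.14.2    Ethernet0
203.250.13.41     1   FULL/BDR        0:00:34     203.250.14.1    Ethernet0
203.250.16.9      1   INIT/DROTHER    0:00:31     203.250.14.9    Ethernet0
"""

# One neighbor row: RID, priority, STATE/ROLE, dead timer, address, interface.
ROW = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d+:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ifc>\S+)\s*$"
)

# States before FULL, in the order the text describes them.
PRE_FULL = ("DOWN", "ATTEMPT", "INIT", "2WAY", "EXSTART", "EXCHANGE", "LOADING")


def dead_seconds(hms: str) -> int:
    """Convert the H:MM:SS dead-timer column to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_neighbors(text: str) -> list:
    """Return one dict per neighbor row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "rid": m["rid"], "pri": int(m["pri"]), "state": m["state"],
                "role": m["role"], "dead": dead_seconds(m["dead"]),
                "addr": m["addr"], "ifc": m["ifc"],
            })
    return rows


def check_neighbors(rows: list, my_state: str = "DROTHER") -> list:
    """One finding per neighbor whose state differs from what the local
    router's own state (DR, BDR or DROTHER) says it should be."""
    findings = []
    for r in rows:
        must_be_full = my_state in ("DR", "BDR") or r["role"] in ("DR", "BDR")
        expected = "FULL" if must_be_full else "2WAY"
        if r["state"] != expected:
            note = "adjacency not finished" if r["state"] in PRE_FULL else "unknown state"
            findings.append(f"{r['rid']} on {r['ifc']}: {r['state']}/{r['role']}, "
                            f"expected {expected} ({note})")
    return findings


if __name__ == "__main__":
    for finding in check_neighbors(parse_neighbors(SAMPLE_OUTPUT)):
        print(finding)
```

Pass my_state="DR" when the script runs against the DR's own output; then every neighbor, including the DROTHERs, is expected to be FULL, which is exactly the difference between RTF's and RTD's adjacent neighbor counts in the show ip ospf interface output above.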

Adjacencies on Point-to-Point Interfaces
OSPF will always form an adjacency with the neighbor on the other side of a point-to-point interface such as point-to-point serial lines. There is no concept of DR or BDR. The state of the serial interfaces is point to point.

Adjacencies on Non-Broadcast Multi-Access (NBMA) Networks
Special care should be taken when configuring OSPF over multi-access non-broadcast media such as Frame Relay, X.25, and ATM. The protocol considers these media like any other broadcast media such as Ethernet. NBMA clouds are usually built in a hub and spoke topology. PVCs or SVCs are laid out in a partial mesh and the physical topology does not provide the multi-access that OSPF believes is out there. The selection of the DR becomes an issue because the DR and BDR need to have full physical connectivity with all routers that exist on the cloud. Also, because of the lack of broadcast capabilities, the DR and BDR need to have a static list of all other routers attached to the cloud. This is achieved using the neighbor ip-address [priority number] [poll-interval seconds] command, where the "ip-address" and "priority" are the IP address and the OSPF priority given to the neighbor. A neighbor with priority 0 is considered ineligible for DR election. The "poll-interval" is the amount of time an NBMA interface waits before polling (sending a Hello) to a presumably dead neighbor. The neighbor command applies to routers with a potential of being DRs or BDRs (interface priority not equal to 0). The following diagram shows a network diagram where DR selection is very important:

In the above diagram, it is essential for RTA's interface to the cloud to be elected DR. This is because RTA is the only router that has full connectivity to the other routers. The election of the DR can be influenced by setting the ospf priority on the interfaces. Routers that do not need to become DRs or BDRs will have a priority of 0; the other routers could be given a lower priority than RTA.

Chapter 7 Configurations
Common Configuration Command
Configuration of TCP/IP in a Cisco router is straightforward. The following table summarizes many of the most common commands used for IP configuration and verification.
Command                                                          Configuration Mode
ip address ip-address mask [secondary]                           Interface
ip host name [tcp-port-number] address1 [address2...address8]    Global
ip route prefix mask {next-hop-router | output-interface}        Global
ip default-network network                                       Global
ip classless                                                     Global
ip domain-lookup                                                 Global

Command                           Function
show hosts                        Lists all hostnames and corresponding IP addresses
show interfaces [type number]     Lists interface statistics, including IP address
show ip interface [type number]   Provides a detailed view of IP parameter settings, per interface
show ip route [subnet]            Shows the entire routing table, or one entry if subnet is entered

Configuring Ethernet interface
The following site guidelines were used when choosing configuration details:

Use name servers at 10.1.1.100 and 10.1.2.100.
Use host names.
The routers' IP addresses are to be assigned from the last few valid IP addresses in their attached subnets; use a mask of 255.255.255.0.

Albuquerque#show running-config
Building configuration...

Current configuration:
version 11.2
hostname Albuquerque
!
enable secret 5 $1$skrN$z4oq6OHfB6zu1WG4P/6ZY0
!
ip name-server 10.1.1.100
ip name-server 10.1.2.100
!
interface Ethernet0
 ip address 10.1.1.251 255.255.255.0
!
no ip classless
banner motd ^C
Should've taken a left turn here!
This is Albuquerque...^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login

Configuring Serial Interface
Be sure to configure the same WAN data link protocol on each end of the serial link. Otherwise, the routers will misinterpret the incoming frames, and the link will not work. The following tables list the configuration commands and the show commands used for HDLC and PPP configuration.
PPP and HDLC Configuration Commands

Command                                            Configuration Mode
encapsulation {hdlc | ppp | lapb}                  Interface subcommand
compress [predictor | stac | mppc [ignore-pfc]]    Interface subcommand

Command           Function
show interface    Lists statistics and details of interface configuration, including the encapsulation type.
show compress     Lists compression ratios.
show process      Lists processor and task utilization. Is useful in watching for increased utilization due to compression.

Assume that Router A and Router B have a serial link attached to their serial 0 ports, respectively.
Router A
interface serial 0
 encapsulation ppp

Router B
interface serial 0
 encapsulation ppp

Chapter 8
Exercise Setting the hostname of the Router
Scenario
You have been assigned to configure the router identification name.

Goal
In this exercise, you will assign the hostname to the router. If you have many routers, each router should be identified by a name, so that while managing and configuring you configure the desired router and not some other router.

Steps
1. For any configuration we first have to enter Global Configuration Mode. The command for entering Global Configuration Mode is configure terminal (config t):

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Test_Router_1
Test_Router_1(config)#

The prompt will change to the hostname you specify.

Exercise Configuring the Ethernet interface of the Router for Telnet access
Scenario
You have been assigned to configure the ethernet interface of the router, so that you can telnet to the router.

Goal
You cannot use the console port every time for router configuration, since you have to be near the router. So, to access a router from the network, you need to configure the ethernet interface.

Steps
1. Go to Global Configuration Mode by using the configure terminal command:

Test_Router_1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Test_Router_1(config)#

2. Go to interface configuration mode by using the interface ethernet0/0 command:

Test_Router_1(config)#inter eth0/0
Test_Router_1(config-if)#

3. Assign the IP address to the interface by using the ip address command:

Test_Router_1(config-if)#ip address 163.122.31.130 255.255.255.0
Test_Router_1(config-if)#

4. Bring up the ethernet interface with no shutdown, as by default every port is in the administratively down state:

Test_Router_1(config-if)#no shut
Test_Router_1(config-if)#

The output will be as follows:

%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
%LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Test_Router_1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Test_Router_1(config-if)#

5. Check the interface configuration using show interface:

Test_Router_1#sh int e0/0
Ethernet0/0 is up, line protocol is down
  Hardware is AmdP2, address is 0010.7b04.2281 (bia 0010.7b04.2281)
  Internet address is 163.122.31.130/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 193/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:04:27, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4250 packets input, 4525897 bytes, 0 no buffer
     Received 4139 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     439 packets output, 28987 bytes, 0 underruns
     173 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     173 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

6. The line protocol is down. Why? Because no Ethernet cable is connected, the line protocol is down.

7. Connect a UTP cable to the e0/0 interface. The line protocol will change status to up. The output will be as follows:

Test_Router_1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Test_Router_1#

8. Check the interface configuration again using show interface:

Test_Router_1#sh int e0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0010.7b04.2281 (bia 0010.7b04.2281)
  Internet address is 163.122.31.130/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 199/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 17000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4487 packets input, 4798927 bytes, 0 no buffer
     Received 4376 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     470 packets output, 30847 bytes, 0 underruns
     195 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     195 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Test_Router_1#

The output shows that the Ethernet interface is up and running.

9. From a machine with an IP address in the same subnet as the router (163.122.31.0), telnet to the ethernet e0/0 port IP address (163.122.31.130). The output will be as follows:

User Access Verification
Password:

Exercise Setting the password to console Port of the Router

Scenario
You have been assigned to restrict access to the Router.

Goal
You need to set a password on the console port; otherwise anybody can enter the router from the console port. It is therefore required that a password be assigned to the console port.

Steps
Enter the commands in the following order.

1. Test_Router_1#conf t
2. Enter configuration commands, one per line.  End with CNTL/Z.
3. Test_Router_1(config)#line con 0
4. Test_Router_1(config-line)#login
5. Test_Router_1(config-line)#password console
6. Test_Router_1(config-line)#exit
7. Test_Router_1(config)#exit
8. Test_Router_1#

Now when we access the router via the console port, it will ask for the password, and the output will be as follows:

Welcome to the UTS Network
User Access Verification
Password:
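The console and vty exercises above both come down to the same two line subcommands, login and password, and the Albuquerque running-config in Chapter 7 shows what a finished configuration looks like. As an added example (not code from the training document), the following Python script audits a saved running-config for exactly those items: it groups the IOS config into top-level commands and their indented subcommands, skips the banner text so it is not mistaken for commands, and reports every line (console, aux, vty) that lacks login or password, plus a missing enable secret. The input is a constructed copy of the Albuquerque config; the check on it shows that line aux 0 was left without either subcommand.

```python
# Constructed copy of the Albuquerque running-config shown in Chapter 7.
ALBUQUERQUE = """\
version 11.2
hostname Albuquerque
!
enable secret 5 $1$skrN$z4oq6OHfB6zu1WG4P/6ZY0
!
ip name-server 10.1.1.100
ip name-server 10.1.2.100
!
interface Ethernet0
 ip address 10.1.1.251 255.255.255.0
!
no ip classless
banner motd ^C
Should've taken a left turn here!
This is Albuquerque...^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
"""


def parse_blocks(config: str) -> dict:
    """Group an IOS config into {top-level command: [indented subcommands]}.
    IOS marks subcommands with a leading space; a banner body is skipped up
    to its closing delimiter so its free text is not read as commands."""
    blocks = {}
    current = None
    lines = iter(config.splitlines())
    for raw in lines:
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("banner "):
            delim = raw.split()[-1]          # e.g. ^C
            for body in lines:               # consume lines until the delimiter
                if delim in body:
                    break
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit_line_access(config: str) -> list:
    """Findings for the access paths the exercises configure: every line
    (console, aux, vty) needs both 'login' and a 'password', and privileged
    mode needs an 'enable secret'. Returns an empty list when all is present."""
    blocks = parse_blocks(config)
    findings = []
    if not any(cmd.startswith("enable secret ") for cmd in blocks):
        findings.append("no 'enable secret' configured")
    for cmd, subs in blocks.items():
        if not cmd.startswith("line "):
            continue
        if not any(s == "login" or s.startswith("login ") for s in subs):
            findings.append(f"{cmd}: no 'login', the line does not ask for a password")
        if not any(s.startswith("password ") for s in subs):
            findings.append(f"{cmd}: no 'password' set")
    return findings


if __name__ == "__main__":
    for finding in audit_line_access(ALBUQUERQUE):
        print(finding)
```

The parser keys blocks by the full top-level command text, so two ip name-server lines stay distinct and an interface block is found under its exact name; the audit only looks at blocks that start with "line ".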

Chapter 9

Network Security: IPSec

Configuring IPSec Network Security
This chapter describes how to configure IPSec, which is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Cisco routers.

IPSec provides the following network security services. These services are optional. In general, local security policy will dictate the use of one or more of these services:

Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity: The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data Origin Authentication: The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
Anti-Replay: The IPSec receiver can detect and reject replayed packets.

Note: The term data authentication is generally used to mean data integrity and data origin authentication.

With IPSec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as virtual private networks (VPNs), including intranets, extranets, and remote user access.

IPSec Overview
IPSec services are similar to those provided by Cisco Encryption Technology (CET), a proprietary security solution introduced in Cisco IOS Software Release 11.2. (The IPSec standard was not yet available at Release 11.2.) However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and anti-replay services in addition to data confidentiality services, while CET provides only data confidentiality services.

Supported Standards
Cisco implements the following standards with this feature:

IPSec (IP Security Protocol): IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

Internet Key Exchange (IKE): A hybrid protocol which implements Oakley and SKEME key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.

The component technologies implemented for IPSec include:

DES: The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backwards compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.
MD5 (HMAC variant): MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
SHA (HMAC variant): SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

IPSec as implemented in Cisco IOS software supports the following additional standards:

AH (Authentication Header): A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).

ESP (Encapsulating Security Payload): A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected. The updated ESP protocol allows for the use of various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides anti-replay services.

List of Terms
anti-replay: A security service where the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPSec provides this optional service by use of a sequence number combined with the use of data authentication. Cisco IOS IPSec provides this service whenever it provides the data authentication service, except in the following cases: RFC 1828 does not provide support for this service. The service is not available for manually established security associations (that is, security associations established by configuration and not by IKE).

data authentication: Includes two concepts: data integrity (verify that data has not been altered) and data origin authentication (verify that the data was actually sent by the claimed sender). Data authentication can refer either to integrity alone or to both of these concepts (although data origin authentication is dependent upon data integrity).

data confidentiality: A security service where the protected data cannot be observed.

data flow: A grouping of traffic, identified by a combination of source address/mask, destination address/mask, IP next protocol field, and source and destination ports, where the protocol and port fields can have the values of any. In effect, all traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent all of the traffic between two subnets. IPSec protection is applied to data flows.
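The anti-replay term above says how the service works: a sequence number per security association, checked only in combination with data authentication. The following added example (not Cisco's implementation, and not code from the training document) shows the receiver-side sliding window that such a check needs: it remembers which of the most recent sequence numbers have already been accepted, so late but new packets still pass while duplicates and packets older than the window are rejected. The window size of 64 and the arrival order in TRACE are constructed for the example.

```python
class AntiReplayWindow:
    """Receiver-side replay check for one security association. The window
    remembers which of the last `size` sequence numbers have been accepted.
    Sequence numbers start at 1 per SA and must be checked only after the
    packet's data authentication has succeeded: an unauthenticated packet
    must never update the window. Window size 64 is a constructed choice."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set: sequence number (top - i) was accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything old falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << behind):
            return False                      # already accepted: a replay
        self.bitmap |= 1 << behind            # late but new: accept it
        return True


def replay_trace(seqs: list, size: int = 64) -> list:
    """Feed a sequence of packet numbers through one window and return the
    accept/reject decision for each, in order."""
    win = AntiReplayWindow(size)
    return [win.accept(s) for s in seqs]


# Constructed arrival order: in-order packets, a replayed 2, reordered 5/4,
# a replayed 1, a jump to 100, then late arrivals around the window edge.
TRACE = [1, 2, 3, 2, 5, 4, 1, 100, 40, 36, 37]

if __name__ == "__main__":
    for seq, ok in zip(TRACE, replay_trace(TRACE)):
        print(seq, "accepted" if ok else "rejected")
```

With the constructed trace, 40 is accepted even though it arrives after 100 (it is 60 behind, inside a 64-wide window), 36 is rejected as too old (64 behind), and 37 is accepted as the last number still inside the window.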
peer: In the context of this chapter, a peer refers to a router or other device that participates in IPSec.

perfect forward secrecy (PFS): A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.

security association: An IPSec security association (SA) is a description of how two or more entities will use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. It includes such things as the transform and the shared secret keys to be used for protecting the traffic. The IPSec security association is established either by IKE or by manual user configuration. Security associations are unidirectional and are unique per security protocol. So when security associations are established for IPSec, the security associations (for each protocol) for both directions are established at the same time. When using IKE to establish the security associations for the data flow, the security associations are established when needed and expire after a period of time (or volume of traffic). If the security associations are manually established, they are established as soon as the necessary configuration is completed and do not expire.

security parameter index (SPI): This is a number which, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish the security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association.

transform: A transform lists a security protocol (AH or ESP) with its corresponding algorithms. For example, one transform is the AH protocol with the HMAC-MD5 authentication algorithm; another transform is the ESP protocol with the 56-bit DES encryption algorithm and the HMAC-SHA authentication algorithm.

tunnel: In the context of this chapter, a secure communication path between two peers, such as two routers. It does not refer to using IPSec in tunnel mode.

IPSec Interoperability with Other Cisco IOS Software Features
You can use Cisco Encryption Technology and IPSec together; the two encryption technologies can coexist in your network. Each router may support concurrent encryption links using either IPSec or Cisco Encryption Technology. A single interface can even support the use of IPSec or CET for protecting different data flows.

Supported Hardware, Switching Paths, and Encapsulation
IPSec has certain restrictions for hardware, switching paths, and encapsulation methods as follows.

Supported Hardware
IPSec is not supported on VIP2 interfaces (VIP2-40 or above) or the Encryption Service Adapter (ESA) card. There is currently no hardware accelerator for IPSec.

Supported Switching Paths
IPSec works with both process switching and fast switching. IPSec does not work with optimum or flow switching.

Supported Encapsulation
IPSec works with the following serial encapsulations: High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IPinIP Layer 3, L2F, L2TP, DLSw+, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec. Since the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec currently cannot be used to protect group traffic (such as broadcast or multicast traffic).

Restrictions


At this time, IPSec can be applied to unicast IP datagrams only. Because the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec does not currently work with multicast or broadcast IP datagrams.

If you use Network Address Translation (NAT), you should configure static NAT translations so that IPSec will work properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses.

Overview of How IPSec Works


In simple terms, IPSec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters which should be used to protect these sensitive packets, by specifying characteristics of these tunnels. Then, when the IPSec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

Note: The use of the term tunnel in this chapter does not refer to using IPSec in tunnel mode.

More accurately, these tunnels are sets of security associations that are established between two IPSec peers. The security associations define which protocols and algorithms should be applied to sensitive packets, and also specify the keying material to be used by the two peers. Security associations are unidirectional and are established per security protocol (AH or ESP).

With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic may be selected based on source and destination address, and optionally Layer 4 protocol and port. (Similar to CET, the access lists used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted through the interface. Separate access lists define blocking and permitting at the interface.)

A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in order; for each entry, the router attempts to match the packet to the access list specified in that entry.

When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, then CET is triggered, and connections are established if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPSec is triggered. If no security association exists that IPSec can use to protect this traffic to the peer, IPSec uses IKE to negotiate with the remote peer to set up the necessary IPSec security associations on behalf of the data flow. The negotiation uses information specified in the crypto map entry as well as the data flow information from the specific access list entry. (The behavior is different for dynamic crypto map entries.) If the crypto map entry is tagged as ipsec-manual, IPSec is triggered. If no security association exists that IPSec can use to protect this traffic to the peer, the traffic is dropped. In this case, the security associations are installed via the configuration, without the intervention of IKE. If the security associations did not exist, IPSec did not have all of the necessary pieces configured.

Once established, the set of security associations (outbound, to the peer) is then applied to the triggering packet as well as to subsequent applicable packets as those packets exit the router. Applicable packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound security associations are used when processing the incoming traffic from that peer.

If IKE is used to establish the security associations, the security associations will have lifetimes so that they will periodically expire and require renegotiation. (This provides an additional level of security.)

Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of security associations. For example, some data streams might be just authenticated while other data streams must both be encrypted and authenticated.

Access lists associated with IPSec crypto map entries also represent which traffic the router requires to be protected by IPSec. Inbound traffic is processed against the crypto map entries; if an unprotected packet matches a permit entry in a particular access list associated with an IPSec crypto map entry, that packet is dropped because it was not sent as an IPSec-protected packet.

Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec-protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Nesting of IPSec Traffic to Multiple Peers


You can nest IPSec traffic to a series of IPSec peers. For example, in order for traffic to traverse multiple firewalls (and these firewalls have a policy of not letting through traffic that they themselves have not authenticated), the router needs to establish IPSec tunnels with each firewall in turn. The nearest firewall becomes the outermost IPSec peer. In the example shown in Figure 21, Router A encapsulates the traffic destined for Router C in IPSec (Router C is the IPSec peer). However, before Router A can send this traffic, it must first reencapsulate this traffic in IPSec in order to send it to Router B (Router B is the outermost IPSec peer).

Figure: Nesting Example of IPSec Peers

It is possible for the traffic between the outer peers to have one kind of protection (such as data authentication) and for traffic between the inner peers to have different protection (such as both data authentication and encryption).

After you have completed IKE configuration, configure IPSec. To configure IPSec, complete the tasks in the following sections at each participating IPSec peer:

Ensure Access Lists Are Compatible with IPSec
Set Global Lifetimes for IPSec Security Associations
Create Crypto Access Lists
Define Transform Sets
Create Crypto Map Entries
Apply Crypto Map Sets to Interfaces
Monitor and Maintain IPSec

Ensure Access Lists Are Compatible with IPSec


IKE uses UDP port 500. The IPSec ESP and AH protocols use IP protocol numbers 50 and 51. Ensure that your access lists are configured so that protocol 50, protocol 51, and UDP port 500 traffic is not blocked at interfaces used by IPSec. In some cases you might need to add a statement to your access lists to explicitly permit this traffic.

Set Global Lifetimes for IPSec Security Associations


You can change the global lifetime values which are used when negotiating new IPSec security associations. (These global lifetime values can be overridden for a particular crypto map entry). These lifetimes only apply to security associations established via IKE. Manually established security associations do not expire.

There are two lifetimes: a timed lifetime and a traffic-volume lifetime. A security association expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabytes per second for one hour).

If you change a global lifetime, the new lifetime value will not be applied to currently existing security associations, but will be used in the negotiation of subsequently established security associations. If you wish to use the new values immediately, you can clear all or part of the security association database. Refer to the clear crypto sa command for more details.

IPSec security associations use one or more shared secret keys. These keys and their security associations time out together.

To change a global lifetime for IPSec security associations, use one or more of the following commands in global configuration mode:

How These Lifetimes Work


Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

The security association (and corresponding keys) will expire according to whichever comes sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes is passed (specified by the kilobytes keyword). Security associations that are established manually (via a crypto map entry marked as ipsec-manual) have an infinite lifetime.

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever comes first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
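The lifetime rules in this section, modelled as an added Python illustration written for this page (not Cisco code): it derives the offered and negotiated lifetimes, applies the 30-second and 256-kilobyte early-rekey margins, and reproduces the idle-SA behaviour. The class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Global defaults quoted in the text.
GLOBAL_SECONDS = 3600
GLOBAL_KILOBYTES = 4_608_000
# Early-rekey margins quoted in the text.
REKEY_SECONDS_BEFORE = 30
REKEY_KILOBYTES_BEFORE = 256


@dataclass(frozen=True)
class Lifetime:
    seconds: Optional[int]     # None = never expires (manually keyed SAs)
    kilobytes: Optional[int]

    @property
    def infinite(self):
        return self.seconds is None


def offered_lifetime(mode, entry_lifetime=None):
    """Lifetime the local router proposes for a crypto map entry: the entry's
    own values if configured, otherwise the global ones. ipsec-manual
    entries get an infinite lifetime."""
    if mode == "ipsec-manual":
        return Lifetime(None, None)
    if entry_lifetime is not None:
        return entry_lifetime
    return Lifetime(GLOBAL_SECONDS, GLOBAL_KILOBYTES)


def negotiated_lifetime(local, proposed):
    """Responder rule: the smaller of the peer's proposal and the local value
    wins, separately for the timed and the traffic-volume lifetime."""
    return Lifetime(min(local.seconds, proposed.seconds),
                    min(local.kilobytes, proposed.kilobytes))


@dataclass
class SecurityAssociation:
    lifetime: Lifetime
    age_seconds: int = 0
    kilobytes_passed: int = 0

    def expired(self):
        """Whichever limit is reached first retires the SA and its keys."""
        if self.lifetime.infinite:
            return False
        return (self.age_seconds >= self.lifetime.seconds
                or self.kilobytes_passed >= self.lifetime.kilobytes)

    def rekey_due(self):
        """A replacement is negotiated 30 s or 256 KB before expiry so it is
        ready in time, but only if this SA has carried traffic; an idle SA is
        simply allowed to expire."""
        if self.lifetime.infinite or self.kilobytes_passed == 0:
            return False
        return (self.age_seconds >= self.lifetime.seconds - REKEY_SECONDS_BEFORE
                or self.kilobytes_passed >= self.lifetime.kilobytes - REKEY_KILOBYTES_BEFORE)


def next_action(sa, packet_pending):
    """What IPSec does for this flow now: 'rekey' ahead of expiry; after an
    idle SA has expired, 'negotiate' only once a packet needing protection
    shows up; otherwise keep using the current SA."""
    if sa.rekey_due():
        return "rekey"
    if sa.expired():
        return "negotiate" if packet_pending else "idle"
    return "use-current"
```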


Create Crypto Access Lists


Crypto access lists are used to define which IP traffic will be protected by crypto and which traffic will not be protected by crypto. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.

The access lists themselves are not specific to IPSec; they are no different from what is used for CET. It is the crypto map entry referencing the specific access list that defines whether IPSec or CET processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with IPSec crypto map entries have four primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).
Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.
Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmp crypto map entries.) In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries which specify different IPSec policies.

Later, you will associate the crypto access lists to particular interfaces when you configure and apply crypto map sets to the interfaces (following instructions in the sections Create Crypto Map Entries and Apply Crypto Map Sets to Interfaces). To create crypto access lists, use the following command in global configuration mode:

Crypto Access List Tips


Using the permit keyword causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry. Using the deny keyword prevents traffic from being protected by crypto in the context of that particular crypto map entry.


The crypto access list you define will be applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. (These two tasks are described in following sections.) Different access lists must be used in different entries of the same crypto map set. However, both inbound and outbound traffic will be evaluated against the same outbound IPSec access list. Therefore, the access list criteria are applied in the forward direction to traffic exiting your router, and in the reverse direction to traffic entering your router.

In the figure below, IPSec protection is applied to traffic between Host 10.0.0.1 and Host 20.0.0.2 as the data exits Router A's S0 interface en route to Host 20.0.0.2. For traffic from Host 10.0.0.1 to Host 20.0.0.2, the access list entry on Router A is evaluated as follows:
source = host 10.0.0.1 dest = host 20.0.0.2

For traffic from Host 20.0.0.2 to Host 10.0.0.1, that same access list entry on Router A is evaluated as follows:
source = host 20.0.0.2 dest = host 10.0.0.1

If you configure multiple statements for a given crypto access list which is used for IPSec, in general the first permit statement that is matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement.

Any unprotected inbound traffic that matches a permit entry in the crypto access list for a crypto map entry flagged as IPSec will be dropped, since this traffic was expected to be protected by IPSec.

Note: If you view your router's access lists by using a command such as show ip access-lists, all extended IP access lists will be shown in the command output. This includes extended IP access lists that are used for traffic filtering purposes as well as those that are used for crypto. The show command output does not differentiate between the different uses of the extended access lists.
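The forward/reverse evaluation and the unprotected-inbound drop rule above, as an added Python illustration written for this page (not IOS code): it parses extended access-list statements in IOS syntax, including wildcard masks, and reports which statement matched, since that statement scopes the security association. The access list contents are constructed for the example and the function names are the example's own.

```python
import ipaddress

ALL = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((base, wildcard), remaining tokens); set wildcard bits are "don't care"."""
    if tokens[0] == "any":
        return (0, ALL), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def _addr_matches(spec, ip):
    base, wildcard = spec
    care = ALL ^ wildcard  # bits the statement actually compares
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' lines into
    (action, proto, src_spec, dst_spec, dst_port) tuples, in configured order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list statement: {line}")
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dst_port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dst_port))
    return entries


def _entry_matches(entry, src, dst, proto, dport):
    action, eproto, esrc, edst, eport = entry
    if eproto != "ip" and eproto != proto:
        return False
    if eport is not None and eport != dport:
        return False
    return _addr_matches(esrc, src) and _addr_matches(edst, dst)


def evaluate(acl, src, dst, proto="ip", sport=None, dport=None, direction="out"):
    """Return (action, index) of the first matching statement, or ("deny", None)
    for the implicit deny. Inbound traffic is evaluated with source and
    destination (and ports) swapped, as the section explains; the index says
    which statement will scope the security association."""
    if direction == "in":
        src, dst, sport, dport = dst, src, dport, sport
    for index, entry in enumerate(acl):
        if _entry_matches(entry, src, dst, proto, dport):
            return entry[0], index
    return "deny", None


def inbound_disposition(acl, src, dst, protected, proto="ip", sport=None, dport=None):
    """Inbound rule for an IPSec crypto map entry: a packet that matches a
    permit statement but did not arrive IPSec-protected is dropped."""
    action, _ = evaluate(acl, src, dst, proto, sport, dport, direction="in")
    return "drop" if action == "permit" and not protected else "accept"


# Constructed crypto access list using the addresses from this section.
CRYPTO_ACL = parse_acl([
    "access-list 120 permit tcp host 10.0.0.1 host 20.0.0.2 eq 23",   # Telnet, one flow
    "access-list 120 deny ip host 10.0.0.9 10.2.2.0 0.0.0.255",       # one host stays in the clear
    "access-list 120 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255",
])
```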

Define Transform Sets


A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations. With manually established security associations, there is no negotiation with the peer, so both sides must specify the same transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

To define a transform set, use the following commands starting in global configuration mode:


About Crypto Maps


Crypto maps, used with Cisco Encryption Technology (CET), are now expanded to also specify IPSec policy. Crypto map entries created for IPSec pull together the various parts used to set up IPSec security associations, including:

Which traffic should be protected by IPSec (per a crypto access list)
The granularity of the flow to be protected by a set of security associations
Where IPSec-protected traffic should be sent (who the remote IPSec peer is)
The local address to be used for the IPSec traffic (see the Apply Crypto Map Sets to Interfaces section for more details)
What IPSec security should be applied to this traffic (selecting from a list of one or more transform sets)
Whether security associations are manually established or are established via IKE
Other parameters that might be necessary to define an IPSec security association

Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the remote peer according to the parameters included in the crypto map entry; otherwise, if the crypto map entry specifies the use of manual security associations, a security association should have already been established via configuration. (If a dynamic crypto map entry sees outbound traffic that should be protected and no security association exists, the packet is dropped.)

The policy described in the crypto map entries is used during the negotiation of security associations. If the local router initiates the negotiation, it will use the policy specified in the static crypto map entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router will check the policy from the static crypto map entries, as well as any referenced dynamic crypto map entries, to decide whether to accept or reject the peer's request (offer).

For IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain compatible configuration statements. When two peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. For two crypto map entries to be compatible, they must at least meet the following criteria:

The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be permitted by the peer's crypto access list.
The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).
The crypto map entries must have at least one transform set in common.

Load Sharing
You can define multiple remote peers using crypto maps to allow for load sharing. If one peer fails, there will still be a protected path. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers, you might consider configuring dynamic crypto maps as described in the section Creating Dynamic Crypto Maps. Dynamic crypto maps are useful when the establishment of the IPSec tunnels is initiated by the remote peer (such as in the case of an IPSec router fronting a server). They are not useful if the establishment of the IPSec tunnels is locally initiated, because the dynamic crypto maps are policy templates, not complete statements of policy. (Although the access lists in any referenced dynamic crypto map entry are used for crypto packet filtering.)

How Many Crypto Maps Should You Create?


You can apply only one crypto map set to a single interface. The crypto map set can include a combination of CET, IPSec/IKE, and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.

If you create more than one crypto map entry for a given interface, use the seq-num of each map entry to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher priority map entries first.

You must create multiple crypto map entries for a given interface if any of the following conditions exist:

If different data flows are to be handled by separate IPSec peers.
If you want to apply different IPSec security to different types of traffic (to the same or separate IPSec peers); for example, if you want traffic between one set of subnets to be authenticated, and traffic between another set of subnets to be both authenticated and encrypted. In this case the different types of traffic should have been defined in two separate access lists, and you must create a separate crypto map entry for each crypto access list.
If you are not using IKE to establish a particular set of security associations, and want to specify multiple access list entries, you must create separate access lists (one per permit entry) and specify a separate crypto map entry for each access list.

Creating Crypto Map Entries for Establishing Manual Security Associations


The use of manual security associations is a result of a prior arrangement between the users of the local router and the IPSec peer. The two parties may wish to begin with manual security associations, and then move to using security associations established via IKE, or the remote party's system may not support IKE. If IKE is not used for establishing the security associations, there is no negotiation of security associations, so the configuration information in both systems must be the same in order for traffic to be processed successfully by IPSec.

The local router can simultaneously support manual and IKE-established security associations, even within a single crypto map set. There is very little reason to disable IKE on the local router (unless the router only supports manual security associations, which is unlikely).

To create crypto map entries to establish manual security associations (SAs) (that is, when IKE is not used to establish the SAs), use the following commands starting in global configuration mode:


Creating Crypto Map Entries that Use IKE to Establish Security Associations


When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.

To create crypto map entries that will use IKE to establish the security associations, use the following commands starting in global configuration mode:


Creating Dynamic Crypto Maps


Dynamic crypto maps (this requires IKE) can ease IPSec configuration and are recommended for use with networks where the peers are not always predetermined. An example of this is mobile users, who obtain dynamically-assigned IP addresses. First, the mobile clients need to authenticate themselves to the local router's IKE by something other than an IP address, such as a fully qualified domain name. Once authenticated, the security association request can be processed against a dynamic crypto map which is set up to accept requests (matching the specified local policy) from previously unknown peers.

To configure dynamic crypto maps, follow these instructions:

Understand Dynamic Crypto Maps
Create a Dynamic Crypto Map Set
Add the Dynamic Crypto Map Set into a Regular (Static) Crypto Map Set

Understand Dynamic Crypto Maps


Dynamic crypto maps are only available for use by IKE. A dynamic crypto map entry is essentially a crypto map entry without all the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all of the remote peer's requirements.

Dynamic crypto maps are not used by the router to initiate new IPSec security associations with remote peers. Dynamic crypto maps are used when a remote peer tries to initiate an IPSec security association with the router. Dynamic crypto maps are also used in evaluating traffic.

A dynamic crypto map set is included by reference as part of a crypto map set. Any crypto map entries that reference dynamic crypto map sets should be the lowest priority crypto map entries in the crypto map set (that is, have the highest sequence numbers) so that the other crypto map entries are evaluated first; that way, the dynamic crypto map set is examined only when the other (static) map entries are not successfully matched.

If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is then removed.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as IPSec, then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.) For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding SA is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (since dynamic crypto maps are not used for initiating new SAs).
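An added Python model (written for this page, not Cisco code) of how a crypto map set applied to an interface dispatches traffic, covering this section, the seq-num ordering from How Many Crypto Maps Should You Create?, and the compatibility criteria from About Crypto Maps: static ipsec-isakmp entries initiate IKE when no SA exists, ipsec-manual and dynamic entries drop instead, and unprotected inbound traffic matching a permit is dropped. Access lists are reduced to prefix pairs, IKE negotiation is assumed to always succeed, and the class and function names and sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class CryptoMapEntry:
    seq_num: int
    mode: str                       # "ipsec-isakmp", "ipsec-manual" or "dynamic"
    acl: list = None                # [(action, src_prefix, dst_prefix)]; None = no ACL
    peers: list = field(default_factory=list)           # "set peer" list, tried in order
    transform_sets: list = field(default_factory=list)  # "set transform-set" list

    def permits(self, src, dst):
        """First statement containing both addresses decides. An entry without
        an access list is ignored during traffic filtering."""
        if self.acl is None:
            return False
        for action, src_net, dst_net in self.acl:
            if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
                return action == "permit"
        return False  # implicit deny


class CryptoMapSet:
    def __init__(self, entries, manual_sas=()):
        # Lower seq-num means higher priority; dynamic entries belong at the
        # highest seq-nums so that static policy is tried first.
        self.entries = sorted(entries, key=lambda e: e.seq_num)
        # seq-nums that currently have SAs; manual ones exist by configuration
        self.sa_db = set(manual_sas)

    def outbound(self, src, dst):
        """Disposition of a packet leaving the interface this set is applied to."""
        for entry in self.entries:
            if not entry.permits(src, dst):
                continue
            if entry.seq_num in self.sa_db:
                return f"protect seq {entry.seq_num}"
            if entry.mode == "ipsec-isakmp":
                self.sa_db.add(entry.seq_num)  # model assumption: IKE succeeds
                return f"ike-negotiate seq {entry.seq_num} peer {entry.peers[0]}"
            if entry.mode == "ipsec-manual":
                return f"drop seq {entry.seq_num} (no manually configured SA)"
            return f"drop seq {entry.seq_num} (dynamic entry cannot initiate SAs)"
        return "forward in clear (not crypto traffic)"

    def inbound(self, src, dst, protected):
        """Disposition of a packet arriving on that interface."""
        if protected:
            return "accept protected"
        # Unprotected: the same (outbound) access lists are evaluated in reverse.
        for entry in self.entries:
            if entry.permits(dst, src):
                return f"drop seq {entry.seq_num} (expected IPSec protection)"
        return "forward in clear (not crypto traffic)"


def mirror_image(local_acl, remote_acl):
    """Two crypto access lists are mirror images when every permit on one side
    appears on the other with source and destination swapped."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local == remote


def compatible(local, remote, local_addr, remote_addr):
    """Compatibility criteria for two static crypto map entries: mirror-image
    access lists, each entry naming the other peer, and a common transform set."""
    return (mirror_image(local.acl, remote.acl)
            and remote_addr in local.peers and local_addr in remote.peers
            and bool(set(local.transform_sets) & set(remote.transform_sets)))


def build_example_set():
    """Constructed crypto map set: a manual entry, an IKE entry with two peers
    for load sharing, and a dynamic template at the highest seq-num."""
    entries = [
        CryptoMapEntry(10, "ipsec-manual", [("permit", "10.0.0.0/24", "10.1.0.0/24")],
                       ["10.1.0.1"], ["myset"]),
        CryptoMapEntry(20, "ipsec-isakmp", [("permit", "10.0.0.0/24", "10.2.2.0/24")],
                       ["10.2.2.5", "10.2.2.6"], ["myset"]),
        CryptoMapEntry(65535, "dynamic", [("permit", "10.0.0.0/24", "172.16.0.0/12")]),
    ]
    return CryptoMapSet(entries, manual_sas={10})
```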


Create a Dynamic Crypto Map Set


Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name but each with a different dynamic-seq-num. To create a dynamic crypto map entry, use the following commands starting in global configuration mode:


Dynamic crypto map entries specify crypto access lists that limit traffic for which IPSec security associations can be established. A dynamic crypto map entry that does not specify an access list will be ignored during traffic filtering. A dynamic crypto map entry with an empty access list causes traffic to be dropped. If there is only one dynamic crypto map entry in the crypto map set, it must specify acceptable transform sets.


Apply Crypto Map Sets to Interfaces


You need to apply a crypto map set to each interface through which IPSec or CET traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto (either CET or IPSec). To apply a crypto map set to an interface, use the following command in interface configuration mode:

For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:

Each interface will have its own piece of the security association database.
The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface. This has the following effects:

The per-interface portion of the IPSec security association database will be established one time and shared for traffic through all the interfaces that share the same crypto map.
The IP address of the identifying interface will be used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface. To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

Monitor and Maintain IPSec


Certain configuration changes will only take effect when negotiating subsequent security associations. If you want the new settings to take immediate effect, you must clear the existing security associations so that they will be re-established with the changed configuration. For manually established security associations, you must clear and reinitialize the security associations or the changes will never take effect. If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security association database that would be affected by the configuration changes (that is, clear only the security associations established by a given crypto map set). Clearing the full security association database should be reserved for large-scale changes, or when the router is processing very little other IPSec traffic. To clear (and reinitialize) IPSec security associations, use one of the following commands in global configuration mode:


To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

IPSec Configuration Example


The following is an example of a minimal IPSec configuration where the security associations will be established via IKE. For more information about IKE, see the chapter Configuring Internet Key Exchange Security Protocol.

An IPSec access list defines which traffic to protect:

  access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic will be protected:

  crypto ipsec transform-set myset esp-des esp-sha

A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):

  crypto map toRemoteSite 10 ipsec-isakmp
   match address 101
   set transform-set myset
   set peer 10.2.2.5

The crypto map is applied to an interface:

  interface Serial0
   ip address 10.0.0.2
   crypto map toRemoteSite
