NETWORKING TRAINING
By
Networking training
Table Of Contents
Open Systems Interconnection (OSI) Reference Model ... 2
OSI Layer Wise Description ... 2
CHAPTER 2 ... 4
INTRODUCTION TO LAN ... 4
What is a LAN? ... 4
LAN Media-Access Methods ... 4
Ethernet Technologies ... 5
LAN Data Transmission Methods ... 5
LAN Devices ... 5
Repeater ... 5
Hub ... 6
Bridges and Switches ... 6
Types of Switches ... 6
LAN Switch ... 6
Router ... 6
CHAPTER 3 ... 7
INTRODUCTION TO WAN TECHNOLOGIES ... 7
What is a WAN? ... 7
Point-to-Point Links ... 7
Circuit Switching ... 8
Packet Switching ... 8
WAN Devices ... 9
Modem ... 9
CSU/DSU ... 9
Router Components ... 15
Command-Line Interface ... 16
Navigating the IOS CLI ... 18
Configuration Processes and the Configuration File ... 19
CHAPTER 5 ... 20
ROUTING BASICS ... 20
Basics ... 20
Routing ... 21
Routing Protocol ... 21
Static Routing ... 22
Dynamic Routing ... 22
Administrative Distances ... 22
CHAPTER 6 ... 23
ROUTING PROTOCOL ... 23
BASICS ... 23
ROUTING ... 24
ROUTED PROTOCOL (ROUTABLE PROTOCOL) ... 25
ROUTING PROTOCOL ... 25
STATIC ROUTING ... 26
DYNAMIC ROUTING ... 26
ADMINISTRATIVE DISTANCES ... 26
DYNAMIC ROUTING PROTOCOL ... 27
DISTANCE VECTOR ... 27
LINK STATE ... 27
HYBRID ... 27
DISTANCE-VECTOR ROUTING PROTOCOLS ... 27
ROUTING INFORMATION PROTOCOL (RIP) ... 31
ROUTING UPDATES ... 31
RIP ROUTING METRIC ... 31
RIP TIMERS ... 31
RIP VERSION 2 ... 32
SUMMARY ... 33
INTERIOR GATEWAY ROUTING PROTOCOL (IGRP) ... 33
IGRP TIMERS ... 33
RIP AND IGRP COMPARISON ... 33
HYBRID ROUTING PROTOCOL ... 34
EIGRP (ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL) ... 34
ROUTING CONCEPTS ... 36
SELECTION OF ROUTING PROTOCOL ... 37
CONFIGURING SUMMARY AGGREGATE ADDRESSES ... 43
ROUTE SUMMARIZATION EXAMPLE ... 43
LINK STATE ROUTING PROTOCOL ... 44
OSPF (OPEN SHORTEST PATH FIRST) ... 44
ROUTING HIERARCHY ... 44
LINK-STATE ALGORITHM ... 47
SHORTEST PATH ALGORITHM ... 47
Link-State Packets ... 49
ENABLING OSPF ON THE ROUTER ... 50
OSPF Authentication ... 51
THE BACKBONE AND AREA 0 ... 52
Virtual Links ... 53
NEIGHBORS ... 55
ADJACENCIES ... 55
BUILDING THE ADJACENCY ... 57
CHAPTER 7 ... 61
CONFIGURATIONS ... 61
Common Configuration Command ... 61
Configuring Ethernet interface ... 62
Configuring Serial Interface ... 62
CHAPTER 8 ... 63
Exercise ... 63
Setting the hostname of the Router ... 63
Exercise ... 64
Configuring the Ethernet interface of the Router for Telnet access ... 64
Exercise ... 66
Setting the password to console Port of the Router ... 66
Chapter 1
Networking Basics
Internetworking
This chapter focuses mainly on mapping the Open Systems Interconnect (OSI) model to networking/internetworking functions and summarizing the general nature of addressing schemes within the context of the OSI model.
What is a Network?
A network is a collection of individual computers, connected by some physical media and networking devices.
What is an Internetwork?
An internetwork is a collection of individual networks, connected by intermediate networking devices that function as a single large network. Internetworking refers to the industry, products, and procedures that meet the challenge of creating and administering internetworks. Figure illustrates some different kinds of network technologies that can be interconnected by routers and other networking devices to create an internetwork:
Figure : Different network technologies can be connected to create an internetwork.
Networking Architecture
Open Systems Interconnection (OSI) Reference Model
OSI is the Open Systems Interconnection reference model for communications. OSI is a rather well-defined set of protocol specifications with many options for accomplishing similar tasks. Some participants in OSI's creation and development wanted it to become the networking protocol used by all applications. The OSI model consists of seven layers, each of which can have several sublayers. The upper layers of the OSI model (application, presentation, and session; Layers 7, 6, and 5) are oriented more toward services to the applications. These layers are also referred to as host layers. The lower four layers (transport, network, data link, and physical; Layers 4, 3, 2, and 1) are oriented more toward the flows of data from end to end through the network. These layers are referred to as internetwork layers.
Data link layer (Layer 2) examples: IEEE 802.3/802.2, HDLC, Frame Relay, PPP, FDDI, ATM, IEEE 802.5/802.2
Apple
Network (Layer 3): ... learned so that the packets can be delivered. The network layer also defines how to fragment a packet into smaller packets to accommodate media with a smaller maximum transmission unit size.

Transport (Layer 4): This layer includes the choice of protocols that either do or do not provide error recovery. Multiplexing of incoming data for different flows to applications on the same host (for example, TCP sockets) is also performed. Reordering of the incoming data stream when packets arrive out of order is included.

Session (Layer 5): This layer defines how to start, control, and end conversations (called sessions). This includes the control and management of multiple bidirectional messages so that the application can be notified if only some of ... the presentation layer to have a seamless view of an incoming stream of data. The session layer creates ways to imply which flows must complete before any are considered complete. Examples: RPC, SQL, NFS, NetBIOS names, AppleTalk ASP, DECnet SCP.

Presentation (Layer 6): This layer's main purpose is defining data formats, such as ASCII text, binary, BCD, and JPEG. Encryption is also defined as a presentation layer service. For example, FTP enables you to choose binary or ASCII transfer. If binary is selected, the sender and receiver do not modify the contents of the file. If ASCII is chosen, the sender translates the text from the sender's character set to standard ASCII and sends the data. The receiver translates back from standard ASCII to the character set used on the receiving computer.

Application (Layer 7): An application that communicates with other computers is implementing OSI application layer concepts. The application layer refers to communications services to the applications. For example, a word processor that lacks communications capabilities would not implement code for communications, and word processor programmers would not be concerned about OSI Layer 7. However, if an option for transferring a file were added, then the word processor would need to implement OSI Layer 7.
What is a LAN?
A LAN is a high-speed, fault-tolerant data network that covers a relatively small geographic area. It typically connects workstations, personal computers, printers, and other devices. LANs offer computer users many advantages, including shared access to devices and applications, file exchange between connected users, and communication between users via electronic mail and other applications.
... therefore sometimes called contention access. Examples of LANs that use the CSMA/CD media-access scheme are Ethernet/IEEE 802.3 networks, including 100BaseT.
Ethernet Technologies
The term Ethernet refers to the family of local area network (LAN) implementations that includes three principal categories:
- Ethernet and IEEE 802.3: LAN specifications that operate at 10 Mbps over coaxial cable.
- 100-Mbps Ethernet: A single LAN specification, also known as Fast Ethernet, that operates at 100 Mbps over twisted-pair cable.
- 1000-Mbps Ethernet: A single LAN specification, also known as Gigabit Ethernet, that operates at 1000 Mbps (1 Gbps) over fiber and twisted-pair cables.
LAN Devices
Devices commonly used in LANs include repeaters, hubs, LAN extenders, bridges, LAN switches, and routers. Repeaters, hubs, and LAN extenders are discussed briefly in this Chapter. The functions and operations of bridges, switches, and routers are discussed generally in "Bridging and Switching Basics," and "Routing Basics."
Repeater
A repeater is a physical layer device used to interconnect the media segments of an extended network. A repeater essentially enables a series of cable segments to be treated as a single cable.
Figure : A repeater connects two network segments.
Hub
A hub is a physical-layer device that connects multiple user stations, each via a dedicated cable. Electrical interconnections are established inside the hub. Hubs are used to create a physical star network while maintaining the logical bus or ring configuration of the LAN. In some respects, a hub functions as a multi-port repeater.
Types of Switches
Switches are data link layer devices that, like bridges, enable multiple physical LAN segments to be interconnected into a single larger network. Similar to bridges, switches forward and flood traffic based on MAC addresses. Because switching is performed in hardware instead of in software, it is significantly faster. Switches use either store-and-forward switching or cut-through switching when forwarding traffic. Many types of switches exist, including ATM switches, LAN switches, and various types of WAN switches.
LAN Switch
LAN switches are used to interconnect multiple LAN segments. LAN switching provides dedicated, collision-free communication between network devices, with support for multiple simultaneous conversations. LAN switches are designed to switch data frames at high speeds. Figure illustrates a simple network in which a LAN switch interconnects a 10-Mbps and a 100-Mbps Ethernet LAN.
Figure: A LAN switch can link 10-Mbps and 100-Mbps Ethernet segments.
Router
A router connects multiple logical networks, such as Ethernet and Token Ring, into a single internetwork, with each separate logical network maintaining its own logical network address. Routers work at the network layer and include the capability to separate the management of the segments on the internetwork.
Point-to-Point Links
A point-to-point link provides a single, pre-established WAN communications path from the customer premises through a carrier network, such as a telephone company, to a remote network. A point-to-point link is also known as a leased line because its established path is permanent and fixed for each remote network reached through the carrier facilities. The carrier company reserves point-to-point links for the private use of the customer. These links accommodate two types of transmissions: Datagram transmissions, which are composed of individually addressed frames, and data-stream transmissions, which are composed of a stream of data for which address checking occurs only once. Figure illustrates a typical point-to-point link through a WAN.
Circuit Switching
Circuit switching is a WAN switching method in which a dedicated physical circuit is established, maintained, and terminated through a carrier network for each communication session. Circuit switching accommodates two types of transmissions: datagram transmissions and data-stream transmissions. Used extensively in telephone company networks, circuit switching operates much like a normal telephone call. Integrated Services Digital Network (ISDN) is an example of a circuit-switched WAN technology.
Figure : A circuit- switched WAN undergoes a process similar to that used for a telephone call.
Packet Switching
Packet switching is a WAN switching method in which network devices share a single point-to-point link to transport packets from a source to a destination across a carrier network. Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer Mode (ATM), Frame Relay, Switched Multi-megabit Data Service (SMDS), and X.25 are examples of packet-switched WAN technologies (see Figure).
WAN Devices
WANs use numerous types of devices that are specific to WAN environments. WAN switches, access servers, modems, CSU/DSUs, and ISDN terminal adapters are discussed in the following sections. Other devices found in WAN environments that are exclusive to WAN implementations include routers, ATM switches, and multiplexers.
Modem
A modem is a device that interprets digital and analog signals, enabling data to be transmitted over voice-grade telephone lines. At the source, digital signals are converted to a form suitable for transmission over analog communication facilities. At the destination, these analog signals are returned to their digital form. Figure illustrates a simple modem-to-modem connection through a WAN.
Figure : A modem connection through a WAN handles analog and digital signals.
CSU/DSU
A channel service unit/digital service unit (CSU/DSU) is a digital-interface device (or sometimes two separate digital devices) that adapts the physical interface on a data terminal equipment (DTE) device (such as a terminal) to the interface of a data circuit-terminating (DCE) device (such as a switch) in a switched-carrier network. The CSU/DSU also provides signal timing for communication between these devices. Figure illustrates the placement of the CSU/DSU in a WAN implementation.
Figure : The CSU/DSU stands between the switch and the terminal.
Default Class C mask: The mask used for a Class C network when no subnetting is used. The value is 255.255.255.0.
Subnet mask: A non-default mask used when subnetting.
Network part / field: Term used to describe the first part of an IP address. The network part is 8, 16, or 24 bits for Class A, B, and C networks, respectively.
Host part / field: Term used to describe the last part of an IP address. The host part is 24, 16, or 8 bits for Class A, B, and C networks, respectively, when subnetting is not used. When subnetting, the size of the host part depends on the subnet mask chosen for that network.
Subnet part / field: Term used to describe the middle part of an IP address. The subnet part is variable in size, based on how subnetting is implemented.
Classes of Networks
Class A, B, and C networks provide three network sizes. By definition, all addresses in the same network have the same numeric value in the network portion of the addresses. The rest of the address is called the host portion of the address. Individual addresses in the same network all have a different value in the host parts of the addresses but have identical values in the network part. Class A networks have a 1-byte-long network part. That leaves 24 bits for the rest of the address, or the host part, which means that 2^24 addresses are numerically possible in a Class A network. Similarly, Class B networks have a 2-byte-long network part, leaving 16 bits for the host part of the address, so 2^16 possible addresses exist in a single Class B network. Finally, Class C networks have a 3-byte-long network part, leaving only 8 bits for the host part, which implies only 2^8 addresses in a Class C network. The following table summarizes the characteristics of Class A, B, and C networks.

Size of Network and Host Parts of IP Addresses with No Subnetting
Network Type | Number of Network Bytes (Bits) | Number of Host Bytes (Bits) | Number of Addresses per Network
A | 1 (8) | 3 (24) | 2^24 minus 2 special cases
B | 2 (16) | 2 (16) | 2^16 minus 2 special cases
C | 3 (24) | 1 (8) | 2^8 minus 2 special cases
Figure
For example, Figure shows a small network with addresses filled in. Network 8.0.0.0 is a Class A network; Network 130.4.0.0 is a Class B network; Network 199.1.1.0 is a Class C network. Network numbers look like addresses (in dotted decimal format), but they are not assignable to any interface as an IP address. Conceptually, network numbers represent the group of all IP addresses in the network. Numerically, the network number is built with a nonzero value in the network part but with all 0s in the host part of the network number. Given the three examples from Figure, the following table provides a closer look at the numerical version of the three network numbers: 8.0.0.0, 130.4.0.0, and 199.1.1.0.

Example: Network Numbers, Decimal and Binary (network part / host part)
Network No. | Binary Representation
8.0.0.0 | 0000 1000 / 0000 0000 0000 0000 0000 0000
130.4.0.0 | 1000 0010 0000 0100 / 0000 0000 0000 0000
199.1.1.0 | 1100 0111 0000 0001 0000 0001 / 0000 0000
The next table summarizes the possible network numbers, the total number of each type, and the number of hosts in each Class A, B, and C network.

Class | First Octet Valid Range | Valid Network Numbers | Total Number of this Class of Network | Number of Hosts per Network
A | 1 to 126 | 1.0.0.0 to 126.0.0.0 | 2^7 minus two special cases | 2^24 minus two special cases
B | 128 to 191 | 128.1.0.0 to 191.254.0.0 | 2^14 minus two special cases | 2^16 minus two special cases
C | 192 to 223 | 192.0.1.0 to 223.254.254.0 | 2^24 minus two special cases | 2^8 minus two special cases
The Valid Network Numbers column shows actual network numbers. There are several reserved cases. For example, network 0.0.0.0 (available for use as a broadcast address) and 127.0.0.0 (available for use as the loopback address) are reserved. Networks 128.0.0.0, 191.255.0.0, 192.0.0.0, and 223.255.255.0 are also reserved.
... network part of the address; however, the class of network actually already implies the network part. The following table summarizes the default masks and reflects the sizes of the two parts of an IP address.

Class of Address | Size/Bits of Network Part of Address | Size/Bits of Host Part of Address | Default Mask for Each Class of Network
A | 8 | 24 | 255.0.0.0
B | 16 | 16 | 255.255.0.0
C | 24 | 8 | 255.255.255.0
When subnetting, a third part of an IP address appears, namely the subnet part of the address. Stealing bits from the host part of the address creates this field. Figure shows the format of addresses when subnetting. Three portions of the address now exist: network, subnet, and host. The network part size is determined by the class (A, B, or C). The subnet mask in use determines the host part: the number of bits of value 0 in the subnet mask defines the number of host bits. The remaining bits define the size of the subnet part of the address. For instance, a mask of 255.255.255.240, used with a Class C network, implies four host bits, because the mask has four binary 0s at the end.
Figure
The number of host bits defines the number of hosts per network or subnet; 2^(host bits) minus two special reserved cases is the number of assignable IP addresses in a network or subnet. Similarly, the number of subnet bits, assuming that the same mask is used on all subnets, defines the number of subnets of a network: 2^(subnet bits) is the number of usable IP subnets of that network. Two special cases, the zero subnet and the broadcast subnet, were reserved in years past but are now usable.
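The classful addressing and subnetting rules above (first-octet class ranges, the default mask per class, the network number with the host part zeroed, the binary layout of the three sample networks, and the split of a mask into subnet and host bits) can be checked with the following added Python example. It is not part of the training document; the function names and the SPECIAL_CASES constant are my own, the three sample networks are the ones used in the tables above, and it relies only on the standard library's ipaddress module.

```python
import ipaddress

# Two addresses in every network or subnet are reserved: the all-0s host part
# (the network/subnet number) and the all-1s host part (the broadcast address).
SPECIAL_CASES = 2

# First-octet ranges, network-part sizes and default masks as given in the tables.
FIRST_OCTET_RANGE = {"A": (1, 126), "B": (128, 191), "C": (192, 223)}
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip: str) -> str:
    """Classify by first octet. Values such as 0, 127 and 224 and above fall
    outside the Class A/B/C ranges in the text and are rejected."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    for cls, (low, high) in FIRST_OCTET_RANGE.items():
        if low <= first <= high:
            return cls
    raise ValueError(f"{ip}: first octet {first} is not in a Class A, B or C range")


def binary_dotted(ip: str) -> str:
    """Render an address as 4-bit groups, like the binary table above."""
    octets = [f"{int(o):08b}" for o in ip.split(".")]
    return " ".join(f"{b[:4]} {b[4:]}" for b in octets)


def network_number(ip: str) -> str:
    """Keep the classful network part and zero the host part."""
    mask = DEFAULT_MASK[address_class(ip)]
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def subnet_breakdown(ip: str, mask: str) -> dict:
    """Split an address under a subnet mask into network, subnet and host fields.

    The network field size comes from the class; the host field size is the
    number of trailing 0 bits in the mask; whatever is left is the subnet field.
    A non-contiguous mask is rejected by ipaddress with NetmaskValueError.
    """
    cls = address_class(ip)
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if net.prefixlen < NETWORK_BITS[cls]:
        raise ValueError(f"mask {mask} is shorter than the Class {cls} network part")
    host_bits = 32 - net.prefixlen
    subnet_bits = net.prefixlen - NETWORK_BITS[cls]
    return {
        "class": cls,
        "network_bits": NETWORK_BITS[cls],
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "subnet_number": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        # 2^(host bits) minus the two reserved addresses
        "hosts_per_subnet": max(2 ** host_bits - SPECIAL_CASES, 0),
        # 2^(subnet bits); the text notes the zero and broadcast subnets are usable today
        "subnets": 2 ** subnet_bits,
    }


if __name__ == "__main__":
    for addr in ("8.0.0.0", "130.4.0.0", "199.1.1.0"):
        print(f"{addr:<10} Class {address_class(addr)}  {binary_dotted(addr)}")
    print(subnet_breakdown("199.1.1.77", "255.255.255.240"))
```

For 199.1.1.77 with mask 255.255.255.240 the breakdown reports 24 network bits, 4 subnet bits and 4 host bits, so 16 subnets of 14 assignable addresses each, with 199.1.1.77 sitting in subnet 199.1.1.64 (broadcast 199.1.1.79).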
WAN Protocols
WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer. Figure illustrates the relationship between the common WAN technologies and the OSI model. We shall discuss PPP and frame relay data link layer WAN protocols.
Point-to-Point Protocol
Background
The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities. In addition to IP, PPP supports other protocols, including Novell's Internetwork Packet Exchange (IPX) and DECnet. This chapter provides a summary of PPP's basic protocol elements and operations.

PPP Components
PPP provides a method for transmitting datagrams over serial point-to-point links. PPP contains three main components:
- A method for encapsulating datagrams over serial links.
- An extensible LCP to establish, configure, and test the data-link connection.
- A family of NCPs for establishing and configuring different network-layer protocols; PPP is designed to allow the simultaneous use of multiple network-layer protocols.

General Operation
To establish communications over a point-to-point link, the originating PPP first sends LCP frames to configure and (optionally) test the data link. After the link has been established and optional facilities have been negotiated as needed by the LCP, the originating PPP sends NCP frames to choose and configure one or more network-layer protocols. When each of the chosen network-layer protocols has been configured, packets from each network-layer protocol can be sent over the link. The link will remain configured for communications until explicit LCP or NCP frames close the link, or until some external event occurs (for example, an inactivity timer expires or a user intervenes).

Physical-Layer Requirements
PPP is capable of operating across any DTE/DCE interface. Examples include EIA/TIA-232-C (formerly RS-232-C), EIA/TIA-422 (formerly RS-422), EIA/TIA-423 (formerly RS-423), and International Telecommunication Union Telecommunication Standardization Sector (ITU-T) (formerly CCITT) V.35. The only absolute requirement imposed by PPP is the provision of a duplex circuit, either dedicated or switched, that can operate in either an asynchronous or synchronous bit-serial mode, transparent to PPP link-layer frames. PPP does not impose any restrictions regarding transmission rate other than those imposed by the particular DTE/DCE interface in use.

PPP Link-Control Protocol
The PPP LCP provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection. LCP goes through four distinct phases:
1. Link establishment and configuration negotiation. Before any network-layer datagrams (for example, IP) can be exchanged, LCP first must open the connection and negotiate configuration parameters. This phase is complete when a configuration-acknowledgment frame has been both sent and received.
2. Link-quality determination. LCP allows an optional link-quality determination phase following the link-establishment and configuration-negotiation phase. In this phase, the link is tested to determine whether the link quality is sufficient to bring up network-layer protocols. This phase is optional. LCP can delay transmission of network-layer protocol information until this phase is complete.
3. Network-layer protocol configuration negotiation. After LCP has finished the link-quality determination phase, network-layer protocols can be configured separately by the appropriate NCP and can be brought up and taken down at any time. If LCP closes the link, it informs the network-layer protocols so that they can take appropriate action.
4. Link termination. LCP can terminate the link at any time. This usually will be done at the request of a user but can happen because of a physical event, such as the loss of carrier or the expiration of an idle-period timer.
Three classes of LCP frames exist. Link-establishment frames are used to establish and configure a link. Link-termination frames are used to terminate a link, while link-maintenance frames are used to manage and debug a link. These frames are used to accomplish the work of each of the LCP phases.
Router Components
Before examining the IOS, a review of hardware and hardware terminology is useful. In addition to handling the logic of routing packets, the IOS controls the use of different physical components, which includes memory, processor, and interfaces. This section of the book reviews common hardware details. All Cisco routers have a console port, and most have an auxiliary port. The console port is intended for local administrative access from an ASCII terminal or a computer using a terminal emulator. The auxiliary port, missing on a few models of Cisco routers, is intended for asynchronous dial access from an ASCII terminal or terminal emulator; the auxiliary port is often used for dial backup.
Each router has different types of memory, as follows:
- RAM: Sometimes called DRAM (dynamic random-access memory), RAM is used by the router just as it is used by any other computer, for working storage.
- ROM: This type of memory (read-only memory) stores a bootable IOS image, which is not typically used for normal operation. ROM contains the code that is used to boot the router until the router knows where to get the full IOS image.
- Flash memory: Either an EEPROM or a PCMCIA card, Flash memory stores fully functional IOS images and is the default location from which the router gets its IOS at boot time. Flash memory also can be used to store configuration files on Cisco 7500 series platforms.
- NVRAM: Nonvolatile RAM stores the initial, or startup, configuration file.
All these types of memory are permanent memory except RAM. No hard disk or diskette storage exists on Cisco routers.
Figure summarizes the use of memory in Cisco routers.
A router uses interfaces for routing packets and bridging frames. The types of interfaces available change over time due to new technology. Physical interfaces are referred to as interfaces by the IOS commands, as opposed to ports or plugs. In some smaller routers, the interface number is a single number. However, with some other families of routers, the interface is numbered first with the slot in which the card resides, followed by a slash and then the port number on that card. For example, port 3 on the card in slot 2 would be interface 2/3. Numbering starts with 0 for card slots and 0 for ports on any card. In some cases, three numbers define the interface: first the card slot, then the daughter card (typically called a port adapter), and then a number for the physical interface on the port adapter. The 2600 and 3600 families also use a slot/port numbering scheme.
Command-Line Interface
Cisco uses the acronym CLI to refer to the terminal user command-line interface to the IOS. The term CLI implies that the user is typing commands at a terminal, terminal emulator, or Telnet connection. To access the CLI, use one of three methods, as illustrated in Figure.
Networking training
Figure
Regardless of which access method is used, a CLI user initially is placed in user mode, or user EXEC mode, after logging in. EXEC refers to the fact that the commands typed here are executed, and some response messages are displayed onscreen. The alternative mode is configuration mode, which is covered in the next section. Passwords can be required when accessing the CLI. In fact, the default configuration at IOS 12.x requires a password for Telnet and auxiliary port access, but no password is set; therefore, you must configure passwords from the console first. The following table reviews the different types of passwords and the configuration for each type.
The login command actually tells the router to display a prompt. The password commands specify the text password to be typed by the user to gain access. The first command in each configuration is a context-setting command, as described in the section Configuration Processes and the Configuration File, later in this chapter. Typically, all three passwords have the same value. Several concurrent Telnet connections to a router are allowed. The line vty 0 4 command signifies that this configuration applies to vtys (virtual teletypes, or terminals) 0 through 4. Only these five vtys are allowed by the IOS unless it is an IOS for a dial access server, such as a Cisco AS5300. All five vtys typically have the same password, which is handy because users connecting to the router via Telnet cannot choose which vty they get. User EXEC mode is one of two command EXEC modes in the IOS user interface. Enable mode (also known as privileged mode or privileged EXEC mode) is the other. Enable mode is so named because of the command used to reach this mode, as shown in Figure 41; privileged mode earns its name because powerful, or privileged, commands can be executed there.
Figure
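The situation the text describes (lines that demand a password that was never set, and an enable mode with none) is easy to spot in a saved configuration. The following is an added example, not code from the training document or from Cisco: a small audit that walks the line sections of a running-config and reports every access path without a password. Both configurations are constructed for the example, the first reproducing the weak default state and the second the corrected form; the password values are placeholders.

```python
"""Audit a Cisco IOS configuration for CLI access paths that lack a password.

Added example; this is not code from the training document or from Cisco.
Parsing is line-based, matching the shape of 'show running-config' output:
a 'line ...' command opens a section and its indented sub-commands follow.
"""

# Constructed sample: 'login' is present on the aux and vty lines but no
# 'password' is, and there is no 'enable secret'. Only the console is usable.
WEAK_CONFIG = """\
hostname R1
!
line con 0
 password console-pw-placeholder
 login
!
line aux 0
 login
!
line vty 0 4
 login
 transport input telnet
!
end
"""

# Corrected form: every access path has a password and enable mode is protected
# by 'enable secret' (stored hashed) rather than 'enable password'.
HARDENED_CONFIG = """\
hostname R1
enable secret enable-pw-placeholder
!
line con 0
 password console-pw-placeholder
 login
!
line aux 0
 password aux-pw-placeholder
 login
!
line vty 0 4
 password vty-pw-placeholder
 login
 transport input telnet
!
end
"""

def parse_lines(config):
    """Return {'line con 0': ['password ...', 'login'], ...} for each 'line' section."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None          # '!' or an unindented command ends the section
    return sections

def audit(config):
    """Return a list of findings; an empty list means every access path is password-protected."""
    findings = []
    top_level = [l for l in config.splitlines() if not l.startswith(" ")]
    has_users = any(l.startswith("username ") for l in top_level)
    for name, cmds in parse_lines(config).items():
        has_login = "login" in cmds
        login_local = "login local" in cmds
        has_password = any(c.startswith("password ") for c in cmds)
        if has_login and not has_password:
            findings.append(f"{name}: 'login' without 'password' (sessions are refused until one is set)")
        elif login_local and not has_users:
            findings.append(f"{name}: 'login local' but no 'username' entries (nobody can log in)")
        elif not has_login and not login_local:
            findings.append(f"{name}: no 'login' (sessions are accepted without any password)")
    if not any(l.startswith("enable secret ") for l in top_level):
        if any(l.startswith("enable password ") for l in top_level):
            findings.append("'enable password' without 'enable secret' (stored reversibly, not hashed)")
        else:
            findings.append("no 'enable secret' (privileged EXEC mode has no password)")
    return findings
```

Running audit(WEAK_CONFIG) yields three findings (aux, vty 0 4, and the missing enable secret); audit(HARDENED_CONFIG) yields none. The check treats the console like any other line, so a console left without login is reported as well.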
When you type the ?, the IOS's CLI reacts immediately; that is, you don't need to press the Enter key or any other key. The router also redisplays what you typed before the ? to save you some keystrokes. If you press Enter immediately after the ?, the IOS tries to execute the command with only the parameters you have typed so far. The context in which help is requested is also important. For example, when ? is typed in user mode, the commands allowed only in privileged EXEC mode are not displayed. Also, help is available in configuration mode; only configuration commands are displayed in that mode of operation. Commands you use at the CLI are stored in a command history buffer that retains the last 10 commands you typed. You can change the history size with the terminal history size x command, where x is the number of commands for the CLI to recall; this can be set to a value between 0 and 256.
Commands typed in configuration mode update the active configuration file. Changes are moved into the active configuration file each time the user presses the Enter key and are acted upon immediately by the router. In configuration mode, context-setting commands are used before most configuration commands. These context-setting commands tell the router the topic about which you will type commands. More importantly, they tell the router what commands to list when you ask for help. After all, the whole reason for these contexts is to make online help more convenient and clear for you.
Chapter 6
Routing Protocol Basics
Internetworks use routing to get data from one network to another. In order to keep data on the best path to its destination, some sort of map of the routes available on the network is needed. The mapping of the networks that the data travels to is handled by a routing protocol. Local Area Networks (LANs) have an inherent performance limit, which is dependent upon size or complexity. Routers, and their routing protocols, can resolve some common bottlenecks and other conditions that degrade network efficiency. These limits include:
Network physical segment size
Number of hosts per segment
Redundancy
Amount of traffic
Dissimilar network topologies
Depending on the type of network, whether Ethernet, Token Ring, or other protocol, the network segment size is limited. A new segment must be created to support nodes located beyond the distance limit set by the segment size, usually measured in cabling distance or wireless limit. For instance, Ethernet segments using twisted-pair copper wiring are limited to a maximum physical distance from the node to the hub. When a new node is added beyond this limitation, and another segment is created, there must be some way of getting traffic from one segment to the other. This can be done by bridging or by routing, and more recently by switching. Bridging is the capability to connect two or more physical network segments such that the connection is transparent to the network. In bridging, broadcasts are sent to all nodes on the bridged segments, and all nodes are considered to be in the same logical network (subnet). Bridging occurs at the data link layer. Switching is a way to increase bandwidth (as well as limit the amount of traffic a node encounters) by providing a dedicated channel for each switched port. Switching occurs at the data link layer.
In contrast to either of these network traffic-guiding methods, routing connects multiple logical networks, such as Ethernet and Token Ring, into a single internetwork, with each separate logical network maintaining its logical network address. Routing occurs at the network layer, and includes the capability to separate the management of the segments on the internetwork. The number of hosts allowed on each segment is limited on a network topology. This limit varies, depending on the type of network topology used. For example, an Ethernet segment using twisted-pair wiring is limited to the number of hosts, or nodes. Once the maximum number of hosts has been reached, another segment must be created, and the traffic to that segment must be bridged or routed. Bridging can offer a single path for traffic between segments. However, when multiple transmission paths are needed, routing may be implemented to support those multiple paths. When redundancy is required for internetwork traffic, a routing protocol may be implemented with that option. Congestion is the point where the amount of traffic exceeds the network capacity. Congestion in a network can be debilitating to its use. Bridging, switching and routing can control the amount of traffic. Some routing protocols can handle flow control, so that if a router is congested, another router sending internetwork traffic to it can be notified by the routing protocol to slow down the rate at which data is being sent to the router. Routing protocols do this to ensure that minimal delay is encountered when routers become overloaded. Dissimilar network topologies, such as FDDI, X.25, and ATM, cannot always be bridged or switched, because the nature of the physical media or physical layer protocol prevents it. In order to transmit internetwork traffic, dissimilar networks must be routed.
Routing
Routing traffic is the process of getting a packet of data from the originating station to the destination station. This could be as simple as putting the packet on the network where the local destination station can receive the packet. It can also be as complex as sending the packet to a default gateway (a router), where the packet is compared to a routing table and then forwarded to the next router that can help the packet along its path. The next router then compares the packet to its routing table and forwards it to the next hop along its journey. This continues until the packet reaches a router directly attached to the network of the destination station. TCP/IP traffic is routed based on the network portion of the address. If the network node generating the packet is on the same network as the destination node, then the packet is simply placed on the network where the destination node will see it. If, however, the destination node is on a remote network, the source node must make a decision. In most cases, network nodes are attached to only one network. A desktop PC in an office, for instance, is usually connected to one network: the office network. In the case of a network node that is attached to only one network, there is usually a default gateway IP address defined in the routing table. This default gateway IP address is usually a router. When the network node generates an IP packet for a destination node that is on a remote network, the source node compares the network portion of the IP address to its own network. The two will not match, and thus the source node sends the packet to the default gateway IP address for forwarding. The default gateway can be a router attached to many networks, like a router connected to the Internet. After the packet is received at the default gateway, it is compared to the routing table to determine how to forward it. In some cases, the router itself may be attached to the destination network, in which case the packet is simply placed on the destination network for the destination node to receive.
Figure
However, if the router is not attached to the destination network, the routing table is searched for the destination network. If a match is found in the routing table, the packet is sent to the next hop defined by the table. If no match is found and there is no default gateway, the packet is dropped and a network unreachable message is sent to the originator of the packet. This chapter covers how the routing tables of a router are built and maintained. Routers use a routing protocol to exchange information about the networks to which they are directly connected. Routing exchanges also include information about routes they have learned from other routers. This allows each router to build a table of paths to each network in an internetworking system. Routing of packets across the internetwork is carried out by routers with the help of routing protocols and routed (routable) protocols.
Routing Protocol
Routing protocols actually help the routed protocols by providing multiple routes to the destination, each with its cost, so the routed protocol can choose the appropriate route to reach the destination. Examples: RIP, IGRP, OSPF, EIGRP. The functions provided by a routing protocol are:
1) To dynamically learn routes to all subnets in the network and fill the routing table with them.
2) To notice when routes in the table are no longer valid, and to remove those routes from the routing table.
3) To search neighboring routers for an alternative route to replace a discarded one, as well as for new routes to new subnets.
4) To prevent routing loops.
Mainly, a routing protocol is associated with routing table maintenance. Routing table methodology is subdivided into two parts: dynamic routing and static routing.
Static Routing
In the static routing methodology, the network administrator has to maintain the routing table manually. This is done by placing static routes in the router's configuration. A static route is a route statement that you place in the router's configuration. These routes tell the router where to forward traffic destined for a remote network. Static routes have specific uses within a network. Most organizations' Internet connections use a static route to the ISP. It would be useless for an organization with one connection to the Internet to maintain routing tables for the Internet using a routing protocol. Using a static route, first of all, prevents unnecessary route update traffic; secondly, using a static route to the default gateway, the router can be configured to send any traffic for which it doesn't specifically have a routing entry to the Internet. However, the biggest disadvantage of static routes is that they cannot adapt to a changing network. That means they do not change dynamically with changes in the network topology. Another disadvantage is that they cannot scale to larger and more complex networks, due to heavy administration overhead. Static routing is suitable only for a small network with a few routers in the internetwork. There is also a chance of the router being misconfigured.
Dynamic Routing
Dynamic routing is when the router uses some sort of routing protocol to learn about the network and creates the routing tables based on this information. There is no requirement for manual configuration of the router; everything is taken care of by the routing protocol. In a network using dynamic routing, when changes occur in the network, the changes are reflected in the routing table soon after. Thus administrative overhead is greatly reduced. With dynamic routing, the size of the network does not matter, and the network can scale up to any size. The disadvantage of dynamic routing is that you cannot utilize the full bandwidth, since part of the bandwidth is occupied by the regular route update traffic. For this reason it is not useful for a small network with a few routers.
Administrative Distances
When configuring routing protocols, you need to be aware of administrative distances (ADs). These are used to rate the trustworthiness of routing information received on a router from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most trusted and 255 means no traffic will be passed via this route. The following table shows the default administrative distances that a Cisco router will use to decide which route to use to a remote network.
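The two decisions described above, which source's route to install for a prefix (by administrative distance) and what to do with a packet once the table is built (longest match, default gateway, or drop with "network unreachable"), can be shown in one small routing table. The following is an added example, not code from the training document or from Cisco IOS. The administrative distances are the Cisco defaults (connected 0, static 1, EIGRP 90, IGRP 100, OSPF 110, RIP 120, and 255 for "never install"); the prefixes, next hops, interface names and metrics are constructed.

```python
"""Route installation by administrative distance, then forwarding by longest match.

Added example; not code from the training document or from Cisco IOS.
DEFAULT_AD holds the Cisco default administrative distances; every prefix,
next hop, interface name and metric below is constructed for illustration.
"""
import ipaddress

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100,
              "ospf": 110, "rip": 120, "unknown": 255}

class RoutingTable:
    def __init__(self):
        self.routes = {}   # ip_network -> {"source", "ad", "metric", "next_hop", "interface"}

    def install(self, network, source, metric, next_hop=None, interface=None):
        """Offer a route; it is installed only if its AD (then metric) beats the current entry."""
        ad = DEFAULT_AD.get(source, 255)
        if ad == 255:
            return False                                  # AD 255: the route is never trusted
        net = ipaddress.ip_network(network)
        cur = self.routes.get(net)
        if cur is None or ad < cur["ad"] or (ad == cur["ad"] and metric < cur["metric"]):
            self.routes[net] = {"source": source, "ad": ad, "metric": metric,
                                "next_hop": next_hop, "interface": interface}
            return True
        return False

    def lookup(self, dst):
        """Longest-prefix match; a 0.0.0.0/0 entry acts as the default gateway."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

def forward(table, dst):
    """What the router does with a packet for dst: ('direct', iface), ('forward', next_hop) or ('drop', why)."""
    route = table.lookup(dst)
    if route is None:
        return ("drop", "network unreachable")           # an ICMP unreachable goes back to the sender
    if route["source"] == "connected":
        return ("direct", route["interface"])             # destination is on an attached network
    return ("forward", route["next_hop"])

def build_sample_table():
    """Constructed router: one LAN, a remote subnet heard from RIP and OSPF, a static default to the ISP."""
    t = RoutingTable()
    t.install("172.16.10.0/24", "connected", 0, interface="Ethernet0")
    t.install("172.16.20.0/24", "rip", 2, next_hop="172.16.10.2")
    t.install("172.16.20.0/24", "ospf", 74, next_hop="172.16.10.3")    # AD 110 < 120: replaces the RIP route
    t.install("172.16.20.0/24", "unknown", 1, next_hop="172.16.10.9")  # AD 255: ignored despite metric 1
    t.install("0.0.0.0/0", "static", 0, next_hop="203.0.113.1")        # default route toward the ISP
    return t
```

With the sample table, a packet for 172.16.20.5 is forwarded to the OSPF next hop even though RIP offered a smaller metric, because AD is compared before metric; a packet for an address that matches nothing but the default goes to the ISP; and the same packet on a table without a default route is dropped as unreachable.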
Distance vector
The distance-vector routing protocols use a distance to a remote network to find the best path. Each time a packet goes through a router, it's called a hop. The route with the least number of hops to the network is determined to be the best route. The vector is the determination of direction to the remote network. Examples of distance-vector routing protocols are RIP and IGRP.
Link state
Typically called shortest path first, the routers each create three separate tables. One of these tables keeps track of directly attached neighbors, one determines the topology of the entire internetwork, and one is used for the routing table. Link-state routers know more about the internetwork than any distance-vector routing protocol. An example of an IP routing protocol that is completely link state is OSPF.
Hybrid
Uses aspects of distance vector and link state, for example, EIGRP.
RIP uses only hop count to determine the best path to an internetwork. If RIP finds more than one link to the same remote network with the same hop count, it will automatically perform a round-robin load balance. RIP can perform load balancing for up to six equal-cost links. However, a problem with this type of routing metric arises when the two links to a remote network are different bandwidths but the same hop count. Figure below, for example, shows two links to remote network 172.16.50.0.
Since network 172.16.30.0 is a T1 link with a bandwidth of 1.544Mbps, and network 172.16.20.0 is a 56K link, you would want the router to choose the T1 over the 56K link. However, since hop count is the only metric used with RIP routing, they would both be seen as equal-cost links. This is called pinhole congestion. It is important to understand what a distance-vector routing protocol does when it starts up. In Figure 6-3, the four routers start off with only their directly connected networks in the routing table. After a distance-vector routing protocol is started on each router, the routing tables are updated with all route information gathered from neighbor routers.
Figure
As shown in the figure, each router has only the directly connected networks in its routing table. Each router sends its complete routing table out to each active interface on the router. The routing table of each router includes the network number, exit interface, and hop count to the network. In the figure that follows, the routing tables are complete because they include information about all the networks in the internetwork. They are considered converged. When the routers are converging, no data is passed. That's why fast convergence time is a plus. One of the problems with RIP, in fact, is its slow convergence time.
Figure
The routing tables in each router keep information regarding the network number, the interface to which the router will send packets out to get to the remote network, and the hop count or metric to the remote network.
Routing Loops
Distance-vector routing protocols keep track of any changes to the internetwork by broadcasting periodic routing updates to all active interfaces. This broadcast includes the complete routing table. This works fine, although it takes up CPU processing and link bandwidth. However, if a network outage happens, problems can occur. The slow convergence of distance-vector routing protocols can cause inconsistent routing tables and routing loops. Routing loops can occur because every router is not updated at close to the same time. Let's say that the interface to Network 5 in the figure below fails. All routers know about Network 5 from Router E. Router A, in its tables, has a path to Network 5 through Routers B, C, and E. When Network 5 fails, Router E tells Router C. This causes Router C to stop routing to Network 5 through Router E. But Routers A, B, and D don't know about Network 5 yet, so they keep sending out update information. Router C will eventually send out its update and cause B to stop routing to Network 5, but Routers A and D are still not updated. To them, it appears that Network 5 is still available through Router B with a metric of three.
Figure
Router A sends out its regular 30-second "Hello, I'm still here; these are the links I know about" message, which includes reachability for Network 5. Routers B and D then receive the wonderful news that Network 5 can be reached from Router A, so they send out the information that Network 5 is available. Any packet destined for Network 5 will go to Router A, to Router B, and then back to Router A. This is a routing loop; how do you stop it?
The routing loop problem just described is called counting to infinity, and it's caused by gossip and wrong information being communicated and propagated throughout the internetwork. Without some form of intervention, the hop count increases indefinitely each time a packet passes through a router. One way of solving this problem is to define a maximum hop count. Distance vector (RIP) permits a hop count of up to 15, so anything that requires 16 hops is deemed unreachable. In other words, after a loop of 15 hops, Network 5 will be considered down. This means that counting to infinity will keep packets from going around the loop forever. Though this is a workable solution, it won't remove the routing loop itself. Packets will still go into the loop, but instead of traveling on unchecked, they'll whirl around for 16 bounces and die.
Split Horizon
Another solution to the routing loop problem is called split horizon. This reduces incorrect routing information and routing overhead in a distance-vector network by enforcing the rule that information cannot be sent back in the direction from which it was received. It would have prevented Router A from sending the updated information it received from Router B back to Router B.
Route Poisoning
Another way to avoid problems caused by inconsistent updates is route poisoning. For example, when Network 5 goes down, Router E initiates route poisoning by entering a table entry for Network 5 as 16, or unreachable (sometimes referred to as infinite). By this poisoning of the route to Network 5, Router C is not susceptible to incorrect updates about the route to Network 5. When Router C receives a route poisoning from Router E, it sends an update, called a poison reverse, back to Router E. This makes sure all routes on the segment have received the poisoned route information. Route poisoning, used with holddowns (discussed next), will speed up convergence time because neighboring routers don't have to wait 30 seconds (an eternity in computer land) before advertising the poisoned route.
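The counting-to-infinity loop, the maximum hop count of 16, route poisoning and the split-horizon rule from the preceding sections can all be watched in a tiny simulation. The following is an added example, not code from the training document: three routers A, B and C are constructed in a chain with "Network 5" attached to C; hop count is the metric and 16 means unreachable. Updates are modelled as synchronous rounds (every router sends its table to each neighbor, then every router rebuilds its table from its connected networks plus what it just received), which is an assumption made to keep the run deterministic; real RIP timers are not modelled. When C's interface to Network 5 fails, C poisons the route (metric 16) and the simulation counts how many update rounds pass before every table stops changing, with and without split horizon.

```python
"""Distance-vector routing loop (counting to infinity) and the split-horizon fix.

Added example; not code from the training document. The A-B-C topology,
the network names and the synchronous-round update model are constructed.
"""
INFINITY = 16   # RIP: 16 hops means unreachable

class Router:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = []
        # network -> (hop count, next hop); next hop None = directly connected
        self.table = {net: (0, None) for net in connected}

def build_update(router, to, split_horizon):
    """The table router sends to neighbor `to`; split horizon omits routes learned from `to`."""
    return {net: metric for net, (metric, nh) in router.table.items()
            if not (split_horizon and nh == to)}

def exchange_round(routers, split_horizon):
    """One update round for every router; returns True if any table changed."""
    inbox = {r.name: [] for r in routers}
    for r in routers:
        for nb in r.neighbors:
            inbox[nb].append((r.name, build_update(r, nb, split_horizon)))
    changed = False
    for r in routers:
        # connected (and poisoned-connected) entries survive; everything else is relearned
        new = {net: entry for net, entry in r.table.items() if entry[1] is None}
        for sender, update in inbox[r.name]:
            for net, metric in update.items():
                cand = min(metric + 1, INFINITY)        # one more hop, capped at "unreachable"
                if net not in new or cand < new[net][0]:
                    new[net] = (cand, sender)
        if new != r.table:
            r.table, changed = new, True
    return changed

def run_until_stable(routers, split_horizon, limit=50):
    """Number of rounds in which some table changed before the network converged."""
    rounds = 0
    while rounds < limit and exchange_round(routers, split_horizon):
        rounds += 1
    return rounds

def simulate(split_horizon):
    """Converge, fail Network 5 on C (route poisoning), reconverge; return rounds and final metrics."""
    a = Router("A", ["N1"])
    b = Router("B", ["N1", "N2"])
    c = Router("C", ["N2", "Net5"])
    a.neighbors, b.neighbors, c.neighbors = ["B"], ["A", "C"], ["B"]
    routers = [a, b, c]
    run_until_stable(routers, split_horizon)         # initial convergence: A learns Net5 at 2 hops
    c.table["Net5"] = (INFINITY, None)               # interface to Net5 fails: C poisons the route
    rounds = run_until_stable(routers, split_horizon)
    return rounds, {r.name: r.table["Net5"][0] for r in routers}
```

Without split horizon, A keeps advertising the stale Network 5 route back to B, B (and even C) re-learn it with a higher hop count, and the metric climbs two hops every other round until all three tables hit 16: the count to infinity takes 15 rounds. With split horizon, A never sends the route back toward B, so B takes C's poisoned entry immediately and A follows one round later: two rounds, and no packet ever bounces between A and B.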
Holddowns
And then there are holddowns. These prevent regular update messages from reinstating a route that has gone down. Holddowns also help prevent routes from changing too rapidly by allowing time for either the downed route to come back or the network to stabilize somewhat before changing to the next best route. These also tell routers to restrict, for a specific time period, any changes that might affect recently removed routes. This prevents inoperative routes from being prematurely restored to other routers' tables. When a router receives an update from a neighbor indicating that a previously accessible network is not working and is inaccessible, the holddown timer will start. If a new update arrives from a neighbor with a better metric than the original network entry, the holddown is removed and data is passed. However, if an update is received from a neighbor router before the holddown timer expires and it has a lower metric than the previous route, the update is ignored and the holddown timer keeps ticking. This allows more time for the network to converge. Holddowns use triggered updates, which reset the holddown timer, to alert the neighbor routers of a change in the network. Unlike update messages from neighbor routers, triggered updates create a new routing table that is sent immediately to neighbor routers because a change was detected in the internetwork.
There are three instances when triggered updates will reset the holddown timer:
1. The holddown timer expires.
2. The router receives a processing task proportional to the number of links in the internetwork.
3. Another update is received indicating the network status has changed.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change. These updates are sent independently of the regularly scheduled updates that RIP routers send.
RIP Timers
RIP uses three different kinds of timers to regulate its performance:
RIP Version 2
RIP Version 2, defined by RFC 1723, is simply an improved version of RIP Version 1. Many features are the same: hop count is still used for the metric, it is still a distance vector protocol, and it still uses holddown timers and route poisoning. Several features have been added, as listed in the following table.
Although all features of RIP-2 are important, certainly the one that allows RIP to continue to be a valid option in modern networks is the support of VLSM by including the subnet mask. The problems that the lack of this feature causes with RIP-1 and IGRP are removed with RIP-2. The updates sent by a RIP-2-enabled router go to multicast IP address 224.0.0.9, as opposed to a broadcast address; this allows devices that are not using RIP-2 to ignore the updates and not waste processing cycles.
Migration from RIP-1 to RIP-2 requires some planning. RIP-1 sends updates to the broadcast address, whereas RIP-2 uses a multicast. A RIP-1-only router and a RIP-2-only router will not succeed in exchanging routing information. To migrate to RIP-2, one option is to migrate all routers at the same time. This might not be a reasonable political or administrative option, however. If not, then some coexistence between RIP-1 and RIP-2 is required. The ip rip send version command can be used to overcome the problem. Essentially, the configuration tells the router whether to send RIP-1 style updates, RIP-2 style updates, or both for each interface.
Summary
Despite RIP's age and the emergence of more sophisticated routing protocols, it is far from obsolete. RIP is mature, stable, widely supported, and easy to configure. Its simplicity is well suited for use in stub networks and in small autonomous systems that do not have enough redundant paths to warrant the overheads of a more sophisticated protocol.
IGRP Timers
To control performance, IGRP includes the following timers with default settings:
Update timers
These specify how frequently routing-update messages should be sent. The default is 90 seconds.
Invalid timers
These specify how long a router should wait before declaring a route invalid if it doesn't receive a specific update about it. The default is three times the update period.
Holddown timers
These specify the holddown period. The default is three times the update timer period plus 10 seconds.
Flush timers
These indicate how much time should pass before a route should be flushed from the routing table. The default is seven times the routing update period.
The metric with IGRP is more robust than RIP's metric. The metric is calculated using the bandwidth and delay settings on the interface on which the update was received. By using bandwidth and delay, the metric is more meaningful; longer-hop routes over faster links can be considered better routes. The metric used by IP RIP is hop count. When an update is received, the metric for each subnet in the update signifies the number of routers between the router receiving the update and each subnet. Before sending an update, the router increments its metric for routes to each subnet by 1. In other words, a routing update includes metric values that tell the receiving router what its metrics should be. Finally, the issue of whether the mask is sent is particularly important if VLSMs in the same network are desired. This topic is discussed in the upcoming section Configuration of RIP and IGRP.
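The difference between RIP's hop count and IGRP's bandwidth-and-delay metric, and the pinhole-congestion case from the RIP section (a T1 and a 56K link to 172.16.50.0 with the same hop count), can be put side by side numerically. The following is an added example, not code from the training document or from Cisco IOS. It applies the IGRP composite-metric formula with the default K-values (K1 = K3 = 1, K2 = K4 = K5 = 0), under which the metric reduces to 10^7 / min_bandwidth_kbps + sum_delay_usec / 10; the two candidate paths and their bandwidth and delay figures are constructed, and the timer helper simply derives the IGRP defaults the text lists from the update period.

```python
"""Hop count versus the IGRP composite metric (the pinhole-congestion case).

Added example; not code from the training document or from Cisco IOS.
The paths, bandwidths and delays below are constructed for illustration.
"""

def igrp_metric(links, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """links: [(bandwidth_kbps, delay_usec), ...] along the path. Returns the IGRP metric."""
    bw_term = 10_000_000 // min(bw for bw, _ in links)      # the slowest link dominates
    delay_term = sum(delay for _, delay in links) // 10     # delays add up, in tens of usec
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:                                             # reliability only counts when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric

def hop_count(links):
    """RIP's metric: one per router crossed, regardless of link speed."""
    return len(links)

def best_path(paths, metric_fn):
    """paths: {name: links}. Returns (name, metric) of the lowest-metric path."""
    metric, name = min((metric_fn(links), name) for name, links in paths.items())
    return name, metric

def equal_cost_paths(paths, metric_fn):
    """Paths sharing the lowest metric; RIP round-robins traffic over these (up to six)."""
    metrics = {name: metric_fn(links) for name, links in paths.items()}
    lowest = min(metrics.values())
    return sorted(name for name, m in metrics.items() if m == lowest)

def igrp_timers(update_period=90):
    """IGRP timer defaults derived from the update period, as the text states them."""
    return {"update": update_period, "invalid": 3 * update_period,
            "holddown": 3 * update_period + 10, "flush": 7 * update_period}

# Constructed: the figure's case, one T1 link and one 56K link, each a single hop.
SAME_HOP_PATHS = {
    "via 172.16.30.0 (T1)":  [(1544, 20000)],
    "via 172.16.20.0 (56K)": [(56, 20000)],
}
# Constructed: a two-hop path over T1 links versus a one-hop path over 56K.
MIXED_HOP_PATHS = {
    "two hops over T1": [(1544, 20000), (1544, 20000)],
    "one hop over 56K": [(56, 20000)],
}
```

For the same-hop case, hop count reports both links as equal cost (so RIP would load-balance half the traffic onto the 56K link), while the IGRP metric is 8476 for the T1 and 180571 for the 56K link. For the mixed case, hop count prefers the single 56K hop, whereas IGRP prefers the two T1 hops (10476 against 180571), which is what "longer-hop routes over faster links can be considered better routes" means in numbers.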
Although recomputation is not processor-intensive, it does affect convergence time, so it is advantageous to avoid unnecessary recomputations. Protocol-dependent modules are responsible for network-layer protocol-specific requirements. The IP-Enhanced IGRP module, for example, is responsible for sending and receiving Enhanced IGRP packets that are encapsulated in IP. Likewise, IP-Enhanced IGRP is also responsible for parsing Enhanced IGRP packets and informing DUAL of the new information that has been received. IP-Enhanced IGRP asks DUAL to make routing decisions, the results of which are stored in the IP routing table. IP-Enhanced IGRP is responsible for redistributing routes learned by other IP routing protocols.
Routing Concepts
Enhanced IGRP relies on four fundamental concepts: neighbor tables, topology tables, route states, and route tagging. Each of these is summarized in the discussions that follow.
Neighbor Tables
When a router discovers a new neighbor, it records the neighbor's address and interface as an entry in the neighbor table. One neighbor table exists for each protocol-dependent module. When a neighbor sends a hello packet, it advertises a hold time, which is the amount of time a router treats a neighbor as reachable and operational. If a hello packet is not received within the hold time, the hold time expires and DUAL is informed of the topology change. The neighbor-table entry also includes information required by RTP. Sequence numbers are employed to match acknowledgments with data packets, and the last sequence number received from the neighbor is recorded so that out-of-order packets can be detected. A transmission list is used to queue packets for possible retransmission on a per-neighbor basis. Round-trip timers are kept in the neighbor-table entry to estimate an optimal retransmission interval.
Topology Tables
The topology table contains all destinations advertised by neighboring routers. The protocol-dependent modules populate the table, and the DUAL finite-state machine acts on the table. Each entry in the topology table includes the destination address and a list of neighbors that have advertised the destination. For each neighbor, the entry records the advertised metric, which the neighbor stores in its routing table. An important rule that distance vector protocols must follow is that if the neighbor advertises this destination, it must use the route to forward packets. The metric that the router uses to reach the destination is also associated with the destination. The metric that the router uses in the routing table, and to advertise to other routers, is the sum of the best advertised metric from all neighbors, plus the link cost to the best neighbor.
Route States
A topology-table entry for a destination can exist in one of two states: active or passive. A destination is in the passive state when the router is not performing a recomputation, or in the active state when the router is performing a recomputation. If feasible successors are always available, a destination never has to go into the active state, thereby avoiding a recomputation. A recomputation occurs when a destination has no feasible successors. The router initiates the recomputation by sending a query packet to each of its neighboring routers. The neighboring router can send a reply packet, indicating it has a feasible successor for the destination, or it can send a query packet, indicating that it is participating in the recomputation. While a destination is in the active state, a router cannot change the destination's routing-table information. After the router has received a reply from each neighboring router, the topology-table entry for the destination returns to the passive state, and the router can select a successor.
Command                                      Configuration Mode
router rip                                   Global
router igrp process-id                       Global
router ospf process-id                       Global
router eigrp process-id                      Global
network ip-address                           Router subcommand
passive-interface ip-address-of-interface    Router subcommand
maximum-paths x                              Router subcommand
variance multiplier                          Router subcommand
traffic-share {balanced | min}               Router subcommand
Each network command enables RIP or IGRP on a set of interfaces. The network command causes implementation of the following three functions:
- Routing updates are broadcast or multicast out an interface.
- Routing updates are processed if they enter that same interface.
- The subnet directly connected to that interface is advertised.
The network command matches some of the interfaces on a router. The interfaces matched by the network command have the three functions previously mentioned performed on them. The passive-interface command can be used to cause the router to listen for RIP/IGRP and advertise about the connected subnet, but not to send RIP/IGRP updates on the interface.
By default, the IOS supports four equal-cost routes to the same IP subnet in the routing table at the same time. This number can be changed to between 1 and 6 using the ip maximum-paths x router configuration subcommand, where x is the maximum number of routes to any subnet. As mentioned earlier, the packets are balanced on a per-destination address basis by default; packets also can be balanced on a packet-by-packet basis, but at a performance penalty.
The metric formula used for IGRP (and EIGRP) poses an interesting problem when considering equal-metric routes. IGRP can learn more than one route to the same subnet, with different metrics; however, the metrics are very likely to never be exactly equal. The variance router subcommand is used to define how variable the metrics can be for routes to be considered to have equal metrics. The parameter to the command (the multiplier) is multiplied by the lowest of the received metrics for a particular subnet. Any routes with a metric less than the product of the best metric times the multiplier are considered to be equal. Some rather interesting twists in logic must be considered when deciding whether to use one or multiple equal-cost routes with IGRP.
If maximum-paths is set to 1, then the first of these equal-cost routes learned to each subnet is placed into the routing table. However, these could be the routes with the largest metric. To avoid that, maximum-paths could be defaulted to 4 or could be coded as some other number; in addition, the variance command can be used to define how close the metrics must be in value to be considered equal. However, in that case, some of the traffic will flow over the routes with the best metric, and some will flow over the route with the worst metric. Neither situation seems to be optimal. A different, and possibly better, alternative is to use the traffic-share min router IGRP subcommand in conjunction with maximum-paths and variance. This command tells the router to add the multiple routes to the routing table, but to send traffic only using the route with the smallest metric. This allows all routes to each subnet to be in the routing table, which is an advantage for faster convergence. However, all traffic goes across the lowest-metric route that is currently in the routing table. The traffic-share balanced command, which is the default, tells the router to use all the routes proportionally based on the metrics for each route.
Load-balancing is a concept that allows a router to take advantage of multiple best paths to a given destination. The paths are derived either statically or with dynamic protocols, such as RIP, EIGRP, OSPF, and IGRP. When a router learns multiple routes to a specific network via multiple routing processes (or routing protocols), it installs the route with the lowest administrative distance in the routing table. Sometimes the router must select a route from among many learned via the same routing process with the same administrative distance. In this case, the router chooses the path with the lowest cost (or metric) to the destination. Each routing process calculates its cost differently, and the costs may need to be manipulated in order to achieve load-balancing. If the router receives and installs multiple paths with the same administrative distance and cost to a destination, load-balancing can occur.
The IGRP and EIGRP routing processes also support unequal-cost load-balancing. You can use the variance command with IGRP and EIGRP to accomplish unequal-cost load-balancing. Every routing protocol supports equal-cost path load balancing. IGRP and EIGRP also support unequal-cost path load balancing, which is known as variance. The variance command (syntax: variance <n>) instructs the router to include routes with a metric less than or equal to n times the minimum metric route for that destination, where n is the number specified by the variance command. Traffic is also distributed among the links with respect to the metric. Note: if a path isn't a feasible successor, then it isn't used in load balancing.
Let's look at an example. In the figure below, there are three ways to get to Network X:
- E-B-A with a metric of 30
- E-C-A with a metric of 20
- E-D-A with a metric of 45
Router E chooses the second path above, E-C-A with a metric of 20, because 20 is better than 30 and 45. To instruct EIGRP to select the path E-B-A as well, configure variance with a multiplier of 2:
router eigrp 1
 network x.x.x.x
 variance 2
This increases the minimum metric to 40 (2 * 20 = 40). EIGRP includes all the routes that have a metric less than or equal to 40, and are feasible successors. In the above configuration, EIGRP now uses two paths to get to Network X, E-C-A and E-B-A, because both paths have a metric under 40. EIGRP doesn't use path E-D-A because it has a metric of 45, and it's not a feasible successor. Also, the reported distance of neighbor D is 25, which is greater than the feasible distance (20). Let's look at the traffic share count for this example:
Since the ratio is not an integer, we round down to the nearest integer. In this example EIGRP sends one packet to E-C-A and one packet to E-B-A. Now let's assume the metric between E-B is 25 and B-A is 15. The E-B-A metric would be 40 and the traffic share count ratio would be:
In this situation EIGRP sends two packets to E-C-A and one packet to E-B-A. In this way, EIGRP not only provides unequal cost path load balancing, but also intelligent load balancing.
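The selection and traffic-share arithmetic described above, worked through in Python as an added example (this is not code from the training document or from any router vendor). The figure with the per-link metrics is not reproduced on the page, so the individual link costs and reported distances below are constructed so that the path totals (20, 30 and 45, and 40 in the second scenario) and neighbor D's reported distance of 25 match the text:

```python
# Added example: EIGRP unequal-cost path selection with variance, and the
# resulting traffic share counts. Per-link values are constructed assumptions
# chosen so that the path totals match the text (E-C-A 20, E-B-A 30/40, E-D-A 45).
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    neighbor: str
    link_cost: int           # metric of the link from Router E to the neighbor
    reported_distance: int   # the neighbor's own metric to Network X

    @property
    def metric(self) -> int:
        return self.link_cost + self.reported_distance


def select_paths(paths, variance):
    """Return (feasible_distance, paths EIGRP installs for the destination).

    A path is installed when its total metric is <= variance * best metric
    AND it is a feasible successor, i.e. the neighbor's reported distance is
    strictly below the feasible distance (the best metric). The successor
    itself always qualifies.
    """
    feasible_distance = min(p.metric for p in paths)
    limit = variance * feasible_distance
    chosen = [
        p for p in paths
        if p.metric == feasible_distance
        or (p.reported_distance < feasible_distance and p.metric <= limit)
    ]
    return feasible_distance, chosen


def traffic_share(chosen):
    """Traffic share count per installed path: the largest installed metric
    divided by each path's metric, rounded down (the 'balanced' behaviour)."""
    worst = max(p.metric for p in chosen)
    return {p.name: worst // p.metric for p in chosen}


# First scenario: E-B-A = 30, E-C-A = 20, E-D-A = 45 (D's reported distance 25).
PATHS_FIRST = [
    Path("E-B-A", "B", link_cost=20, reported_distance=10),
    Path("E-C-A", "C", link_cost=10, reported_distance=10),
    Path("E-D-A", "D", link_cost=20, reported_distance=25),
]

# Second scenario from the text: E-B = 25, B-A = 15, so E-B-A totals 40.
PATHS_SECOND = [
    Path("E-B-A", "B", link_cost=25, reported_distance=15),
    Path("E-C-A", "C", link_cost=10, reported_distance=10),
    Path("E-D-A", "D", link_cost=20, reported_distance=25),
]


def demo(paths, variance=2):
    """Feasible distance, sorted names of installed paths, and share counts."""
    fd, chosen = select_paths(paths, variance)
    return fd, sorted(p.name for p in chosen), traffic_share(chosen)


if __name__ == "__main__":
    for label, paths in (("first", PATHS_FIRST), ("second", PATHS_SECOND)):
        fd, names, share = demo(paths)
        print(f"{label}: FD={fd} installed={names} share={share}")
```

With variance 2 the first scenario installs E-C-A and E-B-A with a 1:1 share, the second keeps both but shares 2:1 in favour of E-C-A, and E-D-A is excluded in both because its reported distance (25) is not below the feasible distance (20).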
Prerequisites
Before you can enable Enhanced IGRP route authentication, you must enable IP Enhanced IGRP.
Configuration Tasks
To enable authentication of IP Enhanced IGRP packets, perform the following tasks beginning in interface configuration mode:
Step 1. Enable MD5 authentication in IP Enhanced IGRP packets.
    ip authentication mode eigrp autonomous-system md5
Step 2. Enable authentication of IP Enhanced IGRP packets.
    ip authentication key-chain eigrp autonomous-system key-chain
Step 3. Exit to global configuration mode.
    exit
Step 4. Identify a key chain (match the name configured in Step 1).
    key chain name-of-chain
Step 5. In key chain configuration mode, identify the key number.
    key number
Step 6. In key chain key configuration mode, identify the key string.
    key-string text
Step 7. Optionally specify the time period during which the key can be received.
    accept-lifetime start-time {infinite | end-time | duration seconds}
Step 8. Optionally specify the time period during which the key can be sent.
    send-lifetime start-time {infinite | end-time | duration seconds}
Each key has its own key identifier (specified with the key number command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use. You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.
Configuration Example
The following example enables MD5 authentication on IP Enhanced IGRP packets in autonomous system 1. The figure below shows the scenario.
Router A:
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 holly
key chain holly
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 04:48:00 Dec 4 1996
  exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite

Router B:
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 mikel
key chain mikel
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 infinite
  exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite
Router A will accept and attempt to verify the MD5 digest of any Enhanced IGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all Enhanced IGRP packets with key 2. Router B will accept key 1 or key 2, and will send key 1. In this scenario, MD5 will authenticate.
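The key selection rules stated above (every key whose accept-lifetime is current is verified; the lowest-numbered key whose send-lifetime is current is used to send) can be modelled to check what a key chain will do at a given moment before it is deployed. The following is an added example, not code from the training document or from any router vendor: it reproduces Router A's chain holly and Router B's chain mikel from the configuration above and only models the lifetime logic, not the EIGRP packet format or the digest itself.

```python
# Added example: model of key-chain lifetime handling for EIGRP MD5
# authentication. Reproduces chains 'holly' (Router A) and 'mikel' (Router B).
from datetime import datetime


def ios_time(text):
    """Parse an IOS lifetime timestamp such as '04:00:00 Dec 4 1996'."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def window(start, end="infinite"):
    """Lifetime window; 'infinite' on either side means unbounded."""
    s = datetime.min if start == "infinite" else ios_time(start)
    e = datetime.max if end == "infinite" else ios_time(end)
    return (s, e)


class KeyChain:
    def __init__(self, name):
        self.name = name
        self.keys = {}  # key number -> (key-string, accept window, send window)

    def key(self, number, key_string, accept, send):
        self.keys[number] = (key_string, accept, send)
        return self

    @staticmethod
    def _current(win, now):
        start, end = win
        return start <= now <= end

    def accepted_keys(self, now):
        """Key numbers whose accept-lifetime covers 'now'; a received packet
        carrying any of these key ids is verified, all others are dropped."""
        return sorted(n for n, (_, acc, _) in self.keys.items() if self._current(acc, now))

    def accepts(self, key_number, now):
        return key_number in self.accepted_keys(now)

    def send_key(self, now):
        """Lowest-numbered key whose send-lifetime covers 'now' (None if no key
        is valid, i.e. nothing can be sent authenticated)."""
        for n in sorted(self.keys):
            if self._current(self.keys[n][2], now):
                return n
        return None


# Router A's chain, as configured above: key 1 stops being sent at 04:48,
# key 2 starts being sent at 04:45, both accepted forever.
holly = (KeyChain("holly")
         .key(1, "0987654321", window("infinite"),
              window("04:00:00 Dec 4 1996", "04:48:00 Dec 4 1996"))
         .key(2, "1234567890", window("infinite"),
              window("04:45:00 Dec 4 1996", "infinite")))

# Router B's chain: both keys sent from their start time onwards, so key 1,
# the lowest valid number, is the one actually sent.
mikel = (KeyChain("mikel")
         .key(1, "0987654321", window("infinite"),
              window("04:00:00 Dec 4 1996", "infinite"))
         .key(2, "1234567890", window("infinite"),
              window("04:45:00 Dec 4 1996", "infinite")))


if __name__ == "__main__":
    for stamp in ("03:00:00 Dec 4 1996", "04:46:00 Dec 4 1996", "05:00:00 Dec 4 1996"):
        now = ios_time(stamp)
        print(stamp, "A sends", holly.send_key(now), "B sends", mikel.send_key(now),
              "A accepts", holly.accepted_keys(now))
```

Running it shows the three phases the text implies: before 04:00 neither router has a valid send key; between 04:45 and 04:48 Router A still sends key 1 because it is the lowest valid key; from 04:48 Router A sends key 2 while Router B keeps sending key 1, and both accept either key.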
Command                          Function
                                 Shows the entire routing table, or one entry if a subnet is entered
show ip protocol                 Shows routing protocol parameters and current timer values
debug ip rip                     Issues log messages for each RIP update
debug ip igrp transactions       Issues log messages with details of the IGRP updates
debug ip igrp events             Issues log messages for each IGRP packet
show ip ospf neighbor detail     Shows neighboring router IP details
show ip ospf database            Shows the topological database generated by OSPF
debug ip ospf events             Issues log messages for each OSPF packet
show ip eigrp neighbors          Shows neighboring router IP details
show ip eigrp                    Shows the topological database generated by
Routing Hierarchy
Unlike RIP, OSPF can operate within a hierarchy. The largest entity within the hierarchy is the autonomous system (AS), which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs.
An AS can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas. These routers, which are called area border routers, maintain separate topological databases for each area. A topological database is essentially an overall picture of networks in relationship to routers. The topological database contains the collection of LSAs received from all routers in the same area. Because routers within the same area share the same information, they have identical topological databases. The term domain sometimes is used to describe a portion of the network in which all routers have identical topological databases. Domain is frequently used interchangeably with AS.
An area's topology is invisible to entities outside the area. By keeping area topologies separate, OSPF passes less routing traffic than it would if the AS were not partitioned. Area partitioning creates two different types of OSPF routing, depending on whether the source and destination are in the same or different areas. Intra-area routing occurs when the source and destination are in the same area; inter-area routing occurs when they are in different areas. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers.
Figure 6-6
In figure 6-6, Routers 4, 5, 6, 10, 11, and 12 make up the backbone. If Host H1 in Area 3 wants to send a packet to Host H2 in Area 2, the packet is sent to Router 13, which forwards the packet to Router 12, which sends the packet to Router 11. Router 11 then forwards the packet along the backbone to area border Router 10, which sends the packet through two intra-area routers (Router 9 and Router 7) to be forwarded to Host H2. The backbone itself is an OSPF area, so all backbone routers use the same procedures and algorithms to maintain routing information within the backbone that any area router would. The backbone topology is invisible to all intra-area routers, as are individual area topologies to the backbone.
Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links. AS border routers running OSPF learn about exterior routes through exterior gateway protocols (EGPs), such as Exterior Gateway Protocol (EGP) or Border Gateway Protocol (BGP), or through configuration information.
The OSPF protocol is based on link-state technology, which is a departure from the Bellman-Ford vector-based algorithms used in traditional Internet routing protocols such as RIP. OSPF has introduced new concepts such as authentication of routing updates, Variable Length Subnet Masks (VLSM), route summarization, etc.
In the following chapters we will discuss the OSPF terminology, the algorithm, and the pros and cons of the protocol in designing the large and complicated networks of today.
OSPF versus RIP
The rapid growth and expansion of today's networks has pushed RIP to its limits. RIP has certain limitations that could cause problems in large networks:
- RIP has a limit of 15 hops. A RIP network that spans more than 15 hops (15 routers) is considered unreachable.
- RIP cannot handle Variable Length Subnet Masks (VLSM). Given the shortage of IP addresses and the flexibility VLSM gives in the efficient assignment of IP addresses, this is considered a major flaw.
- Periodic broadcasts of the full routing table will consume a large amount of bandwidth. This is a major problem with large networks, especially on slow links and WAN clouds.
- RIP converges slower than OSPF. In large networks convergence gets to be in the order of minutes. RIP routers will go through a period of hold-down and garbage collection and will slowly time out information that has not been received recently. This is inappropriate in large environments and could cause routing inconsistencies.
- RIP has no concept of network delays and link costs. Routing decisions are based on hop counts. The path with the lowest hop count to the destination is always preferred even if the longer path has a better aggregate link bandwidth and lower delays.
- RIP networks are flat networks. There is no concept of areas or boundaries. With the introduction of classless routing and the intelligent use of aggregation and summarization, RIP networks seem to have fallen behind.
Some enhancements were introduced in a new version of RIP called RIP2. RIP2 addresses the issues of VLSM, authentication, and multicast routing updates. RIP2 is not a big improvement over RIP (now called RIP 1) because it still has the limitations of hop counts and slow convergence, which are essential in today's large networks.
OSPF, on the other hand, addresses most of the issues presented above:
- With OSPF, there is no limitation on the hop count.
- The intelligent use of VLSM is very useful in IP address allocation.
- OSPF uses IP multicast to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. Also, updates are only sent in case routing changes occur instead of periodically. This ensures a better use of bandwidth.
- OSPF has better convergence than RIP. This is because routing changes are propagated instantaneously and not periodically.
- OSPF allows for better load balancing.
- OSPF allows for a logical definition of networks where routers can be divided into areas. This will limit the explosion of link-state updates over the whole network. This also provides a mechanism for aggregating routes and cutting down on the unnecessary propagation of subnet information.
- OSPF allows for routing authentication by using different methods of password authentication.
This of course would lead to more complexity in configuring and troubleshooting OSPF networks. Administrators that are used to the simplicity of RIP will be challenged with the amount of new information they have to learn in order to keep up with OSPF networks. Also, this will introduce more overhead in memory allocation and CPU utilization. Some of the routers running RIP might have to be upgraded in order to handle the overhead caused by OSPF.
Link-State Algorithm
OSPF uses a link-state algorithm in order to build and calculate the shortest path to all known destinations. The algorithm by itself is quite complicated. The following is a very high level, simplified way of looking at the various steps of the algorithm:
1. Upon initialization or due to any change in routing information, a router will generate a link-state advertisement. This advertisement will represent the collection of all link-states on that router.
2. All routers will exchange link-states by means of flooding. Each router that receives a link-state update should store a copy in its link-state database and then propagate the update to other routers.
3. After the database of each router is completed, the router will calculate a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations will form the IP routing table.
4. In case no changes in the OSPF network occur, such as the cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated via link-state packets, and the Dijkstra algorithm is recalculated to find the shortest path.
OSPF Cost
The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost. There is more overhead (higher cost) and time delays involved in crossing a 56k serial line than crossing a 10M Ethernet line. The formula used to calculate the cost is:
cost = 10^8 / bandwidth (in bits per second)
For example, it will cost 10^8 / 10^7 = 10 to cross a 10M Ethernet line and will cost 10^8 / 1544000 = 64 to cross a T1 line. By default, the cost of an interface is calculated based on the bandwidth; you can force the cost of an interface by using the ip ospf cost <value> interface sub-command.
The above is the view of the network as seen from RTA. Note the direction of the arrows in calculating the cost. For example, the cost of RTB's interface to network 128.213.0.0 is not relevant when calculating the cost to 192.213.11.0. RTA can reach 192.213.11.0 via RTB with a cost of 15 (10+5). RTA can also reach 222.211.10.0 via RTC with a cost of 20 (10+10) or via RTB with a cost of 20 (10+5+5). In case equal cost paths exist to the same destination, Cisco's implementation of OSPF will keep track of up to six next hops to the same destination. After the router builds the shortest path tree, it will start building the routing table accordingly. Directly connected networks will be reached via a metric (cost) of 0 and other networks will be reached according to the cost calculated in the tree.
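The cost formula above and the shortest-path-tree step of the link-state algorithm, worked through in Python as an added example (not code from the training document or from any OSPF implementation). The figure showing RTA's view is not reproduced, so the topology below is a constructed assumption arranged so that Dijkstra produces exactly the costs quoted in the text: 15 to 192.213.11.0 via RTB, and 20 to 222.211.10.0 via either RTB or RTC. It also keeps every equal-cost predecessor, which is what lets the two next hops to 222.211.10.0 both appear:

```python
# Added example: OSPF interface cost and a Dijkstra shortest-path tree from
# RTA's point of view over a constructed (assumed) topology.
import heapq
from collections import defaultdict

REFERENCE_BANDWIDTH = 10**8  # reference bandwidth in bps used by the text's formula


def ospf_cost(bandwidth_bps, reference=REFERENCE_BANDWIDTH):
    """Interface cost: reference / bandwidth, truncated to an integer, never below 1."""
    return max(1, reference // bandwidth_bps)


# Constructed links: (router, attached network, that router's interface cost).
# RTA, RTB and RTC share 128.213.0.0; RTB and RTD share 192.213.11.0;
# RTD and RTC both attach to 222.211.10.0.
LINKS = [
    ("RTA", "128.213.0.0", 10),
    ("RTB", "128.213.0.0", 10),   # irrelevant from RTA's view, as the text notes
    ("RTC", "128.213.0.0", 10),
    ("RTB", "192.213.11.0", 5),
    ("RTD", "192.213.11.0", 5),
    ("RTD", "222.211.10.0", 5),
    ("RTC", "222.211.10.0", 10),
]


def build_graph(links):
    """Directed graph: leaving a router costs its outgoing interface cost;
    a network hands a packet to any attached router for free (cost 0).
    This is why only the sending side's interface cost counts."""
    graph = defaultdict(list)
    for router, net, cost in links:
        graph[router].append((net, cost))
        graph[net].append((router, 0))
    return graph


def shortest_path_tree(graph, root):
    """Dijkstra that records every equal-cost predecessor of each node."""
    dist = {root: 0}
    preds = defaultdict(set)
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph[node]:
            nd = d + cost
            if nxt not in dist or nd < dist[nxt]:
                dist[nxt] = nd
                preds[nxt] = {node}
                heapq.heappush(heap, (nd, nxt))
            elif nd == dist[nxt]:
                preds[nxt].add(node)
    return dist, preds


def next_hops(preds, root, dest):
    """Walk the predecessor sets back towards the root. The next hop is the
    router sitting on a network directly connected to the root; a directly
    connected network itself gets the pseudo next hop 'connected'."""
    hops = set()

    def walk(node):
        for p in preds[node]:
            if p == root:
                hops.add("connected")
            elif root in preds[p]:
                hops.add(node)
            else:
                walk(p)

    walk(dest)
    return sorted(hops)


def routing_table(links, root, max_paths=6):
    """{network: (cost, next hops)} as the root would install them; connected
    networks carry cost 0, and at most max_paths next hops are kept."""
    graph = build_graph(links)
    dist, preds = shortest_path_tree(graph, root)
    table = {}
    for net in sorted({net for _, net, _ in links}):
        hops = next_hops(preds, root, net)[:max_paths]
        table[net] = (0 if hops == ["connected"] else dist[net], hops)
    return table


if __name__ == "__main__":
    print("10M Ethernet cost:", ospf_cost(10_000_000), " T1 cost:", ospf_cost(1_544_000))
    for net, (cost, hops) in routing_table(LINKS, "RTA").items():
        print(f"{net:15} cost {cost:3}  via {', '.join(hops)}")
```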
An area is interface specific. A router that has all of its interfaces within the same area is called an internal router (IR). A router that has interfaces in multiple areas is called an area border router (ABR). Routers that act as gateways (redistribution) between OSPF and other routing protocols (IGRP, EIGRP, IS-IS, RIP, BGP, Static) or other instances of the OSPF routing process are called autonomous system border routers (ASBR). Any router can be an ABR or an ASBR.
Link-State Packets
There are different types of Link State Packets; these are what you normally see in an OSPF database (Appendix A). The different types are illustrated in the following diagram:
As indicated above, the router links are an indication of the state of the interfaces on a router belonging to a certain area. Each router will generate a router link for all of its interfaces. Summary links are generated by ABRs; this is how network reachability information is disseminated between areas. Normally, all information is injected into the backbone (area 0) and in turn the backbone will pass it on to other areas. ABRs also have the task of propagating the reachability of the ASBR. This is how routers know how to get to external routes in other ASs. Network Links are generated by a Designated Router (DR) on a segment (DRs will be discussed later). This information is an indication of all routers connected to a particular multi-access segment such as Ethernet, Token Ring and FDDI (NBMA also). External Links are an indication of networks outside of the AS. These networks are injected into OSPF via redistribution. The ASBR has the task of injecting these routes into an autonomous system.
The network command is a way of assigning an interface to a certain area. The mask is used as a shortcut, and it helps put a list of interfaces in the same area with one configuration line. The mask contains wildcard bits where 0 is a match and 1 is a "do not care" bit, e.g. 0.0.255.255 indicates a match in the first two bytes of the network number. The area-id is the area number we want the interface to be in. The area-id can be an integer between 0 and 4294967295 or can take a form similar to an IP address A.B.C.D.
Here's an example:
RTA#
interface Ethernet0
 ip address 192.213.11.1 255.255.255.0
interface Ethernet1
 ip address 192.213.12.2 255.255.255.0
interface Ethernet2
 ip address 128.213.1.1 255.255.255.0
router ospf 100
 network 192.213.0.0 0.0.255.255 area 0.0.0.0
 network 128.213.1.1 0.0.0.0 area 23
The first network statement puts both E0 and E1 in the same area 0.0.0.0, and the second network statement puts E2 in area 23. Note the mask of 0.0.0.0, which indicates a full match on the IP address. This is an easy way to put an interface in a certain area if you are having problems figuring out a mask.
OSPF Authentication
It is possible to authenticate the OSPF packets such that routers can participate in routing domains based on predefined passwords. By default, a router uses a Null authentication which means that routing exchanges over a network are not authenticated. Two other authentication methods exist: Simple password authentication and Message Digest authentication (MD-5).
Here's an example:
interface Ethernet0
 ip address 10.10.10.10 255.255.255.0
 ip ospf authentication-key mypassword
router ospf 10
 network 10.10.0.0 0.0.255.255 area 0
 area 0 authentication
In the above diagram, all areas are directly connected to the backbone. In the rare situations where a new area is introduced that cannot have a direct physical access to the backbone, a virtual link will have to be configured. Virtual links will be discussed in the next section. Note the different types of routing information. Routes that are generated from within an area (the destination belongs to the area) are called intra-area routes. These routes are normally represented by the letter O in the IP routing table. Routes that originate from other areas are called inter-area or Summary routes. The notation for these routes is O IA in the IP routing table. Routes that originate from other routing protocols (or different OSPF processes) and that are injected into OSPF via redistribution are called external routes. These routes are represented by O E2 or O E1 in the IP routing table. Multiple routes to the same destination are preferred in the following order: intra-area, inter-area, external E1, external E2. External types E1 and E2 will be explained later.
Virtual Links
Virtual links are used for two purposes:
1) Linking an area that does not have a physical connection to the backbone.
2) Patching the backbone in case discontinuity of area 0 occurs.
In this example, area 1 does not have a direct physical connection into area 0. A virtual link has to be configured between RTA and RTB. Area 2 is to be used as a transit area and RTB is the entry point into area 0. This way RTA and area 1 will have a logical connection to the backbone. In order to configure a virtual link, use the area <area-id> virtual-link <RID> router OSPF sub-command on both RTA and RTB, where area-id is the transit area. In the above diagram, this is area 2. The RID is the router-id. The OSPF router-id is usually the highest IP address on the box, or the highest loopback address if one exists. The router-id is only calculated at boot time or any time the OSPF process is restarted. To find the router-id, use the show ip ospf interface command. Assuming that 1.1.1.1 and 2.2.2.2 are the respective RIDs of RTA and RTB, the OSPF configuration for both routers would be:
RTA#
router ospf 10
 area 2 virtual-link 2.2.2.2

RTB#
router ospf 10
 area 2 virtual-link 1.1.1.1
In the above diagram two area 0s are linked together via a virtual link. In case a common area does not exist, an additional area, such as area 3, could be created to become the transit area. In case any area which is different than the backbone becomes partitioned, the backbone will take care of the partitioning without using any virtual links. One part of the partitioned area will be known to the other part via inter-area routes rather than intra-area routes.
Neighbors
Routers that share a common segment become neighbors on that segment. Neighbors are elected via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast (Appendix B). Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet. This way, a two way communication is guaranteed. Neighbor negotiation applies to the primary address only. Secondary addresses can be configured on an interface with a restriction that they have to belong to the same area as the primary address. Two routers will not become neighbors unless they agree on the following:
Area-id: Two routers having a common segment; their interfaces have to belong to the same area on that segment. Of course, the interfaces should belong to the same subnet and have a similar mask.
Authentication: OSPF allows for the configuration of a password for a specific area. Routers that want to become neighbors have to exchange the same password on a particular segment.
Hello and Dead Intervals: OSPF exchanges Hello packets on each segment. This is a form of keepalive used by routers in order to acknowledge their existence on a segment and in order to elect a designated router (DR) on multi-access segments. The Hello interval specifies the length of time, in seconds, between the hello packets that a router sends on an OSPF interface. The dead interval is the number of seconds that a router's Hello packets have not been seen before its neighbors declare the OSPF router down. OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, these routers will not become neighbors on a particular segment. The router interface commands used to set these timers are: ip ospf hello-interval seconds and ip ospf dead-interval seconds.
Stub area flag: Two routers have to also agree on the stub area flag in the Hello packets in order to become neighbors. Stub areas will be discussed in a later section. Keep in mind for now that defining stub areas will affect the neighbor election process.
Adjacencies
Adjacency is the next step after the neighboring process. Adjacent routers are routers that go beyond the simple Hello exchange and proceed into the database exchange process. In order to minimize the amount of information exchange on a particular segment, OSPF elects one router to be a designated router (DR), and one router to be a backup designated router (BDR), on each multi-access segment. The BDR is elected as a backup mechanism in case the DR goes down. The idea behind this is that routers have a central point of contact for information exchange. Instead of each router exchanging updates with every other router on the segment, every router exchanges information with the DR and BDR. The DR and BDR relay the information to everybody else. In mathematical terms, this cuts the information exchange from O(n*n) to O(n), where n is the number of routers on a multi-access segment. The following router model illustrates the DR and BDR:
In the above diagram, all routers share a common multi-access segment. Due to the exchange of Hello packets, one router is elected DR and another is elected BDR. Each router on the segment (which already became a neighbor) will try to establish an adjacency with the DR and BDR.
DR Election
DR and BDR election is done via the Hello protocol. Hello packets are exchanged via IP multicast packets (Appendix B) on each segment. The router with the highest OSPF priority on a segment will become the DR for that segment. The same process is repeated for the BDR. In case of a tie, the router with the highest RID will win. The default for the interface OSPF priority is one. Remember that the DR and BDR concepts are per multiaccess segment. Setting the ospf priority on an interface is done using the ip ospf priority <value> interface command. A priority value of zero indicates an interface which is not to be elected as DR or BDR. The state of the interface with priority zero will be DROTHER. The following diagram illustrates the DR election:
In the above diagram, RTA and RTB have the same interface priority but RTB has a higher RID. RTB would be DR on that segment. RTC has a higher priority than RTB. RTC is DR on that segment.
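The election rules just described, as an added example that is not part of the training document: a Python model that ranks the routers on one segment by priority and then by RID, excludes priority 0, and reports the resulting interface state. The first segment uses the four RIDs from the show output later in this chapter; the second segment and its RIDs are constructed to mirror the diagram (equal priorities broken by RID, a higher priority winning outright, and a priority-0 router staying DROTHER).

```python
# Added example, not from the training document: DR/BDR election on one
# multi-access segment following the rules described above (highest priority
# wins, ties go to the highest RID, priority 0 is never elected).  Function
# names and the second, constructed segment are assumptions for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SegmentRouter:
    name: str
    rid: str            # OSPF router ID, dotted-decimal
    priority: int = 1   # ip ospf priority <value>; default 1, 0 = never DR/BDR


def _rank(r: SegmentRouter):
    # Higher priority first; on a tie the numerically higher RID wins.
    return (r.priority, int(ipaddress.IPv4Address(r.rid)))


def elect_dr_bdr(routers: List[SegmentRouter]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for a segment whose routers all start together.

    Caveat: a live OSPF election is not pre-emptive; a router that joins a
    segment which already has a DR accepts it even with a better priority/RID.
    """
    eligible = sorted((r for r in routers if r.priority > 0), key=_rank, reverse=True)
    dr = eligible[0].name if eligible else None
    bdr = eligible[1].name if len(eligible) > 1 else None
    return dr, bdr


def interface_state(router: SegmentRouter, routers: List[SegmentRouter]) -> str:
    """State the router's interface ends up in on this segment: DR, BDR or DROTHER."""
    dr, bdr = elect_dr_bdr(routers)
    if router.name == dr:
        return "DR"
    if router.name == bdr:
        return "BDR"
    return "DROTHER"


# The four routers on the Ethernet0 segment whose show output appears later in
# this chapter; RIDs taken from that output, all with the default priority.
E0_SEGMENT = [
    SegmentRouter("RTA", "203.250.13.41"),
    SegmentRouter("RTB", "203.250.12.1"),
    SegmentRouter("RTD", "192.208.10.174"),
    SegmentRouter("RTF", "203.250.15.1"),
]

# Constructed segment modelled on the election diagram: RTA and RTB share a
# priority but RTB has the higher RID, RTC has the highest priority, and a
# router set to priority 0 must stay DROTHER.  These RIDs are made up.
DIAGRAM_SEGMENT = [
    SegmentRouter("RTA", "10.0.0.1", priority=1),
    SegmentRouter("RTB", "10.0.0.2", priority=1),
    SegmentRouter("RTC", "10.0.0.3", priority=5),
    SegmentRouter("RTE", "10.0.0.250", priority=0),
]

if __name__ == "__main__":
    for seg in (E0_SEGMENT, DIAGRAM_SEGMENT):
        for r in seg:
            print(f"{r.name:4} rid={r.rid:15} pri={r.priority}  ->  {interface_state(r, seg)}")
        print()
```

On the E0 segment the model yields RTF as DR and RTA as BDR, which is exactly what the show ip ospf interface output below reports, because all four routers use the default priority and 203.250.15.1 is the highest RID.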
RTA, RTB, RTD, and RTF share a common segment (E0) in area 0.0.0.0. The following are the configs of RTA and RTF. RTB and RTD should have a similar configuration to RTF and are not included.

RTA#
hostname RTA
interface Loopback0
 ip address 203.250.13.41 255.255.255.0
interface Ethernet0
 ip address 203.250.14.1 255.255.255.0
router ospf 10
 network 203.250.13.41 0.0.0.0 area 1
 network 203.250.0.0 0.0.255.255 area 0.0.0.0

RTF#
hostname RTF
interface Ethernet0
 ip address 203.250.14.2 255.255.255.0
router ospf 10
 network 203.250.0.0 0.0.255.255 area 0.0.0.0

The above is a simple example that demonstrates a couple of commands that are very useful in debugging OSPF networks.

sh ip ospf interface <interface>

This command is a quick check to see if all of the interfaces belong to the areas they are supposed to be in. The sequence in which the OSPF network commands are listed is very important. In RTA's configuration, if the "network 203.250.0.0 0.0.255.255 area 0.0.0.0" statement was put before the "network 203.250.13.41 0.0.0.0 area 1" statement, all of the interfaces would be in area 0, which is incorrect because the loopback is in area 1.
Let us look at the command's output on RTA, RTF, RTB, and RTD:

RTA#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.1 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.13.41, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 203.250.15.1 (Designated Router)
Loopback0 is up, line protocol is up
  Internet Address 203.250.13.41 255.255.255.255, Area 1
  Process ID 10, Router ID 203.250.13.41, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
RTF#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.2 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.15.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:08
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

RTD#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.4 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 192.208.10.174, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:03
  Neighbor Count is 3, Adjacent neighbor count is 2
    Adjacent with neighbor 203.250.15.1 (Designated Router)
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

RTB#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.3 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.12.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:03
  Neighbor Count is 3, Adjacent neighbor count is 2
    Adjacent with neighbor 203.250.15.1 (Designated Router)
    Adjacent with neighbor 203.250.13.41 (Backup Designated Router)

The above output shows very important information. Let us look at RTA's output.
Ethernet0 is in area 0.0.0.0. The process ID is 10 (router ospf 10) and the router ID is 203.250.13.41. Remember that the RID is the highest IP address on the box or the loopback interface, calculated at boot time or whenever the OSPF process is restarted. The state of the interface is BDR. Since all routers have the same OSPF priority on Ethernet 0 (the default is 1), RTF's interface was elected as DR because of its higher RID. In the same way, RTA was elected as BDR. RTD and RTB are neither DR nor BDR, so their state is DROTHER. Also note the neighbor count and the adjacent count. RTD has three neighbors and is adjacent to two of them, the DR and the BDR. RTF has three neighbors and is adjacent to all of them because it is the DR. The information about the network type is important and will determine the state of the interface. On broadcast networks such as Ethernet, the election of the DR and BDR should be irrelevant to the end user. It should not matter who the DR or BDR are. In other cases, such as NBMA media like Frame Relay and X.25, this becomes very important for OSPF to function correctly. Fortunately, with the introduction of point-to-point and point-to-multipoint subinterfaces, DR election is no longer an issue. OSPF over NBMA will be discussed in the next section.
Another command we need to look at is show ip ospf neighbor. Let us look at RTD's output:

RTD#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
203.250.12.1      1   2WAY/DROTHER    0:00:37     203.250.14.3    Ethernet0
203.250.15.1      1   FULL/DR         0:00:36     203.250.14.2    Ethernet0
203.250.13.41     1   FULL/BDR        0:00:34     203.250.14.1    Ethernet0

The show ip ospf neighbor command shows the state of all the neighbors on a particular segment. Do not be alarmed if the "Neighbor ID" does not belong to the segment you are looking at. In our case 203.250.12.1 and 203.250.15.1 are not on Ethernet0. This is "OK" because the "Neighbor ID" is actually the RID, which could be any IP address on the box. RTD and RTB are just neighbors, which is why the state is 2WAY/DROTHER. RTD is adjacent to RTA and RTF, and the state is FULL/DR and FULL/BDR.
In the above diagram, it is essential for RTA's interface to the cloud to be elected DR, because RTA is the only router that has full connectivity to the other routers. The election of the DR can be influenced by setting the OSPF priority on the interfaces. Routers that do not need to become DR or BDR are given a priority of 0; the remaining routers can be given a priority lower than RTA's.
Chapter 7 Configurations
Common Configuration Command
Configuration of TCP/IP in a Cisco router is straightforward. The following table summarizes many of the most common commands used for IP configuration and verification.
Command                                                          Configuration Mode
ip address ip-address mask [secondary]                           Interface mode
ip host name [tcp-port-number] address1 [address2...address8]    Global
ip route prefix mask {next-hop-router|output-interface}          Global
ip default-network network                                       Global
ip classless                                                     Global
ip domain-lookup                                                 Global

Command                            Function
show hosts                         Lists all hostnames and corresponding IP addresses
                                   Lists interface statistics, including IP address
show ip interface [type number]    Provides a detailed view of IP parameter settings, per interface
                                   Shows entire routing table, or one entry if is entered
Albuquerque#show running-config
Building configuration...

Current configuration:
version 11.2
hostname Albuquerque
!
enable secret 5 $1$skrN$z4oq6OHfB6zu1WG4P/6ZY0
!
ip name-server 10.1.1.100
ip name-server 10.1.2.100
!
interface Ethernet0
 ip address 10.1.1.251 255.255.255.0
!
no ip classless
banner motd ^C Should've taken a left turn here! This is Albuquerque...^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
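The running-config above stores the line passwords in clear text while the enable secret is a type 5 hash. As an added example that is not part of the training document, the following Python audit walks such a configuration and reports credential weaknesses a reviewer would look for: clear-text or reversible (type 7) line passwords, an enable password used instead of an enable secret, and a console or aux line with no authentication at all. The sample config is constructed with a placeholder hash; the function names are assumptions.

```python
# Added example, not from the training document: a small audit of credential
# handling in an IOS running-config like the one above.  Function names are
# assumptions; the sample config is constructed (placeholder secret hash).
from typing import Dict, List

SAMPLE_CONFIG = """\
version 11.2
hostname Albuquerque
!
enable secret 5 $1$PLACEHOLDER$HASHVALUE
!
interface Ethernet0
 ip address 10.1.1.251 255.255.255.0
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
"""


def line_sections(config: str) -> Dict[str, List[str]]:
    """Collect the indented sub-commands under each top-level 'line ...' stanza."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):                 # a top-level command
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_running_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password is set; it is stored reversibly, use enable secret")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret configured")
    for name, cmds in line_sections(config).items():
        passwords = [c for c in cmds if c.startswith("password ")]
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        # Console and aux ports prompt for nothing unless 'login' and a password are set.
        if name.startswith(("line con", "line aux")) and not (passwords or has_login):
            findings.append(f"{name}: no login/password, the port is reachable without authentication")
        for pw in passwords:
            parts = pw.split()
            if parts[1] == "7":                     # service password-encryption output
                findings.append(f"{name}: type 7 password (reversible encryption)")
            else:                                   # "password word" or "password 0 word"
                findings.append(f"{name}: clear-text password in running-config")
    return findings


if __name__ == "__main__":
    for f in audit_running_config(SAMPLE_CONFIG):
        print(f)
```

Type 7 is reported as well as clear text because service password-encryption only obscures the line passwords with a reversible scheme; only the enable secret in this configuration is a one-way hash.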
Command       Function
Interface     Lists statistics and details of interface configuration, including the encapsulation type.
              Lists compression ratios.
              Lists processor and task utilization. Is useful in watching for increased utilization due to compression.
Assume that Router A and Router B have a serial link attached to their serial 0 ports, respectively.

Router A
interface serial 0
 encapsulation ppp

Router B
interface serial 0
 encapsulation ppp
Chapter 8
Exercise Setting the hostname of the Router
Scenario
You have been assigned to configure the router identification name.
Goal
In this exercise, you will assign the hostname to the router. If you have many routers, each router should be identified by a name, so that while managing and configuring you configure only the desired router and not some other router.
Steps
1. For any configuration we first have to enter Global Configuration Mode. The command for entering Global Configuration Mode is config t:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Test_Router_1
Test_Router_1(config)#

The prompt will change to the hostname you specify.
Exercise Configuring the Ethernet interface of the Router for Telnet access
Scenario
You have been assigned to configure the Ethernet interface of the router, so that you can telnet to the router.
Goal
You cannot use the console port every time for router configuration, since you have to be near the router. To access a router from the network, you need to configure the Ethernet interface.
Steps
1. Go to Global Configuration Mode by using the configure terminal command:

Test_Router_1# conf term
Enter configuration commands, one per line. End with CNTL/Z.
Test_Router_1(config)#
     4487 packets input, 4798927 bytes, 0 no buffer
     Received 4376 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     470 packets output, 30847 bytes, 0 underruns
     195 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     195 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Test_Router_1#

The output shows that the Ethernet interface is up and running.
9. From a machine with an IP address in the same subnet as the router, i.e. 163.122.31.0, telnet to the Ethernet e0/0 port IP address (163.122.31.130).
The output will be as follows:
Goal
You need to set a password on the console port; otherwise anybody can enter the router from the console port. It is therefore required that a password be assigned to the console port.
Steps
Enter the commands in the following order.

1. Test_Router_1#conf t
2. Enter configuration commands, one per line. End with CNTL/Z.
3. Test_Router_1(config)#line con 0
4. Test_Router_1(config-line)#login
5. Test_Router_1(config-line)#password console
6. Test_Router_1(config-line)#exit
7. Test_Router_1(config)#exit
8. Test_Router_1#
Now when we access the router via the console port, it will ask for the password and the output will be as follows:

Welcome to the UTS Network
User Access Verification
Password:
Chapter 9
IPSec Overview
IPSec services are similar to those provided by Cisco Encryption Technology (CET), a proprietary security solution introduced in Cisco IOS Software Release 11.2. (The IPSec standard was not yet available at Release 11.2.) However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and anti-replay services in addition to data confidentiality services, while CET provides only data confidentiality services.
Supported Standards
Cisco implements the following standards with this feature:

IPSec: IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Internet Key Exchange (IKE): A hybrid protocol which implements Oakley and SKEME key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.

The component technologies implemented for IPSec include:

DES: The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backwards compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.

MD5 (HMAC variant): MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

SHA (HMAC variant): SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

IPSec as implemented in Cisco IOS software supports the following additional standards:

AH: Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
ESP: Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected. The updated ESP protocol allows for the use of various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides anti-replay services.

List of Terms

anti-replay: A security service where the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPSec provides this optional service by use of a sequence number combined with the use of data authentication. Cisco IOS IPSec provides this service whenever it provides the data authentication service, except in the following cases: RFC 1828 does not provide support for this service. The service is not available for manually established security associations (that is, security associations established by configuration and not by IKE).

data authentication: Includes two concepts: data integrity (verify that data has not been altered) and data origin authentication (verify that the data was actually sent by the claimed sender). Data authentication can refer either to integrity alone or to both of these concepts (although data origin authentication is dependent upon data integrity).

data confidentiality: A security service where the protected data cannot be observed.

data flow: A grouping of traffic, identified by a combination of source address/mask, destination address/mask, IP next protocol field, and source and destination ports, where the protocol and port fields can have the value any. In effect, all traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent all of the traffic between two subnets. IPSec protection is applied to data flows.
peer: In the context of this chapter, a peer refers to a router or other device that participates in IPSec.

perfect forward secrecy (PFS): A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.

security association: An IPSec security association (SA) is a description of how two or more entities will use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. It includes such things as the transform and the shared secret keys to be used for protecting the traffic. The IPSec security association is established either by IKE or by manual user configuration. Security associations are unidirectional and are unique per security protocol. So when security associations are established for IPSec, the security associations (for each protocol) for both directions are established at the same time. When using IKE to establish the security associations for the data flow, the security associations are established when needed and expire after a period of time (or volume of traffic). If the security associations are manually established, they are established as soon as the necessary configuration is completed and do not expire.

security parameter index (SPI): This is a number which, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish the security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association.

transform: A transform lists a security protocol (AH or ESP) with its corresponding algorithms. For example, one transform is the AH protocol with the HMAC-MD5 authentication algorithm; another transform is the ESP protocol with the 56-bit DES encryption algorithm and the HMAC-SHA authentication algorithm.

tunnel: In the context of this chapter, a secure communication path between two peers, such as two routers. It does not refer to using IPSec in tunnel mode.

IPSec Interoperability with Other Cisco IOS Software Features

You can use Cisco Encryption Technology and IPSec together; the two encryption technologies can coexist in your network. Each router may support concurrent encryption links using either IPSec or Cisco Encryption Technology. A single interface can even support the use of IPSec or CET for protecting different data flows.

Supported Hardware, Switching Paths, and Encapsulation

IPSec has certain restrictions for hardware, switching paths, and encapsulation methods, as follows.

Supported Hardware: IPSec is not supported on VIP2 interfaces (VIP2-40 or above) or the Encryption Service Adapter (ESA) card. There is currently no hardware accelerator for IPSec.

Supported Switching Paths: IPSec works with both process switching and fast switching. IPSec does not work with optimum or flow switching.

Supported Encapsulation: IPSec works with the following serial encapsulations: High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IPinIP Layer 3, L2F, L2TP, DLSw+, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec. Since the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec currently cannot be used to protect group traffic (such as broadcast or multicast traffic).
Restrictions

At this time, IPSec can be applied to unicast IP datagrams only. Because the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec does not currently work with multicast or broadcast IP datagrams. If you use Network Address Translation (NAT), you should configure static NAT translations so that IPSec will work properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses.

Overview of How IPSec Works

In simple terms, IPSec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters which should be used to protect these sensitive packets, by specifying characteristics of these tunnels. Then, when the IPSec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

Note: The use of the term tunnel in this chapter does not refer to using IPSec in tunnel mode. More accurately, these tunnels are sets of security associations that are established between two IPSec peers. The security associations define which protocols and algorithms should be applied to sensitive packets, and also specify the keying material to be used by the two peers. Security associations are unidirectional and are established per security protocol (AH or ESP).

With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic may be selected based on source and destination address, and optionally Layer 4 protocol and port. (Similar to CET, the access lists used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted through the interface. Separate access lists define blocking and permitting at the interface.)

A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in order; the router attempts to match the packet to the access list specified in that entry. When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, then CET is triggered, and connections are established if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPSec is triggered. If no security association exists that IPSec can use to protect this traffic to the peer, IPSec uses IKE to negotiate with the remote peer to set up the necessary IPSec security associations on behalf of the data flow. The negotiation uses information specified in the crypto map entry as well as the data flow information from the specific access list entry. (The behavior is different for dynamic crypto map entries.) If the crypto map entry is tagged as ipsec-manual, IPSec is triggered. If no security association exists that IPSec can use to protect this traffic to the peer, the traffic is dropped. In this case, the security associations are installed via the configuration, without the intervention of IKE. If the security associations did not exist, IPSec did not have all of the necessary pieces configured.

Once established, the set of security associations (outbound, to the peer) is then applied to the triggering packet as well as to subsequent applicable packets as those packets exit the router. Applicable packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound security associations are used when processing the incoming traffic from that peer. If IKE is used to establish the security associations, the security associations will have lifetimes so that they will periodically expire and require renegotiation. (This provides an additional level of security.) Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of security associations. For example, some data streams might be just authenticated while other data streams must both be encrypted and authenticated.

Access lists associated with IPSec crypto map entries also represent which traffic the router requires to be protected by IPSec. Inbound traffic is processed against the crypto map entries; if an unprotected packet matches a permit entry in a particular access list associated with an IPSec crypto map entry, that packet is dropped because it was not sent as an IPSec-protected packet. Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec-protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

It is possible for the traffic between the outer peers to have one kind of protection (such as data authentication) and for traffic between the inner peers to have different protection (such as both data authentication and encryption). After you have completed IKE configuration, configure IPSec. To configure IPSec, complete the tasks in the following sections at each participating IPSec peer:

Ensure Access Lists Are Compatible with IPSec
Set Global Lifetimes for IPSec Security Associations
Create Crypto Access Lists
Define Transform Sets
Create Crypto Map Entries
Apply Crypto Map Sets to Interfaces
Monitor and Maintain IPSec
There are two lifetimes: a timed lifetime and a traffic-volume lifetime. A security association expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabytes per second for one hour). If you change a global lifetime, the new lifetime value will not be applied to currently existing security associations, but will be used in the negotiation of subsequently established security associations. If you wish to use the new values immediately, you can clear all or part of the security association database. Refer to the clear crypto sa command for more details. IPSec security associations use one or more shared secret keys. These keys and their security associations time out together. To change a global lifetime for IPSec security associations, use one or more of the following commands in global configuration mode:
The crypto access list you define will be applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. Different access lists must be used in different entries of the same crypto map set. (These two tasks are described in the following sections.) Both inbound and outbound traffic are evaluated against the same outbound IPSec access list. Therefore, the access list criteria are applied in the forward direction to traffic exiting your router, and in the reverse direction to traffic entering your router. In the figure below, IPSec protection is applied to traffic between Host 10.0.0.1 and Host 20.0.0.2 as the data exits Router A's S0 interface en route to Host 20.0.0.2. For traffic from Host 10.0.0.1 to Host 20.0.0.2, the access list entry on Router A is evaluated as follows:
source = host 10.0.0.1 dest = host 20.0.0.2
For traffic from Host 20.0.0.2 to Host 10.0.0.1, that same access list entry on Router A is evaluated as follows:
source = host 20.0.0.2 dest = host 10.0.0.1
If you configure multiple statements for a given crypto access list which is used for IPSec, in general the first permit statement that is matched will be the statement used to determine the scope of the IPSec security association. That is, the IPSec security association will be set up to protect traffic that meets the criteria of the matched statement only. Later, if traffic matches a different permit statement of the crypto access list, a new, separate IPSec security association will be negotiated to protect traffic matching the newly matched access list statement. Any unprotected inbound traffic that matches a permit entry in the crypto access list for a crypto map entry flagged as IPSec will be dropped, since this traffic was expected to be protected by IPSec. Note: If you view your router's access lists by using a command such as show ip access-lists, all extended IP access lists will be shown in the command output. This includes extended IP access lists that are used for traffic filtering purposes as well as those that are used for crypto. The show command output does not differentiate between the different uses of the extended access lists.
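The behaviour described in this section and in the earlier discussion of security association lifetimes, as an added example that is not part of the training document or of Cisco IOS: a Python model of one crypto map entry that evaluates its crypto access list in the forward direction for outbound packets and with source and destination swapped for inbound packets, drops unprotected inbound traffic that the list says should have been protected, scopes each security association to the first permit statement matched, and retires an SA when the first of its timed or traffic-volume lifetimes is reached. All class and function names are assumptions; the host pair 10.0.0.1 and 20.0.0.2 is the one from the figure, and the policies are constructed.

```python
# Added example, not from the training document: a model of one crypto map
# entry and its crypto access list, with outbound (forward) and inbound
# (reverse) evaluation, per-statement security associations, and the timed and
# traffic-volume SA lifetimes described earlier.  All names are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" (protect with IPSec) or "deny" (do not protect)
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str = "any"     # IP next protocol, or "any"


def entry_matches(e: AclEntry, src: str, dst: str, proto: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(e.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(e.dst)
            and e.proto in ("any", proto))


def first_match(acl: List[AclEntry], src: str, dst: str, proto: str) -> Optional[AclEntry]:
    """First statement that matches; None stands for the implicit deny at the end."""
    for e in acl:
        if entry_matches(e, src, dst, proto):
            return e
    return None


@dataclass
class SecurityAssociation:
    selector: AclEntry     # the permit statement that fixed this SA's scope
    created_at: float
    seconds: int           # timed lifetime
    kilobytes: int         # traffic-volume lifetime
    bytes_sent: int = 0

    def expired(self, now: float) -> bool:
        # An SA expires when the FIRST of its two lifetimes is reached.
        return (now - self.created_at >= self.seconds
                or self.bytes_sent >= self.kilobytes * 1024)


class CryptoMapEntry:
    def __init__(self, acl: List[AclEntry], seconds: int = 3600, kilobytes: int = 4_608_000):
        self.acl = acl                       # defaults mirror the IOS global lifetimes
        self.seconds, self.kilobytes = seconds, kilobytes
        self.outbound: Dict[AclEntry, SecurityAssociation] = {}

    def send(self, src: str, dst: str, proto: str, size: int, now: float) -> str:
        """Outbound packet: forward-direction evaluation of the crypto access list."""
        e = first_match(self.acl, src, dst, proto)
        if e is None or e.action != "permit":
            return "clear"                   # not selected for IPSec, forwarded as usual
        sa = self.outbound.get(e)
        if sa is None or sa.expired(now):
            # No usable SA: IKE negotiates one scoped to the matched statement only.
            sa = SecurityAssociation(e, now, self.seconds, self.kilobytes)
            self.outbound[e] = sa
            sa.bytes_sent += size
            return "negotiate+protect"
        sa.bytes_sent += size
        return "protect"

    def receive(self, src: str, dst: str, proto: str, protected: bool) -> str:
        """Inbound packet: the SAME access list, with source and destination swapped."""
        e = first_match(self.acl, dst, src, proto)
        if e is None or e.action != "permit":
            return "clear"                   # not crypto traffic; interface ACLs decide
        return "accept" if protected else "drop"   # clear-text where IPSec was expected


if __name__ == "__main__":
    # Constructed policy: protect the host pair from the figure, nothing else.
    cm = CryptoMapEntry([AclEntry("permit", "10.0.0.1/32", "20.0.0.2/32")])
    print(cm.send("10.0.0.1", "20.0.0.2", "tcp", 1500, now=0))         # negotiate+protect
    print(cm.send("10.0.0.1", "20.0.0.2", "tcp", 1500, now=10))        # protect
    print(cm.send("10.0.0.9", "20.0.0.2", "tcp", 1500, now=10))        # clear
    print(cm.receive("20.0.0.2", "10.0.0.1", "tcp", protected=False))  # drop
    print(cm.receive("20.0.0.2", "10.0.0.1", "tcp", protected=True))   # accept
    print(cm.send("10.0.0.1", "20.0.0.2", "tcp", 1500, now=3600))      # negotiate+protect
```

Two details carry the security weight: receive() swaps the addresses before consulting the list, which is how one outbound access list also defines what the router refuses to accept unprotected, and expired() uses whichever lifetime runs out first, so a heavily used tunnel rekeys on volume long before its one-hour timer.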
Load Sharing
You can define multiple remote peers using crypto maps to allow for load sharing. If one peer fails, there will still be a protected path. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list. If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers, you might consider configuring dynamic crypto maps as described in the section Creating Dynamic Crypto Maps. Dynamic crypto maps are useful when the establishment of the IPSec tunnels is initiated by the remote peer (such as in the case of an IPSec router fronting a server). They are not useful if the establishment of the IPSec tunnels is locally initiated, because the dynamic crypto maps are policy templates, not complete statements of policy. (Although the access lists in any referenced dynamic crypto map entry are used for crypto packet filtering.)
Creating Crypto Map Entries that Use IKE to Establish Security Associations

When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.
To create crypto map entries that will use IKE to establish the security associations, use the following commands starting in global configuration mode:
Create a Dynamic Crypto Map Set

Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name but each with a different dynamic-seq-num. To create a dynamic crypto map entry, use the following commands starting in global configuration mode:
Dynamic crypto map entries specify crypto access lists that limit traffic for which IPSec security associations can be established. A dynamic crypto map entry that does not specify an access list will be ignored during traffic filtering. A dynamic crypto map entry with an empty access list causes traffic to be dropped. If there is only one dynamic crypto map entry in the crypto map set, it must specify acceptable transform sets.
For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows: Each interface will have its own piece of the security association database. The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface. If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface. This has the following effects: The per-interface portion of the IPSec security association database will be established one time and shared for traffic through all the interfaces that share the same crypto map. The IP address of the identifying interface will be used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set. One suggestion is to use a loopback interface as the identifying interface. To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:
To view information about your IPSec configuration, use one or more of the following commands in EXEC mode: