CCNA Configuration Lab Hands on

Natthapong Wannurat, CCNA, CCDA, CSE, SMBAM, SMBSE
Channel Account Manager, South Region

Defining Components of the Network

(Diagram: Home Office, Mobile Users, Internet, Branch Office, Main Office)

Defining the Components of a Network (cont.)

(Diagram: Branch Office, Floor 1, Floor 2, Server Farm, ISDN, Telecommuter, Remote, Campus)

Network Structure Defined by Hierarchy
  • Core Layer
  • Distribution Layer
  • Access Layer

OSI Model Overview
  • Application (Upper) Layers: Application, Presentation, Session
  • Data Flow Layers: Transport, Network, Data Link, Physical

Role of Application Layers
  • Application – User interface. Examples: Telnet, FTP
  • Presentation – How data is presented; special processing such as encryption. Examples: ASCII, EBCDIC, JPEG
  • Session – Keeping different applications’ data separate. Examples: Operating System/Application Access Scheduling
  • (Data flow layers below: Transport, Network, Data Link, Physical)

Role of Data Flow Layers
  • (Upper layers above: Application, Presentation, Session)
  • Transport – Reliable or unreliable delivery; error correction before retransmit. Examples: TCP, UDP, SPX
  • Network – Provides logical addressing, which routers use for path determination. Examples: IP, IPX
  • Data Link – Combines bits into bytes and bytes into frames; access to media using MAC address; error detection, not correction. Examples: 802.3 / 802.2, HDLC
  • Physical – Moves bits between devices; specifies voltage, wire speed and pin-out of cables. Examples: EIA/TIA-232, V.35

Encapsulating Data
  • Application, Presentation, Session – PDU (Protocol Data Unit): Upper Layer Data
  • Transport – Segment: TCP Header | Upper Layer Data
  • Network – Packet: IP Header | Data
  • Data Link – Frame: LLC Header | Data | FCS, then MAC Header | Data | FCS
  • Physical – Bits: 0101110101001000010
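The layering on this slide, as an added worked example that is not part of the original deck: a Python script wraps a short payload in a TCP header (segment), an IPv4 header (packet) and an Ethernet II MAC header with a CRC-32 FCS (frame), then decapsulates the frame again while verifying the FCS and the IPv4 header checksum. The IP addresses and MAC addresses are borrowed from other slides in this deck; the payload, ports and the frame layout (MAC header only, no LLC header) are assumptions of the example, and the checksums follow RFC 1071.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def mac_to_bytes(mac: str) -> bytes:
    """Accepts Cisco dotted notation ("0001.96dc.1a62") or colon notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_segment(src_port, dst_port, payload, src_ip, dst_ip, seq=1, ack=0):
    """Transport layer: 20-byte TCP header + upper-layer data = segment."""
    fields = [src_port, dst_port, seq, ack, 5 << 4, 0x18, 8192]   # data offset 5 words, PSH+ACK
    header = struct.pack("!HHIIBBHHH", *fields, 0, 0)               # checksum and urgent pointer zero
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_TCP, len(header) + len(payload))
    cksum = ones_complement_checksum(pseudo + header + payload)
    return struct.pack("!HHIIBBHHH", *fields, cksum, 0) + payload


def build_packet(src_ip, dst_ip, segment, ttl=64, ident=0x1234):
    """Network layer: 20-byte IPv4 header + data = packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000,
                         ttl, IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    cksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", cksum) + header[12:] + segment


def build_frame(src_mac, dst_mac, packet):
    """Data link layer: MAC header + data + FCS = frame. The FCS is CRC-32, sent LSB first."""
    body = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_valid(frame: bytes) -> bool:
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def decapsulate(frame: bytes) -> dict:
    """Peel the layers off in reverse, checking the FCS and the IPv4 header checksum."""
    if not fcs_valid(frame):
        raise ValueError("FCS mismatch: frame damaged in transit")
    body = frame[:-4]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:     # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "ip": {"src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])), "protocol": packet[9]},
        "tcp": {"src_port": src_port, "dst_port": dst_port},
        "payload": segment[data_offset:],
    }


def example_frame() -> bytes:
    """Constructed sample: host 10.1.1.2 sends an HTTP request to 172.16.1.1 (addresses from this deck)."""
    payload = b"GET / HTTP/1.0\r\n"
    segment = build_segment(40000, 80, payload, "10.1.1.2", "172.16.1.1")
    packet = build_packet("10.1.1.2", "172.16.1.1", segment)
    return build_frame("0010.1116.a3a4", "0001.96dc.1a62", packet)


if __name__ == "__main__":
    frame = example_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

Running the script prints the 74 bytes that leave the physical layer (14 + 20 + 20 + 16 + 4) and the recovered layers; flipping any byte of the frame makes the FCS check fail, which is the "error detection, not correction" behaviour of the data link layer described above.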

Introduction to TCP/IP

TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP handles the actual delivery of the data, TCP keeps track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.

User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages sometimes known as datagrams (using Datagram Sockets) to one another. UDP is sometimes called the Universal Datagram Protocol or Unreliable Datagram Protocol.

1. Agenda
  • Explain basic IP Addressing
  • Review Subnetting concepts
  • How to Calculate Subnets, host Addresses and broadcast IDs
  • Explain VLSM concepts and Route Summarization
Why IP Addresses?
  • Uniquely identifies each device on an IP network so that data can be sent correctly to those locations.
  • Real life analogies:
    • Address on a letter
    • Telephone number
  • Every host (computer, networking device, peripheral) must have a unique address.
Parts of the IP Address
  • Each IP address consists of:
    • Network ID
      • Identifies the network to which the host belongs
      • Assigned by registry authority and cannot be changed
    • Host ID
      • Identifies the individual host
      • Assigned by organizations to individual devices
IP Address Format: Dotted Decimal Notation

Remember binary-to-decimal and decimal-to-binary conversion.

IP Address Ranges
  • 127 (01111111) is a Class A address reserved for loopback testing and cannot be assigned to a network.
Example Class B Network Address (Reserved)

Total number of host addresses available = 2^h – 2, where h is the number of bits in the host field.

Example Class B Broadcast Address (Reserved)

Total number of host addresses available = 2^h – 2, where h is the number of bits in the host field.

Subnetworks
  • Smaller networks are easier to manage.
  • Overall traffic is reduced.
  • You can more easily apply network security policies.

Number of Subnets Available
  • To identify subnets, you will “borrow” bits from the host ID portion of the IP address.
    • The number of subnets available depends on the number of bits borrowed.
    • One address is still reserved as the network address.
    • One address is still reserved as the broadcast address.
    • Available number of subnets = 2^s, where s is the number of bits borrowed.
What a Subnet Mask Does
  • Tells the router the number of bits to look at when routing
  • Defines the number of bits that are significant
  • Used as a measuring tool, not to hide anything
What Is a Variable-Length Subnet Mask?

Subnet 172.16.14.0/24 is divided into smaller subnets:
  • Subnet with one mask (/27).
  • Then further subnet one of the unused /27 subnets into multiple /30 subnets.
What Is Route Summarization?
  • Routing protocols can summarize addresses of several networks into one address.
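The calculations on the subnetting, VLSM and summarization slides, as an added example that is not part of the original deck: the 2^h – 2 host count, the 2^s subnet count, the /24 → /27 → /30 VLSM split of 172.16.14.0/24 from the VLSM slide, and summarization of several subnets into one advertisement. It uses only the Python standard library's ipaddress module; the function names are the example's own.

```python
import ipaddress


def usable_hosts(network: str) -> int:
    """Total host addresses = 2^h - 2, where h is the number of host bits.
    The two reserved addresses are the network address and the broadcast address."""
    net = ipaddress.ip_network(network, strict=True)
    h = net.max_prefixlen - net.prefixlen
    return max(2 ** h - 2, 0)         # /31 and /32 have no room for the reserved pair


def subnet_count(original_prefix: int, new_prefix: int) -> int:
    """Available subnets = 2^s, where s is the number of bits borrowed from the host field."""
    s = new_prefix - original_prefix
    if s < 0:
        raise ValueError("new prefix must be longer than the original")
    return 2 ** s


def split(network: str, new_prefix: int) -> list:
    """Borrow bits: carve `network` into equal subnets with the longer mask."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def describe(network: str) -> dict:
    """The values the subnetting slides ask you to calculate for one subnet."""
    net = ipaddress.ip_network(network, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": usable_hosts(network),
    }


def summarize(prefixes) -> list:
    """Route summarization: the smallest set of prefixes covering exactly the given networks."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # The VLSM slide: 172.16.14.0/24 cut into /27s, then one unused /27 cut into /30s.
    first_level = split("172.16.14.0/24", 27)
    print(f"{subnet_count(24, 27)} subnets of /27, each with {usable_hosts(first_level[0])} hosts")
    for subnet in first_level:
        print(" ", describe(subnet))
    second_level = split(first_level[-1], 30)
    print(f"{first_level[-1]} further split into {len(second_level)} /30 links "
          f"of {usable_hosts(second_level[0])} hosts each")
    print("summary of all /27s:", summarize(first_level))
```

Summarizing the eight /27s gives back 172.16.14.0/24, the single address a routing protocol would advertise for them; two adjacent /27s collapse to a /26, while non-adjacent ones stay separate, which is why address planning matters for summarization.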
Summary
  • Basic IP Addressing
  • Subnetting concepts
  • Calculate Subnets, host Addresses and broadcast IDs
  • VLSM concepts and Route Summarization
Agenda
  • Overview
  • Cisco IOS Software Features and Functions
  • Starting up Cisco Network Routers and Switches
  • Cisco IOS Command-Line Interface Functions
  • Entering the EXEC Modes
  • Entering Configuration Mode
  • Using the CLI to configure and test Routers and Switches
  • Summary
Cisco IOS Software CLI

A common interface for managing Cisco devices.
  • Features to carry the chosen network protocols and functions
  • Connectivity for high-speed traffic between devices
  • Security to control access and prohibit unauthorized network use
  • Scalability to add interfaces and capability as needed for network growth
  • Reliability to ensure dependable access to networked resources
Initial Startup of Routers and Switches

System startup routines initiate device software.

Switch: Initial startup uses default configuration parameters.
Configuring Network Devices
  • Configuration sets up the device with the following:
    • Network policy of the functions required
    • Protocol addressing and parameter settings
    • Options for administration and management
  • A Catalyst switch memory has initial configuration with default settings.
  • A Cisco router will prompt for initial configuration if there is no configuration previously saved in memory.
Cisco IOS User Interface Functions
  • A CLI is used to enter commands.
  • Specific operations vary on different internetworking devices.
  • Users type or paste entries in the console command modes.
  • Command modes have distinctive prompts.
  • The <Enter> key instructs the device to parse and execute the command.
  • Two primary EXEC modes are User Mode and Privileged Mode.
Cisco IOS Software EXEC Mode (User)
  • There are two main EXEC modes for entering commands.
Privileged-Mode Command List

You can complete a command string by entering the unique character string, then pressing the Tab key.

Configuration Mode

Third mode – Configuration mode:
  • Global configuration mode
    • wg_sw_a#configure terminal
    • wg_sw_a(config)#
  • Interface configuration mode
    • wg_sw_a(config)#interface e0/1
    • wg_sw_a(config-if)#
  • Other configuration modes also exist (line configuration, routing configuration, etc.).
Enhanced Editing Commands

Router>Shape the future of internetworking by creating unpreced

  • Shape the future of internetworking by creating unprecedented value for customers, employees, and partners.
show running-config and show startup-config Commands
  • Displays the current and saved configuration
Summary
  • The Cisco switch or router has considerable configuration and testing capabilities and can be configured using the Command Line Interface (CLI).
  • A switch or router can be configured from a local terminal connected to the console port or from a remote terminal connected via a modem connection to the auxiliary port.
  • The CLI is used by network administrators to monitor and to configure various Cisco IOS devices. CLI also offers a help facility to aid network administrators with the verification and configuration commands.
  • The CLI supports two EXEC modes: user and privileged. The privileged EXEC mode provides more functionality than the user EXEC mode.
Summary (Cont.)
  • From the privileged EXEC mode, the global configuration mode can be entered, providing access to other configuration modes such as the interface configuration mode or line configuration mode.
  • The CLI will be used to configure the router name, password, and other console commands.
  • Interface characteristics such as the IP address and bandwidth are configured using the interface configuration mode.
  • When the router configuration has been completed, it can be verified by using show commands.
  • Always remember to save your configuration!
Router Operations

To route packets, a router needs to do the following:
  • Know the destination address
  • Identify the sources from which the router can learn
  • Discover possible routes to the intended destination
  • Select the best route
  • Maintain and verify routing information
Router Operations (Cont.)
  • The Router knows only the networks it is directly connected to. It must learn all other destinations.
Static Routes vs. Dynamic Routes

Two different ways of learning routes to remote networks:
  • Static Routes – A network administrator enters them into the router manually.
  • Dynamic Routes – Learned by routing protocols and added to the routing table. Dynamic routes are adjusted automatically for topology or traffic changes.

Static Route Configuration

Router(config)#ip route network [mask] {address | interface} [distance] [permanent]

  • Defines a path to an IP destination network or subnet or host by specifying the next hop router interface IP address.
  • Address = IP address of the next hop router
  • Interface = outbound interface of the local router
Static Route Example

RouterX(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.1

or

Router(config)#ip route 172.16.1.0 255.255.255.0 s0/0/0

  • This is a unidirectional route. You must have a route configured in the opposite direction.
Verifying the Static Route Configuration

RouterA(config)#ip route 172.16.1.0 255.255.255.0 Serial0/0 172.16.2.1

RouterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.1.0 [1/0] via 172.16.2.1, Serial0/0
C       172.16.2.0 is directly connected, Serial0/0

A special case: Default Routes
  • This route allows the stub network to reach all known networks beyond router A.
Static Routes: Benefits and Disadvantages

Benefits:
  • No overhead on the router CPU
  • No bandwidth usage between routers
  • Security and control

Disadvantages:
  • Administrative burden
  • Not practical in large networks
  • By default it is not conveyed to other routers as part of an update process

Dynamic Routing Configuration

Router(config)#router protocol [keyword]
  • Defines an IP routing protocol

Router(config-router)#network network-number
  • Mandatory configuration command for each IP routing process
  • Identifies the physically connected network to which routing updates are forwarded
RIP Overview
  • Hop-count metric selects the path.
  • Routes update every 30 seconds.

(Diagram: links of 19.2 kbps and T1 between the routers)

RIP Configuration

Router(config)#router rip
  • Starts the RIP routing process.

Router(config-router)#network network-number
  • Selects participating attached networks.
  • Requires a major classful network number.
RIP Configuration Example

(Diagram: Router A e0 172.16.1.1 on 172.16.1.0 and s2 10.1.1.1; Router B s2 10.1.1.2 and s3 10.2.2.2; Router C s3 10.2.2.3 and e1 192.168.1.1 on 192.168.1.0)

Router A:
router rip
 network 172.16.0.0
 network 10.0.0.0

Router B:
router rip
 network 10.0.0.0

Router C:
router rip
 network 192.168.1.0
 network 10.0.0.0

Configuring EIGRP

Router(config)#router eigrp autonomous-system

  • Defines EIGRP as the IP routing protocol

Router(config-router)#network network-number

  • Selects participating attached networks
Configuring Single-Area OSPF

RouterX(config)#router ospf process-id
  • Defines OSPF as the IP routing protocol

RouterX(config-router)#network address wildcard-mask area area-id
  • Assigns networks to a specific OSPF area
Verifying the OSPF Configuration

RouterX# show ip protocols
  • Verifies that OSPF is configured

RouterX# show ip route
  • Displays all the routes learned by the router

RouterX# show ip route
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived,
       C - connected, S - static, E - EGP derived, B - BGP derived,
       E2 - OSPF external type 2 route, N1 - OSPF NSSA external type 1 route,
       N2 - OSPF NSSA external type 2 route
Gateway of last resort is 10.119.254.240 to network 10.140.0.0
O    10.110.0.0 [110/5] via 10.119.254.6, 0:01:00, Ethernet2
O IA 10.67.10.0 [110/10] via 10.119.254.244, 0:02:22, Ethernet2
O    10.68.132.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O    10.130.0.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O E2 10.128.0.0 [170/10] via 10.119.254.244, 0:02:22, Ethernet2
. . .

Verifying the OSPF Configuration (Cont.)

RouterX#show ip ospf
  • Displays the OSPF router ID, timers, and statistics

RouterX# show ip ospf
 Routing Process "ospf 50" with ID 10.64.0.2
<output omitted>
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
    Area BACKBONE(0)
        Area has no authentication
        SPF algorithm last executed 00:01:25.028 ago
        SPF algorithm executed 7 times
<output omitted>

Verifying the OSPF Configuration (Cont.)

RouterX# show ip ospf interface
  • Displays the area ID and adjacency information

RouterX#show ip ospf interface ethernet 0
Ethernet 0 is up, line protocol is up
  Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0
  AS 201, Router ID 192.168.99.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State OTHER, Priority 1
  Designated Router id 192.168.254.10, Interface address 192.168.254.10
  Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28
  Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5
    Hello due in 0:00:05
  Neighbor Count is 8, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.254.28 (Backup Designated Router)
    Adjacent with neighbor 192.168.254.10 (Designated Router)

Verifying the OSPF Configuration (Cont.)

RouterX# show ip ospf neighbor
  • Displays the OSPF neighbor information on a per-interface basis

RouterX#show ip ospf neighbor
ID              Pri  State         Dead Time  Address         Interface
10.199.199.137    1  FULL/DR       0:00:31    192.168.80.37   FastEthernet0/0
172.16.48.1       1  FULL/DROTHER  0:00:33    172.16.48.1     FastEthernet0/1
172.16.48.200     1  FULL/DROTHER  0:00:33    172.16.48.200   FastEthernet0/1
10.199.199.137    5  FULL/DR       0:00:33    172.16.48.189   FastEthernet0/1

Verifying the OSPF Configuration (Cont.)

RouterX# show ip ospf neighbor 10.199.199.137
Neighbor 10.199.199.137, interface address 192.168.80.37
    In the area 0.0.0.0 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 0:00:32
    Link State retransmission due in 0:00:04
Neighbor 10.199.199.137, interface address 172.16.48.189
    In the area 0.0.0.0 via interface Fddi0
    Neighbor priority is 5, State is FULL
    Options 2
    Dead timer due in 0:00:32
    Link State retransmission due in 0:00:03

OSPF debug Commands

RouterX# debug ip ospf events
OSPF:hello with invalid timers on interface Ethernet0
    hello interval received 10 configured 10
    net mask received 255.255.255.0 configured 255.255.255.0
    dead interval received 40 configured 30

OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117
      aid:0.0.0.0 chk:6AB2 aut:0 auk:

RouterX# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

Routing Protocols vs. Routed Protocols
  • Routing protocols exchange messages between routers to determine paths, build and maintain routing tables.
  • Examples: RIP, IGRP, OSPF
  • After the path is determined, a router can route or forward packets defined by a routed protocol.
  • Examples: IP, IPX
Selecting the most “trustworthy” routing protocol using Administrative Distance:
  • The lowest Administrative Distance is preferred.
  • The Administrative Distance is locally configured and is not exchanged between routers.
Selecting the Best Route using Metrics
  • The route with the lowest metric is selected and added to the routing table.
  • If the best route becomes unavailable, the next lowest metric route is selected to replace it.
Examination of the IP Routing Table

RouterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.1.0 [120/1] via 172.16.2.1, 00:00:09, Serial0/0
C       172.16.2.0 is directly connected, Serial0/0
     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
C       10.1.14.0/24 is directly connected, FastEthernet0/0
C       10.1.13.0/29 is directly connected, FastEthernet0/1
S       10.1.2.0/24 [1/0] via 172.16.2.1, Serial0/0
O       10.1.4.4/32 [110/2] via 10.1.14.4, 15:02:19, FastEthernet0/0
O       10.1.3.3/32 [110/2] via 10.1.13.3, 15:02:20, FastEthernet0/1
C       10.1.1.1/32 is directly connected, Loopback0
O       10.1.34.0/28 [110/2] via 10.1.13.3, 15:02:20, FastEthernet0/1
                     [110/2] via 10.1.14.4, 15:02:20, FastEthernet0/0
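The routing-table slides above (static route verification, administrative distance, metrics and this table) described in code, as an added example that is not part of the original deck: a parser for the `show ip route` output shown on this page, producing one record per route with its code, prefix and one or more paths ([administrative distance/metric], next hop, interface), plus a lookup that applies longest-prefix match first and then the lowest administrative distance and metric, as the slides describe. The parser handles only the three line shapes that appear on this page (a classful "is subnetted" header whose children inherit the mask, a "variably subnetted" header whose children carry their own mask, and indented continuation lines for equal-cost paths); the sample text is constructed from the table above, and the function and class names are the example's own. Checking a collected table against an expected set of static routes in this way is a cheap way to spot unplanned route changes.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the "Examination of the IP Routing Table" slide.
SAMPLE_SHOW_IP_ROUTE = """\
RouterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.1.0 [120/1] via 172.16.2.1, 00:00:09, Serial0/0
C       172.16.2.0 is directly connected, Serial0/0
     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
C       10.1.14.0/24 is directly connected, FastEthernet0/0
C       10.1.13.0/29 is directly connected, FastEthernet0/1
S       10.1.2.0/24 [1/0] via 172.16.2.1, Serial0/0
O       10.1.4.4/32 [110/2] via 10.1.14.4, 15:02:19, FastEthernet0/0
O       10.1.3.3/32 [110/2] via 10.1.13.3, 15:02:20, FastEthernet0/1
C       10.1.1.1/32 is directly connected, Loopback0
O       10.1.34.0/28 [110/2] via 10.1.13.3, 15:02:20, FastEthernet0/1
                     [110/2] via 10.1.14.4, 15:02:20, FastEthernet0/0
"""


@dataclass
class Path:
    admin_distance: int        # the [AD/metric] pair; connected routes are 0/0
    metric: int
    next_hop: str | None       # None for directly connected routes
    interface: str


@dataclass
class Route:
    code: str                  # IOS code column, e.g. "C", "S", "R", "O IA"
    network: ipaddress.IPv4Network
    paths: list[Path] = field(default_factory=list)


@dataclass
class RoutingTable:
    routes: list[Route] = field(default_factory=list)
    gateway_of_last_resort: str | None = None


_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
_PARENT = re.compile(r"^\s*(\S+)/(\d+) is (?:variably )?subnetted")
_VIA = re.compile(r"\[(\d+)/(\d+)\] via (\S+?),(?: [\d:]+,)? (\S+)")
_GATEWAY = re.compile(r"Gateway of last resort is (\S+) to network")


def _path_from_via(m: re.Match) -> Path:
    return Path(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def parse_show_ip_route(text: str) -> RoutingTable:
    table = RoutingTable()
    parent_prefixlen = None                 # mask inherited from an "is subnetted" header
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := _GATEWAY.search(line):
            table.gateway_of_last_resort = m.group(1)
            continue
        if m := _PARENT.match(line):
            parent_prefixlen = int(m.group(2))
            continue
        if line.lstrip().startswith("["):   # continuation: another path for the previous route
            if (via := _VIA.search(line)) and table.routes:
                table.routes[-1].paths.append(_path_from_via(via))
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if _IPV4.match(t)), None)
        if idx is None:
            continue                        # prompt, "Codes:" legend, "not set" line
        net_text = tokens[idx]
        if "/" not in net_text:
            if parent_prefixlen is None:
                continue
            net_text = f"{net_text}/{parent_prefixlen}"
        route = Route(" ".join(tokens[:idx]), ipaddress.ip_network(net_text, strict=False))
        rest = " ".join(tokens[idx + 1:])
        if rest.startswith("is directly connected"):
            route.paths.append(Path(0, 0, None, tokens[-1]))
        elif via := _VIA.search(rest):
            route.paths.append(_path_from_via(via))
        table.routes.append(route)
    return table


def best_route(table: RoutingTable, destination: str) -> Route | None:
    """Longest prefix wins; ties go to the lowest administrative distance, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table.routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen,
                                          min((p.admin_distance for p in r.paths), default=255),
                                          min((p.metric for p in r.paths), default=2 ** 32)))


if __name__ == "__main__":
    table = parse_show_ip_route(SAMPLE_SHOW_IP_ROUTE)
    for route in table.routes:
        print(f"{route.code:<5}{route.network!s:<18}", [(p.admin_distance, p.metric, p.next_hop, p.interface) for p in route.paths])
    for dst in ("10.1.34.5", "172.16.1.9", "192.0.2.1"):
        hit = best_route(table, dst)
        print(dst, "->", hit.network if hit else "no route (and no gateway of last resort)")
```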

Classful Routing Overview
  • Classful routing protocols do not include the subnet mask with the route advertisement.
  • Within the same network, consistency of the subnet masks is assumed (all subnet masks must be of the same length).
  • Summary routes are exchanged between foreign networks.
  • Examples of classful routing protocols:
    • RIP version 1 (RIPv1)
    • IGRP
Classless Routing Overview
  • Classless routing protocols include the subnet mask with the route advertisement.
  • Classless routing protocols support variable-length subnet mask (VLSM).
  • Summary routes can be manually controlled within the network.
  • These are examples of classless routing protocols:
    • RIP version 2 (RIPv2)
    • EIGRP
    • OSPF
    • IS-IS
L2 Devices
  • Bridge
    • Software-based L2 device
    • Learns MAC addresses
    • Segments LANs
    • Floods broadcasts
    • Filters frames
    • Usually fewer than 16 ports
  • Switch
    • Hardware-based L2 device
    • Learns MAC addresses
    • Builds a CAM table
    • Single station or LAN segment on each port
    • Floods broadcasts
    • Can have 100 or more ports
Layer 2 Switching Logic
  • A frame is received:
    • Destination – Multicast or Broadcast: Flood
    • Destination – Unknown Unicast: Flood
    • Destination – Unicast in MAC Table: Forward (out the different port)
    • Destination – Unicast – Same Port: Filter
Ethernet Switches and Bridges
  • Address learning
  • Forward/filter decision
  • Loop avoidance
Transmitting Frames
  • Cut-Through – Switch checks destination address and immediately begins forwarding frame.
  • Store and Forward – Complete frame is received and checked before forwarding.
  • Fragment-Free – Switch checks the first 64 bytes, then immediately begins forwarding frame.
MAC Address Table
  • Initial MAC address table is empty.
Learning Addresses
  • Station A sends a frame to station C.
  • Switch caches the MAC address of station A to port E0 by learning the source address of data frames.
  • The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded).
Learning Addresses (Cont.)
  • Station D sends a frame to station C.
  • Switch caches the MAC address of station D to port E3 by learning the source address of data frames.
  • The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded).
Filtering Frames
  • Station A sends a frame to station C.
  • Destination is known; frame is not flooded.
Broadcast and Multicast Frames
  • Station D sends a broadcast or multicast frame.
  • Broadcast and multicast frames are flooded to all ports other than the originating port.
Port Security

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
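The switching logic, address learning, filtering and broadcast slides above, together with this port-security configuration, as one added example that is not part of the original deck: a small Python model of a switch that learns source MAC addresses into its table, floods unknown unicasts and group addresses, forwards known unicasts out a single port, filters frames whose destination is on the ingress port, and enforces `switchport port-security maximum 1` with `violation shutdown` by err-disabling the port on the second MAC address seen. The station MAC addresses and port names are constructed for the example, and the class and method names are the example's own; a real switch also ages table entries, which this model leaves out.

```python
BROADCAST_MAC = "ffff.ffff.ffff"

# Constructed station addresses for the walk-through (Cisco dotted notation).
MAC_A, MAC_B, MAC_C, MAC_D = "0000.0c00.000a", "0000.0c00.000b", "0000.0c00.000c", "0000.0c00.000d"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return bool(int(mac[:2], 16) & 1)


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port (the CAM table), empty at start
        self.max_secure = {}         # port -> 'switchport port-security maximum'
        self.secure_macs = {}        # port -> MACs secured on that port
        self.err_disabled = set()    # ports shut down by a security violation
        self.violations = []         # (port, offending MAC) log entries

    def configure_port_security(self, port: str, maximum: int = 1) -> None:
        """switchport port-security maximum <n> / violation shutdown."""
        self.max_secure[port] = maximum
        self.secure_macs[port] = set()

    def _port_security_allows(self, port: str, mac: str) -> bool:
        secured = self.secure_macs[port]
        if mac in secured:
            return True
        if len(secured) < self.max_secure[port]:
            secured.add(mac)                  # first MAC(s) become the secure addresses
            return True
        # Violation mode shutdown: the port goes err-disabled and its MAC entries are dropped.
        self.violations.append((port, mac))
        self.err_disabled.add(port)
        self.mac_table = {m: p for m, p in self.mac_table.items() if p != port}
        return False

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> list:
        """Return the list of egress ports for the frame ([] means filtered or dropped)."""
        if in_port in self.err_disabled:
            return []
        if in_port in self.max_secure and not self._port_security_allows(in_port, src_mac):
            return []
        self.mac_table[src_mac] = in_port     # address learning from the source MAC
        if is_group_address(dst_mac) or dst_mac not in self.mac_table:
            # Broadcast/multicast and unknown unicast: flood out every other active port.
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:
            return []                         # destination is on the same segment: filter
        return [out_port]                     # known unicast: forward out one port


if __name__ == "__main__":
    sw = Switch(["E0", "E1", "E2", "E3"])
    print("A -> C (unknown):", sw.receive("E0", MAC_A, MAC_C))
    print("D -> C (unknown):", sw.receive("E3", MAC_D, MAC_C))
    print("C -> A (known):  ", sw.receive("E2", MAC_C, MAC_A))
    print("A -> C (known):  ", sw.receive("E0", MAC_A, MAC_C))
    print("D -> broadcast:  ", sw.receive("E3", MAC_D, BROADCAST_MAC))
    secure = Switch(["E0", "E1"])
    secure.configure_port_security("E0", maximum=1)
    secure.receive("E0", MAC_A, MAC_C)
    print("second MAC on E0:", secure.receive("E0", MAC_B, MAC_C), "violations:", secure.violations)
```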

Spanning-Tree Protocol
  • Provides a loop-free redundant network topology by placing certain ports in the blocking state.

Spanning-Tree Operation
  • One root bridge per network
  • One root port per nonroot bridge
  • One designated port per segment
  • Nondesignated ports are unused

Spanning-Tree Protocol Root Bridge Selection
  • BPDU = Bridge Protocol Data Unit (default = sent every two seconds)
  • Root bridge = Bridge with the lowest bridge ID
  • Bridge ID =
  • In the example, which switch has the lowest bridge ID?
Spanning-Tree

Switch#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96DC.1A62
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32770 sys-id-ext 1)
             Address     0010.1116.A3A4
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.3    Shr
Fa0/2            Root FWD 19        128.3    Shr

Switch(config)#spanning-tree vlan 1 priority 4096
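Root bridge selection from the two slides above, as an added example that is not part of the original deck: a Python script that pulls the Root ID and Bridge ID out of `show spanning-tree` output, compares bridge IDs the way the election does (lowest priority first, lowest MAC address as the tie-breaker), and shows the effect of `spanning-tree vlan 1 priority 4096` on the local bridge ID. The sample output is constructed from the slide (with the configured priority written as 32768 so that 32768 + sys-id-ext 1 = 32769); the switch names and function names are the example's own. Comparing the parsed Root ID against the switch you intend to be root is a quick check that an unexpected device has not taken over the root role.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the show spanning-tree vlan 1 output on this slide.
SAMPLE_SHOW_SPANNING_TREE = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.96DC.1A62
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0010.1116.A3A4
             Aging Time  300
"""


@dataclass(frozen=True)
class BridgeId:
    priority: int    # configured priority + sys-id-ext (the VLAN number)
    mac: str         # base MAC in Cisco dotted notation, lower-cased

    def sort_key(self):
        # Lowest priority wins; the numerically lowest MAC address breaks ties.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def is_valid_priority(priority: int) -> bool:
    """IOS accepts only multiples of 4096 from 0 to 61440 for the configured priority."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def with_configured_priority(bridge: BridgeId, priority: int, vlan: int) -> BridgeId:
    """Effect of 'spanning-tree vlan <vlan> priority <priority>' on the bridge ID."""
    if not is_valid_priority(priority):
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return BridgeId(priority + vlan, bridge.mac)


def elect_root(bridges: dict) -> str:
    """Root bridge = the bridge with the lowest bridge ID; returns its name."""
    return min(bridges, key=lambda name: bridges[name].sort_key())


_ROOT = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9A-Fa-f.]+)")
_BRIDGE = re.compile(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9A-Fa-f.]+)", re.S)


def parse_show_spanning_tree(output: str) -> dict:
    """Extract the root and local bridge IDs; the switch is root when the two are equal."""
    root = _ROOT.search(output)
    bridge = _BRIDGE.search(output)
    if not root or not bridge:
        raise ValueError("could not find Root ID / Bridge ID in output")
    root_id = BridgeId(int(root.group(1)), root.group(2).lower())
    bridge_id = BridgeId(int(bridge.group(1)), bridge.group(2).lower())
    return {"root": root_id, "bridge": bridge_id, "is_root": root_id == bridge_id}


if __name__ == "__main__":
    info = parse_show_spanning_tree(SAMPLE_SHOW_SPANNING_TREE)
    print("root:", info["root"], "local:", info["bridge"], "is root:", info["is_root"])
    bridges = {"SwA": info["root"], "SwB": info["bridge"]}
    print("root before:", elect_root(bridges))
    bridges["SwB"] = with_configured_priority(info["bridge"], 4096, vlan=1)
    print("root after 'spanning-tree vlan 1 priority 4096' on SwB:", elect_root(bridges))
```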

VTP Modes
  • Server
    • Creates VLANs
    • Modifies VLANs
    • Deletes VLANs
    • Sends/forwards advertisements
    • Synchronizes
    • Saved in NVRAM
  • Transparent
    • Creates VLANs
    • Modifies VLANs
    • Deletes VLANs
    • Forwards advertisements
    • Does not synchronize
    • Saved in NVRAM
  • Client
    • Forwards advertisements
    • Synchronizes
    • Not saved in NVRAM
VTP Operation
  • VTP advertisements are sent as multicast frames.
  • VTP servers and clients are synchronized to the latest revision number.
  • VTP advertisements are sent every 5 minutes or when there is a change.
Objectives
  • Explain the difference between public and private IP addresses
  • Summarize three problems with IP addressing that NAT and PAT solve
  • Describe the basic functionality of NAT and NAT Overloading (PAT)
  • Identify the differences between Static and Dynamic Translations
  • Configure Static and Dynamic NAT
  • Configure NAT Overloading (PAT)
  • Verify NAT and PAT Operation
IP Addressing Review
  • Class A: 0 | Network ID (7 bits) | Node ID (24 bits) – 1.0.0.0 - 127.255.255.255
  • Class B: 10 | Network ID (14 bits) | Node ID (16 bits) – 128.0.0.0 - 191.255.255.255
  • Class C: 110 | Network ID (21 bits) | Node ID (8 bits) – 192.0.0.0 - 223.255.255.255
  • Class D: 1110 | Multicast Group ID (28 bits) – 224.0.0.0 - 239.255.255.255 (Multicasts)
  • Class E: 11110 | Reserved for Future Use (27 bits) – 240.0.0.0 - 254.255.255.255 (Experimental Use)

IP Addressing – Private Addresses

“Reserved/Private” Addresses exist in the first three classes of IP Addresses.
  • Class A: 10.0.0.0 – 10.255.255.255
  • Class B: 172.16.0.0 – 172.31.255.255
  • Class C: 192.168.0.0 – 192.168.255.255

These addresses are not globally routable through the public Internet.

Not Enough IP Addresses
  • Public IP address space (non-reserved/private) is limited and obtaining a large block of registered addresses is difficult and expensive.

(Diagram: Your Home Network – ISP Rtr – Internet)
“Hey, I need some IP Addresses for my network. How about something in the Class-B range so I can grow in the future?”
“Are you crazy?? All I can give you is a little subnet of a Class-C network. Be happy with that!”

I Can See You!!
  • Internal network (layout/addressing/design) shouldn’t be visible to external (ex. Internet) users.

(Diagram: Your Home Network – ISP Rtr 160.1.1.1 – Internet; an outside party says: “I can see your IP Address! I’ve got you now! Time to attack!!”)

NAT Networks – Inside / Outside
  • NAT translates the source and/or destination IP addresses from packets on the inside network to different IP addresses on the outside network.

(Diagram: Inside network – NAT Rtr – Outside network)

Configuring Static Translations

Router(config)# ip nat inside source static local-ip global-ip

  • Establishes static translation between an inside local address and an inside global address

Router(config-if)# ip nat inside

  • Marks the interface as connected to the inside

Router(config-if)# ip nat outside

  • Marks the interface as connected to the outside
Enabling Static NAT Address Mapping Example

(Diagram: inside host 10.1.1.2, whose source address (SA) is translated to 193.50.1.2; router serial0 193.50.1.1)

interface serial0
 ip address 193.50.1.1 255.255.255.0
 ip nat outside
!
interface ethernet 0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 193.50.1.2

Dynamic Translations – Pros and Cons
  • Pros – Conserves addresses. Outside Local addresses get aged out and can be reused after inactivity timer expires.
  • Cons – No ability for outside hosts to initiate conversations.

Dynamic Translation Table (IL = Inside Local, IG = Inside Global):
  10.0.0.1 = 80.0.0.3
  10.0.0.2 = 80.0.0.4

Pool of addresses for NAT: 80.0.0.3 – 80.0.0.6

(Diagram: Inside network hosts 10.0.0.1 – 10.0.0.6 behind a switch; NAT Rtr with outside address 80.0.0.2; Outside network)

Configuring Dynamic Translations

Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

  • Defines a pool of global addresses to be allocated as needed.

Router(config)# access-list access-list-number permit source [source-wildcard]

  • Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)# ip nat inside source list access-list-number pool name

  • Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
Dynamic Address Translation Example

ip nat pool net-208 171.69.233.209 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 1 pool net-208
!
interface serial0
 ip address 172.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 0
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255

NAT Overloading - PAT
  • NAT Overloading (PAT):
    • All inside devices get translated to the SAME Inside Global address on the NAT Router.
    • The Source Port number differentiates traffic.
  • How the NAT Router chooses the source port number:
    • The NAT Router will attempt to preserve the original source port number if it is not already in use.
    • If the Source Port number is already in use, another, unused source port number will be selected from the following ranges: 0-511, 512-1023, 1024-65535
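The port selection rule just described, as an added example that is not part of the original deck: a Python model of a PAT translation table in which every inside host shares one inside global address, the original source port is kept when it is free, and otherwise the next unused port is taken from the same range (0-511, 512-1023 or 1024-65535). The reverse lookup for replies is keyed on the translated port, so an inbound packet with no matching entry is dropped, which is the "outside hosts cannot initiate conversations" point from the dynamic translation slide. The inside global address 172.17.38.1 and inside hosts 192.168.3.7 and 192.168.4.12 come from the PAT configuration example in this deck; the outside addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass

PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))   # ranges from the slide


@dataclass(frozen=True)
class Translation:
    protocol: str
    inside_local: str            # private address of the inside host
    inside_local_port: int
    inside_global: str           # the one shared address on the outside interface
    inside_global_port: int      # the port that distinguishes this host's traffic
    outside_global: str
    outside_global_port: int


class PatTable:
    def __init__(self, inside_global: str):
        self.inside_global = inside_global
        self._by_inside = {}     # (proto, src, sport, dst, dport) -> Translation
        self._by_outside = {}    # (proto, global port, dst, dport) -> Translation
        self._used_ports = {}    # proto -> set of inside-global ports already allocated

    def _choose_global_port(self, protocol: str, wanted: int) -> int:
        """Preserve the original source port if free; else the next free port in its range."""
        used = self._used_ports.setdefault(protocol, set())
        if wanted not in used:
            return wanted
        lo, hi = next(r for r in PORT_RANGES if r[0] <= wanted <= r[1])
        size = hi - lo + 1
        for offset in range(1, size):              # walk the range, wrapping around
            candidate = lo + (wanted - lo + offset) % size
            if candidate not in used:
                return candidate
        raise RuntimeError(f"no free {protocol} port left in range {lo}-{hi}")

    def outbound(self, protocol, src_ip, src_port, dst_ip, dst_port) -> Translation:
        """Inside -> outside: reuse the existing entry or create a new one."""
        key = (protocol, src_ip, src_port, dst_ip, dst_port)
        if key in self._by_inside:
            return self._by_inside[key]
        global_port = self._choose_global_port(protocol, src_port)
        entry = Translation(protocol, src_ip, src_port, self.inside_global, global_port, dst_ip, dst_port)
        self._by_inside[key] = entry
        self._by_outside[(protocol, global_port, dst_ip, dst_port)] = entry
        self._used_ports[protocol].add(global_port)
        return entry

    def inbound(self, protocol, dst_port, src_ip, src_port):
        """Outside -> inside: only packets matching an existing entry are translated."""
        return self._by_outside.get((protocol, dst_port, src_ip, src_port))

    def show_translations(self) -> list:
        """Lines in the spirit of 'show ip nat translations'."""
        lines = ["Pro  Inside global         Inside local          Outside local         Outside global"]
        for t in self._by_inside.values():
            ig = f"{t.inside_global}:{t.inside_global_port}"
            il = f"{t.inside_local}:{t.inside_local_port}"
            og = f"{t.outside_global}:{t.outside_global_port}"
            lines.append(f"{t.protocol:<4} {ig:<21} {il:<21} {og:<21} {og}")
        return lines


if __name__ == "__main__":
    pat = PatTable("172.17.38.1")
    pat.outbound("tcp", "192.168.3.7", 1025, "198.51.100.10", 80)   # keeps port 1025
    pat.outbound("tcp", "192.168.4.12", 1025, "198.51.100.10", 80)  # 1025 taken -> 1026
    print("\n".join(pat.show_translations()))
    print("reply to :1026 goes to", pat.inbound("tcp", 1026, "198.51.100.10", 80).inside_local)
    print("unsolicited inbound:", pat.inbound("tcp", 443, "198.51.100.10", 12345))
```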
Configuring Overloading

Router(config)# access-list access-list-number permit source source-wildcard

  • Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)# ip nat inside source list access-list-number interface interface overload

  • IP address configured on interface (in command above) will be used as the Overloaded address.
  • Establishes dynamic source translation, specifying the ACL that was defined in the prior step
PAT / NAT Overload Config Example

[Diagram: host 192.168.3.7 behind a switch on E0 (192.168.3.1) and host 192.168.4.12 behind a switch on E1 (192.168.4.1); S0 (172.17.38.1) faces the Internet]

interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 172.17.38.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255

Clearing the NAT Translation Table

Router# clear ip nat translation *

  • Clears all dynamic address translation entries

Router# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

  • Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

Router# clear ip nat translation outside local-ip global-ip

  • Clears a simple dynamic translation entry that contains an outside translation

Router# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

  • Clears an extended dynamic translation entry
Displaying Information with ‘show’ Commands

Router# show ip nat translations

  • Displays active translations

Router# show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router# show ip nat statistics

  • Displays translation statistics

Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2.7
Inside interfaces: Ethernet1
Hits: 5  Misses: 0
…

Objectives
  • Upon completion, you will be able to:
    • Identify the two types of IP access control lists.
    • Describe typical uses for IP access lists.
    • Understand access-list related terms and concepts.
    • Configure a standard IP ACL.
What Are IP Access Control Lists?
  • A Cisco IOS feature
  • A sequential list of “permit” or “deny” statements that allow or block routed traffic.
  • Block unwanted traffic, inbound or outbound:
    • Basic network security
    • Bandwidth control
    • Enforce network policy

Permit the Good Stuff

  • The good side of the list shown above
Types of IP ACLs
  • Less common:
    • Lock and Key (dynamic ACLs)
    • Reflexive ACLs
    • Time-based ACLs using time ranges
    • Commented IP ACL entries
    • Context-based ACL
    • Authentication proxy
    • Named ACLs
    • Turbo ACLs
    • Distributed time-based ACLs
  • Most common (90%):
    • Standard ACLs
    • Extended ACLs
Standard IP ACL Syntax

access-list access-list-number {permit | deny} {host host-address | source source-wildcard | any}

  • Numbered 1 – 99
  • Only looks at the IP source address
  • Easiest to configure
  • Good for blocking traffic close to the destination device

Two Notes:

  • You cannot delete individual lines of a numbered access list. You must first remove the entire access list and re-create it.
  • Every ACL has an implicit ‘deny all’ statement as the last line of the ACL.
The ‘Infamous’ Wildcard Mask
  • The inverse of the subnet mask
  • 255.255.255.192 (SM) = 0.0.0.63 (WM)
  • Defines either the specific host or the size of the subnet to be permitted or denied by the ACL
  • How to calculate the wildcard mask?
      • Subtract the subnet mask from 255.255.255.255
      • Single host – (SM) 255.255.255.255 (WM) 0.0.0.0
      • Subnet with 16 addresses – (SM) 255.255.255.240 (WM) 0.0.0.15
      • Subnet with 64 addresses – (SM) 255.255.255.192 (WM) 0.0.0.63

access-list access-list-number {permit | deny} {host host-address | source source-wildcard | any}

The ‘Infamous’ Wildcard Mask (cont.)
  • Subnet with 16 addresses – (SM) 255.255.255.240
      •   255.255.255.255
      • – 255.255.255.240 (SM)
      • =   0.  0.  0. 15 (WM)

Two Basic Steps
  • Create the access control list, then…

Router(config)# access-list 8 deny 131.108.7.0 0.0.0.3
Router(config)# access-list 8 permit 131.108.2.0 0.0.0.255
Router(config)# access-list 8 permit any
(implicit last line: access-list 8 deny any)

  • Apply it to the correct interface

Router(config)# interface serial0
Router(config-if)# ip access-group 8 in
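
The wildcard-mask arithmetic from the previous slides and the top-down, first-match evaluation of access-list 8 (with its implicit deny), worked through in Python as an added illustration; this is not Cisco IOS code and not part of the original slides, and the ACL lines are the ones shown above.

```python
"""Standard IP ACL evaluation with wildcard masks.

Added illustration in Python, not Cisco IOS code. The ACL lines below are
the access-list 8 example from the slides; the evaluator checks only the
source address, as a standard ACL does, and applies the implicit deny.
"""
import ipaddress


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0


def parse_entry(line: str):
    """Parse 'access-list N {permit|deny} {any | host A | A W}'."""
    parts = line.split()
    action = parts[2]
    if parts[3] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[3] == "host":
        return action, parts[4], "0.0.0.0"
    wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # omitted mask = host
    return action, parts[3], wildcard


def evaluate(acl_lines, source_ip: str):
    """Top-down, first match wins; no match hits the implicit 'deny any'."""
    for line in acl_lines:
        action, network, wildcard = parse_entry(line)
        if wildcard_match(source_ip, network, wildcard):
            return action, line
    return "deny", "(implicit deny any)"


# access-list 8 from the slides
ACL_8 = [
    "access-list 8 deny 131.108.7.0 0.0.0.3",
    "access-list 8 permit 131.108.2.0 0.0.0.255",
    "access-list 8 permit any",
]
```

Dropping the final `permit any` line from ACL_8 shows why the implicit deny matters: every source outside 131.108.2.0/24 is then denied.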

Extended IP ACL Syntax

access-list access-list-number {permit | deny} protocol {host source | source source-wildcard | any} {host destination | destination destination-wildcard | any} [precedence precedence-name-or-number]

  • Numbered 100 – 199
  • Looks at both the IP source address and the destination address
  • Checks many IP layer (L3) and upper layer (L4) header fields
  • Good for blocking traffic anywhere, typically near the source
Applying Access Lists
  • To a specific interface:
    • Router(config-if)# ip access-group access-list-number {in | out}
ACL Guidelines
  • Use standard IP access lists when filtering near the destination
  • Use extended IP access lists when filtering on both the source and destination address and/or when you need to specify a protocol, ports, etc.
  • STEPS:
    • Create the ACL first, then apply it to an interface
  • Remember the implicit “deny all” at the end of every ACL
  • Carefully place your ACL…consider bandwidth, etc.
  • No editing or re-ordering of numbered ACLs (other than adding lines at the end)