SaigonLAB CCNA Module7 Va Module 8

8/10/2019 SaigonLAB CCNA Module7 Va Module 8

http://slidepdf.com/reader/full/saigonlab-ccna-module7-va-module-8 1/128

Bringing a True-long Stand Vocation

CCNACCNAwww.saigonlab.vn



Bringing a True-long Stand Vocation 2

www.saigonlab.vn

Module 7: NAT and ACLs

The purpose and types of ACLs1

Configure and apply an ACLs2

The basic operation of NAT3




www.saigonlab.vn

Lesson 1: The purpose and types ofACLs

ACL Overview ACL Applications

Types of ACLs ACL Operations ACL Statement Processing

Wildcard Mas ing Process




www.saigonlab.vn


W!y "se ACLs#

Manage $P traffic as networ access grows%ilter pac ets as t!ey pass t!ro&g! t!e ro&ter




www.saigonlab.vn


ACL Applications

Permit or deny pac ets moving t!ro&g! t!e ro&ter Permit or deny vty access to or from t!e ro&ter Wit!o&t ACLs' all pac ets co&ld (e transmitted onto allparts of yo&r networ




www.saigonlab.vn


Ot!er ACL "ses

pecial handling for traffic based on pac!et tests


http://slidepdf.com/reader/full/saigonlab-ccna-module7-va-module-8 7/128Bringing a True-long Stand Vocation 7

www.saigonlab.vn


Types of ACLs

Standard ACL) C!ec s so&rce address) *enerally permits or denies entire protocol s&ite

"#tended ACL) C!ec s so&rce and destination address) *enerally permits or denies specific protocols



www.saigonlab.vn


+ow to $dentify ACLs

Standard $P lists ,1-../ test conditions of all $Ppac ets from so&rce addresses0 tended $P lists ,1 -1../ test conditions ofso&rce and destination addresses' specificTCP $P protocols' and destination ports



www.saigonlab.vn


+ow to $dentify ACLsStandard $P lists ,13 -1.../ ,e panded range/0 tended $P lists ,2 -24../ ,e panded range/Ot!er ACL n&m(er ranges test conditions forot!er networ ing protocols5amed ACLs identify $P standard and e tended

ACLs wit! an alp!an&meric string ,name/



www.saigonlab.vn


Testing Pac ets wit! Standard ACLs




www.saigonlab.vn


Testing Pac ets wit! 0 tended ACLs




www.saigonlab.vn


O&t(o&nd ACL Operation

$f no ACL state%ent %atches& discard the pac!et

'utbound$nterfaces

(ac!et

(ac!et

Notify ender (ac!et)iscard*uc!et

$nbound$nterface

(ac!et




www.saigonlab.vn


A List of Tests6 7eny or Permit

(ac!et)iscard*uc!et

$nterface+s,

)estination

$f no Match deny All

(ac!et to $nterface+s, inthe Access -roup




www.saigonlab.vn


Wildcard 8its6 +ow to C!ec t!eCorresponding Address 8its

means c!ec val&e of corresponding address (it1 means ignore val&e of corresponding address (it




www.saigonlab.vn


Wildcard Bits to Match a Specific IPHost AddressChec! all of the address bits +%atch all,

erify an $( host address& for e#a%ple:

) 192:3 :14:2. : : : c!ec s all of t!e address (its) A((reviate t!is wildcard mas &sing t!e $P address

preceded (y t!e eyword !ost , !ost 192:3 :14:2. /

h d f




www.saigonlab.vn


Wildcard 8its to Matc! Any $P AddressTest conditions: $gnore all the address bits+%atch any,An $( host address& for e#a%ple:

) Accept any address: any) Abbreviate e#pression with !eyword / any 0

h d f




www.saigonlab.vn


Wildcard 8its to Matc! $P S&(netsChec! for $( subnets 17 .23. 14 .35 6 to17 .23. 21 .35 6

) Address and wildcard mas 6 192:3 :14:: :1;:2;;

L C fi d l




www.saigonlab.vn

Lesson : Configure and apply anACLs

$mplementing ACLs Config&ring Standard $P ACLs

Config&ring 0 tended $P ACLs "sing 5amed ACLs Config&ring vty ACLs

*&idelines for Placing ACLs <erifying t!e ACL Config&ration

L C fi d l




www.saigonlab.vn


ACL Config&ration *&idelines ACL n&m(ers indicate w!ic! protocol is filteredOne ACL per interface' per protocol' perdirection is allowedT!e order of ACL statements controls testingT!e most restrictive statements go at t!e top oft!e listT!e last ACL test is always an implicit deny anystatement' so every list needs at least onepermit statement

ACLs m&st (e created (efore applying t!em tointerfaces

ACLs filter traffic going t!ro&g! t!e ro&ter: ACLsdo not filter traffic originating from t!e ro&ter

L C fi d l




www.saigonlab.vn


ACL Commandtep 1: et para%eters for this ACL teststate%ent +which can be one of severalstate%ents,

tep : "nable an interface to use thespecified ACL

) Standard $P lists ,1-../) 0 tended $P lists ,1 -1../

outer+config,8access9list access-list-number

per%it ; deny< test conditions <

outer+config9if,8 protocol < access9groupaccess-list-number in ; out<

L C fi d l




www.saigonlab.vn


Standard $P ACL Config&ration

Sets parameters for t!is list entry$P standard ACLs &se 1 to ..

7efa&lt wildcard mas = : : :no access9list access-list-number removes entire ACLremar lets yo& add a description for t!e ACL

Activates t!e list on an interfaceSets in(o&nd or o&t(o&nd testing7efa&lt = o&t(o&ndno ip access9group access-list-number removes ACLfrom t!e interface

Router(config)#access-list access-list-number{permit | deny | remark} source [ mask ]

Router(config-if)#ip access-groupaccess-list-number {in | out}

L C fi d l




www.saigonlab.vn


Standard $P ACL - 0 ample 1

Permit my networ only

outer+config,8 access9list 1 per%it 17 .14.3.3 3.3. ==. ==+$%plicit deny all > not visible in the List,+access9list 1 deny 3.3.3.3 ==. ==. ==. ==,

outer+config,8 interface ethernet 3outer+config,8 ip access9group 1 outouter+config,8 interface ethernet 1outer+config,8 ip access9group 1 out

L C fi d l




www.saigonlab.vn



7eny a specific !ost

outer+config,8 access9list 1 deny 17 .14.6.12 3.3.3.3outer+config,8 access9list 1 per%it 3.3.3.3 ==. ==. ==. ==

+i%plicit e deny all,+access9list 1 deny 3.3.3.3 ==. ==. ==. ==,

outer+config,8 interface ethernet 3outer+config,8 ip access9group 1 out

L C fig d l




www.saigonlab.vn



7eny a specific s&(net

outer+config,8 access9list 1 deny 17 .14.6.3 3.3.3. ==outer+config,8 access9list 1 per%it any

+i%plicit e deny all,+access9list 1 deny 3.3.3.3 ==. ==. ==. ==,


L C fig d l




www.saigonlab.vn


0 tended $P ACL Config&ration

Sets parameters for t!is list entry

Activates t!e e tended list on an interface

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard[ operator port ] destination destination-wildcard

[ operator port ] [established] [log]

Router(config-if)#ip access-group access-list-number {in | out}

Lesson : Config re and appl an




www.saigonlab.vn


0 tended ACL - 0 ample 1

7eny %TP from s&(net 192:14:>: to s&(net 192:14:3: o&t 0Permit all ot!er traffic

outer+config,8 access9list 131 deny tcp 17 .14.6.3 3.3.3. == 17 .14.2.3 3.3.3. == e? 1outer+config,8 access9list 131 deny tcp 17 .14.6.3 3.3.3. == 17 .14.2.3 3.3.3. == e? 3outer+config,8 access9list 131 per%it ip any any

+i%plicit e deny all,

+access9list 1 deny 3.3.3.3 ==. ==. ==. == 3.3.3.3 ==. ==. ==. ==,


Lesson : Configure and apply an




www.saigonlab.vn


0 tended ACL - 0 ample 2

7eny only Telnet from s&(net 192:14:>: o&t 0Permit all ot!er traffic

outer+config,8 access9list 131 deny tcp 17 .14.6.3 3.3.3. == any e? 2outer+config,8 access9list 131 per%it ip any any

+i%plicit e deny all,






www.saigonlab.vn


"sing 5amed $P ACL

Alp!an&meric name string m&st (e &ni?&e

Permit or deny statements !ave no prepended n&m(er @no removes t!e specific test from t!e named ACL

Activates t!e named $P ACL on an interface

Router(config)#ip access-list {standard | e tended} name

Router(config {std- | e t-}nacl)#{permit | deny}{ip access list test conditions}{permit | deny} {ip access list test conditions}no {permit | deny} {ip access list test conditions}

Router(config-if)#ip access-group name {in | out}





www.saigonlab.vn


%iltering vty Access to a Bo&ter

%ive virt&al terminal lines , t!ro&g! >/%ilter addresses t!at can access t!e ro&ter vty ports%ilter vty access originating from t!e ro&ter





www.saigonlab.vn


+ow to Control vty Access

Set &p an $P address filter wit! a standard ACL statement

"se line config&ration mode to filter access wit! t!e access-class commandSet identical restrictions on every vty





www.saigonlab.vn


vty Commands

0nters config&ration mode for a vty or vty range

Bestricts incoming or o&tgoing vty connections foraddresses in t!e ACL

Router(config)#line !ty { vty# | vty-range }

Router(config-line)#access-class access-list-number {in | out}





www.saigonlab.vn


vty Access 0 ampleControlling $n(o&nd Access

) Permits only !osts in networ 1.2:14 :1:: : :2;; to connect to t!e ro&ter vty

access-list " permit "$ %"&'%"% % % %

(implicit deny any) *line !ty + access-class " in





www.saigonlab.vn


ACL Config&ration *&idelinesT!e order of ACL statements is cr&cial

) Becommended6 "se a te t editor on a PC to create t!e ACLstatements' t!en c&t and paste t!em into t!e ro&ter

) Top-down processing is important

) Place t!e more specific test statements firstStatements cannot (e rearranged or removed

) "se t!e no access9list nu%ber command to remove t!eentire ACL

) 0 ception6 5amed ACLs permit removal of individ&alstatements

$mplicit deny any will (e applied to all pac ets t!at donot matc! any ACL statement &nless t!e ACL endswit! an e plicit permit any statement





www.saigonlab.vn


W!ere to Place $P ACLs

Place standard ACLs close to t!e destinationPlace e tended ACLs close to t!e so&rce





www.saigonlab.vn


Monitoring ACL Statements, . $ #sho {protocol} access-list { access-list number }

, . $ #sho access-lists { access-list number }

g.ro.a# sho access-lists,tandard /0 access list " permit " % % %" permit " %1%1%" permit " %+%+%" permit " % % %"2 tended /0 access list " " permit tcp host " % % %" any e3 telnet permit tcp host " %11%11%" any e3 ftp permit tcp host " %++%++%" any e3 ftp-data"&




www.saigonlab.vn

Lesson 2: The basic operation of NAT

$ntrod&cing 5AT and PAT Translating $nside So&rce Addresses

Overloading an $nside *lo(al Address <erifying t!e 5AT and PAT Config&ration Tro&(les!ooting t!e 5AT and PAT Config&ration




www.saigonlab.vn


5etwor Address Translation

An $P address is eit!er local or glo(alLocal $P addresses are seen in t!e inside networ




www.saigonlab.vn


Port Address Translation




www.saigonlab.vn


Translating $nside So&rce Addresses




www.saigonlab.vn


Config&ring Static Translation

) 0sta(lis!es static translation (etween an insidelocal address and an inside glo(al address

) Mar s t!e interface as connected to t!e inside

) Mar s t!e interface as connected to t!e o&tside

Router(config)#ip nat inside source static local-ip global-ip

Router(config-if)#ip nat inside

Router(config-if)#ip nat outside




www.saigonlab.vn


0na(ling Static 5AT Address Mapping 0 ample

$nterface s3ip address 1@ .14 .1.1 ==. ==. ==.3

ip nat outsideB$nterface e3ip address 13.1.1.1 ==. ==. ==.3ip nat insideB$p nat inside source static 13.1.1. 1@ .14 .1.

h b f




www.saigonlab.vn


Config&ring 7ynamic Translation

7efines a pool of glo(al addresses to (e allocated as needed

7efines a standard $P ACL permitting t!ose inside localaddresses t!at are to (e translated

0sta(lis!es dynamic so&rce translation' specifying t!e ACL t!atwas defined in t!e prior step

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefi -length prefix-length }

Router(config)#access-list access-list-number permitsource [ source-wildcard ]

Router(config)#ip nat inside source listaccess-list-number pool name

h b f




www.saigonlab.vn


7ynamic Address Translation 0 ample$p nat pool net9 3 17 .4@. 22. 3@ 171.4@. 22. net%ar!

==. ==. ==. 63ip nat inside source list 1 pool net9 3B$nterfave serial 3 ip address 17 .4@. 2 .1 ==. ==. ==. 63 ip nat outsideB

$nterface ethernet 3 ip address 1@ .14 .1.@6 ==. ==. ==.3 ip nat insideBAccess9list 1 per%it 1@ .14 .1.3 3.3.3. ==

1@ .14 .1.@6 171.4@. 2 .1

"3 3

ost )17 .14 .1.1

ost C13.1.1.1

ost *1@ .14 .1.131

ost A1@ .14 .1.133

L 2 Th b i i f NAT




www.saigonlab.vn


Overloading an $nside *lo(al Address

L 2 Th b i i f NAT




www.saigonlab.vn


Config&ring Overloading

) 7efines a standard $P ACL t!at will permit t!e insidelocal addresses t!at are to (e translated

0sta(lis!es dynamic so&rce translation' specifyingt!e ACL t!at was defined in t!e prior step

Router(config)#ip nat inside source listaccess-list-number interface interface o!erload

Router(config)#access-list access-list-number permitsource source-wildcard

L 2 Th b i i f NAT




www.saigonlab.vn


Overloading an $nside *lo(al Address 0 ample

1@ .14 .6.1

1@ .14 .6.11@ .14 .2.1

1@ .14 .6.1

"3

"1 317 .17.2 .1

L 2 Th b i i f NAT




www.saigonlab.vn


7isplaying $nformation wit! s!ow Commands

7isplays active translations

7isplays translation statisticsRouter#sho ip nat statistics

Router#sho ip nat translations

Router#sho ip nat translation 0ro /nside global /nside local 4utside local 4utside global --- "5 %"&%"1"%" " %" %" %" --- ---

Router#sho ip nat statistics 6otal acti!e translations7 " (" static8 dynamic9 e tended) 4utside interfaces7 2thernet 8 ,erial %5 /nside interfaces7 2thernet" :its7 ;isses7 <

L 2 Th b i ti f NAT




www.saigonlab.vn


Sample Pro(lem6 Cannot Ping Bemote +ost

ost A1@ .14 .1.

1@ .14 . .113.1.1. 5 61@ .14 .

int e3 ip address 1@ .14 . .1 ==. ==. ==.3Bint s3 ip address 13.1.1. ==. ==. ==.3B outer rip networ! 13.3.3.3 networ! 1@ .14 . .3

ost *1@ .14 . .

ip nat pool test 17 .14.17. 3 17 .14.17.23ip nat inside source list 1 pool testBint s3 ip address 13.1.1.1 ==. ==. ==.3 ip nat inside

Bint e3 ip address 1@ .14 .1.1 ==. ==. ==.3

ip nat outsideB

outer rip networ! 13.3.3.3 networ! 1@ .14 .1.3BAccess9list 1 per%it 1@ .14 .1.3 ==. ==. ==.3

L 2 Th b i ti f NAT




www.saigonlab.vn


Sol&tion6 5ew Config&ration

ost A1@ .14 .1.

ost *1@ .14 . .

1@ .14 . .113.1.1. 5 61@ .14 .1

$nt e3 ip address 1@ .14 . .1 ==. ==. ==.3B$nt s3 ip address 13.1.1. ==. ==. ==.3B

outer rip networ! 13.3.3.1 networ! 1@ .1 . .3

L 2 Th b i ti f NAT




www.saigonlab.vn


"sing t!e de(&g ip nat Command

Router# debug ip nat

=>67 s?"$ %"&'%"%$ -@"5 %1"% 11% $8 d?"5 %1"% %"1 [&' ] =>67 s?"5 %1"% %"1 8 d?"5 %1"% 11% $-@"$ %"&'%"%$ [ "' ] =>67 s?"$ %"&'%"%$ -@"5 %1"% 11% $8 d?"5 %1"%"%"&" [&' &] =>6A7 s?"5 %1"%"%"&"8 d?"5 %1"% 11% $-@"$ %"&'%"%$ [ 11""] =>6A7 s?"$ %"&'%"%$ -@"5 %1"% 11% $8 d?"5 %1"%"%"&" [&' 5] =>6A7 s?"$ %"&'%"%$ -@"5 %1"% 11% $8 d?"5 %1"%"%"&" [&' '] =>6A7 s?"5 %1"%"%"&"8 d?"5 %1"% 11% $-@"$ %"&'%"%$ [ 11"1] =>6A7 s?"5 %1"%"%"&"8 d?"5 %1"% 11% $-@"$ %"&'%"%$ [ 11 ]

L 2 Th b i ti f NAT




www.saigonlab.vn


Translation 5ot $nstalled in t!eTranslation Ta(le#

<erify t!at6) T!e config&ration is correct

) T!ere are not any in(o&nd ACLs denying t!e pac ets entryto t!e 5AT ro&ter

) T!e ACL referenced (y t!e 5AT command is permitting allnecessary networ s

) T!ere are eno&g! addresses in t!e 5AT pool) T!e ro&ter interfaces are appropriately defined as 5AT

inside or 5AT o&tside

Module : $%ple%ent and verify DAN




www.saigonlab.vn

$ p ylin!s

Methods for connecting to aDAN

1

Connecting to e%ote Networ!s2

((( connection between Cisco routers3

Era%e elay on Cisco routers>

(N Technology;

Lesson 1: Methods for connecting to a




www.saigonlab.vn

gDAN

W!at $s a Wide Area 5etwor #W!y Are WA5s 5ecessary#+ow $s a WA5 7ifferent from a LA5#

WA5 Access and t!e OS$ Beference ModelWA5 7evicesT!e Bole of Bo&ters in WA5s

WA5 7ata Lin ProtocolsM&ltiple ingWA5 Comm&nication Lin Options





www.saigonlab.vn

gDAN

Wide-Area 5etwor





www.saigonlab.vn

gDAN

5eed for WA5s*ussiness (artners

ery e%ote 'ffice

Thousands ofe%ote Dor!ers

egional 'fficee%ote 'ffice

o%e 'ffices Mobile Dor!ers





www.saigonlab.vn

gDAN

WA5s vs: LA5s

DANs LANs

Area

'wnership





www.saigonlab.vn

gDAN

WA5 Access and t!e OS$ Model





www.saigonlab.vn

gDAN

WA5 7evices





www.saigonlab.vn

gDAN

WA5 Connection Types6 Layer 1





www.saigonlab.vn

gDAN

WA5DM&ltiple LA5s





www.saigonlab.vn

gDAN

$nterfacing 8etween WA5 Service Providers

Provider assigns connection parameters to s&(scri(er





www.saigonlab.vn

gDAN

Serial Point-to-Point Connectionsouter Connections"nd9Fser )evice

)T"

)C"C F5) F

Networ! Connections at the C F5) F





www.saigonlab.vn

gDAN

Typical WA5 0ncaps&lation Protocols6Layer 2





www.saigonlab.vnDAN

M&ltiple ing Tec!nologies

Time-7ivision M&ltiple ing ,T7M/%re?&ency-7ivision M&ltiple ing ,%7M/Statistical M&ltiple ing

Multiple#er





www.saigonlab.vnDAN

WA5 Lin OptionsDAN

witched)edicated

Lesson : Connecting to e%ote




www.saigonlab.vnNetwor!s

Circ&it-Switc!ed Comm&nication Lin sP&(lic Switc!ed Telep!one 5etwor$ntegrated 7igital Services 5etworPac et-Switc!ed Comm&nication Lin sE:2;%rame Belay

Async!rono&s Transfer Mode and Cell Switc!ing7SLCa(le*lo(al $nternetFt!e Largest WA5






Circ&it Switc!ing






PST5

Local "#change






PST5 ConsiderationsAdvantages

) Simplicity

) Availa(ility) Cost

)isadvantages) Low data rates

) Belatively long connection set&p time

Lesson : Connecting to e%oteN !





$S75






8B$ and PB$






$S75 ConsiderationsAdvantages

) Speed

) Always-on availa(ility)isadvantages) Limited geograp!ic availa(ility) Cost






Pac et Switc!ing

ynchronous

erial

ynchronouserial

Lesson : Connecting to e%oteN t !





WA5 wit! E:2;






%rame Belay)C" or Era%e

elay witch

Era%e elay wor!s here






%rame Belay 7evices and <irt&al Circ&its






ATM and Cell Switc!ing

ATM witch ATM witch

Cells

Lesson : Connecting to e%oteNet or!s





7SL

Lesson : Connecting to e%oteNetwor!s





7SL Service Types Overview

)own Fp )own Fp






7SL ConsiderationsAdvantages

) Speed) Sim&ltaneo&s voice and data transmission

) $ncremental additions) Always-on availa(ility) 8ac ward compati(ility wit! analog p!ones

)isadvantages) Limited availa(ility) Local p!one company re?&irements) Sec&rity ris s






Ca(le-8ased WA5s

Cable Mode% Cableeadend

Cable outer with 69port witch






+ow Ca(le Modems Wor(icasso "instein Leonard

osieCoa#ial Cable

Coa#

Gi%%y Mo%

-randpa

Gunior

(adA%plifier

plitter

Tap






T!e *lo(al $nternet

Lesson 2: ((( connection betweenCisco routers




www.saigonlab.vnCisco routers

+7LC 0ncaps&lation Config&rationPPP Layered Arc!itect&rePPP Config&ration

PPP Session 0sta(lis!mentPPP A&t!entication ProtocolsPPP A&t!entication Config&ration

Serial 0ncaps&lation Config&ration <erificationPPP A&t!entication Config&ration Tro&(les!ooting






+7LC %rame %ormat

"ses a proprietary data field to s&pportm&ltiprotocol environments

S&pports only single-protocol environments






Config&ring +7LC 0ncaps&lation

0na(les +7LC encaps&lation"ses t!e defa&lt encaps&lation on sync!rono&sserial interfaces

outer+config9if,8 encapsulation hdlc






An Overview of PPP

PPP can carry pac ets from several protocol s&ites &sing 5CPPPP controls t!e set&p of several lin options &sing LCP

Multiple (rotocol"ncapsulations

Fsing NC(s in (((






Layering PPP 0lements

PPP = 7ata lin wit! networ layer services






PPP LCP Config&ration Options






PPP Session 0sta(lis!ment

Two PPP a&t!entication protocols6 PAP and C+AP






PPP A&t!entication Protocols

Passwords sent in clear te tPeer in control of attempts

(A(Two9Day andsha!e

/santacruH boardwal!0

e%ote outer+santacruH,

ost na%e : santacruH(assword: broadwal!

Central9 ite outer+ I,







C!allenge +ands!a e A&t!entication Protocol

+as! val&es' not act&al passwords' are sent across t!e linT!e local ro&ter or e ternal server is in control of attempts

e%ote outer+santacruH,







Config&ring PPP and A&t!entication Overview






Config&ring PPP

"nables ((( encapsulation

Router(config-if)#encapsulation ppp






Config&ring PPP A&t!entication

Assigns a host na%e to your router

$dentifies the userna%e and password ofre%ote router

0na(les PAP or C+AP a&t!entication

Router(config)#hostname name

Router(config)#username name pass ord password

Router(config-if)#ppp authentication{chap | chap pap | pap chap | pap}






C+AP Config&ration 0 ample






<erifying t!e +7LC and PPP0ncaps&lation Config&rationRouter# sho interface s,erial is up8 line protocol is up :ard are is :B&+ 5 /nternet address is " %"+ %"% C + ;6D " bytes8 EF " ++ Gbit8 BHI usec8 rely C 8 load "C 2ncapsulation 0008 loopback not set8 keepali!e set (" sec) HJ0 4pen <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< minute input rate bitsCsec8 packetsCsec minute output rate bitsCsec8 packetsCsec 1' " packets input8 & &"" bytes8 no buffer Recei!ed 1+'' broadcasts8 runts8 giants8 throttles

input errors8 JRJ8 frame8 o!errun8 ignored8 abort 1' $5 packets output8 "1 &$5 bytes8 underruns output errors8 collisions8 & + interface resets output buffer failures8 output buffers s apped out +' carrier transitions BJB?up B,R?up B6R?up R6,?up J6,?up






<erifying PPP A&t!entication

) de(&g ppp a&t!entication s!ows s&ccessf&l C+AP o&tp&t:

outer8 debug ppp authentication6d 3h : J L$NK929F()'DN : $nterface erial3& changed state to up6d 3h : e3 ((( : Treating connection as a dedicated line6d 3h : e3 (((: (hase is AFT "NT$CAT$N-& by both6d 3h : e3 C A( : 3 C ALL"N-" id len fro% /left06d 3h : e3 C A( : $ C ALL"N-" id 2 len fro% /right06d 3h : e3 C A( : $ " ('N " id 2 len fro% /left06d 3h : e3 C A( : $ " ('N " id len fro% /right06d 3h : e3 C A( : 3 FCC" id len 6

6d 3h : e3 C A( : $ FCC" id 2 len 66d 3h : JL$N"( 'T'9=9F()'DN : Line (rotocol on $nterface erial3& changedstate to up





www.saigonlab.vnC sco oute s

<erifying PPP 5egotiationRouter# debug ppp negotiation000 protocol negotiation debugging is onRouter#A;ar " 7 &71&%&+ 7 KH/=G-1-D0B4F=7 /nterface ER/ 7"8 changed state to upA;ar " 7 &71&%&&"7 ER 7" 0007 6reating connection as a callinA;ar " 7 &71&%&& 7 ER 7" 0007 0hase is 2,6>EH/,:/=L8 0assi!e 4penA;ar " 7 &71&%&&$7 ER 7" HJ07 ,tate is HistenA;ar " 7 &715% 1+7 ER 7" HJ07 / J4=MR2N [Histen] id 5 len "5A;ar " 7 &715% 1'7 ER 7" HJ07 >uth0roto 0>0 ( 1 +J 1)A;ar " 7 &715% + 7 ER 7" HJ07 ;agic=umber 5> "+B ( & 5> "+B)A;ar " 7 &715% +&7 ER 7" HJ07 Jallback ( B 1 )A;ar " 7 &715% +7 ER 7" HJ07 4 J4=MR2N [Histen] id + len "A;ar " 7 &715% '7 ER 7" HJ07 >uth0roto J:>0 ( 1 J 1 )A;ar " 7 &715% & 7 ER 7" HJ07 ;agic=umber " '"252" ( &" '"252")A;ar " 7 &715% &&7 ER 7" HJ07 4 J4=MR2O [Histen] id 5 len 5A;ar " 7 &715% 5 7 ER 7" HJ07 Jallback ( B 1 )A;ar " 7 &715% $'7 ER 7" HJ07 / J4=M>JG [R2Nsent] id + len "A;ar " 7 &715%" 7 ER 7" HJ07 >uth0roto J:>0 ( 1 J 1 )A;ar " 7 &715%" &7 ER 7" HJ07 ;agic=umber " '"252" ( &" '"252")A;ar " 7 &715%""+7 ER 7" HJ07 / J4=MR2N [>JGrc!d] id ' len "+A;ar " 7 &715%""57 ER 7" HJ07 >uth0roto 0>0 ( 1 +J 1)A;ar " 7 &715%" "7 ER 7" HJ07 ;agic=umber 5> "+B ( & 5> "+B)

Lesson 6: Era%e elay on Ciscorouters




www.saigonlab.vn

%rame Belay Overview%rame Belay Stac Layered S&pport%rame Belay Terminology%rame Belay Topologies

Beac!a(ility $ss&es in %rame BelayBeac!a(ility $ss&e Besol&tion%rame Belay Address Mapping

%rame Belay Signaling+ow Service Providers Map %rame Belay 7LC$sService Provider %rame Belay-to-ATM $nterwor ing





www.saigonlab.vn

%rame Belay Overview

Connections made (y virt&al circ&itsConnection-oriented service





www.saigonlab.vn

%rame Belay Stac' $ eference Model Era%e elay

(hysical

(resentation

ession

Transport

Networ!

)ata Lin!

Application

"$A5T$A9 2 &"$A5T$A966@& .2=&

. 1& "$A5T$A9=23

Era%e elay

$(5$( 5AppleTal!& etc.





www.saigonlab.vn

%rame Belay Terminology

)LC$ - 7ata-lin connection identifier LM$ - Local Management $nterface

outer A outer *

)LCL: 633

)LCL: 133

( C

LocalAccess

Loop T1

Local AccessLoop 46 !bps





www.saigonlab.vn

Selecting a %rame Belay Topology

%rame Belay defa&lt6 58MA





www.saigonlab.vn

Beac!a(ility $ss&es wit! Bo&ting "pdates

Pro(lem6

) 8roadcast traffic m&st (e replicated for eac! activeconnection) Split !oriGon r&le prevents ro&ting &pdates received on an

interface from (eing forwarded o&t t!e same interface





www.saigonlab.vn

Besolving Beac!a(ility $ss&es

Split !oriGon can ca&se pro(lems in 58MAenvironmentsS&(interfaces can resolve split-!oriGon iss&esSol&tion6 A single p!ysical interface sim&lates m&ltiplelogical interfaces





www.saigonlab.vn

%rame Belay Address Mapping

"se LM$ to get locally significant 7LC$ from t!e %rame Belay switc!"se $nverse ABP to map t!e local 7LC$ to t!e remote ro&ter networlayer address





www.saigonlab.vn

%rame Belay Signaling

Cisco s&pports t!ree LM$ standards6) Cisco) A5S$ T1:419 Anne 7) $T"-T H:.33 Anne A





www.saigonlab.vn

%rame Belay $nverse ABP and LM$ Signaling





www.saigonlab.vn

Stages of $nverse ABP and LM$ Operation





www.saigonlab.vn

Config&ring 8asic %rame Belay





www.saigonlab.vn

Config&ring a Static %rame Belay Map





www.saigonlab.vn

Config&ring S&(interfacesPoint-to-point) S&(interfaces act li e leased lines) 0ac! point-to-point s&(interface re?&ires its own s&(net

) Point-to-point is applica(le to !&(-and-spo e topologiesM&ltipoint) S&(interfaces act li e 58MA networ s' so t!ey do not

resolve t!e split !oriGon iss&es

) M&ltipoint can save address space (eca&se it &ses asingle s&(net

) M&ltipoint is applica(le to partial mes! and f&ll mes!topologies

i l b





www.saigonlab.vn

Config&ring Point-to-Point S&(interfaces

i l b





www.saigonlab.vn

M&ltipoint S&(interfaces Config&ration 0 ample

. 13.17.3.15 6 .1 13.17.3. 5 6

.1 13.17.3.25 6

.1 13.17.3.65 6

i l b





www.saigonlab.vn

Router# sho interfaces s,erial is up8 line protocol is up :ard are is :B&+ 5 /nternet address is " %"+ %"% C + ;6D " bytes8 EF " ++ Gbit8 BHI usec8 rely C 8 load "C 2ncapsulation MR>;2-R2H>I8 loopback not set8 keepali!e set (" sec) H;/ en3 sent "$8 H;/ stat rec!d 8 H;/ upd rec!d 8 B62 H;/ up H;/ en3 rec!d 8 H;/ stat sent 8 H;/ upd sent H;/ BHJ/ " 1 H;/ type is J/,J4 frame relay B62 MR ,PJ disabled8 H>0M state do n Eroadcast 3ueue C&+8 broadcasts sentCdropped 'C 8 interface broadcasts Hast input 7 7 8 output 7 7 8 output hang ne!er Hast clearing of Qsho interfaceQ counters ne!er Nueueing strategy7 fifo 4utput 3ueue C+ 8 drops9 input 3ueue C5 8 drops 4utput omitted@

<erifying %rame Belay Operation

7isplays information a(o&t %rame Belay 7LC$s and t!e LM$

outer8 show interfaces type number

ig l b





www.saigonlab.vn

Router# sho frame-relay lmi H;/ ,tatistics for interface ,erial (Mrame Relay B62)H;/ 6I02 ? J/,J4 /n!alid Dnnumbered info /n!alid 0rot Bisc /n!alid dummy Jall Ref /n!alid ;sg 6ype /n!alid ,tatus ;essage /n!alid Hock ,hift

/n!alid /nformation /B /n!alid Report /2 Hen /n!alid Report Re3uest /n!alid Geep /2 Hen =um ,tatus 2n3% ,ent ""1" =um ,tatus msgs Rc!d ""1" =um Dpdate ,tatus Rc!d =um ,tatus 6imeouts


)isplays LM$ statistics

Router# sho frame-relay lmi [ type number ]

www saigonlab vn





www.saigonlab.vn

Router# sho frame-relay p!c "0PJ ,tatistics for interface ,erial (Mrame Relay B62)

BHJ/ ? " 8 BHJ/ D,>L2 ? H4J>H8 0PJ ,6>6D, ? >J6/P28 /=62RM>J2 ? ,erial

input pkts ' output pkts " in bytes '1$'

out bytes ""$' dropped pkts in M2J= pkts in E2J= pkts out M2J= pkts out E2J= pkts in B2 pkts out B2 pkts out bcast pkts " out bcast bytes ""$' p!c create time 7 17+&8 last time p!c status changed 7 17+5


7isplays P<C statistics

outer8 show fra%e9relay pvc type number dlci OO

www saigonlab vn





www.saigonlab.vn

Router# sho frame-relay map

,erial (up)7 ip " %"+ %"%" dlci " ( &+8 "'+ )8 dynamic8 broadcast88 status defined8 acti!eRouter# clear frame-relay-inarpRouter# sho frame mapRouter#


7isplays t!e c&rrent %rame Belay map entries

Clears dynamically created %rame Belay maps'created (y &sing $nverse ABP

outer8 show fra%e9relay %ap

outer8 clear fra%e9relay9inarp

www saigonlab vn





www.saigonlab.vn

Router# debug frame-relay lmiMrame Relay H;/ debugging is onBisplaying all Mrame Relay H;/ dataRouter#" d7 ,erial (out)7 ,t2n38 myse3 "+ 8 yourseen "1$8 B62 up" d7 datagramstart ? 2 '2J8 datagramsiSe ? "1" d7 MR encap ? MJM" 1 $

" d7 5 " " " 1 'J 'E" d7" d7 ,erial (in)7 ,tatus8 myse3 "+" d7 R6 /2 "8 length "8 type "" d7 G> /2 18 length 8 yourse3 "+ 8 myse3 "+" d7 ,erial (out)7 ,t2n38 myse3 "+"8 yourseen "+ 8 B62 up" d7 datagramstart ? 2 '2J8 datagramsiSe ? "1" d7 MR encap ? MJM" 1 $" d7 5 " " " 1 'B 'J" d7" d7 ,erial (in)7 ,tatus8 myse3 "+" d7 R6 /2 "8 length "8 type " d7 G> /2 18 length 8 yourse3 "+ 8 myse3 "+" d7 0PJ /2 5 8 length & 8 dlci " 8 status 8 b

Tro&(les!ooting 8asic %rame Belay

Operations

)isplays LM$ debug infor%ation

www saigonlab vn

Lesson =: (N Technology




www.saigonlab.vn

<P5 7efinitionBemote Access <P5sSite-to-Site <P5sT&nneling Protocols I *B0T&nneling Protocols I $PSecT&nneling Protocols I L2% and L2TP

www saigonlab vn





www.saigonlab.vn

<P5 7efinition

<irt&al private networ ,<P5/Dan encryptedconnection (etween private networ s over ap&(lic networ s&c! as t!e $nternet

www saigonlab vn





www.saigonlab.vn

Bemote Access <P5s

www saigonlab vn





www.saigonlab.vn

Site-to-Site <P5s

Site-to-Site <P5 I 0 tension of classic WA5

www.saigonlab.vn





www.saigonlab.vn

T&nneling Protocols I *B0 ,*eneric Bo&ting0ncaps&lation/

CiscoJs m&ltiprotocol carrier t!at can encaps&late $P' CL5P'$PE' AppleTal ' 70Cnet' and E5S inside $P t&nnels8est for site-to-site <P5sTypically &sed to t&nnel m&lticast pac ets s&c! as ro&tingprotocols7oes not s&pport data encryption or pac et integrity0ncaps&lates all traffic regardless of so&rce destination

www.saigonlab.vn





www.saigonlab.vn

T&nneling Protocols I $PSec ,$P Sec&rity/Most commonly &sed t&nneling protocol wit! <P5sCan (e &sed in com(ination wit! *B0 or L2TP ,Layer 2T&nneling Protocol/ w!en t!ere is a need to s&pportt&nneling m&lticast pac ets"ses $K0 to manage e c!ange of sec&rity eysBeplay protection I someone capt&ring pac ets andreplaying t!em later to gain access7ata origin a&t!entication ,Ma es&re t!e pac ets are a&t!entic/Confidentiality I 0ncryption is&sed to !ide t!e $P !eader of t!eoriginal pac et

www.saigonlab.vn





g

T&nneling Protocols I L2% ,Layer 2 %orwarding/ andL2TP ,Layer 2 T&nneling Protocol/

CiscoJs protocol t!at was &sed (efore L2TP ,Layer 2T&nneling Protocol/ was esta(lis!ed$t is not forward compati(le wit! L2TP

L2TP is a com(ination of CiscoJs L2% and MicrosoftJs PPTP,Point-to-Point T&nneling Protocol/L2TP is &sed to create a media-independent' m&ltiprotocol<P75 ,<irt&al Private 7ial 5etwor / w!ic! allows &sers toinvo e corporate sec&rity policies across a <P5 or <P75lin as an e tension of t!eir internal networ

L2TP is good for remote-access <P5s t!at re?&irem&ltiprotocol s&pport ,or *B0/



www.saigonlab.vn

http://www.saigonlab.vn/

http://www.saigonlab.vn/

Documents

SaigonLAB CCNA Module7 Va Module 8