ping: verifies TCP/IP network connectivity (rx/tx)
127.0.0.1: internal loopback address
topology: physical vs logical
bus: broadcast (Ethernet)
ring: token passing (Token Ring, FDDI)
star
extended star
hierarchical
mesh
SAN (storage area network) features:
high-speed server-to-storage: performance
storage-to-storage: availability
server-to-server: scalability
VPN: secure tunnel between the telecommuter PC and the VPN server
Access VPNs provide remote access to mobile workers and small office/home office (SOHO) users over ISDN, analog dialup, DSL and mobile IP
Intranet VPNs connect regional and remote offices and allow access only to employees
Extranet VPNs link business partners
802.11 data frames are similar to 802.3 frames (1518 bytes), but can be larger (up to 2346 bytes)
WLANs use CSMA/CA (collision avoidance); every frame is answered with a positive ACK, which consumes about 50% of the bandwidth
if the signal gets weaker, adaptive rate selection drops the data rate
authentication at Layer 2
frame types: control, management and data
security: EAP-MD5, very similar to CHAP
LEAP (Cisco): user authentication, encryption, data authentication
signal and noise: crosstalk
near-end crosstalk (NEXT): measured at the same end of the link
far-end crosstalk (FEXT): not as significant a problem as NEXT
power sum NEXT (PSNEXT): cumulative effect of NEXT from all wire pairs
RJ-45 pinout: T568A / T568B
pins 1,2: green / orange
pins 3,6: orange / green
ISDN BRI: U interface has an integrated NT1; S/T interface has no integrated NT1
cable: UTP Cat 5 straight-through
a switch builds a CAM table holding the MAC information for all ports
switching modes:
cut-through: forwards after reading the destination MAC; lowest latency; no error check available; synchronous switching
store-and-forward: forwards after receiving the entire frame; biggest latency; checks the FCS
fragment-free: forwards after reading the first 64 bytes; a compromise that verifies the reliability of the addressing and the LLC; asynchronous switching can use different port bit rates
collision domains: Layer 2 and Layer 3 devices break up collision domains
late collisions: occur after the first 64 bytes of the frame have been transmitted
4-repeater rule: no more than 4 repeaters between 2 computers on the network
5-4-3-2-1 rule (keeps the round-trip delay time in a shared network within acceptable limits):
5 segments of network media
4 repeaters or hubs
3 host segments of the network
1 large collision domain
broadcast domains: to communicate with all collision domains, protocols use broadcast and multicast addresses
a broadcast frame is transmitted with destination MAC FF-FF-FF-FF-FF-FF
BOOTP: obtains an IP address by sending a UDP broadcast
DHCP: obtains an address dynamically
subnetting: borrow a minimum of 2 bits for the subnet
leave a minimum of 2 bits for hosts
2^(bits borrowed) - 2 = usable subnets
2^(bits remaining for hosts) - 2 = usable hosts
TCP/IP flow control: the three-way handshake synchronizes the ISNs (initial sequence numbers) and ports (sockets)
connection oriented: 1. A sends SYN to B (SYN set, ACK not set), sequence number X
2. B replies to A acknowledging X+1 (SYN and ACK set)
3. A sends ACK (ACK set, SYN not set)
sliding windows
protocols that use TCP: FTP 21, HTTP 80, SMTP 25, Telnet 23
TCP: TCP breaks data into segments. The data segments are then transported from sender to receiver, following the synchronization process and the negotiation of a window size that dictates the number of bytes that can be transmitted at any one time.
Port numbers have the following assigned ranges:
Numbers below 255 are reserved for public applications
Numbers from 255-1023 are assigned to companies for marketable applications
Numbers above 1023 are unregulated
This 16-bit value can result in port numbers ranging from 0 to 65535.
Registered ports range from 1024 to 49151. Ports between 49152 and 65535 are defined as dynamic or private ports.
UDP/IP: connectionless; exchanges data without ACKs
protocols that use UDP: TFTP 69, SNMP 161, DHCP, DNS 53, RIP 520
sockets: 0-1023 well known; 1024 and above dynamically assigned
routers: to connect via Telnet, at least one interface must have an IP address
user EXEC mode: check status
privileged EXEC mode: accessing and configuring
static routes: shown in privileged mode with show running-config and show ip route
routed protocols: IP (Layer 3), IPX, DECnet, AppleTalk, Banyan VINES
routing protocols (metric; max routers; type):
RIP: hop count; 15; distance vector
IGRP: bandwidth, load, delay, reliability; 255; distance vector
EIGRP: distance vector
OSPF: link state
IS-IS: link state
BGP: exterior gateway protocol
Distance vector: receives routing tables periodically
Bellman-Ford algorithm
learns other networks based on the information that it receives from neighbors
Distance vector algorithms call for each router to send its entire routing table to each of its adjacent neighbors.
The routing tables include information about the total path cost as defined by its metric and the logical address of the first router on the path to each network contained in the table.
Distance vector protocols use fewer system resources but can suffer from slow convergence and may use metrics that do not scale well to larger systems.
                         
Link state: transmits triggered updates only when a change occurs
transmits link-state refreshes at long intervals (30 min)
Dijkstra's algorithm
  Link-state routing algorithms maintain a complex database of topology information.   
  The distance vector algorithm has nonspecific information about distant networks and no knowledge of distant routers.  
   A link-state routing algorithm maintains full knowledge of distant routers and how they interconnect.  
  Because they converge more quickly than distance vector protocols, link-state algorithms are less prone to routing loops.    
  Link-state protocols are also less prone to routing errors, but they use more system resources.  
  Link-state protocols, therefore, can be more expensive to implement and support.  
   However, they are generally more scalable than distance vector protocols  
  Link-state advertisements (LSAs)  
   – A link-state advertisement (LSA) is a small packet of routing information that is sent between routers.  
  Topological database   
  – A topological database is a collection of information gathered from LSAs.  
  SPF algorithm   
  – The shortest path first (SPF) algorithm is a calculation performed on the database resulting in the SPF tree.  
  Routing tables   
  – A list of the known paths and interfaces.              
  Link-state routing protocols perform the following functions:        
           
  Respond quickly to network changes        
  Send triggered updates only when a network change has occurred        
  Send periodic updates known as link-state refreshes        
  Use a hello mechanism to determine the reachability of neighbors         
           
  A router running a link-state protocol has the following features:        
           
  Uses the hello information and LSAs it receives from other routers to build a database about the network    
  Uses the shortest path first (SPF) algorithm to calculate the shortest route to each network      
  Stores this route information in its routing table        
  disadvantages:        
  They require more memory and processing power than distance vector routers, which can make link-state routing cost-prohibitive for organizations with small budgets and legacy hardware.        
  They require strict hierarchical network design, so that a network can be broken into smaller areas to reduce the size of the topology tables.        
  They require an administrator with a good understanding of link-state routing.        
  They flood the network with LSAs during the initial discovery process, which can significantly decrease the capability of the network to transport data. This flooding process can noticeably degrade the network performance depending on the available bandwidth and the number of routers exchanging information.        
         
            
configuring routing: start the routing process in global configuration mode: (config)#router RIP
configure the networks: (config-router)#network 101.9.39.16
protocol: type; metric; max hops; updates
RIP: distance vector; hop count; 15; 30 sec
IGRP: distance vector; bandwidth, delay, reliability, load; 90 sec default
OSPF: link state; lowest cost, SPF algorithm
EIGRP: distance vector combining distance-vector and link-state features; uses the DUAL algorithm to calculate the shortest path; 90 sec
BGP: exterior distance vector; routes traffic between autonomous systems (AS), e.g. ISPs
Distance Vector Routing table updates occur periodically or when the topology in a distance vector protocol network changes.
Routing loops can occur when inconsistent routing tables are not updated due to slow convergence in a changing network
solution =simple split horizon - not send to a neighbor a route learned from that neighbor
Route poisoning is used by various distance vector protocols in order to overcome large routing loops and offer explicit information when a subnet or network is not accessible.
Triggered updates, used in conjunction with route poisoning, ensure that all routers know of failed routes before any holddown timers can expire.
A count to infinity problem can be avoided by using holddown timers
RIP protocol: RIP v1 vs RIP v2
RIP v1 (classful):
It does not send subnet mask information in its updates.
It sends updates as broadcasts on 255.255.255.255.
It does not support authentication.
It is not able to support VLSM or classless interdomain routing (CIDR).
RIP v2 (classless):
Authentication mechanism to secure table updates.
Supports variable length subnet masking (VLSM).
Ability to carry additional packet routing information.
Both: if hop count >15, the packet is discarded.
start protocol
#network 1.1.1.0 Specifies a directly connected network
#network 2.1.1.0
#ip rip triggered send triggered info when changes occur
Configuring ip classless on the router resolves this problem by allowing the router to ignore the classful boundaries of the networks in its routing table and simply route to the default route
to reduce routing loops RIP use: Count-to-infinity
Split horizon
Poison reverse
Holddown counters
Triggered updates
The split horizon rule is based on the theory that it is not useful to send information about a route back in the direction from which it came. 
In some network configurations, it may be necessary to disable split horizon (config-if)#no ip split-horizon
Holddown timers help prevent counting to infinity but also increase convergence time.
 The default holddown for RIP is 180 seconds. This will prevent any inferior route from being updated but may also prevent a valid alternative route from being installed.
Router(config-router)#timers basic update invalid holddown flush [sleeptime]
GAD(config-router)#update-timer seconds
There are several commands that can be used to verify that RIP is properly configured. 
Two of the most common are the show ip route command and the show ip protocols command.
Additional commands to check RIP configuration are as follows:
show interface interface
show ip interface interface
show running-config
Other commands to troubleshoot RIP:
show ip rip database
show ip protocols {summary}
show ip route
debug ip rip {events}
show ip interface brief
For RIP and IGRP, the passive interface command stops the router from sending updates to a particular neighbor, 
but the router continues to listen and use routing updates from that neighbor.
IGRP protocol: IGRP is a distance vector Interior Gateway Protocol (IGP). Distance vector routing protocols mathematically compare routes by measuring distances.
IGRP sends routing updates at 90 second intervals, advertising networks for a particular autonomous system. 
By default, the IGRP routing protocol uses bandwidth and delay as metrics
The metrics that IGRP uses are:
Bandwidth – The lowest bandwidth value in the path
Delay – The cumulative interface delay along the path
Reliability – The reliability on the link towards the destination as determined by the exchange of keepalives
Load – The load on a link towards the destination based on bits per second
MTU – The Maximum Transmission Unit value of the path.
The show ip route command in the example shows the IGRP metric values in brackets.
IGRP advertises three types of routes:
Interior between subnets of a network attached to a router interface. If the network attached to a router is not subnetted, IGRP does not advertise interior routes.
System routes to networks within an autonomous system.
Exterior routes to networks outside the autonomous system that are considered when identifying a gateway of last resort.
IGRP has a number of features that are designed to enhance its stability, such as:
Holddowns are used to prevent regular update messages from inappropriately reinstating a route that may not be up
Split horizons are derived from the premise that it is usually not useful to send information about a route back in the direction from which it came
Poison reverse updates Split horizons prevent routing loops between adjacent routers, but poison reverse updates are necessary to defeat larger routing loops.
use the router igrp configuration command. To shut down an IGRP routing process, use the no form of this command. 
RouterA(config)#router igrp as-number
RouterA(config)#no router igrp as-number
To specify a list of networks for IGRP routing processes, use the network router configuration command. To remove an entry, use the no form of the command
Additional commands for checking IGRP configuration are as follows:
show interface interface
show running-config
show running-config interface interface
show running-config | begin interface interface
show running-config | begin igrp
show ip protocols
To verify that the Ethernet interface is properly configured, enter the show interface fa0/0 command. The figure illustrates the output.
The following commands are useful when troubleshooting IGRP:
show ip protocols
show ip route
debug ip igrp events
debug ip igrp transactions
ping
traceroute
ICMP: Internet Control Message Protocol (ICMP) is the component of the TCP/IP protocol stack that addresses this basic limitation of IP (IP itself has no mechanism for reporting errors or control information).
The transmit timestamp is filled in just before the ICMP timestamp reply is returned.
troubleshooting: The following are some additional commands that can be used with the show ip route command:
show ip route connected
show ip route network
show ip route rip
show ip route igrp
show ip route static
Depending on the desired results, an administrator can use either of the following commands to statically configure a default route:
ip default-network
or 
ip route 0.0.0.0 0.0.0.0
ACL: Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs).
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols
ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). 
ACLs must be defined on a per-protocol, per direction, or per port basis.
The following are some of the primary reasons to create ACLs:
Limit network traffic and increase network performance. By restricting video traffic, for example, ACLs could greatly reduce the network load and consequently increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.
Decide which types of traffic are forwarded or blocked at the router interfaces. Permit e-mail traffic to be routed, but block all telnet traffic.
Allow an administrator to control what areas a client can access on a network.
Screen certain hosts to either allow or deny access to part of a network. Grant or deny user permission to access only certain types of files, such as FTP or HTTP.
When first learning how to create ACLs, it is a good idea to add the implicit deny at the end of ACLs to reinforce the dynamic presence of the command line.
The access-group command is issued in the interface configuration mode. 
When assigning an ACL to an interface inbound or outbound placement should be specified. The filter direction can be set to check packets that are traveling into or out of an interface. 
There are two special keywords that are used in ACLs, the any and host options.
Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. 
This option will match any address that it is compared against. The host option substitutes for the 0.0.0.0 mask. This 
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ] [log]
The ip access-group command links an existing extended ACL to an interface. 
Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is: 
Router(config-if)#ip access-group access-list-number {in | out}
IP named ACLs were introduced in Cisco IOS Software Release 11.2
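As an added example (not from these notes), the following Python code evaluates a Cisco-style standard ACL the way the text describes: wildcard-mask matching, the any and host keywords, first-match processing and the implicit deny at the end. The access-list 10 statements and the addresses tested are constructed for the demonstration.

```python
# Added example (not from the original notes): evaluating a Cisco-style standard
# IP ACL: wildcard masks, the any/host keywords, first match wins, implicit deny.
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(address, source, wildcard):
    """Wildcard-mask match. A 0 bit in the wildcard means the address bit must
    match; a 1 bit means 'don't care'. Hence `any` = 0.0.0.0 255.255.255.255
    (nothing has to match) and `host X` = X 0.0.0.0 (every bit has to match)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(source) & care)


def parse_entry(statement):
    """Parse 'access-list <number> {permit|deny} <source> [wildcard]'.
    Returns (number, action, source, wildcard); the any and host keywords are
    expanded into the address/wildcard pair they stand for."""
    parts = statement.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {statement!r}")
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[0] == "any":
        source, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        source, wildcard = rest[1], "0.0.0.0"
    else:
        # IOS assumes a 0.0.0.0 wildcard (exact host) when none is given
        source, wildcard = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
    return number, action, source, wildcard


def evaluate(acl, address):
    """Process the statements top to bottom; the first match decides.
    Anything that matches no statement hits the implicit deny at the end."""
    for statement in acl:
        _, action, source, wildcard = parse_entry(statement)
        if matches(address, source, wildcard):
            return action
    return "deny (implicit)"


# Constructed sample ACL: block one host, permit the rest of its /24, permit one
# outside host. Order matters: the host deny must precede the network permit.
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit host 10.1.1.1",
]

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.51", "10.1.1.1", "10.1.1.2"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```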
VLSM: With VLSM, a network administrator can use a long mask on networks with few hosts, and a short mask on subnets with many hosts.
Cisco routers support VLSM with Open Shortest Path First (OSPF), Integrated Intermediate System to Intermediate System (Integrated IS-IS), 
Enhanced Interior Gateway Routing Protocol (EIGRP), RIP v2, and static routing.
As networking technologies have evolved, and IP address depletion has become of real concern, it has become acceptable practice to use the first and last subnets in a subnetted network in conjunction with VLSM.
If management decides to use subnet zero, it has eight useable subnets. Each may support 30 hosts. 
 If the management decides to use the no ip subnet-zero command, it has seven usable subnets with 30 hosts in each subnet. 
From Cisco IOS version 12.0, remember that Cisco routers use subnet zero by default.
subnet 0 192.168.187.0 /27
subnet 1 192.168.187.32 /27
subnet 2 192.168.187.64 /27
subnet 3 192.168.187.96 /27
subnet 4 192.168.187.128 /27
subnet 5 192.168.187.160 /27
subnet 6 192.168.187.192 /27
subnet 7 192.168.187.224 /27
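The subnetting formulas from the notes (2^borrowed - 2 usable subnets, 2^remaining - 2 usable hosts) and the /27 table above are worked through in this added Python example, which is not part of the original notes. It also shows the two subnet counts the text gives for a class C split into /27s: 8 with ip subnet-zero (the IOS 12.0 default) and 7 with no ip subnet-zero, where only subnet zero is excluded.

```python
# Added example (not from the original notes): the subnetting formulas from the
# notes applied to the class C network 192.168.187.0 with a /27 mask.
import ipaddress

MIN_SUBNET_BITS = 2   # the notes: borrow at least 2 bits for the subnet
MIN_HOST_BITS = 2     # the notes: leave at least 2 bits for hosts


def usable_subnets(borrowed_bits):
    """Classic formula from the notes: 2^borrowed - 2 (subnet zero and the
    all-ones subnet are not counted)."""
    if borrowed_bits < MIN_SUBNET_BITS:
        raise ValueError("borrow at least 2 bits for the subnet")
    return 2 ** borrowed_bits - 2


def usable_hosts(host_bits):
    """2^remaining - 2: the network address and the broadcast address are not usable."""
    if host_bits < MIN_HOST_BITS:
        raise ValueError("leave at least 2 bits for hosts")
    return 2 ** host_bits - 2


def list_subnets(network, new_prefix, subnet_zero=True):
    """Enumerate the subnets of `network` at `new_prefix`.

    subnet_zero=True  reflects the IOS 12.0 default (ip subnet-zero): all 2^n
                      subnets are usable (8 for a class C split into /27s).
    subnet_zero=False reflects `no ip subnet-zero`: only subnet zero is dropped,
                      leaving 7 usable /27 subnets, as the notes state.
    """
    net = ipaddress.ip_network(network)
    subs = list(net.subnets(new_prefix=new_prefix))
    if not subnet_zero:
        subs = subs[1:]
    return [str(s) for s in subs]


def host_range(subnet):
    """(first usable host, last usable host, broadcast address) of a subnet."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


if __name__ == "__main__":
    borrowed = 27 - 24                                           # class C /24 -> /27
    print("classic usable subnets:", usable_subnets(borrowed))  # 6
    print("usable hosts per /27:", usable_hosts(32 - 27))       # 30
    for i, s in enumerate(list_subnets("192.168.187.0/24", 27)):
        first, last, bcast = host_range(s)
        print(f"subnet {i} {s}  hosts {first}-{last}  broadcast {bcast}")
```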
The use of Classless InterDomain Routing (CIDR) and VLSM not only prevents address waste, but also promotes route aggregation, or summarization.
RIP V2
RIP v2 is an improved version of RIP v1 and shares the following features: 
It is a distance vector protocol that uses a hop count metric.
It uses holddown timers to prevent routing loops – default is 180 seconds.
It uses split horizon to prevent routing loops.
It uses 16 hops as a metric for infinite distance.
The choice can be either clear text or Message-Digest 5 (MD5) encryption.
RIP v2 multicasts routing updates using the Class D address 224.0.0.9, which provides for better efficiency.
To enable a dynamic routing protocol, the following tasks must be completed:
Select a routing protocol, such as RIP v2.
Assign the IP network numbers without specifying the subnet values.
Assign the network or subnet addresses and the appropriate subnet mask to the interfaces.
The router command starts the routing process.
The network command causes the implementation of the following three functions:
The routing updates are multicast out an interface.
The routing updates are processed if they enter that same interface.
The subnet that is directly connected to that interface is advertised.
In this example, the configuration of Router A includes the following:
router rip version 2 – Selects RIP v2 as the routing protocol.
network 172.16.0.0 – Specifies a directly connected network.
network 10.0.0.0 – Specifies a directly connected network.
The show ip protocols command displays values about routing protocols and routing protocol timer information associated with the router. 
In the example, the router is configured with RIP and sends updated routing table information every 30 seconds. 
The show ip interface brief command can also be used to list a summary of the information and status of an interface.
The show ip route command displays the contents of the IP routing table. 
Use the show running-config or show ip protocols privileged EXEC commands on the router to check for a possible misconfigured routing protocol. 
By default, routers learn paths to destinations three different ways:
Static routes – The system administrator manually defines the static routes as the next hop to a destination. Static routes are useful for security and traffic reduction, as no other route is known.
Default routes – The system administrator also manually defines default routes as the path to take when there is no known route to the destination. Default routes keep routing tables shorter. When an entry for a destination network does not exist in a routing table, the packet is sent to the default network.
Dynamic routes – Dynamic routing means that the router learns of paths to destinations by receiving periodic updates from other routers.
In the figure, the default route is indicated by the following command:
Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1
The ip default-network command establishes a default route in networks using dynamic routing protocols:
Router(config)#ip default-network 192.168.20.0
The ip default-network command is usually configured on the routers that connect to a router with a static default route. 
OSPF: Link-state routing protocols differ from distance vector protocols. Link-state protocols flood routing information allowing every router to have a complete view of the network topology.
Triggered updates allow efficient use of bandwidth and faster convergence. Changes in the state of a link are sent to all routers in the network as soon as the change occurs.
OSPF selects routes based on cost, which is related to speed. The higher the speed, the lower the OSPF cost of the link. 
OSPF selects the fastest loop-free path from the shortest-path first tree as the best path in the network. 
OSPF guarantees loop-free routing. Distance vector protocols may cause routing loops.
OSPF addresses the following issues:
Speed of convergence
Support for Variable Length Subnet Mask (VLSM)
Network size
Path selection
Grouping of members
OSPF interfaces recognize three types of networks: 
Broadcast multi-access, such as Ethernet
Point-to-point networks
Nonbroadcast multi-access (NBMA), such as Frame Relay 
The solution to this overhead is to hold an election for a designated router (DR). This router becomes adjacent to all other routers in the broadcast segment. 
A second router is elected as a backup designated router (BDR) to take over the duties of the DR if it should fail.
On multi-access networks the Hello protocol elects a designated router (DR) and a backup designated router (BDR).
When the databases are complete, each router uses the SPF algorithm to calculate a loop free logical topology to every known network
To enable OSPF routing, use the global configuration command syntax:
Router(config)#router ospf process-id
IP networks are advertised as follows in OSPF:
Router(config-router)#network address wildcard-mask area area-id
When a loopback interface is configured, OSPF uses this address as the router ID, regardless of the value.
 On a router that has more than one loopback interface, OSPF takes the highest loopback IP address as its router ID
To create and assign an IP address to a loopback interface use the following commands:
Router(config)#interface loopback number
Router(config-if)#ip address ip-address subnet-mask
It is considered good practice to use loopback interfaces for all routers running OSPF. 
This loopback interface should be configured with an address using a 32-bit subnet mask of 255.255.255.255. 
A 32-bit subnet mask is called a host mask because the subnet mask specifies a network of one host. 
When OSPF is requested to advertise a loopback network, OSPF always advertises the loopback as a host route with a 32-bit mask
The password can be up to eight characters. Use the following command syntax to configure OSPF authentication:
Router(config-if)#ip ospf authentication-key password
After the password is configured, authentication must be enabled:
Router(config-router)#area area-number authentication 
With simple authentication, the password is sent as plain text. This means that it can be easily decoded if a packet sniffer captures an OSPF packet.
Use the interface configuration command mode syntax:
Router(config-if)#ip ospf message-digest-key key-id md5 encryption-type key
The key-id is an identifier and takes the value in the range of 1 through 255. 
EIGRP: EIGRP saves routes that are learned in specific ways. Routes are given a particular status and can be tagged to provide additional useful information.
EIGRP maintains three tables:
Neighbor table
Topology table
Routing table
The topology table includes the following fields:
Feasible distance (FD is 2195456) 200.10.10.10 – The feasible distance (FD) is the lowest calculated metric to each destination. For example, the feasible distance to 32.0.0.0 is 90 as indicated by FD is equal 90. 
Route source (via 200.10.10.10) – The source of the route is the identification number of the router that originally advertised that route. This field is populated only for routes learned externally from the EIGRP network. Route tagging can be particularly useful with policy-based routing. For example, the route source to 32.0.0.0 is 200.10.10.10 via 200.10.10.10. 
Reported distance (FD/RD) – The reported distance (RD) of the path is the distance reported by an adjacent neighbor to a specific destination. For example, the reported distance to 32.0.0.0 is 2195456 as indicated by (90/2195456).
Interface information – The interface through which the destination is reachable
Route status – Routes are identified as being either passive (P), which means that the route is stable and ready for use, or active (A), which means that the route is in the process of being recomputed by DUAL.
The advantages of EIGRP over simple distance vector protocols include the following: 
Rapid convergence
Efficient use of bandwidth
Support for variable-length subnet mask (VLSM) and classless interdomain routing (CIDR). Unlike IGRP, EIGRP offers full support for classless IP by exchanging subnet masks in routing updates.
Multiple network-layer support
Independence from routed protocols. Protocol-dependent modules (PDMs) protect EIGRP from lengthy revision. Evolving routed protocols, such as IP, may require a new protocol module but not necessarily a reworking of EIGRP itself.
The five EIGRP packet types are:
Hello 
Acknowledgment 
Update 
Query 
Reply 
Each topology table identifies the following:
The routing protocol or EIGRP
The lowest cost of the route, which is called Feasible Distance (FD)
The cost of the route as advertised by the neighboring router, which is called Reported Distance (RD)
The following fields are found in a neighbor table:
Neighbor address – This is the network layer address of the neighbor router. 
Hold time – This is the interval to wait without receiving anything from a neighbor before considering the link unavailable. Originally, the expected packet was a hello packet, but in current Cisco IOS software releases, any EIGRP packets received after the first hello will reset the timer. 
Smooth Round-Trip Timer (SRTT) – This is the average time that it takes to send and receive packets from a neighbor. This timer is used to determine the retransmit interval (RTO). 
Queue count (Q Cnt) – This is the number of packets waiting in a queue to be sent. If this value is constantly higher than zero, there may be a congestion problem at the router. A zero means that there are no EIGRP packets in the queue. 
Sequence Number (Seq No) – This is the number of the last packet received from that neighbor. EIGRP uses this field to acknowledge a transmission of a neighbor and to identify packets that are out of sequence. The neighbor table is used to support reliable, sequenced delivery of packets and can be regarded as analogous to the TCP protocol used in the reliable delivery of IP packets. 
LAN design
The following requirements are usually seen in most network designs: 
Functionality – The network must work. The network must allow users to meet their job requirements. The network must provide user-to-user and user-to-application connectivity with reasonable speed and reliability. 
Scalability – The network must be able to grow. The initial design should grow without any major changes to the overall design. 
Adaptability – The network must be designed with a vision toward future technologies. The network should include no element that would limit implementation of new technologies as they become available. 
Manageability – The network should be designed to facilitate network monitoring and management to ensure ongoing stability of operation. 
Layer 1: One of the most important components to consider when designing a network is the physical cabling. Today, most LAN cabling is based on Fast Ethernet technology.
Layer 2: The purpose of Layer 2 devices in the network is to provide flow control, error detection, error correction, and to reduce congestion in the network.
Layer 3: A router is a Layer 3 device and is considered one of the most powerful devices in the network topology.
The hierarchical design model includes the following three layers:
The access layer provides users in workgroups access to the network.
The distribution layer provides policy-based connectivity.
The core layer provides optimal transport between sites. The core layer is often referred to as the backbone.
STP: Redundant topologies based on switches and bridges are susceptible to broadcast storms, multiple frame transmissions, and MAC address database instability.
Multicasts are treated as broadcasts by the switches. Broadcasts and multicasts frames are flooded out all ports, except the one on which the frame was received.
Ethernet bridges and switches can implement the IEEE 802.1D Spanning-Tree Protocol and use the spanning-tree algorithm to construct a loop free shortest path network
STP handles redundant paths by sending special BPDUs:
elects a root bridge
shuts down redundant paths
port states:
blocking: receives BPDUs only
listening: building the active topology
learning: building the bridging table
forwarding: receives and transmits data
disabled: administratively down
As a result, for every switched network the following elements exist:
One root bridge per network
One root port per non root bridge
One designated port per segment
Unused, non-designated ports
When a switch is turned on, the spanning-tree algorithm is used to identify the root bridge. BPDUs are sent out with the Bridge ID (BID).
The BID consists of a bridge priority that defaults to 32768 and the switch base MAC address.
By default BPDUs are sent every two seconds.
When a switch first starts up, it assumes it is the root switch and sends “inferior” BPDUs. These BPDUs contain the switch MAC address in both the root and sender BID.
All switches see the BIDs sent. As a switch receives a BPDU with a lower root BID it replaces that in the BPDUs that are sent out. All bridges see these and decide that the bridge with the smallest BID value will be the root bridge
A network administrator may want to influence the decision by setting the switch priority to a smaller value than the default, which will make the BID smaller. 
This should only be implemented when the traffic flow on the network is well understood.
The Rapid Spanning-Tree Protocol is defined in the IEEE 802.1w LAN standard. The standard and protocol introduce the following: 
Clarification of port states and roles 
Definition of a set of link types that can go to forwarding state rapidly 
Concept of allowing switches, in a converged network, to generate their own BPDUs rather than relaying root bridge BPDUs
The “blocked” state of a port has been renamed as the “discarding” state. A role of a discarding port is an “alternate port”. 
The discarding port can become the “designated port” in the event of the failure of the designated port for the segment. 
Private IP addresses (RFC 1918)
Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
NAT
NAT is designed to conserve IP addresses and enable networks to use private IP addresses on internal networks. These private, internal addresses are translated to routable, public addresses.
This is accomplished by inter-network devices running specialized NAT software and can increase network privacy by hiding internal IP addresses.
Cisco defines the following NAT terms:
Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Network Information Center (NIC) or service provider. This address is likely to be an RFC 1918 private address.
Inside global address – A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
Dynamic NAT is designed to map a private IP address to a public address. Any IP address from a pool of public IP addresses is assigned to a network host. 
Overloading, or Port Address Translation (PAT), maps multiple private IP addresses to a single public IP address. 
Multiple addresses can be mapped to a single address because each private address is tracked by a port number.
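A small PAT translation table, as an added example that is not part of these notes: only sources inside the RFC 1918 ranges listed earlier are translated, each inside flow is tracked by the port it is given on the single inside global address, and an inbound packet with no matching entry is dropped, which is the "hiding internal addresses" effect described above. The gateway class and all addresses and ports are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three RFC 1918 ranges listed above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


Flow = Tuple[str, str, int]   # (protocol, inside local IP, inside local port)


class PatGateway:
    """One inside global address shared by many inside local hosts; each
    translation is identified by the (protocol, port) it was given."""

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        self.outbound: Dict[Flow, int] = {}              # inside flow -> global port
        self.inbound: Dict[Tuple[str, int], Flow] = {}   # (proto, global port) -> inside flow

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when it is free; otherwise take the next free one.
        if self.first_port <= wanted <= self.last_port and (proto, wanted) not in self.inbound:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Translate an inside->outside packet's source. Returns the new
        (inside global IP, port), or None for a source that is not an inside local address."""
        if not is_private(src_ip):
            return None
        flow: Flow = (proto, src_ip, src_port)
        if flow not in self.outbound:
            port = self._allocate_port(proto, src_port)
            self.outbound[flow] = port
            self.inbound[(proto, port)] = flow
        return self.inside_global, self.outbound[flow]

    def translate_inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map an outside->inside packet back to (inside local IP, port). None means
        no inside host opened this flow, so the packet is dropped: this is why hosts
        behind PAT are not reachable unsolicited from outside."""
        flow = self.inbound.get((proto, dst_port))
        return None if flow is None else (flow[1], flow[2])


if __name__ == "__main__":
    # Constructed sample: two inside hosts that happen to use the same source port.
    gw = PatGateway("203.0.113.1")
    print(gw.translate_outbound("tcp", "192.168.1.10", 51000))   # ('203.0.113.1', 51000)
    print(gw.translate_outbound("tcp", "10.0.0.5", 51000))       # ('203.0.113.1', 1024)
    print(gw.translate_inbound("tcp", 1024))                     # ('10.0.0.5', 51000)
    print(gw.translate_inbound("tcp", 9999))                     # None
```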
NAT offers the following benefits:
Eliminates reassigning each host a new IP address when changing to a new ISP. NAT eliminates the need to readdress all hosts that require external access, saving time and money.
Conserves addresses through application port-level multiplexing. With PAT, internal hosts can share a single public IP address for all external communications. In this type of configuration, very few external addresses are required to support many internal hosts, thereby conserving IP addresses.
Protects network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access.
NAT has several advantages, including: 
NAT conserves the legally registered addressing scheme by allowing the privatization of intranets. 
Increases the flexibility of connections to the public network. Multiple pools, backup pools, and load balancing pools can be implemented to assure reliable public network connections. 
Consistency of the internal network addressing scheme. On a network without private IP addresses and NAT, changing public IP addresses requires the renumbering of all hosts on the existing network. The costs of renumbering hosts can be significant. NAT allows the existing scheme to remain while supporting a new public addressing scheme. 
Cisco IOS NAT supports the following traffic types:
ICMP 
File Transfer Protocol (FTP), including PORT and PASV commands 
NetBIOS over TCP/IP, datagram, name, and session services 
RealNetworks' RealAudio 
White Pines' CUSeeMe 
Xing Technologies' StreamWorks 
DNS "A" and "PTR" queries 
H.323/Microsoft NetMeeting, IOS versions 12.0(1)/12.0(1)T and later 
VDOnet's VDOLive, IOS versions 11.3(4)/11.3(4)T and later
VXtreme's Web Theater, IOS versions 11.3(4)/11.3(4)T and later
IP Multicast, IOS version 12.0(1)T with source address translation only  
Cisco IOS NAT does not support the following traffic types:
Routing table updates 
DNS zone transfers 
BOOTP 
talk and ntalk protocols 
Simple Network Management Protocol (SNMP)
DHCP
Dynamic Host Configuration Protocol (DHCP) works in a client/server mode. DHCP enables DHCP clients on an IP network to obtain their configurations from a DHCP server.
DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67. The server sends messages to the client on port 68.
Both DHCP and BOOTP are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.
The four basic IP parameters:
IP address
Gateway address
Subnet mask
DNS server address
BOOTP does not dynamically allocate IP addresses to a host. When a client requests an IP address, the BOOTP server searches a predefined table for an entry that matches the MAC address for the client.
There are two primary differences between DHCP and BOOTP:
DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period. This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment, if the client moves to another subnet. Clients may also renew leases and keep the same IP address.
DHCP provides the mechanism for a client to gather other IP configuration parameters, such as WINS and domain name. 
There are three mechanisms used to assign an IP address to the client: 
Automatic allocation – DHCP assigns a permanent IP address to a client.
Manual allocation – The IP address for the client is assigned by the administrator. DHCP conveys the address to the client.
Dynamic allocation – DHCP assigns, or leases, an IP address to the client for a limited period of time.
The DHCP client configuration process uses the following steps: 
1. A client must have DHCP configured when starting the network membership process. The client sends a request to a server requesting an IP configuration. Sometimes the client may suggest the IP address it wants, such as when requesting an extension to a DHCP lease. The client locates a DHCP server by sending a broadcast called a DHCPDISCOVER.
2. When the server receives the broadcast, it determines whether it can service the request from its own database. If it cannot, the server may forward the request on to another DHCP server. If it can, the DHCP server offers the client IP configuration information in the form of a unicast DHCPOFFER. The DHCPOFFER is a proposed configuration that may include IP address, DNS server address, and lease time.
3. If the client finds the offer agreeable, it will send another broadcast, a DHCPREQUEST, specifically requesting those particular IP parameters. Why does the client broadcast the request instead of unicasting it to the server? A broadcast is used because the first message, the DHCPDISCOVER, may have reached more than one DHCP server. If more than one server makes an offer, the broadcasted DHCPREQUEST allows the other servers to know which offer was accepted. The offer accepted is usually the first offer received.
4. The server that receives the DHCPREQUEST makes the configuration official by sending a unicast acknowledgment, the DHCPACK. It is possible, but highly unlikely, that the server will not send the DHCPACK. This may happen because the server may have leased that information to another client in the interim. Receipt of the DHCPACK message enables the client to begin using the assigned address immediately.
5. If the client detects that the address is already in use on the local segment it will send a DHCPDECLINE message and the process starts again. If the client received a DHCPNACK from the server after sending the DHCPREQUEST, then it will restart the process again.
6. If the client no longer needs the IP address, the client sends a DHCPRELEASE message to the server.
To disable the service, use the no service dhcp command. Use the service dhcp global configuration command to re-enable the DHCP server process.
To verify the operation of DHCP, the command show ip dhcp binding can be used. This displays a list of all bindings created by the DHCP service. 
To verify that messages are being received or sent by the router, use the command show ip dhcp server statistics. This will display count information regarding the number of DHCP messages that have been sent and received.
To troubleshoot the operation of the DHCP server, the command debug ip dhcp server events can be used. 
Because some clients are useless without services such as DHCP, one of two choices must be implemented. 
The administrator will need to place servers on all subnets or use the Cisco IOS helper address feature. 
Running services such as DHCP or DNS on several computers creates overhead and administrative difficulties making the first option inefficient. 
When possible, administrators should use the ip helper-address command to relay broadcast requests for these key UDP services.
By using the helper address feature, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address. By default, the ip helper-address command forwards the following eight UDP services:
Time
TACACS
DNS
BOOTP/DHCP Server
BOOTP/DHCP Client
TFTP
NetBIOS Name Service
NetBIOS datagram Service
The DHCP server receives the discover packet. The server uses the GIADDR field to index into the list of address pools, to find one which has the gateway address set to the value in GIADDR. 
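A model of the six-step exchange above together with the relay behaviour just described, as an added example that is not part of these notes: DISCOVER and REQUEST are broadcast to every server, the first offer wins, a REQUEST carrying another server's identifier makes the losing server stay silent, a server that cannot honour its own offer answers DHCPNAK, DECLINE takes the address out of circulation, RELEASE returns it, and a relay stamps GIADDR so the server can pick the matching pool. Server identifiers, pools and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Msg:
    kind: str                        # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, ...
    mac: str                         # client hardware address
    giaddr: str = "0.0.0.0"          # relay agent address, stamped by ip helper-address
    yiaddr: Optional[str] = None     # the offered / requested / released address
    server_id: Optional[str] = None  # which server's offer the client is answering


@dataclass
class Pool:
    gateway: str                     # compared with GIADDR; "0.0.0.0" = directly attached
    free: List[str]
    leases: Dict[str, str] = field(default_factory=dict)  # mac -> ip
    declined: Set[str] = field(default_factory=set)       # addresses reported in use


class DhcpServer:
    def __init__(self, server_id: str, pools: List[Pool]):
        self.server_id, self.pools = server_id, pools

    def _pool(self, giaddr: str) -> Optional[Pool]:
        # GIADDR indexes into the pool list, as the paragraph above describes.
        return next((p for p in self.pools if p.gateway == giaddr), None)

    def handle(self, m: Msg) -> Optional[Msg]:
        pool = self._pool(m.giaddr)
        if pool is None:
            return None                     # cannot service this request: stay silent

        def reply(kind: str, ip: Optional[str] = None) -> Msg:
            return Msg(kind, m.mac, m.giaddr, ip, self.server_id)

        if m.kind == "DHCPDISCOVER":
            # Renew an existing lease, else propose the first free address. Offers are
            # not reserved, which is what makes the DHCPNAK case below possible.
            ip = pool.leases.get(m.mac) or (pool.free[0] if pool.free else None)
            return reply("DHCPOFFER", ip) if ip else None
        if m.kind == "DHCPREQUEST":
            if m.server_id != self.server_id:
                return None                 # client accepted another server's offer
            ours = m.yiaddr in pool.free or pool.leases.get(m.mac) == m.yiaddr
            if not ours:
                return reply("DHCPNAK")     # handed to another client in the interim
            if m.yiaddr in pool.free:
                pool.free.remove(m.yiaddr)
            pool.leases[m.mac] = m.yiaddr
            return reply("DHCPACK", m.yiaddr)
        if m.kind == "DHCPRELEASE" and pool.leases.get(m.mac) == m.yiaddr:
            del pool.leases[m.mac]          # address goes back to the pool
            pool.free.append(m.yiaddr)
        if m.kind == "DHCPDECLINE":
            # The client saw the address in use on its segment: stop handing it out.
            pool.leases.pop(m.mac, None)
            if m.yiaddr in pool.free:
                pool.free.remove(m.yiaddr)
            pool.declined.add(m.yiaddr)
        return None


def broadcast(m: Msg, servers: List[DhcpServer], relay_ip: Optional[str] = None) -> List[Msg]:
    """Deliver a client broadcast to every server that hears it. With relay_ip set,
    the router's ip helper-address behaviour is modelled: GIADDR is stamped with the
    relay interface address and the message is unicast to each helper (all servers here)."""
    if relay_ip:
        m = Msg(m.kind, m.mac, relay_ip, m.yiaddr, m.server_id)
    return [r for r in (s.handle(m) for s in servers) if r is not None]


def obtain_lease(mac: str, servers: List[DhcpServer], relay_ip: Optional[str] = None) -> Optional[str]:
    """One client's DISCOVER/OFFER/REQUEST/ACK. Returns the leased address, or None if
    no offer arrives or the chosen server answers DHCPNAK (the client would then restart)."""
    offers = broadcast(Msg("DHCPDISCOVER", mac), servers, relay_ip)
    if not offers:
        return None
    chosen = offers[0]                      # the first offer received is usually taken
    # The REQUEST is broadcast too, so servers whose offers were not taken learn that.
    request = Msg("DHCPREQUEST", mac, yiaddr=chosen.yiaddr, server_id=chosen.server_id)
    replies = broadcast(request, servers, relay_ip)
    ack = next((r for r in replies if r.kind == "DHCPACK"), None)
    return ack.yiaddr if ack else None


if __name__ == "__main__":
    # Constructed sample: one server with a local pool and a pool for a relayed subnet.
    srv = DhcpServer("10.0.0.1", [Pool("0.0.0.0", ["10.0.0.50"]),
                                  Pool("10.2.0.1", ["10.2.0.50", "10.2.0.51"])])
    print(obtain_lease("aa:bb:cc:00:00:01", [srv]))                       # 10.0.0.50
    print(obtain_lease("aa:bb:cc:00:00:02", [srv], relay_ip="10.2.0.1"))  # 10.2.0.50
```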
WAN technologies
A copper or fiber cable connects the CPE to the service provider’s nearest exchange or central office (CO). This cabling is often called the local loop, or "last-mile".
Devices that put data on the local loop are called data circuit-terminating equipment, or data communications equipment (DCE).
The customer devices that pass the data to the DCE are called data terminal equipment (DTE)
The bps values are generally full duplex. This means that an E1 line can carry 2 Mbps, or a T1 can carry 1.5 Mbps, in each direction simultaneously.
The communications link needs signals in an appropriate format. For digital lines, a channel service unit (CSU) and a data service unit (DSU) are required.
A variety of different technologies are used, such as ISDN, Frame Relay or Asynchronous Transfer Mode (ATM). 
LAPB – X.25
LAPD – ISDN
LAPF – Frame Relay
HDLC – Cisco default
PPP – dialup
ISDN
Integrated Services Digital Network (ISDN) turns the local loop into a TDM digital connection. The connection uses 64 kbps bearer channels (B) for carrying voice or data and a signaling, delta channel (D) for call set-up and other purposes.
Basic Rate Interface (BRI) ISDN is intended for the home and small enterprise and provides two 64 kbps B channels and a 16 kbps D channel.
For larger installations, Primary Rate Interface (PRI) ISDN is available. PRI delivers twenty-three 64 kbps B channels and one 64 kbps D channel in North America, for a total bit rate of up to 1.544 Mbps.
In Europe, Australia, and other parts of the world, ISDN PRI provides thirty B channels and one D channel for a total bit rate of up to 2.048 Mbps, including synchronization overhead.
In North America PRI corresponds to a T1 connection. The rate of international PRI corresponds to an E1 connection.
LEASED LINES POINT TO POINT
DEDICATED LINES
X25 SVC or PVC 
The resulting SVC is identified by a channel number. Data packets labeled with the channel number are delivered to the corresponding address. 
Multiple channels can be active on a single connection.
X.25 technology is no longer widely available as a WAN technology in the US. Frame Relay has replaced X.25 at many service provider locations.
Frame Relay
Frame Relay differs from X.25 in several aspects. Most importantly, it is a much simpler protocol that works at the data link layer rather than the network layer.
Most Frame Relay connections are PVCs rather than SVCs. 
Frame Relay provides permanent shared medium bandwidth connectivity that carries both voice and data traffic. Frame Relay is ideal for connecting enterprise LANs
ATM
Communications providers saw a need for a permanent shared network technology that offered very low latency and jitter at much higher bandwidths.
Their solution was Asynchronous Transfer Mode (ATM). 
ATM has data rates beyond 155 Mbps. As with the other shared technologies, such as X.25 and Frame Relay, diagrams for ATM WANs look the same.
ATM cells are always a fixed length of 53 bytes. The 53 byte ATM cell contains a 5 byte ATM header followed by 48 bytes of ATM payload. 
Small, fixed-length cells are well suited for carrying voice and video traffic because this traffic is intolerant of delay. 
Video and voice traffic do not have to wait for a larger data packet to be transmitted.
ATM offers both PVCs and SVCs, although PVCs are more common with WANs
DSL
Digital Subscriber Line (DSL) technology is a broadband technology that uses existing twisted-pair telephone lines to transport high-bandwidth data to service subscribers.
DSL service is considered broadband, as opposed to the baseband service for typical LANs. Broadband refers to a technique which uses multiple frequencies within the same physical medium to transmit data. The term xDSL covers a number of similar yet competing forms of DSL technologies: 
Asymmetric DSL (ADSL)
Symmetric DSL (SDSL)
High Bit Rate DSL (HDSL)
ISDN (like) DSL (IDSL)
Rate Adaptive DSL (RADSL)
Consumer DSL (CDSL), also called DSL-lite or G.lite
To address security concerns, DSL services provide capabilities for using Virtual Private Network (VPN) connections to a VPN server, which is typically located at the corporate site. 
Cable MODEM
Coaxial cable is widely used in urban areas to distribute television signals. Network access is available from some cable television networks. This allows for greater bandwidth than the conventional telephone local loop.
Information that would take two minutes to download using ISDN BRI can be downloaded in two seconds through a cable modem connection. 
A cable modem is capable of delivering up to 30 to 40 Mbps of data on one 6 MHz cable channel. This is almost 500 times faster than a 56 Kbps modem.
PPP
Time-Division Multiplexing (TDM) is the transmission of several sources of information using one common channel, or signal, and then the reconstruction of the original streams at the remote end.
One TDM example is Integrated Services Digital Network (ISDN). ISDN basic rate (BRI) has three channels consisting of two 64 kbps B-channels (B1 and B2), and a 16 kbps D-channel. The TDM has nine timeslots, which are repeated. 
The following examples of derivative protocols are called link access protocols:
Link Access Procedure, Balanced (LAPB) for X.25 
Link Access Procedure on the D channel (LAPD) for ISDN 
Link Access Procedure for Modems (LAPM) and PPP for modems 
Link Access Procedure for Frame Relay (LAPF) for Frame Relay
On the serial interface, enter the encapsulation hdlc command to specify the encapsulation protocol.
Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. When communicating with a non-Cisco device, synchronous PPP is a more viable option.
Five possible problem states can be identified in the interface status line of the show interfaces serial display:
Serial x is down, line protocol is down
Serial x is up, line protocol is down
Serial x is up, line protocol is up (looped)
Serial x is up, line protocol is down (disabled)
Serial x is administratively down, line protocol is down
Following are some debug commands that are useful when troubleshooting serial and WAN problems:
debug serial interface – Verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.
debug arp – Indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.
debug frame-relay lmi – Obtains Local Management Interface (LMI) information which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets. 
debug frame-relay events – Determines whether exchanges are occurring between a router and a Frame Relay switch.
debug ppp negotiation – Shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup where PPP options are negotiated.
debug ppp packet – Shows PPP packets being sent and received. This command displays low-level packet dumps.
debug ppp error – Shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.
debug ppp authentication – Shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.
PPP is made up of two sub-protocols:
Link Control Protocol – Used for establishing the point-to-point link.
Network Control Protocol – Used for configuring the various network layer protocols.
PPP can be configured on the following types of physical interfaces:
Asynchronous serial
Synchronous serial
High-Speed Serial Interface (HSSI)
Integrated Services Digital Network (ISDN)
PPP also uses LCP to automatically agree upon encapsulation format options such as:
Authentication – Authentication options require that the calling side of the link enter information to help ensure the caller has the network administrator's permission to make the call. Peer routers exchange authentication messages. Two authentication choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
Compression – Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.
Error detection – Error detection mechanisms with PPP enable a process to identify fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link.
Multilink – Cisco IOS Release 11.1 and later supports multilink PPP. This alternative provides load balancing over the router interfaces that PPP uses.
PPP Callback – To further enhance security, Cisco IOS Release 11.1 offers callback over PPP. With this LCP option, a Cisco router can act as a callback client or as a callback server. The client makes the initial call, requests that it be called back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on its configuration statements.
LCP will also do the following:
Handle varying limits on packet size
Detect common misconfiguration errors
Terminate the link
Determine when a link is functioning properly or when it is failing
When configuring PPP authentication, the network administrator can select Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).
In general, CHAP is the preferred protocol.
CHAP is used at the startup of a link and periodically verifies the identity of the remote node using a three-way handshake. CHAP is performed upon initial link establishment and is repeated during the time the link is established.
The following example enables PPP encapsulation on serial interface 0/0:
Router#configure terminal
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
To configure compression over PPP, enter the following commands:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#compress [predictor | stac]
Enter the following to monitor the data dropped on the link, and avoid frame looping:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp quality percentage 
The following commands perform load balancing across multiple links:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink
Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation.
The debug ppp authentication command displays the authentication exchange sequence. 
PPP is more robust than HDLC because it provides a mechanism for authentication and negotiation of compatible link and protocol configuration.
ISDN
ISDN allows multiple digital channels to operate simultaneously through the same regular phone wiring used for analog lines, but ISDN transmits a digital signal rather than analog.
Latency is much lower on an ISDN line than on an analog line.
Dial-on-demand routing (DDR) is a technique developed by Cisco that allows the use of existing telephone lines to form a wide-area network (WAN), instead of using separate, dedicated lines.
The ITU-T groups and organizes the ISDN protocols according to the following general topic areas: 
E Protocols – Recommend telephone network standards for ISDN. For example, the E.164 protocol describes international addressing for ISDN.
I Protocols – Deal with concepts, terminology, and general methods. The I.100 series includes general ISDN concepts and the structure of other I-series recommendations. I.200 deals with service aspects of ISDN. I.300 describes network aspects. I.400 describes how the UNI is provided.
Q Protocols – Cover how switching and signaling should operate. The term signaling in this context means the process of establishing an ISDN call.
ISDN standards define two main channel types, each with a different transmission rate. The bearer channel, or B channel, is defined as a clear digital path of 64 kbps. 
It is said to be clear because it can be used to transmit any type of digitized data in full-duplex mode. For example, a digitized voice call can be transmitted on a single B channel. 
The second channel type is called a delta channel, or D channel. It is 16 kbps for the Basic Rate Interface (BRI) or 64 kbps for the Primary Rate Interface (PRI).
The D channel is used to carry control information for the B channel. 
The overhead bits of an ISDN physical layer frame are used as follows: 
Framing bit – Provides synchronization
Load balancing bit – Adjusts the average bit value
Echo of previous D channel bits – Used for contention resolution when several terminals on a passive bus contend for a channel
Activation bit – Activates devices
Spare bit – Unassigned
Note that the physical bit rate for the BRI interface is 48*4000 = 192 kbps. The effective rate is 144 kbps = 64 kbps + 64 kbps + 16 kbps (2B+D).
Layer 2 of the ISDN signaling channel is LAPD. LAPD is similar to HDLC. LAPD is used across the D channel to ensure that control and signaling information is received and flows properly
Several exchanges must occur for one router to connect to another using ISDN. To establish an ISDN call, the D channel is used between the router and the ISDN switch. 
Signal System 7 (SS7) signaling is used between the switches within the service provider network. 
The following sequence of events occurs during the establishment of a BRI or PRI call:
1. The D channel is used to send the called number to the local ISDN switch.
2. The local switch uses the SS7 signaling protocol to set up a path and pass the called number to the remote ISDN switch.
3. The remote ISDN switch signals the destination over the D channel.
4. The destination ISDN NT-1 device sends the remote ISDN switch a call-connect message.
5. The remote ISDN switch uses SS7 to send a call-connect message to the local switch.
6. The local ISDN switch connects one B channel end-to-end, leaving the other B channel available for a new conversation or data transfer. Both B channels can be used simultaneously.
To connect devices that perform specific functions, the interface between the two devices needs to be well defined. These interfaces are called reference points.
The reference points that affect the customer side of the ISDN connection are as follows:
R – References the connection between a non-ISDN compatible device Terminal Equipment type 2 (TE2) and a Terminal Adapter (TA), for example an RS-232 serial interface.
S – References the points that connect into the customer switching device Network Termination type 2 (NT2) and enables calls between the various types of customer premises equipment.
T – Electrically identical to the S interface, it references the outbound connection from the NT2 to the ISDN network or Network Termination type 1 (NT1).
U – References the connection between the NT1 and the ISDN network owned by the telephone company.
Because the S and T references are electrically similar, some interfaces are labeled S/T interfaces. 
To select a Cisco router with the appropriate ISDN interface, do the following:
1. Determine whether the router supports ISDN BRI. Look on the back of the router for a BRI connector or a BRI WAN Interface Card (WIC).
2. Determine the provider of the NT1. An NT1 terminates the local loop to the central office (CO) of the ISDN service provider. In the United States, the NT1 is Customer Premise Equipment (CPE), meaning that it is the responsibility of the customer. In Europe, the service provider typically supplies the NT1.
3. If the NT1 is CPE, make sure the router has a U interface. If the router has an S/T interface, then it will need an external NT1 to connect to the ISDN provider.
If the router has a connector labeled BRI then it is already ISDN-enabled. With a native ISDN interface already built in, the router is a TE1. If the router has a U interface, it also has a built-in NT1.
If the router does not have a connector labeled BRI, and it is a fixed-configuration, or non-modular router, then it must use an existing serial interface. With non-native ISDN interfaces such as serial interfaces, an external TA device must be attached to the serial interface to provide BRI connectivity. If the router is modular it may be possible to upgrade to a native ISDN interface, providing it has an available slot.
Caution: A router with a U interface should never be connected to an NT1 as it will damage the interface.
A SPID is a number provided by the ISDN carrier to identify the line configuration of the BRI service. SPIDs allow multiple ISDN devices, such as voice and data equipment, to share the local loop. SPIDs are required by DMS-100 and National ISDN-1 switches.
Each SPID points to line setup and configuration information. SPIDs are a series of characters that usually resemble telephone numbers. 
Configuring the isdn switch-type command in the global configuration mode sets the ISDN switch type identically for all ISDN interfaces.
Configuration of ISDN BRI is a mix of global and interface commands.
To configure the ISDN switch type, use the isdn switch-type command in global configuration mode: 
Router(config)#isdn switch-type switch-type 
To disable the switch on the ISDN interface, specify isdn switch-type none. The following example configures the National ISDN-1 switch type in the global configuration mode:
Router(config)#isdn switch-type basic-ni 
This command is used to define the SPID numbers that have been assigned for the B channels: 
Router(config-if)#isdn spid1 spid-number [ldn]
Router(config-if)#isdn spid2 spid-number [ldn]
The optional ldn argument defines a local dial directory number.
To enter interface configuration mode, use the interface bri command in the global configuration mode:
Router(config)#interface bri slot/port
Router(config)#interface bri0/0
Router(config-if)#isdn spid1 51055540000001 5554000
Router(config-if)#isdn spid2 51055540010001 5554001
To confirm BRI operations, use the show isdn status command to inspect the status of the BRI interfaces.
The show isdn active command displays current call information, including all of the following:
Called number
Time until the call is disconnected 
Advice of charge (AOC) 
Charging units used during the call
Whether the AOC information is provided during calls or at end of calls
The show interface bri0/0:1 command shows the following:
The B channel is using PPP encapsulation.
LCP has negotiated and is open.
There are two NCPs running, IPCP and Cisco Discovery Protocol Control Protocol (CDPCP). 
The following commands are used to debug and troubleshoot the ISDN configuration: 
The debug isdn q921 command shows data link layer, or Layer 2, messages on the D channel between the router and the ISDN switch. Use this command if the show isdn status command does not show Layer 1 as ACTIVE and Layer 2 as MULTIPLE_FRAME_ESTABLISHED.
The debug isdn q931 command shows the exchange of call setup and teardown messages of the Layer 3 ISDN connection.
The debug ppp authentication command displays the PPP authentication protocol messages, including Challenge Handshake Authentication Protocol (CHAP) packet exchanges and Password Authentication Protocol (PAP) exchanges.
The debug ppp negotiation command displays information on PPP traffic and exchanges while the PPP components are negotiated. This includes LCP, authentication, and NCP exchanges. A successful PPP negotiation will first open the LCP state, then authenticate, and finally negotiate NCP.
The debug ppp error command displays protocol errors and error statistics associated with PPP connection negotiation and operation. Use the debug ppp commands to troubleshoot a Layer 2 problem if the show isdn status command does not indicate an ISDN problem.
DDR
Dial-on-demand routing (DDR) is triggered when traffic that matches a predefined set of criteria is queued to be sent out a DDR-enabled interface.
The key to efficient DDR operation is in the definition of interesting traffic. Interesting traffic is defined with the dialer-list command.
DDR is implemented in Cisco routers in the following steps:
1. The router receives traffic, performs a routing table lookup to determine if there is a route to the destination, and identifies the outbound interface.
2. If the outbound interface is configured for DDR, the router does a lookup to determine if the traffic is interesting.
3. The router identifies the dialing information necessary to make the call using a dialer map to access the next-hop router.
4. The router then checks to see if the dialer map is in use. If the interface is currently connected to the desired remote destination, the traffic is sent. If the interface is not currently connected to the remote destination, the router sends call-setup information through the BRI using the D channel.
5. After the link is enabled, the router transmits both interesting and uninteresting traffic. Uninteresting traffic can include data and routing updates.
6. The idle timer starts and runs as long as no interesting traffic is seen during the idle timeout period, and the call is disconnected based on the idle timer configuration.
To configure legacy DDR perform the following steps:
Define static routes
Specify interesting traffic
Configure the dialer information 
VLANS
There are three basic VLAN memberships for determining and controlling how a packet gets assigned:
Port-based VLANs
MAC address based VLANs
Protocol based VLANs
There are two major methods of frame tagging, Inter-Switch Link (ISL) and 802.1Q. ISL used to be the most common, but is now being replaced by 802.1Q frame tagging.
LAN emulation (LANE) is a way to make an Asynchronous Transfer Mode (ATM) network simulate an Ethernet network. There is no tagging in LANE, but the virtual connection used implies a VLAN ID. 
The goal of end-to-end VLANs is to maintain 80 percent of the traffic on the local VLAN.
The following guidelines must be followed when configuring VLANs on Cisco 29xx switches:
The maximum number of VLANs is switch dependent.
VLAN 1 is one of the factory-default VLANs.
VLAN 1 is the default Ethernet VLAN.
Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) advertisements are sent on VLAN 1.
The Catalyst 29xx IP address is in the VLAN 1 broadcast domain by default.
The switch must be in VTP server mode to create, add, or delete VLANs.
The steps necessary to create the VLAN are shown below. A VLAN name may also be configured, if necessary. 
Switch#vlan database
Switch(vlan)#vlan vlan_number
Switch(vlan)#exit
Upon exiting, the VLAN is applied to the switch. The next step is to assign the VLAN to one or more interfaces: 
Switch(config)#interface fastethernet 0/9
Switch(config-if)#switchport access vlan vlan_number
A good practice is to verify VLAN configuration by using the show vlan, show vlan brief, or show vlan id id_number commands.
The following facts apply to VLANs:
A created VLAN remains unused until it is mapped to switch ports.
All Ethernet ports are on VLAN 1 by default.
In the example, FastEthernet 0/9 was assigned to VLAN 300 with the interface configuration command switchport access vlan 300.
To remove this VLAN from the interface, simply use the no form of the command.
The Spanning-Tree Protocol (STP) is considered one of the most important Layer 2 protocols on the Catalyst switches.  By preventing logical loops in a bridged network, STP allows Layer 2 redundancy without generating broadcast storms.
Minimize spanning-tree problems by actively developing a baseline study of the network.
The show vlan command displays information about the VLANs on the router. The show vlan command followed by the VLAN number displays specific information about that VLAN on the router. Output from the command includes the VLAN ID, router subinterface, and protocol information.
The first part of the show spanning-tree output lists global spanning tree configuration parameters, followed by those that are specific to given interfaces.
The debug sw-vlan packets command displays general information about VLAN packets that the router received but is not configured to support. VLAN packets that the router is configured to route or switch are counted and indicated when using the show sw-vlan command.
When having difficulty with a trunk connection between a switch and a router, be sure to consider the following possible causes:
1. Make sure that the port is connected and not receiving any physical-layer, alignment or frame-check-sequence (FCS) errors. This can be done with the show interface command on the switch.
2. Verify that the duplex and speed are set properly between the switch and the router. This can be done with the show int status command on the switch or the show interface command on the router.
3. Configure the physical router interface with one subinterface for each VLAN that will route traffic. Verify this with the show interface IOS command. Also, make sure that each subinterface on the router has the proper encapsulation type, VLAN number, IP address, and subnet mask configured. This can be done with the show interface or show running-config IOS commands.
4. Confirm that the router is running an IOS release that supports trunking. This can be verified with the show version command. 
Scenario 2: VTP is not correctly propagating VLAN configuration changes.
When VTP is not correctly propagating configuration updates to other switches in the VTP domain, check the following possible causes:
1. Make sure the switches are connected through trunk links. VTP updates are exchanged only over trunk links. This can be verified with the show int status command.
2. Make sure the VTP domain name is the same on all switches that need to communicate with each other. VTP updates are exchanged only between switches in the same VTP domain. This scenario is one of the most common VTP problems. It can be verified with the show vtp status command on the participating switches.
3. Check the VTP mode of the switch. If the switch is in VTP transparent mode, it will not update its VLAN configuration dynamically. Only switches in VTP server or VTP client mode update their VLAN configuration based on VTP updates from other switches. Again, use the show vtp status command to verify this.
4. If using VTP passwords, the same password must be configured on all switches in the VTP domain. To clear an existing VTP password, use the no vtp password password command in VLAN database mode.
Scenario 3: Dropped packets and loops.
Spanning-tree bridges use topology change notification Bridge Protocol Data Unit packets (BPDUs) to notify other bridges of a change in the spanning-tree topology of the network. The bridge with the lowest identifier in the network becomes the root. Bridges send these BPDUs any time a port makes a transition to or from a forwarding state, as long as there are other ports in the same bridge group. These BPDUs migrate toward the root bridge. 
There can be only one root bridge per bridged network. An election process determines the root bridge. The root determines values for configuration messages, in the BPDUs, and then sets the timers for the other bridges. Other designated bridges determine the shortest path to the root bridge and are responsible for advertising BPDUs to other bridges through designated ports. A bridge should have ports in the blocking state if there is a physical loop. 
Problems can arise for internetworks in which both IEEE and DEC spanning-tree algorithms are used by bridging nodes. These problems are caused by differences in the way the bridging nodes handle spanning tree BPDU packets, or hello packets, and in the way they handle data. 
In this scenario, Switch A, Switch B, and Switch C are running the IEEE spanning-tree algorithm. Switch D is inadvertently configured to use the DEC spanning-tree algorithm.
Switch A claims to be the IEEE root and Switch D claims to be the DEC root. Switch B and Switch C propagate root information on all interfaces for IEEE spanning tree. However, Switch D drops IEEE spanning-tree information. Similarly, the other switches ignore Switch D's claim to be root.
The result is that none of the bridges believe there is a loop, so when a broadcast packet is sent on the network, a broadcast storm results over the entire internetwork. This broadcast storm will include Switches X and Y, and beyond.
To resolve this problem, reconfigure Switch D for IEEE. Although a configuration change is necessary, it might not be sufficient to reestablish connectivity. There will be a reconvergence delay as devices exchange BPDUs and recompute a spanning tree for the network. 
VTP
VLAN trunking uses tagged frames to allow multiple VLANs to be carried throughout a large switched network over shared backbones.
Manually configuring and maintaining VLAN Trunking Protocol (VTP) on numerous switches can be challenging. The benefit of VTP is that, once a network is configured with VTP, many of the VLAN configuration tasks are automatic.
The most common tagging schemes for Ethernet segments are listed below:
ISL – Cisco proprietary Inter-Switch Link protocol.
802.1Q – IEEE standard that will be focused on in this section.
ISL is a protocol that maintains VLAN information as traffic flows between the switches. With ISL, an Ethernet frame is encapsulated with a header that contains a VLAN ID. 
Before attempting to configure a VLAN trunk on a port, determine what encapsulation the port can support. This can be done using the show port capabilities command.
In the example, notice in the highlighted text that Port 2/1 will support only the IEEE 802.1Q encapsulation.
Verify that trunking has been configured and verify the settings by using the show trunk [mod_num/port_num] command from privileged mode on the switch.
VLAN Trunking Protocol (VTP) was created to solve operational problems in a switched network with VLANs. 
A single incorrect VLAN assignment could cause two potential problems:
Cross-connected VLANs due to VLAN configuration inconsistencies
VLAN misconfiguration across mixed media environments such as Ethernet and Fiber Distributed Data Interface (FDDI)
VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a single domain. Further, VTP allows for centralized changes that are communicated to all other switches in the network. 
VTP messages are encapsulated in either Cisco proprietary Inter-Switch Link (ISL) or IEEE 802.1Q protocol frames, and passed across trunk links to other devices. In IEEE 802.1Q frames a 4 byte field is added that tags the frame. Both formats carry the VLAN ID.
VTP switches operate in one of three modes:
Server
Client
Transparent
A higher configuration revision number indicates that the VLAN information that is being sent is more current than the stored copy.
Any time a switch receives an update that has a higher configuration revision number the switch will overwrite the stored information with the new information being sent in the VTP update. Switch F will not process the update because it is in a different domain. 
This overwrite process means that if the VLAN does not exist in the new database, it is deleted from the switch. 
In addition, VTP maintains its own NVRAM. An erase startup-configuration clears the NVRAM of configuration commands, but not the VTP database revision number. To set the configuration revision number back to zero, the switch must be rebooted. 
By default, server and client Catalyst switches issue summary advertisements every five minutes. Servers inform neighbor switches what they believe to be the current VTP revision number.
Subset advertisements contain detailed information about VLANs such as VTP version type, domain name and related fields, and the configuration revision number. The following can trigger these advertisements:
Creating or deleting a VLAN
Suspending or activating a VLAN
Changing the name of a VLAN
Changing the maximum transmission unit (MTU) of a VLAN
Advertisements may contain some or all of the following information:
Management domain name. Advertisements with different names are ignored.
Configuration revision number. The higher number indicates a more recent configuration.
Message Digest 5 (MD5). The MD5 digest is sent with the VTP advertisement when a password has been assigned. If the digest does not match, the update is ignored.
Updater identity. The updater identity is the identity of the switch that is sending the VTP summary advertisement.
Two different versions of VTP are available, Version 1 and Version 2. The two versions are not interoperable. If a switch is configured in a domain for VTP Version 2, all switches in the management domain must be configured for VTP Version 2. 
VTP Version 1 is the default. VTP Version 2 is implemented when a feature that it offers, but Version 1 does not, is required. The most common such feature is Token Ring VLAN support.
To configure the VTP version on a Cisco IOS command-based switch, first enter VLAN database mode, then use the following command to change the VTP version:
Switch#vlan database
Switch(vlan)#vtp v2-mode
If the switch being installed is the first switch in the network, create the management domain. If the management domain has been secured, configure a password for the domain. 
To create a management domain use the following command:
Switch(vlan)#vtp domain cisco
The domain name can be between 1 and 32 characters. The password must be between 8 and 64 characters long.
To add a VTP client to an existing VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Use the show vtp status command. 
Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. 
If a switch is added that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain.
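The acceptance rules above (same domain, non-transparent mode, matching MD5 digest, higher revision, then wholesale overwrite of the VLAN table) can be traced with a small simulation. This is an added example, not Cisco code or output; the VtpSwitch class, the digest construction (real VTP hashes the whole VLAN database together with the password; here only domain, password, revision and VLAN table are hashed) and the safe_to_join check are constructed for illustration:

```python
import hashlib

def vtp_digest(domain, password, revision, vlans):
    """Constructed stand-in for the MD5 digest in a VTP summary advertisement.
    Enough to show why an update from a switch with a different password is ignored."""
    material = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(material).hexdigest()

class VtpSwitch:
    def __init__(self, name, domain, mode="client", password="", revision=0, vlans=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("VTP mode must be server, client or transparent")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})   # VLAN 1 always exists

    def summary_advertisement(self):
        """Domain name, revision, updater identity and digest, as listed in the text."""
        return {"domain": self.domain, "revision": self.revision, "updater": self.name,
                "vlans": dict(self.vlans),
                "md5": vtp_digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv):
        """Apply the acceptance rules and report what happened.  The VLAN table is
        overwritten wholesale, so VLANs absent from the advertised database are deleted."""
        if adv["domain"] != self.domain:
            return "ignored: different management domain"
        if self.mode == "transparent":
            return "ignored: transparent mode does not update its database"
        if adv["md5"] != vtp_digest(self.domain, self.password, adv["revision"], adv["vlans"]):
            return "ignored: MD5 mismatch (VTP password differs)"
        if adv["revision"] <= self.revision:
            return "ignored: revision %d is not higher than %d" % (adv["revision"], self.revision)
        deleted = sorted(set(self.vlans) - set(adv["vlans"]))
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "applied revision %d from %s; deleted VLANs %s" % (self.revision, adv["updater"], deleted)

def safe_to_join(candidate, domain_revision):
    """The pre-insertion check from the text: the revision shown by 'show vtp status' on the
    new switch must be lower than the domain's, otherwise its database can replace the domain's."""
    return candidate.revision < domain_revision

if __name__ == "__main__":
    # Constructed scenario: a production server at revision 5 and a lab switch that was
    # left in the same domain with the same password but a stale, higher revision.
    core = VtpSwitch("Core", "cisco", "server", "s3cret", 5,
                     {1: "default", 10: "users", 20: "servers"})
    lab = VtpSwitch("Lab", "cisco", "server", "s3cret", 20, {1: "default"})
    print("safe to join:", safe_to_join(lab, core.revision))
    print(core.receive(lab.summary_advertisement()))
    print("core VLANs now:", core.vlans)
```

Running the scenario shows the revision check refusing the lab switch, and what happens if it is connected anyway: the core server accepts revision 20 and VLANs 10 and 20 disappear, which is exactly the failure the text warns about.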
To set the correct mode of the Cisco IOS command-based switch, use the following command:
Switch(vlan)#vtp {client | server | transparent}
The figure shows the output of the show vtp status command. This command is used to verify VTP configuration settings on a Cisco IOS command-based switch.
The figure shows an example of the show vtp counters command. This command is used to display statistics about advertisements sent and received on the switch.
The following are some VLAN configuration considerations:
A switch creates a broadcast domain
VLANs help manage broadcast domains
VLANs can be defined on port groups, users or protocols
LAN switches and network management software provide a mechanism to create VLANs
When a node in one VLAN needs to communicate with a node in another VLAN, a router is necessary to route the traffic between VLANs. Without the routing device, inter-VLAN traffic would not be possible.
In a traditional situation, a network with four VLANs would require four physical connections between the switch and the external router.
As technologies such as Inter-Switch Link (ISL) became more common, network designers began to use trunk links to connect routers to switches.
The dashed lines in the example refer to the multiple logical links running over this physical link using subinterfaces. 
The router can support many logical interfaces on individual physical links. For example, the Fast Ethernet interface FastEthernet 0/0 might support three virtual interfaces numbered FastEthernet 0/0.1, 0/0.2 and 0/0.3.
A subinterface is a logical interface within a physical interface, such as the Fast Ethernet interface on a router.
In order to route between VLANs with subinterfaces, a subinterface must be created for each VLAN.
To define subinterfaces on a physical interface, perform the following tasks: 
Identify the interface. 
Define the VLAN encapsulation. 
Assign an IP address to the interface. 
To identify the interface, use the interface command in global configuration mode.
Router(config)#interface fastethernet port-number.subinterface-number
The port-number identifies the physical interface, and the subinterface-number identifies the virtual interface.
The router must be able to talk to the switch using a standardized trunking protocol. This means that both devices that are connected together must understand each other. In the example, 802.1q is used. To define the VLAN encapsulation, enter the encapsulation command in interface configuration mode.
Router(config-if)#encapsulation dot1q vlan-number
The vlan-number identifies the VLAN for which the subinterface will carry traffic. A VLAN ID is added to the frame only when the frame is destined for a nonlocal network. Each VLAN packet carries the VLAN ID within the packet header.
To assign the IP address to the interface, enter the following command in interface configuration mode.
Router(config-if)#ip address ip-address subnet-mask
The ip-address and subnet-mask are the 32-bit network address and mask of the specific interface.
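The 4-byte 802.1Q tag mentioned in the VTP section, and the way a router demultiplexes tagged frames onto the dot1q subinterfaces configured above, can both be seen by building and parsing a tagged frame. This is an added example in Python, not code from the page or from Cisco; the MAC addresses, the subinterface table and the select_subinterface helper are constructed for illustration:

```python
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

def build_tagged_frame(dst, src, vlan_id, payload, pcp=0, dei=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame with the 4-byte 802.1Q tag inserted after the source MAC.
    dst/src are 6-byte MACs; the tag is TPID (2 bytes) + TCI (PCP:3, DEI:1, VID:12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Return the VLAN ID (None if untagged), priority bits, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                "ethertype": inner_type, "payload": frame[18:]}
    return {"vlan": None, "pcp": None, "dei": None, "ethertype": ethertype, "payload": frame[14:]}

def select_subinterface(frame, subinterfaces, physical="FastEthernet0/0"):
    """Mimic a router receiving a trunk: a tagged frame goes to the subinterface whose
    'encapsulation dot1q <vlan>' matches; an untagged frame belongs to the physical
    interface; a tag for a VLAN with no subinterface is dropped (None)."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return physical
    return subinterfaces.get(info["vlan"])

# Constructed sample: VLAN-to-subinterface table and MAC addresses
SUBINTERFACES = {10: "FastEthernet0/0.10", 20: "FastEthernet0/0.20", 300: "FastEthernet0/0.300"}
DST = bytes.fromhex("00005e000101")
SRC = bytes.fromhex("0050561a2b3c")

if __name__ == "__main__":
    frame = build_tagged_frame(DST, SRC, 300, b"\x45" + b"\x00" * 19)
    print(parse_frame(frame)["vlan"], "->", select_subinterface(frame, SUBINTERFACES))
```

The parser checks the EtherType position for 0x8100 before reading a tag, so an untagged frame is never misread; a tag for an unconfigured VLAN yields None, which is the behaviour to expect when a switch trunks a VLAN the router has no subinterface for.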
FRAME RELAY
Frame Relay uses a subset of the high-level data link control (HDLC) protocol called Link Access Procedure for Frame Relay (LAPF). Frames carry data between user devices called data terminal equipment (DTE), and the data communications equipment (DCE) at the edge of the WAN.
Originally Frame Relay was designed to allow ISDN equipment to have access to a packet-switched service on a B channel. However, Frame Relay is now a stand-alone technology.
The connection through the Frame Relay network between two DTEs is called a virtual circuit (VC).
Virtual circuits may be established dynamically by sending signaling messages to the network. In this case they are called switched virtual circuits (SVCs). 
However, SVCs are not very common. Generally permanent virtual circuits (PVCs) that have been preconfigured by the carrier are used. 
The various virtual circuits on a single access line can be distinguished because each VC has its own Data Link Channel Identifier (DLCI).
The DLCI is stored in the address field of every frame transmitted. The DLCI usually has only local significance and may be different at each end of a VC.
Frame Relay functions by doing the following:
Takes data packets from a network layer protocol, such as IP or IPX
Encapsulates them as the data portion of a Frame Relay frame
Passes them to the physical layer for delivery on the wire
The serial connection or access link to the Frame Relay network is normally a leased line. The speed of the line is the access speed or port speed.
Port speeds are typically between 64 kbps and 4 Mbps. Some providers offer speeds up to 45 Mbps.
Usually there are several PVCs operating on the access link with each VC having dedicated bandwidth availability. This is called the committed information rate (CIR). The CIR is the rate at which the service provider agrees to accept bits on the VC. 
The difference between the CIR and the maximum, whether the maximum is port speed or lower, is called the Excess Information Rate (EIR).
The time interval over which the rates are calculated is called the committed time (Tc). The number of committed bits in Tc is the committed burst (Bc). The extra number of bits above the committed burst, up to the maximum speed of the access link, is the excess burst (Be).
When a switch sees its queue increasing, it tries to reduce the flow of frames to it. It does this by notifying DTEs of the problem by setting the Explicit Congestion Notification (ECN) bits in the frame address field.
The Forward ECN (FECN) bit is set on every frame that the switch receives on the congested link. The Backward ECN (BECN) bit is set on every frame that the switch places onto the congested link.
If the congestion occurs on an internal trunk, DTEs may receive notification even though they are not the cause of the congestion.
The DE, FECN and BECN bits are part of the address field in the LAPF frame.
Frame Relay was designed to provide packet-switched data transfer with minimal end-to-end delays.
The extensions that add status transfer between the DTE and the network are called the Local Management Interface (LMI).
The 10-bit DLCI field allows VC identifiers 0 through 1023. The LMI extensions reserve some of these identifiers. This reduces the number of permitted VCs. LMI messages are exchanged between the DTE and DCE using these reserved DLCIs.
The LMI extensions include the following:
The heartbeat mechanism, which verifies that a VC is operational 
The multicast mechanism
The flow control
The ability to give DLCIs global significance
The VC status mechanism
There are several LMI types, each of which is incompatible with the others. The LMI type configured on the router must match the type used by the service provider. Three types of LMIs are supported by Cisco routers: 
cisco – The original LMI extensions
ansi – Corresponding to the ANSI standard T1.617 Annex D
q933a – Corresponding to the ITU standard Q.933 Annex A
LMI status messages combined with Inverse ARP messages allow a router to associate network layer and data link layer addresses.
If the router needs to map the VCs to network layer addresses, it will send an Inverse ARP message on each VC. The Inverse ARP message includes the network layer address of the router, so the remote DTE, or router, can also perform the mapping. 
To change the encapsulation to Frame Relay use the encapsulation frame-relay [cisco | ietf] command.
cisco – Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to another Cisco router. Many non-Cisco devices also support this encapsulation type. This is the default.
ietf – Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Select this if connecting to a non-Cisco router.
Cisco’s proprietary Frame Relay encapsulation uses a 4-byte header, with 2 bytes to identify the data-link connection identifier (DLCI) and 2 bytes to identify the packet type.
The LMI connection is established and configured by the frame-relay lmi-type [ansi | cisco | q933a] command. This command is only needed if using Cisco IOS Release 11.1 or earlier. With IOS Release 11.2 or later, the LMI-type is autosensed and no configuration is needed. 
Use the frame-relay map protocol protocol-address dlci [broadcast] command to statically map the remote network layer address to the local DLCI.
By default, a Frame Relay network provides non-broadcast multi-access (NBMA) connectivity between remote sites. An NBMA environment is viewed like other multiaccess media environments, such as Ethernet, where all the routers are on the same subnet.
A Frame Relay NBMA topology may cause two problems:
Reachability issues regarding routing updates
The need to replicate broadcasts on each PVC when a physical interface contains more than one PVC
Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:
Point-to-point – A single point-to-point subinterface is used to establish one PVC connection to another physical interface or subinterface on a remote router. In this case, each pair of the point-to-point routers is on its own subnet and each point-to-point subinterface would have a single DLCI. In a point-to-point environment, each subinterface is acting like a point-to-point interface. Therefore, routing update traffic is not subject to the split-horizon rule.
Multipoint – A single multipoint subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. All the participating interfaces would be in the same subnet. The subinterface acts like an NBMA Frame Relay interface so routing update traffic is subject to the split-horizon rule.
To configure subinterfaces on a physical interface, the following steps are required:
Configure Frame Relay encapsulation on the physical interface using the encapsulation frame-relay command 
For each of the defined PVCs, create a logical subinterface
router(config-if)#interface serial number.subinterface-number {multipoint | point-to-point}
To create a subinterface, use the interface serial command. Specify the port number, followed by a period (.), and then by the subinterface number. Usually, the subinterface number is chosen to be that of the DLCI. 
Either the multipoint or point-to-point keyword is required. There is no default. The following commands create the subinterface for the PVC to router B:
routerA(config-if)#interface serial 0/0.110 point-to-point
If the subinterface is configured as point-to-point, then the local DLCI for the subinterface must also be configured in order to distinguish it from the physical interface. The DLCI is also required for multipoint subinterfaces for which Inverse ARP is enabled. It is not required for multipoint subinterfaces configured with static maps. The frame-relay interface-dlci command is used to configure the local DLCI on the subinterface.
router(config-subif)#frame-relay interface-dlci dlci-number 
The show interfaces command displays information regarding the encapsulation and Layer 1 and Layer 2 status. It also displays information about the following:
The LMI type 
The LMI DLCI 
The Frame Relay data terminal equipment/data circuit-terminating equipment (DTE/DCE) type 
Normally, the router is considered a data terminal equipment (DTE) device. However, a Cisco router can be configured as a Frame Relay switch. The router becomes a data circuit-terminating equipment (DCE) device when it is configured as a Frame Relay switch.
Use the show frame-relay lmi command to display LMI traffic statistics.
For example, this command demonstrates the number of status messages exchanged between the local router and the local Frame Relay switch.
Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each configured PVC as well as traffic statistics.
This command is also useful for viewing the number of BECN and FECN packets received by the router. The PVC status can be active, inactive, or deleted.
The show frame-relay pvc command displays the status of all the PVCs configured on the router. Specifying a PVC will show the status of only that PVC. In the figure, the show frame-relay pvc 100 command displays the status of only PVC 100.
Use the show frame-relay map command to display the current map entries and information about the connections. The following information interprets the show frame-relay map output that appears in the figure:
100 is the decimal value of the local DLCI number
0x64 is the hex conversion of the DLCI number, 0x64 = 100 decimal
0x1840 is the value as it would appear on the wire because of the way the DLCI bits are spread out in the address field of the Frame Relay frame
10.140.1.1 is the IP address of the remote router, dynamically learned via the Inverse ARP process
Broadcast/multicast is enabled on the PVC
PVC status is active
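The 0x64 / 0x1840 relationship above follows from how the 10 DLCI bits are spread across the two-octet Q.922 address field, with the C/R, FECN, BECN, DE and EA bits in between. The following is an added example in Python, not page or Cisco code: it encodes and decodes that address field, and tallies FECN/BECN per DLCI the way show frame-relay pvc reports them; the frame list is constructed. Note that dlci_spread gives the 0x1840 form with every flag bit zero, while the octets actually transmitted also carry EA=1 in the second octet (0x1841):

```python
def dlci_spread(dlci):
    """Place the 10 DLCI bits where they sit in the two-octet Q.922 address field
    (6 high bits in the first octet, 4 low bits in the second) with every flag bit
    zero.  For DLCI 100 this is the 0x1840 that 'show frame-relay map' prints."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is a 10-bit value")
    return ((dlci >> 4) << 10) | ((dlci & 0xF) << 4)

def encode_address(dlci, cr=0, fecn=0, becn=0, de=0):
    """Full address field as transmitted: C/R in the first octet, FECN/BECN/DE in the
    second, EA=0 in the first octet and EA=1 in the second (two-octet form)."""
    return dlci_spread(dlci) | (cr << 9) | (fecn << 3) | (becn << 2) | (de << 1) | 0x0001

def decode_address(field):
    """Inverse of encode_address; rejects fields whose EA bits are not 0 then 1."""
    if (field & 0x0100) or not (field & 0x0001):
        raise ValueError("unexpected EA bits; not a two-octet address field")
    dlci = ((field >> 10) << 4) | ((field >> 4) & 0xF)
    return {"dlci": dlci, "cr": (field >> 9) & 1, "fecn": (field >> 3) & 1,
            "becn": (field >> 2) & 1, "de": (field >> 1) & 1}

def ecn_counts(address_fields):
    """Per-DLCI FECN/BECN tallies like those reported by 'show frame-relay pvc'."""
    counts = {}
    for field in address_fields:
        a = decode_address(field)
        c = counts.setdefault(a["dlci"], {"fecn": 0, "becn": 0})
        c["fecn"] += a["fecn"]
        c["becn"] += a["becn"]
    return counts

# Constructed capture: three frames on DLCI 100 (two carrying BECN) and one on DLCI 110
SAMPLE_FIELDS = [encode_address(100), encode_address(100, becn=1),
                 encode_address(100, becn=1, fecn=1), encode_address(110, fecn=1)]

if __name__ == "__main__":
    print(hex(dlci_spread(100)), hex(encode_address(100)))   # 0x1840 0x1841
    print(decode_address(0x1841))
    print(ecn_counts(SAMPLE_FIELDS))
```

A rising BECN count on a DLCI means the switch is telling this router that frames it sends on that PVC are hitting congestion downstream; a rising FECN count means congestion on the path towards this router. Either is a reason to compare offered load against the CIR before suspecting the link itself.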
To clear dynamically created Frame Relay maps, which are created using Inverse ARP, use the clear frame-relay-inarp command.
Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly.
The “out” is an LMI status message sent by the router. The “in” is a message received from the Frame Relay switch. “type 0” is a full LMI status message. “type 1” is an LMI exchange. The “dlci 100, status 0x2” means that the status of DLCI 100 is active. The possible values of the status field are as follows: 
0x0 – Added/inactive means that the switch has this DLCI programmed but for some reason it is not usable. The reason could possibly be the other end of the PVC is down. 
0x2 – Added/active means the Frame Relay switch has the DLCI and everything is operational. 
0x4 – Deleted means that the Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.
Network operating systems (NOSs) are designed to provide network processes to clients. Network services include the World Wide Web (WWW), file sharing, mail exchange, directory services, remote management, and print services.
Remote management is a powerful service that allows administrators to configure networked systems that are miles apart. It is important to understand that these network processes are referred to as services in Windows 2000 and daemons in UNIX and Linux. 
Network processes all provide the same functions, but the way processes are loaded and interact with the NOS is different in each operating system.
Network Management includes:
Monitoring network availability
Improved automation 
Monitoring response time
Security features
Traffic rerouting
Restoration capability
User registration
The driving forces behind network management are shown in the figure and explained below:
Controlling corporate assets – If network resources are not effectively controlled, they will not provide the results that management requires.
Controlling complexity – With massive growth in the number of network components, users, interfaces, protocols, and vendors, loss of control of the network and its resources threatens management.
Improved service – Users expect the same or improved service as the network grows and the resources become more distributed.
Balancing various needs – Users must be provided with various applications at a given level of support, with specific requirements in the areas of performance, availability, and security.
Reducing downtime – Ensure high availability of resources by proper redundant design.
Controlling costs – Monitor and control resource utilization so that user needs can be satisfied at a reasonable cost.  
Some basic network management terms are introduced in the figure.
Simple Network Management Protocol (SNMP) is an application layer protocol designed to facilitate the exchange of management information between network devices. By using SNMP to access management information data, such as packets per second sent on an interface or number of open TCP connections, network administrators can more easily manage network performance to find and solve network problems.
Today, SNMP is the most popular protocol for managing diverse commercial, university, and research internetworks.
Standardization activity continues even as vendors develop and release state-of-the-art SNMP-based management applications. SNMP is a simple protocol, yet its feature set is sufficiently powerful to handle the difficult problems involved with the management of heterogeneous networks.
The organizational model for SNMP based network management includes four elements:
Management station 
Management agent
Management information base
Network management protocol