Understanding Ethernet
Building a Simple Network
© 2007 Cisco Systems, Inc. All rights reserved.
ICND1 v1.0—1-1
Local Area Network
LAN Components
Computers
– PCs
– Servers
Interconnections
– NICs
– Media
Network devices
– Hubs
– Switches
– Routers
Protocols
– Ethernet
– IP
– ARP
– DHCP
Functions of a LAN
Data and applications
Share resources
Provide communication path to other networks
LAN Sizes
Ethernet Evolution
LAN Standards
Ethernet Frame Structure
Communicating Within the LAN
MAC Address Components
Understanding the Challenges of Shared LANs
Ethernet LANs
LAN Segment Limitations
Signals degrade with transmission distance.
Each Ethernet type has a maximum segment length.
Extending LAN Segments
Shares bandwidth
Extends cable distances
Repeats or amplifies signal
Collisions
CSMA/CD
Solving Network Challenges with Switched LAN Technology
Ethernet LANs
Network Congestion
High-performance PCs
More networked data
Bandwidth-intensive applications
Bridges
Operate at Layer 2 of the OSI model
Forward, filter, or flood frames
Have few ports
Are slow
LAN Switch
High port density
Large frame buffers
Mixture of port speeds
Fast internal switching
Switching modes:
– Cut-through
– Store-and-forward
– Fragment-free
LAN Switch Features
Switches Supersede Bridges
Operate at Layer 2 of the OSI model
Forward, filter, or flood frames
Have many ports
Are fast
Switching Frames
LANs Today
Users grouped by physical location
More switches added to networks
Switches connected by high-speed links
Implementing VLANs and Trunks
Medium-Sized Switched Network Construction
Issues in a Poorly Designed Network
Unbounded failure domains
Large broadcast domains
Large amount of unknown MAC unicast traffic
Unbounded multicast traffic
Management and support challenges
Possible security vulnerabilities
VLAN Overview
Segmentation
Flexibility
Security
VLAN = Broadcast Domain = Logical Network (Subnet)
Designing VLANs for an Organization
VLAN design must take into consideration the implementation
of a hierarchical network addressing scheme.
The benefits of hierarchical addressing are:
– Ease of management and troubleshooting
– Minimization of errors
– Reduced number of routing table entries
Guidelines for Applying IP Address Space
Allocate one IP subnet per VLAN.
Allocate IP address spaces in contiguous blocks.
VLAN Operation
VLAN Membership Modes
802.1Q Trunking
802.1Q Frame
Understanding Native VLANs
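The slides above name the 802.1Q frame and the native VLAN but do not show the tag itself. The following is an added example, not part of the Cisco deck: it builds and decodes 802.1Q-tagged Ethernet frames so the tag layout is visible (TPID 0x8100, 3-bit priority, 12-bit VLAN ID 1-4094), and it shows that a frame with no tag carries no VLAN information at all. That is the point about the native VLAN: native-VLAN frames cross a trunk untagged and are assigned to whatever VLAN the receiving trunk has as its native VLAN, which is why the native VLAN is normally set to an otherwise unused VLAN and the allowed VLAN list on a trunk is pruned from the default 1-4094. The MAC addresses and payloads below are constructed for illustration; the helper names are my own.

```python
# Added example (not from the ICND1 deck): build and parse 802.1Q-tagged
# Ethernet II frames. Frame contents below are constructed for illustration.
import struct
from typing import Optional

TPID_8021Q = 0x8100          # Tag Protocol Identifier of a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or Cisco-style 'aabb.ccdd.eeff'."""
    hexdigits = mac.replace(":", "").replace(".", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_frame(dst: str, src: str, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet II frame. Tagged if vlan_id is given (trunk port),
    untagged if vlan_id is None (access port, or the trunk's native VLAN)."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved
            raise ValueError("802.1Q VLAN ID must be 1..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vlan_id           # DEI/CFI (bit 12) left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src, the optional 802.1Q tag and the EtherType. An untagged
    frame arriving on a trunk is placed in that trunk's native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        # I/G bit of the first octet: 1 = group (multicast or broadcast)
        "dst_is_group": bool(dst[0] & 0x01),
        "tagged": False, "vlan_id": None, "pcp": None,
    }
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vlan_id=tci & 0x0FFF, pcp=tci >> 13)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "0000.0c12.3456", b"payload", vlan_id=2)
    native = build_frame("0000.0c12.3457", "0000.0c12.3456", b"payload")
    print(parse_frame(tagged)["vlan_id"])   # 2
    print(parse_frame(native)["tagged"])    # False: no VLAN in the frame
```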
Configuring 802.1Q Trunking
SwitchX(config-if)#
switchport mode {access |
dynamic {auto | desirable} | trunk}
Configures the trunking characteristics of the port
SwitchX(config-if)#
switchport mode trunk
Configures the port as a VLAN trunk
Verifying a Trunk
SwitchX# show interfaces interface [switchport | trunk]
SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .
SwitchX# show interfaces fa0/11 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1-13
VLAN Creation Guidelines
The maximum number of VLANs is switch-dependent.
Most Cisco Catalyst desktop switches support 128 separate
spanning-tree instances, one per VLAN.
VLAN 1 is the factory default Ethernet VLAN.
Cisco Discovery Protocol and VTP advertisements are sent on
VLAN 1.
The Cisco Catalyst switch IP address is in the management VLAN
(VLAN 1 by default).
If using VTP, the switch must be in VTP server or transparent
mode to add or delete VLANs.
Adding a VLAN
SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99
Verifying a VLAN
SwitchX# show vlan [brief | id vlan-id || name vlan-name]
SwitchX# show vlan id 2

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    switchlab99                      active    Fa0/2, Fa0/12

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500                                       0      0
. . .
SwitchX#
Assigning Switch Ports to a VLAN
SwitchX(config-if)#
switchport access [vlan vlan# | dynamic]
SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if)# switchport access vlan 2
SwitchX# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
Verifying VLAN Membership
SwitchX# show vlan brief
SwitchX# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1
2    switchlab99                      active    Fa0/2, Fa0/3, Fa0/4
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Verifying VLAN Membership (Cont.)
SwitchX#
show interfaces interface switchport
SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ----
Improving Performance with Spanning Tree
Medium-Sized Switched Network Construction
Advantages of EtherChannel
Logical aggregation of similar links between switches
Load-shares across links
Viewed as one logical port to STP
Redundancy
Redundant Topology
Redundant topology eliminates single points of failure.
Redundant topology causes broadcast storms, multiple
frame copies, and MAC address table instability problems.
Broadcast Frames
Station D sends a broadcast frame.
Broadcast frames are flooded to all ports
except the originating port.
Multiple Frame Copies
Host X sends a unicast frame to router Y.
The MAC address of router Y has not been
learned by either switch.
Router Y will receive two copies of the same frame.
MAC Database Instability
Host X sends a unicast frame to router Y.
The MAC address of router Y has not been learned by either switch.
Switches A and B learn the MAC address of host X on port 1.
The frame to router Y is flooded.
Switches A and B incorrectly learn the MAC address of host X on port 2.
Broadcast Storms
Host X sends a broadcast.
Switches continue to propagate
broadcast traffic over and over.
Loop Resolution with STP
Provides a loop-free redundant network topology
by placing certain ports in the blocking state
Published in the IEEE 802.1D specification
Enhanced with the Cisco PVST+ implementation
Spanning-Tree Operation
One root bridge per broadcast domain.
One root port per nonroot bridge.
One designated port per segment.
Nondesignated ports are unused.
STP Root Bridge Selection
BPDU (default = sent every 2 seconds)
Root bridge = bridge with the lowest bridge ID
Bridge ID = Bridge Priority + MAC Address
Per VLAN Spanning Tree Plus
PVST+ Extended Bridge ID
Bridge ID without the extended system ID
Extended bridge ID with system ID
System ID = VLAN
Default Spanning-Tree Configuration
Cisco Catalyst switches support three types of STPs:
– PVST+
– PVRST+
– MSTP
The default STP for Cisco Catalyst switches is PVST+:
– A separate STP instance for each VLAN
– By default the same switch becomes root for all VLANs (every switch starts with the same priority, so the lowest MAC address wins in every instance)
– Therefore no load sharing across redundant links unless the root is set per VLAN
PVRST+ Implementation Commands
SwitchX(config)#
spanning-tree mode rapid-pvst
Configures PVRST+
SwitchX#
show spanning-tree vlan vlan# [detail]
Verifies the spanning-tree configuration
SwitchX#
debug spanning-tree pvst+
Displays PVST+ event debug messages
Verifying PVRST+
SwitchX# show spanning-tree vlan 30
VLAN0030
Spanning tree enabled protocol rstp
Root ID Priority 24606
Address 00d0.047b.2800
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24606 (priority 24576 sys-id-ext 30)
Address 00d0.047b.2800
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Desg FWD 4         128.1    P2p
Gi1/2            Desg FWD 4         128.2    P2p
Gi5/1            Desg FWD 4         128.257  P2p

The spanning-tree mode is set to PVRST.
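The output above shows Bridge ID Priority 24606 (priority 24576 sys-id-ext 30): with the extended system ID, the 16-bit priority field is the configured priority (a multiple of 4096) plus the VLAN number. The following is an added example, not from the Cisco deck, that reproduces that arithmetic and the root election it drives: lowest priority field wins, then lowest MAC address. The switch names and most MAC addresses are constructed; 00d0.047b.2800 and 24576 on VLAN 30 come from the show output. The root primary behaviour (24576, or 4096 below the lowest priority seen) is Cisco's documented behaviour for that macro, not something the slides state. The practical caveat: election is purely "lowest bridge ID wins", so any device that injects BPDUs with a lower ID becomes root; that is what BPDU guard on access ports and root guard on distribution ports are for.

```python
# Added example (not from the ICND1 deck): PVST+/PVRST+ extended bridge ID and
# root-bridge election. Names and most MACs are constructed for illustration.
from typing import List, Tuple


def bridge_priority_field(priority: int, vlan: int) -> int:
    """16-bit priority field of the extended bridge ID. The configurable
    priority uses the upper 4 bits (so it must be a multiple of 4096, 0..61440);
    the VLAN number fills the lower 12 bits (sys-id-ext)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("spanning-tree priority must be 0..61440 in steps of 4096")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return priority + vlan


def bridge_id(priority: int, vlan: int, mac: str) -> Tuple[int, int]:
    """Bridge ID compares on the priority field first, then on the MAC
    address; lowest wins on both."""
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (bridge_priority_field(priority, vlan), mac_int)


def elect_root(switches: List[Tuple[str, int, str]], vlan: int) -> str:
    """switches: (name, configured priority, MAC). Returns the switch that
    becomes root for this VLAN, i.e. the one advertising the lowest bridge ID."""
    return min(switches, key=lambda s: bridge_id(s[1], vlan, s[2]))[0]


def root_primary_priority(other_priorities: List[int]) -> int:
    """What 'spanning-tree vlan N root primary' chooses (Cisco-documented
    behaviour, assumed here): 24576 if that already beats every other bridge,
    otherwise 4096 below the lowest priority seen, never below 0."""
    lowest = min(other_priorities)
    return 24576 if lowest > 24576 else max(lowest - 4096, 0)


# Constructed topology: SwitchA and SwitchB keep the default priority 32768;
# SwitchC has 'spanning-tree vlan 30 priority 24576', as in the show output.
CAMPUS = [
    ("SwitchA", 32768, "0011.2233.4455"),
    ("SwitchB", 32768, "0011.2233.0001"),
    ("SwitchC", 24576, "00d0.047b.2800"),
]

if __name__ == "__main__":
    print(bridge_priority_field(24576, 30))   # 24606, as shown by 'show spanning-tree vlan 30'
    print(elect_root(CAMPUS, 30))             # SwitchC
    print(elect_root(CAMPUS[:2], 30))         # SwitchB: equal priority, lower MAC
```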
Configuring the Root and Secondary Bridges
Configuring the Root and Secondary Bridges: SwitchA
SwitchA(config)#
spanning-tree vlan 1 root primary
This command forces this switch to be the root for VLAN 1.
SwitchA(config)#
spanning-tree vlan 2 root secondary
This command configures this switch to be the secondary root
for VLAN 2.
OR
SwitchA(config)#
spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).
Configuring the Root and Secondary Bridges: SwitchB
SwitchB(config)#
spanning-tree vlan 2 root primary
This command forces the switch to be the root for VLAN 2.
SwitchB(config)#
spanning-tree vlan 1 root secondary
This command configures the switch to be the secondary root for VLAN 1.
OR
SwitchB(config)#
spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).
Configuring Layer 3 Redundancy with HSRP
Implementing High Availability in a Campus Environment
Routing Issues: Using Default Gateways
Routing Issues: Using Proxy ARP
Router Redundancy
HSRP
Standby group: The set of routers participating in HSRP that jointly emulate
a virtual router
The Active Router
The active router responds to ARP requests with the MAC address of
the virtual router.
The Virtual Router MAC Address
The Standby Router
The standby router listens for periodic hello messages on 224.0.0.2.
Active and Standby Router Interaction
HSRP States
An HSRP router can be in one of six different states:
• Initial
• Learn
• Listen
• Speak
• Standby
• Active
HSRP State Transition
HSRP standby group 1

Router A (priority 100): Initial -> Listen -> Speak -> Standby -> Active
– Router A does not hear any higher priority than itself, so it promotes itself to standby.
– Router A does not hear an active router, so it promotes itself to active.

Router B (priority 50): Initial -> Listen -> Speak -> Listen -> Speak -> Standby
– Router B hears that router A has a higher priority, so router B returns to the listen state.
HSRP Standby State
A router in the standby state:
• Is a candidate for active router
• Sends hello messages
• Knows the virtual router IP address
HSRP Active State
A router in the active state:
• Assumes the active forwarding of packets for the virtual router
• Sends hello messages
• Knows the virtual router IP address
HSRP Configuration Commands
Configure
standby 1 ip 10.1.1.1
Verify
show running-config
show standby
Configuring an HSRP Standby Interface
Enabling HSRP on a Cisco router interface automatically disables
ICMP redirects.
Displaying the Standby Brief Status
Switch# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active addr      Standby addr     Group addr
Vl11        11  110    Active  local            172.16.11.114    172.16.11.115
Optimizing HSRP
Implementing High Availability in a Campus Environment
HSRP Optimization Options
These options can be configured to optimize HSRP:
HSRP standby priority
HSRP standby preempt
Hello message timers
HSRP interface tracking
Configuring HSRP Standby Priority
• The router with the highest priority in an HSRP group
becomes the active router.
• The default priority is 100.
• In the case of a tie, the router with the highest configured IP
address will become active.
Configuring HSRP Standby Preempt
Preempt enables a router to resume the forwarding router role.
Configuring the Hello Message Timers
The holdtime parameter value should be at least three
times the value of the hellotime parameter.
HSRP Interface Tracking
HSRP Interface Tracking (Cont.)
Configuring HSRP Tracking
Switch(config-if)#standby [group-number] track type number [interface-priority]
• Configures HSRP tracking
Switch(config)#interface vlan 10
Switch(config-if)#standby 1 track GigabitEthernet 0/7 50
Switch(config-if)#standby 1 track GigabitEthernet 0/8 60
• Example of HSRP tracking
Note: Preempt must be configured on all participating devices within
the HSRP group.
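The slides on priority, preempt, timers and tracking each state one rule; the added example below, which is not part of the Cisco deck, puts them into one small model of HSRP active-router election so the interaction is visible: the highest effective priority wins, the highest IP address breaks a tie, tracking lowers the priority by the configured decrement while an interface is down, and a router that has lost its priority edge stays active until a better candidate with preempt takes the role, which is exactly why the note above says preempt must be configured on every router in the group. The HSRPv1 virtual MAC format 0000.0c07.acXX (XX = group in hex) is a known protocol constant, not something the slides give. Router names, addresses and interface names are constructed; the decrements 50 and 60 mirror the tracking example above.

```python
# Added example (not from the ICND1 deck): a model of HSRP active-router
# election covering priority, the highest-IP tie-break, preempt, interface
# tracking and the hello/hold timer rule. Names and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# HSRPv1 virtual MAC is 0000.0c07.acXX, where XX is the group number in hex.
HSRP_V1_VMAC_PREFIX = "0000.0c07.ac"


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100              # HSRP default priority
    preempt: bool = False            # 'standby <grp> preempt'
    # interface -> (is_up, decrement), as in 'standby <grp> track <intf> <dec>'
    tracked: Dict[str, Tuple[bool, int]] = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Each tracked interface that is down lowers the priority by its decrement."""
        return self.priority - sum(dec for up, dec in self.tracked.values() if not up)

    def sort_key(self) -> Tuple[int, int]:
        # Highest priority wins; on a tie, the highest IP address wins.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def virtual_mac(group: int) -> str:
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group number must be 0..255")
    return f"{HSRP_V1_VMAC_PREFIX}{group:02x}"


def elect_active(routers: List[HsrpRouter], current_active: Optional[str] = None) -> str:
    """With no active router yet, the best candidate wins. An active router
    keeps the role even if its priority drops (for example through tracking)
    unless a better candidate has preempt configured."""
    best = max(routers, key=HsrpRouter.sort_key)
    if current_active is None or best.name == current_active:
        return best.name
    return best.name if best.preempt else current_active


def timers_ok(hello_ms: int, hold_ms: int) -> bool:
    """Holdtime should be at least three times hellotime; a tighter ratio
    lets a brief loss of hellos trigger a spurious failover."""
    return hold_ms >= 3 * hello_ms


if __name__ == "__main__":
    # Constructed group: RouterA is preferred and tracks two uplinks with the
    # decrements from the tracking slide; RouterB is the standby.
    a = HsrpRouter("RouterA", "10.1.1.2", 150, preempt=True,
                   tracked={"Gi0/7": (True, 50), "Gi0/8": (True, 60)})
    b = HsrpRouter("RouterB", "10.1.1.3", 120, preempt=True)
    print(elect_active([a, b]))                            # RouterA
    a.tracked["Gi0/7"] = (False, 50)                       # uplink fails: 150 -> 100
    print(elect_active([a, b], current_active="RouterA"))  # RouterB takes over
    print(virtual_mac(11))                                 # 0000.0c07.ac0b
```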
Tuning HSRP
Configure hellotime and holdtime to millisecond values.
Configure preempt delay timer so that preempt occurs only after
the distribution switch has fully rebooted and established full
connectivity to the rest of the network.
Multiple HSRP Groups
To load balance routers, assign them to multiple groups on the same subnet.
Addressing HSRP Groups Across Trunk Links
To load balance routers and links:
– Per VLAN, configure the HSRP active router and the spanning tree
root to be the same multilayer switch.
About the HSRP Debug Command
debug standby events
debug standby terse
Debugging HSRP
DSW111# debug standby
*Mar 4 19:08:08.918: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:09.891: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:09.891: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:10.294: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:10.898: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:10.898: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.965: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:11.300: HSRP: Vl1 API active virtual address 172.16.1.113 found
• Example of HSRP debug showing a standby group number mismatch: both routers claim the same virtual IP, one in group 1 and the other in group 2, so each believes it is active.
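Reading the mismatch out of a scrolling debug by eye is error-prone, so here is an added example, not part of the Cisco deck, that parses debug standby hello lines and flags two conditions: the same virtual IP advertised under different group numbers on one interface (the mismatch shown above), and more than one router in the Active state for the same virtual IP. The second check is also what you would run when hunting for a rogue device sending HSRP hellos on a segment. The sample lines are constructed to match the format of the output above; the regular expression and function names are my own.

```python
# Added example (not from the ICND1 deck): parse 'debug standby' hello lines
# and flag group-number mismatches and duplicate active routers.
# SAMPLE_DEBUG is constructed to match the format of the debug output above.
import re
from collections import defaultdict
from typing import Dict, List, Set

HELLO_RE = re.compile(
    r"HSRP: (?P<intf>\S+) Grp (?P<grp>\d+) Hello (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<state>\w+) pri (?P<pri>\d+) "
    r"vIP (?P<vip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_DEBUG = """\
*Mar 4 19:08:08.918: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
*Mar 4 19:08:09.287: HSRP: Vl1 API active virtual address 172.16.1.113 found
*Mar 4 19:08:09.891: HSRP: Vl1 API Duplicate ARP entry detected for 172.16.1.113
*Mar 4 19:08:09.891: HSRP: Vl1 Grp 1 Hello out 172.16.1.111 Active pri 150 vIP 172.16.1.113
*Mar 4 19:08:10.294: HSRP: Vl1 Grp 2 Hello in 172.16.1.112 Active pri 50 vIP 172.16.1.113
"""


def parse_hellos(text: str) -> List[dict]:
    """Return one dict per hello line; API and other debug lines are skipped."""
    return [m.groupdict() for m in map(HELLO_RE.search, text.splitlines()) if m]


def find_group_mismatches(hellos: List[dict]) -> Dict[str, Set[int]]:
    """'interface/vIP' -> set of group numbers seen for it. A healthy group
    has exactly one; more than one means the peers disagree on the group."""
    groups: Dict[str, Set[int]] = defaultdict(set)
    for h in hellos:
        groups[f"{h['intf']}/{h['vip']}"].add(int(h["grp"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_duplicate_actives(hellos: List[dict]) -> Dict[str, Set[str]]:
    """'interface/vIP' -> set of source routers claiming the Active state.
    Two or more is either the mismatch above or an unexpected HSRP speaker."""
    actives: Dict[str, Set[str]] = defaultdict(set)
    for h in hellos:
        if h["state"] == "Active":
            actives[f"{h['intf']}/{h['vip']}"].add(h["src"])
    return {k: v for k, v in actives.items() if len(v) > 1}


if __name__ == "__main__":
    hellos = parse_hellos(SAMPLE_DEBUG)
    print(find_group_mismatches(hellos))    # {'Vl1/172.16.1.113': {1, 2}}
    print(find_duplicate_actives(hellos))   # {'Vl1/172.16.1.113': {'172.16.1.111', '172.16.1.112'}}
```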
Introducing ACL Operation
Access Control Lists
Why Use ACLs?
Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling
ACL Applications: Filtering
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.
ACL Applications: Classification
Special handling for traffic based on packet tests
Outbound ACL Operation
If no ACL statement matches, discard the packet.
A List of Tests: Deny or Permit
Types of ACLs
Standard ACL
– Checks source address
– Generally permits or denies entire protocol suite
Extended ACL
– Checks source and destination address
– Generally permits or denies specific protocols and applications
Two methods used to identify standard and
extended ACLs:
– Numbered ACLs use a number for identification
– Named ACLs use a descriptive name or number for
identification
How to Identify ACLs
Numbered standard IPv4 lists (1–99) test conditions of all IP
packets for source addresses. Expanded range (1300–1999).
Numbered extended IPv4 lists (100–199) test conditions of source
and destination addresses, specific TCP/IP protocols, and destination
ports. Expanded range (2000–2699).
Named ACLs identify IP standard and extended ACLs with an
alphanumeric string (name).
IP Access List Entry Sequence Numbering
Requires Cisco IOS Release 12.3
Allows you to edit the order of ACL statements using sequence
numbers
– In software earlier than Cisco IOS Release 12.3, a text editor is
used to create ACL statements, then the statements are copied
into the router in the correct order.
Allows you to remove a single ACL statement from the list using a
sequence number
– With named ACLs in software earlier than Cisco IOS Release 12.3, you must use
no {deny | permit} protocol source source-wildcard destination destination-wildcard
to remove an individual statement.
– With numbered ACLs in software earlier than Cisco IOS Release
12.3, you must remove the entire ACL to remove a single ACL
statement.
ACL Configuration Guidelines
Standard or extended indicates what can be filtered.
Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing, therefore, the most
specific statements go at the top of the list.
The last ACL test is always an implicit deny everything else
statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound
or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from
the router, depending on how it is applied.
When placing ACLs in the network:
– Place extended ACLs close to the source
– Place standard ACLs close to the destination
Dynamic ACLs
Dynamic ACLs (lock-and-key): Users that want to traverse the router
are blocked until they use Telnet to connect to the router and are
authenticated.
Time-Based ACLs
Time-based ACLs: Allow for access control
based on the time of day and week
Wildcard Bit Mask Abbreviations
172.30.16.29 0.0.0.0 matches all of the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
0.0.0.0 255.255.255.255 ignores all address bits. Abbreviate this expression with the keyword any.
Wildcard Bits: How to Check the Corresponding Address Bits
0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit
Wildcard Bits to Match IP Subnets
Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask:
172.30.16.0 0.0.15.255
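Wildcard masks are the part of ACL configuration most often got wrong, because they are inverse masks applied bit by bit rather than prefix lengths. The following is an added example, not from the Cisco deck, that implements the rule on the previous slide (0 = must match, 1 = ignore), derives the wildcard for a prefix and for a block of consecutive subnets such as 172.30.16.0/24 to 172.30.31.0/24 above, and rejects a block that a single address/wildcard pair cannot express exactly (writing one entry for such a block silently matches more than intended). The addresses are the deck's own; the function names are mine.

```python
# Added example (not from the ICND1 deck): wildcard-mask arithmetic as the
# router applies it. A 0 bit means "must match", a 1 bit means "ignore".
from ipaddress import IPv4Address, IPv4Network
from typing import Tuple


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must equal the ACL address; bits where it
    is 1 are ignored. 'host A' is A 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_ip) & care) == (ip_int(acl_addr) & care)


def wildcard_from_prefix(network: str) -> Tuple[str, str]:
    """172.16.4.0/24 -> ('172.16.4.0', '0.0.0.255'): the wildcard is the
    bitwise inverse of the subnet mask."""
    net = IPv4Network(network, strict=True)
    return str(net.network_address), str(IPv4Address(int(net.hostmask)))


def wildcard_for_range(first_net: str, last_net: str) -> Tuple[str, str]:
    """Single address/wildcard pair covering first_net..last_net exactly, e.g.
    172.30.16.0/24 .. 172.30.31.0/24 -> 172.30.16.0 0.0.15.255. Raises when the
    block is not a power-of-two size aligned on that size, because then one
    entry would have to over-match; use several entries instead."""
    first, last = IPv4Network(first_net), IPv4Network(last_net)
    lo, hi = int(first.network_address), int(last.broadcast_address)
    span = hi - lo + 1
    if span & (span - 1) or lo % span:
        raise ValueError("range is not a power-of-two block aligned on its size")
    return str(IPv4Address(lo)), str(IPv4Address(span - 1))


def abbreviate(acl_addr: str, wildcard: str) -> str:
    """Render an entry the way IOS abbreviates it."""
    if wildcard == "0.0.0.0":
        return f"host {acl_addr}"
    if acl_addr == "0.0.0.0" and wildcard == "255.255.255.255":
        return "any"
    return f"{acl_addr} {wildcard}"


if __name__ == "__main__":
    print(wildcard_for_range("172.30.16.0/24", "172.30.31.0/24"))  # ('172.30.16.0', '0.0.15.255')
    print(wildcard_match("172.30.31.200", "172.30.16.0", "0.0.15.255"))  # True
    print(wildcard_match("172.30.32.1", "172.30.16.0", "0.0.15.255"))    # False
    print(abbreviate("172.30.16.29", "0.0.0.0"))                         # host 172.30.16.29
```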
Configuring and Troubleshooting ACLs
Access Control Lists
Testing Packets with Numbered Standard IPv4 ACLs
Numbered Standard IPv4 ACL Configuration
RouterX(config)#
access-list access-list-number
{permit | deny | remark} source [mask]
Uses 1 to 99 for the access-list-number.
The first entry is assigned a sequence number of 10, and successive entries
are incremented by 10.
Default wildcard mask is 0.0.0.0 (only standard ACL).
no access-list access-list-number removes the entire ACL.
remark lets you add a description to the ACL.
RouterX(config-if)#
ip access-group access-list-number
{in | out}
Activates the list on an interface.
Sets inbound or outbound testing.
no ip access-group access-list-number {in | out} removes the ACL from the interface.
Numbered Standard IPv4 ACL Example 1
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out
Permit my network only
Numbered Standard IPv4 ACL Example 2
RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Deny a specific host
Numbered Standard IPv4 ACL Example 3
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Deny a specific subnet
Standard ACLs to Control vty Access
RouterX(config-line)#
access-class access-list-number {in | out}
Restricts incoming or outgoing connections between a particular
vty and the addresses in an ACL
Example:
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
Permits only hosts in network 192.168.1.0 0.0.0.255 to connect
to the router vty lines
Testing Packets with Numbered Extended IPv4 ACLs
Numbered Extended IPv4 ACL Configuration
RouterX(config)#
access-list access-list-number {permit | deny}
protocol source source-wildcard [operator port]
destination destination-wildcard [operator port]
[established] [log]
Sets parameters for this list entry
RouterX(config-if)#
ip access-group access-list-number
{in | out}
Activates the extended list on an interface
Numbered Extended IPv4 ACL Example 1
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic
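The ACL configuration guidelines earlier in this module make two points that are easy to state and easy to get wrong in practice: statements are tested top-down and the first match wins, and an unmatched packet hits the implicit deny. The following is an added example, not from the Cisco deck, of a first-match evaluator for standard and extended IPv4 ACL entries. It reproduces extended Example 1 above (FTP from 172.16.4.0/24 to 172.16.3.0/24 denied, everything else permitted), the standard ACL 12 from the vty slide, and the established keyword from the extended syntax, and it shows what happens when permit ip any any is placed first: the two deny statements can never match. The packet tuples are constructed; class and function names are mine. Only eq on the destination port is modelled, since that is the only operator the examples use.

```python
# Added example (not from the ICND1 deck): first-match evaluation of numbered
# standard and extended IPv4 ACLs with the implicit deny. Packets constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = address 0.0.0.0, wildcard all ones


def wc_match(ip: str, addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(addr)) & care)


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # ip, tcp, udp, icmp (standard ACLs: ip)
    src: Tuple[str, str] = ANY      # (address, wildcard)
    dst: Tuple[str, str] = ANY      # standard ACLs never look at this
    dst_port: Optional[int] = None  # 'eq <port>' on the destination
    established: bool = False       # TCP segments with ACK or RST set only

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not (wc_match(pkt["src"], *self.src) and wc_match(pkt["dst"], *self.dst)):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.established and not pkt.get("ack_or_rst", False):
            return False
        return True


def evaluate(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, sequence number), numbering
    entries 10, 20, ... as IOS does; an unmatched packet hits the implicit
    'deny any' and returns ('deny', None)."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, (idx + 1) * 10
    return "deny", None


# Extended ACL 101 from Example 1 above.
ACL_101 = [
    Ace("deny", "tcp", ("172.16.4.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.255"), dst_port=21),
    Ace("deny", "tcp", ("172.16.4.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.255"), dst_port=20),
    Ace("permit"),                                   # permit ip any any
]
# Standard ACL 12 from the vty slide: only 192.168.1.0/24 may reach the vty lines.
ACL_12 = [Ace("permit", src=("192.168.1.0", "0.0.0.255"))]
# The same three statements with 'permit ip any any' first: the denies are dead.
ACL_101_MISORDERED = [ACL_101[2], ACL_101[0], ACL_101[1]]


def ftp_control(src: str, dst: str) -> dict:
    return {"proto": "tcp", "src": src, "dst": dst, "dport": 21}


if __name__ == "__main__":
    print(evaluate(ACL_101, ftp_control("172.16.4.7", "172.16.3.9")))             # ('deny', 10)
    print(evaluate(ACL_101, {"proto": "tcp", "src": "172.16.4.7",
                             "dst": "172.16.3.9", "dport": 80}))                  # ('permit', 30)
    print(evaluate(ACL_101_MISORDERED, ftp_control("172.16.4.7", "172.16.3.9")))  # ('permit', 10)
    print(evaluate(ACL_12, {"proto": "tcp", "src": "10.0.0.5",
                            "dst": "10.1.1.1", "dport": 23}))                     # ('deny', None)
```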
Numbered Extended IPv4 ACL Example 2
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
Deny only Telnet traffic from subnet 172.16.4.0 out E0
Permit all other traffic
Named IP ACL Configuration
RouterX(config)#
ip access-list {standard | extended} name
Alphanumeric name string must be unique
RouterX(config {std- | ext-}nacl)#
[sequence-number] {permit | deny} {ip access list test conditions}
{permit | deny} {ip access list test conditions}
If not configured, sequence numbers are generated automatically starting at 10 and
incrementing by 10
no sequence number removes the specific test from the named ACL
RouterX(config-if)#
ip access-group name {in | out}
Activates the named IP ACL on an interface
Named Standard IPv4 ACL Example
RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out
Deny a specific host
Named Extended IPv4 ACL Example
RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out
Deny Telnet from a specific subnet
Commenting ACL Statements
RouterX(config)#
ip access-list {standard|extended} name
Creates a named ACL
RouterX(config {std- | ext-}nacl)#
remark remark
Creates a named ACL comment
Or
RouterX(config)#
access-list access-list-number remark remark
Creates a numbered ACL comment
Monitoring ACL Statements
RouterX# show access-lists {access-list number|name}
RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data
Displays all access lists
Verifying ACLs
RouterX# show ip interface e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
<text omitted>
Troubleshooting Common ACL Errors
Error 1: Host 10.1.1.1 has no connectivity with 10.100.100.1.
Introducing VPN Solutions
LAN Extension into a WAN
What Is a VPN?
Virtual: Information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.
Benefits of VPN
Cost
Security
Scalability
Site-to-Site VPNs
Site-to-site VPN: extension of classic WAN
Remote-Access VPNs
Remote-access VPN: evolution of dial-in networks and ISDN
Cisco Easy VPN
VPN-Enabled Cisco IOS Routers
Cisco ASA Adaptive Security Appliances
VPN Clients (legacy)
What Is IPsec?
IPsec acts at the network layer, protecting and authenticating IP packets.
It is a framework of open standards that is algorithm independent.
It provides data confidentiality, data integrity, and origin authentication.
IPsec Security Services
Confidentiality
Data integrity
Authentication
Antireplay protection
Confidentiality (Encryption)
Encryption Algorithms
Encryption algorithms:
DES
3DES
AES
RSA
DH Key Exchange
Diffie-Hellman algorithms:
DH1
DH2
DH5
Data Integrity
Hashing algorithms:
HMAC-MD5
HMAC-SHA-1
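The two slides above (DH key exchange, and HMAC for data integrity) fit together: the Diffie-Hellman exchange gives both peers the same secret without sending it, and a key derived from that secret feeds the HMAC that lets the receiver detect modified packets; a sequence number checked against the last accepted value gives the antireplay service listed earlier. The Python below is an added example, not Cisco code and not IKE or ESP itself: it uses a toy 127-bit prime modulus (assumed here for illustration; real peers negotiate one of the fixed DH1/DH2/DH5 groups), a constructed SHA-1 key derivation rather than IKE's PRF chain, and a simplified packet format of sequence number, payload and HMAC-SHA-1 tag.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Toy modulus for illustration only: 2**127 - 1 is prime, but it is not one
# of the IKE MODP groups (DH1/DH2/DH5) that a real peer would use.
TOY_P = (1 << 127) - 1
TOY_G = 2
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def dh_public(private: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value g^private mod p, sent to the peer in the clear."""
    return pow(g, private, p)


def dh_shared(private: int, peer_public: int, p: int = TOY_P) -> int:
    """Shared secret peer_public^private mod p; equal on both sides."""
    return pow(peer_public, private, p)


def derive_key(shared: int) -> bytes:
    # Constructed key derivation (SHA-1 over the big-endian secret), standing in
    # for the PRF-based derivation IKE performs.
    length = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha1(shared.to_bytes(length, "big")).digest()


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Packet = 4-byte sequence number || payload || HMAC-SHA-1 over both."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return header + payload + tag


class Receiver:
    """Verifies integrity and rejects replays of already-seen sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0  # last sequence number accepted

    def accept(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < 4 + TAG_LEN:
            return None
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # integrity failure: payload or header was altered
        seq = int.from_bytes(header, "big")
        if seq <= self.highest_seq:
            return None  # replay: sequence number not newer than the last accepted
        self.highest_seq = seq
        return payload


def demo() -> List[bytes]:
    """Full constructed run: exchange, derive, protect, verify, drop a replay."""
    a = secrets.randbelow(TOY_P - 2) + 2  # side A's private value
    b = secrets.randbelow(TOY_P - 2) + 2  # side B's private value
    pub_a, pub_b = dh_public(a), dh_public(b)
    key_a = derive_key(dh_shared(a, pub_b))
    key_b = derive_key(dh_shared(b, pub_a))
    assert key_a == key_b  # both sides arrive at the same key
    rx = Receiver(key_b)
    accepted = []
    for seq, payload in [(1, b"first"), (2, b"second"), (2, b"second"), (3, b"third")]:
        result = rx.accept(protect(key_a, seq, payload))
        if result is not None:
            accepted.append(result)
    return accepted  # the replayed sequence 2 is dropped


if __name__ == "__main__":
    print(demo())
```

The shared secret never crosses the wire; only the two public values do. Note that a bare DH exchange is not authenticated, which is why the next slide's peer authentication (PSKs or RSA signatures) is a separate, required piece of the framework.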
Authentication
Peer authentication methods:
PSKs
RSA signatures
IPsec Security Protocols
IPsec Framework
EZVPN Server-Side Configuration
Step 1: Configure XAUTH
R1(config)#aaa new-model
R1(config)#aaa authentication login ezvpnauthen local
R1(config)# aaa authorization network ezvpnauthor local
R1(config)#username cisco password cisco
R1(config)#enable secret cisco
R1(config)#crypto isakmp xauth timeout 30
Step 2: Create the IP address pool
R1(config)#ip local pool dypool 100.1.1.100 100.1.1.200
Step 3: Configure the ISAKMP policy
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
EZVPN Server-Side Configuration
Step 4: Define the user group policy
R1(config)#crypto isakmp client configuration group ezvpngroup
R1(config-isakmp-group)#key cisco123
R1(config-isakmp-group)#dns 100.1.1.10 100.1.1.11
R1(config-isakmp-group)#wins 100.1.1.12 100.1.1.13
R1(config-isakmp-group)#domain cisco.com
R1(config-isakmp-group)#pool dypool
R1(config-isakmp-group)#exit
Step 5: Set the IPsec policy
R1(config)#crypto ipsec transform-set ezset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
Step 6: Define the Ezvpn profile
R1(config)# crypto isakmp profile vpnclient
R1(config-isakmp-profile)#match identity group ezvpngroup
R1(config-isakmp-profile)#client authen list ezvpnauthen
R1(config-isakmp-profile)#isakmp author list ezvpnauthor
R1(config-isakmp-profile)#client config address respond
EZVPN Server-Side Configuration
Step 7: Create the dynamic crypto map
R1(config)#crypto dynamic-map dymap 1
R1(config-crypto-map)# set isakmp-profile vpnclient
R1(config-crypto-map)#set transform-set ezset
R1(config-crypto-map)#reverse-route
R1(config-crypto-map)#exit
R1(config)# crypto map MAP 10 ipsec-isakmp dynamic dymap
Step 8: Apply the dynamic crypto map to the interface
R1(config)#int s0/0
R1(config-if)#crypto map MAP
R1(config-if)#exit
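Steps 1 through 8 above produce a working Easy VPN server, but several of the values chosen on the slides (a username stored with the password keyword, 3DES for both the IKE policy and the transform set, DH group 2) are choices a reviewer would want flagged before the configuration goes into production. The Python below is an added example, not part of the Cisco course material: it audits a constructed show running-config style excerpt of the server configuration (assumed here; not output captured from a real router) with a handful of rules that track which top-level command section a line belongs to, so that "group 2" is only judged inside a crypto isakmp policy.

```python
import re
from typing import List, Tuple

# Constructed running-config excerpt mirroring the slide's server-side steps
# (not captured from a real device). Sub-commands are indented one space,
# as IOS prints them.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ezvpnauthen local
aaa authorization network ezvpnauthor local
username cisco password cisco
enable secret cisco
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
crypto ipsec transform-set ezset esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map dymap 1
 set transform-set ezset
 reverse-route
"""

# (finding id, section prefix the line must sit under ("" = anywhere),
#  pattern on the stripped line, explanation)
RULES: List[Tuple[str, str, re.Pattern, str]] = [
    ("username-reversible-password", "",
     re.compile(r"^username \S+ password "),
     "'username ... password' is stored cleartext or as reversible Type 7; "
     "use 'username ... secret'"),
    ("isakmp-legacy-cipher", "crypto isakmp policy",
     re.compile(r"^encryption (des|3des)$"),
     "DES/3DES for the IKE SA are legacy ciphers; prefer AES"),
    ("isakmp-small-dh-group", "crypto isakmp policy",
     re.compile(r"^group (1|2)$"),
     "DH group 1 (768-bit) and group 2 (1024-bit) are below current "
     "strength recommendations"),
    ("ipsec-legacy-cipher", "",
     re.compile(r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b"),
     "ESP with DES/3DES is a legacy transform; prefer esp-aes"),
]


def audit_config(config: str) -> List[Tuple[str, int, str]]:
    """Return (finding id, line number, offending line) for every rule hit."""
    findings: List[Tuple[str, int, str]] = []
    section = ""  # the most recent top-level (unindented) command
    for lineno, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            section = raw.strip()
        line = raw.strip()
        for fid, section_prefix, pattern, _ in RULES:
            if section.startswith(section_prefix) and pattern.search(line):
                findings.append((fid, lineno, line))
    return findings


def explain(fid: str) -> str:
    """Look up the human-readable explanation for a finding id."""
    return next(text for rule_id, _, _, text in RULES if rule_id == fid)


if __name__ == "__main__":
    for fid, lineno, line in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {line!r}\n    {fid}: {explain(fid)}")
```

The section tracking matters because IOS reuses short keywords in many modes; a rule that matched "group 2" anywhere would misfire on unrelated commands. Extend RULES with the checks your own baseline requires.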
EZVPN Client Configuration
crypto ipsec client ezvpn
connect auto
mode client
group ezvpngroup
key cisco123
peer 10.1.1.1
interface e0/0
crypto ipsec client ezvpn inside
interface s0/0
crypto ipsec client ezvpn outside
PPPoE Configuration Using an ADSL Modem
vpdn enable
no vpdn logging
vpdn-group 1
request-dialin
protocol pppoe
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
interface Ethernet0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 1
PPPoE Configuration Using an ADSL Modem
interface Dialer1
ip address negotiated
ip nat outside
ip mtu 1492
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username [email protected] password xxxxxxxx
!
ip classless
no ip http server
!
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 dialer1