Instructor Resource Document
Section 1
IP Addressing
Table of Contents
IP Addressing (p. 1)
Overview (p. 3)
Objectives (p. 4)
1.1 IPv4 Addressing (p. 5)
1.1.1 Internet's address architecture (p. 5)
1.1.2 Classes of IP addresses (p. 6)
1.1.3 Classes of IP addresses (cont.) (p. 8)
1.1.4 Subnet masking (p. 9)
1.2 IP Addressing Crisis and Solutions (p. 12)
1.2.1 IP addressing crisis (p. 12)
1.2.2 Classless Interdomain Routing (CIDR) (p. 13)
1.2.3 Route aggregation and supernetting (p. 14)
1.2.4 Supernetting and address allocation (p. 16)
1.3 VLSM (p. 18)
1.3.1 Variable-Length Subnet Masks (p. 18)
1.3.2 Classless and classful routing protocols (p. 21)
1.4 Route Summarization (p. 23)
1.4.1 An overview of route summarization (p. 23)
1.4.2 Route flapping (p. 24)
1.5 Private Addressing and NAT (p. 25)
1.5.1 Private IP addresses (RFC 1918) (p. 25)
1.5.2 Discontiguous subnets (p. 27)
1.5.3 Network Address Translation (NAT) (p. 28)
1.6 IP Unnumbered (p. 29)
1.6.1 Using IP unnumbered (p. 29)
1.7 DHCP and Easy IP (p. 31)
1.7.1 DHCP overview (p. 31)
1.7.2 DHCP operation (p. 33)
1.7.3 Configuring IOS DHCP server (p. 34)
1.7.4 Easy IP (p. 36)
1.8 Helper Addresses (p. 38)
1.8.1 Using helper addresses (p. 38)
1.8.2 Configuring IP helper addresses (p. 39)
1.8.3 IP helper address example (p. 40)
1.9 IPv6 (p. 42)
1.9.1 IP address issues solutions (p. 42)
1.9.2 IPv6 address format (p. 43)
1.10 Advanced IP Addressing Management Lab Exercises (p. 46)
1.10.1 Configuring VLSM and IP Unnumbered (p. 46)
1.10.2 VLSM (p. 46)
1.10.3 Using DHCP and IP Helper Addresses (p. 46)
Summary (p. 47)
Class C Addresses
A Class C address begins with a binary 110 pattern. Therefore, the lowest
number that can be represented is 11000000 (decimal 192), and the highest
number that can be represented is 11011111 (decimal 223). If an IPv4 address
contains a number in the range of 192 to 223 in the first octet, it is a Class C
address.
Class C addresses were originally intended to support small networks; the first
three octets of a Class C address represent the network number, and the last octet
may be used for hosts. One octet for hosts yields 256 possibilities; after you
subtract the all-0s network number and the all-1s broadcast address, only 254 hosts
may be addressed on a Class C network. Whereas Class A and Class B networks
prove impossibly large (without subnetting), Class C networks can impose too
restrictive a limit on hosts.
With 2,097,152 total network addresses containing a mere 254 hosts each, Class
C addresses account for 12.5 percent of the Internet's address space. With Class
A and B exhausted, the remaining Class C addresses are all that is left to be
assigned to new organizations that need IP networks. Figure 1 summarizes the
ranges and availability of the three address classes used to address Internet hosts.
Class D Addresses
A Class D address begins with a binary 1110 pattern in the first octet. Therefore,
the first octet range for Class D addresses is 11100000 to 11101111, or 224 to
239. Class D addresses are not used to address individual hosts. Instead, each
Class D address can be used to represent a group of hosts called a host group, or
multicast group.
For example, a router configured to run EIGRP joins a group that includes other
nodes that are also running EIGRP. Members of this group still have unique IP
addresses from the Class A, B, or C range, but they also listen for messages
addressed to 224.0.0.10, which is a Class D address. Therefore, a single routing
Subnet masking, or subnetting, is used to break one large group into several
smaller subnetworks. These subnets can then be distributed throughout an
enterprise, resulting in less waste and better logical organization. Formalized
with RFC 950 in 1985, subnetting introduced a third level of hierarchy to the
IPv4 addressing structure. [1] The number of bits available to the network,
subnet, and host portions of a given address varies depending on the size of the
subnet mask.
A subnet mask is a 32-bit number that acts as a counterpart to the IP address.
Each bit in the mask corresponds to its counterpart bit in the IP address. If a bit
in the IP address corresponds to a 1 bit in the subnet mask, the IP address bit
represents a network number. If a bit in the IP address corresponds to a 0 bit in
the subnet mask, the IP address bit represents a host number.
In effect, the subnet mask (when known) overrides the address class to determine
whether a bit is either network or host. Routers and other hosts can be
configured to recognize addresses differently than the format dictated by classes.
For example, the mask can tell the hosts that, even though their addresses are
Class B, the first three octets (instead of the first two) are the network number.
In this case, the additional octet acts like part of the network number, but only
inside the organization where the mask is configured.
The subnet mask applied to an address ultimately determines the network and
host portions of an IP address. The network and host portions change when the
subnet mask changes. If you apply the mask 255.255.0.0, only the first 16 bits
(two octets) of the IP address 172.24.100.45 represent the network number, as
shown in Figure [2]. Therefore, the network number for this host address is
172.24.0.0. The shaded portion of the address in Figure [2] indicates the network
number.
Because the rules of class dictate that the first two octets of a Class B address are
the network number, this 16-bit mask does not create subnets within the
172.24.0.0 network.
To create subnets with this Class B address, a mask that identifies bits in the
third or fourth octet as part of the network number must be used.
A 24-bit mask, 255.255.255.0, specifies the first 24 bits of the IP address as the
network number. For this example, the network number is 172.24.100.0.
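The class rules and the mask override described above, as an added example (not code from the course): the class is read from the leading bits of the first octet, and an explicit mask, when known, decides which bits are network and which are host. The address 172.24.100.45 and the 16- and 24-bit masks are the ones from the text; the helper names are my own.

```python
# Added example: derive the address class from the leading bits of the first
# octet, then apply a subnet mask that overrides the class.
import ipaddress


def address_class(addr):
    """Class A-E from the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:       # 0xxxxxxx  -> 0..127
        return "A"
    if first >> 6 == 0b10:      # 10xxxxxx  -> 128..191
        return "B"
    if first >> 5 == 0b110:     # 110xxxxx  -> 192..223
        return "C"
    if first >> 4 == 0b1110:    # 1110xxxx  -> 224..239 (multicast groups)
        return "D"
    return "E"                  # 1111xxxx  -> 240..255 (reserved)


# Default masks implied by the class rules when no explicit mask is known.
CLASSFUL_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def mask_to_prefix(mask):
    """Check that a dotted mask is contiguous 1s followed by 0s; return its length."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_number(addr, mask=None):
    """Network number of addr. The mask (when known) overrides the class:
    1 bits in the mask select network bits, 0 bits select host bits."""
    if mask is None:
        mask = CLASSFUL_MASK[address_class(addr)]  # D/E have no host part -> KeyError
    mask_to_prefix(mask)
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def host_number(addr, mask):
    """Host portion of addr under mask, as an integer."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return a & ~m & 0xFFFFFFFF


def usable_hosts(mask):
    """Addresses usable for hosts: 2^host_bits minus the all-0s and all-1s."""
    host_bits = 32 - mask_to_prefix(mask)
    return max(2 ** host_bits - 2, 0)


if __name__ == "__main__":
    for mask in (None, "255.255.0.0", "255.255.255.0"):
        print(mask, network_number("172.24.100.45", mask))
```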
Class A and B addresses make up 75 percent of the IPv4 address space, but a
relative handful of organizations (fewer than 17,000) can be assigned a Class A
or B network number. Class C network addresses are far more numerous than
Class A and Class B addresses, although they account for only 12.5 percent of
the possible 4 billion (2^32) IP hosts, as shown in Figure 1.
Unfortunately, Class C addresses are limited to 254 hosts, which will not meet
the needs of larger organizations that cannot acquire a Class A or B address.
Even if there were more Class A, B, and C addresses, too many network
addresses would cause Internet routers to slow to a halt under the weight of
enormous routing tables.
The classful system of IP addressing, even with subnetting, could not scale to
effectively handle global demand for Internet connectivity. As early as 1992, the
Internet Engineering Task Force (IETF) identified two specific concerns:
- Exhaustion of the remaining, unassigned IPv4 network addresses. At the
time, the Class B space was on the verge of depletion.
- The rapid and substantial growth of the Internet's routing tables, driven by
the growth of the Internet itself. As more Class C networks came online, the
resulting flood of new network information threatened Internet routers'
capability to cope effectively.
In the short term, the IETF decided that a retooled IPv4 would have to hold out
long enough for engineers to design and deploy a completely new Internet
Protocol. That new protocol, IPv6, solves the address crisis by using a 128-bit
Consider Company XYZ, which requires addresses for 400 hosts. Under the
classful addressing system, XYZ could apply to a central Internet address
authority for a Class B address. If the company got the Class B and then used it
to address one logical group of 400 hosts, tens of thousands of addresses would
be wasted. A second option for XYZ would be to request two Class C network
numbers, yielding 508 (2 * 254) host addresses. The drawback to this approach
is that XYZ would have to route between its own logical networks, and default-
free Internet routers would need to maintain two routing table entries for XYZ's
network, rather than just one.
Under a classless addressing system, supernetting allows XYZ to get the address
space that it needs without wasting addresses or increasing the size of routing
tables unnecessarily. Using CIDR, XYZ asks for an address block from its
Internet service provider, not a central authority such as the InterNIC. The ISP
assesses XYZ's needs and allocates address space from its own large "CIDR
block" of addresses. Providers assume the burden of managing address space in a
When supernetted with a 23-bit mask (207.21.54.0 /23), the address space
provides well over 400 host addresses (2^9, or 512) without the tremendous waste of a
Class B address. With the ISP acting as the addressing authority for a CIDR
block of addresses, the ISP's customer networks, which include XYZ, can be
advertised among Internet routers as a single supernet. In Figure [2], the ISP
manages a block of 256 Class C addresses and advertises them to the world
using a 16-bit prefix: 207.21.0.0 /16.
VLSM allows an organization to use more than one subnet mask within the same
network address space. Implementing VLSM is often referred to as "subnetting a
subnet," and it can be used to maximize addressing efficiency.
Unfortunately, only three subnets are left for future growth, and the three point-
to-point WAN links between the four sites have yet to be addressed. If the three
remaining subnets were assigned to the WAN links, the supply of IP addresses
would be exhausted. Moreover, squandering the remaining 30-host subnets to
address these two-node networks will waste more than a third of the available
address space.
Over the past 20 years, network engineers have developed three strategies for
efficiently addressing point-to-point WAN links:
- Use VLSM
- Use private addressing (RFC 1918)
- Use IP unnumbered
Private addresses and IP unnumbered are discussed in detail later in this chapter.
This section focuses on VLSM. If VLSM is applied to addressing problems, a
Class C address can be broken into groups (i.e., subnets) of various sizes. Large
subnets are created for addressing LANs, and very small subnets are created for
WAN links and other special cases.
A 30-bit mask is used to create subnets with only two valid host addresses, the
exact number needed for a point-to-point connection. Figure [3] shows what
happens if one of the three remaining subnets (subnet 6) is subnetted again using
a 30-bit mask.
Subnetting the 207.21.24.192 /27 subnet in this way supplies eight ranges of
addresses to be used for point-to-point networks. For example, the network
207.21.24.192/30 can be used to address the point-to-point serial link between
Site A's router and Site B's router [4].
How is VLSM configured on a Cisco router? Figure [5] shows the commands
needed to configure Site A's router (RTA) with a 27-bit mask on its Ethernet port
and a 30-bit mask on its serial port.
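The VLSM procedure above, as an added example (not the course's own code): a greedy allocator that hands the largest requests the smallest subnet that fits, plus the "subnetting a subnet" step that carves 207.21.24.192 /27 into /30 point-to-point networks. The block 207.21.24.0/24 and the 30-host and 2-host sizes come from the text; the site names in the request list are constructed.

```python
# Added example: greedy VLSM allocation and subnetting a subnet, built on the
# standard-library ipaddress module.
import ipaddress


def prefix_for_hosts(hosts):
    """Shortest prefix whose subnet holds `hosts` plus network and broadcast."""
    need = hosts + 2
    return 32 - (need - 1).bit_length()


def allocate_vlsm(block, requests):
    """Largest requests first; each takes the smallest fitting subnet from the
    lowest free space. requests: [(name, hosts_needed)]. Returns (plan, free)."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(requests, key=lambda r: -r[1]):
        prefix = prefix_for_hosts(hosts)
        for chunk in sorted(free, key=lambda n: int(n.network_address)):
            if chunk.prefixlen <= prefix:            # chunk is big enough
                sub = next(chunk.subnets(new_prefix=prefix))
                free.remove(chunk)
                free.extend(chunk.address_exclude(sub))  # give back the remainder
                plan[name] = sub
                break
        else:
            raise ValueError(f"address space exhausted before {name}")
    return plan, sorted(free, key=lambda n: int(n.network_address))


def carve(subnet, new_prefix):
    """Split a subnet into equal pieces, listing each piece's usable host range."""
    out = []
    for s in ipaddress.ip_network(subnet).subnets(new_prefix=new_prefix):
        hosts = list(s.hosts())
        out.append((str(s), str(hosts[0]), str(hosts[-1])))
    return out


# Constructed request list: five 30-host LANs and three two-node WAN links.
REQUESTS = [("Site A LAN", 30), ("Site B LAN", 30), ("Site C LAN", 30),
            ("Site D LAN", 30), ("Server farm", 30),
            ("WAN A-B", 2), ("WAN B-C", 2), ("WAN C-D", 2)]

if __name__ == "__main__":
    plan, free = allocate_vlsm("207.21.24.0/24", REQUESTS)
    for name, net in plan.items():
        print(f"{name:12} {net}")
    print("free:", [str(n) for n in free])
    for row in carve("207.21.24.192/27", 30):
        print(row)
```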
For routers in a variably subnetted network to properly update each other, they
must send masks in their routing updates. Without subnet information in the
routing updates, routers will have nothing but the address class and their own
subnet mask to work with. Only routing protocols that ignore the rules of address
class and use classless prefixes will work properly with VLSM (see Figure 1).
RIPv1 and IGRP, common interior gateway protocols, cannot support VLSM
because they do not send subnet information in their updates. Upon receiving an
update packet, these classful routing protocols will use one of the following
methods to determine the network prefix of an address:
- If the router receives information about a network, and if the receiving
interface belongs to that same network (but on a different subnet), the router
applies the subnet mask that is configured on the receiving interface.
- If the router receives information about a network address that is not the
same as the one configured on the receiving interface, it applies the default
(by class) subnet mask.
Despite its limitations, RIP is a very popular routing protocol and is supported
by virtually all IP routers. RIP's popularity stems from its simplicity and
universal compatibility. However, the first version of RIP (RIPv1) suffers from
several critical deficiencies:
1. RIPv1 does not send subnet mask information in its updates. Without subnet
information, VLSM and CIDR cannot be supported.
2. Its updates are broadcast, increasing network traffic.
3. It does not support authentication.
In 1988, RFC 1058 prescribed the new (and improved) RIP version 2 to address
these deficiencies:
1. RIPv2 does send subnet information and therefore supports VLSM and
CIDR.
2. It multicasts routing updates using the Class D address 224.0.0.9, providing
better efficiency.
3. It provides for authentication in its updates.
When RIP is first enabled on a Cisco router, the router listens for version 1 and 2
updates but sends only version 1. To take advantage of version 2's features,
version 1 support can be turned off and version 2 updates enabled with the
following command:
Router(config)#router rip
Router(config-router)#version 2
RIP's straightforward design ensures that it will continue to survive. A new
version has been designed to support future IPv6 networks.
The use of CIDR and VLSM not only prevents address waste, but it also
promotes route aggregation, or summarization. Without route summarization,
Internet backbone routing would likely have collapsed sometime before 1997.
The figure illustrates how route summarization reduces the burden on upstream
routers. This complex hierarchy of variable-sized networks and subnetworks is
summarized at various points using a prefix address until the entire network is
advertised as a single aggregate route: 200.199.48.0 /20.
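The aggregation described here and in the supernetting discussion of Company XYZ, as an added example (not the course's own code): the summary prefix is the longest prefix shared by the lowest and highest address of the member networks. The 207.21.54.0 /23 and 200.199.48.0 /20 results come from the text; the member lists are constructed, and the overreach check (address space a summary covers that no member holds) is my addition.

```python
# Added example: compute a summary (supernet) route and check how much address
# space it advertises beyond what the members actually hold.
import ipaddress


def summary_route(networks):
    """Shortest prefix covering every network: the leading bits that the lowest
    and highest covered addresses have in common."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32 - (lo ^ hi).bit_length()         # shared leading bits
    base = lo >> (32 - prefix) << (32 - prefix)   # clear the host bits
    return ipaddress.IPv4Network((base, prefix))


def host_capacity(net):
    """Usable host addresses in a prefix (all-0s and all-1s excluded)."""
    net = ipaddress.ip_network(net)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def overreach(networks):
    """Addresses the summary covers that no member holds (members assumed
    disjoint). A non-zero result means the summary claims space the
    organization does not own, so it should not be advertised as-is."""
    summary = summary_route(networks)
    held = sum(ipaddress.ip_network(n, strict=False).num_addresses for n in networks)
    return summary.num_addresses - held


def is_within(summary, provider_block):
    """True if a customer's summary sits inside the provider's CIDR block."""
    return ipaddress.ip_network(summary).subnet_of(ipaddress.ip_network(provider_block))


if __name__ == "__main__":
    xyz = ["207.21.54.0/24", "207.21.55.0/24"]          # XYZ's two Class C networks
    s = summary_route(xyz)
    print(s, host_capacity(s), "hosts, overreach", overreach(xyz))
    print(summary_route([f"200.199.{i}.0/24" for i in range(48, 64)]))
```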
Route flapping occurs when a router's interface alternates rapidly between the
"up" and "down" states. This can be caused by a number of factors, including a
faulty interface or poorly terminated media.
Because many private networks exist alongside public nets, grabbing "just any
address" is strongly discouraged. RFC 1918 sets aside three blocks of IP
addresses (i.e., a Class A, a Class B, and a Class C range) for private, internal
use. Addresses in this range will not be routed on the Internet backbone (see
Figure [1]). Internet routers immediately discard private addresses.
If you are addressing a nonpublic intranet, a test lab, or a home network, these
private addresses can be used instead of globally unique addresses. Global
addresses must be obtained from a provider or a registry at some expense.
How can these routers use private addresses if LAN users at site A, B, C, and D
expect to access the Internet? End users at these sites should have no problem
because they use globally unique addresses from the 207.21.24.0 network. The
routers use their serial interfaces with private addresses merely to forward traffic
and exchange routing information. Upstream providers and Internet routers see
only the source and destination IP addresses in the packet; they do not care if the
packet traveled through links with private addresses at some point. In fact, many
providers use RFC 1918 network numbers in the core of their network to avoid
depleting their supply of globally unique addresses.
One trade-off of using private numbers on WAN links is that these serial
interfaces cannot be the original source of traffic bound for the Internet or the
final destination of traffic from the Internet. Routers do not normally spend time
surfing the web, so this limitation typically becomes an issue only when
troubleshooting with ICMP, using SNMP, or connecting remotely with Telnet
over the Internet. In those cases, the router can be addressed only by its globally
unique LAN interfaces.
In the figure, Site A and Site B both have LANs that are addressed using subnets
from the same major net (207.21.24.0). They are discontiguous because the
10.0.0.4/30 network separates them. Classful routing protocols, notably RIPv1
and IGRP, cannot support discontiguous subnets because the subnet mask is not
included in routing updates. If Site A and Site B are running RIPv1, Site A will
receive updates about network 207.21.24.0/24 and not about 207.21.24.32/27
because the subnet mask is not included in the update. Because Site A has an
interface directly connected to that network (in this case, E0), Site A will reject
Site B's route.
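The two classful mask-inference rules given for RIPv1 and IGRP earlier, and the discontiguous-subnet failure just described, as one added example (not the course's own code): Site B's subnet leaves over a link in a different major net, so it is summarized to 207.21.24.0; Site A receives that address on its 10.0.0.4/30 link, applies the classful /24, and rejects the route because E0 is already connected to that major net. The interface addresses for Site A and Site B are constructed to match the figure.

```python
# Added example: model of RIPv1 (no mask in updates) versus RIPv2 (mask sent)
# across the discontiguous subnets 207.21.24.0/27 and 207.21.24.32/27.
import ipaddress


def classful_prefix(addr):
    """Default prefix length from the address class."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return 8        # Class A
    if first < 192:
        return 16       # Class B
    if first < 224:
        return 24       # Class C
    raise ValueError(f"{addr} is not a Class A, B or C address")


def major_net(addr):
    """The classful (major) network an address belongs to."""
    return ipaddress.ip_network(f"{addr}/{classful_prefix(addr)}", strict=False)


def ripv1_advertise(route, out_iface):
    """Sender side: RIPv1 carries no mask. A subnet sent out an interface in a
    different major net is summarized to the major net; otherwise the subnet
    address itself is sent and the receiver infers the mask."""
    route = ipaddress.ip_network(route)
    net_addr = str(route.network_address)
    if major_net(net_addr) == major_net(str(out_iface.ip)):
        return net_addr
    return str(major_net(net_addr).network_address)


def ripv1_interpret(advertised, in_iface):
    """Receiver side: use the receiving interface's mask if the address is in the
    same major net as that interface, else the default (classful) mask."""
    if major_net(advertised) == major_net(str(in_iface.ip)):
        return ipaddress.ip_network(
            f"{advertised}/{in_iface.network.prefixlen}", strict=False)
    return major_net(advertised)


def accept_route(route, local_ifaces):
    """Classful router behaviour: reject a route that is directly connected, or
    a major-net route when this router already has a subnet of it connected."""
    for iface in local_ifaces:
        if route == iface.network:
            return False, "directly connected"
        if route == major_net(str(route.network_address)) and iface.ip in route:
            return False, f"classful route for a major net already connected on {iface}"
    return True, "installed"


def ripv1_exchange(route, sender_out, receiver_in, receiver_ifaces):
    """One RIPv1 advertisement: what the receiver ends up seeing and doing."""
    seen = ripv1_interpret(ripv1_advertise(route, sender_out), receiver_in)
    ok, why = accept_route(seen, receiver_ifaces)
    return seen, ok, why


def ripv2_exchange(route, receiver_ifaces):
    """RIPv2 carries the mask, so the receiver sees the subnet exactly as sent."""
    seen = ipaddress.ip_network(route)
    ok, why = accept_route(seen, receiver_ifaces)
    return seen, ok, why


# Constructed topology: Site A and Site B joined by the 10.0.0.4/30 serial link.
SITE_A = {"E0": ipaddress.ip_interface("207.21.24.1/27"),
          "S0": ipaddress.ip_interface("10.0.0.5/30")}
SITE_B = {"E0": ipaddress.ip_interface("207.21.24.33/27"),
          "S0": ipaddress.ip_interface("10.0.0.6/30")}

if __name__ == "__main__":
    print("RIPv1:", ripv1_exchange("207.21.24.32/27", SITE_B["S0"], SITE_A["S0"],
                                   list(SITE_A.values())))
    print("RIPv2:", ripv2_exchange("207.21.24.32/27", list(SITE_A.values())))
```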
NAT, as defined by RFC 1631, is the process of swapping one address for
another in the IP packet header. In practice, NAT is used to allow hosts that are
privately addressed (using RFC 1918 addresses) to access the Internet.
The most powerful feature of NAT routers is their capability to use port address
translation (PAT), which allows multiple inside addresses to map to the same
global address. This is sometimes called a "many-to-one" NAT. With PAT, or
address overloading, literally hundreds of privately addressed nodes can access
the Internet using only one global address. The NAT router keeps track of the
different conversations by mapping TCP and UDP port numbers.
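The RFC 1918 blocks and the many-to-one PAT behaviour described above, as an added example (not the course's own code): a translation table keyed on protocol, inside address and inside port that maps every inside conversation to a distinct port on one global address and translates replies back. The inside hosts and the global address 203.0.113.1 are constructed; a real router also expires entries and reuses ports per destination, which this model omits.

```python
# Added example: RFC 1918 membership test and a minimal port address
# translation (PAT) table.
import ipaddress
from itertools import count

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918)


class PatTable:
    """Maps (proto, inside address, inside port) to a unique port on a single
    global address, and translates replies back to the inside host."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self._next_port = count(first_port)   # no reuse or expiry in this model
        self.outbound = {}   # (proto, inside_ip, inside_port) -> global port
        self.inbound = {}    # (proto, global port) -> (inside_ip, inside_port)

    def translate_outbound(self, proto, src_ip, src_port):
        """Rewrite the source of an inside->outside packet, allocating a
        global port on the first packet of a conversation."""
        if not is_private(src_ip):
            return src_ip, src_port            # already globally routable
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            gport = next(self._next_port)
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = (src_ip, src_port)
        return self.inside_global, self.outbound[key]

    def translate_inbound(self, proto, dst_port):
        """Rewrite the destination of an outside->inside packet. A packet that
        matches no existing translation is dropped, which is why privately
        addressed hosts are not reachable from outside unless mapped."""
        try:
            return self.inbound[(proto, dst_port)]
        except KeyError:
            raise LookupError(f"no translation for {proto}/{dst_port}: dropped") from None


if __name__ == "__main__":
    pat = PatTable("203.0.113.1")
    print(pat.translate_outbound("tcp", "10.1.1.10", 40000))
    print(pat.translate_outbound("tcp", "10.1.1.11", 40000))
    print(pat.translate_inbound("tcp", 1025))
```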
Figure 2: IP Unnumbered
Although it is enabled by default on versions of the Cisco IOS that support it, the
DHCP server process can be re-enabled by using the service dhcp global
configuration command. The no service dhcp command disables the server.
Like NAT, DHCP server requires that the administrator define a pool of
addresses. In Figure [1], the ip dhcp pool command defines which addresses
will be assigned to hosts.
The first command, ip dhcp pool room12, creates a pool named “room12”
and puts the router in a specialized DHCP configuration mode. In this mode, the
network statement is used to define the range of addresses to be leased. If it is
desirable to exclude specific addresses on this network, then it is necessary to
return to global configuration mode, as shown in Figure [1].
IP clients will not get very far without a default gateway, which can be set by
using the default-router command. The address of the DNS server (dns-
server) and WINS server (netbios-name-server) can be configured here as
well. The IOS DHCP server can configure clients with virtually any TCP/IP
information.
Figure [3] lists the key IOS DHCP server commands, which are entered in DHCP
pool configuration mode (identified by the dhcp-config# prompt).
The EXEC mode commands shown in Figure [4] are used to monitor DHCP
server operation.
1.7.4 Easy IP
DHCP is not the only critical service that uses broadcasts. Cisco routers and
other devices may use broadcasts to locate TFTP servers. Some clients may need
to broadcast to locate a TACACS (security) server. Typically, in a complex
hierarchical network, clients do not reside on the same subnet as key servers.
Such remote clients will broadcast to locate these servers, but routers, by
default, will not forward client broadcasts beyond their subnet. Because some
clients cannot function without services such as DHCP, the situation must be
resolved in one of two ways: place servers on all subnets, or use the Cisco IOS
helper address feature. Running services such as DHCP or DNS on several
computers creates overhead and administrative problems, so the first option is
not very appealing. When possible, administrators use the ip helper-address
command to relay broadcast requests for these key UDP services.
To configure the helper address, identify the router interface that will be
receiving the broadcasts for UDP services. In interface configuration mode, use
the ip helper-address command to define the address to which UDP
broadcasts for services should be forwarded.
What if Company XYZ needs to forward requests for a service not on this list?
The Cisco IOS provides the global configuration command ip forward-protocol
to allow an administrator to forward any UDP port in addition to the default
eight. In order to forward UDP on port 517, the global configuration command,
ip forward-protocol udp 517, would be used. This command is used not
only to add a UDP port to the "default eight" (see Figure [1]), but also to subtract
an unwanted service from the default group. For instance, if it is desired to
forward DHCP, TFTP, and DNS, and not Time, TACACS, and NetBIOS, the
Cisco IOS requires that the router be configured according to Figure [2].
Consider this complex sample helper address configuration (see Figure [1]).
Assume Host A is to automatically obtain its IP configuration from the DHCP
server at 172.24.1.9. Because RTA will not forward Host A's DHCPDISCOVER
broadcast, RTA must be configured to help Host A.
RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.9
With this simple configuration, Host A broadcasts using any of the eight default
UDP ports will be relayed to the DHCP server's IP address. However, what if
Host A also needs to use the services of the NetBIOS server at 172.24.1.5? As
configured, RTA will forward NetBIOS broadcasts from Host A to the DHCP
server. Moreover, if Host A sends a broadcast TFTP packet, RTA also will
forward this to the DHCP server at 172.24.1.9. What is needed in this example is
a helper address configuration that relays broadcasts to all servers on the
segment. The following commands configure a directed broadcast to the IP
subnet that is being used as a server farm:
RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.255
Finally, some devices on Host A's segment need to broadcast to the TACACS
server, which does not reside in the server farm. RTA's fa0/0 can be configured
to relay to it as well by adding the command ip helper-address 172.16.1.2.
The correct helper configuration can be verified with the show ip interface
command, as shown in Figure [2].
Notice in Figure [3] that RTA's interface fa0/3 (which connects to the server
farm) is not configured with helper addresses. However, the output in Figure [3]
also shows that, for this interface, directed broadcast forwarding is disabled.
This means that the router will not convert the logical broadcast 172.24.1.255
into a physical broadcast (with a Layer 2 address of FF-FF-FF-FF-FF-FF). To
allow all the nodes in the server farm to receive the broadcasts at Layer 2,
configure fa0/3 to forward directed broadcasts with the following commands:
RTA(config)#interface fa0/3
RTA(config-if)#ip directed-broadcast
Because a router that forwards directed broadcasts can be used as a broadcast
amplifier, the feature is disabled by default (RFC 2644); enable it only on the
server-farm interface that needs it.
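The helper-address decision process from this section, as an added example (not the course's own code): which UDP broadcasts are relayed (the IOS default set of eight ports, adjusted with ip forward-protocol udp), where each helper copy goes, and why the 172.24.1.255 copy is dropped until fa0/3 forwards directed broadcasts. RTA's helper addresses and the 172.24.1.0/24 server farm follow the text; the Host A segment address on fa0/0 is constructed.

```python
# Added example: model of ip helper-address, ip forward-protocol udp and
# ip directed-broadcast on a relay router.
import ipaddress

# UDP ports relayed by default once an interface has a helper address
# (the IOS "default eight").
DEFAULT_FORWARDED_UDP = {
    37: "Time", 49: "TACACS", 53: "DNS", 67: "BOOTP/DHCP server",
    68: "BOOTP/DHCP client", 69: "TFTP", 137: "NetBIOS name service",
    138: "NetBIOS datagram service",
}


class HelperRouter:
    def __init__(self):
        self.forwarded = set(DEFAULT_FORWARDED_UDP)
        self.interfaces = {}         # name -> IPv4Interface
        self.helpers = {}            # name -> [helper addresses]
        self.directed_broadcast = set()

    def add_interface(self, name, cidr):
        self.interfaces[name] = ipaddress.ip_interface(cidr)

    def ip_forward_protocol_udp(self, port, enable=True):
        """ip forward-protocol udp <port>  /  no ip forward-protocol udp <port>"""
        if enable:
            self.forwarded.add(port)
        else:
            self.forwarded.discard(port)

    def ip_helper_address(self, iface, addr):
        self.helpers.setdefault(iface, []).append(ipaddress.ip_address(addr))

    def ip_directed_broadcast(self, iface, enable=True):
        if enable:
            self.directed_broadcast.add(iface)
        else:
            self.directed_broadcast.discard(iface)

    def relay(self, in_iface, dst_port):
        """Copies made of a UDP broadcast received on in_iface (may be none)."""
        if dst_port not in self.forwarded:
            return []
        return [self.deliver(h) for h in self.helpers.get(in_iface, [])]

    def deliver(self, dst):
        """How one relayed copy leaves: unicast on a connected subnet, Layer 2
        broadcast on a connected subnet, dropped, or routed to another hop."""
        for name, iface in self.interfaces.items():
            if dst in iface.network:
                if dst == iface.network.broadcast_address:
                    if name in self.directed_broadcast:
                        return str(dst), f"L2 broadcast out {name}"
                    return str(dst), f"dropped: directed broadcast disabled on {name}"
                return str(dst), f"unicast out {name}"
        return str(dst), "routed to next hop"


def build_rta():
    """RTA as configured in the section (fa0/0 subnet is constructed)."""
    rta = HelperRouter()
    rta.add_interface("fa0/0", "172.24.100.1/24")   # Host A's segment (constructed)
    rta.add_interface("fa0/3", "172.24.1.1/24")     # server farm
    rta.ip_helper_address("fa0/0", "172.24.1.9")    # DHCP server
    rta.ip_helper_address("fa0/0", "172.24.1.255")  # directed broadcast to the farm
    rta.ip_helper_address("fa0/0", "172.16.1.2")    # TACACS server elsewhere
    return rta


if __name__ == "__main__":
    rta = build_rta()
    print(rta.relay("fa0/0", 67))
    rta.ip_directed_broadcast("fa0/3")
    print(rta.relay("fa0/0", 67))
```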
In this lab activity SanJose2 will be configured to act as a DHCP server. Then
SanJose1 will be configured to forward UDP broadcasts for DHCP requests.
In this chapter, it has been shown that IPv4 addressing faces two major
problems: the depletion of addresses, particularly the key medium-sized space
(Class B), and dangerous overgrowth of Internet routing tables.
In the early 1990s, CIDR ingeniously built on the concept of the address mask
and stepped forward to temporarily alleviate these serious problems. The
hierarchical nature of CIDR dramatically improved IPv4's scalability. Once
again, a hierarchical design proves to be a scalable one.
Yet even with subnetting (1985), variable-length subnetting (1987), and CIDR
(1993), a hierarchical structure could not save IPv4 from one simple problem:
There just are not enough addresses to meet future need. At roughly 4 billion
possibilities, the IPv4 address space is formidable, but it will not suffice in a
future world of mobile Internet-enabled devices and IP-addressable household
appliances (RFC 2235 references the world's first "Internet toaster").
Recent short-term IPv4 solutions to the address dilemma are private addressing
(RFC 1918), which sets aside addresses for unlimited internal use, and NAT,
which allows thousands of hosts to access the Internet with only a handful of
valid addresses.
However, the ultimate solution to the address shortage is the introduction of IPv6
and its 128-bit address. Developed to create a supply of addresses that would
outlive demand, IPv6 is designed to eventually replace IPv4. The fantastically
large address space of IPv6 will provide not only far more addresses than IPv4,
but additional levels of hierarchy as well. For the record, 128 bits allows for
340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities.
In 1994, the IETF proposed IPv6 in RFC 1752, and a number of working groups
were formed in response. IPv6 tackles issues such as address depletion, quality
It will not be easy for organizations deeply invested in the IPv4 scheme to
migrate to a totally new architecture. As long as IPv4 (with its recent extensions
and CIDR-enabled hierarchy) remains viable, administrators will be slow to
adopt IPv6. A new IP protocol requires new software, new hardware, and new
methods of administration. It is likely that IPv4 and IPv6 will coexist, even
within an autonomous system, for years to come.
Under current plans, IPv6 nodes that connect to the Internet will use what is
called an aggregatable global unicast address, which is the counterpart to IPv4
global addresses. Like CIDR-enhanced IPv4, aggregatable global unicast
addresses rely on hierarchy to keep Internet routing tables manageable. IPv6
global unicast addresses feature three levels of hierarchy:
- Public topology: the collection of providers that provide Internet
connectivity
- Site topology: the level local to an organization that does not provide
connectivity to nodes outside itself
- Interface identifier: the level specific to a node's individual interface
This three-level hierarchy is reflected by the structure of the aggregatable global
unicast address, which includes the following fields (see Figure [2]):
- FP field (3 bits): the 3-bit Format Prefix (FP) is used to identify the type
of address (unicast, multicast, and so on). The bits 001 identify aggregatable
global unicasts.
- TLA ID field (13 bits): the Top-Level Aggregation Identifier (TLA ID)
field is used to identify the authority responsible for the address at the
highest level of the routing hierarchy. Internet routers will necessarily
maintain routes to all TLA IDs. With 13 bits set aside, this field can
represent up to 8,192 TLAs.
- Res field (8 bits): IPv6 architects defined the reserved (Res) field so that the
TLA or NLA IDs could be expanded as future growth warrants. Currently,
this field must be set to zero.
- NLA ID field (24 bits): the Next-Level Aggregation Identifier (NLA ID)
field is used to identify ISPs. The field itself can be organized hierarchically
to reflect a hierarchy, or multitiered relationship, among providers.
- SLA ID field (16 bits): the Site-Level Aggregation Identifier (SLA ID) is
used by an individual organization to create its own local addressing
hierarchy and to identify subnets.
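The field layout above, as an added example (not the course's own code): pack and unpack the aggregatable global unicast format (FP 3, TLA ID 13, Res 8, NLA ID 24, SLA ID 16, and the remaining 64-bit interface identifier) and derive the /16 an Internet router carries per TLA. The sample field values are constructed. This is the RFC 2374 layout the course describes; RFC 3587 later retired the TLA/NLA subdivision, so current global unicast addresses such as 2001:db8::/32 do not satisfy its Res-must-be-zero rule.

```python
# Added example: split an IPv6 address into the aggregatable global unicast
# fields and build one from field values.
import ipaddress

FIELDS = (("FP", 3), ("TLA ID", 13), ("Res", 8), ("NLA ID", 24),
          ("SLA ID", 16), ("Interface ID", 64))
AGGREGATABLE_FP = 0b001


def unpack(addr):
    """Split an IPv6 address into the six fields, checking FP and Res."""
    value = int(ipaddress.IPv6Address(addr))
    fields, shift = {}, 128
    for name, width in FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    if fields["FP"] != AGGREGATABLE_FP:
        raise ValueError(f"{addr}: FP {fields['FP']:03b} is not aggregatable global unicast")
    if fields["Res"] != 0:
        raise ValueError(f"{addr}: reserved field must be zero")
    return fields


def pack(tla, nla, sla, interface_id):
    """Build an aggregatable global unicast address from its field values."""
    parts = {"FP": AGGREGATABLE_FP, "TLA ID": tla, "Res": 0, "NLA ID": nla,
             "SLA ID": sla, "Interface ID": interface_id}
    value, shift = 0, 128
    for name, width in FIELDS:
        if not 0 <= parts[name] < (1 << width):
            raise ValueError(f"{name} value does not fit in {width} bits")
        shift -= width
        value |= parts[name] << shift
    return str(ipaddress.IPv6Address(value))


def tla_route(tla):
    """The /16 an Internet router must carry for one TLA (8,192 in total)."""
    return ipaddress.ip_network(f"{pack(tla, 0, 0, 0)}/16")


if __name__ == "__main__":
    # Constructed values: TLA 1, NLA 0xA5, SLA 0x12, an EUI-64 style interface ID.
    sample = pack(1, 0xA5, 0x12, 0x020000FFFE000001)
    print(sample, unpack(sample), tla_route(1))
```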
Lab Activity:
In this lab, you configure VLSM and test its functionality with two different
routing protocols, RIPv1 and RIPv2. Finally, you use IP unnumbered in place of
VLSM to further conserve addresses.
1.10.2 VLSM
Lab Activity:
Lab Activity:
In this lab, you configure a Cisco router to act as a DHCP server for clients on
two separate subnets. You also use the IP helper address feature to forward
DHCP requests from a remote subnet.
Section 2
The two kinds of relationships are two-way and adjacency, although there
are many phases in between. A router must receive a hello from a neighbor
before it can establish any relationship.
3. Two-Way State
Using hello packets, every OSPF router tries to establish a Two-way state, or
bi-directional communication, with every neighbor router on the same IP
The Two-Way state is the most basic relationship that OSPF neighbors can
have, but routing information is not shared between routers in this
relationship. To learn about other routers' link states and eventually build a
routing table, every OSPF router must form at least one adjacency. An
adjacency is an advanced relationship between OSPF routers that involves a
series of progressive states that rely not just on hellos, but also on the other
four types of OSPF packets. Routers that attempt to become adjacent to one
another exchange routing information even before the adjacency is fully
established. The first step toward full adjacency is the ExStart state, which is
described next.
4. ExStart State
Technically, when a router and its neighbor enter the ExStart state, the
conversation is characterized as an adjacency, but the routers have not
become fully adjacent yet. ExStart is established using Type 2 database
description (DBD) packets, also known as DDPs. The two neighbor routers
use the first (empty) DBD packets to negotiate who is the "master" and who
is the "slave" in the relationship, and the DBD packets that follow to
describe their databases to each other. [4]
The router with the highest OSPF router ID "wins" and becomes master.
(The OSPF router ID is discussed later in this chapter.) When the neighbors
have established the roles of master and slave, the Exchange state is entered
and the sending of routing information begins.
5. Exchange State
In the Exchange state, neighbor routers use Type 2 DBD packets to send
each other link-state information [4]. In other words, the routers describe
link-state databases to each other. The routers compare what is learned with
existing link-state databases. If either of the routers receives information
about a link that is not already in its database, the router requests a complete
update from its neighbor. Complete routing information is exchanged in the
Loading state.
6. Loading State
After the databases have been described to each router, they may request
information that is more complete by using Type 3 packets, called link-state
requests (LSRs). When a router receives an LSR, it responds with an update
by using a Type 4 link-state update (LSU) packet. [4] These Type 4 LSU
packets contain the actual link-state advertisements (LSAs), which are the
heart of link-state routing protocols. As shown in Figure [4], Type 4 LSUs
are acknowledged using Type 5 packets, called link-state acknowledgments
(LSAcks).
7. Full Adjacency
With the Loading state complete, the routers are fully adjacent. Each router
keeps a list of adjacent neighbors, called the adjacency database. The
adjacency database should not be confused with the link-state database or
the forwarding database. [5]
Because multiaccess networks can support more than two routers, OSPF elects a
DR to be the focal point of all link-state updates and LSAs. The DR's role is
critical, therefore a BDR is elected to "shadow" the DR. In the event that the DR
fails, the BDR can smoothly take over.
Like any election, the DR/BDR selection process can be rigged. The "ballots"
are hello packets, which contain a router's ID and priority fields. The router with
the highest priority value among the neighbors on the segment wins the election
and becomes the DR. The router with the second-highest priority is elected the
BDR. When the DR and BDR have been elected, the roles are kept until one of
the routers fails, even if additional routers with higher priorities show up on the
network. Hello packets inform newcomers of the identity of the existing DR and
BDR. Because the ballots are plain hellos, and OSPF sends them unauthenticated
by default, any device able to send hellos on the segment can claim the DR role at
the next election simply by advertising a high priority; enabling OSPF
authentication on the interface is what keeps untrusted hosts out of the vote.
OSPF routers all have the same default priority value of 1. A priority from 0 to
255 can be assigned on any given OSPF interface. A priority of 0 prevents the
router from winning any election on that interface. A priority of 255 ensures at
least a tie. The Router ID field is used to break ties. If two routers have the same
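The election rules in the two paragraphs above (highest priority wins, priority 0 abstains, the router ID breaks ties, and no pre-emption once the roles are set) as a small Python function. This is an added example, not course material; the router IDs and priorities are constructed, and the function models only the hello-driven election the text describes, not the complete RFC 2328 procedure.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


def _rank(router_id: str, priority: int) -> tuple:
    # Highest priority wins; the numerically highest router ID breaks ties.
    return (priority, int(IPv4Address(router_id)))


def elect_dr_bdr(routers: Dict[str, int],
                 dr: Optional[str] = None,
                 bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) for one multiaccess segment.

    routers maps router ID -> interface priority for every router whose hellos
    are currently being heard. dr and bdr are the roles already established on
    the segment, if any. Rules implemented, as the text describes them:
      * a priority of 0 never wins a role;
      * an existing DR/BDR keeps its role while its hellos are still heard, even
        if a router with a higher priority has since joined (no pre-emption);
      * when the DR disappears the BDR takes over and a new BDR is elected.
    """
    eligible = {rid: pri for rid, pri in routers.items() if pri > 0}
    ranked = sorted(eligible, key=lambda rid: _rank(rid, eligible[rid]), reverse=True)

    if dr not in eligible:                       # DR failed, withdrew, or never set
        dr, bdr = (bdr if bdr in eligible else None), None
    if bdr not in eligible or bdr == dr:
        bdr = None
    if dr is None and ranked:
        dr = ranked[0]
    if bdr is None:
        bdr = next((rid for rid in ranked if rid != dr), None)
    return dr, bdr


if __name__ == "__main__":
    # Constructed segment: three routers at the default priority of 1.
    segment = {"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 1}
    dr, bdr = elect_dr_bdr(segment)
    print("initial election:", dr, bdr)          # ties broken by router ID
    segment["10.0.0.9"] = 255                    # newcomer with the maximum priority
    print("after newcomer:  ", elect_dr_bdr(segment, dr, bdr))   # unchanged
    del segment["10.0.0.3"]                      # DR stops sending hellos
    print("after DR failure:", elect_dr_bdr(segment, dr, bdr))   # BDR promoted
```

The last two calls show the two sides of the "rigging" remark: the router advertising priority 255 gains nothing while the current DR and BDR are alive, but it becomes BDR (and next DR) as soon as an election is held, and it would win outright in a fresh election.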
After a router has a complete link-state database, it is ready to create its routing
table so that it can forward traffic. As mentioned earlier in the chapter, OSPF
uses the metric value called cost to determine the best path to a destination (see
the figure above). The default cost value is based on media bandwidth. In
general, cost decreases as the speed of the link increases. RTB's 10-Mbps
When an OSPF router has installed routes in its routing table, it must diligently
maintain routing information. When there is a change in a link-state, OSPF
routers use a flooding process to notify other routers on the network about the
change. The Hello protocol's dead interval provides a simple mechanism for
declaring a link partner down. If RTB does not hear from RTA for a time period
exceeding the dead interval (usually 40 seconds), RTB declares its link to RTA
down.
RTB then sends an LSU packet containing the new link-state information, but to
whom?
! On a point-to-point network, no DR or BDR exists. New link-state
information is sent to the 224.0.0.5 multicast address. All OSPF routers
listen at this address.
! On a multiaccess network, a DR and BDR exist and maintain adjacencies
with all other OSPF routers on the network. If a DR or BDR needs to send a
link-state update, it will send it to all OSPF routers at 224.0.0.5. However,
the other routers on a multiaccess network are adjacent only to the DR and
the BDR and thus can send LSUs only to them. For that reason, the DR and
BDR have their own multicast address, 224.0.0.6. Non-DR/BDR routers
send their LSUs to 224.0.0.6, or "all DR/BDR routers" [1].
When the DR receives and acknowledges the LSU destined for 224.0.0.6, it
floods the LSU to all OSPF routers on the network at 224.0.0.5 [2]. Each router
acknowledges receipt of the LSU with an LSAck.
If an OSPF router is connected to another network, it floods the LSU to other
networks by forwarding the LSU to the DR of the multiaccess network, or to an
adjacent router if in a point-to-point network [3]. The DR, in turn, multicasts the
LSU to the other OSPF routers in that network.
This section covers the process of configuring OSPF on routers within a single
area.
To configure OSPF, OSPF is enabled on the router and the router's network
addresses and area information are also configured [1], according to the
following steps:
1. Enable OSPF on the router using the following command:
For each network, an area must be identified to which the network belongs.
The network value can be the network address, subnet, or the address of the
interface. The router knows how to interpret the address by comparing the
address to the wildcard mask. A wildcard mask is necessary because OSPF
supports Classless InterDomain Routing (CIDR) and Variable Length Subnet
Masking (VLSM), unlike RIPv1 and IGRP. The area argument is needed
even when configuring OSPF in a single area. More than one IP network can
belong to the same area.
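An added example (not part of the course text) of the wildcard-mask comparison the network command performs: it derives the wildcard for a prefix length, turns a subnet into the address/wildcard pair for a network statement, and works out which interfaces a set of statements enables and in which area. The interface names and addresses are constructed; the rule applied when several statements match one interface (the most specific wins) is this example's own choice.

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_from_prefix(prefixlen: int) -> str:
    """/24 -> 0.0.0.255, /30 -> 0.0.0.3, /32 -> 0.0.0.0 (the inverse of the subnet mask)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address((2 ** 32 - 1) >> prefixlen))


def network_statement(subnet: str) -> tuple:
    """Return the (address, wildcard) pair that covers exactly this subnet."""
    net = IPv4Network(subnet, strict=True)
    return str(net.network_address), wildcard_from_prefix(net.prefixlen)


def wildcard_match(stmt_addr: str, wildcard: str, interface_addr: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must agree."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(stmt_addr)) & care) == (int(IPv4Address(interface_addr)) & care)


def ospf_enabled_interfaces(interfaces: dict, statements: list) -> dict:
    """Map each interface that matches a network statement to its OSPF area.

    interfaces: {name: "address/prefixlen"}; statements: [(addr, wildcard, area), ...].
    When several statements match one interface this example takes the one with
    the fewest 'don't care' bits (assumption: most specific wins).
    """
    enabled = {}
    for name, cidr in interfaces.items():
        addr = cidr.split("/")[0]
        matches = [s for s in statements if wildcard_match(s[0], s[1], addr)]
        if matches:
            best = min(matches, key=lambda s: bin(int(IPv4Address(s[1]))).count("1"))
            enabled[name] = best[2]
    return enabled


if __name__ == "__main__":
    # Constructed router: one serial, one Ethernet and one loopback interface.
    interfaces = {"Serial0": "3.1.1.1/24", "Ethernet0": "192.168.1.33/27", "Loopback0": "10.0.0.1/32"}
    statements = [("3.1.1.0", "0.0.0.255", 0), network_statement("192.168.1.32/27") + (0,)]
    print(ospf_enabled_interfaces(interfaces, statements))   # Loopback0 is left out
    statements.append(("0.0.0.0", "255.255.255.255", 0))     # catch-all: every interface
    print(ospf_enabled_interfaces(interfaces, statements))
```

The catch-all statement 0.0.0.0 255.255.255.255 is convenient in a lab, but it also enables OSPF, and therefore hello exchange with whatever is attached, on every interface including ones facing untrusted networks; subnet-exact statements keep the adjacency surface to the interfaces you intend.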
In this lab exercise, you will configure the SanJose 1 router for OSPF in a single
area. The Westasman router is already configured for OSPF.
You will first specify the OSPF process ID and then enter router configuration
mode.
In router configuration mode, you will configure OSPF for specific networks in
area 0.
Before selecting an OSPF configuration strategy for a Frame Relay network (or
legacy X.25 network), the different NBMA topologies must be understood.
Fundamentally, two possible physical topologies exist for Frame Relay networks
[1]:
! Full-mesh topology
! Partial-mesh topology (including the hub-and-spoke topology)
The following sections describe how to configure OSPF in both full-mesh and
partial-mesh Frame Relay networks.
Full-Mesh Frame Relay
Organizations deploy Frame Relay primarily because it supports more than one
logical connection over a single interface, making it an affordable and flexible
choice for WAN links. A full-mesh topology takes advantage of Frame Relay's
capability to support multiple permanent virtual circuits (PVCs) on a single
serial interface. In a full-mesh topology, every router has a PVC to every other
router. [2]
For OSPF to work properly over a multiaccess full-mesh topology that does not
support broadcasts, each OSPF neighbor's address must be entered on each
router, one at a time. The OSPF neighbor command tells a router its
neighbors' IP addresses so that it can exchange routing information by unicast
rather than by multicast. The following example illustrates how the neighbor
command is used:
RTA(config)#router ospf 1
RTA(config-router)#network 3.1.1.0 0.0.0.255 area 0
RTA(config-router)#neighbor 3.1.1.2
RTA(config-router)#neighbor 3.1.1.3
Specifying each router's neighbors is not the only option to make OSPF work in
this type of environment. The following section explains how configuring
subinterfaces can eliminate the need for the neighbor command.
The commands in the figure verify that OSPF is working properly. These
commands ensure that the routers are configured correctly and are performing
the way they should.
Lab Activity:
In this lab, you configure OSPF on three Cisco routers. First, you configure
loopback interfaces to provide stable OSPF Router IDs. Then you configure the
OSPF process and enable OSPF on the appropriate interfaces. After OSPF is
enabled, you tune the update timers and configure authentication.
Lab Activity:
In this lab, you observe the OSPF DR and BDR election process using debug
commands. Then you assign each OSPF interface a priority value to force the
election of a specific router as a DR.
EIGRP
Table of Contents
EIGRP................................................................................................................................ 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
3.1 EIGRP FUNDAMENTALS ............................................................................................................................. 5
3.1.1 EIGRP and IGRP compatibility............................................................................................................ 5
3.1.2 EIGRP design ..................................................................................................................................... 7
3.1.3 EIGRP support for Novell IPX and AppleTalk ....................................................................................... 8
3.1.4 EIGRP terminology ............................................................................................................................. 9
3.2 EIGRP FEATURES .................................................................................................................................... 10
3.2.1 EIGRP technologies .......................................................................................................................... 10
3.2.2. Neighbor discovery and recovery....................................................................................................... 11
3.2.3 Reliable transport protocol ................................................................................................................ 13
3.2.4 DUAL finite-state machine................................................................................................................. 14
3.2.5 Protocol-dependent modules .............................................................................................................. 18
3.3 EIGRP COMPONENTS ...............................................................................................................................19
3.3.1 EIGRP packet types........................................................................................................................... 19
3.3.2 EIGRP tables.................................................................................................................................... 21
3.3.3 EIGRP tables (con’t.) ........................................................................................................................ 23
3.3.4 Route tagging with EIGRP................................................................................................................. 26
3.4 EIGRP OPERATION .................................................................................................................................. 28
3.4.1 Convergence using EIGRP................................................................................................................. 28
3.5 CONFIGURING EIGRP ...............................................................................................................................31
3.5.1 Configuring EIGRP for IP networks ................................................................................................... 31
3.5.2 EIGRP and the bandwidth command .................................................................................................. 33
3.5.3. The bandwidth-percent command ...................................................................................................... 35
3.5.4 Configuring EIGRP for IPX networks ................................................................................................. 36
3.5.5 Controlling SAP updates.................................................................................................................... 38
3.5.6 Summarizing EIGRP routes for IP ...................................................................................................... 39
3.5.7 Summarizing EIGRP routes for IP, con’t............................................................................................. 40
3.6 MONITORING EIGRP ................................................................................................................................ 42
3.6.1 Verifying EIGRP operation ................................................................................................................ 42
3.7 EIGRP CONFIGURATION LAB EXERCISES .................................................................................................... 43
3.7.1 Configuring EIGRP with IGRP .......................................................................................................... 43
3.7.2 Configuring EIGRP fault tolerance..................................................................................................... 43
3.7.3 Configuring EIGRP summarization .................................................................................................... 43
3.8 CONFIGURING EIGRP CHALLENGE LAB EXERCISE ....................................................................................... 44
3.8.1 EIGRP challenge lab......................................................................................................................... 44
SUMMARY ..................................................................................................................................................... 45
Even though it is compatible with IGRP, EIGRP operates quite differently from
its predecessor. As an advanced distance-vector routing protocol, EIGRP acts
like a link-state protocol when updating neighbors and maintaining routing
information. EIGRP's advantages over simple distance-vector protocols include
the following:
! Rapid convergence - EIGRP routers converge quickly because they rely on
a state-of-the-art routing algorithm called the Diffusing Update Algorithm
(DUAL). DUAL guarantees loop-free operation at every instant throughout a
route computation and allows all routers involved in a topology change to
synchronize at the same time.
! Efficient use of bandwidth - EIGRP makes efficient use of bandwidth by
sending partial, bounded updates and by consuming minimal amounts of
bandwidth when the network is stable.
o Partial, bounded updates - EIGRP routers make partial,
incremental updates rather than sending their complete tables. This
may seem similar to OSPF operation, but unlike OSPF routers,
EIGRP routers send these partial updates only to the routers that
need the information, not to all routers in an area. For this reason,
they are called bounded updates.
o Minimal consumption of bandwidth when the network is stable -
Instead of using timed routing updates, EIGRP routers keep in touch
with each other using small hello packets. Though exchanged
regularly, hello packets do not consume a significant amount of
bandwidth.
! Support for VLSM and CIDR - Unlike IGRP, EIGRP offers full support
for classless IP by exchanging subnet masks in routing updates.
! Multiple network-layer support - EIGRP supports IP, IPX, and AppleTalk
through protocol-dependent modules (PDMs).
! Independence from routed protocols - PDMs protect EIGRP from
painstaking revision. Evolution of a routed protocol, such as IP, may require
a new protocol module, but not necessarily a reworking of EIGRP itself.
In a legacy NetWare network, servers and routers may be configured to use IPX
RIP and the Service Advertising Protocol (SAP) to exchange information with
peers. As time-driven protocols, IPX RIP and SAP generate updates every 60
seconds by default. These updates can crowd low-speed WAN links, especially
in large internetworks.
EIGRP can redistribute IPX RIP and SAP information to improve overall
performance. In effect, EIGRP can take over for these two protocols. An EIGRP
router will receive routing and service updates and then update other routers only
when changes in the SAP or routing tables occur. Routing updates occur as they
would in any EIGRP network, that is, through the use of partial updates. EIGRP
sends SAP updates incrementally on all serial interfaces by default. However,
incremental SAP updates must be configured manually on LAN interfaces (for
example, Ethernet, Token Ring, and FDDI).
Like IP RIP, IPX RIP restricts the diameter of a network to 15 hops. By using
EIGRP to redistribute IPX RIP, a network diameter can expand to EIGRP's
comfortable limit of 224 hops. Moreover, EIGRP's more advanced metric, which
uses bandwidth and delay, replaces Novell RIP's less optimal metric derived
from hop count and ticks.
The obvious shortcomings of IPX RIP and SAP spurred Novell's development of
a proprietary link-state routing protocol for NetWare, NetWare Link Services
Protocol (NLSP). A link-state protocol, NLSP replaces both RIP and SAP. On
servers running NetWare 3.11 or later, administrators can choose between using
RIP/SAP or NLSP. Note that since Cisco IOS version 11.1, EIGRP can
redistribute NLSP as well as IPX RIP.
EIGRP Support for AppleTalk
EIGRP can also take over for AppleTalk's Routing Table Maintenance Protocol
(RTMP). As a distance-vector routing protocol, RTMP relies on periodic and
complete exchanges of routing information. To reduce overhead, EIGRP
redistributes AppleTalk routing information using event-driven updates. EIGRP
also uses a configurable composite metric to determine the best route to an
AppleTalk network. RTMP uses hop count, which can result in suboptimal
routing.
AppleTalk clients expect RTMP information from local routers, so EIGRP for
AppleTalk should be run only on a clientless network, such as a WAN link.
One of EIGRP's most attractive features is its modular design. Modular, layered
designs prove to be the most scalable and adaptable. Support for routed
protocols such as IP, IPX, and AppleTalk is included in EIGRP through
protocol-dependent modules (PDMs). EIGRP can easily adapt to new or revised
routed protocols (for example, IPv6) by adding protocol-dependent modules.
Each PDM is responsible for all functions related to its specific routed protocol.
The IP-EIGRP module is responsible for the following:
! Sending and receiving EIGRP packets that bear IP data
! Notifying DUAL of new IP routing information that is received
! Maintaining the results of DUAL's routing decisions in the IP routing table
! Redistributing routing information that was learned by other IP-capable
routing protocols
Like OSPF, EIGRP relies on several different kinds of packets to maintain its
various tables and establish complex relationships with neighbor routers
(Figure [1]). The five EIGRP packet types are listed here:
! Hello
! Acknowledgment
! Update
! Query
! Reply
The following sections describe these packet types in detail.
Hello Packets
EIGRP relies on hello packets to discover, verify, and rediscover neighbor
routers. Rediscovery occurs if EIGRP routers do not receive each other's hellos
for a hold time interval but then re-establish communication.
DUAL can select alternate routes based on the tables kept by EIGRP. By
building these tables, every EIGRP router can track all the routing information in
an autonomous system (AS), not just the best routes.
The following sections examine the neighbor table, the routing table, and the
topology table in detail and provide an example of each. In addition, we will
look at the various packet types used by EIGRP to build and maintain these
tables.
The Neighbor Table
The most important table in EIGRP is the neighbor table (refer to Figure [1]).
The neighbor relationships tracked in the neighbor table are the basis for all
EIGRP routing update and convergence activity.
The neighbor table contains information about adjacent neighboring EIGRP
routers. Whenever a new neighbor is discovered, the address of that neighbor
and the interface used to reach it are recorded in a new neighbor table entry.
A neighbor table is used to support reliable, sequenced delivery of packets. One
field in each row of the table includes the sequence number of the last packet
received from that neighbor. EIGRP uses this field to acknowledge a neighbor's
transmission and to identify packets that are out of sequence.
As shown in Figure [1], an EIGRP neighbor table includes the following key
elements:
! Neighbor address (Address) - The network-layer address of the neighbor
router.
! Hold time (Hold Uptime) - The interval to wait without receiving anything
from a neighbor before considering the link unavailable. Originally, the
expected packet was a hello packet, but in current Cisco IOS software
releases, any EIGRP packets received after the first hello will reset the timer.
! Smooth Round-Trip Timer (SRTT) - The average time that it takes to send
and receive packets from a neighbor. This timer is used to determine the
retransmit interval (RTO).
! Queue count (Q Cnt) - The number of packets waiting in queue to be sent.
If this value is constantly higher than zero, then there may be a congestion
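An added example, not from the course: the sample output below is constructed in the layout of show ip eigrp neighbors (the figure the text refers to is not reproduced here), and the Python parses it into the fields listed above and flags the conditions a practitioner checks first: a non-zero Q Cnt, a hold timer close to expiry, and an adjacency that came up only moments ago. The warning thresholds are this example's choices.

```python
import re

# Constructed sample in the layout of "show ip eigrp neighbors"; the values are
# made up for this example, not captured from a router.
SAMPLE = """\
IP-EIGRP neighbors for process 100
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   10.1.1.2                Se0/0         12 00:10:31    40   240  0  5
1   10.1.2.2                Se0/1          2 00:00:14   120   720  3  8
2   192.168.1.3             Et0/0         14 1d02h        4   200  0  41
"""

ROW = re.compile(
    r"^(?P<h>\d+)\s+(?P<address>\S+)\s+(?P<interface>\S+)\s+(?P<hold>\d+)\s+"
    r"(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+(?P<q_cnt>\d+)\s+(?P<seq>\d+)\s*$"
)


def uptime_to_seconds(text: str) -> int:
    """Accept the HH:MM:SS, NdNNh and NwNd forms IOS uses for uptimes."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", text)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    m = re.fullmatch(r"(\d+)d(\d+)h", text)
    if m:
        d, h = map(int, m.groups())
        return d * 86400 + h * 3600
    m = re.fullmatch(r"(\d+)w(\d+)d", text)
    if m:
        w, d = map(int, m.groups())
        return (w * 7 + d) * 86400
    raise ValueError(f"unrecognised uptime: {text}")


def parse_neighbors(output: str) -> list:
    """Return one dict per neighbor row; banner and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("h", "hold", "srtt", "rto", "q_cnt", "seq"):
            d[key] = int(d[key])
        d["uptime_sec"] = uptime_to_seconds(d["uptime"])
        rows.append(d)
    return rows


def neighbor_findings(neighbors: list, hold_warn: int = 5, uptime_warn: int = 60) -> dict:
    """Flag neighbors worth a second look, keyed by neighbor address."""
    findings = {}
    for n in neighbors:
        issues = []
        if n["q_cnt"] > 0:
            issues.append("packets queued (Q Cnt > 0): possible congestion")
        if n["hold"] <= hold_warn:
            issues.append(f"hold timer at {n['hold']}s: hellos are being missed")
        if n["uptime_sec"] < uptime_warn:
            issues.append("adjacency (re)established less than a minute ago")
        if issues:
            findings[n["address"]] = issues
    return findings


if __name__ == "__main__":
    for address, issues in neighbor_findings(parse_neighbors(SAMPLE)).items():
        print(address, issues)
```

Run against the sample, only the neighbor on Se0/1 is reported, and it trips all three checks at once: a queue backlog, a hold timer two seconds from expiry, and an adjacency only fourteen seconds old, which together look like a flapping or overloaded link rather than a healthy peer.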
Not only does the topology table track information regarding route states, but it
also can record special information about each route. EIGRP classifies routes as
either internal or external. EIGRP uses a process called route tagging to add
special tags to each route. These tags identify a route as internal or external and
may include other information as well.
Internal routes originate from within the EIGRP AS. External routes originate
from outside the system. Routes learned (redistributed) from other routing
protocols, such as RIP, OSPF, and IGRP are external. Static routes originating
from outside the EIGRP AS and redistributed inside are also external routes.
All external routes are included in the topology table and are tagged with the
following information:
! The identification number (router ID) of the EIGRP router that redistributed
the route into the EIGRP network
! The AS number of the destination
! The protocol used in that external network
! The cost or metric received from that external protocol
! The configurable administrator tag
The figure shows a specific topology table entry for an external route.
To develop a precise routing policy, take advantage of route tagging and, in
particular, the administrator tag shown in the shaded portion of the figure. A
network administrator can configure the administrator tag to be any number
between 0 and 255; in effect, this is a custom tag that can be used to implement
a special routing policy. External routes can be accepted, rejected, or propagated
based on any of the route tags, including the administrator tag. Because a
network administrator can configure the administrator tag, the route-tagging
In this lab exercise, you will configure EIGRP on the Singapore router. The
SanJose3 router is already configured for EIGRP.
Network administrators should follow three rules when configuring EIGRP over
a nonbroadcast multiaccess (NBMA) cloud such as Frame Relay:
! EIGRP traffic should not exceed the committed information rate (CIR)
capacity of the virtual circuit (VC).
! EIGRP's aggregated traffic over all the VCs should not exceed the access
line speed of the interface.
! The bandwidth allocated to EIGRP on each VC must be the same in both
directions.
If these rules are understood and followed, EIGRP works well over the WAN. If
care is not taken in the configuration of the WAN, EIGRP can swamp the
network.
Configuring Bandwidth over a Multipoint Network
The configuration of the bandwidth command in an NBMA cloud depends on
the design of the VCs. If the serial line has many VCs in a multipoint
configuration and all of the VCs share bandwidth evenly, set the bandwidth to
the sum of all of the CIRs. For example, in Figure [1], each VC's CIR is set to 56
Kbps. Since there are 4 VCs, the bandwidth is set to 224 (4 x 56).
Configuring Bandwidth over a Hybrid Multipoint Network
If the multipoint network has differing speeds allocated to the VCs, a more
complex solution is needed. There are two main approaches.
Take the lowest CIR and multiply this by the number of VCs. As shown in
Figure [2], this is applied to the physical interface. The problem with this
configuration is that the higher-bandwidth links may be underutilized.
Use subinterfaces. The bandwidth command may be configured on each
subinterface, which allows different speeds on each VC. In this case,
subinterfaces are configured for the links with the differing CIRs. The links that
have the same configured CIR are presented as a single subinterface with a
bandwidth, which reflects the aggregate CIR of all the circuits. In Figure [3],
three of the VCs have the same CIR, 256 Kbps. All three VCs are grouped
together as a multipoint subinterface, serial 0.1. The single remaining VC, which
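An added example (not part of the course text) that turns the three rules and the three bandwidth strategies above into arithmetic: the sum of the CIRs for an even multipoint cloud (Figure 1), the lowest CIR times the VC count for a hybrid cloud (Figure 2), and one subinterface per distinct CIR (Figure 3). It uses EIGRP's default of 50 percent of interface bandwidth and assumes that the single remaining VC in Figure 3 has a 56 Kbps CIR, which the text does not state. The check shows why simply summing unequal CIRs breaks rule 1: EIGRP divides the interface bandwidth evenly across the VCs, so the slowest VC is offered more EIGRP traffic than its CIR allows.

```python
from collections import Counter

EIGRP_DEFAULT_PERCENT = 50   # share of interface bandwidth EIGRP may use by default


def multipoint_bandwidth(cirs_kbps: list) -> int:
    """Even-share multipoint interface: bandwidth = sum of the CIRs (4 x 56 = 224)."""
    if len(set(cirs_kbps)) != 1:
        raise ValueError("CIRs differ: use lowest_cir_bandwidth or subinterface_plan")
    return sum(cirs_kbps)


def lowest_cir_bandwidth(cirs_kbps: list) -> int:
    """Hybrid multipoint, first approach: lowest CIR times the number of VCs."""
    return min(cirs_kbps) * len(cirs_kbps)


def eigrp_share_per_vc(bandwidth_kbps: float, vcs: int,
                       percent: int = EIGRP_DEFAULT_PERCENT) -> float:
    """EIGRP splits the interface bandwidth evenly over the VCs and may use
    `percent` of each slice."""
    return bandwidth_kbps / vcs * percent / 100


def cir_violations(cirs_kbps: list, bandwidth_kbps: float,
                   percent: int = EIGRP_DEFAULT_PERCENT) -> list:
    """Rule 1 check: the CIRs that EIGRP's per-VC share would exceed."""
    share = eigrp_share_per_vc(bandwidth_kbps, len(cirs_kbps), percent)
    return [cir for cir in cirs_kbps if share > cir]


def subinterface_plan(cirs_kbps: list, percent: int = EIGRP_DEFAULT_PERCENT) -> list:
    """Hybrid multipoint, second approach: one subinterface per distinct CIR.

    VCs with the same CIR share a multipoint subinterface whose bandwidth is
    their aggregate CIR; a lone VC gets a subinterface of its own.
    """
    plan = []
    for cir, count in sorted(Counter(cirs_kbps).items(), reverse=True):
        bw = cir * count
        plan.append({"cir": cir, "vcs": count, "bandwidth": bw,
                     "eigrp_share_per_vc": eigrp_share_per_vc(bw, count, percent)})
    return plan


if __name__ == "__main__":
    even = [56, 56, 56, 56]                  # Figure 1
    print("even cloud: bandwidth", multipoint_bandwidth(even),
          "violations", cir_violations(even, multipoint_bandwidth(even)))
    hybrid = [256, 256, 256, 56]             # Figure 3; the 56 Kbps value is assumed
    naive = sum(hybrid)                      # what NOT to do with unequal CIRs
    print("hybrid, sum of CIRs:", naive, "violations", cir_violations(hybrid, naive))
    safe = lowest_cir_bandwidth(hybrid)      # Figure 2 approach
    print("hybrid, lowest x N:", safe, "violations", cir_violations(hybrid, safe))
    for sub in subinterface_plan(hybrid):    # Figure 3 approach
        print("subinterface", sub)
```

With the sum-of-CIRs setting (824 Kbps) each VC is offered 103 Kbps of EIGRP traffic, which exceeds the 56 Kbps circuit; the lowest-CIR setting (224 Kbps) keeps every VC at 28 Kbps but leaves the 256 Kbps circuits mostly idle, and the subinterface plan gives the three equal VCs 128 Kbps each and the small one 28 Kbps, satisfying rule 1 without the waste.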
If an IPX EIGRP router has another IPX EIGRP router as its link partner, a
network administrator can configure the router to send SAP updates periodically
or when a change occurs in the SAP table. When no IPX EIGRP peer is present
on the interface, periodic SAPs are always sent.
On serial lines, by default, if an EIGRP neighbor is present, the router sends SAP
updates only when the SAP table changes. Overhead is greatly reduced if a
router updates other routers only when a change occurs.
On Ethernet, Token Ring, and FDDI interfaces, the router sends SAP updates
periodically by default. To reduce the amount of bandwidth required to send
SAP updates, a network administrator might want to disable the periodic sending
of SAP updates on LAN interfaces. This should be done only when every node
reachable through the interface is an EIGRP peer; otherwise, the other nodes lose
SAP information. If a router's LAN interface connects to a NetWare server, as
shown in the figure, do not disable periodic updates. However, Figure [1] shows
that incremental SAP updates on RTC's E0 can safely be configured.
EIGRP automatically summarizes routes at the classful boundary (that is, the
boundary where the network address ends as defined by class-based addressing).
This means that even though RTC is connected only to the subnet 2.1.1.0, it will
advertise that it is connected to the entire Class A network, 2.0.0.0. In most
cases, auto summarization is a good thing; it keeps routing tables as compact as
possible (see Figure [1]).
Throughout this chapter, EIGRP show commands have been used to verify
EIGRP operation. Figure [1] lists the key EIGRP show commands and briefly
describes their functions.
The Cisco IOS debug feature also provides useful EIGRP monitoring
commands, as listed in Figure [2].
Lab Activity:
In this lab, you configure both EIGRP and IGRP within the International Travel
Agency WAN and observe the automatic sharing of route information between
both protocols.
Lab Activity:
In this lab, you configure EIGRP over a full-mesh topology so that you can test
and observe DUAL replace a successor with a feasible successor after a link
failure.
Lab Activity:
In this lab, you configure EIGRP to test its operation over discontiguous subnets
by disabling automatic route summarization. Then you manually configure
EIGRP to use specific summary routes.
Lab Activity:
In this lab, you configure an International Travel Agency EIGRP WAN link with
one IGRP segment within the same autonomous system. You also use EIGRP
interface summarization to reduce the number of routes in an EIGRP routing
table.
[Lab diagram: Vista with S0/0 192.168.1.1 /30 and S0/1 192.168.1.5 /30; Host A 192.168.1.35; Host B 192.168.1.66 /27]
Objective
In this lab, the student will configure VLSM and test its functionality with two different
routing protocols, RIPv1, and RIPv2. Finally, the student will use IP unnumbered in place
of VLSM to further conserve addresses.
Scenario
When International Travel Agency was much smaller, it wanted to configure its network
using a single Class C address: 192.168.1.0 as shown in the following table. The routers
need to be configured with the appropriate addresses. The company requires that at least
25 host addresses be available on each LAN, but it also demands that the maximum
number of addresses be conserved for future growth.
To support 25 hosts on each subnet, a minimum of five (5) bits is needed in the host
portion of the address. Five (5) bits will yield 30 possible host addresses
(2^5 - 2 = 32 - 2 = 30). If five (5) bits must be used for hosts, the other three (3)
bits in the last octet can be added to the default 24-bit Class C mask. Therefore, a
27-bit mask can be used to create the following subnets:
1-3 Routing Section 1: IP Addressing – Lab 1.10.1 Copyright 2002, Cisco Systems, Inc.
To maximize this address space, the 192.168.1.0 /27 subnet is subnetted further using a
30-bit mask. This creates subnets that can be used on point-to-point links with minimal
waste, because each subnet can contain only two possible host addresses.
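An added example, not part of the lab text, that does the address arithmetic above in Python: it computes the host bits and prefix length needed for 25 hosts, carves the /27 LAN subnets and the /30 link subnets out of 192.168.1.0/24 the way the lab does (subnet zero split into /30s, the LANs taken from the following /27s), and also reports the classful network that a classful protocol, or EIGRP auto-summarization as described in the EIGRP section, would advertise for a given address, which is why RIPv1 cannot carry this plan. The counts of three LANs and two serial links are taken from the lab topology.

```python
from ipaddress import IPv4Address, ip_network


def host_bits_needed(hosts: int) -> int:
    """Smallest host-bit count n with 2**n - 2 >= hosts (network and broadcast excluded)."""
    n = 2
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def classful_network(addr: str) -> str:
    """The network a classful protocol (RIPv1, IGRP) or auto-summary advertises for addr."""
    first = int(IPv4Address(addr)) >> 24
    if first < 128:
        prefix = 8          # Class A
    elif first < 192:
        prefix = 16         # Class B
    elif first < 224:
        prefix = 24         # Class C
    else:
        raise ValueError("class D/E address has no classful network")
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def vlsm_plan(block: str, hosts_per_lan: int, lans: int, links: int) -> dict:
    """Carve LAN subnets sized for hosts_per_lan and /30 point-to-point links from block.

    As in the lab, subnet zero of the LAN-sized subnets is split into /30s for
    the serial links and the remaining LAN-sized subnets serve the LANs.
    """
    base = ip_network(block)
    lan_prefix = 32 - host_bits_needed(hosts_per_lan)
    lan_sized = list(base.subnets(new_prefix=lan_prefix))
    if len(lan_sized) < lans + 1:
        raise ValueError("block too small for the LANs plus a link subnet")
    link_subnets = list(lan_sized[0].subnets(new_prefix=30))
    if len(link_subnets) < links:
        raise ValueError("subnet zero cannot hold that many /30 links")
    return {
        "lan_prefix": lan_prefix,
        "lans": [str(n) for n in lan_sized[1:lans + 1]],
        "links": [str(n) for n in link_subnets[:links]],
        "spare_links": [str(n) for n in link_subnets[links:]],
        "spare_lans": [str(n) for n in lan_sized[lans + 1:]],
    }


if __name__ == "__main__":
    plan = vlsm_plan("192.168.1.0/24", hosts_per_lan=25, lans=3, links=2)
    for key, value in plan.items():
        print(f"{key}: {value}")
    # Every address in the plan summarizes to the same classful network, so a
    # RIPv1 update cannot tell a /27 LAN from a /30 link.
    print(classful_network("192.168.1.33"), classful_network("192.168.1.1"))
    print(classful_network("2.1.1.1"))    # what RTC advertises with auto-summary
```

The plan leaves six unused /30s inside 192.168.1.0/27 and four unused /27s, which is the "conserve addresses for future growth" requirement expressed in numbers; the two classful_network calls return 192.168.1.0/24 for both a LAN host and a link address, the ambiguity that makes the RIPv1 tables in Step 2 incomplete.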
Note that in the following steps some commands may need to be changed to
match the actual equipment being used (ethernet may need to be used in place of
fastethernet).
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet 0, so the ip subnet-zero command might need to be entered. This will
depend on which IOS version is being used. Note: Host A and Host B are not required to
complete this lab.
On all three routers, configure RIPv1 and enable updates on all active interfaces with this
network command:
SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0
Use ping to verify that each router can ping its directly connected neighbor. Note: Some
remote networks might be unreachable. Proceed to Step 2 anyway.
Step 2.
Issue the show ip route command on Vista, as shown in the following example:
Vista#show ip route
<output omitted>
Gateway of last resort is not set
1. The other routers also have incomplete tables. Why is this so?
Because RIPv1 is being used on a network designed with VLSM, routing has broken down.
Remember that VLSM is not supported by classful routing protocols such as RIPv1 and
IGRP. These protocols do not send subnet masks in their routing updates: a router will
not advertise a subnet out of an interface whose mask differs from that subnet's mask,
and a receiving router assumes the mask of the interface the update arrived on, which is
wrong for the /30 link subnets. In order for routing to work, RIPv2, which carries the
mask with each route and therefore supports VLSM, must be configured.
Step 3.
At each of three router consoles, enable RIPv2 updates and turn off automatic route
summarization, as shown in the following example:
SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#no auto-summary
When all three routers are running RIPv2, return to Vista and examine its routing table. It
should now be complete, as shown below:
Vista#show ip route
<output omitted>
Gateway of last resort is not set
Notice that Vista has received equal cost routes to 192.168.1.32 /27 from both SanJose1
and SanJose2.
Step 4.
Although VLSM has reduced ITA’s address waste by creating very small subnets for
point-to-point links, the IP unnumbered feature can make it unnecessary to address these
links altogether. Further maximize ITA’s address use by configuring IP unnumbered on
every serial interface in the WAN. To configure IP unnumbered, use the following
commands:
After the IP unnumbered configuration is complete, each serial interface borrows the
address of the local LAN interface. Check Vista’s table again:
Vista#show ip route
<output omitted>
With IP unnumbered configured, only LANs require addresses. Because each LAN uses
the same 27-bit mask, VLSM is not required. This makes classful routing protocols, such
as RIPv1 and IGRP, viable options.
1.10.2.1: VLSM
Objective
Create an addressing scheme using variable length subnet masking (VLSM).
Scenario
The assignment is the Class C address 192.168.10.0 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.
1-1 Routing Section 1: IP Addressing – Lab 1.10.2.1 Copyright 2002, Cisco Systems, Inc.
1.10.2.2: VLSM
Objective
Create an addressing scheme using VLSM.
Scenario
The assignment is the CIDR address 192.168.24.0 /22 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.
1-1 Routing Section 1: IP Addressing – Lab 1.10.2.2 Copyright 2002, Cisco Systems, Inc.
1.10.2.3: VLSM
Diagram: three LAN segments requiring 24, 20 and 90 hosts respectively.
Objective
Create an addressing scheme using VLSM.
Scenario
The assignment is the CIDR address 192.168.30.0 /23 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.
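A worked allocator for the schemes the three VLSM labs ask for, and for the /27 and /30 arithmetic in lab 1.10.1 above: added example code, not part of the lab. It takes a CIDR block and a list of segments with host counts, assigns the largest segments first so the /30 point-to-point links fill the gaps, and checks that nothing overlaps. The 90/24/20-host LANs come from the lab 1.10.2.3 diagram; the two WAN links in the requirement list and the segment names are assumptions.

```python
"""VLSM planner: carve one CIDR block into subnets sized to each segment,
largest first, so small point-to-point /30s fill the gaps left behind.
Added example for the VLSM labs; it is not the lab's own code."""
import ipaddress
import math

# Constructed requirement list for lab 1.10.2.3: the diagram gives three LANs
# of 90, 24 and 20 hosts; the two point-to-point WAN links are an assumption.
LAB_1_10_2_3 = [
    ("HQ LAN", 90),
    ("Branch A LAN", 24),
    ("Branch B LAN", 20),
    ("WAN link 1", 2),
    ("WAN link 2", 2),
]


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^n - 2) covers `hosts`.
    25 hosts -> /27 (30 usable); 2 hosts -> /30; 31 hosts -> /26."""
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))  # +2: network and broadcast
    return 32 - host_bits


def usable_hosts(net):
    """Host addresses left after the network and broadcast addresses."""
    return net.num_addresses - 2


def plan_vlsm(block, requirements):
    """First-fit VLSM allocation.

    requirements: iterable of (name, host_count). Returns a list of
    (name, IPv4Network) in allocation order (largest segments first),
    or raises ValueError when the block is too small.
    """
    free = [ipaddress.ip_network(block)]          # sorted, non-overlapping fragments
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefix = prefix_for_hosts(hosts)
        for i, frag in enumerate(free):
            if frag.prefixlen > prefix:
                continue                          # fragment too small, try the next
            if frag.prefixlen == prefix:
                chosen, leftover = frag, []
            else:
                chosen = next(frag.subnets(new_prefix=prefix))   # lowest-addressed piece
                leftover = sorted(frag.address_exclude(chosen),
                                  key=lambda n: int(n.network_address))
            free[i:i + 1] = leftover              # give the remainder back, still sorted
            plan.append((name, chosen))
            break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
    return plan


def overlaps(plan):
    """True if any two allocated subnets overlap (sanity check on the plan)."""
    nets = [n for _, n in plan]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for name, net in plan_vlsm("192.168.30.0/23", LAB_1_10_2_3):
        print(f"{name:14s} {str(net):20s} {usable_hosts(net):4d} usable hosts")
```

Run it as a script to print the plan for 192.168.30.0 /23; calling plan_vlsm("192.168.1.0/24", ...) with three 25-host LANs and three 2-host links reproduces the lab 1.10.1 split into /27 LAN subnets and /30 links. The strict 2^n - 2 rule means 31 hosts already need a /26, which is the usual place a hand-made scheme goes wrong.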
1-1 Routing Section 1: IP Addressing – Lab 1.10.2.3 Copyright 2002, Cisco Systems, Inc.
1.10.3: Using DHCP and IP Helper Addresses
Diagram: SanJose1 (DHCP server) and Vista (S0/0 192.168.1.1 /24); Host A and Host B are DHCP clients.
Objective
In this lab, the student will configure a Cisco router to act as a DHCP server for clients
on two separate subnets. Also use the IP helper address feature to forward DHCP
requests from a remote subnet.
Scenario
Clients on the 192.168.3.0/24 network and the 10.0.0.0/8 network require the services of
DHCP for automatic IP configuration. Configure SanJose1 to serve both subnets by
creating two separate address pools. Finally, configure Vista’s FastEthernet interface to
forward UDP broadcasts, including DHCP requests, to SanJose1.
Note that in the following steps some commands may need to be changed
to match the actual equipment being used (ethernet may need to be used
in place of fastethernet).
Step 1.
Build and configure the network according to the diagram. Connect Host A and Host B as
shown, but configure these clients to obtain their IP addresses automatically. Because
these hosts rely on DHCP, they cannot be tested using ping until Step 5.
Configure RIPv2 on SanJose1 and Vista. Be sure to enable updates on all active
interfaces with the network command:
1-3 Routing Section 1: IP Addressing – Lab 1.10.3 Copyright 2002, Cisco Systems, Inc.
SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0
Use ping and show ip route to verify the work and test connectivity between
SanJose1 and Vista.
Step 2.
Configure SanJose1 to act as a DHCP server for clients on the 10.0.0.0/8 network.
First, verify that SanJose1’s software can use DHCP services and that they are enabled:
SanJose1(config)#service dhcp
Next, configure the DHCP address pool for the 10.0.0.0 network. Name
the pool 10-net:
Step 3.
International Travel Agency uses the first ten addresses in this address range to statically
address servers and routers. From global configuration mode, exclude addresses from
the DHCP pool so that the server does not attempt to assign them to clients. Configure
SanJose1 to dynamically assign addresses from the 10-net pool, starting with 10.0.0.11:
Step 4.
Return to DHCP configuration mode and assign the following IP options: default gateway
address, DNS server address, WINS server address, and domain name:
SanJose1(dhcp-config)#default-router 10.0.0.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net
Step 5.
The DHCP server is now ready to be tested. Check the TCP/IP Properties on the
workstation to ensure that it is set to obtain an IP address automatically.
Release and renew Host A’s IP configuration. On Windows 95/98, use winipcfg; on
Windows NT/2000, use ipconfig /release and ipconfig /renew.
Host A should be dynamically assigned the first available address in the pool, which is
10.0.0.11. Check Host A’s configuration with winipcfg to verify that it received the
proper IP address, subnet mask, default gateway, DNS server address, and WINS server
address. Check Host A’s configuration with ipconfig /all for Windows NT and
Windows 2000 users. Troubleshoot, if necessary.
Step 6.
Because Host B also requires dynamic IP configuration, create a second DHCP pool with
address and gateway options appropriate to Host B’s network, 192.168.3.0 /24:
SanJose1(dhcp-config)#network 192.168.3.0 255.255.255.0
SanJose1(dhcp-config)#default-router 192.168.3.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net
ITA has recently installed IP phones on the 192.168.3.0 network. These phones require a
DHCP server to provide a TFTP server address (10.0.0.5). The Cisco IOS DHCP server
configuration does not provide a keyword for TFTP servers, so configure this option using
its raw option number:
Step 7.
The configuration of the DHCP server is now complete. However, Host B discovers a
server with a UDP broadcast to 255.255.255.255, and Vista, like any router, does not
forward broadcasts. In order for DHCP to work, configure Vista’s FastEthernet interface,
the one facing Host B, with an ip helper-address pointing at SanJose1, so that Vista
relays the broadcast to SanJose1 as a unicast. Note that the helper address relays more
than DHCP: by default IOS forwards eight UDP services this way (Time 37, TACACS 49,
DNS 53, BOOTP/DHCP 67 and 68, TFTP 69, NetBIOS name and datagram 137 and 138).
Use no ip forward-protocol udp to remove the services the remote subnet does not
actually need, so the relay does not become a path for unwanted broadcast traffic:
Step 8.
Release and renew Host B’s IP configuration while simultaneously logged into
SanJose1’s console. Use a second host, if necessary.
Verify, using winipcfg or ipconfig /all, that Host B received the correct IP
configuration, and troubleshoot if necessary.
2. An ip dhcp excluded-address command was not issued. The DHCP server did not
assign Host B 192.168.3.1. Why not?
Issue show ip dhcp ? and note the choices. Try the conflict and binding options.
Before offering a lease, the IOS DHCP server pings the candidate address. 192.168.3.1 is
Vista’s own FastEthernet address, so it answered; the server recorded the address as a
conflict and moved on to the next one. show ip dhcp conflict lists the address, and
show ip dhcp binding shows the lease Host B actually received.
3. How did SanJose1 know to assign Host B an address from the 192.168.3-net pool and
not the 10-net pool?
Vista’s relay writes its own interface address, 192.168.3.1, into the gateway address
(giaddr) field of the forwarded DHCPDISCOVER. SanJose1 selects the pool whose network
contains the giaddr, so the request matches the 192.168.3.0 pool. Requests arriving
directly on the 10.0.0.0 interface have a giaddr of 0.0.0.0 and are matched against the
address of the receiving interface, which selects the 10-net pool.
2.6.1 Configuring OSPF
Diagram: SanJose1, SanJose2 and SanJose3 connected via Ethernet, all in AREA 0.
Objective
In this lab, the student will configure OSPF on three Cisco routers. First, loopback
interfaces will be configured to provide stable OSPF Router IDs. Then the OSPF process
will be configured and OSPF will be enabled on the appropriate interfaces. After OSPF is
enabled, the update timers are tuned and authentication is configured.
Scenario
The backbone of International Travel Agency’s (ITA) WAN, located in San Jose, consists
of three routers connected via an Ethernet core. These core routers must be configured
as members of OSPF Area 0. Because the core routers are connected to the Internet,
security must be implemented to prevent unauthorized routers from joining Area 0. Also,
within the core, network failures need to be identified quickly.
Step 1.
Build and configure the network according to the diagram, but do not configure OSPF yet.
A switch or hub is required to connect the three routers via Ethernet.
Use ping to verify and test connectivity between the FastEthernet interfaces.
Step 2.
On each router, configure a loopback interface with a unique IP address. Cisco routers
use the highest loopback IP address as the OSPF Router ID. In the absence of a
loopback interface, the router uses the highest IP address among its active interfaces,
which might force a router to change router IDs if an interface goes down. Because
loopback interfaces are immune to physical and data link problems, they should be used
1-6 Routing Section 2: OSPF - Lab 2.6.1 Copyright 2002, Cisco Systems, Inc.
to derive the router ID. To avoid conflicts with registered network addresses, use private
network ranges for the loopback interfaces. Configure the core routers using the following
commands:
SanJose1(config)#interface loopback 0
SanJose1(config-if)#ip address 192.168.31.11 255.255.255.255
SanJose2(config)#interface loopback 0
SanJose2(config-if)#ip address 192.168.31.22 255.255.255.255
SanJose3(config)#interface loopback 0
SanJose3(config-if)#ip address 192.168.31.33 255.255.255.255
Step 3.
Now that loopback interfaces are configured, configure OSPF. Use the following
commands as an example to configure each router:
SanJose1(config)#router ospf 1
SanJose1(config-router)#network 192.168.1.0 0.0.0.255 area 0
Note: An OSPF process ID is locally significant. It has no meaning beyond the local
router. The ID is needed to identify a unique instance of an OSPF database, because
multiple processes can run concurrently on a single router.
Step 4.
After OSPF routing is enabled on each of the three routers, verify its operation using
show commands. Several important show commands can be used to gather OSPF
information. First, issue the show ip protocols command on any of the three routers,
as follows:
SanJose1#show ip protocols
Routing Protocol is "ospf 1"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: ospf 1
Routing for Networks:
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Note: The update timers are set to zero (0). Updates are not sent at regular intervals.
Updates are event driven. Next, use the show ip ospf command to get more details
about the OSPF process, including the router ID:
SanJose1#show ip ospf
Routing Process "ospf 1" with ID 192.168.31.11
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 5 times
Area ranges are
Number of LSA 4. Checksum Sum 0x1CAC4
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
The loopback interface should be seen as the router ID. To see the OSPF neighbors, use
the show ip ospf neighbor command. The output of this command displays all
known OSPF neighbors, including their router IDs, their interface addresses, and their
adjacency status. Also issue the show ip ospf neighbor detail command, which
will output even more information:
2. Based on the output of this command, which router is the Designated Router (DR) on this
network?
Most likely, the router with the highest router ID is the DR, the router with the second
highest router ID is the BDR, and the other router is a DRother.
Because each interface on a given router is connected to a different network, some of the
key OSPF information is interface specific. Issue the show ip ospf interface
command for the router’s FastEthernet interface shown as follows:
4. Based on the output of this command, what OSPF network type is the FastEthernet
interface connected to?
Ethernet networks are known to OSPF as broadcast networks. The default timer values
are ten (10) second hello updates and 40 second dead intervals.
Step 5.
The OSPF timers need to be adjusted so that the core routers will detect network failures
in less time. This will increase traffic, but this is less of a concern on the high speed core
Ethernet segment than on a busy WAN link. The need for quick convergence at the core
outweighs the extra traffic. The Hello and Dead intervals must be manually changed on
SanJose1 as follows:
These commands set the Hello interval to five (5) seconds and the Dead interval to
20 seconds. Cisco IOS automatically sets the Dead interval to four times the Hello
interval when the Hello interval is changed, but configure it explicitly so the
relationship is visible in the configuration. Keeping the Dead interval at four times the
Hello interval ensures that routers experiencing temporary link problems can recover and
are not declared dead unnecessarily, which would trigger a flood of LSAs and SPF
recalculations throughout the internetwork.
After the timers are changed on SanJose1, issue the show ip ospf neighbor
command.
To find out what happened to SanJose1’s neighbors, use the IOS debug feature. Enter
the command debug ip ospf events.
8. According to the debug output, what is preventing SanJose1 from forming relationships
with the other two OSPF routers in Area 0?
The Hello and Dead intervals must be the same before routers within an area can form
neighbor adjacencies.
SanJose1#undebug all
All possible debugging has been turned off
The Hello and Dead intervals are declared in Hello packet headers. In order for OSPF
routers to establish a relationship, their Hello and Dead intervals must match.
Configure the SanJose2 and SanJose3 Hello and Dead timers to match the timers on
SanJose1. Before continuing, verify that these routers can now communicate by checking
the OSPF neighbor table.
Step 6.
No unauthorized routers should be exchanging updates within Area 0. Adding cryptographic
authentication to each OSPF packet can prevent this. Select message digest (MD5)
authentication. In this mode the password is never sent: each packet carries a 16-byte
MD5 digest computed over the packet and the shared key, together with a key ID and a
sequence number that protects against replay of captured packets. OSPF neighbors must
be configured with the same key ID and password in order to authenticate. Note that MD5
authentication provides integrity and origin authentication only. The routing updates
themselves still travel in the clear, and anyone who obtains the password (for example
from a configuration backup) can join the area, so treat the key as a credential.
To configure a message digest password for SanJose1 to use on its Ethernet interface,
use these commands:
SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf message-digest-key 1 md5 itsasecret
SanJose1(config-if)#exit
SanJose1(config)#router ospf 1
SanJose1(config-router)#area 0 authentication message-digest
Note: The optional encryption-type argument (0 or 7) before the key tells IOS whether the
string that follows is plain text or an already type-7-encoded string. Omit it when typing
the plain password, as above; enable service password-encryption if the key must not
appear in clear text in the running configuration.
After entering these commands, wait 20 seconds, and then issue the show ip ospf
neighbor command on SanJose1.
Use the debug ip ospf events command to determine why SanJose1 does not see
its neighbors:
Again, it is seen that OSPF routers will not communicate unless certain configurations
match. In this case, the routers are not communicating because the authentication fields
in the OSPF packet header are different.
Correct this problem by configuring authentication on the other two routers. Remember
that the same key number and password must be used on each router.
After the configurations are complete, verify that the routers can communicate by using
the show ip ospf neighbor command.
Step 7.
Save the configurations to NVRAM. These configurations will be used to begin the next
lab. At the conclusion of each lab, it is recommended that each router’s configuration file
be copied and saved for future reference.
2.6.2: Examining the DR/BDR Election Process
Diagram: SanJose1, SanJose2 and SanJose3 connected via Ethernet, all in AREA 0.
Objective
In this lab, the student will observe the OSPF DR and BDR election process using debug
commands. Then the student will assign each OSPF interface a priority value to force the
election of a specific router as a DR.
Scenario
The backbone of International Travel Agency’s enterprise network consists of three
routers connected via an Ethernet core. SanJose1 has more memory and processing
power than the other core routers. Unfortunately, other core routers are continually
elected as the DR under the default settings. In the interest of optimization, it is
necessary that SanJose1 be elected the DR. It is best suited to handle associated extra
duties, including management of Link State Advertisements (LSA) for Area 0. This lab
will show how to investigate and solve this problem.
Step 1.
Build and configure the network according to the diagram. Configure OSPF on all
Ethernet interfaces. A switch or hub is required to connect the three routers via Ethernet.
Be sure to configure each router with the loopback interface and IP address shown in the
diagram.
Use ping to verify and test connectivity between the Ethernet interfaces.
1-1 Routing Section 2: OSPF – Lab 2.6.2 Copyright 2002, Cisco Systems, Inc.
Step 2.
Use the show ip ospf neighbor detail command to verify that the OSPF routers
have formed adjacencies:
Step 3.
If the network is configured according to the diagram, SanJose1 will not be the DR. It is
decided to temporarily shut down SanJose3, which has the highest router ID
(192.168.31.33), and to observe the DR/BDR election process. To observe the election,
issue the following debug command on SanJose1:
Now that OSPF adjacency events will be logged to SanJose1’s console, remove
SanJose3 from the OSPF network by shutting down its FastEthernet interface:
SanJose1#
00:48:47: OSPF: Rcv hello from 192.168.31.22 area 0 from
FastEthernet0/0 192.168.1.2
00:48:47: OSPF: Neighbor change Event on interface FastEthernet0/0
00:48:47: OSPF: DR/BDR election on FastEthernet0/0
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47: DR: 192.168.31.22 (Id) BDR: 192.168.31.11 (Id)
00:48:47: OSPF: Remember old DR 192.168.31.33 (id)
00:48:47: OSPF: End of hello processing
3. Who is elected DR? Why?
In the debug output, look for a statement about remembering the ’old DR’. Unless
SanJose1 and SanJose2 are powered off, they will remember that SanJose3 was the old
DR. When SanJose3 comes back online, these routers will allow SanJose3 to reassume
its role as DR:
SanJose1#
00:51:32: OSPF: Rcv hello from 192.168.31.22 area 0 from
FastEthernet0/0 192.168.1.2
00:51:32: OSPF: End of hello processing
00:51:33: OSPF: Rcv hello from 192.168.31.33 area 0 from
FastEthernet0/0 192.168.1.3
00:51:33: OSPF: 2 Way Communication to 192.168.31.33 on
FastEthernet0/0, state 2WAY
00:51:33: OSPF: Neighbor change Event on interface FastEthernet0/0
00:51:33: OSPF: DR/BDR election on FastEthernet0/0
00:51:33: OSPF: Elect BDR 192.168.31.11
00:51:33: OSPF: Elect DR 192.168.31.33
00:51:33: DR: 192.168.31.33 (Id) BDR: 192.168.31.11 (Id)
00:51:33: OSPF: Send DBD to 192.168.31.33 on FastEthernet0/0 seq
0x21CF opt 0x2 flag 0x7 len 32
00:51:33: OSPF: Send with youngest Key 1
00:51:33: OSPF: Remember old DR 192.168.31.22 (id)
00:51:33: OSPF: End of hello processing
Step 4.
At this point, SanJose1 should have assumed the role of BDR. Bring SanJose3 back
online, and observe the new election process.
4. SanJose3 will assume its former role as DR. Who is elected BDR? Why?
SanJose1 remains the BDR even though SanJose2 has the higher router ID.
Step 5.
The router can be manipulated to become the DR using two methods. The router ID
could be changed to a higher number, but that would disrupt the loopback addressing
scheme and affect elections on other interfaces, because the same router ID is used on
every network that a router is a member of. For example, an OSPF router with an
exceptionally high router ID could win the election on every multiaccess interface and,
as a result, do triple or quadruple duty as a DR.
Instead of reconfiguring router IDs, manipulate the election by configuring OSPF priority
values. Because priorities are an interface specific value, they provide better control of
the OSPF internetwork. They allow a router to be the DR in one network and a DRother
in another. Priority values are the first consideration in the DR election with the highest
priority winning. Values can range from 0-255. A value of zero (0) indicates that the
interface will not participate in an election. Use the show ip ospf interface
command to examine the current priority values of the Ethernet interfaces on the three
routers:
The default priority is one (1). Because all have equal priority, router ID is used to
determine the DR and BDR.
Modify the priority values so that SanJose1 will become the DR and SanJose2 will
become the BDR, regardless of their router ID. To do this use the following commands:
In order to reset the election process, write each router’s configuration to NVRAM and
reload SanJose1, SanJose2, and SanJose3. Issue the following commands at each
router:
When the routers finish reloading, try to observe the OSPF election on SanJose1 by
using the debug ip ospf adj command. Also verify the configuration by issuing the
show ip ospf interface command at both SanJose1 and SanJose2.
After the election is complete, verify that SanJose1 and SanJose2 have assumed the
correct roles by using the show ip ospf neighbor detail command. Troubleshoot,
if necessary.
Note that the order in which routers join an area can be the most significant factor affecting which
routers are elected as DR and BDR. An election is necessary only when a DR or BDR does not
exist in the network. As a router starts its OSPF process, it checks the network for an active DR
and BDR. If they exist, the new router becomes a DRother, regardless of its priority or router ID.
Remember, the roles of DR and BDR were created for efficiency. New routers in the network
should not force an election when adjacencies are already optimized. However, there is an
exception. A known bug in some IOS versions allows a ’new’ router with higher election
credentials to force an election and assume the role of DR.
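The election rules described in this lab, as added example code (not the lab's own): an election as one router computes it from the Hellos it has collected, following RFC 2328 section 9.4, with priority ranked before router ID, priority 0 excluded, an existing DR never preempted, and the BDR promoted when the DR goes away. The five scenarios reproduce the lab's steps; the priority values 255 and 100 for SanJose1 and SanJose2 are assumptions. For SanJose3 returning, the RFC rule yields DRother, which is the behaviour the note above describes as intended; the debug transcript in Step 3 shows the exception that note mentions.

```python
"""DR/BDR election as an OSPF router computes it from the Hellos it has seen
(RFC 2328, section 9.4). Added example, not the lab's own code; the priority
values used for SanJose1 and SanJose2 below are assumptions, the lab does not
state them."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Hello:
    rid: str                    # router ID, e.g. the loopback address
    priority: int = 1           # 0 = never eligible
    dr: str = "0.0.0.0"         # DR this router currently claims in its Hellos
    bdr: str = "0.0.0.0"        # BDR this router currently claims


def _rank(h):
    """Election order: priority first, router ID breaks ties."""
    return (h.priority, int(ipaddress.IPv4Address(h.rid)))


def elect(hellos):
    """Return (dr_rid, bdr_rid) for the routers present on one segment.

    Routers already declaring themselves DR keep it: a newcomer with better
    credentials does not preempt, it becomes a DRother. The BDR is chosen among
    routers not claiming DR, preferring those that already claim BDR.
    """
    eligible = [h for h in hellos if h.priority > 0]
    not_dr = [h for h in eligible if h.dr != h.rid]
    claims_bdr = [h for h in not_dr if h.bdr == h.rid]
    bdr = max(claims_bdr or not_dr, key=_rank, default=None)
    claims_dr = [h for h in eligible if h.dr == h.rid]
    dr = max(claims_dr, key=_rank, default=bdr)
    if dr is not None and dr is bdr:          # BDR was promoted: pick a new BDR
        rest = [h for h in not_dr if h is not dr]
        bdr = max([h for h in rest if h.bdr == h.rid] or rest, key=_rank, default=None)
    return (dr.rid if dr else None, bdr.rid if bdr else None)


def lab_scenarios():
    """The sequence the lab walks through, plus the priority fix from Step 5."""
    s1, s2, s3 = "192.168.31.11", "192.168.31.22", "192.168.31.33"
    out = {}
    # Step 2: all three start together with default priority 1.
    out["cold_start"] = elect([Hello(s1), Hello(s2), Hello(s3)])
    # Step 3: SanJose3 (the DR) shuts its interface; the others still claim
    # the roles they held, so the BDR is promoted and a new BDR is chosen.
    out["dr_leaves"] = elect([Hello(s1, dr=s3), Hello(s2, dr=s3, bdr=s2)])
    # Step 4: SanJose3 returns with the highest router ID while SanJose2 claims
    # DR; under the RFC rule it becomes DRother and no election happens.
    out["dr_returns"] = elect([Hello(s1, dr=s2, bdr=s1), Hello(s2, dr=s2, bdr=s1), Hello(s3)])
    # Step 5: priorities (assumed 255 and 100) beat router IDs on a cold start.
    out["priorities"] = elect([Hello(s1, 255), Hello(s2, 100), Hello(s3)])
    # Priority 0 takes a router out of the election altogether.
    out["priority_zero"] = elect([Hello(s1), Hello(s2), Hello(s3, 0)])
    return out


if __name__ == "__main__":
    for name, (dr, bdr) in lab_scenarios().items():
        print(f"{name:14s} DR={dr}  BDR={bdr}")
```

The "priority 0" case is the one to remember operationally: it is the only way to guarantee that a router on a shared segment, for instance one facing a less trusted network, never carries DR duties, regardless of router ID or boot order.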
2.6.3: Configuring Point-to-Multipoint OSPF Over Frame Relay
Diagram: SanJose3 S0/0 (192.168.192.1) is the hub, with two PVCs (DLCI 18 and DLCI 16) through an Adtran Atlas 550 Frame Relay switch (ports 1/1, 1/2 and 2/2) to the spokes London S0/0 (192.168.192.2, DLCI 16) and Singapore S0/0 (192.168.192.4, DLCI 16), all on 192.168.192.0 /24 in AREA 0.
Alternate diagram: the same hub-and-spoke topology with a router configured as the Frame Relay switch in place of the Atlas 550.
1-1 Routing Section 2: OSPF – Lab 2.6.3 Copyright 2002, Cisco Systems, Inc.
Objective
Scenario
International Travel Agency has just connected two regional headquarters to San Jose
using Frame Relay in a hub-and-spoke topology. OSPF routing is to be configured over
this type of network, which is known for introducing complications into OSPF adjacency
relationships. To avoid these complications, manually override the Non-Broadcast Multi-
Access (NBMA) OSPF network type and configure OSPF to run as a point-to-multipoint
network. In this environment, no DR or BDR is elected.
Step 1.
Cable the network according to the diagram. Note: This lab requires another router or
device to act as a Frame Relay switch. The first diagram assumes that an Adtran Atlas
550 will be used, which is preconfigured. The second diagram assumes that a router with
at least three serial interfaces will be configured as a Frame Relay switch. See the
configuration at the end of this lab for an example of how to configure a router as a
Frame Relay switch. If desired, copy the configuration to a 2600 router for use in this lab.
Configure each FastEthernet interface on each router as shown, but leave the serial
interfaces and OSPF routing unconfigured for now. If necessary, loopback interfaces can
be assigned to each router. Be sure the loopback interfaces are unique within that
network.
Until Frame Relay is configured, ping will not be able to test connectivity.
Step 2.
SanJose3 acts as the hub in this hub-and-spoke network. It reaches London and
Singapore via two separate PVCs. Configure Frame Relay on the SanJose3 serial 0
interface as follows:
Notice that this configuration includes frame-relay map commands, which statically
map each spoke’s next-hop IP address to the DLCI that reaches it on a multipoint (here,
physical) Frame Relay interface. The broadcast keyword on each map is what allows
OSPF’s multicast Hellos (224.0.0.5) to be replicated onto each PVC. Without it, OSPF
traffic will not be forwarded over this Frame Relay topology.
Finally, configure Singapore’s serial interface:
Verify Frame Relay operation with a ping from each router to the other two. Use show
frame-relay pvc and show frame-relay map to troubleshoot connectivity
problems. Rebooting the Frame Relay switch might also solve connectivity issues.
Step 3.
Configure OSPF to run over this point-to-multipoint network. Issue the following
commands at the appropriate router:
London(config)#router ospf 1
London(config-router)#network 192.168.200.0 0.0.0.255 area 0
London(config-router)#network 192.168.192.0 0.0.0.255 area 0
SanJose3(config)#router ospf 1
SanJose3(config-router)#network 192.168.1.0 0.0.0.255 area 0
SanJose3(config-router)#network 192.168.192.0 0.0.0.255 area 0
Singapore(config)#router ospf 1
Singapore(config-router)#network 192.168.232.0 0.0.0.255 area 0
Singapore(config-router)#network 192.168.192.0 0.0.0.255 area 0
Verify the OSPF configuration by issuing the show ip route command at each of the
routers:
London#show ip route
If each router has a complete table, including routes to 192.168.1.0 /24, 192.168.200.0
/24, and 192.168.232.0 /24, OSPF has been successfully configured to operate over
Frame Relay.
Test these routes by pinging the FastEthernet interfaces of each router from London’s
console.
Finally, issue the show ip ospf neighbor detail command at any router console:
Index 2/2, retransmission queue length 0, number of
retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Neighbor 192.168.232.1, interface address 192.168.192.4
In the area 0 via interface Serial0/0
Neighbor priority is 1, State is FULL, 6 state changes
DR is 0.0.0.0 BDR is 0.0.0.0
Options 2
Dead timer due in 00:01:56
Index 1/1, retransmission queue length 0, number of
retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
frame-relay route 16 interface Serial0/0 18
!
interface Serial0/2
no ip address
no ip directed-broadcast
encapsulation frame-relay
clockrate 56000
cdp enable
frame-relay intf-type dce
frame-relay route 17 interface Serial0/0 16
!
interface Serial0/3
no ip address
no ip directed-broadcast
shutdown
!
ip classless
no ip http server
!
line con 0
password cisco
login
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end
3.7.1 Configuring EIGRP with IGRP
Diagram: Singapore (S0/0 192.168.224.2 /30 toward SanJose3, S0/1 192.168.240.1 /30 toward Auckland, Lo0 192.168.0.2/24); SanJose3 Fa0/0 192.168.1.3/24; Auckland Fa0/0 192.168.248.1/24.
Objective
In this lab, the student will configure both EIGRP and IGRP within the International Travel
Agency WAN and observe the automatic sharing of route information between both
protocols.
Scenario
The International Travel Agency migrated from IGRP to EIGRP between its overseas
headquarters and its North American headquarters. However, the Auckland headquarters
is still unable to support EIGRP and must continue running IGRP for the time being.
EIGRP must be configured on the SanJose3 and Singapore routers so that they can
exchange information with the Auckland router.
Step 1.
Build and configure the network according to the diagram, but do not configure EIGRP or
IGRP yet.
Use ping to verify the work and test connectivity between serial interfaces. SanJose3
should be unable to ping Auckland until a routing protocol is enabled.
1-3 Routing Section 3: EIGRP – Lab 3.7.1 Copyright 2002, Cisco Systems, Inc.
Step 2.
Because the Singapore router has to use IGRP to communicate with the Auckland router,
configure the Singapore router for IGRP, but only on the network connected via the serial
interface to Auckland.
Step 3.
Configure EIGRP. In order to redistribute routes from IGRP to EIGRP automatically, use
the same AS number for each routing process. On the Singapore router, enter these
commands:
Step 4.
After enabling routing processes on each of the three routers, verify their operation using
the show ip route command on the Singapore router. The Singapore router should
have routes to all networks.
1. Based on the output of this command, which of the routes was learned via EIGRP?
Now issue the show ip route command on the SanJose3 router, the EIGRP router.
The SanJose3 router received EIGRP routes that are internal to the EIGRP domain, such
as 192.168.224.0. The SanJose3 router also received routes that are external to the
domain, 192.168.240.0 and 192.168.248.0. Notice that these routes are differentiated in
the table. Internally learned routes are marked D, and externally learned routes are
marked D EX.
Now issue the show ip route command on the Auckland router, the IGRP router.
5. Does it tell which IGRP routes are internal and which are external based on the
information in this table?
Step 5.
Now that EIGRP and IGRP are configured, use show commands to view EIGRP’s
neighbor and topology tables on the SanJose3 router.
From the SanJose3 router, issue the show command to view the neighbor table:
7. The Auckland router is not an EIGRP neighbor of the SanJose3 router. Why not?
To view the topology table, issue the show ip eigrp topology all-links
command.
To view more specific information about a topology table entry, use an IP address with
this command:
9. Based on the output of this command, does it tell what external protocol originated this
route to 192.168.248.0?
Finally, use show commands to view key EIGRP statistics. On the SanJose3 router,
issue the show ip eigrp traffic command.
11. How many hello packets has the SanJose3 router received? How many has it sent?
3.7.2 Configuring EIGRP Fault Tolerance
Diagram: Westamap (S0/0 192.168.64.2 /30, S0/1 192.168.64.6 /30) in EIGRP AS 100.
Objective
In this lab, the student will configure EIGRP over a full mesh topology. The student will
observe DUAL replace a successor with a feasible successor after a link failure.
Scenario
The International Travel Agency wants to run EIGRP on its core, branch, and regional
routers. EIGRP is to be configured and tested for its ability to install alternate routes in
the event of link failure.
Step 1.
Build and configure the network according to the diagram, configuring EIGRP as
indicated for AS 100.
Check each serial interface’s bandwidth and change to 1544 if necessary. Use the show
interface command to verify the configuration.
Use ping and show ip route to verify the work and test connectivity between all
routers.
Step 2.
Verify that EIGRP maintains all routes to destination networks in its topology table.
From the SanJose2 router, issue the show ip eigrp topology all-links
command:
via Connected, Serial0/0
P 192.168.1.0/24, 0 successors, FD is Inaccessible, serno 0
via 192.168.64.6 (21026560/2172416), Serial0/0
The SanJose2 router’s topology table includes two paths to the 192.168.72.0 network.
Use the show ip route command to determine which of the two is installed in
SanJose2’s routing table.
Both paths to 192.168.72.0 are listed in the topology table with their computed distance
and reported distance in parentheses, computed distance first. The computed distance of
the successor is the feasible distance (FD); the reported distance (RD) is the metric the
neighbor itself advertises for the network.
3. What is the reported distance (RD) of the route to 192.168.72.0 via 192.168.1.1?
Step 3.
Use the debug eigrp fsm command to observe how EIGRP deals with the loss of a
successor to a route.
Next, shut down or unplug the SanJose2 router’s serial connection. This causes the
SanJose2 router to lose its preferred route to 192.168.72.0 via 192.168.64.6.
Examine the debug eigrp fsm output for information regarding the route to
192.168.72.0, as shown in the following example:
The highlighted portion of the sample output shows DUAL attempting to locate a feasible
successor (FS) for 192.168.72.0. In this case, DUAL failed to find one, because the
remaining path's reported distance was not lower than the feasible distance, so the
router entered the active state. After querying its EIGRP neighbors, SanJose2 located
and installed a route to 192.168.72.0/24 via 192.168.1.1.
Step 4.
Verify that the new route has been installed by using the show ip route command.
Bring the SanJose2 router's serial interface back up. The path via 192.168.64.6 should be
restored as the preferred route to the 192.168.72.0 network.
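As an added illustration of the feasibility test that the lab has you watch in the debug output (this is example code written for this edition, not part of the Cisco lab), the following Python model replays SanJose2's view of 192.168.72.0/24. The metric values are constructed to look like a T1 serial hop plus an Ethernet LAN and are assumptions; the lab does not print them. What it demonstrates is why the second path is not a feasible successor: its reported distance equals, rather than undercuts, the feasible distance, so DUAL must go active and query before the route via 192.168.1.1 can be installed.

```python
"""DUAL successor / feasible-successor selection for one prefix, modelling the
behaviour observed in Lab 3.7.2. Added example, not code from the lab. Metric
values in the demo are constructed (assumed T1 serial hop + Ethernet LAN)."""
from dataclasses import dataclass


@dataclass
class Path:
    via: str        # next-hop neighbour address
    computed: int   # this router's metric to the prefix through that neighbour
    reported: int   # the neighbour's own metric to the prefix (RD)


def _best(candidates):
    """Lowest computed distance wins; None if there is nothing to choose from."""
    candidates = list(candidates)
    return min(candidates, key=lambda p: p.computed) if candidates else None


class TopologyEntry:
    """One prefix in the EIGRP topology table with DUAL's feasibility test."""

    def __init__(self, prefix, paths):
        self.prefix = prefix
        self.paths = {p.via: p for p in paths}
        self.state = "passive"
        self.succ = _best(self.paths.values())
        self.fd = self.succ.computed if self.succ else None   # feasible distance

    def feasible_successors(self):
        """Feasibility condition: a neighbour whose RD is strictly less than our
        FD cannot be routing through us, so it is a loop-free backup that can be
        promoted without a query."""
        if self.succ is None or self.fd is None:
            return []
        return [p for p in self.paths.values()
                if p.via != self.succ.via and p.reported < self.fd]

    def installed_next_hop(self):
        """What show ip route would list for this prefix."""
        return self.succ.via if (self.succ and self.state == "passive") else None

    def link_down(self, via):
        """Lose the path through `via`; returns the DUAL state afterwards."""
        backups = [p for p in self.feasible_successors() if p.via != via]
        del self.paths[via]
        if self.succ is None or self.succ.via != via:
            return self.state                  # a non-successor path; nothing to do
        if backups:
            # Local computation: promote the best FS, the route stays passive.
            self.succ = _best(backups)
            self.fd = self.succ.computed
            return "passive"
        # No FS: the route goes active, FD is inaccessible, neighbours are queried.
        self.succ, self.fd, self.state = None, None, "active"
        return "active"

    def query_reply(self, path):
        """A neighbour's reply to our query carrying its current distance."""
        self.paths[path.via] = path

    def end_active(self):
        """All replies received: choose a new successor and return to passive."""
        self.succ = _best(self.paths.values())
        self.fd = self.succ.computed if self.succ else None
        self.state = "passive"
        return self.succ.via if self.succ else None

    def link_up(self, path):
        """A path returns while passive; a lower metric becomes the new successor
        and FD only ever decreases while the route stays passive."""
        self.paths[path.via] = path
        if self.state == "passive" and (self.succ is None or path.computed < self.succ.computed):
            self.succ = path
            self.fd = path.computed if self.fd is None else min(self.fd, path.computed)


def lab_3_7_2():
    """Replay the lab from SanJose2's point of view; returns an event log."""
    entry = TopologyEntry("192.168.72.0/24", [
        Path("192.168.64.6", computed=2172416, reported=28160),     # constructed
        Path("192.168.1.1", computed=2684416, reported=2172416),    # constructed
    ])
    log = [("initial", entry.installed_next_hop(), entry.fd,
            [p.via for p in entry.feasible_successors()])]
    log.append(("serial down", entry.link_down("192.168.64.6"), entry.fd, None))
    entry.query_reply(Path("192.168.1.1", computed=2684416, reported=2172416))
    entry.end_active()
    log.append(("after query", entry.installed_next_hop(), entry.fd, None))
    entry.link_up(Path("192.168.64.6", computed=2172416, reported=28160))
    log.append(("serial up", entry.installed_next_hop(), entry.fd, None))
    return log


if __name__ == "__main__":
    for event in lab_3_7_2():
        print(event)
```

The strict inequality in feasible_successors is the whole point: a neighbour whose RD is not lower than our FD might be reaching the network through us, so promoting it without a query could form a loop. Operationally, prefixes with no feasible successor are the ones that go active on every successor failure, and an active route whose query never gets a reply is what produces a stuck-in-active condition.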
3.7.3 Configuring EIGRP Summarization
[Topology diagram: Westasman S0/0 192.168.64.2 /30, S0/1 192.168.64.6 /30; all routers in EIGRP AS 100]
Objective
In this lab, the student will configure EIGRP to test its operation over discontiguous
subnets by disabling automatic route summarization. (Discontiguous subnets are subnets
from one major network that are separated by a subnet, or subnets, from another major
network). Then the student will manually configure EIGRP to use specific summary
routes.
Scenario
The International Travel Agency uses VLSM to conserve IP addresses. All LANs are
addressed using contiguous subnets, but the company would like to examine the effects
of discontiguous subnets using EIGRP for future reference. The existence of multiple
networks is simulated by loopback interfaces on the Westasman router. The WAN links
are addressed using 192.168.64.0 with a 30-bit mask.
Because this scheme creates discontiguous subnets, the default summarization behavior
of EIGRP should result in incomplete routing tables. The problem should be resolved by
disabling EIGRP’s default summarization while maintaining a route summary at the
Westasman router with manual route summarization.
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero (0). The ip subnet-zero command may need to be entered
depending on which IOS version is used. Configure the Westasman router with seven
loopback interfaces using the IP addresses from the diagram. These interfaces simulate
the existence of multiple networks behind the Westasman router. Configure EIGRP as
indicated for AS 100.
Use ping to verify that all serial interfaces can ping each other. Note: Until additional
configurations are performed, not all networks will appear in each router’s routing table.
Step 2.
Use show ip route to check SanJose1’s routing table.
The SanJose1 router has installed a summary route to network 172.16.0.0/16 via Null0.
EIGRP routers create these summary routes automatically. Because the local router, in
this case the SanJose1 router, has generated the summary, there is no next hop for the
route. Therefore, the SanJose1 router maps this summary route to its null interface, so
that packets for destinations inside the summary that match no more specific route are
discarded rather than forwarded along a default route, which could otherwise loop.
2. Look again at SanJose1’s routing table. What is the subnet mask for the route to
192.168.64.0?
If these routing tables are to be complete, EIGRP must not automatically summarize
routes at classful boundaries.
Step 3.
In this step, disable EIGRP's automatic summarization feature on each router (the no
auto-summary command under router eigrp 100).
After these commands are issued on all three routers, return to the SanJose1 router and
type the show ip route command.
Step 4.
Now that autosummarization is disabled, the International Travel Agency’s routers should
build complete routing tables. Unfortunately, this would mean that the Westasman router
would be advertising eight routes that should be summarized for efficiency. Use EIGRP’s
manual summarization feature to summarize these addresses.
The Westasman router should be advertising the existence of eight subnets:
172.16.8.0
172.16.9.0
172.16.10.0
172.16.11.0
172.16.12.0
172.16.13.0
172.16.14.0
172.16.15.0
The first 21 bits of these addresses are the same, so a summary route for all subnets can
be created using a /21 prefix, 255.255.248.0 in dotted-decimal notation.
Because the Westasman router must advertise the summary route to the SanJose1 and
SanJose2 routers, enter the following commands on the Westasman router:
Westasman(config)#interface s0/0
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0
Westasman(config-if)#interface s0/1
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0
These commands configure EIGRP to advertise the summary route for AS 100 out of the
Serial0/0 and Serial0/1 interfaces. Verify this configuration by issuing the show ip
protocols command.
6. Which metric is the Westasman router using for its address summarization?
After verifying manual address summarization on the Westasman router, check the
routing tables on the SanJose1 and SanJose2 routers.
From the SanJose1 or SanJose2 router, verify that 172.16.8.1 can be pinged.
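The /21 above can be derived mechanically, and it is worth checking that a summary does not claim more than the router actually owns, because the summary also installs the Null0 discard route seen in Step 2. The following Python helper is an added example, not the lab's code; it uses only the standard library, takes the eight lab subnets, and adds a constructed seven-subnet variant (an assumption, used only to show the overclaim case).

```python
"""EIGRP manual-summary helper: compute the covering prefix for a set of
subnets, build the IOS command, and report any address space the summary
would advertise that is not actually behind the router. Added example,
not from the lab; standard library only."""
import ipaddress


def summary_for(subnets):
    """Smallest single prefix covering every subnet (their longest common prefix)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Shorten the prefix length until one network spans lo..hi.
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = ipaddress.ip_network((int(lo), plen), strict=False)
        if hi in candidate:
            return candidate
    raise ValueError("unreachable: /0 covers every address")


def overclaimed(subnets):
    """Address space inside the summary that belongs to none of the subnets.
    Traffic for it is attracted by the summary and dropped at Null0, so for a
    well-chosen summary this list is empty."""
    remaining = [summary_for(subnets)]
    for n in (ipaddress.ip_network(s) for s in subnets):
        kept = []
        for r in remaining:
            if n.subnet_of(r):
                kept.extend(r.address_exclude(n))   # carve n out of r
            elif not r.subnet_of(n):
                kept.append(r)                      # r untouched; if r is inside n, drop it
        remaining = kept
    return [str(r) for r in ipaddress.collapse_addresses(remaining)]


def ios_summary_command(asn, subnets):
    """The interface-level command the lab enters on each WAN interface."""
    s = summary_for(subnets)
    return "ip summary-address eigrp %d %s %s" % (asn, s.network_address, s.netmask)


# The eight subnets from the lab, plus a constructed seven-subnet variant
# (assumption) that leaves 172.16.15.0/24 unused behind the summary.
LAB_SUBNETS = ["172.16.%d.0/24" % i for i in range(8, 16)]
SEVEN_SUBNETS = LAB_SUBNETS[:-1]

if __name__ == "__main__":
    for name, subs in (("lab", LAB_SUBNETS), ("seven", SEVEN_SUBNETS)):
        print(name, ios_summary_command(100, subs), "overclaimed:", overclaimed(subs))
```

For the eight lab subnets the summary is exactly 172.16.8.0/21 with nothing overclaimed. Drop 172.16.15.0/24 and the summary is still /21, but now 172.16.15.0/24 is advertised to SanJose1 and SanJose2 although nothing is there; traffic for it is pulled toward Westasman and discarded at Null0. Inside one company that is merely wasteful, but the same overclaim on a summary facing another routing domain attracts traffic for address space you do not hold.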
3.8.1 EIGRP Challenge Lab
[Topology diagram: Capetown 192.168.208.2/24 to SanJose3 192.168.208.1/24; SanJose3 192.168.224.1/24 to Singapore 192.168.224.2/24; Singapore 192.168.240.1/24 to Auckland 192.168.240.2/24. The Singapore to Auckland segment runs IGRP AS 100.]
Objective
In this lab, the student will configure an International Travel Agency EIGRP WAN link with
one IGRP segment within the same autonomous system. The student will also use
EIGRP interface summarization to reduce the number of routes in an EIGRP routing
table.
Scenario
The International Travel Agency is migrating from IGRP to EIGRP between its overseas
headquarters and its North American headquarters. Unfortunately, the Auckland
headquarters must continue running IGRP between itself and Singapore. To help reduce
the EIGRP routing table of the SanJose3 router, the Singapore router should be
configured to advertise only a summary of the Auckland addresses. This will cause both
the SanJose3 and Capetown routers to receive summaries of the Auckland address
space, which will result in smaller routing tables on both SanJose3 and Capetown.
Design Considerations
Before this lab is begun, it is recommended that each router be reloaded after its startup
configuration is erased. This prevents problems caused by residual configurations. It is
also recommended that the network be built and configured according to the diagram.
However, do not configure EIGRP or IGRP until the connectivity between directly
connected networks can be verified and tested. The respective loopback addresses
simulate local networks, so no physical connections for local Ethernet networks need to
be made.
Capture Files/Printouts
After initial EIGRP and IGRP configuration, but before interface summarization, capture
or print the following output:
WANs
Table of Contents
WANS ................................................................................................................................ 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 5
1.1 REMOTE ACCESS ........................................................................................................................................ 6
1.1.1 WAN connection types ......................................................................................................................... 6
1.1.2 Dedicated connections......................................................................................................................... 8
1.1.3 Dedicated connections (cont’) ............................................................................................................ 10
1.1.4 Circuit-switched connections.............................................................................................................. 11
1.1.5 Asynchronous dialup connections....................................................................................................... 12
1.1.6 ISDN connections.............................................................................................................................. 14
1.1.7 Packet-switched networks .................................................................................................................. 15
1.1.8 WAN encapsulation protocols ............................................................................................................ 16
1.2 SELECTING APPROPRIATE WAN TECHNOLOGIES ......................................................................................... 18
1.2.1 Choosing a WAN connection.............................................................................................................. 18
1.2.2 Identifying site requirements and solutions.......................................................................................... 20
1.2.3 Central-site considerations ................................................................................................................ 21
1.2.4 Branch-office considerations.............................................................................................................. 22
1.2.5 Telecommuter-site considerations....................................................................................................... 23
1.3 SELECTING CISCO REMOTE ACCESS SOLUTIONS........................................................................................... 25
1.3.1 Routers............................................................................................................................................. 25
1.3.2 Determining the appropriate interfaces - fixed interfaces...................................................................... 27
1.3.3 Determining the appropriate interfaces - modular interfaces ................................................................ 28
1.4 ASSEMBLING AND CABLING WAN COMPONENTS......................................................................................... 30
1.4.1 Network Overview ............................................................................................................................. 30
1.4.2 Central site route equipment .............................................................................................................. 31
1.4.3 Central site router equipment (cont’) .................................................................................................. 34
1.4.4 Branch office router equipment .......................................................................................................... 36
1.4.5 Telecommuter-site router equipment ................................................................................................... 40
1.5 CASE STUDY ............................................................................................................................................ 43
1.5.1 International Travel Agency (ITA) ...................................................................................................... 43
1.6 INTRODUCTORY LAB EXERCISES ................................................................................................................ 45
1.6.1 Getting started and building Start.TXT................................................................................................ 45
1.6.2 Capturing HyperTerminal and Telnet sessions..................................................................................... 45
1.6.3 Access control list basics and extended ping........................................................................................ 46
SUMMARY ..................................................................................................................................................... 47
1-2 Remote Access Section 1: WANs Copyright 2002, Cisco Systems, Inc.
Overview
[Figure 1: Remote access overview. A central site (AAA server, modem, ISDN BRI and PRI, ISDN/analog, serial, async, Frame Relay) connected to a branch office (BRI, modem, serial) and to a Windows 98 PC.]
Over the last several years, web-based applications, wireless devices, and virtual
private networking (VPN) have changed our expectations about computer
networks. Today's corporate networks are accessible virtually anytime from
anywhere with many users expecting some degree of access to their company's
network while at home or on the road.
Corporate networks are typically built around one central site that houses key
network resources. These resources include file servers, web servers, and e-mail
servers that deliver information and services to all users in a company. Such
services are readily accessible to central site users by way of the LAN. But how
will users working remotely gain access to these resources?
A networking professional provides users with remote access to the network.
Remote users may be working at branch offices or home offices, or they may
even be on the road with a laptop or a handheld mobile device. Essentially, a
remote user is any user who is not presently working at the company's central
site. Figure [1] presents several remote access solutions.
Remote access solutions come in all shapes and sizes. Each company's solution
typically involves a combination of varied WAN services. Most of these services
are obtained from a service provider, such as a regional telecommunications
company. Since the transmission facilities belong to a service provider, the task
is to select the appropriate service, not actually to design and maintain the WAN
facilities themselves.
Types of available WAN services and their costs vary depending on
geographical region and the provider. Real-world budgetary constraints and
service availability are often the overriding selection criteria.
In order to implement the most appropriate solution, the advantages and
disadvantages of the different types of WAN services must be understood. This
chapter surveys the general types of WAN connections and provides criteria to
use in the selection of the service, or blend of services, best suited to the
organization's needs, budget, and geography. In addition, this chapter offers
guidelines for selecting the best remote access solution from the large number of
available products.
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
1.1 Remote Access
Figure 3 WAN Connection Types
If two hosts use a timing signal to "synch up," start and stop bits for every 8-bit
character value are not necessary. Instead, a large amount of data (e.g., hundreds
or even thousands of bytes) can be preceded by synchronization bits. For
example, in Ethernet a field of synchronization bits precedes the data payload.
This field of synchronization bits, called a preamble, forms a pattern of
alternating ones and zeros. The receiver uses this pattern to synchronize with the
sender.
Service providers offer a variety of synchronous and asynchronous WAN
services. These services can be grouped into three categories depending on their
connection type:
• dedicated connectivity
• circuit-switched networks
• packet-switched networks
Figure [3] illustrates these three different types of WAN connections. Each
connection type offers distinct advantages and disadvantages, which are
described in the following sections.
Figure 2 Dedicated Serial Connections
circuit from the service provider. The cost of maintaining multiple leased lines
can add up quickly. For this reason, most companies find a fully meshed WAN
(i.e., every site maintains a connection to every other site), too costly to build
using only dedicated lines.
• V.35
• X.21
• EIA-530
When connecting a DTE (for example, a router) to an analog modem, EIA/TIA-232
compliant cabling and interfaces will typically be used. First released over
30 years ago as RS-232, the EIA/TIA-232 standard is very common. However, it
provides relatively low transmission speeds (typically less than 64 kbps), and is
not appropriate for high-capacity dedicated lines. Today many synchronous
serial interfaces, such as T1, have the CSU/DSU integrated on the interface card.
This eliminates the need for a separate CSU/DSU.
When connecting a Cisco router to a T1/E1 or fractional T1/E1 via a CSU/DSU,
V.35 cabling and interfaces should be used as they are capable of much higher
throughput (over 2 Mbps).
Anyone who pays a long-distance phone bill knows that circuit-switched
connections can be costly if left continuously established. For this reason,
routers connected to circuit-switched networks are configured to operate in a
specialized way, called dial-on demand routing (DDR). A router configured for
DDR only places a call when it detects traffic defined by a network administrator
as "interesting."
Typical circuit-switched connections include:
• Asynchronous Dialup (POTS)
• ISDN Basic Rate Interface (BRI)
• ISDN Primary Rate Interface (PRI)
Figure 3 Asynchronous Dialup Connection
Asynchronous serial connections offer inexpensive WAN service via the existing
telephone network. In order for digital devices, such as computers and routers, to
use analog telephone lines, modems are required at each end of the connection
(refer to Figure [1]). Modems convert digital data signals to analog signals that
can be transported over the telephone company's local loops asynchronously.
While this is convenient, modems have one overwhelming drawback; they do not
provide high throughput. Today's modems provide transmission speeds of only
56 kbps or less.
Because modems can be used with virtually any phone line, mobile and home
users often rely on asynchronous serial connections to connect to a corporate
network or ISP. An end user can easily initiate and tear down a call using
software that controls the modem.
Routers can also use asynchronous serial connections to route traffic using DDR.
Because modems do not support high transmission speeds, asynchronous serial
connections are typically used as backup links (refer to Figure [2]) or for load
sharing (refer to Figure [3]).
Some routers are designed with dozens of asynchronous lines to support a large
number of dial-in users. Routers that act as concentration points for dial-in and
dial-out calls are called access servers. Throughout this course, the term "access
server" will be used to refer to a router with at least one asynchronous interface.
To place or receive an asynchronous serial call, a router must have at least one
asynchronous serial interface, such as the AUX (Auxiliary) port, which connects
to a modem (typically external).
1.1.6 ISDN connections
1.1.7 Packet-switched networks
Unlike leased lines and circuit-switched connections, packet switching does not
rely on a dedicated, point-to-point connection through the carrier network.
Instead, data packets are routed across the carrier network based on addressing
contained in the packet or frame header. This means that packet-switched WAN
facilities can be shared with other customers, which allows service providers to
support multiple customers over the same physical lines and switches. Typically,
customers connect to the packet-switched network via a leased line, such as a T1
or fractional T1.
In a packet-switched network, the provider configures its switching equipment to
create virtual circuits (VCs) that supply end-to-end connectivity (refer to Figure
[1]). Frame Relay is the most common packet-switched WAN service in the
United States, although the older X.25 remains a prominent packet-switching
technology worldwide.
Packet-switched networks offer an administrator less control than a point-to-
point connection. However, the cost of a packet-switched VC is generally less
than that of a leased line because the WAN facilities are shared. VCs can be
permanent, or they can be built on demand.
A Frame Relay VC offers speeds of up to T3, making this packet-switched
technology a high-speed, cost-effective alternative to leased lines. As well, a
single synchronous serial connection can support several logical VCs in a point-
to-multipoint configuration (refer to Figure [2]). This process of combining
multiple data conversations into a single physical line is called multiplexing.
Multiplexing in a packet-switched network is made possible because a DTE
(usually a router) encapsulates the packet with addressing information. The
provider's switches use the addressing to determine how and where to deliver a
specific packet. In the case of Frame Relay, these addresses are data-link
connection identifiers (DLCIs). The ability to multiplex means that a single router
port and CSU/DSU can support dozens of VCs each leading to a different site.
Therefore, packet-switching makes a full- or partial-mesh topology relatively
affordable.
Frame Relay is a popular WAN service for providing high-speed WAN
connections to branch offices and other remote sites. However, Frame Relay
does not offer the degree of reliability, flexibility, and security afforded by
dedicated lines. Despite Frame Relay's lower cost and multipoint capability,
dedicated lines are the preferred WAN service for mission-critical traffic and
continuous, high-volume exchanges.
Routers encapsulate packets with a Layer 2 frame before sending them across a
WAN link. Although there are several common WAN encapsulations, most have
similar anatomies. This is because the most common WAN encapsulations are
derived from High-Level Data Link Control (HDLC) and its forerunner
Synchronous Data Link Control (SDLC). Despite their similar structures, each
data link protocol specifies its own specific type of frame, which is incompatible
with other types. The Figure shows which common data link protocols are used
with each of the three WAN connection types.
By default, serial interfaces on a Cisco router are set to encapsulate packets
using HDLC. The interface must be manually configured for any other type of
encapsulation. The choice of encapsulation protocol depends on the WAN
technology and the communicating equipment that is being used. Common WAN
protocols include the following:
• PPP - Point-to-Point Protocol (PPP) is a standards-based protocol for
router-to-router and host-to-network connections over synchronous and
asynchronous circuits.
• Serial Line Internet Protocol (SLIP) - SLIP is the forerunner to PPP,
and is used for point-to-point serial connections using TCP/IP.
• High-Level Data Link Control (HDLC) - HDLC itself is an ISO standard, but
vendor implementations differ (Cisco's adds its own protocol-type field to
the frame), so Cisco HDLC is typically used only when connecting two
Cisco devices. When connecting routers from different vendors, PPP (which
is standards-based and interoperable) is used instead.
• X.25/LAPB - X.25 is an ITU-T standard that defines the way
connections between DTE and DCE devices are maintained for remote
terminal access and computer communications in public data networks.
X.25 provides extensive error-detection and windowing features because
it was designed to operate over error-prone analog copper circuits.
• Frame Relay - Frame Relay is a high-performance, packet-switched,
WAN protocol that can be used over a variety of network interfaces.
Frame Relay is streamlined to operate over highly reliable digital
transmission facilities.
• Asynchronous Transfer Mode (ATM) - ATM is an international
standard for cell relay, in which multiple service types (e.g., voice,
video, or data) are conveyed in fixed-length cells. ATM is designed to
take advantage of high-speed transmission media such as Synchronous
Optical Network (SONET).
PPP, X.25, and Frame Relay encapsulations are discussed at length in later
chapters.
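To make the "similar anatomies, incompatible frames" point concrete, here is an added Python decoder (example code, not from the course) for the opening bytes of a Cisco HDLC frame, a PPP frame in HDLC-like framing (RFC 1662) and a Frame Relay frame with RFC 2427 encapsulation. The field layouts follow the public specifications; the sample frames and the IPv4 header inside them are constructed, with the IPv4 checksum left at zero. It also cross-checks the Layer 2 protocol field against the payload's version nibble, which is how a capture tool notices an encapsulation mismatch on one end of a link.

```python
"""Decode the Layer 2 header of a serial WAN frame: Cisco HDLC, PPP (RFC 1662
framing) and Frame Relay (RFC 2427). Added example, not course code. Field
layouts follow the public specs; all sample frames below are constructed."""
import struct

CISCO_HDLC_PROTOCOLS = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8035: "SLARP", 0x2000: "CDP"}
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP",
                 0x8021: "IPCP", 0xC023: "PAP", 0xC223: "CHAP"}
FR_NLPIDS = {0xCC: "IPv4", 0x8E: "IPv6", 0x80: "SNAP", 0x08: "Q.933"}


def decode_wan_frame(frame):
    """Return the encapsulation, the carried protocol and the payload of `frame`."""
    if len(frame) < 4:
        raise ValueError("frame too short for any WAN header")
    b0, b1 = frame[0], frame[1]

    if b0 == 0xFF and b1 == 0x03:
        # PPP: address 0xFF, control 0x03, then a 2-byte protocol field, or a
        # 1-byte one (odd value) when protocol-field compression was negotiated.
        if frame[2] & 1:
            proto, off = frame[2], 3
        else:
            proto, off = struct.unpack_from("!H", frame, 2)[0], 4
        return {"encap": "PPP", "protocol": PPP_PROTOCOLS.get(proto, hex(proto)),
                "payload": frame[off:]}

    if b0 in (0x0F, 0x8F) and b1 == 0x00:
        # Cisco HDLC: address 0x0F (unicast) or 0x8F (broadcast), control 0x00,
        # then Cisco's own 2-byte protocol-type field carrying Ethertype values.
        proto = struct.unpack_from("!H", frame, 2)[0]
        return {"encap": "Cisco HDLC",
                "protocol": CISCO_HDLC_PROTOCOLS.get(proto, hex(proto)),
                "payload": frame[4:]}

    if (b0 & 0x01) == 0 and (b1 & 0x01) == 1 and frame[2] == 0x03:
        # Frame Relay: 2-byte Q.922 address (EA bit 0 then 1), UI control 0x03,
        # optional 0x00 pad, then the NLPID naming the payload protocol.
        dlci = ((b0 & 0xFC) << 2) | (b1 >> 4)
        off = 4 if frame[3] == 0x00 else 3
        if len(frame) <= off:
            raise ValueError("Frame Relay frame truncated before NLPID")
        nlpid = frame[off]
        return {"encap": "Frame Relay", "dlci": dlci,
                "fecn": bool(b1 & 0x08), "becn": bool(b1 & 0x04), "de": bool(b1 & 0x02),
                "protocol": FR_NLPIDS.get(nlpid, hex(nlpid)), "payload": frame[off + 1:]}

    return {"encap": "unknown", "protocol": None, "payload": frame}


def payload_matches(decoded):
    """Cross-check the Layer 2 claim against the payload: an IPv4 payload must
    start with version nibble 4, IPv6 with 6. None means there is nothing to
    check (control protocol or empty payload); False means one end of the link
    is mis-set or the frame was crafted."""
    payload = decoded["payload"]
    expected = {"IPv4": 4, "IPv6": 6}.get(decoded["protocol"])
    if expected is None or not payload:
        return None
    return (payload[0] >> 4) == expected


# Constructed sample data: a minimal 20-byte IPv4 header, 192.168.1.1 -> 192.168.1.2,
# ICMP, TTL 64, header checksum left at zero.
IPV4_HDR = bytes.fromhex("4500001c0001000040010000c0a80101c0a80102")
CISCO_HDLC_FRAME = bytes([0x0F, 0x00, 0x08, 0x00]) + IPV4_HDR
PPP_FRAME = bytes([0xFF, 0x03, 0x00, 0x21]) + IPV4_HDR
FRAME_RELAY_FRAME = bytes([0x18, 0x41, 0x03, 0xCC]) + IPV4_HDR      # DLCI 100, IETF encap
# Cisco HDLC announcing IPv4 while the payload starts with version nibble 6.
MISMATCHED_FRAME = bytes([0x0F, 0x00, 0x08, 0x00]) + b"\x60" + IPV4_HDR[1:]

if __name__ == "__main__":
    for f in (CISCO_HDLC_FRAME, PPP_FRAME, FRAME_RELAY_FRAME, MISMATCHED_FRAME):
        d = decode_wan_frame(f)
        print(d["encap"], d["protocol"], "payload ok:", payload_matches(d))
```

The three headers are distinguishable by their first byte alone: a Q.922 address byte always has its low (EA) bit clear, whereas PPP's 0xFF and Cisco HDLC's 0x0F/0x8F are odd, so a PPP or Cisco HDLC frame can never be mistaken for Frame Relay and vice versa. The encapsulation tag by itself is only a claim, though, which is why the version-nibble check is worth keeping when you decode traffic from a link you do not control.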
1.2 Selecting Appropriate WAN Technologies
Figure 3 Cost Comparison of WAN Connections
Each WAN connection type has advantages and disadvantages. For example,
setting up a dialup asynchronous connection offers only limited bandwidth, but a
user can call into the office from anywhere over the existing telephone network.
In this case, throughput is sacrificed for convenience. This section examines the
factors that should be considered when selecting a WAN service.
Figure [1] compares applications for various types of WAN connections and
Figure [2] compares their potential bandwidth.
While every home user would like a T1 line run to their house, and every
administrator would like to run an OC-12 to all remote offices, the cost of
deploying such services so liberally would be ridiculous. A networking
professional must carefully gauge which connections require high-cost, high-
throughput links, and then spend accordingly. It is important to note that WAN
usage costs are typically 80 percent of a company's entire Information Services
budget. When possible, "shop around" for WAN services. If more than one
provider offers service it may be possible to purchase services at competitive
prices. [3]
There are other important factors to consider when choosing a WAN service,
including ease of management, quality of service (QoS), and reliability. Leased
lines are easier to manage and configure than packet-switched connections. In
terms of QoS, some applications, such as Voice over IP (VoIP), require
guaranteed bandwidth, minimal delay, and high reliability, which can make
anything short of a leased line problematic.
1.2.2 Identifying site requirements and solutions
1.2.3 Central-site considerations
The central site is the focal point of a company's network (refer to Figure [1]).
Typically, all remote sites and users must connect to the central site to access
information, either intermittently or continuously. Because many users access
this site in a variety of ways, a central site's routers should have a modular
design so that interface modules can be added (or swapped out) as needed. The
chassis of a modular router allows installation of the interfaces needed to support
virtually any media type. Figure [2] illustrates the slots on a modular router, the
Cisco 3660. According to the example network as shown in Figure [1], the
central site's router must accommodate circuit-switched connections (e.g.,
ISDN/analog), packet-switched connections (e.g., Frame Relay), and could
feasibly have a dedicated line to the ISP.
• Frame Relay
• X.25
• ISDN
• DSL (digital subscriber line) - This technology enables delivery of
high-speed data, voice, and multimedia over conventional telephone
wires. In order for a remote site to connect to the corporate network
without traversing the public Internet, DSL typically requires ATM at
the central site.
• Wireless
• VPN (Virtual Private Network) - This technology typically requires that
both sites are already connected to the public Internet.
Over the past decade, the improvement of WAN technologies, notably DSL and
cable modems, has allowed many employees to do their jobs remotely. As a
result, the number of telecommuters and small offices has increased.
As with the corporate and branch office solutions, the telecommuter site's WAN
solution must be evaluated by weighing cost and bandwidth requirements.
An asynchronous dialup solution using the existing telephone network and an
analog modem is often the solution for telecommuters because it is easy to set up
and the telephone facilities are already installed. But if usage and bandwidth
requirements increase, other remote-access technologies should be considered.
Since mobile users must connect from many different locations, an asynchronous
dialup connection may be the only remote access solution that is consistently
available. Employees on the road can use their PCs with modems and the
existing telephone network to connect to the company.
Typical WAN connections employed at telecommuter sites include:
• Asynchronous dialup
• ISDN BRI
• Cable modems
• DSL
• Wireless and Satellite
• VPN
1.3 Selecting Cisco Remote Access Solutions
1.3.1 Routers
Figure 2 Remote-Access Options for Each Series of Router
Cisco offers access servers, routers, and other equipment that allow connection
to various WAN services. Figure [1] highlights some of the products that are
suited for the various company sites. Figure [2] lists the key features and WAN
options for each series of routers.
Web Links
Latest product information may be located at:
http://www.cisco.com
1.3.2 Determining the appropriate interfaces - fixed interfaces
The router selected for the WAN connection must offer the interfaces that will
support the WAN service, such as the following:
• Asynchronous serial - supports asynchronous dialup connections using
a modem.
• Synchronous serial - supports leased lines, Frame Relay, and X.25.
• High-speed serial interface (HSSI) - supports high-speed serial lines,
such as T3.
• BRI - supports ISDN BRI connections.
• T1 or E1 - supports connections such as leased lines, dialup, ISDN PRI,
and Frame Relay.
• DSL - supports Asymmetric Digital Subscriber Line (ADSL),
Symmetric DSL (SDSL), or ISDN DSL (IDSL) connections.
• ATM - supports ATM connections.
Some routers, such as the 2501, offer fixed interface configurations. A fixed
configuration is one that cannot be changed or upgraded. The advantage of a
fixed interface configuration is that WAN or LAN interface modules do not have
to be purchased. The number and type of interfaces are predetermined for a
specific model of router.
A fixed-configuration router may be appropriate for a small remote office or
telecommuter. In such cases, the flexibility afforded by a modular design may
not be worth additional expense and complexity. Instead, a fixed-configuration
router may offer the most affordable, and simplest, WAN solution for the small
office.
1.3.3 Determining the appropriate interfaces - modular interfaces
With a modular router, some or all of the interfaces on the router may be chosen
by installing various feature cards, network modules, or WAN interfaces.
Although modular routers require the purchase of each interface card separately,
they are more scalable than their fixed-configuration counterparts. For that
reason, modular routers are typically installed at large remote sites, and should
always be used at the central site. In the long run, it's cheaper to add new
interface modules rather than to replace an entire router.
1.4 Assembling and Cabling WAN Components
The figure presents three routers in a company's network: one at the central site,
one at the branch office, and one at a telecommuter site. Each of these sites has
different requirements in terms of bandwidth and availability. For example, the
central site requires a permanent high-speed connection to the Internet, while the
telecommuter site merely requires a switched connection for intermittent, low-
speed access to the rest of the network. The following sections examine the
specific requirements of each of the three sites in this example, and suggest
solutions appropriate to each.
1.4.2 Central site router equipment
Figure 3 Cisco AS 5300 Series Router
In the example network (refer to Figure [1]), the central-site router must have the
following interfaces:
• ISDN PRI interface
• Asynchronous serial interface and modem for asynchronous calls
• Serial interface for Frame Relay connections
• Serial interface for the leased line to the ISP
• Ethernet interface to access resources on the central-site LAN
To meet the requirements of a central site, a modular router should be selected
that will allow for growth. Depending on the amount of growth expected and the
number of connections to be supported, a modular router from one of the
following series could be utilized:
• Cisco 3600 series - The Cisco 3600 series modular routers (refer to
Figure [2]) can provide dial access, routing, and LAN-to-LAN services
and multiservice integration of voice, video, and data in the same device.
The 3600 series replaces the legacy 4000 series routers. Like the newer
3600 series, Cisco 4000 series routers are modular and can support many
variations of protocols, line speeds, and transmission media.
• Cisco AS5x00 series - The Cisco AS5x00 series access servers (refer to
Figure [3]) combine the functions of an access server, a router, and
analog and digital modems in one chassis. They provide a high level of
scalability, and multiprotocol capabilities for both ISPs and enterprises.
• Cisco 7200 series - The Cisco 7200 series routers (refer to Figure [4])
allow for maximum scalability and flexibility, by combining high-
performance hardware and software with a modular design. The 7200
series supports any combination of Ethernet, Fast Ethernet, Token Ring,
Fiber Distributed Digital Interface (FDDI), ATM, serial, ISDN, and
HSSI interfaces.
1.4.3 Central site router equipment (cont.)
For the central site (refer to Figure [1]), the 3600 series router makes the most
sense. For now, the central site only needs to support five interfaces. The 3600
series will provide the necessary scalability and support of Frame Relay, ISDN,
and asynchronous dialup through specialized interface modules.
The AS5x00 series offers a high-density dialup solution. But since the central
site does not require a large number of dialup interfaces, an AS5x00 solution
would be overkill and not cost-effective. Likewise, a 7200 series router would
probably offer more expandability and horsepower than necessary for so few
connections. The large chassis of this series would provide more scalability than
a 3600 series router, but unless the company is planning on significant short-
term growth, the 7200 may prove too costly a solution.
Of the three product series, the Cisco 3600 series offers the right combination of
scalability and affordability. With over 70 modular interface options, the 3600
series is often called the "Swiss Army knife" of routers, because of its versatility.
The 3600 series (refer to Figure [2]) includes the following models:
• The 3660 has six network module slots
• The 3640 has four network module slots
• The 3620 has two slots
An ideal solution for this example would be the 3640 router. The 3620 may not
provide enough interfaces as the network grows, and, although the 3660 would
provide maximum scalability, it will cost more. In order to serve our example
network, the 3640 can be equipped with the following interface cards:
• 1-Ethernet 2-WAN card slot network module - supports a single
Ethernet connection, as well as two WAN connections.
• 1-port CT1/PRI-CSU network module - provides the PRI interface.
• Digital modem network module - internal modem used in conjunction
with the PRI for dial-in connections. One digital modem network module
can support up to 30 Modem ISDN channel aggregation (MICA)
modems.
Optionally, a 4-port serial WAN network module could be used for Frame
Relay and, if needed, to connect to an external modem. However, budgetary
constraints may dictate that the fourth slot remain open for future expansion.
1.4.4 Branch office router equipment
Figure 3 Cisco 1700 Series Router
Figure 5 Cisco 2600 Series Router
In contrast to the central site solution, the branch-office router needs only one
primary WAN connection and a second WAN interface for dial backup (refer to
Figure [1]). The branch router must have the following interfaces:
• Serial interface for Frame Relay connections
• BRI interface for ISDN BRI
To meet the requirements of a branch office, a modular router or a fixed-
configuration router could be selected. If the remote office will act as a WAN
hub for smaller offices (in which case a 3600 series router may be needed), an
access router from one of the following series may fit:
• Cisco 1600 Series [2] - The Cisco 1600 series routers are designed to
connect small offices with Ethernet LANs to the public Internet, and to a
company's internal intranet or corporate LAN through several WAN
connections such as ISDN, asynchronous serial, and synchronous serial.
The Cisco 1601 R - 1604 R models have an Ethernet port, a built-in
WAN port, and a slot for an optional second WAN port. The 1605 R
router has two Ethernet ports and one WAN slot.
• Cisco 1700 Series [3] - The Cisco 1700 router is a small, modular
desktop router that links small- to medium-size remote Ethernet and
FastEthernet LANs over one to four WAN connections to regional and
central offices.
• Cisco 2500 Series [4] - The Cisco 2500 series routers provide a variety
of models that are designed for branch office and remote site
environments. These routers are typically fixed-configuration with at
least two of the following interfaces: Ethernet, Token Ring, synchronous
serial, and ISDN BRI.
• Cisco 2600 Series [5] - The Cisco 2600 series of modular routers
features single or dual fixed LAN interfaces, a network module slot, two
Cisco WAN interface card (WIC) slots, and a new Advanced Integration
Module (AIM) slot. LAN support includes 10/100 Mbps autosensing
Ethernet and Token Ring. WAN interface cards support a variety of
serial, ISDN BRI, and integrated CSU/DSU options for primary and
backup WAN connectivity. The AIM slot supports integration of
advanced services such as hardware-assisted data compression and data
encryption for optimizing the 2600 series for VPNs. The Cisco 2600
series shares modular interfaces with the Cisco 1600, 1700, and 3600
series.
A 1600 series router with the appropriate WAN interface card may meet the
immediate WAN requirements of the branch office shown in Figure [1].
However, a more flexible solution, such as the 1700 series or 2600 series router,
may be needed if the company plans to implement Voice over IP (VoIP), or
allow telecommuters to dial in to the branch office. Also, the 1600 series routers
do not come with a FastEthernet interface, while the 1700 and 2600 series
routers do.
If the company has no immediate plans to offer expanded service, and a
FastEthernet connection is not necessary, a 1600 series router will make the most
cost-effective solution. The 1600 series includes the following:
• the 1601 (one Ethernet, one serial, one WAN interface card (WIC) slot)
• the 1602 (one Ethernet, one serial with integrated 56-kbps DSU/CSU,
one WIC)
• the 1603 (one Ethernet, one ISDN BRI (S/T interface), one WIC)
• the 1604 (one Ethernet, one ISDN BRI with integrated NT1 (U
interface), one S-bus port for ISDN phones, one WIC slot)
• and the 1605 (two Ethernet slots, one WIC slot)
In this case, the 1603 or 1604 routers would meet the branch site's ISDN BRI
requirement, and have a WAN slot for a serial interface that can be used for
Frame Relay.
1.4.5 Telecommuter-site router equipment
Figure 3 Cisco 800 Series Router
According to Figure [1], the telecommuter site should have an ISDN BRI
connection to the branch or central sites. The mobile user requires an
asynchronous dialup connection to the central site. Therefore, the telecommuter
WAN solutions must include the following interfaces:
• PC and modem for asynchronous dialup calls
• BRI interface for ISDN BRI
• Ethernet LAN interface
When selecting routers for a telecommuter site, cost is typically the primary
concern, especially since only minimal flexibility and scalability are required. In
most cases, a telecommuter-site solution would come from the following router
families:
• Cisco 700 Series (760 or 770) [2] - The Cisco 700M family products are
low-cost, easy-to-manage multiprotocol ISDN access routers. These
devices provide small professional offices, home offices, and
telecommuters with high-speed remote access to enterprise networks and
the Internet. However, the 700 series does not support the Cisco IOS.
• Cisco 800 Series [3] - The Cisco 800 Series router is the entry-level
platform that, unlike the 700 series, contains Cisco IOS technology. The
fixed-configuration 800 series is designed to connect a small Ethernet
LAN to a corporate network or ISP. Various models include support for
DSL, ISDN, and serial connections.
• Cisco 1000 Series [4] - The Cisco 1000 series routers are easy-to-install,
inexpensive, multiprotocol access products, designed for small offices.
This IOS-based series currently includes three models: the 1003 (1
Ethernet port, 1 ISDN BRI S/T interface), the 1004 (1 Ethernet port, 1
ISDN BRI U-interface), and the 1005 (1 Ethernet port, 1 serial port).
Models from each of these router families can provide the ISDN connection
required by the telecommuter site (refer to Figure [1]). (The dialup requirement
for the mobile user can be met by connecting a modem to the Windows PC.) The
Cisco 800 series might make the best choice for this telecommuter site, because
it is the most affordable series that supports ISDN and runs the feature-rich
Cisco IOS.
1.5 Case Study
[Figure: ITA network diagram. Sites Singapore, San Jose1, San Jose2, London,
Capetown, and Sales Engineer are linked over POTS, ISDN, and Frame Relay;
subnets shown: 192.168.0.0/24, 192.168.1.0/24, 192.168.8.0/24, 192.168.16.0/24,
192.168.192.0/24, 192.168.200.0/24, 192.168.216.0/24, 192.168.232.0/24.]
The labs in this course reference the fictitious International Travel Agency (ITA)
(refer to Figure [1]), which maintains a global data network (refer to Figures [2]
and [3]). The ITA business scenario provides a tangible, real-world application
for each of the concepts introduced in the labs.
1.6 Introductory Lab Exercises
Lab Activity:
This lab introduces the CCNP lab equipment and some IOS features that might
be new. This introductory activity also describes how to use a simple text editor
to create all (or part) of a router configuration file. After creating a text
configuration file, apply that configuration to a router quickly and easily by
using the techniques described in this lab.
Lab Activity:
1.6.3 Access control list basics and extended ping
Lab Activity:
This lab activity reviews the basics of standard and extended access lists, which
are used extensively in the CCNP curriculum.
Summary
This chapter explored WAN connections and how to determine the requirements
of a central site, a branch office, and a telecommuter site. Cisco products to suit
the specific needs of each site and how to utilize Cisco tools to select the proper
equipment were also covered, along with the identification and connection of
the necessary components for central-site, branch-office, and small-office WAN
solutions.
Section 2
Scaling IP Addresses with NAT
Table of Contents
1-2 Remote Access Section 2: Scaling IP Addresses with NAT Copyright 2002, Cisco Systems, Inc.
Overview
Figure 1 NAT
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
2.1 NAT Overview
Figure 3 A Simple NAT Topology
Strictly speaking, NAT is the process of altering the IP header of a packet so that
the destination address, the source address, or both addresses are replaced in the
header by different addresses. This swapping process is performed by a device
running specialized NAT software or hardware. Such a NAT enabled device is
often called a NAT box because it can be a Cisco router, a UNIX system, a
Windows XP server, or several other kinds of systems.
A NAT enabled device typically operates at the border of a stub domain. A stub
domain is a network that has a single connection to the outside world. Figure [1]
presents a simple example of a stub domain. When a host inside the stub domain,
such as 10.1.1.6, wants to transmit to a host on the outside, it forwards the packet
to its default gateway. In this case, the host's default gateway is also the NAT
box.
The NAT process running on the router looks inside the IP header and, if
appropriate, replaces the local IP address with a globally unique IP address.
Figure [2] illustrates this address translation. RTA, the NAT router, determines
that the source IP address of the packet (10.1.1.6) should be swapped. In this
case, RTA replaces the private address with a global (real) address, 171.70.2.1.
RTA also keeps a record of this translation in a NAT translation table.
When an outside host sends a response (refer to Figure [3]), the NAT router
receives it, checks the current table of network address translations, and replaces
the destination address with the original inside source address (refer to Figure
[4]).
NAT translations can occur dynamically or statically, and can be used for a
variety of purposes, as described in the following sections.
RFC 1918 sets aside three blocks of IP addresses--a Class A, a Class B, and a
Class C range--for private, internal use (see the figure). These three ranges
provide more than 17 million private addresses.
Public addresses must be registered by a company or leased from a provider. On
the other hand, private IP addresses are set aside to be used by anyone. That
means two networks, or two million networks, can each use the same private
address. The restriction is that private addresses cannot be used on the public
Internet. A private address cannot be used on the Internet because ISPs typically
configure their routers to prevent privately-addressed customer traffic from
being forwarded.
NAT provides tremendous benefits to individual companies and the Internet as
well. Before NAT, a host with a private address could not access the Internet.
With NAT, individual companies can address some or all of their hosts with
private addresses and then use NAT to access the public Internet. At the same
time, these hosts connect to the Internet without necessarily depleting its address
space.
2.1.3 NAT terminology
Figure 1 The Cisco Implementation of NAT Uses the Following Terms Related to NAT
When configuring NAT using the Cisco IOS, it's critical to understand NAT
terminology (refer to Figure [1]), and in particular to have a strong grasp of the
following terms.
• Inside addresses - The set of networks that are subject to translation.
Inside addresses are typically RFC 1918 addresses, but they can be any
valid IP addresses.
• Outside addresses - All other addresses. Usually these are valid
addresses located on the Internet.
Inside addresses are associated with hosts inside the NAT boundary regardless
of whether they are private (RFC 1918) or public addresses. Inside addresses are
part of the network. Outside addresses are typically associated with all Internet
addresses. However, in some cases, outside addresses can be associated with
hosts on the network, beyond the NAT boundary. There are two different kinds
of inside addresses, and two different types of outside addresses.
• Inside local address - Configured IP address assigned to a host on the
inside network. Address may be globally unique, allocated out of the
private address space defined in RFC 1918, or might be officially
allocated to another organization (refer to Figure [2]).
• Inside global address - The IP address of an inside host as it appears to
the outside network. The inside global address is the translated address.
These addresses are typically allocated from a globally unique address
space, typically provided by the ISP (if the enterprise is connected to the
Internet).
• Outside local address - The IP address of an outside host as it appears
to the inside network. These addresses can be allocated from the RFC
1918 space if desired.
• Outside global address - The configured IP address assigned to a host
in the outside network.
NAT can be used to perform several functions. This chapter describes in detail
the operation of the following NAT functions:
• Translating inside local addresses - This function establishes a
mapping between inside local and global addresses.
• Overloading inside global addresses - Addresses can be conserved in
the inside global address pool by allowing source ports in TCP
connections or UDP conversations to be translated. When different
inside local addresses map to the same inside global address, the TCP or
UDP port numbers of each inside host are used to distinguish between
them.
• TCP load distribution - A dynamic form of destination translation can
be configured for some outside-to-inside traffic. When a mapping
scheme is established, destination addresses that match an access list are
replaced with an address from a pool. Allocation is done on a round-
robin basis, and is done only when a new connection is opened from the
inside to the outside. All non-TCP traffic is passed untranslated (unless
other translations are in effect).
• Handling overlapping networks - NAT can be used to resolve
addressing issues that arise when inside addresses overlap with
addresses in the outside network. This can occur when two companies
merge, both with duplicate addresses in the networks. It can also occur
when switching ISPs and the previously assigned address was reassigned
to another client.
2.2 Configuring NAT
With dynamic NAT, translations don't exist in the NAT translation table until the
router receives traffic that requires translation (such traffic is defined by an
administrator). Dynamic translations are temporary, and will eventually time out.
For example, host 10.4.1.1 transmits a packet to an Internet host, as shown in the
figure. Since a private address can't be routed on the Internet, this host uses the
services of a router configured for NAT.
The NAT router alters the IP packet by removing the original source address,
10.4.1.1, and replacing it with a globally unique address from a pool defined by
an administrator.
As shown in the figure, the inside host is dynamically assigned 2.2.2.2 from the
address pool. The NAT router keeps a record of this address translation in its
NAT table. When an Internet host's reply packet is sent to 2.2.2.2, it arrives at
the NAT router, which checks its NAT table for the mapping to the local inside
address. The NAT router then replaces the destination address with the original
local address, 10.4.1.1. The translation mapping is not permanent; it will age out
after a configurable period of time.
2.2.2 Configuring dynamic NAT
2.2.3 Dynamic NAT configuration example
To configure RTA for dynamic NAT (see Figure [1]), follow these steps:
First, define the NAT pool.
RTA(config)#ip nat pool mynatpool 171.70.2.1 171.70.2.254 netmask 255.255.255.0
This command creates a pool of global addresses called mynatpool that can be
used by inside local hosts. But which local hosts are allowed to use this pool? An
access list may be used to match the source addresses to be translated, as shown
here:
RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mynatpool
The last command configures the router to use access-list 24 to decide
whether to translate the IP source address using mynatpool.
As the final configuration steps on the NAT router, the following commands
configure the appropriate interfaces to take on the role of outside and inside.
RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside
If the host at 10.1.1.6 sends an IP packet to an outside host, such as 4.1.1.1, RTA
will translate the source address and create a NAT table entry. Use the
show ip nat translations command to view the translation table.
Figure [2] shows that the inside local address 10.1.1.6 has been translated to the
inside global address 171.70.2.1. While this table entry exists, outside hosts can
use the global IP address 171.70.2.1 to reach the 10.1.1.6 host.
On a Cisco router, dynamic NAT table entries remain in the table for 24 hours
by default. Once the entry ages out, outside hosts will no longer be able to reach
10.1.1.6 until a new table entry is created. The table entry can only be created
from the inside.
A 24-hour timeout is relatively long. Therefore the translation timeout can be
adjusted using the following command:
Router(config)#ip nat translation timeout seconds
One of the primary advantages to dynamic NAT is the ability to serve a large
number of hosts with a smaller number of globally routable IP addresses. It is
important for translation table entries to timeout so that addresses in the pool
become available for other hosts.
A pool of 30 inside global addresses for 250 inside local hosts might be
configured; however, only 30 of the inside hosts could use a global address at
any one time. This configuration may work well in an environment where outside
(Internet) connectivity is infrequent and short-lived. If the inside hosts are using
outside connections for occasional web surfing or e-mail, this configuration may
be appropriate. However, if translation table entries don't age out fast enough,
the entire pool of addresses could be in use and additional hosts would be unable
to access the Internet. In order to serve a large number of hosts with just a
handful of addresses, overloading will have to be utilized (see "NAT Overload"
later in this chapter).
Although NAT is not a security firewall, it can prevent outsiders from initiating
connections with inside hosts, unless a permanent global address mapping exists
in the NAT table (static NAT). Because outside hosts never see the "pre-
translated" inside addresses, NAT has the effect of hiding the inside network
structure.
2.2.4 Static NAT
2.2.5 Configuring static NAT
Figure [1] shows the steps to configure static NAT. To configure static NAT as
shown in Figure [2] enter the following command:
RTA(config)#ip nat inside source static 10.1.1.7 171.70.2.10
Once the static mapping(s) have been configured, an inside and outside interface
must be specified, as shown here:
RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside
The ability to create static mappings makes NAT a useful tool if an organization
was ever to change providers. If the company moves from one ISP to another, it
may have to completely readdress its systems. Instead of readdressing, NAT can
be deployed to temporarily translate the old addresses to new ones, with static
mappings in place to keep Web and other public services available to the
outside.
One of the most powerful features of NAT routers is their ability to use Port
Address Translation (PAT), which allows multiple inside addresses to map to the
same global address. This is sometimes called a "many-to-one" NAT, or address
overloading. With address overloading, literally hundreds of privately addressed
nodes can access the Internet using a single global address. The NAT router
keeps track of the different conversations by mapping TCP and UDP port
numbers in the translation table. A translation entry that maps one IP address and
port pair to another is called an extended table entry.
For example, the figure shows three inside nodes using the same translated
global address of 171.70.2.2. Each of these hosts can communicate with different
Internet hosts, or even with the same outside host.
According to the NAT table shown in the figure, RTA translates the packet from
the inside local address, 10.1.1.5, TCP port 1232. The translated inside global
address is 171.70.2.2, also on port 1232.
The outside host at 2.2.2.2, TCP port 80 will reply to the address 171.70.2.2, on
port 1232. When RTA (the NAT router) receives this reply, it uses the
destination port number to determine whether the destination IP address should
be translated to 10.1.1.5, 10.1.1.6, or 10.1.1.7.
As long as the inside global port numbers are unique for each inside local host,
NAT overload will work. For example, if the host at 10.1.1.5 and 10.1.1.6 both
use TCP port 1234, the NAT router can create the extended table entries
mapping 10.1.1.5:1234 to 171.70.2.2:1234 and 10.1.1.6:1234 to
171.70.2.2:1235. In fact, NAT implementations don't necessarily try to preserve
the original port number.
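The port-collision behaviour just described can be modelled in a few lines of Python. The following is an added example, not part of the Cisco course material: it keeps the extended table entries for an overloaded address, assigns the next free global port when two inside hosts use the same local port, and steers a reply back to the inside host by destination port alone. The addresses are the ones in the text; the 4,000-entry limit and the 160 bytes per entry are the figures quoted later in this section.

```python
"""NAT overload (PAT) modelled in Python: an added example, not Cisco code.

It reproduces the behaviour described for router RTA: inside hosts
10.1.1.5 and 10.1.1.6 both using local port 1234 are mapped to the single
inside global address 171.70.2.2 on ports 1234 and 1235, and a reply is
steered back to the right inside host by its destination port alone.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's addressing: protocol plus source/destination IP:port."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatRouter:
    inside_global: str                       # the one address being overloaded
    max_entries: int = 4000                  # the text's realistic per-address figure
    # extended entries, keyed by (proto, inside local ip, inside local port)
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # reverse index used for replies: (proto, inside global port) -> inside local ip:port
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        """Keep the original port when it is free; otherwise walk to the next free one."""
        port = wanted
        while (proto, port) in self.inbound:
            port = port + 1 if port < 65535 else 1024
            if port == wanted:
                raise RuntimeError("no free %s ports on %s" % (proto, self.inside_global))
        return port

    def translate_out(self, f: Flow) -> Flow:
        """Inside -> outside: rewrite the source to inside_global:port, creating an
        extended table entry the first time a local ip:port pair is seen."""
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.outbound:
            if len(self.outbound) >= self.max_entries:
                raise RuntimeError("translation table full for %s" % self.inside_global)
            gport = self._pick_global_port(f.proto, f.src_port)
            self.outbound[key] = gport
            self.inbound[(f.proto, gport)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.inside_global, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: only the destination port identifies the inside host.
        A packet with no matching entry is dropped (None), which is why an outside
        host cannot initiate a connection through an overloaded address."""
        key = (f.proto, f.dst_port)
        if f.dst_ip != self.inside_global or key not in self.inbound:
            return None
        local_ip, local_port = self.inbound[key]
        return Flow(f.proto, f.src_ip, f.src_port, local_ip, local_port)

    def dram_bytes(self) -> int:
        """Rough table footprint at the ~160 bytes per translation quoted in the text."""
        return len(self.outbound) * 160


def demo() -> Tuple[Flow, Flow, Optional[Flow], Optional[Flow]]:
    """Walk through the port-collision case from the text."""
    rta = PatRouter("171.70.2.2")
    a = rta.translate_out(Flow("tcp", "10.1.1.5", 1234, "2.2.2.2", 80))
    b = rta.translate_out(Flow("tcp", "10.1.1.6", 1234, "2.2.2.2", 80))
    reply = rta.translate_in(Flow("tcp", "2.2.2.2", 80, "171.70.2.2", 1235))
    stray = rta.translate_in(Flow("tcp", "3.3.3.3", 80, "171.70.2.2", 9999))
    return a, b, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `stray` case is the point made earlier in this chapter: with no extended entry for the destination port, the router has nothing to translate to and the packet is dropped, so overloading alone prevents an outside host from initiating a connection to an inside host.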
NAT overload can go a long way to alleviate address depletion, but its
capabilities are limited. Over 65,000 inside addresses can theoretically map to a
single outside address. However, the actual number of translations supported by
a Cisco router varies; a realistic number is approximately 4,000 local
addresses per global address. Each NAT translation consumes about 160 bytes of
router DRAM.
NAT overload can be used in conjunction with dynamic mappings to a NAT
pool. A NAT device, such as a Cisco PIX Firewall, can then use a one-to-one
dynamic mapping until the available addresses are almost depleted, at which
time NAT can overload the remaining address or addresses. However, on a Cisco
IOS router, NAT will overload the first address in the pool until it is maxed out,
and then move on to the second address, and so on.
Configure NAT overload by using the keyword overload:
Router(config)#ip nat inside source list access-list-number pool name overload
RTA is configured as shown here:
RTA(config)#ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mypatpool overload
RTA(config)#interface bri 0
RTA(config-if)#ip nat outside
RTA(config-if)#interface ethernet 0
RTA(config-if)#ip nat inside
The ip nat pool command creates the pool of addresses that are used for
overloading. Notice that this pool, mypatpool, contains only 30 addresses. Using
NAT overload, these 30 addresses can comfortably serve hundreds, or even
thousands, of inside hosts (see Figure [1]). The access-list command
creates the access list that is used to match addresses that are to be translated.
The ip nat inside source list 24 command configures the router to
translate addresses that match access list 24 using inside global addresses from
mypatpool.
An address pool does not have to be configured in order for NAT overload to
work. If there are not any available IP addresses, the address of the outside
interface may be overloaded, as shown:
Router(config)#ip nat inside source list access-list-number interface interface-name overload
Typically, home users receive only one IP address from their provider. Figure [2]
shows how NAT overload can be configured using the outside interface.
2.2.8 TCP load distribution
2.2.9 Configuring TCP load distribution
The following are the steps for configuring a TCP load distribution:
1. Define a pool of addresses containing the addresses of the real hosts:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
2. Define an access list permitting the address of the virtual host:
Router(config)#access-list access-list-number permit source [source-wildcard]
3. Establish dynamic inside destination translation, identifying the access
list defined in Step 2:
Router(config)#ip nat inside destination list access-list-number pool name
4. Specify the inside interface:
Router(config)#interface type number
5. Mark the interface as connected to the inside:
Router(config-if)#ip nat inside
6. Specify the outside interface:
Router(config-if)#interface type number
7. Mark the interface as connected to the outside:
Router(config-if)#ip nat outside
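What the seven steps above produce at run time can be modelled in Python. The following is an added example, not Cisco code: a rotary pool hands each new TCP connection addressed to the virtual host to the next real host in turn, an established session keeps the real host it was given, and a real host's reply leaves with the virtual address as its source. The values are assumed for the example: the access list permits virtual host 10.1.1.127, the rotary pool holds real hosts 10.1.1.1 through 10.1.1.3, and the outside clients 171.69.1.x are constructed.

```python
"""TCP load distribution with a rotary NAT pool, modelled in Python.

Added example, not Cisco code. It follows the seven configuration steps
with assumed values: the access list permits the virtual host 10.1.1.127,
and the rotary pool holds the real hosts 10.1.1.1 through 10.1.1.3.
Outside connections to the virtual address are handed to the real hosts
in turn; everything else passes untranslated.
"""
import ipaddress
from itertools import cycle
from typing import Dict, List, Optional, Tuple


class RotaryNat:
    def __init__(self, virtual_ip: str, pool_start: str, pool_end: str) -> None:
        start = ipaddress.IPv4Address(pool_start)
        end = ipaddress.IPv4Address(pool_end)
        # Step 1: the rotary pool of real hosts, expanded from start-ip/end-ip.
        self.real_hosts: List[str] = [
            str(start + i) for i in range(int(end) - int(start) + 1)
        ]
        self._rotation = cycle(self.real_hosts)
        # Step 2: the access list permits only the virtual host address.
        self.virtual_ip = virtual_ip
        # Step 3: inside destination translations, one per TCP session,
        # keyed by (outside ip, outside port, virtual-host port).
        self.sessions: Dict[Tuple[str, int, int], str] = {}

    def outside_to_inside(self, src_ip: str, src_port: int, dst_ip: str,
                          dst_port: int, syn: bool) -> Optional[str]:
        """Return the destination address after translation, or None if dropped."""
        if dst_ip != self.virtual_ip:
            return dst_ip                       # not matched by the access list
        key = (src_ip, src_port, dst_port)
        if key not in self.sessions:
            if not syn:
                return None                     # mid-stream packet with no session
            self.sessions[key] = next(self._rotation)   # new session: next real host
        return self.sessions[key]

    def inside_to_outside(self, src_ip: str, src_port: int, dst_ip: str,
                          dst_port: int) -> str:
        """Return the source address a real host's reply carries on the outside."""
        key = (dst_ip, dst_port, src_port)
        if self.sessions.get(key) == src_ip:
            return self.virtual_ip              # reply is translated back to the virtual host
        return src_ip


def demo() -> List[Optional[str]]:
    """Four new connections, one established-session segment, one stray segment, one reply."""
    nat = RotaryNat("10.1.1.127", "10.1.1.1", "10.1.1.3")
    results: List[Optional[str]] = []
    # Four new connections from four outside clients: round robin wraps after three.
    for i, client in enumerate(["171.69.1.1", "171.69.1.2", "171.69.1.3", "171.69.1.4"]):
        results.append(nat.outside_to_inside(client, 40000 + i, "10.1.1.127", 80, syn=True))
    # The first client's next segment stays on the server it was given.
    results.append(nat.outside_to_inside("171.69.1.1", 40000, "10.1.1.127", 80, syn=False))
    # A non-SYN segment with no session is dropped.
    results.append(nat.outside_to_inside("171.69.9.9", 5555, "10.1.1.127", 80, syn=False))
    # The server's reply leaves with the virtual address as its source.
    results.append(nat.inside_to_outside("10.1.1.1", 80, "171.69.1.1", 40000))
    return results


if __name__ == "__main__":
    print(demo())
```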
2.2.10 TCP load distribution configuration example
2.2.11 Overlapping networks
Figure 3 Overlapping Networks
Figure 6 Output of show ip nat translations in Overlapping Network Scenario
the overlapping network so that HostA can reach those hosts. Figure [6] provides
the output of the show ip nat translations command after HostA has
sent HostZ an IP packet.
The first entry shown in Figure [6] was created when HostA sent a DNS query.
The second entry was created when RTA translated the payload of the DNS
reply. The third entry was created when the packet was exchanged between
HostA and HostZ. The third entry is a summary of the first two entries, and is
used for more efficient translations.
2.3 Verifying NAT Configuration
The commands covered in this section display translation information and clear
address translation entries from the NAT translation table.
The show ip nat translations [verbose] command can be used to
verify the active translations, as shown in Figure [1]. The verbose keyword can
be used with this command to display more information, including the time
remaining for a dynamic entry. Figure [2] shows the output of this command
while address overloading is in use.
Use the show ip nat statistics command to see NAT statistics, as
shown in Figure [3].
To trace the NAT operation, use the debug ip nat command to display a line
of output for each packet that gets translated. The detailed keyword may be
added to output even more information. The output shown in the figure is a
sample of a debug of address translation from inside to outside.
To decode the above debug output use the following key points:
• The asterisk next to NAT indicates that the translation is occurring in the
fast path. The first packet in a conversation will always go through the
slow path (i.e., be process-switched). The remaining packets will go
through the fast path if a cache entry exists.
• s = a.b.c.d is the source address.
• a.b.c.d -> w.x.y.z is the address that the source was translated to.
• d = a.b.c.d is the destination address.
• The value in brackets is the IP identification number. This information
may be useful for debugging because it enables correlation with other
packet traces from sniffers, for example.
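The key points above are enough to parse debug ip nat lines mechanically, which is useful when a long debug capture has to be correlated with a sniffer trace. The following is an added example, not Cisco code. The sample lines are constructed to follow those key points (an asterisk for the fast path, s= for the source, -> for the translated address, d= for the destination, and the IP identification number in brackets); they were not captured from a router, and the real output format may carry additional fields.

```python
"""Decoding debug ip nat output programmatically: an added example, not Cisco code.

The sample lines are constructed to follow the decoding key points in the
text; they were not captured from a router. The last line is deliberately
unrelated console output, to show that the parser skips what it cannot decode.
"""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_DEBUG = """\
NAT: s=10.1.1.5->171.70.2.2, d=2.2.2.2 [1232]
NAT*: s=10.1.1.5->171.70.2.2, d=2.2.2.2 [1233]
NAT*: s=2.2.2.2, d=171.70.2.2->10.1.1.5 [7]
some unrelated console output
"""

# NAT[*]: s=<src>[-><translated src>], d=<dst>[-><translated dst>] [<ip id>]
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_t>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_t>[\d.]+))? \[(?P<ip_id>\d+)\]$"
)


class NatEvent(NamedTuple):
    fast_path: bool              # asterisk present: cache hit, not process-switched
    direction: str               # "inside->outside" or "outside->inside"
    src: str
    translated_src: Optional[str]
    dst: str
    translated_dst: Optional[str]
    ip_id: int                   # IP identification, unchanged by translation


def parse_line(line: str) -> Optional[NatEvent]:
    """Decode one debug line; return None for lines that are not NAT debug output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # A translated source means inside-to-outside; a translated destination is the reply.
    direction = "inside->outside" if m.group("s_t") else "outside->inside"
    return NatEvent(m.group("fast") == "*", direction, m.group("s"), m.group("s_t"),
                    m.group("d"), m.group("d_t"), int(m.group("ip_id")))


def parse_debug(text: str) -> List[NatEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def inside_host_by_ip_id(events: List[NatEvent]) -> Dict[int, str]:
    """Map IP identification -> inside local address.

    Because the identification field survives translation, a packet seen by a
    sniffer on the outside can be tied back to the pre-translation inside host
    through this table, which is the correlation the text describes."""
    table: Dict[int, str] = {}
    for e in events:
        if e.direction == "inside->outside":
            table[e.ip_id] = e.src
        elif e.translated_dst is not None:
            table[e.ip_id] = e.translated_dst
    return table


if __name__ == "__main__":
    for event in parse_debug(SAMPLE_DEBUG):
        print(event)
    print(inside_host_by_ip_id(parse_debug(SAMPLE_DEBUG)))
```

In the sample, the first line carries no asterisk because the first packet of a conversation is process-switched, and the following packets show the asterisk once the cache entry exists.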
2.3.3 Clearing NAT translations
After enabling NAT, changes may not be made to the NAT process while
dynamic translations are active. To clear all translated entries, use the clear
ip nat translation * command.
It is possible to clear a simple translation entry containing an inside translation,
or both an inside and outside translation, by using the
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
command.
To clear a simple translation entry that contains an outside translation, use
the clear ip nat translation outside local-ip global-ip
command.
To clear an extended entry (in its various forms), use the
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
command. The following example shows the use of this command.
RTX#clear ip nat translation udp inside 192.168.2.2 1220 10.1.1.2 1220 outside 171.69.2.132 53 171.69.2.132 53
If NAT is properly configured but translations are not occurring, clear the NAT
translations and check to see if new translations occur.
2.4 NAT Considerations
2.4.2 NAT disadvantages
NAT is not without drawbacks. The tradeoff for address translation is a loss of
functionality, particularly with any protocol or application that involves sending
IP address information outside the IP header. NAT disadvantages include the
following:
• NAT increases delay. Switching path delays, of course, are introduced
because of the translation of each IP address within the packet headers.
Performance may be a consideration because NAT is currently
accomplished by using process switching. The CPU must look at every
packet to decide whether it has to translate it, and then alter the IP
header--and possibly the TCP header. It is not likely that this process
will be easily cacheable.
• One significant disadvantage when implementing and using NAT is the
loss of end-to-end IP traceability. It becomes much more difficult to
trace packets that undergo numerous packet address changes over
multiple NAT hops. This scenario does, however, lead to more secure
links because hackers who want to determine the source of a packet will
find it difficult, if not impossible, to trace or obtain the original source or
destination address.
• NAT also forces some applications that use IP addressing to stop
functioning because it hides end-to-end IP addresses. Applications that
use physical addresses instead of a qualified domain name will not reach
destinations that are translated across the NAT router. Sometimes, this
problem can be avoided by implementing static NAT mappings.
• Telnet
• Archie
• Finger
• Network Time Protocol (NTP)
• Network File System (NFS)
• rlogin, rsh, rcp
Although the following traffic types carry IP addresses in the application data
stream, they are supported by Cisco IOS NAT:
• ICMP
• File Transfer Protocol (FTP) (including PORT and PASV commands)
• NetBIOS over TCP/IP (datagram, name, and session services)
• Progressive Networks' RealAudio
• White Pines' CuSeeMe
• Xing Technologies' Streamworks
• DNS "A" and "PTR" queries
• H.323/NetMeeting [12.0(1)/12.0(1)T and later]
• VDOLive [11.3(4)/11.3(4)T and later]
• Vxtreme [11.3(4)/11.3(4)T and later]
• IP multicast [12.0(1)T] (source address translation only)
The following traffic types are not supported by Cisco IOS NAT:
• Routing table updates
• DNS zone transfers
• BOOTP
• talk, ntalk
• Simple Network Management Protocol (SNMP)
• NetShow
2.5 NAT Configuration Lab Exercises
Lab Activity
2.5.2 Configuring dynamic NAT
Lab Activity
2.5.3 Configuring NAT overload
Lab Activity
2.5.4 Configuring TCP load distribution
Lab Activity
This lab will configure NAT with the TCP Load Distribution option. The prefix-
length option will also be used as an alternative to the netmask option of the ip
nat pool command.
Summary
This chapter demonstrated that NAT allows the network to scale without
depleting the limited supply of global IP addresses. It also covered configuring
static NAT in addition to dynamic NAT and NAT overload (PAT). It was also
shown how NAT can be used to provide connectivity in overlapping IP
networks.
Section 3
Emerging Remote
Access Technologies
Table of Contents
1-2 Remote Access Section 3: Emerging Remote Access Technologies Copyright 2002, Cisco Systems, Inc.
Overview
This appendix gives an overview of emerging remote-access technologies.
Additionally, it discusses the pros and cons of accessing the Internet via cable
modems, wireless connections, and digital subscriber lines (xDSL).
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
3.1 Cable Modems
Cable modems enable two-way, high-speed data transmission using the same
coaxial lines that transmit cable television. Some cable service providers are
promising data speeds up to 6.5 times that of T1 leased lines. This speed makes
cable an attractive medium for transferring large amounts of digital information
quickly, including video clips, audio files, and large chunks of data. Information
that would take two minutes to download using ISDN can be downloaded in two
seconds through a cable-modem connection.
Cable-modem access provides speeds superior to leased lines, with lower costs
and simpler installation. When the cable infrastructure is in place, a firm can
connect through installation of a modem or router. Additionally, because cable
modems do not use the telephone system infrastructure, there are no local-loop
charges. Products such as the Cisco uBR904 universal broadband router cable
modem make cable access an even more attractive investment by integrating a
fully functional Cisco IOS router, four-port hub, and cable-modem into one unit
(see the figure). This combination allows businesses to replace combinations of
routers, bridges, hubs, and single-port cable modems with one product.
Cable modems provide a full-time connection. As soon as users turn on their
computers, they are connected to the Internet. This removes the time and effort
of dialing in to establish a connection. The "always-on" cable connection also
means that a company's "information pipe" is open at all times. This increases
the vulnerability of data to hackers and necessitates the installation of firewalls to
maximize security. Fortunately, the industry is moving toward standardization in
cable modems and addressing encryption needs. New models of the Cisco
uBR904 cable modem will provide IP Security (IPSec) and firewall capabilities.
These features protect company LANs and provide virtual private network
(VPN) tunneling, with options for authentication and encryption.
Because the connection is permanently established, cable-modem connections
take place over the Internet. Employees using a cable modem at home to surf the
Web can connect to a company LAN only if the business connects its LAN to
the Internet. Moving through the Internet in this way can restrict the speedy
connection of cable modems. To address this problem, many cable access
service providers are in the process of developing services that combine cable
and T1 connections. This will provide fast and reliable remote office-to-
corporate network connections.
Availability may be the biggest barrier to cable-modem adoption by businesses
because only a few office buildings have been outfitted for cable reception,
compared to the almost 85 percent of households in North America that are
wired for cable.
Some cable operators are in the process of replacing traditional one-way cable
systems with the more interactive two-way architecture known as hybrid fiber
coaxial (HFC). Due to the magnitude of this upgrade and the need to expand
networks to include businesses, the market penetration of cable modems is
expected to lag behind DSL.
Figure 2 How Cable Modems Work
Like telephone modems, cable modems modulate and demodulate data signals.
However, cable modems incorporate more functionality designed for today's
high-speed Internet services. In a cable network, data flowing from the network
to the user is referred to as downstream and data flowing from the user to the
network is referred to as upstream. From a user perspective, a cable modem is a
64/256 QAM radio frequency (RF) receiver capable of delivering up to 30 to 40
megabits per second (Mbps) of data in one 6-megahertz (MHz) cable channel.
This is almost 500 times faster than a 56-kilobit-per-second (kbps) modem. The
headend manages traffic flow from the user to the network. [1]
• Receive programming (for example, from NBC, CBS, and cable
networks such as MTV and ESPN)
• Convert each channel to the channel frequency desired; scramble
channels as needed (for the premium channels)
• Combine all the frequencies onto a single, broadband analog channel
(frequency-division multiplexing [FDM])
• Broadcast the combined analog stream downstream to subscribers
The data is modulated using a QPSK/16 QAM transmitter with data rates from
320 kbps up to 10 Mbps. The upstream and downstream data rates can be
configured to meet the needs of the subscribers. For instance, a business service
can be programmed to both transmit and receive at relatively high rates. A
residential user, on the other hand, can have their service configured to receive
higher bandwidth access to the Internet while limited to low-bandwidth
transmission to the network.
With a cable modem, a subscriber can continue to receive cable television
service while simultaneously receiving data to be delivered to a personal
computer. This is accomplished with the help of a simple one-to-two splitter.
The data service offered by a cable modem can be shared by up to 16 users in a
local-area network (LAN) configuration. [2]
Because some cable networks are suited for broadcast television services, cable
modems may use either a standard telephone line or a QPSK/16 QAM modem
over a two-way cable system to transmit data upstream from a user location to
the network. When a telephone line is used in conjunction with a one-way
broadcast network, the cable data system is referred to as a telephony return
interface (TRI) system. Telephone return means that the consumer (or the
subscriber modem) makes a telephone call to a terminal server when the
consumer requires return-path service. At the cable headend, data from
individual users is filtered by telephone-return systems for further processing by
a cable modem terminal server (CMTS). The CMTS communicates with the
cable modem to enforce the Media Access Control (MAC) protocol and RF
control functions, such as frequency hopping and automatic gain control.
A CMTS provides data switching necessary to route data between the Internet
and cable-modem users. Data from the network to a user group is sent to a
64/256 QAM modulator. The result is user data modulated into one 6-MHz
channel, which is the spectrum allocated for a cable television channel such as
ABC, NBC, or TBS for broadcast to all users. [3]
A cable headend combines the downstream data channels with the existing
video, pay-per-view, audio, and local advertiser programs that are received by
television subscribers. The combined signal is now ready to be transmitted
throughout the cable distribution network. When the signal arrives at the user's
site, two different devices receive it. A converter box, generally located on top
of a television, receives the television signal, while a cable modem or router
receives user data and sends it to a PC.
The CMTS, an important new element for support of data services, integrates
upstream and downstream communication over a cable data network. The
number of upstream and downstream channels in any particular CMTS can be
designed and adjusted based on the size of the serving area, number of users, and
data rates offered to each user.
Another important element in the operations and day-to-day management of a
cable data system is an element management system (EMS). An EMS is an
operations system designed specifically to configure and manage a CMTS and
associated cable-modem subscribers. These operations include provisioning,
day-to-day administration, monitoring, alarms, and testing of various
components of a CMTS. From a central Network Operations Center (NOC), a
single EMS can support many CMTS systems in a particular geographic region.
Beyond modulation and demodulation, a cable modem or router incorporates
many features necessary to extend broadband communications to wide-area
networks (WANs). The Internet Protocol (IP) is used at the network layer to
support the Internet services such as e-mail, Hypertext Transfer Protocol
(HTTP), and File Transfer Protocol (FTP). The data link layer comprises three
sublayers, including the Logical Link Control (LLC) sublayer, link security
sublayer conforming to the security requirements, and MAC sublayer suitable
for cable-system operations. Cable systems use the Ethernet frame format for
data-transmission over data channels. The downstream data channels and the
associated upstream data channels on a cable network basically form an Ethernet
WAN. As the number of subscribers increases, the cable operator can add more
upstream and downstream data channels to meet the additional bandwidth
requirements.
The link security sublayer is defined in three (sub) sets of requirements: baseline
privacy interface (BPI), security system interface (SSI), and removable security
module interface (RSMI). BPI provides cable-modem users with data privacy
across the cable network by encrypting data traffic between the cable modem
and CMTS. The operational support provided by the EMS allows a CMTS to
map cable-modem identities to paying subscribers and thereby authorize
subscriber access to data network services. These privacy and security
requirements are designed to protect user data as well as prevent unauthorized
use of cable data services.
Figure 2 Cable Data Network Architecture
• Data-over-Cable Service Interface Specification (DOCSIS) control
servers
In addition, a regional center may contain support and network management
systems necessary for the television as well as data network operations.
User data from local and regional locations is received at a regional data center
for further aggregation and distribution throughout the network (Figure [2]). A
regional data center supports the DHCP, DNS, and log control servers necessary
for cable data network administration. It also provides connectivity to the
Internet and the World Wide Web and contains the server farms necessary to
support Internet services. These servers include e-mail, Web hosting, news, chat,
proxy, caching, and streaming-media servers.
The cable data system comprises many different technologies and standards. For
cable modems to be mainstreamed, modems from different vendors must be
interoperable.
Physical Layer
Downstream Data Channel
At the physical layer, the downstream data channel is based on North American
digital video specifications (specifically, International Telecommunications
Union [ITU-T] Recommendation J.83 Annex B) and includes the following
features:
• 64 and 256 QAM
• 6 MHz-occupied spectrum that coexists with other signals in the cable
plant
• Variable-length interleaving support, both latency-sensitive and latency-
insensitive data services
• Contiguous serial bit stream with no implied framing, providing
complete physical and data link layer decoupling
Upstream Data Channel
The upstream data channel is a shared channel featuring the following:
• QPSK and 16 QAM formats
• Data rates from 320 kbps to 10 Mbps
• Flexible and programmable cable modem under control of CMTS
• Time-division multiple access
• Support of both fixed-frame and variable-length protocol data units
(PDUs)
Data Link Layer
The data link layer provides the general requirements for many cable-modem
subscribers to share a single upstream data channel for transmission to the
network. Among these requirements are collision detection and retransmission
capability. The large geographic reach of a cable data network poses special
problems as a result of the transmission delay between users close to headend
versus users at a distance from cable headend. To compensate for cable losses
and delay as a result of distance, the data link layer performs ranging, by which
each cable modem can assess time delay in transmitting to the headend. The data
link layer supports:
• timing and synchronization
• bandwidth allocation to cable modems at the control of CMTS
• error detection, handling and error recovery
• procedures for registering new cable modems
Network Layer
Cable data networks use IP for communication from the cable modem to the
network. The Internet Engineering Task Force (IETF) compliant DHCP typically
forms the basis for IP address assignment and administration in the cable
network.
Transport Layer
Cable data networks support both the Transmission Control Protocol (TCP) and
the User Datagram Protocol (UDP) at the transport layer.
Application Layer
All of the Internet-related applications are supported here. These applications
include HTTP, FTP, e-mail, Trivial File Transfer Protocol (TFTP), news, chat,
and Simple Network Management Protocol (SNMP). The use of SNMP provides
for management of the CMTS and cable data networks.
3.1.5 Cable summary
Many people are tuning into the Internet channel on their TV. Of all the high-
speed Internet access solutions, cable TV systems are probably the most talked
about. That is partly because they take advantage of existing broadband cable
TV networks and partly because they promise to deliver high-speed access at an
affordable price.
Although Internet access via cable is spreading rapidly, cable operators face an
uphill battle to reach the mainstream. Like telephone companies offering ISDN
service, cable operators must gain expertise in data communications to win and
keep customers.
One of the technical hurdles that cable providers face is the fact that satellites are
only one-way devices. If cable operators make their one-way networks into
interactive HFC networks, cable modems could work in both directions. When
this is accomplished, the technology could offer the best price/performance
combination of any Internet access method to date, delivering close to 10-Mbps
speeds at less than $50 per month. This is significantly better than the
cost/performance factor of ISDN access.
As discussed, making the cable-to-PC connection requires a cable modem to
modulate and demodulate the cable signal into a stream of data. The similarity
with analog modems ends there. Cable modems also incorporate the following:
• a tuner for separating the data signal from the rest of the broadcast
stream
• bridge and router technology to connect to multiple devices
• network-management software agents to enable the cable company to
control and monitor operations
• encryption devices to deter data interception
Each cable modem has an Ethernet interface for internal network connectivity
and a coaxial cable connection for the WAN connection. A network interface
card (NIC) is installed in the PC and connected to the cable modem Ethernet port
with a straight through cable. There are no phone numbers to dial and no
limitations on serial-port throughput (as is the case with ISDN modems). The
result is high-speed throughput with download speeds varying from 500 kbps to
30 Mbps and uploads from 96 kbps to 10 Mbps.
3.2 Wireless Network Access
3.2.1 Overview
Tremendous strides have been made on wired networks. Copper and fiber
networks dominate the Layer 1 space. The transmission capacity of wired
networks is virtually limitless as carriers can arbitrarily add bandwidth as
demand increases.
Despite the capacity of wired networks, wireless networks have had the greatest
success among consumers. Broadcast television, cellular telephone, paging, and
direct broadcast satellite are all wireless services that have met with commercial
success, despite the fact that wireless networks typically carry lower bit rates and
higher costs than wired networking.
When installing cables underground it may be necessary to obtain permission
from residents or obtain permits and easements. Product managers who roll out
wired services struggle with marketing and demographic studies to determine the
best neighborhoods in which to introduce services.
Even if the right neighborhoods are identified, it is expensive and time-
consuming to dig or install overhead cables. To some observers, the fixed
networks of wired systems look like vulnerable high-capital assets in a world of
fast-changing technologies.
Numerous wireless access network technologies are intended by their proponents
to serve the consumer market. These are Direct Broadcast Satellite (DBS),
Multichannel Multipoint Distribution Services (MMDS), and Local Multipoint
Distribution Services (LMDS). The figure illustrates the network architecture of
a typical wireless network. The return-path flows through wired networks or, in
the case of LMDS, through wireless networks.
The content provider forwards content through the core network and to the
wireless access node. This access node reformats data and modulates it for
satellite or land-based microwave transmission. A receiving antenna at the home
end forwards traffic through the home network to the terminal equipment, which
is either a TV set-top box or a PC.
In the return path, the consumer uses either the same network that is used for the
forward transmission or another access network. Another access network is
needed when using DBS or MMDS services, which are one-way networks. The
return-path network could be a telephone return, xDSL, or another wireless
service, such as digital personal communications services (PCS). PCS service
includes wireless voice, a digital form of cellular telephony, as well as wireless
data.
Because forward and return path traffic can use different physical media, traffic
sources must be matched so that a single bidirectional session exists between the
content provider and the terminal equipment. The wireless access node or
another switching/routing device inside the core network can perform this
matching.
While cable operators were only talking about digital TV, DBS companies
actually achieved it, taking the entire cable industry by surprise. Early entrants
were Primestar, DirecTV, and United States Satellite Broadcasting (USSB), all
of which launched in 1994.
In the United States, DBS is viewed as a commercial success. DBS signed a
surprising five million customers in its first three years of operation. This
response is particularly strong considering the fact that customers initially paid
up to $800 for a home satellite dish and installation. Such a strong start has cable
TV operators concerned. More troubling for U.S. cable operators is that the
average DBS subscriber spends about 50 percent more per month than the
average cable subscriber (about $52 versus $35 per month). This difference is
partly due to sales of premium sports and movie packages.
Much of the success of DBS is due to imaginative programming packages.
Aggressive marketing of sports packages has created varied content for which
DBS has found an eager market.
Coast. From these orbits, each satellite can broadcast over the contiguous United
States, southern Canada, and Mexico.
The satellite receives a signal and remodulates it to the designated spectrum for
DBS. DBS occupies 500 MHz of the Ku band, from 12.2 to 12.7 GHz. The Ku band as
a whole spans 10.7 GHz to 12.75 GHz. DBS satellites are allowed by regulation to
broadcast at 120 W to enable reception on small satellite dishes. This is more
power than the C-band satellites, with their larger dishes, that predate DBS.
This higher-powered transmission and smaller dish distinguish DBS from other
forms of satellite reception.
DBS uses Quadrature Phase Shift Keying (QPSK) modulation to encode digital data
on the RF carriers. DirecTV encodes using the MPEG-2 format to enable a
resolution of up to 720x480 pixels on the user's monitor. Primestar used a
proprietary video compression system developed by General Instruments called
DigiCipher-1. (NOTE: Primestar was purchased by DIRECTV in 1999 and stopped
broadcasting in 2000.) Echostar uses a transmission system based on the
European Digital Video Broadcast (DVB) standard. DVB uses MPEG-2 and
standardizes control elements of the total system, such as conditional access.
Although 720x480 is the maximum resolution offered today, DBS is capable of
higher pixel resolution. In fact, DBS is an early delivery vehicle for high-
definition TV (HDTV) programming, with HBO, Showtime, and Pay-Per-View
broadcasting in 1080i and 720P formats. These formats are backward compatible
to standard definition (480i resolution) through composite and S-Video outputs.
3.2.4 Data service
3.3 Multichannel Multipoint Distribution
Services
3.3.1 Overview
The success of DBS convinced telephone companies and other potential cable
competitors that delivering digital video to consumers is a viable business. When
these competitors analyzed the issues associated with DBS, they found that local
content plays the greatest role in marketing a given service. Thus, some would-
be competitors to DBS sought to improve on it by providing a wireless,
multichannel broadband service with local channels. This is called Multichannel
Multipoint Distribution Service (MMDS) and is referred to by DAVIC (Digital
Audio-Visual Council) as Multipoint Video Distribution Systems (MVDS).
MMDS provides local over-the-air stations and local advertiser access to digital
delivery.
MMDS uses 198 MHz of licensed spectrum in the 2.5-GHz range, which could
support 33 analog TV channels. This is comparable in channel capacity to DBS.
Note that the bit rate available to the MMDS operator is comparable to the bit
rate available from DBS systems, even though a narrower spectrum is available.
This is because MMDS uses more aggressive modulation techniques. DBS has 500
MHz of bandwidth using QPSK modulation (2 b/Hz). MMDS has about 200 MHz
using 64-QAM modulation (6 b/Hz). After overhead bits and error correction,
both DBS and MMDS can achieve nearly 1 Gb/s of throughput. The auction rules
provided no regulations regarding spectrum use. Operators are free to decide
whether to offer Internet access, TV, or a combination of the two.
The key technical difference between MMDS and DBS is the use of ground-
based, or terrestrial microwave, rather than geosynchronous satellites. This
represents a difference in the delivery of local content. MMDS provides this
service by having local production facilities that can insert local over-the-air
channels into the national feeds. The figure shows a schematic of MMDS
service.
The programmer delivers national television feeds to a production facility. The
feeds can come from geosynchronous satellite transmission or high-speed wired
services, such as fiber-optic networks. Despite what appears to be a good
technical fit, there is little current movement to link MMDS with DBS. DBS
could provide economic national distribution of programming for resale by
MMDS.
Local content and advertising are acquired over the air, encoded into MPEG, and
multiplexed with the national programming for local distribution to the viewers.
MPEG enables digital multiplexing and thus is a key facilitator of MMDS. Data
services may also be received from Web content providers. In this case, the
information is in digital format but requires additional processing, such as
encapsulation into MPEG and address resolution, before being transmitted.
After the programming mix is determined, composite programming is delivered
by satellite or fiber to the MMDS broadcast tower. Generally, the MMDS
headend and the MMDS broadcast tower are not co-located because the tower
should be placed at a high elevation. At the receiving site, a small microwave-
receiving dish, a little larger than a DBS dish is mounted outside the home to
receive the signals. A decoder presents the TV images to the TV set. Other units
are capable of decoding data for PC users. Return-path data is transmitted on
another access network; telephone networks commonly are used for this purpose.
For example, it is possible to have an RJ-11 telephone jack on the set-top box.
Consideration is also being given to other wireless networks, such as digital PCS
and paging networks, for return-path purposes.
The range of MMDS is limited primarily by line-of-sight. In relatively flat areas,
if the transmitter can be located high enough, the signal can reach over 50 miles.
Pacific Bell Video Services (PBVS), for example, currently is rolling out
MMDS in Los Angeles and Orange counties in southern California using only
two towers. About 75 percent of homes will be able to receive MMDS signals
reliably. The remaining 25 percent are limited by line-of-sight problems.
Because of the availability of telephone return path, MMDS operators are
capable of providing data service very similar to that of cable. Zenith, Hybrid,
and General Instruments are taking advantage of their data and cable TV
experience to provide data and MMDS modems using telephone return.
3.4 Local Multipoint Distribution Services
3.4.1 Overview
Local Multipoint Distribution Service (LMDS) is a delivery service with a more
aggressive strategy than MMDS. This service is known in Canada as Local
Multipoint Communication Service (LMCS). The major disadvantages of
MMDS are the lack of an inband return path and the lack of sufficient bandwidth
to surpass cable channel capacity (by offering superior interactive data services).
A strong Internet access network must have two-way service and enough
bandwidth to compete with data and cable.
LMDS is a two-way, high-bit-rate, wireless service under development by a
variety of carriers to solve the return-path problem and vastly increase
bandwidth. If significant technological hurdles can be overcome, LMDS offers
the greatest two-way bit rate of any residential service, wired or wireless, at
surprisingly low infrastructure costs.
No restrictions exist as to how carriers use their bandwidth, so bandwidth can be
subdivided in any manner carriers see fit. If an LMDS carrier had 1150 MHz of
bandwidth, for example, it would be possible to use 500 MHz for broadcast TV,
50 MHz for local broadcast, 300 MHz for forward data services, and 300 MHz
for upstream data. Using only the relatively robust QPSK modulation, this
bandwidth can provide the following:
• All the broadcast channels of DBS (500 MHz)
• All local over-the-air channels (50 MHz)
• Up to 1 Gb/s of full-duplex data service (600 MHz, 300 MHz in each direction)
In other words, the potential exists to offer more TV than satellite and more data
than cable. This frequency plan is just one example of how a carrier could
choose to offer service. Other carriers might choose to segment their frequencies
differently and would be permitted to do so under FCC rules.
For businesses in cities, LMDS is a very cost-effective broadband wireless
alternative to land-lines for multiple services. LMDS operates at higher
frequencies where more spectrum is available (data rates currently range up to
155 Mbps) and smaller, cheaper antennas are possible.
3.4.2 LMDS architecture
The program mix is delivered by satellite or fiber to the LMDS broadcast tower.
Generally, the LMDS headend and the LMDS broadcast tower are not co-located
because the headend production facilities are normally shared among several
towers.
An LMDS transmitter tower is erected in the neighborhood, and traffic is
broadcast to consumers using QPSK modulation with forward error correction
(FEC). It is possible to use QAM modulation, but QPSK is chosen because it is
more robust than QAM 16 or QAM 64 and because bandwidth is so plentiful
that spectral efficiency is not an issue.
As shown in Figure [2], consumers receive the signal on a small dish about the
size of a DBS dish or a flat-plate antenna. The dish is mounted outside the home
and is connected by cable to a set-top converter, much the same way in which
DBS connections are made. The signal is demodulated and fed to a decoder.
Unlike DBS, LMDS is capable of two-way service, so both TV sets and PCs
must be connected to the dish. Furthermore, a two-way home networking
capability must be supported instead of just the simple broadcast scheme of
DBS.
In the return path, the customer transmits to the carrier using the same dish with
QPSK modulation. A MAC protocol is required because the residences in the
coverage area share the return spectrum.
Architecturally, LMDS looks very much like cable TV. Cable TV clusters serve
about 500 homes. The MAC protocol is similar to cable TV, as are the application-specific
integrated circuits (ASICs) for the customer premises modulators and
demodulators. Upstream users request data slots on a contention basis. After
slots are granted, the sender transmits in those slots, free of contention. Ranging
and power-level controls are also required, as is the case with cable.
3.4.3 Wireless broadband summary
Multiple wireless options exist that potentially can support broadband services.
The services discussed in this chapter, DBS, MMDS, and LMDS, overlap
somewhat in functionality but differ enough to attract a particular segment of
users. The table in the figure to the left compares features among these
technologies.
3.5 Wireless Local Area Networking
WLANs use a transmission medium, just like wired LANs. Instead of using
twisted-pair or fiber-optic cable, WLANs use either infrared (IR) light or RF
(radio frequency). Of the two, RF is far more popular for its longer range, higher
bandwidth, and wider coverage. Most wireless LANs today use the 2.4-gigahertz
(GHz) frequency band, the only portion of the RF spectrum reserved around the
world for unlicensed devices. The freedom and flexibility of wireless networking
can be applied both within buildings and between buildings.
WLAN technology can take the place of a traditional wired network or extend its
reach and capabilities. Much like their wired counterparts, in-building WLAN
equipment consists of PC Card, Peripheral Component Interconnect (PCI), and
Industry-Standard Architecture (ISA) client adapters. They also have access
points, which perform functions similar to wired networking hubs. As with
wired LANs for small or temporary installations, a WLAN can be arranged in a
peer-to-peer (ad hoc) topology using only client adapters. For added
functionality and range, access points can be incorporated to act as the center of
a star topology while simultaneously bridging with an Ethernet network.
3.5.3 Building-to-building WLANs
In much the same way that a commercial radio signal can be picked up in all
sorts of weather, miles from its transmitter, WLAN technology applies the power
of radio waves to truly redefine the "local" in LAN. With a wireless bridge,
networks located in buildings miles from each other can be integrated into a
single local-area network. When bridging between buildings with traditional
copper or fiber-optic cable, freeways, lakes, and even local governments can be
impassible obstacles. A wireless bridge makes them irrelevant, transmitting data
through the air and requiring no license or right of way.
Without a wireless alternative, organizations frequently resort to wide-area
networking (WAN) technologies to link together separate LANs. Contracting
with a local telephone provider for a leased line presents a variety of drawbacks.
Installation is typically expensive and rarely immediate. Monthly fees are often
quite high for bandwidth that, by LAN standards, is very low. A wireless bridge
can be purchased and then installed in an afternoon for a cost that is often
comparable to a T1 installation charge alone. After the investment is made, there
are no recurring charges. Today's wireless bridges provide the bandwidth one
would expect from a technology rooted in data, rather than voice,
communications.
3.5.4 The wireless LAN standard
In the wired world, Ethernet has grown to become the predominant LAN
technology. Its evolution parallels, and indeed foreshadows, the development of
the wireless LAN standard. Defined by the Institute of Electrical and Electronics
Engineers (IEEE) with the 802.3 standard, Ethernet provides an evolving, high-
speed, widely available, and interoperable networking standard. It has continued
to evolve to keep pace with the data rate and throughput requirements of
contemporary LANs. Originally providing for 10-Mbps transfer rates, the
Ethernet standard evolved to include the 100-Mbps transfer rates required for
network backbones and bandwidth-intensive applications. The IEEE 802.3
standard is open, decreasing barriers to market entry and resulting in a wide
range of suppliers, products, and price points from which Ethernet users can
choose. Perhaps most importantly, conformance to the Ethernet standard allows
for interoperability, enabling users to select individual products from multiple
vendors while secure in the knowledge that they will all work together.
The first wireless LAN technologies were low-speed (1-2 Mbps) proprietary
offerings. Despite these shortcomings, their freedom and flexibility allowed
these early products to find markets in retail and warehousing where mobile
workers use hand-held devices for inventory management and data collection.
Later, hospitals applied wireless technology to deliver patient information right
to the bedside. As computers made their way into the classrooms, schools and
universities began installing wireless networks to avoid cabling costs and to
share Internet access. The pioneering wireless vendors soon realized that for the
technology to gain broad market acceptance, an Ethernet-like standard was
needed. The vendors joined together in 1991, first proposing, and then building,
a standard based on contributed technologies. In June 1997, the IEEE released
the 802.11 standard for wireless local-area networking.
Just as the 802.3 Ethernet standard allows for data transmission over twisted-pair
and coaxial cable, the 802.11 WLAN standard allows for transmission over
different media. Compliant media include infrared light and two types of radio
transmission within the unlicensed 2.4-GHz frequency band:
• frequency hopping spread spectrum (FHSS)
• direct sequence spread spectrum (DSSS)
Spread spectrum is a modulation technique developed in the 1940s that spreads a
transmission signal over a broad band of radio frequencies. This technique is
ideal for data communications because it is less susceptible to radio noise and
creates little interference. FHSS is limited to a 2-Mbps data transfer rate and is
recommended for only very specific applications; for example, certain types of
watercraft lend themselves to this technology. For all other wireless LAN
applications, DSSS is the better choice. The recently released evolution of the
IEEE standard, 802.11b, provides for a full Ethernet-like data rate of 11 Mbps
over DSSS. FHSS does not support data rates greater than 2 Mbps.
band where there is room for increased bandwidth. Using an optional modulation
technique within the 802.11b specification, it is possible to double the current
data rate. Cisco already has 22 Mbps on the road map for the future. Wireless
LAN manufacturers migrated from the 900-MHz band to the 2.4-GHz band to
improve data rate. This pattern promises to continue, with a broader frequency
band capable of supporting higher bandwidth available at 5 GHz. The IEEE has
already issued a specification (802.11a) for equipment operating at 5 GHz that
supports up to a 54-Mbps data rate. This generation of technology will likely
carry a significant price premium when it is introduced sometime in 2001. As is
typical, this premium will decrease over time while data rates increase. The 5.7-
GHz band promises to allow for the next breakthrough data rate of 100 Mbps.
Security
The wired equivalent privacy (WEP) option to the 802.11 standard is only the
first step in addressing customer security concerns. Security is currently
available for wireless networking, offering up to 128-bit encryption and
supporting both the encryption and authentication options of the 802.11
standard. The standard specifies the WEP algorithm (the RC4 stream cipher)
with a 40-bit secret key; the "128-bit" option is a 104-bit secret key. In
both cases the remaining 24 bits of the RC4 seed are a per-packet
initialization vector (IV) that is transmitted in the clear ahead of the
encrypted payload.
When WEP is enabled, each station (clients and access points) has up to four
keys. The keys are used to encrypt the data before it is transmitted through the
air. If a station receives a packet that is not encrypted with the appropriate key,
the decrypted integrity check value (a CRC-32 over the payload) does not verify,
and the packet is discarded and never delivered to the host. The figure shows an
outside user being rejected because of an incorrect key.
Although the 802.11 standard provides encryption services for the WLAN, the
means by which the secret keys are granted, revoked, and refreshed is still
undefined. The encryption itself is also weaker than "strong": the 24-bit IV
space is exhausted in a matter of hours on a busy network, and every repeated
IV reuses an RC4 keystream, which gives an eavesdropper the XOR of two
plaintexts; the CRC-32 check value is linear, so an attacker can flip chosen
bits of an encrypted frame and repair the check without knowing the key. These
weaknesses were published in 2001, and WEP was later superseded by WPA and
IEEE 802.11i (WPA2). Key management does not repair them, but it is still
needed. Fortunately, several key administration architectures are
available for use in the enterprise. The best approach for large networks is
centralized key management, which uses centralized encryption key servers. A
popular strategy includes the addition of encryption key servers to ensure that
valuable data is protected. Encryption key servers provide for centralized
creation of keys, distribution of keys, and ongoing key rotation. Key servers
enable the network administrator to command the creation of RSA public/private
key pairs at the client level that are required for client authentication. The key
server will also provide for the generation and distribution to clients and access
points of the keys needed for packet encryption. This implementation eases
administration and helps avoid compromising confidential keys.
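The WEP mechanics described above, as an added example that is not Cisco's code and not taken from any vendor product: a minimal WEP implementation (RC4 seeded with the 24-bit IV prepended to a 40-bit key, CRC-32 integrity check value) that shows a receiver discarding a frame decrypted under the wrong key, and then the two weaknesses noted above: keystream reuse when an IV repeats, and the linear check value letting an attacker rewrite an encrypted frame without the key. The key, IV and HTTP-like payloads are constructed for this example; the 802.11 header and key-ID byte of a real frame are omitted.

```python
"""WEP as defined in 802.11-1999: RC4 seeded with IV || key, CRC-32 ICV (added example)."""
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return iv || RC4(iv||key)(payload || CRC32(payload)); key is 40 or 104 bits."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (icv_ok, payload). A station drops the frame when icv_ok is False."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    ok = zlib.crc32(payload).to_bytes(4, "little") == icv
    return ok, (payload if ok else b"")


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same key and IV means the same keystream, so c_a ^ c_b == p_a ^ p_b."""
    assert frame_a[:3] == frame_b[:3], "only meaningful when the IV repeats"
    return xor_bytes(frame_a[3:], frame_b[3:])


def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen payload bits of an encrypted frame and repair its ICV without the key.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    attacker XORs crc(d) ^ crc(zeros) into the encrypted ICV bytes.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor_bytes(body[:n], delta) + xor_bytes(body[n:], icv_delta)


# Constructed sample data: a 40-bit key, one IV and two equal-length payloads.
KEY = bytes.fromhex("0102030405")
WRONG_KEY = bytes.fromhex("0102030406")
IV = bytes.fromhex("000001")
P1 = b"GET /index.html HTTP/1.0\r\n"
P2 = b"POST /login.cgi HTTP/1.0\r\n"


def demo() -> dict:
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)                 # IV repeats: 2^24 values run out fast
    wrong_ok, _ = wep_decrypt(WRONG_KEY, f1)       # wrong key -> ICV mismatch -> dropped
    leak = keystream_reuse_leak(f1, f2)            # eavesdropper learns P1 ^ P2 ...
    recovered = xor_bytes(leak, P1)                # ... and all of P2 once P1 is guessed
    forged = forge_bitflip(f1, xor_bytes(b"GET", b"PUT"))
    forged_ok, forged_payload = wep_decrypt(KEY, forged)
    return {"wrong_key_accepted": wrong_ok, "recovered_p2": recovered,
            "forged_accepted": forged_ok, "forged_payload": forged_payload}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The ICV fix-up in `forge_bitflip` relies only on CRC-32 being affine over GF(2); a keyed message authentication code, as used by WPA and 802.11i, is what actually binds a frame to the key, and no amount of key rotation substitutes for it.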
3.5.6 Mobility services
points, can be centrally configured and managed to facilitate consistency of
WLAN network policy.
3.5.7 Conclusion
Today, the WLAN has redefined what it means to be connected. It has stretched
the boundaries of the local-area network. It makes an infrastructure as dynamic
as it needs to be. It has only just begun: the standard is less than three years old,
with the high-speed 802.11b yet to reach its first birthday. With standard and
interoperable wireless products, LANs can reach scales unimaginable with a
wired infrastructure. They can make high-speed interconnections for a fraction
of the cost of traditional wide area technologies. In a wireless world, users
can roam not only within a campus but also within a city, while maintaining
a high-speed link to extranets, intranets, and the Internet itself.
3.6 Digital Subscriber Line
3.6.2 Asymmetric digital subscriber line (ADSL)
3.6.3 ADSL services architecture
Figure 3 End-to-End DSL Protocol Stack
• Aggregation - aggregates multiple subscriber virtual circuits (VCs) into
trunk PVCs to reduce the number of VC connections across the network
core; instead of one VC per subscriber, this uses one VC for many
subscribers to the same destination
• SVC and MPLS - uses switched virtual circuits (SVCs) to
autoprovision connections from the CPE through the DSLAM to an edge
label switch router (edge LSR), where it enters the Multiprotocol Label
Switching (MPLS)-enabled network core.
Figure [3] outlines the end-to-end protocol stack used with xDSL.
Figure 2 ADSL Capabilities
errors caused by impulse noise. Error correction on a symbol-by-symbol basis
also reduces errors caused by continuous noise coupled into a line.
various data rates over ordinary telephone lines. The inside, where all the
transistors work, is a miracle of modern technology. Figure [1] displays the
ADSL transceiver network end.
To create multiple channels, ADSL modems divide the available bandwidth of a
telephone line in one of two ways: FDM or echo cancellation (Figure [2]). FDM
(Frequency-Division Multiplexing) assigns one band for upstream data and
another band for downstream data. The downstream path is then divided by time-
division multiplexing (TDM) into one or more high-speed channels and one or
more low-speed channels. The upstream path is also multiplexed into
corresponding low-speed channels. Echo cancellation assigns the upstream band
to overlap the downstream, and separates the two by means of local echo
cancellation, a technique well known in V.32 and V.34 modems. With either
technique, ADSL splits off a 4-kHz region for basic telephone service at the DC
end of the band.
An ADSL modem organizes the aggregate data stream created by multiplexing
downstream channels, duplex channels, and maintenance channels together into
blocks, and attaches an error correction code to each block. The receiver then
corrects errors that occur during transmission up to the limits implied by the
code and the block length. The unit may, at the user's option, also create
superblocks by interleaving data within subblocks. This allows the receiver to
correct any combination of errors within a specific span of bits. This in turn
allows for effective transmission of both data and video signals.
• Network management
• Testing and interoperability
3.7 Very-High-Data-Rate Digital
Subscriber Line
3.7.1 Overview
Figure 1 VDSL
It is becoming increasingly clear that telephone companies around the world are
making decisions to include existing twisted-pair loops in their next-generation
broadband access networks. Hybrid fiber coaxial (HFC), a shared-access
medium well suited to analog and digital broadcast, comes up somewhat short
when used to carry voice telephony, interactive video, and high-speed data
communications at the same time. Fiber all the way to the home (FTTH) is still
prohibitively expensive in the marketplace. An attractive alternative, soon to be
commercially viable, is a combination of fiber cables feeding neighborhood
optical network units (ONUs) and last-leg-premises copper connections. This
topology, which is often called fiber to the neighborhood (FTTN), encompasses
fiber to the curb (FTTC) with short drops and fiber to the basement (FTTB),
serving tall buildings with vertical drops.
One of the enabling technologies for FTTN is VDSL. In simple terms, VDSL
transmits high-speed data over short reaches of twisted-pair copper telephone
lines, with a range of speeds depending on actual line length. The maximum
downstream rate under consideration is between 51 and 55 Mbps over lines up to
1000 feet (300 m) long. Downstream speeds as low as 14 Mbps over lengths
beyond 4000 feet (1500 m) are also common. Upstream rates in early models
will be asymmetric, just like ADSL, at speeds from 1.6 to 2.3 Mbps. Both data
channels will be separated in frequency from bands used for basic telephone
service and Integrated Services Digital Network (ISDN), enabling service
providers to overlay VDSL on existing services. At present the two high-speed
channels are also separated in frequency. As needs arise for higher-speed
upstream channels or symmetric rates, VDSL systems may need to use echo
cancellation.
3.7.2 VDSL projected capabilities
Although VDSL has not achieved the same degree of definition as ADSL, it has
advanced far enough that we can discuss realizable goals, beginning with data
rate and range. Downstream rates derive from fractional multiples of the
Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy
(SDH) canonical speed of 155.52 Mbps, namely 51.84 Mbps, 25.92 Mbps, and
12.96 Mbps. Each rate has a corresponding target range (see the figure).
Upstream rates under discussion fall into three general ranges:
• 1.6-2.3 Mbps
• 19.2 Mbps
• Equal to downstream
Early versions of VDSL will almost certainly incorporate the slower asymmetric
rate. Higher upstream and symmetric configurations may be possible only for
very short lines. Like ADSL, VDSL must transmit compressed video; a real-time
signal unsuited to error retransmission schemes used in data communications. To
achieve error rates compatible with those of compressed video, VDSL will have
to incorporate FEC with sufficient interleaving to correct all errors created by
impulsive noise events of some specified duration. Interleaving introduces delay,
on the order of 40 times the maximum length correctable impulse.
Data in the downstream direction will be broadcast to every CPE on the premises
or be transmitted to a logically separated hub that distributes data to addressed
CPE based on cell or TDM within the data stream itself. Upstream multiplexing
is more difficult. Systems using a passive network termination (NT) must insert
data onto a shared medium, either by a form of TDM access (TDMA) or a form
of FDM. TDMA may use a species of token control called cell grants passed in
the downstream direction from the ONU modem, or contention, or both
(contention for unrecognized devices, cell grants for recognized devices). FDM
gives each CPE its own channel, making a MAC protocol unnecessary, but either
limiting data rates available to any one CPE or requiring dynamic allocation of
bandwidth and inverse multiplexing at each CPE. Systems using active NTs
transfer the upstream collection problem to a logically separated hub that
(typically) uses Ethernet or ATM upstream multiplexing.
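The request-then-grant upstream scheme described for LMDS in section 3.4.2 (slots requested on a contention basis, then transmitted in free of contention) and for passive-NT VDSL here (contention for unrecognized devices, cell grants for recognized ones), as an added example that is not Cisco's or any vendor's code. A headend hears requests from not-yet-recognized CPE in contention slots, then broadcasts a map naming one station per data slot, so granted transmissions never collide. The frame layout, station count, cell counts and p-persistent backoff are assumptions chosen for the example.

```python
"""Contention requests plus cell grants on a shared upstream channel (added example)."""
import random
from collections import deque


def simulate_upstream_mac(n_stations: int, cells_per_station: int, contention_slots: int,
                          grant_slots: int, p_persist: float = 0.5, seed: int = 1,
                          max_frames: int = 10_000) -> dict:
    """Run MAC frames until every CPE has delivered its cells; return counters.

    Each frame has `contention_slots` request slots, used only by stations the headend
    has not yet recognized, then `grant_slots` data slots. The headend broadcasts a map
    naming one station per data slot, so granted transmissions never collide; only the
    request slots are contended, with p-persistent backoff after a collision.
    """
    rng = random.Random(seed)
    pending = {s: cells_per_station for s in range(n_stations)}   # cells queued at each CPE
    unrecognized = set(pending)                                    # still need a clean request
    grant_queue = deque()                                          # headend's FIFO of grants
    stats = {"frames": 0, "contention_collisions": 0, "data_collisions": 0, "delivered": 0}
    total = n_stations * cells_per_station
    while stats["delivered"] < total:
        stats["frames"] += 1
        if stats["frames"] > max_frames:
            raise RuntimeError("contention never resolved")
        # Request phase: each unknown CPE may pick one contention slot this frame.
        chosen = {}
        for s in unrecognized:
            if rng.random() < p_persist:
                chosen.setdefault(rng.randrange(contention_slots), []).append(s)
        for members in chosen.values():
            if len(members) == 1:                       # heard cleanly: schedule its cells
                s = members[0]
                unrecognized.discard(s)
                grant_queue.extend([s] * pending[s])
            else:                                       # two or more talkers: nothing decodable
                stats["contention_collisions"] += 1
        # Grant phase: headend builds the downstream map, one station per data slot.
        slot_map = {slot: grant_queue.popleft()
                    for slot in range(min(grant_slots, len(grant_queue)))}
        # Data phase: a CPE transmits only in the slots the map assigns to it.
        senders = {}
        for s in range(n_stations):
            for slot, owner in slot_map.items():
                if owner == s and pending[s] > 0:
                    senders.setdefault(slot, []).append(s)
        # Headend receiver: a slot with exactly one sender yields a cell.
        for slot, who in senders.items():
            if len(who) == 1:
                pending[who[0]] -= 1
                stats["delivered"] += 1
            else:
                stats["data_collisions"] += 1
    return stats


if __name__ == "__main__":
    print(simulate_upstream_mac(n_stations=8, cells_per_station=3,
                                contention_slots=4, grant_slots=6))
```

Collisions show up only in the `contention_collisions` counter; `data_collisions` stays at zero because the map gives each data slot a single owner, which is the property that makes the granted phase "free of contention". Ranging and power control, which the text also requires, are outside what this model covers.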
Migration and inventory considerations dictate VDSL units that can operate at
various (preferably all) speeds, with automatic recognition of a newly connected
device on a line or of a change in speed. Passive network interfaces need to
support hot insertion, so that a new VDSL premises unit can be put on the line
without interfering with the operation of other modems.
3.7.3 VDSL technology
Figure 3 Passive Network Termination
VDSL technology resembles ADSL to a large degree, although ADSL must face
much larger dynamic ranges and is considerably more complex as a result.
VDSL must be lower in cost and lower in power, and premises VDSL units may
have to implement a physical-layer MAC for multiplexing upstream data.
Line-Code Candidates
Four line codes have been proposed for VDSL:
• Carrierless amplitude modulation/phase modulation (CAP) - A
version of suppressed carrier quadrature amplitude modulation (QAM).
For passive NT configurations, CAP would use quadrature phase shift
keying (QPSK) upstream and a type of TDMA for multiplexing
(although CAP does not preclude an FDM approach to upstream
multiplexing).
• Discrete multitone (DMT) - A multicarrier system using discrete
Fourier transforms to create and demodulate individual carriers. For
passive NT configurations, DMT would use FDM for upstream
multiplexing (although DMT does not preclude a TDMA multiplexing
strategy).
• Discrete wavelet multitone (DWMT) - A multicarrier system using
wavelet transforms to create and demodulate individual carriers. DWMT
also uses FDM for upstream multiplexing, but also allows TDMA.
• Simple line code (SLC) - A version of four-level baseband signaling
that filters the baseband and restores it at the receiver. For passive NT
configurations, SLC would most likely use TDMA for upstream
multiplexing, although FDM is possible.
Channel Separation
Early versions of VDSL will use FDM to separate downstream from upstream
channels and both of them from basic telephone service and ISDN, as shown in
Figure [1]. Echo cancellation may be required for later-generation systems
featuring symmetric data rates. A rather substantial distance, in frequency, will
be maintained between the lowest data channel and basic telephone service to
enable very simple and cost-effective basic telephone service splitters. Normal
practice would locate the downstream channel above the upstream channel.
However, the DAVIC specification reverses this order to enable premises
distribution of VDSL signals over coaxial cable systems.
Forward Error Control
FEC will no doubt use a form of Reed-Solomon coding and optional interleaving
to correct bursts of errors caused by impulse noise. The structure will be very
similar to ADSL, as defined in T1.414. An outstanding question is whether FEC
overhead (in the range of 8 percent) will be taken from the payload capacity or
added as an out-of-band signal. The former reduces payload capacity but
maintains nominal reach, whereas the latter retains the nominal payload but
suffers a small reduction in reach. ADSL puts FEC overhead out of band.
Upstream Multiplexing
If the premises VDSL unit comprises the network termination (an active NT),
then the means of multiplexing upstream cells or data channels from more than
one CPE into a single upstream becomes the responsibility of the premises
network. The VDSL unit simply presents raw data streams in both directions. As
illustrated in Figure [2], one type of premises network involves a star connecting
each CPE to a switching or multiplexing hub; such a hub could be integral to the
premises VDSL unit.
In a passive NT configuration, each CPE has an associated VDSL unit. [3] (A
passive NT does not conceptually preclude multiple CPE per VDSL, but then the
question of active versus passive NT becomes a matter of ownership, not a
matter of wiring topology and multiplexing strategies.) Now the upstream
channels for each CPE must share a common wire. Although a collision-
detection system could be used, the desire for guaranteed bandwidth indicates
one of two solutions. The first invokes a cell-grant protocol in which
downstream frames generated at the ONU or farther up the network contain a
few bits that grant access to specific CPE during a specified period subsequent to
receiving a frame. A granted CPE can send one upstream cell during this period.
The transmitter in the CPE must turn on, send a preamble to condition the ONU
receiver, send the cell, and then turn itself off. The protocol must insert enough
silence to let line ringing clear. One construction of this protocol uses 77 octet
intervals to transmit a single 53-octet cell.
The second method divides the upstream channel into frequency bands and
assigns one band to each CPE. This method has the advantage of avoiding any
MAC with its associated overhead (although a multiplexor must be built into the
ONU), but either restricts the data rate available to any one CPE or imposes a
dynamic inverse multiplexing scheme that lets one CPE send more than its share
for a period. The latter would look a great deal like a MAC protocol, but without
the loss of bandwidth associated with carrier detect and clear for each cell.
3.7.4 VDSL issues
VDSL is still in the definition stage. Some preliminary products exist, but not
enough is known yet about telephone line characteristics, radio frequency
interface emissions and susceptibility, upstream multiplexing protocols, and
information requirements to frame a set of definitive and standard properties.
One large unknown is the maximum distance that VDSL can reliably realize for
a given data rate. This is unknown because real line characteristics at the
frequencies required for VDSL are speculative. Additionally, items such as short
bridged taps or unterminated extension lines in homes, which have no effect on
telephony, ISDN, or ADSL, may have very detrimental effects on VDSL in
certain configurations. Furthermore, VDSL invades the frequency ranges of
amateur radio, and every above-ground telephone wire is an antenna that both
radiates and attracts energy in amateur radio bands. Balancing low signal levels
to prevent emissions that interfere with amateur radio with higher signals needed
to combat interference by amateur radio could be the dominant factor in
determining line reach.
A second dimension of VDSL that is far from clear is the services environment.
It can be assumed that VDSL will carry information in ATM cell format for
video and asymmetric data communications, although optimum downstream and
upstream data rates have not been ascertained. What is more difficult to assess is
the need for VDSL to carry information in non-ATM formats (such as
conventional Plesiochronous Digital Hierarchy [PDH] structures) and the need
for symmetric channels at broadband rates (above T1/E1). VDSL will not be
completely independent of upper-layer protocols, particularly in the upstream
direction, where multiplexing data from more than one CPE may require
knowledge of link-layer formats (that is, ATM or not).
A third difficult subject is premises distribution and the interface between the
telephone network and CPE. Cost considerations favor a passive network
interface with premises VDSL installed in CPE and upstream multiplexing
handled similarly to LAN buses. System management, reliability, regulatory
constraints, and migration favor an active network termination that can operate
like a hub, with point-to-point or shared-media distribution to multiple CPE on-
premises wiring that is independent and physically isolated from network wiring.
This is the same as ADSL and ISDN.
However, costs cannot be ignored. Small ONUs must spread common equipment
costs, such as fiber links, interfaces, and equipment cabinets, over a small
number of subscribers compared to HFC. VDSL, therefore, has a much lower
cost target than ADSL because VDSL may connect directly from a wiring center
or cable modems, which also have much lower common equipment costs per
user. Furthermore, VDSL for passive NTs may (only may) be more expensive
than VDSL for active NTs, but the elimination of any other premises network
electronics may make it the most cost-effective solution, and highly desired,
despite the obvious benefits of an active NT. Stay tuned.
3.7.5 Standards status
3.7.6 Relationship of VDSL to ADSL
transmission tools that delivers about as much data as theoretically possible over
varying distances of existing telephone wiring.
VDSL is clearly a technology suitable for a full-service network (assuming that
full service does not imply more than two HDTV channels over the highest-rate
VDSL). It is equally clear that telephone companies cannot deploy ONUs
overnight, even if all the technology were available. ADSL may not be a full-
service network technology, but it has the singular advantage of offering service
over lines that exist today, and ADSL products are more widely available than
VDSL. Many new services being contemplated today, such as
videoconferencing, Internet access, video on demand, and remote LAN access,
can be delivered at speeds at or below T1/E1 rates. For such services,
ADSL/VDSL provides an ideal combination for network evolution. On the
longest lines, ADSL delivers a single channel. As line length shrinks, either from
natural proximity to a central office or deployment of fiber-based access nodes,
ADSL and VDSL simply offer more channels and capacity for services that
require rates above T1/E1 (such as digital live television and virtual CD-ROM
access). Figure [2] outlines the differences between all flavors of xDSL.
Summary
Lab 1.6.1: Getting Started and Building Start.TXT
Objective
This lab introduces the CCNP lab equipment and certain IOS features that may be new
to the reader. This introductory activity also describes how to use a simple text editor
to create all or part of a router configuration file. After creating a text configuration
file, that configuration can be applied to a router quickly and easily by using the
techniques described in this lab.
Equipment Requirements
• A single router, preferably a 2600 series router, and a workstation running a Windows
operating system.
• One 3 1/2 inch floppy disk with label
Preliminary
Modular interfaces
Cisco routers can come with a variety of interface configurations. Some models have only
fixed interfaces. This means that the interfaces cannot be changed or replaced by the
user. Other models have one or more modular interfaces, allowing the user to add,
remove, or replace interfaces as needed.
Fixed interface identification, such as Serial 0, S0, Ethernet 0, and E0, may already be
familiar. Modular routers use notation such as Serial 0/0 or S0/1, where the first number
refers to the module and the second number refers to the interface. Both notations use 0
as their starting reference, so S0/1 indicates that there is another serial interface S0/0.
Fast Ethernet
Many routers today are equipped with Fast Ethernet (10/100 Mbps auto-sensing)
interfaces. The notation Fast Ethernet 0/0 or Fa0/0 must be used for Fast Ethernet
interfaces.
Passwords
The login command is applied to virtual terminals by default. This means that in order
for the router to accept Telnet connections, a password must be configured. Otherwise,
the router will not allow a Telnet connection, replying with the error message “password
required, but none set.”
Step 1.
Take a few moments to examine the router. Become familiar with any serial, BRI (ISDN),
PRI (ISDN), and DSU/CSU interfaces on the router. Pay particular attention to any
connectors or cables that are unfamiliar.
1-1 Remote Access Section 1: WANs - Lab 1.6.1 Copyright 2002, Cisco Systems, Inc.
Step 2.
Establish a HyperTerminal session to the router.
Step 3.
To clear the configuration, issue the erase start command.
Confirm when prompted, and answer ’no’ if asked to save changes. The result should
look something like the following:
Router#erase start
Erasing the nvram filesystem will remove all files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Router#
Confirm when prompted. After the router finishes the boot process, choose not to use the
Auto install feature, shown as follows:
Step 4.
In privileged mode, issue the show run command.
Notice the following default configurations while scrolling through the running
configuration:
line con 0
transport input none
line aux 0
line vty 0 4
Step 5.
If necessary, issue the show run command again so that line con and line vty are
showing on the screen:
line con 0
transport input none
line aux 0
line vty 0 4
!
end
Select this text and choose the copy command from HyperTerminal’s Edit menu.
Next, open Notepad, which is typically found on the Start menu under Programs,
Accessories. After Notepad opens, select Paste from the Notepad Edit menu.
Edit the lines in Notepad to look like the following lines. The one space indent is optional.
This configuration sets the enable secret to class and requires a login for all console,
AUX port, and virtual terminal connections. The password for these connections is set to
cisco. The AUX port is usually a modem.
Note: Each of the passwords can be set to something else if desired.
Step 6.
Save the open file in Notepad to a floppy disk as start.txt.
Select all the lines in the Notepad document and choose Edit, Copy.
Step 7.
Use the Windows taskbar to return to the HyperTerminal session, and enter global
configuration mode.
Issue the show run command to see if the configuration looks okay.
As a shortcut, paste the contents of the start.txt file to any router before getting started
with a lab.
• no ip domain-lookup prevents the router from attempting to query a DNS when
a word is input that is not recognized as a command or a host table entry. This saves
time if a typo is made or there is a misspelling of a command.
• logging synchronous in the line con 0 configuration returns to a fresh line when
the input is interrupted by a console logging message.
• configure terminal can be used in a file so that the command does not need
to be typed before pasting the contents of the file to the router.
Step 8.
Use the Windows taskbar to return to Notepad and edit the lines so that they read
as follows:
config t
!
enable secret class
ip subnet-zero
ip http server
no ip domain-lookup
line con 0
logging synchronous
password cisco
login
transport input none
line aux 0
password cisco
login
line vty 0 4
password cisco
login
!
end
copy run start
Select and copy all the lines, and return to the HyperTerminal session.
Normally global configuration mode would be entered before pasting from Notepad.
However, because the configure terminal command was included in the script,
paste can be done in privileged mode.
If necessary, return to privileged EXEC mode. From the Edit menu, select Paste to Host.
Step 9.
Router#config t
Router(config)#router rip
Router(config)#network 192.168.1.0
Router(config)#network 192.168.2.0
Router(config)#network 192.168.3.0
Router(config)#network 192.168.4.0
Router(config)#network 192.168.5.0
Press Ctrl+Z, and verify the configuration with show run. RIP was just set up to
advertise a series of networks. What if the routing protocol is to be changed to IGRP?
With the no router rip command, RIP can easily be removed; however, the
network commands would still need to be retyped. The next steps show an alternative
to retyping the commands.
Step 10.
Issue the show run command and hold the output so that the router rip commands
are displayed. Using the keyboard or mouse, select the router rip command and all
network statements.
Open a new document and paste the selection onto the blank page.
Step 11.
In the new document, type the word no and a space in front of the word router.
Type router igrp 100, but do not press Enter. The result should look like the following:
no router rip
router igrp 100
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
Step 12.
Select the results and copy them.
Reflection
How could using copy and paste with Notepad be helpful in other editing situations?
Lab 1.6.2: Capturing HyperTerminal and Telnet Sessions
Objective
This activity describes how to capture HyperTerminal and Telnet sessions.
Note: Try to master these techniques. These techniques lessen the amount of typing in
later labs and while working in the field.
Step 1.
Log in to a router using HyperTerminal.
It is possible to capture the results of the HyperTerminal session in a text file, which can
be viewed and/or printed using Notepad, WordPad, or Microsoft Word.
Note: This feature captures future screens, not what is currently on screen. Basically this
is turning on a recording session.
To start a capture session, choose the menu option Transfer, Capture Text. The Capture
Text dialog box appears, as shown in the following figure.
The default filename for a HyperTerminal capture is CAPTURE.TXT, and the default
location of this file is C:\Program Files\Accessories\HyperTerminal.
Note: When using Telnet, the command to begin a capture, or log, is Terminal, Start
Logging. The document created has LOG as the extension. Other than the name and
path of the capture file, the logging procedures are the same for both Telnet and
HyperTerminal.
Make sure that a floppy disk is in the A: drive. When the Capture Text dialog box
appears, change the File path to A:\TestRun.txt.
Click the Start button. Anything that appears onscreen after this point is copied to the file.
Step 2.
Issue the show running-config command and view the entire configuration file.
From the Transfer menu, choose Capture Text, Stop.
Telnet users should select Stop Logging from the Terminal menu to end the session.
Step 3.
Using the Start menu, launch Windows Explorer. Windows Explorer might be found under
Programs or Accessories, depending on which version of Windows is in use.
In the left pane, select the 3½ floppy (A:) drive. On the right side, the file that was just
created should be seen.
1-1 Remote Access Section 1: WANs - Lab 1.6.2 Copyright 2002, Cisco Systems, Inc.
Double-click the TestRun.txt document’s icon. The result should look something like the
following:
Router# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$HD2B$6iXb.h6QEJJjtn/NnwUHO.
!
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/0
--More-- □□□□□□□ □□□□□□□ no ip address
no ip directed-broadcast
shutdown
Unrecognizable characters may appear near the word ’More’. This is where the spacebar
was pressed to see the rest of the list. Use basic word processing techniques to clean
that up.
Suggestion
Consider capturing each router configuration for every lab that is done. Captured files can
be valuable while reviewing configuration features and preparing for certification
exams.
Reflection
Could the capture techniques be useful if a member of a lab team misses a lab session?
Can capture techniques be used to configure an off site lab?
Lab 1.6.3: Access Control List Basics and Extended Ping
Topology diagram: Vista router with Fa0/0 192.168.3.1/24 (Workstation 192.168.3.2/24 on that LAN), S0/0 192.168.1.1/24, and S0/1 192.168.2.1/24.
Objective
This lab activity reviews the basics of standard and extended access lists, which are used
extensively in the CCNP curriculum.
Scenario
The LAN users connected to the Vista router are concerned about access to their
network from hosts on network 10.0.0.0. Use a standard access list to block all access to
Vista’s LAN from network 10.0.0.0/24.
Also use an extended ACL to block network 192.168.3.0 host access to Web servers on
the 10.0.0.0/24 network.
Step 1.
Build and configure the network according to the diagram. Use RIPv1, and enable
updates on all active interfaces with the appropriate network commands. The
commands necessary to configure SanJose1 are shown as an example:
SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0
Use the ping command to verify the work and test connectivity between all interfaces.
Step 2.
Check the routing table on Vista using the show ip route command. Vista should
have all four networks in its table. Troubleshoot, if necessary.
1-1 Remote Access Section 1: WANs - Lab 1.6.3 Copyright 2002, Cisco Systems, Inc.
Access Control List Basics
Access Control Lists (ACLs) are simple but powerful tools. When the access list is
configured, each statement in the list is processed by the router in the order in which it
was created. If an individual packet meets a statement’s criteria, the permit or deny is
applied to that packet, and no further list entries are checked. The next packet to be
checked starts again at the top of the list.
It is not possible to reorder an access list, skip statements, edit statements, or delete
statements from a numbered access list. With numbered access lists, any attempt to
delete a single statement results in the entire list’s deletion. Named ACLs (NACLs) do
allow for the deletion of individual statements.
The following concepts apply to both standard and extended access lists:
Two-step process
First, the access list is created with one or more access-list commands while in
global configuration mode. Second, the access list is applied to or referenced by other
commands, such as the access-group command, to apply an ACL to an interface. An
example would be the following:
Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z
Access-list 75 clearly denies all traffic sourced from the host, 192.168.1.10. What might
not be obvious is that all other traffic will be discarded as well. This happens because the
implicit deny any is the final statement in any access list.
At least one permit statement is required
There is no requirement that an ACL contains a deny statement. If nothing else, the
implicit deny any statement takes care of that. But if there are no permit statements,
the effect will be the same as if there were only a single deny any statement.
Wildcard mask
In identifying IP addresses, ACLs use a wildcard mask instead of a subnet mask. Initially,
they might look like the same thing, but closer observation reveals that they are very
different. Remember that a binary 0 in a wildcard bitmask instructs the router to match
the corresponding bit in the IP address.
In/out
When deciding whether an ACL should be applied to inbound or outbound traffic, always
view things from the router’s perspective. In other words, determine whether traffic is
coming into the router, inbound, or leaving the router, outbound.
Applying ACLs
Extended ACLs should be applied as close to the source as possible, thereby conserving
network resources. Standard ACLs, by necessity, must be applied as close to the
destination as possible. This is because the standard ACL can only match the source
address of a packet.
Step 3.
On the Vista router, create the following standard ACL and apply it to the LAN interface:
Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z
The ping should be successful. This result might be surprising, because all traffic from
the 10.0.0.0/24 network was just blocked. The ping is successful because, even though
it came from SanJose1, it is not sourced from the 10.0.0.0/24 network. A ping or
traceroute from a router uses the closest interface to the destination as the source
address. Therefore, the ping is coming from 192.168.1.2/24, SanJose1's Serial 0/0
interface.
In order to test the ACL from SanJose1, use the extended ping command to specify a
specific source interface.
Step 4.
On SanJose1, issue the following commands. Remember that the extended ping works
only in privileged mode.
SanJose1#
SanJose1#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2
seconds:
U.U.U
Success rate is 0 percent (0/5)
Step 5.
Standard ACLs are numbered one (1) through 99. IOS 12 also allows standard lists to be
numbered 1300 through 1699. Extended ACLs are numbered 100 through 199. IOS 12
allows numbers 2000 through 2699. Extended ACLs can be used to enforce highly
specific criteria for filtering packets. In this step, configure an extended ACL to block
access to a Web server.
Before proceeding, issue the no access-list 50 and no ip access-group 50
commands on the Vista router to remove the ACL configured previously.
First, configure both SanJose1 and SanJose2 to act as Web servers, by using the ip
http server command, shown as follows:
SanJose1(config)#ip http server
SanJose2(config)#ip http server
From the workstation at 192.168.3.2, use a Web browser to view both SanJose1 and
SanJose2’s Web servers at 10.0.0.1 and 10.0.0.2. The Web login requires that the
router’s enable secret password be entered as the password.
After verifying Web connectivity between the workstation and the routers, proceed to
Step 6.
Step 6.
On the Vista router, enter the following commands:
Vista(config)#access-list 101 deny tcp 192.168.3.0
0.0.0.255 10.0.0.0 0.0.0.255 eq www
Vista(config)#access-list 101 deny tcp 192.168.3.0
0.0.0.255 any eq ftp
Vista(config)#access-list 101 permit ip any any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 101 in
From the workstation at 192.168.3.2, again attempt to view the Web servers at 10.0.0.1
and 10.0.0.2. Both attempts should fail.
Next, browse SanJose1 at 192.168.1.2. Why is this not blocked?
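The first-match rule, the implicit deny any, and the wildcard-mask semantics described under Access Control List Basics, worked through against the lab's own lists 50 and 101. This is an added example, not part of the Cisco lab; the Packet and Entry classes are this example's own, and the in/out direction of an applied list is not modelled, only the matching.

```python
"""IOS-style access-list evaluation (added illustration, not Cisco code).

Rules modelled from the lab text: entries are checked top to bottom, the
first match decides, an implicit 'deny any' ends every list, and a 0 bit in
a wildcard mask means the corresponding address bit must match.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit of addr that the wildcard marks as 0 equals base."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # 1 bits = positions the router compares
    return (a & care) == (b & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "ip", "icmp", "tcp", "udp"
    dport: Optional[int] = None     # destination port for tcp/udp


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches any protocol (standard ACLs)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255" # 0.0.0.0 255.255.255.255 is 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # 'eq <port>' on an extended entry

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"                   # implicit deny any


# Step 3: access-list 50 deny 10.0.0.0 0.0.0.255 / access-list 50 permit any
ACL_50 = [
    Entry("deny", src="10.0.0.0", src_wc="0.0.0.255"),
    Entry("permit"),
]

# Step 6: access-list 101 (www is tcp/80, ftp is tcp/21)
ACL_101 = [
    Entry("deny", "tcp", "192.168.3.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", dport=80),
    Entry("deny", "tcp", "192.168.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", dport=21),
    Entry("permit", "ip"),
]

# A list with only deny statements behaves like a single 'deny any'
DENY_ONLY = [Entry("deny", src="10.0.0.0", src_wc="0.0.0.255")]


def lab_results() -> dict:
    """Replays the lab's pings and browser attempts through the two lists."""
    return {
        # plain ping from SanJose1 is sourced from S0/0 (192.168.1.2), not 10.0.0.0/24
        "ping_from_serial": evaluate(ACL_50, Packet("192.168.1.2", "192.168.3.2", "icmp")),
        # extended ping with source address 10.0.0.1
        "ping_from_10": evaluate(ACL_50, Packet("10.0.0.1", "192.168.3.2", "icmp")),
        "deny_only": evaluate(DENY_ONLY, Packet("192.168.1.2", "192.168.3.2", "icmp")),
        # workstation browsing the two Web servers on 10.0.0.0/24
        "web_to_10_0_0_1": evaluate(ACL_101, Packet("192.168.3.2", "10.0.0.1", "tcp", 80)),
        # workstation browsing SanJose1's serial address instead
        "web_to_192_168_1_2": evaluate(ACL_101, Packet("192.168.3.2", "192.168.1.2", "tcp", 80)),
        "ftp_to_192_168_1_2": evaluate(ACL_101, Packet("192.168.3.2", "192.168.1.2", "tcp", 21)),
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name}: {verdict}")
```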
Lab 2.5.1: Configuring Static NAT
Topology diagram: Host A 192.168.0.5/24 and Host B 192.168.0.20/24 on the SanJose1 LAN.
Objective
Configure Network Address Translation (NAT) static translation to provide reliable outside
access to three shared company servers.
Scenario
When the International Travel Agency (ITA) expanded and updated their network, they
chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with
the outside world. In order to secure the outside IP addresses from their ISP, ITA must
pay a monthly fee per IP address. ITA has asked that a series of prototypes be set up
that would demonstrate NAT’s capabilities to meet ITA’s requirements. The company
hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of
reasons including security concerns, the company wishes to hide the internal network
from the outside.
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the version of IOS being used.
Host A represents one of the proposed shared servers that will be part of an Ethernet
LAN attached to SanJose1. Host B represents a user in the ITA network.
1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.1 Copyright 2001, Cisco Systems, Inc.
Step 2.
Verify the configurations with the show running-config command.
Verify that SanJose1 can ping ISP1’s serial interface, 10.0.0.5, and that ISP1 can ping
SanJose1’s serial interface, 10.0.0.6.
At this time, ISP1 cannot ping either workstation or SanJose1’s Fast Ethernet
interface, 192.168.0.1.
1. Both workstations can ping each other and 10.0.0.6, but cannot ping 10.0.0.5. Why
does the latter ping fail?
In fact, the ping request should be getting to 10.0.0.5. Because ISP1 has no entry in its
routing table for 192.168.0.0 /24, ISP1 cannot reply. A static route will be configured in
Step 7 to solve this problem.
Step 3.
SanJose1 is the boundary router where NAT will be configured. The router will be
translating the inside local addresses to inside global addresses, essentially converting
the internal private addresses into legal public addresses for use on the Internet.
On SanJose1, create static translations between the inside local addresses, the servers
to be shared, and the inside global addresses using the following commands:
2. If a static translation is needed for a fourth server, 192.168.0.6, what would be the
appropriate command?
Step 4.
Next, specify an interface on SanJose1 to be used by inside network hosts requiring
address translation:
SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside
SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside
Step 5.
To see the translations, use the show ip nat translations command. The results
should look something like the following:
Use the show ip nat statistics command to see what NAT activity has occurred.
The results should look something like the following:
Step 6.
From Host A, ping 10.0.0.5, ISP1’s serial interface. The pings should still fail
because ISP1 has no route for 192.168.0.0 /24 in its routing table.
Return to the console connection of SanJose1 and type show ip nat statistics,
as shown here:
The hit count is now 4, as shown. This indicates that the translation was made even though
no response was given. Remember that the ping replies are not sent because ISP1
does not have a route back to SanJose1. It is now time to remedy this.
Step 7.
On ISP1, configure the following static route to the global addresses used by
SanJose1 for NAT:
The show ip route command confirms that the static route is present, as shown here:
ISP1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,
B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Step 8.
From Host A, ping the ISP1 router at 10.0.0.5. This ping should now be successful.
From the console connection to SanJose1, issue the show ip nat statistics
command and look over the statistics. The number of hits should be much larger than
before.
Try the show ip nat translations verbose command. The results should look
something like the following:
Note: The verbose option includes information about how recently each translation was
used.
Step 9.
From SanJose1, use the show ip nat statistics command and make a note of the
number of hits.
From SanJose1, issue the show ip nat statistics command again and note that
the number of hits has not changed. The problem is that NAT did not translate Host B’s
IP address, 192.168.0.20, to one of the global addresses. The show ip nat
translations command should confirm this.
A static translation for Host B, which represents a LAN user, has not been set up. A static
translation could be quickly configured for this single end user. However, configuring a
static translation for every user on the LAN could be a huge task, resulting in hundreds of
configuration commands. Dynamic NAT allows configuring the router to assign global
addresses dynamically, on an as needed basis. While static translation may be
appropriate for servers, dynamic translation is almost always used with end user stations.
Dynamic NAT will be studied in the next lab exercise.
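What SanJose1's static translations and ISP1's missing route do to each packet in Steps 2 through 9, replayed in Python. This is an added example, not the lab's own configuration: the inside-local to inside-global pairing for Host A (42.0.0.49) and the /30 on the serial link are assumptions, since the lab only states that 42.0.0.48/28 is the global block.

```python
"""Static NAT walk-through for Lab 2.5.1 (added illustration, not Cisco code).

Models the behaviour the lab observes on SanJose1: the source of an inside
host with a static entry is rewritten on the way out and mapped back on the
way in, the 'hits' counter grows even when no reply ever returns (Step 6),
and an inside host with no entry leaves untranslated (Step 9). ISP1 can only
answer addresses it has a route for, which is what the Step 7 static route fixes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple


@dataclass
class StaticNat:
    inside: Dict[str, str] = field(default_factory=dict)  # local -> global
    hits: int = 0       # packets that matched a translation (either direction)
    misses: int = 0     # packets that matched none

    def add_static(self, local: str, glob: str) -> None:
        """One static entry per server; a local or global address may appear once."""
        if local in self.inside or glob in self.inside.values():
            raise ValueError("address already used by a static entry")
        self.inside[local] = glob

    def outbound(self, src: str, dst: str) -> Tuple[str, str, bool]:
        """Inside -> outside. Returns (src, dst, translated)."""
        glob = self.inside.get(src)
        if glob is None:
            self.misses += 1
            return src, dst, False      # leaves with its private source, like Host B
        self.hits += 1
        return glob, dst, True

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Outside -> inside. Maps the global destination back to the local host."""
        for local, glob in self.inside.items():
            if glob == dst:
                self.hits += 1
                return src, local
        self.misses += 1
        return None                     # no entry: the packet has no inside target


def isp_can_reply(dst: str, routes: Set[str]) -> bool:
    """ISP1 only answers a destination covered by a route in its table."""
    return any(ip_address(dst) in ip_network(r) for r in routes)


def lab_sequence() -> dict:
    nat = StaticNat()
    nat.add_static("192.168.0.5", "42.0.0.49")   # Host A; global address assumed
    isp_routes = {"10.0.0.4/30"}                 # serial link only (mask assumed)

    # Step 6: Host A pings ISP1 five times; translated, but never answered
    replies_before = 0
    for _ in range(5):
        gsrc, _gdst, _ok = nat.outbound("192.168.0.5", "10.0.0.5")
        if isp_can_reply(gsrc, isp_routes):
            replies_before += 1
    hits_before = nat.hits

    # Step 7: ISP1 gets a static route for the 42.0.0.48/28 global block
    isp_routes.add("42.0.0.48/28")

    # Step 8: the same ping is now answered and mapped back to 192.168.0.5
    gsrc, _gdst, _ok = nat.outbound("192.168.0.5", "10.0.0.5")
    reply = nat.inbound("10.0.0.5", gsrc) if isp_can_reply(gsrc, isp_routes) else None
    hits_after_reply = nat.hits

    # Step 9: Host B has no static entry, so it leaves untranslated; hits unchanged
    hostb = nat.outbound("192.168.0.20", "10.0.0.5")
    return {
        "replies_before": replies_before,
        "hits_before": hits_before,
        "reply": reply,
        "hits_after_reply": hits_after_reply,
        "hostb": hostb,
        "hits_after_hostb": nat.hits,
        "misses": nat.misses,
    }


if __name__ == "__main__":
    for key, value in lab_sequence().items():
        print(f"{key}: {value}")
```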
Lab 2.5.2: Configuring Dynamic NAT
[Diagram: Host B 192.168.0.20 /24, Host A 192.168.0.21 /24]
Objective
Configure dynamic NAT to provide privately addressed users with access to outside
resources.
Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. In securing the outside IP addresses from their ISP, ITA has to pay a
monthly fee per IP address. ITA has asked for a series of prototypes to be set up that
would demonstrate NAT’s capabilities to meet ITA’s requirements. The company hopes
to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons
including security concerns, the company wishes to hide the internal network from the
outside.
ITA is hoping to limit user access to the Internet and other outside resources by
limiting the number of connections. Prototype the basic dynamic translation to see if it will
meet ITA’s objectives.
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the IOS version being used. Both Host A and Host B represent users on
the ITA network.
On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:
1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.2 Copyright 2002, Cisco Systems, Inc.
Step 2.
Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the
following command on SanJose1:
The name MYNATPOOL is the name of the address pool. However, another word may
be chosen. The first 42.0.0.55 in the command is the first IP address in the pool. The
second 42.0.0.55 is the last IP address in the pool. This command creates a pool that
contains only a single address. Typically, a larger range of addresses in a pool would be
configured. For now, only one address will be used.
To establish the dynamic source translation, link the access list to the name of the NAT
pool, as shown here:
SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside
SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside
Step 3.
On SanJose1, enter the show ip nat translations command, which should result
in no output. Unlike static translations, which are permanent and always remain in the
translations table, dynamic translations are only assigned as needed, and only appear
when active.
From Host A, ping ISP1’s serial and loopback IP addresses. Both pings should work.
Troubleshoot as necessary.
Issue the show ip nat translations command on SanJose1 again. This should
now get a single translation for that workstation. The result might look like the following:
From Host B, ping ISP1’s serial and loopback IP addresses. They should both fail. The
one available IP address in the pool is being used by the other workstation. If a larger
pool of addresses had been assigned, Host B could be assigned an address from the
pool.
Step 4.
Issue the show ip nat translations verbose command and examine the output:
1. According to the output of this command, how much time is left before the dynamic
translation times out?
The default timeout value for dynamic NAT translations is 24 hours. This means the
second workstation will have to wait until the next day before it can be assigned the
address.
Next, issue the show ip nat statistics command. Notice that it summarizes the
translation information, shows the pool of global addresses, and indicates that only one
address has been allocated, or translated, as shown here:
To change the default NAT timeout value from 24 hours, 86,400 seconds, to 120
seconds, issue the following command:
The existing address allocation must be cleared before the new timer can take effect. Type clear
ip nat translation * to immediately clear the translation table.
Now, from Host B, try pinging either interface of ISP1 again. The ping should be
successful.
Use the show ip nat translations and show ip nat translations verbose
commands to confirm the translation and to see that the new translations expire in two
minutes.
Next, perform a ping from Host B and issue the show ip nat translations
verbose command again. It should be seen that the ’time left’ timer has been reset. This
means that additional hosts will not be allocated an address until a translation has been
inactive for the timeout period.
Step 5.
In this step, configure the NAT pool to include the complete range of global
addresses available to ITA. Issue the following command on SanJose1:
This command redefines MYNATPOOL to include a range of eight addresses. It will now
be possible to ping ISP1 from both workstations.
The show ip nat translations command confirms that two translations have
occurred, as shown here:
Increasing the address range in the pool allows more hosts to be translated. However, if
every address in the pool is allocated, the timeout period must expire before any other
hosts can be allocated an address. As was seen in the last step, an allocated address
cannot be released until its host is inactive for the duration of the timeout period.
In the next lab, many-to-one NAT, or NAT overload, will be studied. An overload
configuration can allow hundreds of hosts to use a handful of global addresses, without
hosts waiting for timeouts.
Lab 2.5.3: Configuring NAT Overload
[Diagram: Host B 192.168.0.20 /24, Host A 192.168.0.21 /24]
Objective
Configure dynamic NAT with overload.
Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. In securing the outside IP addresses from their ISP, ITA is having to pay a
monthly fee per IP address. ITA has asked for a series of prototypes to be set up that
would demonstrate NAT’s capabilities to meet ITA’s requirements. The company hopes
to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons
including security concerns, the company wishes to hide the internal network from the
outside.
It appears that the basic dynamic NAT translations will be too limiting and cumbersome to
meet ITA’s needs. Modify the prototype to use the overload feature.
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the IOS version being used. Both Host A and Host B represent users on
the ITA network.
On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:
Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the
following command on SanJose1:
SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.62 netmask 255.255.255.240
1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.3 Copyright 2002, Cisco Systems, Inc.
Configure a standard access list to define which internal source addresses can be
translated. Because all users are being translated on the ITA network, use the following
command:
SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside
SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside
Step 2.
In the last exercise, a pool of ’real’ global IP addresses was seen that can be used to
provide internally addressed hosts with access to the Internet and other outside
resources. However, in the previous implementation, each global address could be
allocated to only one host at a time.
The most powerful feature of NAT is address overloading, or port address translation
(PAT). Overloading allows multiple inside addresses to map to a single global
address. With PAT, literally hundreds of privately addressed nodes can access the
Internet using only one global address. The NAT router keeps track of the different
conversations by mapping TCP and UDP port numbers.
After the overload feature is configured, ping both interfaces of ISP1, 10.0.1.2 and
10.0.0.5, from Host A. The pings should be successful. Next, issue the show ip nat
translations command:
In addition to tracking the IP addresses translated, the translations table also records the
port numbers being used. Also notice that the first column, Pro, shows the protocol used.
Now look at the output of the show ip nat translation verbose command:
SanJose1#show ip nat translation verbose
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
create 00:00:09, use 00:00:06, left 00:00:53, flags: extended, use_count: 0
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.1.2:1536 10.0.1.2:1536
create 00:00:04, use 00:00:01, left 00:00:58, flags: extended, use_count: 0
Note: The timeout for these overloaded dynamic translations of ICMP is 60 seconds.
Notice also that each session has its own timeout timer. New activity only resets one
specific session’s timer. To see the result on the router, it may need to be pinged again.
From the MS-DOS prompt of Host A, quickly issue the following commands and then
return to the SanJose1 console to issue the show ip nat translation command.
The commands must be done fast due to the 60 second timeout:
HostA:\>ping 10.0.0.5
HostA:\>telnet 10.0.0.5 (Do not log in. Return to the command window.)
HostA:\>ftp 10.0.0.5 (It will fail. Do not worry about this.)
Note: To quit the Windows FTP program, type bye and press Enter.
After these three sessions are initiated, the output of the show ip nat translation
command should look something like the following:
SanJose1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
tcp 42.0.0.55:1095 192.168.0.21:1095 10.0.0.5:21 10.0.0.5:21
tcp 42.0.0.55:1094 192.168.0.21:1094 10.0.0.5:23 10.0.0.5:23
Although the NAT router has a pool of eight IP addresses to work with, it chooses to
continue to use the 42.0.0.55 for both workstations. The Cisco IOS will continue to
overload the first address in the pool until it has reached its limit and then move to the
second address, and so on.
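The three behaviours the labs have walked through so far (permanent static entries, a dynamic pool whose addresses are held until the idle timer runs out, and an overloaded pool that keys entries by port and fills the first address before touching the next) can be put side by side in a small model. The code below is an added example written for this text, not code from the lab or from Cisco IOS; the per-address port limit is a constructed number so the demo exhausts an address quickly, and the timestamps are plain seconds passed in by the caller.

```python
"""Toy model of the NAT behaviours exercised in Labs 2.5.1 to 2.5.3.

Added example, not code from the lab or from Cisco IOS. It models what the
text describes: a static translation is permanent; a dynamic translation
borrows one pool address and keeps it until the entry has been idle for the
timeout, with any activity resetting that timer; an overloaded (PAT) pool keys
entries by source port, so many inside hosts share the first pool address and
the router only moves to the next address once the first is full. The
per-address port limit used here is a constructed number so the demo fills an
address quickly.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]   # (inside local address, source port or None)


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    port: Optional[int]           # None unless the pool is overloaded
    last_use: float               # seconds; drives the idle timeout
    static: bool = False


class NatRouter:
    def __init__(self, pool: List[str], timeout: float,
                 overload: bool = False, ports_per_address: int = 4):
        self.pool = list(pool)        # ordered: the first address is used (and overloaded) first
        self.timeout = timeout        # idle timeout in seconds (lab default 86400, 120 after the change)
        self.overload = overload
        self.ports_per_address = ports_per_address   # constructed limit; real routers have a full port range
        self.table: Dict[Key, Translation] = {}

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Static entries (Lab 2.5.1) never expire and do not come out of the pool."""
        self.table[(inside_local, None)] = Translation(
            inside_local, inside_global, None, last_use=0.0, static=True)

    def expire(self, now: float) -> List[Translation]:
        """Drop dynamic entries idle longer than the timeout; return what was dropped."""
        gone = [t for t in self.table.values()
                if not t.static and now - t.last_use > self.timeout]
        for t in gone:
            del self.table[(t.inside_local, t.port)]
        return gone

    def _pick_address(self) -> Optional[str]:
        """First pool address with room, or None when the pool is exhausted."""
        limit = self.ports_per_address if self.overload else 1
        for addr in self.pool:
            users = sum(1 for t in self.table.values()
                        if not t.static and t.inside_global == addr)
            if users < limit:
                return addr
        return None

    def translate(self, inside_local: str, now: float,
                  src_port: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
        """Translate an outbound packet: (inside global, port), or None if nothing is free."""
        if self.overload and src_port is None:
            raise ValueError("an overloaded pool needs the packet's source port")
        self.expire(now)
        fixed = self.table.get((inside_local, None))
        if fixed is not None and fixed.static:
            return fixed.inside_global, None
        key: Key = (inside_local, src_port if self.overload else None)
        entry = self.table.get(key)
        if entry is None:
            addr = self._pick_address()
            if addr is None:
                return None           # Host B's ping fails in Lab 2.5.2 step 3
            port = None
            if self.overload:
                # Keep the host's own source port unless another host already holds it on this address.
                port = src_port
                taken = {(t.inside_global, t.port) for t in self.table.values()}
                while (addr, port) in taken:
                    port += 1
            entry = Translation(inside_local, addr, port, now)
            self.table[key] = entry
        entry.last_use = now          # activity resets the 'time left' timer (Lab 2.5.2 step 4)
        return entry.inside_global, entry.port


if __name__ == "__main__":
    nat = NatRouter(pool=["42.0.0.55"], timeout=120)
    print(nat.translate("192.168.0.21", now=0))     # the single address goes to Host A
    print(nat.translate("192.168.0.20", now=10))    # None: the pool is exhausted
    print(nat.translate("192.168.0.20", now=221))   # Host A's entry has idled past 120 s
```

With a one-address pool the second host gets nothing until the first host's entry has been idle for the whole timeout, which is exactly the wait the lab text describes; switching `overload=True` lets both hosts share 42.0.0.55 with their source ports recorded, and the second pool address is only touched once the first has hit its limit.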
Step 3.
In this step, examine the timeout values in more detail. From Host A, initiate FTP and
HTTP sessions with ISP1 at 10.0.0.5. Since ISP1 is not configured as an FTP server or
Web server, both sessions will fail.
HostA:\>ftp 10.0.0.5
To open an HTTP session, type ISP1’s IP address in the URL field of a Web browser
window.
After both FTP and HTTP sessions are attempted, use the show ip nat
translation verbose command and examine the time left entries, as shown here:
tcp 42.0.0.55:1114 192.168.0.21:1114 10.0.0.5:21 10.0.0.5:21
create 00:00:16, use 00:00:15, left 00:00:44, flags: extended, timing-out, use_count: 0
tcp 42.0.0.55:1113 192.168.0.21:1113 10.0.0.5:23 10.0.0.5:23
create 00:00:22, use 00:00:22, left 23:59:37, flags: extended, use_count: 0
tcp 42.0.0.55:1115 192.168.0.21:1115 10.0.0.5:80 10.0.0.5:80
create 00:00:12, use 00:00:11, left 23:59:48, flags: extended, use_count: 0
Notice that some of the TCP transactions are using a 24 hour timeout timer. To see the
other timers that can be set, use the ip nat translation ? command while in global
configuration mode, as shown here:
The actual timeout options vary with versions of the IOS. The defaults for some of the
more common times are:
The finrst-timeout timer makes sure that TCP sessions close the related port 60
seconds after the TCP termination sequence.
Dynamic NAT sessions can only be initiated by an internal host. It is not possible to
initiate a NAT translation from outside the network. To some extent, this adds a level of
security to the internal network. It may also help to explain why the dynamic timeout timer
for overload sessions is so short. The session stays open just long enough to make sure
that legitimate replies like Web pages, FTP and TFTP sessions, and ICMP messages
can get in.
In Lab 11.5.1 it was seen that outside hosts can ping the static NAT translations at any
time, provided the inside host is up. This is so Web, FTP, TFTP, DNS, and other types of
servers can be shared with the outside world.
With dynamic NAT not configured for overload, the translation stays up for 24 hours. This
could allow an outside host to try to access the translation and therefore the host. But
with the overload option, the outside host has to be able to recreate the NAT IP address
plus the port number. Therefore, this reduces the likelihood of an unwanted host gaining
access to the system.
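Reading the time-left column by eye works for three entries, but the point of the last few paragraphs is that a translation sitting on the 24-hour timer is a much longer window than one timing out in a minute. The script below is an added example, not part of the lab: it parses the show ip nat translation verbose output into records with the timers in seconds and then picks out the long-lived entries and the ones already marked timing-out. The sample text is constructed from the entries shown in step 3 and is embedded so the script runs offline; it accepts both the one-line IOS layout and the wrapped layout in which the create/use/left detail spans several lines. The one-hour threshold for "long-lived" is an assumption chosen for the demo.

```python
"""Parse 'show ip nat translation verbose' output and flag long-lived entries.

Added example, not part of the lab. SAMPLE is constructed from the entries in
Lab 2.5.3 step 3; the parser tolerates the detail line being wrapped across
several lines, as it is in some captures.
"""
import re
from typing import Dict, List

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 42.0.0.55:1114     192.168.0.21:1114  10.0.0.5:21        10.0.0.5:21
    create 00:00:16, use 00:00:15, left 00:00:44,
    flags:
    extended, timing-out, use_count: 0
tcp 42.0.0.55:1113     192.168.0.21:1113  10.0.0.5:23        10.0.0.5:23
    create 00:00:22, use 00:00:22, left 23:59:37, flags: extended, use_count: 0
tcp 42.0.0.55:1115     192.168.0.21:1115  10.0.0.5:80        10.0.0.5:80
    create 00:00:12, use 00:00:11, left 23:59:48, flags: extended, use_count: 0
icmp 42.0.0.55:1536    192.168.0.21:1536  10.0.0.5:1536      10.0.0.5:1536
    create 00:00:09, use 00:00:06, left 00:00:53, flags: extended, use_count: 0
"""

ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TIMER_RE = re.compile(r"(create|use|left)\s+(\d+):(\d+):(\d+)")
FLAGS_RE = re.compile(r"flags:\s*(.*?)(?:,\s*)?use_count:\s*(\d+)", re.S)


def hms_to_seconds(h: str, m: str, s: str) -> int:
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_translations(text: str) -> List[Dict]:
    """One dict per translation: addresses, timers in seconds, flags, use_count."""
    entries: List[Dict] = []
    detail: List[str] = []          # wrapped detail lines belonging to entries[-1]

    def flush() -> None:
        if not entries or not detail:
            return
        blob = " ".join(detail)
        entries[-1].update({k: hms_to_seconds(h, m, s) for k, h, m, s in TIMER_RE.findall(blob)})
        fm = FLAGS_RE.search(blob)
        if fm:
            entries[-1]["flags"] = [f.strip() for f in fm.group(1).split(",") if f.strip()]
            entries[-1]["use_count"] = int(fm.group(2))
        detail.clear()

    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            flush()                   # close the previous entry before starting a new one
            proto, ig, il, ol, og = m.groups()
            entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                            "outside_local": ol, "outside_global": og, "flags": []})
        elif entries and line.strip():
            detail.append(line.strip())   # header line is skipped because entries is empty
    flush()
    return entries


def long_lived(entries: List[Dict], threshold: int = 3600) -> List[Dict]:
    """Entries with more remaining lifetime than the threshold (the 24-hour TCP timer here)."""
    return [e for e in entries if e.get("left", 0) > threshold]


def timing_out(entries: List[Dict]) -> List[Dict]:
    """Entries the router has already marked with the timing-out flag."""
    return [e for e in entries if "timing-out" in e["flags"]]


if __name__ == "__main__":
    found = parse_translations(SAMPLE)
    for e in long_lived(found):
        print(f"{e['proto']} {e['inside_global']} -> {e['outside_global']} left {e['left']} s")
```

Run against a real capture, the long_lived list is the set of entries whose window an outside party could still use; the lab's ftp attempt (port 21) is already timing out while the telnet and HTTP attempts still show almost a full day.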
Step 4.
To see the actual translation process and troubleshoot NAT problems, use the
debug ip nat command and its related options.
Remember that, as with all debug commands, this can seriously impair the performance of
a production router and should be used wisely. The undebug all command turns off
all debugging.
On SanJose1, use the debug ip nat command to turn on the debug feature.
From Host A, ping ISP1’s serial interface, 10.0.0.5, and observe the translations as shown
here:
SanJose1#debug ip nat
IP NAT debugging is on
06:37:40: NAT: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [63]
06:37:40: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [63]
06:37:41: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [64]
06:37:41: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [64]
06:37:42: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [65]
06:37:42: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [65]
06:37:43: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [66]
06:37:43: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [66]
06:38:43: NAT: expiring 42.0.0.55 (192.168.0.21) icmp 1536 (1536)
SanJose1#undebug all
All possible debugging has been turned off
Notice that both translations can be seen as the pings pass both ways through the NAT
router. Notice that the number at the end of the row is the same for both translations of
each ping. The s= indicates the source, d= indicates the destination and -> shows the
translation.
The 06:38:43 in the translations shows the expiration of the NAT translation.
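Because the bracketed number is the same for both directions of one ping, a debug capture can be turned back into matched outbound/return pairs, which makes an outbound packet that never got a translated reply stand out. The parser below is an added example, not from the lab; its sample is built from the debug lines above, with one reply deliberately left out so the unmatched case is exercised, and the field names used for the records are this example's own.

```python
"""Pair up 'debug ip nat' lines into outbound/return translations.

Added example, not from the lab. SAMPLE is constructed from the debug lines in
Lab 2.5.3 step 4 with the reply for packet [66] removed on purpose.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
06:37:40: NAT: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [63]
06:37:40: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [63]
06:37:41: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [64]
06:37:41: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [64]
06:37:42: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [65]
06:37:42: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [65]
06:37:43: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [66]
06:38:43: NAT: expiring 42.0.0.55 (192.168.0.21) icmp 1536 (1536)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_to>[\d.]+))?, d=(?P<d>[\d.]+)(?:->(?P<d_to>[\d.]+))? \[(?P<id>\d+)\]$")
EXPIRE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT: expiring (?P<global>[\d.]+) \((?P<local>[\d.]+)\) "
    r"(?P<proto>\w+) (?P<gport>\d+) \((?P<lport>\d+)\)$")


def parse_debug(text: str) -> Dict[str, List[Dict]]:
    """Split a capture into translated packets and expiry events."""
    packets: List[Dict] = []
    expirations: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            # '->' on the source side is an inside host going out; on the
            # destination side it is the reply being mapped back in.
            outbound = d["s_to"] is not None
            packets.append({
                "ts": d["ts"], "id": int(d["id"]),
                "direction": "outbound" if outbound else "inbound",
                "fast_switched": d["fast"] == "*",     # NAT* marks the fast-switched path
                "inside_local": d["s"] if outbound else d["d_to"],
                "inside_global": d["s_to"] if outbound else d["d"],
                "outside": d["d"] if outbound else d["s"],
            })
            continue
        m = EXPIRE_RE.match(line)
        if m:
            e = m.groupdict()
            e["gport"], e["lport"] = int(e["gport"]), int(e["lport"])
            expirations.append(e)
    return {"packets": packets, "expirations": expirations}


def pair_by_id(packets: List[Dict]) -> Tuple[List[Tuple[Dict, Dict]], List[Dict]]:
    """Match each outbound packet with the inbound reply carrying the same bracketed id."""
    inbound = {p["id"]: p for p in packets if p["direction"] == "inbound"}
    pairs: List[Tuple[Dict, Dict]] = []
    unanswered: List[Dict] = []
    for p in packets:
        if p["direction"] != "outbound":
            continue
        reply = inbound.get(p["id"])
        if reply is None:
            unanswered.append(p)
        else:
            pairs.append((p, reply))
    return pairs, unanswered


def _secs(ts: str) -> int:
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def idle_before_expiry(result: Dict[str, List[Dict]]) -> Optional[int]:
    """Seconds from the last translated packet to the expiry message (60 s for ICMP in the lab)."""
    if not result["packets"] or not result["expirations"]:
        return None
    return _secs(result["expirations"][-1]["ts"]) - _secs(result["packets"][-1]["ts"])


if __name__ == "__main__":
    res = parse_debug(SAMPLE)
    pairs, lost = pair_by_id(res["packets"])
    print(f"{len(pairs)} pings answered, {len(lost)} unanswered, entry expired after {idle_before_expiry(res)} s")
```

The expiry message lands exactly 60 seconds after the last translated packet, which is the ICMP timeout the earlier note gives, and the unmatched [66] shows how a missing return translation would look in a capture.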
The detailed option can be used with debug ip nat to provide the port numbers as
well as the IP address translations, as shown here:
Lab 2.5.4: Configuring TCP Load Distribution
[Diagram residue: Fa0/0, S0/0 10.0.0.5 /30, 192.168.0.5 /24, Host A 10.0.2.20 /24]
Objective
In this lab, the student will configure NAT with the TCP Load Distribution option. The
student will also learn to use the prefix-length option as an alternative to the
netmask option of the ip nat pool command.
Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. In securing the outside IP addresses from their ISP, ITA is having to pay a
monthly fee per IP address. ITA has asked that a series of prototypes be set up that
demonstrate NAT’s capabilities to meet ITA’s requirements. The company hopes to be
able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons including
security concerns, the company wishes to hide the internal network from the outside.
ITA’s Web server, 192.168.0.5, is overwhelmed by outside traffic. A pool of two mirrored
servers needs to be created to handle the load. These servers will be addressed as
192.168.0.5 and 192.168.0.6.
Outside users and DNS use the global IP address, 42.0.0.51, to access the Web server.
ITA would like to continue using the single address and have the NAT router distribute
the requests between the two mirrored servers. A prototype needs to be created that will
demonstrate TCP load distribution using NAT.
Step 1.
Build and configure the network according to the diagram. Host A represents a user
outside of ITA’s network. Make sure to configure Host A with the correct default gateway.
Note: SanJose1’s Fast Ethernet interface should be configured with the IP address
192.168.0.5 /24. This is for testing purposes, so that SanJose1 can respond to HTTP
requests directed to 192.168.0.5.
On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:
1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.4 Copyright 2002, Cisco Systems, Inc.
Specify an interface on SanJose1 to be used by inside network hosts requiring address
translation:
SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside
SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside
Verify that the workstation can ping 10.0.0.5 and 10.0.0.6. Troubleshoot as
necessary.
Step 2.
For testing purposes, configure SanJose1 as a Web server at 192.168.0.5, as shown
here:
For the purposes of this lab, another router will act as the second Web server. Configure
this router as shown here:
Router(config)#hostname Web2
Web2(config)#enable password cisco
Web2(config)#ip default-gateway 192.168.0.5
Web2(config)#no ip routing
Web2(config)#interface fastethernet0/0
Web2(config-if)#ip address 192.168.0.6 255.255.255.0
Web2(config-if)#exit
Web2(config)#ip http server
Step 3.
Create a NAT pool to represent the planned Web servers, shown as follows:
Note: In this command, the keyword prefix-length is used instead of the keyword
netmask. Both keywords specify the subnet mask. The prefix-length option allows
the mask to be specified as a bit count (24 instead of 255.255.255.0).
The type rotary sets up a rotation through the designated pool. The name
WebServers is a user defined variable, so it can be any useful word.
Next, create an access list to define the global address that will be used to access the
server pool. Remember, to use 42.0.0.51, which was the original Web server IP address
that is known to the outside users:
The command that links the pool and the global address is:
The inside destination indicates that the NAT translations will be established from
the outside network to the inside network.
Step 4.
Ping 42.0.0.51 from Host A. The ping should fail because ping uses ICMP and not
TCP, which is the only protocol supported by the NAT load distribution feature. To test
the configuration, have Host A open a Web browser window.
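The rotary pool behaves like a very small load balancer: each new TCP connection to the advertised address is handed to the next server in the pool, packets of an established connection keep going to the server that got it, and a protocol other than TCP is left alone, which is why the ping fails. The model below is an added example, not code from the lab or from Cisco IOS; keying connections on the outside source address and port, and ignoring the destination port, are assumptions of this model rather than statements about the router's internals.

```python
"""Model of NAT TCP load distribution ('ip nat pool ... type rotary').

Added example, not from the lab or Cisco IOS. Connections are keyed on the
outside host's (address, source port); that key choice is an assumption of
this model.
"""
from itertools import cycle
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, int]   # (outside source address, source port)


class RotaryNat:
    def __init__(self, virtual_ip: str, servers: List[str]):
        self.virtual_ip = virtual_ip          # the global address outside users and DNS know
        self._next = cycle(servers)           # round-robin through the inside server pool
        self.sessions: Dict[Conn, str] = {}   # live connection -> server it was assigned

    def inside_destination(self, proto: str, src: str, sport: int, dst: str) -> Optional[str]:
        """Inside server for this packet, or None when NAT does not touch it."""
        if proto != "tcp":
            return None                       # ICMP ping to 42.0.0.51 fails (step 4)
        if dst != self.virtual_ip:
            return None                       # only the advertised address is distributed
        key = (src, sport)
        if key not in self.sessions:
            self.sessions[key] = next(self._next)   # new connection: take the next server
        return self.sessions[key]             # existing connection: stay on its server

    def close(self, src: str, sport: int) -> None:
        """Forget a finished connection so the table does not grow without bound."""
        self.sessions.pop((src, sport), None)

    def show(self) -> List[Tuple[str, str, str]]:
        """(inside global, inside local, outside) rows, like the first columns of show ip nat translation."""
        return [(self.virtual_ip, server, f"{src}:{sport}")
                for (src, sport), server in self.sessions.items()]


if __name__ == "__main__":
    nat = RotaryNat("42.0.0.51", ["192.168.0.5", "192.168.0.6"])
    for sport in (1025, 1026, 1027):          # three browser requests from Host A
        print(sport, nat.inside_destination("tcp", "10.0.2.20", sport, "42.0.0.51"))
    print("ping:", nat.inside_destination("icmp", "10.0.2.20", 0, "42.0.0.51"))
```

Two browser refreshes from Host A land on 192.168.0.5 and then 192.168.0.6, matching the alternating pages the lab has the student observe, while the ping returns None because nothing non-TCP is distributed.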
Type 42.0.0.51 into the address line of the Web browser on Host A. When the following
screen appears, use any username and cisco as the password. Note: the password is
case sensitive. If the router is not configured with cisco as the enable password, then
enter the password that it is configured with instead.
After the router has been authenticated, a page similar to the following should be seen:
1. What is the inside address of the router whose Web server is being viewed?
Click on the refresh button of the Web browser. A new page should appear, as shown in
the following figure.
2. What is the inside address of the router whose Web server is being viewed?
To verify that SanJose1 is distributing the TCP load between itself and Web2, issue
the show ip nat translation command, as shown here:
Remote Access Resources
WAN
Cisco Connection
A book of LAN and WAN terms used by Cisco.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/ita_book.pdf
NAT
Cisco Connection
A detailed overview of NAT, including configuration procedures.
http://www.cisco.com/warp/public/732/nat/
Internet
Overview of NAT from the RFC. Explains the need and usage of NAT.
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1631.html
Overview of NAT and some of its shortcomings and solutions to some problems.
http://www.ehsco.com/reading/19970215ncw1.html
Some things to consider when using NAT and how it works.
http://www.vicomsoft.com/knowledge/reference/nat.html
Peer to peer apps and the effect of NAT on it as well as solutions.
http://www.alumni.caltech.edu/~dank/peer-nat.html
LAN Media
Table of Contents
1-2 Switching Section 1: LAN Media Copyright 2002, Cisco Systems, Inc.
Overview
Since the inception of local-area networks (LANs) in the 1970s, numerous LAN
technologies have come and gone. The Attached Resource Computer Network
(ARCNet), a coaxial-based LAN technology using a token-bus access method, is
one example of an essentially defunct LAN technology. ARCNet was the basis
for some of the earliest office networks in the 1980s.
ARCNet (2Mbps) was easy to deploy in an office with only a few workstations.
ARCNet (2Mbps) enjoyed limited success on the market because higher-speed
technologies such as 10 Mbps Ethernet and 4Mbps Token Ring were introduced
soon after its inception. With the higher-bandwidth capacity of these newer
technologies and the rapid development of high-speed workstations, ARCNet
was quickly phased out of the marketplace.
LAN technologies such as Ethernet, Token Ring, and Fiber Distributed Data
Interface (FDDI) have managed to remain in existence. [1] The legacy networks
(Ethernet, Token Ring, FDDI) continue to be utilized as distribution and
backbone technologies for both manufacturing and office environments. But,
like ARCNet, even these technologies see higher-speed networks such as Fast
Ethernet and ATM crowding them out. However, due to the wide installation
and use of legacy systems, they will likely remain in place for many more years.
Users will replace Ethernet and Token Ring in phases as applications demand
more bandwidth.
In this chapter, the student will learn about legacy, or standard Ethernet, as well
as Fast Ethernet and Gigabit Ethernet. In addition, the student will also learn
how the access methods operate, some of the physical characteristics of each,
and various frame formats and address types.
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
1.1 Legacy Media Types
A CATV system carries multiple channels on a single cable and can therefore
carry multiple data streams concurrently. This is an example of frequency-division
multiplexing (FDM). The initial LANs were conceived as baseband
technologies, which do not have multiple channels. Baseband technologies do
not transmit using FDM. Rather, they use bandwidth sharing, meaning simply
that users take turns transmitting.
Ethernet and other LAN technologies define sets of rules known as access
methods for sharing the cable. The access methods approach media sharing
differently, but have essentially the same end goal in mind.
1.1.2 CSMA/CD
Carrier sense multiple access collision detect (CSMA/CD) describes the Ethernet
access method. In Ethernet, multiple access is the terminology for many stations
attaching to the same cable and having the opportunity to transmit. No station
has any priority over any other station. However, the stations do need to take
turns, as defined by the access algorithm.
Carrier sense refers to the process of listening before speaking. The Ethernet
device wishing to communicate looks for energy on the media (an electrical
carrier). If a carrier exists, the cable is in use and the device must wait to
transmit. Many Ethernet devices maintain a counter of how many times they
have to defer a transmission. Some devices call the counter a deferral or back-off
counter. If the deferral counter exceeds a threshold value of 15 retries, the device
attempting to transmit assumes that it will never get access to the cable to
transmit the packet. In this situation, the source device discards the frame. This
might happen if there are too many devices on the network, implying that there is
not enough bandwidth available.
When two or more devices, on the same segment, attempt to transmit at the same
time, a collision occurs. The devices that were transmitting can sense that a
collision has occurred because the power level on the cable exceeds a certain
mark. When stations detect that a collision has occurred, the participants
generate a collision enforcement signal. The enforcement signal lasts as long as
the smallest frame size. In the case of Ethernet, that equates to 64 bytes. This
ensures that all stations know about the collision and that no other station
attempts to transmit during the collision event. If a station experiences too many
consecutive collisions, the station stops attempting to transmit the frame. Some
workstations display an error message to the user; the exact message differs from
platform to platform, but every workstation attempts to convey to the user that it
was unable to send data for one reason or another.
To help ensure uniqueness, the first three octets indicate the vendor that
manufactured the interface card. This is known as the Organizational Unique
Identifier (OUI). Each manufacturer has a unique IEEE-assigned OUI value.
The last three octets of the MAC address amount to a host identifier for the
device. The last three octets are assigned by the vendor. The combination of OUI
and "host number" creates a unique address for that device. Each vendor is
responsible to ensure that each of the Ethernet adapters that it manufactures has
a unique combination of six octets.
In a LAN, stations use the Layer 2 MAC address in a frame to identify the
source and destination. When Station 1 transmits to Station 2 in the Figure,
Station 1 generates a frame that includes the Station 2 MAC address
(00-60-08-93-AB-12) for the destination and the Station 1 address (00-60-08-93-DB-C1)
for the source. This is a unicast frame. Because the LAN is a shared media, all
stations on the network receive a copy of the frame. Only Station 2 performs any
processing on the frame; however, all stations compare the destination MAC
address with their own MAC address. If they do not match, the interface module
of the station discards (ignores) the frame. This prevents the packet from
consuming CPU cycles within the device. Station 2, however, sees a match and
sends the packet to the CPU for further analysis. The CPU examines the network
protocol information and the intended application and decides whether to drop or
use the packet.
1.1.5 Broadcast frames
[Figure: a video server sends a 1.5 Mb stream; a station that does not want the stream still has its CPU process that 1.5 MB of data]
Not all frames contain unicast destination addresses. Some have broadcast or
multicast destination addresses. Workstations and network devices treat
broadcast and multicast frames differently from unicast frames. Stations view
broadcast frames as public service announcements. When a station receives a
broadcast, the source is saying, "Pay attention, I might have an important
message."
A broadcast frame has a destination MAC address of FF-FF-FF-FF-FF-FF (all
binary 1s). Like unicast frames, all stations receive a frame with a broadcast
destination address. When the interface compares its own MAC address against
the destination address, they do not match. Normally, a station discards the
frame because the destination address does not match its own hardware address.
But broadcast frames are treated differently. Even though the destination and
built-in address do not match, the interface module is designed so that it still
passes the broadcast frame to the processor. This is intentional because the
broadcast frame might have an important request or information. Unfortunately,
probably only one or at most a few stations really need to receive the broadcast
message.
For example, an IP ARP request creates a broadcast frame, even though it
intends for only one station to respond. The source sends the request as a
broadcast because it does not know the destination MAC address and is
attempting to find it. When a source only knows the destination IP address it
creates an ARP request. However, that is not enough information to address a
station on the LAN. The frame must also contain the destination MAC address.
Routing protocols sometimes use broadcast MAC addresses when they announce
their routing tables. For example, by default, routers send IP Routing
Information Protocol (RIP) updates every 30 seconds. The router transmits the
update in a broadcast frame. The router does not necessarily know all the routers
on the network. By sending a broadcast message, the router is sure that all
routers attached to the network will receive the message. There is a downside to
this, however. All devices on the LAN receive and process the broadcast frame,
even though only a few devices really needed the updates. This consumes CPU
cycles in every device. If the number of broadcasts in the network becomes
excessive, workstations cannot do the things they need to do, such as run word
processors or flight simulators.
Multicast frames differ from broadcast frames in a subtle way. Multicast frames
address a group of devices with a common interest. The source sends only one
copy of the frame on the network, even though it intends for several stations to
receive it. When a station receives a multicast frame, it compares the multicast
address with its own address. Unless the card is preconfigured to accept
multicast frames, the multicast is discarded on the interface and does not
consume CPU cycles. (This behaves just like a unicast frame.)
For example, Cisco devices running the Cisco Discovery Protocol (CDP) make
periodic announcements to other locally attached Cisco devices. The information
contained in the announcement is interesting only to other Cisco devices (and the
network administrator). To make the announcement, the Cisco source could send
a unicast to each Cisco device. That, however, means multiple transmissions on
the segment, which consume network bandwidth with redundant information.
Furthermore, the source might not know about all the local Cisco devices and
could, therefore, choose to send one broadcast frame. All Cisco devices would
receive the frame. Unfortunately, so would all third-party devices. The last
alternative is a multicast address. Cisco has a special multicast address reserved,
01-00-0C-CC-CC-CC, which enables Cisco devices to transmit to all other Cisco
devices on the segment. All third-party devices ignore this multicast message.
Open Shortest Path First (OSPF), an IP routing protocol, sends out routing
updates via a specially reserved multicast address. The reserved multicast OSPF
IP addresses 224.0.0.5 and 224.0.0.6 translate to MAC multicast addresses of
01-00-5E-00-00-05 and 01-00-5E-00-00-06. Only router interfaces configured to
receive OSPF announcements will process these packets. All other devices filter
the frame.
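As an added example (not part of the original course text), the following Python implements the IPv4-to-MAC multicast mapping used above and a model of the interface filter the text describes. The 23-bit rule means 32 different IPv4 groups share one MAC address, so an interface that has been programmed for 224.0.0.5 also passes frames sent to 224.128.0.5 or 239.128.0.5; the IP layer must still check the group address before trusting the packet. The function names, the constructed station MAC and the group sets are my own.

```python
import ipaddress

IPV4_MCAST_OUI = 0x01005E          # fixed prefix 01-00-5E for IPv4 multicast MACs
OWN_MAC = "00-D0-BA-11-22-33"      # constructed station address for the filter model


def ip_to_mcast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its MAC address (RFC 1112 rule):
    01-00-5E followed by the low-order 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    mac = (IPV4_MCAST_OUI << 24) | (int(addr) & 0x7FFFFF)
    return "-".join(f"{(mac >> s) & 0xFF:02X}" for s in range(40, -1, -8))


def groups_sharing_mac(ip: str) -> list:
    """All 32 IPv4 groups that map onto the same MAC as `ip`: the 1110 class
    prefix is fixed and the next 5 bits of the address are simply dropped."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address((0xE << 28) | (k << 23) | low23))
            for k in range(32)]


def interface_accepts(dst_mac: str, own_mac: str, joined_groups) -> bool:
    """Model of the NIC filter in the text: pass broadcast, unicast addressed
    to us, and only those multicast MACs derived from the groups we joined."""
    dst_mac, own_mac = dst_mac.upper(), own_mac.upper()
    if dst_mac == "FF-FF-FF-FF-FF-FF":
        return True
    if int(dst_mac[:2], 16) & 0x01 == 0:            # I/G bit clear: unicast
        return dst_mac == own_mac
    return dst_mac in {ip_to_mcast_mac(g) for g in joined_groups}


if __name__ == "__main__":
    for group in ("224.0.0.5", "224.0.0.6"):
        print(group, "->", ip_to_mcast_mac(group))
    # The ambiguity: a host that joined only AllSPFRouters still receives
    # frames for every alias of that MAC, so the IP layer must re-check.
    alias = "239.128.0.5"
    print(alias, "shares the MAC:", ip_to_mcast_mac(alias) == ip_to_mcast_mac("224.0.0.5"))
    print("filter passes alias:", interface_accepts(ip_to_mcast_mac(alias), OWN_MAC, {"224.0.0.5"}))
```

The practical consequence is that a hardware multicast filter only reduces interrupt load; any packet that makes it past the filter still has to have its destination IP address compared against the groups the host actually joined, which is what the kernel's IP input path does.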
When stations transmit to each other on a LAN, they format the data in a
structured manner so that devices know what octets signify what information.
Various frame formats are available. When configuring a device, define the
format that the station will use, realizing that more than one format might be
configured, as is the case for a router.
Figure [1] illustrates four common frame formats for Ethernet. Some users
interchange the terms packet and frame rather loosely. However, according to
RFC 1122, a significant difference does exist. A frame is the entire
message, from the data link layer (Layer 2) header through and including the
user data. A packet excludes the Layer 2 header and consists of the Layer 3
protocol header through and including the user data.
The frame formats developed as the LAN industry and the associated protocol
requirements evolved. When Xerox developed the original Ethernet (later
adopted by the industry), a frame format like the Ethernet frame in the figure
was defined. The first six octets contain the destination MAC address, and the
next six octets contain the source MAC address. The two bytes that follow tell
the receiver which Layer 3 protocol is encapsulated in the data portion of the
frame. For example, if the frame encapsulates an IP packet, the type field
value is 0x0800. Figure [2] lists several common protocols and their
associated type values.
Following the type value, the receiver expects to see a protocol header. For
example, if the type value indicates IP, the receiver decodes an IP header
next. If the value is 0x8137, the receiver decodes the encapsulated packet as
a Novell IPX packet.
The IEEE defined an alternative frame format. In the IEEE 802.3 formats, the
source and destination MAC addresses remain, but instead of a type value the
2-byte field carries the length of the data that follows. Three derivatives of
this format are used in the industry: raw 802.3, 802.3 with 802.2 Logical Link
Control (LLC), and 802.3 with 802.2 and Subnetwork Access Protocol (SNAP).
A receiver distinguishes an 802.3 frame from an Ethernet frame by the value of
the 2-byte field following the source MAC address. A value from 0x0000 through
0x05DC (1500 decimal) is a length, and the frame is 802.3. A value of 0x0600
(1536 decimal) or greater is a protocol type, and the frame is Ethernet
Version II. The values 0x05DD through 0x05FF are undefined, and a receiver
should treat a frame carrying one of them as malformed. For an 802.3 frame,
examine the 16-bit value immediately following the length field: if it is
0xAAAA (DSAP and SSAP both 0xAA), the frame is a SNAP (IEEE 802.3 SNAP) frame;
if it is 0xFFFF, the frame is a raw 802.3 (Novell 802.3 raw) frame; otherwise
it is an 802.3 with 802.2 LLC (IEEE 802.3) frame.
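The classification rules above, as an added example that is not part of the original course text: a small Python classifier applies them to constructed sample frames (an Ethernet II frame carrying IPv4, an 802.3/SNAP CDP frame with Cisco's OUI 00-00-0C and protocol ID 0x2000, an 802.3/LLC BPDU with DSAP/SSAP 0x42, and a Novell raw frame) and rejects a frame whose type/length field falls in the undefined gap. The source MAC and the payload bytes are constructed placeholders rather than captures, and the function and constant names are my own.

```python
import struct

# Well-known destination addresses used by the constructed sample frames
CDP_MCAST = bytes.fromhex("01000ccccccc")    # Cisco group address from the text
OSPF_ALL = bytes.fromhex("01005e000005")     # 224.0.0.5 AllSPFRouters
STP_BRIDGE = bytes.fromhex("0180c2000000")   # IEEE bridge group (spanning tree BPDUs)
BROADCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("00d0ba112233")      # constructed source address


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def classify_frame(frame: bytes) -> dict:
    """Classify an Ethernet frame (preamble and FCS already stripped) as
    Ethernet II, raw 802.3, 802.3/LLC or 802.3/SNAP, using the text's rules."""
    if len(frame) < 14:
        raise ValueError("truncated frame: no 14-byte MAC header")
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src),
            "group_addressed": bool(dst[0] & 0x01)}   # I/G bit: multicast/broadcast
    if tl >= 0x0600:                                  # a type value: Ethernet Version II
        info.update(encapsulation="Ethernet II", ethertype=tl, payload=frame[14:])
        return info
    if tl > 0x05DC:                                   # 0x05DD..0x05FF are undefined
        raise ValueError(f"type/length 0x{tl:04X} is neither a length nor a type")
    if len(frame) < 14 + tl:
        raise ValueError(f"length field says {tl} bytes, only {len(frame) - 14} present")
    body = frame[14:14 + tl]                          # anything after this is pad
    info["length"] = tl
    if body[:2] == b"\xff\xff":                       # Novell raw: IPX checksum field
        info.update(encapsulation="802.3 raw (Novell)", payload=body)
    elif body[:2] == b"\xaa\xaa" and len(body) >= 8:  # DSAP/SSAP 0xAA: SNAP header
        info.update(encapsulation="802.3 SNAP", oui=body[3:6].hex(),
                    protocol_id=struct.unpack("!H", body[6:8])[0], payload=body[8:])
    elif len(body) >= 3:                              # 802.2 LLC: DSAP, SSAP, control
        info.update(encapsulation="802.3 LLC", dsap=body[0], ssap=body[1],
                    control=body[2], payload=body[3:])
    else:
        raise ValueError("802.3 frame too short for an LLC header")
    return info


def build_frame(dst: bytes, body: bytes, ethertype=None, src: bytes = SRC_MAC) -> bytes:
    """Assemble a frame; without an EtherType the 2-byte field carries the body
    length. Pads to the 60-byte minimum (64 with FCS), as a real sender would."""
    tl = ethertype if ethertype is not None else len(body)
    frame = dst + src + struct.pack("!H", tl) + body
    return frame + b"\x00" * max(0, 60 - len(frame))


# Constructed sample frames; payload bytes are placeholders, not real captures.
SAMPLE_FRAMES = {
    "ipv4_to_ospf_routers": build_frame(OSPF_ALL, b"\x45" + b"\x00" * 19, ethertype=0x0800),
    "cdp": build_frame(CDP_MCAST, b"\xaa\xaa\x03" + bytes.fromhex("00000c")
                       + struct.pack("!H", 0x2000) + b"\x02\xb4\x00\x00"),
    "stp": build_frame(STP_BRIDGE, b"\x42\x42\x03" + b"\x00" * 35),
    "novell_raw": build_frame(BROADCAST, b"\xff\xff" + b"\x00" * 28),
    "bogus_length": build_frame(BROADCAST, b"\x00" * 46, ethertype=0x05F0),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        try:
            r = classify_frame(frame)
            print(f"{name:22s} {r['encapsulation']:20s} dst={r['dst']}")
        except ValueError as err:
            print(f"{name:22s} rejected: {err}")
```

Note that the length check is what prevents a frame with an oversized length field from being parsed past the end of the buffer; a classifier that trusts the field without that check is the classic source of out-of-bounds reads in packet dissectors.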
1.2 Fast Ethernet
When Ethernet technology first became available to users, its 10Mbps bandwidth
seemed like an unlimited resource. However, workstations have developed quite
rapidly since then, and applications demand much more data in shorter amounts
of time. When the data comes from remote sources rather than from a local
storage device, the application needs more network bandwidth, and many newer
applications find 10 Mbps too slow. For example, think about a surgeon
downloading an image from a server over a 10Mbps shared-media network. The
surgeon must wait for the image to download before beginning an operation. If
the image is a 100MB high-resolution image, it could take a while to receive.
Suppose the shared network makes the available user bandwidth about 500 kbps
on average. At that rate (100 MB is 800 Mbit, and 800 Mbit at 500 kbps is
1600 seconds), it would take the physician about 27 minutes to download the
image.
The hospital administration would be exposing itself to surgical
complications at worst and idle physician time at best. Obviously, this is not
an ideal situation; more bandwidth would clearly be needed to support this
medical application.
Recognizing the growing demand for higher-speed networks, the IEEE formed
the 802.3u committee to begin work on a 100Mbps technology that works over
twisted-pair cables. In June 1995, IEEE approved the 802.3u specification
defining a system that offered vendor interoperability at 100 Mbps.
Like 10Mbps systems such as 10BASE-T, the 100Mbps systems use CSMA/CD, but
they provide a huge improvement over legacy 10Mbps networks. Because they
operate at ten times the speed of 10Mbps Ethernet, all timing factors scale by
a factor of 10. For example, the slot time (the time it takes to transmit a
64-byte, or 512-bit, frame) for 100Mbps Ethernet is 5.12 microseconds,
one-tenth that of 10Mbps Ethernet.
An objective of the 100BASE-X standard (here the X is a variable whose value
correlates to a particular 100Mbps standard) was to maintain a common frame
format with legacy Ethernet. Therefore, 100BASE-X uses the same frame sizes
and formats as 10BASE-X; only the timing parameters shrink to one-tenth
because of the higher data rate. When passing frames from a 10BASE-X to a
100BASE-X system, the interconnecting device does not need to rebuild the
Layer 2 header because it is identical on the two systems.
The original Ethernet-over-twisted-pair standard, 10BASE-T, supports
Category 3, 4, and 5 cables up to 100 meters in length. 10BASE-T uses
Manchester encoding and signals at 20 megahertz (MHz), a rate well within the
bandwidth capacity of all three cable types. Because of the higher signaling
rate of 100BASE-T, a single method that works over all cable types was highly
unlikely. The encoding technologies available at the time forced the IEEE to
create variants of the standard to support Category 3 and Category 5 cables
separately. A fiber-optic version was created as well.
Figure 2 Full-Duplex Ethernet Design
This chapter began with a discussion of legacy Ethernet and CSMA/CD.
Legacy Ethernet uses CSMA/CD because it operates on shared media where
only one device can talk at a time. When a station talks, all other devices
must listen or the system experiences a collision. In a 10Mbps system
operating at half duplex, the total bandwidth available is dedicated to either
transmitting or receiving, depending on whether the station is the source or
the destination.
The original LAN standards operate in half-duplex mode, allowing only one
station to transmit at a time, as shown in Figure [1]. This was a result of the
early physical-media Ethernet implementations, such as 10BASE-5 and 10BASE-2,
where all stations were attached to the same cable, or "bus." With the
introduction of 10BASE-T, networks deployed hubs and attached each station to
the hub on a dedicated point-to-point link. Stations no longer share the wire
in this topology, although a repeater hub still forwards every frame out every
port, so the stations remain in one collision domain. 100BASE-X uses the same
dedicated point-to-point links. Because each link has exactly one transmitter
at each end, a new operational mode becomes feasible when the device at the
far end is a switch port rather than a repeater: instead of half duplex, the
two ends can operate in full-duplex mode, which allows a station to transmit
and receive at the same time, as shown in Figure [2], eliminating the need for
collision detection. This doubles the most precious network commodity,
bandwidth. When a station operates in full-duplex mode, it transmits and
receives at full bandwidth in each direction.
The most bandwidth that a legacy Ethernet device can expect to enjoy is 10
Mbps. It either listens at 10 Mbps or transmits at 10 Mbps. In contrast, a
100BASE-X device operating in full-duplex mode sees 200 Mbps of bandwidth-
100 Mbps for transmitting and 100 Mbps for receiving. Users upgraded from
10BASE-T to 100BASE-X have the potential to immediately enjoy a twentyfold
or more bandwidth improvement. If the user was previously attached to a shared
10Mbps system, he/she might practically enjoy only a few megabits per second
of effective bandwidth. Upgrading to a full-duplex 100Mbps system might
provide a perceived one-hundredfold improvement.
The IEEE 802.3x committee designed standards for full-duplex operation for
10BASE-T, 100BASE-X, and 1000BASE-X. The 802.3x standard also defined a
flow-control mechanism that allows a receiver to send a special frame back to
the source whenever its buffers are about to overflow. This frame is called a
pause frame; it is sent to the reserved multicast address 01-80-C2-00-00-01,
is acted on by the device at the far end of the link, and is never forwarded
by a bridge. In the pause frame, the receiver asks the source to stop sending
for a specified period of time. If the receiver can handle incoming traffic
again before the timer value in the pause frame expires, it can send another
pause frame with the timer set to zero, which tells the sender that it may
start sending again. Because any station on a link can emit a pause frame and
stall its neighbor, flow control is normally left disabled on ports that face
untrusted hosts.
1.2.3 100BASE-TX
1.2.4 100BASE-T4
Not all building infrastructures use Category 5 cable; some use Category 3.
Category 3 cable was installed in many locations to support voice transmission,
and it is frequently referred to as voice-grade cable. It is tested for voice
and low-speed data applications up to 16 megahertz (MHz). Category 5 cable, on
the other hand, is intended for data applications and is tested up to 100 MHz.
Because Category 3 cable exists in so many installations, and because many
10BASE-T installations run on Category 3 cable, the IEEE 802.3u committee
included a Category 3 option, 100BASE-T4.
As with 10BASE-T, 100BASE-T4 links work up to 100 meters. To support the
higher data rates, 100BASE-T4 uses more cable pairs. Three pairs support
transmission and one pair supports collision detection. Another technology
aspect to support the high data rates over a lower bandwidth cable comes from
the encoding technique used for 100BASE-T4. 100BASE-T4 uses an encoding
method of 8B/6T (8 bits/6 ternary signals), thus significantly lowering the
signaling frequency and making it suitable for voice-grade wire.
1.2.5 100BASE-FX
1.2.6 Practical considerations before moving to Fast
Ethernet
Another appropriate use of Fast Ethernet is for backbone segments. A corporate
network often has an invisible hierarchy where distribution networks to the users
are lower-speed systems, whereas the networks interconnecting the distribution
systems operate at higher rates. The decision to deploy Fast Ethernet as part of
the infrastructure is driven by corporate network needs, as opposed to individual
user needs, as previously considered.
1.3 Gigabit Ethernet
1.3.1 Specifications
Figure 1 Specifications
1.3.2 Gigabit architecture
Gigabit Ethernet merges aspects of 802.3 Ethernet and Fibre Channel, a gigabit
technology intended for high-speed interconnections between file servers as a
LAN replacement. The Fibre Channel standard details a layered network model
capable of scaling to bandwidths of 4 gigabits per second (Gbps) and of
extending to distances of 10 km. Gigabit Ethernet borrows the bottom two layers
of the standard: FC-1 for encoding/decoding and FC-0, the interface and media
layer. FC-0 and FC-1 replace the physical layer of the legacy 802.3 model. The
802.3 MAC and LLC layers contribute the higher levels of Gigabit Ethernet. The
figure illustrates the merger of the standards to form Gigabit Ethernet.
The Fibre Channel standard incorporated by Gigabit Ethernet signals at 1.0625
gigabaud over fiber optics and supports roughly 800Mbps of data throughput.
Gigabit Ethernet increases the signaling rate to 1.25 gigabaud. Gigabit
Ethernet uses 8B/10B encoding, so 1 Gbps of the 1.25 Gbaud line rate is
available for data. The 8B/10B encoding is similar to the 4B/5B encoding
discussed for 100BASE-TX, except that for every 8 bits of data, 2 bits are
added, creating a 10-bit symbol. This encoding technique simplifies fiber-optic
designs at this high data rate. The optical connector used by Fibre Channel,
and therefore by Gigabit Ethernet, is the SC (subscriber connector) style. This
is the push-in/pull-out, or snap-and-click, connector adopted by manufacturers
to overcome deficiencies of the ST (straight tip) style connector. The ST
connector previously preferred was a bayonet type that required finger space on
the front panel to twist the connector into place. The finger-space
requirement reduced the number of ports that could be built into a module.
1.3.3 Full duplex and half duplex support
Like Fast Ethernet, Gigabit Ethernet supports both full- and half-duplex modes
with flow control. In half-duplex mode, the system operates using CSMA/CD
and must consider the reduced slotTime even more carefully than Fast Ethernet.
The slotTimes for 10BASE-X and 100BASE-X networks are 51.2 and 5.12
microseconds, respectively. These are derived from the smallest frame size of
64 octets (512 bits). In a 100BASE-X network, the slotTime translates into a
network diameter of about 200 meters. If the same minimum frame size were used
in Gigabit Ethernet, the slotTime would shrink to 0.512 microseconds and the
diameter to about 20 meters. This is not feasible. Therefore, 802.3z developed
carrier extension, which lets the network distance extend further in
half-duplex mode while still supporting the smallest 802.3 frames.
The carrier-extension process increases the slotTime value to 4096 bits or 4.096
microseconds. The transmitting station expands the size of the transmitted frame
to ensure that it meets the minimal slotTime requirements by adding nondata
symbols after the frame check sequence (FCS) field of the frame. Not all frame
sizes require carrier extension. The 8B/10B encoding scheme used in Gigabit
Ethernet defines various combinations of bits called symbols. Some symbols
signal real data, whereas the rest indicate nondata. The station appends these
nondata symbols to the frame. The receiving station identifies the nondata
symbols, strips off the carrier extension bytes, and recovers the original message.
The figure shows the anatomy of an extended frame.
The addition of the carrier extension bits does not change the actual Gigabit
Ethernet frame size. The receiving station still expects to see no fewer than 64
octets and no more than 1518 octets.
1.3.4 Gigabit media options
IEEE 802.3z specified several media options to support different grades of fiber-
optic cable and one version to support a new copper cable implementation. The
fiber-optic options vary according to the size of the fiber and the modal
bandwidth. The table in the graphic summarizes the options and the distances
supported by each.
The 1000BASE-SX Ethernet format uses the short wavelength of 850
nanometers (nm). Although this is a laser-based system, the distances supported
are generally shorter than for 1000BASE-LX. This results from the interaction of
the light with the fiber cable at this wavelength. Why use 1000BASE-SX then?
Because the components are less expensive than for 1000BASE-LX. Use this
least-expensive method for short distances (for example, within an equipment
rack).
In fiber-optic systems, light sources differ in the type of device (LED or laser)
generating the optical signal and in the wavelength they generate. Wavelength
correlates to the frequency of radio frequency (RF) systems. In the case of
optics, wavelength is specified rather than the frequency. In practical terms, this
corresponds to the color of the light.
Typical wavelengths are 850 and 1300 nm. Both are in the infrared: 850-nm
light lies just beyond the red end of the visible spectrum and is at best
faintly perceptible, and 1300-nm light is entirely invisible. This is exactly
why the safety rule matters: a port or fiber end can be emitting at full power
while appearing dark. Never look into a port or the end of a fiber; it can be
hazardous to the eyes. The 1000BASE-LX Ethernet format uses 1300-nm laser
sources; the L of LX stands for long wavelength. Use the LX option for
longer-distance requirements and whenever single-mode fiber must be used.
Not included in the table in the figure is a copper media option. The
1000BASE-CX Ethernet format uses a 150-ohm balanced shielded copper cable.
This cable type is not well known in the industry, but it is necessary to
support high-bandwidth data over copper. 1000BASE-CX supports transmissions up
to 25 meters. It is intended to interconnect devices collocated within an
equipment rack, for example when Catalyst switches are stacked in a rack, a
high-speed link between them is desired, and the expense of fiber-optic
interfaces is too high.
Another copper version is the 1000BASE-T standard, which uses Category 5
twisted-pair cable. It supports up to 100 meters, and uses all four pairs in the
cable. This offers another low-cost alternative to 1000BASE-SX and
1000BASE-LX and does not depend upon the special cable used with
1000BASE-CX. This standard is under the purview of the IEEE 802.3ab
committee.
1.4 Determining Bandwidth Needs
In order to determine the bandwidth needed for each link, one must determine
the aggregate average bandwidth of all devices that will use that link. The figure
shows a sample network topology that uses both standard Ethernet and Fast
Ethernet links. In the following sections, information about user traffic patterns
and network connections will be presented and a decision made as to whether or
not a Fast Ethernet link will be sufficient.
1.4.2 Gathering user statistics
The following list outlines the user statistics for this sample network.
• One thousand users are housed in this building.
• Each floor houses 100 users.
• Each floor has one 24-port 10Mbps switch, allowing four users per port
via use of a hub.
• Shared-media Ethernet can support approximately 4 Mbps of data under
load; therefore, in this example each user has 1 Mbps of bandwidth.
• User standard applications are e-mail and word processing.
• Each floor is a separate IP subnet.
1.4.3 Gathering traffic statistics
• If all users simultaneously accessed the network, the switch would
receive 24 ports x 4 Mbps, yielding an aggregate bandwidth of 96
Mbps.
Table [2] outlines these statistics.
As calculated in the previous section, the link between the access- and
distribution-layer switches must be capable of carrying up to 96 Mbps of traffic.
The decision for the type of link depends on the following factors:
• If the link is Fast Ethernet in full-duplex mode, the link is capable of
carrying 100 Mbps of traffic in each direction. This type of link would
indeed support a 96Mbps load.
• If the link is standard Ethernet in full-duplex mode, the link is capable of
carrying 10 Mbps of traffic. This capacity is one-tenth the offered load,
and packets would be dropped after switch and port buffers are
consumed. If this situation is unacceptable, then Fast Ethernet must be
chosen.
• If virtual LANs (VLANs) are implemented in this network, then it is
possible that the link may have to operate in "trunk" mode. If this were
the case, then Fast Ethernet would be required.
1.4.5 Determining the distribution-layer requirements
In this example, the distribution layer must be capable of providing the following
capacity:
• Total load at the distribution-layer switch is the number of access
switches x 96 Mbps. In this scenario, there are ten access switches, or 10
x 96 Mbps, yielding a 960Mbps aggregate bandwidth requirement at the
distribution layer.
• Eighty percent of the traffic is local to the switch block and is not routed
across the core.
• Twenty percent of the traffic is remote and is routed toward the core.
• Taking into consideration that only 20 percent of traffic is remote, 20
percent x 960 Mbps, yields 192 Mbps of traffic that must be able to
cross the core.
This sample network supports a redundant core; therefore, each core link
would carry 50 percent of the traffic load, or 96 Mbps of traffic. In the
worst case that load arrives as minimum-size 64-byte frames, so the
distribution switch must be capable of switching about 187,000 packets per
second (96 Mbps divided by 512 bits per frame is 187,500 pps).
The Layer 3 module of the distribution-layer switch will be responsible for
routing the remote traffic to the core. Therefore, a switch must be chosen that
will support this amount of traffic.
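The calculation chain of this section, as an added Python example that is not from the course material: it reproduces the 96, 960, 192 and 96 Mbps figures and makes explicit where the packets-per-second number comes from, with the frame size as a parameter, because a switch that handles 96 Mbps of 1518-byte frames at about 7,900 pps can still be overwhelmed by the same 96 Mbps arriving as minimum-size frames at 187,500 pps, which is exactly what a flood of small packets produces. The default values are the text's figures; the function and key names are my own.

```python
def capacity_plan(ports=24, port_mbps=4.0, access_switches=10,
                  remote_fraction=0.20, core_links=2, frame_bytes=64):
    """Switch-block bandwidth budget, following the section's steps.
    Defaults are the text's figures; frame_bytes is the packet size assumed
    when the per-core-link load is converted into packets per second."""
    uplink = ports * port_mbps                    # one access switch's uplink
    distribution = uplink * access_switches       # every uplink lands here
    remote = distribution * remote_fraction       # share that crosses the core
    per_core_link = remote / core_links           # split over the redundant core
    pps = per_core_link * 1_000_000 / (frame_bytes * 8)
    return {"uplink_mbps": uplink, "distribution_mbps": distribution,
            "remote_mbps": remote, "per_core_link_mbps": per_core_link,
            "core_pps": pps}


def link_choice(offered_mbps, full_duplex_rates=(10, 100, 1000)):
    """Smallest full-duplex Ethernet rate whose per-direction capacity covers
    the offered load, or None if none of the candidate rates does."""
    for rate in full_duplex_rates:
        if rate >= offered_mbps:
            return rate
    return None


if __name__ == "__main__":
    base = capacity_plan()
    print(f"access uplink {base['uplink_mbps']:.0f} Mbps -> "
          f"{link_choice(base['uplink_mbps'])} Mbps full duplex")
    print(f"distribution aggregate {base['distribution_mbps']:.0f} Mbps, "
          f"remote {base['remote_mbps']:.0f} Mbps, "
          f"per core link {base['per_core_link_mbps']:.0f} Mbps")
    for size in (64, 1518):
        print(f"  at {size}-byte frames: {capacity_plan(frame_bytes=size)['core_pps']:,.0f} pps")
```

When sizing the Layer 3 module, use the minimum-frame figure rather than an average packet size; forwarding capacity that is only adequate for the average is what turns a small-packet flood into an outage.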
This topology presents no redundancy between the end user and the core. If the
link between an access switch and the distribution device fails, 100 users
lose connectivity. If the distribution device fails, the whole building is
disconnected from the network. One solution is to add a second distribution
switch with backup links to each access switch.
Summary
After completing this chapter, the student should a have a firm understanding of
the following concepts:
• Despite the advent of superior standards, 10 Mbps Ethernet is the most
pervasive LAN technology in the networking industry.
• Several 10 Mbps systems still exist with varied media options such as
copper and fiber. This type of connection method will exist for at least
another few years.
• Because of the limitations that legacy Ethernet can impose on some
applications, higher speed network technologies had to be developed.
IEEE created Fast Ethernet to meet this need.
• With the capability to run in full-duplex modes, Fast Ethernet offers
significant bandwidth leaps to meet the needs of many users.
• For real bandwidth consumers, Gigabit Ethernet offers even more
capacity to meet the needs of trunking switches together and to feed high
performance file servers.
Section 2
1-2 Switching Section 2: Configuring the Switch Copyright 2002, Cisco Systems, Inc.
Overview
Those familiar with Cisco routers use a command-line interface (CLI) embedded
in the Cisco IOS Software. The CLI characteristics are seen across nearly all of
the router product line. However, most Catalyst switch CLIs differ from those
found on Cisco routers. This chapter describes the CLI, including aspects such as
command-line recall, command editing, uploading and downloading code
images, and configuration files.
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
2.1 Initial Connectivity to the Switch
• RJ-45-to-D-subminiature female adapter (labeled Terminal) to connect a
UNIX workstation
• RJ-45-to-D-subminiature male adapter (labeled Modem) to connect a
modem
Step 3 Connect the other end of the supplied rollover cable to the RJ-45 port.
Step 4 From the management station, start the terminal emulation program.
On the Cisco 1900 and 2800 Series switches, the port types are fixed. All
10BASE-T ports (ports 1x through 12x or ports 1x through 24x) can be
connected to any 10BASE-T-compatible device. The 100BASE-TX ports (ports
Ax and Bx) can be connected to any 100BASE-TX-compatible device.
The Cisco 4000/5000/6000 Series switches have ports that can be configured for
either 10BASE-T or 100BASE-T connections.
When connecting the switch to servers, workstations, and routers, it is necessary
to use a straight-through cable. When connecting to other switches or repeaters,
it is necessary to use a crossover cable. The port status LED will illuminate
when both the switch and the connected device are powered up. If the LED is not
illuminated, it is possible that one of the devices may not be turned on; there
may be a problem with the adapter on the attached device or with the cable, or
the wrong type of cable may be in use.
Lab Activity
In this lab activity, you will learn how to upgrade the 4006 Supervisor software.
Lab Activity
In this lab activity, you will learn how to configure a Cisco Catalyst 4000
Ethernet switch for first time.
2.2 Basic Configuration of the Switch
Figure 2 clear config all Output
switch, the erase startup-config command erases the configuration
that is stored in NVRAM. On a 2900 switch, this does not erase the VLAN
information. In order to erase the VLAN information, use the del
flash:vlan.dat command. [1]
The clear config all command affects only modules that are directly
configured from the Supervisor module. To clear the configurations on the router
modules, access the modules with the session module_number
command. This command performs the equivalent of an internal Telnet to the
module. To display which slot the router module is in, use the show module
command. The router modules on a switch use Cisco IOS commands to change,
save, and clear configurations.
Unlike routers, the set command-based switch immediately stores commands in
nonvolatile random-access memory (NVRAM) and does not require the copy
run start command. Any command typed into a switch is immediately
stored and remembered, even through a power cycle. This presents a challenge
when attempting to reverse a series of commands. On a router, to reverse a series
of commands perform a reload without writing the running configuration into
NVRAM.
Before making serious changes to a set command-based switch, copy the
configuration to a backup text file or to a Trivial File Transfer Protocol (TFTP)
server (described later in this section). Use the clear config all
command to clear the switch. Then load the previously saved configuration file.
On the other hand, when working with a Cisco IOS command-based switch, the
switch behaves much more like a router. In the switch user EXEC mode, changes
cannot be made. Use the enable command to access privileged mode and
view the extensive list of configuration parameters. To configure the switch,
enter configuration mode by using the configure command. This command
puts the switch in global configuration mode.
Configuring the switch through the console and through Telnet allows
commands to be entered in real time, but only one at a time. Unlike set
command-based switches, the Cisco IOS command-based switch does not
immediately store commands in NVRAM, and does require a copy run
start like a router. This greatly reduces the challenge when attempting to
reverse a series of commands. As with a router, to reverse a series of
commands execute a reload (provided that the running configuration wasn’t
saved into NVRAM).
2.2.2 Setting a password
Figure 3 Setting a Password
One of the first tasks to perform when configuring a device is to secure it
against unauthorized access. The simplest form of security is to limit access
to the switches with passwords. Setting passwords limits the level of access or
completely excludes a user from logging on to a switch.
Two types of login passwords can be applied to switches. The login password
requires authentication before accessing any line, including the console. The
enable password requires authentication before setting or changing switch
parameters.
Cisco also provides levels of authority. A privilege level of 1 gives the user
normal EXEC-mode privileges. A privilege level of 15 is the level of access
granted by the enable password.
To set passwords on a set-based switch, enter the commands demonstrated in
Figure [1]. To remove a password, enter the no enable password level
number command. Figure [2] shows an example of a Cisco 5000 Series switch
that has both a console login and an enable password set. Passwords are
displayed in encrypted form.
To set passwords on a Cisco IOS software-based switch, enter either one or both
of the following commands in global configuration mode:
Switch(config)#enable password password
Switch(config)#enable secret password
where password is a combination of four to eight alphanumeric characters. The
difference between the two is that the enable secret command stores a one-way
MD5 hash of the password (shown as type 5 in the configuration), whereas the
enable password command stores the password in cleartext. Adding the
service password-encryption command only converts that cleartext to Cisco's
type 7 encoding, which is reversible with publicly available tools, so it hides
the password from someone glancing at the screen but not from anyone who can
read the configuration file. When both commands are configured, the enable
secret takes precedence; the enable password is then best removed, since it is
a second, weaker copy of an administrative credential. Figure [3] has an
example of these commands being used.
Figure [4] contains an example of a switch where the console password is cisco
and the password cisco4me is the enable password required for privileged mode.
Notice how both passwords are shown in encoded form.
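As an added example (not part of the original course material), the following Python shows why the distinction above matters in practice. It decodes the type 7 encoding that service password-encryption applies to enable password and line passwords, using the publicly known 40-character key, and audits two constructed running-config excerpts: a weak one that uses the page's cisco and cisco4me passwords, and a hardened one that relies on enable secret and login local. The hash strings in the hardened excerpt are labelled placeholders rather than real MD5 values, and all function names are my own.

```python
import re

# Public key of Cisco's reversible "type 7" encoding (a repeating XOR).
# Because it is public, 'service password-encryption' is not a security control.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string (2-digit key offset + hex bytes) to cleartext."""
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(clear: str, seed: int = 8) -> str:
    """Produce a type-7 string, so the sample configs are self-consistent."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(clear))
    return f"{seed:02d}{out.hex().upper()}"


def audit_config(config: str) -> list:
    """Return findings for a running-config excerpt: recoverable enable or line
    passwords, a missing enable secret, and lines that never ask for login."""
    findings, has_secret, has_local_user = [], False, False
    lines, current = {}, None          # "con 0" -> {"password": bool, "login": str}
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = None             # an unindented command ends a line block
        if s.startswith("enable secret"):
            has_secret = True
        elif s.startswith("enable password"):
            m = re.match(r"enable password(?: ([07]))? (\S+)$", s)
            if m:
                kind, value = m.groups()
                shown = type7_decode(value) if kind == "7" else value
                findings.append(f"enable password recoverable as {shown!r}; use 'enable secret'")
        elif s.startswith("username ") and " secret " in s:
            has_local_user = True
        elif s.startswith("line "):
            current = s[5:]
            lines[current] = {"password": False, "login": None}
        elif current and s.startswith("password"):
            lines[current]["password"] = True
            m = re.match(r"password 7 (\S+)$", s)
            if m:
                findings.append(f"line {current}: type 7 password recoverable as {type7_decode(m.group(1))!r}")
        elif current and s.startswith("login"):
            lines[current]["login"] = s
    if not has_secret:
        findings.append("no 'enable secret' configured")
    for name, st in lines.items():
        if st["login"] is None:
            findings.append(f"line {name}: no 'login', sessions are never asked for a password")
        elif st["login"] == "login" and not st["password"]:
            findings.append(f"line {name}: 'login' without 'password', connections are refused")
        elif st["login"] == "login local" and not has_local_user:
            findings.append(f"line {name}: 'login local' but no local username with a secret")
    return findings


# Constructed excerpts, not captures from a real device.
WEAK_CONFIG = f"""\
hostname Switch
enable password cisco4me
!
line con 0
 password 7 {type7_encode("cisco")}
 login
line vty 0 4
 password cisco
"""

HARDENED_CONFIG = """\
hostname Switch
! the $1$... strings below are placeholders, not real MD5 hashes
username admin secret 5 $1$placeholder$notarealhash
enable secret 5 $1$placeholder$notarealhash
!
line con 0
 login local
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

The hardened excerpt uses local usernames with secret rather than line passwords because, on this generation of IOS, a line password can only be stored as cleartext or type 7, whereas a username secret is hashed.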
Every switch arrives from the factory with the same default prompt. In a large
campus network, it is crucial to establish a coherent naming structure for the
switches. This is especially true because most network administrators use Telnet
to connect to many switches across the campus.
To set the host or system name on a Cisco IOS software-based switch such as the
Cisco 2900 XL, enter the following command in global configuration mode:
Switch(config)#hostname name
where name can be from 1 to 255 alphanumeric characters.
As soon as the hostname command is executed, the system prompt assumes
the hostname, as seen in Figure [1]. To remove the system name, enter the no
hostname command in global configuration mode.
If the switch is a set-based switch, the name assigned for the system name is
used to define the system prompt. To assign a system name to the switch, enter
the following command in privileged mode:
System> (enable) set system name name
where name sets the system's name.
To assign a name to the CLI prompt that differs from the system enter the
following command in privileged mode.
System> (enable) set prompt name
where name sets the CLI prompt. [2]
Lab Activity
In this lab activity, you will learn how to configure a Cisco Catalyst 2900
Ethernet switch for first time.
2.2.4 Configuring the switch for remote access
To assign an IP address on a Cisco IOS software-based switch, follow these
steps [1]:
1. Enter global configuration mode on the switch.
2. Go to interface VLAN 1 by issuing the command:
Switch(config)#interface vlan 1.
3. Enter the switch IP address with the command: Switch(config-
if)#ip address address mask.
4. To reach the switch from another subnet through a router, a default gateway
must be configured on the switch. This is done in global configuration mode
with the command: Switch(config)#ip default-gateway
address.
The show ip interface command displays the IP address and the subnet
mask for the device. In the example in Figure [1], the management interface
resides in VLAN1, which is the default management VLAN, and has a subnet
mask of 255.255.255.0.
To remove the IP address and subnet mask, enter the no ip address
command on the vlan interface.
If the switch is a Catalyst OS set command-based switch, assign the IP address to
the in-band logical interface. To assign an IP address to this interface, enter the
following command in privileged mode:
Switch>(enable) set interface sc0 address netmask [broadcast address]
Defining the in-band management IP address also assigns the IP address to its
associated management VLAN. The number of the VLAN must match the
subnet number of the IP address. To associate the in-band logical interface with a
specific VLAN, enter the following command in privileged mode:
Switch>(enable) set interface sc0 [vlan]
If a VLAN is not specified, the system automatically defaults to VLAN1 as the
management VLAN.
The show interface command displays the IP address and the subnet mask
for the device. In the previous example, the management interface resides in
VLAN1 and has a subnet mask of 255.255.255.0. [2]
In this activity, you will learn how to configure basic switch management on the
Catalyst 4000.
In this activity, you will learn how to configure basic management on the
Catalyst 2900 series access switch.
2.2.5 Identifying individual ports
To add a unique comment to an interface on a Cisco IOS Software-based switch,
enter the following command in interface configuration mode.
Switch(config-if)# description description string
To enter a description with spaces between characters, enclose the string in
quotation marks. For example: Switch(config-if)#description "Port
to fourth floor switch." An example of this is shown in Figure [1].
To clear a description, enter the no description command on the interface
in interface configuration mode.
If the access switch uses a set-based command structure, assign a description to a
port by entering the following command in privileged mode.
Switch> (enable) set port name mod/number description
The description must be less than 21 alphanumeric characters, and spaces can be
entered in the description without having to use quotation marks.
To clear a port name, enter the set port name mod/num command,
followed by a carriage return in privileged mode. By not defining a port name,
the value for this parameter is cleared. This command can be verified by using
the show port command, as shown in Figure [2].
On a Cisco IOS software-based switch, the speed of a port is set using the
speed {10|100|auto} command from interface configuration mode.
If the switch is a set-based switch, enter the following command in privileged
mode to configure the port speed on 10/100-Mbps Fast Ethernet modules:
Switch> (enable) set port speed mod/num 10|100|auto
where
• mod indicates the port module number.
• num indicates the port number.
• {10 | 100 | auto} indicates the port speed. If the port is placed in auto, both
speed and port duplex are negotiated automatically.
Full-duplex is the simultaneous action of transmitting and receiving data by two
devices. This operation is achievable only if the devices on each end support
full-duplex.
Full-duplex links not only double potential throughput, but also eliminate
collisions and the need for each station to wait until the other station finishes
transmitting. If reads and writes on a full-duplex link are symmetric, data
throughput can be theoretically doubled. However, in reality, bandwidth
improvements are more modest.
Full-duplex links are particularly useful for server-to-server, server-to-switch,
and switch-to-switch connections.
To set the duplex mode of an interface on a Cisco IOS software-based switch,
enter the following command in interface configuration mode:
Switch(config-if)#duplex auto | full | half
Parameter   Definition
auto        Sets the 100BASE-TX port into auto-negotiation mode. This is the
            default for the 100BASE-TX port; this argument is valid on
            100BASE-T ports only.
Note: Use the auto argument only for fixed Fast Ethernet TX ports. In
auto-negotiation mode, the switch attempts to negotiate full-duplex
connectivity with the connecting device. If negotiation is successful, the
port operates in full-duplex mode. If the connecting device is unable to
operate in full duplex, the port operates in half duplex. This process is
repeated whenever there is a change in link status.
The example in Figure [1] shows that the fixed port FastEthernet 0/2 is
configured for full-duplex mode. To return the duplex parameter to the default
setting, enter the no duplex command in the interface configuration mode.
To set the port duplex mode on a set-based switch, enter the following command
in privileged mode:
Switch> (enable) set port duplex mod/port full | half
where
• Half-duplex mode is the default for 10-Mbps ports.
• Full-duplex mode is the default for 100-Mbps ports.
Use the show port command to verify the configuration. The example in
Figure [2] shows that the 10/100 Ethernet module 6 port 1 is connected and is
operating in full-duplex mode. It is important to note that sometimes ports are
not activated by default. To activate a port, enter the set port enable
mod/port command in privileged mode.
2.3 Important IOS Features
A "bang" is an ! (exclamation point) on a keyboard. When dictating commands,
"exclamation mark" is too difficult to say, so "bang" is used as a verbal shortcut.
Figure [1] summarizes the key sequence for recalling previous commands in the
history buffer.
It is possible not only to recall a command, but also to edit it. Figure [2]
shows the sequences to recall and edit previous commands. For example, observe
the command set vlan 3 2/1-10,4/12-216/1,5/7. This command
string assigns a set of ports to VLAN 3. However, the host machines were
meant for VLAN 4 rather than VLAN 3. Instead of retyping the whole command
a second time and moving the ports to VLAN 4, simply type ^3^4. This forces
the Catalyst switch not only to reuse the previous command, but also to change the
number 3 to a number 4, which in this case corrects the VLAN assignment.
One frustration with command recall is remembering which command was
entered seven lines earlier. This is particularly challenging because the Catalyst
history buffer stores up to 20 commands. Use the history command to see
the history buffer. Figure [3] shows output from a history command. Notice that
the commands are numbered, allowing the user to reference a specific entry for
command recall. In the example, command 2 is recalled from the history buffer,
which caused the Catalyst switch to recall the history command. Note also that
new commands are added to the bottom of the list; newer commands have higher
numbers.
Figure 3 Command Recall after Help
The help command on a Cisco IOS command-based switch works the same as
that on a router. On a switch, access help by entering ? on a command line. The
switch then prompts the user with all possible choices for the next parameter.
By typing in the next parameter and typing ? again, the switch displays the next
set of command-line choices. In fact, the switch displays help on a parameter-by-
parameter basis. Additionally, when the switch displays help options, it also ends
by displaying the portion of the command that was entered so far. This enables
the user to continue to append commands to the line without needing to reenter
the previous portion of the command.
The help system on a set command-based switch functions differently from the
router. Help is accessed in the same manner as in a router, but the results
differ. For example, where a router prompts the user for the next parameter, a
Catalyst switch displays the entire usage options for the command. Figure [1]
shows the help result for a partial command string. The string does not uniquely
identify what parameter should be modified and lists all related commands.
On the other hand, if enough of the command is entered on the line that the
Catalyst switch recognizes what command was intended, it displays the options
for that command. This time, in Figure [2], the string identifies a specific
command and the Catalyst switch displays help appropriate for that command.
The user here wants to modify the console interface in some way, but is unsure
of the syntax used with the command.
Notice that when the console displays help, it returns a blank command line.
Unlike a router, it does not redisplay the command string entered so far. Now
use command recall. To disable the logical interface sc0, enter the command
set int sc0 down, using command recall to complete it. What happens if the
command typed is !! sc0 down? The command usage screen appears again, and
the interface does not change state to down. This happens because command
recall re-executes the previous statement, set int ?, together with its help
question mark and the appended parameters. The switch interprets the resulting
string as set int ? sc0 down, sees the question mark, and displays help. [3]
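The recall sequences described in this section (the `^3^4` substitution, `!N` recall from the numbered history buffer, and the `!! sc0 down` surprise) as an added Python emulation; this is not Cisco code, and the sample session, the 20-entry buffer size taken from the text, and the behaviour when a `^old^new` target does not match are assumptions of the example.

```python
"""Emulation of Catalyst set-based CLI history recall.

Added example for this section (not Cisco code): models the recall forms the
text describes: `!!` (repeat last command, optionally with appended
parameters), `!N` (recall entry N of the numbered history list), `^old^new`
(re-run the last command with one substitution), and the rule that any line
containing `?` is treated as a help request instead of being executed.
"""
import re
from dataclasses import dataclass, field

# The text states the Catalyst history buffer stores up to 20 commands.
HISTORY_SIZE = 20

# Patterns for the three recall forms discussed in the text.
_REPEAT_LAST = re.compile(r"!!(.*)")             # !! [extra parameters]
_RECALL_N = re.compile(r"!(\d+)(.*)")            # !N [extra parameters]
_SUBSTITUTE = re.compile(r"\^([^^]*)\^([^^]*)")  # ^old^new


@dataclass
class CatalystHistory:
    """History buffer plus the recall/expansion logic of the switch CLI."""

    entries: list = field(default_factory=list)

    def _record(self, line: str) -> None:
        # Newer commands go to the bottom; the oldest entry drops off once
        # the buffer already holds HISTORY_SIZE commands.
        self.entries.append(line)
        if len(self.entries) > HISTORY_SIZE:
            del self.entries[0]

    def history(self) -> list:
        """Numbered history, as the `history` command would display it."""
        return [f"{n} {cmd}" for n, cmd in enumerate(self.entries, start=1)]

    def expand(self, line: str) -> str:
        """Apply history substitution to `line`; returns the full command."""
        if not self.entries:
            if line.startswith(("!", "^")):
                raise ValueError("history buffer is empty")
            return line
        last = self.entries[-1]

        m = _SUBSTITUTE.fullmatch(line)
        if m:
            old, new = m.groups()
            if old not in last:
                # Assumed behaviour (not stated in the text): nothing to re-run.
                raise ValueError(f"substitution target {old!r} not in {last!r}")
            return last.replace(old, new, 1)

        m = _REPEAT_LAST.fullmatch(line)
        if m:
            # `!! sc0 down` appends the parameters to the previous line,
            # whatever that line was, including one that ended in `?`.
            return last + m.group(1)

        m = _RECALL_N.fullmatch(line)
        if m:
            n = int(m.group(1))
            if not 1 <= n <= len(self.entries):
                raise ValueError(f"no history entry {n}")
            return self.entries[n - 1] + m.group(2)

        return line

    def run(self, line: str) -> tuple:
        """Expand, record, and classify a line as ('help', cmd) or ('execute', cmd)."""
        cmd = self.expand(line)
        self._record(cmd)
        # The switch sees a question mark anywhere in the string and shows
        # the usage screen instead of changing any state.
        if "?" in cmd:
            return ("help", cmd)
        return ("execute", cmd)


if __name__ == "__main__":
    h = CatalystHistory()
    # Constructed sample session mirroring the section's examples.
    h.run("set vlan 3 2/1-10,4/12-21")
    print(h.run("^3^4"))              # ('execute', 'set vlan 4 2/1-10,4/12-21')
    print(h.run("set int ?"))         # ('help', 'set int ?')
    print(h.run("!! sc0 down"))       # ('help', 'set int ? sc0 down')
    print(h.run("set int sc0 down"))  # ('execute', 'set int sc0 down')
    print("\n".join(h.history()))
```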
2.3.3 Show commands on a set command-based switch
[Figure 1: Annotated Supervisor Configuration File (show config output with # section headings and ! comments; not reproduced)]
[Figure 3: show module output (not reproduced)]
2.3.4 Password recovery
If at any time the normal mode or enable passwords are lost, a password
recovery process must be started. Password recovery on the Catalyst
4000/5000/6000 Series differs from the methods used on a Cisco router or on
other models of switches.
To perform the password recovery procedure, a console connection must be
made. Password recovery requires a power cycle of the system by toggling the
power switch. Performing a power cycle on the switch forces it through its
initialization routines and eventually prompts the user for a password to enter
normal mode. At this point, the user has 30 seconds to perform password
recovery.
The trick in password recovery on the switch lies in its behavior during the first
30 seconds after booting. When the switch first boots, it ignores the passwords in
the configuration file. It uses the default password <ENTER> during this time.
Therefore, when the Catalyst Switch prompts the user for an existing password
at any time, simply type <ENTER> and the Catalyst switch accepts the
response. Immediately enter set password or set enablepass to change
the appropriate password(s).
During the password recovery process, when the switch prompts for the new
password, simply respond with <ENTER>. Otherwise, trying to type in new
passwords sometimes forces the user to reboot again. To minimize the
probability of entering a bad value, initially set the password to the default value.
After setting the enable and EXEC passwords to the default, the user can then go
back and change the values without the pressure of completing the process
during the 30-second time window provided for password recovery.
As with many security situations, it is extremely important to consider physical
security of the equipment. As demonstrated in the password recovery process, an
attacker simply needs the ability to reboot the Catalyst switch and access to the
console to get into the privileged mode. When in the privileged mode, the
attacker can make any changes that he or she desires. Keep wiring closets
secured and minimize access to console ports.
Lab Activity
In this lab activity, you will learn how to regain control of a Cisco Catalyst 4000
Ethernet switch after you have lost the passwords.
Lab Activity
In this lab activity, you will learn how to regain control of a Cisco Catalyst 2900
Ethernet switch after you have lost the passwords.
2.3.5 Setting an IDLE timeout
If a user is logged into a switch and performs no keystrokes (remains idle) for 5
minutes, the switch will automatically log the user out. This feature is referred to
as an "idle timeout." If a user forgets to log out and leaves the terminal
unattended, this feature would prevent someone from gaining unauthorized
access to the switch by using the terminal. Although the default setting of this
feature is 5 minutes, it can be altered with the set logout command on a set
command-based switch:
Switch> (enable) set logout number of minutes
The example in Figure [1] shows how to set the automatic session logout to 20
minutes and how to disable the automatic logout feature.
To configure a timeout on a Cisco IOS command-based switch, the user must
first choose the line (console or vty) to apply it to and then specify the amount of
time. This works just as a router would. The default timeout is 10 minutes. The
commands to set the timeout on the console port of a Cisco IOS command-based
switch to 20 minutes are shown in Figure [2].
2.3.6 Verifying connectivity
After the switch is assigned an IP address and at least one switch port is
connected to the network and properly configured, the switch can communicate
with other nodes on the network (beyond simply switching traffic).
To test connectivity to remote hosts, enter the following command in privileged
mode.
Switch> (enable) ping destination ip address
An example of this command is shown in Figure [1].
The ping command will return one of the following responses:
• Success rate is 100 percent or ip address is alive. This response occurs
in 1 to 10 seconds, depending on network traffic and the number of
Internet Control Message Protocol (ICMP) packets sent.
• Destination does not respond. No answer message is returned if the host
does not respond.
• Unknown host. This response occurs if the targeted host does not exist.
• Destination unreachable. This response occurs if the default gateway
cannot reach the specified network.
• Network or host unreachable. This response occurs if there is no entry in
the route table for the host or network.
The example in Figure [2] states that the destination IP address 10.1.1.1 can be
reached by the device generating the ping.
2.3.7 Backup and restoration of a configuration using a
TFTP server
Figure 3 Recovering Configuration Files from a TFTP Server
Most switches have a TFTP client, allowing users to retrieve and send
configuration files from/to a TFTP server. The actual syntax to perform TFTP
configuration file transfers varies based on the type of switch and version of
Supervisor module installed in the switch.
To save a configuration file from either a Supervisor I or Supervisor II module,
use the write net command. Figure [1] shows a session writing a
configuration file to a TFTP server. The server IP address and the filename are
clearly seen in the output.
For the switch to obtain the new configuration over the network, after having
cleared the configuration, a valid IP address and default gateway setting must
be restored. Retrieving a file from the server uses the command configure
network. When retrieving a file, a user must specify the source filename on the
TFTP server. [2]
For complete system recovery, make sure to have a copy of the
configuration file of each switch stored somewhere other than on the switch
itself. If anything happens to the Supervisor module, it might not be possible to
recover the configuration file. It is a big mistake to have to rebuild the entire
configuration file from scratch during a system outage, especially when a backup
copy could easily have been created on a network-accessible machine.
Through TFTP, a copy of the configuration file can be stored on a TFTP server
and recovered later when needed. The syntax varies, depending upon the version
of Supervisor module. This section assumes either a Cisco IOS command-based
switch or a set command-based switch with a Supervisor module.
As a side note, TFTP servers are inherently weak in terms of security. It is highly
recommended not to keep configuration files in a TFTP directory space until
there is an actual need to retrieve them. Anyone who compromises the TFTP server
can modify the configuration files without the owner's knowledge. The prudent
network administrator will maintain configuration files in a secure directory
space and copy them back to the TFTP directory space only when he or she is
ready to use them. Although this adds another step to the recovery process, the
security benefits definitely outweigh the procedural disadvantages.
Transferring Cisco IOS command-based switch configuration files via TFTP to
another device works the same as with a router. The command copy
running-config tftp copies the configuration file to a TFTP server at
the location specified. The recovery process works in reverse. To recover a
configuration file from a TFTP server, issue the command copy tftp
running-config. This loads the specified configuration file into
NVRAM and the "active" memory of the switch.
Transferring Supervisor III and Catalyst 4000/6000 configuration files via TFTP
to another device looks much like it does with a router. The command copy
config flash | file-id | tftp copies the configuration file to one
of three locations. The configuration file can be stored in the bootflash memory,
on a Flash card in a Flash slot (with a supervisor module that supports flash cards),
or on a TFTP server. When copying configuration files to or from the switch,
specify the source filename. Because of the Flash architecture on the Supervisor
III, several configuration files may be stored locally. However, only one can be
active. Therefore, the user must specify which of the local files is to be copied.
Recovering a configuration file works in reverse. To retrieve the file from a
TFTP server, use the command copy tftp flash | file-id |
config. When retrieving, write the configuration file to your bootflash, a
Flash card, or to the running configuration. To write the configuration file to the
running configuration, use the command form copy tftp config. Figure
[3] shows a session recovering the configuration filename cat to a Flash device.
To recover a configuration from Flash use the command copy flash tftp
| file-id | config.
Lab Activity
In this lab activity, you will learn how to copy your current configuration from a
Catalyst 4000 switch to a TFTP server.
Lab Activity
In this lab activity, you will learn how to copy your current configuration from a
Catalyst 2900 switch to a TFTP server.
2.3.8 HTTP switch commands
The Catalyst Web Interface (CWI) is a browser-based tool that can be used to
configure the Cisco 6000, 5000, and 4000 Family Switches. It consists of a
graphical user interface (GUI) that runs on the client, Catalyst CiscoView (CV),
and a Hypertext Transfer Protocol (HTTP) server that runs on the switch.
A GUI alternative to the CLI and SNMP interfaces, the CWI provides a real-time
graphical representation of the switch and detailed information, such as port
status, module status, type of chassis, and modules. The CWI uses HTTP to
download Catalyst CV from the server to the client.
Communication between the client and server usually occurs on a TCP/IP
connection. The TCP/IP port number for HTTP is 80. In this client/server mode,
the client opens a connection to the server and sends a request. The server
receives the request, sends a response back to the client, and closes the
connection.
To configure the HTTP server on a set command-based switch, perform the
following tasks at the CLI: [1]
1. Assign an IP address to the switch, if necessary, using the command set interface sc0 [ip_addr / netmask].
2. Enable the HTTP server on the switch using the command set ip http server enable.
3. Configure the HTTP port (the TCP/IP port default is 80; perform this step only to change the default) using the command set ip http port port_number default.
4. Verify the HTTP server and CWI support by using the command show ip http.
Catalyst Switch software allows the user to configure authentication for console
and Telnet logins using the RADIUS/TACACS/Kerberos/Local database. With
software Release 5.4(2) or later, the software also allows configuring
authentication for HTTP users.
When logging into the switch using HTTP, a dialog box appears and requests a
username and password. After providing a username and password, the system
authenticates the login with the HTTP user-authentication method. The system
denies access unless the username and password are valid. In the default
configuration, verification is enabled for all users of the CWI. The system
validates the login password against the local login password.
Authentication for the CWI occurs at these two security levels:
• Level 1 - Username and Password Authentication
Level 1 requires user authentication by providing a username and
password. This process is similar to the authentication that is obtained at
the command prompt for Telnet and console sessions.
After passing the first level of security, it is possible to download the
Catalyst CV.
• Level 2 - SNMP IP Permit Restriction
Level 2 restricts the IP address of the incoming SNMP request. The IP
address of the SNMP request must be configured correctly before the
CWI can communicate with the switch.
To configure authentication, perform these tasks at the CLI:
Task                                Command
Step 2  Display authentication.     show authentication
The example in Figure [2] shows how to set the authentication login for the
HTTP option.
To download the Catalyst CV from the browser, follow these steps:
Step 1 - Enter the switch address in the Universal Resource Locator (URL) field
of the browser. For example, open Netscape Navigator or Internet Explorer and
enter the following:
http://10.1.1.1
In this example, 10.1.1.1 is the switch IP address. After connecting to the
switch, a login dialog appears and prompts for username and password.
Step 2 - Provide a username and password. The home page of the switch appears
in the browser.
Step 3 - Click the Switch Manager link to download the Catalyst CV. The switch
downloads the Catalyst CV, and the browser opens with a real-time view of the
switch chassis.
Summary
After completing this chapter, the reader should have a firm understanding of
the following concepts:
■ How to make initial connections to the switch, connecting to the console
port and connecting an Ethernet port
■ Basic configuration of the switch, including:
  ■ Clearing a configuration
  ■ Setting a password
  ■ Naming the switch
  ■ Configuring the switch for remote access
  ■ Identifying individual ports
  ■ Defining link speed
  ■ Defining line mode on a switch
■ Important IOS features such as:
  ■ Command line recall
  ■ Using the help feature
  ■ Show commands
  ■ Password recovery
  ■ Verifying connectivity
  ■ Saving the configuration
  ■ Backup and restoration of a configuration using a TFTP server
Section 3
Introduction to VLANs
Table of Contents
INTRODUCTION TO VLANS ..... 1
OVERVIEW ..... 3
OBJECTIVES ..... 4
3.1 VLAN BASICS ..... 5
3.1.1 Describe a VLAN ..... 5
3.1.2 Why are VLANs necessary? ..... 6
3.1.3 VLANs and network security ..... 7
3.1.4 VLANs and broadcast distribution ..... 9
3.1.5 VLANs and bandwidth utilization ..... 10
3.1.6 VLANs vs. network latency from routers ..... 10
3.1.7 VLANs vs. complex access lists ..... 12
3.1.8 Wrong motives for implementing VLANs ..... 13
3.2 VLAN TYPES ..... 14
3.2.1 VLAN boundaries ..... 14
3.2.2 End-to-end VLANs ..... 15
3.2.3 Local VLANs ..... 16
3.2.4 Establishing VLAN memberships ..... 17
3.2.5 Port-based VLAN membership ..... 18
3.2.6 Dynamic VLANs ..... 19
3.3 CONFIGURING VLANS ..... 22
3.3.1 Configuring static VLANs ..... 22
3.3.2 Verify VLAN configuration ..... 24
3.3.3 Deleting VLANs ..... 25
3.3.4 Configure the VMPS server ..... 26
3.3.5 Configure a VMPS client ..... 27
3.3.6 Access links and trunk links ..... 29
3.4 VLAN IDENTIFICATION ..... 31
3.4.1 VLAN frame identification ..... 31
3.4.2 ISL ..... 32
3.4.3 IEEE 802.1Q ..... 34
3.4.4 LANE ..... 35
3.4.5 IEEE 802.10 Protocol ..... 36
3.5 TRUNKING ..... 38
3.5.1 Trunking overview ..... 38
3.5.2 Configuring a VLAN trunk ..... 39
3.5.3 Removing VLANs from a trunk ..... 41
3.6 VLAN TRUNKING PROTOCOL (VTP) ..... 44
3.6.1 VTP benefits ..... 44
3.6.2 VTP operation ..... 45
3.6.3 VTP modes ..... 46
3.6.4 Adding a switch to a VTP domain ..... 47
3.6.5 VTP advertisements ..... 49
3.7 VTP CONFIGURATION ..... 52
3.7.1 Basic configuration steps ..... 52
3.7.2 Configure the VTP version ..... 52
3.7.3 Configure the VTP domain ..... 54
3.7.4 Configure VTP mode ..... 55
3.7.5 Verify VTP configuration ..... 56
3.8 VTP PRUNING ..... 58
3.8.1 Default behavior of a switch ..... 58
3.8.2 Configure VTP pruning ..... 60
3.8.3 Verifying VTP pruning ..... 62
SUMMARY ..... 64
1-2 Switching Section 3: Introduction to VLANs Copyright 2002, Cisco Systems, Inc.
Overview
When the industry started to discuss virtual LANs (VLANs) in the trade
journals and in the workplace, a lot of confusion arose. What exactly was meant
by VLAN? Authors interpreted the new network terminology differently, and their
definitions were not always consistent with each other. Vendors took varied
approaches to creating VLANs, which further muddled the understanding.
This chapter:
• Presents definitions and categorizations for VLANs
• Explains how to configure VLANs
• Discusses reasons to use and not use VLANs
• Attempts to clarify misinformation about VLANs
In this chapter, the student will learn how to break the Layer 2 switch block into
separate broadcast domains called VLANs. The chapter will also introduce
VLAN management tools such as the VLAN Trunk Protocol (VTP).
Objectives
After completing this chapter, the student will be able to perform tasks
relating to:
3.5 Trunking
3.1 VLAN Basics
3.1.2 Why are VLANs necessary?
3.1.3 VLANs and network security
The first issue is the shared-media nature of legacy networks. Whenever a station
transmits in a shared network such as a legacy half-duplex 10BASE-T system,
all stations attached to the segment receive a copy of the frame, even if they are
not the intended recipients. This does not prevent the network from functioning.
There are, however, readily available software packages that monitor network
traffic. Anyone with such a package can capture passwords, sensitive e-mail, and
any other traffic on the network.
If the users on the network belong to the same department, this might not be
disastrous, but when users from mixed departments share a segment, undesirable
information captures can occur. If someone from human resources or accounting
sends sensitive data such as salaries, stock options, or health records on the
shared network, anyone with a network monitoring package can decode the
information.
Neither of these scenarios is constrained to a single segment. These problems
can occur in multisegment environments interconnected with routers. In Figure
[1], the accounting department resides on two isolated segments. For users on
one segment to transmit to users on the other segment, the frames must cross the
engineering network. When they cross the engineering segment, it is possible
that they can be intercepted and misused.
One way to eliminate the problem is to move all accounting users onto the same
segment. However, this is not always possible because there might be space
limitations that prevent all accountants from sharing a common part of the
building. Another reason may deal with the geographical makeup of the
company, users on one segment might be a considerable distance from users on
the other segment.
Another approach is through the use of VLANs, which enable all process-related
users to be contained in the same broadcast domain and isolated from users in
other broadcast domains. All accounting users can be assigned to the same
VLAN, regardless of their physical location in the facility. They no longer
have to be placed in a network based on their location; users can be assigned
to a VLAN based on their job function. Keep all the accounting users on one
VLAN, the marketing users on another VLAN, and engineering in yet a third.
By creating VLANs with switched network devices, another level of protection
is created. Switches bridge traffic within a VLAN. When a station transmits a
known unicast frame, the switch delivers it only to the port of the intended
destination rather than to every user in the VLAN [2].
Station A in Figure [2] transmits a frame to Station B attached to another
Catalyst® Switch. Although the frame crosses through a Catalyst Switch, only
the destination receives a copy of the frame. The switch filters the frame from
the other stations, whether they belong to a different VLAN or the same VLAN.
This switch feature limits the opportunity for someone to capture packets with a
network analyzer. It does not remove it: broadcasts and frames to destinations
the switch has not yet learned are still flooded to every port in the VLAN.
Although these security methods may seem like overkill, in the corporate
network they are crucial. Consider the data transferred among the accounting
department. This department has salary information, stock-option information,
personal information, and other sensitive and personal material. It is very
important to protect the privacy of the users and the integrity of the data.
VLANs greatly assist in this endeavor.
3.1.4 VLANs and broadcast distribution
Practically every network protocol creates broadcast traffic for one reason or
another. For example, consider the amount of broadcast traffic AppleTalk
generates. AppleTalk routers generate routing updates in the form of broadcast
frames every ten seconds. Broadcasts go to all devices in the broadcast domain
and must be processed by the receiving devices. Further, many multimedia
applications create broadcast and multicast frames that get distributed across the
broadcast domain.
So why do network administrators dislike broadcast traffic? Broadcasts are
necessary to support protocol operations and therefore are overhead frames in
the network. With the exception of multimedia-based traffic, broadcast frames
rarely transport user data. Since broadcasts tend not to carry user data, they
consume bandwidth in the network, resulting in a reduction of the bandwidth for
productive traffic.
Broadcasts also have a profound effect on the performance of workstations. Any
broadcast received by a workstation interrupts the CPU and prevents it from
working on user applications. As the number of broadcasts per second increases
at the interface, effective CPU utilization diminishes. The actual level of
degradation depends upon the applications running in the workstation, the type
of network interface card and drivers, the operating system, and the workstation
platform.
If broadcasts are creating problems in the network, creating smaller broadcast
domains can mitigate the negative effects. In VLANs, this means creating
additional VLANs and attaching fewer devices to each one. The effectiveness of
this action depends upon the source of the broadcast. If the broadcasts come
from a local server, isolate the server in another domain. If the broadcasts come
from end stations, creating multiple domains might help to reduce the number of
broadcasts in each domain.
3.1.5 VLANs and bandwidth utilization
When users attach to the same shared segment, all of them share the bandwidth
of the segment. Every additional user attached to the shared medium means there
is less average bandwidth available for each user. If the sharing becomes too
great, user application performance will begin to suffer. The network
administrator will begin to suffer as well because users will begin complaining
and asking for more bandwidth. VLANs, which are usually created with LAN
switch equipment, can offer more bandwidth to users than is inherent in a shared
network.
Remember that each interface on a switch behaves like a port on a legacy bridge.
Bridges filter traffic that does not need to go to segments other than the source.
If a frame needs to cross the bridge, the bridge forwards the frame to the correct
interface and to no others. If the bridge or switch does not know where the
destination resides, it floods the frame to all ports in the broadcast domain
(VLAN) except the "source port."
In a switched environment, a station will usually see only traffic destined
specifically for it. The switch will filter most of the other background traffic in
the network. This allows the workstation to have full, dedicated bandwidth for
sending or receiving interesting traffic. Unlike a shared-hub system where only
one station can transmit at a time, the switched network in the Figure allows
many concurrent transmissions within a broadcast domain without directly
affecting other stations inside or outside of the broadcast domain. Station pairs
A/B, C/D, and E/F can all communicate without affecting the other station pairs.
Figure 1 Network Latency from Routers vs. VLANs
In the legacy network shown in the Figure, accounting users on the two segments
have to cross the engineering segment to transfer any data. The frames have to
pass through two routers. Software-based routers tend to be slower than other
internetworking products such as a Layer 2 bridge or switch. As a frame passes
through a router, the router introduces latency to the network. Latency
constitutes the amount of time necessary to transport a frame from the source
port to the destination port. Every router that the frame transits increases the end-
to-end latency. Further, every congested segment that a frame must cross
increases latency.
By moving all the accounting users into one VLAN, the need to cross multiple
routers and segments is eliminated. This reduces network latency, which
improves performance for users, especially if they use a connection-oriented
protocol such as TCP. Connection-oriented protocols do not send more data until
an acknowledgement is received for the previous data, so network latency
dramatically reduces their effective throughput. If user traffic can be kept
from passing through a router by placing the users in the same VLAN, the
cumulative router latency is eliminated. If frames must pass through routers,
enabling Layer 3 switching will significantly reduce router transit latency as
well.
3.1.7 VLANs vs. complex access lists
Routers allow administrators to introduce policies that control the flow of traffic
in the network. Access lists control traffic flow and provide varied degrees of
policy granularity. Through the implementation of access lists, a specific user
can be prevented from communicating with another user or network, or an
entire network can be prevented from accessing a user or network. A network
administrator might exercise these capabilities for security reasons, or may elect
to prevent traffic from flowing through a segment to protect local bandwidth.
In any case, the management of access lists can be quite cumbersome. The
access list must be developed based on the company's business and security
needs.
In the network example shown in the Figure, filters in the routers attached to the
engineering segment can include access lists allowing the accounting traffic to
pass through the engineering segment, but never talk to any engineering devices.
That does not prevent engineers from monitoring the traffic, but does prevent
direct communication between the engineering and accounting devices.
Accounting will not see the engineering traffic, but engineering can see all the
accounting transit traffic.
VLANs can simplify the network in some cases by allowing the administrator to
keep all accounting users in one VLAN. Then their traffic does not need to pass
through a router to get to peers within the VLAN. This can simplify access-list
design because the administrator can treat networks as groups with similar or
equal access requirements.
3.1.8 Wrong motives for implementing VLANs
One common motivation for using VLANs tends to get network administrators
excited. Unfortunately, reality quickly meets enthusiasm, revealing errors in
motivation. The advent of VLANs led many to believe that a network
administrator's life would be simplified. Administrators thought that VLANs
would eliminate the need for routers, everyone could be placed in one giant flat
network, and administrators could go home at reasonable hours each evening.
This turns out to be far from the truth. VLANs do not eliminate Layer 3 issues.
They may allow the network administrator to more easily perform some Layer 3
tasks, such as developing simpler access lists, but Layer 3 routing still must
exist.
3.2 VLAN Types
The number of VLANs in the switch block may vary greatly, depending on
several factors, including traffic patterns, types of applications, network
management needs, and group commonality. In addition, an important
consideration in defining the size of the switch block and the number of VLANs
is the IP addressing scheme.
For example, suppose the network uses a 24-bit mask to define a subnet. Given
this criterion, a total of 254 usable host addresses are available in one
subnet. Because a one-to-one correspondence between VLANs and IP subnets is
strongly recommended, there can be no more than 254 devices in any one VLAN.
It is further recommended that VLANs should not extend outside the Layer 2
domain of the distribution switch. As demonstrated in the Figure, with many
users in the building under the recommended constraints, a minimum of four
VLANs will be in the switch block.
When scaling VLANs in the switch block, there are two basic methods of
defining the VLAN boundaries:
• End-to-end VLANs
• Local VLANs
3.2.2 End-to-end VLANs
Figure: end-to-end VLAN topology. Wiring closet (switched Ethernet);
distribution layer (Fast Ethernet, workgroup servers); core layer (Fast or
Gigabit Ethernet, inter-VLAN routing, enterprise servers).
VLANs can exist either as end-to-end networks, which span the entire switch
fabric, or they can exist inside of geographic boundaries.
An end-to-end VLAN network comprises the following characteristics:
• Users are grouped into VLANs independent of physical location and
dependent on group or job function.
• All users in a VLAN should have the same 80/20 traffic flow patterns.
• As a user moves around the campus, VLAN membership for that user
should not change.
• Each VLAN has a common set of security requirements for all members.
In the Figure, starting in the wiring closet, 10-megabit-per-second (Mbps)
dedicated Ethernet ports are provisioned for each user. Each color represents a
subnet, and because people have moved around over time, each switch
eventually becomes a member of all VLANs. Fast Ethernet Inter-Switch Link
(ISL) or IEEE 802.1Q is used to carry multiple VLAN information between the
wiring closets and the distribution-layer switches.
Note: ISL is a Cisco-proprietary protocol that maintains VLAN information
as traffic flows between switches and routers. IEEE 802.1Q is an open-standard
(IEEE) VLAN tagging mechanism that predominates in modern switching
installations.
Workgroup servers operate in a client/server model, and attempts have been
made to keep users in the same VLAN as their server to maximize the
performance of Layer 2 switching and keep traffic localized.
In the core, a router allows inter-subnet communication. The network is
engineered, based on traffic flow patterns, to have 80 percent of the traffic
within a VLAN and 20 percent crossing the router to the enterprise servers and
to the Internet and WAN.
3.2.4 Establishing VLAN memberships
Figure: VMPS topology. TFTP server; Catalyst 5000 primary VMPS server
(Switch 1, 172.20.26.150) and router; secondary VMPS servers (Switch 3,
172.20.26.152, and Switch 10, 172.20.26.159); client switches 4 to 9
(172.20.26.153 to 172.20.26.158); client end station 2 on Switch 9.
• Static VLANs - This method is also referred to as port-based
membership. Static VLAN assignments are created by assigning ports to
a VLAN. As a device enters the network, the device automatically
assumes the VLAN of the port. If the user changes ports and needs
access to the same VLAN, the network administrator must manually
make a port-to-VLAN assignment for the new connection. An example
of this is shown in Figure [1].
• Dynamic VLANs - Dynamic VLANs are created through the use of
software packages such as CiscoWorks 2000. With a VLAN
Management Policy Server (VMPS), the network administrator can
assign switch ports to VLANs dynamically based on the source MAC
address of the device connected to the port. Dynamic VLANs currently
allow for membership based on the MAC address of the device. As a
device enters the network, the device queries a database for VLAN
membership. An example of this is shown in Figure [2].
The device that is attached to the port likely has no understanding that a VLAN
exists. The device simply knows that it is a member of a subnet and that the
device should be able to talk to all other members of the subnet by simply
sending information to the cable segment. The switch is responsible for
identifying that the information came from a specific VLAN and for ensuring
that the information gets to all other members of the VLAN. The switch is
further responsible for ensuring that ports in a different VLAN do not receive the
information.
This approach is quite simple, fast, and easy to manage in that there are no
complex lookup tables required for VLAN segmentation. If port-to-VLAN
association is done with an application-specific integrated circuit (ASIC), the
performance is very good. An ASIC allows the port-to-VLAN mapping to be
done at the hardware level.
cycles a Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS
database downloads from the TFTP server automatically and VMPS is
reenabled.
VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen
to client requests. When the VMPS server receives a valid request from a client,
it searches its database for a MAC address-to-VLAN mapping.
If the assigned VLAN is restricted to a group of ports, VMPS verifies the
requesting port against this group. If the VLAN is allowed on the port, the
VLAN name is returned to the client. If the VLAN is not allowed on the port and
VMPS is not in secure mode, the host receives an "access-denied" response. If
VMPS is in secure mode, the port is shut down.
If a VLAN in the database does not match the current VLAN on the port and
active hosts are on the port, VMPS sends an access-denied or a port-shutdown
response based on the secure mode of the VMPS.
The network administrator can configure a fallback VLAN name. If a device
with a MAC address that is not in the database is connected, VMPS sends the
fallback VLAN name to the client. If the network administrator does not
configure a fallback VLAN and the MAC address does not exist in the database,
VMPS sends an access-denied response. If VMPS is in secure mode, it sends a
port-shutdown response.
An explicit entry can also be made in the configuration table to deny access to
specific MAC addresses for security reasons by specifying a --NONE-- keyword
for the VLAN name. In this case, VMPS sends an access-denied or port-
shutdown response.
On a set command-based switch, a dynamic (nontrunking) port can belong to
only one VLAN at a time. When the link comes up, a dynamic port is isolated
from its static VLAN. The source MAC address from the first packet of a new
host on the dynamic port is sent to VMPS, which attempts to match the MAC
address to a VLAN in the VMPS database. If there is a match, VMPS provides
the VLAN number to assign to the port. If there is no match, VMPS either denies
the request or shuts down the port (depending on the VMPS secure mode
setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all
in the same VLAN. If the link goes down on a dynamic port, the port returns to
an isolated state. Any hosts that come on line through the port are checked again
with VMPS before the port is assigned to a VLAN.
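The VMPS decision sequence described above (explicit --NONE-- entries, the fallback VLAN, port-group restrictions, the "active hosts in another VLAN" check, and the secure-mode choice between access-denied and port-shutdown) together with the dynamic-port behaviour on the client (isolated until the first host is checked, several hosts allowed only in one VLAN, back to isolated on link down) is modelled in the following Python script. It is an added example, not code from the Cisco course or from any Cisco product: the database is an in-memory dictionary rather than the TFTP-served ASCII file, and the switch names, port numbers, VLAN names and MAC addresses are constructed for the demo.

```python
"""Added example (not from the Cisco course): a model of the VMPS response
logic and of a dynamic (nontrunking) port on a VMPS client.  The database is
an in-memory dictionary, not the real TFTP-served ASCII file; all switch,
port, VLAN and MAC values below are constructed for the demonstration."""
from typing import Dict, Optional, Set, Tuple

ACCESS_DENIED = "access-denied"
PORT_SHUTDOWN = "port-shutdown"
NONE_VLAN = "--NONE--"          # explicit deny entry, as in the VMPS database


def canon_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


class VmpsServer:
    def __init__(self, mac_to_vlan: Dict[str, str],
                 vlan_port_groups: Optional[Dict[str, Set[Tuple[str, str]]]] = None,
                 fallback: Optional[str] = None, secure: bool = False):
        self.mac_to_vlan = {canon_mac(m): v for m, v in mac_to_vlan.items()}
        self.vlan_port_groups = vlan_port_groups or {}   # VLAN name -> allowed (switch, port)
        self.fallback = fallback
        self.secure = secure

    def _deny(self) -> str:
        # Non-secure mode answers access-denied; secure mode shuts the port down.
        return PORT_SHUTDOWN if self.secure else ACCESS_DENIED

    def lookup(self, mac: str, switch: str, port: str,
               current_vlan: Optional[str] = None, active_hosts: int = 0) -> str:
        """Return the VLAN name for the host, or a deny response."""
        vlan = self.mac_to_vlan.get(canon_mac(mac))
        if vlan == NONE_VLAN:                       # explicitly blocked MAC
            return self._deny()
        if vlan is None:                            # unknown MAC: fallback VLAN or deny
            if self.fallback is None:
                return self._deny()
            vlan = self.fallback
        allowed = self.vlan_port_groups.get(vlan)
        if allowed is not None and (switch, port) not in allowed:
            return self._deny()                     # VLAN restricted to other ports
        if active_hosts and current_vlan is not None and current_vlan != vlan:
            return self._deny()                     # port already active in another VLAN
        return vlan


class DynamicPort:
    """VMPS client side: a dynamic port that starts isolated from any VLAN."""

    def __init__(self, server: VmpsServer, switch: str, port: str):
        self.server, self.switch, self.port = server, switch, port
        self.vlan: Optional[str] = None
        self.hosts: Set[str] = set()
        self.shutdown = False

    def first_frame_from(self, mac: str) -> str:
        """Handle the first frame of a host; returns the VLAN name or a deny response."""
        mac = canon_mac(mac)
        if self.shutdown:
            return PORT_SHUTDOWN
        if mac in self.hosts:
            return self.vlan
        resp = self.server.lookup(mac, self.switch, self.port, self.vlan, len(self.hosts))
        if resp == PORT_SHUTDOWN:
            self.shutdown, self.vlan, self.hosts = True, None, set()
        elif resp != ACCESS_DENIED:
            self.vlan = resp
            self.hosts.add(mac)
        return resp

    def link_down(self) -> None:
        """Link loss returns the port to the isolated state; hosts are re-checked."""
        self.vlan, self.hosts = None, set()


def demo() -> dict:
    db = {"0000.0c00.00a1": "accounting", "0000.0c00.00a2": "accounting",
          "0000.0c00.00e1": "engineering", "0000.0c00.0bad": NONE_VLAN}
    groups = {"accounting": {("sw1", "3/1")}}     # accounting allowed only on sw1 port 3/1
    open_srv = VmpsServer(db, groups)
    secure_srv = VmpsServer(db, groups, secure=True)
    p31 = DynamicPort(open_srv, "sw1", "3/1")
    p32_secure = DynamicPort(secure_srv, "sw1", "3/2")
    guest_port = DynamicPort(VmpsServer(db, groups, fallback="guests"), "sw2", "2/1")
    out = {
        "a1": p31.first_frame_from("00:00:0c:00:00:a1"),
        "a2_same_vlan": p31.first_frame_from("0000.0c00.00a2"),
        "e1_on_busy_port": p31.first_frame_from("0000.0c00.00e1"),
        "unknown_no_fallback": p31.first_frame_from("0000.0c00.ffff"),
        "blocked": p31.first_frame_from("0000.0c00.0bad"),
        "a1_wrong_port_secure": p32_secure.first_frame_from("0000.0c00.00a1"),
        "secure_port_after": p32_secure.first_frame_from("0000.0c00.00e1"),
        "unknown_with_fallback": guest_port.first_frame_from("0000.0c00.ffff"),
    }
    p31.link_down()
    out["after_link_down"] = (p31.vlan, len(p31.hosts))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script shows the two deny paths side by side: on the open-mode server a host in the wrong VLAN or an unknown MAC only gets access-denied and the port keeps serving its existing hosts, while on the secure-mode server one disallowed host shuts the whole port down, after which every further host on it is refused until the port is administratively restored.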
The following guidelines and restrictions apply to dynamic port VLAN
membership:
• The VMPS must be configured before configuring ports as dynamic.
• When a port is configured as dynamic, Spanning-Tree PortFast is
enabled automatically for that port. Automatic enabling of Spanning-
Tree PortFast prevents applications on the host from timing out and
entering loops caused by incorrect configurations. Spanning-Tree
PortFast mode can be disabled on a dynamic port.
• If a port is reconfigured from a static port to a dynamic port on the same
VLAN, the port connects immediately to that VLAN. However, VMPS
checks the legality of the specific host on the dynamic port after a
certain period.
• Static secure ports cannot become dynamic ports. Security must be
turned off on the static secure port before it can become dynamic.
• Static ports that are trunking cannot become dynamic ports. Trunking on
the trunk port must be turned off before changing it from static to
dynamic.
It is also important to note that the VLAN Trunking Protocol (VTP) management
domain and the management VLAN of VMPS clients and the VMPS server must
be the same.
3.3 Configuring VLANs
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#
Switch#show running-config
hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 2
!
<Output omitted>
Static VLANs are ports on a switch that are manually assigned to a VLAN by
using a VLAN management application or by working directly within the switch.
These ports maintain their assigned VLAN configuration until they are changed
manually. Although static VLANs require manual entry changes, they are secure,
easy to configure, and straightforward to monitor. This type of VLAN works
well in networks where moves are controlled and managed, where there is robust
VLAN management software to configure the ports, and where it is not desirable
to assume the additional overhead required to maintain end-station MAC
addresses and custom filtering tables.
The creation of a VLAN on a switch is a very straightforward and simple task. If
using a Cisco IOS command-based switch, simply go to the interface to be
configured and issue the commands:
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan number
In Figure [1], interface FastEthernet 0/3 is being assigned to vlan 2. As
demonstrated in Figure [2], this configuration has been verified by using the
show running-config command.
If using a set-based switch, simply enter the set vlan command to create a
VLAN, as shown below and in Figure [3].
switch> (enable) set vlan vlan_num mod_num/port_list
Lab Activity
In this lab activity, the student will learn how to configure a Distribution Layer
Catalyst 4000 Ethernet Switch to support three VLANs - Marketing, Accounting,
and Engineering.
Lab Activity
In this lab activity, the student will learn how to configure an Access Layer
Catalyst 2900 Ethernet Switch to support three VLANs - Marketing, Accounting,
and Engineering.
• A created VLAN remains unused until it is mapped to switch ports. Use
the set vlan command to map VLANs to ports.
• The default configuration has all Ethernet ports in VLAN 1. Groups of
ports can be entered as individual entries, for example, 2/1, 3/3, 3/4, or
3/5. A hyphenated format can also be used to map multiple ports, for
example, 2/1-4 or 3/3-5.
• Do not enter spaces between the port numbers. The switch will respond
with an error message, because a space delimits another argument that is
not in the command structure of this command.
In this activity, the student will learn how to configure and verify VLANs on a
Catalyst 4000 switch.
In this activity, the student will learn how to configure and verify VLANs on a
Catalyst 2900 switch.
being removed from the domain by using the command clear vlan 2 on the
set-based switch. It is important to note that this command must be issued on a
VTP server switch. VLANs cannot be deleted from a VTP client switch. If the
switch is configured in transparent mode, the VLAN can be deleted. However,
the VLAN is removed only from the one Catalyst Switch and is not deleted
throughout the management domain. All VLAN creations and deletions are
locally significant only on a transparent switch. VTP domains are covered in this
section.
When an attempt to delete the VLAN is made, the switch will issue a warning
that all ports belonging to the VLAN in the management domain will be
deactivated. If 50 devices are members of the VLAN when it is deleted, all 50
stations become isolated because their local switch ports become disabled. If
the VLAN is recreated, the ports automatically become active again because the
switch remembers which VLAN each port belongs to. In other words, if the VLAN
exists, the ports are active; if the VLAN does not exist, the ports are
inactive. Use caution when deleting VLANs, because accidentally eliminating a
VLAN that still has active users on it could be catastrophic.
Removing a VLAN from a Cisco IOS command-based switch interface is just
like removing a command from a router. In a previous example, we created vlan
2 on FastEthernet 0/3 by using the command
Switch(config-if)#switchport access vlan 2. To remove this VLAN from the
interface, simply use the "no" form of the command, as shown in Figure [2].
Figure 1 Enabling VMPS on a set command-based switch
Task                                                              Command
Step 1  Configure the IP address of the TFTP server on which      set vmps tftpserver ip_addr [filename]
        the ASCII text VMPS database configuration file resides.
Step 2  Enable VMPS.                                              set vmps state enable
Step 3  Verify the VMPS configuration.                            show vmps
To disable VMPS, perform this task in privileged mode:
Figure 2 Disabling VMPS on a set command-based switch
Task                                   Command
Step 1  Disable VMPS.                  set vmps state disable
Step 2  Verify that VMPS is disabled.  show vmps
When VMPS is enabled, it downloads the VMPS database from the TFTP
server and begins accepting VMPS requests.
The configuration of VMPS is basically a two-step process. To configure VMPS
on a set command-based switch, follow the steps in Figure [1].
Disabling VMPS is an equally simple process. To disable VMPS on a set
command-based switch, simply issue the command set vmps state
disable, as shown in Figure [2].
Figure 1 Configuring dynamic ports on a set command-based VMPS client
Task                                                         Command
Step 1  Specify the IP address of the VMPS server            set vmps server ip_addr [primary]
        (the switch with VMPS enabled).
Step 2  Verify the VMPS server specification.                show vmps server
Step 3  Configure the VLAN membership assignment to a port.  set port membership mod_num/port_num {dynamic | static}
Step 4  Verify the dynamic port assignments.                 show port [mod_num[/port_num]]
Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100 BASE-TX
1/2         connect  trunk  normal  half    100    100 BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-5  normal  half    10     10 BASE-T
3/2         connect  dyn-5  normal  half    10     10 BASE-T
3/3         connect  dyn-5  normal  half    10     10 BASE-T
Console> (enable)
Figure 3 Configuring a Cisco IOS command-based switch as a VMPS client
Task                                                 Command
Step 1  Enter global configuration mode.             configure terminal
Step 2  Enter the IP address of the switch acting    vmps server ipaddress primary
        as the primary VMPS server.
Step 3  Enter the IP address for the switch acting   vmps server ipaddress
        as a secondary VMPS server.
Step 4  Return to privileged EXEC mode.              end
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps server 172.20.128.179 primary
Switch(config)# vmps server 172.20.128.178
Switch(config)# end
Switch#show vmps
VQP Client Status:
--------------------
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
To configure dynamic ports on VMPS client set command-based switches,
perform the tasks listed in Figure [1] while in privileged mode on the switch. The
example shows how to specify the VMPS server, verify the VMPS server
specification, and assign dynamic ports. To verify the VMPS configuration,
issue the command show port, as shown in Figure [2]. Note that show port
displays dyn- in the Vlan column for a dynamic port that has not yet been
assigned a VLAN; the dyn-3 and dyn-5 entries in Figure [2] are dynamic ports
that have already been assigned VLANs 3 and 5.
To configure a Cisco IOS Software-based switch as a client, it is simply a matter
of entering the IP address of the switch or the other device acting as the VMPS.
An example of this is shown in Figure [3]. To verify the VMPS configuration,
issue the command show vmps, as shown in Figure [4].
An access link is a link on the switch that is a member of only one VLAN. This
VLAN is referred to as the native VLAN of the port. Any device that is attached
to the port is completely unaware that a VLAN exists. The device simply
assumes that it is part of a network or subnet based on the Layer 3 information
that is configured on the device. In order to ensure that it does not have to
understand that a VLAN exists, the switch is responsible for removing any
VLAN information from the frame before it is sent to the end device. Because
only one VLAN is configured on the port, other VLANs cannot communicate
with the device unless the information is routed by a Layer 3 device.
A trunk link differs from an access link in that it is capable of supporting
multiple VLANs. Trunk links are typically used to connect switches to other
switches or routers. Switches support trunk links on both Fast Ethernet and
Gigabit Ethernet ports.
The switch has two methods of identifying the VLAN that a frame belongs to
when the switch receives the frame on a trunk link. The identification techniques
currently used are the Cisco proprietary ISL standard and the IEEE 802.1Q
standard.
It is important to understand that a trunk link does not belong to a specific
VLAN. The responsibility of a trunk link is to act as a conduit for VLANs
between switches and routers. The trunk link can be configured to transport all
VLANs or to transport a limited number of VLANs.
A trunk link may, however, have a native VLAN. The native VLAN of the trunk
is the VLAN that the trunk uses if the trunk link fails for any reason.
In the Figure, Port A and Port B have been defined as access links on the same
VLAN. By definition, they can belong to only VLAN 200 and cannot receive
frames with a VLAN identifier. As Switch Y receives traffic from Port A
destined for Port B, Switch Y will not add an ISL encapsulation to the frame.
Port C is also an access link. Port C has been defined as a member of VLAN
200. If Port A sends a frame destined for Port C, the switch does the following:
1. Switch Y receives the frame and identifies it as traffic destined for
VLAN 200 by the VLAN and port number association.
2. Switch Y encapsulates the frame with an ISL header identifying VLAN
200 and sends the frame through the intermediate switch on a trunk link.
3. This process is repeated for every switch that the frame must transit as it
moves to its final destination of Port C.
4. Switch Z receives the frame, removes the ISL header, and forwards the
frame to Port C.
3.4 VLAN Identification
3.4.2 ISL
Octet Description
Reserved Token Ring and FDDI frames have special values that need to be transported over the ISL link. These values, such as AC and FC, are carried in this field. The value of this field is zero for Ethernet frames.
User Frame The original user data frame is inserted here, including the frame's FCS.
CRC ISL calculates a 32-bit CRC for the header and user frame. This double-checks the integrity of the message as it crosses an ISL trunk. It does not replace the User Frame CRC.
3.4.3 IEEE 802.1Q
The official name for the IEEE 802.1Q protocol is the Standard for Virtual
Bridged Local-Area Networks, and relates to the ability to carry the traffic of
more than one subnet down a single cable. The IEEE 802.1Q committee defined
this method of multiplexing VLANs in an effort to provide multivendor VLAN
support.
Both ISL and IEEE 802.1Q tagging are explicit tagging, meaning that the frame
is tagged with VLAN information explicitly. However, while ISL uses an
external tagging process that does not modify the existing Ethernet frame, IEEE
802.1Q uses an internal tagging process that does modify the Ethernet frame.
This internal tagging process is what allows IEEE 802.1Q tagging to work on
both access and trunk links, because the frame appears to be a standard Ethernet
frame.
The IEEE 802.1Q frame-tagging scheme also has significantly less overhead
than the ISL tagging method. As opposed to the 30 bytes added by ISL, 802.1Q
inserts only an additional 4 bytes into the Ethernet frame, as shown in the Figure.
• The IEEE 802.1Q header contains the following:
  o A 4-byte tag header containing a tag protocol identifier (TPID) and tag control information (TCI) with the following elements:
    o A 2-byte TPID with a fixed value of 0x8100. This value indicates that the frame carries the 802.1Q/802.1p tag information.
    o A TCI containing the following elements:
      ! Three-bit user priority
      ! One-bit canonical format indicator (CFI)
      ! Twelve-bit VLAN identifier (VID) - Uniquely identifies the VLAN to which the frame belongs
Note: The CFI is used in Ethernet frames to indicate the presence of a
Routing Information Field (RIF) - the RIF is used in Token Ring networks
to indicate the route the frame is to take through the network (source-route
bridging).
The 802.1Q standard can create an interesting scenario on the network.
Recalling that the maximum size for an Ethernet frame as specified by IEEE
802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets
tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3
standard. To resolve this issue, the 802.3 committee created a subgroup called
802.3ac to extend the maximum Ethernet size to 1522 bytes. Network devices that
do not support the larger frame size will still process the frame successfully
but may report these anomalies as "baby giants."
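As an added example (not part of the course material), the following Python code inserts and removes the 4-byte 802.1Q tag described above and checks the resulting frame length against the 1518-byte 802.3 and 1522-byte 802.3ac limits; the sample frame and its addresses are constructed, and the FCS is a placeholder rather than a recomputed checksum.

```python
"""IEEE 802.1Q tag insertion and removal on an Ethernet frame (added example).

Builds a constructed maximum-size 802.3 frame, inserts the 4-byte tag after
the source MAC (TPID 0x8100 followed by the TCI: 3-bit priority, 1-bit CFI,
12-bit VID), removes it again, and classifies frame lengths against the
1518-byte 802.3 limit and the 1522-byte 802.3ac limit ("baby giant").
"""
import struct

TPID_8021Q = 0x8100   # tag protocol identifier for 802.1Q/802.1p
MAX_8023 = 1518       # maximum 802.3 frame, FCS included
MAX_8023AC = 1522     # 802.3ac limit that makes room for one 802.1Q tag


def build_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack priority (3 bits), CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> tuple:
    """Split a 16-bit TCI into (priority, cfi, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the type/length field.

    This is the internal tagging the text describes: the original header and
    payload are kept and only 4 bytes are inserted. The FCS is left as it is
    here; a real switch recomputes it after tagging.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, priority, cfi, untagged_frame), or None if there is no 802.1Q tag."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    priority, cfi, vid = parse_tci(tci)
    return vid, priority, cfi, frame[:12] + frame[16:]


def classify_length(length: int) -> str:
    """Name the size class a switch would report for a frame of this length."""
    if length <= MAX_8023:
        return "normal"
    if length <= MAX_8023AC:
        return "baby giant"
    return "giant"


def make_untagged_frame(payload_len: int, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: broadcast destination, made-up source MAC, zero payload, zero FCS."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("00005e005301")       # constructed address, not a real host
    return dst + src + struct.pack("!H", ethertype) + bytes(payload_len) + bytes(4)


def demo() -> dict:
    """Tag a maximum-size frame for VLAN 200 and report what happens to its length."""
    frame = make_untagged_frame(1500)           # 14-byte header + 1500 + 4-byte FCS = 1518
    tagged = tag_frame(frame, vid=200, priority=5)
    vid, priority, cfi, restored = untag_frame(tagged)
    return {
        "untagged_len": len(frame),
        "tagged_len": len(tagged),
        "class": classify_length(len(tagged)),
        "vid": vid,
        "restored_ok": restored == frame,
    }


if __name__ == "__main__":
    print(demo())
```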
3.4.4 LANE
Figure 1 LANE
LANE (LAN Emulation) is a standard defined by the ATM Forum that gives
two stations attached via ATM the same capabilities they normally have with
legacy LANs, such as Ethernet and Token Ring. As the name suggests, the
function of the LANE protocol is to emulate a LAN on top of an ATM network.
Specifically, the LANE protocol defines mechanisms for emulating either an
IEEE 802.3 Ethernet or an 802.5 Token Ring LAN.
The LANE protocol defines a service interface for higher-layer (that is, network-
layer) protocols that is identical to that of existing LANs. Data sent across the
ATM network is encapsulated in the appropriate LAN MAC format. In other
words, the LANE protocols make an ATM network look and behave like an
Ethernet or Token Ring LAN, albeit one operating much faster than actual
Ethernet or Token Ring LAN networks.
An ELAN (emulated LAN) provides Layer 2 communication between all users
on an ELAN. One or more ELANs can run on the same ATM network. However,
each ELAN is independent of the others and users on separate ELANs cannot
communicate directly. Just like a VLAN, communication between ELANs is
possible only through routers or bridges.
Because an ELAN provides Layer 2 communication, it can be equated to a
broadcast domain. VLANs can also be thought of as broadcast domains. This
makes it possible to map an ELAN to a VLAN on Layer 2 switches with
different VLAN multiplexing technologies such as ISL or 802.10. In addition, IP
subnets and Internetwork Packet Exchange (IPX) networks that are defined on
Layer 3-capable devices such as routers frequently map into broadcast domains
(barring secondary addressing). This makes it possible to assign an IP
subnetwork or an IP network to an ELAN.
It is important to note that LANE does not attempt to emulate the access method
of the specific LAN concerned (that is, carrier sense multiple access collision
detect (CSMA/CD) for Ethernet or token passing for IEEE 802.5). LANE
requires no modifications to higher-layer protocols to enable their operation over
an ATM network. Because the LANE service presents the same service interface
of existing MAC protocols to network-layer drivers (such as a network driver
interface specification (NDIS) or Open Data-Link Interface (ODI) like driver
interface), no changes are required for these drivers.
configured to bridge on the subinterface itself. For VLAN packets that bear an
ID corresponding to a configured subinterface, received packets are then
classified by protocol type before running the appropriate protocol specific fast
switching engine. If the subinterface is assigned to a bridge group, then nonrouted
packets are de-encapsulated before they are bridged. This is termed "fallback
bridging" and is most appropriate for nonroutable traffic types.
3.5 Trunking
Figure 1 Trunking
3.5.2 Configuring a VLAN trunk
encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
These commands are shown in Figure [1].
Before attempting to configure a VLAN trunk on a port, it is wise to determine
what encapsulation the port can support. This can be done using the show
port capabilities command on a set command-based switch, as shown in
Figure [2]. In this example, you can see that Port 2/1 will support only the IEEE
802.1Q encapsulation.
To create or configure a VLAN trunk on a set command-based switch, enter the
set trunk command to configure the port on each end of the link as a trunk
port and to specify the VLANs that will be transported on this trunk link. Also,
use the set trunk command to change the mode of a trunk.
Switch> (enable) set trunk mod_num/port_num [on | off | desirable | auto | nonegotiate] vlan_range [isl | dot1q | dot10 | lane | negotiate]
Fast Ethernet and Gigabit Ethernet trunking modes are as follows:
• On - This mode puts the port into permanent trunking. The port becomes a
trunk port even if the neighboring port does not agree to the change. The on
state does not allow for the negotiation of an encapsulation type. Therefore,
the encapsulation must be specified in the configuration.
• Off - This mode puts the port into permanent nontrunking mode and
negotiates to convert the link into a nontrunk link. The port becomes a
nontrunk port even if the neighboring port does not agree to the change.
• Desirable - This mode makes the port actively attempt to convert the link to
a trunk link. The port becomes a trunk port if the neighboring port is set to
on, desirable, or auto mode.
• Auto - This mode makes the port willing to convert the link to a trunk link.
The port becomes a trunk port if the neighboring port is set to on or desirable
mode. This is the default mode for Fast and Gigabit Ethernet ports. Notice
that if the default setting is left on both sides of the trunk link, it will never
become a trunk; neither side will be the first to ask to convert to a trunk.
• Nonegotiate - This mode puts the port into permanent trunking mode but
prevents the port from generating Dynamic Trunking Protocol (DTP) frames.
The neighboring port must be manually configured as a trunk port to establish
a trunk link.
The example in Figure [2] configures Port 2/1 as a permanent trunk using the
IEEE 802.1Q encapsulation.
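The trunking-mode rules above, expressed as an added Python example (not from the course): port_trunks decides each end of the link from its own mode and its neighbor's, and link_outcome flags links where only one end ends up trunking. The requirement to name the encapsulation explicitly is assumed to hold for nonegotiate as well as on, since nonegotiate sends no DTP frames.

```python
"""Trunk formation outcomes for the set trunk port modes (added example).

Encodes the descriptions of on, off, desirable, auto and nonegotiate as a
decision function and evaluates a link from both ends, so that one-sided
results (one port trunking while its neighbor stays an access port) show up
as a mismatch rather than being silently accepted.
"""
from itertools import product

MODES = ("on", "off", "desirable", "auto", "nonegotiate")
ENCAPSULATIONS = ("isl", "dot1q", "dot10", "lane")


def port_trunks(local: str, neighbor: str) -> bool:
    """Does the local port end up trunking, given its own mode and the neighbor's?"""
    if local not in MODES or neighbor not in MODES:
        raise ValueError("unknown trunk mode")
    if local in ("on", "nonegotiate"):
        return True                      # permanent trunking; the neighbor's view does not matter
    if local == "off":
        return False                     # permanent nontrunking
    # desirable and auto rely on DTP frames; an off or nonegotiate neighbor sends none
    if neighbor in ("off", "nonegotiate"):
        return False
    if local == "desirable":
        return neighbor in ("on", "desirable", "auto")
    return neighbor in ("on", "desirable")   # auto never asks first


def link_outcome(mode_a: str, mode_b: str) -> str:
    """'trunk' when both ends trunk, 'access' when neither does, 'mismatch' otherwise."""
    a = port_trunks(mode_a, mode_b)
    b = port_trunks(mode_b, mode_a)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"


def encapsulation_ok(mode: str, encapsulation: str) -> bool:
    """on cannot negotiate an encapsulation, so one must be named; assumed for nonegotiate too."""
    if mode in ("on", "nonegotiate"):
        return encapsulation in ENCAPSULATIONS
    return encapsulation in ENCAPSULATIONS + ("negotiate",)


def outcome_matrix() -> dict:
    """Outcome for every ordered pair of modes, for reviewing port configurations."""
    return {(a, b): link_outcome(a, b) for a, b in product(MODES, MODES)}


if __name__ == "__main__":
    for (a, b), result in sorted(outcome_matrix().items()):
        print(f"{a:12} {b:12} {result}")
```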
3.5.3 Removing VLANs from a trunk
Figure 3 Set Based Switch
By default, all VLANs are transported across a trunk link when the set
trunk command is issued. However, there are instances where the trunk link
should not carry all VLANs:
• Broadcast suppression - All broadcasts are sent to every port in a VLAN.
A trunk link acts as a member port of the VLAN and, therefore, must
pass all the broadcasts. Bandwidth and processing time are wasted if
there is no port at the other end of the trunk link that is a member of that
VLAN.
• Topology change - Changes that occur in the topology must also be
propagated across the trunk link. If the VLAN is not used on the other
end of the trunk link, there is no need for the overhead of a topology
change.
By default, a Cisco IOS command-based switch trunk port sends to and receives
traffic from all VLANs in the VLAN database. All VLANs, 1 to 1005, are
allowed on each trunk. However, VLANs can be removed from the allowed list,
preventing traffic from those VLANs from passing over the trunk. To restrict the
traffic a trunk carries, use the remove vlan-list parameter to remove
specific VLANs from the allowed list:
Switch(config-if)#switchport trunk allowed vlan remove vlan-list
The example in Figure [1] shows first how to remove VLAN 3 from a trunk and
then how to remove VLANs 6-10 from the trunk. This is verified by using the
show running-config command.
In order to remove a VLAN from a trunk link on a set command-based switch,
use the following command:
Switch> (enable) clear trunk mod_num/port_num vlan_range
The example in Figure [2] shows how to remove VLANs 6-10 from the set
command-based switch.
Verify that trunking has been configured and verify the settings by using the
show trunk [mod_num/port_num] command from privileged mode on
the switch, as shown in Figure [3].
The example in Figure [3] shows how to verify the trunk configuration on a set
command-based switch. Remember that when a trunk is configured, VLANs 1
to 1000 are automatically transported, even if a VLAN range is specified. Use
the clear trunk command in order to remove the VLANs from the link.
To remove a large number of VLANs from a trunk link, it is probably easier to
clear all VLANs from the trunk link before specifying the VLANs that are
supposed to be on the link.
3.6 VLAN Trunking Protocol (VTP)
• Management domain
• Configuration revision number
• Known VLANs and their specific parameters
Figure: VTP domain with switches C5000-3 and C5000-6 at configuration revision N+1, carrying the VLANs default, first-vtp-vlan, fddi-default, token-ring-default, fddinet-default and trnet-default.
A VTP domain is made up of one or more interconnected devices that share the
same VTP domain name. A switch can be configured to be in one VTP domain
only. Global VLAN information is propagated across the network by way of
connected switch trunk ports.
When transmitting VTP messages to other switches in the network, the VTP
message is encapsulated in a trunking protocol frame such as ISL or IEEE
802.1Q. Figure [1] shows the generic encapsulation for VTP within an ISL
frame. The VTP header varies, depending upon the type of VTP message, but
generally, four items are found in all VTP messages:
• VTP protocol version - Either Version 1 or 2
• VTP message type - Indicates one of four types
• Management domain name length - Indicates size of the name that
follows
• Management domain name - The name configured for the management
domain
It is important to note that switches can be configured not to accept VTP
information. These switches will forward VTP information on trunk ports in
order to ensure that other switches receive the update, but the switches will not
modify their database, nor will the switches send out an update indicating a
change in VLAN status. This is referred to as transparent mode.
By default, management domains are set to a nonsecure mode, meaning that the
switches interact without using a password. Adding a password automatically
sets the management domain to secure mode. A password must be configured on
every switch in the management domain to use secure mode.
Detecting the addition of VLANs within the advertisements serves as a
notification to the switches (servers and clients) that they should be prepared to
receive traffic on their trunk ports with the newly defined VLAN IDs, emulated
LAN names, or 802.10 security association identifiers (SAIDs).
In Figure [2], C5000-3 transmits a VTP database entry with additions or
deletions to C5000-1 and C5000-2. The configuration database carries a revision
number that is one higher than the previous revision (N+1). A higher configuration
revision number indicates that the VLAN information that is being sent is more
current than the stored copy. Any time a switch receives an update that has a
higher configuration revision number, the switch will overwrite the stored
information with the new information being sent in the VTP update.
Switches can operate in any one of the following three VTP modes:
• Server - When the switch is configured for server mode, VLANs can
be created, modified, and deleted, and other configuration parameters
(such as VTP version and VTP pruning) for the entire VTP domain can
be specified. VTP servers advertise their VLAN configuration to other
switches in the same VTP domain, and synchronize the VLAN
configuration with other switches based on advertisements received over
trunk links. This is the default mode on the switch.
• Client - VTP clients behave the same way as VTP servers. However,
VLANs cannot be created, changed, or deleted on a VTP client.
• Transparent - VTP transparent switches do not participate in VTP. A
VTP transparent switch does not advertise its VLAN configuration, and
does not synchronize its VLAN configuration based on received
advertisements. However, in VTP Version 2, transparent switches do
forward VTP advertisements that the switches receive out their trunk
ports.
Use caution when inserting a new switch into an existing domain. In order to
prepare a switch to enter an existing VTP domain, perform the following steps:
1. Issue a clear config all or erase startup-config command to
remove the existing configuration. This will not clear the VTP configuration
revision number. Clearing the revision number is done only by power cycling the
switch.
2. Power cycle the switch to clear the VTP nonvolatile RAM (NVRAM). This will
reset the configuration revision number to 0. This ensures that the new switch
will not propagate incorrect information across the domain.
3. Determine the VTP mode of operation of the switch, using the show vtp
status or show vtp domain command, and include the mode when setting the
VTP domain information on the switch. The default for most switches is
server mode. If the switch remains in server mode, be sure to verify that the
configuration revision number is set to 0 before adding the switch to the VTP
domain. Having several servers in the domain is generally recommended, with
all other switches set to client mode for purposes of controlling VTP
information.
It is also highly recommended that secure mode be used in the VTP domain.
Assigning a password to the domain will accomplish this. This will prevent
unauthorized switches from participating in the VTP domain. Use the vtp
password password or the set vtp passwd passwd commands.
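As an added Python example (not course code), the model below applies the acceptance checks described above (management domain name, MD5 digest, configuration revision number) and replays the hazard of inserting a switch with a higher revision number, together with the two safeguards from this section: a domain password the inserted switch lacks, and resetting its revision number to 0. The digest is a simplified stand-in that hashes password, domain, revision and VLAN list, the separate summary/subset exchange is collapsed into one message, and the switch names, domain name cisco, password and VLANs are constructed.

```python
"""VTP advertisement acceptance: domain name, MD5 digest, revision number (added example).

Assumptions: the digest is a simplified stand-in, not the VTP wire format,
and VLAN data rides in the same message as the summary fields.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Advertisement:
    domain: str
    revision: int
    updater: str
    vlans: dict          # vid -> name (simplification: carried with the summary)
    digest: bytes


def vtp_digest(password, domain: str, revision: int, vlans: dict) -> bytes:
    """Simplified MD5 over password, domain, revision and VLAN list (assumption, not the wire format)."""
    h = hashlib.md5()
    h.update((password or "").encode())
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]}".encode())
    return h.digest()


class VtpSwitch:
    def __init__(self, name, domain, mode="server", password=None, revision=0, vlans=None):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = revision
        self.vlans = dict(vlans) if vlans else {1: "default"}

    def advertise(self) -> Advertisement:
        """Advertisement carrying this switch's database and a digest keyed by its password."""
        return Advertisement(self.domain, self.revision, self.name, dict(self.vlans),
                             vtp_digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, adv: Advertisement) -> str:
        """Apply the acceptance checks in order; return what happened."""
        if self.mode == "transparent":
            return "forwarded on trunks, database untouched (transparent mode)"
        if adv.domain != self.domain:
            return "ignored: management domain name differs"
        if adv.digest != vtp_digest(self.password, adv.domain, adv.revision, adv.vlans):
            return "ignored: MD5 digest mismatch (password differs)"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} not higher than {self.revision}"
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return f"database overwritten from {adv.updater} at revision {adv.revision}"

    def reset_revision(self):
        """What the power cycle in the procedure above achieves: revision back to 0."""
        self.revision = 0


def scenario() -> dict:
    """Constructed domain cisco with production VLANs, and a switch pulled from a lab."""
    production = {1: "default", 100: "users", 200: "servers"}
    stale = {1: "default", 2: "first-vtp-vlan"}

    # Case A: same domain and password, higher revision -> production VLANs vanish.
    core = VtpSwitch("C5000-1", "cisco", "server", "s3cret", revision=5, vlans=production)
    lab = VtpSwitch("C5000-3", "cisco", "server", "s3cret", revision=12, vlans=stale)
    a = core.receive(lab.advertise())

    # Case B: secure mode, the lab switch has no password -> digest check rejects it.
    core_b = VtpSwitch("C5000-1", "cisco", "server", "s3cret", revision=5, vlans=production)
    lab_b = VtpSwitch("C5000-3", "cisco", "server", None, revision=12, vlans=stale)
    b = core_b.receive(lab_b.advertise())

    # Case C: revision reset to 0 before insertion -> revision check rejects it.
    core_c = VtpSwitch("C5000-1", "cisco", "server", "s3cret", revision=5, vlans=production)
    lab_c = VtpSwitch("C5000-3", "cisco", "server", "s3cret", revision=12, vlans=stale)
    lab_c.reset_revision()
    c = core_c.receive(lab_c.advertise())

    return {
        "A": (a, sorted(core.vlans)),
        "B": (b, sorted(core_b.vlans)),
        "C": (c, sorted(core_c.vlans)),
    }


if __name__ == "__main__":
    for case, (outcome, vlans) in scenario().items():
        print(case, outcome, vlans)
```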
Lab Activity
In this lab activity, the student will learn how to configure a VLAN trunk
between a Catalyst 4000 and Catalyst 2900 switch.
3.6.5 VTP advertisements
Figure: VTP message formats. Advert-Request: Start Value. Summary-Advert: Updater Identity, Updater Timestamp (12 bytes), MD5 Digest (16 bytes). Subset-Advert: Version, Code, Seq-Num, MgmtD Len, VLAN-info field 1 through VLAN-info field N.
Switches only listen to advertisements that are coming from the same domain.
Transparent switches do not listen to VTP advertisements, nor do they send out
advertisements containing their information. They will propagate VTP information
to ensure that other server/client switches receive the VTP advertisements.
Figure: Summary advertisement fields: Version, Type, Number of Subnet Advertisement Messages, Domain Name Length, Management Domain Name (padded to 32 bytes), Configuration Revision Number, Updater Identity, Update Timestamp (12 bytes), MD5 Digest (16 bytes).
Figure: Subset advertisement fields: Version, Code, Seq-Number, Domain Name Length, Management Domain Name (zero padded to 32 bytes), Configuration Revision Number, VLAN-info Field 1 through VLAN-info Field N. The VLAN-info field contains information for each VLAN and is formatted as follows:
With VTP, each switch advertises on its trunk ports its management domain,
configuration revision number, the VLANs that it knows about, and certain
parameters for each known VLAN. These advertisement frames are sent to a
multicast address so that all neighboring devices can receive the frames;
however, the frames are not forwarded by normal bridging procedures. All
devices in the same management domain learn about any new VLANs now
configured in the transmitting device. A new VLAN must be created and
configured on one device only in the management domain. The information is
automatically learned by all the other devices in the same management domain.
Advertisements on factory-default VLANs are based on media types. User ports
should not be configured as VTP trunks.
Each advertisement starts as configuration revision number 0. When changes are
made, the configuration revision number increments (n + 1). The revision
number in the management domain continues to increment until it reaches
2,147,483,648, at which point the counter will reset back to zero.
There are two types of advertisements:
• Requests from clients that want information at bootup
• Response from servers
There are three types of messages:
• Advertisement requests - Clients request VLAN information, and the
server responds with summary and subset advertisements (Figure [1]).
• Summary advertisements - By default, server and client Catalyst
switches issue summary advertisements every five minutes. They inform
neighbor switches what they believe to be the current VTP revision
number. Assuming the domain names match, the receiving server or
client compares the configuration revision number. If the revision
number in the advertisement is higher than the current revision number
in the receiving switch, the receiving switch then issues an
advertisement request for new VLAN information (Figure [2]).
• Subset advertisements - These contain detailed information about
VLANs such as VTP version type, domain name and related fields, and
the configuration revision number. Creating or deleting a VLAN,
suspending or activating a VLAN, changing the name of a VLAN, and
changing the maximum transmission unit (MTU) of a VLAN can trigger
these advertisements (Figure [3]).
Advertisements may contain some or all of the following information:
• Management domain name - Advertisements with different names are
ignored.
• Configuration revision number - The higher number indicates a more
recent configuration.
• Message Digest 5 (MD5) - MD5 is the key that is sent with the VTP
when a password has been assigned. If the key does not match, the
update is ignored.
• Updater identity - The updater identity is the identity of the switch that
is sending the VTP summary advertisement.
3.7 VTP Configuration
The following list outlines the basic tasks that must be considered before
configuring VTP and VLANs on the network:
1. Determine the version number of VTP that will be running in the
environment.
2. Decide if this switch is to be a member of an existing management
domain or if a new domain should be created. If a management domain
does exist, determine the name and password of the domain.
3. Choose a VTP mode for the switch.
Two different versions of VTP can run in the management domain, VTP
Version 1 and VTP Version 2. The two versions are not interoperable. If one
switch in the management domain is configured for VTP Version 2, all
switches in the management domain must be configured for VTP Version 2.
VTP Version 1 is the default. It may be necessary to implement VTP Version 2
if features that it offers and VTP Version 1 does not are needed. The most
common such feature is Token Ring VLAN support.
To configure the VTP version on a Cisco IOS command-based switch, first
enter VLAN database mode. From there, set the VTP version as shown in
Figure [1]. In this example, VTP Version 2 has been configured.
Use the following command to change the VTP version number on a set
command-based switch (Figure [2]).
Switch (enable) set vtp v2 enable
VTP Version 2 supports the following features not supported in Version 1:
• Token Ring support - VTP Version 2 supports Token Ring LAN
switching and VLANs.
• Unrecognized type/length/value (TLV) support - A VTP server or client
propagates configuration changes to its other trunks, even for TLVs it is
not able to parse. The unrecognized TLV is saved in NVRAM.
• Version-dependent transparent mode - In VTP Version 1, a VTP
transparent switch inspects VTP messages for the domain name and
version, and forwards a message only if the version and domain name
match. Because only one domain is supported in the supervisor engine
software, VTP Version 2 forwards VTP messages in transparent mode
without checking the version.
• Consistency checks - In VTP Version 2, VLAN consistency checks
(such as VLAN names and values) are performed only when new
information is entered through the command-line interface (CLI) or
Simple Network Management Protocol (SNMP). Consistency checks are
not performed when new information is obtained from a VTP message,
or when information is read from NVRAM. If the digest on a received
VTP message is correct, its information is accepted without consistency
checks. A switch that is capable of running VTP Version 2 can operate
in the same domain as a switch running VTP Version 1 if VTP Version
2 remains disabled on the VTP Version 2-capable switch.
If all switches in a domain are capable of running VTP Version 2, enable VTP
Version 2 on only one switch (using the set vtp v2 enable command).
The version number is propagated to the other VTP Version 2-capable switches
in the VTP domain.
3.7.3 Configure the VTP domain
If the switch being installed is the first switch in the network, the management
domain will have to be created. However, if other Catalyst switches exist, the
switch will probably join an existing management domain. Verify the name of
the management domain that the switch should join. If the management domain
has been secured, it will be necessary to configure the password for the domain.
To create a management domain or to add the switch to a management domain
with a Cisco IOS command-based switch, use the following command:
Switch(vlan)#vtp domain name
An example of this is shown in Figure [1]. In this example, the domain name is
set to cisco.
To create a management domain or to add the switch to a management domain
on a set command-based switch, use the following command:
Switch (enable) set vtp domain domain_name
An example of this is shown in Figure [2]. In this example, the domain name is
set to cisco.
The domain name can be up to 32 characters, and the password must be between
8 and 64 characters long.
3.7.4 Configure VTP mode
Switch(vlan)#vtp client
Setting device to VTP CLIENT mode.
Switch(vlan)#
Choose one of the three available VTP modes for this switch. Some general
guidelines for choosing the mode of the switch are as follows:
If this is the first switch in the management domain and intentions are to add
additional switches, set the mode to server. The additional switches will be able
to learn VLAN information from this switch. The management domain should
have at least one server.
If there are any other switches in the management domain, set the switch mode
to client to prevent the new switch from accidentally propagating the incorrect
information to the existing network. If the switch is supposed to become a
VTP server, change the mode of the switch to server after it has learned the
correct VLAN information from the network.
If the switch is not going to share VLAN information with any other switch on
the network, set the switch to transparent mode. Transparent mode will allow
creation, deletion, and renaming of VLANs at will without the switch
propagating changes to other switches. If a large number of people are
configuring devices within the network, the risk of overlapping VLANs with
two different meanings in the network but the same VLAN identification exists.
To set the correct mode of a Cisco IOS command-based switch, use the
following command:
Switch(vlan)#vtp client | server | transparent
An example of this is shown in Figure [1], as the switch is configured to be in
VTP client mode.
To set the correct mode of a set command-based switch, use the following
command:
Copyright 2002, Cisco Systems, Inc. Switching Section 3: Introduction to VLANs 1-55
Switch> (enable) set vtp mode server | client | transparent
An example of this is shown in Figure [2], as the switch is configured to be in
VTP server mode.
Console> (enable) show vtp statistics
VTP statistics:
summary advts received 0
subset advts received 0
request advts received 0
summary advts transmitted 0
subset advts transmitted 0
request advts transmitted 0
No of config revision errors 0
No of config digest errors 0
Figure [1] shows an example of the show vtp status command used to
verify VTP configuration settings on a Cisco IOS command-based switch.
Figure [2] is an example of the show vtp domain command used to verify
VTP configuration settings on a set command-based switch.
Figure [3] displays the results of the show vtp statistics command on a
set command-based switch. This command shows a summary of VTP
advertisement messages sent and received, as well as configuration errors
detected. Use this command to assist in troubleshooting VTP.
In this activity, the student will learn how to configure a VLAN trunk link
between a Catalyst 4000 (DL1) and a Catalyst 2900 (AL1) to pass traffic for
VLANs 100 and 200.
3.8 VTP Pruning
trunk links that the traffic must use to access the appropriate network devices.
By default, VTP pruning is disabled.
Figure [1] shows a switched network without VTP pruning enabled. Port 1 on
Switch 1 and Port 2 on Switch 4 are assigned to the green VLAN. A broadcast is
sent from the host connected to Switch 1.
Switch 1 floods the broadcast and every switch in the network receives this
broadcast, even though Switches 3, 5, and 6 have no ports in the green VLAN.
Figure [2] shows a switched network with VTP pruning enabled. The broadcast
traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for
the green VLAN has been pruned on the links indicated (Port 5 on Switch 2 and
Port 4 on Switch 4).
3.8.2 Configure VTP pruning
Switch(vlan)#vtp pruning
Pruning switched ON
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport trunk pruning vlan remove 5-10
Switch(config-if)#
Enabling VTP pruning on a VTP server enables pruning for the entire
management domain. VTP pruning takes effect several seconds after being
enabled. By default, VLANs 2 through 1000 are pruning eligible. VTP pruning
does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is
always pruning ineligible, so traffic from VLAN 1 cannot be pruned. There is
the option to make specific VLANs pruning eligible or pruning ineligible on the
device. To make VLANs pruning eligible on a Cisco IOS command-based
switch, enter the following:
Switch(vlan)#vtp pruning
To make specific VLANs pruning ineligible on a Cisco IOS command-based
switch, enter the following:
Switch(config)#interface fastethernet0/3
Switch(config-if)#switchport trunk pruning vlan remove vlan-id
Figure [1] shows an example where pruning is enabled for all VLANs except for
VLANs 5-10.
To make specific VLANs pruning eligible on a set command-based switch, enter
the following:
Console> (enable) set vtp pruneeligible vlan_range
To make specific VLANs pruning ineligible on a set command-based switch,
enter the following:
Console> (enable) clear vtp pruneeligible vlan_range
Examples of each of these tasks are illustrated in Figure [2].
Lab Activity
In this lab activity, the student will learn how to configure VTP pruning
between a Catalyst 4000 switch and Catalyst 2900 switch.
3.8.3 Verifying VTP pruning
Switch#show running-config
<output omitted>
hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport trunk allowed vlan 1,2,4,5,11-1005
switchport trunk pruning vlan 2-4,11-1001
switchport mode trunk
!
interface FastEthernet0/4
<output omitted>
switch> (enable) show trunk 1/1
Port Mode Encapsulation Status Native vlan
---- ---------- ------------- ---------- -----------
1/1 desirable isl trunking 1
In order to verify the VLANs that are either pruned or not pruned on a Cisco IOS
command-based switch, use either the show running-config or the show
interface interface-id switchport command. These commands
are both illustrated in Figure [1].
In order to verify the VLANs that are either pruned or not pruned on a set
command-based switch, use the show trunk command. This command is
illustrated in Figure [2].
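The pruning-eligibility rules of 3.8.2 and the verification of 3.8.3, worked through in code as an added example (not Cisco's code and not part of the course): it reproduces the effect of `switchport trunk pruning vlan remove 5-10`, parses the `show running-config` trunk lines above, and reports which VLANs VTP can actually prune on a trunk. The base range 2-1001 is assumed from the page's sample output (the text says 2-1000); the sample config is constructed from the output shown above.

```python
"""Model Catalyst VTP pruning eligibility and check it against
`show running-config` output (added example, not Cisco's code)."""
import re

# Base pruning-eligible range.  The text says VLANs 2-1000; the page's
# `show running-config` sample shows 2-4,11-1001 after `remove 5-10`,
# so 2-1001 is assumed here to reproduce that output.
DEFAULT_ELIGIBLE = range(2, 1002)

# Constructed from the IOS output in the "Verifying VTP pruning" section.
SAMPLE_CONFIG = """\
hostname Switch
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1,2,4,5,11-1005
 switchport trunk pruning vlan 2-4,11-1001
 switchport mode trunk
!
interface FastEthernet0/4
"""


def expand_vlan_list(spec):
    """'1,2,4,5,11-1005' -> {1, 2, 4, 5, 11, ..., 1005}"""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def compact_vlan_list(vlans):
    """Inverse of expand_vlan_list, in the form IOS prints: '2-4,11-1001'."""
    runs = []
    start = prev = None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            runs.append((start, prev))
            start = prev = v
    if start is not None:
        runs.append((start, prev))
    return ",".join(f"{a}-{b}" if b > a else str(a) for a, b in runs)


def apply_pruning_remove(eligible, remove_spec):
    """Effect of `switchport trunk pruning vlan remove <list>`."""
    return set(eligible) - expand_vlan_list(remove_spec)


def trunk_pruning_from_config(config):
    """{interface: {'allowed': set, 'pruning': set}} for each trunk found."""
    trunks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = re.match(r"\s*switchport trunk (allowed|pruning) vlan (\S+)", line)
        if m:
            trunks.setdefault(current, {})[m.group(1)] = expand_vlan_list(m.group(2))
    return trunks


def prunable_vlans(allowed, pruning):
    """VLANs VTP may actually prune on a trunk: allowed on the trunk and
    pruning-eligible.  VLAN 1 is never eligible, whatever the config says."""
    return (allowed & pruning) - {1}
```

On the sample trunk, VLAN 5 is allowed but was removed from the eligible list, so its flooded traffic always crosses the trunk; VLAN 3 is eligible but not allowed, so pruning never applies to it.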
Summary
After completing this chapter, the student should have a firm understanding of
the following concepts:
• VLANs solve many of the issues found in Layer 2 environments. These
issues include broadcast control, isolation of problem components in the
network, security, and load balancing through the use of a Layer 3
protocol between VLANs.
• VLAN identification allows different VLANs to be carried on the same
physical link, called a trunk link. There are two different types of frame
identification methods: ISL and 802.1Q.
• The VLAN Trunking Protocol provides support for dynamic reporting of
the addition, deletion, and renaming of VLANs across the switch fabric.
• The overwrite process would mean that if the server deleted all VLANs
and had a higher configuration revision number, the other devices in the
VTP domain would also delete their VLANs.
Lab 2.1.3.1: Upgrading the 4006 Supervisor Software
[Lab diagram: workstation running the TFTP server (172.16.0.2 /24), connected to the 4006 by a console cable and by an RJ-45 jumper to the 10/100 Mgt port]
Objective
It is possible that when the new Catalyst 4006 arrives, the Supervisor unit will not recognize the
L3 module. The software image must be at least 5.5(4) to recognize the L3 module. Many early
shipments came with 5.4(2) or older. This set of instructions will cover upgrading the software
image.
The same process will work for any future upgrades.
Scenario
A WS-X4232-L3 layer three Router Switch Card has been added to an existing 4003 or 4006
chassis. After installing it, it is discovered that the Supervisor unit does not recognize the new
module. A check of the configuration shows that the software image is too old to support the
new module. The following steps cover the process of upgrading the software.
Step 1.
To confirm the software version, use the show config command while connected to the
Supervisor module via the console port or roll-over cable. Note: If the Catalyst 4006 has not
been used before, getting to the privileged (or enable) mode is the same as on other Cisco
devices. If passwords have not been set, just press Enter when prompted for both passwords.
Console> (enable)
Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 14:46:47
!
#version 5.4(2) (Shows the current version)
!
1-1 Switching Section 2: Configuring the Switch - Lab 2.1.3.1 Copyright 2002, Cisco Systems, Inc.
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.5-4-2.bin (Shows image used)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end
The L3 module is in Module 3, slot 3 from the top, on the unit. The 'empty' above the module
confirms that the Supervisor module does not recognize the new L3 module.
Step 2.
This is optional for students. The following steps show the process to download the image from
the www.cisco.com site. Students: The instructor will explain where to find the appropriate image.
Go to the Web site and log in with the CCO account information based on the Smartnet
agreement. Choose Software Center from the Service & Support section.
Choose LAN Switching Software from the Software Products & Downloads list.
Choose Catalyst 4000 from the list of Catalyst Switch Software choices.
Choose the version by clicking on the link. The newest link is near the bottom of this list.
Step 3.
The upgrade process uses TFTP very much like the CCNA and other CCNP exercises, with
just a couple differences unique to this model of switch.
Make sure that the TFTP server is running and that the software image is in the default
directory for the server. Note the IP address of the TFTP server.
Cabling: Use a Cisco console cable to the Supervisor Console port to execute the commands
and monitor the process. Use a straight-thru RJ-45 jumper to connect the Supervisor module
10/100Mgmt port to the TFTP server's NIC. If going through a switch to get to the TFTP server,
a crossover cable will be needed between the 4006 and the switch. The 10/100Mgmt interface
is a standard switch port.
Configuring the me1 (10/100Mgmt) port: The me1 interface must be assigned an address in
the same subnet as the TFTP server. The commands to set the me1 from the enable prompt
are as follows:
Console> (enable) set interface me1 172.16.0.5 255.255.255.0
Interface me1 IP address and netmask set.
Console> (enable)
Note: This address fits in with the TFTP server address used in this lab. However, the address
would undoubtedly be different if this were anything but a practice lab.
Step 4.
Note: On some versions of the IOS a “172.16.0.2 is alive” message will be received instead of
the typical Cisco ping output.
If this fails, check that the TFTP server is on, the IP addresses are correct, and that the cabling
is correct. See Step 3 for cabling information. Troubleshoot as needed.
Step 5.
Use the show flash command to check the contents of Flash to confirm that space is
available for the new image. The new image will ultimately sit in Flash alongside the existing
image or images:
Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1 .. ffffffff 548c8f9c 39cf70 17 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
12071928 bytes available (3526384 bytes used)
Console> (enable)
Step 6.
To make sure there is a backup of the current image, start by copying the image to the TFTP
server. In addition to creating a backup, this will demonstrate the steps and the time required
before copying the new image into the 4006.
Enter the TFTP server IP address and the current image name. This final item is case sensitive
and might be best handled by copying it from the show flash output and pasting it here as
needed.
Console> (enable) copy flash tftp
Flash device [bootflash]?
Name of file to copy from []? cat4000.5-4-2.bin
IP address or name of remote host []? 172.16.0.2
Name of file to copy to []? cat4000.5-4-2.bin (This could be renamed here)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCX
File has been copied successfully.
Console> (enable)
The X shown at the end of the second row of Cs is to represent a spinning line that looks very
much like a turnstile. This will appear on the screen for several minutes until the copy is done. It
is a 4MB file so it will take several minutes to copy.
Step 7.
This is optional for students. Now proceed to the actual upgrade. Suggestion: Use Windows
Explorer and select the new image name, as if it were going to be renamed, and do a copy.
Paste this when the copy tftp command asks for the file name.
Note that the following default values for each prompt assume the copy flash tftp step
was done earlier. Just press Enter at prompt one (1). Press Enter at prompts three (3) and
four (4) unless the image is to be renamed.
Console> (enable) copy tftp flash
IP address or name of remote host [172.16.0.2]?
Name of file to copy from [cat4000. 5-4-2.bin]? cat4000.6-2-1.bin
Flash device [bootflash]?
Name of file to copy to [cat4000.6-2-1.bin]?
7981064 bytes available on device bootflash, proceed (y/n) [n]? y
XCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
File has been copied successfully.
Console> (enable)
The X shown before the first row of Cs is to represent a spinning line that looks very much like
a turnstile. This will appear on the screen for several minutes until the copy is done. This is
exactly the opposite of when copying to the TFTP server.
Step 8.
This is optional for students. To confirm that it happened, use the show flash command. Both
images are now present.
Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1 .. ffffffff 548c8f9c 39cf70 17 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
2 .. ffffffff d39d5c46 783778 17 4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin
Console> (enable)
Step 9.
This is optional for students. Use the set boot system flash bootflash: image_name
prepend command to tell the 4006 which image to use. It is critical that the prepend option is
added to the end of the command to move this image ahead of the existing image. Both images
will be listed on the configuration. If this option is omitted the machine will boot to the old image.
The following output starts with using the help ? feature to see the options:
Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin ?
prepend Put as first priority
<mod> Module number
<cr>
Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin prepend
Console> (enable)
Use the show config command to confirm that the command worked. Only the relevant
output lines are shown below.
Console> (enable) show config
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin
!
#mls
set mls nde disable
Step 10.
This is optional for students. Reboot the device with the reset command. The configuration is
automatically saved on a 4006. Therefore, a copy run start command does not need to be
done first.
Use the show config and show module commands to confirm that the changes have been
made.
Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 15:04:09
!
#version 6.2(1) (Note the new version)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
set interface me1 172.16.0.5 255.255.255.0 172.16.0.255
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin (This is ignored. Can be removed)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 : 34-port Router Switch Card (The L3 module is now appearing)
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end
Console> (enable)
Console> (enable) show module
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1 1 2 1000BaseX Supervisor WS-X4013 no ok
3 3 34 Router Switch Card WS-X4232-L3 no ok
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
1 00-03-6b-a8-13-00 to 00-03-6b-a8-16-ff 1.2 5.4(1) 6.2(1)
3 00-01-96-d8-d9-ca to 00-01-96-d8-d9-eb 1.5 12.0(7)W5( 12.0(7)W5(15d)
Console> (enable)
Step 11.
This is optional for students. If the old image is to be removed from the flash, use the
cd bootflash: command to move to the bootflash area. The dir command can be used to see
the contents. Notice that the output is a little different than the show flash command earlier.
Console> cd bootflash:
Console> dir
-#- -length- -----date/time------ name
1 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
2 4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin
Go to the privilege mode and use the delete command to remove the file. Use the dir
command to confirm that the file appears to be gone.
Console> enable
Enter password:
Notice that the 'bytes available' and 'bytes used' have not changed. The file is actually just
hidden. This is much like deleting records in a database. To see the deleted file, use the dir
deleted command. To remove the file, use the squeeze bootflash: command.
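The checks a careful engineer makes around Steps 5, 9 and 11 of this upgrade, as an added example (not Cisco's code and not part of the lab): it parses the show flash and show config output transcribed above, confirms the new image fits before copy tftp flash, confirms that prepend put the new image at the head of the boot list before reset, and lists the images left to delete and squeeze afterwards. The sample outputs are constructed copies of the lab's own output; the image size 4089736 is the length show flash reports in Step 8.

```python
"""Pre- and post-upgrade checks for the Catalyst 4000 (CatOS) TFTP image
upgrade (added example, not Cisco's code).  Sample outputs are constructed
copies of the lab's show flash / show config output."""
import re

NEW_IMAGE = "cat4000.6-2-1.bin"
OLD_IMAGE = "cat4000.5-4-2.bin"
NEW_IMAGE_BYTES = 4089736      # length shown by `show flash` in Step 8

# Step 5: `show flash` before the upgrade.
SHOW_FLASH_BEFORE = """\
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1 .. ffffffff 548c8f9c 39cf70 17 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
12071928 bytes available (3526384 bytes used)
"""

# Step 8: `show flash` with both images present.
SHOW_FLASH_AFTER = """\
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1 .. ffffffff 548c8f9c 39cf70 17 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
2 .. ffffffff d39d5c46 783778 17 4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin
7981064 bytes available (7616120 bytes used)
"""

# Boot section of `show config` after the `prepend` in Step 9.
SHOW_CONFIG_BOOT_AFTER = """\
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin
"""


def parse_show_flash(text):
    """Return ({image_name: length_in_bytes}, available_bytes)."""
    files, available = {}, None
    for line in text.splitlines():
        m = re.search(r"(\d+) bytes available", line)
        if m:
            available = int(m.group(1))
            continue
        tok = line.split()
        # file rows: index, ED, type, crc, seek, nlen, length, date..., name
        if len(tok) >= 8 and tok[0].isdigit() and tok[6].isdigit():
            files[tok[-1]] = int(tok[6])
    return files, available


def image_fits(show_flash_text, image_bytes):
    """Step 5: is there room for the new image before `copy tftp flash`?"""
    _, available = parse_show_flash(show_flash_text)
    return available is not None and available >= image_bytes


def boot_order(show_config_text):
    """Image names in the order CatOS will try them; the first one wins."""
    return re.findall(r"^set boot system flash bootflash:(\S+)",
                      show_config_text, re.M)


def new_image_boots_first(show_config_text, image):
    """Step 9: without `prepend` the new image lands after the old one and
    the switch reboots into the old image; check the head of the list."""
    order = boot_order(show_config_text)
    return bool(order) and order[0] == image


def stale_images(show_flash_text, active_image):
    """Step 11: images other than the active one, i.e. candidates for
    `delete` followed by `squeeze bootflash:` to reclaim the space."""
    files, _ = parse_show_flash(show_flash_text)
    return sorted(name for name in files if name != active_image)
```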
Lab 2.1.3.2: Catalyst 4000 Setup
[Lab diagram: workstation 10.1.1.10/24 connected by console cable to DLSwitch1 (4006), management address 10.1.1.251/24, native VLAN1]
Objective:
Configure a Cisco Catalyst 4000 Ethernet switch for the first time.
Scenario:
A new Catalyst 4000 Ethernet switch with a supervisor module and a 32 port layer 3 switch
module has just been purchased. Configure the supervisor module so that it has a name, IP
address, and basic password security using the Command Line Interface (CLI).
Lab Tasks:
Step 1.
Connect the serial port to the console port of the Catalyst 4000. Notice that both the layer 3
switch module and the supervisor module have a console port. Since the switch itself is being
configured, plug into the supervisor module console port.
Use a standard Cisco console cable kit with a roll-over cable to connect.
Use the communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow control.
Step 2.
Power on the 4000 switch and watch it start up. It may take several minutes for the 4000 to boot
up. Notice that the 4000 switch is more verbose in its startup messages than Cisco routers.
1-1 Switching Section 2: Configuring the Switch - Lab 2.1.3.2 Copyright 2002, Cisco Systems, Inc.
…
Step 3.
Once boot up is complete, a password prompt will be received:
Enter password:
Notice that because the switch has not been configured yet and does not have an IP address, the
switch will try to obtain an address via DHCP. In the event that the switch does gain an IP
address from a DHCP server, CDP information from a neighboring Cisco device could always be
used to determine which address it obtained.
To log into the switch, just hit enter at the password prompt. The switch user exec prompt
appears:
Console>
Step 4.
Next, configure the switch name, user exec password, and privileged mode password:
Console> enable
Console> (enable)
Setting the passwords requires that a password setting dialog is entered. This is different from
other Cisco devices where the password is entered as part of the password command itself. The
Catalyst 4000 has two passwords just like other Cisco IOS devices. The first password is a user-
exec password and the second is a privileged exec mode password.
DLSwitch1> (enable)
Step 5.
Now type show config to view the configuration of the switch.
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Nov 1 2000, 10:13:54 CST
!
#version 5.4(2)
!
set password $2$CBqb$emYj5ImVlOCgbNQTg.TC31
set enablepass $2$0o8Z$gGVzWMgEwfQEZIi2F340Q.
.
.
.
Notice the switch shows that only non-default commands are displayed. If all commands were
displayed, the configuration would be hard to read. The show config all command is given
as an option if the entire configuration needs to be displayed.
Type show config all just to see how big the configuration really is.
1. What is noticed about the passwords that are stored in the configuration?
Are they encrypted?
Step 6.
Next, configure the IP address on the switch so that communication with the switch can be done
via the network for management purposes.
Notice that there is a port on the supervisor module that is labeled ’10/100 MGT’. This is not a
normal switch port, but rather an Ethernet interface that can be used to plug the management
part of the switch into another network. This is sometimes referred to as ’out-of-band’
management. This port would be connected to some other Ethernet network that is not part of
the normal production network. In the event that the Ethernet networks within this switch failed
for some reason, communication with the switch would continue through this external Ethernet
interface. This out-of-band Ethernet port is much like a NIC card that exists on the switch.
There is also a virtual interface inside the switch. This is a virtual connection to the backplane of
the switch and can be configured to be a member of any VLAN that the switch has configured.
Configure the management IP address on the sc0 virtual interface. Configuring the sc0 interface
allows access to the switch management through the normal switch ports on the 4000. The ME1
10/100 MGT port will not be used.
Another option would be to configure what VLAN the sc0 virtual interface is a part of:
This places the virtual management interface in VLAN 1. By default the sc0 interface is in VLAN
1, so this command is not entirely necessary. However, this command would be necessary if the
management was to be associated to a different VLAN.
This is a switch and not a router. Therefore, routing protocols cannot be configured on this
device. To ensure that all of the networks that are part of the internetwork can be reached,
configure a default router to which all traffic is sent when the switch does not know which path
to take to the destination.
This command installs a default route that points to the 10.1.1.1 router.
Step 7.
Configure the workstation so that it is a part of the 10.1.1.0/24 network, which is the same
network as the switch's management port.
Plug the workstation into any of the Ethernet switch ports on the L3 ROUTING MODULE. By
default, all of the ports in the switch are in VLAN 1. If virtual management interface sc0 remains
in VLAN 1, communication with the switch is still possible.
Step 8.
Using the telnet interface, explore some of the 4000 show commands:
This command gives information about what modules are installed in this switch. Because the
4000 is a modular switch with removable blades, this display could vary. Also seen is the
hardware, firmware, and software each of the modules is running. This is very useful when
determining which modules need to be upgraded.
DLSwitch1> sh mod
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1 1 2 1000BaseX Supervisor WS-X4013 no ok
2 2 34 Router Switch Card WS-X4232-L3 no ok
Mod MAC-Address(es) Hw Fw Sw
--- -------------------------------------- ------ ---------- -----------------
1 00-03-6b-0b-7c-00 to 00-03-6b-0b-7f-ff 1.2 5.4(1) 5.5(1)
2 00-01-96-c8-e4-c6 to 00-01-96-c8-e4-e7 1.5 12.0(7)W5( 12.0(7)W5(15d)
This command gives information about the physical operation of the switch. It tells the status of
the power supplies, status of the fans, system uptime, and the percentage of current and peak
traffic the switch has observed.
DLSwitch1> sh system
PS1-Status PS2-Status PS3-Status PEM Installed
---------- ---------- ---------- -------------
ok ok none no
This command gives the status of the ports that are installed on this switch. Based on what
modules have been installed, this display could vary.
DLSwitch1> sh port
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
1/1 notconnect 1 normal full 1000 No GBIC
1/2 notconnect 1 normal full 1000 No GBIC
2/1 connected 1 normal full 1000 No GBIC
2/2 connected 1 normal full 1000 No GBIC
2/3 notconnect 1 normal auto auto 10/100BaseTX
2/4 notconnect 1 normal auto auto 10/100BaseTX
2/5 notconnect 1 normal auto auto 10/100BaseTX
2/6 notconnect 1 normal auto auto 10/100BaseTX
2/7 notconnect 1 normal auto auto 10/100BaseTX
2/8 notconnect 1 normal auto auto 10/100BaseTX
2/9 notconnect 1 normal auto auto 10/100BaseTX
2/10 notconnect 1 normal auto auto 10/100BaseTX
Lab 2.2.3: Catalyst 2900 Setup
[Lab diagram: workstation 10.1.1.10/24 connected by console cable to ALSwitch (2900XL), management address 10.1.1.251/24, native VLAN1]
Objective:
Configure a Cisco Catalyst 2900 Ethernet switch for the first time.
Scenario:
A new Catalyst 2900 Ethernet switch has just been purchased. Configure the switch so that it
has a name, IP address, and basic password security using the Command Line Interface (CLI).
Lab Tasks:
Step 1.
Connect the serial port to the console port of the Catalyst 2900. The console port for the 2900 is
located on the back of the switch, much like the 1900 series switches.
Use a standard Cisco console cable kit with a rollover cable to connect.
Use the same communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow
control, 9600 bits per second.
Step 2.
Power on the 2900 switch and watch it start up. It will take a little over one minute for the 2900 to
boot up.
1-1 Switching Section 2: Configuring the Switch - Lab 2.2.3 Copyright 2002, Cisco Systems, Inc.
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2775040
flashfs[0]: Bytes available: 837632
flashfs[0]: flashfs fsck took 6 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2900XL-c3h2s-mz-120.5-XU.bin"...#########################################################################################################################################################
…
Step 3.
Once the boot up is complete, a prompt will ask for the System Configuration Dialog. This prompt
is due to not currently having a saved configuration on this switch.
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Configure the switch manually without the assistance of the setup dialog. The setup dialog is
simpler than that of an IOS based router. After completing this lab, reconfigure the switch using
the Setup Configuration Dialog.
There will not be a prompt for a password. Hit enter to log directly into user exec mode.
Switch>
Step 4.
Before configuring the switch, take a look at the current default running configuration prior to
adding any configuration commands.
Go into the enable mode. Because there is not an enable password set yet, there will not be a
prompt for one.
Switch>enable
Switch#show running-config
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface VLAN1
no ip directed-broadcast
no ip route-cache
!
!
line con 0
transport input none
stopbits 1
line vty 5 15
!
end
Notice that the configuration is much like that of an IOS based router. The interfaces on the
switch are actually the ports of the switch. Also notice the lack of any routing protocol, and so on.
Because this is a switch and not a router, no commands will be seen that relate to the routing of
packets.
Step 5.
Now configure the switch name, user exec password, and privileged exec mode password:
The Catalyst 2900 uses IOS style configuration commands. These commands will look similar to
configuring a router.
Set the switch name.
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
Like the IOS, use the copy command to save the current running configuration.
Older software uses the write command. Return to the user privileged mode.
Step 6.
Now configure the IP address on the switch so that communication can begin with the switch via
the network for management purposes.
The management portion of the 2900 series switch defaults to using VLAN 1 as its network
connection. When the show running-config command was done earlier, notice that interface
VLAN 1 is part of the default configuration.
All ports default to membership of VLAN 1. Therefore, configure the switch management to also
use VLAN 1. Configure interface vlan 1 just as a router interface would be done when assigning
the switch's management IP address.
ALSwitch#config terminal
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
This immediately assigns the IP address of the switch to VLAN 1. The 2900 can be configured
with multiple VLANs simultaneously. Make sure that each VLAN interface has an IP address
from that VLAN. Additional VLAN interfaces can be created temporarily by using the interface
vlan x command, where x is the VLAN number.
Since this is a switch and not a router, no routing protocols can be configured on this device. To
be able to reach all of the networks that are a part of this internetwork, a default router needs to
be configured. This default router will be used to send all traffic when routing is done between
VLANs.
This command installs a default route that points at the 10.1.1.1 router.
Step 7.
Configure the workstation so that it is a part of the 10.1.1.0/24 network. This network is the same
network as the switch's management port.
Plug the workstation into any of the switch ports that reside on the switch. By default all of the
ports in the switch will be in VLAN 1. Therefore, as long as the management IP address is
configured on VLAN 1, communication with the switch will be possible.
Step 8.
Using the telnet interface, explore some of the commands in the 2900. Notice that the 2900XL is
much like other IOS devices.
Use the show interfaces command to look at the switch ports. Notice that the command
output is similar to that of a router.
ALSwitch#show interfaces
FastEthernet0/1 is down, line protocol is down
Hardware is Fast Ethernet, address is 0002.fd49.7b81 (bia 0002.fd49.7b81)
MTU 1500 bytes, BW 0 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Auto-duplex , Auto Speed , 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 64 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
--More--
1. What other types of interfaces are seen besides the switch ports?
ALSwitch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 03-Apr-00 16:37 by swati
Image text-base: 0x00003000, data-base: 0x00301398
ALSwitch#
2. What type of memory is included in the Catalyst 2900 series switch, but is not listed in the
show version output?
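An audit of the factory-default configuration shown in Step 4, as an added example that is not part of the lab and not Cisco's code: it parses the show running-config text into global lines and interface/line sections, then reports which of this lab's setup items (hostname, VLAN 1 management address, default router, passwords) are still missing and whether passwords would be stored in cleartext. The enable secret, ip default-gateway and service password-encryption lines in the configured sample are assumed, since the lab does not show them.

```python
"""Audit a Catalyst 2900XL running-config for the setup items this lab asks
for and for cleartext password storage (added example, not Cisco's code)."""
import re

# Constructed copy of the factory-default `show running-config` above.
DEFAULT_2900XL_CONFIG = """\
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
!
interface VLAN1
 no ip directed-broadcast
 no ip route-cache
!
line con 0
 transport input none
 stopbits 1
line vty 5 15
!
end
"""

# Constructed sample after the lab's setup steps.  The enable secret,
# service password-encryption and ip default-gateway lines are assumed.
CONFIGURED_2900XL_CONFIG = """\
version 12.0
service password-encryption
!
hostname ALSwitch
!
enable secret class
!
ip subnet-zero
!
interface VLAN1
 ip address 10.1.1.251 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 10.1.1.1
!
line con 0
 transport input none
 stopbits 1
line vty 5 15
!
end
"""


def parse_sections(config):
    """Split a config into (global_lines, {section_header: [sub_lines]}).
    Indented lines belong to the preceding interface/line section."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line[0] != " ":
            if re.match(r"(interface|line) ", line):
                current = line
                sections[current] = []
            else:
                current = None
                globals_.append(line)
        elif current is not None:
            sections[current].append(line.strip())
    return globals_, sections


def audit_2900xl(config):
    """Return finding strings; an empty list means the lab's setup items are
    present and passwords are not stored in clear."""
    globals_, sections = parse_sections(config)
    findings = []
    if "no service password-encryption" in globals_:
        findings.append("service password-encryption is off: line and enable "
                        "passwords would be stored in cleartext")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("no enable secret configured")
    if "hostname Switch" in globals_:
        findings.append("hostname is still the factory default")
    vlan1 = sections.get("interface VLAN1", [])
    if not any(s.startswith("ip address ") for s in vlan1):
        findings.append("interface VLAN1 has no management IP address")
    if not any(g.startswith("ip default-gateway ") for g in globals_):
        findings.append("no default router (ip default-gateway) configured")
    return findings
```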
Lab 2.3.4.1: Catalyst 4000 Password Recovery
[Lab diagram: workstation 10.1.1.10/24 connected by console cable to DLSwitch1 (4006), management address 10.1.1.250/24, native VLAN1]
Objective:
Regain control of a Cisco Catalyst 4000 Ethernet switch after all the passwords have been lost.
Scenario:
With a new job at a company that used Catalyst 4000 Ethernet switches, it is found that the
previous network manager did not leave any documentation containing the passwords for the
switches. Perform password recovery on the Catalyst 4000. Change the user exec password to
cisco and the privileged exec mode password to class.
Lab Tasks:
Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.
Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
In the steps that follow, have a classmate set the passwords with set password and set enablepass.
The passwords used should be made up and not the standard passwords used in the labs. Make
sure the classmate does not divulge them.
DLSwitch1> (enable) set password
Enter old password:
Enter new password:
Retype new password:
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed.
Step 2.
Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be
denied.
The Catalyst 4000 series of switches, which runs CatOS, handles password recovery differently
from Cisco IOS based devices.
The Catalyst 4000 series switch does not require a password when logging in from the console
port during the first 30 seconds after it has booted up. A password is still required during this time
if trying to log in via telnet.
This is a good example of why physical security of devices is so important. Anyone who can reach
the console port and power-cycle the switch can set new passwords, so console cables and power
need to be controlled as carefully as the passwords themselves.
Step 3.
Make sure there is a connection to the console port and power off the Catalyst 4000 switch.
Read through the rest of this step. It will need to be completed within 30 seconds after the switch
is powered back up. It is important to power off the switch. A warm reset will not allow entrance
without a password, therefore, it must be a full power off.
Turn on the power to the Catalyst 4000 switch by plugging in the power cords. At the password
prompt, just hit enter:
Enter password:
DLSwitch1>
Enter privileged mode. Again, a password will not be needed so hit enter.
DLSwitch1> enable
DLSwitch1> (enable)
Now reset the password using the set password and set enablepass commands.
When prompted for the current passwords, hit enter.
DLSwitch1> (enable) set password
Enter old password: (just hit enter)
Enter new password: ("cisco" hit enter)
Retype new password: ("cisco" hit enter)
Password changed.
DLSwitch1> (enable) set enablepass
Enter old password: (just hit enter)
Enter new password: ("class" hit enter)
Retype new password: ("class" hit enter)
Password changed.
If this is done within the 30-second window, the new passwords become part of the saved
configuration. The rest of the switch's configuration is unchanged.
1. Is the Catalyst 4000 password recovery better or worse than other IOS based devices?
Lab 2.3.4.2: Catalyst 2900 Password Recovery
Diagram: Workstation (10.1.1.10/24) connected by console cable to ALSwitch (Catalyst 2900XL, 10.1.1.251/24); native VLAN 1.
Objective:
Regain control of a Cisco Catalyst 2900 Ethernet switch after the passwords have been lost.
Scenario:
On starting a new job at a company that uses Catalyst 2900 Ethernet switches in its IDFs, it is found
that the previous network manager did not leave any documentation containing the passwords for
the switches. Perform password recovery on the Catalyst 2900, then change the user exec password
to cisco and the privileged exec mode password to class.
Lab Tasks:
Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is complete.
Switch>enable
Switch#
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
In the steps that follow, have a classmate set the passwords. The passwords to be used should
be made up and not the standard passwords used in the labs. Make sure the classmate keeps
the passwords to themselves.
ALSwitch(config)#line con 0
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
Step 2.
Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be
denied.
The Catalyst 2900 series of switches handles password recovery in a similar fashion to other
IOS devices. The idea is to move the current startup configuration out of the way so that the
switch loads the default configuration, which has no passwords. Once the switch is up and
running, go into enable mode, move the saved startup configuration back into the running
configuration, modify the passwords, and then save it back as the startup configuration.
Note that the old configuration is renamed, not erased, so the same console access also discloses
the entire previous configuration, including any passwords it holds. As with the 4000, physical
access to the console port and the power cord is equivalent to full control of the switch.
Step 3.
Make sure there is connection to the console port and power off the Catalyst 2900 switch.
Hold down the ’MODE’ button on the front of the Catalyst 2900 switch at the same time that the
switch is powered on. Let go of the ’MODE’ button a second or two after the LED light above port
1 is no longer lit.
The switch stops in the boot loader and lists the commands that initialize the flash file system and
finish loading the software: flash_init, load_helper, and boot. The prompt is switch:
switch: flash_init
Initializing Flash...
flashfs[0]: 109 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2776064
flashfs[0]: Bytes available: 836608
flashfs[0]: flashfs fsck took 8 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch: load_helper
This is similar to changing the configuration-register on a router to boot into ROM monitor mode.
Now move the startup configuration, config.text, out of the way by renaming it, then boot:
switch: rename flash:config.text flash:config.old
switch: boot
When the switch reboots, it will prompt for the Configuration Dialog to be entered. Answer no.
When the switch finishes the boot-up sequence, enter privileged exec mode and rename the
temporary file back to its original name, config.text, which is the startup configuration.
Switch>
Switch>enable
Switch#rename flash:config.old flash:config.text
Load that configuration into the running configuration and set the new passwords. Using enable
secret rather than enable password stores the privileged exec password as an MD5 hash in the
configuration file instead of as cleartext.
Switch#copy flash:config.text system:running-config
ALSwitch#configure terminal
ALSwitch(config)#enable secret class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#end
Now save the changes.
ALSwitch#copy running-config startup-config
Lab 2.3.7.1: Catalyst 4000 TFTP Configuration Files
Diagram: Workstation running the TFTP server (10.1.1.10/24) connected by console cable to DLSwitch1 (Catalyst 4006, 10.1.1.250/24); native VLAN 1.
Objective:
Scenario:
The company uses Catalyst 4000 Ethernet switches for their backbone. A copy of the
configuration file from the Catalyst 4000 switch to a TFTP server is desired for safekeeping.
Lab Tasks:
Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.
Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable) set password
Enter old password:
Enter new password:
Retype new password:
Password changed.
Step 2.
Use the copy command to copy the configuration from the switch to the TFTP server. Type
copy ? to see what other options there are.
Step 3.
Now use the copy config tftp command to move the configuration to the TFTP server, answering
the prompts for the TFTP server address (10.1.1.10) and the file name.
DLSwitch1> (enable) copy config tftp
.....
Configuration has been copied successfully.
DLSwitch1> (enable)
Step 4.
Check the configuration file that was saved to the TFTP server.
2. Is the copy a full version of the configuration, or just the nondefault commands?
3. What command would be used to save both default and nondefault commands?
Lab 2.3.7.2: Catalyst 2900 TFTP Configuration Files
Diagram: Workstation running the TFTP server (10.1.1.10/24) connected by console cable to ALSwitch (Catalyst 2900XL, 10.1.1.251/24); native VLAN 1.
Objective:
Scenario:
The company uses Catalyst 2900 Ethernet switches in their IDFs. A copy of the configuration file
from the Catalyst 2900 switch to a TFTP server is desired for safekeeping.
Lab Tasks:
Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is complete.
Switch>enable
Switch#
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
Step 2.
Use the copy command to copy the configuration from the switch to the TFTP server. Type
copy ? to see what other options there are.
Step 3.
Now use the copy running-config tftp command to move the configuration to the TFTP
server.
Keep in mind what this file contains and how it travels: the line passwords configured in Step 1
appear in it exactly as typed, and TFTP carries it with no authentication and no encryption, so
anyone who can capture the transfer or read the server's directory gets the switch passwords.
Restrict access to the TFTP directory and run the server only on a controlled management segment.
Step 4.
Check the configuration file that was saved to the TFTP server.
2. Is the copy a full version of the configuration, or just the nondefault commands?
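The file that copy running-config tftp leaves on the server holds every credential the switch has, in whatever form the switch stores it. The Python script below is an added example, not part of the original lab or of any Cisco tool, of the check to run on that file before it is kept "for safekeeping": it parses an IOS-format configuration such as the one uploaded from the ALSwitch in Lab 2.3.7.2, flags line passwords stored cleartext, flags enable password where enable secret should be used, and reverses IOS type 7 strings, which are a fixed-key XOR obfuscation rather than encryption. The sample configuration is constructed from the ALSwitch lines used in these labs; the enable password 7 line is an assumption added to exercise the decoder, since the labs never turn on service password-encryption. The 4000's CatOS file from Lab 2.3.7.1 is a different format and is not handled here.

```python
import re

# The fixed XOR key IOS uses for type 7 "encryption". It is the same on every
# image, which is why type 7 only obscures a password and never protects it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample of what `copy running-config tftp` would upload for the
# ALSwitch in these labs. The `enable password 7` line is an added assumption
# (the labs never enable service password-encryption).
SAMPLE_CONFIG = """\
version 12.0
hostname ALSwitch
enable password 7 094F471A1A0A
!
interface VLAN1
 ip address 10.1.1.251 255.255.255.0
!
line con 0
 password somethingelse
 login
line vty 0 4
 password somethingelse
 login
line vty 5 15
 login
!
end
"""

_ENABLE = re.compile(r"enable password(?: (\d+))? (\S+)$")
_PASSWORD = re.compile(r"password(?: (\d+))? (\S+)$")


def decode_type7(encoded):
    """Reverse a type 7 string: a two-digit decimal seed followed by hex byte
    pairs, each XORed with the key byte at (seed + position) mod key length."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    plain = bytearray()
    for pos, i in enumerate(range(2, len(encoded), 2)):
        plain.append(int(encoded[i:i + 2], 16) ^ _TYPE7_KEY[(seed + pos) % len(_TYPE7_KEY)])
    return plain.decode("latin-1")


def encode_type7(plain, seed=9):
    """Forward direction of the same XOR; used here to build test vectors."""
    body = "".join("%02X" % (ord(c) ^ _TYPE7_KEY[(seed + pos) % len(_TYPE7_KEY)])
                   for pos, c in enumerate(plain))
    return "%02d%s" % (seed, body)


def _storage(kind, value):
    """Describe how a password statement stores its value, or None if hashed."""
    if kind == "7":
        return "type 7, recovers to %r" % decode_type7(value)
    if kind in (None, "0"):
        return "cleartext"
    return None            # type 5 and later hashes are not flagged


def audit_config(text):
    """Walk an IOS config and return (section, finding) pairs for every
    credential that is stored cleartext, stored as type 7, or missing."""
    findings = []
    section = "global"
    lines_seen = {}        # line section -> whether a password was set
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # new top-level statement
            section = raw.strip()
            if section.startswith("line "):
                lines_seen[section] = False
            m = _ENABLE.match(section)
            if m:
                findings.append(("global", "enable password (%s) instead of enable secret"
                                 % _storage(m.group(1), m.group(2))))
            continue
        m = _PASSWORD.match(raw.strip())
        if m and section in lines_seen:
            lines_seen[section] = True
            storage = _storage(m.group(1), m.group(2))
            if storage:
                findings.append((section, "password stored " + storage))
    for section, has_password in lines_seen.items():
        if not has_password:
            findings.append((section, "login without any password set"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_config(SAMPLE_CONFIG):
        print("%-14s %s" % (section, finding))
```

Run it as a script to print the findings for the sample, or import audit_config and pass it the text of the file pulled from the TFTP server.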
Lab 3.3.1.1: Catalyst 4000 Static VLANs
Diagram: DLSwitch1 (Catalyst 4006, 10.1.1.250/24 on native VLAN 1, 10.1.1.0/24) with three user VLANs:
Accounting, VLAN 10, 10.1.10.0/24, ports 19-24
Marketing, VLAN 20, 10.1.20.0/24, ports 25-30 (Test workstation, 10.1.x.3)
Engineering, VLAN 30, 10.1.30.0/24, ports 31-34 (Engineering workstation, 10.1.30.2)
Objective:
Configure the Distribution Layer Catalyst 4000 Ethernet Switch to support three VLANs -
Marketing, Accounting, and Engineering.
Scenario:
The current hub based network is being migrated to a Catalyst 4000 switch based network.
There are currently three hubs, one for each network. The three VLANs will need to be created
on the new switch. Three ports will be assigned to each VLAN.
Design:
Lab Tasks:
Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.
Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
Step 2.
Before the VLANs can be configured, a little understanding of the default operation of the
Catalyst 4000 is needed.
By default, the Catalyst 4000 is configured as a VLAN Trunking Protocol (VTP) server. More will
be learned about this in later labs. Since the switch defaults to a VTP server, a VTP domain
name must be assigned to the switch.
DLSwitch1> (enable) set vtp domain corp
This command sets the VTP domain name to 'corp', which will be used during the rest of
the labs.
Step 3.
Next assign the ports to their appropriate VLANs.
Use set vlan vlan# slot#/port# to assign the ports to their appropriate VLANs. Notice that
multiple ports can be specified by indicating a range of port numbers. For example,
2/19-24 includes ports 19 through 24 on slot 2.
DLSwitch1> (enable) set vlan 10 2/19-24
Continue with the other VLANs:
DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34
The other ports do not need to be configured as VLAN 1 because they are in VLAN 1 by default.
Use the show vlan command to verify that the ports are assigned to the correct VLAN.
Step 4.
Now configure the Engineering workstation that will be connected to the Engineering VLAN using
the IP address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the
Engineering VLAN ports.
4. What command could be used to determine what ports are assigned to what VLAN?
VLANs can be named so they are easier to identify when doing show commands on the switch.
These names do not affect the functionality of the VLANs.
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering
Step 5.
Configure the Test workstation so it has an IP address of 10.1.20.3/24 and plug it into the
Marketing VLAN. Try to ping the Engineering workstation (10.1.30.2). The ping fails: the two
hosts are in different VLANs and different subnets, and nothing routes between them.
Step 6.
Change the IP address of the Test workstation to 10.1.30.3/24.
If the Engineering workstation still cannot be pinged after the IP address was changed, move
the Test workstation to the Engineering VLAN. The ping should now be successful.
Lab 3.3.1.2: Catalyst 2900 Static VLANs
Diagram: ALSwitch (Catalyst 2900XL, 10.1.1.251/24 on native VLAN 1, 10.1.1.0/24) with three user VLANs:
Accounting, VLAN 10, 10.1.10.0/24, ports fa0/4-fa0/6
Marketing, VLAN 20, 10.1.20.0/24, ports fa0/7-fa0/9 (Test workstation, 10.1.x.3)
Engineering, VLAN 30, 10.1.30.0/24, ports fa0/10-fa0/12 (Engineering workstation, 10.1.30.2)
Objective:
Configure the Access Layer Catalyst 2900 Ethernet Switch to support three VLANs: Marketing,
Accounting, and Engineering.
Scenario:
The current hub based network is being migrated to a Catalyst 2900 switch based network.
There are currently three hubs, one for each network. The three VLANs will need to be created
on the new switch. Three ports will be assigned to each VLAN.
Design:
Lab Tasks:
Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is completed.
Switch> enable
Switch#
Set the switch name.
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
Step 2.
Next configure the VLANs. Refer to the Design section for VLAN port assignments.
First set all of the ports to ’access’ ports. A port on a 2900 switch can be one of three modes: A
trunk port, a multi-VLAN port, or an access port. Trunk ports and multi-VLAN ports are used
when connecting a switch to another switch, or another device that understands VLAN trunking.
Because workstations will be connected to these ports, configure these ports as ’access’ ports.
This means that these will be single VLAN ports with standard devices attached.
By default all ports are access ports, so this command is only necessary if a port has been set
up as a trunk port.
ALSwitch(config)#interface fa0/1
ALSwitch(config-if)#switchport mode access
Repeat this step for all ports that need to be converted back to access ports.
Step 3.
Next assign the ports to the appropriate VLANs.
Use the switchport access vlan n, where n is the VLAN number, to assign the ports to
their appropriate VLANs.
ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30
By default, ports fa0/1-fa0/3 do not need to be configured as VLAN 1 because that is the default
VLAN to which ports are assigned.
Use the show vlan command to verify that the ports are assigned to the correct VLAN.
Step 4.
Now configure the Engineering workstation that will sit on the Engineering VLAN using the IP
address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the
Engineering VLAN ports.
4. What command could be used to determine what ports are assigned to what VLAN?
Step 5.
Configure the Test Workstation so it has an IP address of 10.1.20.3/24 and plug it into the
Marketing VLAN.
Step 6.
Change the IP address of the Test Workstation to 10.1.30.3/24.
If the Engineering workstation still cannot be pinged after the IP address was changed, move
the Test workstation to the Engineering VLAN. The ping should now be successful.
Lab 3.6.4: VLAN Trunking and VTP Domain
Diagram: DLSwitch1 (Catalyst 4000) trunked to ALSwitch (Catalyst 2900XL), with the same VLANs on both switches and a workstation on each:
Native VLAN 1, 10.1.1.0/24: DLSwitch1 ports 2/4-2/16, ALSwitch fa0/2-fa0/3
Accounting, VLAN 10, 10.1.10.0/24: DLSwitch1 ports 2/19-2/24, ALSwitch fa0/4-fa0/6
Marketing, VLAN 20, 10.1.20.0/24: DLSwitch1 ports 2/25-2/30, ALSwitch fa0/7-fa0/9
Objective:
Configure a VLAN trunk between a Catalyst 4000 switch and Catalyst 2900 switch.
Scenario:
The network is growing. The network has outgrown the 2900 and requires more port capacity.
As time goes on, the plan is to continue to add Catalyst 2900 switches in the IDFs. At this point a
Catalyst 4000 is added in the MDF to tie all of these 2900s together. In order to make additions,
moves, and changes easier to manage, VLANs will be configured throughout the entire network.
The 4000 will be at the core of this switch configuration.
The link between the 4000 and 2900 will need to be configured as a trunk line, which will extend
the VLAN configuration between both switches. The Catalyst 4000 switch will act as a VLAN
VTP server that will propagate VLAN information to the 2900.
Design:
Switch VLAN Port Assignments:
Lab Tasks:
Step 1.
First, configure the 4000 switch to the diagram. Skip this step if the Lab 3.1.3, 4000 initial setup,
configuration is completed.
Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
Step 2.
Next, configure the 2900 switch to the diagram. Skip this step if the Lab 3.2.3, 2900 initial setup,
configuration is completed.
Switch>enable
Switch#
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
Step 3.
Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will
communicate information about which VLANs exist from one switch to another. If VTP did not
provide this information, the VLANs on all switches would have to be created individually.
Because the Catalyst 4000 defaults to being a VTP server, server mode does not have to be
turned on. In the event that it was shut off, use the following command:
DLSwitch1> (enable) set vtp mode server
The 4000 is to act as a VTP server to provide the VLAN information to all the other switches.
Once the 4000 is set up as a VTP server, the VTP domain name needs to be specified:
DLSwitch1> (enable) set vtp domain corp
This command sets the VTP domain name to 'corp'. This name must match on all other
switches that are in this VTP domain. Note that the domain name is the only thing a client checks
here: no VTP password is configured in these labs, so any switch advertising the same domain
name with a higher configuration revision can overwrite the client's VLAN database.
The Catalyst 2900XL will be configured as the VTP client. The 2900XL needs to learn the VLANs
from the 4000's VTP server.
This is done through the vlan database command on the 2900XL. This command enters a
separate IOS configuration mode. Notice that this mode is entered from the privileged exec
prompt, and not from the traditional 'config term' configuration mode.
ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#
This sets the 2900XL to VTP client mode and sets the VTP domain name to 'corp'.
Step 4.
Next, assign ports on the 4000 to their appropriate VLANs and set the VLAN names. Skip this
step if Lab 4.3.1.1 is configured.
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering
DLSwitch1> (enable) set vlan 10 2/19-24
DLSwitch1> (enable) set vlan 20 2/25-30
The other ports do not need to be configured as VLAN 1 because that is the default VLAN to
which ports are assigned.
Use the show vlan command to verify that the ports are assigned to the correct VLAN.
The 2900XL is in VTP client mode, so this VLAN information should be passed on to the
2900XL from the 4000 once the trunk is up.
Step 5.
Now cable up the trunk line. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3, (first 10/100
Ethernet port), on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch is
the 4000 switch.
Step 6.
Configure each end of the trunk link as an 802.1Q encapsulated trunk line.
DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005
This command sets port 2/3 to a dot1q trunk line that carries VLANs 1-1005. The
nonegotiate keyword tells the switch that it should not try to auto-sense what type of trunk
link this is.
ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q
The first interface command tells the switch that this switch port is a trunk link. The second
command tells the switch that the trunk uses 802.1Q tagging.
Step 7.
Now that the VLAN trunk link is configured, check to see if the VTP client (the 2900XL) has
picked up the defined VLANs.
The two switches may need a few moments to exchange VLAN information.
Use the show vlan command on the 2900XL to see if it has learned the new VLANs from the
4000.
ALSwitch#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12
10 Accounting active
20 Marketing active
30 Engineering active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - 0 - - - 0 0
1003 tr 101003 1500 - 0 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
The three VLANs that were created on the 4000 can now be seen showing up on the 2900XL.
Even though the VLANs are now configured on the 2900XL, no ports have been assigned to
those VLANs.
Step 8.
Assign ports on the 2900XL to their appropriate VLANs:
ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30
Step 9.
On the Catalyst 2900XL, examine the output of the show vtp counters and show vtp
status commands.
2. What command shows how many VTP advertisements have been transmitted and
received?
3. What command shows which mode, server or client, the switch is in?
Step 10.
On the Catalyst 4000, examine the output of the show vtp statistics and show vtp
domain commands.
4. What command shows how many VTP advertisements have been transmitted and
received?
5. What command shows which mode, server or client, the switch is in?
Step 11.
Now place two workstations in the same VLAN but on different switches. Try to ping one
another. This should be successful.
Lab 3.8.2: VTP Pruning
Diagram: DLSwitch1 (Catalyst 4000) trunked to ALSwitch (Catalyst 2900XL), with the same VLANs on both switches and a workstation on each:
Native VLAN 1, 10.1.1.0/24: DLSwitch1 ports 2/4-2/16, ALSwitch fa0/2-fa0/3
Accounting, VLAN 10, 10.1.10.0/24: DLSwitch1 ports 2/19-2/24, ALSwitch fa0/4-fa0/6
Marketing, VLAN 20, 10.1.20.0/24: DLSwitch1 ports 2/25-2/30, ALSwitch fa0/7-fa0/9
Objective:
Configure VTP pruning between a Catalyst 4000 switch and Catalyst 2900 switch.
Scenario:
A VTP trunk line has been configured between the distribution layer switch and the access layer
switch. However, there are no workstations in VLANs 10 and 20 connected to the access layer
switch. There is no reason for broadcast traffic for VLANs 10 and 20 to travel over the trunk link
and down to the access layer any more because there are no devices down there.
VTP pruning allows VTP to intelligently determine that there are no devices in a particular VLAN
at the other end of a trunk link. VTP will then temporarily prune that VLAN from the trunk. Should
a device join that VLAN in the future, the VLAN will be placed back on the trunk line.
Design:
Switch VLAN Port Assignments:
Lab Tasks:
If this is a continuation of the VTP trunk and domain lab, skip to Step 10.
Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.
Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)
Step 2.
Next, configure the 2900 switch to the diagram. The same configuration that was used in Lab
3.2.3, Catalyst 2900 Initial Setup, can be used here. If using that configuration, then skip this
step.
Switch>enable
Switch#
Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0
Step 3.
Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will
communicate information about which VLANs exist from one switch to another. If VTP did not
provide this information, the VLANs on all switches would have to be created individually.
The Catalyst 4000 defaults to being a VTP server, so server mode does not need to be enabled.
In the event that it was disabled, use the following command:
DLSwitch1> (enable) set vtp mode server
The 4000 is to act as a VTP server to provide the VLAN information to the other switches.
Once the 4000 is set up as a VTP server, the VTP domain name needs to be specified:
DLSwitch1> (enable) set vtp domain corp
This command sets the VTP domain name to 'corp'. This name must match on all other
switches that are in this VTP domain.
The Catalyst 2900XL will be configured as the VTP client. The 2900XL is to learn the
VLANs from the 4000's VTP server.
This is done through the vlan database command on the 2900XL. This command enters
a separate IOS configuration mode. Notice that this mode is entered from the
privileged exec prompt, and not from the typical global configuration mode.
ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#
This sets the 2900XL to VTP client mode and sets the VTP domain name to 'corp'.
Once the VTP protocol is configured, the VLANs can then be configured.
Step 4.
Next, assign ports on the 4000 to their appropriate VLANs and set the VLAN names.
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering
DLSwitch1> (enable) set vlan 10 2/19-24
DLSwitch1> (enable) set vlan 20 2/25-30
The other ports do not need to be configured as VLAN 1 because that is the default VLAN to
which ports are assigned.
Use the show vlan command to verify that the ports are assigned to the correct VLAN.
The 2900XL is in client VTP mode. All of this VLAN information should get passed on to the
2900XL from the 4000.
Step 5.
Now cable up the trunk line. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3, (first 10/100
Ethernet port,) on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch is
the 4000 switch.
Step 6.
Configure each end of the trunk link as an 802.1Q encapsulated trunk line.
DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005
This command sets port 2/3 to a dot1q trunk line that carries VLANs 1-1005. The
nonegotiate keyword tells the switch that it should not try to auto-sense what type of trunk link this is.
ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q
The first interface command tells the switch that this switch port is a trunk link. The second
command tells the switch that the trunk uses 802.1Q tagging.
Step 7.
Now that the VLAN trunk link is configured, check to see if the VTP client, the 2900XL, has picked
up the defined VLANs.
The two switches may need a few moments to exchange VLAN information.
Use the show vlan command on the 2900XL to see if it has learned the new VLANs from
the 4000.
ALSwitch#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12
10 Accounting active
20 Marketing active
30 Engineering active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - 0 - - - 0 0
1003 tr 101003 1500 - 0 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
The three VLANs that were created on the 4000 can be seen showing up on the 2900XL.
Even though the VLANs are now configured on the 2900XL, no ports have been assigned to
those VLANs.
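The show vlan check in Labs 3.3.1.1 and 3.3.1.2, and again in Step 7 of Lab 3.6.4 and of this lab, is done by eye. The Python module below is an added example, not part of the original labs, that performs the same two checks from captured output: that the VTP client has learned the expected VLAN IDs and names, and that each access port sits in the VLAN the design calls for. The "before" sample is the output above, re-aligned; the "after" sample is constructed to show the state expected once Step 8 has assigned the ports. The parser keeps a VLAN's wrapped port list together across continuation lines, which is where a naive line-by-line grep goes wrong. The DESIGN and EXPECTED_VLANS tables are taken from the 2900 side of the diagram.

```python
import re

# Access-port plan from the 2900 side of the lab diagram (fa0/1 is the trunk
# and never appears in the show vlan port columns).
DESIGN = {
    "Fa0/2": 1, "Fa0/3": 1,
    "Fa0/4": 10, "Fa0/5": 10, "Fa0/6": 10,
    "Fa0/7": 20, "Fa0/8": 20, "Fa0/9": 20,
    "Fa0/10": 30, "Fa0/11": 30, "Fa0/12": 30,
}
EXPECTED_VLANS = {10: "Accounting", 20: "Marketing", 30: "Engineering"}

# The lab's own output, re-aligned: VLANs learned over VTP, ports still in VLAN 1.
SHOW_VLAN_BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# Constructed sample: the state expected after Step 8 assigns the access ports.
SHOW_VLAN_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3
10   Accounting                       active    Fa0/4, Fa0/5, Fa0/6
20   Marketing                        active    Fa0/7, Fa0/8, Fa0/9
30   Engineering                      active    Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

_ROW = re.compile(r"^(\d+)\s+(.+?)\s+(active|suspended|act/lshut|sus/lshut)\s*(.*)$")


def _ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first table of
    `show vlan`. Port lists that wrap onto continuation lines stay with the
    VLAN row they belong to."""
    vlans, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("VLAN Type"):        # second table: done
            break
        if stripped.startswith("VLAN Name") or stripped.startswith("----"):
            continue
        m = _ROW.match(stripped)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif current is not None and not stripped[0].isdigit():
            vlans[current]["ports"].extend(_ports(stripped))   # wrapped ports
    return vlans


def missing_vlans(vlans, expected):
    """VLAN IDs the client should have learned over VTP but does not show
    (absent, or present under a different name)."""
    return sorted(vid for vid, name in expected.items()
                  if vid not in vlans or vlans[vid]["name"] != name)


def check_design(vlans, design):
    """Compare access-port membership with the plan; returns problem strings."""
    port_to_vlan = {p: vid for vid, v in vlans.items() for p in v["ports"]}
    problems = []
    for port, want in sorted(design.items(),
                             key=lambda kv: [int(n) for n in re.findall(r"\d+", kv[0])]):
        have = port_to_vlan.get(port)
        if have is None:
            problems.append("%s is not an access port on this switch" % port)
        elif have != want:
            problems.append("%s is in VLAN %d, design says VLAN %d" % (port, have, want))
    return problems


if __name__ == "__main__":
    for label, output in (("before step 8", SHOW_VLAN_BEFORE), ("after step 8", SHOW_VLAN_AFTER)):
        vlans = parse_show_vlan(output)
        print(label, "missing VLANs:", missing_vlans(vlans, EXPECTED_VLANS))
        for problem in check_design(vlans, DESIGN) or ["ports match the design"]:
            print("  ", problem)
```

Paste the real show vlan output into parse_show_vlan in place of the samples; a non-empty result from missing_vlans means VTP has not delivered the VLANs yet (or the domain name differs), and each line from check_design names a port that is still in the wrong VLAN.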
Step 8.
Assign ports on the 2900XL to their appropriate VLANs:
ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10
ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20
ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30
ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30
Step 9.
From the ALSwitch, attempt to ping the DLSwitch1. This ping should be successful.
ALSwitch#ping 10.1.1.250
Step 10.
Make sure that there are no devices plugged into the non-trunk ports on ALSwitch.
DLSwitch1> (enable) show trunk
Notice that all defined VLANs, 10, 20 and 30, are listed as in spanning tree forwarding state and
not pruned. However, there are no devices on ALSwitch. It would be a waste to forward
broadcast traffic for VLANs 10, 20 and 30 over the trunk if there are no hosts there to receive it.
Step 11.
Configure VTP pruning.
VTP pruning solves this problem. Pruning checks the other end of a trunk link to see if there
are any members in a VLAN. If there are not, then it ’prunes’ them from the spanning tree
forwarding state. This temporarily keeps traffic from coming down that trunk line.
On DLSwitch1:
DLSwitch1> (enable) set vtp pruning enable
Do you want to continue (y/n) [n]? y
On ALSwitch:
ALSwitch#vlan database
ALSwitch(vlan)#vtp pruning
ALSwitch(vlan)#exit
Step 12.
Verify that pruning is in process with show trunk on DLSwitch1, where the pruned VLANs drop
out of the spanning tree forwarding and not pruned list, and with show vtp status on ALSwitch,
where VTP Pruning Mode now shows Enabled:
DLSwitch1> (enable) show trunk
ALSwitch#show vtp status
Switching Resources
Modern Ethernet:
Academy Curriculum:
This link provides information about Gigabit Ethernet in your high speed
backbone. http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch2/2_3_1/index.html
This link accesses the Cisco documentation CD for the Catalyst 2950 switch. It
is documentation for the CLI software configuration guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swcli.htm
This link accesses the Cisco documentation CD for the Catalyst 2900 series
switch. It is documentation for the Cisco IOS CLI configuration and reference
guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2900/cgcr29k/admin.htm
This link accesses the Cisco documentation CD. Information is provided for the
Cisco IOS CLI for the Catalyst 2900 XL and Catalyst 3500 XL switch.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc5/scg/swcli.htm
Internet:
This link provides very detailed information about Ethernet frame over
SDH/WDM.
http://grouper.ieee.org/groups/802/3/ad_hoc/etholaps/public/docs/3151r1.pdf
This article is an informative review on 10 Gigabit Ethernet connected to Wide
Area Networks using SONET.
http://www.10gea.org/10GbE%20Interconnection%20with%20WAN_0302.pdf
This link is a white paper from Intel that provides information on the new
Ethernet. It is a discussion on new advances in Ethernet technology, and how
these trends are affecting the way to work, connect, and communicate.
http://www.intel.com/network/ethernet/ethernet_r03.pdf
This link from Cisco and Intel is an informative solution to deploying Gigabit
Ethernet over copper throughout the campus network. It also contains
information on Cisco equipment layout throughout the enterprise.
http://www.cisco.com/offer/tdm_home/pdfs/infrastructure/lan/ciscointel_sb.pdf
Switch CLI
Academy Curriculum:
This link provides a lab activity to configure a Cisco Catalyst 2900 Ethernet
switch for the first time.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/lab_3_2_3/index.html
This link provides a lab activity to regain control of a Cisco Catalyst 2900
Ethernet switch after the passwords have been lost or stolen.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/3_3_4/index.html
CCO:
This link accesses the FAQs page for Cisco Long-Reach Ethernet (LRE)
technology.
http://www.cisco.com/warp/public/794/lre_faq.html
This link provides access to a white paper on the Cisco Long-Reach Ethernet
(LRE) networking solution.
http://www.cisco.com/warp/public/146/news_cisco/ekits/Lre-wp.pdf