CCNA Certification Preparation, Session 4 of 4, April 2012
Jaskaran Kalsi & Bogdan Doinea, Assoc. Technical Managers Europe/CEE/RCIS, Cisco Networking Academy
Agenda
• NAT
• PPP
• Frame Relay
• Access Lists
• Troubleshooting
Network Address Translation (NAT)

Expected questions
Topology as drawn on the slide: LAN 192.168.101.0/24 with 50 users behind R1; 129.10.20.1/30; 209.165.200.1; NAT on R2.
Given the network topology, make the configuration on R2 that lets the 50 users on R1's LAN access the Internet.
Possible solution (PAT: all inside hosts share the address of serial 0/0/0):
R2(config)#access-list 1 permit 192.168.101.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface serial 0/0/0 overload
Notes: the translation only takes effect once R2's interface towards R1 is marked "ip nat inside" and serial 0/0/0 is marked "ip nat outside". Access-list 1 here only selects which source addresses are translated; it is not a traffic filter, and a packet whose source lies outside 192.168.101.0/24 is simply routed untranslated.
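What the overload (PAT) rule above does with the traffic, as an added Python model that is not code from the slides or from IOS: inside sources matching access-list 1 are rewritten to the outside interface address with a port that is unique per flow, replies are mapped back through the table, and anything arriving from the outside without a matching entry is dropped. The outside address 209.165.200.1, the inside range and the sample packets are assumptions made for the demonstration.

```python
"""Added example (not from the slides): a minimal model of IOS
'ip nat inside source list 1 interface s0/0/0 overload' (PAT).
Addresses and sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Assumed values: the scope of access-list 1 and the outside interface address
INSIDE_LIST_1 = ipaddress.ip_network("192.168.101.0/24")
OUTSIDE_IF_ADDR = "209.165.200.1"


@dataclass
class Pat:
    outside_addr: str
    permitted: ipaddress.IPv4Network
    # (proto, inside_ip, inside_port) -> outside_port
    table: dict = field(default_factory=dict)
    # (proto, outside_port) -> (inside_ip, inside_port)
    reverse: dict = field(default_factory=dict)
    next_port: int = 1024

    def _alloc_port(self, proto, wanted):
        """Keep the original source port when free; pick another on collision."""
        if (proto, wanted) not in self.reverse:
            return wanted
        while (proto, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: translate only if the source matches access-list 1."""
        if ipaddress.ip_address(src_ip) not in self.permitted:
            return (src_ip, src_port, dst_ip, dst_port)  # not translated, routed as-is
        key = (proto, src_ip, src_port)
        if key not in self.table:
            port = self._alloc_port(proto, src_port)
            self.table[key] = port
            self.reverse[(proto, port)] = (src_ip, src_port)
        return (self.outside_addr, self.table[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only packets matching an existing entry get through."""
        if dst_ip != self.outside_addr:
            return None
        entry = self.reverse.get((proto, dst_port))
        if entry is None:
            return None  # no translation entry: the packet is dropped
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """Constructed traffic: two LAN users, a reply, an unsolicited probe, a host outside the ACL."""
    pat = Pat(OUTSIDE_IF_ADDR, INSIDE_LIST_1)
    # Two LAN users happen to pick the same source port 40000
    a = pat.outbound("tcp", "192.168.101.10", 40000, "198.51.100.5", 80)
    b = pat.outbound("tcp", "192.168.101.11", 40000, "198.51.100.5", 80)
    # The reply to user B comes back to the outside address and the port PAT chose
    reply = pat.inbound("tcp", "198.51.100.5", 80, OUTSIDE_IF_ADDR, b[1])
    # An unsolicited probe from the Internet has no table entry and is dropped
    probe = pat.inbound("tcp", "203.0.113.9", 5555, OUTSIDE_IF_ADDR, 22)
    # A source outside access-list 1 is left untranslated
    other = pat.outbound("tcp", "10.0.0.7", 40000, "198.51.100.5", 80)
    return a, b, reply, probe, other


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

Note that the drop of the unsolicited probe is a side effect of the translation table, not a security control: once an inside host opens a flow, the reverse mapping admits anything sent to that outside port for as long as the entry lives, so NAT does not replace an inbound ACL.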
WAN connection
• WAN connections are often leased lines (HDLC or PPP), Frame Relay or ATM; all of these encapsulations work at OSI Layer 2.
• Instead of MAC addresses they have their own Layer 2 addressing (Frame Relay DLCIs, ATM VPI/VCI, etc.).
Leased line connections
• HDLC (High-level Data Link Control)
• Cisco's variant is proprietary (and the default encapsulation on Cisco serial interfaces)
• Low overhead
• No authentication
• PPP (Point-to-Point Protocol)
• Open standard, interoperable between vendors
• Moderate overhead
• Features: authentication, compression, etc.
Configuring & verifying PPP
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router#show interfaces serial 0/0
Look for "LCP Open" in the output, followed by the list of open NCPs (e.g. IPCP, CDPCP).
• LCP (Link Control Protocol) negotiates and handles all the features, services and service messages of PPP (link establishment, authentication, termination)
• The Network Control Protocol (NCP) family carries each Layer 3 protocol over the link:
• IPCP (IP Control Protocol) allows IP to work over PPP
• CDPCP (CDP Control Protocol) allows Cisco Discovery Protocol to work over PPP
Authentication
• PPP can use the PAP or CHAP authentication method
• PAP (Password Authentication Protocol): the peer sends its username and password in cleartext in the Authenticate-Request, so anyone capturing the link reads the password directly; use it only where the peer supports nothing better
• CHAP (Challenge Handshake Authentication Protocol): the authenticator sends a random challenge, the peer answers with an MD5 hash of (identifier, shared secret, challenge), and the secret itself never crosses the wire; replaying a captured answer does not work because the next challenge is different
• Caveat: a hash is not encryption. A captured challenge/response pair can still be attacked offline by guessing the secret and recomputing the MD5, so the strength of CHAP is the strength of the shared secret; choose a long, non-dictionary one
Configuring PAP
SantaCruz:
hostname SantaCruz
username HQ password HQpass
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username SantaCruz password SantaCruzpass

HQ:
hostname HQ
username SantaCruz password SantaCruzpass
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username HQ password HQpass
Notes: the sent-username and password on one side must match the username and password configured on the remote side. Passwords are case-sensitive, usernames are not. Hostnames are not involved.
Configuring CHAP
SantaCruz:
hostname SantaCruz
username HQ password boardwalk
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname SantaCruz (optional)

HQ:
hostname HQ
username SantaCruz password boardwalk
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname HQ (optional)
Notes: the name each router sends is its hostname unless ppp chap hostname overrides it, and it must match the remote router's username entry (not case-sensitive). The password (the shared secret) is case-sensitive and must be identical on both sides. CHAP needs the secret in recoverable form on the router, so it is configured with "username ... password" (stored as type 0, or as the trivially reversible type 7 once service password-encryption is on), never with "username ... secret"; treat the running-config as sensitive accordingly.
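The CHAP exchange that the configuration above produces, as an added Python example (not code from the slides or from IOS): the RFC 1994 response value computed with hashlib, next to what PAP puts on the wire, and the offline guess an eavesdropper can still make against a captured exchange. The router names and the secret "boardwalk" are taken from the slide; the challenge bytes, the identifier and the word list are constructed for the demonstration.

```python
"""Added example (not from the slides): the PPP CHAP three-way handshake of
RFC 1994 next to the PAP Authenticate-Request. Names and secret come from the
CHAP slide; challenge, identifier and word list are constructed."""
import hashlib
import os

# Assumed: the authenticator's 'username <peer> password <secret>' entries
SECRETS = {"HQ": b"boardwalk", "SantaCruz": b"boardwalk"}


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: peer-id and password in cleartext
    (one length byte in front of each field)."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_handshake(authenticator: str, peer: str, peer_secret: bytes, challenge: bytes = None):
    """One CHAP exchange. The peer proves it knows the secret without sending
    it; the authenticator recomputes with the secret stored under the peer's
    name. Returns (success, challenge, response)."""
    if challenge is None:
        challenge = os.urandom(16)  # 1. Challenge: fresh random value, identifier, authenticator name
    identifier = 1
    # 2. Response: peer -> authenticator (identifier, MD5 value, peer name)
    response = chap_response_value(identifier, peer_secret, challenge)
    # 3. Success/Failure: authenticator looks up 'username <peer>' and compares
    stored = SECRETS.get(peer)
    if stored is None:
        return (False, challenge, response)
    expected = chap_response_value(identifier, stored, challenge)
    return (response == expected, challenge, response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What an eavesdropper can do with a captured exchange: the secret never
    crossed the wire, but identifier and challenge did, and MD5 is fast."""
    for candidate in wordlist:
        if chap_response_value(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request("HQ", "HQpass"))
    ok, chal, resp = chap_handshake("HQ", "SantaCruz", b"boardwalk")
    print("CHAP success:", ok, "response:", resp.hex())
    print("guessed secret:", offline_dictionary_attack(1, chal, resp, [b"cisco", b"boardwalk"]))
```

The dictionary function is the reason the slide's "hashed passwords cannot be decrypted" needs the caveat: nothing is decrypted, but a weak secret is recovered all the same.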
Verifying PPP authentication
Router#debug ppp authentication
Then re-enable the interface (shutdown / no shutdown) so that the LCP and authentication exchange is repeated and shows up in the debug output. Switch the debug off with undebug all afterwards.
Possible problems with PPP
• Layer 1: cable problems result in "Serial0/0/0 is down, line protocol is down"
• Layer 2: a clock rate, encapsulation or authentication mismatch results in "Serial0/0/0 is up, line protocol is down" (debug ppp negotiation / debug ppp authentication shows which)
• Layer 3: "Serial0/0/0 is up, line protocol is up" and it still does not work? PPP is not involved here. Check IP addressing!
Expected Questions Which of the following are key characteristics of PPP (choose two)? • PPP can work with several routed protocols • PPP provides error correction and compression • PPP supports only IP • PPP works on Layer 3 OSI model
Expected questions
Which PPP sub-protocol is responsible for establishing and terminating the connection?
• NCP
• IPCP
• CDP
• LCP
• DLCI
• VPI/VCI
Expected questions
The PPP link between RTA and RTB seems to be down. What could be the problem?
• Incorrect IP addressing
• Wrong type of cable
• Incorrect encapsulation on Layer 2
• Link reliability is too poor
Frame Relay basics
• Packet switched: X.25 => Frame Relay => ATM => MPLS
• Can be more flexible than leased lines: bandwidth may vary
• Point-to-point or multipoint
Frame Relay terminology
• CIR (Committed Information Rate): the minimum bandwidth the provider guarantees for a PVC
• LAR (Local Access Rate): the speed of the local physical link, i.e. the maximum bandwidth (like 100 Mb/s for FastEthernet)
• LMI (Local Management Interface): the "language" spoken between the provider's switch and your router to manage the service parameters of the connection (PVC status, statistics, etc.); both ends must use the same LMI type
• DLCI (Data Link Connection Identifier): Frame Relay's Layer 2 address, the analog of a MAC address
• PVC (Permanent Virtual Circuit): your dedicated virtual link, the path through the cloud
• One serial link can carry many PVCs, each with its own agreed CIR and DLCI; you can add PVCs as long as the sum of their bandwidth fits the LAR
Frame Relay congestion management mechanisms
• FECN (Forward Explicit Congestion Notification): bit set by the switch in frames travelling in the same direction as the congestion, so the receiving end learns that the path towards it is congested
• BECN (Backward Explicit Congestion Notification): bit set in frames travelling the opposite way, back towards the sender, telling it to slow down
• DE (Discard Eligibility): flag set on "less important" frames (typically traffic sent above the CIR) that the switches may drop first in case of congestion
How FR works
• In FR, DLCIs are used instead of MAC addresses
• DLCIs are locally significant: the same PVC has a different DLCI number at each end
• You only know your local (own) DLCI; you never know the "destination" DLCI
• The PVC is your path through the FR cloud; how it is set up inside the cloud is the provider's responsibility, not yours
• You only need to care about your own DLCI, and about the mapping from the remote IP address to it (static frame-relay map or Inverse ARP)
FR P2P and multipoint
• Multipoint is similar to shared Ethernet, but the cloud is NBMA (non-broadcast multi-access), so issues such as split horizon can appear
• P2P is similar to inter-VLAN routing: each subinterface has its own IP network
Multipoint configuration: multipoint subinterface at the hub and point-to-point subinterfaces at the spokes
Notes
• Highly scalable solution
• Disable split horizon on the hub router when running a distance vector routing protocol (otherwise routes learned from one spoke are never advertised to the other spoke on the same interface)
interface Serial0 (for all routers)
 encapsulation frame-relay
 no ip address
HubCity
interface Serial0.1 multipoint
 ip address 172.16.3.3 255.255.255.0
 frame-relay interface-dlci 301
 frame-relay interface-dlci 302
 no ip split-horizon
Spokane
interface Serial0.1 point-to-point
 ip address 172.16.3.1 255.255.255.0
 frame-relay interface-dlci 103
Spokomo
interface Serial0.1 point-to-point
 ip address 172.16.3.2 255.255.255.0
 frame-relay interface-dlci 203
One subnet (172.16.3.0/24) shared by the hub and both spokes
Point-to-point configuration: point-to-point subinterfaces at the hub and the spokes
• Each subinterface on the hub router requires a separate subnet (or network)
• Each subinterface on the hub router is treated like a regular physical point-to-point interface, so split horizon does not need to be disabled
interface Serial0 (for all routers)
 encapsulation frame-relay
 no ip address
HubCity
interface Serial0.1 point-to-point
 ip address 172.16.1.1 255.255.255.0
 frame-relay interface-dlci 301
interface Serial0.2 point-to-point
 ip address 172.16.2.1 255.255.255.0
 frame-relay interface-dlci 302
Spokane
interface Serial0.1 point-to-point
 ip address 172.16.1.2 255.255.255.0
 frame-relay interface-dlci 103
Spokomo
interface Serial0.1 point-to-point
 ip address 172.16.2.2 255.255.255.0
 frame-relay interface-dlci 203
Two subnets (172.16.1.0/24 and 172.16.2.0/24). The encapsulation is set once on the physical Serial0 and inherited by the subinterfaces.
Final notes
With a multipoint subinterface you:
• can have multiple DLCIs assigned to it
• can use frame-relay map and frame-relay interface-dlci statements
• can use Inverse ARP
Remember, with point-to-point subinterfaces you:
• cannot have multiple DLCIs associated with a single point-to-point subinterface
• cannot use frame-relay map statements
• cannot use Inverse ARP
(frame-relay interface-dlci can be used for both point-to-point and multipoint)
Expected Questions What are three Frame Relay congestion management mechanisms? (Choose three.) • BECN • DLCI • DE • FECN • LMI • Inverse ARP
Expected questions
Router#show frame-relay map
Serial0/0/0 (up): ip 10.0.0.2 dlci 102, dynamic, broadcast, CISCO, status defined, active
Based on this output from a router connected to a FR cloud, what does the "dynamic" keyword mean?
• DLCI 102 has been dynamically allocated by the ISP
• Interface S0/0/0 was dynamically configured with the help of DLCI 102
• IP address 10.0.0.2 is configured via DHCP
• The remote IP address 10.0.0.2 was mapped to the local DLCI 102 dynamically via Inverse ARP
Expected questions
What are the three possible LMI types? (Choose three.)
• PAgP
• IETF
• CDPCP
• Cisco
• ANSI
• inARP
• Q.933A
Expected questions
Why is this FR network failing?
• Split horizon must be disabled.
• The LMI type must be specified.
• Logical subinterfaces must be used instead.
• The frame-relay map commands are using incorrect DLCIs.
What are ACLs for?
• ACLs identify traffic: permitting, denying, enabling or disabling something.
• Not just a traffic filter or firewall. They are also used in: traffic control, access control (e.g. who may reach the vty lines), NAT, Quality of Service, demand dial routing, route filtering, and more
• ACLs are read from TOP to BOTTOM and processing STOPS at the FIRST match, so the order of the statements matters
• There is an invisible implicit "deny any" at the end: a list containing only deny statements drops everything
• Applied to an interface inbound or outbound, where the direction is seen from the router's point of view
ACL types
• STANDARD: matches on source address only; numbers 1-99 (and 1300-1999); applied to the interface closest to the destination, because it cannot tell destinations apart
• EXTENDED: matches on source and destination address, protocol and port number; numbers 100-199 (and 2000-2699); applied to the interface closest to the source, so unwanted traffic is dropped before it crosses the network
• REFLEXIVE: allows return traffic for sessions started from the inside (like matching on "established", but tracked per session)
Wildcard mask
• A network (subnet) mask tells where the network portion of an IP address ends and the host portion begins: 1 bits = network portion, 0 bits = host portion
• A wildcard mask is a tool for filtering IP address bits: it says which bits of the address have to go through the "security control"
• Wildcard bit 0 = check this bit (it must equal the reference address); wildcard bit 1 = don't care
One more example
• Wildcard mask 0.0.1.128 (binary 00000000.00000000.00000001.10000000)
• Requires the first 23 and the last 7 bits of the IP address to be checked; the two 1 bits (value 1 in the third octet, value 128 in the fourth) are don't care
• Given the reference IP 192.168.2.38, the matching addresses are:
• 192.168.2.38 - ok
• 192.168.2.166 - ok (38 + 128)
• 192.168.3.38 - ok (2 + 1)
• 192.168.3.166 - ok
• All others will not match! Unlike subnet masks, wildcard masks need not be contiguous.
Easy way to calculate a wildcard mask
Example: 172.16.32.0 255.255.240.0
RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255
We can calculate the wildcard mask by subtracting the subnet mask from 255.255.255.255:
  255 . 255 . 255 . 255
- 255 . 255 . 240 .   0   (subnet mask)
-----------------------
    0 .   0 .  15 . 255   (wildcard mask)
Remember:
• For a contiguous network the wildcard mask is always the inverse of the subnet mask, but NOT every wildcard mask is the inverse of a subnet mask (see 0.0.1.128 above).
• If not sure, think in binary! ...Twice!
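The slide's arithmetic carried out in code, as an added Python example that is not part of the deck: subnet-mask to wildcard conversion, the wildcard for a block given as first and last address, and the bitwise match rule, which also handles the non-contiguous wildcard 0.0.1.128 from the previous slide. All addresses reuse the slide examples; the function names are mine.

```python
"""Added example (not from the slides): wildcard-mask arithmetic.
Addresses are the ones used on the slides; nothing here is IOS output."""
import ipaddress


def wildcard_from_subnet_mask(mask: str) -> str:
    """Octet-wise 255 minus the mask, i.e. the bitwise complement of a
    contiguous subnet mask (the method shown on the slide)."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def wildcard_for_range(first: str, last: str):
    """Network and wildcard for an address block given as first/last address.
    Only a single aligned power-of-two block fits one ACL line; otherwise
    None is returned and several lines would be needed."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        return None
    net = nets[0]
    return str(net.network_address), wildcard_from_subnet_mask(str(net.netmask))


def matches(address: str, reference: str, wildcard: str) -> bool:
    """ACL match rule: every bit that is 0 in the wildcard must be equal in
    the candidate and the reference; 1 bits are 'don't care'. Works for
    non-contiguous wildcards such as 0.0.1.128 as well."""
    a = int(ipaddress.ip_address(address))
    r = int(ipaddress.ip_address(reference))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (r & ~w)


def checked_bits(wildcard: str) -> int:
    """Number of address bits an entry actually compares (32 minus the 1 bits)."""
    return 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.240.0"))           # slide example
    print(wildcard_for_range("172.16.8.0", "172.16.15.255"))    # one line suffices
    print(wildcard_for_range("172.16.8.0", "172.16.14.255"))    # not a single block
    for host in ("192.168.2.38", "192.168.3.166", "192.168.2.39"):
        print(host, matches(host, "192.168.2.38", "0.0.1.128"))
```

The range helper is the check to run before writing an exam-style answer: a block whose size is not a power of two, or that does not start on a multiple of its size, cannot be expressed with one reference address and one wildcard.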
Configuring ACLs Standard ACL Extended ACL Named ACL
Expected questions
A network administrator would like to permit Internet access only for hosts that are assigned an address in the range 172.16.8.0 - 172.16.15.255. Which wildcard mask should be used?
• 0.0.0.255
• 0.0.255.255
• 0.0.3.255
• 255.255.248.0
• 0.0.7.255
Expected questions
There is a need to restrict telnet access to R2's LAN for all R1's LAN users. Which ACL can be used in this case and where should it be applied?
• R1(config)#access-list 101 deny tcp 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in
• R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in
• R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in
• R2(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R2(config)#access-list 101 permit ip any any
R2(config)#interface fa 0/0
R2(config-if)#ip access-group 101 in
Expected questions
The access list below was applied to the e0/0 interface, which connects to the 192.168.1.16/29 LAN, in the outbound direction:
access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any
access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any
What is the effect of this ACL?
• FTP traffic from 192.168.1.38 will be denied
• FTP traffic from 192.168.1.28 to any host will be denied
• no traffic except FTP will be allowed to exit e0/0
• All traffic exiting e0/0 will be denied
• All FTP traffic to network 192.168.1.16/20 will be denied
Comment: this ACL denies all traffic, because of the implicit "deny any" after the last statement. To avoid that, the statement "access-list 129 permit ip any any" should have been added below the two deny lines.
Troubleshooting essentials
• Use a consistent approach
• Bottom-up approach following the OSI model
• Check all LEDs on your hardware
• Use the host's command-line utilities: ipconfig, ping, tracert (traceroute on Unix-like hosts)
• Remember the possible SHOW commands
• CDP can help, do not forget about it!
• Be confident with DEBUG commands and what their output represents
• Be very careful when subnetting, think twice!
Common troubleshooting commands
General
• sh running-config
Layer 1
• sh ip interface brief
• sh interfaces
Layer 2
• sh cdp neighbors detail
• sh frame-relay ?
• debug ppp ?
L2 switching
• Sw#sh mac-address-table
• Sw#sh vlan brief
• Sw#sh spanning-tree
• Sw#sh vtp status
• Sw#sh interfaces [trunk | switchport]
Layer 3
• sh ip route
• sh ip protocols
• sh ip interface
• sh ip [routing protocol name, e.g. ospf] ?
• sh ip nat ?
• sh access-lists
• sh ip dhcp ?
Using debug commands
• debug ip rip shows every RIP update sent and received, so you can see whether a neighbour's routes arrive and with which metric
• Debugging costs CPU on the router: enable only the specific debug you need, and turn it off with undebug all when done
Summary
• PPP: understanding PPP, PPP authentication, PPP configuration
• Frame Relay: understanding Frame Relay and its terminology, Frame Relay topologies, point-to-point and multipoint Frame Relay
• Access lists: what ACLs are, understanding and calculating wildcard masks, configuring ACLs
• Troubleshooting: frequently used commands