
TRAINING ON NETWORK

PREPARED BY: Vishal Bedi

confidential

AGENDA OF THE TRAINING

- BASICS OF NETWORKING
- DATA NETWORKING ELEMENTS
- ETHERNET AND IP BASICS
- INTRODUCTION TO DATA SERVICES
- RELIANCE METRO ETHERNET ARCHITECTURE
- DATA SERVICES OFFERED BY RIC

What is a Network?

A network is a group of computers that are connected by communication facilities for exchanging information. Connections can be permanent (by cable) or temporary (through telephone or other communication links). The transmission media can be wireline (UTP, fibre, etc.) or wireless (satellite). Networks may be classified according to a wide variety of characteristics. Networks are often classified as Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), Personal Area Network (PAN), Virtual Private Network (VPN), Campus Area Network (CAN), Storage Area Network (SAN), etc. depending on their scale, scope and purpose. Usage, trust levels and access rights often differ between these types of network. For example, LANs tend to be designed for internal use by an organization's internal systems and employees in individual physical locations (such as within a building, or a cluster of buildings). Nodes are connected through cable, which may be either twisted pair or coaxial cable. WANs, by contrast, may connect physically separate parts of an organization to each other and may include connections to third parties. Data is transmitted over common pathways called a backbone. A WAN is made up of LANs linked by dial-up connections (phone or ISDN), leased lines, fibre, microwave towers and communication satellites. A MAN has a broader scope than a LAN; a MAN covers an entire city.

Examples of networking devices: LAN card, hub, switch (L2 & L3), router, etc.

Network Interface Card


A network interface card (NIC) is a printed circuit board that provides network communication capabilities to and from a personal computer. Also called a LAN adapter.


DATA NETWORKING ELEMENTS


LAYER 1: Repeater

Cleans up (regenerates) and repeats the signal.

Used when a network's cabling extends beyond its capability.

Hub
Connects a group of Hosts


Advantages/Disadvantages of Repeaters and Hubs

Advantages
- Extend total network distance
- Do not seriously impact network performance
- May connect networks using different physical media

Disadvantages
- Cannot connect different network architectures
- Do not reduce network traffic
- Limited number
- Do not segment networks

LAN Device Symbols: Layer 2

Bridge

Switch

LAYER 2: Bridge

Connects two LAN segments.

Keeps traffic local by filtering traffic based on MAC Addresses.



Advantages/Disadvantages of Bridges

Advantages
- Can extend the network
- Reduce network traffic
- Reduce network collisions
- May connect different network architectures

Disadvantages
- Extra processing makes them slower than repeaters
- Do not filter broadcast traffic
- More expensive than repeaters

LAYER 2: Switch

Connects multiple LAN segments. Can be called a multi-port bridge. Switches packets to the correct LAN segment based on the MAC address.

Advantages/Disadvantages of Switches

Advantages
- Increase available network bandwidth
- Increase network performance
- Decrease packet collisions

Disadvantages
- Significantly more expensive than bridges
- Harder to troubleshoot network problems
- Broadcast traffic can be difficult to manage

Router
- Routers are used to connect networks together
- Route packets of data from one network to another
- Cisco became the de facto standard of routers because of their high-quality router products
- Routers, by default, break up a broadcast domain

The Network Topology

Topology refers to the physical layout, including computers, cables and other resources. Topology can be physical or logical. Physical topology refers to the arrangement of cabling; logical (software) topology refers to how data travels between the nodes. Today's network designs are mainly based on three topologies: Bus, Star and Ring.

Bus Topology
A bus topology uses a single backbone cable that is terminated at both ends.

All the hosts connect directly to this backbone.


Ring Topology
A ring topology connects one host to the next and the last host to the first.
This creates a physical ring of cable.


Star Topology
A star topology connects all cables to a central point of concentration.


Star Topology
An extended star topology links individual stars together by connecting the hubs and/or switches. This topology can extend the scope and coverage of the network.

MESH TOPOLOGY
A mesh topology is implemented to provide as much protection as possible from interruption of service. Each host has its own connections to all other hosts. Although the Internet has multiple paths to any one location, it does not adopt the full mesh topology.


OVERVIEW
- THE NEED FOR STANDARDS
- ISO - ORGANISATION FOR STANDARDISATION
- THE OSI REFERENCE MODEL
- A LAYERED NETWORK MODEL
- THE SEVEN OSI REFERENCE MODEL LAYERS
- SUMMARY

THE NEED FOR STANDARDS


Over the past couple of decades many of the networks that were built used different hardware and software implementations; as a result they were incompatible, and it became difficult for networks using different specifications to communicate with each other.
To address the problem of networks being incompatible and unable to communicate with each other, the International Organisation for Standardisation (ISO) researched various network schemes.

The ISO recognised there was a need to create a NETWORK MODEL that would help vendors create interoperable network implementations.


ISO - ORGANISATION FOR STANDARDISATION


The International Organisation for Standardisation (ISO) is an International standards organisation responsible for a wide range of standards, including many that are relevant to networking. In 1984 in order to aid network interconnection without necessarily requiring complete redesign, the Open Systems Interconnection (OSI) reference model was approved as an international standard for communications architecture.


THE OSI REFERENCE MODEL


The model was developed by the International Organisation for Standardisation (ISO) in 1984. It is now considered the primary Architectural model for inter-computer communications. The Open Systems Interconnection (OSI) reference model is a descriptive network scheme. It ensures greater compatibility and interoperability between various types of network technologies.

The OSI model describes how information or data makes its way from application programmes (such as spreadsheets) through a network medium (such as wire) to another application programme located on another network.

THE OSI REFERENCE MODEL


The OSI reference model divides the problem of moving information between computers over a network medium into SEVEN smaller and more manageable problems. This separation into smaller, more manageable functions is known as layering.

A LAYERED NETWORK MODEL


The OSI Reference Model is composed of seven layers, each specifying particular network functions. The process of breaking up the functions or tasks of networking into layers reduces complexity. Each layer provides a service to the layer above it in the protocol specification. Each layer communicates with the same layer's software or hardware on other computers.

A LAYERED NETWORK MODEL


The lower four layers (transport, network, data link and physical: layers 4, 3, 2 and 1) are concerned with the flow of data from end to end through the network. The upper three layers of the OSI model (application, presentation and session: layers 7, 6 and 5) are orientated more toward services to the applications. Data is encapsulated with the necessary protocol information as it moves down the layers before network transit.

THE SEVEN OSI REFERENCE MODEL LAYERS


LAYER 7: APPLICATION
The application layer is the OSI layer that is closest to the user. It provides network services to the user's applications. It differs from the other layers in that it does not provide services to any other OSI layer, but rather, only to applications outside the OSI model. Examples of such applications are spreadsheet programs, word processing programs, and bank terminal programs.

The application layer establishes the availability of intended communication partners, synchronizes and establishes agreement on procedures for error recovery and control of data integrity.

LAYER 6: PRESENTATION

The presentation layer ensures that the information that the application layer of one system sends out is readable by the application layer of another system. If necessary, the presentation layer translates between multiple data formats by using a common format. Provides encryption and compression of data.

Examples :- JPEG, MPEG, ASCII, EBCDIC, HTML.


LAYER 5: SESSION
The session layer defines how to start, control and end conversations (called sessions) between applications. This includes the control and management of multiple bidirectional messages using dialogue control. It also synchronizes dialogue between two hosts' presentation layers and manages their data exchange. The session layer offers provisions for efficient data transfer. Examples :- SQL, ASP(AppleTalk Session Protocol).


LAYER 4: TRANSPORT
The transport layer regulates information flow to ensure end-to-end connectivity between host applications reliably and accurately. The transport layer segments data from the sending host's system and reassembles the data into a data stream on the receiving host's system.


LAYER 4: TRANSPORT
The boundary between the transport layer and the session layer can be thought of as the boundary between application protocols and data-flow protocols. Whereas the application, presentation, and session layers are concerned with application issues, the lower four layers are concerned with data transport issues. Layer 4 protocols include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).


LAYER 3: NETWORK
Defines end-to-end delivery of packets. Defines logical addressing so that any endpoint can be identified. Defines how routing works and how routes are learned so that the packets can be delivered. The network layer also defines how to fragment a packet into smaller packets to accommodate different media. Routers operate at Layer 3. Examples :- IP, IPX, AppleTalk.

LAYER 2: DATA LINK


The data link layer provides access to the networking media and physical transmission across the media and this enables the data to locate its intended destination on a network. The data link layer provides reliable transit of data across a physical link by using the Media Access Control (MAC) addresses. The data link layer uses the MAC address to define a hardware or data link address in order for multiple stations to share the same medium and still uniquely identify each other.


LAYER 2: DATA LINK


Concerned with network topology, network access, error notification, ordered delivery of frames, and flow control. Examples :- Ethernet, Frame Relay, FDDI.


LAYER 1: PHYSICAL
The physical layer deals with the physical characteristics of the transmission medium. It defines the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and deactivating the physical link between end systems. Such characteristics as voltage levels, timing of voltage changes, physical data rates, maximum transmission distances, physical connectors, and other similar attributes are defined by physical layer specifications. Examples :- EIA/TIA-232, RJ45, NRZ.


SUMMARY
There was no standard for networks in the early days and as a result it was difficult for networks to communicate with each other. The International Organisation for Standardisation (ISO) recognised this and researched various network schemes, and in 1984 introduced the Open Systems Interconnection (OSI) reference model. The OSI reference model has standards which ensure vendors greater compatibility and interoperability between various types of network technologies.

SUMMARY
The OSI reference model organizes network functions into seven numbered layers.

Each layer provides a service to the layer above it in the protocol specification and communicates with the same layer's software or hardware on other computers.
Layers 1-4 are concerned with the flow of data from end to end through the network and Layers 5-7 are concerned with services to the applications.

ETHERNET AND IP BASICS


Local Area Network

- A set of nodes that can communicate directly with each other
- Ethernet, 802.11 Wireless, X.25, AppleTalk, etc.
- Ethernet is currently the overwhelming winner for LANs
- Shared medium protocol: everyone hears all messages

Ethernet Messages

Frame layout, with field sizes in bytes:

Preamble (8) | Dest. (6) | Source (6) | Type (2) | Data (64-1500) | CRC (4)

Note: Ethernet messages are called frames

Ethernet Frames
A few points to note about the Ethernet frame:
a) Preamble indicates the start of a new frame
b) Source and Destination are the MAC (hardware) addresses
c) Type field indicates the type of frame being carried on the wire
d) Data field is the area where the actual payload is carried
e) CRC field is used for error checking

Ethernet Addressing
MAC Address (Medium Access Control)
- 48 bit address
- Uniquely associated with hardware
- Special address for broadcast
Naming
- Need to associate machine name with address
- Address Resolution Protocol (ARP): used to find out who is who

ARP
Basic process:
1. Machine A wants to send a message to Machine B.
2. Machine A sends an ARP request to the broadcast address asking Machine B to identify itself.
3. Machine B responds with its MAC address.
4. Machine A uses the MAC address and remembers the association for later messages.

Ethernet: CSMA/CD
Carrier sense, multiple access / collision detect
- Multiple access: everyone talks on the same wire
- Carrier sense: listen to the wire before talking
- Collision detect: make sure that the message is sent without interruptions
CSMA/CD is called a MAC protocol: a set of rules for how to send messages on a shared medium.

More about collisions

What does this mean? Messages have to have a minimum length. The length must be long enough that the entire wire is filled before the message is over. The length of the wire is limited.

Type of Cable Media

Coaxial
- Thinnet (10Base2): 10 Mbps bandwidth, baseband technology, up to 185 m
- Thicknet (10Base5): 10 Mbps bandwidth, baseband technology, up to 500 m

Twisted Pair
- STP (shielded TP): 2 pair (voice), 4 pair (data & voice)
- UTP (unshielded TP): 2 pair (voice), 4 pair (computer)

Fibre Optic
- Single mode: only one light signal passes through the cable
- Multi mode: multiple light signals pass through the cable

Twisted Pair Cables

Unshielded Twisted Pair Cable (UTP): most popular, maximum length 100 m, prone to noise

Category 1: Voice transmission of traditional telephone
Category 2: For data up to 4 Mbps, 4 pairs half-duplex
Category 3: For data up to 10 Mbps, 4 pairs half-duplex
Category 4: For data up to 20 Mbps, 4 pairs full-duplex
Category 5: For data up to 100 Mbps, 4 pairs full-duplex
Category 6: For data up to 1000 Mbps, 4 pairs full-duplex

Communication Modes

Simplex

One way Communication e.g. Microphone

Half Duplex

Two way Communication but, one way at a time e.g. Walkie-Talkie

Full Duplex

Two way Communication both way at a time e.g. Telephone


Type of Transmission

- Unicast
- Multicast
- Broadcast

Straight-Thru or Crossover

Use straight-through cables for the following cabling:
- Switch to router
- Switch to PC or server
- Hub to PC or server

Use crossover cables for the following cabling:
- Switch to switch
- Switch to hub
- Hub to hub
- Router to router
- PC to PC
- Router to PC

IP
Internet Protocol (IP)
- Developed to provide internetworking
- Built on top of LAN protocol
- Two major components: Messaging; Addressing and Routing

IP Service Model
- Network protocol independent
- Best-effort
- Stateless routing
- Decentralized control

IP Classification

Class | MSB of 1st octet | Decimal range | Network vs. Host | No. of networks | No. of hosts | Default subnet mask (DSM) | Usage
A | 0 | 1 to 126 | N.H.H.H | 2^(8-1) = 2^7 = 128 - 2 = 126 | 2^24 = 16777216 - 2 = 16777214 | 255.0.0.0 | Huge / Large Organization
B | 10 | 128 to 191 | N.N.H.H | 2^(16-2) = 2^14 = 16384 | 2^16 = 65536 - 2 = 65534 | 255.255.0.0 | Medium Scale Org.
C | 110 | 191 to 223 | N.N.N.H | 2^(24-3) = 2^21 = 2097152 | 2^8 = 256 - 2 = 254 | 255.255.255.0 | SOHO / ROHO
D | 1110 | 224 to 239 | n.a | n.a | n.a | n.a | Multicasting
E | 1111 | 240 to 254 | n.a | n.a | n.a | n.a | Exp. N/W and research

Subnetting

Dividing a single IP network into administrative networks is called subnetting. To create a subnet, host bits are borrowed into the network part. Creating a subnet divides the network address into three parts:

- Default network part
- Subnetwork part
- Host part
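
The classful table and the subnetting rule above, worked in Python as an added example (not part of the training material). The helper names ip_class, classful_summary and subnet are my own, and the addresses used are constructed samples.

```python
# Added example (not from the training deck): classful IP analysis and subnetting
# arithmetic following the class table (MSB of the first octet decides the class)
# and the "borrow host bits" rule. Standard library only; inputs are constructed.
import ipaddress

# default prefix length, default subnet mask and network/host layout per class
CLASS_INFO = {
    "A": (8, "255.0.0.0", "N.H.H.H"),
    "B": (16, "255.255.0.0", "N.N.H.H"),
    "C": (24, "255.255.255.0", "N.N.N.H"),
}


def ip_class(address):
    """Class from the most significant bits of the first octet:
    0 -> A, 10 -> B, 110 -> C, 1110 -> D (multicast), 1111 -> E (experimental)."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first & 0x80 == 0x00:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def classful_summary(address):
    """Default mask, classful network and usable host count for an address."""
    cls = ip_class(address)
    if cls not in CLASS_INFO:               # D and E carry no host addresses
        return {"class": cls, "default_mask": None, "layout": "n.a", "usable_hosts": 0}
    prefix, mask, layout = CLASS_INFO[cls]
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    return {
        "class": cls,
        "default_mask": mask,
        "layout": layout,
        "network": str(net.network_address),
        # the all-zeros (network) and all-ones (broadcast) addresses are not
        # assignable to hosts, which is the "-2" in the slide's table
        "usable_hosts": net.num_addresses - 2,
    }


def subnet(network, borrowed_bits):
    """Borrow host bits into the network part: returns [(subnet, usable hosts), ...]."""
    base = ipaddress.IPv4Network(network)
    new_prefix = base.prefixlen + borrowed_bits
    if new_prefix > 30:
        raise ValueError("too many bits borrowed: no usable host addresses left")
    return [(str(s), s.num_addresses - 2) for s in base.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for addr in ("10.3.0.0", "172.16.10.1", "192.168.1.1", "224.0.0.9"):
        print(addr, classful_summary(addr))
    # the slide's class C network split by borrowing 2 host bits -> four /26 subnets
    for net, hosts in subnet("192.168.1.0/24", 2):
        print(net, "usable hosts:", hosts)
```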

Larger Address Space

IPv4
- 32 bits or 4 bytes long
- ~= 4,200,000,000 possible addressable nodes

IPv6
- 128 bits or 16 bytes: four times the bits of IPv4
- ~= 3.4 * 10^38 possible addressable nodes
- ~= 340,282,366,920,938,463,374,607,432,768,211,456
- ~= 5 * 10^28 addresses per person

IP Messaging

Variable Header | Data

What's in the header:
- Source and Destination IP Addresses
- Length of data
- Time to live (TTL)
- Other stuff

IP Routing Basics
What is a router? One machine connected to two or more networks.
IP routing is done hop-by-hop:
- Each network has at least one router.
- Messages intended for machines not on the LAN are sent to the router.
- The router forwards the message on to the next router.
- Eventually it gets to the router that is connected to the same LAN as the destination machine.

Introduction to Routers
A router is a special type of computer. It has the same basic components as a standard desktop PC. However, routers are designed to perform some very specific functions. Just as computers need operating systems to run software applications, routers need the Internetwork Operating System software (IOS) to run configuration files. These configuration files contain the instructions and parameters that control the flow of traffic in and out of the routers. The many parts of a router are shown below:


Router Power-On/Bootup Sequence

1. Perform power-on self test (POST).
2. Load and run bootstrap code.
3. Find the Cisco IOS software.
4. Load the Cisco IOS software.
5. Find the configuration.
6. Load the configuration.
7. Run the configured Cisco IOS software.

Boot Process

Power On
-> ROM: BIOS, POST/Bootstrap, Emergency IOS (prompt: Rommon1> or >)
-> FLASH: IOS Image
-> NVRAM: Startup-Config (if none is found: Initial Configuration Dialog Y/N?)
-> RAM: Running-Config (prompt: Router>)

Components of a 2600 Router

Computer/Terminal Console Connection

HyperTerminal Port Setting

Router Modes

Router>                                    User Executive mode
Router>enable
Router#                                    Privilege Executive mode
Router#configure terminal
Router(config)#                            Global Configuration mode
Router(config)#interface {e0 | s0/0}
Router(config-if)#                         Interface Configuration mode
Router(config)#line {con | aux | vty} 0
Router(config-line)#                       Line Configuration mode

Saving Configurations
Configurations in two locations - RAM and NVRAM. The running configuration is stored in RAM. Any configuration changes to the router are made to the running-configuration and take effect immediately after the command is entered. The startup-configuration is saved in NVRAM and is loaded into the router's running-configuration when the router boots up. To save the running-configuration to the startup configuration, type the following from privileged EXEC mode (i.e. at the "Router#" prompt.)

Router# copy run start



Password

Passwords restrict access to routers. Passwords should always be configured for virtual terminal lines and the console line. Passwords are also used to control access to privileged EXEC mode so that only authorized users may make changes to the configuration file.


Setting Password

Console Password
IIHT(config)#line console 0
IIHT(config-line)#password xxxxxx
IIHT(config-line)#login

Auxiliary Password
IIHT(config)#line aux 0
IIHT(config-line)#password xxxxxx
IIHT(config-line)#login

Telnet (vty) password
IIHT(config)#line vty 0 4
IIHT(config-line)#password xxxxxx
IIHT(config-line)#login

Clear text privilege mode password
IIHT(config)# enable password xxxxx

Encrypted privilege mode password
IIHT(config)# enable secret xxxxx

Privileged Mode Command

# show startup-config       OR  # sh start
# show running-config       OR  # sh run
# show version              OR  # sh ver
# show flash                OR  # sh flash
# show interfaces           OR  # sh int
# show interfaces s 0       OR  # sh int s 0
# show history              OR  # sh history
# show terminal             OR  # sh terminal
# terminal history size 25
# show ip interface brief   OR  # sh ip int brief

Encrypting Passwords
- Only the enable secret password is encrypted by default
- Need to manually configure the user-mode and enable passwords for encryption
- To manually encrypt your passwords, use the service password-encryption command

Router#config t
Router(config)#service password-encryption

Disable Passwords

IIHT(config)# no enable password
IIHT(config)# no enable secret

For the Console
IIHT(config)# line con 0
IIHT(config-line)# no password

For Telnet (vty)
IIHT(config)# line vty 0 4
IIHT(config-line)# no password

Interface Configuring

IIHT(config)#interface [int-type] [int-no.]
IIHT(config-if)#description connection to lan
IIHT(config-if)#ip address 172.16.10.1 255.255.255.0
IIHT(config-if)#bandwidth 64          (kbps)
IIHT(config-if)#clock rate 64000      (bps)
IIHT(config-if)#no shut

Configuring route

Static Route
IIHT(config)#ip route [destination network] [destination mask] [exit interface or next hop address] [Administrative Distance] [Permanent]
Eg. IIHTA(config)#ip route 10.3.0.0 255.255.0.0 10.2.0.2

Default Route
IIHT(config)#ip route [any network] [any mask] [exit interface or next hop address] [Administrative Distance] [Permanent]
Eg. IIHTA(config)#ip route 0.0.0.0 0.0.0.0 serial 0

Configuring dynamic route

RIP Configuration
IIHT(config)#router rip
IIHT(config-router)#version 1 or 2
IIHT(config-router)#network [network-to-route]
IIHT(config-router)#passive-interface [int-type] [int-no.]
IIHT(config-router)#maximum-path [no.]

EIGRP Route
IIHT(config)#router eigrp [autonomous system no.]
IIHT(config-router)#network [network-to-route]
IIHT(config-router)#passive-interface [int-type] [int-no.]
IIHT(config-router)#maximum-path [no.]
IIHT(config-router)#variance [variance multiplier]

OSPF Route
IIHT(config)#router ospf [process id]
IIHT(config-router)#network [network-to-route] [wildcard mask] area [area-id]
IIHT(config-router)#passive-interface [int-type] [int-no.]
IIHT(config-router)#maximum-path [no.]
IIHT(config-router)#router-id [id no.]

Routing Protocol Comparison

Characteristic | RIPv1 | RIPv2 | IGRP | EIGRP | OSPF
Type of protocol | Distance Vector [DV] | DV | DV | Hybrid DV | Link State
Classful | Yes | Yes | Yes | Yes | Yes
Classless | No | Yes | No | Yes | Yes
VLSM Support | No | Yes | No | Yes | Yes
Auto Summary | Yes | Yes | Yes | Yes | No
Manual Summary | No | Yes | No | Yes | Yes
Routing Update | Periodic Broadcast [30sec] | Periodic Multicast [224.0.0.9] [30sec] | Periodic Broadcast [30sec] | Unicast & Multicast [224.0.0.10] | Multicast: to DR/BDR 224.0.0.5, from DR 224.0.0.6

Characteristic | RIPv1 | RIPv2 | IGRP | EIGRP | OSPF
Route Metric | Hop Count | Hop Count | Composite Metric* | Composite Metric* x 256 | Cost (27 / Bandwidth)
Routing Algorithm | Bellman Ford | Bellman Ford | Bellman Ford | DUAL | Dijkstra SPF
No. of Tables | 1. Routing | 1. Routing | 1. Routing | 1. Routing, 2. Neighbor, 3. Topology | 1. Routing, 2. Adj (Nei), 3. LBD (top)
Infinity Value | 16 hops | 16 hops | 2^32 | 2^32 | N.A.
Maximum Hops | 15 | 15 | 100 default, up to 255 | 100 default, up to 255 | N.A.
Administrative Distance (AD) | 120 | 120 | 100 | 90 interior, 170 exterior | 110
Routing Code | R | R | I | D | O

*Composite metric = sum of (BW+Delay+Load+MTU+Reliability)

Characteristic | RIPv1 | RIPv2 | IGRP | EIGRP | OSPF
Load Balancing | Equal cost | Equal cost | Equal and unequal cost | Equal and unequal cost | Equal cost
Route Convergence | Slow (240 sec) | Slow (240 sec) | Slowest (630 sec) | Fastest | Fast (slower than EIGRP)
Backup route | No | No | No | Yes | No
Cisco Proprietary | No | No | Yes | Yes | No
Suitable for | Small networks | Small to medium networks | Small to medium networks (only Cisco) | Huge networks (only Cisco) | Huge networks
IPv6 Support | No | Yes | No | Yes | Yes
IPv6 Version | N.A. | RIPng | N.A. | EIGRPv6 | OSPFv3

Why is Link-State better than Distance-Vector?
- Link-state algorithms consider the state of the links to calculate the best path to the destination.
- Distance-vector algorithms consider the number of hops to calculate the best path to the destination.
- Link-state considers the bandwidth of the links from the source to the destination before taking a decision.
- Distance-vector just considers the number of hops to the destination: the fewer the hops, the better the route.
- Convergence is faster in link-state protocols.
- Distance-vector has a limitation on the maximum diameter your network can expand to.

Does this mean that Distance-Vector routing protocols are not useful?
- Definitely not, they are useful.
- Used according to the network size and requirements.
- Usually found in smaller sized networks.
- Routing protocols that use the Distance-Vector algorithm: RIP v1/v2, IGRP

What are ACLs?


ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs can be configured at the router to control access to a network or subnet.

Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.


Why Use Access Lists?

- Manage IP traffic as network access grows
- Filter packets as they pass through the router

Reasons to Create ACLs

The following are some of the primary reasons to create ACLs:

- Limit network traffic and increase network performance.
- Provide traffic flow control.
- Provide a basic level of security for network access.
- Decide which types of traffic are forwarded or blocked at the router interfaces. For example: permit e-mail traffic to be routed, but block all telnet traffic.

If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.

Basic Rules for ACLs

- Standard IP access lists should be applied closest to the destination.
- Extended IP access lists should be applied closest to the source.
- Use the inbound or outbound interface reference as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
- There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- Never work with an access list that is actively applied.
- New lines are always added to the end of the access list.
- A no access-list x command will remove the whole list.
- It is not possible to selectively add and remove lines with numbered ACLs.
- Outbound filters do not affect traffic originating from the local router.

ACLs

- Different access list for Telnet
- Implicit deny at bottom
- All restricted statements should be on first
- There are two types: Standard, Extended

How to Identify Access Lists

- Standard IP lists (1-99) test conditions of all IP packets from source addresses.
- Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
- Standard IP lists (1300-1999) (expanded range).
- Extended IP lists (2000-2699) (expanded range).

Standard ACLs
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard]

The no form of this command is used to remove a standard ACL. This is the syntax:
Router(config)#no access-list access-list-number

Example:
Config# access-list 1 deny 192.168.1.0 0.0.0.255
Config# access-list 1 permit any

Wildcard Mask

Access-list 99 permit 192.168.1.1 wildcard-mask
- All 32 bits of an IP address can be filtered
- Wildcard (inverse) mask: 0 = must match, 1 = ignore

MASK (applied to 192.168.1.1) | Matching IP
0.0.0.0 (host) | 192.168.1.1
0.0.0.255 | 192.168.1.0-255
0.0.255.255 | 192.168.0-255.0-255
0.255.255.255 | 192.0-255.0-255.0-255
255.255.255.255 | 0-255.0-255.0-255.0-255 (any)

Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).
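
An added Python example, not from the training material, that applies the wildcard-mask, first-match and implicit-deny rules from the standard, wildcard and extended ACL slides above. The helper names (standard, extended, evaluate) and the sample entries and packets are my own construction and follow IOS syntax only loosely.

```python
# Added example (not from the training deck): evaluate IOS-style standard and
# extended ACL entries against packets, applying the rules from the slides:
# wildcard masks (0 = must match, 1 = ignore), entries tested top to bottom,
# first match wins, and an implicit deny after the last entry.
# Helper names and all sample entries/packets are constructed for illustration.

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = ignore all 32 bits


def to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(address, base, wildcard):
    """Bits set to 1 in the wildcard are ignored; every other bit must match."""
    keep = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & keep) == (to_int(base) & keep)


def parse_spec(spec):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'  ->  (base, wildcard)."""
    parts = spec.split()
    if parts == ["any"]:
        return ANY
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]


def standard(action, src_spec):
    """Standard ACL entry: tests the source address only."""
    return {"action": action, "proto": "ip", "src": parse_spec(src_spec),
            "dst": ANY, "dport": None}


def extended(action, proto, src_spec, dst_spec, dport=None):
    """Extended ACL entry: protocol, source, destination and optional 'eq port'."""
    return {"action": action, "proto": proto, "src": parse_spec(src_spec),
            "dst": parse_spec(dst_spec), "dport": dport}


def evaluate(acl, packet):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"], i          # first match wins; later entries are not consulted
    return "deny", None                # implicit deny at the end of every ACL


# Standard list from the slide: block 192.168.1.0/24, permit everyone else.
ACL_1 = [standard("deny", "192.168.1.0 0.0.0.255"),
         standard("permit", "any")]

# Extended list for the slide's example policy: allow e-mail (SMTP, tcp/25)
# to a constructed mail server, block all telnet (tcp/23), permit the rest.
ACL_101 = [extended("permit", "tcp", "any", "host 10.1.1.25", dport=25),
           extended("deny", "tcp", "any", "any", dport=23),
           extended("permit", "ip", "any", "any")]

# Same entries as ACL_1 in the wrong order: 'permit any' shadows the deny,
# which is why the slides say to filter from specific to general.
ACL_1_WRONG_ORDER = [ACL_1[1], ACL_1[0]]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.77", "dst": "10.0.0.1", "proto": "ip"}
    print("ACL 1:", evaluate(ACL_1, pkt))                    # ('deny', 0)
    print("ACL 1 wrong order:", evaluate(ACL_1_WRONG_ORDER, pkt))   # ('permit', 0)
    telnet = {"src": "10.2.2.2", "dst": "10.1.1.30", "proto": "tcp", "dport": 23}
    print("ACL 101 telnet:", evaluate(ACL_101, telnet))      # ('deny', 1)
```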

Extended ACL Syntax


Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The characteristics of a named access-list:
- Identify an ACL using an alphanumeric name.
- You can delete individual statements in a named access list.
- Named access lists must be specified as standard or extended.
- You can use the ip access-list command to create named access lists.
- Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
- The same name may not be used for multiple ACLs.

Verify Access List


LAYER 3: Router

Can be used to connect different Layer 2 devices and different topologies. Makes decisions based on network addresses (IP addresses).

Routers' Two Main Functions

- Path Determination
- Packet Switching

Devices Function At Layers

Know These! Each device not only operates at its layer, but all layers below it


VIRTUAL LOCAL AREA NETWORK



VLANs
- A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.
- Ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks.
- Frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN.
- By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN; for inter-VLAN communication you need routers.

VLANs
VLAN implementation combines Layer 2 switching and Layer 3 routing technologies to limit both collision domains and broadcast domains. VLANs can also be used to provide security by creating the VLAN groups according to function and by using routers to communicate between VLANs. A physical port association is used to implement VLAN assignment. Communication between VLANs can occur only through the router.

This limits the size of the broadcast domains and uses the router to determine whether one VLAN can talk to another VLAN.
NOTE: This is the only way a switch can break up a broadcast domain!

VLANs Simplify Network Management

To break up a broadcast domain we would otherwise need to connect a router; by using VLANs we can divide the broadcast domain at Layer 2.

A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them. As a logical grouping of users by function, VLANs can be considered independent of their physical locations.

VLAN Memberships

A VLAN whose membership is assigned per switch port is known as a static VLAN.

A VLAN whose membership is assigned from a database of hardware (MAC) addresses is called a dynamic VLAN.


VLAN Membership Modes


Static VLANs

- Most secure
- Easy to set up and monitor
- Work well in a network where the movement of users within the network is controlled


Dynamic VLANs
A dynamic VLAN determines a node's VLAN assignment automatically. Using intelligent management software, you can base VLAN assignments on hardware (MAC) addresses. Dynamic VLANs need a VLAN Management Policy Server (VMPS).


VLAN Operation

VLANs can span multiple switches.

Trunks carry traffic for multiple VLANs across switches.

Trunks use special encapsulation to distinguish between different VLANs.



Types of Links
Access links: This type of link is part of only one VLAN, referred to as the native VLAN of the port. Any device attached to an access link is unaware of VLANs; switches remove any VLAN information from the frame before it is sent to an access-link device.
Trunk links: Trunks carry the traffic of multiple VLANs.

A trunk link is a 100 or 1000 Mbps point-to-point link between two switches, or between a switch and a router.


Frame Tagging Methods

There are two frame tagging methods: Inter-Switch Link (ISL) and IEEE 802.1Q.
- Inter-Switch Link (ISL): proprietary to Cisco switches; used for Fast Ethernet and Gigabit Ethernet links only.
- IEEE 802.1Q: created by the IEEE as a standard method of frame tagging; it actually inserts a field into the frame to identify the VLAN. If you're trunking between a Cisco switch and a different brand of switch, you have to use 802.1Q for the trunk to work.
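What the 802.1Q field inserted into the frame looks like on the wire, and what a switch does with it at an access link (the stripping described under Types of Links above), as an added Python example that is not code from the training deck. It goes beyond the single-tag case in the text: the parser walks a stack of tags (a provider tag with TPID 0x88A8 over a customer tag) and reports untagged frames, and it rejects the reserved VLAN IDs 0 and 4095. The MAC addresses and payload bytes are constructed for the example.

```python
"""Parsing IEEE 802.1Q VLAN tags from raw Ethernet frames.

Added example (not from the training deck). 802.1Q inserts a 4-byte tag after
the source MAC: a 16-bit TPID (0x8100) and a 16-bit TCI holding 3 bits of
priority (PCP), 1 bit DEI and a 12-bit VLAN ID. The parser also walks a stack
of tags (a provider tag with TPID 0x88A8 over a customer tag) and reports
untagged frames, so the same code handles access, trunk and stacked cases.
"""
import struct
from typing import Dict, List

TPID_8021Q = 0x8100     # customer VLAN tag
TPID_8021AD = 0x88A8    # service (provider) tag used for stacked VLANs
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int,
                payload: bytes) -> bytes:
    """Construct a frame with zero or more VLAN tags, outermost first."""
    frame = dst + src
    for depth, vid in enumerate(vids):
        if not 1 <= vid <= 4094:        # 0 and 4095 are reserved by 802.1Q
            raise ValueError(f"VLAN ID {vid} is reserved or out of range")
        outer_of_stack = depth == 0 and len(vids) > 1
        tpid = TPID_8021AD if outer_of_stack else TPID_8021Q
        tci = vid                       # PCP = 0, DEI = 0 in this example
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict:
    """Return MACs, VLAN tags (outer to inner), the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12                            # position of the first TPID/EtherType
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends inside a tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                       # reached the real EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does on egress to an access port: drop the outermost tag."""
    if not parse_frame(frame)["tags"]:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frames: broadcast destination, made-up source MAC,
# and 20 bytes standing in for an IPv4 header.
SAMPLE_DST = b"\xff" * 6
SAMPLE_SRC = bytes.fromhex("001122334455")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19
SAMPLE_UNTAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, [], ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
SAMPLE_TAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, [2], ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
SAMPLE_STACKED = build_frame(SAMPLE_DST, SAMPLE_SRC, [100, 2], ETHERTYPE_IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", SAMPLE_UNTAGGED), ("tagged", SAMPLE_TAGGED),
                    ("stacked", SAMPLE_STACKED)):
        print(name, parse_frame(f)["tags"])
```

parse_frame() returns the tags outer to inner, so on a stacked frame the first entry is the provider's tag and the second the customer's own tag; strip_outer_tag() applied to a singly tagged frame yields exactly the untagged frame an access-link device receives.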

VLAN Trunking Protocol (VTP)

Benefits of VTP
- Consistent VLAN configuration across all switches in the network
- Accurate tracking and monitoring of VLANs
- Dynamic reporting of added VLANs to all switches in the VTP domain


VTP Modes

Mode         Creates/modifies/deletes VLANs   Advertisements        Synchronizes   VLAN database
Server       Yes                              Sends and forwards    Yes            Saved in NVRAM
Client       No                               Forwards              Yes            Not saved in NVRAM
Transparent  Yes                              Forwards              No             Saved in NVRAM

VLAN to VLAN

If you want to connect two VLANs, you need a Layer 3 device.


VLANs and Router on a Stick

(Diagram: two switches joined by a trunk on port 24; switch port 9 is a trunk to router interface FA0/0; hosts on ports 1-4. Addresses: router 10.0.0.1 and 20.0.0.1; hosts 10.0.0.2 and 10.0.0.3 in VLAN 2, 20.0.0.2 and 20.0.0.3 in VLAN 3.)

Create two VLANs on each switch:
sw#vlan database
sw(vlan)#vlan 2 name red
sw(vlan)#vlan 3 name blue
sw(vlan)#exit
sw#config t
sw(config)#int fastethernet 0/1
sw(config-if)#switchport access vlan 2
sw(config-if)#exit
sw(config)#int fastethernet 0/4
sw(config-if)#switchport access vlan 3
To see the interface status:
sw#show interface status

Trunk Port Configuration (switch-to-switch link):
sw#config t
sw(config)#int fastethernet 0/24
sw(config-if)#switchport trunk encapsulation dot1q
sw(config-if)#switchport mode trunk

Router Configuration (the physical interface must be up for its subinterfaces to come up):
R1#config t
R1(config)#int fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#int fastethernet 0/0.1
R1(config-subif)#encapsulation dot1q 2
R1(config-subif)#ip address 10.0.0.1 255.0.0.0
R1(config-subif)#no shutdown
R1(config-subif)#exit
R1(config)#int fastethernet 0/0.2
R1(config-subif)#encapsulation dot1q 3
R1(config-subif)#ip address 20.0.0.1 255.0.0.0
R1(config-subif)#no shutdown

Router-Switch port to be made a trunk:
sw(config)#int fastethernet 0/9
sw(config-if)#switchport trunk encapsulation dot1q
sw(config-if)#switchport mode trunk


VLANs and Physical Boundaries


A VLAN is a logical grouping of devices or users that can be grouped by function, department, or application, regardless of their physical segment location. VLAN configuration is done at the switch via software.



VLANs and Physical Boundaries


In a typical LAN, users are grouped based on their location in relation to the hub they are plugged into. Traditional LAN segmentation does not group users according to their workgroup association or need for bandwidth.



VIRTUAL PRIVATE NETWORK


(Diagram slides: VPN topology; the only recoverable labels are "user" and "HOME".)

VPN Advantages:
1- Private and secure connectivity between multiple, geographically dispersed locations of a single enterprise
2- Transport of voice, video and data between all locations
3- Provides increased productivity through sharing of information
4- Aggregate purchasing power of all branch locations
5- Access to third-party databases via HQ subscription
6- A single Internet access gateway at the HQ provides enhanced security management
7- All locations share additional utilities via corporate/branch resources, i.e. customer service, software utilities, training


RELIANCE METRO ETHERNET ARCHITECTURE


RELIANCE METRO ACCESS LOGICAL DIAGRAM

(Diagram: the INTERNET and the INTERNET DATA CENTER (IDC) connect to the RELIANCE CORE NETWORK; the MCN sits on the MA RING; MAN nodes aggregate BAN RINGS (GIGABIT ETHERNET RING); each BAN aggregates a BA RING carrying 10/100 BASE-T customer access.)


LEGENDS
- ENTERPRISE/RESIDENTIAL BUILDING
- HOME USER
- SOHO
- CPE
- INTERNET GATEWAY ROUTER
- 1000 BASE SX/LX/TX
- DESKTOP BOX
- BRANCH OFFICE
- 10/100 BASE-T UTP CONNECTION


TYPICAL HIERARCHY OF RIC ARCHITECTURE

- BUILDING ACCESS NETWORK (BA RING): BUILDING NODE
- BUILDING AGGREGATION NETWORK (BAN RING): BUILDING AGGREGATION NODE
- METRO AGGREGATION NETWORK (MAN RING): METRO AGGREGATION NODE, METRO CONVERGENCE NODE
- CORE NETWORK: CORE ROUTERS

BUILDING ACCESS RING

ALL RESIDENTIAL, SOHO AND ENTERPRISE CUSTOMERS ARE AGGREGATED ON THIS NODE, CALLED THE BUILDING AGGREGATION NODE: TYPICALLY A VPN DEVICE WITH 10/100 BASE-T CUSTOMER EDGE INTERFACES AND 1 GE UPLINK PORTS. CUSTOMERS CAN OPT FOR A WIDE VARIETY OF AVAILABLE CONNECTIVITY, E.G. ETHERNET, DSL, POTS, SERIAL ETC. AT THE BN ALL CUSTOMERS ARE IDENTIFIED BY A VLAN NUMBER ASSIGNED TO THEM BY RELIANCE. NOTE THAT A CUSTOMER MAY OR MAY NOT CARRY ITS OWN VLAN TAG. ALL TRAFFIC IS AGGREGATED AND TRANSPORTED THROUGH A GE RING (1 GBPS) CONSTITUTED BY SEVERAL BUILDING NODES.


BUILDING AGGREGATION RING

SEVERAL BA RINGS ARE AGGREGATED HERE. THE BAN IS REQUIRED TO BE A VERY SCALABLE, HIGH-END SWITCH IN ORDER TO SERVE CUSTOMERS IN THE THOUSANDS. ALL VLAN-TAGGED TRAFFIC IS ENCAPSULATED HERE WITH A LAYER 2 LABEL AND FORWARDED TO THE METRO AGGREGATION NODE. FORWARDING OF DATA DOES NOT HAPPEN THROUGH ROUTING; RATHER IT IS DONE WITH AN EFFICIENT AND PROVEN TECHNOLOGY CALLED MPLS. ALL FORWARDING DECISIONS ARE TAKEN ON THE BASIS OF LAYER 2 INFORMATION. CUSTOMER SEPARATION IS MAINTAINED THROUGH THE VLAN TAG AND CARRIED ACROSS THE RELIANCE CORE TO THE OTHER END.

THIS IS ACHIEVED BY CREATING AN END-TO-END MPLS TUNNEL FROM THE BAN.
SECURITY CONCERNS ARE TAKEN CARE OF BY A SEPARATE MPLS LABEL-SWITCHED PATH FOR EACH CUSTOMER.


METRO AGGREGATION NODE

THE METRO AGGREGATION NODES WORK THE SAME WAY AS THE BAN.
ALL BAN RINGS ARE AGGREGATED ON THE MAN. ALL TRAFFIC AGGREGATED FROM THE BAN RINGS IS HANDED OVER TO THE MAN, AND FROM THE MAN RING TO THE METRO CONVERGENCE NODE, WHICH FURTHER HANDS IT OVER TO THE RELIANCE CORE NETWORK.

CORE NETWORK
THE CORE NETWORK OF RELIANCE CONSISTS OF HIGH-END ROUTERS LOCATED ACROSS ALL MAJOR CITIES.
FORWARDING HERE IS DONE BY MPLS. FOR REACHABILITY INFORMATION THESE ROUTERS RUN OSPF AND BGP. FOR QOS AND TRAFFIC ENGINEERING, RSVP-TE IS IMPLEMENTED.


DATA SERVICES OFFERED BY RIC

LAYER 2 VPN

THIS SERVICE IS AIMED AT BIG ENTERPRISE CUSTOMERS WHO WANT HIGH-SPEED CONNECTIVITY FROM THE PROVIDER FOR THEIR ENTERPRISE CONNECTIVITY, E.G. TLS (ANY TO ANY), P2P, P2MP. PREFERABLY THESE CUSTOMERS WOULD WANT TO MANAGE THEIR ROUTING AND OTHER APPLICATIONS THEMSELVES. THE ENTERPRISE CUSTOMER IS IDENTIFIED BY A VLAN ID (LAYER 2 INFORMATION) AT THE BN; SP DEVICES FORWARD CUSTOMER FRAMES BASED ON THE VLAN ID. OTHER METHODS ARE DLCI, MAC, VPI/VCI ETC.

CONNECTIVITY IS ACHIEVED THROUGH LAYER 2 VPN SPECIFICATIONS OVER MPLS AS MENTIONED IN THE MARTINI AND LASSERRE-VKOMPELLA DRAFTS, FOR LAYER 2 TECHNOLOGIES SUCH AS ETHERNET, FRAME RELAY, ATM ETC.
THE CHALLENGE HERE IS TO PROVIDE HIGH BANDWIDTH, SECURITY AND AVAILABILITY.

LAYER 3 VPN
THIS SERVICE IS AIMED AT SMALL AND MEDIUM-SIZED ENTERPRISES WHO WANT TO OUTSOURCE THEIR NETWORK REQUIREMENTS ENTIRELY TO THE SERVICE PROVIDER. THE SERVICE PROVIDER HERE NEEDS TO TAKE CARE OF ALL THE CUSTOMER'S CONNECTIVITY NEEDS, E.G. CONNECTIVITY, AVAILABILITY AS COMMITTED IN THE SLA, SECURITY ETC. THE CPE TYPICALLY ACTS AS A CE ROUTER AND THE BAN AS A PE. LIKE LAYER 2 VPN, HERE TOO THE FORWARDING TECHNOLOGY IS BASED ON MPLS SWITCHING. THE CORE ROUTER ACTS AS A P HERE. NOTE: CE = CUSTOMER EDGE, PE = PROVIDER EDGE, P = PROVIDER. THE LAYER 3 VPN SERVICES OVER MPLS ARE PROVIDED ON THE BASIS OF RFC 2547.


THANK YOU
