Cisco summary (ملخص_سيسكو[1].pdf)
Chapter 1

Reliability
Reliable transport can accomplish the following:
Ensure that delivered segments are acknowledged to the sender.
Provide for retransmission of any segments that are not acknowledged.
Put segments back into their correct sequence at the destination.
Provide congestion avoidance and control.
--------------------------------------------------------------------------------------------------------------
Flow Control
Avoids the problem of a host at one side of the connection overflowing the buffers in the host at the other side.
--------------------------------------------------------------------------------------------------------------
Acknowledgment
Positive acknowledgment requires a recipient to communicate with the source by sending back an acknowledgment message when it receives data.
The sender keeps a record of each data packet that it sends and expects an acknowledgment for it.
--------------------------------------------------------------------------------------------------------------
Transmission Control Protocol (TCP)
Protocols that use TCP include:
FTP [File Transfer Protocol]
HTTP [Hypertext Transfer Protocol]
SMTP [Simple Mail Transfer Protocol]
Telnet
--------------------------------------------------------------------------------------------------------------
User Datagram Protocol (UDP)
Protocols that use UDP include:
TFTP [Trivial File Transfer Protocol]
SNMP [Simple Network Management Protocol]
DHCP [Dynamic Host Configuration Protocol]
DNS [Domain Name System]
--------------------------------------------------------------------------------------------------------------
TCP and UDP Port Numbers
Both TCP and UDP use port (socket) numbers to pass information to the upper layers.
Numbers below 1024 are considered well-known port numbers.
Numbers above 1024 are dynamically assigned port numbers.
Registered port numbers are those registered for vendor-specific applications. Most of these are above 1024.
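The four reliability mechanisms listed above (acknowledgment, retransmission of unacknowledged segments, resequencing at the destination) are easiest to see in a small simulation. The following Python program is an added example, not code from the notes or from Cisco: it sends numbered segments through a constructed channel that drops and reorders them, the receiver answers with a cumulative acknowledgment, and the sender keeps a record of every unacknowledged segment and resends it until it is confirmed. The window size, loss rate and segment contents are all constructed for the demo.

```python
"""Added example: sequence numbers, positive acknowledgment, retransmission and
in-order reassembly over a constructed lossy, reordering channel."""
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # sequence number of this segment
    payload: str


@dataclass
class Receiver:
    """Destination side: acknowledges what arrives and reassembles it in order."""
    expected: int = 0                                   # next in-order seq wanted
    buffer: dict = field(default_factory=dict)          # out-of-order segments held back
    delivered: list = field(default_factory=list)       # data handed up in sequence

    def receive(self, seg: Segment) -> int:
        """Store the segment, then return a cumulative ACK (next seq wanted)."""
        if seg.seq >= self.expected:
            self.buffer[seg.seq] = seg.payload          # a duplicate just overwrites
        # Release every contiguous segment to the application, in order.
        while self.expected in self.buffer:
            self.delivered.append(self.buffer.pop(self.expected))
            self.expected += 1
        return self.expected


class LossyChannel:
    """Constructed channel: drops a fraction of segments, shuffles the rest."""

    def __init__(self, loss_rate: float, rng: random.Random):
        self.loss_rate = loss_rate
        self.rng = rng
        self.dropped = 0

    def transmit(self, segments):
        survivors = []
        for seg in segments:
            if self.rng.random() < self.loss_rate:
                self.dropped += 1
            else:
                survivors.append(seg)
        self.rng.shuffle(survivors)                     # arrival order is not send order
        return survivors


def send_reliably(chunks, window=4, loss_rate=0.3, seed=1, max_rounds=50):
    """Sender side: keep a record of each unacknowledged segment and resend it
    until the receiver's cumulative ACK covers it.
    Returns (reassembled data, rounds used, retransmissions)."""
    rng = random.Random(seed)
    channel = LossyChannel(loss_rate, rng)
    rx = Receiver()
    unacked = {i: Segment(i, chunk) for i, chunk in enumerate(chunks)}
    sent_once = set()
    rounds = retransmissions = 0
    while unacked and rounds < max_rounds:
        rounds += 1
        # Send the `window` lowest-numbered segments that are still unacknowledged.
        batch = [unacked[k] for k in sorted(unacked)[:window]]
        for seg in batch:
            if seg.seq in sent_once:
                retransmissions += 1
            sent_once.add(seg.seq)
        ack = rx.expected
        for seg in channel.transmit(batch):
            ack = rx.receive(seg)                       # ACK is cumulative, so last wins
        # Everything below the ACK is confirmed; drop it from the sender's record.
        for seq in [s for s in unacked if s < ack]:
            del unacked[seq]
    return "".join(rx.delivered), rounds, retransmissions


if __name__ == "__main__":
    data = [f"segment-{i} " for i in range(10)]         # constructed payload
    text, rounds, retx = send_reliably(data, loss_rate=0.3, seed=7)
    print(f"reassembled ok: {text == ''.join(data)}, rounds={rounds}, retransmissions={retx}")
```

With loss_rate set to 0 the transfer finishes in exactly ceil(10 / 4) = 3 rounds with no retransmissions; with loss the sender needs more rounds, but the receiver still hands the data up in the original order because out-of-order segments are buffered until the gap before them is filled.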
Domain Name Service [DNS]
System used for translating domain names into IP addresses.
There are more than 200 top-level domains on the internet. Examples:
--------------------------------------------------------------------------------------------------------------
FTP and TFTP
FTP is a reliable, connection-oriented service that uses TCP to transfer files between systems that support FTP.
TFTP is a connectionless service that uses UDP.
o TFTP is used on routers to transfer configuration files and Cisco IOS images.
o TFTP is designed to be small and easy to implement.
--------------------------------------------------------------------------------------------------------------
SNMP
An application layer protocol that facilitates the exchange of management information between network devices.
--------------------------------------------------------------------------------------------------------------
TELNET
Telnet client software provides the ability to log in to a remote internet host that is running the Telnet server application and then to execute commands from the command line.

Chapter 2

Access Control List
A Layer 3 security feature which controls the flow of traffic from one router to another; also called a Packet Filtering Firewall.
--------------------------------------------------------------------------------------------------------------
Types of Access-list
Standard ACL
Extended ACL
Named ACL
--------------------------------------------------------------------------------------------------------------
Standard Access List
The access-list number lies between 1 – 99.
Can block a Network, Host or Subnet.
Two-way communication is stopped.
All services are blocked.
Implemented closest to the destination. (Guideline)
--------------------------------------------------------------------------------------------------------------
Extended Access List
The access-list number lies between 100 – 199.
Can block a Network, Host, Subnet or Service.
One-way communication is stopped.
Selected services can be blocked.
Implemented closest to the source. (Guideline)
--------------------------------------------------------------------------------------------------------------
Terminology
Deny: Blocking a Network/Host/Subnet/Service.
Permit: Allowing a Network/Host/Subnet/Service.
Source Address: The address of the PC from where the request starts. (Show diagram.)
Destination Address: The address of the PC where the request ends.
Inbound: Traffic coming into the interface.
Outbound: Traffic going out of the interface.
Protocols: IP - TCP - UDP - ICMP
Operators: eq (equal to), neq (not equal to), lt (less than), gt (greater than)
Services: HTTP, FTP, TELNET, DNS, DHCP etc.
--------------------------------------------------------------------------------------------------------------
Wild Card Mask
Tells the router which addressing bits must match in the address of the ACL statement.
It is the inverse of the subnet mask, hence it is also called an Inverse Mask.
A bit value of 0 indicates MUST MATCH (Check Bits).
A bit value of 1 indicates IGNORE (Ignore Bits).
The wild card mask for a Host will always be 0.0.0.0.
A wild card mask can be calculated using the formula:
--------------------------------------------------------------------------------------------------------------
Named Access List
Access-lists are identified using Names rather than Numbers.
Names are Case-Sensitive.
No limitation of Numbers here.
One main advantage is that editing of the ACL is possible, i.e. removing a specific statement from the ACL is possible.
(IOS version 11.2 or later allows Named ACLs.)
--------------------------------------------------------------------------------------------------------------
Creation of Standard Named Access List
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit | deny> <source address> <source wildcard mask>
Implementation of Standard Named Access List
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <name> <in | out>
--------------------------------------------------------------------------------------------------------------
Creation of Extended Named Access List
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit | deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> [<operator> <port>]
Implementation of Extended Named Access List
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <name> <in | out>
--------------------------------------------------------------------------------------------------------------
Creation of Standard Access List
Router(config)# access-list <1-99> <permit | deny> <source address> <source wildcard mask>
Implementation of Standard Access List
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <1-99> <in | out>
--------------------------------------------------------------------------------------------------------------
Creation of Extended Access List
Router(config)# access-list <100-199> <permit | deny> <protocol> <source address> <source wildcard mask> <destination address> <destination wildcard mask> [<operator> <port>]
Implementation of Extended Access List
Router(config)# interface <type> <number>
Router(config-if)# ip access-group <100-199> <in | out>
--------------------------------------------------------------------------------------------------------------
Commands used to verify access-list configuration
Command: show access-list
Effect: Displays all access lists and their parameters configured on the router. Also shows statistics about how many times each line either permitted or denied a packet. This command does not show you which interface the list is applied on.
Command: show access-list 110
Effect: Reveals only the parameters for access list 110. This command will not reveal the specific interface the list is set on.
Command: show ip access-list
Effect: Shows only the IP access lists configured on the router.
Command: show ip interface
Effect: Displays which interfaces have access lists set on them.
Command: show running-config
Effect: Shows the access lists and the specific interfaces that have ACLs applied on them.
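The wildcard-mask rule (0 bits must match, 1 bits are ignored), first-match evaluation, the implicit deny at the end of every list, and the per-line hit counters that show access-list reports are the behaviours that matter when reviewing an ACL. The Python program below is an added example written for these notes, not Cisco code or a copy of IOS: it derives a wildcard mask from a subnet mask, matches addresses bit-wise against a wildcard, and evaluates a constructed extended ACL (in the spirit of access-list 110 above) against constructed packets. Entry fields, packet dictionaries and all addresses are the example's own assumptions.

```python
"""Added example: wildcard-mask matching and first-match / implicit-deny ACL evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_from_subnet_mask(mask: str) -> str:
    """Inverse (wildcard) mask: 255.255.255.255 minus the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the reference; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(reference))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & ~w) == 0          # differing bits are only allowed where w has a 1


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    protocol: str = "ip"                 # ip matches any protocol; else tcp/udp/icmp
    src: str = "0.0.0.0"                 # defaults express "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    operator: Optional[str] = None       # eq / neq / lt / gt on the destination port
    port: Optional[int] = None
    hits: int = 0                        # like the match counters in `show access-list`

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.operator:
            dport = pkt.get("dport")
            if dport is None:            # no port to compare (e.g. ICMP)
                return False
            return {"eq": dport == self.port, "neq": dport != self.port,
                    "lt": dport < self.port, "gt": dport > self.port}[self.operator]
        return True


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry decides; reaching the end is the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action
    return "deny"


def sample_acl() -> list:
    """Constructed extended ACL: LAN may use HTTP, may not use Telnet; 10/8 may do anything."""
    return [
        AclEntry("permit", "tcp", "192.168.1.0", "0.0.0.255", operator="eq", port=80),
        AclEntry("deny", "tcp", "192.168.1.0", "0.0.0.255", operator="eq", port=23),
        AclEntry("permit", "ip", "10.0.0.0", "0.255.255.255"),
    ]


def run_demo() -> dict:
    """Evaluate constructed packets; returns {packet name: action}."""
    acl = sample_acl()
    packets = {
        "lan-web":      {"protocol": "tcp", "src": "192.168.1.5", "dst": "203.0.113.10", "dport": 80},
        "lan-telnet":   {"protocol": "tcp", "src": "192.168.1.5", "dst": "203.0.113.10", "dport": 23},
        "10net-telnet": {"protocol": "tcp", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 23},
        "lan-dns":      {"protocol": "udp", "src": "192.168.1.5", "dst": "203.0.113.53", "dport": 53},
        "other-ping":   {"protocol": "icmp", "src": "172.16.0.1", "dst": "203.0.113.10"},
    }
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:13} -> {action}")
```

The lan-dns packet is the instructive case: nothing in the list mentions UDP, so it falls through to the implicit deny even though the same host is allowed HTTP. That is why a list that only contains permit lines for specific services blocks everything else, and why show access-list hit counters on the last explicit line are worth checking when traffic disappears.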
Chapter 3

VLAN Configuration
To configure VLANs on a Cisco Catalyst switch, use the global configuration vlan command.
You can create VLANs from 1 to 4094.
Standard VLANs range from 1 to 1005; VLANs 1, 1002, 1003, 1004 and 1005 are reserved.
VLAN 1 is called the native VLAN.
Extended-range VLANs 1006-4094 can be created only in VTP transparent mode.
Use the commands show vlan and show vlan brief to display VLANs.
--------------------------------------------------------------------------------------------------------------
Switchport Modes
Access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link.
Dynamic Auto: The interface passively waits to receive a trunk negotiation message.
Dynamic Desirable: The interface actively attempts to convert the link to a trunk link.
Nonegotiate: Prevents the interface from generating DTP frames; it is used when the switchport mode is access or trunk.
Trunk (on): Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.
--------------------------------------------------------------------------------------------------------------
VLAN Trunking Protocol (VTP)
VTP allows you to add, delete, and rename VLANs; that VLAN information is then shared with the other switches in the VTP domain.
VLANs can be created on a switch in VTP server mode only.
All servers that need to share VLAN information must use the same domain name.
A switch can share VTP domain information with other switches only if they are configured into the same VTP domain.
VTP information is sent between switches only via a trunk port.
--------------------------------------------------------------------------------------------------------------
VTP Modes of Operation
Server: The default mode for all Catalyst switches. The switch must be in server mode to be able to create, add, and delete VLANs in a VTP domain. VLAN configurations are saved in NVRAM on the switch.
Client: Switches receive information from VTP servers and forward updates to other switches. VLAN information sent from a VTP server is not stored in NVRAM.
Transparent: The switch must be in VTP transparent mode to let you create VLAN IDs from 1006 to 4094.
--------------------------------------------------------------------------------------------------------------
Spanning-Tree Protocol (STP)
The primary objective of STP is to prevent network loops on a Layer 2 network of bridges or switches.
STP monitors the network to track all links and shuts down the redundant ones.
STP uses the spanning-tree algorithm (STA) to first create a topology database and then search out and disable redundant links.
With STP running, frames will be forwarded only on the best, STP-chosen links.
The default IEEE version of STP is 802.1d.

Spanning Tree Terms
Root Bridge: The switch with the lowest bridge ID becomes the root bridge. It is the focal point in the network.
Bridge ID: Used to keep track of all switches in the network. It is determined by a combination of the bridge priority and the MAC address.
Non-root Bridges: Non-root bridges exchange BPDUs with all bridges and update the STP topology database.
Port Cost: The cost of a link is determined by its bandwidth.
Path Cost: Path cost is the sum of the various port costs to the root bridge.
BPDU: Data messages exchanged between the switches containing information about ports, costs, priorities and bridge IDs.
Convergence: All ports on bridges and switches have transitioned to either forwarding or blocking mode. (No data will be forwarded until convergence is complete.) (The original STP (802.1d) takes 50 seconds to go from blocking to forwarding mode by default.)
--------------------------------------------------------------------------------------------------------------
Bridge Port Roles
1. Root Port: The port with the best path to the root bridge is called the root port. Every non-root bridge must have a root port.
All root ports are placed in the forwarding state.
2. Designated Port: A designated port is one that has been determined to have the best (lowest) cost to the root bridge on a given network segment.
3. Non-designated Port: This is the link with the highest cost and it is kept blocked.
4. Forwarding Port: It forwards frames and can be either a root port or a designated port.
5. Blocked Port: It can only receive BPDU frames from other switches.
6. Alternate Port: This corresponds to the blocking state of 802.1d, and is a term used with the newer 802.1w (RSTP).
7. Backup Port: It is connected to a LAN segment on which another port of the same switch is acting as the designated port.
--------------------------------------------------------------------------------------------------------------
Spanning-Tree Port States
Disabled: A non-operational state.
Blocking: A port in this state will not forward frames; it just listens to BPDUs.
Listening: A port in the listening state prepares to forward data frames without populating the MAC address table.
Learning: A port in the learning state populates the MAC address table but still does not forward data frames.
Forwarding: If the port is still a designated or root port at the end of the learning state, it enters the forwarding state.
--------------------------------------------------------------------------------------------------------------
RSTP Configuration Commands
SW(config)# spanning-tree mode rapid-pvst
SW# show spanning-tree
SW# show mac address-table

Spanning-Tree Failure Consequences
The problems that will occur in a failed STP network:
1. The load on all links begins increasing as more and more frames enter the loop.
2. Traffic will increase on the switches because all the circling frames actually get duplicated.
3. The MAC address table becomes completely unstable.
4. The device becomes unresponsive.
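Root bridge election, path cost as the sum of port costs, and the resulting root / designated / non-designated port roles are the parts of STP that a reader most often has to work out by hand. The Python program below is an added example written for these notes, not Cisco code: it elects the root from (priority, MAC) bridge IDs, runs a shortest-path search from the root using the IEEE 802.1D short-method port costs for 10 / 100 / 1000 Mb/s links (100, 19 and 4), and then labels each end of every link with its role. The three-switch topology, the MAC addresses and the priorities are constructed for the demo; real STP also breaks ties on port ID, which the example leaves out.

```python
"""Added example: STP root election, path costs and port roles on a constructed topology."""
import heapq

# IEEE 802.1D-1998 short-method port cost by link bandwidth in Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4}


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID orders by priority first, then by MAC address; lowest wins."""
    return (priority, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges: {name: (priority, mac)} -> name of the switch with the lowest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def path_costs(links: list, bridges: dict, root: str) -> dict:
    """links: [(switch_a, switch_b, bandwidth_mbps)]. Shortest-path search from the
    root, returning {switch: (path cost to root, upstream neighbour)}.
    Equal-cost paths are broken by the lower bridge ID of the upstream switch."""
    adj = {}
    for a, b, bw in links:
        adj.setdefault(a, []).append((b, PORT_COST[bw]))
        adj.setdefault(b, []).append((a, PORT_COST[bw]))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                   # stale heap entry
        for nbr, link_cost in adj.get(node, []):
            nc = cost + link_cost                      # path cost = sum of port costs
            better = (nbr not in best or nc < best[nbr][0]
                      or (nc == best[nbr][0]
                          and bridge_id(*bridges[node]) < bridge_id(*bridges[best[nbr][1]])))
            if better:
                best[nbr] = (nc, node)
                heapq.heappush(heap, (nc, nbr))
    return best


def port_roles(links: list, bridges: dict, best: dict) -> dict:
    """Role of each link end, keyed by (switch, neighbour): 'root', 'designated'
    or 'blocked' (the non-designated end)."""
    roles = {}
    for a, b, _ in links:
        # The end whose upstream neighbour is across this link is the root port.
        for me, other in ((a, b), (b, a)):
            if best[me][1] == other:
                roles[(me, other)] = "root"
        # The designated end is the side with the lower path cost to the root
        # (tie broken by lower bridge ID); the remaining end is blocked.
        designated = min((a, b), key=lambda n: (best[n][0], bridge_id(*bridges[n])))
        for me, other in ((a, b), (b, a)):
            roles.setdefault((me, other), "designated" if me == designated else "blocked")
    return roles


# Constructed topology: S3 has the lowest priority, so it must become the root.
BRIDGES = {"S1": (32768, "0000.0000.0001"),
           "S2": (32768, "0000.0000.0002"),
           "S3": (4096, "0000.0000.0003")}
LINKS = [("S1", "S2", 1000), ("S1", "S3", 100), ("S2", "S3", 1000)]


def run_demo() -> tuple:
    root = elect_root(BRIDGES)
    best = path_costs(LINKS, BRIDGES, root)
    return root, best, port_roles(LINKS, BRIDGES, best)


if __name__ == "__main__":
    root, best, roles = run_demo()
    print("root bridge:", root)
    for sw, (cost, up) in sorted(best.items()):
        print(f"{sw}: path cost {cost}, root port towards {up}")
    for (sw, nbr), role in sorted(roles.items()):
        print(f"{sw} -> {nbr}: {role}")
```

On this topology S1's direct 100 Mb/s link to the root costs 19, while the two-hop path through S2 over gigabit links costs 4 + 4 = 8, so S1's root port faces S2 and its port on the direct link to S3 is the one STP blocks. That is the "redundant link shut down" from the notes, and it also shows why a lower-cost path, not the fewest hops, decides the root port.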
--------------------------------------------------------------------------------------------------------------
PortFast
We can use PortFast on the ports on S1 to help them transition to the STP forwarding state immediately upon connecting to the switch. The ports will transition from the blocking to the forwarding state immediately.
S1(config)# spanning-tree portfast default
S1(config-if)# spanning-tree portfast
--------------------------------------------------------------------------------------------------------------
BPDU Guard
Used on switch ports for which PortFast is enabled.
--------------------------------------------------------------------------------------------------------------
EtherChannel (Port Channel)
EtherChannel bundles together multiple links between switches by using port channelling. EtherChannel is Cisco's proprietary term for port channelling. It groups several Fast Ethernet or Gigabit Ethernet ports into one logical channel.
There are two versions of port channel negotiation protocols:
1. Port Aggregation Protocol (PAgP): Cisco's proprietary protocol.
2. Link Aggregation Control Protocol (LACP): IEEE 802.3ad standard protocol.
Cisco EtherChannel allows us to bundle up to 8 FastEthernet or two Gigabit ports active between switches.