18. APJ Instructor Forum


Transcript 18. APJ Instructor Forum

CCNA Certification Preparation Session 4 of 4

April, 2012

Jaskaran Kalsi & Bogdan Doinea Assoc. Technical Managers Europe/CEE/RCIS Cisco Networking Academy © 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential 1

Agenda:
• NAT
• PPP
• Frame Relay
• Access Lists
• Troubleshooting


Topology (from the slide figure): 192.168.101.0/24 LAN with 50 users behind R1; R2 performs NAT; WAN addresses shown: 129.10.20.1/30 and 209.165.200.1.

Given the network topology, make configurations on R2 to enable 50 users from the R1 LAN to access the internet.

Possible solution:

R2(config)#access-list 1 permit 192.168.101.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface s 0/0/0 overload
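An added example (not code from the slides) modelling what the solution above does: sources permitted by access-list 1 are translated to the single s 0/0/0 address with a unique source port per flow (overload/PAT), everything else passes untranslated. It assumes 129.10.20.1 from the topology is R2's s 0/0/0 address and hands out ports sequentially.

```python
import ipaddress

class PatTranslator:
    """Model of 'ip nat inside source list 1 interface s 0/0/0 overload' on R2.

    Only sources permitted by the inside list are translated; they all share
    one outside address and are told apart by the translated source port.
    Simplifications: ports are handed out sequentially (IOS tries to keep the
    original port first) and the outside address 129.10.20.1 is assumed to
    be R2's s 0/0/0 address from the topology. Added example, not slide code.
    """

    def __init__(self, inside_list, outside_ip, first_port=1024):
        # inside_list holds (network, wildcard) pairs as in 'access-list 1';
        # ipaddress accepts a contiguous wildcard as a hostmask.
        self.inside_nets = [ipaddress.ip_network(f"{net}/{wild}")
                            for net, wild in inside_list]
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.forward = {}   # (src, sport, dst, dport) -> translated port
        self.reverse = {}   # translated port -> (src, sport)

    def permitted(self, src):
        """Does access-list 1 permit this source, i.e. should it be NATted?"""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.inside_nets)

    def outbound(self, src, sport, dst, dport):
        """Inside->outside packet: return the (address, port) seen on the WAN."""
        if not self.permitted(src):
            return src, sport                    # not in list 1: no translation
        key = (src, sport, dst, dport)
        if key not in self.forward:              # new flow: allocate a port
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = (src, sport)
            self.next_port += 1
        return self.outside_ip, self.forward[key]

    def inbound(self, dport):
        """Reply arriving on the outside address: map back to the inside host."""
        return self.reverse.get(dport)           # None: no translation entry

if __name__ == "__main__":
    r2 = PatTranslator([("192.168.101.0", "0.0.0.255")], "129.10.20.1")
    print(r2.outbound("192.168.101.10", 50000, "198.51.100.7", 80))  # ('129.10.20.1', 1024)
    print(r2.outbound("192.168.101.11", 50000, "198.51.100.7", 80))  # ('129.10.20.1', 1025)
    print(r2.inbound(1025))                                          # ('192.168.101.11', 50000)
```

Two inside hosts using the same source port 50000 get different outside ports, which is exactly what the overload keyword buys over one-to-one NAT.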


• WAN connections are often leased lines, PPP, Frame Relay or ATM, and work on OSI Layer 2.
• Instead of MAC addresses, they have their own Layer 2 addressing (DLCI, VPI/VCI, etc.).


HDLC (High-level Data Link Control)
• Cisco proprietary (enabled by default)
• Low overhead

PPP (Point-to-Point Protocol)
• Open protocol
• Moderate overhead
• Features: authentication, compression, etc.


Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router#show interfaces serial 0/0

Link Control Protocol (LCP) is open (shown as "LCP Open" in the show interfaces output). LCP handles all the features, services and service messages of PPP.

Network Control Protocol family (NCP):
• IP Control Protocol (IPCP) allows IP to work over PPP
• CDP Control Protocol (CDPCP) allows Cisco Discovery Protocol to work over PPP

• PPP can use PAP or CHAP authentication methods
• PAP (Password Authentication Protocol) uses an encrypted password, like the one shown below; encrypted passwords can be decrypted (cracked)
• CHAP (Challenge Handshake Authentication Protocol) uses a hashed password; hashed passwords cannot be decrypted

PAP example. Topology: SantaCruz (DTE, .2/S0) ----- 172.25.3.0/24 serial ----- HQ (DCE, .1/S0)

SantaCruz:
hostname SantaCruz
username HQ password HQpass
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username SantaCruz password SantaCruzpass

HQ:
hostname HQ
username SantaCruz password SantaCruzpass
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username HQ password HQpass

Notes: the sent-username and password must match the remote router's username and password. Passwords are case-sensitive, but usernames are not. Hostnames are not involved.

CHAP example. Topology: SantaCruz (DTE, .2/S0) ----- 172.25.3.0/24 serial ----- HQ (DCE, .1/S0)

SantaCruz:
hostname SantaCruz
username HQ password boardwalk
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname SantaCruz   (optional)

HQ:
hostname HQ
username SantaCruz password boardwalk
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname HQ   (optional)

Notes: hostnames are involved unless the ppp chap hostname command is used, and must match the remote router's username command (not case-sensitive). Passwords are case-sensitive and must match.

Do a

Router#debug ppp authentication

and re-enable the interface (shutdown / no shutdown).

• Layer 1: cable problems result in "Serial0/0/0 is down, line protocol is down"
• Layer 2: clock rate, encapsulation or authentication errors result in "Serial0/0/0 is up, line protocol is down"
• Layer 3: "Serial0/0/0 is up, line protocol is up". Still does not work? PPP is not involved here. Check IP addressing!

Which of the following are key characteristics of PPP (choose two)?
 PPP can work with several routed protocols
 PPP provides error correction and compression
 PPP supports only IP
 PPP works on Layer 3 of the OSI model

Which PPP sub-protocol is responsible for establishing and terminating the connection?
o NCP
o IPCP
o CDP
o LCP
o DLCI
o VPI/VCI

The PPP link between RTA and RTB seems to be down. What could be the problem?
o Incorrect IP addressing
o Wrong type of cable
o Incorrect encapsulation on Layer 2
o Link reliability is too poor

• Packet switched: X.25 => Frame Relay => ATM => MPLS
• Can be more flexible than leased lines; bandwidth may vary
• Point-to-point or multipoint

• CIR (Committed Information Rate) – minimum bandwidth guaranteed by the ISP
• LAR (Local Access Rate) – local physical link – maximum bandwidth (like 100 Mb/s for FastEthernet)
• LMI (Local Management Interface) – "language" used between the ISP and the end device. Purpose – manage service parameters of the connection (quality, statistics, etc.)
• DLCI (Data Link Connection Identifier) – analog of a MAC address used in FR
• PVC (Permanent Virtual Circuit) – your dedicated virtual link, the way through a cloud

Your serial link can have many PVCs, each of them with its own agreed CIR and DLCI. You can have many PVCs as long as their summed bandwidth fits the LAR.

• FECN (Forward Explicit Congestion Notification) – indicates frames that the switch receives on the congested link
• BECN (Backward Explicit Congestion Notification) – packets that the switch places onto the congested link
• DE (Discard Eligibility) – flag set on "less important" packets that can be dropped in case of congestion

• In FR, DLCIs are used instead of MAC addresses
• DLCIs are locally significant
• You only know your local (own) DLCI, and you never know the "destination" DLCI
• PVC is your path through a FR cloud, but you don't care how it's selected. This is the ISP's responsibility, not yours
• You should only care about your DLCI

• Multipoint is similar to shared Ethernet, but issues like split horizon can appear
• P2P is similar to inter-VLAN routing, where each subinterface has its own IP network

Multipoint subinterface at the hub and point-to-point subinterfaces at the spokes (one subnet)

Notes
• Highly scalable solution
• Disable split horizon on the hub router when running a distance vector routing protocol

Interface Serial0 (for all routers):
 encapsulation frame-relay
 no ip address

HubCity:
 interface Serial0.1 multipoint
  ip address 172.16.3.3 255.255.255.0
  frame-relay interface-dlci 301
  frame-relay interface-dlci 302
  no ip split-horizon

Spokane:
 interface Serial0.1 point-to-point
  ip address 172.16.3.1 255.255.255.0
  frame-relay interface-dlci 103

Spokomo:
 interface Serial0.1 point-to-point
  ip address 172.16.3.2 255.255.255.0
  frame-relay interface-dlci 203

Topology: Headquarters Hub City, Serial 0, 172.16.3.3, DLCI 301 and DLCI 302 into the Frame Relay network; Satellite Office 1 Spokane, Serial 0, 172.16.3.1, DLCI 103; Satellite Office 2 Spokomo, Serial 0, 172.16.3.2, DLCI 203. One subnet.

Point-to-point subinterfaces at the hub and spokes (two subnets)

• Each subinterface on the hub router requires a separate subnet (or network)
• Each subinterface on the hub router is treated like a regular physical point-to-point interface, so split horizon does not need to be disabled.

Interface Serial0 (for all routers):
 encapsulation frame-relay
 no ip address

HubCity:
 interface Serial0.1 point-to-point
  ip address 172.16.1.1 255.255.255.0
  frame-relay interface-dlci 301
 interface Serial0.2 point-to-point
  ip address 172.16.2.1 255.255.255.0
  frame-relay interface-dlci 302

Spokane:
 interface Serial0.1 point-to-point
  ip address 172.16.1.2 255.255.255.0
  frame-relay interface-dlci 103

Spokomo:
 interface Serial0.1 point-to-point
  ip address 172.16.2.2 255.255.255.0
  frame-relay interface-dlci 203

Topology: Headquarters Hub City, Serial 0.1 172.16.1.1/24 DLCI 301 and Serial 0.2 172.16.2.1/24 DLCI 302 into the Frame Relay network; Satellite Office 1 Spokane, Serial 0.1, 172.16.1.2/24, DLCI 103; Satellite Office 2 Spokomo, Serial 0.1, 172.16.2.2/24, DLCI 203. Two subnets.

With a multipoint subinterface you:
• can have multiple DLCIs assigned to it
• can use frame-relay map and frame-relay interface-dlci statements
• can use Inverse ARP

Remember, with point-to-point subinterfaces you:
• cannot have multiple DLCIs associated with a single point-to-point subinterface
• cannot use frame-relay map statements
• cannot use Inverse ARP

(The frame-relay interface-dlci statement can be used for both point-to-point and multipoint.)

What are three Frame Relay congestion management mechanisms? (Choose three.)
 BECN
 DLCI
 DE
 FECN
 LMI
 Inverse ARP

Router#show frame-relay map
Serial0/0/0 (up): ip 10.0.0.2 dlci 102, dynamic, broadcast, CISCO, status defined, active

Based on the output of the router connected to a FR cloud, what is the meaning of the "dynamic" statement?
 DLCI 102 has been dynamically allocated by the ISP
 Interface S0/0/0 was dynamically configured with the help of DLCI 102
 IP address 10.0.0.2 is configured via DHCP
 The remote IP address 10.0.0.2 was mapped to the local DLCI 102 dynamically via Inverse ARP

What are the three possible LMI types?
 PAgP
 IETF
 CDPCP
 Cisco
 ANSI
 inARP
 Q.933 A

Why is this FR network failing?
o Split horizon must be disabled.
o The LMI type must be specified.
o Logical subinterfaces must be used instead.
o The frame-relay map commands are using incorrect DLCIs.

• ACLs are for identifying traffic: permitting, denying, enabling or disabling something.
• Not just a traffic filter or firewall. Can be used in:
  • Traffic control
  • Access control
  • NAT
  • Quality of Service
  • Demand dial routing
  • Route filtering
  • ...and more
• ACLs are read from TOP to BOTTOM and STOP at the FIRST match
• Invisible implicit "deny any" at the end
• Applied to an interface inbound or outbound, assuming that you are "inside" the router

STANDARD
• Matches based on source address
• Numbers 1–99
• Applied to the port closest to the destination

EXTENDED
• Matches based on source/destination address, port number, protocol
• Numbers 100–199
• Applied to the port closest to the source

REFLEXIVE
• Allows return traffic from an internal request (established)

• Network mask is a way to understand where the network portion of the IP address ends and where the host portion begins
• Wildcard mask is a tool for filtering IP address bits.
• What bits should go through a "security control"?

[Figure: binary worked example. Top: IP address ANDed with the subnet mask (logical ANDing process) gives the network address, with the network portion and host portion marked. Bottom: reference IP, wildcard mask and subject IP; wildcard 0 bits are marked "check these bits", wildcard 1 bits "don't care".]

• Wildcard mask 0.0.1.128
• Will require the first 23 and the last 7 bits of the IP to be checked
• Given the reference IP 192.168.2.38:
 192.168.2.38 – ok
 192.168.2.166 – ok
 192.168.3.38 – ok
 192.168.3.166 – ok
All others will not match!

[Figure: reference IP 192.168.2.38 and wildcard mask 0.0.1.128 in binary, compared bit by bit against the subjects 192.168.2.166, 192.168.3.38, 192.168.3.166 and 192.168.3.39; the two wildcard 1 bits are marked "don't care", all other bits "check these bits".]

Example: 172.16.32.0 255.255.240.0

RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255

We can calculate the wildcard mask by:

                 255 . 255 . 255 . 255
Subnet mask:   - 255 . 255 . 240 .   0
               ----------------------
Wildcard mask:     0 .   0 .  15 . 255

Remember:
• The wildcard mask for a given contiguous network is always the inverse of the subnet mask, NOT vice versa.
• If not sure, think in binary! ...Twice!
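An added example (not code from the slides) that carries both of the preceding worked cases through in code: bit-wise wildcard matching for the non-contiguous wildcard 0.0.1.128 against reference 192.168.2.38, and the subnet-mask-to-wildcard subtraction for 255.255.240.0. It also generalises the slide's point that the inversion only works in one direction by rejecting non-contiguous subnet masks.

```python
# Added example (not from the slides): wildcard-mask matching and subnet-mask
# inversion on the deck's own cases: reference 192.168.2.38 with wildcard
# 0.0.1.128, and subnet mask 255.255.240.0 giving wildcard 0.0.15.255.

def ip_to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer (with range checking)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def wildcard_match(reference, wildcard, subject):
    """Wildcard bit 0 = 'check this bit', 1 = 'don't care'.

    The subject matches when it agrees with the reference on every checked
    bit; this works for non-contiguous wildcards such as 0.0.1.128 too.
    """
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(reference) & care) == (ip_to_int(subject) & care)

def checked_bit_count(wildcard):
    """How many of the 32 address bits the wildcard actually checks."""
    return 32 - bin(ip_to_int(wildcard)).count("1")

def wildcard_from_subnet_mask(mask):
    """255.255.255.255 minus the subnet mask, as the slide computes it.

    Only a contiguous subnet mask has a wildcard equivalent; the reverse
    (wildcard -> subnet mask) is not always possible, e.g. 0.0.1.128.
    """
    value = ip_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return int_to_ip(0xFFFFFFFF - value)

def matching_hosts(reference, wildcard, candidates):
    """Filter candidates the way 'access-list N permit REF WILD' would."""
    return [h for h in candidates if wildcard_match(reference, wildcard, h)]

if __name__ == "__main__":
    hosts = ["192.168.2.38", "192.168.2.166", "192.168.3.38",
             "192.168.3.166", "192.168.3.39"]
    print(matching_hosts("192.168.2.38", "0.0.1.128", hosts))  # first four only
    print(checked_bit_count("0.0.1.128"))                       # 30 = 23 + 7
    print(wildcard_from_subnet_mask("255.255.240.0"))           # 0.0.15.255
```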

Standard ACL Extended ACL Named ACL


A network administrator would like to permit access to the internet only for the hosts that are assigned an address in the range 172.16.8.0 – 172.16.15.255. Which wildcard mask should be used?
o 0.0.0.255
o 0.0.255.255
o 0.0.3.255
o 255.255.248.0
o 0.0.7.255

There is a need to restrict telnet access to R2's LAN for all R1's LAN users. Which ACL can be used in this case, and where should it be applied?

 Option 1:
R1(config)#access-list 101 deny tcp 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

 Option 2:
R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

 Option 3:
R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

 Option 4:
R2(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R2(config)#access-list 101 permit ip any any
R2(config)#interface fa 0/0
R2(config-if)#ip access-group 101 in

The access list below was applied on the e0/0 interface connected to the 192.168.1.16/29 LAN, in the outbound direction:

access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any
access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any

What is the effect of such an ACL?
 FTP traffic from 192.168.1.38 will be denied
 FTP traffic from 192.168.1.28 to any host will be denied
 No traffic except FTP will be allowed to exit e0/0
 All traffic exiting e0/0 will be denied
 All FTP traffic to network 192.168.1.16/20 will be denied

Comment: this ACL will deny all traffic because of the implicit DENY ANY. To avoid it, the statement "access-list 129 permit ip any any" should have been added below.
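An added example (not code from the slides) that models the evaluation rules the deck states, top to bottom, first match wins, implicit deny any at the end, and runs them over access-list 129 as written and with the missing permit ip any any added. The parser handles only the two statement shapes that appear on the slides; the sample packets are constructed.

```python
# Added example (not from the slides): numbered extended ACL evaluated IOS-style,
# top to bottom, first match wins, invisible "deny ip any any" at the end.
# Syntax handled: access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT],
# SRC/DST being "any" or "ADDRESS WILDCARD".

def _ip_to_int(dotted):
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _wildcard_match(reference, wildcard, subject):
    """Wildcard bit 0 = check this bit, 1 = don't care."""
    care = ~_ip_to_int(wildcard) & 0xFFFFFFFF
    return (_ip_to_int(reference) & care) == (_ip_to_int(subject) & care)

def _take_spec(tokens):
    """Consume one address spec (+ optional 'eq PORT'); return (addr, wild, port, rest)."""
    if tokens[0] == "any":
        addr, wild, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    else:
        addr, wild, rest = tokens[0], tokens[1], tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return addr, wild, port, rest

def parse_acl(lines):
    """Parse ACL lines into (action, proto, src, swild, sport, dst, dwild, dport)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0].lower() != "access-list":
            raise ValueError(f"unsupported ACL line: {line}")
        action, proto = tok[2], tok[3]
        src, swild, sport, rest = _take_spec(tok[4:])
        dst, dwild, dport, rest = _take_spec(rest)
        entries.append((action, proto, src, swild, sport, dst, dwild, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet, the way IOS walks the list."""
    for action, eproto, es, ew, ep, ed, edw, edp in entries:
        if eproto != "ip" and eproto != proto:
            continue                       # 'ip' matches every IP protocol
        if not _wildcard_match(es, ew, src) or not _wildcard_match(ed, edw, dst):
            continue
        if (ep is not None and ep != sport) or (edp is not None and edp != dport):
            continue
        return action                      # first match wins; stop here
    return "deny"                          # implicit deny any at the end

# The slide's ACL 129 (constructed copy) and the corrected version.
ACL_129 = ["access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any",
           "access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any"]
ACL_129_FIXED = ACL_129 + ["access-list 129 permit ip any any"]
```

With ACL_129 a plain web flow from 192.168.1.18 (inside the /29) is denied by the implicit entry even though no statement names port 80; with ACL_129_FIXED only FTP source ports 20 and 21 from the /29 are denied.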


• Use a common approach: bottom-up through the OSI model
• Check all LEDs on your hardware
• Use the Windows utilities ipconfig, ping and tracert (trace route)
• Remember possible "show" commands
• CDP can help, do not forget about it!
• Be confident with debug commands and what they represent
• Be very careful when subnetting, think twice!

General
• sh running-config

Layer 1
• sh ip interface brief
• sh interfaces

Layer 2
• sh cdp neighbors detail
• sh frame-relay ?
• debug ppp ?

L2 Switching
• Sw#sh mac-address-table
• Sw#sh vlan brief
• Sw#sh spanning-tree
• Sw#sh vtp status
• Sw#sh interfaces [trunk, switchport]

Layer 3
• sh ip route
• sh ip protocols
• sh ip interface
• sh ip [routing protocol name] ?
• sh ip nat ?
• sh access-lists
• sh ip dhcp ?
• debug ip rip

Summary:
• PPP
  • Understanding PPP
  • PPP authentication
  • PPP configuration
• Frame Relay
  • Understanding Frame Relay and terminology
  • Frame Relay topologies
  • Point-to-Point and Multipoint Frame Relay
• Access Lists
  • What are ACLs
  • Understanding and calculating the wildcard mask
  • Configuring ACLs
• Troubleshooting
  • Frequently used commands

Thank you.