Introduction

The Cisco Certified Internetwork Expert (CCIE) certification may be the most challenging and prestigious of all networking certifications. It has received numerous awards, and certainly has built a reputation as one of the most difficult certifications to earn in all of the computing world. Having a CCIE certification opens doors professionally, typically results in higher pay, and looks great on a résumé. Cisco currently offers several CCIE certifications, with several others that are no...

About the Contributing Authors

Jim Geier, author of Chapters 22 and 23, is the founder of Wireless-Nets, Ltd., (www.wireless-nets.com) and the company's principal consultant. His 25 years of experience includes the analysis, design, development, installation, and support of numerous wired and wireless network systems for cities, enterprises, airports, retail stores, manufacturing facilities, warehouses, and hospitals throughout the world. Under Wireless-Nets, Ltd., Jim founded the Independent Wireless Networking Academy...

Ad Hoc Mode Configuration

Instead of forming an infrastructure wireless LAN, the 802.11 standard allows users to optionally connect directly to each other in what is referred to as ad hoc mode, illustrated in Figure 22-3. The rationale behind this form of networking is to enable users to spontaneously set up wireless LANs. This optional mode is available to users on most radio cards. With ad hoc mode, there is no need for access points. The wireless connection is made directly between the users in a peer-to-peer...

Aggregatable Global Unicast Addresses

IPv6 defines several different types of unicast addresses. The format used for publicly registered addresses is called aggregatable global unicast. The term aggregatable refers to the fact that these addresses can be easily aggregated to reduce the problem of large Internet routing tables. The term global refers to the fact that the address is a registered public IP address, routable through the global Internet. In short, when a company obtains a registered IPv6 prefix from a Regional Internet...

Architecture Overview

Traditional IP packet forwarding analyzes the destination IP address contained in the network layer header of each packet as the packet travels from its source to its final destination. A router analyzes the destination IP address independently at each hop in the network. Dynamic routing protocols or static configuration builds the database needed to analyze the destination IP address (the routing table). The process of implementing traditional IP routing also is called hop-by-hop...

Autonegotiation Speed and Duplex

By default, each Cisco switch port uses Ethernet auto-negotiation to determine the speed and duplex setting (half or full). The switches can also set their duplex setting with the duplex interface subcommand, and their speed with (you guessed it) the speed interface subcommand. Switches can dynamically detect the speed setting on a particular Ethernet segment by using a few different methods. Cisco switches (and many other devices) can sense the speed using the Fast Link Pulses (FLP) of the...

BGP Routing Policies

This chapter examines the tools available to define BGP routing policies. A BGP routing policy defines the rules used by one or more routers to impact two main goals: filtering routes, and influencing which routes are considered the best routes by BGP. BGP filtering tools are mostly straightforward, with the exception of AS_PATH filtering. AS_PATH filters use regular expressions to match the AS_PATH path attribute (PA), making the configuration challenging. Beyond that, most of the BGP filtering...

Building the BGP Table

The BGP topology table, also called the BGP Routing Information Base (RIB), holds the network layer reachability information (NLRI) learned by BGP, as well as the associated PAs. An NLRI is simply an IP prefix and prefix length. This section focuses on the process of how BGP injects NLRI into a router's BGP table, followed by how routers advertise their associated PAs and NLRI to neighbors. NOTE: Technically, BGP does not advertise routes; rather, it advertises PAs plus a set of NLRI that shares...

CB Marking Design Choices

The intent of CB Marking is to simplify the work required of other QoS tools by marking packets of the same class with the same QoS marking. For other QoS tools to take advantage of those markings, packets should generally be marked as close to the ingress point of the packet as possible. However, the earliest possible point may not be a trusted device. For instance, in Figure 14-5 (the figure upon which Examples 14-3 and 14-4 are based), Server1 could set its own DSCP and even CoS if its NIC...

CB Shaping to a Peak Rate

The shape average command has been used in all the examples so far. However, the command shape peak mean-rate is also allowed, which implements slightly different behavior as compared with shape average for the same configured rate. The key actions of the shape peak mean-rate command are summarized as follows. Key Point: It calculates (or defaults) Bc, Be, and Tc the same way as the shape average command. It refills Bc + Be tokens (instead of just Bc tokens) into the token bucket for each time...

Chapter

BGP neighbors must reach the established state, a steady state in which Update messages can be sent and received as needed. 2. c. While eBGP neighbors often share a common link, there is no requirement that neighbors must be connected to the same subnet. 3. a, d. BGP sets TTL to 1 only for messages sent over eBGP connections, so the ebgp-multihop option is only required in that case. The BGP router ID can be set to any syntactically valid number, in the format of an IP address, using the bgp...

CIDR Private Addresses and NAT

The sky was falling in the early 1990s in that the commercialization of the Internet was rapidly depleting the IP Version 4 address space. Also, Internet routers' routing tables were doubling annually (at least). Without some changes, the incredible growth of the Internet in the 1990s would have been stifled. To solve the problems associated with this rapid growth, several short-term solutions were created, as well as an ultimate long-term solution. The short-term solutions included classless...

Cisco 3550 Congestion Avoidance

Catalyst 3550 Gigabit interfaces support a mutually exclusive choice of either WRED or tail-drop logic for managing drops in egress queues. 3550 Fast Ethernet interfaces do not use WRED or tail drop, but rather use a switch-specific method of managing internal buffers (which is not covered in this book). Cisco 3550 WRED has the same overall strategy as WRED as implemented in Cisco routers, but with many differences in implementation details. The key features of Cisco 3550 WRED are as follows,...

Cisco SWAN Hardware

When building a wireless LAN based on Cisco SWAN, a company must choose components designed to fit into the architecture. Cisco SWAN includes the components described in Table 23-2. These access points, which must run Cisco IOS Software to be part of SWAN, are a mandatory component of Cisco SWAN. They enable roaming throughout the network and interconnect wireless LAN users to the wired network. Table 23-2 Cisco SWAN Hardware (Continued) Cisco SWAN...

Cisco Wireless LAN Hardware

Cisco has a complete line of wireless LAN hardware that addresses the needs of enterprises, public networks, and homes. The following list identifies each of these devices, by category, that integrate into SWAN: Cisco Aironet 1300 Series: A multifunctional component that provides access point and bridge functionality for network connections within an outdoor campus area. The 1300 Series supports the 802.11b/g standards. Cisco Aironet 1230AG Series: Has dual antenna connectors for extending range,...

Class Based Shaping Configuration

Class-Based Shaping (CB Shaping) implements all the core concepts described so far in this chapter, plus several other important features. First, it allows for several Cisco IOS queuing tools to be applied to the packets delayed by the shaping process. At the same time, it allows for fancy queuing tools to be used on the interface software queues. It also allows for classification of packets, so that some types of packets can be shaped at one rate, a second type of packet can be shaped at...

Classification Using Class Maps

MQC-based tools classify packets using the match subcommand inside an MQC class map. The following list details the rules surrounding how class maps work for matching and classifying packets. Key Point: The match command has many options for matching packets, including QoS fields, ACLs, and MAC addresses. (See Table 14-10 in the Foundation Summary section for a reference.) The match protocol command means that IOS uses Network Based Application Recognition (NBAR) to perform that match. The match...

Classless and Classful Routing

So far this chapter has reviewed the basic forwarding process for IP packets in a Cisco router. The logic requires matching the packet destination with the routing table, or with the CEF FIB if CEF is enabled, or with other tables for the other options Cisco uses for route table lookup. (Those options include fast switching in routers and NetFlow switching in multilayer switches, both of which populate an optimized forwarding table based on flows, but not on the contents of the routing table.)...

Classless Interdomain Routing

CIDR is a convention defined in RFCs 1517 through 1520 that calls for aggregating routes for multiple classful network numbers into a single routing table entry. The primary goal of CIDR is to improve the scalability of Internet routers' routing tables. Imagine the implications of an Internet router being burdened by carrying a route to every class A, B, and C network on the planet! CIDR uses both technical tools and administrative strategies to reduce the size of the Internet routing tables....

Comparing Wireless Security

There are many options available for security, and you will need to make a decision on which one to use. Table 22-4 compares the various security mechanisms. Table 22-4 Wireless Security Mechanisms (table cells flattened in extraction): Can crack with freely available tools; Static keys common to both the radio cards and access point; Adequate security for most wireless LANs; Unique keys automatically assigned to radio cards, and keys change periodically...

Comparison of PIM-DM and PIM-SM

One of the most confusing parts of the PIM-DM and PIM-SM designs is that it appears that if sources keep sending, and receivers keep listening, there is no difference between the end results of the end-user multicast packet flow using these two options. Once PIM-SM completes its more complicated processes, the routers near the receivers have all joined the SPT to the source, and the most efficient forwarding paths are used for each (S,G) tree. Although its underlying operation is a bit more...

Configuring OSPF Authentication

One of the keys to keeping OSPF authentication configuration straight is to remember that it differs significantly with RIPv2 and EIGRP, although some of the concepts are very similar. The basic rules for configuring OSPF authentication are as follows: Three types are available: type 0 (none), type 1 (clear text), and type 2 (MD5). Authentication is enabled per interface using the ip ospf authentication interface subcommand. The default authentication is type 0 (no authentication). The default...

Configuring Trunking on Routers

VLAN trunking can be used on routers and hosts as well as on switches. However, routers do not support DTP, so you must manually configure them to support trunking. Additionally, you must manually configure a switch on the other end of the segment to trunk, because the router does not participate in DTP. The majority of router trunking configurations use subinterfaces, with each subinterface being associated with one VLAN. The subinterface number does not have to match the VLAN ID; rather, the...

Congestion Management and Avoidance

Congestion management, commonly called queuing, refers to how a router or switch manages packets or frames while they wait to exit a device. With routers, the waiting occurs once IP forwarding has been completed, so the queuing is always considered to be output queuing. LAN switches often support both output queuing and input queuing, where input queuing is used for received frames that are waiting to be switched to the switch's output interfaces. Congestion avoidance refers to the logic used...

Converged Steady State Operation

Example 8-1 shows a few details of R1's operation while all interfaces in Figure 8-1 are up and working. The example lists the basic (and identical) RIP configuration on all four routers; configuration will be covered in more detail later in the chapter. As configured, all four routers are using only RIPv2, on all interfaces shown in Figure 8-1. Read the comments in Example 8-1 for explanations of the output. Example 8-1 Steady-State RIP Operation in Figure 8-1: All routers use the same three...

Converging to a New STP Topology

STP logic monitors the normal ongoing Hello process when the network topology is stable; when the Hello process changes, STP then needs to react and converge to a new STP topology. When STP has a stable topology, the following occurs: 1. The root switch generates a Hello regularly based on the Hello timer. 2. Each non-root switch regularly (based on the Hello timer) receives a copy of the root's Hello on its RP. 3. Each switch updates and forwards the Hello out its Designated Ports. 4. For each...

Definitions

Next, take a few moments to write down the definitions for the following terms: CST, STP, MST, RSTP, Hello timer, Maxage timer, Forward Delay timer, blocking state, forwarding state, listening state, learning state, disabled state, alternate state, discarding state, backup state, Root Port, Designated Port, superior BPDU, PVST+, UplinkFast, BackboneFast, PortFast, Root Guard, BPDU Guard, UDLD, Loop Guard, LACP, PAgP. Refer to the CD-based glossary to check your answers. Further Reading: The topics...

Differentiated Packet Servicing

Conventional IP packet forwarding uses only the IP destination address contained within the Layer 3 header within a packet to make a forwarding decision. The hop-by-hop destination-only paradigm used today prevents a number of innovative approaches to network design and traffic-flow optimization. In Figure C-2, for example, the direct link between the San Francisco core router and the Washington core router forwards the traffic entering the network in any of the Bay Area Points-of-Presence...

Distance Vector Multicast Routing Protocol

RFC 1075 describes Version 1 of DVMRP. DVMRP has many versions. The operation of DVMRP is similar to PIM-DM. The major differences between PIM-DM and DVMRP are defined as follows: Cisco IOS does not support a full implementation of DVMRP; however, it does support connectivity to a DVMRP network. DVMRP uses its own distance vector routing protocol that is similar to RIPv2. It sends route updates every 60 seconds and considers 32 hops as infinity. Use of its own routing protocol adds more overhead to DVMRP...

Do I Know This Already Quiz

Table 23-1 outlines the major sections in this chapter and the corresponding "Do I Know This Already?" quiz questions. Table 23-1 "Do I Know This Already?" Foundation Topics Section-to-Question Mapping: Cisco Structured Wireless-Aware Network; Applying Wireless LANs in Enterprises. In order to best use this pre-chapter assessment, remember to score yourself strictly. You can find the answers in Appendix A, Answers to the 'Do...

EIGRP Configuration Example

Example 9-6 lists the configuration for R1, R2, R4, and R5 from Figure 9-4. The routers were configured based on the following design goals: Configure K values to ignore bandwidth. Configure R5 as an EIGRP stub router. Ensure that R2's LAN interface uses a Hello and Hold time of 2 and 6, respectively. Configure R4 to allow 75 percent of interface bandwidth for EIGRP updates. Advertise R4's LAN subnet, but do not attempt to send or receive EIGRP updates on the LAN. Example 9-6 Basic EIGRP...

EIGRP Updates

Once routers are adjacent, they can exchange routes using EIGRP Update messages. The process follows this general sequence: 1. Initially, full updates are sent, including all routes except those omitted due to split horizon. 2. Once all routes have been exchanged, the updates cease. 3. Future partial updates occur when one or more routes change. 4. If neighbors fail and recover, or new neighbor adjacencies are formed, full updates are sent. EIGRP uses the Reliable Transport Protocol (RTP) to...

Ej

(Figure 21-6 label: DHCP Reply: Use IP-B, Gateway 10.1.1.2) The following steps explain how the attacker's PC can become a man in the middle in Figure 21-6: 1. PC-B requests an IP address using DHCP. 2. The attacker PC replies, and assigns a good IP mask, but using its own IP address as the default gateway. 3. PC-B sends data frames to the attacker, thinking that the attacker is the default gateway. 4. The attacker forwards copies of the packets, becoming a man in the middle. NOTE: PC-B will use the first DHCP reply,...

Enabling RIP and the Effects of Autosummarization

Example 8-4 covers basic RIP configuration, the meaning and implication of the RIP network command, and the effects of the default setting for autosummarization. To examine just those functions, Example 8-4 shows the related RIP configuration on R1, R2, and R6, along with some command output. Example 8-4 Basic RIP Configuration on R1, R2, R4, and S1: First, the three lines of configuration are the same on R1 and S1 (Point 1): the version 2 command tells R1 to send and receive only RIPv2 updates,...

Filtering with Distribute Lists and Prefix Lists

Outbound and inbound RIP updates can be filtered at any interface, or for the entire RIP process. To filter the routes, the distribute-list command is used under router rip, referencing an IP ACL or an IP prefix list. Any subnets matched with a permit clause in the ACL make it through; any that match with a deny action are filtered. The distribution list filtering can be performed for either direction of flow (in or out) and, optionally, for a particular interface. If the interface option is...

Foundation Summary

This section lists additional details and facts to round out the coverage of the topics in this chapter. Unlike most of the Cisco Press Exam Certification Guides, this book does not repeat information presented in the Foundation Topics section of the chapter. Please take the time to read and study the details in the Foundation Topics section of the chapter, as well as review the items in the Foundation Topics section noted with a Key Point icon. Table 2-10 lists some of the most popular IOS...

Foundation Topics

Like Interior Gateway Protocols (IGPs), BGP exchanges topology information in order for routers to eventually learn the best routes to a set of IP prefixes. Unlike IGPs, BGP does not use a metric to select the best route among alternate routes to the same destination. Instead, BGP uses several BGP path attributes (PAs) and an involved decision process when choosing between multiple possible routes to the same subnet. BGP uses the BGP autonomous system path (AS_PATH) PA as its default metric...

Frame Relay Concepts

Frame Relay remains the most commonly deployed WAN technology used by routers. A slow migration away from Frame Relay has already begun with the advent and rapid growth of IP-based VPNs and MPLS. However, Frame Relay will likely be a mainstay of enterprise networks for the foreseeable future. Frame Relay standards have been developed by many groups. Early on, Cisco and some other companies (called the gang of four) developed vendor standards to aid Frame Relay adoption and product development....

Frame Relay Data Link Connection Identifiers

To connect two DTEs, an FR service uses a virtual circuit (VC) between pairs of routers. A router can then send an FR frame with the appropriate (typically) 10-bit Data Link Connection Identifier (DLCI) header field that identifies each VC. The intermediary FR switches forward the frame based on its DLCI, until the frame eventually exits the FR service out the access link to the router on the other end of the VC. FR DLCIs are locally significant, meaning that a particular DLCI value only...

Frame Relay Payload Compression

Cisco IOS software supports three options for payload compression on Frame Relay VCs: packet-by-packet, data-stream, and Frame Relay Forum Implementation Agreement 9 (FRF.9). FRF.9 is the only standardized protocol of the three options. FRF.9 compression and data-stream compression function basically the same way; the only real difference is that FRF.9 implies compatibility with non-Cisco devices. All three FR compression options use LZS as the compression algorithm, but one key difference...

Frame Mode MPLS Data Plane Operation

There are three major steps in the propagation of an IP packet across an MPLS backbone. The Ingress Edge-LSR receives an IP packet, classifies the packet into a forward equivalence class (FEC), and labels the packet with the outgoing label stack corresponding to the FEC. For unicast destination-based IP routing, the FEC corresponds to a destination subnet and the packet classification is a traditional Layer 3 lookup in the forwarding table. Core LSRs receive this labeled packet and use label...

Frame Mode MPLS Operation

In the first section of this appendix you saw the overall MPLS architecture as well as the underlying concepts. This chapter focuses on one particular application: unicast destination-based IP routing in a pure router environment (also called Frame-mode MPLS because the labeled packets are exchanged as frames on Layer 2). This section first focuses on the MPLS data plane, assuming that the labels were somehow agreed upon between the routers. The next section explains the exact mechanisms used to...

FRTS Configuration Using LLQ

FRTS supports a variety of queuing tools for managing packets it queues. The queuing tool is enabled via a command in the map class. Example 16-7 shows just such an example, with a new map class. The requirements implemented in this example are as follows: Shape traffic on the two VCs (101 and 102) on s0/0 with the same settings for shaping. Use LLQ only on the VC with DLCI 101. Set Be to 0, and tune Tc to 10 ms. Note that the example does not show the configuration for policy map queue-voip....

FRTS Configuration Using the traffic-rate Command

FRTS uses two main styles of configuration for the shaping parameters. The frame-relay traffic-rate average peak command configures the average and peak rate, with Cisco IOS calculating Bc and Be with an assumed Tc of 125 ms. This method is simpler to configure, but offers no ability to tune Tc or set Bc and Be. Example 16-5 uses FRTS to implement the same requirements as the first CB Shaping example shown in Example 16-1, except that it uses FIFO queuing for the interface software queues....

Further Reading

Routing TCP/IP, Volume II, by Jeff Doyle and Jennifer DeHaven Carroll
Cisco BGP-4 Command and Configuration Handbook, by William R. Parkhurst
Internet Routing Architectures, by Bassam Halabi
Troubleshooting IP Routing Protocols, by Zaheer Aziz, Johnson Liu, Abe Martey, and Faraz Shamim
Most every reference reached from Cisco's BGP support page at http://www.cisco.com/en/US (requires a CCO username/password).

General Layer 2 Security Recommendations

Recall that the beginning of the Layer 2 Security section outlined the Cisco SAFE Blueprint recommendations for user and unused ports and some general recommendations. The general recommendations include configuring VTP authentication globally on each switch, putting unused switch ports in an unused VLAN, and simply not using VLAN 1. The underlying configuration for each of these general recommendations is covered in Chapter 2. Additionally, Cisco recommends not using the native VLANs on...

General Layer 3 Security Considerations

This section explains a few of the more common ways to avoid Layer 3 attacks.

Smurf Attacks, Directed Broadcasts, and RPF Checks

A smurf attack occurs when a host sends a large number of ICMP Echo Requests with some atypical IP addresses in the packet. The destination address is a subnet broadcast address, also known as a directed broadcast address. Routers forward these packets based on normal matching of the IP routing table, until the packet reaches a router connected to the destination...

Going Active on a Route

The second branch in the local computation logic causes the EIGRP router to ask its neighbors about their current best route to a subnet, hoping to find an available, loop-free alternative route to that subnet. When no FS route is found, the EIGRP router goes active for the route. Going active is jargon for the process of changing a route's status to active. Once the router is active, EIGRP multicasts Query messages to its neighbors, asking the neighbors if they have a valid route to the...

Hellos, Neighbors, and Adjacencies

After a router has been configured for EIGRP, and its interfaces come up, it attempts to find neighbors by sending EIGRP Hellos (destination 224.0.0.10). Once a pair of routers have heard each other say Hello, they become adjacent, assuming several key conditions are met. Once neighbors pass the checks in the following list, they are considered to be adjacent. At that point, they can exchange routes and are listed in the output of the show ip eigrp neighbor command. Key Point: Must pass the...

How Multicasting Provides a Scalable and Manageable Solution

The six basic requirements for supporting multicast across a routed network are as follows: A designated range of Layer 3 addresses that can only be used by multicast applications must exist. A network administrator needs to install a multicast application on a multicast server using a Layer 3 multicast address from the designated range. A multicast address must be used only as a destination IP address, and specifically not as a source IP address. Unlike a unicast IP packet, a destination IP...

How WRED Weights Packets

WRED gives preference to packets with certain IPP or DSCP values. To do so, WRED uses different traffic profiles for packets with different IPP and DSCP values. A WRED traffic profile consists of a setting for three key WRED variables: the minimum threshold, the maximum threshold, and the MPD. Figure 15-10 shows just such a case, with two WRED traffic profiles (for IPP 0 and IPP 3). As Figure 15-10 illustrates, IPP 3's minimum threshold was higher than for IPP 0. As a result, IPP 0 traffic will...

ICMP Redirect

ICMP Redirect messages allow a host's default gateway router to inform local hosts of a better router to use to reach certain destinations. To do so, a router sends an ICMP Redirect to the host to tell it the IP address of the better alternative router. For example, in Figure 5-2, the PC uses RouterB as its default router, but RouterA's route to subnet 10.1.4.0/24 is a better route. Following the steps in Figure 5-2: 1. The PC sends a packet, destined for subnet 10.1.4.0/24, to RouterB. 2....

ICMP Unreachable

When a device realizes that a packet cannot be delivered to its destination, the device sends an ICMP Unreachable message. To help determine the root cause of why the packet cannot be delivered, the ICMP Unreachable message includes one of five code field values to convey the reason for the failure. For instance, in Figure 5-1, assume that Fred is trying to connect to the web server, called Web. Table 5-3, following the figure, lists the key ICMP Unreachable message codes, along with an example...

Info

(Figure 21-7 labels: Eth. | IP | UDP | RADIUS | EAP; RADIUS Message (with EAP Attribute)) Figure 21-7 introduces a couple of general concepts plus several new terms. First, EAP messages are encapsulated directly inside an Ethernet frame when sent between the 802.1X supplicant (user device) and the 802.1X authenticator (switch). These frames are called EAP over LAN (EAPoL) frames. However, RADIUS expects the EAP message as a data structure called a RADIUS attribute,...

Infrastructure Mode Configuration

An infrastructure wireless LAN (sometimes referred to as infrastructure mode) is what most companies, public hotspots, and home users implement. An infrastructure wireless LAN, as depicted in Figure 22-1, offers a means to extend a wired network. In this configuration, one or more access points interface wireless mobile devices to the distribution system. Each access point forms a radio cell, also called a basic service set (BSS), which enables wireless users located within the cell to have...

Internet Group Management Protocol

IGMP has evolved from the Host Membership Protocol, described in Dr. Steve Deering's doctoral thesis, to IGMPv1 (RFC 1112), to IGMPv2 (RFC 2236), to the latest, IGMPv3 (RFC 3376). IGMP messages are sent in IP datagrams with IP protocol number 2, with the IP Time-to-Live (TTL) field set to 1. IGMP packets only pass over a LAN, and are not forwarded by routers, due to their TTL field values. The two most important goals of IGMP are as follows. Key Point: To inform a local multicast router that a host...

Intrusion Detection System

Cisco SWAN includes the Wireless LAN Threat Defense Solution, which includes an intrusion detection system (IDS) (refer to Figure 23-2). This safeguards the wireless LAN from malicious and unauthorized access. For example, the IDS detects and suppresses rogue access points by disallowing them to authenticate with the network, and identifies unassociated clients through MAC address association tables. The IDS integrates with the Cisco Self-Defending Network, the Cisco vision for network...

IP Addressing and Subnetting

You need a postal address to receive letters; similarly, computers must use an IP address to be able to send and receive data using the TCP/IP protocols. Just as the postal service dictates the format and meaning of a postal address to aid the efficient delivery of mail, the TCP/IP protocol suite imposes some rules about IP address assignment so that routers can efficiently forward packets between IP hosts. This chapter begins with coverage of the format and meaning of IP addresses, with...

IP Forwarding Routing

Chapter 7 begins the largest part of the book. This part of the book, containing Chapters 7 through 13, focuses on the topics that are the most important and popular for both the CCIE Routing and Switching written and practical (lab) exams. Chapter 7 begins with coverage of the details of the forwarding plane: the actual forwarding of IP packets. This process of forwarding IP packets is often called IP routing, or simply routing. Also, many people refer to IP routing as the data plane,...

IP Multicast Routing

In Chapter 19, Introduction to IP Multicasting, you learned how a multicast router communicates with hosts and then decides whether to forward or stop the multicast traffic on a subnet. But how does a multicast router receive the group traffic? How is the multicast traffic forwarded from a source so that all the group users receive it? This chapter provides answers to those questions. This chapter first defines the multicast routing problem by identifying the difference between unicast and...

IP Precedence and DSCP Compared

The IP header is defined in RFC 791, including a 1-byte field called the Type of Service (ToS) byte. The ToS byte was intended to be used as a field to mark a packet for treatment with QoS tools. The ToS byte itself was further subdivided, with the high-order 3 bits defined as the IP Precedence (IPP) field. The complete list of values from the ToS byte's original IPP 3-bit field, and the corresponding names, is provided in Table 14-2. Table 14-2 IP Precedence Values and Names...

IPv6 Addressing Summary

Besides global addresses, other styles of IPv6 addresses exist. Table 4-14 lists and briefly describes the different types of addresses. Table 4-14 IPv6 Address Type Summary: Unicast IPv6 address must be globally unique. Registered unique globally routable address. Required for each IPv6 interface. Used for processes occurring only on the local link; not routable. Intended for use only within a site. Included in the IPv6 definitions in RFC 3513, but deprecated...

ISL and 802.1Q Concepts

If two devices are to perform trunking, they must agree to use either ISL or 802.1Q, because there are several differences between the two, as summarized in Table 2-7. (Table row: Encapsulates original frame or inserts tag. Footnote 1: ISL originally supported only normal-range VLANs, but was later improved to support extended-range VLANs as well.) ISL and 802.1Q differ in how they add a header to the...

Joining a Group

Before a host can receive any multicast traffic, a multicast application must be installed and run on that host. The process of installing and running a multicast application is referred to as launching an application or joining a multicast group. After a host joins a group, the host software calculates the multicast MAC address and its NIC then starts listening to the multicast MAC address, in addition to its BIA. Before a host (or a user) can join a group, the user needs to know what groups...

Label Bindings and Propagation in Frame Mode MPLS

The previous section identifies the mechanisms necessary to forward labeled packets between the LSRs using framed interfaces (LAN, point-to-point links, or WAN virtual circuits). This section focuses on FEC-to-label bindings and their propagation between LSRs over framed interfaces. Cisco IOS software implements two label binding protocols that can be used to associate IP subnets with MPLS labels for the purpose of unicast destination-based routing: Tag Distribution Protocol (TDP), Cisco's...

Label Switching in Frame Mode MPLS

After receiving the Layer 2 PPP frame from the San Jose router, the San Francisco router immediately identifies the received packet as a labeled packet based on its PPP Protocol field value and performs a label lookup in its Label Forwarding Information Base (LFIB). (Note: LFIB is also called Tag Forwarding Information Base (TFIB) in older Cisco documentation.) The LFIB entry corresponding to inbound label 30 (and displayed in Example C-2) directs the San Francisco router to replace the label 30...

Layer 2 Security

The Cisco SAFE Blueprint document (available at http://www.cisco.com/go/safe) suggests a wide variety of best practices for switch security. In most cases, the recommendations depend on one of three general characterizations of the switch ports, as follows: Unused ports: Switch ports that are not yet connected to any device (for example, switch ports that are pre-cabled to a faceplate in an empty cubicle). User ports: Ports cabled to end-user devices, or any cabling drop that sits in some physically...

Layer 3 Security

The Cisco SAFE Blueprint also lists several best practices for Layer 3 security. The following list summarizes the key Layer 3 security recommendations from the SAFE Blueprint. 1. Enable secure Telnet access to a router user interface, and consider using Secure Shell (SSH) instead of Telnet. 2. Enable SNMP security, particularly adding SNMPv3 support. 3. Turn off all unnecessary services on the router platform. 4. Turn on logging to provide an audit trail. 5. Enable routing protocol...

Local Management Interface

Local Management Interface (LMI) messages manage the local access link between the router and the Frame Relay switch. A Frame Relay DTE can send an LMI Status Enquiry message to the switch; the switch then replies with an LMI Status message to inform the router about the DLCIs of the defined VCs, as well as the status of each VC. By default, the LMI messages flow every 10 seconds. Every sixth message carries a full Status message, which includes more complete status information about each VC....

LSA Types and Network Types

Table 10-4 lists the LSA types and their descriptions for reference; following the table, each type is explained in more detail, in the context of a working network. Type 1 (router LSA): One per router, listing RID and all interface IP addresses. Represents stub networks as well. Type 2 (network LSA): One per transit network. Created by the DR on the subnet, and represents the subnet and the router interfaces connected to the subnet. Type 3 (summary LSA): Created by ABRs to represent one area's type 1 and 2 LSAs when being advertised into another area....

Mapping IP Multicast Addresses to MAC Addresses

Assigning a Layer 3 multicast address to a multicast group (application) automatically generates a Layer 2 multicast address. Figure 19-6 shows how a multicast MAC address is calculated from a Layer 3 multicast address. The MAC address is formed using an IEEE-registered OUI of 01005E, then a binary 0, and then the last 23 bits of the multicast IP address. The method is identical for Ethernet and Fiber Distributed Data Interface (FDDI). Figure 19-6 Calculating a Multicast Destination MAC Address...

Marking Using Policers

Traffic policers measure the traffic rate for data entering or exiting an interface, with the goal of determining if a configured traffic contract has been exceeded. The contract has two components: a traffic rate, configured in bits/second, and a burst size, configured as a number of bytes. If the traffic is within the contract, all packets are considered to have conformed to the contract. However, if the rate or burst exceeds the contract, then some packets are considered to have exceeded the...

Modulation

An RF signal has characteristics that enable it to be sent from an antenna, through the air medium, and received by another antenna at the destination. RF signals are analog in nature. A computer, though, uses digital signals to represent bits of information. Before transmitting data through the air, the transceiver within the radio cards and access points must convert digital signals into analog signals suitable for transmission through the air medium. As part of receiving an 802.11 frame, a...

MPLS Interaction with the Border Gateway Protocol

In the section Label Binding and Distribution, earlier in this appendix, you saw that a label is assigned to every IP prefix in the IP routing table of a router acting as LSR, the only exception being routes learned through the Border Gateway Protocol (BGP). No labels are assigned to these routes and the ingress Edge-LSR uses the label assigned to the BGP next hop to label the packets forwarded toward BGP destinations. To illustrate this phenomenon, assume that the MAE-East router in the...

MPLS Packet Forwarding and Label Switched Paths

Each packet enters an MPLS network at an ingress LSR and exits the MPLS network at an egress LSR. This mechanism creates what is known as a Label Switched Path (LSP), which essentially describes the set of LSRs through which a labeled packet must traverse to reach the egress LSR for a particular FEC. This LSP is unidirectional, which means that a different LSP is used for return traffic from a particular FEC. Figure C-5 MPLS Label Imposition and Forwarding. Step 1 - IP packet arrives at the San...

MPLS VPN Architecture Overview

Virtual private networks (VPNs) have evolved using two major VPN models: overlay VPN and peer-to-peer VPN. The overlay VPN model, most commonly used in a service provider network, dictates that the design and provisioning of virtual circuits across the backbone must be complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service. From a service...

Multicast Address Range and Structure

The Internet Assigned Numbers Authority (IANA) has assigned class D IP addresses to multicast applications. The first 4 bits of the first octet for a class D address are always 1110. IP multicast addresses range from 224.0.0.0 through 239.255.255.255. As these addresses are used to represent multicast groups (applications) and not hosts, there is no need for a subnet mask for multicast addresses because they are not hierarchical. In other words, there is only one requirement for a...

Multicast Addresses for Transient Groups

When an enterprise wants to use globally unique unicast addresses, it needs to get a block of addresses from its ISP or from IANA. However, when an enterprise wants to use a multicast address for a global multicast application, it can use any multicast address that is not part of the well-known permanent multicast address space covered in the previous sections. These remaining multicast addresses are called transient groups or transient multicast addresses. This means that the entire Internet...

Multicast Routing Basics

The main function of any routing protocol is to help routers forward a packet in the right direction, causing the packet to keep moving closer to its desired destination, ultimately reaching its destination. To forward a unicast packet, a router examines the packet's destination address, finds the next-hop address from the unicast routing table, and forwards the packet through the appropriate interface. A unicast packet is forwarded along a single path from the source to the destination. The...

Multiple Spanning Trees (IEEE 802.1s)

IEEE 802.1s Multiple Spanning Trees (MST), sometimes referred to as Multiple Instance STP (MISTP) or Multiple STP (MSTP), defines a way to use multiple instances of STP in a network that uses 802.1Q trunking. The following are some of the main benefits of 802.1s: Like PVST+, it allows the tuning of STP parameters so that while some ports block for one VLAN, the same port can forward in another VLAN. Always uses 802.1w RSTP, for faster convergence. Does not require an STP instance for each VLAN...

Multiprotocol BGP in the SuperCom Network

To illustrate the interaction of per-VPN routing protocols with the MP-BGP used in the service provider network core, consider the case of the FastFood customer in the SuperCom network. Let's assume that the San Jose site is using OSPF to interact with the SuperCom backbone, the Lyon and Santa Clara sites are using RIP, and the Redwood site is using no routing protocol; there is a static route configured on the San Jose PE-router and the default route configured on the Redwood router. The...

Multiprotocol Label Switching Introduction

Multiprotocol Label Switching (MPLS) is an emerging technology that aims to address many of the existing issues associated with packet forwarding in today's Internetworking environment. Members of the IETF community worked extensively to bring a set of standards to market and to evolve the ideas of several vendors and individuals in the area of label switching. The IETF document draft-ietf-mpls-framework contains the framework of this initiative and describes the primary goal as follows: The...

Network Layer Routing Paradigm

Traditional network layer packet forwarding (for example, forwarding of IP packets across the Internet) relies on the information provided by network layer routing protocols (for example, Open Shortest Path First [OSPF] or Border Gateway Protocol [BGP]), or static routing, to make an independent forwarding decision at each hop (router) within the network. The forwarding decision is based solely on the destination unicast IP address. All packets for the same destination follow the same path across...

Network Management and SNMP

This final section of the chapter summarizes some of the core SNMP concepts and details, particularly with regard to features of different SNMP versions. The Simple Network Management Protocol (SNMP), or more formally, the Internet Standard Management Framework, uses a structure in which the device being managed (the SNMP agent) has information that the management software (the SNMP manager) wants to display to someone operating the network. Each SNMP agent keeps a database, called a Management...

Operation of Protocol Independent Multicast Dense Mode

Protocol Independent Multicast (PIM) defines a series of protocol messages and rules by which routers can provide efficient forwarding of multicast IP packets. PIM previously existed as a Cisco-proprietary protocol, although it has been offered as an experimental protocol via RFCs 2362, 3446, and 3973. The PIM specifications spell out the rules mentioned in the earlier examples in this chapter: things like the RPF check, the PIM dense-mode logic of flooding multicasts until routers send Prune...

Optimizing Spanning Tree

Left to default settings, IEEE 802.1D STP works, but convergence might take up to a minute or more for the entire network. For instance, when the root fails, a switch must wait on the 20-second maxage timer to expire. Then, newly forwarding ports spend 15 seconds each in listening and learning states, which makes convergence take 50 seconds for that one switch. Over the years, Cisco added features to its STP code, and later the IEEE made improvements as well. This section covers the key...

OSPF Design and LSAs

This section covers two major topics. Although these might seem to be separate concepts, most OSPF design choices directly impact the LSA types in a network and impose restrictions on which neighbors may exchange those LSAs. This section starts with an OSPF design and terminology review, and then moves on to LSA types. Toward the end of the section, OSPF area types are covered, including how each variation changes how LSAs flow through the different types of OSPF stubby areas.

OSPF Design Terms

OSPF design calls for grouping links into contiguous areas. Routers that connect to links in different areas are Area Border Routers (ABRs). ABRs must connect to area 0, the backbone area, and one or more other areas as well. Autonomous System Boundary Routers (ASBRs) inject routes external to OSPF into the OSPF domain, having learned those routes from wide-ranging sources, from the Border Gateway Protocol (BGP) on down to simple redistribution of static routes. Figure 10-5 shows the terms in...

OSPF Stub Router Configuration

Defined in RFC 3137, and first supported in Cisco IOS Software Release 12.2(4)T, the OSPF stub router feature (not to be confused with stubby areas) allows a router to either temporarily or permanently be prevented from becoming a transit router. In this context, a transit router is simply one to which packets are forwarded, with the expectation that the transit router will forward the packet to yet another router. Conversely, non-transit routers only forward packets to and from locally attached...

Other MPLS Applications

The MPLS architecture, as discussed so far, enables the smooth integration of traditional routers and ATM switches in a unified IP backbone (IP+ATM architecture). The real power of MPLS, however, lies in other applications that were made possible, ranging from traffic engineering to peer-to-peer Virtual Private Networks. All MPLS applications use control-plane functionality similar to the IP routing control plane shown in Figure C-6 to set up the label switching database. Figure C-7 outlines...

Overlapping Virtual Private Networks

The SuperCom example might lead you to believe that a VPN is associated with a single VRF in a PE-router. Although that would be true in the case where the VPN customer needs no connectivity with other VPN customers, the situation might become more complex and require more than one VRF per VPN customer. Imagine that SuperCom wants to extend its service offering with a Voice over IP (VoIP) service with gateways to the public voice network located in San Jose and Paris, as shown in Figure C-21....

Overview of Multicast Routing Protocols

Routers can forward a multicast packet by using either a dense-mode multicast routing protocol or a sparse-mode multicast routing protocol. This section examines the basic concepts of multicast forwarding using dense mode, the reverse-path-forwarding (RPF) check, and multicast forwarding using sparse mode, all of which help to solve the multicast routing problem.

Multicast Forwarding Using Dense Mode

Dense-mode routing protocols assume that the multicast group application is so popular that...

Passive and Active Mode FTP

FTP clients and servers use the typical TCP/IP client/server model for the FTP control connection, with the client initiating a TCP connection to well-known FTP port 21. FTP transfers commands and command acknowledgements over this TCP control connection. However, at some point, data needs to be transferred, and FTP uses a separate but correlated TCP connection for the actual data transfer. FTP clients use one of two modes, passive or active, to define the details of how an FTP data...

Penultimate Hop Popping

An egress Edge-LSR in an MPLS network might have to perform two lookups on a packet received from an MPLS neighbor and destined for a subnet outside the MPLS domain. It must inspect the label in the label stack header, and it must perform the label lookup just to realize that the label has to be popped and the underlying IP packet inspected. An additional Layer 3 lookup must be performed on the IP packet before it can be forwarded to its final destination. Figure C-15 shows the corresponding...

Per-VLAN Spanning Tree and STP over Trunks

If only one instance of STP was used for a switched network with redundant links but with multiple VLANs, several ports would be in a blocking state, unused under stable conditions. The redundant links would essentially be used for backup purposes. The Cisco Per VLAN Spanning Tree Plus (PVST+) feature creates an STP instance for each VLAN. By tuning STP configuration per VLAN, each STP instance can use a different root switch and have different interfaces block. As a result, the traffic load...

Physical Layer Standards

A wireless LAN enables mobile, portable, and stationary devices to easily communicate with each other within an enterprise facility and throughout a campus environment. For example, retail stores have been using wireless LANs since the early 1990s to enable wireless bar code scanning when performing price marking and inventory applications. Despite the relatively high cost for wireless LAN components at that time, the retail stores were still able to achieve significant returns on investment...

Point-to-Point Protocol

The two most popular Layer 2 protocols used on point-to-point links are High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP). The ISO standard for the much older HDLC does not include a Type field, so the Cisco HDLC implementation adds a Cisco-proprietary 2-byte Type field to support multiple protocols over an HDLC link. PPP includes an architected Protocol field, plus a long list of rich features. Table 17-5 points out some of the key comparison points of these two protocols....

Policy Routing

All the options for IP forwarding (routing) in this chapter had one thing in common: the destination IP address in the packet header was the only thing in the packet that was used to determine how the packet was forwarded. Policy routing allows a router to make routing decisions based on information besides the destination IP address. Policy routing's logic begins with the ip policy command on an interface. This command tells IOS to process incoming packets with different logic before the normal...

Priority Queuing

Priority queuing's most distinctive feature is its scheduler. PQ schedules traffic such that the higher-priority queues always get serviced instead of lower-priority queues. PQ uses up to four queues, named high, medium, normal, and low, and they are scheduled as shown in Figure 15-1. The PQ scheduler has some obvious benefits and drawbacks. Packets in the high queue get wonderful service: they can claim 100 percent of the link bandwidth, with minimal delay and minimal jitter. (Generally...

Problems with Unicast and Broadcast Methods

Why not use unicast or broadcast methods to send a message from one source to many destinations? Figure 19-1 shows a video server as a source of a video application and the video data that needs to be delivered to a group of receivers H2, H3, and H4 two hops away across a WAN link. The unicast method requires that the video application send one copy of each packet to every group member's unicast address. To support full-motion, full-screen viewing, the video stream requires about 1.5 Mbps of...