solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ "Ask the Author" customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you're now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.

www.syngress.com/solutions
about itfaqnet.com

Syngress Publishing is a proud sponsor of itfaqnet.com, one of the web's most comprehensive FAQ sites for IT professionals. This is a free service that allows users to query over 10,000 FAQs pertaining to Cisco networking, Microsoft networking, network security tools, .NET development, wireless technology, IP Telephony, Storage Area Networking, Java development and much more. The content on itfaqnet.com is all derived from our hundreds of market proven books, written and reviewed by content experts.

So bookmark ITFAQnet.com as your first stop for mission critical advice from the industry's leading experts.

www.itfaqnet.com
Charles Riley, Technical Editor

Michael E. Flannagan, CCIE | Ron Fuller, CCIE | Umer Khan, CCIE | Wayne A. Lawson II, CCIE | Keith O'Brien, CCIE | Martin Walshaw, CCIE
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®" are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library™," "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
The Best Damn Cisco Internetworking Book Period
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-91-4
Technical Editor: Charles Riley
Technical Reviewer: Jason Campbell
Acquisitions Editor: Catherine B. Nolan
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editors: Judy Eby, Amy Thomson, Beth Roberts
Indexer: J. Edmund Rush
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor

Charles Riley (CCNP, CSS-1, CISSP, CCSA, MCSE, CNE-3) has a long tenure in information technology, and can remember when the Cisco AGS+ was new. Charles has co-authored several books including Routing and Configuring Cisco Voice over IP, Second Edition. Some go bungee jumping, others crochet. Charles writes and tries dangerous network configurations on a non-production rack at home.

The middle son of a tenant farmer and his wife, Charles initially planned to continue the Riley tradition of farming. However, with the collapse of the farm and the kick of an ill-tempered bovine, education became more attractive to the young cowherd. Moving to the metropolis of nearby Remington, he was enticed with the opportunities that urban living offered.

Exhausting the educational offerings of Remington, Charles matriculated at the Model Secondary School for the Deaf in Washington, D.C. before attending Gallaudet University (www.gallaudet.edu). Quick to a decision and even quicker to change his mind, he moved to Florida where he graduated from the University of Central Florida in 1989. Upon graduation, Charles was contacted by and offered a position with the U.S. Army, a relationship that lasted over 10 years. He started as a U.S. Army telecommunications specialist at Fort Huachuca, Arizona, eventually finishing his Army stretch as the network manager of the 7th Army Training Command in Grafenwoehr, Germany. As a consultant for Sprint, he designed and implemented robust networking solutions for large Fortune 500 and privately held companies. He continues unabated in networking today.

I am blessed to have my wife, René, and daughter, Tess. Your love and support during the countless midnight hours spent crafting this book made it all possible. You lift me when the load is heavy.

Everything has a beginning. My writing started with a wonderful teacher, Barbara Gantley, who saw my potential before I did; your patience and dedication were inexhaustible. You embody all that great teachers are. I hope my antics and inappropriately timed sense of humor never made you reconsider your choice of career.
Special Contributor

Dentler is a contributing author for Snort 2.0 Intrusion Detection (Syngress Publishing, ISBN: 1-931836-74-4) and Cisco Security Professional's Guide to Secure Intrusion Detection Systems (ISBN: 1-932266-69-0). Additionally, Scott would like to offer his sincere thanks to Alicia Jensen for her unwavering support during the production of this book.

Contributors

Michael E. Flannagan (CCIE #7651, CCDP, CCNA, 3COM-CSA) is Network Consulting Engineer and Team Leader in the Network Supported Accounts (NSA) Group at Cisco Systems. Mike is a member of the global Quality of Service (QoS) Team and has extensive network design experience, with emphasis on Routing Protocol design and Quality of Service mechanisms. Mike's experience, prior to joining Cisco Systems, includes enterprise network architecture, IT management, and consulting. Mike's QoS testing and research was used to recommend the implementation of various QoS mechanisms for one of the world's largest pharmaceutical companies, and he has participated in large-scale QoS designs for several major US companies. In addition to holding various certifications from Cisco, 3Com, and Nortel Networks, Mike has passed both the CCIE Routing/Switching and the CCIE Design written exams and is currently preparing for his CCIE Lab exams. He lives in Morrisville, NC.

Ron Fuller (CCIE #5851, CSS-Level 1, CCNP, CCDP, MCNE) is a Senior Network Engineer with a large financial institution in Columbus, OH. He currently provides design and engineering support for the network infrastructure. His specialties include Cisco routers and LAN switches, strategic network planning, network architecture and design, and network troubleshooting and optimization. Ron's background includes senior systems engineering responsibilities for Cisco and Novell resellers in Central Ohio. Ron has also acted as contributing author to the book Administering Cisco QoS in IP Networks (Syngress Publishing, ISBN: 1-928994-21-0). He currently resides in Sunbury, OH with his family, Julie and Max.
Martin Walshaw (CCIE #5629, CCNP, CCDP) is a Systems Engineer working for Cisco Systems in South Africa. His areas of specialty include IP Telephony (including all voice and video applications such as IPCC) and security, both of which keep him busy night and day. During the last 14 years, Martin has dabbled in many aspects of the IT industry, ranging from programming in RPG III and Cobol to PC sales. When Martin is not working, he likes to spend time with his expectant wife Val and his son Joshua. Without their patience, understanding, support, and most importantly love, projects such as this would not be possible.
Wayne A. Lawson II (CCIE #5244, CCNA, CCDA, NNCSE, CNX, MCSE, CNE, Banyan CBE) is a Systems Engineer with Cisco Systems in Southfield, Michigan. His core area of expertise is in the Routed Wide Area Network (WAN) and Campus Switching. He has provided pre- and post-sales technical support for various dot-com start-ups on redundant ISP access, failsafe security, content networking and verification for local premise, as well as geographical load balancing. His internetworking proficiency includes Layer One and Two, Layer Three, IBM & Voice Technologies, and Network Management and Monitoring Technologies.

Wayne received the "Top Performer" award at Cisco 2000 National Sales Meeting for achieving Cisco's highest level of technical certification. He has also contributed to Syngress Publishing's Building Cisco Remote Access Networks (ISBN: 1-928994-13-X). Wayne lives in Holly, MI.
Keith O'Brien (CCIE #2591) is a Consulting Systems Engineer with Cisco Systems specializing in packet voice technologies and multiservice networking. Keith has over 13 years of experience in IT, including large-scale routing, remote access, IP multicast and campus switch designs. Before joining Cisco, Keith worked at MCI Telecommunications, designing international voice and data networks. Keith holds a Bachelor of Science degree in Electrical Engineering from Lafayette College and a Master of Science degree from Stevens Institute of Technology.
Jason Sinclair (CCIE #9100, CCNP, CCNA) is the Manager of the Network Control Center at PowerTel Ltd., which is Australia's third largest telecommunications carrier. Jason is responsible for all operational aspects of the PowerTel voice, data and IP networks. Jason's technical background is predominantly in large scale IP, Internet, VoIP and DLSw networking. He has also designed and deployed several large-scale networks that have made extensive use of BGP and MPLS technology. Previously Jason worked for a number of ISPs and carriers in the Asia Pacific Region. Jason specializes in IP and IPX routing protocols, with particular focus on BGP, OSPF, and IS-IS. He is also an expert in IBM networking, ATM, Frame Relay, ISDN, Token Ring, and Ethernet. Jason has published an article for Certification Zone, which is a CCIE level discussion of the theory and configuration of EIGRP. He is also working on articles covering networking case studies, large-scale carrier networks and IBM Networking. Jason lives in Sydney, Australia with his wife, Michelle, and son, Andy.
Edgar Parenti, Jr. (CCNA, CCDA, CCNP, CCDP, CNE-3/4/5, MCNE, PSE, MCSE2000, MCT) has a strong background in network and directory design, network analysis and optimization, system performance tuning, Web application architecture and support, messaging and infrastructure engineering, operating system support, process engineering, and information security. His background also includes working at numerous corporations of all sizes providing senior-level IT consulting services utilizing a wide array of technologies and over six years of designing and managing Cisco internetworks.
Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).
Sean Thurston (CCDP, CCNP, MCSE, MCP+I) is a Senior Solution Architect with Siemens Business Services. He provides network and data center design solutions for large-scale deployment. His specialties include implementation of multivendor routing and switching equipment and XoIP (Everything over IP) installations. Sean's background includes positions as a Technical Analyst for Sprint-Paranet and the director of a brick-and-mortar advertising dot com. Sean is also a contributing author to Building a Cisco Network for Windows 2000 (Syngress Publishing, ISBN: 1-928994-00-8) and Cisco AVVID & IP Telephony Design and Implementation (Syngress Publishing, ISBN: 1-928994-83-0). Sean lives in Renton, WA with his fiancée, Kerry. He is currently pursuing his CCIE.
Tim Blankenship (CCNP, CCDA, CNE-5, CNE-4, CNE-3, MCP, CSEC–Wireless Field Engineer) is a private consultant responsible for leading the design and implementation efforts involving local and wide area networks to clients in the mid-west region of the United States. His specialties include Cisco wireless networking, routers and LAN switches, Novell design and implementation, strategic network planning, network architecture and design, and network troubleshooting and optimization. Tim lives in Grove City, OH with his family, Connie, Morgan, Ben, and Emily.

Umer Khan (SCE, CCIE, MCSE, SCSA, SCNA, CCA, CNX) is the Manager of Networking and Security at Broadcom Corporation (www.broadcom.com). Umer's department is responsible for the design and implementation of global LAN/MAN/WAN solutions that are available with 99.9% up time (planned and unplanned), as well as all aspects of information security at Broadcom. Among other technologies, Broadcom's network consists of Cisco switching gear end-to-end, dark fiber, OC-48 SONET, DWDM, 802.11 wireless, multi-vendor VPNs, and VoIP. The information security group deals with policies, intrusion detection and response, strong authentication, and firewalls. Umer received his bachelor's degree in Computer Engineering at the Illinois Institute of Technology.
Contents

Chapter 1 Cisco Technologies, Routers, and Switches 1
Introduction 2
Layer 2: Media Access Control and Logical Link Control 3
The TCP/IP Model, the DoD Model, or the Internet Model 6
Process/Application Layer (Application, Presentation, and Session) 6
TCP 8
UDP 10
Switches 26
Spanning Tree Protocol 27
Spanning Tree Port States 28
Cisco Catalyst Series Models 29
Switch Architecture 31
Supervisor Engine 31
Switch Fabric 34
Backplane 34
Memory 35
Flash 36
Non-Volatile Random Access Memory (NVRAM) 36
Modules 36
Application Specific Integrated Circuits (ASIC) 37
Switch Commands 37
Routers 37
Router Architecture 37
Backplane 37
Memory 38
Cards 38
Cisco Models 39
Accessing and Using Routers and Switches 45
Access Cisco Console and AUX Port Cabling 46
Connecting to the Router 46
Console Port Connections 47
Telnet Connection 49
SSH 49
Cisco Software 51
Cisco Software - IOS 51
Software Image Lifecycle 53
Early Deployment (ED) 54
First Customer Ship (FCS) 55
Entering Commands to Configure a Cisco Router 58
Using Configuration Commands 60
Using Passwords to Control Router Access 62
Performing Interface Configuration Tasks 64
Using show Commands 66
Using the show version Command 69
Using the show running-configuration Command 70
Using the show interface Command 72
Increasing Efficiency by Using Shortcuts 73
The autocommand Feature 74
Menus 75
CatOS Command Syntax and Basic Configuration 76
Configuring Network Parameters 77
Securing the Switch 78
Creating VLANs 78
Port Configuration 79
Enabling Trunking 80
Network Monitoring and Packet Capture 81
You Are Not Alone—Resources for Cisco Hardware and Software 82
Cisco Technical Support—General 82
CCO 83
TAC 84
NPC 85
Software Advisor 85
Software Center 86
Groupstudy.com 87
Summary 88
Introduction 92
Wide Area Network Topologies 92
Point-to-Point Topology 93
Fully Meshed Topology 93
Hub-and-Spoke Topology 93
High-Level Data Link Control 94
Point-to-Point Protocol 95
Bonding of Communications Links 97
Link Control Protocol 97
Network Control Protocol 99
PPP Alternatives…Not Really: PPP vs. SLIP and ARAP 100
Configuring PPP 100
Autoselect 101
PPP Addressing Methods 102
PPP Authentication 103
Password Authentication Protocol (PAP) 103
Challenge Handshake Authentication Protocol 104
What's in a Name? Usernames and Passwords 105
Authentication Failures 106
PPP Callback 106
PPP Compression 108
Multilink PPP 108
Multichassis MP (MMP) 109
Verifying and Troubleshooting PPP 111
Circuit Types and Terminology 114
T1 and Fractional T1 115
Committed Information Rate (CIR) 118
Local Management Interface (LMI) 118
Frame Relay Topologies 119
Subinterfaces 121
Configuring Frame Relay 122
Verifying and Troubleshooting Frame Relay 124
Physical Layer Troubleshooting 124
Loopback Tests 126
Frame Relay Problems 127
Asynchronous Transfer Mode (ATM) 129
ATM Cell Format 130
ATM Adaptation Layer (AAL) 130
ATM Virtual Circuits 131
PVC Mapping and Circuit Buildup 131
Configuring ATM 132
Verifying and Troubleshooting ATM 133
ATM Debug Commands 135
Integrated Services Digital Network 139
Basic Rate Interface (BRI) 140
BRI Call Setup 140
BRI Reference Points and Functional Groups 141
Primary Rate Interface (PRI) 142
PRI Reference Points and Functional Groups 142
ISDN Protocol Layers 142
U-plane 143
C-plane 143
ISDN Call Setup and Teardown 143
Dial-on-Demand Routing (DDR) 145
Dialer Interfaces 146
Supported Interfaces 147
ISDN Interfaces 147
Synchronous Serial Interfaces 148
Asynchronous Modem Connections 148
Configuring ISDN and DDR 148
ISDN and DDR Commands 161
ISDN Troubleshooting 163
ISDN Connections between Cisco Routers 163
Monitoring the ISDN Interface 168
Monitoring the Dialer 171
Backing up Permanent Connections 172
Backup Interface 172
The backup load Command 175
Floating Static Routes and Default Routes 176
Dialer Watch 181
Configuring a Dialer Profile 182
Verifying and Troubleshooting Backup Connections 182
Routing Issues 185
Redundant Hardware and Links/Design and Performance Issues 185
Load Balancing 186
Per-Destination Load Balancing 186
Summary 188
Introduction 190
Understanding the Fundamentals of Radio Frequencies 190
Understanding Wireless Radio Signal Transmission and Reception 191
Radio Frequencies 193
Radio Country Options 195
What is Bandwidth? 196
WLAN Frequency Bands 196
Radio Wave Modulation 198
Digital Signal Modulation: Phase Modulation 198
BPSK 199
QPSK 199
Complementary Code Keying 200
Communicating with WLAN Technologies 201
Microwave Technology 202
Infrared Technology 202
Spread Spectrum Technology 203
Frequency Hopping Spread Spectrum (FHSS) 204
Direct Sequence Spread Spectrum (DSSS) 204
DSSS Channel Setup 205
Wireless Networking Standards 206
IEEE 208
802.11 208
802.11b 214
802.11a 215
802.11g 215
Wireless Design Considerations 216
Attenuation 216
Multipath Distortion 216
Refraction 218
Accounting for the Fresnel Zone and Earth Bulge 219
RF Interference 220
Interference from Radio Transmitters 221
Harmonics 221
Application Considerations 222
Structural Considerations 222
Implementing a WLAN Architecture 223
The OSI Reference Model 224
Logical Wireless System Components 225
Physical Wireless System Components 225
Security Fundamentals for Wireless Networks 226
Ensuring Confidentiality 227
Ensuring Integrity 227
Ensuring Availability 228
Ensuring Authentication 228
Extensible Authentication Protocol (EAP) 229
Per-packet Authentication 230
Configuration and Deployment of LEAP 232
An Introduction to the 802.1x Standard 233
Ensuring Authorization 235
Where in the Authentication/Association Process Does MAC Filtering Occur? 236
Accounting and Audit Trails 237
Wired Equivalent Privacy (WEP) 237
Addressing the Issues with Policy 238
Creating Privacy with WEP 238
WEP Benefits and Advantages 239
WEP Disadvantages 239
The WEP Authentication Process 239
Implementing WEP on the Cisco Aironet AP 340 239
Security of 64-Bit versus 128-Bit Keys 240
Cisco Wireless Systems 241
Cisco's WLAN Product Line 241
Cisco's Aironet 3X0 Series APs and Bridges 243
The Cisco Aironet 350 Series 244
Aironet 350 AP 245
Aironet 350 Wireless Bridge 246
Aironet 350 Workgroup Bridge 247
Features of the Cisco Aironet 340 Series - End-of-Sale 249
The Cisco Aironet 340 Series AP 249
The Cisco Aironet 340 Series Wireless Bridge 250
The Cisco Aironet 340 Series Workgroup Bridge 251
The Cisco Aironet 340 Series Base Station 252
Cisco's Aironet Wireless NICs 253
Installing the Cisco Aironet 3X0 APs 254
Power Requirements 255
Network Connectivity 256
Initial Configuration of the Cisco 3X0 Series AP 256
IP Setup Utility 257
Terminal Emulator Setup 257
Web-Based Configuration of the Cisco 340 BSE/BSM
Troubleshooting the Cisco 340 BSE/BSM Series AP 261
Cisco Aironet Wireless Bridges 262
Cisco Aironet Wireless Bridge - Point-to-Point 262
Cisco Aironet Wireless Bridge - Point-to-Multipoint 263
Cisco Wireless Bridge - Repeater 264
Installation of the Cisco Aironet Bridge Unit 264
Installing the Antenna 265
Configuring the Network Port 266
Applying Power 266
Working with Root and Non-Root Modes on a Wireless Bridge 266
Initial Configuration of Wireless Bridge Using the CLI 267
Assigning the Radio Parameters 269
Setting the Root Parameters 269
Setting the SSID 270
Setting the Data Rate 270
Setting the Distance 270
Assigning IP Information 270
Establishing Communications Using Remote Telnet Access 270
Establishing Communications Using Remote Web Browser Access 271
Operational Configuration of the Cisco Aironet Wireless Bridge 271
Using the Cisco Aironet Wireless Bridge Radio Main Menu 272
Configuring the Basic Rates Option 272
Configuring the Frequency Option 272
Configuring the IEEE 802.11 Options 272
Configuring the Extended Options 275
Configuring the Ethernet Port 277
Configuring the Network Identifiers 277
Console Management Access 278
Configuring Passwords 278
Configuring Privileges 279
Configuring the Time Service 279
Setting Up Association Tables 280
Using Filters 280
Configuring the Multicast Option 281
Configuring the Node Option 281
Configuring the Protocols Option 282
Event Logging 282
Viewing Statistics 283
Cisco Aironet Wireless Bridge Troubleshooting 285
Network Menu Option 286
Connect Option 286
Find Option 286
Ping Option 287
Linktest Menu Options 287
Restart Option 288
Default and Reset Options 288
Loading Firmware and Configurations 288
FTP 289
Distribute 289
BOOTP and DHCP 290
Backing Up Wireless Bridge Configurations 290
Cisco Aironet Antennas 290
Ceiling Mount Omni-Directional Antenna 292
Mast Mount Omni-Directional Antenna 292
High-Gain Mast Mount Omni-Directional Antenna 292
Pillar Mount Diversity Omni-Directional Antenna 293
POS Diversity Dipole Omni-Directional Antenna 293
Diversity Ceiling Mount Omni-Directional Patch Antenna 293
Directional Wall Mount Patch Antenna 293
Diversity Directional Wall Mount Patch Antenna 293
Yagi Antenna 293
Dish Antenna 294
Antenna Accessories 295
Yagi Articulating Mount 295
Magnetic Mount 296
Lightning Arrestor with Grounding Ring 297
Bridge and AP Accessories 297
Bridge Mounting Kit 298
AP/Bridge Spare Power Supplies 298
AP/Bridge Serial Cable 299
NEMA Enclosures 299
Cabling, Connectors, and Bulkhead Extenders 301
Cabling 301
Connectors 301
RP-TNC Connectors 301
Bulkhead Extenders 302
Summary 303
Chapter 4 IP Addressing, Multicasting, and IPv6 305
Introduction 306
IPv4 Address and Header Format 306
Classful Addressing - Structure and Size of Each Type 308
VLSM 310
Private Addresses 310
Public versus Private Address Spaces 311
RFC 1918 - Private Network Addresses 311
The Three Address Blocks 311
Considerations 312
The Fundamentals of Subnetting 312
What the Mask Does 312
Subnet Mask Components 313
Binary Determination of Mask Values 313
Decimal Equivalent Mask Values 313
Addresses and Mask Interaction 315
Reserved and Restricted Addresses 317
Determining the Range of Addresses within Subnets 317
Determining Subnet Addresses Given a Single Address and Mask 319
Strategies for Subnetting 319
Creating and Managing Variable Length Subnets 319
Determine Addressing Requirements 320
Review Your Internetwork Design 320
How Many Subnets do You Need? 321
Document Your Addresses 326
Multicast Addresses and Protocols 326
Understanding the Basics of Multicasting 327
Unicast Traffic 328
Broadcast Traffic 328
Multicast Traffic 329
Multicast IP Addressing 330
IP Address Designations 330
Scope of Multicast Addresses Using the Time-to-Live Field 332
TTL Thresholds 332
Administrative Scopes 332
Mapping Multicast IP Addresses to MAC Addresses 333
Participating in Multicasting 336
Internet Group Management Protocol Versions 336
IGMPv1 337
IGMP version 2 339
IGMP version 3 341
Multicasting via Switches 344
CGMP 344
IGMP Snooping 344
Distribution Trees 346
Shared 346
Source 346
Multicast Routing 347
Sparse Mode Routing Protocols 347
Dense Mode Routing Protocols 348
DVMRP 348
PIM Dense Mode (PIM-DM) 349
MOSPF 350
NAT 350
NAT Terminology and Concepts 351
NAT Operation 352
Configuring NAT on Cisco IOS 354
Configuration Commands 354
NAT Architectures 358
Traditional NAT or Outbound NAT 358
Dynamic Translation 360
Dynamic NAT Translation Commands 362
Static Translation Process 365
Configuring Static NAT Translations 366
Dual Address Translation (Overlapping Networks) 368
Port Address Translation 371
Configuring PAT 374
TCP Load Distribution 374
Configuring TCP Load Distribution 376
Verifying TCP Load Distribution 377
NAT Monitoring and Troubleshooting Commands 379
Considerations about NAT and PAT 381
IP Address Information in Data 381
Bundled Session Applications 381
Peer-to-Peer Applications 381
IP Fragmentation with PAT en Route 381
IPSec and IKE 382
IPv6 382
Benefits of IPv6 382
IPv4 versus IPv6 383
Header Comparison 383
Feature Comparison 384
IPv6 Addresses 385
IPv6 Address Space 386
The Fundamentals of IPv6 Addresses 387
IPv4 Addresses as IPv6 Addresses 389
IPv6 Unicast Addresses 390
Aggregatable Global Unicast Address 391
Subnetting and Prefixes for IPv6 Aggregation 397
IPv6 Multicast Addressing 400
IPv6 Anycast Addresses 403
IPv6 Address Autoconfiguration 405
IPv6 Headers 406
The IPv6 Extension Headers 407
Hop-by-Hop Options Header 410
Routing Header 412
Fragment Header 414
Destination Options Header 415
IPv6 Security 416
AH 416
ESP 419
Upper-Layer Protocol Issues 420
Understanding ICMPv6 422
Error Messages 422
Informational Messages 423
Understanding Neighbor Discovery 424
Router Solicitation and Advertisement 424
Neighbor Solicitation and Advertisement 425
Redirect Message 429
Message Options 429
Configuring IPv6 Addressing 429
Configuring LAN Addresses 430
Configuring Duplicate Address Detection 432
Configuring DNS 433
Configuring WAN Addresses 433
Configuring ATM 433
Configuring Frame Relay 433
Configuring ICMPv6 and Neighbor Discovery 436
Monitoring and Troubleshooting IPv6 436
Using Basic show Commands 436
Using the show bgp Commands 442
Verifying WAN Addressing 445
Verifying ICMPv6 and Neighbor Discovery Configuration 446
Using debug Commands 447
Summary 451
Introduction 454Routing Terminology 454CIDR 459Contiguous Subnets 461Cisco Routing in General 462Static Routes 462Default Routes and Networks 463Many Are Learned, Few Are Chosen 464Routing Information Protocol (RIP) 464Routing Update Impact 465
RIPv1 466RIPv2 467Configuring RIP 469IGRP 472Configuring IGRP 473RIP versus IGRP 475EIGRP 476EIGRP Concepts 477Configuring EIGRP 477OSPF 481Becoming Neighbors 481Achieving Adjacency 482Types of OSPF Packets 483Hello Packets 483Link State Advertisements 485The Function of Link State Advertisements 486Common LSA Header 486LSA Type 1 Router LSA 487LSA Type 2 Network LSA 489LSA Type 3 Summary LSA (Network) and LSA Type 4 Summary LSA (ASBR) 489LSA Type 5 External LSA 490Types of OSPF Areas 491
Trang 27Multiple Paths of Equal Cost 506Cost Calculation with Gigabit Ethernet and
Faster Interfaces 506Types of Recognized Networks 506Point to Point 507Point to Multipoint 508Broadcast 509Non-Broadcast Multi-Access (NBMA) 510Physical Interfaces, Point-to-Point Subinterfaces, and
Point-to-Multipoint Subinterfaces 512Basic OSPF Configuration 513OSPF over Frame Relay Point to Point (Subinterfaces) 514OSPF over Frame Relay (NBMA and Physical Interfaces) 516OSPF over Frame Relay Point-to-Multipoint Subinterfaces 518OSPF over Frame Relay Point-to-Multipoint Subinterfaces 520OSPF on Broadcast Networks 522OSPF Summarization 525Why Summarize? 525The summary-address Command 525The area range Command 527Authentication 528Plaintext versus Message Digest 5 528Area Authentication 529OSPF Virtual Links 531Monitoring and Troubleshooting OSPF 532The show ip ospf database Command 532
Trang 28Contents xxvii
The show ip ospf database router (LSA 1) Command 533show ip ospf database network (LSA TYPE 2) 533The show ip ospf database summary (LSA 3) Command 534The show ip ospf database asbr-summary (LSA 4)
Command 535The show ip ospf database external Command 536The show ip ospf database nssa-external (LSA 7)
Command 537show ip ospf neighbor 537The show ip ospf interface Command 538The show ip ospf Command 538The show ip ospf borders-routers Command 539The show ip ospf database self-originate Command 540The show ip ospf database adv-router Command 540debug Commands 541Intermediate System to Intermediate System (IS-IS) 541ISO Terminology 542ISO Addressing and Topologies 543NSAP Address Format 544IS-IS View of NSAP Address 544Configuring CLNS-Only IS-IS 545Configuring Single Area IS-IS 545Configuring Multi-area IS-IS 547Configuring Integrated IS-IS 550Single-Area Integrated IS-IS 550Multi-Area Integrated IS-IS 552Monitoring IS-IS 554Border Gateway Protocol (BGP) 556BGP Terminology 556BGP Concepts 557Configuring BGP 558Bare Minimum BGP—EBGP 559Bare Minimum BGP—IGBP 560Route Reflectors 562BGP Confederations 564Filtering 566Summarization 567BGP Security 567Monitoring and Verifying BGP 567Dial-on-Demand Routing 570
Trang 29xxviii Contents
Static and Default Routes 570
Snapshot Routing 570
Route Redistribution 571
Configuring Snapshot Routing and Route Redistribution 571
Monitoring Snapshot Routing 574
OSPF Demand Circuits 575
Do Not Age (DNA) 576
Configuring an OSPF Demand Circuit 577
IPv6 Routing 579
Configuring RIP for IPv6 579
Basic IPv6 RIP Configuration 580
Default Routes and RIPng 582
Verifying RIPng Operation 582
Integrated IS-IS 584
Configuring IS-IS for IPv6 584
IS-IS Default Routes 586
Maximum Paths for IS-IS 586
Configuring BGP Extensions for IPv6 587
Configuring an IPv6 Neighbor Relationship 587
Configuring a BGP Router ID 590
Configuring BGP Peer Groups 590
Configuring Link-Local Addressing 591
Verifying BGP Operation 592
Using the show bgp Command 592
Using the show bgp ipv6 summary Command 593
Summary 594

Introduction 596
QoS Overview 597
Bandwidth Reservation 598
Real-Time Transport Protocol 598
Understanding Real-Time Transport Protocol 598
Configuring RTP 599
Compressed Real-Time Transport Protocol 600
RTP Header Compression 601
cRTP Implementation 602
Verifying IP RTP Priority 604
Resource Reservation Protocol 605
Configuring RSVP 607
Verifying RSVP 607
Selecting a Cisco IOS Queuing Method 610
First-In, First-Out Queuing 612
Low Latency Queuing (LLQ) 612
Priority Queuing (PQ) 613
Configuring Priority Queuing 615
Enabling Priority Queuing 615
Configuring the Queue Limits 616
Applying Your Priority List to an Interface 617
Verifying Priority Queuing 617
Priority Queuing Examples 618
Custom Queuing (CQ) 620
Configuring Custom Queuing 622
Enabling Custom Queuing 622
Adjusting Byte Counts and Queue Sizes 623
Applying Your Configuration to an Interface 624
Verifying Custom Queuing 624
Custom Queuing Examples 626
Weighted Fair Queuing 627
WFQ and IP Precedence 630
Planning Considerations 630
VIP Distributed Weighted Fair Queuing (DWFQ) 633
Configuring Weighted Fair Queuing 634
Class-Based Weighted Fair Queuing (CB-WFQ) 636
Configuring Class-Based Weighted Fair Queuing 637
Defining Class Maps 638
Creating Policies 639
Attaching Policies to Interfaces 640
Verifying CB-WFQ 641
Why Packet Classification? 642
IP Precedence 643
Traffic Shaping 645
Configuring Traffic Shaping 646
Verifying Traffic Shaping 648
Link Fragmentation and Interleaving 648
Configuring Link Fragmentation and Interleaving 649
Verifying Link Fragmentation and Interleaving 650
Weighted Random Early Detection 651
Flow-Based WRED 652
Configuring Congestion Avoidance with WRED 652
Verifying WRED 654
Data Compression Overview 655
The Data Compression Mechanism 655
Selecting a Cisco IOS Compression Method 656
Header Compression 656
Link and Payload Compression 657
Per-Interface Compression (Link Compression) 658
Per-Virtual Circuit Compression (Payload Compression) 658
Hardware Compression 659
Verifying Compression Operation 659
Configuring Packet Classification 659
IP Precedence 660
Verifying IP Precedence 660
Policy Routing 661
Configuring Policy Routing 661
Verifying Policy Routing 662
Call Admission Control 662
Configuring Call Admission Control (CAC) 664
Verifying Call Admission Control 665
Summary 668

Introduction 670
Attacks and Threats 670
Active Attacks 671
DOS/DDOS 671
Buffer Overflows 672
SYN Attacks 672
Spoofing 672
Man-in-the-Middle Attacks 673
Replay Attacks 674
TCP/IP Hijacking 674
WarDialing 675
Social Engineering 675
Passive Attacks 675
Vulnerability Scanning 675
Sniffing and Eavesdropping 676
Password Attacks 676
Brute Force Attacks 676
Dictionary-based Attacks 677
Malicious Code Attacks 677
Malware 677
Viruses 678
Trojan Horses 679
Logic Bombs 679
Worms 679
Attacker Aids 680
Bad Key Exchanges 680
Hashing Pieces Separately 681
Using a Short Password to Generate a Long Key 681
Improperly Stored Private or Secret Keys 681
Detecting Breaches 682
What are the Key Steps after a Breach is Detected? 682
Reducing Vulnerabilities 682
Providing a Simple Security Network Architecture 683
Developing a Security Policy 683
AAA Overview 683
Authentication 684
Authorization 684
Accounting 684
Method-Lists 685
Configuring AAA 686
Security Protocols 686
RADIUS 686
TACACS+ 687
Comparing TACACS+ and RADIUS 689
Using RADIUS and TACACS+ for AAA Services 689
Configuring the RADIUS or TACACS+ Parameters 689
Configuring TACACS+ Parameters 690
Optional TACACS+ Commands 691
Configuring RADIUS Parameters 691
Configuring AAA Authentication 693
Configuring Login Authentication Using AAA 693
Configuring PPP Authentication Using AAA 696
Enabling Password Protection for Privileged EXEC Mode 697
The aaa authentication login Command 698
The aaa authentication ppp Command 698
The aaa authentication enable default Command 699
Configuring AAA Authorization 699
TACACS+ Configuration Example 702
Configuring AAA Accounting 703
Suppress Generation of Accounting Records for Null Username Sessions 706
RADIUS Configuration Example: AAA Accounting 706
Typical RAS Configuration Using AAA 708
Virtual Profiles and AAA 710
Example of Virtual Profiles Using Virtual Templates 710
Configuring Virtual Profiles Using AAA Configuration 712
Example of Virtual Profiles Using AAA Configuration 712
Example of Virtual Profiles Using Virtual Templates and AAA Configuration 713
Per-user Configuration Example 713
User Remote RADIUS Configuration 714
NAS Configuration (Central) 714
Monitoring and Verifying AAA Access Control 715
AAA debug and show Commands 715
Complete AAA Configuration Example 718
Authentication Proxy 720
How the Authentication Proxy Works 720
Benefits of Authentication Proxy 720
Restrictions of Authentication Proxy 721
Configuring Authentication Proxy 721
Configuring the HTTP Server 721
Configuring the Authentication Proxy 722
Authentication Proxy Configuration Example 723
Cisco Secure ACS 724
Overview of the Cisco Secure ACS 724
Benefits of the Cisco Secure ACS 725
Authentication 725
Authorization 725
Accounting 725
Placing Cisco Secure ACS in the Network 726
Configuration Example: Adding and Configuring an
Cisco IP Security Hardware and Software 728
Cisco PIX Firewall 728
Cisco IOS Firewall Feature Set 729
Cisco Secure Intrusion Detection System 729
CSPM 729
ACLs 730
ACL Operation 730
Types of ACLs 732
Standard IP ACLs 732
Source Address and Wildcard Mask 733
The any and host Keywords 734
ACL Logging 734
Applying an ACL 735
Extended IP ACLs 735
Protocol 737
Source and Destination Port Number 737
The established Keyword 738
Applying and Editing ACLs 740
Problems with ACLs 740
Lock-and-Key ACLs 740
Reflexive ACLs 742
Building Reflexive ACLs 744
Applying Reflexive ACLs 745
Context-based Access Control 745
The CBAC Process 747
Configuring CBAC 747
Inspection Rules 749
Applying the Inspection Rule 749
Configuring Port to Application Mapping 750
Configuring PAM 750
Protecting a Private Network 751
Protecting a Network Connected to the Internet 753
Protecting Server Access using Lock-and-Key 754
Protecting Public Servers Connected to the Internet 755
Applying Perimeter Security in IPv6 759
ACL Control Manager 760
The Basic Operation of ACLM 760
Using Templates and Defining Classes 760
Using Diff Viewer 761
Using the Optimizer and the Hits Optimizer 761
Configuring the ACLM 762
Configuration Example: Creating ACLs with ACLM 762
CSPM 765
Overview of VPN Technologies 765
Tunneling VPNs 765
Virtual Private Dial Networks 766
Intranet VPNs 766
Extranet VPNs 766
L2TP 767
Configuring Cisco L2TP 768
An LAC Configuration Example 768
A LNS Configuration Example 768
PPTP Overview 769
Understanding Cryptography Concepts 771
Encryption Key Types 771
Standard Cryptographic Algorithms 771
DES 771
3DES 773
IDEA 773
AES (Rijndael) 773
Understanding Asymmetric Algorithms 774
DH 774
RSA 775
Skeme and Oakley Protocols 775
IPsec Concepts 775
VPN Terminology 776
IPsec 777
IPsec Core Layer 3 Protocols: ESP and AH 777
IPsec Communication Modes: Tunnel and Transport 779
IPsec Architecture 781
IKE 782
ISAKMP and IKE 782
SAs 784
VPN Operation 787
Authentication Methods 788
IPsec Limitations 790
Configuring ISAKMP/IKE 791
Configuring IPsec 792
Configuring IPsec on the NAS 795
Configuring Cisco IPsec 795
IPsec Manual Keying Configuration 796
IPsec over GRE Tunnel Configuration 799
Verifying and Debugging VPN Operation 801
Wireless Security 804
Extensible Authentication Protocol 805
An Introduction to the 802.1x Standard 807
Per-Packet Authentication 809
Configuration and Deployment of LEAP 811
Ensuring Authorization 811
MAC Filtering 812
Where in the Authentication/Association Process does MAC Filtering Occur? 812
MAC Spoofing 813
Accounting and Audit Trails 813
Implementing WEP 813
Defining WEP 813
Creating Privacy with WEP 813
The WEP Authentication Process 814
WEP Benefits and Advantages 814
WEP Disadvantages 815
Implementing WEP on the Cisco Aironet AP 3x0 815
Exploiting WEP 815
Security of 64-bit versus 128-bit Keys 816
Strengthening WEP 816
Summary 817

Introduction 820
PIX Firewall Features 820
Embedded Operating System 820
The Adaptive Security Algorithm 820
State 821
Security Levels 821
How ASA Works 821
Technical Details for ASA 822
Advanced Protocol Handling 823
URL Filtering 823
High Availability 824
PIX Hardware 824
Models 824
Object Grouping 849
Configuring and Using Object Groups 849
ICMP-type Object Groups 849
Network Object Groups 850
Protocol Object Groups 850
Service Object Groups 851
Handling Advanced Protocols 852
Filtering Web Traffic 856
Filtering URLs 856
Websense and N2H2 857
Fine-Tuning and Monitoring the Filtering Process 858
Active Code Filtering 860
Filtering Java Applets 861
Filtering ActiveX Objects 861
Configuring Intrusion Detection 861
Supported Signatures 862
Configuring Auditing 862
Disabling Signatures 863
Configuring Shunning 863
Dynamic Host Control Protocol Functionality 864
DHCP Clients 864
DHCP Servers 865
Fragmentation Guard 867
Authentication, Authorization, and Accounting Floodguard 868
SYN Floodguard 868
Reverse-Path Forwarding 868
Unicast Routing 869
Static and Connected Routes 869
RIP 870
Stub Multicast Routing 871
SMR Configuration with Clients on a More Secure Interface 872
SMR Configuration with Clients on a Less Secure Interface 874
Access Control and Other Options 874
Point-to-Point Protocol over Ethernet 875
Configuring Console Authentication 877
Configuring Local Console Authentication 877
Configuring RADIUS and TACACS+ Console Authentication 878
Configuring Local Command Authorization 879
Configuring Authentication for Traffic Through the Firewall 880
Configuring Cut-through Proxy 880
Virtual HTTP 882
Virtual Telnet 884
Configuring Authorization for Traffic Through the Firewall 885
Configuring Accounting for Traffic Through the Firewall 885
Failover Concepts 886
Configuration Replication 887
IP and MAC Addresses Used for Failover 888
Failure Detection 888
Stateful Failover 889
Standard Failover Using a Failover Cable 890
Configuring and Enabling Failover 890
Monitoring Failover 892
LAN-Based Failover 894
Configuring and Enabling Failover 894
Monitoring Failover 898
Failing Back 900
Disabling Failover 900
Configuring Logging 901
Local Logging 901
Buffered Logging 901
Console Logging 902
Terminal Logging 902
Syslog 902
Logging Levels 903
Logging Facility 905
Disabling Specific Syslog Messages 905
Configuring Remote Access 906
Enabling SSH Access 906
Troubleshooting SSH 907
Telnet 908
Configuring SNMP 908
Configuring System Identification 909
Configuring Polling 909
Configuring Traps 909
Configuring System Date and Time 910
Setting and Verifying the Clock and Time Zone 910
Configuring and Verifying the Network Time Protocol 912
NTP Authentication 913
Configuring VPN 913
Allowing IPsec Traffic 914
Enabling IKE 914
Creating an ISAKMP Protection Suite 915
Defining an ISAKMP Pre-shared Key 916
Configuring Certificate Authority Support 916
Configuring the Hostname and Domain Name 917
Generating an RSA Key Pair 917
Specifying a CA to Be Used 918
Configuring CA Parameters 918
Authenticating the CA 918
Enrolling with the CA 920
Configuring Crypto ACLs 921
Defining a Transform Set 922
Bypassing NAT 922
Configuring a Crypto Map 923
Configuring Site-to-site IPsec without IKE (Manual IPsec) 925
Configuring PPTP 927
Configuration 927
Configuring L2TP with IPsec 930
Dynamic Crypto Maps 931
Configuration 932
Configuring Support for the Cisco Software VPN Client 934
Mode Configuration 934
Extended Authentication 935
Sample Configurations of PIX and VPN Clients 937
Troubleshooting PIX Firewall Hardware, Software, and Performance 943
Troubleshooting PIX Cabling 947
Troubleshooting Connectivity 948
Checking Addressing 948
Checking Routing 949
Checking Translation 950
Checking Access 952
Troubleshooting IPsec 953
IKE 953
IPsec 955
Capturing Traffic 958