Tài liệu CCNP Quick Reference doc

[ vii ]Contents Part I BSCI 1 Chapter 1 The Evolving Network Model 3 Problems with the Hierarchical Design Model 5 Administrative Distance 11Building the Routing Table 12Comparing Routin

Denise Donohue, CCIE No 9566

Brent Stewart Jerold Swan, CCIE No 17783

CCNP Quick Reference

Denise Donohue, Brent Stewart, Jerold Swan

Copyright® 2008 Cisco Systems, Inc

Published by:

Cisco Press

800 East 96th Street

Indianapolis, IN 46240 USA

All rights reserved No part of this book may be reproduced

or transmitted in any form or by any means, electronic or

mechanical, including photocopying, recording, or by any

information storage and retrieval system, without written

permission from the publisher, except for the inclusion of

brief quotations in a review

Printed in the United States of America

First Printing June 2008

Library of Congress Cataloging-in-Publication Date available

upon request

ISBN-13: 978-1-58720-236-0

ISBN-10: 1-58720-236-0

Warning and Disclaimer

This book is designed to provide information about networking Every effort has beenmade to make this book as complete and as accurate as possible, but no warranty orfitness is implied

The information is provided on an “as is” basis The authors, Cisco Press, and CiscoSystems, Inc shall have neither liability nor responsibility to any person or entitywith respect to any loss or damages arising from the information contained in thisbook or from the use of the discs or programs that may accompany it

The opinions expressed in this book belong to the author and are not necessarily those

of Cisco Systems, Inc

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service markshave been appropriately capitalized Cisco Press or Cisco Systems, Inc., cannot attest

to the accuracy of this information Use of a term in this book should not be regarded

as affecting the validity of any trademark or service mark

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity forbulk purchases or special sales, which may include electronic versions and/or

custom covers and content particular to your business, training goals, marketingfocus, and branding interests For more information, please contact:

U.S Corporate and Government Sales 1-800-382-3419

corpsales@pearsontechgroup.com

For sales outside the United States please contact:

International Sales international@pearsoned.com

Readers’ feedback is a natural continuation of this process If you have any

comments regarding how we could improve the quality of this book, or otherwisealter it to better suit your needs, you can contact us through email at

feedback@ciscopress.com Please make sure to include the book title and ISBN inyour message

We greatly appreciate your assistance

[ iii ]

About the Authors

Denise Donohue, CCIE No 9566, is manager of Solutions Engineering for ePlus

Technology in Maryland She is responsible for designing and implementing dataand VoIP networks, supporting companies based in the National Capital region.Prior to this role, she was a systems engineer for the data consulting arm ofSBC/AT&T Denise was a Cisco instructor and course director for Global

Knowledge and did network consulting for many years

Brent Stewart, CCNP, CCDP, CCSI, MCSE, is a network administrator for

CommScope He is responsible for designing and managing a large-scale wide IP network He participated in the development of BSCI with Cisco and haswritten and taught extensively on CCNA and CCNP

world-Jerold Swan, CCIE No 17783, is a senior network engineer for the Southern

Ute Indian Tribe Growth Fund in Ignacio, CO Prior to that he was a Ciscoinstructor and course director for Global Knowledge He has also worked in IT inthe higher education and service provider fields He holds CCNP and CCSPcertifications

About the Technical Editors

Rus Healy, CCIE No 15025, works as a senior engineer for Annese &

Associates, a Cisco partner in upstate New York He also holds CCNP and CCDPcertifications His other interests include bicycling, skiing, and camping with hisfamily, as well as competitive amateur radio events

John Mistichelli, CCIE No 7536, CCSI No 20000, CCNP, CCDP, CCIP, MCSE, CNE, is a self employed Cisco consultant and trainer He provides

network-consulting services for businesses and government organizations out the United States John is also a world-class technical trainer for ConvergentCommunications where he teaches service provider courses for Cisco Advanced

through-Services Education John is a coauthor of the book Cisco Routers 24Seven (ISBN:

0782126464)

Chapter 1 The Evolving Network Model 91

Chapter 2 VLAN Implementation 99

Chapter 3 Spanning Tree 112

Chapter 4 InterVLAN Routing 129

Chapter 5 Layer 3 Redundancy 136

Chapter 6 Using Wireless LANs 141

Chapter 7 VoIP in a Campus Network 152

Chapter 8 Campus Network Security 159

Part III ISCW 171

Chapter 1 Network Conceptual Models 173

Chapter 2 Providing SOHO/Teleworker Connectivity 176

[ v ]

Chapter 3 Frame Mode MPLS 190

Chapter 3 QoS Overview 264

Chapter 4 QoS Details 275

Chapter 5 AutoQoS 303

Chapter 6 Wireless Scalability 308

Index 315

[ vii ]

Contents

Part I BSCI 1

Chapter 1 The Evolving Network Model 3

Problems with the Hierarchical Design Model 5

Administrative Distance 11Building the Routing Table 12Comparing Routing Protocols 12

CHAPTER 2 EIGRP 14

Packet Types 15Neighbor Discovery and Route Exchange 16

EIGRP Metric 16Diffusing Update Algorithm (DUAL) 17Route Selection Example 18

Creating an EIGRP Default Route 20Troubleshooting EIGRP 20

Summarization 21Load Balancing 21WAN Bandwidth 22EIGRP Authentication 24

LSAs 28

LSDB Overload Protection 29LSA Types 29

OSPF Packets 31OSPF Neighbor Relationships 31Establishing Neighbors and Exchanging Routes 32

Router ID 33Troubleshooting OSPF 34

Designated Routers 35Nonbroadcast Multiaccess (NBMA) Networks 36

OSPF Summarization 36Creating a Default Route 37Stub and Not-So-Stubby Areas 38Configuring Virtual Links 39

Chapter 4 IS-IS 41

Types of IS-IS Routers 42NSAP Address Structure 44Adjacency Formation in IS-IS 44IS-IS Network Types 44

Chapter 5 Optimizing Routing 47

Configuring Route Redistribution 47Seed Metric 48

Passive Interface 49Distribute Lists 49

[ ix ]

Route Maps 50Route Map Syntax 50Match and Set Conditions 51Manipulating Administrative Distance 52

Configuring DHCP 55DHCP Relay Agent 56

Multihoming 59BGP Databases 60BGP Message Types 60Internal and External BGP 60BGP Next-Hop Selection 61BGP Next Hop on a Multiaccess Network 62BGP Synchronization Rule 62

Chapter 7 IP Multicast 69

PIM Dense Mode 72PIM Sparse Mode 73

PIM Sparse-Dense Mode 73Configuring Multicast Routing and PIM 73Auto-RP 73

PIM Version 2 74

IGMP Version 1 75IGMP Version 2 75IGMP Version 3 75

IGMP Snooping 75

Chapter 8 IPv6 Introduction 77

Static Routing 82RIPng for IPv6 82EIGRP 83MP-BGP for IPv6 83OSPFv3 84

OSPFv3 LSAs 85 Configuration 85

Troubleshooting 86

NAT-PT, ALG, and BIA/BIS 87

[ xi ]

Chapter 1 The Evolving Network Model 91

Chapter 2 VLAN Implementation 99

Chapter 3 Spanning Tree 112

Root Bridge Election 114Root Port Election 115

[ xiii ]

Chapter 4 InterVLAN Routing 129

Understanding the Switching Process 130Understanding the Switching Table 132Understanding Switch Forwarding Architectures 132

ARP Throttling 134Configuring and Troubleshooting CEF 134

Chapter 5 Layer 3 Redundancy 136

HSRP States 137Configuring HSRP 137

Chapter 6 Using Wireless LANs 141

Characteristics of Wireless LANs 141WLAN Topologies 142

802.11b Standard 143802.11a Standard 143802.11g Standard 144

WPA/WPA2 Authentication 145

Cisco Unified Wireless Network 145Autonomous APs 146

Lightweight Access Points 146Wireless LAN Antennas 147

Gain 148 Directionality 148 Multipath Distortion 148 EIRP 148

Power over Ethernet (PoE) Switches 149

Configuring Autonomous Access Points 149Configuring a WLAN Controller 150

Chapter 7 VoIP in a Campus Network 152

Network and Bandwidth Considerations 153Auxiliary (or Voice) VLANs 154

QoS Actions 154DSCP Values 155Trust Boundaries 156

Manual Configuration 157Using AutoQoS 157

Chapter 8 Campus Network Security 159

Port Security 160Port-Based Authentication 160

Switch Spoofing 161802.1Q Double-Tagging 162VACLs 163

Private VLANs 163

DHCP Spoofing 165ARP Spoofing 165

[ xv ]

BPDU Guard 167BPDU Filtering 167Root Guard 167

Unidirectional Link Detection (UDLD) 168Loop Guard 168

Part III ISCW 171

Chapter 1 Network Conceptual Models 173

Chapter 2 Providing SOHO/Teleworker Connectivity 176

Cable Components 177Cable Standards 178Provisioning the Cable Modem 179

Types of DSL 180ADSL 181

Carrierless Amplitude and Phase Line Coding 182 Discrete Multi-Tone Line Coding 182

Layer 2 over DSL 182

PPPoE 183 PPPoA 184

Configuring PPPoE CPE 184Configuring PPPoA CPE 187Troubleshooting ADSL 188

Troubleshooting ADSL at Layer 1 188 Troubleshooting ADSL at Layer 2 188

Chapter 3 Frame Mode MPLS 190

Handling Customer Routes 197Route Distinguishers 198Route Targets 198

Chapter 4 IPsec 200

Authentication Header 200Encapsulating Security Payload 201

Configuring a Site-to-Site VPN Using Cisco IOS

Configuring an ISAKMP Policy 205

Configuring a Crypto ACL 206Configuring a Crypto Map 207Applying the Crypto Map to an Interface 207Configuring an Optional Interface Access List 207

[ xvii ]

Configuring a GRE Tunnel Using Cisco IOS

Establishing an Easy VPN IPsec Session 214Using SDM to Configure the Easy VPN Server 215

Chapter 5 Cisco Device Hardening 217

Cisco Self-Defending Network 217Types of Network Attacks 217Mitigating Reconnaissance Attacks 218Mitigating Access Attacks 219

Mitigating Denial-of-Service Attacks 219

Disabling Unused Cisco Router Network Services and

Unused Router Interfaces 220Vulnerable Router Services 220Hardening with AutoSecure 221Configuring AutoSecure 222Security Device Manager 222

Securing Cisco Router Installations and Administrative

Password-Creation Rules 222Types of Router Passwords 222Password-Length Enforcement 223Password Encryption 223

Enhanced Username Password Security 223Password Example 224

Securing ROMMON 224Rate-Limiting Authentication Attempts 224Setting Timeouts 225

ACL Review 227Mitigating Spoofed Addresses (Inbound) 227Mitigating Spoofed Addresses (Outbound) 228Mitigating SYN Attacks 228

Using the established Keyword in ACLs 228 Using TCP Intercept 228

ACL Caveats 229

Types of Management Traffic 229Configuring Secure Shell 230Configuring Syslog 231Simple Network Management Protocol 231Network Time Protocol 232

AAA Services 233Router Access Modes 233Configuring AAA 233Configuring CLI Authentication on a Cisco Router 234Configuring Authorization 234

Configuring Accounting 235Troubleshooting AAA 235

Chapter 6 Cisco IOS Threat Defenses 236

[ xix ]

TCP Handling in the Cisco IOS Firewall 237UDP Handling in the Cisco IOS Firewall 237Alerts and Audit Trails 238

Cisco IOS Authentication Proxy 238

Defining External and Internal Interfaces 238Configuring Access Lists on the Interfaces 239Defining Inspection Rules 239

Applying Inspection Rules to Interfaces 240Verifying Inspection 240

Defining IDS/IPS Terms 241Cisco IOS IPS Signatures 242Cisco IOS IPS Alarms 242Configuring Cisco IOS IPS 242

Chapter 1 Network Architecture 247

Hierarchical Design Model 250

Chapter 2 Cisco VoIP 253

Transmission 254

A Worksheet for Calculating VoIP Bandwidth 260

An Example for G.711, No Compression over Ethernet,

20 ms Samples 260

Configuring Cisco Routers to Support VoIP 262

Chapter 3 QoS Overview 264

Bandwidth 264Delay and Jitter 265Packet Loss Issues 266Defining QoS Requirements for Network Traffic 266

Best Effort 267IntServ 267DiffServ 269

Legacy CLI 269MQC 270

MQC Configuration 270 Verifying QoS Configuration 271

AutoQoS 271SDM QoS Wizard 272

Chapter 4 QoS Details 275

Using NBAR for Classifying Traffic 275Marking at Layer 2 278

Marking at Layer 3 279

Default PHB 280 Assured Forwarding and Class Selector PHB 280 DiffServ Expedited Forwarding PHB 281

Classifying and Marking in a VoIP Network 281

Hardware Queue 286Software Queue 287

FIFO Queuing 287Priority Queuing 287Round Robin Queuing 288Weighted Fair Queuing 288

Configuring WFQ 289

[ xxi ]

CBWFQ 290LLQ 291

Traffic Policing 295Traffic Shaping 295

Compression 296Link Fragmentation and Interleave (LFI) 297

GRE Tunnels 298IPsec Tunnels 298

SLA 300Enterprise QoS 300CoPP 302

Chapter 5 AutoQoS 303

AutoQoS Classes 305AutoQoS and Changing Network Conditions 306Manually Tuning AutoQoS Configurations 307

Chapter 6 Wireless Scalability 308

Index 315

Icons Used in This Book

PIX Firewall

VPN

Concentrator

Laptop PC

File Server

Ethernet Connection

Relational

Database

Serial Line Connection

Access Server

[ xxiii ]

Command Syntax Conventions

The conventions used to present command syntax in this book are the same

conventions used in the IOS Command Reference The Command Reference

describes these conventions as follows:

■ Boldface indicates commands and keywords that are entered literally as

shown In actual configuration examples and output (not general commandsyntax), boldface indicates commands that are manually input by the user

(such as a show command).

■ Italic indicates arguments for which you supply actual values.

■ Vertical bars (|) separate alternative, mutually exclusive elements

■ Square brackets ([ ]) indicate an optional element

■ Braces ({ }) indicate a required choice

■ Braces within brackets ([{ }]) indicate a required choice within an optionalelement

CHAPTER 1

The Evolving Network Model

The Hierarchical Design Model

Cisco used the three-level Hierarchical Design Model for years This older

model provided a high-level idea of how a reliable network might beconceived, but it was largely conceptual because it didn’t provide specificguidance Figure 1-1 shows the Hierarchical Design Model

This same three-layer hierarchy can be used in the WAN with a central quarters, division headquarters, and units

The layers break a network in the following way:

■ Access layer—End stations attach to the network using low-costdevices

■ Distribution layer—Intermediate devices apply policies

— Route summarization

— Policies applied, such as:

• Route selection

• Access lists

• Quality of Service (QoS)

■ Core layer—The backbone that provides a high-speed path betweendistribution elements

— Distribution devices are interconnected

— High speed (there is a lot of traffic)

— No policies (it is tough enough to keep up)

Later versions of this model include redundant distribution, core devices,and connections, which make the model more fault-tolerant

Problems with the Hierarchical Design Model

This early model was a good starting point, but it failed to address key

issues, such as:

■ Where do wireless devices fit in?

■ How should Internet access and security be provisioned?

■ How do you account for remote access, such as dial-up or VPN?

■ Where should workgroup and enterprise services be located?

Enterprise Composite Network Model

The newer Cisco model—the Enterprise Composite Model—is significantly more

complex and attempts to address the shortcomings of the Hierarchical Design

Model by expanding the older version and making specific recommendations

about how and where certain network functions should be implemented This

model is based on the principles described in the Cisco Architecture for

Voice, Video, and Integrated Data (AVVID)

The Enterprise Composite Model (see Figure 1-3) is broken into three large

sections:

■ Enterprise Campus—Switches that make up a LAN

■ Enterprise Edge—The portion of the enterprise network connected to

the larger world

■ Service Provider Edge—The different public networks that are

attached

The first section, the Enterprise Campus, looks like the old Hierarchical

Design Model with added details It features six sections:

■ Campus Backbone—The core of the LAN

■ Building Distribution—Links subnets/VLANs and applies policy

■ Building Access—Connects users to network

■ Management

■ Edge Distribution—A distribution layer out to the WAN

■ Server Farm—For Enterprise services

Figure 1-3 The Enterprise Composite Model

BUILDING C BUILDING A

Building

Distribution A

Building Distribution B

Building Distribution A

Building Distribution B Distribution ABuilding Building

Distribution B

2nd Floor Access

4th Floor Access 2nd Floor Access 4th Floor Access 2nd Floor Access 4th Floor Access

1st Floor Access 3rd Floor Access 1st Floor Access 3rd Floor Access 1st Floor Access 3rd Floor Access

The Enterprise Edge, shown in Figure 1-4, details the connections from the

campus to the WAN and includes:

Campus Backbone

Edge Distribution

Internal Router

DMZ Firewall Web

Dial - In

Internal Router DMZ Firewall

Public Servers

Internet Router

Firewall

E-Commerce

Internet

The Service Provider Edge is just a list of the public networks that facilitate

wide-area connectivity and include:

■ Internet service provider (ISP)

■ Public switched telephone network (PSTN)

■ Frame Relay, ATM, and PPP

Figure 1-5 puts together the various pieces: Campus, Enterprise Edge, and

Service Provider Edge Security implemented on this model is described in

the Cisco SAFE (Security Architecture for Enterprise) blueprint

Chapter 1: The Evolving Network Model [ 7 ]

SONA and IIN

Modern converged networks include different traffic types, each with unique

requirements for security, QoS, transmission capacity, and delay These

include:

■ Voice signaling and bearer

■ Core application traffic, such as Enterprise Resource Planning (ERP)

or Customer Relationship Management (CRM)

Service Provider Edge Enterprise Edge

Internal Router

DMZ Firewall Web

Database

App Server Internet Router

Corporate Router

Dial-In

Internal Router DMZ Firewall

Public Servers Internet Router

Cisco routers are able to implement filtering, compression, prioritization,and policing Except for filtering, these capabilities are referred to collec-tively as QoS.

IIN describes an evolutionary vision of a network that integrates network andapplication functionality cooperatively and allows the network to be smartabout how it handles traffic to minimize the footprint of applications IIN is built

on top of the Enterprise Composite Model and describes structures overlaid

on to the Composite design as needed in three phases (see Figure 1-6).Phase 1, “Integrated Transport,” describes a converged network, which is builtalong the lines of the Composite model and based on open standards This isthe phase that the industry has been transitioning to recently The CiscoIntegrated Services Routers (ISR) are an example of this trend

Phase 2, “Integrated Services,” attempts to virtualize resources, such asservers, storage, and network access It is a move to an “on-demand” model

By “virtualize,” Cisco means that the services are not associated with a particulardevice or location Instead, many services can reside in one device to easemanagement, or many devices can provide one service that is more reliable

An ISR brings together routing, switching, voice, security, and wireless It is

an example of many services existing on one device A load balancer, whichmakes many servers look like one, is an example of one service residing onmany devices

VRFs are an example of taking one resource and making it look like many Someversions of IOS are capable of having a router present itself as many virtualrouter (VRF) instances, allowing your company to deliver different logicaltopologies on the same physical infrastructure Server virtualization is

another example The classic example of taking one resource and making it

appear to be many resources is the use of a virtual LAN (VLAN) and a

virtual storage area network (VSAN)

Virtualization provides flexibility in configuration and management

Phase 3, “Integrated Applications,” uses application-oriented networking

(AON) to make the network application-aware and to allow the network to

actively participate in service delivery

An example of this Phase 3 IIN systems approach to service delivery is

Network Admission Control (NAC) Before NAC, authentication, VLAN

assign-ment, and anti-virus updates were separately managed With NAC in place,

the network is able to check the policy stance of a client and admit, deny, or

remediate based on policies

IIN allows the network to deconstruct packets, parse fields, and take actions

based on the values it finds An ISR equipped with an AON blade might be

set up to route traffic from a business partner The AON blade can examine

traffic, recognize the application, and rebuild XML files in memory

Corrupted XML fields might represent an attack (called schema poisoning), so

the AON blade can react by blocking that source from further

communica-tion In this example, routing, an awareness of the application data flow, and

security are combined to allow the network to contribute to the success of

the application

Services-Oriented Network Architecture (SONA) applies the IIN ideal to

Enterprise networks SONA breaks down the IIN functions into three layers:

■ Network Infrastructure—Hierarchical converged network and attached

end systems

■ Interactive Services—Resources allocated to applications

■ Applications—Includes business policy and logic

Figure 1-6 IIN and SONA

Phase 1 – Integrated Transport (converged network)

Phase 3 – Integrated Applications

Application Networking Services

Routing protocols are used to pass information about the structure of the

network between routers Cisco routers support the following IP routing

protocols RIP (versions 1 and 2), IGRP, EIGRP, IS-IS, OSPF, and BGP This

section compares routing protocols and calls out key differences between

them

Administrative Distance

Cisco routers are capable of supporting several IP routing protocols

concur-rently When identical prefixes are discovered from two or more separate

sources, Administrative Distance (AD) is used to discriminate between the

paths AD is a poor choice of words; trustworthiness is a better name.

Routers use paths with the lower AD

Table 1-1 lists the default values for various routing protocols Of course,

there are several ways to change AD for a routing protocol or for a specific

Building the Routing Table

The router builds a routing table by ruling out invalid routes and consideringthe remaining advertisements The procedure is:

1. For each route received, verify the next hop If invalid, discard theroute

2. If multiple, valid routes are advertised by a routing protocol, choosethe lowest metric

3. Routes are identical if they advertise the same prefix and mask, so192.168.0.0/16 and 192.168.0.0/24 are separate paths and are eachplaced into the routing table

4. If more than one specific valid route is advertised by different routingprotocols, choose the path with the lowest AD

Comparing Routing Protocols

Two things should always be considered in choosing a routing protocol: fastconvergence speed and support for VLSM EIGRP, OSPF, and IS-IS meetthese criteria Although all three meet the minimum, there are still importantdistinctions, as described below:

■ EIGRP is proprietary, but it is simple to configure and support

■ OSPF is an open standard, but it is difficult to implement and support

■ There are few books on IS-IS and even fewer engineers with

experience who use it IS-IS is therefore uncommon

Table 1-2 compares routing protocols

Table 1-2 Comparison of Routing Protocols

distance

vector

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietaryclassless routing protocol that uses a complex metric based on bandwidthand delay The following are some features of EIGRP:

■ Fast convergence

■ Support for VLSM

■ Partial updates conserve network bandwidth

■ Support for IP, AppleTalk, and IPX

■ Support for all layer 2 (data link layer) protocols and topologies

■ Sophisticated metric that supports unequal-metric proportional load-balancing

■ Use of multicasts (and unicasts where appropriate) instead of

broadcasts

■ Support for authentication

EIGRP Overview

EIGRP’s function is controlled by four key technologies:

■ Neighbor discovery and maintenance—Uses periodic hello messages

■ The Reliable Transport Protocol (RTP)—Controls sending, tracking,and acknowledging EIGRP messages

■ Diffusing Update Algorithm (DUAL)—Determines the best loop-freeroute

■ Protocol-independent modules (PDM)—Modules are “plug-ins” for IP,IPX, and AppleTalk versions of EIGRP

EIGRP uses three tables:

■ The neighbor table is built from EIGRP hellos and used for reliable

delivery

■ The topology table contains EIGRP routing information for best paths

and loop-free alternatives

■ EIGRP places best routes from its topology table into the common

routing table

EIGRP Messages

EIGRP uses various message types to initiate and maintain neighbor

relation-ships, and to maintain an accurate routing table It is designed to conserve

bandwidth and router resources by sending messages only when needed, and

only to those neighbors that need to receive them

Packet Types

EIGRP uses five packet types:

■ Hello—Identifies neighbors and serves as a keepalive mechanism

■ Update—Reliably sends route information

■ Query—Reliably requests specific route information

■ Reply—Reliably responds to a query

■ ACK—Acknowledgment

EIGRP is reliable, but hellos and ACKs are not acknowledged The

acknowledgement to a query is a reply

If a reliable packet is not acknowledged, EIGRP periodically retransmits the

packet to the nonresponding neighbor as a unicast EIGRP has a window

size of one, so no other traffic is sent to this neighbor until it responds After

16 unacknowledged retransmissions, the neighbor is removed from the