CCNA Certification Training - Session 4-2012_04

8/11/2019 CCNA Certification Training - Session 4-2012_04

1/49

Cisco Confidential 1 2010 Cisco and/or its affiliates. All rights reserved.

CCNA Certification PreparationSession 4 of 4April, 2012

Jaskaran Kalsi & Bogdan Doinea

Assoc. Technical Managers

Europe/CEE/RCIS

Cisco Networking Academy


2/49

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

NAT

PPP

Frame Relay

Access Lists

Troubleshooting


3/49



4/49



5/49


6/49



7/49 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

WAN connections are often leased lines, PPP, Frame Relay, ATM workson OSI level 2.

Instead of MAC addresses, they have own 2ndlayer addressingtechnology (DLCI, VPI/VCI etc).



HDLC (High level Data Link Control)

Cisco proprietary (enabled by default)

Low overhead

PPP (Point to Point) Open protocol

Moderate overhead

Features: Authentication, compression etc.



Router(config)#interface serial 0/0

Router(config-if)#encapsulation ppp

Router#show interfaces serial 0/0

Link ControlProtocol is open.

LCP handles all

the features,

services and

service messages

of PPP

IP Control Protocol allows

IP to work over PPP

CDP Control Protocol

allows Cisco Discovery

Protocol to work over PPP

Network Control Protocol family (NCP)



PPP can use PAP or CHAP authentication methods PAP (Password Authentication Protocol) uses encrypted password,

like below

encrypted passwords can be decrypted (cracked)

CHAP (Challenge Handshake Authentication Protocol) useshashed password

HASHED passwords can not be decrypted



Notes: sent-usernameand passwordmust match remote username

andpassword. Passwordsare case-sensitive, but usernames are not.

Hostnamesare not involved.

172.25.3.0/24Serial .1/S0.2/S0

DCEDTE

hostname SantaCruz

username HQpassword HQpass

interface Serial0

ip address 172.25.3.2 255.255.255.0

encapsulation pppppp authentication pap

ppp pap sent-username SantaCruz

password SantaCruzpass

hostname HQ

username SantaCruzpassword SantaCruzpass

interface Serial0

ip address 172.25.3.1 255.255.255.0

encapsulation pppppp authentication pap

ppp pap sent-username HQ

password HQpass



Notes: Hostnamesare involved unless theppp chap hostname

command is used, and must match remote routers username

command (not case-sensitive). Passwordsare case-sensitive and

must match

172.25.3.0/24

Serial .1/S0.2/S0

DCEDTE

hostname SantaCruz

username HQpasswordboardwalk

ppp chap hostname SantaCruz (optional)

interface Serial0

ip address 172.25.3.2 255.255.255.0

encapsulation ppp

ppp authentication chap

hostname HQ

username SantaCruzpasswordboardwalk

ppp chap hostname HQ (optional)

interface Serial0

ip address 172.25.3.1 255.255.255.0

encapsulation ppp

ppp authentication chap



Do a Router#debug ppp authentication

And re-enable the interface (shutdown/no shutdown)


14/49


Layer 1

Cable problems results in

Serial0/0/0 is down, line protocol is down

Layer 2

Clock rate, encapsulation or authentication error results in

Serial0/0/0 is up, line protocol is down

Layer 3

Serial0/0/0 is up, line protocol is up

Still does not work? PPP is not involved here. Check IP addressing!


15/49


Which of the following are key characteristics of PPP (choose two)?

PPP can work with several routed protocols

PPP provides error correction and compression

PPP supports only IP

PPP works on Layer 3 OSI model


16/49


Which PPP sub-protocol is responsible for establishing and terminatingconnection?

o NCP

o IPCP

o CDP

o LCP

o DLCI

o VPI/VCI


17/49


o Incorrect ip addressing

o Wrong type of cable

o Incorrect encapsulation onLayer 2

o Link reliability is too poor

The PPP link

between RTAand RTB

seems to be

down. What

could be the

problem?


18/49



19/49


Packet Switched X.25 => Frame Relay => ATM => MPLS

Can be more flexible than Leased Lines, bandwidth may vary

Point to Point or multipoint


20/49


CIR(Commited Information Rate)min bandwidth guaranteed by ISP

LAR(Local Access Rate)Local physical link maximum bandwidth (like100Mb/s for FastEthernet)

LMI (Local Management Interface)language used between ISP and enddevice. Purposemanage service parameters of connection (quality, statistics,

etc)

DLCI(Data Link Connection Identifier)analog of MAC address used in FR

PVC(Permanent Virtual Circuit)your dedicated virtual link, the way thru acloud

Your serial link can have many PVCs, each of them has its own agreed CIRand DLCI. You can have many PVCs until their summary bandwidth fits LAR.


21/49


FECN(Forward Explicit Congestion Notification)indicates frames that theswitch receiveson the congested link,

BECN(Backward Explicit Congestion Notification)packets that switchplaces

onto the congested link

DE(Discard Eligibility) flag is set on less important packets that can bedropped in case of congestion


22/49


In FR DLCIs are used instead of MAC address

DLCIs are locally significant

You only know your local (own) DLCI, and you never knowdestination DLCI

PVC is your path through a FR cloud, but you dont care how its

elected. This is ISPs responsibility, not yours

You should only care of your DLCI


23/49



24/49


25/49


Frame Relay

Network

Headquarters

Hub City

Satellite Office 1

Spokane

Satellite Office 2

Spokomo

Serial 0

172.16.3.1

Serial 0

172.16.3.2

Serial 0

172.16.3.3

DLCI 301

DLCI 103

DLCI 302

DLCI 203

Notes

Highly scalable solutionDisable Split Horizon on Hub router when

running a distance vector routing protocol

Interface Serial0 (for all routers)

encapsulation frame-relay

no ip address

HubCity

interface Serial0.1mulitpoint

ip address 172.16.3.3 255.255.255.0

frame-relay interface-dlci 301


no ip split-horizon

Spokane

interface Serial0.1point-to-point

ip address 172.16.3.1 255.255.255.0frame-relay interface-dlci 103

Spokomo


ip address 172.16.3.2 255.255.255.0


Multipoint Subinterface at the Hub and Point-to-Point Subinterfaces at the Spokes

One subnet


26/49


Point-to-Point Subinterfaces at the Huband Spokes

Each subinterface on Hub router

requires a separate subnet (or network)

Each subinterface on Hub router is

treated like a regular physical point-to-

point interface, so split horizon does not

need to be disabled.Interface Serial0 (for all routers)


no ip address

HubCity


ip address 172.16.1.1 255.255.255.0

encapsulation frame-relayframe-relay interface dlci 301


ip address 172.16.2.1 255.255.255.0


frame-relay interface dlci 302

Spokane


ip address 172.16.1.2 255.255.255.0

frame-relay interface dlci 103

Spokomo


ip address 172.16.2.2 255.255.255.0frame-relay interface dlci 203

Frame Relay

Network

Headquarters

Hub City

Satellite Office 1

Spokane

Satellite Office 2

Spokomo

Serial 0.1

172.16.1.2/24

Serial 0.1

172.16.2.2/24

Serial 0.1

172.16.1.1/24

DLCI 301

DLCI 103

DLCI 302

DLCI 203

Serial 0.2

172.16.2.1/24

Two subnets


27/49


With multipoint subinterface you can have:

canhave multiple DLCIs assigned to it.

canuse frame-relay map & interface dlci statements

canuse Inverse-ARP

Remember, with point-to-point subinterfaces you:

cannothave multiple DLCIs associated with a single point-to-pointsubinterface

cannotuse frame-relay map statements

cannotuse Inverse-ARP

(canuse the frame-relay int erface dlcistatement for both point- to-po in tand mult ipo int)


28/49


What are three Frame Relay congestion management mechanisms?(Choose three.)

BECN

DLCI

DE

FECN

LMI

Inverse ARP


29/49


Based on the output of the Router connected to a FR cloud, what is

the meaning of dynamic statement?

DLCI 102 has been dynamically allocated by ISP

Interface S0/0/0 was dynamically configured with the help of DLCI102

IP address 10.0.0.2 is configured via DHCP

The remote IP address 10.0.0.2 was mapped to a local DLCI 102dynamically via inverse-ARP

Router#show frame-relay mapSerial0/0/0 (up): ip 10.0.0.2 dlci 102, dynamic, broadcast,

CISCO, status defined, active


30/49


What are the three possible LMI types?

PAgP

IETF

CDPCP

Cisco

ANSI

inARP

Q.933 A


31/49


Why this FR network is failing?

o Split horizon must be disabled.

o The LMI type must be specified.

o Logical subinterfaces must be used instead.

o The frame-relay mapcommands are using incorrect DLCIs.


32/49



33/49


ACLs are for identifyingtraffic. Permitting, Denying, enabling ordisabling smth.

Not just a traffic filter or firewall. Can be used in:

Traffic control

Access control

NAT

Quality of ServiceDemand dial routing

Route filtering

and more

ACLs are read from TOP to BOTTOM and STOP at the FIRSTmatch

Invisible implicit deny any at the end

Applied to an interface Inbound or Outbound, assuming that youare inside of a router


34/49


STANDARD

Matches based on source address

# 199

Applied to port closest to destination

EXTENDED

Matches based on source/destination address, port number,protocol

# 100199

Applied to port closest to source

REFLEXIVE

Allows return traffic from internal request (established)


35/49


Network mask is a way to understand where the network portion of the IP

address ends and where host portion begins Wildcard mask is a tool for filtering IP address bits.

What bits should go through a security control?

IP address 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 1 0 0 1 1 0

Subnet mask 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 0 0 0 0 . 0 0 0 0 0 0 0 0

LOGICAL ANDing process

Net. address 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0

Reference IP 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 1 0 0 1 1 0

Wildcard mask 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 . 1 1 1 1 1 1 1 1

Subject 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 0 0 0 0 0 0

Network portion Host portion

Check these bits Dont care

Subnet mask

Wildcard mask


36/49


Wildcard mask 0.0.1.128

Will require the first 23 and the last 7 bits of IP to be checked Given the reference IP 192.168.2.38

192.168.2.38ok

192.168.2.166ok

192.168.3.38ok

192.168.3.166ok

All others will not match!

Reference IP 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 1 0 0 1 1 0

Wildcard mask 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 . 1 0 0 0 0 0 0 0

192.168.2.38 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 1 0 0 1 1 0

192.168.2.166 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 1 0 1 0 0 1 1 0

192.168.3.38 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 1 . 0 0 1 0 0 1 1 0

192.168.3.166 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 1 . 1 0 1 0 0 1 1 0

192.168.3.39 1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 0 0 0 0 0 1 0 . 0 0 1 0 0 1 1 1

Check these bits Dont care check


37/49


Example: 172.16.32.0 255.255.240.0

RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255

We can calculate the Wildcard Mask by:

255 . 255 . 255 . 255Subnet Mask: - 255 . 255 . 240 . 0

---------------------Wildcard Mask: 0 . 0 . 15 . 255

Remember:

Wildcard mask for the given continuous network is always invert ofa subnet mask, NOT vice versa.

If not sure, Think in binary! Twice!


38/49


Standard ACL

Extended ACL

Named ACL


39/49



40/49


Network administrator would like to permit access to the internet for onlyhosts that are assigned an address in the range 172.16.8.0172.16.15.255. Which wild card mask should be used?

o 0.0.0.255

o 0.0.255.255

o 0.0.3.255

o 255.255.248.0

o 0.0.7.255


41/49


There is a need to restrict telnet access

to R2sLAN, for all R1sLAN users.

Which ACL can be used in this caseand where should it be applied?

R1(config)#access-list 101 deny tcp 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23

R1(config)#access-list 101 permit ip any anyR1(config)#interface fa 0/0

R1(config-if)#ip access-group 101 in


R1(config)#access-list 101 permit ip any any

R1(config)#interface fa 0/0











42/49


The access list below was applied on the e0/0 interface connected to

192.168.1.16/29 LAN in the outbound direction:Access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any

Access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any

What is the effect of such ACL?

FTP traffic from 192.168.1.38 will be deniedFTP traffic from 192.168.1.28 to any host will be denied

no traffic except FTP will be allowed to exit e0/0

All traffic exiting e0/0 will be denied

All FTP traffic to network 192.168.1.16/20 will be denied

Comment: this ACL will deny all traffic, because of implicit DENY

ANY. Do avoid it, the statement access-list 129 permit ip any any

should have been added below.


43/49



44/49


Use common approach

Bottom-up approach using the OSI Model

Check all LEDs on your hardware

Use Windows Service Utilitiesipconfig; ping; trace route;

Remember possible SHOW commands

CDP can help, do not forget about it!

Be confident with DEBUG commands and what they represent

Be very careful when subnetting, think twice!


45/49


General

sh running-configLayer 1

sh ip interface brief

sh interfaces

Layer 2

sh cdp neighbors detail

sh frame relay ?

debug ppp ?

L2 Switching

Sw#sh mac-address-table

Sw#sh vlan brief

sw#sh spanning-tree

Sw#sh vtp status

Sw#sh interfaces [trunk, swithport]

Layer 3sh ip routesh ip protocolssh ip interface

sh ip [routing protocol name] ?sh ip nat ?sh access-listssh ip dhcp ?


46/49


debug ip rip


47/49



48/49


PPP

Understanding PPP

PPP authentication

PPP configuration

Frame Relay

Understanding Frame Relay and terminology Frame Relay topologies

Point-to-Point and Multipoint Frame Relay

Access Lists

What are ACLs

Understanding and calculation Wildcard mask

Configuring ACLs

Troubleshooting

Frequently used commands


49/49

Thank you.

Date post:	02-Jun-2018
Category:	Documents
Upload:	mokone22
View:	238 times
Download:	0 times

CCNA Certification Training - Session 4-2012_04

Documents