Date post: 25-Mar-2020
Page 1: Student Guide Volume 1 Version 09.07 Courses PDF...• An operator can create 2 user CIKs, for a total of 3 CIKs, to allow shift operators access to the same key material. • Physical

Student Guide Volume 1 Version 09.07.16


Table of Contents

Chapter 1 Equipment Overview & Architecture
Chapter 2 IT Networking & Cisco Routing
Chapter 3 Component Level Operations


Equipment Overview and Architecture


Figure: ESB BnCPN Network Example. Labels in the figure: ESB Hub Node; STT; HCLOS V1; HCLOS V3; TSC-93 STT JNN; TSC-85 STT JNN; Step Site DISA; SSS V3; Ku Band, X Band and EHF Band; Signal Platoon Elements; ESB Expeditionary Signal Platoon; ESB Heavy Signal Platoon; TDMA and FDMA links; LOS Back-Up Link.

The above figure is an example of an Area Signal posture and the basic inter-connectivity of Signal assets.

Mission Statement

The Warfighter Information Network - Tactical (WIN-T) is the Army’s current and future tactical network that provides seamless, assured, mobile communications for the warfighter along with advanced network management tools to support implementation of commander’s intent and priorities – incrementally. Increment 1 provides “Networking At-The-Halt” capability down to battalion level with a follow-on “Enhanced Networking At-The-Halt” (Inc 1b) to improve efficiency and encryption to divisions, brigades and battalions. WIN-T Increment 1 components reside at the division, brigade, and battalion levels.

Description

• State of the art COTS/GOTS for the current force.
• Connects the Warfighter to the Global Information Grid.
• DISN connectivity down to battalion level.
• Enhanced mobility and communications at the quick halt.
• Joint and coalition connectivity.
• Provided interface to legacy systems.
• Encrypted SIPRNET traffic through the NIPRNET.
• SATCOM and terrestrial termination.
• Autonomous brigade operations.


Benefits/Capabilities

• Supports modularity by allowing a Brigade Combat Team to have self-sustaining reachback communications.
• Provides internet infrastructure connectivity directly to the Battalion level.
• Transitions Army networks from proprietary protocols to “EVERYTHING OVER IP” (EOIP).
• Allows independent mobility of command posts and centers unconstrained by line of sight radio ranges.
• Incorporates industry standards for network operations and intrusion detection.

The BnCPN has a single radio link into the JNN network via the TDMA satellite. Permanent or static VPNs are built into the JNNs and Hub Node. Dynamic VPNs are built on demand to other BnCPN systems. The establishment of these demand VPNs is based on user requirements to transfer information between BnCPNs. Establishing VPNs between CPNs on an as-needed basis decreases the amount of satellite resources required to support the network.

The THN is a Division asset that provides connectivity to the Defense Information Systems Network (DISN) and the Global Information Grid (GIG). The THN utilizes both FDMA and TDMA satellite connectivity. The THN also serves as the master hub node for TDMA mesh networks of the BCTs and their associated BnCPN.

The JNN is located at the Brigade Combat Team (BCT) element. It serves as both a distribution point for the various systems within the BCT and provides direct network services for the Brigade headquarters elements. The JNN can utilize both TDMA and FDMA satellite connectivity and has a single FDMA link that is usually reserved for connectivity to the THN.

The Regional Hub Node (RHN) is the largest of the four JNN-N Hub Node types, and can provide the following capabilities:

• Provide primary hub node connectivity (FDMA and TDMA) and services for tactical users during reception, staging, onward movement, and integration (RSOI) operations.
• Provide TDMA management support enabling intra-theater Brigade-to-Brigade level routing and network services.
• Provide continuity of operations (COOP) for MRHNs and THNs.
• Provide primary hub node connectivity and services to expeditionary units (e.g., BCT) not deploying with a THN.
• Provide support to Expeditionary Signal Battalions (ESBs)/Integrated Theater Signal Battalions (ITSBs).
• Joint Network Nodes (ITSB-J) that are task organized to support Division and below units.
• Provide a server sanctuary supporting the delivery of theater level services and a stable location for Division or Brigade units to host services for their tactical users.
• Provide WIN-T and legacy JNN Hub Node connectivity and services for mounted battle command on the move (MBCOTM) users.
• Support up to three WIN-T and legacy JNN equipped Divisions, or reconfigurable to support two WIN-T and legacy JNN equipped Divisions, four BCTs, and one separate (non-BCT) mission.
• Extend DISN voice, data, and video services to the warfighter.
• Provide assured, low latency reachback to the TNCCs for Top Secret/Sensitive Compartmented Information (TS/SCI) users using JNNs or CPNs as their transport connection to the RHN.

The RHN system is designed to support 3 separate JNN-enabled Army Divisions and up to 4 stand-alone BCTs through satellite connectivity to the other JNN Network systems, namely the THN, the JNN, and the BnCPN. The RHN will support both Frequency Division Multiple Access (FDMA) and Time Division Multiple Access (TDMA) satellite links. Equipment is grouped into enclaves within the FHRN facility as shown. Each enclave will operate independently of the others.


(WIN-T Inc 1) Systems Architecture Overview

Figure: WIN-T Inc 1 systems architecture overview (labels: NIPR Call Manager, SIPR Call Manager, 10K TQG).


NIPR/SIPR Router Case (front and rear views)

NIPR/SIPR Router Cases: Components

• Micro TACLANE
• ASA 5510 Firewall
• Citrix WANScaler PEP
• Cisco 3825 Router
• Cisco 3560G Ethernet Switch
• Patch Panels
• Signal Entry Panel
• Power Entry Panel

Case Dimensions
• 22.47 W x 19.40 H x 34.50 D

Estimated Case Weight
• 154 lbs.

Estimated Power
• 813 W


BnCPN Signal Flow

Figure: BnCPN signal flow between cases (labels: LOS Case, To LOS).

This diagram illustrates component connections. The VPN Case provides direct connectivity to the Ku Satellite trailer for connectivity into the TDMA satellite network. The VPN Case can be configured to support NIPR users, though this is not part of the standard configuration. The LOS Case is intended to provide connectivity for the BnCPN to a legacy system with a TRI-TAC CDI interface such as an MSE LOS system. When using the LOS Case, DMVPN operation is not possible. The Router Case directly supports the SIPR user, data and voice, and is connected to the VPN Case via fiber.

The BnCPN provides direct network access to users within a Battalion element for secure data and voice services. It utilizes only Time Division Multiple Access (TDMA) satellite connectivity. Line of sight inter-connectivity is provided through the use of the LOS Transit Case. It has permanent links to the THN and JNN and can establish on demand connections to other CPNs within the meshed network. The BnCPN provides LAN and WAN firewall protection.


Routing & Switching

Routing and Switching: Two 3825 Routers

1. SIPR Router
2. NIPR Router

Cisco Catalyst 3650 Ethernet Switch

• The switch terminates IP phones and computers.
• The switch can be stacked with other switches.
• Provides 48 ports with Power over Ethernet (PoE) for VoIP telephones.


ASA 5510 Firewall

• A console port for connecting to serial terminal emulation programs such as HyperTerminal.
• A modem port used for remote console sessions using dial-up connections.
• Four Ethernet ports for connecting the ASA 5510 device to your LAN or local workstation and to the internet.


TACLANE Micro Model KG-175D

• Provides encryption over DoD IP networks and ATM networks (ATDNET & WIN-T).
• Provides security over legacy tactical IP networks (MPN) and strategic IP networks (SIPRNET).
• The SVNs support the logical grouping of users at a common security level in a common community of interest.

Although multiple SVNs can operate at different security levels, they can share common transmission and switching elements because they are isolated from each other via cryptography. SVNs encrypt data prior to passing it over the Ku network.

TACLANE Micro Capabilities:

• Support IP datagram encryption over Ethernet 10/100 Base-TX or 100 Base-FX physical interface.
• 200 Mbps aggregate throughput, full duplex.
• HAIPE v1.3.5 compliant IP encryption.
• 512 security associations support user traffic.
• One security association protects all user traffic between a pair of TACLANEs.
• Automated peer TACLANE discovery using SDD (Secure Dynamic Discovery).
• PPK and FFVS for each security association.
• Up to 16 PPK chains.
• Up to 11 changeover PPKs in each chain.
• IP TFS controls.
• Over the network software download and field software upgrade.
• Up to 9 simultaneous network managers.

Other Characteristics:

• TACLANE can communicate at multiple security levels, one level at any given time. The operator selects the security level.
• The CIK protects one FIREFLY vector set and up to 48 PPKs, all filled using a DTD.
• An operator can create 2 user CIKs, for a total of 3 CIKs, to allow shift operators access to the same key material.
• Physical access control is provided by removing the CIK, which locks the TACLANE.
• TACLANE is NSA-certified to provide Type 1 encryption and decryption for information classified TOP SECRET codeword and below.
• When a valid CIK is inserted, the TACLANE is classified at the highest classification level of the key it contains (but never less than UNCLASSIFIED/CCI).
• When the CIK is removed, the TACLANE is UNCLASSIFIED/CCI and the CIK is UNCLASSIFIED.


Citrix WANScaler

Citrix WANScaler: The WANScaler appliance will optimize WAN links, which gives the network maximum throughput at any distance, making the WAN behave like a LAN. This appliance works transparently on your network; there is no need to reconfigure servers, clients, applications, or your network infrastructure. The WANScaler becomes a virtual gateway that controls the TCP traffic on the link. Normally, TCP is controlled by the endpoint devices, which have no visibility into the state of the link or the amount of other traffic on the link. This situation makes TCP less than advantageous over WAN links. The WANScaler appliance supplies the intelligence that is missing in the network and the TCP connections. It is configured as a virtual gateway with only one parameter – the bandwidth limit – that configures the link speed. By overcoming the inherent limitations of TCP/IP over impaired links (high delay and/or high error), it improves performance of TCP/IP based applications such as web browsing (HTTP), file transfer (FTP), etc.


Uninterruptible Power Supply (UPS) (front and rear views)

The UPS provides emergency power for 12 minutes to the cases in the event of a prime power loss.

• Power Output: 1005 Watts
• Amps: 13 at 115 VAC / 6.5 at 230 VAC
• Backup Time with Full Load: 12 Minutes
• Total Number of Outputs: 4
• Surge Suppression: 480 Joules
• Transfer Time: Zero, true online design
• Operating Temperature: 0 °C to 40 °C
• Automatic Shutdown
• Audible Alarm


BnCPN LOS Case (front and rear views)

Diphase Modem Line Of Sight Interface Case: The LOS case is intended to be used in conjunction with either the Battalion Command Post NIPR case or the Battalion Command Post SIPR case. It accepts a serial interface from the NIPR or SIPR case and applies Forward Error Correction (FEC), encrypts via KIV-7M, and modulates signals using a CTM-100C diphase modem. It supports 2 LOS links.


CTM-100/C

The CDIMs have two modem functions:

• Converts data between Non Return to Zero (NRZ) and Conditioned Diphase signaling types [Cat5 and CX-11230 cables].
• Converts between Fiber Optic and NRZ [TFOCA-II and Cat5 cables].

Characteristics:

• The purpose of the dual port CDIMs is to convert the NRZ data into CDI or fiber.
• Allows interfaces to be extended from the shelter using either CX-11230 cable or fiber optic cable.
• Supports rates up to 4608 kb/s using CX-11230, 18720 kb/s using fiber.
• Transports data up to 2 miles using CX-11230 depending on the transmission rate.
• Transports data up to 10 miles using fiber optic cable for all data rates.
• Can support loopbacks on the NRZ, CDI, or fiber side of the selected port.


HSFEC

HSFEC (High Speed Forward Error Correction):

• High Speed Forward Error Correction card - corrects bit error rates.
• Automatically senses data rates.
• Located in the LOS Interface case, inside the FEC box.
• Houses 1 HSFEC-5 card.


KIV-7M

• Provides digital data encryption/decryption.
• Operates in full duplex synchronous operation employing identical key generators for transmission and reception.


IT Networking and Cisco Routing


Outline

• Internetworking Concepts
• IP Addressing and Subnet Masking
• Introduction to Router Operations
• Routing and Static Routes
• Introduction to Switching
• Open Shortest Path First (OSPF)
• Dynamic Multi-point Virtual Private Networks (DMVPN)
• Introduction to Voice Operations


Internetworking Concepts


Cisco Networking Model

Figure: the three-layer model (Core, Distribution, Access) with Cisco switches and Cisco routers.

The Cisco networking model consists of three layers:

Access Layer: Where end users connect to the network. Multiple groups of users and their resources exist at the Access Layer.

Distribution Layer: Provides the function of routing, filtering, and WAN access. This class focuses on the Distribution Layer and how it functions in the Army tactical communications arena.

Core: Moves data as fast as possible. Normally consists of high-speed switches and routers. In the tactical world, the Core Layer is referred to as SIPRNET and NIPRNET.

• SIPRNET: Secure Internet
• NIPRNET: Non-secure Internet


Tactical Networking Model

Figure: the tactical networking model (labels: Core, Distribution, Access, Brigade).

As mentioned in the previous slide, the distribution layer will be the primary focus of this class. The Access Layer services will be provided by the various units requiring data support. The Core Layer is normally provided by the DOIM or step sites. The Distribution Layer focuses on:

• Aggregation point for access layer devices (hosts, servers, and VTC equipment).
• Routing traffic to provide unit and organizational access between end users as well as internet connectivity.
• Providing translation between different media types such as Ethernet and Serial.
• Providing filtering services and limited security.
• Segmenting the network into multiple collision and broadcast domains.


The Concept of Networking

At its most elementary level, a network consists of two computers connected to each other by a cable so that they can share data. All networking, no matter how sophisticated, stems from that simple principle.

Everything we cover throughout the class is to provide connectivity from one computer to another. It may be email, web page or some other service. In each case, we are connecting one computer to another. Data tends to exist as rather large files. However, networks cannot operate if computers put large amounts of data on the cable at one time. There are two reasons why this slows down the network:

1. Large amounts of data sent as one large unit ties up the network and makes timely interaction and communications impossible, because one computer is flooding the cable with data.

2. Networks reformat large chunks of data into smaller packages. If there is a transmission error, only a small section of data is affected, so only a small amount of data must be resent, making it relatively easy to recover from the error.

In order for many users at once to transmit data quickly and easily across the network, the data must be broken into small, manageable chunks. These chunks are called packets or frames. Packets are the basic units of network communications. With data divided into packets, individual transmissions are speeded up so that every computer on the network will have more opportunities to transmit and receive data. At the target (receiving) computer, the packets are collected and reassembled in the proper order to form the original data. All packets have certain components in common. These include:

• A source address identifying the sending computer.
• The data that is intended for transmission.
• A destination address identifying the recipient.
• Instructions that tell network components how to pass the data along.
• Information that tells the receiving computer how to connect the packet to other packets in order to reassemble the complete data package.
• Error checking information to ensure that the data arrives intact.


Basic Packet Design

Figure: Basic Packet Design, showing the three parts of a packet: Header, Data, and Trailer.

The Header includes:

• An alert signal to indicate that the packet is being transmitted.
• The source address.
• The destination address.
• Clock information to synchronize transmission.

Data - This is the actual data being sent. This part of the packet can be various sizes, depending on the network. The data section in most packets varies from 512 bytes to 4k. Because most original data strings are much longer than 4k, data must be broken into chunks small enough to be put into packets. It takes many packets to complete the transmission of a large file.

Trailer - The exact content of the trailer varies depending on the communication method or protocol. However, the trailer usually contains an error-checking component called a cyclical redundancy check (CRC). The CRC is a number produced by a mathematical calculation on the packet at its source. When the packet arrives at its destination, the calculation is redone. If the results are the same, it indicates that the data in the packet has remained stable. If the calculation at the destination differs from the calculation at the source, it means the data has changed during the transmission. In that case, the damaged packet is discarded and the CRC routine signals the source computer to retransmit the data.


Basic Packet Flow

Figure: Basic Packet Flow. Computer A creates a packet destined for computer F; computers A through F share the wire; all computers examine the header; computer F processes the packet.

As shown above, computer A prepares a packet to be sent on the wire. As the packet travels on the wire, every other computer will look at the header to determine if the packet is destined for it. Each computer looks in the header of the packet for its own unique MAC address (discussed in further detail later in the chapter). Only the computer with the correct address will accept the packet -- in this case, computer F. The router will also check the header of the packet to see if the address matches its own address. As with the computers, if the packet is not destined for the router, it will discard the packet.


The OSI Model (1)

Figure: the seven OSI layers, numbered from 7 down to 1: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1).

The OSI (Open Systems Interconnection) model uses a layered architecture to standardize the levels of service and the interaction types for networked computers.

In 1978, the International Standards Organization (ISO) released a set of specifications that described network architecture for connecting dissimilar devices. In 1984, the ISO released a revision of this model and called it the Open Systems Interconnection (OSI) reference model.

Why OSI Was Developed

The OSI model was developed to provide a consistent method for transmitting and receiving data through the network. All devices supporting the universal protocol would communicate by using a well-defined and well-understood process. Vendors design network products based on the specifications of the OSI model. It provides a description of how network hardware and software work together in a layered fashion to make communications possible. It also helps with troubleshooting by providing a frame of reference that describes how components should function and interact with each other.


The OSI Model (2)

Figure: the seven OSI layers grouped into the Application Layers (Application, Presentation, Session) and the Data Flow Layers (Transport, Network, Data Link, Physical).

Upper Layers - The three upper layers of the OSI reference model are often referred to as the Application Layers. These layers deal with the user interface, data formatting, and application access.

Lower Layers - The four lower layers of the OSI model are responsible for defining how data is transferred across a physical wire, through internetworking devices, to the desired end station or host.

We will briefly discuss the upper layers, but the remainder of this chapter will focus on the lower layers and how they interact in the Army tactical data network.


The OSI Model Upper Layers

Figure: the upper layers with examples. Application Layer (user interface / application interface): TELNET, HTTP, SMTP. Presentation Layer (how data is presented; special processing such as encryption and compression): ASCII, JPEG, GIF. Session Layer (establishing, managing, and terminating communication sessions): application access scheduling.

Application Layer - This is the highest layer of the OSI model. It is the point where the user or application interfaces with the protocols to gain access to the network. For example, a word processor is serviced by file transfer services, Microsoft Explorer is serviced by http and www, and Microsoft Outlook is serviced by SMTP.

Presentation Layer - The presentation layer provides a variety of coding and conversion functions that are applied to the application layer data. These functions ensure that data sent from the application layer of one system can be read by the application layer of another system. An example is jpeg and gif formats of images displayed on web pages. This formatting ensures that all web browsers, regardless of operating system, can display the images.

Session Layer - The session layer is responsible for establishing, managing, and terminating communication sessions between presentation layer entities. Communications at this layer consist of service requests and responses that occur between applications located in different devices. An example of coordination would be between a database server and a database client.


The OSI Model Lower Layers

Figure: the lower layers with examples. Transport Layer (reliable or unreliable delivery; error correction before retransmit): TCP, UDP, SPX. Network Layer (provides logical addressing which routers use for path determination): IP, IPX. Data Link Layer (combines bits into bytes and bytes into frames; access to media using MAC address; error detection, not correction): 802.3/802.2, HDLC, PPP. Physical Layer (moves bits between devices; specifies voltage, wire speed, and pin-out of cables): EIA/TIA-232, V.35, RS-442.

It is the responsibility of the protocol stack to provide communications between the network devices. A protocol stack is the set of rules that define how information travels across the network. An example of this would be TCP/IP. The OSI reference model provides the basic framework common to most protocol stacks. Each layer of the model allows data to pass across the network. These layers exchange information to provide communications between the network devices. The layers communicate with one another using protocol data units (PDUs). These PDUs control what information is added to the user data. PDUs are covered in more detail on the next page.


Encapsulation

As the transmitted user data travels down the OSI stack, bits are added to the header or trailer by each layer. This is encapsulation.

Figure: encapsulation down the stack. At each layer the PDU grows: Upper Layer Data; Segment = TCP header + Upper Layer Data (Transport); Packet = IP header + Segment (Network); Frame = LLC and MAC headers + Packet + FCS/CRC trailer (Data Link); Bits = the frame as a string of binary ones and zeros (Physical).

Received data travels up the OSI stack. Header and trailer bits are stripped off as they are examined at each layer. Finally, only the user data remains. This process is called decapsulation, also called de-encapsulation.

Because a PDU includes different information as it goes up or down the layers, it is given a name according to the information it is carrying. Information added at the transport layer is called the TCP header; the PDU is then referred to as a segment. When passed down to the network layer, an IP header is placed on the PDU, which is then referred to as a packet. The data link layer actually has two sublayers: the logical link control layer (LLC) and the media access control layer (MAC). When this data is added, the PDU is referred to as a frame. The complete product is referred to as bits after the frame has been formatted into electrical signals at the correct voltage levels representing binary highs and lows on the physical media. This method of passing data down the stack and adding header information is called encapsulation. After the data travels across the network and is received at the destination machine, the process is reversed and is called decapsulation.

The concept of encapsulation is relatively simple. Pretend that you were sending a package through the post office. The first thing you would do is decide what you are sending (Upper Layer information). Then you would wrap the package for shipment. If you sent it priority mail (TCP/UDP), you would add that label. You might even add a note for the receiving end to call when the package is delivered (TCP). You would then address the package -- the portion of the address containing the city, state, and zip code is the IP (or network) address, while the remaining address references the local street address for the destination (LLC and MAC). You might then place special tape to verify whether the package has been tampered with (FCS/CRC), and if the package had been tampered with or altered in some way, the recipient could refuse to accept the package. Frame Check Sequence (FCS) and Cyclical Redundancy Check (CRC) are two different methods for error checking and detection. We will not go into great detail about either. The key point to remember is that they both provide an error detection algorithm to test the integrity of the packet received. Do not confuse this with error recovery. Error recovery is performed at the transport layer and is covered in further detail later in this chapter.


Transport Layer

In order to connect two devices in the fabric of the network, a connection or session must be established. The transport layer defines the end-to-end station establishment guidelines.

TCP: connection-oriented, trusted, reliable
UDP: connectionless, un-trusted, unreliable

The transport layer provides the following functions:

• Allows end stations to assemble and disassemble multiple upper-layer segments into the same transport layer data stream. This is accomplished by assigning upper-layer application identifiers. Within the TCP/IP protocol suite (discussed a little later in this chapter), these identifiers are known as port numbers. The OSI reference model refers to these as Service Access Points (SAPs). The transport layer uses these port numbers to identify application layer entities such as FTP and Telnet.

• Allows applications to request reliable data transport between communicating end systems, which accomplishes the following:

1. Ensure that segments delivered will be acknowledged back to the sender.

2. Provide for retransmission of any segments that are not acknowledged.

3. Put segments back into their correct sequence order at the receiving end.

4. Provide congestion avoidance and control.


TCP Header and UDP Header

TCP header fields (field sizes as shown on the slide; bytes unless marked bits):

Source Port 2 | Dest. Port 2 | Sequence Number 4 | ACK Number 4 | Offset 4 bits | Reserved 6 bits | Flags 6 bits | Window Size 2 | Checksum 2 | Urgent 2 | Options 3 | Pad 1

UDP header fields (bytes):

Source Port 2 | Dest. Port 2 | Length 2 | Checksum 2

TCP provides for reliable data transfer, which is also referred to as trusted and/or connection oriented. This is accomplished by using the Sequence and Acknowledgement fields in the TCP header. It also uses the Window Size to determine when an acknowledgement is required. This allows the two computers to negotiate the number of packets sent before an acknowledgement must be provided. UDP is referred to as unreliable, un-trusted, and/or connectionless. As you can see in the header above, there is not much information sent with a UDP packet other than the source and destination port.
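To make the field widths above concrete, here is an added example (not code from the guide) that serializes and decodes a TCP header and a UDP header with Python's struct module. It reuses the guide's handshake values (ports 1027 and 80, SEQ=100, SYN); the window size, the MSS option bytes and the zero checksum are constructed, and the 6 reserved bits on the slide are split across the offset byte and the flags byte as the wire format does.

```python
"""Build and decode TCP/UDP headers with the field layout shown on the slide.
Added illustration; not code from the guide.  Checksums are left at 0 because
a real stack computes them over a pseudo-header that includes the IP addresses."""
import struct

# Fixed part of the TCP header: 20 bytes = data offset of 5 x 32-bit words.
TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset|reserved, flags, window, checksum, urgent
UDP_FMT = "!HHHH"        # sport, dport, length, checksum
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}   # the slide's six flag bits


def build_tcp(sport, dport, seq, ack, flags, window=8192, options=b""):
    """Serialize a TCP header; options are padded to a 32-bit boundary (the Pad field)."""
    if len(options) > 40:
        raise ValueError("TCP options are limited to 40 bytes (offset is a 4-bit word count)")
    opts = options + b"\x00" * ((-len(options)) % 4)
    offset_words = 5 + len(opts) // 4          # header length in 32-bit words
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    fixed = struct.pack(TCP_FMT, sport, dport, seq, ack,
                        offset_words << 4,     # high nibble = offset, low nibble = reserved
                        flag_byte, window, 0, 0)
    return fixed + opts


def parse_tcp(data: bytes) -> dict:
    """Decode a TCP header, rejecting a data offset that points outside the segment."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_byte,
     window, checksum, urgent) = struct.unpack(TCP_FMT, data[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(data):
        raise ValueError("data offset points outside the segment")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "reserved": off_res & 0x0F,
            "flags": [n for n, bit in FLAG_BITS.items() if flag_byte & bit],
            "window": window, "checksum": checksum, "urgent": urgent,
            "options": data[20:header_len], "payload": data[header_len:]}


def build_udp(sport, dport, payload: bytes) -> bytes:
    """UDP carries only ports, a length (header + payload) and a checksum."""
    return struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload


def parse_udp(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = struct.unpack(UDP_FMT, data[:8])
    if length < 8 or length > len(data):
        raise ValueError("UDP length field does not match the datagram")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": data[8:length]}


if __name__ == "__main__":
    syn = build_tcp(1027, 80, 100, 0, ["SYN"])                      # guide's step 1
    print(parse_tcp(syn))
    print(parse_udp(build_udp(53, 53, b"constructed DNS payload")))
```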


TCP Connection

3 Step Start Up (host on one side, server on the other):

Host -> Server: SEQ=100, SYN, DPORT=80, SPORT=1027
Server -> Host: SEQ=1000, ACK=101, SYN ACK, DPORT=1027, SPORT=80
Host -> Server: SEQ=101, ACK=1001, ACK, DPORT=80, SPORT=1027

Step 1: Let's start with the host computer requesting a TCP connection to a server. The (SEQ=) indicates the number of bytes in the packet. This allows the destination TCP counter to verify that 100 bytes were received. The (SYN) is sent in the flag field of the TCP header and indicates a request for connection. DPORT= is the destination port number. This tells the server what type of service connection you are requesting. In this example, it is an HTTP connection.

Step 2: The server responds with (SEQ=1000), indicating 1000 bytes of information for the SEQ parameters, and it sends (ACK=101), indicating it received the 100 bytes of information from the first packet. The (SYN) is a request to SYNC the SEQ fields, and the (ACK) means the acknowledgement field is valid in this header.

Step 3: The host replies with (SEQ=101), which is the number of bytes in the packet; the (ACK=1001) says "I received 1000 from the previous segment and I acknowledge it by providing a reply of 1001." Now that the parameters have been established, the computers can begin communications. The ensuing connection may be a simple request to open a web page.


TCP Moving Data (SIMPLE)

Simple data transfer with an ACK of 3000:

Server -> Host: 1000 BYTES of data, Sequence=1000
Server -> Host: 1000 BYTES of data, Sequence=2000
Server -> Host: 1000 BYTES of data, Sequence=3000
Host -> Server: No data, Acknowledgement=4000

In the scenario above, the server sends three 1000-BYTE packets. If all three are received without error, the host computer acknowledges with ACK=4000. This tells the server to continue with the transmission.


TCP Moving Data (Error Recovery)

Data transfer with an error:

Server -> Host: 1000 BYTES of data, Sequence=1000
Server -> Host: 1000 BYTES of data, Sequence=2000 (lost)
Server -> Host: 1000 BYTES of data, Sequence=3000
Host -> Server: No data, Acknowledgement=2000
Server -> Host: 1000 BYTES of data, Sequence=2000 (resent)
Host -> Server: No data, Acknowledgement=4000

In the scenario above, the host computer received the first packet and the third packet, but the second packet was lost. The host sends a reply back to the server requesting that SEQ=2000 be resent. The server waits for the host to reply with an ACK=4000 to continue or another ACK indicating another packet was lost as well. If the server has sent all three packets and receives no reply, then the server assumes nothing was received and resends all three packets.


TCP Moving Data (Windowing)

Host -> Server: ACK=1000, Window=3000
Server -> Host: 1000 BYTES of data, Sequence=1000
Server -> Host: 1000 BYTES of data, Sequence=2000
Server -> Host: 1000 BYTES of data, Sequence=3000
Host -> Server: ACK=4000, Window=4000
Server -> Host: 1000 BYTES of data, Sequence=4000
Server -> Host: 1000 BYTES of data, Sequence=5000
Server -> Host: 1000 BYTES of data, Sequence=6000
Server -> Host: 1000 BYTES of data, Sequence=7000
Host -> Server: ACK=8000, Window=5000

With Windowing, the amount of data sent before an ACK is required can change. In this scenario, the host continues to raise the window size after each ACK if no errors were detected. This continues until there are errors, and then the host computer decreases the window size until the errors are cleared. The WINDOW slides up and down based on network performance and is often referred to as a sliding window for this reason. It is the SEQ+ACK+WINDOW SIZE working together that make this whole process work, adjusting for network conditions and providing error recovery.


TCP Shutdown

4 Step Shutdown:

Host -> Server: ACK FIN, SEQ=1000
Server -> Host: ACK, ACK=1001
Server -> Host: ACK FIN, ACK=1001, SEQ=1470
Host -> Server: ACK, ACK=1471

Step 1: Now that all the data has been transferred, the host requests a shutdown of the TCP connection. In the flag field, it sends a (FIN), which stands for finished.

Step 2: The server replies with an ACK in the flag field and ACK=1001, letting the host know it has received the request.

Step 3: The first reply from the server was to notify the host that it received the request, so that the host does not continually resend; the server then waits on the application to respond to the request. Once the application program has responded, the second ACK is sent along with a FIN.

Step 4: The host replies with an ACK in the flag field and ACK=1471, indicating it received the last transmission. The TCP connection is now closed.
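The sequence and acknowledgement arithmetic from the connection, data transfer, error recovery and shutdown pages above, as an added example that is not code from the guide. It uses the guide's own numbers (ISN 100 and 1000, ports 1027 and 80, 1000-byte segments from Sequence=1000, FIN at SEQ=1000 and 1470); the Receiver class is an assumption that models standard cumulative acknowledgement, so it answers every segment rather than once per window, but the final ACK=4000 and the repeated ACK=2000 after a loss come out exactly as on the slides.

```python
"""Sequence/ACK bookkeeping for the guide's TCP pages.  Added illustration, not
code from the guide.  Simplification: one receiver, no timers, no checksums."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    seq: int                    # sequence number of the first byte carried
    length: int = 0             # payload bytes (0 for a pure ACK or control segment)
    flags: tuple = ()           # e.g. ("SYN",), ("SYN", "ACK"), ("FIN", "ACK")
    ack: Optional[int] = None   # acknowledgement number; None when the ACK flag is absent
    sport: int = 0
    dport: int = 0

    def consumes(self) -> int:
        # A SYN or FIN occupies one sequence number although it carries no data;
        # that is why ACK=101 answers SEQ=100 SYN on the handshake slide.
        return self.length + (1 if "SYN" in self.flags or "FIN" in self.flags else 0)


def three_way_handshake(client_isn: int = 100, server_isn: int = 1000,
                        sport: int = 1027, dport: int = 80) -> list:
    """The '3 Step Start Up': SYN, SYN ACK, ACK."""
    syn = Segment(seq=client_isn, flags=("SYN",), sport=sport, dport=dport)
    syn_ack = Segment(seq=server_isn, flags=("SYN", "ACK"),
                      ack=syn.seq + syn.consumes(), sport=dport, dport=sport)
    ack = Segment(seq=syn_ack.ack, flags=("ACK",),
                  ack=syn_ack.seq + syn_ack.consumes(), sport=sport, dport=dport)
    return [syn, syn_ack, ack]


def four_step_shutdown(host_seq: int = 1000, server_seq: int = 1470,
                       sport: int = 1027, dport: int = 80) -> list:
    """The '4 Step Shutdown': FIN, ACK, FIN ACK, ACK."""
    fin1 = Segment(seq=host_seq, flags=("FIN", "ACK"), sport=sport, dport=dport)
    ack1 = Segment(seq=server_seq, flags=("ACK",),
                   ack=fin1.seq + fin1.consumes(), sport=dport, dport=sport)
    # The server's own FIN waits for its application; it repeats the same ACK number.
    fin2 = Segment(seq=server_seq, flags=("FIN", "ACK"), ack=ack1.ack,
                   sport=dport, dport=sport)
    ack2 = Segment(seq=ack1.ack, flags=("ACK",),
                   ack=fin2.seq + fin2.consumes(), sport=sport, dport=dport)
    return [fin1, ack1, fin2, ack2]


class Receiver:
    """Cumulative acknowledgement: the ACK number is always the first byte not yet
    received in order, so a missing segment makes the receiver repeat the same ACK."""

    def __init__(self, next_expected: int):
        self.next_expected = next_expected
        self.out_of_order = {}      # seq -> consumed length, held until the gap fills

    def receive(self, seg: Segment) -> Segment:
        if seg.seq == self.next_expected:
            self.next_expected += seg.consumes()
            while self.next_expected in self.out_of_order:   # buffered data now in order
                self.next_expected += self.out_of_order.pop(self.next_expected)
        elif seg.seq > self.next_expected:
            self.out_of_order[seg.seq] = seg.consumes()      # keep it, re-ACK the gap
        # seg.seq < next_expected is a duplicate: nothing changes, the ACK is repeated.
        return Segment(seq=0, flags=("ACK",), ack=self.next_expected)


def transfer(segments: list, lost: set, first_seq: int) -> list:
    """Deliver `segments` to a Receiver, dropping those whose seq is in `lost`, then
    retransmit the lost ones.  Returns the ACK numbers the receiver sent back."""
    rx = Receiver(first_seq)
    acks = []
    for seg in segments:
        if seg.seq not in lost:         # a lost segment never arrives, so no ACK for it
            acks.append(rx.receive(seg).ack)
    for seg in segments:                # sender resends what the repeated ACK reported missing
        if seg.seq in lost:
            acks.append(rx.receive(seg).ack)
    return acks


if __name__ == "__main__":
    data = [Segment(seq=s, length=1000) for s in (1000, 2000, 3000)]   # constructed
    print("no loss  :", transfer(data, set(), 1000))     # [2000, 3000, 4000]
    print("lost 2000:", transfer(data, {2000}, 1000))    # [2000, 2000, 4000]
```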


Network Layer

The network layer defines how to transport traffic between devices that are not locally attached in the same broadcast domain.

Two pieces of information are required to do this:

• A logical address (source and destination)
• A path through the network

Network layer addresses (also called virtual or logical addresses) exist at layer 3 of the OSI reference model. Unlike the data link layer address, which usually exists within a flat address space, network layer addresses are usually hierarchical in that they define the network first and then the devices or nodes on each of those networks. So logical addresses contain information that can be used to route packets. MAC addresses (physical addresses) at Layer 2 are just serial numbers for a piece of hardware. This logical addressing in conjunction with the subnet mask allows the network manager to define what portion of an address is the network and what portion is the host.


Network Layer IP Address

148.43.200.16

Decimal: 148      | 43       | 200      | 16
Range:   0-255    | 0-255    | 0-255    | 0-255
Binary:  10010100 | 00101011 | 11001000 | 00010000
Bits:    8 + 8 + 8 + 8 = 32 bits
         16 network bits | 16 host bits

The logical address consists of two portions. One part uniquely identifies each network within the internetwork, and the other part uniquely identifies the host on that network. Combining both portions results in a unique network address for each device. This unique address has two functions.

1. The network portion identifies each network in the internetwork structure, allowing the routers to identify paths through the network cloud. The router uses this address to determine where to send network packets, in the same manner that the zip code determines the state and city to which a package should be delivered.

2. The host portion identifies a particular device or a device’s port on the network in the same manner that a street address on a letter identifies a location within that city.

There are many network layer protocols, and they all share the function of identifying networks and hosts throughout the internetwork structure. Most of these protocols have different schemes for accomplishing this task. TCP/IP is a common protocol that is used in router networks.


An Internet Protocol (IP) address has the following components to identify networks and hosts:

• A 32-bit address, divided into four 8-bit sections called octets. This address identifies a specific network and a specific host on that network by subdividing the bits into network and host portions.

• A 32-bit subnet mask that is also divided into four 8-bit octets. The subnet mask is used to determine which bits represent the network and which bits represent the host. The bit pattern for a subnet mask is a string of repeating 1s followed by the remaining bits, which are set to zero.

The portion of the mask with 1 bits defines the network portion of the IP address, and the 0 bits represent the host bits in the address. With that in mind, the mask must accompany the IP address for other computers and routers to determine how much of any address is network and how much is reserved for hosts. The function of the subnet mask is to mask the host portion of the IP address so that the network address can be identified. Routers route to networks, so they must be able to identify what network an IP address is on.


Data Link Layer

The data link layer provides communications between workstations at the first logical layer above the bits on the wire.

The data link layer is broken into two sub-layers, the MAC and LLC.

Media Access Control (MAC)
Logical Link Control (LLC)

The data link layer has two sub-layers. They are described below.

Media Access Control (MAC) Sub-layer (802.3)

The Media Access Control sub-layer is responsible for how the data is transported over the physical wire. This is the part of the data link layer that communicates with the physical layer. It defines such functions as physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control.

Logical Link Control (LLC) Sub-layer (802.2)

The logical link control sub-layer is responsible for logically identifying different layer 3 protocol types and then encapsulating them at layer 2 in order to be transmitted across the network. A type code identifier does the logical identification; these codes are referred to as Service Access Points (SAP).

The data link layer provides the physical addressing necessary for communications on a LAN, and it provides error detection. Cisco Layer 2 switches operate at the data link layer, because they use physical addressing to move data from source to destination.


MAC Address (1)

MAC address: 0000C0A05124
  0000C0 - IEEE assigned vendor code
  A05124 - vendor assigned serial number

MAC addresses contain 6 bytes/octets (48 bits) that protocol analyzers display as 12 hexadecimal characters. The first three bytes (pairs of hexadecimal characters) contain the vendor address component of the NIC (network interface card) address. The last three bytes carry the serial number of that vendor’s card. Although many vendors are careful not to use registered codes, others are not so careful. A code may be the same on two or more vendors’ NICs. If these cards are installed on the same network segment, the results could be unpredictable.


MAC Address (2)

UNICAST   0000c0a04424  one device (vendor code + serial)
MULTICAST 010001d00000  group of devices
BROADCAST FFFFFFFFFFFF  all devices

The hexadecimal format uses 16 characters – 0 through 9, and A through F. Any of these characters used in the MAC address represent four binary bits. 0 in hexadecimal represents 0000 in binary, 1 represents 0001, 2 represents 0010, and so on, until the last hexadecimal character is reached - F, representing binary 1111. Turning on the lowest valued bit in the first byte of the Ethernet address field indicates that the transmission is a multicast and multiple recipients share the destination address. Some of the systems participate in more than one multicast group. An example of a multicast is VTC (Video teleconferencing). The broadcast address field will contain all 1s as indicated by the hexadecimal Fs. All the computers on that cable segment will process packets with that destination address. For example, if one computer wants to ask for information from another local computer, first it must identify that computer’s MAC address. The source address will always be unicast.


Broadcast Packets

Two types:
1. Directed - last IP in a subnet range
2. Local - an IP address of all 1s

Directed broadcast packet: destination IP address 148.18.255.255, destination MAC address FFFFFFFFFFFF
Local broadcast packet: destination IP address 255.255.255.255, destination MAC address FFFFFFFFFFFF

The IP address whose bits are all 1s, or 255.255.255.255 in dotted decimal notation, is called a local broadcast address. The local broadcast address can be used as a destination IP address only. It addresses all hosts on a segment. A common use for a local broadcast is for a host that has no IP configuration information to utilize it as a destination address to request IP information, such as with Dynamic Host Configuration Protocol (DHCP). A local broadcast is never forwarded by a router. Once the router receives the DHCP request it replaces the local broadcast destination address with a preconfigured IP address for the DHCP server. The IP address whose host ID bits are all 1s is called a directed broadcast address. A directed broadcast address can appear as a destination IP address only. It addresses all hosts on the segment whose network ID is equal to the network ID of the directed broadcast address. A directed broadcast is utilized by a host on a network segment when it has information for all other hosts on that segment such as an ARP request.
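The address arithmetic from the IP address, MAC address and broadcast pages above, as an added example that is not code from the guide: it applies a subnet mask to split network and host bits, decides whether two hosts share a network (and so whether a router is needed), classifies a destination IP as local broadcast, directed broadcast or unicast, and splits a MAC address into vendor code and serial while reading the multicast bit. The sample values are the ones printed on those pages (148.43.200.16 with a 16-bit mask, 148.18.255.255, 0000C0A05124, 010001d00000); the function names and the mask-validity check are assumptions.

```python
"""Layer 3 / layer 2 address arithmetic from the guide's addressing pages.
Added illustration; not code from the guide."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _mask_int(mask: str) -> int:
    """Parse a dotted mask and reject one that is not a run of 1s followed by 0s."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & ALL_ONES                  # the host bits
    if inv & (inv + 1):                  # host bits must be a contiguous low run
        raise ValueError(f"{mask} is not a valid subnet mask")
    return m


def split_ip(address: str, mask: str) -> dict:
    """1 bits of the mask select the network, 0 bits select the host."""
    addr = int(ipaddress.IPv4Address(address))
    m = _mask_int(mask)
    inv = ~m & ALL_ONES
    network_bits = bin(m).count("1")
    return {
        "network": str(ipaddress.IPv4Address(addr & m)),
        "host_number": addr & inv,
        "network_bits": network_bits,
        "host_bits": 32 - network_bits,
        "binary": " ".join(f"{(addr >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "directed_broadcast": str(ipaddress.IPv4Address(addr | inv)),  # host bits all 1s
    }


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts sit on one segment; otherwise a router must carry the packet."""
    m = _mask_int(mask)
    return int(ipaddress.IPv4Address(ip_a)) & m == int(ipaddress.IPv4Address(ip_b)) & m


def classify_destination(dst_ip: str, network: str, mask: str) -> str:
    """Local broadcast (all 1s, never routed), directed broadcast (host bits all 1s
    on the given network) or unicast."""
    addr = int(ipaddress.IPv4Address(dst_ip))
    if addr == ALL_ONES:
        return "local broadcast"
    m = _mask_int(mask)
    inv = ~m & ALL_ONES
    net = int(ipaddress.IPv4Address(network)) & m
    if addr & m == net and addr & inv == inv:
        return "directed broadcast"
    return "unicast"


def classify_mac(mac: str) -> dict:
    """Split a 12-hex-digit MAC into vendor code and serial and read its type."""
    hexstr = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("a MAC address is 12 hexadecimal characters")
    first_byte = int(hexstr[:2], 16)
    if hexstr == "f" * 12:
        kind = "broadcast"               # all 1s: every station on the segment
    elif first_byte & 0x01:              # lowest-valued bit of the first byte: group address
        kind = "multicast"
    else:
        kind = "unicast"
    return {"kind": kind, "vendor_code": hexstr[:6], "serial": hexstr[6:],
            "binary": format(int(hexstr, 16), "048b")}


if __name__ == "__main__":
    print(split_ip("148.43.200.16", "255.255.0.0"))
    print(classify_destination("148.18.255.255", "148.18.0.0", "255.255.0.0"))
    for m in ("0000C0A05124", "010001d00000", "FFFFFFFFFFFF"):
        print(m, classify_mac(m)["kind"])
```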


Physical Layer

The physical layer defines the media type, connector type, and signaling type.

Twisted pair pin-out:
Pin: 1   2   3   4   5   6   7   8
     TD+ TD- RD+ N/C N/C RD- N/C N/C
Pins 1 & 2 - Pair #1 Transmit Data
Pins 3 & 6 - Pair #2 Receive Data
Pins 4, 5, 7, & 8 - Not Connected

THINLAN

The physical layer defines the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating the physical link between end systems. It also specifies the voltage levels, data rates, maximum transmission distances, and physical connectors. The physical media and the connectors used to connect devices into the media are defined by standards at the physical layer. The Ethernet and IEEE 802.3 (CSMA/CD) standards define a bus topology LAN that operates at a baseband signaling rate of 10/100 megabits per second. Three examples are listed below:

• 10Base2 -- known as Thinnet. Allows network segments up to 185 meters on coaxial cable by interconnecting or chaining devices together.
• 10Base5 -- known as Thicknet. Allows network segments up to 500 meters on large coaxial cable with devices tapping into the cable to receive signals.
• 10BaseT -- Carries Ethernet signals up to 100 meters on inexpensive twisted-pair wiring back to a centralized concentrator called a hub. Hubs operate at the physical layer.

The 10 refers to the speed. The Base refers to baseband signaling. The T refers to the type of cabling used, twisted pair.

When routers are connected together over some form of transmission media, serial cabling is normally used. These serial connections are referred to as WAN connections. A few examples of serial cables are RS-232, RS-449, and RS-530. As with the Ethernet cabling mentioned above, the physical layer determines all aspects of the cable, which includes transmit and receive pins and control leads.


Network Adapter

Network Adapter: The Physical Media and Media Access Control (MAC) Address

Before data can be sent over the network, the network adapter card must change it from a form the computer can understand to another form, which can travel over a network cable. Data moves through a computer along paths called busses. These are actually several data paths placed side by side. Because several paths are side-by-side (parallel), data can move along them in groups instead of a single (serial) data stream. Older busses, such as those used in the original IBM personal computer, were known as 8-bit busses because they could move data 8 bits at a time. The IBM PC/AT used a 16-bit bus, which means it could move data 16 bits at a time. Many computers use 32-bit buses. When data travels on a computer's bus, it is said to be traveling in parallel because the 16 or 32 bits are moving along side by side. Think of a 16-bit bus as being a 16-lane highway with 16 cars moving side-by-side (moving in parallel), each carrying one bit of data.

On the network cable, data must travel in a single bit stream. When data travels on a network cable, it is said to be traveling as a serial transmission because one bit follows another in series. In other words, the cable is a one-lane highway. The data on these highways always travels in one direction. The computer is either sending or receiving data. The network adapter card takes data traveling in parallel as a group and restructures it so that it will flow through the 1-bit wide serial path of the network cable. This is accomplished through the translation of the computer's digital signals into electrical and optical signals that can travel on the network's cables. The component responsible for this is the transceiver.

Network adapter cards act as the physical interface or connection between the computer and the network cable. The cards are installed in an expansion slot in each computer and server on the network. After the card has been installed, the network cable is attached to the card's port to make the actual physical connection between the computer and the rest of the network. The role of the network adapter card is to:

1) Prepare data from the computer for the network cable.
2) Send the data to another computer.
3) Control the flow of data between the computer and the cabling system.


MAC Addressing

Encapsulation figure (slide, as on the Encapsulation page): Segment = TCP | Upper Layer Data; Packet = IP | TCP | Upper Layer Data; Frame = MAC | LLC | IP | TCP | Upper Layer Data | FCS/CRC; Bits = 0110111100011101110111101111101111110111101110111011101.

LAN example (slide): computers A, B, C, D, E and F on one segment. Source MAC 0000c0a04424 (computer A), destination MAC 0001b0a01342 (computer F).

As we discussed earlier in the chapter, communication on a LAN is half-duplex. That is, only one computer sends data at a time. All other computers on the LAN, including the router port, will also be listening. What they are listening for is their MAC address. If in the header of a packet they find their MAC address, that machine will accept and process the contents of the packet. It is important to keep in mind that all communication on a LAN is done using MAC addressing. The IP address is not needed for communication on a LAN. However, if you want to send or receive data outside of your LAN, an IP address is needed. The relation between the two and how they are used in the router will be covered in the TCP/IP portion of the class. In the example above, computer A is attempting to send a packet to computer F. To do this, computer A needs computer F's MAC address. That information is included in the packet at the data link layer along with the CRC. The packet is then sent out on the wire. Computer F identifies the destination MAC address and accepts the contents of the packet. It uses the CRC to verify the packet was received without error.


TCP/IP Protocol Stack (1)

OSI model layer, its function, and the corresponding TCP/IP model layer (slide):

Application - user interface (application interface) - TCP/IP Process/Application
Presentation - how data is presented; special processing such as encryption and compression - TCP/IP Process/Application
Session - establishing, managing, and terminating sessions - TCP/IP Process/Application and Host-to-Host
Transport - reliable or unreliable delivery; error correction before retransmit - TCP/IP Host-to-Host
Network - provides logical addressing, which routers use for path determination - TCP/IP Internet
Data Link - combines bits into bytes and bytes into frames; access to media using MAC address; error detection - TCP/IP Network Access
Physical - moves bits between devices; specifies voltage, wire speed, and pin-out cables - TCP/IP Network Access

There is no direct correlation between TCP/IP and the OSI model. However, many people understand protocol stacks by using the OSI model. Therefore, we have put the two stacks here for comparison. The TCP/IP Process/Application layer is roughly equivalent to the OSI application and presentation layer. The host-to-host layer shares the session layer with the process layer and is similar to the OSI transport layer. The internet layer is similar to the OSI network layer, and the network access layer aligns with the data link and physical layers of the OSI model.


TCP/IP Protocol Stack (2)

Protocol map (slide):

Process/Application: TELNET (23), FTP (20, 21), SMTP (25), DNS (53, 53), BOOTP/DHCP (67, 68), TFTP (69), SNMP (161, 162) - port numbers
Host-to-Host: TCP (6), UDP (17) - IP protocol numbers
Internet: ARP (0806), IP (0800), RARP (8035) - Ethernet type codes; IGRP (88), OSPF (89), ICMP (01) - IP protocol numbers
Access: Ethernet, Token Ring, FDDI, SLIP, PPP, others

The network access layer, or physical/data link layer (OSI), is responsible for the physical movement of the data over the wire or fiber used in the network. It also monitors packets on the wire in search of MAC addresses. The data link piece and internet piece are covered in more detail below.

The Access Layer provides:

• A Target Hardware Address field is first, so that the NICs know when a packet is destined for their computer. The first bits of data all other computers will see on a LAN are the target MAC address. If a computer finds a match to its internal MAC, it will accept the packet for processing.
• A Source Hardware Address field identifies the specific hardware card that originated the Ethernet frame. The destination will know immediately where the packet came from.
• The Protocol Field acts as a shipping label to identify what function is to receive the contents of this packet at the target end of the transmission.
• Ethernet and IEEE rules set limits on the size of a packet carried on the wire. The MTU (maximum transmission unit) specifies that Ethernet II and 802.3 packets may contain up to 1,500 bytes of data.


• The CRC (Cyclical Redundancy Check) is an algorithm used to determine if the packet was received in full and without errors.

The Internet Layer provides:

Each of the protocols in the TCP/IP suite uses a series of bytes (known as a header) to perform its required functions. The IP header is no different. Some of the required functions are:

• Logical Addressing (IP Addressing)
• Fragmentation
• Data Length
• Quality of Service
• Higher Layer Protocol identification
• Routing
• Diagnostics

Each field in the IP header has a particular role. These fields may contain a single bit or multiple bytes to identify the function. If you have not already noticed, the Ethernet addresses exist both in the network access layer and internet layer. Once the network access layer has been stripped off and the data has been sent up to the internet layer, that layer must also know the target and source hardware addresses. The protocol type field identifies which function is being serviced at the next layer, and thus which protocol (TCP, UDP) will either receive the data (going up the stack), or has sent the encapsulated data down the TCP/IP stack. The source and destination IP addresses are also included in the internet layer header. The internet layer is the layer at which routers also function. When delivering a packet to a destination outside the local LAN, the router will use the source and destination addresses to deliver the packet.


TCP/IP Packet Construction

Worked example on the slide: an e-mail sent from Microsoft Outlook, built up layer by layer against the same protocol map as the previous slide (TELNET, FTP, SMTP, DNS, BOOTP, DHCP, TFTP, SNMP at Process/Application; TCP, UDP at Host-to-Host; ARP, IP, RARP, IGRP, OSPF, ICMP at Internet; Ethernet, Token Ring, FDDI, SLIP, PPP, others at Access).

Process/Application (SMTP): DATA - data from the computer
Host-to-Host (TCP): DATA | 25, 32 - source and destination port number | 5 - sequence number | acknowledgement
Internet (IP): DATA | 25 32 5 | 6 - protocol number | S-IP, D-IP - source/destination IP address
Access (Ethernet): DATA | 25 32 5 | 6 S-IP D-IP | S-MAC, D-MAC - source/destination MAC address | 08-00 - protocol number | CRC - error detection

The above slide provides a flow from computer to wire, creating a packet containing MS Outlook information. Not everything included in a packet creation is provided. We are highlighting key areas for the purpose of this class. If further information is desired on TCP/IP and packet construction, there are several great books available, along with RFCs that are free on the internet.


LAN Star Topology

[Slide: hosts A through Z attached to a HUB; the whole star is one Collision Domain and one Broadcast Domain]

Twisted Pair (RJ-45) pin-out:
Pins 1 & 2 - Pair #1 Transmit Data
Pins 3 & 6 - Pair #2 Receive Data
Pins 4, 5, 7, & 8 - Not Connected

Pin:     1    2    3    4    5    6    7    8
Signal:  TD+  TD-  RD+  N/C  N/C  RD-  N/C  N/C

The term topology, or more specifically, network topology, refers to the arrangement or physical layout of computers, cables, and other components on the network. Topology is the standard term that most network professionals use when they refer to the network's basic design. A star topology is normally made up of a hub using Cat V (five) unshielded twisted pair cable with an RJ-45 connector. Although UTP has eight wires, only four are generally used. The pin-outs are listed above. The hub takes the transmit pairs and receive pairs and transposes the signal when it is received on any of the spokes. If computer A transmits, that data will travel across pins 1 & 2. The hub will take the signal and forward the information onto pins 3 & 6 for all computers on the network. As with the bus topology, every computer on the network will sense the data, and as with a bus topology, only one computer can transmit at a time. All computers hooked to the hub or chain of hubs are considered to be in the same collision domain. As the number of computers on the network increases, the number of collisions will also increase. Collisions occur when two computers attempt to transmit at exactly the same time.


When this condition occurs, the computers sense the collision. Each computer will attempt to resend, but does so after a varied time. The varied time is referred to as the back-off algorithm. The back-off algorithm timer varies from time to time and from computer to computer. This dramatically reduces the likelihood of the same two computers having repeated collisions for the same traffic. All computers sharing the same wire are considered to be in the same collision domain. As the number of computers on the network increases, the number of collisions will also increase. Although collisions are a normal part of communicating on a network, at some point during network expansion collisions will seriously slow the flow of traffic. Later in this chapter, we will discuss network devices that separate collision domains.


CSMA/CD

• Carrier Sense Multi-Access / Collision Detect

CSMA – Ethernet hosts first listen to see if any other host on the segment is transmitting. If no other host is transmitting, or the wire is clear, the listening host then transmits its data.

CD – CSMA does not take into account two hosts transmitting at exactly the same time. Each host monitors its own transmissions for collisions with other packets on the wire. When collisions occur, each host stops transmitting and starts a “back-off algorithm” to calculate an arbitrary time to retransmit. This ensures that the hosts which experienced the collision will not retransmit at the same time.

Ethernet uses a refinement of ALOHA, known as Carrier Sense Multiple Access (CSMA), which improves performance when there is a great deal of traffic on the medium. When a NIC has data to transmit, the NIC first listens to the cable (using a transceiver) to see if a carrier (signal) is being transmitted by another node. This may be achieved by monitoring whether a current is flowing in the cable (each bit corresponds to 18-20 milliamps (mA)). The individual bits are sent by encoding them with a 10 MHz (or 100 MHz for Fast Ethernet) clock using Manchester encoding. Data is only sent when no carrier is observed (i.e. no current present) and the physical medium is therefore idle. Any NIC which does not need to transmit listens to see if other NICs have started to transmit information to it. However, this alone is unable to prevent two NICs transmitting at the same time. If two NICs simultaneously try transmitting, then both could see an idle physical medium (i.e. neither will see the other's carrier signal), and both will conclude that no other NIC is currently using the medium. In this case, both will then decide to transmit and a collision will occur. The collision will result in the corruption of the frame being sent, which will subsequently be discarded by the receiver since a corrupted Ethernet frame will (with a very high probability) not have a valid 32-bit MAC CRC at the end. A second element of the Ethernet access protocol is used to detect when a collision occurs. When there is data waiting to be sent, each transmitting NIC also monitors its own transmission. If it observes a collision (excess current above what it is generating, i.e. > 24 mA for coaxial Ethernet), it stops transmission immediately and instead transmits a 32-bit jam sequence. The purpose of this sequence is to ensure that any other node which may currently be receiving this frame will receive the jam signal in place of the correct 32-bit MAC CRC. This causes the other receivers to discard the frame due to a CRC error. To ensure that all NICs start to receive a frame before the transmitting NIC has finished sending it, Ethernet defines a minimum frame size (i.e. no frame may have less than 46 bytes of payload). The minimum frame size is related to the distance which the network spans, the type of media being used, and the number of repeaters which the signal may have to pass through to reach the furthest part of the LAN. Together these define a value known as the Ethernet Slot Time, corresponding to 512 bit times at 10 Mbps. When two or more transmitting NICs each detect a corruption of their own data (i.e. a collision), each responds in the same way by transmitting the jam sequence.


Star Topology With Layer 2 Switch

[Slide: hosts attached to a Layer 2 switch form One Broadcast Domain, with a separate Collision Domain on each switch port]

Bridges and Layer 2 switches are used to isolate two or more networks at the network interface layer. They understand physical layer addressing and can learn where each device is located. A switch listens to all traffic on a physical segment. When it finds data that belongs to a device on another segment, it forwards the data to that LAN segment. Since the switch uses MAC addressing, it does not route; it only forwards. Bridges forward complete packets and are known as store-and-forward devices. Switches can function as a bridge does, but have the added feature of remembering source and destination packets and are able to forward by looking at the destination address only. This dramatically increases the speed of data delivery and is referred to as cut through processing.


Switches Build a MAC Database

[Slide: hosts AAAA.AAAA.AAAA, BBBB.BBBB.BBBB, CCCC.CCCC.CCCC and DDDD.DDDD.DDDD attached to switch ports E-0, E-1, E-2 and E-3. A frame from AAAA.AAAA.AAAA arrives on E-0 and is flooded out E-1, E-2 and E-3; the MAC table (ports E-0 to E-3) holds only the entry for AAAA.AAAA.AAAA so far.]

Initially a switch MAC Database will be empty. Each frame received will be flooded out all ports. As MAC addresses are mapped to ports the switch can “learn” the port to forward the frame on.

A switch or bridge learns the MAC addresses attached to each port by listening to the traffic and examining the source MAC address of each incoming frame. The MAC-address-to-port mappings are stored in a MAC database. The database is commonly referred to as the MAC table or the Content-Addressable Memory (CAM) table. When a frame is received by the switch or bridge, the MAC table is consulted to determine which port can reach the station identified in the destination portion of the frame. If the destination MAC is found in the MAC table, the frame is transmitted only on the port listed. If the destination MAC is not found, the frame is transmitted on all outgoing ports except the one on which it was received. Once the switch has learned the location of each attached host, the MAC table is fully populated. At that point, each unicast transmission will be delivered to only one outgoing port, and flooding is eliminated for these unicast transmissions. In the graphic above, no collisions are possible, because each host is attached to its own switch port. Broadcast and multicast frames are a special case. Because broadcast and multicast frames may be of interest to all stations, the switch or bridge normally floods broadcast and multicast frames to every port except the originating port. A switch or bridge never learns a broadcast or multicast address, because broadcast and multicast addresses never appear as the source address of a frame.
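The learning, forwarding and flooding rules just described, as an added example that is not part of the course material: a small switch model with a MAC table, replayed over the slides' scenarios (empty table, one host per port, and a hub hanging off port E-2). The host MACs and the multicast address are constructed values; the model also filters a frame whose destination was learned on the ingress port, the normal bridge behaviour for the hub case, which the slides do not state.

```python
BROADCAST = "FFFF.FFFF.FFFF"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast: the I/G bit (lowest bit of the
    first byte) is set. Such addresses are never learned as sources."""
    first_byte = int(mac.replace(".", "").replace(":", "")[:2], 16)
    return bool(first_byte & 0x01)


class LearningSwitch:
    """Transparent bridge / Layer 2 switch with a MAC (CAM) table."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}              # MAC -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame. Returns the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not is_group_address(src_mac):
            self.mac_table[src_mac] = in_port      # learn (or update) the source
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst_mac):
            return others                          # broadcast/multicast: flood
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            return others                          # unknown unicast: flood
        if out_port == in_port:
            return []                              # same segment (hub case): filter
        return [out_port]


def slide_scenarios():
    """Replays the slides: empty table, then learning, then a hub on E-2."""
    A, B, C, D = "0000.0C00.00AA", "0000.0C00.00BB", "0000.0C00.00CC", "0000.0C00.00DD"
    sw = LearningSwitch(["E-0", "E-1", "E-2", "E-3"])
    steps = {}
    steps["A->B, table empty"] = sw.receive("E-0", A, B)            # flooded
    steps["B->A, A known"] = sw.receive("E-1", B, A)                # one port only
    steps["A->broadcast"] = sw.receive("E-0", A, BROADCAST)         # flooded, never learned
    # C and D hang off a hub on E-2, so both are learned on the same port
    steps["C->D via hub, D unknown"] = sw.receive("E-2", C, D)      # flooded
    steps["D->C via hub, C known on E-2"] = sw.receive("E-2", D, C)  # filtered
    steps["A->D, D known"] = sw.receive("E-0", A, D)                # E-2 only
    return steps, dict(sw.mac_table)
```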


Switch and Hub

[Slide: AAAA.AAAA.AAAA on switch port E-0, BBBB.BBBB.BBBB on E-1, and a hub on E-2 with CCCC.CCCC.CCCC and DDDD.DDDD.DDDD attached to it]

With a hub and attached hosts configured off a switch port, as shown, a shared collision domain is created that includes E-2, the hub and its attached hosts. Any traffic for C is still received at D, and vice versa.

MAC table:
AAAA.AAAA.AAAA  E-0
BBBB.BBBB.BBBB  E-1
CCCC.CCCC.CCCC  E-2
DDDD.DDDD.DDDD  E-2

Switch Set-Up (No Collisions)

[Slide: AAAA.AAAA.AAAA, BBBB.BBBB.BBBB, CCCC.CCCC.CCCC and DDDD.DDDD.DDDD on switch ports E-0, E-1, E-2 and E-3, one host per port]

If each switch port has one host attached, as traffic is heard on each port the switch can “MAP” the MAC to the port. All further communications will be sent directly from one port to another and not be flooded out all ports. Only one host will receive a unicast transmission. Each host exists in its own collision domain at this point.

MAC table:
AAAA.AAAA.AAAA  E-0
BBBB.BBBB.BBBB  E-1
CCCC.CCCC.CCCC  E-2
DDDD.DDDD.DDDD  E-3


Shared Collision and Broadcast Domain

[Slide: hosts attached to a SWITCH. This broadcast domain will give each host its own collision domain.]

With this topology configured, CSMA / CD automatically shuts down and your LAN goes to full duplex.

Routers separate Broadcast Domains as well as Collision Domains.

Star Topology with Layer 3 Router

Routers are used to separate collision and broadcast domains. With LAN segmentation, the router can keep local traffic local, increase the bandwidth available to each user, reduce collisions, reduce broadcasts, and deal with Ethernet distance limitations. Routers move traffic through a network based on an IP address, or logical address. This type of addressing is understood by all networking devices and can be segmented as large or as small as your network requires. The physical addressing used on switches is not routable, and therefore is used only when communicating on a LAN or segmented LAN via a layer 2 switch. Routers also give you the flexibility to control or filter certain traffic, providing the network administrator more control over the data network and how it functions.


Address Resolution Protocol (ARP)

[Slide: host 148.43.200.2 resolving two addresses on its segment and filling its ARP CACHE]

148.43.200.2 (broadcast): I need the Ethernet address (MAC) for 148.43.200.5
148.43.200.5 (reply): I am IP address 148.43.200.5, my MAC Address is 0800.0200.111
ARP cache entry: 148.43.200.5 = 0800.0200.111

148.43.200.2 (broadcast): I need the Ethernet address (MAC) for 148.43.200.1
148.43.200.1 (reply): I am IP address 148.43.200.1, my MAC Address is 0500.2132.452
ARP cache entry: 148.43.200.1 = 0500.2132.452

ARP is used to resolve or map a known destination IP address (network layer) to a MAC address (data link layer). Remember, earlier we stated that communications on Ethernet use MACs only. Since many of our data functions today require the use of IP addresses, including routing, we need to be able to map IP to MAC. To determine a destination address for a datagram, the sending station checks its internal ARP cache table for a match. If no match exists, the sending station will create a packet using a broadcast address with the question, “I have this IP address, what is your MAC address?” All machines on the network process the packet, and the machine whose IP matches the request responds with, “I am the computer with this IP address, my MAC is XXXX.XXXX.XXX.” The computer requesting the information then stores the mapped IP to MAC in its ARP cache for later use. It will also place the MAC address in the packet it is sending out and put it on the wire. The receiving computer now has a packet addressed specifically to its machine. ARP cache entries are not permanent, meaning that over a period of time entries will be removed if they have not been used. This time varies from software to software, and is dependent upon how often the ARP cache is accessed for any particular MAC.


How It All Works Together

[Slide: Computer A (148.43.200.2) --- Router 1 (R 1, 148.43.200.1) === PPP === Router 2 (R 2, 199.20.100.1) --- Computer Z (199.20.100.5)]

Computer A: I need the Ethernet address (MAC) for 148.43.200.1, this is my gateway IP address.
Router 1: I am IP address 148.43.200.1, my MAC Address is 0800.0200.111
ARP Cache at Computer A: 148.43.200.1 = 0800.0200.111

Router 2: I need the Ethernet address (MAC) for 199.20.100.5
Computer Z: I am IP address 199.20.100.5, my MAC Address is 0500.0200.113
ARP Cache at Router 2: 199.20.100.5 = 0500.0200.113

Packet information at Router 1
Source IP: 148.43.200.2
Destination IP: 199.20.100.5
Source MAC: Computer A
Destination MAC: Router 1

Packet information at Router 2
Source IP: 148.43.200.2
Destination IP: 199.20.100.5
Source MAC: Router 2
Destination MAC: Computer Z

Encapsulation PPP: Does not carry any information pertaining to the MAC address.

Computer A has a packet destined for Computer Z: Before Computer A can send a packet out to Computer Z, it must first obtain the MAC address for the gateway. Generally, the gateway for any network is the IP address of the router Ethernet port connected to that network. From router to computer on the same Ethernet network, communication is done by MAC only, and therefore requires an ARP request if the IP to MAC mapping does not reside in the ARP cache. The router responds with an IP to MAC mapping to allow Computer A to create a packet destined for Computer Z; but the Layer 2 MAC addressing will be from Computer A to Router 1. The IP addressing will be from Computer A to Computer Z. Once the packet is received at Router 1, the Ethernet header is stripped off, and a PPP header is added. Remember that routers route based on IP addressing, and the packet does not carry the MAC addressing across WAN links. When the packet arrives at Router 2, the only addressing information is source and destination IP. Router 2 receives the packet from Router 1 and removes the PPP header. It determines if the packet is destined for a network directly connected to it. This is based on the destination IP address and in this case, it is.


Then Router 2 looks at the destination IP address and does an ARP look-up. If there is not a match for Computer Z’s IP address, the router does an ARP request. Computer Z responds to the ARP request and an IP to MAC mapping is placed in the router's ARP cache. Router 2 places an Ethernet header on the packet with the source MAC as Router 2, the destination MAC as Computer Z, the source IP address as Computer A, and the destination IP address as Computer Z.
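The walk from Computer A to Computer Z, as an added example that is not part of the course material: it models the ARP cache lookups and the gateway decision on each hop, shows the MAC pair being rewritten at Router 2 while the IP pair stays constant, and shows the PPP link carrying no MAC addresses. The topology follows the slide; the MAC addresses, the serial link addresses (10.0.0.0/30) and the routing tables are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def ip_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_network(ip: str, network: str) -> bool:
    """'148.43.200.5' in '148.43.200.0/24' -> True (contiguous mask AND)."""
    net, bits = network.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_int(ip) & mask == ip_int(net) & mask


@dataclass
class Interface:
    ip: str
    network: str
    mac: Optional[str]          # None on the PPP serial link: no MAC addressing


@dataclass
class Node:
    name: str
    ifaces: Dict[str, Interface]
    gateway: Optional[str] = None                            # hosts only
    routes: Dict[str, str] = field(default_factory=dict)     # network -> interface (routers)
    arp_cache: Dict[str, str] = field(default_factory=dict)  # IP -> MAC


def arp_resolve(node: Node, ip: str, peers: List[Node], log: List[str]) -> str:
    """Consult the ARP cache; on a miss, broadcast a request on the segment."""
    if ip in node.arp_cache:
        return node.arp_cache[ip]
    log.append(f"{node.name}: I need the Ethernet address (MAC) for {ip}")
    for other in peers:
        for itf in other.ifaces.values():
            if itf.ip == ip:
                log.append(f"{other.name}: I am IP address {ip}, my MAC Address is {itf.mac}")
                node.arp_cache[ip] = itf.mac
                return itf.mac
    raise LookupError(f"no station answered ARP for {ip}")


def egress(node: Node, dst_ip: str):
    """Outgoing interface and next-hop IP: directly connected, host gateway, or route."""
    for name, itf in node.ifaces.items():
        if in_network(dst_ip, itf.network):
            return name, dst_ip                   # deliver to the destination itself
    if node.gateway:
        return next(iter(node.ifaces)), node.gateway
    for network, name in node.routes.items():
        if in_network(dst_ip, network):
            return name, None                     # point-to-point link: no next-hop MAC
    raise LookupError(f"{node.name} has no route to {dst_ip}")


def send(src: Node, dst_ip: str, segments: Dict[str, List[Node]], log: List[str]) -> List[dict]:
    """Carry one packet hop by hop; returns the addressing seen on each link."""
    packet = {"src_ip": next(iter(src.ifaces.values())).ip, "dst_ip": dst_ip}
    hops, node = [], src
    while True:
        iface_name, next_hop = egress(node, dst_ip)
        itf = node.ifaces[iface_name]
        peers = [n for n in segments[itf.network] if n is not node]
        if itf.mac is None:                       # PPP WAN link: IP header only
            frame, receiver = dict(packet, encapsulation="PPP"), peers[0]
        else:                                     # Ethernet: ARP for the next hop
            dst_mac = arp_resolve(node, next_hop, peers, log)
            frame = dict(packet, encapsulation="Ethernet", src_mac=itf.mac, dst_mac=dst_mac)
            receiver = next(n for n in peers if any(i.ip == next_hop for i in n.ifaces.values()))
        hops.append(frame)
        if any(i.ip == dst_ip for i in receiver.ifaces.values()):
            return hops
        node = receiver


def slide_scenario():
    """Topology from the slide; sends the packet twice to show the warm ARP caches."""
    A = Node("Computer A", {"eth": Interface("148.43.200.2", "148.43.200.0/24", "0000.0C11.AAAA")},
             gateway="148.43.200.1")
    R1 = Node("Router 1", {"eth0": Interface("148.43.200.1", "148.43.200.0/24", "0800.0200.1110"),
                           "s0": Interface("10.0.0.1", "10.0.0.0/30", None)},
              routes={"199.20.100.0/24": "s0"})
    R2 = Node("Router 2", {"s0": Interface("10.0.0.2", "10.0.0.0/30", None),
                           "eth0": Interface("199.20.100.1", "199.20.100.0/24", "0000.0C22.BBBB")},
              routes={"148.43.200.0/24": "s0"})
    Z = Node("Computer Z", {"eth": Interface("199.20.100.5", "199.20.100.0/24", "0500.0200.1130")},
             gateway="199.20.100.1")
    segments = {"148.43.200.0/24": [A, R1], "10.0.0.0/30": [R1, R2], "199.20.100.0/24": [R2, Z]}
    first_log, second_log = [], []
    hops = send(A, "199.20.100.5", segments, first_log)
    send(A, "199.20.100.5", segments, second_log)
    return hops, first_log, second_log, A.arp_cache, R2.arp_cache
```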


IP Addressing and Subnet Masking


One of the most important concepts of Internetworking.

It is essential you understand how IP Addresses are used in a network.

IP Addressing and Subnet Masks

Internet Scaling Problems

Over the past few years, the Internet has experienced two major scaling issues as it has struggled to provide continuous and uninterrupted growth:

1. The eventual exhaustion of the IPv4 address space.
2. The ability to route traffic between the ever-increasing numbers of networks that comprise the Internet.

The first problem is concerned with the eventual depletion of the IP address space. The current version of IP, IP version 4 (IPv4), defines a 32-bit address, which means that there are only 2^32 (4,294,967,296) IPv4 addresses available. This might seem like a large number of addresses, but as new markets open and a significant portion of the world's population becomes candidates for IP addresses, the finite number of IP addresses will eventually be exhausted. The address shortage problem is aggravated by the fact that portions of the IP address space have not been efficiently allocated. In addition, the traditional model of classful addressing does not allow the address space to be used to its maximum potential. The Address Lifetime Expectancy (ALE) Working Group of the IETF has expressed concerns that if the current address allocation policies are not modified, the Internet will experience a near to medium term exhaustion of its unallocated address pool. If the Internet's address supply problem is not solved, new users, potentially in the thousands, may be unable to connect to the global Internet.


The second problem is caused by the rapid growth in the size of the Internet routing tables. Internet backbone routers are required to maintain complete routing information for the Internet. Over recent years, routing tables have experienced exponential growth as increasing numbers of organizations connect to the Internet -- in December 1990, there were 2,190 routes; in December 1992, there were 8,500 routes; and in December 1995, there were 30,000+ routes. By the early 2000s, the number had reached 210,000. Unfortunately, the routing problem cannot be solved by simply installing more router memory and increasing the size of the routing tables. Other factors related to the capacity problem include the growing demand for CPU horsepower to compute routing table/topology changes, the increasingly dynamic nature of World Wide Web connections and their effect on router forwarding caches, and the sheer volume of information that needs to be managed by people and machines. If the number of entries in the global routing table is allowed to increase without bounds, core routers will be forced to drop routes and portions of the Internet will become unreachable. The long-term solution to these problems can be found in the anticipated widespread deployment of IP Next Generation (IPng or IPv6). However, while the Internet community waits for IPng, IPv4 will need to be patched and modified so that the Internet can continue to provide the universal connectivity we have come to expect. This patching process may cause a tremendous amount of pain and may alter some of our fundamental concepts about the Internet.


IP Address (1)

• Is made up of 4 octets.
• Each octet is 8 bits in length.
• Each IP address is 32 bits in length.

148.43.200.1
10010100.00101011.11001000.00000001


IP Address (2)

148.43.200.1

148 43 200 1

10010100 00101011 11001000 00000001

Dotted-Decimal Notation - To make Internet addresses easier for human users to read and write, IP addresses are often expressed as four decimal numbers, each separated by a dot. This format is called dotted-decimal notation. Dotted-decimal notation divides the 32-bit Internet address into four 8-bit (byte) fields and specifies the value of each field independently as a decimal number with the fields separated by dots.


IP Addressing Terms

Network – Is a group of devices which share a range of IP addresses. Those addresses include a unique network address, a unique broadcast address and other addresses assignable to host devices.

Host – Is any device on the network that is capable of receiving and transmitting IP packets, such as a workstation or a router. Each host must be supplied with a unique IP address.

Mask – A mask is applied to the address to define which portion of the address is network specific and which is host specific. The mask is 32 bits long, and is a series of 1s followed by a series of 0s.

IP addressing is based on the concept of hosts and networks. A host is essentially anything on the network that is capable of receiving and transmitting IP packets, such as a workstation or a router. The hosts are connected together by one or more networks (segments). The IP address of any host consists of its network address and its own host address on the network. Routers deliver packets to networks, not hosts. A mask is used to determine the network and host portion of an IP address. When applied to an IP address, it quite simply defines a range of addresses. The mask determines which IP addresses reside on a given network or segment. The mask is written in the same dotted decimal notation format as the IP address but it is limited to contiguous binary variations, meaning it is a series of all ones, then all zeros. All ones in the first octet is the starting point:

11111111 00000000 00000000 00000000 or 255.0.0.0.


Decimal to Binary Conversion (1)

A decimal number can be represented by a group of binary 1s and 0s.

Computers do not understand decimal numbers.

They communicate in 1s and 0s, electrical highs and lows.

[Slide: bit patterns 0 1 0 1, 0 0 0 0 and 1 1 1 1 drawn as electrical highs and lows]

Decimal to Binary Conversion (2)

01010101 = 85


Decimal to Binary Conversion (3)

Converting from binary to decimal

Value for each bit:  128  64  32  16  8  4  2  1

  1   1   1   1   1   1   1   1   = 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
  0   1   0   0   0   0   0   1   = 0 + 64 + 0 + 0 + 0 + 0 + 0 + 1 = 65

Decimal to Binary Conversion (4)

A Decimal 7 Is A Binary 00000111

128  64  32  16  8  4  2  1
  0   0   0   0  0  1  1  1


Decimal to Binary Conversion (5)

A Decimal 67 Is A Binary 01000011

128  64  32  16  8  4  2  1
  0   1   0   0  0  0  1  1


Classful IP Addressing

[Slide: an address split into Network Number (What network are we in?) and Host Number (Which user on that network are we?)]

Network: 148.43.0.0 /16
Host: 148.43.200.76

Classful IP Addressing

When IP was first standardized in September 1981, the specification required that each system attached to an IP-based internet be assigned a unique 32-bit Internet address value. Some systems, such as routers, which have interfaces to more than one network, must be assigned a unique IP address for each network interface. The first part of an Internet address identifies the network on which the host resides, while the second part identifies the particular host on the given network. This created the two-level addressing hierarchy.

• Network-Prefix   Host-Number
• Network-Number   Host-Number

In recent years, the network-number field has been referred to as the network-prefix because the leading portion of each IP address identifies the network number. All hosts on a given network share the same network-prefix but must have a unique host-number. Similarly, any two hosts on different networks must have different network-prefixes but may have the same host-number.


Primary Address Classes

[Slide: the three classes drawn as 32-bit addresses, shaded part = Network, unshaded part = Host]

Class A: leading bit 0
Class B: leading bits 1 0
Class C: leading bits 1 1 0

Primary Address Classes

In order to provide the flexibility required to support different size networks, the designers decided that the IP address space should be divided into three different address classes - Class A, Class B, and Class C. This is often referred to as classful addressing because the address space is split into three predefined classes, groupings, or categories. Each class fixes the boundary between the network-prefix and the host-number at a different point within the 32-bit address. One of the fundamental features of classful IP addressing is that each address contains a self-encoding key that identifies the dividing point between the network-prefix and the host-number. For example, if the first two bits of an IP address are 1-0, the dividing point falls between the 15th and 16th bits. This simplified the routing system during the early years of the Internet because the original routing protocols did not supply a deciphering key or mask with each route to identify the length of the network-prefix.


Class A

Class A (1 – 126) (/8 Prefixes)

First octet from 0 0 0 0 0 0 0 1 (1) to 0 1 1 1 1 1 1 0 (126); the leading bit is always 0.
NETWORK: first 8 bits. HOST: remaining 24 bits.

Lowest:   0 0 0 0 0 0 0 1 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 = 1.0.0.0
Highest:  0 1 1 1 1 1 1 0 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 = 126.255.255.255
Mask:     1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 = 255.0.0.0

Class A Networks (/8 Prefixes)

Each Class A network address has an 8-bit network-prefix with the highest order bit set to 0 and a seven-bit network number, followed by a 24-bit host-number. Today, it is no longer considered modern to refer to a Class A network. Class A networks are now referred to as /8s (pronounced "slash eight" or just "eights") since they have an 8-bit network-prefix. A maximum of 126 (2^7 - 2) /8 networks can be defined. The calculation requires that the 2 is subtracted because the /8 network 0.0.0.0 is reserved for use as the default route and the /8 network 127.0.0.0 (also written 127/8 or 127.0.0.0/8) has been reserved for the "loopback" function. Each /8 supports a maximum of 16,777,214 (2^24 - 2) hosts per network. The host calculation requires that 2 is subtracted because the all-0s (this network) and all-1s (broadcast) host-numbers may not be assigned to individual hosts. Since the /8 address block contains 2^31 (2,147,483,648) individual addresses and the IPv4 address space contains a maximum of 2^32 (4,294,967,296) addresses, the /8 address space is 50% of the total IPv4 unicast address space.


Class B

Class B (128 – 191) (/16 Prefixes)

First octet from 1 0 0 0 0 0 0 0 (128) to 1 0 1 1 1 1 1 1 (191); the leading bits are always 1 0.
NETWORK: first 16 bits. HOST: remaining 16 bits.

Lowest:   1 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 = 128.0.0.0
Highest:  1 0 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 = 191.255.255.255
Mask:     1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 = 255.255.0.0

Class B Networks (/16 Prefixes)

Each Class B network address has a 16-bit network-prefix with the two highest order bits set to 10 and a 14-bit network number, followed by a 16-bit host-number. Class B networks are now referred to as /16s since they have a 16-bit network-prefix. A maximum of 16,384 (2^14) /16 networks can be defined with up to 65,534 (2^16 - 2) hosts per network. Since the entire /16 address block contains 2^30 (1,073,741,824) addresses, it represents 25% of the total IPv4 unicast address space.


Class C

Class C (192 – 223) (/24 Prefixes)

First octet from 1 1 0 0 0 0 0 0 (192) to 1 1 0 1 1 1 1 1 (223); the leading bits are always 1 1 0.
NETWORK: first 24 bits. HOST: remaining 8 bits.

Lowest:   1 1 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 = 192.0.0.0
Highest:  1 1 0 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 = 223.255.255.255
Mask:     1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 0 0 0 0 0 0 0 0 = 255.255.255.0

Class C Networks (/24 Prefixes)

Each Class C network address has a 24-bit network-prefix with the three highest order bits set to 110 and a 21-bit network number, followed by an 8-bit host-number. Class C networks are now referred to as /24s since they have a 24-bit network-prefix. A maximum of 2,097,152 (2^21) /24 networks can be defined with up to 254 (2^8 - 2) hosts per network. Since the entire /24 address block contains 2^29 (536,870,912) addresses, it represents 12.5% (or 1/8th) of the total IPv4 unicast address space.


Other Classes

Class D (IP Multicasting): leading bits 1 1 1 0, first octet 224 – 239
Class E (Experimental): leading bits 1 1 1 1, first octet 240 – 254

In addition to the three most popular classes, there are two additional classes. Class D addresses have their leading four-bits set to 1110 and are used to support IP Multicasting. Class E addresses have their leading four-bits set to 1111 and are reserved for experimental use.


Subnet Masking (1)

148.43.200.1 255.255.255.0

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 00000001
Mask:    255.255.255.0    11111111 . 11111111 . 11111111 . 00000000
Result:                   10010100 . 00101011 . 11001000 . xxxxxxxx
                          <------------ Network -----------> <- Host ->

• A bit for bit comparison is conducted between the address & mask.

• The address bits that align with ones in the mask are considered network.

• The address bits that align with zeros in the mask are considered host.

• The point at which the mask changes from ones to zeros divides the address into network and host portions.

Subnet Masking (2)

148.43.200.1/24 or 255.255.255.0

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 00000001
Mask:    255.255.255.0    11111111 . 11111111 . 11111111 . 00000000
                          <------------ Network -----------> <- Host ->
Range:   148.43.200.0-255 10010100 . 00101011 . 11001000 . 00000000 (first address)
                          10010100 . 00101011 . 11001000 . 11111111 (last address)

You will often see the mask written as a slash prefix (/). The number after the slash is the number of mask bits that are on (ones).


66

Subnet Masking (3)

148.43.200.1/25 or 255.255.255.128

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 0|0000001
Mask:    255.255.255.128  11111111 . 11111111 . 11111111 . 1|0000000
                          <------------- Network ------------> <- Host ->
Range:   148.43.200.0-127 10010100 . 00101011 . 11001000 . 0|0000000 (first address)
                          10010100 . 00101011 . 11001000 . 0|1111111 (last address)

Subnet Masking (4)

148.43.200.1/27 or 255.255.255.224

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 000|00001
Mask:    255.255.255.224  11111111 . 11111111 . 11111111 . 111|00000
                          <--------------- Network -----------> <- Host ->
Range:   148.43.200.0-31  10010100 . 00101011 . 11001000 . 000|00000 (first address)
                          10010100 . 00101011 . 11001000 . 000|11111 (last address)


67

Subnet Masking (5)

148.43.200.1/28 or 255.255.255.240

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 0000|0001
Mask:    255.255.255.240  11111111 . 11111111 . 11111111 . 1111|0000
                          <---------------- Network -----------> <- Host ->
Range:   148.43.200.0-15  10010100 . 00101011 . 11001000 . 0000|0000 (first address)
                          10010100 . 00101011 . 11001000 . 0000|1111 (last address)

Subnet Masking (6)

148.43.200.1/29 or 255.255.255.248

Address: 148.43.200.1     10010100 . 00101011 . 11001000 . 00000|001
Mask:    255.255.255.248  11111111 . 11111111 . 11111111 . 11111|000
                          <----------------- Network ----------> <- Host ->
Range:   148.43.200.0-7   10010100 . 00101011 . 11001000 . 00000|000 (first address)
                          10010100 . 00101011 . 11001000 . 00000|111 (last address)


68

Available Hosts in Network

148.43.200.0 255.255.255.240

148.43.200.0   Network Address
148.43.200.1   first host
   ...         Hosts (148.43.200.1 through 148.43.200.14)
148.43.200.14  last host
148.43.200.15  Broadcast Address

Defining Network, Host and Broadcast Addresses According to Internet practices, the host-number field of an IP address cannot contain all 0-bits or all 1-bits. The all-0s host-number identifies the base network (or sub-network) number, while the all-1s host-number represents the broadcast address for the network (or sub-network). In the above example, there are 4 bits in the host-number field of each subnet address. This means that each subnet represents a block of 16 host addresses, of which 14 are usable (2^4 - 2 = 14; note that the 2 is subtracted because the all-0s and the all-1s host addresses cannot be used). The hosts on this subnet are numbered 1 through 14.


69

Network Address

• The network address is used by routers to identify and route packets to the correct destination.

• The network address can be identified by having all 0s in the host field.

• The network address cannot be assigned to a computer or host.

148.43.200.0    255.255.255.0
148.43.200.128  255.255.255.128
148.43.200.64   255.255.255.192
148.43.200.96   255.255.255.224

Network Address Examples

Broadcast Address

• The broadcast address is used by routers and hosts to send packets to all computers on a network at one time.

• The broadcast address can be identified by having all 1s in the host field.

• The broadcast address cannot be assigned to a computer or host.

148.43.200.255  255.255.255.0
148.43.200.127  255.255.255.128
148.43.200.63   255.255.255.192
148.43.200.95   255.255.255.224

Broadcast Address Examples


70

Subnet Masking Template

1. IP address plus subnet prefix (decimal).

2. IP address converted into binary.

3. Subnet mask from the prefix, converted into binary.

4. Where the 1s end and the 0s begin, draw a VERTICAL line of demarcation to represent the division of the network specific bits and host specific bits.

5. All zeroes in the host field gives you the network address (binary). Convert the binary back to dotted decimal; this is your network IP address.

6. All ones in the host field gives you the broadcast address (binary). Convert the binary back to dotted decimal; this is your broadcast IP address.

7. Once you have determined the network and broadcast IP addresses, everything in between will be usable host addresses.
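The template steps above, worked in code as an added example that is not from the student guide: the calculator does the bit-for-bit comparison against the mask for the /24 to /29 cases on the preceding slides, and goes beyond them by reporting the address class from the leading bits and by handling the /31 and /32 edge where the 2^n - 2 host rule does not apply. All function and field names are this example's own.

```python
"""Subnet calculator that follows the Subnet Masking Template above.

Added example, not part of the original student guide. It performs the
bit-for-bit comparison the slides describe: address bits that align with 1s
in the mask are network bits, bits that align with 0s are host bits. It also
reports the address class from the leading bits (Class A/B/C/D/E pages).
"""
from dataclasses import dataclass
from typing import Optional

OCTET_SHIFTS = (24, 16, 8, 0)


def dotted_to_int(dotted: str) -> int:
    """'148.43.200.1' -> 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address or mask: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in OCTET_SHIFTS)


def to_binary(value: int) -> str:
    """Dotted-binary form used on the slides, e.g. 10010100.00101011.11001000.00000001"""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in OCTET_SHIFTS)


def prefix_to_mask(prefix: int) -> int:
    """/28 -> 0xFFFFFFF0: the first `prefix` bits on, the rest off."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: int) -> int:
    """Count the leading 1s; a mask whose 1s are not contiguous (255.0.255.0) is rejected."""
    prefix = 0
    while prefix < 32 and mask & (1 << (31 - prefix)):
        prefix += 1
    if mask != prefix_to_mask(prefix):
        raise ValueError(f"mask {int_to_dotted(mask)} is not contiguous")
    return prefix


def address_class(address: str) -> str:
    """Class from the leading bits of the first octet: 0=A, 10=B, 110=C, 1110=D, 1111=E."""
    first = dotted_to_int(address) >> 24
    for cls, bits, width in (("A", 0b0, 1), ("B", 0b10, 2), ("C", 0b110, 3), ("D", 0b1110, 4)):
        if first >> (8 - width) == bits:
            return cls
    return "E"


@dataclass
class Subnet:
    prefix: int
    mask: str
    network: str
    broadcast: str
    first_host: Optional[str]
    last_host: Optional[str]
    usable_hosts: int
    binary_address: str
    binary_mask: str


def subnet_info(spec: str) -> Subnet:
    """spec is '148.43.200.1/28' or '148.43.200.1 255.255.255.240' (both forms appear on the slides)."""
    if "/" in spec:
        address, prefix_text = spec.split("/", 1)
        prefix = int(prefix_text)
        mask = prefix_to_mask(prefix)
    else:
        address, mask_text = spec.split()
        mask = dotted_to_int(mask_text)
        prefix = mask_to_prefix(mask)
    addr = dotted_to_int(address)
    host_bits = 32 - prefix
    network = addr & mask                          # all 0s in the host field
    broadcast = network | (~mask & 0xFFFFFFFF)     # all 1s in the host field
    # A /31 or /32 leaves no room for separate network and broadcast addresses,
    # so the "2^n - 2" rule from the guide does not apply there.
    if host_bits >= 2:
        usable = 2 ** host_bits - 2
        first, last = int_to_dotted(network + 1), int_to_dotted(broadcast - 1)
    else:
        usable, first, last = 0, None, None
    return Subnet(prefix, int_to_dotted(mask), int_to_dotted(network),
                  int_to_dotted(broadcast), first, last, usable,
                  to_binary(addr), to_binary(mask))


def worksheet(spec: str) -> str:
    """Render the template rows: decimal, binary address, binary mask, network, broadcast."""
    s = subnet_info(spec)
    return "\n".join([
        f"Address/prefix : {spec}  (class {address_class(spec.split('/')[0].split()[0])})",
        f"Address binary : {s.binary_address}",
        f"Mask binary    : {s.binary_mask}",
        f"Network        : {s.network}  ({to_binary(dotted_to_int(s.network))})",
        f"Broadcast      : {s.broadcast}  ({to_binary(dotted_to_int(s.broadcast))})",
        f"Usable hosts   : {s.usable_hosts} ({s.first_host} - {s.last_host})",
    ])


if __name__ == "__main__":
    for spec in ("148.43.200.1/24", "148.43.200.1/28", "148.43.200.1 255.255.255.248"):
        print(worksheet(spec), end="\n\n")
```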


71

Introduction to Router Operations


72

Router Front Panel

Cisco 2811

[Figure: front and rear panels of the Cisco 2811. Front panel callouts: Power / Aux/Pwr / Activity / CF Card indicators, Console, AUX, USB, External Compact Flash Card Slot, Redundant Power System connection. Rear panel callouts: FastEthernet ports FE 0/0 and FE 0/1 with LEDs A = ACT, S = SPEED, F = FDX, L = LINK; WIC, VIC and Network Module slots (Slot 0 to Slot 3, NME 0); serial 0 and serial 1 on the WIC-2T; a 16-port FastEthernet switch module (ports 0x to 15x) with a 10/100/1000BASE-TX GE port and -48V external power input; Compact Flash slot labelled DO NOT REMOVE DURING NETWORK OPERATION.]

Sys Pwr LED: Solid green if operating normally. Blinks while booting or in ROM monitor. Amber if there is a system error. Off if no power applied or system board is faulty.

Aux/Pwr LED: Off: no IP phone power or RPS installed (the Redundant Power System connection is covered if not used). On (green): IP phone power operating normally (if installed); Cisco RPS operating normally (if installed). On (amber): IP phone power fault or RPS fault.

Activity: Blinking when any packets are transmitted or received on any WAN or LAN.

CF: Green indicates compact flash memory is being accessed; do not eject card. Off indicates no card access; card may be ejected.

USB: Universal Serial Bus ports.

Console: RJ-45 serial connection used to access the router for configuration and monitoring with a local PC.

Auxiliary: RJ-45 serial connection used to access the router via a dial-up modem.


73

Fast Ethernet: FastEthernet connections. Number / type depends on router model.

WIC: WAN Interface Card slot. WIC modules come in a variety of different interfaces.

VIC: Voice Interface Card. Used for VOIP/PSTN/PBX connectivity. Slot may also be used for WICs.

Network Module: Slot for a network module. Network modules come in several different varieties, which contain/support a variety of network interfaces. Often referred to as an NME (Network Module Enhanced).


74

Router Initialization Process

[Figure: the CPU interacts with the memory modules. ROM (Bootstrap, POST, ROM Monitor): at start-up, ROM first performs the hardware check. FLASH (IOS storage): after POST, Flash loads IOS start-up routines to RAM or runs them directly from Flash. RAM (main/shared; running config and IOS; interfaces): runs IOS and current config; buffer for external interfaces. NVRAM (configuration register, startup config): loads saved user settings, controls boot sequence.]

ROM: Read Only Memory contains the micro-code for basic functions to start and maintain the router. Major areas contained in ROM include:

1) Bootstrap code – Used to bring the router up during initialization. It reads the configuration register to determine how to boot and then, if instructed to do so, loads the IOS (Internetwork Operating System).

2) POST – Power On Self Test is the micro-code used to test the basic functionality of the router hardware and to determine what components are present.

3) ROM Monitor – A low-level operating system normally used for testing and troubleshooting problems occurring during the boot process.

RAM: Random Access Memory contains the software and data structures that allow the router to function. The principal software running in RAM is the IOS and the running configuration. The IOS and start-up configuration are loaded into RAM during the boot process. RAM also provides the buffering function for the router’s external interfaces.

NVRAM: Non-volatile RAM is mainly used to store the configuration. It uses a battery to maintain the data when the power is removed from the router. The NVRAM also contains the configuration register. It is a 16-bit virtual register that determines the router boot sequence. By varying the register settings, the boot sequence on the router can be changed.

External Flash: The external flash memory is primarily used to store the IOS software image.


75

On Cisco hardware, components are numbered from right to left, then from bottom to top.

[Figure: rear panel of the Cisco 2811 with the numbering called out. Network Module Slots NMS 0 (the chassis rear panel itself) and NMS 1; card slots Slot 0 to Slot 3, and the ports within each slot, are numbered from 0 counting right to left; the 16-port FastEthernet switch module is numbered Port 0 to Port 15. Example interface names: s0/2/1 (NMS / Slot / Port), f0/1 (NMS / Port), f1/8 (NMS / Port).]

s0/2/1 – NMS 0, Slot 2, Port 1.

f1/8 – NMS 1, Port 8. In this case, the ports exist on a “Network-Module” (NM) plugged into a “Network-Module-Slot” (NMS). There is no “Card-Slot” present, therefore there is no “slot” number.

f0/1 – NMS 0, Port 1. In this case, the ports don’t exist on a card in a “Card-Slot”, or even in a NM. They are built straight into the chassis rear panel, therefore there is no “slot” number.

The first numerical value represents the “interface-type”. If the value is 1, there is a “Network-Module-Slot (NMS)” present. If the value is 0, there is no NMS present and the physical interface is plugged directly into the chassis rear panel.

Network Interfaces

Cisco routers are considered modular in that not all network interfaces are fixed, or built directly into the chassis. The interfaces can be removed and installed depending on the network connectivity required. When facing the rear of the router, the slots count from right to left as shown above. When a network module has more than one type of the same interface, the interfaces are numbered with the slot first then the interface number again counting from right to left. The 2800 series router as shown above may have interfaces 1) built directly into the chassis, 2) interfaces plugged into a card slot on a network module, or 3) interfaces built directly into a network module. Interfaces built directly into the chassis front panel are numbered simply as ‘interface type – port number’. Interface USB1 would be an example. Interfaces built directly into the chassis rear panel are numbered ‘interface type 0/port number’. The ‘0’ comes from being in network module slot 0 of the rear panel. Interface f0/1 is an example. Interfaces plugged into a network module card slot are numbered Interface-type network-module-number / interface-card-slot / port-number. Interface S0/2/1 is an example. Interfaces built directly into an installed network module are numbered Interface-type network-module-number / port. Interface f1/8 is the example shown above.


76

WIC-2T 2 Port Serial WAN Interface Card

Serial Network Module

The WIC-2T provides two serial ports using the Smart Serial connector.

• Asynchronous support with a maximum speed (per port) of 115.2 Kbps, minimum 600 bps. If you need to run at speeds lower than 600 bps, use the AUX port instead.

• Synchronous support with a maximum speed of 8 Mbps per port.

• Supports one port at 8 Mbps when used in NM-1FE1R2W, NM-1FE2W, NM-2FE2W, or NM-2W, or Cisco router chassis WIC slots. All other WIC ports on that network module or Cisco router chassis must not be used.

• Supports two ports at 4 Mbps each when used in NM-1FE1R2W, NM-1FE2W, NM-2FE2W, or NM-2W, or Cisco router chassis WIC slots. All other WIC ports on that network module or Cisco router chassis must not be used.

• Supports 8 Mbps on all ports simultaneously on 2691, 3725, and 3745. No restrictions. Maximum six ports at 8 Mbps each.

• Serial connections are used for point-to-point communications.

• Can operate as DTE or DCE. Operates at multiple clock rates.

• Can interface to multiple standards: RS-449, RS-530, RS-232, V.35, etc.


77

Serial Link Encapsulation

LAYER TWO ENCAPSULATION ON SERIAL LINKS:

• HDLC – HIGH-LEVEL DATA LINK CONTROL
• PPP – POINT-TO-POINT
• used in JNN and tactical networks
• SLIP – SERIAL LINE INTERFACE PROTOCOL
• LAPB – X.25/LINK ACCESS PROCEDURE BALANCED
• FRAME RELAY
• ATM – ASYNCHRONOUS TRANSFER MODE


78

[Figure: two FastEthernet ports, each with LEDs numbered 1, 2 and 3]

Fast Ethernet LEDs
1. 100Mbps – lit when i/f speed is 100 Mbps
2. Link – indicates connectivity established with connected device
3. FDX – indicates full duplex mode

Other LEDs associated w/ fast ethernet (not on every model)
1. Col – Indicator of collision activity on the network
2. EN – on installable modules; indicates module passed hardware test and is ready for use.

Note: I/Fs above are built in to router chassis. Ethernet / fast ethernet i/fs may also be installed as separately purchased modules.

Ethernet Connections

• Normally used for host connections.

• Can be used for router connection, point-to-point or broadcast multi-access.

• Normally AUI, 10/100BaseT, or 10Base2.

• AUI (Auxiliary Unit Interface): Connection for Transceiver.

• 10/100BaseT: RJ45

- crossover for Ethernet to Ethernet connection
- straight through for ethernet to hub connection

• 10Base2: Coax/RG-58

Console and Aux connections are both used to access router for programming and monitoring.

• Console for local PC
• Auxiliary for dial-up modem
• Router logging defaults to console
• Same type of connection, RJ-45/serial-rollover cable used


79

Types of RJ-45 Ethernet Cables

Rollover Pin Outs (console/aux)
1 - 8, 2 - 7, 3 - 6, 4 - 5, 5 - 4, 6 - 3, 7 - 2, 8 - 1

Crossover Pin Outs (ethernet to ethernet, 10/100baseT)
1 - 3, 2 - 6, 3 - 1, 6 - 2

Straight Thru Pin Outs (ethernet to hub, 10/100baseT)
1 - 1, 2 - 2, 3 - 3, 6 - 6

Gigabit Crossover Pin Outs (ethernet to ethernet, 10/100/1000baseT)
1 - 3, 2 - 6, 3 - 1, 4 - 7, 5 - 8, 6 - 2, 7 - 4, 8 - 5

Gigabit Straight Thru Pin Outs (ethernet to hub, 10/100/1000baseT)
1 - 1, 2 - 2, 3 - 3, 4 - 4, 5 - 5, 6 - 6, 7 - 7, 8 - 8

This illustration shows the pin-out information for specific cable construction.


80

Accessing the Router

• Configuration information can come from many sources

[Figure: Local Access: Console Port, Auxiliary Port. Remote Access: Serial/Ether Interfaces, Virtual Terminals (VTY 0 15), TFTP Server, Network Management Station.]

There are several ways to access a router for configuration and displaying various functions.

• Console Port – Local PC.
• Auxiliary Port – Dial-up Modem.
• Virtual Terminals (VTY 0 4) – Telnet. Used to access the router via the network.
• TFTP Server – Trivial File Transfer Protocol. Used to download a configuration via the network.
• Network Management Station – Computer running some type of Network Management Software such as HP Openview, Cisco Works, or What’s Up Gold.

Note: To utilize Virtual Terminals, TFTP Server, and Network Management, the router must be configured to support IP traffic.


81

Router Modes

Command Mode         | Access Method                                              | Prompt          | Exit Method
User Exec            | log in                                                     | router>         | logout command
Privileged Exec      | enable command                                             | router#         | disable command
Global Configuration | configure terminal command                                 | router(config)# | exit command or Ctrl Z
ROM Monitor          | Press break key during first 60 seconds of boot            | >               | reset command
Setup                | Option provided during boot (yes/no) if no config found; consists of a series of questions | (none) | When complete, enters user exec mode

The Cisco IOS user interface provides access to several different command modes. Each command mode provides a group of related commands that allow you to configure or monitor your router. Entering a question mark (?) at the system prompt allows you to obtain a list of commands available for each command mode.

• User EXEC mode - After you log in to the router, you are automatically in user EXEC command mode. In general, the user EXEC mode contains nondestructive commands that allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information. User EXEC mode is indicated by the device host name followed by the angle bracket (>).

• Privileged EXEC mode - The privileged EXEC mode commands set operating parameters. The privileged commands include those commands contained in user EXEC mode, as well as the configure command through which you can access the remaining command modes. Privileged EXEC mode also includes high-level testing commands, such as debug. To enter privileged EXEC mode, enter enable at the user EXEC prompt. The privileged EXEC mode prompt consists of the device host name followed by the pound sign (#).

From the privileged level, you can access a number of specific configuration modes:


82

• ROM monitor mode - A command-line interface (CLI) that allows you to configure your router. ROM monitor mode occurs if your router does not find a valid system image, or if you interrupt the boot sequence during startup. The ROM Monitor prompt is the angle bracket (>). On the Cisco 1003, 4500, 7200, and 7500 series, rommon> is the default ROM monitor prompt. The continue command takes you from ROM monitor to user EXEC mode.

• Setup mode - This mode is an interactive prompted dialog at the console that helps the new user create a first-time basic configuration. You can also enter setup mode by entering setup at the privileged EXEC prompt. Setup mode consists of a series of questions and does not exhibit a defining prompt of its own.

• RXBoot mode - This mode is a special mode you enter by altering the settings of the configuration register and rebooting the router. RXBoot mode provides the router with a subset of the Cisco IOS software and helps the router boot when it cannot find a valid Cisco IOS image in Flash memory. The RXBoot mode prompt is the host name followed by <boot>.

• Global configuration mode - Global configuration commands apply to features that affect the system as a whole. You initiate global configuration mode by entering the configure command at the privileged EXEC mode prompt. Global configuration mode is indicated by the device host name (config) followed by the pound sign (#). To exit to Privileged EXEC mode, enter exit, end, or press Ctrl-Z at the prompt.

From global configuration mode, you can access a number of other command modes.

• Other configuration modes - These modes provide more specific multiple-line configurations that target individual interfaces or functionality, such as modifying the operation of an interface, configuring multiple virtual interfaces (called subinterfaces) on a single physical interface, or setting an IP routing protocol. There are more than 17 different specific configuration modes. To learn more about these different modes, refer to "Understanding the User Interface" on your Cisco Documentation CD-ROM.


83

78

Password Recovery

1. Turn on the router.

2. Within 60 seconds, perform a “control break” from the PC keyboard.

3. Router prompt should read “rommon>”. This indicates the router is in the ROM Monitor mode.

4. Enter the command “confreg 0x2142”. This resets the configuration register to bypass NVRAM during the boot and not load the startup configuration file.

5. Enter the command “reset”. This will reboot the router.

6. After the router boots, DO NOT enter the setup mode and terminate auto install.

7. Enter the enable mode.

NOTE: perform either step 8 or 9, not both.

8. If the startup configuration is not needed, perform an “erase start” command.

9. If the startup configuration is needed, perform a “copy start run” command. Change the passwords. Perform a “copy run start” command.

10. Enter the global configuration mode. Enter the command “config-reg 0x2102”. This resets the configuration register so the router will perform a normal boot and load the edited startup configuration.

11. From the enable prompt, perform a “show version” command. Verify configuration settings are correct.

12. Reboot the router.



85

Basic Commands

• Show Version
• Show Flash
• Show Run
• Copy Run Start/Run TFTP
• Erase start/NVRAM
• Show Interface
• Show IP Interface Brief
• Show CDP Neighbor
• Show CDP Neighbor Detail
• Show Controllers
• Clear Counters/IP Route

Show Version

router2#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IPVOICE-M), Version 12.3(6b), RELEASE SOFTWARE (fc1)    (IOS Version #)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 19-May-04 23:04 by dchih
Image text-base: 0x80008098, data-base: 0x817A2EB4

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)    (ROM Bootstrap Version #)

router2 uptime is 3 minutes    (amount of time router IOS loaded in RAM)
System returned to ROM by reload    (method used to reboot router: reload or power on)
System image file is "flash:c2600-ipvoice-mz.123-6b.bin"    (file name for IOS)

cisco 2620XM (MPC860P) processor (revision 0x300) with 126976K/4096K bytes of memory.    (total RAM installed: main/shared)
Processor board ID JAE0815CHT3 (1401975376)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)    (interfaces identified during POST)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.    (total NVRAM installed)
32768K bytes of processor board System flash (Read/Write)    (total Flash installed)
Configuration register is 0x2102    (configuration register setting value)


86

Show Flash

router2#show flash
System flash directory:
File  Length    Name/status
  1   16091148  c2600-ipvoice-mz.123-6b.bin    (first file, size of file, & name)
[16091212 bytes used, 16938932 available, 33030144 total]    (total memory used, memory available, total memory)
32768K bytes of processor board System flash (Read/Write)


87

router2#show running-config
Building configuration...

Current configuration : 828 bytes    (size of configuration file)
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2    (host name of router)
!
boot-start-marker    (boot commands)
boot-end-marker
!
enable secret 5 $1$gluW$shWysSIBKZcaSsS8b16DO0    (enable secret password)
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
no ftp-server write-enable

Show Running-Config (1)

Note: The Show Run command will always take more than one page to display. If you see “More” at the bottom of a display page, tapping the space bar on the keyboard will scroll down a full screen. Tapping the ‘enter’ key will scroll down line by line.


88

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0

ip address 148.43.200.2 255.255.255.252

clockrate 250000

!

interface Serial0/1

no ip address

shutdown

!

(FastEthernet 0/0 configuration)

(Serial 0/0 configuration)

Show Running-Config (2)

84

router ospf 100

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

!

ip classless

ip http server

!

line con 0

password router

login

line aux 0

line vty 0 4

password router

login

!

end

(routing protocol configuration)

(line console 0 configuration)

(line vty 0 4 configuration)

Show Running-Config (3)
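The running-config shown above contains several settings a reviewer would question before this router goes on the network: no service password-encryption, a static password on the console and vty lines, line aux 0 with no login, and ip http server. The following script, an added example that is not part of the student guide, parses show running-config output into blocks and flags those settings; the sample configuration is constructed from pages 87 and 88 with the enable secret hash replaced by a placeholder, and the check names and wording are this example's own.

```python
"""Audit a Cisco IOS running-config for weak management-plane settings.

Added example, not from the student guide. SAMPLE_CONFIG is constructed from
the show running-config output above (pages 87-88) with the enable secret
hash replaced by a placeholder. The checks and their wording are this
example's own; each one maps to a line visible in that sample output.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
version 12.3
service timestamps log datetime msec
no service password-encryption
!
hostname router2
!
enable secret 5 $1$PLACEHOLDER$notARealHash
!
no aaa new-model
ip subnet-zero
ip cef
!
interface Serial0/0
 ip address 148.43.200.2 255.255.255.252
 clockrate 250000
!
router ospf 100
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
ip http server
!
line con 0
 password router
 login
line aux 0
line vty 0 4
 password router
 login
!
end
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands.

    IOS indents sub-commands by one space under headers such as 'line vty 0 4'
    or 'interface Serial0/0'; a global command is simply a header with no
    sub-commands. Comment lines ('!') and blank lines are skipped.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    blocks = parse_blocks(config)
    heads = list(blocks)
    findings: List[str] = []

    if "no service password-encryption" in blocks:
        findings.append("global: no service password-encryption; line passwords appear in clear text in show run")
    if not any(h.startswith("enable secret") for h in heads):
        findings.append("global: no enable secret; privileged EXEC is not protected by a hashed secret")
    if any(h.startswith("enable password") for h in heads):
        findings.append("global: enable password in use; enable secret (hashed) should be used instead")
    if "ip http server" in blocks:
        findings.append("global: ip http server enabled; turn it off unless the web interface is required")

    for header, subs in blocks.items():
        if not header.startswith("line "):
            continue
        if not any(s == "login" or s.startswith("login ") for s in subs):
            findings.append(f"{header}: no login; the line does not prompt for a password")
        if any(s.startswith("password ") for s in subs):
            findings.append(f"{header}: static line password shared by every operator")
        if header.startswith("line vty") and "transport input ssh" not in subs:
            findings.append(f"{header}: Telnet accepted on the virtual terminals; restrict with transport input ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```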


89

85

Copy Commands

router2#copy running-config startup-config    (copy the running config (RAM) to the startup config (NVRAM))
Destination filename [startup-config]?
Building configuration...
[OK]

router2#copy running-config tftp    (copy the running config (RAM) to a tftp server)
Address or name of remote host? 148.43.200.1    (address or name of tftp server)
Destination filename [router2-confg]?    (name used for running config when stored on tftp server; name in brackets is default)
.....
%Error opening tftp://148.43.200.1/router2-confg (Timed out)

86

Erase Commands

router2#erase startup-config    (erases the startup config from NVRAM)
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
router2#
*Mar 1 00:06:06.151: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

router2#erase nvram    (erases all files in NVRAM)
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete


90

87

Show Interface

router2#show interface s0/0
Serial0/0 is up, line protocol is up    (indicates the status of layer 1 & 2 on the interface)
  Hardware is PowerQUICC Serial
  Internet address is 148.43.200.2/30    (IP address and mask assigned to the interface)
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,    (values assigned to the interface; used to calculate routing metrics)
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set    (layer 2 protocol)
  Keepalive set (10 sec)    (layer 2 keepalive interval)
  Last input 00:00:05, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:06:26
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/2/256 (active/max active/max total)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     80 packets input, 6472 bytes, 0 no buffer    (counters on the interface which log various values used for troubleshooting and other calculations)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     79 packets output, 6656 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 output buffer failures, 0 output buffers swapped out
     4 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up    (control lead status)

The show interface command displays useful information about an interface and will normally give good clues to line problems. The display shown above is a sample output from the show interface serial command for a synchronous serial interface. The following are some significant fields that are shown in the display that are useful in a troubleshooting environment:

Serial…is… – Indicates whether the interface hardware is up (carrier detect is present), down (carrier detect is not present), or administratively down if the interface hardware has been taken down by an administrator. (Layer 1)

line protocol is – Indicates whether the software processes that handle the line protocol (encapsulation) consider the line usable or not (up / down), that is, whether keepalives are successful. (Layer 2)

Internet Address – Indicates the IP address and mask of the interface.

MTU – Maximum Transmission Unit of the interface.

BW – Bandwidth of the i/f in kilobits per second. The BW value is used to compute metrics only, not real interface speed. Serial defaults to T1 and ether to 10 mbs.


DLY: Delay of the interface in microseconds. (EIGRP/IGRP metrics only)

rely: Reliability of the interface as a fraction of 255 (255/255 is 100% reliability), calculated as an exponential average over 5 minutes.

Load: Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes. Based on BW.

Encapsulation: Type of encapsulation used on the serial link. HDLC is the default for Cisco.

keepalive: Indicates whether or not keepalives are set and the time between each.

Last input: Number of hours, minutes, and seconds since the last packet was successfully received by an interface. Useful for knowing when a dead interface failed.

output: Number of hours, minutes, and seconds since the last packet was successfully transmitted by an interface. Useful for knowing when a dead interface failed.

Last clearing: Time at which the shown counters measuring cumulative statistics (such as number of bytes transmitted and received) were last reset to zero. Variables that might affect routing (for example, load and reliability) are not cleared when the counters are cleared. *** indicates the elapsed time is too large to be displayed.

Output queue, Input queue: Number of packets in the output / input queues. Each number is followed by a slash, the maximum queue size, and the number of packets dropped because the queue was full.

packets input: Total number of error-free packets received by the system.

bytes input: Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.

no buffers: Number of received packets discarded because there was no buffer space in the main system. Compare with the ignored count. Broadcast storms on Ethernets are often responsible for no input buffer events.

Received…Broadcasts: Total number of broadcast or multicast packets received by the interface. The number of broadcasts should be kept as low as practicable. An approximate threshold is less than 20 percent of the total number of input packets.

runts: Number of runt packets discarded because they are smaller than the medium's minimum packet size. Any Ethernet packet that is less than 64 bytes is considered a runt. Runts are usually caused by collisions. More than one runt per million bytes received should be investigated.

giants: Number of packets discarded for exceeding the medium's maximum packet size. Any Ethernet packet that is greater than 1518 bytes is considered a giant.

input errors: Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of the enumerated input error counts.

CRC: The cyclic redundancy checksum generated by the originating LAN station does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data. More than one CRC error per million bytes received should be investigated.

frame: Number of packets received incorrectly with a CRC error. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

overrun: Number of times the receiver was unable to hand received data to a hardware buffer because the input rate exceeded the receiver's ability to handle the data.

ignored: Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.

collisions: Number of messages retransmitted due to an Ethernet collision. Collisions are a normal part of Ethernet carrier sense multiple access with collision detection (CSMA/CD). Excessive collisions are usually the result of a faulty network interface card somewhere on the Ethernet or an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). The total number of collisions with respect to total output packets should be around 0.1 percent or less. A packet that collides is counted only once in output packets.

interface resets: Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. Interface resets can also occur when an interface is looped back or shut down.

carrier transitions: Number of times the carrier detect signal of a serial interface has changed state. If data carrier detect (DCD) goes down and comes up, the carrier transition counter will increment two times. Indicates modem or line problems if the carrier detect line is changing state often.

DCD, DSR, DTR, RTS, CTS: Indicates whether the control leads between the DCE and DTE devices are in an up or down status. If any are in a down status, the interface will be down.
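The field descriptions above give several rules of thumb (CRC errors and runts above one per million bytes received, broadcasts at 20 percent or more of input packets, collisions above 0.1 percent of output packets). The following added example, which is not part of the student guide, parses show interface counter lines with regular expressions and applies those thresholds; the sample output it reads is constructed, and the Ethernet interface in it is made up so that every rule can fire.

```python
import re

# Constructed sample input for this example (not the guide's own output): the
# counter block of a serial interface like the one shown earlier, plus a
# constructed, noisier Ethernet interface so that each rule of thumb can fire.
SAMPLE = """Serial0/0 is up, line protocol is up
     80 packets input, 6472 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     79 packets output, 6656 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     4 carrier transitions
FastEthernet0/1 is up, line protocol is up
     50000 packets input, 3000000 bytes, 0 no buffer
     Received 12000 broadcasts, 8 runts, 0 giants, 0 throttles
     12 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     40000 packets output, 2500000 bytes, 0 underruns
     0 output errors, 100 collisions, 0 interface resets
"""

# Counter name -> regex that captures its value from one output line.
FIELDS = {
    "packets_input": r"(\d+) packets input",
    "bytes_input": r"packets input, (\d+) bytes",
    "broadcasts": r"Received (\d+) broadcasts",
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}
STATUS_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")


def parse_show_interface(text):
    """Return {interface name: counters} from 'show interface' output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            # A new "<name> is <l1>, line protocol is <l2>" line starts an interface.
            current = {"layer1": m.group(2), "layer2": m.group(3)}
            current.update({name: 0 for name in FIELDS})
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        for name, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m:
                current[name] = int(m.group(1))
    return interfaces


def health_findings(name, c):
    """Apply the thresholds given in the field descriptions above."""
    findings = []
    if c["layer1"] != "up" or c["layer2"] != "up":
        findings.append(f"{name}: layer 1 {c['layer1']}, line protocol {c['layer2']}")
    if c["bytes_input"]:
        per_million = 1_000_000 / c["bytes_input"]
        # More than one CRC error or runt per million bytes received.
        if c["crc"] * per_million > 1:
            findings.append(f"{name}: {c['crc']} CRC errors in {c['bytes_input']} bytes")
        if c["runts"] * per_million > 1:
            findings.append(f"{name}: {c['runts']} runts in {c['bytes_input']} bytes")
    if c["packets_input"]:
        share = c["broadcasts"] / c["packets_input"]
        if share >= 0.20:  # broadcasts should stay under 20% of input packets
            findings.append(f"{name}: broadcasts are {share:.0%} of input packets")
    if c["packets_output"]:
        ratio = c["collisions"] / c["packets_output"]
        if ratio > 0.001:  # collisions should be around 0.1% of output or less
            findings.append(f"{name}: collisions are {ratio:.2%} of output packets")
    return findings


def check_all(text):
    """Parse the output and return {interface name: list of findings}."""
    return {name: health_findings(name, c)
            for name, c in parse_show_interface(text).items()}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```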


Show IP Interface Brief

router2#show ip interface brief          (snapshot status of all interfaces)
Interface        IP-Address     OK? Method Status                Protocol
FastEthernet0/0  unassigned     YES unset  administratively down down
Serial0/0        148.43.200.2   YES manual up                    up
Serial0/1        unassigned     YES unset  administratively down down

Interface: interface of the router

IP-Address: IP address assigned to the interface

OK?: did the interface pass the POST (power on self test) during the boot process

Method: method used to configure the interface – unset, manual, NVRAM

Status: layer 1 status of the interface, up/down

Protocol: status of the layer 2 protocol, up/down

Show CDP Neighbor

(Cisco Discovery Protocol; layer 2 protocol for Cisco devices to exchange hardware information)

router2#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID   Local Intrfce   Holdtme   Capability   Platform   Port ID
router1     Ser 0/0         127       R S          2620XM     Ser 0/0

Device ID: host name of the neighbor device

Local Intrfce: interface of local Cisco device attached to the neighbor

Holdtime: decremented holdtime in seconds (default is 180); if a CDP packet is not received within the holdtime, the neighbor is declared dead.

Capability: capability of neighbor device – R for router, S for Switch, H for host, etc.

Platform: model number of neighbor device.

Port ID: interface of neighbor device used to receive cdp information.


Show CDP Neighbor Detail

UHN_66030_ST2R#show cdp neighbor detail
-------------------------
Device ID: JNN_77050_NV1S                               (Hostname of neighbor device)
Entry address(es):
  IP address: 10.5.1.2                                  (IP address of CDP neighbor)
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP (Info on hardware platform of neighbor)
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/2   (Local outgoing interface, followed by neighbor's i/f)
Holdtime : 159 sec

Version :                                               (Neighbor's IOS info)
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000000E834953C0FF0000
VTP Management Domain: ''
Duplex: full


Introduction to Routing and Static Route Lab


What is Routing?

• Routing is the process of determining the best path through a topology to reach a destined network. The router does this by building and referencing the routing table.

Routing is the process of determining the best path for packets through an internetwork based on OSI layer three addressing. The destination address of packets is examined, then stored information (routing table) about destination networks is examined to determine the best path. These packets are then directed from a source network to the destination network. Through the use of dynamic routing protocols, routers exchange information concerning the state of destination networks. This information is then used to build the routing table. Different routing protocols use different criteria for determining the best route.


What is Switching?

Figure: a router with interfaces e0, s0, s1 and s2 and its routing table: Network X via s0, Network Y via s1, Network Z via s2, Network A via e0.

• Switching is the process of moving packets within a router from an incoming interface to an outgoing interface. The routing table is consulted to determine the outgoing interface.

Switching, in relation to routers, is the process of taking an incoming packet from an interface and delivering it out another interface. The router determines the best path by consulting the routing table; the table lists the interface the packet must exit to take the path. Routers employ different types of switching. The most basic has the router building a table or cache of destination addresses as packets are routed out certain interfaces. From this point on, the switching cache is consulted before the routing table and if an exact match is found, the packet is immediately switched to the appropriate exit interface. This dramatically speeds up the delivery of packets. The phrase “route few, switch many” is used to describe this process. The separate functions of routing and switching work together to move data as fast as possible. After the routing function decides which outgoing interface to use for addressed packets, the switching function can use the same interface for any identically addressed follow-on packets. A new route look-up is not needed.


Routing Uses Network Addresses

Figure: routing table of a router with three ports (E0=10.1.23.7, E1=10.2.5.3, E2=10.3.15.14).

Destination Network   Router Port   Router Address
10.1.0.0              E0            10.1.23.7
10.2.0.0              E1            10.2.5.3
10.3.0.0              E2            10.3.15.14

• Network portion of address used to make path selections

• Packets are routed to networks, not hosts.

• Packets are delivered to host via layer 2 (ARP)

Routers relay a packet from one data link to another. To relay a packet, a router uses two basic functions: a path determination function and a switching function. The graphic illustrates how routers use the addressing for routing and switching functions. Although the path determination function sometimes is able to calculate the complete path from the router to the destination, a router is responsible only for passing the packet to the best network along the path. This best path is represented as a direction to a destination network—like the arrows in the figure pointing to the next hop. The router uses the network portion of the address to make path selections. The switching function allows a router to accept a packet on one interface and forward it on a second interface. The path determination function enables the router to select the most appropriate interface for forwarding a packet. The network portion of the address refers to a specific port on the router that leads to an adjacent router in that direction.


Network-Layer Protocol Operations

Figure: hosts X and Y run the full seven-layer stack (Application, Presentation, Session, Transport, Network, Data Link, Physical); routers A, B and C between them operate only at the Network, Data Link and Physical layers.

• As a packet travels through the network, only layers 1-3 are examined and/or altered.

When a host application needs to send a packet to a destination on a different network, a data-link frame is received on one of a router’s interfaces. The router decapsulates and examines the frame to determine what type of network-layer data is being carried. The network-layer data is sent to the appropriate network-layer process, and the frame itself is discarded. The network-layer process examines the header to determine the destination network and then references the routing table that associates networks to outgoing interfaces. The packet is again encapsulated in the data-link frame for the selected interface and queued for delivery to the next hop in the path. This process occurs each time the packet switches through another router. At the router connected to the network containing the destination host, the packet is again encapsulated in the destination LAN’s data-link frame type for delivery to the protocol stack on the destination host.


What is a Routing Table?

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 148.18.16.255 to network 0.0.0.0

     148.18.0.0/16 is variably subnetted, 51 subnets, 6 masks
D       148.18.120.252/30 [90/1787392] via 148.18.16.255, 03:46:01, Serial2/0
D       148.18.14.128/30 [90/11023872] via 148.18.16.255, 03:45:33, Serial2/0
                         [90/11023872] via 148.18.14.255, 03:45:33, Serial1/2
D       148.18.14.129/32 [90/11023872] via 148.18.16.255, 03:46:01, Serial2/0
D       148.18.14.130/32 [90/11023872] via 148.18.14.255, 03:45:33, Serial1/2
D       148.18.106.224/30 [90/10563072] via 148.18.57.255, 03:46:05, Serial3/0
D       148.18.104.224/29 [90/6026496] via 148.18.19.255, 03:46:01, Serial1/1
C       148.18.110.248/30 is directly connected, Ethernet0/2
D       148.18.104.255/32 [90/6151936] via 148.18.19.255, 03:46:26, Serial1/1
D       148.18.102.244/30 [90/3037440] via 148.18.19.255, 03:46:26, Serial1/1
D       148.18.111.255/32 [90/10716672] via 148.18.57.255, 00:48:39, Serial3/0
D       148.18.20.132/30 [90/11023872] via 148.18.57.255, 03:46:05, Serial3/0
S       148.18.110.244/30 [1/0] via 148.18.110.250
D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial2/0

A routing table is what the router uses to determine where to send packets. The table lists the network and the router interface the packet must exit to reach it. To build the table, the router uses the administrative distance as the first factor in determining which routes are placed into the table. If routes have the same distance, the metric is then used.


Longest Match Rule

D    148.18.20.132/30 [90/11023872] via 148.18.57.255, 03:46:05, Serial3/0
S    148.18.110.244/30 [1/0] via 148.18.110.250
D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial2/0

A packet with an address of 148.18.20.133 is a match for both of these entries (the 148.18.20.132/30 route and the 0.0.0.0/0 default route). Which interface will the packet exit?

• When there are multiple matches in a routing table for incoming packets, the entry with the most explicit or longest mask is the entry utilized.

• In the above example, the packet would be routed out interface S3/0.

All routers must implement a consistent forwarding algorithm based on the "longest match" algorithm. The deployment of VLSM means that the set of networks associated with extended-network-prefixes may manifest a subset relationship – that is, one or more of the subnets listed in the routing table may be smaller parts of other larger networks listed in the table. A route with a longer extended-network-prefix describes a smaller set of destinations than the same route with a shorter extended-network-prefix. As a result, a route with a longer extended-network-prefix is said to be more specific, while a route with a shorter extended-network-prefix is said to be less specific. Routers must use the route with the longest matching extended-network-prefix (most specific matching route) when forwarding traffic. A longer mask means a smaller network, so forwarding packets to that routing table entry gets the packets closer to home.
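The longest match rule carried out in code, as an added example that is not part of the student guide: the three entries from the slide above are parsed from their show ip route text, and a lookup keeps every entry whose network contains the destination and returns the one with the longest mask. The destination addresses looked up in main() are constructed for the example.

```python
import ipaddress
import re

# The three entries from the slide above, kept verbatim; the destination
# addresses looked up in main() are constructed for this example.
ROUTING_TABLE_LINES = [
    "D    148.18.20.132/30 [90/11023872] via 148.18.57.255, 03:46:05, Serial3/0",
    "S    148.18.110.244/30 [1/0] via 148.18.110.250",
    "D*EX 0.0.0.0/0 [170/2767360] via 148.18.16.255, 03:45:34, Serial2/0",
]

# code  prefix  [distance/metric] via next-hop[, age, interface]
ENTRY_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>[\d.]+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[\d.]+)"
    r"(?:,\s*\S+,\s*(?P<iface>\S+))?"
)


def parse_entry(line):
    """Parse one 'show ip route' line into a dict; raise on unknown layouts."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised routing table line: {line!r}")
    return {
        "code": m.group("code"),
        "network": ipaddress.ip_network(m.group("prefix"), strict=False),
        "distance": int(m.group("distance")),
        "metric": int(m.group("metric")),
        "nexthop": ipaddress.ip_address(m.group("nexthop")),
        # A static route given only as a next hop has no interface column.
        "iface": m.group("iface"),
    }


def parse_table(lines):
    return [parse_entry(line) for line in lines]


def longest_match(table, destination):
    """Return the matching entry with the longest mask, or None if nothing
    matches (a table holding a 0.0.0.0/0 default route always matches)."""
    dest = ipaddress.ip_address(destination)
    matches = [e for e in table if dest in e["network"]]
    if not matches:
        return None
    return max(matches, key=lambda e: e["network"].prefixlen)


if __name__ == "__main__":
    table = parse_table(ROUTING_TABLE_LINES)
    for dest in ("148.18.20.133", "148.18.110.245", "10.20.30.40"):
        e = longest_match(table, dest)
        print(dest, "->", e["network"], "via", e["nexthop"], e["iface"] or "")
```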


How is a Routing Table Built?

Figure: candidate routes being offered to the routing table for 192.10.1.0/24:

STATIC   network 192.10.1.0/24 via s0
OSPF     network 192.10.1.0/24 via s1
RIP      network 192.10.1.0/24 via s2

• The router can learn about the same network from multiple sources (protocols). How does the router determine which source's information to use?

Route information can come from many different sources. When the router receives the same route information from multiple sources, it must decide which source’s information to use (install into the routing table). How does it do this?


Choosing a Candidate Route

Distance & Metrics

Routing Table Entry:   O 148.43.200.101/32 [110/455]   (110 = Distance, 455 = Metric)

• When deciding what route information is installed into the routing table, the router looks at two things: Distance and Metrics


Administrative Distance

Figure: Router A can reach Router D through either Router B or Router C; one path is learned on interface 128.31.7.1 with Administrative Distance=100, the other on interface 128.5.1.3 with Administrative Distance=120.

"I need to send a packet to Router D. Both router B and C will get it there. Which route is more reliable?"

Administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers running a particular routing protocol. Distance is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. A distance of 255 means the routing information source cannot be trusted at all and should be ignored. Specifying distance values enables the router to discriminate between sources of routing information. The router always picks the route whose source has the lowest distance.


Administrative Distance Defaults

Route Source          Default Distance
Connected Interface   0
Static Route          1
RIP                   120
IGRP                  100
EIGRP                 90
OSPF                  110
BGP                   20

Administrative distance can be manually configured on the router to give certain routing protocols preference over others. Under the desired routing protocol configuration, use the distance command.


Metrics

Metric is used to determine the best path when multiple routes to a destination are received from the same source (equal distance).

The router uses values such as bandwidth, delay, MTU, load & reliability to calculate the metric. These values are assigned to the router interface and the metric is applied on an outgoing basis.

Figure: several paths from Source to Destination over links of differing bandwidth (256 kbs, 768 kbs, T1, 10 mbs, 256 kbs, 512 kbs).

Once a routing information source has been selected using administrative distance, it is possible to get multiple path information for the same destination from the same source. How does the router decide which is the preferred path? Metrics are used to determine this. Different routing protocols use different variables to determine the metric value. Examples of the variables used are things such as hop count, bandwidth, delay, reliability, load, and MTU.
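The two-step selection described on the last few pages (administrative distance first, then metric among candidates from the winning source), as an added example that is not part of the student guide. The default distances are the ones tabulated above; the candidate routes are constructed for the example (the 192.10.1.0/24 offers are the STATIC/OSPF/RIP ones from the earlier slide, the 10.9.0.0/16 offers are made up), and the distance_override parameter models the distance command configured under a routing protocol.

```python
# Default administrative distances from the table on this page.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "rip": 120,
}

# Constructed candidate routes for this example. The first three are the
# STATIC/OSPF/RIP offers for 192.10.1.0/24 from the earlier slide; the rest
# are made up. Metrics are whatever the protocol itself computed (hop count
# for RIP, cost for OSPF) and are only comparable within one source.
CANDIDATES = [
    {"source": "static", "prefix": "192.10.1.0/24", "metric": 0,  "iface": "s0"},
    {"source": "ospf",   "prefix": "192.10.1.0/24", "metric": 74, "iface": "s1"},
    {"source": "rip",    "prefix": "192.10.1.0/24", "metric": 3,  "iface": "s2"},
    {"source": "ospf",   "prefix": "10.9.0.0/16",   "metric": 74, "iface": "s1"},
    {"source": "ospf",   "prefix": "10.9.0.0/16",   "metric": 20, "iface": "s2"},
    {"source": "rip",    "prefix": "10.9.0.0/16",   "metric": 1,  "iface": "s0"},
]


def select_route(candidates, distance_override=None):
    """Pick the candidate the router installs for one prefix.

    Step 1: keep only the source(s) with the lowest administrative distance
    (a distance of 255 means the source is never trusted).
    Step 2: among those, the lowest metric wins.
    distance_override maps source -> distance, modelling the 'distance'
    command configured under that routing protocol (hypothetical values).
    """
    distances = dict(DEFAULT_DISTANCE)
    distances.update(distance_override or {})
    usable = [c for c in candidates if distances[c["source"]] < 255]
    if not usable:
        return None
    best_distance = min(distances[c["source"]] for c in usable)
    same_source = [c for c in usable if distances[c["source"]] == best_distance]
    return min(same_source, key=lambda c: c["metric"])


def build_table(candidates, distance_override=None):
    """Group candidates by prefix and install the winner for each prefix."""
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c["prefix"], []).append(c)
    return {p: select_route(cs, distance_override) for p, cs in by_prefix.items()}


if __name__ == "__main__":
    for prefix, route in build_table(CANDIDATES).items():
        print(prefix, "installed from", route["source"], "via", route["iface"])
    # Same offers, but RIP preferred over OSPF by lowering its distance to 100.
    for prefix, route in build_table(CANDIDATES, {"rip": 100}).items():
        print(prefix, "installed from", route["source"], "via", route["iface"])
```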


Classful Routing

• Classful routing protocols are a consequence of the distance vector method of route calculation.
  - RIPv1
  - IGRP

• Routing masks are not carried within the periodic routing updates.

• Within a network, consistency of masks is assumed.

Classful protocols do not 'get' VLSM. All subnets within your network must have the same mask.

Classful routing is a consequence of the fact that routing masks are not advertised in the periodic, routine, routing advertisements generated by most distance vector routing protocols. In a classful environment, the receiving device must know the routine mask associated with any advertised subnets. This information can be gained two ways:

• The receiving device shares the same routing mask as the advertised device.

• If the mask does not match, the receiving device must use the default routing mask. This means the device must summarize the received route into a classful boundary before sending it with the default routing mask in its own advertisement.
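The classful fallback described above, as an added example that is not part of the student guide: a learned subnet is re-advertised unchanged when the receiver shares its mask, and otherwise summarized to the classful (class A, B or C) boundary implied by its first octet. The prefixes in main() reuse addresses from this guide's routing tables but the cases are constructed.

```python
import ipaddress


def classful_prefix_length(address):
    """Default mask length implied by the first octet of an IPv4 address."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        return 8      # class A: 1.0.0.0 - 127.255.255.255
    if first_octet < 192:
        return 16     # class B: 128.0.0.0 - 191.255.255.255
    if first_octet < 224:
        return 24     # class C: 192.0.0.0 - 223.255.255.255
    raise ValueError(f"{address} is not a class A, B or C address")


def classful_summary(route):
    """Summarize a subnet route to its classful boundary."""
    net = ipaddress.ip_network(route, strict=False)
    length = classful_prefix_length(net.network_address)
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def classful_advertisement(route, receiver_mask_len):
    """What a classful protocol ends up advertising for a learned subnet:
    the subnet itself when the receiver shares its mask, otherwise the
    route summarized to the classful network with the default mask."""
    net = ipaddress.ip_network(route, strict=False)
    if net.prefixlen == receiver_mask_len:
        return net
    return classful_summary(net)


if __name__ == "__main__":
    # Constructed cases reusing prefixes from this guide's routing tables.
    for route, mask in (("148.18.20.132/30", 30), ("148.18.20.132/30", 24),
                        ("10.5.1.0/30", 24), ("192.10.1.0/24", 24)):
        print(route, "received by a /%d neighbour ->" % mask,
              classful_advertisement(route, mask))
```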


Classless Routing

• Classless routing protocols include the routing mask with the route advertisement.
  - OSPF
  - EIGRP
  - RIPv2
  - IS-IS
  - BGP

• Summary routes can be manually controlled within the network.

Classless routing protocols can be considered second-generation protocols because they are designed to deal with some of the limitations of the earlier classful protocols. One of the most serious limitations in a classful network environment is that the routing mask is not exchanged during the routing update process. This original approach required the same routing mask be used on all subnetworks. The classless approach advertises the routing mask for each route and therefore a more precise lookup can be performed in the routing table. Classless routing protocols also addressed another limitation of the classful approach: the need to summarize to a classful network with a default routing mask at all major network boundaries. In the classless environment, the summarization process is manually controlled and can be invoked at any bit position (i.e., using any length of mask) within the network address. Some of the hierarchical designs using OSPF allow summarization at any bit position, but restrict configuring summarization to specific devices, such as area border routers. Since subnet routes are propagated throughout the routing domain, summarization is required to keep the size of the routing table manageable.


Types of Routing Protocols

Distance Vector: RIP, IGRP
Hybrid Routing: EIGRP
Link State: OSPF

(Figure: each type illustrated on a four-router topology A, B, C, D.)

Distance vector algorithms are based on the work done by R. E. Bellman, L. R. Ford, and D. R. Fulkerson and for this reason occasionally are referred to as Bellman-Ford or Ford-Fulkerson algorithms. The name distance vector is derived from the fact that routes are advertised as vectors of (distance, direction), where distance is defined in terms of a metric and direction is defined in terms of the next-hop router. For example, "Destination A is a distance of 5 hops away, in the direction of next-hop router X." As that statement implies, each router learns routes from its neighboring routers' perspectives and then advertises the routes from its own perspective. Because each router depends on its neighbors for information, which the neighbors in turn may have learned from their neighbors, and so on, distance vector routing is sometimes facetiously referred to as "routing by rumor". The information available to a distance vector router has been compared to the information available from a road sign. Link state routing protocols are like a road map. A link state router cannot be fooled as easily into making bad routing decisions, because it has a complete picture of the network. The reason is that unlike the routing-by-rumor approach of distance vector, link state routers have firsthand information from all their peer routers.


Routing Protocol Design

Distance Vector Protocols: “Routing by Rumor” Each router only knows what its neighbors tell it. None of the routers have a complete picture of the network topology. A distance vector update would say “I can get your traffic to network X, which is Y distance from me.” Can be prone to routing loops as a result of too little information.

Link State Protocols: Each router sends info about itself and its connected links to its neighbors. This info is passed along unchanged, and thus shared with all routers. Each router ends up with an identical, complete map of the network.

Hybrid Protocols: Routers use distance vector metrics, but have loop-avoidance mechanisms built in. Hybrid protocol routers build a much smaller database than a link state router.

Link state routing protocols (continued): Each router originates information about itself, its directly connected links, and the state of those links (hence the name). This information is passed around from router to router, each router making a copy of it, but never changing it. The ultimate objective is that every router has identical information about the internetwork, and each router will independently calculate its own best paths. Link state protocols, sometimes called shortest path first or distributed database protocols, are built around a well-known algorithm from graph theory, E. W. Dijkstra's shortest path algorithm. Hybrid Routing, commonly referred to as balanced-hybrid routing, is a combination of distance-vector routing, which works by sharing its knowledge of the entire network with its neighbors, and link-state routing, which works by having the routers tell every router on the network about its closest neighbors. Hybrid Routing is a third classification of routing algorithm. Hybrid routing protocols use distance-vectors for more accurate metrics to determine the best paths to destination networks, and report routing information only when there is a change in the topology of the network. Hybrid routing allows for rapid convergence but requires less processing power and memory as compared to link-state routing.


Static vs. Dynamic Routes

• Static route: Uses a protocol route that a network administrator enters into the router.

• Dynamic route: Uses a route that a network routing protocol adjusts automatically for topology or traffic changes.

Static knowledge is administered manually: A network administrator enters it into the router’s configuration. The administrator must manually update this static route entry whenever an internetwork topology change occurs. Static knowledge can be private – by default, it is not conveyed to other routers as part of an update process. However, the routers can be configured to share this knowledge. Dynamic knowledge works differently. After the network administrator enters configuration commands to start dynamic routing, a routing process updates route knowledge automatically whenever new topology information is received from the internetwork. Changes in dynamic knowledge are exchanged between routers as part of the update process.


Configure Router for Network Operations

Options for Router Configuration

- System Configuration Dialog: Consists of a series of questions designed to guide a user through a first-time set-up of the router

- Manual Configuration: Configuration commands are typed in one by one at the Command Line Interface (CLI), or configuration may be pasted into the CLI from a saved text file

- Configuration File Transfer from TFTP Server

Routers can be configured by following a set of questions included in the System Configuration Dialog. This method was designed as a first-time set-up routine. This initial configuration dialog can take longer than manual configuration. Manual configuration is performed by typing commands at the Command Line Interface (CLI), or pasting a series of configuration commands into the CLI from a text file. This method is most commonly used. Configurations can also be stored as back-ups on a TFTP server accessible through the network. By using ‘copy’ commands, files can be written to, or downloaded from, the server.


Network Cabling and IP Addresses

[Diagram: lab LAN 148.43.200.192/28. Routers 1 through 8 connect their f0/0 interfaces to the shared segment with addresses .193/28 through .200/28.]

Static Router Lab

1. Cabling
2. Router Manual Configuration
   a. Hostname and Passwords
   b. Configure Fastethernet interfaces
   c. Confirm configuration using 'show' commands
3. Static Routes
4. Limitations


--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no
!
Press return to get started!
!
!
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname router3
router3(config)#enable secret secret
router3(config)#line con 0
router3(config-line)#password console
router3(config-line)#logging synchronous
router3(config-line)#login
router3(config-line)#line vty 0 15
router3(config-line)#password vty
router3(config-line)#login
router3(config-line)#^Z

Hostname and Passwords

Setting the password on the virtual terminal lines allows the option of telnetting in to the router for remote monitoring or troubleshooting.

Password:
router1>en
Password:
router1#config t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int fa0/0
router1(config-if)#ip address 148.43.200.9 255.255.255.252
router1(config-if)#no shut
router1(config-if)#^Z
router1#

Configuring a Fastethernet Interface

Use the diagrams on the preceding pages to determine your ip addresses and subnet masks.


Show IP Interface Brief

router5>enable
Password:
router5#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 148.43.200.21 YES manual up up

Serial0/0/0 unassigned YES manual administratively down down

Serial0/0/1 unassigned YES manual administratively down down

The router will not place a route in the routing table until the path to that network is ‘up up’.

Router5# show interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is DEC21140, address is 0000.0c0c.1111 (bia 0002.eaa3.5a60)
  Internet address is 148.43.200.17 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive not set, hdx, 100BaseTX
  ARP type: ARPA, ARP Timeout 4:00:00
  Last input never, output 0:00:16, output hang 0:28:01
  Last clearing of "show interface" counters 0:20:05
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants
     0 input errors, 0 CRC, 0 frame, 0 overrun, 1786161921 ignored, 0 abort
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     67 packets output, 8151 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets, 0 restarts
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Show Interface


Router5#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       148.43.200.192/28 is directly connected, Fastethernet0/0

Show IP Route

NOTICE: At no time did you type a network address when you configured the interfaces. The router calculated the network address to put in the routing table, based on your choice of interface IP address and mask.

Reachable Routers

• Ping the interface of a connected neighbor
• Ping an interface of a router not directly connected to yours
• Trace route to an interface on a router not directly connected.

Routers consult their routing tables in order to route packets to the destination network. If the destination is not listed in the routing table, the network is unreachable. One option to get these networks listed in the routing table is to set up static routes.


Hosts and the Default Gateway

[Diagram: router 5, interface f0/1 163.1.15.254/23]

router1(config)#int f0/1
router1(config-if)#ip address 163.1.15.254 255.255.254.0

The host IP address given to the fastethernet interface establishes the local area network on the router. Hosts can be connected to the network, using other host addresses for their IPs, and specifying the router’s interface as the default gateway.


Router(config)# ip route network mask [address|interface] [distance] [permanent]

  network    Destination network for the static route
  mask       Prefix mask for the destination network
  address    IP address of the next hop that can be used to reach that network
  interface  Interface number on router to exit to reach destination network
  distance   (Optional) Administrative distance for the static route
  permanent  (Optional) Specifies that the route will not be removed

Static Route Configuration

Static Routes: The administrator must configure the router with all networks not directly connected to it. A static route specifies the interface the router must use to reach a network. Every router within the topology must be configured for all networks not directly connected to it, and every router must have its configuration updated when there is a change in the topology (network added/deleted). Static route configuration forces an entry into the routing table.


router5>enable
Password:
router5#config t
Enter configuration commands, one per line. End with CNTL/Z.
router5(config)#ip route 148.43.200.16 255.255.255.240 f0/0
router5(config)#exit
01:06:01: %SYS-5-CONFIG_I: Configured from console by console

Configure Static Routes

Note: Routers route to networks. IP addresses specified in static route configuration should be the actual network address, not a host address.

Every router within the topology must configure for all networks not directly connected.

USE THE NETWORK DIAGRAM TO DETERMINE ALL STATIC ROUTES

NETWORK SUBNET MASK INTERFACE

Determine Static Routes
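The two rules above, that the router derives the connected network from the interface address and mask, and that a static route must name a network address rather than a host, can be checked before anything is typed at the CLI. The following Python is an added example, not code from the student guide or from Cisco; the interface and route values are constructed from the lab addressing (router5's f0/0 address is the one on the page, the f0/1 address and the remote LAN are hypothetical).

```python
import ipaddress

# Constructed sample input: interface addresses as typed at the CLI
# (router5 f0/0 from the lab; f0/1 is a hypothetical second LAN).
INTERFACES = {
    "FastEthernet0/0": ("148.43.200.21", "255.255.255.240"),
    "FastEthernet0/1": ("148.43.200.33", "255.255.255.224"),
}


def connected_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """Network the router installs as a 'C' route for an interface.

    The operator never types a network address; the router zeroes the host
    bits of the interface address under the mask. strict=False makes the
    ipaddress module do the same instead of rejecting a host address.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def connected_routes(interfaces: dict) -> list:
    """Render 'show ip route' style 'C' entries, one per interface."""
    return [
        f"C {connected_network(addr, mask)} is directly connected, {name}"
        for name, (addr, mask) in interfaces.items()
    ]


def is_network_address(network: str, mask: str) -> bool:
    """True when no host bits are set under the mask (what 'ip route' expects)."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return str(net.network_address) == network


def static_route(network: str, mask: str, exit_iface: str) -> str:
    """Build 'ip route network mask interface', enforcing the note above:
    the address must be the network address, not a host on that network."""
    if not is_network_address(network, mask):
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        raise ValueError(
            f"{network} is a host address; the network address is {net.network_address}"
        )
    net = ipaddress.ip_network(f"{network}/{mask}")
    return f"ip route {net.network_address} {net.netmask} {exit_iface}"


def static_routes_for(remote_networks: list, local_interfaces: dict) -> list:
    """Every network not directly connected needs a static route. Networks the
    router already reaches as connected are skipped, so no static entry shadows
    a 'C' route."""
    connected = {connected_network(a, m) for a, m in local_interfaces.values()}
    lines = []
    for network, mask, iface in remote_networks:
        line = static_route(network, mask, iface)   # validates the address first
        if ipaddress.ip_network(f"{network}/{mask}") in connected:
            continue
        lines.append(line)
    return lines


if __name__ == "__main__":
    for entry in connected_routes(INTERFACES):
        print(entry)
    REMOTE = [
        ("148.43.200.16", "255.255.255.240", "f0/0"),  # already connected: skipped
        ("148.43.200.64", "255.255.255.224", "f0/0"),  # constructed remote LAN
    ]
    for entry in static_routes_for(REMOTE, INTERFACES):
        print(entry)
```

Running the script prints the two connected entries and a single ip route line for the remote LAN; passing 148.43.200.17 instead of .16 raises the ValueError with the corrected network address.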


Static Route Lab Diagram

[Diagram: Static Route Lab. LAN 148.43.200.192/28 with routers 1 through 8 on f0/0 at .193/28 through .200/28. Each router's f0/1 attaches a host LAN: 148.43.200.17/27, 148.43.200.25/27, 148.43.200.33/27, 148.43.200.41/27, 148.43.200.49/27, 148.43.200.57/27, 148.43.200.65/27, 148.43.200.73/27.]

Configure:

• Static Routes
• Limitations


show run
ip route 148.43.200.12 255.255.255.252 Serial0/0/1
ip route 148.43.200.16 255.255.255.252 Serial0/0/1
ip route 148.43.200.20 255.255.255.252 Serial0/0/1
ip route 148.43.200.24 255.255.255.252 Serial0/0/0

show ip route
Gateway of last resort is not set

     148.43.0.0/16 is variably subnetted, 8 subnets, 2 masks
S       148.43.200.20/30 is directly connected, Serial0/0/1
S       148.43.200.16/30 is directly connected, Serial0/0/1
S       148.43.200.24/30 is directly connected, Serial0/0/0
C       148.43.200.6/32 is directly connected, Serial0/0/0
C       148.43.200.4/30 is directly connected, Serial0/0/0
S       148.43.200.12/30 is directly connected, Serial0/0/1
C       148.43.200.10/32 is directly connected, Serial0/0/1
C       148.43.200.8/30 is directly connected, Serial0/0/1

Confirm static route entries at the bottom of the show run screen.

Confirm static routes appear in the routing table.

Confirm Static Routes

• Control “Z”
• copy run start
• sho ip interface brief
• sho ip route
• Ping all routers on network
• Traceroute to a network not directly connected

Confirmation Commands


router5#telnet 148.43.200.14
Trying 148.43.200.14 ... Open

User Access Verification

Password:
router4> exit

router5#trace 148.43.200.14
-- ‘Ctrl-Shift-6’ to stop

Telnet / Trace


Configuring a Loopback Interface

router (config)#Interface loopback0

Establishes the loopback interface 0

router (config-if)#IP address 148.43.200.x 255.255.255.255

Gives the interface an address. Note the explicit mask, 255.255.255.255, or /32, which defines the loopback address as a network with one IP address only.

A loopback interface is a virtual interface on a Cisco router which is treated as a physical (real) port, but has no external connection. An IP address is assigned as if it were a physical interface.


Loopback Interface Example

Configuring a Loopback Address

Password:
router1>en
Password:
router1#config t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int loopback0
router1(config-if)#ip address 148.43.200.1 255.255.255.255
router1(config-if)#^Z

New Networks

• Static Routes
  – Must know the new network exists.
  – Must have the IP address (network & mask).
  – Point your router towards the new networks.

Include the loopback addresses and host LANs.


Static Route Lab w/ Loopback

[Diagram: Static Route Lab with loopbacks. Same LAN 148.43.200.192/28 (routers 1 through 8 on f0/0 at .193/28 through .200/28) and f0/1 host LANs (148.43.200.17/27, .25/27, .33/27, .41/27, .49/27, .57/27, .65/27, .73/27). Each router N additionally has Loopback Address 148.43.200.N/32, for N = 1 through 8.]

• Sho ip interface brief
• Sho ip route
• Ping the network – loopback interfaces and laptop IP addresses
• Once the network is operational, "copy run start."

Show and Ping Commands


Review

• Static Routes
• LANs and Host Addressing
• New Networks
• Limitations


OSPF (Open Shortest Path First) Operation in a Single Area


Routing Protocols

• RIP - Routing Information Protocol, distance vector type, open.

• IGRP - Interior Gateway Routing Protocol, distance vector, Cisco Proprietary.

• OSPF - Open Shortest Path First, link state type, open.

• EIGRP - Enhanced IGRP, balanced hybrid type, Cisco Proprietary.

• BGP - Border Gateway Protocol, inter-autonomous system, open.


OSPF History

[Timeline, 1987 to 1998, events in order: OSPF Workgroup formed; OSPF V1 spec defined; Interoperability testing; OSPF V2 spec defined; OSPF added to Gate D; MOSPF added to Gate D; CIDR adopted; Authentication; Point-to-Multipoint added; OSPF V2 updated; OSPF V2 updated (1998).]

The IETF (Internet Engineering Task Force) was looking for a fast, scalable, efficient interior routing protocol that would replace RIP1. In 1987, work was begun on OSPF, and in 1989, OSPF v1 was finalized as RFC 1131. OSPF v2 was defined in 1991, and the latest enhancements released in 1998. OSPF v2 is the standard that is addressed in this section. This standard is defined in RFC 2328. OSPF is a work in progress; features will be added and modified on an as-needed basis.


OSPF Features

OSPF was developed to overcome RIP’s limitations

• Open, non-proprietary
• Has no hop count limitation, uses link bandwidth
• Supports VLSM
• Uses multicast addressing for updates
  - 224.0.0.5 (All OSPF Routers); 224.0.0.6 (DR only)
• Has fast convergence
• Allows for routing authentication
• Supports hierarchical routing

• OSPF is in the public domain, not owned by any entity, and can be used by anyone.

• Unlike RIP, which has a 15-hop count limitation (if a destination is more than 15 routers away it is deemed unreachable), OSPF has no hop count limitation. OSPF uses metrics or cost assigned to individual links to determine the best path.

• Supports Variable Length Subnet Masking for efficient IP address allocation.

• Uses IP multi-casting to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. In addition, updates are only sent in case routing changes occur, instead of periodically.

• OSPF has fast convergence in that it sends out routing changes instantaneously and not just periodically.

• Allows routing authentication by using password authentication and encryption, which prevents fraudulent sources from corrupting the routing tables.

• OSPF allows for logical definition of networks where routers can be divided into areas. This reduces the propagation of outage information during adverse conditions.


OSPF Hierarchical Routing

• Consists of areas within an autonomous system
• Minimizes routing update traffic

[Diagram: an Autonomous System containing Area 0, with Area 1 and Area 2 attached to it.]

There are two primary elements in the OSPF hierarchy:

Area – An area is a grouping of contiguous OSPF networks and hosts. OSPF areas are logical subdivisions of OSPF autonomous systems. The topology of each area is invisible to entities in other areas, and each area maintains its own topological database.

Autonomous System – OSPF autonomous systems are the largest entity within an OSPF internetwork. They consist of a collection of networks that are under a common administration and share a common routing strategy. An autonomous system, sometimes called a domain, is logically subdivided into multiple areas.

The hierarchical topology of OSPF has several important benefits. Because the topology of an area is hidden from the rest of the autonomous system, routing update traffic can be reduced through route summarization, and the topological databases and SPF trees remain manageable and more efficient. Summarization in an OSPF network allows certain routers to group or aggregate smaller networks into larger logical networks when sending out LSAs. For example, the 148.43.200.0, 148.43.200.64, 148.43.200.128, and 148.43.200.192 networks (all with /26 masks) could be summarized in an advertisement as the 148.43.200.0/24 network. It is like telling your friend that you have a dollar, rather than telling him that you have a quarter and a quarter and a quarter and a quarter.

Within each autonomous system, a central area must be defined as area 0. All other areas are connected off the central or backbone area. Area 0 is also called the transition area because all other areas communicate through it. The OSPF backbone also distributes routing information between OSPF areas. The OSPF backbone has all the properties of a normal OSPF area. Backbone routers maintain OSPF routing information using the same procedures and algorithms as internal routers. The backbone topology is invisible to routers in other areas, while the topologies of individual areas are invisible to backbone routers.
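The dollar-and-quarters summarization above only works out exactly when the smaller networks are contiguous and aligned; otherwise a single summary prefix advertises address space the area does not actually hold. The following Python is an added example, not part of the student guide or of any Cisco software: it reproduces the four /26 to one /24 case from the text and also reports how much address space a single prefix would overclaim when the pieces do not fit, which is the check an administrator wants before configuring a summary on an ABR. The network lists are constructed from the text's example.

```python
import ipaddress
from typing import List, Tuple

# Constructed from the text: four /26 networks that an ABR could advertise as one /24.
AREA_NETWORKS = [
    "148.43.200.0/26",
    "148.43.200.64/26",
    "148.43.200.128/26",
    "148.43.200.192/26",
]


def summarize(networks: List[str]) -> List[str]:
    """Exact summarization: merge only prefixes that are contiguous and aligned,
    so the advertisement covers precisely the networks given and nothing more."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_prefix(networks: List[str]) -> Tuple[str, int]:
    """Smallest single prefix containing all the networks, plus the number of
    addresses it advertises that belong to none of them (0 means the summary
    is exact). Each supernet() step widens the prefix by one bit."""
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    extra = summary.num_addresses - sum(n.num_addresses for n in nets)
    return str(summary), extra


def summary_advertisement(networks: List[str]) -> dict:
    """What an ABR should announce: the exact prefix list, and the single
    covering prefix together with how many addresses it would overclaim."""
    single, extra = covering_prefix(networks)
    return {
        "exact": summarize(networks),
        "single_prefix": single,
        "overclaimed_addresses": extra,
    }


if __name__ == "__main__":
    print(summary_advertisement(AREA_NETWORKS))        # exact /24, overclaim 0
    print(summary_advertisement(AREA_NETWORKS[:3]))    # /25 + /26, or /24 overclaiming 64
```

With all four /26 networks the exact list and the single prefix agree on 148.43.200.0/24. Drop the last /26 and the exact list becomes a /25 plus a /26, while a single /24 would advertise 64 addresses the area does not own; traffic for those addresses would be drawn to the ABR and dropped there, so the overclaim count is the figure to look at before summarizing.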


OSPF Network Types

[Diagram: OSPF network types: NBMA (ATM, Frame Relay), Broadcast Multi-access, Point-to-Point, Point-to-Multipoint.]

There are four network types defined for the OSPF routing protocol.

1. Point-to-Point: Normally found on serial connections. Neighbor relationships are formed only with the other router on the point-to-point link. Both routers can independently communicate with all other OSPF routers.

2. Broadcast Multi-Access: Normally found on LAN connections. There is a potential for many neighbor relationships since several routers can be on the same segment. Through an election process, a Designated Router for the network is selected. The DR communicates with all other routers regarding the LAN network.

3. Non-Broadcast Multi-Access: Routers set up in a hub-and-spoke topology using non-broadcast media such as Frame Relay, X.25, and ATM. Special care must be taken when configuring this network. Neighbor relationships may have to be manually configured.

4. Point-to-Multipoint: Defined as a numbered point-to-point interface having more than one neighbor. This occurs when there are sub-interfaces on one end of the point-to-point network.


Types of OSPF Routers

[Diagram: Area 0 (Backbone) connected through ABRs to Area 1 and Area 2, each containing Internal routers; an ASBR in the backbone connects to an External AS.]

OSPF routers can be categorized as one or more of the following types:

Backbone Router: Has an interface to the backbone (area 0).

Area Border Router (ABR): Attaches to multiple areas, maintains separate topological databases for each area to which it is connected, and routes traffic destined for or arriving from other areas.

Internal Router: Has all directly connected networks belonging to the same area. It runs a single copy of the routing algorithm.

Autonomous System Boundary Router (ASBR): Exchanges routing information with routers belonging to other autonomous systems.


OSPF Fundamentals

When OSPF is enabled, an OSPF router makes two fundamental decisions about how it will communicate with other OSPF network routers:

1. Which interfaces will begin transmitting hello packets to discover neighbors? (Who do I talk to?)

2. How does it identify itself to those prospective neighbors? (Who am I?)


Which Interfaces To Use

RouterX (config)# router ospf 100
RouterX (config-router)#network 148.43.200.0 0.0.0.255 area 0
RouterX (config-router)#network 148.43.201.0 0.0.0.255 area 0
RouterX (config-router)#network 150.150.101.254 0.0.0.0 area 0
RouterX (config-router)#network 150.150.100.0 0.0.0.255 area 0

[Diagram: RouterX interfaces 150.150.100.1/24, int loopback0 150.150.101.254/32, 148.43.200.65/26, 148.43.200.1/26, 148.43.200.129/25 and 148.43.201.1/24; which of them will send hellos?]

The person enabling OSPF configures one or more network statements to identify the interfaces that will begin sending out hello packets. The network statements define ranges of IP addresses. If an interface’s address falls within the range, OSPF will discover the connected network, and that interface will send out hello packets.


Selecting the Router ID

[Diagram: RouterX with interfaces 150.150.100.1/24, int loopback0 150.150.101.254/32, 148.43.200.65/26, 148.43.200.1/26, 148.43.200.129/25 and 148.43.201.1/24, sending Hello! on each; the router announces “Hello everybody! I’m Router ID 150.150.101.254!”]

After interfaces are selected and connected networks are identified, OSPF decides which address to use as a “Router ID.” The Router ID will be used to identify all routing info coming from this router to the other OSPF routers. If a loopback interface has been configured, the router will select that address as the ID by default. If no loopback address has been defined, the router will use the highest numbered active physical interface address.


Router IDs

• Routing Protocols communicate with other routers using router IDs. It is the name of the routing protocol database.

• Most protocols use the highest IP address on an active interface as their router ID.

• If a loopback interface is present, routing protocols default to it for their router ID.

• A loopback interface is always active which makes the routing protocol more stable.

The Router ID is used by routing protocols in establishing neighbors, the election of designated routers, and the exchanging of database information. Its selection and use is internal to the router and requires no operator intervention. Once a loopback address is established, routing protocols default to it for their router ID. If more than one loopback address exists, then both protocols revert to their respective highest and lowest IP rule in choosing the appropriate loopback address for a router ID.
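Both startup decisions described on the preceding pages (which interfaces match the network statements, and which address becomes the Router ID) can be worked through offline. The following Python is an added example, not code from the student guide or from Cisco IOS. It uses the RouterX addresses and network statements shown on the page; the physical interface names are hypothetical, since the diagram names only loopback0. The wildcard matching treats a 1 bit as "don't care", and statements are evaluated most-specific first; the Router ID rule is the one stated above (highest loopback address if any loopback exists, otherwise the highest active physical address).

```python
import ipaddress

# Constructed from the RouterX diagram: interface name -> (address/prefix, line is up).
# Physical interface names are hypothetical; the addresses are the page's.
ROUTERX_INTERFACES = {
    "FastEthernet0/0": ("150.150.100.1/24", True),
    "Loopback0": ("150.150.101.254/32", True),
    "Serial0/0/0": ("148.43.200.65/26", True),
    "Serial0/0/1": ("148.43.200.1/26", True),
    "Serial0/1/0": ("148.43.200.129/25", True),
    "FastEthernet0/1": ("148.43.201.1/24", True),
}

# The network statements typed under 'router ospf 100' on the page: (network, wildcard, area).
NETWORK_STATEMENTS = [
    ("148.43.200.0", "0.0.0.255", 0),
    ("148.43.201.0", "0.0.0.255", 0),
    ("150.150.101.254", "0.0.0.0", 0),
    ("150.150.100.0", "0.0.0.255", 0),
]


def matches_network_statement(address: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; the interface matches when every
    bit the wildcard cares about (0) is equal in the address and the network."""
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _specificity(statement) -> int:
    """Fewer wildcard 1-bits = more specific; the most specific statement wins."""
    return bin(int(ipaddress.ip_address(statement[1]))).count("1")


def ospf_interfaces(interfaces: dict, statements: list) -> dict:
    """Interfaces that will start sending hellos, mapped to the area they land in."""
    result = {}
    for name, (addr_prefix, _up) in interfaces.items():
        addr = addr_prefix.split("/")[0]
        for network, wildcard, area in sorted(statements, key=_specificity):
            if matches_network_statement(addr, network, wildcard):
                result[name] = area
                break
    return result


def select_router_id(interfaces: dict):
    """Highest loopback address if any loopback is configured (a loopback never
    goes down), otherwise the highest address on an active physical interface."""
    is_loop = lambda n: n.lower().startswith("loopback")
    loopbacks = [a for n, (a, _up) in interfaces.items() if is_loop(n)]
    active = [a for n, (a, up) in interfaces.items() if up and not is_loop(n)]
    pool = loopbacks or active
    if not pool:
        return None
    return str(max(ipaddress.ip_interface(a).ip for a in pool))


def router_id_if_down(interfaces: dict, failed_interface: str):
    """Router ID a freshly started process would pick if one interface were down;
    with a loopback present the answer does not change, which is the stability point."""
    degraded = {n: (a, up and n != failed_interface) for n, (a, up) in interfaces.items()}
    return select_router_id(degraded)


if __name__ == "__main__":
    print(ospf_interfaces(ROUTERX_INTERFACES, NETWORK_STATEMENTS))
    print(select_router_id(ROUTERX_INTERFACES))
    no_loopback = {k: v for k, v in ROUTERX_INTERFACES.items() if k != "Loopback0"}
    print(select_router_id(no_loopback), router_id_if_down(no_loopback, "FastEthernet0/0"))
```

For RouterX every interface matches a statement and lands in area 0, and the Router ID is 150.150.101.254. Remove the loopback and the ID becomes 150.150.100.1, and would become 148.43.201.1 after a failure of that interface; that drift is what the loopback avoids.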


[Diagram: Hello Packets feed the Adjacencies Database (Lists Neighbors); LSAs feed the Topology Database (Lists All Routes); the Routing Table (Lists Best Routes) is calculated by the router using info from the Topology Database (SPF).]

OSPF Databases

OSPF creates three types of databases as shown above. The adjacencies database determines whom the router will exchange routing updates with or who its neighbor will be. It is formed during link initialization by hello packets. The topology database lists all known routes and is made up of routing updates known as Link State Advertisements (LSAs) received from neighbor OSPF routers. The LSAs are identified by the Router ID of the advertising router and by the network being advertised. The routing table lists the preferred or best routes and is formed by the Shortest Path First algorithm being applied to the topology database.
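The relationship between the three databases is easiest to see by running the Shortest Path First step on a small link-state database. The following Python is an added example, not from the student guide or from any router vendor: the topology database is a constructed graph using router IDs from the page's neighbor displays with hypothetical link costs, and the routing table is read off the SPF (Dijkstra) tree. It also shows that a link going away is handled by simply re-running SPF on the updated database.

```python
import heapq
from math import inf

# Constructed topology database: router ID -> {neighbor router ID: link cost}.
# Router IDs are those seen on the page's neighbor displays; costs are hypothetical.
TOPOLOGY = {
    "148.43.200.1": {"148.43.200.2": 10, "148.43.200.3": 64},
    "148.43.200.2": {"148.43.200.1": 10, "148.43.200.4": 10},
    "148.43.200.3": {"148.43.200.1": 64, "148.43.200.4": 10},
    "148.43.200.4": {"148.43.200.2": 10, "148.43.200.3": 10},
}


def adjacencies(topology: dict, root: str) -> list:
    """The adjacency database: routers the root has a direct link to."""
    return sorted(topology.get(root, {}))


def spf(topology: dict, root: str):
    """Dijkstra over the link-state database. Returns (cost, previous hop) per router."""
    cost = {root: 0}
    prev = {}
    heap = [(0, root)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost.get(u, inf):
            continue  # stale heap entry, a cheaper path was already found
        for v, link_cost in topology.get(u, {}).items():
            new_cost = c + link_cost
            if new_cost < cost.get(v, inf):
                cost[v] = new_cost
                prev[v] = u
                heapq.heappush(heap, (new_cost, v))
    return cost, prev


def routing_table(topology: dict, root: str) -> dict:
    """Best route per destination as (next hop, total cost), read off the SPF tree
    by walking each destination back until the hop adjacent to the root."""
    cost, prev = spf(topology, root)
    table = {}
    for dest in cost:
        if dest == root:
            continue
        hop = dest
        while prev[hop] != root:
            hop = prev[hop]
        table[dest] = (hop, cost[dest])
    return table


def without_link(topology: dict, a: str, b: str) -> dict:
    """Topology database after a link-down LSA for the a-b link (both directions)."""
    updated = {u: dict(links) for u, links in topology.items()}
    updated[a].pop(b, None)
    updated[b].pop(a, None)
    return updated


if __name__ == "__main__":
    root = "148.43.200.1"
    print("neighbors:", adjacencies(TOPOLOGY, root))
    print("routes:", routing_table(TOPOLOGY, root))
    print("after 2-4 link loss:", routing_table(without_link(TOPOLOGY, "148.43.200.2", "148.43.200.4"), root))
```

From router 1 the direct 64-cost link to router 3 loses to the three-hop path through router 2 (cost 30), so the routing table points at router 2 for every destination; once the 2-4 link is removed, SPF is re-run and routers 3 and 4 are reached over the direct link instead.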


Discovering Neighbors

Hello packet fields: Router ID; Hello/Dead Intervals*; Neighbors; Area-ID*; Router Priority; DR IP Address; BDR IP Address; Authentication Password*; Stub Area Flag*

* Entry must match on neighboring routers

[Diagram: two routers exchanging hello packets.]

Routers that share a common segment become neighbors on that segment using the Hello Protocol. Hello packets are sent periodically out of each interface using IP multicast addresses. The Hello protocol serves the primary purposes of neighbor discovery, DR and BDR election, and link integrity verification. Two routers will become neighbors if they agree on the following:

1. They must have the same area-id and be on the same subnet/mask.

2. They must both use the same type of authentication and password (if any).

3. The hello and dead intervals must be the same – hello is 10 seconds by default and dead is 4 times the hello by default (interface hello and dead intervals or timers can be manipulated under the interface configuration using the “ip ospf” command).

4. They must agree on the stub area flag – a bit in the hello packet that indicates whether the interface is a stub area.
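The four agreement rules are exactly what a router checks on each received hello before it will record a neighbor, and a mismatch in any of them is the usual reason two routers that share a cable never appear in each other's neighbor table. The following Python is an added example, not code from the student guide or from Cisco IOS: it models the starred hello fields, reports which ones disagree, and returns the state the receiver would record (nothing, INIT, or 2WAY once the sender lists the receiver as a neighbor). The hello contents are constructed from the lab's Router IDs and LAN addresses; the authentication key is compared in constant time as a matter of hygiene.

```python
from dataclasses import dataclass
import hmac
import ipaddress


@dataclass
class Hello:
    """The hello fields that matter for neighbor formation (constructed model)."""
    router_id: str
    interface: str            # sender's interface address with prefix, e.g. "148.43.200.193/28"
    area_id: int
    hello_interval: int = 10  # seconds; default from the text
    dead_interval: int = 40   # 4 x hello by default
    auth_type: int = 0        # 0 = none, 1 = simple password, 2 = cryptographic (MD5)
    auth_key: str = ""
    stub_flag: bool = False
    priority: int = 1
    neighbors: tuple = ()     # router IDs the sender has already heard from


def hello_mismatches(local: Hello, remote: Hello) -> list:
    """Every field marked * on the page must agree, plus the subnet/mask."""
    problems = []
    if local.area_id != remote.area_id:
        problems.append("area-id")
    if ipaddress.ip_interface(local.interface).network != ipaddress.ip_interface(remote.interface).network:
        problems.append("subnet/mask")
    if (local.hello_interval, local.dead_interval) != (remote.hello_interval, remote.dead_interval):
        problems.append("hello/dead intervals")
    same_key = hmac.compare_digest(local.auth_key.encode(), remote.auth_key.encode())
    if local.auth_type != remote.auth_type or not same_key:
        problems.append("authentication")
    if local.stub_flag != remote.stub_flag:
        problems.append("stub area flag")
    return problems


def neighbor_state(local: Hello, remote: Hello) -> str:
    """State the local router records for the sender after processing one hello."""
    if hello_mismatches(local, remote):
        return "IGNORED"   # hello dropped; no neighbor entry is created
    if local.router_id in remote.neighbors:
        return "2WAY"      # the sender has seen us too: bidirectional communication
    return "INIT"


if __name__ == "__main__":
    r1 = Hello("148.43.200.1", "148.43.200.193/28", area_id=0, auth_type=2, auth_key="lab-key")
    r2 = Hello("148.43.200.2", "148.43.200.194/28", area_id=0, auth_type=2, auth_key="lab-key")
    print(neighbor_state(r1, r2))                                # INIT
    r2_seen_us = Hello("148.43.200.2", "148.43.200.194/28", 0, auth_type=2,
                       auth_key="lab-key", neighbors=("148.43.200.1",))
    print(neighbor_state(r1, r2_seen_us))                        # 2WAY
    r3 = Hello("148.43.200.3", "148.43.200.195/28", 0, dead_interval=120, auth_type=2, auth_key="lab-key")
    print(hello_mismatches(r1, r3))                              # ['hello/dead intervals']
```

The mismatch list is the troubleshooting output: a router that never leaves INIT is one that has not yet been named in the other side's neighbor list, while a router that never appears at all has failed one of the listed checks.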


[Diagram: Router ID 148.43.200.1 (router 1) and Router ID 148.43.200.2 (router 2). Down State: router 1 sends “Hello, I am router ID 148.43.200.1”. Init State: router 2 enters 148.43.200.1 into its neighbor database and replies “Hello, I am router ID 148.43.200.2; 148.43.200.1 is my neighbor”. Two-Way State: router 1 enters 148.43.200.2 into its neighbor database. *OSPF must be enabled on the interface using the network command to start the neighboring process.]

Establishing Adjacencies (1)

Router 1 is enabled on the network and is in a down state because it has not exchanged information with any other router. It begins sending hello packets on interfaces running OSPF even though it does not know the identity of any other routers. The packets are sent via multicast using address 224.0.0.5. All directly connected routers receive hello packets from router 1 and add it to their list of neighbors. This is called the init (initial) state. The routers then send a unicast reply hello packet to router 1 with their corresponding information. The neighbor field in the hello packet lists all other neighboring routers. When router 1 receives the hello packets, it adds all the routers that had its router ID in their hello packet to its own database. This state is referred to as the two-way state. At this point, all routers that have each other in their adjacencies database have established bidirectional communications.


[Diagram: Router ID 148.43.200.1 (router 1) and Router ID 148.43.200.2 (router 2). Exstart State: router 1 says “I will start exchange because I have router ID 148.43.200.1”; router 2 replies “No, I will start exchange because I have a higher router ID (148.43.200.2)”. Exchange State: each router sends the other a summary of its link-state database.]

Establishing Adjacencies (2)

After the routers have formed an adjacency, the routers are considered to be in an exstart state. In this state, a master-slave relationship is formed between each set of neighbors. The router with the highest router ID acts as the master during the exchange process. The master and slave routers then enter the exchange state and send each other a summary of the information within their link state database. The routers use this summarized information to determine which complete route entries they require from their neighbors. The router uses the sequence number to determine if the neighbor has newer information.


[Diagram: Router ID 148.43.200.1 (router 1) and Router ID 148.43.200.2 (router 2). Each acknowledges receipt of the database summary. Loading State: request complete information for summary entries not in own database; respond with requested information; acknowledge receipt of requested information. Full State.]

Establishing Adjacencies (3)

The neighbors then acknowledge receipt of the summarized database information. Once the router determines what information it requires, it requests that information from its neighbor. The process of requesting this information is called the loading state. The neighbor then responds with the complete information requested and the receiving router acknowledges it. Once the loading process is complete and all requested information has been received between two neighbors, the neighbors’ databases are now synchronized and considered to be in the full state. At this point, the neighbors’ databases should be identical.


router#sho ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

148.43.200.4 1 FULL/ - 00:00:32 148.43.200.4 Serial0/2/1

148.43.200.6 1 FULL/ - 00:00:31 148.43.200.6 Serial0/2/0

148.43.200.3 1 FULL/ - 00:00:30 148.43.200.3 Serial0/0/1

148.43.200.1 1 FULL/ - 00:00:30 148.43.200.1 Serial0/0/0

Show IP OSPF Neighbor

The show IP OSPF neighbor command contains the following information:

• Neighbor ID: router ID.
• Priority: used in the election of a DR (1 is default), normally manipulated on Broadcast Multi-Access networks.
• State:
  Init – first hello sent
  2way – neighbor discovered but adjacency not built
  Full – adjacency built, databases exchanged
  Drother – not a DR or BDR, unique to broadcast multi-access.
  DR – designated router.
  BDR – backup designated router.
• Dead Time – dead-interval timer (defaults to 40 sec), amount of time left before neighbor is declared dead.
• Address – lists the link IP identifier or neighbor's interface IP.
• Interface – the router interface connected to the neighbor.


Broadcast Multi-Access DR & BDR

• Router with highest OSPF priority elected.
• router(config-if)# ip ospf priority number-value
• All routers communicate only with the DR/BDR.
• multicast address 224.0.0.5 = to all OSPF routers
• multicast address 224.0.0.6 = to DR and BDR

[Diagram: five routers on one segment with priorities P=3, P=2, P=1, P=1 and P=0; the DR and BDR are marked and listen on 224.0.0.6; Hello packets go to 224.0.0.5.]

On a multi-access segment, two routers are elected the designated router (DR) and the backup designated router (BDR). These routers act as the central point of contact for all information exchange on the network. The BDR maintains the same information as the DR and replaces it in the event it fails. Instead of each router on the network exchanging LSAs with every other router, they simply exchange them with the DR/BDR. This significantly reduces the amount of router-related traffic on the segment.

Election of the routers is done using the hello protocol. The router with the highest OSPF priority (or Router ID) on a segment will become the DR and the process is then repeated for the BDR. OSPF priority must be set on an interface with a number from 0 to 255. The router with the highest priority is elected the DR. The priority defaults to 1 and in case of a tie, the highest router ID is used. A value of 0 indicates an interface that cannot be elected DR/BDR.

When the network is first established, the first router with an interface active on the segment begins in a WAITING state, and will stay in that state for the dead interval, 40 seconds by default, waiting for a hello packet from another router. If no hellos are received by the end of the waiting period, it will declare itself the DR. If a second router has become active on the network before the dead interval expires, the process of neighbor establishment will begin at the end of the dead interval waiting time. DR and BDR will be elected by priority or router ID. Once the DR and BDR have been elected, any router added to the network will recognize them as such, will not attempt to preempt them as DR or BDR, and will only establish 'full state' adjacencies with those two DR and BDR routers.
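The election rules just described (priority first, router ID on a tie, priority 0 never eligible, no preemption once a DR and BDR exist, and the BDR taking over when the DR fails) are small enough to implement and check against the neighbor table on the next page. The following Python is an added example, not code from the student guide or from Cisco IOS. The segment is constructed from the priorities and router IDs in that table; since the table is taken from the DR itself, which does not appear in it, a hypothetical router 148.43.200.7 with priority 5 stands in for the DR.

```python
import ipaddress

# Constructed segment: router ID -> OSPF interface priority, from the page's
# Drother table; 148.43.200.7 (priority 5) is a hypothetical stand-in for the DR.
SEGMENT = {
    "148.43.200.1": 4,
    "148.43.200.2": 3,
    "148.43.200.3": 2,
    "148.43.200.4": 1,
    "148.43.200.5": 1,
    "148.43.200.6": 0,   # priority 0: can never be DR or BDR
    "148.43.200.7": 5,
    "148.43.200.8": 1,
}


def election_rank(routers: dict) -> list:
    """Eligible routers ordered best-first: highest priority, then highest router ID."""
    eligible = [r for r, p in routers.items() if p > 0]
    return sorted(eligible, key=lambda r: (routers[r], int(ipaddress.ip_address(r))), reverse=True)


def elect_dr_bdr(routers: dict, current_dr=None, current_bdr=None):
    """Election as described in the text. A working DR/BDR is never preempted;
    if the DR has gone, the BDR takes over; otherwise the best-ranked eligible
    router becomes DR and the next becomes BDR."""
    ranked = election_rank(routers)
    if not ranked:
        return None, None
    if current_dr in ranked:
        dr = current_dr
    elif current_bdr in ranked:
        dr = current_bdr                 # DR failed: the BDR replaces it
    else:
        dr = ranked[0]
    if current_bdr in ranked and current_bdr != dr:
        bdr = current_bdr
    else:
        bdr = next((r for r in ranked if r != dr), None)
    return dr, bdr


def neighbor_roles(routers: dict, dr, bdr) -> dict:
    """Label each router as the State column of 'show ip ospf neighbor' would."""
    return {r: ("DR" if r == dr else "BDR" if r == bdr else "DROTHER") for r in routers}


if __name__ == "__main__":
    dr, bdr = elect_dr_bdr(SEGMENT)
    print("fresh election:", dr, bdr)                       # .7 and .1
    joined = dict(SEGMENT, **{"148.43.200.9": 10})          # higher priority arrives later
    print("no preemption:", elect_dr_bdr(joined, dr, bdr))  # still .7 and .1
    survivors = {r: p for r, p in SEGMENT.items() if r != dr}
    print("DR failed:", elect_dr_bdr(survivors, dr, bdr))   # .1 promoted, .2 new BDR
    print(neighbor_roles(SEGMENT, dr, bdr))
```

The fresh election reproduces the page's table: the stand-in DR wins on priority, 148.43.200.1 with priority 4 is the BDR, and every other router, including the priority-0 router 148.43.200.6, is a DROTHER. A router joining later with priority 10 changes nothing, which is why a deliberately high priority only takes effect when the segment is re-elected.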


router#sho ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

148.43.200.1 4 FULL/BDR 00:00:35 148.43.200.193 FastEthernet0/0

148.43.200.2 3 FULL/DROTHER 00:00:35 148.43.200.194 FastEthernet0/0

148.43.200.3 2 FULL/DROTHER 00:00:35 148.43.200.195 FastEthernet0/0

148.43.200.4 1 FULL/DROTHER 00:00:36 148.43.200.198 FastEthernet0/0

148.43.200.5 1 FULL/DROTHER 00:00:33 148.43.200.197 FastEthernet0/0

148.43.200.6 0 FULL/DROTHER 00:00:38 148.43.200.196 FastEthernet0/0

148.43.200.8 1 FULL/DROTHER 00:00:34 148.43.200.200 FastEthernet0/0

Show IP OSPF Neighbor - DR

The information contained is the same as the previous show neighbor display except that this is done from the designated router on a broadcast multi-access network. The show IP OSPF neighbor command contains the following information:
• Neighbor ID: router ID
• Priority: used in the election of a DR (1 is default), normally manipulated on Broadcast Multi-Access networks.
• State:
  Init – first hello sent
  2way – neighbor discovered but adjacency not built
  Full – adjacency built, databases exchanged
• Drother – not a DR or BDR, unique to broadcast multi-access.
• DR – designated router.
• BDR – backup designated router.
• Dead Time – dead-interval timer (defaults to 40 sec), amount of time left before neighbor is declared dead.
• Address – lists the link IP identifier or neighbor's interface IP.
• Interface – the router interface connected to the neighbor.


Show IP OSPF Neighbor - Drother

router#sho ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

148.43.200.1 4 FULL/BDR 00:00:37 148.43.200.193 FastEthernet0/0

148.43.200.2 3 2WAY/DROTHER 00:00:35 148.43.200.194 FastEthernet0/0

148.43.200.3 2 2WAY/DROTHER 00:00:37 148.43.200.195 FastEthernet0/0

148.43.200.4 1 2WAY/DROTHER 00:00:38 148.43.200.198 FastEthernet0/0

148.43.200.5 1 2WAY/DROTHER 00:00:35 148.43.200.197 FastEthernet0/0

148.43.200.6 0 2WAY/DROTHER 00:00:30 148.43.200.196 FastEthernet0/0

148.43.200.7 5 FULL/DR 00:00:35 148.43.200.199 FastEthernet0/0

The information contained is the same as the previous show neighbor display except that this is done from a drother router on a broadcast multi-access network. Notice that a "full" state has only been established with the DR and BDR, showing that an exchange of topology database information has only occurred with them. The show IP OSPF neighbor command contains the following information:
• Neighbor ID: router ID.
• Priority: used in the election of a DR (1 is default), normally manipulated on Broadcast Multi-Access networks.
• State:
  Init – first hello sent
  2way – neighbor discovered but adjacency not built
  Full – adjacency built, databases exchanged
• Drother – not a DR or BDR, unique to broadcast multi-access.
• DR – designated router.
• BDR – backup designated router.
• Dead Time – dead-interval timer (defaults to 40 sec), amount of time left before neighbor is declared dead.
• Address – lists the link IP identifier or neighbor's interface IP.
• Interface – the router interface connected to the neighbor.


The Link-State Database

• Each router within an area has the exact same database (convergence)
• Database contains information to construct the entire network topology

Each router maintains link-state records including information about each of its interfaces and reachable neighbors. Through flooding, each router distributes its state to all other routers in the area/autonomous system. As a result, each router possesses an identical database describing the area/autonomous system. All routers run the SPF algorithm in parallel. Using the link state database, each router then constructs a tree of the shortest paths with itself as the root. Each destination within the AS is contained within the SPF tree.


OSPF Routing Table

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 148.43.200.30 to network 0.0.0.0

     148.43.0.0/16 is variably subnetted, 20 subnets, 3 masks
O       148.43.200.144/28 [110/196] via 148.43.200.186, 00:03:07, Serial0/0/1
C       148.43.200.128/28 is directly connected, FastEthernet0/0
O       148.43.200.80/28 [110/586] via 148.43.200.30, 00:03:07, Serial0/0/0
C       148.43.200.28/30 is directly connected, Serial0/0/0
O       148.43.200.188/30 [110/390] via 148.43.200.186, 00:03:07, Serial0/0/1
C       148.43.200.184/30 is directly connected, Serial0/0/1
O       148.43.200.6/32 [110/391] via 148.43.200.30, 00:03:08, Serial0/0/0
                        [110/391] via 148.43.200.194, 00:03:08, Serial0/0/1
O       148.43.200.5/32 [110/196] via 148.43.200.194, 00:03:08, Serial0/0/1
O       148.43.200.3/32 [110/391] via 148.43.200.30, 00:03:08, Serial0/0/0
O       148.43.200.160/28 [110/391] via 148.43.200.30, 00:03:08, Serial0/0/0
                          [110/391] via 148.43.200.194, 00:03:08, Serial0/0/1
S*   0.0.0.0/0 [1/0] via 148.43.200.30

The routing table lists the preferred or best routes to a destination network. The two main criteria used to determine these routes are administrative distance and metrics. Administrative distance is the first factor used to determine which routes are placed into the table. If routes have the same distance, the cost or metrics is then used. The two major parts to the routing table are the destination network entries and the interface the router must use as an exit point to reach that network.


Distance & Metrics (Cost)

O 148.43.200.188/30 [110/390]   (Routing Table Entry)
    110 = Distance (administrative distance)
    390 = Metric (cost)


Administrative Distance Defaults

Connected Interface 0

Static Route 1

RIP 120

IGRP 100

EIGRP 90

OSPF 110

BGP 20

The above listed values are the default administrative distances on a Cisco router. Administrative distance can be manually configured on the router to give certain routing protocols preference over others. Under the desired routing protocol configuration, use the distance command. Administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Distance is an integer from 0 to 255 and in general, the higher the value, the lower the trust rating. A distance of 255 means the routing information source cannot be trusted at all and should be ignored. Specifying distance values enables the router to discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest distance.


OSPF Metrics

• Metric is used to determine the best path when multiple routes to a destination are received from the same source (equal distance).

• OSPF uses the bandwidth (BW) value assigned to a router interface to calculate the metric value (cost) associated with that interface. That is the only function of the bandwidth statement [example: router1(config-if)#bandwidth 512]. It gives the routing protocol a figure to use in cost calculation, and therefore can be used to manipulate OSPF’s choice of best path.

[Figure: Source to Destination across links of 256 kbs, 768 kbs, T1, 10 mbs, 256 kbs and 512 kbs; each link's bandwidth feeds the cost calculation.]

The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost. The default formula used to calculate the cost is cost = 10^8 / bandwidth in bps. If no bandwidth statement is used, serial interfaces default to 1.544 mbs (T1) and Ethernet defaults to 10 mbs. The bandwidth statement has no actual effect on data transfer rate. It is simply used by the routing protocol to calculate the cost of the link. The cost of an interface can be set manually, which will override the bandwidth statement. Under the interface, use the command ip ospf cost. Manipulating the cost of links can make them more or less preferential for use by the router. It is recommended that cost be manipulated using the bandwidth statement.


Calculating OSPF Cost

[Figure: Router A to Router B. Top route: 256k, 512k, 1024k links. Bottom route: T-1, T-1, 56k links.]

56Kbs = 1786
256Kps = 391
512Kps = 195
1024Kps = 98
T1/1544Kps = 65

TOP ROUTE: 391 + 195 + 98 = 684

BOTTOM ROUTE: 65 + 65 + 1786 = 1916

Utilizing the information provided on the previous page, calculate the cost for each path from router A to router B. Cost is cumulative for point A to point B. The cost for each outgoing interface in the path must be calculated and then added together for a total path (route) cost. Which path will OSPF select? If no bandwidth statement were placed in the 56k link because the person programming the router forgot to enter it, but the actual link speed was at 56k, what would the result be?
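Working the exercise above in Python, as an added example (not the guide's own material). It applies the default formula cost = 10^8 / bandwidth in bps with the integer truncation Cisco IOS uses, so 256 kbps gives 390, matching the [110/390] entry in the routing table earlier on this page, while the slide's hand-worked figures are rounded (391, 98, 65, 1786). The second bottom path models the forgotten bandwidth statement from the question: the serial interface then reports the 1544 kbps default regardless of the real 56k circuit.

```python
"""OSPF interface cost and cumulative path cost (added example)."""
from typing import Dict, Iterable

REFERENCE_BW_BPS = 100_000_000            # 10^8, the default reference bandwidth

# Interface bandwidth IOS assumes when no 'bandwidth' statement is configured.
DEFAULT_BW_KBPS = {"serial": 1544, "ethernet": 10_000}


def ospf_cost(bandwidth_kbps: int) -> int:
    """Cost of one outgoing interface: 10^8 / bandwidth in bps, truncated.

    IOS never assigns a cost below 1, so links of 100 Mbps and faster all
    cost 1 under the default reference bandwidth.
    """
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, REFERENCE_BW_BPS // (bandwidth_kbps * 1000))


def path_cost(links_kbps: Iterable[int]) -> int:
    """Cumulative route cost: the sum of every outgoing interface on the path."""
    return sum(ospf_cost(bw) for bw in links_kbps)


def best_path(paths: Dict[str, Iterable[int]]) -> str:
    """Name of the path OSPF selects: the lowest cumulative cost."""
    return min(paths, key=lambda name: path_cost(list(paths[name])))


# Topology from the 'Calculating OSPF Cost' slide, Router A to Router B.
TOP = [256, 512, 1024]
BOTTOM_CONFIGURED = [1544, 1544, 56]
# The 56k link with its bandwidth statement forgotten: OSPF only sees the
# serial default, so the slowest link in the network looks like a T1.
BOTTOM_UNCONFIGURED = [1544, 1544, DEFAULT_BW_KBPS["serial"]]

if __name__ == "__main__":
    for name, links in (("top", TOP), ("bottom", BOTTOM_CONFIGURED),
                        ("bottom, 56k unconfigured", BOTTOM_UNCONFIGURED)):
        print(f"{name}: {[ospf_cost(bw) for bw in links]} -> {path_cost(links)}")
    print("configured:", best_path({"top": TOP, "bottom": BOTTOM_CONFIGURED}))
    print("forgotten:", best_path({"top": TOP, "bottom": BOTTOM_UNCONFIGURED}))
```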


Show IP OSPF Interface

R1#sho ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
  Internet Address 148.42.200.217/28, Area 0
  Process ID 1, Router ID 148.42.200.7, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 148.42.200.7, Interface address 148.42.200.199
  Backup Designated router (ID) 148.42.200.1, Interface address 148.42.200.193
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 148.42.200.1 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

The show IP OSPF interface command provides an inventory of all the interfaces in your router and their status with respect to OSPF. The cost assigned to each interface, along with the type of OSPF network it belongs to, can be verified here. Hello and dead interval timers are also listed. If the interface is a member of a broadcast multi-access network, as shown above, the router's state, specifying its role as DR, BDR or DROTHER can be seen. The priority set for the router's participation in the election of DR / BDR is listed right after the state.


OSPF Basic Configuration

(router ospf 1-65535) use your router station #

(network 148.43.200.0 0.0.0.255 area 0)

Use the router OSPF command to define an OSPF routing process. The process-id is an internally used identification number. A unique value is assigned for each OSPF routing process within a single router, just as each file in a computer folder must have a unique filename. The OSPF process-id does not have to match process-ids on other routers. It is possible to run multiple OSPF processes on the same router, but it is not recommended because it creates multiple databases, which adds extra overhead to the router. The network command defines which router interfaces will run OSPF. An IP range is defined in the command by entering an address & wild card mask. Any router interface IP address, which falls within this range, will then run OSPF. Once it has been determined that an interface will run OSPF, the protocol advertises the subnet assigned to that interface. The command also assigns an interface to an OSPF area. Neighboring routers’ directly connected interfaces must be configured in the same area. The network command uses a wildcard mask, which is essentially the inverse of a traditional mask. The mask in the network command can be used as a shortcut for assigning a list of interfaces to the same area with one configuration line.


router7#sho ip proto
Routing Protocol is "ospf 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 148.43.200.7
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    0.0.0.0 255.255.255.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    148.43.200.7         110      01:04:25
    148.43.200.6         110      01:04:25
    148.43.200.5         110      01:04:25
  Distance: (default is 110)

Show IP Protocol

The show IP protocol command provides information about all IP routing protocols configured. The routing protocol and process are identified along with information concerning routing filters, redistribution, and summarization. Routing network statements can be verified along with routing information sources. This is displayed using the source router IDs, the distance of the protocol, and when the last update was received.


router#sho ip ospf
 Routing Process "ospf 100" with ID 148.43.200.7
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0

Show IP OSPF

The show IP OSPF command can be used to verify your OSPF configuration and the overall configuration of the areas within the router. The router ID and process ID can be verified here. Information concerning the frequency of updates and other timers is provided. Information is provided for each individual area to which the router is connected. The use of OSPF authentication can be verified with this command.


    Area BACKBONE(0)
        Number of interfaces in this area is 6 (1 loopback)
        Area has no authentication
        SPF algorithm last executed 01:04:55.281 ago
        SPF algorithm executed 17 times
        Area ranges are
        Number of LSA 7. Checksum Sum 0x04A9BB
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Show IP OSPF (2)


Passive Interface

• Prevents routing protocol updates from being generated on the specified interface

router(config-router)# passive-interface interface

Example: router (config-router)# passive-interface f0/0

As stated before, the network command is used to define which interfaces will run OSPF. The networks in which the interfaces are participating will be the networks advertised to other routers. There may be cases where we want to advertise a network to other routers but do not necessarily want routing updates being sent from an interface. One case is an Ethernet interface with only hosts connected to it. There is no point in sending routing update traffic into a LAN where only PCs, printers, and servers are networked. The passive-interface command will keep updates from being sent from the interface even though there is a network statement relating to the address of the interface.
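The network-statement matching and passive-interface behaviour explained here and under OSPF Basic Configuration, as an added Python illustration (not code from the student guide). Interface names and the 10.1.1.1 serial address are constructed; the assumption that the most specific matching network statement wins, as IOS does, is marked in the code.

```python
"""Which interfaces run OSPF, and which of them still send hellos (added example)."""
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Tuple

NetworkStatement = Tuple[str, str, int]   # (address, wildcard mask, area)


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def matches_network(iface_ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = 'must match', 1 = 'don't care' (the inverse of a subnet mask)."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(iface_ip) & care) == (ip_int(address) & care)


def ospf_interfaces(interfaces: Dict[str, str],
                    statements: Iterable[NetworkStatement],
                    passive: Iterable[str] = ()) -> Dict[str, dict]:
    """Map each interface covered by a network statement to its area and whether
    it sends hellos/updates (False when listed under passive-interface)."""
    passive = set(passive)
    # Assumption: like IOS, the most specific statement (fewest 'don't care'
    # bits) decides the area when several statements match one interface.
    ordered = sorted(statements, key=lambda s: bin(ip_int(s[1])).count("1"))
    result: Dict[str, dict] = {}
    for name, ip in interfaces.items():
        for address, wildcard, area in ordered:
            if matches_network(ip, address, wildcard):
                result[name] = {"ip": ip, "area": area,
                                "sends_hellos": name not in passive}
                break
    return result


def chatty_user_lans(enabled: Dict[str, dict], user_lans: Iterable[str]) -> List[str]:
    """Host-only LAN interfaces that still send OSPF hellos: passive-interface candidates."""
    return sorted(n for n in user_lans if n in enabled and enabled[n]["sends_hellos"])


# Constructed example: router 7 of the lab topology on this page, plus one
# made-up serial link (10.1.1.1) that lies outside the network statement.
INTERFACES = {
    "Loopback0": "148.43.200.7",
    "FastEthernet0/0": "148.43.200.199",   # shared broadcast segment 148.43.200.192/28
    "FastEthernet0/1": "148.43.200.65",    # LAN with PCs, printers and servers only
    "Serial0/0/0": "10.1.1.1",
}
STATEMENTS = [("148.43.200.0", "0.0.0.255", 0)]
USER_LANS = ["FastEthernet0/1"]

if __name__ == "__main__":
    before = ospf_interfaces(INTERFACES, STATEMENTS)
    print("hellos into user LANs:", chatty_user_lans(before, USER_LANS))
    after = ospf_interfaces(INTERFACES, STATEMENTS, passive=USER_LANS)
    print("after passive-interface:", chatty_user_lans(after, USER_LANS))
```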


OSPF Broadcast Multi-Access

[Figure: lab topology. Routers 1 through 8 connect via f0/0 to the shared segment 148.43.200.192/28 (addresses .193 through .200). Each router has a loopback address 148.43.200.N/32 (N = 1 to 8) and an f0/1 interface with a /27 address: 148.43.200.17, .25, .33, .41, .49, .57, .65 and .73.]

1. Router Configuration:
• Hostname and Passwords
• Configure Loopback interface
• Configure Fast Ethernet interfaces
• Configure OSPF
• Confirm configuration using 'show' commands

Confirm network connectivity.


Layer 2 Switching and VLANs


What is Ethernet Switching ?

[Figure: evolution of LAN access. RG-58 coax with terminators; CAT-5 cable and a hub; a bridge separating collision domains; switching.]

Ethernet switching evolved from a need to provide high-speed access and geographical separation on local area networks. Initial networks provided access through RG-58 cable, T connectors and terminators. Disadvantages of this type of network were quickly realized; for example, if a break or disconnect occurred anywhere along the cable segment, the entire network would be disabled. The next major evolution of Local Area Network access involved the introduction of hubs and Category 5 cable. The hub provided a central point for connection of all user devices. The hub, however, worked only at layer 1 and simply passed all information received on one port out all others. Congestion of Local Area Networks drove the development of bridges, which allowed the isolation of traffic between segments of the LAN. This was accomplished by allowing the bridge to examine the frame (layer 2) header and to determine the source (MAC address) of the traffic. The bridge could then build a table that would show the topology, and traffic could be filtered to allow it to flow only to needed segments. This is termed separating “collision domains”. Bridges initially were nothing more than a computer with two LAN cards installed and specialized software that allowed the table to be built and queried to control the traffic between segments of the network. This was often slow and costly to implement. As technology evolved and the cost came down, the mechanism of bridging was placed directly on each port of the bridge. This was accomplished utilizing ASICs (application specific integrated circuits) and allowed a bridge to have many ports, each of which has the capability to separate collision domains. This new implementation is what is now termed “switching”.


What is Switching ?

1. Hubs operate at Layer 1.

2. Layer 2 LAN Switches and Bridges operate at Layer 2 of the OSI reference model.

3. Switches and Bridges must have more intelligence in order to examine the Layer 2 Frame.

4. The Source and Destination MAC addresses are examined.

5. A Table can be built from the Source addresses that enables the Switch or Bridge to “decide” which ports the traffic needs sent out.

6. From this point a frame can be “switched” from one port to another.

Hubs operate at Layer 1, meaning they do not examine any headers. They simply regenerate the electrical signals received out all other ports. Layer 2 LAN Switches and Bridges operate at Layer 2 of the OSI reference model, meaning the frame received is actually examined for information so the frame can be sent to the appropriate location. Switches and Bridges must have more intelligence in order to examine the Layer 2 Frame. This implies processing power and storage capabilities. The Source and Destination MAC addresses are examined, as well as some optional trunking and VLAN information. A Table is built from the Source addresses that enables the Switch or Bridge to “decide” which ports the traffic must be sent out.


Switch Use in Topology

[Figure: a hub as a multi-access point for users; two switches connected by a crossover cable.]

A switch or Bridge learns of the MAC addresses attached to each port by listening to the traffic and examining the source MAC address of the incoming frame. The MAC address to Port mappings are stored in a MAC database. The database is commonly referred to as the (MAC table) or the Content-addressable memory (CAM table). When a frame is received by the Switch or Bridge, the MAC table is consulted to determine the port that can reach the station identified in the destination portion of the frame. If the destination MAC is found in the MAC table the frame is transmitted on only the port listed. If the destination MAC is not found the frame is transmitted on all outgoing ports except on the one from which it was received.
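The learning, forwarding and flooding behaviour described above, as an added Python illustration (not code from the student guide). Frames and port names are constructed; the optional per-port MAC limit goes beyond this passage and models the switchport port-security maximum / violation shutdown commands covered later in this chapter.

```python
"""Learning bridge: CAM table of MAC -> port, flood when unknown (added example)."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

BROADCAST = "ffff.ffff.ffff"


class Switch:
    def __init__(self, ports: Iterable[str],
                 port_security_max: Optional[Dict[str, int]] = None):
        self.ports = list(ports)
        self.cam: Dict[str, str] = {}                 # MAC address -> port learned on
        self.limit = dict(port_security_max or {})    # port -> max MACs allowed
        self.err_disabled: Set[str] = set()           # ports shut down by a violation
        self.violations: List[Tuple[str, str]] = []   # (port, offending MAC)

    def _learn(self, src: str, in_port: str) -> bool:
        """Record src on in_port; enforce the port's MAC limit if one is set."""
        on_port = {m for m, p in self.cam.items() if p == in_port}
        limit = self.limit.get(in_port)
        if limit is not None and src not in on_port and len(on_port) >= limit:
            # Too many distinct source MACs on a secured port: record the
            # violation and take the port down ('violation shutdown').
            self.violations.append((in_port, src))
            self.err_disabled.add(in_port)
            return False
        self.cam[src] = in_port
        return True

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Return the ports the frame is forwarded out of."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            return []
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            # Unknown destination (or broadcast): flood to every port except
            # the one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            return []          # source and destination share a segment: filter
        return [out]           # known destination: forward on that port only


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    # Constructed frames: a first frame to an unknown station is flooded,
    # the reply is forwarded on one port once both MACs have been learned.
    print(sw.receive("Fa0/1", "0008.aaaa.bbbb", "0008.cccc.dddd"))
    print(sw.receive("Fa0/2", "0008.cccc.dddd", "0008.aaaa.bbbb"))
    print(sw.cam)
```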


Modes of Switching

Cut Through – The Switch checks the frame header for the destination MAC and immediately begins forwarding the frame. Fastest, but no error checking.

Store & Forward – The entire frame is read into memory and the FCS is checked as well as the destination MAC before the frame is forwarded. Slow, has error checking.

Fragment Free – Only the first 64 bytes are read to determine the destination MAC; the switch then immediately begins forwarding the frame. Collisions occur within the time required to read 64 bytes. Fast, with error checking.

Cut Through

In the cut through mode, the switch or bridge checks the destination address as soon as the header is received and immediately begins forwarding the frame. There is a significant decrease in latency compared with the store and forward mode. The delay in cut through switching remains constant regardless of frame size because this switching mode starts to forward the frame as soon as the switch or bridge reads the destination addresses. In some switches and bridges, only the destination addresses are read. Some switches and bridges continue to read the FCS and keep a count of errors. Although the switch or bridge will not stop an error frame, if the error rate is too high, the switch or bridge can be set, either manually or automatically, to use the store and forward mode instead. This is often known as “adaptive cut through”. It combines the low latency advantage of cut through and the error protection offered by store and forward.

Store and Forward

In the store and forward mode, the switch or bridge receives the complete frame, and then forwards it. The destination and source addresses are read, the Frame Check Sequence is performed, the relevant filters are applied, and the frame is forwarded. If the FCS is bad, the frame is discarded. Latency through the switch or bridge varies with frame length.


Fragment Free

In the Fragment Free mode, the switch or bridge will read the first 64 bytes, which is the minimum Ethernet frame size, before forwarding the frame. Usually, collisions happen within the first 64 bytes of a frame. When a collision occurs, a fragment (a frame less than 64 bytes) is created. By reading 64 bytes, the switch or bridge can filter out collisions. The fragment free mode has higher latency than the cut through mode. Fragment free can detect fragment frames and discard them rather than forwarding them, in contrast to cut through, which will forward fragmented frames if the destination address exists. Switching mode can be verified by using the “show port system” command.


Portfast

Portfast is applied on fast-Ethernet ports on a switch or switch module.

Portfast is used on ports that have end users or devices.

This forces the port into the Forwarding state.

If you connect a workstation or a server with a single NIC card or an IP phone to a switch port the connection cannot create a physical loop. These connections are considered leaf nodes. There is no reason to make the workstation wait 30 seconds while the switch checks for loops if the workstation cannot cause a loop. Cisco added the PortFast or fast-start feature. Portfast is applied to the interface with the following command: Router (config-if) # spanning-tree portfast


Default Switch Configuration

When shipped, the Switch default configuration includes the following:

IP Address: 0.0.0.0
CDP: Enabled
100BaseT port: Auto negotiate duplex mode
Spanning Tree: Enabled
Console password: None
All Ports: Member of Vlan 1 (discussed later)

When the switch is shipped, it is ready to be used; however, some items, which will be unique to your network, can only be set to a default value. Above you will see the most common settings that you may be tasked to customize to meet the needs of your network.


Common Configuration Changes

• Hostname

• Passwords

• IP Address

• Default Gateway

• VLAN assignments

• Port duplex and speed

• Saving and Clearing Configurations

The above figure lists the most common configuration requirements for layer 2 switching. Each of the topics will be discussed in the following pages.


Available Prompts

Command Mode / Access Method / Prompt / Exit Method

User EXEC: access by logging in; prompt Switch>; exit with logout.

Privileged Exec (enable): from User Exec, type enable; prompt Switch#; exit with disable.

Global Configuration (config t): from Privileged Exec, type configure terminal; prompt Switch(config)#; exit with exit, end, or CTRL Z.

ROM Monitor: hold the mode key while applying power to the switch; prompt Switch:; exit with boot.

Setup Mode: from privileged EXEC mode, type setup, or entered automatically if no config is found in NVRAM during initialization; consists of a set of questions with no prompt of its own; enters user EXEC after setup is complete.

The Cisco IOS user interface provides access to several different command modes. Each command mode provides a group of related commands that allow you to configure or monitor your switch. Entering a question mark (?) at the system prompt allows you to obtain a list of commands available for each command mode. User EXEC mode - After you log in to the switch, you are automatically in user EXEC command mode. In general, the user EXEC mode contains nondestructive commands that allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information. User EXEC mode is indicated by the device host name followed by the angle bracket (>). Privileged EXEC mode - The privileged EXEC mode commands set operating parameters. The privileged commands include those commands contained in user EXEC mode, as well as the configure command through which you can access the remaining command modes. Privileged EXEC mode also includes high-level testing commands, such as debug. To enter privileged EXEC mode, enter enable at the user EXEC prompt. The privileged EXEC mode prompt consists of the device host name followed by the pound sign (#). From the privileged level, you can access a number of specific configuration modes:


ROM monitor mode - A command-line interface (CLI) that allows you to configure your switch. ROM monitor mode occurs if your switch does not find a valid system image, or if you interrupt the boot sequence during startup. Setup mode - This mode is an interactive prompted dialog at the console that helps the new user create a first-time basic configuration. You can also enter setup mode by entering setup at the privileged EXEC prompt. Setup mode consists of a series of questions and does not exhibit a defining prompt of its own.


Setting Hostname

switch>en

switch#config t

switch (config)#hostname example

example (config)#ctl Z

example#

Setting Password

switch>en

switch#config t

switch (config)#enable secret abc123

switch (config)#line vty 0 15

switch (config-line)#password abc123

switch (config-line)#login

switch (config-line)#line con 0

switch (config-line)#password abc123

switch (config-line)#login

switch (config-line)#ctl z

switch#


Setting the IP Address

switch#config t

switch(config)#int vlan 1

switch(config-if)#ip address 148.43.200.75 255.255.255.240

switch(config-if)#no shutdown

switch(config-if)#ctl z

It is only necessary to configure an IP address for the switch if it is going to be a manageable entity on the network. Realize it will also be necessary to configure a default-gateway. The switch will look like a standard user of the subnet.

What 3 pieces of information are required for a PC? Clue: TCP/IP properties

Setting the Default Gateway

switch>en
switch#config t
switch (config)#ip default-gateway 148.43.200.1
switch (config)#ctl Z
switch#

The default gateway is utilized whenever it is determined that the address you are attempting to contact is not local to the subnet or vlan to which you are connected.


Configuring the Ports

switch>en
switch#config t
switch (config)#int fa 0/1
switch (config-if)#speed 10
switch (config-if)#duplex half
switch (config-if)#switchport mode access
switch (config-if)#switchport port-security
switch (config-if)#switchport port-security maximum 1
switch (config-if)#switchport port-security mac-address 0008.aaaa.bbbb
switch (config-if)#switchport port-security violation shutdown

Switch>en - puts the switch in the enable mode
Switch#config t - puts the switch in the global configuration mode
Switch (config)#int fa 0/1 - specifies interface Fast Ethernet 0/1 for configuration
Switch (config-if)#duplex half - sets the interface duplex to half
Switch (config-if)#speed 10 - sets the interface speed to 10 Mbps

When a port is active on a switch, any user can plug into the port and access the network. Because many networks use DHCP (Dynamic Host Configuration Protocol) to assign user addresses, it would be very easy for someone with physical access to a network port to plug in his own device and become a user on the network.

Switch (config-if)#switchport port-security - turns on port security
Switch (config-if)#switchport port-security maximum value - After turning on port security, you need to determine how many different devices will be accessing the port. The value option specifies the number of secure addresses allowed on the port. The default is 1.
Switch (config-if)#switchport port-security mac-address 0008.aaaa.bbbb - By default, the switch learns the MAC addresses of the devices that are plugged into the port. If you want to control which devices can access the switch, use this command to specify which MAC addresses are secured on the port.


Switch (config-if)#switchport port-security violation {protect | restrict | shutdown}

When a violation occurs, the switch generally protects the port by dropping the traffic associated with the unauthorized MAC address. This means that the switch does not allow those frames through the device; if a frame comes from a device that is configured as secure, the switch will allow it through. This is the meaning of “protect” and is the default. Another option that you can configure is for the interface to move to a “shutdown” state. If this is configured, the port remains in the administratively down state until an administrator re-enables the port with the no shutdown command. A third option is “restrict”. If this is selected, an SNMP trap will be generated.


Saving & Deleting Configurations (1)

switch>en
switch#copy run start

This copies the running configuration to the startup-config file, which resides in NVRAM.

switch>en
switch#copy start run

This copies the startup-config file from NVRAM into RAM. This will merge what is presently in your running configuration with what is copied in from the startup-config file.

switch>en
switch#copy run tftp://address/filename
Address or name of remote host [148.43.200.7]?
Destination filename [switch1.bin]?

This copies the running-config file from RAM to a tftp (trivial file transfer protocol) server. If you do not specify a filename and address, the system prompts for this information.


Saving & Deleting Configurations (2)

switch>en
switch#erase start

This erases the startup-config file from NVRAM. At this point it is commonly followed by a reload, which will cause the switch to boot with a default configuration.

switch>en
switch#delete flash:vlan.dat

This deletes the vlan database. The file is recreated as soon as a new vlan is created.

Utilizing both of the above commands, then performing a reload on the switch allows it to be restored to factory values.


VLAN Concept (1)

[Figure: router interface Fast Ethernet 0/1 (.1) on network 148.43.200.0 255.255.255.240, connected to SW - A; hosts .2 through .10 are attached to the switch ports.]

Interface fa 0/1 is configured with a /28 mask (16 addresses).

SW – A utilizes the default configuration, meaning all of its ports are assigned to VLAN-1.

IP address utilization is as listed in the figure.

If SW – A is a 24 port switch, only 12 ports can be utilized; the remaining ports cannot support users requiring an IP.

VLAN = Subnet

A VLAN is a group of ports on switches that provides service to end stations with a common set of requirements, independent of their physical location. A VLAN has the same attributes as a physical LAN, but allows you to group end stations even if they are not physically located on the same LAN segment. VLANs allow you to group ports on a switch to limit unicast, multicast, and broadcast traffic flooding. Flooded traffic that originates from a particular VLAN floods only to ports belonging to that VLAN. VLANs are created on Layer 2 switches to control broadcast and collision domains, as well as to enforce the use of a Layer 3 device (router) for communications off the VLAN. Each VLAN is created in the local switch's database for use. If a VLAN is not known to a switch, that switch cannot transfer traffic across any of its ports for that VLAN. VLANs are created by number, and there are two ranges of usable VLAN numbers (normal 1 – 1000 and extended range 1025 – 4096). When a VLAN is created, you can also give it certain attributes such as a VLAN name, VLAN type, and its operational state.


VLAN Concept (2)

[Figure: switches SW - A, SW - B and SW - C, each connected to its own Ethernet port on the router, serving Subnet A, Subnet B and Subnet C. Example of switching utilizing individual Ethernet ports on the router.]

Above is one example of a VLAN. All ports on each switch have been assigned to a common VLAN; that VLAN is synonymous with Subnet A from the router’s perspective.


VLAN Concept (3)

[Figure: one physical Ethernet interface on the router serving SW - 1, SW - 2 and SW - 3. Example of switching utilizing subinterfaces on the router.]

A router’s Ethernet port can be configured to support separate VLANs on the same physical interface. This is accomplished with the use of “trunking” and will be discussed in detail.


VLAN Concept (4)

[Figure: one physical Ethernet interface on the router serving SW - 1, SW - 2 and SW - 3, with users for all VLANs dispersed throughout the switching topology. Example of switching utilizing subinterfaces on the router.]

When utilized in this fashion a Layer 2 topology can provide flexibility to match user requirements. By changing port assignments a VLAN member can be moved throughout the physical topology and retain all of its logical assignments.


VLAN Trunking

[Figure: SW - 1 and SW - 2 connected by a trunk link.]

• ISL - Cisco proprietary (encapsulation)
• 802.1Q - open standard (modified header)

When using VLANs in networks that have multiple interconnected switches, you need to use VLAN trunking between the switches. With VLAN trunking, the switches tag each frame sent between switches so that the receiving switch knows to which VLAN the frame belongs. With trunking, you can support multiple VLANs that have members on more than one switch.


802.1Q

[Figure: 802.1Q tagged frame layout: Dest | Src | tag (EtherType 0x8100, PRI, X (Token Ring flag), VLAN-ID) | Len/Etype | Data | FCS. The original FCS is replaced with a new FCS.]

The IEEE standardizes many of the protocols relating to LANs today, and VLAN trunking is no exception. After Cisco created ISL, the IEEE completed work on the 802.1Q standard, which defines a different way to do trunking. 802.1Q uses a different style of header than ISL does to tag frames with a VLAN number. In fact, 802.1Q does not actually encapsulate the original frame. Rather, it adds an extra 4-byte header to the original Ethernet header. That additional header includes a field with which to identify the VLAN number. Because the original header has been changed, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer, because the FCS is based on the contents of the entire frame.
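As an added illustration (not part of the student guide), the tag insertion and FCS recalculation described above, carried out in Python; the sample frame, its MAC addresses and its payload are constructed for the example.

```python
"""Build and parse an IEEE 802.1Q tagged Ethernet frame.

Added example (not from the student guide): the 4-byte tag (TPID 0x8100,
PRI, CFI, VLAN ID) is inserted after the source MAC and the FCS is
recomputed over the modified frame. The sample frame is constructed.
"""
import struct
import zlib

TPID_8021Q = 0x8100


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: IEEE 802.3 CRC-32, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst(6) src(6) type(2) payload fcs(4); payload padded to 46 bytes."""
    payload = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def add_8021q_tag(frame: bytes, vlan_id: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the tag after the source MAC (offset 12) and replace the FCS.

    TCI layout: 3-bit priority (PCP), 1-bit CFI, 12-bit VLAN ID.
    """
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 0-4095 and priority 0-7")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    body = frame[:12] + tag + frame[12:-4]  # old FCS dropped, recomputed below
    return body + ethernet_fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Return header fields (vlan_id is None when untagged); verifies the FCS."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("bad FCS")
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(),
            "vlan_id": None, "priority": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:          # tagged: read TCI, real type follows
        tci = struct.unpack("!H", frame[14:16])[0]
        info["priority"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:-4]
    return info


# Constructed sample: IPv4-typed frame from the guide's example MAC 0008.aaaa.bbbb.
SAMPLE = build_untagged(bytes.fromhex("001122334455"),
                        bytes.fromhex("0008aaaabbbb"), 0x0800, b"hello VLAN")
TAGGED = add_8021q_tag(SAMPLE, vlan_id=100, priority=5)

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    print(parse_frame(TAGGED))
```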


Cisco Interface Numbering Scheme

[Figure: Cisco 2811 front panel. Port LED legend: A = ACT, S = SPEED, F = FDX, L = LINK. Onboard Fast Ethernet ports FE 0/0 and FE 0/1; network module slots 0 to 3 (NME, NM-16ESW with Fast Ethernet ports 0 to 15); WIC/VIC bays (FXS, FXO); PVDM and AIM positions.]

Interface naming examples from the figure:

• s0/2/1 = bay 0, slot 2, port 1
• f1/8 = bay 1, port 8 (*In this case, the ports exist on a card that consumes the ENTIRE “bay”, so there is no need for a “slot” designator.)
• f0/1 = bay 0, port 1 (*In this case, the ports don’t exist on a card in a slot (they are built straight into the “bay”), so there is no “slot” designator.)

In a Cisco hardware environment, components are numbered from right to left, then from bottom to top.


Switch vs. Switch Module VLAN Config

Router With Stand Alone Switch
• Add VLAN to VLAN Database on Switch.
• Create Sub-interfaces on Router’s Fast Ethernet Port.
• Assign the VLAN to the Switch’s Ports.

Router With Switch Module
• Add VLAN to VLAN Database.
• Apply an IP Address and Subnet Mask to VLAN Interface.
• Assign the VLAN to the Switch Module’s Ports.

[Figure: a router connected by a trunk to a stand-alone Catalyst 2950 series switch, beside a router with an internal NM-16ESW switch module.]

The major difference between the two VLAN configurations above is that, if you are using a stand-alone switch, you have to program a trunk (sub-interfaces) between the router and the switch. If you are using a switch module, there is no trunking involved, since the Layer 2 switching and routing functions are located within the same piece of equipment.


VLAN Configuration

Create VLAN Database Entry

Switch>en

Switch#vlan database

Switch (vlan)#vlan 100 name test

Switch (vlan)#exit

switch#

VLAN Database Show Commands: From the enable prompt, enter “vlan database”.

• “show changes” - Show the changes to the database since modification began (or since reset).
• “show current” - Show the database installed when modification began.
• “show proposed” - Show the database as it would be modified if applied.


Router Switchport Configuration

interface VLAN 58
description voice VLAN
ip address 148.30.1.1 255.255.255.240

interface VLAN 59
description data VLAN
ip address 148.30.1.17 255.255.255.240

interface VLAN 60
description server VLAN
ip address 148.30.1.33 255.255.255.240

Create VLAN Interface on Router with Switchport Module

With switchport modules for routers now widely available, there is an additional configuration option. Rather than creating subinterfaces for each VLAN on the router and then configuring trunking to the switch, it is now possible to assign an IP address directly to the VLAN on the router. Assigning this IP address and then assigning the VLAN to a port on the module eliminates the need for an additional device to provide network services to end users. The configuration of a router with switchports is, in effect, the same as configuring multiple IPs on a switch. Once the IPs are set and the VLANs are assigned to various ports on the switching interface, those subnets are active.


VLAN Configuration

To assign ports to the VLAN:

Switch>en

Switch#config t

Switch (config)#interface fastethernet 0/1

Switch (config-if)#switchport access vlan 100

Switch (config-if)#ctl z

Switch#

VLAN Configuration Range CMD

Switch>en

Switch#config t

Switch (config)#interface range fastethernet 0/1 - 3 , 0/9 - 12

Switch (config-if-range)#switchport access vlan 100

Switch (config-if-range)#no shut

Switch (config-if-range)#ctl z

Switch#

Note the spaces on either side of the “-” and the “,” in the interface range command above.


Trunk Configuration

Switch>en

Switch#config t

Switch (config)#interface fastethernet 0/1

Switch (config-if)#switchport mode trunk

Switch (config-if)#switchport trunk allowed vlan remove 2-1001

Switch (config-if)#no shut

Switch (config-if)#ctl z

Switch#

By default, a trunk link carries all the VLANs that exist on the switch. This is because all VLANs are active on a trunk link; as long as the VLAN is in the switch's local database, traffic for that VLAN is carried across the trunk. You can selectively remove and add VLANs from a trunk link. To specify which VLANs are to be added or removed from a trunk link, use the following commands.

(Optional) Manually remove VLANs from a trunk link, from interface configuration mode: Switch (config-if)#switchport trunk allowed vlan remove vlanlist (in the example above it is 2-1001). The VLANs specified in the vlanlist field of this command will not be allowed to travel across the trunk link until they are added back to the trunk with the command switchport trunk allowed vlan add vlanlist.
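As an added example (not from the student guide or from Cisco), a Python checker that parses a switch configuration of the kind shown in this chapter and reports the settings the chapter treats as baseline: console and vty lines without login and a password (Setting Password), access ports without port security (Configuring the Ports), and trunks that still carry every VLAN (above). SAMPLE_CONFIG, its hostname and its enable-secret hash are constructed placeholders.

```python
"""Audit a Cisco IOS switch configuration for this chapter's baseline settings.

Added example (not from the student guide). Checks: 'enable secret' set,
'service password-encryption' on, line con/vty have 'login' and a password,
access ports have port security, trunks prune VLANs. SAMPLE_CONFIG is
constructed for the demonstration (the enable secret is a placeholder).
"""

SAMPLE_CONFIG = """\
hostname example
service password-encryption
enable secret 5 $1$PLACEHOLDER$placeholderhash
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan remove 2-1001
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line con 0
 password abc123
 login
line vty 0 15
 password abc123
"""


def parse_blocks(config: str):
    """Split an IOS config into (header, [child lines]) blocks.

    Global commands become blocks with no children; indented lines belong to
    the preceding header; '!' separators and blank lines are skipped.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str):
    """Return a list of finding strings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    global_cmds = {header for header, _ in blocks}
    findings = []
    if not any(cmd.startswith("enable secret") for cmd in global_cmds):
        findings.append("global: no 'enable secret' configured")
    if "service password-encryption" not in global_cmds:
        findings.append("global: 'service password-encryption' is not enabled")
    for header, children in blocks:
        if header.startswith("line "):
            name = header[5:]
            # Without 'login' the line never prompts for the configured password.
            if not any(c == "login" or c.startswith("login ") for c in children):
                findings.append(f"line {name}: no 'login', password is not enforced")
            if not any(c.startswith("password ") for c in children) \
                    and "login local" not in children:
                findings.append(f"line {name}: no password set")
        elif header.startswith("interface "):
            name = header[10:]
            if "switchport mode access" in children:
                if "switchport port-security" not in children:
                    findings.append(f"{name}: access port without 'switchport port-security'")
                elif not any(c.startswith("switchport port-security violation")
                             for c in children):
                    findings.append(f"{name}: port-security violation mode not set explicitly")
            if "switchport mode trunk" in children:
                if not any(c.startswith("switchport trunk allowed vlan") for c in children):
                    findings.append(f"{name}: trunk carries every VLAN "
                                    "(no 'switchport trunk allowed vlan')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```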


Router Configuration

interface FastEthernet0/0
description Trunk to Switch
no ip address
duplex full

interface FastEthernet0/0.1
description VLAN 100
encapsulation dot1Q 100
ip address 148.30.1.1 255.255.255.240

interface FastEthernet0/0.2
description VLAN 200
encapsulation dot1Q 200
ip address 148.30.1.17 255.255.255.240

Create Sub-Interfaces on Router Fast-Ethernet Port

Cisco IOS software has a configuration feature called subinterfaces that creates a logical subdivision of a physical interface. By configuring separate sub-interfaces, the router can have multiple IP addresses associated with one physical interface, and it treats each subinterface as if it were an individual link. Each sub-interface is assigned a different IP address from its associated subnet. In the example above, interface Fast Ethernet 0/0 has been subdivided into three sub-interfaces (note the interface FastEthernet0/0.1). Each sub-interface receives its own configuration for which subnet it belongs to, as well as which encapsulation method to use. The physical interface Fast Ethernet 0/0 is simply administratively enabled by issuing the command “no shutdown”.


VLAN Lab

[Network diagram: routers 1 through 8, each with a loopback address 148.43.200.N/32 (N = router number) and an f0/0 interface on 148.43.200.192/28 (.193/28 through .200/28). Each router carries vlan 58, using one of the addresses 148.43.200.17/27, .25/27, .33/27, .41/27, .49/27, .57/27, .65/27 and .73/27.]

1. Configure router for VLAN 58.
2. Assign IP addresses as shown on network diagram.
3. Assign ports FA1/0 – 4 for VLAN 58.
4. Configure OSPF single area.
5. Set laptop addresses to each VLAN and verify operations.


Show Commands

2950 Switch | Switchport Module | Description
show vlan | show vlan-switch | Displays the parameters for all configured VLANs
show vlan id vlan-id | show vlan-switch id vlan-id | Displays the parameters for a specified configured VLAN
show interface | show interface | Displays the administrative and operational status of all interfaces or a specified interface


Component Level Operations


CPN NIPR VLANS

CPN SIPR VLANS


CPN Router Case SEP SIPR

Use a Cat5 straight-through console cable to connect the laptop to the 3560 SEP console port

CPN Router Case SEP NIPR


Router Case Signal Flow

[Figure: signal flow diagram for the router case, showing the LOS case and the link to LOS.]


Cisco 3560 NIPR/SIPR Ethernet Switches


Cisco Catalyst 3560 Front Panel

[Figure: front panel, showing the mode button and LED display and the small form-factor pluggable ports.]

The Catalyst 3560 family of switches are standalone, fixed-configuration Ethernet switches to which you can connect devices such as Cisco™ IP Phones, Cisco™ Wireless Access Points, workstations, and other network devices such as servers, routers, and other switches.

• The switches can be deployed as backbone switches, aggregating 10BASE-T, 100BASE-TX, and 1000BASE-T Ethernet traffic from other network devices.

• The catalyst 3560G can deliver the necessary power to support 24 ports at 15.4 watts, 48 ports at 7.7 watts, or any combination in between for a total of 370 watts, for inline Power Over Ethernet (PoE) to VOIP phone devices.

• The Cisco™ Catalyst 3560G series switches can be managed through the console port or telnet. Additionally, they may be managed by Cisco™ Works LAN Management Solution (LMS) applications like Cisco™ View, Campus Manager, and Resource Manager Essentials.

• Auto-sensing of port speed and auto-negotiation of duplex mode on all switch ports for optimizing bandwidth.

• IEEE 802.3x flow control on all ports (the switch does not send pause frames).

• Fast EtherChannel© and Gigabit EtherChannel© for enhanced fault tolerance and for providing up to 2 Gbps full duplex of bandwidth between switches, routers, and servers.


• Per-port storm control for preventing broadcast, multicast, and unicast storms.

• Performance and configuration of the 3560G-48PS Ethernet switch:

• 48 10/100/1000 Ethernet ports and 4 Small Form-Factor Pluggable (SFP) based ports.

• Support for up to 1024 VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth.

• Support for VLAN IDs in the full 1 to 4094 range allowed by the IEEE 802.1Q standard.

• ISL and IEEE 802.1Q trunking support on all ports.

• Support for Voice VLAN ID (VVID).

• Supports the IPv6 standard.

• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (802.1Q or ISL) to be used.

• VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic.

• VLAN1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received on the trunk. The switch CPU continues to send and receive control protocol frames.

• DHCP for automating configuration of switch information (such as IP address, default gateway, host name, and Domain Name System [DNS] and TFTP server names).

• DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients.

• DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts.

• Cisco™ Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco™ devices on the network.

• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source.

• Power redundancy.

• The switch is powered through the internal power supply.

• Connection for an optional (NOT used in the CPN) Cisco™ RPS 675 to provide backup power if the switch internal power supply should fail.


Cisco Catalyst 3560 Rear Panel

• Cisco IOS Command Line Interface (CLI).

• Connect a PC or terminal directly to the console port (using a straight-through Cat5 cable) located on the Signal Entry Panel of the CPN case. If the switch is connected to your network, then you can use a Telnet connection to manage the switch from a remote location.


Cisco™ Catalyst 3560 Ethernet Switch

Front Panel LED Array

SYSTEM LED:
OFF - System is not powered on.
GREEN - System is operating normally.
AMBER - System is receiving power but not functioning properly.

RPS LED - NOT used in the CPN.

Mode LED selections (STATUS LED):
PORT STATUS - The port status. This is the DEFAULT mode.
DUPLX - The port duplex mode: full duplex or half duplex.
SPEED - The port operating speed: 10, 100, or 1000 Mbps.
POE (PORT POWER) - The PoE status.

STATUS (PORT STATUS) LED:
OFF - No link, or link was administratively shut down.
GREEN - Link present.
BLINKING GREEN - Link activity; port is transmitting or receiving data.
GREEN & AMBER - Link fault.
AMBER - Port is blocked by Spanning Tree Protocol (STP) and is not forwarding data.
BLINKING AMBER - Port is blocked by STP and is not transmitting or receiving packets.


DUPLX (Duplex) LED:
OFF - Port is operating at HALF duplex.
GREEN - Port is operating at FULL duplex.

SPEED LED (10/100/1000 ports and SFP ports):
OFF - Port is operating at 10 Mbps.
GREEN - Port is operating at 100 Mbps.
BLINKING GREEN - Port is operating at 1000 Mbps.

POE (mode LED):
OFF - PoE is NOT selected. No PoE faults on ports.
GREEN - PoE status is selected. See individual port LEDs.
BLINKING AMBER - PoE is NOT selected, but a FAULT has been detected on one or more of the ports.

POE (port LED, 10/100/1000 ports):
OFF - PoE is OFF.
GREEN - PoE is ON. LED is on only when the port is providing power to a connected device.
GREEN & AMBER - PoE is denied because the switch would exceed the maximum 370W.
BLINKING AMBER - PoE is OFF because of a fault. Check cable or remove device from the port.
AMBER - PoE has been disabled by user. This is the default.


CPN_01_ST2S#show version

Cisco™ IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by Cisco™ Systems, Inc.

Compiled Fri 28-Dec-06 12:34 by jensend

Image text-base: 0x00003000, data-base: 0x012237D0

ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SE1, RELEASE SOFTWARE (fc)

CPN_01_ST2S uptime is 4 days, 23 hours, 8 minutes

System returned to ROM by power-on

System restarted at 16:06:38 GMT Wed Dec 23 2006

System image file is "flash:c3560-advipservicesk9-mz.122-25.SEE2/c3560-advipservicesk9-mz.122-25.SEE2.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco™ cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

Show Version - callouts on the output above:

• Operating System File (“.bin” type)
• Operating System Version
• Equipment Supported
• IOS File Location

Show Flash

CPN_01_ST2S#show flash:

Directory of flash:/

1 drwx 192 Dec 29 2006 16:02:19 +00:00 c3560-advipservicesk9-mz.122-25.SEE2.bin

2 -rwx 796 Mar 1 1993 00:02:33 +00:00 vlan.dat

3 -rwx 1956 Dec 27 2006 16:05:29 +00:00 private-config.text

4 -rwx 10521 Dec 27 2006 16:05:29 +00:00 config.text

5 -rwx 3096 Dec 27 2006 16:05:29 +00:00 multiple-fs

32514048 bytes total (22809088 bytes free)

CPN_01_ST2S#

Callouts on the output above:

• Files Located on the Flash
• Space Remaining on Flash
• File Location or “Slot” in Flash


Switch Configuration (1)

version 12.2

service nagle

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname BCP_77402_ST2S

!

logging buffered 51200 warnings

enable secret 5 $1$ZcWJ$mEFbA/nCxntzVGE7pV2qE0

!

username gdadmin privilege 5 password 7 10490D485744464F

!

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

Callouts on the configuration above:

• ! is a spacer and is NOT part of the actual configuration. It is used to separate functional areas within the configuration.
• Congestion Control Protocol. If an assigned port is busy or congested, data will be routed (if possible) through a different port automatically.
• service password-encryption: Encrypts passwords.
• hostname: User assigned “host” name.
• username: Defined user names and passwords.
• aaa: Authentication, Authorization and Accounting commands. AAA is used to authenticate users. If you see local, it means local usernames and passwords will be used. Tacacs+ is a remote server.

Switch Configuration (2)

aaa session-id common

clock timezone GMT 0

vtp domain BCP_77402

vtp mode transparent

ip subnet-zero

no ip source-route

ip routing

no ip domain-lookup

ip domain-name jntc.army.smil.mil

!

ip multicast-routing distributed

ip ssh time-out 60

ip ssh authentication-retries 2

ip scp server enable

!

no file verify auto

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 6,58-59,175,222-226,233,275,322,324,333,358

Assigned VLAN’s

Set switch as a member of a domain

Set switch as a member of a Virtual Trunking Protocol Domain

Tells switch how to react to VTP updates


Switch Configuration (3)

interface Loopback0

ip address 22.218.32.22 255.255.255.255

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim sparse-dense-mode

!

interface GigabitEthernet0/1

switchport access vlan 59

switchport mode access

switchport voice vlan 58

no mdix auto

spanning-tree portfast

!

interface GigabitEthernet0/36

switchport access vlan 59

switchport mode access

switchport voice vlan 58

no mdix auto

spanning-tree portfast

!

Automatically puts a port in forwarding mode. If not enabled, a port can take 30 seconds or more to come up, which causes problems for some devices.

Allows data to pass on port

Allows voice to pass on port

Switch Configuration (4)

interface GigabitEthernet0/37

description Interface to FW-UNUSED (e0/0)

shutdown

!

interface GigabitEthernet0/38

description Interface to FW-UNUSED (e0/2)

shutdown

!

interface GigabitEthernet0/39

description Interface to PEP (APA-FUTURE USE)

shutdown

!

interface GigabitEthernet0/40

description Interface to PEP (APA-FUTURE USE)

shutdown

!

interface GigabitEthernet0/41

description Interface to Call Manager

switchport access vlan 58

switchport mode access

switchport voice vlan 58

spanning-tree portfast

!

Port is “Administratively down”. Plugging a device into this port will not change status, nor will a service be rendered.

* Port set up to connect to laptop running Call Manager. THIS IS NOT A USER PORT!


Switch Configuration (5)

interface GigabitEthernet0/42

description Interface to Taclane (PT)

switchport access vlan 175

switchport mode access

!

interface GigabitEthernet0/43

description Interface to Firewall (FW Management)

switchport access vlan 233

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/44

description Interface to Firewall (IPS Management)

switchport access vlan 233

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/45

description Interface to PEP (PRIMARY)

switchport access vlan 222

switchport mode access

spanning-tree portfast

!

Description informs the operator of the port's use and function.

Switch Configuration (6)

interface GigabitEthernet0/46

description Interface to FW-UNTRUST (e0/3)

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,322,324,333,358,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/47

description Interface to FW-TRUST (e0/1)

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,58,222,224,233,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/48

description Interface to T2 Router (g0/0)

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,6,175,322,324,333,358,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/49

description (SFP2) Trunk (100mbs) to STT via SEP SFP2

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,6,1002-1005

switchport mode trunk

duplex full

Trunking protocol

Turns the trunking feature on

“Trunked” port. Allows multiple VLAN’s to use one interface or port.

802.1Q / dot1q is NON vendor specific. If it is not put in, Cisco devices default to ISL, which will not work in JNN.


Switch Configuration (7)

interface GigabitEthernet0/50

description (SFP3) Trunk (1000mbs) via SEP SFP3

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,6,58,59,222,1002-1005

switchport mode trunk

!

interface GigabitEthernet0/51

description (SFP1) (100mbs) to SIPR Case TACLANE via SEP SFP1

switchport access vlan 175

switchport mode access

!

interface GigabitEthernet0/52

description (SFP4) Trunk (1000mbs) via SEP SFP4

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,6,58,59,222,1002-1005

switchport mode trunk

!

interface Vlan1

no ip address

shutdown

VLAN 1 cannot be deleted. It must be “SHUTDOWN” for security purposes.

Switch Configuration (8)

interface Vlan59

description Data Vlan

ip address 22.218.24.14 255.255.255.240

no ip proxy-arp

ip pim sparse-dense-mode

!

interface Vlan224

description Interface to T2R with FW & PEP

ip address 22.218.24.45 255.255.255.240

no ip proxy-arp

ip pim sparse-dense-mode

!

router ospf 21

log-adjacency-changes

passive-interface Vlan59

network 22.218.24.0 0.0.0.15 area 0

network 22.218.24.32 0.0.0.15 area 0

network 22.218.32.22 0.0.0.0 area 0

!

ip classless

no ip http server

no ip http secure-server

Establish VLAN’s that will originate at the switch

Set OSPF and update permissions

These commands disallow GUI connections through a port


Switch Configuration (9)

ip pim spt-threshold infinity

ip pim register-source Loopback0

banner exec

Configuration version 82AB.LOT10

02/19/2008

Built off IOS Baseline c3560-ipservicesk9-mz.122-25.SEE4.bin

banner motd

ATTENTION!

THIS IS A DOD COMPUTER SYSTEM.

!

line con 0

exec-timeout 5 0

line vty 0 4

exec-timeout 5 0

transport input telnet ssh

line vty 5 15

exec-timeout 0 10

no exec

transport input telnet ssh

end

Set up policies for access through console port

Set up policies for access through remote telnet/ssh sessions

Set up initial login greeting

Show VLAN

VLAN 1 is the default VLAN. All ports will be assigned to VLAN 1 unless assigned elsewhere.

CPN_01_ST2S#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/46, Gi0/47, Gi0/48, Gi0/49

Gi0/50, Gi0/51, Gi0/52

6 VLAN0006 active

58 VLAN0058 active Gi0/1, Gi0/2, Gi0/3, Gi0/4

Gi0/5, Gi0/6, Gi0/7, Gi0/8

Gi0/9, Gi0/10, Gi0/11, Gi0/12

Gi0/13, Gi0/14, Gi0/15, Gi0/16

Gi0/17, Gi0/18, Gi0/19, Gi0/20

Gi0/21, Gi0/22, Gi0/23, Gi0/24

Gi0/25, Gi0/26, Gi0/27, Gi0/28

Gi0/29, Gi0/30, Gi0/31, Gi0/32

Gi0/33, Gi0/34, Gi0/35, Gi0/36

Gi0/37, Gi0/38, Gi0/39, Gi0/40

Gi0/41, Gi0/42

VLAN 58 is the “VOICE” VLAN. ALL phone calls will use VLAN 58. Notice that all ports that a user could plug into are assigned to this VLAN.

VLAN 59 (not listed on this screen) is the “DATA” VLAN. ALL laptop activity will use VLAN 59. Notice that all ports that a user could plug into are assigned to this VLAN.

Management VLAN


Show VLAN ID

CPN_01_ST2S#show vlan id 58

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

58 VLAN0058 active Gi0/1, Gi0/2, Gi0/3, Gi0/4

Gi0/5, Gi0/6, Gi0/7, Gi0/8

Gi0/9, Gi0/10, Gi0/11, Gi0/12

Gi0/13, Gi0/14, Gi0/15, Gi0/16

Gi0/17, Gi0/18, Gi0/19, Gi0/20

Gi0/21, Gi0/22, Gi0/23, Gi0/24

Gi0/25, Gi0/26, Gi0/27, Gi0/28

Gi0/29, Gi0/30, Gi0/31, Gi0/32

Gi0/33, Gi0/34, Gi0/35, Gi0/36

Gi0/37, Gi0/38, Gi0/39, Gi0/40

Gi0/41, Gi0/42, Gi0/44

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

58 enet 100058 1500 - - - - - 0 0

VLAN ID Number

If the VLAN has been applied and can process information, the status will be “active”. A VLAN that is not ready to process information will display an “inactive” status.

Displays information on specific VLAN’s only

Show IP Interface Brief

CPN_01_ST2S#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Vlan1 unassigned YES NVRAM administratively down down

Vlan59 22.218.40.61 YES NVRAM up up

GigabitEthernet0/1 unassigned YES unset down down

GigabitEthernet0/2 unassigned YES unset down down

GigabitEthernet0/3 unassigned YES unset down down

GigabitEthernet0/4 unassigned YES unset down down

GigabitEthernet0/5 unassigned YES unset down down

GigabitEthernet0/6 unassigned YES unset down down

GigabitEthernet0/22 unassigned YES unset up up

GigabitEthernet0/23 unassigned YES unset up up

GigabitEthernet0/24 unassigned YES unset down down

GigabitEthernet0/25 unassigned YES unset down down

Port is “shutdown” by user

Device is plugged into this port and is functioning


Show IP Interface

CPN_01_ST2S#show ip interface

Vlan1 is administratively down, line protocol is down

Internet protocol processing disabled

Vlan59 is up, line protocol is up

Internet address is 22.218.40.61/26

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

Lists all interfaces in detail


Password Recovery (1)

1) Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch.

Use the following terminal settings:

Bits per second (baud): 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow Control: Xon/Xoff

2) Hold down the mode button located on the left side of the front panel, while you power cycle the switch.

3) Release the Mode button after approximately 15 seconds when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

4) The system has been interrupted prior to initializing the flash file system. To finish loading the operating system software, the following commands are issued at the switch: prompt in the next steps:

flash_init

load_helper

boot

switch:

Password Recovery (2)

5) Issue the flash_init command.

switch: flash_init

Initializing Flash...

flashfs[0]: 143 files, 4 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 3612672

flashfs[0]: Bytes used: 2729472

flashfs[0]: Bytes available: 883200

flashfs[0]: flashfs fsck took 86 seconds

....done Initializing Flash…….

Boot Sector Filesystem (bs:) installed, fsid: 3

Parameter Block Filesystem (pb:) installed, fsid: 4

switch:


Password Recovery (3)

6) Issue the load_helper command.

switch: load_helper

switch:

7) Issue the dir flash: command.

Note: Make sure to type a colon ":" after the dir flash.

The switch file system is displayed:

switch: dir flash:

Directory of flash:/

2 -rwx 1803357 <date> c3500xl-c3h2s-mz.120-5.WC7.bin

!--- This is the current version of software.

4 -rwx 1131 <date> config.text

!--- This is the configuration file.

5 -rwx 109 <date> info

6 -rwx 389 <date> env_vars

7 drwx 640 <date> html

18 -rwx 109 <date> info.ver

403968 bytes available (3208704 bytes used)

switch:

Password Recovery (4)

8) Type rename flash:config.text flash:config.old to rename the configuration file.

switch: rename flash:config.text flash:config.old

switch:

!--- The config.text file contains the password definition.

9) Issue the boot command to boot the system.

switch: boot

Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...################################

File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry point: 0x3000

executing...


Password Recovery (5)

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.

Use ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

Continue with configuration dialog? [yes/no]: n

Press RETURN to get started.

Switch>

10) At the switch prompt, type en to enter enable mode.

Switch>en

Switch#

Type rename flash:config.old flash:config.text to rename the configuration file with its original name.

Switch#rename flash:config.old flash:config.text

Destination filename [config.text]

Switch#

Password Recovery (6)

11) Copy the configuration file into memory.

Switch#copy flash:config.text system:running-config

Destination filename [running-config]?

!--- Press Return or Enter.

1131 bytes copied in 0.760 secs

Sw1#

The configuration file is now reloaded.

12) Overwrite the current passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character.

Sw1# conf t

Sw1(config)#enable password <new_enable_password>

Sw1(config)#enable secret <new_secret_password>

Sw1(config)#line con 0

Sw1(config-line)#password <new_console_password>

Sw1#write memory

Building configuration... [OK]

Sw1#


Modem CTM-100 v1.01


CDIM

• The purpose of the dual port CDIM is to convert NRZ (RS-530) data into CDI or fiber

• Allow interfaces to be extended from the shelter using either CX-11230 cable or fiber optic cable

• Support rates up to 4608 Kbps using CX-11230, 18720 Kbps using fiber

A> ALARMS

* >> A,B

The major engineering goal of the optional CTM-100/C multiplexer mode was to interface THSDN Digital Trunk Groups (DTGs). The CTM-100/C can break out the voice and data circuits of a High Speed DTG. This allows for Small Extension Node, SEN-like capabilities to be performed in a much smaller form factor. The basic operation is that the CTM-100/C receives the High Speed DTG and breaks out the separate voice and data streams. The voice portion of the DTG is delivered to an RMC or LTU and the data portion of the DTG is delivered to a router. The CTM-100/C can move circuits at distances up to 16 km and rates up to 18720 kbs utilizing tactical fiber cable such as CX-13295, or at distances up to 3.2 km and at rates up to 4608 kbs via legacy copper cables such as CX-11230. The CTM-100/C optical transceivers can drive circuits 16km over single or multimode cable. The loopbacks are digital loopbacks, which allow the data to pass through the CTM-100/C internal circuitry before being looped back.

• Transport data up to 2 miles using CX-11230 depending on the transmission rate.

• Transport data up to 10 miles using fiber optical cable for all data rates.

• Can support loopbacks on the NRZ, CDI, or Fiber side of the selected port.


J-1 TERM: Interface to Terminal Server and for external configuration.

PORT: Select the desired port (A/B).

ENTER: Accepts entered selection such as data rate.

ESC: Returns to the default top-level menu (alarms display).

Up and down arrows: Scroll through menu options available.

Left and right arrows: Scroll through available menu option settings.

LCD: Status and configuration display.

Upon power-up, the CDIM will display the software version and then the system level Alarms status. From the alarms status, the user can configure the CDIM using the panel buttons. Configurations are automatically saved in NVRAM (Non Volatile Random Access Memory) after eight seconds of no menu activity. Three types of available commands:

1. Normal: Contain options selectable by the user. Different options are available for Fiber and CDI.

2. Status Only: Statuses that can not be changed.

3. Re-Settable: Status items that may be reset.


CDIM Rear Panel Controls & Indicators

J3/J7 DB-50 female connectors for ports A and B, used for CDI signals.

J4/J8 DB-25 female connectors, used for NRZ signals

J5/J9 Port A and B fiber optic transmit connections

J6/J10 Port A and B fiber optic receive connections


CDIM Front Panel Configuration

N>MENU ITEM

INDICATOR MENU SELECTION

When scrolling through the menus, the Liquid Crystal Display (LCD) will display information as above.

• N: Either A or B to indicate which is the current selected port.

• Menu Item: The current menu selection/option is shown here.

• Indicator: an asterisk. Solid if “Menu Selection” is the current active value; off if “Menu Selection” is not the current active value; flashing if “Menu Item” is a status only item.

• Menu Selection: The current selection of the current menu item.


CDIM LCD Commands (1)

These commands and options are available when the mode is set as CTM-100/B NRZ/CDI. Bold options indicate normal or usual settings in the WIN-T Shelters.


CDIM LCD Commands (2)

These commands and options are available when the mode is set as Fiber Optic. Dashed line between Input and Data Rate settings correlates available setting options. Bold indicates normal or usual settings in the WIN-T Shelters.


CDIM LCD Commands (3)

These are additional commands and options for the Fiber Optic mode.

• Available when input set as NRZ or 50 Pin 422.

• NRZ Clock not available if NRZ Conf set as DCE/INT or DCE/EXT.

• In 50 Pin input mode, only Clock and Data Polarity available as extra settings.

• Bold indicates normal or usual settings in the WIN-T Shelters.


CDIM LCD Commands (4)

Status Only Options Resettable Options

Status Only and Re-settable options are used to check performance of the CDIM. The Status Command displays a condensed status of the CDIM.


CDIM Status Display (1)

A>STATUS

* <Rate> <NRZ> <CDI> <Ext> <Pll> <Lx>

CTM-100/B NRZ/CDI MODE STATUS DISPLAYS

Rate: Data rate selected by the user.

NRZ: N – if the NRZ group is active and the system clock source. n – if the NRZ group is active but not the system clock source. Blank – if the NRZ group is not active.

CDI: C – if the CDI group is active and the system clock source. c – if the CDI group is active but not the system clock source. Blank – if the CDI group is not active.

Ext: E – if the external timing group is active and the system clock source. e – if the external timing group is active but not the system clock source. Blank – if the external timing group is not active.

PLL: P – if the Phase Loop Lock is operating in normal range. P+ – if the PLL indicates the clock source is a higher bit rate than the modem setting. P- – if the PLL indicates the clock source is a lower bit rate than the modem setting.

Lx: Indicates current CDI signal level where X is a number between 0 and 9.


CDIM Status Display (2)

A>STATUS

* <Rate><Input><Fiber><Ext><Pll><LX>

FIBER OPTIC MODE STATUS DISPLAYS

Rate: Data rate selected by the user.

Input: N or C – if the NRZ or CDI group is active and also the system clock source. n or c – if the NRZ or CDI group is active but not the system clock source. Blank – if the NRZ or CDI group is not active.

Fiber: F – if the Fiber Optic group is active and the system clock source. f – if the Fiber Optic group is active but not the system clock source. Blank – if the Fiber Optic group is not active.

Ext: E – if the external timing group is active and also the system clock source. e – if the external timing group is active but not the system clock source. Blank – if the external timing group is not active.

PLL: P – if the Phase Loop Lock is operating in normal range. P+ – if the PLL indicates the clock source is a higher bit rate than the modem setting. P- – if the PLL indicates the clock source is a lower bit rate than the modem setting.

LX: Indicates current CDI signal level where X is a number between 0 and 9 (only in CDI mode).

Modem Timing Options

EXT 5M – Allows the CDIM to derive timing from a 5 MHz external GPS signal. USED IN WIN-T.

FIBER OPTIC – Allows the CDIM to recover timing (SLAVE) from the Fiber Optic source. USED IN THE STT.

CDI – Allows the CDIM to recover timing from the CX-11230 cable.

INTERNAL – Used for troubleshooting.

Other timing options are available but are not utilized in the Shelter.
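The two status legends above (NRZ/CDI mode and Fiber Optic mode) are easy to misread on a two-line LCD, so here is an added Python decoder, not part of the student guide, that turns the status line into labelled text and reports which group is the system clock source. It assumes the fields are space separated and that a blank (inactive) field is written as "-" when the line is transcribed; the sample lines in the code are constructed.

```python
"""Decode the CDIM front-panel STATUS line using the guide's legends.
Added example, not from the guide. Assumption: fields are space separated
and an inactive (blank) field is transcribed as '-'."""
from typing import Dict

# Field order per mode, as shown on the second LCD line after the asterisk.
FIELDS = {
    "nrz_cdi": ["Rate", "NRZ", "CDI", "Ext", "PLL", "Lx"],
    "fiber": ["Rate", "Input", "Fiber", "Ext", "PLL", "Lx"],
}
# Group letters each field may legitimately show (upper or lower case).
ALLOWED = {"NRZ": "N", "CDI": "C", "Input": "NC", "Fiber": "F", "Ext": "E"}
GROUP_NAME = {"N": "NRZ", "C": "CDI", "F": "fiber optic", "E": "external timing"}
PLL_TEXT = {
    "P": "PLL in normal range",
    "P+": "PLL: clock source bit rate higher than modem setting",
    "P-": "PLL: clock source bit rate lower than modem setting",
}


def decode_group(field: str, token: str) -> str:
    """Upper case = group active and system clock source; lower = active only."""
    if token == "-":
        return "not active"
    if token.upper() not in ALLOWED[field]:
        raise ValueError(f"{token!r} is not a valid {field} indicator")
    role = "system clock source" if token.isupper() else "not the clock source"
    return f"{GROUP_NAME[token.upper()]} group active, {role}"


def decode_level(token: str) -> str:
    """Lx gives the CDI signal level 0-9; it is only shown when CDI is in use."""
    if token == "-":
        return "not shown (no CDI)"
    if len(token) == 2 and token[0] == "L" and token[1].isdigit():
        return f"CDI signal level {token[1]}"
    raise ValueError(f"{token!r} is not a valid Lx level")


def decode_status(display: str, mode: str) -> Dict[str, str]:
    """Translate e.g. '* 4608 N c - P L7' (NRZ/CDI mode) into labelled text."""
    names = FIELDS[mode]
    tokens = display.strip().lstrip("*").split()
    if len(tokens) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(tokens)}")
    out: Dict[str, str] = {}
    for name, tok in zip(names, tokens):
        if name == "Rate":
            out[name] = f"data rate {tok} selected"
        elif name == "PLL":
            if tok not in PLL_TEXT:
                raise ValueError(f"{tok!r} is not a valid PLL indicator")
            out[name] = PLL_TEXT[tok]
        elif name == "Lx":
            out[name] = decode_level(tok)
        else:
            out[name] = decode_group(name, tok)
    return out


def clock_source(display: str, mode: str) -> str:
    """Name the single group flagged (upper case) as system clock source.
    The legend implies exactly one; 'none' or 'ambiguous' means the timing
    setup should be checked before trusting the link."""
    decode_status(display, mode)  # validates field count and indicators
    tokens = display.strip().lstrip("*").split()
    picked = [n for n, t in zip(FIELDS[mode], tokens)
              if n in ALLOWED and t != "-" and t.isupper()]
    if len(picked) == 1:
        return picked[0]
    return "none" if not picked else "ambiguous: " + ", ".join(picked)


if __name__ == "__main__":
    # Constructed sample lines, one per mode.
    for line, mode in (("* 4608 N c - P L7", "nrz_cdi"), ("* 18720 n F - P+ -", "fiber")):
        print(mode, decode_status(line, mode), "clock:", clock_source(line, mode))
```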


CDIM Tests and Loops

CDIM Test CDIM Loopback

Tests and loopbacks will help troubleshoot the CDIM links whenever they are not working properly.

• CDIM tests can be applied on any of the CDIM ports.

• Port selection will be done through the Test Mode menu option.

• Different ports will be available depending on what CDIM mode is selected.

• For tests to function, the network device will have to be put in loopback.

• CDIM loops can also be put on any of the CDIM ports.

• Port selection will be done through the loops menu option.


HSFEC Controls and Indicators

1 M (MODE) LED: Green – FEC ON + INTERLEAVER ON; Yellow – FEC only; Red – No FEC

2 B (BER) LED: Red – The bit error rate is higher than 2x10-6 (only BER Test Mode or Loopback Mode); Green – The bit error rate is lower than 2x10-6 (only BER Test Mode or Loopback Mode)

3 S (SYNC) LED: Red – The FEC cards on the sending and receiving end are out of sync; Green – The FEC cards on the sending and receiving end are in sync; Off – FEC is turned off.

4 HOT SWAP LED: Red – Card can be removed and reinserted without shutting off power

• This procedure loops back the HSFEC network element in a NIPR Tier 1 serial channel. The HSFEC card in the FLEXMUX front panel toggle switches are used to set the loopback.

– Check the mode (M) LED for the channel under test on the HSFEC front panel. If the LED is green or yellow, the HSFEC circuit is activated: proceed with this procedure. If the LED is red, the HSFEC function is bypassed and loopback testing does not apply.

– Set the channel’s Loopback-Normal-BER Test switch to the Loopback position.

– Check the port status using SNMPc and verify that the port is Up indicating a successful loopback test.

– Set the Loopback-Normal-BER Test switch back to the Normal position when the test is complete.

HSFEC Loopback Test


Introduction to the KIV-7M v1.01


KIV-7M Functions

The KIV-7M is a Type-1 encryption device which will be used in the SSS for the purpose of encrypting DTG links between the SMU and other circuit switches, encrypting SA-TRK links between Prominas, and encrypting router to router links. Each KIV-7M will have two independently configurable channels that may be keyed at different security levels if needed. They will operate in one of four modes or personalities. Which mode we use will depend on what the distant end COMSEC equipment is. One of the modes we use will be the KIV-7 mode that will communicate with older KIV-7 models. This mode will probably be used for encrypting router circuits. The second mode we will use is the KG-194 mode that will be compatible with KIV-19 and KG-194 type encryptors. We will probably use this mode for encrypting SMU DTGs, Promina SA-TRK links, and even some router-to-router links. The final mode that we will be using is the Suite-A mode. This mode will be used for communicating between two KIV-7Ms. You can store up to four configurations per channel. These are handy if you interface to different equipment that requires different settings in your device. One example is that you set up the KIV with certain settings for communication with another KIV-7M, store that config in one of the four storage locations, and store a config for communication with a legacy KG-194 in another location. These two configs can be stored on the same channel and recalled into use as necessary. This will be the normal operation for us during training.


The KIV will be able to run at speeds of up to 2048 Kb when we are using it in KIV-7 mode. If we use it in KG-194 mode then we can run up to 13.5 Mb, but most of the equipment we will be interfacing does not go that high. Suite-A can go even higher, but we will probably be using the EIA-530 connectors for all communications. To break it down again, the KIV-7M is a dual channel encryptor. These two channels are independently configurable. They can be set up in one of four modes for use with differing distant end encryption devices. The fact that the two channels are independently configurable means you can set up one of the channels as a KG-194 with a secret key and the other channel as a Suite-A device with a top-secret key if needed. The possible data rates depend on device configuration as far as mode and data connector type.


Controls and Indicators (1)

Channel Display

Command and Status Display

Before starting to configure the KIV, we need to familiarize ourselves with the controls and indicators of the device. The fill port on the front panel will be used for loading COMSEC keys into the KIV. We will go over how to load keys later. This port will normally be configured as a DS-102 port that will make it compatible with KYK-13s, KYX-15s, and AN/CYZ-10s. The CIK port is where the CIK or Crypto Ignition Key is inserted for operating the KIV. The KIV will not function without a CIK or with an incorrect CIK. Only one valid CIK may exist for each KIV. If the CIK that was previously initialized for the device is lost or damaged, then a new CIK may be initialized. However, since only one valid CIK may exist, the old CIK, which was lost or damaged, is no longer valid. This is not a problem if it was damaged, but if it was lost and then found, it will no longer work with this or any other KIV. Be sure to properly label and store CIK keys when not in use. The purpose of the CIK key is to encrypt keys that are loaded in the KIV. Once a CIK is installed and initialized, it will be valid only in the KIV for which it was initialized. During operations, any COMSEC keys that are loaded into the KIV will only be valid as long as the associated CIK is installed. The CIK may be removed and stored without zeroizing the KIV. If the CIK is lost, then the keys that are loaded in the KIV will not be operational. If a new CIK is installed and initialized in the KIV, then any loaded keys will be zeroized since they were only valid with the previously initialized CIK.


41

The channel display shows the operator which channel is currently being displayed and configured on the KIV. It shows either a 1 for channel one, a 2 for channel two, or a – signifying that the system, that is the KIV itself, is being configured rather than either of the channels. The command and status display is used for displaying the status of the KIV. We will also use it for scrolling through the commands and options of the KIV and then selecting the desired command and/or setting.

• FILL Connector: Used for loading keys into the KIV-7M. Programmable by personality as either DS-101 for DTD-type devices, DS-102 for common fill devices, or RS-232.
• CIK Port: Used for Crypto Ignition Key insertion, which is used to initialize the KIV-7M. Without a CIK the KIV-7M is inoperable.
• Channel Display: Single-character display that signifies which channel of the KIV-7M is currently being configured. If a – is displayed, you are in system configuration.
• Command and Status Display: Displays command options and status messages to the operator.


42

Controls and Indicators (2)

The CH button is used for selecting which channel of the KIV to configure. Pressing this button cycles the channel display through channel 1, channel 2, and – for system configuration. The up and down arrow buttons scroll through the commands and options of the KIV for the selected channel or system. The commands appear in the command and status display. When accessing the command menu from a status display, it may be necessary to first press the down arrow before the command menu displays. The INIT button is used to initiate an action, depending on the operational status of the KIV. This action may be to select the current command, to select the current setting for the command, to load a key, or to update or resync a key. The ESC button backs up one level in the menu tree. The ON LINE button places the selected channel into on-line, or operational, status. The channel will only go on-line if valid keys have been loaded for the channel. The channel may also be brought off-line with this button.


43

When the INIT and ESC buttons are pressed simultaneously, the KIV will be zeroized. All keys will be zeroized and the CIK will be initialized to a blank state. If this is done, it will be necessary to reset the KIV, either by removing and reinserting the CIK or by cycling power to the KIV.

• CH Button: Used to select the channel to configure. Either 1, 2, or – for system.
• ▲ Button: Scrolls up through the command and status messages in the command/status display.
• INIT Button: Initiates an action for the requested channel, depending on the operational state of the KIV-7M. Examples are command initialization, option selection, or crypto synchronization.
• ▼ Button: Scrolls down through the command and status messages in the command/status display.
• ESC Button: Backs up one level in the menu tree.
• ON LINE Button: Transfers the selected channel from off-line to on-line and back. Also initiates header bypass when enabled.


44

Controls and Indicators (3)

The HDR BYP indicator indicates when the selected channel is in header bypass mode. We will probably never use header bypass, but it can be used to transmit up to 512 bits of data from the connected data device to any equipment between your KIV and the distant-end KIV, or to the distant-end data device, before secure operations are established. This data will not be encrypted even if keys are loaded in the KIV. After the 512 bits of data are transmitted, the KIV goes to secure on-line operation and starts encrypting. The ALARM indicator indicates when an alarm with the selected channel or system has occurred. If the alarm and zeroize indicators are steadily lit at the same time and the display reads “LOAD JK0”, the device must be turned in for re-initialization. The PARITY indicator lights continuously whenever there is a parity error with a key or there are no keys loaded. It flashes momentarily when an operation such as key loading was successful. The ZEROIZE indicator indicates when the KIV is completely zeroized or is being zeroized. If completely zeroized, the LED is constantly lit; it flashes while a key or keys are being zeroized.


45

The ON LINE indicator indicates when the selected channel is operational and encrypting/decrypting data. It flashes when the channel is trying to sync or resync.

• HDR BYP indicator: Green LED, indicates when the selected channel is bypassing header data. When the channel display shows “–”, the LED illuminates if either channel is in header bypass mode.
• ALARM indicator: Red LED, indicates an alarm with the selected channel or with the system.
• PARITY indicator: Red LED, lights continuously if there is a parity error during key loading, selection, transfer, or OTAR operations, or if no keys are loaded. Blinks if the operation was successful.
• ZEROIZE indicator: Red LED, lights when the KIV-7M is zeroized. Blinks during zeroization.
• ON LINE indicator: Green LED, indicates when the selected channel is operational and encrypting/decrypting data. Off if the channel is in standby or header bypass. Blinks during synchronization. Lights if either channel is operational when the channel display shows “–”.


46

KIV-7M Connectors

One thing to point out is the HCI. This port would normally allow configuring the KIV through a web interface. However, NSA does not allow connecting the KIVs to a LAN. HAIPE = High Assurance Internet Protocol Encryptor.

• RED CHANNEL 1 (J3): 68-pin connector for RED plain text channel 1 data.
• RED CHANNEL 2 (J5): 68-pin connector for RED plain text channel 2 data.
• BLACK CHANNEL 1 (J4): 68-pin connector for BLACK cipher text channel 1 data.
• BLACK CHANNEL 2 (J6): 68-pin connector for BLACK cipher text channel 2 data.
• +5V DC (J1): 7-pin DC power input and ground.
• HCI (J2): RJ-45 Host Control Interface for remote connection to the device. Not connected in the shelter.
• RED CH 3 (J8): High Assurance Internet Protocol Encryptor (HAIPE) port. Not used.
• BLACK CH 3 (J7): HAIPE port. Not used.


47

Initialize the KIV-7M (1)

– Testing*

1 ▓ ▓ ▓ ▓ ▓▓

– KIV-7M

– –STATUS

In order to use the KIV-7M, it must of course be turned on. It is recommended to insert the CIK before applying power to the device. The CIK only goes in one way, so do not force the key into the slot or you may damage the key. Also, do not force the key when turning it; it should turn only ¼ turn and no further. When power is applied, the KIV performs self-tests, after which, if the tests pass, the KIV is ready for operations. If an invalid CIK was installed, you will receive a status display of “CIK FAIL”. As far as the self-test goes, what the students should see is displayed here on the slide. Upon power-up the display window shows Testing followed by a rotating cursor (not an asterisk as shown here). After a few minutes, the cursor should disappear but Testing continues to display. Then there will be a moving checkerboard pattern, and the channel display will show 1, 2, and 3. Finally, all indicators will light and turn off and the display will change to KIV-7M. After several moments the display will change to –STATUS to indicate completion of the self-test. If the valid CIK was installed and the KIV passes the self-test, you may want to zeroize any keys that may be installed in the KIV. This should not normally be necessary, since the KIV should be zeroized daily after operations. However, if you come in to a shelter where the KIV still has keys loaded, it may be best to zeroize so as not to get a bunch of different keys loaded in the equipment. Remind students that in an actual environment, it may be normal to remove a CIK from the KIV temporarily and still have keys loaded. We are only talking about training for now. Zeroizing the KIV may be done directly from the front panel using the menu or by pressing the INIT and ESC buttons simultaneously. So as not to be continuously initializing the KIVs, it may be best to scroll through the menus and zeroize all keys per channel instead of doing a full system zeroize. However, it is recommended that all keys be zeroized at the end of every shift so as not to have too many keys floating around. We will go over loading and zeroizing keys on a per-channel basis later. The next step would be to set the date and time for the KIV. This may not really be necessary, but we will still do it. We will also see this later. Next, it is recommended to set the blackout timer for the front panel of the KIV. This is a screensaver-type setting which blanks the command and status display of the KIV after one minute of inactivity. This keeps the display from being constantly lit and helps extend the life of the display. If set, you can access the menu again by pressing any button except the CH button. Finally, you may want to set the personalities for the channels. We will cover these steps momentarily.

• Insert current valid or new CIK.
• Turn clockwise about ¼ turn until it stops.
• Do not force CIK.
• Apply power at panel circuit breaker.
• Observe self-tests.

May take a few minutes for test to complete.

• –STATUS should display when the test passes and completes.
• Recommend display blackout timer configuration.
• Set date and time.
• Set the personalities (modes) for the channels.


49

After Every Command String

System Menu

Initialize the KIV-7M (2)

This is most of the system menu tree. All of the level 1 menu commands (indicated by a – and a blue background) are shown. Most of the level 2 (indicated by = and a lighter blue background) and level 3 (indicated by ≡ and a greenish background) commands are also shown, except that at the end of every level 2 and level 3 menu there is a return command. It is shown here only for the first menu string, but it is in every single string. Also not shown are the level 4 menu options that would be used to set the level 3 commands. Level 4 options are only settings, not commands. There were too many to show, so they are not here. We will see some of the recommended settings later. On this menu, the first string starts with –STATUS. The STATUS menu string allows you to view certain information about the device. For instance, under System and then Config you can view the serial number of the KIV as well as the software and firmware versions. You can also view the four personalities stored in the KIV. Status CH1 and CH2 let you view up to 10 non-fatal messages that have auto-cleared. BitRslt lets you view the results of the built-in tests. Through the SysLOAD string, you can load the Benign Fill FireFly keys; we will not be doing this. Zeroize allows you to completely zeroize the KIV. The KIV must be reset afterwards if this is performed. This is equal to pressing INIT and ESC simultaneously on the front panel. The SYSTEST menu performs test functions on the KIV. You can configure the Host Control Interface through the HCI menu; we will not be doing this either, since we do not have this port connected. We may use the FP menu to set the timeout setting for the front panel. It is disabled by default. We will also probably use the DATE menu to set the date and time for the KIV. The SelPers menu allows us to select the desired personality for each channel of the KIV. This must be done in order for the KIVs to communicate properly with the distant end. Point out again how to scroll through the menus. This is the system menu command tree, which means that in order to view these commands the channel select must be neither 1 nor 2; it must be at the system (–) or channel zero setting. The arrows scroll you through the level 1 commands, which are shown here at the top of the tree with the blue background and a (–). To access the second level, depicted by a greenish background and a =, you press the INIT button at the desired level 1 command. Once in the level 2 menu, you can also scroll through any available commands or settings. When the desired command or setting is reached, you again press INIT to access the next level or to select the setting. Also point out that when they start scrolling through the options, if an option is displayed at higher intensity than the others, it is the currently selected option.


51

– –STATUS

– –FP

– =TIMEOUT

– ≡ENABLE

Initialize the KIV-7M (3)

Here we see an example of using the front panel to set an option on the KIV. We are setting the front panel display timer for the KIV. We are assuming that the KIV is powered on and the self-test passed.

Set Blackout Timer

• Ensure channel display is set to (–).
• Press CH button until desired channel is selected.
• Access the menu tree.
• –STATUS should be displayed.
• Scroll to desired setting or menu option using ▼▲ buttons.
• When –FP option is displayed press INIT button.
• =TIMEOUT should display.
• Press INIT to access options for =TIMEOUT.
• ≡ENABLE should display.
• Press INIT to enable the front panel blackout timer option.
• The display should intensify to indicate that ≡ENABLE is now the selected option.
• Press ESC repeatedly until the display changes back to –FP.


52

– –STATUS

– –DATE

– =SetDate

– ≡mm/dd/yy

Initialize the KIV-7M (4)

This is an example of setting the KIV-7M time and date. Point out that after the last digit for the date is entered, the display momentarily shows the new date and then changes to the =SetDate command. From there the students should be able to scroll to the next command, =SetTime. Also, inform the students that they will not actually see ≡mm/dd/yy on the display but will instead see numbers representing the month/day/year. In addition, when they get to the time setting it will be in the format HH:MM:SS.

Set Date and Time

• Ensure channel display is set to (–).
• Press CH button until desired channel is selected.
• Access the menu tree.
• –STATUS should be displayed.
• Scroll to desired setting or menu option using ▼▲ buttons.
• When –DATE option is displayed press INIT button.
• =SetDate should display.
• Press INIT to access options for =SetDate.
• ≡mm/dd/yy should display.
• Use ▼▲ to scroll the first digit to the correct number and press INIT to set the first digit and advance to the next digit.
• When the final digit is correct press INIT to set the date and return to =SetDate.


53

• Press ▼button to advance to =SetTime and set the time similar to the date.

• When time is correct, press ESC repeatedly to return to –DATE.


54

– –SelPers

– =Ch1

– ≡KIV-7

– ■CONFIRM

Initialize the KIV-7M (5)

This is an example of setting a personality for a channel on the KIV. Here we are setting channel 1 to a KIV-7 personality. Again, we are assuming that we are starting from the beginning and have to first access the menu. The steps for selecting the personality for channel 1 are pretty much all shown here. It would be just as easy to have scrolled to channel 2 and set the personality for that channel. When ■CONFIRM is initiated, it may take a few minutes to load the personality for the channel. During this time, the display will show Loading* to indicate that the personality is being loaded and that you should wait until completion. Notice the block in front of the ABORT and CONFIRM commands. This block indicates a level-four menu option. It is a good idea to have any connected equipment, such as a router or the Promina, turned off and disconnected before configuring the channel with a personality. This is especially true if you are going from one personality to another, because of the possibility of different signals on different pins and the connected equipment not expecting a signal on a certain pin. Some of these signals are low-voltage signals which, even though they are low voltage, could damage the connected equipment.


55

Inform students that whenever a new personality is set for a channel, a default configuration is assigned as well. This configuration may be modified, which we will do. If preferred, the modified configuration may be stored in one of the channel’s four storage locations, which we will also do. However, even if it is not stored, the modifications will not be lost in the event of a power-down; upon the next power-up, all changes that were made will still be in effect.

Set Channel Personality

• Ensure channel display is set to (–).
• Access the menu tree.
• –STATUS should be displayed.
• Scroll to desired setting or menu option using ▼▲ buttons.
• When –SelPers option is displayed press INIT button.
• =Ch1 should display.
• Press INIT to access options for =Ch1 or use ▼▲ buttons to change channel.
• Press ▼▲ until the desired personality displays.
• Press INIT to select the personality.
• The display changes to ■ABORT.
• Press ▼ to change the display to ■CONFIRM.
• Press INIT to confirm selection.
• Press ESC repeatedly to return to –SelPers.
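The three front-panel procedures on the preceding slides (blackout timer, date and time, channel personality) and the channel security-level procedure later in this lesson all follow the same button rules: CH picks the channel, ▼ opens level 1, the arrows scroll, INIT descends or selects, ESC backs up, and the selected level-4 option is shown intensified. The Python model below is added here and is not part of the guide or of any KIV-7M software. It encodes those rules for a constructed subset of the menu trees and walks any menu path the way the slides do, so it generalizes the individual slide procedures; the tree contents beyond what the slides show (for example a DISABLE option under TIMEOUT), the assumption that CH returns to the status display, and all class and function names are assumptions.

```python
"""KIV-7M front-panel menu navigation as described on these slides (added
example, not the guide's or the device maker's code). CH cycles the channel
display through 1, 2 and – (system); ▼ from the status display opens level 1
and the arrows scroll the current level; INIT descends a level or selects a
level-4 setting, which is then shown intensified; ESC backs up one level.
The trees are a constructed subset of the slides' system and KIV-7 channel
trees (RETURN entries and commands such as Zeroize are not modelled); that
CH returns to the status display is an assumption."""
from typing import Dict, List, Tuple

LEVEL_MARKERS = ["–", "=", "≡", "■"]   # the slides' markers for levels 1 to 4
CHANNELS = ["1", "2", "–"]             # order the CH button cycles through
SYSTEM = CHANNELS[2]
CHOICE = {"ABORT": None, "CONFIRM": None}   # None marks a level-4 setting (leaf)

SYSTEM_TREE = {   # constructed subset of the system (–) tree, slides' level-1 order
    "STATUS": {"System": {}, "CH1": {}, "CH2": {}, "BitRslt": {}},
    "SysLOAD": {}, "Zeroize": {}, "SYSTEST": {}, "HCI": {},      # not modelled
    "FP": {"TIMEOUT": {"ENABLE": None, "DISABLE": None}},         # DISABLE: assumed name
    "DATE": {"SetDate": {}, "SetTime": {}},
    "SelPers": {"Ch1": {"KIV-7": CHOICE, "KG-194": CHOICE},
                "Ch2": {"KIV-7": CHOICE, "KG-194": CHOICE}},
}
CHANNEL_TREE = {  # constructed subset of the per-channel off-line tree (KIV-7)
    "CONFIG": {"SecLvl": {"UnClass": None, "Conf": None, "Secret": None, "TopScrt": None},
               "SETUP A": {}, "SETUP B": {}, "SETUP C": {}},
    "Sel Key": {}, "LoadKey": {}, "XFR VX": {}, "V/U cnt": {},
    "ZEROIZE": {}, "TEST CH": {}, "VIEWSet": {},
}


class FrontPanel:
    def __init__(self) -> None:
        self.trees = {"1": CHANNEL_TREE, "2": CHANNEL_TREE, SYSTEM: SYSTEM_TREE}
        self.channel = 0                                  # index into CHANNELS
        self.stack: List[Tuple[dict, int]] = []          # (menu at this level, cursor)
        self.selected: Dict[Tuple[str, ...], str] = {}   # menu path -> setting in effect

    def _path(self) -> Tuple[str, ...]:
        return (CHANNELS[self.channel],) + tuple(list(m)[i] for m, i in self.stack)

    def display(self) -> str:
        """Command/status display: level marker plus the name at the cursor."""
        if not self.stack:
            return "(status display)"
        menu, idx = self.stack[-1]
        return LEVEL_MARKERS[len(self.stack) - 1] + list(menu)[idx]

    def is_intensified(self) -> bool:
        """True when the displayed option is the one currently in effect."""
        path = self._path()
        return bool(self.stack) and self.selected.get(path[:-1]) == path[-1]

    def press(self, button: str) -> str:
        if button == "CH":
            self.channel = (self.channel + 1) % len(CHANNELS)
            self.stack = []
        elif button == "▼" and not self.stack:           # opens level 1
            self.stack = [(self.trees[CHANNELS[self.channel]], 0)]
        elif button in ("▼", "▲") and self.stack:
            menu, idx = self.stack[-1]
            self.stack[-1] = (menu, (idx + (1 if button == "▼" else -1)) % len(menu))
        elif button == "INIT" and self.stack:
            menu, idx = self.stack[-1]
            child = menu[list(menu)[idx]]
            if child is None:                             # level-4 setting: make it current
                path = self._path()
                self.selected[path[:-1]] = path[-1]
            elif child:                                   # descend (empty dict: not modelled)
                self.stack.append((child, 0))
        elif button == "ESC" and self.stack:
            self.stack.pop()
        elif button not in ("▲", "INIT", "ESC"):
            raise ValueError(f"unknown button {button!r}")
        return self.display()

    def scroll_to(self, text: str) -> None:
        """Press ▼ until the display reads `text`; raises if this level lacks it."""
        for _ in range(64):
            if self.display() == text:
                return
            self.press("▼")
        raise LookupError(text)


def select_setting(fp: FrontPanel, channel: str, path: List[str]) -> str:
    """Walk `path` (one name per level) and select its last entry, e.g. the
    'Set Blackout Timer' slide is select_setting(fp, SYSTEM, ["FP", "TIMEOUT", "ENABLE"]).
    Returns the level-1 display that the closing ESC presses end on."""
    while CHANNELS[fp.channel] != channel:
        fp.press("CH")
    fp.press("▼")                                  # status display -> first level-1 command
    for level, name in enumerate(path):
        fp.scroll_to(LEVEL_MARKERS[level] + name)
        fp.press("INIT")                            # descend, or select on the last level
    assert fp.is_intensified()                      # the slides: "the display should intensify"
    while len(fp.stack) > 1:
        fp.press("ESC")
    return fp.display()
```

Each slide procedure becomes one call: `select_setting(fp, SYSTEM, ["FP", "TIMEOUT", "ENABLE"])`, `select_setting(fp, SYSTEM, ["SelPers", "Ch1", "KIV-7", "CONFIRM"])`, or `select_setting(fp, "1", ["CONFIG", "SecLvl", "UnClass"])`. Settings are recorded per channel and menu path, so the same option can be in effect for both channels independently, matching the text's point that the two channels are configured separately.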


56

DED Operations (1)

DED (Dedicated Encryption Device) operations is how we refer to setting up a KIV-7M for communicating with a KIV-7 family device or the older KG-84 family of devices. As the diagram shows, we will mostly be using this mode of operation for encrypting router circuits. However, this is only a representation of one of the possible scenarios for using this mode, and what is shown here will not always be the case. The X-MSN may be any of the transmission or modem devices in the CPN, such as a CDIM. We already saw how to set a personality for a channel earlier. We will now start configuring the channels for operations. We are first going to go over how to set up a channel for operation as a DED or KIV-7. Remember that in order to do this we must have the channel select set to either one or two. What we see on the slide is pretty much what needs to be done in order to communicate between a KIV-7M and a KIV-7. There are many settings associated with SETUP A through C. We will go over these and the recommended settings in a few slides. Key selection and loading is also very important, since you need to have the same key loaded at both ends in order to talk.


57

• Select correct channel personality
  • KIV-7
• Set Security Level
• Configure port options for personality
  • SETUP A
  • SETUP B
  • SETUP C
• Load Keys
• Select Keys to use
• Bring channel on-line for link communications


58

Channel menu tree for a KIV-7 personality (recovered from the slide diagram, which shows an Off-Line Menu and an On-Line Menu; the text that follows explains which commands are available on-line):

Level 1 commands: –CONFIG, –Sel Key, –LoadKey, –XFR VX, –V/U cnt, –ZEROIZE, –TEST CH, –VIEWSet

–CONFIG
  =SecLvl: TopScrt, Secret, Conf, UnClass
  =SETUP A: ClkSel, SyncSel, CommSel, DataMod, DataLen, TX Rate, RX Rate, TTYmode
  =SETUP B: TXclock, RXclock, SyncOOS, IdleSel, Invert, UpdateU, Hdr Byp, OTAR
  =SETUP C: RED I/F, PTRS I, PTTR I, PTCS O, PTTR O, PTDM O, BLK I/F, CTCS I, CTRR I, CTDM I, CTRS O, CTRR O, RsncLvl, FIL I/F, FILaddr, FILbaud
  =STORE: STORE 1 through STORE 4
  =RECALL: RECALL0 through RECALL4
–Sel Key
  =Key X01 through =Key X10
–LoadKey
  =LD U, =LD V, =LD X01 through =LD X10 (each followed by Abort / Confirm)
–XFR VX
  =VX–01 through =VX–10
–V/U cnt
  =U : Cnn, =X01:Cnn through =X10:Cnn
–ZEROIZE
  =Zero Ch, =Zero U, =Zero V, =ZeroX01 through =ZeroX10
–TEST CH
  =IntLoop, =ExtLoop, =FulLoop
–VIEWSet

Every level 2 and level 3 menu ends with –RETURN.

DED Operations (2)

Here we see the menu tree for a channel that is configured in KIV-7 mode or personality. There are two different trees, one for off-line and one for on-line. All configuration will be done off-line. While on-line, we can only load, change, and transfer keys, and view the configuration. Remind students how to navigate the menu on the front panel if they still have questions. While off-line, we can use the CONFIG tree to configure the channel. Here we select the security level for the key we are loading and for the channel itself. We can also set up the options for the port such as clock, data rates, and inversion of signals. We do these through the SETUP A, B, and C menus. There are many options here and most of them will be fine if left at default. We will go over some of these later, along with some of the recommended settings. You can also store and recall configurations for the channel through the CONFIG menu. There can be up to four different stored configs, which allows you to have a config for a KIV-7, one for a KG-194, and different options for these personalities. When you store the config, it goes into one of four slots labeled 1 through 4. When you recall a config, you can recall 1 through 4, which are the stored configs, or zero, which is the default config.


59

The SelKey option is used to select one of the keys stored in one of the ten available key storage slots. This is the key that will be used for communicating with the distant end. LoadKey is used to load keys into the KIV. LDU is used for loading a unique KEK, which is used for OTAR, which we will probably not do during training. LDV is used for loading a TEK into the KIV. This is normally done for a future-use key, which will be transferred to an X location. You can also load TEKs into slots 1 through 10 using LDX01 through LDX10. If you load an untagged key with a KYK-13 or KYX-15 type fill device, then upon loading of a TEK the display changes to ≡SecLvl so that you can give the key a classification of either UnClass, Confidential, Secret, or Top Secret. If the key was tagged and loaded with a DTD, you will not have to worry about this. When you go on-line, the classification of the key is checked against the classification of the channel’s security level set up through the CONFIG menu. XFRV→X is used to transfer the V key into an X location. V/Ucnt is used for viewing and updating the count of the TEK or KEK. When doing this you will see the classification (C) and the update count (nn) for the key. You can update the count with the INIT key. Not sure if we will actually do this, since it seems that you can only update a key count when you are off-line. It does not sound like a good idea to drop a link every time you want to update the count for a key. Zeroize is used to zeroize all or selected keys of a channel. You can test the channel with loopbacks. IntLoop is used for testing the device internally. ExtLoop places loopbacks toward the connected equipment. VIEWSet allows you to scroll through and view the settings for the channel. This is a good option for verifying local and distant-end settings when troubleshooting. All of the settings are available for viewing; you just have to scroll to the desired setting and initiate on the setting to view its current status. We will go over the on-line options on a later slide.


60

1 –CONFIG

– =SecLvl

– ≡UnClass

DED Operations (3)

Setting a security level should be fairly simple to figure out. The soldiers should be able to do this just from looking at the command tree a few slides earlier, as long as they have been paying attention and understand the menus and how to navigate through them with the keys. If they still have trouble, here is an example of selecting a security level for a channel that has a KIV-7 personality. Remind students that the reason for setting the security level is that keys loaded into the device must match the security level of the device. Some keys may be electronically tagged with their security level and some may need to have their security level set after loading. In either case, the level of the key and the device must match. The first thing is to make sure the channel is actually in KIV-7 mode. Otherwise, the menu tree and this slide will not be valid. The soldiers could scroll through the ViewSet menu to view the personality for the channel. However, that menu is quite large, and it would probably be easier to just set the channel again as we did a few slides earlier. For now, we assume we have the correct mode set. Now that we know the channel is set for the correct personality, we need to start configuring the channels. The first thing is to actually connect to one of the channels of the KIV. We do this by changing the channel display with the CH button until the desired channel is shown. Once at the correct channel, we enter the menu tree by pressing the ▼ button. The first command to display should be the –CONFIG command. From here, we enter the second-level menu by pressing INIT. The rest of the steps are displayed on the slide and it should be fairly easy to follow along for configuring the security level. Remind the students that for training we will always use UnClass as the setting for our security level. Also, remind them that we are setting this security level here and it must later match the setting for the keys we load into the KIV. In a real-world environment, it will be possible to set the two channels of the KIV to different security levels. The available security levels are UnClass, Conf (confidential), Secret, and Top-Secret.

Set Channel Security Level

• Ensure channel display is set to (1) or (2)
• Press CH button until desired channel is selected
• Access the menu tree
• –CONFIG should be displayed
• Press INIT button to access level two menu options
• =SecLvl option is displayed
• Press INIT again and ≡UnClass should display
• Press ▼▲ buttons until desired classification is displayed
• Press INIT to select the classification
• The display should intensify
• Press ESC repeatedly to return to –CONFIG
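The CIK rules from the Controls and Indicators slide (keys are valid only with the CIK they were loaded under, a new CIK zeroizes them, a wrong CIK gives CIK FAIL) and the key-classification check described under DED Operations (2) and on this slide (an untagged key prompts ≡SecLvl; the selected key's classification must match the channel SecLvl before the channel goes on-line) together decide whether the ON LINE button succeeds. The Python model below is added here and is not the guide's or the device maker's code. Binding keys to the CIK with an HMAC tag, the status strings, and all class and function names are constructed assumptions, kept only to show the dependencies between CIK, key classification and channel SecLvl.

```python
"""Key-handling rules the guide states for the KIV-7M, as a runnable model
(added example, not the guide's or the device maker's code). Rules modelled:
keys stay usable only with the CIK that was in the unit when they were loaded,
and initializing a new CIK zeroizes them; an untagged key (KYK-13/KYX-15 fill)
needs a classification from the operator, a DTD-tagged key carries its own;
a channel goes on-line only if the selected key's classification equals the
channel SecLvl. Binding keys to the CIK with an HMAC tag is an assumption."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LEVELS = ("UnClass", "Conf", "Secret", "TopScrt")
STATUS_OK, CIK_FAIL = "–STATUS", "CIK FAIL"


class Cik:
    def __init__(self) -> None:
        self.secret = secrets.token_bytes(16)     # constructed CIK material

    def bind(self, material: bytes) -> bytes:
        return hmac.new(self.secret, material, hashlib.sha256).digest()


@dataclass
class StoredKey:
    material: bytes
    classification: Optional[str]   # None until the operator sets it (untagged fill)
    tag: bytes                      # binding to the CIK in use at load time


@dataclass
class Channel:
    sec_lvl: str = "UnClass"
    slots: Dict[int, StoredKey] = field(default_factory=dict)   # X01..X10
    selected: Optional[int] = None
    online: bool = False


class Kiv7m:
    def __init__(self) -> None:
        self.inserted: Optional[Cik] = None     # CIK physically in the port
        self.valid_cik: Optional[Cik] = None    # the one CIK initialized for this unit
        self.channels = {1: Channel(), 2: Channel()}

    def insert_cik(self, cik: Cik) -> str:
        """Status display after the power-up self-test with this CIK inserted."""
        self.inserted = cik
        if self.valid_cik is None:              # blank unit: the first CIK is initialized
            self.valid_cik = cik
        return STATUS_OK if cik is self.valid_cik else CIK_FAIL

    def remove_cik(self) -> None:               # keys stay loaded, unit is inoperable
        self.inserted = None
        for ch in self.channels.values():
            ch.online = False

    def initialize_new_cik(self, cik: Cik) -> None:
        """A replacement CIK zeroizes every loaded key; the old CIK is no longer valid."""
        self.zeroize()
        self.valid_cik = self.inserted = cik

    def zeroize(self) -> None:
        for ch in self.channels.values():
            ch.slots.clear()
            ch.selected, ch.online = None, False

    def operable(self) -> bool:
        return self.inserted is not None and self.inserted is self.valid_cik

    def load_key(self, ch: int, slot: int, material: bytes,
                 classification: Optional[str] = None) -> str:
        """Load a TEK into X-slot `slot`; an untagged key prompts with ≡SecLvl."""
        if not self.operable():
            return "inoperable"
        if not 1 <= slot <= 10 or classification not in (None,) + LEVELS:
            raise ValueError((slot, classification))
        tag = self.inserted.bind(material)
        self.channels[ch].slots[slot] = StoredKey(material, classification, tag)
        return "≡SecLvl" if classification is None else "OK"

    def set_key_classification(self, ch: int, slot: int, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(level)
        self.channels[ch].slots[slot].classification = level

    def go_online(self, ch: int) -> Tuple[bool, str]:
        """The ON LINE button: every check the text describes must pass."""
        chan = self.channels[ch]
        if not self.operable():
            return False, "no valid CIK"
        key = chan.slots.get(chan.selected)
        if key is None:
            return False, "no key selected"
        if not hmac.compare_digest(self.inserted.bind(key.material), key.tag):
            return False, "key not valid with this CIK"
        if key.classification is None:
            return False, "key classification not set"
        if key.classification != chan.sec_lvl:
            return False, "key classification does not match channel SecLvl"
        chan.online = True
        return True, "on-line"
```

The order of checks in `go_online` mirrors the order in which the text says the conditions arise: no CIK means no operation at all, then a key must be selected and still bound to the inserted CIK, then its classification must be set and must equal the channel's SecLvl. Removing the CIK leaves the keys stored but stops the channel; initializing a different CIK clears them.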


62

DED Operations (4)

There are many options to configure for the channel so that it can communicate properly with the connected data device and with the distant end. The students should be aware of the available configurations and the recommended settings. Configuration of the port is done through the second-level SETUP menus available under the first-level CONFIG menu option, as seen on the menu tree. The next few slides show the recommended settings for a channel configured with a KIV-7 personality. These are only the recommended settings and will not always be the case. However, these will hopefully work most of the time for most of the links that may be set up through the SSS. Port options determine how the KIV-7M communicates with the connected data equipment and with the distant end. There are many settings that may be configured, including:

• Clock select
• Data rate
• Signal inversions
• Configurations are done through the CONFIG menu
  • SETUP A
  • SETUP B
  • SETUP C


63

SETUP A is where we select our clock source and data rate. We also decide how the data is modulated and how we communicate. We will go over the recommended settings later in this lesson. For now, it is good to know what these settings do. ClkSel is used for selecting the clock mode and clock source for the KIV; TT SEL2 is terminal timing. SyncSel determines the process for establishing communications across a link, that is, synchronizing the keys. CommSel is how we will actually communicate across the link, such as full duplex (FDX). Data Modulation (DataMod) is how the data will be modulated and demodulated. DataLen refers to whether we are sending synchronous or asynchronous data. If synchronous (Synch/S), there is no data length. If asynchronous, there are three data lengths: 10 data bits (Synch/A), 7 bits with one start, 5 data, and one stop bit, or 10 bits with one start, 8 data, and one stop bit. The transmit and receive (TX and RX) rates can be derived either internally or externally. Internally derived data rates can be from 50 bits per second through 288 KBPs. Externally derived rates can be from 50 BPS through 2048 KBPs. The teletype mode will normally be AUTO.
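To make the DataLen and rate settings concrete, here is an added Python example (not from the guide) that frames and deframes characters for the two asynchronous lengths listed above (1 start, 5 data, 1 stop and 1 start, 8 data, 1 stop) and checks a requested TX/RX rate against the internal and external ranges. Start bit = 0, stop bit = 1 and LSB-first data order are the usual UART conventions assumed here, not stated by the guide; the function and table names are constructed.

```python
"""Asynchronous character framing for the SETUP A DataLen options (added
example, not from the guide). The guide lists asynchronous lengths of 7 bits
(1 start, 5 data, 1 stop) and 10 bits (1 start, 8 data, 1 stop) and gives
internal/external TX/RX rate ranges. Start = 0, stop = 1, LSB-first data and
the names below are assumptions."""
from typing import List

DATA_BITS = {"7-bit": 5, "10-bit": 8}            # DataLen option -> data bits per character
RATE_LIMITS_BPS = {"internal": (50, 288_000),    # TX/RX rate ranges stated by the guide
                   "external": (50, 2_048_000)}


def rate_allowed(bps: int, clock_source: str) -> bool:
    """True if `bps` is within the range the guide gives for that clock source."""
    lo, hi = RATE_LIMITS_BPS[clock_source]
    return lo <= bps <= hi


def frame(chars: List[int], data_len: str) -> List[int]:
    """Wrap each character in start/data/stop bits; returns the line bit stream."""
    n = DATA_BITS[data_len]
    bits: List[int] = []
    for c in chars:
        if not 0 <= c < (1 << n):
            raise ValueError(f"{c} does not fit in {n} data bits ({data_len})")
        bits.append(0)                                   # start bit (space)
        bits.extend((c >> i) & 1 for i in range(n))      # data bits, LSB first
        bits.append(1)                                   # stop bit (mark)
    return bits


def deframe(bits: List[int], data_len: str) -> List[int]:
    """Recover characters from a bit stream; idle mark bits between frames are skipped."""
    n = DATA_BITS[data_len]
    chars: List[int] = []
    i = 0
    while i < len(bits):
        if bits[i] == 1:                                 # line idle between characters
            i += 1
            continue
        if i + n + 1 >= len(bits):
            raise ValueError("truncated character")
        if bits[i + n + 1] != 1:                         # stop bit missing
            raise ValueError(f"framing error at bit {i}")
        chars.append(sum(bits[i + 1 + k] << k for k in range(n)))
        i += n + 2
    return chars


def chars_per_second(bps: int, data_len: str) -> float:
    """Character throughput: the start and stop bits are line overhead."""
    return bps / (DATA_BITS[data_len] + 2)
```

A mismatch in DataLen between the two ends shows up exactly as `deframe` shows it: the receiver samples a stop bit where the sender put a data bit and reports a framing error, which is the kind of symptom to look for when the link is up but the data is garbage.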


DED Operations (5)

This is the SETUP-B menu. Invert will allow you to invert certain signals of the device such as transmit clocks. Transmit and receive clocks (TX and RX) may be continuous (contTXC and contRXC) or gated. Continuous means the clock will be present whether on or off line. If set to gated, the clock is only present when on line. Synchronous Out of Sync detection is usually disabled. Idle Select, when enabled, keeps the channel active when the transmitter has stopped transmitting by generating idles. We probably will not use this. The UpdateU setting enables or disables the automatic updating of the U (KEK) key whenever an OTAR is performed. Header Bypass allows for transmitting up to 512 bits of plain text data prior to coming on-line (the ON LINE button must be pressed for this to happen) for communicating with the transmission device to which it is connected. This allows for sending data to the modem such as the telephone number to dial. We will probably not use this option. OTAR Time Out is the amount of time the KIV-7M will allow for a successful OTAR to occur once it has been initiated.


DED Operations (6)

This is the SETUP-C menu. The red and black interfaces select what kind of electrical interface you will be using. PTRS I through CTRR O are more signals that may be inverted or forced as needed. RsncLvl, or resync level, determines whether we start resynchronization on the leading edge of the SYNCTX and SYNCRX signals or after a ten-microsecond pulse. This setting will be shown either at low intensity, which equals the edge setting, or high intensity, which equals the level or 10-microsecond setting. The Fill I/F may be set for DS-102, which will allow us to use older KYK-13s and KYX-15s along with a DS-102 configured DTD, for DS-101, which allows for using the AN/CYZ-10 configured as DS-101, or as RS-232. The DS-101 setting means you can load tagged keys. As long as we use DS-102 mode, FILaddr and FILbaud do not matter. FILaddr is used with DS-101 and RS-232 ports. FILbaud is only used with RS-232 ports. After all configurations are complete, it is a good idea to review the settings through the ViewSel command.
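The SETUP-A constraints above (internal versus external rate ranges, synchronous data carrying no DataLen, asynchronous character lengths) and the practice of reviewing settings against the distant end can be captured in a small checker. The following Python is an added example written for this lesson, not KIV-7M software: the field names, the sample values (COOP, NRZ, 64 kbps) and the set of fields assumed to need matching at both ends are all assumptions, and the checker accepts the 7-bit and 10-bit asynchronous character lengths.

```python
# Added example (not KIV-7M software): a checker for KIV-7 personality SETUP-A
# settings that encodes the constraints stated in the guide and compares the
# local and distant-end settings the way an operator does with VIEWset.
from dataclasses import dataclass, asdict, replace
from typing import Dict, List, Optional, Tuple

# Data-rate limits in bits per second as stated in the guide: internally derived
# rates run 50 bps to 288 kbps, externally derived rates 50 bps to 2048 kbps.
RATE_LIMITS = {"internal": (50, 288_000), "external": (50, 2_048_000)}

# Asynchronous character lengths accepted here: 7 bits (1 start, 5 data, 1 stop)
# or 10 bits (1 start, 8 data, 1 stop). Synchronous data has no length.
ASYNC_LENGTHS = {7, 10}


@dataclass(frozen=True)
class SetupA:
    clk_sel: str             # ClkSel, e.g. "TT" for terminal timing
    sync_sel: str            # SyncSel (value strings here are constructed)
    comm_sel: str            # CommSel, e.g. "FDX"
    data_mod: str            # DataMod (value strings here are constructed)
    data_type: str           # "S" synchronous or "A" asynchronous (DataLen menu)
    data_len: Optional[int]  # async character length in bits; None when synchronous
    rate_source: str         # "internal" or "external"
    tx_rate: int             # TX rate in bits per second
    rx_rate: int             # RX rate in bits per second


def validate(cfg: SetupA) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    if cfg.data_type == "S" and cfg.data_len is not None:
        problems.append("synchronous data carries no DataLen")
    elif cfg.data_type == "A" and cfg.data_len not in ASYNC_LENGTHS:
        problems.append(f"async DataLen must be 7 or 10 bits, got {cfg.data_len}")
    elif cfg.data_type not in ("S", "A"):
        problems.append(f"unknown data type {cfg.data_type!r}")
    limits = RATE_LIMITS.get(cfg.rate_source)
    if limits is None:
        problems.append(f"unknown rate source {cfg.rate_source!r}")
    else:
        lo, hi = limits
        for name, rate in (("TX", cfg.tx_rate), ("RX", cfg.rx_rate)):
            if not lo <= rate <= hi:
                problems.append(f"{name} rate {rate} bps is outside the "
                                f"{cfg.rate_source} range {lo}-{hi} bps")
    return problems


# Assumption: these fields must agree at both ends for the link to synchronize.
# ClkSel and the rate source are left out because each end may derive its own clock.
MUST_MATCH = ("sync_sel", "comm_sel", "data_mod", "data_type",
              "data_len", "tx_rate", "rx_rate")


def compare_ends(local: SetupA, distant: SetupA) -> Dict[str, Tuple]:
    """Mismatches between the two ends as {field: (local value, distant value)}."""
    left, right = asdict(local), asdict(distant)
    return {f: (left[f], right[f]) for f in MUST_MATCH if left[f] != right[f]}


# Constructed sample settings for a synchronous 64 kbps full-duplex link.
LOCAL_END = SetupA(clk_sel="TT", sync_sel="COOP", comm_sel="FDX", data_mod="NRZ",
                   data_type="S", data_len=None, rate_source="internal",
                   tx_rate=64_000, rx_rate=64_000)
DISTANT_END = replace(LOCAL_END, rx_rate=56_000)   # constructed mismatch

if __name__ == "__main__":
    print("local problems:", validate(LOCAL_END))
    print("mismatches:", compare_ends(LOCAL_END, DISTANT_END))
```

Run against the constructed ends, the checker reports no problems locally and a single `rx_rate` mismatch with the distant end, which is the kind of discrepancy an operator would otherwise have to find by reading VIEWset on both KIVs over the phone.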


Display examples shown on the slide: 1 –LoadKey, 1 ≡SecLvl, 1 UnClass, =LD X011•

DED Operations (7)

We have just seen the menu trees for the KIV-7 personality. These settings would be valid for either of the channels as long as they are set for KIV-7 mode. We will now go over the steps to load a TEK into the channel of a KIV that is set up for KIV-7 mode. We are still off-line so we are going over loading a key from the off-line menu. The steps here are easy to follow. The main thing is that this slide shows how to load any of the keys for the channel. When –LD U is displayed, the soldiers can scroll to –LD V or even –LD X01 through –LD X10. Remind them that the security level here must match that set for the channel earlier. Tagged keys may be loaded from a DTD such as the AN/CYZ-10. We must set the fill port up as a DS-101 for this though.


Load Key
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Navigate to –LoadKey using the ▼▲ buttons
• Press INIT button to access level two menu options
• =LD U option is displayed
• Press ▼▲ buttons to select key to load such as LD X01
• Connect fill device and turn on ensuring correct key is selected
• Press INIT button on KIV to load key
• Parity indicator should blink
• If key was not tagged ≡SecLvl should display
• Press INIT to enter classification selection
• Use ▼▲ buttons to select correct classification such as UnClass and press INIT
• SecLvSet displays momentarily and then the selected classification is displayed
• Press ESC repeatedly to return to –LoadKey


Display examples shown on the slide: 1 –SelKey, 1 =Key X01, =Key X011, =Key X011•

DED Operations (8)

As we saw, there are many keys that can be loaded into a KIV-7M channel set up for KIV-7 emulation. There is one KEK (LD U) and 11 TEKs (X01 through X10 and the V key). The KEK will be used automatically whenever we do an OTAR with these devices. The V key will need to be transferred to an X location before it can be used. We will need to select which X key to use, though. The steps shown here will help the students select an X key to use. You can select a key to use even if no key is currently loaded. However, if you want to have secure comms you must load a key into the selected key location.


Go through the steps of selecting a key for secure communications.

Selecting a Key
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Navigate to –SelKey using the ▼▲ buttons
• Press INIT button to access level two menu options
• =Key X01 is displayed
• Press ▼▲ buttons to reach desired key
• Currently selected key will be high intensity
• Press INIT button to select key
• Parity indicator should blink
• Key Good displays momentarily and then display returns to selected key, which should be high intensity now
• Press ESC repeatedly to return to –SelKey


Display examples shown on the slide: 1 ≡CONFIRM, 1 =X01 : U01, 1 –VU /cnt, =X01 : U001

DED Operations (9)

Updating a key may or may not be done with a channel set up for KIV-7 mode in an actual environment. This is because once a link is established the only way to update the key is by bringing the unit off-line. We will probably not do this during training, but here are the steps in case the soldiers need to do this later. These steps should also be easy to follow. The things to point out here are that when the level two menu displays with the current key, the U shown here will actually be a letter signifying the current security classification of the key. This may be U for unclassified, C for confidential, S for secret and T for top secret. The highest the update count may be set to is 99. After that, if the INIT button is pressed to update again, the display will show MaxVUcnt to signify the key cannot be updated any higher. In case they ask, VU signifies Variable Update.


Updating a Key
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Navigate to –VU /cnt using the ▼▲ buttons
• Press INIT button to access level two menu options
• =X01 : U00 is displayed
• Press ▼▲ buttons to reach desired key
• Press INIT button to update key
• Display should change to ≡ ABORT
• Press ▼ to change to ≡ CONFIRM
• Press INIT to update key
• Display changes to new update number
• Press ESC repeatedly to return to –VU /cnt


Display examples shown on the slide: 1 ≡STORE1, 1 ■CONFIRM, 1 –CONFIG, =STORE1

DED Operations (10)

We recommend that a config be stored after configuration of the channel. It would probably be best to have a config for each type of personality used stored in one of the KIV's storage locations for each channel. This way it will be easier to reconfigure as needed without having to actually go through all the configuration steps every single time. The steps shown here for storing a config should be easy to follow along with. It really does not matter which location the config is stored in as long as the user remembers what is where. We will recommend that the KIV-7 config be stored in location one, for no particular reason other than this is the first config we went over. We will be going over the TED or KG-194 personality next, so we will recommend storing that config in slot two. The final personality we will go over is Suite-A, so we will recommend storing that in slot three of the channels.


Storing a Config
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Navigate to –CONFIG using the ▼▲ buttons
• Press INIT button to access level two menu options
• Navigate to =STORE using ▼▲ buttons
• Press INIT button
• Display changes to ≡STORE1
• Navigate to desired storage location with ▼▲ buttons
• Press INIT button to store config
• Display should change to ■ABORT
• Press ▼ to change to ■CONFIRM
• Press INIT to continue
• Display changes to STO GOOD
• Press ESC repeatedly to return to –CONFIG


Display examples shown on the slide: 1 ≡RECALL0, 1 –CONFIG, =RECALL1, 1 Loading*

DED Operations (11)

Once you have stored a config, it may be necessary to occasionally recall that config for use. This is especially true if you are going from one personality to another. We will go over the three personalities we will use for normal operations during this training, and for the PE we will configure each of the personalities and store them into one of the slots for each KIV-7M channel. As we progress through PEs and start modifying equipment strings with patching, it may be that a KIV-7M we were using as a DED will now be used as a TED. We do not want to have to continually configure the KIVs every time we make a modification. With stored configs, we will alleviate some of the constant configuration when we make a patch or something similar.

Recalling a Config
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Navigate to –CONFIG using the ▼▲ buttons
• Press INIT button to access level two menu options
• Navigate to =RECALL using ▼▲ buttons
• Press INIT button
• Display changes to ≡RECALL0
• Navigate to desired storage location with ▼▲ buttons
• Press INIT button to recall config
• Display should change to RCL GOOD momentarily and returns to chosen location


• If recalled configuration and channel personality were different, display changes to Loading* while new personality is loaded
• Press ESC repeatedly to return to –CONFIG

We have seen most of the options we will use for setting the KIV-7M channel for KIV-7 personality and operations. Some of the other options are shown here. A key may be loaded into the V location and later transferred into an X location. We may do this if time permits. The keys in the channel may be zeroed individually or as a set. In addition, the channel may be tested either internally or set into loopback for the distant end. The VIEWset command is very useful for verifying how the channel is configured. This will come in handy when troubleshooting with the distant end to verify configurations at both ends. Most of the settings shown will coincide with the SETUP A through SETUP C menus. All the items shown here are easily done using the front panel, just as we have seen with key loading and security level selection so far. Point out that by using the menu tree the students should be able to figure out what they need to do. Also point out that they need to remember what the symbols in the display mean, such as a – signifying a level one option and a = signifying level two, and so on, as we have seen. The only thing we have not really seen so far is the lower levels of the VIEWset command. There are many settings here and, as we said, they are just options that were set using the SETUP menus.

Other Off-Line Options
• Transfer V key to X location
• V key is a replacement key
• Zero Keys
• Zero all keys in channel
• Zero individual keys in channel
• Test channel
• Loaded key needed for internal and full loop test
• Loopback plugs needed to perform full loop test
• External loops used for connected data device or for distant end
• VIEWSet command useful for verifying configuration of channel


Display examples shown on the slide: 1 –VIEWset, 1 FDX•, 1 FDX TR•

DED Operations (12)

Now that we have configured the channel with all the configs we need, we are ready to come on-line and start communicating. The main thing to check for is that the on-line indicator stays steadily lit. This signifies that you are synchronized with the distant end and communicating securely. If during operations you notice the on-line indicator goes out or starts flashing, then you are no longer in sync, or you have dropped sync and are trying to re-sync. Once on-line, you should try to keep the window set to the status display (this is what is shown on the bottom of the slide) so you can see whether you are transmitting and receiving or not. Of course, with the blackout timer set you will need to press the up or down key whenever the display is blank if you want to check the status. However, with the green LED lit you should know whether you are on line or not. If sync fails during operations, you can force a re-sync by pressing the INIT button. This should cause the KIV to try to sync again with the distant end. The display will change to FDX only and the on-line indicator should start flashing until sync is achieved.


Bring Channel On-Line
• Ensure channel display is set to (1) or (2)
• Press CH button to select desired channel
• Use –VIEWset to verify configuration with distant end
• Press the ON LINE button to bring channel on-line and start communicating securely with distant end
• FDX should display
• Signifies Full Duplex communications
• ON LINE LED should blink during synchronization
• Synchronization reached
• ON LINE LED lights steadily
• FDX TR displays
• Full Duplex
• Transmit and Receive


DED Operations (13)

Here we see the on-line menu tree again and some of the options we have while on-line. Notice that the first option is actually the status display, which for us should read just as it says here, that is, FDX TR. Below that is the selected personality for the channel, and finally the current key count along with the security level. The status display is what we want to have showing on our KIV. The status display is the top-level display while on-line. It can be reached by repeatedly pressing the ESC button. To access the menu you have to scroll through the status, personality, and key count displays. After that, the menu works just like before with different levels and options. To reach the menu and scroll through the displays you would press the ▼ button. Notice that about all that can be done on-line has to do with COMSEC. Pretty much everything you do with COMSEC off-line you can do on-line too. The exception is that you cannot update a key, but you can do OTARs on-line. We probably will not do this during training either. However, if it is done by the soldiers later, make sure they understand that the receiving end must enable receive key for the same slot that the sending end is sending. Also point out that there is a timeout enabled for OTAR and the receive side must enable receive before that timeout is reached if the send side initiated first. Recommend the receive side initiate first. One more thing is that OTAR will not replace the currently selected key. You will use this to send to a new X location, which you can later select as the current key.

Options Available while on-line
• Loading and Selecting a new key
• Transfer a V key to an X location
• Over The Air Re-key (OTAR) only available on-line
• Transfer key to distant end
• Receive key from distant end
• View current settings


TED Operations (1)

The TED mode or personality is used for communicating with the KIV-19 and/or KG-194 family of encryptors. This mode will allow us to encrypt SMU, router, and Promina SA-TRK links. We just went over most of the configurations for a channel set up with a KIV-7 personality. There were many options available, and the same is the case for the KG-194 mode. We are now going to go over the KG-194 personality options for the channels of a KIV-7M. What is shown on the slide is what we need to do to configure the KIV-7M channel to operate as a KG-194. The main thing, of course, is to select the personality.

• Select correct channel personality
• KG-194
• Set Security Level
• Configure port options for personality
• SETUP A
• SETUP B
• Load Keys
• Bring channel on-line for link communications


Off-Line Menu

On-Line Menu

TED Operations (2)

Here are the menu trees for the KG-194 personality. It is smaller than that of the KIV-7 personality but mostly similar. We should notice that we do not need to select a key here because, if you look at the load menu, there is only one X key location to load. That and the FireFly vector key are the only keys available for loading. The KIV will automatically select the key that is loaded, either the X key or the FireFly key. We will need to set the security level for TED operations just as for DED operations. The steps will be the same as before, so this should not be too difficult. As we said earlier, we need to load a key but do not need to worry about selecting one. This is because the KIV will automatically select the key that is loaded, be it the FireFly key or the TEK. Loading a key for this personality is similar to that of the DED (KIV-7) personality, so this should not be a problem either. Something new is that you can select to load a FireFly key, but by following the command tree and the prompts it should not be too complicated. The biggest problem with this is that a FireFly key will probably come from an AN/CYZ-10 and be tagged, which means we may need to go and modify the settings for the fill port. Most operations for a KG-194 personality should not be too difficult to configure now that we have seen the KIV-7 personality. They are both similar and, since this is still a KIV-7M we are working with, not all the buttons for scrolling through the menus and configuring have changed. We still have the same on-line menu prompts to scroll through, with the status being the top level, then the personality, and finally the key update and classification count before reaching the actual commands. We will go over the SETUP A and B settings in the next few slides. We will also go over the change key procedures, which is something that was not available with the KIV-7 personality.


TED Operations (3)

This is the SETUP-A tree for the KIV-7M in KG-194 mode. Students should be familiar by now with navigating the trees. Clock Select determines where we get clocking for the TED from. This will also select how our data rate will be selected. Selecting Normal means the transmit and receive clocks are independent but mainly we will use the Black Station Clock for the clock. PTTT uses Plain Text Terminal Timing for the clock. ECHO uses Red station clock. SyncSel is the synchronization mode for synchronizing or establishing communications. COOP is cooperative and means that there will be a handshake procedure for establishing synchronization. NonCoop means the KIV-7Ms will not have a handshake procedure for synchronizing. CommSel is how communications between the devices is done for synchronization. Either full duplex two-way communications or one end transmitting while the other end receives. MODE must be the same at both ends and this setting determines how the key generator in the device operates. We can invert signals here as needed. The Timeout setting determines the amount of time to wait before initiating resynchronization.


TED Operations (4)

With the exception of the RED/BLACK interface settings, the SETUP-B tree for the KG-194 personality is the same as the SETUP-C tree for the KIV-7 personality. State again that setting the parameters for the KG-194 personality is not much different from that of the KIV-7 personality. The menu trees should provide the students with enough information to be able to go through the front panel of the device and configure it as needed. The biggest difference between the personalities as far as configuring and operating is that you can do an on-line change key with the KG-194 personality. Change key procedures are a common occurrence between KIV-19s and KG-194s. The KIV-7M is also capable of performing this task. This is something that should normally be performed nightly when in a real network. A regular change key just updates the key count of the fill. A change key with a new key loaded into the temporary position will replace the current key with the new key and restart the key count.


Setting up the KIV-7M with the KG-194 personality is very similar to setting up the KIV-7M with the KIV-7 personality.

• Security Level
• SETUP-A
• SETUP-B
• Loading and updating keys
• No key selection required
• Storing/recalling configs as needed
• Bringing channel to on-line state
• One important difference is that once on-line you can initiate a change key procedure
• Similar to key updating but can be done on-line
• Updates the current key with a new count number
• Updates to a new key if one is loaded and restarts count


Display examples shown on the slide: 1 –ChngKey, 1 =CONFIRM, 1 =X01 : CNN, 1 ReKeying•

TED Operations (5)

While on-line, change key procedures will either update the current key count at both ends or, if both ends loaded a new key, replace the current key with the newly loaded key. Loading a key into a TED while on-line places the new key into a standby position, not directly into the X position. The change key procedure must be performed to make the new key the current key. If a change key is performed without a new key having been loaded, the current key will be updated to a new key count. If a new key was loaded, it will replace the current key when change key is initiated, and the key count will return to zero if it was previously at a higher count. If a new key is loaded for performing the change key, the parity light will flash continuously after a successful load until the change key is performed. Updating the key when not in sync will not usually work. If you are not in sync, it is recommended you go off-line and perform key updates until the correct key count is reached. In addition, if you are in sync and performing change key procedures, care should be taken not to perform too many updates at once. Again, if you must update the key by more than one count, it is recommended to go off-line at both ends and perform key updates until the correct count is reached.


TED Change Key
• Ensure you are on-line with good status
• Ensure valid U key (KEK) is loaded
• Navigate menu until –ChngKey is reached
• Press the INIT button and the display changes to =ABORT
• Press INIT to abort or press ▼ to change display to =CONFIRM
• Press INIT button to update key
• Parity indicator blinks
• Display shows REkeying
• Transfer completes and display shows ReKEyOK momentarily
• Returns to =X01 : CNN where NN should be the next higher number or 00 if changed to a new key

NOTE: Recommend that a change key only be performed when in sync. If not in sync, then an offline key update should be performed.
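The key-handling rules spread across the DED procedures (load key with a classification that matches the channel, select an X key, –VU /cnt update capped at 99 with MaxVUcnt, OTAR never replacing the selected key) and the TED change key above (standby key replaces the current key and restarts the count at 00, otherwise the count steps by one, and only when in sync) can be written down as one state model. The following Python is an added example for this lesson, not KIV-7M firmware: the class and method names, the check that a KEK is present for OTAR, and the exact display strings returned are assumptions made for illustration.

```python
# Added example (not KIV-7M firmware): a model of the key slots, update counts
# and change-key behaviour the guide describes for the KIV-7 (DED) and KG-194
# (TED) personalities. Method names and returned display strings are constructed.
from typing import Dict, Optional

LEVELS = ("U", "C", "S", "T")   # Unclassified, Confidential, Secret, Top Secret
MAX_VU_COUNT = 99               # highest update count; past it the display shows MaxVUcnt
X_SLOTS = tuple(f"X{n:02d}" for n in range(1, 11))   # X01 .. X10
DED_SLOTS = ("U", "V") + X_SLOTS                      # one KEK, the V key, ten TEKs


class Key:
    def __init__(self, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown security level {level!r}")
        self.level = level
        self.count = 0          # variable update (VU) count, starts at 00


class DedChannel:
    """One channel in KIV-7 personality: keys are loaded off-line and a TEK must be selected."""

    def __init__(self, security_level: str) -> None:
        self.security_level = security_level
        self.slots: Dict[str, Optional[Key]] = {s: None for s in DED_SLOTS}
        self.selected: Optional[str] = None
        self.online = False

    def load_key(self, slot: str, tagged_level: Optional[str] = None,
                 chosen_level: Optional[str] = None) -> str:
        """Tagged keys carry their classification; untagged ones prompt for it (≡SecLvl)."""
        level = tagged_level if tagged_level is not None else chosen_level
        if level is None:
            raise ValueError("untagged key needs a classification")
        if level != self.security_level:
            raise ValueError("key classification must match the channel security level")
        self.slots[slot] = Key(level)
        return f"=LD {slot}"

    def select_key(self, slot: str) -> str:
        """Selecting works even when the slot is empty; secure comms still need a loaded key."""
        if slot not in X_SLOTS:
            raise ValueError("only X01-X10 can be selected")
        self.selected = slot
        return "Key Good"

    def transfer_v(self, to_slot: str) -> None:
        """The V key is a replacement key and must be moved to an X location before use."""
        if self.slots["V"] is None or to_slot not in X_SLOTS:
            raise ValueError("no V key loaded or invalid destination")
        self.slots[to_slot], self.slots["V"] = self.slots["V"], None

    def update_key(self, slot: str) -> str:
        """–VU /cnt: off-line only; the count stops at 99."""
        if self.online:
            raise RuntimeError("key update is not available on-line")
        key = self.slots[slot]
        if key is None:
            raise ValueError(f"no key in {slot}")
        if key.count >= MAX_VU_COUNT:
            return "MaxVUcnt"
        key.count += 1
        return f"={slot} : {key.level}{key.count:02d}"

    def otar_receive(self, slot: str, level: str) -> None:
        """OTAR is on-line only, uses the KEK, and never replaces the selected key."""
        if not self.online:
            raise RuntimeError("OTAR is only available on-line")
        if self.slots["U"] is None:            # assumption: a KEK must be present
            raise RuntimeError("OTAR needs the U key (KEK) loaded")
        if slot == self.selected or slot not in X_SLOTS:
            raise ValueError("OTAR must target an unselected X location")
        self.slots[slot] = Key(level)


class TedChannel:
    """KG-194 personality: a single X key selected automatically; change key works on-line."""

    def __init__(self) -> None:
        self.current: Optional[Key] = None
        self.standby: Optional[Key] = None   # key loaded while on-line waits here
        self.online = False
        self.in_sync = False

    def load_key(self, level: str) -> None:
        if self.online:
            self.standby = Key(level)        # parity light flashes until change key runs
        else:
            self.current = Key(level)

    def change_key(self) -> str:
        """–ChngKey: swap in the standby key (count returns to 00) or step the count."""
        if not (self.online and self.in_sync):
            raise RuntimeError("change key only when in sync; otherwise update off-line")
        if self.current is None:
            raise RuntimeError("no key loaded")
        if self.standby is not None:
            self.current, self.standby = self.standby, None
        else:
            self.current.count += 1
        return f"=X01 : {self.current.level}{self.current.count:02d}"
```

The model makes the two failure modes the text warns about explicit: on a DED channel an update attempt while on-line is refused rather than silently ignored, and on a TED channel a change key is refused unless the channel is on-line and in sync, which is exactly when the NOTE above says the off-line update procedure should be used instead.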


Suite-A Operations (1)

We will be using the Suite-A personality for communicating with other KIV-7M devices. Since only SSS (V) 3 shelters currently have these KIV-7Ms, we will mostly be using this personality for communicating with other SSS (V) 3 shelters such as during our training. Setting all these personalities is mostly the same. There are some differences in the options available, but if you can set one personality, you should be able to set them all. The main thing is to follow the menu trees and there will be some cut sheets (more or less) at the end of the lesson. With cut sheets and a menu tree for understanding where to go for configuring desired options, the students should not have a problem. We will now go over the Suite-A mode.

• Select correct channel personality
• Suite A
• Set Security Level
• Configure port options for personality
• SETUP A
• SETUP B
• SETUP C
• Load Keys
• Bring channel on-line for link communications


Off-Line Menu

On-Line Menu

Suite-A Operations (2)

Here we see the Suite-A menu tree. It is almost identical to that of the KIV-7 personality. There are some differences, but not many. Some of the differences between this personality and the KIV-7 are options that can be found on the TED personality. The Suite-A personality is a cross between mostly the KIV-7 personality with a little bit of the KG-194 personality.


Suite-A Operations (3)

The SETUP-A menu is almost identical to the SETUP-A of the KIV-7 personality. There is one difference with the clock selection, but that is about it. Go over the settings as needed. For a refresher refer back to the KIV-7 SETUP-A slide.


Suite-A Operations (4)

The SETUP-B is the same as the KIV-7 personality. Refer back to that slide too for a refresher to go over the settings with the students.


Suite-A Operations (5)

The same goes for the SETUP-C. Setting up a Suite-A personality should not be too difficult if students are familiar with the KIV-7 and KG-194 personalities already. Once the unit is on-line, you can perform change keys as with a TED or OTARs as with a DED. Configuration of off-line parameters is mostly similar to that of the KIV-7 personality. Setting up the KIV-7M with the KG-194 personality is very similar to setting up the KIV-7M with the KIV-7 personality.

• Change Key
• OTAR


Zeroize the KIV-7M (1)

Display examples shown on the slide: – – Zeroize, – = CONFIRM, ZEROIZED–

Full Zeroization (Physical)
• Front Panel Push Buttons
• Press the ESC and INIT buttons simultaneously
• The ZEROIZE indicator will illuminate, and the display indicates the KIV-7M is Zeroized

Full Zeroization (Menu driven)
• System Menu
• Press the CH button until [-] is displayed
• Press ▼ repeatedly until Zeroize is displayed, press INIT
• Press INIT to CONFIRM
• The ZEROIZE indicator will illuminate, and the display indicates ZEROIZED


Zeroize the KIV-7M (2)

Display examples shown on the slide: 2 – ZEROIZE, 2 = Zero CH, 2 = ABORT=, 2 CONFIRM, Zeroized2

Zeroizing Keys (Single Channel)
• Press the CH button until [1] or [2] is displayed
• Press ▼ until ZEROIZE is displayed
• To zeroize all keys related to a KIV-7M personality, proceed as follows:
• Press INIT. The display changes to [≡ABORT]
• If you change your mind, press INIT. Otherwise, press the ▼ button once. The display changes to [≡CONFIRM]
• Press INIT. The display changes to [Zeroized] and the ZEROIZE indicator lights


Zeroize the KIV-7M (3)

Display examples shown on the slide: 2 – ZEROIZE, 2 = Zero CH, 2 = Zero X01

Zeroizing Keys (Single Key)
• To zeroize an individual key set related to the KIV-7M personalities, proceed as follows:
• Press the CH button until [1] or [2] is displayed
• Press the ▼ button until the desired key [=Zero (FF, U, V, X01-10)] is displayed.
• Press INIT. The display changes to [Zeroized] for a moment and then changes to [=Zero (FF, U, V, X01-10)].


1. Configuring KVM/Element Manager

1.1 Configuring Network Settings

a.) Console into the KVM device using either async port # <TBD> on the MRV (if already configured) or any client machine with a terminal program available. NOTE: The default factory password is “raritan”.

b.) Change the password to the GD standard “Gd1234567$”.

c.) Set the IP address, subnet mask, and gateway as per your cutsheet.

d.) Set the hostname per the naming convention (e.g. UHN-77430-KVM1 for the CallManager KVM and UHN-77430-KVM2 for the Webshield KVM).

1.2 Setting Device Channel Names

a.) Open the following URL in Internet Explorer: (https://<KVM IP address>/admin)

b.) Expand the KVM channels and then right-click on the channel and select Properties…

c.) Rename the channel to the hostname of the device connected to it (e.g. UHN-77430-SCMX for the CallManager on UHN-77430-KVM1).

d.) Repeat these steps for all other KVM devices in your network.

1.3 Creating a Desktop Shortcut on Element Manager

First launch the “Raritan Remote Client” applet manually by using Internet Explorer and typing in the following URL (https://<KVM IP address>).


Next, close the applet; an Internet Explorer window titled “Raritan Remote Client” will reappear. Use File->Send->Shortcut to Desktop to create a shortcut on the desktop for the KVM. This HTML page (URL: https://<KVM IP address>/rrc.htm) only appears after you close the actual client application (applet). You can rename the desktop shortcut to something like “CallManager and Webshield KVM”.

1.4 Accessing All KVM Devices from Element Manager

(From a Single “Raritan Remote Client” Window)

The “Raritan Remote Client” applet running on the Element Manager “caches” any KVM101 devices it has already connected to. Therefore, you should manually connect to all KVM(s) on the Management network (see 1.2 above) once to load them into the “Raritan Remote Client” applet. From that point on, you will have access to all KVM devices on the Management network from a single “Raritan Remote Client” window - despite the fact your Desktop shortcut is to a specific IP address of one of the KVM devices.

2. Using KVM

Keystroke Combinations Needed (From ‘Raritan Remote Client’)

The main keystroke combos are as follows:

a) ‘Ctrl-Alt-M’ = Brings up the KVM menu

b) ‘Ctrl-Alt-M’ then ‘F’ then <Enter> = Toggle between Full/Normal Screen (image below is of Normal screen)

c) ‘Ctrl-Alt-M’ then ‘S’ = Toggle between single and double mouse mode (uncheck the box causing a prompt when entering single mouse mode for the first time)

d) ‘Ctrl-Alt-M’ then ‘D’ = Send ‘Ctrl-Alt-Delete’ command to device

Example: To get started using the CallManager you would perform b), c) then d) above (after you have double-clicked on the CallManager device and acquired video first). The Webshield is Linux so probably just b) then c). To get out of KVM Full Screen mode and return to using the Element Manager platform you would just perform b) then c) then minimize the “Raritan Remote Client” applet. NOTE: During shelter configuration periods it is probably best to leave the “Raritan Remote Client” applet minimized (versus exiting altogether) to avoid authentication prompt/delay and re-acquiring video delays.


3. Security Options

Device Security

Device ACLs

The KVM provides the ability to control IP access to the device:

a.) Open the following URL in Internet Explorer: (https://<KVM IP address>/admin)

b.) Select Setup->Security->Access Control List… from the drop-down menu

c.) Enter in <TBD> (Whole Mgmt network?, elem mgr only?)

Allow SSL Only (https://)

Setup Authentication Through RADIUS Server

Security Settings on Client Machine (“Raritan Remote Client”)

There are several local security settings on a client machine that may impact the use of the “Raritan Remote Client”. <TBD>


WANScaler PEP Configuration

1. Apply power to the CITRIX PEP:

a. On the front panel, toggle the down arrow and check that these options are set.

(a) WANScaler model number: 8500
(b) Bandwidth accelerated limit.
(c) Host Name of WANScaler: localhost.local
(d) apA I/F: Accelerated Pair A: ON by default.
(e) apA VLAN ID: Off by default.
(f) apA VLAN ID: should be 0000; VLAN tagging isn’t used.
(g) Save: select NO; VLAN tagging is not used.
(h) apA IP Address: Press the down button to display the IP address. Using the 5 buttons on the front panel, set the IP address according to the IP matrix. This will have to be done for the SIPR/NIPR WANScalers.
(i) apA Netmask: set the subnet mask for the interface. Check the IP matrix for the correct subnet mask.
(j) apA Gateway: set the default gateway for the device. This will be the IP address of G0/1 on the Tier 2 router.
(k) Primary I/F: The primary interface should be OFF. This interface will be configured from the WEBGUI interface.
(l) Restart: Press the middle button for the device to restart and the changes to take effect.

2. Adding New Username and Password:

a. Navigate to the IP address entered during initial configuration.

b. Log in to the WANScaler with username: admin, password: admin

c. Select Security, Manage Users, Add New User

d. New User: gdadmin, password: gd1234$


3. Setting Primary IP Address:

a. Navigate to the IP address from the left pane.

b. Scroll down to the Primary IP address field.

c. Enter the IP address for VLAN 222

d. Enter the subnet mask for VLAN 222

e. Enter the default gateway for VLAN 222

4. Saving Configuration:

a. Select Save/Restore from the left pane.

b. Select Save Configuration.

Configuration procedure for the ASA5510

1. To load the config files, log in to the ASA and go to the Global config prompt
2. FW(conf-t)# mode multi
3. Confirm and the system will reboot. Once rebooted, log back in to global.
4. Send the System text file (ex. NFWHS for NIPR Host or NFWPS for NIPR perimeter)
5. At the PrivExec prompt type copy run start
6. NFWHS# change to context admin
7. NFW-admin# config t
8. Send the Admin text file (ex. NFWHA or NFWPA)
9. At the PrivExec prompt for this context type copy run start
10. Repeat 17-20 for each context. (Host additional contexts are HL-DATA, HL-IA, HL-NETMGMT, HL-VOICE) (Perimeter additional context is DMZ)
11. After all contexts are loaded, exit back to system and go to the PrivExec prompt.
12. NFWHS# session 1
13. Takes you into the IPS; login (default is cisco cisco@123)
14. Go to the global config prompt.
15. Send the IPS text file (NIPHS or NIPPS)
16. NFIPS# copy current-config backup-config
17. Exit the IPS back to system
18. NFWHS# reload
19. During reload, observe the contexts being loaded and the VLANs coming up. Once reloaded you should be able to ping from the SDS to the T2R etc.
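As an added illustration, not taken from the student guide or from the site's own configuration files, the following constructed skeleton shows the shape of the System text file sent in step 4 once the ASA is in multiple-context mode: interfaces are defined once in the system space and then allocated to the admin context and to the Host contexts named in step 10. The hostname and context names come from the procedure; the interface names, VLAN numbers and disk0: paths are assumptions.

```cisco
! Constructed example of an ASA 5510 system-space configuration (NFWHS-style file).
! Interface names, VLAN numbers and flash paths are assumptions, not values from the guide.
hostname NFWHS
!
! Physical and sub-interfaces exist only in the system space; contexts
! never see an interface unless it is allocated to them below.
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/1.10
 vlan 10
!
interface Ethernet0/1.20
 vlan 20
!
interface Management0/0
 no shutdown
!
! The admin context is the one "change to context admin" (step 6) enters;
! it is the only context allowed to return to the system space.
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! One context per security domain, matching the Host contexts listed in step 10.
! Each context keeps its own running-config at its config-url, which is why
! step 9 saves with "copy run start" inside every context, not just once.
context HL-DATA
  allocate-interface Ethernet0/1.10
  config-url disk0:/HL-DATA.cfg
!
context HL-VOICE
  allocate-interface Ethernet0/1.20
  config-url disk0:/HL-VOICE.cfg
```

After the reload in step 18, the contexts listed here are the ones that should appear being loaded while the VLANs come up.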


Recommended