
Module 1 (Network Fundamentals)

-message, sender, receiver, medium and protocol
-simplex, half duplex, full duplex
-ISDN (64kbps to 128kbps)
-X.25 (9600bps to 2Mbps), Frame Relay (64kbps to 2.048Mbps)
-International Organization for Standardization (ISO)---OSI
-Institute of Electrical and Electronics Engineers (IEEE)---LAN (802.X), 802.3 (Ethernet), 802.4 (token bus), 802.5 (token ring), 802.11 (Wireless)
-American National Standards Institute (ANSI)
-Electronic Industries Association/Telecomm Industries Association (EIA/TIA)---Network Cable
-International Telecomm Union (ITU)---X.25, Frame Relay
-Internet Engineering Task Force (IETF)
-Physical layer medium - coaxial cable, twisted pair, fibre, wireless radio, hubs, repeater, LAN (802.3, 802.4, 802.5, FDDI), WAN (V.24, V.35, EIA/TIA-232)
-Data Link Layer medium - Switch - LAN (802.2 LLC), WAN (SDLC, HDLC, Frame Relay, PPP)
-Network layer medium - Router - IP, ICMP, ARP, RARP
-Transport layer - creates the end to end connection - LAN (TCP), WAN (UDP)
-Application Layer - LAN (FTP, TELNET, HTTP, SMTP/POP3), WAN (TFTP, SNMP, RIP, DNS)
-MSS 536 bytes
-TCP header size (20 - 60 bytes)
-port numbers - HTTP (80), Telnet (23), FTP (20, 21) {20 for data transfer, 21 for command transfer}, DNS (53)
-IP header 20-60 bytes, IP packet 65535 bytes
-TCP protocol number 6, UDP protocol number 17
-0x0800 IP packets, 0x0806 ARP, 0x8035 RARP
-Ethernet type/length field: over 1500 = type (Ethernet 2), less than 1500 = length
-address types (network part / host part -> address type)
  any / all 0 -> network address
  any / all 1 -> broadcast address
  127 / any -> loopback address
  all 0 (whole address) -> all networks
  all 1 (whole address) -> broadcast address
-private IP address
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
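An added example, not part of the original notes: a small classifier that applies the address-type rules and private ranges listed above to an IPv4 address and mask. It goes slightly beyond the table by naming the host-part-all-1 case "directed broadcast" and the all-1 address "limited broadcast"; the ranges and rules themselves are the ones in the notes.

```python
import ipaddress

# Private ranges as listed in the notes
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def classify_ipv4(addr: str, prefixlen: int) -> dict:
    """Apply the network-part / host-part rules to addr under a prefix length."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    host_bits = 32 - prefixlen
    host_part = int(ip) & ((1 << host_bits) - 1)
    if int(ip) == 0:                      # all 0 -> all networks (default route)
        kind = "all networks"
    elif int(ip) == 0xFFFFFFFF:           # all 1 -> limited broadcast
        kind = "limited broadcast"
    elif ip.packed[0] == 127:             # network part 127 -> loopback
        kind = "loopback"
    elif host_bits > 0 and host_part == 0:
        kind = "network address"          # host part all 0
    elif host_bits > 0 and host_part == (1 << host_bits) - 1:
        kind = "directed broadcast"       # host part all 1
    else:
        kind = "host"
    return {
        "type": kind,
        "private": any(ip in r for r in PRIVATE_RANGES),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
    }
```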
-ARP: the request is sent as broadcast, the reply carrying the MAC address is unicast
-RARP: obtains an IP address from a MAC address
-Proxy ARP: the router answers the request with its own address on behalf of the destination
-gratuitous ARP: used to detect IP address conflicts
-Routing Table: destination address, network mask, outgoing interface, next hop
Module 2 (Routing)
[huawei]User-interface vty 0 4
[huawei-ui-vty0-4]authentication-mode password
[huawei-ui-vty0-4]set authentication password simple Huawei
[huawei-ui-vty0-4]user privilege level 3
system-view
display history-command
up-arrow key or Ctrl+P
down-arrow key or Ctrl+N
display ip routing-table
display saved-configuration
{client, server, file, password, server config, security}
ftp server enable
aaa
local-user huawei service-type ftp
local-user huawei password simple huawei
local-user huawei ftp-directory flash:/......
tftp server
file
SNMP (simple network management protocol) - UDP - port 161 and 162
SNMP consists of NMS and Agent; the two operations are GET and SET
ip route-static {ip address}
dis ip routing-table protocol static
[RTB]ip route-static 0.0.0.0 0.0.0.0 (next hop ip)
AS number ranges from 1 to 65535
1-64511 are public AS numbers
64512-65534 are private AS numbers
distance-vector routing protocol disadvantages - poor extendibility - maximum hop count is 16
To protect against routing loops:
1) split horizon (route information is not sent back out of the interface it was learned from)
2) route poisoning
3) holddown timer
4) triggered update
RIP runs over UDP, port number 520
update every 30 sec; a route not refreshed for 180 sec is marked unreachable; after a further 120 sec it is deleted from the routing table
RIP v1 - does not support VLSM and CIDR, packets are sent in broadcast mode
RIP v2 - supports VLSM, route aggregation, CIDR, plain text authentication, MD5 authentication; packets are sent in broadcast or multicast (default, 224.0.0.9)
RIP packet header size = 504 + UDP header 8 = 512 bytes
commands: 1) [RTA]rip
[RTA-rip-1]version 2
[RTA-rip-1]network {ip address}
[RTA]display rip 1 route
for automatic route aggregation: [RTA-rip-1]summary
for manual route aggregation: [RTA-Serial0/0/0]rip summary-address 172.16.1.0 32
[RTA-rip]import-route direct
After configuration, if all or some routes are not received:
1) Check whether RIP is enabled on the incoming interface (use dis cur-configuration rip).
2) Check whether the incoming interface works normally (use dis interface).
3) Check the version.
4) Check whether undo rip input is configured.
5) Check the routing policy (display current-configuration configuration acl-basic). If an IP address prefix list is used, use the display ip ip-prefix command to check the configured routing policy.
6) Check whether the additional metric set by the rip metricin command makes the metric of the received route exceed 15.
7) Check whether the metric of the received RIP route exceeds 15.
8) Check whether the routing table contains the same route learned through another protocol (use dis rip 1 route and display ip routing-table protocol rip verbose).
After configuration, if all or some routes are not sent:
1) Check whether RIP is enabled on the outgoing interface.
2) Check whether the outgoing interface works normally.
3) Check whether the silent-interface command is configured on the outgoing interface (display current-configuration configuration rip).
4) Check whether the undo rip output command is configured on the outgoing interface.
5) Check whether the rip split-horizon command is configured on the outgoing interface.
6) Check whether a routing policy is configured to filter RIP routes (filter-policy export).
7) Check the status of the interface when the route contains the address of the local interface (display interface).
8) Check whether there are other problems, for example with the peer: RTA and RTB use different authentication keys, so they cannot receive routes from each other.
OSPF
router id selection: 1) the ip address of a loopback interface is used as the router id; 2) if there is no loopback interface, the ip address of a physical interface is used as the router id.
DR-BDR election: 1) the router with the highest priority becomes DR; 2) if the priorities are equal, the router with the highest router id becomes DR. DR and BDR form a full adjacency with every router; the other routers only keep a neighbour relationship with each other.
Conditions for neighbours to match:
1. Subnet mask used on the subnet
2. Subnet number
3. Hello interval
4. Dead interval
5. OSPF Area ID
6. Must pass authentication checks (if used)
7. Value of the stub Area flag

router id
..Active

..DRother

OSPF packet types
1. Hello
2. Database Description (DD)
3. Link State Request (LSR)
4. Link State Update (LSU)
5. Link State Acknowledgement (LSAck)
-OSPF ip protocol number is 89
-OSPF supports CIDR
-Supports area division
-Avoids route loops
-The routes converge very quickly when the network topology is changed
-Forwards protocol data through IP multicast.
-Supports equal-cost routes
-Supports authentication of protocol packets
Display neighbor relation
[RTA]display ospf peer
[RTA]display ip routing-table protocol ospf
OSPF AREA CONFIGURATION
-router id 1.1.1.1
-ospf
-area 0
-network {ip addresses}

..
inter

BDR
neighbour

MODULE 3 (SWITCHING)
IEEE 802.3 Ethernet standard
IEEE 802.3u 100Base-T Fast Ethernet
IEEE 802.3z/ab 1000Mb/s Gigabit Ethernet
IEEE 802.3ae 10GE Ethernet (Fiber)
IEEE 802.3ak 10GE Ethernet (Coaxial)
IEEE 802.3an 10GE Ethernet (Twisted Pair)
10G Ethernet is the cutting-edge technology in the Ethernet world.
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
0x0800 = IP datagram (Ethernet 2 frame)
0x0806 = ARP request
0x8035 = RARP request
1. If all 48 bits of a MAC address are 1s, it is a broadcast address.
2. If the eighth bit of a MAC address (the least significant bit of the first octet) is 1, it is a multicast address.
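An added example, not from the original notes: a parser for the 14-byte Ethernet header that applies the rules above, the type/length threshold of 1500 from Module 1, the three EtherType values, and the broadcast/multicast bit tests on the destination MAC. The sample frames are constructed for the demonstration.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}  # values from the notes

def classify_mac(mac: bytes) -> str:
    """Broadcast if all 48 bits are 1; multicast if the eighth bit (LSB of the
    first octet, the I/G bit) is 1; otherwise unicast."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"

def parse_header(frame: bytes) -> dict:
    """Decode dst MAC, src MAC and the type/length field. A value over 1500 is
    an Ethernet II EtherType; 1500 or less is an IEEE 802.3 length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "dst_kind": classify_mac(dst)}
    if tl > 1500:
        info["encap"] = "Ethernet II"
        info["ethertype"] = ETHERTYPES.get(tl, f"unknown 0x{tl:04x}")
    else:
        info["encap"] = "IEEE 802.3"
        info["length"] = tl
    return info

# Constructed sample frames: header followed by placeholder payload bytes
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
IP_UNICAST = bytes.fromhex("00aabbccddee" "001122334455" "0800") + b"\x45" + b"\x00" * 19
LLC_MULTICAST = bytes.fromhex("0180c2000000" "001122334455" "0026") + b"\x42\x42\x03" + b"\x00" * 35
```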
Switch modes (3)
1) Cut-Through
- forwards as soon as the destination MAC address has been read
- low delay
- no error check
2) Store-and-Forward
- receives the full frame before forwarding
- longer delay
- the switch can detect errors and discards bad frames
3) Fragment-free
- the switch reads the first 64 bytes, looks up the address table and forwards
- a frame with an error inside the first 64 bytes is discarded
The L2 switch works at the data-link layer and has two basic functions:
1) learning based on the source MAC address and
2) forwarding based on the destination MAC address.
-Ethernet over fiber does not support auto-negotiation.
-Ethernet twisted pair supports (1) Full-duplex (2) Half-duplex (3) Auto-negotiation
command line is [SW1-Ethernet0/1]duplex full
[SW1-Ethernet0/1]undo duplex
[SW1-Ethernet0/1]negotiation auto
-When a 100Mbps port sends to a 10Mbps port, packet loss and delay occur; flow control avoids this: in half duplex mode backpressure is used, in full duplex mode PAUSE frames are used.
-If the rate, duplex mode and traffic control are configured differently, the two ends cannot communicate with each other.
-100BASE-T4 can be realized through Type 3, Type 4 and Type 5 UTP and all four pairs are used. 100BASE-TX can only run over Type 5 UTP or STP and two of the four pairs are used.
[SW1-Ethernet0/1]flow-control
[SW1-Ethernet0/1]undo flow-control
Advantages of Port Aggregation
1. Increase bandwidth
2. Improve reliability
Ports in one aggregation group must have the same speed, duplex mode, Quality of Service (QoS), VLAN and port link type (trunk, hybrid, access).
Port Aggregation commands
[SW1]interface eth-trunk 1 (creates the eth-trunk)
[SW1]interface ethernet 0/1 (the ethernet port to add to the aggregation)
[SW1-Ethernet0/1]eth-trunk 1 (adds the port to the eth-trunk)
quit
dis link-aggregation
Port Mirroring (SPAN): copies traffic to an observe port for analysis and fault location
1) port based: all traffic of one or multiple ports is mirrored
2) flow based: only the matching flows of a port are mirrored
Configuration:
1. Configure interface E0/1 of SW as observe-port
[SW]observe-port 1 interface Ethernet 0/1
2. Configure interface E0/24 of SW as mirroring port, transferring data to the observe-port
[SW-Ethernet0/24]port-mirroring to observe-port 1 inbound
VLAN
-a 4-byte VLAN tag is added to the Ethernet frame header directly.
-VLAN ID is 12 bits, from 0 to 4095.
-Priority is
-VLAN types: Policy based, MAC based, Subnet based, Protocol based, Port based
-two methods to create VLANs: Manual configuration or automatically created using GVRP.
Switch Port types
1) Access port: connects to a host. The port belongs to one vlan (the PVID). A received untagged frame is tagged with the PVID; when sending, the access port removes the tag and sends an untagged frame. The default PVID is 1.
command line {port link-type access}, then assign the port to the vlan {vlan 3}
2) Trunk port: connects to another switch. A received tagged frame is checked against the allowed vlan id list; if its vlan id is not in the list the frame is discarded, otherwise it is forwarded with its tag. An untagged frame received on a trunk port is tagged with the PVID. When sending, a frame whose vlan id equals the PVID is sent untagged to the peer device; other frames are forwarded with the tag unmodified.
command line - vlan
- port link-type trunk
- port trunk pvid vlan 3
- port trunk allow-pass vlan 5
3) Hybrid port: connects to a switch or a host device. It supports several vlans and decides per vlan whether frames are forwarded tagged or untagged.
-If a Hybrid port is only configured to allow untagged VLAN forwarding,
the port will take on the same role as an access port.
-If a port is configured to support only tagged VLANs, it will have
the same function as a trunk port.
command line-port link-type hybrid
-port hybrid pvid vlan 2
-port hybrid untagged vlan 2 99
GVRP is disabled by default. After enabling GVRP on a trunk port, the switch is not allowed to change the trunk port to any other port type.
GVRP is automatic configuration, command line is -gvrp
-port link-type trunk
-port trunk allow-pass vlan all
At a layer-3 switch, when the switch needs to communicate with devices at the network layer, a logical interface can be created, namely a VLANIF interface. The layer-3 switch then uses the VLANIF interface to communicate with devices at the network layer.
command line - interface vlanif {vlan-id}
STP (Spanning Tree Protocol)
-removes loops between switches while keeping the backup link available
-STP information and parameters are carried in Bridge Protocol Data Units (BPDU)
-the switch with the smallest bridge identifier becomes the root bridge
-bridge identifier - 2 byte priority and 6 byte MAC address, priority range is 0 to 65535, default is 32768; if the priority is equal, the smallest MAC wins
-The higher the bandwidth is, the smaller the port cost
-Root Port: the port of a non-root switch with the lowest cost to the root switch
command line
-stp enable
-stp mode stp
-stp priority ---- RSTP
Rapid STP - no delay time (blocking to forwarding)
MSTP (multiple STP)
VRRP
-several routers form one virtual router; the priority decides master and slave; default priority is 100, 255 is the IP address owner
[RTA-Ethernet0/0]vrrp vrid 1 virtual-ip {virtual ip address}
[RTA-Ethernet0/0]vrrp vrid 1 priority 200
[RTA-Ethernet0/0]vrrp vrid 1 track interface Ethernet 1/0 reduced 150
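An added example, not from the original notes: a VRRP master election model using the priority rules above (default 100, 255 for the IP address owner) and the track command's reduction of the priority while the tracked interface is down. The routers, addresses and interface names are constructed; the tie-break on the higher interface IP follows RFC 3768 and is not stated in the notes.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VrrpRouter:
    name: str
    ip: str                          # the router's own interface address (constructed)
    priority: int = 100              # default priority from the notes
    ip_owner: bool = False           # owner of the virtual IP -> priority 255
    # tracked interface -> value subtracted while that interface is down,
    # as in "vrrp vrid 1 track interface Ethernet 1/0 reduced 150"
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, down_interfaces) -> int:
        if self.ip_owner:
            return 255
        p = self.priority
        for ifname, reduced in self.tracks.items():
            if ifname in down_interfaces:
                p -= reduced
        return max(p, 1)  # 0 is reserved for a master announcing it is leaving (RFC 3768)

def elect_master(routers, down_interfaces=()) -> str:
    """Highest effective priority becomes master, the others are backup.
    Equal priorities are broken by the higher interface IP (RFC 3768 rule)."""
    down = set(down_interfaces)
    best = max(routers, key=lambda r: (r.effective_priority(down),
                                       int(ipaddress.ip_address(r.ip))))
    return best.name

# Constructed topology mirroring the commands above: RTA has priority 200 and
# loses 150 when Ethernet1/0 goes down; RTB keeps the default of 100.
RTA = VrrpRouter("RTA", "10.1.1.1", priority=200, tracks={"Ethernet1/0": 150})
RTB = VrrpRouter("RTB", "10.1.1.2")
```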
Module 4 (WAN)
HDLC (High-Level Data Link Control)
-bit based, not character based
-runs on a synchronous serial link
-transmitted transparently (0 bit insertion method)
-full duplex
-transmitted continuously without waiting
-frame fields: (1) flag field (F), (2) address field (A), (3) control field (C), (4) information field (I), and (5) frame check sequence field (FCS).
-3 types of frame: (1) information frame (2) Supervisory frame (3) Unnumbered frame
command line
interface serial 0/0/1
link-protocol hdlc
ip address ------ (the interface link-protocol default is ppp)
-borrowing the ip address of loopback 0: ip address unnumbered interface loopback 0
PPP
-three components: (1) data encapsulation method, (2) Link Control Protocol (LCP), and (3) Network Control Protocol (NCP)
-maximum receive unit (MRU) of PPP. The default value of MRU is 1500 bytes.
-0x0021 - IP datagram
-0xc021 - LCP
-0x8021 - IPCP
command line is {link-protocol ppp}
-Link Control Protocol 4 packet types: (1) Configure-request (2) Configure-ack (3) Configure-nak (4) Configure-reject
-an LCP Configure-Ack packet acknowledges a Configure-Request packet whose parameters are all acceptable
-Configure-NAK: the requested parameter is recognized but its value is not acceptable; the router replies with the parameter values it can accept
-LCP magic number: used to detect loops and abnormal cases; each side chooses its magic number randomly, and receiving its own magic number back means the link is looped
-After establishing a connection, LCP detects the status of the link by using the Echo-Request and Echo-Reply packets every 10 seconds.
PAP (Password Authentication Protocol)
command line
-aaa
-local-user huawei password simple hello
-local-user huawei service-type ppp
-interface serial 0
-link-protocol ppp
-ppp authentication-type pap
-ip address ------
--ppp pap local-user huawei password simple hello
CHAP (Challenge Handshake Authentication Protocol)
command line [ip address ppp-negotiate]
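An added example, not from the original notes: the difference between the two PPP authentication methods above, shown as the messages each one puts on the link. PAP's Authenticate-Request carries the password itself (RFC 1334); CHAP sends only a random challenge and MD5(Identifier || secret || Challenge) (RFC 1994), so the secret never crosses the link. The credentials are the constructed ones from the PAP commands (user huawei, password hello).

```python
import hashlib
import hmac
import os

# Constructed credentials matching "local-user huawei password simple hello"
USER = b"huawei"
SECRET = b"hello"

def pap_request(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: peer-id length, peer-id, password length,
    password. The password is sent as-is."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Authenticator side: recompute with its own copy of the secret and compare
    in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def chap_exchange(authenticator_secret: bytes, peer_secret: bytes, ident: int = 1) -> bool:
    """One challenge/response round between an authenticator and a peer."""
    challenge = os.urandom(16)                        # sent authenticator -> peer
    response = chap_response(ident, peer_secret, challenge)  # sent peer -> authenticator
    return chap_verify(ident, challenge, response, authenticator_secret)

def secret_on_wire(message: bytes, secret: bytes) -> bool:
    """True if a captured message contains the secret verbatim."""
    return secret in message
```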
Frame Relay
-fast packet switching at the data link layer
-virtual circuit: transmits data on a logical link rather than a physical link
-serial port
-SVC (Switched Virtual Circuit), PVC (Permanent Virtual Circuit); PVC is the commonly used type
-X.25 also has layer-3 functions
-64 kbps to 2 Mbps
-for example, 32 kbps bandwidth
-maximum length of a frame is 1600 bytes
-DTE (Data Terminal Equipment) - user side device
-DCE (Data Circuit-terminating Equipment) - network switching equipment
-DLCI (Data Link Connection Identifier) - identifies the virtual circuit on a link interface
-Frame Relay interface types: 1) DTE 2) DCE 3) NNI (network-to-network interface)
-frame relay dynamic mapping: inverse arp maps the local DLCI to the remote IP
-up to 1024 virtual circuits, user range 16 to 1007
-FR topologies: (1) Full-meshed (2) Partial-meshed (3) Star
-Inverse ARP learns the ip of the destination router dynamically
-static mapping: inverse arp requests are disabled
-FR subinterfaces, 2 types: (1) point to point (2) point to multipoint
-FR default interface type is point to multipoint
-FR network does not support broadcasts.
-default network type NBMA (non-broadcast multi access)
-command line
[RTA-Serial0]link-protocol fr ietf
[RTA-Serial0]fr interface-type dce
[RTA-Serial0]fr dlci 100 (assigns the FR virtual circuit)
[RTA-fr-dlci-Serial0-100]quit
[RTA-Serial0]ip address 10.1.1.1 30
[RTA-Serial0]fr inarp
display fr interface
Static mapping
[RTA-Serial0]undo fr inarp
[RTA-Serial0]ip address ..local address.......
[RTA-Serial0]fr map ip ...remote address... 100 (dlci number range from 16 to 1007)
display fr map-info
Module 5 Firewall
3 kinds of firewall
(1) packet firewall
(2) proxy firewall
(3) state firewall
(1) packet filtering firewall: simple, acl based, not flexible
(2) proxy firewall: works at the application level as an intermediate node; acts as server for the client and as client for the server; high cost
(3) stateful firewall: checks the three way handshake; a session is created from the five elements (source/destination IP address, source/destination port number, protocol number); packets matching a session pass, others are restricted; the session is deleted when the connection ends; protects against attacks
-balance
-VPN: end to end encryption of data
Firewall zones
-zones:
( ) untrust zone, priority 5, external network
( ) trust zone, priority 85, internal network
( ) dmz zone, priority 50, server farm
( ) local zone, priority 100, all devices within the LAN including the firewall
-other zones can be created with a priority from 0 to 100
-local (High) ---- Firewall ---- internet (Low): traffic from high to low priority is outbound, low to high is inbound
command line
[FW]firewall zone name userzone
-16 zones in total; 4 default zones; 16 - 2 = 14 zones can be created
-zone 1024 interface
security policy
policy interzone trust untrust inbound
policy source any
action permit
USG firewall modes
( ) route mode ( ) transparent mode ( ) composite mode
(1) route mode: the firewall's external interface is assigned an ip; supports ACL packet filtering, ASPF (status based packet filtering) dynamic filtering and NAT functionality.
(2) transparent mode: the firewall works like a switch, plug and play, no need to configure ip addresses; stp is supported to avoid loops; internal and external must be in the same subnet
(3) composite mode: used for backup between 2 firewalls; the interfaces with a physical ip work in route mode, the virtual ones in transparent mode; vrrp runs on the devices; internal network and external network are in the same subnet
ACL applications
1. packet filtering
2. NAT (network address translation)
3. IPSec
4. QoS
acl rules match on fields of the IP packet header
Basic ACL 2000 ~ 2999 (source IP address)
Advanced ACL 3000 ~ 3999 (address / port / priority)
Layer 2 ACL 4000 ~ 4999 (source MAC & destination MAC)
FW ACL 5000 ~ 5499 (source address / destination address / destination port)
Note: within the same ACL group, the smallest rule id has the highest priority
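An added example, not from the original notes, covering both the ACL section above and the stateful firewall description earlier in this module: a stateless packet filter that tries rules in ascending rule id (smallest id wins), beside a session table keyed on the five elements that lets the reply of a permitted connection through without a rule for it. Packet, Rule and the addresses are constructed; a no-match default of deny is an assumption.

```python
from collections import namedtuple

# Constructed types: the five elements plus TCP flags, and an ACL rule
# where None means "any" (hypothetical helper, not the USG's own syntax)
Packet = namedtuple("Packet", "src dst sport dport proto flags")
Rule = namedtuple("Rule", "rule_id action src dst dport proto")

def acl_type(number: int) -> str:
    """Map an ACL number to its type using the ranges from the notes."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 4000 <= number <= 4999:
        return "layer2"
    if 5000 <= number <= 5499:
        return "firewall"
    raise ValueError(f"ACL {number} is outside the known ranges")

def acl_lookup(rules, pkt) -> str:
    """Stateless packet filter: rules of one group are tried in ascending
    rule id and the first match wins; no match -> deny (assumed default)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        fields = ((r.src, pkt.src), (r.dst, pkt.dst), (r.dport, pkt.dport), (r.proto, pkt.proto))
        if all(want is None or want == have for want, have in fields):
            return r.action
    return "deny"

class StatefulFirewall:
    """Session table keyed on the five elements. Only a new TCP SYN is checked
    against the ACL; packets of an existing session (either direction) pass,
    and the session is removed when the connection is torn down."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def forward(self, pkt) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if key in self.sessions or reverse in self.sessions:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.sessions.discard(key)
                self.sessions.discard(reverse)
            return "pass"
        if pkt.proto == "tcp" and "SYN" not in pkt.flags:
            return "deny"  # no session and not the start of a handshake
        verdict = acl_lookup(self.rules, pkt)
        if verdict == "permit":
            self.sessions.add(key)
        return verdict
```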
NAPT maps multiple private IPs to a single public IP
-[USG2100]nat server global 202.168.0.10 inside 192.168.1.100
-[USG2100]nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
-[USG2100]nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
-[USG2100]policy interzone dmz untrust inbound
-[USG2100-policy-interzone-dmz-untrust-inbound]policy 1
-[USG2100-policy-interzone-dmz-untrust-inbound-1]policy destination 192.168.1.0 mask 24
-[USG2100-policy-interzone-dmz-untrust-inbound-1]policy service service-set ftp
-[USG2100-policy-interzone-dmz-untrust-inbound-1]action deny
-[USG2100]display nat-policy all
-[USG2100]dis nat address-group
