ing interface.
display current-configuration configuration rip
4) Check whether the undo rip output command is configured on the outgoing interface.
5) Check whether the rip split-horizon command is configured on the outgoing interface.
6) Check whether a routing policy is configured to filter RIP routes.
filter-policy export
7) Check the status of the interface when the route contains the address of the local interface.
display interface
8) Check whether there are other problems.
peer
RTA and RTB use different authentication keys, so they cannot receive routes from each other.
OSPF
Router ID selection: if a router id is configured it is used; otherwise the highest IP address among the loopback interfaces is taken; if there is no loopback interface, the highest IP address among the physical interfaces is taken.
DR/BDR election: the router with the highest priority becomes DR and the next one BDR; if priorities are equal, the higher router id wins. A router with priority 0 is never elected. DRothers form a full adjacency only with the DR and BDR; between two DRothers the neighbour state stays at 2-way.
Two routers become neighbours only if the following match:
1. Subnet mask used on the subnet
2. Subnet number
3. Hello interval
4. Dead interval
5. OSPF Area ID
6. Must pass authentication checks (if used)
7. Value of the stub Area flag
The election is not pre-emptive: a router with a higher priority or router id that becomes active later stays a DRother while the current DR and BDR are alive; when the DR fails, the BDR takes over and a new BDR is elected among the remaining neighbours.
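Added example (not from the notes): a small model of the three rules above, router-ID selection, the seven neighbour checks and a fresh DR/BDR election on one segment. Router names, addresses and the assumption that all routers start at the same time (so no pre-emption question arises) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional

@dataclass(frozen=True)
class OspfRouter:
    """Hello parameters one router advertises on a shared segment."""
    router_id: str
    interface: str               # address/prefix on the segment, e.g. "10.0.0.1/24"
    priority: int = 1            # 0 = never eligible for DR/BDR
    hello_interval: int = 10
    dead_interval: int = 40
    area_id: str = "0.0.0.0"
    auth_key: Optional[str] = None
    stub: bool = False

def select_router_id(configured, loopback_ips, physical_ips):
    """Router ID: an explicit 'router id' wins; else the highest loopback address;
    else the highest address on a physical interface; None if nothing is available."""
    if configured:
        return configured
    for pool in (loopback_ips, physical_ips):
        if pool:
            return str(max(IPv4Address(ip) for ip in pool))
    return None

def hello_mismatches(a, b):
    """The seven parameters two routers must agree on before they become neighbours.
    Returns the names of the ones that differ; an empty list means they can pair up."""
    ia, ib = IPv4Interface(a.interface), IPv4Interface(b.interface)
    checks = [
        ("subnet mask", ia.network.netmask == ib.network.netmask),
        ("subnet number", ia.network.network_address == ib.network.network_address),
        ("hello interval", a.hello_interval == b.hello_interval),
        ("dead interval", a.dead_interval == b.dead_interval),
        ("area id", a.area_id == b.area_id),
        ("authentication", a.auth_key == b.auth_key),
        ("stub flag", a.stub == b.stub),
    ]
    return [name for name, same in checks if not same]

def elect_dr_bdr(routers):
    """Fresh election on a segment with no DR/BDR yet (all routers start together):
    highest priority wins, ties go to the highest router ID, priority 0 never plays.
    Returns (dr, bdr, [drothers]) as router IDs."""
    eligible = sorted(
        (r for r in routers if r.priority > 0),
        key=lambda r: (r.priority, int(IPv4Address(r.router_id))),
        reverse=True,
    )
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    drothers = [r.router_id for r in routers if r.router_id not in (dr, bdr)]
    return dr, bdr, drothers

def adjacency_state(x, y, dr, bdr):
    """A full adjacency forms only when one side is the DR or BDR;
    two DRothers stop at the 2-Way neighbour state."""
    return "Full" if {x, y} & {dr, bdr} else "2-Way"

if __name__ == "__main__":
    # constructed sample segment: four routers on 10.0.0.0/24
    seg = [
        OspfRouter("1.1.1.1", "10.0.0.1/24"),
        OspfRouter("2.2.2.2", "10.0.0.2/24"),
        OspfRouter("3.3.3.3", "10.0.0.3/24", priority=0),
        OspfRouter("4.4.4.4", "10.0.0.4/24", priority=10),
    ]
    print(select_router_id(None, ["1.1.1.1", "9.9.9.9"], ["10.0.0.1"]))
    print(elect_dr_bdr(seg))
    print(hello_mismatches(seg[0], OspfRouter("5.5.5.5", "10.0.0.5/25", hello_interval=30)))
```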
MODULE 3 (SWITCHING)
IEEE 802.3: Ethernet standard
IEEE 802.3u: 100BASE-T Fast Ethernet
IEEE 802.3z/ab: 1000 Mb/s Gigabit Ethernet (802.3z over fiber, 802.3ab over twisted pair)
IEEE 802.3ae: 10GE Ethernet (fiber)
IEEE 802.3ak: 10GE Ethernet (coaxial, 10GBASE-CX4)
IEEE 802.3an: 10GE Ethernet (twisted pair, 10GBASE-T)
10G Ethernet is the cutting-edge technology in the Ethernet world.
Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is the shared-medium access method of half-duplex Ethernet.
Ethernet II type field (EtherType):
0x0800 = IP datagram
0x0806 = ARP
0x8035 = RARP
MAC address rules:
1. If all 48 bits of a MAC address are 1s (FF-FF-FF-FF-FF-FF), it is the broadcast address.
2. If the I/G bit is 1, it is a multicast (group) address. The I/G bit is the least-significant bit of the first byte, which is the first bit sent on the wire, so the first byte of a multicast address is odd (e.g. 01-00-5E-xx-xx-xx for IPv4 multicast).
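Added example (not from the notes): an Ethernet II header parser that classifies the type field and the destination address exactly by the two rules above, and also peels an 802.1Q tag to reach the real type. The sample frames are constructed inline; the helper names are this example's own.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP", 0x8100: "802.1Q VLAN tag", 0x86DD: "IPv6"}

def mac_to_str(mac: bytes) -> str:
    return "-".join(f"{b:02X}" for b in mac)

def mac_kind(mac: bytes) -> str:
    """Broadcast is all 48 bits set; multicast is signalled by the I/G bit, the least-significant
    bit of the first byte (the first bit on the wire); everything else is unicast."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"

def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II header; an 802.1Q tag (type 0x8100) is peeled to reach the real type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if etype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18       # low 12 bits of the TCI carry the VLAN ID
    return {
        "dst": mac_to_str(dst), "dst_kind": mac_kind(dst),
        "src": mac_to_str(src),
        "ethertype": etype, "protocol": ETHERTYPES.get(etype, "unknown"),
        "vlan": vlan, "payload": frame[offset:],
    }

def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes, vlan=None) -> bytes:
    """Builds constructed test frames only (no FCS appended)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

# constructed sample frames, not captured traffic
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")
MCAST_ALLHOSTS = bytes.fromhex("01005e000001")     # IPv4 multicast 224.0.0.1
ARP_REQUEST = build_frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
TAGGED_IP = build_frame(MCAST_ALLHOSTS, HOST_A, 0x0800, b"\x45" + b"\x00" * 19, vlan=100)

if __name__ == "__main__":
    for f in (ARP_REQUEST, TAGGED_IP):
        p = parse_ethernet(f)
        print(p["dst"], p["dst_kind"], p["protocol"], p["vlan"])
```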
Three switching modes
1) Cut-through: the switch reads only the destination MAC address (the first 6 bytes) and starts forwarding at once.
- lowest delay
- no error check: corrupted frames are forwarded as well
2) Store-and-forward: the switch receives the full frame before forwarding it.
- longest delay, growing with the frame length
- the switch checks the FCS and discards frames with errors
3) Fragment-free: the switch reads the first 64 bytes before looking up the address table and forwarding.
- frames shorter than 64 bytes (collision fragments) are discarded, but no FCS check is done
The L2 switch works at the data-link layer and has two basic functions:
1)learning based on the source MAC address and
2)forwarding based on the destination MAC address.
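Added example (not from the notes): a layer-2 switch model that learns on the source MAC, forwards or floods on the destination MAC, and applies the acceptance check of each of the three switching modes above, using the real Ethernet CRC-32 as FCS. Port names, hosts and frames are constructed for the example.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6

def fcs(frame_body: bytes) -> bytes:
    """Ethernet FCS is CRC-32 (same polynomial and conventions as zlib.crc32), sent little-endian."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, payload: bytes, corrupt=False) -> bytes:
    """Constructed frame: header + payload padded to the 46-byte minimum + FCS (64 bytes total)."""
    body = dst + src + b"\x08\x00" + payload.ljust(46, b"\x00")
    frame = body + fcs(body)
    if corrupt:                                   # flip a payload bit after the FCS was computed
        frame = frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]
    return frame

class L2Switch:
    """Learning/forwarding switch; 'mode' picks cut-through, fragment-free or store-and-forward."""
    def __init__(self, ports, mode="store-and-forward"):
        self.ports = list(ports)
        self.mode = mode
        self.mac_table = {}                       # source MAC -> port it was learnt on

    def _accept(self, frame: bytes) -> bool:
        if self.mode == "cut-through":            # only the destination MAC is read; no check at all
            return len(frame) >= 6
        if self.mode == "fragment-free":          # first 64 bytes read; runts dropped, FCS not verified
            return len(frame) >= 64
        # store-and-forward: whole frame buffered, runts dropped, FCS verified
        return len(frame) >= 64 and frame[-4:] == fcs(frame[:-4])

    def receive(self, in_port: str, frame: bytes):
        """Returns (action, out_ports). Learning uses the source MAC, forwarding the destination."""
        if not self._accept(frame):
            return "discard", []
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = in_port             # learning (a moved host overwrites its entry)
        if dst == BROADCAST or dst[0] & 0x01 or dst not in self.mac_table:
            return "flood", [p for p in self.ports if p != in_port]
        out = self.mac_table[dst]
        if out == in_port:                        # destination is on the same segment: filter
            return "filter", []
        return "forward", [out]

HOST_A, HOST_B = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")

if __name__ == "__main__":
    sw = L2Switch(["E0/1", "E0/2", "E0/3"])
    print(sw.receive("E0/1", build_frame(HOST_B, HOST_A, b"hello")))   # unknown dst -> flood
    print(sw.receive("E0/2", build_frame(HOST_A, HOST_B, b"reply")))   # learnt -> forward to E0/1
    print(sw.receive("E0/2", build_frame(HOST_A, HOST_B, b"bad", corrupt=True)))   # bad FCS -> discard
```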
-Ethernet over fiber does not support auto-negotiation (100BASE-FX has none; 1000BASE-X has its own Clause 37 negotiation of duplex and flow control only, not of speed).
-Ethernet over twisted pair supports (1) full duplex, (2) half duplex and (3) auto-negotiation.
command line is [SW1-Ethernet0/1]duplex full
[SW1-Ethernet0/1]undo duplex
[SW1-Ethernet0/1]negotiation auto
Flow control: when a 100 Mbps port sends to a 10 Mbps port, the slower port's buffer fills up, causing packet loss and delay.
In half duplex mode the switch uses backpressure (it jams the medium so that the sender backs off).
In full duplex mode it uses IEEE 802.3x flow control (PAUSE frames).
-If rate, duplex mode or flow control are configured differently on the two ends, they cannot communicate with each other.
-100BASE-T4 can run over Category 3, 4 and 5 UTP and uses all four pairs. 100BASE-TX can only run over Category 5 UTP or STP and uses two of the four pairs.
[SW1-Ethernet0/1]flow-control
[SW1-Ethernet0/1]undo flow-control
Advantages of Port Aggregation
1. Increase bandwidth
2. Improve reliability
Ports put into one aggregation group must have the same speed, duplex mode, QoS configuration, VLAN configuration and port link type (trunk, hybrid or access).
Port aggregation command line
[SW1]interface eth-trunk 1 (create the eth-trunk interface)
[SW1]interface ethernet 0/1 (enter the physical port to be aggregated)
[SW1-Ethernet0/1]eth-trunk 1 (add the port to eth-trunk 1)
quit, then repeat for the other member ports of the eth-trunk
dis link-aggregation (display the aggregation group)
Port Mirroring
Copies the traffic of a port to an observe port, where a protocol analyser can be attached, for fault location.
1) Port based: all traffic of one or more mirrored ports is copied to the observe port.
2) Flow based: only the traffic of a port that matches a defined flow (ACL) is mirrored.
(Cisco calls this feature SPAN.)
Configuration:
1. Configure interface E0/1 of SW as observe port
[SW]observe-port 1 interface Ethernet 0/1
2. Configure interface E0/24 of SW as mirroring port, copying its inbound traffic to the observe port
[SW-Ethernet0/24] port-mirroring to observe-port 1 inbound
VLAN
-The IEEE 802.1Q tag is 4 bytes, inserted after the source MAC address.
-The VLAN ID is 12 bits (1 to 4094 usable).
-The priority field is 3 bits.
-Two methods of assigning ports to VLANs: manual (static) configuration, or dynamic registration using GVRP.
Switch Port types
1) Access port: connects to a host. It belongs to one VLAN only, its port VLAN (PVID).
- Receiving: an untagged frame is tagged with the PVID; a tagged frame is accepted only if its VLAN ID equals the PVID, otherwise it is discarded.
- Sending: the tag is stripped, so the host always receives an untagged frame.
command line: port link-type access; then create the VLAN (vlan 3) and add the port to it (port ...)
2) Trunk port: connects to another switch and carries several VLANs.
- Receiving a tagged frame: if the VLAN ID is in the allow-pass list it is forwarded, otherwise it is discarded.
- Receiving an untagged frame: it is tagged with the PVID (and forwarded only if the PVID is in the allow-pass list).
- Sending: if the frame's VLAN ID equals the PVID the tag is stripped, otherwise the frame is sent tagged; a VLAN not in the allow-pass list is not sent at all. Because the PVID decides which VLAN travels untagged, both ends of a trunk must use the same PVID, or untagged frames would be placed in a different VLAN by the peer device.
command line: - vlan
- port link-type trunk
- port trunk pvid vlan 3
- port trunk allow-pass vlan 5
3) Hybrid port: can connect to a host or to another switch; it supports multiple VLANs and, unlike a trunk port (which sends only the PVID untagged), can be told per VLAN whether frames are sent tagged or untagged.
-If a Hybrid port is only configured to allow untagged VLAN forwarding,
the port will take on the same role as an access port.
-If a port is configured to support only tagged VLANs, it will have
the same function as a trunk port.
command line-port link-type hybrid
-port hybrid pvid vlan 2
-port hybrid untagged vlan 2 99
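Added example (not from the notes): the ingress and egress rules of the three port link types above as code, so that a given frame can be traced through an ingress port and an egress port. The port objects and VLAN numbers are constructed; the trunk with PVID 3 but allow-pass 5 mirrors the command lines above and shows that untagged frames are then dropped.

```python
class VlanPort:
    """Ingress/egress VLAN handling of the three Huawei port link types.
    A frame is represented by its VLAN ID, or None when it is untagged."""

    def __init__(self, link_type, pvid=1, allow_pass=None, tagged=None, untagged=None):
        self.link_type = link_type
        self.pvid = pvid                                    # port trunk/hybrid pvid vlan N
        self.allow_pass = set(allow_pass or {1})            # trunk: port trunk allow-pass vlan ...
        self.tagged = set(tagged or ())                     # hybrid: port hybrid tagged vlan ...
        self.untagged = set(untagged or ())                 # hybrid: port hybrid untagged vlan ...

    def _member(self, vid):
        """VLANs the port belongs to at all."""
        if self.link_type == "access":
            return vid == self.pvid
        if self.link_type == "trunk":
            return vid in self.allow_pass
        return vid in self.tagged or vid in self.untagged   # hybrid

    def ingress(self, vid):
        """Receive a frame; return the VLAN it is placed in, or None when the frame is discarded.
        Untagged frames always take the PVID; the PVID must still be one of the port's VLANs."""
        if vid is None:
            vid = self.pvid
        return vid if self._member(vid) else None

    def egress(self, vid):
        """Send a frame of VLAN vid: 'untagged', 'tagged', or None when the port does not carry it."""
        if not self._member(vid):
            return None
        if self.link_type == "access":
            return "untagged"                               # the host never sees a tag
        if self.link_type == "trunk":
            return "untagged" if vid == self.pvid else "tagged"
        return "untagged" if vid in self.untagged else "tagged"

def bridge(in_port, vid, out_port):
    """A frame (vid None = untagged) arrives on in_port and leaves on out_port.
    Returns (vlan, how_it_leaves); (None, None) when dropped at either side."""
    vlan = in_port.ingress(vid)
    if vlan is None:
        return None, None
    return vlan, out_port.egress(vlan)

if __name__ == "__main__":
    access3 = VlanPort("access", pvid=3)
    trunk = VlanPort("trunk", pvid=3, allow_pass={1, 3, 5})
    hybrid = VlanPort("hybrid", pvid=2, untagged={2, 99}, tagged={10})
    print(bridge(access3, None, trunk))     # (3, 'untagged'): VLAN 3 is the trunk's PVID
    print(bridge(trunk, 5, access3))        # (5, None): the access port is not in VLAN 5
    print(bridge(trunk, 10, hybrid))        # (None, None): VLAN 10 is not allowed on the trunk
    print(VlanPort("trunk", pvid=3, allow_pass={5}).ingress(None))   # None: PVID not in allow-pass
```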
GVRP is disabled by default. After GVRP is enabled on a trunk port, the switch does not allow that port's link type to be changed to any other type.
GVRP configures VLANs automatically; command line is: -gvrp (globally and on the interface)
-port link-type trunk
-port trunk allow-pass vlan all
Layer-3 switch: when a layer-3 switch needs to communicate with devices at the network layer, a logical interface, the VLANIF interface, is created for the VLAN. The switch then uses the VLANIF interface and its IP address to communicate with network-layer devices.
command line- interface vlanif {vlan-id}
STP (Spanning Tree Protocol)
Switches connected by redundant links form loops; STP blocks the redundant (backup) links so that the active topology is loop-free, and unblocks them when an active link fails.
STP information and parameters are exchanged in Bridge Protocol Data Units (BPDUs).
The bridge identifier is 2 bytes of priority plus the 6-byte MAC address; the priority range is 0 to 65535, default 32768. The switch with the smallest bridge identifier becomes the root bridge: the lowest priority wins, and with equal priorities the smallest MAC address wins.
The higher the bandwidth of a link, the smaller the port cost.
Root port: on every non-root switch, the port with the lowest path cost to the root switch; it is the one port on that switch that points towards the root.
command line
-stp enable
-stp mode stp
After convergence, root ports and designated ports are in the forwarding state; all other ports are blocked.
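Added example (not from the notes): root-bridge election by bridge identifier, root path cost by link speed, and root/designated/alternate port roles computed centrally for a constructed three-switch triangle. Real switches reach the same result by exchanging BPDUs; the IEEE 802.1t cost table is the Huawei default and an assumption of the example, as are the switch names, MACs and link speeds.

```python
import heapq
from dataclasses import dataclass

# Port cost by link speed (IEEE 802.1t values, the Huawei default): more bandwidth, smaller cost
PATH_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}

def bridge_id(priority: int, mac: str) -> int:
    """2-byte priority (0..65535, default 32768) followed by the 6-byte MAC; the smaller value wins."""
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)

@dataclass
class Link:
    a: str
    port_a: str
    b: str
    port_b: str
    mbps: int

def run_stp(bridges: dict, links: list):
    """bridges: name -> (priority, mac).  Returns (root_name, roles) with
    roles[(bridge, port)] in {'root', 'designated', 'alternate'} (alternate = blocked)."""
    ids = {name: bridge_id(p, m) for name, (p, m) in bridges.items()}
    root = min(ids, key=ids.get)                       # smallest bridge ID: lowest priority, then lowest MAC
    adj = {name: [] for name in bridges}
    for l in links:
        adj[l.a].append((l.b, PATH_COST[l.mbps], l))
        adj[l.b].append((l.a, PATH_COST[l.mbps], l))
    # Root path cost of every bridge (Dijkstra from the root); on equal cost the
    # upstream bridge with the lower bridge ID is preferred, as in the BPDU comparison.
    best = {root: (0, -1, None, None)}                 # bridge -> (cost, upstream id, upstream, link used)
    heap = [(0, -1, root)]
    while heap:
        cost, up_id, node = heapq.heappop(heap)
        if (cost, up_id) > best[node][:2]:
            continue
        for nb, c, l in adj[node]:
            cand = (cost + c, ids[node])
            if nb not in best or cand < best[nb][:2]:
                best[nb] = (cand[0], cand[1], node, l)
                heapq.heappush(heap, (cand[0], cand[1], nb))
    roles = {}
    for l in links:
        for me, my_port, other in ((l.a, l.port_a, l.b), (l.b, l.port_b, l.a)):
            if best[me][3] is l:
                roles[(me, my_port)] = "root"          # this port leads towards the root
            elif best[other][3] is l:
                roles[(me, my_port)] = "designated"    # the far end reaches the root through this port
            else:                                      # redundant link: cheaper / lower-ID end is designated
                mine, theirs = (best[me][0], ids[me]), (best[other][0], ids[other])
                roles[(me, my_port)] = "designated" if mine < theirs else "alternate"
    return root, roles

# constructed triangle: SW2 has the lowest priority, so it becomes the root
BRIDGES = {"SW1": (32768, "00-e0-fc-00-00-01"),
           "SW2": (4096, "00-e0-fc-00-00-02"),
           "SW3": (32768, "00-e0-fc-00-00-03")}
LINKS = [Link("SW1", "E0/1", "SW2", "E0/1", 100),
         Link("SW2", "E0/2", "SW3", "E0/1", 100),
         Link("SW1", "E0/2", "SW3", "E0/2", 1000)]

if __name__ == "__main__":
    root, roles = run_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

The gigabit link between SW1 and SW3 is the cheapest link in the topology, yet it is the one that gets blocked: each of the two switches already reaches the root over a 100 Mbps link at cost 200000, and going through the other switch would add 20000 to that, so the gigabit link is redundant and the end with the larger bridge ID (SW3) blocks its port.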
VRRP
Several routers form one virtual router with a virtual IP address that hosts use as their gateway.
The router with the highest priority becomes master, the others are backups. The priority range is 1 to 254, default 100; the router that owns the virtual IP address as a real interface address (the IP address owner) has the fixed priority 255.
[RTA-Ethernet0/0]vrrp vrid 1 virtual-ip {virtual ip address}
[RTA-Ethernet0/0]vrrp vrid 1 priority 200
[RTA-Ethernet0/0]vrrp vrid 1 track interface Ethernet 1/0 reduced 150
The last command lowers RTA's priority by 150 when Ethernet 1/0 goes down (200 becomes 50), so a backup with the default priority 100 takes over as master.
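Added example (not from the notes): the master election with the priority rules above, including the IP address owner and interface tracking. RTA and RTB match the command lines (priority 200 with a 150 reduction versus the default 100); the addresses, the tie-break by highest interface IP, pre-emption being on, and clamping the reduced priority at 1 are assumptions made for the example.

```python
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100
OWNER_PRIORITY = 255          # fixed for the router that owns the virtual IP as an interface address

def effective_priority(router, virtual_ip, down_interfaces):
    """Configured priority, 255 for the IP address owner, lowered by every tracked interface
    that is down (assumption in this example: never below 1)."""
    if router["ip"] == virtual_ip:
        return OWNER_PRIORITY
    prio = router.get("priority", DEFAULT_PRIORITY)
    for iface, reduced in router.get("track", []):        # vrrp vrid N track interface X reduced R
        if iface in down_interfaces:
            prio -= reduced
    return max(prio, 1)

def elect_master(routers, virtual_ip, down_interfaces=()):
    """Highest effective priority wins; ties go to the highest interface IP address.
    Pre-emption is assumed (the Huawei default), so the winner is the current master.
    Returns (master name, {router: effective priority})."""
    prios = {r["name"]: effective_priority(r, virtual_ip, down_interfaces) for r in routers}
    master = max(routers, key=lambda r: (prios[r["name"]], int(IPv4Address(r["ip"]))))
    return master["name"], prios

# constructed example matching the commands above: RTA priority 200, tracking Ethernet 1/0 (reduced 150)
RTA = {"name": "RTA", "ip": "10.0.0.1", "priority": 200, "track": [("Ethernet 1/0", 150)]}
RTB = {"name": "RTB", "ip": "10.0.0.2"}                       # default priority 100
VIP = "10.0.0.254"

if __name__ == "__main__":
    print(elect_master([RTA, RTB], VIP))                                    # RTA with 200
    print(elect_master([RTA, RTB], VIP, down_interfaces={"Ethernet 1/0"}))  # RTA drops to 50, RTB wins
    print(elect_master([RTA, RTB], "10.0.0.1"))                             # RTA owns the VIP: 255
```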
Module 4 (WAN)
HDLC (High-Level Data Link Control)
-bit-oriented protocol (not character-oriented)
-runs on synchronous serial links
-data is transmitted transparently: a 0 bit is inserted after every five consecutive 1 bits so that no data pattern can be mistaken for the flag (0-bit insertion)
-full duplex
-frames are transmitted continuously without waiting for an acknowledgement after each one
-frame format: (1) flag field (F), (2) address field (A), (3) control field (C), (4) information field (I) and (5) frame check sequence (FCS)
-3 types of frame: (1) information frame, (2) supervisory frame, (3) unnumbered frame
command line
interface serial 0/0/1
link-protocol hdlc
ip address ------ (the interface needs an address; the default link protocol on a serial interface is ppp)
If the serial interface should not get its own address, it can borrow the address of loopback 0:
-loopback 0 with an ip address
command: ip address unnumbered interface loopback 0
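Added example (not from the notes): an HDLC framer that builds F | A | C | I | FCS | F, does the 0-bit insertion and removal described above, and verifies the FCS on decode. The CRC-16/X-25 FCS, the LSB-first bit order and the all-ones test payload are assumptions of the example, chosen because a payload of 1s forces the stuffing to happen.

```python
FLAG = [0, 1, 1, 1, 1, 1, 1, 0]          # 0x7E, the only place six 1s in a row may appear

def crc16_x25(data: bytes) -> int:
    """HDLC FCS: CRC-16/X-25 (poly 0x1021 reflected, init 0xFFFF, final XOR 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(8)]      # LSB of each byte first, as HDLC sends it

def from_bits(bits):
    return bytes(sum(bit << j for j, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def stuff(bits):
    """0-bit insertion: after five consecutive 1s the sender inserts a 0."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b else 0
        if run == 5:
            out.append(0)
            run = 0
    return out

def unstuff(bits):
    """Receiver side: the 0 that follows five consecutive 1s is dropped."""
    out, run, i = [], 0, 0
    while i < len(bits):
        out.append(bits[i])
        run = run + 1 if bits[i] else 0
        i += 1
        if run == 5:
            i += 1            # skip the inserted 0
            run = 0
    return out

def encode_frame(address: int, control: int, info: bytes):
    """F | A | C | I | FCS | F as the list of bits put on the wire."""
    body = bytes([address, control]) + info
    body += crc16_x25(body).to_bytes(2, "little")
    return FLAG + stuff(to_bits(body)) + FLAG

def _find(bits, pattern, start=0):
    n = len(pattern)
    for i in range(start, len(bits) - n + 1):
        if bits[i:i + n] == pattern:
            return i
    return -1

def decode_frame(bits):
    """Locate the flags, undo the stuffing, split the fields and verify the FCS."""
    start = _find(bits, FLAG)
    end = _find(bits, FLAG, start + 8) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    body = from_bits(unstuff(bits[start + 8:end]))
    if len(body) < 4:
        return None
    fcs_ok = crc16_x25(body[:-2]) == int.from_bytes(body[-2:], "little")
    return {"address": body[0], "control": body[1], "info": body[2:-2], "fcs_ok": fcs_ok}

def max_run_of_ones(bits):
    best = run = 0
    for b in bits:
        run = run + 1 if b else 0
        best = max(best, run)
    return best

if __name__ == "__main__":
    # constructed unnumbered-information frame (control 0x03) carrying an all-ones payload
    wire = encode_frame(0xFF, 0x03, b"\xff\xff\xff\xff")
    print("bits on the wire:", "".join(map(str, wire)))
    print(decode_frame(wire))
```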
PPP
-three components: (1) data encapsulation method, (2) Link Control Protocol (LCP) and (3) Network Control Protocol (NCP)
-maximum receive unit (MRU) of PPP: the default MRU is 1500 bytes
-PPP protocol field values: 0x0021 IP datagram, 0xC021 LCP, 0x8021 IPCP
command line is {link-protocol ppp}
-LCP configuration packets, 4 types: (1) Configure-Request, (2) Configure-Ack, (3) Configure-Nak, (4) Configure-Reject
-Configure-Ack: every option in the Configure-Request is acceptable to the receiver.
-Configure-Nak: the receiver recognises every option but does not accept some of the values; it sends back the values it would accept and the requesting router re-sends its request with the new parameters.
-Configure-Reject: some options are unknown to (or not negotiable by) the receiver; the requester removes them and re-sends.
-LCP magic number: each side picks a random magic number. If a router receives a Configure-Request (or an Echo) carrying its own magic number, the link is most likely looped back; this is how loops and similar abnormal cases are detected.
-After establishing a connection, LCP detects the status of the link with Echo-Request and Echo-Reply packets every 10 seconds.
PAP (Password Authentication Protocol)
PAP sends the user name and password in clear text, so CHAP is preferred where both ends support it; "password simple" also stores the password in clear text in the configuration.
Command line
-aaa
-local-user huawei password simple hello
-local-user huawei service-type ppp
-interface serial 0
-link-protocol ppp
-ppp authentication-type pap
-ip address ------
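Added example (not from the notes): the LCP option negotiation described above, with one side judging the other's Configure-Request (Reject for unknown options, Nak with the values it would accept, Ack when everything fits) and the requester adapting and re-sending. It also shows the magic-number loop check: a peer that handles its own request keeps seeing its own magic number and never converges. The option names, the peers and the fixed magic numbers are constructed for the example.

```python
import random

KNOWN_OPTIONS = {"mru", "magic-number", "auth-protocol"}

class LcpPeer:
    """One end of a PPP link; it negotiates its own options and judges the peer's."""

    def __init__(self, name, mru=1500, auth=None, max_mru=1500, accept_auth=("chap", "pap"), magic=None):
        self.name = name
        self.max_mru = max_mru                  # largest MRU this side is willing to accept
        self.accept_auth = accept_auth
        self.options = {"mru": mru, "magic-number": magic if magic is not None else random.getrandbits(32)}
        if auth:
            self.options["auth-protocol"] = auth
        self.extra = {}                         # options this side wants that the peer may not know

    def configure_request(self):
        return {"type": "Configure-Request", "from": self.name, "options": {**self.options, **self.extra}}

    def handle(self, request):
        """Reply to a Configure-Request: Reject unknown options, Nak unacceptable values, else Ack."""
        opts = request["options"]
        unknown = {k: v for k, v in opts.items() if k not in KNOWN_OPTIONS}
        if unknown:
            return {"type": "Configure-Reject", "from": self.name, "options": unknown}
        nak = {}
        if opts.get("mru", 1500) > self.max_mru:
            nak["mru"] = self.max_mru                                   # "use this value instead"
        if "auth-protocol" in opts and opts["auth-protocol"] not in self.accept_auth:
            nak["auth-protocol"] = self.accept_auth[0]
        if opts.get("magic-number") == self.options["magic-number"]:
            # our own magic number came back to us: the link is probably looped; ask for a new one
            nak["magic-number"] = random.getrandbits(32)
        if nak:
            return {"type": "Configure-Nak", "from": self.name, "options": nak}
        return {"type": "Configure-Ack", "from": self.name, "options": dict(opts)}

    def apply(self, reply):
        """Adjust the next request: take the values from a Nak, drop the options of a Reject."""
        if reply["type"] == "Configure-Nak":
            self.options.update(reply["options"])
        elif reply["type"] == "Configure-Reject":
            for k in reply["options"]:
                self.extra.pop(k, None)
                self.options.pop(k, None)

def negotiate(requester, responder, max_rounds=5):
    """Run one direction of LCP until an Ack; returns (converged, list of packet types exchanged)."""
    transcript = []
    for _ in range(max_rounds):
        req = requester.configure_request()
        reply = responder.handle(req)
        transcript += [req["type"], reply["type"]]
        if reply["type"] == "Configure-Ack":
            return True, transcript
        requester.apply(reply)
    return False, transcript

if __name__ == "__main__":
    a = LcpPeer("RTA", mru=1600, auth="pap", magic=0x1111)
    b = LcpPeer("RTB", max_mru=1500, accept_auth=("chap",), magic=0x2222)
    print(negotiate(a, b))          # Nak (mru, auth-protocol), then Ack
    print(negotiate(a, a))          # looped link: every request carries our own magic number
```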
Firewall types
(1) Packet filtering firewall: simple, ACL based, not flexible; every packet is checked against the rules on its own.
(2) Proxy firewall: works at the application level as an intermediate node; it acts as server for the client and as client for the server; high cost (one proxy per application, high load).
(3) Stateful inspection firewall: follows the TCP three-way handshake and records each connection as a session keyed by the five-tuple (source/destination IP address, source/destination port number, protocol number). Only the first packet of a connection is checked against the policy; later packets that match a session pass, packets that belong to no session are restricted. Sessions are deleted when the connection closes or ages out. This also protects against attacks such as floods of packets that belong to no session.
Further firewall functions:
-load balance
-VPN
Firewall zones
-Default zones and priorities:
( ) untrust zone: priority 5, the external network
( ) trust zone: priority 85, the internal network
( ) dmz zone: priority 50, the server farm
( ) local zone: priority 100, the firewall device itself (traffic to or from the firewall)
-Other zones can be created with a priority from 0 to 100.
-The direction is defined by priority: traffic from a high-priority zone to a low-priority zone (e.g. local/trust -> untrust/internet) is outbound; from low to high it is inbound.
command line
[FW]firewall zone name userzone
Up to 16 zones; 4 of them exist by default, 16-2=14 zones can be created.
Up to 1024 interfaces per zone.
security policy
policy interzone trust untrust inbound
policy source any
action permit
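Added example (not from the notes): a stateful interzone firewall as described in the two sections above. Zones are assigned to address ranges, the direction of a flow follows from the zone priorities, the first packet of a connection (a pure TCP SYN) is matched against the interzone policies in order with deny as the default, and later packets in either direction pass only because a session exists. The networks, policies and packets are constructed for the example; the service names are this example's own small table.

```python
from ipaddress import ip_address, ip_network

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "dns": ("udp", 53)}

def direction(src_zone, dst_zone):
    """High priority -> low priority is outbound, low -> high is inbound."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

class StatefulFirewall:
    def __init__(self, zone_networks):
        # zone -> list of networks; the longest prefix decides which zone an address belongs to
        self.nets = sorted(((ip_network(n), z) for z, ns in zone_networks.items() for n in ns),
                           key=lambda t: t[0].prefixlen, reverse=True)
        self.policies = []          # evaluated in order; no match = deny (default interzone policy)
        self.sessions = set()       # five-tuples of permitted connections

    def zone_of(self, ip):
        return next(z for n, z in self.nets if ip_address(ip) in n)

    def policy(self, zone1, zone2, dirn, action, source="any", destination="any", service="any"):
        """policy interzone <zone1> <zone2> <dirn> / policy source|destination / policy service / action"""
        self.policies.append((frozenset((zone1, zone2)), dirn, action,
                              None if source == "any" else ip_network(source),
                              None if destination == "any" else ip_network(destination),
                              None if service == "any" else SERVICES[service]))

    def _policy_action(self, src, dst, proto, dport):
        sz, dz = self.zone_of(src), self.zone_of(dst)
        dirn = direction(sz, dz)
        for zones, pdir, action, s, d, svc in self.policies:
            if zones != {sz, dz} or pdir != dirn:
                continue
            if s and ip_address(src) not in s:
                continue
            if d and ip_address(dst) not in d:
                continue
            if svc and svc != (proto, dport):
                continue
            return action
        return "deny"

    def packet(self, src, sport, dst, dport, proto="tcp", syn=False, ack=False):
        """Returns how the packet is handled. Only the first packet of a connection
        (a pure TCP SYN, or the first UDP datagram) is checked against policy;
        everything else must match an existing session in either direction."""
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if key in self.sessions or reverse in self.sessions:
            return "pass (session)"
        if proto == "tcp" and not (syn and not ack):
            return "drop (no session for non-SYN packet)"
        action = self._policy_action(src, dst, proto, dport)
        if action == "permit":
            self.sessions.add(key)
            return "permit (session created)"
        return "deny (policy)"

def demo_firewall():
    """Constructed deployment: trust 192.168.1.0/24, dmz 10.1.1.0/24, everything else untrust."""
    fw = StatefulFirewall({"trust": ["192.168.1.0/24"], "dmz": ["10.1.1.0/24"], "untrust": ["0.0.0.0/0"]})
    fw.policy("trust", "untrust", "outbound", "permit")                       # inside hosts may go out
    fw.policy("dmz", "untrust", "inbound", "deny", destination="10.1.1.0/24", service="ftp")
    fw.policy("dmz", "untrust", "inbound", "permit", destination="10.1.1.0/24")
    return fw

if __name__ == "__main__":
    fw = demo_firewall()
    print(fw.packet("192.168.1.10", 40000, "8.8.8.8", 80, syn=True))               # permit, session
    print(fw.packet("8.8.8.8", 80, "192.168.1.10", 40000, syn=True, ack=True))     # reply rides the session
    print(fw.packet("8.8.8.8", 1234, "192.168.1.10", 22, syn=True))               # no inbound policy: deny
    print(fw.packet("203.0.113.5", 3333, "10.1.1.20", 21, syn=True))               # ftp to the dmz: deny
```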
USG firewall working modes
( ) route mode ( ) transparent mode ( ) composite mode
(1) Route mode: the firewall's internal and external interfaces each get an IP address on different subnets, so the firewall works like a router. ACL packet filtering, ASPF (state-based packet filtering, dynamic filtering) and NAT are available in this mode.
(2) Transparent mode: the firewall works like a switch; it is plug and play, the internal and external networks stay on the same subnet and no interface IP address needs to be configured. STP is supported so that loops can be handled.
(3) Composite mode: used for hot backup of two firewalls. Interfaces with a physical IP address work in route mode and run VRRP between the two devices, while the other interfaces work in transparent mode, so the internal and external networks stay on the same subnet and the two devices back each other up.
ACL applications
1. packet filtering
2. NAT (network address translation)
3. IPSec
4. QoS
An ACL rule matches on fields of the IP packet header:
Basic ACL 2000 ~ 2999 (source IP address)
Advanced ACL 3000 ~ 3999 (source/destination address, port, protocol, priority)
Layer-2 ACL 4000 ~ 4999 (source MAC and destination MAC)
Firewall ACL 5000 ~ 5499 (source address, destination address, destination port)
Note: within the same ACL group, rules are checked in ascending order of rule ID: the smallest rule ID has the highest priority and the first matching rule decides.
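Added example (not from the notes): an ACL model with the number ranges above, Huawei-style wildcard masks (0 = bit must match, 1 = bit ignored) and matching in ascending rule-ID order, so a rule added later with a lower ID still wins. The ACL 3001 rules and packets are constructed; what happens to an unmatched packet is left to the caller, as it depends on the feature that uses the ACL.

```python
from ipaddress import IPv4Address

def acl_kind(number: int) -> str:
    """The ACL number range decides what its rules may match on."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 4000 <= number <= 4999:
        return "layer2"
    if 5000 <= number <= 5499:
        return "firewall"
    raise ValueError(f"ACL number {number} outside the known ranges")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits must match, 1 bits are ignored (0.0.0.255 = whole /24, 0.0.0.0 = one host)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

class Acl:
    def __init__(self, number: int):
        self.number, self.kind = number, acl_kind(number)
        self.rules = {}                                    # rule id -> rule

    def rule(self, rule_id, action, source=None, destination=None, protocol=None, dport=None):
        """rule <id> permit|deny [ip|tcp|udp] [source A W] [destination A W] [destination-port eq N]"""
        if self.kind == "basic" and (destination or protocol or dport):
            raise ValueError("a basic ACL (2000-2999) can only match on the source address")
        self.rules[rule_id] = dict(action=action, source=source, destination=destination,
                                   protocol=protocol, dport=dport)

    def evaluate(self, src, dst=None, protocol="ip", dport=None):
        """Rules are tried in ascending rule-ID order; the first match wins.
        Returns (action, rule id), or (None, None) when nothing matches."""
        for rid in sorted(self.rules):                     # smallest rule id = highest priority
            r = self.rules[rid]
            if r["source"] and not wildcard_match(src, *r["source"]):
                continue
            if r["destination"] and (dst is None or not wildcard_match(dst, *r["destination"])):
                continue
            if r["protocol"] not in (None, "ip") and r["protocol"] != protocol:
                continue
            if r["dport"] is not None and r["dport"] != dport:
                continue
            return r["action"], rid
        return None, None

def demo_acl():
    """Constructed advanced ACL: block telnet from the LAN to one server, allow the rest from the LAN."""
    acl = Acl(3001)
    acl.rule(5, "deny", protocol="tcp", source=("192.168.1.0", "0.0.0.255"),
             destination=("10.0.0.1", "0.0.0.0"), dport=23)
    acl.rule(10, "permit", protocol="ip", source=("192.168.1.0", "0.0.0.255"))
    return acl

if __name__ == "__main__":
    acl = demo_acl()
    print(acl.evaluate("192.168.1.5", "10.0.0.1", "tcp", 23))    # ('deny', 5)
    print(acl.evaluate("192.168.1.5", "10.0.0.1", "tcp", 80))    # ('permit', 10)
    print(acl.evaluate("172.16.0.9", "10.0.0.1", "tcp", 23))     # (None, None)
```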
NAPT (network address and port translation) maps many private IP addresses to a single public IP by translating the source port as well, so several inside hosts share one public address. nat server does the reverse: a static mapping of a public address (or address and port) to an internal server.
-[USG2100] nat server global 202.168.0.10 inside 192.168.1.100
-[USG2100] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
-[USG2100] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
The interzone policy still decides whether the translated traffic is allowed; here FTP from untrust to the 192.168.1.0/24 servers in the dmz is denied:
-[USG2100]policy interzone dmz untrust inbound
-[USG2100-policy-interzone-dmz-untrust-inbound]policy 1
-[USG2100-policy-interzone-dmz-untrust-inbound-1]policy destination 192.168.1.0 mask 24
-[USG2100-policy-interzone-dmz-untrust-inbound-1]policy service service-set ftp
-[USG2100-policy-interzone-dmz-untrust-inbound-1]action deny
-[USG2100]display nat-policy all
-[USG2100]dis nat address-group
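Added example (not from the notes): a NAT gateway model with both functions from this section: source NAPT that lets two inside hosts using the same source port share one public address (the second one is moved to the next free port, and the return packet is mapped back by that port), and the three nat server mappings from the command lines above for inbound connections. The public address 202.168.0.1, the outside hosts and the port-allocation strategy are assumptions of the example.

```python
class NatGateway:
    """Source NAPT for outbound connections plus static 'nat server' mappings for inbound ones."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.outbound = {}        # (inside ip, inside port, proto) -> public port
        self.inbound = {}         # (public port, proto) -> (inside ip, inside port)
        self.servers = {}         # (global ip, global port or None, proto or None) -> (inside ip, inside port or None)

    def nat_server(self, global_ip, inside_ip, proto=None, global_port=None, inside_port=None):
        """nat server [protocol tcp] global G [gport] inside I [iport]; without ports the whole address maps."""
        self.servers[(global_ip, global_port, proto)] = (inside_ip, inside_port)

    def _allocate(self, inside_ip, inside_port, proto):
        key = (inside_ip, inside_port, proto)
        if key in self.outbound:
            return self.outbound[key]
        # keep the original port when it is free, otherwise take the next free one in the range
        cand = inside_port if self.lo <= inside_port <= self.hi else self.lo
        for _ in range(self.hi - self.lo + 1):
            if (cand, proto) not in self.inbound:
                self.outbound[key] = cand
                self.inbound[(cand, proto)] = (inside_ip, inside_port)
                return cand
            cand = cand + 1 if cand < self.hi else self.lo
        raise RuntimeError("NAPT port pool exhausted")

    def translate_out(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Private source -> (public ip, public port); many inside hosts share the one public address."""
        return (self.public_ip, self._allocate(src_ip, src_port, proto), dst_ip, dst_port, proto)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Public destination -> inside host, via a NAPT binding or a nat server entry; None = dropped."""
        if dst_ip == self.public_ip and (dst_port, proto) in self.inbound:
            ip, port = self.inbound[(dst_port, proto)]
            return (src_ip, src_port, ip, port, proto)
        for (gip, gport, gproto), (iip, iport) in self.servers.items():
            if gip == dst_ip and gproto in (None, proto) and gport in (None, dst_port):
                return (src_ip, src_port, iip, iport if iport is not None else dst_port, proto)
        return None

def demo_nat():
    gw = NatGateway("202.168.0.1")
    # the three nat server lines from the notes (ftp = port 21)
    gw.nat_server("202.168.0.10", "192.168.1.100")
    gw.nat_server("202.168.0.11", "192.168.1.101", proto="tcp", global_port=80, inside_port=8080)
    gw.nat_server("202.168.0.12", "192.168.1.102", proto="tcp", global_port=1021, inside_port=21)
    return gw

if __name__ == "__main__":
    gw = demo_nat()
    print(gw.translate_out("192.168.1.10", 40000, "8.8.8.8", 53, "udp"))   # keeps port 40000
    print(gw.translate_out("192.168.1.11", 40000, "8.8.8.8", 53, "udp"))   # port clash -> 40001
    print(gw.translate_in("8.8.8.8", 53, "202.168.0.1", 40001, "udp"))     # back to 192.168.1.11:40000
    print(gw.translate_in("203.0.113.9", 5555, "202.168.0.11", 80))         # nat server -> 192.168.1.101:8080
```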