Router(config-if)#encapsulation hdlc
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication
{chap | chap pap | pap chap | pap}
Presentation
Session
Transport
Network: IP/IPX/AppleTalk, etc.
Data-Link: Frame Relay
Physical: EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
Frame Relay Terminology
Selecting a Frame Relay Topology
• Problem:
– Broadcast traffic must be replicated for
each active connection.
– Split-horizon rule prevents routing updates received on
one interface from being forwarded out the same interface.
Resolving Reachability Issues
– Use LMI to get locally significant DLCI from the Frame Relay
switch.
– Use Inverse ARP to map the local DLCI to the remote router’s
network layer address.
Frame Relay Signaling
Router#clear frame-relay-inarp
• Clears dynamically created Frame Relay maps, created by using Inverse ARP
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
E1 Sample Configuration
Router(config)#controller E1 3/0
Router(config-controller)# framing crc4
Router(config-controller)# linecode hdb3
Router(config-controller)# pri-group timeslots 1-31
Router(config-controller)#interface Serial3/0:15
Router(config-if)# isdn switch-type primary-net5
Router(config-if)# no cdp enable
Verifying the ISDN Configuration
Router#show isdn active
Benefits of NAT
• You need to connect to the Internet and your hosts don’t have globally unique IP addresses.
• You change to a new ISP that requires you to renumber your network.
• You need to merge two intranets with duplicate addresses.
Where NAT is typically configured
Basic NAT
Three types of NAT
• Static
• Dynamic
• Overloading
Static NAT
Let’s take a look at a simple basic static NAT
configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
Dynamic NAT
Here is a sample output of a dynamic NAT
configuration:
ip nat pool todd 170.168.2.2 170.168.2.254
netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
Port Address Translation
PAT
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1
netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
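To make the difference between the three configurations above concrete, here is an added Python model (not from the slides or from Cisco) of how each NAT type builds and uses its translation table: static entries answer inbound traffic at all times, dynamic pool entries exist only after an inside host has started a flow and drop new hosts once the pool is used up, and overload (PAT) shares one global address by allocating ports. The inside network, pool addresses and static mapping are taken from the page's configs; the starting PAT port 1024 is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three NAT types on the slides: static (fixed one-to-one),
# dynamic (one-to-one from a pool) and overload/PAT (one global address, hosts told
# apart by port). Addresses and the 10.1.1.0/24 ACL range come from the page's configs.
class NatTable:
    def __init__(self, mode, inside_net, pool, static=None):
        self.mode = mode                                 # "static" | "dynamic" | "overload"
        self.inside_net = ip_network(inside_net)         # access-list 1 permit range
        self.pool = [ip_address(a) for a in pool]        # ip nat pool addresses
        self.static = {ip_address(k): ip_address(v) for k, v in (static or {}).items()}
        self.dynamic = {}        # inside local -> inside global
        self.pat = {}            # (inside local, port) -> (inside global, port)
        self.next_port = 1024    # assumed first port PAT allocates

    def outbound(self, local_ip, port):
        """Inside -> outside: (global_ip, global_port), or None when no translation
        applies (no static entry, ACL miss) or the packet is dropped (pool exhausted)."""
        local = ip_address(local_ip)
        if self.mode == "static":
            g = self.static.get(local)
            return (str(g), port) if g else None
        if local not in self.inside_net:
            return None                      # not matched by access-list 1
        if self.mode == "dynamic":
            if local not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None              # pool exhausted: IOS drops the packet
                self.dynamic[local] = free[0]
            return (str(self.dynamic[local]), port)
        key = (local, port)                  # overload: everyone shares pool[0]
        if key not in self.pat:
            self.pat[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        g, gport = self.pat[key]
        return (str(g), gport)

    def inbound(self, global_ip, port):
        """Outside -> inside: only static entries and translations already created by
        inside hosts match; any other inbound packet to a NAT address is dropped."""
        g = ip_address(global_ip)
        if self.mode == "overload":
            hit = {v: k for k, v in self.pat.items()}.get((g, port))
            return (str(hit[0]), hit[1]) if hit else None
        table = self.static if self.mode == "static" else self.dynamic
        hits = [local for local, glob in table.items() if glob == g]
        return (str(hits[0]), port) if hits else None
```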
The MPLS Conceptual Model
Basic MPLS Features
– MPLS is a switching mechanism in which packets are
forwarded based on labels.
– Labels usually correspond to IP destination networks
(equal to traditional IP forwarding).
– Labels can also correspond to other parameters:
• Layer 3 VPN destination
• Layer 2 circuit
• Outgoing interface on the egress router
• QoS
• Source address
– MPLS was designed to support forwarding of non-IP
protocols as well.
Basic MPLS Concepts Example
Component       Functions
Control plane   • Exchanges routing information
                • Exchanges labels
Data plane      • Forwards packets (LSRs and edge LSRs)
Component Architecture of LSR
Component Architecture of Edge LSR
Summary
– MPLS is a switching mechanism that uses labels to forward
packets. The result of using labels is that only edge routers
perform a routing lookup; all the core routers simply forward
packets based on labels assigned at the edge.
– MPLS consists of two major components: control plane and data
plane.
– MPLS uses a 32-bit label field that contains label, experimental
field, bottom-of-stack indicator, and TTL field.
– LSR is a device that forwards packets primarily based on labels.
– Edge LSR is a device that labels packets or removes labels from
packets.
– Exchange routing information and exchange labels are part of
the control plane, while forward packets is part of the data
plane.
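The 32-bit label field and the "core routers only forward on labels" point in the summary can be shown in code. The following Python is an added example (not from the slides); it uses the standard label entry layout from RFC 3032 (label 20 bits, EXP 3 bits, bottom-of-stack 1 bit, TTL 8 bits) and a constructed LFIB mapping an incoming label to an outgoing interface and label.

```python
import struct

# Added example, not from the slides: the 32-bit MPLS label stack entry the summary
# describes (label 20 bits, EXP 3 bits, bottom-of-stack 1 bit, TTL 8 bits, per
# RFC 3032) plus the core-LSR step that swaps labels without any IP lookup.
def encode_entry(label, exp, bottom, ttl):
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_entry(data):
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

def parse_stack(data):
    """Read entries until the bottom-of-stack bit is set; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past end of packet")
        entry = decode_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]

def core_lsr_forward(packet, lfib):
    """Swap the top label via the LFIB (constructed: in_label -> (out_if, out_label))
    and decrement TTL. Returns (out_if, packet) or None when the packet is dropped."""
    entries, payload = parse_stack(packet)
    top = entries[0]
    if top["label"] not in lfib or top["ttl"] <= 1:
        return None                  # unknown label or TTL expired: drop, no IP lookup
    out_if, out_label = lfib[top["label"]]
    new_top = dict(top, label=out_label, ttl=top["ttl"] - 1)
    stack = b"".join(encode_entry(e["label"], e["exp"], e["bottom"], e["ttl"])
                     for e in [new_top] + entries[1:])
    return out_if, stack + payload
```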
The Procedure to Configure MPLS
The Procedure to Configure MPLS
1. Configure CEF
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Configuring IP CEF
Step 1: Configure CEF
1. Configure CEF:
• Start CEF switching to create the FIB table
• Enable CEF switching on all core interfaces
2. Configure MPLS on a frame mode interface
3. (Optional) Configure the MTU size in label switching
Step 1: Configure CEF (Cont.)
Router(config)#
ip cef [distributed]
– Peer-to-peer VPN:
• The service provider participates in customer routing.
• The service provider becomes responsible for customer convergence.
• PE routers carry all routes from all customers.
• The service provider needs detailed IP routing knowledge.
Drawbacks of Peer-to-Peer VPNs
– Shared PE router:
• All customers share the same (provider-assigned or public) address space.
• High maintenance costs are associated with packet filters.
• Performance is lower—each packet has to pass a packet filter.
– Dedicated PE router:
• All customers share the same address space.
• Each customer requires a dedicated router at each POP.
MPLS VPN Architecture
MPLS VPN Architecture
• An MPLS VPN combines the best features of
an overlay VPN and a peer-to-peer VPN:
– PE routers participate in customer routing,
guaranteeing optimum routing between sites and
easy provisioning.
– PE routers carry a separate set of routes for each
customer (similar to the dedicated PE router
approach).
– Customers can use overlapping addresses.
MPLS VPN Architecture: Terminology
PE Router Architecture
IPsec VPNs
Security level (bits)   RSA/DH modulus size (bits)
80                      1024
112                     2048
128                     3072
192                     7680
256                     15,360
Security Level of Cryptographic Algorithms
Security Level   Work Factor   Algorithms
Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
– IPsec VPNs can experience any one of a number of different types of failures:
• Access link failure
• Remote peer failure
• Device failure
• Path failure
– IPsec should be designed and implemented with redundancy and high-availability
mechanisms to mitigate these failures.
Redundancy
• Native IPsec uses DPD to detect failures in the path and remote peer failure.
• Any form of GRE over IPsec typically uses a routing protocol to detect failures
(hello mechanism).
• HSRP is typically used to detect failures of local devices. VRRP and GLBP have
similar failure-detection functionality.
Dead Peer Detection
– IKE keepalives:
• Keepalives in periodic intervals
– DPD:
• Keepalives in periodic intervals if no data transmitted
• On-demand option
IPsec Backup Peer
IPsec Backup Peer
– IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.
– Switchover options:
• Using an IGP (e.g., GRE over IPsec or VTI):
– Use IGP metrics to influence primary path selection
– Optionally, use HSRP to track PVC status on remote site
• Using floating static routes for VPN destinations
Backing Up a WAN Connection with an IPsec VPN: Example Using GRE over IPsec
– IGP used to detect PVC failures
– Reroute to GRE over IPsec tunnel
Summary
– High availability requires two components:
• Redundant device, links, or paths
• High availability mechanisms to detect failures and reroute
– Native IPsec can be configured with backup peers in
crypto maps in combination with DPD.
– HSRP can be used instead of backup peers.
– IPsec stateful failover can augment HSRP to minimize
downtime upon head-end device failures.
– IPsec VPNs can be used as a backup for other types of
networks.
IPsec VPNs
– The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP
proposals to the Easy VPN Server.
– To reduce manual configuration on the VPN client, these ISAKMP proposals include several
combinations of the following:
• Encryption and hash algorithms
• Authentication methods
• Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server
Accepts the SA Proposal
– If the Easy VPN Server is configured for Xauth, the VPN client waits for a
username/password challenge:
• The user enters a username/password combination.
• The username/password information is checked against authentication entities using AAA.
– All Easy VPN Servers should be configured to enforce user authentication.
Step 5: The Mode Configuration
Process Is Initiated
– If the Easy VPN Server indicates successful authentication, the VPN client requests the
remaining configuration parameters from the Easy VPN Server:
• Mode configuration starts.
• The remaining system parameters (IP address, DNS, split tunneling information,
and so on) are downloaded to the VPN client.
– Remember that the IP address is the only required parameter in a group profile; all
other parameters are optional.
Step 6: The RRI Process Is Initiated
Router(config-if)#
ntp broadcast client
• Receives NTP broadcast packets
Router(config)#
ntp source interface
• Modifies the source IP address of NTP packets
Source(config)#ntp master 5
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0
• TACACS+
• RADIUS
Configure AAA Login Authentication on Cisco Routers Using CLI
AAA Authentication Commands
Router(config)#
Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
login authentication my_list
• Because the authentication has not been specified for line con 0 and
aux 0, the default option will be used.
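The point that lines without an explicit list fall back to the default list is easy to get wrong in a long running-config, so here is an added Python check (not IOS output and not from the slides) that parses the method lists and line blocks from a constructed config mirroring the one above, resolves which list each line uses, and flags lists that have no local fallback (lockout when every AAA server is unreachable) or that end in none.

```python
import re

# Constructed running-config mirroring the slide's AAA example; the audit below is an
# added defender-side check (not IOS output) of which login list each line ends up with.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
!
line con 0
line aux 0
line vty 0 4
 login authentication my_list
"""

def parse_login_lists(config):
    """Map method-list name -> ordered methods; 'group X' is kept as one method."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def line_auth_lists(config):
    """Map each 'line ...' block to its login list; 'default' applies when none is set."""
    result, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[5:]
            result[current] = "default"
        elif current and text.startswith("login authentication "):
            result[current] = text.split()[-1]
    return result

def audit(config):
    """Return {line: (list_name, methods, warning)}; warning is None when the list is sane."""
    lists, report = parse_login_lists(config), {}
    for line_name, list_name in line_auth_lists(config).items():
        methods = lists.get(list_name)
        if methods is None:
            warning = "method list not defined"
        elif "none" in methods:
            warning = "falls through to no authentication"
        elif all(m.startswith("group ") for m in methods):
            warning = "no local fallback if AAA servers are unreachable"
        else:
            warning = None
        report[line_name] = (list_name, methods, warning)
    return report
```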
Verifying AAA Login Authentication Commands
aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
login authentication radius_local
Troubleshoot AAA Login Authentication on Cisco Routers
router#
debug aaa authentication
router(config)#
aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
Authorization Example
R2#show running-config
...
aaa new-model
!
aaa authentication login default local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
...
username admin password 0 cisco123
Troubleshooting Authorization
router#
router(config)#
aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
AAA Accounting Example