C C N A Day4

3,599 views
3,544 views

Published on

C C N A Day4

0 Comments
9 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,599
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
9
Embeds 0
No embeds

No notes for slide
  • Emphasize: The next few slides discuss the basic function of a bridge/switch: 1. How it learns the location of the hosts by reading the source MAC address of incoming frames. 2. How it makes forwarding/filtering decisions. There are three conditions in which a switch will flood a frame out on all ports except to the port on which the frame came in, as follows: Unknown unicast address Broadcast frame Multicast frame 3. How STP is used to avoid loops in a switched/bridged network.
  • Slide 1 of 3 Emphasize: The 1900en max MAC address table size is 1024. Once the table is full, it will flood all new addresses until existing entries age out. The command to change the MAC address table aging time is, as follows: wg_sw_a(config)# mac-address-table aging-time ? <10-1000000> Aging time value The default is 300 sec. The MAC address table is also referred to as the CAM table (Content Address Memory) on some switches.
  • Slide 2 of 3
  • Slide 3 of 3 Emphasize: Once C replies, the switch will also cache station C’s MAC address to port E2, as shown in the next slide.
  • The server in the figure sends a unicast frame to Router C. Since it’s a unicast frame, Switch A forwards the frame, and Switch B provides the same service—it forwards the unicast. This is bad because it means that Router C receives that unicast frame twice, causing additional overhead on the network.one: The MAC address filter table will be totally confused about the device’s location because the switch can receive the frame from more than one link.
  • Emphasize: A looped topology is often desired to provide redundancy, but looped traffic is undesirable. The Spanning-Tree protocol was originally designed for bridges. Today, it is also applied to LAN switches and routers operating as a bridge. Spanning-Tree protocol ensures that all bridged segments are reachable but any points where loops occur will be blocked.
  • a company called Digital Equipment Corporation (DEC) created the original version of Spanning Tree Protocol (STP) . The IEEE later created its own version of STP called 802.1D. All Cisco switches run the IEEE 802.1D version of STP, which isn’t compatible with the DEC version. STP uses the spanning-tree algorithm (STA) to first create a topology database, then search out and destroy redundant links.
  • Emphasize: Using the default Spanning-Tree protocol timers setting, the times it takes to go from the blocking state to the forwarding state is 50 sec (20 + 15 + 15). Blocking A blocked port won’t forward frames; it just listens to BPDUs. The purpose of the blocking state is to prevent the use of looped paths. All ports are in blocking state by default when the switch is powered up. Listening The port listens to BPDUs to make sure no loops occur on the network before passing data frames. A port in listening state prepares to forward data frames without populating the MAC address table. Learning The switch port listens to BPDUs and learns all the paths in the switched network. A port in learning state populates the MAC address table but doesn’t forward data frames. Forwarding The port sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the learning state, it enters this state. Disabled A port in the disabled state (administratively) does not participate in the frame forwarding or STP. A port in the disabled state is virtually nonoperational. Switch ports are most often in either the blocking or forwarding state. A forwarding port is one that has been determined to have the lowest (best) cost to the root bridge. But when and if the network experiences a topology change (because of a failed link or because someone adds in a new switch), you’ll find the ports on a switch in listening and learning states.
  • BPDUs are sent every two seconds, BPDUs are sent every two seconds, If more than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link.The lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower advertising bridge ID is used. Since multiple links can be from the same device, the lowest port number will be used.
  • Emphasize: By default, the switch with the lowest MAC address will be the root bridge. Note: The Catalyst switches support an instance of spanning tree per VLAN. Each VLAN will use a unique MAC address for spanning tree purposes. On the Catalyst 1900, the address it uses for spanning tree is the MAC address on the various ports. VLAN is discussed in the next chapter. The IEEE 802.1d specification specifies for a 16-bit priority field. The Catalyst 1900 switch only supports the 802.1d Spanning-Tree protocol. The default priority on the Catalyst 1900 is 32768 in decimal or 8000 in hex, the midrange value. BPDU contain the following fields: Protocol ID version Message type Flags Root ID Cost of path Bridge ID Port ID Message age Max age Hello time Forward delay
  • Emphasize: The three general rules when dealing with STP are as follows: 1. One root bridge per network. The root is the bridge with the lowest bridge ID. All the ports on the root bridge are designated ports (forwarding). 2. For every non-root bridge, there is a root port (forwarding). The root port is the port with the lowest accumulated path cost to the root bridge. 3. For every segment, there is only one designated port. The designated port forwards traffic for the segment. The designated port has the lowest accumulated path cost to the root bridge.
  • Selecting the Root Port If more than one link leads to the root bridge, then cumulative outbound port costs along the path to the root bridge becomes the factor used to determine which port will be the root port
  • Emphasize: The three general rules when dealing with STP are as follows: 1. One root bridge per network. The root is the bridge with the lowest bridge ID. All the ports on the root bridge are designated ports (forwarding). 2. For every non-root bridge, there is a root port (forwarding). The root port is the port with the lowest accumulated path cost to the root bridge. 3. For every segment, there is only one designated port. The designated port forwards traffic for the segment. The designated port has the lowest accumulated path cost to the root bridge.
  • Series – 1900 – Stopped 2900 – Will be used in LAB 3500 – layer 3 Switch
  • When the 1900 switch is first powered on, it runs through a power-on self-test (POST). At first, all port LEDs are green, and if upon completion the POST determines that all ports are in good shape, all the LEDs blink and then turn off. But if the POST finds a port that has failed, both the System LED and the port’s LED turn amber.
  • There are several benefits to using VLANs, including: 1. Increased performance 2. Improved manageability 3. Network tuning and simplification of software configurations 4. Physical topology independence 5. Increased security options Increased performance Switched networks by nature will increase performance over shared media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks will also increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic will need to be routed, and the latency added by routers will be reduced.
  • Purpose: Emphasize: A VLAN is a broadcast domain. Note: In order to have inter-VLAN communications, a router is required.
  • Note: Once a port has been assigned to a VLAN, it cannot send or receive traffic from devices in another VLAN without the intervention of a Layer 3 device like a router. The 1900 can’t be configure as the VMPS. A CiscoWorks 2000 or CWSI management station or a Catalyst 5000 switch can be configured as the VMPS. In the future, dynamic VLANs may also offer membership based on other criteria such as protocol or application. Dynamic VLANs are covered in the Managing Cisco Switched Internetworks class.
  • VMPS VMP S is a server process that supports dynamic ports. Dynamic ports enable end-user nodes to remain on the same VLAN after being moved and plugged into another physical port without the intervention of manual port reconfiguration. To support dynamic ports, there must be at least one Catalyst 5000 switch running VMPS per domain on the network. When a workstation or other end-user node is attached to a dynamic port, the switch uses VMPS information to assign that port to a particular VLAN based on the MAC address of the network interface card in the device. When the device is moved and plugged into another port, VMPS provides configuration information from the MAC-VLAN mapping that allows the device to remain on the same VLAN as before without manual reconfiguration. Without VMPS, each port is statically assigned to a single VLAN. Changing the VLAN assigned to a static port requires manually changing the VLAN assignment of the port. Thus, when you most a device and connect it to a different port, you need to manually reconfigure the port. You can use VlanDirector, CiscoView, or the command-line interface to do this reconfiguration; with VMPS, however, it is automatic.
  • Layer 3 of 3 Emphasize: A trunk is used to connect two switches together. A trunk carries traffic for multiple VLANs. Only the Fast Ethernet ports on the 1900 can be configured as trunk port. Trunking is off by default on the 1900 Fast Ethernet ports (fa 0/26 and fa 0/27). Note: The 1900 supports DISL. At the time of the beta, the core switch (2900xl) doesn’t support DISL.
  • Access port – single VLAN Trunk – Between switches and cannot be part of only one VLAN Trunk port can carry multiple VLANS Creating VLAN on each port should be consistent Port can be anything Trunk port is a fastethernet port Since trunk need to carry this to all VLAN’s there should be an ID This ID is frame Tagging
  • Trunking allows you to make a single port part of multiple VLANs at the same time. This can be a real advantage. For instance, you can actually set things up to have a server in two broadcast domains simultaneously, so that your users won’t have to cross a layer 3 device (router) to log in and access it.
  • The basic purpose of ISL and 802.1Q frame-tagging methods is to provide inter-switch VLAN communication..
  • Note: The 1900 only supports ISL trunking. ISL is Cisco proprietary. 802.1Q is an IEEE standard. Other trunk types: LANE (VLANSs over ATM) 802.10 (FDDI trunk)
  • Two Switches are connected and there are four hosts machines Configure 4 VM with 10.0.0.1 to 10.0.0.4 Ping and see all are pining Have connected thru switches and connect switches using cross cable Create VLAN red and blue on both Switches Now see only the same VLAN’s can communicate
  • Notes: VTP is a Cisco proprietary feature. VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. A VTP domain (also called a VLAN management domain) is one switch or several interconnected switches sharing the same VTP domain. A switch is configured to be in only one VTP domain. You make global VLAN configuration changes for the domain by using the Cisco IOS command-line interface (CLI), Cisco Visual Switch Manager Software, or Simple Network Management Protocol (SNMP). By default, a 1900 switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link or you configure a management domain. The default VTP mode is server mode, but VLANs are not propagated over the network until a management domain name is specified or learned. If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and configuration revision number. The switch then ignores advertisements with a different management domain name or an earlier configuration revision number. When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are transmitted out all trunk connections, including Inter-Switch Link (ISL), IEEE 802.1Q, IEEE 802.10, and ATM LAN Emulation (LANE). If you configure a switch from VTP transparent mode, you can create and modify VLANs, but the changes are not transmitted to other switches in the domain, and they affect only the individual switch.
  • Emphasize: Default VTP mode on the Catalyst switches is server. Be careful when adding new switches into an existing network. This is covered in more detail later.
  • Layer 2 of 2 Emphasize: The latest revision number is what the switches will synchronize to.
  • Emphasize: VTP prunning provides optimized flooding. Without VTP prunning, station A’s broadcast will be flooded to all switches whether they have any port in the red VLAN or not. Note: VLAN1 can’t be prunned. STP, CDP, VTP updates are sent on VLAN1. All switches in the switched network must support prunning or prunning will be disabled. Each trunk port maintains a state variable per VLAN indicating if the switch has any port assigned to a particular VLAN or not.
  • Be cautious when adding a new switch into an existing domain. Add a new switch in a Client mode to get the last up-to-date information from the network then convert it to Server mode. Add all new configurations to switch in transparent mode and check your configuration well then convert it to Server mode to prevent the switch from propagating incorrect VLAN information. Notes: All switches in a VTP domain must run the same VTP version. The password entered with a domain name should be the same for all switches in the domain. If you configure a VTP password, the management domain will not function properly if you do not assign the management domain password to each switch in the domain. A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1, provided version 2 is disabled on the version 2-capable switch (version 2 is disabled by default). Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2-capable. When you enable version 2 on a switch, all of the version 2-capable switches in the domain must have version 2 enabled. If there is a version 1-only switch, it will not exchange VTP information with switches with version 2 enabled. If there are Token Ring networks in your environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly. Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain. In the lab, all the switches are set to VTP transparent mode.
  • Layer 2 of 2 Note: The two commands shown in the slide can also be combined into one command: vtp domain switchlab transparent
  • What Does NAT Do? NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.
  • Like static NAT, the NAT router creates a one-to-one mapping between an inside local and inside global address and changes the IP addresses in packets as they exit and enter the inside network. However, the mapping of an inside local address to an inside global address happens dynamically.
  • There should be router 2600 configured To verify whether router supports IP NAT static go to config and # IP NAT inside source ? (there should be a static Entry) Configure router 2600 with an IP address on Fastethernet port 10.0.0.254 and Serial 0/0 200.0.0.1, need not to connect any cables, configure IP and no shut then see the above commands
  • There should be router 2600 configured Configure router 2600 with an IP address on Fastethernet port 10.0.0.254 and Serial 0/0 200.0.0.1, need not to connect any cables, configure IP and no shut then see the above commands
  • Can have 65000 concurrent connection sharing one connection
  • C C N A Day4

    1. 1. Switching
    2. 2. Layer 2 Switching <ul><li>Switching breaks up large collision domains into smaller ones </li></ul><ul><li>Collision domain is a network segment with two or more devices sharing the same bandwidth. </li></ul><ul><li>A hub network is a typical example of this type of technology </li></ul><ul><li>Each port on a switch is actually its own collision domain, you can make a much better Ethernet LAN network just by replacing your hubs with switches </li></ul>
    3. 3. Switching Services <ul><li>Unlike bridges that use software to create and manage a filter table, switches use Application Specific Integrated Circuits (ASICs) </li></ul><ul><li>Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. </li></ul><ul><li>They look at the frame’s hardware addresses before deciding to either forward the frame or drop it. </li></ul><ul><li>layer 2 switching so efficient is that no modification to the data packet takes place </li></ul>
    4. 4. How Switches and Bridges Learn Addresses <ul><li>Bridges and switches learn in the following ways: </li></ul><ul><li>Reading the source MAC address of each received frame or datagram </li></ul><ul><li>Recording the port on which the MAC address was received. </li></ul><ul><li>In this way, the bridge or switch learns which addresses belong to the devices connected to each port. </li></ul>
    5. 5. Ethernet Access with Hubs
    6. 6. Ethernet Access with Switches
    7. 7. <ul><ul><li>Address learning </li></ul></ul><ul><ul><li>Forward/filter decision </li></ul></ul><ul><ul><li>Loop avoidance </li></ul></ul>Ethernet Switches and Bridges
    8. 8. Switch Features <ul><li>There are three conditions in which a switch will flood a frame out on all ports except to the port on which the frame came in, as follows: </li></ul><ul><ul><li>Unknown unicast address </li></ul></ul><ul><ul><li>Broadcast frame </li></ul></ul><ul><ul><li>Multicast frame </li></ul></ul>
    9. 9. MAC Address Table <ul><li>Initial MAC address table is empty. </li></ul>
    10. 10. Learning Addresses <ul><li>Station A sends a frame to station C. </li></ul><ul><li>Switch caches the MAC address of station A to port E0 by learning the source address of data frames. </li></ul><ul><li>The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded). </li></ul>
    11. 11. Learning Addresses (Cont.) <ul><li>Station D sends a frame to station C. </li></ul><ul><li>Switch caches the MAC address of station D to port E3 by learning the source address of data frames. </li></ul><ul><li>The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded). </li></ul>
    12. 12. Filtering Frames <ul><li>Station A sends a frame to station C. </li></ul><ul><li>Destination is known; frame is not flooded. </li></ul>
    13. 13. Broadcast and Multicast Frames <ul><li>Station D sends a broadcast or multicast frame. </li></ul><ul><li>Broadcast and multicast frames are flooded to all ports other than the originating port. </li></ul>
    14. 14. Forward/Filter Decision <ul><li>When a frame arrives at a switch interface, the destination hardware address is compared to the forward/ filter MAC database. </li></ul><ul><li>If the destination hardware address is known and listed in the database, the frame is sent out only the correct exit interface </li></ul><ul><li>If the destination hardware address is not listed in the MAC database, then the frame is flooded out all active interfaces except the interface the frame was received on. </li></ul><ul><li>If a host or server sends a broadcast on the LAN, the switch will flood the frame out all active ports except the source port. </li></ul>
    15. 15. Learning Mac Address
    16. 16. Learning Mac Address
    17. 17. Learning Mac Address
    18. 18. Learning Mac Address
    19. 19. Learning Mac Address
    20. 20. Learning Mac Address
    21. 21. Learning Mac Address
    22. 22. Forward/Filter PC3 to PC1
    23. 23. Forward/Filter PC3 to PC2
    24. 24. Loop Avoidance <ul><li>Redundant links between switches are a good idea because they help prevent complete network failures in the event one link stops working </li></ul><ul><li>However, they often cause more problems because frames can be flooded down all redundant links simultaneously </li></ul><ul><li>This creates network loops </li></ul>
    25. 25. Network Broadcast Loops <ul><li>A manufacturing floor PC sent a network broadcast to request a boot loader </li></ul><ul><li>The broadcast was first received by switch sw1 on port 2/1 </li></ul><ul><li>The topology is redundantly connected; therefore, switch sw2 receives the broadcast frame as well on port 2/1 </li></ul><ul><li>Switch sw2 is also receiving a copy of the broadcast frame forwarded to the LAN segment from port 2/2 of switch sw1. </li></ul><ul><li>In a small fraction of the time, we have four packets. The problem grows exponentially until the network bandwidth is saturated </li></ul>
    26. 26. Multiple Frame Copies
    27. 27. Spanning Tree Protocol
    28. 28. Overview <ul><li>Redundancy in a network is extremely important because redundancy allows networks to be fault tolerant. </li></ul><ul><li>Redundant topologies based on switches and bridges are subject to broadcast storms, multiple frame transmissions, and MAC address database instability. </li></ul><ul><li>Therefore network redundancy requires careful planning and monitoring to function properly. </li></ul><ul><li>The Spanning-Tree Protocol is used in switched networks to create a loop free network </li></ul>
    29. 29. Spanning-Tree Protocol <ul><ul><li>Provides a loop-free redundant network topology by placing certain ports in the blocking state. </li></ul></ul>
    30. 30. Spanning Tree Protocol <ul><li>Spanning Tree Protocol resides in Data link Layer </li></ul><ul><li>Ethernet bridges and switches can implement the IEEE 802.1D Spanning-Tree Protocol and use the spanning-tree algorithm to construct a loop free network. </li></ul>
    31. 31. Spanning-Tree Port States <ul><ul><li>Spanning-tree transits each port through several different states: </li></ul></ul>Disabled
    32. 32. Selecting the Root Bridge <ul><li>The first decision that all switches in the network make, is to identify the root bridge. </li></ul><ul><li>When a switch is turned on, the spanning-tree algorithm is used to identify the root bridge. BPDUs are sent out with the Bridge ID (BID). </li></ul><ul><li>The BID consists of a bridge priority that defaults to 32768 and the switch base MAC address. </li></ul><ul><li>When a switch first starts up, it assumes it is the root switch and sends BPDUs. These BPDUs contain BID. </li></ul><ul><li>All bridges see these and decide that the bridge with the smallest BID value will be the root bridge. </li></ul><ul><li>A network administrator may want to influence the decision by setting the switch priority to a smaller value than the default. </li></ul>
    33. 33. Spanning Tree Protocol Terms <ul><li>BPDU Bridge Protocol Data Unit (BPDU) - All the switches exchange information to use in the selection of the root switch </li></ul><ul><li>Bridge ID - The bridge ID is how STP keeps track of all the switches in the network. It is determined by a combination of the bridge priority (32,768 by default on all Cisco switches) and the base MAC address. </li></ul><ul><li>Root Bridge -The bridge with the lowest bridge ID becomes the root bridge in the network. </li></ul><ul><li>Nonroot bridge - These are all bridges that are not the root bridge. </li></ul><ul><li>Root port - The root port is always the link directly connected to the root bridge or the shortest path to the root bridge. If more than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link. </li></ul><ul><li>Designated port - A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port </li></ul><ul><li>Nondesignated Port - A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are put in blocking mode </li></ul><ul><li>Forwarding Port - A forwarding port forwards frames </li></ul><ul><li>Blocked Port - A blocked port is the port that will not forward frames, in order to prevent loops </li></ul>
    34. 34. <ul><li>Bpdu = Bridge Protocol Data Unit (default = sent every two seconds) </li></ul><ul><li>Root bridge = Bridge with the lowest bridge ID </li></ul><ul><li>Bridge ID = </li></ul><ul><li>In the example, which switch has the lowest bridge ID? </li></ul>Spanning-Tree Protocol Root Bridge Selection
    35. 35. <ul><li>One root bridge per network </li></ul><ul><li>One root port per nonroot bridge </li></ul><ul><li>One designated port per segment </li></ul><ul><li>Nondesignated ports are unused </li></ul>Spanning-Tree Operation
    36. 36. Selecting the Root Port <ul><li>The STP cost is an accumulated total path cost based on the rated bandwidth of each of the links </li></ul><ul><li>This information is then used internally to select the root port for that device </li></ul>
    37. 37. <ul><li>One root bridge per network </li></ul><ul><li>One root port per nonroot bridge </li></ul><ul><li>One designated port per segment </li></ul><ul><li>Nondesignated ports are unused </li></ul>Spanning-Tree Operation 19 100
    38. 38. Switching Methods 1. Cut-Through (Fast Forward) The frame is forwarded through the switch before the entire frame is received. At a minimum the frame destination address must be read before the frame can be forwarded. This mode decreases the latency of the transmission, but also reduces error detection. 2. Fragment-Free (Modified Cut-Through) Fragment-free switching filters out collision fragments before forwarding begins. Collision fragments are the majority of packet errors. In Fragment-Free mode, the switch checks the first 64 bytes of a frame. 3. Store-and-Forward The entire frame is received before any forwarding takes place. Filters are applied before the frame is forwarded. Most reliable and also most latency especially when frames are large.
    39. 39. Switching Methods
    40. 40. Switch Configuration
    41. 41. Physical Startup of the Catalyst Switch <ul><li>Switches are dedicated, specialized computers, which contain a CPU, RAM, and an operating system. </li></ul><ul><li>Switches usually have several ports for the purpose of connecting hosts, as well as specialized ports for the purpose of management. </li></ul><ul><li>A switch can be managed by connecting to the console port to view and make changes to the configuration. </li></ul><ul><li>Switches typically have no power switch to turn them on and off. They simply connect or disconnect from a power source. </li></ul>
    42. 42. Switch LED Indicators <ul><li>The front panel of a switch has several lights to help monitor system activity and performance. These lights are called light-emitting diodes (LEDs). The switch has the following LEDs: </li></ul><ul><li>System LED </li></ul><ul><li>Remote Power Supply (RPS) LED </li></ul><ul><li>Port Mode LED </li></ul><ul><li>Port Status LEDs </li></ul><ul><li>The System LED shows whether the system is receiving power and functioning correctly. </li></ul><ul><li>The RPS LED indicates whether or not the remote power supply is in use. </li></ul><ul><li>The Mode LEDs indicate the current state of the Mode button. </li></ul><ul><li>The Port Status LEDs have different meanings, depending on the current value of the Mode LED. </li></ul>
    43. 43. Verifying Port LEDs During Switch POST <ul><li>Once the power cable is connected, the switch initiates a series of tests called the power-on self test (POST). </li></ul><ul><li>POST runs automatically to verify that the switch functions correctly. </li></ul><ul><li>The System LED indicates the success or failure of POST . </li></ul>
    44. 44. Switch Command Modes <ul><li>Switches have several command modes. </li></ul><ul><li>The default mode is User EXEC mode, which ends in a greater-than character ( > ). </li></ul><ul><li>The commands available in User EXEC mode are limited to those that change terminal settings, perform basic tests, and display system information. </li></ul><ul><li>The enable command is used to change from User EXEC mode to Privileged EXEC mode, which ends in a pound-sign character ( # ). </li></ul><ul><li>The configure command allows other command modes to be accessed.    </li></ul>
    45. 45. Show Commands in User-Exec Mode
    46. 46. Tasks <ul><li>Setting the passwords ( Password must be between 4 and 8 characters) </li></ul><ul><li>Setting the hostname </li></ul><ul><li>Configuring the IP address and subnet mask </li></ul><ul><li>Erasing the switch configurations </li></ul>
    47. 47. Setting Switch Hostname Setting Passwords on Lines
    48. 48. Switch Configuration <ul><li>There are two reasons to set the IP address information on the switch: </li></ul><ul><ul><li>To manage the switch via Telnet or other management software </li></ul></ul><ul><ul><li>To configure the switch with different VLANs and other network functions </li></ul></ul><ul><li>See the default IP configuration = show IP command </li></ul><ul><li>Configure IP Address </li></ul><ul><ul><li>sw1(config-if)#interface vlan 1 </li></ul></ul><ul><ul><li>sw1(config-if)#ip address 10.0.0.1 255.0.0.0 </li></ul></ul><ul><ul><li>sw1(config-if)#no shut </li></ul></ul><ul><ul><li>sw1(config-if)#exit </li></ul></ul><ul><ul><li>sw1(config)ip default-gateway 10.0.0.254 </li></ul></ul>
    49. 49. Configuring Interface Descriptions <ul><li>You can administratively set a name for each interface on the switches </li></ul><ul><ul><li>SW1#config t </li></ul></ul><ul><ul><li>Enter configuration commands, one per line. End with CNTL/Z </li></ul></ul><ul><ul><li>SW1(config)#int e0/1 </li></ul></ul><ul><ul><li>SW1(config-if)#description Finance_VLAN </li></ul></ul><ul><ul><li>SW1(config-if)#int f0/26 </li></ul></ul><ul><ul><li>SW1(config-if)#description trunk_to_Building_4 </li></ul></ul><ul><ul><li>SW1(config-if)# </li></ul></ul><ul><li>Setting Port Security </li></ul><ul><ul><li>Sw1(config-if)#switchport port-security mac-address mac-address </li></ul></ul><ul><ul><li>Now only this one MAC address is allowed on this switch port </li></ul></ul>
    50. 50. Switch Configuration <ul><li>Connect two machine to a switch </li></ul><ul><li>To view the MAC table </li></ul><ul><li>sw1#show mac-address-table dynamic </li></ul><ul><li>Sw1#sh spanning-tree </li></ul><ul><li>Sw1(config)#spanning-tree vlan 1 priority ? </li></ul><ul><li>Sw1(config)#spanning-tree vlan 1 priority 4096 </li></ul><ul><li>Erase the configuration </li></ul>
    51. 51. VLANs
    52. 52. VLAN’s <ul><li>A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. </li></ul><ul><li>Ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different subnetworks. </li></ul><ul><li>Frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN </li></ul><ul><li>By default, no hosts in a specific VLAN can communicate with any other hosts that are members of another VLAN, </li></ul><ul><li>For Inter VLAN communication you need routers </li></ul>
    53. 53. VLANs <ul><li>VLAN implementation combines Layer 2 switching and Layer 3 routing technologies to limit both collision domains and broadcast domains. </li></ul><ul><li>VLANs can also be used to provide security by creating the VLAN groups according to function and by using routers to communicate between VLANs. </li></ul><ul><li>A physical port association is used to implement VLAN assignment. </li></ul><ul><li>Communication between VLANs can occur only through the router. </li></ul><ul><li>This limits the size of the broadcast domains and uses the router to determine whether one VLAN can talk to another VLAN. </li></ul><ul><li>NOTE: This is the only way a switch can break up a broadcast domain! </li></ul>
    54. 54. VLAN Overview A VLAN = A Broadcast Domain = Logical Network (Subnet) <ul><ul><li>Segmentation </li></ul></ul><ul><ul><li>Flexibility </li></ul></ul><ul><ul><li>Security </li></ul></ul>
    55. 55. History <ul><li>11 Hosts are connected to the switch </li></ul><ul><li>All From same Broadcast domain </li></ul><ul><li>Need to divide them in separate logical segment </li></ul><ul><li>High broadcast traffic reasons </li></ul><ul><ul><li>ARP </li></ul></ul><ul><ul><li>DHCP </li></ul></ul><ul><ul><li>SAP </li></ul></ul><ul><ul><li>XWindows </li></ul></ul><ul><ul><li>NetBIOS </li></ul></ul>
    56. 56. Definition <ul><li>Logically Defined community of interest that limits a Broadcast domain </li></ul><ul><li>LAN are created on the software of Switch </li></ul><ul><li>All devices in a VLAN are members of the same broadcast domain and receive all broadcasts </li></ul><ul><li>The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN. </li></ul>
    57. 57. Security <ul><li>A Flat internetwork’s security used to be tackled by connecting hubs and switches together with routers </li></ul><ul><li>This arrangement is ineffective because </li></ul><ul><ul><li>Anyone connecting physical network could access network resources located on that physical LAN </li></ul></ul><ul><ul><li>Can observe the network traffic by plugging network analyzer into the HUB </li></ul></ul><ul><ul><li>Users could join a workgroup by just plugging their workstations into the existing hub </li></ul></ul><ul><li>By creating VLAN’s administrators have control over each port and user </li></ul>
    58. 58. How VLANs Simplify Network Management <ul><li>If we need to break the broadcast domain we need to connect a router </li></ul><ul><li>By using VLAN’s we can divide Broadcast domain at Layer-2 </li></ul><ul><li>A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them. </li></ul><ul><li>As a logical grouping of users by function, VLANs can be considered independent from their physical locations. </li></ul>
    59. 59. VLAN Memberships <ul><li>VLAN created based on port is known as Static VLAN. </li></ul><ul><li>VLAN assigned based on hardware addresses into a database, is called a dynamic VLAN </li></ul>
    60. 60. VLAN Membership Modes
    61. 61. Static VLANs <ul><li>Most secure </li></ul><ul><li>Easy to set up and monitor </li></ul><ul><li>Works well in a network where the movement of users within the network is controlled </li></ul>
    62. 62. Dynamic VLANs <ul><li>A dynamic VLAN determines a node’s VLAN assignment automatically </li></ul><ul><li>Using intelligent management software, you can base VLAN assignments on hardware (MAC) addresses. </li></ul><ul><li>Dynamic VLAN need VLAN Management Policy Server (VMPS) server </li></ul>
    63. 63. LAB – Creating VLAN <ul><li>Connect two computers on a switch </li></ul><ul><li>Ping and see both are able to communicate </li></ul><ul><li>Create two vlans and configure static VLAN’s so both ports are on separate VLAN’s </li></ul><ul><li>Test the communication between PC’s </li></ul>port1 port5 To see the existing VLAN #Show vlan To create VLAN #vlan database Switch(vlan)#vlan 2 name red Switch(vlan)#vlan 3 name blue Assigning ports to VLAN Sw(config)# int fastEthernet 0/1 Sw(config-if)#switch mode access Sw(config-if)#switchport access vlan2
    64. 64. LAB – Deleting VLAN port1 port5 To delete VLAN Sw(config)# no vlan 2 Sw(config)# no vlan 3 To bring port back to VLAN 1 Sw(config-if)#switchport mode acces Sw(config-if)#switch port access vlan1 For a Range Sw(config)#int range fastethernet 0/1 - 5 Sw(config-if)#switch port access vlan1
    65. 65. <ul><li>VLANs can span across multiple switches. </li></ul><ul><li>Trunks carry traffic for multiple VLANs. </li></ul><ul><li>Trunks use special encapsulation to distinguish between different VLANs. </li></ul>VLAN Operation
    66. 66. Types of Links <ul><li>Access links </li></ul><ul><ul><li>This type of link is only part of one VLAN </li></ul></ul><ul><ul><li>It’s referred to as the native VLAN of the port. </li></ul></ul><ul><ul><li>Any device attached to an access link is unaware of a VLAN </li></ul></ul><ul><ul><li>Switches remove any VLAN information from the frame before it’s sent to an access-link device. </li></ul></ul><ul><li>Trunk links </li></ul><ul><ul><li>Trunks can carry multiple VLANs </li></ul></ul><ul><ul><li>These carry the traffic of multiple VLANs </li></ul></ul><ul><ul><li>A trunk link is a 100- or 1000Mbps point-to-point link between two switches, between a switch and router. </li></ul></ul>
    67. 67. Access links
    68. 68. Trunk links
    69. 69. Frame Tagging <ul><li>Can create VLANs to span more than one connected switch </li></ul><ul><li>Hosts are unaware of VLAN </li></ul><ul><li>When host A Create a data unit and reaches switch, the switch adds a Frame tagging to identify the VLAN </li></ul><ul><li>Frame tagging is a method to identify the packet belongs to a particular VLAN </li></ul><ul><li>Each switch that the frame reaches must first identify the VLAN ID from the frame tag </li></ul><ul><li>It finds out what to do with the frame by looking at the information in the filter table </li></ul><ul><li>Once the frame reaches an exit to an access link matching the frame’s VLAN ID, the switch removes the VLAN identifier </li></ul>
    70. 70. Frame Tagging Methods <ul><li>There are two frame tagging methods </li></ul><ul><ul><li>Inter-Switch Link (ISL) </li></ul></ul><ul><ul><li>IEEE 802.1Q </li></ul></ul><ul><li>Inter-Switch Link (ISL) </li></ul><ul><ul><li>proprietary to Cisco switches </li></ul></ul><ul><ul><li>used for Fast Ethernet and Gigabit Ethernet links only </li></ul></ul><ul><li>IEEE 802.1Q </li></ul><ul><ul><li>Created by the IEEE as a standard method of frame tagging </li></ul></ul><ul><ul><li>it actually inserts a field into the frame to identify the VLAN </li></ul></ul><ul><ul><li>If you’re trunking between a Cisco switched link and a different brand of switch, you have to use 802.1Q for the trunk to work. </li></ul></ul>
    71. 71. <ul><ul><li>Performed with ASIC </li></ul></ul><ul><ul><li>ISL header not seen by client </li></ul></ul><ul><ul><li>Effective between switches, and between routers and switches </li></ul></ul>ISL Tagging ISL trunks enable VLANs across a backbone.
    72. 72. LAB-Creating Trunk <ul><li>Create two VLAN's on each switches </li></ul><ul><li>#vlan database </li></ul><ul><li>sw(vlan)#vlan 2 name red </li></ul><ul><li>sw(vlan)#vlan 3 name blue </li></ul><ul><li>sw(vlan)#exit </li></ul><ul><li>sw#config t </li></ul><ul><li>sw(config)#int fastethernet 0/1 </li></ul><ul><li>sw(config-if)#switch-portaccess vlan 2 </li></ul><ul><li>sw(config)#int fastethernet 0/4 </li></ul><ul><li>sw(config-if)#switch-portaccess vlan 3 </li></ul><ul><li>To see Interface status </li></ul><ul><li>#show interface status </li></ul>Trunk Port Configuration sw#config t sw(config)#int fastethernet 0/24 sw(config-if)#switchport trunk encapsulation dot1q sw(config-if)#switchport mode trunk * 2950 Only dot1q Encapsulation 10.0.0.3 10.0.0.4 1 2 3 4 1 2 3 4 10.0.0.1 10.0.0.2 24 12
    73. 73. Assigning Access Ports to a VLAN Switch(config)#interface gigabitethernet 1/1 <ul><li>Enters interface configuration mode </li></ul>Switch(config-if)#switchport mode access <ul><li>Configures the interface as an access port </li></ul>Switch(config-if)#switchport access vlan 3 <ul><li>Assigns the access port to a VLAN </li></ul>
    74. 74. Verifying the VLAN Configuration Switch#show vlan [id | name] [vlan_num | vlan_name] VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Fa0/1, Fa0/2, Fa0/5, Fa0/7 Fa0/8, Fa0/9, Fa0/11, Fa0/12 Gi0/1, Gi0/2 2 VLAN0002 active 51 VLAN0051 active 52 VLAN0052 active … VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ 1 enet 100001 1500 - - - - - 1002 1003 2 enet 100002 1500 - - - - - 0 0 51 enet 100051 1500 - - - - - 0 0 52 enet 100052 1500 - - - - - 0 0 … Remote SPAN VLANs ------------------------------------------------------------------------------ Primary Secondary Type Ports ------- --------- ----------------- ------------------------------------------
    75. 75. Verifying the VLAN Port Configuration Switch#show running-config interface {fastethernet | gigabitethernet} slot/port <ul><li>Displays the running configuration of the interface </li></ul>Switch#show interfaces [{fastethernet | gigabitethernet} slot/port ] switchport <ul><li>Displays the switch port configuration of the interface </li></ul>Switch#show mac-address-table interface interface-id [vlan vlan-id ] [ | {begin | exclude | include} expression ] <ul><li>Displays the MAC address table information for the specified interface in the specified VLAN </li></ul>
    76. 76. <ul><ul><li>A messaging system that advertises VLAN configuration information </li></ul></ul><ul><ul><li>Maintains VLAN configuration consistency throughout a common administrative domain </li></ul></ul><ul><ul><li>Sends advertisements on trunk ports only </li></ul></ul>VTP Protocol Features
    77. 77. VLAN Trunking Protocol (VTP) <ul><li>Benefits of VTP </li></ul><ul><ul><li>Consistent VLAN configuration across all switches in the network </li></ul></ul><ul><ul><li>Accurate tracking and monitoring of VLANs </li></ul></ul><ul><ul><li>Dynamic reporting of added VLANs to all switches in the VTP domain </li></ul></ul>
    78. 78. VTP Modes <ul><li>Forwards advertisements </li></ul><ul><li>Synchronizes </li></ul><ul><li>Not saved in NVRAM </li></ul><ul><li>Creates VLANs </li></ul><ul><li>Modifies VLANs </li></ul><ul><li>Deletes VLANs </li></ul><ul><li>Sends/forwards advertisements </li></ul><ul><li>Synchronizes </li></ul><ul><li>Saved in NVRAM </li></ul><ul><li>Creates VLANs </li></ul><ul><li>Modifies VLANs </li></ul><ul><li>Deletes VLANs </li></ul><ul><li>Forwards advertisements </li></ul><ul><li>Does not synchronize </li></ul><ul><li>Saved in NVRAM </li></ul>
    79. 79. VTP Operation <ul><ul><li>VTP advertisements are sent as multicast frames. </li></ul></ul><ul><ul><li>VTP servers and clients are synchronized to the latest update identified revision number. </li></ul></ul><ul><ul><li>VTP advertisements are sent every 5 minutes or when there is a change. </li></ul></ul>
    80. 80. VTP Pruning <ul><li>VTP pruning provides a way for you to preserve bandwidth by configuring it to reduce the amount of broadcasts, multicasts, and unicast packets. </li></ul><ul><li>If Switch A doesn’t have any ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, that broadcast would not traverse the trunk link to Switch A. </li></ul><ul><li>By default, VTP pruning is disabled on all switches. </li></ul><ul><li>Pruning is enabled for the entire domain </li></ul>
    81. 81. <ul><ul><li>Increases available bandwidth by reducing unnecessary flooded traffic </li></ul></ul><ul><ul><li>Example: Station A sends broadcast, and broadcast is flooded only toward any switch with ports assigned to the red VLAN </li></ul></ul>VTP Pruning
    82. 82. VTP Configuration Guidelines <ul><ul><li>Configure the following: </li></ul></ul><ul><ul><ul><li>VTP domain name </li></ul></ul></ul><ul><ul><ul><li>VTP mode (server mode is the default) </li></ul></ul></ul><ul><ul><ul><li>VTP pruning </li></ul></ul></ul><ul><ul><ul><li>VTP password </li></ul></ul></ul><ul><ul><ul><li>Switch(config)#vtp mode server </li></ul></ul></ul><ul><ul><ul><li>Switch(config)#vtp domain gates </li></ul></ul></ul><ul><ul><ul><li>SwitchA#sh vtp status </li></ul></ul></ul>
    83. 83. wg_sw_1900#configure terminal Enter configuration commands, one per line. End with CNTL/Z wg_sw_1900(config)#vtp transparent wg_sw_1900(config)#vtp domain switchlab wg_sw_1900(config)#vtp [server | transparent | client] [domain domain-name ] [trap {enable | disable}] [password password ] [pruning {enable | disable}] Creating a VTP Domain Catalyst 1900 Catalyst 2950 wg_sw_2950#vlan database wg_sw_2950(vlan)#vtp [ server | client | transparent ] wg_sw_2950(vlan)#vtp domain domain-name wg_sw_2950(vlan)#vtp password password wg_sw_2950(vlan)#vtp pruning
    84. 84. Verifying the VTP Configuration Switch#show vtp status Switch# show vtp status VTP Version : 2 Configuration Revision : 247 Maximum VLANs supported locally : 1005 Number of existing VLANs : 33 VTP Operating Mode : Client VTP Domain Name : Lab_Network VTP Pruning Mode : Enabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80 Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49 Switch#
    85. 85. Verifying the VTP Configuration (Cont.) Switch#show vtp counters Switch# show vtp counters VTP statistics: Summary advertisements received : 7 Subset advertisements received : 5 Request advertisements received : 0 Summary advertisements transmitted : 997 Subset advertisements transmitted : 13 Request advertisements transmitted : 3 Number of config revision errors : 0 Number of config digest errors : 0 Number of V1 summary errors : 0 VTP pruning statistics: Trunk Join Transmitted Join Received Summary advts received from non-pruning-capable device ---------------- ---------------- ---------------- --------------------------- Fa5/8 43071 42766 5
    86. 86. VLAN to VLAN <ul><li>If you want to connect between two VLANs you need a layer 3 device </li></ul>
    87. 87. Router on Stick <ul><li>Create two VLAN's on each switches </li></ul><ul><li>#vlan database </li></ul><ul><li>sw(vlan)#vlan 2 name red </li></ul><ul><li>sw(vlan)#vlan 3 name blue </li></ul><ul><li>sw(vlan)#exit </li></ul><ul><li>sw#config t </li></ul><ul><li>sw(config)#int fastethernet 0/1 </li></ul><ul><li>sw(config-if)#switch-portaccess vlan 2 </li></ul><ul><li>sw(config)#int fastethernet 0/4 </li></ul><ul><li>sw(config-if)#switch-portaccess vlan 3 </li></ul><ul><li>To see Interface status </li></ul><ul><li>#show interface status </li></ul>SW1 SW2 R1 Trunk Port Configuration sw#config t sw(config)#int fastethernet 0/24 sw(config-if)#switchport trunk encapsulation dot1q sw(config-if)#switchport mode trunk Router Configuration R1#config t R1(config)#int fastethernet 0/0.1 R1(config-if)#encapsulation dot1q 2 R1(config-if)#ip address 10..0.0.1 255.0.0.0 R1(config-if# No shut R1(config-Iif)# EXIT R1(config)#int fastethernet 0/0.2 R1(config-if)# encapsulation dot1q 3 R1(config-if)#ip address 20..0.0.1 255.0.0.0 R1(config-if# No shut Router-Switch Port to be made as Trunk sw(config)#int fastethernet 0/9 sw(config-if)#switchport trunk enacapsulation dot1q sw(config-if)#switchport mode trunk 10.0.0.1 20.0.0.1 FA0/0 9 10.0.0.3 20.0.0.3 1 2 3 4 1 2 3 4 10.0.0.2 20.0.0.2 24 12
    88. 88. Fig. 3 NAT (TI1332EU02TI_0003 New Address Concepts, 7) NAT Network Address Translator
    89. 89. New Addressing Concepts Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5) Problems with IPv4 Shortage of IPv4 addresses Allocation of the last IPv4 addresses was for the year 2005 Address classes were replaced by usage of CIDR, but this is not sufficient Short term solution NAT: Network Address Translator Long term solution IPv6 = IPng (IP next generation) Provides an extended address range
    90. 90. NAT: Network Address Translator Fig. 4 How does NAT work? (TI1332EU02TI_0003 New Address Concepts, 9) NAT Translates between local addresses and public ones Many private hosts share few global addresses Public Network Uses public addresses Public addresses are globally unique Private Network Uses private address range (local addresses) Local addresses may not be used externally
    91. 91. NAT Addressing Terms <ul><li>Inside Local </li></ul><ul><ul><li>The term “inside” refers to an address used for a host inside an enterprise. It is the actual IP address assigned to a host in the private enterprise network. </li></ul></ul><ul><li>Inside Global </li></ul><ul><ul><li>NAT uses an inside global address to represent the inside host as the packet is sent through the outside network, typically the Internet. </li></ul></ul><ul><ul><li>A NAT router changes the source IP address of a packet sent by an inside host from an inside local address to an inside global address as the packet goes from the inside to the outside network. </li></ul></ul>
    92. 92. Inside/Outside
    93. 93. Inside/Outside
    94. 94. NAT Addressing Terms <ul><li>Outside Global </li></ul><ul><ul><li>The term “outside” refers to an address used for a host outside an enterprise, the Internet. </li></ul></ul><ul><ul><li>An outside global is the actual IP address assigned to a host that resides in the outside network, typically the Internet. </li></ul></ul><ul><li>Outside Local </li></ul><ul><ul><li>NAT uses an outside local address to represent the outside host as the packet is sent through the private network. </li></ul></ul><ul><ul><li>This address is outside private, outside host with a private address </li></ul></ul>
    95. 95. Network Address Translation <ul><li>An IP address is either local or global. </li></ul><ul><li>Local IP addresses are seen in the inside network . </li></ul>
    96. 96. Types Of NAT <ul><li>There are different types of NAT that can be used, which are </li></ul><ul><ul><li>Static NAT </li></ul></ul><ul><ul><li>Dynamic NAT </li></ul></ul><ul><ul><li>Overloading NAT with PAT (NAPT) </li></ul></ul>
    97. 97. Static NAT <ul><li>Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. </li></ul><ul><li>I n static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110. </li></ul>
    98. 98. Dynamic NAT <ul><li>Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. </li></ul><ul><li>In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150. </li></ul>
    99. 99. Overloading NAT with PAT (NAPT) <ul><li>Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. </li></ul><ul><li>In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.. </li></ul>
    100. 100. Static NAT Configuration <ul><li>For each interface you need to configure INSIDE or OUTSIDE </li></ul>Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5) R1 E0 10.0.0.1 S0 200.0.0.1 Internet 10.0.0.2 10.0.0.3 10.0.0.254 R1(config)#Int fastethernet 0/0 R1(config-if)# IP NAT inside R1(config-if)##Int s 0/0 R1(config-if)# IP NAT outside R1(config-if)# Exit R1(config)# ip NAT inside source static 10.0.0.1 200.0.0.1 To see the table R1(config)#show ip nat translations R1(config)#show ip nat statistics B A C
    101. 101. INSIDE/OUTSIDE
    102. 102. Dynamic NAT <ul><li>Dynamic NAT sets up a pool of possible inside global addresses and defines criteria for the set of inside local IP addresses whose traffic should be translated with NAT. </li></ul><ul><li>The dynamic entry in the NAT table stays in there as long as traffic flows occasionally. </li></ul><ul><li>If a new packet arrives, and it needs a NAT entry, but all the pooled IP addresses are in use, the router simply discards the packet. </li></ul>Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)
    103. 103. Dynamic NAT <ul><li>Instead of creating static IP, create a pool of IP Address, Specify a range </li></ul><ul><li>Create an access list and permit hosts </li></ul><ul><li>Link Access list to the Pool </li></ul>Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)
    104. 104. Dynamic NAT Configuration <ul><li>For each interface you need to configure INSIDE or OUTSIDE </li></ul>R1 S0 200.0.0.1/200.0.0.254 Internet Create an Access List R1(config)# Access-list 1 permit 10.0.0.0 0.255.255.255 Configure NAT dynamic Pool R1(config)# IP NAT pool pool1 200.0.0.1 200.0.0.254 netmask 255.255.255.0 Link Access List to Pool R1(config)# IP NAT inside source list 1 pool pool1 E0 B A 10.0.0.1 C 10.0.0.2 10.0.0.3 10.0.0.254
    105. 105. PAT <ul><li>Overloading an inside global address </li></ul><ul><li>NAT overload only one global IP shared among all hosts </li></ul>Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5) 200.0.0.1 Internet Shared Global IP 200.0.0.1:1025 200.0.0.1:1026 200.0.0.1:1027 E0 B A 10.0.0.1 C 10.0.0.2 10.0.0.3 10.0.0.254
    106. 106. PAT
    107. 107. PAT
    108. 108. PAT
    109. 109. PAT
    110. 110. PAT
    111. 111. PAT
    112. 112. PAT
    113. 113. Configuration
    114. 114. PAT LAB <ul><li>R1#config t </li></ul><ul><li>R1(config)# int e 0 </li></ul><ul><li>R1(config-if)# ip nat insde </li></ul><ul><li>R1(config)# int s 0 </li></ul><ul><li>R1(config-if)# ip nat outside </li></ul><ul><li>R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255 </li></ul><ul><li>R1(config)#ip nat inside source list 1 interface s 0 overload </li></ul><ul><li>To see host to host ping configure static or dynamic routing </li></ul><ul><li>To check translation </li></ul><ul><li>#sh ip nat translations </li></ul>S0 S0 E0 E0 192.168.10.2 200.0.0.2 192.168.10.1 200.0.0.1 192.168.20.2 192.168.20.1 R1 R2 <ul><li>R2#config t </li></ul><ul><li>R2(config)# int e 0 </li></ul><ul><li>R2(config-if)# ip nat insde </li></ul><ul><li>R2(config)# int s 0 </li></ul><ul><li>R2(config-if)# ip nat outside </li></ul><ul><li>R2(config)#access-list 1 permit 192.168.20.0 0.0.0.255 </li></ul><ul><li>R2(config)#ip nat inside source list 1 interface s 0 overload </li></ul><ul><li>To see host to host ping configure static or dynamic routing </li></ul><ul><li>To check translation </li></ul><ul><li>#sh ip nat translations </li></ul>A B

    ×