6 week project training in networking.docx

HCL Infosystem, LKC / MSc-NPD(Sem-IV) / 2012 / 904231

Uploaded by sharmaguyz, posted 07-Sep-2015


1.3 HCL INFOSYSTEMS Ltd.

DILBER KHAN, 9914550702

HEAD OFFICE: HCL INFOSYSTEMS Ltd., C-133, Phase-8, Industrial Area, Mohali. 9915715814

ABOUT CISCO PACKET TRACER

6.1 Packet tracer overview 6.2 Packet tracer features

6.1 Packet tracer overview

Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in networking, in either Real Time or Simulation mode. This includes layer 2 protocols such as Ethernet and PPP, layer 3 protocols such as IP, ICMP, and ARP, and layer 4 protocols such as TCP and UDP. Routing protocols can also be traced. Purpose: The purpose of this lab is to become familiar with the Packet Tracer interface. Learn how to us

Fig. 9.1

Fig 9.2

6.2 Packet tracer features

Fig. 9.3

Chapter 7

NETWORK DESIGN

7.1 Network design 7.2 Hardware used 7.3 Software used 7.4 Devices used in network 7.5 Basic Device configuration 7.6 Configuring IP addresses 7.7 Configuring routing protocol on routers

7.1 Network design

Fig. 7.1

In the network structure, there are three branches: BRANCH 1, BRANCH 2 and BRANCH 3.

BRANCH 1 has five departments: SERVER, DEPARTMENT 1, DEPARTMENT 2, DEPARTMENT 3 and DEPARTMENT 4. SERVER has end devices connected to a Cisco 2960 series switch, SWITCH 1. DEPARTMENT 1 has end devices connected to a Cisco 2960 series switch, SWITCH 2.

DEPARTMENT 2 has end devices connected to a Cisco 2960 series switch, SWITCH 3.

DEPARTMENT 3 has end devices connected to a Cisco 2960 series switch, SWITCH 4.

DEPARTMENT 4 has end devices connected to a Linksys WRT300N series wireless device, Wireless Device 1.

SWITCH 1, SWITCH 2, SWITCH 3 and SWITCH 4 are connected via straight-through cables.

BRANCH 1 is connected to BRANCH 2 and BRANCH 3 via Cisco 2811 series routers: ROUTER 0, ROUTER 1, ROUTER 2 and ROUTER 3. The Open Shortest Path First (OSPF) protocol is configured on the routers. Router 3 is connected to Router 1 and Router 2; Router 0 is connected to Router 2. In all departments, IP phones are connected to the switches along with the end devices.

7.2 Hardware Used

Routers: Cisco 2811 Series.

Switches: Cisco 2960 Series.

Devices: Computers, Servers, IP phones.

Other Media: Console cables, Ethernet cables, Serial cable etc.

7.3 Software Used

Operating System: Windows 2003 Server, Windows XP, Windows 7 etc.

Front end tools: Cisco Packet Tracer, GNS3.

7.4 Devices used in the network

Router and switch:

Fig. 7.2

Workgroup Switch

Workgroup switches add more intelligence to data transfer management. Switches can determine whether data should remain on a LAN or not, and they can transfer the data to the connection that needs that data.

Fig. 7.3

Router


Routers have all the capabilities of the previous devices. Routers can regenerate signals, concentrate multiple connections, convert data transmission formats, and manage data transfers. They can also connect to a WAN, which allows them to connect LANs that are separated by great distances.


Fig.7.4

Cables

Fig.7.5 Console Cable

Fig.7.6 Serial cable

Fig. 7.7 Twisted Pair

Cabling

A straight-through Ethernet cable is used to connect: PC to switch; router to switch.

Fig. 7.8

7.5 Device configuration

Step 1: Cable the network as shown in the topology. Attach the devices shown in the topology diagram and cable as necessary.

Step 2: Configure basic settings for the router and each switch.

Router to router: for router-to-router connectivity, we first have to select serial ports from the WIC-2T module.

Fig. 7.10

Select serial ports:

Router to switch: for router-to-switch connectivity, we used a straight-through cable from FastEthernet port Fa0/0 to Fa0/1.

Fig. 7.11

Switch to switch: for switch-to-switch connectivity, we used a straight-through cable from FastEthernet port Fa0/1 to Fa0/3.

Fig. 7.12

Switch to servers and IP phones: for connectivity of the switch to servers and IP phones, we used a straight-through cable at a FastEthernet port.

Fig. 7.13

7.6 Configuring IP addresses

To assign IP addresses we used commands, which are given in the following snapshots together with the resulting IP configuration.

From router0 to router2:

IP configuration router0:

From router2 to router0 & router3:

IP configuration:

From router3 to router2 & router1:

IP configuration:

From router1 to router3:

7.7 Configuring routing protocol on routers

The Open Shortest Path First (OSPF) protocol is configured on the routers.

1. Configure OSPF on Router 2 with Process id 2 and Backbone Area id 3 for the 190.168.0.1 and 192.168.0.1 networks.

2. Configure OSPF on Router 3 with Process id 2 and Backbone Area id 3 for the 192.168.0.0 and 194.168.0.10 networks.

3. Configure OSPF on Router 1 with Process id 2 and Backbone Area id 3 for the 194.168.0.0 network, and Area id 1 for the 40.0.0.0 network.

Chapter 8

IP ADDRESSING

8.1 IP address 8.2 Subnetmask 8.3 Private IP addresses

8.1 IP Address

An IP address is a 32-bit address. It is divided into four octets, each of 8 bits. It has two parts: the network address and the host address. In a local area network we can use private IP addresses, which are provided by IANA (Internet Assigned Numbers Authority). When IP was first standardized, the specification required that each system attached to an IP-based internet be assigned a unique, 32-bit internet address value. Systems that have interfaces to more than one network require a unique IP address for each network interface. The first part of an internet address identifies the network on which the host resides, while the second part identifies the particular host on the given network. IP addresses are divided into five classes.

Class   First-octet range   N/w bits   Host bits   Subnet mask       Total IP    Valid IP
A       1 - 126             8          24          255.0.0.0         16777216    16777214
B       128 - 191           16         16          255.255.0.0       65536       65534
C       192 - 223           24         8           255.255.255.0     256         254
D       224 - 239           reserved for multicast
E       240 - 255           reserved for research/scientific use

We can use the first three classes. IANA provides private IP addresses from the first three classes.

Class   Private IP Range
A       10.0.0.0 - 10.255.255.255
B       172.16.0.0 - 172.31.255.255
C       192.168.0.0 - 192.168.255.255

IP Address Ranges: the graphic below shows the IP address range of the first octet, both in decimal and binary, for each IP address class.

8.2 Subnet Mask

A subnet mask is also a 32-bit address, which tells us how many bits are used for the network and how many bits are used for the host address. In a subnet mask, network bits are always 1 and host bits are always 0. When we are going to assign IP addresses to our computers, we have to follow some rules.

Rules:

(1) All host bits cannot be 0 (10.0.0.0), because this represents the network address, which is reserved for the router.

(2) All host bits cannot be 1 (10.255.255.255), because this is the broadcast address of that network (the 10th network).

(3) All bits cannot be 0 (0.0.0.0), because this address is reserved for default routing. Default routing is used in the case of a stub n/w (meaning our network has one exit point).

(4) All bits cannot be 1 (255.255.255.255), because this is reserved for broadcasting.

(5) 127.0.0.1 is the loopback address, which is used for self-communication or troubleshooting purposes.

C:\>ipconfig

C:\>ipconfig /all

The second command shows all details.
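The subnet mask rules above can be checked mechanically. The following Python script is an added example, not part of the original report; it uses only the standard library, the sample address 10.0.0.1 / 255.0.0.0 is chosen to match the class A row of the table, and the loopback check is widened to the whole 127.0.0.0/8 block, of which the page's example 127.0.0.1 is one address.

```python
# Added example: applying the subnet mask rules of section 8.2 in code.
# Only the Python standard library is used; the sample addresses are
# constructed to match the report's own values (class A, 10.0.0.0 network).
import ipaddress


def split_address(ip: str, mask: str) -> dict:
    """Derive network and broadcast addresses from an address and subnet mask.

    The 1-bits of the mask select the network part, the 0-bits the host part.
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ip_int & mask_int                      # all host bits set to 0
    broadcast = network | (~mask_int & 0xFFFFFFFF)   # all host bits set to 1
    network_bits = bin(mask_int).count("1")
    host_bits = 32 - network_bits
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "network_bits": network_bits,
        "host_bits": host_bits,
        # Total addresses minus the network and broadcast addresses,
        # matching the "Valid IP" column of the class table.
        "valid_hosts": max((1 << host_bits) - 2, 0),
    }


def classify(ip: str, mask: str) -> str:
    """Apply rules (1) to (5) of section 8.2 to an address in the subnet 'mask'.

    Returns the rule that forbids assigning the address to a host, or
    "assignable host address" if none applies.
    """
    addr = ipaddress.IPv4Address(ip)
    if int(addr) == 0:
        return "rule 3: all bits 0, reserved for default routing"
    if int(addr) == 0xFFFFFFFF:
        return "rule 4: all bits 1, reserved for broadcasting"
    # Rule 5 names 127.0.0.1; the whole 127.0.0.0/8 block is loopback.
    if addr in ipaddress.IPv4Network("127.0.0.0/8"):
        return "rule 5: loopback address"
    info = split_address(ip, mask)
    if addr == ipaddress.IPv4Address(info["network"]):
        return "rule 1: all host bits 0, network address"
    if addr == ipaddress.IPv4Address(info["broadcast"]):
        return "rule 2: all host bits 1, broadcast address"
    return "assignable host address"


if __name__ == "__main__":
    for candidate in ("10.0.0.0", "10.0.0.1", "10.255.255.255", "0.0.0.0",
                      "255.255.255.255", "127.0.0.1"):
        print(f"{candidate:>16}  ->  {classify(candidate, '255.0.0.0')}")
    print(split_address("10.0.0.1", "255.0.0.0"))
```

Running it with the class A values reproduces the table: 24 host bits give 16777216 addresses, of which 16777214 are valid because the network and broadcast addresses (rules 1 and 2) are excluded.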

8.3 Private IP Addresses

Early network design, when global end-to-end connectivity was envisioned for all internet hosts, intended that IP addresses be uniquely assigned to a particular computer or device. However, it was found that this was not always necessary as private networks developed and address space needed to be conserved (IPv4 address exhaustion).

Computers not connected to the internet, such as factory machines that communicate only with each other via TCP/IP, need not have globally unique IP addresses. Three ranges of IPv4 addresses for private networks, one range for each class (A, B, C), were reserved. These addresses are not routed on the Internet, and thus their use need not be coordinated with an IP address registry.

Today, such private networks typically connect to the internet through Network Address Translation (NAT).

Private IP addresses are another solution to the problem of the impending exhaustion of public IP addresses. As mentioned, public networks require hosts to have unique IP addresses. However, private networks that are not connected to the Internet may use any host addresses, as long as each host within the private network is unique.

Chapter 13

IP ROUTING & ROUTING PROTOCOLS

13.1 IP routing 13.2 Dynamic routing 13.3 Routing protocols 13.4 Interior Gateway Routing Protocol (IGRP)

13.1 IP Routing

When we want to connect two or more networks using different n/w addresses, we have to use the IP routing technique. The router will be used to perform routing between the networks. A router performs the following functions for routing:

(1) Path determination

(2) Packet forwarding

(1) Path determination: the process of obtaining a path in the routing table is called path determination. There are three different methods by which a router can learn a path:

i) Automatic detection of directly connected n/w.

ii) Static & default routing.

iii) Dynamic routing.

(2) Packet forwarding: a process that is enabled by default in the router. The router will perform packet forwarding only if a route is available in the routing table.

In this project, we are using only DYNAMIC ROUTING.

13.2 Dynamic Routing

In dynamic routing, we enable a routing protocol on the router. This protocol sends its routing information to the neighbor router. The neighbors analyze the information and write new routes to the routing table. The routers also pass routing information received from one router on to other routers. If there is more than one path available, the routes are compared and the best path is selected. Some examples of dynamic protocols are RIP, IGRP, EIGRP and OSPF.

Types of Dynamic Routing Protocols

According to the way they work, there are two types of dynamic routing protocols:

(1) Distance Vector

(2) Link State

According to the type of area in which the protocol is used, there are again two types of protocol:

(1) Interior Routing Protocol

(2) Exterior Routing Protocol

Distance vector routing algorithm: a class of routing algorithms that iterate on the number of hops in a route to find a shortest-path spanning tree. Distance vector routing algorithms call for each router to send its entire routing table in each update, but only to its neighbors. Distance vector routing algorithms can be prone to routing loops, but are computationally simpler than link state routing algorithms. Distance vector algorithms do not allow a router to know the exact topology of an internetwork. Also called the Bellman-Ford routing algorithm.

Distance Vector Routing: routers pass periodic copies of their routing table to neighbor routers and accumulate distance vectors. Routers discover the best path to a destination from each neighbor. Updates proceed step-by-step from router to router.

Link state routing algorithm (also called Shortest Path First): a routing algorithm in which each router broadcasts (floods) or multicasts information regarding the cost of reaching each of its neighbors to all nodes in the internetwork. Link state algorithms create a consistent view of the network and are therefore not prone to routing loops, but they achieve this at the cost of relatively greater computational difficulty and more widespread traffic (compared with distance vector routing algorithms).

Convergence: the speed and ability of a group of internetworking devices running a specific routing protocol to agree on the topology of an internetwork after a change in that topology. Convergence occurs when all routers use a consistent perspective of the network topology (when all routers in an internetwork are operating with the same knowledge). After a topology change, routers must recompute routes, which disrupts routing. The process and time required for router reconvergence varies between routing protocols.

Autonomous System (AS): consists of routers, run by one or more operators, that present a consistent view of routing to the external world (routers under a common administration). The Internet Network Information Center (InterNIC) assigns a unique autonomous system number to enterprises. This autonomous system number is a 16-bit number. A routing protocol such as Cisco's Interior Gateway Routing Protocol (IGRP) requires that you specify this unique, assigned autonomous system number in your configuration.

Exterior routing protocols are used to communicate between autonomous systems. Interior routing protocols are used within a single autonomous system.

Interior IP Routing Protocols:

RIP - A distance vector routing protocol.

IGRP - Cisco's distance vector routing protocol (supports multipath routing).

OSPF - A link-state routing protocol.

Enhanced IGRP - A balanced hybrid routing protocol.

IP Routing configuration tasks:

Global Configuration: select a routing protocol, RIP or IGRP. Assign IP network numbers without specifying subnet values.

Interface Configuration: assign network/subnet addresses and subnet mask.

Dynamic Routing configuration:

Router(config)# router protocol [keyword]

Defines an IP routing protocol (starts a routing process). protocol - RIP, IGRP, OSPF, EIGRP; keyword - autonomous system.

Router(config-router)# network network-number

The network subcommand is a mandatory configuration command for each IP routing process (it allows the routing process to determine which interfaces will participate in the sending and receiving of routing updates). network-number - specifies a directly connected network (must be based on the NIC network numbers, not subnet numbers or individual addresses).
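The distance vector behaviour described above (each router sends its whole table to its neighbors, routes accumulate hop by hop, and the network converges once no table changes) can be watched in a small simulation. The following Python script is an added example and not part of the original report; the four-router chain and the triangle are constructed topologies, every link counts as one hop as in RIP, and 16 is used as "unreachable" in the RIP convention.

```python
# Added example: a small synchronous simulation of distance vector routing
# (Bellman-Ford), the algorithm described above. Not part of the original
# report; the topologies are constructed and links cost one hop as in RIP.
INFINITY = 16          # RIP convention: 16 hops means "unreachable"


def initial_tables(links):
    """Each router starts knowing itself and its directly connected neighbors.

    links: list of (router_a, router_b, cost).
    Returns {router: {destination: (cost, next_hop)}}.
    """
    tables = {}
    for a, b, cost in links:
        tables.setdefault(a, {a: (0, None)})[b] = (cost, b)
        tables.setdefault(b, {b: (0, None)})[a] = (cost, a)
    return tables


def neighbors_of(router, links):
    """Yield (neighbor, link_cost) for every link touching 'router'."""
    for a, b, cost in links:
        if a == router:
            yield b, cost
        elif b == router:
            yield a, cost


def exchange_round(tables, links):
    """One update period: every router sends its whole table to its neighbors.

    Updates are applied against a snapshot so that processing order does not
    matter. Returns (new_tables, changed).
    """
    new_tables = {r: dict(t) for r, t in tables.items()}
    changed = False
    for router in tables:
        for neighbor, link_cost in neighbors_of(router, links):
            for dest, (advertised_cost, _) in tables[neighbor].items():
                via_cost = min(link_cost + advertised_cost, INFINITY)
                current = new_tables[router].get(dest)
                # Take a better route, or any update from the neighbor we
                # already forward through (so a worsening path is noticed).
                if current is None or via_cost < current[0] or current[1] == neighbor:
                    if current != (via_cost, neighbor):
                        new_tables[router][dest] = (via_cost, neighbor)
                        changed = True
    return new_tables, changed


def converge(links, max_rounds=50):
    """Run update rounds until nothing changes.

    Returns (tables, number of rounds in which some table changed).
    """
    tables = initial_tables(links)
    rounds = 0
    for _ in range(max_rounds):
        tables, changed = exchange_round(tables, links)
        if not changed:
            break
        rounds += 1
    return tables, rounds


# Constructed four-router chain: R1 - R2 - R3 - R4, one hop per link.
CHAIN = [("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 1)]

if __name__ == "__main__":
    tables, rounds = converge(CHAIN)
    print(f"converged after {rounds} update rounds")
    for router in sorted(tables):
        for dest, (cost, via) in sorted(tables[router].items()):
            print(f"{router} -> {dest}: {cost} hops via {via}")
```

On the chain, R1 learns R3 in the first round and R4 only in the second, which is the "step-by-step from router to router" propagation the text describes; the number of rounds needed grows with the distance between routers, which is why distance vector protocols converge more slowly than link state ones on large networks.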

13.3 Routing Protocols

Routed protocol: used between routers to carry user traffic (e.g. IP, IPX).

Routing protocol: used between routers to maintain tables (e.g. RIP, IGRP).

Routed protocol - a protocol that can be routed by a router. A router must be able to interpret the logical internetwork as specified by that routed protocol. Examples of routed protocols include AppleTalk, DECnet, and IP.

Routing protocol - a protocol that accomplishes routing through the implementation of a specific routing algorithm. Examples of routing protocols include IGRP, OSPF, and RIP.

A routing protocol describes:

How updates are sent

What knowledge is contained in these updates

When to send this knowledge

How to locate recipients of the updates

RIP (Routing Information Protocol) - IGP supplied with UNIX BSD systems. The most common IGP in the Internet. RIP uses hop count as a routing metric.

IGRP (Interior Gateway Routing Protocol) - IGP developed by Cisco to address the problems associated with routing in large, heterogeneous networks.

EIGRP (Enhanced Interior Gateway Routing Protocol) - Advanced version of IGRP developed by Cisco. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.

OSPF (Open Shortest Path First) - Link-state, hierarchical IGP routing protocol proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the IS-IS protocol.

Configuring RIP

Router#conf ter
Router(config)#router rip
Router(config-router)#network network-number
Router(config-router)#network network-number
Router(config-router)#exit

(Figure: R1 with addresses 10.0.0.1, 172.16.0.5 and 200.100.100.12; other addresses shown: 172.16.0.6 and 175.2.1.1.)

Router(config-router)#network 10.0.0.0
Router(config-router)#network 172.16.0.0
Router(config-router)#network 200.100.100.0

Route learned by RIP: 175.2.0.0 via 172.16.0.6

Configuring IGRP

Router(config)#router igrp autonomous-system (1-65535)
Router(config-router)#network network-number
Router(config-router)#network network-number
Router(config-router)#exit

(Figure: Serial, E1 and modem links at 2048 k, 2048 k and 256 k sync.)

The following options are configured in IGRP in the same way as in the case of RIP:

(1) Neighbor

(2) Passive interface

(3) Timer

(4) Distance (AD)

(5) Maximum path

Enhanced Interior Gateway Routing Protocol

Features:

* Cisco proprietary
* Hybrid protocol (Link State + Distance Vector)
* Multicast updates using address 224.0.0.10
* Supports AS
* Supports VLSM
* Automatic route summarization
* Unequal path cost load balancing
* Metric (32-bit composite): Bandwidth, Delay, Load, Reliability, MTU
* Neighbor recovery
* Partial updates
* Triggered updates
* Backup route

Configuring EIGRP

Router(config)#router eigrp autonomous-system
Router(config-router)#network network-number
Router(config-router)#network network-number
Router(config-router)#exit

OSPF Terminology

Already known topics in this:

(1) Hello packets

(2) LSA (Link State Advertisement)

(3) Neighbor

(4) Neighbor table

(5) Topology table (LSA database)

Commands to configure OSPF

Router#conf ter
Router(config)#router ospf process-id
Router(config-router)#network network-number wildcard-mask area area-id
Router(config-router)#network network-number wildcard-mask area area-id
Router(config-router)#exit

Wildcard mask: the complement of the subnet mask.

Example: subnet mask 255.255.0.0 gives wildcard mask 0.0.255.255.

255.255.255.255 - subnet mask = wildcard mask

255.255.255.255 - 255.255.192.0 (subnet mask) = 0.0.63.255 (wildcard mask)

R1:
Router(config)#router ospf 33
Router(config-router)#network 200.100.100.32 0.0.0.3 area 0
Router(config-router)#network 200.100.100.64 0.0.0.31 area 0
Router(config-router)#exit

R2:
Router(config)#router ospf 2
Router(config-router)#network 200.100.100.32 0.0.0.3 area 0
Router(config-router)#network 200.100.100.128 0.0.0.63 area 0
Router(config-router)#exit
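The wildcard arithmetic and the OSPF network statements for R1 can be checked in code. The following Python script is an added example, not part of the original report: it uses only the standard library, takes R1's two network statements from the configuration above, and goes a little beyond the page by also deriving the wildcard from a /n prefix length and by reporting which addresses each statement covers. The interface names and addresses are constructed, and the choice of the most specific matching statement when several cover one address is this example's own rule.

```python
# Added example: wildcard masks as used by the OSPF network statements above.
# Standard library only; the network statements come from the R1 configuration
# in this section, the interface addresses are constructed.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, exactly as in the worked example."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_from_prefix_length(prefix_length: int) -> str:
    """Generalization: derive the wildcard mask from a /n prefix length."""
    subnet_mask = (ALL_ONES << (32 - prefix_length)) & ALL_ONES
    return to_dotted(ALL_ONES - subnet_mask)


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', 1 means 'ignore'."""
    check = ALL_ONES ^ to_int(wildcard)          # bits that have to agree
    return (to_int(address) & check) == (to_int(base) & check)


def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address a base/wildcard pair can match."""
    w = to_int(wildcard)
    low = to_int(base) & (ALL_ONES ^ w)
    return to_dotted(low), to_dotted(low | w)


def ospf_areas_for_interfaces(network_statements, interfaces) -> dict:
    """Map each interface to the area of the network statement that covers it.

    network_statements: list of (network, wildcard, area) as typed after
    'router ospf'. interfaces: dict of interface name -> IPv4 address.
    Where several statements cover one address this example picks the most
    specific one (fewest ignored bits); an uncovered interface maps to None.
    """
    result = {}
    for name, address in interfaces.items():
        best = None
        for network, wildcard, area in network_statements:
            if wildcard_matches(address, network, wildcard):
                ignored_bits = bin(to_int(wildcard)).count("1")
                if best is None or ignored_bits < best[0]:
                    best = (ignored_bits, area)
        result[name] = None if best is None else best[1]
    return result


# R1's two statements from the configuration above.
R1_NETWORK_STATEMENTS = [
    ("200.100.100.32", "0.0.0.3", 0),
    ("200.100.100.64", "0.0.0.31", 0),
]

# Constructed interface addresses: two inside the statements, one outside.
R1_INTERFACES = {
    "Serial0/0/0": "200.100.100.33",
    "FastEthernet0/0": "200.100.100.70",
    "FastEthernet0/1": "200.100.100.130",
}

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.192.0"))
    print(covered_range("200.100.100.32", "0.0.0.3"))
    print(ospf_areas_for_interfaces(R1_NETWORK_STATEMENTS, R1_INTERFACES))
```

The 0.0.0.3 statement covers only 200.100.100.32 to .35 (a four-address point-to-point block) and 0.0.0.31 covers .64 to .95, so an interface at 200.100.100.130 would not be placed into area 0 by either statement; forgetting that is a common reason an OSPF adjacency never forms.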

13.4 Interior Gateway Routing Protocol (IGRP)

Internetworking functions of the Network Layer include 'network addressing' and 'best path selection' for traffic. 'Network addressing' uses one part to identify the path used by the router and one part for ports or devices on the net. 'Routed protocols' carry user traffic, while 'Routing protocols' work between routers to maintain path tables. Network discovery for 'Distance vector' involves exchange of routing tables; problems can include 'slower convergence'. For 'Link-state', routers calculate the shortest paths to other routers; problems can include 'inconsistent updates'. 'Balanced hybrid' routing uses attributes of both link-state and distance vector, applying paths to several protocols.

Configuring IGRP

IGRP is a distance vector routing protocol developed by Cisco. IGRP sends routing updates at 90-second intervals that advertise networks for a particular autonomous system.

A composite metric selects the path; speed is the primary consideration.

Supports multi-path routing.

Supports equal-cost and unequal-cost load balancing.

Versatility to automatically handle indefinite, complex topologies.

Flexibility for segments having different bandwidth and delay characteristics.

Scalability to function in very large networks.

Variables IGRP uses include: Bandwidth, Delay, Load, Reliability, Maximum transmission unit (MTU).

MTU (Maximum transmission unit) - Maximum packet size, in bytes, that a particular interface can handle.

Router(config)# router igrp autonomous-system

Defines/selects IGRP as an IP routing process/protocol. autonomous-system (AS) - Identifies the IGRP router processes that will share routing information.

Router(config-router)# network network-number

Specifies any participating attached networks. network-number - Specifies a directly connected network: a network number, not a subnet number or individual address.

EXAMPLE:

Router(config)# router igrp 109
Selects IGRP as the routing protocol for AS 109.

Router(config-router)# network 1.0.0.0
Specifies a directly connected network.

Router(config-router)# network 2.0.0.0
Specifies a directly connected network.

Router> show ip protocol

show ip protocol - Displays the IP routing protocol, routing timers and network information associated with the entire router. The algorithm used to calculate the routing metric for IGRP is also shown, as well as information about routing metrics (like hop count) and routing filters.

Router> show ip route

show ip route - Displays the contents of an IP routing table. The table contains a list of all known networks and subnets and the metrics associated with each entry.

Chapter 14

ACCESS CONTROL LIST

14.1 Access control list 14.2 Types of ACL 14.3 Access list command overview 14.4 Standard IP ACL configuration 14.5 Extended IP ACL configuration

14.1 Access control list

ACLs are the basic security feature required in any network to control the flow of traffic. Most of the time our network has servers and clients for which traffic control is required. We can also use ACLs to classify traffic. ACLs are used in features like QoS (Quality of Service), traffic prioritization and identifying interesting traffic for ISDN.

Classification of Access Control Lists:

Types of ACL based on protocol:

(1) IP Access Control List

(2) IPX Access Control List

(3) AppleTalk Access Control List

Types of ACL based on feature:

(1) Standard ACL

(2) Extended ACL

Types of ACL based on access mode:

(1) Numbered ACL

(2) Named ACL

Types of ACL based on order of rules:

(1) Deny, permit

(2) Permit, deny

IP Standard ACL (Numbered)

In a standard ACL, we are only able to specify the source address for the filtering of packets. The syntax to create an IP standard ACL is:

Router#conf ter
Router(config)#access-list acl-number {permit|deny} source [wildcard-mask]
Router(config)#exit

Ways of writing the source:

Single PC: host 192.168.10.5, or 192.168.10.5, or 192.168.10.5 0.0.0.0

N/w: 200.100.100.0 0.0.0.255

200.100.100.32 0.0.0.15

Applying ACL on interface

Router#conf ter
Router(config)#interface interface-name
Router(config-if)#ip access-group acl-number {in|out}
Router(config-if)#exit

(Figure: Router connected to the Internet.)

Router(config)#access-list 25 permit 192.168.10.32 0.0.0.31
Router(config)#access-list 25 permit 192.168.10.64 0.0.0.3
Router(config)#access-list 25 permit 192.168.10.68
Router(config)#access-list 25 permit 192.168.10.69
Router(config)#access-list 25 permit 192.168.10.70

Router(config)#interface serial 0
Router(config-if)#ip access-group 25 out

IP Standard ACL (Named)

In a numbered ACL the editing feature is not available, that is, we are not able to delete a single rule from the ACL. In a named ACL the editing feature is available.

Router#config ter
Router(config)#ip access-list standard acl-name
Router(config-std-nacl)#{permit|deny} source [wildcard-mask]
Router(config-std-nacl)#exit

Router#conf ter
Router(config)#ip access-list standard abc
Router(config-std-nacl)#deny 172.16.0.16
Router(config-std-nacl)#deny 172.16.0.17
Router(config-std-nacl)#deny 172.16.0.18
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit

To modify the ACL:

Router#conf ter
Router(config)#ip access-list standard abc
Router(config-std-nacl)#no deny 172.16.0.17
Router(config-std-nacl)#exit

IP Extended ACL (Numbered)

Extended ACLs are advanced ACLs, which can control traffic flow on the basis of five different parameters:

(i) Source address

(ii) Destination address

(iii) Source port

(iv) Destination port

(v) Protocol (layer 3/layer 4)

The syntax to create an extended ACL:

Router#conf ter
Router(config)#access-list acl-number {permit|deny} protocol source source-wildcard destination destination-wildcard [operator port]
Router(config)#exit

To display ACLs:

Router#show access-lists
or
Router#show access-list

To display the ACL applied on an interface:

Router#show ip interface

Router#show ip interface interface-name
Router#show ip interface Ethernet 0

Time-Based ACLs

With time-based ACLs you can specify a certain time of day and week and then identify that particular period by giving it a name, which is referenced by a task. The referencing function will fall under whatever time constraints you have dictated. The time period is based upon the router's clock, but it is highly recommended to use it in conjunction with Network Time Protocol (NTP) synchronization.

Router#conf ter
Router(config)#time-range no-http
Router(config-time-range)#periodic daily 06:00 to 12:00
Router(config-time-range)#exit

Router(config)#time-range tcp-yes
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit

Router(config)#ip access-list extended time
Router(config-ext-nacl)#deny tcp any any eq www time-range no-http
Router(config-ext-nacl)#permit tcp any any time-range tcp-yes

Router(config-ext-nacl)#interface f0/0
Router(config-if)#ip access-group time in
Router(config-if)#do show time-range

Access Lists perform serveral functions within a cisco router, including: Implement security / access procedures Act as a protocol "firewall"Extended Access Lists allow filtering on address, protocol, and applications. Access lists are used to limit broadcast traffic.Why use Access Lists: Deny traffic you do not want based on packet tests (for example, addressing or traffic type) Identify packets for priority or custom queuing Restrict or reduce the contents of routing updates Provide IP traffic dynamic access control with enhanced user authentication using the lock-and-key feature Identify packets for encryption Identify Telnet access allowed to the router virtual terminals Specify packet traffic for dial-in remote sites using dial-on-demand routing (DDR) Dial-on-demand routing (DDR) - technique whereby a Cisco router can automatically initiate and close a circuit-switched session as transmitting stations demand. The router spoofs keepalives so that end stations treat the session as active. DDR permits routing over ISDN or telephone lines using an external ISDN terminal adaptor or modem.14.2 Types of NAT

1. Standard access lists Standard access lists for IP check the 'source address' of packets that could be routed. The result permits or denies output for an 'entire protocol' suite, based on the network/subnet/host address. 2. Extended access lists Extended access lists check for both 'source' and 'destination' packet addresses. They also can check for 'specific protocols', 'port numbers', and other parameters. Packets can be 'permitted' or 'denied' output based on where the packet originated and on its destination. Generally permits or denies 'specific protocols'Access lists express the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. Access lists do not act on packets that originates in the router itself.Access list statements operate in sequential, logical order. They evaluate packets from the top down. If a packet header and access list statement match, the packet skips the rest of the statements. If a condition match is true, the packet is permitted or denied. There can be only one access list per protocol per interface.NOTE: For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets. It results in a deny. Instead of proceeding in or out an interface, all these remaining packets are dropped.14.3 Access List command overviewStep 1: Set parameters for this access list test statement (which can be one of several statements). The access list process contains global statements: This global statement identifies the access list, usually an access list number. This number refers to the type of access list this will be. In Cisco IOS Release 11.2 or newer, access lists for IP may also use an access list name rather than a number. 
The permit or deny term in the global access list statement indicates how packets that meet the test conditions will be handled by Cisco IOS. Permit usually means the packet will be allowed to use one or more interfaces that you will specify later. The final term or terms specifies the test conditions used by this access list statement. The test can be as simple as checking for a single source address, but usually test conditions are extended to include several test conditions. Use several global access list statements with the same identifier to stack several test conditions into a logical sequence or list of tests.

Router(config)# access-list acl-number {permit|deny} {conditions} Step 2: Enable an interface to become part of the group that uses the specific acces list. The access list process uses an interface command. All the access list statements identified by the access-list number associate with one or more interfaces. Any packets that pass the access list test conditions can be permitted to use any interface in the access group of interfaces.Router(config-if)# {protocol} access-group acl-number Access lists are numbered (for IP, numbered or named)How to identify Access Lists:

* IP Standard1 - 99

* IP Extended100-199Named (Cisco IOS 11.2 and later)

* IPX Standard800 - 899

* IPX SAP filters1000 - 1099

* Apple Talk600 - 699

* Number identifies the protocol and type

* Other number ranges for most protocols

For TCP/IP packet filters, Cisco IOS access lists check the packet and upper-layer headers for:

* Source IP addresses, using standard access lists; identify these with a number in the range 1 to 99.
* Destination and source IP addresses or specific protocols, using extended access lists; identify these with a number in the range 100 to 199.
* Upper-level TCP or UDP port numbers in addition to the other tests in extended access lists; also identify these with a number in the range 100 to 199.

For all of these TCP/IP access lists, after a packet is checked for a match with the access list statement, it can be denied or permitted to use an interface in the access group.

Key Concepts for IP Access Lists:

* Standard lists (1-99) test conditions of all IP packets from the source address.
* Extended lists (100-199) can test conditions of: source and destination address, specific TCP/IP-suite protocols, destination ports.
* Wildcard bits indicate how to check the corresponding address bits (0 = check, 1 = ignore).

Wildcard mask - a 32-bit quantity used in conjunction with an IP address to determine which bits in an IP address should be ignored when comparing that address with another IP address. A wildcard mask is specified when setting up access lists. A wildcard mask bit 0 means "check the corresponding bit value." A wildcard mask bit 1 means "do not check (ignore) that corresponding bit value."

NOTE: Wildcard masking for access lists operates differently from an IP subnet mask. A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked; a one in a bit position of the access list mask indicates that the corresponding bit in the address is not 'interesting' and can be ignored.

How to use wildcard mask bits - IP access list test conditions:

* Check for the IP subnets 172.30.16.0 to 172.30.31.0: address and wildcard mask 172.30.16.0 0.0.15.255
* Test condition: ignore all the address bits (match any). Accept any address: 0.0.0.0 255.255.255.255 (ignore all). Abbreviate the expression using the keyword "any".
* Test condition: check all the address bits (match all). Check for an IP host: 172.30.16.29 0.0.0.0 (check all bits). Abbreviate the wildcard using the keyword "host" followed by the IP address.

14.4 Standard IP Access List configuration

1. List kept by Cisco routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
2. Command that creates an entry in a standard traffic filter list. Standard access lists filter based on a 'source address' and mask. Standard access lists permit or deny the entire TCP/IP protocol suite.

Router(config)# access-list acl-number {permit|deny} source [mask]

Sets parameters for this list entry:
* acl-number - an IP standard access list uses 1 - 99
* permit|deny - does this entry allow or block the specified address
* source - source IP addresses
* mask - 0s = must match, 1s = don't care positions

ip access-group - Command that links an existing access list to an interface (inbound or outbound).

Router(config-if)# ip access-group acl-number {in|out}

Activates the list on an interface:
* acl-number - the number of the access list to be linked to this interface
* in|out - selects whether the access list is applied to incoming or outgoing traffic on the interface. If in or out is not specified, out is the default.

NOTE: To remove an access list, first enter the 'no ip access-group' command, including the list number, for each interface where the list had been used, then enter the 'no access-list' command (with the list number).
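The wildcard semantics described above are easy to get wrong by reading a wildcard as a subnet mask. The following Python model is an added example, not code from the training report or from Cisco; it implements the bit-by-bit check (0 = compare, 1 = ignore), expands the "any" and "host" shorthands, works out the address range a contiguous wildcard covers, and shows a constructed wildcard (0.0.254.255, matching only odd third octets) that no subnet mask can express. The 172.30.16.0 0.0.15.255 and 172.30.16.29 cases are the page's own; the odd-octet case is constructed for illustration.

```python
# Added example (not from the training report): how an IOS wildcard mask selects
# addresses, and why it is not simply a subnet mask.
import ipaddress
from typing import Optional, Tuple


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit must equal the base; bit 1 = ignore it."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) & care) == (ip_to_int(base) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the ignored bits form one low-order run, i.e. the wildcard is the
    inverse of some subnet mask. Only such wildcards describe a single address range."""
    w = ip_to_int(wildcard)
    return (w + 1) & w == 0


def matched_range(base: str, wildcard: str) -> Optional[Tuple[str, str]]:
    """First and last address covered by base/wildcard, or None for a
    non-contiguous wildcard (which selects several separate blocks)."""
    if not is_contiguous(wildcard):
        return None
    w = ip_to_int(wildcard)
    low = ip_to_int(base) & (~w & 0xFFFFFFFF)
    return int_to_ip(low), int_to_ip(low | w)


def wildcard_for_prefix(prefix_len: int) -> str:
    """The wildcard equivalent of a /prefix_len subnet mask: its bitwise inverse."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return int_to_ip(~subnet_mask & 0xFFFFFFFF)


def expand_keyword(token: str, following: str = "") -> Tuple[str, str]:
    """Turn the IOS shorthand into an explicit address/wildcard pair:
    'any' -> 0.0.0.0 255.255.255.255, 'host A.B.C.D' -> A.B.C.D 0.0.0.0."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    if token == "host":
        return following, "0.0.0.0"
    return token, following or "0.0.0.0"   # a bare address in a standard list means wildcard 0.0.0.0


if __name__ == "__main__":
    # The page's own test conditions
    print(matched_range("172.30.16.0", "0.0.15.255"))     # covers the 172.30.16.0 - 172.30.31.0 subnets
    print(wildcard_matches("172.30.31.200", "172.30.16.0", "0.0.15.255"))
    print(expand_keyword("host", "172.30.16.29"))
    # Constructed case: a wildcard with no subnet-mask equivalent (odd third octets only)
    print(wildcard_matches("172.30.3.5", "172.30.1.0", "0.0.254.255"))
    print(matched_range("172.30.1.0", "0.0.254.255"))     # None: not one contiguous range
```

When reviewing a list, `is_contiguous` is the quick sanity check: a wildcard that fails it was almost always meant to be a subnet mask typed by mistake, and it silently matches addresses the author did not intend.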

Standard Access List examples:

(1.) Allow only traffic from a specific source network

Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255

(implicit deny any - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1 out
Router(config)# interface ethernet 1
Router(config-if)# ip access-group 1 out

(2.) Deny a specific host

Router(config)# access-list 1 deny host 172.16.4.13
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

(implicit deny any - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1

(3.) Deny a specific subnet

Router(config)# access-list 1 deny 172.16.4.0 0.0.0.255
Router(config)# access-list 1 permit any

(implicit deny any - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 1

14.5 Extended IP Access List configuration

Allow more precise filtering conditions:
* Check source and destination IP address
* Specify an optional IP (TCP or UDP) protocol port number
* Use access list number range 100 - 199

Well-Known IP Protocol Port Numbers (Decimal):
* 20 - File Transfer Protocol (FTP) data
* 21 - FTP program
* 23 - Telnet
* 25 - Simple Mail Transport Protocol (SMTP)
* 69 - Trivial File Transfer Protocol (TFTP)
* 53 - Domain Name System (DNS)

Router(config)# access-list acl-number {permit|deny} protocol source source-mask destination destination-mask [operator operand] [established]

Sets parameters for this list entry:
* acl-number - an IP extended access list uses 100 - 199
* permit|deny - does this entry allow or block the specified address
* protocol - IP, TCP, UDP, ICMP, GRE, IGRP
* source and destination - source and destination IP addresses
* masks - wildcard mask; 0s = must match, 1s = don't care positions
* operator and operand - lt, gt, eq, neq (not equal), and a port number
* established - allows TCP traffic to pass if the packet belongs to an established connection (for example, has the ACK bit set)

ip access-group - Command that links an existing access list to an interface. Only one access list per port per protocol is allowed.

Router(config-if)# ip access-group acl-number {in|out}

Activates the extended list on an interface:
* acl-number - the number of the access list to be linked to this interface
* in|out - selects whether the access list is applied to incoming or outgoing traffic on the interface. If in or out is not specified, out is the default.

Extended Access List examples:

(1.) Deny FTP for E0

Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Router(config)# access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255

(implicit deny any - not visible in the list) (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101

(2.) Allow only SMTP for E0

Router(config)# access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

(implicit deny any - not visible in the list) (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101

Using Named IP Access Lists

A feature of Cisco IOS Release 11.2 or newer, named IP access lists can be used to delete individual entries from a specific access list. This enables you to modify your access lists without deleting and then reconfiguring them. Use named IP access lists when:

* You want to intuitively identify access lists using an alphanumeric name
* You have more than 99 simple and 100 extended access control lists to be configured in a router for a given protocol

NOTE: Most of the commonly used IP access list commands accept named IP access lists.

Router(config)# ip access-list {standard|extended} name

* The alphanumeric name string must be unique

Router(config {std-|ext-}nacl)# {permit|deny} {ip access list test cond}
Router(config {std-|ext-}nacl)# {permit|deny} {ip access list test cond}
Router(config {std-|ext-}nacl)# no {permit|deny} {ip access list test cond}

* Permit or deny statements have no prepended number
* "no" removes the specified tests from the named access list

Router(config-if)# ip access-group {name|1-199} {in|out}

* Activate the IP named access list on an interface

Where to 'place' IP Access Lists

An access list can act as a firewall. A firewall filters packets and eliminates unwanted traffic at a destination. Where the administrator places an access list statement can reduce unnecessary traffic: traffic that will be denied at a remote destination should not use network resources along the route to that destination.

* Place standard access lists close to the destination
* Place extended access lists close to the source

Firewall - Router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.

Router> show ip interface

* Command that displays IP interface information and indicates whether any access lists are set. (Monitor Access Lists)

Router> show access-lists

* Command that displays the contents of all access lists. This Cisco IOS command provides more details about the access list statements. By entering the access list name or number as an option for this command, you can see a specific list. (Monitor Access List statements).
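To check what the standard examples in 14.4 and the extended examples in 14.5 actually permit before applying them to a live interface, the following Python model is an added example (not code from the training report or from Cisco IOS). It evaluates a numbered list top-down with first-match semantics and the implicit deny at the end, supports the source/destination wildcards, the `eq`/`neq`/`lt`/`gt` port operators and the `established` keyword described above, and encodes the page's access-list 1 and access-list 101 entries. `ACL_102` is constructed here to show `established` and is not one of the page's examples.

```python
# Added example (not from the training report): a small model of Cisco IOS numbered
# access lists, used to check what the page's standard and extended examples permit.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard match: bits with wildcard 0 must agree, bits with wildcard 1 are ignored."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(address) & care) == (_addr(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"          # ip, tcp, udp, icmp, ...
    dport: Optional[int] = None   # destination port for tcp/udp
    ack: bool = False             # TCP ACK set: 'established' matches only these


@dataclass
class Entry:
    action: str                   # permit or deny
    protocol: str = "ip"          # standard lists: always ip (whole suite)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    operator: Optional[str] = None   # eq, neq, lt, gt applied to the destination port
    port: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not _matches(pkt.src, self.src, self.src_wc):
            return False
        if not _matches(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.operator is not None:
            if pkt.dport is None:
                return False
            ops = {"eq": pkt.dport == self.port, "neq": pkt.dport != self.port,
                   "lt": pkt.dport < self.port, "gt": pkt.dport > self.port}
            if not ops[self.operator]:
                return False
        if self.established and not (pkt.protocol == "tcp" and pkt.ack):
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit 'deny any'."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Standard example (1): access-list 1 permit 172.16.0.0 0.0.255.255
ACL_1 = [Entry("permit", src="172.16.0.0", src_wc="0.0.255.255")]

# Extended example (1): deny FTP control (tcp/21) from 172.16.4.0/24 to 172.16.3.0/24,
# then permit all other IP traffic sourced from 172.16.4.0/24.
ACL_101 = [
    Entry("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", "eq", 21),
    Entry("permit", "ip", "172.16.4.0", "0.0.0.255"),
]

# Constructed for this example (not on the page): only return traffic of TCP sessions
# that were opened from the other side gets through, which is what 'established' is for.
ACL_102 = [Entry("permit", "tcp", established=True)]


if __name__ == "__main__":
    print(evaluate(ACL_1, Packet("172.16.9.1", "10.0.0.1")))                      # permit
    print(evaluate(ACL_101, Packet("172.16.4.5", "172.16.3.9", "tcp", 21)))      # deny
    print(evaluate(ACL_101, Packet("172.16.4.5", "172.16.3.9", "tcp", 80)))      # permit
    print(evaluate(ACL_102, Packet("192.0.2.1", "172.16.4.5", "tcp", 40000, ack=True)))  # permit
```

Note that example (1) of 14.5 only blocks the FTP control channel to 172.16.3.0/24; FTP to any other destination, and the data channel on port 20, still match the `permit ip` line, which is exactly the kind of gap this model makes visible before the list reaches a router.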

Chapter 15

NETWORK ADDRESS TRANSLATION

15.1 Network address translation 15.2 Types of NAT 15.3 Configuration NAT 15.4 Commands for basic NAT

15.1 NETWORK ADDRESS TRANSLATION

NAT is a feature that can be enabled on a router, a firewall or a PC. With NAT, we are able to translate network layer addresses, that is, the IP addresses of packets. With Port Address Translation (PAT), we are also able to translate the port numbers present in the transport layer header.

There are two reasons due to which we use NAT: -

(1) Conserve Live IP address

On the Internet there is a limited number of IP addresses. If our PC wants to communicate on the Internet, it should have a live IP address assigned by our ISP, so the number of IP addresses we request depends on the number of PCs that we want to connect to the Internet. This leads to a lot of wastage of IP addresses. To reduce wastage, we can share live IP addresses between multiple PCs with the help of NAT.

(2) NAT enhances network security by hiding the PCs and devices behind NAT.

15.2 Types of NAT

Static NAT

This NAT is used for servers, in which one live IP is directly mapped to one local IP. This NAT forwards the traffic for the live IP to the local PC in the network.

Figure: Static NAT. The Router sits between the Internet and the local PC; Live 200.1.1.5 = Local 192.168.10.6.

Dynamic NAT

Dynamic NAT is used for clients that want to access the Internet. The requests from multiple client IPs are translated to live IPs obtained from a pool. It is also called pool-based dynamic NAT.

Figure: Dynamic NAT. Pool => 200.1.1.8 - 200.1.1.12/28. The Router translates local addresses 172.16.X.X using the pool, except 172.16.0.5 (Web Server), 172.16.0.6 (DNS) and 172.16.0.7 (Full access), which are mapped statically.

15.3 Configuration NAT

Router#conf ter
Router(config)#int serial 0
Router(config-if)#ip nat outside
Router(config-if)#int eth 0
Router(config-if)#ip nat inside
Router(config-if)#exit

Router(config)#ip nat inside source static 172.16.0.7 200.1.1.3
Router(config)#ip nat inside source static tcp 172.16.0.5 80 200.1.1.4 80
Router(config)#ip nat inside source static udp 172.16.0.6 53 200.1.1.4 53

Router(config)#access-list 30 deny 172.16.0.5
Router(config)#access-list 30 deny 172.16.0.6
Router(config)#access-list 30 deny 172.16.0.7
Router(config)#access-list 30 permit any
Router(config)#ip nat pool abc 200.1.1.8 200.1.1.12 netmask 255.255.255.240
Router(config)#ip nat inside source list 30 pool abc overload

NAT + PAT

15.4 Command for Basic NAT

Router(config)#ip nat inside source list 30 interface seen

To display the NAT translations:

Router#sh ip nat translations

(after pinging any address, it shows the translation details for that ping)

To clear the IP NAT translations:

Router#clear ip nat translation *
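The configuration in 15.3 combines three kinds of translation (a full static mapping, static port mappings, and a dynamic pool with overload that access-list 30 keeps the statically mapped hosts out of). The following Python model is an added example, not code from the training report or from Cisco IOS; it builds a translation table from those commands, applies them in the order IOS does (static before dynamic), and renders the table roughly as `show ip nat translations` would, so the behaviour of each line can be checked offline. The sample packets and the starting port number 1024 are constructed for the example.

```python
# Added example (not from the training report): a model of the NAT table that the
# configuration in section 15.3 builds.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hosts that access-list 30 denies, i.e. excluded from the dynamic pool rule.
INSIDE_EXEMPT: Set[str] = {"172.16.0.5", "172.16.0.6", "172.16.0.7"}


def pool_addresses(first: str, last: str) -> List[str]:
    """ip nat pool abc 200.1.1.8 200.1.1.12: every address from first to last inclusive."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(v)) for v in range(lo, hi + 1)]


@dataclass
class Translation:
    proto: str
    inside_local: str       # ip:port, as 'show ip nat translations' prints it
    inside_global: str


@dataclass
class NatRouter:
    static: Dict[str, str]                                      # inside local ip -> inside global ip
    static_ports: Dict[Tuple[str, str, int], Tuple[str, int]]   # (proto, local ip, port) -> (global ip, port)
    pool: List[str]
    exempt: Set[str]
    next_port: int = 1024                                       # constructed starting point for PAT ports
    table: List[Translation] = field(default_factory=list)

    def translate_outbound(self, proto: str, src: str, sport: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside packet. Static entries win over the dynamic rule; hosts denied
        by access-list 30 get no dynamic translation (None = packet leaves untranslated)."""
        if (proto, src, sport) in self.static_ports:
            gip, gport = self.static_ports[(proto, src, sport)]
        elif src in self.static:
            gip, gport = self.static[src], sport
        elif src in self.exempt:
            return None
        else:
            # overload (PAT): one pool address shared, distinguished by unique ports
            gip, gport = self.pool[0], self.next_port
            self.next_port += 1
        self.table.append(Translation(proto, f"{src}:{sport}", f"{gip}:{gport}"))
        return gip, gport

    def clear_translations(self) -> None:
        """clear ip nat translation *"""
        self.table.clear()


def router_from_section_15_3() -> NatRouter:
    """The static, static-port, pool and access-list 30 lines from section 15.3."""
    return NatRouter(
        static={"172.16.0.7": "200.1.1.3"},
        static_ports={("tcp", "172.16.0.5", 80): ("200.1.1.4", 80),
                      ("udp", "172.16.0.6", 53): ("200.1.1.4", 53)},
        pool=pool_addresses("200.1.1.8", "200.1.1.12"),
        exempt=INSIDE_EXEMPT,
    )


def show_ip_nat_translations(r: NatRouter) -> List[str]:
    """Rough rendering of the 'show ip nat translations' columns."""
    lines = ["Pro  Inside global        Inside local"]
    for t in r.table:
        lines.append(f"{t.proto:<4} {t.inside_global:<20} {t.inside_local}")
    return lines


if __name__ == "__main__":
    r = router_from_section_15_3()
    r.translate_outbound("tcp", "172.16.0.7", 5000)      # full static: keeps its port
    r.translate_outbound("tcp", "172.16.0.5", 80)        # static port mapping
    r.translate_outbound("tcp", "172.16.1.10", 40000)    # dynamic pool with overload
    r.translate_outbound("tcp", "172.16.1.11", 40000)    # same pool ip, next port
    print("\n".join(show_ip_nat_translations(r)))
```

The model makes one consequence of the design explicit: 172.16.0.5 is reachable from outside only on tcp/80 and 172.16.0.6 only on udp/53, and because access-list 30 denies them, any other traffic they originate is not translated at all, which is the intended exposure for a web and a DNS server.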

Chapter 16

IP PHONES

16.1 IP Phones 16.2 Configuration of IP Phones 16.3 Testing of IP Phones

16.1 IP Phones

An IP phone uses voice over IP (VoIP) technologies, allowing telephone calls to be made over an IP network such as the Internet instead of the ordinary PSTN system. Calls can traverse the Internet, or a private IP network such as that of a company. The phones use control protocols such as Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or one of various proprietary protocols such as that used by Skype. VoIP commonly refers to the communication protocols, technologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

Session Initiation Protocol (SIP) is a signaling protocol widely used for controlling communication sessions such as voice and video calls over Internet Protocol (IP). The protocol can be used for creating, modifying and terminating two-party (unicast) or multiparty (multicast) sessions. Sessions may consist of one or several media streams.

Fig. 16.1

Skinny Client Control Protocol (SCCP) is a proprietary network terminal control protocol. SCCP is a lightweight protocol for session signaling with Cisco CallManager. Examples of SCCP clients include the Cisco 7900 series of IP phones, the Cisco IP Communicator softphone and the Cisco Unity voicemail server. CallManager acts as a signaling proxy for call events initiated over other common protocols such as Session Initiation Protocol (SIP) and ISDN. An SCCP client uses TCP/IP to communicate with one or more CallManager applications in a cluster. It uses the Real-time Transport Protocol (RTP) over UDP transport for the bearer traffic (the real-time audio stream).

16.2 Configuration of IP Phones

First you need to set up the following topology of IP phones / analog phones, but connect the phones to power one by one only after finishing the configuration:

Next you will need to configure your switch with the following commands:

Switch(config)#interface range fa0/1 - 5
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport voice vlan 1

Then we need to configure our router to provide IP addresses to the IP phones and to set the calling numbers for the phones. We will use CME (Call Manager Express), which is embedded in the router IOS itself.

Router(config)#int fa 0/0
Router(config-if)#ip add 192.168.10.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#ip dhcp pool voicelab
Router(dhcp-config)#network 192.168.10.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.10.1
Router(dhcp-config)#option 150 ip 192.168.10.1
Router(dhcp-config)#exit

(Cisco recommends using option 150 rather than option 66 to give the TFTP address to the IP phones: option 66 only allows one host, while option 150 can contain more than one IP address, which can be used for TFTP redundancy.)

Router(config)#telephony-service
Router(config-telephony)#max-dn 5
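The note above about option 66 versus option 150 comes down to how the two options are encoded in the DHCP reply. The following Python code is an added example, not part of the training report or of Cisco's software; it builds and parses the two options in their type/length/value form (option 66 as a single string per RFC 2132, option 150 as a list of 4-byte IPv4 addresses per RFC 5859) so the redundancy difference is visible byte by byte. The 192.168.10.x server addresses follow the pool above; the second TFTP address is constructed.

```python
# Added example (not from the training report): how DHCP option 66 and option 150
# are carried on the wire, and what an IP phone can learn from each.
import ipaddress
from typing import List, Tuple

OPT_TFTP_SERVER_NAME = 66   # RFC 2132: one server name (or address) as a string
OPT_CISCO_TFTP_LIST = 150   # RFC 5859: one or more IPv4 addresses, 4 bytes each
OPT_END = 255               # end-of-options marker


def encode_option_66(server: str) -> bytes:
    """Option 66 carries exactly one string; a second server cannot be expressed."""
    data = server.encode("ascii")
    return bytes([OPT_TFTP_SERVER_NAME, len(data)]) + data


def encode_option_150(servers: List[str]) -> bytes:
    """Option 150 carries a list of IPv4 addresses; the phone tries them in order."""
    data = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes([OPT_CISCO_TFTP_LIST, len(data)]) + data


def decode_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a type/length/value option string until the end marker (255)."""
    out, i = [], 0
    while i < len(blob) and blob[i] != OPT_END:
        code, length = blob[i], blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def tftp_servers_from_options(blob: bytes) -> List[str]:
    """Collect every TFTP server the options name: all addresses from option 150,
    the single value from option 66."""
    servers: List[str] = []
    for code, value in decode_options(blob):
        if code == OPT_CISCO_TFTP_LIST:
            servers += [str(ipaddress.IPv4Address(value[i:i + 4]))
                        for i in range(0, len(value), 4)]
        elif code == OPT_TFTP_SERVER_NAME:
            servers.append(value.decode("ascii"))
    return servers


if __name__ == "__main__":
    # Constructed reply: the pool's TFTP address plus a second, redundant one.
    reply = encode_option_150(["192.168.10.1", "192.168.10.2"]) + bytes([OPT_END])
    print(reply.hex())
    print(tftp_servers_from_options(reply))      # ['192.168.10.1', '192.168.10.2']
    print(tftp_servers_from_options(encode_option_66("192.168.10.1") + bytes([OPT_END])))
```

The decoder above does not handle the one-byte pad option (0), which real DHCP parsers must skip; it is omitted to keep the TLV walk readable.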