STP Port States / RSTP Port States: Disabled Discarding, Blocking Discarding, Listening...
1. "Broadcast Domain" and "Collision Domain";
2. What are DTE and DCE?
The DTE and DCE concepts let us classify the devices on a network by their function. DTE devices are usually end-user devices; PCs, printers and routers, for example, are DTE devices. DCE devices are the modems, multiplexers and similar equipment that DTEs use to reach the service providers' networks. DCEs supply the clock signal to the DTEs.
3. What is a CSU/DSU?
CSU and DSU modems are used to convert the data frames used on local area networks into wide area network frames, or wide area network frames into local area network frames.
A CSU/DSU converts the digital signals from a router for a leased line; a modem converts the digital signals from a router for a phone line.
NOTE: Different VLANs form different broadcast domains.
NOTE: A problem at the Physical Layer is caused by cabling or power.
IPv4 Address
IP address classes:
Class A: 0.0.0.0 - 127.255.255.255
Class B: 128.0.0.0 - 191.255.255.255
Class C: 192.0.0.0 - 223.255.255.255
Class D: 224.0.0.0 - 239.255.255.255
Class E: 240.0.0.0 - 255.255.255.255
MAC Address
It consists of 6 octets. The first 3 octets are specific to the manufacturer; this part is called the Organizationally Unique Identifier (OUI). The next 3 octets are assigned by the manufacturer to the devices it produces; this part is called the Network Interface Controller (NIC).
Layers
OSI Layer        | TCP/IP Layer   | PDU
7. Application   | Application    | Data
6. Presentation  | Application    | Data
5. Session       | Application    | Data
4. Transport     | Transport      | Segment
3. Network       | Internet       | Packet
2. Data Link     | Network Access | Frame
1. Physical      | Network Access | Bits
NOTE: The parts added to the packet at each layer are as follows.
Layer 7 – Application – Application Data
Layer 6 – Presentation – Formatting Data
Layer 5 – Session – Control Data
Layer 4 – Transport – Source and Destination Service - Port Numbers
Layer 3 – Network – Source and Destination Logical Addresses – IP addresses
Layer 2 – Data Link – Source and Destination Physical Addresses – MAC addresses
Layer 1 – Physical – Encoding, Timing and Bit Sequence
Application Layer
The most common Application Layer protocols are HTTP, SMTP, FTP, SSH, TELNET, DNS, DHCP and POP.
Transport Layer
Its two main protocols are UDP and TCP.
Differences between UDP and TCP:
UDP is fast
TCP has more overhead
UDP does not establish a connection
TCP has flow control
Important port numbers at Layer 4:
HTTP 80
Telnet 23
FTP 20,21
SSH 22
SMTP 25
DNS 53
POP 110
Well Known Ports 0-1023
Registered Ports 1024-49151
Dynamic Ports 49152-65535
Network Layer
The most common Network Layer protocols are IPv4, IPv6, ICMP and IPsec.
Classless Inter-Domain Routing (CIDR)
If VLSM (Variable Length Subnet Masking) is used while assigning IP addresses, this scheme is called CIDR.
VLSM lets us use a different subnet mask for each subnet.
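As an added example (not part of the original notes): a VLSM allocator that carves one block into subnets sized for each host requirement, largest first, and also reports the wildcard mask each subnet would need in a `network` statement. The block and the host counts are constructed sample input.

```python
import ipaddress
import math


def vlsm_allocate(block, host_counts):
    """Carve `block` into one subnet per host requirement (VLSM).

    Requirements are served largest first so that every subnet stays aligned
    to its own size. Returns a list of dicts with the subnet, its usable host
    count and the wildcard mask (the inverse of the subnet mask, as used in
    Cisco `network` statements).
    """
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    result = []
    for hosts in sorted(host_counts, reverse=True):
        # the network and broadcast addresses are not usable, hence +2
        host_bits = math.ceil(math.log2(hosts + 2))
        size = 1 << host_bits
        if cursor + size > end:
            raise ValueError(f"not enough space in {block} for {hosts} hosts")
        subnet = ipaddress.ip_network((cursor, 32 - host_bits))
        result.append({
            "requested": hosts,
            "subnet": str(subnet),
            "usable_hosts": size - 2,
            "wildcard": str(subnet.hostmask),
        })
        cursor += size
    return result


if __name__ == "__main__":
    # constructed sample: four departments inside one /24
    for entry in vlsm_allocate("192.168.1.0/24", [60, 30, 10, 2]):
        print(entry)
```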
Data Link Layer
Ethernet, Token Ring, FDDI and 802.11 (wireless) are called "data link layer technologies".
The data link layer is composed of 2 sublayers: LLC (Logical Link Control) and MAC (Media Access Control).
LLC: Logical link control refers to the functions required for the establishment and control of logical links between local devices on a network.
MAC: Since many networks use a shared medium, it is necessary to have rules for managing the medium to avoid conflicts. For instance, Ethernet uses the CSMA/CD method of media access control, while Token Ring uses token passing.
The data link layer is also responsible for:
Data framing
Addressing (MAC addressing)
Error detection and handling (CRC)
NOTE: Some of the most popular technologies and protocols generally associated with Layer 2 are Ethernet, Token Ring, FDDI (plus CDDI), HomePNA, IEEE 802.11 (Wi-Fi), ATM, Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP).
NOTE: Topologies (star, ring, mesh, bus, point-to-point, ...) belong to the Link Layer.
Physical Layer
Copper media, fiber media, wireless media.
NOTE: DTEs are host devices. DCEs are network devices, that is, any device that stands between two host devices.
NOTE: Coaxial cables like 10Base2 (Thinnet), and the predominant Fast Ethernet and Gigabit Ethernet using Cat5e.
Router
A router has 4 different kinds of memory. These are:
ROM (POST, bootstrap, ROMMON)
Flash (IOS)
NVRAM (configuration file)
SDRAM (running-config, routing table, IOS)
While the router is starting, these processes are carried out:
- POST
- Bootstrap
- Load the IOS
o The router checks Flash, TFTP and ROM for an IOS image, in that order.
- Load the startup-config
o The router checks NVRAM, TFTP and finally setup mode, in that order.
NOTE:
ROMMON = a low-level operating system, used for disaster recovery and password recovery.
Bootstrap = brings the router up. It reads the configuration register in NVRAM and helps decide how the router will be booted.
POST = Power-On Self Test. It tests the basic functions of the router and which hardware components are recognised.
Routing
NOTE: Typically, distance vector routing protocols like RIPv1, RIPv2 and IGRP do not converge networks as quickly as link state routing protocols like OSPF and IS-IS.
CCNA Routing Protocols
Static Routing
Two methods exist: one specifies the next-hop router's IP address, the other the local router's exit interface.
R1(config)#ip route <destination network> <subnet mask> <next hop router address>
R1(config)#ip route <destination network> <subnet mask> <local router exit interface>
NOTE: If we want to forward requests coming from all routers rather than only between specific routers:
R1(config)#ip route 0.0.0.0 0.0.0.0 <next hop router IP address>
R1(config)#ip route 0.0.0.0 0.0.0.0 <exit interface>
CDP (Cisco Discovery Protocol)
Used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.
To display information about the devices it is connected to:
R1#show cdp entry
R1#show cdp interface
R1#show cdp neighbor
NOTE: To enable or disable CDP, enter configuration mode and use the "cdp run" or "no cdp run" commands.
RIP
RIP V1
RIP v1 routing characteristics are:
- Classful routing
- Periodic and triggered updates
- Hop count (16 hops is the limit; RIP cannot deliver packets that need more than 16 hops)
- RIP avoids loops using the hold-down timer, the split horizon rule and TTL.
- RIP uses UDP port 520
- RIP can load balance between 4 equal-cost routes.
RIP V1 config;
router(config)#router rip //to activate RIP
router(config-router)#network <network ip address> //to add a participating network
NOTE: Basic RIP commands:
router(config-router)#passive-interface <interface type> <interface number> //to stop RIP from sending updates out of an interface
router#show running-config //to verify your configuration
router#show ip route //to verify your routing table
router#show ip protocols //to verify your RIP configuration
router#copy running-config startup-config //to save your configuration
router#debug ip rip
RIP V2
RIP v2 routing characteristics are:
- It also sends the subnet mask and the next-hop address
- It is classless
Similarities between RIP V1 and RIP V2
- Auto Summarizes
- Distance vector protocol
- Hop count
Differences between RIP V1 and RIP V2
- RIP v1 is classful (does not support VLSM and CIDR)
- RIP v1 sends its updates to 255.255.255.255, RIP v2 to the multicast address 224.0.0.9
- An important point to remember is the difference in sending and receiving version updates. RIPv1 sends version 1 updates and receives both version 1 and 2 updates, but will ignore the version 2 updates. RIPv2 sends and receives only version 2 updates.
- RIP v2 has authentication. (RIP v2 supports authentication.)
- The addressing type is broadcast in RIP-1 and multicast in RIP-2.
RIP V2 Configuration
- router(config)#router rip
- router(config-router)#version 2
- router(config-router)#no auto-summary
- router(config-router)#network <network address>
NOTE: For example, when Router 1 sends Router 2 an update containing 172.16.5.0, the router converts 172.16.5.0/24 to 172.16.0.0/16. This is called auto-summarization. To support discontiguous networks, automatic summarization must be disabled.
EIGRP
Enhanced Interior Gateway Routing Protocol or EIGRP is Cisco's proprietary Distance Vector routing
protocol that replaced the earlier IGRP routing protocol.
Administrative Distance Values for Different Routing Protocols
Improvements of EIGRP
- EIGRP supports VLSM & CIDR
- EIGRP guarantees loop-free paths using DUAL
- No periodic updates like RIP. EIGRP only sends information when there is a change in the network. That provides faster convergence.
- Unequal cost load balancing (it can load balance across paths of different cost)
EIGRP has 3 different tables. These are:
Routing Table
Neighbor Table
Topology Table
EIGRP configuration
router(config)# router eigrp <AS-number> [any number can be chosen; it must be the same on all routers that are to communicate]
router(config-router)# network <network-number> <wildcard-mask>
router(config-router)# no auto-summary
router(config-router)# redistribute static
router(config-router)#passive-interface <interface>
NOTE:
The auto-summary feature removes the need to send the wildcard (if this command is entered, the network's wildcard does not need to be written).
The redistribute static command will propagate all static routes, including the default route, to all other EIGRP routers.
The passive-interface command can be used to stop EIGRP packets from being sent out of a network interface where there are no other EIGRP routers present.
Basic EIGRP commands
show ip eigrp interfaces    IP-EIGRP interfaces
show ip eigrp neighbors     IP-EIGRP neighbors
show ip eigrp topology      IP-EIGRP topology table
show ip eigrp traffic       IP-EIGRP traffic statistics
Link State Protocols
Link State Characteristics
Link-state routing protocols use SPF.
Cost metric: the SPF algorithm finds the shortest path based on a cost metric.
Link-state routing protocols establish connections with neighboring routers using hello packets.
Link-state routing protocols build and maintain a complete map or topology of the network area (topology or SPF tree).
Disadvantages of Link State
Greater Processing Requirements (power and memory)
Greater Administrator Knowledge
OSPF
A classless routing protocol that uses the Shortest Path First (SPF) algorithm to calculate the best path.
NOTE: OSPF has some similarities to EIGRP, especially in regards to configuration, like requiring a process-id number, using wildcard bits for the subnet mask, hello packets, neighbor relationships or adjacencies, triggered updates, and the use of multiple tables like the neighbor and topology tables.
Features of OSPF
- Uses the SPF algorithm
- Uses a metric based on the bandwidth of the link
- Process ID number (local to the router)
- Uses wildcards
- Area number (which must be the same on the other connected routers)
- Hello packets every 10 seconds
- Dead interval 40 seconds
- Multiple tables, like EIGRP
Configuration of OSPF
router(config)# router ospf <process-id>
router(config-router)# network <network-number> <wildcard-mask> area <area-number>
router(config-router)# router-id <ip-address>
router(config-router)# passive-interface <interface-number>
Basic OSPF commands
- "show ip ospf" displays one or all of the OSPF processes running on the router.
- "show ip ospf interface brief" checks whether our network statements are correct.
- "show ip route ospf" displays the contents of the OSPF routing table.
- "show ip ospf interface <interface>" gives detailed output about OSPF running on that interface.
- "debug ip ospf events"
- "debug ip ospf packet"
Port Security
1. interface <interface> [enter the interface where security is to be applied]
2. switchport mode (access / trunk)
3. switchport port-security
4. switchport port-security maximum <number> [sets how many different MACs may appear on this interface]
5. switchport port-security violation (shutdown / restrict / protect)
To STATICALLY allow only a specific MAC:
6. switchport port-security mac-address <mac address>
DYNAMICALLY:
7. switchport port-security mac-address sticky [with sticky there is no need to enter the MAC, but at this point the maximum above matters]
Protect: discards the traffic but keeps the port up and does not send an SNMP message.
Restrict: discards the traffic and sends an SNMP message, but keeps the port up.
Shutdown: discards the traffic, sends an SNMP message and disables the port. (This is the default behaviour if no setting is specified.)
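Added example (not from the notes, not Cisco code): a small Python model of the port-security behaviour just listed. It learns source MACs up to the configured maximum and then applies the violation mode to any further MAC, so the difference between protect (silent drop), restrict (drop plus SNMP trap and counter) and shutdown (port err-disabled) can be checked on sample frames; the MAC addresses are constructed.

```python
class SecuredPort:
    """Simulation of `switchport port-security` on one access port.

    Secure MACs are the statically configured ones plus those learned until
    `maximum` is reached. A frame from any other MAC is a violation handled
    according to the configured mode: protect, restrict or shutdown.
    """
    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", static_macs=()):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = {mac.lower() for mac in static_macs}
        self.err_disabled = False     # set by shutdown mode
        self.violation_count = 0      # the counter shown by `show port-security`
        self.snmp_traps = []          # messages that restrict/shutdown would send

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with source src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # port stays down until an admin clears it
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)           # dynamic (or sticky) learning
            return "forward"
        # more MACs than allowed: this frame is a violation
        if self.violation == "protect":
            return "drop"                       # silent: no trap, no counter
        self.violation_count += 1
        self.snmp_traps.append(f"port-security violation from {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True            # port goes err-disabled (the default mode)
        return "drop"

    def clear(self):
        """Admin recovery (`shutdown` / `no shutdown` on the interface)."""
        self.err_disabled = False


if __name__ == "__main__":
    port = SecuredPort(maximum=2, violation="shutdown")
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):
        print(mac, port.receive(mac), "err-disabled" if port.err_disabled else "")
```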
TELNET and SSH Connection
Telnet
1. hostname <name>
2. username <name> password <pass> [for remote access]
3. enable secret <secret password> [without this, telnet access works but enable mode cannot be entered]
4. login local (to ask for the password)
5. line vty 0 4
SSH
1. hostname <name>
2. ip domain-name <domain name>
3. crypto key generate rsa
4. modulus size: 360-2048
5. username <name> password <pass>
6. line vty 0 4
7. login local (to ask for the password)
8. transport input ssh / telnet (which kind of connection is allowed)
9. ip ssh time-out <seconds> [password time-out period]
10. ip ssh authentication-retries <count> [password retries]
NOTE: After the configuration is done, to connect from one router to another by SSH:
telnet <ip address>
ssh -l <username> <ip address>
DTP
Uses trunk advertisements between switches. Auto-negotiates a switchport to either an access or a trunk link.
There are four switchport modes:
Access
Trunk
Dynamic Auto
Dynamic Desirable
NOTE: When DTP is enabled by default on a switch, the default switchport mode is Dynamic Auto. The following chart shows how the link will auto-negotiate when DTP is enabled on both switches and different DTP modes are configured.
VTP
VLAN Trunking Protocol allows switches to share VLAN information dynamically. This way an administrator only needs to change VLAN information on one switch and it will automatically propagate to the other switches in the VTP domain.
NOTE:
For VTP to begin functioning, the participating switches must be configured with the same VTP domain name.
VTP advertisements are sent every 5 minutes by default, or when there is a change.
VTP Modes
Server Mode
Client Mode
Transparent Mode
STP (Spanning Tree Protocol)
STP is used to prevent Layer 2 switching loops and Layer 2 broadcast storms. STP is necessary in big networks. At Layer 3 there is a TTL; since there is no TTL at Layer 2, STP is used. The Spanning Tree Algorithm (STA) calculates the costs of all the paths in the network starting from the root bridge. The root bridge is determined by an election process in which the switch with the lowest bridge ID (BID) is elected root bridge.
NOTE: STP is recalculated when there is a change in the network.
NOTE: IEEE 802.1D is the other name of the STP protocol.
STP solves this problem by automatically blocking redundant or duplicate paths (ports) from switch to switch, thus closing the loops. The root bridge is at the top of the spanning tree.
As the link speed increases, the STP cost decreases.
PVSTP (Per VLAN Spanning Tree Protocol)
Allows a separate spanning tree for each VLAN. By creating a separate spanning tree for each VLAN, data traffic from the different VLANs can take different paths across the network.
RSTP (Rapid Spanning Tree Protocol)
RSTP is an enhancement of the original STP. RSTP is an IEEE open implementation. Rapid-PVST+ is a special RSTP used only on Cisco devices. Network convergence of RSTP after a link failure is much better than that of STP. First, the ROOT device is determined; this device acts as the brain. When selecting the root device, the "priority value" is compared first, then the "MAC" addresses.
NOTE: In both STP and RSTP, alternative paths are determined with the help of BPDU packets.
Differences Between STP and RSTP
Reconvergence time (RSTP > STP)
RSTP extends the STP port roles by adding the alternate and backup roles. BPDU packets are more active in RSTP.
NOTE: In STP path calculations, Fast Ethernet carries a cost of 19 and Gigabit Ethernet a cost of 4.
STP port state   | RSTP port state
Disabled         | Discarding
Blocking         | Discarding
Listening        | Discarding
Learning         | Learning
Forwarding       | Forwarding
Port roles in detail
Root Port: the port of a device that faces the root bridge.
Designated Port: the port that sends data in the direction of the root bridge. (Path cost is important in determining the designated port.)
Alternate Port: a port that is blocked because a more suitable port exists on another device.
Backup Port: a port that is blocked because a more suitable port exists on the same device.
NOT: RSTP provides a faster transition to the forwarding state on p2p links than STP does.
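An added example (not from the notes) that puts the two rules above into code: the switch with the lowest bridge ID (priority, then MAC) becomes root, and every other switch's root port is the one on the cheapest path to it, using the Fast Ethernet 19 / Gigabit Ethernet 4 costs from the note. The three-switch topology in SWITCHES and LINKS is constructed sample input.

```python
import heapq

# STP port costs stated in the notes above
PORT_COST = {"FastEthernet": 19, "GigabitEthernet": 4}

# constructed topology: SW1 has the lowest priority, SW2 and SW3 tie on priority
SWITCHES = {
    "SW1": {"priority": 4096, "mac": "00:00:00:00:00:01"},
    "SW2": {"priority": 32768, "mac": "00:00:00:00:00:02"},
    "SW3": {"priority": 32768, "mac": "00:00:00:00:00:03"},
}
LINKS = [
    ("SW1", "SW2", "GigabitEthernet"),
    ("SW2", "SW3", "GigabitEthernet"),
    ("SW1", "SW3", "FastEthernet"),   # the slow direct link SW3 will block
]


def bridge_id(switch):
    """Bridge ID ordering: priority first, then MAC address (lower wins)."""
    return (switch["priority"], switch["mac"].lower())


def elect_root(switches):
    """switches: dict name -> {"priority": int, "mac": str}. Lowest BID is root."""
    return min(switches, key=lambda name: bridge_id(switches[name]))


def root_path_costs(switches, links, root):
    """Dijkstra from the root over the switch topology.

    Returns a dict name -> (cost to root, neighbor on the root port); the
    neighbor is the switch that the root port faces. Equal-cost ties are
    broken by the lower neighbor bridge ID, as STP does.
    """
    graph = {name: [] for name in switches}
    for a, b, kind in links:
        graph[a].append((b, PORT_COST[kind]))
        graph[b].append((a, PORT_COST[kind]))
    best = {root: (0, None)}
    heap = [(0, bridge_id(switches[root]), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for neighbor, link_cost in graph[node]:
            candidate = cost + link_cost
            current = best.get(neighbor)
            better = (
                current is None
                or candidate < current[0]
                or (candidate == current[0]
                    and bridge_id(switches[node]) < bridge_id(switches[current[1]]))
            )
            if better:
                best[neighbor] = (candidate, node)
                heapq.heappush(heap, (candidate, bridge_id(switches[neighbor]), neighbor))
    return best


if __name__ == "__main__":
    root = elect_root(SWITCHES)
    print("root bridge:", root)
    for name, (cost, via) in sorted(root_path_costs(SWITCHES, LINKS, root).items()):
        print(f"{name}: root path cost {cost}, root port faces {via}")
```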
Benefits of VLAN
A higher level of network security, by separating sensitive data traffic
Efficient use of bandwidth for different networks that use the same infrastructure
Reducing broadcast storms by increasing the number of broadcast domains
VLAN Configuration
VLAN
1. Enter the switch's configuration mode
2. #vlan <vlan number>
3. #name <vlan name>
4. #interface <interface type> <interface number> [select the interface to assign the created VLAN to the chosen device]
5. #switchport mode (access / trunk)
6. #switchport access vlan <vlan number> [this step does not exist for trunk]
7. To give the VLANs IP addresses, the router interface is divided into sub-interfaces.
8. #interface fastethernet <router interface no. 1-2-3...> [e.g. 0/0.1]
9. #encapsulation dot1Q <vlan no>
10. #ip address <IP address> <subnet mask>
VLAN DHCP Configuration
To assign IP addresses with DHCP to the devices in a specific VLAN:
1. #ip dhcp pool vlan<vlan number>
2. #network <network IP of the devices that will receive addresses> <subnet mask>
3. #default-router <gateway address>
4. #dns-server <server IP>
VLAN
VLANs work at Layer 2. VLANs support effective bandwidth utilization, increasing bandwidth and security.
For a switch or router to recognise VLANs, a method called VLAN tagging is used. The switch that a packet arrives at looks at the packet's VLAN identity and decides what must be done with the packet. Different tagging methods are used to identify which packet belongs to which VLAN: ISL and 802.1Q. Both are used for multiple VLANs over a single link.
NOTE: Normal switches can operate without VLANs.
NOTE: The "show vlan" command only shows access ports; for trunk ports, "show interface trunk" or "show interface switchport" must be used.
The native VLAN is used for untagged traffic.
ISL (Inter Switch Link)
It is an encapsulation standard. This protocol works only on Cisco devices. Works at Layer 2. It has a 26-byte header, 15 of which are used for the VLAN identifier. Can support 100 VLANs.
802.1Q
It determines the VLAN identity by means of bits placed inside Ethernet frames. The 802.1Q standard was developed to meet the need to divide the large networks that arise with VLAN usage into smaller, manageable parts. 802.1Q is used to prevent loops in a Layer 2 network. It is the alternative to ISL. 802.1Q is an open standard. Its features:
4096 VLANs can be supported
802.1Q trunks support tagged and untagged Ethernet frames. In 802.1Q trunking, all VLAN packets are tagged on the trunk link; the native VLAN is untagged.
It has a 4-byte VLAN identifier field, without encapsulation.
The space allotted to the target frame is smaller.
In 802.1Q, the FCS is recomputed after the 4-byte tag is inserted. (It modifies the 802.3 frame header and thus requires that the FCS be recomputed.)
802.1Q native VLAN frames are untagged by default.
802.1Q trunks can use 10 Mb/s Ethernet interfaces.
802.1Q trunks should have native VLANs that are the same at both ends.
NOTE: 802.1Q and ISL are subtypes of trunking protocol. With both of them, more than one VLAN can be carried over a single link.
The 802.1Q VLAN identifier (4 bytes) is smaller than ISL's (26 bytes).
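Added example (not from the notes): building and parsing the 4-byte 802.1Q tag described above with Python's struct module. The tag sits between the source MAC and the EtherType: TPID 0x8100, then a 16-bit TCI holding 3 bits of priority (PCP), the DEI bit and the 12-bit VLAN ID. Frames that carry no tag are assigned to the trunk's native VLAN, which is why the native VLAN has to match at both ends; the MACs and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given.

    The FCS is not appended here; on a real trunk it is recomputed after the
    tag is inserted, as the notes state.
    """
    frame = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Return the VLAN the frame belongs to together with its fields.

    Untagged frames (no TPID 0x8100 after the MACs) belong to the trunk's
    native VLAN. A tag with VID 0 carries only a priority and is treated the
    same way.
    """
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tagged, pcp, dei, vid, body = False, 0, 0, None, frame[14:]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tagged = True
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        body = frame[18:]
    vlan = vid if tagged and vid != 0 else native_vlan
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": tagged, "vlan": vlan,
            "pcp": pcp, "dei": dei, "ethertype": ethertype, "payload": body}


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, b"\x45\x00", vlan_id=10, pcp=5)
    print(tagged.hex(), parse_frame(tagged))
    print(parse_frame(build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00"), native_vlan=99))
```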
WAN
Circuit switched networks: PSTN (analog), ISDN (digital)
Packet switched networks: X.25, Frame Relay, MPLS
Cell switched: ATM
Dedicated line networks: PPP (T1/E1)
Public Internet networks: DSL, Cable, Wireless
WAN protocols operate at Layer 1 and Layer 2. When we talk about WAN protocols we are talking about Layer 2 encapsulation and framing.
WAN links are typically point-to-point connections, so the frames do not have source and destination addresses in the header like Ethernet frames do.
A WAN device is typically a modem or a CSU/DSU. A DCE is also a WAN device.
6. WAN Technologies
PPP is also a WAN technology.
6.1. Metro Ethernet
Provides p2p and multipoint connections. The most scalable transport technology. Starts at 10 Mbps and goes up to 40 Gbps.
Methods for transporting Ethernet over a metro network are:
Ethernet over dark fiber
Ethernet over SONET
SDH networks
Ethernet using Resilient Packet Ring (RPR) technology
6.2. VSAT
Provides two-way broadband satellite connectivity. Generally used for backup connections. A VSAT is composed of 2 main units: the indoor and outdoor units. The ODU is the dish antenna; the IDU is the transmitter and receiver.
6.3. MPLS
MPLS is switching that imposes labels (numbers) on packets, then uses them for forwarding. Labels usually correspond to a path to Layer 3 destination addresses. Nowadays Frame Relay networks are being replaced with MPLS.
6.4. ISDN
Integrated Services Digital Network (ISDN) is a set of digital services that transmit voice and data over existing phone lines. It is a cost-effective solution for high-speed remote users. ISDN is also a good backup for other types of link such as Frame Relay or T1.
6.5. DSL
It works over twisted-pair copper telephone wires. The speed range is limited by line length and quality. DSL is not an end-to-end solution; it is a physical layer transmission technology like dial-up, cable or wireless. The connection is set up between the CPE (modem) and the DSLAM.
6.6. Frame Relay
Frame Relay is a packet switching technology. It is a high-performance data link and physical layer specification. It is the successor of X.25. Frame Relay is more cost-effective than p2p connections. Frame Relay speeds range between 64 Kbps and 45 Mbps. Frame Relay supports dynamic bandwidth allocation and congestion control.
6.7. Cable
Provides access to a data signal sent over cable television infrastructure. The advantage is using bandwidth on the cable television network that is otherwise unused. Speeds range between 3 Mbps and 30 Mbps.
6.8. VPN
An Internet-based solution. Security is the most important thing. VPN provides us a cost-effective and high-bandwidth solution.
7. WAN Configurations
7.1. High-Level Data Link Control Protocol (HDLC)
HDLC is a data link layer protocol.
It is an encapsulation method for data on synchronous serial data links, using frame characters and checksums.
A P2P protocol used on leased lines.
No authentication can be used with HDLC.
Cisco routers use HDLC by default for synchronous serial links.
Configuration of HDLC
NOTE: To use HDLC, both routers must be Cisco.
1. Select the interface where HDLC will be applied: Router(config)# int s0
2. Router(config-if)# encapsulation hdlc
PPP
PPP is a Layer 2 WAN protocol. PPP can be used over Dial-Up, ISDN, leased lines (e.g. T1 & E1), Frame Relay, DSL (PPPoE) and ATM (PPPoA). The speed of PPP is limited only by the DTE and DCE interface connections it uses. PPP supports authentication, encryption and compression.
PPP uses (is composed of) LCP and NCPs.
NCP: used to negotiate options for a network layer protocol. NCP is used to negotiate which upper layer protocols will run over a connection and negotiates their addressing.
LCP: the Link Control Protocol handles link setup and termination as well as most of the configuration options, including authentication, compression, error detection and multilink (load balancing).
LCP is responsible for:
Authentication: CHAP and PAP. CHAP is more secure than PAP. PAP uses clear text, CHAP uses encrypted text.
Compression: PPP supports the stacker and predictor compression modes.
Error detection: reports the quality of the serial link.
Multilink: PPP can be configured to load balance across multiple serial interfaces for greater bandwidth.
NOTE:
For serial connections, Cisco routers by default use Cisco's version of the HDLC protocol (Cisco-HDLC), but if you are going to connect to a non-Cisco router it is recommended to use the PPP protocol and frame encapsulation.
PPP provides error detection & error correction.
CHAP uses a three-way handshake.
CHAP authentication occurs periodically.
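Added example (not from the notes, and not Cisco's implementation): a simulation of the CHAP three-way handshake in Python. The authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge) as CHAP defines it, and the authenticator recomputes that value from the secret stored for the username, so the secret itself never crosses the link. A `wire` list records what each message carries, and a PAP exchange is included for contrast; usernames and secrets are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP MD5 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that challenges. `peers` mirrors the `username X password Y` entries."""

    def __init__(self, peers):
        self.peers = dict(peers)

    def verify(self, identifier, challenge, username, response):
        secret = self.peers.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

    def verify_pap(self, username, password):
        secret = self.peers.get(username)
        return secret is not None and hmac.compare_digest(secret, password)


class Peer:
    """The router being authenticated; it knows its own username and secret."""

    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, identifier, challenge):
        return self.username, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator, peer, identifier=1, challenge=None):
    """One CHAP exchange; returns (success, wire) where wire lists what was sent."""
    challenge = challenge or os.urandom(16)
    wire = [("Challenge", identifier, challenge)]                 # 1: authenticator -> peer
    username, response = peer.respond(identifier, challenge)
    wire.append(("Response", identifier, username, response))     # 2: peer -> authenticator
    ok = authenticator.verify(identifier, challenge, username, response)
    wire.append(("Success" if ok else "Failure", identifier))     # 3: authenticator -> peer
    return ok, wire


def run_pap(authenticator, peer):
    """PAP: the peer simply sends its username and password in clear text."""
    wire = [("Authenticate-Request", peer.username, peer.secret)]
    ok = authenticator.verify_pap(peer.username, peer.secret)
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak",))
    return ok, wire


def secret_on_wire(wire, secret):
    """True if the shared secret appears verbatim in any transmitted field."""
    return any(field == secret for message in wire for field in message)


if __name__ == "__main__":
    r1 = Authenticator({"R2": b"s3cret"})  # R1's `username R2 password s3cret`
    ok, wire = run_chap(r1, Peer("R2", b"s3cret"))
    print("CHAP:", ok, "secret on wire:", secret_on_wire(wire, b"s3cret"))
    ok, wire = run_pap(r1, Peer("R2", b"s3cret"))
    print("PAP: ", ok, "secret on wire:", secret_on_wire(wire, b"s3cret"))
```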
Configuration of PPP
PAP Configuration
1. IP addresses are assigned according to the network architecture that was built.
2. The necessary routing is configured, dynamically or statically.
3. One of the routers for the point-to-point connection is selected (e.g. R1).
#username <the other end's username> password <password>
4. The interface that connects to the other end is selected.
#int s1/1
5. The encapsulation commands required for PPP are entered.
#encapsulation ppp
#ppp authentication pap
#ppp pap sent-username <own username> password <assigned password>
6. The same is done on the other router.
CHAP Configuration
1. IP addresses are assigned according to the network architecture that was built.
2. The necessary routing is configured, dynamically or statically.
3. One of the routers for the point-to-point connection is selected (e.g. R1).
#username <the other end's username> password <password>
4. The interface that connects to the other end is selected.
#int s1/1
5. The encapsulation commands required for PPP are entered.
#encapsulation ppp
#ppp authentication chap
6. The same is done on the other router.
Frame Relay
Frame Relay uses virtual circuits:
o Switched Virtual Circuits (SVCs): temporary connections; SVC connections require call setup and termination for each connection.
o Permanent Virtual Circuits (PVCs) to interconnect routers across the WAN.
Unlike with LANs, you cannot send a data link layer broadcast over Frame Relay. Therefore, Frame Relay networks are called nonbroadcast multiaccess (NBMA) networks. The root of Frame Relay is X.25.
Frame Relay provides no error recovery mechanism. It only provides CRC error detection.
CIR (Committed Information Rate), however, is a speed that is guaranteed in Frame Relay. Traffic exceeding it is marked as Discard Eligible.
The "Frame Relay switch" is a DCE device.
In Frame Relay, a separate sub-interface for each PVC has a unique DLCI.
Frame Relay uses something called LMI (Local Management Interface). LMI has two functions:
It is a keepalive mechanism.
It tells us if the PVC is active or inactive.
It also gives us a DLCI (Data Link Connection Identifier).
LMI types:
Cisco
ANSI
Q933A
Frame Relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The identifiers have local meaning only, which means that their values are unique per router.
Frame Relay uses the DLCI (Data Link Connection Identifier) at the data link layer.
Split horizon prevents routing updates from being sent back out the same interface on which they were received.
Routers (DLCIs) that communicate over Frame Relay should be in the same network.
The Inverse ARP protocol enables dynamic "Frame Relay mapping".
The "show frame-relay map" command provides the DLCI number and the PVC status.
Cisco supports 2 "Frame Relay" encapsulation types:
IETF
Cisco
Statuses in Frame Relay:
ACTIVE: the PVC is operational and can transmit data
INACTIVE: the connection from the local router to the switch is working, but the connection to the remote router is not available
DELETED: the PVC is not present and no LMI information is being received from the Frame Relay switch
STATIC: the Local Management Interface (LMI) mechanism on the interface is disabled
The statuses can be displayed with the "show frame-relay map" command.
BECN is used to warn source devices that congestion has occurred on that path, while FECN is used to alert receiving devices.
Configuration of Frame Relay
1. All routers, switches, PCs and the cloud are placed and connected.
When connecting, the DCE must be on the cloud side and the DTE on the router side.
2. IP addresses are assigned to the router interfaces and the PCs.
3. Static or dynamic routing is configured between the routers.
4. Enter the cloud. Select the appropriate serial interface and set the DLCI numbers.
In the DLCI field write the DLCI numbers connected to the selected serial, and in the Name field the router names.
[DLCI = (start router no.) ----> (end router no.)] [NAME = start router ------> end router]
5. From the "Frame-Relay" tab under the cloud, the serials are paired with each other and added to the configuration.
Port = serial, Sublink = the router it goes to; Port = the cloud's serial toward the destination router, Sublink = the router it set out from.
6. Open the router's serial interface that connects to the cloud and enter:
a #encapsulation frame-relay
b #frame-relay interface-dlci <DLCI of the router to reach>
c #frame-relay lmi-type <frame-relay type>
With the Frame Relay MAP technique, frame relay can be set up with the following commands without doing step 3 and steps 6.b and 6.c.
After 6.a:
#bandwidth <bandwidth>
#frame-relay map ip <IP of the destination router's cloud-facing interface> <related DLCI no. (e.g. 102 if R1-->R2)> broadcast
e.g.: frame-relay map ip 10.0.0.2 102 broadcast
Note: This is done on all routers.
Access Lists
Used for firewall security on a router.
Types of access list:
Standard (1-99, 2000-2699)
Extended (100-199)
Named
Differences Between Standard and Extended Access List
ACL Configuration
1. Enter the router and create the access list.
ip access-list standard <list no> [list no 1-99 standard, 100-199 extended]
deny host <IP to be blocked>
permit host <IP to be allowed>
2. Select the interface where the access list is to be applied.
ip access-group <access group no> in
Named Access List
It can be used for both standard and extended. The only difference is that a name is given instead of a number.
router(config)#ip access-list <standard | extended> <name>
router(config-std-nacl)#<permit | deny> <source host or network> <wildcard> <destination host or network> <wildcard>
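Added example (not Cisco code): an evaluator for the standard and extended access lists described above. Each packet is checked against the entries in order, wildcard masks are applied the Cisco way (a 1 bit in the wildcard means "don't care"), a standard list looks only at the source, an extended list also at protocol, destination and port, and a packet that matches no entry hits the implicit deny at the end of every list. The two lists and the packets are constructed sample data.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


ANY = ("0.0.0.0", "255.255.255.255")   # `any`


def host(ip):
    """`host X` is X with an all-zero wildcard."""
    return (ip, "0.0.0.0")


def entry_matches(entry, packet):
    """A standard entry has only `src`; an extended one may add proto, dst and dport."""
    if not wildcard_match(packet["src"], *entry["src"]):
        return False
    if entry.get("proto") not in (None, "ip", packet["proto"]):
        return False
    if "dst"in entry and not wildcard_match(packet["dst"], *entry["dst"]):
        return False
    if "dport" in entry and packet.get("dport") != entry["dport"]:
        return False
    return True


def evaluate(acl, packet):
    """First match wins; (action, entry number). No match means the implicit deny."""
    for number, entry in enumerate(acl, start=1):
        if entry_matches(entry, packet):
            return entry["action"], number
    return "deny", None


# access-list 10 deny host 10.1.1.5 / permit 10.1.1.0 0.0.0.255
STANDARD_ACL_10 = [
    {"action": "deny", "src": host("10.1.1.5")},
    {"action": "permit", "src": ("10.1.1.0", "0.0.0.255")},
]
# access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 10.9.9.9 eq 80 / deny ip any any
EXTENDED_ACL_100 = [
    {"action": "permit", "proto": "tcp", "src": ("10.1.1.0", "0.0.0.255"),
     "dst": host("10.9.9.9"), "dport": 80},
    {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY},
]


if __name__ == "__main__":
    web = {"src": "10.1.1.7", "dst": "10.9.9.9", "proto": "tcp", "dport": 80}
    print("ACL 10:", evaluate(STANDARD_ACL_10, web))
    print("ACL 100:", evaluate(EXTENDED_ACL_100, web))
```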
DHCP Configuration
1. The configuration for the topology is done.
2. The DHCP configuration is done on the router.
#ip dhcp pool "pool name"
#network <network address DHCP will serve> <subnet mask>
#default-router 10.1.8.1
#exit
NOTE: if there is an IP address within the specified network that should not be handed out:
#ip dhcp excluded-address 10.1.8.1
NOTE: the default-router address is the one assigned to the router interface attached to the network on which DHCP hands out addresses.
IP Process in DHCP
The DHCP client broadcasts a DHCPDISCOVER packet.
A DHCP server returns a DHCPOFFER packet.
The client may receive multiple DHCPOFFER packets.
The client chooses a DHCP server based on the DHCPOFFER packet.
The client sends a DHCPREQUEST packet to the server.
The server responds with a DHCPACK message and the lease is finalized.
DNS Configuration
#ip domain-lookup
#ip name-server <IP address>
#ip domain-name <___.com>
NOTE: Packets are created when the network layer encapsulates segments with the destination address and control information.
Physical Layer
Physical layer translates bits into voltages for transmission across the physical link.
SNMP Protocol
SNMP operates at the "Application Layer".
It is used for monitoring and management of various devices.
Nice-to-know information:
SNMP Manager: the SNMP manager is a central system that is used to monitor traffic as well as provide a mechanism for the control of the agents.
SNMP Agent: the SNMP agent is a software component that exists within a network element.
Management Information Base (MIB): the MIB is a virtual information storage location where network management information is held.
There are no big differences between SNMPv1 and SNMPv2; SNMPv3 has a much higher level of security, such as:
Message integrity
Authentication
Encryption
Two additional messages were added in SNMPv2:
GetBulk: retrieves more information
Inform: used to send an acknowledged message from the agent to the manager
Trap: used to send an acknowledged message from the agent to the manager
NOTE:
In the topology above, when a packet is transferred from PC-1 to the FTP server, the MAC addresses are those of the interfaces on the different routers that face each other, while the IP addresses are those of the end devices.
NETFLOW
Netflow provides detailed information on packets flowing. Flow is described by these 7 values;
Source IP
Destination IP
Source Port No
Destination Port No
Layer 3 Protocol Type
Input Logical Interface
Type of Service
On devices where NetFlow is enabled, NetFlow records are generated. The records are exported over UDP or SCTP (Stream Control Transmission Protocol) to the NetFlow data collection server.
NetFlow data can be accessed from the CLI and on servers called "NetFlow Collectors". Real-time traffic information can be obtained from the CLI with show commands. It is of great value for troubleshooting.
Purposes and Advantages of NetFlow
Network monitoring
Network security
Network design
Network billing
DDoS and DoS prevention
Display details of who uses network resources
Information can be used for billing and charging for resource utilization
Detailed information for network planning
Detailed data for network applications and services
NetFlow tools are NetFlow Collectors and NetFlow Analyzers.
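How a collector turns packets into flows keyed by the 7 values listed above, and how the "who uses network resources" and DoS-detection purposes follow from that, as an added example that is not part of the original notes. The packet records are constructed sample data, the interface name Gi0/1 is a placeholder, and the flood threshold is an assumption chosen for the sample, not a NetFlow default.

```python
# Added example (not from the original notes): a minimal NetFlow-style flow cache.
from collections import Counter, defaultdict

# Constructed sample packets (not real traffic):
# (src_ip, dst_ip, src_port, dst_port, layer3_proto, input_interface, tos, bytes)
SAMPLE_PACKETS = [
    ("10.1.1.5", "203.0.113.10", 51000, 443, "TCP", "Gi0/1", 0, 1200),
    ("10.1.1.5", "203.0.113.10", 51000, 443, "TCP", "Gi0/1", 0, 800),
    ("10.1.1.7", "203.0.113.20", 40001, 53, "UDP", "Gi0/1", 0, 70),
    # one host opening 500 tiny connections to the same server from different source ports
] + [("10.1.1.9", "203.0.113.10", 20000 + i, 80, "TCP", "Gi0/1", 0, 60) for i in range(500)]


def build_flow_cache(packets):
    """Aggregate packets into flows keyed by the 7 NetFlow values.
    Returns {key: (packet_count, byte_count)}; two packets with the same 7 values are one flow."""
    cache = defaultdict(lambda: [0, 0])
    for src, dst, sport, dport, proto, ifc, tos, size in packets:
        key = (src, dst, sport, dport, proto, ifc, tos)
        cache[key][0] += 1
        cache[key][1] += size
    return {k: tuple(v) for k, v in cache.items()}


def top_talkers(cache, n=3):
    """'Who uses network resources': bytes per source IP, highest first."""
    by_src = Counter()
    for key, (_, nbytes) in cache.items():
        by_src[key[0]] += nbytes
    return by_src.most_common(n)


def flood_suspects(cache, max_flows=100):
    """Detection heuristic: a source that opens many distinct flows to one destination
    (the pattern of a flood or a port scan). The threshold is an assumption for this sample."""
    pairs = Counter((key[0], key[1]) for key in cache)
    return [(src, dst, count) for (src, dst), count in pairs.items() if count > max_flows]


if __name__ == "__main__":
    flows = build_flow_cache(SAMPLE_PACKETS)
    print(len(flows), "flows")
    print("top talkers:", top_talkers(flows))
    print("flood suspects:", flood_suspects(flows))
```

Note that the two 443 packets from 10.1.1.5 collapse into one flow with two packets, while the 500 packets from 10.1.1.9 stay 500 separate flows because the source port differs: the number of flows per (source, destination) pair, not the byte count, is what exposes the flood.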
NOTE:
General NetFlow statistics can be displayed with the "show ip cache flow" command.
NetFlow network components:
Network devices that are configured for NetFlow
NetFlow Collector, which receives NetFlow information from the network devices
IPv6
IPv6 uses 128 bits for addressing. An IPv6 address consists of 8 groups of 4 digits, and the digits in a group can only be hexadecimal (0-9 and A-F).
0012 can be written as 12; the leading zeros do not have to be written.
Groups consisting only of zeros can be omitted. For example:
o ABC:567:0:0:8888:9999:1111:0 → ABC:567::8888:9999:1111:0
o 0:0:0:0:0:0:0:5 → ::5
Note: An address can contain only one "::".
Improvements of IPv6
Superior IP Addressing
Larger address space, which sustains global connectivity and flexibility. Offers more plug-and-play options for more devices.
Simplified Header
- Better routing efficiency for performance
- Elimination of broadcasts (no broadcast storms)
- No requirement for processing checksums
- Simplified and more efficient extension header mechanism
Improved Mobility and Security
Mobility supports people on mobile networks. IPv6 has an auto-configuration feature.
Standardized IPv6 Addresses
Known IPv6 Multicast Groups
Types of IPv6 Addressing
Unicast: addressed and delivered to only a single interface.
Global Unicast: used just like a regular public routable address in IPv4.
Multicast: meant to be delivered to multiple interfaces.
Anycast: the address identifies multiple interfaces, but packets are delivered only to the first address it finds.
Link-local: like private addresses in IPv4 in that they are not meant to be routed over the Internet.
Every IPv6 interface contains at least one loopback address.
The encapsulation of IPv6 packets inside IPv4 packets is called tunneling.
IPv6 Transition (Tunnel) Mechanisms
6to4 Tunnels
ISATAP Tunnels (Intra-Site Automatic Tunnel Addressing Protocol)
GRE Tunnels (Generic Routing Encapsulation)
NOTE: To assign an IPv6 address to a router interface, the command "ipv6 address 2001:db8….." is used.
Router Passwords
Enable Password: in order to access "ENABLE" mode.
When we are in global config mode:
# enable password (password)
If we do not want our password to be visible in clear text on the screen:
# enable secret (password)
Console and VTY (Telnet password): in order to reach the router using Telnet or the console.
#line console 0
#password (password)
#login
After these commands, we can access the router using "TERMINAL" on the PC.
#line vty 0 4
#password (password)
#login
After these commands, we can access the router using the "Command Prompt" on the PC.
Note: All of these passwords can be seen on the router with the "show running-config" command. To prevent the passwords from being readable with this command, the
# service password-encryption command is used.
HSRP (Hot Standby Router Protocol)
2 (or more) routers act as a single virtual router with the help of a "Virtual IP" and a "Virtual default gateway".
HSRP v1: 0000.0C07.ACxx (multicast address 224.0.0.2)
HSRP v2: 0000.0C9F.Fxxx (multicast address 224.0.0.102)
Currently HSRPv1 is the default version when running HSRP on Cisco devices.
A hello packet is sent between the HSRP standby group devices every 3 seconds. If the standby device does not receive any hello packet for 10 seconds, it becomes the active device.
HSRP States
Initial: while powering on.
Listen: if there are already both an active and a standby router, a new router goes to the Listen state.
Speak: the state routers are in while the election process runs.
Standby:
Active:
HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.
VRRP (Virtual Router Redundancy Protocol)
HSRP and VRRP are nearly the same, but HSRP is Cisco-specific while VRRP is an open standard. As with HSRP, the standby router starts to work only if the active router fails.
There can be more than one redundant router.
VRRP also provides load balancing between routers.
VRRP provides 255 VRRP groups.
The router with the highest priority number becomes master.
VRRP allows us to assign more than 1 virtual IP to a single port. In this way, a single physical port can be used for different subnets.
Preemption: in case of a failure the standby becomes master; when the master comes back up, the standby router returns to standby.
We can partially configure load balancing via HSRP or VRRP using "multiple groups".
GLBP (Gateway Load Balancing Protocol)
GLBP is a Cisco proprietary protocol and performs a similar function to HSRP and VRRP, but it supports load balancing among the members of a GLBP group. [more than 1 active router at the same time]
Routers in the same GLBP group send each other a "hello" message every 3 seconds.
GLBP routers are divided into two groups: AVG and AVF.
AVG: The AVG is the brain of GLBP. The AVG assigns virtual MAC addresses to the other routers in the group. If the AVG becomes unable to serve, one of the other members takes over this role. Only 1 AVG can exist in a group at a time.
AVF: the routers in the GLBP group other than the AVG.
A GLBP group can contain a maximum of 4 routers. GLBP member routers communicate with each other using the multicast IP address 224.0.0.102 and UDP port 3222.
The AVG election is based on the routers' "priority" value. The default priority value for each router is 100. The priority value ranges from 1 to 255, and a higher priority value is preferred. If the priority values are equal, the router with the highest IP address is elected AVG.
Preempt mode is enabled by default for AVFs.
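The HSRP virtual MAC formats given above (0000.0C07.ACxx for v1, 0000.0C9F.Fxxx for v2) and the priority/highest-IP election just described, together with the effect of preempt mode, as an added example that is not part of the original notes. The router names, priorities and addresses are constructed sample values.

```python
# Added example (not from the original notes): HSRP virtual MAC derivation and
# the FHRP election rule (highest priority, then highest IP), with and without preempt.


def hsrp_virtual_mac(version, group):
    """Virtual MAC of an HSRP group: v1 = 0000.0c07.acXX (groups 0-255),
    v2 = 0000.0c9f.fXXX (groups 0-4095); XX/XXX is the group number in hex."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("version must be 1 or 2")


def _ip_key(ip):
    """Compare dotted-decimal addresses numerically, octet by octet."""
    return tuple(int(octet) for octet in ip.split("."))


def elect_gateway(routers):
    """Pick the active router / AVG: highest priority wins, ties go to the highest IP."""
    best = max(routers, key=lambda r: (r["priority"], _ip_key(r["ip"])))
    return best["name"]


def simulate_failover(routers, failed, preempt=True):
    """Return (gateway while 'failed' is down, gateway after 'failed' returns).
    With preempt, a returning higher-priority router takes the role back;
    without it, whoever currently holds the role keeps it."""
    survivors = [r for r in routers if r["name"] != failed]
    during = elect_gateway(survivors)
    after = elect_gateway(routers) if preempt else during
    return during, after


# Constructed sample group: R1 and R2 share the default priority 100, R3 is preferred.
SAMPLE_ROUTERS = [
    {"name": "R1", "priority": 100, "ip": "10.0.0.1"},
    {"name": "R2", "priority": 100, "ip": "10.0.0.2"},
    {"name": "R3", "priority": 150, "ip": "10.0.0.3"},
]

if __name__ == "__main__":
    print(hsrp_virtual_mac(1, 10), hsrp_virtual_mac(2, 10))
    print("elected:", elect_gateway(SAMPLE_ROUTERS))
    print("R3 fails, preempt on :", simulate_failover(SAMPLE_ROUTERS, "R3", preempt=True))
    print("R3 fails, preempt off:", simulate_failover(SAMPLE_ROUTERS, "R3", preempt=False))
```

The tie between R1 and R2 is resolved by the higher address, which is why R2 takes over while R3 is down.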
GLBP Load Balancing
1. Round Robin (default)
2. Host Dependent: the load-balancing type in which users are made to exit only through a specified router.
3. Weighted: based on sharing users among the routers in proportion to the "weight" value assigned to each router within the GLBP process.
GLBP supports clear-text and MD5 password authentication between GLBP group members.
First Hop Redundancy Protocol (FHRP)
Allows a single "default gateway" address to be used by more than one router. Provides redundancy at fail-over time. This protocol is used not only on routers but on other devices as well.
Examples of FHRP are:
VRRP
HSRP
GLBP
VRRP (Virtual Router Redundancy Protocol):
Allows multiple routers to act as a single virtual router.
The main features of VRRP:
Redundancy
Load Sharing (VRRP allows the traffic of LAN devices to be forwarded over more than one router)
Multiple virtual router support (VRRP supports up to 255 virtual routers (VRRP groups) on a router's physical port. In a LAN topology with multiple router support, redundancy and load sharing are achieved.) In short, 1 router can be the backup of more than 1 router.
Multiple IP addresses: if more than one subnet is configured on the Ethernet port, a separate VRRP configuration can be made for each subnet.
Preemption: if the master has a problem, the backup becomes master. When the master recovers, the backup goes back to being the backup.
HSRP (Hot Standby Router Protocol)
Provides redundancy. While one of the routers is Active, the other is Standby. The connection is maintained by means of hello packets every 3 seconds. This time period is adjustable.
Differences Between HSRP and VRRP:
o HSRP is a Cisco-proprietary protocol, whereas VRRP is an open protocol in the IEEE standard.
o The active router in HSRP is called the master router in VRRP.
o In VRRP, a router can be given the IP address of the virtual router group. The router that is given the virtual router group's IP address becomes the master router.
o While HSRP has only one backup router, VRRP can have more than one backup router.
GLBP (Gateway Load Balancing Protocol)
Cisco-proprietary. The biggest feature that distinguishes GLBP from the other protocols providing dynamic gateway redundancy is that it allows more than one router to actively forward packets at the same time. GLBP goes further and also allows load balancing at the desired level across the actively working routers.
GLBP routers are divided into two groups, AVG and AVF:
AVG (Active Virtual Gateway): assigns virtual MACs to the routers; the brain of the group
AVF (Active Virtual Forwarder): the routers that are not the brain
Round Robin, Host Dependent and Weighted load balancing can be done with GLBP.
SNMP
Used for monitoring. SNMP consists of 3 components:
SNMP Manager (NMS): software running on the network administrator's PC.
SNMP Agent: software that runs on the network devices.
Management Information Base (MIB): the MIB contains the set of questions that the SNMP Manager can ask the Agent.
SNMP Versions:
SNMP v1
SNMP v2c = (SNMP v1 + INFORM and GETBULK messages)
SNMP v3 = (SNMP v2c + Security)
SNMP v1 and SNMP v2 have community-string security:
Read-Only (RO): gives read-only access to the MIB
Read-Write (RW): this method allows the SNMP Manager to change the configuration of the managed router/switch
SNMP v3 security has: Authentication, Message Integrity and Privacy (Encryption)
SNMP Messages:
SNMP GET (NEXT, RESPONSE): retrieve information.
SNMP SET: used by the SNMP Manager to modify or assign values on the SNMP Agents.
SNMP TRAP: TRAP messages are initiated by the SNMP Agents to inform the SNMP Manager of the occurrence of an event.
SNMP INFORM: more reliable than TRAP. Trap uses UDP, Inform uses TCP.
SNMP GETBULK: an operation that efficiently retrieves large blocks of data
Syslog
Syslog is an excellent tool for system monitoring.
Syslog messages can be stored in:
internal buffer, syslog server, flash memory, non-console terminal, console line.
Syslog messages include: sequence no, time stamp, facility (protocol, module, process, ...) and severity (from 0 to 7).
0 is the most severe. [0 -> Emergency, 1 -> Alert, 2 -> Critical, 3 -> Error, 4 -> Warning, 5 -> Notification, 6 -> Informational, 7 -> Debug]
Mnemonic: Eventually All Critical Errors Will Not Involve Damage
The default Syslog facility level is 7.
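The message fields listed above (sequence number, time stamp, facility, severity) parsed out of IOS-style syslog lines, plus a severity filter that mirrors how a logging threshold selects which messages are forwarded, as an added example that is not part of the original notes. The log lines are constructed samples, not output from a real device.

```python
# Added example (not from the original notes): parse IOS-style syslog lines and filter by severity.
import re

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debug"}

# Optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?\w{3}\s+\d+ [\d:.]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse_syslog(line):
    """Split one syslog line into its fields; returns None for lines that are not syslog messages."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def filter_at_or_above(lines, level):
    """Keep messages at severity 'level' or more severe (lower number = more severe).
    This is the selection a 'logging trap <level>' threshold applies before sending to a server."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and rec["severity"] <= level:
            kept.append(rec)
    return kept


# Constructed sample log (not from a real device); sequence numbers and timestamps are made up.
SAMPLE_LOG = [
    "000123: *Mar  1 00:01:02.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000124: *Mar  1 00:01:03.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000125: *Mar  1 00:02:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "000126: *Mar  1 00:03:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "some unrelated console output",
]

if __name__ == "__main__":
    for rec in filter_at_or_above(SAMPLE_LOG, 4):
        print(rec["seq"], rec["severity_name"], rec["facility"], rec["mnemonic"], "-", rec["text"])
```

With the threshold at 4 (warning), the link-down error and the failed login are kept while the two level-5 notifications are dropped; the non-syslog line is ignored rather than mis-parsed.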
NOTES:
MTU = Maximum Transmission Unit (maximum packet size)
line vty 0 4 (after entering this command, we must set the vty password to be able to make a Telnet connection.)
With "show version" we can see the router's memories and how much of them is used.
segment = LAYER 4
STP prevents loops in the local area network, so it is "Layer 2".
Router(config)# service password-encryption
encrypts all clear-text passwords in the configuration file, whether entered before or afterwards.
For virtual interface security:
1. A password can be assigned for the Virtual Terminal.
2. An access-list is created. The access-group command is used for physical interfaces, and the access-class command for virtual interfaces.
Global command = Global configuration mode
Cisco has "traceroute"; the other form does not exist.
"ipconfig" is not used on Cisco.
"show sessions" shows the established sessions.
line vty "number": as many Telnet/SSH sessions as the specified number are allowed.
PPP supports both synchronous (like analog phone lines) and asynchronous circuits (such as ISDN or digital links). With synchronous circuits we need to use the clock rate.
In PPP, the authentication types can be prioritized with a single command. For example:
(config-if)# ppp authentication chap pap "means apply CHAP; if that fails, PAP"
A CSU/DSU terminates a digital local loop; a modem terminates an analog local loop.
FCS (Frame Check Sequence) is a 4-octet field used to verify that the frame was received without loss or error.
NAT – PAT
Static NAT: 1-to-1 mapping.
Dynamic NAT: there must be enough real IP addresses for everyone who wants to send packets through the Internet. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address.
PAT (NAT Overload): permits multiple devices on a LAN to be mapped to a single public IP address with different port numbers.
PAT can support 2^16 (65,536) port numbers, i.e. that many translated addresses per public IP.
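The PAT mechanism described above, as an added example that is not part of the original notes: a translation table in which many inside (address, port) pairs share one public address and are told apart by the public port, including the exhaustion case that corresponds to the "router discards the packet" rule for dynamic NAT. The public address, the inside hosts and the deliberately tiny port range are constructed sample values; keeping the original source port when it is free is an assumption about the allocation policy, not a rule from the notes.

```python
# Added example (not from the original notes): a minimal PAT (NAT overload) table.


class PatTable:
    """Many inside (ip, port) pairs share one public IP, distinguished by the public port."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.free_ports = set(range(port_range[0], port_range[1] + 1))
        self.inside_to_outside = {}   # (inside_ip, inside_port) -> public_port
        self.outside_to_inside = {}   # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port):
        """Return (public_ip, public_port) for an outgoing packet, allocating a port on first use.
        Returns None when the port pool is exhausted: the packet cannot be translated and is dropped."""
        key = (inside_ip, inside_port)
        if key not in self.inside_to_outside:
            if not self.free_ports:
                return None
            # keep the original source port when it is still free, otherwise take the lowest free one
            port = inside_port if inside_port in self.free_ports else min(self.free_ports)
            self.free_ports.remove(port)
            self.inside_to_outside[key] = port
            self.outside_to_inside[port] = key
        return self.public_ip, self.inside_to_outside[key]

    def translate_inbound(self, public_port):
        """Map a returning packet's destination port back to the inside host, or None if unknown.
        Unknown ports have no entry and are dropped, which is why unsolicited inbound traffic
        does not reach hosts behind PAT."""
        return self.outside_to_inside.get(public_port)

    def release(self, inside_ip, inside_port):
        """Remove a translation (e.g. on session timeout) and return the port to the pool."""
        port = self.inside_to_outside.pop((inside_ip, inside_port), None)
        if port is not None:
            del self.outside_to_inside[port]
            self.free_ports.add(port)
        return port


if __name__ == "__main__":
    pat = PatTable("203.0.113.1", port_range=(40000, 40002))   # three ports, to show exhaustion
    print(pat.translate_outbound("10.0.0.1", 40000))   # keeps port 40000
    print(pat.translate_outbound("10.0.0.2", 40000))   # collision -> 40001
    print(pat.translate_outbound("10.0.0.3", 5000))    # 5000 outside range -> 40002
    print(pat.translate_outbound("10.0.0.4", 6000))    # None: pool exhausted
    print(pat.translate_inbound(40001))                # back to 10.0.0.2:40000
```

Two inside hosts using the same source port get different public ports, so the single public address can carry both sessions; once the pool is empty the next new session is refused until a translation is released.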