2. PPP
WAN Encapsulation Protocols
- HDLC: default encapsulation type on Cisco point-to-point serial links (Cisco's HDLC carries a proprietary type field, so both ends must be Cisco)
- PPP: open standard; supports PAP and CHAP authentication
- Serial Line Internet Protocol (SLIP): replaced by PPP
- X.25/Link Access Procedure, Balanced (LAPB): predecessor to Frame Relay
- Frame Relay: industry standard
- ATM: international standard for cell relay carrying multiple service types
Configuring HDLC Encapsulation
(config)# interface S0/0
(config-if)# encapsulation HDLC
# show interface serial //verify
# show controllers //troubleshooting
PPP Architecture
- Physical media: asynchronous or synchronous serial
- Link Control Protocol (LCP): establishes, configures and tests the data-link connection; authentication, compression and multilink are negotiated here
- Network Control Protocols (NCPs): one per network-layer protocol carried over the link (e.g. IPCP for IP)
Configuring PPP
(config)# interface S0/0
(config-if)# encapsulation ppp
(config-if)# compress [predictor | stac] //software compression
(config-if)# ppp quality [percentage] //Link Quality Monitoring (LQM): the link is taken down if quality drops below the percentage
(config-if)# ppp multilink //load balancing across multiple links
(config-if)# ppp authentication {pap | chap | chap pap | pap chap} //set authentication type; with two keywords the first is tried first
CHAP and PAP both need a username entry for the peer on each router, e.g. (config)# username <peer-hostname> password <secret>, with the same secret on both sides. PAP sends the password in clear text; CHAP sends only an MD5 hash of a challenge.
# show interfaces serial0/0 //verify (LCP Open, IPCP Open)
# debug ppp negotiation
# debug ppp authentication //troubleshooting
# undebug all //turn off debugging
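The PAP and CHAP exchanges behind `ppp authentication`, as an added worked example (not code from the original notes): both sides of a CHAP handshake per RFC 1994, next to a PAP exchange, so the difference in what crosses the serial link is visible. The peers, the secret `cisco` and the fixed challenge are constructed values, not taken from any real link.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration; nothing here was captured
# from a real PPP link.
SHARED_SECRET = b"cisco"            # the `username <peer> password <secret>` value
HYPOTHETICAL_CHALLENGE = b"\x01" * 16


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(authenticator_secret, peer_secret, identifier=1, challenge=None):
    """Three-way CHAP handshake. Returns (success, on_wire); on_wire is the
    list of (code, identifier, payload) an eavesdropper on the link would see."""
    if challenge is None:
        challenge = os.urandom(16)           # the authenticator must pick a fresh value
    on_wire = [("Challenge", identifier, challenge)]
    response = chap_response(identifier, peer_secret, challenge)
    on_wire.append(("Response", identifier, response))
    # The authenticator recomputes from its own copy of the secret and compares.
    expected = chap_response(identifier, authenticator_secret, challenge)
    success = hmac.compare_digest(response, expected)
    on_wire.append(("Success" if success else "Failure", identifier, b""))
    return success, on_wire


def pap_exchange(peer_id, password, user_db):
    """PAP: the Authenticate-Request carries peer-id and password in clear text."""
    on_wire = [("Authenticate-Request", peer_id, password)]
    ok = user_db.get(peer_id) == password
    on_wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak", peer_id, b""))
    return ok, on_wire


def secret_visible(on_wire, secret):
    """True if the secret itself appears in any field sent on the link."""
    return any(field == secret for msg in on_wire for field in msg)


if __name__ == "__main__":
    ok, wire = chap_exchange(SHARED_SECRET, SHARED_SECRET, challenge=HYPOTHETICAL_CHALLENGE)
    print("CHAP:", "Success" if ok else "Failure", "| secret on wire:", secret_visible(wire, SHARED_SECRET))
    ok, wire = pap_exchange(b"R2", SHARED_SECRET, {b"R2": SHARED_SECRET})
    print("PAP: ", "Ack" if ok else "Nak", "| secret on wire:", secret_visible(wire, SHARED_SECRET))
```

Two caveats follow from the code: CHAP's protection rests entirely on the authenticator never reusing a challenge (the same identifier, secret and challenge always give the same response, so a replayed one would pass), and the authenticator must hold the secret in a recoverable form, which is why `username ... password` is configured on both routers. A captured challenge/response pair can also be brute-forced offline against weak secrets; CHAP stops sniffing, not guessing.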
3. Frame Relay
Configure Frame Relay
1. Set the IP address on the interface
ip address <address> <mask>
2. Configure the encapsulation
encapsulation frame-relay [cisco | ietf] //cisco is the default; use ietf when the far end is not a Cisco router
3. Set the bandwidth (informs routing-protocol metrics; it does not change the line rate)
bandwidth <kbps>
4. Set the LMI type (optional; autosensed on current IOS)
frame-relay lmi-type {cisco | ansi | q933a}
5. Verify
show interfaces serial
Frame Relay maps (DLCI to next-hop address) are built dynamically by Inverse ARP. You can also configure a static mapping manually:
(config-if)# frame-relay map <protocol> <protocol-address> <dlci> [broadcast]
# show frame-relay map //verify
<protocol-address> = network-layer address of the destination router's interface.
[broadcast] forwards broadcast and multicast traffic (routing updates, for example) over this PVC. It is needed because Frame Relay is a non-broadcast multi-access (NBMA) network and does not replicate broadcasts to every destination on its own.
Configure Point-to-Point Subinterface
1. Clear all configuration (in particular the IP address) from the physical interface
2. Configure Frame Relay encapsulation on the physical interface
(config-if)# encapsulation frame-relay
3. Create the subinterface
(config)# interface serial 0/0/0.103 point-to-point
4. Configure the IP address for the subinterface and set the bandwidth
5. Configure the local DLCI on the subinterface
(config-subif)# frame-relay interface-dlci 103 //the DLCI must be set for each subinterface; Inverse ARP does not run on point-to-point subinterfaces
Verify Frame Relay Operation
show interfaces //line and protocol status, LMI DLCI and type
show frame-relay lmi //non-zero "Invalid" counters or status timeouts indicate LMI problems (usually an LMI type mismatch)
show frame-relay pvc //check PVC status and statistics
clear counters //clear statistics
clear frame-relay-inarp //clear dynamically created Frame Relay maps
debug frame-relay lmi //troubleshooting
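The check the notes describe for `show frame-relay lmi`, as an added example that is not part of the original notes: a parser for the command's output that flags every non-zero "Invalid" counter and any status timeouts. The sample output is constructed for the demonstration (the column layout follows the usual IOS format; the values are deliberately unhealthy) and was not captured from a real router.

```python
import re

# Constructed sample of `show frame-relay lmi` output for the demonstration
# (not captured from a real router). The counters are deliberately unhealthy.
SAMPLE_LMI = """\
LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 3              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 45               Num Status msgs Rcvd 12
  Num Update Status Rcvd 0              Num Status Timeouts 33
"""

HEADER_RE = re.compile(r"LMI Statistics for interface (\S+) .*LMI TYPE = (\S+)")
# Each counter line holds two "<name> <value>" pairs separated by whitespace.
COUNTER_RE = re.compile(r"((?:Invalid|Num) [A-Za-z. ]+?)\s+(\d+)")


def parse_lmi(text):
    """Return one dict per interface: {interface, lmi_type, counters: {name: int}}."""
    blocks = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            current = {"interface": header.group(1), "lmi_type": header.group(2), "counters": {}}
            blocks.append(current)
        elif current is not None:
            for name, value in COUNTER_RE.findall(line):
                current["counters"][name.strip()] = int(value)
    return blocks


def lmi_problems(blocks):
    """Apply the checks from the notes: any non-zero 'Invalid' counter, and
    status timeouts (enquiries going unanswered, typically an LMI type mismatch
    or a down access link). Returns (interface, counter, value) triples."""
    problems = []
    for block in blocks:
        for name, value in block["counters"].items():
            if name.startswith("Invalid") and value:
                problems.append((block["interface"], name, value))
        timeouts = block["counters"].get("Num Status Timeouts", 0)
        if timeouts:
            problems.append((block["interface"], "Num Status Timeouts", timeouts))
    return problems


if __name__ == "__main__":
    for interface, counter, value in lmi_problems(parse_lmi(SAMPLE_LMI)):
        print(f"{interface}: {counter} = {value}")
```

Feeding it the output of several interfaces works the same way, since each "LMI Statistics for interface" header starts a new block. A router whose "Num Status Enq. Sent" keeps climbing while "Num Status msgs Rcvd" stays flat is the classic LMI-type mismatch the notes point at.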
5. ACLs
Well-known ports (protocol / port)
TCP: FTP 21, Telnet 23, SMTP 25, POP3 110, IRC 194, HTTPS 443, MSN Messenger 1863, Cisco SCCP (VoIP) 2000
UDP: TFTP 69, RIP 520, RADIUS 1812
TCP/UDP: DNS 53, SNMP 161, MS SQL 1433, WAP (MMS) 2948
Using an ACL to Control VTY Access
(config)# access-list 21 permit 192.168.10.0 0.0.0.255
(config)# access-list 21 permit 192.168.11.0 0.0.0.255
(config)# access-list 21 deny any //an implicit deny any exists anyway; the explicit entry lets you add log
(config)# line vty 0 4
(config-line)# login
(config-line)# password SECRET
(config-line)# access-class 21 in //IN = restrict incoming connections to the router; OUT would restrict outbound Telnet from the router
Apply the access-class to every VTY line the platform has (line vty 0 15 on most routers); lines left without it still accept connections from anywhere. The line password is stored in clear text unless service password-encryption is enabled; login local with SSH (transport input ssh) is the stronger choice.
Creating Standard Named ACLs
(config)# ip access-list [standard | extended] NAME
(config-std-nacl)# [permit | deny | remark] {source wildcard} [log]
(config-if)# ip access-group NAME [in | out]
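How the router evaluates the standard and extended entries on this page, as an added example written for these notes (not code from the original): a small evaluator with Cisco wildcard-mask semantics, top-down first-match ordering and the implicit deny at the end. ACL 21 is the VTY access-class above; ACL 101 is the first entry of the lock-and-key example with the `tcp` keyword that the entry needs. The test packets and the remark text are constructed.

```python
import ipaddress

# IOS port keywords used on this page; numeric ports are accepted too.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69,
              "www": 80, "pop3": 110, "snmp": 161, "radius": 1812}

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    token = tokens.pop(0)
    if token == "any":
        return ANY
    if token == "host":
        return tokens.pop(0), "0.0.0.0"
    return token, tokens.pop(0)


def parse_ace(line, extended):
    """Parse one standard or extended ACE in the syntax used on this page.
    Returns None for remark lines."""
    tokens = line.split()
    if tokens[0] == "remark":
        return None
    ace = {"action": tokens.pop(0), "proto": "ip", "dport": None}
    if extended:
        ace["proto"] = tokens.pop(0)
    ace["src"] = _take_addr(tokens)
    ace["dst"] = _take_addr(tokens) if extended else ANY
    if tokens[:1] == ["eq"]:
        ace["dport"] = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.get("proto"):
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt.get("dst", "0.0.0.0"), *ace["dst"]):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")


def evaluate(acl_lines, pkt, extended=False):
    """Walk the ACL top-down; the first match wins. Returns (action, line number),
    or ('deny', None) for the implicit deny-any at the end of every ACL."""
    for number, line in enumerate(acl_lines, 1):
        ace = parse_ace(line, extended)
        if ace and ace_matches(ace, pkt):
            return ace["action"], number
    return "deny", None


# ACLs from this page. ACL 21 is the VTY access-class; ACL 101 is the first
# ACE of the lock-and-key example with the protocol keyword included.
ACL_21 = ["permit 192.168.10.0 0.0.0.255",
          "permit 192.168.11.0 0.0.0.255",
          "deny any"]
ACL_101 = ["remark constructed: telnet to the router so lock-and-key can authenticate",
           "permit tcp any host 10.2.2.2 eq telnet"]

if __name__ == "__main__":
    print(evaluate(ACL_21, {"src": "192.168.11.7"}))
    print(evaluate(ACL_101, {"proto": "tcp", "src": "172.16.0.9", "dst": "10.2.2.2", "dport": 22}, extended=True))
    # Common mistake: a subnet mask where a wildcard belongs. 255.255.255.0 means
    # "only the last octet must match 0", so it matches 10.1.1.0 but not 192.168.10.5.
    print(wildcard_match("10.1.1.0", "192.168.10.0", "255.255.255.0"),
          wildcard_match("192.168.10.5", "192.168.10.0", "255.255.255.0"))
```

The wildcard check is the part worth internalising: `permit 192.168.10.0 255.255.255.0` (a subnet mask typed by mistake) does not permit the 192.168.10.0/24 subnet, it permits every address whose last octet is 0 from anywhere in the Internet.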
Configure Dynamic ACLs (Lock-and-Key)
1. Create a username and password
R3(config)# username STUDENT password 0 CISCO
2. Allow Telnet to the router so the user can authenticate; the dynamic entry is activated by lock-and-key and stays open for at most 15 minutes (absolute timeout)
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
3. Apply ACL 101 inbound on interface S0/0/1 (ip access-group is an interface command, not a line command)
R3(config)# interface S0/0/1
R3(config-if)# ip access-group 101 in
4. Once the user has authenticated over Telnet, the autocommand runs and the Telnet session terminates. The user's host can now reach network 192.168.30.0; the host keyword limits the opening to the authenticating host. After 5 minutes of inactivity the opening closes (idle timeout).
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5
The credentials cross the network in clear text over Telnet; use SSH on the VTY lines where possible.

Configure Reflexive ACLs
1. Have R2 keep track of sessions that were initiated from the inside (the reflect keyword creates a temporary mirrored entry in the named list)
R2(config)# ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)# permit icmp 192.168.0.0 0.0.255.255 any reflect ICMPTRAFFIC
2. Create the inbound policy; evaluate inserts the temporary entries at that point in the list
R2(config)# ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)# evaluate TCPTRAFFIC
R2(config-ext-nacl)# evaluate ICMPTRAFFIC
3. Apply the ACLs to the interface (reflexive ACLs can only be defined in extended named ACLs)
R2(config)# interface S0/1/0
R2(config-if)# ip access-group INBOUNDFILTERS in
R2(config-if)# ip access-group OUTBOUNDFILTERS out
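What the reflexive pair above does at run time, as an added example written for these notes (not IOS code): a model of OUTBOUNDFILTERS and INBOUNDFILTERS that opens a mirrored entry for each session leaving 192.168.0.0/16, lets the return traffic back in, drops an unsolicited inbound connection to the same host, and expires idle entries. The 300 s idle timeout is the IOS default (changeable with `ip reflexive-list timeout`); tearing the entry down on the first RST or FIN is a simplification of IOS behaviour, and the packets are constructed.

```python
import ipaddress

INSIDE = ("192.168.0.0", "0.0.255.255")   # the source range OUTBOUNDFILTERS reflects


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def _key(pkt):
    return (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))


def _mirror(pkt):
    """The temporary entry swaps source and destination (address and port)."""
    return (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))


class ReflexiveFilter:
    """Models OUTBOUNDFILTERS (permit tcp/icmp INSIDE any reflect ...) applied
    out and INBOUNDFILTERS (evaluate ...) applied in on the same interface.
    Entries expire after `timeout` seconds without traffic."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}   # mirrored 5-tuple -> time it was last seen

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t <= self.timeout}

    def outbound(self, pkt, now):
        self._expire(now)
        if pkt["proto"] in ("tcp", "icmp") and wildcard_match(pkt["src"], *INSIDE):
            self.entries[_mirror(pkt)] = now   # reflect: open the return path
            return "permit"
        return "deny"   # implicit deny at the end of OUTBOUNDFILTERS

    def inbound(self, pkt, now):
        self._expire(now)
        key = _key(pkt)
        if key in self.entries:
            self.entries[key] = now            # traffic on the session refreshes the timer
            if pkt.get("flags") in ("RST", "FIN"):
                del self.entries[key]          # simplified session teardown
            return "permit"
        return "deny"   # nothing follows the evaluate lines, so the implicit deny applies


if __name__ == "__main__":
    fw = ReflexiveFilter()
    web = {"proto": "tcp", "src": "192.168.10.5", "sport": 40000, "dst": "203.0.113.9", "dport": 80}
    reply = {"proto": "tcp", "src": "203.0.113.9", "sport": 80, "dst": "192.168.10.5", "dport": 40000}
    probe = {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "192.168.10.5", "dport": 23}
    print(fw.outbound(web, now=0), fw.inbound(reply, now=10), fw.inbound(probe, now=10))
```

Note what the model does not track: TCP state. Any outbound packet from the inside range opens the mirrored entry, so a compromised internal host can open return paths at will, and ICMP entries carry no port information at all. Reflexive ACLs are a stateful improvement over the `established` keyword, not a replacement for a stateful firewall.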

Configure Time-Based ACLs
1. Define the time range
R1(config)# time-range EVERYOTHERDAY
R1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
2. Apply the time range to the ACL entry
R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
3. Apply the ACL to the interface
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 out
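The periodic statement above evaluated against a clock, as an added example written for these notes (not router code): a parser for the `periodic` syntax used here (day names plus the weekdays, weekend and daily keywords) and a check that decides whether the ACE is active at a given time. Treating the end minute as inclusive is an assumption of this example; the page does not state it. The test times are constructed.

```python
from datetime import datetime

# IOS day keywords accepted by `periodic`, mapped to datetime.weekday() values.
DAY_KEYWORDS = {
    "monday": (0,), "tuesday": (1,), "wednesday": (2,), "thursday": (3,),
    "friday": (4,), "saturday": (5,), "sunday": (6,),
    "weekdays": (0, 1, 2, 3, 4), "weekend": (5, 6), "daily": tuple(range(7)),
}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(statement):
    """'periodic Monday Wednesday Friday 8:00 to 17:00' -> (days, start, end),
    start and end as minutes after midnight."""
    tokens = statement.split()
    if tokens[0].lower() != "periodic" or tokens[-2] != "to":
        raise ValueError("expected: periodic <days...> hh:mm to hh:mm")
    days = set()
    for word in tokens[1:-3]:
        days.update(DAY_KEYWORDS[word.lower()])
    return days, _minutes(tokens[-3]), _minutes(tokens[-1])


def time_range_active(statement, when):
    """True if `when` falls inside the range. Assumption: the end minute is inclusive."""
    days, start, end = parse_periodic(statement)
    minute_of_day = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute_of_day <= end


def acl_action(statement, when):
    """The page's ACE permits Telnet only while the range is active; outside it
    the entry does not match and the packet falls to the implicit deny."""
    return "permit" if time_range_active(statement, when) else "deny"


EVERYOTHERDAY = "periodic Monday Wednesday Friday 8:00 to 17:00"

if __name__ == "__main__":
    for when in (datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 17, 1), datetime(2024, 1, 2, 10, 0)):
        print(when.strftime("%A %H:%M"), acl_action(EVERYOTHERDAY, when))
```

The router's own clock is the input to this check, so a time-based ACL is only as trustworthy as that clock: synchronise it with NTP and confirm with `show time-range`, which reports whether each range is currently active or inactive.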
