Mastering Cisco Routers, Second Edition

Contents

Introduction
    What This Book Covers; Who Should Read This Book
Chapter 1: Communication Basics
    Overview; Analog and Digital Transmissions; Communication Synchronization; Understanding Topologies; Connection Types; Data Packaging; The OSI Model; Transport Layer Services; Summary
Chapter 2: Understanding Logical Topologies
    Overview; Local Area Network Topologies; Wide Area Network Topologies; Summary
Chapter 3: Protocols
    The Internet Protocol Suite (IP); Internetwork Packet Exchange (IPX); Network Basic Input/Output System (NetBIOS); AppleTalk; Summary
Chapter 4: Bridging and Switching
    Overview; Bridges; Switches; Designing Networks with Bridges and Switches; Summary
Chapter 5: Routing
    Protocol Review; Routers; Routing Tables; Layer 3 Switching; Designing Networks with Routers; Summary
Chapter 6: Routing Protocols
    Routing with IP; IPX Routing; Routing with NetBIOS; AppleTalk Routing; Protocol-Independent Routing; Summary
Chapter 7: Cisco IOS
    Online Help; Modes of Operation; Configuration Basics; Management via HTTP; Understanding Cisco Memory; Summary
Chapter 8: Installing Cisco IOS
    Selecting a Feature Set; The Router Software Loader; Cisco ConfigMaker; TFTP; Summary
Chapter 9: Access Lists
    Available Options; Static Packet Filtering; Dynamic Packet Filtering; Access List Basics; Creating a Set of IP Access Lists; Non-IP Access Lists; Installing Your Access Rules; Summary
Chapter 10: Creating a Bastion Router
    What Is a Bastion Host?; Security Check; Disabling Unneeded Services; Password Security; Additional Security Precautions; Summary
Chapter 11: Virtual Private Networking
    Overview; Authentication and Encryption; Encryption 101; Good Encryption Required; VPN Basics; Standards Used by Cisco; VPN Deployment; Configuring VPN Access; Summary
Chapter 12: Managing Cisco Routers
    Logging to Syslog; Backup and Management via TFTP; Management via SNMP; Summary
Chapter 13: Network Case Studies
    Case Study 1: A Subnet Masking Puzzle; Case Study 1: Implementing the Solution; Case Study 2: Router Table Efficiency; Case Study 2: Implementing the Solution; Case Study 3: Designing a New WAN; Case Study 3: Implementing the Solution; Summary
Chapter 14: Real-World Routing: Advice from the Field
    Overview; Case Study 1: Dedicated Internet Access; Case Study 2: Private WAN Using Dedicated Lines; Case Study 3: Private IP/IPX WAN Using Frame Relay; Case Study 4: A Multipoint VPN; Case Study 5: A Network Operations Center; Case Study 6: A Large Network Infrastructure; Summary
Chapter 15: Getting Cisco Certified
    The Brief History of Cisco Certifications; Why Get Certified?; Certification Levels; Certification Requirements; Preparing for the Tests; Taking the Tests; Summary

Mastering Cisco Routers, Second Edition
Chris Brenton and Bob Abuhoff, with Network Designs by Andrew Hamilton and Gary Kessler

Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Chris Denny
Editor: William Rodarmor
Production Editor: Elizabeth Campbell
Technical Editor: Errol Robichaux
Graphic Illustrator: Tony Jonick
Electronic Publishing Specialist: Jill Niles
Book Designer: Maureen Forys, Happenstance Type-o-Rama
Proofreaders: Nanette Duffy, Emily Hsuan, Laurie O’Connell, Yariv Rabinovitch, Nancy Riddiough
Indexer: Jack Lewis
Cover Designer: Design Site
Cover Illustrator/Photographer: Sergie Loobkoff

Copyright © 2002 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

First edition copyright © 2000 SYBEX Inc.

Library of Congress Card Number: 2002101989
ISBN: 0-7821-4107-2

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Mastering is a trademark of SYBEX Inc.

Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated.

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s).
The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

This book is dedicated to Shelby Morgan Brenton. Thank you for being Daddy’s little muse.
— Chris Brenton

Acknowledgments

I think that my favorite part of writing is being able to generate the acknowledgments because it gives me an opportunity to thank all of the wonderful people who have made this book possible by sharing their time and effort. Let me start by saying thank you to Guy Hart-Davis. The old text butcher himself has been a strong influence on my writing since my very first book. It’s kind of bizarre for me to think that this may be our last book project together, as Guy has moved on to other opportunities. At the very least, the offer to Guy of a few home brews on the front porch still stands. Thank you to Colleen Wheeler Strand (the Cisco Router Diva) for writing the certification chapter. Her witty style makes her material a wonderful asset to the book. Speaking of contributing authors, thanks to Andy and Kess for their great work on the design case studies. It’s great knowing guru types in the industry who have a few free clock cycles to share and teach what they know. Thanks as well to Dana Gelinas and Deb Tuttle for providing technical editing and support. It’s nice to have tech editors who can point out my stupider mistakes without picking on me too heavily about it. On a technical note, I would like to thank Tina Bird (the VPN Diva), Ron Hallam, Jim Oliver, Gene Garceau, and Geoff Shaw who each helped to contribute to the content of this book in some way, shape, or form.
While not direct contributors, each of the following individuals has had a strong influence on keeping me challenged technically and thus sharp enough to generate material that (I hope) people find useful. Thanks to Lance Spitzner who has the best security white paper sites on the net, J.D. Glaser who makes the best security tools on the planet, Stephen Northcutt with all of his great community work through SANS, Dave Elfering, Joe Prest, Kathy Hickey, William Stearns, Gerry Fowley, Alice Peal, Michael Wright, Jerry Buote, George Cybenko, and the whole Dartmouth College security crew. On a personal note, I would like to thank Sean Tangney, Chris Tuttle, Al and Maria Goodniss, Linda Catterson, Toby Miller, Sheila O’Donnell, Patricia Kennedy, and the ultimate best bud and nag, Sue Rotchford, for being cool individuals to bounce ideas off of or just to hang out with and pretend the whole computer thing never really happened. On a family note, I would like to thank my parents Al and Carolee Brenton for buying me that first computer and not shipping me off to military school. Hopefully, you feel your persistence and patience finally paid off. Thanks as well to my sister Kym and brother-in-law Brian Frasier for being very cool people and making a difference in the lives of all of the kids who are lucky enough to be around them. Thanks also to my son Skylar for showing me that some of the greatest joys in life can be found in an empty cardboard box or a roll of refrigerated cookie dough. Finally, thanks to my wonderful wife, soul mate, and best friend Andrea. The fact that you would let me turn our lives upside down again by writing a book during a pregnancy is a testimony to your sheer tolerance and fortitude. Thank you for putting up with all the long hours and multiple, half-completed house projects. This book never would have been finished without your loving support. 
— Chris Brenton

I’d like to acknowledge the Sybex team for their assistance: James Gaskin for setting the standards for what works in a technical book, Neil Edde for logistics support, Errol Robichaux for tough-minded skepticism, William Rodarmor for shouting encouragement from his director’s chair, Chris Denny for giving me a chance, and Elizabeth Campbell for keeping us all on track. An honorable mention goes to Peter Norton, whose first PC book was my Bible in exploring the digital realm. Also, thanks to my relentless son, Aaron, whose idealism never wanes, to my mercurial wife Diana, who still believes in magic, and to my parents for encouraging all my experiments. Sorry about the washing machine!
— Robert Abuhoff

Introduction

It can be argued that no company has dominated its own little portion of computer networking as completely as Cisco Systems. Market research has estimated that 70 percent of the Internet runs on Cisco hardware. This is an amazing statistic when you consider the number of manufacturers vying for market share in this arena. To put this number in perspective, imagine that seven out of every ten cars on the highway today were produced by a single car manufacturer.

Why is Cisco hardware so popular? First and foremost is reliability. In my time, I’ve installed probably hundreds of Cisco routers. Out of all of these installations, I’ve seen maybe three or four of these routers fail within the first three years. This means that when you invest in a Cisco router, you can be relatively certain that it will continue to perform for many years.

Another strength is a plethora of features. Cisco routers support a wide range of networking protocols, as well as many options. Along with the expected routing functionality, you can choose to implement packet filtering, network address translation, quality of service, and even virtual private networking.
Cisco is constantly adding new features to its router product line to make these devices even more valuable to an organization’s core infrastructure.

You also have many different router models to choose from. Cisco offers a wide range of router products that can fill the requirements of the small home office, the large WAN infrastructure, and everything in between. You can choose between models that have integrated communication ports and models that accept module cards that let you customize the router to your communication needs. If you go the module route, you can choose from routers that accept only a single module up to routers that accept as many as 16 module cards. Clearly, there is a Cisco router to fit every need.

Of course, you don’t have to learn a new set of commands as you move from the lower-end models to the top-of-the-line routers. All Cisco routers are based on the Cisco Internetwork Operating System (IOS). This means that the commands you use to manage a low-end Cisco 800 router are the same as the commands you use on the top-of-the-line Cisco 12000 (the available feature set differs between models, but not the command syntax). This helps to cut the learning curve: Knowing how to work with one router product allows you to feel comfortable when working with the rest.

Cisco routers are also easy to work with. When you purchase a Cisco router, you get a free copy of the Router Software Loader and ConfigMaker. These products make upgrading and configuring your router a simple task. For example, with ConfigMaker, you simply draw a picture of your network and the software automatically takes care of the proper configuration settings. For the more hands-on types, you can choose to configure the router through the command line or an HTML interface.

Finally, Cisco takes router performance and security very seriously. This is probably one of the main reasons that so many Internet routers have the Cisco label.
If Internet connectivity has become a critical business function, you need to know that the device providing this connectivity can do so in a reliable fashion. Cisco has proved over the years that its line of router products can do just that.

What This Book Covers

Chapter 1 starts you off with the basic technologies of network communications. We’ll look at how information is packaged and transmitted between network systems. We’ll also cover a range of connectivity options and the strengths and weaknesses of each.

In Chapter 2, you’ll learn about logical topologies. We’ll cover an assortment of LAN and WAN topologies and discuss the strengths and weaknesses of each. In particular, the discussion on Ethernet includes a good primer on how to measure and calculate your network’s performance. This can be extremely helpful when planning for your network’s growth.

Chapter 3 discusses network protocols. Included are TCP/IP, IPX, AppleTalk, and NetBIOS/NetBEUI. Since a router needs to know how to handle each of these protocols, we go into some depth on network addressing, address discovery, and transport layer services. The efficiency of each of these protocols is also compared.

Bridging and switching are the focus of Chapter 4. Since most environments that use routers will also use bridges or switches, you need a good understanding of how these devices work in order to integrate the technologies. This chapter also includes a number of design examples in which you must decide whether bridging or switching is a proper fit for the environment.

Chapter 5 covers the fundamentals of routing. We’ll look at the available options for propagating network address information throughout your infrastructure. We’ll also compare and contrast the strengths and weaknesses of each of these options. You’ll even reconsider some design examples to see when routing can control traffic more effectively than bridging and switching.

In Chapter 6, we discuss the specific routing protocols you will need to manage your network infrastructure. We consider routing protocol options for TCP/IP, IPX, AppleTalk, and NetBIOS in depth. We’ll even start looking at how routing protocols are configured on a Cisco router.

Ready to go hands-on with a Cisco router and start learning the IOS command set? Chapter 7 teaches basic operations like how to access help and how to get assistance in determining proper command syntax. For those who don’t like working with a command line interface, the HTTP interface is covered, as well.

In Chapter 8, you’ll learn how to determine which features you require when ordering your Cisco router. We’ll also cover how to go about installing the operating system on your router after it has arrived. Finally, we’ll discuss the different options available to you in loading and managing your configuration files.

Chapter 9 is all about packet filtering. You’ll learn how a packet filter works and how to use this feature to control traffic effectively. We’ll discuss standard access lists, extended access lists, and even Cisco’s new reflexive filters. We’ll close out the chapter by looking at some design examples that use packet filtering to control traffic in TCP/IP, IPX, and AppleTalk environments.

Router security is featured in Chapter 10. Because many routers live outside the protective circle of a firewall, we’ll look at all the precautionary steps you can take to make sure that your router remains secure.

In Chapter 11, you’ll learn all about virtual private networking. We’ll start by discussing the importance of authentication and encryption and how to use these technologies to build a secure tunnel between two sites. We’ll look at the options available to you in setting up a VPN and cover a design example using Cisco router hardware.

Chapter 12 discusses how best to manage your router infrastructure. Keeping tabs on the health of your routers is a critical step in ensuring that network performance remains at an optimal level. We’ll cover how to collect log entries and statistics from your routers, as well as how to perform proper backups in case the worst ever occurs.

In Chapter 13, you’ll get into the basics of network design. We’ll start by looking at a set of business requirements and follow the design process all the way through to deployment. Each design example includes the necessary router configuration files, so you can even adapt these designs to your own environment.

Chapter 14 continues with additional case studies on how to formulate a proper network design. The designs in this chapter have been generated by two other authors. This helps to spice things up a bit and gives you a different perspective on how to resolve problems through the design process.

Finally, Chapter 15 discusses Cisco certification and the options available to you. You’ll learn about the different levels of certification, as well as the requirements for each. While getting certified is not an easy process, the benefits that certification can bestow are well worth the effort.

Who Should Read This Book

With all the Cisco books on the market today, why pick up this one? While most Cisco books are specifically geared toward earning a certification, this book focuses on the individual who needs to get up to speed quickly on deploying and managing Cisco routers. So, while a CCNA book may focus on the actual router configuration and a CCDA book on design, this book melds these two topics in an attempt to give you a complete set of tools for both laying out and deploying your infrastructure.

True, you may very well be able to pass your CCNA or CCDA based on the material presented in this book. I can guarantee, however, that you will not see a sufficient number of exam questions on TFTP to make it worth the heavy coverage it has received in these pages. If, on the other hand, you are actually deploying a large number of routers, the material presented on how and when to use TFTP, as well as how to configure it on multiple operating systems, will be extremely valuable to you. The focus here is on getting the job done.

I’ve made few assumptions about the reader’s prior knowledge. This means that the book includes enough background theory to get the truly green up to speed. For those who are a bit more seasoned, feel free to skip the introductory information and get right to the meat of the book. If you’ve been assigned the task of redesigning your company’s network, you may want to jump right into the design examples to start getting a few ideas.

Chapter 1: Communication Basics

Overview

Before we can discuss routers and how they work, we first need to cover the basics. In this chapter, we will look at the fundamentals of network communications and how data is moved between systems. While the communication process is cloaked from the typical end user, a savvy network engineer must be armed with this information in order to be an effective troubleshooter.

We will start by looking at analog and digital signaling. All network communications rely on one of these transmission methods for moving information. We will then look at the kinds of problems that can occur during attempts to transmit information and how you can minimize the effects of these problems. From there, we will talk about the core infrastructure of a network. We’ll look at how systems get connected and exactly how digital or analog signaling is used to move information between systems. Finally, we’ll map out the entire process of a communication session using the OSI model as a guide, so you can better understand exactly what is occurring on your network.
Analog and Digital Transmissions

There are two ways data can be communicated:

• Through analog transmissions
• Through digital transmissions

An analog transmission is a signal that can vary either in power level (known as amplitude) or in the number of times this power level changes in a fixed period (known as frequency). An analog transmission can have a nearly infinite number of permissible values over a given range. For example, we use analog signals in order to communicate verbally. Our voice boxes vibrate the air at different frequencies and amplitudes. These vibrations are received by the eardrum and interpreted as words. Subtle changes in tone or volume can dramatically change the meaning of what we say.

Figure 1.1 shows an example of an analog transmission. Notice the amplitude each time the waveform peaks. Each of the three amplitude levels could be used to convey different information, such as alphanumeric characters. This makes for a very efficient way to communicate information, as each wave cycle can be used to convey additional information. In a perfect world, analog might be the ideal way to convey information.

Figure 1.1: An example of an analog transmission plotted over time

Note: Frequency is measured in cycles per second, or hertz (Hz). If Figure 1.1 were measured over a period of one second, it would be identified as a frequency of three cycles per second, or 3 Hz.

The problem with analog transmissions is that they are very susceptible to noise, or interference. Noise is the addition of unwanted signal information. It can result in a number of data retransmissions, slowing down the rate of information transfer. Think of having a conversation in a crowded room with lots of people talking. With all of this background noise going on, it can become difficult to distinguish between your discussion and the others taking place within the room. Data retransmissions are signaled by phrases such as “What?” and “What did you say?” This slows down the rate of information transfer.

Figure 1.2 shows an example of an analog signal in a noisy circuit. Note that it is now more difficult to determine the precise amplitude of each waveform. This can result in incorrect information being transmitted or in requiring the correct information to be resent.

Figure 1.2: An analog transmission on a noisy circuit

To the rescue come digital transmissions. Digital communications are based on the binary system: Only two pieces of information are ever transmitted, a 1 or a 0. In an electrical circuit, for example, a 0 might be represented by zero volts and a 1 by five volts; the exact voltages depend on the logic family, but only two levels are ever valid. This is radically different from analog transmissions, which can have an infinite number of possible values.

These 1s and 0s are then strung together in certain patterns to convey information. For example, the binary equivalent of the letter A (ASCII 65) is 01000001. Each individual signal or digital pulse is referred to as a bit. When eight bits are strung together (like our binary equivalent of A), it is referred to as a byte. The byte is considered to be the base unit when dealing with digital communications. Each byte relays one complete piece of information, such as the letter A.

Note: Digital communication is analogous to Morse code or the early telegraph system: Certain patterns of pulses are used to represent different letters of the alphabet.

If you examine Figure 1.3, you’ll note that our waveform has changed shape. It is no longer a free-flowing series of arcs but now follows a rigid and predictable format.

Figure 1.3: A digital transmission plotted over time

Because this waveform is so predictable and the gap between the two acceptable values is so large, it is now much easier to determine which values are being transmitted.
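The noise argument above is easy to make concrete. The following is an added example, not code from the book: it sends one ASCII byte as two-level pulses and the same number of symbols through a three-amplitude scheme like the one in Figure 1.1, adds the same constructed noise burst to both, and decodes each by picking the nearest permitted level. The 0 V / 5 V swing, the evenly spaced analog levels, and the noise values are assumptions chosen for the illustration; the point that survives is that the digital decoder has twice the noise margin.

```python
"""Added example: noise margin of two-level (digital) vs three-level (analog) signalling."""

LOGIC_LOW_V = 0.0                                   # assumed logic levels
LOGIC_HIGH_V = 5.0
THRESHOLD_V = (LOGIC_LOW_V + LOGIC_HIGH_V) / 2      # 2.5 V decision point

# Three evenly spaced amplitudes over the same swing (assumed, as in Figure 1.1).
ANALOG_LEVELS_V = [0.0, 2.5, 5.0]

# Constructed noise burst, one sample per symbol; the worst sample is +/-1.3 V.
NOISE_V = [0.9, 1.3, -1.1, -0.8, 1.0, -1.2, 0.7, -0.9]


def char_to_bits(ch):
    """ASCII 'A' -> [0, 1, 0, 0, 0, 0, 0, 1]: one byte, eight bits."""
    return [int(b) for b in format(ord(ch), "08b")]


def bits_to_char(bits):
    return chr(int("".join(str(b) for b in bits), 2))


def encode_digital(bits):
    """Map each bit to its logic voltage."""
    return [LOGIC_HIGH_V if b else LOGIC_LOW_V for b in bits]


def decode_digital(samples):
    """Slice at the midpoint: above the threshold is a 1, below it is a 0."""
    return [1 if v >= THRESHOLD_V else 0 for v in samples]


def encode_analog(symbols):
    """Map each symbol (0, 1 or 2) to one of the three amplitudes."""
    return [ANALOG_LEVELS_V[s] for s in symbols]


def decode_analog(samples):
    """Pick the nearest permitted amplitude for each sample."""
    return [min(range(len(ANALOG_LEVELS_V)), key=lambda i: abs(v - ANALOG_LEVELS_V[i]))
            for v in samples]


def add_noise(samples, noise):
    return [s + n for s, n in zip(samples, noise)]


def noise_margin_v(levels):
    """Largest noise a nearest-level decoder tolerates: half the smallest gap between levels."""
    gaps = [b - a for a, b in zip(levels, levels[1:])]
    return min(gaps) / 2


def digital_roundtrip(ch, noise=NOISE_V):
    """Send one character as 0/5 V pulses through the noisy channel and decode it."""
    received = add_noise(encode_digital(char_to_bits(ch)), noise)
    return bits_to_char(decode_digital(received))


def analog_symbol_errors(symbols, noise=NOISE_V):
    """Count symbols mis-read when the same noise hits the three-level scheme."""
    received = add_noise(encode_analog(symbols), noise)
    return sum(1 for sent, got in zip(symbols, decode_analog(received)) if sent != got)


if __name__ == "__main__":
    print("digital margin:", noise_margin_v([LOGIC_LOW_V, LOGIC_HIGH_V]), "V")
    print("analog margin: ", noise_margin_v(ANALOG_LEVELS_V), "V")
    print("digital 'A' ->", digital_roundtrip("A"))
    print("analog errors:", analog_symbol_errors([0, 1, 2, 1, 0, 2, 1, 0]))
```

With this noise the digital byte comes back intact, while the three-level scheme mis-reads the one symbol whose noise sample (1.3 V) exceeds its 1.25 V margin; packing more levels into the same swing buys capacity at the price of exactly this fragility.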
As shown in Figure 1.4, even when there is noise in the circuit, you can still see which part of the signal is a binary 1 and which part is a 0.

Figure 1.4: A digital transmission on a noisy circuit

[...]

Topologies and Cisco Routers

So what role does the physical topology play in deploying your Cisco routers? You need to determine up front what kind of physical topology you will be using in order to ensure that you order a model which supports the right type of connectors. For example, let’s say you decide to use fiber optic cables to connect your Cisco router in order to support long cable runs. Cisco routers [...]

[...] break, then you have a pretty good idea of the magnitude of what happens when you request a simple file.

Cisco Routers and the OSI Model

Since a router controls traffic at the Network layer, it is considered an OSI layer 3 device. A Cisco router does offer, however, some higher-level services. For example, a Cisco router can control traffic flow using information contained in the Transport and Session layers [...]

[...] transmission speed of 10 megabits per second (Mbps). This means that 10Mb Ethernet is capable of transferring 10,000,000 bits (or 1,250,000 bytes) from one network station to another in a one-second period of time. This is under ideal conditions, however, and your mileage may vary. Note that 10Mb does not translate into a 10-megabyte (MB) transfer rate but rather to 1.25 megabytes per second (MBps). This confusion [...]

[...] information learned through ARP requests. For example, if a few seconds later Fritz wishes to send another packet of data to Wren, he would not have to transmit a new ARP request for the router’s MAC address, as this value would be saved in memory. This memory area is referred to as the ARP cache. ARP cache entries are retained for up to 60 seconds. After that, they are typically flushed out and must again [...]

[...]
IEEE 802.14    Cable modem
IEEE 802.15    Wireless Personal Area Networks
IEEE 802.16    Broadband wireless

As a major player in the internetworking arena, Cisco has taken an active role in finalizing many of the specifications shown in Table 1.1. This not only helps to ensure that Cisco products adhere to the IEEE specifications; it also helps to ensure that support can be included as soon as a specification is ready [...]

[...] device may put you a little closer to determining which system is giving you trouble. For example, if the first three bytes are 00000C, you know you need to focus your attention on any Cisco devices on your network. The second half of the MAC address is the serial number the manufacturer has assigned to the device. One address worthy of note is FF-FF-FF-FF-FF-FF. This is referred to as a broadcast address [...]

[...] transmissions, they slow down the transfer of information even more.

Another common measurement of throughput is frame rate, or the number of frames that pass from one station to another in a one-second period of time (frames per second, or fps). Both frame rate and utilization depend directly on the size of the frames. As I mentioned earlier, a legal Ethernet frame can be anywhere from 64 [...]

Data Field Size (bytes)    Frame Rate (fps)    Bytes of Data per Second
46                x 14,881             = 684,526
238               x 4,529              = 1,077,902
494               x 2,350              = 1,160,900
1,006             x 1,197              = 1,204,182
1,500             x 813                = 1,219,500

As you can see, the frame size can make a dramatic difference in the amount of information the network is capable of transferring. Using the largest possible frame size, we can move 1.2 megabytes per second of data along the network. At the smallest frame size, this transfer rate is cut almost in half, to 685 kilobytes per second (KBps).

Note: Some of the factors that go into controlling a network’s average frame size are protocol selection and regulating the amount of broadcast traffic. A Cisco router, by default, filters out broadcasts from being propagated across a network.

So which is a better measuring [...]

[...] between the two systems. While this type of negotiation is simple and straightforward, it has a number of inherent flaws. First, if a station has nothing to say, its time slice will be wasted while the second station sits by idly, waiting to transmit additional information. Also, if the stations’ clocks are slightly different, the two systems will eventually fall out of sync and will smother each other’s [...]
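Where the frame-rate column comes from is not shown on the page. The following is an added example, not the book’s own code: it rebuilds the 10 Mbps table from the wire-time budget of one frame. The inputs it assumes, which the fragment does not state, are the standard Ethernet figures of 18 bytes of header plus FCS per frame, padding to the 64-byte minimum, and an 8-byte preamble plus 12-byte inter-frame gap per transmission. It also recomputes each row’s bytes-per-second figure as the product of its two factors, which is how to catch an arithmetic slip in a table like this: if a row’s product does not match, the table is wrong, not the arithmetic.

```python
"""Added example: 10 Mbps Ethernet frame rate and payload throughput by data-field size."""

BIT_RATE = 10_000_000          # 10 Mbps Ethernet
BYTE_RATE = BIT_RATE // 8      # 1,250,000 bytes per second on the wire

# Assumed frame budget (standard Ethernet figures, not stated on the page).
HEADER_AND_FCS = 18            # 6 dst + 6 src + 2 type/length + 4 FCS
MIN_FRAME = 64                 # shorter frames are padded up to this
MAX_FRAME = 1518               # 1,500-byte data field plus header and FCS
PREAMBLE = 8                   # 7 preamble bytes + 1 start-of-frame delimiter
INTERFRAME_GAP = 12            # 96 bit times of silence after every frame


def frame_size(data_bytes):
    """Data field plus header/FCS, padded up to the legal minimum."""
    if data_bytes < 0 or data_bytes + HEADER_AND_FCS > MAX_FRAME:
        raise ValueError("data field must be 0..1500 bytes")
    return max(MIN_FRAME, data_bytes + HEADER_AND_FCS)


def wire_bytes(data_bytes):
    """Wire time one frame consumes, in byte times, including preamble and gap."""
    return frame_size(data_bytes) + PREAMBLE + INTERFRAME_GAP


def frame_rate(data_bytes):
    """Maximum back-to-back frames per second, rounded to whole frames."""
    return round(BYTE_RATE / wire_bytes(data_bytes))


def data_throughput(data_bytes):
    """Payload bytes delivered per second at that frame rate."""
    return data_bytes * frame_rate(data_bytes)


def throughput_table(sizes=(46, 238, 494, 1006, 1500)):
    """(data field, fps, bytes of data per second) for each data-field size."""
    return [(s, frame_rate(s), data_throughput(s)) for s in sizes]


if __name__ == "__main__":
    print(f"{'data':>6} {'fps':>7} {'bytes/s':>10}")
    for data, fps, tput in throughput_table():
        print(f"{data:>6} {fps:>7,} {tput:>10,}")
```

The 46-byte row is the 64-byte minimum frame (46 + 18), and each frame rate is 1,250,000 divided by the frame’s wire footprint (84 byte times for a minimum frame, 1,538 for a maximum one), which is why throughput rises monotonically with frame size: the fixed 38 bytes of header, FCS, preamble and gap are amortized over more payload.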