config t
router rip
4. Add the network number for the networks you want to advertise. Since router Lab_A has two interfaces that are in two different networks, you must enter a network statement using the network ID of the network in which each interface resides. Alternately, you could use a summarization of these networks and use a single statement, minimizing the size of the routing table. Since the two networks are 172.16.10.0/24 and 172.16.20.0/24, the network summarization 172.16.0.0 would include both subnets. Do this by typing
network 172.16.0.0
and pressing Enter.
5. Press Ctrl+Z to get out of configuration mode.
6. The interfaces on Lab_B and Lab_C are in the 172.16.20.0/24 and 172.16.30.0/24 networks; therefore, the same summarized network statement will work there as well. Type the same commands, as shown here:
config t
router rip
network 172.16.0.0
7. Verify that RIP is running at each router by typing the following commands at each router:
show ip protocols
(Should indicate to you that RIP is present on the router.)
show ip route
(Should have routes present with an R to the left of them.)
show running-config or show run
(Should indicate that RIP is present and the networks are being advertised.)
8. Save your configurations by typing
copy run start
or
copy running-config startup-config
and pressing Enter at each router.
9. Verify the network by pinging all remote networks and hosts.
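As an added illustration (not from the book or its lab), here is a small Python model of what steps 4 and 6 rely on: the RIP network statement is classful, so the single statement network 172.16.0.0 covers every 172.16.x.x interface on Lab_A, Lab_B, and Lab_C. The interface host addresses, and the extra 10.1.1.1 LAN on Lab_C, are constructed for the example.

```python
import ipaddress

# Added example, not from the book: why one "network 172.16.0.0" statement
# under "router rip" covers every interface in 172.16.10.0/24, 172.16.20.0/24
# and 172.16.30.0/24. The RIP network command is classful: IOS reduces whatever
# you type to the class A/B/C network containing it and enables RIP on every
# interface whose address lies inside that network.


def classful_network(addr):
    """Return the class A/B/C network (ipaddress.IPv4Network) containing addr."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8          # class A: 0.0.0.0 - 127.255.255.255
    elif first_octet < 192:
        prefix = 16         # class B: 128.0.0.0 - 191.255.255.255
    elif first_octet < 224:
        prefix = 24         # class C: 192.0.0.0 - 223.255.255.255
    else:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    return ipaddress.IPv4Network((int(ip), prefix), strict=False)


def rip_enabled_interfaces(network_statements, interfaces):
    """Map each 'network' statement (as IOS stores it) to the interfaces it enables.

    interfaces: {interface name: "a.b.c.d/len"}.  Returns {classful net: [names]}.
    """
    result = {}
    for stmt in network_statements:
        net = classful_network(stmt)
        result[str(net)] = sorted(
            name for name, cidr in interfaces.items()
            if ipaddress.IPv4Interface(cidr).ip in net
        )
    return result


# Constructed addresses: the lab gives only the subnets, so host parts are assumed.
LAB_A = {"Fa0/0": "172.16.10.1/24", "Serial0/0": "172.16.20.1/24"}
LAB_B = {"Serial0/0": "172.16.20.2/24", "Serial0/1": "172.16.30.1/24"}
# Lab_C gets an extra 10.x LAN (not in the lab) to show what the statement skips.
LAB_C = {"Serial0/0": "172.16.30.2/24", "Fa0/0": "10.1.1.1/24"}

if __name__ == "__main__":
    for name, rtr in (("Lab_A", LAB_A), ("Lab_B", LAB_B), ("Lab_C", LAB_C)):
        print(name, rip_enabled_interfaces(["172.16.0.0"], rtr))
    # Typing "network 172.16.10.0" is stored as 172.16.0.0 anyway:
    print(classful_network("172.16.10.0"))
```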
Review Questions
The following questions are designed to test your understanding of this chapter's material. For more information on how to get additional questions, please see www.lammle.com/ccna.
You can find the answers to these questions in Appendix B, “Answers to Review Questions.”
1. What command was used to generate the following output?
Codes: L - local, C - connected, S - static,
[output cut]
10.0.0.0/8 is variably subnetted, 6 subnets, 4 masks
C 10.0.0.0/8 is directly connected, FastEthernet0/3
L 10.0.0.1/32 is directly connected, FastEthernet0/3
C 10.10.0.0/16 is directly connected, FastEthernet0/2
L 10.10.0.1/32 is directly connected, FastEthernet0/2
C 10.10.10.0/24 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 is directly connected, FastEthernet0/0
2. You are viewing the routing table and you see an entry 10.1.1.1/32. What legend code would you expect to see next to this route?
A. C
B. L
C. S
D. D
3. Which of the following statements are true regarding the command ip route 172.16.4.0 255.255.255.0 192.168.4.2? (Choose two.)
A. The command is used to establish a static route.
B. The default administrative distance is used.
C. The command is used to configure the default route.
D. The subnet mask for the source address is 255.255.255.0.
E. The command is used to establish a stub network.
4. What destination addresses will be used by HostA to send data to the HTTPS server as shown in the following network? (Choose two.)
A. The IP address of the switch
B. The MAC address of the remote switch
C. The IP address of the HTTPS server
D. The MAC address of the HTTPS server
E. The IP address of RouterA's Fa0/0 interface
F. The MAC address of RouterA's Fa0/0 interface
5. Using the output shown, what protocol was used to learn the MAC address for 172.16.10.1?
Interface: 172.16.10.2 --- 0x3
  Internet Address      Physical Address      Type
  172.16.10.1           00-15-05-06-31-b0     dynamic
A. ICMP
B. ARP
C. TCP
D. UDP
6. Which of the following is called an advanced distance-vector routing protocol?
A. OSPF
B. EIGRP
C. BGP
D. RIP
7. When a packet is routed across a network, the _________________ in the packet changes at every hop while the __________ does not.
A. MAC address, IP address
B. IP address, MAC address
C. Port number, IP address
D. IP address, port number
8. Which statements are true regarding classless routing protocols? (Choose two.)
A. The use of discontiguous networks is not allowed.
B. The use of variable length subnet masks is permitted.
C. RIPv1 is a classless routing protocol.
D. IGRP supports classless routing within the same autonomous
system.
E. RIPv2 supports classless routing.
9. Which two of the following are true regarding the distance-vector and link-state routing protocols? (Choose two.)
A. Link state sends its complete routing table out of all active
interfaces at periodic time intervals.
B. Distance vector sends its complete routing table out of all active
interfaces at periodic time intervals.
C. Link state sends updates containing the state of its own links to all
routers in the internetwork.
D. Distance vector sends updates containing the state of its own links
to all routers in the internetwork.
10. When a router looks up the destination in the routing table for every single packet, it is called _____________.
A. dynamic switching
B. fast switching
C. process switching
D. Cisco Express Forwarding
11. What type(s) of route is the following? (Choose all that apply.)
S* 0.0.0.0/0 [1/0] via 172.16.10.5
A. Default
B. Subnetted
C. Static
D. Local
12. A network administrator views the output from the show ip route command. A network that is advertised by both RIP and EIGRP appears in the routing table flagged as an EIGRP route. Why is the RIP route to this network not used in the routing table?
A. EIGRP has a faster update timer.
B. EIGRP has a lower administrative distance.
C. RIP has a higher metric value for that route.
D. The EIGRP route has fewer hops.
E. The RIP path has a routing loop.
13. Which of the following is not an advantage of static routing?
A. Less overhead on the router CPU
B. No bandwidth usage between routers
C. Adds security
D. Recovers automatically from lost routes
14. What metric does RIPv2 use to find the best path to a remote network?
A. Hop count
B. MTU
C. Cumulative interface delay
D. Load
E. Path bandwidth value
15. The Corporate router receives an IP packet with a source IP address of 192.168.214.20 and a destination address of 192.168.22.3. Looking at the output from the Corp router, what will the router do with this packet?
Corp#sh ip route
[output cut]
R 192.168.215.0 [120/2] via 192.168.20.2, 00:00:23, Serial0/0
R 192.168.115.0 [120/1] via 192.168.20.2, 00:00:23, Serial0/0
R 192.168.30.0 [120/1] via 192.168.20.2, 00:00:23, Serial0/0
C 192.168.20.0 is directly connected, Serial0/0
C 192.168.214.0 is directly connected, FastEthernet0/0
A. The packet will be discarded.
B. The packet will be routed out of the S0/0 interface.
C. The router will broadcast looking for the destination.
D. The packet will be routed out of the Fa0/0 interface.
16. If your routing table has a static, an RIP, and an EIGRP route to the same network, which route will be used to route packets by default?
A. Any available route
B. RIP route
C. Static route
D. EIGRP route
E. They will all load-balance.
17. Which of the following is an EGP?
A. RIPv2
B. EIGRP
C. BGP
D. RIP
18. Which of the following is an advantage of static routing?
A. Less overhead on the router CPU
B. No bandwidth usage between routers
C. Adds security
D. Recovers automatically from lost routes
19. What command produced the following output?
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Serial0/0/0            172.16.10.2     YES manual up                    up
Serial0/0/1            unassigned      YES unset  administratively down down
A. show ip route
B. show interfaces
C. show ip interface brief
D. show ip arp
20. What does the 150 at the end of the following command mean?
Router(config)#ip route 172.16.3.0 255.255.255.0 192.168.2.4 150
A. Metric
B. Administrative distance
C. Hop count
D. Cost
Chapter 10
Layer 2 Switching
THE FOLLOWING ICND1 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
2.0 LAN Switching Technologies
2.1 Describe and verify switching concepts
2.1.a MAC learning and aging
2.1.b Frame switching
2.1.c Frame flooding
2.1.d MAC address table
2.7 Configure, verify, and troubleshoot port security
2.7.a Static
2.7.b Dynamic
2.7.c Sticky
2.7.d Max MAC addresses
2.7.e Violation actions
2.7.f Err-disable recovery
When people at Cisco discuss switching in regards to the Cisco exam objectives, they’re talking about layer 2 switching unless they say otherwise. Layer 2 switching is the process of using the hardware address of devices on a LAN to segment a network. Since you’ve got the basic idea of how that works nailed down by now, we’re going to dive deeper into the particulars of layer 2 switching to ensure that your concept of how it works is solid and complete.
You already know that we rely on switching to break up large collision domains into smaller ones and that a collision domain is a network segment with two or more devices sharing the same bandwidth. A hub network is a typical example of this type of technology. But since each port on a switch is actually its own collision domain, we were able to create a much better Ethernet LAN network by simply replacing our hubs with switches!
Switches truly have changed the way networks are designed and implemented. If a pure switched design is properly implemented, it absolutely will result in a clean, cost-effective, and resilient internetwork. In this chapter, we’ll survey and compare how networks were designed before and after switching technologies were introduced.
I’ll be using three switches to begin our configuration of a switched network, and we’ll actually continue with their configurations in Chapter 11, “VLANs and Inter-VLAN Routing.”
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book's web page at www.sybex.com/go/ccna.
Switching Services
Unlike old bridges, which used software to create and manage a Content Addressable Memory (CAM) filter table, our new, fast switches use application-specific integrated circuits (ASICs) to build and maintain their MAC filter tables. But it’s still okay to think of a layer 2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains.
Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to either forward, flood, or drop the frame.
Unlike hubs, switches create private, dedicated collision domains and provide independent bandwidth on each port.
Here’s a list of four important advantages we gain when using layer 2 switching:
Hardware-based bridging (ASICs)
Wire speed
Low latency
Low cost
A big reason layer 2 switching is so efficient is that no modification to the data packet takes place. The device only reads the frame encapsulating the packet, which makes the switching process considerably faster and less error-prone than routing processes are.
And if you use layer 2 switching for both workgroup connectivity and network segmentation (breaking up collision domains), you can create more network segments than you can with traditional routed networks. Plus, layer 2 switching increases bandwidth for each user because, again, each connection, or interface into the switch, is its own, self-contained collision domain.
Three Switch Functions at Layer 2
There are three distinct functions of layer 2 switching that are vital for you to remember: address learning, forward/filter decisions, and loop avoidance.
Address learning Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called a forward/filter table.
Forward/filter decisions When a frame is received on an interface, the switch looks at the destination hardware address, then chooses the appropriate exit interface for it in the MAC database. This way, the frame is only forwarded out of the correct destination port.
Loop avoidance If multiple connections between switches are created for redundancy purposes, network loops can occur. Spanning Tree Protocol (STP) is used to prevent network loops while still permitting redundancy.
Next, I’m going to talk about address learning and forward/filtering decisions. Loop avoidance is beyond the scope of the objectives being covered in this chapter.
Address Learning
When a switch is first powered on, the MAC forward/filter table (CAM) is empty, as shown in Figure 10.1.
FIGURE 10.1 Empty forward/filter table on a switch
When a device transmits and an interface receives a frame, the switch places the frame’s source address in the MAC forward/filter table, allowing it to refer to the precise interface the sending device is located on. The switch then has no choice but to flood the network with this frame out of every port except the source port because it has no idea where the destination device is actually located.
If a device answers this flooded frame and sends a frame back, then the switch will take the source address from that frame and place that MAC address in its database as well, associating this address with the interface that received the frame. Because the switch now has both of the relevant MAC addresses in its filtering table, the two devices can now make a point-to-point connection. The switch doesn’t need to flood the frame as it did the first time because now the frames can and will only be forwarded between these two devices. This is exactly why layer 2 switches are so superior to hubs. In a hub network, all frames are forwarded out all ports every time—no matter what. Figure 10.2 shows the processes involved in building a MAC database.
FIGURE 10.2 How switches learn hosts’ locations
In this figure, you can see four hosts attached to a switch. When the switch is powered on, it has nothing in its MAC address forward/filter table, just as in Figure 10.1. But when the hosts start communicating, the switch places the source hardware address of each frame into the table along with the port that the frame’s source address corresponds to.
Let me give you an example of how a forward/filter table is populated using Figure 10.2:
1. Host A sends a frame to Host B. Host A’s MAC address is 0000.8c01.000A; Host B’s MAC address is 0000.8c01.000B.
2. The switch receives the frame on the Fa0/0 interface and places the source address in the MAC address table.
3. Since the destination address isn’t in the MAC database, the frame is forwarded out all interfaces except the source port.
4. Host B receives the frame and responds to Host A. The switch receives this frame on interface Fa0/1 and places the source hardware address in the MAC database.
5. Host A and Host B can now make a point-to-point connection and only these specific devices will receive the frames. Hosts C and D won’t see the frames, nor will their MAC addresses be found in the database because they haven’t sent a frame to the switch yet.
If Host A and Host B don’t communicate to the switch again within a certain time period, the switch will flush their entries from the database to keep it as current as possible.
Forward/Filter Decisions
When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out of the appropriate exit interface. The switch won’t transmit the frame out any interface except for the destination interface, which preserves bandwidth on the other network segments. This process is called frame filtering.
But if the destination hardware address isn’t listed in the MAC database, then the frame will be flooded out all active interfaces except the interface it was received on. If a device answers the flooded frame, the MAC database is then updated with the device’s location—its correct interface.
If a host or server sends a broadcast on the LAN, by default, the switch will flood the frame out all active ports except the source port. Remember, the switch creates smaller collision domains, but it’s always still one large broadcast domain by default.
In Figure 10.3, Host A sends a data frame to Host D. What do you think the switch will do when it receives the frame from Host A?
FIGURE 10.3 Forward/filter table
Let’s examine Figure 10.4 to find the answer.
FIGURE 10.4 Forward/filter table answer
Since Host A’s MAC address is not in the forward/filter table, the switch will add the source address and port to the MAC address table, then forward the frame to Host D. It’s really important to remember that the source MAC is always checked first to make sure it’s in the CAM table. After that, if Host D’s MAC address wasn’t found in the forward/filter table, the switch would’ve flooded the frame out all ports except for port Fa0/3 because that’s the specific port the frame was received on.
Now let’s take a look at the output that results from using a show mac address-table command:
Switch#sh mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1       0005.dccb.d74b    DYNAMIC     Fa0/1
1       000a.f467.9e80    DYNAMIC     Fa0/3
1       000a.f467.9e8b    DYNAMIC     Fa0/4
1       000a.f467.9e8c    DYNAMIC     Fa0/3
1       0010.7b7f.c2b0    DYNAMIC     Fa0/3
1       0030.80dc.460b    DYNAMIC     Fa0/3
1       0030.9492.a5dd    DYNAMIC     Fa0/1
1       00d0.58ad.05f4    DYNAMIC     Fa0/1
But let’s say the preceding switch received a frame with the following MAC addresses:
Source MAC: 0005.dccb.d74b
Destination MAC: 000a.f467.9e8c
How will the switch handle this frame? The right answer is that the destination MAC address will be found in the MAC address table and the frame will only be forwarded out Fa0/3. Never forget that if the destination MAC address isn’t found in the forward/filter table, the frame will be forwarded out all of the switch’s ports except for the one on which it was originally received in an attempt to locate the destination device.
Now that you can see the MAC address table and how switches add host addresses to the forward/filter table, how do you think we can secure it from unauthorized users?
Port Security
It’s usually not a good thing to have your switches available for anyone to just plug into and play around with. I mean, we worry about wireless security, so why wouldn’t we demand switch security just as much, if not more?
But just how do we actually prevent someone from simply plugging a host into one of our switch ports—or worse, adding a hub, switch, or access point into the Ethernet jack in their office? By default, MAC addresses will just dynamically appear in your MAC forward/filter database and you can stop them in their tracks by using port security!
Figure 10.5 shows two hosts connected to the single switch port Fa0/3 via either a hub or access point (AP).
FIGURE 10.5 “Port security” on a switch port restricts port access by MAC address.
Port Fa0/3 is configured to observe and allow only certain MAC addresses to associate with the specific port, so in this example, Host A is denied access, but Host B is allowed to associate with the port.
By using port security, you can limit the number of MAC addresses that can be assigned dynamically to a port, set static MAC addresses, and—here’s my favorite part—set penalties for users who abuse your policy! Personally, I like to have the port shut down when the security policy is violated. Making abusers bring me a memo from their boss explaining why they violated the security policy brings with it a certain poetic justice, which is nice. And I’ll also require something like that before I’ll enable their port again. Things like this really seem to help people remember to behave!
This is all good, but you still need to balance your particular security needs with the time that implementing and managing them will realistically require. If you have tons of time on your hands, then go ahead and seriously lock your network down vault-tight! If you’re busy like the rest of us, I’m here to reassure you that there are ways to secure things nicely without being totally overwhelmed with a massive amount of administrative overhead. First, and painlessly, always remember to shut down unused ports or assign them to an unused VLAN. All ports are enabled by default, so you need to make sure there’s no access to unused switch ports!
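Pulling together the address-learning, forward/filter, and port-security behavior described in this section, here is an added Python model of a switch's MAC table (not from the book). It replays the frame from the show mac address-table example and enforces a one-MAC limit with the shutdown violation action; the port names, the 300-second aging default, and the one-MAC limit are assumptions made for the example.

```python
import time

# Added example, not from the book: a minimal model of the layer 2 switch
# behaviour described above. Learn the source MAC on the ingress port, forward
# a known destination out one port, flood unknown or broadcast destinations
# out every other port, age entries out (300 s is the Cisco default), and
# enforce a port-security MAC limit with the shutdown (err-disable) action.
BROADCAST = "ffff.ffff.ffff"

class Switch:
    def __init__(self, ports, aging_secs=300):
        self.ports = list(ports)      # e.g. ["Fa0/1", "Fa0/2", ...] (assumed names)
        self.table = {}               # mac -> (port, last_seen)
        self.aging = aging_secs
        self.max_macs = {}            # port -> allowed number of learned MACs
        self.err_disabled = set()     # ports shut down by a violation

    def port_security(self, port, maximum):
        """Allow at most `maximum` MACs on `port`; a violation shuts it down."""
        self.max_macs[port] = maximum

    def _age(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    def receive(self, port, src, dst, now=None):
        """Process one frame; return the list of egress ports (may be empty)."""
        now = time.time() if now is None else now
        self._age(now)
        if port in self.err_disabled:
            return []
        # Address learning comes first: the source MAC is always checked.
        on_port = {m for m, (p, _) in self.table.items() if p == port}
        limit = self.max_macs.get(port)
        if limit is not None and src not in on_port and len(on_port) >= limit:
            self.err_disabled.add(port)   # violation action: shutdown
            return []
        self.table[src] = (port, now)
        # Forward/filter decision on the destination MAC.
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst][0]
            return [] if out == port else [out]   # filter: stays on its own segment
        return [p for p in self.ports if p != port]   # flood

# Entries from the show mac address-table output earlier in the chapter.
BOOK_TABLE = [
    ("0005.dccb.d74b", "Fa0/1"), ("000a.f467.9e80", "Fa0/3"),
    ("000a.f467.9e8b", "Fa0/4"), ("000a.f467.9e8c", "Fa0/3"),
    ("0010.7b7f.c2b0", "Fa0/3"), ("0030.80dc.460b", "Fa0/3"),
    ("0030.9492.a5dd", "Fa0/1"), ("00d0.58ad.05f4", "Fa0/1"),
]

def book_example():
    """Frame from 0005.dccb.d74b to 000a.f467.9e8c goes out Fa0/3 only."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    for mac, port in BOOK_TABLE:
        sw.receive(port, mac, BROADCAST, now=0)
    return sw.receive("Fa0/1", "0005.dccb.d74b", "000a.f467.9e8c", now=1)
```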
Here are your options for configuring port security:
Switch#