
TCP / IP Protocol.



Presentation on theme: "TCP / IP Protocol." Presentation transcript:

1 TCP / IP Protocol

2 TCP/IP compared with the OSI model
OSI layer(s)                              TCP/IP layer
Application / Presentation / Session      Application layer
Transport                                 TCP and UDP protocols
Network                                   Network layer, IP protocol
Data link                                 Network interface protocol
Physical                                  Physical network

3 TCP/IP structure
TELNET  FTP  SMTP  DNS  TFTP
TCP  UDP
ICMP  IP  ARP  RARP
Network interface protocol

4 TCP/IP application layer
DNS       Domain Name Service                TCP, UDP   53
SMTP      Simple Mail Transport Protocol     TCP
FTP-Data  File Transfer Protocol / Data      TCP        20 & >1023
FTP       File Transfer Protocol             TCP
Telnet                                       TCP
NNTP      Network News Transport Protocol    TCP
HTTP      Hypertext Transport Protocol       TCP

5 TCP/IP transport layer
TCP protocol:
  Reliable data transfer
  Connection-oriented virtual circuit
  Buffered transfer
  Resequencing
  Multiplexing
  Efficient, full-duplex transmission
  Flow control
UDP protocol: provides connectionless datagram operation

6 TCP/IP Internet layer
IP (Internet Protocol):
  Connectionless, unreliable delivery service
  Packet fragmentation and reassembly
  Routing functions
ICMP: Internet Control Message Protocol
ARP: Address Resolution Protocol
RARP: Reverse Address Resolution Protocol
InARP: Inverse Address Resolution Protocol

7 How a Switch Works

8 1. The switch concept
LAN switches are used to interconnect multiple LAN segments. They provide dedicated, collision-free communication between network devices while supporting conversations between several pairs of devices at the same time.
A segment with only a few users is called a microsegment. Microsegmentation allows dedicated segments in which each segment has a single user; that user gets immediate access to the full bandwidth and no collisions occur. A LAN switch is a layer 2 device used to solve bandwidth problems. More recently, LAN switches have come to involve several OSI layers and carry protocols for handling high-bandwidth applications.

9 2. How VLAN switching works
1. LAN switches function much like transparent bridges:
(1) When a switch is powered on, it learns the network topology by analyzing the source addresses of the frames arriving from all adjacent networks. For example, if the switch receives a frame from host A on link 1, it infers that host A can be reached through link 1. Through this process it builds a table.
[Figure: the learned table, with columns for network number and host address per link]
(2) The switch forwards based on this table. When a frame arrives on one of its ports, the switch looks up the frame's destination address in its internal table. If the table contains the destination address, the frame is sent out the indicated port.
(3) If no association is found, the frame is flooded to every port except the one it arrived on.
2. Beyond topology learning, forwarding and filtering, LAN switches offer unique new functions: dedicated device-to-device communication, multiple concurrent sessions and full-duplex communication.

10 3. LAN switch forwarding
LAN switches use two main forwarding methods.
Store-and-forward: the LAN switch copies the entire frame into its inbound buffer and computes a cyclic redundancy check (CRC). If there is a CRC error, or the frame is a runt (smaller than 64 bytes including the CRC) or a giant (larger than 1518 bytes including the CRC), the frame is discarded. If the frame has no errors, the switch looks up the destination address to determine the outgoing interface and forwards the frame toward its destination.
Cut-through: the LAN switch copies only the destination address (the 6 bytes that follow the preamble) into the inbound buffer, looks the destination up in its switching table, determines the outgoing interface and forwards the frame. Because forwarding starts as soon as the destination address has been read and the outbound interface determined, latency is reduced.
Some switches can be configured per port to start in cut-through mode and to change automatically to store-and-forward when a user-defined error threshold is reached; once the error rate falls back below the threshold, the port returns to cut-through.
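As an added example (not part of the original presentation), the following Python simulation models what slides 9 and 10 describe: a switch that learns source addresses, then forwards, filters or floods each frame, and that in store-and-forward mode validates the whole frame (runt, giant, CRC) before forwarding, while a cut-through port counts errors and falls back to store-and-forward at a user-defined limit. The frame layout, the MAC addresses and the error limit are constructed for the demonstration.

```python
import zlib

# Ethernet limits used by store-and-forward switches (lengths include the 4-byte CRC).
MIN_FRAME = 64
MAX_FRAME = 1518


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed frame: 6-byte destination, 6-byte source, 2-byte type, payload, CRC-32."""
    body = dst + src + b"\x08\x00" + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def check_frame(frame: bytes):
    """Store-and-forward validation: returns (ok, reason) for runts, giants and CRC errors."""
    if len(frame) < MIN_FRAME:
        return False, "runt"
    if len(frame) > MAX_FRAME:
        return False, "giant"
    body, crc = frame[:-4], frame[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != crc:
        return False, "crc"
    return True, "ok"


class LearningSwitch:
    """Transparent-bridge style switch: learns source addresses, then forwards, filters or floods."""

    def __init__(self, ports, cut_through=False, error_limit=3):
        self.ports = list(ports)
        self.mode = {p: "cut-through" if cut_through else "store-and-forward" for p in ports}
        self.errors = {p: 0 for p in ports}   # per-port error count for adaptive switching
        self.error_limit = error_limit
        self.table = {}                        # MAC address -> port, learned from source addresses

    def receive(self, in_port, frame):
        """Return the list of ports the frame is sent to; [] means dropped or filtered."""
        ok, _reason = check_frame(frame)
        if self.mode[in_port] == "store-and-forward" and not ok:
            return []                          # whole frame buffered and checked first: discard bad frames
        if self.mode[in_port] == "cut-through" and not ok:
            # Cut-through has already started forwarding after reading the 6-byte destination,
            # so the bad frame goes out; the port counts the error and falls back to
            # store-and-forward once the user-defined limit is reached.
            self.errors[in_port] += 1
            if self.errors[in_port] >= self.error_limit:
                self.mode[in_port] = "store-and-forward"
        dst, src = frame[:6], frame[6:12]
        self.table[src] = in_port              # learn: the source is reachable via the input port
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]   # filter if same segment, else forward
        return [p for p in self.ports if p != in_port]  # unknown destination: flood


def demo():
    """Walks the three behaviours the slides describe: flood, learned forward, discard."""
    sw = LearningSwitch(["e1", "e2", "e3"])
    host_a, host_b = b"\xaa" * 6, b"\xbb" * 6   # constructed MAC addresses
    flooded = sw.receive("e1", build_frame(host_b, host_a, b"x" * 50))   # 68 bytes, valid
    learned = sw.receive("e2", build_frame(host_a, host_b, b"y" * 50))
    dropped = sw.receive("e2", build_frame(host_a, host_b, b"z" * 10))   # 28 bytes: a runt
    return flooded, learned, dropped


if __name__ == "__main__":
    print(demo())
```

A cut-through port lets a corrupted frame through until its error counter reaches the limit, which is exactly the trade-off the slide's adaptive mode is meant to bound.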

11 Basic router functions and roles (4)
Regional network: the router's main roles are network connection and route selection, that is, connecting the lower-level base network units (campus networks) and forwarding data between those lower-level networks.
Campus network: the router's main role is to separate subnets. Each subnet is logically independent, and the router is the only device that can separate them; it forwards packets between subnets and isolates broadcasts, while the router at the boundary connects to the upper-level network.

12 IP Address Classes and Planning

13 TCP/IP Address Overview

14 Introduction
TCP/IP addressing allows only workstations with unique addresses to communicate; routing is based on location.
[Figure: a UNIX host at Company A and a UNIX host at Company B connected through the TCP/IP Internet; routing is based on location, and a location is represented by an address]
In a TCP/IP environment, end stations communicate seamlessly with servers or other end stations. This communication occurs because each node using the TCP/IP protocol suite has a unique 32-bit logical address. Often traffic is forwarded through the internetwork based on the name of an organization, rather than an individual person or host. If names are used instead of addresses, the names must be translated to the numeric address before the traffic can be delivered. The location of the organization dictates the path that the data follows through the internetwork. Each company listed on the internetwork is seen as a single network that must be reached before an individual host within that company can be contacted. Each company network has an address; the hosts that populate that network share those same bits, but each host is identified by the uniqueness of the remaining bits.

15 IP address
172 . 16 . 122 . 204   (Network | Host; 32 bits in total, 8 bits per octet)
The IP address is 32 bits in length and has two parts: the network number and the host number. The address format is known as dotted-decimal notation; an example address is shown above. Each bit in an octet has a binary weight (128, ..., 4, 2, 1). The minimum value for an octet is 0 (all zeros); the maximum value is 255 (all ones). The allocation of addresses is managed by a central authority.

16 IP address classes
Class A: N H H H
Class B: N N H H
Class C: N N N H
Class D: for multicast
Class E: for research
When IP was first developed, there were no classes of addresses. Now, for ease of administration, the IP addresses are broken up into classes. There are only 126 Class A address spaces, but each one can contain approximately 16 million hosts. There are 65,534 Class B address spaces with 65,534 hosts each. There are more than 16 million Class C address spaces possible, but they only have 254 hosts each. This scheme allows the administrative authority to assign addresses based on the size of the network. That authority designed this system on the assumption that there would be many more small networks than large networks in the world. Note: Class D and E addresses are also defined. Class D addresses start at and are used for multicast purposes. Class E addresses start at and are used for experimental purposes.
N = Network number assigned by NIC; H = Host number assigned by the network administrator

17 IP address bits
Class A: leading bit 0, 7 network bits, 24 host bits
Class B: leading bits 10, 14 network bits, 16 host bits
Class C: leading bits 110, 21 network bits, 8 host bits
The most significant bit pattern determines the class of the address, as well as how many bits make up the network portion of the address. Class A addresses include: range of network numbers: to ; number of host addresses: 16,777,214. Class B addresses include: range of network numbers: to ; number of host addresses: 65,534. Class C addresses include: range of network numbers: to ; number of host addresses: 254. Class D addresses include: range of network numbers: to .

18 Identifying the IP address class (first octet)
High-order bits   First octet in decimal   Address class
0                 1-126                    A
10                                         B
110                                        C
The first octet rule states that the class of an address can be determined by the numerical value of the first octet. Once the first octet rule is applied, the router identifies how many bits it must match to interpret the network portion of the address (based on the standard address class). If there is no further identification of additional bits to use as part of the network address, the router can make a routing decision using this address.

19 Exercise: IP address classes
Address     Class   Network     Host
10.2.1.1    A       10.0.0.0
The remaining answers on the slide, whose addresses are not in the transcript, are B, C, C, B and Nonexistent.
Written Exercise: IP Address Classes. Objective: describe the different classes of IP addresses. Write the address class (A, B, or C), the network number and the host number for each IP address listed in the table.
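The first-octet rule and the network/host split from slides 17 to 19, as an added Python example that is not part of the original presentation. It classifies an address by the leading bits of its first octet, applies the default classful mask to separate the network number from the host number, and reports the usable host count per class; treating a first octet of 0 or 127 as "Nonexistent" follows the wording of the exercise and is this example's choice.

```python
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
HOST_BITS = {"A": 24, "B": 16, "C": 8}


def to_int(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def address_class(dotted: str) -> str:
    """First-octet rule: the leading bit pattern of the first octet decides the class."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"       # 0xxxxxxx
    if first >> 6 == 0b10:
        return "B"       # 10xxxxxx
    if first >> 5 == 0b110:
        return "C"       # 110xxxxx
    if first >> 4 == 0b1110:
        return "D"       # 1110xxxx, multicast
    return "E"           # 1111xxxx, experimental


def host_capacity(cls: str) -> int:
    """Usable hosts per network: all-zeros (the wire) and all-ones (broadcast) are reserved."""
    return 2 ** HOST_BITS[cls] - 2


def classify(dotted: str) -> dict:
    """Split an address into class, network number and host number using the default mask."""
    cls = address_class(dotted)
    first = to_int(dotted) >> 24
    if cls in ("D", "E"):
        return {"class": cls, "network": None, "host": None}   # no network/host split
    if first in (0, 127):
        # Outside the slide's Class A range of 1-126 (127 is reserved for loopback);
        # labelled "Nonexistent" here to match the exercise's answer key wording.
        return {"class": "Nonexistent", "network": None, "host": None}
    addr, mask = to_int(dotted), to_int(DEFAULT_MASK[cls])
    return {"class": cls,
            "network": to_dotted(addr & mask),
            "host": to_dotted(addr & ~mask & 0xFFFFFFFF)}


if __name__ == "__main__":
    for a in ("10.2.1.1", "172.16.122.204", "201.222.5.120", "224.0.0.1", "127.0.0.1"):
        print(a, classify(a))
```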

20 IP Address Planning

21 Host address
[Figure: a router with interfaces E0 and E1, each with an IP address, and a routing table listing network and interface; the address 172.16.12.12 is shown split into Network and Host]
Each device or interface must have a nonzero host number. A host address of all ones is reserved for an IP broadcast into that network. A value of zero means "this network" or "the wire itself" (for example, ). It was also used for IP broadcasts in some early TCP/IP implementations, although it is rarely found now. The routing table contains entries for network or wire addresses; it usually does not contain any information about hosts. An IP address and subnet address on an interface achieve three purposes: it enables the system to process the receipt and transmission of packets; it specifies the device's local address; it specifies a range of addresses that share the cable with the device.

22 Addresses without subnets
[Figure: network 172.16.0.0 seen as a single cloud, 172.16.0.0]
For an address without subnets, the outside world sees the organization as a single network, and no detailed knowledge of our internal structure is required. All datagrams addressed to are treated the same way, regardless of the third and fourth octet of the address. A benefit of this addressing scheme can be the relatively short routing tables that routers can use. Network addressing with the scheme we have set up so far has no way of distinguishing individual segments (wires) within the network. Inside the cloud, having no subnets, we have a single large broadcast domain: all systems on the network encounter all the broadcasts on the network. This addressing scheme can result in relatively poor network performance. By default, this Class B address space defines one wire with 65,000 workstations on it. What is needed is a way to divide this wire into segments.

23 Addresses with subnets
[Figure: network 172.16.0.0 divided into subnets such as 172.16.1.0 and 172.16.2.0]
With subnets, the network address use is more efficient. There is no change to how the outside world sees the network, but within the organization, there is additional structure. In the example, the network is subdivided or broken up into four subnets, , , , and . Routers determine the destination network using the subnet address, limiting the amount of traffic on the other network segments.

24 Subnet address
[Figure: a router with interfaces E0 and E1 and a routing table listing network and interface; the address 172.16.2.160 is shown split into Network, Subnet and Host]
From the addressing standpoint, subnets are an extension of the network number. Network administrators decide the size of subnets based on organization and growth needs. Network devices use subnet masks to identify which part of the address is considered network and which remaining part to leave for host addressing.

25 Subnet mask
[Figure: IP address 172.16.x.x with default subnet mask 255.255.x.x (Network | Host), and an 8-bit subnet mask 255.255.255.x that uses host bits starting at the high-order bit position (Network | Subnet | Host)]
An IP address is 32 bits in size, written as four octets. The subnet mask is 32 bits in size, written as four octets. The layout of the subnet mask field is as follows: binary 1 for the network bits, binary 1 for the subnet bits, binary 0 for the host bits. Subnet masks indicate which of the bits in the host field are used to specify different parts (subnets) of a particular network.

26 Decimal equivalents of bit patterns
[Figure: binary bit patterns and their decimal values: 128, 192, 224, 240, 248, 252, 254, 255]
Subnet bits come from the high-order bits of the host field. To determine a subnet mask for an address, add up the decimal values of each position that has a 1 in it. For example, 224 = . Because the subnet mask is not defined by the octet boundary, but by bits, we need to convert dotted-decimal addresses to binary and back into dotted-decimal so we can work with these addresses.

27 Subnet mask with no subnets
[Figure: 172.16 | Network | Host, with the default mask and no subnets]
The router extracts the IP destination address from the packet and retrieves the internal subnet mask. The router performs a logical AND operation to obtain the network number. During the logical AND operation, the host portion of the destination address is removed. Routing decisions are then based on the network number only. In this example, with no subnetting, the network number extracted is .

28 Subnet mask with subnets
[Figure: 172.16.2 | Network | Subnet | Host; the network number is extended by 8 bits]
With eight bits of subnetting, the extracted network (subnet) number is . This sample shows more bits turned on, extending the network portion and creating a secondary field extending from the end of the standard mask and using eight of the host bits. This secondary field is the subnet field and is used to represent wires (or subnetworks) inside the network.

29 Exercise: subnet masks
Address | Subnet mask | Class | Subnet
The classes given as answers on the slide are B, A and B; the addresses and masks are not in the transcript.
Written Exercise: Subnet Masks. Objective: extract network information and prepare to configure IP addresses. Use the IP address to perform a logical AND with the subnet mask to determine the subnet number. Write the address class and subnet number in the table.

30 Subnet planning: 20 subnets, 5 hosts per subnet, Class C address 201.222.5.0, plus other subnets
In this example, the network has been assigned a Class C address of . Assume 20 subnets are needed, with 5 hosts per subnet. We need to subdivide the last octet into a subnet and a host portion and determine what the subnet mask will be. Select a subnet field size that yields enough subnetworks. In this example, choosing a 5-bit mask allows 20 subnets. In the example, the subnet addresses are all multiples of 8, such as , , and . The remaining bits in the last octet are used for the host field. The three bits of our example allow enough hosts to cover the required five hosts per wire. The host numbers will be 1, 2, 3, and so forth. The final host addresses are a combination of the network/subnet "wire" starting address plus each host value. The hosts on the subnet would be addressed as , , , and so forth. A host number of zero is reserved for the "wire" address, and a host value of all ones is reserved because it selects all hosts, a broadcast. A table used for the subnet planning example is on the following page; also, a routing sample shows the combining of an arriving IP address with the subnet mask to derive the subnet number. The extracted subnet number should be typical of the subnets generated during this planning exercise.

31 Class B subnetting example: subnet address = 172.16.2.0
IP host address: ; subnet mask: ; Network | Subnet | Host; /8; subnet: 172.16.2
This network has eight bits of subnetting that provide up to 254 subnets and 254 host addresses.
[Table: number of bits, subnet mask, number of subnets, number of hosts; the values are not recoverable from the transcript]
Subnet address = ; host address = ; broadcast address = (eight-bit subnet)

32 Class C example
IP host address: ; subnet mask: ; Network | Subnet | Host; /5; subnet: 201.222.5.120
In this example, a Class C network is subnetted to provide 6 host addresses and 30 subnets.
[Table: number of bits, subnet mask, number of subnets, number of hosts; the values are not recoverable from the transcript]
Subnet address = ; host address = ; broadcast address = (5-bit subnet)

33 Broadcasts
[Figure: a directed broadcast forwarded by the router and a local network broadcast (marked X) that is not forwarded]
Broadcasting is supported on the internet. Broadcast messages are those you want every host on the network to see. The broadcast address is formed by using all ones within the IP address. The Cisco IOS software supports two kinds of broadcasts: directed broadcasts and flooding. Flooded broadcasts ( ) are not propagated, but are considered local broadcasts. Broadcasts directed into a specific network are allowed and are forwarded by the router. These directed broadcasts contain all ones in the host portion of the address.

34 Exercise: broadcast addresses
Address | Subnet mask | Class | Subnet | Broadcast
201.222.10.60
The classes given as answers on the slide are C, A, B and B; the remaining addresses and masks are not in the transcript.
Written Exercise: Broadcast Addresses. Objective: configure IP addresses. Write the address class, subnet number, and the broadcast address for the subnet for each of the IP addresses and subnet masks in the table.
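The subnet arithmetic from slides 27 to 34 (logical AND to extract the subnet number, all-ones host field for the directed broadcast, choosing a subnet field size, and listing the resulting subnets), as an added Python example that is not part of the original presentation. The 2^n - 2 rule for subnets and hosts, which reserves the all-zeros and all-ones fields, follows the counts the slides give (30 subnets and 6 hosts for a 5-bit Class C subnet; 254 and 254 for an 8-bit Class B subnet); the host counting and the sample addresses are otherwise this example's own.

```python
def to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def subnet_number(address: str, mask: str) -> str:
    """Logical AND of address and mask removes the host portion, leaving the (sub)network number."""
    return to_dotted(to_int(address) & to_int(mask))


def broadcast_address(address: str, mask: str) -> str:
    """Directed broadcast for the subnet: all ones in the host portion."""
    m = to_int(mask)
    return to_dotted((to_int(address) & m) | (~m & 0xFFFFFFFF))


def host_range(address: str, mask: str):
    """First and last usable host: all-zeros is the wire address, all-ones the broadcast."""
    net = to_int(subnet_number(address, mask))
    bcast = to_int(broadcast_address(address, mask))
    return to_dotted(net + 1), to_dotted(bcast - 1)


def mask_with_subnet_bits(default_mask: str, subnet_bits: int) -> str:
    """Extend the default (classful) mask by taking subnet_bits from the high-order host bits."""
    network_bits = bin(to_int(default_mask)).count("1")
    host_bits = 32 - network_bits - subnet_bits
    return to_dotted(0xFFFFFFFF ^ ((1 << host_bits) - 1))


def usable_subnets(network: str, default_mask: str, subnet_mask: str):
    """All subnet numbers except the all-zeros and all-ones subnets reserved under the classic rule."""
    base = to_int(network) & to_int(default_mask)
    block = (~to_int(subnet_mask) & 0xFFFFFFFF) + 1               # addresses per subnet
    total = ((~to_int(default_mask) & 0xFFFFFFFF) + 1) // block    # 2 ** subnet_bits
    return [to_dotted(base + i * block) for i in range(1, total - 1)]


def plan_subnets(default_mask: str, needed_subnets: int, needed_hosts: int):
    """Smallest subnet field giving enough subnets while leaving enough host bits (2^n - 2 rule)."""
    network_bits = bin(to_int(default_mask)).count("1")
    for s in range(1, 32 - network_bits - 1):
        h = 32 - network_bits - s
        if 2 ** s - 2 >= needed_subnets and 2 ** h - 2 >= needed_hosts:
            return {"subnet_bits": s, "host_bits": h,
                    "mask": mask_with_subnet_bits(default_mask, s),
                    "subnets": 2 ** s - 2, "hosts_per_subnet": 2 ** h - 2}
    return None   # the requirement does not fit in the available host bits


if __name__ == "__main__":
    # The slide's Class C planning example: 201.222.5.0, 20 subnets, 5 hosts each.
    plan = plan_subnets("255.255.255.0", 20, 5)
    print(plan)
    print(usable_subnets("201.222.5.0", "255.255.255.0", plan["mask"])[:3])
    print(subnet_number("201.222.5.120", plan["mask"]),
          broadcast_address("201.222.5.120", plan["mask"]),
          host_range("201.222.5.120", plan["mask"]))
```

For the slide's Class C case the planner picks a 5-bit subnet field (mask 255.255.255.248), the usable subnets step by 8 starting at 201.222.5.8, and host 201.222.5.120 lands in subnet 201.222.5.120 with broadcast 201.222.5.127.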

35 Subnetting example
[Figure: routers Cisco A and Cisco B with interfaces E0, S0 and T0; E0: 172.16.2.1, mask /8, subnet]
The graphic shows a small network with assigned interface addresses, subnet masks, and resulting subnet numbers. The number of bits in each subnet mask is indicated by the /8 following the mask.

36 Public and private addresses
Public addresses: addresses allocated by the Internet Assigned Numbers Authority (IANA) that can be used on the Internet.
Private addresses: addresses reserved by IANA:

37 Introduction to DDN   Xinshi Technology Co., Ltd.

38 DDN overview
A Digital Data Network (DDN) is a public digital data transmission network of semi-permanent circuit connections; it provides users with a high-quality, high-bandwidth digital transmission channel.
... composed of. The service provided by DDN is also called DDS (Digital Data Service).
The router uses information from the configuration file when it starts up. The configuration file contains commands to customize router operation. As you saw in the previous chapter, if there is no configuration file available, the system configuration dialog setup guides you through creating one.

39 DDN characteristics
DDN is a transparent network: any type of user equipment can join it, whether computers, terminals, image equipment, voice equipment or LANs, and it carries data, image, voice and other services.
DDN uses synchronous digital time-division multiplexing. It has no switching function and uses point-to-point semi-permanent circuit connections; users send information in fixed time slots with a pre-set channel bandwidth and rate. Trunk rates are typically 2M (E1) and 33M (E3), with a maximum of 150Mb/s.
DDN trunks generally use optical fiber channels, and the whole network runs on a unified clock.
The main DDN modules use hot redundancy and support route diversion.

40 DDN access
Access to DDN via a modem; via DDN data terminal equipment; via a 2M digital circuit; via a user concentrator.

41 DDN configuration
[Figure: routerA S0 to a baseband modem (M), a second baseband modem (M) to S0 on routerB]
routerA#conf t
routerA(config)#interface serial 0
routerA(config-if)#ip add
routerA(config-if)#encapsulation hdlc   (default)
routerA(config-if)#no shut
routerA(config-if)#description DDN to routerb
routerA(config-if)#end
router#sh int s0

42 DDN configuration (continued): routerB configuration
routerB#conf t
routerB(config)#interface serial 0
routerB(config-if)#ip add
routerB(config-if)#encapsulation hdlc   (default)
routerB(config-if)#no shut
routerB(config-if)#description DDN to routerb
routerB(config-if)#end
routerB#sh int s0

43 Introduction to Routers   Xinshi Technology Co., Ltd.

44 Objectives: after completing this chapter you should understand the router concept; understand router functions and roles; know the structure and components of a router.
This module discusses how to update the configuration file. It includes an overview of router modes and discusses configuration methods for current and prior versions of Cisco IOS software. Sections: Router Modes; Configuration Methods.

45 The router concept: the router is the hub of the internetwork
Routers work at the lowest three protocol layers, the highest of which is the network layer, such as the IP layer of TCP/IP or the IPX layer of SPX/IPX. Its key position comes from operating at the network layer.
Routers have a strong ability to interconnect heterogeneous networks: the two physical networks being interconnected may differ in their lowest two layers, and the router unifies them at layer three.
CISCO routers are all multiprotocol routers: they support several network-layer protocols at the same time (IP, IPX, AppleTalk), and particular protocols can be enabled or disabled.

46 Basic router functions and roles (1): a basic function of a router is to connect several independent networks or subnets.
[Figure: LAN 1, LAN 2 and LAN 3 connected through a router]

47 Basic router functions and roles (2): another basic function of a router is to deliver data (IP packets) to the correct network. In detail this includes:
Subnet isolation, suppressing broadcast storms.
Maintaining the routing table and exchanging routing information with other routers, which is the basis of IP packet forwarding.
Error handling for IP datagrams and simple congestion control.
Filtering and accounting of IP datagrams.

48 Basic router functions and roles (3): for networks of different sizes, the emphasis of the router's role differs.
[Figure: tree-structured interconnection: a backbone network, regional networks and campus networks]
Backbone network: route selection. A router on the backbone must know the path to every lower-level network, which requires maintaining a huge routing table and reacting as quickly as possible to changes in link state.

49 Basic router functions and roles (4)
Regional network: the router's main roles are network connection and route selection, that is, connecting the lower-level base network units (campus networks) and forwarding data between those lower-level networks.
Campus network: the router's main role is to separate subnets. Each subnet is logically independent, and the router is the only device that can separate them; it forwards packets between subnets and isolates broadcasts, while the router at the boundary connects to the upper-level network.

50 Structure and components of a CISCO router: a router is a special-purpose computer.
(1) External: the number and types of ports (synchronous, asynchronous, ATM, Ethernet and so on).
(2) Internal: the storage system (RAM, ROM, NVRAM, FLASH), the CPU, and interface processing modules 1 to n.

51 Router Basics   Xinshi Technology Co., Ltd.

52 Objectives: after completing this chapter you should be able to examine router components; access a router remotely; test network connectivity.
This module discusses general information you need to understand before configuring a router.

53 Configuration Components and Router Modes

54 External configuration sources: configuration information can come from several sources: virtual terminals (vty 0-4), interfaces, the console port, the auxiliary port (Aux), a TFTP server, and a network management workstation.
The router can be configured from many locations. Upon initial installation, it is configured from the console terminal, which is connected via the console port. It can be connected via modem using the auxiliary port. Once installed on the network, it can be configured from virtual terminals 0 through 4. Files can also be downloaded from a TFTP server on the network.

55 Internal components: RAM, NVRAM, Flash, ROM, console, interfaces, auxiliary
Internal configuration components are as follows. RAM/DRAM: stores routing tables, ARP cache, fast-switching cache, packet buffering (shared RAM), and packet hold queues. RAM also provides temporary or running memory for the router's configuration file while the router is powered up. RAM content is lost when you power down or restart. NVRAM: nonvolatile RAM stores the router's backup configuration file. NVRAM content is retained when you power down or restart. Flash: erasable, reprogrammable ROM. Flash memory holds the operating system image and microcode. Having Flash memory allows you to update software without removing and replacing chips on the processor. Flash content is retained when you power down or restart. Multiple copies of Cisco IOS software can be stored in Flash memory. ROM: contains power-up diagnostics, a bootstrap program, and operating system software. To perform software upgrades, remove and replace pluggable chips on the CPU. Interfaces: network connections through which packets enter and exit the router. Interfaces are on the motherboard or on separate interface modules.

56 RAM: holds the currently running contents
[Figure: RAM contains the executing bootstrap program, the command executive, the Internetwork Operating System, programs, the active configuration file, tables and buffers]
RAM is the working storage area for the router. When the router is turned on, a bootstrap program is executed from ROM. This program performs some tests, then loads the Cisco IOS software into memory. The command executive, or EXEC, is one part of the Cisco IOS software. EXEC receives and executes commands you enter for the router. The router also stores an active configuration file and tables of network maps and routing address lists. The configuration file contains ASCII characters and can be displayed on a remote or console terminal. A saved version of this file is stored in NVRAM. The saved file is accessed and loaded into main memory each time the router initializes. The configuration file contains global, process, and interface statements that directly affect the operation of the router and its interface ports. The operating system image is already in binary executable form and cannot be displayed on the terminal screen. The image is usually executed from the main RAM and loaded from one of several input sources. The operating software is organized into "routines" that handle the tasks associated with different protocols, the movement of data, management of tables and buffers, routing updates, and the execution of user commands.

57 Router modes
User EXEC mode (Router>): limited to a small set of router privileges; the default state on logging in to the machine.
Global configuration mode (Router(config)#): entered by typing config terminal in privileged EXEC mode.
Privileged EXEC mode (Router#): holds all privileges, including checking the configuration and debugging; entered with enable.
Other configuration modes (Router(config-mode)#): entered from global configuration mode by typing the corresponding command.
Setup mode: creates a basic configuration through a dialog. A machine fresh from the factory, or one whose startup-config has been deleted, enters it automatically after power-on; it can also be entered manually with the setup command.
RXBOOT mode (prompt >): entered by pressing ctrl-break within 60 seconds of power-on; used to boot manually when the machine cannot boot normally.
Whether accessed from the console or by a Telnet session through an auxiliary port, the router can be placed in several modes. Each mode provides different functions. User EXEC mode: a "look-only" mode in which the user can view some information about the router, but cannot change anything. Privileged EXEC mode: supports the debugging and testing commands, detailed examination of the router, manipulation of configuration files, and access to configuration modes. Setup mode: presents an interactive prompted dialog at the console that helps the new user create a first-time basic configuration. Global configuration mode: implements powerful one-line commands that perform simple configuration tasks. Other configuration modes: provide more complicated multiple-line configurations. RXBOOT mode: a maintenance mode that can be used, among other things, to recover lost passwords.

58 Checking Router Status   Xinshi Technology Co., Ltd.

59 Router status commands
[Figure: each command mapped to the component it reports on: RAM (operating system, active configuration file, tables and buffers), interfaces, NVRAM (backup configuration file) and Flash (operating system programs)]
Router# show version
Router# show flash
Router# show interfaces
Router# show mem
Router# show stacks
Router# show buffers
Router# show processes CPU
Router# show protocols
Router# show running-config
Router# write term
Router# show startup-config
Router# show config
Router status commands are as follows. show version: displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images. show processes: displays information about the active processes. show protocols: displays the configured protocols. This command shows the status of any configured Layer 3 (network) protocol. show mem: shows statistics about the router's memory, including memory free pool statistics. show stacks: monitors the stack use of processes and interrupt routines and displays the reason for the last system reboot. show buffers: provides statistics for the buffer pools on the network server. show flash: shows information about the Flash memory device. show running-config (write term on Cisco IOS Release 10.3 or earlier): displays the active configuration file. show startup-config (show config on Cisco IOS Release 10.3 or earlier): displays the backup configuration file. show interfaces: displays statistics for all interfaces configured on the router.

60 The show running-config and show startup-config commands
Router# show running-config
Building configuration...
Current configuration:
!
version 11.2
!
-- More --
Router# show startup-config
Using 1108 out of bytes
!
version 11.2
!
hostname router
-- More --
On Release 10.3 and earlier, use the write terminal command; on Release 10.3 and later, use the show config command.
The show running-config and show startup-config commands are among the most used Cisco IOS software EXEC commands because they allow an administrator to see the current running configuration on the router, or the image size and the startup configuration commands the router will use on the next restart. Note: the commands write term and show config used with Cisco IOS Release 10.3 and earlier have been replaced by new commands. The commands that have been replaced continue to perform their normal functions in the current release but are no longer documented. Support for these commands will cease in a future release. You will know that you are looking at the active configuration file when you see the words "Current Configuration" at the top. You will know that you are looking at the backup configuration file when you see a message at the top telling you how much nonvolatile memory has been used.

61 The show interface serial command
Router# show interface serial 1
Serial1 is up, line protocol is up
Hardware is MK
Internet address is , subnet mask is
MTU 1500 bytes, BW 56 Kbit, DLY usec, rely 255/255, load 9/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input 0:00:00, output 0:00:01, output hang never
Last clearing of "show interface" counters never
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
Five minute input rate 1000 bits/sec, 0 packets/sec
Five minute output rate 2000 bits/sec, 0 packets/sec
packets input, bytes, 0 no buffer
Received broadcasts, 0 runts, 0 giants
input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
packets output, bytes, 0 underruns
output errors, 0 collisions, 8 interface resets, 0 restarts
carrier transitions
The show interface serial command displays configurable parameters and real-time statistics related to serial interfaces.

62 The show version command
RouterA#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS40-L), Version 11.2(5), RELEASE SOFTWARE (fc1)
Copyright (c) by cisco Systems, Inc.
Compiled Tue 01-Apr-97 09:12 by ckralik
Image text-base: 0x0303F9A8, data-base: 0x
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
RouterA uptime is 1 day, 5 hours, 50 minutes
System restarted by reload
System image file is "flash:c2500-js40-l bin", booted via flash
--More--
The show version command displays information about the Cisco IOS software version that is currently running on the router.

63 The show version command (continued)
cisco 2522 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID , with hardware revision
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
TN3270 Emulation software (copyright 1994 by TGV Inc).
Basic Rate ISDN software, Version 1.0.
1 Ethernet/IEEE interface(s)
2 Serial network interface(s)
8 Low-speed serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
RouterA#
The show version command displays information about the Cisco IOS software version that is currently running on the router.

64 The show protocols command
RouterA# show protocols
Global values:
Internet Protocol routing is enabled
DECNET routing is enabled
XNS routing is enabled
Appletalk routing is enabled
Novell routing is enabled
--More--
Ethernet0 is up, line protocol is up
Internet address is , subnet mask is
Decnet cost is 5
XNS address is 3010.aa
AppleTalk address is , zone ld-e0
Novell address is 3010.aa
Use the show protocols EXEC command to display the protocols configured on the router. This command shows the global and interface-specific status of any configured Level 3 protocols (for example, IP, DECnet, IPX, and AppleTalk).

65 Telnet operations
[Figure: the routers Denver, Paris and Tokyo]
Start a session:                     Denver> telnet paris
Suspend a session (escape sequence): Paris> <Cntl><Shift><6> <x>   then   Denver>
Resume the previous session:         Denver> <Return>
End a session:                       Paris> exit
Disconnect a session:                Denver> disconnect paris
Show sessions:                       Denver# show sessions
Conn Host Address Idle Conn Name
1 Paris Paris
2 Tokyo Tokyo*
Another way to learn about a remote router is to connect to it. Telnet, a virtual terminal protocol that is part of the TCP/IP protocol suite, allows connections to hosts. You can set up a connection between the router and a connected device. A router can have up to five simultaneous incoming Telnet sessions. With our implementation of TCP/IP, you do not need to enter the connect or telnet command to establish a Telnet connection. If you prefer, you can just enter the learned host name. To end a Telnet session, use the EXEC command exit or logout. These are alternate commands for the operations listed on the graphic. Initiate a session: Denver> connect paris, or Denver> paris. Resume a session (enter the session number or name): Denver> 1, giving Paris>. End a session: Paris> exit.

66 Basic Testing   Xinshi Technology Co., Ltd.

67 Testing overview: telnet, ping, trace, show ip route, show interface
[Figure: the seven OSI layers (7 application, 6 presentation, 5 session, 4 transport, 3 network, 2 data link, 1 physical) with the test commands listed alongside from telnet at the top to show interface at the bottom]
Basic testing of an internetwork should proceed in sequence from one ISO/OSI layer to the next.

68 Testing the application layer with telnet: can the remote router be accessed?
[Figure: Paris connects to York with Telnet at the application layer; prompt Paris>]
Begin testing by initially focusing on upper-layer applications. The Telnet application provides a virtual terminal so that administrators can use Telnet operations to connect with other hosts running TCP/IP. Test to determine whether the remote router can be accessed. For example, your success running Telnet to connect from the router York to another router Paris provides a basic test of the internetwork connecting the two. If we can remotely access another router through Telnet, then at least we know that one TCP/IP application can reach the remote router. A successful Telnet connection indicates that the upper-layer application (and the services of lower layers, as well) functions properly. If we can Telnet to one router but not to another router, it is likely that the Telnet failure is caused by specific addressing, naming, or access permission problems. These problems can exist on our router or on the router that failed as a Telnet target.

69 Testing with the ping command: are datagrams being forwarded? (network layer: echo request, echo reply)
Router> ping 172.16.1.5
Type escape sequence to abort.
Sending 5, 100 byte ICMP Echos to , timeout is 2 seconds:
.!!!!
Success rate is 80 percent, round-trip min/avg/max = 1/3/4 ms
Router>
As an aid to diagnosing basic network connectivity, many network protocols support an echo protocol, which is a test to determine whether protocol packets are being routed. The ping command sends a special datagram to the destination host and then waits for a reply datagram from that host. Results from this echo protocol can help evaluate the path-to-host reliability, delays over the path, and whether the host can be reached or is functioning. In the graphic, the ping target responded successfully to all five datagrams sent. The exclamation points (!) indicate each successful echo. If you instead receive one or more periods (.) on your display, the application on your router timed out waiting for a given datagram echo from the ping target. The ping user EXEC command can be used to diagnose basic network connectivity on AppleTalk, CLNS, IP, Novell IPX, Apollo, VINES, DECnet, or XNS networks.

70 Testing with the trace command: which path are datagrams forwarded along? (network layer)
[Figure: York, London, Paris and Rome; addresses 172.16.33.5 and 172.16.12.3 appear on the links]
York# trace ROME
Type escape to abort.
Tracing the route to ROME ( )
1 LONDON ( ) 1000 msec 8 msec 4 msec
2 PARIS ( ) 8 msec 8 msec 8 msec
3 ROME ( ) 8 msec 8 msec 4 msec
York#
The trace command is the ideal tool for finding where data is being sent in your network. The trace command uses the same technology as the ping command, except that instead of testing end-to-end connectivity, trace tests each step along the way. This operation can be performed at either the user or privileged EXEC level. Protocols that support trace functions are IP, AppleTalk, VINES, and CLNS. The trace command takes advantage of the error messages generated by routers when a datagram exceeds its Time To Live (TTL) value. The trace command starts by sending probe datagrams with a TTL value of 1. This value causes the first router to discard the probe datagram and send back an error message. The trace command sends several probes at each TTL level and displays the round-trip time for each. The benefit of the trace command is that it tells us which router in the path is the last one to be reached, which is called fault isolation. In this example, we are tracing the path from York to Rome. Along the way the path must go through London and Paris. If one of these routers had been unreachable, we would have seen three asterisks (*) instead of the name of the router. The trace command would continue attempting to reach the next step until we escape using the Ctrl-Shift-6 X escape sequence.
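The TTL mechanism behind trace, as an added Python simulation that is not part of the original presentation: probes are sent with TTL 1, 2, 3 and so on; each transit router decrements the TTL and, on reaching 0, discards the probe and answers with an error, so each step reveals one more router, and an unreachable router shows up as asterisks while trace keeps probing up to a maximum TTL (the simulation's stand-in for the escape sequence). The routers, their addresses (from the 192.0.2.0/24 documentation range) and the outage are constructed for the demonstration.

```python
class Router:
    """Constructed router: name, address and whether it currently answers at all."""

    def __init__(self, name: str, address: str, reachable: bool = True):
        self.name, self.address, self.reachable = name, address, reachable


def send_probe(path, ttl: int):
    """Forward one probe along the path, decrementing TTL at each transit router.

    Returns ("time-exceeded", router) when a router discards the probe at TTL 0,
    ("reached", router) when the last router in the path (the destination) answers,
    ("lost", None) when the probe enters an unreachable router and no reply comes back.
    """
    last = len(path) - 1
    for i, hop in enumerate(path):
        if not hop.reachable:
            return "lost", None
        if i == last:
            return "reached", hop           # the destination answers the probe
        ttl -= 1                            # each transit router decrements the TTL ...
        if ttl == 0:
            return "time-exceeded", hop     # ... discards it at 0 and sends back an error


def trace(path, probes: int = 3, max_ttl: int = 30):
    """Probe with TTL 1, 2, 3 ... and record which router answered at each step ('*' if none)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        replies = []
        status = "lost"
        for _ in range(probes):
            status, hop = send_probe(path, ttl)
            replies.append("*" if status == "lost" else hop.name)
        hops.append((ttl, replies))
        if status == "reached":
            break                           # destination reached: nothing further to isolate
    return hops


def last_reached(hops):
    """Fault isolation: the last router that answered before the replies stopped."""
    names = [r for _, replies in hops for r in replies if r != "*"]
    return names[-1] if names else None


if __name__ == "__main__":
    # Constructed stand-in for the slide's York -> London -> Paris -> Rome trace.
    path = [Router("LONDON", "192.0.2.1"), Router("PARIS", "192.0.2.2"), Router("ROME", "192.0.2.3")]
    for ttl, replies in trace(path):
        print(ttl, " ".join(replies))
    path[1].reachable = False               # Paris goes down: asterisks from step 2 onwards
    result = trace(path, max_ttl=4)
    for ttl, replies in result:
        print(ttl, " ".join(replies))
    print("last router reached:", last_reached(result))
```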

71 Using the show ip route command: Does an entry exist in the routing table? Network layer Paris# show ip route
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived
       C - connected, S - static, E - EGP derived, B - BGP derived
       i - IS-IS derived, D - EIGRP derived
       * - candidate default route, IA - OSPF inter area route
       E1 - OSPF external type 1 route, E2 - OSPF external type 2 route
       L1 - IS-IS level-1 route, L2 - IS-IS level-2 route
       EX - EIGRP external route
Gateway of last resort is not set
I [100/1300] via :00:22 Ethernet1
 is subnetted (mask is ), 3 subnets
I [100/180771] via , 0:01:29, Ethernet1
C is directly connected, Ethernet0
C is directly connected, Ethernet1
I [100/1200] via , 0:00:22, Ethernet1
The router offers us some powerful tools at this point in our search. We can actually look at the routing table, the directions that the router uses to determine how it will direct traffic across the network. The next basic test also focuses on the network layer. Use the show ip route command to determine whether a routing table entry exists for the target network. The highlight shows that Rome ( ) is reachable to Paris ( ) via the Ethernet0 and Ethernet1 interfaces.

72 Is the link working? ? Hardware (physical layer) Link Data link layer Data Keepalive messages Are keepalive messages being received? Control information
Is the Carrier Detect signal present? Hardware (physical layer) ? Cable Connector Interface Link Data Data link layer Keepalive messages Control information User information Are keepalive messages being received?
The interface has two pieces: physical (hardware) and logical (software). The hardware must make the actual connection between the devices. The software is the messages that are passed between adjacent devices. This information is data being passed between two connected, or linked, devices. When you test the physical and data link, you ask two questions: Is the Carrier Detect signal present? Are keepalive messages being received?

73 Interpreting show interface serial
Router# show interface serial 1
Serial1 is up, line protocol is up
  Hardware is cxBus Serial
  Description: 56Kb Line San Jose - MP
Status line                                               Meaning
Serial1 is up, line protocol is up                        Operational
Serial1 is up, line protocol is down                      Connection problem?
Serial1 is down, line protocol is down                    Interface problem
Serial1 is administratively down, line protocol is down   Disabled
("Serial1 is up" reflects Carrier Detect; "line protocol is up" reflects keepalives)
One of the most important elements of the show interface serial command output is the display of the line and data-link protocol status. The graphic indicates the key summary line to check and the status meanings. The line status in this example is triggered by a Carrier Detect signal and refers to the physical-layer facility. The line protocol, however, is triggered by keepalive frames and refers to the data-link framing.

74 Clearing the show interface counters Router# clear counters
Router# show interface serial 1
Serial1 is up, line protocol is up
  Hardware is cxBus Serial
  Description: 56Kb Line San Jose - MP
  Internet address is , subnet mask is
  MTU 1500 bytes, BW 56 Kbit, DLY usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 0:00:07, output 0:00:00, output hang never
  Last clearing of "show interface" counters 2w4d
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Five minute input rate 0 bits/sec, 0 packets/sec
  Five minute output rate 0 bits/sec, 0 packets/sec
  16263 packets input, bytes, 0 no buffer
  Received broadcasts, 0 runts, 0 giants
  2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort
  0 input packets with dribble condition detected
  22146 packets output, bytes, 0 underruns
  0 output errors, 0 collisions, 2 interface resets, 0 restarts
  1 carrier transitions
The router tracks statistics that provide information about the interface. Use the show interfaces command to display the statistics. The statistics reflect router operation since the last time the counters were cleared, as shown in the top highlighted line. In this example, that was two weeks and four days ago. The bottom set of highlights shows the critical counters. Use the clear counters command to reset the counters to zero. By starting from zero, you get a clearer picture of the current status of the network.
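The status line and counters described on slides 73 and 74, read by a parser. This is an added example and not course material: the sample output is constructed from the slide's output, with the address and byte counts that are missing there filled in as placeholders (192.0.2.1 is a documentation address). It maps the two status fields to the slide's meanings and lists the non-zero error counters together with the counter age, which is the reason the notes give for running clear counters first.

```python
# Added example (not part of the course material): parse the status line and
# error counters of "show interface serial" output and turn them into the
# diagnosis table from the slide.  SAMPLE is constructed from the slide's
# output; the address and byte counts missing there are filled with
# placeholder values (192.0.2.1 is a documentation address).
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Serial1 is up, line protocol is up
  Hardware is cxBus Serial
  Description: 56Kb Line San Jose - MP
  Internet address is 192.0.2.1, subnet mask is 255.255.255.0
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 0:00:07, output 0:00:00, output hang never
  Last clearing of "show interface" counters 2w4d
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Five minute input rate 0 bits/sec, 0 packets/sec
  Five minute output rate 0 bits/sec, 0 packets/sec
     16263 packets input, 1347238 bytes, 0 no buffer
     Received 13983 broadcasts, 0 runts, 0 giants
     2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort
     0 input packets with dribble condition detected
     22146 packets output, 2383680 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets, 0 restarts
     1 carrier transitions
"""

STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?P<line>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)", re.MULTILINE)

# counter name -> regex capturing its value
COUNTER_RES = {
    "input errors": re.compile(r"(\d+) input errors"),
    "CRC": re.compile(r"(\d+) CRC"),
    "frame": re.compile(r"(\d+) frame"),
    "abort": re.compile(r"(\d+) abort"),
    "output errors": re.compile(r"(\d+) output errors"),
    "interface resets": re.compile(r"(\d+) interface resets"),
    "carrier transitions": re.compile(r"(\d+) carrier transitions"),
}
CLEARED_RE = re.compile(r'Last clearing of "show interface" counters (\S+)')


def parse_status(text: str) -> Tuple[str, str, str]:
    """Return (interface, line status, line protocol status)."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no interface status line found")
    return m.group("name"), m.group("line"), m.group("proto")


def diagnose(line_status: str, proto_status: str) -> str:
    """Map the two status fields to the meaning given on the slide.

    The line status reflects Carrier Detect (physical layer); the line
    protocol status reflects keepalives (data link layer).
    """
    if line_status == "administratively down":
        return "disabled: interface is shut down in the configuration"
    if line_status == "down":
        return "interface problem: no Carrier Detect (cable, connector, interface)"
    if proto_status == "down":
        return "connection problem: carrier present but keepalives not received"
    return "operational"


def parse_counters(text: str) -> Dict[str, int]:
    """Pull the tracked error counters out of the output (missing ones are skipped)."""
    found = {}
    for name, rx in COUNTER_RES.items():
        m = rx.search(text)
        if m:
            found[name] = int(m.group(1))
    return found


def counters_age(text: str) -> str:
    """Time since clear counters ran ('never' in real output if it never did)."""
    m = CLEARED_RE.search(text)
    return m.group(1) if m else "unknown"


def flag_problems(text: str) -> List[str]:
    """Non-zero error counters worth a look, plus the window the numbers cover."""
    flags = [f"{name}={value}" for name, value in parse_counters(text).items() if value]
    return flags + [f"counters cover the last {counters_age(text)}"]


if __name__ == "__main__":
    name, line, proto = parse_status(SAMPLE)
    print(f"{name}: {diagnose(line, proto)}")
    for flag in flag_problems(SAMPLE):
        print(" ", flag)
```

On the constructed sample the interface is reported operational, and the flags are the two input errors (both aborts), the two interface resets and the one carrier transition, all accumulated over 2w4d.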

75 Checking real-time traffic with debug: What protocol messages are being sent? Application layer Network layer Data link layer Physical layer (hardware) Data Routing updates
Keepalive messages Data link layer Physical layer (hardware)
Router# debug broadcast
broadcast debugging is on
Ethernet0: Broadcast ARPA, src c0.6fa4, dst ffff.ffff.ffff type 0x0800, data FF11EA7B, len 60
Serial3: Broadcast HDLC, size 64, type 0x800, flags 0x8F00
The router includes hardware and software to aid in tracking down problems on it or on other hosts in the network. The debug privileged EXEC command starts the console display of the network events specified in the command parameter. Use the terminal monitor command to forward debug output to your Telnet session terminal. In this example, data-link broadcasts received by the router are displayed. Use the undebug all command to turn debugging off when you no longer need it. Caution: Debugging is really intended for solving problems. Be very careful with this tool on a live network. Substantial debugging on a busy network will slow down the network significantly. Do not leave debugging turned on; use it to diagnose a problem, and then turn it off.

76 Logging messages Console terminal Telnet terminal UNIX host (running Syslog Server) Buffer (default)
no logging buffered terminal monitor Telnet terminal Debug output System error messages UNIX host (running Syslog Server) logging on logging
By default, the router sends output from system error messages and the debug EXEC command to the console terminal. Messages can be redirected to a UNIX host or to an internal buffer. The terminal monitor command provides you the ability to redirect these messages to a terminal.
show logging logging buffered Buffer

77 Summary
Routers are made up of configurable components
Routers have modes for examining, maintaining, and changing those components
Examine with show commands
Display neighbor entries with CDP
Access routers with Telnet
Test network connectivity layer by layer
Test commands include ping, trace, and debug

78 Configuring Enhanced IGRP 新时科技有限公司

79 Objectives Upon completing this chapter, you should be able to: Understand Enhanced IGRP features and operation Configure Enhanced IGRP Verify Enhanced IGRP operation
This module presents Enhanced IGRP configuration.

80 Enhanced IGRP Operation

81 Enhanced IGRP Overview Enhanced IGRP supports: Rapid convergence Partial bounded updates Multiple protocol support IP Routing Protocols
Enhanced IGRP Novell Routing Protocols AppleTalk RTMP IP Routing Protocols
Enhanced IGRP supports: Rapid convergence Partial bounded updates Multiple protocol support
Enhanced IGRP is an advanced distance vector routing protocol that combines the advantages of link-state and distance vector routing protocols. Enhanced IGRP includes the following features:
Rapid convergence: Enhanced IGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router running Enhanced IGRP stores all its neighbors' routing tables so that it can quickly adapt to alternate routes. If no appropriate route exists in the local routing table, Enhanced IGRP queries its neighbors to discover an alternative route. These queries are propagated until an alternate route is found. Enhanced IGRP routing logic makes the path decisions and updates the routing tables with the new paths. The routing table remains separate. When path information changes, the DUAL algorithm sends an update about that link only, rather than the entire table. This approach conserves bandwidth on all connected media by reducing overhead traffic.
Partial bounded updates: Enhanced IGRP does not make periodic updates. Instead, it sends partial updates about a route when the path changes or the metric for that route changes. These partial updates are automatically bounded so that only routers that need the information are updated.
Multiple network-layer support: Enhanced IGRP supports AppleTalk, IP, and Novell NetWare. Enhanced IGRP maintains three protocol dependent modules: IP, IPX, and AppleTalk. These modules are responsible for network-layer-specific protocol requirements.

82 Enhanced IGRP Convergence Neighbor B provides the best path to network 7 Neighbor B is in the routing table H A D Topology table Routing table Neighbor table 7 B Network 7 Neighbor
Enhanced IGRP uses several methods to ensure fast convergence in the event of a network change. Enhanced IGRP uses several tables that store network topology information:
Neighbor table: Each Enhanced IGRP router maintains a neighbor table that lists adjacent routers.
Topology table: Each Enhanced IGRP router maintains a topology table. This table contains route information learned from neighbors. Only the current and backup routes to a destination are maintained in the topology table. In the example, router A's topology table contains the routing tables of its neighbor routers, B, D, and H. Enhanced IGRP routers build the topology table at startup from updates received from neighbor routers.
Routing table: Enhanced IGRP chooses the best route to a destination from the topology table and places this route in the routing table. The router maintains one routing table for each network protocol.
When a network topology change occurs, Enhanced IGRP checks the topology table for a suitable new route to the destination. If such a route exists in the topology table, Enhanced IGRP updates the routing table instantly. Each Enhanced IGRP protocol dependent module maintains its own set of Enhanced IGRP tables.
Neighbor B provides the best path to network 7 Neighbor B is in the routing table

83 Partial Bounded Updates Updates are sent only to directly connected neighbors X H B D A Update
Enhanced IGRP routers send several types of packets to maintain routing information. These packets are exchanged between directly connected (neighbor) routers only.
Hello: Enhanced IGRP routers use multicast Hello packets to discover neighbor routers. Periodically, each Enhanced IGRP router sends a multicast Hello packet to verify an Enhanced IGRP neighbor's availability.
Update: Enhanced IGRP routers use Update packets to convey destination reachability information. When a new neighbor is discovered, the router sends out unicast Update packets to its neighbors. The neighbors use this information to modify their topology tables. In other cases, such as a link-cost change, the router multicasts updates. Updates are reliably transmitted.
Query and Reply: When a router loses a route and must compute a new route to the destination, it sends out Query packets to all its neighbors asking for information on the destination. Every Enhanced IGRP router that receives a Query packet must send a Reply. If the neighbor that receives that query does not have destination information, it will send Query packets to its neighbors as well.

84 Packet Types Used by Enhanced IGRP
Hello and acknowledgment packets: Hello packets are used for neighbor discovery and recovery and are sent as multicast packets; an acknowledgment packet is a Hello packet that carries no data.
Update packets: Update packets carry destination reachability information. When a new neighbor appears, unicast Update packets are sent to it, and the new neighbor uses them to build its own topology table.
Query and Reply packets: Query and Reply packets are sent when no feasible successor to a destination is found.
Request packets:

85 Automatic Neighbor Discovery H A D Topology table Routing table Neighbor table 7 B Network 7 B D H Neighbor Network
The router builds the neighbor table from Hello packets that it receives from adjacent Enhanced IGRP routers running the same network-layer protocol. Enhanced IGRP maintains a neighbor table for each configured network-layer protocol. In the example, all routers can access each other and network 7. Neighboring Enhanced IGRP routers exchange their routing information. Each Enhanced IGRP router stores route information learned from its neighbors in its topology table. Enhanced IGRP maintains a topology table for each configured network-layer protocol.

86 Multiprotocol Support IP Enhanced IGRP IP RIP Autonomous system 200 IGRP Autonomous system 200 Enhanced IGRP
IP networks that are already using IGRP can benefit from the use of Enhanced IGRP. Enhanced IGRP replaces the periodic routing table updates used by IGRP with a scheme that sends routing updates only when a topology change occurs. These updates only contain information about the link that changed, rather than the entire routing table. In addition, the updates are bounded so the updates only go to affected routers, which makes the network converge more quickly than with IGRP. Enhanced IGRP supports variable-length subnet masks (VLSMs) to allow administrators to more efficiently allocate IP addresses. The IP implementation of Enhanced IGRP can redistribute routes learned by OSPF, IP RIP, IS-IS, EGP, or BGP. The two routers in the graphic are using Enhanced IGRP to convert IP RIP routing information. Enhanced IGRP routers and IGRP routers can exchange routing information easily because of the similar metric structure. If the Enhanced IGRP router and the IGRP router are in the same autonomous system, route redistribution between the routers is automatic. If the two routers are in different autonomous systems, the network administrator must configure redistribution manually. Note: It is important to control route redistribution in order to eliminate multiple points of redistribution that can lead to redistribution feedback and routing loops.

87 Enhanced IGRP Configuration

88 IP Enhanced IGRP Configuration Select the attached networks and subnets Define Enhanced IGRP as the IP routing process
Router (config) # router eigrp autonomous-system-number
Defines Enhanced IGRP as the IP routing process
Router (config-router) # network network-number
Selects the attached networks and subnets
Use the router eigrp command to enable Enhanced IGRP as a routing protocol.
router eigrp Command Description
autonomous-system-number The number of the autonomous system to which this router belongs.
Use the network command to define the directly connected networks with which this router uses Enhanced IGRP.
network Command Description
network-number The number of the network that will be advertised by this router.

89 IP Enhanced IGRP Example E T0 S1 A S2 B S0 D C
router eigrp 109
network
network
In the example:
Command Description
router eigrp 109 Enables Enhanced IGRP on router A in autonomous system 109.
network Interfaces connected to network will send Enhanced IGRP updates to other Enhanced IGRP routers.
network Interfaces connected to network will send Enhanced IGRP updates to other Enhanced IGRP routers.
The Enhanced IGRP routing process for autonomous system 109 is active in router A, and it advertises the directly connected networks and . Network is not advertised, initially, because it is not directly connected to router A.

90 Enhanced IGRP Path Selection Enhanced IGRP uses a composite metric to choose the best path Enhanced IGRP 19.2 T1 IP RIP
IPX RIP AppleTalk RTMP IP RIP IPX RIP Enhanced IGRP uses a composite metric to choose the best path
Unlike routing protocols that use a single metric, such as a hop count, Enhanced IGRP uses a composite set of metrics to determine the best path to a destination. Enhanced IGRP can determine that the single 19.2-kbps hop between networks is significantly slower than the three-hop path through the multiple T1 links. Enhanced IGRP uses the same vector of metrics as IGRP. The Enhanced IGRP metrics are:
Bandwidth: the smallest bandwidth between source and destination
Delay: cumulative interface delay along the path
Reliability: worst reliability between source and destination, based on keepalives
Loading: worst load on a link between source and destination, based on bits per second
MTU: smallest MTU in the path
Enhanced IGRP supports up to six paths between a source and a destination.
Note: You can use the variance and traffic-share commands to configure Enhanced IGRP load balancing.
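The comparison above (one 19.2 kbps hop against three T1 hops) worked through in Python with the classic EIGRP composite metric and its default K values. This is an added example, not part of the course: the formula itself is not stated on the slide, and the link parameters (T1 = 1544 kbps, 20000 usec default serial delay, and the 19.2 kbps link entered as bandwidth 19 because IOS stores whole kbps) are assumptions made for the example.

```python
# Added example (not part of the course material): the classic EIGRP/IGRP
# composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0),
# applied to the slide's comparison of one 19.2 kbps hop against three T1
# hops.  The formula is the standard one, not stated on the slide; the link
# parameters below (T1 = 1544 kbps, 20000 usec serial delay, IOS storing
# bandwidth as whole kbps so 19.2 becomes 19) are assumptions for the example.
from typing import Dict, List, Tuple

Hop = Tuple[int, int]   # (bandwidth in kbps, delay in microseconds)


def eigrp_metric(hops: List[Hop], load: int = 1, reliability: int = 255,
                 k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0) -> int:
    """Composite metric for a path; lower is better.

    bandwidth term : 10^7 / slowest link on the path (kbps)
    delay term     : sum of hop delays in tens of microseconds
    load (1-255) and reliability (1-255) only count when K2 or K5 is non-zero,
    which they are not by default.  The result is scaled by 256 as in IOS.
    """
    slowest = min(bw for bw, _ in hops)
    bw_term = 10_000_000 // slowest
    delay_term = sum(delay for _, delay in hops) // 10
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def best_path(paths: Dict[str, List[Hop]]) -> str:
    """Name of the path with the lowest composite metric."""
    return min(paths, key=lambda name: eigrp_metric(paths[name]))


T1 = (1544, 20000)          # assumed: T1 bandwidth, IOS default serial delay
SLOW_SERIAL = (19, 20000)   # assumed: the 19.2 kbps link configured as bandwidth 19

PATHS = {
    "one 19.2 kbps hop": [SLOW_SERIAL],
    "three T1 hops": [T1, T1, T1],
}

if __name__ == "__main__":
    for name, hops in PATHS.items():
        print(f"{name:>20}: metric {eigrp_metric(hops):>10}  (hop count {len(hops)})")
    print("Enhanced IGRP prefers:", best_path(PATHS))
```

A hop-count protocol such as RIP would take the single slow hop; the composite metric makes the three-hop T1 path cheaper by roughly a factor of forty, because the slowest link on the path dominates the bandwidth term.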

91 Minimizing Routing Updates

92 Route Filtering Specifies which routes of a received routing protocol are allowed through Uses a standard access list to permit or deny certain routes
Router (config-router) # distribute-list access-list-number { out | in } [ interface-name | routing-process ]
Specifies which routes of a received routing protocol are allowed through
Uses a standard access list to permit or deny certain routes
Can be applied to outbound or inbound routing protocol updates
Filters all updates or only the updates of a specified interface
Use the distribute-list command to filter networks received in updates.
distribute-list Command Description
access-list-number Standard IP access list number. This list explicitly specifies which networks are to be received and which are to be suppressed.
interface-name (Optional) Interface name.
routing-process (Optional) Name of the routing process, or the keyword static or connected.
You can use the distribute-list command to manage IP RIP, OSPF, IGRP, Enhanced IGRP, IPX RIP, and NLSP.

93 IP Route Filtering Example S0
router eigrp 1
network
network
distribute-list 7 out s0
!
access-list 7 permit
In the example:
Command Description
distribute-list 7 out s0 Applies access list 7 as a route redistribution filter on routing updates sent on serial 0.
access-list 7 permit
7 Access list number.
permit Routes matching the parameters can be forwarded.
Network number and wildcard mask used to qualify source addresses. The first two address octets must match and the rest are masked.
The distribute-list command applies access list 7 to outbound packets. The access list does not allow routing information from network to be distributed out the S0 interface. As a result, network is hidden.
Using interface filtering to hide a network

94 Redistribution Filtering Example Using redistribution filtering to hide a network 10.0.0.0 RIP 192.168.5.0 EIGRP 172.16.0.0
router rip
network
redistribute eigrp 1
default-metric 3
distribute-list 7 out eigrp 1
!
router eigrp 1
network
redistribute rip
default-metric
!
access-list 7 deny
access-list 7 permit
In the example:
Command Description
redistribute eigrp 1 Enables routes learned from Enhanced IGRP autonomous system 1 to be redistributed into IP RIP.
default-metric 3 Specifies that all routes learned from Enhanced IGRP will be advertised by RIP as reachable in three hops.
distribute-list 7 out eigrp 1 Defines that routes defined by distribute list 7 leaving the Enhanced IGRP process will be filtered prior to being given to the RIP process.
We are filtering the redistribution of routing updates between different routing processes (protocols), such as IP RIP and Enhanced IGRP. The distribute-list 7 out eigrp 1 command sets up distribute-list 7 as the input for the RIP process. This distribute list redistributes all routing information except updates from network
Using redistribution filtering to hide a network

95 Enhanced IGRP Route Summarization
Route summarization at network-class boundaries (Class A, B, C) is enabled by default
Router (config-router) # no auto-summary
Turns off automatic summarization
Router (config-if) # ip summary-address eigrp as-number address mask
Enables a summary advertisement on a specified interface
Use the no auto-summary command to turn off automatic route summarization. Use the ip summary-address eigrp command to specify the format of the route summary statement that is advertised.
ip summary-address eigrp Command Description
as-number Autonomous system number of the network being summarized.
address The IP address being advertised as the summary address. This address does not need to be aligned on Class A, B, or C boundaries.
mask The IP mask being used to create the summary address.
You can use the ip summary-address eigrp command to specify summary routes on a particular interface. If you want summary routes on a subnet boundary, rather than Class A, B, or C addresses, you can use this command.

96 Route Summarization Example S0 World
Left router:
router eigrp 1
network
network
no auto-summary
Right router:
router eigrp 1
network
int s0
ip address
ip summary-address eigrp 1
For the left router in the example:
Command Description
router eigrp 1 Starts an Enhanced IGRP process for autonomous system 1.
no auto-summary Disables automatic summarization at the point between major network numbers, such as and . Automatic route summarization has been disabled to allow the noncontiguous subnets and to communicate.
For the right router:
ip summary-address eigrp
eigrp 1 Specifies that routes learned from Enhanced IGRP autonomous system 1 will be manually summarized at interface serial 0.
Defines the IP address of the summary route and the mask to be associated with that route.

97 Static Route Configuration Default administrative distance 1 Defines a path to an IP destination network or subnet Requires redistribution Default administrative distance 0 (meaning directly connected) Automatically redistributed
Router (config) # ip route network [ mask ] address [ distance ]
Defines a path to an IP destination network or subnet
Default administrative distance 1; requires redistribution
Router (config) # ip route network [ mask ] interface [ distance ]
Default administrative distance 0 (meaning directly connected); automatically redistributed
You can reduce the number of routing updates over an interface by defining static routes. Use the ip route command to define a static route.
ip route Command Description
network The IP address of the target network or subnet.
mask The optional subnet mask.
address IP address of the next hop that can be used to reach that network.
interface Network interface to use.
distance Administrative distance.

98 Static Route Redistribution passive-interface s0 192.31.7.10 S0 192.31.7.18 131.108.0.0
B A C D E D E
ip route
ip route
!
router eigrp 1
network
default-metric
redistribute static
distribute-list 3 out static
!
access-list 3 permit
In the example:
Command Description
ip route Defines the IP address and subnet mask of the destination network. Defines the next-hop address to use to reach the destination.
redistribute static Assigns routes learned from static entries in the routing table to be redistributed into Enhanced IGRP.
distribute-list 3 out static Filters routes, specified in distribute list 3, learned from static entries before those routes are passed to the Enhanced IGRP process.
access-list 3 permit
3 The access list is list number 3.
permit Routes that match the parameters will be advertised.
Packets from source IP addresses that match the first two octets of will be forwarded.
Configure static route redistribution on one router only to eliminate the possibility of routing loops created by static route redistribution on routers with parallel routes between networks. In this example, the route is passed to routers D and E. The route is filtered by the access list.

99 Verifying Enhanced IGRP Operation Displays the current Enhanced IGRP entries in the routing table Displays the parameters and current state of the active routing protocol process show ip protocols
Router # show ip protocols
Displays the parameters and current state of the active routing protocol process
Router # show ip route eigrp
Displays the current Enhanced IGRP entries in the routing table
Use the show ip protocols command to display the parameters and current state of the active routing protocol process. This command shows the Enhanced IGRP autonomous system number. It also displays filtering and redistribution numbers as well as neighbors and distance information. Use the show ip route eigrp command to display the current Enhanced IGRP entries in the routing table.

100 Verifying Enhanced IGRP Operation (cont.) Displays the IP Enhanced IGRP topology table Displays the IP Enhanced IGRP packets sent and received Displays the neighbors discovered by IP Enhanced IGRP
Router # show ip eigrp neighbors
Displays the neighbors discovered by IP Enhanced IGRP
Router # show ip eigrp topology
Displays the IP Enhanced IGRP topology table
Router # show ip eigrp traffic
Displays the IP Enhanced IGRP packets sent and received
Use the show ip eigrp neighbors command to display neighbors discovered by Enhanced IGRP. Use the show ip eigrp topology command to display the Enhanced IGRP topology table. This command shows the topology table, the Active/Passive state of routes, the number of successors, and the feasible distance to the destination. Use the show ip eigrp traffic command to display the number of Enhanced IGRP packets sent and received. This command displays statistics on Hello, Updates, Queries, Replies, and Acknowledgments.

101 Basic Traffic Management with Access Lists
Module 9 Copyright © 1998, Cisco Systems, Inc. Managing IP

102 Objectives Upon completing this chapter, you should be able to perform the following tasks: Configure IP standard access lists
Limit virtual terminal access
Configure IP extended access lists
Verify access list configuration
Configure an alternative to using access lists
Configure an IP helper address to manage broadcasts
This module discusses the following Cisco IOS features useful in reducing unwanted traffic or controlling access in an IP environment: access lists, null interfaces, and helper addresses.

103 Access List Applications Access lists control packet forwarding through the network Transmitting a packet on an interface Virtual terminal access (IP)
Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified router interfaces, Cisco provides access lists. An IP access list is a sequential collection of permit and deny conditions that apply to IP addresses or upper-layer IP protocols. The following table shows the types of access lists and the available list numbers:
Type of Access List            Range
IP standard
IP extended
Bridge type-code
DECnet standard and extended
XNS standard
XNS extended
AppleTalk zone
Bridge MAC

104 Other Access List Uses Access lists are multipurpose Priority and custom queuing Dial-on-demand routing
Queue List Dial-on-demand routing Route filtering Routing Table
You can use an IP access list to establish a finer granularity of control when differentiating traffic into priority and custom queues. An access list can also be used to identify "interesting" traffic that serves to trigger dialing in dial-on-demand routing (DDR). Access lists are also a fundamental component of route maps, which filter and in some cases alter the attributes within a routing protocol update.
Access lists are multipurpose

105 Configuring IP Standard Access Lists
Cisco IOS Release 10.3 introduced substantial additions to IP access lists. These extensions are backward compatible. Migrating from existing releases to the Release 10.3 or later image will convert your access lists automatically. However, previous releases are not upwardly compatible with these changes. Thus, if you save an access list with the Release 10.3 or later image and then use older software, the resulting access list will not be interpreted correctly. This incompatibility can cause security problems. Save your old configuration file before booting Release 10.3 (or later) images in case you need to revert to an earlier version.

106 IP Standard Access Lists Overview
Destination Address Source Address X Use source address only Access list range: 1 to 99 Standard access lists permit or deny packets based only on the source IP address of the packet. The access list number range for defining standard access lists is 1 to 99. Standard access lists are easier to configure than their more robust counterparts, extended access lists.

107 Inbound Access List Processing
(Flowchart for standard IP access lists: Incoming packet; Access list?; Next entry in list; Does source address match?; More entries?; Apply condition; Permit: route to interface, forward packet; Deny: ICMP message)
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the packet. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet. For inbound standard access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router exits the access list and continues to process the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message. Note that the action taken if no more entries are found in the access list is to deny the packet, which illustrates an important concept to remember when creating access lists. The last entry in an access list is what is known as an "implicit deny any." All traffic not explicitly permitted will be implicitly denied.

108 Outbound Access List Processing
(Flowchart for standard IP access lists, outbound: Incoming packet; Route to interface; Access list?; Next entry in list; Does source address match?; More entries?; Apply condition; Permit: forward packet; Deny: ICMP message)
For outbound standard IP access lists, after receiving and routing a packet to a controlled interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list denies the address, the router discards the packet and returns an ICMP Host Unreachable message. The primary difference between a standard access list and an extended access list is that the latter may continue to check other information in the packet against the access list after the source address has been found to match.

109 IP Addressing Review Class B subnets Class C High-Order Bits
(Table residue: First Octet, Class, Standard Mask; high-order bits 10 and 110; first octet 1-126; classes A, B, C; bit positions 1 to 15)
The IP address is 32 bits in length and is made up of two parts: Network number Host number
The address format is known as dotted-decimal notation. An example address is . Each bit in an octet has a binary weight, such as (128,...4,2,1). The minimum value for an octet is 0; it contains all zeros. The maximum value for an octet is 255; it contains all ones. The allocation of addresses is managed by a central authority. Network numbers are administered by the Internet Network Information Center (InterNIC). The NIC is also the main Request For Comments (RFCs) repository.

110 Access Lists Use Wildcard Mask
Address  Mask  Matches
               any address
               network only
               subnet *
               local broadcast
               exactly host
0 bit = must match bits in addresses
1 bit = unconditional match for bits in addresses
Both standard and extended IP access lists use a wildcard mask. Like an IP address, a wildcard mask is a 32-bit quantity written in dotted-decimal format. Address bits corresponding to wildcard mask bits set to 1 are ignored in comparisons; address bits corresponding to wildcard mask bits set to 0 are used in comparisons. An alternative way to think of the wildcard mask is as follows: If a 0 bit appears in the mask, then the corresponding bit location in the access list address and the same location in the packet address must match (either both 0 or both 1). If a 1 bit appears in the mask, then the bit location in the packet will match whether it is 0 or 1, and the bit location in the access list address is ignored. For this reason, 1 bits in the mask are sometimes called "don't care" bits. An access list can contain an indefinite number of actual and wildcard addresses. A wildcard address has a nonzero address mask and thus potentially matches more than one actual address. Remember that the order of the access list statements is important, because the access list is not processed further after a match has been found.
* Assuming subnet mask of

111 Access List Configuration Tasks
To create an access list, perform the following tasks:
Define an access list
Apply the list to an interface
Whether you are creating a standard or extended access list, you will need to complete two tasks:
Step 1 Create an access list in global configuration mode by specifying an access list number and access conditions. Define a standard IP access list using a source address and wildcard. Define an extended access list using source and destination addresses, as well as optional protocol-type information for finer granularity of control.
Step 2 Apply the access list in interface configuration mode to interfaces or terminal lines. After an access list is created, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces.

112 Standard Access List Commands
Router (config) # access-list access-list-number { permit | deny } { source [ source-wildcard ] | any }
Defines a standard access list (numbered 1-99)
Router (config-if) # ip access-group access-list-number { in | out }
Applies an access list to a specific interface
Use the access-list command to create an entry in a standard traffic filter list.
access-list Command Description
access-list-number Identifies the list to which the entry belongs; a number from 1 to .
permit | deny Indicates whether this entry allows or blocks traffic from the specified address.
source Identifies the source IP address.
source-wildcard (Optional) Identifies which bits in the address field are matched. It has a 1 in positions indicating "don't care" bits, and a 0 in any position that is to be strictly followed. If this field is omitted, the mask is assumed.
any Uses address and source wildcard to match any address.
Use the ip access-group command to link an existing access list to an interface. Each interface may have both an inbound and an outbound access list (provided they are both standard or extended).
ip access-group Command Description
access-list-number Indicates the number of the access list to be linked to this interface.
in | out Process packets arriving on (in) or leaving from (out, the default) this interface.
Eliminate the entire list by typing no access-list access-list-number. Remove the access list from the interface with the no ip access-group access-list-number command.

113 Implicit Masks Omitted mask assumed to be 0.0.0.0
For Standard IP Access Lists: correct / common errors / not needed
access-list 1 permit
! deny any
Omitted mask assumed to be
Last two lines unnecessary (implicit deny any)
Implicit masks reduce typing and simplify configuration. Shown are three examples of implicit masks. The first line is an example of a specific host configuration. For standard access lists, if no mask is specified, the mask is assumed to be . The implicit mask makes it easier to enter a large number of individual addresses. When the symbolic name any is used, the mask is implied.
When a packet does not match any of the configured lines in an access list, the packet is denied by default, which implies an invisible line at the end of the access list that is equivalent to "deny any." Denying any is the same as configuring . For this reason, the last two lines need not be configured.
Common errors are found in the other access list lines:
The second line: Permit would exactly match the address and then permit it. In most cases, this address is illegal, so this list would prevent all traffic from getting through (the implicit deny any).
The third line: Permit is probably a configuration error. The intention is probably . The exact address is reserved to refer to the network and would never be assigned to a host. Networks and subnets are represented by explicit masks. As a result, nothing would get through with this list, again due to the implicit deny any.
The fourth line: Deny any is unnecessary to configure because it duplicates the function of the default deny that occurs when a packet fails to match all of the configured lines in an access list.
The fifth line: Deny is unnecessary for the same reason as the fourth line.

114 Configuration Principles
Top-down processing: place more specific references first
Implicit deny any: unless the access list ends with an explicit permit any
New lines added to the end: cannot selectively add/remove lines
Undefined access list = permit any: need to create access list lines before applying, because of the implicit deny any

Following these general principles helps ensure the access lists you create have the intended results:
Top-down processing: Organize your access list so that more specific references in a network or subnet appear before more general ones. Place more frequently occurring conditions before less frequent conditions.
Implicit deny any: Unless you end your access list with an explicit permit any, it will deny by default all traffic that fails to match any of the access list lines.
New lines added to the end: Subsequent additions are always added to the end of the access list. You cannot selectively add or remove lines.
Undefined access list = permit any: If you apply an access list with the access-group command to an interface before any access list lines have been created, the result will be permit any. The list is "live", so if you enter only one line, it goes from a permit any to a "deny most" (because of the implicit deny any) as soon as you press <ENTER>. For this reason, create your access list before you apply it to an interface.

115 Standard Access List Example
Router (config)# access-list 2 permit
access-list 2 deny
!(Note: all other access implicitly denied)
interface ethernet 0
Router (config-if)# ip access-group 2 in

E0, Internet, hosts A, B, C, D. Who can connect to A?
Can host B communicate with host A? Yes. Permitted by the first line, which uses an implicit host mask.
Can host C communicate with host A? No. Host C is in the subnet denied by the second line.
Can host D communicate with host A? Yes. Host D is on a subnet that is explicitly permitted by the third line.
Can users on the Internet communicate with host A? No. Users outside of this network are not explicitly permitted, so they are denied by default (implicit deny any).
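The evaluation rules from slides 113 to 115 (implicit 0.0.0.0 mask, top-down first match, implicit deny any, undefined list = permit any, and the common-error lines) as an added Python simulator; this is example code written for this page, not Cisco IOS code, and the addresses in its sample list are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255, the wildcard implied by "any"

def parse_acl_line(line: str):
    """Parse 'access-list N {permit|deny} {source [wildcard] | any}'
    into (number, action, source_int, wildcard_int)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list line: {line!r}")
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError("standard IP access lists are numbered 1-99")
    if parts[3] == "any":                         # any == 0.0.0.0 255.255.255.255
        return number, parts[2], 0, ALL_ONES
    source = int(ipaddress.IPv4Address(parts[3]))
    # An omitted wildcard mask is assumed to be 0.0.0.0 (exact host match).
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return number, parts[2], source, wildcard

def build_acl(config_lines):
    """Collect the entries of one list in order; '!' lines are IOS comments."""
    entries = []
    for line in config_lines:
        line = line.strip()
        if line and not line.startswith("!"):
            entries.append(parse_acl_line(line)[1:])
    return entries

def evaluate(acl, source_ip: str) -> str:
    """Top-down, first match wins, implicit deny any at the end.
    An empty (undefined) list applied to an interface permits everything."""
    if not acl:
        return "permit"
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, source, wildcard in acl:
        care = ~wildcard & ALL_ONES               # 0 bits in the wildcard must match
        if ip & care == source & care:
            return action
    return "deny"

def lint(acl):
    """Flag the slide-113 mistakes: a network (or 0.0.0.0) address entered with
    the implicit host mask, lines shadowed by a match-all entry, and a
    trailing deny any that duplicates the implicit deny."""
    warnings = []
    for i, (action, source, wildcard) in enumerate(acl, 1):
        if wildcard == 0 and source & 0xFF == 0:
            warnings.append(f"line {i}: network address with implicit host mask; wildcard intended?")
        if wildcard == ALL_ONES and i < len(acl):
            warnings.append(f"line {i}: matches any; later lines are unreachable")
            break
    if acl and acl[-1] == ("deny", 0, ALL_ONES):
        warnings.append("last line duplicates the implicit deny any")
    return warnings
```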

116 Location of Standard Access Lists
access-list 3 deny
access-list 3 permit any

Routers A, B, C, D; interfaces E0, E1; hosts W, V, X, Y, Z.
On which router should the access list be configured to deny host Z access to host V? How does the location of a standard access list change the policy implemented?

Access list location can be more of an art than a science, but there are some general guidelines that we can discover by looking at this simple example. If the policy goal is to deny host Z access to host V, and not to change any other access policy, on which router should the access list shown be configured, and on which interface of that router?
The access list would be placed on router A. The reason is that the standard access list can only specify the source address. Wherever in the path the traffic is denied, no hosts beyond that point can be reached. The access list could be configured as an outbound list on E0, but it would most likely be configured as an inbound list on E1 so that packets to be denied would not have to be routed first.
What would be the effect of placing the access list on other routers?
Router B: Host Z could not connect with hosts V and W.
Router C: Host Z could not connect with hosts V, W, and X.
Router D: Host Z could not connect with hosts V, W, X, and Y.
For standard access lists, place them as close to the destination router as possible to exercise the most control.

117 Written Exercise: IP Standard Access Lists
Interfaces E2, S0; hosts W, X, Z; routers A, B; Outside World.
Written Exercise: IP Standard Access Lists
Objective: Configure IP standard access lists.
Create an access list and place it in the proper location to satisfy the following requirements:
1. Prevents all hosts on the subnet, except one host, from accessing the subnet.
2. Prevents the outside world from accessing the subnet.
3. Allows all other hosts on all other subnets of the network (given its subnet mask) to access it.
4. Prevents one host from accessing the subnet.
Write your configuration in the space below. Be sure to include the router name (A or B), interface name (E0, E1, or E2), and access list direction (in or out).

