Routing

Alcatel University - 8AS 90200 1140 VT ZZA Ed.01

Alcatel University - 8AS 90200 1140 VH ZZA Ed.01


Objective: to be able to configure RIP and OSPF dynamic routing.

Program:

Session presentation
1 Overview
2 RIP protocol
3 OSPF protocol


Routing 1. Overview


1- Overview: Various types of routing

Static routing:
- Prevents traffic due to a routing protocol
- Easy design on a small network
- Programmed manually
- No re-routing in case of failure
- Risk of errors

Dynamic routing:
- Re-routes the traffic automatically in case of network failure
- Ideal for a large network
- Generates extra traffic on the network
- Involves extra processing in the routers

Static routing

Static routing is performed manually by the network administrator, who is responsible for discovering and propagating routes through the network. These definitions are programmed by hand into every routing device in the environment. Once a device has been configured, it simply forwards packets out of the predetermined ports; there is no communication between routers regarding the current topology of the network. In small networks with minimal redundancy, this process is relatively simple to administer. However, this approach to maintaining IP routing tables has several disadvantages:
- Static routes require a considerable amount of coordination and maintenance in non-trivial network environments.
- Static routes cannot adapt dynamically to the current operational state of the network. If a destination subnetwork becomes unreachable, the static routes pointing to that network remain in the routing table and traffic continues to be forwarded toward that destination. Unless the network administrator updates the static routes to reflect the new topology, traffic cannot use any alternate paths that may exist.

Dynamic routing

Dynamic routing algorithms allow routers to discover and maintain awareness of the paths through the network automatically.


1- Overview: Principle of routing tables

[Figure: two routers, R1 and R2, connected through network 204.92.76.0 (R1 is .1, R2 is .2). The other networks in the figure are 192.168.201.0, 204.92.77.0 and 204.92.75.0, attached through interfaces e0, e1 and e2. Beside each router is a routing table with the columns Network, Mask, Next hop and If, partly filled in with the networks 204.92.75.0, 204.92.76.0, 204.92.77.0, 192.168.201.0 and 0.0.0.0 (default), the mask 255.255.255.0 and the next hops 204.92.76.1 and 204.92.76.2. Exercise: fill in this table.]

An important function of the IP layer is IP routing, which provides the basic mechanism for routers to interconnect different physical networks. The router only has information about two kinds of destinations:
- networks that are directly attached to one of the physical networks to which the router is attached;
- hosts or networks for which the router has been given explicit definitions.
The metric gives an indication of the cost of a route to a destination. Metrics are based on the number of hops, the bandwidth, the delay, etc.


1- Overview: Routing table: the metric

[Figure: the same two routers R1 and R2, now connected by two paths, one marked "primary route" and the other "secondary route". The routing table has the columns Network, Mask, Next hop, If and metric (mask 255.255.255.0 everywhere): the directly attached networks 204.92.76.0, 192.168.201.0 and 204.92.77.0 have metric 0, and the entries reached through a next hop (204.92.76.1 or 204.92.77.1) have metric 1.]

The metric gives an indication of the cost of a route to a destination and allows a choice to be made when several routes are available.


1- Overview: Other advantages of static routing

[Figure: a router attached over an ISDN link.]

If dynamic routing is used on an ISDN link, the connection must stay up continuously for the routing information updates: high cost.

Normally, static routes are used only in simple network topologies. However, there are additional circumstances in which static routing can be attractive. For example, static routes can be used:
- To manually define a default route. This route is used to forward traffic when the routing table does not contain a more specific route to the destination.
- To define a route that is not automatically advertised within a network.
- When utilization or line tariffs make it undesirable to send routing advertisement traffic through lower-capacity WAN connections.
- When complex routing policies are required. For example, static routes can be used to guarantee that traffic destined for a specific host traverses a designated network path.
- To provide a more secure network environment. The administrator is aware of all subnetworks defined in the environment and specifically authorizes all communication permitted between these subnetworks.
- To provide more efficient resource utilization. This method of routing table management requires no network bandwidth to advertise routes between neighbouring devices. It also uses less processor memory and fewer CPU cycles to calculate network paths.


1- Overview: Example of routing (1)

[Figure: an Internet connection to network 140.252.1 (hosts 140.252.1.4, 140.252.1.11, 140.252.1.32, 140.252.1.92, 140.252.1.183). Routers with the addresses 140.252.1.29, 140.252.13.66, 140.252.13.65, 140.252.13.33 and 140.252.13.35 link it to network 140.252.13.32, which holds the hosts 140.252.13.33, 140.252.13.34 and 140.252.13.35.]

Network 140.252.13.32, mask /27, host address 140.252.13.35:

IP address 140.252.13.35 : 10001100.11111100.00001101.00100011
Mask /27                 : 11111111.11111111.11111111.11100000
Network 140.252.13.32    : 10001100.11111100.00001101.00100000


1- Overview: Example of routing (2) - Routing table

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0 (ethernet)

To go to 140.252.13.65: G: go through the gateway; H: this address is the full IP address of a host; U: this route is up. Refcnt: number of TCP sessions; Use: number of packets sent to this address.


1- Overview: Example of routing (3) - Routing table

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use   Interface
140.252.13.65/32    140.252.13.35   UGH    0       0     eth0
140.252.13.32/27    140.252.13.34   U      4       2543  eth0 (ethernet)

To go to 140.252.13.32: no G flag, direct route; this address is the IP address of a network; U: this route is up.

Direct route: route to a network connected to this machine, on this interface.


1- Overview: Example of routing (4) - Routing table

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use   Interface
140.252.13.65/32    140.252.13.35   UGH    0       0     eth0
140.252.13.32/27    140.252.13.34   U      4       2543  eth0
127.0.0.1/32        127.0.0.1       UH     0       0     lo0 (loopback)

To go to 127.0.0.1: H: this address is the full IP address of a host; the loopback carries traffic between two applications on the same machine; U: this route is up.


1- Overview: Example of routing (5) - Routing table

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use   Interface
140.252.13.65/32    140.252.13.35   UGH    0       0     eth0
140.252.13.32/27    140.252.13.34   U      4       2543  eth0
127.0.0.1/32        127.0.0.1       UH     0       0     lo0
default             140.252.13.33   UG     0       0     eth0 (ethernet)

Default route: go through the gateway 140.252.13.33 (G: indirect route); U: this route is up.


1- Overview: Example of routing (6) - Using the routing table

[Figure: same network diagram and routing table as Example (5).]

Example: search for IP address 140.252.13.35.

1- Search for the exact IP address (among the entries with flag H): fails.
2- Search on the network address: the network 140.252.13.32 is found, so the packet is sent to the MAC address of the searched host (140.252.13.35) on the Ethernet interface eth0.


1- Overview: Example of routing (7) - Using the routing table

[Figure: same network diagram and routing table as Example (5).]

Example: search for IP address 140.252.13.65.

1- Search for the exact IP address (among the entries with flag H): the address 140.252.13.65 is found. It is an indirect route (G), so the packet is sent to the MAC address of the router (140.252.13.35) on the Ethernet interface eth0.


1- Overview: Example of routing (8) - Using the routing table

[Figure: same network diagram and routing table as Example (5).]

Example: search for IP address 192.207.117.2.

1- Search for the exact IP address (among the entries with flag H): fails.
2- Search on the network address: fails.
3- Selection of the default route: indirect route (G), so the packet is sent to the MAC address of the router (140.252.13.33) on the Ethernet interface eth0.
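The three-step lookup of examples (6) to (8), together with the /27 mask computation of example (1), as an added Python example (not code from the course): the table rows are the netstat -rn output of host 140.252.13.34 from the slides, the Route class and function names are mine.

```python
"""Routing-table lookup in the three steps the slides describe: host route
(flag H), then network route, then the default route.
Constructed example; the table values come from the slides."""
from dataclasses import dataclass


@dataclass
class Route:
    destination: str   # "a.b.c.d/len" or "default"
    gateway: str
    flags: str         # U = up, G = via a gateway (indirect), H = host route
    interface: str


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix_len):
    """/27 -> 255.255.255.224 (27 one-bits followed by 5 zero-bits)."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def network_of(ip, prefix_len):
    """Bitwise AND of address and mask: 140.252.13.35/27 -> 140.252.13.32."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask_from_prefix(prefix_len)))


def to_binary(ip):
    """Dotted binary form, as drawn on the slide."""
    return ".".join(f"{int(x):08b}" for x in ip.split("."))


# netstat -rn on 140.252.13.34 (values from the slides)
ROUTING_TABLE = [
    Route("140.252.13.65/32", "140.252.13.35", "UGH", "eth0"),
    Route("140.252.13.32/27", "140.252.13.34", "U", "eth0"),
    Route("127.0.0.1/32", "127.0.0.1", "UH", "lo0"),
    Route("default", "140.252.13.33", "UG", "eth0"),
]


def lookup(table, dst):
    """Return (matched_by, next_hop, interface), or None if nothing matches.
    next_hop is the address to resolve with ARP on the interface: the
    destination itself for a direct route, the gateway for an indirect (G) one."""
    def usable(r):
        return "U" in r.flags

    def result(r, kind):
        next_hop = r.gateway if "G" in r.flags else dst
        return (kind, next_hop, r.interface)

    # 1. exact host entries (flag H)
    for r in table:
        if usable(r) and "H" in r.flags and r.destination.split("/")[0] == dst:
            return result(r, "host")
    # 2. network entries: destination ANDed with the entry's mask == its network
    for r in table:
        if usable(r) and "H" not in r.flags and r.destination != "default":
            net, plen = r.destination.split("/")
            if network_of(dst, int(plen)) == net:
                return result(r, "network")
    # 3. the default route
    for r in table:
        if usable(r) and r.destination == "default":
            return result(r, "default")
    return None


if __name__ == "__main__":
    for dst in ("140.252.13.35", "140.252.13.65", "192.207.117.2"):
        print(dst, "->", lookup(ROUTING_TABLE, dst))
```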



1- Overview: Example of routing (9) - Configuration

[Figure: same network diagram as Example (1).]

% netstat -rn
Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0
140.252.13.32/27    140.252.13.34   U      0       0    eth0
127.0.0.1/32        127.0.0.1       UH     0       0    lo0
default             140.252.13.33   UG     0       0    eth0

Creation of the direct routes: at interface configuration (ifconfig), one entry for the loopback and one entry for the local network.

Creation of the other routes: the route command. Examples:
route add default 140.252.13.33
route add -host 140.252.13.65 140.252.13.35


1- Overview: Example of routing (12)

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0 (ethernet)

To go to 140.252.13.65: G: go through the gateway; H: this address is the full IP address of a host; U: this route is up.


1- Overview: Example of routing (13)

[Figure: same network diagram as Example (1); the direct route's gateway shows that this is the table of the machine whose Ethernet address is 140.252.13.33.]

Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0
140.252.13.32/27    140.252.13.33   U      0       0    eth0 (ethernet)

To go to 140.252.13.32: no G flag, direct route; this address is the IP address of a network; U: this route is up.

Direct route: route to a network connected to this machine, on this interface.


1- Overview: Example of routing (14)

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0
140.252.13.32/27    140.252.13.33   U      0       0    eth0
127.0.0.1/32        127.0.0.1       UH     0       0    lo0 (loopback)

Loopback: traffic between two applications on the same machine.


1- Overview: Example of routing (15)

[Figure: same network diagram as Example (1).]

Destination         Gateway         Flags  Refcnt  Use  Interface
140.252.13.65/32    140.252.13.35   UGH    0       0    eth0
140.252.13.32/27    140.252.13.33   U      0       0    eth0
127.0.0.1/32        127.0.0.1       UH     0       0    lo0
default             140.252.1.29    UG     0       0    s0 (serial interface)

To go to the default: G: go through the gateway; U: this route is up.


Cisco - Static route command

ip route net-id netmask {next-hop-ip@ | interface} [distance]

1- net-id netmask: to go to this destination
2- interface: get out by this interface
3- next-hop-ip@: pass by this gateway
4- distance: the cost to reach the destination (administrative distance)

Examples:

ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 172.31.10.0 255.255.255.0 10.10.10.2 101
ip route 0.0.0.0 0.0.0.0 Serial3 192.168.20.1

Broadcast interface: when a static route points to a broadcast interface, the route is inserted into the routing table only when that interface is up.

If you point a static route to a broadcast interface, for example "ip route 0.0.0.0 0.0.0.0 Ethernet0", the route is inserted into the routing table only when the broadcast interface is up. This configuration is not recommended: when the next hop of a static route points to an interface, the router considers each host within the range of the route to be directly connected through that interface. With this type of configuration, the router performs Address Resolution Protocol (ARP) on the Ethernet for every destination it finds through the default route, because it considers all of these destinations to be directly connected to Ethernet 0. Specifying a numerical next hop on a directly connected interface prevents the router from performing ARP for each destination address. However, if the interface with the next hop goes down and the numerical next hop is reachable through a recursive route, you should specify both the next hop IP address and the interface through which the next hop should be found, for example "ip route 0.0.0.0 0.0.0.0 Serial3 192.168.20.1".

Administrative distance is the feature used by routers to select the best path when there are two or more different routes to the same destination from two different routing protocols. It defines the reliability of a routing protocol: each routing protocol is prioritized in order of most to least reliable (believable) using an administrative distance value, and the smaller the administrative distance value, the more reliable the protocol.


Cisco - Static routing configuration example

[Figure: R1 has S0 (.2) on 192.168.10.0/30 (2 Mb/s) towards the Internet (.1), S2 (.1) on 10.10.10.0/30 (2 Mb/s) to R2's S0 (.2), and S3 (.1) on 192.168.20.0/30 (64 kb/s) to R2's S1 (.2). R2 has E0 (.1) on 172.31.10.0/24.]

R1 configuration (default route; primary route with the default administrative distance = 1; backup route with another administrative distance):
ip route 0.0.0.0 0.0.0.0 Serial3/0
ip route 172.31.10.0 255.255.255.0 Serial2 10.10.10.2
ip route 172.31.10.0 255.255.255.0 Serial3 192.168.20.2 250

R2 configuration (primary default route; backup default route with another administrative distance):
ip route 0.0.0.0 0.0.0.0 Serial0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 Serial1 192.168.20.1 250

R1#show ip route
Codes: C - connected, S - static, * - candidate default
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 10.10.10.0/30 is directly connected, Serial2
C 192.168.10.0/30 is directly connected, Serial0
C 192.168.20.0/30 is directly connected, Serial3
S 172.31.10.0/24 [250/0] via 10.10.10.2, Serial2
S* 0.0.0.0/0 is directly connected, Serial3/0

R2#show ip route
Codes: C - connected, S - static, * - candidate default
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
C 172.31.10.0/24 is directly connected, Ethernet0
C 192.168.20.0/30 is directly connected, Serial1
C 10.10.10.0/30 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via 10.10.10.1

Only the primary route is inserted.

By default, static routes have an administrative distance of one, which gives them precedence over routes from dynamic routing protocols. By increasing the administrative distance to a value greater than that of a dynamic routing protocol, the static route can serve as a safety net in the event that dynamic routing fails. A static route configured with such an administrative distance is called a "floating" static route: it is installed in the routing table only when the preferred route disappears.
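The primary/floating static selection on R1, as an added Python example (not from the course): the prefixes, next hops, interfaces and distances are R1's from the slide, while the Candidate class and the function names are mine, and next-hop reachability is reduced to whether the outgoing interface is up.

```python
"""Route selection by administrative distance: per prefix, the candidate with
the lowest distance whose interface is up gets installed. Constructed example
built from R1's configuration on the slide."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Candidate:
    prefix: str               # e.g. "172.31.10.0/24"
    next_hop: Optional[str]   # None: exit-interface route (ip route ... Serial3/0)
    interface: str
    distance: int = 1         # Cisco default administrative distance of a static route
    source: str = "S"         # "S" static, "C" connected


# R1's candidate routes from the slide: three connected links (AD 0), the
# default route pointed at Serial3/0, and two static routes to 172.31.10.0/24:
# the primary via 10.10.10.2 (AD 1) and the floating one via 192.168.20.2 (AD 250).
R1_CANDIDATES = [
    Candidate("10.10.10.0/30", None, "Serial2", 0, "C"),
    Candidate("192.168.10.0/30", None, "Serial0", 0, "C"),
    Candidate("192.168.20.0/30", None, "Serial3", 0, "C"),
    Candidate("0.0.0.0/0", None, "Serial3/0"),
    Candidate("172.31.10.0/24", "10.10.10.2", "Serial2"),
    Candidate("172.31.10.0/24", "192.168.20.2", "Serial3", 250),
]


def install_routes(candidates, up_interfaces):
    """Per prefix, install the candidate with the lowest administrative
    distance whose outgoing interface is up. Simplification (my assumption):
    a real router also withdraws a static route when its next hop stops being
    reachable; here only the interface state is modelled."""
    table = {}
    for c in candidates:
        if c.interface not in up_interfaces:
            continue
        best = table.get(c.prefix)
        if best is None or c.distance < best.distance:
            table[c.prefix] = c
    return table


def show_ip_route(table):
    """Lines in the style of 'show ip route': [AD/metric] via next hop."""
    lines = []
    for prefix, c in sorted(table.items()):
        if c.next_hop is None:
            lines.append(f"{c.source} {prefix} is directly connected, {c.interface}")
        else:
            lines.append(f"{c.source} {prefix} [{c.distance}/0] via {c.next_hop}, {c.interface}")
    return lines


def route_to_r2_lan(up_interfaces):
    """(next hop, AD) R1 uses for 172.31.10.0/24, or None if it has no route."""
    c = install_routes(R1_CANDIDATES, up_interfaces).get("172.31.10.0/24")
    return None if c is None else (c.next_hop, c.distance)


if __name__ == "__main__":
    all_up = {"Serial0", "Serial2", "Serial3", "Serial3/0"}
    print("\n".join(show_ip_route(install_routes(R1_CANDIDATES, all_up))))
    print("--- Serial2 down: the floating static takes over ---")
    print("\n".join(show_ip_route(install_routes(R1_CANDIDATES, all_up - {"Serial2"}))))
```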


1- Overview: Exercise: Static routing

[Figure: exercise topology. Networks: 10.1.0.0/16 and 10.2.0.0/16 (within 10.0.0.0/8), 172.16.0.0/16, 172.17.0.0/16, 192.168.1.0/24 and 192.168.2.0/24 (within 192.168.0.0/16), plus an Internet link. Router interfaces are numbered IP@1 to IP@10. Each router has a partially filled routing table (destination prefix and next hop) with entries such as 10.1.0.0/16 via @IP1, 10.2.0.0/16 via @IP2, 172.16.0.0/16 via @IP4, 172.17.0.0/16 via @IP6, 192.168.1.0/24 via @IP7, 192.168.2.0/24 via @IP8 and 0.0.0.0/0 via @IP10.]

Complete the routing tables of the various routers to get access to all destinations.


1- Overview: Dynamic routing principle

- Routers advertise the networks they can reach.
- Routers calculate the routes from the advertisements.


1- Overview: Various routing protocol algorithms

Distance vector: RIP, BGP, IGRP (Cisco), DECnet (Phase IV)
Link state: OSPF, IS-IS, DECnet (Phase V)

RIP: Routing Information Protocol; IS-IS: Intermediate System to Intermediate System; OSPF: Open Shortest Path First; IGRP: Internet Gateway Routing Protocol; BGP: Border Gateway Protocol

The automatic discovery of routes can use a number of currently available dynamic routing protocols. The difference between these protocols is the way they discover and calculate new routes to destination networks. They can be classified into three broad categories:
- Distance vector protocols
- Link state protocols


1- Overview: Distance vector: principle

[Figure: routers R1, R2, R3, R4 and networks 1 to 5. R1 is attached to Network 1 (e1), Network 4 (e0) and Network 5 (e2); Network 2 is reached through R3 and Network 3 through R4.]

Routes are based on the number of hops (D = distance, V = vector). Alternative routes are not kept.

View of R1:
Network 1 (0 hop, e1)
Network 2 (1 hop, R3)
Network 3 (1 hop, R4)
Network 4 (0 hop, e0)
Network 5 (0 hop, e2)

Distance vector algorithms allow each device in the network to build and maintain a local IP routing table automatically. The principle behind distance vector routing is simple. Each router in the internetwork maintains the distance or cost from itself to every known destination. This value represents the overall desirability of the path: paths with a smaller cost value are more attractive than paths with a larger value, and the path with the smallest cost becomes the preferred path to the destination. This information is maintained in a distance vector table, which is periodically advertised to each neighbouring router. Each router processes these advertisements to determine the best paths through the network.


1- Overview: Distance vector: cost problem

[Figure: R1 is attached to Network 1 (e0) and Network 2 (e1). Network 3 can be reached either through R3 over a low-throughput link or through R2 over high-throughput links; counting hops only, R1 keeps the one-hop route through R3.]

View of R1 (no optimal route):
Network 3 (1 hop, R3)
Network 2 (0 hop, e1)
Network 1 (0 hop, e0)


1- Overview: Link state

[Figure: the same topology as the distance vector example (R1 to R4, networks 1 to 5). Each router builds the network topology: the view of R1 is the complete map of routers R1, R2, R3, R4 and networks 1 to 5, not only a next hop per network.]

Link state routing

The growth in the size and complexity of networks in recent years has necessitated the development of more robust routing algorithms, which address the shortcomings observed in distance vector protocols. These algorithms use the principle of a link state to determine the network topology. A link state is the description of an interface on a router (for example IP address, subnet mask, type of network) and its relationship to neighbouring routers. The collection of these link states forms a link state database. The process used by link state algorithms to determine the network topology is straightforward:
- Each router identifies all other routing devices on its directly connected networks.
- Each router advertises a list of all its directly connected network links and the associated cost of each link. This is performed through the exchange of link state advertisements (LSAs) with the other routers in the network.
- Using these advertisements, each router creates a database detailing the current network topology. The topology database is identical in every router.
- Each router uses the information in the topology database to compute the most desirable routes to each destination network. This information is used to update the IP routing table.


1- Overview: Various routing protocol classes

[Figure: the Internet as a set of autonomous systems (Janet, Sphinx, Sprint, DFN, Renater), each running its own interior protocol (RIP, OSPF, IGRP, EIGRP) and interconnected with BGP.]

2 classes of protocols:
- Interior Gateway Protocols (RIP, IGRP, OSPF, ...)
- Exterior Gateway Protocols (EGP, BGP, IS-IS, ...)

An AS (autonomous system) is defined as a logical portion of a larger IP network. An AS is normally comprised of an internetwork within an organization and is administered by a single management authority. Some routing protocols are used to determine routing paths within an AS; others are used to interconnect a set of autonomous systems:
- Interior Gateway Protocols (IGPs) allow routers to exchange information within an AS. Examples of these protocols are Open Shortest Path First (OSPF) and Routing Information Protocol (RIP).
- Exterior Gateway Protocols (EGPs) allow the exchange of summary information between autonomous systems. An example of this type of routing protocol is Border Gateway Protocol (BGP).

The figure shows the interior protocols used to maintain routing information within each AS, and the exterior protocols maintaining the routing information between autonomous systems. Within an AS, multiple interior routing processes may be used. When this occurs, the AS must appear to the other autonomous systems as having a single, coherent interior routing plan: the AS must present a consistent view of its internal destinations.


Routing 2. RIP protocol

Routing Information Protocol (RIP): RFC 1058 and RFC 1723

RIP is an example of an interior gateway protocol designed for use within small autonomous systems. In mid-1988, the IETF issued RFC 1058, which describes the standard operations of a RIP system. However, the RFC was issued after many RIP implementations had been completed. For this reason, some RIP systems do not support the entire set of enhancements to the basic distance vector algorithm (for example, poison reverse and triggered updates).


RIP: router start-up

[Figure: routers A, B, C, D and a fifth, unlabelled router interconnected by networks N1 to N6. A is on N1 (1.1) and N3 (3.2); B on N1 (1.2), N2 (2.1) and N4 (4.1); C on N2 (2.2) and N5 (5.1); D on N3 (3.1) and N6 (6.2); the fifth router on N4 (4.2), N5 (5.2) and N6 (6.1). Addresses are written x.y: address y on network Nx.]

Distance vector tables at start-up (Net, Hop, Cost):

A: N1 1.1 0; N3 3.2 0
B: N1 1.2 0; N2 2.1 0; N4 4.1 0
C: N5 5.1 0; N2 2.2 0
D: N3 3.1 0; N6 6.2 0
fifth router: N5 5.2 0; N6 6.1 0; N4 4.2 0

The distance vector table describes each destination network. The entries in this table contain the following information:
- The destination network (vector) described by this entry in the table.
- The associated cost (distance) of the most attractive path to reach this destination. This provides the ability to differentiate between multiple paths to a destination. In this context, the terms distance and cost can be misleading: they have no direct relationship to physical distance or monetary cost.
- The IP address of the next-hop device used to reach the destination network.
At router initialization, each device contains a distance vector table listing each directly attached network and its configured cost. Typically, each network is assigned a cost of 1.


RIP: Update of the routing tables (1)

[Figure: A broadcasts its table on N1 (IP source 1.1, IP destination broadcast) and on N3 (IP source 3.2, IP destination broadcast): N1 and N3, each at cost 0. The receivers add 1 to each advertised cost.]

B: N1 1.2 0; N2 2.1 0; N4 4.1 0; N3 1.1 1 (learned from A)
D: N3 3.1 0; N6 6.2 0; N1 3.2 1 (learned from A)
A, C and the fifth router are unchanged.

RIP packet types

The RIP protocol specifies two packet types. These packets may be sent by any device running the RIP protocol:
- Request packets: a request packet queries neighbouring RIP devices to obtain their distance vector table. The request indicates whether the neighbour should return either a specific subset or the entire contents of the table.
- Response packets: a response packet is sent by a device to advertise the information maintained in its local distance vector table. The table is automatically sent every 30 seconds, and it is also sent as a response to a request packet generated by another RIP node.
When a response packet is received by a device, the information contained in the update is compared against the local distance vector table. If the update contains a lower cost route to a destination, the table is updated to reflect the new path.


RIP: Update of the routing tables (2)

[Figure: D broadcasts its table (N3 and N6 at cost 0, N1 at cost 1) on N3 and N6; the receivers add 1.]

A: N1 1.1 0; N3 3.2 0; N6 3.1 1 (learned from D)
fifth router: N5 5.2 0; N6 6.1 0; N4 4.2 0; N3 6.2 1; N1 6.2 2 (learned from D)


RIP: Update of the routing tables (3)

[Figure: B broadcasts its table (N1, N2 and N4 at cost 0, N3 at cost 1) on N1, N2 and N4; the receivers add 1.]

C: N5 5.1 0; N2 2.2 0; N1 2.1 1; N4 2.1 1; N3 2.1 2 (learned from B)
fifth router: N5 5.2 0; N6 6.1 0; N4 4.2 0; N3 6.2 1; N1 4.1 1; N2 4.1 1 (N1 is now 1 hop via B instead of 2 hops via D)


RIP: Update of the routing tables (4)

[Figure: the fifth router broadcasts its table (N4, N5 and N6 at cost 0, N1, N2 and N3 at cost 1) on N4, N5 and N6; the receivers add 1.]

B: N1 1.2 0; N2 2.1 0; N4 4.1 0; N3 1.1 1; N5 4.2 1; N6 4.2 1
C: N5 5.1 0; N2 2.2 0; N1 2.1 1; N4 2.1 1; N3 2.1 2; N6 5.2 1
D: N3 3.1 0; N6 6.2 0; N1 3.2 1; N5 6.1 1; N4 6.1 1; N2 6.1 2


RIP: Update of the routing tables (5)

[Figure: B broadcasts its table again (N1, N2 and N4 at cost 0, N3, N5 and N6 at cost 1); the receivers add 1.]

A: N1 1.1 0; N3 3.2 0; N6 3.1 1; N2 1.2 1; N4 1.2 1; N5 1.2 2 (learned from B)
The other tables are unchanged: they already hold routes at least as good.


RIP: Update of the routing tables (6)

[Figure: A broadcasts its complete table (N1 and N3 at cost 0; N6, N2 and N4 at cost 1; N5 at cost 2). B and D add 1 but already hold routes at least as good, so nothing changes.]


RIP: Update of the routing tables (7)

[Figure: C broadcasts its complete table (N5 and N2 at cost 0; N1, N4 and N6 at cost 1; N3 at cost 2). B and the fifth router add 1 but nothing changes: all the tables have converged.]

A: N1 1.1 0; N3 3.2 0; N6 3.1 1; N2 1.2 1; N4 1.2 1; N5 1.2 2
B: N1 1.2 0; N2 2.1 0; N4 4.1 0; N3 1.1 1; N5 4.2 1; N6 4.2 1
C: N5 5.1 0; N2 2.2 0; N1 2.1 1; N4 2.1 1; N3 2.1 2; N6 5.2 1
D: N3 3.1 0; N6 6.2 0; N1 3.2 1; N5 6.1 1; N4 6.1 1; N2 6.1 2
fifth router: N5 5.2 0; N6 6.1 0; N4 4.2 0; N3 6.2 1; N1 4.1 1; N2 4.1 1

During an adverse condition, the length of time for every device in the network to produce an accurate routing table is called the convergence time.


RIP: slow convergence

[Figure: routers A, B and C in a row, with N1 attached to A. After up to 30 s, A sends the advertisement "N1; cost=1" to B; after another 30 s, B sends the advertisement "N1; cost=2" to C.]

In RIP the convergence time can be very long: a router passes on a change only in its next periodic advertisement, so a change takes up to 30 s per hop to propagate.


RIP: metric = hop count

[Figure: networks N1 to N6 connected by links of 2 Mb/s and one link of 64 kb/s. The routing table of the router on the left reads N1 1.1 0; N2 2.1 0; N3 3.1 0; N4 2.2 1; N5 3.2 1; N6 2.2 1: the hop count takes no account of the link speeds.]

The route selected by RIP is not the fastest.

Solution: assign a minimum cost to a route.


RIP: Failure in the network (1)

[Figure: the converged five-router topology of the previous slides. A loses its connection to N1; the tables start to change as the next periodic updates (+1) arrive.]

While the routing tables are converging, networks are susceptible to inconsistent routing behaviour. This can cause routing loops or other types of unstable packet forwarding.


RIP: Failure in the network (2)

[Figure: intermediate state. A's entries for N2, N4 and N5, formerly via 1.2 (B), are being replaced by routes learned from D (3.1); D's advertisement arrives as N3 and N6 at cost 1, N5 and N4 at cost 2, N2 at cost 3 after the +1.]


RIP: Failure in the network (3)

[Figure: third exchange after the failure; the tables of A, B, C and D (Net / Hop / Cost) have converged on the new paths, with the +1 increments applied at each hop.]


Counting to infinity (1)

[Figure: network N1 on interface 1 of router A, network N2 between interface 2 of A and router B, network N3 behind B. Table of A (Net / Hop / Cost): N1 0, N2 0, N3 1. Table of B: N1 1, N2 0, N3 0. Each router broadcasts its routing table every 30 s.]


Counting to infinity (2)

[Figure: at t0 N1 becomes unreachable from A. B's periodic broadcast (every 30 s) still announces N1 at cost 1, so A installs N1 via B at cost 2 (+1); A's next broadcast makes B raise its entry for N1 to 3 (via A); B's next broadcast makes A raise it to 4, and so on.]

Convergence and counting to infinity

Given sufficient time, this algorithm will correctly calculate the distance vector table on each device. However, during this convergence time, erroneous routes may propagate through the network. The manner in which the costs in the distance vector table increment gives rise to the term counting to infinity. The cost continues to increment, theoretically to infinity. To minimize this exposure, whenever a network is unavailable, the incrementing of metrics through routing updates must be halted as soon as it is practical to do so. In a RIP environment, costs continue to increment until they reach a maximum value of 16. This limit is defined in the RFC. A side effect of the metric limit is that it also limits the number of hops a packet can traverse from source network to destination network. In a RIP environment, any path exceeding 15 hops is considered invalid. The routing algorithm will discard these paths.


Split horizon

[Figure: the same scenario with split horizon: B does not announce N1 in the broadcast it sends onto N2, the interface through which it learned N1, so A's table is no longer polluted by B's update; B's stale entry for N1 (learned from A) disappears only when it times out.]

There are two enhancements to the basic distance vector algorithm that can minimize the counting to infinity problem:
- Split horizon with poison reverse
- Triggered updates
These enhancements do not impact the maximum metric limit.

Split horizon

The excessive convergence time caused by counting to infinity may be reduced with the use of split horizon. This rule dictates that routing information is prevented from exiting the router on an interface through which the information was received. The convergence occurs considerably faster using the split horizon rule. The limitation to this rule is that each node must wait for the route to the unreachable destination to time out before the route is removed from the distance vector table. In RIP environments, this timeout is at least three minutes after the initial outage. During that time, the device continues to provide erroneous information to other nodes about the unreachable destination. This propagates routing loops and other routing anomalies.


Poison Reverse

[Figure: the same scenario with poison reverse: B still lists N1 in the update it sends onto N2, but as unreachable, so at the next exchange A and B both mark N1 unreachable instead of counting up; compared with plain split horizon, no timeout is needed.]

Poison reverse

Poison reverse is an enhancement to the standard split horizon implementation. It is supported in RFC 1058. With poison reverse, all known networks are advertised in each routing update. However, those networks learned through a specific interface are advertised as unreachable in the routing announcements sent out to that interface. This drastically improves convergence time in complex, highly-redundant environments. With poison reverse, when a routing update indicates that a network is unreachable, routes are immediately removed from the routing table. This breaks erroneous, looping routes before they can propagate through the network. This approach differs from the basic split horizon rule where routes are eliminated through timeouts.

Triggered updates

Like split horizon with poison reverse, algorithms implementing triggered updates are designed to reduce network convergence time. With triggered updates, whenever a router changes the cost of a route, it immediately sends the modified distance vector table to neighboring devices. This mechanism ensures that topology change notifications are propagated quickly, rather than at the normal periodic interval.
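An added example (not the course's own code) replaying the two-router scenario of the counting-to-infinity, split-horizon and poison-reverse slides: A is on N1 and N2, B on N2 and N3, N1 fails at A, and B's 30 s update goes out first, as in the figure. A keeps the dead route at metric 16 and goes on advertising it, as the hold-down slide describes; the simulation counts the broadcasts until both routers agree that N1 is unreachable.

```python
INFINITY = 16  # RIP "unreachable" metric, the limit fixed by RFC 1058


class Router:
    """A RIP-style distance-vector router; 'networks' are its directly attached nets."""

    def __init__(self, name, networks):
        self.name = name
        # dest -> [metric, next_hop, learned_on]; next_hop None means directly connected
        self.table = {n: [0, None, n] for n in networks}

    def advertisement(self, out_net, mode):
        """Distance vector sent onto out_net under the chosen loop-prevention rule."""
        adv = {}
        for dest, (metric, next_hop, learned_on) in self.table.items():
            if next_hop is not None and learned_on == out_net:
                if mode == "split_horizon":
                    continue                 # say nothing about it on that interface
                if mode == "poison_reverse":
                    adv[dest] = INFINITY     # announce it back, but as unreachable
                    continue
            adv[dest] = metric
        return adv

    def receive(self, sender, on_net, adv):
        """Bellman-Ford update: cost via the sender is its cost + 1, capped at INFINITY."""
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(dest)
            if cur is None:
                if new < INFINITY:
                    self.table[dest] = [new, sender, on_net]
            elif cur[1] == sender or new < cur[0]:
                # the current next hop is always believed; anyone else must be better
                self.table[dest] = [new, sender, on_net]

    def network_down(self, net):
        # the dead network stays in the table at metric 16 so that it is advertised
        self.table[net] = [INFINITY, None, net]


def simulate(mode, max_broadcasts=40):
    """Replay the page's scenario: A on N1/N2, B on N2/N3, N1 fails at A.

    Returns one (sender, A's metric for N1, B's metric for N1) entry per 30 s
    broadcast until both routers agree that N1 is unreachable.
    """
    a = Router("A", ["N1", "N2"])
    b = Router("B", ["N2", "N3"])
    for _ in range(2):                       # steady state before the failure
        b.receive("A", "N2", a.advertisement("N2", mode))
        a.receive("B", "N2", b.advertisement("N2", mode))
    a.network_down("N1")
    history = []
    turns = [(b, a), (a, b)]                 # B's periodic update goes out first
    for i in range(max_broadcasts):
        src, dst = turns[i % 2]
        dst.receive(src.name, "N2", src.advertisement("N2", mode))
        history.append((src.name, a.table["N1"][0], b.table["N1"][0]))
        if a.table["N1"][0] == INFINITY and b.table["N1"][0] == INFINITY:
            break
    return history


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        h = simulate(mode)
        print(f"{mode:15s} converged after {len(h)} broadcasts ({30 * len(h)} s): {h[-1]}")
```

With no loop prevention the metric climbs 2, 3, 4, ... and only stops at 16 after sixteen broadcasts (8 minutes), whereas with poison reverse B's update already carries N1 as unreachable and two broadcasts suffice. Split horizon alone also converges in two here only because A still advertises the dead route at 16; if that entry were simply dropped, B would keep its stale route until the timeout the text describes.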


Hold-Down

[Figure: end of the failure on N1. The tables of A, B and C (Net / Hop / Cost) are followed through successive 30 s advertisements: the route that had become invalid is held down and is accepted again only at the 6th advertisement, that is after 6 x 30 s = 180 s.]

Hold-down is the amount of time the router will wait before sending flashes about RIP changes. RIP has a 3-minute hold-down timer.


Format of the RIP 1 message

Bits 0-7: Command (1 = Request, 2 = Response)
Bits 8-15: Version = 1
Bits 16-31: must be zero
Then one 20-byte entry per network:
  Address Family Id (16 bits): 2 for IP, followed by 16 bits set to zero
  Network 1 IP address (32 bits)
  64 bits set to zero
  Metric (32 bits): distance to network 1, value 1 to 15
  Address Family Id, Network 2 IP address, Metric (distance to network 2), and so on

RIP packet types

The RIP protocol specifies two packet types. These packets may be sent by any device running the RIP protocol:

Request packets: a request packet queries neighboring RIP devices to obtain their distance vector table. The request indicates if the neighbor should return either a specific subset or the entire contents of the table.

Response packets: a response packet is sent by a device to advertise the information maintained in its local distance vector table.

RIPv1 does not carry subnet masks in its messages.


Encapsulation of the RIPv1 messages

Ethernet frame: MAC dest = ff.ff.ff.ff.ff.ff (broadcast), MAC src = address of the sending interface.

IP header: Version, Header length, Type Of Service, Datagram length, Identification, Flag, Datagram Offset, TTL, Protocol = 17 (UDP), Checksum, Source IP address, Destination IP address = 255.255.255.255 (broadcast).

UDP header: UDP source port, UDP destination port = 520, UDP message length, UDP checksum.

RIP message: 512 bytes max (25 routes maxi).


Advantages / disadvantages of RIPv1

Advantages:
- Easy to implement
- Easy to configure, to maintain, to use
- Very useful in small networks

Disadvantages:
- Slow convergence
- Large bandwidth used by the protocol
- Metric difficult to interpret
- No multiple paths
- Vulnerable during the convergence time
- Arbitrary external route costs
- No managing of subnets
- No authentication of routing messages


The main advantage of distance vector algorithms is that they are typically easy to implement and debug. They are very useful in small networks with limited redundancy.

RIP limitations

There are a number of limitations observed in RIP environments:

Path cost limits: the resolution to the counting to infinity problem enforces a maximum cost for a network path. This places an upper limit on the maximum network diameter. Networks requiring paths greater than 15 hops must use an alternate routing protocol.

Network-intensive table updates: periodic broadcasting of the distance vector table can result in increased utilization of network resources. This can be a concern in reduced-capacity segments.

Relatively slow convergence: RIP, like other distance vector protocols, is relatively slow to converge. The algorithms rely on timers to initiate routing table advertisements.

No support for variable length subnet masking: route advertisements in a RIP environment do not include subnet masking information. This makes it impossible for RIP networks to deploy variable length subnet masks.


RIPv2

Advantages of RIPv2 compared with RIPv1:
- Allows subnet routing
- Authentication of the routing messages
- Multicast transmission

RIP-2 is described in RFC 1723. The standard was published in late 1994.


Multicast

[Figure: a LAN with several stations (MAC addresses shown) and a RIP-2 router; the router sends its updates to the destination MAC 01.00.5e.00.00.09, which only the stations listening on that multicast address pass up to IP.]

For each multicast address, there exists a set of zero or more hosts that listen for packets transmitted to the address. This set of devices is called a host group.

224.0.0.9: all RIP-2 routers.


Format of the RIP 2 message

Bits 0-7: Command (1 = Request, 2 = Response)
Bits 8-15: Version = 2
Bits 16-31: unused
Optional authentication entry (must be the first entry):
  Address Family Id = 0xFFFF (marks an authentication entry)
  Authentication type (16 bits): 0 = no authentication, 2 = password
  Authentication data (16 bytes)
Route entries (20 bytes each):
  Address Family Id (16 bits): 2 for IP
  Route tag (16 bits): internal or external route
  Network 1 IP address (32 bits)
  Subnet Mask (32 bits)
  Next Hop (32 bits)
  Metric (32 bits): distance to network 1, value 1 to 15

RIP-2 is described in RFC 1723. It provides these additional benefits not available in RIP-1:

Support for CIDR and VLSM: RIP-2 supports supernetting (that is, CIDR) and variable-length subnet masking. This support was the major reason the new standard was developed. This enhancement positions the standard to accommodate a degree of addressing complexity not supported in RIP-1.

Support for multicasting: RIP-2 supports the use of multicasting rather than simple broadcasting of routing announcements. This reduces the processing load on hosts not listening for RIP-2 messages. To ensure interoperability with RIP-1 environments, this option is configured on each network interface.

Support for authentication: RIP-2 supports authentication of any node transmitting route advertisements. This prevents fraudulent sources from corrupting the routing table.

Support for RIP-1: RIP-2 is fully interoperable with RIP-1. This provides backward-compatibility between the two standards.

The first entry in the update contains either a routing entry or an authentication entry.
- Route Tag: this field is intended to differentiate between internal and external routes. Internal routes are learned via RIP-2 within the same network or AS.
- Subnet Mask: this field contains the subnet mask of the referenced network.
- Next Hop: this field contains a recommendation about the next hop the router should use when sending datagrams to the referenced network.

The RIP-2 standard does not encrypt the authentication password. It is transmitted in clear text. This makes the network vulnerable to attack by anyone with direct physical access to the environment.


Encapsulation of the RIPv2 messages

Ethernet frame: MAC dest = 01.00.5E.00.00.09 (multicast), MAC src = address of the sending interface.

IP header: Version, Header length, Type Of Service, Datagram length, Identification, Flag, Datagram Offset, TTL, Protocol = 17 (UDP), Checksum, Source IP address, Destination IP address = 224.0.0.9 (multicast).

UDP header: UDP source port, UDP destination port = 520, UDP message length, UDP checksum.

RIP message: 512 bytes max (25 routes maxi).

RIP uses a specific packet format to share information about the distances to known network destinations. RIP packets are transmitted using UDP datagrams. RIP sends and receives datagrams using UDP port 520. RIP datagrams have a maximum size of 512 octets. Updates larger than this size must be advertised in multiple datagrams. In LAN environments, RIP datagrams are sent using the MAC all-stations broadcast address and an IP network broadcast address. In point-to-point or nonbroadcast environments, datagrams are specifically addressed to the destination device. A 512 byte packet size allows a maximum of 25 routing entries to be included in a single RIP advertisement.
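As an added example (not code from the course), the RIP-1 and RIP-2 message layouts above built and decoded with Python's struct module: it shows that a RIP-1 entry carries no mask, that 25 routes (24 after an authentication entry) fill the 512-byte datagram, and that the type-2 password comes back readable because it is not encrypted. The route values are taken from the debug output later on this page; the password is a constructed sample.

```python
import struct
from ipaddress import IPv4Address

RIP_UDP_PORT = 520
RIPV2_GROUP = "224.0.0.9"      # all RIP-2 routers
MAX_DATAGRAM = 512
AFI_IP = 2
AFI_AUTH = 0xFFFF              # first entry is an authentication entry
AUTH_PASSWORD = 2              # RFC 1723 authentication type 2: clear-text password
INFINITY = 16

HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, subnet mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")  # 0xFFFF, authentication type, 16 bytes of data


def max_routes(authenticated):
    """Routes that fit in one 512-byte datagram: 25, or 24 after an authentication entry."""
    return (MAX_DATAGRAM - HEADER.size) // ENTRY.size - (1 if authenticated else 0)


def build_response(version, routes, password=None):
    """routes: (prefix, mask, next_hop, tag, metric); RIP-1 sends mask, next hop and tag as zero."""
    body = b""
    if password is not None:
        if version != 2:
            raise ValueError("authentication entries exist only in RIP-2")
        body += AUTH_ENTRY.pack(AFI_AUTH, AUTH_PASSWORD, password.encode().ljust(16, b"\0"))
    for prefix, mask, next_hop, tag, metric in routes:
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} outside 1..16")
        if version == 1:
            mask, next_hop, tag = "0.0.0.0", "0.0.0.0", 0
        body += ENTRY.pack(AFI_IP, tag, IPv4Address(prefix).packed,
                           IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)
    msg = HEADER.pack(2, version, 0) + body   # command 2 = Response
    if len(msg) > MAX_DATAGRAM:
        raise ValueError(f"{len(routes)} routes exceed {MAX_DATAGRAM} bytes; split the update")
    return msg


def parse(msg):
    """Decode a RIP message; a type-2 password comes back readable, it is not encrypted."""
    command, version, _ = HEADER.unpack_from(msg)
    out = {"command": command, "version": version, "password": None, "routes": []}
    offset = HEADER.size
    while offset + ENTRY.size <= len(msg):
        afi = struct.unpack_from("!H", msg, offset)[0]
        if afi == AFI_AUTH and offset == HEADER.size:
            _, auth_type, data = AUTH_ENTRY.unpack_from(msg, offset)
            if auth_type == AUTH_PASSWORD:
                out["password"] = data.rstrip(b"\0").decode()
        else:
            _, tag, addr, mask, next_hop, metric = ENTRY.unpack_from(msg, offset)
            route = {"prefix": str(IPv4Address(addr)), "metric": metric}
            if version >= 2:   # RIP-1 leaves these fields zero: no subnet information
                route.update(mask=str(IPv4Address(mask)),
                             next_hop=str(IPv4Address(next_hop)), tag=tag)
            out["routes"].append(route)
        offset += ENTRY.size
    return out


if __name__ == "__main__":
    sample = [("172.16.201.0", "255.255.255.0", "0.0.0.0", 0, 1),
              ("172.16.104.0", "255.255.255.0", "0.0.0.0", 0, 3)]
    v2 = build_response(2, sample, password="secret")   # constructed password
    print(len(v2), "bytes ->", parse(v2))
    print("RIP-1:", parse(build_response(1, sample))["routes"])
    print("routes per datagram:", max_routes(False), "/", max_routes(True), "with auth")
```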


Relationship between IP and MAC in multicast mode

Address translation:
Multicast IP address 224.0.0.9 (class D, address of the group): 11100000 00000000 00000000 00001001
Multicast MAC address 01.00.5E.00.00.09: the low-order 23 bits of the IP address are copied into the low-order 23 bits of the MAC address.

Multicast addressing

Multicast devices use Class D IP addresses to communicate. These addresses are contained in the range encompassing 224.0.0.0 through 239.255.255.255. The mapping between the IP multicast destination address and the data-link address is not done with ARP. Instead, a static mapping has been defined. In an Ethernet network, multicasting is supported if the high-order octet of the data-link address is 0x01. The IANA has reserved the range 0x01005E000000 through 0x01005E7FFFFF for multicast addresses. This range provides 23 usable bits. The 32-bit multicast IP address is mapped to an Ethernet address by placing the low-order 23 bits of the Class D address into the low-order 23 bits of the IANA reserved address block.
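The static mapping above as an added example (not the course's code), with the consequence the text implies: since only 23 of the 28 group bits survive, 32 class D addresses share one MAC, so a station listening for 224.0.0.9 receives frames for all of them at the link layer and must filter again at IP.

```python
from ipaddress import IPv4Address

IANA_MCAST_BLOCK = 0x01005E000000   # 01-00-5E-00-00-00 .. 01-00-5E-7F-FF-FF (23 usable bits)
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group):
    """Static class D -> Ethernet mapping: low-order 23 bits of the IP into the IANA block."""
    addr = IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (224.0.0.0-239.255.255.255) address")
    mac = IANA_MCAST_BLOCK | (int(addr) & LOW_23_BITS)
    # rendered with dots, as the slides write MAC addresses
    return ".".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group):
    """The 5 address bits that are dropped (bits 23-27) make 32 groups collide on one MAC."""
    base = int(IPv4Address(group)) & (0xF0000000 | LOW_23_BITS)
    return [str(IPv4Address(base | (k << 23))) for k in range(32)]


if __name__ == "__main__":
    print("224.0.0.9 ->", multicast_mac("224.0.0.9"))
    aliases = groups_sharing_mac("224.0.0.9")
    print(len(aliases), "groups share that MAC, e.g.", aliases[:3], "...", aliases[-1])
```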


CISCO : RIP Configuration

R2# config terminal
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network <netid2>
R2(config-router)# network <netid3>
R2(config-router)# network <netid4>

[Figure: routers R1, R2 and R3 in a chain; R1 on netid1 and netid2, R2 on netid2, netid3 and netid4, R3 on netid4 and netid5; routing protocol RIPv2. RIP routing updates will be sent and received only through interfaces on the networks listed in the configuration.]

router rip: enable a RIP routing process.

network network-number: associate a network with a RIP routing process. RIP routing updates will be sent and received only through interfaces on this network. RIP sends updates to the interfaces in the specified networks. Also, if an interface's network is not specified, it will not be advertised in any RIP update.

version 2: RIP v2 supports authentication, key management, route summarization, classless interdomain routing (CIDR), and variable-length subnet masks (VLSMs).

no auto-summary: disable automatic summarization. RIP Version 2 supports automatic route summarization by default. The software summarizes subprefixes to the classful network boundary when crossing classful network boundaries. If you have disconnected subnets, disable automatic route summarization to advertise the subnets.

Static routes that point to an interface will be advertised via RIP, IGRP, and other dynamic routing protocols, regardless of whether redistribute static router configuration commands were specified for those routing protocols. These static routes are advertised because static routes that point to an interface are considered in the routing table to be connected and hence lose their static nature. However, if you define a static route to an interface that is not one of the networks defined in a network command, no dynamic routing protocols will advertise the route unless a redistribute static command is specified for these protocols.


Interface configuration

[Figure: three cases. A LAN with only one router, where broadcasting of RIP messages is not required: passive-interface. A LAN with only one router, but reached over a PSTN link: static route. A host with two interfaces, on which RIP should be implemented in order to select the best route.]

Example:

(config)# router rip
(config-router)# network network-to-be-advertised
(config-router)# network network-to-be-advertised
(config-router)# passive-interface interface

RIP modes of operation

RIP hosts have two modes of operation:

Active mode: devices operating in active mode advertise their distance vector table and also receive routing updates from neighboring RIP hosts. Routing devices are typically configured to operate in active mode.

Passive (or silent) mode: devices operating in this mode simply receive routing updates from neighboring RIP devices. They do not advertise their distance vector table. End stations are typically configured to operate in passive mode.


CISCO : Show RIP protocol

#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 13 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface        Send  Recv   Key-chain
    Ethernet0        1     1 2
    Ethernet1        1     1 2
  Routing for Networks:
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.200.4         120      00:00:22
    172.16.200.1         120      00:00:12
    172.16.200.3         120      00:00:07
    172.16.200.200       120      00:00:05
  Distance: (default is 120)

Callouts on this output:
- "Sending updates every 30 seconds": the routing table is broadcast every 30 s; "next due" gives the time to the next routing table transmission.
- "Invalid after 180 seconds": a route becomes invalid after 180 s without information about it; "hold down 180": after the end of a failure the route is kept invalid for another 180 s.
- "flushed after 240": when a route becomes invalid (metric = 16), the router keeps it in memory for 240 s.
- "Distance": weight added to the original metric, which is a function of the routing protocol: RIP 120, OSPF 110, IGRP 100, ...

Administrative distance is the feature used by routers to select the best path when there are two or more different routes to the same destination from two different routing protocols. Administrative distance defines the reliability of a routing protocol. Each routing protocol is prioritized in order of most to least reliable (believable) using an administrative distance value. Administrative distance is the first criterion that a router uses to determine which routing protocol to use. The smaller the administrative distance value, the more reliable the protocol.

When several routing protocols are implemented in a CISCO router, it adds a distance (weight) to the original metric: RIP 120, OSPF 110, IGRP 100. If two protocols provide route information for the same destination with the same metric, for example one route learned by RIP and another by OSPF, the router selects the OSPF route.

The Cisco IOS software sends routing information updates every 30 seconds; this process is termed advertising. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by the non-updating router as being unusable. If there is still no update after 240 seconds, the router removes all routing table entries for the non-updating router.


CISCO : show IP route

r202# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
       T - traffic engineered route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 14 subnets
C       172.16.200.0 is directly connected, Ethernet0
C       172.16.202.0 is directly connected, Ethernet1
R       172.16.204.0 [120/1] via 172.16.200.4, 00:00:00, Ethernet0
R       172.16.201.0 [120/1] via 172.16.200.1, 00:00:20, Ethernet0
R       172.16.203.0 [120/1] via 172.16.200.3, 00:00:14, Ethernet0
R       172.16.1.0 [120/1] via 172.16.200.200, 00:00:14, Ethernet0

When several routing protocols are implemented in a CISCO router, it adds an administrative distance (weight) to the original metric: RIP 120, OSPF 110, IGRP 100. In the output above, [120/1] is the administrative distance (120 for RIP) followed by the metric (1 hop). If two protocols provide routes with the same metric to a destination, for example one learned by RIP and another by OSPF, the router selects the OSPF route.

Default administrative distances:
Connected interface: 0
Static route: 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route: 5
External Border Gateway Protocol (BGP): 20
Internal EIGRP: 90
IGRP: 100
OSPF: 110
Intermediate System-to-Intermediate System (IS-IS): 115
Routing Information Protocol (RIP): 120
Exterior Gateway Protocol (EGP): 140
On Demand Routing (ODR): 160
External EIGRP: 170
Internal BGP: 200
Unknown: 255


CISCO : Debug RIP events

r202#deb ip rip events
RIP event debugging is on
r202#
00:45:46: RIP: received v1 update from 172.16.200.4 on Ethernet0
00:45:46: RIP: Update contains 1 routes
00:45:52: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (172.16.200.2)
00:45:52: RIP: Update contains 1 routes
00:45:52: RIP: Update queued
00:45:52: RIP: sending v1 update to 255.255.255.255 via Ethernet1 (172.16.202.1)
00:45:52: RIP: Update sent via Ethernet0
00:45:52: RIP: Update contains 13 routes
00:45:52: RIP: Update queued
00:45:52: RIP: Update sent via Ethernet1
00:45:57: RIP: received v1 update from 172.16.200.1 on Ethernet0
00:45:57: RIP: Update contains 1 routes
00:46:02: RIP: received v1 update from 172.16.200.200 on Ethernet0
00:46:02: RIP: Update contains 9 routes
00:46:05: RIP: received v1 update from 172.16.200.3 on Ethernet0
00:46:05: RIP: Update contains 1 routes
r202#u all


CISCO : Debug RIP

r202#deb ip rip
RIP protocol debugging is on
r202#
00:46:24: RIP: received v1 update from 172.16.200.1 on Ethernet0
00:46:24: 172.16.201.0 in 1 hops
00:46:31: RIP: received v1 update from 172.16.200.200 on Ethernet0
00:46:31: 172.16.1.0 in 1 hops
00:46:31: 172.16.2.0 in 1 hops
00:46:31: 172.16.104.0 in 3 hops
00:46:31: 172.16.105.0 in 3 hops
00:46:31: 172.16.106.0 in 3 hops
00:46:31: 172.16.100.0 in 2 hops
00:46:31: 172.16.101.0 in 3 hops
00:46:31: 172.16.102.0 in 3 hops
00:46:31: 172.16.103.0 in 3 hops
00:46:34: RIP: received v1 update from 172.16.200.3 on Ethernet0
00:46:34: 172.16.203.0 in 1 hops
00:46:43: RIP: received v1 update from 172.16.200.4 on Ethernet0
00:46:43: 172.16.204.0 in 1 hops
00:46:46: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (172.16.200.2)
00:46:46: subnet 172.16.202.0, metric 1
00:46:46: RIP: sending v1 update to 255.255.255.255 via Ethernet1 (172.16.202.1)
00:46:46: subnet 172.16.204.0, metric 2
00:46:46: subnet 172.16.200.0, metric 1
00:46:46: subnet 172.16.201.0, metric 2
00:46:46: subnet 172.16.203.0, metric 2
00:46:46: subnet 172.16.1.0, metric 2
00:46:46: subnet 172.16.2.0, metric 2
00:46:46: subnet 172.16.104.0, metric 4
00:46:46: subnet 172.16.105.0, metric 4
00:46:46: subnet 172.16.106.0, metric 4
00:46:46: subnet 172.16.100.0, metric 3
00:46:46: subnet 172.16.101.0, metric 4
00:46:46: subnet 172.16.102.0, metric 4
00:46:46: subnet 172.16.103.0, metric 4
00:46:52: RIP: received v1 update from 172.16.200.1 on Ethernet0
00:46:52: 172.16.201.0 in 1 hops
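An added example (not code from the course) that reads debug ip rip output like the above, rebuilds the RIP-learned routes with the distance-vector acceptance rule, and flags updates from a source that is not one of the neighbours listed under "Routing Information Sources"; since RIPv1 carries no authentication, the router itself would accept such an update. The trusted list is taken from the show ip protocols output above; the lines from 172.16.200.77 are constructed to show the check firing.

```python
import re

# Neighbours listed under "Routing Information Sources" in the show ip protocols output
TRUSTED_SOURCES = {"172.16.200.1", "172.16.200.3", "172.16.200.4", "172.16.200.200"}

UPDATE_RE = re.compile(r"^(\d\d:\d\d:\d\d): RIP: received v(\d) update from (\S+) on (\S+)$")
ROUTE_RE = re.compile(r"^(\d\d:\d\d:\d\d): (\d+\.\d+\.\d+\.\d+) in (\d+) hops$")

# Lines from the debug ip rip output above, plus one constructed update from a
# source that is not a known neighbour (172.16.200.77) announcing a shorter path.
SAMPLE_LOG = """\
00:46:24: RIP: received v1 update from 172.16.200.1 on Ethernet0
00:46:24: 172.16.201.0 in 1 hops
00:46:31: RIP: received v1 update from 172.16.200.200 on Ethernet0
00:46:31: 172.16.1.0 in 1 hops
00:46:31: 172.16.104.0 in 3 hops
00:46:31: 172.16.100.0 in 2 hops
00:46:34: RIP: received v1 update from 172.16.200.3 on Ethernet0
00:46:34: 172.16.203.0 in 1 hops
00:46:40: RIP: received v1 update from 172.16.200.77 on Ethernet0
00:46:40: 172.16.104.0 in 1 hops
00:46:46: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (172.16.200.2)
00:46:46: subnet 172.16.202.0, metric 1
00:46:52: RIP: received v1 update from 172.16.200.1 on Ethernet0
00:46:52: 172.16.201.0 in 1 hops
""".splitlines()


def parse_debug(lines, trusted=TRUSTED_SOURCES):
    """Rebuild the RIP-learned routes from debug lines and flag updates that an
    unauthenticated RIP-1 router would accept from a source it does not know."""
    routes = {}          # subnet -> (hops, source, interface)
    alerts = []
    current = None       # (source, interface) of the update being read
    for line in lines:
        m = UPDATE_RE.match(line)
        if m:
            ts, version, src, intf = m.groups()
            current = (src, intf)
            if src not in trusted:
                alerts.append(f"{ts}: RIPv{version} update from unknown source {src} on {intf}")
            continue
        m = ROUTE_RE.match(line)
        if not (m and current):
            current = None   # "sending ..." and other lines end the received block
            continue
        ts, subnet, hops = m.group(1), m.group(2), int(m.group(3))
        src, intf = current
        if hops >= 16:       # unreachable, nothing to install
            continue
        cur = routes.get(subnet)
        # distance vector rule: the current next hop is always believed, others must be better
        if cur is None or cur[1] == src or hops < cur[0]:
            if cur is not None and cur[1] != src and src not in trusted:
                alerts.append(f"{ts}: {src} replaces route to {subnet} "
                              f"({cur[0]} hops via {cur[1]}) with {hops} hops")
            routes[subnet] = (hops, src, intf)
    return routes, alerts


if __name__ == "__main__":
    routes, alerts = parse_debug(SAMPLE_LOG)
    for subnet, (hops, src, intf) in sorted(routes.items()):
        print(f"R {subnet} [120/{hops}] via {src}, {intf}")
    for alert in alerts:
        print("ALERT", alert)
```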


Routing 3. OSPF protocol


Open Shortest Path First (OSPF)

The Open Shortest Path First (OSPF) protocol is another example of an interior gateway protocol. It was developed as a nonproprietary routing alternative to address the limitations of RIP. Initial development started in 1988 and was finalized in 1991. Subsequent updates to the protocol continue to be published. The current version of the standard is documented in RFC 2328.

OSPF provides a number of features not found in distance vector protocols. Support for these features has made OSPF a widely deployed routing protocol in large networking environments. In fact, RFC 1812 Requirements for IPv4 Routers, lists OSPF as the only required dynamic routing protocol.

Equal cost load balancing: the simultaneous use of multiple paths may provide more efficient utilization of network resources.

Logical partitioning of the network: this reduces the propagation of outage information during adverse conditions. It also provides the ability to aggregate routing announcements that limit the advertisement of unnecessary subnet information.

Support for authentication: OSPF supports the authentication of any node transmitting route advertisements. This prevents fraudulent sources from corrupting the routing tables.

Faster convergence time: OSPF provides instantaneous propagation of routing changes. This expedites the convergence time required to update network topologies.

Support for CIDR and VLSM: this allows the network administrator to efficiently allocate IP address resources.


Shortest path tree

[Figure: routers Ra, Rb, Rc and Rd connected through networks 128.213.0.0, 192.213.11.0 and 222.211.10.0 with link costs of 10 and 5; on the right, the same topology as the tree seen from Ra (view of R1), with cumulative costs 0, 10, ... on each branch. Each router makes a tree representation of the network.]

Link cost = 100 000 000 / bandwidth (bps)

The SPF algorithm is used to process the information in the topology database. It provides a tree-representation of the network. The device running the SPF algorithm is the root of the tree. The output of the algorithm is the list of shortest-paths to each destination network. Because each router is processing the same set of LSAs, each router creates an identical link state database. However, because each device occupies a different place in the network topology, application of the SPF algorithm produces a different tree for each router.

cost = 100 000 000 / bandwidth (bps)

Example: cost of a 10 Mb/s Ethernet link: 10^8 / 10^7 = 10. Cost of a T1 link at 1.544 Mb/s: 10^8 / (1544 x 10^3) = 64 (integer part).


SPF database (Initialisation)

[Figure: routers Ra, Rb, Rc and Rd. Net 1 connects Ra (cost 3), Rb (cost 1) and Rc (cost 2); Net 2 connects Rb (cost 3) and Rd (cost 4); Net 3 connects Rc (cost 1) and Rd (cost 3). At initialisation each router knows only its own links (columns From / To / L = link / Cost).]

Database of Ra:
From To L  Cost
A    N1 11 3
A    B  11 3
A    C  11 3

Database of Rb:
From To L  Cost
B    N1 12 1
B    N2 21 3
B    A  12 1
B    C  12 1
B    D  21 3

Database of Rc:
From To L  Cost
C    N1 13 2
C    N3 32 1
C    A  13 2
C    B  13 2
C    D  32 1

Database of Rd:
From To L  Cost
D    N3 31 3
D    N2 22 4
D    B  22 4
D    C  31 3

All the databases are identical.

Link state database The link state database is also called the topology database. It contains the set of link state advertisements describing the OSPF network and any external connections.


SPF database (Updating)

[Figure: the same network; after the exchange of link state advertisements each of Ra, Rb, Rc and Rd holds the full database below (columns From / To / L = link / Cost).]

From To L  Cost
A    N1 11 3
A    B  11 3
A    C  11 3
B    N1 12 1
B    N2 21 3
B    A  12 1
B    C  12 1
B    D  21 3
C    N1 13 2
C    N3 32 1
C    D  32 1
C    A  13 2
C    B  13 2
D    N3 31 3
D    N2 22 4
D    B  22 4
D    C  31 3

All the Databases are identical.

Each router within the area maintains an identical copy of the link state database.


SPF calculation

[Figure: the same network and database. From router A the computation adds A's outgoing cost (+3) to each neighbour's distances: route to B = A,B with cost 3; route to C = A,C with cost 3; route to D = A,B,D with cost 3+3 = 6 or A,C,D with cost 3+1 = 4. The A,C,D path (cost 4) is the primary route to D and A,B,D the secondary one.]

There are two algorithms for computing a routing table from a link table. These are:
- the forward search algorithm (also known as Dijkstra's algorithm), and
- the backward search algorithm (also known as the Bellman-Ford algorithm).


SPF example : Network topology

[Figure: internetwork with routers R1 to R12, networks N1 to N12 and external destinations E12 to E15; the cost of each link is shown next to it (the full list is in the database exchanged on the following slides).]

Internetwork example.


SPF example : Init

[Figure: the same topology; next to each router, its initial database (Dest / Cost), listing only its directly connected links.]

R1: N1 3, N3 1
R2: N2 3, N3 1
R3: R6 8, N4 2, N3 1
R4: R5 8, N3 1
R5: R4 8, R6 7, R7 6, E12 8, E13 8, E14 8
R6: R10 7, R3 6, R5 6
R7: R5 6, N6 1, E12 2, E15 9
R8: N6 1, N7 4
R9: N11 3, N9 1
R10: R6 5, N6 1, N8 3
R11: N9 1, N8 2
R12: N9 1, N10 2, N12 10

Each node knows the directly connected links as well as the adjacent routers.


SPF example : Database exchange

[Figure: the same topology; the per-router databases are exchanged and every router now holds all the entries (Dest / Cost): R1N1 3, R1N3 1, R2N2 3, R2N3 1, R3R6 8, R3N4 2, R3N3 1, R4R5 8, R4N3 1, R5R4 8, R5R6 7, R5R7 6, R5E12 8, R5E13 8, R5E14 8, R6R10 7, R6R3 6, R6R5 6, R7R5 6, R7N6 1, R7E12 2, R7E15 9, R8N6 1, R8N7 4, R9N11 3, R9N9 1, R10R6 5, R10N6 1, R10N8 3, R11N9 1, R11N8 2, R12N9 1, R12N10 2, R12N12 10.]

After exchanges between routers, each router within the area maintains an identical copy of the link state database.


SPF example : Graph

[Figure: the link state database drawn as a weighted directed graph: routers R1 to R12, networks N1 to N12 and external destinations E12 to E15, with the cost written on each link.]

From its topology database, any router can know the network topology.


SPF example : router R6 - Shortest Path First

[Figure: the same graph with the shortest-path tree rooted at R6 highlighted; the cumulative cost to each node is written along the branches.]

Each router calculates the shortest path first (SPF) tree towards all destinations.


SPF example : Routing table of R6

[Figure: the topology with the shortest paths from R6 drawn: towards R3 for N1, N2, N3 and N4; towards R10 for N6 to N12, R7, E12 and E15; towards R5 for E13 and E14.]

Routing table of R6:
Dest.  Next hop  Cost
N1     R3        10
N2     R3        10
N3     R3        7
N4     R3        8
N6     R10       8
N7     R10       12
N8     R10       10
N9     R10       11
N10    R10       13
N11    R10       14
N12    R10       21
RT5    R5        6
RT7    R10       8
E12    R10       10
E13    R5        14
N14    R5        14
N15    R10       17

Routing tables are constructed by examining a link table whose entries detail the cost of each link in the network.

SPF example : Tree seen by R6

(Figure: the shortest-path tree rooted at R6, drawn from the routing table on the previous slide.)

  R6
   +- R3
   |   +- N3
   |   |   +- R1 -- N1
   |   |   +- R2 -- N2
   |   |   +- R4
   |   +- N4
   +- R10
   |   +- N6
   |   |   +- R7 -- E12, E15
   |   |   +- R8 -- N7
   |   +- N8
   |       +- R11
   |           +- N9
   |               +- R9 -- N11
   |               +- R12 -- N10, N12
   +- R5 -- E13, E14

Each router can see the network as a tree.

OSPF: Router Identifier

(Figure: a router with loopback addresses 7.7.7.7 and 5.5.5.5 and an interface address 9.9.9.9 takes RID 7.7.7.7, the highest loopback, even though an interface address is higher; a router without loopback takes its highest interface address, 3.3.3.3, as RID. The interface addresses shown are 9.9.9.9, 4.4.4.4, 2.2.2.2, 1.1.1.1 and 3.3.3.3.)

RID (Router ID) = highest loopback IP@; if there is no loopback, the highest interface IP@.

In OSPF, a unique identifier is assigned to each node: the RID (Router Identity). The RID is the highest loopback address or, with no loopback, the highest interface IP address on the box; it is calculated at boot time or whenever the OSPF process is restarted.

OSPF: Various types of links

Stub network link
Point-to-point link
Transit link

Stub network links: this term has nothing to do with stub areas. A stub segment is a segment that has one router only attached to it. An Ethernet or Token Ring segment that has one attached router is considered a link to a stub network. A loopback interface is also considered a link to a stub network, with a 255.255.255.255 mask (host route).

Point-to-point links: these could be physical or logical (subinterfaces) point-to-point serial link connections. These links could be numbered (an IP address is configured on the link) or unnumbered.

Transit links: these are interfaces connected to networks that have more than one router attached, hence the name transit.

OSPF: Transit network link

(Figure: several routers attached to one network; they are neighbours on that segment.)

Routers that share a common segment become neighbors on that segment. Neighbors are elected via the Hello protocol. Hello packets are sent periodically out of each interface using IP multicast.

OSPF: Neighbouring

(Figure: two routers, RID 3.3.3.3 and RID 4.4.4.4, attached to one network; the Hello exchange below is read top to bottom.)

  OSPF interface status on both routers: Down
  3.3.3.3 -> 4.4.4.4 : {Hello}                                (Hello interval 10s)
  4.4.4.4 -> 3.3.3.3 : {Hello}                                state: Init
  4.4.4.4 -> 3.3.3.3 : {Hello [neighbors: 3.3.3.3]}
  3.3.3.3 -> 4.4.4.4 : {Hello [neighbors: 4.4.4.4]}           state: Two-way
  3.3.3.3 : "4.4.4.4 is my neighbour"      4.4.4.4 : "3.3.3.3 is my neighbour"

Discovering neighbours - the OSPF Hello protocol

The Hello protocol discovers and maintains relationships with neighbour routers. Hello packets are periodically sent out to each router interface. The packet contains the RID of other routers whose hello packets have already been received over the interface. When a device sees its own RID in the hello packet generated by another router, these devices establish a neighbor relationship.

Hello and Dead Intervals: OSPF exchanges Hello packets on each segment. This is a form of keepalive used by routers in order to acknowledge their existence on a segment and in order to elect a designated router (DR) on multiaccess segments. The Hello interval specifies the length of time, in seconds, between the hello packets that a router sends on an OSPF interface. The dead interval is the number of seconds that a router's Hello packets have not been seen before its neighbors declare the OSPF router down. OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, these routers will not become neighbors on a particular segment. The router interface commands used to set these timers are:

ip ospf hello-interval seconds
ip ospf dead-interval seconds
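As an added example (not code from the course), the exchange on the slide above modelled in Python: two interfaces with RIDs 3.3.3.3 and 4.4.4.4 exchange Hellos, each moving its neighbour state from Down to Init to 2-Way, and a Hello whose Hello/Dead intervals do not match the receiving interface is dropped, as the notes require. The class and method names are this example's own; the adjacency states beyond 2-Way (ExStart to Full) are not modelled.

```python
# Added example, not from the course: a small model of the OSPF Hello
# exchange on the "Neighbouring" slide.  Each interface tracks a state per
# neighbour (Down -> Init -> 2-Way) and drops Hellos whose Hello/Dead
# intervals differ from its own.  Adjacency states beyond 2-Way are not
# modelled.


class Hello:
    """The fields of a Hello packet that matter for neighbour discovery."""

    def __init__(self, rid, hello_interval, dead_interval, neighbors):
        self.rid = rid
        self.hello_interval = hello_interval
        self.dead_interval = dead_interval
        self.neighbors = tuple(neighbors)   # RIDs the sender has heard from


class OspfInterface:
    def __init__(self, rid, hello_interval=10, dead_interval=40):
        self.rid = rid
        self.hello_interval = hello_interval
        self.dead_interval = dead_interval
        self.neighbors = {}                 # neighbour RID -> state

    def send_hello(self):
        # Every neighbour we have heard from (Init or better) is listed.
        return Hello(self.rid, self.hello_interval, self.dead_interval,
                     sorted(self.neighbors))

    def receive_hello(self, pkt):
        """Process a Hello and return the resulting neighbour state."""
        if (pkt.hello_interval, pkt.dead_interval) != (self.hello_interval,
                                                       self.dead_interval):
            return "REJECTED"               # timer mismatch: never a neighbour
        # Our own RID in the peer's list proves two-way communication; a
        # later Hello without it drops the state back to Init (1-Way event).
        state = "2-Way" if self.rid in pkt.neighbors else "Init"
        self.neighbors[pkt.rid] = state
        return state

    def state_of(self, rid):
        return self.neighbors.get(rid, "Down")


def hello_exchange(a, b, rounds=1):
    """Alternate Hellos between two interfaces on one segment, a first;
    returns (a's state for b, b's state for a)."""
    for _ in range(rounds):
        b.receive_hello(a.send_hello())
        a.receive_hello(b.send_hello())
    return a.state_of(b.rid), b.state_of(a.rid)


def demo():
    """The slide's two routers, plus a third one with different timers."""
    r3, r4 = OspfInterface("3.3.3.3"), OspfInterface("4.4.4.4")
    after_one = hello_exchange(r3, r4)      # R3 already sees itself listed
    after_two = hello_exchange(r3, r4)      # now R4 does too
    r5 = OspfInterface("5.5.5.5", hello_interval=30, dead_interval=120)
    rejected = r3.receive_hello(r5.send_hello())
    return after_one, after_two, rejected, r3.state_of("5.5.5.5")


if __name__ == "__main__":
    print(demo())
```

After the first pair of Hellos only 3.3.3.3 has reached 2-Way, because 4.4.4.4's Hello already listed it while its own first Hello listed nobody; the second pair brings both sides to 2-Way, which is the order the slide shows.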

OSPF: Designated Routers

(Figure: neighbours on a multi-access network, one of them elected DR and one BDR.)

DR : Designated Router
BDR : Backup Designated Router

Adjacencies

Adjacency is the next step after the neighboring process. Adjacent routers are routers that go beyond the simple Hello exchange and proceed into the database exchange process. In order to minimize the amount of information exchange on a particular segment, OSPF elects one router to be a designated router (DR), and one router to be a backup designated router (BDR), on each multi-access segment.

Designated and backup designated router

The exchange of link state information between neighbours can create significant quantities of network traffic. To reduce the total bandwidth required to synchronize databases and advertise link state information, a router does not necessarily develop adjacencies with every neighbouring device:
Multi-access networks: adjacencies are formed between an individual router and the (backup) designated router.
Point-to-point networks: an adjacency is formed between both devices.
Each multi-access network elects a designated router (DR) and backup designated router (BDR). The DR performs two key functions on the network segment:
It forms adjacencies with all routers on the multi-access network. This causes the DR to become the focal point for forwarding LSAs.
It generates network link advertisements listing each router connected to the multi-access network.
The BDR forms the same adjacencies as the designated router. It assumes DR functionality when the DR fails.

OSPF: DR election

DR based on the highest priority and the highest RID on a segment.

(Figure: two segments. On the first, R1 and R2 both have P=1, so the DR is the router with the highest RID. On the second, R2 (P=1) and R3 (P=2) are attached, and the DR is R3, the router with the highest priority. The RIDs shown on the slide are 3.3.3.3, 2.2.2.2 and 4.4.4.4.)

RID = Router ID : highest loopback IP@, if no loopback, the highest interface IP@.
RID : Router ID   P : Priority   DR : Designated Router

DR Election

DR and BDR election is done via the Hello protocol. Hello packets are exchanged via IP multicast packets on each segment. The router with the highest OSPF priority on a segment will become the DR for that segment. The same process is repeated for the BDR. In case of a tie, the router with the highest RID will win. The default for the interface OSPF priority is one. Remember that the DR and BDR concepts are per multiaccess segment. Setting the OSPF priority on an interface is done using the interface command ip ospf priority <value>. A priority value of zero indicates an interface which is not to be elected as DR or BDR. The state of the interface with priority zero will be DROTHER.

In the above diagram, R1 and R2 have the same interface priority but R2 has a higher RID. R2 would be DR on that segment. R3 has a higher priority than R2. R3 is DR on that segment.
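The RID rule of the "Router Identifier" slide and the election rule above, written out as an added Python example (not code from the course). The RIDs and priorities used in the demonstration are constructed values, chosen so that the second segment matches the slide (R3 with priority 2 beats R2). One caveat the slide does not mention: a running OSPF election is not pre-emptive, so an existing DR keeps its role when a better router appears; the function below models the slide's rule for a segment coming up at once.

```python
# Added example, not from the course: Router ID selection and the DR/BDR
# election rule from the slides.  Addresses are compared as 32-bit values
# (IPv4Address), not as strings, so 10.0.0.1 ranks above 9.9.9.9.
from ipaddress import IPv4Address


def router_id(loopbacks, interfaces):
    """Highest loopback address wins; without a loopback, the highest
    interface address.  Computed once, at boot or OSPF process restart."""
    candidates = loopbacks or interfaces
    if not candidates:
        raise ValueError("a router needs at least one IP address for a RID")
    return str(max(IPv4Address(a) for a in candidates))


def elect_dr_bdr(routers):
    """routers: [(rid, priority)] attached to one multi-access segment.
    Highest priority wins, highest RID breaks a tie; priority 0 means
    'never DR or BDR'.  The BDR is the best of the remaining routers.
    (Slide's rule; a live election is not pre-emptive.)"""
    ranked = sorted(((prio, IPv4Address(rid), rid)
                     for rid, prio in routers if prio > 0), reverse=True)
    dr = ranked[0][2] if ranked else None
    bdr = ranked[1][2] if len(ranked) > 1 else None
    return dr, bdr


def interface_state(rid, routers):
    """State the router with `rid` ends up in on that segment."""
    dr, bdr = elect_dr_bdr(routers)
    return "DR" if rid == dr else "BDR" if rid == bdr else "DROTHER"


# Constructed sample segments (RIDs chosen for the example):
# equal priorities, so the higher RID wins ...
SEGMENT_EQUAL_PRIORITY = [("2.2.2.2", 1), ("3.3.3.3", 1)]
# ... and a priority 2 router against a priority 1 router, as on the slide.
SEGMENT_R2_R3 = [("3.3.3.3", 1), ("4.4.4.4", 2)]
# A priority 0 interface is never elected, whatever its RID.
SEGMENT_WITH_ZERO = [("9.9.9.9", 0), ("1.1.1.1", 1)]

if __name__ == "__main__":
    print(router_id(["7.7.7.7", "5.5.5.5"], ["9.9.9.9"]))   # 7.7.7.7
    print(elect_dr_bdr(SEGMENT_EQUAL_PRIORITY))             # DR 3.3.3.3
    print(elect_dr_bdr(SEGMENT_R2_R3))                      # DR 4.4.4.4
    print(interface_state("9.9.9.9", SEGMENT_WITH_ZERO))    # DROTHER
```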

Setting the ospf priority

ip ospf priority <value>

(Figure: RTA with E0 (P=1) on network 192.213.11.0/24 and E1 (P=2) on network 192.213.12.0/24.)

RTA#
interface Ethernet0
 ip address 192.213.11.1 255.255.255.0
interface Ethernet1
 ip address 192.213.12.2 255.255.255.0
 ip ospf priority 2

A priority value of zero indicates an interface which is not to be elected as DR or BDR. The state of the interface with priority zero will be DROTHER.

Check the OSPF configuration

(Figure: transit network 203.250.14.0/24. The router with RID 203.250.15.1 is DR; the router with loopback 203.250.13.41 (RID 203.250.13.41), whose E0 (P=1) has address 203.250.14.1, is BDR. The output below is taken on that BDR router.)

#show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 203.250.14.1 255.255.255.0, Area 0.0.0.0
  Process ID 10, Router ID 203.250.13.41, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 203.250.15.1, Interface address 203.250.14.2
  Backup Designated router (ID) 203.250.13.41, Interface address 203.250.14.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:02
  Neighbor Count is 3, Adjacent neighbor count is 3
    Adjacent with neighbor 203.250.15.1  (Designated Router)

The above output shows very important information:
- the area (0.0.0.0);
- the process ID;
- the router ID. Remember that the RID is the highest IP address on the box or the loopback interface, calculated at boot time or whenever the OSPF process is restarted;
- the state of the interface: DR, BDR or DROTHER;
- the OSPF priority (default is 1);
- the neighbor count and the adjacent neighbor count.

The information about the network type is important and will determine the state of the interface. On broadcast networks such as Ethernet, the election of the DR and BDR should be irrelevant to the end user. It should not matter who the DR or BDR are. In other cases, such as NBMA (Non Broadcast Multiple Access) media such as Frame Relay and X.25, this becomes very important for OSPF to function correctly. Fortunately, with the introduction of point-to-point and point-to-multipoint subinterfaces, DR election is no longer an issue.

Check adjacencies

(Figure: transit network 203.250.14.0/24 with three routers, all with interface priority 1: RID 203.250.15.1 (DR), RID 203.250.13.41 with loopback 203.250.13.41 (BDR, interface E0), and RID 203.250.12.1 with loopback 203.250.12.1. Their interface addresses on the segment are 203.250.14.2, 203.250.14.1 and 203.250.14.3.)

#show ip ospf neighbor
Neighbor ID     Pri   State          Dead Time   Address         Interface
203.250.12.1      1   2WAY/DROTHER   0:00:34     203.250.14.3    Ethernet0
203.250.15.1      1   FULL/DR        0:00:36     203.250.14.2    Ethernet0
203.250.13.41     1   FULL/BDR       0:00:37     203.250.14.1    Ethernet0

The show ip ospf neighbor command shows the state of all the neighbors on a particular segment. Do not be alarmed if the "Neighbor ID" does not belong to the segment you are looking at. This is "OK" because the "Neighbor ID" is actually the RID, which could be any IP address on the box.

Status:
Down: no information has been received from anybody on the segment.
Attempt: on non-broadcast multi-access clouds such as Frame Relay and X.25, this state indicates that no recent information has been received from the neighbor. An effort should be made to contact the neighbor by sending Hello packets at the reduced rate PollInterval.
Init: the interface has detected a Hello packet coming from a neighbor but bidirectional communication has not yet been established.
2-Way: the router has seen itself in its neighbor's Hello packet.
Exstart: the two neighbors form a Master/Slave relationship where they agree on an initial sequence number. The sequence number is used to detect old or duplicate Link-State Advertisements (LSA).
Exchange: Database Description packets (DD) are exchanged.
Loading: link-state request packets are sent to neighbors, asking for more recent advertisements that have been discovered but not yet received.
Full: the neighbor routers are fully adjacent. The databases for a common area are an exact match between adjacent routers.

OSPF routing hierarchy

(Figure: an Autonomous System with area 0 (the backbone) in the centre and areas 1, 2 and 3 attached to it.)

OSPF areas

OSPF networks are divided into a collection of areas. An area consists of a logical grouping of networks and routers. The area may coincide with geographic or administrative boundaries. Each area is assigned a 32-bit area ID. Subdividing the network provides the following benefits:
Within an area, every router maintains an identical topology database describing the routing devices and links within the area. These routers have no knowledge of topologies outside the area. They are only aware of routes to these external destinations. This reduces the size of the topology database maintained by each router.
Areas limit the potentially explosive growth in the number of link state updates. Most LSAs are distributed only within an area.
Areas reduce the CPU processing required to maintain the topology database. The SPF algorithm is limited to managing changes within the area.

Backbone area and area 0

All OSPF networks contain at least one area. This area is known as area 0 or the backbone area. Additional areas may be created based on network topology or other design requirements. In networks containing multiple areas, the backbone physically connects to all other areas. OSPF expects all areas to announce routing information directly into the backbone. The backbone then announces this information into other areas.

Enabling OSPF on the CISCO Router

router ospf <process-id>
network <network or IP address> <mask> <area-id>

(Figure: RTA with E0 192.213.11.1 and E1 192.213.12.1 in Area 0, and E2 128.213.1.1 in Area 23.)

RTA#
interface Ethernet0
 ip address 192.213.11.1 255.255.255.0
interface Ethernet1
 ip address 192.213.12.2 255.255.255.0
interface Ethernet2
 ip address 128.213.1.1 255.255.255.0
router ospf 100
 network 192.213.0.0 0.0.255.255 area 0.0.0.0
 network 128.213.1.1 0.0.0.0 area 23

The OSPF process-id is a numeric value local to the router. It does not have to match process-ids on other routers. It is possible to run multiple OSPF processes on the same router, but is not recommended as it creates multiple database instances that add extra overhead to the router. The network command is a way of assigning an interface to a certain area. The mask is used as a shortcut and it helps putting a list of interfaces in the same area with one line configuration line. The mask contains wild card bits where 0 is a match and 1 is a "do not care" bit, e.g. 0.0.255.255 indicates a match in the first two bytes of the network number. The area-id is the area number we want the interface to be in. The area-id can be an integer between 0 and 4294967295 or can take a form similar to an IP address A.B.C.D.

The first network statement puts both E0 and E1 in the same area 0.0.0.0, and the second network statement puts E2 in area 23. Note the mask of 0.0.0.0, which indicates a full match on the IP address. This is an easy way to put an interface in a certain area if you are having problems figuring out a mask.
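How the wildcard mask of the network statement sorts interfaces into areas, as an added Python example (not code from the course): a wildcard bit of 0 must match and a bit of 1 is "don't care", and both forms of area-id are the same 32-bit value. The interface names and addresses are those of RTA on the slide; the first matching network statement wins, which is how the router applies them.

```python
# Added example, not from the course: the "network <address> <wildcard>
# area <id>" matching rule applied to RTA's interfaces from the slide.
from ipaddress import IPv4Address


def area_id_to_dotted(area):
    """An area-id is one 32-bit number, written either as an integer
    (0 .. 4294967295) or in dotted form: 23 == 0.0.0.23, 0 == 0.0.0.0."""
    text = str(area)
    value = int(text) if text.isdigit() else int(IPv4Address(text))
    return str(IPv4Address(value))        # raises ValueError if out of range


def wildcard_match(address, network, wildcard):
    """True when every bit where the wildcard is 0 agrees between the
    interface address and the network statement."""
    a, n, w = (int(IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def assign_areas(interfaces, network_statements):
    """interfaces: {name: ip}; network_statements: [(network, wildcard,
    area)] in configuration order.  Returns {name: dotted area} for the
    interfaces OSPF is enabled on; unmatched interfaces are left out."""
    areas = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in network_statements:
            if wildcard_match(ip, network, wildcard):
                areas[name] = area_id_to_dotted(area)
                break                      # first matching statement wins
    return areas


# RTA as configured on the slide.
RTA_INTERFACES = {
    "Ethernet0": "192.213.11.1",
    "Ethernet1": "192.213.12.2",
    "Ethernet2": "128.213.1.1",
}
RTA_NETWORK_STATEMENTS = [
    ("192.213.0.0", "0.0.255.255", "0.0.0.0"),   # first two bytes must match
    ("128.213.1.1", "0.0.0.0", "23"),            # exact interface address
]


def rta_areas():
    return assign_areas(RTA_INTERFACES, RTA_NETWORK_STATEMENTS)


if __name__ == "__main__":
    for name, area in rta_areas().items():
        print(f"{name}: area {area}")
```

With the slide's two statements E0 and E1 land in area 0.0.0.0 and E2 in area 0.0.0.23; a wildcard of 0.0.0.0 with an interface address, as the notes say, is the easy way to place one interface without working out a mask.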

Various types of routers

(Figure: AS 100 running OSPF with two areas. An Internal router sits inside one area; an Area Border Router (ABR) joins the two areas; an Autonomous System Border Router (ASBR) connects AS 100 to a RIP domain and, via BGP, to AS200.)

Intra-area, area border and AS boundary routers

There are three classifications of routers in an OSPF network.
Intra-Area Routers: this class of router is logically located entirely within an OSPF area. Intra-area routers maintain a topology database for their local area.
Area Border Routers (ABR): this class of router is logically connected to two or more areas. One area must be the backbone area. An ABR is used to interconnect areas. They maintain a separate topology database for each attached area. ABRs also execute separate instances of the SPF algorithm for each area.
AS Boundary Routers (ASBR): this class of router is located at the periphery of an OSPF internetwork. It functions as a gateway exchanging reachability between the OSPF network and other routing environments. ASBRs are responsible for announcing AS external link advertisements through the AS.

Example : Areas

(Figure: the SPF example network (N1..N12, R1..R12, E12..E16, H1) divided into Area 1, Area 2, Area 3 and the Backbone.)

Area example

Link-state advertisement packets

  LSA type                       Generated by   Flooded in   Describes
  Router link advertisement      All routers    area         state and cost of the router's links to the area (intra area)
  Network link advertisement     DR             area         all routers attached to the specific segment
  Summary link advertisement     ABR            areas        networks in the AS but outside of an area (inter area); location of the ASBR
  External link advertisement    ASBR           AS           destinations external to the AS (learned from another protocol), or a default route to the outside AS

Link state advertisements and flooding

Each router within the area maintains an identical copy of the link state database. The contents of an LSA describes an individual network component (that is, router, segment, or external destination). LSAs are exchanged between adjacent OSPF routers. This is done to synchronize the link state database on each device. When a router generates or modifies an LSA, it must communicate this change throughout the network. The router starts this process by forwarding the LSA to each adjacent device. Upon receipt of the LSA, these neighbors store the information in their link state database and communicate the LSA to their neighbors. This store and forward activity continues until all devices receive the update.

There are several types of Link State Advertisement:
The router links are an indication of the state of the interfaces on a router belonging to a certain area. Each router will generate a router link for all of its interfaces.
Summary links are generated by ABRs; this is how network reachability information is disseminated between areas. Normally, all information is injected into the backbone (area 0) and in turn the backbone will pass it on to other areas. ABRs also have the task of propagating the reachability of the ASBR. This is how routers know how to get to external routes in other ASs.
Network Links are generated by a Designated Router (DR) on a segment. This information is an indication of all routers connected to a particular multi-access segment such as Ethernet.
External Links are an indication of networks outside of the AS. These networks are injected into OSPF via redistribution. The ASBR has the task of injecting these routes into an autonomous system.

Some special IP multicast addresses are reserved for OSPF:
224.0.0.5: all OSPF routers should be able to transmit and listen to this address.
224.0.0.6: all DR and BDR routers should be able to transmit and listen to this address.

External metric type 1 (E1) and type 2 (E2)

(Figure: an ASBR injects N1 with metric type 1 (external cost 2) and N2 with metric type 2 (external cost 2). Reaching the ASBR costs 4 inside area 1, plus 3 more across the backbone area for a router beyond the area border.)

  Router at cost 4 from the ASBR      Router at cost 4+3 from the ASBR
  Dest   Cost                         Dest   Cost
  N1     4+2                          N1     4+2+3
  N2     2                            N2     2

External LSA with metric type 1: the cost is incremented by the internal cost.
External LSA with metric type 2: the internal cost is not considered. Metric type is 2 by default.

router ospf 10
 redistribute bgp | connected | egp | igrp | isis | static [ip] | rip metric 2 metric-type 1

External routes fall under two categories, external type 1 and external type 2. The difference between the two is in the way the cost (metric) of the route is being calculated. The cost of a type 2 route is always the external cost, irrespective of the interior cost to reach that route. A type 1 cost is the addition of the external cost and the internal cost used to reach that route. A type 1 route is always preferred over a type 2 route for the same destination. Unless otherwise specified, the default external type given to external routes is type 2.
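The two cost rules and the preference between types, as an added Python example (not code from the course) using the slide's figures: N1 injected as E1 with external cost 2, N2 as E2 with external cost 2, and an ASBR reached at cost 4 from inside area 1 or 4+3 from across the backbone. The ASBR names in the test data are made up. One step beyond the slide: when two E2 routes carry the same external cost, OSPF breaks the tie with the cheaper path to the ASBR (RFC 2328, section 16.4).

```python
# Added example, not from the course: costing and ranking of OSPF external
# routes of metric type 1 and 2, with the values on the slide.


def external_cost(metric_type, ext_cost, cost_to_asbr):
    """E1: the internal cost to the ASBR is added; E2: external cost only."""
    if metric_type == 1:
        return ext_cost + cost_to_asbr
    if metric_type == 2:
        return ext_cost
    raise ValueError("metric-type must be 1 or 2")


def best_external(candidates, cost_to_asbr):
    """Pick the preferred route among (metric_type, external_cost, asbr)
    candidates for one destination.  An E1 route always beats an E2 route,
    as the notes state; within a type the lower cost wins, and two E2
    routes with equal external cost are broken by the cheaper path to the
    ASBR (RFC 2328 section 16.4, not on the slide)."""
    def rank(route):
        mtype, ext, asbr = route
        return (mtype, external_cost(mtype, ext, cost_to_asbr[asbr]),
                cost_to_asbr[asbr])
    return min(candidates, key=rank)


def slide_tables():
    """The two 'Dest / Cost' tables on the slide: one router 4 away from
    the ASBR inside area 1, one 4 + 3 away across the backbone."""
    near = {"N1": external_cost(1, 2, 4), "N2": external_cost(2, 2, 4)}
    far = {"N1": external_cost(1, 2, 4 + 3), "N2": external_cost(2, 2, 4 + 3)}
    return near, far


if __name__ == "__main__":
    print(slide_tables())    # ({'N1': 6, 'N2': 2}, {'N1': 9, 'N2': 2})
```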

OSPF Advantages

No limitation on the hop count.
Support for CIDR and VLSM.
Better load balancing.
IP multicast to send link-state updates.
Faster convergence time than RIP.
Logical partitioning of the network.
Support for authentication.

Equal cost load balancing: the simultaneous use of multiple paths may provide more efficient utilization of network resources.
Logical partitioning of the network: this reduces the propagation of outage information during adverse conditions. It also provides the ability to aggregate routing announcements that limit the advertisement of unnecessary subnet information.
Support for authentication: OSPF supports the authentication of any node transmitting route advertisements. This prevents fraudulent sources from corrupting the routing tables.
Faster convergence time: OSPF provides instantaneous propagation of routing changes. This expedites the convergence time required to update network topologies.
Support for CIDR and VLSM: this allows the network administrator to efficiently allocate IP address resources.

Some special IP multicast addresses are reserved for OSPF:
224.0.0.5: all OSPF routers should be able to transmit and listen to this address.
224.0.0.6: all DR and BDR routers should be able to transmit and listen to this address.


Routing Evaluation Objective: to be able to configure RIP and OSPF dynamic routing

Thank you for answering the self assessment of the objectives sheet


DHCP : Dynamic Host Configuration Protocol


DHCP Session presentation

Objective: to be able to configure a DHCP server

Program:
1 BOOTP protocol
2 DHCP protocol
3 BOOTP agent
4 Address pool creation

DHCP
1 BOOTP protocol
2 DHCP protocol
3 BOOTP agent
4 Address pool creation

1 BOOTP protocol : Location of BOOTP and DHCP in TCP/IP protocol stack

(Figure: the protocol stack, top to bottom.)

  Application : DHCP / BOOTP
  Transport   : UDP
  Network     : IP
  Link        : MAC with LLC 802.2 / SNAP (Ethernet ISO 802.3), or Ethernet V2
BOOTstrap Protocol:
RFC 951 (Bootstrap Protocol, BOOTP)
RFC 1542 (Clarifications and Extensions for the Bootstrap Protocol)
Dynamic Host Configuration Protocol:
RFC 2131 (Dynamic Host Configuration Protocol)
RFC 2132 (DHCP Options and BOOTP Vendor Extensions)
The Dynamic Host Configuration Protocol provides dynamic configuration of IP addresses, prevents address conflicts, and centralises address management. The format of DHCP messages is defined to be compatible with the format of BOOTP messages.

1 BOOTP protocol : Principle of BOOTP

Originally, BOOTP was a protocol intended for hosts without a hard disk, to enable them to boot. Principle of the exchanges:

(Figure: a client with hardware address @MACa asking "@IP ?", and Server1 with hardware address @MACb and address @IPB.)

  1. Client -> broadcast : @MACa => ff.ff.ff.ff.ff.ff, @IP 0.0.0.0 => 255.255.255.255
     BOOTP_Request (chaddr: @MACa)
  2. Server1 -> Client   : @MACb => @MACa, @IPB => @IPY
     BOOTP_Response (chaddr: @MACa, yiaddr: @IPY, siaddr: @IPB, file: /etc/bootfile, netmask xx.xx.xx.xx)

chaddr : client hardware @   yiaddr : your IP @   siaddr : server IP @   file : path to boot file

The client sends a broadcast over the LAN to reach any BOOTP server that may be present. It provides its MAC address in the request message. The server will use this MAC address in order to answer the client in unicast mode. This MAC address is also used by the server to index its database and find the associated IP address. This protocol provides not only the information necessary to communicate (the IP address, the netmask, the default router IP address, the name server IP address) but also the location of the boot file to download. BOOTP has a variable vendor field which allows much more information to be provided. For a given host, it is always the same IP address which is assigned by the server. We will see later that DHCP enables, in addition, the dynamic allocation of IP addresses for a lease time.

1 BOOTP protocol : Use of BOOTP

(Figure: the two phases of a diskless boot.)

  BootP protocol : BOOTP Request  -->
                   <--  BOOTP Response (yiaddr = xx.xx.xx.xx, Boot_file_name = /etc/bootfile)
  TFTP protocol  : TFTP Request (file name = /etc/bootfile)  -->
                   <--  File transfer

Generally, a diskless machine downloads its boot file by means of TFTP (Trivial File Transfer Protocol).

1 BOOTP protocol : Various fields of BOOTP message

(Figure: BOOTP client (MAC@a, well-known UDP port 68) and BOOTP server (IP@s, MAC@b, well-known UDP port 67).)

Fields:
  ciaddr : client IP@
  yiaddr : your IP@
  siaddr : server IP@
  giaddr : gateway IP@
  chaddr : client hardware @
  sname  : server name
  file   : path to boot file
  vendor : extensions (RFC 1533)

Request (MAC@a => ff:ff:ff:ff:ff:ff, IP@ 0.0.0.0 => 255.255.255.255, UDP port 68 => 67):
  ciaddr => 0.0.0.0   yiaddr => 0.0.0.0   siaddr => 0.0.0.0   giaddr => 0.0.0.0
  chaddr => @MAC a    sname => 0          file => 0           vendor => 63825363

Response (MAC@b => MAC@a, IP@s => IP@ client, UDP port 67 => 68):
  ciaddr => 0.0.0.0   yiaddr => @IP client   siaddr => @IP(s)   giaddr => 0.0.0.0
  chaddr => @MAC a    sname => serv.alcatel.fr   file => /etc/bootfile   vendor => 63825363 options...

Requests and responses have the same format. Therefore, some fields are meaningless depending on the message type.

Request: it is a broadcast.
ciaddr: if the client has the ability to remember the last IP address it was assigned, or it has been reconfigured with an IP address via some alternate mechanism, the client MAY fill the 'ciaddr' field with that IP address.
siaddr: the client may already know the IP address of the server.
giaddr: always set to 0.
sname: the client may indicate the server name.
vendor 63825363: it is recommended that a BOOTP client always fill the first four bytes of the 'vend' (vendor information) field with a four-byte identifier called a "magic cookie".
file: "generic" if the client wishes to know the path to the boot file.

Response: the server fills in the various fields.
yiaddr: address assigned to the client.
file: if requested in the request, contains the path to the boot file.
Vendor extension: contains many parameters (netmask, name server list, router addresses, name server addresses, ...).

1 BOOTP protocol : BOOTP format

General format of BOOTP messages (four 1-byte columns per row):

  Operation | HWtype | address length | Hop count
  Identification
  Time | Flag
  Client IP address (ciaddr)
  Your IP address (yiaddr)
  Server IP address (siaddr)
  Gateway IP address (giaddr)
  Client hardware address (chaddr)   16 bytes
  Server name (sname)                64 bytes
  Boot file name                     128 bytes
  Vendor                             64 bytes

1 BOOTP protocol : Main options of vendor extensions

(Figure: the vendor field starts with the Magic Cookie x63.82.53.63, followed by options coded as Code / Parameter length / Parameters, and ends with xff.)

  Code   Length   Information
  0      0        Padding
  1      4        Netmask
  2      4        Time difference (UTC)
  3      n x 4    List of routers
  4      n x 4    List of time servers (NTP)
  6      n x 4    List of name servers (DNS)
  9      n x 4    List of printers
  12     n        Equipment name
  13     2        Size of boot file (in bytes)
  15     n        Domain name
  255    0        End of extensions (xff)

This list is valid only when the vendor field begins with the significant Magic Cookie x63.82.53.63.

1 BOOTP protocol : Exercise

1- Do you have to introduce the Bootp server IP@ in the configuration of the client ?
No, the client will request the Bootp server by means of a broadcast frame

2- What is the field carrying the IP@ assigned to the client by the Bootp server?
Yiaddr (Your IP address)

3- What is the role of the option field ?
Allows the Bootp server to provide the client with useful information like netmask, Name Server IP@, ... .

DHCP
1 BOOTP protocol
2 DHCP protocol
3 BOOTP agent
4 Address pool creation

2 DHCP protocol : Principle of the DHCP exchanges

(Figure: message sequence between the client and two servers; a broadcast reaches both servers.)

  Client  -->  all servers : Broadcast dhcp_discover (chaddr + requested services)
  Client  <--  Server 1    : Broadcast dhcp_offer (yiaddr + services)
  Client  <--  Server 2    : Broadcast dhcp_offer (yiaddr + services)
  Client  -->  all servers : Broadcast dhcp_request (chaddr + server1 + requested services)
  Client  <--  Server 1    : Broadcast dhcp_ack (yiaddr + services)
  Client : test of the IP@
  ... lease ...
  Client  -->  Server 1    : Unicast dhcp_request (request to keep IP@)
  Client  <--  Server 1    : Unicast dhcp_ack

Principle:
Several servers may answer a request.
DHCP-Discover: broadcast by the client to locate the DHCP servers.
DHCP-Offer: conveys the services offered by a DHCP server.
DHCP-Request: the client accepts the server's offer. Also used to extend the lease.
DHCP-Ack: the server provides the configuration to the client. IP addresses are provided:
- for a limited period (lease duration), unit = seconds (from 0 up to 100 years);
- permanently (permanent lease), lease time = ff.ff.ff.ff.
Some IP addresses can be allocated to specific clients (@MAC/@IP).
DHCP-Nack: this message can be sent back to the client when, for instance, the server refuses to extend the lease, or when the client has been slow to answer the offer.

2 DHCP protocol : DHCP decline

(Figure: the client and Server1.)

  Client  -->  Server1    : dhcp_discover
  Client  <--  Server1    : dhcp_offer (IP@a)
  Client  -->  Server1    : dhcp_request
  Client  <--  Server1    : dhcp_ack (IP@a)
  Client  -->  LAN        : Broadcast ARP request (@IPa)
  Client  <--  other host : ARP response (@IPa)     -- the address is already in use
  Client  -->  Server1    : dhcp_decline
DHCP-decline: sent when the client realizes that the IP address has already been assigned to another client. As a matter of fact, a client receiving an IP address usually tests it by sending an ARP request (gratuitous ARP) with this address as source address, for two reasons: to update the ARP cache of the other hosts on the same LAN, and to check that no machine answers, since an answer would mean that another machine has got the same IP address. In the latter case, the client sends a DHCP-decline message to the server.
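As an added example (not code from the course), the exchanges of the "Principle of the DHCP exchanges" slide and of the "DHCP decline" slide above, modelled in Python: two constructed servers answer a client's broadcast discover, the client keeps one offer and requests it, the server that was not chosen takes its reservation back, and an address that answers the gratuitous ARP probe is declined and a fresh discover sent. Server names, address pools and the MAC address are made-up sample values; the ARP probe is simulated by a set of addresses already in use on the LAN.

```python
# Added example, not from the course: a model of the exchanges on the
# "Principle of the DHCP exchanges" and "DHCP decline" slides.  Messages are
# dicts, a broadcast is delivered to every server on the LAN, and the
# gratuitous-ARP probe is simulated by a set of addresses already in use.


class DhcpServer:
    def __init__(self, name, pool, lease=3600):
        self.name, self.lease = name, lease
        self.free = list(pool)      # addresses available for offers
        self.offered = {}           # chaddr -> address reserved by an offer
        self.bound = {}             # chaddr -> address with an active lease
        self.declined = set()       # addresses a client reported as in use

    def handle(self, msg):
        kind, chaddr = msg["type"], msg["chaddr"]
        if kind == "DISCOVER":
            if not self.free:
                return None                      # nothing to offer: stay silent
            addr = self.free.pop(0)
            self.offered[chaddr] = addr
            return {"type": "OFFER", "server": self.name, "chaddr": chaddr,
                    "yiaddr": addr, "lease": self.lease}
        if kind == "REQUEST":
            addr = self.offered.pop(chaddr, None)
            if msg["server"] != self.name:       # another server was chosen
                if addr is not None:
                    self.free.insert(0, addr)    # take the reservation back
                return None
            if addr is None:                     # offer expired or unknown client
                return {"type": "NAK", "server": self.name, "chaddr": chaddr}
            self.bound[chaddr] = addr
            return {"type": "ACK", "server": self.name, "chaddr": chaddr,
                    "yiaddr": addr, "lease": self.lease}
        if kind == "DECLINE" and msg["server"] == self.name:
            addr = self.bound.pop(chaddr, None)
            if addr is not None:
                self.declined.add(addr)          # never offer it again
        return None


def broadcast(servers, msg):
    """Deliver one message to every server; collect the non-empty replies."""
    return [reply for reply in (s.handle(msg) for s in servers) if reply]


def dhcp_client(chaddr, servers, in_use, max_attempts=3):
    """DISCOVER / OFFER / REQUEST / ACK, then the ARP probe of the slide:
    an address that answers is declined and the cycle restarts.
    Returns (address, server name) or None."""
    for _ in range(max_attempts):
        offers = broadcast(servers, {"type": "DISCOVER", "chaddr": chaddr})
        if not offers:
            return None
        chosen = offers[0]                       # the client keeps one offer
        replies = broadcast(servers, {"type": "REQUEST", "chaddr": chaddr,
                                      "server": chosen["server"],
                                      "yiaddr": chosen["yiaddr"]})
        ack = next((r for r in replies if r["type"] == "ACK"), None)
        if ack is None:
            continue                             # NAK or silence: try again
        if ack["yiaddr"] in in_use:              # ARP reply: duplicate address
            broadcast(servers, {"type": "DECLINE", "chaddr": chaddr,
                                "server": ack["server"]})
            continue
        return ack["yiaddr"], ack["server"]
    return None


def run_exchange():
    """Constructed scenario: server1's first address is already in use."""
    server1 = DhcpServer("server1", ["10.0.0.10", "10.0.0.11"])
    server2 = DhcpServer("server2", ["10.0.0.20"])
    result = dhcp_client("aa:bb:cc:dd:ee:01", [server1, server2],
                         in_use={"10.0.0.10"})
    return result, server1, server2


if __name__ == "__main__":
    result, server1, server2 = run_exchange()
    print(result, server1.declined, server2.free)
```

In the constructed run the client first binds 10.0.0.10, finds it in use, declines it and ends up with 10.0.0.11 from server1; server1 marks 10.0.0.10 as declined so it is not offered again, and server2's 10.0.0.20 is back in its free pool both times because server1 was the selected server.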

2 DHCP protocol : DHCP_release

(Figure: the client, Server 1 and Server 2.)

  Client  -->  Server1 : dhcp_request
  Client  <--  Server1 : dhcp_ack                      (lease starts)
  Client  -->  Server1 : dhcp_release (IP@ released before lease expiration)
  Server1 : IP@ available again
DHCP-Inform: client to server, asking only for local configuration parameters; the client already has an externally configured network address.
DHCP-Release: client to server, relinquishing the network address and cancelling the remaining lease.

2 DHCP protocol : DHCP_inform

(Figure: a client already configured with IP@b, Server 1 and Server 2.)

  Client (IP@b)  -->  servers : dhcp_inform (ciaddr = IP@b)
  Client         <--  server  : dhcp_ack (DNS server IP@, default router, WWW server IP@, ...)
DHCP-Inform: client to server, asking only for local configuration parameters; the client already has an externally configured network address. If a client has obtained a network address through some other means (e.g., manual configuration), it may use a DHCPINFORM request message to obtain other local configuration parameters. Servers receiving a DHCPINFORM message construct a DHCPACK message with any local configuration parameters appropriate for the client, without allocating a new address, checking for an existing binding, filling in 'yiaddr' or including lease time parameters. The servers SHOULD unicast the DHCPACK reply to the address given in the 'ciaddr' field of the DHCPINFORM message.

2 DHCP protocol : Lease time and Renewal Time

(Figure: the client, Server 1 and Server 2.)

  Client  -->  Server1 : dhcp_request
  Client  <--  Server1 : dhcp_ack (lease time, renewal time, rebinding time)
           lease time (bail) starts
  ... renewal time elapses ...
  Client  -->  Server1 : Unicast dhcp_request (server 1) (request to keep IP configuration)
  Client  <--  Server1 : dhcp_ack (lease time, renewal time, rebinding time)
           new lease starts
Renewal time: this option specifies the time interval from address assignment until the client is authorised to request a renewal (usually, renewal time = lease time x 0.5).

2 DHCP protocol : Rebinding time

(Figure: the client, Server 1 (out of order) and Server 2.)

  Client  <--  Server1     : dhcp_ack (lease time, renewal time, rebinding time)
           lease time (bail) starts
  ... renewal time elapses ...
  Client  -->  Server1     : Unicast dhcp_request (server 1) (request to keep IP configuration)
           no answer: Server 1 is out of order
  ... rebinding time elapses ...
  Client  -->  all servers : Broadcast dhcp_request (request to keep IP configuration)
  Client  <--  Server2     : dhcp_ack (lease time, renewal time, rebinding time)

Rebinding time: if there is no response to the unicast renewal request, the rebinding time (option 59) is the time interval from address assignment until the client broadcasts its renewal request so that any DHCP server can answer (usually rebinding time = lease time x 0.875).

2 DHCP protocol - Lease timer expiration

Slide: the unicast dhcp_request sent at the renewal time and the broadcast dhcp_request sent at the rebinding time both go unanswered. When the lease time expires, the client must stop using the address and starts again from scratch with a broadcast dhcp_discover.
Lease time: a DHCP server uses this option (option 51) to specify the lease duration. A client that gets no answer to its renewal and rebinding requests must stop using the address as soon as the lease expires and return to the discovery phase.
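The three timers of the preceding slides, as an added example that is not part of the Alcatel course material: a small model of the DHCP client side that decides, from the lease start and the current time, whether to stay bound, unicast a renewal to the leasing server, broadcast a rebinding request or give the address up and start over. The T1/T2 defaults are the RFC 2131 ones (0.5 and 0.875 of the lease), overridden when the server sent options 58/59; the addresses, lease length and instants in demo() are constructed.

```python
"""Added example, not part of the Alcatel course material: a model of the DHCP
client timers T1 (renewal), T2 (rebinding) and lease expiry described above.

Defaults follow RFC 2131 section 4.4.5 (T1 = 0.5 x lease, T2 = 0.875 x lease)
unless the server sent options 58/59.  Addresses and times are constructed.
"""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "255.255.255.255"


@dataclass
class Lease:
    client_ip: str
    server_id: str            # option 54: the server that granted the lease
    start: float              # time (seconds) at which the DHCPACK was received
    lease_time: int           # option 51, seconds
    t1: Optional[int] = None  # option 58 if the server sent it
    t2: Optional[int] = None  # option 59 if the server sent it

    def renewal_at(self) -> float:
        return self.start + (self.t1 if self.t1 is not None else 0.5 * self.lease_time)

    def rebinding_at(self) -> float:
        return self.start + (self.t2 if self.t2 is not None else 0.875 * self.lease_time)

    def expires_at(self) -> float:
        return self.start + self.lease_time


def client_action(lease: Lease, now: float) -> dict:
    """What the client must do at time `now` if no DHCPACK has been received
    since `lease.start`: stay BOUND, unicast a renewal to the leasing server,
    broadcast a rebinding request to any server, or give the address up and
    start over with DHCPDISCOVER."""
    if now >= lease.expires_at():
        # the address must not be used any more; back to INIT
        return {"state": "INIT", "message": "DHCPDISCOVER", "dst": BROADCAST, "ciaddr": "0.0.0.0"}
    if now >= lease.rebinding_at():
        return {"state": "REBINDING", "message": "DHCPREQUEST", "dst": BROADCAST, "ciaddr": lease.client_ip}
    if now >= lease.renewal_at():
        return {"state": "RENEWING", "message": "DHCPREQUEST", "dst": lease.server_id, "ciaddr": lease.client_ip}
    return {"state": "BOUND", "message": None, "dst": None, "ciaddr": lease.client_ip}


def apply_ack(lease: Lease, now: float, lease_time: int, server_id: str,
              t1: Optional[int] = None, t2: Optional[int] = None) -> Lease:
    """A DHCPACK answering a renewal or rebinding request restarts every timer
    from the moment the ACK is received; the answering server (option 54)
    becomes the one the next unicast renewal is sent to."""
    return Lease(lease.client_ip, server_id, now, lease_time, t1, t2)


def demo() -> list:
    """Walk the scenario of the three slides: a one-hour lease, Server 1
    answers the first renewal, then stops answering (constructed values)."""
    lease = Lease("40.40.0.7", "40.40.0.1", start=0, lease_time=3600)
    steps = [client_action(lease, t)["state"] for t in (100, 1800)]
    lease = apply_ack(lease, now=1800, lease_time=3600, server_id="40.40.0.1")
    steps += [client_action(lease, t)["state"] for t in (1900, 3600, 4950, 5400)]
    return steps
```

demo() returns the state sequence BOUND, RENEWING, BOUND, RENEWING, REBINDING, INIT: after the ACK at t = 1800 the whole cycle restarts from that instant, which is why the rebinding broadcast happens at 1800 + 3150 = 4950 and the discover at 5400.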

2 DHCP protocol - DHCP message format

Field (size):
Operation (1 byte)
Type of support, i.e. hardware type (1 byte)
Hardware address length (1 byte)
Hop count (1 byte)
Identification, the transaction ID (4 bytes)
Time elapsed, in seconds (2 bytes)
Flags (2 bytes; the B bit asks the server to answer by broadcast)
Client IP address (ciaddr) (4 bytes)
Your IP address (yiaddr) (4 bytes)
Server IP address (siaddr) (4 bytes)
Gateway IP address (giaddr) (4 bytes)
Client hardware address (chaddr) (16 bytes)
Server name (sname) (64 bytes)
Boot file name (128 bytes)
Options: magic cookie (value 63 82 53 63) followed by the options (lease time, netmask, ...)

The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the 'options' field of the DHCP message. The data items themselves are also called "options". The format of DHCP messages is based on the format of BOOTP messages, to capture the BOOTP relay agent behaviour described as part of the BOOTP specification and to allow interoperability of existing BOOTP clients with DHCP servers. The list of parameters provided by the server can be very long. The client can tell the server in the DHCP-Discover or DHCP-Request which parameters it expects, using the Parameter Request List option (55). The server is not obliged to provide all requested parameters.

2 DHCP protocol - Coding of DHCP options

The options field starts with the magic cookie 0x63.82.53.63, followed by a sequence of (code, parameter length, parameter) triplets and terminated by the end-of-options code 0xff.
The first option is the DHCP message type: code 0x35 (53 decimal), parameter length 1, parameter = type of message. If this option is absent, the message is a plain BOOTP message.
1 DHCP_DISCOVER (client to server)
2 DHCP_OFFER (server to client)
3 DHCP_REQUEST (client to server)
4 DHCP_DECLINE (client to server)
5 DHCP_ACK (server to client)
6 DHCP_NAK (server to client)
7 DHCP_RELEASE (client to server)
8 DHCP_INFORM (client to server)

The first option should be option 53 (DHCP message type), which indicates that the message is a DHCP message and not a BOOTP message; this option must be present in every DHCP message. Any message received by a DHCP server that includes a 'DHCP message type' (53) option is assumed to have been sent by a DHCP client.
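The fixed header and the tagged options field described on the two preceding slides, as an added example (not code from the course): build a DHCPDISCOVER byte string and parse it back, telling DHCP from BOOTP by the magic cookie and option 53. The one check a parser of this format must not skip is that every option length stays inside the buffer, otherwise a crafted packet reads past the end; the parser below raises ValueError on that. Transaction ID, MAC address and requested options are constructed for the example.

```python
"""Added example, not from the course: building and parsing DHCP/BOOTP
messages with the fixed 236-byte header and the tagged options field
described above.  Transaction ID, MAC address and option values are
constructed for the example.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes.fromhex("63825363")
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def encode_options(options):
    """options: list of (code, value bytes) in order; the end marker is appended."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_message(op, xid, mac, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                  siaddr="0.0.0.0", giaddr="0.0.0.0", flags=0):
    header = HEADER.pack(op, 1, len(mac), 0, xid, 0, flags,
                         IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                         IPv4Address(siaddr).packed, IPv4Address(giaddr).packed,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + encode_options(options)


def parse_message(data):
    """Parse a DHCP/BOOTP message.  Every option length is checked against the
    buffer, so a malformed packet raises ValueError instead of being read past."""
    if len(data) < HEADER.size:
        raise ValueError("message shorter than the BOOTP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = HEADER.unpack_from(data)
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    msg = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "options": {}, "protocol": "BOOTP", "message_type": None,
    }
    body = data[HEADER.size:]
    if body[:4] != MAGIC_COOKIE:
        return msg                       # no cookie: plain BOOTP vendor area
    i = 4
    while i < len(body):
        code = body[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(body):
            raise ValueError("truncated option header for code %d" % code)
        length = body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the message" % code)
        msg["options"][code] = bytes(value)
        i += 2 + length
    mtype = msg["options"].get(OPT_MESSAGE_TYPE)
    if mtype is not None:
        # a message type option means DHCP, not BOOTP
        msg["protocol"] = "DHCP"
        msg["message_type"] = MESSAGE_TYPES.get(mtype[0], "unknown(%d)" % mtype[0])
    return msg


# constructed sample: a DHCPDISCOVER asking for options 1, 3, 6 and 15
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_DISCOVER = build_message(1, 0x3903F326, SAMPLE_MAC, [
    (OPT_MESSAGE_TYPE, b"\x01"),
    (55, bytes([1, 3, 6, 15])),          # parameter request list
    (61, b"\x01" + SAMPLE_MAC),          # client identifier: htype + MAC
])
```

parse_message(SAMPLE_DISCOVER) yields protocol "DHCP", message type DHCPDISCOVER and the parameter request list under key 55; the same header without a cookie is reported as BOOTP. Repeated option codes are overwritten rather than concatenated here (RFC 3396 long options are not handled).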

2 DHCP protocol - Main option codes

code  function
1     Subnet mask
2     Time offset
3     Router
4     Time server
6     DNS server
8     Cookie server
9     LPR (printer) server
12    Host name
15    Domain name
23    Default TTL
26    MTU
31    Perform router discovery
35    ARP cache timeout
42    NTP server

code  function
50    Requested IP address
51    IP address lease time
53    DHCP message type
54    Server identifier
55    Parameter request list
58    Renewal (T1) time value
59    Rebinding (T2) time value
61    Client identifier
66    TFTP server name
69    SMTP server
70    POP3 server
71    NNTP server
72    WWW server
74    IRC (Internet Relay Chat) server

In GPRS, the Client identifier option conveys the MSISDN of the MS. Parameter request list: this option is used by a DHCP client to request a list of desired parameters.

DHCP - chapter 3: BOOTP agent (chapters: 1 BOOTP protocol, 2 DHCP protocol, 3 BOOTP agent, 4 Address pool creation)

3 BOOTP agent - IP pool selection on a local DHCP server

Slide: a DHCP server directly connected to two LANs, interface 40.40.0.1 on network 40.40.0.0 and interface 50.50.0.1 on network 50.50.0.0, with two pools:
Pool 1: network 40.40.0.0, mask 255.255.0.0, start @ 40.40.0.2, end @ 40.40.0.100
Pool 2: network 50.50.0.0, mask 255.255.0.0, start @ 50.50.0.2, end @ 50.50.0.200
(1) a client on network 40.40.0.0 broadcasts a DHCP Discover (IP src 0.0.0.0, IP dest 255.255.255.255); (2) the server receives it on its interface 40.40.0.1; (3) it selects Pool 1, the pool of the sub-network of that interface.

When a server is directly connected to several LANs, it can select the correct pool from the IP address of the interface on which the request was received: it chooses the pool located in the same sub-network as that interface.

3 BOOTP agent - IP pool selection on a remote DHCP server

Slide: the same two pools now live on a DHCP server at 10.1.1.210, reached through a router acting as DHCP relay agent (interfaces 40.40.0.1 on network 40.40.0.0, 50.50.0.1 on network 50.50.0.0 and 10.1.1.101 towards the server).
(1) the client broadcasts a DHCP Discover (IP src 0.0.0.0, IP dest 255.255.255.255) on network 40.40.0.0, with giaddr = 0;
(2) the relay agent forwards it as a unicast DHCP Discover (IP src 40.40.0.1, IP dest 10.1.1.210) with giaddr = 40.40.0.1;
(3) the server selects Pool 1 from giaddr and sends its reply to 40.40.0.1.

In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP network or subnet. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. A BOOTP relay agent may more properly be thought of as receiving BOOTP messages as a final destination and then generating new BOOTP messages as a result. The router providing the BOOTP relay agent function knows the IP address of the DHCP server. When it receives a DHCP request from a client, it builds a new request whose giaddr field is filled in with the IP address of the interface that received the request from the client, and unicasts it to the server. This giaddr address allows the server to select the correct IP address pool and to send its response back to the router, which then delivers it to the client.
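The two pool-selection cases above (local interface versus giaddr) and the relay agent's rewriting of the request, as an added example that is not code from the course: messages are plain dictionaries standing in for the header fields of interest, the pools and addresses are those of the two slides, and the relay hop limit of 4 is an assumption. Because the server trusts giaddr to pick the pool and to address its reply, relaying should only be enabled on router interfaces that actually face clients; the code simply shows the mechanics.

```python
"""Added example, not from the course: how a DHCP server picks the address
pool for a request, locally (from the receiving interface) or through a
relay agent (from giaddr), and what the relay agent changes in the message.
Addresses are the ones of the two slides above; messages are plain dicts
with the header fields of interest (a constructed stand-in for real packets).
"""
import ipaddress

POOLS = [
    {"name": "Pool 1", "network": ipaddress.ip_network("40.40.0.0/16"),
     "start": ipaddress.ip_address("40.40.0.2"), "end": ipaddress.ip_address("40.40.0.100")},
    {"name": "Pool 2", "network": ipaddress.ip_network("50.50.0.0/16"),
     "start": ipaddress.ip_address("50.50.0.2"), "end": ipaddress.ip_address("50.50.0.200")},
]
SERVER_PORT, CLIENT_PORT = 67, 68
MAX_HOPS = 4   # assumed limit: relays drop requests that crossed too many relays


def relay_forward(msg, relay_iface_ip, server_ip):
    """Behaviour of the router's BOOTP relay agent for a client broadcast.
    Returns (forwarded message, destination) or None if the request is dropped."""
    if msg["hops"] >= MAX_HOPS:
        return None
    fwd = dict(msg)
    fwd["hops"] += 1
    if fwd["giaddr"] == "0.0.0.0":
        # first relay on the path: record the interface the request came in on
        fwd["giaddr"] = relay_iface_ip
    # a later relay leaves giaddr alone so the reply finds the first one
    return fwd, (server_ip, SERVER_PORT)


def select_pool(msg, receiving_iface_ip, pools=POOLS):
    """RFC 2131 4.3.1: the client's subnet is the one containing giaddr when
    the request was relayed, otherwise the one of the receiving interface."""
    key = ipaddress.ip_address(msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else receiving_iface_ip)
    for pool in pools:
        if key in pool["network"]:
            return pool
    return None


def allocate(pool, in_use):
    """First free address in the pool's start..end range, None when exhausted."""
    addr = pool["start"]
    while addr <= pool["end"]:
        if addr not in in_use:
            return addr
        addr += 1
    return None


def reply_destination(msg):
    """Where the server sends its OFFER/ACK: back to the relay agent (giaddr,
    port 67) when relayed, otherwise to the client on the local segment."""
    if msg["giaddr"] != "0.0.0.0":
        return (msg["giaddr"], SERVER_PORT)
    return ("255.255.255.255" if msg["broadcast"] else msg["yiaddr"], CLIENT_PORT)


def scenario():
    """The remote-server slide: a Discover on 40.40.0.0 relayed to 10.1.1.210,
    with 40.40.0.2 already leased (constructed)."""
    discover = {"op": 1, "hops": 0, "giaddr": "0.0.0.0", "broadcast": True, "yiaddr": "0.0.0.0"}
    fwd, dest = relay_forward(discover, relay_iface_ip="40.40.0.1", server_ip="10.1.1.210")
    # the server receives the unicast on 10.1.1.210, yet giaddr selects Pool 1
    pool = select_pool(fwd, receiving_iface_ip="10.1.1.210")
    offered = allocate(pool, in_use={ipaddress.ip_address("40.40.0.2")})
    fwd["yiaddr"] = str(offered)
    return pool["name"], str(offered), dest, reply_destination(fwd)
```

scenario() returns Pool 1, the offered address 40.40.0.3, the relay's destination (10.1.1.210, 67) and the server's reply destination (40.40.0.1, 67). For the local-server slide, the same select_pool call with giaddr = 0 picks the pool from the receiving interface instead.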

2 DHCP protocol - Exercise

1- What are the main advantages of DHCP compared to BOOTP?
DHCP provides: a lease time, a procedure allowing the use of several IP address servers, and more services in the option field.

2- What is the response to the Discover message?
Offer.

3- Mention the three main times provided by the DHCP server and their role.
Lease: lease time of the IP address.
Renewal: the time interval from address assignment until the client may request an extension from its own DHCP server (unicast).
Rebinding: the time interval from address assignment until the client may request an extension from any DHCP server (broadcast).

4- What should be the first option of any DHCP message?
DHCP message type (0x35, 53 decimal).

5- With a BOOTP relay agent, which parameter allows the server to select the correct IP address pool?
giaddr.

DHCP - chapter 4: Address pool creation (chapters: 1 BOOTP protocol, 2 DHCP protocol, 3 BOOTP agent, 4 Address pool creation)

4 Address pool creation - Linux DHCP modules

DHCP server daemon control: /etc/rc.d/init.d/dhcpd start | stop | restart

/etc/dhcpd.conf (the closing brace of the last subnet, missing on the slide, is restored):

### Managed by Linuxconf, you may edit by hand.
### Comments may not be fully preserved by linuxconf.
server-identifier 10.33.1.210;
default-lease-time 86400;
max-lease-time 604800;
option domain-name "mnc001.mcc208.gprs";
option domain-name-servers 10.33.1.210;

subnet 10.33.1.0 netmask 255.255.255.0 {
    range 10.33.1.1 10.33.1.100;
    option subnet-mask 255.255.255.0;
}
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.150 192.168.10.250;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
}
subnet 5.6.7.0 netmask 255.255.255.0 {
    range 5.6.7.1 5.6.7.49;
    range 5.6.7.51 5.6.7.101;
    range 5.6.7.103 5.6.7.110;
    default-lease-time 3600;
    max-lease-time 28800;
}
subnet 50.50.0.0 netmask 255.255.0.0 {
    range 50.50.0.2 50.50.0.20;
    range 50.50.0.30 50.50.0.40;
    range 50.50.0.50 50.50.0.60;
    default-lease-time 3600;
    max-lease-time 7200;
}


DHCP server configuration Evaluation Objective: to be able to configure a DHCP server

Thank you for answering the self assessment of the objectives sheet

PPP : Point-to-Point Protocol

Objective: to be able to configure a PPP access.
Program (PPP session presentation): 1 Overview, 2 LCP : Link Control Protocol, 3 Authentication, 4 NCP : Network Control Protocol, 5 CISCO configuration.

PPP - chapter 1: Overview

1 Overview - Why PPP

Slide: two hosts @IPA and @IPB exchange IP datagrams. On the LAN side (10BT Ethernet) the datagram travels in an Ethernet frame (@MAC dest, @MAC src, Type = IP, data, FCS). On the WAN side (V24 to a modem, modem-to-modem link) the same datagram travels in a PPP frame: Flag 7E (1 byte) | Address FF (1) | Control 03 (1) | Protocol 0021 (2) | IP datagram (46 - 1500) | CRC (2) | Flag 7E (1). PPP is the WAN protocol, Ethernet the LAN protocol; PAP/CHAP authentication also runs over the PPP link.

1 Overview - Various phases of PPP setup

Slide: a client dials an ISP through the PSTN and then reaches the IP network. The phases are:
LCP negotiation: compression, authentication protocol selection, ...
Authentication: PAP or CHAP
NCP negotiation: IP address, ...
Data transfer

LCP: Link Control Protocol. PAP: Password Authentication Protocol. CHAP: Challenge Handshake Authentication Protocol. NCP: Network Control Protocol.

1 Overview - PPP protocol situation in the IP stack

Slide: Network layer: IP, IPX, AppleTalk, each configured by its own NCP. Link layer: PPP over HDLC framing, with LCP, the NCPs and the authentication protocols PAP and CHAP. Physical layer: RS 232, RS 422, V28/V35, ...

1 Overview - PPP: a subset of HDLC

Slide: HDLC frame format = Flag 7E | Address field | Control field (SABM, SARM, UA, RR, RNR, REJ, I, FRMR, UI (03), ...) | Data | CRC | Flag 7E. Subsets of HDLC: LAP-B (X25), LAP-D (ISDN), LAP-F (Frame Relay) and PPP. PPP frame format: Flag 7E (1) | Address FF (1) | Control 03, i.e. a UI frame (1) | Protocol (2) | Data (46 - 1500) | CRC (2) | Flag 7E (1).

1 Overview - Main Protocol field coding

PPP supports various protocols; the Protocol field tells which one the data field carries. Main values:
0021  IP datagram
0029  AppleTalk datagram
002B  Novell IPX datagram
002D  TCP/IP compressed (Van Jacobson)
8021  IP Control Protocol (IPCP)
8029  AppleTalk Control Protocol
802B  Novell IPX Control Protocol
C021  LCP: Link Control Protocol
C023  PAP
C223  CHAP
There is one NCP per network protocol.

Frame: Flag 7E (1) | Address FF (1, all stations) | Control 03 (1, UI frame) | Protocol (2) | Data (46 - 1500) | CRC (2) | Flag 7E (1).

1 Overview - Protocol Codes (IANA)

0001 Padding Protocol
0003 ROHC small-CID [RFC3095]
0005 ROHC large-CID [RFC3095]
0007 to 001f reserved (transparency inefficient)
0021 Internet Protocol version 4
0023 OSI Network Layer
0025 Xerox NS IDP
0027 DECnet Phase IV
0029 Appletalk
002b Novell IPX
002d Van Jacobson Compressed TCP/IP
002f Van Jacobson Uncompressed TCP/IP
0031 Bridging PDU
0033 Stream Protocol (ST-II)
0035 Banyan Vines
0037 reserved (until 1993) [Typo in RFC1172]
0039 AppleTalk EDDP
003b AppleTalk SmartBuffered
003d Multi-Link [RFC1717]
003f NETBIOS Framing
0041 Cisco Systems
0043 Ascom Timeplex
0045 Fujitsu Link Backup and Load Balancing (LBLB)
0047 DCA Remote Lan
0049 Serial Data Transport Protocol (PPP-SDTP)
004b SNA over 802.2
004d SNA
004f IPv6 Header Compression
0051 KNX Bridging Data [ianp]
0053 Encryption [Meyer]
0055 Individual Link Encryption [Meyer]
0057 Internet Protocol version 6 [Hinden]
0059 PPP Muxing [RFC3153]
0061 RTP IPHC Full Header [RFC2509]
0063 RTP IPHC Compressed TCP [RFC2509]
0065 RTP IPHC Compressed Non TCP [RFC2509]
0067 RTP IPHC Compressed UDP 8 [RFC2509]
0069 RTP IPHC Compressed RTP 8 [RFC2509]
006f Stampede Bridging
0071 Reserved [Fox]
0073 MP+ Protocol [Smith]
007d reserved (Control Escape) [RFC1661]
007f reserved (compression inefficient) [RFC1662]
0081 Reserved Until 20-Oct-2000 [IANA]
0083 Reserved Until 20-Oct-2000 [IANA]
00c1 NTCITS IPI [Ungar]
00cf reserved (PPP NLPID)
00fb single link compression in multilink [RFC1962]
00fd compressed datagram [RFC1962]
00ff reserved (compression inefficient)
0201 802.1d Hello Packets
0203 IBM Source Routing BPDU
0205 DEC LANBridge100 Spanning Tree
0207 Cisco Discovery Protocol [Sastry]
0209 Netcs Twin Routing [Korfmacher]
020b STP - Scheduled Transfer Protocol [Segal]
020d EDP - Extreme Discovery Protocol [Grosser]
0211 Optical Supervisory Channel Protocol (OSCP) [Prasad]
0213 Optical Supervisory Channel Protocol (OSCP) [Prasad]
0231 Luxcom
0233 Sigma Network Systems
0235 Apple Client Server Protocol [Ridenour]
0281 MPLS Unicast [RFC3032]
0283 MPLS Multicast [RFC3032]
0285 IEEE p1284.4 standard - data packets [Batchelder]
0287 ETSI TETRA Network Protocol Type 1 [Nieminen]
0289 Multichannel Flow Treatment Protocol [McCann]
2063 RTP IPHC Compressed TCP No Delta [RFC2509]
2065 RTP IPHC Context State [RFC2509]
2067 RTP IPHC Compressed UDP 16 [RFC2509]
2069 RTP IPHC Compressed RTP 16 [RFC2509]
4001 Cray Communications Control Protocol [Stage]
4003 CDPD Mobile Network Registration Protocol [Quick]
4005 Expand accelerator protocol [Rachmani]
4007 ODSICP NCP [Arvind]
4021 Stacker LZS [Simpson]
4023 RefTek Protocol [Banfill]
4025 Fibre Channel [Rajagopal]
4027 EMIT Protocols [Eastham]
8001-801f Not Used - reserved [RFC1661]
8021 Internet Protocol Control Protocol
8023 OSI Network Layer Control Protocol
8025 Xerox NS IDP Control Protocol
8027 DECnet Phase IV Control Protocol
8029 Appletalk Control Protocol
802b Novell IPX Control Protocol
802d reserved
802f reserved
8031 Bridging NCP
8033 Stream Protocol Control Protocol
8035 Banyan Vines Control Protocol
8037 reserved (until 1993) [See note for 0037]
8039 reserved
803b reserved
803d Multi-Link Control Protocol
803f NETBIOS Framing Control Protocol
8041 Cisco Systems Control Protocol
8043 Ascom Timeplex
8045 Fujitsu LBLB Control Protocol
8047 DCA Remote Lan Network Control Protocol (RLNCP)
8049 Serial Data Control Protocol (PPP-SDCP)
804b SNA over 802.2 Control Protocol
804d SNA Control Protocol
804f IP6 Header Compression Control Protocol
8051 KNX Bridging Control Protocol [ianp]
8053 Encryption Control Protocol [Meyer]
8055 Individual Link Encryption Control Protocol [Meyer]
8057 IPv6 Control Protocol [Hinden]
8059 PPP Muxing Control Protocol [RFC3153]
806f Stampede Bridging Control Protocol
8071 Reserved [Fox]
8073 MP+ Control Protocol [Smith]
807d Not Used - reserved [RFC1661]
8081 Reserved Until 20-Oct-2000 [IANA]
8083 Reserved Until 20-Oct-2000 [IANA]
80c1 NTCITS IPI Control Protocol [Ungar]
80cf Not Used - reserved [RFC1661]
80fb single link compression in multilink control [RFC1962]
80fd Compression Control Protocol [RFC1962]
80ff Not Used - reserved [RFC1661]
8207 Cisco Discovery Protocol Control [Sastry]
8209 Netcs Twin Routing [Korfmacher]
820b STP - Control Protocol [Segal]
820d EDPCP - Extreme Discovery Protocol Ctrl Prtcl [Grosser]
8235 Apple Client Server Protocol Control [Ridenour]
8281 MPLSCP [RFC3032]
8285 IEEE p1284.4 standard - Protocol Control [Batchelder]
8287 ETSI TETRA TNP1 Control Protocol [Nieminen]
8289 Multichannel Flow Treatment Protocol [McCann]
c021 Link Control Protocol
c023 Password Authentication Protocol
c025 Link Quality Report
c027 Shiva Password Authentication Protocol
c029 CallBack Control Protocol (CBCP)
c02b BACP Bandwidth Allocation Control Protocol [RFC2125]
c02d BAP [RFC2125]
c081 Container Control Protocol [KEN]
c223 Challenge Handshake Authentication Protocol
c225 RSA Authentication Protocol [Narayana]
c227 Extensible Authentication Protocol [RFC2284]
c229 Mitsubishi Security Info Exch Ptcl (SIEP) [Seno]
c26f Stampede Bridging Authorization Protocol
c281 Proprietary Authentication Protocol [KEN]
c283 Proprietary Authentication Protocol [Tackabury]
c481 Proprietary Node ID Authentication Protocol [KEN]

PPP - chapter 2: LCP : Link Control Protocol

2 LCP Link Control Protocol - LCP frame format

An LCP packet is carried in a PPP frame with Protocol = C021. Its fields are Code (8 bits), Identifier (8 bits, the request/response number used to match a reply to its request), Length (16 bits, = Code + Identifier + Length + Data) and Data.
Codes:
Set up: 1 Configure-Request, 2 Configure-Ack, 3 Configure-Nak, 4 Configure-Reject
Termination: 5 Terminate-Request, 6 Terminate-Ack
Link management: 7 Code-Reject, 8 Protocol-Reject, 9 Echo-Request, 10 Echo-Reply, 11 Discard-Request
Extension: 12 Identification, 13 Time-Remaining
The configuration options carried in the Data field are coded Type (8 bits), Length (8 bits, = Type + Length + Data), Data. Option types:
1 Maximum Receive Unit
2 Asynchronous Control Character Map
3 Authentication Protocol (PAP, CHAP)
4 Link Quality Protocol
5 Magic Number (loop detection)
7 Protocol Field Compression
8 Address and Control Field Compression
9 FCS Alternatives
10 Self-Describing Padding
13 Callback
14 Compound Frames

There are three classes of LCP packets: 1. Link Configuration packets used to establish and configure a link (Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject). 2. Link Termination packets used to terminate a link (Terminate-Request and Terminate-Ack). 3. Link Maintenance packets used to manage and debug a link (Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply and Discard-Request).

2 LCP Link Control Protocol - LCP options

Option                              Type  Length  Data
Maximum Receive Unit                01    04      MRU on 16 bits (default 1500)
Asynchronous Control Character Map  02    06      ACCM on 32 bits (default 0xffffffff)
Authentication Protocol             03    04      protocol on 16 bits: C023 (PAP) or C223 (CHAP) (default: no authentication)

Maximum-Receive-Unit This Configuration Option may be sent to inform the peer that the implementation can receive larger frames, or to request that the peer send smaller frames. If smaller frames are requested, an implementation MUST still be able to receive 1500 octet frames in case link synchronization is lost. Authentication-Protocol On some links it may be desirable to require a peer to authenticate itself before allowing network-layer protocol packets to be exchanged. This Configuration Option provides a way to negotiate the use of a specific authentication protocol. By default, authentication is not necessary. Quality-Protocol On some links it may be desirable to determine when, and how often, the link is dropping data. This process is called link quality monitoring. This Configuration Option provides a way to negotiate the use of a specific protocol for link quality monitoring. By default, link quality monitoring is disabled. Async-Control-Character-Map This Configuration Option provides a way to negotiate the use of control character mapping on asynchronous links. By default, PPP maps all control characters into an appropriate two character sequence. However, it is rarely necessary to map all control characters and often it is unnecessary to map any characters.

2 LCP Link Control Protocol - LCP options - ASCII codes

Slide: the 7-bit ASCII table (bits b7..b1, 8 columns of 16 rows). Codes 0x00 to 0x1f are the 32 control characters (NUL, SOH, STX, ETX, EOT, ENQ, ACK, BEL, BS, HT, LF, VT, FF, CR, SO, SI, DLE, DC1, DC2, DC3, DC4, NAK, SYN, ETB, CAN, EM, SUB, ESC, FS, GS, RS, US), codes 0x20 (space) to 0x7e are the printable characters and 0x7f is DEL. Examples: Space = 0x20, A = 0x41, X-ON (DC1) = 0x11, X-OFF (DC3) = 0x13. Only the 32 control characters are concerned by the Asynchronous Control Character Map option that follows.

2 LCP Link Control Protocol - LCP options - Asynchronous Control Character Map

The ACCM is a 32-bit map of the 32 control characters 0x00 to 0x1f: bit n set means that the character of code n must be escaped before transmission. By default ACCM = 0xffffffff (all control characters escaped). To escape only X-ON (0x11) and X-OFF (0x13), bits 17 and 19 are set, which gives ACCM = 0x000a0000 (binary 0000.0000.0000.1010.0000.0000.0000.0000).

Coding of X-OFF: the character to transmit, 0x13 (0001 0011), is XORed with 0x20 (0010 0000), giving 0x33 (0011 0011), and is sent preceded by the escape character 0x7d. Transmitted data: 0x7d 0x33.

2 LCP Link Control Protocol - LCP options (continued)

Option                                 Type  Length  Data
Magic Number                           05    06      magic number on 32 bits
Protocol Field Compression             07    02      none (default: no compression)
Address and Control Field Compression  08    02      none (default: no compression)

Frame with both compressions negotiated: Flag 7E (1) | Protocol (1) | Data | CRC (2) | Flag 7E (1), instead of Flag 7E (1) | Address FF (1) | Control 03 (1) | Protocol (2) | Data | CRC (2) | Flag 7E (1).
Magic-Number: the Magic-Number field is four octets and aids in detecting links which are in the looped-back condition. Protocol-Field-Compression: this Configuration Option provides a way to negotiate the compression of the Data Link Layer Protocol field. By default, all implementations MUST transmit standard PPP frames with two octet Protocol fields. However, PPP Protocol field numbers are chosen such that some values may be compressed into a single octet form which is clearly distinguishable from the two octet form. Address-and-Control-Field-Compression: this Configuration Option provides a way to negotiate the compression of the Data Link Layer Address and Control fields. By default, all implementations MUST transmit frames with Address and Control fields and MUST use the hexadecimal values 0xff and 0x03 respectively. Since these fields have constant values, they are easily compressed. This Configuration Option is sent to inform the peer that the implementation can receive compressed Address and Control fields. Compressed Address and Control fields are formed by simply omitting them. Callback: this Configuration Option provides a method for an implementation to request a dial-up peer to call back. This option might be used for many diverse purposes, such as savings on toll charges. Compound-Frames: this Configuration Option provides a method for an implementation to send multiple PPP encapsulated packets within the same frame.
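PPP framing with the options just described (ACCM byte stuffing, Protocol-Field-Compression, Address-and-Control-Field-Compression) and the 16-bit FCS of RFC 1662, as an added example that is not code from the course: build_frame produces the octets actually put on an asynchronous link and parse_frame recovers the protocol and payload, rejecting a frame whose FCS does not verify. The payloads and ACCM values in the usage are constructed; the X-OFF case gives the 0x7d 0x33 sequence worked out above.

```python
"""Added example, not from the course: PPP framing in HDLC-like format
(RFC 1662) with the options discussed above: the 16-bit FCS, ACCM byte
stuffing, Protocol-Field-Compression and Address-and-Control-Field-Compression.
Payloads and ACCM values are constructed for the example.
"""
FLAG, ESCAPE, ADDRESS, CONTROL = 0x7E, 0x7D, 0xFF, 0x03
LCP = 0xC021
GOOD_FCS16 = 0xF0B8     # residue when the FCS is run over data + its own FCS


def fcs16(data, fcs=0xFFFF):
    """RFC 1662 PPP FCS-16 (CRC-16/X-25, reflected polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol, payload, accm=0xFFFFFFFF, pfc=False, acfc=False):
    """Frame one PPP packet.  `accm` is the map the PEER asked us to honour in
    its own Configure-Request (the control characters IT cannot receive)."""
    body = bytearray()
    # RFC 1661: LCP packets are always sent with Address and Control present
    if not (acfc and protocol != LCP):
        body += bytes([ADDRESS, CONTROL])
    if pfc and protocol < 0x100:
        body.append(protocol)            # the odd low octet alone identifies it
    else:
        body += protocol.to_bytes(2, "big")
    body += payload
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])  # least significant octet first
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESCAPE) or (byte < 0x20 and accm & (1 << byte)):
            out += bytes([ESCAPE, byte ^ 0x20])   # escape: 0x7d then byte XOR 0x20
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def parse_frame(raw):
    """Reverse build_frame: unstuff, check the FCS, then strip the (possibly
    compressed) Address/Control and Protocol fields.  Raises ValueError on a
    damaged frame."""
    if len(raw) < 4 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag")
    body = bytearray()
    i = 1
    while i < len(raw) - 1:
        if raw[i] == ESCAPE:
            if i + 1 >= len(raw) - 1:
                raise ValueError("dangling escape")
            body.append(raw[i + 1] ^ 0x20)
            i += 2
        elif raw[i] == FLAG:
            raise ValueError("unescaped flag inside frame")
        else:
            body.append(raw[i])
            i += 1
    if len(body) < 3 or fcs16(body) != GOOD_FCS16:
        raise ValueError("bad FCS")
    body = body[:-2]
    if body[:2] == bytes([ADDRESS, CONTROL]):
        body = body[2:]                  # fields present (ACFC not used, or LCP)
    if not body:
        raise ValueError("no protocol field")
    if body[0] & 1:                      # odd first octet: one-octet protocol (PFC)
        return body[0], bytes(body[1:])
    if len(body) < 2:
        raise ValueError("truncated protocol field")
    return int.from_bytes(body[:2], "big"), bytes(body[2:])
```

With pfc and acfc on and ACCM 0, an IP packet is framed as 7E 21 ... FCS 7E, the protocol field having shrunk to the single odd octet 0x21; an LCP packet keeps FF 03 and the full C021 whatever was negotiated, which is what lets the peer still parse LCP while the link options are being changed.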

2 LCP Link Control Protocol - Principle of the negotiation (LCP and NCP)

Configure-Request (Option x: value1, Option y: value2)
  -> Configure-Reject (Option y): one or several options are unknown, or the receiver does not wish to negotiate them. The sender has to modify its request and drop these options.
Configure-Request (Option x: value2)
  -> Configure-Nak (Option x: value3): some values are not agreed by the receiver and have to be negotiated. The sender has to modify its request with other values.
Configure-Request (Option x: value3)
  -> Configure-Ack: full acknowledgement.
Configure-Request An implementation wishing to open a connection MUST transmit a Configure-Request. The Options field is filled with any desired changes to the link defaults. Configure-Ack If every Configuration Option received in a Configure-Request is recognizable and all values are acceptable, then the implementation MUST transmit a Configure-Ack. Configure-Nak If every instance of the received Configuration Options is recognizable, but some values are not acceptable, then the implementation MUST transmit a Configure-Nak. The Options field is filled with only the unacceptable Configuration Options from the Configure-Request. Configure-Reject If some Configuration Options received in a Configure-Request are not recognizable or are not acceptable for negotiation (as configured by a network administrator), then the implementation MUST transmit a Configure-Reject. The Options field is filled with only the unacceptable Configuration Options from the Configure-Request.

2 LCP Link Control Protocol - One-way LCP negotiation example (A = ISP, B = client)

A -> B: Configure-Request, Id 1f: MRU 1000; asyncmap 0; Auth PAP; Magic number 2f4e6a; Protocol field compression; Address/control compression
B evaluates: MRU 1000 (ack); asyncmap 0 (nack); Auth PAP (ack); Magic number 2f4e6a (ack); Protocol field compression (reject); Address/control compression (ack)
B -> A: Configure-Reject, Id 1f: Protocol field compression
A -> B: Configure-Request, Id 20: MRU 1000; asyncmap 0; Auth PAP; Magic number 2f4e6a; Address/control compression
B evaluates: MRU 1000 (ack); asyncmap 0 (nack); Auth PAP (ack); Magic number 2f4e6a (ack); Address/control compression (ack)
B -> A: Configure-Nak, Id 20: asyncmap 0x2000
A -> B: Configure-Request, Id 21: MRU 1000; Auth PAP; Magic number 2f4e6a; Address/control compression (A prefers the default value of asyncmap to the one proposed, so it drops the option)
B evaluates: MRU 1000 (ack); Auth PAP (ack); Magic number 2f4e6a (ack); Address/control compression (ack)
B -> A: Configure-Ack, Id 21: MRU 1000; Auth PAP; Magic number 2f4e6a; Address/control compression
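The Request/Ack/Nak/Reject rules of the previous slide and the one-way exchange above, as an added example that is not code from the course: LCP packets are encoded to real bytes (Code, Identifier, Length, then Type/Length/Data options), a responder applies the RFC 1661 precedence (Reject for options it will not negotiate, otherwise Nak with the values it wants, otherwise Ack), and a requester adapts its next request. slide_example() replays A against B; the responder's policies and the 4-octet magic number 0x002f4e6a (the slide shows only 2f 4e6a) are constructed for the example.

```python
"""Added example, not from the course: the Configure-Request / Ack / Nak /
Reject negotiation of RFC 1661, run over LCP packet bytes and replayed on
the one-way example above (A = requester, B = responder).  The policies and
the 4-octet magic number value are constructed for the example.
"""
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
MRU, ACCM, AUTH, MAGIC, PFC, ACFC = 1, 2, 3, 5, 7, 8
PAP = 0xC023


def encode_options(opts):
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in opts)


def decode_options(data):
    opts, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d for type %d" % (length, t))
        opts.append((t, bytes(data[i + 2:i + length])))
        i += length
    return opts


def encode_packet(code, ident, opts):
    body = encode_options(opts)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode_packet(pkt):
    if len(pkt) < 4:
        raise ValueError("short LCP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    return code, ident, decode_options(pkt[4:length])


class Responder:
    """Receiving side.  `negotiable`: option types it is willing to discuss;
    `policy[type](value)`: None to accept the value, or the value to propose."""
    def __init__(self, negotiable, policy):
        self.negotiable, self.policy = negotiable, policy

    def handle_request(self, pkt):
        code, ident, opts = decode_packet(pkt)
        if code != CONF_REQ:
            raise ValueError("expected Configure-Request")
        rejected = [(t, v) for t, v in opts if t not in self.negotiable]
        if rejected:                       # Reject takes precedence over Nak
            return encode_packet(CONF_REJ, ident, rejected)
        naked = [(t, self.policy[t](v)) for t, v in opts if self.policy[t](v) is not None]
        if naked:
            return encode_packet(CONF_NAK, ident, naked)
        return encode_packet(CONF_ACK, ident, opts)


class Requester:
    """Sending side.  `accept_hint(type, hint)` says whether a Nak'ed value is
    taken over or the option dropped (falling back to its default)."""
    def __init__(self, opts, accept_hint, first_ident=0x1F):
        self.opts, self.accept_hint, self.ident = list(opts), accept_hint, first_ident

    def request(self):
        return encode_packet(CONF_REQ, self.ident, self.opts)

    def handle_response(self, pkt):
        code, ident, opts = decode_packet(pkt)
        if ident != self.ident:            # stale or spoofed reply: ignore it
            raise ValueError("reply does not match our outstanding request")
        if code == CONF_ACK:
            return True
        if code == CONF_REJ:
            bad = {t for t, _ in opts}
            self.opts = [(t, v) for t, v in self.opts if t not in bad]
        elif code == CONF_NAK:
            hints = dict(opts)
            kept = []
            for t, v in self.opts:
                if t not in hints:
                    kept.append((t, v))
                elif self.accept_hint(t, hints[t]):
                    kept.append((t, hints[t]))
                # else: drop the option and use its default
            self.opts = kept
        else:
            raise ValueError("unexpected LCP code %d" % code)
        self.ident = (self.ident + 1) & 0xFF
        return False


def negotiate(requester, responder, max_rounds=10):
    """Run rounds until Configure-Ack; returns the (request, reply) pairs as
    decoded packets.  The bound keeps a never-converging peer from looping us."""
    trace = []
    for _ in range(max_rounds):
        req = requester.request()
        reply = responder.handle_request(req)
        trace.append((decode_packet(req), decode_packet(reply)))
        if requester.handle_response(reply):
            return trace
    raise RuntimeError("LCP negotiation did not converge")


def accept(_value):
    return None


def accm_policy(value):
    # B wants asyncmap 0x2000 rather than 0 (constructed policy)
    return (0x2000).to_bytes(4, "big") if int.from_bytes(value, "big") == 0 else None


def slide_example():
    a_opts = [(MRU, (1000).to_bytes(2, "big")), (ACCM, (0).to_bytes(4, "big")),
              (AUTH, PAP.to_bytes(2, "big")), (MAGIC, bytes.fromhex("002f4e6a")),
              (PFC, b""), (ACFC, b"")]
    b = Responder({MRU, ACCM, AUTH, MAGIC, ACFC},     # B does not negotiate PFC
                  {MRU: accept, ACCM: accm_policy, AUTH: accept, MAGIC: accept, ACFC: accept})
    a = Requester(a_opts, accept_hint=lambda t, hint: False)  # A prefers the default asyncmap
    return negotiate(a, b)
```

slide_example() produces exactly three rounds: Reject of PFC on Id 1f, Nak of ACCM with 0x2000 on Id 20, Ack on Id 21 with MRU, Auth, Magic and ACFC left. The identifier check in handle_response is what stops a late or injected reply from being applied to a newer request.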

2 LCP Link Control Protocol - Two-way LCP negotiation example (client and ISP)

Client -> ISP: LCP Conf-Req Id 1 {Async_map: 0x000a0000, Magic_number: 0x00217cbb, Prot_comp, Addr/ctl_comp, Callback}
ISP -> Client: LCP Conf-Req Id 1 {MRU: 1524, Async_map: 0x00000000, Authent_prot: PAP, Prot_comp, Addr/ctl_comp}
Client -> ISP: LCP Conf-Ack Id 1 {MRU: 1524, Async_map: 0x00000000, Authent_prot: PAP, Prot_comp, Addr/ctl_comp}
ISP -> Client: LCP Conf-Rej Id 1 {Callback}
Client -> ISP: LCP Conf-Req Id 2 {Async_map: 0x000a0000, Magic_number: 0x00217cbb, Prot_comp, Addr/ctl_comp}
ISP -> Client: LCP Conf-Ack Id 2 {Async_map: 0x000a0000, Magic_number: 0x00217cbb, Prot_comp, Addr/ctl_comp}
Each direction is negotiated independently: both sides send their own Configure-Request and answer the peer's.

2 LCP Link Control Protocol - Termination

Reasons for closing the link: one end requests a release; a no-traffic timer expires; authentication failure; protocol error; loop detection (thanks to the magic number); unacceptable line quality.
A -> B: Terminate-Request / Id xx / message
B -> A: Terminate-Ack / Id xx
Terminate-Request and Terminate-Ack: an implementation wishing to close a connection SHOULD transmit a Terminate-Request. Terminate-Request packets SHOULD continue to be sent until a Terminate-Ack is received, the lower layer indicates that it has gone down, or a sufficiently large number have been transmitted such that the peer is down with reasonable certainty.

2 LCP Link Control Protocol - Surveillance and errors

PPP frame / Id -> Code-Reject / Id: unknown LCP code
PPP frame / Id -> Protocol-Reject / Id: unknown protocol
Echo-Request / Id / Magic number x -> Echo-Reply / Id / Magic number y: loopback test and loop detection (receiving one's own magic number back means the link is looped)
Discard-Request / Id / Magic number x: no reply expected, used to exercise the local-to-remote direction
Code-Reject: reception of an LCP packet with an unknown Code indicates that the peer is operating with a different version. This MUST be reported back to the sender of the unknown Code by transmitting a Code-Reject. Protocol-Reject: reception of a PPP packet with an unknown Protocol field indicates that the peer is attempting to use a protocol which is unsupported. This usually occurs when the peer attempts to configure a new protocol. Echo-Request and Echo-Reply: LCP includes Echo-Request and Echo-Reply Codes in order to provide a Data Link Layer loopback mechanism for use in exercising both directions of the link. This is useful as an aid in debugging, link quality determination, performance testing, and for numerous other functions. Discard-Request: LCP includes a Discard-Request Code in order to provide a Data Link Layer sink mechanism for use in exercising the local to remote direction of the link. This is useful as an aid in debugging, performance testing, and for numerous other functions.

2 LCP : Link Control Protocol - Example of LCP negotiation

A -> B: Configure-Request, Id 1f: MRU 1500; asyncmap 0; Auth PAP; Magic number 2f4e6a; Protocol compression; Address compression
B evaluates: MRU 1500 (ack); asyncmap 0 (nack); Auth PAP (ack); Magic number 2f4e6a (ack); Protocol compression (reject); Address compression (ack)
B -> A: Configure-Reject, Id 1f: Protocol compression
A -> B: Configure-Request, Id 20: MRU 1500; asyncmap 0; Auth PAP; Magic number 2f4e6a; Address compression
B evaluates: MRU 1500 (ack); asyncmap 0 (nack); Auth PAP (ack); Magic number 2f4e6a (ack); Address compression (ack)
B -> A: Configure-Nak, Id 20: asyncmap 0x2000
A -> B: Configure-Request, Id 21: MRU 1500; Auth PAP; Magic number 2f4e6a; Address compression (A prefers the default asyncmap, so it drops the option)
B evaluates: MRU 1500 (ack); Auth PAP (ack); Magic number 2f4e6a (ack); Address compression (ack)
B -> A: Configure-Ack, Id 21: MRU 1500; Auth PAP; Magic number 2f4e6a; Address compression

PPP - chapter 3: Authentication
3 Authentication - Password Authentication Protocol

Slide: the client's dial-up profile ("Connect To") holds user name Jack and password secret; the access server's database holds "username Alice password test" and "username Jack password secret".
(1) Client -> Server: PAP Authenticate-Request carrying Jack + secret, in clear text
(4) Server -> Client: PAP Authenticate-Ack, after looking the pair up in its database
The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment. PAP is not a strong authentication method: passwords are sent over the circuit "in the clear", and there is no protection from playback (replay) or from repeated trial-and-error attempts.

When PAP is enabled, the remote router attempting to connect to the access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, the Cisco IOS software sends an authentication acknowledgement. After you have enabled CHAP or PAP, the access server will require authentication from remote devices dialing in to the access server. If the remote device does not support the enabled protocol, the call will be dropped. To use CHAP or PAP, you must perform the following tasks: 1. Enable PPP encapsulation. 2. Enable CHAP or PAP on the interface. 3. For CHAP, configure host name authentication and the secret or password for each remote system with which authentication is required.

3 Authentication - PAP message format

PAP packets are carried in PPP frames with Protocol = C023. Fields: Code (1 byte), Identifier (1 byte), Length (2 bytes), Data.
Codes: 1 Authenticate-Request, 2 Authenticate-Ack, 3 Authenticate-Nak.
Data of an Authenticate-Request: Peer-ID length (1 byte), Peer-ID, Password length (1 byte), Password.
Data of an Authenticate-Ack or Authenticate-Nak: Message length (1 byte), Message.
RFC 1334: The Code field is one octet and identifies the type of PAP packet. PAP Codes are assigned as follows: 1 Authenticate-Request, 2 Authenticate-Ack, 3 Authenticate-Nak.

Identifier: the Identifier field is one octet and aids in matching requests and replies. Length: the Length field is two octets and indicates the length of the PAP packet including the Code, Identifier, Length and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. Data: the Data field is zero or more octets; its format is determined by the Code field. Peer-ID: the Peer-ID field is zero or more octets and indicates the name of the peer to be authenticated. Password: the Password field is zero or more octets and indicates the password to be used for authentication. Message: the Message field is zero or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain displayable ASCII characters.


Authentication CHAP (Challenge Handshake Authentication Protocol)

(figure) The client ("Connect To" dialogue: user name Jack, password secret) connects to the access server whose hostname is ISP_a and whose local database contains "username Alice password test" and "username Jack password secret". The server sends a challenge made of ISP_a and a random number; the client passes the challenge and its password through MD5 (a non-reversible algorithm) and returns the response together with the name Jack; the server computes the same MD5 with the password stored for Jack, finds the two values equal, and answers Success: authentication succeeded.
The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. When CHAP is enabled on an interface and a remote device attempts to connect to it, the access server sends a CHAP packet to the remote device. The CHAP packet requests or "challenges" the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local router. When the remote device receives the challenge packet, it concatenates the ID, the remote device's password, and the random number, and then encrypts all of it using the remote device's password (a one-way MD5 hash, as shown on the slide). The remote device sends the results back to the access server, along with the name associated with the password used in the encryption process. When the access server receives the response, it uses the name it received to retrieve a password stored in its user database. The retrieved password should be the same password the remote device used in its encryption process. The access server then encrypts the concatenated information with the newly retrieved password; if the result matches the result sent in the response packet, authentication succeeds. The benefit of using CHAP authentication is that the remote device's password is never transmitted in clear text. This prevents other devices from stealing it and gaining illegal access to the ISP's network. CHAP transactions occur only at the time a link is established. The access server does not request a password during the rest of the call. (The local device can, however, respond to such requests from other devices during a call.) After you have enabled CHAP, the access server will require authentication from remote devices dialing in to the access server. If the remote device does not support the enabled protocol, the call will be dropped. To use CHAP, you must perform the following tasks: 1. Enable PPP encapsulation. 2. Enable CHAP on the interface. 3. For CHAP, configure host name authentication and the secret or password for each remote system with which authentication is required.


Authentication CHAP message format

CHAP message format (figure): PPP protocol field C223. Fields: Code (1 octet: 1 = Challenge, 2 = Response, 3 = Success, 4 = Failure), Identifier (1 octet), Length (2 octets), Data. Data of a Challenge: Challenge length (1 octet), Challenge value, Name of the system transmitting this packet. Data of a Response: Response length (1 octet), Response value (MD5), Name of the system transmitting this packet. Data of a Success or Failure: Message (optional).
Challenge and Response: The Challenge packet is used to begin the Challenge-Handshake Authentication Protocol. The authenticator MUST transmit a CHAP packet with the Code field set to 1 (Challenge). A Challenge packet MAY also be transmitted at any time during the Network-Layer Protocol phase to ensure that the connection has not been altered. Whenever a Challenge packet is received, the peer MUST transmit a CHAP packet with the Code field set to 2 (Response). Whenever a Response packet is received, the authenticator compares the Response Value with its own calculation of the expected value. Based on this comparison, the authenticator MUST send a Success or Failure packet. The Challenge Value is a variable stream of octets; its uniqueness is essential, and the Challenge Value MUST be changed each time a Challenge is sent. The Response Value is the one-way hash calculated over a stream of octets consisting of the Identifier, followed by (concatenated with) the "secret", followed by (concatenated with) the Challenge Value. The Name field is one or more octets representing the identification of the system transmitting the packet. The Message field is zero or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain displayable ASCII characters. Note: Because the Success might be lost, the authenticator MUST allow repeated Response packets after completing the Authentication phase. To prevent discovery of alternative Names and Secrets, any Response packets received having the current Challenge Identifier MUST return the same reply Code returned when the Authentication phase completed (the message portion MAY be different). Any Response packets received during any other phase MUST be silently discarded.
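The PAP and CHAP packet layouts and the CHAP Response computation described on these two pages, as an added Python example that is not part of the course material. The users Alice/test and Jack/secret, the access server name ISP_a and the fixed sample challenge are constructed from the slide; parse_header, build_chap_challenge, verify_chap_response and the other names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Added example (not course material): PAP / CHAP packets as laid out in
# RFC 1334 and RFC 1994: Code (1), Identifier (1), Length (2), Data.
# All names, secrets and challenge bytes below are constructed sample values.

PAP_AUTH_REQUEST, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def parse_header(packet):
    """Return (code, identifier, data); octets past Length are padding."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    return code, ident, packet[4:length]


def build_pap_request(ident, peer_id, password):
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def parse_pap_request(data):
    """Peer-ID and Password travel in clear text: whoever captures the PPP
    frame reads the password, which is why the course prefers CHAP."""
    id_len = data[0]
    peer_id = data[1:1 + id_len]
    pw_len = data[1 + id_len]
    password = data[2 + id_len:2 + id_len + pw_len]
    return peer_id.decode(), password.decode()


def chap_response_value(ident, secret, challenge):
    # RFC 1994: MD5 over Identifier || secret || Challenge Value, no separators
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_challenge(ident, name, challenge=None):
    """Authenticator side; a fresh random value is drawn for every challenge."""
    if challenge is None:
        challenge = os.urandom(16)
    data = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(data)) + data


def build_chap_response(ident, secret, challenge, name):
    """Peer side; only the hash leaves the device, never the secret."""
    value = chap_response_value(ident, secret, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(data)) + data


def verify_chap_response(packet, challenge, user_db):
    """Authenticator side: look the Name up, recompute, compare in constant
    time so that a mismatch position does not leak through timing."""
    code, ident, data = parse_header(packet)
    if code != CHAP_RESPONSE:
        return False
    value_size = data[0]
    value, name = data[1:1 + value_size], data[1 + value_size:]
    secret = user_db.get(name.decode(errors="replace"))
    if secret is None:
        return False  # unknown Name gets the same answer as a wrong secret
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(expected, value)


# Constructed from the slide: users Alice/test and Jack/secret on access
# server ISP_a. The challenge is fixed here so that the run is reproducible.
USER_DB = {"Alice": b"test", "Jack": b"secret"}
SAMPLE_CHALLENGE = bytes(range(16))


def chap_exchange_ok(name="Jack", secret=b"secret", ident=0x2A):
    """Run the 3-way handshake locally; True when the authenticator accepts."""
    chal_pkt = build_chap_challenge(ident, b"ISP_a", SAMPLE_CHALLENGE)
    _, chal_id, chal_data = parse_header(chal_pkt)
    challenge = chal_data[1:1 + chal_data[0]]
    resp_pkt = build_chap_response(chal_id, secret, challenge, name.encode())
    return verify_chap_response(resp_pkt, challenge, USER_DB)


if __name__ == "__main__":
    pap = build_pap_request(1, b"Jack", b"secret")
    print("PAP request reveals:", parse_pap_request(parse_header(pap)[2]))
    print("CHAP Jack / secret :", chap_exchange_ok())
    print("CHAP Jack / wrong  :", chap_exchange_ok(secret=b"wrong"))
```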


PPP (section agenda): 1 Overview; LCP : Link Control Protocol; NCP : Network Control Protocol; CISCO configuration; Authentication.

NCP : Network Control Protocol NCP message format

NCP-IP (IPCP) message format (figure): PPP protocol field 8021. Fields: Code (1 octet), Ident (1 octet, request/response number), Length (2 octets), Data. Codes: set-up 1 Configure-Request, 2 Configure-Ack, 3 Configure-Nack, 4 Configure-Reject; release 5 Terminate-Request, 6 Terminate-Ack; link management 7 Code-Reject. The Data field carries options in Type / Length / Data format, where Length = Type + Length + Data. Option types: 1 obsolete; 2 IP compression protocol (RFC 1332); 3 IP Address (RFC 1332); 4 Mobile-IPv4 (RFC 2290); 129 Primary DNS Server Address (RFC 1877); 130 Primary NBNS Server Address (RFC 1877); 131 Secondary DNS Server Address (RFC 1877); 132 Secondary NBNS Server Address (RFC 1877). NBNS = WINS.

The IP Control Protocol (IPCP) is the NCP for IP and is responsible for configuring, enabling, and disabling the IP protocol on both ends of the point-to-point link. The IPCP options negotiation sequence is the same as for LCP, thus allowing the possibility of reusing the code.

IP-Compression-Protocol: This Configuration Option provides a way to negotiate the use of a specific compression protocol. By default, compression is not enabled. Van Jacobson TCP/IP header compression reduces the size of the TCP/IP headers to as few as three bytes. This can be a significant improvement on slow serial lines, particularly for interactive traffic. The IP-Compression-Protocol Configuration Option is used to indicate the ability to receive compressed packets. Each end of the link must separately request this option if bi-directional compression is desired.

IP-Address: This Configuration Option provides a way to negotiate the IP address to be used on the local end of the link. It allows the sender of the Configure-Request to state which IP address is desired, or to request that the peer provide the information. The peer can provide this information by NAKing the option, and returning a valid IP address. If negotiation about the remote IP address is required, and the peer did not provide the option in its Configure-Request, the option SHOULD be appended to a Configure-Nak. The value of the IP address given must be acceptable as the remote IP address, or indicate a request that the peer provide the information. By default, no IP address is assigned.

DNS Server Address: This Configuration Option defines a method for negotiating with the remote peer the address of the primary and secondary DNS server to be used on the local end of the link. If the local peer requests an invalid server address (which it will typically do intentionally) the remote peer specifies the address by NAKing this option, and returning the IP address of a valid DNS server. Default: no address is provided.

NBNS Server Address: This Configuration Option defines a method for negotiating with the remote peer the address of the primary and secondary NBNS server to be used on the local end of the link. If the local peer requests an invalid server address (which it will typically do intentionally) the remote peer specifies the address by NAKing this option, and returning the IP address of a valid NBNS server. By default, no primary NBNS address is provided.


NCP : Network Control Protocol IP-Address negotiation

(figure) Exchange between the Client and the ISP, each packet carried with PPP protocol 8021:
1. Client to ISP: Configure-Request (Code=01, Req Ident, Length=0A) carrying the IP@ option (type 03, length 06) with address 0.0.0.0, or the wished IP@.
2. ISP to Client: Configure-Nak (Code=03, Nack Ident, Length=0A) carrying the IP@ option (03, 06) with a valid IP@, 194.1.2.3.
3. Client to ISP: Configure-Request (Code=01, Req Ident, Length=0A) with the IP@ option (03, 06) now set to 194.1.2.3.
4. ISP to Client: Configure-Ack (Code=02, Ack Ident, Length=0A) with the IP@ option (03, 06) 194.1.2.3.


NCP : Network Control Protocol Van Jacobson compression

(figure) The 20-byte IP header (Version, Header length, Type Of Service, Datagram length, Identification, Flags, Datagram Offset, TTL, Protocol, Checksum, Source IP address, Destination IP address) and the 20-byte TCP header (source port nb, destination port nb, Sequence number, Ack. number, Header length, Reserved, flags URG ACK PSH RST SYN FIN, Window size, Checksum, urgent pointer) are replaced by a compressed header of about 4 bytes: a 1-byte set of flags (i p s a w u) indicating the presence of each field, the connection nb, the TCP checksum, then only the fields that changed, encoded as deltas: Urgent Pointer (u), Window delta (w), Acknowledge delta (a), Sequence delta (s), ID delta (i). The data follows unchanged.

One important option used with IPCP is Van Jacobson Header Compression, which is used to reduce the size of the combined IP and TCP headers from 40 bytes to approximately 4 by recording the states of a set of TCP connections at each end of the link and replacing the full headers with encoded updates for the normal case, where many of the fields are unchanged or are incremented by small amounts between successive IP datagrams for a session. This compression is described in RFC 1144.


NCP : Network Control Protocol IP-compression protocol

(figure) IP-Compression-Protocol option: Type 02, Length 04, IP-Compression-Protocol 00 2d (Van Jacobson Compressed TCP/IP), followed by 0 or more octets of additional data for the compression protocol.

IP packet transfer in compressed mode: Flag 7E (1 byte), Address FF (1 byte), Control 03 (1 byte), Protocol (2 bytes), IP datagram (46 - 1500 bytes), CRC (2 bytes), Flag 7E (1 byte). The Protocol field takes one of three values: 0021, no compression (the higher protocol is not TCP, or this packet is a fragment, or this packet cannot be compressed); 002d, compressed TCP (the TCP/IP headers are replaced by the compressed header); 002f, decompressed TCP (the IP datagram is replaced by the slot identifier).

The Max-Slot-Id field is one octet and indicates the maximum slot identifier. This is one less than the actual number of slots; the slot identifier has values from zero to Max-Slot-Id. The Comp-Slot-Id field is one octet and indicates whether the slot identifier field may be compressed.


NCP : Network Control Protocol NCP negotiation

(figure) Exchange between the client and the ISP, as in the previous IP-Address negotiation slide:
1. Configure-Request, Request Id: 01, Address: 0.0.0.0, Compress VJ: 0f 01
2. Configure-Nak, Nak Id: 01, Address: 172.1.23.5 (Address nacked; Compress VJ acceptable)
3. Configure-Request, Request Id: 02, Address: 172.1.23.5, Compress VJ: 0f 01
4. Configure-Ack, Ack Id: 02, Address: 172.1.23.5, Compress VJ: 0f 01 (Address and Compress VJ acked)
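The IP-Address and Compress VJ negotiation shown on the IP-Address negotiation and NCP negotiation slides, as an added Python example that is not part of the course material. The ISP address 172.1.23.5, option types 2 and 3, the VJ protocol 002d, Max-Slot-Id 0f and Comp-Slot-Id 01 come from the slides; isp_answer (the ISP's policy) and negotiate (the client loop) are this example's own assumptions.

```python
import ipaddress
import struct

# Added example (not course material): IPCP, PPP protocol 0x8021, negotiating
# the IP-Address option (type 3) and the IP-Compression-Protocol option
# (type 2, Van Jacobson 0x002D) exactly as on the NCP negotiation slide:
# the client asks for 0.0.0.0, the ISP NAKs with 172.1.23.5, the client
# re-requests that address and the ISP ACKs. The ISP policy is an assumption.

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_IP_COMPRESSION, OPT_IP_ADDRESS = 2, 3
VJ_PROTOCOL = 0x002D


def encode_options(options):
    """options: list of (type, payload); Length counts Type and Length too."""
    out = b""
    for opt_type, payload in options:
        out += bytes([opt_type, 2 + len(payload)]) + payload
    return out


def decode_options(data):
    options, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed option length")
        options.append((opt_type, data[pos + 2:pos + length]))
        pos += length
    return options


def build_packet(code, ident, options):
    data = encode_options(options)
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, decode_options(packet[4:length])


def ip_option(addr):
    return (OPT_IP_ADDRESS, ipaddress.IPv4Address(addr).packed)


def vj_option(max_slot_id=0x0F, comp_slot_id=0x01):
    return (OPT_IP_COMPRESSION,
            struct.pack("!HBB", VJ_PROTOCOL, max_slot_id, comp_slot_id))


def isp_answer(request, assigned_addr):
    """ISP side (assumed policy): an IP-Address other than the one allocated
    to this peer is NAKed with the valid address, a non-VJ compression
    protocol is NAKed with VJ, unknown options are REJected, else ACK."""
    code, ident, options = parse_packet(request)
    if code != CONF_REQ:
        raise ValueError("ISP side only answers Configure-Request here")
    nak, rej = [], []
    for opt_type, payload in options:
        if opt_type == OPT_IP_ADDRESS:
            if payload != ipaddress.IPv4Address(assigned_addr).packed:
                nak.append(ip_option(assigned_addr))
        elif opt_type == OPT_IP_COMPRESSION:
            if struct.unpack("!H", payload[:2])[0] != VJ_PROTOCOL:
                nak.append(vj_option())
        else:
            rej.append((opt_type, payload))
    if rej:
        return build_packet(CONF_REJ, ident, rej)  # Reject takes precedence
    if nak:
        return build_packet(CONF_NAK, ident, nak)
    return build_packet(CONF_ACK, ident, options)   # Ack echoes all options


def negotiate(assigned_addr="172.1.23.5", max_rounds=3):
    """Client side: request 0.0.0.0, adopt what the NAK returns, re-request.
    Returns (trace of parsed packets in both directions, negotiated address)."""
    trace, wanted, ident = [], "0.0.0.0", 1
    for _ in range(max_rounds):
        req = build_packet(CONF_REQ, ident, [ip_option(wanted), vj_option()])
        reply = parse_packet(isp_answer(req, assigned_addr))
        trace += [parse_packet(req), reply]
        code, _, options = reply
        if code == CONF_ACK:
            return trace, wanted
        if code == CONF_NAK:
            for opt_type, payload in options:
                if opt_type == OPT_IP_ADDRESS:
                    wanted = str(ipaddress.IPv4Address(payload))
        ident += 1
    raise RuntimeError("IPCP did not converge")


if __name__ == "__main__":
    trace, addr = negotiate()
    for code, ident, options in trace:
        print("code", code, "id", ident, [(t, p.hex()) for t, p in options])
    print("negotiated address:", addr)
```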

NCP : Network Control Protocol Data compression negotiation : CCP

CCP (Compression Control Protocol) message format (figure): PPP protocol field 80FD. Fields: Code (8 bits), Ident (8 bits, request/response number), Length (16 bits), Data. Codes: set-up 1 Configure-Request, 2 Configure-Ack, 3 Configure-Nack, 4 Configure-Reject; release 5 Terminate-Request, 6 Terminate-Ack; link management 7 Code-Reject, 14 Reset-Request, 15 Reset-Ack. The Data field carries options in Type / Length / Data format, where Length = Type + Length + Data. Compression types: 0 OUI; 1 Predictor type 1; 2 Predictor type 2; 3 Puddle Jumper; 4-15 unassigned; 16 Hewlett Packard PPC; 17 Stac Electronic LZS; 18 Microsoft PPC; 19 Gandalf FZA; 20 V42bis compression; 21 BSD LZW Compress.

NCP : Network Control Protocol IP packet transfer

(figure) Once IPCP is up, each IP datagram is carried in a PPP frame: Flag 7E (1 byte), Address FF (1 byte), Control 03 (1 byte), Protocol 0021 (2 bytes), IP datagram, CRC (2 bytes), Flag 7E (1 byte). The datagram could be compressed.

PPP (section agenda): 1 Overview; LCP : Link Control Protocol; NCP : Network Control Protocol; CISCO configuration; Authentication.

5 CISCO configuration CISCO configuration - Local PPP authentication

aaa authentication ppp {default | list-name} method1 [method2...]

Example: a PPP client ("Connect To" dialogue, user name jack) dials the CISCO router, which sends a chap/pap request.

aaa authentication ppp method_list local none
username jack password abcd
username madona password wxyz
!
interface virtual-template1
 ip unnumbered Loopback1
 encapsulation ppp
 ppp authentication chap pap method_list

1st method: local (the router's username database); 2nd method: none (no authentication).

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface. Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error. If authentication is not specifically set for a function, the default is none and no authentication is performed. Main methods:
local: uses the local username database for authentication.
none: uses no authentication.
group radius: uses the list of all RADIUS servers for authentication.
group group-name: uses a subset of RADIUS servers for authentication as defined by the aaa group server radius command.
Note: if a group of AAA servers has been defined, the name of the group is specified in the command line instead of the method name, e.g.:
aaa group server radius sg1
 server 172.8.7.5
 server 173.9.15.18
!
aaa authentication ppp default group sg1 local


5 CISCO configuration CISCO configuration - PPP authentication by Radius

(figure) The PPP client (user name jack) reaches the router through the access network; the router authenticates against the Radius servers 10.8.1.210 and 10.8.1.111 on the IP network.

aaa new-model
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
radius-server host 10.8.1.111 auth-port 1812 acct-port 1813
aaa authentication ppp method_list group radius local none
username bob password abcd
username madona password wxyz
!
interface virtual-template1
 ip unnumbered Loopback1
 encapsulation ppp
 ppp authentication chap pap method_list
 peer default ip address dhcp

Callouts: encapsulation ppp enables PPP on the interface; ppp authentication chap pap method_list gives the protocols supported and the order in which they are used; peer default ip address dhcp means the client IP@ is provided by a DHCP server. Methods: 1st group radius, 2nd local, 3rd none (no authentication).

ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time]

Defines the authentication protocols supported and the order in which they are used. In this command, protocol1, protocol2 represent the following protocols: CHAP, MS-CHAP, and PAP. PPP authentication is attempted first using the first authentication method, which is protocol1. If protocol1 is unable to establish authentication, the next configured protocol is used to negotiate authentication. If, for instance, you configure ppp authentication chap pap, the access server will attempt to authenticate all incoming calls that start a PPP session with CHAP. If the remote device does not support CHAP, the access server will try to authenticate the call using PAP. If the remote device does not support either CHAP or PAP, authentication will fail and the call will be dropped. Authentication method lists are only available if you have enabled AAA. If you specify the name of an authentication method list with the ppp authentication command, PPP will attempt to authenticate the connection using the methods defined in the specified method list. If AAA is enabled and no method list is defined by name, PPP will attempt to authenticate the connection using the methods defined as the default. Caution: if you use a list-name that has not been configured with the aaa authentication ppp command, you disable PPP on the line. The various methods are:
if-needed: does not authenticate if the user has already been authenticated on a TTY line.
krb5: uses Kerberos 5 for authentication (can only be used for PAP authentication).
local: uses the local username database for authentication.
local-case: uses case-sensitive local username authentication.
none: uses no authentication.
group radius: uses the list of all RADIUS servers for authentication.
group tacacs+: uses the list of all TACACS+ servers for authentication.
group group-name: uses a subset of RADIUS servers for authentication as defined by the aaa group server radius command.

peer default ip address {ip-address | dhcp | pool [pool-name]}: specifies an IP address, an address from a specific IP address pool, or an address from the Dynamic Host Configuration Protocol (DHCP) mechanism to be returned to a remote peer connecting to this interface.
pool: use the global default mechanism as defined by the ip address-pool command unless the optional pool-name argument is supplied. This is the default.
pool-name: (optional) name of a local address pool created using the ip local pool command. Retrieve an address from this pool regardless of the global default mechanism setting.


5 CISCO configuration CISCO conf. - PPP authentication by subset of Radius

(figure) The PPP client (user name jack) reaches the router through the access network; three Radius servers are declared (10.8.1.111, 10.8.1.210 and 20.1.2.333) but only two of them form the group used for authentication.

aaa new-model
radius-server host 10.8.1.111 auth-port 1812 acct-port 1813
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
radius-server host 20.1.2.333 auth-port 1812 acct-port 1813
aaa group server radius rad1
 server 10.8.1.210
 server 10.8.1.111
aaa authentication ppp method_list group rad1
!
interface virtual-template1
 ip unnumbered Loopback1
 encapsulation ppp
 ppp authentication chap pap method_list
 peer default ip address dhcp

1st (and only) method: group rad1.

The ppp authentication and peer default ip address commands are described with the previous configuration (PPP authentication by Radius). With server groups, group group-name uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


5 CISCO configuration CISCO configuration - aaa authorization network

(figure) The IP pool on the Radius server contains 164.1.3.54 (allocated), 164.1.3.55, 164.1.3.56, 164.1.3.57 and 164.1.3.58. During NCP the client sends its IP@ request over PPP to the router; the router sends a network info request to the Radius server, which answers with the network info (IP@, DNS@, ...); the router returns IP@ = 164.1.3.54 and DNS@ = 164.1.3.2 to the client.

aaa new-model
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
aaa authorization network default group radius
!
interface virtual-template1
 encapsulation ppp
 no peer default ip address
 ..

1st method: group radius.

aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

The aaa authorization command is used to indicate that the RADIUS server will assign an address and other network parameters to the requesting user.

network: runs authorization for all network-related service requests, including SLIP, PPP, PPP NCP. auth-proxy: applies specific security policies on a per-user basis. default: uses the listed authorization methods that follow this argument as the default list of methods for authorization. list-name: character string used to name the list of authorization methods. method1 [method2...]: one of the keywords listed below:
group group-name: uses a subset of RADIUS servers for authorization as defined by the aaa group server radius command.
if-authenticated: allows the user to access the requested function if the user is authenticated.
krb5-instance: uses the instance defined by the kerberos instance map command.
local: uses the local database for authorization.
none: no authorization is performed.

no peer default ip address disables IP address allocation by DHCP or local pool. In the configuration of the interface virtual-template1, because there is no ppp authorization list-name command, the list aaa authorization network default is selected.


5 CISCO configuration CISCO configuration - aaa accounting network

(figure) At the end of the session the CISCO router sends an accounting record to the Radius server (User-Name = jack, Caller-ID = 164.1.3.54, Acct-Status-Type = Stop) and the address 164.1.3.54 goes from allocated back to free in the IP pool (164.1.3.54, 164.1.3.55, 164.1.3.56, 164.1.3.57, 164.1.3.58).

aaa new-model
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
aaa accounting network default start-stop group radius

1st method: group radius.

aaa accounting network provides information towards Radius for all PPP sessions, including packet and byte counts. AAA resource accounting for start-stop records supports the ability to send a "start" record at each call setup, followed by a corresponding "stop" record at the call disconnect.


PPP access Evaluation Objective: to be able to configure a PPP access

Thank you for answering the self assessment of the objectives sheet


Security


Security Session presentation

Objective: to be able to implement security in a router. Program: 1 Internal authentication; 2 Authentication by AAA server; 3 Access-List.


Security implementation in a router (section agenda): 1 Internal authentication; 2 Authentication by AAA server; 3 Access-List.

1 Internal authentication Configuring authentication

Two main categories for configuring authentication:
AAA Authentication Methods (aaa new-model): allows Radius authentication, local authentication, ...
Non-AAA Authentication Methods: local authentication only.
Configuring Authentication Authentication verifies users before they are allowed access to the network and network services. Authentication, for the most part, is implemented through the AAA security services. Cisco recommends that, whenever possible, AAA be used to implement authentication.


1 Internal authentication Configuring line password protection

hostname# configure terminal
hostname(config)# line console 0
hostname(config-line)# password secret
hostname(config-line)# login
hostname(config)# line vty 0 1
hostname(config-line)# password key
hostname(config-line)# login

(figure) Access codes resulting from this configuration: console 0: secret; vty 0: key; vty 1: key. Users A to F reach the router either through the console or through VTY 0 and VTY 1 over the IP network; the line password gives user mode, and a further access code is needed for privileged mode.

Passwords (and similar secrets, such as SNMP community strings) are the primary defense against unauthorized access to your router. Usually, a first authentication is requested to access the router, and a second authentication level is requested to access the privileged mode. Commands:
Router(config-line)#password password assigns a password to a terminal or other device on a line.
Router(config-line)#login enables password checking at login.
Router(config-line)#no login disables line password verification by disabling password checking.
The password checker is case sensitive and can include spaces; for example, the password "Secret" is different from the password "secret", and "two words" is an acceptable password.


1 Internal authentication Configuring privileged mode password protection

hostname# configure terminal
hostname(config)# enable secret hypersupersecret

(figure) Access codes: console 0: secret; vty 0: key; vty 1: key; enable secret: hypersupersecret. Users A to F reach user mode through the console or through VTY 0 to VTY 4 over the IP network, and need the enable secret to enter privileged mode.

Passwords (and similar secrets, such as SNMP community strings) are the primary defense against unauthorized access to your router. Usually, a first authentication is requested to access the router. Virtual terminals require a password: if you do not set a password for a virtual terminal, it responds to attempted connections by displaying an error message and closing the connection. A second authentication level is requested to access the privileged mode. The enable secret command is used to set the password that grants privileged administrative access to the IOS system. An enable secret password should always be set. The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible as far as anybody at Cisco knows. It is, however, subject to dictionary attacks (a "dictionary attack" is having a computer try every word in a dictionary or other list of candidate passwords). The password checker is case sensitive and can include spaces; for example, the password "Secret" is different from the password "secret", and "two words" is an acceptable password. show line displays information about the lines (console, VTY, ...).


1 Internal authentication Username based authentication

Router# configure terminal
Router(config)# username tom password wxyz
Router(config)# username jack password abcd
Router(config)# line vty 0 4
Router(config-line)# login local

(figure) login local selects local password checking: the router local database holds the users jack and tom. Session seen by the user:
User Access Verification
Username: tom
Password: ****
Router>

You can create a username-based authentication system. Caution: passwords will be displayed in clear text in your configuration unless you enable the service password-encryption command.


1 Internal authentication Password encryption

hostname# configure terminal
hostname(config)# service password-encryption

(figure) The password hypersupersecret is stored in the configuration as r25ijz45a9t5Ahj.
The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful for preventing casual observers from reading passwords, for example, when they happen to look at the screen over an administrator's shoulder.


Security implementation in a router (section agenda): 1 Internal authentication; 2 Authentication by AAA server; 3 Access-List.

2 Authentication by AAA server AAA authentication methods

Example: telnet access to a GGSN, authenticated against Radius servers.

aaa new-model
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
radius-server host 10.20.1.210 auth-port 1812 acct-port 1813
aaa authentication login list_name group radius line local enable none
line console 0
 password secret
username jack password abcd
username madona password wxyz
enable secret hypersupersecret

Methods tried in order: 1st group radius; 2nd line (the console line password secret); 3rd local (the username database); 4th enable (the enable secret); 5th none (no authentication).
The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. Main methods:
enable: uses the enable password for authentication.
line: uses the line password for authentication.
local: uses the local username database for authentication.
none: uses no authentication.
group radius: uses the list of all RADIUS servers for authentication.
group group-name: uses a subset of RADIUS servers for authentication as defined by the aaa group server radius command.
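The error-versus-fail rule for method lists, which governs both the aaa authentication ppp lists of the CISCO configuration section and the login lists here, as an added Python model that is neither course material nor Cisco IOS code. The environment ENV (RADIUS servers unreachable, the users jack and madona, the line password and enable secret from the slide) is constructed, and treating an unknown local user as an error rather than a failure is this model's own assumption.

```python
from enum import Enum

# Added example (neither course material nor Cisco IOS code): a model of how
# an AAA method list is walked. The rule stated in the notes drives it: the
# next method is consulted only when the previous one returned an ERROR
# (it could not answer), never when it returned FAIL (it rejected the user).


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method rejected the user: final, access denied
    ERROR = "error"  # the method could not decide: try the next one


# Constructed environment modelled on the slide's configuration: both RADIUS
# servers are unreachable in this scenario, the local database holds jack and
# madona, the console line password is "secret", the enable secret is
# "hypersupersecret".
ENV = {
    "radius_reachable": False,
    "radius_users": {"jack": "abcd", "madona": "wxyz"},
    "local_users": {"jack": "abcd", "madona": "wxyz"},
    "line_password": "secret",
    "enable_secret": "hypersupersecret",
}


def method_group_radius(user, password, env):
    if not env["radius_reachable"]:
        return Result.ERROR  # no server answered, so nothing was decided
    ok = env["radius_users"].get(user) == password
    return Result.PASS if ok else Result.FAIL


def method_local(user, password, env):
    # Assumption of this model: a user absent from the local database is an
    # ERROR (the database cannot decide); a wrong password is a FAIL.
    users = env["local_users"]
    if user not in users:
        return Result.ERROR
    return Result.PASS if users[user] == password else Result.FAIL


def method_line(user, password, env):
    return Result.PASS if password == env["line_password"] else Result.FAIL


def method_enable(user, password, env):
    return Result.PASS if password == env["enable_secret"] else Result.FAIL


def method_none(user, password, env):
    return Result.PASS  # "none": no authentication at all


METHODS = {
    "group radius": method_group_radius,
    "line": method_line,
    "local": method_local,
    "enable": method_enable,
    "none": method_none,
}


def authenticate(method_list, user, password, env=ENV):
    """Walk the list in order. Returns (granted, name of the deciding method);
    the name is None when every method errored and no 'none' closed the list."""
    for name in method_list:
        result = METHODS[name](user, password, env)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name  # a FAIL is final, later methods are not tried
        # ERROR: fall through to the next method
    return False, None


if __name__ == "__main__":
    slide_list = ["group radius", "line", "local", "enable", "none"]
    # RADIUS is down, so the line password decides, not jack's own password.
    print(authenticate(slide_list, "jack", "abcd"))
    print(authenticate(slide_list, "jack", "secret"))
    # "local none" admits a user the local database has never heard of.
    print(authenticate(["local", "none"], "stranger", "anything"))
```

With the RADIUS servers unreachable, the slide's list lets the console line password decide the telnet login, and a list ending in none lets unknown users through: check each list's fallback before applying it to a line or interface.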


2 Authentication by AAA server - Subset of Radius servers

Configuration on the GGSN:

radius-server host 164.1.1.3 auth-port 1812 acct-port 1813
radius-server host 10.8.1.210 auth-port 1812 acct-port 1813
radius-server host 10.20.1.11 auth-port 1812 acct-port 1813
aaa group server radius rad_list1
 server 10.20.1.11
aaa group server radius rad_list2
 server 164.1.1.3
 server 10.8.1.210
aaa authentication login method_listx group rad_list1 local
aaa authentication login method_listy group rad_list2
interface serial 1/0
 login authentication method_listy
line console 0
 login authentication method_listx

The console line (craft terminal) uses method_listx; the serial interface uses method_listy.

A subset of Radius servers can be applied to a method list.


2 Authentication by AAA server - Method lists for authentication

aaa authentication login {default | list-name} method1 [method2...]

Sets AAA authentication at login with a list of authentication methods: the types of authentication to be performed and the sequence in which they will be performed. The list default performs only a local authentication; the list list1 performs a Radius authentication and possibly a local authentication:

aaa new-model
aaa authentication login default local
aaa authentication login list1 group radius local

Apply the lists of methods:

interface fastethernet 1/0
 login authentication list1
 ..
interface serial 1/0
 login authentication default
 ..
line console 0
 login authentication default

Note: method list default is automatically applied to all interfaces.


Named Method Lists for Authentication

To configure AAA authentication, you must first define a named list of authentication methods, and then apply that list to various interfaces. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.

The method list defines the types of authentication to be performed and the sequence in which they will be performed; it is a sequential list describing the authentication methods to be queried in order to authenticate a user. IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted. If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display the currently configured lists of authentication methods.
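The error-versus-failure rule in the text decides whether a method list falls back at all, so here is an added Python model of it (an illustration written for this page, not IOS code or an Alcatel/Cisco implementation; the servers, users and outcomes are constructed): each method returns PASS, FAIL or ERROR, and the walk continues only on ERROR.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method was reached and rejected the credentials
    ERROR = "error"  # the method could not be used (servers unreachable, nothing configured)


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def radius_group(servers: Dict[str, Optional[Dict[str, str]]]) -> Method:
    """Model of 'group radius': host -> user database, or None when the server is unreachable.
    The group returns ERROR only when no server answers at all."""
    def method(user: str, pw: str) -> Result:
        for userdb in servers.values():
            if userdb is None:
                continue                        # server down: ask the next one
            return Result.PASS if userdb.get(user) == pw else Result.FAIL
        return Result.ERROR
    return method


def local_db(users: Dict[str, str]) -> Method:
    """Model of 'local': the router's username/password database."""
    def method(user: str, pw: str) -> Result:
        if not users:
            return Result.ERROR                 # no usernames configured: method unusable
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return method


def none_method(user: str, pw: str) -> Result:
    """Model of 'none': no authentication at all, always passes."""
    return Result.PASS


def authenticate(method_list: List[Method], user: str, pw: str) -> Result:
    """Walk the method list in order: a FAIL stops the walk immediately,
    only an ERROR moves on to the next method (the rule stated in the text)."""
    outcome = Result.ERROR
    for method in method_list:
        outcome = method(user, pw)
        if outcome is not Result.ERROR:
            break
    return outcome


def is_allowed(method_list: List[Method], user: str, pw: str) -> bool:
    """Access is granted only on PASS; ERROR from every method also means denied."""
    return authenticate(method_list, user, pw) is Result.PASS


def demo() -> Dict[str, bool]:
    """Constructed scenarios for 'aaa authentication login list1 group radius local'."""
    local = local_db({"jack": "abcd"})
    radius_up = radius_group({"10.8.1.210": {"madona": "wxyz"}})        # reachable, knows only madona
    radius_down = radius_group({"10.8.1.210": None, "10.20.1.210": None})
    return {
        # RADIUS answers and rejects jack: FAIL stops the list, 'local' is never consulted
        "radius_up_rejects": is_allowed([radius_up, local], "jack", "abcd"),
        # every RADIUS server is unreachable: ERROR, so the router falls back to 'local'
        "radius_down_fallback": is_allowed([radius_down, local], "jack", "abcd"),
        # all methods error and 'none' is absent: access denied
        "all_error": is_allowed([radius_down, local_db({})], "jack", "abcd"),
        # 'none' as the last method guarantees access when everything before it errors
        "none_last": is_allowed([radius_down, local_db({}), none_method], "jack", "anything"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'allowed' if allowed else 'denied'}")
```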


Security implementation in a router


1 Internal authentication
2 Access-List
3 Authentication by AAA server


3 Access-List - Principle of standard Access-List

[Figure: a router connects networks 10.10.10.0 and 20.20.20.0 (hosts .1, .2, .3 ... .n) to the Internet. An inbound standard access list checks the source address (IP@src) of packets entering an interface and an outbound standard access list checks the source address of packets leaving it; in both cases authorized IP addresses give authorized access and unauthorized IP addresses give unauthorized access.]


Network security is a broad topic that can be addressed at all TCP/IP levels. The GGSN can enforce security at two levels: at the network level, by applying a standard access list; at the protocol layer (the point at which Internet Protocol (IP) packets and routing updates are controlled), by applying an extended access list. Access lists define the actual traffic that will be permitted or denied. Access lists can be used to deny connections that are known to be a security risk and then permit all other connections, or to permit those connections that are considered acceptable and deny all the rest. For firewall implementation, the latter is the more secure method.


3 Access-List - Format of the standard Access List command

access-list access-list-number {deny | permit} ip-address-source [wildcard] [log]

access-list-number: standard access lists are numbered 1 to 99
deny | permit: the condition
ip-address-source: network or host IP address in dotted-decimal format, or any
wildcard: wildcard bits (in dotted-decimal format) to be applied to the source. Place ones in the bit positions you want to ignore.
log: causes an informational logging message about the packet that matches the entry

Examples:

access-list 12 permit 10.1.2.3 0.0.0.0          (equivalent to: access-list 12 permit 10.1.2.3)
access-list 34 deny 10.1.2.0 0.0.0.255 log
access-list 34 permit 0.0.0.0 255.255.255.255   (equivalent to: access-list 34 permit any)

To define a standard IP access list with a number, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.

access-list-number: number of an access list. This is a decimal number from 1 to 99.
deny: denies access if the conditions are matched.
permit: permits access if the conditions are matched.
source: number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: use a 32-bit quantity in four-part, dotted-decimal format, or use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard (optional): wildcard bits to be applied to the source. Use a 32-bit quantity in four-part, dotted-decimal format and place ones in the bit positions you want to ignore; the keyword any stands for a source and source-wildcard of 0.0.0.0 255.255.255.255.
log (optional): causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The access list is always terminated by an implicit deny statement for everything. After you create an access list, you must apply it to either an interface or a terminal line for it to be used. Use the show access-lists EXEC command to display the contents of all access lists. Use the show ip access-list EXEC command to display the contents of all current IP access lists.


3 Access-List - Processing of an Inbound Standard Access List

[Flowchart for an incoming packet:
Access list present? No: do the route table lookup and route to the interface.
Yes: does the source address match the entry? No: more entries? Yes: test the next entry; No: deny.
Yes: deny or permit? Permit: do the route table lookup and route to the interface. Deny: discard the packet and send an ICMP message.]

Inbound Access list processing

The router tests the entries one by one. The first match determines whether the router routes or discards the packet. Therefore, the order of the conditions is important. Make sure that you list the entries in order from specific references in a network or subnet to general ones. Place more frequently occurring conditions before less frequent conditions.

If no conditions match, the router discards the packet. You can consider that there is a last, hidden entry in any access list and that this hidden entry is an implicit deny any. All traffic not explicitly permitted will be implicitly denied. Place an explicit permit any at the end of the list if you do not want to deny by default all traffic that fails to match any of the access list entries.

New entries are added to the end of the access list. Selectively inserting or deleting an entry is not possible; the best way to modify an access list is to delete it and then recreate a new one. Undefined access list = permit any.


3 Access-List - Processing of an Outbound Standard Access List

[Flowchart for an outgoing packet: first do the route table lookup.
Access list present? No: forward the packet.
Yes: does the source address match the entry? No: more entries? Yes: test the next entry in the list; No: deny.
Yes: deny or permit? Permit: forward the packet. Deny: discard the packet and send an ICMP message.]
Outbound Access List processing: first, the router performs routing, then it checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list denies the address, the router discards it and returns an ICMP message (Host unreachable). Same concept as the inbound Access List.


3 Access-List - Example of a standard Access-List

no access-list 12
access-list 12 permit 10.10.10.1
access-list 12 deny 10.10.10.0 0.0.0.255
access-list 12 permit 20.20.20.0 0.0.0.255
interface Serial3/0
 description Internet access
 ip address 212.77.200.218 255.255.255.252
 ip access-group 12 out

[Figure: networks 10.10.10.0 and 20.20.20.0 (hosts .1, .2, .3 ... .n) on Eth 1/2 and Eth 1/1; Serial3/0 leads to the Internet. With list 12 applied outbound on Serial3/0, Internet access is authorized for 10.10.10.1 and for the 20.20.20.0 network and unauthorized for the other 10.10.10.0 hosts.]
The ip access-group command applies the access list to the interface. Access lists may be applied to inbound or outgoing traffic on an interface (no default: in or out must be specified).

For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets.


3 Access-List - Exercise

no access-list 1
access-list 1 permit 10.10.10.1
access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 deny 20.20.20.2
access-list 1 permit 20.20.20.0 0.0.0.255
interface fasteth 1/2
 ip access-group 1 in

[Figure: networks 20.20.20.0 and 10.10.10.0 (hosts .1, .2, .3 ... .n) behind the router, the Internet beyond it; list 1 is applied inbound on fasteth 1/2 and checks IP@src. Which hosts get authorized and which unauthorized Internet access?]
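The first-match rule, the implicit deny and the "undefined list = permit any" behaviour can be checked against the exercise above with this added Python model (written for this page, not IOS code; the addresses tested are constructed, 192.0.2.1 standing for an outside host). It parses the exercise's list 1, decides for a few source addresses, and shows the decision flipping when the host permit is moved after the subnet deny.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    action: str                 # "permit" or "deny"
    source: str                 # dotted-decimal source address
    wildcard: str = "0.0.0.0"   # IOS wildcard: ones mark the bits to ignore (not a netmask)


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' lines, keeping their order.
    'no access-list N' empties the list, as it does on the router."""
    entries: List[Entry] = []
    for line in lines:
        tok = line.split()
        if tok[:2] == ["no", "access-list"]:
            entries = []
            continue
        if tok[:1] != ["access-list"]:
            continue
        number, action, source = int(tok[1]), tok[2], tok[3]
        if not 1 <= number <= 99:
            raise ValueError("standard access lists are numbered 1 to 99")
        if source == "any":                       # 'any' = 0.0.0.0 255.255.255.255
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        else:
            wildcard = tok[4] if len(tok) > 4 and tok[4] != "log" else "0.0.0.0"
            entries.append(Entry(action, source, wildcard))
    return entries


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """True when addr equals source in every bit position the wildcard does not ignore."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, source, wildcard))
    return (a ^ s) & (~w & 0xFFFFFFFF) == 0


def evaluate(entries: Optional[List[Entry]], src_addr: str) -> str:
    """First matching entry wins; an implicit 'deny any' ends every list.
    entries=None models a list applied to an interface but never defined: permit any."""
    if entries is None:
        return "permit"
    for entry in entries:
        if wildcard_match(src_addr, entry.source, entry.wildcard):
            return entry.action
    return "deny"


# Access list 1 from the exercise slide.
EXERCISE_ACL_1 = [
    "no access-list 1",
    "access-list 1 permit 10.10.10.1",
    "access-list 1 deny 10.10.10.0 0.0.0.255",
    "access-list 1 deny 20.20.20.2",
    "access-list 1 permit 20.20.20.0 0.0.0.255",
]


def exercise_results() -> Dict[str, str]:
    """Decision for a few constructed source addresses against list 1."""
    entries = parse_standard_acl(EXERCISE_ACL_1)
    return {addr: evaluate(entries, addr)
            for addr in ("10.10.10.1", "10.10.10.3", "20.20.20.2", "20.20.20.3", "192.0.2.1")}


def order_matters() -> Tuple[str, str]:
    """The same two entries in both orders: with the subnet deny first, the
    host-specific permit for 10.10.10.1 is never reached."""
    specific_first = parse_standard_acl(EXERCISE_ACL_1)
    general_first = parse_standard_acl([
        "access-list 1 deny 10.10.10.0 0.0.0.255",
        "access-list 1 permit 10.10.10.1",
    ])
    return evaluate(specific_first, "10.10.10.1"), evaluate(general_first, "10.10.10.1")


if __name__ == "__main__":
    for addr, decision in exercise_results().items():
        print(f"{addr:12s} {decision}")
    print("order matters:", order_matters())
```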


3 Access-List - Outbound Extended Access List

[Flowchart: Access list present? No: forward the packet.
Yes: does the source address match? No: next entry (deny when no entry is left).
Yes: does the protocol (IP, TCP, UDP, ICMP, ...) match? No: next entry.
Yes: does the destination address match? No: next entry.
Yes: do the protocol options match? No: next entry.
Yes: deny or permit? Permit: forward the packet. Deny: discard the packet and send an ICMP message.]

Although standard access lists use only source addresses for matching, an extended access list can use source and destination addresses for matching operations, and optional protocol type information for finer granularity of control. To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access list, use the no form of this command.


3 Access-List - Extended Access List format

For ICMP:
access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For UDP:
access-list access-list-number {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log]

access-list-number: number from 100 to 199.
protocol: name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below.
destination: number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination.
destination-wildcard: wildcard bits to be applied to the destination.
precedence precedence (optional): packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos (optional): packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Type of Service Names" table in the Router Products Command Reference publication.
icmp-type (optional): ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code (optional): ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message (optional): ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name.
igmp-type (optional): IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15.
operator (optional): compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port (optional): the decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the "TCP Port Names" table in the Router Products Command Reference. UDP port names can only be used when filtering UDP.
established (optional): for the TCP protocol only, indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.


3 Access-List - Example of an extended Access-List

Only access to the DNS server is allowed:

no access-list 100
access-list 100 permit udp 0.0.0.0 255.255.255.255 10.10.10.1 0.0.0.0 eq 53
interface fastethernet 1/2
 description Intranet access
 ip address 10.10.10.254 255.255.255.0
 ip access-group 100 out

[Figure: host 10.10.10.1 on network 10.10.10.0 (Eth 1/2) is the FTP, Telnet and DNS server; Serial3/0 leads to the Internet.]


3 Access-List - Exercise

Explain the following access lists:

Given ports: 53 = DNS, 123 = NTP, 23 = TELNET, 25 = SMTP

access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123

These commands allow domain name system (DNS) and network time protocol (NTP) requests and replies.

access-list 101 permit tcp 0.0.0.0 255.255.255.255 194.18.13.2 0.0.0.0 eq 23

This command permits Telnet access to the communication server (194.18.13.2).

access-list 101 permit tcp 0.0.0.0 255.255.255.255 194.18.13.100 0.0.0.0 eq 25
access-list 101 permit tcp 0.0.0.0 255.255.255.255 194.18.1.100 0.0.0.0 eq 25

These commands permit incoming simple mail transfer protocol (SMTP) email to only a few machines.


Security Evaluation Objective: to be able to implement security in a router

Thank you for answering the self assessment of the objectives sheet


NAT: Network Address Translation
PAT: Port Address Translation


NAT - PAT Session presentation

Objective: to be able to configure the NAT and PAT functions

Program:
1 Public IP address and private IP address
2 NAT function
3 PAT function
4 Cisco configuration


NAT and PAT

1 Public IP address and private IP address
2 NAT function
3 PAT function
4 Cisco configuration


1 Public IP address and private IP address - Definitions

[Figure: on the Internet, hosts with public IP@ 154.11.22.33, 195.51.63.1 and 9.1.2.3; behind it, private network 10.0.0.0 with host IP@ 10.6.7.8.]

Public IP@: assigned by ICANN, unique over the world.
Private IP@: address ranges reserved by ICANN, can be used several times, cannot travel the Internet.

Public IP@: a public IP@ is an Internet IP@ assigned by ICANN (Internet Corporation for Assigned Names and Numbers), which is the organisation in charge of IP@ allocation on the Internet.

Private IP@: ICANN reserved some ranges of IP@ which are not assigned to any host connected to the Internet. Any organization can use any address in these ranges. However, because these addresses are not globally unique, they are not defined to any external routers. Routers in networks not using private addresses, particularly those operated by Internet service providers, are expected to quietly discard all routing information regarding these addresses. Routers in an organization using private addresses are expected to limit all references to private addresses to internal links. They should neither externally advertise routes to private addresses nor forward IP datagrams containing private addresses to external routers.


1 Public IP address and private IP address - Private address ranges

[Figure: private networks using private IP@ connected to the Internet, where public IP@ are used.]

class A: 10.0.0.0 to 10.255.255.255 (1 class)
class B: 172.16.0.0 to 172.31.255.255 (16 classes)
class C: 192.168.0.0 to 192.168.255.255 (256 classes)
Part of the global address space is reserved for use in networks that do not require connectivity to the Internet. Typically these networks are administered by a single organization. Three ranges of addresses have been reserved for this purpose:
10.0.0.0: a single Class A network
172.16.0.0 through 172.31.0.0: 16 contiguous Class B networks
192.168.0.0 through 192.168.255.0: 256 contiguous Class C networks


1 Public IP address and private IP address - Other private addresses

[Figure: on the Internet, hosts with public IP@ 154.11.22.33, 195.51.63.1 and 9.1.2.3. A private network 154.11.0.0, with hosts 154.11.63.1 and 154.11.12.13, uses addresses not assigned to it by ICANN; inside that network they are private IP@.]
Private IP@: any IP address not assigned by ICANN is also considered a private IP address. These addresses can be used inside a private network; they cannot travel the Internet.


1 Public IP address and private IP address - Private IP networks and Internet connections

[Figure: host 10.10.10.8 on Intranet 1 (NetID 10.10.10.0) sends a packet (source 10.10.10.8, destination 194.5.3.12) towards the Internet; the packet is discarded because its source is a private IP address.]

A private IP@ cannot travel the Internet.


NAT and PAT

1 Public IP address and private IP address
2 NAT function
3 PAT function
4 Cisco configuration


2 NAT function - Principle

[Figure: private network 10.10.10.0 (hosts .1, .2, .3, .4) behind a NAT router holding the public IP@ 212.17.22.21, 212.17.22.22 and 212.17.22.23; server 194.5.3.12 on the Internet.
Steps 1 to 6 of the exchange between 10.10.10.4 and 194.5.3.12:
inside: IPsrc 10.10.10.4, IPdest 194.5.3.12  ->  outside: IPsrc 212.17.22.21, IPdest 194.5.3.12
outside: IPsrc 194.5.3.12, IPdest 212.17.22.21  ->  inside: IPsrc 194.5.3.12, IPdest 10.10.10.4
Translation table: private IP@ 10.10.10.4 <-> public IP@ 212.17.22.21]

Basically, Network Address Translation allows a single device, such as a router, to act as agent between the Internet (or "public network") and a local (or "private") network. The private router connected to the Internet must be configured with the NAT function and one or several public IP@.
1 - A computer of the private network sends an IP packet to a server connected to the Internet. The IP packet contains a private IP@ as source IP@ and cannot travel the Internet.
2 - The Internet gateway router translates the private source IP@ into a public IP@ and forwards the packet to the Internet.
3 - The Internet gateway router keeps in its memory the association between the private IP@ and the public IP@.
4 - The IP packet can travel the Internet because its IP addresses are valid.
5 - The server can answer. It knows the other party only by the public IP@.
6 - The NAT router operates the inverse translation before forwarding the packet to the private network.

This means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.


NAT and PAT

1 Public IP address and private IP address
2 NAT function
3 PAT function
4 Cisco configuration


3 PAT function - IP@ sharing thanks to the port number

[Figure: private network 10.10.10.0, hosts 10.10.10.4 and 10.10.10.1, behind a NAT router (public IP@ 212.17.22.13 in the translated packets); FTP server 194.5.3.12 on the Internet.
Socket 5: inside IPsrc 10.10.10.4, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21
Socket 9: inside IPsrc 10.10.10.1, TCPsrc 1024, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 1024, IPdest 194.5.3.12, TCPdest 21]

Several internal addresses can be NATed to only one or a few external addresses. A communication is identified by the socket, which must be unique.


3 PAT function - What are the risks?

[Figure: same network; this time both 10.10.10.4 and 10.10.10.1 open a connection to FTP server 194.5.3.12 port 21 from source port 2125.
inside IPsrc 10.10.10.4, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 2125
inside IPsrc 10.10.10.1, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 2125
Both translate to socket 5 (194.5.3.12 21 212.17.22.13 2125): same communication.]

If the address translation is based only on IP addresses, then in certain cases, when by chance the same ephemeral port is chosen by two clients, the two communications cannot be differentiated. Nevertheless, this case is handled correctly when a special feature called PAT is implemented.


3 PAT function - Principle

[Figure: private network 10.10.10.0 (hosts .4 and .1) behind the NAT router with public IP@ 212.17.22.13; FTP server 194.5.3.12 on the Internet.
Translation table:
Prot  Private IP@   Port   Public IP@     Port
tcp   10.10.10.4    2125   212.17.22.13   2125
tcp   10.10.10.1    2125   212.17.22.13   1024
Packets: inside IPsrc 10.10.10.4, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21;
inside IPsrc 10.10.10.1, TCPsrc 2125, IPdest 194.5.3.12, TCPdest 21  ->  outside IPsrc 212.17.22.13, TCPsrc 1024, IPdest 194.5.3.12, TCPdest 21.]

PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group: 0-511, 512-1023, or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses. The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM it has (one translation needs about 160 bytes, so 4 Mbytes => 26214 simultaneous translations).
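The allocation algorithm above, together with the translation and inverse translation of the NAT principle, as an added Python model (written for this page, not Cisco IOS code; the port-group table is the one in the text, the slide's two FTP clients are replayed, and the spill-over scenario is constructed):

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Socket(NamedTuple):
    proto: str   # "tcp" or "udp"
    ip: str
    port: int


# Port groups PAT searches, in the order the text gives them.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


class PatTable:
    """Model of a PAT (NAT overload) translation table: inside socket <-> outside socket.
    global_ips is the configured pool, e.g. the single address 212.17.22.13 of the slide."""

    def __init__(self, global_ips: List[str]) -> None:
        self.global_ips = global_ips
        self.in_to_out: Dict[Socket, Socket] = {}
        self.out_to_in: Dict[Socket, Socket] = {}

    def _free(self, proto: str, ip: str, port: int) -> bool:
        return Socket(proto, ip, port) not in self.out_to_in

    def _bind(self, inside: Socket, outside: Socket) -> Socket:
        self.in_to_out[inside] = outside
        self.out_to_in[outside] = inside
        return outside

    def allocate(self, inside: Socket) -> Socket:
        """Outside socket for an inside socket, creating a translation on first use.
        Allocation order follows the text: keep the original port; else the first free port
        of the same port group; else the same again on the next global address."""
        if inside in self.in_to_out:
            return self.in_to_out[inside]
        lo, hi = next(g for g in PORT_GROUPS if g[0] <= inside.port <= g[1])
        for gip in self.global_ips:
            if self._free(inside.proto, gip, inside.port):
                return self._bind(inside, Socket(inside.proto, gip, inside.port))
            for port in range(lo, hi + 1):
                if self._free(inside.proto, gip, port):
                    return self._bind(inside, Socket(inside.proto, gip, port))
        raise RuntimeError("out of ports and global addresses")

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Translate the source of a packet leaving the private network."""
        out = self.allocate(Socket(proto, src_ip, src_port))
        return out.ip, out.port, dst_ip, dst_port

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Inverse translation of a packet arriving from the Internet; None when no entry
        exists, i.e. the packet is dropped rather than forwarded inside."""
        inside = self.out_to_in.get(Socket(proto, dst_ip, dst_port))
        if inside is None:
            return None
        return src_ip, src_port, inside.ip, inside.port


def slide_scenario() -> Dict[str, Optional[Tuple[str, int, str, int]]]:
    """Both 10.10.10.4 and 10.10.10.1 open FTP to 194.5.3.12 from source port 2125."""
    pat = PatTable(["212.17.22.13"])
    first = pat.outbound("tcp", "10.10.10.4", 2125, "194.5.3.12", 21)
    second = pat.outbound("tcp", "10.10.10.1", 2125, "194.5.3.12", 21)   # 2125 taken -> 1024
    return {
        "first": first,
        "second": second,
        "reply_to_second": pat.inbound("tcp", "194.5.3.12", 21, "212.17.22.13", second[1]),
        "unsolicited": pat.inbound("tcp", "194.5.3.12", 21, "212.17.22.13", 5000),
    }


def spill_to_next_address() -> Tuple[str, int]:
    """Constructed: fill group 0-511 on the first address so that the next UDP flow with a
    low port is carried over to the second global address, original port preserved."""
    pat = PatTable(["212.17.22.21", "212.17.22.22"])
    for port in range(0, 512):
        pat.allocate(Socket("udp", "10.10.10.4", port))
    out = pat.allocate(Socket("udp", "10.10.10.1", 7))
    return out.ip, out.port


if __name__ == "__main__":
    for name, value in slide_scenario().items():
        print(f"{name:16s} {value}")
    print("spill:", spill_to_next_address())
```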


NAT and PAT

1 Public IP address and private IP address
2 NAT function
3 PAT function
4 Cisco configuration


4 Cisco configuration - The various commands

[Figure: a CISCO router with inside networks 10.5.0.0 and 20.8.1.0 (interfaces marked ip nat inside) and outside interface S1 (ip nat outside) towards the Internet and host 194.63.2.8. User data packets 10.5.0.2 => 194.63.2.8 (A) and 192.8.0.3 => 194.63.2.8 (B) arrive from the inside; a translated packet leaves as 210.70.2.1 => 194.63.2.8 (PAT when [overload] is set).]

ip nat inside
ip nat inside source list 3 pool inet
access-list 3 permit 10.5.0.0 0.0.255.255
access-list 3 permit 20.8.1.0 0.0.0.255
ip nat pool inet 210.70.2.1 210.70.2.35 prefix-length 24
ip nat outside (on interface S1)

Here, the access list is used to determine whether an address has to be translated or not.

ip nat { inside | outside }
Interfaces need to be marked whether they are on the inside or the outside. Only packets arriving on a marked interface will be subject to translation.

ip nat inside source { list <acl> pool <name> [overload] | static <local-ip> <global-ip> }
Translation of inside source address. The first form enables dynamic translation: packets from addresses that match those on the simple access list are translated using global addresses allocated from the named pool. The optional keyword overload enables port translation for UDP and TCP; the term overload is equivalent to Port Address Translation (PAT). The second form of the command sets up a single static translation.

ip nat inside source list <number> interface <interface> overload
Translates all inside addresses to the address assigned to an interface on the router.

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type { rotary } ]
Defines a pool of addresses using start address, end address, and netmask. These addresses will be allocated as needed.

ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]
This command puts the user into IP NAT pool configuration mode, where a sequence of address ranges can be configured: address <start> <end>


4 Cisco configuration - Exercise

What does the NAT do?

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Response: it translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.


4 Cisco configuration - NAT analysis

Show commands:
Showing active translations: show ip nat translations [ verbose ]
Showing translation statistics: show ip nat statistics
Clearing dynamic translations:
clear ip nat translation * (clears all dynamic translations)
clear ip nat translation <global-ip> (clears a simple translation)
clear ip nat translation <global-ip> <local-ip> <proto> <global-port> <local-port>
Debugging: debug ip nat [ <list> ] [ detailed ]

Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries time out after 24 hours. This time can be adjusted with commands.


4 Cisco configuration - Time-out

By default:
TCP translations time out 1 minute after an RST or FIN is seen on the stream, and after 24 hours without any traffic on the stream.
UDP translations time out after 1 minute for DNS over UDP, and after 5 minutes for non-DNS applications.

These times can be adjusted:
ip nat translation udp-timeout <seconds>
ip nat translation dns-timeout <seconds>
ip nat translation tcp-timeout <seconds>
ip nat translation finrst-timeout <seconds>

Translation Timeout Improvements
The following new timeouts have been implemented for extended translation entries:
ip nat translation ?
  icmp-timeout  Specify timeout for NAT ICMP flows
  syn-timeout   Specify timeout for NAT TCP flows after a SYN and no further data

Translation Entry Limit
Using the following command, Cisco IOS NAT can be configured to limit the number of translation entries it creates. The default is that there is no limit.
ip nat translation max-entries <n>


4 Cisco configuration - Static translation with port

ip nat inside source static tcp 10.10.10.1 25 212.17.22.13 25     (port 25 = mail server)

[Figure: mail server 10.10.10.1 on private network 10.10.10.0 (hosts .1, .4) behind the NAT router with public IP@ 212.17.22.13; Internet hosts 194.5.3.12 and 12.1.2.3.
Static entry: Prot tcp, local private IP@ 10.10.10.1 port 25 <-> global public IP@ 212.17.22.13 port 25.
outside IPsrc 194.5.3.12, IPdest 212.17.22.13, TCPsrc 1024, TCPdest 25  ->  inside IPsrc 194.5.3.12, IPdest 10.10.10.1, TCPsrc 1024, TCPdest 25
outside IPsrc 12.1.2.3, IPdest 212.17.22.13, TCPsrc 2025, TCPdest 25  ->  inside IPsrc 12.1.2.3, IPdest 10.10.10.1, TCPsrc 2025, TCPdest 25]

Static translations with ports: when translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts:
ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>


NAT & PAT Evaluation Objective: to be able to configure the NAT and PAT functions

Thank you for answering the self assessment of the objectives sheet


GRE Tunnelling (Generic Routing Encapsulation)


Objective: to be able to make a Virtual Private Network by means of GRE protocol

GRE tunnelling Session presentation


Tunnelling GRE - Public addresses, private addresses

(Diagram: hosts with public IP@ 154.11.22.33, 195.51.63.1 and 9.1.2.3 reachable over the Internet; a host with IP@ 10.6.7.8 in the private network 10.0.0.0, whose address cannot travel the Internet. Public IP@: assigned by IANA, unique over the world. Private IP@: address ranges reserved by ICANN, can be used several times.)

Public IP@: a public IP@ is an Internet IP@ assigned by ICANN (Internet Corporation for Assigned Names and Numbers), the organisation in charge of IP@ allocation on the Internet.

Private IP@: ICANN reserved some ranges of IP@ which are not assigned to any host connected to the Internet. Any organisation can use any address in these ranges. However, because these addresses are not globally unique, they are not defined in any external router. Routers in networks not using private addresses, particularly those operated by Internet service providers, are expected to quietly discard all routing information regarding these addresses. Routers in an organisation using private addresses are expected to limit all references to private addresses to internal links: they should neither externally advertise routes to private addresses nor forward IP datagrams containing private addresses to external routers.

Tunnelling GRE - Private address ranges

class A: 10.0.0.0 to 10.255.255.255 (1 class)
class B: 172.16.0.0 to 172.31.255.255 (16 classes)
class C: 192.168.0.0 to 192.168.255.255 (256 classes)

(Diagram: several private networks, each using private IP@ internally, attached to the Internet, which uses public IP@.)

Part of the global address space is reserved for use in networks that do not require connectivity to the Internet. Typically these networks are administered by a single organisation. Three ranges of addresses have been reserved for this purpose:
10.0.0.0: a single class A network
172.16.0.0 through 172.31.0.0: 16 contiguous class B networks
192.168.0.0 through 192.168.255.0: 256 contiguous class C networks

Tunnelling GRE - Other private addresses

(Diagram: public IP@ 154.11.22.33, 195.51.63.1 and 9.1.2.3 on the Internet; a private network 154.11.0.0 using IP@ 154.11.63.1 and 154.11.12.13, addresses that were not assigned to this network by IANA and are therefore usable only inside it.)

Private IP@: any IP address not assigned by ICANN is also considered a private IP address. Such addresses can be used inside a private network; they cannot travel the Internet.

Tunnelling GRE - VPN: Virtual Private Network

(Diagram: two private networks, NetID 10.10.10.0 with host IP@ 10.10.10.8 and NetID 10.10.20.0 with host IP@ 10.10.20.4, first joined by a leased line, then joined across the Internet by tunnelling: the Virtual Private Network.)

A private network extended over several distant sites has to use very expensive leased lines. To reduce the cost, the Internet infrastructure can be used while keeping the advantages of a private network (security, ...). This concept is called a Virtual Private Network. To achieve it, a tunnel has to be created between the private networks.

Tunnelling GRE - VPN: Tunneling principle

(Diagram: Intranet 1, NetID 10.10.10.0, host IP@ 10.10.10.8, border router with public IP@ 194.3.2.1; Intranet 2, NetID 10.10.20.0, host IP@ 10.10.20.4, border router with public IP@ 198.6.7.2. Step 1: the original packet 10.10.10.8 -> 10.10.20.4 carrying data. Steps 2 and 3, encapsulation: an outer packet 194.3.2.1 -> 198.6.7.2 whose data is the original packet. Step 4: the outer packet crosses the Internet. De-encapsulation: the original packet 10.10.10.8 -> 10.10.20.4 is extracted and delivered.)

The solution consists of encapsulating the original IP packet inside another IP packet:
1- The original IP packet, using private IP addresses, is sent to the border router.
2- The border router builds an IP packet using public IP addresses known by the Internet.
3- The border router encapsulates the original IP packet in this packet as data.
4- The Internet can convey the IP packet towards the border router of the remote Intranet because it examines the header and not the data.
5- The Intranet 2 access router examines the received IP packet and, because the destination is its own address, extracts the data. This data being an IP packet, it submits the destination IP address to its routing table.
6- The original IP packet can travel the Intranet up to the destination.
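The six steps above, carried out on real packet bytes, as an added example that is not part of the course material: a minimal IPv4 header builder, GRE encapsulation with the slide's private and public addresses, and the checks the remote border router makes before extracting the inner packet. The UDP payload "data" and the TTL value are constructed stand-ins.

```python
"""GRE encapsulation and de-encapsulation of an IPv4 packet (plain GRE header,
no optional checksum/key/sequence fields). Added example; the addresses are
those of the tunneling-principle slide."""
import socket
import struct

GRE_PROTO = 47           # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value announcing an IPv4 payload


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (as routers compute it)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[ihl:total_len]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Steps 2 and 3: GRE header + public IP header in front of the private packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, payload = IPv4
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer: bytes, my_public_ip: str) -> bytes:
    """Step 5: accept only packets addressed to this router's own public address
    that really carry GRE with an IPv4 payload, then return the original packet."""
    _, dst, proto, payload = parse_ipv4(outer)
    if dst != my_public_ip:
        raise ValueError("outer packet is not addressed to this router")
    if proto != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0xB000:  # C, K or S bit set: optional fields this example does not handle
        raise ValueError("optional GRE fields present")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return payload[4:]


def tunnel_round_trip():
    """Constructed walk-through of the slide: Intranet 1 host to Intranet 2 host."""
    inner = build_ipv4("10.10.10.8", "10.10.20.4", 17, b"data")   # step 1 (UDP payload stub)
    outer = gre_encapsulate(inner, "194.3.2.1", "198.6.7.2")      # steps 2-3
    o_src, o_dst, o_proto, _ = parse_ipv4(outer)                   # step 4: what the Internet routes on
    extracted = gre_decapsulate(outer, "198.6.7.2")                # step 5: remote border router
    i_src, i_dst, _, data = parse_ipv4(extracted)                  # step 6: routed inside Intranet 2
    return {"outer": (o_src, o_dst, o_proto), "inner": (i_src, i_dst),
            "data": data, "intact": extracted == inner}
```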

Tunnelling GRE - Private network interconnection

(Diagram: three private networks 172.17.0.0, 172.19.0.0 and 172.16.0.0 interconnected by leased lines using private addresses 172.18.0.1/172.18.0.2 (t1) and 172.18.0.5/172.18.0.6 (t2), with RIP running on all routers. Routing table of the 172.19.0.0 router, learned by RIP: 172.19 local; 172.17 via 172.18.0.1; 172.16 via 172.18.0.6.)

Tunnelling GRE - Virtual Private Network

(Diagram: the same three private networks interconnected across the Internet by two GRE tunnels instead of leased lines. Public IP@: 195.6.7.2 for the 172.19.0.0 router, 194.1.2.2 for the 172.17.0.0 router, 194.9.8.1 for the 172.16.0.0 router. Tunnel1: address 172.18.0.2, local-IP 195.6.7.2, remote-IP 194.1.2.2. Tunnel2: address 172.18.0.5, local-IP 195.6.7.2, remote-IP 194.9.8.1. Routing table of the 172.19.0.0 router: 172.19 local; 172.17 via 172.18.0.1 (Tunnel1); 172.16 via 172.18.0.6 (Tunnel2). A packet 172.17.0.1 -> 172.19.0.1 is encapsulated with the public addresses before crossing the Internet and extracted by the remote router.)

Tunnelling GRE Evaluation Objective: to be able to make a Virtual Private Network by means of GRE protocol

Thank you for answering the self assessment of the objectives sheet


DNS : Domain Name System


Objective: to be able to configure a Name Server program: 1 DNS overview 2 Zone creation 3 Reverse translation 4 DNS operation verification 5 Sub-zone creation 6 DNS messages 7 Secondary name server 8 DNS in Linux

DNS Session presentation


DNS
1 DNS overview
2 Zone creation
3 Reverse translation
4 DNS operation verification
5 Sub-zone creation
6 DNS messages
7 Secondary name server
8 DNS in Linux

1 DNS overview - Friendly addressing

(Diagram: addressing by IP address, "ftp 192.55.100.1", versus addressing by domain name, "ftp computer.lannion.alcatel.fr.": the host computer, located at lannion, in the company Alcatel, in France, in the world (the final dot can be omitted). Tree structure: the hierarchy is read from right to left.)

History: up to 1984, a translation table symbolic name <=> IP@ was maintained by the NIC and downloaded by hosts by means of FTP. The huge number of hosts led to the creation of a distributed database, and a new system was born: the Domain Name System. The goal of the Domain Name System is to provide a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, internets and administrative organisations. Domain Name System: RFC 1034, RFC 1035.

1 DNS overview - Definition of a Domain Name

(Diagram: the DNS tree. Root, then arpa, gov, edu, mil, com, int, net, org, fr, uk, ca, ...; under arpa: in-addr; under edu: harvard, princeton, ...; under fr: alcatel, enst, inria, edf, ...; under alcatel: lannion, ...; under lannion: sales, mgt, au, ...; under au: trans, switching, network. Domain names (FQDN, Fully Qualified Domain Name): lannion.alcatel.fr. and trans.au.lannion.alcatel.fr.; the final dot can be omitted.)

DNS is a hierarchical database, meaning the data is structured in an inverted tree, much like the directory structure of a UNIX or Windows file system. Domain names are organised according to the tree structure of DNS: the individual node name comes first, followed by the domain where it resides, followed by the domain in which that domain resides, and so on, with each level separated by a dot. So, for example, when we see the host name host1.engineering.cisco.com, we know that the node host1 is in the engineering subdomain of the cisco domain, which in turn is in the com domain, which is under the root domain of the Internet. The location of a node is found by analysing the domain name from right to left. A domain name ending with a dot "." is called an ADN (Absolute Domain Name) or FQDN (Fully Qualified Domain Name).

A few rules concerning naming: a name must be composed of the characters 'a' to 'z', '0' to '9' and the symbol '-' (dash); all other characters are forbidden; names are not case sensitive. The maximum length of a domain name is 255 characters, and each label cannot exceed 63 characters. Usually, a domain name not ending with a dot is completed with the default domain name of the local name server.

1 DNS overview - Definition of a Domain

(Diagram: the same DNS tree, with the sub-trees fr. domain, alcatel.fr. domain and lannion.alcatel.fr. domain outlined; under alcatel: lannion, paris; under lannion: mgt, au, sales, ...; under au: trans, switching, network.)

A domain is a sub-tree of the DNS. A domain is composed of domain names and other domains. The links between nodes are logical links, not physical links. Example: 10 hosts belonging to the alcatel domain could be located in 10 different networks (in France, the U.K., the U.S., ...).

1 DNS overview - DNS tree

(Diagram: the DNS tree with the Top Level Domains labelled. Generic Top Level Domains: arpa, gov, edu, mil, com, int, net, org. Geographical Domains: fr, uk, ca, ... Below them: in-addr, harvard, princeton, alcatel, enst, inria, edf, lannion, paris, sales, mgt, au, trans, switching, network.)

The root domain, ".", is at the top, and various subdomains branch out from the root. On the Internet, for example, the first branches coming out of the root are the top-level domains such as .com, which is a domain containing all commercial organisations, .edu, which contains all educational organisations, and the various country codes, like .au for Australia, .ca for Canada, and so on.

Just below the root:
generic domains: edu: universities; net: Internet access providers; org: non-government organisations; int: international organisations; com: business companies; gov: U.S. government; mil: U.S. army.
geographical domains (based on country codes, see ftp://ftp.ripe.net/iso3166-countrycodes): .fr (France), .be (Belgium), .uk (United Kingdom), ...
arpa domain: for inverse translation, IP @ to domain name.

Under each of these top-level domains are more branches containing other domains, such as alcatel.fr under the .fr domain, and harvard.edu and princeton.edu under the .edu domain. Each of these domains may, in turn, have their own subdomains, such as lannion.alcatel.fr and paris.alcatel.fr under the alcatel.fr domain.

1 DNS overview - Definition of a Zone

(Diagram: the alcatel.fr. domain and the lannion.alcatel.fr. domain. One Name Server holds the zone alcatel; another Name Server holds the zones sales and mgt; a third Name Server holds the zones au, network and switching, with radio and trans under network.)

Zone: a zone is a point of delegation of the DNS tree. It contains all the names from a certain point downward, except those that have been further delegated to other zones. The name of the zone is the domain name of the upper node.

1 DNS overview - Principle of the domain name translation

(Diagram, steps 1 to 9: a host in the local zone runs "ping m1.ibm.com."; its resolver sends a recursive request to the local Name Server dnsln.ln.cit.alcatel.fr (@IP 139.54.40.2). After checking its cache, the local Name Server sends iterative requests: to the root Name Server k.root-servers.net. (@IP 193.0.14.129), which returns the com. Name Server (192.93.0.1); to the com. Name Server ns1.nic.fr. (@IP 192.93.0.1), which returns the ibm.com. Name Server (195.25.238.132); to the ibm.com. Name Server (@IP 195.25.238.132), which returns m1.ibm.com. @IP 195.25.238.152. The local Name Server finally returns 195.25.238.152 to the resolver.)

Name translation: because DNS is distributed across domains, when a name server receives a request for name resolution for a host outside its domain, it may not have address information for that host. Because DNS is hierarchical, it does not need that information: the name server just needs to know how to reach a root name server. It forwards the name resolution request to the root name server, which delegates the request to the appropriate domain beneath it, and this process continues until a name server which has address information for the host is reached and the information is retrieved. A host wishing to translate a domain name requests it from its resolver, which interrogates its name server.

Caching: in order to reduce the name resolution time and the traffic on the network, an important concept of DNS is caching. Whenever a name server receives address information for another host or domain, it stores that information for a specified period of time. That way, if another name resolution request for that host or domain is received, the name server has the address information ready and does not need to send another inquiry across the Internet. The length of time address information is stored on the name server is determined by the Time-To-Live (TTL).

Note: between the resolver and the Name Server, the request is a recursive request; between the local Name Server and the other servers, the requests are iterative requests.
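The walk root -> com. -> ibm.com. described above, with the cache and TTL behaviour, as an added example that is not part of the course material. The authoritative data of the three servers is constructed from the slide's addresses; the TTL value and the clock are assumptions so that expiry can be exercised.

```python
"""Iterative resolution with caching, as performed by the local name server of
the slide. Added example with constructed authoritative data."""

# Constructed data: what each name server of the slide can answer.
# "NS": referrals (child zone -> address of that zone's name server)
# "A":  final answers the server holds itself
SERVERS = {
    "193.0.14.129":   {"NS": {"com.": "192.93.0.1"}, "A": {}},              # k.root-servers.net.
    "192.93.0.1":     {"NS": {"ibm.com.": "195.25.238.132"}, "A": {}},      # com. name server
    "195.25.238.132": {"NS": {}, "A": {"m1.ibm.com.": "195.25.238.152"}},   # ibm.com. name server
}
ROOT_HINT = "193.0.14.129"   # taken from the local server's root-server (cache) file
TTL = 3600                   # assumed: seconds a learned record stays cached


def suffixes(name):
    """Enclosing zones of a FQDN, most specific first: m1.ibm.com. -> ibm.com., com., ."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))] + ["."]


def query_server(server_ip, qname):
    """One iterative query: the server answers, refers to a closer zone, or knows nothing."""
    data = SERVERS[server_ip]
    if qname in data["A"]:
        return ("answer", data["A"][qname])
    for zone in suffixes(qname):
        if zone in data["NS"]:
            return ("referral", zone, data["NS"][zone])
    return ("unknown", None)


class LocalNameServer:
    """Receives recursive requests from the resolver, sends iterative ones, caches results."""

    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.answers = {}           # name -> (address, expiry time)
        self.referrals = {}         # zone -> (server address, expiry time)

    def _fresh(self, table, key):
        """Return a cached value if its TTL has not run out, dropping it otherwise."""
        entry = table.get(key)
        if entry and entry[1] > self.clock():
            return entry[0]
        table.pop(key, None)
        return None

    def resolve(self, qname):
        """Return (address or None, number of iterative queries sent)."""
        cached = self._fresh(self.answers, qname)
        if cached:
            return cached, 0
        # Start at the closest enclosing zone whose server is still cached, else at the root.
        server = ROOT_HINT
        for zone in suffixes(qname):
            known = self._fresh(self.referrals, zone)
            if known:
                server = known
                break
        queries = 0
        while True:
            queries += 1
            reply = query_server(server, qname)
            expiry = self.clock() + TTL
            if reply[0] == "answer":
                self.answers[qname] = (reply[1], expiry)
                return reply[1], queries
            if reply[0] == "referral" and reply[2] != server:
                self.referrals[reply[1]] = (reply[2], expiry)   # remember the delegation
                server = reply[2]
                continue
            return None, queries
```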

1 DNS overview - Default location of the Root name servers

(Diagram: world map showing where the root servers are located.)

Root servers: at this moment, 13 servers are dispatched over the world. Each one receives approximately 100000 requests per hour. The addresses of the root servers can be downloaded from ftp://rs.internic.net/domain/named.root:
A.ROOT-SERVERS.NET. 198.41.0.4
B.ROOT-SERVERS.NET. 128.9.0.107
C.ROOT-SERVERS.NET. 192.33.4.12
D.ROOT-SERVERS.NET. 128.8.10.90
E.ROOT-SERVERS.NET. 192.203.230.10
F.ROOT-SERVERS.NET. 192.5.5.241
G.ROOT-SERVERS.NET. 192.112.36.4
H.ROOT-SERVERS.NET. 128.63.2.53
I.ROOT-SERVERS.NET. 192.36.148.17
J.ROOT-SERVERS.NET. 198.41.0.10
K.ROOT-SERVERS.NET. 193.0.14.129
L.ROOT-SERVERS.NET. 198.32.64.12
M.ROOT-SERVERS.NET. 202.12.27.33

Each root server knows at least the addresses of the first-level DNS servers (.com, .edu, .fr, etc.). The TTL is approximately 41 days.

1 DNS overview - Name server redundancy

(Diagram: the zones edu, fr, ca, alcatel and lannion, each held by a primary server; the alcatel and lannion zones are also held by a secondary server.)

There are two types of DNS servers: primary and secondary. A primary name server gets its authoritative data from its local configuration database. A secondary server gets its zone data from another name server that is authoritative for the zone. A secondary server periodically contacts the name server(s) from which it gets updates and pulls over the zone data if it has changed. This action is called a zone transfer. The interval is defined in the server's SOA record as the secondary refresh time.

1 DNS overview - DNS protocol position

(Diagram: protocol stack. DNS over UDP and TCP; IP at the network layer; at the link layer, Ethernet V2 or ISO 802.3 with 802.2 LLC/SNAP and MAC.)

The DNS protocol allows clients and servers to communicate. The DNS protocol is located over TCP and UDP; the type of dialogue is client-server; the well-known port is 53.
DNS over UDP: mainly to communicate between resolver and Name Server.
DNS over TCP: to update secondary Name Servers (zone transfer); rarely, to communicate between resolver and Name Server when the messages are larger than 512 bytes (because over UDP the message size is limited to 512 bytes).

1 DNS overview - Exercise

1- What is the standard well-known port used by DNS? 53
2- What is the name given to the client in the DNS? Resolver
3- What is the name given to a node in the DNS tree? A domain name
4- How to be sure that a domain name is a FQDN? When it is ended by a "."
5- Why will a second DNS request for the same domain name get a faster response? Because the response of the previous request has been stored in the local Name Server cache
6- What is the contents of a Name Server database? A zone
7- What must be the domain name of a zone? The domain name of the upper node of the zone
8- Can a Name Server house several different zone databases? Yes / No


2 Zone creation - New domain creation

(Diagram: under fr: alcatel, enst, inria, edf, ...; under alcatel: lannion, velizy; under lannion: optic, trans, au; under au: doc, trans, sales, ns, backup, switching, ...; the zone au is held by its own Name Server.)

In the following examples, we will use this hierarchical tree. All Alcatel University hosts will be part of au.lannion.alcatel.fr.

2 Zone creation - Network topology

(Diagram: zone au.lannion.alcatel.fr. Sub-network 192.249.249.x: rt249 (.1, router interface), managt (.2), ns (.3), backup (.4). Sub-network 192.253.253.x: rt253 (.1, router interface), doc (.2), switching (.3), trans (.4).)

We will suppose that the Alcatel University network is composed of two sub-networks: 192.249.249.x and 192.253.253.x. Each host has a name (domain name). Because the router has several interfaces, it possesses at least one IP address per interface. A DNS request for the IP address of this router will return the list of these IP addresses. Sometimes it can be useful to point to a specific address for testing. Then the best way is to assign a domain name to each interface (rt249 and rt253).

2 Zone creation - Name server database contents (1)

(Diagram: the first records of the zone au.lannion.alcatel.fr. held by the Name Server ns, in columns Name, type, Value:
$TTL value {default TTL}
@ SOA ns.au.lannion.alcatel.fr. e-mail-of-responsible (serial number, refresh delay, retry delay, expire delay, TTL {negative caching})
@ NS ns {Name Servers having authority over this zone}
"@" stands for the zone name; ns.au.lannion.alcatel.fr. is the primary Name Server.)

The format of a DNS file is standardised, allowing it to be exchanged between Name Servers. It contains Resource Records.

RR: Resource Records (RR) are records that specify different types of zone data. All Resource Records have the following required entries:
Name: the name (host) that owns the record, such as au.lannion.alcatel.fr.
Class: the class of the record is always IN (for Internet) in DNS.
TTL (Time-To-Live): amount of time the record can be stored in a cache. It is expressed in seconds. If you do not include a TTL, the Name Server uses the zone default TTL.
Type: the type of the record. There are many types defined by various RFCs, although 10 or fewer are in common use.
Record data: data whose format and meaning vary with the record type.

SOA: the Start of Authority (SOA) record designates the top of the zone in the DNS. There can be only one SOA record per zone. The Name indicates the name of the zone. The name of the primary server specifies the name of the server you are configuring. The contact e-mail address specifies the mailing address of the person responsible for the name server; remember to use a period instead of an @ sign. Primary servers use serial numbers to indicate when their database has changed. TTL, negative caching: period during which a client has to keep a negative response in its cache. Refresh time, retry time and expire time will be explained later.

NS: a name server (NS) record lists the name of a machine that provides domain service for a particular domain. The name associated with this Resource Record (RR) is the domain name, and the data portion is the name of a host that provides the service. NS record names must have an equivalent A record (that is, they cannot point to an alias).

Note: the directive $TTL provides a default TTL value for records which do not have their own TTL.

2 Zone creation - Name server database contents (2)

(Diagram: the full record list of the zone au.lannion.alcatel.fr., in columns Name, type, Value:
@ SOA ns.au.lannion.alcatel.fr. ...
@ NS ns
ns A 192.249.249.3
managt A 192.249.249.2
backup A 192.249.249.4
doc A 192.253.253.2
switching A 192.253.253.3
trans A 192.253.253.4
router A 192.249.249.1
       A 192.253.253.1 {particularity of multi-homed systems}
rt249 A 192.249.249.1
rt253 A 192.253.253.1
@ MX 10 backup {e-mail server, preference 10}
www CNAME doc {alias}
ftp CNAME doc {alias}
localhost. A 127.0.0.1
The A records give the translation Name => IP @; backup is the mail server; www and ftp are aliases of doc.)

A: an Address record provides the name-to-address mapping for the zone. It contains an Internet Protocol address in dotted decimal form. There must be at least one A record for each host address. Note: if a RR has its Name field identical to the previous one, the name can be omitted.
MX: Mail Exchanger records specify where mail for a domain name should be delivered. You can have multiple MX records for a single domain name, ranked in preference order.
CNAME (canonical name): used for nicknames or aliases. The name associated with the Resource Record is the nickname; the data portion is the official or canonical name. When a name server looks up a name and finds a CNAME record, it replaces that name with the canonical name and looks up the new name. (Do not chain CNAME records.)
Note about localhost: when two applications located on the same host have to communicate, they can use the IP address 127.0.0.1, but they also have the opportunity to use the domain name localhost; therefore it is convenient to introduce this A record in the local zone.
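The zone file of the two slides above, read by a small parser that applies the rules they state ($TTL default, "@" for the zone name, omitted owner names, relative names completed with the zone name, the CNAME replacement and MX preference order), as an added example that is not part of the course material. The zone text is constructed from the slide's records; the SOA timer values, the e-mail name admin and the second MX record (doc, preference 20) are assumptions added to exercise the rules.

```python
"""Parser for a zone file in the master-file format of the slide, plus a lookup
that follows one CNAME and orders MX records by preference. Added example with a
constructed au.lannion.alcatel.fr. zone."""
import re

ORIGIN = "au.lannion.alcatel.fr."
ZONE_FILE = """\
$TTL 86400
@         SOA   ns.au.lannion.alcatel.fr. admin.au.lannion.alcatel.fr. (
                  2024010101 ; serial (assumed)
                  28800      ; refresh
                  7200       ; retry
                  604800     ; expire
                  3600 )     ; negative caching TTL
@         NS    ns
ns        A     192.249.249.3
managt    A     192.249.249.2
backup    A     192.249.249.4
doc       A     192.253.253.2
switching A     192.253.253.3
trans     A     192.253.253.4
router    A     192.249.249.1
          A     192.253.253.1
rt249     A     192.249.249.1
rt253     A     192.253.253.1
@         MX    10 backup
@         MX    20 doc
www       CNAME doc
ftp       CNAME doc
localhost. 3600 A 127.0.0.1
"""
TYPES = {"SOA", "NS", "A", "MX", "CNAME", "PTR"}


def absolute(name, origin):
    """'@' is the zone name; a name without a final dot is relative to the zone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (default TTL, list of (owner, ttl, type, rdata tokens))."""
    lines = [re.sub(r";.*", "", ln) for ln in text.splitlines()]   # drop comments
    joined, buf = [], ""
    for ln in lines:                                 # fold the parenthesised SOA onto one line
        buf += " " + ln
        if buf.count("(") == buf.count(")"):
            joined.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    default_ttl, records, owner = None, [], origin
    for ln in joined:
        if not ln.strip():
            continue
        if ln.startswith(" $TTL"):
            default_ttl = int(ln.split()[1])
            continue
        tokens = ln.split()
        if not ln[1].isspace():                      # owner present; otherwise reuse the previous one
            owner = absolute(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":                        # class IN may be written or omitted
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype not in TYPES:
            raise ValueError(f"unsupported RR type {rtype}")
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), absolute(rdata[1], origin)]
        records.append((owner, ttl, rtype, rdata))
    return default_ttl, records


def lookup(records, name, rtype, origin=ORIGIN):
    """Answer a query as the name server would: on a CNAME hit, look up the canonical name instead."""
    name = absolute(name, origin)
    hits = [r for r in records if r[0] == name and r[2] == rtype]
    if not hits and rtype != "CNAME":
        alias = [r for r in records if r[0] == name and r[2] == "CNAME"]
        if alias:                                    # one replacement only: CNAMEs are not chained
            canonical = alias[0][3][0]
            hits = [r for r in records if r[0] == canonical and r[2] == rtype]
    if rtype == "MX":
        hits.sort(key=lambda r: r[3][0])             # lowest preference value is tried first
    return [r[3] for r in hits]
```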

2 Zone creation - Cache file

(Diagram: the cache file of the Name Server ns: a list of A records giving the IP@ of the root servers A.ROOT-SERVERS.NET. to M.ROOT-SERVERS.NET., which lets the local server reach the Internet root. The zone au.lannion.alcatel.fr. with its hosts managt, ns, backup, rt249, rt253, doc, switching, trans and the aliases www and ftp is shown beside it.)

When the local Name Server is not able to perform the translation because the response is neither in its cache nor in its zone files, it must contact a root server. The Name Server has a file containing the IP addresses of the root servers, so it is able to go down through the DNS inverted tree. This file can be downloaded from ftp://rs.internic.net/domain/named.root. Note: when a private network is not connected to the Internet, this file must be loaded with RRs of type A whose IP addresses point to the Name Server(s) of the private network's root domain.

2 Zone creation - Process example of a direct translation

(Diagram, steps 1 to 13: resolution of trans.au.lannion.alcatel.fr. by the local DNS server dns-serv.edf.fr. (IP 194.8.2.1), whose cache holds A.root-servers.net (IP 198.41.0.3) and B.root-servers.net (IP 128.9.0.107). The request goes to A.root-servers.net, whose root zone holds NS records for com., fr. (ns1.fr., 194.1.1.1, and ns2.uk, 195.8.8.8) and in-addr.arpa.; ns1.fr, holding the fr. zone with NS records for alcatel (v1.alcatel.fr., 195.1.1.1) and edf (dns-serv.edf.fr., 194.8.2.1), refers to v1.alcatel.fr.; v1.alcatel.fr., holding alcatel.fr. with NS records for lannion (dns-lan, 192.249.1.1) and nantes (dns-nantes, 192.250.1.2), refers to dns-lan.alcatel.fr.; dns-lan.alcatel.fr., holding lannion.alcatel.fr. with an NS record for au (ns.au.lannion.alcatel.fr., 192.249.249.3), refers to ns.au.lannion.alcatel.fr.; that server, holding au.lannion.alcatel.fr. with doc A 192.253.253.2, trans A 192.253.253.4 and ns A 192.249.249.3, answers trans A 192.253.253.4, which the local server returns.)

2 Zone creation - General format of a RR (Resource Record)

(Diagram: RR fields: Name (the domain name to define), TTL (Time-To-Live: how long a Name Server can keep this RR in its cache memory), Class (IN: Internet), Type (A, NS, MD, MF, CNAME, SOA, MB, MG, MR, NULL, WKS, PTR, HINFO, MINFO, MX, TXT), Rdata (type-dependent value: an IP @ for A, a domain name for NS, CNAME, PTR, ...).)

Class: because network types can differ, the address format can also differ, so a class field has been introduced in every RR. Classes: IN (1) the Internet; CS (2) the CSNET class (obsolete); CH (3) the CHAOS class; HS (4) Hesiod [Dyer 87]; * (255) any class. The class of the record is always IN (for Internet) in DNS.
TTL (Time-To-Live): amount of time the record can be stored in a cache. It is expressed in seconds. If you do not include a TTL, the Name Server uses the zone default TTL defined by the $TTL directive.

2 Zone creation - Various types of RR

A (1): a host Address
NS (2): an authoritative Name Server
MD (3): a Mail Destination (obsolete, use MX)
MF (4): a Mail Forwarder (obsolete, use MX)
CNAME (5): the Canonical NAME for an alias
SOA (6): marks the Start Of a zone of Authority
MB (7): a Mailbox domain name (EXPERIMENTAL)
MG (8): a Mail Group member (EXPERIMENTAL)
MR (9): a Mail Rename domain name (EXPERIMENTAL)
NULL (10): a NULL RR (EXPERIMENTAL)
WKS (11): a Well Known Service description (specifies the services offered by this host: SMTP, ...)
PTR (12): a domain name PoinTeR
HINFO (13): Host INFOrmation (indicates the OS used, the CPU, ...)
MINFO (14): Mailbox or mail list INFOrmation
MX (15): Mail eXchange
TXT (16): TeXT strings

HINFO RR: the HINFO (Host Info) record provides information about a particular host. The data contains a description of the hardware and software. The hardware description contains the name of the manufacturer and the model number; the software description contains the name of the operating system.
WKS RR: the WKS (Well Known Services) record lists the well known services a host provides on a particular IP protocol. The common protocols are TCP and UDP. The common services are TIME, TELNET, FTP or SMTP.
TXT RR: the TXT (Text) record contains strings of at most 256 characters that can hold any type of information.

2 Zone creation - SOA (Start Of Authority) Resource Record

(Diagram: SOA record layout: Name, TTL, Class (1: IN), type SOA (6), Rdata: domain name of the name server, domain name of the responsible, then five 32-bit fields Serial, Refresh, Retry, Expire and Minimum.)

The contact e-mail address specifies the mailing address of the person responsible for the name server; remember to use a period instead of an @ sign. The name of the primary server specifies the name of the server you are configuring. Serial number: primary servers use serial numbers to indicate when their database has changed. Secondary servers check this serial number to determine whether they need to update their zone data. You only need to enter a serial number the first time you configure a zone; thereafter, Network Registrar increments the serial number every time a change is made to the database. The secondary refresh time is how often a secondary name server checks the primary server for an update. The secondary retry time is how often a secondary name server retries after a failure to update a zone. The secondary expire time is the longest amount of time a secondary name server can claim authority for zone data when responding to queries after it has failed to update the zone. The Minimum TTL specifies the minimum TTL value to be used in all query operations that retrieve Resource Records (RR) from this zone.
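The refresh, retry and expire timers and the serial-number check described above, together with the zone transfer of the redundancy slide, as an added example that is not part of the course material. The primary is a constructed stand-in with a switch to make it unreachable; the timer values and serial numbers in the usage are assumptions, and serials are compared with plain integer ordering (wrap-around serial arithmetic is not handled).

```python
"""Secondary name server driven by the SOA timers: it checks the primary's
serial every 'refresh' seconds, pulls the zone when the serial increased,
retries sooner after a failure, and stops being authoritative after 'expire'.
Added example with a constructed primary."""


class Primary:
    """Constructed primary: holds the zone records and the SOA serial."""

    def __init__(self, serial, records):
        self.serial, self.records, self.up = serial, list(records), True

    def soa_serial(self):
        if not self.up:
            raise ConnectionError("primary unreachable")
        return self.serial

    def zone_transfer(self):
        if not self.up:
            raise ConnectionError("primary unreachable")
        return self.serial, list(self.records)


class Secondary:
    def __init__(self, primary, refresh, retry, expire):
        self.primary = primary
        self.refresh, self.retry, self.expire = refresh, retry, expire
        self.serial, self.records = None, []
        self.next_check = 0         # time at which the next SOA query is due
        self.last_success = None    # time of the last successful check or transfer
        self.transfers = 0

    def authoritative(self, now):
        """May answer for the zone only until 'expire' seconds after the last success."""
        return self.last_success is not None and now - self.last_success <= self.expire

    def tick(self, now):
        """Called by a scheduler; returns what happened at this instant."""
        if now < self.next_check:
            return "idle"
        try:
            remote = self.primary.soa_serial()
            if self.serial is None or remote > self.serial:   # database changed on the primary
                self.serial, self.records = self.primary.zone_transfer()
                self.transfers += 1
                outcome = "transferred"
            else:
                outcome = "up-to-date"
            self.last_success = now
            self.next_check = now + self.refresh
        except ConnectionError:
            outcome = "retry"
            self.next_check = now + self.retry            # shorter wait after a failure
        return outcome
```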

2 Zone creation - MX (Mail box eXchange) Resource Record

(Diagram: MX record layout: Name, TTL, Class (1: IN), type MX (15), Rdata: Preference (16 bits), then the domain name of the mail box.)

Mail Exchange Record: this corresponds to the MX record, which ensures that mail sent to the host will reach it. A mail exchanger is a computer that accepts electronic mail; some mail exchangers forward the mail to other computers. DNS has a separate record type for mail exchangers. Mail Exchanger records specify where mail for a domain name should be delivered. You can have multiple MX records for a single domain name, ranked in preference order.


3 Reverse translation Goal

Internet
@IPsrc 192.253.253.4 @IPdest 132.25.12.1
1

What is the domain Name of this host?

Server FTP

DNS inverse Request

4.253.253.192 ?

132.25.12.1

IP address provided in inverse way


266
Reverse translation: In order to have a correct DNS configuration, you must have a reverse zone for each network you are using. A reverse zone is a primary zone that allows the Internet to convert IP addresses back to host names. Reverse zones are all in the special domain, in-addr.arpa. Reverse translation is much more complex : Opposite to direct translation where the search is more and more accurate by reading the domain name from right to left, the IP address is more accurate by reading left to right. Consequently, to keep homogenous system in the DNS, the four bytes of the IP addresses will be provided to the name server in reverse order A new space has been created in-addr.arpa (in-addr : inverse address arpanet) note : ip6.int pour IPv6


3 Reverse translation: DNS space for IP address translation

The host trans.au.lannion.alcatel.fr. (@IP 192.253.253.4) is named in the reverse tree:

  4.253.253.192.in-addr.arpa.

  arpa. -> in-addr -> 192 -> 253 -> 253 -> 4
  (at each level below in-addr the labels run from 0 to 255)

IP addresses are seen as names: each byte of the IP address is a label that can take 256 values. The name servers of the reverse tree are distributed over the world. Example for 210.37.148.193.in-addr.arpa:
  in-addr.arpa             managed by the name server A.ROOT-SERVERS.NET
  193.in-addr.arpa         managed by the name server NS.RIPE.NET
  148.193.in-addr.arpa     managed by the name server NS.RIPE.NET
  37.148.193.in-addr.arpa  managed by the name server first.tvt.fr


3 Reverse translation: Difficulties for the creation of inverse translation zones

The figure shows the tree under 192.in-addr.arpa. Below 192 are the labels 0 to 255 (among them 249 and 253); below each of these are again the labels 0 to 255, and the corresponding /24 networks belong to many different organizations (IBM, FT, CISCO, Yahoo and Ford networks in the drawing). Only two of them belong to Alcatel:

  h.249.249.192.in-addr.arpa. : network 192.249.249.0, hosts rt249 (.1), managt (.2), ns (.3), backup (.4)
  h.253.253.192.in-addr.arpa. : network 192.253.253.0, hosts rt253 (.1), doc (.2), switching (.3), trans (.4)

If a single zone were created for both networks (for example at the level 192.in-addr.arpa or 249.192.in-addr.arpa), the reverse zones of all the other organizations would become daughters of this zone. That arrangement is unacceptable, so a smaller zone has to be created for each network.


3 Reverse translation: Zones to create for inverse translation

  Zone 249.249.192.in-addr.arpa. : addresses 192.249.249.1 to .4 (rt249, managt, ns, backup)
  Zone 253.253.192.in-addr.arpa. : addresses 192.253.253.1 to .4 (rt253, doc, switching, trans)

In order to have a correct DNS configuration, you have to have a reverse zone for each network you are using. A reverse zone is a primary zone that allows the Internet to convert IP addresses back to host names; reverse zones are all in the special domain in-addr.arpa. In our example two zones have to be created, one per sub-network.


3 Reverse translation: Inverse translation zones (1)

Network 192.249.249.0: rt249 .1 (router, also 192.253.253.1), managt .2, ns .3 (name server), backup .4 (mail server)
Network 192.253.253.0: rt253 .1 (router), doc .2 (aliases www and ftp), switching .3, trans .4
Domain: au.lannion.alcatel.fr.

Zone: 249.249.192.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.
  1     PTR   router.au.lannion.alcatel.fr.
  2     PTR   managt.au.lannion.alcatel.fr.
  3     PTR   ns.au.lannion.alcatel.fr.
  4     PTR   backup.au.lannion.alcatel.fr.

Zone: 253.253.192.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.
  1     PTR   router.au.lannion.alcatel.fr.
  2     PTR   doc.au.lannion.alcatel.fr.
  3     PTR   switching.au.lannion.alcatel.fr.
  4     PTR   trans.au.lannion.alcatel.fr.

Zone: as any zone, the file must contain at least a first record of type SOA describing the zone and one or several NS records. In addition, a reverse zone contains PTR records. The PTR (Pointer) record points to another location in the domain tree; in the in-addr.arpa zones it translates an address into a name. PTRs use official (canonical) names, not aliases: 192.253.253.2 points to doc.au.lannion.alcatel.fr., not to www or ftp. Note that a PTR is written by whoever administers the address block, so by itself it proves nothing about the host: a program that wants to rely on a reverse lookup must resolve the returned name forward again and check that the original address is among its A records (forward-confirmed reverse DNS).
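The reverse-name construction and the forward-confirmation check described above, as an added example that is not part of the course material (Python, standard library only). The forward and reverse data are a constructed in-memory copy of the course's example zones, with two deliberate defects added to exercise the failure cases; the function names are this example's own.

```python
# Added example (not part of the Alcatel course): building reverse-lookup names
# and checking a PTR answer against the forward zone (forward-confirmed
# reverse DNS). The zone data are constructed in memory from the course's
# example zones; nothing is queried over the network.
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # 192.253.253.4 -> 4.253.253.192.in-addr.arpa.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    # IPv6: one label per hex nibble, reversed, under ip6.arpa. (ip6.int,
    # cited by the course, has been retired).
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name for a complete IPv4 reverse name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))


# Constructed forward data: canonical name -> A records (course zones).
FORWARD = {
    "router.au.lannion.alcatel.fr.": ["192.249.249.1", "192.253.253.1"],
    "managt.au.lannion.alcatel.fr.": ["192.249.249.2"],
    "ns.au.lannion.alcatel.fr.": ["192.249.249.3"],
    "backup.au.lannion.alcatel.fr.": ["192.249.249.4"],
    "doc.au.lannion.alcatel.fr.": ["192.253.253.2"],
    "trans.au.lannion.alcatel.fr.": ["192.253.253.4"],
    "host.attacker.example.": ["203.0.113.9"],
}

# Constructed reverse data: PTR owner -> target. Two deliberate defects:
# .3 of the 253 network claims a name that does not resolve back to it, and
# .5 of the 249 network points to a name that no longer has an A record.
REVERSE = {
    "1.249.249.192.in-addr.arpa.": "router.au.lannion.alcatel.fr.",
    "2.249.249.192.in-addr.arpa.": "managt.au.lannion.alcatel.fr.",
    "3.249.249.192.in-addr.arpa.": "ns.au.lannion.alcatel.fr.",
    "4.249.249.192.in-addr.arpa.": "backup.au.lannion.alcatel.fr.",
    "5.249.249.192.in-addr.arpa.": "old.au.lannion.alcatel.fr.",
    "1.253.253.192.in-addr.arpa.": "router.au.lannion.alcatel.fr.",
    "2.253.253.192.in-addr.arpa.": "doc.au.lannion.alcatel.fr.",
    "3.253.253.192.in-addr.arpa.": "host.attacker.example.",
    "4.253.253.192.in-addr.arpa.": "trans.au.lannion.alcatel.fr.",
}


def fcrdns(addr: str):
    """Return (status, name); 'ok' only if the PTR target resolves back to addr.

    Other statuses: 'no-ptr' (no reverse record), 'no-a' (the PTR names a
    host without address record), 'mismatch' (the host exists but does not
    own this address: a forged or stale PTR)."""
    name = REVERSE.get(reverse_name(addr))
    if name is None:
        return "no-ptr", None
    addrs = FORWARD.get(name)
    if not addrs:
        return "no-a", name
    if str(ipaddress.ip_address(addr)) not in addrs:
        return "mismatch", name
    return "ok", name


if __name__ == "__main__":
    for a in ("192.249.249.1", "192.249.249.5", "192.253.253.3", "192.253.253.9"):
        print(a, reverse_name(a), fcrdns(a))
```

Only the "ok" status should be treated as a verified name; the three others are the cases an access-control rule based on host names must reject rather than fall through.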


3 Reverse translation: Inverse translation zones (2)

Zone: 0.0.127.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.
  1     PTR   localhost.

Zone: 255.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.

Zone: 0.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.

Other special zones: 0.0.127.in-addr.arpa enables a host to resolve the loopback address (127.0.0.1) to the name localhost; the loopback address is used by a host to direct network traffic to itself. The zones 0.in-addr.arpa and 255.in-addr.arpa are created to answer translation requests for 0.0.0.0 and 255.255.255.255. These zones are empty (SOA and NS only), so the server returns an error itself rather than forwarding such requests to other name servers.


3 Reverse translation: Process example of a reverse translation

The figure follows the resolution of 3.253.253.192.in-addr.arpa. (PTR request for 192.253.253.3) down the reverse tree. The names, addresses and zone contents below are those of the drawing:

  1. The local name server (cache) knows the root server A.root-servers.net (198.41.0.3 in the drawing) and asks it.
  2. Root zone, on A.root-servers.net: in-addr.arpa. NS nic.net., nic.net. A 198.2.2.2 (the root also delegates com. to serv.net. 198.1.1.1, fr. to ns1.fr. 194.1.1.1, ...). The root refers the query to nic.net.
  3. nic.net, zone in-addr.arpa: 192 NS ns1.uk. (A 195.1.1.1), 202 NS ns1.ja. (A 203.1.2.3), ... It refers the query to ns1.uk.
  4. ns1.uk, zone 192.in-addr.arpa: 1 NS ns1.be. (A 194.3.3.3), 2 NS ns1.de., ..., 253 NS serv.fr. (A 194.1.2.3). It refers the query to serv.fr.
  5. serv.fr, zone 253.192.in-addr.arpa: 1 NS ns1.edf.fr., 2 NS m2.ft.com., ..., 253 NS ns.au.lannion.alcatel.fr. (A 192.249.249.3). It refers the query to ns.au.lannion.alcatel.fr.
  6. ns.au.lannion.alcatel.fr (192.249.249.3), zone 253.253.192.in-addr.arpa, holds the PTR records of the hosts (the drawing lists doc, switching and trans) and answers the question authoritatively.
  7. The local name server caches the answer and returns the host name to the requester.


4 DNS operation verification: Test of a DNS server from its own zone

Verification of the translation name => IP address:

  C:\> nslookup trans.au.lannion.alcatel.fr
  Server:  ns.au.lannion.alcatel.fr.
  Address: 192.249.249.3
  Name:    trans.au.lannion.alcatel.fr.
  Address: 192.253.253.4

Verification of the inverse translation IP address => name:

  C:\> nslookup 192.253.253.4
  Server:  ns.au.lannion.alcatel.fr.
  Address: 192.249.249.3
  Name:    trans.au.lannion.alcatel.fr.
  Address: 192.253.253.4

nslookup is a program to query Internet domain name servers. Interactive mode allows the user to query name servers for information about various hosts and domains, or to print a list of hosts in a domain. Example in interactive mode, setting the default domain and then querying a short name:

  # nslookup
  > set domain=au.lannion.alcatel.fr
  > trans


4 DNS operation verification: Out-of-zone test of a DNS server

Verification of the translation of an exterior name => IP address:

  C:\> nslookup ftp.uu.net.
  Server:  ns.au.lannion.alcatel.fr.
  Address: 192.249.249.3
  Name:    ftp.uu.net
  Address: 192.48.96.9

Test of a remote request to the local domain (asking an external name server):

  C:\> nslookup trans gatekeeper.dec.com.
  Server:  gatekeeper.dec.com
  Address: 204.123.2.2
  Name:    trans.au.lannion.alcatel.fr.
  Address: 192.253.253.4

Test using remote name servers (searched zone outside the local zone): the response may be delayed by several seconds. When this operation succeeds, it means the local server knows where the root servers are located. Otherwise the root hints (cache) file may be incorrectly configured, or there is a problem in the network.

Local zone search from an external name server: in case of failure, the local zone may not have been recorded in the parent zone; contact the person responsible for the parent zone. Note that this test only works if the external server accepts recursive queries from your address. A server that refuses recursion to outside clients (the usual policy today, to avoid acting as an open resolver) answers REFUSED or returns a referral, which does not by itself indicate a delegation problem.


4 DNS operation verification: Exercise

1- List the main DNS records.
   A, NS, MD, MF, CNAME, SOA, MB, MG, MR, NULL, WKS, PTR, HINFO, MINFO, MX, TXT
2- What kind of record is the first record of any zone?
   SOA: Start Of Authority
3- What is the role of the parameter TTL in an A resource record?
   Time To Live of the record in the cache memories
4- Which type of record allows other names to be assigned to a host?
   CNAME
5- What is the default name if the name field of a record is empty?
   The name of the previous record
6- How should an IP address be presented in an inverse request?
   In reverse order, followed by in-addr.arpa.
7- What is the characteristic of the zones 255.in-addr.arpa. and 0.in-addr.arpa.? Why should these zones be created?
   They contain no RR of type PTR. They allow the server to answer with an error rather than searching the DNS tree for a non-existent domain name.


5 Sub-zone creation: Situation of the sub-zone in the tree

  fr.
   |- alcatel   (beside enst, inria, edf, ...)
       |- lannion   (beside velizy, optic, ...)
           |- au                                   parent zone au.lannion.alcatel.fr. (name server: ns)
               |- backup, rt253, router, rt249, ns, managt    hosts that stay in the parent zone
               |- oper                             sub-zone oper.au.lannion.alcatel.fr.
                   |- doc, switching, trans        hosts of the sub-zone; trans is the name server for the sub-zone


5 Sub-zone creation: Exercise: write down the RRs of this new zone

Domain au.lannion.alcatel.fr.: rt249 .1, managt .2, ns .3, backup .4 (mail server) on 192.249.249.0; rt253 .1 on 192.253.253.0.
Sub-zone oper.au.lannion.alcatel.fr., served by trans (192.253.253.4): hosts doc .2 (aliases www and ftp), switching .3, trans .4 on 192.253.253.0.

Zone: oper.au.lannion.alcatel.fr.
  Name       Type   Rdata
  @          SOA    trans.oper.au.lannion.alcatel.fr. ...
  @          NS     trans.oper.au.lannion.alcatel.fr.
  trans      A      192.253.253.4
  doc        A      192.253.253.2
  switching  A      192.253.253.3
  @          MX     5, backup.au.lannion.alcatel.fr.
  www        CNAME  doc
  ftp        CNAME  doc
  localhost  A      127.0.0.1

Exercise: create the database of this new zone. You need to specify the hosts that will serve as the sub-zone's name servers; this information is what the parent domain's name servers will use when they are queried about the sub-zone. Note: a host can house several zones; when it receives a DNS request, it searches the zone whose name is the closest (longest) match of the requested domain name.


5 Sub-zone creation: Exercise: parent zone modification

Zone: au.lannion.alcatel.fr.
  Name        Type  Rdata
  @           SOA   ns.au.lannion.alcatel.fr. ...
  @           NS    ns.au.lannion.alcatel.fr.
  ns          A     192.249.249.3
  managt      A     192.249.249.2
  backup      A     192.249.249.4
  router      A     192.249.249.1
  router      A     192.253.253.1
  rt249       A     192.249.249.1
  rt253       A     192.253.253.1
  @           MX    10, backup
  localhost   A     127.0.0.1
  oper        NS    trans.oper.au.lannion.alcatel.fr.   (delegation of the sub-zone)
  trans.oper  A     192.253.253.4                        {RR glue}

The A records of doc, switching and trans, and the www and ftp aliases, are removed from the parent zone: they now belong to oper.

An NS record has to be added in order to indicate the domain name of the name server housing the daughter database (sub-zone). An A record also has to be added to provide the IP address of this name server. This A record is called a glue record: the DNS A (address) record that gives the address of a sub-domain's authoritative name server. Glue is needed here because the name trans.oper.au.lannion.alcatel.fr. lies inside the very zone being delegated; without it a resolver would have to ask the sub-zone's server for the server's own address. Glue is only required when the name server's name is inside the delegated zone, and it must be kept identical to the A record published in the child zone.


5 Sub-zone creation: Exercise: modification of the inverse translation zones

Both reverse zones remain on the name server ns (au.lannion.alcatel.fr.); only the PTR targets of the hosts moved into oper change.

Zone: 249.249.192.in-addr.arpa. (unchanged)
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.
  1     PTR   router.au.lannion.alcatel.fr.
  2     PTR   managt.au.lannion.alcatel.fr.
  3     PTR   ns.au.lannion.alcatel.fr.
  4     PTR   backup.au.lannion.alcatel.fr.

Zone: 253.253.192.in-addr.arpa.
  Name  Type  Value
  @     SOA   ns.au.lannion.alcatel.fr.
  @     NS    ns.au.lannion.alcatel.fr.
  1     PTR   router.au.lannion.alcatel.fr.
  2     PTR   doc.oper.au.lannion.alcatel.fr.        (was doc.au.lannion.alcatel.fr.)
  3     PTR   switching.oper.au.lannion.alcatel.fr.  (was switching.au.lannion.alcatel.fr.)
  4     PTR   trans.oper.au.lannion.alcatel.fr.      (was trans.au.lannion.alcatel.fr.)



6 DNS messages: DNS message format over UDP

  UDP header (8 bytes):   UDP source port | UDP destination port | UDP message length | Checksum
  DNS header (12 bytes):  Identification | Parameters | QDcount | ANcount | NScount | ARcount
  Question section
  Answer section
  Authority section
  Additional information section

Every message of the DNS protocol uses the same format. In a query, only the header and the question section are used. The UDP (and, when needed, TCP) well-known port is 53.


6 DNS messages: Header fields of a DNS message (1)

  Identification (16 bits): chosen by the requester and copied into the response, to associate a received answer with its request.

  Parameters (16 bits):
    QR      Query: 0, Response: 1
    Opcode  Standard query: 0, zone change notification: 4
    AA      Authoritative Answer: 1 when the server is authoritative over this domain
    TC      Truncation: 1 if the response has been truncated because of the transport
    RD      Recursion Desired: the resolver wishes a recursion (this bit is copied into the response)
    RA      Recursion Available: indicates whether the name server accepts recursive requests
    0 0     reserved bits, set to 0
    Rcode   Response code: 0: no error; 1: format error; 2: server problem; 3: non-existent domain name (valid when AA=1); 4: request type not implemented; 5: server refuses to answer

Other Opcode values are not used here. Requests and responses use the UDP transport layer. If the response is too long (more than 512 bytes), it is truncated and the TC bit is set to one; the caller should then retransmit its request over TCP to get the complete response, and must not use the truncated UDP answer as if it were complete. Since the Identification field (together with the UDP source port) is all that ties a response to a request, a resolver must choose both unpredictably: a spoofed response carrying a guessed identification is accepted as genuine and poisons the cache.


6 DNS messages: Header fields of a DNS message (2)

  QDcount  number of questions in the question section
  ANcount  number of RRs (Resource Records) in the answer section
  NScount  number of RRs in the authority section
  ARcount  number of RRs in the additional section

6 DNS messages: Question section

  Question = QNAME (label 1, ..., label n, 0) | QTYPE (record type, 16 bits) | QCLASS (16 bits, 1: INternet)

  Label: an element of the domain name, coded as a length byte followed by the characters; the name ends with a zero-length label. Example for lannion.alcatel.com:
    07 "lannion"  07 "alcatel"  03 "com"  00

  RR type coding used in the course: 1: A, 2: NS, 5: CNAME, 6: SOA, 12: PTR, 15: MX, 251: IXFR (incremental zone transfer), 252: AXFR (zone transfer), 255: * (any type)

Record type coding (RFC 1035):
  A      1   a host address
  NS     2   an authoritative name server
  MD     3   a mail destination (obsolete, use MX)
  MF     4   a mail forwarder (obsolete, use MX)
  CNAME  5   the canonical name for an alias
  SOA    6   marks the start of a zone of authority
  MB     7   a mailbox domain name (experimental)
  MG     8   a mail group member (experimental)
  MR     9   a mail rename domain name (experimental)
  NULL   10  a null RR (experimental)
  WKS    11  a well known service description
  PTR    12  a domain name pointer
  HINFO  13  host information
  MINFO  14  mailbox or mail list information
  MX     15  mail exchange
  TXT    16  text strings

Class code:
  IN  1    the Internet
  CS  2    the CSNET class (obsolete)
  CH  3    the CHAOS class
  HS  4    Hesiod [Dyer 87]
  *   255  any class


6 DNS messages: Answer, authority and additional sections

  ANcount: number of RRs in the answer section; NScount: number of RRs in the authority section; ARcount: number of RRs in the additional section. Each section is a sequence of records.

  One record = NAME (label 1, ..., label n, 0) | TYPE | CLASS | TTL (Time to Live, 32 bits, seconds) | RDLENGTH (length of the RDATA) | RDATA (RR data field)

The additional section is used by the name server to provide supplementary information that could be useful for the caller. Example: the caller wants the mail exchanger of a zone, so it sends a query of type MX. In the response, the answer section contains the MX RR, that is, the domain name of the mail exchanger, and the additional section contains the A RR giving the IP address of this mail exchanger. A resolver should only accept additional records that lie within the authority (bailiwick) of the answering server; otherwise a malicious server could plant addresses for unrelated names in the resolver's cache.
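The header, question and resource record layouts described above, as an added Python example (not code from the course): it builds a query, parses a response including compression pointers, and refuses a response whose identification or question does not echo the query. The response bytes are constructed here to mirror the course's MX exchange; `sample_mx_response` and the other names are this example's own.

```python
# Added example (not from the course): encoding and decoding DNS messages in the
# wire format described above (RFC 1035 section 4), including name compression.
# The response bytes are constructed to mirror the course's MX example;
# no server is contacted.
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """'lannion.alcatel.com.' -> b'\\x07lannion\\x07alcatel\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, ident, rd=True):
    """Header + one question; ident must be unpredictable in a real resolver."""
    header = struct.pack("!HHHHHH", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off, depth=0):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 11 + 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or depth > 16:     # must point backwards; bounds the recursion
                raise ValueError("bad compression pointer")
            tail, _ = decode_name(msg, ptr, depth + 1)
            labels.append(tail.rstrip("."))
            return ".".join(l for l in labels if l) + ".", off + 2
        off += 1
        if length == 0:
            return (".".join(labels) + ".") if labels else ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5, 12):                # NS, CNAME, PTR: a (compressible) name
        data, _ = decode_name(msg, off)
    elif rtype == 15:                        # MX: preference + exchanger name
        data = (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
    else:
        data = msg[off:off + rdlen]
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "data": data}, off + rdlen


def parse_message(msg):
    """Return (header fields, questions, {'answer', 'authority', 'additional'})."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
              "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
              "ra": flags >> 7 & 1, "rcode": RCODE.get(flags & 0xF, flags & 0xF)}
    off, questions = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        questions.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return header, questions, sections


def response_matches(query, response):
    """Accept a response only if QR is set and it echoes the query's ID and question."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["qr"] == 1 and rh["id"] == qh["id"] and rq == qq


def sample_mx_response(ident):
    """Constructed reply to 'au.lannion.alcatel.fr MX' using compression pointers."""
    question = encode_name("au.lannion.alcatel.fr.") + struct.pack("!HH", 15, 1)
    header = struct.pack("!HHHHHH", ident, 0x8580, 1, 1, 0, 1)    # QR AA RD RA
    ptr_qname = b"\xc0\x0c"                                        # -> offset 12, the question name
    mx_rdata = struct.pack("!H", 5) + b"\x06backup" + ptr_qname    # "backup" + pointer = backup.<qname>
    answer = ptr_qname + struct.pack("!HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    backup_off = 12 + len(question) + 2 + 10 + 2                   # offset of "\x06backup" above
    additional = (struct.pack("!H", 0xC000 | backup_off) + struct.pack("!HHIH", 1, 1, 3600, 4)
                  + bytes([192, 249, 249, 4]))
    return header + question + answer + additional
```

`response_matches` is the minimum a resolver must check before using an answer; a real resolver also randomises the source port and keeps additional records only when they are within the answering server's bailiwick.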


6 DNS messages: IP address request

Zone: au.lannion.alcatel.fr. (the parent zone built in section 5: SOA, NS ns, A records of ns, managt, backup, router (two addresses), rt249, rt253 and localhost, MX pointing to backup, NS oper -> trans.oper with its glue A 192.253.253.4)

Request:  Opcode: standard query; QTYPE: A
  Question:   router.au.lannion.alcatel.fr  A
  Answer:     (empty)
  Authority:  (empty)
  Additional: (empty)

Response: Opcode: standard query; Response; AA
  Question:   router.au.lannion.alcatel.fr  A
  Answer:     router.au.lannion.alcatel.fr  A  192.249.249.1  TTL=x
              router.au.lannion.alcatel.fr  A  192.253.253.1  TTL=x
  Authority:  (empty)
  Additional: (empty)

The AA (Authoritative Answer) bit is set to one in the response when the answering name server is authoritative for this zone. When the response is served from a name server cache, this bit is set to zero and the TTL is lower than the original TTL (it has been counted down while the record sat in the cache). The question section is copied into the question section of the response.


6 DNS messages: Mail exchanger request

Zone: au.lannion.alcatel.fr. (same zone as above)

Request:  Opcode: standard query; QTYPE: MX
  Question:   au.lannion.alcatel.fr  MX
  Answer:     (empty)
  Authority:  (empty)
  Additional: (empty)

Response: Opcode: standard query; Response; AA
  Question:   au.lannion.alcatel.fr  MX
  Answer:     au.lannion.alcatel.fr  MX  5 backup.au.lannion.alcatel.fr  TTL=x
  Authority:  (empty)
  Additional: backup.au.lannion.alcatel.fr  A  192.249.249.4  TTL=y

The answer section provides the MX RR; the additional section gives the IP address of the mail exchanger.


6 DNS messages: Request towards a non-authoritative server

Zone: au.lannion.alcatel.fr. (same zone as above; the requested name belongs to the delegated sub-zone oper)

Request:  Opcode: standard query; QTYPE: A
  Question:   switching.oper.au.lannion.alcatel.fr  A
  Answer:     (empty)
  Authority:  (empty)
  Additional: (empty)

Response: Opcode: standard query; Response (AA not set)
  Question:   switching.oper.au.lannion.alcatel.fr  A
  Answer:     (empty)
  Authority:  oper.au.lannion.alcatel.fr  NS  trans.oper.au.lannion.alcatel.fr.
  Additional: trans.oper.au.lannion.alcatel.fr  A  192.253.253.4

The answer section is empty because the name server is not authoritative for this domain name. The authority section provides the name server(s) having authority over this domain name and the additional section gives the IP address of this server (the glue record). Such a response is a referral: the caller has to continue the resolution itself with trans.oper, unless the server offers recursion (RA) and the caller asked for it (RD).


6 DNS messages: Erroneous request

Zone: au.lannion.alcatel.fr. (same zone as above)

Request:  Opcode: standard query; QTYPE: A
  Question:   dco.au.lannion.alcatel.fr  A
  Answer:     (empty)
  Authority:  (empty)
  Additional: (empty)

Response: Opcode: standard query; Response; AA; RCODE: 3 (Name Error)
  Question:   dco.au.lannion.alcatel.fr  A
  Answer:     (empty)
  Authority:  au.lannion.alcatel.fr  SOA  ...
  Additional: (empty)

Here the caller has made a mistake when typing the domain name (dco instead of doc). In the response, the AA flag is set because the name server has authority over this zone, and the response carries the error code 3, Name Error (also called NXDOMAIN). The server may add the SOA of the zone in the authority section: the caller can then contact the administrator of the zone, and a caching server uses the minimum field of this SOA as the TTL for the negative answer.

Error codes:
  0  No error condition
  1  Format error: the name server was unable to interpret the query.
  2  Server failure: the name server was unable to process this query due to a problem with the name server.
  3  Name Error: meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.
  4  Not Implemented: the name server does not support the requested kind of query.
  5  Refused: the name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or may not wish to perform a particular operation (e.g. a zone transfer) for particular data.


7 Secondary name server: Principle

Primary name server (ns, 192.249.249.3), zone au.lannion.alcatel.fr.:
  Name       Type  Value
  @          SOA   ns.au.lannion.alcatel.fr. ...
  @          NS    ns
  @          NS    trans.oper
  ns         A     192.249.249.3
  managt     A     192.249.249.2
  localhost  A     127.0.0.1
  ...

Secondary name server (trans.oper, 192.253.253.4), zone au.lannion.alcatel.fr.: an identical copy of the records above, obtained from the primary by zone transfer.

Networks of the figure: 192.249.249.0 with rt249 .1, managt .2, ns .3 and backup .4 (mail server); 192.253.253.0 with rt253 .1, doc .2 (www, ftp), switching .3 and trans .4; the Internet is reached through the routers.


7 Secondary name server: Updating

Sequence shown in the figure (primary server on the left, secondary server on the right; the SOA of the zone carries the primary name server, the address of the responsible person, the serial number and the refresh, retry, expire and TTL values):
  1. Both servers hold the zone with serial number = x; the refresh value is 3h.
  2. When its refresh timer expires, the secondary sends an SOA query to the primary.
  3. The primary answers with its SOA: serial number = x.
  4. Same serial number: no transfer; the secondary rearms its refresh timer (3h).
  5. A zone modification is made on the primary: its serial number becomes x + 1.
  6. At the next refresh, the secondary sends the SOA query again.
  7. SOA response: serial number = x + 1.
  8. The serial number is newer: the secondary sends a zone transfer request (over TCP).
  9. Zone transfer (TCP): the secondary now holds the zone with serial number x + 1.
 10. The refresh timer (3h) is rearmed.


7 Secondary name server: Timers

  SOA  ns.au.lannion.alcatel.fr.  e-mail  serial  Refresh (3h)  Retry (1h)  Expire (7d)     (these times are examples)

Timeline of the figure:
  - Every refresh time (3h) the secondary sends a zone transfer request (in practice an SOA query first, see the next pages) to the primary.
  - If the primary does not answer, the secondary retries every retry time (1h) instead of waiting for the next refresh.
  - If it has not managed to contact the primary for the expire time (7d, counted from the last successful check), the secondary deletes its copy of the zone (database delete) and stops answering for it.

For any zone it is necessary to have more than one name server, for the following reasons: to make the DNS service robust (no single point of failure) and to reduce the load. When you initially configure a domain, you should choose a primary name server and at least one secondary server. The secondary server should be geographically removed from your primary server; at the very least it should not be on the same network as your primary server. If it is important that the outside world can always reach you, then you should configure several secondary servers, to ensure that at least one of them will be able to supply information about your domain at all times. Because the secondary server is preloaded with the same zone data as the primary, it contains all the local data; therefore the load on your primary server is reduced. For a caller there is no difference between a primary and a secondary name server. The difference lies in where the zone data come from: a primary server gets its information (RR records) from an administrator, a secondary server gets it from a primary server by downloading it (zone transfer). On the secondary server we just have to create the zone as a secondary zone and give the address of the primary server. On the primary server, an NS record has to be added, as well as, possibly, an A record giving the IP address of this secondary server.


7 Secondary name server: Zone transfer (AXFR over TCP)

Exchange between the secondary (name server of the secondary zone) and the primary (name server of the primary zone), run every refresh time and after a reboot or restart of the secondary:
  1. Secondary -> Primary, UDP: standard query [Question: SOA of the zone]
  2. Primary -> Secondary, UDP: response [Answer: SOA with the current serial number]
  3. The secondary compares the primary's serial number with the serial number of its own copy.
  4. If the primary's serial number is newer (the comparison uses serial number arithmetic modulo 2^32, RFC 1982, so simply lowering the serial on the primary does not trigger a transfer), the secondary initiates a TCP session.
  5. The TCP session is opened between the secondary and the primary.
  6. Secondary -> Primary, TCP: standard query [Question: AXFR of the zone]
  7. Primary -> Secondary, TCP: zone transfer, the complete zone sent as a sequence of records that starts and ends with the SOA (it is a DNS exchange over TCP, not an FTP file transfer).
  8. When the transfer is complete, the TCP session is closed.

Anyone who can send an AXFR query to the primary obtains the whole zone, that is, the complete inventory of hosts and addresses. The primary should therefore accept zone transfer requests only from the addresses of its secondaries (allow-transfer in BIND), preferably authenticated with a TSIG key, and a secondary should accept zone data only from its configured primary.


7 Secondary name server: Notification

Exchange between the primary and the secondary of the zone:
  1. Modification of the zone on the primary (its serial number is incremented).
  2. Primary -> Secondary, UDP: query, Opcode zone change notification (NOTIFY) [Question: SOA of the zone, carrying the new serial number]
  3. Secondary -> Primary, UDP: notification response, then the SOA query of the refresh procedure
  4. Primary -> Secondary, UDP: response [Answer: SOA (serial number)]
  5-8. The secondary compares the serial numbers, opens a TCP session, requests AXFR, receives the zone transfer and closes the session, exactly as on the previous page.

The update of a secondary is made every refresh time, so the database of the secondary server can differ from the primary's for some time (up to the refresh time). In order to have an immediate update, a name server can implement zone change notification (DNS NOTIFY, RFC 1996): as soon as a modification is made on the primary, the primary informs its secondaries, which then run the SOA check and the zone transfer without waiting for the refresh timer. A NOTIFY is only a hint: the secondary still verifies the serial number by querying the primary itself, so a forged NOTIFY cannot inject data; at worst it triggers an unnecessary SOA query.
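The refresh/retry/expire timers, the serial number comparison and the NOTIFY shortcut described in the preceding pages, as an added Python example (not code from the course). `SecondaryZone`, `simulate` and the event log are this example's own; the clock, the edit on the primary and its outage are constructed so that the run can be checked without a real server.

```python
# Added example (not from the course): how a secondary decides to transfer a
# zone and when it expires it. Serial numbers are compared with RFC 1982
# arithmetic; the timers are the example values of the slides (3h / 1h / 7d).
# Times are seconds on a constructed clock; no real server is involved.

def serial_newer(primary: int, secondary: int) -> bool:
    """RFC 1982: 'primary > secondary' on a 32-bit counter that may wrap."""
    diff = (primary - secondary) % 2**32
    return 0 < diff < 2**31


class SecondaryZone:
    REFRESH, RETRY, EXPIRE = 3 * 3600, 1 * 3600, 7 * 86400

    def __init__(self, serial: int, now: int):
        self.serial = serial
        self.last_ok = now            # last successful SOA check with the primary
        self.next_check = now + self.REFRESH
        self.valid = True             # False once the copy has expired
        self.log = []                 # (time, event, serial) entries for inspection

    def primary_answered(self, now: int, primary_serial: int) -> None:
        """SOA query answered: transfer only if the primary's serial is newer."""
        self.last_ok = now
        self.next_check = now + self.REFRESH
        if serial_newer(primary_serial, self.serial):
            self.serial = primary_serial          # the AXFR/IXFR would happen here
            self.log.append((now, "axfr", primary_serial))
        else:
            self.log.append((now, "up-to-date", primary_serial))

    def primary_unreachable(self, now: int) -> None:
        """No answer: retry sooner; give the zone up after EXPIRE without contact."""
        if now - self.last_ok >= self.EXPIRE:
            self.valid = False                    # stop answering authoritatively
            self.log.append((now, "expired", self.serial))
            return
        self.next_check = now + self.RETRY
        self.log.append((now, "retry", self.serial))

    def notify(self, now: int) -> None:
        """DNS NOTIFY from the primary: only a hint, so it just advances the check."""
        self.next_check = now


def simulate(zone: SecondaryZone, primary_serial_at, reachable_until: int, end: int):
    """Drive the zone forward to 'end' seconds. The primary answers SOA queries
    until reachable_until; primary_serial_at(t) is its serial at time t."""
    while zone.valid and zone.next_check <= end:
        t = zone.next_check
        if t <= reachable_until:
            zone.primary_answered(t, primary_serial_at(t))
        else:
            zone.primary_unreachable(t)
    return zone.log


if __name__ == "__main__":
    z = SecondaryZone(serial=2001041804, now=0)
    # the primary is edited after 5h (serial 2001041805) and goes down after 8h
    for entry in simulate(z, lambda t: 2001041804 if t < 5 * 3600 else 2001041805,
                          reachable_until=8 * 3600, end=8 * 86400):
        print(entry)
```

The run shows the two things that surprise operators: a serial that was lowered by hand is treated as old (no transfer), and a secondary keeps serving a stale zone for the whole expire time before it finally drops it.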


8 DNS in Linux: Linux BIND files

  /etc/rc.d/init.d/named   script controlling the name server daemon (named). Commands: /etc/rc.d/init.d/named start | stop | restart
  /etc/named.conf          main configuration file: options and the list of zones served
  /var/named/              directory of the zone files: root.cache, 127.0.0, 10.1.1, mnc022.mcc208.gprs, ra0001.la0002.mnc0022.mcc0208.gprs

/etc/named.conf:

  options {
      directory "/var/named";
  };
  zone "." {
      type hint;
      file "root.cache";
  };
  zone "mnc022.mcc208.gprs" {
      type master;
      file "mnc022.mcc208.gprs";
  };
  zone "ra0001.la0002.mnc022.mcc208.gprs" {
      type master;
      file "ra0001.la0002.mnc0022.mcc0208.gprs";
  };
  zone "1.1.10.IN-ADDR.ARPA" {
      type master;
      file "10.1.1";
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "127.0.0";
  };

As written, this configuration answers any query and any zone transfer request from any client. On a production server the options block should also restrict who may obtain copies of the zones (allow-transfer) and who may use the server as a recursive resolver (allow-recursion, allow-query).


8 DNS in Linux: File root.cache

/var/named/root.cache (root hints: the names and addresses of the root name servers, as published at the time of the course)

  .                      3600000  IN  NS  A.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET.    3600000      A   198.41.0.4
  ;
  ; formerly NS1.ISI.EDU
  ;
  .                      3600000      NS  B.ROOT-SERVERS.NET.
  B.ROOT-SERVERS.NET.    3600000      A   128.9.0.107
  ;
  ; formerly C.PSI.NET
  ;
  .                      3600000      NS  C.ROOT-SERVERS.NET.
  C.ROOT-SERVERS.NET.    3600000      A   192.33.4.12
  ;
  ; formerly TERP.UMD.EDU
  ;
  .                      3600000      NS  D.ROOT-SERVERS.NET.
  D.ROOT-SERVERS.NET.    3600000      A   128.8.10.90
  ;
  ; formerly NS.NASA.GOV
  ;
  .                      3600000      NS  E.ROOT-SERVERS.NET.
  E.ROOT-SERVERS.NET.    3600000      A   192.203.230.10
  ;
  ; formerly NS.ISC.ORG
  ;
  .                      3600000      NS  F.ROOT-SERVERS.NET.
  F.ROOT-SERVERS.NET.    3600000      A   192.5.5.241
  ;
  ; formerly NS.NIC.DDN.MIL
  ;
  .                      3600000      NS  G.ROOT-SERVERS.NET.
  G.ROOT-SERVERS.NET.    3600000      A   192.112.36.4
  ;
  ; formerly AOS.ARL.ARMY.MIL
  ;
  .                      3600000      NS  H.ROOT-SERVERS.NET.
  H.ROOT-SERVERS.NET.    3600000      A   128.63.2.53
  ;
  ; formerly NIC.NORDU.NET
  ;
  .                      3600000      NS  I.ROOT-SERVERS.NET.
  I.ROOT-SERVERS.NET.    3600000      A   192.36.148.17

The hints file only bootstraps resolution: at start-up the server asks one of these addresses for the current list of root servers. Root server addresses change over time, and the full set has thirteen servers (A to M), so this file must be refreshed from the copy published by the InterNIC/IANA (named.root) rather than edited by hand.


8 DNS in Linux: File mnc022.mcc111.gprs

/var/named/mnc022.mcc111.gprs (the named.conf of the previous page lists this zone as mnc022.mcc208.gprs; the file shown on the slide uses mcc111)

  $TTL 43200
  @         IN  SOA    dnsFTM.mnc022.mcc111.gprs. hostmaster.dnsFTM.mnc022.mcc11 (
                       2001041804  ; serial
                       3600        ; refresh
                       900         ; retry
                       1209600     ; expire
                       43200 )     ; default_ttl
  ggsn      IN  A      10.1.1.101
  Alcatel1  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  Alcatel2  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  Alcatel3  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  Alcatel4  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  Alcatel5  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  internet  IN  CNAME  ggsn.mnc022.mcc111.gprs.
  sgsn      IN  A      10.1.1.1
  @         IN  MX     5 dnsFTM
  @         IN  NS     dnsFTM.mnc022.mcc111.gprs.
  dnsFTM    IN  A      10.1.1.210

The responsible-person field of the SOA is cut off at the margin of the original slide. The serial number follows the YYYYMMDDnn convention (18 April 2001, revision 04), which must be increased at every edit for the secondaries to notice the change. The last SOA value is labelled default_ttl on the slide; in modern BIND the default TTL comes from the $TTL directive and this field is the negative-caching TTL.


8 DNS in Linux: File named.local

/var/named/127.0.0 (the loopback reverse zone, traditionally named named.local)

  @   IN  SOA  localhost. root.localhost. (
               1997022700  ; Serial
               28800       ; Refresh
               14400       ; Retry
               3600000     ; Expire
               86400 )     ; Minimum
      IN  NS   localhost.
  1   IN  PTR  localhost.


8 DNS in Linux: File 10.1.1

/var/named/10.1.1 (reverse zone 1.1.10.in-addr.arpa for the network 10.1.1.0)

  $TTL 43200
  @     IN  SOA  dnsFTM.mnc022.mcc111.gprs. hostmaster.dnsFTM.mnc022.mcc11 (
                 2001041804  ; serial
                 3600        ; refresh
                 900         ; retry
                 1209600     ; expire
                 43200 )     ; default_ttl
  101   IN  PTR  ggsn.mnc022.mcc111.gprs.
  210   IN  PTR  dnsFTM.mnc022.mcc111.gprs.

The slide shows no NS record for this zone; as for any zone, one is required at the apex (here it would name dnsFTM.mnc022.mcc111.gprs.) for the zone to load and be delegated correctly. The PTR owner names are relative to the zone origin, so 101 stands for 101.1.1.10.in-addr.arpa., that is, the address 10.1.1.101.
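A parser for the master-file syntax used by the zone files above ($TTL, @, relative names, parenthesised SOA, ';' comments), followed by the checks an operator runs before loading a zone, including the glue check for the sub-zone delegation of section 5. This is an added Python example, not code from the course or from BIND; `parse_zone`, `lint_zone` and the two sample zone texts are this example's own, the texts being constructed from the course's au.lannion.alcatel.fr. example (the second one with two mistakes introduced on purpose).

```python
# Added example (not from the course): a small parser for the master-file
# syntax of the zone files above and the sanity checks an operator runs
# before loading a zone. The zone texts are constructed from the course's
# au.lannion.alcatel.fr. example; BAD_ZONE carries two deliberate mistakes.

NAME_TYPES = {"NS", "CNAME", "PTR", "MX", "SOA"}   # types whose RDATA holds names


def _logical_lines(text):
    """Strip ';' comments and join records continued across ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).rstrip()
            buf, depth = [], 0
            if joined.strip():
                out.append(joined)
    return out


def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, ttl, type, rdata_fields) with all names absolute."""
    default_ttl, last_owner, records = None, origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # a line starting with blanks reuses the previous owner name
        owner = last_owner if line[0].isspace() else fqdn(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in NAME_TYPES:
            tokens = [t if t.isdigit() else fqdn(t, origin) for t in tokens]
        records.append((owner, ttl, rtype, tokens))
    return records


def lint_zone(records, origin):
    """Return a list of problems; an empty list means the zone passed."""
    problems, by_owner = [], {}
    for owner, _, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))

    def types_of(name):
        return {t for t, _ in by_owner.get(name, [])}

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    if sum(1 for t, _ in by_owner.get(origin, []) if t == "SOA") != 1:
        problems.append("the zone must have exactly one SOA record at the apex")
    if "NS" not in types_of(origin):
        problems.append("the zone has no NS record at the apex")
    for owner, rrs in by_owner.items():
        if "CNAME" in types_of(owner) and len(rrs) > 1:
            problems.append(f"{owner}: a CNAME cannot coexist with other records")
    for owner, _, rtype, rdata in records:
        if rtype == "SOA" and not 0 < int(rdata[2]) < 2**32:
            problems.append(f"{owner}: SOA serial {rdata[2]} is not a 32-bit number")
        if rtype == "NS" and in_zone(rdata[0]) and "A" not in types_of(rdata[0]):
            problems.append(f"{owner}: NS {rdata[0]} is inside this zone but has no A (glue) record")
        if rtype == "MX" and "CNAME" in types_of(rdata[1]):
            problems.append(f"{owner}: MX target {rdata[1]} is an alias (CNAME), which mail servers reject")
    return problems


GOOD_ZONE = """\
$TTL 43200
@   IN  SOA  ns.au.lannion.alcatel.fr. hostmaster.au.lannion.alcatel.fr. (
             2001041804 ; serial
             10800      ; refresh (3h)
             3600       ; retry (1h)
             604800     ; expire (7d)
             43200 )    ; negative caching TTL
    IN  NS   ns
    IN  MX   10 backup
ns          IN  A  192.249.249.3
managt      IN  A  192.249.249.2
backup      IN  A  192.249.249.4
router      IN  A  192.249.249.1
router      IN  A  192.253.253.1
localhost   IN  A  127.0.0.1
oper        IN  NS trans.oper          ; delegation of the sub-zone
trans.oper  IN  A  192.253.253.4       ; glue record
"""

# Same zone with the glue record dropped and the MX pointing at an alias.
BAD_ZONE = "\n".join(
    l for l in GOOD_ZONE.splitlines() if not l.startswith("trans.oper")
).replace("MX   10 backup", "MX   10 mail") + "\nmail  IN  CNAME  backup\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, lint_zone(parse_zone(text, "au.lannion.alcatel.fr."), "au.lannion.alcatel.fr.") or "ok")
```

The checks are the ones that produce silent failures in practice: a delegation without glue makes the sub-zone unreachable for resolvers, and an MX that is a CNAME is rejected by many mail servers even though the zone loads without complaint.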


8 DNS in Linux: Resolver configuration for a Linux client

/etc/resolv.conf directives:

  domain      domain-name
      Default domain of this machine: requests for names not ended by "." are completed with this domain name.
  search      default-domain another-domain another-domain
      Like domain, but the completion is tried with each domain in the order of this list (domain and search are mutually exclusive; the last one written wins).
  nameserver  IP-address-of-DNS-server
      Name server to be queried. Several nameserver directives can be defined; the resolver uses at most three, in the order given.


DNS server configuration: Evaluation

Objective: to be able to configure a name server.

Thank you for answering the self-assessment of the objectives sheet.
