Planet Technology ERT-805 User Manual

Serial WAN Router
ERT-805
User’s Manual
Copyright PLANET Technology Corp. 2004. Contents subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this Users Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.
Information in this Users Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this Users Manual. PLANET makes no commitment to update or keep current the information in this Users Manual, and reserves the right to make improvements to this Users Manual and/or to the products described in this Users Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
FCC Warning
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
CE Mark Warning
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Revision
PLANET Enterprise Serial Router User's Manual FOR MODELS: ERT-805 Part No.: EM-ERT805
TABLE OF CONTENTS
Chapter 1 Introduction............................................................................................................1
1.1 CHECKLIST.........................................................................................................................1
1.2 ABOUT ERT-805................................................................................................................1
1.3 PRODUCT FEATURE............................................................................................................2
1.4 PRODUCT SPECIFICATION...................................................................................................2
Chapter 2 HARDWARE INSTALLATION.................................................................................4
2.1 PACKAGE CONTENTS..........................................................................................................4
2.2 ERT-805 OUTLOOK............................................................................................................4
2.3 INSTALLATION REQUIREMENTS & PHYSICAL INSTALLATION....................................................6
2.3.1 Device placement......................................................................................................6
2.3.2 Connect to a Ethernet device....................................................................................6
2.3.3 Connect to a Serial Device........................................................................................6
2.3.4 Power on the device..................................................................................................7
Chapter 3 Command Line Interface.......................................................................................8
3.1 HELP COMMAND .................................................................................................................8
3.2 REDISPLAY PREVIOUS COMMAND ........................................................................................9
3.3 VERIFY CURRENT CONFIGURATION......................................................................................9
3.4 CTRL-Z, CTRL-C AND EXIT................................................................................................10
3.5 LOGIN FROM CONSOLE PORT ............................................................................................10
3.6 VIRTUAL TERMINAL ACCESS..............................................................................................10
3.7 PASSWORD ENCRYPTION..................................................................................................12
Chapter 4 Router Communication Protocol........................................................................14
4.1 RIP- ROUTER INFORMATION PROTOCOL............................................................................14
4.1.1 Routing loops...........................................................................................................14
4.1.1.5 RIP Command......................................................................................................15
4.2 EIGRP – ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL.........................................17
4.2.1 EIRGP Command....................................................................................................17
4.3 OSPF- OPEN SHORTEST PATH FIRST...............................................................................19
4.3.1 OSPF Command.....................................................................................................20
4.4 PPP................................................................................................................................22
4.5 HDLC PROTOCOL............................................................................................................28
4.6 SNA................................................................................................................................30
4.6.1 Introduction..............................................................................................................30
4.7 X.25 PROTOCOL ..............................................................................................................33
4.8 FRAME RELAY PROTOCOL.................................................................................................37
Chapter 5 Security.................................................................................................................41
5.1 ACCESS-LIST....................................................................................................................41
5.2 NAT – NETWORK ADDRESS TRANSLATION ........................................................................44
5.3 VPN - IPSEC...................................................................................................................47
5.4 FIREWALL- CONTEXT-BASED ACCESS CONTROL (CBAC)...................................................63
5.5 RADIUS SECURITY (AAA)..................................................................................................68
Chapter 6 QOS.......................................................................................................................74
6.1 CAR – COMMITTED ACCESS RATE....................................................................................74
6.2 POLICY-BASED ROUTING...................................................................................................77
6.3 CLASS-MAP AND POLICY-MAP ............................................................................................78
6.4 QUEUE.............................................................................................................................82
6.4.1 FIFO- First IN First Out............................................................................................83
6.4.2 WFQ – Weighted Fair Queuing...............................................................................83
6.4.3 Priority Queuing.......................................................................................................84
6.4.4 Custom Queuing......................................................................................................87
Appendix A Upgrade firmware..............................................................................................92
Appendix B Router Dialing...................................................................................................94
Appendix C Cables / Pin-assignment for ERT-805.............................................................96
C.1 V.35 DTE – CB-ERTV35-MT.........................................................................................96
C.2 V.35 DCE – CB-ERTV35-FC.........................................................................................96
C.3 V.24 DTE – CB-ERT232-MT.........................................................................................97
C.4 V.24 DCE – CB-ERT232-FC.........................................................................................98
C.5 X.21 DTE – CB-ERTX21-MT.........................................................................................98
C.6 X.21 DCE – CB-ERTX21-FC.........................................................................................99
C.7 RJ-45 CONSOLE CABLE.................................................................................................100
C.8 DB9 TO RJ45................................................................................................................100

Chapter 1 Introduction

1.1 Checklist

Thank you for purchasing PLANET's ERT-805 Enterprise Serial Router. Before continuing, please check the contents of your package for the following parts:
Ø ERT-805 Serial WAN Router
Ø Power Cord
Ø DB9 adapter
Ø RJ-45 to RJ-45 modem cable
Ø User's Manual CD
Ø Quick Installation Guide
If any of these items are missing or damaged, please contact your dealer immediately.

1.2 About ERT-805

The ERT-805 provides a single WAN port (a T1/E1 serial interface), a single LAN port and a single console (async) port.
With its IPSec/VPN capability, the ERT-805 is not only a standard router but also a router with enhanced security features. The ERT-805 supports MD5-HMAC/SHA1-HMAC and certificate authentication, and DES-CBC and 3DES-CBC encryption.
The other capabilities the ERT-805 provides are NAT, access lists, AAA security, the CBAC firewall and QoS. With these functions the ERT-805 is an efficient and secure network device.
User interface
The ERT-805 can only be configured through the command line interface (CLI).
Protocol and routing
Ø The ERT-805 supports the following WAN protocols on its WAN port: PPP, HDLC, SDLC, frame-relay, LAPB and X.25.
Ø Supports static and dynamic routing: static routes, RIP, EIGRP and OSPF
Network Management
Ø Connect a PC to the ERT-805 through the network and run Telnet to manage it through the command line interface
Ø The ERT-805 supports SNMP and can be managed using SNMP management software

1.3 Product Feature

Ø Supports PPP, FR, X.25, HDLC, LAPB, SDLC, SLIP and STUN
Ø Complies with the IEEE 802.3 10Base-T and IEEE 802.3u 100Base-TX standards
Ø One serial WAN port, one RJ-45 10/100Mbps LAN port and one console port
Ø Provides RIP, EIGRP, OSPF and static routing
Ø Provides access lists, AAA, RADIUS, PAP, CHAP and CBAC for network security
Ø Network Address Translation (NAT) for simultaneous use of one IP address
Ø Provides IPSec (DES/3DES), IKE and GRE for VPN
Ø DHCP server with dynamic IP assignment for the LAN port
Ø Provides QoS to increase network efficiency
Ø Provides WFQ, priority queuing and custom queuing to increase network performance

1.4 Product Specification

Model: ERT-805
Device Specification
LAN: 1 x 10/100Base-TX (RJ-45)
WAN: 1 x Serial Port (DB-25)
Console: 1 x RJ-45
LED: 5; Power, LAN Speed, LAN Link/Activity, WAN and Console Link/Activity
Network standard: IEEE 802.3 10Base-T, IEEE 802.3u 100Base-TX
Router OS Operation
Communication: PPP, frame-relay, X.25, PPPoE, HDLC, SDLC, SLIP and LAPB
Security: ACL, NAT, AAA RADIUS, PAP, CHAP and CBAC
Route protocol: RIP V1 and V2, CDP, OSPF, EIGRP and Static
VPN: IPSec and IKE, GRE
Queue/QoS: WFQ, CQ, priority queuing and rate-limit; class-map and policy-map
Application: DHCP server, PING, Trace Route, telnet, TFTP
Management: Telnet, Console
Throughput: 2Mbps
Environment / Hardware Specification
Power Input: 100 ~ 240V AC (+/-10%); 50/60Hz (+/-3%) auto-sensing
Power Consumption: 10 watts / 34 BTU
Dimensions: 217 x 135 x 43 mm (1U height)
Weight: 1 Kg
Temperature: 0 to 50 degree C (operating); -20 to 70 degree C (storage)
Humidity: 10 ~ 90% RH (non-condensing)
Regulatory: FCC, CE class A

Chapter 2 HARDWARE INSTALLATION

2.1 Package Contents

Items included with the ERT-805 serial router:
Ø ERT-805 Serial WAN Router
Ø Power Cord
Ø DB9 to RJ-45 adapter
Ø Console cable
Ø Quick Installation Guide and CD-ROM

2.2 ERT-805 outlook

[Figure: package contents: black power cord; CD-ROM with User's Guide and Quick Install Guide; light blue console cable; DB-9-to-RJ-45 adapter (for use with the light blue console cable)]
2.2.1 Front Panel
[Figure: front panel of the Enterprise WAN Router ERT-805, with LEDs labelled PWR, LAN 100, LAN LNK/ACT, SYNC and ASYNC]
LED definition
LEDs               State        Indication
PWR (Power)        Green        Power on, with 100~240VAC power attached
                   Lights Off   No power
LAN 100            Green        Lights for a Fast Ethernet connection
LAN LNK/ACT        Green        Lights green when the port is connected
                   Green blink  Blinks when packets are transmitted
Serial LNK/ACT     Green        Lights green when the port is connected
                   Green blink  Blinks when packets are transmitted
Console LNK/ACT    Green blink  Configuration in process
                   Lights Off   Not in configuration
Rear Panel
[Figure: rear panel, with the Console (Async.) RJ-45 port, the Serial (Sync.) DB-25 port, the Fast Ethernet LAN RJ-45 port and the 100~240V AC, 50/60Hz power socket]
Ports              Type        Description
Console (Async.)   RJ-45       Asynchronous port of the ERT-805. Allows connection to a terminal device or PC for management or asynchronous dialing.
Serial (Sync.)     DB-25       Synchronous port of the ERT-805. Allows connection to a synchronous/asynchronous device such as a CSU/DSU modem.
Fast Ethernet LAN  RJ-45       Fast Ethernet interface of the ERT-805. Allows connection to an Ethernet hub/switch through Category 3 or above UTP cable.
Power socket       100~240VAC  The power socket of the ERT-805. The allowed power input ranges from 100VAC to 240VAC (+/-10%), 50/60Hz (+/-3%), auto-sensing.
Warning!
The two RJ-45 ports of the ERT-805 are not telephone ports. Connecting a telephone wire or PSTN line to these ports may cause the router to malfunction permanently.
The serial cable is not bundled with the router; please consult your local dealer for the serial cable available for your CSU/DSU modem.

2.3 Installation requirements & Physical Installation

To install the ERT-805 serial router, the following is required:
Ø An Ethernet device, hub or switch with a free MDI-X RJ-45 interface
Ø One Category 3, 4 or 5, EIA568A straight UTP cable of at most 100 meters
Ø The asynchronous modem or CSU/DSU (Channel Service Unit/Data Service Unit) that is planned to connect to the router
Ø A serial cable used to connect the router and the CSU/DSU
Ø Rack mount accessories, such as rack ears, screws and a screwdriver
Ø A standalone PC or terminal device with a free COM interface
The serial cable and rack ears do not ship with the router; please consult your local dealer for information.
To install the ERT-805 serial router, follow these steps:
Ø Device placement
Ø Connect an Ethernet device
Ø Connect a serial device
Ø Connect the power supply
Ø Connect a terminal or PC for management

2.3.1 Device placement

The ERT-805 is a 1U-height, 10-inch rack-mountable device that fits a 10-inch or 19-inch cabinet. Please consult your local dealer for the available rack ears if you would like to install the router in a 10-inch/19-inch shelf. You can also place the ERT-805 on a desktop; please install the router in a clean, dry environment. Avoid installing the router in a place with moisture or water around or nearby.

2.3.2 Connect to a Ethernet device

The ERT-805 has one Fast Ethernet MDI (Medium Dependent Interface) port. This RJ-45 interface can connect directly to any Ethernet or Fast Ethernet hub or switch with an MDI-X port through Category 3 or above, 2-pair straight UTP cable. The maximum cable length should be below 100 meters.
To connect to an Ethernet device with an MDI interface, a cross-over cable is required.

2.3.3 Connect to a Serial Device

The ERT-805 has one synchronous interface that can connect to a CSU/DSU at up to E1 line rate.
The available connections are listed in the table below:
WAN Option: RS-232, X.21, V.24, V.35
WAN Encapsulation: High-level Data Link Control (HDLC) or PPP, Frame-relay, X.25

2.3.4 Power on the device

The ERT-805 accepts power input from a 100 to 240VAC, 50/60Hz power source. Before connecting the power cable to the router, please make sure of the AC power output of your power outlet. The router must be connected to earth ground during normal use.
The ERT-805 is a powered device, meaning it will not work until it is powered. If your network and the router need to transmit data all the time, please consider using a UPS (Uninterruptible Power Supply) for your router and the connected Ethernet devices. It will prevent network data loss. In some areas, installing a surge suppression device may also help protect your router from being damaged by an unregulated surge or current to the router or the power adapter.

Chapter 3 Command Line Interface

This chapter describes the basic commands for accessing the router through the console interface or Telnet. Note that if you want to log in to the ERT-805 through Telnet, an enable password must be configured first.
The user enters system commands that configure the system protocols through the command line port. When you first log in to a new router from a terminal, the system gives the prompt router>. You are now in user mode. After typing the command enable, the prompt changes to router#, and you are in privileged mode, so you can enter more commands, including privileged commands. To enter global configuration mode, type the command configure terminal or config t. The prompt then changes to router(config)#, and you can enter global configuration commands that configure the parameters of the router. If you type the command interface serial 0/0 or int s0/0, you will notice that the prompt changes to router(config-serial0/0)#, and you are in port configuration mode.
Table of configuration modes:
Prompt                      Mode
Router>                     Normal user mode
Router#                     Enable mode for privileged operation
Router(config)#             Configuration mode
Router(config-serial0/0)#   Configuration mode of the object under control
In different configuration modes the system gives different prompts, and every configuration mode has its own set of commands. From the prompt you can tell which configuration mode you are in. The leftmost word of the prompt is the name of the router, which tells you which router you are configuring. You can set the hostname of the router with the hostname command as below:
router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# hostname ERT_805
ERT_805(config)# exit
ERT_805#

3.1 Help command

? and Tab are two help keys that help the user configure the ERT-805. By pressing the ? key in a given operating mode, the system displays a help message telling the user which commands are available in that mode. For example:
ERT_805> ?
  disable     Turn off privileged commands, enter GUEST user mode
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  logout      Exit from the EXEC
  pad         Open a X.29 PAD connection
  ping        Send echo messages
  ppp         Start IETF Point-to-Point Protocol (PPP)
  schedule    Schedule one task
  show        Show running system information
  telnet      Open a telnet connection
  traceroute  Trace route to destination
  tty         Print current tty information
ERT_805>
Tab is another help key: when the user is typing a word and the system can identify the word from the letters typed so far, pressing the Tab key makes the system complete the word automatically.

3.2 Redisplay Previous command

The system saves the commands you have entered in a history table, so that you can enter a command again from it. Simply press the up-arrow and down-arrow keys, or Ctrl+P and Ctrl+N.
You can view the commands in the history table with the command show history.

3.3 Verify Current Configuration

The system offers two special hotkeys, Ctrl-Q and Ctrl-O, with which you can verify your configuration at any time. In privileged mode, global configuration mode or port configuration mode, pressing Ctrl-Q makes the system display the current configuration immediately, as if you had entered show run. This means you need not go back to privileged mode to verify your configuration. The hotkey Ctrl-O is available only in port configuration mode. At any point, even while typing a command, if you press Ctrl-O the system shows you the configuration of the current port, and you can then continue with your command. This hotkey avoids having to quit and re-enter port configuration mode again and again whenever you need to verify the configuration. When configuring a routing protocol you can use the hotkey Ctrl-O as well.
ERT_805(config-serial0/0)#
% CONFIGURATION OF CURRENT OPERATING OBJECT
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 crypto map dynmap
 clockrate 48000
!
ERT_805(config-serial0/0)#

3.4 Ctrl-Z, Ctrl-C and exit

To exit from configuration mode directly to privileged mode, type Ctrl-Z or Ctrl-C, or type exit. Ctrl-C is also available on other occasions; for example, it can stop the current operation before it has completed.

3.5 Login from Console port

Once the terminal has been connected to the device, power on the device; the terminal will display that it is running POST (power-on self-test) procedures.
Then the screen below will show up. The ERT-805 will prompt with >. This means the ERT-805 is now in operating mode.
Type enable to enter privileged mode. The ERT-805 will prompt with # in privileged mode. By default there is no password.
Router Software Version 4.2c on Hex_1f73 (3805a)
User Access Verification
Password:
ERT_805> enable
Password:
ERT_805#

3.6 Virtual Terminal Access

The router allows access from the network by Telnet, so you can configure and maintain the router over the network. Please note that if the router has no password set for entering privileged mode, the router will forbid network users from entering privileged mode.
ERT805> enable
% Password is not set, you are not allowed to enter privileged mode.
Before logging in to the ERT-805 by Telnet you must set the password with the command enable password in global configuration mode. After that the router will allow you to enter privileged mode by Telnet. If configured as below, the system will only ask for a password when anyone connects. For example, set the password to 1234.
ERT805> enable
ERT805# config t
ERT805(config)# enable password 1234
ERT805(config)# line vty 0 4
ERT805(config-line)# login
ERT805(config-line)# password cisco
ERT805(config-line)# exit
ERT805(config)# exit
ERT805#
The password is set by the command password under the vty line and is independent of anything configured with the username command. The following example shows the result of the configuration above.
Router Software Version 4.2c on Hex_1f73 (3805a)
User Access Verification
Password:
ERT_805> enable
Password:
ERT_805#
The other method is to force the network user to verify his username and password. For example:
ERT805# config t
Enter configuration commands, one per line. End with CNTL/Z.
ERT805(config)# username rr password cisco
ERT805(config)# line vty 0 5
ERT805(config-line)# login local
ERT805(config-line)# exit
ERT805(config)# exit
ERT805#
The following example shows the result of the configuration above:
Router Software Version 4.2c on Hex_1f73 (3805a)
User Access Verification
Username: rr
Password: (type the password cisco)
ERT805>

3.7 Password Encryption

Security is a most important issue for every company, because every system requires passwords, such as usernames and the enable password, to protect important information from hackers. By default the system displays these passwords in clear text, so they are not very secure. The ERT-805 offers a command that makes the system display the passwords in encrypted form. For example:
ERT_805# show run
Building configuration ...
description fault
service password-encryption
service timestamps debug
!
hostname ERT_805
!
enable password 7 3EDRIxtqRWCA
!
username router password 7 65WeJR6evnrR3mP
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
!
crypto map dynmap 1 ipsec-isakmp
 set transform-set transform-1
 set peer 10.0.0.2
 match address 100
!
crypto isakmp policy 1
 authentication pre-share
 group 1
 hash md5
!
crypto isakmp key 12345678 address 10.0.0.2 255.255.255.192
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 crypto map dynmap
 clockrate 48000
!
interface async 0/0
!
line vty 0 5
 login
 password 7 wAVcXxom8sGSOA
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.98.0 0.0.0.255
!
end
ERT_805#
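Sections 3.6 and 3.7 describe the access controls the ERT-805 offers (an enable password before Telnet works, a vty line password or login local with username accounts, and service password-encryption), and the listing above also shows that the crypto isakmp key is still printed in clear text even when password encryption is on. The following Python script is an added example, not part of the PLANET manual or of the router's software: it audits a saved show run listing for exactly these points. The two sample configurations are constructed from the listings in sections 3.6 and 3.7; the Finding class, the severity labels and the audit_config function are this example's own names.

```python
"""Audit a router running-config for exposed secrets and weak login settings.

Added example for this manual; it is not a PLANET tool.  The sample
configurations are constructed from the show run listings in sections 3.6
and 3.7, and the checks follow the manual's own guidance: set an enable
password before using Telnet, turn on service password-encryption, and
prefer "login local" with username accounts over a shared vty password.
"""
from dataclasses import dataclass

# Constructed sample: the encrypted listing from section 3.7, trimmed.
SAMPLE_CONFIG = """\
service password-encryption
service timestamps debug
!
hostname ERT_805
!
enable password 7 3EDRIxtqRWCA
!
username router password 7 65WeJR6evnrR3mP
crypto isakmp policy 1
 authentication pre-share
 group 1
 hash md5
!
crypto isakmp key 12345678 address 10.0.0.2 255.255.255.192
!
line vty 0 5
 login
 password 7 wAVcXxom8sGSOA
!
end
"""

# Constructed sample: the clear-text setup from section 3.6, before encryption.
WEAK_CONFIG = """\
hostname ERT805
!
enable password 1234
!
line vty 0 4
 login
 password cisco
!
end
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    line_no: int    # 1-based line in the config text, 0 for whole-config findings
    message: str


def audit_config(text: str) -> list:
    """Scan a show run listing and return the weak spots it reveals."""
    lines = text.splitlines()
    stripped = [l.strip() for l in lines]
    findings = []

    if "service password-encryption" not in stripped:
        findings.append(Finding("high", 0,
            "service password-encryption is off: passwords are shown in clear text"))
    if not any(s.startswith("enable password") for s in stripped):
        findings.append(Finding("medium", 0,
            "no enable password: Telnet users cannot enter privileged mode"))

    section = ""     # most recent unindented command, e.g. "line vty 0 5"
    vty_login = {}   # vty section -> login form used inside it
    for no, (raw, line) in enumerate(zip(lines, stripped), 1):
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = line
        tokens = line.split()

        # Encrypted passwords appear as "password 7 <blob>"; anything else is clear text.
        if tokens[0] in ("enable", "username") and "password" in tokens:
            i = tokens.index("password")
            if tokens[i + 1:i + 2] != ["7"]:
                findings.append(Finding("high", no, "clear-text password: " + line))
        elif tokens[0] == "password" and section.startswith("line"):
            if tokens[1:2] != ["7"]:
                findings.append(Finding("high", no,
                    "clear-text line password under '%s'" % section))

        # The IKE pre-shared key stays readable even with password-encryption on.
        if line.startswith("crypto isakmp key"):
            findings.append(Finding("high", no,
                "IKE pre-shared key is readable in the config; protect config backups"))

        if section.startswith("line vty") and tokens[0] == "login":
            vty_login[section] = line

        # Weak IKE policy parameters (MD5 hash, 768-bit DH group 1).
        if section.startswith("crypto isakmp policy"):
            if line == "hash md5":
                findings.append(Finding("low", no, "IKE policy uses MD5; prefer SHA-1"))
            if line == "group 1":
                findings.append(Finding("low", no,
                    "IKE policy uses DH group 1; prefer a larger group if supported"))

    for sec, form in vty_login.items():
        if form == "login":
            findings.append(Finding("medium", 0,
                "'%s' uses a shared line password (login); prefer login local with username accounts" % sec))
    return findings


if __name__ == "__main__":
    for name, cfg in (("encrypted config", SAMPLE_CONFIG), ("clear-text config", WEAK_CONFIG)):
        print("==", name)
        for f in audit_config(cfg):
            print("%-6s line %2d  %s" % (f.severity, f.line_no, f.message))
```

Run against the section 3.7 listing the script reports nothing about the enable, username and vty passwords (they carry the 7 marker) but still flags the readable pre-shared key and the shared vty password; run against the section 3.6 setup it flags the missing service password-encryption and both clear-text passwords. The point for a practitioner is that a saved show run remains a sensitive file even after password encryption is turned on.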
Chapter 4 Router Communication Protocol

4.1 RIP – Routing Information Protocol

The Routing Information Protocol (RIP) is a distance-vector protocol used to exchange routing information between routers. RIP uses broadcast User Datagram Protocol (UDP) packets to exchange routing information and is based on the distance-vector algorithm. This routing protocol determines the best path through an internetwork by looking at the number of hops between the two end nodes. The maximum hop count for RIP is 15 hops.

4.1.1 Routing loops

There is a problem with distance-vector routing protocols: a router cannot know the whole state of the network. Routers have to learn network reachability from neighboring routers, and RIP also suffers from slow convergence, which can introduce inconsistencies. RIP uses the following methods to reduce the chance of routing loops: split horizon, split horizon with poison reverse, the holddown timer and triggered updates.
4.1.1.1 Split Horizon
Split horizon is a technique for preventing reverse routes between two routers. The rule of split horizon is that a router never advertises the cost of a destination to a neighbor if that neighbor is the current next hop for the destination.
4.1.1.2 Split Horizon with Poison Reverse
The rule for split horizon with poison reverse is: when sending updates out a particular interface, mark any networks that were learned from updates received on that interface as unreachable. This means that when an interface is up, the router records which interface a route came from and does not send the route back out that interface as a reachable route.
4.1.1.3 Holddown timer
The holddown timer prevents a router from accepting new routing information for a route that was just removed from the routing table. The default holddown timer is 180 seconds.
4.1.1.4 Triggered update
Split horizon with poison reverse will break any loop between two routers. However, loops of three or more routers can still occur. Such a loop breaks only when infinity (represented as 16) is reached. Triggered updates are an attempt to speed up this convergence. Whenever a router changes the metric of a route, it is required to send update messages almost immediately.
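To see what the split horizon and poison reverse rules of 4.1.1.1 and 4.1.1.2 actually buy, the following Python simulation is an added example, not taken from the PLANET manual: three routers A, B and C in a chain, with a network N attached to A. After A loses N, the simulation counts how many update rounds pass before every router agrees that N is unreachable, once with no loop avoidance, once with split horizon and once with poison reverse. Router, link, run_rounds and simulate are this example's own names; the update rule is the plain distance-vector (Bellman-Ford) rule, and 16 is RIP's infinity as the text states.

```python
"""Distance-vector loop avoidance: no protection, split horizon, poison reverse.

Added example; not from the PLANET manual.  Three routers A - B - C in a
chain, network N attached to A.  After A loses N we count the synchronous
update rounds until every router agrees that N is unreachable (metric 16).
"""

INFINITY = 16   # RIP's unreachable hop count, as the text says


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.routes = {}   # dest -> (metric, next_hop); next_hop None = directly attached

    def update_for(self, neighbor, policy):
        """Routing update this router sends to one neighbor under a loop-avoidance policy."""
        adv = {}
        for dest, (metric, nh) in self.routes.items():
            if nh is neighbor and policy == "split-horizon":
                continue                 # never advertise a route back to its next hop
            if nh is neighbor and policy == "poison-reverse":
                adv[dest] = INFINITY     # advertise it back, but as unreachable
            else:
                adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford update from one neighbor; returns True if the table changed."""
        changed = False
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur, nh = self.routes.get(dest, (INFINITY, None))
            # Believe the current next hop even when the news is worse; otherwise
            # switch only to a strictly better path.
            if (nh is sender and new != cur) or (nh is not sender and new < cur):
                self.routes[dest] = (new, sender)
                changed = True
        return changed


def link(r1, r2):
    r1.neighbors.append(r2)
    r2.neighbors.append(r1)


def run_rounds(routers, policy, max_rounds=60):
    """Run synchronous update rounds until nothing changes; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        # All updates are built from the tables as they stood at the start of the round.
        updates = [(r, n, r.update_for(n, policy)) for r in routers for n in r.neighbors]
        changed = [n.receive(r, adv) for r, n, adv in updates]
        if not any(changed):
            return rnd
    return max_rounds


def simulate(policy):
    """Returns (rounds to reconverge after the failure, final metric for N per router)."""
    a, b, c = Router("A"), Router("B"), Router("C")
    link(a, b)
    link(b, c)
    routers = [a, b, c]
    a.routes["N"] = (1, None)           # N is directly attached to A
    run_rounds(routers, policy)         # let everyone learn N
    a.routes["N"] = (INFINITY, None)    # A's link to N fails
    rounds = run_rounds(routers, policy)
    return rounds, {r.name: r.routes["N"][0] for r in routers}


if __name__ == "__main__":
    for policy in ("none", "split-horizon", "poison-reverse"):
        rounds, metrics = simulate(policy)
        print("%-15s reconverged after %2d rounds, metrics %s" % (policy, rounds, metrics))
```

Without loop avoidance A adopts B's stale route to N, B later adopts A's, and the metrics climb by one hop per exchange until they hit 16 (the counting-to-infinity the text describes); with either rule B never hands A's own route back to A, so the chain settles on "unreachable" within a few rounds. The three-router loop that split horizon alone cannot break, mentioned under 4.1.1.4, needs a triangle rather than this chain.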

4.1.1.5 RIP Command

router rip – enable RIP in global configuration mode
version – specify the RIP version used globally by the router (version 1 or 2)
auto-summary – enable automatic network number summarization
network – enable routing on an IP network
neighbor – specify a neighbor router
bind-interface – enable the RIP protocol on an interface
default-metric – set the metric of redistributed routes
distance – define an administrative distance
distribute-list – filter networks in routing updates
offset-list – add an offset to the incoming and outgoing metrics of routes learned via RIP
passive-interface – disable sending routing updates on an interface
redistribute – redistribute routes from one routing domain into another routing domain
timers – adjust routing timers
validate-update-source – perform sanity checks on the source address of routing updates
show ip route – show all routes learned through RIP
debug ip rip – show RIP operation information and the update messages sent or received by routers
The difference between RIPv1 and RIPv2 is that RIPv2 is not a new protocol; rather, it is RIPv1 with some extensions. The most important extension in RIPv2 is the addition of a subnet mask field to the routing update entries, enabling the use of VLSM.
Example of RIP
ERT_805# show run
Building configuration ...
description fault
service password-encryption
service timestamps debug
!
hostname ERT_805
!
enable password 7 3EDRIxtqRWCA
!
username router password 7 65WeJR6evnrR3mP
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
!
crypto map dynmap 1 ipsec-isakmp
 set transform-set transform-1
 set peer 10.0.0.2
 match address 100
!
crypto isakmp policy 1
 authentication pre-share
 group 1
 hash md5
!
crypto isakmp key 12345678 address 10.0.0.2 255.255.255.192
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 ip ospf network point-to-point
 crypto map dynmap
 clockrate 48000
!
interface async 0/0
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.99.0
!
line vty 0 5
 login
 password 7 wAVcXxom8sGSOA
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.98.0 0.0.0.255
!
end
ERT_805#
ERT_805# show ip route
Codes: A--all O--ospf S--static R--rip C--connected E--egp T--tunnel o--cdp D--EIGRP
       [Distance/Metric] g<Group#>
S 0.0.0.0/0        [2/0]   via 10.0.0.2       serial0/0*            act
C 10.0.0.0/26      [0/1]   via 10.0.0.1       serial0/0*            act
C 10.0.0.2/32      [1/0]   via 10.0.0.1       serial0/0*            act
R 192.168.98.0/24  [120/1] via 10.0.0.2       ttl=160, serial0/0*   act
C 192.168.99.0/24  [0/1]   via 192.168.99.64  fastethernet0/0*      act
ERT_805#

4.2 EIGRP – Enhanced interior Gateway Routing Protocol

EIGRP is a distance-vector protocol that combines the advantages of distance-vector and link-state protocols. The difference between the two is that a distance-vector protocol shares everything it knows, but only with directly connected neighbors, while link-state protocols announce information about their directly connected links to all routers in the same area. Because EIGRP is distance-vector, it runs the Bellman-Ford algorithm. Such protocols are prone to routing loops and counting to infinity, so they must implement loop avoidance such as split horizon, route poisoning and holddown timers.

4.2.1 EIRGP Command

router eigrp autonomous-system-number – enable EIGRP in global configuration mode
network – enable routing on an IP network
neighbor – specify a neighbor router
auto-summary – enable automatic network number summarization
bind-interface – enable the EIGRP protocol on an interface
distance – define an administrative distance
distribute-list – filter networks in routing updates
metric – modify EIGRP routing metrics and parameters
passive-interface – disable sending routing updates on an interface
redistribute eigrp – redistribute information from another routing protocol; optional values let the user configure bandwidth, delay, reliability, loading and MTU
ip hello-interval eigrp autonomous-system-number – configure the EIGRP hello interval
ip hold-time eigrp autonomous-system-number – configure the EIGRP hold time
show ip eigrp interface [detail/AS number] – display interface information
Following is an example:
ERT_805# show ip eigrp interface
IP-EIGRP neighbors for process 1
Interface        Peers  bandwidth  delay  state
fastethernet0/0  0      10000      1000   1
serial0/0        1      1544       20000  1
ERT_805#
show ip eigrp neighbor [detail | AS number] – display neighbor information.
ERT_805# show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H  Address   Interface  Hold (sec)  Uptime    Seq (Num)
0  10.0.0.2  serial0/0  20          00:45:10  4
ERT_805#
ERT_805# show run
Building configuration ...
description fault
service password-encryption
service timestamps debug
!
hostname ERT_805
!
enable password 7 3EDRIxtqRWCA
!
username router password 7 65WeJR6evnrR3mP
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
!
crypto map dynmap 1 ipsec-isakmp
 set transform-set transform-1
 set peer 10.0.0.2
 match address 100
!
crypto isakmp policy 1
 authentication pre-share
 group 1
 hash md5
!
crypto isakmp key 12345678 address 10.0.0.2 255.255.255.192
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 crypto map dynmap
 ip hold-time eigrp 1 20
 clockrate 48000
!
interface async 0/0
!
router eigrp 1
 network 192.168.99.0
 network 10.0.0.0
!
line vty 0 5
 login
 password 7 wAVcXxom8sGSOA
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 100 permit ip 192.168.99.0 0.0.0.255 192.168.98.0 0.0.0.255
!
end
ERT_805#

4.3 OSPF – Open Shortest Path First

OSPF is a link-state protocol: it runs Dijkstra's Shortest Path First algorithm over the link-state database, as opposed to distance-vector technology. OSPF is an interior gateway routing protocol used to make routing decisions within an autonomous system. As a link-state protocol it uses a cost metric to determine the best path to a destination.
When a router or the network topology starts to change, the routing protocol generates a link-state advertisement (LSA) and floods it to notify the area or network it belongs to.
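The SPF calculation described above, as an added Python example that is not from the PLANET manual: Dijkstra's algorithm is run over a constructed link-state database (router-id to neighbor-id and interface cost, as would be assembled from the router-LSAs flooded in one area) and the result is rendered as routing-table entries with the total cost and the next hop. The router names, link costs and the administrative distance of 110 shown in the rendered lines are assumptions; the manual's own route listing shows only the RIP distance of 120.

```python
"""OSPF-style SPF over a link-state database.

Added example, not code from the ERT-805 manual. LSDB and costs are constructed.
"""
import heapq

# Constructed LSDB: router-id -> {neighbor-id: cost of the interface toward that neighbor}.
# Cost 1 is the 'ip ospf cost' default; the R1-R2 link is made expensive on purpose.
LSDB = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R3": 1, "R4": 5},
    "R3": {"R1": 1, "R2": 1, "R4": 20},
    "R4": {"R2": 5, "R3": 20},
}

OSPF_DISTANCE = 110  # assumed administrative distance for the rendered table


def spf(lsdb, root):
    """Dijkstra's shortest-path-first computation from root.

    Returns {destination: (total cost, next hop)}, where next hop is the root's
    directly connected neighbor on the least-cost path.
    """
    best = {root: 0}
    next_hop = {}
    settled = set()
    heap = [(0, root, None)]  # (cost so far, node, first hop taken from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in settled:
            continue  # a cheaper path to this node was already settled
        settled.add(node)
        if node != root:
            next_hop[node] = first_hop
        for nbr, link_cost in lsdb[node].items():
            candidate = cost + link_cost
            if candidate < best.get(nbr, float("inf")):
                best[nbr] = candidate
                # The first hop is the neighbor itself when leaving root, otherwise inherited.
                heapq.heappush(heap, (candidate, nbr, nbr if node == root else first_hop))
    return {dest: (best[dest], next_hop[dest]) for dest in next_hop}


def routing_table(lsdb, root):
    """Render the SPF result as 'show ip route' style lines: O dest [Distance/Metric] via next-hop."""
    return [
        f"O {dest} [{OSPF_DISTANCE}/{cost}] via {via}"
        for dest, (cost, via) in sorted(spf(lsdb, root).items())
    ]


if __name__ == "__main__":
    for line in routing_table(LSDB, "R1"):
        print(line)
```

From R1 the direct R1-R2 link (cost 10) loses to the R1-R3-R2 path (cost 2), so every destination is reached via R3; because each router runs the same computation over the same flooded database, the paths agree and no counting-to-infinity behaviour arises.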
Types of area
Standard area – this area accepts intra-area, inter-area and external routes. It can also be the backbone area.
Backbone area – the backbone (transit) area is always labelled area 0. The backbone is the central entity that all other areas connect to, and it is responsible for distributing routing information between the non-backbone areas.
Stub area – this area does not accept routes that belong to an external autonomous system (AS). Routers in a stub area use a default route to reach destinations outside the autonomous system.
Totally stubby area – this area does not accept routes from other areas; only a default route is propagated within the area. If a router needs to send a packet outside the area, it sends it using the default route.
Not-so-stubby area (NSSA) – this area allows a limited number of external routes to be imported into the area.
Types of routers
Internal router – a router whose directly connected networks all belong to the same area.
Backbone router – a router that connects with another autonomous system by a physical or virtual link.
Area border router (ABR) – a router attached to multiple areas. An ABR maintains a separate database for each area it connects to, condenses the topological information of its attached areas and distributes it to the backbone area.
Autonomous System Boundary Router (ASBR) – a router with at least one interface connected to another autonomous system.
Types of OSPF Network Topologies
Point-to-point – two routers directly connected to each other by a serial interface.
Broadcast multiaccess – a network with broadcast capability that connects more than two routers together; Ethernet is a broadcast multiaccess network.
Nonbroadcast multiaccess (NBMA) – a network that supports many routers but has no broadcast capability.

4.3.1 OSPF Command

router ospf <ospf ID> – enable OSPF in global configuration mode.
network address wildcard-mask area area-id – enable OSPF on the matching networks and assign them to the area.
neighbor [poll-interval | priority] – specify a neighbor router. For point-to-multipoint and NBMA networks the neighbors must be configured. poll-interval is the OSPF dead-router polling interval; priority is the OSPF priority of the non-broadcast neighbor.
area – OSPF area parameters:
area area-id authentication – specify simple password authentication as the area's authentication type.
area area-id authentication message-digest – specify cryptographic authentication as the area's authentication type.
area area-id stub [no-summary] – specify that the area is a stub area; no-summary means only the default summary LSA is produced into the area.
area area-id default-cost cost – for a stub area, the cost of the default summary LSA.
area area-id nssa – specify that the area is an NSSA.
area area-id range address mask [advertise | not-advertise] – configure the area range, which is used to condense the network topology information.
distance admin-distance
redistribute [connected | rip | static]
ip ospf network [broadcast | non-broadcast | point-to-point | point-to-multipoint]
ip ospf cost cost – default value is 1.
ip ospf retransmit-interval seconds – default value is 5 seconds.
ip ospf transmit-delay seconds – default value is 1 second.
ip ospf priority number – valid only for broadcast and NBMA networks.
ip ospf hello-interval seconds
ip ospf dead-interval seconds
ip ospf authentication-key key – the key's maximum length is 8 bytes; valid when the area's authentication type is simple password authentication.
ip ospf message-digest-key keyid md5 key – the key's maximum length is 16 bytes; valid when the area's authentication type is cryptographic authentication.
Configuration Example
Router Software Version 4220lab-RT805 on ERT805 (4.2c )
User Access Verification
Password:
ERT-805> enable
Password:
ERT_805# show run
Building configuration ...
service password-encryption
service timestamps debug
!
hostname router
!
enable password level 15 7 aNTUS0QSfz8T
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation hdlc
 ip address 10.0.0.1 255.255.255.192
 ip ospf priority 255
 clockrate 48000
!
interface async 0/0
!
router ospf 2
 network 192.168.99.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
line vty 0 4
 login
 password 7 hd3cpRj4s14LeA
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
end
ERT_805#

4.4 PPP

PPP (Point-to-Point Protocol) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP comprises three main functional components:
- a method for encapsulating multi-protocol datagrams;
- the Link Control Protocol (LCP), which establishes, configures, authenticates and tests the data-link connection;
- Network Control Protocols (NCPs), which establish and configure different network-layer protocols.
PPP provides two authentication methods:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
PPP authentication using PAP
PAP uses a two-way handshake to establish the peer's identity. After the PPP link establishment phase is complete, the username and password pair is sent repeatedly across the link until the authentication is acknowledged or the connection is terminated.
PAP does not provide strong authentication, because the password is sent across the link in clear text and there is no protection against playback (replay).
PPP authentication using CHAP
CHAP uses a three-way handshake to establish the peer's identity. After the PPP link establishment phase is complete, the server sends a challenge to the remote node. The remote node responds with a value calculated by a one-way hash function (typically MD5). The server checks the response against its own calculation of the expected hash value; if the values match, the authentication is acknowledged. CHAP is more secure than PAP because it protects against playback attacks through the use of a variable challenge value that is unique and unpredictable. The use of repeated challenges is intended to limit the time of exposure to any single attack; the access server controls the frequency and timing of the challenges.
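The two exchanges just described, written out as an added Python example (not code from the PLANET manual or the ERT-805): the CHAP side issues a fresh random challenge, the peer answers with MD5 over identifier, secret and challenge (the RFC 1994 construction for the MD5 hash the text mentions), and the server compares that with its own computation and discards the challenge so a captured response cannot be replayed; the PAP side simply shows that the password is carried in the clear. The username `router`, the secrets and the challenge length are constructed values.

```python
"""PAP and CHAP exchanges in code.

Added example, not from the ERT-805 manual. Names and secrets are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses against the local user table
    (the equivalent of the 'username <name> password <secret>' entries in the router config)."""

    def __init__(self, user_db: dict):
        self.user_db = user_db      # name -> shared secret
        self.pending = {}           # identifier -> challenge still awaiting a response
        self.identifier = 0

    def challenge(self):
        """Step 1, server -> peer: a new identifier and a random, unpredictable challenge value."""
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)      # 16-byte challenge length is an assumption of this example
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3, server side: each challenge is usable once, so a replayed response fails."""
        value = self.pending.pop(identifier, None)
        if value is None or name not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[name], value)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, name: str, secret: bytes):
    """One three-way handshake: Challenge -> Response -> Success/Failure.

    Returns (outcome, (identifier, response)) so a caller can demonstrate that the
    captured response is worthless against a later challenge.
    """
    identifier, value = server.challenge()                 # 1. server -> peer
    response = chap_response(identifier, secret, value)    # 2. peer -> server, secret never leaves the peer
    return server.verify(identifier, name, response), (identifier, response)  # 3. server -> peer


def pap_authenticate_request(name: str, password: str) -> bytes:
    """The body of a PAP Authenticate-Request: Peer-ID-Length, Peer-ID, Passwd-Length, Password,
    all in clear text (the packet header is omitted here)."""
    n, p = name.encode(), password.encode()
    return bytes([len(n)]) + n + bytes([len(p)]) + p


if __name__ == "__main__":
    server = ChapAuthenticator({"router": b"constructed-secret"})
    ok, captured = chap_login(server, "router", b"constructed-secret")
    print("CHAP with the right secret accepted:", ok)
    print("CHAP replay of the captured response accepted:",
          server.verify(captured[0], "router", captured[1]))
    print("PAP password readable on the wire:",
          b"plain-pw" in pap_authenticate_request("router", "plain-pw"))
```

The properties the text attributes to CHAP fall out of the code: the secret itself is never transmitted, a fresh challenge gives a different expected hash every time, and a response recorded from one handshake fails against the next one. The same configuration command, `ppp authentication chap` in the examples below, is what selects this exchange on the router.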
The following shows a typical PPP session.
Figure 4-2 Networking diagram of PAP and CHAP authentication example (Router A and Router B)
encapsulation ppp – set the interface encapsulation to PPP (interface command).
ppp authentication [pap | chap] – enable PAP or CHAP authentication.
username username password password [callback-dialstring] – add the username and password of the peer to the local user database (global command). callback-dialstring is used by the callback command.
ppp compress [predictor | stacker] – configure predictor or stacker compression on the interface.
ip tcp header-compress – configure TCP header compression on the interface.
ppp callback [accept | initiate] – configure callback on the interface; accept is configured on the server and initiate on the client.
Configuration Example
CHAP example
router# show run
Building configuration ...
service password-encryption
service timestamps debug
!
hostname router
!
enable password level 15 7 aNTUS0QSfz8T
!
username ERT-805 password 7 SBFV4NgG60tV
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 ppp authentication chap
 clockrate 48000
!
interface async 0/0
!
line vty 0 4
 login
 password 7 hd3cpRj4s14LeA
!
ip route 192.168.98.0 255.255.255.0 10.0.0.2
!
end
router#
ERT-805# show run
Building configuration ...
service password-encryption
service timestamps debug
!
hostname ERT-805
!
enable password 7 5EVbxkwzBvfT
!
username router password 7 XNDVyI32Zyje
!
interface fastethernet 0/0
 ip address 192.168.98.63 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.2 255.255.255.192
 ppp authentication chap
!
interface async 0/0
!
line vty 0 4
 login
 password 7 o2EUq2a6AFiY4D
!
ip route 192.168.99.0 255.255.255.0 10.0.0.1
!
end
PAP example
router# show run
Building configuration ...
service password-encryption
service timestamps debug
!
hostname router
!
enable password level 15 7 aNTUS0QSfz8T
!
interface fastethernet 0/0
 ip address 192.168.99.64 255.255.255.0
!
interface serial 0/0
 encapsulation ppp
 ip address 10.0.0.1 255.255.255.192
 ppp authentication pap
 ppp pap sent-username router password 7 wRHOiZagh-kM
 ppp compress predictor
 ip tcp header-compression
!