Networks for the smallest. Part Three Static routing
The boy said to his mother: "I want to eat." Mom sent him to dad.
The boy said to dad: "I want to eat." Dad sent him to mom.
The boy said to his mother: "I want to eat." Mom sent him to dad.
And so the boy ran, until at one moment he fell.
What happened to the boy? TTL is over.
So, a turning point in the history of the company βLift me Upβ. The management understands that the company producing elevators, traveling only upward, will not withstand the struggle in a highly competitive market. It is necessary to expand the business. It was decided to purchase two plants: in St. Petersburg and Kemerovo.
We urgently need to organize communications to new offices, and your local network has not even earned yet.
Today:
1. We configure routing between vlans in our network (InterVlan routing)
2. We are trying to deal with the processes occurring in the network, and what is happening with the data.
3. We plan network expansion (IP addresses, vlana, switching tables)
4. We configure static routing and understand how it works.
5. Use the L3 switch as a gateway
')
Content:
A bit of practice for rejuvenation.
The last time we configured our local network switches. At the moment, devices of different vlan do not see each other. That is, in fact, FEI and VET, for example, are located in completely different networks and are not connected with each other. Similarly, the server network exists by itself. It would be necessary to correct this annoying nuisance.
In our Moscow network, we will use the cisco 2811 router for routing between vlans. In other words, it will terminate vlans. The frames here end their lives: IP packets are extracted from them, and the data link layer headers are discarded.
The process of configuring the router is very simple:
0) First we finish with the msk-arbat-dsw1 switch. On it we need to configure the trunk port in the direction of the router, which we did not do last time.
1) We assign the name of the router with the command hostname , and in order to develop a good tone, it is necessary to mention that it is better to set the time on the device immediately. This will help you to correctly identify entries in the logs.
It is desirable to distribute time to network devices via NTP (any tsiska can be made an NTP server, by the way)
2) Next, go to the interface configuration mode, turned into our local network and turn it on, since by default it is in the Administratively down state.
3) Create a virtual interface, or else it is called a subinterface or another sub-interface.
The logic here is simple. First, we specify in the usual way the physical interface to which the necessary network is connected, and after the dot we put some unique identifier of this virtual interface. For convenience, usually the subinterface number is made similar to the vlan that it terminates.
4) Now let's recall the 802.1q standard, which describes frame tagging with a vlan tag. The next command indicates that the frames originating from this virtual interface will be marked with the tag of the 2nd vlan. And the frames entering on the physical interface FastEthernet0 / 0 with the tag of this vlan will be accepted by the virtual interface FastEthernet0 / 0.2.
5) Well, as on a regular physical L3 interface, we define an IP address. This address will be the default gateway for all devices in this vlan.
Similarly, we configure, for example, the 101st vlan:
and now make sure that we see the control network from the computer from the PTO network:
It works and is fine, configure all the other interfaces for now. Problems with this should arise.
What happens at this time with your data?
We reasoned last time what happens if you try to connect to a device from the same subnet that you are on.
By the same subnet we understand the following.
For example, the following is configured on your computer:
IP: 172.16.3.2
Mask: 255.255.255.0
GW: 172.16.3.1
All devices whose addresses will be in the range 172.16.3.1-172.16.3.254 with the same mask as you will be members of your subnet. What happens to the data if you send it to a device with an address in this range?
Repeat this with some additions.
To send data, they must be packed into an Ethernet frame, in the header of which the MAC address of the remote device must be inserted. But where to get it?
To do this, your computer sends a broadcast ARP request. As the IP address of the destination node in the IP packet with this request will be placed the address of the desired host. The network card when encapsulating indicates the MAC address of FF: FF: FF: FF: FF: FF - this means that the frame is intended for all devices. Then it goes to the nearest switch and copies are sent to all ports of our vlan (well, except, of course, the port from which the frame was received). Recipients see that the request is broadcast and they may be the desired host, so they extract the data from the frame. All those devices that do not have the IP address specified in the ARP request simply ignore the request, but the real receiver device will respond to it and send its MAC address to the original sender. The sender (in this case, our computer) places the received MAC into its IP-and-MAC-address correspondence table, aka ARP cache. How the ARP cache looks like on your computer right now, you can see with the help of the arp -a command
Then your payload is packaged in an IP packet, where the recipient is the address that you specified in the command / application, then in the Ethernet frame, in the header of which the MAC address received by the ARP request is placed. Next, the frame is sent to the switch, which, according to its table of MAC addresses, decides which port to forward it to.
But what happens if you try to reach the device in another vlan? An ARP request will not return anything, because the broadcast L2 messages end on the router (that is, within the broadcast L2 domain), the desired network is behind it, and the switch will not allow frames from one vlan to another. And for this you need a default gateway (default gateway) on your computer.
That is, if the recipient device is on your own subnet, the frame is simply sent to the port with the MAC address of the final recipient. If the message is addressed to any other subnet, then the frame is sent to the default gateway, so the routerβs MAC address will be substituted as the destination MAC address.
We follow the course of events.
1) A PC with the address 172.16.3.2/24 wants to send data to the computer with the address 172.16.4.5.
He sees that the address is from a different subnet, therefore, the data must go to the default gateway. But in this case, the PC needs the gateway MAC address. The PC checks its ARP cache in order to match the gateway's IP address β the MAC address does not find the one needed.
2) The PC sends a broadcast ARP request to the local network. ARP request structure:
- at the data link layer as a recipient - broadcast address (FF: FF: FF: FF: FF: FF), as sender - the MAC address of the interface of the device trying to figure out the IP
- on the network - the actual ARP request, it contains information about what IP and who is looking for.
3) The switch that received the frame sends its copies to all ports of this vlan (the one that owns the original host), in addition to where it came from.
4) All devices, having received this frame and, seeing that it is a broadcast, assume that it is addressed to them.
5) Having unpacked the frame, all the hosts, except for the router, see that the ARP request does not have their address. And the router sends a unicast ARP reply with its MAC address.
6) The original host receives an ARP reply, now it has the MAC address of the gateway. It forms a packet from the data that it needs to send to 172.16.4.5. As the MAC address of the recipient, the PC sets the gateway address. In this case , the recipient's IP address in the packet remains 172.16.4.5
7) The frame is sent to the network, the switches deliver it to the router.
8) On the router, in accordance with the label of the vlan, the frame is received by a specific subinterface. Data link level recline .
9) From the header of an IP packet, the router learns the destination address, and from its routing table it sees that it is located in a directly connected network on a certain subinterface (in our case FE0 / 0.102).
10) The router sends an ARP request from this subinterface β it learns the recipient's MAC address.
11) The original IP packet, without changing, is encapsulated in a new frame , with:
- as the source MAC address, the gateway interface address is specified
- source IP address β address of the original host (in our case, 172.16.3.2)
- the destination host's address is specified as the destination MAC address
- Recipient's IP address β destination host address (in our case, 172.16.4.5)
and sent to the network from the FastEthernet0 / 0.102 subinterface, while receiving the label of the 102th vlan.
12) A frame is delivered by switches to the destination host.
Now turn to planning. In the zero part, we have already touched on this topic, but then it was only about two offices in Moscow, but now the network is growing.
It will be like this:
That is, two points are added in St. Petersburg: a small office on Vasilyevsky Island and the plant itself in Ozerki - and one in Kemerovo in the area of ββKrasnaya Gorka.
For simplicity, we will have one provider βBalagan Telecomβ, which on favorable terms will provide us with L2VPN to both points.
In one of the next issues, we will open the topic of various connection options in colors. In the meantime, in brief: L2VPN is, very roughly, when the provider provides you with a vlan from point to point (for simplicity, you can imagine that they are included in one switch).
A few words should be said about IP addressing and subnetting.
In the zero part, we have already touched upon the issues of planning, I must say very casually.
In general, in any more or less large company there should be a certain regulation - a set of rules, following which you distribute IP addresses everywhere. Our network is now growing and developing it is very important.
Well, for example, let's say that for offices in other cities it will be like this:
This is a very simplified procedure, but now, in any case, we know for sure that the gateway will always have the 1st address, until the 12th we will issue switches and all wi-fi-points, and we will look for all servers in the 172.16.x range .13-172.16..23. Of course, to your liking you can refine the rules up to the address of each server, add to it the rule for generating device names, domain names, access lists policies, etc.
The more precisely you formulate the rules and the more strictly you will monitor their implementation, the easier it is to understand the network structure, solve problems, adapt to the situationand punish those responsible .
This is approximately like a password memorization scheme: when you have a certain rule of their formation, you do not need to keep in mind several dozen difficult-to-remember passwords, you can always calculate them.
That's the same here. I once worked in a medium-sized holding and knew that if I came to an office somewhere in a village forgotten by cows, then there exactly xyz1 is a tsiska, xyz2 is a distribution set of the pro-switch, and xyz101 is a computer of the chief accountant from which it is necessary to give access to any contour-extern. Another question is that it is necessary to check this further, because local ITshniki can sometimes do such a thing that you wash with tears through laughter.
Now we would be very helpful to make an IP plan. We will proceed from the fact that at all three points we will use a standard network with a 24-bit mask (255.255.255.0) This means that there may be 254 devices in them.
Why is this so? And how do you understand all these subnet masks? In the framework of one article we will not be able to tell this, otherwise it will turn out to be long, like the deck of the Titanic, and tangled, like the Odessa catacombs. We highly recommend to get acquainted with such concepts as IP-address, subnet mask, their binary representation and CIDR (Classless InterDomain Routing) independently. We will further only argue the choice of a specific network size. Anyway, full understanding will come only with practice.
In general, this topic is very well covered in this article: http://habrahabr.ru/post/129664/
At the moment (recall the zero issue ) we have used addresses 172.16.0.0-172.16.6.255 in Moscow. Suppose that the network can still increase here, for example, an office will appear on the Sparrow Hills and reserve another subnet to 172.16.15.0/24 inclusive.
All these addresses: 172.16.0.0-172.16.15.255 - can be described as: 172.16.0.0/20. This network (with the prefix / 20) will be the so-called supernetwork , and the operation of merging subnetworks in the supernetwork is called summing up subnetworks (summing up routes, to be exact, route summarization)
Very intuitive IP calculator . I occasionally use it even now, although with time comes an intuitive and logical understanding of the correspondence between the mask length and the network boundaries.
Now turn to Peter. At the moment in this beautiful city we have 2 points and on each of them there are subnets / 24. Let's say it will be 172.16.16.0/24 and 172.16.17.0/24. We reserve addresses 172.16.18.0-172.16.23.255 for possible network expansion.
172.16.16.0-172.16.23.255 can be combined into 172.16.16.0/21 - in general, it is on this basis that we leave this range in reserve.
In Kemerovo, it makes no sense for us to keep such huge reserves / 21, as in St. Petersburg (2048 addresses or 8 subnets / 24), or even more / 20, as in Moscow (4096 or 16 subnets / 24). But 1024 addresses and 4 subnets / 24, which corresponds to the mask / 22 is quite rational.
Thus, we will have the network 172.16.24.0/22 ββ(addresses 172.16.24.0-172.16.27.255) for Kemerovo.
One should note here: in general, it is not necessary to make such a reserve, and what we have reserved can be used anywhere in the network. There is no taboo on this. However, in large networks, this is exactly what is recommended and this is connected with the amount of information in the routing tables.
You see, the thing is: if you have several consecutive subnets scattered across different ends of the network, then each of them has one entry in the routing table of each router. If at the same time you suddenly use only static routing, then it is still a tremendous job of setting up and tracking the correctness of the setting.
And if they all go in a row, then you can summarize several small subnets into one large one.
Let us explain by the example of St. Petersburg. When configuring static routing, we could do this:
These are 8 teams and 8 records in the table. But at the same time, a packet arriving at the router to any of the 172.16.16.0/21 networks in any case will be sent to the device with the address 172.16.2.2.
Instead, we do this:
And instead of eight possible comparisons there will be only one.
For modern devices, neither in terms of processor time nor memory usage is no longer a significant burden, however, such planning is considered to be good tone rules and in the end itβs easier for you to figure it out.
But, hand on heart, such planning is the exception rather than the rule: one way or another, route fragmentation with the growth of the network is inevitable.
Now a few more words about the βlinkβ networks. In the environment of network administrators, the so-called network point-to-point (Point-to-Point) between the two routers.
Here again in the example of Peter. Two routers (in Moscow and Petersburg) are connected to each other by a direct link (it doesn't matter that the provider has hundreds of switches and routers - for us it is just a lan). That is, besides these 2 devices, there will be no others here. We know that for sure. In any case, the interfaces of both devices (facing each other) need to be configured with IP addresses. And we definitely have no reason to assign a network / 24 on this site with 254 available addresses, because 252 in this case will be lost in vain. In this case, there is a great way out - classless IP addressing.
Why is it classless? If you remember, then in the zero part we talked about three classes of subnetworks: A, B and C. In theory, only you could use them when planning the network. Classless Inter-Domain Routing ( CIDR ) allows for very flexible use of IP address space.
We just take the network with the smallest mask possible - 30 (255.255.255.252) - this is a network with 4 addresses. Why can't we take the network with an even narrower mask? Well, for obvious reasons, 32 (255.255.255.255) is generally one single address, network 31 (255.255.255.254) is already 2 addresses, but one of them (the first) is the network address, and the second (the last) is a broadcast address. As a result, we have nothing left for the addresses of the hosts. Therefore, we take a mask of 30 with 4 addresses and then just 2 addresses remain on our two routers.
Generally speaking, the narrowest mask for subnets in cisco is / 31. Under certain conditions they can be used on PtP links.
As for the mask / 32, such subnets, which are the only one host, are used to assign addresses to Loopback interfaces.
That is what we will do. For this, in fact, in the zero part we left the network 172.16.2.0/24 - we will split it into small grids / 30. In total, they will turn out 64 pieces, respectively, you can assign them to 64 links .
Here we did the same as in the previous case: we made a small reserve for Peter, and a reserve for Kemerovo. In general, the reserve is always very good about whatever we say. ;)
Before starting the configuration, you should decide on what routing is needed at all.
Consider this network:
For example from PC1 - 172.16.3.2 I want to connect via telnet to the L3 switch with the address 172.16.17.1.
How does my computer know what to do? Where to send data?
1) As you already know, if the recipient address is from a different subnet, then the data must be sent to the default gateway.
2) According to the scheme already known to you, the computer uses the ARP request to retrieve the MAC address of the router.
3) Next, it forms a frame with a packet encapsulated in it and sends it to the port. After the frame is sent, the computer is already on the drum, what happens to it further.
4) At the same time, the frame itself first gets to the switch, where its fate is decided according to the table of MAC addresses. And then reaches the router RT1.
5) Since the router restricts the broadcast domain - here the life of this frame ends. Tsisk simply discards the header of the data link layer - it is no longer useful - it extracts an IP packet from it.
6) Now the router must decide what to do with it next. Of course, send it to some kind of your own interface. But which one?
To do this, there is a routing table, which is on any router. To find out what is currently in our routing table, you can use the show ip route command:
Each line in it is a way to get to a particular network.
For example, if a packet is addressed to the network 172.16.17.0/24, then the data must be sent to the device with the address 172.16.2.2.
The routing table is formed from:
- directly connected networks (directly connected) are networks that start directly on it. In the example 172.16.3.0/24 and 172.16.2.0/30. In the table, they are denoted by the letter C
- static routes are those that you manually entered using the ip route command. Denoted by the letter s
- routes obtained using dynamic routing protocols (OSPF, EIGRP, RIP, and others).
7) So, the data to the network 172.16.17.0 (and we want to connect to the device 172.16.17.1) should be sent to the next hop - the next hop, which is the router 172.16.2.2. Moreover, from the routing table it can be seen that the next hop is located behind the interface FE0 / 1.4 (subnet 172.16.2.0/30).
8) If there is no MAC address in the ARP cache of the tsiska, then you need to run the ARP request again to find out the MAC address of the device with the IP address 172.16.2.2. RT1 sends a broadcast frame from port FE0 / 1.4. In this broadcast domain we have two devices, and accordingly only one recipient. RT2 receives an ARP request, discards the Ethernet header and, realizing from the ARP protocol data that the address it belongs to, sends an ARP reply with its MAC address.
9) The initial IP packet arriving at RT1 does not change , it is encapsulated in a completely new frame and sent to port FE0 / 1.4, while receiving the label of the 4th vlan.
10) Completely similar actions occur on the next router. And on the next and next (if they were), until the packet reaches the last one, to which the necessary network is connected.
11) , , , , .
. , β .
? , -. , . L2VPN, , .
, , . , , , 2912 754. , , .
, β FE0/0 β , (FE0/1) .
-. - 4 5- . IP- IP-.
, . , .
: . , 3 β , MPLS- .
β β:
spb-vsl-gw1. 2 , : . FastEthernet- WIC .
, .
.
FastEthernet β (Ethernet, Fastethernet, GigabitEthernet, POS, Serial )
x/y/zw=Slot/Sub-slot/Interface.Sub-interface.
β , . , .
, :
:
. msk-arbat-gw1 172.16.2.2:
172.16.16.1:
, , :
:
:
, β , :
?!
, β 172.16.3.1, β 172.16.2.2. , spb-vsl-gw1, , 172.16.16.1 . 172.16.3.3, 172.16.3.0 . , , β .
, , , msk-arbat-gw1 172.16.16.1 ? 172.16.3.1 172.16.3.2? It's simple.
, β 172.16.2.2, 172.16.2.1 , IP- , 172.16.3.1. spb-vsl-gw1, , , echo-reply. IP-, 172.16.2.1, 172.16.2.0/30 β spb-vsl-gw1 , . 172.16.2.0/30 , 172.16.3.0/24 .
spb-vsl-gw1 172.16.3.0, . , , β .
, β . β , . , .
? β , β . . , , , , β , , β , . , β .
:
:
, .
. L3-. , (, , ).
. -, , . , L3- , L2- . , , . .
, :
172.16.17.0/24, :
, β 172.16.2.6
:
fa1/1 24- 3560 .
L3- L2, ββ , . L3-, . IP-:
:
. , Cisco 1- , , 2-:
172.16.17.1
, :
.
, :
spb-vsl-gw1 :
:
. traceroute:
, spb-vsl-gw1 , . , , 172.16.2.5 (, , ) :
172.16.17.0/24 . , , , 172.16.16.0/21 , , , :
Checking:
, spb-ozerki-gw1 -:
, - 172.16.17.1:
172.16.17.26 :
How so? , , β .
, msk-arbat-gw1 172.16.17.0/24 , 172.16.2.4/30 . 172.16.2.6 β ( , IP-) . .
: 172.16.3.0/24 , ? . ?
, -, . 172.16.3.0/24 172.16.16.0/21 :
spb-ozerki-gw1 172.16.3.0 spb-vsl-gw1, : β172.16.3.0/24 172.16.2.6β, spb-ozerki-gw1, : β172.16.3.0/24 172.16.2.5β . -, TTL.
, TTL IP-, 255, 1. , 0, , , , .
β , .
, Ethernet , , , β ( \ STP- ).
, 172.16.17.0 172.16.3.1, IP- , , 254 .
, , , 255 . . - .
β (router on a stick).
:
, . , , ( ).
:
. UpLink- 5- :
vlan 2 , β , . : , , 2- , , .
, 5- , 2- β .
:
, .
, :
and
, , . , :
Although there is no separate entry in the routing table for subnet 172.16.17.0, the router will show you which next hop.
And I would also like to repeat the most important things:
- When a data block hits the router, the Ethernet header is completely discarded and a completely new frame is formed when sending. But the IP packet remains unchanged.
- Each router in the case of static routing decides on the fate of the packet solely on its own and does not know anything about other people's tables.
- The search in the table does NOT go to the first matching entry, but until the most exact match is found (the narrowest mask). For example, if your routing table looks like this:
And you transfer the data to 172.16.10.5, it will not follow the route through 172.16.2.22 or 172.16.2.26, but will choose the narrowest mask (the longest) / 30 through 172.16.2.30.
- If no record in the routing table matches the recipient's IP address and the default route is not configured (gateway of last resort), the packet will simply be dropped.
At this first acquaintance with the routing can be completed. It seems to us that the reader himself sees how many difficulties await him here, can suggest how much work he will have if the network grows to several dozen routers. But it must be said that in the modern world static routing is not something that is not used, of course, there is room for it, but in the vast majority of networks that are larger than the district pioneer net, dynamic routing protocols are implemented. Among them are OSPF, EIGRP, IS-IS, RIP, to which we will dedicate a separate release and, most likely, not one. But setting up static routing greatly helps your overall understanding of routing.
As an independent task, try setting up routing between Moscow and Kemerovo and answering the question why devices do not respond from the control network.
New IP plan, switching plans for each point and time limit
RT file with lab
Device configuration
We apologize for the giant sheets, the video, too, is getting longer and more unbearable each time. Next time we will try to be more compact.
All interested, but unregistered are invited to talk in the LiveJournal .
For the preparation of the article, many thanks to my co-author of thegluck and my wife for the lion's patience.
The boy said to dad: "I want to eat." Dad sent him to mom.
The boy said to his mother: "I want to eat." Mom sent him to dad.
And so the boy ran, until at one moment he fell.
What happened to the boy? TTL is over.
All issues
8. Networks for the smallest. Part Eight BGP and IP SLA
7. Networks for the smallest. Part Seven. VPN
6. Networks for the smallest. Part six. Dynamic routing
5. Networks for the smallest: Part Five. NAT and ACL
4. Networks for the smallest: Part Four. STP
3. Networks for the smallest: Part Three. Static routing
2. Networks for the smallest. Part two. Switching
1. Networks for the smallest. Part one. Connection to the equipment cisco
0. Networks for the smallest. Part zero. Planning
7. Networks for the smallest. Part Seven. VPN
6. Networks for the smallest. Part six. Dynamic routing
5. Networks for the smallest: Part Five. NAT and ACL
4. Networks for the smallest: Part Four. STP
3. Networks for the smallest: Part Three. Static routing
2. Networks for the smallest. Part two. Switching
1. Networks for the smallest. Part one. Connection to the equipment cisco
0. Networks for the smallest. Part zero. Planning
So, a turning point in the history of the company βLift me Upβ. The management understands that the company producing elevators, traveling only upward, will not withstand the struggle in a highly competitive market. It is necessary to expand the business. It was decided to purchase two plants: in St. Petersburg and Kemerovo.
We urgently need to organize communications to new offices, and your local network has not even earned yet.
Today:
1. We configure routing between vlans in our network (InterVlan routing)
2. We are trying to deal with the processes occurring in the network, and what is happening with the data.
3. We plan network expansion (IP addresses, vlana, switching tables)
4. We configure static routing and understand how it works.
5. Use the L3 switch as a gateway
')
Content:
- InterVlan Routing
- Expansion planning
- ... IP plan
- Routing Principles
- Customization
- ... Moscow. Arbat
- ... Provider
- β¦ St. Petersburg. Vasilyevsky Island
- β¦ St. Petersburg. Lakes
- ... Kemerovo. Red hill
- Additionally
- Release materials
InterVlan Routing
A bit of practice for rejuvenation.
The last time we configured our local network switches. At the moment, devices of different vlan do not see each other. That is, in fact, FEI and VET, for example, are located in completely different networks and are not connected with each other. Similarly, the server network exists by itself. It would be necessary to correct this annoying nuisance.
In our Moscow network, we will use the cisco 2811 router for routing between vlans. In other words, it will terminate vlans. The frames here end their lives: IP packets are extracted from them, and the data link layer headers are discarded.
The process of configuring the router is very simple:
0) First we finish with the msk-arbat-dsw1 switch. On it we need to configure the trunk port in the direction of the router, which we did not do last time.
msk-arbat-dsw1 (config) #interface FastEthernet0 / 24
msk-arbat-dsw1 (config-if) # description msk-arbat-gw1
msk-arbat-dsw1 (config-if) # switchport trunk allowed vlan 2-3,101-104
msk-arbat-dsw1 (config-if) # switchport mode trunk
1) We assign the name of the router with the command hostname , and in order to develop a good tone, it is necessary to mention that it is better to set the time on the device immediately. This will help you to correctly identify entries in the logs.
Router0 # clock set 12:34:56 7 august 2012
Router0 # conf t
Router0 (config) #hostname msk-arbat-gw1
It is desirable to distribute time to network devices via NTP (any tsiska can be made an NTP server, by the way)
2) Next, go to the interface configuration mode, turned into our local network and turn it on, since by default it is in the Administratively down state.
msk-arbat-gw1 (config) #interface fastEthernet 0/0
msk-arbat-gw1 (config-if) #no shutdown
3) Create a virtual interface, or else it is called a subinterface or another sub-interface.
msk-arbat-gw1 (config) #interface fa0 / 0.2
msk-arbat-gw1 (config-if) #description Management
The logic here is simple. First, we specify in the usual way the physical interface to which the necessary network is connected, and after the dot we put some unique identifier of this virtual interface. For convenience, usually the subinterface number is made similar to the vlan that it terminates.
4) Now let's recall the 802.1q standard, which describes frame tagging with a vlan tag. The next command indicates that the frames originating from this virtual interface will be marked with the tag of the 2nd vlan. And the frames entering on the physical interface FastEthernet0 / 0 with the tag of this vlan will be accepted by the virtual interface FastEthernet0 / 0.2.
msk-arbat-gw1 (config-if) #encapsulation dot1Q 2
5) Well, as on a regular physical L3 interface, we define an IP address. This address will be the default gateway for all devices in this vlan.
msk-arbat-gw1 (config-if) #ip address 172.16.1.1 255.255.255.0
Similarly, we configure, for example, the 101st vlan:
msk-arbat-gw1 (config) #interface FastEthernet0 / 0.101
msk-arbat-gw1 (config-if) #description PTO
msk-arbat-gw1 (config-if) #encapsulation dot1Q 101
msk-arbat-gw1 (config-if) #ip address 172.16.3.1 255.255.255.0
and now make sure that we see the control network from the computer from the PTO network:
It works and is fine, configure all the other interfaces for now. Problems with this should arise.
The physics and logic of the interlaced routing process
What happens at this time with your data?
We reasoned last time what happens if you try to connect to a device from the same subnet that you are on.
By the same subnet we understand the following.
For example, the following is configured on your computer:
IP: 172.16.3.2
Mask: 255.255.255.0
GW: 172.16.3.1
All devices whose addresses will be in the range 172.16.3.1-172.16.3.254 with the same mask as you will be members of your subnet. What happens to the data if you send it to a device with an address in this range?
Repeat this with some additions.
To send data, they must be packed into an Ethernet frame, in the header of which the MAC address of the remote device must be inserted. But where to get it?
To do this, your computer sends a broadcast ARP request. As the IP address of the destination node in the IP packet with this request will be placed the address of the desired host. The network card when encapsulating indicates the MAC address of FF: FF: FF: FF: FF: FF - this means that the frame is intended for all devices. Then it goes to the nearest switch and copies are sent to all ports of our vlan (well, except, of course, the port from which the frame was received). Recipients see that the request is broadcast and they may be the desired host, so they extract the data from the frame. All those devices that do not have the IP address specified in the ARP request simply ignore the request, but the real receiver device will respond to it and send its MAC address to the original sender. The sender (in this case, our computer) places the received MAC into its IP-and-MAC-address correspondence table, aka ARP cache. How the ARP cache looks like on your computer right now, you can see with the help of the arp -a command
Then your payload is packaged in an IP packet, where the recipient is the address that you specified in the command / application, then in the Ethernet frame, in the header of which the MAC address received by the ARP request is placed. Next, the frame is sent to the switch, which, according to its table of MAC addresses, decides which port to forward it to.
But what happens if you try to reach the device in another vlan? An ARP request will not return anything, because the broadcast L2 messages end on the router (that is, within the broadcast L2 domain), the desired network is behind it, and the switch will not allow frames from one vlan to another. And for this you need a default gateway (default gateway) on your computer.
That is, if the recipient device is on your own subnet, the frame is simply sent to the port with the MAC address of the final recipient. If the message is addressed to any other subnet, then the frame is sent to the default gateway, so the routerβs MAC address will be substituted as the destination MAC address.
We follow the course of events.
1) A PC with the address 172.16.3.2/24 wants to send data to the computer with the address 172.16.4.5.
He sees that the address is from a different subnet, therefore, the data must go to the default gateway. But in this case, the PC needs the gateway MAC address. The PC checks its ARP cache in order to match the gateway's IP address β the MAC address does not find the one needed.
2) The PC sends a broadcast ARP request to the local network. ARP request structure:
- at the data link layer as a recipient - broadcast address (FF: FF: FF: FF: FF: FF), as sender - the MAC address of the interface of the device trying to figure out the IP
- on the network - the actual ARP request, it contains information about what IP and who is looking for.
3) The switch that received the frame sends its copies to all ports of this vlan (the one that owns the original host), in addition to where it came from.
4) All devices, having received this frame and, seeing that it is a broadcast, assume that it is addressed to them.
5) Having unpacked the frame, all the hosts, except for the router, see that the ARP request does not have their address. And the router sends a unicast ARP reply with its MAC address.
6) The original host receives an ARP reply, now it has the MAC address of the gateway. It forms a packet from the data that it needs to send to 172.16.4.5. As the MAC address of the recipient, the PC sets the gateway address. In this case , the recipient's IP address in the packet remains 172.16.4.5
7) The frame is sent to the network, the switches deliver it to the router.
8) On the router, in accordance with the label of the vlan, the frame is received by a specific subinterface. Data link level recline .
9) From the header of an IP packet, the router learns the destination address, and from its routing table it sees that it is located in a directly connected network on a certain subinterface (in our case FE0 / 0.102).
C 172.16.0.0/24 is directly connected, FastEthernet0 / 0.3
C 172.16.1.0/24 is directly connected, FastEthernet0 / 0.2
C 172.16.2.16/30 is directly connected, FastEthernet0 / 1.5
C 172.16.3.0/24 is directly connected, FastEthernet0 / 0.101
C 172.16.4.0/24 is directly connected, FastEthernet0 / 0.102
C 172.16.5.0/24 is directly connected, FastEthernet0 / 0.103
C 172.16.6.0/24 is directly connected, FastEthernet0 / 0.104
10) The router sends an ARP request from this subinterface β it learns the recipient's MAC address.
11) The original IP packet, without changing, is encapsulated in a new frame , with:
- as the source MAC address, the gateway interface address is specified
- source IP address β address of the original host (in our case, 172.16.3.2)
- the destination host's address is specified as the destination MAC address
- Recipient's IP address β destination host address (in our case, 172.16.4.5)
and sent to the network from the FastEthernet0 / 0.102 subinterface, while receiving the label of the 102th vlan.
12) A frame is delivered by switches to the destination host.
Expansion planning
Now turn to planning. In the zero part, we have already touched on this topic, but then it was only about two offices in Moscow, but now the network is growing.
It will be like this:
That is, two points are added in St. Petersburg: a small office on Vasilyevsky Island and the plant itself in Ozerki - and one in Kemerovo in the area of ββKrasnaya Gorka.
For simplicity, we will have one provider βBalagan Telecomβ, which on favorable terms will provide us with L2VPN to both points.
In one of the next issues, we will open the topic of various connection options in colors. In the meantime, in brief: L2VPN is, very roughly, when the provider provides you with a vlan from point to point (for simplicity, you can imagine that they are included in one switch).
A few words should be said about IP addressing and subnetting.
In the zero part, we have already touched upon the issues of planning, I must say very casually.
In general, in any more or less large company there should be a certain regulation - a set of rules, following which you distribute IP addresses everywhere. Our network is now growing and developing it is very important.
Well, for example, let's say that for offices in other cities it will be like this:
This is a very simplified procedure, but now, in any case, we know for sure that the gateway will always have the 1st address, until the 12th we will issue switches and all wi-fi-points, and we will look for all servers in the 172.16.x range .13-172.16..23. Of course, to your liking you can refine the rules up to the address of each server, add to it the rule for generating device names, domain names, access lists policies, etc.
The more precisely you formulate the rules and the more strictly you will monitor their implementation, the easier it is to understand the network structure, solve problems, adapt to the situation
This is approximately like a password memorization scheme: when you have a certain rule of their formation, you do not need to keep in mind several dozen difficult-to-remember passwords, you can always calculate them.
That's the same here. I once worked in a medium-sized holding and knew that if I came to an office somewhere in a village forgotten by cows, then there exactly xyz1 is a tsiska, xyz2 is a distribution set of the pro-switch, and xyz101 is a computer of the chief accountant from which it is necessary to give access to any contour-extern. Another question is that it is necessary to check this further, because local ITshniki can sometimes do such a thing that you wash with tears through laughter.
It was the case of the boy who decided to manage all the access to the Internet himself (I usually did this on the router). I installed a proxy server, accidentally raised a NAT on it and tugged the local network traffic there, registering it as a default gateway on all machines, and then I understood for 20 minutes how it works: they all work and we donβt see them.
IP plan
Now we would be very helpful to make an IP plan. We will proceed from the fact that at all three points we will use a standard network with a 24-bit mask (255.255.255.0) This means that there may be 254 devices in them.
Why is this so? And how do you understand all these subnet masks? In the framework of one article we will not be able to tell this, otherwise it will turn out to be long, like the deck of the Titanic, and tangled, like the Odessa catacombs. We highly recommend to get acquainted with such concepts as IP-address, subnet mask, their binary representation and CIDR (Classless InterDomain Routing) independently. We will further only argue the choice of a specific network size. Anyway, full understanding will come only with practice.
In general, this topic is very well covered in this article: http://habrahabr.ru/post/129664/
At the moment (recall the zero issue ) we have used addresses 172.16.0.0-172.16.6.255 in Moscow. Suppose that the network can still increase here, for example, an office will appear on the Sparrow Hills and reserve another subnet to 172.16.15.0/24 inclusive.
All these addresses: 172.16.0.0-172.16.15.255 - can be described as: 172.16.0.0/20. This network (with the prefix / 20) will be the so-called supernetwork , and the operation of merging subnetworks in the supernetwork is called summing up subnetworks (summing up routes, to be exact, route summarization)
Very intuitive IP calculator . I occasionally use it even now, although with time comes an intuitive and logical understanding of the correspondence between the mask length and the network boundaries.
Now turn to Peter. At the moment in this beautiful city we have 2 points and on each of them there are subnets / 24. Let's say it will be 172.16.16.0/24 and 172.16.17.0/24. We reserve addresses 172.16.18.0-172.16.23.255 for possible network expansion.
172.16.16.0-172.16.23.255 can be combined into 172.16.16.0/21 - in general, it is on this basis that we leave this range in reserve.
In Kemerovo, it makes no sense for us to keep such huge reserves / 21, as in St. Petersburg (2048 addresses or 8 subnets / 24), or even more / 20, as in Moscow (4096 or 16 subnets / 24). But 1024 addresses and 4 subnets / 24, which corresponds to the mask / 22 is quite rational.
Thus, we will have the network 172.16.24.0/22 ββ(addresses 172.16.24.0-172.16.27.255) for Kemerovo.
One should note here: in general, it is not necessary to make such a reserve, and what we have reserved can be used anywhere in the network. There is no taboo on this. However, in large networks, this is exactly what is recommended and this is connected with the amount of information in the routing tables.
You see, the thing is: if you have several consecutive subnets scattered across different ends of the network, then each of them has one entry in the routing table of each router. If at the same time you suddenly use only static routing, then it is still a tremendous job of setting up and tracking the correctness of the setting.
And if they all go in a row, then you can summarize several small subnets into one large one.
Let us explain by the example of St. Petersburg. When configuring static routing, we could do this:
ip route 172.16.16.0 255.255.255.0 172.16.2.2
ip route 172.16.17.0 255.255.255.0 172.16.2.2
ip route 172.16.18.0 255.255.255.0 172.16.2.2
β¦β¦
ip route 172.16.23.0 255.255.255.0 172.16.2.2
These are 8 teams and 8 records in the table. But at the same time, a packet arriving at the router to any of the 172.16.16.0/21 networks in any case will be sent to the device with the address 172.16.2.2.
Instead, we do this:
ip route 172.16.16.0 255.255.248.0 172.16.2.2
And instead of eight possible comparisons there will be only one.
For modern devices, neither in terms of processor time nor memory usage is no longer a significant burden, however, such planning is considered to be good tone rules and in the end itβs easier for you to figure it out.
But, hand on heart, such planning is the exception rather than the rule: one way or another, route fragmentation with the growth of the network is inevitable.
Now a few more words about the βlinkβ networks. In the environment of network administrators, the so-called network point-to-point (Point-to-Point) between the two routers.
Here again in the example of Peter. Two routers (in Moscow and Petersburg) are connected to each other by a direct link (it doesn't matter that the provider has hundreds of switches and routers - for us it is just a lan). That is, besides these 2 devices, there will be no others here. We know that for sure. In any case, the interfaces of both devices (facing each other) need to be configured with IP addresses. And we definitely have no reason to assign a network / 24 on this site with 254 available addresses, because 252 in this case will be lost in vain. In this case, there is a great way out - classless IP addressing.
Why is it classless? If you remember, then in the zero part we talked about three classes of subnetworks: A, B and C. In theory, only you could use them when planning the network. Classless Inter-Domain Routing ( CIDR ) allows for very flexible use of IP address space.
We just take the network with the smallest mask possible - 30 (255.255.255.252) - this is a network with 4 addresses. Why can't we take the network with an even narrower mask? Well, for obvious reasons, 32 (255.255.255.255) is generally one single address, network 31 (255.255.255.254) is already 2 addresses, but one of them (the first) is the network address, and the second (the last) is a broadcast address. As a result, we have nothing left for the addresses of the hosts. Therefore, we take a mask of 30 with 4 addresses and then just 2 addresses remain on our two routers.
Generally speaking, the narrowest mask for subnets in cisco is / 31. Under certain conditions they can be used on PtP links.
As for the mask / 32, such subnets, which are the only one host, are used to assign addresses to Loopback interfaces.
That is what we will do. For this, in fact, in the zero part we left the network 172.16.2.0/24 - we will split it into small grids / 30. In total, they will turn out 64 pieces, respectively, you can assign them to 64 links .
Here we did the same as in the previous case: we made a small reserve for Peter, and a reserve for Kemerovo. In general, the reserve is always very good about whatever we say. ;)
Routing Principles
Before starting the configuration, you should decide on what routing is needed at all.
Consider this network:
For example from PC1 - 172.16.3.2 I want to connect via telnet to the L3 switch with the address 172.16.17.1.
How does my computer know what to do? Where to send data?
1) As you already know, if the recipient address is from a different subnet, then the data must be sent to the default gateway.
2) According to the scheme already known to you, the computer uses the ARP request to retrieve the MAC address of the router.
3) Next, it forms a frame with a packet encapsulated in it and sends it to the port. After the frame is sent, the computer is already on the drum, what happens to it further.
4) At the same time, the frame itself first gets to the switch, where its fate is decided according to the table of MAC addresses. And then reaches the router RT1.
5) Since the router restricts the broadcast domain - here the life of this frame ends. Tsisk simply discards the header of the data link layer - it is no longer useful - it extracts an IP packet from it.
6) Now the router must decide what to do with it next. Of course, send it to some kind of your own interface. But which one?
To do this, there is a routing table, which is on any router. To find out what is currently in our routing table, you can use the show ip route command:
172.16.0.0/16 is variably subnetted, 10 subnets, 3 masks
C 172.16.3.0/24 is directly connected, FastEthernet0 / 0.101
C 172.16.2.0/30 is directly connected, FastEthernet0 / 1.4
S 172.16.17.0/24 [1/0] via 172.16.2.2
Each line in it is a way to get to a particular network.
For example, if a packet is addressed to the network 172.16.17.0/24, then the data must be sent to the device with the address 172.16.2.2.
The routing table is formed from:
- directly connected networks (directly connected) are networks that start directly on it. In the example 172.16.3.0/24 and 172.16.2.0/30. In the table, they are denoted by the letter C
- static routes are those that you manually entered using the ip route command. Denoted by the letter s
- routes obtained using dynamic routing protocols (OSPF, EIGRP, RIP, and others).
7) So, the data to the network 172.16.17.0 (and we want to connect to the device 172.16.17.1) should be sent to the next hop - the next hop, which is the router 172.16.2.2. Moreover, from the routing table it can be seen that the next hop is located behind the interface FE0 / 1.4 (subnet 172.16.2.0/30).
8) If there is no MAC address in the ARP cache of the tsiska, then you need to run the ARP request again to find out the MAC address of the device with the IP address 172.16.2.2. RT1 sends a broadcast frame from port FE0 / 1.4. In this broadcast domain we have two devices, and accordingly only one recipient. RT2 receives an ARP request, discards the Ethernet header and, realizing from the ARP protocol data that the address it belongs to, sends an ARP reply with its MAC address.
9) The initial IP packet arriving at RT1 does not change , it is encapsulated in a completely new frame and sent to port FE0 / 1.4, while receiving the label of the 4th vlan.
10) Completely similar actions occur on the next router. And on the next and next (if they were), until the packet reaches the last one, to which the necessary network is connected.
11) , , , , .
. , β .
? , -. , . L2VPN, , .
, , . , , , 2912 754. , , .
Moscow.
, β FE0/0 β , (FE0/1) .
-. - 4 5- . IP- IP-.
msk-arbat-gw1(config)#interface FastEthernet 0/1.4
msk-arbat-gw1(config-subif)#description Saint-Petersburg
msk-arbat-gw1(config-subif)#encapsulation dot1Q 4
msk-arbat-gw1(config-subif)#ip address 172.16.2.1 255.255.255.252
msk-arbat-gw1(config)#interface FastEthernet 0/1.5
msk-arbat-gw1(config-subif)#description Kemerovo
msk-arbat-gw1(config-subif)#encapsulation dot1Q 5
msk-arbat-gw1(config-subif)#ip address 172.16.2.17 255.255.255.252
, . , .
: . , 3 β , MPLS- .
β β:
Switch(config)#vlan 4
Switch(config-vlan)#vlan 5
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 4-5
Switch(config-if)#exit
Switch(config)#int fa0/2
Switch(config-if)#switchport trunk allowed vlan 4
Switch(config-if)#int fa0/3
Switch(config-if)#switchport trunk allowed vlan 5
St. Petersburg. Vasilyevsky Island
spb-vsl-gw1. 2 , : . FastEthernet- WIC .
, .
.
FastEthernet β (Ethernet, Fastethernet, GigabitEthernet, POS, Serial )
x/y/zw=Slot/Sub-slot/Interface.Sub-interface.
β , . , .
, :
spb-vsl-gw1(config)interface FastEthernet1/0.4
spb-vsl-gw1(config-if)description Moscow
spb-vsl-gw1(config-if)encapsulation dot1Q 4
spb-vsl-gw1(config-if)ip address 172.16.2.2 255.255.255.252
:
spb-vsl-gw1(config)#int fa0/0
spb-vsl-gw1(config-if)#description LAN
spb-vsl-gw1(config-if)#ip address 172.16.16.1 255.255.255.0
. msk-arbat-gw1 172.16.2.2:
msk-arbat-gw1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/7/13 ms
172.16.16.1:
msk-arbat-gw1#ping 172.16.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/5)
, , :
msk-arbat-gw1#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/0.3
C 172.16.1.0/24 is directly connected, FastEthernet0/0.2
C 172.16.2.0/30 is directly connected, FastEthernet0/1.4
C 172.16.3.0/24 is directly connected, FastEthernet0/0.101
C 172.16.4.0/24 is directly connected, FastEthernet0/0.102
C 172.16.5.0/24 is directly connected, FastEthernet0/0.103
C 172.16.6.0/24 is directly connected, FastEthernet0/0.104
:
msk-arbat-gw1(config)#ip route 172.16.16.0 255.255.255.0 172.16.2.2
msk-arbat-gw1#sh ip route
Codes: C β connected, S β static, I β IGRP, R β RIP, M β mobile, B β BGP
D β EIGRP, EX β EIGRP external, O β OSPF, IA β OSPF inter area
N1 β OSPF NSSA external type 1, N2 β OSPF NSSA external type 2
E1 β OSPF external type 1, E2 β OSPF external type 2, E β EGP
i β IS-IS, L1 β IS-IS level-1, L2 β IS-IS level-2, ia β IS-IS inter area
* β candidate default, U β per-user static route, o β ODR
P β periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/0.3
C 172.16.1.0/24 is directly connected, FastEthernet0/0.2
C 172.16.2.0/30 is directly connected, FastEthernet0/1.4
C 172.16.2.16/30 is directly connected, FastEthernet0/1.5
C 172.16.3.0/24 is directly connected, FastEthernet0/0.101
C 172.16.4.0/24 is directly connected, FastEthernet0/0.102
C 172.16.5.0/24 is directly connected, FastEthernet0/0.103
C 172.16.6.0/24 is directly connected, FastEthernet0/0.104
S 172.16.16.0/24 [1/0] via 172.16.2.2
:
msk-arbat-gw1#ping 172.16.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/24 ms
, β , :
?!
, β 172.16.3.1, β 172.16.2.2. , spb-vsl-gw1, , 172.16.16.1 . 172.16.3.3, 172.16.3.0 . , , β .
spb-vsl-gw1#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/30 is directly connected, FastEthernet1/0.4
C 172.16.16.0/24 is directly connected, FastEthernet0/0
, , , msk-arbat-gw1 172.16.16.1 ? 172.16.3.1 172.16.3.2? It's simple.
, β 172.16.2.2, 172.16.2.1 , IP- , 172.16.3.1. spb-vsl-gw1, , , echo-reply. IP-, 172.16.2.1, 172.16.2.0/30 β spb-vsl-gw1 , . 172.16.2.0/30 , 172.16.3.0/24 .
spb-vsl-gw1 172.16.3.0, . , , β .
, β . β , . , .
? β , β . . , , , , β , , β , . , β .
:
spb-vsl-gw1(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1
:
, .
St. Petersburg. Lakes
. L3-. , (, , ).
. -, , . , L3- , L2- . , , . .
, :
spb-vsl-gw1(config)interface fa1/1
spb-vsl-gw1(config-if)#description Ozerki
spb-vsl-gw1(config-if)#ip address 172.16.2.5 255.255.255.252
172.16.17.0/24, :
spb-vsl-gw1(config)#ip route 172.16.17.0 255.255.255.0 172.16.2.6
, β 172.16.2.6
:
fa1/1 24- 3560 .
L3- L2, ββ , . L3-, . IP-:
Switch(config)#hostname spb-ozerki-gw1
spb-ozerki-gw1(config)#interface fa0/24
spb-ozerki-gw1(config-if)#no switchport
spb-ozerki-gw1(config-if)#ip address 172.16.2.6 255.255.255.252
:
spb-ozerki-gw1#ping 172.16.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.5, timeout is 2 seconds:
.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/18/61 ms
. , Cisco 1- , , 2-:
spb-ozerki-gw1(config)#vlan 2
spb-ozerki-gw1(config-vlan)#name LAN
spb-ozerki-gw1(config-vlan)#exit
spb-ozerki-gw1(config)#interface vlan 2
spb-ozerki-gw1(config-if)#description LAN
spb-ozerki-gw1(config-if)#ip address 172.16.17.1 255.255.255.0
spb-ozerki-gw1(config)#interface fastEthernet 0/1
spb-ozerki-gw1(config-if)#description Pupkin
spb-ozerki-gw1(config-if)#switchport mode access
spb-ozerki-gw1(config-if)#switchport access vlan 2
172.16.17.1
, :
spb-ozerki-gw1(config)#ip routing
.
, :
spb-ozerki-gw1(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.5
spb-vsl-gw1 :
spb-ozerki-gw1#ping 172.16.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/50/234 ms
:
spb-ozerki-gw1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/5)
. traceroute:
spb-ozerki-gw1#traceroute 172.16.3.1
Type escape sequence to abort.
Tracing the route to 172.16.3.1
1 172.16.2.5 4 msec 2 msec 5 msec
2 * * *
3 * * *
4 *
, spb-vsl-gw1 , . , , 172.16.2.5 (, , ) :
msk-arbat-gw1#sh ip rou
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/0.3
C 172.16.1.0/24 is directly connected, FastEthernet0/0.2
C 172.16.2.0/30 is directly connected, FastEthernet0/1.4
C 172.16.2.16/30 is directly connected, FastEthernet0/1.5
C 172.16.3.0/24 is directly connected, FastEthernet0/0.101
C 172.16.4.0/24 is directly connected, FastEthernet0/0.102
C 172.16.5.0/24 is directly connected, FastEthernet0/0.103
C 172.16.6.0/24 is directly connected, FastEthernet0/0.104
S 172.16.16.0/24 [1/0] via 172.16.2.2
172.16.17.0/24 . , , , 172.16.16.0/21 , , , :
msk-arbat-gw1(config)#no ip route 172.16.16.0 255.255.255.0 172.16.2.2
msk-arbat-gw1(config)#ip route 172.16.16.0 255.255.248.0 172.16.2.2
Checking:
msk-arbat-gw1#ping 172.16.17.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.17.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/18 ms
, spb-ozerki-gw1 -:
spb-ozerki-gw1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/5)
, - 172.16.17.1:
spb-ozerki-gw1#ping
Protocol [ip]:
Target IP address: 172.16.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: ping172.16.17.1
% Invalid source
Source address or interface: 172.16.17.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.17.1
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/14 ms
172.16.17.26 :
How so? , , β .
, msk-arbat-gw1 172.16.17.0/24 , 172.16.2.4/30 . 172.16.2.6 β ( , IP-) . .
msk-arbat-gw1(config)#ip route 172.16.2.4 255.255.255.252 172.16.2.2
spb-ozerki-gw1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/62/269 ms
: 172.16.3.0/24 , ? . ?
spb-vsl-gw1(config)#ip route 172.16.3.0 255.255.255.0 172.16.2.6
, -, . 172.16.3.0/24 172.16.16.0/21 :
spb-ozerki-gw1 172.16.3.0 spb-vsl-gw1, : β172.16.3.0/24 172.16.2.6β, spb-ozerki-gw1, : β172.16.3.0/24 172.16.2.5β . -, TTL.
, TTL IP-, 255, 1. , 0, , , , .
β , .
, Ethernet , , , β ( \ STP- ).
, 172.16.17.0 172.16.3.1, IP- , , 254 .
, , , 255 . . - .
.
β (router on a stick).
:
, . , , ( ).
:
. UpLink- 5- :
Switch(config)#hostname kmr-gorka-sw1
kmr-gorka-sw1(config)#vlan 5
kmr-gorka-sw1(config-vlan)#name Moscow
kmr-gorka-sw1(config)#int fa0/24
kmr-gorka-sw1(config-if)#description Moscow
kmr-gorka-sw1(config-if)#switchport mode trunk
kmr-gorka-sw1(config-if)#switchport trunk allowed vlan 5
vlan 2 , β , . : , , 2- , , .
kmr-gorka-sw1(config)#vlan 2
kmr-gorka-sw1(config-vlan)#name LAN
kmr-gorka-sw1(config)#int fa0/1
kmr-gorka-sw1(config-if)#description syn_generalnogo
kmr-gorka-sw1(config-if)#switchport mode access
kmr-gorka-sw1(config-if)#switchport access vlan 2
, 5- , 2- β .
kmr-gorka-sw1(config)#int fa0/23
kmr-gorka-sw1(config-if)#description kmr-gorka-gw1
kmr-gorka-sw1(config-if)#switchport mode trunk
kmr-gorka-sw1(config-if)#switchport trunk allowed vlan 2,5
:
Router(config)#hostname kmr-gorka-gw1
kmr-gorka-gw1(config)#int fa0/0.5
kmr-gorka-gw1(config-subif)#description Moscow
kmr-gorka-gw1(config-subif)#encapsulation dot1Q 5
kmr-gorka-gw1(config-subif)#ip address 172.16.2.18 255.255.255.252
kmr-gorka-gw1(config)#int fa0/0
kmr-gorka-gw1(config-if)#no sh
kmr-gorka-gw1(config)#int fa0/0.2
kmr-gorka-gw1(config-subif)#description LAN
kmr-gorka-gw1(config-subif)#encapsulation dot1Q 2
kmr-gorka-gw1(config-subif)#ip address 172.16.24.1 255.255.255.0
, .
Additionally
, :
traceroute
and
show ip route
, , . , :
msk-arbat-gw1#sh ip route 172.16.17.0
Routing entry for 172.16.16.0/21
Known via Β«staticΒ», distance 1, metric 0
Routing Descriptor Blocks:
* 172.16.2.2
Route metric is 0, traffic share count is 1
Although there is no separate entry in the routing table for subnet 172.16.17.0, the router will show you which next hop.
And I would also like to repeat the most important things:
- When a data block hits the router, the Ethernet header is completely discarded and a completely new frame is formed when sending. But the IP packet remains unchanged.
- Each router in the case of static routing decides on the fate of the packet solely on its own and does not know anything about other people's tables.
- The search in the table does NOT go to the first matching entry, but until the most exact match is found (the narrowest mask). For example, if your routing table looks like this:
172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
S 172.16.0.0/16 [1/0] via 172.16.2.22
C 172.16.2.20/30 is directly connected, FastEthernet0 / 0
C 172.16.2.24/30 is directly connected, FastEthernet0 / 0.2
C 172.16.2.28/30 is directly connected, FastEthernet0 / 0.3
S 172.16.10.0/24 [1/0] via 172.16.2.26
S 172.16.10.4/30 [1/0] via 172.16.2.30
And you transfer the data to 172.16.10.5, it will not follow the route through 172.16.2.22 or 172.16.2.26, but will choose the narrowest mask (the longest) / 30 through 172.16.2.30.
- If no record in the routing table matches the recipient's IP address and the default route is not configured (gateway of last resort), the packet will simply be dropped.
At this first acquaintance with the routing can be completed. It seems to us that the reader himself sees how many difficulties await him here, can suggest how much work he will have if the network grows to several dozen routers. But it must be said that in the modern world static routing is not something that is not used, of course, there is room for it, but in the vast majority of networks that are larger than the district pioneer net, dynamic routing protocols are implemented. Among them are OSPF, EIGRP, IS-IS, RIP, to which we will dedicate a separate release and, most likely, not one. But setting up static routing greatly helps your overall understanding of routing.
As an independent task, try setting up routing between Moscow and Kemerovo and answering the question why devices do not respond from the control network.
Release materials
New IP plan, switching plans for each point and time limit
RT file with lab
Device configuration
We apologize for the giant sheets, the video, too, is getting longer and more unbearable each time. Next time we will try to be more compact.
All interested, but unregistered are invited to talk in the LiveJournal .
For the preparation of the article, many thanks to my co-author of thegluck and my wife for the lion's patience.
: , , . , , . , . , , .
: , , . , , . , . , , . Source: https://habr.com/ru/post/140552/
All Articles