WAN technology (two-layer encapsulation technology)

(LAN: Local Area Network; WAN: Wide Area Network; WLAN: Wireless Local Area Network; VLAN: Virtual Local Area Network) (The earliest bandwidth: two copper wires, 64 kbit/s)

1. Layer 2 - data link layer

(1) Classification: each Layer 2 encapsulation technology corresponds to a particular physical layer, and the different Layer 2 encapsulation technologies define different network types.

Network rate ≈ (bandwidth/8)*85%

(2) Duplex: two-way data transmission between two communicating devices. There are usually two duplex modes.

  • Full-duplex: simultaneous two-way data transmission between the two devices.
  • Half-duplex: data transmission between the two devices is allowed, but not simultaneously. At any given moment a terminal can only be in one state, either sending or receiving.

2. Network type

The physical layer keeps changing and being upgraded as networks grow, so the corresponding data link layer technology keeps changing and being upgraded as well. Networks are divided into different types according to their data link characteristics.

Classification:

  • Point-to-point: a physical network with only two nodes; a third node is not accepted, physically or logically.
  • BMA: Broadcast Multiple Access – an MA network in which a broadcast mechanism also exists.
  • NBMA: Non-Broadcast Multiple Access – an MA network in which there is no broadcast mechanism.

(MA: Multiple Access - unlimited number of nodes in a network segment)

3. Ethernet – shared (shared physical link)

Signals on different, non-interfering frequency bands are carried together over one physical medium, which has the effect of adding their bandwidths together (bandwidth superposition).

(1) Physical network cable – RJ-45 twisted pair, RJ-11 telephone line, coaxial cable, optical fiber

(2) What network devices recognize --- binary signals (digital signals)

  • RJ-45 / coaxial cable - carry the digital signal directly
  • RJ-11 - analog signal; optical fiber - optical signal (both RJ-11 and optical fiber require a modem to convert the signal to and from digital form)

(3) Core technology --- frequency division (one cable carrying multiple frequencies), giving multiple information channels

(4) Ethernet type is defined as BMA network.

An MA network contains multiple nodes, so it must have Layer 2 unicast addresses.

Ethernet uses MAC addresses, and there is a broadcast-flooding mechanism.

4. HDLC --- High-level Data Link Control protocol

(Belongs to the point-to-point network type - no Layer 2 unicast address.) The physical link is a serial link.

(Each manufacturer's implementation is proprietary. Huawei's default serial-link encapsulation is not HDLC.)

[r1] interface s4/0/0
[r1-Serial4/0/0] link-protocol hdlc   (change the serial link encapsulation to HDLC)

HDLC does little at the data link layer; its main job is controlling the physical layer.

5. PPP—point-to-point protocol (upgraded version of HDLC)

(It belongs to the point-to-point network type. The default serial port encapsulation technology of Huawei equipment)

Upgrade points:

(1) Even if the IP addresses of the two directly connected interfaces are not on the same network segment, they can still communicate normally.

(In the initial stage of PPP negotiation, the IP addresses are shared with each other, and a directly connected 32-bit host route is generated)

(2) Authentication - identity verification

<1> PAP --- clear text, no encryption

Authenticator (server side):
[r1] aaa
[r1-aaa] local-user sss privilege level 15 password cipher   --- the password value is omitted in the original; it must match the password configured on r2
[r1-aaa] local-user sss service-type ppp
[r1] int s4/0/0
[r1-Serial4/0/0] ppp authentication-mode pap   --- require the peer on this interface to authenticate with PAP
Authenticated party (client side):
[r2] interface s4/0/0
[r2-Serial4/0/0] ppp pap local-user sss password cipher 123456
(r2's interface needs to be shut down and restarted for the configuration to take effect)

<2> CHAP --- Challenge Handshake Authentication Protocol (the password is not sent in clear text)

Authenticator:
[r1] aaa
[r1-aaa] local-user aaa privilege level 15 password cipher   --- the password value is omitted in the original; it must match the password configured on r2
[r1-aaa] local-user aaa service-type ppp
[r1] int s4/0/0
[r1-Serial4/0/0] ppp authentication-mode chap
Authenticated party:
[r2] interface s4/0/0
[r2-Serial4/0/0] ppp chap local-user aaa password cipher 123456
[r2-Serial4/0/0] ppp chap user aaa
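The difference between the two authentication modes above is what crosses the serial link. The following Python simulation is an added example, not code from the original post or from Huawei: it builds a PAP Authenticate-Request (RFC 1334), runs a CHAP challenge/response exchange (RFC 1994, response = MD5(ID || secret || challenge)), and then checks whether the shared secret itself ever appears in the bytes sent. The username "aaa" and the secret "123456" are taken from the configuration; the challenge value and the user database are constructed for the example.

```python
import hashlib
import secrets

# Constructed: the secret matches "password cipher 123456" in the configuration above.
USERNAME = "aaa"
SECRET = b"123456"


def pap_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    The password travels exactly as configured."""
    u = username.encode()
    return bytes([len(u)]) + u + bytes([len(password)]) + password


def pap_check(request: bytes, user_db: dict) -> bool:
    """Authenticator side of PAP: compare the received clear-text password."""
    ulen = request[0]
    username = request[1:1 + ulen].decode()
    plen = request[1 + ulen]
    password = request[2 + ulen:2 + ulen + plen]
    return user_db.get(username) == password


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_exchange(user_db: dict, username: str, secret: bytes, challenge: bytes = None):
    """Run one CHAP handshake. Returns (messages_on_wire, success)."""
    chap_id = 1
    challenge = challenge or secrets.token_bytes(16)
    # 1. Authenticator -> peer: Challenge (random, changes every time)
    wire = [("challenge", chap_id, challenge)]
    # 2. Peer -> authenticator: Response carries only the hash and the name
    resp = chap_response(chap_id, secret, challenge)
    wire.append(("response", chap_id, resp, username))
    # 3. Authenticator recomputes with its own copy of the secret and compares
    expected = chap_response(chap_id, user_db.get(username, b""), challenge)
    ok = secrets.compare_digest(resp, expected)
    wire.append(("success" if ok else "failure", chap_id))
    return wire, ok


def secret_on_wire(messages, secret: bytes = SECRET) -> bool:
    """True if the clear-text secret is contained in any byte string that was sent."""
    return any(secret in field for msg in messages for field in msg if isinstance(field, bytes))


if __name__ == "__main__":
    db = {USERNAME: SECRET}
    req = pap_request(USERNAME, SECRET)
    print("PAP ok:", pap_check(req, db), "secret visible on wire:", secret_on_wire([(req,)]))
    wire, ok = chap_exchange(db, USERNAME, SECRET)
    print("CHAP ok:", ok, "secret visible on wire:", secret_on_wire(wire))
```

Two practical caveats follow from the code: CHAP only hides the password from a passive observer on the link, it does not encrypt the data that follows, and the authenticator must keep the clear-text secret (the `local-user ... password` entry) to recompute the hash, so the router's configuration store is still what protects that secret.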

(3) Establish a virtual connection and assign an IP address

6. GRE (Generic Routing Encapsulation)

It belongs to the point-to-point network type; it is a virtual (tunnel) technology and does not concern itself with the physical layer.

Essence: A Simple VPN (VPN - Virtual Private)

[r2] interface Tunnel 0/0/0 --- create the tunnel interface
[r2-Tunnel0/0/0] ip add 10.1.1.2 24
[r2-Tunnel0/0/0] tunnel-protocol gre --- define the encapsulation standard
[r2-Tunnel0/0/0] source 23.1.1.2 --- source IP of the added outer header
[r2-Tunnel0/0/0] destination 12.1.1.1 --- destination IP of the added outer header
Remember: once the tunnel interface is up, routing still decides whether traffic is actually carried over the tunnel interface.
[r2] ip route-static 192.168.1.0 24 tunnel 0/0/0 --- for point-to-point tunnels, pointing the route at the interface is recommended
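To make the "added outer header" concrete, here is an added Python example (not code from the original post or from any router vendor) that builds and parses the GRE encapsulation the configuration above produces: an outer IPv4 header with protocol 47, a minimal 4-byte GRE header (RFC 2784, protocol type 0x0800), and the original inner IPv4 packet. The outer addresses 23.1.1.2 / 12.1.1.1 and the inner tunnel addresses 10.1.1.x come from the page; the inner payload is constructed.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """Standard ones-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend outer IP + GRE headers, as the tunnel interface's 'source'/'destination' do."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes):
    """Strip outer IP + GRE headers. Returns (outer_src, outer_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ip_checksum(outer) != 0:
        raise ValueError("bad outer IP checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    src, dst = socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:   # K bit: key present (RFC 2890)
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return src, dst, packet[ihl + gre_len:]


def sample_inner_packet() -> bytes:
    """Constructed inner packet: 10.1.1.2 -> 10.1.1.1, ICMP echo request stub."""
    icmp = b"\x08\x00" + b"\x00" * 6
    return ipv4_header("10.1.1.2", "10.1.1.1", 1, len(icmp)) + icmp


if __name__ == "__main__":
    pkt = gre_encapsulate(sample_inner_packet(), "23.1.1.2", "12.1.1.1")
    print(gre_decapsulate(pkt)[:2], len(pkt), "bytes on the wire")
```

Reading the bytes makes the security point behind "a simple VPN" visible: GRE adds addressing, not protection. Both the outer endpoints and the complete inner packet are readable by anyone on the path, and nothing authenticates the sender, which is why GRE is normally paired with IPsec when confidentiality or integrity is required.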

7. Multipoint GRE – belongs to NBMA network

(If point-to-point GRE is used to build a VPN environment with many nodes, the number of VPNs, network segments, fixed IP addresses, and routing entries grows exponentially with the number of nodes.)

(1) MGRE - all nodes share the same MA network segment, in a center-to-site (hub-and-spoke) structure.

In this structure only the central site needs a fixed public IP address by default; the addresses of the branch sites may change. --- This greatly reduces management effort, resource usage, and cost.

(2) NHRP (Next Hop Resolution Protocol) - there is a server and there are clients.

The server needs a fixed IP address. A client's IP address may vary; after its local public IP changes, the client actively registers with the server. The server builds a mapping table (MAP) recording the correspondence between each client's public IP and its tunnel IP address. When one client needs to reach another client, it can fetch the mapping from the server.

(3) An MGRE environment is an NBMA environment.

In an NBMA environment, broadcast and flooding mechanisms are not supported. To forward broadcast traffic, pseudo-broadcast rules can be used: the packet is unicast to every node in the network segment, which achieves the effect of a broadcast.

(4) Configuration:

Hub (center) site configuration:
interface Tunnel0/0/0 --- create the tunnel interface
ip address 10.1.1.1 255.255.255.0 --- configure the interface IP address
tunnel-protocol gre p2mp --- first change the interface mode to multipoint GRE
source 15.1.1.1 --- then define the public source IP address
nhrp entry multicast dynamic --- this device becomes the NHRP center and can perform pseudo-broadcast
nhrp network-id 100 --- default is 0; the tunnel interfaces of all nodes in this segment must use the same network ID

Pseudo-broadcast --- when the destination IP address is a multicast or broadcast address, the traffic is sent as a separate unicast to each registered peer; the outer header is a unicast header while the inner header still carries the multicast or broadcast address. If this function is not enabled, dynamic routing protocols that rely on multicast or broadcast cannot work properly.

Branch (spoke) site configuration:
interface Tunnel0/0/0
ip address 10.1.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/2 --- assumes the branch site's public IP address is not fixed, so the interface is referenced instead of an address
nhrp network-id 100
nhrp entry 10.1.1.1 15.1.1.1 register --- the branch must register with the hub site
dis nhrp peer all --- check the branch site's registration result
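The following added Python simulation (not code from the original post or from Huawei) models what the hub does after the two configurations above: it keeps the NHRP mapping table (tunnel IP to current public IP), accepts registrations only from peers with a matching `nhrp network-id`, updates the mapping when a branch re-registers from a new public address, and replicates a multicast or broadcast as one unicast per registered peer when `multicast dynamic` is enabled. The tunnel addresses 10.1.1.x and network ID 100 come from the page; the public addresses of the branches and the RIPv2 multicast payload are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NhrpHub:
    """NHRP server side: the node configured with 'nhrp entry multicast dynamic'."""
    network_id: int
    multicast_dynamic: bool = True
    nhrp_map: dict = field(default_factory=dict)   # tunnel IP -> current public IP

    def register(self, tunnel_ip: str, public_ip: str, network_id: int) -> bool:
        """Handle 'nhrp entry <hub-tunnel> <hub-public> register' from a spoke.
        A spoke in a different NHRP network ID is ignored."""
        if network_id != self.network_id:
            return False
        self.nhrp_map[tunnel_ip] = public_ip    # re-registration overwrites a changed public IP
        return True

    def resolve(self, tunnel_ip: str):
        """Return the public IP currently mapped to a tunnel IP, or None."""
        return self.nhrp_map.get(tunnel_ip)

    def forward(self, inner_dst: str, payload: bytes, tunnel_net: str = "10.1.1.0/24"):
        """Decide the outer unicast destination(s) for a packet entering the tunnel.
        Returns a list of (outer_dst_public_ip, inner_dst, payload) tuples."""
        net = ipaddress.ip_network(tunnel_net)
        dst = ipaddress.ip_address(inner_dst)
        if dst == net.broadcast_address or dst.is_multicast:
            if not self.multicast_dynamic:
                return []   # NBMA: no broadcast mechanism unless pseudo-broadcast is enabled
            # Pseudo-broadcast: one unicast copy per registered peer, inner header unchanged
            return [(pub, inner_dst, payload) for pub in self.nhrp_map.values()]
        pub = self.resolve(inner_dst)
        return [(pub, inner_dst, payload)] if pub else []


if __name__ == "__main__":
    hub = NhrpHub(network_id=100)
    hub.register("10.1.1.2", "203.0.113.7", 100)     # constructed branch public IP
    hub.register("10.1.1.3", "198.51.100.9", 100)    # constructed branch public IP
    print(hub.forward("224.0.0.9", b"RIPv2 update"))  # replicated to both branches
```

The `forward` method is also where a defender would expect to see the NBMA limitation bite: with `multicast_dynamic` off, a RIP or OSPF hello addressed to 224.0.0.9 or 224.0.0.5 is silently dropped rather than delivered, which looks like a routing-protocol failure but is really a missing NHRP setting.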

If the public IPs behind all tunnel interfaces are fixed addresses, every router can act as a central site and each router can be registered with the others manually; this forms a fully meshed topology, the split-horizon mechanism can stay in place, and RIP converges normally.

When the topology is center-to-site (hub-and-spoke, star-shaped) --- not every site has a fixed public IP, so the tunnel devices cannot all register with each other, and the routes of the whole network can only converge normally if split horizon is disabled.

[r1-Tunnel0/0/0] undo rip split-horizon --- disable split horizon
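Why `undo rip split-horizon` is needed on the hub's tunnel interface but not in a full mesh can be shown with a small model of RIP advertisement. This is an added Python example, not code from the original post or from any vendor: the hub learns two spoke prefixes over its single MGRE interface Tunnel0/0/0 and must re-advertise them out that same interface, which split horizon forbids. The interface names come from the page; the prefixes 192.168.1.0/24 (hub LAN), 192.168.2.0/24 (spoke A) and 192.168.3.0/24 (spoke B) are constructed.

```python
RIP_INFINITY = 16

# Constructed routing table of the hub: prefix -> (interface learned from, metric).
HUB_ROUTES = {
    "192.168.1.0/24": ("GigabitEthernet0/0/1", 0),   # hub's own LAN
    "192.168.2.0/24": ("Tunnel0/0/0", 1),            # learned from spoke A over MGRE
    "192.168.3.0/24": ("Tunnel0/0/0", 1),            # learned from spoke B over MGRE
}


def rip_advertise(routes: dict, out_iface: str, split_horizon: bool = True) -> dict:
    """Build the RIP update sent out `out_iface`.
    With split horizon, a route is never sent back out the interface it was learned on;
    on an MGRE hub that interface is the one all spokes share."""
    update = {}
    for prefix, (learned_from, metric) in routes.items():
        if split_horizon and learned_from == out_iface:
            continue
        update[prefix] = min(metric + 1, RIP_INFINITY)
    return update


def spoke_b_learns(topology: str, split_horizon: bool) -> set:
    """Prefixes spoke B (LAN 192.168.3.0/24) learns, excluding its own prefix."""
    learned = {p for p in rip_advertise(HUB_ROUTES, "Tunnel0/0/0", split_horizon)
               if p != "192.168.3.0/24"}
    if topology == "full-mesh":
        # Every site has a fixed public IP and is registered with every other,
        # so spoke A's update reaches spoke B directly; the hub need not reflect it.
        learned.add("192.168.2.0/24")
    return learned


if __name__ == "__main__":
    for topo in ("hub-spoke", "full-mesh"):
        for sh in (True, False):
            print(topo, "split-horizon" if sh else "no split-horizon",
                  sorted(spoke_b_learns(topo, sh)))
```

Disabling split horizon removes one of RIP's loop-prevention rules, so the hub's reflected routes rely on the hop-count limit of 16 to stop a count-to-infinity; on a hub-and-spoke MGRE this is acceptable because the spokes only ever hear routes from the hub, but it should be applied only to the tunnel interface, as the command above does, not globally.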

Source: blog.csdn.net/weixin_62443409/article/details/129170744