MergedFileBackup · packetlife.net cheat sheets

Page 1: VLANs

packetlife.net · by Jeremy Stretch · v2.0

VLANS

VLAN Creation

Switch(config)# vlan 100
Switch(config-vlan)# name Engineering

VLAN Numbers

0          Reserved
1          default
1002       fddi-default
1003       tr
1004       fdnet
1005       trnet
1006-4094  Extended
4095       Reserved

Terminology

Trunking · Carrying multiple VLANs over the same physical connection
Access VLAN · The VLAN to which an access port is assigned
Voice VLAN · If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port
Native VLAN · By default, frames in this VLAN are untagged when sent across a trunk
Dynamic Trunking Protocol (DTP) · Can be used to automatically establish trunks between capable ports (insecure)
Switched Virtual Interface (SVI) · A virtual interface which provides a routed gateway into and out of a VLAN

Access Port Configuration

Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 150

Trunk Port Configuration

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,20-30
Switch(config-if)# switchport trunk native vlan 10

SVI Configuration

Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0

Switch Port Modes

trunk · Forms an unconditional trunk
dynamic desirable · Attempts to negotiate a trunk with the far end
dynamic auto · Forms a trunk only if requested by the far end
access · Will never form a trunk

Trunk Types

               ISL        802.1Q
Header Size    26 bytes   4 bytes
Trailer Size   4 bytes    N/A
Standard       Cisco      IEEE
Maximum VLANs  1000       4094

Trunk Encapsulation (field sizes in bytes)

Untagged   Dest MAC (6) | Source MAC (6) | Type (2) | ...
ISL        ISL Header (26) | Dest MAC (6) | Source MAC (6) | Type (2) | ... | FCS (4)
802.1Q     Dest MAC (6) | Source MAC (6) | 802.1Q tag (4) | Type (2) | ...

VLAN Trunking Protocol (VTP)

Domain · Common to all switches participating in VTP
Server Mode · Generates and propagates VTP advertisements to clients; default mode on unconfigured switches
Client Mode · Receives and forwards advertisements from servers; VLANs cannot be manually configured on switches in client mode
Transparent Mode · Forwards advertisements but does not participate in VTP; VLANs must be configured manually
Pruning · VLANs not having any access ports on an end switch are removed from the trunk to reduce flooded traffic

VTP Configuration

Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp domain <name>
Switch(config)# vtp password <password>
Switch(config)# vtp version {1 | 2}
Switch(config)# vtp pruning

Troubleshooting

show vlan
show interface [status | switchport]
show interface trunk
show vtp status
show vtp password
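The 4-byte 802.1Q tag from the Trunk Types table is a 16-bit TPID (0x8100) followed by a 16-bit TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID). The following Python is an added example, not part of the packetlife sheet: it walks the tag stack of a raw Ethernet frame and reports what a dot1q trunk port would do with it, including the native-VLAN case (an untagged frame lands in the native VLAN; a frame whose outer tag equals the native VLAN is sent across the trunk with that tag stripped, so any inner tag becomes the outer one, which is why an unused native VLAN and `switchport nonegotiate` are the usual hardening). Treating the 0x88A8 service TPID as a tag, the helper names and the sample frames are my own assumptions and constructions.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (assumption: decode QinQ outer tags as tags too)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
RESERVED_VIDS = (0, 4095)  # reserved per the VLAN Numbers table; VID 0 is a priority-only tag


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, every 802.1Q tag (4 bytes each), the final EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4  # one TPID + TCI pair
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def audit_on_trunk(frame: bytes, native_vlan: int) -> dict:
    """What a dot1q trunk port makes of this frame, plus the checks an auditor cares about."""
    tags = parse_frame(frame)["tags"]
    vlan = tags[0]["vid"] if tags else native_vlan   # untagged frames belong to the native VLAN
    return {
        "vlan": vlan,
        "tag_depth": len(tags),
        "double_tagged": len(tags) > 1,
        # outer tag == native VLAN: the trunk strips it on egress and any inner tag is exposed
        "outer_tag_is_native": bool(tags) and tags[0]["vid"] == native_vlan,
        "reserved_vid": any(t["vid"] in RESERVED_VIDS for t in tags),
    }


def build_frame(dst: str, src: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame with zero or more 802.1Q tags (sample data, not a capture)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for label, vids in (("untagged", []), ("single tag", [20]), ("double tag", [10, 20])):
        f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vids)
        print(label, audit_on_trunk(f, native_vlan=10))
```

Run against frames captured on an access port (for example from `tcpdump -e`), any frame reported with `tag_depth` above zero that is not the configured voice VLAN is worth a look, and `outer_tag_is_native` on a trunk is the signature to alert on.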

Page 2: Spanning Tree · Part 1

packetlife.net · by Jeremy Stretch · v3.0

SPANNING TREE · PART 1

Spanning Tree Protocols

Protocol    Algorithm   Defined By                 Instances     Trunking
Legacy STP  Legacy ST   IEEE 802.1D-1998           1             N/A
PVST        Legacy ST   Cisco                      Per VLAN      ISL
PVST+       Legacy ST   Cisco                      Per VLAN      802.1Q, ISL
RPVST+      Rapid ST    Cisco                      Per VLAN      802.1Q, ISL
MST         Rapid ST    IEEE 802.1s, 802.1Q-2003   Configurable  802.1Q, ISL
RSTP        Rapid ST    IEEE 802.1w, 802.1D-2004   1             N/A

Spanning Tree Specifications

IEEE 802.1D-1998 · Deprecated legacy STP standard
IEEE 802.1w · Introduced RSTP
IEEE 802.1D-2004 · Replaced legacy STP with RSTP
IEEE 802.1s · Introduced MST
IEEE 802.1Q-2003 · Added MST to 802.1Q
IEEE 802.1Q-2005 · Most recent 802.1Q revision
PVST · Per-VLAN implementation of legacy STP
PVST+ · Added 802.1Q trunking to PVST
RPVST+ · Per-VLAN implementation of RSTP

Spanning Tree Instance Comparison

[Figure: bridges A, B and C in a triangle, drawn three times. STP: a single instance for all VLANs with one root and one blocked link. PVST+: one instance per VLAN (VLANs 1, 10, 20, 30); VLANs 1 and 10 are rooted on one bridge and VLANs 20 and 30 on another, so a different link is blocked per VLAN. MST: MSTI 0 carries VLANs 1 and 10 and MSTI 1 carries VLANs 20 and 30, each instance with its own root.]

BPDU Format

Field           Bits
Protocol ID     16
Version         8
BPDU Type       8
Flags           8
Root ID         64
Root Path Cost  32
Bridge ID       64
Port ID         16
Message Age     16
Max Age         16
Hello Time      16
Forward Delay   16

Link Costs

Bandwidth  Cost
4 Mbps     250
10 Mbps    100
16 Mbps    62
45 Mbps    39
100 Mbps   19
155 Mbps   14
622 Mbps   6
1 Gbps     4
10 Gbps    2
20+ Gbps   1

Default Timers

Hello          2s
Forward Delay  15s
Max Age        20s

Port States

Legacy ST   Rapid ST
Disabled    Discarding
Blocking    Discarding
Listening   Discarding
Learning    Learning
Forwarding  Forwarding

Port Roles

Legacy ST   Rapid ST
Root        Root
Designated  Designated
Blocking    Alternate
            Backup

Spanning Tree Operation

1. Determine root bridge · The bridge advertising the lowest bridge ID becomes the root bridge
2. Select root port · Each bridge selects its primary port facing the root
3. Select designated ports · One designated port is selected per segment
4. Block ports with loops · All non-root and non-designated ports are blocked

Page 3: Spanning Tree · Part 2

packetlife.net · by Jeremy Stretch · v3.0

SPANNING TREE · PART 2

PVST+ and RPVST+ Configuration

spanning-tree mode {pvst | rapid-pvst}

! Bridge priority
spanning-tree vlan 1-4094 priority 32768

! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
spanning-tree vlan 1-4094 forward-time 15
spanning-tree vlan 1-4094 max-age 20

! PVST+ Enhancements
spanning-tree backbonefast
spanning-tree uplinkfast

! Interface attributes
interface FastEthernet0/1
 spanning-tree [vlan 1-4094] port-priority 128
 spanning-tree [vlan 1-4094] cost 19

 ! Manual link type specification
 spanning-tree link-type {point-to-point | shared}

 ! Enables PortFast if running PVST+, or
 ! designates an edge port under RPVST+
 spanning-tree portfast

 ! Spanning tree protection
 spanning-tree guard {loop | root | none}

 ! Per-interface toggling
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable

MST Configuration

spanning-tree mode mst

! MST Configuration
spanning-tree mst configuration
 name MyTree
 revision 1

 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50

! Bridge priority (per instance)
spanning-tree mst 1 priority 32768

! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20

! Maximum hops for BPDUs
spanning-tree mst max-hops 20

! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19

Troubleshooting

show spanning-tree [summary | detail | root]
show spanning-tree [interface | vlan]
show spanning-tree mst […]

Bridge ID Format

Priority (4 bits) | System ID Extension (12 bits) | MAC Address (48 bits)

Priority · 4-bit bridge priority (configurable from 0 to 61440 in increments of 4096)
System ID Extension · 12-bit value taken from VLAN number (IEEE 802.1t)
MAC Address · 48-bit unique identifier

Path Selection

1. Bridge with lowest root ID becomes the root
2. Prefer the neighbor with the lowest cost to root
3. Prefer the neighbor with the lowest bridge ID
4. Prefer the lowest sender port ID

Optional PVST+ Enhancements

PortFast · Enables immediate transition into the forwarding state (designates edge ports under MST)
UplinkFast · Enables switches to maintain backup paths to root
BackboneFast · Enables immediate expiration of the Max Age timer in the event of an indirect link failure

Spanning Tree Protection

Root Guard · Prevents a port from becoming the root port
BPDU Guard · Error-disables a port if a BPDU is received
Loop Guard · Prevents a blocked port from transitioning to listening after the Max Age timer has expired
BPDU Filter · Blocks BPDUs on an interface (disables STP)

RSTP Link Types

Point-to-Point · Connects to exactly one other bridge (full duplex)
Shared · Potentially connects to multiple bridges (half duplex)
Edge · Connects to a single host; designated by PortFast
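The BPDU Format table on the previous page and the Bridge ID Format above describe the same 35-byte configuration BPDU. The following Python is an added example of mine, not part of the packetlife sheets: it decodes a raw BPDU with the field widths from the table, splits each 64-bit bridge ID into the 4-bit priority, 12-bit system ID extension and 48-bit MAC, and then applies two of the checks from the Spanning Tree Protection list: BPDU Guard (any BPDU on a PortFast port) and Root Guard (a BPDU whose root ID is lower than the current root's, i.e. one that would win step 1 of Path Selection). Timer fields are carried in units of 1/256 second per IEEE 802.1D; the port-settings dictionary and the sample BPDU are my own constructions.

```python
import struct

# Field widths from the BPDU Format table: 16,8,8,8,64,32,64,16,16,16,16,16 bits = 35 bytes
BPDU_FMT = "!HBBBQIQHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN, BPDU_TYPE_RSTP = 0x00, 0x80, 0x02


def decode_bridge_id(bid: int) -> dict:
    """Split a 64-bit bridge ID: 4-bit priority, 12-bit system ID extension (VLAN), 48-bit MAC."""
    return {
        "priority": (bid >> 60) << 12,      # the 4 bits hold priority / 4096
        "sys_id_ext": (bid >> 48) & 0x0FFF,
        "mac": bid.to_bytes(8, "big")[2:].hex(":"),
    }


def make_bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Inverse of decode_bridge_id; priority must be 0..61440 in steps of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in increments of 4096")
    return ((priority >> 12) << 60) | ((vlan & 0x0FFF) << 48) | int(mac.replace(":", ""), 16)


def parse_bpdu(raw: bytes) -> dict:
    if len(raw) < BPDU_LEN:
        raise ValueError("short BPDU")
    (proto, version, btype, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, raw[:BPDU_LEN])
    if proto != 0:
        raise ValueError("not an IEEE spanning tree BPDU (protocol ID must be 0)")
    return {
        "version": version, "type": btype, "flags": flags,
        "root_id": root_id, "root": decode_bridge_id(root_id),
        "root_path_cost": root_cost,
        "bridge_id": bridge_id, "bridge": decode_bridge_id(bridge_id),
        "port_id": port_id,
        # timers are transmitted in 1/256-second units
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }


def build_config_bpdu(root_id: int, root_cost: int, bridge_id: int, port_id: int = 0x8001,
                      hello: int = 2, max_age: int = 20, fwd_delay: int = 15) -> bytes:
    """Constructed sample configuration BPDU (version 0, type 0) using the sheet's default timers."""
    return struct.pack(BPDU_FMT, 0, 0, BPDU_TYPE_CONFIG, 0, root_id, root_cost, bridge_id,
                       port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)


def evaluate_bpdu(raw: bytes, port: dict, current_root_id: int) -> str:
    """port is an assumed dict: {"portfast": bool, "bpduguard": bool, "rootguard": bool}."""
    bpdu = parse_bpdu(raw)
    if port.get("portfast") and port.get("bpduguard"):
        return "err-disable (BPDU Guard: BPDU received on a PortFast port)"
    if port.get("rootguard") and bpdu["root_id"] < current_root_id:
        return "root-inconsistent (Root Guard: superior BPDU would move the root)"
    return "accept"


if __name__ == "__main__":
    ours = make_bridge_id(32768, 1, "00:1a:2b:3c:4d:5e")       # default priority, VLAN 1
    rogue = make_bridge_id(0, 1, "00:de:ad:be:ef:00")          # lowest possible priority
    raw = build_config_bpdu(rogue, 0, rogue)
    print(parse_bpdu(raw)["root"])
    print(evaluate_bpdu(raw, {"portfast": True, "bpduguard": True}, ours))
    print(evaluate_bpdu(raw, {"rootguard": True}, ours))
```

Because a numerically lower 64-bit bridge ID wins, comparing `root_id` integers directly is the same comparison the switch makes; a rogue advertising priority 0 beats any default-priority bridge regardless of MAC address, which is the case Root Guard exists for.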

Page 4: tcpdump

packetlife.net · by Jeremy Stretch · v2.0

TCPDUMP

Command Line Options

-A           Print frame payload in ASCII
-c <count>   Exit after capturing count packets
-D           List available interfaces
-e           Print link-level headers
-F <file>    Use file as the filter expression
-G <n>       Rotate the dump file every n seconds
-i <iface>   Specifies the capture interface
-K           Don't verify TCP checksums
-L           List data link types for the interface
-n           Don't convert addresses to names
-p           Don't capture in promiscuous mode
-q           Quick output
-r <file>    Read packets from file
-s <len>     Capture up to len bytes per packet
-S           Print absolute TCP sequence numbers
-t           Don't print timestamps
-v[v[v]]     Print more verbose output
-w <file>    Write captured packets to file
-x           Print frame payload in hex
-X           Print frame payload in hex and ASCII
-y <type>    Specify the data link type
-Z <user>    Drop privileges from root to user

Capture Filter Primitives

[src|dst] host <host>                       Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>                Matches a host as the Ethernet source, destination, or either
gateway host <host>                         Matches packets which used host as a gateway
[src|dst] net <network>/<len>               Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>             Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>     Matches TCP or UDP packets to/from a port in the given range
less <length>                               Matches packets less than or equal to length
greater <length>                            Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>             Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                        Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                    Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]     Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                               Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                              Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                       Matches packets by an arbitrary expression

Protocols

arp, ether, fddi, icmp, ip, ip6, link, ppp, radio, rarp, slip, tcp, tr, udp, wlan

TCP Flags

tcp-urg, tcp-ack, tcp-psh, tcp-rst, tcp-syn, tcp-fin

ICMP Types

icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply

Modifiers

! or not
&& or and
|| or or

Examples

udp dst port not 53               UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2    Traffic between these hosts
tcp dst port 80 or 8080           Packets to either TCP port

Page 5: RIP

packetlife.net · by Jeremy Stretch · v1.1

RIP

Attributes

Type            Distance Vector
Algorithm       Bellman-Ford
Admin Distance  120
Standard        RFCs 2080, 2453
Protocols       IPv4, IPv6
Transport       UDP
Authentication  Plaintext, MD5
Multicast IP    224.0.0.9 / FF02::9
Metric          Hop count (max 15)

Timer Defaults

Update     30 sec
Invalid    180 sec
Hold-down  180 sec
Flush      240 sec

RIP Implementations

RIPv1 · Original RIP implementation, limited to classful routing (obsolete)
RIPv2 · Introduced support for classless routing, authentication, triggered updates, and multicast announcements (RFC 2453)
RIPng (RIP Next Generation) · Extends RIPv2 to support IPv6 routing (RFC 2080); functions very similarly to RIPv2 and is subsequently as limited

Protocols Comparison

                RIPv1      RIPv2       RIPng
IP              IPv4       IPv4        IPv6
Classless       No         Yes         Yes
Adv. Address    Broadcast  224.0.0.9   FF02::9
Authentication  None       Plain, MD5  None
UDP Port        520        520         521
Admin Distance  120        120         120

Terminology

Split Horizon · A rule that states a router may not advertise a route back to the neighbor from which it was learned
Route Poisoning · When a network becomes unreachable, an update with an infinite metric is generated to explicitly advertise the route as unreachable
Poison Reverse · A router advertises a network as unreachable through the interface on which it was learned

RIPv2 Configuration

! Enable RIPv2 IPv4 routing
router rip
 version 2

 ! Disable RIPv2 automatic summarization
 no auto-summary

 ! Designate RIPv2 interfaces by network
 network <network>

 ! Identify unicast-only neighbors
 neighbor <IP-address>

 ! Originate a default route
 default-information originate

 ! Designate passive interfaces
 passive-interface {<interface> | default}

 ! Modify timers
 timers basic <update> <invalid> <hold> <flush>

RIPv2 Interface Configuration

! Configure manual route summarization
ip summary-address rip <network> <mask>

! Enable MD5 authentication (RIPv2 only)
ip rip authentication mode md5
ip rip authentication key-chain <key-chain>

RIPng Configuration

! Enable IPv6 routing
ipv6 unicast-routing

! Enable RIPng IPv6 routing
ipv6 router rip <name>

 ! Toggle split-horizon and poison-reverse
 [no] split-horizon
 [no] poison-reverse

 ! Modify timers
 timers basic <update> <invalid> <hold> <flush>

RIPng Interface Configuration

! Enable RIPng on the interface
ipv6 rip <name> enable

! Configure manual route summarization
ipv6 rip <name> summary-address <prefix>

Troubleshooting

show ip[v6] protocols
show ip[v6] rip database
show ip[v6] route rip
debug ip rip {database | events}
debug ipv6 rip [interface]

Page 6: EIGRP

packetlife.net · by Jeremy Stretch · v2.1

EIGRP

Attributes

Type            Distance Vector
Algorithm       DUAL
Internal AD     90
External AD     170
Summary AD      5
Standard        Cisco proprietary
Protocols       IP, IPX, Appletalk
Transport       IP/88
Authentication  MD5
Multicast IP    224.0.0.10
Hello Timers    5/60
Hold Timers     15/180

Protocol Header

Bits     0         8         16        24        32
Word 1   Version   Opcode    Checksum
Word 2   Flags
Word 3   Sequence Number
Word 4   Acknowledgment Number
Word 5   Autonomous System Number
Word 6+  TLVs: Type (16 bits) · Length (16 bits) · Value

Packet Types

1  Update
3  Query
4  Reply
5  Hello
8  Acknowledge

Metric Formula

metric = 256 * [ K1*bw + (K2*bw)/(256 - load) + K3*delay ] * [ K5/(rel + K4) ]

· bw = 10^7 / minimum path bandwidth in kbps
· delay = interface delay in µsecs / 10
· the trailing [ K5/(rel + K4) ] factor is applied only when K5 is non-zero; with the default K values the formula reduces to 256 * (bw + delay)

K Defaults

K1  1
K2  0
K3  1
K4  0
K5  0

EIGRP Configuration

Protocol Configuration

! Enable EIGRP
router eigrp <ASN>

 ! Add networks to advertise
 network <IP address> <wildcard mask>

 ! Configure K values to manipulate metric formula
 metric weights 0 <k1> <k2> <k3> <k4> <k5>

 ! Disable automatic route summarization
 no auto-summary

 ! Designate passive interfaces
 passive-interface (<interface> | default)

 ! Enable stub routing
 eigrp stub [receive-only | connected | static | summary]

 ! Statically identify neighboring routers
 neighbor <IP address> <interface>

Interface Configuration

! Set maximum bandwidth EIGRP can consume
ip bandwidth-percent eigrp <AS> <percentage>

! Configure manual summarization of outbound routes
ip summary-address eigrp <AS> <IP address> <mask> [<AD>]

! Enable MD5 authentication
ip authentication mode eigrp <AS> md5
ip authentication key-chain eigrp <AS> <key-chain>

! Configure hello and hold timers
ip hello-interval eigrp <AS> <seconds>
ip hold-time eigrp <AS> <seconds>

! Disable split horizon for EIGRP
no ip split-horizon eigrp <AS>

Terminology

Feasible Distance · The distance advertised by a neighbor plus the cost to get to that neighbor
Reported Distance · The metric for a route advertised by a neighbor
Stuck In Active (SIA) · The condition when a route becomes unreachable and not all queries for it are answered; adjacencies with unresponsive neighbors are reset
Passive Interface · An interface which does not participate in EIGRP but whose network is advertised
Stub Router · A router which advertises only a subset of routes, and is omitted from the route query process

Troubleshooting

show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
clear ip eigrp neighbors
debug ip eigrp [packet | neighbors]
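Worked example of the metric formula and of the feasibility condition that sits behind the Feasible Distance and Reported Distance terms above: a neighbour may be kept as a loop-free backup (feasible successor) only if its reported distance is strictly less than the feasible distance of the current successor. This Python is an added example of mine, not from the packetlife sheet. It uses the default K values with integer truncation as IOS does; the three neighbour paths and the link figures (FastEthernet 100000 kbps / 100 µs, a slow WAN link at 10000 kbps / 1000 µs) are constructed sample data.

```python
K_DEFAULTS = (1, 0, 1, 0, 0)   # K1..K5 from the K Defaults table


def eigrp_metric(min_bw_kbps: int, total_delay_us: int, load: int = 1,
                 reliability: int = 255, k=K_DEFAULTS) -> int:
    """Composite metric from the sheet's formula; bw and delay scaled as the sheet describes."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps        # 10^7 / minimum path bandwidth in kbps
    delay = total_delay_us // 10     # sum of interface delays along the path in µs, / 10
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                      # reliability factor applies only when K5 is non-zero
        base = base * k5 // (reliability + k4)
    return 256 * base


def dual_successors(paths: list) -> dict:
    """paths: [{"via": neighbor, "rd": reported distance, "fd": our metric via that neighbor}].
    Successor = lowest fd.  Feasible successor: rd < successor's fd (strictly)."""
    successor = min(paths, key=lambda p: p["fd"])
    others = [p for p in paths if p is not successor]
    return {
        "successor": successor["via"],
        "fd": successor["fd"],
        "feasible_successors": [p["via"] for p in others if p["rd"] < successor["fd"]],
        "not_feasible": [p["via"] for p in others if p["rd"] >= successor["fd"]],
    }


# Constructed topology: three neighbours advertise the same prefix.
SAMPLE_PATHS = [
    # R2 is one FastEthernet hop from the prefix; we reach R2 over FastEthernet
    {"via": "R2", "rd": eigrp_metric(100000, 100), "fd": eigrp_metric(100000, 200)},
    # R3 is two FastEthernet hops away: its RD equals our FD via R2, so it fails the strict test
    {"via": "R3", "rd": eigrp_metric(100000, 200), "fd": eigrp_metric(100000, 300)},
    # R4 is one hop from the prefix, but we reach R4 over the slow WAN link
    {"via": "R4", "rd": eigrp_metric(100000, 100), "fd": eigrp_metric(10000, 1100)},
]

if __name__ == "__main__":
    print("FastEthernet metric:", eigrp_metric(100000, 100))     # 28160
    print("T1 serial metric:   ", eigrp_metric(1544, 20000))     # 2169856
    print(dual_successors(SAMPLE_PATHS))
```

R3 is the instructive case: its path is perfectly usable, but because its reported distance is not strictly below the feasible distance DUAL cannot prove it loop-free, so the route is only queried for after the successor is lost, which is where the Stuck In Active condition above comes from.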

Page 7: OSPF · Part 1

packetlife.net · by Jeremy Stretch · v2.1

OSPF · PART 1

Attributes

Type            Link-State
Algorithm       Dijkstra
Metric          Cost (Bandwidth)
AD              110
Standard        RFC 2328, 2740
Protocols       IP
Transport       IP/89
Authentication  Plaintext, MD5
AllSPF Address  224.0.0.5
AllDR Address   224.0.0.6

Metric Formula

cost = 100,000 kbps* / link speed
* the 100,000 kbps reference bandwidth is modifiable with: ospf auto-cost reference-bandwidth

Protocol Header

Bits     0          8          16          24         32
Word 1   Version    Type       Length
Word 2   Router ID
Word 3   Area ID
Word 4   Checksum              Instance ID  Reserved
Word 5+  Data

(This is the OSPFv3 header; the OSPFv2 header carries a 16-bit AuType and a 64-bit Authentication field in place of Instance ID and Reserved.)

Router Types

Internal Router · All interfaces reside within the same area
Backbone Router · A router with an interface in area 0 (the backbone)
Area Border Router (ABR) · Connects two or more areas
AS Boundary Router (ASBR) · Connects to additional routing domains; typically located in the backbone

Link State Advertisements

Router Link (Type 1) · Lists neighboring routers and the cost to each; flooded within an area
Network Link (Type 2) · Generated by a DR; lists all routers on an adjacent segment; flooded within an area
Network Summary (Type 3) · Generated by an ABR and advertised among areas
ASBR Summary (Type 4) · Injected by an ABR into the backbone to advertise the presence of an ASBR within an area
External Link (Type 5) · Generated by an ASBR and flooded throughout the AS to advertise a route external to OSPF
NSSA External Link (Type 7) · Generated by an ASBR in a not-so-stubby area; converted into a type 5 LSA by the ABR when leaving the area

DR/BDR Election

· The DR serves as a common point for all adjacencies on a multiaccess segment
· The BDR also maintains adjacencies with all routers in case the DR fails
· Election does not occur on point-to-point or multipoint links
· Default priority (0-255) is 1; highest priority wins; 0 cannot be elected
· DR preemption will not occur unless the current DR is reset

Virtual Links

· Tunnel formed to join two areas across an intermediate
· Both end routers must share a common area
· At least one end must reside in area 0
· Cannot traverse stub areas

Area Types

Standard Area · Default OSPF area type
Stub Area · External link (type 5) LSAs are replaced with a default route
Totally Stubby Area · Type 3, 4, and 5 LSAs are replaced with a default route
Not So Stubby Area (NSSA) · A stub area containing an ASBR; type 5 LSAs are converted to type 7 within the area

External Route Types

E1 · Cost to the advertising ASBR plus the external cost of the route
E2 (Default) · Cost of the route as seen by the ASBR

Adjacency States

1  Down
2  Attempt
3  Init
4  2-Way
5  Exstart
6  Exchange
7  Loading
8  Full

Troubleshooting

show ip [route | protocols]
show ip ospf interface
show ip ospf neighbor
show ip ospf border-routers
show ip ospf virtual-links
debug ip ospf […]

Page 8: OSPF · Part 2

packetlife.net · by Jeremy Stretch · v2.1

OSPF · PART 2

Configuration Example

[Figure: Router A and Router B share Area 0 (the backbone); Router A also connects to the WAN cloud 172.16.0.0/18. Router B connects Area 1 (stub area) and, together with Router C, Area 2 (standard area). Router C connects Area 9 (totally stubby area), which reaches the backbone through a virtual link across Area 2.]

Router A

interface Serial0/0
 description WAN Link
 ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
 description Area 0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
 ! Used as router ID
 ip address 10.0.34.1 255.255.255.0
!
router ospf 100
 ! Advertising the WAN cloud to OSPF
 redistribute static subnets
 network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1

Router B

interface Ethernet0/0
 description Area 0
 ip address 192.168.0.2 255.255.255.0
 ip ospf 100 area 0
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip ospf 100 area 2
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give B priority in DR election
 ip ospf priority 100
!
interface Ethernet0/2
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip ospf 100 area 1
!
interface Loopback0
 ip address 10.0.34.2 255.255.255.0
!
router ospf 100
 ! Define area 1 as a stub area
 area 1 stub
 ! Virtual link from area 0 to area 9
 area 2 virtual-link 10.0.34.3

Router C

interface Ethernet0/0
 description Area 9
 ip address 192.168.9.1 255.255.255.0
 ip ospf 100 area 9
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip ospf 100 area 2
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give C second priority (BDR) in election
 ip ospf priority 50
!
interface Loopback0
 ip address 10.0.34.3 255.255.255.0
!
router ospf 100
 ! Define area 9 as a totally stubby area
 area 9 stub no-summary
 ! Virtual link from area 9 to area 0
 area 2 virtual-link 10.0.34.2

Network Types

Network Type             DR/BDR Elected  Neighbor Discovery  Hello/Dead Timers  Defined By  Supported Topology
Nonbroadcast (NBMA)      Yes             No                  30/120             RFC 2328    Full Mesh
Multipoint Broadcast     No              Yes                 30/120             RFC 2328    Any
Multipoint Nonbroadcast  No              No                  30/120             Cisco       Any
Broadcast                Yes             Yes                 10/40              RFC 2328    Full Mesh
Point-to-Point           No              Yes                 10/40              RFC 2328    Point-to-Point

Page 9: BGP · Part 1

packetlife.net · by Jeremy Stretch · v2.1-r1

BGP · PART 1

About BGP

Type            Path Vector
eBGP AD         20
iBGP AD         200
Standard        RFC 4271
Protocols       IP
Transport       TCP/179
Authentication  MD5

Path Selection

#   Attribute         Description                                               Preference
1   Weight            Administrative preference                                 Highest
2   Local Preference  Communicated between peers within an AS                   Highest
3   Self-originated   Prefer paths originated locally                           True
4   AS Path           Minimize AS hops                                          Shortest
5   Origin            Prefer IGP-learned routes over EGP, and EGP over unknown  IGP
6   MED               Used externally to enter an AS                            Lowest
7   External          Prefer eBGP routes over iBGP                              eBGP
8   IGP Cost          Consider IGP metric                                       Lowest
9   eBGP Peering      Favor more stable routes                                  Oldest
10  Router ID         Tie breaker                                               Lowest

Influencing Path Selection

Weight                   neighbor 172.16.0.1 weight 200
MED                      default-metric 400
Local Preference         bgp default local-preference 100
Route Map                neighbor 172.16.0.1 route-map Foo
Ignore AS Path           bgp bestpath as-path ignore
Ignore Cost Communities  bgp bestpath cost-community ignore

Terminology

Autonomous System (AS) · A logical domain under the control of a single entity
External BGP (eBGP) · BGP adjacencies which span autonomous system boundaries
Internal BGP (iBGP) · BGP adjacencies formed within a single AS
Synchronization Requirement · A route must be known by an IGP before it may be advertised to BGP peers

Packet Types

Open, Update, Keepalive, Notification

Neighbor States

Idle · Neighbor is not responding
Connect · TCP session established
Active · Attempting to connect
Open Sent · Open message sent
Open Confirm · Response received
Established · Adjacency established

Attribute Types

Well-known Mandatory · Must be supported and propagated
Well-known Discretionary · Must be supported; propagation optional
Optional Transitive · Marked as partial if unsupported by neighbor
Optional Nontransitive · Deleted if unsupported by neighbor

Attributes

Code  Name                               Description
1     Origin                             Origin type (IGP, EGP, or unknown)
2     AS Path                            List of autonomous systems which the advertisement has traversed
3     Next Hop                           External peer in neighboring AS
4     Multiple Exit Discriminator (MED)  Metric for external neighbors to reach the local AS (default 0)
5     Local Preference                   Metric for internal neighbors to reach external destinations (default 100)
6     Atomic Aggregate                   Includes ASes which have been dropped due to route aggregation
7     Aggregator                         ID and AS of summarizing router
8     Community                          Route tag
9     Originator ID                      The originator of a reflected route
10    Cluster List                       List of cluster IDs
13    Cluster ID                         Originating cluster
--    Weight                             Cisco proprietary, not communicated to peers (default 0)

Troubleshooting

show ip bgp [summary]
show ip bgp neighbors
show ip route [bgp]
clear ip bgp * [soft]
debug ip bgp […]
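The Path Selection table is an ordered list of ten comparisons. The following Python, an added example of mine rather than anything from the packetlife sheet, implements that order as a pairwise comparator that also reports which step decided the outcome, which is what you want when working out why a leaked or hijacked prefix won (a longer AS path is no defence once a peer has set a higher local preference). Two assumptions of mine go beyond the table: MED is compared only between paths received from the same neighbouring AS (the IOS default), and "oldest" is modelled with a receive counter.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # step 5: IGP beats EGP beats unknown


@dataclass
class BgpPath:
    prefix: str
    neighbor: str
    neighbor_as: int
    as_path: tuple                # e.g. (65200, 65300)
    weight: int = 0               # Cisco-local, default 0
    local_pref: int = 100         # default 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0                  # default 0
    ebgp: bool = True
    igp_cost: int = 0             # IGP metric to the next hop
    received_order: int = 0       # lower = learned earlier ("oldest")
    router_id: str = "0.0.0.0"


def _rid(p: BgpPath) -> tuple:
    return tuple(int(o) for o in p.router_id.split("."))


# Steps in the sheet's order; every key is arranged so that a HIGHER value is preferred.
STEPS = [
    ("weight", lambda p: p.weight),
    ("local_preference", lambda p: p.local_pref),
    ("self_originated", lambda p: p.locally_originated),
    ("as_path", lambda p: -len(p.as_path)),
    ("origin", lambda p: -ORIGIN_RANK[p.origin]),
    ("med", lambda p: -p.med),
    ("external", lambda p: p.ebgp),
    ("igp_cost", lambda p: -p.igp_cost),
    ("ebgp_peering_age", lambda p: -p.received_order),
    ("router_id", lambda p: tuple(-o for o in _rid(p))),
]


def compare(a: BgpPath, b: BgpPath) -> tuple:
    """Return (winner, name of the deciding step)."""
    for name, key in STEPS:
        if name == "med" and a.neighbor_as != b.neighbor_as:
            continue   # assumption: MED is only meaningful between paths from the same neighbour AS
        if name == "ebgp_peering_age" and not (a.ebgp and b.ebgp):
            continue   # the "oldest path" rule applies to eBGP paths only
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a, name) if ka > kb else (b, name)
    return a, "tie"


def best_path(paths: list) -> tuple:
    """Fold compare() over the candidates; returns (best, [(losing neighbor, deciding step), ...])."""
    best, decisions = paths[0], []
    for cand in paths[1:]:
        winner, step = compare(best, cand)
        loser = cand if winner is best else best
        decisions.append((loser.neighbor, step))
        best = winner
    return best, decisions


# Constructed sample: the same prefix learned from three neighbours.
PFX = "203.0.113.0/24"
SAMPLE = [
    BgpPath(PFX, "172.16.0.2", 65200, (65200,), med=100, received_order=1, router_id="10.0.0.2"),
    BgpPath(PFX, "172.16.0.6", 65200, (65200,), med=50, received_order=2, router_id="10.0.0.3"),
    BgpPath(PFX, "172.16.0.10", 65300, (65300, 65400, 65200), local_pref=200,
            received_order=3, router_id="10.0.0.4"),
]

if __name__ == "__main__":
    best, why = best_path(SAMPLE)
    print("best via", best.neighbor, "decisions:", why)
```

In the sample the three-hop path from AS 65300 wins purely on local preference, so `show ip bgp` would show the longer AS path as best; that is the effect a peer's `route-map` with `set local-preference` has on the whole AS, and why inbound policy on eBGP sessions should not inherit attributes blindly.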

Page 10: BGP · Part 2

packetlife.net · by Jeremy Stretch · v2.1-r1

BGP · PART 2

Configuration Example

[Figure: Router A (AS 65100) peers over S1/0 with Router B (172.16.0.0/30) and over S1/1 with Router C (172.16.0.4/30), both in AS 65200. B and C are linked over F0/0 (10.0.0.0/30) and run OSPF between themselves; each router has a LAN on F2/0.]

Router A

interface Serial1/0
 description Backbone to B
 ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
 description Backbone to C
 ip address 172.16.0.5 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
 no synchronization
 network 172.16.0.0 mask 255.255.255.252
 network 172.16.0.4 mask 255.255.255.252
 network 192.168.1.0
 neighbor South peer-group
 neighbor South remote-as 65200
 neighbor 172.16.0.2 peer-group South
 neighbor 172.16.0.6 peer-group South
 no auto-summary

Router B

interface FastEthernet0/0
 description Backbone to C
 ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
router ospf 100
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.2.1 0.0.0.0 area 1
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.2 remote-as 65200
 neighbor 172.16.0.1 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100

Router C

interface FastEthernet0/0
 description Backbone to B
 ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.6 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.3.1 255.255.255.0
!
router ospf 100
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 2
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.1 remote-as 65200
 neighbor 172.16.0.5 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100

Router A Routing Table

     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.0.4 is directly connected, S1/1
C       172.16.0.0 is directly connected, S1/0
C    192.168.1.0/24 is directly connected, F2/0
B    192.168.2.0/24 [20/100] via 172.16.0.2
B    192.168.3.0/24 [20/100] via 172.16.0.2

Router B Routing Table

     172.16.0.0/30 is subnetted, 2 subnets
B       172.16.0.4 [20/0] via 172.16.0.1
C       172.16.0.0 is directly connected, S1/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, F0/0
B    192.168.1.0/24 [20/0] via 172.16.0.1
C    192.168.2.0/24 is directly connected, F2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0

Page 11: MergedFileBackup Spanning Tree Operation Determine root bridge The bridge advertising the lowest bridge ID becomes the root bridge Select root port Each bridge selects its primary

packetlife.net

by Jeremy Stretch v2.0

FIRST HOP REDUNDANCYProtocols

HSRP Configuration

interface FastEthernet0/0ip address 10.0.1.2 255.255.255.0standby version {1 | 2}standby 1 ip 10.0.1.1standby 1 timers <hello> <dead>standby 1 priority <priority>standby 1 preemptstandby 1 authentication md5 key-string <password>standby 1 track <interface> <value>standby 1 track <object> decrement <value>

Troubleshooting

show standby [brief]

show glbp [brief]

Virtual Router Redundancy Protocol (VRRP)An open-standard alternative to Cisco's HSRP, providing the same functionality

Hot Standby Router Protocol (HSRP)Provides default gateway redundancy using one active and one standby router; standardized but licensed by Cisco Systems

Gateway Load Balancing Protocol (GLBP)Supports arbitrary load balancing in addition to redundancy across gateways; Cisco proprietary

Attributes

HSRP

NoLoad Balancing

RFC 2281Standard

Transport

IPv6 Support

Default Hello

Default Priority

Multicast Group

UDP/1985

Yes

3 sec

100

224.0.0.2

VRRP

No

RFC 3768

IP/112

No

1 sec

100

224.0.0.18

GLBP

Yes

Cisco

UDP/3222

Yes

3 sec

100

224.0.0.102

HSRP VRRP GLBP

Standby Active Listen

100 200 100

Backup Master

100 200 100

Backup

VRRP Configuration

interface FastEthernet0/0ip address 10.0.1.2 255.255.255.0vrrp 1 ip 10.0.1.1vrrp 1 timers {advertise <hello> | learn}vrrp 1 priority <priority>vrrp 1 preemptvrrp 1 authentication md5 key-string <password>vrrp 1 track <object> decrement <value>

GLBP Configuration

interface FastEthernet0/0ip address 10.0.1.2 255.255.255.0glbp 1 ip 10.0.1.1glbp 1 timers <hello> <dead>glbp 1 timers redirect <redirect> <time-out>glbp 1 priority <priority>glbp 1 preemptglbp 1 forwarder preemptglbp 1 authentication md5 key-string <password>glbp 1 load-balancing <method>glbp 1 weighting <weight> lower <lower> upper <upper>glbp 1 weighting track <object> decrement <value>

HSRP/GLBP Interface States

Active · Active router/VG

Standby · Backup router/VG

Listen · Not the active router/VG

Speak · Gateway election in progress

VRRP Interface States

Master · Acting as the virtual router

Backup · All non-master routers

GLBP Roles

Active Virtual Gateway (AVG) · Answers for the virtual router and assigns virtual MAC addresses to group members

Active Virtual Forwarder (AVF) · All routers which forward traffic for the group

GLBP Load Balancing

Round-Robin (default) · The AVG answers host ARP requests for the virtual router with the next router in the cycle

Host-Dependent · Round-robin cycling is used while a consistent AVF is maintained for each host

Weighted · Determines the proportionate share of hosts handled by each AVF

GLBP roles (figure): the same three gateways with priorities 100, 200 and 100 are all AVFs; the gateway with priority 200 is also the AVG.

show vrrp [brief]

show track [brief]


packetlife.net

Unicast Routing Protocols Comparison

Protocol | Type            | Algorithm      | Admin Distance                | Standard
RIP      | Distance Vector | Bellman-Ford   | 120                           | RFCs 2080, 2453
EIGRP    | Distance Vector | DUAL           | 90/170 (external)/5 (summary) | Cisco proprietary
OSPF     | Link State      | Dijkstra       | 110                           | RFCs 2328, 5340
IS-IS    | Link State      | Dijkstra       | 115                           | ISO 10589, RFC 1142
BGP      | Path Vector     | Path Selection | 20/200 (IBGP)                 | RFC 4271

Protocol | Supported Protocols        | Transport | Authentication
RIP      | IPv4, IPv6                 | UDP/520   | Plain, MD5
EIGRP    | IPv4, IPv6, IPX, Appletalk | IP/88     | MD5
OSPF     | IPv4, IPv6                 | IP/89     | Plain, MD5, AH (v3)
IS-IS    | IPv4, IPv6, CLNP           | Layer 2   | Plain, MD5
BGP      | IPv4, IPv6                 | TCP/179   | MD5

EIGRP Metric Formula

· bw = 10^7 / minimum path bandwidth in kbps

· delay = interface delay in µsecs / 10

Global Configuration

! Enable EIGRP for an autonomous system
[ipv6] router eigrp AS-number
! Specify a router ID formatted in IPv4 dotted-decimal
[eigrp] router-id router-ID
! Disable automatic classful summarization (IPv4 only)
no auto-summary
! Enable EIGRP on interfaces by network (IPv4 only)
network IPv4-address wildcard-mask
! Modify maximum paths for equal-cost load balancing
maximum-paths 1-16
! Configure multiplier for unequal-cost load balancing
variance 1-128
! Configure K values to manipulate the metric formula
metric weights 0 k1 k2 k3 k4 k5
! Explicitly identify neighbors on NBMA links
neighbor IP-address interface
! Designate passive interfaces
passive-interface {interface | default}
! Enable stub routing
[eigrp] stub [receive-only | connected | static | summary | redist]

Default K Values

K1 = 1 · K2 = 0 · K3 = 1 · K4 = 0 · K5 = 0

Packet Types

1 Update · 3 Query · 4 Reply · 5 Hello · 8 Acknowledge

EIGRP Terminology

Feasible Distance · The distance advertised by a neighbor plus the cost to get to that neighbor

Reported Distance · The metric for a route advertised by a neighbor

Stuck In Active (SIA) · The condition when a route becomes unreachable and not all queries for it are answered; adjacencies with unresponsive neighbors are reset

Passive Interface · An interface which does not participate in EIGRP but whose network is advertised

Stub Router · A router which advertises only a subset of routes, and is omitted from the route query process

Multicast Address (comparison table, continued): RIP 224.0.0.9 · EIGRP 224.0.0.10 · OSPF 224.0.0.5-6 · IS-IS N/A · BGP N/A

EIGRP Configuration

Interface Configuration

interface type number
! Enable EIGRP for IPv6 on the interface
ipv6 eigrp AS-number
! Set the maximum bandwidth EIGRP can consume (can be >100%)
ip[v6] bandwidth-percent eigrp AS-number 1-999999
! Configure manual summarization of outbound routes
ip summary-address eigrp AS-number IPv4-address subnet-mask [AD]
ipv6 summary-address eigrp AS-number IPv6-prefix [AD]
! Enable MD5 authentication
ip[v6] authentication mode eigrp AS-number md5
ip[v6] authentication key-chain eigrp AS-number key-chain
! Modify interface hello and hold timers
ip[v6] hello-interval eigrp AS-number seconds
ip[v6] hold-time eigrp AS-number seconds
! Toggle split horizon
[no] ip[v6] split-horizon eigrp AS-number

Troubleshooting

show ip[v6] eigrp {interfaces | neighbors}

show ip[v6] eigrp topology

clear ip[v6] eigrp [AS-number] neighbors

debug ip[v6] eigrp [neighbor]

Default Timers

Link type  | Hello  | Hold
LAN (>T1)  | 5 sec  | 15 sec
WAN (<=T1) | 60 sec | 180 sec

$$\text{metric} = 256 \times \left( K_1 \cdot bw + \frac{K_2 \cdot bw}{256 - load} + K_3 \cdot delay \right) \times \frac{K_5}{rel + K_4}$$
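As an added example (not part of the packetlife sheet), the composite metric above computed along a multi-hop path with the sheet's default K values, followed by the feasibility condition (reported distance below feasible distance) and the variance check used for unequal-cost load balancing. The link bandwidths, delays and neighbor distances are constructed sample values; the rule that a K5 of 0 makes the reliability term a multiplier of 1 follows Cisco's implementation.

```python
# Added example (not from the packetlife sheet): EIGRP composite metric along
# a path, plus the feasibility and variance checks. Link values below are
# constructed sample data.

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 defaults from the sheet


def eigrp_metric(min_bw_kbps, total_delay_usec, load=1, reliability=255, k=DEFAULT_K):
    """bw = 10^7 / minimum bandwidth (kbps), delay = cumulative delay (usec) / 10,
    both truncated to integers as IOS does before scaling by 256."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    delay = total_delay_usec // 10
    base = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    metric = 256 * base
    # With K5 = 0 the reliability term K5 / (rel + K4) is defined as 1.
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def path_metric(links, k=DEFAULT_K):
    """links: list of (bandwidth_kbps, delay_usec) per hop. EIGRP takes the
    lowest bandwidth and the sum of the delays along the whole path."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(d for _, d in links)
    return eigrp_metric(min_bw, total_delay, k=k)


def usable_paths(fd, candidates, variance=1):
    """fd: feasible distance (the successor's metric).
    candidates: {neighbor: (reported_distance, metric_via_neighbor)}.
    A neighbor is a feasible successor (loop-free backup) when RD < FD; it is
    also installed for unequal-cost load sharing when metric < variance * FD."""
    feasible = {n: m for n, (rd, m) in candidates.items() if rd < fd}
    installed = {n: m for n, m in feasible.items() if m < variance * fd}
    return feasible, installed


if __name__ == "__main__":
    # FastEthernet (100000 kbps, 100 usec) followed by a T1 (1544 kbps, 20000 usec)
    print(path_metric([(100000, 100), (1544, 20000)]))
```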

Router Roles

Internal Router · All interfaces reside within the same area

Backbone Router · A router with at least one interface in area 0

Area Border Router (ABR) · Connects two or more areas

AS Boundary Router (ASBR) · Connects to additional routing domains (redistribution to or from other protocols)

Troubleshooting

show ip[v6] ospf [process] interface

show ip[v6] ospf database [LSA-type]

OSPFv2 Link State Advertisements

Router Link (Type 1) · Lists neighboring routers and the cost to each; flooded within an area

Network Link (Type 2) · Generated by a DR; lists all routers on an adjacent segment; flooded within an area

Network Summary (Type 3) · Generated by an ABR; advertises routes between areas

ASBR Summary (Type 4) · Injected by an ABR into the backbone to advertise the presence of an ASBR in a non-backbone area

External Link (Type 5) · Generated by an ASBR and flooded throughout the AS to advertise a route external to OSPF

NSSA External Link (Type 7) · Generated by an ASBR in a not-so-stubby area; converted into a type 5 LSA by the ABR when leaving the area

Area Types

Standard Area · Default OSPF area type

Stub Area · External link (type 5) LSAs are replaced with a single default route

Totally Stubby Area · Type 3, 4, and 5 LSAs are replaced with a default route

Not-So-Stubby Area (NSSA) · A stub area containing an ASBR; type 5 LSAs are converted to type 7 within the area

External Route Types

E1 · Considers the cost to the advertising ASBR plus the external cost of the route

E2 (Default) · The external cost of a route as seen by the ASBR; internal OSPF cost is not considered

show ip[v6] ospf border-routers

show ip[v6] ospf virtual-links

debug ip[v6] ospf […]

Metric Formula

DR/BDR Election

· The BDR also maintains adjacencies with all routers in case the DR fails

· Does not occur on point-to-point or multipoint links

· Default priority (0-255) is 1; highest priority wins; 0 cannot be elected

· DR preemption will not occur unless the current DR is reset

Virtual Links

· Tunnel formed to join two areas across an intermediate

· Both end routers must share a common non-stub area

· At least one end must reside in area 0

Adjacency States

1 Down · 2 Attempt · 3 Init · 4 2-Way · 5 ExStart · 6 Exchange · 7 Loading · 8 Full

DR/BDR Election (continued)

· The DR serves as a common point for all adjacencies on a multiaccess segment

Network Types

Network Type            | DR/BDR Elected | Neighbor Discovery | Hello/Dead Timers | Defined By | Supported Topology
Nonbroadcast (NBMA)     | Yes            | No                 | 30/120            | RFC 2328   | Full Mesh
Multipoint Broadcast    | No             | Yes                | 30/120            | RFC 2328   | Any
Multipoint Nonbroadcast | No             | No                 | 30/120            | Cisco      | Any
Broadcast               | Yes            | Yes                | 10/40             | Cisco      | Full Mesh
Point-to-Point          | No             | Yes                | 10/40             | Cisco      | Point-to-Point

Integrated IS-IS

Network Types

Broadcast · DIS Elected Yes · Neighbor Discovery Yes · Hello/Dead Timers 10/30

Adjacency Requirements

· Interface MTUs must match

· Areas must match (if level 1)

· System IDs must be unique

· Authentication must succeed

· Levels must match

Troubleshooting

show [clns | isis] neighbors

show clns interface

show isis [ipv6] topology

NSAP Addressing

Interdomain Part (IDP) · Portion of the address used in routing between autonomous systems; assigned by ISO

Domain-Specific Part (DSP) · Portion of the address relevant only within the local AS

Authority and Format Identifier (AFI) · Identifies the authority which dictates the format of the address

Initial Domain Identifier (IDI) · An organization belonging to the AFI

High Order DSP (HODSP) · The area within the AS

System ID · Unique router identifier; 48 bits for Cisco devices (often taken from an Ethernet MAC address)

NSAP Selector (SEL) · Identifies a network layer service; always 0x00 in a NET

Point-to-Point · DIS Elected No · Neighbor Discovery Yes · Hello/Dead Timers 10/30

Troubleshooting

show isis [database | spf-log]

debug [clns | isis] […]

ISO Routing Levels

Level 0 · Used to locate end systems

Level 1 · Routing within an area (IS-IS)

Level 2 · Routing between areas (IS-IS)

Level 3 · Inter-AS routing

Terminology

Type-Length-Value (TLV) · Variable-length modular datasets carried by PDUs

Link State PDU (LSP) · Carry TLVs encompassing link state information

DIS Election

· Highest-priority interface elected

· Highest SNPA (e.g. MAC or DLCI) breaks tie

· Highest system ID breaks SNPA tie

· Default interface priority is 64

· Current DIS may be preempted, unlike OSPF

Sequence Number Packet (SNP) · Used to request and advertise LSPs; can be complete (CSNP) or partial (PSNP)

Network Entity Title (NET) · Unique router ID; includes area ID

Designated Intermediate System (DIS) · A pseudonode responsible for emulating point-to-point links across a multi-access segment

OSPF Configuration

Global Configuration

! Create an OSPF process
[ipv6] router ospf process-ID
! Specify a router ID formatted as IPv4 dotted-decimal
router-id router-ID
! Modify the default reference bandwidth
auto-cost reference-bandwidth speed-in-mbps
! Assign interfaces to areas by network (OSPFv2)
network IPv4-address wildcard-mask area area
! Identify neighbors for NBMA links (OSPFv2)
neighbor IPv4-address [cost 1-65535]
! Configure summaries on area border routers
area area range { IPv4-address subnet-mask | IPv6-prefix }
! Summarize external routes (ASBRs only)
summary-address IPv4-address subnet-mask [not-advertise]
summary-prefix IPv6-prefix [not-advertise]
! Originate a default route
default-information originate [always]
! Designate stub, totally stubby, or not-so-stubby areas
area area { stub | nssa } [no-summary]
! Create a virtual link
area area virtual-link router-ID

Interface Configuration

interface type number
! Enable OSPF on the interface
ip[v6] ospf process-ID area area
! Identify neighbors for NBMA links (OSPFv3)
ipv6 ospf neighbor IPv6-address
! Set interface cost manually
ip[v6] ospf cost 1-65535
! Configure DR election priority
ip[v6] ospf priority 0-255
! Specify network type (broadcast, point-to-point, etc.)
ip[v6] ospf network type
! Modify interface hello and dead intervals
ip[v6] ospf hello-interval seconds
ip[v6] ospf dead-interval seconds
! Enable MD5 authentication (OSPFv2)
ip ospf authentication message-digest
ip ospf message-digest-key key-id md5 key-string
! Enable IPsec authentication (OSPFv3)
ipv6 ospf auth ipsec spi spi-number { md5 | sha1 } string

Group Membership (Type 6) · Used by Multicast OSPF; unsupported by IOS

OSPFv3 Link State Advertisements

LS Type | Name                  | v2 Equiv.
0x2001  | Router LSA            | Type 1
0x2002  | Network LSA           | Type 2
0x2003  | Inter-area prefix LSA | Type 3
0x2004  | Inter-area router LSA | Type 4
0x4005  | AS-external LSA       | Type 5
0x2006  | Group membership LSA  | Type 6
0x2007  | Type-7 LSA            | Type 7
0x0008  | Link LSA              | N/A
0x2009  | Intra-area prefix LSA | N/A

IS-IS Configuration

Global Configuration

! Enable IS-IS routing
router isis
! Specify one or more NET addresses
net NET
! Set global routing level (default level-1-2)
is-type { level-1 | level-1-2 | level-2-only }
! Configure IPv4 route summaries
summary-address IP-address subnet-mask [level]
! Configure IPv6 route summaries
address-family ipv6
summary-prefix IPv6-prefix [level]
! Originate a default route
default-information originate

Interface Configuration

interface type number
! Enable IS-IS on an interface
ip[v6] router isis
! Specify interface routing level
isis circuit-type { level-1 | level-1-2 | level-2-only }
! Set interface metric
isis [ipv6] metric { 1-16777214 | maximum }
! Designate the network as point-to-point
isis network point-to-point
! Configure DIS election priority
isis priority 0-127 [ level-1 | level-2 ]
! Modify interface hello and dead intervals
isis hello-interval seconds [ level-1 | level-2 ]
isis hello-multiplier 3-1000 [ level-1 | level-2 ]
! Enable MD5 authentication
isis authentication mode md5
isis authentication key-chain key-chain

RIP Implementations

RIPv1 · Original RIP implementation, limited to classful routing (obsolete)

RIPv2 · Introduced support for classless routing, triggered updates, and multicast announcements (RFC 2453)

RIPng (RIP Next Generation) · Extends RIPv2 to support IPv6 routing (RFC 2080); functions very similarly to RIPv2 and is consequently just as limited

RIP Configuration

Global Configuration

! Enable RIPv2 IPv4 routing
router rip
version 2
! Disable RIPv2 automatic summarization
no auto-summary
! Designate RIPv2 interfaces by network
network IPv4-network
! Identify unicast-only neighbors
neighbor IP-address
! Originate a default route
default-information originate
! Designate passive interfaces
passive-interface {interface | default}
! Modify equal-cost load balancing
maximum-paths 1-16
! Modify timers
timers basic update invalid hold flush
! Enable RIPng IPv6 routing
ipv6 router rip name
! Toggle split-horizon and poison-reverse
[no] split-horizon
[no] poison-reverse

Interface Configuration

interface type number
! Enable RIPng on the interface
ipv6 rip name enable
! Configure manual route summarization
ip summary-address rip IPv4-address subnet-mask
ipv6 rip name summary-address IPv6-prefix
! Enable MD5 authentication (RIPv2 only)
ip rip authentication mode md5
ip rip authentication key-chain key-chain

Troubleshooting

show ip[v6] protocols

show ip[v6] rip database

debug ip rip { database | events }

debug ipv6 rip [interface]

OSPF Message Types

1 Hello · 2 DB Descr. · 3 LS Request · 4 LS Update · 5 LS Ack


RIP Terminology

Split-Horizon · Mitigates routing loops by ensuring a route is never advertised back to the neighbor from which it was learned

Poison Reverse · Learned routes are advertised back to their originator as explicitly invalid

show ip[v6] ospf [process] neighbor

Virtual Links (continued)

· Transition tool; not ideal for permanent designs

IS-IS Hello (IIH) · Establish and maintain neighbor adjacencies


OSPF Metric Formula

$$\text{cost} = \frac{\text{reference-bandwidth}}{\text{link speed}}$$

NSAP Example

Interdomain Part: AFI · IDI (0005.80ff.f800.0000)
Domain-Specific Part: HODSP (Area) 0001 · System ID 0000.0c00.1234 · SEL 00

Condensed NSAP: 49.0001.0000.0c00.1234.00 (AFI 49 · Area 0001 · System ID 0000.0c00.1234 · SEL 00)
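As an added example (not part of the packetlife sheet), a parser that splits a NET into the fields named above, counting from the right (1-byte SEL, 6-byte system ID, then the area with its AFI), together with a check of the adjacency requirements the sheet lists (unique system IDs; matching areas for level 1). The second, longer NET used in the test is a constructed value in the same format.

```python
# Added example (not from the packetlife sheet): parse an IS-IS NET into its
# NSAP fields and apply the adjacency requirements listed on this page.

import re

HEX_RE = re.compile(r"^[0-9a-f]+$")


def _group4(digits):
    """Render a hex string in the dotted 4-digit notation used for NSAPs."""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def parse_net(net):
    """Split e.g. 49.0001.0000.0c00.1234.00 into AFI, area, system ID and SEL.
    Counting from the right: 1 byte SEL, 6 bytes system ID; the 1-byte AFI and
    everything up to the system ID form the area (IDI + HODSP)."""
    digits = net.replace(".", "").lower()
    if not HEX_RE.match(digits) or len(digits) % 2:
        raise ValueError("NET must be whole hex bytes: %r" % net)
    nbytes = len(digits) // 2
    if nbytes < 8 or nbytes > 20:          # AFI + up to 13 area bytes + sysid + SEL
        raise ValueError("NET length of %d bytes is out of range" % nbytes)
    sel = digits[-2:]
    if sel != "00":
        raise ValueError("a NET must carry SEL 00, got %s" % sel)
    system_id = digits[-14:-2]
    afi = digits[:2]
    area_digits = digits[2:-14]
    area_parts = [afi] + ([_group4(area_digits)] if area_digits else [])
    return {
        "afi": afi,
        "area": ".".join(area_parts),
        "system_id": _group4(system_id),
        "sel": sel,
    }


def can_form_adjacency(net_a, net_b, level=1):
    """Apply two of the sheet's adjacency requirements: system IDs must be
    unique, and areas must match for a level-1 adjacency."""
    a, b = parse_net(net_a), parse_net(net_b)
    if a["system_id"] == b["system_id"]:
        return False, "system IDs must be unique"
    if level == 1 and a["area"] != b["area"]:
        return False, "areas must match for a level-1 adjacency"
    return True, "ok"


if __name__ == "__main__":
    print(parse_net("49.0001.0000.0c00.1234.00"))
```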


packetlife.net

by Jeremy Stretch v2.0

IOS IPV4 ACCESS LISTS

Standard ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]

Actions

permit · Allow matched packets

deny · Deny matched packets

remark · Record a configuration comment

evaluate · Evaluate a reflexive ACL

ACL Numbers

1-99, 1300-1999 · IP standard
100-199, 2000-2699 · IP extended
200-299 · Protocol
300-399 · DECnet
400-499 · XNS
500-599 · Extended XNS
600-699 · Appletalk
700-799 · Ethernet MAC
800-899 · IPX standard
900-999 · IPX extended
1000-1099 · IPX SAP
1100-1199 · MAC extended
1200-1299 · IPX summary

TCP Options

ack · Match ACK flag
fin · Match FIN flag
psh · Match PSH flag
rst · Match RST flag
syn · Match SYN flag
urg · Match URG flag
established · Match packets in an established session

Extended ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

Troubleshooting

show access-lists [<number> | <name>]

show ip access-lists [<number> | <name>]

show ip access-lists interface <interface>

show ip access-lists dynamic

show ip interface [<interface>]

show time-range [<name>]

Source/Destination Definitions

any Any address

host <address> A single address

<network> <mask> Any address matched by the wildcard mask

IP Options

dscp <DSCP> Match the specified IP DSCP

fragments Check non-initial fragments

option <option> Match the specified IP option

precedence {0-7} Match the specified IP precedence

ttl <count> Match the specified IP time to live (TTL)

TCP/UDP Port Definitions

eq <port> · Equal to
neq <port> · Not equal to
lt <port> · Less than
gt <port> · Greater than
range <port> <port> · Matches a range of port numbers

Miscellaneous Options

reflect <name> Create a reflexive ACL entry

time-range <name> Enable rule only during the given time range

Applying ACLs to Restrict Traffic

interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}


Logging Options

log Log ACL entry matches

log-input · Log matches including ingress interface and source MAC address
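As an added example (not part of the packetlife sheet), a small evaluator for the extended-ACL semantics described on this page: wildcard-mask matching of source and destination, the eq/neq/lt/gt/range port operators, the established option, first match wins, and the implicit deny that ends every access list. The ACL entries and packets are constructed sample data.

```python
# Added example (not from the packetlife sheet): evaluate constructed packets
# against a constructed extended ACL using the matching rules on this page.

from dataclasses import dataclass
from typing import Optional


def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'network wildcard'. In a wildcard mask
    a 0 bit must match and a 1 bit is ignored (the inverse of a subnet mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip_to_int(addr) == ip_to_int(parts[1])
    net, wild = (ip_to_int(p) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (net & care)


def port_match(port, op):
    """op is None (any port) or a tuple such as ('eq', 80) or ('range', 20, 21)."""
    if op is None:
        return True
    name, *args = op
    if name == "eq":
        return port == args[0]
    if name == "neq":
        return port != args[0]
    if name == "lt":
        return port < args[0]
    if name == "gt":
        return port > args[0]
    if name == "range":
        return args[0] <= port <= args[1]
    raise ValueError("unknown port operator %r" % name)


@dataclass
class Entry:
    action: str                  # permit or deny
    protocol: str                # ip, tcp, udp or icmp
    src: str
    dst: str
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None
    established: bool = False    # TCP only: ACK or RST flag set


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False
    rst: bool = False


def evaluate(acl, pkt):
    """Return the action of the first matching entry; with no match the
    implicit deny at the end of every ACL applies."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, e.src) and wildcard_match(pkt.dst, e.dst)):
            continue
        if not (port_match(pkt.sport, e.sport) and port_match(pkt.dport, e.dport)):
            continue
        if e.established and not (pkt.protocol == "tcp" and (pkt.ack or pkt.rst)):
            continue
        return e.action
    return "deny"


# Constructed sample ACL: web traffic to the server subnet, return traffic
# only for sessions the inside subnet opened, everything else denied.
SAMPLE_ACL = [
    Entry("permit", "tcp", "any", "10.0.0.0 0.0.0.255", dport=("eq", 80)),
    Entry("permit", "tcp", "any", "10.0.0.0 0.0.0.255", dport=("eq", 443)),
    Entry("permit", "tcp", "any", "192.168.1.0 0.0.0.255", dport=("gt", 1023), established=True),
    Entry("deny", "ip", "any", "any"),
]
```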


packetlife.net

by Jeremy Stretch v2.0

CISCO IOS VERSIONS

IOS Nomenclature

Release Lifecycle

First Customer Shipment (FCS) · The release is made available to Cisco customers on CCO

EOS Notice · Notification of upcoming EOS

IOS Version Verification

show version

dir <filesystem>:

verify <filesystem>:<image>

End of Sale (EOS) · The release is no longer orderable or included in manufactured shipments

End of Engineering (EOE) · The last day for software fixes; only TAC assistance is offered from this point

End of Life (EOL) · The last day for TAC support; release becomes obsolete; upgrade is only option for continued support

IOS Package Trees (figure): the feature sets shown are IP Base, IP Voice, Advanced Security, SP Services, Enterprise Base, Advanced IP Services, Enterprise Services and Advanced Enterprise Services; a second, simplified tree shows IP Base, IP Services, Advanced IP Services, Enterprise Services and Advanced Enterprise Services.

IOS Filename

c3725-entbase-mz.124-6.T.bin

c3725 · Hardware
entbase · Feature Set
m · Memory Location
z · Compression Format
124-6 · Maintenance Release and Individual Release
T · T Designator

Deployment Classifications

Mainline · 12.4(7a): 12.4 Numbered Version · 7 Maintenance Release · a Individual Release

T Train · 12.4(9)T1: 12.4 Numbered Version · 9 Maintenance Release · T New Feature Identifier · 1 Individual Release

S Train · 12.2(25)SEB4: 12.2 Numbered Version · 25 Release · 4 Individual Release

IOS XR · 3.2.1: Major Release . Minor Release . Maintenance Release

General Deployment (GD) · A major release considered qualified for deployment on critical devices

Early Deployment (ED) · Offers new feature, platform, or interface support

Deferred (DF) · Known defective images; should not be installed

Limited Deployment (LD) · A major release prior to reaching its GD milestone

Release lifecycle timeline (figure): months 0 to 96 after FCS, marking the EOS Notice, EOS, EOE and EOL milestones.


COMMON PORTS packetlife.net

TCP/UDP Port Numbers

7 Echo

19 Chargen

20-21 FTP

22 SSH/SCP

23 Telnet

25 SMTP

42 WINS Replication

43 WHOIS

49 TACACS

53 DNS

67-68 DHCP/BOOTP

69 TFTP

70 Gopher

79 Finger

80 HTTP

88 Kerberos

102 MS Exchange

110 POP3

113 Ident

119 NNTP (Usenet)

123 NTP

135 Microsoft RPC

137-139 NetBIOS

143 IMAP4

161-162 SNMP

177 XDMCP

179 BGP

201 AppleTalk

264 BGMP

318 TSP

381-383 HP Openview

389 LDAP

411-412 Direct Connect

443 HTTP over SSL

445 Microsoft DS

464 Kerberos

465 SMTP over SSL

497 Retrospect

500 ISAKMP

512 rexec

513 rlogin

514 syslog

515 LPD/LPR

520 RIP

521 RIPng (IPv6)

540 UUCP

554 RTSP

546-547 DHCPv6

560 rmonitor

563 NNTP over SSL

587 SMTP

591 FileMaker

593 Microsoft DCOM

631 Internet Printing

636 LDAP over SSL

639 MSDP (PIM)

646 LDP (MPLS)

691 MS Exchange

860 iSCSI

873 rsync

902 VMware Server

989-990 FTP over SSL

993 IMAP4 over SSL

995 POP3 over SSL

1025 Microsoft RPC

1026-1029 Windows Messenger

1080 SOCKS Proxy

1080 MyDoom

1194 OpenVPN

1214 Kazaa

1241 Nessus

1311 Dell OpenManage

1337 WASTE

1433-1434 Microsoft SQL

1512 WINS

1589 Cisco VQP

1701 L2TP

1723 MS PPTP

1725 Steam

1741 CiscoWorks 2000

1755 MS Media Server

1812-1813 RADIUS

1863 MSN

1985 Cisco HSRP

2000 Cisco SCCP

2002 Cisco ACS

2049 NFS

2082-2083 cPanel

2100 Oracle XDB

2222 DirectAdmin

2302 Halo

2483-2484 Oracle DB

2745 Bagle.H

2967 Symantec AV

3050 Interbase DB

3074 XBOX Live

3124 HTTP Proxy

3127 MyDoom

3128 HTTP Proxy

3222 GLBP

3260 iSCSI Target

3306 MySQL

3389 Terminal Server

3689 iTunes

3690 Subversion

3724 World of Warcraft

3784-3785 Ventrilo

4333 mSQL

4444 Blaster

4664 Google Desktop

4672 eMule

4899 Radmin

5000 UPnP

5001 Slingbox

5001 iperf

5004-5005 RTP

5050 Yahoo! Messenger

5060 SIP

5190 AIM/ICQ

5222-5223 XMPP/Jabber

5432 PostgreSQL

5500 VNC Server

5554 Sasser

5631-5632 pcAnywhere

5800 VNC over HTTP

5900+ VNC Server

6000-6001 X11

6112 Battle.net

6129 DameWare

6257 WinMX

6346-6347 Gnutella

6500 GameSpy Arcade

6566 SANE

6588 AnalogX

6665-6669 IRC

6679/6697 IRC over SSL

6699 Napster

6881-6999 BitTorrent

6891-6901 Windows Live

6970 Quicktime

7212 GhostSurf

7648-7649 CU-SeeMe

8000 Internet Radio

8080 HTTP Proxy

8086-8087 Kaspersky AV

8118 Privoxy

8200 VMware Server

8500 Adobe ColdFusion

8767 TeamSpeak

8866 Bagle.B

9100 HP JetDirect

9101-9103 Bacula

9119 MXit

9800 WebDAV

9898 Dabber

9988 Rbot/Spybot

9999 Urchin

10000 Webmin

10000 BackupExec

10113-10116 NetIQ

11371 OpenPGP

12035-12036 Second Life

12345 NetBus

13720-13721 NetBackup

14567 Battlefield

15118 Dipnet/Oddbob

19226 AdminSecure

19638 Ensim

20000 Usermin

24800 Synergy

25999 Xfire

27015 Half-Life

27374 Sub7

28960 Call of Duty

31337 Back Orifice

33434+ traceroute

Legend

Chat

Encrypted

Gaming

Malicious

Peer to Peer

Streaming

IANA port assignments published at http://www.iana.org/assignments/port-numbers

by Jeremy Stretch v1.1


packetlife.net

by Jeremy Stretch v2.0

FRAME MODE MPLS

Protocol Header

MPLS Configuration

! Enable CEF
ip cef
! Select label protocol
mpls label protocol ldp
! Enable MPLS on IP interfaces
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
mpls ip
! Raise MPLS MTU to accommodate multilabel stack
mpls mtu 1512

Terminology

Tag Distribution Protocol (TDP) · Cisco's proprietary predecessor to LDP

Label Distribution Protocol (LDP) · Standards-based label distribution protocol defined in RFC 3036

Interim Packet Propagation · An LSR temporarily falls back to IP routing while waiting to learn the necessary MPLS label(s)

Label-Switched Path (LSP) · The unidirectional path through one or more LSRs taken by a label-switched packet belonging to an FEC

Forwarding Equivalence Class (FEC) · A group of packets which are forwarded in an identical manner, typically by destination prefix and/or traffic class

Troubleshooting

show mpls interfaces

show mpls ldp neighbors

show mpls ldp bindings [detail] (LIB)

show mpls forwarding-table [detail] (LFIB)

show ip cef [detail] (FIB)

Label stack entry (32 bits): Label (bits 0-19) · TC (bits 20-22) · S (bit 23) · TTL (bits 24-31)

Label (20 bits) · Unique label value

Traffic Class (3 bits) · CoS-mapped QoS marking

Bottom of Stack (1 bit) · Indicates label is last in the stack

Time To Live (8 bits) · Hop counter mapped from IP TTL

Frame layout: L2 header · label stack (one or more entries) · IP packet

Label Switched Path
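As an added example (not part of the packetlife sheet), encoding and decoding of the 32-bit label stack entry laid out above, walking a stack until the bottom-of-stack bit, and the swap and pop operations an LSR performs on the top entry (the pop is what penultimate hop popping does). The two-label stack is constructed sample data.

```python
# Added example (not from the packetlife sheet): MPLS label stack entry
# encode/decode, stack walk, and the LSR swap and pop operations.

import struct


def encode_entry(label, tc, bottom, ttl):
    """Pack Label (20 bits) | TC (3) | S (1) | TTL (8) into 4 network-order bytes."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or not 0 <= ttl < 256:
        raise ValueError("tc is 3 bits, ttl is 8 bits")
    word = (label << 12) | (tc << 9) | (int(bool(bottom)) << 8) | ttl
    return struct.pack("!I", word)


def decode_entry(data):
    (word,) = struct.unpack("!I", data[:4])
    return {
        "label": word >> 12,
        "tc": (word >> 9) & 0x7,
        "bottom": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


def decode_stack(data):
    """Return the entries up to and including the one with S=1, and the
    offset at which the encapsulated IP packet begins."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack bit seen")
        entry = decode_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, offset


def swap_top_label(data, new_label, ttl_decrement=1):
    """LSR swap: replace the top label and decrement its TTL; the rest of the
    stack and the payload are carried through unchanged."""
    top = decode_entry(data)
    if top["ttl"] <= ttl_decrement:
        raise ValueError("TTL expired")
    new_top = encode_entry(new_label, top["tc"], top["bottom"], top["ttl"] - ttl_decrement)
    return new_top + data[4:]


def pop_top_label(data):
    """LSR pop (as in penultimate hop popping): remove the top entry. If it was
    the bottom of the stack, what remains is the plain IP packet."""
    decode_entry(data)   # validates that a whole entry is present
    return data[4:]


if __name__ == "__main__":
    # Constructed stack: transport label 1000 on top, VPN label 16 at the bottom.
    stack = encode_entry(1000, 0, False, 64) + encode_entry(16, 5, True, 255)
    print(decode_stack(stack))
```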

Customer (C) · IP-only routers internal to customer network

Provider Edge (PE) · LSRs on the MPLS-IP boundary

Provider (P) · MPLS-only LSRs in provider network

Customer Edge (CE) · C routers which face PE routers

Label Protocols

Attribute      | LDP       | TDP
Hello Port     | UDP/646   | UDP/711
Hello Address  | 224.0.0.2 | 255.255.255.255
Proprietary    | No        | Cisco
Adjacency Port | TCP/646   | TCP/711

Label Switched Path (figure): C routers inside the customer network connect to CE routers; the CE routers face PE routers at the edge of the provider network; P routers sit inside the provider network; the LSP runs between the two PE routers.

Conceptual Components

Forwarding/Data Plane · Forwards packets based on label or destination IP address (includes the FIB and LFIB)

Control Plane · Facilitates label exchange between neighboring LSRs using LDP or TDP (includes the LIB)

Label Switching Router (LSR) · Any router performing label switching (MPLS)

Label Information Base (LIB) · Contains all labels learned by an LSR via a label distribution protocol

Forwarding Information Base (FIB) · Routing database for unlabeled (IP) packets

Label FIB (LFIB) · Routing database for labeled (MPLS) packets

Penultimate Hop Popping (PHP) · The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup

debug mpls […]


by Ivan Pepelnjak www.NIL.com · www.NIL.com/go/community · blog.ioshints.info

MPLS VPN version 1.0

Terminology

PE-router · a provider router connected to customer networks

P-router · a provider router with no customer links

CE-router · a customer router connected to the Service Provider network

VRF · Virtual routing and forwarding table

MP-BGP · Multi-protocol BGP

VPNv4 · 96-bit address composed of 64-bit RD and 32-bit IP address

RD (Route Distinguisher) · 64-bit value that makes customer IP addresses globally unique. Usually written in the AS:NN notation.

RT (Route Target) · 64-bit BGP community that controls route import/export between VPNv4 BGP table and customer VRF

Route Distinguisher formats (8 bytes: 2-byte type, then the administrator and local identifier fields)

Type 0x0000 · AS number (2 bytes) + 4-byte local identifier (AS:NN)

Type 0x0001 · IP address (4 bytes) + 2-byte local identifier (A.B.C.D:NN)

Type 0x0002 · AS number (4 bytes) + 2-byte local identifier (AS:NN)

Route Target formats (8-byte extended community: 1-byte type, 1-byte subtype, then the same fields)

Type 0x00, subtype 0x03 · AS number (2 bytes) + 4-byte local identifier (AS:NN)

Type 0x01, subtype 0x03 · IP address (4 bytes) + 2-byte local identifier (A.B.C.D:NN)
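As an added example (not part of this cheat sheet), the three Route Distinguisher formats above encoded from and decoded to their AS:NN and A.B.C.D:NN notations, and the 96-bit VPNv4 address built from an RD and an IPv4 prefix, which is what lets two customers advertise the same private prefix without collision. The AS numbers, identifiers and prefixes are constructed sample values.

```python
# Added example (not from the cheat sheet): Route Distinguisher encoding and
# the V PNv4 address (RD + IPv4) that MP-BGP carries.

import struct
from ipaddress import IPv4Address


def encode_rd(text):
    """'65000:100' -> type 0 (2-byte AS + 4-byte local id);
    '10.1.1.1:100' -> type 1 (IPv4 + 2-byte local id);
    '4200000000:100' (AS above 65535) -> type 2 (4-byte AS + 2-byte local id)."""
    admin, local = text.split(":")
    local = int(local)
    if "." in admin:
        return struct.pack("!HIH", 1, int(IPv4Address(admin)), local)
    asn = int(admin)
    if asn > 0xFFFF:
        return struct.pack("!HIH", 2, asn, local)
    return struct.pack("!HHI", 0, asn, local)


def decode_rd(data):
    """Inverse of encode_rd: 8 bytes back to the textual notation."""
    if len(data) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    (rd_type,) = struct.unpack("!H", data[:2])
    if rd_type == 0:
        asn, local = struct.unpack("!HI", data[2:])
        return "%d:%d" % (asn, local)
    if rd_type == 1:
        ip, local = struct.unpack("!IH", data[2:])
        return "%s:%d" % (IPv4Address(ip), local)
    if rd_type == 2:
        asn, local = struct.unpack("!IH", data[2:])
        return "%d:%d" % (asn, local)
    raise ValueError("unknown RD type %d" % rd_type)


def vpnv4_address(rd_text, prefix):
    """96-bit VPNv4 address: the 64-bit RD followed by the 32-bit IPv4 address."""
    return encode_rd(rd_text) + IPv4Address(prefix).packed


def decode_vpnv4(data):
    """Split a 12-byte VPNv4 address back into (RD text, IPv4 address text)."""
    if len(data) != 12:
        raise ValueError("a VPNv4 address is exactly 12 bytes")
    return decode_rd(data[:8]), str(IPv4Address(data[8:]))


if __name__ == "__main__":
    # Two constructed customers using the same private prefix stay distinct.
    print(vpnv4_address("65000:100", "10.1.1.0").hex())
    print(vpnv4_address("65000:200", "10.1.1.0").hex())
```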

Reference diagram (figure): a P-network with P-routers P-1 and P-2 and PE-routers PE-A, PE-B, PE-C and PE-D; C-networks attached through CE-A, CE-B, CE-C and CE-D, showing a simple customer site and a multi-homed customer site.

Simple Core Design Rules

· Configure IBGP sessions between PE-routers. Use BGP route reflectors for scalability.

· Run IBGP sessions between loopback interfaces. Advertise PE loopback interface with correct mask. Do not summarize loopback addresses.

· Establish end-to-end MPLS paths between PE-routers. Use LDP in simple networks.

Simple VPN Design Rules

· Create one VRF for each customer connected to a PE-router. Use the same VRF name on all PE-routers (not required).

· Use unique RD and RT values for each customer. Make RD equal to RT. Use the same RD and RT on all PE routers.

Simple PE-CE Design Rules

· Use numbered PE-CE interfaces (private IP addresses are OK).

· Use BGP as PE-CE routing protocol if possible. When using BGP, use a unique AS number for each customer site.

· Do not mix different non-BGP PE-CE routing protocols in the same VPN. Mixing BGP with other PE-CE routing protocols is acceptable.

· Redistribute PE-CE routing protocol into MP-BGP. Redistribute connected interfaces and static routes into MP-BGP.

· If possible, do not redistribute MP-BGP into PE-CE routing protocols. Default route advertisement is simpler.

MPLS VPN resources

MPLS VPN training · http://www.nil.com/ls/mpls

MPLS VPN remote labs · http://www.nil.com/go/remote+labs

MPLS VPN articles · http://wiki.nil.com/Category:MPLS_VPN

MPLS VPN tips & tricks · http://blog.ioshints.info/search/label/MPLS%20VPN

MPLS VPN books · MPLS and VPN Architectures; MPLS and VPN Architectures, Volume II; Definitive MPLS Network Designs; MPLS Fundamentals



by Ivan Pepelnjak www.NIL.com · www.NIL.com/go/community · blog.ioshints.info

PE-router configuration

ip cef
!
ip bgp-community new-format
!
mpls ip
!
interface loopback 0
 ip address loopback-IP-address 255.255.255.255
!
interface POS1/0
 description core link
 mpls ip
!
router bgp AS-number
 neighbor remote-PE-loopback remote-as AS-number
 neighbor remote-PE-loopback update-source loopback 0
 !
 address-family vpnv4
  neighbor remote-PE-loopback activate
  neighbor remote-PE-loopback send-community both

P-router configuration

ip cef
!
mpls ip
!
interface POS1/0
 description core link
 mpls ip

Route reflector configuration

router bgp AS-number
 neighbor remote-PE-loopback remote-as AS-number
 neighbor remote-PE-loopback update-source loopback 0
 neighbor remote-PE-loopback route-reflector-client
 !
 address-family vpnv4
  neighbor remote-PE-loopback activate
  neighbor remote-PE-loopback send-community both
  neighbor remote-PE-loopback route-reflector-client

VRF configuration for a simple VPN

ip vrf vrf-name
 rd AS:NN
 route-target both AS:NN
!
interface serial1/0
 ip vrf forwarding vrf-name
 ip address address mask
!
router bgp AS
 address-family ipv4 vrf vrf-name
  redistribute connected

Running BGP with the customer

router bgp AS
 address-family ipv4 vrf vrf-name
  neighbor customer-IP remote-as customer-AS

Running OSPF with the customer

router ospf process vrf vrf-name
 network address mask area ospf-area
 redistribute bgp AS subnets
!
router bgp AS
 !
 address-family ipv4 vrf vrf-name
  redistribute ospf process match internal external

Running EIGRP with the customer

router eigrp provider-EIGRP-AS
 !
 address-family ipv4 vrf vrf-name
  autonomous-system customer-EIGRP-AS
  network customer-IP-network
  no auto-summary
  redistribute bgp AS metric bw delay rel load mtu
!
router bgp AS
 address-family ipv4 vrf vrf-name
  redistribute eigrp customer-EIGRP-AS

Static routes

ip route vrf vrf-name addr mask [interface] [next-hop]
!
router bgp AS
 !
 address-family ipv4 vrf vrf-name
  redistribute static

Running RIP with the customer

router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf vrf-name
  network customer-IP-network
  redistribute bgp AS metric transparent
!
router bgp AS
 !
 address-family ipv4 vrf vrf-name
  redistribute rip

MPLS VPN troubleshooting

ping vrf name ip address [size len] [repeat count]
trace vrf name ip address [ttl min max]
telnet address /vrf name [/source interface]
trace mpls ipv4 remote-PE-address/32
show ip vrf [detail|interfaces]
show ip protocol vrf name
show ip route vrf name
show ip cef vrf name
show ip bgp vpnv4 all summary
show ip bgp vpnv4 vrf name
show ip bgp vpnv4 vrf name prefix
show ip bgp vpnv4 rd rd-value
show ip bgp vpnv4 rd rd-value prefix


packetlife.net

by Jeremy Stretch v2.0

IEEE 802.1X

802.1X Header

Configuration

Global Configuration

! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control

Interface Configuration

! Static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3

802.1X Packet Types

0 · EAP Packet
1 · EAPOL-Start
2 · EAPOL-Logoff
3 · EAPOL-Key
4 · EAPOL-Encap-ASF-Alert

EAP Codes

1 · Request
2 · Response
3 · Success
4 · Failure

Terminology

EAP Over LANs (EAPOL) · EAP encapsulated by 802.1X for transport across LANs

Extensible Authentication Protocol (EAP) · A flexible authentication framework defined in RFC 3748

Authentication Server · A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)

Troubleshooting

show dot1x [statistics] [interface <interface>]

dot1x test eapol-capable [interface <interface>]

dot1x re-authenticate interface <interface>

EAP Header

EAP Flow Chart

SupplicantThe device (client) attached to an access link that requests authentication by the authenticator

AuthenticatorThe device that controls the status of a link; typically a wired switch or wireless access point

Guest VLANFallback VLAN for clients not 802.1X-capable

Restricted VLANFallback VLAN for clients which fail authentication

Interface Defaults

Max Auth Requests 2

Reauthentication Off

Quiet Period 60s

Reauth Period 1hr

Server Timeout 30s

EAP Req/Resp Types

1 Identity

2 Notification

3 Nak

4 MD5 Challenge

Supplicant Timeout 30s

Tx Period 30s

5 One Time Password

6 Generic Token Card

254 Expanded Types

255 Experimental

Port-Control Options

force-unauthorizedAlways unauthorized; authentication attempts are ignored

force-authorizedPort will always remain in authorized state (default)

autoSupplicants must authenticate to gain access

Identity Request

Identity Response

Challenge Request

Challenge Response

Success

Access Request

Access Challenge

Access Request

Access Accept

EAP RADIUS

Code Identifier Length Data

1 1 2

Version Type Length EAP

1 1 2

Supplicant Authenticator

Authentication

Server
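The two header layouts above (EAPOL: Version, Type, Length; EAP: Code, Identifier, Length, Data) are small enough to decode by hand. The following is an added example, not code from the cheat sheet or from any vendor: it decodes an EAPOL frame body using the type and code tables listed on the sheet, and rejects frames whose two length fields disagree with each other or with the buffer, which is the check a port-level decoder needs before trusting the payload. The helper `build_identity_response` and the sample identity `alice` are constructed for the demonstration.

```python
"""Decode an EAPOL frame body and the EAP packet it carries.

Added example (not from the packetlife cheat sheet): the field layout and
code tables are the ones the sheet lists; the sample frame is constructed.
"""
import struct

# 802.1X (EAPOL) packet types, as listed on the sheet
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
# EAP codes
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP Request/Response types
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eapol(frame: bytes) -> dict:
    """Parse the 4-byte EAPOL header (Version, Type, Length) and, for an
    EAP Packet, the 4-byte EAP header (Code, Identifier, Length) plus data.

    Both length fields are checked against the buffer so that a truncated
    or inconsistent frame raises instead of being partially decoded."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {eapol_type}")
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len:
        raise ValueError("EAPOL length exceeds frame")
    result = {"version": version, "eapol_type": EAPOL_TYPES[eapol_type]}
    if eapol_type != 0:          # Start/Logoff/Key/Alert carry no EAP header
        return result
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL length")
    result.update(code=EAP_CODES[code], identifier=ident, length=eap_len)
    data = body[4:eap_len]
    if code in (1, 2):           # only Request/Response carry a Type byte
        if not data:
            raise ValueError("Request/Response without Type")
        result["type"] = EAP_TYPES.get(data[0], f"type {data[0]}")
        result["type_data"] = data[1:]
    return result


def build_identity_response(ident: int, identity: bytes) -> bytes:
    """Build the EAPOL frame a supplicant sends in reply to an Identity
    Request (EAP Response, Type 1).  Constructed here to produce test input."""
    eap = struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


if __name__ == "__main__":
    frame = build_identity_response(7, b"alice")   # constructed sample frame
    print(parse_eapol(frame))
```

The EAP Length is validated against the enclosing EAPOL Length rather than the raw buffer, because an authenticator that trusts the inner length alone can be made to read past the frame the switch actually received.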

IEEE 802.11 WLAN · PART 1 (packetlife.net, by Jeremy Stretch, v2.2)

IEEE Standards

Standard  Modulation  Frequency  Maximum Throughput  Ratified  Channels (FCC/ETSI)
802.11a   OFDM        5 GHz      54 Mbps             1999      21/19
802.11b   DSSS        2.4 GHz    11 Mbps             1999      11/13
802.11g   DSSS/OFDM   2.4 GHz    54 Mbps             2003      11/13
802.11n   OFDM        2.4/5 GHz  300 Mbps            2009      32/32

WLAN Types

Ad Hoc · A WLAN between isolated stations with no central point of control; an IBSS
Infrastructure · A WLAN attached to a wired network via an access point; a BSS or ESS

WLAN Components

Basic Service Area (BSA) · The physical area covered by the wireless signal of a BSS
Basic Service Set (BSS) · A set of stations and/or access points which can directly communicate via a wireless medium
Distribution System (DS) · The wired infrastructure connecting multiple BSSs to form an ESS
Extended Service Set (ESS) · A set of multiple BSSs connected by a DS which appear to wireless stations as a single BSS
Independent BSS (IBSS) · An isolated BSS with no connection to a DS; an ad hoc WLAN

[Figure: an IBSS standing alone, and two BSSs joined by a DS to form an ESS]

Measuring RF Signal Strength

Decibel (dB) · An expression of signal strength as compared to a reference signal; calculated as 10log10(signal/reference)
dBm · Signal strength compared to a 1 milliwatt signal
dBw · Signal strength compared to a 1 watt signal
dBi · Compares forward antenna gain to that of an isotropic antenna

Frame Types

Type                   Class
Authentication         Management
Association            Management
Beacon                 Management
Probe                  Management
Clear to Send (CTS)    Control
Request to Send (RTS)  Control
Acknowledgment (ACK)   Control
Data                   Data

Client Association

1. Probe Request
2. Probe Response
3. Authentication Request
4. Authentication Response
5. Association Request
6. Association Response

Modulations

Scheme  Modulation  Throughput
DSSS    DBPSK       1 Mbps
DSSS    DQPSK       2 Mbps
DSSS    CCK         5.5/11 Mbps
OFDM    BPSK        6/9 Mbps
OFDM    QPSK        12/18 Mbps
OFDM    16-QAM      24/36 Mbps
OFDM    64-QAM      48/54 Mbps

Terminology

Basic Service Set Identifier (BSSID) · A MAC address which serves to uniquely identify a BSS
Service Set Identifier (SSID) · A human-friendly text string which identifies a BSS; 1-32 characters
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) · The mechanism which facilitates efficient communication across a shared wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP) · Net signal strength (transmitter power + antenna gain - cable loss)

IEEE 802.11 WLAN · PART 2 (packetlife.net, by Jeremy Stretch, v2.2)

Distributed Coordination Function (DCF)

[Figure: DCF timing for stations A, B, C and D; after each frame every station waits a DIFS, then a random backoff chosen from the contention window (the deferral period) before transmitting]

Interframe Spacing

Short IFS (SIFS) · Used to provide minimal spacing delay between control frames or data fragments
DCF IFS (DIFS) · Normal spacing enforced under DCF for management and non-fragment data frames
Arbitrated IFS (AIFS) · Variable spacing calculated to accommodate differing qualities of service (QoS)
Extended IFS (EIFS) · Extended delay imposed after errors are detected in a received frame

Encryption Schemes

Wired Equivalent Privacy (WEP) · Flawed RC4 implementation using a 40- or 104-bit pre-shared encryption key (deprecated)
Wi-Fi Protected Access (WPA) · Implements the improved RC4-based encryption Temporal Key Integrity Protocol (TKIP) which can operate on WEP-capable hardware
IEEE 802.11i (WPA2) · IEEE standard developed to replace WPA; requires a new generation of hardware to implement significantly stronger AES-based CCMP encryption

Client Authentication

Open · No authentication is used
Pre-shared Encryption Keys · Keys are manually distributed among clients and APs
Lightweight EAP (LEAP) · Cisco-proprietary EAP method introduced to provide dynamic keying for WEP (deprecated)
EAP-TLS · Employs Transport Layer Security (TLS); PKI certificates are required on the AP and clients
EAP-TTLS · Clients authenticate the AP via PKI, then form a secure tunnel inside which the client authentication takes place (clients do not need PKI certificates)
Protected EAP (PEAP) · A proposal by Cisco, Microsoft, and RSA which employs a secure tunnel for client authentication like EAP-TTLS
EAP-FAST · Developed by Cisco to replace LEAP; establishes a secure tunnel using a Protected Access Credential (PAC) in the absence of PKI certificates

Quality of Service Markings

WMM       802.11e  802.1p
Platinum  7/6      6/5
Gold      5/4      4/3
Silver    3/0      0
Bronze    2/1      2/1

Wi-Fi Multimedia (WMM) · A Wi-Fi Alliance certification for QoS; a subset of 802.11e QoS
IEEE 802.11e · Official IEEE WLAN QoS standard ratified in 2005; replaces WMM
IEEE 802.1p · QoS markings in the 802.1Q header on wired Ethernet

RF Signal Interference

Reflection · Scattering · Absorption · Refraction · Diffraction

Antenna Types

Directional · Radiates power in one focused direction
Omnidirectional · Radiates power uniformly across a plane
Isotropic · A theoretical antenna referenced when measuring effective radiated power

IOS ZONE-BASED FIREWALL (packetlife.net, by Jeremy Stretch, v1.0)

[Figure: router topology with interfaces G0/0 and G0/1 toward the MPLS WAN and the Internet, and subinterfaces G0/2.10 and G0/2.20 toward the corporate LAN and the guest wireless LAN; the three security zones are Trusted, Guest and Internet]

Security Zones

! Defining security zones
zone security Trusted
zone security Guest
zone security Internet

! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest

Zone Pair Configuration

! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet

zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet

zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted

Inspection Class Configuration

! Match by protocol
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp

! Match by access list (extended ACLs take a wildcard mask, not a subnet mask)
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
!
class-map type inspect match-all ByAccessList
 match access-group name MyACL

Inspection Policy Actions

Drop · Traffic is prevented from passing
Pass · Traffic is permitted to pass without stateful inspection
Inspect · Traffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction

Inspection Policy Configuration

policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 ! Drop and log unpermitted traffic
 class class-default
  drop log

Parameter Map Configuration

parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3

Terminology

Security Zone · A group of interfaces which share a common level of security
Zone Pair · A unidirectional pairing of source and destination zones to which a security policy is applied
Inspection Policy · An inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps
Parameter Map · An optional configuration of protocol-specific parameters referenced by an inspection policy

Troubleshooting

show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
show parameter-map type inspect
debug zone security events
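Because a zone pair is unidirectional and is the only thing that opens a path between two zones, the security posture of a zone-based firewall can be read off the zone-member and zone-pair statements alone. The following is an added example, not code from the cheat sheet or from Cisco: it parses a constructed copy of the sheet's zone configuration and applies the ZBF defaults (traffic between interfaces in the same zone passes, traffic between a zone member and a non-member is dropped, traffic between different zones is dropped unless a zone pair with a service policy covers that direction). The interface `GigabitEthernet0/3` is added to the sample to exercise the non-member case.

```python
"""Work out which direction of traffic a zone-based firewall config allows.

Added example, not part of the cheat sheet or of IOS.  It parses the zone,
zone-member and zone-pair statements and applies the ZBF default rules to an
(ingress interface, egress interface) pair.  SAMPLE_CONFIG is a constructed
copy of the sheet's example plus one interface that belongs to no zone.
"""
import re

SAMPLE_CONFIG = """
zone security Trusted
zone security Guest
zone security Internet
interface GigabitEthernet0/0
 zone-member security Trusted
interface GigabitEthernet0/1
 zone-member security Internet
interface GigabitEthernet0/2.10
 zone-member security Trusted
interface GigabitEthernet0/2.20
 zone-member security Guest
interface GigabitEthernet0/3
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted
"""


def parse_zbf(config: str):
    """Return (interface -> zone, (src_zone, dst_zone) -> policy-map name)."""
    iface_zone, pairs = {}, {}
    current_iface = current_pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current_iface, current_pair = m.group(1), None
        elif m := re.match(r"zone-member security (\S+)", line):
            iface_zone[current_iface] = m.group(1)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            current_pair, current_iface = (m.group(1), m.group(2)), None
            pairs.setdefault(current_pair, None)   # pair without policy: still drops
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            if current_pair is not None:
                pairs[current_pair] = m.group(1)
    return iface_zone, pairs


def evaluate(iface_zone, pairs, ingress: str, egress: str) -> str:
    """Apply the ZBF default rules for traffic entering `ingress` and
    leaving `egress`; when a zone pair applies, report its policy map."""
    src, dst = iface_zone.get(ingress), iface_zone.get(egress)
    if src is None and dst is None:
        return "pass (neither interface is a zone member)"
    if src == dst:
        return "pass (intra-zone)"
    if src is None or dst is None:
        return "drop (zone member to non-member)"
    policy = pairs.get((src, dst))
    if policy is None:
        return f"drop (no zone-pair {src} -> {dst})"
    return f"policy {policy}"


if __name__ == "__main__":
    zones, zone_pairs = parse_zbf(SAMPLE_CONFIG)
    for path in [("GigabitEthernet0/0", "GigabitEthernet0/1"),
                 ("GigabitEthernet0/2.20", "GigabitEthernet0/0"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/2.10")]:
        print(path, "->", evaluate(zones, zone_pairs, *path))
```

The useful output is the negative one: Guest to Trusted has no zone pair in the sheet's configuration, so the guest wireless LAN is cut off from the corporate LAN by default rather than by an explicit deny, and the inverse direction (Trusted to Guest) is likewise closed until someone adds a pair.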

IPSEC (packetlife.net, by Jeremy Stretch, v2.0)

Protocols

Internet Security Association and Key Management Protocol (ISAKMP) · A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE) · Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP) · Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH) · Provides data integrity and peer authentication, but not data encryption; IP protocol 51

Encryption Algorithms

Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong

Hashing Algorithms

Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong

IKE Phases

Phase 1 · A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)
Phase 1.5 (optional) · Xauth can optionally be implemented to enforce user authentication
Phase 2 · Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

IPsec Modes

Transport Mode · The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted
Tunnel Mode · A new IP header is created in place of the original; this allows for encryption of the entire original packet

[Figure: original packet L2 | IP | TCP/UDP; transport mode L2 | IP | ESP/AH | TCP/UDP; tunnel mode L2 | New IP | ESP/AH | IP | TCP/UDP]

Configuration

ISAKMP Policy

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600

ISAKMP Pre-Shared Key

crypto isakmp key 1 MySecretKey address 10.0.0.2

IPsec Transform Set

crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel

IPsec Profile

crypto ipsec profile MyProfile
 set transform-set MyTS

Virtual Tunnel Interface

interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

Troubleshooting

show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto {isakmp | ipsec}

Terminology

Data Origin Authentication · Authentication of the SA peer
Data Integrity · Secure hashing (HMAC) is used to ensure data has not been altered in transit
Data Confidentiality · Encryption is used to ensure data cannot be intercepted by a third party
Anti-replay · Sequence numbers are used to detect and discard duplicate packets
Hash Message Authentication Code (HMAC) · A hash of the data and secret key used to provide message authenticity
Diffie-Hellman Exchange · A shared secret key is established over an insecure path using public and private keys
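The anti-replay service listed under Terminology is more than "discard duplicates": ESP and AH number every packet on an SA and the receiver keeps a sliding window, so a packet is rejected if it is a duplicate or if it is older than the window. The following is an added example, not code from the cheat sheet or from IOS; it implements the RFC 4303 style window with a 64-packet width (an assumption; implementations choose their own size) using an integer bitmap, and shows the edge cases: reordering inside the window is accepted, a replayed number is refused, and a jump far ahead flushes the window.

```python
"""Sliding-window anti-replay check as used for ESP/AH sequence numbers.

Added example, not from the cheat sheet or from any IOS code.  Window size
64 is an assumption.  Bit i of `bitmap` records whether sequence number
(highest - i) has already been accepted.
"""


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => seq (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if seq is fresh, else False.

        In a real receiver the integrity check (HMAC) runs first and only an
        authenticated packet reaches this point; otherwise a forged packet
        with a large sequence number could slide the window and make the
        peer's genuine in-flight packets look too old."""
        if seq == 0:
            return False                       # sequence 0 is never valid
        if seq > self.highest:                 # newer than anything seen
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq            # inside or behind the window
        if offset >= self.size:
            return False                       # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                       # duplicate (replay)
        self.bitmap |= 1 << offset             # late but first-seen: accept
        return True


if __name__ == "__main__":
    w = ReplayWindow()
    for seq in (1, 3, 2, 2, 1, 100, 36, 37):
        print(seq, "accepted" if w.check_and_update(seq) else "rejected")
```

The window explains the sheet's "two unidirectional IPsec SAs": each direction has its own counter and its own window, and a rekey (new SA) resets both, which is why a sequence-number rollover forces a Phase 2 renegotiation rather than a wraparound.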

IPV4 MULTICAST (packetlife.net, by Jeremy Stretch, v2.0)

Group Ranges

224.0.0.0/24  Local network control
224.0.1.0/24  Internetwork control
232.0.0.0/8   Source-specific
233.0.0.0/8   GLOP (RFC 3180)
239.0.0.0/8   Admin-scoped

Common Groups

224.0.0.1   All hosts
224.0.0.2   All routers
224.0.1.39  Cisco RP Announce
224.0.1.40  Cisco RP Discovery

Layer 2 Addressing

Group 239.142.57.6 maps to MAC address 01-00-5E-0E-39-06:
IP   11101111 10001110 00111001 00000110
MAC  00000001 00000000 01011110 00001110 00111001 00000110
(the low 23 bits of the group address are copied into the MAC behind the fixed 01-00-5E prefix)

IGMP

IGMPv1 · Original IGMP specification
IGMPv2 · Adds support for dynamic leave requests and querier election to original IGMP
IGMPv3 · Adds multicast source filtering to v2
IGMP Snooping · A switch passively inspects IGMP requests to determine which hosts should receive multicast traffic

IGMP Configuration

IGMP Support: Router(config-if)# ip igmp [version <#>]
IGMP Snooping: Switch(config)# ip igmp snooping

IGMP Troubleshooting

show ip igmp
show ip igmp group
show ip igmp interface
show ip igmp snooping
ip igmp join-group

Protocol Independent Multicast (PIM)

Dense Mode · The initial tree encompasses all multicast routers; after a period of time, routers without IGMP members prune back branches
Sparse Mode · The tree is grown from a central rendezvous point out to the multicast source and recipients
Sparse-Dense Mode · Allows a PIM-enabled interface to function in either sparse or dense mode per group
PIMv1 · Provides automatic RP discovery with Auto-RP (Cisco proprietary)
PIMv2 · Automatic RP discovery is accomplished by the bootstrap router (BSR) method (standard)

Distribution Trees

Source-Rooted · Provides the shortest paths from the source to receivers
Shared · A common set of links which carry all multicast traffic; statically configured

PIM Configuration

ip multicast-routing
!
interface FastEthernet0/0
 ip pim {sparse-mode | dense-mode | sparse-dense-mode}
 ip pim version {1 | 2}

RP Configuration

Manual: ip pim rp-address <IP>
Auto-RP Candidate: ip pim send-rp-announce <interface>
Auto-RP Mapping Agent: ip pim send-rp-discovery scope <TTL>
BSR Candidate: ip pim bsr-candidate <interface>
BSR RP Candidate: ip pim rp-candidate <interface>

PIM Troubleshooting

show ip mroute
show ip pim interface
show ip pim neighbor
show ip pim rp [mapping]
show ip rpf <IP>

Terminology

Internet Group Management Protocol (IGMP) · Hosts send IGMP requests to local routers to join multicast groups
Reverse Path Forwarding (RPF) · Verifies that multicast traffic travels in the reverse direction of unicast traffic, away from the tree root
Cisco Group Management Protocol (CGMP) · A proprietary protocol used by switches to obtain multicast membership information for end hosts (deprecated)
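The Layer 2 mapping above discards 5 bits of the group address, so 32 different groups collide on every multicast MAC. The following is an added example, not code from the cheat sheet: it computes the MAC for any group address, enumerates the 32 groups that share it (which is why a switch doing IGMP snooping, or a host filter, must still compare the IP group and not only the MAC), and classifies a group against the sheet's range table. The sheet's own example 239.142.57.6 is used as test input; the function names are my own.

```python
"""Map an IPv4 multicast group to its Ethernet MAC address.

Added example (not from the cheat sheet).  The mapping is the one the sheet
illustrates: fixed prefix 01-00-5E, then the low 23 bits of the group
address.  Function names are assumptions of this example.
"""
import ipaddress


def multicast_mac(group: str) -> str:
    """239.142.57.6 -> '01-00-5E-0E-39-06'."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF              # keep 23 bits, drop the top 9
    mac = 0x01005E000000 | low23              # 01-00-5E prefix + group bits
    return "-".join(f"{(mac >> (8 * i)) & 0xFF:02X}" for i in range(5, -1, -1))


def groups_sharing_mac(group: str) -> list:
    """All 32 multicast groups that map to the same MAC as `group`: the 5
    bits between the 1110 class prefix and the copied 23 bits are free."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base))
            for i in range(32)]


def classify_group(group: str) -> str:
    """Name the row of the sheet's Group Ranges table that contains `group`."""
    ranges = [("224.0.0.0/24", "Local network control"),
              ("224.0.1.0/24", "Internetwork control"),
              ("232.0.0.0/8", "Source-specific"),
              ("233.0.0.0/8", "GLOP (RFC 3180)"),
              ("239.0.0.0/8", "Admin-scoped")]
    addr = ipaddress.IPv4Address(group)
    for cidr, name in ranges:
        if addr in ipaddress.IPv4Network(cidr):
            return name
    return "other"


if __name__ == "__main__":
    print(multicast_mac("239.142.57.6"), classify_group("239.142.57.6"))
    print(groups_sharing_mac("239.142.57.6"))
```

Note that 224.0.0.x (local network control) and 239.0.0.x share MACs with each other, so an admin-scoped group can land on the same frame address as a protocol control group; filtering on the MAC alone cannot separate them.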

IPV4 SUBNETTING (packetlife.net, by Jeremy Stretch, v2.0)

Subnets

CIDR  Subnet Mask      Addresses      Wildcard
/32   255.255.255.255  1              0.0.0.0
/31   255.255.255.254  2              0.0.0.1
/30   255.255.255.252  4              0.0.0.3
/29   255.255.255.248  8              0.0.0.7
/28   255.255.255.240  16             0.0.0.15
/27   255.255.255.224  32             0.0.0.31
/26   255.255.255.192  64             0.0.0.63
/25   255.255.255.128  128            0.0.0.127
/24   255.255.255.0    256            0.0.0.255
/23   255.255.254.0    512            0.0.1.255
/22   255.255.252.0    1,024          0.0.3.255
/21   255.255.248.0    2,048          0.0.7.255
/20   255.255.240.0    4,096          0.0.15.255
/19   255.255.224.0    8,192          0.0.31.255
/18   255.255.192.0    16,384         0.0.63.255
/17   255.255.128.0    32,768         0.0.127.255
/16   255.255.0.0      65,536         0.0.255.255
/15   255.254.0.0      131,072        0.1.255.255
/14   255.252.0.0      262,144        0.3.255.255
/13   255.248.0.0      524,288        0.7.255.255
/12   255.240.0.0      1,048,576      0.15.255.255
/11   255.224.0.0      2,097,152      0.31.255.255
/10   255.192.0.0      4,194,304      0.63.255.255
/9    255.128.0.0      8,388,608      0.127.255.255
/8    255.0.0.0        16,777,216     0.255.255.255
/7    254.0.0.0        33,554,432     1.255.255.255
/6    252.0.0.0        67,108,864     3.255.255.255
/5    248.0.0.0        134,217,728    7.255.255.255
/4    240.0.0.0        268,435,456    15.255.255.255
/3    224.0.0.0        536,870,912    31.255.255.255
/2    192.0.0.0        1,073,741,824  63.255.255.255
/1    128.0.0.0        2,147,483,648  127.255.255.255
/0    0.0.0.0          4,294,967,296  255.255.255.255

Decimal to Binary

Subnet Mask      Wildcard
255  1111 1111   0    0000 0000
254  1111 1110   1    0000 0001
252  1111 1100   3    0000 0011
248  1111 1000   7    0000 0111
240  1111 0000   15   0000 1111
224  1110 0000   31   0001 1111
192  1100 0000   63   0011 1111
128  1000 0000   127  0111 1111
0    0000 0000   255  1111 1111

Classful Ranges

A  0.0.0.0 - 127.255.255.255
B  128.0.0.0 - 191.255.255.255
C  192.0.0.0 - 223.255.255.255
D  224.0.0.0 - 239.255.255.255
E  240.0.0.0 - 255.255.255.255

Reserved Ranges

RFC 1918   10.0.0.0 - 10.255.255.255
RFC 1918   172.16.0.0 - 172.31.255.255
RFC 1918   192.168.0.0 - 192.168.255.255
Localhost  127.0.0.0 - 127.255.255.255

Subnet Proportion

[Figure: one /24 carved into a /25, a /26, a /27, a /28, a /29 and two /30s]

Terminology

CIDR · Classless interdomain routing was developed to provide more granularity than legacy classful addressing; CIDR notation is expressed as /XX
VLSM · Variable-length subnet masks are an arbitrary length between 0 and 32 bits; CIDR relies on VLSMs to define routes
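Every row of the Subnets table is a function of the prefix length, and the wildcard column is the bitwise inverse of the mask, which is how it appears in IOS access lists. The following is an added example, not code from the cheat sheet: it derives mask, wildcard and address count from a prefix, converts a contiguous wildcard back to a prefix and refuses a non-contiguous one (legal in an ACL, but not expressible as /XX), and checks an address against the classful and reserved ranges listed above. Function names are my own.

```python
"""Derive CIDR table rows from arithmetic and classify addresses.

Added example (not from the cheat sheet).  Reproduces the sheet's Subnets
table by computation so that a mask or ACL wildcard typed into a config
can be validated; function names are assumptions of this example.
"""
import ipaddress

RESERVED = {"RFC 1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
            "Localhost": ["127.0.0.0/8"]}


def cidr_row(prefix: int) -> tuple:
    """Return (subnet mask, wildcard, number of addresses) for /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # high bits set
    mask = str(ipaddress.IPv4Address(mask_int))
    wildcard = str(ipaddress.IPv4Address(mask_int ^ 0xFFFFFFFF))
    return mask, wildcard, 2 ** (32 - prefix)


def wildcard_to_prefix(wildcard: str) -> int:
    """Inverse of the wildcard column: 0.0.0.255 -> 24.  A non-contiguous
    wildcard such as 0.255.0.255 is valid ACL syntax but has no prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:              # must be a run of low 1-bits
        raise ValueError(f"{wildcard} is not a contiguous wildcard")
    return 32 - host_bits


def classful_class(address: str) -> str:
    """Class letter from the first octet, per the Classful Ranges table."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def reserved_range(address: str):
    """Name of the Reserved Ranges row containing `address`, or None."""
    addr = ipaddress.IPv4Address(address)
    for name, nets in RESERVED.items():
        if any(addr in ipaddress.IPv4Network(n) for n in nets):
            return name
    return None


if __name__ == "__main__":
    for p in (30, 24, 20, 12, 0):
        print(f"/{p}", *cidr_row(p))
    print(wildcard_to_prefix("0.0.15.255"), classful_class("172.20.1.1"),
          reserved_range("172.20.1.1"))
```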

IPV6 (packetlife.net, by Jeremy Stretch, v2.0)

Protocol Header

(each row is 32 bits; bit offsets 8, 16, 24, 32)
Ver | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Version (4 bits) · Always set to 6
Traffic Class (8 bits) · A DSCP value for QoS
Flow Label (20 bits) · Identifies unique flows (optional)
Payload Length (16 bits) · Length of the payload in bytes
Next Header (8 bits) · Header or protocol which follows
Hop Limit (8 bits) · Similar to IPv4's time to live field
Source Address (128 bits) · Source IP address
Destination Address (128 bits) · Destination IP address

Extension Headers

Hop-by-hop Options (0) · Carries additional information which must be examined by every router in the path
Routing (43) · Provides source routing functionality
Fragment (44) · Included when a packet has been fragmented by its source
Encapsulating Security Payload (50) · Provides payload encryption (IPsec)
Authentication Header (51) · Provides packet authentication (IPsec)
Destination Options (60) · Carries additional information which pertains only to the recipient

Address Types

Unicast · One-to-one communication
Multicast · One-to-many communication
Anycast · An address configured in multiple locations

Address Formats

Global unicast: Global Prefix (48 bits) | Subnet (16 bits) | Interface ID (64 bits)
Link-local unicast: FE80::/10 prefix padded to 64 bits | Interface ID (64 bits)
Multicast: FF (8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits)

EUI-64 Formation

The 64-bit Interface ID is formed from the 48-bit MAC address:
· Insert 0xfffe between the two halves of the MAC
· Flip the seventh bit (universal/local flag) to 1

Address Notation

· Eliminate leading zeros from all two-byte sets
· Replace up to one string of consecutive zeros with a double-colon (::)

Special-Use Ranges

::/0           Default route
::/128         Unspecified
::1/128        Loopback
::/96          IPv4-compatible*
::FFFF:0:0/96  IPv4-mapped
2001::/32      Teredo
2001:DB8::/32  Documentation
2002::/16      6to4
FC00::/7       Unique local
FE80::/10      Link-local unicast
FEC0::/10      Site-local unicast*
FF00::/8       Multicast

* Deprecated

Multicast Scopes

1  Interface-local
2  Link-local
4  Admin-local
5  Site-local
8  Org-local
E  Global

Transition Mechanisms

Dual Stack · Transporting IPv4 and IPv6 across an infrastructure simultaneously
Tunneling · IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo), or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation · Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses
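The EUI-64 and notation rules above are easy to state and easy to get subtly wrong (which bit is "the seventh", which run of zeros is the one that may become `::`). The following is an added example, not code from the cheat sheet: it forms the EUI-64 interface ID and the resulting link-local address from a MAC, and implements the two notation rules as written, choosing the longest run of zero groups (the first one on a tie) and never shortening a single zero group. The standard library's `ipaddress` module is used only as a cross-check; the sample MAC `00:1c:42:a3:5f:10` is constructed.

```python
"""EUI-64 interface IDs and IPv6 address compression, step by step.

Added example (not from the cheat sheet).  Written out rather than delegated
to the ipaddress module so the individual steps are visible; the module is
used only to cross-check.  The sample MAC in __main__ is constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """MAC in aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff form
    -> EUI-64 as four hex groups: insert fffe in the middle, flip U/L bit."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError("MAC must be 48 bits")
    raw = bytearray(bytes.fromhex(hexdigits))
    raw[0] ^= 0x02                  # seventh bit of the first octet (U/L flag)
    eui = raw[:3] + b"\xff\xfe" + raw[3:]
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix followed by the EUI-64 interface ID, compressed."""
    return compress("fe80:0:0:0:" + eui64_interface_id(mac))


def expand(address: str) -> list:
    """Return the eight 4-digit groups of an address, undoing '::'."""
    if address.count("::") > 1:
        raise ValueError("only one '::' is permitted")
    if "::" in address:
        left, right = address.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = address.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed address {address!r}")
    return [f"{int(g, 16):04x}" for g in groups]


def compress(address: str) -> str:
    """Apply the sheet's rules: drop leading zeros in every group, then
    replace the single longest run of zero groups (2 or more) with '::'."""
    stripped = [g.lstrip("0") or "0" for g in expand(address)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                    # locate the longest run of "0" groups
        if stripped[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and stripped[j] == "0":
            j += 1
        if j - i > best_len:        # strict '>' keeps the first run on a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                # a lone zero group is not shortened
        return ":".join(stripped)
    head = ":".join(stripped[:best_start])
    tail = ":".join(stripped[best_start + best_len:])
    return f"{head}::{tail}"


def matches_stdlib(address: str) -> bool:
    """Cross-check against ipaddress.IPv6Address.compressed."""
    return compress(address) == ipaddress.IPv6Address(address).compressed


if __name__ == "__main__":
    mac = "00:1c:42:a3:5f:10"      # constructed sample MAC
    print(eui64_interface_id(mac), link_local_from_mac(mac))
    print(compress("2001:0db8:0000:0000:0000:0000:0000:0001"))
```

Because the EUI-64 ID embeds the MAC, a host using it exposes its hardware address (and therefore vendor and a stable tracking identifier) in every packet, which is the reason privacy extensions generate random interface IDs instead.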

IS-IS · PART 1 (packetlife.net, by Jeremy Stretch, v2.0)

Attributes

Type            Link-State
Algorithm       Dijkstra
Metric          Default (10)
AD              115
Standard        ISO 10589
Protocols       IP, CLNS
Transport       Layer 2
Authentication  Plaintext, MD5

Network Types

Type            DIS Elected  Neighbor Discovery  Hello/Dead Timers
Broadcast       Yes          Yes                 10/30
Point-to-Point  No           Yes                 10/30

Adjacency Requirements

· Interface MTUs must match
· Areas must match (if level 1)
· Levels must match
· System IDs must be unique
· Authentication must succeed

Protocol Header

(bit offsets 4, 8, 12, 16)
IRPD | Length | Version/Protocol ID Extension | ID Length
R R R PDU Type | Version | Reserved | Maximum Area Addresses
Packet Length (PDU-specific fields follow)
TLVs: Type | Length | Value ...

Routing Levels

Level 0 · Used to locate end systems
Level 1 · Routing within an area
Level 2 · Backbone between areas
Level 3 · Inter-AS routing

DIS Election

· Highest-priority interface elected
· Highest SNPA (MAC/DLCI) breaks tie
· Highest system ID breaks SNPA tie
· Default interface priority is 64
· Current DIS may be preempted

NSAP Addressing

Interdomain Part (IDP) · Portion of the address used in routing between autonomous systems; assigned by ISO
Domain-Specific Part (DSP) · Portion of the address relevant only within the local AS
Authority and Format Identifier (AFI) · Identifies the authority which dictates the format of the address
Initial Domain Identifier (IDI) · An organization belonging to the AFI
High Order DSP (HODSP) · The area within the AS
System ID · Unique router identifier; 48 bits for Cisco devices (often taken from a MAC address)
NSAP Selector (SEL) · Identifies a network layer service; always 0x00 in a NET address

NSAP Example

Condensed NSAP: 47.0005.80ff.f800.0000.0001.0000.0c00.1234.00
Interdomain Part: AFI 47, IDI 0005
Domain-Specific Part: HODSP 80ff.f800.0000.0001, System ID 0000.0c00.1234, SEL 00
Area (AFI + IDI + HODSP): 47.0005.80ff.f800.0000.0001

Terminology

Type-Length-Value (TLV) · Variable-length modular datasets
Link State PDU (LSP) · Carry TLVs encompassing link state information
Sequence Number Packet (SNP) · Used to request and advertise LSPs; can be complete (CSNP) or partial (PSNP)
Hello Packet · Establishes and maintains neighbor adjacencies
Designated Intermediate System · A pseudonode responsible for emulating point-to-point links across a multi-access segment

Troubleshooting

show ip route
show ip protocols
show [clns|isis] neighbor
show [clns|isis] interface
show isis database
show isis spf-log
debug isis spf-events
debug isis adjacencies-packets
debug isis spf-statistics
debug isis update-packets

IS-IS · PART 2 (packetlife.net, by Jeremy Stretch, v2.0)

TLV Types

Type  Name                  Use
1     Area Addresses        Hello, LSP
2     IS Neighbors          LSP
3     ES Neighbors          L1 LSP
5     Prefix Neighbors      L2 LSP
6     IS Neighbors          Hello
8     Padding               Hello
9     LSP Entries           SNP
10    Authentication        All
128   IP Internal Reach.    LSP
129   Protocols Supported   Hello, LSP
131   IDRPI                 L2 LSP
132   IP Interface Address  Hello, LSP

Configuration Example

[Figure: Area 1 (192.168.1.0/24) with routers A1, A2, A3; Area 2 (192.168.2.0/24) with B1, B2, B3; Area 3 (192.168.3.0/24) with C1, C2, C3; Frame Relay point-to-point links A1-B1 on 10.0.0.0/30, A1-C1 on 10.0.0.4/30 and B1-C1 on 10.0.0.8/30]

Router A1

interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 2
 ip address 10.0.0.1 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.5 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 102
!
router isis
 net 49.0001.0000.0000.00a1.00

Router A2

interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0001.0000.0000.00a2.00

Router B1

interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 1
 ip address 10.0.0.2 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.9 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 103
!
router isis
 net 49.0002.0000.0000.00b1.00

Router B2

interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0002.0000.0000.00b2.00
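The NETs in the configuration above (and the NSAP example in Part 1) are read from the right: the last byte is the selector, the six before it are the System ID, and everything else is the area address whose first byte is the AFI. The following is an added example, not code from the cheat sheet: it splits a NET into those fields and applies two of Part 1's adjacency requirements, duplicate System IDs and mismatched areas on a level-1 link, to a pair of routers from the example. Function names are my own.

```python
"""Split an IS-IS NET into its NSAP fields and check adjacency rules.

Added example (not from the cheat sheet).  Parses the NETs used in the
sheet's configuration example and the Part 1 NSAP example, and applies two
of the listed adjacency requirements: unique System IDs, and matching areas
for a level-1 adjacency.  Function names are assumptions of this example.
"""


def parse_net(net: str) -> dict:
    """Dotted-hex NET -> {'afi', 'area', 'system_id', 'sel'}.

    Reading from the right: SEL (1 byte, must be 00), System ID (6 bytes),
    remaining 1..13 bytes are the area address, whose first byte is the AFI."""
    hexdigits = net.replace(".", "").lower()
    if len(hexdigits) % 2 or not all(c in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"{net!r} is not a dotted hex byte string")
    octets = bytes.fromhex(hexdigits)
    if not 8 <= len(octets) <= 20:
        raise ValueError("NSAP must be 8 to 20 bytes long")
    sel, sysid, area = octets[-1], octets[-7:-1], octets[:-7]
    if sel != 0:
        raise ValueError("NET selector must be 00")
    return {"afi": f"{area[0]:02x}",
            "area": area.hex(),
            "system_id": ".".join(sysid.hex()[i:i + 4] for i in range(0, 12, 4)),
            "sel": "00"}


def can_form_adjacency(net_a: str, net_b: str, level: int) -> tuple:
    """(True, 'ok') or (False, reason) for two routers' NETs at a level."""
    a, b = parse_net(net_a), parse_net(net_b)
    if a["system_id"] == b["system_id"]:
        return False, "duplicate system ID"
    if level == 1 and a["area"] != b["area"]:
        return False, f"area mismatch {a['area']} vs {b['area']}"
    return True, "ok"


if __name__ == "__main__":
    print(parse_net("47.0005.80ff.f800.0000.0001.0000.0c00.1234.00"))
    print(can_form_adjacency("49.0001.0000.0000.00a1.00",
                             "49.0002.0000.0000.00b1.00", 1))
    print(can_form_adjacency("49.0001.0000.0000.00a1.00",
                             "49.0002.0000.0000.00b1.00", 2))
```

Run against the example, A1 and B1 cannot form a level-1 adjacency (areas 49.0001 and 49.0002 differ) but can form a level-2 one, which is exactly why their Serial1/0.1 subinterfaces are configured `level-2-only` and their FastEthernet0/0 interfaces `level-1`.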

MARKDOWN (packetlife.net, by Jeremy Stretch, v2.0)

Each entry shows the Markdown source followed by the HTML it produces.

Headers

# Text  ->  <h1>Text</h1>
## Text  ->  <h2>Text</h2>
### Text  ->  <h3>Text</h3>
#### Text  ->  <h4>Text</h4>
##### Text  ->  <h5>Text</h5>
###### Text  ->  <h6>Text</h6>

Blockquotes

> Lorem ipsum
> dolor sit amet
->  <blockquote><p>Lorem ipsum dolor sit amet</p></blockquote>

> Lorem ipsum dolor
sit amet
->  <blockquote><p>Lorem ipsum dolor sit amet</p></blockquote>

> Level one
>
> > Level two
> >
> > > Level three
->  <blockquote><p>Level one</p><blockquote><p>Level two</p><blockquote><p>Level three</p></blockquote></blockquote></blockquote>

Lists

* Sizes
* Shapes
* Colors
    * Blue
    * Green
->  <ul><li>Sizes</li><li>Shapes</li><li>Colors<ul><li>Blue</li><li>Green</li></ul></li></ul>

1. First
2. Second
3. Third
    1. Alpha
    2. Bravo
->  <ol><li>First</li><li>Second</li><li>Third<ol><li>Alpha</li><li>Bravo</li></ol></li></ol>

Code Blocks

Normal text

    #include <stdio.h>
->  <p>Normal text</p><pre><code>#include &lt;stdio.h&gt;</code></pre>

Inline Code

Use `<div>` tags  ->  Use <code>&lt;div&gt;</code> tags
``echo `uname -a```  ->  <code>echo `uname -a`</code>

Horizontal Rules

* * *  ->  <hr />
***  ->  <hr />
- - -  ->  <hr />
---  ->  <hr />

Emphasis

*Emphasis*  ->  <em>Emphasis</em>
_Emphasis_  ->  <em>Emphasis</em>
**Strong**  ->  <strong>Strong</strong>
__Strong__  ->  <strong>Strong</strong>
*Super*emphasis  ->  <em>Super</em>emphasis
**Super**strong  ->  <strong>Super</strong>strong

Escapable Characters

\  Backslash
`  Backtick
*  Asterisk
_  Underscore
{ }  Curly braces
[ ]  Square brackets
( )  Parentheses
#  Hash mark
+  Plus sign
-  Hyphen
.  Period
!  Exclamation

Links

[Google](http://google.com/)  ->  <a href="http://google.com/">Google</a>
[Google](http://google.com/ "Search")  ->  <a href="http://google.com/" title="Search">Google</a>
[google]: http://google.com/ "Search"
[Google][google]  ->  <a href="http://google.com/" title="Search">Google</a>
<http://google.com>  ->  <a href="http://google.com/">http://google.com</a>

Images

![Alt text](/path/to/img.jpg)  ->  <img src="/path/to/img.jpg" alt="Alt text"/>
![Alt text](/path/to/img.jpg "Title")  ->  <img src="/path/to/img.jpg" alt="Alt text" title="Title"/>
[img1]: /path/to/img.jpg "Title"
![Alt text][img1]  ->  <img src="/path/to/img.jpg" alt="Alt text" title="Title"/>

Markdown is available at http://daringfireball.net/projects/markdown/

MEDIAWIKI (packetlife.net, by Jeremy Stretch, v2.1)

Each entry shows the wiki markup followed by the HTML it produces.

Headers

=Text=  ->  <h1>Text</h1>
==Text==  ->  <h2>Text</h2>
===Text===  ->  <h3>Text</h3>
====Text====  ->  <h4>Text</h4>
=====Text=====  ->  <h5>Text</h5>
======Text======  ->  <h6>Text</h6>

Code

<code>Text</code>  ->  <code>Text</code>
<code><pre>Text</pre></code>  ->  <code><pre>Text</pre></code>
<tt>Text</tt>  ->  <tt>Text</tt>

Miscellaneous

<nowiki>Suppress [[wiki]]'''markup'''</nowiki>  ->  Suppress [[wiki]]'''markup''' (rendered literally)
<!-- a comment -->  ->  <!-- a comment -->

Lists

* Sizes
* Shapes
* Colors
** Blue
** Green
->  <ul><li>Sizes</li><li>Shapes</li><li>Colors<ul><li>Blue</li><li>Green</li></ul></li></ul>

# First
# Second
# Third
->  <ol><li>First</li><li>Second</li><li>Third</li></ol>

; Term 1 : Foo
; Term 2 : Bar
; Term 3 : Baz
->  <dl><dt>Term 1</dt><dd>Foo</dd><dt>Term 2</dt><dd>Bar</dd><dt>Term 3</dt><dd>Baz</dd></dl>

Formatting

''Text''  ->  <i>Text</i>
'''Text'''  ->  <b>Text</b>
'''''Text'''''  ->  <i><b>Text</b></i>
<ins>Text</ins>  ->  <ins>Text</ins>
<del>Text</del>  ->  <del>Text</del>

Templates

Unnamed variables: Books by {{{1}}}
Invoking the template: {{Author|Palahniuk}}
Named variables: Books by {{{name}}}
Invoking the template: {{Author|name=Palahniuk}}

Categories

Assign object to a category: [[Category:Humor]]
Link to a category: [[:Category:Humor]]

Links

[[packet switching]]  ->  <a href="Packet_switching">packet switching</a>
[[packet switching|packet switched]]  ->  <a href="Packet_switching">packet switched</a>
IP [[network]]ing  ->  IP <a href="Network">networking</a>
IEEE [[802.3 (Ethernet)|]]  ->  IEEE <a href="802.3_(Ethernet)">802.3</a>
[http://google.com/]  ->  <a href="http://google.com/">http://google.com/</a>
[http://google.com/ Google]  ->  <a href="http://google.com/">Google</a>

Images

[[Image:photo.png]]  ->  <a href="Image:photo.png"><img src="photo.png" /></a>
[[Image:photo.png|Alt text]]  ->  <a href="Image:photo.png"><img src="photo.png" alt="Alt text" /></a>
[[Image:photo.png|30 px]]  ->  <a href="Image:photo.png"><img src="30px-photo.png" /></a>
[[:Image:photo.png|A photo]]  ->  <a href="Image:photo.png">A photo</a>

Tables

{|  Starts a table
|+  Table caption (optional; one per table)
|-  Begin a new row
!   Table header
|   Table cell
|}  Table end

PHYSICAL TERMINATIONS (packetlife.net, by Jeremy Stretch, v1.1)

Optical Terminations

ST (Straight Tip)
SC (Subscriber Connector)
LC (Local Connector)
MT-RJ

Wireless Antennas

RP-TNC
RP-SMA

Copper Terminations

RJ-45
RJ-11
RJ-21 (25-pair)
DE-9 (Female)
DB-25 (Male)
DB-60 (Male)

GBICs

1000Base-SX/LX
1000Base-T
Cisco GigaStack
1000Base-SX/LX SFP
1000Base-T SFP
X2 (10Gig)

Page 32: MergedFileBackup Spanning Tree Operation Determine root bridge The bridge advertising the lowest bridge ID becomes the root bridge Select root port Each bridge selects its primary

packetlife.net

by Jeremy Stretch v1.2

POINT-TO-POINT PROTOCOL

LCP Header

Code Identifier Length

8 16 24 32

General PPP Configuration

! Configure a peer account if authentication will be usedusername peer-hostname password password

! Configure a local IP address pool if neededip pool name first-IP last-IP

interface Serial0/0! Enable PPP encapsulationencapsulation ppp! Enable CHAP and/or PAP for authenticationppp authentication { chap | pap } [ chap | pap ]! Enable compressioncompress { predictor | stac }! Enable peer IP address assignment (server side)peer default ip address { pool name | IP-address }! Enable IP address negotiation (client side)ip address negotiated

Troubleshooting

show ppp multilink
debug ppp authentication
debug ppp { negotiation | packet }

PPP Components

Link Control Protocol (LCP) · Provides for the establishment, configuration, and maintenance of a PPP link. Protocol-independent options are negotiated by LCP.

Network Control Protocol (NCP) · A separate NCP is used to negotiate the configuration of each network layer protocol (such as IP) carried by PPP.

PPP Header (32 bits): Address | Control | Protocol

Connection Phase Flowchart (diagram): phases Dead, Establish, Authenticate, Network and Terminate, with transitions labelled Auth Required, No Auth, Success, Failure and Admin Shutdown.

Authentication Protocols

Plaintext Authentication Protocol (PAP) · Original, obsolete authentication protocol which relies on the exchange of a plaintext key to authenticate peers (RFC 1334).

Challenge Handshake Authentication Protocol (CHAP) · Authenticates peers using the MD5 checksum of a pre-shared secret key (RFC 1994).

PPP Features

Protocol Multiplexing · Multiple NCPs

Optional Compression · Stacker/predictor

Loopback Detection · Provided by LCP

Load Balancing · Multilink PPP

Optional Authentication · PAP/CHAP

Multilink PPP Configuration

! Create the multilink interface
interface Multilink1
 ip address IP-address subnet-mask
 ppp multilink group group

! Assign physical interfaces to the multilink group
interface Serial0/0
 encapsulation ppp
 ppp multilink group group

PPP Summary

Standard · RFC 1661

Interfaces · Asynchronous serial, synchronous serial, ISDN, HSSI

PPP Compression Algorithms

Stacker · Replaces repetitive data with symbols from a dynamic dictionary (more processor-intensive)

Predictor · Attempts to predict sequential data (more memory-intensive)

PPP Connection Example

LCP Configuration Request

LCP Configuration Ack

CHAP Challenge

CHAP Response

CHAP Success

IP Control Configuration Request

IP Control Configuration Ack

CDP Control Configuration Request

CDP Control Configuration Ack

Extensible Authentication Protocol (EAP) · Provides MD5-based authentication similar to CHAP (RFC 3748). Could be expanded to support other EAP mechanisms as well.
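The CHAP Challenge / Response / Success steps of the connection example above, carried out in Python as an added illustration (this is not code from the cheat sheet or from any PPP implementation). The response value follows RFC 1994: MD5 over the one-octet Identifier, the shared secret and the challenge value. The peer name and secret are constructed, and the `Authenticator` class, `run_exchange` and the single-use challenge table are this example's own design. Two properties worth seeing in code: the secret never crosses the link (unlike PAP), but both sides must hold it in recoverable form, and a fresh challenge per attempt is what makes a captured response useless on replay.

```python
import hashlib
import hmac
import os

# Constructed peer database for the authenticator side. CHAP needs the shared
# secret in recoverable form on both peers, so it is held here in the clear.
PEERS = {"router-b": b"s3cret-constructed"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that sends the CHAP Challenge and answers with Success or Failure."""

    def __init__(self, peers: dict):
        self.peers = peers
        self.pending = {}  # identifier -> outstanding challenge value

    def challenge(self, identifier: int, length: int = 16) -> bytes:
        value = os.urandom(length)  # fresh, unpredictable value for every challenge
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(identifier, None)  # one use only: a replayed response cannot match
        if value is None or name not in self.peers:
            return False
        expected = chap_response(identifier, self.peers[name], value)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange(auth: Authenticator, name: str, secret: bytes, identifier: int = 1) -> bool:
    """Challenge -> Response -> Success/Failure, as in the sheet's connection example."""
    value = auth.challenge(identifier)                   # CHAP Challenge (authenticator)
    response = chap_response(identifier, secret, value)  # CHAP Response (peer)
    return auth.verify(identifier, name, response)       # CHAP Success (True) or Failure (False)


if __name__ == "__main__":
    auth = Authenticator(PEERS)
    print("correct secret:", run_exchange(auth, "router-b", PEERS["router-b"]))
    print("wrong secret:  ", run_exchange(auth, "router-b", b"guess"))
```

MD5 is kept here because that is what RFC 1994 specifies; the protocol's strength rests on the secret and on challenge freshness, not on the hash, which is why EAP methods with stronger bindings replaced it in later deployments.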


packetlife.net

by Jeremy Stretch v2.0

QUALITY OF SERVICE · PART 1

Quality of Service Models

Best Effort · No QoS policies are implemented

Integrated Services (IntServ) · Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-flow across all nodes in a path

Differentiated Services (DiffServ) · Packets are individually classified and marked; policy decisions are made independently by each node in a path

Layer 2 QoS Markings

Medium        Name                        Type
Ethernet      Class of Service (CoS)      3-bit 802.1p field in 802.1Q header
Frame Relay   Discard Eligibility (DE)    1-bit drop eligibility flag
ATM           Cell Loss Priority (CLP)    1-bit drop eligibility flag
MPLS          Traffic Class (TC)          3-bit field compatible with 802.1p

IP Type of Service (TOS)

(Diagram: IPv4 header Ver | HL | TOS | Len; the first three bits of the TOS byte form the Precedence field and the first six bits form the DSCP.)

Precedence/DSCP

Binary   Name       DSCP   Prec.
111000   Reserved   56     7
110000   Reserved   48     6
101110   EF         46     5
100000   CS4        32     4
100010   AF41       34     4
100100   AF42       36     4
100110   AF43       38     4
011000   CS3        24     3
011010   AF31       26     3
011100   AF32       28     3
011110   AF33       30     3
010000   CS2        16     2
010010   AF21       18     2
010100   AF22       20     2
010110   AF23       22     2
001000   CS1        8      1
001010   AF11       10     1
001100   AF12       12     1
001110   AF13       14     1
000000   BE         0      0

IP QoS Markings

IP Precedence · The first three bits of the IP TOS field; limited to 8 traffic classes

Differentiated Services Code Point (DSCP) · The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence
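The TOS-byte arithmetic behind the Precedence/DSCP table, as an added Python example (not code from the cheat sheet): the DSCP is the top six bits of the TOS byte, the precedence is the top three bits of the DSCP, and the AF codepoints are built from a class and a drop precedence. It goes slightly beyond the table by also decoding the two ECN bits and by showing a trust-boundary re-mark, where a marking not on an allow-list is reset to best effort; the allow-list in `remark_at_trust_boundary` is constructed for the example. The sheet lists DSCP 48 and 56 as reserved, so `phb_name` follows that rather than the CS6/CS7 labels used elsewhere.

```python
# IPv4 TOS byte layout: DSCP (6 bits) | ECN (2 bits). IP Precedence = top 3 bits of the DSCP.


def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F


def ecn_from_tos(tos: int) -> int:
    return tos & 0x3


def precedence_of(dscp: int) -> int:
    return dscp >> 3


def phb_name(dscp: int) -> str:
    """Name the per-hop behaviour a DSCP value selects, using the sheet's table."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    if dscp in (48, 56):
        return "Reserved"  # the sheet lists these two (CS6/CS7, network control) as reserved
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"CS{cls}"  # class selector: low three bits zero, so it maps 1:1 to precedence
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"  # assured forwarding: class 1-4, drop precedence 1-3
    return f"DSCP{dscp}"  # not a standard PHB


def af_dscp(cls: int, drop_precedence: int) -> int:
    """Encode AFxy: the class occupies the top three bits, the drop precedence the next two."""
    if not (1 <= cls <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop_precedence << 1)


def decode_tos(tos: int) -> dict:
    dscp = dscp_from_tos(tos)
    return {"dscp": dscp, "binary": f"{dscp:06b}", "phb": phb_name(dscp),
            "precedence": precedence_of(dscp), "ecn": ecn_from_tos(tos)}


def standard_table() -> list:
    """Regenerate the sheet's Precedence/DSCP table as (binary, name, dscp, precedence) rows."""
    codepoints = (56, 48, 46, 32, 34, 36, 38, 24, 26, 28, 30, 16, 18, 20, 22, 8, 10, 12, 14, 0)
    return [(f"{d:06b}", phb_name(d), d, precedence_of(d)) for d in codepoints]


# Constructed allow-list for a trust boundary: anything else is re-marked to best effort.
TRUSTED_DSCPS = frozenset({46, 24, 18, 20, 22})


def remark_at_trust_boundary(dscp: int, trusted=TRUSTED_DSCPS) -> int:
    return dscp if dscp in trusted else 0


if __name__ == "__main__":
    for row in standard_table():
        print("%s  %-8s %3d  %d" % row)
    print(decode_tos(0xB8))
```

A TOS byte of 0xB8 (binary 10111000) is the value a packet marked EF actually carries on the wire: the top six bits are 101110 (46) and the ECN bits are 00.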

QoS Flowchart (diagram): an arriving packet goes straight into the Hardware Queue unless the hardware queue is full ("HW Queue Full?" No); if it is full (Yes), a Queuing Decision places the packet into one of several Software Queues, from which the Scheduler feeds the Hardware Queue.

Terminology

Per-Hop Behavior (PHB) · The individual QoS action performed at each independent DiffServ node

Trust Boundary · Beyond this, inbound QoS markings are not trusted

Tail Drop · Occurs when a packet is dropped because a queue is full

Policing · Imposes an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the policer rate is reclassified or dropped

Shaping · Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay

DSCP Per-Hop Behaviors

Class Selector (CS) · Backward-compatible with IP Precedence values

Assured Forwarding (AF) · Four classes with variable drop preferences

Expedited Forwarding (EF) · Priority queuing for delay-sensitive traffic

Congestion Avoidance

Random Early Detection (RED) · Packets are randomly dropped before a queue is full to prevent tail drop; mitigates TCP synchronization

Weighted RED (WRED) · RED with the added capability of recognizing prioritized traffic based on its marking

TCP Synchronization · Flows adjust TCP window sizes in synch, making inefficient use of a link

Class-Based WRED (CBWRED) · WRED employed inside a class-based WFQ (CBWFQ) queue


packetlife.net

by Jeremy Stretch v2.0

QUALITY OF SERVICE · PART 2

Queuing Comparison

                             FIFO        PQ          CQ          WFQ         CBWFQ       LLQ
Number of Queues             1           4           Configured  Dynamic     Configured  Configured
Configurable Classes         No          Yes         Yes         No          Yes         Yes
Bandwidth Allocation         Automatic   Automatic   Configured  Automatic   Configured  Configured
Provides for Minimal Delay   No          Yes         No          No          No          Yes
Modern Implementation        Yes         No          No          No          Yes         Yes
Default on Interfaces        >2 Mbps     -           -           <=2 Mbps    -           -

LLQ Config Example

Class Definitions

! Match packets by DSCP value
class-map match-all Voice
 match dscp ef
!
class-map match-all Call-Signaling
 match dscp cs3
!
class-map match-any Critical-Apps
 match dscp af21 af22
!
! Match packets by access list
class-map match-all Scavenger
 match access-group name Other

Policy Creation

policy-map Foo
 class Voice
  ! Priority queue policed to 33%
  priority percent 33
 class Call-Signaling
  ! Allocate 5% of bandwidth
  bandwidth percent 5
 class Critical-Apps
  bandwidth percent 20
  ! Extend queue size to 96 packets
  queue-limit 96
 class Scavenger
  ! Police to 64 kbps
  police cir 64000 conform-action transmit exceed-action drop
 class class-default
  ! Enable WFQ
  fair-queue
  ! Enable WRED
  random-detect

Policy Application

interface Serial0
 ! Apply the policy in or out
 service-policy output Foo

Troubleshooting

show policy-map [interface]
show interface
show queue <interface>
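What the `police cir 64000 conform-action transmit exceed-action drop` line in the Scavenger class does, and how that differs from shaping, as an added Python simulation (not cheat-sheet code and not a model of any specific router's implementation). A single token bucket holds bytes; it refills at the committed rate and is capped at the burst size Bc. A policer transmits a packet only if the bucket holds enough bytes and drops it otherwise, whereas a shaper holds the packet and releases it as soon as the bucket will have refilled enough, trading drops for delay. The packet trace, the 1000-byte burst size and the function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TokenBucket:
    """Single-rate token bucket: tokens are bytes, refilled at CIR bits/s, capped at Bc bytes."""
    cir_bps: float
    bc_bytes: float
    tokens: Optional[float] = None
    last_t: float = 0.0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = self.bc_bytes  # the bucket starts full

    def refill(self, now: float) -> None:
        if now > self.last_t:
            self.tokens = min(self.bc_bytes, self.tokens + (now - self.last_t) * self.cir_bps / 8)
            self.last_t = now


def police(packets: List[Tuple[float, int]], cir_bps: float, bc_bytes: float) -> List[str]:
    """conform-action transmit, exceed-action drop: one verdict per (arrival time, size) packet."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    verdicts = []
    for t, size in packets:
        bucket.refill(t)
        if bucket.tokens >= size:
            bucket.tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")  # dropped; the bucket is left untouched
    return verdicts


def shape(packets: List[Tuple[float, int]], cir_bps: float, bc_bytes: float) -> List[float]:
    """Same bucket, but excess packets wait: returns the release time of every packet."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    release = []
    for t, size in packets:
        bucket.refill(t)
        send_at = t
        if bucket.tokens < size:
            # Wait until the deficit has been refilled, measured from the last bucket update
            # (which may be later than this packet's arrival if earlier packets are still queued).
            send_at = bucket.last_t + (size - bucket.tokens) * 8 / cir_bps
            bucket.refill(send_at)
        bucket.tokens -= size
        release.append(send_at)
    return release


# Constructed trace: a burst of five 500-byte packets at t=0, then one more half a second later.
BURST = [(0.0, 500)] * 5 + [(0.5, 500)]

if __name__ == "__main__":
    print("policed:", police(BURST, cir_bps=64000, bc_bytes=1000))
    print("shaped release times:", shape(BURST, cir_bps=64000, bc_bytes=1000))
```

At 64 kbps the bucket earns 8000 bytes per second, so a 500-byte packet costs 62.5 ms of credit: the policer passes the two packets the 1000-byte burst allowance covers and drops the next three, while the shaper releases those three at 62.5 ms intervals. Exceeding traffic can also be re-marked instead of dropped (the sheet's "reclassified"), which is the usual choice for a scavenger class.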

First In First Out (FIFO)

· Packets are transmitted in the order they are processed
· No prioritization is provided
· Default queuing method on high-speed (>2 Mbps) interfaces
· Configurable with the tx-ring-limit interface config command

(Diagram: a single queue feeding the Hardware Queue / Tx Ring)

Priority Queuing (PQ)

· Provides four static queues which cannot be reconfigured
· Higher-priority queues are always emptied before lower-priority queues
· Lower-priority queues are at risk of bandwidth starvation

(Diagram: High, Medium, Normal and Low queues feeding the Hardware Queue)

Custom Queuing (CQ)

· Rotates through queues using Weighted Round Robin (WRR)
· Processes a configurable number of bytes from each queue per turn
· Prevents queue starvation but does not provide for delay-sensitive traffic

(Diagram: Queues A, B and C served for 500, 4500 and 1500 B/cycle, feeding the Hardware Queue)

Weighted Fair Queuing (WFQ)

· Queues are dynamically created per flow to ensure fair processing
· Statistically drops packets from aggressive flows more often
· No support for delay-sensitive traffic

(Diagram: per-flow queues Flow 1, Flow 2 ... Flow n feeding the Hardware Queue)

Class-Based WFQ (CBWFQ)

· WFQ with administratively configured queues
· Each queue is allocated an amount/percentage of bandwidth
· No support for delay-sensitive traffic

(Diagram: Queue A with 512 Kbps Min, Queue B with 1024 Kbps Min and a Default queue receiving the Remainder, feeding the Hardware Queue)

Low Latency Queuing (LLQ)

· CBWFQ with the addition of a policed strict-priority queue
· Highly configurable while still supporting delay-sensitive traffic

(Diagram: a Priority queue with 512 Kbps Max, Queue A with 512 Kbps Min, Queue B with 1024 Kbps Min and a Default queue receiving the Remainder, feeding the Hardware Queue)

show mls qos


packetlife.net

by Jeremy Stretch v1.0

SCAPY

Constructing Packets

# Setting protocol fields
>>> ip=IP(src="10.0.0.1")
>>> ip.dst="10.0.0.2"

# Combining layers
>>> l3=IP()/TCP()
>>> l2=Ether()/l3

# Splitting layers apart
>>> l2.getlayer(1)
<IP frag=0 proto=tcp |<TCP |>>
>>> l2.getlayer(2)
<TCP |>

Basic Commands

ls() · List all available protocols and protocol options

lsc() · List all available scapy command functions

conf · Show/set scapy configuration parameters

Specifying Addresses and Values

# Explicit IP address (use quotation marks)
>>> IP(dst="192.0.2.1")

# DNS name to be resolved at time of transmission
>>> IP(dst="example.com")

# IP network (results in a packet template)
>>> IP(dst="192.0.2.0/24")

# Random addresses with RandIP() and RandMAC()
>>> IP(dst=RandIP())
>>> Ether(dst=RandMAC())

# Set a range of numbers to be used (template)
>>> IP(ttl=(1,30))

# Random numbers with RandInt() and RandLong()
>>> IP(id=RandInt())

Displaying Packets

# Show an entire packet
>>> (Ether()/IPv6()).show()
###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:00:00:00:00:00
  type= 0x86dd
###[ IPv6 ]###
  version= 6
  tc= 0
  fl= 0
  plen= None
  nh= No Next Header
  hlim= 64
  src= ::1
  dst= ::1

# Show field types with default values
>>> ls(UDP())
sport : ShortEnumField = 1025 (53)
dport : ShortEnumField = 53 (53)
len : ShortField = None (None)
chksum : XShortField = None (None)
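What scapy does behind `Ether()/IP()/UDP()` and `getlayer()`, shown with nothing but the standard library as an added example (this is not scapy's code and not from the cheat sheet). Building the frame fills in the length and the IPv4 header checksum that scapy leaves at `None` until transmission; dissecting it splits the bytes back into Ether, IP and UDP layers and verifies the checksum, which is the part a capture-parsing or IDS tool cares about. All addresses, ports and the payload are constructed values.

```python
import struct

ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; yields 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload, ttl=64, ident=1) -> bytes:
    """Ether()/IP()/UDP()/payload with the lengths and IP checksum filled in, as scapy does on send."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = omitted (legal over IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0, ttl, PROTO_UDP, 0,
                         _ip(src_ip), _ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


def dissect(frame: bytes) -> dict:
    """Split a frame into its layers, the way l2.getlayer(1) / getlayer(2) do in scapy."""
    layers = {"Ether": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                        "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["Ether"]["type"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return layers
    ihl = (frame[14] & 0x0F) * 4  # header length in bytes (options included)
    ip_hdr = frame[14:14 + ihl]
    _, tos, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    layers["IP"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
                    "proto": proto, "len": total_len, "id": ident, "tos": tos,
                    "chksum_ok": ip_checksum(ip_hdr) == 0}
    if proto == PROTO_UDP:
        start = 14 + ihl
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[start:start + 8])
        layers["UDP"] = {"sport": sport, "dport": dport, "len": ulen,
                         "payload": frame[start + 8:start + ulen]}
    return layers


if __name__ == "__main__":
    # Constructed sample: a 12-byte zero payload to UDP/53, the scapy UDP defaults for the ports.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "10.0.0.1", "192.0.2.1", 1025, 53, b"\x00" * 12)
    for name, fields in dissect(frame).items():
        print("###[ %s ]###" % name, fields)
```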

Sending Packets

send(pkt, inter=0, loop=0, count=1, iface=N) · Send one or more packets at layer three

sendp(pkt, inter=0, loop=0, count=1, iface=N) · Send one or more packets at layer two

sendpfast(pkt, pps=N, mbps=N, loop=0, iface=N) · Send packets much faster at layer two using tcpreplay

Sending and Receiving Packets

sr(pkt, filter=N, iface=N), srp(…) · Send packets and receive replies

sr1(pkt, inter=0, loop=0, count=1, iface=N), srp1(…) · Send packets and return only the first reply

srloop(pkt, timeout=N, count=N), srploop(…) · Send packets in a loop and print each reply

Fuzzing

# Randomize fields where applicable
>>> fuzz(ICMP()).show()
###[ ICMP ]###
  type= <RandByte>
  code= 227
  chksum= None
  unused= <RandInt>

Sniffing Packets

sniff(count=0, store=1, timeout=N) · Record packets off the wire; returns a list of packets when stopped

# Capture up to 100 packets (or stop with ctrl-c)
>>> pkts=sniff(count=100, iface="eth0")
>>> pkts
<Sniffed: TCP:92 UDP:7 ICMP:1 Other:0>

>>> send(IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.

>>> srloop(IP(dst="packetlife.net")/ICMP(), count=3)
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140


packetlife.net

by Jeremy Stretch v1.0


VOIP BASICS

Access Switch Port Configuration

interface FastEthernet0/1
 ! Configure data and voice access VLANs
 switchport access vlan <VLAN>
 switchport voice vlan <VLAN>
 ! Trust ingress QoS markings
 mls qos trust cos
 ! Optionally pre-allocate power for the port
 power inline static [max <wattage>]

Pulse Code Modulation (PCM)

Sampling · 8000 discrete signal measurements are taken at equal intervals every second

Quantization · The level of each sample is rounded to the nearest expressible value

Encoding · Digital values are encoded as binary numbers for encapsulation

Compression (Optional) · The digital signal is compressed in real time to consume less bandwidth

(Figure: Sampling, Quantization and Encoding plots of one sampled waveform on a 0-14 amplitude scale; the sample values shown are 9.1, 12.3, 13.6, 13.5, 12.4, 9.2, 6.0, 2.8, 0.9, 1.0, 2.7 and 5.9.)

Power Over Ethernet (PoE)

Cisco Inline Power (ILP) · Pre-standard; employs a 340 kHz tone to detect devices; power needs communicated via CDP

IEEE 802.3af · Detects power requirements of PoE device by the line resistance present

IEEE 802.3at · Uses LLDP to negotiate delivery of up to 25 watts in .10 W intervals

IEEE 802.3af Classes

Class   Power
0       15.4 W
1       4 W
2       7 W
3       15.4 W
4       Reserved

Voice Codecs

Codec    Type       MOS    Bandwidth    Complexity   Free
G.711    PCM        4.1    64 kbps      Low          Yes
G.722    SB-ADPCM   4.13   48-64 kbps   Medium       Yes
iLBC                4.1    15.2 kbps    High         Yes
G.729    CS-ACELP   3.92   8 kbps       High         No
G.726    ADPCM      3.85   32 kbps      Medium       Yes
G.729a   CS-ACELP   3.7    8 kbps       Medium       No
G.728    LD-CELP    3.61   16 kbps      High         No

Signaling Protocols

ITU-T H.323 · Originally designed for multimedia transmission over ISDN; mature and widely supported; peer-to-peer call control

Session Initiation Protocol (SIP) · Text-based, similar in nature to HTTP; defined in RFC 3261; peer-to-peer call control

Media Gateway Control Protocol (MGCP) · Employs centralized call control; defined in RFC 3661

Skinny Client Control Protocol (SCCP) · Cisco-proprietary; limited support on gateways; centralized control

IP Phone Boot Process

1. Power Over Ethernet (Optional) · Power is supplied via IEEE 802.3af/at or Cisco ILP

2. VLANs Learned via CDP or LLDP · Voice and data VLANs communicated via CDP/LLDP

3. IP Assignment via DHCP · The phone sends a DHCP request in the voice VLAN; the response includes an IP and DHCP option 150

4. Configuration Retrieved via TFTP · The phone retrieves its configuration from one of the TFTP servers specified in the DHCP option

5. Registration · The phone registers with the call server(s) specified in its configuration

(Diagram: steps 1 through 5 of the boot process, involving the TFTP Server and the Call Server.)

Calculating Required Bandwidth

G.711/Ethernet Example

Codec Payload        Bitrate × Sample Size   64 Kbps × 20 msec            160 B
L3 Overhead          IP (20)                                              20 B
L4 Overhead          UDP (8) + RTP (12)                                   20 B
L2 Overhead          Ethernet (18) + 802.1Q (4)                           22 B
Packets per Second   1000 msec / 20 msec                                  50 pps
Total Bandwidth                                                           88.8 Kbps
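The bandwidth calculation above, generalised to any codec bitrate, sample size and Layer 2 encapsulation, as an added Python example (not from the cheat sheet). With the sheet's inputs (64 kbps, 20 ms, Ethernet + 802.1Q) it reproduces the 160-byte payload, 50 pps and 88.8 kbps figures; it also shows the same sum for G.729 and how many calls a link of a given rate admits, which is the number a call admission control limit is set from. The `L2_OVERHEAD_BYTES` entries are the two cases the sheet states; other encapsulations would need their own entry.

```python
# Per-call VoIP bandwidth: (payload + L3 + L4 + L2 overhead) bytes × 8 bits × packets per second.

L2_OVERHEAD_BYTES = {
    "ethernet": 18,        # Ethernet (18), from the sheet
    "ethernet-dot1q": 22,  # Ethernet (18) + 802.1Q (4), from the sheet
}
L3_IP_BYTES = 20          # IP (20)
L4_UDP_RTP_BYTES = 8 + 12  # UDP (8) + RTP (12)


def voip_call_bandwidth(codec_bps: int, sample_ms: int, link: str = "ethernet-dot1q") -> dict:
    """Break down one call's bandwidth the way the sheet's G.711/Ethernet example does."""
    if 1000 % sample_ms or (codec_bps * sample_ms) % 8000:
        raise ValueError("sample size must divide one second into whole packets of whole bytes")
    payload = codec_bps * sample_ms // 8000          # bitrate × sample size, in bytes
    pps = 1000 // sample_ms                          # 1000 msec / sample size
    frame = payload + L3_IP_BYTES + L4_UDP_RTP_BYTES + L2_OVERHEAD_BYTES[link]
    return {"payload_bytes": payload, "frame_bytes": frame, "pps": pps, "bps": frame * 8 * pps}


def calls_per_link(link_bps: int, codec_bps: int, sample_ms: int, link: str = "ethernet-dot1q") -> int:
    """Whole calls that fit on a link at the computed per-call rate (no headroom reserved)."""
    return link_bps // voip_call_bandwidth(codec_bps, sample_ms, link)["bps"]


if __name__ == "__main__":
    for name, bps in (("G.711", 64000), ("G.729", 8000), ("G.726", 32000)):
        b = voip_call_bandwidth(bps, 20)
        print("%-6s %3d B payload, %3d B/frame, %d pps, %.1f kbps per call, %d calls on a T1"
              % (name, b["payload_bytes"], b["frame_bytes"], b["pps"], b["bps"] / 1000,
                 calls_per_link(1544000, bps, 20)))
```

Note how little the codec choice matters once headers dominate: G.729 cuts the payload from 160 to 20 bytes but the 62 bytes of headers stay, so the per-call rate drops to 32.8 kbps rather than to one eighth of 88.8 kbps.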


packetlife.net

by Jeremy Stretch v2.0

WIRESHARK DISPLAY FILTERS · PART 1

Ethernet

eth.addr  eth.dst  eth.ig
eth.len  eth.lg  eth.multicast
eth.src  eth.trailer  eth.type

IEEE 802.1Q

vlan.cfi  vlan.etype  vlan.id
vlan.len  vlan.priority  vlan.trailer

IPv4

ip.addr  ip.checksum  ip.checksum_bad
ip.checksum_good  ip.dsfield  ip.dsfield.ce
ip.dsfield.dscp  ip.dsfield.ect  ip.dst
ip.dst_host  ip.flags  ip.flags.df
ip.flags.mf  ip.flags.rb  ip.frag_offset
ip.fragment  ip.fragment.error  ip.fragment.multipletails
ip.fragment.overlap  ip.fragment.overlap.conflict  ip.fragment.toolongfragment
ip.fragments  ip.hdr_len  ip.host
ip.id  ip.len  ip.proto
ip.reassembled_in  ip.src  ip.src_host
ip.tos  ip.tos.cost  ip.tos.delay
ip.tos.precedence  ip.tos.reliability  ip.tos.throughput
ip.ttl  ip.version

IPv6

ipv6.addr  ipv6.class  ipv6.dst
ipv6.dst_host  ipv6.dst_opt  ipv6.flow
ipv6.fragment  ipv6.fragment.error  ipv6.fragment.id
ipv6.fragment.more  ipv6.fragment.multipletails  ipv6.fragment.offset
ipv6.fragment.overlap  ipv6.fragment.overlap.conflict  ipv6.fragment.toolongfragment
ipv6.fragments  ipv6.hlim  ipv6.hop_opt
ipv6.host  ipv6.mipv6_home_address  ipv6.mipv6_length
ipv6.mipv6_type  ipv6.nxt  ipv6.opt.pad1
ipv6.opt.padn  ipv6.plen  ipv6.reassembled_in
ipv6.routing_hdr  ipv6.routing_hdr.addr  ipv6.routing_hdr.left
ipv6.routing_hdr.type  ipv6.src  ipv6.src_host
ipv6.version

ARP

arp.dst.hw_mac  arp.dst.proto_ipv4  arp.hw.size
arp.hw.type  arp.opcode  arp.proto.size
arp.proto.type  arp.src.hw_mac  arp.src.proto_ipv4

TCP

tcp.ack  tcp.checksum  tcp.checksum_bad
tcp.checksum_good  tcp.continuation_to  tcp.dstport
tcp.flags  tcp.flags.ack  tcp.flags.cwr
tcp.flags.ecn  tcp.flags.fin  tcp.flags.push
tcp.flags.reset  tcp.flags.syn  tcp.flags.urg
tcp.hdr_len  tcp.len  tcp.nxtseq
tcp.options  tcp.options.cc  tcp.options.ccecho
tcp.options.ccnew  tcp.options.echo  tcp.options.echo_reply
tcp.options.md5  tcp.options.mss  tcp.options.mss_val
tcp.options.qs  tcp.options.sack  tcp.options.sack_le
tcp.options.sack_perm  tcp.options.sack_re  tcp.options.time_stamp
tcp.options.wscale  tcp.options.wscale_val  tcp.pdu.last_frame
tcp.pdu.size  tcp.pdu.time  tcp.port
tcp.reassembled_in  tcp.segment  tcp.segment.error
tcp.segment.multipletails  tcp.segment.overlap  tcp.segment.overlap.conflict
tcp.segment.toolongfragment  tcp.segments  tcp.seq
tcp.srcport  tcp.time_delta  tcp.time_relative
tcp.urgent_pointer  tcp.window_size

UDP

udp.checksum  udp.checksum_bad  udp.checksum_good
udp.dstport  udp.length  udp.port
udp.srcport

Operators

eq or ==
ne or !=
gt or >
lt or <
ge or >=
le or <=

Logic

and or && · Logical AND
or or || · Logical OR
xor or ^^ · Logical XOR
not or ! · Logical NOT
[n] […] · Substring operator
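How the comparison operators and the logical operators above combine, shown by a small evaluator for this filter syntax written in Python as an added example (this is not Wireshark's code, and it does not attempt to match its full grammar). It accepts both spellings of every operator in the two tables, parentheses, a bare field name as a presence test (`tcp`, `arp`), and list-valued fields so that `ip.addr` or `tcp.port` match on either end. The precedence it assumes is `!` tightest, then `&&`, `^^`, `||`; the substring operator, MAC literals and other value forms are left out. The three dissected packets in `SAMPLE_PACKETS` are constructed, using the field names from the lists on this page.

```python
import operator
import re

# Tokens: parentheses, symbolic operators, "quoted strings", dotted-quad IPs, integers, bare words.
_TOKEN = re.compile(r'\s*(?:(\(|\))|(&&|\|\||\^\^|==|!=|>=|<=|>|<|!)|("[^"]*")'
                    r'|(\d+\.\d+\.\d+\.\d+)|(\d+)|([A-Za-z_][\w.]*))')
_WORD_OPS = {"and": "&&", "or": "||", "xor": "^^", "not": "!",
             "eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
_CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def tokenize(text: str) -> list:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unrecognised input at {text[pos:]!r}")
        pos = m.end()
        paren, op, quoted, ip, num, word = m.groups()
        if paren or op:
            tokens.append(("punct" if paren else "op", paren or op))
        elif word:  # English operator alias or a field name such as ip.src
            tokens.append(("op", _WORD_OPS[word]) if word in _WORD_OPS else ("field", word))
        else:
            tokens.append(("val", int(num) if num else (quoted[1:-1] if quoted else ip)))
    return tokens


class Parser:
    """Recursive descent; precedence from loosest to tightest: ||  ^^  &&  !"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")
        return node

    def _binary(self, sub, symbol, name):
        node = sub()
        while self.peek() == ("op", symbol):
            self.take()
            node = (name, node, sub())
        return node

    def or_expr(self):
        return self._binary(self.xor_expr, "||", "or")

    def xor_expr(self):
        return self._binary(self.and_expr, "^^", "xor")

    def and_expr(self):
        return self._binary(self.not_expr, "&&", "and")

    def not_expr(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.not_expr())
        return self.primary()

    def primary(self):
        kind, val = self.take()
        if (kind, val) == ("punct", "("):
            node = self.or_expr()
            if self.take() != ("punct", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "field":
            raise ValueError(f"expected a field name, got {val!r}")
        kind2, op = self.peek()
        if kind2 == "op" and op in _CMP:          # field <op> value
            self.take()
            vkind, wanted = self.take()
            if vkind != "val":
                raise ValueError(f"expected a value after {op}")
            return ("cmp", op, val, wanted)
        return ("has", val)                       # bare field name: presence test


def _compare(op, actual, wanted) -> bool:
    # Coerce the literal to the field's type; a type mismatch can only satisfy "!=".
    if isinstance(actual, int) and isinstance(wanted, str):
        try:
            wanted = int(wanted)
        except ValueError:
            return op == "!="
    if isinstance(actual, str) and isinstance(wanted, int):
        wanted = str(wanted)
    return _CMP[op](actual, wanted)


def evaluate(node, packet: dict) -> bool:
    kind = node[0]
    if kind == "has":
        return node[1] in packet
    if kind == "cmp":
        _, op, field, wanted = node
        if field not in packet:
            return False  # a comparison against an absent field never matches
        values = packet[field] if isinstance(packet[field], list) else [packet[field]]
        return any(_compare(op, v, wanted) for v in values)  # ip.addr / tcp.port match either end
    if kind == "not":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]


def filter_packets(expression: str, packets) -> list:
    """Indexes of the packets the display filter selects."""
    tree = Parser(tokenize(expression)).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]


# Constructed dissections: protocol presence flags plus the fields a filter would test.
SAMPLE_PACKETS = [
    {"eth": True, "ip": True, "tcp": True, "eth.src": "00:11:22:33:44:55", "ip.src": "192.0.2.10",
     "ip.dst": "198.51.100.5", "ip.addr": ["192.0.2.10", "198.51.100.5"], "ip.ttl": 64,
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.port": [51000, 443], "tcp.flags.syn": 1},
    {"eth": True, "ip": True, "udp": True, "ip.src": "198.51.100.5", "ip.dst": "192.0.2.10",
     "ip.addr": ["198.51.100.5", "192.0.2.10"], "ip.ttl": 250,
     "udp.srcport": 53, "udp.dstport": 33000, "udp.port": [53, 33000]},
    {"eth": True, "arp": True, "eth.src": "00:11:22:33:44:66", "arp.opcode": 1},
]

if __name__ == "__main__":
    for expr in ("tcp.dstport == 443", "ip.addr eq 192.0.2.10 and not tcp", "ip.ttl gt 128 || arp"):
        print(f"{expr!r:45} -> packets {filter_packets(expr, SAMPLE_PACKETS)}")
```

The list-valued `ip.addr` shows the one semantic that catches people out in the real tool as well: `ip.addr != 192.0.2.10` still selects a packet whose other address differs, so "exclude this host" is written `!(ip.addr == 192.0.2.10)`.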


packetlife.net

by Jeremy Stretch v2.0

WIRESHARK DISPLAY FILTERS · PART 2

Frame Relay

fr.becn  fr.chdlctype  fr.control
fr.control.f  fr.control.ftype  fr.control.n_r
fr.control.n_s  fr.control.p  fr.control.s_ftype
fr.control.u_modifier_cmd  fr.control.u_modifier_resp  fr.cr
fr.dc  fr.de  fr.dlci
fr.dlcore_control  fr.ea  fr.fecn
fr.lower_dlci  fr.nlpid  fr.second_dlci
fr.snap.oui  fr.snap.pid  fr.snaptype
fr.third_dlci  fr.upper_dlci

ICMPv6

icmpv6.all_comp

icmpv6.checksum

icmpv6.option.name_type.fqdn

icmpv6.option.name_x501

icmpv6.checksum_bad

icmpv6.code

icmpv6.option.rsa.key_hash

icmpv6.option.type

icmpv6.comp

icmpv6.haad.ha_addrs

icmpv6.ra.cur_hop_limit

icmpv6.ra.reachable_time

icmpv6.identifier

icmpv6.option

icmpv6.ra.retrans_timer

icmpv6.ra.router_lifetime

icmpv6.option.cga

icmpv6.option.length

icmpv6.recursive_dns_serv

icmpv6.type

icmpv6.option.name_type

RIP

rip.auth.passwd  rip.auth.type  rip.command
rip.family  rip.ip  rip.metric
rip.netmask  rip.next_hop  rip.route_tag
rip.routing_domain  rip.version

BGP

bgp.aggregator_as  bgp.aggregator_origin  bgp.as_path
bgp.cluster_identifier  bgp.cluster_list  bgp.community_as
bgp.community_value  bgp.local_pref  bgp.mp_nlri_tnl_id
bgp.mp_reach_nlri_ipv4_prefix  bgp.mp_unreach_nlri_ipv4_prefix  bgp.multi_exit_disc
bgp.next_hop  bgp.nlri_prefix  bgp.origin
bgp.originator_id  bgp.type  bgp.withdrawn_prefix

HTTP

http.accept  http.accept_encoding  http.accept_language
http.authbasic  http.authorization  http.cache_control
http.connection  http.content_encoding  http.content_length
http.content_type  http.cookie  http.date
http.host  http.last_modified  http.location
http.notification  http.proxy_authenticate  http.proxy_authorization
http.proxy_connect_host  http.proxy_connect_port  http.referer
http.request  http.request.method  http.request.uri
http.request.version  http.response  http.response.code
http.server  http.set_cookie  http.transfer_encoding
http.user_agent  http.www_authenticate  http.x_forwarded_for

PPP

ppp.address  ppp.control  ppp.direction
ppp.protocol

MPLS

mpls.bottom  mpls.cw.control  mpls.cw.res
mpls.exp  mpls.label  mpls.oam.bip16
mpls.oam.defect_location  mpls.oam.defect_type  mpls.oam.frequency
mpls.oam.function_type  mpls.oam.ttsi  mpls.ttl

ICMP

icmp.checksum  icmp.checksum_bad  icmp.code
icmp.ident  icmp.mtu  icmp.redir_gw
icmp.seq  icmp.type

DTP

dtp.neighbor  dtp.tlv_len  dtp.tlv_type
dtp.version  vtp.neighbor

VTP

vtp.code  vtp.conf_rev_num  vtp.followers
vtp.md  vtp.md5_digest  vtp.md_len
vtp.seq_num  vtp.start_value  vtp.upd_id
vtp.upd_ts  vtp.version  vtp.vlan_info.802_10_index
vtp.vlan_info.isl_vlan_id  vtp.vlan_info.len  vtp.vlan_info.mtu_size
vtp.vlan_info.status.vlan_susp  vtp.vlan_info.tlv_len  vtp.vlan_info.tlv_type
vtp.vlan_info.vlan_name  vtp.vlan_info.vlan_name_len  vtp.vlan_info.vlan_type