
packetlife.net by Jeremy Stretch v2.1-r1
BGP PART 1
About BGP
Type: Path Vector
eBGP AD: 20
iBGP AD: 200
Standard: RFC 4271
Protocols: IP
Transport: TCP/179
Authentication: MD5
Path Selection (evaluated in order; the first step that differs decides)
1. Weight: administrative preference (prefer highest)
2. Local Preference: communicated between peers within an AS (prefer highest)
3. Self-originated: prefer paths originated locally (prefer true)
4. AS Path: minimize AS hops (prefer shortest)
5. Origin: prefer IGP-learned routes over EGP, and EGP over unknown (prefer IGP)
6. MED: used externally to enter an AS (prefer lowest)
7. External: prefer eBGP routes over iBGP (prefer eBGP)
8. IGP Cost: consider IGP metric to the next hop (prefer lowest)
9. eBGP Peering: favor more stable routes (prefer oldest)
10. Router ID: tie breaker (prefer lowest)
Influencing Path Selection
Weight: neighbor 172.16.0.1 weight 200
MED: default-metric 400
Local Preference: bgp default local-preference 100
Route Map: neighbor 172.16.0.1 route-map Foo
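The selection table above is easiest to understand as a pairwise comparison that stops at the first step where two paths differ. The following Python is an added worked example, not part of the original cheat sheet; the `Path` dataclass and its field names are this example's own. The constructed sample reproduces Router A's two eBGP paths to 192.168.3.0/24 from the configuration example on the next sheet, and assumes the peers' router IDs are their highest interface addresses (no loopbacks appear on that sheet):

```python
import functools
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List

# Origin codes ranked as BGP prefers them: IGP (i) beats EGP (e), which beats incomplete (?)
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate path for a prefix. Field names are this example's own
    (hypothetical), chosen to mirror the attributes in the selection table."""
    peer: str                       # address of the peer that sent the path
    router_id: str                  # BGP router ID of that peer (lowest wins at step 10)
    as_path: List[int] = field(default_factory=list)
    weight: int = 0                 # Cisco-local, never sent to peers (highest wins)
    local_pref: int = 100           # highest wins
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0                    # lowest wins, compared only within the same neighbouring AS
    ebgp: bool = True               # eBGP-learned beats iBGP-learned
    igp_cost: int = 0               # IGP metric to the next hop (lowest wins)
    age: int = 0                    # seconds the path has been known (oldest eBGP path wins)


def better(a: Path, b: Path) -> Path:
    """Return the preferred of two paths, walking the selection steps in order
    and stopping at the first one that distinguishes them."""
    if a.weight != b.weight:                                   # 1. Weight
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                           # 2. Local preference
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:           # 3. Self-originated
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):                       # 4. AS path length
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:         # 5. Origin
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    same_neighbour_as = a.as_path and b.as_path and a.as_path[0] == b.as_path[0]
    if same_neighbour_as and a.med != b.med:                   # 6. MED (same neighbouring AS only, by default)
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:                                       # 7. eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_cost != b.igp_cost:                               # 8. IGP cost to next hop
        return a if a.igp_cost < b.igp_cost else b
    if a.ebgp and b.ebgp and a.age != b.age:                   # 9. Oldest eBGP path
        return a if a.age > b.age else b
    return a if IPv4Address(a.router_id) <= IPv4Address(b.router_id) else b  # 10. Lowest router ID


def best_path(paths: List[Path]) -> Path:
    """Pairwise reduction, the way a router compares each new path against its current
    best. Because step 6 skips MED between different neighbouring ASes, the comparison
    is not always transitive, which is what 'bgp deterministic-med' and
    'bgp always-compare-med' exist to address; with one neighbouring AS, as in the
    sample below, the result does not depend on arrival order."""
    return functools.reduce(better, paths)


def router_a_paths(weight_for_c: int = 0) -> List[Path]:
    """Constructed sample (not captured data): Router A's two eBGP paths to
    192.168.3.0/24. Both carry MED 100 from the route-map and origin 'incomplete'
    because the prefix was redistributed from OSPF, so the decision falls through
    to the router ID tie breaker unless a weight is applied."""
    via_b = Path(peer="172.16.0.2", router_id="192.168.2.1", as_path=[65200],
                 origin="incomplete", med=100, age=120)
    via_c = Path(peer="172.16.0.6", router_id="192.168.3.1", as_path=[65200],
                 origin="incomplete", med=100, age=120, weight=weight_for_c)
    return [via_b, via_c]
```

Running `best_path(router_a_paths())` picks the path via 172.16.0.2, matching Router A's routing table on the next sheet; `best_path(router_a_paths(200))` shows how a single `neighbor 172.16.0.6 weight 200` overrides every later step.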
Terminology
Autonomous System (AS)
A logical domain under the control of a
single entity
External BGP (eBGP)
BGP adjacencies which span autonomous
system boundaries
Internal BGP (iBGP)
BGP adjacencies formed within a single AS
Synchronization Requirement
A route must be known by an IGP before
it may be advertised to BGP peers
Packet Types
Open
Update
Keepalive
Notification
Neighbor States
Idle: Neighbor is not responding
Connect: TCP session established
Active: Attempting to connect
Open Sent: Open message sent
Open Confirm: Response received
Established: Adjacency established

Troubleshooting
show ip bgp [summary]
show ip bgp neighbors
show ip route [bgp]
clear ip bgp * [soft]
debug ip bgp [...]
Attribute Classes
Well-known Mandatory: Must be supported and propagated
Well-known Discretionary: Must be supported; propagation optional
Optional Transitive: Marked as partial if unsupported by neighbor
Optional Nontransitive: Deleted if unsupported by neighbor

Attributes
Type  Name                              Description
1     Origin                            Origin type (IGP, EGP, or unknown)
2     AS Path                           List of autonomous systems which the advertisement has traversed
3     Next Hop                          External peer in neighboring AS
4     Multiple Exit Discriminator (MED) Metric for external neighbors to reach the local AS (default 0)
5     Local Preference                  Metric for internal neighbors to reach external destinations (default 100)
6     Atomic Aggregate                  Indicates that AS path information has been dropped due to route aggregation
7     Aggregator                        ID and AS of summarizing router
8     Community                         Route tag
9     Originator ID                     The originator of a reflected route
10    Cluster List                      List of cluster IDs
13    Cluster ID                        Originating cluster
--    Weight                            Cisco proprietary, not communicated to peers (default 0)

Ignore AS Path: bgp bestpath as-path ignore
Ignore Cost Communities: bgp bestpath cost-community ignore
BGP PART 2 (v2.1-r1)
Configuration Example
Router A (AS 65100)
interface Serial1/0
 description Backbone to B
 ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
 description Backbone to C
 ip address 172.16.0.5 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
 no synchronization
 network 172.16.0.0 mask 255.255.255.252
 network 172.16.0.4 mask 255.255.255.252
 network 192.168.1.0
 neighbor South peer-group
 neighbor South remote-as 65200
 neighbor 172.16.0.2 peer-group South
 neighbor 172.16.0.6 peer-group South
 no auto-summary
Topology diagram: Router A (AS 65100) connects over S1/0 (172.16.0.0/30) to Router B and over S1/1 (172.16.0.4/30) to Router C. Routers B and C (both AS 65200) are iBGP peers connected via F0/0 (10.0.0.0/30) and run OSPF between them; each router's LAN hangs off F2/0.
Router C (AS 65200)
interface FastEthernet0/0
 description Backbone to B
 ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.6 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.3.1 255.255.255.0
!
router ospf 100
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 2
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.1 remote-as 65200
 neighbor 172.16.0.5 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100
Router B (AS 65200)
interface FastEthernet0/0
 description Backbone to C
 ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
router ospf 100
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.2.1 0.0.0.0 area 1
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.2 remote-as 65200
 neighbor 172.16.0.1 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100
Router A Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.0.4 is directly connected, Serial1/1
C       172.16.0.0 is directly connected, Serial1/0
C    192.168.1.0/24 is directly connected, FastEthernet2/0
B    192.168.2.0/24 [20/100] via 172.16.0.2
B    192.168.3.0/24 [20/100] via 172.16.0.2

Router B Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
B       172.16.0.4 [20/0] via 172.16.0.1
C       172.16.0.0 is directly connected, Serial1/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
B    192.168.1.0/24 [20/0] via 172.16.0.1
C    192.168.2.0/24 is directly connected, FastEthernet2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, FastEthernet0/0
EIGRP (v2.1)
Attributes
Type: Distance Vector
Algorithm: DUAL
Internal AD: 90
External AD: 170
Summary AD: 5
Standard: Cisco proprietary
Protocols: IP, IPX, Appletalk
Transport: IP/88
Authentication: MD5
Multicast IP: 224.0.0.10
Hello Timers: 5/60
Hold Timers: 15/180

Protocol Header (32 bits per row; bit offsets 8 16 24 32)
Version | Opcode | Checksum
Flags
Sequence Number
Acknowledgment Number
Autonomous System Number
Type | Length
Value
Metric Formula
256 * (

* bw + +

* delay) *

* bw
256 - load

rel +

bw = 10
7
/ minimum path bandwidth in kbps
delay = interface delay in secs / 10
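As an added worked example (not part of the original sheet), the formula above carried through in integer arithmetic the way IOS computes it, together with the feasibility condition from the Terminology section. The link values are constructed: a T1 (1544 kbps, 20000 usec) and a FastEthernet segment (100000 kbps, 100 usec), both of which use the IOS default interface delays.

```python
K_DEFAULTS = (1, 0, 1, 0, 0)  # K1..K5 as in the K Defaults table


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int, load: int = 1,
                 reliability: int = 255, k=K_DEFAULTS) -> int:
    """Classic 32-bit EIGRP composite metric.

    min_bw_kbps       lowest interface bandwidth along the path, in kbps
    total_delay_usec  sum of interface delays along the path, in microseconds
    load              1..255 (1 = idle); reliability 1..255 (255 = 100 %)
    IOS performs these steps in integer arithmetic, so this does too."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps          # 10^7 / minimum path bandwidth in kbps
    delay = total_delay_usec // 10          # interface delay in usec / 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                             # reliability factor applies only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def path_metric(links) -> int:
    """Metric for a multi-hop path given [(bandwidth_kbps, delay_usec), ...]:
    bandwidth is the minimum along the path, delay is cumulative."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))


def is_feasible_successor(successor_fd: int, candidate_rd: int) -> bool:
    """Feasibility condition: a neighbour's reported distance must be strictly
    less than the feasible distance through the current successor for DUAL to
    treat it as a loop-free backup it can switch to without sending queries."""
    return candidate_rd < successor_fd


# Constructed example values (IOS default delays for these interface types)
T1 = (1544, 20000)
FAST_ETHERNET = (100000, 100)
```

`eigrp_metric(*T1)` yields 2169856 and `eigrp_metric(*FAST_ETHERNET)` 28160, the figures familiar from `show ip eigrp topology`; `path_metric([FAST_ETHERNET, T1])` shows why a single slow link dominates the composite metric.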
EIGRP Configuration

Protocol Configuration
! Enable EIGRP
router eigrp <ASN>
! Add networks to advertise
 network <IP address> <wildcard mask>
! Configure K values to manipulate metric formula
 metric weights 0 <k1> <k2> <k3> <k4> <k5>
! Disable automatic route summarization
 no auto-summary
! Designate passive interfaces
 passive-interface {<interface> | default}
! Enable stub routing
 eigrp stub [receive-only | connected | static | summary]
! Statically identify neighboring routers
 neighbor <IP address> <interface>

Interface Configuration
! Set maximum bandwidth EIGRP can consume
 ip bandwidth-percent eigrp <AS> <percentage>
! Configure manual summarization of outbound routes
 ip summary-address eigrp <AS> <IP address> <mask> [<AD>]
! Enable MD5 authentication
 ip authentication mode eigrp <AS> md5
 ip authentication key-chain eigrp <AS> <key-chain>
! Configure hello and hold timers
 ip hello-interval eigrp <AS> <seconds>
 ip hold-time eigrp <AS> <seconds>
! Disable split horizon for EIGRP
 no ip split-horizon eigrp <AS>
K Defaults
K1 = 1
K2 = 0
K3 = 1
K4 = 0
K5 = 0

Packet Types
1 Update
3 Query
4 Reply
5 Hello
8 Acknowledge
Terminology
Feasible Distance
The distance advertised by a neighbor plus the cost
to get to that neighbor
Reported Distance
The metric for a route advertised by a neighbor
Stuck In Active (SIA)
The condition when a route becomes unreachable
and not all queries for it are answered; adjacencies
with unresponsive neighbors are reset
Passive Interface
An interface which does not participate in EIGRP but
whose network is advertised
Stub Router
A router which advertises only a subset of routes,
and is omitted from the route query process
Troubleshooting
show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
clear ip eigrp neighbors
debug ip eigrp [packet | neighbors]
FIRST HOP REDUNDANCY (v2.0)
Protocols
Hot Standby Router Protocol (HSRP)
Provides default gateway redundancy using one active and one standby router; standardized but licensed by Cisco Systems
Virtual Router Redundancy Protocol (VRRP)
An open-standard alternative to Cisco's HSRP, providing the same functionality
Gateway Load Balancing Protocol (GLBP)
Supports arbitrary load balancing in addition to redundancy across gateways; Cisco proprietary

HSRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 standby version {1 | 2}
 standby 1 ip 10.0.1.1
 standby 1 timers <hello> <dead>
 standby 1 priority <priority>
 standby 1 preempt
 standby 1 authentication md5 key-string <password>
 standby 1 track <interface> <value>
 standby 1 track <object> decrement <value>

Troubleshooting
show standby [brief]
show glbp [brief]
Attributes
                  HSRP        VRRP        GLBP
Load Balancing    No          No          Yes
Standard          RFC 2281    RFC 3768    Cisco
Transport         UDP/1985    IP/112      UDP/3222
IPv6 Support      Yes         No          Yes
Default Hello     3 sec       1 sec       3 sec
Default Priority  100         100         100
Multicast Group   224.0.0.2   224.0.0.18  224.0.0.102

Diagram: three gateways with priorities 100 / 200 / 100. Under HSRP the roles are Standby / Active / Listen; under VRRP they are Backup / Master / Backup.
VRRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 vrrp 1 ip 10.0.1.1
 vrrp 1 timers {advertise <hello> | learn}
 vrrp 1 priority <priority>
 vrrp 1 preempt
 vrrp 1 authentication md5 key-string <password>
 vrrp 1 track <object> decrement <value>

GLBP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 glbp 1 ip 10.0.1.1
 glbp 1 timers <hello> <dead>
 glbp 1 timers redirect <redirect> <timeout>
 glbp 1 priority <priority>
 glbp 1 preempt
 glbp 1 forwarder preempt
 glbp 1 authentication md5 key-string <password>
 glbp 1 load-balancing <method>
 glbp 1 weighting <weight> lower <lower> upper <upper>
 glbp 1 weighting track <object> decrement <value>

HSRP/GLBP Interface States
Speak: Gateway election in progress
Active: Active router/VG
Standby: Backup router/VG
Listen: Not the active router/VG

VRRP Interface States
Master: Acting as the virtual router
Backup: All non-master routers
GLBP Roles
Active Virtual Gateway (AVG)
Answers for the virtual router and assigns
virtual MAC addresses to group members
Active Virtual Forwarder (AVF)
All routers which forward traffic for the group
GLBP Load Balancing
Round-Robin (default)
The AVG answers host ARP requests for the
virtual router with the next router in the cycle
Host-Dependent
Round-robin cycling is used while a consistent
AVF is maintained for each host
Weighted
Determines the proportionate share of hosts
handled by each AVF
Diagram: under GLBP all three gateways (weights 100 / 200 / 100) act as AVFs; the one elected AVG answers ARP for the virtual IP.

Troubleshooting
show vrrp [brief]
show track [brief]
IEEE 802.11 WLAN PART 1 (v2.2)
IEEE Standards
Standard  Modulation  Frequency  Max Throughput  Ratified  Channels (FCC/ETSI)
802.11a   OFDM        5 GHz      54 Mbps         1999      21/19
802.11b   DSSS        2.4 GHz    11 Mbps         1999      11/13
802.11g   DSSS/OFDM   2.4 GHz    54 Mbps         2003      11/13
802.11n   OFDM        2.4/5 GHz  300 Mbps        2009      32/32

WLAN Types
Ad Hoc
A WLAN between isolated stations with no central point of control; an IBSS
Infrastructure
A WLAN attached to a wired network via an access point; a BSS or ESS
WLAN Components
Basic Service Area (BSA)
The physical area covered by the wireless signal of a BSS
Basic Service Set (BSS)
A set of stations and/or access points which can directly
communicate via a wireless medium
Distribution System (DS)
The wired infrastructure connecting multiple BSSs to form an ESS
Extended Service Set (ESS)
A set of multiple BSSs connected by a DS which appear to wireless
stations as a single BSS
Independent BSS (IBSS)
An isolated BSS with no connection to a DS; an ad hoc WLAN
Measuring RF Signal Strength
Decibel (dB)
An expression of signal strength as compared to a reference signal; calculated as 10 * log10(signal/reference)
dBm: Signal strength compared to a 1 milliwatt signal
dBW: Signal strength compared to a 1 watt signal
dBi: Compares forward antenna gain to that of an isotropic antenna
Frame Types
Type                     Class
Authentication           Management
Association              Management
Beacon                   Management
Probe                    Management
Request to Send (RTS)    Control
Clear to Send (CTS)      Control
Acknowledgment (ACK)     Control
Data                     Data

Client Association (in order)
1. Probe Request
2. Probe Response
3. Authentication Request
4. Authentication Response
5. Association Request
6. Association Response
Modulations
Scheme  Modulation  Throughput
DSSS    DBPSK       1 Mbps
DSSS    DQPSK       2 Mbps
DSSS    CCK         5.5/11 Mbps
OFDM    BPSK        6/9 Mbps
OFDM    QPSK        12/18 Mbps
OFDM    16-QAM      24/36 Mbps
OFDM    64-QAM      48/54 Mbps

Terminology
Basic Service Set Identifier (BSSID)
A MAC address which serves to uniquely identify a BSS
Service Set Identifier (SSID)
A human-friendly text string which identifies a BSS; 1-32 characters
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)
The mechanism which facilitates efficient communication across a shared wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP)
Net signal strength (transmitter power + antenna gain - cable loss)

Diagram: an IBSS stands alone; two BSSs joined by a DS form an ESS.
IEEE 802.11 WLAN PART 2 (v2.2)
Distributed Coordination Function (DCF)
Interframe Spacing
Short IFS (SIFS)
Used to provide minimal spacing delay between
control frames or data fragments
DCF IFS (DIFS)
Normal spacing enforced under DCF for management
and non-fragment data frames
Arbitrated IFS (AIFS)
Variable spacing calculated to accommodate differing
qualities of service (QoS)
Extended IFS (EIFS)
Extended delay imposed after errors are detected in a
received frame
Encryption Schemes
Wired Equivalent Privacy (WEP)
Flawed RC4 implementation using a 40- or 104-bit
pre-shared encryption key (deprecated)
Wi-Fi Protected Access (WPA)
Implements the improved RC4-based encryption
Temporal Key Integrity Protocol (TKIP) which can
operate on WEP-capable hardware
IEEE 802.11i (WPA2)
IEEE standard developed to replace WPA; requires a
new generation of hardware to implement significantly
stronger AES-based CCMP encryption
Client Authentication
Open No authentication is used
Pre-shared Encryption Keys
Keys are manually distributed among clients and APs
Lightweight EAP (LEAP)
Cisco-proprietary EAP method introduced to provide
dynamic keying for WEP (deprecated)
EAP-TLS
Employs Transport Layer Security (TLS); PKI certificates are required on the authentication server and on every client
EAP-TTLS
Clients authenticate the server via its PKI certificate, then form a secure tunnel inside which the client authentication takes place (clients do not need PKI certificates)
Protected EAP (PEAP)
A proposal by Cisco, Microsoft, and RSA which employs
a secure tunnel for client authentication like EAP-TTLS
EAP-FAST
Developed by Cisco to replace LEAP; establishes a
secure tunnel using a Protected Access Credential
(PAC) in the absence of PKI certificates
Quality of Service Markings
WMM       802.11e  802.1p
Platinum  7/6      6/5
Gold      5/4      4/3
Silver    3/0      0
Bronze    2/1      2/1

Wi-Fi Multimedia (WMM)
A Wi-Fi Alliance certification for QoS; a subset of 802.11e QoS
IEEE 802.11e
Official IEEE WLAN QoS standard ratified in 2005; replaces WMM
IEEE 802.1p
QoS markings in the 802.1Q header on wired Ethernet

RF Signal Interference
Reflection, Scattering, Absorption, Refraction, Diffraction

Antenna Types
Directional: Radiates power in one focused direction
Omnidirectional: Radiates power uniformly across a plane
Isotropic: A theoretical antenna referenced when measuring effective radiated power
Diagram (DCF timing): stations A, B, C and D each sense the medium, wait a DIFS after it goes idle, then a random backoff drawn from the contention window before sending a frame; the deferral period is the time spent waiting for the current frame to finish.
IEEE 802.1X (v2.0)
Configuration

Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control

Interface Configuration
! Static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req <count>
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3
802.1X Packet Types
0 EAP Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert

EAP Codes
1 Request
2 Response
3 Success
4 Failure
Terminology
EAP Over LANs (EAPOL)
EAP encapsulated by 802.1X for transport across LANs
Extensible Authentication Protocol (EAP)
A flexible authentication framework defined in RFC 3748
Authentication Server
A backend server which authenticates the credentials
provided by supplicants (for example, a RADIUS server)
Troubleshooting
show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
Supplicant
The device (client) attached to an access link that requests
authentication by the authenticator
Authenticator
The device that controls the status of a link; typically a
wired switch or wireless access point
Guest VLAN
Fallback VLAN for clients not 802.1X-capable
Restricted VLAN
Fallback VLAN for clients which fail authentication
Interface Defaults
Max Auth Requests: 2
Reauthentication: Off
Quiet Period: 60s
Reauth Period: 1hr
Server Timeout: 30s
Supplicant Timeout: 30s
Tx Period: 30s

EAP Req/Resp Types
1 Identity
2 Notification
3 Nak
4 MD5 Challenge
5 One Time Password
6 Generic Token Card
254 Expanded Types
255 Experimental
Port-Control Options
force-unauthorized
Always unauthorized; authentication attempts are ignored
force-authorized
Port will always remain in authorized state (default)
auto
Supplicants must authenticate to gain access
EAP Flow Chart (Supplicant <-> Authenticator carries EAP over EAPOL; Authenticator <-> Authentication Server carries EAP inside RADIUS)
1. Authenticator -> Supplicant: Identity Request
2. Supplicant -> Authenticator: Identity Response; Authenticator -> Server: Access Request
3. Server -> Authenticator: Access Challenge; Authenticator -> Supplicant: Challenge Request
4. Supplicant -> Authenticator: Challenge Response; Authenticator -> Server: Access Request
5. Server -> Authenticator: Access Accept; Authenticator -> Supplicant: Success

EAP Header
Code (1 byte) | Identifier (1 byte) | Length (2 bytes) | Data

802.1X Header
Version (1 byte) | Type (1 byte) | Length (2 bytes) | EAP
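The two headers and the flow chart above are small enough to encode and decode by hand. The Python below is an added example, not from the original sheet: it parses and builds EAPOL and EAP packets with the length checks a real parser needs, constructs the Identity Request / Identity Response / Success frames from the flow chart (these are built here, not captured), and shows why the MD5-Challenge method is only acceptable inside a TLS tunnel.

```python
import hashlib
import struct

EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eap(pkt: bytes) -> dict:
    """EAP header: Code(1) Identifier(1) Length(2) Data. Request and Response carry a
    Type byte as the first data byte; Success and Failure carry no data at all."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length inconsistent with packet size")
    out = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without Type byte")
        out["type"] = EAP_TYPES.get(pkt[4], f"type {pkt[4]}")
        out["data"] = pkt[5:length]          # trailing bytes beyond Length are ignored
    return out


def parse_eapol(frame: bytes) -> dict:
    """802.1X (EAPOL) header: Version(1) Type(1) Length(2). Only Type 0 carries an
    EAP packet; Start, Logoff, Key and Alert have no EAP payload to hand over."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {ptype}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    out = {"version": version, "type": EAPOL_TYPES[ptype]}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def build_eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(eap_pkt: bytes, version: int = 1) -> bytes:
    return struct.pack("!BBH", version, 0, len(eap_pkt)) + eap_pkt


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP type 4 (MD5-Challenge) reuses the CHAP algorithm: MD5(id || secret || challenge).
    Anyone who captures the challenge and the response can brute-force the password
    offline, which is why this method belongs only inside PEAP or EAP-TTLS."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


# Constructed frames following the flow chart (built here, not captured traffic)
IDENTITY_REQUEST = build_eapol(build_eap(1, 1, 1))               # authenticator -> supplicant
IDENTITY_RESPONSE = build_eapol(build_eap(2, 1, 1, b"alice"))    # supplicant -> authenticator
SUCCESS = build_eapol(build_eap(3, 2))                           # authenticator -> supplicant
```

`parse_eapol(IDENTITY_RESPONSE)` returns the identity `b"alice"` in clear text, which is the reason tunnelled methods send an anonymous outer identity; truncating a frame by even two bytes is rejected by the length check rather than silently mis-parsed.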
IPSEC (v2.0)
Encryption Algorithms
Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong

Hashing Algorithms
Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong

Strength ratings are as printed on the original sheet. DES, 3DES, MD5 and SHA-1 have since been deprecated for new IPsec deployments; AES with SHA-2 (and an RSA key of at least 2048 bits) is the current baseline.

Protocols
Internet Security Association and Key Management Protocol (ISAKMP)
A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH)
Provides data integrity and peer authentication, but not data encryption; IP protocol 51
IKE Phases
Phase 1
A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)
Phase 1.5 (optional)
Xauth can optionally be implemented to enforce user authentication
Phase 2
Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

IPsec Modes
Transport Mode
The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted
Tunnel Mode
A new IP header is created in place of the original; this allows for encryption of the entire original packet
Configuration

ISAKMP Policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
(Group 2 and SHA-1 are as shown on the original sheet; current guidance is DH group 14 or higher and a SHA-2 hash.)

ISAKMP Pre-Shared Key
crypto isakmp key MySecretKey address 10.0.0.2

IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel

IPsec Profile
crypto ipsec profile MyProfile
 set transform-set MyTS

Virtual Tunnel Interface
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto {isakmp | ipsec}
Terminology
Data Origin Authentication
Authentication of the SA peer
Data Integrity
Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Data Confidentiality
Encryption is used to ensure data cannot be
intercepted by a third party
Anti-replay
Sequence numbers are used to detect and
discard duplicate packets
Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
provide message authenticity
Diffie-Hellman Exchange
A shared secret key is established over an
insecure path using public and private keys
Packet layouts
Original packet: L2 | IP | TCP/UDP
Transport mode:  L2 | IP | ESP/AH | TCP/UDP
Tunnel mode:     L2 | New IP | ESP/AH | IP | TCP/UDP
IPV4 MULTICAST (v2.0)
Group Ranges
224.0.0.0/24  Local network control
224.0.1.0/24  Internetwork control
232.0.0.0/8   Source-specific
233.0.0.0/8   GLOP (RFC 3180)
239.0.0.0/8   Admin-scoped

PIM Configuration
ip multicast-routing
!
interface FastEthernet0/0
 ip pim {sparse-mode | dense-mode | sparse-dense-mode}
 ip pim version {1 | 2}
Distribution Trees
Source-Rooted
Provides the shortest paths from the
source to receivers
Shared
A common set of links which carry all
multicast traffic; statically configured
IGMP Troubleshooting
show ip igmp group
show ip igmp interface
show ip igmp snooping

Common Groups
224.0.0.1   All hosts
224.0.0.2   All routers
224.0.1.39  Cisco RP Announce
224.0.1.40  Cisco RP Discovery

IGMP
IGMPv2
Adds support for dynamic leave requests and querier election to original IGMP
IGMPv3
Adds multicast source filtering to v2
IGMP Snooping
A switch passively inspects IGMP requests to determine which hosts should receive multicast traffic

Join a group from a router interface (for testing): ip igmp join-group <group>
Terminology
Internet Group Management Protocol (IGMP)
Hosts send IGMP requests to local routers to join multicast groups
Reverse Path Forwarding (RPF)
Verifies that multicast traffic travels in the reverse direction of
unicast traffic, away from the tree root
Cisco Group Management Protocol (CGMP)
A proprietary protocol used by switches to obtain multicast
membership information for end hosts (deprecated)
IGMP Configuration
IGMP Support: Router(config-if)# ip igmp version <#>
IGMP Snooping: Switch(config)# ip igmp snooping
Protocol Independent Multicast (PIM)
Dense Mode
The initial tree encompasses all multicast routers; after a period of
time, routers without IGMP members prune back branches
Sparse-Dense Mode
Allows a PIM-enabled interface to function in either sparse or dense
mode per group
Sparse Mode
The tree is grown from a central rendezvous point out to the
multicast source and recipients
PIMv1
Provides automatic RP discovery with Auto-RP (Cisco proprietary)
PIMv2
Automatic RP discovery is accomplished by the bootstrap router
(BSR) method (standard)
RP Configuration
Manual:                 ip pim rp-address <IP>
Auto-RP Candidate:      ip pim send-rp-announce <interface>
Auto-RP Mapping Agent:  ip pim send-rp-discovery scope <TTL>
BSR Candidate:          ip pim bsr-candidate <interface>
BSR RP Candidate:       ip pim rp-candidate <interface>

PIM Troubleshooting
show ip mroute
show ip pim interface
show ip pim neighbor
show ip pim rp [mapping]
show ip rpf <IP>
IGMPv1
Original IGMP specification

Layer 2 Addressing
The group's low 23 bits are appended to the fixed prefix 01-00-5E, for example 239.142.57.6 maps to 01-00-5E-0E-39-06.
IPV6 (v2.0)
Protocol Header (bit offsets 8 16 24 32)
Ver | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Version (4 bits): Always set to 6
Traffic Class (8 bits): A DSCP value for QoS
Flow Label (20 bits): Identifies unique flows (optional)
Payload Length (16 bits): Length of the payload in bytes
Next Header (8 bits): Header or protocol which follows
Hop Limit (8 bits): Similar to IPv4's time to live field
Source Address (128 bits): Source IP address
Destination Address (128 bits): Destination IP address
Address Types
Unicast One-to-one communication
Multicast One-to-many communication
Anycast An address configured in multiple locations
EUI-64 Formation
1. Insert 0xFFFE between the two halves of the 48-bit MAC
2. Flip (invert) the seventh bit of the first octet, the universal/local flag; for a universally administered MAC this sets it to 1
Special-Use Ranges
::/0
::/128
Default route
Unspecified
::1/128
::/96
Loopback
IPv4-compatible*
::FFFF:0:0/96
2001::/32
IPv4-mapped
Teredo
2001:DB8::/32
2002::/16
Documentation
6to4
FC00::/7
FE80::/10
Unique local
Link-local unicast
FEC0::/10
FF00::/8
Site-local unicast*
Multicast
Extension Headers
Hop-by-hop Options (0)
Carries additional information which must be examined by every
router in the path
Routing (43)
Provides source routing functionality
Fragment (44)
Included when a packet has been fragmented by its source
Encapsulating Security Payload (50)
Provides payload encryption (IPsec)
Authentication Header (51)
Provides packet authentication (IPsec)
Destination Options (60)
Carries additional information which pertains only to the recipient
Transition Mechanisms
Dual Stack
Transporting IPv4 and IPv6 across an infrastructure simultaneously
Tunneling
IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo),
or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation
Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT
Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses
Multicast Scopes
1 Interface-local
2 Link-local
4 Admin-local
5 Site-local
8 Org-local
E Global
* Deprecated
Address Formats
Global unicast:     Global Prefix (48 bits) | Subnet (16 bits) | Interface ID (64 bits)
Link-local unicast: FE80::/10 prefix padded with zeros (64 bits) | Interface ID (64 bits)
Multicast:          FF (8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits)
The interface ID is commonly derived from the MAC address using EUI-64 (see EUI-64 Formation above).

Address Notation
Eliminate leading zeros from all two-byte sets
Replace up to one string of consecutive zeros with a double-colon (::)
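The EUI-64 steps and the two notation rules above, carried out in code. This Python is an added example, not part of the original sheet. It also runs the EUI-64 mapping backwards, which is the privacy problem with MAC-derived interface IDs (the hardware address is recoverable from the IPv6 address, the reason RFC 4941 temporary addresses exist). The sample MAC is constructed, and the compressor is checked against the standard library's RFC 5952 output.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Split the 48-bit MAC, insert 0xFFFE in the middle, and invert the
    universal/local bit (0x02 in the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10 with a zero subnet field, plus the EUI-64 interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def mac_from_eui64_address(addr: str) -> str:
    """Reverse the mapping: any address whose interface ID carries FF:FE in the
    middle leaks the MAC it was built from."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def compress(addr: str) -> str:
    """Apply the notation rules by hand: drop leading zeros in each 16-bit group,
    then replace the single longest run of two or more all-zero groups with '::'
    (the leftmost run on a tie, as RFC 5952 requires). A lone zero group stays."""
    groups = [f"{int(g, 16):x}" for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


SAMPLE_MAC = "00:0c:29:12:34:56"   # constructed example MAC
```

`link_local_from_mac(SAMPLE_MAC)` gives `fe80::20c:29ff:fe12:3456`; note the first octet changed from `00` to `02` and the `ff:fe` marker in the middle, which is exactly what `mac_from_eui64_address` keys on to recover the MAC.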
IS-IS PART 1 (v2.0)
Attributes
Type: Link-State
Algorithm: Dijkstra
Metric: Default (10)
AD: 115
Standard: ISO 10589
Protocols: IP, CLNS
Transport: Layer 2
Authentication: Plaintext, MD5

Network Types
                    Broadcast  Point-to-Point
DIS Elected         Yes        No
Neighbor Discovery  Yes        Yes
Hello/Dead Timers   10/30      10/30

Adjacency Requirements
Interface MTUs must match
Areas must match (if level 1)
System IDs must be unique
Authentication must succeed
Levels must match

Troubleshooting
show ip route
show ip protocols
show [clns | isis] neighbor
show [clns | isis] interface
show isis database

Protocol Header (16 bits per row; bit offsets 4 8 12 16)
IRPD (Intradomain Routing Protocol Discriminator) | Length Indicator
Version/Protocol ID Extension | ID Length
R R R PDU Type | Version
Reserved | Maximum Area Addresses
Packet Length
Type | Length
Value ...
Interdomain Part (IDP)
Portion of the address used in routing between autonomous
systems; assigned by ISO
Domain-Specific Part (DSP)
Portion of the address relevant only within the local AS
Authority and Format Identifier (AFI)
Identifies the authority which dictates the format of the address
Initial Domain Identifier (IDI)
An organization belonging to the AFI
High Order DSP (HODSP)
The area within the AS
System ID
Unique router identifier; 48 bits for Cisco devices (often taken from
a MAC address)
NSAP Selector (SEL)
Identifies a network layer service; always 0x00 in a NET address
Troubleshooting (continued)
show isis spf-log
debug isis spf-events
debug isis adj-packets
debug isis spf-statistics
debug isis update-packets
Routing Levels
Level 0: Used to locate end systems
Level 1: Routing within an area
Level 2: Backbone between areas
Level 3: Inter-AS routing
Terminology
Type-Length-Value (TLV)
Variable-length modular datasets
Link State PDU (LSP)
Carry TLVs encompassing link state
information
DIS Election
Highest-priority interface elected
Default interface priority is 64
Highest SNPA (MAC/DLCI) breaks tie
Highest system ID breaks SNPA tie
Current DIS may be preempted
Sequence Number Packet (SNP)
Used to request and advertise LSPs; can
be complete (CSNP) or partial (PSNP)
Hello Packet
Establishes and maintains neighbor
adjacencies
Designated Intermediate System
A pseudonode responsible for emulating
point-to-point links across a multi-access
segment
NSAP Example
47.0005.80ff.f800.0000.0001.0000.0c00.1234.00
AFI: 47
IDI: 0005
HODSP: 80ff.f800.0000.0001
System ID: 0000.0c00.1234
SEL: 00
Interdomain Part = AFI + IDI; Domain-Specific Part = HODSP + System ID + SEL. The area address is everything before the System ID (47.0005.80ff.f800.0000.0001). In condensed form (as used for a NET), the whole address is written as above with SEL 00.
IS-IS PART 2 (v2.0)
Configuration Example
Router A2
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0001.0000.0000.00a2.00
Router B1
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 1
 ip address 10.0.0.2 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.9 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 103
!
router isis
 net 49.0002.0000.0000.00b1.00
Router A1
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 2
 ip address 10.0.0.1 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.5 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 102
!
router isis
 net 49.0001.0000.0000.00a1.00
Topology diagram: Area 1 (192.168.1.0/24) contains routers A1, A2 and A3; Area 2 (192.168.2.0/24) contains B1, B2 and B3; Area 3 (192.168.3.0/24) contains C1, C2 and C3. A1, B1 and C1 are the level-1-2 routers, joined by level-2-only Frame Relay point-to-point links: A1-B1 on 10.0.0.0/30, A1-C1 on 10.0.0.4/30, B1-C1 on 10.0.0.8/30.
TLV Types
Type  Name                   Use
1     Area Addresses         Hello, LSP
2     IS Neighbors           LSP
3     ES Neighbors           L1 LSP
5     Prefix Neighbors       L2 LSP
6     IS Neighbors           Hello, L2 LSP
8     Padding                Hello
9     LSP Entries            SNP
10    Authentication         All
128   IP Internal Reach.     LSP
129   Protocols Supported    Hello, LSP
131   IDRPI                  SNP, L2 LSP
132   IP Interface Address   Hello, LSP
Router B2
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0002.0000.0000.00b2.00
OSPF PART 1 (v2.1)
Attributes
Type: Link-State
Algorithm: Dijkstra
Metric: Cost (Bandwidth)
AD: 110
Standard: RFC 2328, 2740
Protocols: IP
Transport: IP/89
Router Types
Internal Router
All interfaces reside within the
same area
Backbone Router
A router with an interface in
area 0 (the backbone)
Area Border Router (ABR)
Connects two or more areas
AS Boundary Router (ASBR)
Connects to additional routing
domains; typically located in
the backbone
Troubleshooting
show ip [route | protocols]
show ip ospf interface
show ip ospf neighbor

Metric Formula
cost = reference bandwidth / link speed, with a reference bandwidth of 100,000 Kbps by default (modifiable with ospf auto-cost reference-bandwidth)

Protocol Header (OSPFv3 layout; bit offsets 8 16 24 32)
Version | Type | Length
Router ID
Area ID
Checksum | Instance ID | Reserved
Data
Link State Advertisements
Router Link (Type 1)
Lists neighboring routers and the cost to each; flooded within an area
Network Link (Type 2)
Generated by a DR; lists all routers on an adjacent segment; flooded
within an area
Network Summary (Type 3)
Generated by an ABR and advertised among areas
ASBR Summary (Type 4)
Injected by an ABR into the backbone to advertise the presence of an
ASBR within an area
External Link (Type 5)
Generated by an ASBR and flooded throughout the AS to advertise a
route external to OSPF
NSSA External Link (Type 7)
Generated by an ASBR in a not-so-stubby area; converted into a
type 5 LSA by the ABR when leaving the area
DR/BDR Election
The BDR also maintains adjacencies
with all routers in case the DR fails
Election does not occur on point-to-
point or multipoint links
Default priority (0-255) is 1; highest
priority wins; 0 cannot be elected
DR preemption will not occur unless
the current DR is reset
Virtual Links
Tunnel formed to join two areas across an intermediate (transit) area
Both end routers must share a
common area
At least one end must reside in area 0
Cannot traverse stub areas
Area Types
Standard Area
Default OSPF area type
Stub Area
External link (type 5) LSAs are
replaced with a default route
Totally Stubby Area
Type 3, 4, and 5 LSAs are
replaced with a default route
Not So Stubby Area (NSSA)
A stub area containing an ASBR;
type 5 LSAs are converted to type
7 within the area
External Route Types
E1 Cost to the advertising ASBR plus the external cost of the route
E2 (Default) Cost of the route as seen by the ASBR
Authentication   Plaintext, MD5 (plaintext keys cross the wire in the clear; use the MD5 keyed digest)
AllSPF Address   224.0.0.5
AllDR Address    224.0.0.6
Adjacency States
1 Down
2 Attempt
3 Init
4 2-Way
5 Exstart
6 Exchange
7 Loading
8 Full
show ip ospf border-routers
show ip ospf virtual-links
debug ip ospf [...]
The DR serves as a common point for
all adjacencies on a multiaccess
segment
packetlife.net
by Jeremy Stretch v2.1
OSPF PART 2
Configuration Example
Router A
interface Serial0/0
 description WAN Link
 ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
 description Area 0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
 ! Used as router ID
 ip address 10.0.34.1 255.255.255.0
!
router ospf 100
 ! Advertising the WAN cloud to OSPF
 redistribute static subnets
 network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1

Router C
interface Ethernet0/0
 description Area 9
 ip address 192.168.9.1 255.255.255.0
 ip ospf 100 area 9
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip ospf 100 area 2
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give C second priority (BDR) in election
 ip ospf priority 50
!
interface Loopback0
 ip address 10.0.34.3 255.255.255.0
!
router ospf 100
 ! Define area 9 as a totally stubby area
 area 9 stub no-summary
 ! Virtual link from area 9 to area 0 (transit area 2, peer is B's router ID)
 area 2 virtual-link 10.0.34.2

Router B
interface Ethernet0/0
 description Area 0
 ip address 192.168.0.2 255.255.255.0
 ip ospf 100 area 0
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip ospf 100 area 2
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give B priority in DR election
 ip ospf priority 100
!
interface Ethernet0/2
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip ospf 100 area 1
!
interface Loopback0
 ip address 10.0.34.2 255.255.255.0
!
router ospf 100
 ! Define area 1 as a stub area
 area 1 stub
 ! Virtual link from area 0 to area 9 (transit area 2, peer is C's router ID)
 area 2 virtual-link 10.0.34.3
Network Types
Type                     DR/BDR Elected  Neighbor Discovery  Hello/Dead Timers  Defined By  Supported Topology
Nonbroadcast (NBMA)      Yes             No                  30/120             RFC 2328    Full Mesh
Multipoint               No              Yes                 30/120             RFC 2328    Any
Multipoint Nonbroadcast  No              No                  30/120             Cisco       Any
Broadcast                Yes             Yes                 10/40              RFC 2328    Full Mesh
Point-to-Point           No              Yes                 10/40              RFC 2328    Point-to-Point
Example Topology
Router A sits in Area 0 (backbone) and fronts the WAN cloud 172.16.0.0/18; Router B joins Area 0 to Area 1 (stub area) and Area 2 (standard area); Router C joins Area 2 to Area 9 (totally stubby area) and reaches the backbone through the virtual link across Area 2.
packetlife.net
by Jeremy Stretch v1.2
POINT-TO-POINT PROTOCOL
LCP Header (bit offsets 8/16/24/32)
Code (8) | Identifier (8) | Length (16)
General PPP Configuration
! Configure a peer account if authentication will be used
username peer-hostname password password
! Configure a local IP address pool if needed
ip local pool name first-IP last-IP
interface Serial0/0
 ! Enable PPP encapsulation
 encapsulation ppp
 ! Enable CHAP and/or PAP for authentication
 ppp authentication {chap | pap} [chap | pap]
 ! Enable compression
 compress {predictor | stac}
 ! Enable peer IP address assignment (server side)
 peer default ip address {pool name | IP-address}
 ! Enable IP address negotiation (client side)
 ip address negotiated
Troubleshooting
show ppp multilink
debug ppp authentication
PPP Components
Link Control Protocol (LCP)
Provides for the establishment, configuration, and maintenance of a
PPP link. Protocol-independent options are negotiated by LCP.
Network Control Protocol (NCP)
A separate NCP is used to negotiate the configuration of each
network layer protocol (such as IP) carried by PPP.
debug ppp {negotiation | packet}
PPP Header (bit offsets 8/16/24/32)
Address (8) | Control (8) | Protocol (16)
Connection Phase Flowchart
Dead -> Establish -> (Auth Required) Authenticate -> (Success) Network -> Terminate -> Dead
Establish -> (No Auth) Network
Authenticate -> (Failure) Terminate
Network -> (Admin Shutdown) Terminate
Authentication Protocols
Password Authentication Protocol (PAP)
Original, obsolete authentication protocol which relies on the
exchange of a plaintext password to authenticate peers (RFC 1334);
anyone who can capture the link learns the credential.
Challenge Handshake Authentication Protocol (CHAP)
Authenticates peers using the MD5 hash of the identifier, the pre-shared
secret and a random challenge sent by the authenticator (RFC 1994); the
secret never crosses the link, but a captured exchange can be brute-forced
offline against a weak secret.
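The two exchanges side by side, as an added example that is not part of the packetlife sheet: the CHAP response is the MD5 digest RFC 1994 specifies over identifier, secret and challenge, while the PAP Authenticate-Request carries the password itself. The secret, peer name and challenge bytes are constructed test values.

```python
"""CHAP response computation versus PAP (added example, RFC 1994 / RFC 1334)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || Secret || Challenge).

    The secret never appears on the link; only the 16-byte digest does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with the stored secret and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge(length: int = 16) -> bytes:
    """Challenges must be unpredictable and never reused, or a captured response can be replayed."""
    return os.urandom(length)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request data: length-prefixed peer ID and password, in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def secret_visible_on_wire(payload: bytes, secret: bytes) -> bool:
    """What a sniffer on the serial link sees: is the secret literally in the payload?"""
    return secret in payload


if __name__ == "__main__":
    secret = b"FooBarSecret"          # constructed pre-shared secret
    challenge = new_challenge()
    resp = chap_response(7, secret, challenge)
    print("CHAP verifies:", chap_verify(7, secret, challenge, resp))
    print("CHAP leaks secret:", secret_visible_on_wire(resp, secret))
    print("PAP leaks secret:", secret_visible_on_wire(pap_authenticate_request(b"peer-hostname", secret), secret))
```

Note that the authenticator must hold the secret in a recoverable form to recompute the digest, and that MD5 offers no work factor: a captured challenge/response pair is enough to test candidate secrets offline, so CHAP secrets need to be long and random.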
PPP Features
Protocol Multiplexing Multiple NCPs
Optional Compression Stacker/predictor
Loopback Detection Provided by LCP
Load Balancing Multilink PPP
Optional Authentication PAP/CHAP
Multilink PPP Configuration
! Create the multilink interface
interface Multilink1
 ip address IP-address subnet-mask
 ppp multilink group group
! Assign physical interfaces to the multilink group
interface Serial0/0
 encapsulation ppp
 ! Enable multilink on the member link
 ppp multilink
 ppp multilink group group
PPP Summary
Standard    RFC 1661
Interfaces  Asynchronous serial, synchronous serial, ISDN, HSSI
PPP Compression Algorithms
Stacker
Replaces repetitive data with symbols from a
dynamic dictionary (more processor-intensive)
Predictor
Attempts to predict sequential data (more
memory-intensive)
PPP Connection Example
LCP Configuration Request
LCP Configuration Ack
CHAP Challenge
CHAP Response
CHAP Success
IP Control Configuration Request
IP Control Configuration Ack
CDP Control Configuration Request
CDP Control Configuration Ack
Extensible Authentication Protocol (EAP)
Provides MD5-based authentication similar to CHAP (RFC 3748).
Could be expanded to support other EAP mechanisms as well.
packetlife.net
by Jeremy Stretch v3.0
SPANNING TREE PART 1
BPDU Format
Protocol ID 16
Spanning Tree Protocols
Protocol    Algorithm  Defined By           Instances     Trunking
Legacy STP  Legacy ST  802.1D-1998          1             N/A
PVST        Legacy ST  Cisco                Per VLAN      ISL
PVST+       Legacy ST  Cisco                Per VLAN      802.1Q, ISL
RPVST+      Rapid ST   Cisco                Per VLAN      802.1Q, ISL
MST         Rapid ST   802.1s, 802.1Q-2003  Configurable  802.1Q, ISL
RSTP        Rapid ST   802.1w, 802.1D-2004  1             N/A
Spanning Tree Instance Comparison (diagram of three switches A, B and C)
STP: a single instance carries all VLANs; one root, one blocked link
PVST+: one instance per VLAN (VLANs 1, 10, 20, 30); VLANs 1 and 10 are rooted on one switch and VLANs 20 and 30 on another, so a different link blocks per VLAN
MST: VLANs grouped into instances, MST 0 (VLANs 1, 10) and MST 1 (VLANs 20, 30), each with its own root
Field           Bits
Version         8
BPDU Type       8
Flags           8
Root ID         64
Root Path Cost  32
Bridge ID       64
Port ID         16
Message Age     16
Max Age         16
Hello Time      16
Forward Delay   16
Spanning Tree Specifications (timeline diagram: 802.1D-1998 and 802.1Q-1998, PVST and PVST+, 802.1w, 802.1s, 802.1Q-2003, 802.1D-2004, 802.1Q-2005, RPVST+)
Link Costs
Bandwidth  Cost
4 Mbps     250
10 Mbps    100
16 Mbps    62
45 Mbps    39
100 Mbps   19
155 Mbps   14
622 Mbps   6
1 Gbps     4
10 Gbps    2
20+ Gbps   1
Default Timers
Hello          2s
Forward Delay  15s
Max Age        20s
Port States
Legacy ST   Rapid ST
Disabled    Discarding
Blocking    Discarding
Listening   Discarding
Learning    Learning
Forwarding  Forwarding
IEEE 802.1D-1998 Deprecated legacy STP standard
IEEE 802.1w Introduced RSTP
IEEE 802.1D-2004 Replaced legacy STP with RSTP
IEEE 802.1s Introduced MST
IEEE 802.1Q-2003 Added MST to 802.1Q
PVST Per-VLAN implementation of legacy STP
PVST+ Added 802.1Q trunking to PVST
RPVST+ Per-VLAN implementation of RSTP
Port Roles
Legacy ST   Rapid ST
Root        Root
Designated  Designated
Blocking    Alternate
            Backup
Spanning Tree Operation
1. Determine root bridge: the bridge advertising the lowest bridge ID becomes the root bridge
2. Select root port: each bridge selects its primary port facing the root
3. Select designated ports: one designated port is selected per segment
4. Block ports with loops: all non-root and non-designated ports are blocked
IEEE 802.1Q-2005 Most recent 802.1Q revision
packetlife.net
by Jeremy Stretch v3.0
SPANNING TREE PART 2
PVST+ and RPVST+ Configuration
spanning-tree mode {pvst | rapid-pvst}
! Bridge priority
spanning-tree vlan 1-4094 priority 32768
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
spanning-tree vlan 1-4094 forward-time 15
spanning-tree vlan 1-4094 max-age 20
! PVST+ enhancements
spanning-tree backbonefast
spanning-tree uplinkfast
! Interface attributes
interface FastEthernet0/1
 spanning-tree [vlan 1-4094] port-priority 128
 spanning-tree [vlan 1-4094] cost 19
 ! Manual link type specification
 spanning-tree link-type {point-to-point | shared}
 ! Enables PortFast if running PVST+, or
 ! designates an edge port under RPVST+
 spanning-tree portfast
 ! Spanning tree protection
 spanning-tree guard {loop | root | none}
 ! Per-interface toggling
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
Troubleshooting
show spanning-tree [summary | detail | root]
show spanning-tree [interface | vlan]
MST Configuration
spanning-tree mode mst
! MST configuration
spanning-tree mst configuration
 name MyTree
 revision 1
 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19
Bridge ID Format
Priority (4 bits) | System ID Extension (12 bits) | MAC Address (48 bits)
System ID Extension
12-bit value taken from VLAN number (IEEE 802.1t)
Priority
4-bit bridge priority (configurable from 0 to 61440 in
increments of 4096)
MAC Address
48-bit unique identifier
Path Selection
1 Bridge with lowest root ID becomes the root
2 Prefer the neighbor with the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID
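The BPDU field layout from Part 1 and the bridge ID format and path selection order from Part 2, as an added example that is not from the packetlife sheets: a configuration BPDU is packed and unpacked field by field, bridge IDs are split into priority, system ID extension and MAC, and received BPDUs are ranked by the four criteria above. All MAC addresses and values are constructed.

```python
"""Configuration BPDU encoder/decoder and root selection (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# 802.1D configuration BPDU: 35 bytes, network byte order, no padding.
_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(_FMT)   # 35


@dataclass(frozen=True)
class BridgeID:
    priority: int   # multiple of 4096, 0-61440
    vlan: int       # 12-bit system ID extension (802.1t)
    mac: str        # aa:bb:cc:dd:ee:ff

    def to_bytes(self) -> bytes:
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        return struct.pack("!H", self.priority | (self.vlan & 0xFFF)) + bytes.fromhex(self.mac.replace(":", ""))

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeID":
        pri_ext = struct.unpack("!H", raw[:2])[0]
        return cls(pri_ext & 0xF000, pri_ext & 0x0FFF, raw[2:8].hex(":"))

    def sort_key(self) -> Tuple[int, int]:
        """Lower is better: the 16-bit priority+extension first, then the MAC."""
        return (self.priority | self.vlan, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class ConfigBPDU:
    root: BridgeID
    root_path_cost: int
    bridge: BridgeID        # sending bridge
    port_id: int            # sender port priority (high byte) + port number
    message_age: float = 0.0
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0
    flags: int = 0

    def encode(self) -> bytes:
        # Timers are carried in units of 1/256 second.
        return struct.pack(_FMT, 0, 0, 0, self.flags, self.root.to_bytes(), self.root_path_cost,
                           self.bridge.to_bytes(), self.port_id, int(self.message_age * 256),
                           int(self.max_age * 256), int(self.hello_time * 256), int(self.forward_delay * 256))

    @classmethod
    def decode(cls, raw: bytes) -> "ConfigBPDU":
        if len(raw) < BPDU_LEN:
            raise ValueError("truncated BPDU")
        proto, version, kind, flags, root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack(_FMT, raw[:BPDU_LEN])
        if proto != 0 or kind != 0x00:
            raise ValueError("not a configuration BPDU")
        return cls(BridgeID.from_bytes(root), cost, BridgeID.from_bytes(bridge), port,
                   age / 256, max_age / 256, hello / 256, fwd / 256, flags)

    def selection_key(self):
        """Path selection order: root ID, cost to root, sender bridge ID, sender port ID."""
        return (self.root.sort_key(), self.root_path_cost, self.bridge.sort_key(), self.port_id)


def best_bpdu(received: List[ConfigBPDU]) -> ConfigBPDU:
    """The BPDU a bridge adopts from those heard on its ports (lowest key wins)."""
    return min(received, key=lambda b: b.selection_key())


def elected_root(own: BridgeID, received: List[ConfigBPDU]) -> str:
    """MAC of the root this bridge concludes after comparing its own ID with what it hears."""
    if not received:
        return own.mac
    best = best_bpdu(received)
    return own.mac if own.sort_key() < best.root.sort_key() else best.root.mac
```

The ranking is purely numeric: a device injecting a BPDU with priority 0 wins the election against every default bridge, which is the reason Root Guard and BPDU Guard exist on access ports.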
Optional PVST+ Enhancements
PortFast
Enables immediate transition into the forwarding state
(designates edge ports under MST)
UplinkFast
Enables switches to maintain backup paths to root
BackboneFast
Enables immediate expiration of the Max Age timer in
the event of an indirect link failure
Spanning Tree Protection
Root Guard
Prevents a port from becoming the root port
BPDU Guard
Error-disables a port if a BPDU is received
Loop Guard
Prevents a blocked port from transitioning to listening
after the Max Age timer has expired
BPDU Filter
Blocks BPDUs on an interface (disables STP)
RSTP Link Types
Point-to-Point
Connects to exactly one other bridge (full duplex)
Shared
Potentially connects to multiple bridges (half duplex)
Edge
Connects to a single host; designated by PortFast
show spanning-tree mst [...]
packetlife.net
by Jeremy Stretch v1.0
SCAPY
Constructing Packets
# Setting protocol fields
>>> ip=IP(src="10.0.0.1")
>>> ip.dst="10.0.0.2"
# Combining layers
>>> l3=IP()/TCP()
>>> l2=Ether()/l3
# Splitting layers apart
>>> l2.getlayer(1)
<IP frag=0 proto=tcp |<TCP |>>
>>> l2.getlayer(2)
<TCP |>
Basic Commands
ls()
List all available protocols and protocol options
lsc()
List all available scapy command functions
conf
Show/set scapy configuration parameters
Specifying Addresses and Values
# Explicit IP address (use quotation marks)
>>> IP(dst="192.0.2.1")
# DNS name to be resolved at time of transmission
>>> IP(dst="example.com")
# IP network (results in a packet template)
>>> IP(dst="192.0.2.0/24")
# Random addresses with RandIP() and RandMAC()
>>> IP(dst=RandIP())
>>> Ether(dst=RandMAC())
# Set a range of numbers to be used (template)
>>> IP(ttl=(1,30))
# Random numbers with RandInt() and RandLong()
>>> IP(id=RandInt())
Displaying Packets
# Show an entire packet
>>> (Ether()/IPv6()).show()
###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:00:00:00:00:00
  type= 0x86dd
###[ IPv6 ]###
  version= 6
  tc= 0
  fl= 0
  plen= None
  nh= No Next Header
  hlim= 64
  src= ::1
  dst= ::1
# Show field types with default values
>>> ls(UDP())
sport : ShortEnumField = 1025 (53)
dport : ShortEnumField = 53 (53)
len : ShortField = None (None)
chksum : XShortField = None (None)
Sending Packets
send(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer three
sendp(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer two
sendpfast(pkt, pps=N, mbps=N, loop=0, iface=N)
Send packets much faster at layer two using tcpreplay
Sending and Receiving Packets
sr(pkt, filter=N, iface=N), srp(...)
Send packets and receive replies
sr1(pkt, inter=0, loop=0, count=1, iface=N), srp1(...)
Send packets and return only the first reply
srloop(pkt, timeout=N, count=N), srploop(...)
Send packets in a loop and print each reply
Fuzzing
# Randomize fields where applicable
>>> fuzz(ICMP()).show()
###[ ICMP ]###
  type= <RandByte>
  code= 227
  chksum= None
  unused= <RandInt>
Sniffing Packets
sniff(count=0, store=1, timeout=N)
Record packets off the wire; returns a list of packets when stopped
# Capture up to 100 packets (or stop with ctrl-c)
>>> pkts=sniff(count=100, iface="eth0")
>>> pkts
<Sniffed: TCP:92 UDP:7 ICMP:1 Other:0>
# Sending examples
>>> send(IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="192.0.2.1")/UDP(dport=53))
.
Sent 1 packets.
>>> srloop(IP(dst="packetlife.net")/ICMP(), count=3)
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
packetlife.net
by Jeremy Stretch v2.0
TCPDUMP
Command Line Options
-A           Print frame payload in ASCII
-c <count>   Exit after capturing count packets
-D           List available interfaces
-e           Print link-level headers
-F <file>    Use file as the filter expression
-G <n>       Rotate the dump file every n seconds
-i <iface>   Specifies the capture interface
-K           Don't verify TCP checksums
-L           List data link types for the interface
-n           Don't convert addresses to names
-p           Don't capture in promiscuous mode
-q           Quick output
-r <file>    Read packets from file
-s <len>     Capture up to len bytes per packet
-S           Print absolute TCP sequence numbers
-t           Don't print timestamps
-v[v[v]]     Print more verbose output
-w <file>    Write captured packets to file
-x           Print frame payload in hex
-X           Print frame payload in hex and ASCII
-y <type>    Specify the data link type
-Z <user>    Drop privileges from root to user
Capture Filter Primitives
[src|dst] host <host>                       Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>                Matches a host as the Ethernet source, destination, or either
gateway host <host>                         Matches packets which used host as a gateway
[src|dst] net <network>/<len>               Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>             Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>     Matches TCP or UDP packets to/from a port in the given range
less <length>                               Matches packets less than or equal to length
greater <length>                            Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>             Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                        Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                    Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]     Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                               Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                              Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                       Matches packets by an arbitrary expression
Protocols
arp, ether, fddi, icmp, ip, ip6, link, ppp, radio, rarp, slip, tcp, tr, udp, wlan
TCP Flags
tcp-urg  tcp-ack  tcp-psh  tcp-rst  tcp-syn  tcp-fin
Modifiers
! or not
&& or and
|| or or
Examples
udp dst port not 53              UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2   Traffic between these hosts
tcp dst port 80 or 8080          Packets to either TCP port
ICMP Types
icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo,
icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp,
icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply
packetlife.net
by Jeremy Stretch v2.0
IOS IPV4 ACCESS LISTS
Standard ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]
Actions
permit    Allow matched packets
deny      Deny matched packets
remark    Record a configuration comment
evaluate  Evaluate a reflexive ACL
Extended ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers
1-99, 1300-1999     IP standard
100-199, 2000-2699  IP extended
200-299             Protocol
300-399             DECnet
400-499             XNS
500-599             Extended XNS
600-699             Appletalk
700-799             Ethernet MAC
800-899             IPX standard
900-999             IPX extended
1000-1099           IPX SAP
1100-1199           MAC extended
1200-1299           IPX summary
TCP Options
ack          Match ACK flag
fin          Match FIN flag
psh          Match PSH flag
rst          Match RST flag
syn          Match SYN flag
urg          Match URG flag
established  Match packets in an established session (ACK or RST bit set)
Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
Source/Destination Definitions
any Any address
hos1 <address> A single address
<ne1Work> <mask> Any address matched by the wildcard mask
IP Options
dscp <DSCP>         Match the specified IP DSCP
fragments           Check non-initial fragments
option <option>     Match the specified IP option
precedence (0-7)    Match the specified IP precedence
ttl <count>         Match the specified IP time to live (TTL)
TCP/UDP Port Definitions
eq <port>            Equal to
neq <port>           Not equal to
gt <port>            Greater than
lt <port>            Less than
range <port> <port>  Matches a range of port numbers
Miscellaneous Options
reflect <name>      Create a reflexive ACL entry
time-range <name>   Enable rule only during the given time range
Logging Options
log        Log ACL entry matches
log-input  Log matches including ingress interface and source MAC address
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}
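The matching rules above (wildcard masks, first match wins, implicit deny at the end, the eq/neq/gt/lt/range port operators and the established option) run against sample packets. This is an added example, not from the packetlife sheet; the OUTSIDE-IN access list and the packet dictionaries are constructed, and the parser covers only the modern-syntax entries shown on this sheet.

```python
"""Evaluate IOS extended ACL entries against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[str, int, int]]   # (operator, low, high); high only used by range


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard: a 0 bit must match, a 1 bit is 'don't care' (wildcard = inverted subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /18 -> 0.0.63.255 (the Wildcard column of the subnetting table)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))


@dataclass
class ACE:
    action: str
    protocol: str
    src: Tuple[str, str]      # (network, wildcard)
    sport: PortSpec
    dst: Tuple[str, str]
    dport: PortSpec
    established: bool
    log: bool
    text: str


def _take_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt"):
        return (tokens[i], int(tokens[i + 1]), 0), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def parse_ace(line: str) -> ACE:
    """[seq] {permit|deny} <protocol> <source> [ports] <destination> [ports] [options]"""
    tokens = line.split()
    i = 1 if tokens[0].isdigit() else 0
    action, protocol = tokens[i], tokens[i + 1]
    i += 2
    src, i = _take_addr(tokens, i)
    sport, i = _take_port(tokens, i) if protocol in ("tcp", "udp") else (None, i)
    dst, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i) if protocol in ("tcp", "udp") else (None, i)
    options = set(tokens[i:])
    return ACE(action, protocol, src, sport, dst, dport,
               "established" in options, "log" in options, line.strip())


def parse_acl(text: str) -> List[ACE]:
    """Entries are the lines under 'ip access-list extended <name>'; remarks are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("ip access-list", "!", "remark"))]


def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, str]:
    """First matching entry wins; every ACL ends with an implicit deny of everything."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace.src) or not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if not port_match(ace.sport, pkt.get("sport", 0)) or not port_match(ace.dport, pkt.get("dport", 0)):
            continue
        if ace.established and not (pkt.get("flags", set()) & {"ack", "rst"}):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed ACL: web server reachable from outside, return traffic only into the inside network
OUTSIDE_IN = """
ip access-list extended OUTSIDE-IN
 10 permit tcp any host 192.0.2.1 eq 80
 20 permit tcp any 10.0.0.0 0.0.255.255 established
 30 deny ip any any log
"""
```

The established entry is the classic weak spot: it checks only that ACK or RST is set, so any packet crafted with ACK passes entry 20 into the inside network. Reflexive ACLs (the reflect/evaluate keywords on this sheet) or the zone-based firewall are the stateful replacements.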
packetlife.net
by Jeremy Stretch v2.0
IPV4 SUBNETTING
Subnets
CIDR  Subnet Mask      Addresses      Wildcard
/32   255.255.255.255  1              0.0.0.0
/31   255.255.255.254  2              0.0.0.1
/30   255.255.255.252  4              0.0.0.3
/29   255.255.255.248  8              0.0.0.7
/28   255.255.255.240  16             0.0.0.15
/27   255.255.255.224  32             0.0.0.31
/26   255.255.255.192  64             0.0.0.63
/25   255.255.255.128  128            0.0.0.127
/24   255.255.255.0    256            0.0.0.255
/23   255.255.254.0    512            0.0.1.255
/22   255.255.252.0    1,024          0.0.3.255
/21   255.255.248.0    2,048          0.0.7.255
/20   255.255.240.0    4,096          0.0.15.255
/19   255.255.224.0    8,192          0.0.31.255
/18   255.255.192.0    16,384         0.0.63.255
/17   255.255.128.0    32,768         0.0.127.255
/16   255.255.0.0      65,536         0.0.255.255
/15   255.254.0.0      131,072        0.1.255.255
/14   255.252.0.0      262,144        0.3.255.255
/13   255.248.0.0      524,288        0.7.255.255
/12   255.240.0.0      1,048,576      0.15.255.255
/11   255.224.0.0      2,097,152      0.31.255.255
/10   255.192.0.0      4,194,304      0.63.255.255
/9    255.128.0.0      8,388,608      0.127.255.255
/8    255.0.0.0        16,777,216     0.255.255.255
/7    254.0.0.0        33,554,432     1.255.255.255
/6    252.0.0.0        67,108,864     3.255.255.255
/5    248.0.0.0        134,217,728    7.255.255.255
/4    240.0.0.0        268,435,456    15.255.255.255
/3    224.0.0.0        536,870,912    31.255.255.255
/2    192.0.0.0        1,073,741,824  63.255.255.255
/1    128.0.0.0        2,147,483,648  127.255.255.255
/0    0.0.0.0          4,294,967,296  255.255.255.255
Decimal to Binary
Subnet Mask Wildcard
255 0
254 1
252 3
248 7
240 15
224 31
192 63
128 127
0 255
Subnet Proportion
Classful Ranges
A 0.0.0.0 - 127.255.255.255
B 128.0.0.0 - 191.255.255.255
C 192.0.0.0 - 223.255.255.255
D 224.0.0.0 - 239.255.255.255
E 240.0.0.0 - 255.255.255.255
Reserved Ranges
RFC 1918 10.0.0.0 - 10.255.255.255
Localhost 127.0.0.0 - 127.255.255.255
RFC 1918 172.16.0.0 - 172.31.255.255
RFC 1918 192.168.0.0 - 192.168.255.255
Subnet Proportion (diagram): one /24 divided into a /25, a /26, a /27, a /28, a /29 and two /30 blocks
Terminology
CIDR
Classless interdomain routing was developed to
provide more granularity than legacy classful
addressing; CIDR notation is expressed as /XX
VLSM
Variable-length subnet masks are an arbitrary length
between 0 and 32 bits; CIDR relies on VLSMs to define
routes
packetlife.net
by Jeremy Stretch v2.0
FRAME MODE MPLS
MPLS Configuration
! Enable CEF
ip cef
! Select label protocol
mpls label protocol ldp
! Enable MPLS on IP interfaces
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ! Raise MPLS MTU to accommodate a multilabel stack
 mpls mtu 1512
Terminology
Tag Distribution Protocol (TDP)
Cisco's proprietary predecessor to LDP
Label Distribution Protocol (LDP)
Standards-based label distribution protocol
defined in RFC 3036 (since obsoleted by RFC 5036)
Interim Packet Propagation
An LSR temporarily falls back to IP routing
while waiting to learn the necessary MPLS
label(s)
Label-Switched Path (LSP)
The unidirectional path through one or more
LSRs taken by a label-switched packet
belonging to an FEC
Forwarding Equivalence Class (FEC)
A group of packets which are forwarded in an
identical manner, typically by destination prefix
and/or traffic class
Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail]        (LIB)
show mpls forwarding-table [detail]    (LFIB)
show ip cef [detail]                   (FIB)
Protocol Header (32-bit label stack entry, bit offsets 8/16/24/32)
Label (20 bits) | TC (3 bits) | S (1 bit) | TTL (8 bits)
Label (20 bits)           Unique label value
Traffic Class (3 bits)    CoS-mapped QoS marking
Bottom of Stack (1 bit)   Indicates label is last in the stack
Time To Live (8 bits)     Hop counter mapped from IP TTL
Label stack placement: L2 header | one or more label entries | IP packet
Label Switched Path
Customer (C)        IP-only routers internal to customer network
Customer Edge (CE)  C routers which face PE routers
Provider Edge (PE)  LSRs on the MPLS-IP boundary
Provider (P)        MPLS-only LSRs in provider network
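The label stack entry layout above, walked until the bottom-of-stack bit, plus one LSR hop of swap or pop against an LFIB, as an added example that is not from the packetlife sheet. The LFIB contents, the label values and the packet bytes are constructed; the reserved value 3 (implicit null) is the label an egress router advertises to request penultimate hop popping (RFC 3032). The TTL written back into the inner header on a pop is left out to keep the hop logic short.

```python
"""Parse, push and pop MPLS label stack entries, including PHP (added example)."""
import struct
from typing import Dict, List, Tuple

IMPLICIT_NULL = 3   # reserved label: "pop instead of swap" (RFC 3032)


def decode_entry(word: int) -> dict:
    """32-bit entry: Label (20) | TC (3) | S (1) | TTL (8)."""
    return {"label": word >> 12, "tc": (word >> 9) & 0x7, "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


def encode_entry(label: int, tc: int, s: int, ttl: int) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((s & 1) << 8) | (ttl & 0xFF))


def parse_stack(frame: bytes) -> Tuple[List[dict], bytes]:
    """Walk entries until the bottom-of-stack bit; return (entries, payload after the stack)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack runs past end of frame")
        entry = decode_entry(struct.unpack("!I", frame[offset:offset + 4])[0])
        entries.append(entry)
        offset += 4
        if entry["s"]:
            return entries, frame[offset:]


def build_stack(labels: List[Tuple[int, int]], ttl: int, payload: bytes) -> bytes:
    """labels = [(label, tc), ...] top first; the TTL is copied from the IP header at ingress."""
    out = b""
    for idx, (label, tc) in enumerate(labels):
        out += encode_entry(label, tc, 1 if idx == len(labels) - 1 else 0, ttl)
    return out + payload


def forward(frame: bytes, lfib: Dict[int, Tuple[str, int]]) -> Tuple[str, bytes]:
    """One LSR hop: look up the top label in the LFIB, then swap or pop, decrementing the TTL.

    lfib maps incoming label -> (next hop, outgoing label). An outgoing label of
    IMPLICIT_NULL means pop (penultimate hop popping): the next hop receives the
    remaining stack or the bare IP packet and only performs one lookup.
    """
    entries, payload = parse_stack(frame)
    top = entries[0]
    next_hop, out_label = lfib[top["label"]]
    ttl = top["ttl"] - 1
    if ttl <= 0:
        raise ValueError("TTL expired in transit")
    rest = b"".join(encode_entry(e["label"], e["tc"], e["s"], e["ttl"]) for e in entries[1:])
    if out_label == IMPLICIT_NULL:
        return next_hop, rest + payload
    return next_hop, encode_entry(out_label, top["tc"], top["s"], ttl) + rest + payload


if __name__ == "__main__":
    ip_pkt = bytes([0x45, 0x00]) + bytes(18)          # constructed start of an IPv4 header
    frame = build_stack([(1001, 5), (16, 0)], 64, ip_pkt)   # transport label over a VPN label
    hop, frame = forward(frame, {1001: ("P2", 2002)})         # swap at a P router
    hop, frame = forward(frame, {2002: ("PE-egress", IMPLICIT_NULL)})   # PHP at the last P router
    print(hop, parse_stack(frame)[0])                         # only the inner label 16 remains
```

The parser trusts the S bit, so a stack whose last entry never sets S keeps consuming the payload as labels until the length check fires; that is the failure mode the "runs past end of frame" guard exists for.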
Label Protocols
                LDP        TDP
Hello Port      UDP/646    UDP/711
Hello Address   224.0.0.2  255.255.255.255
Proprietary     No         Yes (Cisco)
Adjacency Port  TCP/646    TCP/711
LSP diagram: C and CE routers sit in the customer network; CE routers attach to PE routers, and the LSP runs from PE to PE across the P routers of the provider network
Conceptual Components
Forwarding/Data Plane
Forwards packets based on label or destination
IP address (includes the FIB and LFIB)
Control Plane
Facilitates label exchange between neighboring
LSRs using LDP or TDP (includes the LIB)
Label Switching Router (LSR)
Any router performing label switching (MPLS)
Label Information Base (LIB)
Contains all labels learned by an LSR via a label
distribution protocol
Forwarding Information Base (FIB)
Routing database for unlabeled (IP) packets
Label FIB (LFIB)
Routing database for labeled (MPLS) packets
Penultimate Hop Popping (PHP)
The second-to-last LSR in an LSP removes the
MPLS label so the last LSR only has to perform
an IP lookup
debug mpls [...]
packetlife.net
by Jeremy Stretch v1.0
IOS ZONE-BASED FIREWALL
Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
Security Zones
! Defining security zones
zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest
Zone Pair Configuration
! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted
Terminology
Security Zone
A group of interfaces which share a common level of security
Zone Pair
A unidirectional pairing of source and destination zones to which a
security policy is applied; traffic between two zones with no zone pair
is dropped, while traffic between interfaces in the same zone passes
Inspection Policy
An inspect-type policy map used to statefully filter traffic by
matching one or more inspect-type class maps
Zone diagram: Trusted, Guest and Internet zones, joined by the three zone pairs configured above
Inspection Class Configuration
! Match by protocol
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp
! Match by access list (an extended ACL takes a wildcard mask, not a subnet mask)
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
!
class-map type inspect match-all ByAccessList
 match access-group name MyACL
Inspection Policy Actions
Drop     Traffic is prevented from passing
Pass     Traffic is permitted to pass without stateful inspection
Inspect  Traffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction
Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 ! Drop and log unpermitted traffic
 class class-default
  drop log
Parameter Map
An optional configuration of protocol-specific parameters referenced
by an inspection policy
debug zone security events
Parameter Map Configuration
parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3
show parameter-map type inspect
Example topology: G0/0 MPLS WAN (Trusted), G0/1 Internet, G0/2.10 corporate LAN (Trusted), G0/2.20 guest wireless LAN (Guest)
packetlife.net
by Jeremy Stretch v1.0
NETWORK ADDRESS TRANSLATION
NAT Boundary Configuration
interface FastEthernet0
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet1
 ip address 174.143.212.1 255.255.252.0
 ip nat outside
Example Topology
FastEthernet0 10.0.0.1/16 (NAT Inside) | FastEthernet1 174.143.212.1/22 (NAT Outside)
Static Source Translation
! One line per static translation
ip nat inside source static 10.0.0.19 192.0.2.1
ip nat inside source static 10.0.1.47 192.0.2.2
ip nat outside source static 174.143.212.133 10.0.0.47
ip nat outside source static 174.143.213.240 10.0.2.181
Dynamic Source Translation
! Create an access list to match inside local addresses
access-list 10 permit 10.0.0.0 0.0.255.255
!
! Create NAT pool of inside global addresses
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24
!
! Combine them with a translation rule
ip nat inside source list 10 pool MyPool
!
! Dynamic translations can be combined with static entries
ip nat inside source static 10.0.0.42 192.0.2.42
Port Address Translation (PAT)
! Static layer four port translations
ip nat inside source static tcp 10.0.0.3 8080 192.0.2.1 80
ip nat inside source static udp 10.0.0.14 53 192.0.2.2 53
ip nat outside source static tcp 174.143.212.4 23 10.0.0.8 23
!
! Dynamic port translation with a pool
ip nat inside source list 11 pool MyPool overload
!
! Dynamic translation with interface overloading
ip nat inside source list 11 interface FastEthernet1 overload
Inside Destination Translation
! Create a rotary NAT pool
ip nat pool LoadBalServers 10.0.99.200 10.0.99.203 prefix-length 24 type rotary
!
! Enable load balancing across inside hosts for incoming traffic
ip nat inside destination list 12 pool LoadBalServers
Address Classification
Perspective / Location   Local          Global
Inside                   Inside Local   Inside Global
Outside                  Outside Local  Outside Global
Inside Local     An actual address assigned to an inside host
Inside Global    An inside address seen from the outside
Outside Local    An outside address seen from the inside
Outside Global   An actual address assigned to an outside host
Troubleshooting
show ip nat translations [verbose]
show ip nat statistics
clear ip nat translations
Special NAT Pool Types
Rotary      Used for load balancing
Match-Host  Preserves the host portion of the address after translation
Terminology
NAT Pool
A pool of IP addresses to be used as inside
global or outside local addresses in translations
Extendable Translation
The extendable keyword must be appended
when multiple overlapping static translations are
configured
Port Address Translation (PAT)
An extension to NAT that translates information
at layer four and above, such as TCP and UDP
port numbers; dynamic PAT configurations
include the overload keyword
NAT Translations Tuning
ip nat translation tcp-timeout <seconds>
ip nat translation udp-timeout <seconds>
ip nat translation max-entries <number>
packetlife.net
by Jeremy Stretch v2.0
QUALITY OF SERVICE PART 1
Layer 2 QoS Markings
Medium       Name                      Type
Ethernet     Class of Service (CoS)    3-bit 802.1p field in 802.1Q header
Frame Relay  Discard Eligibility (DE)  1-bit drop eligibility flag
Quality of Service Models
Best Effort
No QoS policies are implemented
Integrated Services (IntServ)
Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-
flow across all nodes in a path
Differentiated Services (DiffServ)
Packets are individually classified and marked; policy decisions are made
independently by each node in a path
IP Type of Service (TOS)
IPv4 header start: Ver | HL | TOS | Len; the TOS byte carries IP Precedence in its first 3 bits and DSCP in its first 6 bits
Precedence/DSCP
Binary  DSCP  Name      Prec.
111000  56    Reserved  7
110000  48    Reserved  6
101110  46    EF        5
100000  32    CS4       4
100010  34    AF41      4
100100  36    AF42      4
100110  38    AF43      4
011000  24    CS3       3
011010  26    AF31      3
011100  28    AF32      3
011110  30    AF33      3
010000  16    CS2       2
010010  18    AF21      2
010100  20    AF22      2
010110  22    AF23      2
001000  8     CS1       1
001010  10    AF11      1
001100  12    AF12      1
001110  14    AF13      1
000000  0     BE        0
Layer 2 QoS Markings (continued)
ATM   Cell Loss Priority (CLP)  1-bit drop eligibility flag
MPLS  Traffic Class (TC)        3-bit field compatible with 802.1p
IP QoS Markings
IP Precedence
The first three bits of the IP TOS field; limited to 8 traffic classes
Differentiated Services Code Point (DSCP)
The first six bits of the IP TOS are evaluated to provide more granular
classification; backward-compatible with IP Precedence
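The bit structure behind the Precedence/DSCP table, as an added example that is not from the packetlife sheet: DSCP is the top six bits of the TOS byte, precedence is the top three bits of the DSCP, and the AFxy names encode class (bits 5-3) and drop precedence (bits 2-1). The sample TOS bytes are constructed; the generated table also lists CS5 (DSCP 40), which the sheet omits.

```python
"""Decode DSCP values into per-hop behaviour names (added example)."""
from typing import List, Tuple


def dscp_from_tos(tos_byte: int) -> int:
    """Top six bits of the TOS byte; the low two bits are ECN, not a QoS marking."""
    return (tos_byte & 0xFF) >> 2


def precedence(dscp: int) -> int:
    """IP Precedence is the top three bits of the DSCP (backward compatibility)."""
    return (dscp & 0x3F) >> 3


def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP to EF, CSn, AFxy, BE or 'unassigned'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:                       # 101110
        return "EF"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:                         # xxx000: class selector
        return "BE" if cls == 0 else "CS%d" % cls
    if 1 <= cls <= 4 and low in (2, 4, 6):   # AF class 1-4, drop precedence 1-3
        return "AF%d%d" % (cls, low // 2)
    return "unassigned"


def decode_tos(tos_byte: int) -> Tuple[int, int, str]:
    """(DSCP, precedence, PHB name) for a raw TOS byte, e.g. 0xB8 -> (46, 5, 'EF')."""
    d = dscp_from_tos(tos_byte)
    return d, precedence(d), phb_name(d)


def dscp_table() -> List[Tuple[str, int, str, int]]:
    """Rows of (binary, DSCP, name, precedence) in the layout of the sheet's table."""
    rows = []
    for d in range(64):
        name = phb_name(d)
        if name == "unassigned":
            continue
        if d in (48, 56):                # CS6/CS7 are shown as Reserved on the sheet
            name = "Reserved"
        rows.append((format(d, "06b"), d, name, precedence(d)))
    return rows


if __name__ == "__main__":
    for row in dscp_table():
        print("%s  %2d  %-8s %d" % row)
```

A trust boundary is where these values stop being believed: a host can set 0xB8 on its own packets, so the first switch or router should re-mark untrusted ingress rather than honour an EF claim.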
QoS Flowchart
Packet arrives -> is the hardware queue full? No: it goes straight into the hardware queue. Yes: the queuing decision places it in one of the software queues, and the scheduler moves packets from the software queues into the hardware queue as space frees.
Terminology
Per-Hop Behavior (PHB)
The individual QoS action performed at each independent DiffServ node
Trust Boundary Beyond this, inbound QoS markings are not trusted
Tail Drop Occurs when a packet is dropped because a queue is full
Policing
Imposes an artificial ceiling on the amount of bandwidth that may be
consumed; traffic exceeding the policer rate is reclassified or dropped
Shaping
Similar to policing but buffers excess traffic for delayed transmission;
makes more efficient use of bandwidth but introduces a delay
DSCP Per-Hop Behaviors
Class Selector (CS) Backward-compatible with IP Precedence values
Assured Forwarding (AF) Four classes with variable drop preferences
Expedited Forwarding (EF) Priority queuing for delay-sensitive traffic
Congestion Avoidance
Random Early Detection (RED)
Packets are randomly dropped
before a queue is full to prevent tail
drop; mitigates TCP
synchronization
Weighted RED (WRED)
RED with the added capability of
recognizing prioritized traffic based
on its marking
TCP Synchronization
Flows adjust TCP window sizes in synch, making inefficient use of a link
Class-Based WRED (CBWRED)
WRED employed inside a class-
based WFQ (CBWFQ) queue
packetlife.net
by Jeremy Stretch v2.0
QUALITY OF SERVICE PART 2
Queuing Comparison
                            FIFO       PQ         CQ          WFQ        CBWFQ       LLQ
Number of Queues            1          4          Configured  Dynamic    Configured  Configured
Configurable Classes        No         Yes        Yes         No         Yes         Yes
Bandwidth Allocation        Automatic  Automatic  Configured  Automatic  Configured  Configured
Provides for Minimal Delay  No         Yes        No          No         No          Yes
Modern Implementation       Yes        No         No          No         Yes         Yes
Default on Interfaces       >2 Mbps    No         No          <=2 Mbps   No          No
LLQ Config Example
Class Definitions
! Match packets by DSCP value
class-map match-all Voice
 match dscp ef
!
class-map match-all Call-Signaling
 match dscp cs3
!
class-map match-any Critical-Apps
 match dscp af21 af22
!
! Match packets by access list
class-map match-all Scavenger
 match access-group name Other
Policy Creation
policy-map Foo
 class Voice
  ! Priority queue policed to 33%
  priority percent 33
 class Call-Signaling
  ! Allocate 5% of bandwidth
  bandwidth percent 5
 class Critical-Apps
  bandwidth percent 20
  ! Extend queue size to 96 packets
  queue-limit 96
 class Scavenger
  ! Police to 64 kbps
  police cir 64000
   conform-action transmit
   exceed-action drop
 class class-default
  ! Enable WFQ
  fair-queue
  ! Enable WRED
  random-detect
Policy Application
interface Serial0
 ! Apply the policy in or out
 service-policy output Foo
Troubleshooting
show policy-map [interface]
show interface
show queue <interface>
First In First Out (FIFO)
Packets are transmitted in the order they are processed
No prioritization is provided
Default queuing method on high-speed (>2 Mbps) interfaces
Configurable with the tx-ring-limit interface config command
Priority Queuing (PQ)
Provides four static queues (High, Medium, Normal, Low) which cannot be reconfigured
Higher-priority queues are always emptied before lower-priority queues
Lower-priority queues are at risk of bandwidth starvation
Custom Queuing (CQ)
Rotates through queues using Weighted Round Robin (WRR)
Processes a configurable number of bytes from each queue per turn
Prevents queue starvation but does not provide for delay-sensitive traffic
Weighted Fair Queuing (WFQ)
Queues are dynamically created per flow to ensure fair processing
Statistically drops packets from aggressive flows more often
No support for delay-sensitive traffic
Class-Based WFQ (CBWFQ)
WFQ with administratively configured queues
Each queue is allocated an amount/percentage of bandwidth
No support for delay-sensitive traffic
Low Latency Queuing (LLQ)
CBWFQ with the addition of a policed strict-priority queue
Highly configurable while still supporting delay-sensitive traffic
[Figure: WFQ: Flow 1, Flow 2, Flow ... feeding the hardware queue]
[Figure: CQ: Queue A 500 B/cycle, Queue B 4500 B/cycle, Queue C 1500 B/cycle feeding the hardware queue]
[Figure: CBWFQ: Queue A 512 Kbps Min, Queue B 1024 Kbps Min, Default Remainder feeding the hardware queue]
[Figure: LLQ: Queue A 512 Kbps Min, Queue B 1024 Kbps Min, Default Remainder, Priority 512 Kbps Max feeding the hardware queue]
show mls qos
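The starvation-versus-fairness contrast between PQ and CQ described above, as an added example that is not part of the original cheat sheet: a toy Python scheduler that drains the same three backlogs once under strict priority and once under byte-count Weighted Round Robin. The queue names, the uniform 500-byte packets and the per-cycle byte counts (500/4500/1500 B, mirroring the CQ figure) are constructed for the simulation.

```python
# Added example (not from the packetlife cheat sheet): contrast strict
# Priority Queuing with Custom Queuing's byte-count Weighted Round Robin.
# Queue names, packet sizes and per-cycle byte counts are constructed.
from collections import deque

PACKET_SIZE = 500  # bytes; constructed sample traffic, every packet the same size


def make_queues(packets_per_queue: int, names=("A", "B", "C")) -> dict:
    """Build one backlog per queue; each holds packets_per_queue packets."""
    return {q: deque([PACKET_SIZE] * packets_per_queue) for q in names}


def priority_schedule(queues: dict, order: tuple, budget_bytes: int) -> dict:
    """Strict PQ: always send from the highest-priority non-empty queue.
    Lower queues transmit only while every higher queue is empty."""
    sent = {q: 0 for q in queues}
    while budget_bytes > 0:
        ready = [q for q in order if queues[q]]
        if not ready:
            break
        pkt = queues[ready[0]].popleft()
        sent[ready[0]] += pkt
        budget_bytes -= pkt
    return sent


def custom_queue_schedule(queues: dict, byte_counts: dict, budget_bytes: int) -> dict:
    """CQ / WRR: visit each queue in turn and send until its per-cycle byte
    count is used up. A packet that starts within the allowance goes out
    whole, so a queue may slightly overrun its count (as IOS CQ does)."""
    sent = {q: 0 for q in queues}
    while budget_bytes > 0 and any(queues.values()):
        for q, allowance in byte_counts.items():
            served = 0
            while queues[q] and served < allowance and budget_bytes > 0:
                pkt = queues[q].popleft()
                served += pkt
                sent[q] += pkt
                budget_bytes -= pkt
    return sent


def share(sent: dict) -> dict:
    """Fraction of transmitted bytes each queue obtained."""
    total = sum(sent.values())
    return {q: round(b / total, 3) for q, b in sent.items()} if total else sent


if __name__ == "__main__":
    budget = 12_000  # bytes the link can carry in the simulated interval
    pq = priority_schedule(make_queues(20), ("A", "B", "C"), budget)
    cq = custom_queue_schedule(make_queues(20), {"A": 500, "B": 4500, "C": 1500}, budget)
    print("PQ:", pq, share(pq))  # queue C never transmits
    print("CQ:", cq, share(cq))  # every queue gets a turn each cycle
```

With a 12,000-byte budget and 20 packets waiting in each queue, PQ hands queue A everything it has and queue C nothing, which is the bandwidth starvation the PQ notes warn about; CQ gives each queue roughly its configured proportion instead, at the cost of offering no bounded delay to any of them.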
packetlife.net
by Jeremy Stretch v2.0
VLANS
VLAN Creation
Switch(config)# vlan 100
Switch(config-vlan)# name Engineering
VLAN Numbers
0 Reserved
1 default
1002 fddi-default
1003 tr
Terminology
Trunking
Carrying multiple VLANs over the same
physical connection
Access VLAN
The VLAN to which an access port is assigned
Voice VLAN
If configured, enables minimal trunking to
support voice traffic in addition to data traffic
on an access port
Troubleshooting
show vlan
show interface [status | switchport]
show interface trunk
show vtp status
show vtp password
Access Port Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 150
Trunk Port Configuration
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,20-30
Switch(config-if)# switchport trunk native vlan 10
Trunk Types (Trunk Encapsulation)
                ISL         802.1Q
Header Size     26 bytes    4 bytes
Trailer Size    4 bytes     N/A
Standard        Cisco       IEEE
Maximum VLANs   1000        4094
VLAN Numbers (continued)
1004 fdnet
1005 trnet
1006-4094 Extended
4095 Reserved
Native VLAN
By default, frames in this VLAN are untagged
when sent across a trunk
Dynamic Trunking Protocol (DTP)
Can be used to automatically establish trunks
between capable ports (insecure)
Switched Virtual Interface (SVI)
A virtual interface which provides a routed
gateway into and out of a VLAN
SVI Configuration
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
Frame Formats (field sizes in bytes)
ISL:      ISL Header (26) | Dest MAC (6) | Source MAC (6) | Type (2) | ... | ISL FCS (4)
802.1Q:   Dest MAC (6) | Source MAC (6) | 802.1Q Tag (4) | Type (2) | ...
Untagged: Dest MAC | Source MAC | Type | ...
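The 802.1Q and untagged layouts shown above, as an added example that is not from the cheat sheet: a small Python module that parses a frame, reports whether it carries a tag (an untagged frame on a trunk belongs to the native VLAN), inserts a tag the way a trunk port does on egress, and strips it the way an access port does. All frames and MAC addresses in it are constructed samples; the assumption that VLAN IDs 0 and 4095 are rejected follows the VLAN Numbers table.

```python
# Added example (not from the packetlife cheat sheet): parse, tag and untag
# Ethernet frames using the 802.1Q layout (Dest MAC 6 | Source MAC 6 |
# 802.1Q tag 4 | Type 2). All frames below are constructed samples.
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return header fields; 'vlan' is None for an untagged (native VLAN) frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(vlan=tci & 0x0FFF,        # 12-bit VLAN ID
                    pcp=tci >> 13,            # 3-bit priority code point
                    dei=(tci >> 12) & 1,      # drop eligible indicator
                    ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a trunk port does on egress."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does before delivering to a host."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: broadcast IPv4 frame with a dummy 4-byte payload
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00\x00\x14")
TAGGED = add_tag(UNTAGGED, vid=100, pcp=5)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(parse_frame(TAGGED))
    assert strip_tag(TAGGED) == UNTAGGED
```

Because the tag sits between the source MAC and the Type field, a parser that reads the Type at offset 12 without checking for 0x8100 first will misread a tagged frame; that is exactly the field order the 802.1Q diagram shows and the reason the module tests the TPID before anything else.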
Switch Port Modes
trunk
Forms an unconditional trunk
dynamic desirable
Attempts to negotiate a trunk with the far end
dynamic auto
Forms a trunk only if requested by the far end
access
Will never form a trunk
VLAN Trunking Protocol (VTP)
Domain
Common to all switches participating in VTP
Server Mode
Generates and propagates VTP advertisements to clients;
default mode on unconfigured switches
Client Mode
Receives and forwards advertisements from servers; VLANs
cannot be manually configured on switches in client mode
Transparent Mode
Forwards advertisements but does not participate in VTP;
VLANs must be configured manually
Pruning
VLANs not having any access ports on an end switch are
removed from the trunk to reduce flooded traffic
VTP Configuration
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp domain <name>
Switch(config)# vtp password <password>
Switch(config)# vtp version {1 | 2}
Switch(config)# vtp pruning
PHYSICAL TERMINATIONS packetlife.net
Optical Terminations
ST (Straight Tip)
SC (Subscriber Connector)
LC (Local Connector)
MT-RJ
Wireless Antennas
RP-TNC
RP-SMA
Copper Terminations
RJ-45
RJ-11
RJ-21 (25-pair)
DE-9 (Female)
DB-25 (Male)
DB-60 (Male)
GBICs
1000Base-SX/LX
1000Base-T
Cisco GigaStack
1000Base-SX/LX SFP
1000Base-T SFP
X2 (10Gig)
by Jeremy Stretch v1.1
STP (802.1d) vs Rapid STP (802.1w)

BPDU generation
STP:  In a stable topology only the root sends BPDUs; the other bridges relay them.
RSTP: In a stable topology all bridges generate a BPDU every Hello (2 sec); this is used as a keepalive mechanism.

Port states
STP:  Disabled, Blocking, Listening, Learning, Forwarding
RSTP: Discarding (replaces Disabled, Blocking and Listening), Learning, Forwarding
To avoid flapping, it takes 3 seconds for a port to migrate from one protocol to the other (STP / RSTP) in a mixed segment.

Port roles
STP:  Root (Forwarding), Designated (Forwarding), Non-Designated (Blocking)
RSTP: Root (Forwarding), Designated (Forwarding), Alternate (Discarding), Backup (Discarding)
STP:  Additional configuration is needed to make an end-node port a port fast port (in case a BPDU is received).
RSTP: An edge port (end-node port) is an integrated link type, which depends on the duplex: point-to-point for full duplex and shared for half duplex.

Topology changes and convergence
STP:  Uses timers for convergence (advertised by the root): Hello (2 sec), Max Age (20 sec = 10 missed hellos), Forward Delay (15 sec).
RSTP: Introduces a proposal and agreement process for synchronization (< 1 sec). The Hello, Max Age and Forward Delay timers are used only for backward compatibility with standard STP; only an RSTP port receiving STP (802.1d) messages behaves as standard STP.

STP:  Slow transition (50 sec): Blocking (20s) => Listening (15s) => Learning (15s) => Forwarding
RSTP: Faster transition on point-to-point and edge ports only: fewer states (no Listening state); it does not wait to be informed by others but instead actively looks for possible failures using RLQ (Request Link Query), a feedback mechanism.

BPDU flag octet
STP:  Uses only 2 bits of the flag octet: Bit 7: Topology Change Acknowledgment; Bit 0: Topology Change.
RSTP: Uses the other 6 bits of the flag octet (BPDU type 2 / version 2): Bit 1: Proposal; Bits 2, 3: Port role; Bit 4: Learning; Bit 5: Forwarding; Bit 6: Agreement; Bits 0, 7: TCA & TCN for backward compatibility.

Topology change notification
STP:  The bridge that discovers a change in the network informs the root, which in turn informs all others by sending BPDUs with the TCA bit set and instructs them to clear their DB entries after a short timer (~Forward Delay) expires.
RSTP: The TC is flooded through the network: every bridge generates a TC (Topology Change) and informs its neighbors as soon as it becomes aware of a topology change, and immediately deletes old DB entries.

Root failure detection
STP:  If a non-root bridge does not receive a Hello for 10*Hello (advertised from the root), it starts claiming the root role by generating its own Hello.
RSTP: Waits for 3*Hello on a root port (advertised from the root) before deciding to act.

MAC database flush
STP:  Waits until the TC reaches the root and a short timer (~Forward Delay) expires, then flushes all DB entries.
RSTP: Deletes the local DB immediately, except the MAC addresses learned on the port receiving the topology change (proposal).
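The flag-octet layouts listed above for the two protocols, as an added example that is not part of the original comparison: a Python decoder that interprets a BPDU flag byte as either 802.1d (only bits 0 and 7 meaningful) or 802.1w (all eight bits), plus the matching encoder for building test BPDUs. The port-role code values (0 unknown, 1 alternate/backup, 2 root, 3 designated) come from IEEE 802.1w rather than from the page; the sample flag bytes are constructed.

```python
# Added example (not from the cheat sheet): decode the BPDU flag octet for
# STP (version 0) and RSTP (version 2) using the bit layout listed above.
# The port-role encoding is taken from IEEE 802.1w; sample values are constructed.
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def decode_flags(flags: int, version: int) -> dict:
    """version 0 = STP (802.1d): only bit 0 (TC) and bit 7 (TCA) carry meaning.
    version 2 = RSTP (802.1w): bits 1-6 add proposal, role, state and agreement."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("flag octet must be one byte")
    out = {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}
    if version == 0:
        # An 802.1d bridge ignores bits 1-6; record whether the sender set
        # them anyway (e.g. an RSTP bridge still talking on a legacy segment).
        out["unused_bits_set"] = bool(flags & 0x7E)
        return out
    if version != 2:
        raise ValueError("only STP (0) and RSTP (2) BPDU versions are handled")
    out.update({
        "proposal": bool(flags & 0x02),
        "port_role": PORT_ROLES[(flags >> 2) & 0x03],   # bits 2 and 3
        "learning": bool(flags & 0x10),
        "forwarding": bool(flags & 0x20),
        "agreement": bool(flags & 0x40),
    })
    return out


def encode_rstp_flags(role: str, *, tc=False, proposal=False, learning=False,
                      forwarding=False, agreement=False, tca=False) -> int:
    """Inverse of decode_flags for version 2; handy for building test BPDUs."""
    role_code = {name: code for code, name in PORT_ROLES.items()}[role]
    return ((int(tc) << 0) | (int(proposal) << 1) | (role_code << 2)
            | (int(learning) << 4) | (int(forwarding) << 5)
            | (int(agreement) << 6) | (int(tca) << 7))


if __name__ == "__main__":
    # Constructed samples: a legacy TCN acknowledgement and an RSTP
    # designated port that is learning, forwarding and agreeing.
    print(decode_flags(0x81, version=0))
    print(decode_flags(0x7C, version=2))
    print(hex(encode_rstp_flags("root", tc=True, proposal=True)))
```

Decoding the same byte under both versions shows why the page says an RSTP port receiving 802.1d BPDUs must fall back: the bits 802.1w uses for proposal and agreement are undefined to a legacy bridge, so a monitoring tool should pick the interpretation from the BPDU version field rather than from the flag value alone.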

COMMON PORTS packetlife.net
TCP/UDP Port Numbers
7 Echo
19 Chargen
20-21 FTP
22 SSH/SCP
23 Telnet
25 SMTP
42 WINS Replication
43 WHOIS
49 TACACS
53 DNS
67-68 DHCP/BOOTP
69 TFTP
70 Gopher
79 Finger
80 HTTP
88 Kerberos
102 MS Exchange
110 POP3
113 Ident
119 NNTP (Usenet)
123 NTP
135 Microsoft RPC
137-139 NetBIOS
143 IMAP4
161-162 SNMP
177 XDMCP
179 BGP
201 AppleTalk
264 BGMP
318 TSP
381-383 HP Openview
389 LDAP
411-412 Direct Connect
443 HTTP over SSL
445 Microsoft DS
464 Kerberos
465 SMTP over SSL
497 Retrospect
500 ISAKMP
512 rexec
513 rlogin
514 syslog
515 LPD/LPR
520 RIP
521 RIPng (IPv6)
540 UUCP
554 RTSP
546-547 DHCPv6
560 rmonitor
563 NNTP over SSL
587 SMTP
591 FileMaker
593 Microsoft DCOM
631 Internet Printing
636 LDAP over SSL
639 MSDP (PIM)
646 LDP (MPLS)
691 MS Exchange
860 iSCSI
873 rsync
902 VMware Server
989-990 FTP over SSL
993 IMAP4 over SSL
995 POP3 over SSL
1025 Microsoft RPC
1026-1029 Windows Messenger
1080 SOCKS Proxy
1080 MyDoom
1194 OpenVPN
1214 Kazaa
1241 Nessus
1311 Dell OpenManage
1337 WASTE
1433-1434 Microsoft SQL
1512 WINS
1589 Cisco VQP
1701 L2TP
1723 MS PPTP
1725 Steam
1741 CiscoWorks 2000
1755 MS Media Server
1812-1813 RADIUS
1863 MSN
1985 Cisco HSRP
2000 Cisco SCCP
2002 Cisco ACS
2049 NFS
2082-2083 cPanel
2100 Oracle XDB
2222 DirectAdmin
2302 Halo
2483-2484 Oracle DB
2745 Bagle.H
2967 Symantec AV
3050 Interbase DB
3074 XBOX Live
3124 HTTP Proxy
3127 MyDoom
3128 HTTP Proxy
3222 GLBP
3260 iSCSI Target
3306 MySQL
3389 Terminal Server
3689 iTunes
3690 Subversion
3724 World of Warcraft
3784-3785 Ventrilo
4333 mSQL
4444 Blaster
4664 Google Desktop
4672 eMule
4899 Radmin
5000 UPnP
5001 Slingbox
5001 iperf
5004-5005 RTP
5050 Yahoo! Messenger
5060 SIP
5190 AIM/ICQ
5222-5223 XMPP/Jabber
5432 PostgreSQL
5500 VNC Server
5554 Sasser
5631-5632 pcAnywhere
5800 VNC over HTTP
5900+ VNC Server
6000-6001 X11
6112 Battle.net
6129 DameWare
6257 WinMX
6346-6347 Gnutella
6500 GameSpy Arcade
6566 SANE
6588 AnalogX
6665-6669 IRC
6679/6697 IRC over SSL
6699 Napster
6881-6999 BitTorrent
6891-6901 Windows Live
6970 Quicktime
7212 GhostSurf
7648-7649 CU-SeeMe
8000 Internet Radio
8080 HTTP Proxy
8086-8087 Kaspersky AV
8118 Privoxy
8200 VMware Server
8500 Adobe ColdFusion
8767 TeamSpeak
8866 Bagle.B
9100 HP JetDirect
9101-9103 Bacula
9119 MXit
9800 WebDAV
9898 Dabber
9988 Rbot/Spybot
9999 Urchin
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
19226 AdminSecure
19638 Ensim
20000 Usermin
24800 Synergy
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
31337 Back Orifice
33434+ traceroute
Legend
Chat
Encrypted
Gaming
Malicious
Peer to Peer
Streaming
IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch v1.1
