symptoms:
new users can't recieve external emails
When you attempt to telnet to the edge server and send an email to a new user the server will respond that it doesn't know who that user is or something similar
causes:
the edge sync subscription has stopped working
this can be due to different patch levels or update rollups on the hub and edge servers
you need to have your exchange servers on the same patch levels
How to confirm:
1. Run Adsiedit.msc
2. Navigate to Configuration->Services->Microsoft Exchange->Organization Name->Administrative Group->Exchange Administrative Groups->Servers->Edge Server Name
3. Right click the Edge Server and click Properties
4. Locate the msExchEdgeSyncCredential property. Does this have a value set? It will probably show as not set.
solution:
re-create the edge sync subscription
preperation:
Do a full backup on all exch servers if you can.
You must backup all exch databases
You must backup system state on all servers
You must back up how your send connectors are configured (screenshots)
implementation:
On the EdgeServer start up the Exchange Management Shell and type:
New-EdgeSubscription -file “c:\subscription.xml”
Browse to the root of C:\ and copy the subscription.xml file to your hub server. This can be tricky sometimes due to the Edge being located on a DMZ or inaccessible network. I used a USB key to move it between both servers.
On your Hub server open up Exchange System Manager and add the new subscription:
Organization Configuration> Hub Transport> Create New Edge Subscription.
Browse to your subscription.xml file and then click New. Make sure that your subscription is set to the correct site. It will choose Default site as default, so don’t just click next, double check that it is being subscribed to the same site as your Hub server.
NOTE - You do not need to remove the existing Edge Subscription. The new subscription will simply overwrite the existing one as it is for the same servers.
We now need to replicate Active Directory information and synchronize the Edge and the Hub server.
In Exchange Management Shell on your Hub servers and run the following command:
Start-EdgeSynchronization
Hopefully this completes successfully and you should now have a working Edge Sync.
To verify that it is all working as it should, run on your Hub server:
Test-EdgeSynchronization and you should receive a status of succeeded:
Some people have found that re-creating the EdgeSubscription resets your send connectors, but I have not come across this. The settings within the Send Connector and SPAM setting etc, will stay the same as we have not removed the existing Edge Subscription, we have just overwritten attributes within it. Just in case though, verify your Send Connectors with the settings you recorded at the start of the EdgeSubscription process.
Tuesday, 28 August 2012
Monday, 27 August 2012
how to check the mx record with nslookup
Open a Command Prompt
nslookup
Server (The DNS server that you want to use. This is optional.)
Set q=mx (This sets the query type to "MX" {Mail Exchanger}.)
domain.com (The domain name you want to lookup the mail exchanger to.)
This operation can be done on Windows XP, Windows Server 2003, and Windows Vista. There are similar options if you are doing this from Linux.
Open up a terminal
nslookup
Set type=mx (This sets the query type to "MX" {Mail Exchanger}.)
domain.com (The domain name you want to lookup the mail exchanger to.)
nslookup
Server (The DNS server that you want to use. This is optional.)
Set q=mx (This sets the query type to "MX" {Mail Exchanger}.)
domain.com (The domain name you want to lookup the mail exchanger to.)
This operation can be done on Windows XP, Windows Server 2003, and Windows Vista. There are similar options if you are doing this from Linux.
Open up a terminal
nslookup
Set type=mx (This sets the query type to "MX" {Mail Exchanger}.)
domain.com (The domain name you want to lookup the mail exchanger to.)
view email headers in outlook 2010
Double click to open the email, click file -> info -> Properties
Copy the header and paste into www.mxtoolbox.com
Copy the header and paste into www.mxtoolbox.com
Friday, 24 August 2012
CCNA Studies
The OSI Model
7 Application
Below occurs on the network
4 Transport
Example of OSI model
Lets take an example where a PC (10.0.0.3) wants to view a website www.jack.com with internet explorer. The website is hosted on the internet on a web server (200.0.0.50) running apache.
TCP/IP
OSI and TCP/IP were competing protocol. TCP/IP won but OSI is used to describe how networking works. TCP/IP is a suite of protocols.
7 Application layer
6 ===========
5 ===========
4 Transport Layer
3 Internet layer
2 Network Interface Layer
1 ===========
Remember the two address concept
IP addresses are layer 3
MAC Addresses are layer 2
The source and destination IP addresses always remain the same, but the source and destination mac addresses constantly change as the packet makes it way through the network.
TCP and UDP
TCP/UDP are selected and operate at layer 4.
TCP
After the handshake is complete sequence numbers are used to maintain communication
A (Seq10 ->) Here is seq 10
B (<- Seq 5 Ack 11) I got 10 and I'm waiting for 11, here is seq 5
A (Seq 11 Ack 6) I got 5, I'm read for 6, here is seq 11
TCP windowing
Increases and reduces the amount of data sent based on how reliable the connection is. Known as sliding window. You don't have to ack every single packet so network performance is faster.
Port numbers
When a client wants to reach a web server it needs to select source and destination ports. The source port is randomly generated. The destination port is selected based on the protocol we are using. Also a custom port can be defined by the user.
Client 172.30.0.10:4444 -> Webserver 200.200.200.10:80
On windows run
netstat -ano
This will show ports we are listening on and servers/ports that we are connected to. It will also list which process ID that owns that connection.
To get more information on PID 1234 run
tasklist /FI "PID eq 1234"
Port numbers 0 - 1023 are reserved for well known services
TCP and UDP have their own separate set of port numbers. Port 400 on TCP and port 400 on UDP are different.
Some common port numbers you should know
TCP - 21 - FTP
TCP - 22 - SSH
TCP - 23 - Telnet
TCP - 25 - SMTP (email)
TCP - 53 - DNS (DNS servers used when they send records to each other)
TCP - 80 - HTTP
TCP - 110 - POP (email)
TCP - 443 - HTTPS
UDP - 53 - DNS Client (Client wants to lookup www.google.com's IP address)
UDP - 69 - TFTP
Full list here:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Layer 2 communication
Host A 192.168.0.10 255.255.255.0 wants to reach
Host B 192.168.0.50 255.255.255.0
From the subnet mask Host A knows the network is the first 3 octets. The network is 192.168.0.X. Host A compares it's network to Host B's network. Host A is on the same network as host B. So host A can arp for host B's MAC address. Host A sends an arp, which is a broadcast message which everyone on the local network get's. What is the MAC address of 192.168.0.50. Host B gets this arp and replies with its MAC address. Host A starts sending out its data which will have the source and destination IP and MAC addresses.
Layer 3 communication
Host A 192.168.0.10 255.255.255.0
Host B 172.30.0.50 255.255.255.0
Networks are compared and are found not to be the same. Arp will not work because routers block arps. The message will be sent to the default gateway. We hope the router will known how to get there.
Source IP: 192.168.0.10 255.255.255.0
Destination IP: 172.30.0.50 255.255.255.0
Source MAC: HO:ST:AS:MA:CA:DD
Destination MAC: DE:FA:UL:TG:WA:YY
The router looks at the the destination IP address. It see's the packet is bound for another destination IP. The route will sent the packet on depending routes, its own default route etc. The packet will be sent on with the source and destination mac addresses constantly changing but the source and destination IP addresses remaining the same.
On a side note MAC addresses only exist in ethernet. When we move out side the LAN other technologies take over but the principle remains the same.
Ethernet
CSMA/CD
Carrier: The network signal
Sense: The ability to detect
Multiple Access: All devices have equal access
Collision: What happens if two devices send at once
Detection: how the computers handle collisions when they happen
MAC addresses
XX:XX:XX:YY:YY:YY
X's are assigned to organisations
Y's are assigned by that organisation
You can often look up what a devices is based on its mac address
Cables
Cat5 unshielded twisted pair is the most popular cable in networking
Max distance: 100 Meters
Connection: RJ-45
Cat6 isn't that common so some older devices may have issues with it.
Multi-mode fibre (cheaper, easier to work with)
Max Distance: 275 meters to a few miles
Connection: Varies based on your equipment
Single-mode fibre (more expensive, harder to work with, connectors are more expensive)
Max distance: mile to many miles
Connection: Varies based on your equipment
T568-A
Green stripe
Green
Orange stripe
Blue
Blue stripe
Orange
Brown stripe
Brown
T568-B (this is the most popular)
Orange stripe
Orange
Green stripe
Blue
Blue stripe
Green
Brown stripe
Brown
T568A + T568A = straight through cable (100 meters)
T568B + T568B = straight through cable (100 meters)
T568A + T568B = Crossover cable (100 meters)
Unlike devices use straight through
PC <-> Switch
Router <-> Switch
Like devices use crossover cable
Router <-> Router
Switch <-> Switch
PC <-> PC
You need a crossover cable to connect a PC <-> Router
LAN Switches
The issues with CSMA/CD and crap hubs
What is a hub ?
A hub just re-transmits signals
If a message comes in one port it gets sent out all the other ports
In a hub it doesn't matter if its unicast, broadcast or multicast, it will be sent out every port
Every message is broadcast
For this reason hubs have 1 collision domain and 1 broadcast domain also.
Whats a collision domain ?
In basic terms a collision domain is how many devices can send or receive at the same time
Whats a broadcast domain ?
A broadcast domain is how far a message will travel before it stops. On a hub its all ports so it just has 1 broad cast domain.
On a hub only one device can send/receive at one time and its messages will be sent out every port. This is the problem with hubs. The more PCs we add on, the more broadcasts, and the network will get slow.
To fix the problem they invented bridges which learned the MAC addresses on each side of the bridge. The bridge could spit 2 or more hubs into 2 or more broadcast domains. It would only let traffic across the bridge that needed to get to the other side. Everything else was dropped. Bridges were slow at learning MAC addresses because it was done in software.
Enter the switch
Each port on a switch is a collision domain. All PC's can transmit at the same time without issue.
Full duplex communication. Devices can send and receive at the same time.
By using all switches you won't have any collisions.
Switches are fast at learning MAC addresses because they have ASIC's (hardware chips that do the job much faster.)
Hubs/Bridges should be in the bin by now.
Hubs were replaced by switches
Bridges were replaced by and routers.
How a switch ... switches
When the switch powers up the the CAM table (mac address table is empty)
Remember PCs and other devices are quite chatty so will send in some packets
When it gets a packet from a MAC address on a port it remembers that MAC is on that port.
Lets say we have the following setup
PC A : AA:AA:AA:AA:AA:AA on port 1
PC B: BB:BB:BB:BB:BB:BB on port 2
PC A wants to send to PC B
PC A sends an arp to the switch looking for PC B's MAC address
Switch learns that PC A is on port 1
PC B responds to the arp
Switch learns that PC B is on port 2
This process continues until the switch knows what is connected to all ports. Only takes seconds.
Cisco IOS
User EXEC
RouterX>enable
Privileged EXEC
RouterX# conf t
Global config
RouterX(config)#
Ctrl + Z brings you back to privileged exec
exit brings you back one level
? gives context sensitive help
show ?
show r?
interfaces are off by default you need to do a no shutdown
Basic Switch config
enable
conf t
hostname SWITCH1
interface vlan 1
ip address 172.30.0.100 255.255.255.0
no shut
exit
ip default-gateway 172.30.0.1
exit
copy run start
exit
exit
Setting passwords on switches
enable
conf t
enable password cisco
enable secret cisco1
line con 0
password cisco
login
exit
line vty 0 4
login
exit
service password-encryption
copy run start
Some older devices don't have the enable secret command. So on new devices you don't need the enable password. You should always use enable secret on new devices. Always keep the enable password and the enable secret to different passwords.
Setting a Banner
enable
conf t
banner motd @ Here is my banner message @
exit
copy run start
Enabling SSH
enable
conf t
ip domain-name mydomain.com
crypto key generate rsa
[enter]
1024
[enter]
ip ssh version 2
line vty 0 4
transport input ssh
exit
exit
username jack password sshpassword
copy run start
Port security
en
conf t
interface fastEthernet 0/5
switchport mode access
This hard codes the port for access, meaning it should be connected to a PC/Server/Router but not another switch
switchport port-security
Now we have set it as an access port we can enable security
Maximum - Sets the max number of devices allowed to connect to this port
Violation - Lets us set what to do when the policy is violated (default is shutdown)
Mac-address - set the MAC address that is allowed to use this port
Useful show commands
sh ip int brief - shows ip config on interfaces
sh mac address-table - shows the mac address table
sh port security interface fastEthernet 0/5 - shows the port security settings for an interface
sh ip protcols - shows the routing protocols
sh ip nat translations - shows the nat translations
show controllers serial 0/0 - shows the clock rate and DCE/DTE
sh int status - shows speed and duplex, good for spotting speed/duplex issues
Configuring a range of ports at once
int range fastEthernet 0/2 - 23
The following commands will be applied to all of those ports
Configuring speed and duplex
By default the speed and duplex are set to auto. It will auto detect the speed & duplex and use that. However it doesn't always work well on old switches and old/new network cards. Auto is improved in newer devices. You can leave auto for desktops because we don't care. Servers/switches routers and WAN links etc should all be hard coded.
Changing speed and duplex brings the interface down and back up, but its probably not working well if you have to make these changes.
en
conf t
interface fastEthernet 0/5
speed 100
duplex full
Spanning tree intro
Switches will forward broadcasts out all ports by design
However redundant connections are required in businesses
We don't want that to cause a network loop.
Another common cause of a network loop is when a user plugs the network cable from an access port back into another access port causing a loop.
Spanning tree block redundant links until they are needed.
It is a protocol designed for this.
At ICDN1 level we just need to know what it is and what it does.
In ICDN2 you need to know much more about how it works.
Wireless channels
You want to use
1 6 11
and repeat that
802.11b max data rate is 11Mbps
Router config
enable
conf t
hostname Router1
banner motd @ banner text @
line con 0
password cisco
login
exit
line vty 0 4
password cisco
login
exit
enable secret cisco1
exit
interface gigabitEthernet 0/0
description Internet connection
ip address 200.200.200.1 255.255.255.224
no shut
exit
copy run start
Enabling the SDM
enable
conf t
ip domain-name mydomain.com
crypto key generate rsa
[enter]
1024
[enter]
ip http server (80)
ip http secure-server (443)
username SDMuser privilege 15 secret cisco
ip http authentication local
line vty 0 4
login local
exit
copy run start
Browse to the IP address of the router https://172.30.0.1, install the SDM app from there.
Static routing
show ip route
conf t
ip route 192.168.1.0 255.255.255.0 192.168.2.2
To get to 192.168.1.0 network, next hop is 192.168.2.2
Setting the default route
conf t
ip route 0.0.0.0 0.0.0.0 200.200.200.10
If we don't match one of our static routes then send packets destined for every other network to the next hop our ISP (the internet)
Set the DNS server
ip name-server 8.8.8.8
exit
ping www.google.ie
Routing protocols
Allow routers to build paths automatically. Routing protocols basically routers tell their neighbours what they know.
Types of routing protocols
Distance Vector:
enable
show ip route
conf t
router RIP
version 2
no auto-summary
network 192.168.1.0
network 192.168.2.0
Turning on IGRP
enable
conf t
router igrp 1000 ( <- that is an AS number)
network 192.168.1.0
network 192.168.2.0
Turning on NAT/PAT
enable
conf t
access-list 1 remark PAT_ACL category=2
access-list 1 permit 192.168.1.0 0.0.0.255
interface vlan 1
ip nat inside
exit
interface fastEthernet 4
ip nat outside
exit
ip nat inside source list 1 interface fasterEthernet 4 overload
I would like to NAT from the inside of my network which I have designated the source address in access list 1, I want to nat those addresses to fastEthernet 4 and overload which means (PAT)
WAN connections
WAN links connect our offices which maybe across the city, country and world
Some examples of WAN connection
Layer 2 Datalink: Frame relay, ATM, PPP, HDLC
Price and speed will be the two things we look at when creating WAN connections.
A lot of companies use VPN connections instead of WAN connections now because VPNs are cheap.
Leased lines: dedicated bandwidth (most expensive)
T1 CAS
E1 CAS
Circuit switched: on demand bandwidth (cheapest but slowest)
dial up model
ISDN
Packet Switched: shared but guaranteed bandwidth between locations (current favourite)
frame relay
ATM
Price you pay is based on what your are guaranteed for.
HDLC High-level data link control
Cisco propriety
Very simple to setup, just plug cables into serial port
PPP point to point protocol
The alternative to HDLC
DCE (connecting/clocking) is always the service provider
DTE (terminating)is always connected to us
Configuring PPP/HDLC
enable
conf t
int serial 0/0
encapsulation ppp
exit
copy run start
List and disconnect users
sh users (shows users connected with the line number)
sh line (shows all line numbers of all connections)
clear line 10 (disconnects the session on line 10)
CDP
CDP is cisco proprietary, tells you lots of information, IP, what type of device etc.
show cdp neighbors - shows devices
show cdp entry R3 - shows more information on R3
show cdp entry * - shows more information on all neighbors
conf t
int fastEtnernet 0/4
no cdp enable -turns off CDP on a specific interface, other interfaces still send out CDP
conf t
no cdp run - turn of CDP on all interfaces, turns off the whole protocol
Sub-netting
Default network masks:
Class A: 1 - 126, 8 network bits, 24 host bits (255.0.0.0)
Class B: 128 - 191, 16 network bits, 16 host bits (255.255.0.0)
Class C: 192 - 223, 24 network bits, 8 host bits (255.255.255.0)
Sub-netting is the process of borrowing host bits.
Determining the number of valid hosts
Valid hosts = (2^ number of host bits) - 2
We subtract 2 because one address is always used for the network address and the other is used for the broadcast address.
How many valid host addresses are on 150.50.50.0 /24
150 = Class B = 255.255.0.0 (/16)
Default mask = 11111111 . 11111111 . 00000000 . 00000000
Subnet mask = 11111111 . 11111111 . 11111111 . 00000000
We can see there are 8 host bits used. (2^8) -2
2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
So 256 - 2 = 254
Determining the subnet number of a given IP address
Lets take 178.56.21.9 /24
Convert the IP and subnet mask to binary
Perform a boolean AND opertaion. Basically if there are two 1's its 1, any other combination its 0.
Convert the result back to decimal.
178.56.21.9 = 10110010 . 00111000 . 00010101 . 00001001
subnet mask = 11111111 . 11111111 . 11111111 . 00000000
result of and = 10110010 . 00111000 . 00010101 . 00000000
Answer = 178.56.21.0
Subnet is /24 or 255.255.255.0
Lets take a harder one 200.154.150.89 /27
200.154.150.89 = 11001000 . 10011010 . 10010110 . 01011001
subnet /27 = 11111111 . 11111111 . 11111111 . 11100000
bolean and result =11001000 . 10011010 . 10010110 . 01000000
Answer = 200.154.150.64
subnet is /27 or 255.255.255.224
Determining the valid range of host addresses for a given subnet
Lets take the network we worked out above 200.154.150.64 /27
Convert IP and mask to binary
200.154.150.64 = 11001000 . 1011010 . 10010110 . 01000000
subnet is 27 = 11111111 . 1111111 . 11111111 . 11100000
bolean and result = 11001000 . 1011010 . 10010110 . 01000000
First address is all host bits set to 0
network address is not valid for hosts = 11001000 . 1011010 . 10010110 . 01000000
Network ID = 200.154.150.64
Last address in the range is all hosts bits set to 1
broadcast address is not valid for hosts = 11001000 . 1011010 . 10010110 . 01011111
Broadcast address = 200.154.150.95
Valid range of usable addresses is everything in between
200.154.150.65 - 200.154.150.94
The number of network bits is 27 this leaves 5 host bits
Remember number of valid hosts = (2^ number of host bits) - 2
2^5 = 32
32-2 (Network and broadcast) = 30
Your network is /20 how many valid hosts are allowed on this subnet ?
We know there are 20 network bits
That leaves 12 host bits (32 - 20 = 12)
2^12 = 4096
Number of valid hosts is 4096 - 2 (for broadcast and network ID)
Answer = 4094
Are we reserving space for networks or for hosts ?
Given an IP and subnet mask
192.168.1.127
255.255.255.224
You may be given the subnet mask in slash notation
192.168.1.127 /27
Can be useful to write these tables out for to help when converting
128 192 224 240 248 252 254 255
128 64 32 16 8 4 2 1
Convert 224 to binary = 11100000
Increment is lowest network bit = 32
Start writing the ranges
0 - 31
32 - 63
64 - 95
96 - 127
128
We can see 127 is a broadcast address and is not valid to be assigned to a host.
The type of questions you could be asked
Is this a valid IP to be assigned to a host ?
We have connectivity issues between two IP's what is the cause (are they on the same subnet) ?
What range is a given IP on ?
Identify all ranges for 200.154.150.64 /27 ?
VLSM variable length subnet mask
When you see the question asking for the most efficient addressing possible it means they want VLSM.
Don't forget about the point to point links
You can change your mask
192.168.1.0 /24
RA 20 users
RB 20 users
RC 60 users
Start with the largest subnet, and work through the next largest until all subnet's are solved.
We want to save the hosts
60 +1 = 61
128 64 32 16 8 4 2 1
0 0 1 1 1 1 0 1
It took 6 bits to get 61
Thats /26
128 192 224 240 248 252 254 255
128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0
or 255.255.255.192
RA 20 users 192.168.1.64 -95 /27
RB 20 users 192.168.1.96 - 127 /27
RC 60 users 192.168.1.0 - 63 /26
But we forgot about the point to point links. Watch out for exam questions asking how many networks do you need to create, don't forget the point to point networks.
2 users
2 host bits
/30
255.255.255.252
increment is 4
192.168.1.0 - 3
192.168.1.4 - 3
You can write all the ranges or skip through
192.168.1.128 - 131
192.168.1.132 - 135
192.168.1.136 - 139
192.168.1.140
RA <-> RC 192.168.1.128 - 131 /30
RC <-> RB 192.168.1.132 - 135 /30
RA <-> RB 192.168.1.136 - 139 /30
So we have completed the whole network now
Network behind each route
RA 20 users 192.168.1.64 -95 /27
RB 20 users 192.168.1.96 - 127 /27
RC 60 users 192.168.1.0 - 63 /26
Point-point networks between the routers
RA <-> RC 192.168.1.128 - 131 /30
RC <-> RB 192.168.1.132 - 135 /30
RA <-> RB 192.168.1.136 - 139 /30
The reason we start with the largest number of users is so there is no waste.
VLSM looks great on paper and in the exam. However in the real world networks grow. Always leave room for growth. Lots of people like to add 50%.
Many people use /30 on P2P links and /24 on the LANs.
Summarization
What is the most appropriate summarization for these routes
10.0.0.0
10.0.1.0
10.0.2.0
10.0.3.0
Convert the largest unique octet to binary and reverse the 1's and 0's.
3 = 00000011
Reverse the 1's and 0's = 11111100
The first two octets must be the same
The third octet must be 11111100
After that we don't care
Subnet mask = 11111111.11111111.11111100.00000000
Summarization route should be 10.0.0.0 /22
_________________________________________________________________________________
Virtual LANS (VLANS)
VLANs logically groups users (ports) together
VLANs segments broadcast domains (Broadcasts on vlan1 only go out ports on vlan1, broadcasts on vlan2 only go out ports on vlan2)
Trunks carry all VLANs and are used for connect VLANs to other switches.
One VLAN = one broadcast domain = one subnet
VLANs can be used for access control
VLANs can be used for QOS. (Split IP phones and desktops onto different LANS)
Remember the noram switch setup
One collision domain per port
Broadcasts go to all ports except the port it was received on
One subnet per LAN
Very limited access controll
Cisco advises 200-500 devices per network before broadcasts start to slow the network down.
Advantages of VLANs
VLANs let us segment users(ports) without routers
We are not limited to physical locations because we can use trunks
Tighter control of broadcasts (VLAN pruning)
Trunking
Trunking allows VLAN to pass multi VLAN information between switches
Trunking is also known as tagging by all other vendors
Places VLAN information into each frame
VLANs operate at layer 2
802.1Q is the industry standard trunking protocol
All vendor switches can pass VLAN information to each other using 802.1Q.
The native VLAN
By default switches are usually configured to use VLAN1. So if you plug in the switch all ports are on VLAN1 and it just works, even if the user has no idea about VLANs.
You can configure it later if you do know about them. When connecting two switches together you must make sure the native VLAN's match. So if native VLAN is 10 on SwtichA it must be the same on SwitchB.
Separation
IP phones, desktops, servers etc are often separated. As mentioned IT admins have their own approaches. A section like business, sales are on their own VLANs. Or floor1 and floor2 are on separate VLANs etc.
VTP (VLAN trunking protocol)
This protocol is not actually for trunking. This is for replicating the VLANs onto all of your switches.
Lets say you have 3 switches, SwitchA, SwitchB, SwitchC
If you create a vlan 500 on SwitchA, VTP will replicate that VLAN 500 onto the other switches.
You still need to configure the ports on those VLANs.
There is a pitfall if someone plugs a switch into your network and its REV number is higher than your switches and it overwrites your VLANs with its VLANs. If a port assigned to the VLAN is removed the port stops working. This usually happens when the switches have the default VTP settings.
VTP mode
Every switch is a server by default
Servers can change the database
Send and receives VTP updates
Saves VLAN configuration
Cannot change VLAN information
sends and receives VTP updates
does not save vlan configuration
Power to change vlan information
forwards VTP updates
does not listen to VTP advertisements
saves VLAN configuration
VLAN pruning
Keeps unnecessary broadcast traffic from crossing trunk links
Only works on VTP servers
Configuring VLANS
See status of VLANs (and interfaces)
sh ip int brief
Enter enable mode
en
Enter global config mode
conf t
Configure and IP address on vlan 1 and bring it up
interface vlan 1
ip address 192.168.1.100 255.255.255.0
no shut
Configure trunk ports
interface fastEthernet0/24
switchport trunk encapsulation dot1q (needed for older devices)
switchport mode trunk
Configure the rest of the ports as access ports (remember dynamic desirable is bad)
interface range fastEthernet 0/1 - 23
switchport mode access
Configuring VTP
sh vtp status
Configure the VTP name
vtp domain MYCORPVTPDOMAIN (it is case sensitive)
Configure the VTP password
vtp password cisco (must be configured on all switches)
Configure the VTP mode
vtp mode server (or set it to client)
Creating a VLAN and give it a name (this should be replicated to all switches)
vlan 20
name business
Remember we still need to assign ports to VLANs for any of these to be really useful
See what VLANs are there
show vlan
There are 5 vlans by default. Vlan1 1002, 1003, 1004 and 1005. The last four are not used anymore but must be on the network device to confirm to a standard.
Assign a port to a VLAN
interface fastEthernet 0/5
switchport mode access
switchport access vlan 20
I can be a good idea to match your IP address 192.168.20.x to your vlan number vlan 20. That way by just looking at the IP address you know what VLAN it is on.
There are 3 methods to route between VLANS
When starting off in the real world you will probably start with a single cheap switch. The important thing is to expand when required, add redundancy as soon as you can afford. Buy the best you can afford.
Etherchannels can provide more bandwidth on key links
Redundancy
Redundancy is good we want that but we need to implement it properly
By default switches forward broadcast packets out all ports (except the one it was received on) by design
We need redundant connections in corporate networks
Spanning tree blocks redundant links until they are needed
Only a router can subtract from the TTL. This is why packets will go around and around in loops on switches.
Spanning tree finds the best link and blocks the other redundant links.
BPDU's discover loops
BPDU's help elect the root bridge (by default it will select the oldest switch)
Cisco switches run spanning tree by default. So you can plug in redundant links and it will work without loops, but it may be inefficient.
BPDU and elections
Root port: used to reach the root bridge
Designated port: forwarding port, one per link
Block/non designated: The redundant link which is blocked
All network devices have a bridge ID
Bridge = Priority. MacADD
By default the priority is 32768 (don't ask why)
A lower priority gives you a better chance of being assigned as the root bridge.
So if everyone has the same priority, the mac address will be used. This is why the oldest switch with the lowest mac address will be selected.
The other switches elect root ports based on cost. The lowest cost to the root bridge is selected.
Root bridge will never have a root port because it is the root bridge.
Mac addresses are also used to decided which side of the link is blocked.
How STP find the best path
Elect the root
Find the lowest cost path to the root
Spanning tree is turned on by default on Cisco switches
It will work out of the box but may make some bad choices if you don't intervene.
show spanning-tree
remember the links will only be block on one end of the connection. The port with the lowest number will be selected.
Forcing a device to be the root bridge
en
conf t
spanning-tree vlan 1 root primary (set secondary for a backup switch)
This command will decrease the priority which will make the device the root
Alternatively manual set the value for the priority
spanning tree vlan 1 priority X ( 0 - 61440 in increments of 4096)
Spanning tree is an old protocol and can take 30-60 seconds to failover redundant links. This is why isn't not used in modern business networks because an outage that long is not acceptable.
Improvements to spanning tree
Original spanning tree
Listening (Listen for BPDU's, send/receive BPDU's - 15 seconds)
Learning (Learn MAC addresses on that port - 15 seconds)
Forwarding (Port is forwarding traffic, light changes from amber to green)
Blocking (Waits 20 seconds to see if a link comes back before going into blocking)
PVSTP+ (Per VLAN Spanning-tree protocol plus)
Cisco created an initial enhancement where you could run separate instances of spanning tree on separate vlans
setting the root for several vlans
spanning-tree root vlan 1,10,20 root primary
RSTP (Rapid Spanning tree protocol) 802.1w
This was the next improvement and the spanning tree in use today
RSTP is also per vlan.
Root ports: Same as before used to reach the root bridge
Designated ports: Same as before, forwarding port, one per link
Alternate ports: The blocked ports are now seen as an alternate port should the primary link fail
Enabling RSTP
en
conf t
spanning-tree mode rapid-pvst
You should enable port fast on the ports connected to your hosts/routers, but not on connections to switches
interface range fa0/1 - 20
switchport mode access
spanning-tree portfast
With these settings RSTP will be near an instant failover as the other ports will start forwarding straight away. When failing back we will have an outage of around 1 second / 1 dropped ping.
Troubleshooting and security on switch networks
You need to build and maintain a network diagram.
Some admins recommend troubleshooting from the bottom up with the OSI model. However in the real world you often jump past levels based on things you know about the network. Usually the first step is to confirm if it is a single user issue or a wider network problem.
Port issues
Spanning-tree issues
VLAN and trunking issues
VTP issues
Remember you can't use the ranges already in use
Don't forget the point to point links
2 users +1(exception) = 3 00000011 which takes two bits
11111111.11111111.11111111.11111100 = /30
Routing protocols intro
There are two main types distance vector and link state
Distance vector protocols broadcast the entire routing table at specific intervals. RIP sends update every 30 seconds. Those updates are also used as keepalives. Due to this simplicity Distance vector protocols have looping issues.
Routing loop prevention
These mechanisms help prevent routing loops but can also cause issues.
Maximum distance
16 hops RIP. If it's 16 hops away then its too far away
Route poisoning
Integrates with the max distance. If the router sees a link is down it says its 16 hops away
Triggered updates
Updates go out when they happen instead of waiting for a set interval.
Split horizon
This is the one you will probably disable. Tell routers do not send updates back in the direction you received them. Do not send updates about routes received from other routers back to the router it came from. If we heard about a network from them then they are best suited to give updates on it.
Hold down timers
I will not believe any other updates about a route for X amount of time. This helps with flapping interfaces that are going up and down many times a second. If routing tables were being updated all the time the CPU on the device would go up. Default is 180 seconds.
Link state routing protocols
OSPF and IS-IS
OSPF sends routing table to its neighbors the first time. After that they just keep checking in with neighbors. If there is an update they send out just the update.
Much faster to converge.
No routing loops, no need for loop prevention mechanisms.
Forces a solid network design.
Technical complexity
Access control lists (ACLs)
Think of access lists that identify traffic
They can be used for
Access control
NAT
QOS
Policy routing etc
ACLs are read from top to bottom and when the first rule is matched the traffic is forwarded or dropped and that's the end of it. At the bottom of the list there is an implicit deny so the traffic will be dropped. Likewise if you have a "permit ip any any" at the top everything will be allowed.
Always apply the access inbound, on interfaces.
Types of ACLs
Standard
Match only based on source address
Lower processor utilization
Effect depends on application
Extended
Matched based on source/destination address and source/destination port
Higher processor utilization
Syntax takes some time to learn
Dynamic
Expand and shrink depending on who is connecting.
Established (Reflexive)
Allows return traffic for internal requests (like a stateful firewall)
Time-Based
Allow internet access on lunchtime for example
Context-Based access control (CBAC)
A way to make a router similar to a firewall
Configuring sstandard access-lists
Often a good idea to deny first and then permit
access-list 1 deny 192.168.5.10 0.0.0.0
access-list 1 permit 192.168.5.0 0.0.0.255
If the was applied to an interface this would allow everything on 192.168.5.0 except for .10 which would be denied. So we need to apply it to an interface before it will actually do anything.
We usually want to apply ACLs on inbound packets of the interface.
ip access-group 1 in
With standard access lists we should apply them as close to the destination as possible. This is because we can't define the destination so we should be careful about blocking too much. No one will use standard ACL's these days but you need to know it for the exam.
applying an ACL to telnet works
line vty 0 4
access-class 1 in
Configuring extended ACLs
access-list 100 deny tcp 192.168.5.10 0.0.0.0 any eq 80
extended ACLs should be applied as close to the source to save on processing time
Named access-lists
ip access-list extended DENY-HOSTA deny ip host 192.168.5.10
You can edit ACLs by going into nacl mode
ip access-list 100
ip access-list extended DENY-HOSTA
Reflexive ACLS
just add established to the end of the ACL
Network address translation (NAT)
How to translate private addresses to public addresses (and vice versa)
Dynamic NAT
Mostly used when you have overlapping networks
Two sites are using the same IP
Dynamic NAT, will NAT to a address which will be used for the duration of the session. The address comes from a pool you set up on the router.
192.168.5.10 (inside addr) -> 200.1.1.2 (outside addr) - 200.1.1.3 (outside addr) -> 192.168.5.20 (inside)
NAT overload (PAT)
Lets multiple devices share one public IP.
NAT overload uses port numbers so is often called PAT.
Static NAT
Used if we have several public IPs for our servers
We can statically NAT public IPs to private IPs
200.1.1.2 (outside) <-> 192.168.5.10 (inside)
Static nat can be used with port numbers so different ports on a public IP can point to different internal addressees
Small companies may only have a single public IP but want to run email (25) website (80) off the single public IP. NAT overload can help.
Configuring NAT overload (PAT)
Label your interfaces (inside and outside)
conf t
int e0/0
ip nat inside
int e0/1
ip nat outside
Identify internal IP addresses to be translate
7 Application
- Interfaces with applications
- Provides network access to applications
- Generifies the data (HTTP / JPG / MP3)
- Encryption services
- Starts and ends sessions
- Logically keeps sessions separate
Below occurs on the network
4 Transport
- Dictates how the data is sent (TCP / UDP)
- Defines well known services (ports)
3 Network
- Provides logical addressing (IP address)
- Finds best path to a destination (Routing)
2 Data link
- Provides physical addressing (MAC address)
- Ensures data is error free
1 Physical
- Provides access to the cables
- Electrical signal ones and zeros
Ways to remember
Top to bottom:
All People Seem To Need Data Processing
Bottom to top:
Please Do Not Throw Sausage Pizza Away
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data link
1 Physical
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data link
1 Physical
In the transport layer (layer 4) data can be sent reliably or unreliably. Things that happen in real time (VOIP / streaming video / online games) usually use unreliable transport (UDP).
reliably (TCP) - We get acks for every packet
unreliably (UDP) - We don't get acks
Example of OSI model
Lets take an example where a PC (10.0.0.3) wants to view a website www.jack.com with internet explorer. The website is hosted on the internet on a web server (200.0.0.50) running apache.
- First the PC will contact a DNS server and ask what is the IP address of www.jack.com.
- The DNS server will look the IP address for the website up and respond to the PC with the IP.
- Application - The application layer says get me the webpage www.jackface.com
- Presentation - The presentation layer packages that request into a generic format HTTP
- Session - The session layer separates the specific request for www.jack.com from other requests going on
- Transport - The session is passed to the transport layer where two choices are made. The choice of reliable/unreliable is made. TCP is selected (Web browser is hardcoded to use that). The choice of source and destination ports is made. The destination port of 80 is selected because we are using HTTP. A random free source port number is selected. This is known as a dynamic source port number. Lets says 49000 was selected. At transport layer we chose transport method (reliable/unreliable). Also source & destination port numbers.
- Network - The network layer adds the source and destination IP address. This will be the original source and the final destination address. Source: 10.0.0.3, destination: 200.0.0.50. This never changes.
- Data link - The data link layer adds the source and destination MAC address.If the destination is not on the same network it will send it to the default gateway. In this example the source MAC will be the PC's MAC address and the destination MAC will be the MAC address of the default gateway. The source and destination MAC addresses are changed all the time as the packet makes its way from source to destination. When a router receives a packet it will check if the final destination IP address is it's own IP. If it is not it knows it needs to attempt to send the packet on. If it is the router can consume the packet and handle it however it is configured to handle it.
- Physical - The physical layer sends the 1's and 0's that make up the packets that were created at the layers above out to the wire, hop by hop until it reaches the destination.
TCP/IP
OSI and TCP/IP were competing protocol. TCP/IP won but OSI is used to describe how networking works. TCP/IP is a suite of protocols.
7 Application layer
6 ===========
5 ===========
4 Transport Layer
3 Internet layer
2 Network Interface Layer
1 ===========
Remember the two address concept
IP addresses are layer 3
MAC Addresses are layer 2
The source and destination IP addresses always remain the same, but the source and destination mac addresses constantly change as the packet makes it way through the network.
TCP and UDP
TCP/UDP are selected and operate at layer 4.
TCP
- Reliable (uses acks)
- Build connections
- Uses sequence numbers
UDP
- Unreliable (no acks, no 3 way handshake)
- Connectionless
- Best effort delivery (fire and forget)
The 3 way handshake
Lets say computer A wants to communicate with B
A (Syn -> ) its like making a call on a phone, I want to communicate with you
B (<- Syn-ack) The phone is answered, I will communicate with you
A (Ack ->) ok lets start communicatingLets say computer A wants to communicate with B
A (Syn -> ) its like making a call on a phone, I want to communicate with you
B (<- Syn-ack) The phone is answered, I will communicate with you
After the handshake is complete sequence numbers are used to maintain communication
A (Seq10 ->) Here is seq 10
B (<- Seq 5 Ack 11) I got 10 and I'm waiting for 11, here is seq 5
A (Seq 11 Ack 6) I got 5, I'm read for 6, here is seq 11
TCP windowing
Increases and reduces the amount of data sent based on how reliable the connection is. Known as sliding window. You don't have to ack every single packet so network performance is faster.
Port numbers
When a client wants to reach a web server it needs to select source and destination ports. The source port is randomly generated. The destination port is selected based on the protocol we are using. Also a custom port can be defined by the user.
Client 172.30.0.10:4444 -> Webserver 200.200.200.10:80
On windows run
netstat -ano
This will show ports we are listening on and servers/ports that we are connected to. It will also list which process ID that owns that connection.
To get more information on PID 1234 run
tasklist /FI "PID eq 1234"
Port numbers 0 - 1023 are reserved for well known services
TCP and UDP have their own separate set of port numbers. Port 400 on TCP and port 400 on UDP are different.
Some common port numbers you should know
TCP - 21 - FTP
TCP - 22 - SSH
TCP - 23 - Telnet
TCP - 25 - SMTP (email)
TCP - 53 - DNS (DNS servers used when they send records to each other)
TCP - 80 - HTTP
TCP - 110 - POP (email)
TCP - 443 - HTTPS
UDP - 53 - DNS Client (Client wants to lookup www.google.com's IP address)
UDP - 69 - TFTP
Full list here:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Layer 2 communication
Host A 192.168.0.10 255.255.255.0 wants to reach
Host B 192.168.0.50 255.255.255.0
From the subnet mask Host A knows the network is the first 3 octets. The network is 192.168.0.X. Host A compares it's network to Host B's network. Host A is on the same network as host B. So host A can arp for host B's MAC address. Host A sends an arp, which is a broadcast message which everyone on the local network get's. What is the MAC address of 192.168.0.50. Host B gets this arp and replies with its MAC address. Host A starts sending out its data which will have the source and destination IP and MAC addresses.
Layer 3 communication
Host A 192.168.0.10 255.255.255.0
Host B 172.30.0.50 255.255.255.0
Networks are compared and are found not to be the same. Arp will not work because routers block arps. The message will be sent to the default gateway. We hope the router will known how to get there.
Source IP: 192.168.0.10 255.255.255.0
Destination IP: 172.30.0.50 255.255.255.0
Source MAC: HO:ST:AS:MA:CA:DD
Destination MAC: DE:FA:UL:TG:WA:YY
The router looks at the the destination IP address. It see's the packet is bound for another destination IP. The route will sent the packet on depending routes, its own default route etc. The packet will be sent on with the source and destination mac addresses constantly changing but the source and destination IP addresses remaining the same.
On a side note MAC addresses only exist in ethernet. When we move out side the LAN other technologies take over but the principle remains the same.
Ethernet
CSMA/CD
Carrier: The network signal
Sense: The ability to detect
Multiple Access: All devices have equal access
Collision: What happens if two devices send at once
Detection: how the computers handle collisions when they happen
- Listen to see if the carrier is free
- If its busy wait for a random amount of time (very small)
- Otherwise start transmitting
- Keep listening during transmitting
- If a collision is sensed, stop transmitting for a random amount of time
- Go back to first step
MAC addresses
XX:XX:XX:YY:YY:YY
X's are assigned to organisations
Y's are assigned by that organisation
You can often look up what a devices is based on its mac address
Cables
Cat5 unshielded twisted pair is the most popular cable in networking
Max distance: 100 Meters
Connection: RJ-45
Cat6 isn't that common so some older devices may have issues with it.
Multi-mode fibre (cheaper, easier to work with)
Max Distance: 275 meters to a few miles
Connection: Varies based on your equipment
Single-mode fibre (more expensive, harder to work with, connectors are more expensive)
Max distance: mile to many miles
Connection: Varies based on your equipment
T568-A
Green stripe
Green
Orange stripe
Blue
Blue stripe
Orange
Brown stripe
Brown
T568-B (this is the most popular)
Orange stripe
Orange
Green stripe
Blue
Blue stripe
Green
Brown stripe
Brown
T568A + T568A = straight through cable (100 meters)
T568B + T568B = straight through cable (100 meters)
T568A + T568B = Crossover cable (100 meters)
Unlike devices use straight through
PC <-> Switch
Router <-> Switch
Like devices use crossover cable
Router <-> Router
Switch <-> Switch
PC <-> PC
You need a crossover cable to connect a PC <-> Router
LAN Switches
The issues with CSMA/CD and crap hubs
What is a hub ?
A hub just re-transmits signals
If a message comes in one port it gets sent out all the other ports
In a hub it doesn't matter if its unicast, broadcast or multicast, it will be sent out every port
Every message is broadcast
For this reason hubs have 1 collision domain and 1 broadcast domain also.
Whats a collision domain ?
In basic terms a collision domain is how many devices can send or receive at the same time
Whats a broadcast domain ?
A broadcast domain is how far a message will travel before it stops. On a hub its all ports so it just has 1 broad cast domain.
On a hub only one device can send/receive at one time and its messages will be sent out every port. This is the problem with hubs. The more PCs we add on, the more broadcasts, and the network will get slow.
To fix the problem they invented bridges which learned the MAC addresses on each side of the bridge. The bridge could spit 2 or more hubs into 2 or more broadcast domains. It would only let traffic across the bridge that needed to get to the other side. Everything else was dropped. Bridges were slow at learning MAC addresses because it was done in software.
Enter the switch
Each port on a switch is a collision domain. All PC's can transmit at the same time without issue.
Full duplex communication. Devices can send and receive at the same time.
By using all switches you won't have any collisions.
Switches are fast at learning MAC addresses because they have ASIC's (hardware chips that do the job much faster.)
Hubs/Bridges should be in the bin by now.
Hubs were replaced by switches
Bridges were replaced by and routers.
How a switch ... switches
When the switch powers up the the CAM table (mac address table is empty)
Remember PCs and other devices are quite chatty so will send in some packets
When it gets a packet from a MAC address on a port it remembers that MAC is on that port.
Lets say we have the following setup
PC A : AA:AA:AA:AA:AA:AA on port 1
PC B: BB:BB:BB:BB:BB:BB on port 2
PC A wants to send to PC B
PC A sends an arp to the switch looking for PC B's MAC address
Switch learns that PC A is on port 1
PC B responds to the arp
Switch learns that PC B is on port 2
This process continues until the switch knows what is connected to all ports. Only takes seconds.
Cisco IOS
User EXEC
RouterX>enable
Privileged EXEC
RouterX# conf t
Global config
RouterX(config)#
Ctrl + Z brings you back to privileged exec
exit brings you back one level
? gives context sensitive help
show ?
show r?
interfaces are off by default you need to do a no shutdown
Basic Switch config
enable
conf t
hostname SWITCH1
interface vlan 1
ip address 172.30.0.100 255.255.255.0
no shut
exit
ip default-gateway 172.30.0.1
exit
copy run start
exit
exit
Setting passwords on switches
enable
conf t
enable password cisco
enable secret cisco1
line con 0
password cisco
login
exit
line vty 0 4
login
exit
service password-encryption
copy run start
Some older devices don't have the enable secret command. So on new devices you don't need the enable password. You should always use enable secret on new devices. Always keep the enable password and the enable secret to different passwords.
Setting a Banner
enable
conf t
banner motd @ Here is my banner message @
exit
copy run start
Enabling SSH
enable
conf t
ip domain-name mydomain.com
crypto key generate rsa
[enter]
1024
[enter]
ip ssh version 2
line vty 0 4
transport input ssh
exit
exit
username jack password sshpassword
copy run start
Port security
en
conf t
interface fastEthernet 0/5
switchport mode access
This hard codes the port for access, meaning it should be connected to a PC/Server/Router but not another switch
switchport port-security
Now we have set it as an access port we can enable security
Maximum - Sets the max number of devices allowed to connect to this port
Violation - Lets us set what to do when the policy is violated (default is shutdown)
- Shutdown - shutdown the port
- Protect - Just ignore the other device
- Restrict - Ignore and log it
Mac-address - set the MAC address that is allowed to use this port
Useful show commands
sh ip int brief - shows ip config on interfaces
sh mac address-table - shows the mac address table
sh port security interface fastEthernet 0/5 - shows the port security settings for an interface
sh ip protcols - shows the routing protocols
sh ip nat translations - shows the nat translations
show controllers serial 0/0 - shows the clock rate and DCE/DTE
sh int status - shows speed and duplex, good for spotting speed/duplex issues
Configuring a range of ports at once
int range fastEthernet 0/2 - 23
The following commands will be applied to all of those ports
Configuring speed and duplex
By default the speed and duplex are set to auto. It will auto detect the speed & duplex and use that. However it doesn't always work well on old switches and old/new network cards. Auto is improved in newer devices. You can leave auto for desktops because we don't care. Servers/switches routers and WAN links etc should all be hard coded.
Changing speed and duplex brings the interface down and back up, but its probably not working well if you have to make these changes.
en
conf t
interface fastEthernet 0/5
speed 100
duplex full
Spanning tree intro
Switches will forward broadcasts out all ports by design
However redundant connections are required in businesses
We don't want that to cause a network loop.
Another common cause of a network loop is when a user plugs the network cable from an access port back into another access port causing a loop.
Spanning tree block redundant links until they are needed.
It is a protocol designed for this.
At ICDN1 level we just need to know what it is and what it does.
In ICDN2 you need to know much more about how it works.
Wireless channels
You want to use
1 6 11
and repeat that
802.11b max data rate is 11Mbps
Router config
enable
conf t
hostname Router1
banner motd @ banner text @
line con 0
password cisco
login
exit
line vty 0 4
password cisco
login
exit
enable secret cisco1
exit
interface gigabitEthernet 0/0
description Internet connection
ip address 200.200.200.1 255.255.255.224
no shut
exit
copy run start
Enabling the SDM
enable
conf t
ip domain-name mydomain.com
crypto key generate rsa
[enter]
1024
[enter]
ip http server (80)
ip http secure-server (443)
username SDMuser privilege 15 secret cisco
ip http authentication local
line vty 0 4
login local
exit
copy run start
Browse to the IP address of the router https://172.30.0.1, install the SDM app from there.
Static routing
show ip route
conf t
ip route 192.168.1.0 255.255.255.0 192.168.2.2
To get to 192.168.1.0 network, next hop is 192.168.2.2
Setting the default route
conf t
ip route 0.0.0.0 0.0.0.0 200.200.200.10
If we don't match one of our static routes then send packets destined for every other network to the next hop our ISP (the internet)
Set the DNS server
ip name-server 8.8.8.8
exit
ping www.google.ie
Routing protocols
Allow routers to build paths automatically. Routing protocols basically routers tell their neighbours what they know.
Types of routing protocols
Distance Vector:
- Easy to configure
- Not many features
- RIP, IGRP
- Harder to configure (need to know more)
- feature rich
- OSPF, IS-IS
- Best of both
- Proprietary (Only on Cisco routers)
- EIGRP
enable
show ip route
conf t
router RIP
version 2
no auto-summary
network 192.168.1.0
network 192.168.2.0
Turning on IGRP
enable
conf t
router igrp 1000 ( <- that is an AS number)
network 192.168.1.0
network 192.168.2.0
Turning on NAT/PAT
enable
conf t
access-list 1 remark PAT_ACL category=2
access-list 1 permit 192.168.1.0 0.0.0.255
interface vlan 1
ip nat inside
exit
interface fastEthernet 4
ip nat outside
exit
ip nat inside source list 1 interface fasterEthernet 4 overload
I would like to NAT from the inside of my network which I have designated the source address in access list 1, I want to nat those addresses to fastEthernet 4 and overload which means (PAT)
WAN connections
WAN links connect our offices which maybe across the city, country and world
Some examples of WAN connection
Layer 2 Datalink: Frame relay, ATM, PPP, HDLC
Price and speed will be the two things we look at when creating WAN connections.
A lot of companies use VPN connections instead of WAN connections now because VPNs are cheap.
Leased lines: dedicated bandwidth (most expensive)
T1 CAS
E1 CAS
Circuit switched: on demand bandwidth (cheapest but slowest)
dial up model
ISDN
Packet Switched: shared but guaranteed bandwidth between locations (current favourite)
frame relay
ATM
Price you pay is based on what your are guaranteed for.
HDLC High-level data link control
Cisco propriety
Very simple to setup, just plug cables into serial port
PPP point to point protocol
The alternative to HDLC
DCE (connecting/clocking) is always the service provider
DTE (terminating)is always connected to us
Configuring PPP/HDLC
enable
conf t
int serial 0/0
encapsulation ppp
exit
copy run start
List and disconnect users
sh users (shows users connected with the line number)
sh line (shows all line numbers of all connections)
clear line 10 (disconnects the session on line 10)
CDP
CDP is cisco proprietary, tells you lots of information, IP, what type of device etc.
show cdp neighbors - shows devices
show cdp entry R3 - shows more information on R3
show cdp entry * - shows more information on all neighbors
conf t
int fastEtnernet 0/4
no cdp enable -turns off CDP on a specific interface, other interfaces still send out CDP
conf t
no cdp run - turn of CDP on all interfaces, turns off the whole protocol
Sub-netting
Default network masks:
Class A: 1 - 126, 8 network bits, 24 host bits (255.0.0.0)
Class B: 128 - 191, 16 network bits, 16 host bits (255.255.0.0)
Class C: 192 - 223, 24 network bits, 8 host bits (255.255.255.0)
Sub-netting is the process of borrowing host bits.
Determining the number of valid hosts
Valid hosts = (2^ number of host bits) - 2
We subtract 2 because one address is always used for the network address and the other is used for the broadcast address.
How many valid host addresses are on 150.50.50.0 /24
150 = Class B = 255.255.0.0 (/16)
Default mask = 11111111 . 11111111 . 00000000 . 00000000
Subnet mask = 11111111 . 11111111 . 11111111 . 00000000
We can see there are 8 host bits used. (2^8) -2
2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
So 256 - 2 = 254
Determining the subnet number of a given IP address
Lets take 178.56.21.9 /24
Convert the IP and subnet mask to binary
Perform a boolean AND opertaion. Basically if there are two 1's its 1, any other combination its 0.
Convert the result back to decimal.
178.56.21.9 = 10110010 . 00111000 . 00010101 . 00001001
subnet mask = 11111111 . 11111111 . 11111111 . 00000000
result of and = 10110010 . 00111000 . 00010101 . 00000000
Answer = 178.56.21.0
Subnet is /24 or 255.255.255.0
Lets take a harder one 200.154.150.89 /27
200.154.150.89 = 11001000 . 10011010 . 10010110 . 01011001
subnet /27 = 11111111 . 11111111 . 11111111 . 11100000
bolean and result =11001000 . 10011010 . 10010110 . 01000000
Answer = 200.154.150.64
subnet is /27 or 255.255.255.224
Determining the valid range of host addresses for a given subnet
Lets take the network we worked out above 200.154.150.64 /27
Convert IP and mask to binary
200.154.150.64 = 11001000 . 1011010 . 10010110 . 01000000
subnet is 27 = 11111111 . 1111111 . 11111111 . 11100000
bolean and result = 11001000 . 1011010 . 10010110 . 01000000
First address is all host bits set to 0
network address is not valid for hosts = 11001000 . 1011010 . 10010110 . 01000000
Network ID = 200.154.150.64
Last address in the range is all hosts bits set to 1
broadcast address is not valid for hosts = 11001000 . 1011010 . 10010110 . 01011111
Broadcast address = 200.154.150.95
Valid range of usable addresses is everything in between
200.154.150.65 - 200.154.150.94
The number of network bits is 27 this leaves 5 host bits
Remember number of valid hosts = (2^ number of host bits) - 2
2^5 = 32
32-2 (Network and broadcast) = 30
Your network is /20 how many valid hosts are allowed on this subnet ?
We know there are 20 network bits
That leaves 12 host bits (32 - 20 = 12)
2^12 = 4096
Number of valid hosts is 4096 - 2 (for broadcast and network ID)
Answer = 4094
Are we reserving space for networks or for hosts ?
We want 5 networks
- Subtract 1 (the exception)
- Convert to binary
- Reserve the bits in the subnet mask
- Find increment, it is the lowest network bit
- Write the network ranges
We want 2 hosts
- Add 1 (the exception)
- Convert to binary
- Reserve the bits in the subnet mask
- Find the increment, it is the lowest network bit
- Write the network ranges
Given an IP and subnet mask
192.168.1.127
255.255.255.224
You may be given the subnet mask in slash notation
192.168.1.127 /27
Can be useful to write these tables out for to help when converting
128 192 224 240 248 252 254 255
128 64 32 16 8 4 2 1
Convert 224 to binary = 11100000
Increment is lowest network bit = 32
Start writing the ranges
0 - 31
32 - 63
64 - 95
96 - 127
128
We can see 127 is a broadcast address and is not valid to be assigned to a host.
The type of questions you could be asked
Is this a valid IP to be assigned to a host ?
We have connectivity issues between two IP's what is the cause (are they on the same subnet) ?
What range is a given IP on ?
Identify all ranges for 200.154.150.64 /27 ?
VLSM variable length subnet mask
When you see the question asking for the most efficient addressing possible it means they want VLSM.
Don't forget about the point to point links
You can change your mask
192.168.1.0 /24
RA 20 users
RB 20 users
RC 60 users
Start with the largest subnet, and work through the next largest until all subnet's are solved.
We want to save the hosts
- Add 1 (the exception)
60 +1 = 61
- Convert to binary
128 64 32 16 8 4 2 1
0 0 1 1 1 1 0 1
It took 6 bits to get 61
- Reserve the bits in the subnet mask
Thats /26
128 192 224 240 248 252 254 255
128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0
or 255.255.255.192
- Find the increment, it is the lowest network bit
128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0
Thats 64
1 1 0 0 0 0 0 0
Thats 64
- Write the network ranges
192.168.1.0 - 63
192.168.1.64 - 127
We could keep going but we only need 60 hosts
RC =192.168.1.0 - 63 /26
Now move onto the next biggest
20 users
that's 5 host bits
/27
255.255.255.224
increment is 32
192.168.1.0 - 31 ( can't use this its already in use by RC )
192.168.1.32 - 63 ( can't use this its already in use by RC )
192.168.1.64 -95 ( I can use this one for RA )
192.168.1.96 -127 ( I can use this one for RB )
RA 20 users 192.168.1.64 -95 /27
RB 20 users 192.168.1.96 - 127 /27
RC 60 users 192.168.1.0 - 63 /26
But we forgot about the point to point links. Watch out for exam questions asking how many networks do you need to create, don't forget the point to point networks.
2 users
2 host bits
/30
255.255.255.252
increment is 4
192.168.1.0 - 3
192.168.1.4 - 3
You can write all the ranges or skip through
192.168.1.128 - 131
192.168.1.132 - 135
192.168.1.136 - 139
192.168.1.140
RA <-> RC 192.168.1.128 - 131 /30
RC <-> RB 192.168.1.132 - 135 /30
RA <-> RB 192.168.1.136 - 139 /30
So we have completed the whole network now
Network behind each route
RA 20 users 192.168.1.64 -95 /27
RB 20 users 192.168.1.96 - 127 /27
RC 60 users 192.168.1.0 - 63 /26
Point-point networks between the routers
RA <-> RC 192.168.1.128 - 131 /30
RC <-> RB 192.168.1.132 - 135 /30
RA <-> RB 192.168.1.136 - 139 /30
The reason we start with the largest number of users is so there is no waste.
VLSM looks great on paper and in the exam. However in the real world networks grow. Always leave room for growth. Lots of people like to add 50%.
Many people use /30 on P2P links and /24 on the LANs.
Summarization
What is the most appropriate summarization for these routes
10.0.0.0
10.0.1.0
10.0.2.0
10.0.3.0
Convert the largest unique octet to binary and reverse the 1's and 0's.
3 = 00000011
Reverse the 1's and 0's = 11111100
The first two octets must be the same
The third octet must be 11111100
After that we don't care
Subnet mask = 11111111.11111111.11111100.00000000
Summarization route should be 10.0.0.0 /22
_________________________________________________________________________________
Virtual LANS (VLANS)
VLANs logically groups users (ports) together
VLANs segments broadcast domains (Broadcasts on vlan1 only go out ports on vlan1, broadcasts on vlan2 only go out ports on vlan2)
Trunks carry all VLANs and are used for connect VLANs to other switches.
One VLAN = one broadcast domain = one subnet
VLANs can be used for access control
VLANs can be used for QOS. (Split IP phones and desktops onto different LANS)
Remember the noram switch setup
One collision domain per port
Broadcasts go to all ports except the port it was received on
One subnet per LAN
Very limited access controll
Cisco advises 200-500 devices per network before broadcasts start to slow the network down.
Advantages of VLANs
VLANs let us segment users(ports) without routers
We are not limited to physical locations because we can use trunks
Tighter control of broadcasts (VLAN pruning)
Trunking
Trunking allows VLAN to pass multi VLAN information between switches
Trunking is also known as tagging by all other vendors
Places VLAN information into each frame
VLANs operate at layer 2
802.1Q is the industry standard trunking protocol
All vendor switches can pass VLAN information to each other using 802.1Q.
The native VLAN
By default switches are usually configured to use VLAN1. So if you plug in the switch all ports are on VLAN1 and it just works, even if the user has no idea about VLANs.
You can configure it later if you do know about them. When connecting two switches together you must make sure the native VLAN's match. So if native VLAN is 10 on SwtichA it must be the same on SwitchB.
Separation
IP phones, desktops, servers etc are often separated. As mentioned IT admins have their own approaches. A section like business, sales are on their own VLANs. Or floor1 and floor2 are on separate VLANs etc.
VTP (VLAN trunking protocol)
This protocol is not actually for trunking. This is for replicating the VLANs onto all of your switches.
Lets say you have 3 switches, SwitchA, SwitchB, SwitchC
If you create a vlan 500 on SwitchA, VTP will replicate that VLAN 500 onto the other switches.
You still need to configure the ports on those VLANs.
There is a pitfall if someone plugs a switch into your network and its REV number is higher than your switches and it overwrites your VLANs with its VLANs. If a port assigned to the VLAN is removed the port stops working. This usually happens when the switches have the default VTP settings.
VTP mode
- Server
Every switch is a server by default
Servers can change the database
Send and receives VTP updates
Saves VLAN configuration
- Client
Cannot change VLAN information
sends and receives VTP updates
does not save vlan configuration
- Transparent
Power to change vlan information
forwards VTP updates
does not listen to VTP advertisements
saves VLAN configuration
VLAN pruning
Keeps unnecessary broadcast traffic from crossing trunk links
Only works on VTP servers
Configuring VLANS
See status of VLANs (and interfaces)
sh ip int brief
Enter enable mode
en
Enter global config mode
conf t
Configure and IP address on vlan 1 and bring it up
interface vlan 1
ip address 192.168.1.100 255.255.255.0
no shut
Configure trunk ports
interface fastEthernet0/24
switchport trunk encapsulation dot1q (needed for older devices)
switchport mode trunk
Configure the rest of the ports as access ports (remember dynamic desirable is bad)
interface range fastEthernet 0/1 - 23
switchport mode access
Configuring VTP
sh vtp status
Configure the VTP name
vtp domain MYCORPVTPDOMAIN (it is case sensitive)
Configure the VTP password
vtp password cisco (must be configured on all switches)
Configure the VTP mode
vtp mode server (or set it to client)
Creating a VLAN and give it a name (this should be replicated to all switches)
vlan 20
name business
Remember we still need to assign ports to VLANs for any of these to be really useful
See what VLANs are there
show vlan
There are 5 vlans by default. Vlan1 1002, 1003, 1004 and 1005. The last four are not used anymore but must be on the network device to confirm to a standard.
Assign a port to a VLAN
interface fastEthernet 0/5
switchport mode access
switchport access vlan 20
I can be a good idea to match your IP address 192.168.20.x to your vlan number vlan 20. That way by just looking at the IP address you know what VLAN it is on.
There are 3 methods to route between VLANS
- Separate port to each VLAN
- Router-on-a-stick
- Layer 3 switching (CCNP level)
You need an interface on your router for each vlan. The router will look after the routing between VLANs. This doesn't work when you have more than 4 VLANs.
Router-on-a-stick configures a single trunk connection to a router which routes between the VLANS.
Layer 3 switches have a router built in and can route between VLANs. Layer3 switches are much more expensive than layer 2 switches. Layer 3 switches can have an IP address on each VLAN.
Configuring router on a stick
creating sub interfaces
Router> interface fastEthernet 0/0.20 (the sub IF doesn't have to match the VLAN but its a good idea)
Router> encapsulation dot1Q 20
Router> ip address 192.168.20.1 255.255.255.0
Router> interface fastEthernet 0/0.10
Router> encapsulation dot1Q 10
Router> ip address 192.168.10.1 255.255.255.0
Switch> int fastEthernet 0/4 (this is connected to the router above on fa0/0)
Switch> swtichport mode trunk
Spanning Tree
When designing a switch implementation it's best to deploy it in layers- Core
- Distribution
- Access
When starting off in the real world you will probably start with a single cheap switch. The important thing is to expand when required, add redundancy as soon as you can afford. Buy the best you can afford.
Etherchannels can provide more bandwidth on key links
Redundancy
Redundancy is good we want that but we need to implement it properly
By default switches forward broadcast packets out all ports (except the one it was received on) by design
We need redundant connections in corporate networks
Spanning tree blocks redundant links until they are needed
Only a router can subtract from the TTL. This is why packets will go around and around in loops on switches.
Spanning tree finds the best link and blocks the other redundant links.
BPDU's discover loops
BPDU's help elect the root bridge (by default it will select the oldest switch)
Cisco switches run spanning tree by default. So you can plug in redundant links and it will work without loops, but it may be inefficient.
BPDU and elections
Root port: used to reach the root bridge
Designated port: forwarding port, one per link
Block/non designated: The redundant link which is blocked
All network devices have a bridge ID
Bridge = Priority. MacADD
By default the priority is 32768 (don't ask why)
A lower priority gives you a better chance of being assigned as the root bridge.
So if everyone has the same priority, the mac address will be used. This is why the oldest switch with the lowest mac address will be selected.
The other switches elect root ports based on cost. The lowest cost to the root bridge is selected.
Root bridge will never have a root port because it is the root bridge.
Mac addresses are also used to decided which side of the link is blocked.
How STP find the best path
Elect the root
Find the lowest cost path to the root
- 10 Mbps 100
- 100 Mbps 19
- 1 Gbps 4
- 10 Gbps 2
Spanning tree is turned on by default on Cisco switches
It will work out of the box but may make some bad choices if you don't intervene.
show spanning-tree
remember the links will only be block on one end of the connection. The port with the lowest number will be selected.
Forcing a device to be the root bridge
en
conf t
spanning-tree vlan 1 root primary (set secondary for a backup switch)
This command will decrease the priority which will make the device the root
Alternatively manual set the value for the priority
spanning tree vlan 1 priority X ( 0 - 61440 in increments of 4096)
Spanning tree is an old protocol and can take 30-60 seconds to failover redundant links. This is why isn't not used in modern business networks because an outage that long is not acceptable.
Improvements to spanning tree
Original spanning tree
Listening (Listen for BPDU's, send/receive BPDU's - 15 seconds)
Learning (Learn MAC addresses on that port - 15 seconds)
Forwarding (Port is forwarding traffic, light changes from amber to green)
Blocking (Waits 20 seconds to see if a link comes back before going into blocking)
PVSTP+ (Per VLAN Spanning-tree protocol plus)
Cisco created an initial enhancement where you could run separate instances of spanning tree on separate vlans
setting the root for several vlans
spanning-tree root vlan 1,10,20 root primary
RSTP (Rapid Spanning tree protocol) 802.1w
This was the next improvement and the spanning tree in use today
RSTP is also per vlan.
Root ports: Same as before used to reach the root bridge
Designated ports: Same as before, forwarding port, one per link
Alternate ports: The blocked ports are now seen as an alternate port should the primary link fail
Enabling RSTP
en
conf t
spanning-tree mode rapid-pvst
You should enable port fast on the ports connected to your hosts/routers, but not on connections to switches
interface range fa0/1 - 20
switchport mode access
spanning-tree portfast
With these settings RSTP will be near an instant failover as the other ports will start forwarding straight away. When failing back we will have an outage of around 1 second / 1 dropped ping.
Troubleshooting and security on switch networks
You need to build and maintain a network diagram.
Some admins recommend troubleshooting from the bottom up with the OSI model. However in the real world you often jump past levels based on things you know about the network. Usually the first step is to confirm if it is a single user issue or a wider network problem.
Port issues
- Check cabling issues, link lights
- Verify speed and duplex are negotiated/set correctly
- Check that assigned VLAN has not been deleted
Spanning-tree issues
- Switches will be blinking like mad if there is loop, they will have 100% CPU usage
- Solve the immediate issue, disconnect the redundant links (use the network diagram)
- Make sure your network diagram is correct
- Ensure root bridge selection is correct
- Make sure all switches are running RSTP and portfast is enabled on host & router ports but not on ports connecting switches to switches.
VLAN and trunking issues
- Check if there is a native VLAN mismatch (on trunk ports)
- If VLANs are bleeding into each other you could have IP address mismatches etc
- Hardcode trunk and access ports
- Verify IP address assignments in a VLAN
- Use ping and traceroute to diagnose routing issues
VTP issues
- Verify trunks (used to replicate VLANS, only works over trunk links)
- Verify VTP information (name, password, version, mode
- Last resort, delete flash:vlan.dat, reload and re-config
Security
Physical security, if someone has access to your rack/switches they can pull power/network cables, they can reset the switch and re-config, they can attempt to connect to devices with a console cable. They can attach a device to your network.
Set passwords (obvious) and logon banners (legal reasons)
Disable the webserver and configured your switches on the CLI. The webservers tend to have vulnerabilities.
Limit remote access to devices by subnet or IP
Use SSH where possible. Its encrypted.
Configure logging and NTP (to aid logging). Set up a central syslog and NTP server configure all your network devices to use them
Limit where CDP is running. CDP is helpful for finding out information about the switch, attackers can use this.
Use BPDU guard on portfast ports.
spanning-tree BPDU guard
VLSM (variable length subnet mask)
You can change your subnet mask whenever and wherever you like on the network.
Subnetting is taking one network and breaking it up into many networks.
You may get a question like this:
Subnet 192.168.1.0 /24 to address this network. Use the most efficient addressing possible. When you see "most efficient addressing possible". Often you will see 3 routers in a triangle
Lets say we have 20 users, 20 users and 60 users.
Start with the largest subnet and work your way down
Convert the number of hosts to binary
Identify how many bits are required to get that number
Reserve the bits in the original subnet mask (watch out for /16)
Find the increment, the lowest network bit
Write your ranges
Move to the next biggest subnetSet passwords (obvious) and logon banners (legal reasons)
Disable the webserver and configured your switches on the CLI. The webservers tend to have vulnerabilities.
Limit remote access to devices by subnet or IP
Use SSH where possible. Its encrypted.
Configure logging and NTP (to aid logging). Set up a central syslog and NTP server configure all your network devices to use them
Limit where CDP is running. CDP is helpful for finding out information about the switch, attackers can use this.
Use BPDU guard on portfast ports.
spanning-tree BPDU guard
VLSM (variable length subnet mask)
You can change your subnet mask whenever and wherever you like on the network.
Subnetting is taking one network and breaking it up into many networks.
You may get a question like this:
Subnet 192.168.1.0 /24 to address this network. Use the most efficient addressing possible. When you see "most efficient addressing possible". Often you will see 3 routers in a triangle
Lets say we have 20 users, 20 users and 60 users.
Start with the largest subnet and work your way down
Convert the number of hosts to binary
Identify how many bits are required to get that number
Reserve the bits in the original subnet mask (watch out for /16)
Find the increment, the lowest network bit
Write your ranges
Remember you can't use the ranges already in use
Don't forget the point to point links
2 users +1(exception) = 3 00000011 which takes two bits
11111111.11111111.11111111.11111100 = /30
Routing protocols intro
There are two main types distance vector and link state
Distance vector protocols broadcast the entire routing table at specific intervals. RIP sends update every 30 seconds. Those updates are also used as keepalives. Due to this simplicity Distance vector protocols have looping issues.
Routing loop prevention
These mechanisms help prevent routing loops but can also cause issues.
Maximum distance
16 hops RIP. If it's 16 hops away then its too far away
Route poisoning
Integrates with the max distance. If the router sees a link is down it says its 16 hops away
Triggered updates
Updates go out when they happen instead of waiting for a set interval.
Split horizon
This is the one you will probably disable. Tell routers do not send updates back in the direction you received them. Do not send updates about routes received from other routers back to the router it came from. If we heard about a network from them then they are best suited to give updates on it.
Hold down timers
I will not believe any other updates about a route for X amount of time. This helps with flapping interfaces that are going up and down many times a second. If routing tables were being updated all the time the CPU on the device would go up. Default is 180 seconds.
Link state routing protocols
OSPF and IS-IS
OSPF sends routing table to its neighbors the first time. After that they just keep checking in with neighbors. If there is an update they send out just the update.
Much faster to converge.
No routing loops, no need for loop prevention mechanisms.
Forces a solid network design.
Technical complexity
Access control lists (ACLs)
Think of access lists that identify traffic
They can be used for
Access control
NAT
QOS
Policy routing etc
ACLs are read from top to bottom and when the first rule is matched the traffic is forwarded or dropped and that's the end of it. At the bottom of the list there is an implicit deny so the traffic will be dropped. Likewise if you have a "permit ip any any" at the top everything will be allowed.
Always apply the access inbound, on interfaces.
Types of ACLs
Standard
Match only based on source address
Lower processor utilization
Effect depends on application
Extended
Matched based on source/destination address and source/destination port
Higher processor utilization
Syntax takes some time to learn
Dynamic
Expand and shrink depending on who is connecting.
Established (Reflexive)
Allows return traffic for internal requests (like a stateful firewall)
Time-Based
Allow internet access on lunchtime for example
Context-Based access control (CBAC)
A way to make a router similar to a firewall
Configuring sstandard access-lists
Often a good idea to deny first and then permit
access-list 1 deny 192.168.5.10 0.0.0.0
access-list 1 permit 192.168.5.0 0.0.0.255
If the was applied to an interface this would allow everything on 192.168.5.0 except for .10 which would be denied. So we need to apply it to an interface before it will actually do anything.
We usually want to apply ACLs on inbound packets of the interface.
ip access-group 1 in
With standard access lists we should apply them as close to the destination as possible. This is because we can't define the destination so we should be careful about blocking too much. No one will use standard ACL's these days but you need to know it for the exam.
applying an ACL to telnet works
line vty 0 4
access-class 1 in
Configuring extended ACLs
access-list 100 deny tcp 192.168.5.10 0.0.0.0 any eq 80
extended ACLs should be applied as close to the source to save on processing time
Named access-lists
ip access-list extended DENY-HOSTA deny ip host 192.168.5.10
You can edit ACLs by going into nacl mode
ip access-list 100
ip access-list extended DENY-HOSTA
Reflexive ACLS
just add established to the end of the ACL
Network address translation (NAT)
How to translate private addresses to public addresses (and vice versa)
Dynamic NAT
Mostly used when you have overlapping networks
Two sites are using the same IP
Dynamic NAT, will NAT to a address which will be used for the duration of the session. The address comes from a pool you set up on the router.
192.168.5.10 (inside addr) -> 200.1.1.2 (outside addr) - 200.1.1.3 (outside addr) -> 192.168.5.20 (inside)
NAT overload (PAT)
Lets multiple devices share one public IP.
NAT overload uses port numbers so is often called PAT.
Static NAT
Used if we have several public IPs for our servers
We can statically NAT public IPs to private IPs
200.1.1.2 (outside) <-> 192.168.5.10 (inside)
Static nat can be used with port numbers so different ports on a public IP can point to different internal addressees
Small companies may only have a single public IP but want to run email (25) website (80) off the single public IP. NAT overload can help.
Configuring NAT overload (PAT)
- Label your interfaces (inside and outside)
- Identify internal IP addresses to be translate
- Enable NAT overload
Label your interfaces (inside and outside)
conf t
int e0/0
ip nat inside
int e0/1
ip nat outside
Identify internal IP addresses to be translate
ip access-list standard NAT_THESE permit 192.168.0.0 0.0.0.255
Enable NAT overload
ip nat inside source list NAT_THESE interface e0/1 overload
Show all the NAT translations
show ip nat translations
Static NAT
ip nat inside source static 192.168.10.50 200.50.50.50
Static mapping to point port 80 to a specific server (web app server)
ip nat inside source static tcp 192.168.10.50 80 interface e0/1
Dynamic NAT with overload
Identify addresses to be NAT'd
ip access-list standard NAT_THESE permit 192.168.0.0 0.0.0.255
Create the NAT pool
ip nat pool PUBLIC_ADDRESSES 200.50.50.50 200.50.50.100 netmask 255.255.255.0
Enable the NAT overload.
ip nat inside source list NAT_THESE pool PUBLIC_ADDRESSES overload
VPNs
Cheaper than a dedicated link
Available anywhere you have an internet connection
Secured even though they travel across the internet
Can put strain on the firewall/router because of the encryption
Many-to-many connections
Can be complex to configure
Site to site
Connects two offices. Replacement for dedicated links
Remote Access
Users dial into an office from their laptops at home
Users need a client installed on their laptop
SSL or web VPN
Allow users to connect to a webpage where the client can be downloaded or run straight from the webpage.
IPSec = the security protocol that makes VPNs possible
IPSec is built of several components
Connections
encapsulation ppp
PPP authentication
PAP is old, username/password is sent in clear text and not used anymore.
Challenge handshake authentication protocol (CHAP)
Sends username and a hash of the password.
Encryption - scrambles the data but can be reversed with the correct formula (decryption)
Hashing - uses an irreversible formula to scramble the data. Think of a hash as an answer to a formula.
CHAP uses hashing. The password must be known by both sides and is not exchanged over the wire.
Create a user account for the other router (this is run on R1)
The password must match on both sides
username R2 password cisco
Turn on authentication
int serial 0/0
ppp authentication chap
Frame relay
Leased lines used to be the method to connect locations.
Dedicated lines cost a lot of money.
When the line wasn't being used that bandwidth was just going to waste.
Telco's decided to create a large pool of bandwidth and sell different level pipes to connect.
When bandwidth was not in use somewhere it could be used somewhere else.
Packet switched
x.25 was first
Frame Relay was next
ATM came next
MPLS is the newest technology
Committed information rate (CIR)
The minimum you are guaranteed by the service provider
Local Access Rate (LAR)
Physically how fast that circuit can go
Local Management interface (LMI)
The language between the router and the ISP
Sends statistics
Data link connection identifier (DLCI)
Frame relay equivalent of MAC addresses
Each site is identified by a DLCI
Permanent virtual Circuit (PVC)
You can buy a PVC between Dublin and Cork
And another between Dublin and London
DLCI's are locally significant
Dublin DLCI 200 -> PVC -> DLCI 100 Cork
Dublin DLCI 300 -> PVC -> DLCI 500 London
Think of DLCI's like a gate or tunnel. You go into DLCI 200 in Dublin and travel through the PVC and you come out DLCI 100 in Cork.
DLCI's can be the same because they are locally significant
The below will work
Dublin DLCI 200 -> PVC -> DLCI 200 Cork
Dublin DLCI 300 -> PVC -> DLCI 200 London
You can't have two local DLCI's with the same number in the same location
Frame relay designs
Hub and spoke
Cheap
Single point of failure
Delay for voice traffic
Full mesh
Best/fastest design
All sites have a dedicated link to other sites
High cost (as more sites are added the cost keeps going up)
Partial mesh
Critical sites have dedicated links
The rest hub and spoke back to a main site
Multipoint design - all routers are on the same subnet.
Split horizon can cause issues (never send an update back in the direction it came from)
Point to point design - all routers on different subnets
Point to point sub-interface created for each peer
No problems with split horizon
s0/0.100
192.168.1.1/24
s0/0.200
192.168.2.1/24
s0/0.300
192.168.3.1/24
Frame relay config
Multipoint
conf t
int s0/1/0
ip addresses 192.168.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.168.1.2 102 broadcast
The remote IP we want to reach and the DLCI that we want to use to get there. Allows router 1 to send broadcasts to router 2. Now your routing protocols can work across the frame relay network. You need to configure the map's on the routers so they have a route back.
sh frame-relay lmi
Send/receive should match
timeouts are bad
show frame-relay map
active - everything is working
deleted - can't find that DLCI
inactive - you are setup but the other side is not
Point to point
int s0/1/0
encapsulation frame-relay
int s0/1/0.102 point-to-point
up address 192.168.1.1 255.255.255.0
frame -relay interface-dlci 102
Have to setup your other sub-interfaces and the other routers.
Show commands
show frame-relay map (shows what DLCI's are mapped to what IP addresses)
show frame-relay pvc (show all DLCI's you have, the status, the interface and statistics, more detail than above)
show frame-relay lmi (shows the communication between you and the ISP)
IPv6
To get rid of groups of zeros you can use :: but you can only use it once per IP
You can drop leading zeros
:005B: becomes :5B:
IPv6 has a simpler header
IPv6 doesn't have broadcasts.
Unicast: one to one
Multicast: one to many
Anycast: one to closest (Web servers can have the same IP you will connect to the closest one)
Link-local: layer 2
Unique / site local: Like private addressing. We don't need them anymore, but humans are used to them. You will have the option to use them or not
Global scope: Public addresses on the internet. Every device on your network can have an address on the internet
Link local addresses always start with FE80
The last 64bits are made up of the MAC address with FFFE in the middle of it
Site local will start FD00::/8 or FC00::/7
Global addresses will start with 2001::/16
IPv6 Configuration
conf t
ipv6 unicast-routing
int f0/0.1
ipv6 address 1FE0:1111::1/32
ipv6 router rip 1
no need to fill in any network statements, you just need to enable it under the interfaces
int e0/0
ipv6 rip 1 enable
Migration to IPv6
Dual stack routers - Can use IPv4 and IPv6
Tunnelling 6to4 and 4to6 - kind of like a VPN through the IPv6 network to connect IPv4 networks and the other way around
NAT protocol translation - NAT between IPv4 and IPv6
_________________________________________________________________________________
Quick router config
Set the hostname
#hostname MyRouterName
Disable DNS lookup
#no ip domain-lookup
Set the enable passwords
#enable password cisco
#enable secret cisco
Go into line vty (telnet and SSH) and set a password
#line vty 0 15
#password cisco
#exit
Go into line console set a password, time out and enable log sync
#line console 0
#exec-timeout 15
#logging synchronous
#password cisco
#login
#exit
Set a message of the day banner
#banner motd @ this is my banner & @
_________________________________________________________________________________
Autonomous Systems: Interior and exterior routing protocols
AS 64520 <-------------------------------------> AS 64530
Interior gateway protocols exterior gateway protocols Interior gateway protocols
RIPv2 BGP
OSPF
EIGRP
An autonomous system (AS) is a collection of networks within a common administrative domain.
Interior gateway protocols operate within an AS
Exterior gatway protocols connect different autonomous systems
Inside IGP's and EGP's there are different classes
Distance Vector
Distance = how far, Vector = in which direction
RIP
-selects route on hop count, not always the best path
-routers discover the best path to destinations from each neighbor
-exchanges routing table every 30 seconds
-has issues with routing loops
-lack of security
Link-state
OSPF (selects route based on cost, but the cost calculation is not good by default)
IS-IS
Advanced Distance Vector (or hybrid)
EIGRP (selects the route by bandwidth and delay, optionally can look at load and reliability)
_________________________________________________________________________________
RIP
In the real world no one uses RIP version1 or IGRP. Very few use RIP version2 anymore.
See what is connected to you
#show cdp neighbors
Show your interfaces
#show ip interface brief
Turn on rip
#router rip
Turn on version 2 of RIP so the subnet masks are sent
#version 2
Add the networks that you want to advertise
#network 192.168.1.0 (class C)
#network 220.110.55.0 (class C)
#network 4.0.0.0 (class A)
Show RIP log entries on the screen
#debug ip rip
Turn off debug
#u all
Shows what versions of protocols the router is running
#show ip protocol
Show all the routes that the router knows about
R = learned by RIP
C = directly connected
S = static
#show ip route
Clear the routing table
#clear ip route
Counting to infinity
R1 loses a directly connected network 10.4.0.0
Before R1 can send an update, R2 sends an update that it has a route to the lost 10.4.0.0 network
However R2's route points to R1
R1 and R2 just keeps sending packets back and forth to each other
The hop count keeps going up and up
To resolve this they implemented a maximum of 15 hops, if your route is 16 hops or more it will be considered a dead route and will be ignored.
Split horizon
One network goes down and before we can update anyone else we recieve a route from another router. One solution to this was split horizon, this meant not to send route updates back in the direction they came from.
Route poisoning
Another solution was route poisoning, if a route is 16 hops or more it is poisoned and is sent to other routers.
Hold down timer
Once I get the poisoned route, wait a while for other routers to sync with the poisened route.
Triggered update
Instead of waiting for the next 30 second window to send updates about bad routes, send those updates as soon as they happen.
Link-state protocols find all of the paths, if something happens it will re-route
Link-state are less noisey, send updates less.
Creates a topology table
Determines all paths to all destinations
Selects the best path to all destinations (uses SPF tree)
Inserts best paths into the routing table
With OSPF you can divide your netowk into Areas. Area0, Area 1 and Area 2 are inside your AS.
Significant demans on resources (memory and CPU)
Requires very scrict network design
Configuration can be complex when tuning various parameters and when design is complex
_________________________________________________________________________________
VLSM
Take a big block and divide it into further sub division. This is why we sub net.
We borrow bits from the host bits to create new subnets.
Subnet 192.168.1.0/24 so it supports 8 subnets and maximizes the number of host addresses for each subnet.
How many bits will you need ? 2^5 = 32 - 2 = 30
What is the new subnet mask in CIDR = /27
What is the new subnet mask =255.255.255.224
Last octect in binary = 11100000
_________________________________________________________________________________
OSFP
Is an open standard. It's a link state protocol. Looks for directly connected routers, find what they are connected to and so on until they have mapped the entire network. Today's routers are fast enough to run the SPF algorithm, before this was taxing on the router's of yester year. The idea is that all routers in the same area keep a full knowledge of all the other routers. OSPF is classless, it sends the subnet mask with each route. It is deployed in many networks. By default it will load balance. It sends LSA advertisment's when there is a change to routing information. The backbone is 0.0.0.0.
LSA stands for link state advertisement
Route Summarization is all about making routing tables smaller. The larger the routing table the slower the router becomes. We can make routers more efficient by shrinking the routing table using route summarization.
R1 <-> R2
R1 has 16 routes to all of these networks below
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
192.168.8.0/24
192.168.9.0/24
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24
192.168.14.0/24
192.168.15.0/24
R1 has to send all of those routes over to R2 and they will be put into R2's routing table. R2 always goes through R1 to get to the 16 netowks. R2 does need to known the specifics about those networks because it will always go through R1 to get to them.
R1 can do route summarization, convert the addresses to binary
192.168.00000000.00000000 = 192.168.0.0
192.168.00000001.00000000 = 192.168.1.0
192.168.00000010.00000000 = 192.168.2.0
192.168.00000011.00000000 = 192.168.3.0
192.168.00000100.00000000 = 192.168.4.0
192.168.00000101.00000000 = 192.168.5.0
192.168.00000110.00000000 = 192.168.6.0
192.168.00000111.00000000 = 192.168.7.0
192.168.00001000.00000000 = 192.168.8.0
192.168.00001001.00000000 = 192.168.9.0
192.168.00001010.00000000 = 192.168.10.0
192.168.00001011.00000000 = 192.168.11.0
192.168.00001100.00000000 = 192.168.12.0
192.168.00001101.00000000 = 192.168.13.0
192.168.00001110.00000000 = 192.168.14.0
192.168.00001111.00000000 = 192.168.15.0
We should take the bits that are similar and group them together.
1st octet = 8 bits the same
2nd octet= 8 bits the same
3rd octet = 4 bits the same
So 8 + 8 + 4 = 20
R1 can advertise 192.168.0.0/20 which represents 192.168.0.0 - 192.168.15.0
There are two advantages:
R2's table is now smaller so more efficient.
It also suppresses updates as R2 doesn't need to know the specifics of each network.
If R1 adds 192.168.16.0 this will mess up the summarization route. So we will have to update the sumarization route. We could move the line back so 192.168.0.0/19. However this will encompass all networks that uses 5 bits so 192.168.0.0 - 192.168.31.0
192.168.16.0 = 192.168.00010000.00000000
192.168.17.0 = 192.168.00010001.00000000
192.168.18.0 = 192.168.00010010.00000000
etc
This isn't a great solution. What most people do is have the summarization route. Have other routes until you get up to 31, then update the summarization route.
_________________________________________________________________________________
In area's we might have 50 routers. On the edge of area's we have ABR's Area Border Routers. They are the ones that can do summarization.
_________________________________________________________________________________
OSPF Configuring and troubleshooting
CCNA only tests on single area configurations.
#conf t
Remember to turn off any other routing protocols that are running eg no router rip
Turn on OSPF(most people make ospf with the same PID on all routers)
You can run OSPF more than once if your router can handle it.
That ID refers to the instance running on your router, other routers don't care
If you edit OSPF later you need to make sure to use the same PID
#router ospf 1
The interface I want to advertise, the wild card mask and the area
#network 192.168.1.0 0.0.0.255 area 0
More on the wild card mask.
You can think of it as opposite to the subnet mask
In wildcard masks a 0 is the network bit, a 1 means wildcard (or i don't care) bit
255.255.255.255
255.255.255.0
- _____________
0.0.0.255
The zeros mean look for these exactly addresses, the 255 means i don't care what comes after that.
If you want ospf to run only on a certain interfaces lets say 192.168.2.2
#network 192.168.2.2 0.0.0.0 area 0
This will advertise the network that belongs to that interface.
To show ospf neighbors
#show ip ospf neighbor
To show routing table (ospf routes show up as O)
#show ip route
Setting the default route with ospf (will show up as E2 in routing table)
#conf t
#router ospf 1
#default-information originate
Setting up multi area
First set up area 0
#conf t
#router ospf 1
#network 192.168.0.0 0.0.255.255 area 0
#show ip ospf neighbor
#show ip route
Area 1 has 172.30.0.0 - 172.30.7.0
Summary route is 172.30.0.0/21 or 172.30.0.0 255.255.248.0
Subtract the subnet mask from the full 255.255.255.255 to get the wild card mask
255.255.255.255
255.255.248.0
-____________
0.0.7.255
#network 172.30.0.0 0.0.7.255 area 1
#router ospf 1
#area 1 range 172.30.0.0 255.255.248.0
_________________________________________________________________________________
Understanding the router ID
#show ip protocols
OSPF routes are marked with an O,
IA (interarea route) E1 and E2 (external routes not native to OSPF)
#show ip route
This will show ospf process ID and router ID, areas
#show ip ospf
#show ip ospf interface Serial 0/1/0
Setting the router ID manually
#router ospf 1
#router-id 172.16.17.5
#exit
Troubleshooting OSPF
EIGRP
Cisco's direct copetition to OSPF
Proprietary (only works on cisco devices)
Hybrid (link state and distance vector)
Rapid convergence
Classful by default but can be turned off with the no auto-summary
100% loop free classless routing
Easy to configure
Only sends out updates as needed
Load balancing across equal cost paths like other protocols
Does unequal load balancing which other protocols do not
Uses unicast and multicast instead of broadcast
Hello's every 5 seconds to the address of .10
Supports VLSM
Why use EIGRP
Backup routes / fast convergence (OSPF/RIP redisocver the backup routes when primary goes down, EIGRP remembers the backup routes and instantly switches to them)
DUAL - defused update algorithm easier on router CPU
Simple configuration
Flexability in summarization (no concept of areas in EIGRP when can summarize)
Unequal cost load-balancing (other protocols will pick the fastest link as the primary, they will load balace if the two links are the same speed. EIGRP can load balance over links that are not the same speed)
Combines best of distance vector and link state (easy to configure and advanced features of link state)
Supports multiple network protocols (not really a great feature these days since all we use is TCP/IP)
How EIGRP works
EIGRP maintains 3 tables
EIGRP cost
It's cost is calculated by using bandwidth and delay by default. For routers to be neighbors the calculation they use must match. In side an AS all routers need to use the same metrics.
Bandwidth (in Kb) plays the biggest part in selecting the best path
Delay (the delay for the entire path, plays a small part in selecting the best path)
EIGRP Load balancing
Configuring EIGRP
#conf t
#show ip protocols (see if any other routing protocols are running)
#no router ospf 1 (turn off any other routing protocols rip / ospf etc)
#router eigrp 10 (the 10 is the AS number, it must be the same on all routers)
#network 192.168.1.0 (this is enough but you can also use wildcard masks)
#network 192.168.1.0 0.0.0.255 (this is me using a wildcard mask, for simplicity always use wildcard masks in EIGRP and OSPF)
#no auto-summary (see below on auto summarization)
#show ip eigrp neighbors
#show ip route
D stands for EIGRP routes because E was already taken.
Redistributing static routes.
#router eigrp 10
#redistribute static
If you don't want to advertise routing updates out an interface that may be just connected to a switch
#router eigrp 10
#passive-interface FastEthernet0/0
EIGRP auto summarization
When you advertise a network that is not of the same class across a boundary. EIGRP will auto summarise the network as its base class (A B C). This can be helpful to some people and annoying to others who want more control.
#router eigrp no auto-summary (you need to run it on all routers)
In EIGRP you can summarize anywhere, just go under the interface you want to send the summary route out off.
#conf t
#interface serial s0/0
AS number, summary address and netmask
#ip summary-address eigrp 10 172.30.0.0 255.255.248.0
#show ip route
If a router has more than one route. The router will always choose the more specific route.
EIGRP MD5 Authentication
Scapy is a packet crafting program that can be used to mess up your EIGRP.
key chain RouterAchain
key 1
key-string firstkey
key 2
key-string secondkey
interface S 0/0/1
ip authenticaion mode eigrp 100 md5
ip authentication key chain eigrp 100 routerAchaing
You need to set the same up on the other routers.
You can see if auth is working by just seeing if you have neighbors and routes.
You can also use the following command you should see errors like auth mismatch, auth failure, invalid auth.
#debug eigrep packets
Troubleshooting EIGRP
Check neighbor relationships
Are all interfaces up up
IP mismatches
Other routrers have EIGRP setup correctly
Do you see hello packets comming from neighbors matches (same AS, same K values, same Subnet)
Check routing table issues
All all networks being advertised ? Check for typos
Are any ACL's / filters being applied ?
Duplicate router ID's ?
auto-summary ?
Is there a discontiguous network
Check EIGRP authentication
Check key chains are setup on all routers
Passwords match on all routers
#debug eigrp packets
________________________________________________________________________________
Access-Lists (ACL)
Access lists identify traffic to be permited or denied. They are commonly associated with firewalls and internet access, but they can be used for much more.
ACLs can be used for:
Remember you want to put the ACL as close to the traffic as possible. For example if you only put your ACL on outbound interfaces the router will still take the packet in, check the routing table, then check it against any ACLs. We've already used up processor time and the packet could be thrown away, when we could have discarded it on the way in. Think about lots of packets coming in, routing table lookups and ACL checks just to discard them all. That's a lot of CPU time. This can be an issue on low - medium spec equipment. Higher end equipment is usually able to handle it.
Remember one access list per interface, per protocol, per direction. Wildcard masks can be used with ACLs too.
Types of ACLs
Can also use named list
Very common
Matches based only on source address only
Lowest processor utilization of any ACL
Affect depends on application, which interface is it applied to ? Inbound or outbound ? Is the traffic permited or denied.
Higher processor utilization
Syntax takes some time to learn, not as common due to complexity
________________________________________________________________________________
Configuring ACLs
Really helpful to use ? here
#conf t
#access-list ?
1-99 standard
100-199 extended
1300-1999 standard (expanded range)
2000-2699 extended (expanded range)
#access-list 1 ?
[deny | permit | remark(comments) ]
#access-list 1 deny ?
hostname | any | host
#access-list 1 deny 192.168.1.50 ?
wildcard bits | log
#access-list 1 deny 192.168.1.50 0.0.0.0 (use wildcard bits to match exactly that address)
we can also use the following
#access-list 1 deny host 192.168.1.50
#show access-list (to list ACLs, remember at the bottom there is the deny)
To apply it to an interface, remember creating the ACL does nothing, you must apply to to an interface for it to affect traffic
#interface fa0/0
#ip access-group 1 in (inbound out for outbound)
To apply an ACL to vty lines (telnet and ssh)
#line vty 0 4
#ip access-class 101 in
Standard named access list to block a single host
#ip access-list standard TROUBLEMAKER
#deny host 172.16.4.13
#permit 172.16.0.0 0.0.0.255
#interface e0
#ip access-group TROUBLEMAKER out
# permit 192.168.0.0 0.0.0.255
# do show access-list
3 - Enable NAT overload
# ip nat inside source list NAT_ADDRESSES interface e0/1 overload
test with a tracert -d from the client machine
test visiting a website
#show ip nat translations
rememeber that the access list only allows or denies hosts from being NAT'ed, not from being routed.
Configuring static NAT
Static NAT one server to the public IP
#ip nat inside source static 192.168.10.79 68.110.171.99
#show ip nat translations
Static NAT one server to port 80 on the public interface, you could NAT other servers to other ports
#ip nat inside source static tcp 192.168.10.79 80 interface e0/1 80
Dynamic NAT with overload (Multiple public IPs using NAT overload)
# conf t
# ip nat pool PUBLIC_IPADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
# ip nat inside source list NAT_ADDRESSES pool PUBLIC_IPADDRESSES overload
remember not to forget the overload at the end
Troubleshooting NAT
Check the ACL
Check NAT is setup
Check the direction is set corectly
Check the other side has a route back to you
Make sure your routers are using the same protocol (RIP version)
________________________________________________________________________________
VPNs
At CCNA level you are given enough information to be dangerous. Many people use the SDM GUI to configure VPNs on Cisco routers. Configuring VPNs on the command line can be tedious and one mistake on either side and the VPN won't come up. Often you will be attempting to create a VPN with another organisation so you want have access to the cisco device on the other site.
A leased line can cost upwards of 1000 euro a month. This is too much to connect two sites for a lot of businesses. A site to site VPN uses the current internet connection to create a secure link between the two sites. Home users can also connect into their workplace from their home pc with a remote access (aka dial up) VPN. As the data passes through the internet it needs to be heavily encrypted and secured.
Many to many connections, each site just needs an internet connection and they will be able to connect to other sites, users will also be able to dial in.
VPN types
site to site (link offices to offices)
remote access (link clients to offices)
SSL VPN's, the client uses tunneling and allows users to connect the vpn from a web browser.
IPSEC
IPSec is the protocol that makes all of this possible. IPSec works at the transport layer. It's not just one protocol. It's a group of protocols. It was built with the idea that protocols would be broken and can be replaced by new ones, DES was replaced by 3DES, 3DES was replaced by AES etc.
|-------- IPSec --------|
Negotiation
The engine, allows IPSec to be updated with new protocols
Encryption
Scrambles the data
Authentication
Confirms our sender is who they say they are. Ensures the data is not changed in transit. Also known as hashing protocols
Protection
Lets take two sites Dublin and Cork that need to communicate.
Diffie Hellman uses asymmetric en/decryption.
Each side has a private and a public key
Cork sends its public key across the internet to Dublin
Anything encrypted with the Cork public key can only be decrypted by the Cork Private key.
The Cork private key never leaves Cork.
Dublin generates a shared secret and encrypts it wth the Cork public key
Dublin sends the encrypted shared secret across the internet to Cork
Cork is able to decrypt it becuase it has the Cork private key
Now both sides have the same decrypted shared secret.
Once the connection is teared down or after a certain amount of time the keys are thrown away.
When they connect again the keys are generated again
We use the shared secret because asymmetric encryption is taxing on the CPU.
Hashes can be used to see if something has changed but we don't know what was changed. Common use is when you download a file. The host often provides the MD5 hash. You can check the hash on the file you downloaded with the hash on the provider site and make sure they match to ensure your file is the same. If a single bit has changed when the hash will not match.
________________________________________________________________________________
WAN connections: Understanding PPP Authentications
Physical connections
Lets say we have a cisco 2600 router, on the back it will have a slot of a wic(WAN interface card). You can install many different types of cards, some of the most common:
WIC 1T (old serial conneciton still common)
WIC 2T (updated so you can have 2 WAN interfaces per slot)
If you have purchased a leased line the connection will look like the following.
Cisco Router -> WIC -> DB-60 cable -> CSU/DSU -> eternet cable -> provider wall jack
The other option is to use a WIC that has a CSU/DSU built in, known as a T1 CSU/DSU. That connection looks like the following
Cisco Router -> WIC / CSU/DSU -> etnernet cable -> provider wall jack.
In the WAN world there are no MAC addresses. In the WAN world we have different protocols
Frame relay (DLCI fills the role of mac address)
ATM (VPI/VCI pair fills the role of the mac address)
Leased line protocols PPP and HDLC
High level data link control (HDLC)
Authentication (username and password)
Compression (less bandwidth usage, but higher CPU usage)
Callback (usually used on modems, you can dial in, authenticate and it calls you back)
Multilink (combine multiple T1 lines into one link)
one T1 line = 1.5Mbps
three T1 lines = 4.5Mbps
show a brief summary of all interfaces
#show ip interface brief
show info from the running config about serial 0/0, but does not show info about PPP or HDLC
#show run int serial s0/0
This command will list the encapsulation used
#show interface serial 0/0
To set encapsulation to HDLC
#conf t
#int serial 0/0
#encapsulation hdlc
To set encapsulation to PPP
#conf t
#int serial 0/0
#encapsulation ppp
PPP authentication
PPP Authentication Protocol (PAP) - not used anymore sends password in clear text
Challenge Handshake Authentication Protocol (CHAP) - doesn't use encryption, uses hashing
Encryption
SecretText -> Encryption algorithm -> produces the data sent across the wire "#@"£$%^&*!"
It can only be decrypted with the decryption algorithm
"#@"£$%^&*!" -> decryption algorithm -> SecretText
Hashing
Uses an irriversable forumla to scramble the data which produces an answer "82BF4Z61"
The hash of the password (the answer) is sent across the wire.
If the hashes match then you are using the same password
Configuring PPP authentication
First we need to set up usernames on both routers
R3
#conf t
#username R2 password cisco (the password on each side must match)
#ppp authentication chap (line protocol will go down)
on R2
#conf t
#username R3 password cisco (the password on each side must match)
#ppp authentication chap
When the interface comes up, the two routers challange each other, send the hashes to each other, check them and if they match bring the protocol up.
________________________________________________________________________________
Packet switched (X.25, Frame Relay, ATM, MPLS)
Frame relay is a packet switched network.
x.25 was the first, x.25 became frame relay,
frame relay became ATM,
ATM have been transitioning into MPLS
The idea is that people don't use all of their bandwidth all of the time.
Committed Information Rate (CIR): The minimum the provider guarentees
Local Access Rate (LAR): Physicaly how fast that circuit can go.
Local Management Interface (LMI): The language between your router and the provider
Data Link Connection Identifier (DLCI): Frame relay equivilant or MAC addresses in frame relay.
Permanent Virtual Circuit (PVC): You can purchase multiple PVC's from destination A to B. Each PVC has a CIR. The more PVCs you have the more you will pay. Most organisations have as few PVCs as possible.
DLCI's
DLCIs are locally significant.
DLCI numbers can be from 16 - 1024
Let's say we have our DLCI's set up as follows.
Belfast DLCI 200 -> 100 Dublin
Galway DLCI 300 -> 500 Dublin
Cork DLCI 400 -> 900 Dublin
In frame relay we send data to the circuit entry point not the destination. If we wanted to send from Belfast to Dublin we would send to DLCI 200. The provider takes the data from DLCI 200 through it's network and it pops out at the exit point DLCI 100 on Dublin's end.
When you take a flight you go through gate A and when you arrive you come out gate B.
On your spoke sites you can set the same entry point number, because they are locallay significant. You could even use that same DLCI once in the hub site, but you could not use it more than once.
Belfast DLCI 300 -> 100 Dublin
Galway DLCI 300 -> 500 Dublin
Cork DLCI 300 -> 900 Dublin
Once inside the providers network they tear off the DLCI and it probably bounces around router to router but that its all hidden from you.
Frame Realay PVC designs
Interface configuration
Multipoint design
We make a sepearate sub interface for each spoke
S0/0.100
192.168.1.1/24
S0/0.200
192.168.1.1/24
S0/0.300
192.168.1.1/24
Frame relay configuration
Multipoint configuration
Go to global config mode
#conf t
Go under your serial interface
#int s0/1/0
Configure the ip address
#ip address 192.168.1.1 255.255.255.0
set the encapsulation to frame relay
#encapsulation frame-relay
You may need to set the logical management interface type on older routers, new routers can autodetect
#frame relay lmi-type {cisco|ansi|q933a}
Bring the interface up
#no shutdown
Show that the physical and protocol connectivity are up
#do show ip int brief
Show the LMI type. Sent and recieved should be increasing together, if you see timeouts going up there could be an issue
#show frame-relay lmi
Setup the IP you want to reach and the DLCI you want to use to get to it.
#frame-relay map ip 192.168.1.2 102 broadcast
The broadcast command allows R1 to R2. RIP, OSPF or EIGRP which might use broadcast or multicast messages.
Setup another map to another router
#frame-relay map ip 192.168.1.3 103 broadcast
Shows the currently configured maps (should be defined and active)
If DLCI shows as inactive then it's not set up on the other side.
If DLCI shows as deleted the provider is saying that DLCI does not exist
#show frame-relay map
You need to configure the frame-relay maps on the other two routers. If you do a traceroute from R3 to R2 you will see that it goes to R1 then to R2. Remember multipoint is the one that causes the issue with split horizon.
Point to point configuration
R1 192.168.1.1 (DLCI 102 -> R2, DLCI 103 -> R3)
R2 192.168.1.2 (DLCL 201 -> R1)
R3 192.168.1.3 (DLCI 301 -> R1)
Even if you start off with one PVC on your spoke sites it is advised that you go ahread and configure a sub interface anyway. It means you are using sub interfaces on all sites and if you need to exapand and add more PVC's then you already have sub interfaces set up.
Enter global config mode
#conf t
Go under the serial interface
#int s0/1/0
Set the encapsulation to frame relay
#encapsulation frame-relay
Exit because the rest of the work we will do under the sub interfaces
#exit
Create and configure the sub interface
#interface s0/1/0.102 point-to-point
Configure the IP address
#ip address 192.168.1.1 255.255.255.0
Tell any time you use this sub interface make sure you use DLCI as you go out
#frame-relay interface-dlci 102
exit from that sub interface
#exit
create and configure the other sub interface to R3
#int s0/1/0.103 point-to-point
Notice the different subnet, you must use seperate subnets
#ip address 192.168.2.1 255.255.255.0
tell it to use DLCI 103 on the way out
#frame-relay interface-dlci 103
exit from that sub interface
#exit
Go back to the main interface
#int s0/1/0
Bring the main interface up, this should bring all the sub interfaces up too
#no shutdown
Now configure the sub interfaces and set the frame-relay dlci on R2 and R3.
Useful show commands for frame relay
Show what DLCI's are mapped to what IP addresses
#show frame-relay map
Show every DLCI you have, its status what interface it's on and all the stats
#show frame-relay pvc
Shows the communication between you and the service provider. Sent/Recieved should be ticking up. You don't want to see timeouts.
#show frame-relay lmi
________________________________________________________________________________
TCP IPv6
USA has alot of addresses left so is slow to adopt. The rest of the world especially Africa/Asia have a real shortage. The rest of the world is faster to adopt IPv6 because they have a greater need. NAT our current solution is seens as a hinderence to innovation. IPSEC is built into IPv6.
IPv6 addressing
Address size moved from 32bit (IPv4) to 128 bit (IPv6)
IPv6 has 8 octects which contain hexidecimal 0-9 A-F.
colons : are used to seperate octects.
You can remove consecutive zeros by replacing it with double colons ::
0000:0000:0000 becomes ::
However you can only user it once
You can remove leading zeros
0050 becomes :50
You can do that as many times as you need.
IPv6 header
Bigger in size because addresses are so big(128bit), but simpler than ipv6.
===== Ver ===== Traffic Class==== Flow Lable ====
= Payload Length = Next Header ==== Hop Limit ====
= source address (128 bits) =
= destination address (128 bits) =
There are 3 types of messaging in IPv6:
ip nat inside source list NAT_THESE interface e0/1 overload
Show all the NAT translations
show ip nat translations
Static NAT
ip nat inside source static 192.168.10.50 200.50.50.50
Static mapping to point port 80 to a specific server (web app server)
ip nat inside source static tcp 192.168.10.50 80 interface e0/1
Dynamic NAT with overload
Identify addresses to be NAT'd
ip access-list standard NAT_THESE permit 192.168.0.0 0.0.0.255
Create the NAT pool
ip nat pool PUBLIC_ADDRESSES 200.50.50.50 200.50.50.100 netmask 255.255.255.0
Enable the NAT overload.
ip nat inside source list NAT_THESE pool PUBLIC_ADDRESSES overload
VPNs
Cheaper than a dedicated link
Available anywhere you have an internet connection
Secured even though they travel across the internet
Can put strain on the firewall/router because of the encryption
Many-to-many connections
Can be complex to configure
Site to site
Connects two offices. Replacement for dedicated links
Remote Access
Users dial into an office from their laptops at home
Users need a client installed on their laptop
SSL or web VPN
Allow users to connect to a webpage where the client can be downloaded or run straight from the webpage.
IPSec = the security protocol that makes VPNs possible
IPSec is built of several components
- Negotiation (AH, ESP, ESP + AH)
- Encryption (DES, 3DES, AES)
To secure the data. Scramble it so it is not in plain text. Weaker encryption less CPU intensive but weaker security, stronger encryption requires more processor time but less chance of being compromised
- Authentication (MD5, SHA-1)
Making sure data does not change in transit. This is to stop man in the middle attacks.
- Protection (DH1, DH2, DH3, DH4)
Allows all of this to happen over a public network. Public keys are exchanged over the internet. The shared secret is encrypted with the other sides public key and is sent back. Only the private key can decrypt that shared secret. The private keys are never sent across the internet. These keys are scraped and re-generated every so often for security.
Leased Lines
Connections
WIC <-> DB60 <-> CSU/DSU <-> Service Provider
In the WAN world there are no MAC addresses. Layer 2 - datalink.
Frame relay (DLCI)
PPP
HDLC
High level data link control (HDLC)
In the WAN world there are no MAC addresses. Layer 2 - datalink.
Frame relay (DLCI)
PPP
HDLC
High level data link control (HDLC)
This is the default on Cisco routers
Low overhead and simple
No features
Cisco proprietary
Point to point protocol (PPP)
Industry standard
Moderate overhead
Full of features (Authentication, compression, callback, multilink
Configuration of PPP
show interface serial 0/0
Look for encapsulation will be HDLC by default
int s0/0Low overhead and simple
No features
Cisco proprietary
Point to point protocol (PPP)
Industry standard
Moderate overhead
Full of features (Authentication, compression, callback, multilink
Configuration of PPP
show interface serial 0/0
Look for encapsulation will be HDLC by default
encapsulation ppp
PPP authentication
PAP is old, username/password is sent in clear text and not used anymore.
Challenge handshake authentication protocol (CHAP)
Sends username and a hash of the password.
Encryption - scrambles the data but can be reversed with the correct formula (decryption)
Hashing - uses an irreversible formula to scramble the data. Think of a hash as an answer to a formula.
CHAP uses hashing. The password must be known by both sides and is not exchanged over the wire.
Create a user account for the other router (this is run on R1)
The password must match on both sides
username R2 password cisco
Turn on authentication
int serial 0/0
ppp authentication chap
Frame relay
Leased lines used to be the method to connect locations.
Dedicated lines cost a lot of money.
When the line wasn't being used that bandwidth was just going to waste.
Telco's decided to create a large pool of bandwidth and sell different level pipes to connect.
When bandwidth was not in use somewhere it could be used somewhere else.
Packet switched
x.25 was first
Frame Relay was next
ATM came next
MPLS is the newest technology
Committed information rate (CIR)
The minimum you are guaranteed by the service provider
Local Access Rate (LAR)
Physically how fast that circuit can go
Local Management interface (LMI)
The language between the router and the ISP
Sends statistics
Data link connection identifier (DLCI)
Frame relay equivalent of MAC addresses
Each site is identified by a DLCI
Permanent virtual Circuit (PVC)
You can buy a PVC between Dublin and Cork
And another between Dublin and London
DLCI's are locally significant
Dublin DLCI 200 -> PVC -> DLCI 100 Cork
Dublin DLCI 300 -> PVC -> DLCI 500 London
Think of DLCI's like a gate or tunnel. You go into DLCI 200 in Dublin and travel through the PVC and you come out DLCI 100 in Cork.
DLCI's can be the same because they are locally significant
The below will work
Dublin DLCI 200 -> PVC -> DLCI 200 Cork
Dublin DLCI 300 -> PVC -> DLCI 200 London
You can't have two local DLCI's with the same number in the same location
Frame relay designs
Hub and spoke
Cheap
Single point of failure
Delay for voice traffic
Full mesh
Best/fastest design
All sites have a dedicated link to other sites
High cost (as more sites are added the cost keeps going up)
Partial mesh
Critical sites have dedicated links
The rest hub and spoke back to a main site
Multipoint design - all routers are on the same subnet.
Split horizon can cause issues (never send an update back in the direction it came from)
Point to point design - all routers on different subnets
Point to point sub-interface created for each peer
No problems with split horizon
s0/0.100
192.168.1.1/24
s0/0.200
192.168.2.1/24
s0/0.300
192.168.3.1/24
Frame relay config
Multipoint
conf t
int s0/1/0
ip addresses 192.168.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.168.1.2 102 broadcast
The remote IP we want to reach and the DLCI that we want to use to get there. Allows router 1 to send broadcasts to router 2. Now your routing protocols can work across the frame relay network. You need to configure the map's on the routers so they have a route back.
sh frame-relay lmi
Send/receive should match
timeouts are bad
show frame-relay map
active - everything is working
deleted - can't find that DLCI
inactive - you are setup but the other side is not
Point to point
int s0/1/0
encapsulation frame-relay
int s0/1/0.102 point-to-point
up address 192.168.1.1 255.255.255.0
frame -relay interface-dlci 102
Have to setup your other sub-interfaces and the other routers.
Show commands
show frame-relay map (shows what DLCI's are mapped to what IP addresses)
show frame-relay pvc (show all DLCI's you have, the status, the interface and statistics, more detail than above)
show frame-relay lmi (shows the communication between you and the ISP)
IPv6
To get rid of groups of zeros you can use :: but you can only use it once per IP
You can drop leading zeros
:005B: becomes :5B:
IPv6 has a simpler header
IPv6 doesn't have broadcasts.
Unicast: one to one
Multicast: one to many
Anycast: one to closest (Web servers can have the same IP you will connect to the closest one)
Link-local: layer 2
Unique / site local: Like private addressing. We don't need them anymore, but humans are used to them. You will have the option to use them or not
Global scope: Public addresses on the internet. Every device on your network can have an address on the internet
Link local addresses always start with FE80
The last 64bits are made up of the MAC address with FFFE in the middle of it
Site local will start FD00::/8 or FC00::/7
Global addresses will start with 2001::/16
IPv6 Configuration
conf t
ipv6 unicast-routing
int f0/0.1
ipv6 address 1FE0:1111::1/32
ipv6 router rip 1
no need to fill in any network statements, you just need to enable it under the interfaces
int e0/0
ipv6 rip 1 enable
Migration to IPv6
Dual stack routers - Can use IPv4 and IPv6
Tunnelling 6to4 and 4to6 - kind of like a VPN through the IPv6 network to connect IPv4 networks and the other way around
NAT protocol translation - NAT between IPv4 and IPv6
_________________________________________________________________________________
Quick router config
Set the hostname
#hostname MyRouterName
Disable DNS lookup
#no ip domain-lookup
Set the enable passwords
#enable password cisco
#enable secret cisco
Go into line vty (telnet and SSH) and set a password
#line vty 0 15
#password cisco
#exit
Go into line console set a password, time out and enable log sync
#line console 0
#exec-timeout 15
#logging synchronous
#password cisco
#login
#exit
Set a message of the day banner
#banner motd @ this is my banner & @
_________________________________________________________________________________
Autonomous Systems: Interior and exterior routing protocols
AS 64520 <-------------------------------------> AS 64530
Interior gateway protocols exterior gateway protocols Interior gateway protocols
RIPv2 BGP
OSPF
EIGRP
An autonomous system (AS) is a collection of networks within a common administrative domain.
Interior gateway protocols operate within an AS
Exterior gatway protocols connect different autonomous systems
Inside IGP's and EGP's there are different classes
Distance Vector
Distance = how far, Vector = in which direction
RIP
-selects route on hop count, not always the best path
-routers discover the best path to destinations from each neighbor
-exchanges routing table every 30 seconds
-has issues with routing loops
-lack of security
Link-state
OSPF (selects route based on cost, but the cost calculation is not good by default)
IS-IS
Advanced Distance Vector (or hybrid)
EIGRP (selects the route by bandwidth and delay, optionally can look at load and reliability)
_________________________________________________________________________________
RIP
In the real world no one uses RIP version1 or IGRP. Very few use RIP version2 anymore.
See what is connected to you
#show cdp neighbors
Show your interfaces
#show ip interface brief
Turn on rip
#router rip
Turn on version 2 of RIP so the subnet masks are sent
#version 2
Add the networks that you want to advertise
#network 192.168.1.0 (class C)
#network 220.110.55.0 (class C)
#network 4.0.0.0 (class A)
Show RIP log entries on the screen
#debug ip rip
Turn off debug
#u all
Shows what versions of protocols the router is running
#show ip protocol
Show all the routes that the router knows about
R = learned by RIP
C = directly connected
S = static
#show ip route
Clear the routing table
#clear ip route
Counting to infinity
R1 loses a directly connected network 10.4.0.0
Before R1 can send an update, R2 sends an update that it has a route to the lost 10.4.0.0 network
However R2's route points to R1
R1 and R2 just keeps sending packets back and forth to each other
The hop count keeps going up and up
To resolve this they implemented a maximum of 15 hops, if your route is 16 hops or more it will be considered a dead route and will be ignored.
Split horizon
One network goes down and before we can update anyone else we recieve a route from another router. One solution to this was split horizon, this meant not to send route updates back in the direction they came from.
Route poisoning
Another solution was route poisoning, if a route is 16 hops or more it is poisoned and is sent to other routers.
Hold down timer
Once I get the poisoned route, wait a while for other routers to sync with the poisened route.
Triggered update
Instead of waiting for the next 30 second window to send updates about bad routes, send those updates as soon as they happen.
Link-state protocols find all of the paths, if something happens it will re-route
Link-state are less noisey, send updates less.
Creates a topology table
Determines all paths to all destinations
Selects the best path to all destinations (uses SPF tree)
Inserts best paths into the routing table
With OSPF you can divide your netowk into Areas. Area0, Area 1 and Area 2 are inside your AS.
Significant demans on resources (memory and CPU)
Requires very scrict network design
Configuration can be complex when tuning various parameters and when design is complex
_________________________________________________________________________________
VLSM
Take a big block and divide it into further sub division. This is why we sub net.
We borrow bits from the host bits to create new subnets.
Subnet 192.168.1.0/24 so it supports 8 subnets and maximizes the number of host addresses for each subnet.
How many bits will you need ? 2^5 = 32 - 2 = 30
What is the new subnet mask in CIDR = /27
What is the new subnet mask =255.255.255.224
Last octect in binary = 11100000
_________________________________________________________________________________
OSFP
LSA stands for link state advertisement
Route Summarization is all about making routing tables smaller. The larger the routing table the slower the router becomes. We can make routers more efficient by shrinking the routing table using route summarization.
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
192.168.8.0/24
192.168.9.0/24
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24
192.168.14.0/24
192.168.15.0/24
192.168.00000001.00000000 = 192.168.1.0
192.168.00000010.00000000 = 192.168.2.0
192.168.00000011.00000000 = 192.168.3.0
192.168.00000100.00000000 = 192.168.4.0
192.168.00000101.00000000 = 192.168.5.0
192.168.00000110.00000000 = 192.168.6.0
192.168.00000111.00000000 = 192.168.7.0
192.168.00001000.00000000 = 192.168.8.0
192.168.00001001.00000000 = 192.168.9.0
192.168.00001010.00000000 = 192.168.10.0
192.168.00001011.00000000 = 192.168.11.0
192.168.00001100.00000000 = 192.168.12.0
192.168.00001101.00000000 = 192.168.13.0
192.168.00001110.00000000 = 192.168.14.0
192.168.00001111.00000000 = 192.168.15.0
2nd octet= 8 bits the same
3rd octet = 4 bits the same
R2's table is now smaller so more efficient.
It also suppresses updates as R2 doesn't need to know the specifics of each network.
192.168.16.0 = 192.168.00010000.00000000
192.168.17.0 = 192.168.00010001.00000000
192.168.18.0 = 192.168.00010010.00000000
etc
This isn't a great solution. What most people do is have the summarization route. Have other routes until you get up to 31, then update the summarization route.
CCNA only tests on single area configurations.
Remember to turn off any other routing protocols that are running eg no router rip
Turn on OSPF(most people make ospf with the same PID on all routers)
You can run OSPF more than once if your router can handle it.
That ID refers to the instance running on your router, other routers don't care
If you edit OSPF later you need to make sure to use the same PID
#router ospf 1
The interface I want to advertise, the wild card mask and the area
#network 192.168.1.0 0.0.0.255 area 0
You can think of it as opposite to the subnet mask
In wildcard masks a 0 is the network bit, a 1 means wildcard (or i don't care) bit
255.255.255.0
- _____________
0.0.0.255
#network 192.168.2.2 0.0.0.0 area 0
This will advertise the network that belongs to that interface.
#show ip ospf neighbor
#show ip route
Setting the default route with ospf (will show up as E2 in routing table)
#conf t
#router ospf 1
#default-information originate
#conf t
#router ospf 1
#network 192.168.0.0 0.0.255.255 area 0
#show ip ospf neighbor
#show ip route
Summary route is 172.30.0.0/21 or 172.30.0.0 255.255.248.0
Subtract the subnet mask from the full 255.255.255.255 to get the wild card mask
255.255.248.0
-____________
0.0.7.255
#router ospf 1
#area 1 range 172.30.0.0 255.255.248.0
- Identifies the router to ospf neighbors
- Highest physical interface at startup
- Loopback interfaces beat physical, highest loopback wins
- The router-id beats all of them, this is where you hard code it in the config
#show ip protocols
OSPF routes are marked with an O,
IA (interarea route) E1 and E2 (external routes not native to OSPF)
#show ip route
This will show ospf process ID and router ID, areas
#show ip ospf
#show ip ospf interface Serial 0/1/0
Setting the router ID manually
#router ospf 1
#router-id 172.16.17.5
#exit
________________________________________________________________________________
Configuring Loopback interfaces
Loopbacks are used, if lets say you don't want to give your staff the real IP address of the router/switches they can make a loopback 1.1.1.1 for them to just connect to. The other use if you set the default gatway to interior routers to 1.1.1.1 and the edge router's default gateway is e0 and has the loopback 1.1.1.1. That way if the public IP changes there is no reason to re-configure.
#interface loopback 0
Loopback addresses should have a 32bit mask so long as you use different networks
#ip address 192.168.255.254 255.255.255.255
#exit
#copy run start
#reload
Setting the default route to a loopback interface
#ip route 0.0.0.0 0.0.0.0 Loopback 1
Telling OSPF to distribute the default route
#router ospf 1
#default-information originate
________________________________________________________________________________
Configuring Loopback interfaces
Loopbacks are used, if lets say you don't want to give your staff the real IP address of the router/switches they can make a loopback 1.1.1.1 for them to just connect to. The other use if you set the default gatway to interior routers to 1.1.1.1 and the edge router's default gateway is e0 and has the loopback 1.1.1.1. That way if the public IP changes there is no reason to re-configure.
#interface loopback 0
Loopback addresses should have a 32bit mask so long as you use different networks
#ip address 192.168.255.254 255.255.255.255
#exit
#copy run start
#reload
Setting the default route to a loopback interface
#ip route 0.0.0.0 0.0.0.0 Loopback 1
Telling OSPF to distribute the default route
#router ospf 1
#default-information originate
________________________________________________________________________________
Router ID
Hello and dead timers*
Network mask*
Area ID*
Neighbors
Router Priority
DR/BDR IP address
Authentication password*
Check that all items marked with the * match
See details on neighbor's
#show ip ospf neighbor
#show ip ospf neighbor 172.16.1.1
Debugs commands
#debug ip ospf ?
#debug ip ospf adj
Shows events (hello packets)
#debug ip ospf events
Shows more information about the ospf pack (sequence numbers)
#debug ip ospf packet
Turn off all debugging
#undebug all
Clear the ospf process (not to be done on production systems in business hours)
#clear ip ospf process #show ip ospf neighbor 172.16.1.1
Debugs commands
#debug ip ospf ?
#debug ip ospf adj
Shows events (hello packets)
#debug ip ospf events
Shows more information about the ospf pack (sequence numbers)
#debug ip ospf packet
Turn off all debugging
#undebug all
Clear the ospf process (not to be done on production systems in business hours)
________________________________________________________________________________
Configuration of OSPF
View your interfaces (looking for loopbacks configured)
#show ip interface brief
Confirm no other routing protocols running, turn off if they are
#show ip protocols
Enter global config
#conf t
Turn on ospf with process ID of 500
#router ospf 500
Add the networks you want to advertise (don't forget the wild card mask and the area)
#network 192.168.1.0 0.0.0.255 area 0
#network 220.110.55.0 0.0.0.255 area 0
#network 100.5.5.0 0.0.0.255 area 0
#network 100.5.6.0 0.0.0.255 area 0
#network 100.5.6.0 0.0.0.255 area 0
#do copy run start
#exit
See if there are any routes
#show ip route
See if there are any neighbors
#show ip ospf neighbors
Start debugging
#debug ip ospf events
Now configure your other routers in area 0. You should see the information being synced. Check show ip route and show ip ospf neighbors.
________________________________________________________________________________
Setting up OSPF authentication
Go under each interface
#interface serial 2
Set the password
#ip ospf authentication-key insert_password_here
Go under OSPF process
#router ospf 100
Turn on authentication for your area
#area 0 authentication message-digest
________________________________________________________________________________
SPF Algorithm (OSPF)
Running Dijkstra's shortest path first (SPF) algorith is like building a tree.
Cost = reference bandwidth/interface bandwidth (b/s)
reference bandwidth = 10^8 = 1000000000
ethernet = 10000000 (cost = 10)
fastethernet = 100000000 (cost = 1)
gigabit = (cost = .1 but is rounded up to 1)
From here any faster connections will always get a cost of 1. This isn't much good in todays networks where fastethernet and gigabit ethernet are common.
It is possible to change the reference bandwidth, but all devices need to have it configured.
Modem is 56Kbit/b
ISDN is 128 kbit/s or 64Kbit/s
A T1 line is 1.544 Mbps
If the router building the tree already has a better path to a destination, it ignores that path information from other routers.
________________________________________________________________________________
Configuration of OSPF
View your interfaces (looking for loopbacks configured)
#show ip interface brief
Confirm no other routing protocols running, turn off if they are
#show ip protocols
Enter global config
#conf t
Turn on ospf with process ID of 500
#router ospf 500
Add the networks you want to advertise (don't forget the wild card mask and the area)
#network 192.168.1.0 0.0.0.255 area 0
#network 220.110.55.0 0.0.0.255 area 0
#network 100.5.5.0 0.0.0.255 area 0
#network 100.5.6.0 0.0.0.255 area 0
#network 100.5.6.0 0.0.0.255 area 0
#do copy run start
#exit
See if there are any routes
#show ip route
See if there are any neighbors
#show ip ospf neighbors
Start debugging
#debug ip ospf events
Now configure your other routers in area 0. You should see the information being synced. Check show ip route and show ip ospf neighbors.
________________________________________________________________________________
Setting up OSPF authentication
Go under each interface
#interface serial 2
Set the password
#ip ospf authentication-key insert_password_here
Go under OSPF process
#router ospf 100
Turn on authentication for your area
#area 0 authentication message-digest
________________________________________________________________________________
SPF Algorithm (OSPF)
Running Dijkstra's shortest path first (SPF) algorith is like building a tree.
Cost = reference bandwidth/interface bandwidth (b/s)
reference bandwidth = 10^8 = 1000000000
ethernet = 10000000 (cost = 10)
fastethernet = 100000000 (cost = 1)
gigabit = (cost = .1 but is rounded up to 1)
From here any faster connections will always get a cost of 1. This isn't much good in todays networks where fastethernet and gigabit ethernet are common.
It is possible to change the reference bandwidth, but all devices need to have it configured.
Modem is 56Kbit/b
ISDN is 128 kbit/s or 64Kbit/s
A T1 line is 1.544 Mbps
If the router building the tree already has a better path to a destination, it ignores that path information from other routers.
________________________________________________________________________________
Cisco's direct copetition to OSPF
Proprietary (only works on cisco devices)
Hybrid (link state and distance vector)
Rapid convergence
Classful by default but can be turned off with the no auto-summary
100% loop free classless routing
Easy to configure
Only sends out updates as needed
Load balancing across equal cost paths like other protocols
Does unequal load balancing which other protocols do not
Uses unicast and multicast instead of broadcast
Hello's every 5 seconds to the address of .10
Supports VLSM
Why use EIGRP
Backup routes / fast convergence (OSPF/RIP redisocver the backup routes when primary goes down, EIGRP remembers the backup routes and instantly switches to them)
DUAL - defused update algorithm easier on router CPU
Simple configuration
Flexability in summarization (no concept of areas in EIGRP when can summarize)
Unequal cost load-balancing (other protocols will pick the fastest link as the primary, they will load balace if the two links are the same speed. EIGRP can load balance over links that are not the same speed)
Combines best of distance vector and link state (easy to configure and advanced features of link state)
Supports multiple network protocols (not really a great feature these days since all we use is TCP/IP)
How EIGRP works
EIGRP maintains 3 tables
- neighbor table (stored in RAM, maintained by hello packets)
- topology table (stored in RAM, maintained by hello packets)
- routing table
EIGRP cost
It's cost is calculated by using bandwidth and delay by default. For routers to be neighbors the calculation they use must match. In side an AS all routers need to use the same metrics.
Bandwidth (in Kb) plays the biggest part in selecting the best path
Delay (the delay for the entire path, plays a small part in selecting the best path)
Reliability (how many times was the link up when we asked for it 255/255 is 100%)
Load (how busy the path is)
MTU (used in a tie breaking event, won't be used often)
Advertised Distance (the cost to destination that another router advertises to you)
Feasable Distance (the other routers cost to destination, plus your cost to get to that router)
EIGRP's default administrative distance is 90.
EIGRP's default administrative distance is 90.
EIGRP Load balancing
By default EIGRP does equal metric load balancing across 4 routes.
You can configure EIGRP to load balance up to 16 routes witht he maximum-paths command
EIGRP allows unequal load balancing too
EIGRP says all paths are good, but don't overload the slower paths with too much data.
The variance command lets you set a multiplier. It lets you select how much slower the other paths you will load balance over can be. For example lets say have the following 3 paths
Path A, the best path, feasable distance: 10
Path B, slower path feasable distance: 15
Path C, slowest path feasable distance: 21
We set our variance to 2.
variance * best path FD = our range
2 * 10 = 20
This says we can use paths with a feasable distance of up to 20. With these settings path A and B would be used but not path C.
variance 1 means equal cost load balancing
Configuring EIGRP
#show ip protocols (see if any other routing protocols are running)
#no router ospf 1 (turn off any other routing protocols rip / ospf etc)
#router eigrp 10 (the 10 is the AS number, it must be the same on all routers)
#network 192.168.1.0 (this is enough but you can also use wildcard masks)
#network 192.168.1.0 0.0.0.255 (this is me using a wildcard mask, for simplicity always use wildcard masks in EIGRP and OSPF)
#no auto-summary (see below on auto summarization)
#show ip eigrp neighbors
#show ip route
Redistributing static routes.
#router eigrp 10
#redistribute static
If you don't want to advertise routing updates out an interface that may be just connected to a switch
#router eigrp 10
#passive-interface FastEthernet0/0
EIGRP auto summarization
#interface serial s0/0
AS number, summary address and netmask
#ip summary-address eigrp 10 172.30.0.0 255.255.248.0
#show ip route
EIGRP MD5 Authentication
Scapy is a packet crafting program that can be used to mess up your EIGRP.
- Create the keychain (a group of possible passwords)
- Assign a key ID to each key
- Identify the keys
- Enable MD5 authentication on the interface
- Specify which keychain the interface will use
key chain RouterAchain
key 1
key-string firstkey
key 2
key-string secondkey
interface S 0/0/1
ip authenticaion mode eigrp 100 md5
ip authentication key chain eigrp 100 routerAchaing
You need to set the same up on the other routers.
You can see if auth is working by just seeing if you have neighbors and routes.
You can also use the following command you should see errors like auth mismatch, auth failure, invalid auth.
#debug eigrep packets
Troubleshooting EIGRP
Check neighbor relationships
Are all interfaces up up
IP mismatches
Other routrers have EIGRP setup correctly
Do you see hello packets comming from neighbors matches (same AS, same K values, same Subnet)
Check routing table issues
All all networks being advertised ? Check for typos
Are any ACL's / filters being applied ?
Duplicate router ID's ?
auto-summary ?
Is there a discontiguous network
Check EIGRP authentication
Check key chains are setup on all routers
Passwords match on all routers
#debug eigrp packets
- Access control
- NAT
- Quality of service
- Demand dial routing
- Policy routing
- Route filtering
- etc
- Read from top to bottom; stop reading at first match
- There is always an invisible implicit deny all at the bottom
- ACL is applied to an interface inbound OR outbound
Remember you want to put the ACL as close to the traffic as possible. For example if you only put your ACL on outbound interfaces the router will still take the packet in, check the routing table, then check it against any ACLs. We've already used up processor time and the packet could be thrown away, when we could have discarded it on the way in. Think about lots of packets coming in, routing table lookups and ACL checks just to discard them all. That's a lot of CPU time. This can be an issue on low - medium spec equipment. Higher end equipment is usually able to handle it.
Remember one access list per interface, per protocol, per direction. Wildcard masks can be used with ACLs too.
Types of ACLs
- Standard (place as close to destination as standard only works on source address)
Can also use named list
Very common
Matches based only on source address only
Lowest processor utilization of any ACL
Affect depends on application, which interface is it applied to ? Inbound or outbound ? Is the traffic permited or denied.
- Extended (place as close to the source, because it looks at both source and destination)
Higher processor utilization
Syntax takes some time to learn, not as common due to complexity
- Dynamic (for example users need to login and authenticate first then the ACL to allow them is added)
- Established (reflexive) stateful, if we initiate the traffic out, then allow replys to that traffic
- Time-Based (allow facebook,gmail at lunch time etc, allow access to windows update on a certain day each month)
- Context-based Access control (CBAC)
________________________________________________________________________________
#access-list ?
1-99 standard
100-199 extended
1300-1999 standard (expanded range)
2000-2699 extended (expanded range)
[deny | permit | remark(comments) ]
hostname | any | host
wildcard bits | log
we can also use the following
#access-list 1 deny host 192.168.1.50
#interface fa0/0
#ip access-group 1 in (inbound out for outbound)
To apply an ACL to vty lines (telnet and ssh)
#line vty 0 4
#ip access-class 101 in
Standard named access list to block a single host
#ip access-list standard TROUBLEMAKER
#deny host 172.16.4.13
#permit 172.16.0.0 0.0.0.255
#interface e0
#ip access-group TROUBLEMAKER out
Extended named access list to block a network from using port 23
#ip access-list standard BADGROUP
#deny tcp 172.16.4.0 0.0.0.255 any eq 23
#permit ip any any
#interface e0
#ip access-group TROUBLEMAKER out
Remark is useful and will show up in sh run
#ip access-list extended PREVENTION
#remark do not allow user x web access
See if an ACL is applied to an interface (it will also be in show run look for access-group)
#show ip interface e0
#deny tcp 172.16.4.0 0.0.0.255 any eq 23
#permit ip any any
#interface e0
#ip access-group TROUBLEMAKER out
Remark is useful and will show up in sh run
#ip access-list extended PREVENTION
#remark do not allow user x web access
See if an ACL is applied to an interface (it will also be in show run look for access-group)
#show ip interface e0
________________________________________________________________________________
NAT
Dynamic NAT
Converts one pool to another. there is a pool of private and public addresses. The router converts private IPs to an IP from the public pool and back. Usually used inside organisations for overlapping networks.
inside---------------------------------------------outside
192.168.1.x: --------------- 172.26.1.x
configuring a pool
#ip nat pool MYPOOLNAME 209.165.200.225 209.165.200.238 netmask 255.255.255.240
#access-list 1 permit 192.168.1.0 0.0.0.255
#ip nat inside source list 1 pool MYPOOLNAME
You need to confiure your interfaces
#ip nat outside (on the outside interface)
#ip nat inside (on the inside interface)
#show ip nat translations
configuring a pool
#ip nat pool MYPOOLNAME 209.165.200.225 209.165.200.238 netmask 255.255.255.240
#access-list 1 permit 192.168.1.0 0.0.0.255
#ip nat inside source list 1 pool MYPOOLNAME
You need to confiure your interfaces
#ip nat outside (on the outside interface)
#ip nat inside (on the inside interface)
#show ip nat translations
NAT overload or PAT
NAT overload uses ports to NAT serveral addresses behind one public address.
inside---------------------------------------------outside
192.168.1.5:6662 --------------- 83.190.200.8:6662
if two clients try to NAT with the same source port the router will know that the port has already been used by the first client and will just use the next available port
inside---------------------------------------------outside
192.168.1.5:6662 --------------- 83.190.200.8:6663
Static NAT
Used for DMZ servers, we create a static NAT translation
inside---------------------------------------------outside
192.168.1.4 --------------- 83.190.200.8
You can get more granular and static map your web server to port 80 and the email server to port 25 etc
Often Static NAT and NAT overload ar often used together
Configuring NAT overload (PAT)
prep work:
ping an internet address from the router connected to the internet to make sure it's working
tracert -d the host, see if you can browse to a website to make sure NAT is not enabled.
1 - Label interfaces
# conf t
# int e0/0
# ip nat inside
# int e0/1
# ip nat outiside
2 - Identify internal IP addresses to be translated
# ip access list standard NAT_ADDRESSES
# deny 192.168.3.0 0.0.0.255
prep work:
ping an internet address from the router connected to the internet to make sure it's working
tracert -d the host, see if you can browse to a website to make sure NAT is not enabled.
# conf t
# int e0/0
# ip nat inside
# int e0/1
# ip nat outiside
# ip access list standard NAT_ADDRESSES
# deny 192.168.3.0 0.0.0.255
# do show access-list
# ip nat inside source list NAT_ADDRESSES interface e0/1 overload
test visiting a website
Static NAT one server to the public IP
#ip nat inside source static 192.168.10.79 68.110.171.99
#show ip nat translations
#ip nat inside source static tcp 192.168.10.79 80 interface e0/1 80
# conf t
# ip nat pool PUBLIC_IPADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
# ip nat inside source list NAT_ADDRESSES pool PUBLIC_IPADDRESSES overload
remember not to forget the overload at the end
Troubleshooting NAT
Check the ACL
Check NAT is setup
Check the direction is set corectly
Check the other side has a route back to you
Make sure your routers are using the same protocol (RIP version)
site to site (link offices to offices)
remote access (link clients to offices)
SSL VPN's, the client uses tunneling and allows users to connect the vpn from a web browser.
IPSEC
IPSec is the protocol that makes all of this possible. IPSec works at the transport layer. It's not just one protocol. It's a group of protocols. It was built with the idea that protocols would be broken and can be replaced by new ones, DES was replaced by 3DES, 3DES was replaced by AES etc.
The engine, allows IPSec to be updated with new protocols
- AH
- ESP
- ESP+AH
Scrambles the data
- DES
- 3DES
- AES
Confirms our sender is who they say they are. Ensures the data is not changed in transit. Also known as hashing protocols
- MD5
- SHA-1
Allows us to create a secure connection over a public network like the internet.
- DH1
- DH2
- DH3
- DH4
Lets take two sites Dublin and Cork that need to communicate.
Diffie Hellman uses asymmetric en/decryption.
Each side has a private and a public key
Cork sends its public key across the internet to Dublin
Anything encrypted with the Cork public key can only be decrypted by the Cork Private key.
The Cork private key never leaves Cork.
Dublin generates a shared secret and encrypts it wth the Cork public key
Dublin sends the encrypted shared secret across the internet to Cork
Cork is able to decrypt it becuase it has the Cork private key
Now both sides have the same decrypted shared secret.
Once the connection is teared down or after a certain amount of time the keys are thrown away.
When they connect again the keys are generated again
Hashes can be used to see if something has changed but we don't know what was changed. Common use is when you download a file. The host often provides the MD5 hash. You can check the hash on the file you downloaded with the hash on the provider site and make sure they match to ensure your file is the same. If a single bit has changed when the hash will not match.
WAN connections: Understanding PPP Authentications
Lets say we have a cisco 2600 router, on the back it will have a slot of a wic(WAN interface card). You can install many different types of cards, some of the most common:
WIC 2T (updated so you can have 2 WAN interfaces per slot)
Frame relay (DLCI fills the role of mac address)
ATM (VPI/VCI pair fills the role of the mac address)
High level data link control (HDLC)
- Cisco proprietary (only works with if you have the provider use Cisco routers)
- Default on Cisco routers
- Extremely low overhead
- Simple it just works
- No features
- Industry standard (Cisco and Juniper routers can work together)
- Moderate overhead
- Lots of features
Authentication (username and password)
Compression (less bandwidth usage, but higher CPU usage)
Callback (usually used on modems, you can dial in, authenticate and it calls you back)
Multilink (combine multiple T1 lines into one link)
one T1 line = 1.5Mbps
three T1 lines = 4.5Mbps
#show ip interface brief
#show run int serial s0/0
#show interface serial 0/0
#conf t
#int serial 0/0
#encapsulation hdlc
#conf t
#int serial 0/0
#encapsulation ppp
PPP Authentication Protocol (PAP) - not used anymore sends password in clear text
Challenge Handshake Authentication Protocol (CHAP) - doesn't use encryption, uses hashing
SecretText -> Encryption algorithm -> produces the data sent across the wire "#@"£$%^&*!"
It can only be decrypted with the decryption algorithm
"#@"£$%^&*!" -> decryption algorithm -> SecretText
Uses an irriversable forumla to scramble the data which produces an answer "82BF4Z61"
The hash of the password (the answer) is sent across the wire.
If the hashes match then you are using the same password
First we need to set up usernames on both routers
#conf t
#username R2 password cisco (the password on each side must match)
#ppp authentication chap (line protocol will go down)
#conf t
#username R3 password cisco (the password on each side must match)
#ppp authentication chap
x.25 was the first, x.25 became frame relay,
frame relay became ATM,
ATM have been transitioning into MPLS
Local Access Rate (LAR): Physicaly how fast that circuit can go.
Local Management Interface (LMI): The language between your router and the provider
Data Link Connection Identifier (DLCI): Frame relay equivilant or MAC addresses in frame relay.
Permanent Virtual Circuit (PVC): You can purchase multiple PVC's from destination A to B. Each PVC has a CIR. The more PVCs you have the more you will pay. Most organisations have as few PVCs as possible.
DLCIs are locally significant.
DLCI numbers can be from 16 - 1024
Galway DLCI 300 -> 500 Dublin
Cork DLCI 400 -> 900 Dublin
When you take a flight you go through gate A and when you arrive you come out gate B.
Galway DLCI 300 -> 500 Dublin
Cork DLCI 300 -> 900 Dublin
- Hub-and-Spoke
- Partial Mesh
- Full Mesh
- All routers on same subnet
- Multiple DLCI numbers mapped to interface
- Causes problems with split horizon (never sends updates back out the same interface, fix is to turn of split horizon but that can cause its own issues)
- All routers are on different subnets
- Point-to-point sub interface created for each peer
- No problems with split horizon
We make a sepearate sub interface for each spoke
S0/0.100
192.168.1.1/24
S0/0.200
192.168.1.1/24
S0/0.300
192.168.1.1/24
#conf t
#int s0/1/0
#ip address 192.168.1.1 255.255.255.0
#encapsulation frame-relay
#frame relay lmi-type {cisco|ansi|q933a}
#no shutdown
#do show ip int brief
#show frame-relay lmi
#frame-relay map ip 192.168.1.2 102 broadcast
The broadcast command allows R1 to R2. RIP, OSPF or EIGRP which might use broadcast or multicast messages.
#frame-relay map ip 192.168.1.3 103 broadcast
If DLCI shows as inactive then it's not set up on the other side.
If DLCI shows as deleted the provider is saying that DLCI does not exist
#show frame-relay map
R1 192.168.1.1 (DLCI 102 -> R2, DLCI 103 -> R3)
R2 192.168.1.2 (DLCL 201 -> R1)
R3 192.168.1.3 (DLCI 301 -> R1)
#conf t
#int s0/1/0
#encapsulation frame-relay
#exit
#interface s0/1/0.102 point-to-point
#ip address 192.168.1.1 255.255.255.0
#frame-relay interface-dlci 102
#exit
#int s0/1/0.103 point-to-point
#ip address 192.168.2.1 255.255.255.0
#frame-relay interface-dlci 103
#exit
#int s0/1/0
#no shutdown
#show frame-relay map
#show frame-relay pvc
#show frame-relay lmi
IPv6 has 8 octects which contain hexidecimal 0-9 A-F.
colons : are used to seperate octects.
0000:0000:0000 becomes ::
However you can only user it once
0050 becomes :50
You can do that as many times as you need.
Bigger in size because addresses are so big(128bit), but simpler than ipv6.
===== Ver ===== Traffic Class==== Flow Lable ====
= Payload Length = Next Header ==== Hop Limit ====
= source address (128 bits) =
= destination address (128 bits) =
There are 3 types of messaging in IPv6:
- Unicast: one to one
- Multicast: one to many (takes the place of broadcasts)
- Anycast: one to closest
With anycast you can give two devices the same anycast IP address, when clients want to use one of those devices they will just use the closest device.
IPv6 addresses
Link local: used to communicate with your layer 2 local address (all devices on the same switch)
Unique/site local address: organization, these fill the role of private addresses. We dont have to use them but people are used to them,
Global scope address: addresses live on the internet
Link local
Dynamically created like the 169 address, but it is actually used. They are used for auto address config, neighbor discovery and router discovery.
Will always begin with FE80. Each character in an IPv6 address is made up of four bits.
Dynamically created like the 169 address, but it is actually used. They are used for auto address config, neighbor discovery and router discovery.
Will always begin with FE80. Each character in an IPv6 address is made up of four bits.
0000 = 0
0001 = 1
0010 = 2
etc
1001 = 9
1010 = A (this would normally be 10)
1100 = C
1111 = F
The last 64 bits will be mac address with FFFE inseted into the middle.
Unique local (site local is the old name)
Used within enterprise networks to identify the boundary of their networks.
They start with FD00
[ FD00 ] [ 40 bits Global ID ] [ 16bits subnet ID ] [ 64bits interface ID ]
Global Addresses
The primary addresses expected to comprise the IPv6 internet are from 2001
These are internet addresses (you can think if them like public IP's if there was no shortage of pub IPs)
[ max 48 bits Global routing prefix ] [ 64bits subnet ID ] [ 64bits Interface ID ]
DHCPv6
DHCPv6
We don't really need DHCP with IPv6, there are some cases where it may be useful to give out DNS details etc. DHCPv6 is an updated version of DHCP. When a PC boots up on the network with IPv6 configured it will generate its own link local address which will look like this:
FE80::its-mac-FFFE-address. (it will insert FFFE in the middle of the mac address)
Then the PC sends out soliciation messages looking for routers.
The router will tell the PC what the routers network address is on its interface. Global address will look like this
2001::
The PC will create it's own public address 2001:xx:its-mac-FFFE-address.
The router has two bits it can set and M and an O which admins can configure.
If we want PCs to go to DHCP to get an address (M) or just to get options like DNS servers (O)
If no router is found the PC will broadcast again sending solicitation messages to all DHCP agents. The PC will use it's link local address as the source.
FE80::its-mac-FFFE-address. (it will insert FFFE in the middle of the mac address)
Then the PC sends out soliciation messages looking for routers.
The router will tell the PC what the routers network address is on its interface. Global address will look like this
2001::
The PC will create it's own public address 2001:xx:its-mac-FFFE-address.
The router has two bits it can set and M and an O which admins can configure.
If we want PCs to go to DHCP to get an address (M) or just to get options like DNS servers (O)
If no router is found the PC will broadcast again sending solicitation messages to all DHCP agents. The PC will use it's link local address as the source.
- Generate your own link local address
- Multicast router solicitation messages
- If a router is found, examine the router advertisment for instuctions
- Instructions may point you to use DHCP or not (M and O bits)
- If no router is found or if the router tells us to use DHCP
- Multicast DHCP soliciatation messages, use link local address as source
Configuring IPv6
Site 1 Private subnet
1FE0:1111::1/32
R1 global
2001:210:10:1::1/64
R2 global
2001:210::10:1::2/64
Site 2 private subnet
1FE0:2222::1/32
Enter global config mode
#conf t
Go under the routing configuration
#ip routing
Turn on ipv6
#ipv6 unicast-routing
Go under your interface
#int fa0/0
assign an ipv6 address
#ipv6 address 1fe0:1111::1/32
#exit
Go under your serial address
#int s0/1/0.102
configure the ipv6 address
#ipv6 address 2001:210:10:1::1/64
You'll see the link local address which will have been autogenerated
#show ipv6 interface brief
You can ping
#ping ipv6 2001:210:10:1::1
IPv6 Routing protocols
- RIPng (next generation)
- OSPFv3
- EIGRP for IPv6
- IS-IS for IPv6
- MP-BGP (supports ipv4 and ipv6)
Configuring RIPng
Enter global config mode
#conf t
Enable RIPng with a tag in this case "1"
#ipv6 router rip 1
Thats all we have to do here
#exit
Go under the interfaces you want to enable rip for
#int e0/0
#ipv6 rip 1 enable
#exit
#int s/0/1/0.201
#ipv6 rip 1 enable
#exit
#show ipv6 rip
#show ipv6 route
#ping ipv6 1Fe0:2222::1
#traceroute ipv6 1Fe0:2222::1
Migration to IPv6
Dual-stack routers (router runs both IPv4 and IPv6)
Tunneling (like making a VPN through the IPv6 internet to connect IPv4 sites on either end or vice versa)
NAT-PT (protocol translation a special version of NAT that can go between IPv4 and IPv6 or vice versa)
ISPs will be connecting the IPv4 and IPv6 internet. So we won't have half the world on the IPv4 internet and half on the IPv6 internet.
Practical commands
Find the VTP domain name
See who last updated us by VTP
See the configuration revision
show vtp status
Set the VTP name
vtp domain JACKVTPDOMAIN
Set the VTP mode
vtp mode client/server
Shows your active telnet sessions
show session
Setting an IP address on a switch
conf t
interface Vlan1
ip address 192.168..1.100 255.255.255.0
no shut
Set the default gateway on a switch
ip default-gateway 192.168.1.1
Save the config
copy run start
Set the hostname
hostname ROUTERNAME
Create a NAT pool
ip nat pool mypool 192.18.184.105 192.18.184.110 netmask 255.255.255.248
Create a standard access list to permit addresses to be translated
access-list 25 permit 192.168.100.16 0.0.0.15
Enable the NAT using the pool and the ACL
ip nat inside source list 25 pool mypool overload
Setting inside/outside on interfaces
interface e0/0
ip nat inside
exit
interface e0/1
ip nat outside
exit
Checking connectivity
ping 192.168.1.10
traceroute 192.168.1.10
Show the full config
show run
Modifying and OSPF configuration
conf t
route ospf 2
no network 192.168.155.0 0.0.0.3 area 0
network 192.168.155.4 0.0.0.3 area 0
exit
copy run start
See what mac's are connected to what ports
show mac address-table
See what interfaces are trunks
show interface trunk
See info on neighbors including model of their device
show cdp nei
See the IP of a neighbor
sh cdp nei detail
See spanning tree details, root/desg ports. Bridge ID and priority
show spanning-tree vlan 1
See what ports are assigned to a vlan
show vlan
See which interfaces are affected by an ACL
show ip interface
Layers protocols operate at
SMTP layer 7 (application)
JPEG layer 6 (presentation)
ASCII layer 6
RPC layer 5 (session)
NETBIOS layer 5
NFS layer 5
SSH layer 4 (transport)
IPSec layer 4 (transport)
TCP layer 4
UDP layer 4
OSPF layer 3 (network)
EIGRP layer 3
IP layer 3
ICMP layer 3
VTP is layer 2 (copies VLANs around) (data link)
802.1Q layer 2 (trunking/tagging)
HDLC layer 2
PPP layer 2
Frame relay layer 2
STP layer 2
Split horizon
Information about a route should not be sent back in the direction from which the original update came
Routing protocol process ID's
Process ID in OSFP is locally significant
Process ID in EIGRP must match on all routers
Point-to-point networks
255.255.255.252 or /30 is used for point to point links because it leaves 2 usable addresses
Frame Relay encapsulation types CISCO and IETF
show frame-relay map will show the type in use
Link-State = OSPF, hello packets, LSA (link state advertisment)
router just completed POST, what happens next ?
It check the configuration register
Data link layers supported by Cisco IOS for IPv6
PPP and Frame Relay PVC
Possible trunking modes for a switch port
auto
on
desirable
Spanning tree = 802.1d
RSTP = 802.1w
VLAN tagging = 802.1q
Valid WAN connectivity methods
PPP
HDLC
ATM
DNS uses UDP
NAT
ISP 192.0.2.114 (default rout has not been configured)
Given public pool 198.18.184.105 - 110
Private pool 198.168.100.17 - 30
Setup NAT
First check the interfaces are assigned correctly
int fa0/0
ip nat inside
exit
int serial0/0
ip nat outside
exit
Find the subnet mask for our public pool
105 - 110 is 6 addresses.
Add 1 for hosts = 7
Convert to binary
00000111
We need 3 bits to make 7.
That means the subnet mask is /29 (32 -3 = 29)
/29 is also 248
subnet mask is 255.255.255.248
Set up the public pool
ip nat pool 198.184.105 198.18.184.110 netmask 255.255.255.248
Find the wildcard mask for the private pool
17 - 30 is 14 addresses.
Add 1 for hosts = 8
Convert to binary
00001000
We need 4 bits to make 8
32 - 4 = 28
Subnet mask is /28 or 240
To get wildcard mask 255 - 240 = 15
Wildcard mask is 0.0.0.15
Set up the access list
access-list 1 permit 192.168.100.16 0.0.0.15
access-list 1 deny any
Enable the NAT
ip nat inside source list 1 pool mypool overload
Set the default route
ip route 0.0.0.0 0.0.0.0 198.0.2.114
Save the config
copy run start
Test connectivity from a host
Practical commands
Find the VTP domain name
See who last updated us by VTP
See the configuration revision
show vtp status
Set the VTP name
vtp domain JACKVTPDOMAIN
Set the VTP mode
vtp mode client/server
Shows your active telnet sessions
show session
Setting an IP address on a switch
conf t
interface Vlan1
ip address 192.168..1.100 255.255.255.0
no shut
Set the default gateway on a switch
ip default-gateway 192.168.1.1
Save the config
copy run start
Set the hostname
hostname ROUTERNAME
Create a NAT pool
ip nat pool mypool 192.18.184.105 192.18.184.110 netmask 255.255.255.248
Create a standard access list to permit addresses to be translated
access-list 25 permit 192.168.100.16 0.0.0.15
Enable the NAT using the pool and the ACL
ip nat inside source list 25 pool mypool overload
Setting inside/outside on interfaces
interface e0/0
ip nat inside
exit
interface e0/1
ip nat outside
exit
Checking connectivity
ping 192.168.1.10
traceroute 192.168.1.10
Show the full config
show run
Modifying and OSPF configuration
conf t
route ospf 2
no network 192.168.155.0 0.0.0.3 area 0
network 192.168.155.4 0.0.0.3 area 0
exit
copy run start
See what mac's are connected to what ports
show mac address-table
See what interfaces are trunks
show interface trunk
See info on neighbors including model of their device
show cdp nei
See the IP of a neighbor
sh cdp nei detail
See spanning tree details, root/desg ports. Bridge ID and priority
show spanning-tree vlan 1
See what ports are assigned to a vlan
show vlan
See which interfaces are affected by an ACL
show ip interface
Layers protocols operate at
SMTP layer 7 (application)
JPEG layer 6 (presentation)
ASCII layer 6
RPC layer 5 (session)
NETBIOS layer 5
NFS layer 5
SSH layer 4 (transport)
IPSec layer 4 (transport)
TCP layer 4
UDP layer 4
OSPF layer 3 (network)
EIGRP layer 3
IP layer 3
ICMP layer 3
VTP is layer 2 (copies VLANs around) (data link)
802.1Q layer 2 (trunking/tagging)
HDLC layer 2
PPP layer 2
Frame relay layer 2
STP layer 2
Split horizon
Information about a route should not be sent back in the direction from which the original update came
Routing protocol process ID's
Process ID in OSFP is locally significant
Process ID in EIGRP must match on all routers
Point-to-point networks
255.255.255.252 or /30 is used for point to point links because it leaves 2 usable addresses
Frame Relay encapsulation types CISCO and IETF
show frame-relay map will show the type in use
Link-State = OSPF, hello packets, LSA (link state advertisment)
router just completed POST, what happens next ?
It check the configuration register
Data link layers supported by Cisco IOS for IPv6
PPP and Frame Relay PVC
Possible trunking modes for a switch port
auto
on
desirable
Spanning tree = 802.1d
RSTP = 802.1w
VLAN tagging = 802.1q
Valid WAN connectivity methods
PPP
HDLC
ATM
DNS uses UDP
NAT
ISP 192.0.2.114 (default rout has not been configured)
Given public pool 198.18.184.105 - 110
Private pool 198.168.100.17 - 30
Setup NAT
First check the interfaces are assigned correctly
int fa0/0
ip nat inside
exit
int serial0/0
ip nat outside
exit
Find the subnet mask for our public pool
105 - 110 is 6 addresses.
Add 1 for hosts = 7
Convert to binary
00000111
We need 3 bits to make 7.
That means the subnet mask is /29 (32 -3 = 29)
/29 is also 248
subnet mask is 255.255.255.248
Set up the public pool
ip nat pool 198.184.105 198.18.184.110 netmask 255.255.255.248
Find the wildcard mask for the private pool
17 - 30 is 14 addresses.
Add 1 for hosts = 8
Convert to binary
00001000
We need 4 bits to make 8
32 - 4 = 28
Subnet mask is /28 or 240
To get wildcard mask 255 - 240 = 15
Wildcard mask is 0.0.0.15
Set up the access list
access-list 1 permit 192.168.100.16 0.0.0.15
access-list 1 deny any
Enable the NAT
ip nat inside source list 1 pool mypool overload
Set the default route
ip route 0.0.0.0 0.0.0.0 198.0.2.114
Save the config
copy run start
Test connectivity from a host
Subscribe to:
Posts (Atom)