
BGP PART 1

Attribute Types
Well-known Mandatory      Must be supported and propagated
Well-known Discretionary  Must be supported; propagation optional
Optional Transitive       Marked as partial if unsupported by neighbor
Optional Nontransitive    Deleted if unsupported by neighbor

packetlife.net

About BGP
Type            Path Vector
Algorithm       Path Selection
AD              eBGP 20, iBGP 200
Standard        RFC 4271
Protocols       IP
Transport       TCP 179
Authentication  MD5

Terminology
Autonomous System (AS)       A logical domain under the control of a single entity
External BGP (eBGP)          BGP neighborships formed between autonomous systems
Internal BGP (iBGP)          BGP between peers within a single autonomous system
Synchronization requirement  Asserts that a route must be known by an IGP before it may be advertised to BGP peers

Attributes (Type: WM = well-known mandatory, WD = well-known discretionary, OT = optional transitive, ON = optional nontransitive)
Name                               Type  Description
Aggregator                         OT    ID and AS of router which performed summarization
AS Path                            WM    List of autonomous systems the advertisement has traversed
Atomic Aggregate                   WD    Includes AS which have been dropped due to route aggregation
Cluster ID                         ON    Originating cluster
Community                          OT    Route tag
Local Preference                   WD    Metric for internal neighbors to reach external paths; default 100
Multiple Exit Discriminator (MED)  ON    Metric for external neighbors to reach the AS; default 0
Next Hop                           WM    External peer in neighboring AS
Origin                             WM    Origin type (IGP, EGP, or unknown)
Originator ID                      ON    Identifies route reflector
Weight                             O     Cisco proprietary, not communicated to peers; default 0

Packet Types
Open, Keepalive, Update, Notification

Neighbor States
Idle          Neighbor is not responding
Connect       TCP session established
Open Sent     Open message sent
Open Confirm  Response received
Established   Neighborship established

Path Selection Order
 #  Criterion         Preference  Description
 1  Weight            Highest     Administrative preference
 2  Local Preference  Highest     Communicated between peers within an AS
 3  Self-Originated   True        Prefer paths originated locally
 4  AS Path           Shortest    Minimize AS hops
 5  Origin            IGP         Prefer IGP-learned routes over EGP, and EGP over unknown
 6  MED               Lowest      Used externally to enter an AS
 7  External          eBGP        Prefer eBGP routes over iBGP
 8  IGP Cost          Lowest      Consider IGP attributes
 9  eBGP Peering      Oldest      Favor more stable routes
10  Router ID         Lowest      Tie breaker

Influencing Path Selection
Weight            neighbor 172.16.0.1 weight 200
Local Preference  bgp default local-preference 100
MED               default-metric 400
Route Map         neighbor 172.16.0.1 route-map Foo

Troubleshooting
show ip bgp
show ip bgp summary
show ip bgp neighbors
show ip route [bgp]
clear ip bgp * [soft]
debug ip bgp events
debug ip bgp updates

by Jeremy Stretch
v1.1
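The path selection order above, worked through in code. This is an added example, not code from packetlife.net: the Path record, its field names and the sample candidates are constructed, and MED is compared across all candidates here, whereas IOS by default compares it only between paths received from the same neighboring AS.

```python
"""BGP best-path selection in the order the sheet lists (added example; not
packetlife.net's code). The Path record and the sample paths are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # IGP over EGP over unknown (incomplete)

@dataclass
class Path:
    prefix: str
    weight: int = 0              # Cisco-local, not sent to peers; default 0
    local_pref: int = 100        # default 100
    self_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: int = 0                 # default 0
    external: bool = True        # True if learned via eBGP, False via iBGP
    igp_cost: int = 0            # IGP metric to the next hop
    peer_uptime: int = 0         # seconds the eBGP session has been up
    router_id: str = "0.0.0.0"   # advertising neighbor's router ID

def _ip_key(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")

def sort_key(p: Path) -> Tuple:
    """One tuple element per selection step; 'highest wins' steps are negated so min() picks the best."""
    return (
        -p.weight,                        # 1 Weight: highest
        -p.local_pref,                    # 2 Local Preference: highest
        0 if p.self_originated else 1,    # 3 Self-originated: prefer True
        len(p.as_path),                   # 4 AS Path: shortest
        ORIGIN_RANK[p.origin],            # 5 Origin: IGP < EGP < incomplete
        p.med,                            # 6 MED: lowest
        0 if p.external else 1,           # 7 External: eBGP over iBGP
        p.igp_cost,                       # 8 IGP cost: lowest
        -p.peer_uptime,                   # 9 eBGP peering: oldest
        _ip_key(p.router_id),             # 10 Router ID: lowest
    )

def best_path(paths: List[Path]) -> Optional[Path]:
    """Return the best candidate for one prefix, or None if there are no candidates."""
    return min(paths, key=sort_key) if paths else None

def deciding_step(a: Path, b: Path) -> int:
    """1-based step at which a and b first differ; 0 if they tie on every step."""
    for step, (x, y) in enumerate(zip(sort_key(a), sort_key(b)), start=1):
        if x != y:
            return step
    return 0

# Constructed candidates for one prefix as seen from a router in AS 65100
CANDIDATES = [
    Path("192.168.2.0/24", as_path=[65200, 65300], router_id="172.16.0.2"),
    Path("192.168.2.0/24", as_path=[65200], router_id="172.16.0.6"),
    Path("192.168.2.0/24", as_path=[65200, 65300, 65400], local_pref=200,
         external=False, router_id="10.0.0.9"),
]

if __name__ == "__main__":
    best = best_path(CANDIDATES)
    print("best:", best.router_id, "decided at step", deciding_step(best, CANDIDATES[0]))
```

The third candidate wins on local preference (step 2) even though it has the longest AS path and was learned via iBGP, which is exactly why a local preference set by route map overrides everything below it in the table; deciding_step is useful when checking why a router picked a path you did not expect.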

BGP PART 2

Configuration Example

Router A
interface Serial1/0
 description Backbone to B
 ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
 description Backbone to C
 ip address 172.16.0.5 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
 no synchronization
 network 172.16.0.0 mask 255.255.255.252
 network 172.16.0.4 mask 255.255.255.252
 network 192.168.1.0
 neighbor South peer-group
 neighbor South remote-as 65200
 neighbor 172.16.0.2 peer-group South
 neighbor 172.16.0.6 peer-group South
 no auto-summary

Router B
interface FastEthernet0/0
 description Local to C
 ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
router ospf 100
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.2.0 0.0.0.255 area 1
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.2 remote-as 65200
 neighbor 172.16.0.1 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100

Router C
interface FastEthernet0/0
 description Local to B
 ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.6 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.3.1 255.255.255.0
!
router ospf 100
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.3.0 0.0.0.255 area 2
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.1 remote-as 65200
 neighbor 172.16.0.5 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100

Router A Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.0.4 is directly connected, S1/1
C       172.16.0.0 is directly connected, S1/0
C    192.168.1.0/24 is directly connected, F2/0
B    192.168.2.0/24 [20/100] via 172.16.0.2
B    192.168.3.0/24 [20/100] via 172.16.0.2

Router B Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
B       172.16.0.4 [20/0] via 172.16.0.1
C       172.16.0.0 is directly connected, S1/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, F0/0
B    192.168.1.0/24 [20/0] via 172.16.0.1
C    192.168.2.0/24 is directly connected, F2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0

CISCO IOS VERSIONS

IOS Nomenclature (diagram)
IOS Filename (diagram)
IOS Package Trees (diagram)

Typical Release Lifecycle
First Customer Shipment (FCS)  The release is first available to Cisco customers on CCO
EOS Notice                     Notification of upcoming EOS
End of Sale (EOS)              The release is no longer orderable or included in manufactured shipments
End of Engineering (EOE)       The last day for software fixes; only TAC assistance is offered from this point
End of Life (EOL)              The last day for TAC support; release becomes obsolete; upgrade is only option for support

Recommended IOS
800, 1700, 2600, 2800, 3700, 3800  12.4 / 12.4T
Catalyst 2960, 3560, 3750          12.2SE
Catalyst 4500 and 4900             12.2SG
Catalyst 6500                      12.2SX
7200, 7301 routers                 12.4 / 12.4T / 12.2SB
7304 routers                       12.2SB
7500 routers                       12.4 / 12.0S
10000 routers                      12.2SB
7600 routers                       12.2SR

IOS Verification
Router# show version
Router# dir <filesystem>:
Router# verify <filesystem>:<image>

COMMON PORTS

TCP/UDP Port Numbers
7            Echo
19           Chargen
20-21        FTP
22           SSH/SCP
23           Telnet
25           SMTP
42           WINS Replication
43           WHOIS
49           TACACS
53           DNS
67-68        DHCP/BOOTP
69           TFTP
70           Gopher
79           Finger
80           HTTP
88           Kerberos
102          MS Exchange
110          POP3
113          Ident
119          NNTP (Usenet)
123          NTP
135          Microsoft RPC
137-139      NetBIOS
143          IMAP4
161-162      SNMP
177          XDMCP
179          BGP
201          AppleTalk
264          BGMP
318          TSP
381-383      HP Openview
389          LDAP
411-412      Direct Connect
443          HTTP over SSL
445          Microsoft DS
464          Kerberos
465          SMTP over SSL
497          Retrospect
500          ISAKMP
512          rexec
513          rlogin
514          syslog
515          LPD/LPR
520          RIP
521          RIPng (IPv6)
540          UUCP
554          RTSP
546-547      DHCPv6
560          rmonitor
563          NNTP over SSL
587          SMTP
591          FileMaker
593          Microsoft DCOM
631          Internet Printing
636          LDAP over SSL
639          MSDP (PIM)
646          LDP (MPLS)
691          MS Exchange
860          iSCSI
873          rsync
902          VMware Server
989-990      FTP over SSL
993          IMAP4 over SSL
995          POP3 over SSL
1025         Microsoft RPC
1026-1029    Windows Messenger
1080         SOCKS Proxy
1080         MyDoom
1194         OpenVPN
1214         Kazaa
1241         Nessus
1311         Dell OpenManage
1337         WASTE
1433-1434    Microsoft SQL
1512         WINS
1589         Cisco VQP
1701         L2TP
1723         MS PPTP
1725         Steam
1741         CiscoWorks 2000
1755         MS Media Server
1812-1813    RADIUS
1863         MSN
1985         Cisco HSRP
2000         Cisco SCCP
2002         Cisco ACS
2049         NFS
2082-2083    cPanel
2100         Oracle XDB
2222         DirectAdmin
2302         Halo
2483-2484    Oracle DB
2745         Bagle.H
2967         Symantec AV
3050         Interbase DB
3074         XBOX Live
3124         HTTP Proxy
3127         MyDoom
3128         HTTP Proxy
3222         GLBP
3260         iSCSI Target
3306         MySQL
3389         Terminal Server
3689         iTunes
3690         Subversion
3724         World of Warcraft
3784-3785    Ventrilo
4333         mSQL
4444         Blaster
4664         Google Desktop
4672         eMule
4899         Radmin
5000         UPnP
5001         Slingbox
5001         iperf
5004-5005    RTP
5050         Yahoo! Messenger
5060         SIP
5190         AIM/ICQ
5222-5223    XMPP/Jabber
5432         PostgreSQL
5500         VNC Server
5554         Sasser
5631-5632    pcAnywhere
5800         VNC over HTTP
5900+        VNC Server
6000-6001    X11
6112         Battle.net
6129         DameWare
6257         WinMX
6346-6347    Gnutella
6500         GameSpy Arcade
6566         SANE
6588         AnalogX
6665-6669    IRC
6679/6697    IRC over SSL
6699         Napster
6881-6999    BitTorrent
6891-6901    Windows Live
6970         Quicktime
7212         GhostSurf
7648-7649    CU-SeeMe
8000         Internet Radio
8080         HTTP Proxy
8086-8087    Kaspersky AV
8118         Privoxy
8200         VMware Server
8500         Adobe ColdFusion
8767         TeamSpeak
8866         Bagle.B
9100         HP JetDirect
9101-9103    Bacula
9119         MXit
9800         WebDAV
9898         Dabber
9988         Rbot/Spybot
9999         Urchin
10000        Webmin
10000        BackupExec
10113-10116  NetIQ
11371        OpenPGP
12035-12036  Second Life
12345        NetBus
13720-13721  NetBackup
14567        Battlefield
15118        Dipnet/Oddbob
19226        AdminSecure
19638        Ensim
20000        Usermin
24800        Synergy
25999        Xfire
27015        Half-Life
27374        Sub7
28960        Call of Duty
31337        Back Orifice
33434+       traceroute

Legend: Chat, Encrypted, Gaming, Malicious, Peer to Peer, Streaming

IANA port assignments published at http://www.iana.org/assignments/port-numbers

EIGRP

Protocol Header (diagram)

Attributes
Type            Distance Vector
Algorithm       DUAL
Internal AD     90
External AD     170
Summary AD      5
Standard        Cisco proprietary
Protocols       IP, IPX, Appletalk
Transport       IP 88
Authentication  MD5
Multicast IP    224.0.0.10
Hello Timer     5 / 60
Hold Timer      15 / 180

K Defaults
K1 1   K2 0   K3 1   K4 0   K5 0

Packet Types
1 Update   3 Query   4 Reply   5 Hello   8 Acknowledge

Terminology
Reported Distance      The metric for a route advertised by a neighbor
Feasible Distance      The distance advertised by a neighbor plus the cost to get to that neighbor
Stuck In Active (SIA)  The condition when a route becomes unreachable and not all queries are answered; adjacencies with unresponsive neighbors are reset
Passive Interface      An interface which does not participate in EIGRP but whose network is advertised
Stub Router            A router which does not relay updates between neighbors or participate in querying

Metric Formula
metric = 256 * ( K1*bw + (K2*bw)/(256 - load) + K3*delay ) * ( K5/(reliability + K4) )
bw    = 10^7 / interface bandwidth in Kbps
delay = interface delay in usecs / 10
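The metric formula above carried through in code, as an added example that is not packetlife.net's own. Two IOS details the sheet does not spell out are applied as known facts: the scaled bandwidth and delay terms are trunc­ated to integers, and the reliability factor is skipped entirely when K5 is 0 (otherwise the default K values would divide every metric by 255). The interface bandwidth and delay values are constructed.

```python
"""EIGRP composite metric from the sheet's formula and K defaults (added
example; not packetlife.net's code). Link values below are constructed."""
from typing import Sequence, Tuple

K_DEFAULTS = (1, 0, 1, 0, 0)   # K1..K5 as listed on the sheet

def eigrp_metric(bandwidth_kbps: int, delay_usec: int, load: int = 1,
                 reliability: int = 255, k: Sequence[int] = K_DEFAULTS) -> int:
    """bandwidth_kbps: minimum bandwidth on the path; delay_usec: total delay
    on the path; load and reliability are 1..255 (255 = saturated / fully reliable)."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // bandwidth_kbps          # bw = 10^7 / bandwidth in Kbps (truncated)
    delay = delay_usec // 10                   # delay in usecs / 10 (truncated)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                                     # IOS applies this factor only when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return 256 * metric

def path_metric(links: Sequence[Tuple[int, int]], **kw) -> int:
    """Metric of a multi-hop path given (bandwidth_kbps, delay_usec) per link:
    bandwidth is the minimum along the path, delay is cumulative."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links), **kw)

if __name__ == "__main__":
    # Constructed links: a T1 serial link and a FastEthernet segment
    print("T1:", eigrp_metric(1544, 20000))
    print("FastEthernet:", eigrp_metric(100000, 100))
    print("FastEthernet then T1:", path_metric([(100000, 100), (1544, 20000)]))
```

With the default K values only bandwidth and delay count, so a path's metric is driven by its slowest link plus the sum of its delays; changing K values on one router without changing them on its neighbors breaks adjacencies, which is why the sheet's metric weights command is a protocol-wide decision.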

EIGRP Configuration

Protocol Configuration
! Enable EIGRP
router eigrp <ASN>
! Add interfaces to advertise
network <IP address> <wildcard mask>
! Configure K values
metric weights 0 <k1> <k2> <k3> <k4> <k5>
! Disable automatic route summarization
no auto-summary
! Designate passive interfaces
passive-interface (<interface> | <default>)
! Enable stub routing
eigrp stub [receive-only | connected | static | summary]
! Statically identify a neighboring router
neighbor <IP address> <interface>

Interface Configuration
! Set maximum bandwidth EIGRP can consume
ip bandwidth-percent eigrp <percentage>
! Configure manual summarization of outbound advertisements
ip summary-address eigrp <ASN> <IP address> <mask> [<AD>]
! Enable MD5 authentication
ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <key-chain>
! Configure hello and hold timers
ip hello-interval eigrp <ASN> <seconds>
ip hold-time eigrp <ASN> <seconds>
! Disable split horizon for EIGRP
no ip split-horizon eigrp <ASN>

Troubleshooting
show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
clear ip eigrp neighbors
debug ip eigrp [packet | neighbors]

FIRST HOP REDUNDANCY

First Hop Redundancy Protocols
Hot Standby Router Protocol (HSRP)         Provides default gateway redundancy using one active and one standby router; standardized but licensed by Cisco
Virtual Router Redundancy Protocol (VRRP)  An open-standard alternative to Cisco's HSRP, providing the same functionality
Gateway Load Balancing Protocol (GLBP)     Supports arbitrary load balancing in addition to redundancy across gateways; Cisco proprietary

Protocols Comparison
                  HSRP        VRRP        GLBP
Standard          RFC 2281    RFC 3768    Cisco
Load Balancing    No          No          Yes
IPv6 Support      Yes         No          Yes
Transport         UDP 1985    IP 112      UDP 3222
Default Priority  100         100         100
Default Hello     3s          1s          3s
Multicast Group   224.0.0.2   224.0.0.18  224.0.0.102

HSRP Operation (diagram)
VRRP Operation (diagram)
GLBP Operation (diagram)

HSRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 standby version {1 | 2}
 standby 1 ip 10.0.1.1
 standby 1 timers <hello> <dead>
 standby 1 priority <priority>
 standby 1 preempt
 standby 1 authentication md5 key-string <password>
 standby 1 track <interface> <value>
 standby 1 track <object> decrement <value>

HSRP/GLBP Interface States
Speak    Gateway election in progress
Active   Active router/VG
Standby  Backup router/VG
Listen   Not the active router/VG

VRRP Interface States
Master  Acting as the virtual router
Backup  All non-master routers

VRRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 vrrp 1 ip 10.0.1.1
 vrrp 1 timers {advertise <hello> | learn}
 vrrp 1 priority <priority>
 vrrp 1 preempt
 vrrp 1 authentication md5 key-string <password>
 vrrp 1 track <object> decrement <value>

GLBP Roles
Active Virtual Gateway (AVG)    Answers for the virtual router and assigns virtual MAC addresses to group members
Active Virtual Forwarder (AVF)  All routers which forward traffic for the group (may include the AVG)

GLBP Load Balancing
Round-Robin (default)  The AVG answers host ARP requests for the virtual router with the next router in the cycle
Host-Dependent         Round-robin cycling while maintaining a consistent AVF for each host
Weighted               GLBP weight determines the proportionate share of hosts handled by each AVF
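The three load-balancing methods side by side, modelled as the AVG choosing which AVF's virtual MAC to put in each ARP reply. This is an added example, not packetlife.net's code: the sheet describes the observable behaviour, not the AVG's internal algorithm, so the weighted method uses a smooth weighted round-robin as an assumed implementation, and the virtual MACs and host addresses are constructed.

```python
"""GLBP AVG reply selection for round-robin, host-dependent and weighted
load balancing (added example; not packetlife.net's code). The weighted
selection algorithm is an assumption; MACs and hosts are constructed."""
import itertools
from typing import Dict, Iterable

class GLBPGateway:
    """The AVG answers each ARP request for the virtual IP with one AVF's virtual MAC."""

    def __init__(self, forwarders: Dict[str, int], method: str = "round-robin"):
        self.forwarders = dict(forwarders)        # AVF virtual MAC -> GLBP weight
        self.method = method
        self._cycle = itertools.cycle(self.forwarders)
        self._hosts: Dict[str, str] = {}          # host IP -> AVF (host-dependent only)
        self._credit = dict.fromkeys(self.forwarders, 0)  # weighted round-robin state

    def answer_arp(self, host_ip: str) -> str:
        if self.method == "round-robin":
            return next(self._cycle)              # next AVF in the cycle, every request
        if self.method == "host-dependent":
            if host_ip not in self._hosts:        # new host: take the next AVF in the cycle
                self._hosts[host_ip] = next(self._cycle)
            return self._hosts[host_ip]           # known host: always the same AVF
        if self.method == "weighted":
            # smooth weighted round-robin: every AVF earns its weight in credit per
            # request, the richest answers and pays back the total weight
            total = sum(self.forwarders.values())
            for mac, weight in self.forwarders.items():
                self._credit[mac] += weight
            chosen = max(self._credit, key=self._credit.get)
            self._credit[chosen] -= total
            return chosen
        raise ValueError(f"unknown load-balancing method: {self.method}")

def share(gateway: GLBPGateway, hosts: Iterable[str]) -> Dict[str, int]:
    """How many of the given hosts each AVF ends up forwarding for."""
    counts = dict.fromkeys(gateway.forwarders, 0)
    for host in hosts:
        counts[gateway.answer_arp(host)] += 1
    return counts

if __name__ == "__main__":
    # Constructed group: two AVFs, the first with twice the weight of the second
    avg = GLBPGateway({"0007.b400.0101": 100, "0007.b400.0102": 50}, "weighted")
    print(share(avg, [f"10.0.1.{i}" for i in range(10, 16)]))
```

Host-dependent mode matters when stateful devices sit behind the gateways: a host that changes AVF mid-session would otherwise leave one firewall and return through another. Weighted mode only steers new ARP resolutions, so it rebalances gradually as hosts refresh their ARP entries.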

GLBP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 glbp 1 ip 10.0.1.1
 glbp 1 timers <hello> <dead>
 glbp 1 timers redirect <redirect> <time-out>
 glbp 1 priority <priority>
 glbp 1 preempt
 glbp 1 forwarder preempt
 glbp 1 authentication md5 key-string <password>
 glbp 1 load-balancing <method>
 glbp 1 weighting <weight> lower <lower> upper <upper>
 glbp 1 weighting track <object> decrement <value>

Troubleshooting
show standby [brief]
show glbp [brief]
show vrrp [brief]
show track [brief]

IEEE 802.1X

802.1X Header (diagram)
EAP Header (diagram)
EAP Flow Chart (diagram)

Terminology
Extensible Authentication Protocol (EAP)  A flexible authentication framework defined in RFC 3748
EAP Over LANs (EAPOL)                     The encapsulation used by 802.1X to carry EAP across a layer two segment
Supplicant                                The device on one end of a link that requests authentication by the authenticator
Authenticator                             The device that controls the status of a link; typically a wired switch or wireless access point
Authentication Server                     A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Guest VLAN                                Fallback VLAN for clients not 802.1X-capable
Restricted VLAN                           Fallback VLAN for clients which fail authentication

802.1X Packet Types
0  EAP Packet
1  EAPOL-Start
2  EAPOL-Logoff
3  EAPOL-Key
4  EAPOL-Encap-ASF-Alert

EAP Codes
1  Request
2  Response
3  Success
4  Failure

EAP Req/Resp Types
1    Identity
2    Notification
3    Nak
4    MD5 Challenge
5    One Time Password
6    Generic Token Card
254  Expanded Types
255  Experimental

Interface Defaults
Max Auth Requests   2
Reauthentication    Off
Quiet Period        60s
Reauth Period       3600s
Server Timeout      30s
Supplicant Timeout  30s
Tx Period           30s

Configuration

Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control

Interface Configuration
! Configure static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3

Port-Control Options
force-authorized    Port will always remain in authorized state (default setting)
force-unauthorized  Port will always remain in unauthorized state, ignoring authentication attempts
auto                Port is authorized only in the presence of a successfully authenticated supplicant

Troubleshooting
show dot1x [interface <interface>]
show dot1x statistics interface <interface>
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>

IEEE 802.11 WIRELESS PART 1

IEEE Standards
                     802.11a   802.11b   802.11g     802.11n (Draft)
Maximum Throughput   54 Mbps   11 Mbps   54 Mbps     300 Mbps
Frequency            5 GHz     2.4 GHz   2.4 GHz     2.4/5 GHz
Modulation           OFDM      DSSS      DSSS/OFDM   OFDM
Channels (FCC/ETSI)  21/19     11/13     11/13       32/32
Ratified             1999      1999      2003        N/A

WLAN Types
Ad Hoc          A WLAN between isolated stations with no central point of control; an IBSS
Infrastructure  A WLAN attached to a wired network via an access point; a BSS or ESS

WLAN Components
Basic Service Area (BSA)    The physical area covered by the wireless signal of a BSS
Basic Service Set (BSS)     A set of stations and/or access points which can directly communicate via a wireless medium
Distribution System (DS)    The wired infrastructure connecting multiple BSSs to form an ESS
Extended Service Set (ESS)  A set of multiple BSSs connected by a DS which appear to wireless stations as a single BSS
Independent BSS (IBSS)      An isolated BSS with no connection to a DS; an ad hoc WLAN

Frame Types
Type                   Class
Association            Management
Authentication         Management
Probe                  Management
Beacon                 Management
Request To Send (RTS)  Control
Clear To Send (CTS)    Control
Acknowledgment (ACK)   Control
Data                   Data

Client Association (diagram)

Measuring RF Signal Strength
Decibel (dB)  An expression of signal strength as compared to a reference signal; calculated as 10 log10(signal/reference)
dBm           Signal strength compared to a 1 milliwatt signal
dBw           Signal strength compared to a 1 watt signal
dBi           Compares forward antenna gain to that of an isotropic antenna

Modulations
Scheme  Modulation  Throughput
DSSS    DBPSK       1 Mbps
DSSS    DQPSK       2 Mbps
DSSS    CCK         5.5, 11 Mbps
OFDM    BPSK        6, 9 Mbps
OFDM    QPSK        12, 18 Mbps
OFDM    16-QAM      24, 36 Mbps
OFDM    64-QAM      48, 54 Mbps

Terminology
Basic Service Set Identifier (BSSID)                         A MAC address (typically belonging to an AP) which serves to uniquely identify a BSS
Service Set Identifier (SSID)                                A human-friendly text string which identifies a BSS (up to 32 characters in length)
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)  The mechanism which facilitates efficient communication across a shared wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP)                    An expression of net signal strength (transmitter power + antenna gain - cable loss)

IEEE 802.11 WIRELESS PART 2

Distributed Coordination Function (diagram)

Interframe Spacing
Short IFS (SIFS)       Used to provide minimal spacing delay between control frames or data fragments
DCF IFS (DIFS)         Normal spacing enforced under DCF for management and nonfragment data frames
Arbitrated IFS (AIFS)  Variable spacing calculated to accommodate differing qualities of service (QoS)
Extended IFS (EIFS)    Extended delay imposed after detecting errors in a received frame

Client Authentication
Open                       No authentication is used
Preshared Encryption Keys  Keys must be manually entered into clients and access points before a secure connection can be established
Lightweight EAP (LEAP)     Deprecated Cisco-proprietary EAP method introduced to provide dynamic keying for WEP
EAP-TLS                    Employs Transport Layer Security (TLS); PKI certificates are required on the AP and clients to provide mutual authentication
EAP-TTLS                   Clients authenticate the AP with its cert, then form a secure tunnel inside which the client authentication takes place; removes the requirement for a PKI cert on the client
Protected EAP (PEAP)       A proposal by Cisco, Microsoft, and RSA which forms a secure tunnel like EAP-TTLS and does not require a cert on the client
EAP-FAST                   Developed by Cisco to replace LEAP; establishes a secure tunnel using a Protected Access Credential (PAC) in the absence of PKI certs

Encryption Schemes
Wired Equivalent Privacy (WEP)  Deprecated encryption mechanism which employs a flawed RC4 implementation and a 40- or 104-bit preshared encryption key
Wi-Fi Protected Access (WPA)    A temporary fix for the flaws in WEP; implements an improved RC4-based encryption called Temporal Key Integrity Protocol (TKIP) which can operate on WEP-capable hardware
IEEE 802.11i (WPA2)             IEEE standard developed to replace WPA; requires a new generation of hardware to implement significantly stronger AES-based CCMP encryption

Quality of Service Markings
WMM       802.11e
Platinum  7, 6
Gold      5, 4
Silver    3, 0
Bronze    2, 1
802.1p (for comparison)  6 5 4 3 0 2 1

Wi-Fi Multimedia (WMM)  A Wi-Fi Alliance certification for QoS; a subset of 802.11e
802.11e                 Official IEEE WLAN QoS standard ratified in 2005; replaces WMM
802.1p                  QoS markings in the 802.1Q header on wired Ethernet LANs, shown for comparison

RF Signal Interference (diagram)
Reflection, Scattering, Absorption, Refraction, Diffraction

Antenna Types
Directional      Radiates power in one or several focused directions
Omnidirectional  Radiates power uniformly across a plane
Isotropic        A theoretical antenna referenced when measuring effective radiated power

IP ACCESS LISTS

Standard IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]

Extended IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

Actions
permit    Allow matched packets
deny      Deny matched packets
remark    Record a config comment
evaluate  Evaluate a reflexive ACL

ACL Numbers
1-99, 1300-1999     IP standard
100-199, 2000-2699  IP extended
200-299             Protocol
300-399             DECnet
400-499             XNS
500-599             Extended XNS
600-699             Appletalk
700-799             Ethernet MAC
800-899             IPX standard
900-999             IPX extended
1000-1099           IPX SAP
1100-1199           MAC extended
1200-1299           IPX summary

Source/Destination Definitions
any               Any address
host <address>    A single address
<network> <mask>  Any address matched by the wildcard mask

TCP/UDP Port Definitions
eq <port>            Equal to
neq <port>           Not equal to
lt <port>            Less than
gt <port>            Greater than
range <port> <port>  Matches a range of port numbers

TCP Options
ack          Match ACK flag
fin          Match FIN flag
psh          Match PSH flag
rst          Match RST flag
syn          Match SYN flag
urg          Match URG flag
established  Match packets in a preestablished session

IP Options
dscp <DSCP>       Match packets with the given DSCP value
fragments         Check non-initial fragments
option <option>   Match packets with the specified IP option
precedence <0-7>  Match packets with the given precedence value
ttl <count>       Match packets with the given Time To Live

Miscellaneous Options
reflect <name>     Create a reflexive ACL
time-range <name>  Enable rule only during the specified time range

Logging Options
log        Log ACL entry matches
log-input  Log matches with ingress interface and source MAC

Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}

Troubleshooting
show access-lists {<number> | <name>}
show ip access-lists {<number> | <name>}
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
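An evaluator for the extended ACL syntax above, useful for checking offline what a rule set will do to a given packet before it is applied to an interface. This is an added example and not code from packetlife.net or IOS: it parses only the subset of the syntax shown on the sheet (any / host / network-wildcard addresses, eq/neq/lt/gt/range ports, established, log), applies first-match-wins with the implicit deny at the end, and the ACL and packets are constructed.

```python
"""Extended IP ACL evaluation with Cisco wildcard masks (added example; not
packetlife.net's code). Supports: {permit | deny} <protocol> <source> [<ports>]
<destination> [<ports>] [established] [log]. The ACL and packets are constructed."""
import ipaddress
from typing import Callable, List, NamedTuple, Optional, Tuple

AddrMatch = Callable[[str], bool]
PortMatch = Optional[Callable[[Optional[int]], bool]]

class Packet(NamedTuple):
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"syn"})

class Rule(NamedTuple):
    action: str
    proto: str
    src: AddrMatch
    sport: PortMatch
    dst: AddrMatch
    dport: PortMatch
    established: bool
    log: bool

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is ignored (inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def _addr(t: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Consume one address definition at t[i]: any | host <address> | <network> <mask>."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        h = t[i + 1]
        return (lambda ip: ip == h), i + 2
    net, wc = t[i], t[i + 1]
    return (lambda ip: wildcard_match(ip, net, wc)), i + 2

_OPS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
        "lt": lambda p, v: p < v, "gt": lambda p, v: p > v}

def _port(t: List[str], i: int) -> Tuple[PortMatch, int]:
    """Consume an optional port definition at t[i]; None when absent."""
    if i < len(t) and t[i] in _OPS:
        op, v = _OPS[t[i]], int(t[i + 1])
        return (lambda p: p is not None and op(p, v)), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: p is not None and lo <= p <= hi), i + 3
    return None, i

def parse_rule(line: str) -> Rule:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    opts = set(t[i:])
    return Rule(t[0], t[1], src, sport, dst, dport, "established" in opts, "log" in opts)

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (r.src(p.src) and r.dst(p.dst)):
        return False
    if r.sport is not None and not r.sport(p.sport):
        return False
    if r.dport is not None and not r.dport(p.dport):
        return False
    # 'established' matches TCP segments with ACK or RST set, i.e. not the opening SYN
    if r.established and not (p.proto == "tcp" and p.tcp_flags & {"ack", "rst"}):
        return False
    return True

def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, bool]:
    """First matching entry wins; every ACL ends with an implicit deny. Returns (action, logged)."""
    for r in acl:
        if rule_matches(r, p):
            return r.action, r.log
    return "deny", False

# Constructed inbound ACL: expose HTTPS on one host, allow return traffic to the LAN, log the rest
OUTSIDE_IN = [parse_rule(line) for line in (
    "permit tcp any host 192.168.1.10 eq 443",
    "permit tcp any 192.168.1.0 0.0.0.255 established",
    "deny ip any any log",
)]
```

The established keyword is the classic weak spot of this style of ACL: it only looks at TCP flags, so any segment with ACK set passes the second entry regardless of whether a session exists, which is why the sheet also lists reflexive ACLs (reflect and evaluate) as the stateful alternative.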

IPSEC

Protocols
Internet Security Association and Key Management Protocol (ISAKMP)  A framework for the negotiation and management of security associations between peers; traverses UDP port 500
Internet Key Exchange (IKE)                                         Responsible for key agreement using public key cryptography
Encapsulating Security Payload (ESP)                                Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH)                                          Provides data integrity and peer authentication, but not data encryption; IP protocol 51

Encryption Algorithms
Algorithm  Type        Key                   Strength
DES        Symmetric   56-bit                Weak
3DES       Symmetric   168-bit               Medium
AES        Symmetric   128, 192, or 256-bit  Strong
RSA        Asymmetric  1024-bit minimum      Strong

Hashing Algorithms
Algorithm  Length   Strength
MD5        128-bit  Medium
SHA-1      160-bit  Strong

IPsec Modes
Transport Mode  The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted
Tunnel Mode     A new IP header is created in place of the original; this allows for encryption of the entire original packet

IKE Phases
Phase 1               A bidirectional ISAKMP SA is established between peers to provide a secure management channel; IKE is performed in main mode or aggressive mode
Phase 1.5 (optional)  Xauth can optionally be implemented to enforce user authentication
Phase 2               Two unidirectional IPsec SAs are established for data transfer using separate keys; IKE quick mode is used

Configuration
ISAKMP Policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
ISAKMP Pre-Shared Secret Key
crypto isakmp key 0 MySecretKey address 10.0.0.2
IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
IPsec Profile
crypto ipsec profile MyProfile
 set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

Terminology
Data Integrity                                 Secure hashing (HMAC) is used to ensure data has not been altered in transit
Data Confidentiality                           Encryption is used to ensure data cannot be intercepted by a third party
Data Origin Authentication                     Peer authentication
Anti-replay                                    Sequence numbers are used to detect and block duplicate packets
Hash-based Message Authentication Code (HMAC)  A hash of the data and secret key used to provide message authenticity
Diffie-Hellman                                 A method of establishing a shared secret key over an insecure path using public and private keys
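The anti-replay service in the terminology above, shown as the sliding-window check that ESP and AH receivers run on each packet's sequence number. This is an added example, not packetlife.net's code: it follows the window logic of RFC 4303 section 3.4.3, assumes a 64-packet window (the sheet gives no size) and 32-bit sequence numbers starting at 1, and the received sequence is constructed. In a real receiver this check runs only after the packet's HMAC has verified, so a forged packet cannot advance the window.

```python
"""ESP/AH anti-replay sliding window (added example; not packetlife.net's
code). Window size 64 is an assumption; the input sequence is constructed."""
from typing import Iterable, List

class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) has already been received

    def check_and_update(self, seq: int) -> bool:
        """Accept (True) and record seq if it is new and not older than the window."""
        if seq <= 0 or seq > 0xFFFFFFFF:           # senders start at 1; 32-bit field
            return False
        if seq > self.top:                         # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                    # left of the window: too old, drop
            return False
        if self.bitmap & (1 << offset):            # inside the window but already seen: replay
            return False
        self.bitmap |= 1 << offset                 # inside the window and new: accept
        return True

def filter_sequence(seqs: Iterable[int], size: int = 64) -> List[bool]:
    """Run a sequence of received sequence numbers through one window; True = accepted."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]

if __name__ == "__main__":
    # Constructed arrival order: reordering (3 after 5) is fine, a repeat and a
    # packet that falls behind the window after a jump to 70 are not
    print(filter_sequence([5, 3, 3, 70, 6, 7, 0]))
```

Reordered packets inside the window are accepted, which is why the window exists at all; once the window has moved past a sequence number the packet is dropped even if it is genuine, so a window that is too small for the path's reordering shows up as unexplained replay drops in show crypto ipsec sa counters.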

Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto isakmp
debug crypto ipsec

IPV4 MULTICAST

Ranges
224.0.0.0/24  Local network control
224.0.1.0/24  Internetwork control
232.0.0.0/8   Source-specific
233.0.0.0/8   GLOP (RFC 3180)
239.0.0.0/8   Admin-scoped

Layer 2 Addressing
Bits 1-24   Multicast OUI of 01-00-5E
Bit 25      Always set to zero
Bits 26-48  Carried over from lower 23 bits of IP address

Common Groups
224.0.0.1   All hosts
224.0.0.2   All routers
224.0.1.39  Cisco RP Announce
224.0.1.40  Cisco RP Discovery
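The layer 2 mapping above in code, plus the consequence it has for filtering: because only 23 of the 28 variable address bits are copied, 32 different groups share each MAC. This is an added example, not packetlife.net's code; the sample groups are constructed.

```python
"""IPv4 multicast group to Ethernet MAC mapping (added example; not
packetlife.net's code). Implements the sheet's rule: OUI 01-00-5E, bit 25
zero, low 23 bits of the group address. Sample groups are constructed."""
import ipaddress
from typing import List

def multicast_mac(group: str) -> str:
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(ip) & 0x7FFFFF                  # bits 26-48 of the MAC
    mac = (0x01005E << 24) | low23              # OUI in bits 1-24; bit 25 stays zero
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))

def groups_sharing_mac(group: str) -> List[str]:
    """The 32 groups that map to the same MAC: the five address bits between the
    fixed 1110 prefix and the copied 23 bits are lost in the mapping."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]

if __name__ == "__main__":
    for g in ("224.0.0.1", "224.0.1.40", "239.255.0.1"):
        print(g, "->", multicast_mac(g))
    print("share a MAC with 224.0.0.1:", groups_sharing_mac("224.0.0.1"))
```

The overlap is why a switch or NIC filtering on the destination MAC alone still delivers frames for 31 other groups (224.128.0.1 and 239.128.0.1 collide with the all-hosts group, for instance) and why IGMP snooping, which tracks groups by IP, gives a tighter result than static MAC filters.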

Terminology
Reverse Path Forwarding (RPF)              Verifies that multicast traffic travels in the reverse direction of unicast traffic, away from the tree root
Internet Group Management Protocol (IGMP)  End hosts issue IGMP requests to local routers to join multicast groups
Cisco Group Management Protocol (CGMP)     A proprietary protocol used by switches to obtain multicast membership information for end hosts

Distribution Trees
Shared         A common, static set of links which carry all multicast traffic; administratively constructed
Source-Rooted  Provide the shortest paths from the source to receivers

IGMP
IGMPv1         End hosts send requests to local routers to receive multicast traffic for a particular group
IGMPv2         Adds support for dynamic leave requests and querier election
IGMPv3         Adds multicast source filtering capability
IGMP Snooping  A switch passively inspects IGMP requests to determine which hosts should receive layer two multicast traffic

IGMP Configuration
IGMP Support   Router(config-if)# ip igmp [version {1|2|3}]
IGMP Snooping  Switch(config)# ip igmp snooping

IGMP Troubleshooting
show ip igmp
show ip igmp group
show ip igmp interface
show ip igmp snooping
ip igmp join-group

Protocol Independent Multicast
Dense Mode         The initial tree encompasses all multicast routers; after a period of time, routers without IGMP members prune back branches
Sparse Mode        The tree is grown from a central rendezvous point out to the multicast source and recipients
Sparse-Dense Mode  Allows a PIM-enabled interface to function in either sparse or dense mode per group
PIMv1              Provides automatic RP discovery with Auto-RP (Cisco proprietary)
PIMv2              Automatic RP discovery is accomplished by the bootstrap router method (standards based)

PIM Configuration
ip multicast-routing
!
interface FastEthernet0/0
 ip pim {sparse-mode | dense-mode | sparse-dense-mode}
 ip pim version {1 | 2}

RP Configuration
Manual                 ip pim rp-address <IP>
Auto-RP Mapping Agent  ip pim send-rp-discovery scope <TTL>
Auto-RP Candidate      ip pim send-rp-announce <interface>
BSR Candidate          ip pim bsr-candidate <interface>
BSR RP Candidate       ip pim rp-candidate <interface>

PIM Troubleshooting
show ip mroute
show ip pim interface
show ip pim neighbor
show ip pim rp [mapping]
show ip rpf <IP>

IPV6

Protocol Header
Version (4 bits)                Always set to 6
Traffic Class (8 bits)          A DSCP value for QoS
Flow Label (20 bits)            Identifies unique flows (optional)
Payload Length (16 bits)        Length of the payload in bytes
Next Header (8 bits)            Header or protocol which follows
Hop Limit (8 bits)              Functions as IPv4's time to live field
Source Address (128 bits)       Source IP address
Destination Address (128 bits)  Destination IP address

Address Notation
Step 1  Eliminate all leading zeros
Step 2  Replace up to one set of consecutive zeros with a double-colon

Address Formats (diagram)
Global unicast
Link-local unicast
Multicast

Address Types
Unicast    One-to-one communication
Multicast  One-to-many communication
Anycast    An address configured in multiple locations

EUI-64 Formation
Step 1  Insert 0xfffe between the two halves of the MAC
Step 2  Flip the seventh bit (universal/local flag) to 1
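The two address notation steps and the two EUI-64 steps above, combined into one worked example that builds a link-local address from a MAC and then compresses it. This is an added example, not packetlife.net's code. Two details go slightly beyond the sheet's wording and are stated here as known facts: when several zero runs tie for longest, the first one is compressed, and the EUI-64 step inverts the universal/local bit (which sets it to 1 for a globally unique MAC, as the sheet describes, and clears it for a locally administered one). The MAC address is constructed.

```python
"""IPv6 address compression and EUI-64 interface IDs (added example; not
packetlife.net's code). The sample MAC is constructed."""

def compress_ipv6(addr: str) -> str:
    """Step 1: strip leading zeros from each group. Step 2: replace the longest run
    of two or more all-zero groups (the first such run on a tie) with '::'."""
    groups = [g.lower() for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError("expected an uncompressed address with 8 groups")
    groups = [g.lstrip("0") or "0" for g in groups]          # step 1
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                                             # find the longest zero run
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                                         # a single zero group stays as '0'
        return ":".join(groups)
    left = ":".join(groups[:best_start])                     # step 2
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def eui64_interface_id(mac: str) -> str:
    """Step 1: insert ff:fe between the halves of the MAC. Step 2: invert the
    universal/local flag (bit 7 of the first byte). Returns the four 16-bit groups."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    words = [(eui[i] << 8) | eui[i + 1] for i in range(0, 8, 2)]
    return ":".join(f"{w:x}" for w in words)

def link_local_from_mac(mac: str) -> str:
    """Link-local address (FE80::/10) with an EUI-64 interface ID, in compressed form."""
    return compress_ipv6("fe80:0:0:0:" + eui64_interface_id(mac))

if __name__ == "__main__":
    print(compress_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001"))
    print(link_local_from_mac("00:0c:29:ab:cd:ef"))   # constructed MAC
```

Because the interface ID is derived from the MAC, an EUI-64 address reveals the hardware vendor and lets a host be tracked across networks; that is the reason privacy extensions generate random interface IDs instead, and why comparing the low 64 bits of observed addresses against the ff:fe pattern is an easy inventory check.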

Special-Use Ranges
::/0           Default route
::/128         Unspecified
::1/128        Loopback
::/96          IPv4-compatible*
::FFFF:0:0/96  IPv4-mapped
2001::/32      Teredo
2001:DB8::/32  Documentation
2002::/16      6to4
FC00::/7       Unique local
FE80::/10      Link-local unicast
FEC0::/10      Site-local unicast*
FF00::/8       Multicast
* Deprecated

Extension Headers
Hop-by-hop Options (0)               Carries additional information which must be examined by every router in the path
Routing (43)                         Provides source routing functionality
Fragment (44)                        Included when a packet has been fragmented by its source
Encapsulating Security Payload (50)  Provides payload encryption (IPsec)
Authentication Header (51)           Provides packet authentication (IPsec)
Destination Options (60)             Carries additional information which pertains only to the recipient

Transition Methods
Dual Stack   Running IPv4 and IPv6 on all devices simultaneously
Tunneling    IPv6 packets are encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo), or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation  Stateless IP/ICMP Translation (SIIT) translates IP header fields and NAT Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses

INTEGRATED IS-IS PART 1

Protocol Header (diagram)
Common header fields: IRPD, Length, Version/Protocol ID Extension, ID Length, R R R (reserved bits), PDU Type, Version, Reserved, Maximum Area Addresses, Packet Length; followed by TLVs, each carrying Type, Length, Value ... additional TLVs ...

Attributes
Type            Link-State
Algorithm       Dijkstra
Metric          Default (10)
AD              115
Standard        ISO 10589
Protocols       IP, CLNS
Transport       CLNP
Authentication  Plaintext, MD5

Routing Levels
Level 0  Used to locate end systems
Level 1  Routing within an area
Level 2  Backbone between areas
Level 3  Inter-AS routing

NSAP Addressing
NSAP = Interdomain Part (AFI | IDI) + Domain Specific Part (HODSP | System ID | SEL)
Example         47 | 0005.80ff.f800.0000 | 0000.0c00.1234 | 00
                AFI  IDI + HODSP           System ID       SEL
Condensed area  HODSP 0001 | System ID | SEL

Interdomain Part (IDP)                 Portion of the address used in routing between autonomous systems; assigned by ISO
Domain Specific Part (DSP)             Portion of the address relevant only within the local AS
Authority and Format Identifier (AFI)  Identifies the authority which dictates the format of the address
Initial Domain Identifier (IDI)        An organization belonging to the AFI
High Order DSP (HODSP)                 The area within the AS
System ID                              Unique router identifier; six bytes for Cisco devices; often taken from a MAC address
NSAP Selector (SEL)                    Identifies a network layer service; always 0x00 in a NET address

Terminology
Type-Length-Value (TLV)               Variable-length modular datasets
Link State PDU (LSP)                  Carries information describing link state
Sequence Number Packet (SNP)          Used to request and advertise LSPs; can be complete (CSNP) or partial (PSNP)
Hello Packet                          Establishes and maintains neighbor adjacencies
Designated Intermediate System (DIS)  A pseudonode responsible for emulating point-to-point links across a multiaccess segment

Network Types
                    Broadcast  Point-to-Point  Other
DIS Elected         Yes        No              Must be configured as broadcast or point-to-point
Neighbor Discovery  Yes        Yes
Hello/Dead Timers   10/30      10/30

Adjacency Requirements
Interface MTUs must match
Levels must match
Areas must match (if level 1)
System IDs must be unique
Authentication must succeed

Troubleshooting show ip route show ip protocols show clns|isis neighbor show clns|isis interface show isis database show isis spf-log debug isis spf-events debug isis adjacencies-packets debug isis spf-statistics debug isis update-packets

DIS Election
Highest interface priority elected Highest SNPA (MAC/DLCI) breaks tie Highest system ID breaks SNPA tie Default interface priority is 64 Current DIS may preempted

by Jeremy Stretch

v1.1

INTEGRATED IS-IS PART 2


TLV Types
Type   Name                       Use
1      Area Addresses             Hello, LSP
2      IS Neighbors               LSP
3      ES Neighbors               L1 LSP
5      Prefix Neighbors           L2 LSP
6      IS Neighbors               Hello
8      Padding                    Hello
9      LSP Entries                SNP
10     Authentication             Hello, LSP, SNP
128    IP Internal Reachability   LSP
129    Protocols Supported        Hello
131    IDRP                       L2 LSP
132    IP Interface Address       Hello, LSP

Configuration Example

RouterA1
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 2
 ip address 10.0.0.1 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain keychain
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.5 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 102
!
router isis
 net 49.0001.0000.0000.00a1.00

RouterA2
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0001.0000.0000.00a2.00

RouterB1
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 1
 ip address 10.0.0.2 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain keychain
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.9 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 103
!
router isis
 net 49.0002.0000.0000.00b1.00

RouterB2
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0002.0000.0000.00b2.00

by Jeremy Stretch

v1.1

FRAME MODE MPLS


Protocol Header
Label (20 bits): Unique label value
Experimental/QoS (3 bits): CoS-mapped QoS marking
Bottom of Stack (1 bit): Indicates label is last in the stack
Time To Live (8 bits): Hop counter mapped from IP TTL

Conceptual Components
Control Plane: Facilitates label exchange between neighboring LSRs using LDP or TDP (includes the distribution protocol and LIB)
Forwarding/Data Plane: Forwards packets based on label or destination IP address (includes the FIB and LFIB)

Label Protocols
                  LDP          TDP
Hello Address     224.0.0.2    255.255.255.255
Hello Port        UDP 646      UDP 711
Adjacency Port    TCP 646      TCP 711
Proprietary       No           Cisco

Label Switched Path (diagram not reproduced)

Terminology
Label Distribution Protocol (LDP): Standards based label distribution protocol defined in RFC 3036
Tag Distribution Protocol (TDP): Cisco's proprietary predecessor to LDP
Label Switching Router (LSR): Any router capable of label switching
Label-Switched Path (LSP): The unidirectional path through one or more LSRs taken by a label switched packet belonging to an FEC
Forwarding Equivalence Class (FEC): A group of packets which are forwarded in an identical manner
Label Information Base (LIB): Contains all labels known by an LSR via a label distribution protocol
Forwarding Information Base (FIB): Routing database for unlabeled (IP) packets
Label FIB (LFIB): Routing database for labeled packets
Customer (C): IP-only routers internal to customer network
Customer Edge (CE): C routers which face PE routers
Provider Edge (PE): LSRs which form the MPLS-IP boundary
Provider (P): MPLS-only LSRs in provider network
Interim Packet Propagation: An LSR temporarily performs IP routing while waiting to learn the necessary MPLS labels
Penultimate Hop Popping (PHP): The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup

MPLS Configuration
! ** Enable CEF **
ip cef
!
! ** Select label protocol **
mpls label protocol ldp
!
! ** Enable MPLS on IP interfaces **
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ! ** Raise MPLS MTU to accommodate multilabel stack **
 mpls mtu 1512

Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail] (LIB)
show mpls forwarding-table [detail] (LFIB)
show ip cef [detail] (FIB)
debug mpls events
debug mpls ldp bindings

v1.0

by Jeremy Stretch

OSPF PART 1
Protocol Header

Attributes
Type: Link-State
Algorithm: Dijkstra
Metric: Cost (Bandwidth)
AD: 110
Standard: RFC 2328, 2740
Protocols: IP
Transport: IP 89
Authentication: Plaintext, MD5
AllSPF Address: 224.0.0.5
AllDR Address: 224.0.0.6

Adjacency States
1 Down   2 Attempt   3 Init   4 2-Way   5 Exstart   6 Exchange   7 Loading   8 Full

Metric Formula
cost = 100,000,000 bps* / link speed
* modifiable with 'ospf auto-cost reference-bandwidth'

Link State Advertisements
Type 1 Router Link: Lists a router's neighbors and its cost to each; flooded throughout an area
Type 2 Network Link: Generated by a DR; lists all routers on an adjacent segment; flooded throughout an area
Type 3 Network Summary: Generated by an ABR and sent between areas; point of summarization
Type 4 ASBR Summary: Injected by an ABR into the backbone to advertise the presence of an ASBR
Type 5 External Link: Generated by an ASBR and flooded throughout the AS to advertise a route external to OSPF
Type 7 NSSA External Link: Generated by an ASBR in a not-so-stubby area; converted into a type 5 LSA by the ABR

Router Types
Internal Router: All interfaces reside within the same area
Backbone Router: A router with an interface in area 0 (the backbone)
Area Border Router (ABR): Connects two or more areas
AS Boundary Router (ASBR): Connects to additional routing domains; typically located in the backbone

DR/BDR Election
The DR serves as a common point for all adjacencies on a multiaccess segment
The BDR also maintains adjacencies with all routers in case the DR fails
Election does not occur on point-to-point or multipoint links
Default priority (0-255) is 1; highest priority wins; 0 cannot be elected
DR preemption will not occur unless the current DR is reset

Virtual Links
Tunnel formed to join two areas across an intermediate area
Both end routers must share a common area
At least one end must reside in area 0
Cannot traverse stub areas
Temporary solution; not considered best practice

Area Types
Standard Area: Default OSPF area type
Stub Area: External summary route (type 5) LSAs are replaced by the ABR with a default route
Totally Stubby Area: A stub area which also replaces summary (type 3 and 4) LSAs with a default route
Not So Stubby Area (NSSA): A stubby area containing an ASBR; type 5 LSAs are converted to type 7 within the area

Troubleshooting
show ip route
show ip protocols
show ip ospf interface
show ip ospf neighbor
show ip ospf database
show ip ospf border-routers
show ip ospf virtual-links
debug ip packet
debug ip ospf events
debug ip ospf adjacency

External Route Types
E1: Cost of the path to the originating ASBR is added to the route cost
E2 (default): Only the cost of the route as seen by the ASBR is considered

by Jeremy Stretch

v1.3

OSPF PART 2
Network Types
Network Type             DR/BDR Elected   Neighbor Discovery   Hello/Dead Timers   Standard   Supported Topology
Nonbroadcast (NBMA)      Yes              No                   30/120              RFC 2328   Full Mesh
Multipoint Broadcast     No               Yes                  30/120              RFC 2328   Any
Multipoint Nonbroadcast  No               No                   30/120              Cisco      Any
Broadcast                Yes              Yes                  10/40               Cisco      Full Mesh
Point-to-Point           No               Yes                  10/40               Cisco      Point-to-Point

Configuration Example
RouterA
interface Serial0/0
 description WAN Link
 ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
 description Area 0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
 ! Used as router ID
 ip address 10.0.34.1 255.255.255.0
!
router ospf 100
 ! Advertising the WAN cloud to OSPF
 redistribute static subnets
 network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1

RouterB
interface Ethernet0/0
 description Area 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give RouterB priority in DR election
 ip ospf priority 100
!
interface Ethernet0/2
 description Area 1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback0
 ip address 10.0.34.2 255.255.255.0
!
router ospf 100
 ! Define area 1 as a stub area
 area 1 stub
 ! Virtual link from area 0 to area 9
 area 2 virtual-link 10.0.34.3
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
 network 192.168.2.0 0.0.0.255 area 2

RouterC
interface Ethernet0/0
 description Area 9
 ip address 192.168.9.1 255.255.255.0
!
interface Ethernet0/1
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ! Optional MD5 authentication configured
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 FooBar
 ! Give RouterC second priority (BDR) in election
 ip ospf priority 50
!
interface Loopback0
 ip address 10.0.34.3 255.255.255.0
!
router ospf 100
 ! Define area 9 as a totally stubby area
 area 9 stub no-summary
 ! Virtual link from area 9 to area 0
 area 2 virtual-link 10.0.34.2
 network 192.168.2.0 0.0.0.255 area 2
 network 192.168.9.0 0.0.0.255 area 9
!

by Jeremy Stretch

v1.3

PHYSICAL TERMINATIONS
(connector photos not reproduced)

Optical Terminations
ST (Straight Tip)
SC (Subscriber Connector)
LC (Local Connector)
MT-RJ

Copper Terminations
RJ-45
RJ-11
RJ-21 (25-pair)
DE-9 (Female)
DB-25 (Male)
DB-60 (Male)

GBICs
1000Base-SX/LX
1000Base-T
Cisco GigaStack
1000Base-SX/LX SFP
1000Base-T SFP
X2 (10Gig)

Wireless Antennas
RP-TNC
RP-SMA

v1.1

by Jeremy Stretch

QUALITY OF SERVICE PART 1

Quality of Service Models
Best Effort: No QoS policies are implemented
Integrated Services (IntServ): Resource Reservation Protocol (RSVP) is used to reserve bandwidth per flow across all nodes in a path
Differentiated Services (DiffServ): Packets are individually classified and marked; policy decisions are made independently at each node in a path

IP Type of Service (TOS) (byte layout diagram not reproduced)

Layer 2 QoS Markings
Medium        Name                        Type
Ethernet      Class of Service (CoS)      3-bit 802.1p field in 802.1Q header
Frame Relay   Discard Eligibility (DE)    1-bit drop eligibility flag
ATM           Cell Loss Priority (CLP)    1-bit drop eligibility flag
MPLS          Experimental Field (EXP)    3-bit field compatible with 802.1p

IP QoS Markings
Precedence: The first three bits of the IP TOS field are evaluated; compatible with Ethernet CoS and MPLS EXP values
DSCP: The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence

Precedence and DSCP Values
Prec.   Binary   Application        DSCP   Binary   Name
7       111      Reserved           56     111000   Reserved
6       110      Routing            48     110000   Reserved
5       101      Voice              46     101110   EF
4       100      Streaming Video    32     100000   CS4
                                    34     100010   AF41
                                    36     100100   AF42
                                    38     100110   AF43
3       011      Call Signaling     24     011000   CS3
                                    26     011010   AF31
                                    28     011100   AF32
                                    30     011110   AF33
2       010      Transactional      16     010000   CS2
                                    18     010010   AF21
                                    20     010100   AF22
                                    22     010110   AF23
1       001      Bulk Data          8      001000   CS1
                                    10     001010   AF11
                                    12     001100   AF12
                                    14     001110   AF13
0       000      Best Effort        0      000000   BE

Per-Hop Behaviors
Class Selector (CS): Backward-compatible with IP Precedence values
Assured Forwarding (AF): Four classes with variable drop preferences
Expedited Forwarding (EF): Provides priority queuing for delay-sensitive traffic

Terminology
Per-Hop Behavior (PHB): The individual QoS action performed at each DiffServ node according to its configured policy
Trust Boundary: The perimeter beyond which QoS markings are not trusted
Tail Drop: Occurs when a packet is dropped because its queue is full
Policing: Creates an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the cap may be remarked or dropped
Shaping: Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay
TCP Synchronization: Flows adjust window sizes in sync, wasting bandwidth

Congestion Avoidance
Random Early Detection (RED): Packets are randomly dropped before a queue is full to prevent tail drop; mitigates TCP synchronization
Weighted RED (WRED): RED with the added capability of recognizing prioritized traffic by its marking

QoS Flowchart (diagram not reproduced)

v1.2
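Decoding the TOS byte into the values of the table above, as an added example that is not part of the packetlife sheet: it names the per-hop behavior from the DSCP bit pattern (class selector = top three bits, drop precedence = next two), derives the IP Precedence that 802.1p CoS and MPLS EXP share, and applies the trust-boundary rule by re-marking untrusted packets to best effort. It goes one row beyond the table by naming DSCP 40 CS5 under the same xxx000 rule; the sample TOS bytes are constructed.

```python
"""Added example (not from the packetlife sheet): decode the IP TOS byte into the
DSCP and Precedence values of the markings table, name the per-hop behavior
(CS, AF, EF, BE) from the bit pattern, and apply the trust-boundary rule."""

# Application column of the Precedence Values table
PRECEDENCE_APPLICATION = {
    7: "Reserved", 6: "Routing", 5: "Voice", 4: "Streaming Video",
    3: "Call Signaling", 2: "Transactional", 1: "Bulk Data", 0: "Best Effort",
}


def dscp_to_phb(dscp: int) -> str:
    """Name a DSCP codepoint the way the table does.
    Bits cccddx: class selector c (== IP Precedence), drop precedence d.
    Goes beyond the table for CS5 (40), which follows the same xxx000 rule."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0:
        return "BE"
    if dscp == 46:            # 101110
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:     # xxx000: class selector codepoints
        return "Reserved" if cls >= 6 else f"CS{cls}"   # sheet marks 48 and 56 Reserved
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    return "unassigned"       # codepoint has no row in the table


def precedence_from_dscp(dscp: int) -> int:
    """Backward compatibility: IP Precedence is the top three bits of the DSCP,
    the same 3-bit value carried in 802.1p CoS and MPLS EXP."""
    return dscp >> 3


def decode_tos(tos: int, trusted: bool = True) -> dict:
    """Split a TOS byte (DSCP in the first six bits, ECN in the last two).
    Beyond the trust boundary the marking is not honored: the packet is
    re-marked to DSCP 0 and treated as best effort."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS is one byte")
    dscp, ecn = tos >> 2, tos & 0b11
    if not trusted:
        dscp = 0
    prec = precedence_from_dscp(dscp)
    return {
        "dscp": dscp,
        "phb": dscp_to_phb(dscp),
        "precedence": prec,
        "application": PRECEDENCE_APPLICATION[prec],
        "ecn": ecn,
    }


# Constructed sample: (description, TOS byte) pairs as they would appear in a capture
SAMPLE_TOS = [("voice RTP", 0xB8), ("call signaling", 0x60), ("bulk data", 0x28), ("web", 0x00)]

if __name__ == "__main__":
    for label, tos in SAMPLE_TOS:
        inside, outside = decode_tos(tos), decode_tos(tos, trusted=False)
        print(f"{label:15} tos=0x{tos:02x} -> {inside['phb']:8} prec {inside['precedence']}"
              f" ({inside['application']}); untrusted -> {outside['phb']}")
```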

by Jeremy Stretch

QUALITY OF SERVICE PART 2

Queuing Comparison Chart
                             FIFO        PQ           CQ           WFQ          CBWFQ        LLQ
Default on interfaces        >2 Mbps     No           No           <=2 Mbps     No           No
Number of queues             1           4            Configured   Dynamic      Configured   Configured
Configurable classes         No          Yes          Yes          No           Yes          Yes
Bandwidth allocation         Automatic   Automatic    Configured   Automatic    Configured   Configured
Provides for minimal delay   No          Yes          No           No           No           Yes
Modern implementation        Yes         No           No           No           Yes          Yes

First In First Out (FIFO)
Packets are transmitted in the order they are processed
No prioritization is provided
Default queuing method on high-speed (>2 Mbps) interfaces
Configurable with the tx-ring-limit interface configuration command

Priority Queuing (PQ)
Provides four static queues which cannot be reconfigured
Higher-priority queues are always emptied before lower-priority queues
Lower-priority queues are at risk of bandwidth starvation

Custom Queuing (CQ)
Rotates through queues using Weighted Round Robin (WRR)
A configurable number of bytes is processed from each queue per turn
Prevents queue starvation but does not support delay-sensitive traffic

Weighted Fair Queuing (WFQ)
Queues are dynamically created per flow to ensure fair processing
Statistically drops packets from aggressive flows more often
No support for delay-sensitive traffic

Class-Based WFQ (CBWFQ)
Provides the benefits of WFQ with administratively configured queues
Each queue is allocated an amount or percentage of bandwidth
No support for delay-sensitive traffic

Low Latency Queuing (LLQ)
CBWFQ with the addition of a policed strict priority queue
Highly configurable while still supporting delay-sensitive traffic

LLQ Configuration Example
! *** Class definitions ***
class-map match-all Voice
 ! Matches packets by DSCP value
 match dscp ef
!
class-map match-all Call-Signaling
 match dscp cs3
!
class-map match-any Critical-Apps
 match dscp af21 af22
 ! Matches packets by access list
 match access-group name Mgmt_LAN
!
class-map match-all Scavenger
 match dscp cs1
!
! *** Policy creation ***
policy-map Foo
 class Voice
  ! Priority queue policed to 33%
  priority percent 33
 class Call-Signaling
  ! Allocate 5% of bandwidth
  bandwidth percent 5
 class Critical-Apps
  bandwidth percent 20
  ! Extend queue size to 96 packets
  queue-limit 96
 class Scavenger
  ! Police to 64 kbps
  police cir 64000 conform-action transmit exceed-action drop
 class class-default
  ! Enable WFQ
  fair-queue
  ! Enable WRED
  random-detect
!
! *** Policy Application ***
interface Serial0
 service-policy Foo

Troubleshooting
show policy-map
show interface
show queue <interface>
show mls qos

v1.2

by Jeremy Stretch

SPANNING TREE PART 1


Spanning Tree Protocols
Protocol     Algorithm   Definition              Instances      Trunking
Legacy STP   Legacy ST   802.1D-1998             One            N/A
PVST         Legacy ST   Cisco                   Per VLAN       ISL
PVST+        Legacy ST   Cisco                   Per VLAN       802.1Q, ISL
RSTP         Rapid ST    802.1w, 802.1D-2004     One            N/A
RPVST+       Rapid ST    Cisco                   Per VLAN       802.1Q, ISL
MST          Rapid ST    802.1s, 802.1Q-2003     Configurable   802.1Q, ISL

Spanning Tree Instance Comparison (diagram not reproduced)

BPDU Format
Field            Bits
Protocol ID      16
Version          8
BPDU Type        8
Flags            8
Root ID          64
Root Path Cost   32
Bridge ID        64
Port ID          16
Message Age      16
Max Age          16
Hello Time       16
Forward Delay    16

Spanning Tree Specifications

Open Standards
IEEE 802.1D-1998: Deprecated legacy STP standard
IEEE 802.1w: Introduced Rapid STP (RSTP)
IEEE 802.1D-2004: Replaced legacy STP with RSTP
IEEE 802.1s: Introduced Multiple Spanning Tree (MST)
IEEE 802.1Q-2003: Added MST to 802.1Q

Cisco Proprietary Implementations
PVST: Per-VLAN implementation of legacy STP
PVST+: Added 802.1Q trunking to PVST
RPVST+: Per-VLAN implementation of RSTP

Link Costs
Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
45 Mbps     39
100 Mbps    19
155 Mbps    14
622 Mbps    6
1 Gbps      4
10 Gbps     2

Port States
Legacy ST    Rapid ST
Disabled     Discarding
Blocking     Discarding
Listening    Discarding
Learning     Learning
Forwarding   Forwarding

Port Roles
Legacy ST    Rapid ST
Root         Root
Designated   Designated
Blocking     Alternate
Blocking     Backup

Default Timers
Hello 2s   Forward Delay 15s   Max Age 20s

Spanning Tree Operation
1 Determine root bridge: The bridge advertising the lowest bridge ID becomes the root bridge
2 Select root port: Each bridge selects its primary port facing the root
3 Select designated ports: One designated port is selected per segment
4 Block ports with loops: All non-root and non-designated ports are blocked

by Jeremy Stretch

v2.0

SPANNING TREE PART 2


PVST+ and RPVST+ Configuration
! Set STP type
spanning-tree mode {pvst | rapid-pvst}
! Bridge priority
spanning-tree vlan 1-4094 priority 32768
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
spanning-tree vlan 1-4094 forward-time 15
spanning-tree vlan 1-4094 max-age 20
! Enabling PortFast by default
spanning-tree portfast default
! PVST+ Enhancements
spanning-tree backbonefast
spanning-tree uplinkfast
! Interface attributes
interface FastEthernet0/1
 spanning-tree [vlan 1-4094] port-priority 128
 spanning-tree [vlan 1-4094] cost 19
 ! Manual link type specification
 spanning-tree link-type {point-to-point | shared}
 ! Enables spanning tree if running PVST+, or
 ! designates an edge port under RPVST+
 spanning-tree portfast
 ! Spanning tree protection
 spanning-tree guard {loop | root | none}
 ! Per-interface toggling
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable

Bridge ID Format
Priority: 4-bit configurable priority (configurable from 0 to 61440 in increments of 4096)
System ID Extension: 12-bit value taken from VLAN number
MAC Address: 48-bit value to ensure uniqueness
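The Bridge ID layout above and the BPDU Format table from Part 1, worked in code as an added example that is not part of the packetlife sheet: it packs and parses a configuration BPDU with the sheet's field widths, splits a Bridge ID into priority / system ID extension / MAC, and applies the four-step Path Selection order to pick the BPDU a root port would follow. It assumes the 802.1D encoding of the four timers in 1/256-second units (not stated on the sheet); bridge IDs, MACs and costs are constructed sample values.

```python
"""Added example (not from the packetlife sheet): parse an 802.1D configuration
BPDU with the field widths from the BPDU Format table, split a Bridge ID into
priority / system ID extension / MAC, and apply the Path Selection order."""
import struct
from dataclasses import dataclass

# Field widths from the BPDU Format table: 16+8+8+8+64+32+64+16+16+16+16+16 bits
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35 bytes


def make_bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """Bridge ID = 4-bit priority | 12-bit system ID extension (VLAN) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in increments of 4096")
    if not 0 <= vlan <= 4095:
        raise ValueError("system ID extension is a 12-bit VLAN number")
    return struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))


def split_bridge_id(bridge_id: bytes) -> tuple[int, int, str]:
    """Inverse of make_bridge_id: returns (priority, system ID extension, MAC)."""
    word = struct.unpack("!H", bridge_id[:2])[0]
    mac = ":".join(f"{b:02x}" for b in bridge_id[2:8])
    return word & 0xF000, word & 0x0FFF, mac


@dataclass(frozen=True)
class Bpdu:
    protocol_id: int
    version: int
    bpdu_type: int
    flags: int
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes      # sender bridge ID
    port_id: int          # sender port ID
    message_age: float    # seconds
    max_age: float
    hello_time: float
    forward_delay: float

    def selection_key(self):
        """Path Selection order: lowest root ID, then lowest cost to root,
        then lowest sender bridge ID, then lowest sender port ID.
        Comparing big-endian bytes equals comparing the 64-bit IDs numerically."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def build_bpdu(root_id: bytes, cost: int, bridge_id: bytes, port_id: int,
               message_age: float = 0, max_age: float = 20,
               hello_time: float = 2, forward_delay: float = 15) -> bytes:
    """Encode a configuration BPDU. Timers are stored in 1/256 s units
    (802.1D encoding; an assumption, since the sheet gives only field widths)."""
    timers = (message_age, max_age, hello_time, forward_delay)
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, cost, bridge_id, port_id,
                       *(int(t * 256) for t in timers))


def parse_bpdu(data: bytes) -> Bpdu:
    if len(data) < BPDU_LEN:
        raise ValueError(f"configuration BPDU is {BPDU_LEN} bytes, got {len(data)}")
    fields = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    return Bpdu(*fields[:8], *(t / 256 for t in fields[8:]))


def best_bpdu(bpdus):
    """The BPDU a bridge would select its root port from."""
    return min(bpdus, key=Bpdu.selection_key)


def is_superior(received: Bpdu, current: Bpdu) -> bool:
    """True when a received BPDU would displace the current selection. On an
    edge port this is the event Root Guard blocks and BPDU Guard error-disables,
    so a monitoring tool should log it."""
    return received.selection_key() < current.selection_key()


# Constructed sample values (not from the sheet)
CORE = make_bridge_id(4096, 10, "00:11:22:33:44:55")      # intended root for VLAN 10
ACCESS = make_bridge_id(32768, 10, "00:aa:bb:cc:dd:ee")   # default priority
UNEXPECTED = make_bridge_id(0, 10, "02:00:00:00:00:01")   # lower ID than the core
FROM_CORE = parse_bpdu(build_bpdu(CORE, 0, CORE, 0x8001))
VIA_ACCESS = parse_bpdu(build_bpdu(CORE, 19, ACCESS, 0x8002))   # cost 19 = 100 Mbps link
UNEXPECTED_BPDU = parse_bpdu(build_bpdu(UNEXPECTED, 0, UNEXPECTED, 0x8001))

if __name__ == "__main__":
    print("core bridge ID:", split_bridge_id(CORE))
    print("root port follows:", split_bridge_id(best_bpdu([VIA_ACCESS, FROM_CORE]).bridge_id))
    print("superior BPDU seen on edge port:", is_superior(UNEXPECTED_BPDU, FROM_CORE))
```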

Path Selection
1 Prefer the neighbor advertising the lowest root ID
2 Prefer the neighbor advertising the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID

Optional PVST+ Enhancements
PortFast: Enables immediate transition into the forwarding state on edge ports
UplinkFast: Enables access switches to maintain backup paths to root
BackboneFast: Enables immediate expiration of the Max Age timer on an indirect link failure

Spanning Tree Protection
Root Guard: Prevents a port from becoming the root port
BPDU Guard: Error disables a port if a BPDU is received
Loop Guard: Prevents a blocked port from transitioning to listening after the Max Age timer has expired
BPDU Filter: Blocks BPDUs on an interface

RSTP Link Types
Point-to-Point: Connects to exactly one other bridge (a full duplex interface)
Shared: Potentially connects to multiple bridges (a half duplex interface)
Edge: Connects to a single host; designated by applying PortFast

MST Configuration
! Set STP type
spanning-tree mode mst
! MST Configuration
spanning-tree mst configuration
 name MyTree
 revision 1
 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19

Troubleshooting
show spanning-tree [summary | detail]
show spanning-tree root
show spanning-tree vlan <VLAN>
show spanning-tree interface <interface>
show spanning-tree mst [<instance>] [detail]
show spanning-tree mst configuration
show spanning-tree mst interface <interface>

v2.0

by Jeremy Stretch

SUBNETTING
Subnet Chart
CIDR   Subnet Mask         Addresses       Wildcard
/32    255.255.255.255     1               0.0.0.0
/31    255.255.255.254     2               0.0.0.1
/30    255.255.255.252     4               0.0.0.3
/29    255.255.255.248     8               0.0.0.7
/28    255.255.255.240     16              0.0.0.15
/27    255.255.255.224     32              0.0.0.31
/26    255.255.255.192     64              0.0.0.63
/25    255.255.255.128     128             0.0.0.127
/24    255.255.255.0       256             0.0.0.255
/23    255.255.254.0       512             0.0.1.255
/22    255.255.252.0       1,024           0.0.3.255
/21    255.255.248.0       2,048           0.0.7.255
/20    255.255.240.0       4,096           0.0.15.255
/19    255.255.224.0       8,192           0.0.31.255
/18    255.255.192.0       16,384          0.0.63.255
/17    255.255.128.0       32,768          0.0.127.255
/16    255.255.0.0         65,536          0.0.255.255
/15    255.254.0.0         131,072         0.1.255.255
/14    255.252.0.0         262,144         0.3.255.255
/13    255.248.0.0         524,288         0.7.255.255
/12    255.240.0.0         1,048,576       0.15.255.255
/11    255.224.0.0         2,097,152       0.31.255.255
/10    255.192.0.0         4,194,304       0.63.255.255
/9     255.128.0.0         8,388,608       0.127.255.255
/8     255.0.0.0           16,777,216      0.255.255.255
/7     254.0.0.0           33,554,432      1.255.255.255
/6     252.0.0.0           67,108,864      3.255.255.255
/5     248.0.0.0           134,217,728     7.255.255.255
/4     240.0.0.0           268,435,456     15.255.255.255
/3     224.0.0.0           536,870,912     31.255.255.255
/2     192.0.0.0           1,073,741,824   63.255.255.255
/1     128.0.0.0           2,147,483,648   127.255.255.255
/0     0.0.0.0             4,294,967,296   255.255.255.255

Decimal to Binary
Subnet Mask             Wildcard
255   1111 1111         0     0000 0000
254   1111 1110         1     0000 0001
252   1111 1100         3     0000 0011
248   1111 1000         7     0000 0111
240   1111 0000         15    0000 1111
224   1110 0000         31    0001 1111
192   1100 0000         63    0011 1111
128   1000 0000         127   0111 1111
0     0000 0000         255   1111 1111

Subnet Proportion (diagram not reproduced)

Classful Ranges
A   0.0.0.0 - 127.255.255.255
B   128.0.0.0 - 191.255.255.255
C   192.0.0.0 - 223.255.255.255
D   224.0.0.0 - 239.255.255.255
E   240.0.0.0 - 255.255.255.255

Reserved Ranges
RFC1918     10.0.0.0 - 10.255.255.255
Localhost   127.0.0.0 - 127.255.255.255
RFC1918     172.16.0.0 - 172.31.255.255
RFC1918     192.168.0.0 - 192.168.255.255

Determine Usable Hosts
Total Addresses   Subnet ID   Broadcast Address   Usable hosts
256               1           1                   254

Terminology
CIDR: Classless interdomain routing was developed to provide more granularity than legacy classful addressing; masks expressed in the form /XX are in CIDR notation
VLSM: Variable length subnet masks are an arbitrary length between 0 and 32 bits; CIDR relies on VLSMs to define routes
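The arithmetic behind the Subnet Chart, the Decimal to Binary table and the usable-host rule, as an added example that is not part of the packetlife sheet: the mask is built from the prefix length with integer shifts, the wildcard is the inverted mask, and usable hosts are total addresses minus subnet ID and broadcast. It goes beyond the sheet in one place, treating /31 and /32 as having no reserved addresses (RFC 3021 point-to-point and host routes), which is labelled as an assumption in the code.

```python
"""Added example (not from the packetlife sheet): the subnet arithmetic behind
the Subnet Chart and Decimal to Binary tables, done with integer masks."""
from functools import reduce

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return reduce(lambda acc, o: (acc << 8) | o, octets, 0)


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/N -> mask with N leading ones, e.g. /26 -> 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def octet_bits(value: int) -> str:
    """Render one octet as in the Decimal to Binary table, e.g. 252 -> '1111 1100'."""
    bits = f"{value:08b}"
    return f"{bits[:4]} {bits[4:]}"


def subnet_facts(cidr: str) -> dict:
    """Everything the Subnet Chart and the usable-hosts table derive from a /N.
    Usable hosts follow the sheet (total minus subnet ID and broadcast) for /30
    and shorter; treating /31 and /32 as fully usable is an assumption beyond
    the sheet (RFC 3021 point-to-point links and host routes)."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = mask_from_prefix(prefix)
    wildcard = mask ^ ALL_ONES            # Wildcard column: the inverted mask
    network = dotted_to_int(addr) & mask
    broadcast = network | wildcard
    total = 1 << (32 - prefix)            # Addresses column: 2^(32-N)
    usable = total - 2 if prefix <= 30 else total
    return {
        "subnet_id": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "mask": int_to_dotted(mask),
        "wildcard": int_to_dotted(wildcard),
        "total": total,
        "usable": usable,
    }


def smallest_prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable host count covers `hosts`."""
    for prefix in range(30, -1, -1):
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than a /0 can hold")


def address_class(addr: str) -> str:
    """Classful Ranges table, decided by the first octet."""
    first = dotted_to_int(addr) >> 24
    for name, upper in (("A", 127), ("B", 191), ("C", 223), ("D", 239), ("E", 255)):
        if first <= upper:
            return name


def is_rfc1918(addr: str) -> bool:
    """Reserved Ranges table: 10/8, 172.16/12, 192.168/16."""
    value = dotted_to_int(addr)
    ranges = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
    return any(value & mask_from_prefix(p) == dotted_to_int(base) for base, p in ranges)


if __name__ == "__main__":
    for cidr in ("192.168.1.130/26", "10.20.0.0/16", "172.31.255.7/30"):
        print(cidr, subnet_facts(cidr))
    print("/N for 100 hosts:", smallest_prefix_for_hosts(100))
    print("252 =", octet_bits(252), "| wildcard 3 =", octet_bits(3))
```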

by Jeremy Stretch

v1.0

TCPDUMP
Command Line Options
-A            Print frame payload in ASCII
-c <count>    Exit after capturing count packets
-D            List available interfaces
-e            Print link-level headers in the capture dump
-F <file>     Use file as the filter expression
-G <n>        Rotate the dump file every n seconds
-i <iface>    Specifies the capture interface
-K            Don't verify TCP checksums
-L            List data link types for the interface
-n            Don't convert addresses to names
-p            Don't capture in promiscuous mode
-q            Quick output
-r <file>     Read packets from file
-s <len>      Capture up to len bytes per packet
-S            Print absolute TCP sequence numbers
-t            Don't print timestamps
-v[v[v]]      Print more verbose output
-w <file>     Write captured packets to file
-x            Print frame payload in hex
-X            Print frame payload in hex and ASCII
-y <type>     Specify the data link type
-Z <user>     Drop privileges from root to user

Capture Filter Primitives
[src|dst] host <host>                      Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>               Matches a host as the Ethernet source, destination, or either
gateway host <host>                        Matches packets which used host as a gateway
[src|dst] net <network>/<len>              Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>            Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>    Matches TCP or UDP packets to/from a port in the given range
less <length>                              Matches packets less than or equal to length
greater <length>                           Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>            Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                       Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                   Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]    Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                              Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                             Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                      Matches packets by an arbitrary expression

Protocols
arp ether fddi icmp ip ip6 link ppp radio rarp slip tcp tr udp wlan

TCP Flags
tcp-urg tcp-ack tcp-push tcp-rst tcp-syn tcp-fin

ICMP Types
icmp-echoreply icmp-unreach icmp-sourcequench icmp-redirect icmp-echo icmp-routeradvert icmp-routersolicit icmp-timxceed icmp-paramprob icmp-tstamp icmp-tstampreply icmp-ireq icmp-ireqreply icmp-maskreq icmp-maskreply

Modifiers
! or not
&& or and
|| or or

Examples
udp dst port not 53               All UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2    All packets between these hosts
tcp dst port 80 or 8080           All packets to either TCP port

v1.0

by Jeremy Stretch

VLANS
Trunk Encapsulation (Ethernet header, 802.1Q and ISL frame diagrams not reproduced)

Trunk Types
                 802.1Q    ISL
Header Size      4 bytes   26 bytes
Trailer Size     N/A       4 bytes
Standard         IEEE      Cisco
Maximum VLANs    4094      1000
Command          dot1q     isl

VLAN Numbers
0           Reserved
1           default
1002        fddi-default
1003        tr
1004        fdnet
1005        trnet
1006-4094   Extended
4095        Reserved

VLAN Creation
Switch(config)# vlan 100
Switch(config-vlan)# name Engineering

Access Port Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 150

Trunk Port Configuration
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,100-200
Switch(config-if)# switchport trunk native vlan 10

SVI Configuration
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0

VTP Configuration
Switch(config)# vtp mode server
Switch(config)# vtp domain LASVEGAS
Switch(config)# vtp password Presl3y
Switch(config)# vtp version 2
Switch(config)# vtp pruning

Terminology
Trunking: Extending multiple VLANs over the same physical connection
Native VLAN: By default, frames in this VLAN are untagged when sent across a trunk
Access VLAN: The VLAN to which an access port is assigned
Voice VLAN: If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port
Dynamic Trunking Protocol (DTP): Can be used to automatically establish trunks between capable ports; carries a security risk
Switched Virtual Interface (SVI): A virtual interface which provides a routed gateway into and out of a VLAN

VLAN Trunking Protocol
Domain: Common to all switches participating in VTP
Server Mode: Generates and propagates VTP advertisements to clients; this mode is default on unconfigured switches
Client Mode: Receives and forwards advertisements from servers; VLANs cannot be manually configured on switches in client mode
Transparent Mode: Forwards advertisements but does not participate in VTP; VLANs must be configured manually
Pruning: VLANs not having any access ports on an end switch are removed from the trunk to reduce flooded traffic

Switch Port Modes
trunk: Forms an unconditional trunk
dynamic desirable: Actively attempts to negotiate a trunk with the distant end
dynamic auto: Will form a trunk only if requested by the distant end
access: Will never form a trunk

Troubleshooting
show vlan
show interface status
show interface switchport
show interface trunk
show vtp status
show vtp password

by Jeremy Stretch

v1.2

WIRESHARK DISPLAY FILTERS PART 1


Ethernet
eth.addr eth.dst eth.ig eth.len eth.lg eth.multicast eth.src eth.trailer eth.type

ARP
arp.dst.hw_mac arp.dst.proto_ipv4 arp.hw.size arp.hw.type arp.opcode arp.proto.size arp.proto.type arp.src.hw_mac arp.src.proto_ipv4

IEEE 802.1Q
vlan.cfi vlan.etype vlan.id vlan.len vlan.priority vlan.trailer

IPv4
ip.addr ip.checksum ip.checksum_bad ip.checksum_good ip.dsfield ip.dsfield.ce ip.dsfield.dscp ip.dsfield.ect ip.dst ip.dst_host ip.flags ip.flags.df ip.flags.mf ip.flags.rb ip.frag_offset ip.fragment ip.fragment.error ip.fragment.multipletails ip.fragment.overlap ip.fragment.overlap.conflict ip.fragment.toolongfragment ip.fragments ip.hdr_len ip.host ip.id ip.len ip.proto ip.reassembled_in ip.src ip.src_host ip.tos ip.tos.cost ip.tos.delay ip.tos.precedence ip.tos.reliability ip.tos.throughput ip.ttl ip.version

IPv6
ipv6.addr ipv6.class ipv6.dst ipv6.dst_host ipv6.dst_opt ipv6.flow ipv6.fragment ipv6.fragment.error ipv6.fragment.more ipv6.fragment.multipletails ipv6.fragment.offset ipv6.fragment.overlap ipv6.fragment.overlap.conflict ipv6.fragment.toolongfragment ipv6.fragments ipv6.fragment.id ipv6.hlim ipv6.hop_opt ipv6.host ipv6.mipv6_home_address ipv6.mipv6_length ipv6.mipv6_type ipv6.nxt ipv6.opt.pad1 ipv6.opt.padn ipv6.plen ipv6.reassembled_in ipv6.routing_hdr ipv6.routing_hdr.addr ipv6.routing_hdr.left ipv6.routing_hdr.type ipv6.src ipv6.src_host ipv6.version

TCP
tcp.ack tcp.checksum tcp.checksum_bad tcp.checksum_good tcp.continuation_to tcp.dstport tcp.flags tcp.flags.ack tcp.flags.cwr tcp.flags.ecn tcp.flags.fin tcp.flags.push tcp.flags.reset tcp.flags.syn tcp.flags.urg tcp.hdr_len tcp.len tcp.nxtseq tcp.options tcp.options.cc tcp.options.ccecho tcp.options.ccnew tcp.options.echo tcp.options.echo_reply tcp.options.md5 tcp.options.mss tcp.options.mss_val tcp.options.qs tcp.options.sack tcp.options.sack_le tcp.options.sack_perm tcp.options.sack_re tcp.options.time_stamp tcp.options.wscale tcp.options.wscale_val tcp.pdu.last_frame tcp.pdu.size tcp.pdu.time tcp.port tcp.reassembled_in tcp.segment tcp.segment.error tcp.segment.multipletails tcp.segment.overlap tcp.segment.overlap.conflict tcp.segment.toolongfragment tcp.segments tcp.seq tcp.srcport tcp.time_delta tcp.time_relative tcp.urgent_pointer tcp.window_size

UDP
udp.checksum udp.checksum_bad udp.checksum_good udp.dstport udp.length udp.port udp.srcport

Operators
eq   ==
ne   !=
gt   >
lt   <
ge   >=
le   <=

Logic
and   &&    Logical AND
or    ||    Logical OR
xor   ^^    Logical XOR
not   !     Logical NOT
[n] [...]   Substring operator

by Jeremy Stretch

v1.0

WIRESHARK DISPLAY FILTERS PART 2


Frame Relay
fr.becn fr.chdlctype fr.control fr.control.f fr.control.ftype fr.control.n_r fr.control.n_s fr.control.p fr.control.s_ftype fr.control.u_modifier_cmd fr.control.u_modifier_resp fr.cr fr.dc fr.de fr.dlci fr.dlcore_control fr.ea fr.fecn fr.lower_dlci fr.nlpid fr.second_dlci fr.snap.oui fr.snap.pid fr.snaptype fr.third_dlci fr.upper_dlci

RIP
rip.auth.passwd rip.auth.type rip.command rip.family rip.ip rip.metric rip.netmask rip.next_hop rip.route_tag rip.routing_domain rip.version

ICMPv6
icmpv6.all_comp icmpv6.checksum icmpv6.checksum_bad icmpv6.code icmpv6.comp icmpv6.haad.ha_addrs icmpv6.identifier icmpv6.option icmpv6.option.cga icmpv6.option.cga.pad_length icmpv6.option.length icmpv6.option.name_type icmpv6.option.name_type.fqdn icmpv6.option.name_x501 icmpv6.option.rsa.key_hash icmpv6.option.type icmpv6.ra.cur_hop_limit icmpv6.ra.reachable_time icmpv6.ra.retrans_timer icmpv6.ra.router_lifetime icmpv6.recursive_dns_serv icmpv6.type

PPP
ppp.address ppp.control ppp.direction ppp.protocol

MPLS
mpls.bottom mpls.cw.control mpls.cw.res mpls.exp mpls.label mpls.oam.bip16 mpls.oam.defect_location mpls.oam.defect_type mpls.oam.frequency mpls.oam.function_type mpls.oam.ttsi mpls.ttl

BGP
bgp.aggregator_as bgp.aggregator_origin bgp.as_path bgp.cluster_identifier bgp.cluster_list bgp.community_as bgp.community_value bgp.local_pref bgp.mp_nlri_tnl_id bgp.mp_reach_nlri_ipv4_prefix bgp.mp_unreach_nlri_ipv4_prefix bgp.multi_exit_disc bgp.next_hop bgp.nlri_prefix bgp.origin bgp.originator_id bgp.type bgp.withdrawn_prefix

ICMP
icmp.checksum icmp.checksum_bad icmp.code icmp.ident icmp.mtu icmp.redir_gw icmp.seq icmp.type

HTTP
http.accept http.accept_encoding http.accept_language http.authbasic http.authorization http.cache_control http.connection http.content_encoding http.content_length http.content_type http.cookie http.date http.host http.last_modified http.location http.notification http.proxy_authenticate http.proxy_authorization http.proxy_connect_host http.proxy_connect_port http.referer http.request http.request.method http.request.uri http.request.version http.response http.response.code http.server http.set_cookie http.transfer_encoding http.user_agent http.www_authenticate http.x_forwarded_for

DTP
dtp.neighbor dtp.tlv_len dtp.tlv_type dtp.version

VTP
vtp.neighbor vtp.code vtp.conf_rev_num vtp.followers vtp.md vtp.md5_digest vtp.md_len vtp.seq_num vtp.start_value vtp.upd_id vtp.upd_ts vtp.version vtp.vlan_info.802_10_index vtp.vlan_info.isl_vlan_id vtp.vlan_info.len vtp.vlan_info.mtu_size vtp.vlan_info.status.vlan_susp vtp.vlan_info.tlv_len vtp.vlan_info.tlv_type vtp.vlan_info.vlan_name vtp.vlan_info.vlan_name_len vtp.vlan_info.vlan_type

by Jeremy Stretch

v1.0