Network Protocol - Language that governs communication between networking devices
Cost of route - The number of routes (hops) it takes to go from one interface to another
SOHO - Small Office & Home Office
tracert - tracert shows the number of hops to the destination
Logical topology - Path of how data is transferred between devices
Physical topology - Physical arrangement of a network (cables, devices)
DNS - Domain Name System
Speed (bits per second) (1 byte = 8 bits)

Uptime vs Availability
- Uptime = Number of minutes up / Total number of minutes in a year [525600]
- Availability = ((Total number of minutes in a year - Downtime in minutes) / (Total number of minutes in a year)) * 100

Bus topology - All devices connected in a line that branches off
Ring topology - Cabled together, first device connected to last device
- Each device connected to 2 devices
Star topology - Star shape, all devices connected to a central switch
Mesh topology - One device connects to multiple devices -> increases redundancy

OSI Model (Open Systems Interconnection Model) - created by the International Organization for Standardization (ISO)
Please do not throw sausage pizza away
- Application
- Presentation
- Session
- Transport (TCP/UDP)
- Network (IP Address, Router, Layer 3 switch)
- Data Link (MAC Address, Bridge, Switches)
- Physical (RJ45, Hubs, Physical Interfaces)
*Each layer is independent of the others

Layer 7 Application Layer
- FTP, Telnet, HTTP
- Uses protocols to communicate with lower layers
- Provides network services to applications, user authentication
- Not talking about an individual application; talking about the application protocol, not the application itself

Layer 6 Presentation Layer
- Ensures that data sent by one application is "readable" by another application (an MP3 can be listened to online with Windows and iOS because data is presented in a format that both sides understand)
- Formats data to be presented to the application layer
- Negotiates data transfer syntax for the application layer
-
Provides encryption
- This data must be changed to a "machine independent format" ~ imagine opening a JPG in Notepad

Layer 5 Session Layer
- Establishes, maintains and terminates sessions between applications
- Two application processes on different machines can establish a session
ex. NetBIOS (Network Basic Input/Output System)
ex. PPTP (Point-to-Point Tunneling Protocol)

Layer 4 Transport Layer
- Message segmentation: segments the message from the upper layers into smaller units, then passes it down to the Network layer for sending
- Handles transportation issues between hosts
- Ensures data transport reliability
- Flow control, makes sure it is not transferring more data than the receiver can process
- Session Multiplexing, multiple message streams or sessions onto one logical link
1) TCP (Transmission Control Protocol)
- reliability; establishes, maintains, and terminates virtual circuits
- TCP 3-way handshake
- If a packet is missing, it will be retransmitted
2) UDP (User Datagram Protocol)
- Does not provide reliability
- If packets are dropped, they are lost; does not retransmit lost packets

Layer 3 Network Layer
- This layer is all about data delivery, how it routes data from one device to another
- Concerned with path determination
- 3 routing protocols in Layer 3 switches (router capable)
1) OSPF (Open Shortest Path First)
2) BGP (Border Gateway Protocol)
3) IS-IS (Intermediate System to Intermediate System)
*No reliability at this level. Must depend on TCP. If UDP is used, the application layer needs to provide reliability.
Ex. TFTP uses UDP at Layer 4, and IP at Layer 3 = no reliability. Therefore, TFTP must provide reliability itself.

Layer 2 Data Link
- Concerned with how data is formatted for transmission
ex. Ethernet -> uses MAC address XXXYYY = 48 bits (made from OUI Organizationally Unique Identifier XXX + Unique Portion YYY)
- MAC Address is a flat address structure VS IP Address is logically assigned.
Therefore, Data Link does:
- Provides error detection
- Data Link formats according to the type of media (Ethernet, WAN link) into the appropriate physical link

Layer 1 Physical
- Physical devices and physical cabling
- Specs of these media types

TCP/IP model
- Application Layer
- Transport Layer
- Internet Layer
- Network Access Layer

Host Communication:
- Layer 7 only talks to Layer 7 through encapsulation and decapsulation, similarly 1 -> 1
- Encapsulation puts a "header" onto the user data from L7 to L2, then FCS Frame Check Sequence is added at the end to ensure there is no corruption
[User Data]
[L7 Hdr][User Data]
[L6 Hdr][L7 Hdr][User Data]
[L5 Hdr][L6 Hdr][L7 Hdr][User Data]
[L4 Hdr][L5 Hdr][L6 Hdr][L7 Hdr][User Data]
[L3 Hdr][L4 Hdr][L5 Hdr][L6 Hdr][L7 Hdr][User Data]
[L2 Hdr][L3 Hdr][L4 Hdr][L5 Hdr][L6 Hdr][L7 Hdr][User Data] FCS
[Bits] --- through Physical Media as bits (0,1)
-- Transport layer transmits "Segments"
Network layer transmits "Packets"
Data Link layer transmits "Frames"
Physical layer transmits "Bits"
Protocol Data Unit (PDU) = segments, packets, frames, bits

Bits (0,1)
128 64 32 16 8 4 2 1
Hexadecimal (0-F)
0,1,2,...,9,A,B,...,F
0,1,2,...,9,10 (1010),11,...,15 (1111)
ex. 128 = 1000 0000 = 8 0 or 80 (Hexadecimal)
ex. 240 = 1111 0000 = 15 0 or F0 (Hexadecimal)

ipconfig /all | more
arp -a
telnet (ip)
Change MAC address of computer (NIC -> Configure -> Network Address)
*Ping requires ICMP Internet Control Message Protocol

RFC1918 Addresses - Private address 10.1.1.1

IP Characteristics
- Layer 3 or network layer protocol
- Connectionless, no sessions formed.
TCP on the other hand is connection oriented
- Packets are treated independently of other packets (packets can take different paths to get to the destination) -> these packets go through a "Routing Protocol" which determines the best path from A to B (bandwidth, hop count, load balancing)
- NO guaranteed delivery or data loss recovery (corruption); IP uses "best effort delivery", again TCP will be needed if guaranteed delivery is required

Recap IP:
- no built-in sessions
- no built-in retransmission
- TCP is needed to handle dropped, corrupted, and misdirected packets. IP relies on a higher level protocol for those requirements

Before TCP can be established and any data transmitted, 3-way handshake
(Transmitter) SYN -> (Receiver)
(Transmitter) <- SYN ACK (Receiver)
(Transmitter) ACK -> (Receiver)

Address Classes IPv4
- Class A (unicast)
- Class B (unicast)
- Class C (unicast)
- Class D - multicast (one device talking to a group of devices, rather than 1 to 1)
- Class E - reserved for future or experimental purposes
* classful addresses superseded by CIDR (Classless Inter-Domain Routing) in 1993
* allocated by the Internet Assigned Numbers Authority (IANA)

Class A (start with binary 1 - 1XXXXXXX)
- first 8 bits = network
- Start with 1, end with 126: 1.0.0.0 - 126.255.255.255
- 0 is reserved for the default network, and 127 is reserved for loopback
- [00000000 network],[00000000,00000000,00000000 hosts]
Class B (start with binary 10 - 10XXXXXX)
- first 16 bits = network
- Start with 128, end with 192: 128.0.0.0 to 191.255.255.255
- [00000000,00000000 network],[00000000,00000000 hosts]
Class C (start with binary 110 -> 110XXXXX)
- first 24 bits = network
- Start with 192, end with 223: 192.0.0.0 to 223.255.255.255
- [00000000,00000000,00000000 network],[00000000 hosts]
Class D - multicast
- 224.0.0.0 - 239.255.255.255
Class E - reserved for future or experimental purposes
- 240.0.0.0 - 255.255.255.255

Directed Broadcast Address
- Host sends data to all devices on a specific network
- It
is when all host bits are set to 1s
ex. network 172.31.0.0 => broadcast 172.31.255.255
- Routers can route directed broadcasts, but it is disabled by default to prevent hacking utilities (ex. Smurf) from performing DoS attacks

Local Broadcast Address
- communicate with all devices on the local network
- address is all binary 1s: 255.255.255.255
ex. host requests an IP address from a DHCP server (Dynamic Host Configuration Protocol)
- the local broadcast address is ALWAYS dropped by a router; however this can be bypassed with DHCP forwarding or DHCP relay
ex. device B (vlan 10) connects through router A to the DHCP server (vlan 20). It broadcasts out a DHCP request, but it is blocked by router A. When DHCP forwarding or relay is turned on, router A still blocks this broadcast request, but proxies a unicast DHCP request to the DHCP server on behalf of device B

Local loopback address
- 127.0.0.1 -> the system sends a message to itself (anything in the range 127.X.X.X is loopback; any of them can be used to test that the TCP/IP stack is correctly installed on a machine)
- Notice 127.0.0.1 is class A, therefore a design flaw of IPv4 to use this class A address for this purpose; loses 16 million addresses
- IPv6 uses "::1"
*Routers' and switches' loopback address ("loopback interface") is different from the local loopback address

Private Addresses
- A Request for Comments is a formal document (Internet Engineering Task Force IETF, drafted by a community from multiple vendors); changes can be made only by another RFC - it can be superseded - Internet Standards
- RFC1918: private IP addresses are non-routable addresses on the internet, blocked by the ISP; blocked by IANA Internet Assigned Numbers Authority
-> 10.0.0.0-10.255.255.255
-> 172.16.0.0-172.31.255.255
-> 192.168.0.0-192.168.255.255
- RFC3927: IPv4 Link-Local Addresses, Automatic Private IP Addressing (APIPA) by Microsoft. Range 169.254.0.0 /16.
Allows devices connected through a cable or local segment (switch) to communicate with each other when no DHCP server is available, without configuration. The host randomly generates the host-specific part of the address

Subnet Mask
- Local vs Remote -> if the network portion of device A is the same as device B, then A and B are on the same network - hence, local - otherwise A is remote to B

Discontiguous Subnet Mask
- A subnet mask must start with binary 1s and afterwards the 0s have to be together
ex. 255.240.0.0 = 11111111.11110000.00000000.00000000
- A discontiguous subnet mask is inconsistent, ex. 240.255.3.191 = 11110000.11111111.00000110.11000000
*Discontiguous subnet masks are not supported by Cisco devices

CIDR (Classless Inter-Domain Routing - introduced in 1993)
- Replaced classful IP addressing
- Variable Length Subnet Mask (VLSM)
ex. CIDR notation = /24 instead of 255.255.255.0, or /11 = 255.224.0.0 (not on an octet boundary)

Cisco IOS Internetwork Operating System
- Cisco's OS
- Connecting to routers via the Console Port

Cisco IOS shortcuts
- ?
for help
- Ctrl + C to cancel the current operation
- Ctrl + Shift + 6 to abort ping or tracert
- Ctrl + Z to get back to Privilege Mode
- Ctrl + A to get to the beginning of the line
- Ctrl + E to get to the end of the line
- Ctrl + D to delete
- Ctrl + U to remove the entire line

Cisco IOS misc:
- enable secret is an encrypted password [should not be used]
- enable password is shown in cleartext in the running & saved configuration [should not be used]
- VTY lines are used for Telnet and SSH connections

Cisco IOS modes
1) User Mode => Type "enable" in User Mode to enter Privilege Mode/Enable Mode
Router>
Router>enable
Router#
*View Only Mode - no execution
*By default - no authentication needed
2) Privilege Mode => Type "configure terminal" in Privilege Mode/Enable Mode to enter Global Configuration Mode
Router#
Router#conf t
Router(config)#
3) Global Configuration Mode => Type "int f0/0" in Global Configuration Mode to enter Interface Mode
Router(config)#
Router(config)#int f0/0
Router(config-if)#
*Change hostname
Router(config)# hostname newNameHere
*Change banner motd (notice the delimiting character to start and finish the motd)
Router(config)# banner motd #dflsjfkljdfs#
4) Interface Mode
Router(config-if)#
*Change the interface IP address: type "ip address 10.0.0.1 255.255.255.0" to change the IP address
Router(config-if)# ip address 10.0.0.1 255.255.255.0
5) Line Mode
- Line Console Mode (configuring the console port) ex. line console 0
*Setting a password for the Console before access to User Mode
Router>
Router(config)# line console 0
Router(config-line)# login (this makes it required that a password is needed; the order of login and password does not matter)
Router(config-line)# password enterPasswordHere
- Line VTY Mode (configuring Telnet/SSH) ex. line vty 0 4 (to configure the first 5 vty lines)
*Specify routing protocol (ex.
RIP) - will be covered later
Router(config)# router rip
[commands]

Cisco IOS commands
Switch# show mac address-table
Router> show version
Router> enable
Router# show startup-config
Router# show startup-config | include hostname [only viewing the hostname]
Router# show running-config
Router# show running-config | begin vty [looking at a particular section]
Router# show ip interface brief
Router# show ip interface g0/0
Router# copy running-config startup-config [saves RAM to NVRAM] MERGE, not overridden
Router# configure replace nvram:startup-config - REPLACEMENT (preferred if entire replacement)
Router# erase startup-config
Router# copy running-config tftp: > 192.168.XX.XX
Router# copy startup-config tftp: > 192.168.XX.XX
Router# copy tftp running-config > 192.168.XX.XX > sourceFileName [merge running-config from tftp] - MERGE of running-config
Router# copy tftp startup-config > 192.168.XX.XX > sourceFileName [copy startup-config from tftp] - REPLACEMENT of startup-config in NVRAM
Router# configure replace tftp://192.168.XX.XX/sourceFileName [copy running-config from tftp] - REPLACEMENT of running-config
Router# show flash [files can also be stored in flash]
Router# copy running-config flash:run1.cfg [copying files to flash]
Router# copy startup-config flash:/start.cfg [copying files to flash]
Router# more flash:run1.cfg [viewing content from stored flash]
Router# more flash:/start.cfg [viewing content from stored flash]
Router# wr [write memory - builds the startup configuration]
Router# terminal length X [sets the terminal length, or 0 to show all - default is 24]
Router(config)# no ip domain lookup [prevents a mistyped command from waiting to time out while resolving DNS]
Router# debug ip icmp [on the router, when a computer tries to ping the router, you can see the result]
Router(config)# ip dhcp pool NAME [DHCP pool on the router]
Router(config)# ip dhcp excluded-address ipAddressStart ipAddressEnd [exclude IP addresses from the DHCP pool]
Router(dhcp-config)#
default-router ipOfGateway [Gateway]
Router(dhcp-config)# dns-server ipOfDNSServer [DNS Server]

Summary:
- copy running startup [override - overriding the startup config with the running config]
- copy from startup config to running config [merge]
- configure terminal is a merge of configuration
- copy tftp: running [merge - copying from tftp to running config]
- copy tftp: startup [replacement]
- backup with copy run tftp: or copy start tftp:

Subnetting
ex. 172.16.35.123 /20 == 172.16.01000011.123, mask 255.255.240.0
Therefore 35 -> 0100 0011
0100 = network = 32
0011 = host = 3
*Network IP = 172.16.32.0 [all host bits = 0]
*1st IP = 172.16.32.1 [all host bits = 0, except for the last = 1]
*Last IP = 172.16.47.254 [all host bits = 1, except for the last = 0]
*Broadcast = 172.16.47.255 [all host bits = 1]

Subnetting
ex. 172.16.129.1 /17 == 172.16.10000001.1, mask 255.255.128.0
Therefore 129 -> 1 000 0001
1 = network = 128
000 0001 = host = 1
*Network IP = 172.16.128.0 [all host bits = 0]
*1st IP = 172.16.128.1 [all host bits = 0, except for the last = 1]
*Last IP = 172.16.255.254 [all host bits = 1, except for the last = 0]
*Broadcast = 172.16.255.255 [all host bits = 1]

Subnetting and Networks
# of hosts per subnet = 2^n - 2 (network and broadcast)
# of networks = 2^n
ex. 10.1.1.0 /24 into subnets that support 14 machines
1) 2^4 - 2 = 16 - 2 = 14 machines. Therefore, we need a subnet of /28 (borrowing 4 bits)
2) Turn /24 into /28, 10.1.1.0 -> 10.1.1. 0000 | 0000
So...
10.1.1.0 /28 (0000 | 0000)
10.1.1.16 /28 (0001 | 0000)
10.1.1.32 /28 (0010 | 0000)
10.1.1.48 /28 (0011 | 0000)
...
10.1.1.240 /28 (not 254 because 255.255.255.240 = /28 or 1111|0000 - remember .240 because the host portion remains 0)

Subnetting and Networks
ex. 10.128.192.0 /18 requires 30 subnets with as many hosts as possible
# of networks (subnets) = 2^5, therefore n=5 (borrow 5 bits)
/18 = 255.255.192.0
192 -> 11 | 000000
We need to borrow 5 bits, therefore /18 -> /23 and 11|000000 becomes 1100000|0
So...
10.128.192.0 /23 (1100000|0)
10.128.194.0 /23 (1100001|0)
10.128.196.0 /23 (1100010|0)
10.128.198.0 /23 (1100011|0)
...
10.128.254.0 /23 (1111111|0 - remember 254.0 because the host portion remains 0)

ex. What is the network address for 172.16.1.1 with network mask 255.255.192.0?
network mask = 255.255.192.0 = /18 or 11 | 000000 (host)
-> Make all host bits = 0 to find the network address, therefore 172.16.0.0 /18

ex. What is the broadcast address for host 172.16.1.1 with network mask 255.255.192.0?
network mask 255.255.192.0 = /18 or 11 | 000000 . 00000000 (host)
-> Make all host bits = 1 to find the broadcast address, therefore 172.16.63.255 /18

ex. PC's IP address is 192.168.1.130/27; configure the router's Ethernet 0 interface with the last IP address in the same subnet
-> /27 = 255.255.255.224, 130 = 100 | 00010
-> Therefore, last IP address = broadcast - 1
-> Set host bits = 1, 100 | 11111 = 159, 159 - 1 = 158
-> Therefore, the router's Ethernet 0 interface should be 192.168.1.158 /27
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 192.168.1.158 255.255.255.224

ex. Configure the router's serial interface (Serial 0/1) with the last IP address in the subnet 192.168.168.184/30, then enable the router's interface
-> /30 = 255.255.255.252, 184 = 101110|00
-> Therefore, last IP address = broadcast - 1
-> Set host bits = 1, 187 - 1 = 186
-> Therefore, 192.168.168.186 255.255.255.252
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface serial 0/1
Router1(config-if)#ip address 192.168.168.186 255.255.255.252
Router1(config-if)#no shutdown

ex. Configure the router's Ethernet 0 interface with the last IP address in the same subnet as the PC in the diagram. Note 2: the PC's address is 172.16.197.231/23
-> .197 /23 = 1100010 | 1
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 172.16.197.254 255.255.254.0 (Note* Not 255, because that is the broadcast)

ex.
Configure the router's Ethernet 0/0 interface with the 2nd IP address in the same subnet as the PC in the diagram. Note: the PC's address is 172.16.197.231/23
-> 197 /23 = 1100010 | 1
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0/0
Router1(config-if)#ip address 172.16.196.2 255.255.254.0

ex. Your router is in the same subnet as host 10.199.199.199/26. Configure the router's Ethernet 0/0 interface with the first IP address in the subnet
-> 199 @ /26 = 11 | 00 0111
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0/0
Router1(config-if)#ip address 10.199.199.193 255.255.255.192

ex. Your router is in the same subnet as host 10.199.199.199/22. Configure the router's Ethernet 0 interface with the first IP address in the subnet
-> 199 @ /22 = 1100 01|11
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.199.196.1 255.255.252.0

ex. Your router is in the same subnet as host 10.199.199.199/22. Configure the router's Ethernet 0 interface with the last IP address in the subnet
-> 199 @ /22 = 1100 01|11
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.199.199.254 255.255.252.0

ex. Your router is in the same subnet as host 10.10.10.10/21. Configure the router's Ethernet 0 interface with the first IP address in the subnet
-> .10 /21 = 00001 | 010
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.10.8.1 255.255.248.0

ex. Your router is in the same subnet as host 10.10.10.10/21. Configure the router's Ethernet 0 interface with the last IP address in the subnet
-> .10 /21 = 00001 | 010
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.10.15.254 255.255.248.0

ex.
Your router is in the same subnet as host 172.172.172.172/25. Configure the router's Ethernet 0 interface with the first IP address in the subnet
-> .172 /25 = 1 | 0101100
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 172.172.172.129 255.255.255.128

ex. Your router is in the same subnet as host 172.172.172.172/25. Configure the router's Ethernet 0 interface with the last IP address in the subnet
-> .172 /25 = 1 | 0101100
[PROGRAM]
Router1>enable
Router1#conf t
Router1(config)#interface ethernet 0
Router1(config-if)#ip address 172.172.172.254 255.255.255.128

ex. Can 10.1.1.1 ping 10.1.2.1?
-> You don't know until you know its subnet mask
-> If we are given /24, can we still ping it? No, because /24 is 255.255.255.0 and (10.1.1).1 is the network for the 1st IP address and (10.1.2).1 is on another network. Hence, they are not able to ping each other
-> If we are given /16, can we still ping it? Yes, because /16 is 255.255.0.0 and (10.1).1.1 = (10.1).2.1 and 10.1 is the network on both devices

ex. For the network 192.168.1.0 /24, how to support 60 hosts?
1) Find host bits. 2^6 host bits = 64 hosts per subnet
2) From /24 = 11111111 11111111 11111111 00000000 -> Borrowing 6 host bits, /24 becomes /26 = 11111111 11111111 11111111 11000000
192.168.1.0 /26
192.168.1.64 /26
192.168.1.128 /26
192.168.1.192 /26

ex. Get 2 connected routers to talk to each other
Router1> enable
Router1# conf t
Router1(config)#router eigrp 100 [to enable full connectivity]
Router1(config-router)# network 192.168.1.0
Router1(config-router)# no auto-summary
Router2> enable
Router2# conf t
Router2(config)#router eigrp 100 [to enable full connectivity]
Router2(config-router)# network 192.168.1.0
Router2(config-router)# no auto-summary
[confirm it is working]
Router1# show ip eigrp neighbors
Router1# show ip route [see what's connected]

ex. Subnet 192.168.1.128 /26 to allow it to host only 2 hosts
1) To host 2 hosts, we only require 2 host bits.
Therefore 255.255.255.252 or /30, or 10 (network) | 00 00 (new subnet) | 00 (new host)
2) # of new subnets with 2 host bits is 2^(network bits borrowed) = 2^4 = 16 new subnets
Therefore the new subnets would be:
192.168.1.128 /30 (10 (network) | 00 00 (new subnet) | 00 (new host))
192.168.1.132 /30 (10 (network) | 00 01 (new subnet) | 00 (new host))
192.168.1.136 /30 (10 (network) | 00 10 (new subnet) | 00 (new host))
... /30
192.168.1.188 /30 (10 (network) | 11 11 (new subnet) | 00 (new host))

Basic Communication:
- CSMA/CD Carrier Sense Multiple Access Collision Detection
- Broadcast is not supported on IPv6
- Broadcast vs Multicast - multicast is a selected group of broadcast

Bus Topology (early ethernet)
- Connects through a T connector
- 10base5 "thicknet" (500 meters distance)
- 10base2 "thinnet" (185 meters distance)
- Uses CSMA/CD to avoid collisions
-> CS Carrier Sense checks the wire
-> MA Multiple Access allows multiple devices to access one wire

10base2
- AKA "Single Collision Domain / Single Broadcast Domain"
- Coax cable
- baseband
- 10Mbps is the maximum speed
- 2 is the maximum segment length of 185 meters
- Base = baseband - single signal in the wire (whereas broadband allows for multiple signals in the wire)
- Ends with a Terminator, because again... single signal. Therefore if it heads back, a collision would occur
(ISSUE1) Collision
(ISSUE2) Cable Length: the longer the cable, the greater the degradation
(ISSUE3) Cable break -> No terminator
(ISSUE4) 10Mbps is for the entire segment, not per device. Because of collisions, you can only utilize 30-40% of the speed
ex.
10Mbps through 4 devices, 10/4 = 2.5, then *0.3 = 0.75Mbps

10baseT
- Shielded/Unshielded twisted pair
- maximum segment length of 100 meters
- Base = baseband

RJ45 Pin Connector
- T568A or T568B
- TIA/EIA 568 defined as structured cabling standards
- EIA stands for Electronics Industry Alliance
- T568A (s.green, green, s.orange, blue, s.blue, orange, s.brown, brown)
- T568B (s.orange, orange, s.green, blue, s.blue, green, s.brown, brown) is most popular

Straight Through Cables
- When connecting PC to Router/Switch, etc.
- Uses Straight Through Cables (pin 1 corresponds to pin 1, pin 2 to pin 2, etc...)
- Ethernet port interface used on NICs, routers and uplink ports

Cross Over Cable
- When connecting 2 PCs or 2 Routers together
- TX transmit
- RX receive
- Pins cross (pin 1 TX+ to pin 3 RX+, pin 2 TX- to pin 6 RX-, pin 3 RX+ to pin 1 TX+, pin 6 RX- to pin 2 TX-)
-> in 10baseT or 100baseT, pins 4 5 7 8 are not used
-> in gigabit, all pins are used

Cable Category
- Cat3: telephone wiring, used to be used for data transfer
- Cat5: frequency up to 100MHz, speeds of 10/100 Mbps supported up to 100 meters
- Cat5e: frequency up to 100MHz, supports 1Gbps (improves on Cat5 by reducing noise and interference... most Cat5 meets Cat5e specs, but might not meet certifications, therefore not categorized as Cat5e) up to 100 meters
- Cat6: frequency up to 250MHz, increased pair twists per inch, supports 10Gbps up to 55 meters. Suitable for 10baseT, 100baseTX or Fast Ethernet, 1000baseT or Gigabit Ethernet, or 10Gbps Ethernet
- Cat6a (augmented): frequency up to 500MHz, supports 10Gbps up to 100 meters
- Cat7: frequency up to 600MHz, supports 10Gbps up to 100 meters (can be TERA connectors, doesn't have to be RJ45). Foiled every pair - class F
- Cat7a: frequency up to 1000MHz, supports 100Gbps.
- Cat8: supports 40Gbps
- Cat8.1: backward compatible and interoperable with Cat6a
- Cat8.2: interoperable with Cat7
- DAC Direct Attach Cable (DAC): up to 15 meters, SFP Small Form-factor Pluggable plug on each end. Supports fiber or copper. Up to 10Gbps on an SFP+ slot
- Roll Over Cable: special cable used in Cisco environments (connects a computer to the Console through the computer's serial port, or get a USB to DB9 converter) - pin 1 to 8, 2 to 7, ... 8 to 1

When to use Straight Through and Cross Over?
- Straight Through: router-switch, pc-switch, pc-bridge, pc-hub
- Cross Over: switch-switch, pc-pc, hub-hub, router-router, bridge-switch, pc-server, hub-switch

MDI Media Dependent Interface
- Nowadays Auto MDI/MDIX has made cross over cables obsolete - auto detects the cable type
- PCs, routers use MDI
- Switches and Hubs use MDIX

MAC Address
- 48 bits (24 bits for OUI + 24 bits for Station Address)
- OUI = Organizationally Unique Identifier - identifies the vendor
- Station address should be unique (can be changed in software) but it is burnt into the NIC physically
MAC OUI
- Last bit in the 1st Octet is 0 (unicast) or 1 (multicast)
- 2nd last bit in the 1st Octet is 0 (globally unique MAC address) or 1 (administrator has changed this in software)

Hub vs Bridge vs Switch
Hub
- Layer 1 Physical layer device
- Multiport repeater with no intelligence
- being a repeater, it can regenerate the signal to extend distance
- Physical Star topology (hub being the central device)
- Logical Bus topology (traffic regenerates to all devices)
- 10BaseT -> 10Mbps shared between 4 computers = 2.5Mbps * 0.30 (efficiency due to collisions) = 0.75Mbps
?How it works?
1) Receives traffic (frame with MAC address), amplifies the signal, then sends the traffic out of all ports except the port on which it was received
2) The destination NICs will receive the frame. They will see the destination MAC address does not match theirs, and they will drop the frame.
Otherwise, they will receive the frame - strip the layer 2 headers, pass the packet to the higher layer protocol

Bridge
- Layer 2 Data Link device
- Superseded Hubs
- Uses a MAC address table to learn where a device is on the topology
- Physical Star topology (bridge being the central device)
- Performs its processing in software (slow), whereas Switches perform their processing in hardware (fast)
?How it works?
1) Host A sending to Host B
2) When the Bridge boots up, the MAC address table is empty (although it can be configured with a static table)
3) After Host A sends to B, the MAC address table learns where Host A is
4) When Host B wants to reply to Host A, it will send a frame to Host A; again the Bridge now knows where Host B is, and will update its own MAC address table
5) Now different from a Hub, during step (4), the Bridge will not broadcast the message to all hosts, but reads from its MAC address table and will only send it to host A
**Advantage of a Bridge is that, if there are other hosts on the network (Host C & Host D), by having this directed traffic, it will not use C or D's bandwidth since Host A only wants to communicate with Host B
**Another advantage of a bridge is that every port is its own Collision Domain. If Host C is having a collision, it will not affect A, B or D

Switch
- Layer 2 Data Link Device
- Superseded Bridges
- Physical Star topology (switch being the central device)
- Similar to a bridge, every port is its own Collision Domain
**Advantage of a Switch is that it allows for more ports than bridges (this is possible because processing is done in hardware (faster) using ASICs Application Specific Integrated Circuits, which allow for high throughput and quick table lookup rather than software)
**Another advantage, a switch can operate at "Wire Speed" (no performance degradation between 2 devices) - performs as fast as if the switch is not even there - does not slow the frame down
**Another advantage, a switch provides X Mbps dedicated speed, compared to a hub where the speed is shared.
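The bridge/switch learning process described above, as an added example that is not part of these notes and not any vendor's code: a small Python simulation of a learning switch. The MAC table starts empty, each frame teaches the switch which port its source MAC is behind, known unicast leaves through exactly one port, and everything else (broadcast, multicast, unknown unicast) is flooded out every port except the one it arrived on. The multicast and locally-administered checks follow the MAC OUI bit rules in the notes above. The port names and sample MAC addresses are constructed for the demo.

```python
"""Learning-bridge / switch simulation (added example, not from the original notes)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """I/G bit: least-significant bit of the first octet (1 = group/multicast).
    The broadcast address is a special case of a group address."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 1


def is_locally_administered(mac: str) -> bool:
    """U/L bit: second-least-significant bit of the first octet (1 = changed in software)."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x02 == 2


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)     # constructed port names, e.g. "fa0/1"
        self.mac_table = {}          # empty at boot, as the notes describe
        self.flood_count = 0         # how many frames had to be flooded

    def receive(self, in_port: str, src: str, dst: str):
        """Process one frame; return the list of egress ports."""
        # 1) learn: the source MAC lives behind the ingress port
        self.mac_table[src.lower()] = in_port
        dst = dst.lower()
        # 2) broadcast, multicast and unknown unicast are flooded (all ports but ingress)
        if is_multicast(dst) or dst not in self.mac_table:
            self.flood_count += 1
            return [p for p in self.ports if p != in_port]
        # 3) known unicast goes out exactly one port, so other hosts' bandwidth is untouched
        return [self.mac_table[dst]]


def demo():
    """Host A ARPs for Host B, B replies, A sends data: returns egress lists, table, floods."""
    sw = LearningSwitch(["fa0/1", "fa0/2", "fa0/3", "fa0/4"])
    host_a, host_b = "00:23:33:00:00:01", "00:23:33:00:00:02"   # constructed MACs
    steps = [
        ("fa0/1", host_a, BROADCAST),   # ARP request from A: flooded to fa0/2-fa0/4
        ("fa0/2", host_b, host_a),      # reply from B: A already learned -> fa0/1 only
        ("fa0/1", host_a, host_b),      # data A->B: B now known -> fa0/2 only
    ]
    return [sw.receive(*s) for s in steps], dict(sw.mac_table), sw.flood_count


if __name__ == "__main__":
    outs, table, floods = demo()
    for (port, src, dst), out in zip(
            [("fa0/1", "A", "bcast"), ("fa0/2", "B", "A"), ("fa0/1", "A", "B")], outs):
        print(f"in {port} {src}->{dst}: out {out}")
    print("MAC table:", table, "floods:", floods)
```

A real switch also ages table entries and keeps one table per VLAN; the simulation leaves both out so the learn/forward/flood decision stays visible. The same code shows why an ARP request is the classic trigger for flooding: the first frame from a host always goes to a group address, so every port sees it.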
Switch vs Access Points
- Switches operate in dedicated bandwidth
- Access Points act like Hubs, and operate in shared bandwidth

Router (local destination)
- Layer 3 device
- Routing decisions are based on the network portion of the IP address, rather than the individual device IP address
?How it works?
1) Host A's IP address sending to Host B's IP address
2) Host A needs to know Host B's MAC address, using ARP Address Resolution Protocol
3) Host A checks its own ARP cache for whether it has stored Host B's MAC address - if it does not have Host B's MAC address, it will broadcast out who has Host B's IP address (ARP Request)
--ARP Request--(Source MAC: XX)(Destination MAC: FFFFFFFF)(Source IP: ABC)(Destination IP: DEF)
4) Assume there are hosts B, C, D on the network. Host B will see the ARP request and match the requested IP address with its own IP; it will then send an (ARP Reply) and add Host A's MAC address to its ARP Cache. Hosts C and D will drop the frame because it does not match their own IP address
5) Host A will receive the frame and then update its own ARP Cache
**Note. If the device is on a remote network, then it will send the request to its gateway

Router (remote destination)
?How it works? See Section 111.
*Moral of the story: the IP address will remain the same, but each time a packet traverses a router, the source MAC and destination MAC will be rewritten (Layer 2 headers)

Broadcast Domain vs Collision Domain
- Broadcast Domain is the entire network that is attached to a router
- Collision Domains: each device connected to a switch port is its own collision domain, the switch connecting to the router is its own collision domain, everything attached to a hub is a single collision domain

ARP commands on CMD
- arp -d (deletes the arp cache)
- arp -a (shows arp entries)
*Note: pinging will usually fail its 1st attempt because the ARP cache hasn't been populated during the 1st ping.
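The subnetting worked examples above (network = all host bits 0, broadcast = all host bits 1, first/last usable host, carving a block into equal subnets), the "Can 10.1.1.1 ping 10.1.2.1?" question, the discontiguous-mask rule, and the local-vs-remote decision a host makes before it ARPs or hands a packet to its gateway, all in one added Python example. It is not from these notes and not Cisco's code; the bit arithmetic is done by hand rather than with the `ipaddress` module so the mask-and-OR rule from the notes is visible, and the addresses used are the notes' own exercise values plus one constructed discontiguous mask.

```python
"""Subnet calculator and local/remote check (added example, not from the original notes)."""


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/20 -> 0xFFFFF000: prefix leading 1s, then 0s (a contiguous mask)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_contiguous_mask(mask: str) -> bool:
    """True for 255.255.240.0; False for a discontiguous mask such as 240.255.3.191."""
    m = ip_to_int(mask)
    return m == prefix_to_mask(bin(m).count("1"))


def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20; refuses masks that Cisco devices would not accept either."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"discontiguous subnet mask: {mask}")
    return bin(ip_to_int(mask)).count("1")


def subnet_info(cidr: str) -> dict:
    """'172.16.35.123/20' -> network, broadcast, first and last usable host."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    a, mask = ip_to_int(addr), prefix_to_mask(prefix)
    network = a & mask                            # all host bits = 0
    broadcast = network | (~mask & 0xFFFFFFFF)    # all host bits = 1
    hosts = 2 ** (32 - prefix) - 2 if prefix <= 30 else 0   # /31 and /32 have no usable pair
    return {
        "network": f"{int_to_ip(network)}/{prefix}",
        "mask": int_to_ip(mask),
        "first_host": int_to_ip(network + 1) if hosts else None,
        "last_host": int_to_ip(broadcast - 1) if hosts else None,
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": hosts,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Local vs remote: same network portion under the mask -> local (no gateway needed)."""
    mask = prefix_to_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask


def split_subnets(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets: 2^(bits borrowed) networks, stepping by block size."""
    old_prefix = int(cidr.split("/")[1])
    if new_prefix < old_prefix:
        raise ValueError("new prefix must be longer than the original")
    start = ip_to_int(subnet_info(cidr)["network"].split("/")[0])
    block = 2 ** (32 - new_prefix)
    count = 2 ** (new_prefix - old_prefix)
    return [f"{int_to_ip(start + i * block)}/{new_prefix}" for i in range(count)]


if __name__ == "__main__":
    print(subnet_info("172.16.35.123/20"))
    print("10.1.1.1 -> 10.1.2.1 local under /24?", same_subnet("10.1.1.1", "10.1.2.1", 24))
    print("10.1.1.1 -> 10.1.2.1 local under /16?", same_subnet("10.1.1.1", "10.1.2.1", 16))
    print(split_subnets("10.1.1.0/24", 28))
```

The `same_subnet` check is exactly the decision from the "local vs remote" note: when it returns False the sending host does not ARP for the destination at all but for its gateway, which is why a wrong mask on one host produces one-way reachability that is easy to misdiagnose as a routing problem.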
Full duplex/Half duplex
- Full duplex is able to send and receive traffic at the same time, in comparison to Hubs using CSMA/CD Carrier Sense Multiple Access Collision Detection, where it is running half duplex (only one side can send at any given time)
- Full duplex disregards CSMA/CD because there are no collisions. However, if one device is set to half-duplex and the other device is set to full-duplex, there will be an issue
ex. if 10Mbps is the speed of normal traffic, enabling full duplex in theory will increase it to 20Mbps because you can receive and send 10Mbps both ways

Adding a MAC Address to Routers
Router#configure terminal
Router(config)#interface f0/0
Router(config-if)#mac-address 0023.3300.0001 (note* 0023.33 is Cisco's allocated MAC address)
Router(config-if)#no shutdown

BUM traffic = Broadcast, Unknown-unicast, Multicast
- When a switch receives a unicast frame to an unknown unicast address, it floods it out all interfaces except the one on which it was received

Unicast, Multicast, Broadcast
- Unicast does not flood all ports unless the MAC address is unknown
- Multicast (if VLAN is not configured) will flood all ports
- Broadcast always floods all ports

ex. Get Host 1 (10.1.1.1) -> Switch -> Router (f0/0 10.1.1.254, f0/1 10.1.2.254) -> Switch -> Remote Host 2 (10.1.2.1), host 1 and host 2, to talk to each other
[[WHEN NO GATEWAY IS SET... we are setting a "gateway of last resort"]]
Host1> enable
Host1# conf t
Host1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.254 [this means, when Host1 does not know where to forward traffic without a gateway, it will go to 10.1.1.254]
...similarly... if host 2 wants to contact host 1 and does not know where to forward the traffic for any network that is not connected to them...
Host2> enable Host2# conf t Host2(config)# ip route 0.0.0.0 0.0.0.0 10.1.2.254 **To confirm this: Host1> show ip route or Host2> show ip route MAC vs IP Address through a router - MAC address changes when going through a Layer 3 Router/switch going from one Vlan or another / or 1 interface to another interface, MAC address is rewritten by the router - IP address however remains the same, except when a NAT Network Address Translation is used ex. Router1 -> Router2 -> Router 3 Goal: Router1 ping Router3 1) Router1 -> Router2 (ping request) Source MAC: Router1 Destination MAC: Router2 Source IP: Router1 Destination IP: Router3 2) Router2 -> Router3 (ping request) Source MAC: Router2 Destination MAC: Router3 Source IP: Router1 Destination IP: Router3 3) Router3 -> Router2 (ping reply) Source MAC: Router3 Destination MAC: Router2 Source IP: Router3 Destination IP: Router1 4) Router2 -> Router1 (ping reply) Source MAC: Router2 Destination MAC: Router1 Source IP: Router3 Destination IP: Router1 ex. See Router> Router# Answer: how long ARP cache last (using interface f0/0) enable show interface f0/0 "ARP Timeout 04:00:00" (default for Cisco) Hub and Half/Full Duplex - Hub can see all traffic on a network (including passwords on Telnet), another benefit of using a switch - Half Duplex was first used because of Hubs and when negotiation Pge p 2.txt with the other side did not work, it reverted back to 10Mbps Half Duplex - When autonegotiation does not work, the device will also revert back to half duplex... resulting in successful pings but poor speed (transfer of large files). Frames will eventually be queued up and eventually dropped To test Duplex mismatch or when autonegotiation does not work 1) Compare the speed of both devices (ex. router on f0/0 and computer on f0/3) Router1# show running interface f0/0 "full duplex" Computer1# show running interface f0/3 "full duplex" 2) Use a large # of pings (ex. 1000) and select a large datagram size (ex. 
18000) 3) Result - The device using half-duplex will have a "late collision" while performing the pings but it only occurs when you are sending enough traffic to trigger this - The device using full-duplex, use "Router1# show interface f0/3" will see "input errors", "CRC", "runts", duplex mismatch messages To match duplex or autonegotiation of Switch1 and Router1 1) From Router1 Router1# conf t Router1(config)# int f0 Router1(config-if)#speed auto Router1(config-if)#duplex auto (or half, or full) 2) If it cannot be set at Router1, then set it on Switch1 Switch1# conf t Switch1(config)# int f0 Switch1(config-if)#speed auto Switch1(config-if)#duplex auto (or half, or full) ***MORAL of the story, set it to auto. Do not hard code. Clear previous collisions Router1# clear counters Loopback interface - 127.0.0.1 - By default, it is active (no need for "no shutdown" command) - Loopback can be used for telnet... must setup EIGRP Creating your own loopback interface Router1>enable Router1#conf terminal Router1(config)# interface loopback 0 (up to 2147483647 - do not memorize) Router1(config-if)# ip address anythingYouWant andGateway Reasons to use Loopback? (Reason 1) - When interfaces are down between 2 routers, we can use Loopback in conjunction with EIGRP to continue access ex. 
If interface Router1 f0/0 f0/1 wants to telnet with Router2 g0/0 g0/1 and g0/0 is down, we can setup EIGRP using Open Shortest Pge p 2.txt Path First (OSPF) on both devices as a backdoor access (this will use f0/1 and g0/1) through a Loopback 1) Setup Router2 loopback Router2#config terminal Router2(config)# interface loopback 0 Router2(config-if)# ip address 2.2.2.2 255.255.252.255 2) Setup Router1 EIGRP Router1#config terminal Router1(config)# router eigrp 100 Router1(config-router)# network 0.0.0.0 3) Setup Router2 EIGRP Router2#config terminal Router2(config)# router eigrp 100 Router2(config-router)# network 0.0.0.0 --Optional step #3.5-- Confirm EIGRP is working Router1# show ip eigrp neighbors OR Router1# show ip route 4) Telnet to Router2 Router1# telnet 2.2.2.2 Reasons to use Loopback? (Reason 2) - Routing protocols such as OSPF use the loopback to determine Router ID in the OSPF network 1) Enable ospf on all interfaces on Router1 and place them in area 0 Router1#configure terminal Router1(config)# router ospf Router1(config-router)# network 0.0.0.0 255.255.255.0 area 0 Router1(config-router)# end --Optional step-- Show ospf Router1#show ip ospf interface (brief) **Router ID is selected on the highest Loopback IP address, if not, the highest IP address **Router's name is the Router ID. This is important because if you don't use a loopback and the Router ID was selected off a physical interface and the physical interface went down, the name of the router will change. 
Transport Layer
TCP/IP
- IP (Internet Protocol) is connectionless - every packet is treated individually and separately by routers
- IP does not guarantee delivery of packets, delivery in the correct order, or freedom from errors (higher layers are responsible for this)
TCP/UDP
- TCP (Transmission Control Protocol) - 3-way handshake, connection oriented, reliable, delivery acknowledgement (sequence number), sequenced; used by HTTP/E-mail/FTP
- UDP (User Datagram Protocol) - connectionless, best effort/unreliable, no guarantee of delivery, no sequencing, limited error reporting (if no port # is available, a message can be sent back to the sender?); used by VoIP/Video streaming
- Both allow for Session Multiplexing - a single host with a single IP address can communicate with multiple devices/sessions
- With TCP, a connection must first be established between sender and receiver before data transmission in SEGMENTS
- MTU (Maximum Transmission Unit) depends on the physical medium (ex. MTU of FastEthernet is 1500 bytes; TCP supports up to 65495 bytes)
- MSS (Maximum Segment Size) is the maximum segment size that TCP is willing to send in a single segment; it should be set small enough to avoid IP fragmentation, which leads to excessive retransmission if there is packet loss
- TCP supports MSS and Path MTU Discovery (sender and receiver automatically determine the maximum transmission size - avoids fragmentation)
- Path MTU Discovery is mandatory in IPv6
- UDP does not support Path MTU Discovery - relies on higher layer protocols
- TCP has Flow Control (sliding window) to avoid data being sent too quickly - data sent too quickly will be dropped and require retransmission (causes delay); UDP has no Flow Control
- TCP has a session, and once transmission is complete, the session is terminated. UDP has no sessions
- TCP: every segment transmitted is acknowledged
- UDP Header: 16-bit UDP length field, minimum 8 bytes, maximum 65,535 bytes (every header field is 16 bits)

TCP Summary
- Connection oriented
- Full duplex operation
- Error checking (checksum in the datagram to confirm this)
- Segments are sequenced
- Acknowledgement of receipt
- Retransmission of data is possible

Application Layer
- File Transfer: FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), NFS (Network File System)
- E-mail: POP3 Post Office Protocol 3 (receive e-mail), SMTP Simple Mail Transfer Protocol (send e-mail), IMAP Internet Message Access Protocol (receive e-mail)
- Remote Login: Telnet (sends traffic in clear text/insecure), SSH (Secure Shell/secure)
- Network Management: SNMP Simple Network Management Protocol
- Name Management: DNS Domain Name System (translates domain names into IP addresses)

Recap 7 layers
**Physical (1) -> Data Link (2) -> Network (3) -> Transport (4) -> Application (7)
**(RJ45 -> MAC Address -> IP Address -> TCP/UDP -> Port Number)

Socket
- Combination of: IP address of host, port number, TCP/UDP (transport protocol used)

Port Numbers:
- 7 Echo
- 20 FTP Data
- 21 FTP
- 22 SSH
- 23 Telnet
- 53 DNS TCP/UDP (UDP is used to serve requests, TCP is used when the response data is over 512 bytes)
- 69 TFTP
- 80 HTTP
- 115 SFTP
- 161 SNMP
- 443 HTTPS
*Well known port numbers: 0 - 1023
*Registered port numbers: 1024 - 49151
*Dynamic/Private port numbers: 49152 - 65535
*Ephemeral port numbers (short-lived port used for the client side of a connection - temporary, only lasts for the session) - the range varies based on vendor

3-way TCP Handshake
1) [Host A->Host B] Send SYN (flag), set CTL = SYN, choose a random initial sequence number (ex. 100) so the other side knows the next sequence number to expect, choose port #
2) [Host A<-Host B] Received SYN (flag); send SYN, send ACK (for the ex., ACK = 101, next in sequence after 100), set CTL = SYN, ACK, choose another random initial sequence number so Host A knows the next sequence number to expect from Host B
3) [Host A->Host B] SYN flag = unset, set CTL = ACK, set ACK = 301, set SEQ = 101
*The SYN flag being unset confirms the 3-way TCP Handshake has completed successfully

3-way TCP Handshake Simplified
1) Host A -> Send SYN, SEQ = 100 -> Host B
2) Host A <- Send SYN, ACK = 101, SEQ = 300 <- Host B
3) Host A -> Send ACK = 301, SEQ = 101 -> Host B

3-way TCP Handshake SYN/ACK Simplified
1) Host A -> Send Sequence = 5 (Host A expects Acknowledgement of 6) -> Host B
2) Host A <- Send Ack = 6, Send Sequence = 10 (Host B expects Acknowledgement of 11) <- Host B
3) Host A -> Send Ack = 11, Send Sequence = 6 -> Host B

TCP Window Size / Fixed Windows
- Maximum number of data segments the sender is allowed to send before an acknowledgement is required
Note* The exchange above is a Window Size of "1"
- If we increase to a Window Size of "3", then Host A can send 3 segments but only needs to receive 1 ACK, therefore increasing throughput

TCP Flow Control
- Prevents the sender from overflowing the buffers of a receiver; if one machine is more powerful than the other, they can negotiate the rate of transmission
- Tells the sending host to slow down or to stop sending data until the receiving host has its Receive Buffer ready

TCP Sliding Windows
- Rather than using a Fixed Window Size, TCP uses sliding windows (the window size is initially small, then increases exponentially with time) - notice how a download is initially slow but then gets fast
- When a packet is dropped, the Window Size may be reduced
- The Window Size is determined by either 1) the window granted by the receiver or 2) the Congestion Window (CWND) - initially set to a very low value, then increased at an exponential rate using "congestion avoidance"

Configure a Cisco Router as a DHCP (Dynamic Host Configuration Protocol) client and enable DNS:
Router1#configure terminal
Router1(config)#ip domain-lookup
Router1(config)#interface f0/0
Router1(config-if)#ip address dhcp
Router1(config-if)#no shutdown
Router1#show dhcp lease [See DHCP lease]
Router1#show dhcp server [See DHCP server]
If we do not use a DHCP server, DNS and gateway do not automatically populate, so we must add them manually:
Router1#configure terminal
Router1(config)#ip name-server 8.8.8.8 [DNS setup]
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249 [Gateway of last resort]
Router1(config)#interface f0/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shutdown

3 DHCP Mechanisms (done on the DHCP server, NOT on the client PC)
1) Automatic Allocation - the DHCP server assigns a permanent IP address to the client - the IP address lease is set to infinity (no expiration date)
2) Dynamic Allocation - what we think of when we think of DHCP
3) Manual Allocation - preconfigure the IP address and MAC address manually on the DHCP server, to be allocated to a specific client
- Different from Automatic Allocation, where a pool or scope of addresses is created and addresses are then automatically allocated to devices permanently, whereas Manual Allocation is allocated to a unique device.
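Added example (not from these notes): a Python model of the 3-way handshake with the SEQ/ACK arithmetic from the examples above (ISNs 100/300 and 5/10), plus the check each side makes on the ACK number; the initial sequence numbers are passed in explicitly here so the run is deterministic, where a real stack would choose them randomly.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


class Endpoint:
    """Just enough TCP state to run the connection setup described in the notes."""

    def __init__(self, name, isn):
        self.name = name
        self.isn = isn        # initial sequence number (random in a real stack)
        self.state = "CLOSED"
        self.snd_nxt = None   # next sequence number this side will send
        self.rcv_nxt = None   # next sequence number expected from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        """Step 1: send SYN with SEQ = ISN. The SYN itself consumes one sequence
        number, so the peer must acknowledge ISN + 1."""
        self.state = "SYN-SENT"
        self.snd_nxt = (self.isn + 1) % MOD
        return Segment(self.isn, 0, frozenset({"SYN"}))

    def on_segment(self, seg):
        """Process one incoming segment; return the reply segment or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN/ACK carrying our own ISN, acknowledging the peer's ISN + 1
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.snd_nxt = (self.isn + 1) % MOD
            self.state = "SYN-RECEIVED"
            return Segment(self.isn, self.rcv_nxt, frozenset({"SYN", "ACK"}))
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            # Step 3: the ACK must cover exactly our SYN; anything else is an
            # unacceptable ACK and is answered with a RST (per RFC 793)
            if seg.ack != self.snd_nxt:
                self.state = "CLOSED"
                return Segment(seg.ack, 0, frozenset({"RST"}))
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}:
            # the final ACK (SYN flag unset) completes the handshake on this side
            if seg.ack == self.snd_nxt and seg.seq == self.rcv_nxt:
                self.state = "ESTABLISHED"
            return None
        return None


def handshake(client, server):
    """Run the three segments between two endpoints and return them in order."""
    server.listen()
    syn = client.connect()
    syn_ack = server.on_segment(syn)
    ack = client.on_segment(syn_ack)
    if "RST" not in ack.flags:
        server.on_segment(ack)
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    a, b = Endpoint("Host A", 100), Endpoint("Host B", 300)
    for seg in handshake(a, b):
        print(sorted(seg.flags), "SEQ =", seg.seq, "ACK =", seg.ack)
    print(a.state, b.state)
```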
Configure a Cisco Router as a DHCP Server:
==Initial Setup==
Router1#configure terminal
Router1(config)#int f0/0
Router1(config-if)#ip address 10.1.1.2 255.255.255.0 ***
Router1(config-if)#no shutdown
==DHCP Server setup==
Router1(config)#ip dhcp pool enterNameOfPool
Router1(dhcp-config)#network 10.1.1.0 255.255.255.0
Router1(dhcp-config)#default-router 10.1.1.2 ***
==DNS Server setup in the same DHCP Server==
Router1(dhcp-config)#dns-server 10.1.1.2
Router1(dhcp-config)#lease 7
==Exclude range/scope==
Router1(config)#ip dhcp excluded-address 10.1.1.1 10.1.1.10
==View your DHCP pool/current pool==
Router1#show ip dhcp pool
Router1#show ip dhcp binding
==Get a DHCP IP from Router2==
Router2#configure terminal
Router2(config)#interface f0/0
Router2(config-if)#ip address dhcp
Router2(config-if)#no shutdown
==To confirm Router2 is working properly==
Router2#show ip interface brief
Router2#show ip route
==To name a client==
Router2(config-if)#ip dhcp client client-id ascii nameHere

IP helper address:
- a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address
ex. Router needs to reach a DHCP server on 192.168.2.254
Router2(config)#int f0/0
Router2(config-if)#ip helper-address 192.168.2.254
Router2(config-if)#no shutdown

VLAN Virtual Local Area Network (Logical Switch)
**Benefits of VLANs over switches
- no broadcast or multicast storms
- provides security: you cannot access certain files unless you are on a specific VLAN (logical segmentation of users)
- easy to modify virtually, no longer a need for switching cables (no longer have to worry about the physical topology - focus on the logical)
- better QoS (VoIP on its own VLAN)
*Note: PCs do not know they are put on VLANs; all they see is standard Ethernet frames. It is the switches that provide the tagging

Trunking Protocols
1) ISL Inter-Switch Link - Cisco proprietary protocol (old)
2) 802.1Q - industry standard
802.1Q
- Has a 4-byte "Tag" in the header in addition to the Ethernet header
Ethernet Header: [Dest][Src][Len/Etype][Data][FCS]
802.1Q Header: [Dest][Src][Tag][Len/Etype][Data][FCS]
Tag Frame: [TPID (0x8100) - identifies the frame as 802.1Q, 16 bits or 2 bytes][PRI - priority, 3 bits, used in QoS][CFI - Canonical Format Indicator, 1 bit, used in the old days, no longer used][VLAN ID - 12 bits, value of 0 = no VLAN]
~12 bits in size = 4096 VLANs can be created
**Because the frame is being altered, the FCS (Frame Check Sequence) will be altered and replaced in the modified frame
Native VLANs
- Native VLAN frames are untagged

VLAN port assignments
1) Static VLAN by Administrator
2) Dynamic VLAN using VLAN Membership Policy Server - allows ports to be automatically updated based on the MAC address seen on that port
3) Voice VLAN

VTP VLAN Trunking Protocol
- Cisco Layer 2 protocol
- Allows for addition, deletion and renaming of VLANs on one switch, which will propagate across trunk links to other switches
**Avoid** headaches: if not properly configured it causes problems; VTP is disabled by default
**It can only work over trunk links
==See which interface is trunking==
Switch#show interface trunk
OR
Switch(config-if)#do show vlan brief

Trunking vs Access ports
**Trunk ports - permit ALL VLANs - allow multiple VLANs to traverse a link
**Access ports - specify a single VLAN that is allowed to traverse

Make a port on a switch be on a VLAN as an access port or a trunk port
1) Create the VLAN (ex. 10)
Switch#configure terminal
Switch(config)#vlan 10
2a) Make f0/0 a trunk port
Switch(config-vlan)#interface f0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk [allows multiple VLANs to traverse that port]
Switch(config-if)#switchport nonegotiate [disables DTP (Dynamic Trunking Protocol) auto-negotiation of trunk ports]
2b) Make f0/0 an access port
Switch(config-if)#switchport mode access [allows a single VLAN]
Switch(config-if)#switchport access vlan 10
3) Setup VLAN 10's gateway
Switch(config-if)#interface vlan 10 [the SVI for VLAN 10; the IP address goes here, not on the access port itself]
Switch(config-if)#ip address 10.1.11.254 255.255.255.0
Switch(config-if)#no shutdown
4) Set the Default Gateway on the PC/Router if on different VLANs
Router#configure terminal
Router(config)#no ip routing
Router(config)#ip default-gateway 10.1.11.254 [optional]
5) Enable DTP Dynamic Trunking Protocol
Switch(config-if)#switchport mode dynamic desirable

Creating sub-interfaces on a Router that has 1 physical interface f0/0
1) Create sub-interface f0/0.1 (virtual)
Router#configure terminal
Router(config)#interface fastEthernet 0/0.1
Router(config-subif)#encapsulation dot1Q 1 native (ex. using VLAN 1 as default)
Router(config-subif)#ip address 10.1.1.254 255.255.255.0
2) Create sub-interface f0/0.2
Router(config-subif)#interface fastEthernet 0/0.2
Router(config-subif)#encapsulation dot1Q 2
Router(config-subif)#ip address 10.1.2.254 255.255.255.0

VTP VLAN Trunking Protocol
- By default, switches belong to the Null domain and no VTP domain is configured
- Cisco proprietary Layer 2 protocol between VLAN 1002-4094
- Being a Layer 2 protocol, it communicates over trunk links (Layer 2) and not through a Layer 3 router
- Does not create trunk ports, but requires trunk links to send updates across switches via MAC address 01-00-0C-CC-CC-CC (well known multicast address)
- Cisco engineers however will by default disable VTP
Benefits:
- Create, delete or rename VLANs on one switch -> propagates to all other switches
- By default a switch doesn't belong to a domain, but when it receives an advertisement, it will automatically join that VTP domain
- Each time a change is made (new/delete/rename), the revision number automatically increases by 1
Procedure of VTP messages:
1) When a change is made to Switch 1, Switch 1 will send out a "Summary advertisement" to all other switches
2) Once the "Summary advertisement" is received, those switches will send an "Advertisement request" to Switch 1 requesting information on what was changed
3) Switch 1 will now send that "Subset advertisement" information to all the other switches
3 types of VTP messages:
1) Summary advertisements - sent every 5 minutes or whenever a change is made - used to inform switches, in summary format, of the latest revision number in the VTP domain
2) Advertisement requests - if a switch sees it is out of date in the VTP domain, it will request the new information
3) Subset advertisements - send detailed information about the changes made to the VLAN database
4 VTP Modes
**Note: the revision number takes precedence (not server or client)
1) Server (default mode)
- Create/Modify/Delete VLANs
- Sends and forwards VTP advertisements
- Can save VLAN configuration locally
2) Client
- CANNOT Create/Modify/Delete VLANs
- Sends and forwards VTP advertisements
3) Transparent
- Disables VTP (no synchronization), but forwards VTP advertisements
4) Off
- Disables VTP (no synchronization), does not forward VTP advertisements

VLAN versions
- VLAN 1 (Ethernet) = 1 to 1005 are supported; beyond this use "VTP Transparent Mode"
- VLAN 2 = 1001
==Create VLAN 1006==
Switch#configure terminal
[optional]Switch(config)#vtp domain enterNameHere
Switch(config)#vtp mode transparent (**remember, client and server modes do not support any VLAN beyond 1005)
Switch(config)#vlan 1006
==Erase VLANs==
Switch#erase startup-config
Switch#delete flash:/vlan.dat
==See all VLANs==
Switch#show vlan brief
or
Switch#show run | i Vlan|vlan
==Rename VLAN==
Switch(config)#vlan 2
Switch(config-vlan)#name exampleNameHere

VTP Pruning
- **ONLY VTP servers can enable it
- VTP allows for automatic pruning and un-pruning of links
- Improves bandwidth allocation by reducing unnecessary flooded traffic (broadcast, multicast, etc.)
- Only applies to trunk ports
- VLAN 1 and VLANs above 1002 are NEVER pruned

VTP Password
- By default, no VTP password is configured
- Only switches that have the same password will synchronize with each other
==Join existing VTP Domain from Switch1 (ccna) to Switch2==
*Note Switch1 f0/0 connects to Switch2 g0/0
1) Set VTP Domain on Switch1
Switch1(config)#vtp domain ccna
2) Set dynamic trunking on the Switch1 interface connecting to Switch2 g0/0
Switch1(config)#int f0/0
Switch1(config-if)#switchport mode dynamic desirable
3) Set Switch2 to trunk mode
Switch2(config-if)#switchport trunk encapsulation dot1q
Switch2(config-if)#switchport mode trunk
4) Set Switch2
==Enable VTP pruning==
Switch(config)#vtp pruning
==Show VTP status==
Switch#show vtp status

===Simulation#1===
- Configure Switch1 as the VTP server and Switch2 as a VTP client
- Set the VTP domain name to cisco
- Set the VTP password to cisco
- Enable VTP pruning so that inter-switch broadcast replication is minimized
Switch1>en
Switch1#conf t
Switch1(config)#vtp mode server
Switch1(config)#vtp domain cisco
Switch1(config)#vtp password cisco
Switch1(config)#vtp pruning
Switch2>en
Switch2#conf t
Switch2(config)#vtp mode client
Switch2(config)#vtp domain cisco

===Simulation#2===
Create the following VLANs on Switch1:
- VLAN 10 with a description "HR"
- VLAN 20 with a description of "Sales"
- VLAN 30 with a description of "Directors"
Switch1> en
Switch1# conf t
Switch1(config)# vlan 10
Switch1(config-vlan)# name HR
Switch1(config-vlan)# vlan 20
Switch1(config-vlan)# name Sales
Switch1(config-vlan)# vlan 30
Switch1(config-vlan)# name Directors

===Simulation#3===
Assume that ports are configured using the default switchport mode of access
Assign interface FastEthernet 0/3 to VLAN 10 on Switch1
Assign interfaces FastEthernet 0/4 through FastEthernet 0/20 to VLAN 20 on Switch1 using the interface range command
Switch1> en
Switch1# conf t
Switch1(config)# interface f0/3
Switch1(config-if)# switchport access vlan 10
Switch1(config-if)# interface range fastethernet 0/4 - 20
Switch1(config-if-range)# switchport access vlan 20

===Simulation#4===
Configure the switch as VTP transparent
Set the VTP domain to ICND
Switch1> en
Switch1# conf t
Switch1(config)# vtp mode transparent
Setting device to VTP mode transparent
Switch1(config)# vtp domain ICND
Changing VTP domain name from NULL to ICND

===Simulation#5===
Configure Switch1 as a VTP server and Switch2 as a VTP client
Set the VTP domain to gns3.com
Set the VTP password to cisco
Enable VTP pruning
Switch1> en
Switch1# conf t
Switch1(config)# vtp mode server
Device mode already VTP SERVER.
Switch1(config)# vtp domain gns3.com
Changing VTP domain name from NULL to gns3.com
Switch1(config)# vtp password cisco
Setting device VLAN database password to cisco
Switch1(config)# vtp pruning
Switch2> en
Switch2# conf t
Switch2(config)# vtp mode client
Setting device to VTP mode client
Switch2(config)# vtp domain gns3.com
Changing VTP domain name from NULL to gns3.com
Switch2(config)# vtp password cisco
Setting device VLAN database password to cisco
Switch2(config)# vtp pruning

VTP Troubleshooting
> show interface trunk
> show vlan brief
> show vtp status
- Domain name is case-sensitive and must match
- Password must match (MD5 hash)
- Versions also must match
VTP Troubleshooting 2
> show interface switchport
> show interface trunk
- VTP requires trunk links (trunking shows NO on both sides)
- Administrative Mode: dynamic auto => set one side to dynamic desirable
Switch1(config)#interface g0/0
Switch1(config-if)#switchport mode dynamic desirable

===PacketTracer Configuration - Section184===
Switch>en
Switch#conf t
Switch(config)#int range g0/0-3
Switch(config-if-range)#no shut
Switch(config-if-range)#int vlan 1
Switch(config-if)#ip address 10.1.100.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 10
Switch(config-if)#ip address 10.1.10.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int vlan 20
Switch(config-if)#ip address 10.1.20.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#end
Switch#conf t
Switch(config)#hostname S1
S1(config)#vtp mode transparent
S1(config)#end
S1#copy running-config startup-config

DTP Dynamic Trunking Protocol
- Dynamically negotiates the forming of trunks
- Cisco proprietary protocol, but it is better to disable it and configure trunking manually
2 Types of DTP:
1) Dynamic Auto - does not initiate trunking, waits for the other side to initiate the trunk
2) Dynamic Desirable - initiates trunking

===PacketTracer Configuration - Section189===
Switch>en
Switch#conf t
Switch(config)#int range g0/0-3
Switch(config-if-range)#switchport trunk encapsulation dot1q
((Alternatively)) Switch(config-if-range)#switchport trunk allowed vlan 1 (or all)
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport nonegotiate

For a PC/Router to talk to the switch on VLAN 10, for example, the switch must set its access port
Switch>en
Switch#conf t
Switch(config)#int g1/0
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport nonegotiate

===VLAN Simulations - Section193===
Create VLAN 2 on the switch with the name of sales
Configure interface FastEthernet 0/1 as an access port
Put interface FastEthernet 0/1 in VLAN 2
Enable FastEthernet 0/1
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# vlan 2
Switch1(config-vlan)# name sales
Switch1(config-vlan)# int f0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# no shut

===VLAN Simulations - Section194===
FastEthernet 0/2 has a critical server connected to it
Configure the port as an access port
Set the speed to 100Mbps and full duplex
Put the port into VLAN 2
Enable the interface
Set a description to 'Main Server'
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# speed 100
Switch1(config-if)# duplex full
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# no shut
Switch1(config-if)# description Main Server

===VLAN Simulations - Section196===
The switch supports both ISL and 802.1Q. You will therefore need to configure the encapsulation to dot1q
Manually configure the port as a trunk
Set the native VLAN to 99
Disable Dynamic Trunking Protocol
Allow only VLANs 1,10,20,30 and 99 on the trunk
Enable the interface
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/23
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk native vlan 99
Switch1(config-if)# switchport nonegotiate
Switch1(config-if)# switchport trunk allowed vlan 1,10,20,30,99
Switch1(config-if)# no shut

===VLAN Simulations - Section197===
Configure Switch1 as a VTP server and Switch2 as a VTP client
Set the VTP domain to gns3.com
Set the VTP password to cisco
Enable VTP pruning
Switch2> en
Switch2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# vtp mode client (vtp mode server on Switch1)
Setting device to VTP mode client
Switch2(config)# vtp domain gns3.com
Changing VTP domain name from NULL to gns3.com
Switch2(config)# vtp password cisco
Setting device VLAN database password to cisco
Switch2(config)# vtp pruning

===VLAN Simulations - Section198===
Delete the VLAN database on the switch (don't forget to reload the switch)
Switch1> en
Switch1# delete flash:vlan.dat
Switch1# reload

===VLAN Simulations - Section199===
Configure interface FastEthernet 0/1 to negotiate from nontrunk to trunk mode
Both sides should be able to initiate negotiation. Enable the interface.
Switch2> en
Switch2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# int f0/1
Switch2(config-if)# switchport mode dynamic desirable
Switch2(config-if)# no shut

===VLAN Simulations - Section200===
Configure interface FastEthernet 0/1 to negotiate from nontrunk to trunk mode
Only Switch1 should be able to initiate negotiation. Switch2 should only become a trunk if Switch1 initiates trunking. Enable the interface.
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/1
Switch1(config-if)# switchport mode dynamic desirable
Switch1(config-if)# no shut
______________________________________________________

Spanning Tree (802.1D)
- Used to avoid loops in Layer 2 (MAC address) environments
- Slow convergence because its design was for bridges (which use software for the calculation, whereas switches use hardware)
- Therefore, superseded by Rapid Spanning Tree and Multiple Spanning Tree
Types of Spanning Trees:
1) CST Common Spanning Tree - assumes one spanning tree for the entire bridged network regardless of the # of VLANs
2) PVST Per VLAN Spanning Tree (superseded CST) - Cisco's version of Spanning Tree, each VLAN has its own Spanning Tree
3) MSTP Multiple Spanning Tree - maps multiple VLANs into the same Spanning Tree instance (ex. instead of 200 VLANs having 200 spanning trees, MSTP -> VLANs 1-100 into Instance1, VLANs 101-200 into Instance2)
4) RSTP Rapid Spanning Tree is built into MSTP - RSTP assigns roles to ports, much quicker convergence, but only supports a single instance
5) **Rapid PVST+ (Cisco switches use this by default) - one Spanning Tree instance per VLAN - with rapid convergence
**Summary** 10 VLANs -> use Rapid PVST+; 100-1000+ VLANs -> MSTP

PVST
- Could take 50 seconds for ports to start forwarding traffic
**** Blocking 20s > Listening 15s (sending BPDUs, not updating the MAC address table) > Learning 15s (updating the MAC address table) > Forwarding

BPDU Bridge Protocol Data Units
- When running spanning tree, BPDUs are sent out of every port on switches every 2 seconds
- Switches learn about each other through receiving BPDUs; **receiving BPDUs from the same switch on multiple ports means there is a loop. ex. Switch B receives multiple BPDUs on multiple ports from Switch A.
So Switch B learns about Switch A - there must be a loop
- BPDUs carry an 8-byte value unique to the switch (2-byte priority field, 6-byte system ID (burned-in MAC address))
3 kinds of BPDUs - use 802.3 Ethernet
1) Configuration BPDU - used by Spanning Tree to provide information to switches
2) Topology change BPDU - tells switches of a change
3) Acknowledgement BPDU - confirms the receipt of a topology change notification
==View Spanning Tree==
Switch>en
Switch#sh spanning-tree

Decisions of Spanning Tree
1) Determine the Root Bridge
- The Root Bridge (only forwards traffic - outgoing device) is chosen based on the lowest Priority #; if tied, it is determined by the lowest MAC address
- Root Bridge priority default is 32768 + VLAN # (if VLAN 1, then 32769)
2) Every non-Root Bridge switch needs to determine its Root Port (sh spanning-tree)
- The Root Port is its best port to get to the Root Bridge, based on: 1) lowest path cost 2) if path costs are equal, then lowest neighbour bridge ID 3) if neighbour IDs are equal, then lowest port priority 4) if not 3), lastly lowest port ID
~Path Cost old IEEE = 100/19/4/2, Path Cost new IEEE = 2,000,000/200,000/etc...
3) To check this in Wireshark... Bridge Identifier # > Root Identifier #; if it is the other way around, then the switch in question is the Root Bridge

PVST+ Rapid per VLAN Spanning Tree Extended Bridge ID
- Rapid PVST+ Extended Bridge ID
- Each VLAN's Spanning Tree must have a unique Bridge ID, which is based on the MAC address
- In theory then... a switch that is capable of 4096 VLANs would use 4096 MAC addresses; that's not feasible... therefore, the Extended Bridge ID is used.
[Original Bridge ID = 8 bytes] Bridge Priority (2 bytes) | MAC Address (6 bytes)
[*Extended Bridge ID = 8 bytes] Bridge Priority (4 bits) + Extended System ID (12 bits) | MAC Address (6 bytes)
- Bridge Priority is a number you can set (default: 32768)
- Extended System ID is populated by the VLAN number
... because the bridge priority is 4 bits in the most significant position, it can be 0, 4096, ... in increments of 4096
- Because PVST+ could take 30 seconds to converge, some ports are set as "Edge Ports or PortFast Ports" on Access Ports (do not enable on Trunk Ports - creates loops)
**Edge Ports or PortFast Ports immediately transition to the forwarding state. They skip the Blocking, Listening and Learning states and go directly to Forwarding

Path Cost
- Cost to get to the root bridge/switch
- Calculated from the sum of the port costs along the path (the number of links)
- Changing between IEEE Cost 1998 (100/19/4/2) and IEEE Cost 2004 (2,000,000/200,000/20,000/2,000) -> use the command spanning-tree pathcost method long
==Change root priority of switch==
Switch>en
Switch#conf t
Switch(config)#spanning-tree vlan 1 root primary
OR
Switch(config)#spanning-tree vlan 1 priority 0
==Change spanning-tree mode to pvst==
Switch(config)#spanning-tree mode pvst
==Change spanning-tree mode to rapid-pvst (rpvst)==
Switch(config)#spanning-tree mode rapid-pvst [recall rapid pvst converges a lot quicker]
**In the real world, use rapid-pvst instead of pvst
**rpvst > pvst > 802.1D (stp); they are backwards compatible, but mixing them will cause slowdowns because 802.1D uses timers (20>15>15)
**PortFast/Edge Port - connects to end user devices, transitions directly to the forwarding state
***Summary:
pvst - per VLAN spanning tree, single root in the entire topology
rapid-pvst - rapid pvst, gives a root on a per VLAN basis
mst - multiple spanning tree, associates multiple VLANs to a spanning tree root, can have multiple roots

RSTP Rapid Spanning-Tree Protocol - 802.1w
- Not based on timers
- *NEW* Port role assignments and port states
- *NEW* BPDU format and BPDU processing
- *NEW* Uses a bridge-to-bridge handshake mechanism, which allows ports to move directly to forwarding
- *NEW* Different Topology Change Notification and processing procedure
3 Port States in RSTP 802.1w
1) Learning
2) Forwarding
3) Discarding

*NEW* Port role assignments and port states ----------- 802.1w vs 802.1D:
1) Port State
Discarding = Disabled, Blocking, Listening
Learning = Learning
Forwarding = Forwarding
2) Port Roles
- A port's role is determined based on the usefulness of the BPDUs that are received
- The more useful BPDUs are the ones with the lower path cost
a) Root Port (FWD) - the port that is closest to the root bridge (switch) in terms of path cost - the root port leads towards the root bridge
b) Designated Port (FWD) - the port that is the best port on the root bridge (switch) side - the designated port leads away from the root bridge
c) Alternate Port (BLK) - a port that is blocked because it is receiving more useful BPDUs from another bridge
d) Backup Port (BLK) - a port that is blocked because it is receiving more useful BPDUs from the same bridge it is on
==Change Half-duplex to Full-duplex==
*Notice "Type" is "Shr" (shared); we need to change this to point-to-point "P2p" for full duplex
Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#spanning-tree link-type point-to-point

PortFast vs Edge Ports
- PortFast does not lose its edge port status when it receives a BPDU; generates topology changes
- Edge Ports lose their edge port status when they receive a BPDU; do not generate topology changes

*NEW* BPDU format and BPDU processing -----------
- P2p - uses a Proposal/Agreement handshake sequence to quickly transition ports and achieve faster convergence, whereas 802.1D waits for timers to expire
- *NEW* RSTP BPDU flags byte: Bit 0 Topology Change, Bit 1 Proposal, Bits 2-3 Port Role, Bit 4 Learning, Bit 5 Forwarding, Bit 6 Agreement, Bit 7 Topology Change ACK
BPDU Processing - must use p2p
1) Root switch p0 sends a "Proposal" to Switch A p1
2) Switch A receives the proposal on p1 and makes sure its other ports are in sync, putting them in the "blocking state" (unless they are "edge ports"). Switch A will now unblock p1
3) Switch A replies with an "Agreement"
4) The Root switch can immediately unblock p0 and transition it to forwarding
**The proposal/agreement is very fast as it does not rely on timers
**This handshake propagates quickly towards the edge of the network, and quickly restores connectivity after a change in topology
**If an agreement is not received after a proposal is sent, the port transitions back to the traditional 802.1D listening-learning sequence

MSTP Downside
- The protocol is more complex than usual STP, requires additional training of staff
- Interaction with legacy bridges is sometimes challenging
- Only useful for a high number of VLANs

STP Summary:
1) STP - 802.1D standard - one ST per network - slow convergence
2) PVST+ - Cisco proprietary standard - one ST per VLAN - slow convergence
3) RSTP - 802.1w standard - one ST per network - fast convergence
4) Rapid PVST+ - Cisco proprietary standard - upgrade from RSTP, one ST per VLAN with fast convergence and load sharing; ex. 200 VLANs would require 200 instances of ST
5) MSTP - 802.1s - one ST for multiple VLANs - upgrade from Rapid PVST+, with low resource use because of resource sharing across multiple VLANs, with fast convergence. "Create an instance of ST, then map various VLANs to that instance"; ex. 200 VLANs could use 2 instances to do load sharing of 100 VLANs each (lower memory and CPU requirements)

BPDU Guard
- Security mechanism of ST to protect the ST network
- ex. a hacker plugging into the switch, making it the root of the ST to analyze the traffic
How BPDU Guard works?
- Disables a port if a BPDU is received on that port (a PortFast port)
- Because a PortFast port should be connected to a user's device, it should not be connected to another switch
2 ways to configure BPDU Guard (through CLI)
1) Per interface
Switch(config-if)#spanning-tree bpduguard enable
2) Globally on the switch (applies to all PortFast/edge ports)
Switch(config)#spanning-tree portfast edge bpduguard default
__________________________________________________________
===VLAN Simulations - Section222===
Enable PortFast on all non-trunking interfaces
Switch1(config)# spanning-tree portfast default
===VLAN Simulations - Section223===
Enable PortFast on FastEthernet 0/4 and enable the interface
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/4
Switch1(config-if)# spanning-tree portfast
Switch1(config-if)# no shut
===VLAN Simulations - Section224===
Configure the spanning tree mode as Rapid PVST+ on both switches.
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# spanning-tree mode rapid-pvst
===VLAN Simulations - Section225===
Configure Switch1 as the primary root for VLAN 1
Configure Switch2 as the secondary root for VLAN 1
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# spanning-tree vlan 1 root primary
Switch2(config)# spanning-tree vlan 1 root secondary
===VLAN Simulations - Section226===
Configure the switch with the second lowest possible priority
Assume that Extended System IDs are used
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# spanning-tree vlan 1 priority 4096
===VLAN Simulations - Section226===
Configure the switch with a default gateway of 10.1.1.1
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# ip default-gateway 10.1.1.1
__________________________________________________________
CDP Cisco Discovery Protocol (however, LLDP Link Layer Discovery Protocol is the industry standard)
- Layer 2
- See how devices that are running CDP are directly connected (one hop) to each other
- Useful, but a security concern
CDP (Cisco devices ONLY) / LLDP (non-Cisco devices) Commands
==See CDP/LLDP neighbours==
R1#show cdp neighbors
or
R1#show cdp neighbors detail
[show lldp neighbors]
==Disable CDP/LLDP globally on the device==
R3(config)#no cdp run
[no lldp run]
==Disable CDP on interface f0/1==
R3(config)#int f0/1
R3(config-if)#no cdp enable
==Configure CDP==
R3(config)#cdp ___ (use ?)
__________________________________________________________
===VLAN Simulations - Section234===
Disable CDP globally on the router, but enable it on Ethernet 0
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# no cdp run
Router1(config)# int ethernet 0
Router1(config-if)# cdp enable
===VLAN Simulations - Section235===
Enter the relevant commands on the router to answer the set of questions below.
(1) What interface on R2 is connected to R1?
(2) What type of router is R5?
> Router2> en
> Router2# show cdp nei
===VLAN Simulations - Section236===
Enter the CDP command that displays information about R3 only and then answer the following questions.
> Router2# show cdp entry R3
**Note: version of CDP = advertisement version
Setting up Root and VLANs for (Picture1) - load sharing
- Switch1 is the root for vlan 1 and 10 and is a backup for vlan 20.
- Switch2 is the root for vlan 20 and a backup for vlan 1 and 10.
1) Set Switch1 to be the root for vlan 10
S1(config)#spanning-tree vlan 10 priority 0
**Remember, Priority # = prioritySetting# + VLAN#... so priority 0 on vlan 10 = priority 10
2) Set Switch2 to be the root for vlan 20
S2(config)#spanning-tree vlan 20 priority 0
3) Set Switch1 as a backup for vlan 20
S1(config)#spanning-tree vlan 20 priority 4096 (can't use increments of 1)
4) Set Switch2 as a backup for vlan 1 and 10
S2(config)#spanning-tree vlan 1 priority 4096
S2(config)#spanning-tree vlan 10 priority 4096
==Result==
Switch1(vlan1)= Desg, Desg, Desg, Desg
Switch1(vlan10)= Desg, Desg, Desg, Desg
Switch1(vlan20)= Root, Altn (BLK), Desg, Desg
Switch2(vlan1)= Root, Altn (BLK), Desg, Desg
Switch2(vlan10)= Root, Altn (BLK), Desg, Desg
Switch2(vlan20)= Desg, Desg, Desg, Desg
**Management traffic such as cdp and lldp is still transmitted and received on blocked ports (i.e. ports that are discarding)
Link Aggregation / Etherchannel (for when there are 2 links between switches - does not work if there is only 1 link)
- When there is too much traffic from Switch2 -> Switch1 or vice versa, we want to make ST see the 2 physical ports as a single port so that it doesn't block either of the ports
Switch1 =G0/1= Switch2
Switch1 =G0/0= Switch2
ex. for vlan20, G0/0 is Root/FWD but G0/1 is Altn/BLK
==Set Switch1's G0/0 and G0/1 to be link aggregation or etherchannel==
Switch1#conf t
Switch1(config)#int range g0/0-1
Switch1(config-if-range)#shutdown
Switch1(config-if-range)#switchport trunk encapsulation dot1q
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#channel-group 1 mode active
(ex. using random channel number 1 and using LACP (active))
*Note: LACP is the industry standard, PAgP is Cisco proprietary
*Note: Do not set both sides to passive (waiting for the other side to become active); one side or both sides must be active
==Set Switch1's ST on G0/0 and G0/1 to be P2p==
*Recall, P2p is like full-duplex and Shared is like half-duplex (uses timers, blocking, listening, learning and forwarding)
Switch1(config)#int range g0/0-1
Switch1(config-if-range)#spanning-tree link-type point-to-point
==Make sure it is set properly by viewing these commands==
Switch1#show etherchannel summary
Switch1#show etherchannel port-channel
*Note: Switch1or2#sh spanning-tree vlan 1/10/20 - all ports are now FWD in Desg
*Note: cost = 3 instead of 4 because it is the better path
Link Aggregation / Etherchannel (Benefits)
- Redundancy = if one of the ports goes down, the port channel will still be up
- Higher throughput = ST is not blocking one of the ports
- Load balance
*** Furthermore on "channel-group X mode ____":
active - LACP unconditional
passive - LACP only if an LACP device is detected
desirable - PAgP unconditional
auto - PAgP only if a PAgP device is detected
***
_______________________________________________________
===VLAN Simulations - Section247===
Configure a layer 2 Etherchannel between the switches as follows:
Configure interfaces fa0/23 and fa0/24 as 802.1Q trunk links between Switch1 and Switch2.
Configure the interfaces individually (fa0/23 and then fa0/24)
Set the trunk encapsulation to dot1q and then manually configure the port as a trunk port
Configure a Layer 2 EtherChannel between Switch1 and Switch2 on the inter-switch links (fa0/23 and fa0/24)
Use Port-Channel no 12 (Tip: This is number twelve)
These links should not use dynamic EtherChannel negotiation.
Switch2> en
Switch2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# int f0/23
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# int f0/24
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# int f0/23
Switch2(config-if)# channel-group 12 mode on
Switch2(config-if)# int f0/24
Switch2(config-if)# channel-group 12 mode on
===VLAN Simulations - Section248===
Configure interfaces fa0/23 and fa0/24 as 802.1Q trunk links between Switch1 and Switch2
Configure the interfaces individually.
Configure a Layer 2 EtherChannel between Switch1 and Switch2 on the inter-switch links (fa0/23 and fa0/24).
Use PAgP for dynamic negotiation
Switch1 should initiate negotiation and Switch2 should respond
Use Port-Channel no 12
**Basically... same as above except:
Switch1(config-if)# channel-protocol pagp (or lacp if it is asking for lacp)
Switch1(config-if)# channel-group 12 mode desirable
===VLAN Simulations - Section249===
Configure interfaces fa0/23 and fa0/24 as 802.1Q trunk links between Switch1 and Switch2
Configure a Layer 2 EtherChannel between Switch1 and Switch2 on the inter-switch links (fa0/23 and fa0/24)
Use LACP for dynamic negotiation
Switch1 should initiate negotiation and Switch2 should respond
Use Port-Channel no 12
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/23
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# int f0/24
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# int f0/23
Switch1(config-if)# channel-protocol lacp
Switch1(config-if)# channel-group 12 mode active
Switch1(config-if)# int f0/24
Switch1(config-if)# channel-protocol lacp
Switch1(config-if)# channel-group 12 mode active (??)
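The RSTP flags byte layout, the Proposal/Agreement exchange and the BPDU Guard reaction covered earlier in the STP notes, as an added Python example (not code from these notes or from Cisco IOS): it decodes a flags octet, builds the Agreement that answers a Proposal, and err-disables a PortFast port that receives any BPDU. The port-role encoding for bits 2-3 (1 = alternate/backup, 2 = root, 3 = designated) is taken from 802.1w, and the sample BPDU values are constructed.

```python
"""RSTP (802.1w) BPDU flags octet, the Proposal/Agreement reply and the BPDU Guard
decision from the notes above. Added example, not code from the notes or from
Cisco IOS; the sample BPDU flag values are constructed."""
from dataclasses import dataclass

# Bit layout of the flags octet as listed in the notes (bit 0 = least significant).
FLAG_TOPOLOGY_CHANGE = 1 << 0
FLAG_PROPOSAL = 1 << 1
ROLE_SHIFT = 2                   # bits 2-3 carry the sender's port role
FLAG_LEARNING = 1 << 4
FLAG_FORWARDING = 1 << 5
FLAG_AGREEMENT = 1 << 6
FLAG_TC_ACK = 1 << 7
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}  # 802.1w codes
ROLE_CODE = {name: code for code, name in PORT_ROLES.items()}
BIT_NAMES = {"topology_change": FLAG_TOPOLOGY_CHANGE, "proposal": FLAG_PROPOSAL,
             "learning": FLAG_LEARNING, "forwarding": FLAG_FORWARDING,
             "agreement": FLAG_AGREEMENT, "tc_ack": FLAG_TC_ACK}


@dataclass(frozen=True)
class RstpFlags:
    topology_change: bool
    proposal: bool
    port_role: str
    learning: bool
    forwarding: bool
    agreement: bool
    tc_ack: bool


def parse_flags(octet: int) -> RstpFlags:
    """Decode one flags octet into named fields."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("flags must be a single octet (0-255)")
    return RstpFlags(
        topology_change=bool(octet & FLAG_TOPOLOGY_CHANGE),
        proposal=bool(octet & FLAG_PROPOSAL),
        port_role=PORT_ROLES[(octet >> ROLE_SHIFT) & 0b11],
        learning=bool(octet & FLAG_LEARNING),
        forwarding=bool(octet & FLAG_FORWARDING),
        agreement=bool(octet & FLAG_AGREEMENT),
        tc_ack=bool(octet & FLAG_TC_ACK),
    )


def build_flags(role: str, **bits: bool) -> int:
    """Encode a flags octet from a port role plus keyword bits (proposal=True, ...)."""
    octet = ROLE_CODE[role] << ROLE_SHIFT
    for name, on in bits.items():
        if on:
            octet |= BIT_NAMES[name]
    return octet


def agreement_for(proposal_octet: int) -> int:
    """Step 3 of the handshake: the flags of the Agreement that answers a Proposal
    received from the root's designated port. The answering port is the root port
    and, having been unblocked in step 2, reports itself as forwarding."""
    received = parse_flags(proposal_octet)
    if not (received.proposal and received.port_role == "designated"):
        raise ValueError("only a Proposal from a designated port gets an Agreement")
    return build_flags("root", agreement=True, forwarding=True)


@dataclass
class Port:
    name: str
    portfast: bool          # edge / PortFast port that should face an end device
    bpduguard: bool         # BPDU Guard enabled on the interface or globally
    err_disabled: bool = False


def receive_bpdu(port: Port, flags_octet: int) -> str:
    """BPDU Guard: only another switch sends BPDUs, so a PortFast port with BPDU
    Guard is err-disabled on any BPDU, whatever its flags. Other ports process it."""
    parse_flags(flags_octet)            # reject malformed input before deciding
    if port.portfast and port.bpduguard:
        port.err_disabled = True
        return "err-disabled"
    return "processed"


# Constructed sample: a Proposal from the root's designated port (step 1).
ROOT_PROPOSAL = build_flags("designated", proposal=True, forwarding=True)  # 0x2E

if __name__ == "__main__":
    print(parse_flags(ROOT_PROPOSAL))
    print(hex(agreement_for(ROOT_PROPOSAL)))                          # 0x68
    print(receive_bpdu(Port("f0/4", portfast=True, bpduguard=True), ROOT_PROPOSAL))
```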
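Returning to the per-VLAN root/backup setup above (Switch1 root for vlan 1 and 10, Switch2 root for vlan 20), an added Python example that is not code from these notes: it computes the priority field with the extended system ID and elects the root and backup per VLAN. The switch MAC addresses and the third switch are constructed, and root_primary_priority() encodes the 24576 / minus-4096 rule of the root primary macro, which is IOS behaviour the notes do not spell out.

```python
"""Per-VLAN root election with the extended system ID (PVST+ / Rapid PVST+),
replaying the load-sharing setup in the notes: Switch1 root for VLANs 1 and 10,
Switch2 root for VLAN 20, each backing up the other.
Added example, not code from the notes; switch MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIORITY_STEP = 4096      # the low 12 bits hold the VLAN ID, so only steps of 4096
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576      # what "spanning-tree vlan X root primary" normally sets
ROOT_SECONDARY = 28672    # what "spanning-tree vlan X root secondary" sets


def bridge_priority(configured: int, vlan: int) -> int:
    """Effective priority = configured priority + VLAN ID (extended system ID),
    e.g. priority 0 on VLAN 10 gives 10, priority 4096 on VLAN 20 gives 4116."""
    if configured % PRIORITY_STEP or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return configured + vlan


def root_primary_priority(lowest_in_topology: int) -> int:
    """Priority picked by the 'root primary' macro: 24576, or 4096 below the
    current root if that one is already lower (documented IOS behaviour)."""
    if lowest_in_topology > ROOT_PRIMARY:
        return ROOT_PRIMARY
    if lowest_in_topology >= PRIORITY_STEP:
        return lowest_in_topology - PRIORITY_STEP
    raise ValueError("current root already uses priority 0; set the priority manually")


@dataclass
class Switch:
    name: str
    mac: str                                                  # constructed, dotted hex
    priorities: Dict[int, int] = field(default_factory=dict)  # vlan -> configured priority

    def bridge_id(self, vlan: int) -> Tuple[int, int]:
        """Bridge ID = (priority field, MAC). Lowest wins; the MAC breaks ties."""
        configured = self.priorities.get(vlan, DEFAULT_PRIORITY)
        return bridge_priority(configured, vlan), int(self.mac.replace(".", ""), 16)


def elect_root(switches: List[Switch], vlan: int) -> Tuple[str, Optional[str]]:
    """Return (root, backup) for one VLAN; the backup is the next-lowest bridge ID."""
    ranked = sorted(switches, key=lambda s: s.bridge_id(vlan))
    backup = ranked[1].name if len(ranked) > 1 else None
    return ranked[0].name, backup


def load_sharing_plan(switches: List[Switch], vlans: List[int]) -> Dict[int, Tuple[str, Optional[str]]]:
    return {vlan: elect_root(switches, vlan) for vlan in vlans}


# Constructed lab: the "spanning-tree vlan N priority ..." commands from the notes
# (vlan 1 on Switch1 assumed at priority 0 from the earlier root primary step),
# plus a third switch left at the default priority.
SWITCH1 = Switch("Switch1", "0000.0c00.0001", {1: 0, 10: 0, 20: 4096})
SWITCH2 = Switch("Switch2", "0000.0c00.0002", {1: 4096, 10: 4096, 20: 0})
SWITCH3 = Switch("Switch3", "0000.0c00.0003")
LAB = [SWITCH1, SWITCH2, SWITCH3]

if __name__ == "__main__":
    for vlan, (root, backup) in load_sharing_plan(LAB, [1, 10, 20]).items():
        print(f"vlan {vlan}: root={root} backup={backup}")
```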
===VLAN Simulations - Section250===
Configure interfaces fa0/23 and fa0/24 on Switch1 and Switch2 as a Layer 3 EtherChannel.
Use Port-Channel no 12 and subnet 172.16.10.0/24
Switch1 = 172.16.10.1 and Switch2 = 172.16.10.2
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# interface port-channel 12
Switch1(config-if)# no switchport
Switch1(config-if)# ip address 172.16.10.1 255.255.255.0
Switch1(config-if)# int f0/23
Switch1(config-if)# no switchport
Switch1(config-if)# channel-group 12 mode on
Switch1(config-if)# int f0/24
Switch1(config-if)# no switchport
Switch1(config-if)# channel-group 12 mode on
~The "no switchport" command puts the interface in L3 mode (known as a "routed port") and makes it operate more like a "router interface" than a "switch port".
_____________________________________________
*Recall, if a port's link-type is "Shared", we can make convergence faster by making the port a portfast port
Switch3(config)#int g0/2
Switch3(config-if)#spanning-tree portfast
**Summary: To optimize your ST
1) Set all links to P2p Point-to-point
2) Set your edge ports (industry) / portfast (Cisco) (ports connected to your edge devices) as Shared Edge
**Turning an interface (or switch) into a router
Switch1(config-if)#no switchport
*With routers, you can set an IP address on interfaces (ex. g0/0), but with switches, you can only set IP addresses on VLANs
==Enable eigrp==
Switch1#conf t
Switch1(config)#router eigrp 1
Switch1(config-router)#network 0.0.0.0
==Configure Layer 3 switch Switch1 to allow routes to be advertised to Layer 3 switch Switch2 and vice versa==
Switch1#conf t
Switch1(config)#router eigrp 100
Switch1(config-router)#network 0.0.0.0
Switch1(config-router)#no auto-summary
Switch2#conf t
Switch2(config)#router eigrp 100
Switch2(config-router)#network 0.0.0.0
Switch2(config-router)#no auto-summary
**Summary of Switches & Routers:
- switchport is a Layer 2 interface
- no switchport is a router Layer 3 interface
- a switch's IP address is configured via a vlan (ex. vlan1)
- a router's IP address is configured via interfaces (ex. g0/0)
- router ports do not run vlans, STP, DTP
- routers' interfaces are shut down by default
- routers block broadcasts by default
*router ports are used between routers and switches
*vlans and switchports are used when traffic needs to be tagged throughout the network
==Create vlan 2 & 3, then place interface g0/0 in vlan2 and g0/1 in vlan3==
Switch(config)#vlan 2
Switch(config-vlan)#vlan 3
Switch(config-vlan)#end
Switch#config t
Switch(config)#int g0/0
Switch(config-if)#switchport access vlan 2
Switch(config-if)#int g0/1
Switch(config-if)#switchport access vlan 3
==Set IP addresses for the vlans on SWITCHES==
Switch(config)#int g0/0
Switch(config-if)#ip address 10.1.2.254 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#int g0/1
Switch(config-if)#no shut
Switch(config-if)#ip address 10.1.3.254 255.255.255.0
==Set IP address for the vlans on the PC==
PC(config)#int g0/0
PC(config-if)#no shut
PC(config-if)#ip address 10.1.2.1 255.255.255.0
PC(config-if)#exit
PC(config)#no ip routing [[since it is acting as a PC but is really a router]]
PC(config)#ip default-gateway 10.1.2.254
==To enable layer 3 IP routing==
Switch(config)#ip routing
==Random troubleshooting - Show commands==
Switch1#show cdp neighb
Switch1#show ip interface brief
Switch1#show ip protocols
Switch1#show ip eigrp int
Switch1#show interface trunk
Switch1#show vlan brief
Switch1#show vtp status
Switch1#show controllers serial X
Switch1#show mac address-table
Switch1#debug ip icmp
Routed vs Routing Protocols
1) Routed - IPv4, IPv6
- Carry user information
?- Each router makes an independent decision in determining the path
2) Routing - EIGRP (bandwidth & delay), OSPF (bandwidth), RIP (hop count), ISIS, BGP Border Gateway Protocol (largest in the world)
- Determine the best route between networks - choose the best path
- Routing protocols are used to automatically advertise routes between networks; that's how routers learn about the available networks in a topology
- If a router receives traffic going to IP address A.A.A.A, but A.A.A.A doesn't match a network in the router's routing table, the packets will be dropped
- Applies specifically to unicast routing based on the destination IP address
Routed Protocols
- Are independent of each other
- IPv4 could be in a different subnet while IPv6 is in the same subnet. Therefore, even if the IPv6 hosts can ping each other, IPv4 might not be able to
- "ships in the night" - what one ship is doing at night is different from what another ship is doing at night
- Dynamic Routes - use routing protocols EIGRP, OSPF, BGP...
- EIGRP - Cisco Proprietary
- OSPF - Industry Standard - multivendor
Default route - similar to a default gateway, a special static route. When a router does not know where to send a packet, the default route points the router to a gateway of last resort
3 Systems
1) AS Autonomous System
- Grouping of networks under one administrative domain
2) IGPs Internal Gateway Protocols
- RIP, EIGRP, OSPF
- Routing protocols used within an AS
- These
3) EGP External Gateway Protocols
- BGP Border Gateway Protocol
- Routing protocol used between ASes, going through the ISP
To use BGP:
- You must have/apply for an AS number, similar to an IP Address
Routing Protocols:
1) Distance Vector - like road signs giving direction
- Determines direction (next hop address) and distance (hop count)
- Routing by rumour (could make bad choices based on word of mouth)
Algorithm: Bellman-Ford algorithm (relies on periodic updates and triggers)
Advantage: Easy to configure
Disadvantage: Limited visibility (only knows what neighbours tell it - routing by rumour), does not know the entire path
2) Link State
- Each router originates information about itself, its directly connected links and the state of those links; this is then advertised to all routers in its area
- These routers make a copy of this information so all routers share the same information
Algorithm: SPF Shortest Path First
Advantage: Visibility of the entire network
Disadvantage: Difficult to configure, requires more memory
3) Advanced Distance Vector
- EIGRP: takes the best of distance vector (easy to configure) and forms neighbour relationships (similar to a Link State protocol)
Advantage: Easy to configure, updates quickly
Disadvantage: Cisco Proprietary
4) Administrative Distance
? If 2 routing protocols conflict, which way does the router forward traffic? The router uses the route with the lowest Administrative Distance ?
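How the route choice described above plays out, as an added Python example (not code from these notes): longest match first, then the lowest administrative distance for identical prefixes, equal entries load-balanced, and 0.0.0.0/0 as the gateway of last resort. The AD values are the defaults these notes list and the routing table is constructed.

```python
"""Routing-table lookup following the rules in these notes: longest prefix match
first, then lowest administrative distance for identical prefixes, equal entries
load-balance, and 0.0.0.0/0 is the gateway of last resort.
Added example, not code from the notes; the routing table is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances listed in these notes.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
                  "ospf": 110, "rip": 120, "ibgp": 200, "unknown": 255}


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "5.5.5.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    source: str                      # key into ADMIN_DISTANCE
    distance: Optional[int] = None   # explicit AD, e.g. "ip route ... 100" (floating static)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)

    @property
    def ad(self) -> int:
        return ADMIN_DISTANCE[self.source] if self.distance is None else self.distance


def lookup(table: List[Route], destination: str) -> List[Route]:
    """Routes that forward traffic to destination. Two or more returned routes mean
    equal-cost load balancing; an empty list means no match and no default route,
    so the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)        # rule 1: most specific
    specific = [r for r in matching if r.network.prefixlen == longest]
    lowest_ad = min(r.ad for r in specific)                      # rule 2: believe the lowest AD
    return [r for r in specific if r.ad == lowest_ad]


def next_hops(table: List[Route], destination: str) -> List[str]:
    return sorted(r.next_hop for r in lookup(table, destination))


# Constructed table mirroring the examples in the notes.
TABLE = [
    Route("5.5.5.0/24", "10.1.1.2", "ospf"),
    Route("5.5.5.5/32", "10.1.1.3", "rip"),          # /32 beats the /24 despite RIP's higher AD
    Route("10.1.2.0/24", "10.1.1.2", "eigrp"),
    Route("10.1.2.0/24", "10.1.1.4", "rip"),         # same prefix: EIGRP (90) beats RIP (120)
    Route("7.7.7.0/24", "10.1.1.2", "static"),
    Route("7.7.7.0/24", "10.1.1.3", "static"),       # two equal entries: load balancing
    Route("0.0.0.0/0", "192.168.0.254", "static"),
    Route("0.0.0.0/0", "192.168.0.253", "static", distance=100),  # floating backup default
]
TABLE_NO_DEFAULT = [r for r in TABLE if r.prefix != "0.0.0.0/0"]

if __name__ == "__main__":
    for dst in ("5.5.5.5", "5.5.5.9", "10.1.2.7", "7.7.7.1", "8.8.8.8"):
        print(dst, "->", next_hops(TABLE, dst))
    print("8.8.8.8 without a default route ->", next_hops(TABLE_NO_DEFAULT, "8.8.8.8"))
```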
Order of belief (range: 0-255)
(1) itself - administrative distance = 0
(2) next hop = 1
(3) Internal EIGRP = 90
(4) OSPF = 110
(5) RIP = 120
(6) Unknown = 255
- EIGRP is lower because it considers bandwidth and delay, whereas RIP only takes hop count into consideration
Classful routing
- Does not advertise the subnet mask to other routers (/24? /8?)
- Assumes consistency of the subnet mask
- Not scalable or deployable - this is why RIPv1 is no longer used
~Auto Summarization: when moving from Class A 10.1.1.0/24 to Class B, it will summarize its advertisement as 10.0.0.0/8 because it is a Class A network
Classless routing
- Advertises the subnet mask
- Supports VLSM Variable Length Subnet Mask (the mask does not have to be the same)
- Summary routes can be manually configured
**Distance Vector vs Link State routing protocol
Distance Vector = Road sign
Link State = Road map
Link State routing protocol
- Floods the network with LSAs Link State Advertisements
- Runs the SPF Shortest Path First algorithm from their own perspective to the destination against the topological database (all routers in an area share the same database with all the links and link states), then puts the best route into their routing table
- OSPF, ISIS Intermediate System to Intermediate System
OSPF Hierarchy
- Breaks a single AS into multiple areas; as a result:
1) reduction in routing table size
2) hides internal changes (does not need to rerun the SPF algorithm when a network goes down)
3) reduces flooding
- AS "border routers" connect OSPF to an external AS
- AS routers within the border are "backbone/internal routers"
- "LSAs Link State Advertisements" are contained within their area
- "Summary LSAs" are propagated to other areas
Link State routing (Benefits)
- Fast convergence
- Less susceptible to routing loops because of their greater visibility of the network
- Link State packets are sequenced and acknowledged (if not received, they will be retransmitted)
- Hierarchical design enables optimization of resources
- Can scale better than distance vector routing protocols
Link State routing (Drawbacks)
- Demands more resources (memory, CPU)
- Configuration and design can be complex
==Configure static route==
Topology: R1 f0/0 (10.1.1.1/24) <-> R2 f0/0 (10.1.1.2/24) <-> R2 f0/1 (10.1.2.1/24) <-> R3 f0/0 (10.1.2.2/24) <-> R3 Loopback (3.3.3.3/32)
R1#show ip route
->FORWARD
R1#conf t
R1(config)#ip route destinationNetwork subnetMask nextHopIPAddress
R1(config)#ip route 10.1.2.0 255.255.255.0 10.1.1.2
<-BACKWARD
R3#conf t
R3(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
==Configure static route for R2 to R3 Loopback==
R2#conf t
R2(config)#ip route 3.3.3.3 255.255.255.255 10.1.2.2
**Note this also works, but matches other addresses too... so watch out: ip route 3.3.3.0 255.255.255.0 10.1.2.2
==Disable the above static route==
R2(config)#no ip route 3.3.3.3 255.255.255.255 10.1.2.2
==Next hop command==
R2#show ip cef
==Ping with a source address==
R1#ping x.x.x.x source y.y.y.y
Router Configurations
==Enable DNS and set it to DNS server 8.8.8.8==
R1#conf t
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
==Set default route==
R1(config)#ip route 0.0.0.0 0.0.0.0 yourNextHopRouter
==Set next hop router as gateway of last resort 192.168.0.254==
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.254
==Set administrative distance to 100 (default is 1)==
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.254 enterAdminDistanceHere
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.254 100
**If IP routing is enabled on a switch, we use a routing protocol
**If IP routing is disabled on a switch, we use ip default-gateway to allow the switch to send traffic to a remote subnet
==Layer 2 Switch (no ip routing - disabled by default) - requires==
S1(config)#ip default-gateway 10.1.1.254
==Layer 3 Switch (ip route) - requires==
S1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
**Traffic will only route to the longest match (i.e. it will choose 5.5.5.5 255.255.255.255 over 5.5.5.0 255.255.255.0)
**If there are 2 equal entries (5.5.5.5 255.255.255.255 & 5.5.5.5 255.255.255.255), then they will be load balanced - each path will get an entry
RIP Routing Information Protocol
- Small Business
- Distance Vector routing protocol
- Determines the best path based on hop count (limited to 15 hops)
- Allows for load balancing across equal paths (4 is the default)
- Easy to configure, not scalable, not power demanding
- Sends updates by default every 30s
- Default RIP multicast address 224.0.0.9
- RIP uses UDP port 520
==Enable RIP v2==
R1#conf t
R1(config)#router rip
R1(config-router)#version 2
==Setup RIP v2 Networks==
R1(config-router)#network 1.0.0.0
R1(config-router)#network 10.0.0.0
**Any interface on the router within the network range will be assigned RIP automatically through classful boundaries
==Disable auto-summary - for network IP address conflicts==
ex. R1 loopback is 1.1.1.1/32 (network 1.0.0.0) and R3 loopback is 1.1.1.2/32 (network 1.0.0.0) and R2 is between R1 and R3.
R1(config-router)#no auto-summary
==Stop a router's interface f0/1 from advertising routes, but still allow it to receive routes==
R1(config-router)#passive-interface f0/1
==Advertise a router as the default, gateway of last resort==
*R1<->R2<->R3(f0/1)<->Internet
*Now, R3 is automatically set for R1 and R2 as the gateway of last resort
R3(config-router)#default-information originate (advertise default route to all routers)
==Enable DHCP==
R3(config-router)#int f0/1
R3(config-if)#ip address dhcp
==Enable DNS==
R3(config-if)#exit
R3(config)#ip domain-lookup (enable DNS)
R3(config)#ip name-server 8.8.8.8 (setting DNS)
==Change RIP timers==
R3(config)#router rip
R3(config-router)# timers ______
**General rule of thumb: don't change timers. If timers are changed, make them all consistent
==Misc==
R3#debug ip rip
R3#sh ip route
R3#sh ip rip database
R3#sh ip protocols
R3#sh run | section rip
__________________________________________________________
===VLAN Simulations - Section303===
Enable RIP on the routers in the diagram
Advertise the FastEthernet (192.168.1.1) interface first and then the Serial interface (10.1.1.1)
Set RIP to version 2
Ensure that Router1 advertises routes correctly
...
Advertise the FastEthernet (192.168.2.1) interface first and then the Serial interface (10.1.1.1)
Advertise the FastEthernet (192.168.3.1) interface first and then the Serial interface (10.1.1.1)
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router rip
Router1(config-router)# network 192.168.1.0
Router1(config-router)# network 10.0.0.0
Router1(config-router)# version 2
Router1(config-router)# int s0/1
Router1(config-if)# no ip split-horizon
Router2> en
Router2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# router rip
Router2(config-router)# network 192.168.2.0
Router2(config-router)# network 10.0.0.0
Router2(config-router)# version 2
...
Router3(config)# router rip
Router3(config-router)# network 192.168.3.0
Router3(config-router)# network 10.0.0.0
Router3(config-router)# version 2
===VLAN Simulations - XX ===
> Display the routing protocols enabled on the router
Router1> en
Router1# show ip protocols
> Display the routing table
Router1> en
Router1# show ip route
> Display RIP updates in real time
Router1> en
Router1# debug ip rip
===VLAN Simulations - 308 ===
Enable RIP
An IP address of 172.16.1.24 /16 is configured on Ethernet 0. Advertise this network in RIP. Set the RIP version to 2.
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router rip
Router1(config-router)# network 172.16.0.0
Router1(config-router)# version 2
===VLAN Simulations - 308 ===
Enable RIP on Router1 only. Router2 has already been configured.
An IP address of 172.16.1.1/24 is configured on Ethernet 0/0. Advertise this network in RIP.
An IP address of 10.10.10.10/24 is configured on Serial 1/0. Advertise this in RIP
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router rip
Router1(config-router)# network 172.16.0.0
Router1(config-router)# network 10.0.0.0
_____________________________________________
==InterVLAN routing==
PC1 <-> Switch <-> PC2
          ^R1
Configure PC1 with 10.1.2.1 /24 in VLAN2
Configure PC2 with 10.1.3.1 /24 in VLAN3
Configure R1 with 10.1.1.254 /24 in VLAN1, 10.1.2.254 /24 in VLAN2, 10.1.3.254 /24 in VLAN3
Make sure PC1 can ping PC2 using R1 as a "router on a stick"
PC1>ip 10.1.2.1 255.255.255.0 10.1.2.254
PC2>ip 10.1.3.1 255.255.255.0 10.1.3.254
R1>en
R1#conf t
R1(config)#int f0/0.1
R1(config-subif)#encapsulation dot1q 1 native (need to configure this VLAN first)
R1(config-subif)#ip address 10.1.1.254 255.255.255.0
R1(config-subif)#int f0/0.2
R1(config-subif)#encapsulation dot1q 2
R1(config-subif)#ip address 10.1.2.254 255.255.255.0
R1(config-subif)#int f0/0.3
R1(config-subif)#encapsulation dot1q 3
R1(config-subif)#ip address 10.1.3.254 255.255.255.0
__________________________________________________________
===VLAN Simulations - Section313===
Configure the SVI for VLAN 10 with IP address 10.1.1.1 255.255.255.0
Configure the SVI for VLAN 20 with IP address 10.2.2.1 255.255.255.0
Enable ip routing on the switch
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int vlan 10
Switch1(config-if)# ip address 10.1.1.1 255.255.255.0
Switch1(config-if)# int vlan 20
Switch1(config-if)# ip address 10.2.2.1 255.255.255.0
Switch1(config-if)# ip routing
__________________________________________________________
===VLAN Simulations - Section314===
**Note: Routed Port = Access Port
Configure Fa0/10 on Switch1 as a routed port
Use the ip address 10.1.1.1 255.255.255.0 on interface Fa0/10
Switch1> en
Switch1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# int f0/10
Switch1(config-if)# no switchport
Switch1(config-if)# ip address 10.1.1.1 255.255.255.0
__________________________________________________________
Classful networks A,B,C
- Not scalable
- RIPv1, IGRP
CIDR Classless Interdomain Routing
- Scalable
- Based on VLSM Variable Length Subnet Mask
- **RIPv2, **EIGRP, OSPF
**Act as Classful by default; you need to use the "no auto-summary" command
Summarization
- Instead of sending all of the advertisements of IPs on a network to another network, we can send a single advertisement
- Hides topology: if a single router goes down inside a network, the other network won't know about it
---ex. 10.1.10.0/24 - 10.1.200.0/24 can be summarized into network 10.1.0.0 /16. Full connectivity can remain established with 10.1.0.0 /16
---ex. 172.16.32.0/24 - 172.16.63.0/24 can be viewed as follows...
172.16.32.0 = 172.16. 0010 0000 . 0
172.16.63.0 = 172.16. 0011 1111 . 0
So... we have 0010, or 32. Therefore, the summary address will be 172.16.32.0 /19
---ex. 172.16.64.0/24 - 172.16.127.0/24... NOTICE....
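Both the manual summarization worked just above and the auto-summarization note earlier (10.1.1.0/24 advertised as 10.0.0.0/8 at the class boundary), as one added Python example that is not code from these notes: it finds the longest run of leading bits shared by the first and last network, and extra_subnets() makes a check the notes only imply, that a summary can over-reach (10.1.10.0-10.1.200.0 as 10.1.0.0/16 does). The address ranges are the ones the notes use.

```python
"""Route summarization as worked in the notes: the longest run of leading bits
shared by the first and last network, plus the classful (auto) summary that a
classful protocol advertises across a class boundary.
Added example, not code from the notes; the ranges are the ones the notes use."""
import ipaddress


def binary_octets(address: str) -> str:
    """Dotted binary view, the way the notes lay out 172.16.32.0 vs 172.16.63.0."""
    return ".".join(f"{int(o):08b}" for o in address.split("."))


def common_prefix_length(first: str, last: str) -> int:
    """Number of leading bits shared by two IPv4 addresses (0-32)."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    length = 32
    while length > 0 and (a >> (32 - length)) != (b >> (32 - length)):
        length -= 1
    return length


def summarize_range(first_network: str, last_network: str) -> str:
    """Single summary prefix covering every network from first to last
    (e.g. 172.16.32.0 .. 172.16.63.0 -> 172.16.32.0/19)."""
    if int(ipaddress.IPv4Address(first_network)) > int(ipaddress.IPv4Address(last_network)):
        raise ValueError("first network must not be above last network")
    length = common_prefix_length(first_network, last_network)
    return str(ipaddress.ip_network(f"{first_network}/{length}", strict=False))


def extra_subnets(first_network: str, last_network: str, subnet_bits: int = 24) -> int:
    """How many /subnet_bits networks the summary advertises that lie outside the
    real range. 0 means the summary is exact; the /16 for 10.1.10.0-10.1.200.0 is not."""
    summary = ipaddress.ip_network(summarize_range(first_network, last_network))
    span = int(ipaddress.IPv4Address(last_network)) - int(ipaddress.IPv4Address(first_network))
    wanted = span // 2 ** (32 - subnet_bits) + 1
    covered = 2 ** (subnet_bits - summary.prefixlen) if subnet_bits >= summary.prefixlen else 1
    return covered - wanted


def classful_network(address: str) -> str:
    """Auto-summarization target when a route crosses a classful boundary:
    class A -> /8, class B -> /16, class C -> /24."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    elif first_octet < 224:
        length = 24
    else:
        raise ValueError("class D/E addresses have no classful summary")
    return str(ipaddress.ip_network(f"{address}/{length}", strict=False))


if __name__ == "__main__":
    ranges = (("172.16.32.0", "172.16.63.0"), ("172.16.64.0", "172.16.127.0"),
              ("10.1.10.0", "10.1.200.0"))
    for first, last in ranges:
        print(binary_octets(first), binary_octets(last), "->", summarize_range(first, last),
              "extra /24s:", extra_subnets(first, last))
    print(classful_network("10.1.1.0"))
```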
** It's always just the first bit, therefore 172.16.64.0 /18 Classful Routing - assumes everyone is using the same network mask, summary routes are automatic Pge p 5.txt Classless Routing - includes networkmask, summary routes can be manually configured Auto Summarization occurs when: - Cross classful boundaries class A/B/C - Cross major network boundaries 10.0.0.0 to 11/12.0.0.0 How will a router choose its route? 1) Choose longest match -> Most specific. /27 is more specific than /16 2) If IP address and mask is all the same, then it will be decided by lowest administrative distance (EIGRP > OSPF > RIPv2) ==Enable OSPF== R1#config t R1(config)#router ospf 1 R1(config-router)#network 0.0.0.0 255.255.255.0 area 0 ==Enable EIGRP== R1(config)#router eigrp 1 R1(config-router)#network 0.0.0.0 ==Show commands== R1#show ip route R1#show ip bgp summary R1#show ip bgp neigh ==No shutdown bgp neighbour== R1(config)#router bgp 1 R1(config-router)#no neighbor 10.1.1.2 shutdown Administrative distance eBGP = 20 EIGRP = 90 OSPF = 110 RIP = 120 iBGP = 200 "Rib Failure" - from 'show ip bgp' indicates a route learned from a neighbor has lower administrative distance (static or other IGP Internet Gateway Protocol) in the routing table, therefore BGP route has failed to install into IP routing table (RIB Routing Information Base) First Hop Redundacy Protocols **Think of your PC having 2 default gateways, but 2 default gateways is set on the switch/router rather than the PC itself - Provides hop redundacy - incase one network gateway goes down, there is a second gateway available through the use of a standby virtual router - Highest priority (100 is default, therefore we will set 200 as the highest priority) will be the 'active forwarder/router' for the VLAN 1) HSRP Hop Standby Routing Protocol - Cisco Proprietary 2) VRRP Virtual Router Redundacy Protocol - Industry standard Pge p 5.txt ==Set HSRP Active== We want to set Switch1 as the active forwarder (priority of 200, default = 
100) for VLAN 10 (10.1.10.254/24) and Switch2 Switch1#conf t Switch1(config)#int vlan 10 Switch1(config-if)#standby groupNumber (random) ip (ipAddressOfVlan) Switch1(config-if)#standby 1 ip 10.1.10.254 Switch1(config-if)#standby 1 priority 200 Switch1(config-if)#standby 1 preempt (makes sure Switch1 is the active forwarder when it is up. If it goes down and back up, it will force itself to be the active forwarder) ==Confirm this== Switch1#show standby **Because the router is virtual, it also gets a virtual HSRP MAC Address 0000.0c07.ac(hexadecimalOfGroup#) **Virtual routers can use the same MAC address for mutliple VLANs because its Layer 2 Switch1#show running interface vlan 10 ==Set HSRP Secondary== Switch2#conf t Switch2(config)#int vlan 10 Switch2(config-if)#standby groupNumber (random) ip (ipAddressOfVlan) Switch2(config-if)#standby 1 ip 10.1.10.254 *Optional*Switch2(config-if)#standby 1 priority 100 ==Change standby timers for quicker switchover== Switch2(config-if)#standby 1 timers 1 3 NTP Network Time Protocol - UDP port 123 - Unicast, multicast, broadcast ==Setting NTP Client time/date [Manual]== [Privledge mode] R1#clock set 23:04:00 16 August 2016 [GlobalExe mode] R1(config)#clock timezone GMT 0 [GlobalExe mode] R1(config)#clock summer-time randomName recurring last Sun March 1:00 last Sun 1:00 ==Setting NTP Master time/date [Manual]== **Loopback is good for this because Loopback doesn't go down R2#conf t R2(config)#ntp master 10 R2(config)#ntp source loopback 0 (IP 3.3.3.3) **# is 1-15. 
The lower the #, the closer to the atomic source
==Confirm this==
R2#sh ntp associations

==Setting time/date [Auto with NTP Master]==
R1#conf t
R1(config)#ntp server 3.3.3.3

SPAN Switch Port Analyzer
- Mirror / monitor a port or VLAN by either sending that port's traffic to another port, or sending VLAN1's traffic to another port
- Makes copies of Ethernet frames
Remote SPAN
- Copies Ethernet frames from a local switch to a remote switch

==Setup SPAN (monitor)==
> Capture data that goes through Switch1 vlan 1, then send it to port f1/0/5
S1#conf t
S1(config)#monitor session [randomNumberIsSwitchDependent**]
S1(config)#monitor session 1 source vlan 1 both [both = sent and received]
S1(config)#monitor session 1 destination interface fastEthernet 1/0/5
> Setup session 2 in a similar way, and move the destination to session 2
S1(config)#monitor session 2 source interface f1/0/3
S1(config)#no monitor session 1 destination interface fastEthernet 1/0/5
S1(config)#monitor session 2 destination interface fastEthernet 1/0/5
**Remember, a SPAN destination port can only be used in a SINGLE SESSION

==Confirm==
S1(config)#do sh run | i monitor
S1#show monitor

==Setup SPAN on 2 interfaces==
> Capture RECEIVE ONLY on both f1/0/3 and f1/0/1
S1#conf t
S1(config)#monitor session 1 source interface fastEthernet 1/0/3 , fastEthernet 1/0/1 rx

==Disable SPAN (monitor)==
S1(config)#no monitor session 1

==Allow SPAN traffic==
**By default, a SPAN destination port's MAC address is removed, therefore ingress traffic is not accepted
S1(config)#monitor session 1 destination interface fastEthernet 1/0/5 ingress untagged vlan 1

SPAN overview:
- 1 SPAN destination port = 1 SPAN session at a time
- SPAN destination port =/= SPAN source port
- Multiple SPAN source ports are allowed
- 1 SPAN session cannot mix both interface and VLAN sources
- A SPAN destination port is no longer treated as an Ethernet port: its MAC address is not learned by the switch

[Protocols]
ICMP Internet Control Message Protocol
SNMP Simple Network Management Protocol
SNMP Traps - SNMP traps are alert messages sent from a remote SNMP-enabled device to a central collector, the "SNMP manager"
Syslog
WMI Windows Management Instrumentation
MIB Management Information Base
Object Identifier
Performance Counter
NPM Network Performance Management

2 types of Network Management Protocols *****USE BOTH*****
> NMS Network Management System
1) Query-based Network Management Protocol
**NMS sends a query to extract information, then waits for the response
[Advantage] Reliable - queries and waits for the return message
[Disadvantage] Slow to react = could be queried/polled every 5 minutes, therefore it could take 5 minutes before action
- If the NMS queries and does not get a response -> problem
- a.k.a. polling-based Network Management - can be scheduled, with a set frequency
2) Event-based
**NMS listens for possible announcements/events
- Syslog, SNMP trap based
[Disadvantage] Not reliable - passively waiting, event errors might not arrive
[Advantage] Acts quickly = immediate, once the event has taken place (SNMP trap)
*****USE BOTH*****

Network Availability
- 5 9s -> 99.999% ~ 5 minutes of downtime a year
- 4 9s -> 99.99% ~ 52 minutes of downtime a year

Collect data remotely
- Distributed NMP Network Management Architecture vs single centralized NMS
~ Multiple data centres and multiple copies of NPM forward to the EOC Enterprise Operation Console

Network Reachability
- SNMP & ICMP (important to the NMP Network Management Protocol) may be blocked by network engineers - reliability issue
> Bypass this by allowing certain subnets through
> Bypass this by allowing the Management VLAN with ACL and firewall rules disabled

NMP Network Management Protocol [SolarWinds]
Fault Management -> uses ICMP/ping.
If no ping response, then the NMS assumes the device is down
[Orion] Fault Management -> If no ping response, the device is placed in 'Mode Warning Stage', then Orion will 'fast poll' the device: it monitors the device for 120s before Orion notifies you the device is down

NMS vs SNMP
NMS (ICMP/Ping): no ping response, assumes the device is down
SNMP: queries the device; if SNMP says it is down, then the NMS can confirm it is down

ICMP/Ping vs SNMP vs WMI Windows Management Instrumentation
ICMP/ping - availability calculations, latency response timers
SNMP - everything else
WMI - checks for performance counter type values
*When the NMS sends data along with its ping request, the firewall of the device being pinged might block:
- 0 size data field
- large payload
- odd size

SNMP - UDP (port 161)

Network Protocols MIBs vs OIDs
> MIBs Management Information Bases
- Larger entity
- Used for managing entities in a network (SNMP)
- Hierarchical database / tree structure
- Each entry in a MIB is addressed with an OID
> OIDs Object Identifiers
- Included within a MIB
- Performance counters
**ex. MIBs would be used for polling statistics on a router, whereas OIDs would be polling a specific interface (object identifier) on that router
**ex. In Wireshark, captured SNMP data has 1.3.6.1.2.1.2.2.1.2.2: 46617374457468...
> MIB: 1.3.6.1.2.1.2.2.1.2.2
> OID: 46617374457468...
> These values' meaning can be determined with SolarWinds, inside NMM

Syslog Protocol Numerical Severity Code
0 Emergency: system is unusable (ex. system shutting down)
1 Alert: action must be taken immediately (ex. temperature reached)
2 Critical: critical conditions (ex. memory allocation error)
3 Error: error conditions (ex. interface up/down messages)
4 Warning: warning conditions (ex. configuration file written by SNMP request)
5 Notice: normal but significant condition (ex. line protocol down)
6 Informational: informational messages (ex. access list violation)
7 Debug: debug-level messages
ex. *Mar 1 00:06:38.895: %SYS-5-CONFIG_I: Configured from console by console
> 5 is the Syslog code

==See logging==
R1#show logging

==Change Console/Monitor Logging level==
> If you change the logging level to 5, then only 0-5 are enabled; similarly for 4, only 0-4
> Change console to 5 and monitor to 3 (error)
R1#conf t
R1(config)#logging console 5 (or notice)
R1(config)#logging monitor error (or 3)

==Disable commands being retyped in Console==
R1(config)#line console 0
R1(config-line)#no logging synchronous

==Enable OSPF debugging on adjacency events==
R1#debug ip ospf adj

==Setup passwords/Telnet to 192.168.1.223==
R2#conf t
R2(config)#line vty 0 4
R2(config-line)#login
R2(config-line)#password cisco
R2(config-line)#exit
R2(config)#enable password cisco
**By default, the terminal monitor function is turned on for the Console. However, for the monitor (cmd/VTY - via Telnet), we must use the following command: "R1#terminal monitor"

==Disable console logging==
R1#conf t
R1(config)#no logging console

==Enable Buffered Logging Level & Size==
R1#conf t
R1(config)#logging buffered 7
R1(config)#logging buffered 64000 [size]

==View the buffered log/search==
> After the buffer is turned on (off by default), you can view the log
R1#show log
R1#show log | include BDR
**Notice: logs can become quite extensive, therefore it is better to have a Syslog server

==Log content (Must have GNS3 and Kiwi Syslog enabled)==
> Kiwi Syslog server is 192.168.1.108 and trap debugging (7)
R1#conf t
R1(config)#logging 192.168.1.108
R1(config)#logging trap 7

==Add Syslog sequence number==
R1#conf t
R1(config)#service sequence-numbers
> Other functions...
R1(config)#service timestamps log datetime msec (milliseconds) year
R1(config)#service timestamps log uptime

> Cisco Router
**Currently, Cisco routers copy the entire Cisco IOS into RAM during the boot process

==Information==
R1#show version
R1#show flash
R1#show run
R1#show start
R1#erase start

==Copy running-config to flash==
R1#sh run | redirect flash:/showruntest.cfg
> To view this new file
R1#more flash:/showruntest.cfg

ROM Read-Only Memory
- ROM stores the router's bootstrap startup program, operating system software, and power-on diagnostic test programs (the POST)
- 'ROM Monitor' is used for password recovery, router disaster recovery, uploading the router OS - think 'Safe Mode'

Flash (Non-Volatile)
- Flash is erasable and reprogrammable ROM (permanent storage)
- Flash memory content is retained by the router on power-down or reload

RAM (Volatile)
- RAM on a Cisco router stores operational information such as routing tables and the running configuration file
- RAM contents are lost when the router is powered down or reloaded
- RAM holds the running configuration file
**How much RAM in R1#show version ... 239616K/22528K bytes of memory?
> 239616+22528=262144
> 262144/1024=256
> 256 MB RAM

NVRAM (Non-Volatile)
- If NVRAM is empty, you will be prompted to enter setup mode
- NVRAM holds the startup configuration file (configuration register)

Configuration Register
**16 bits
R1#show version
> Configuration register is 0x2102 (default)
> This is in hexadecimal because of '0x'
> 0010 0001 0000 0010
> The last digit is how the router boots = 'boot field'

==Change register to 0x2100==
R1(config)#config-register 0x2100
> 0x2100 is ROMMON mode, because a last digit (boot field) of 0 is ROMMON

Boot field (last digit)
0 = ROMMON
1 = ROM/Flash
2 = Cisco IOS
***Memorable for CCNA
0x2102 to 0x210F - Normal Mode
0x2101 - RxBoot Mode (boot using the first OS in flash)
0x2100 - ROMMON Mode
0x2142 - Bypass Startup Config

**Router bootup process
1) Perform POST Power-On Self-Test
2) Loads using bootstrap code (only for loading)
3) Finds Cisco IOS software - if not available, boots into ROMMON
4) OS loaded into RAM, router finds the startup configuration in NVRAM
5) This startup configuration then loads into RAM and becomes the current running configuration
6) Runs the configured IOS software

**How Cisco routers locate the boot configuration
1) Checks for the boot field
2) If no boot field, boots from Flash using the 1st IOS image
3) If no file in flash, boots from a TFTP server (using 'slop')
4) If none is available, then loads ROMMON

Cisco IOS IFS Integrated File System
==Create directory (flash) similar to Windows explorer/folders==
R1#mkdir flash:/test (make directory)
==Redirect running-config to that flash file above==
R1#show running-config | redirect flash:/test/shrun.cfg
==Read that file in that directory==
R1#more flash:/test/shrun.cfg

Cisco IOS file systems
R1#show file systems
*'opaque' is for internal functions/commands
*'network' is the external file system of different servers
*'disk' is used for flash
*'nvram' is used for the start-up config
==Copy nvram file to flash==
R1#copy nvram:startup-config flash:/copystart.cfg
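The syslog section above describes the %FACILITY-SEVERITY-MNEMONIC line format, the per-destination levels (logging console 5, logging monitor 3, logging trap 7) and the sequence-number prefix. This added example (not from the notes) parses such lines and applies those levels; the first sample line is the one quoted in the notes, the others are constructed in the same format.

```python
import re
from typing import Dict, List, Optional

# Severity keywords as IOS names them, plus the short forms the notes type
# ("logging console 5 or notice", "logging monitor error or 3").
LEVEL_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "error": 3,
    "warnings": 4, "warning": 4, "notifications": 5, "notice": 5,
    "informational": 6, "info": 6, "debugging": 7, "debug": 7,
}

LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"        # optional 'service sequence-numbers' prefix
    r"(?:(?P<ts>[^%]*?):\s*)?"        # optional 'service timestamps' prefix
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Split one IOS log line into fields; None if it is not a %FAC-SEV-MNEMONIC line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def to_level(value) -> int:
    """Accept 0-7 or an IOS keyword, as 'logging console|monitor|trap' does."""
    if isinstance(value, int):
        if not 0 <= value <= 7:
            raise ValueError(f"severity out of range: {value}")
        return value
    return LEVEL_NAMES[value.lower()]


def deliver(lines: List[str], levels: Dict[str, object]) -> Dict[str, List[dict]]:
    """Per destination, return the parsed messages whose severity is at or below
    the configured level (a level of N enables 0..N, as the notes say)."""
    thresholds = {dest: to_level(lvl) for dest, lvl in levels.items()}
    out: Dict[str, List[dict]] = {dest: [] for dest in thresholds}
    for line in lines:
        msg = parse_log_line(line)
        if msg is None:
            continue  # not a syslog message (e.g. an echoed prompt)
        for dest, threshold in thresholds.items():
            if msg["severity"] <= threshold:
                out[dest].append(msg)
    return out


def include(lines: List[str], needle: str) -> List[str]:
    """Equivalent of 'show log | include <needle>' over the raw buffer."""
    return [line for line in lines if needle in line]


# Constructed sample buffer: line 1 is quoted in the notes, the rest are made up.
SAMPLE_LOG = [
    "*Mar 1 00:06:38.895: %SYS-5-CONFIG_I: Configured from console by console",
    "000123: *Mar 1 00:07:02.101: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on "
    "FastEthernet0/0 from LOADING to FULL, Loading Done",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4242) -> 10.1.2.1(23), 1 packet",
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by "
    "MAC address 0023.3300.0009 on port GigabitEthernet0/1.",
    "R1#show log",  # not a message: parse_log_line returns None
]

# The levels configured in the notes: console 5, monitor 3 (error), trap 7 to the syslog server.
LEVELS = {"console": 5, "monitor": "error", "trap": "debugging"}

if __name__ == "__main__":
    for dest, msgs in deliver(SAMPLE_LOG, LEVELS).items():
        print(dest, [m["mnemonic"] for m in msgs])
```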
==Backup IOS to TFTP Server==
R1#copy flash:insertFileNameHere tftp:insertIPAddyHere
**Note: TFTP has no security mechanism. Secure Copy (SCP) has security.

==Upgrade IOS image from TFTP server==
> Make sure flash has enough space
R1#show flash
> Copy image from TFTP to flash
R1#copy tftp: flash:
> Once done, point the boot system at the new image and reboot
R1(config)#boot system flash:fileNameHere

Cisco IOS naming conventions
ex. c2900-universalk9-mz.SPA-152.4.M1.bin
c2900 = Platform 2900 Cisco Router
universalk9 = Universal feature set
mz = File format - m (runs in RAM), z (compressed)
SPA = Special image, Production (approved production image), A (key version A, B, C)
152-4.M1 = Software version number

==Password Recovery==
**Steps (1-4) can be achieved by sending a 'break' in PuTTY to break out of the boot cycle and immediately enter ROMMON mode
1) Switch off router
2) Remove compact flash
3) Switch on router
4) In ROMMON mode, reinsert flash
rommon>confreg 0x2142
rommon>reset
5) Enter 'no' to the setup questions
Router>enable
Router#copy startup-config running-config
6) Setup a new password (old password is unknown)
Router#conf t
Router(config)#enable secret cisco
Router(config)#config-register 0x2102
Router(config)#end
Router#copy running-config startup-config
**config-register saves automatically to startup-config!!!

Cisco IOS Passwords
==Setup enable password==
> Configure UNENCRYPTED enable password of cisco
R1>en
R1#conf t
R1(config)#enable password 'cisco'
> To enable encryption (only useful against someone standing behind you. It can be decrypted with a tool)
R1(config)#service password-encryption
> Configure ENCRYPTED enable password properly of 'cisco'
**MD5 hashing, 128 bit
R1(config)#enable secret 'cisco'

==View services/ports running==
R1#show control-plane host open-ports

==Disable services==
> Disable DNS server
R1#config t
R1(config)#no ip dns server
> Disable DHCP pool test
R1(config)#no ip dhcp pool test
> Disable Telnet (should use SSH)
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
> Disable CDP Cisco Discovery Protocol
**Dangerous because R1#sh cdp neighbors reveals the neighbouring devices
R1(config)#int f0/1
R1(config-if)#no cdp enable

==Setup UserMode / Console password==
> Console password ONLY
Switch#conf t
Switch(config)#line console 0
Switch(config-line)#password cisco
Switch(config-line)#login
> Console user & password
Switch#conf t
Switch(config)#username david password cisco
Switch(config)#line console 0
Switch(config-line)#login local
> Console user with immediate privilege mode access
Switch#conf t
Switch(config)#username david privilege 15
> Set inactivity timer
Switch#conf t
Switch(config)#line console 0
Switch(config-line)#exec-timeout 5 0

==Setup VTY (Telnet) lines==
Switch1#conf t
Switch1(config)#line vty 0 4 (5 sessions, 0 1 2 3 4)
Switch1(config-line)#password cisco
Switch1(config-line)#login

==Show VTY (Telnet) lines==
Switch1#show users

==Disconnect a user from VTY line==
> TTY line 98
Switch1#clear line 98
> VTY line 0
Switch1#clear line vty 0

==Connect to VTY lines==
> Connect to 4 sessions
R1#telnet 10.1.1.2
R1#telnet 10.1.1.2
R1#telnet 10.1.1.2
R1#telnet 10.1.1.2

==Select a session==
> Show sessions
R1#show sessions
> Resume session 2
R1#2
==Disconnect session==
> Disconnect 3
R1#disconnect 3

==Enable SSH Secure Shell==
> Specific hostname and domain name
R1#conf t
R1(config)#hostname R1
R1(config)#ip domain-name cisco.com
R1(config)#username david secret cisco
R1(config)#crypto key generate rsa modulus 1024 (the larger this key, the more secure)
> Show current SSH connections
R1#show ssh

==Disable Telnet, enable only SSH==
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
// Or vice versa
R1(config-line)#transport input telnet
// Or BOTH
R1(config-line)#transport input ssh telnet

==Connect to SSH==
> Connect to 10.1.1.2 with the username david
R2#ssh -l david 10.1.1.2

==Setup MOTD Banner (Message of The Day)==
> Login banner (displays before login)
R1#conf t
R1(config)#banner login #thisIsLoginBanner#
> Exec banner (displays after login)
R1(config)#banner exec #thisIsExecBanner#
> MOTD
R1(config)#banner motd #thisIsMessageOfTheDay#

==View license==
R1#show license udi
*License UDI Universal Device Identifier = PID Product Identifier + SN Serial Number

**IOS before and current
[Before - ISR G1 Integrated Services Routers]
- By default, the universal license is loaded with basic features
- Extended features are loaded with a purchase of a new IOS
[Current - ISR G2]
- By default, the universal IOS is loaded with all features, but features are unlocked through the use of licenses

ISR G1 5 Basic IOS Images
1) IP Base - Entry level Cisco IOS image
2) IP Voice - VoIP, VoFR, IP Telephony
3) Advanced Security - IOS Firewall, IPsec, 3DES, VPN, IPS, SSH
4) SP Service Provider Services
5) Enterprise Base - IPX, AppleTalk, IPv4
ISR G1 3 Combination IOS Images
6) Advanced IP Services (3+4) - IPv6
7) Enterprise Services (4+5) - Full IBM support
8) Advanced Enterprise Services - Full Cisco IOS feature set
Problem with ISR G1 - If you only want selected features from selected IOS images, then you have to purchase Advanced Enterprise Services

**ISR G2 - CCNA needs to know this
1) IP Base (ipbaseK9) - Basic set of IOS features
2) Data (dataK9) - Supports MPLS, ATM, multiprotocols
3) Unified Communications (ucK9) - Supports VoIP and telephony
4) Security (securityK9) - Cisco Firewall, IPS, IPsec, 3DES, VPN

License Types
1) Permanent
2) Temporary - 60 days (continues to operate normally until reload - reload will revert to default)
3) Feature - features are checked for their licenses
before enabling themselves

==Load temporary license==
2921-B#conf t
2921-B(config)#license boot module c2900 technology-package uck9
2921-B(config)#end
2921-B#write

==Install license==
> Once gathered from Cisco (XML license)
2921-B#license install flash:/all_licenses.lic

==Remove license==
2921-B(config)#license boot module c2900 technology-package uck9 disable
2921-B(config)#end
2921-B#write
> Once reloaded
2921-B#license clear uck9
2921-B#conf t
2921-B(config)#no license boot module c2900 technology-package uck9 disable

==Save current license==
2921-B#license save flash:all_licenses.lic
~Cisco PAK Product Authorization Key - license key (receipt)

DHCP Snooping
**Layer 2 security feature in an Ethernet switch environment ('bootp')
- Sets trusted/untrusted ports
- Prevents rogue DHCP servers, man-in-the-middle attacks
- All ports are untrusted by default; you have to explicitly mark a specific port as trusted for DHCP snooping to allow a DHCP server on that port. If it is untrusted, the untrusted port will not be able to receive DHCP server messages
**The switch builds a DHCP Snooping Binding Database (MAC address, IP address, VLAN of host); this database can be leveraged by other security features

Dynamic ARP Inspection
- Leverages the DHCP Snooping database to protect against ARP poisoning
- Intercepts all ARP requests and replies on untrusted ports and matches them against the DHCP Snooping database

==Show DHCP leases==
R1#show ip dhcp binding

==Enable DNS on router==
R1#conf t
R1(config)#ip dns server
R1(config)#ip domain-lookup

Man-in-the-middle
> Setup a rogue DHCP server and provide the IP to the user
> User -> Rogue DHCP server -> Real Gateway
1) ip route 0.0.0.0 0.0.0.0 10.1.1.254 (rogue DHCP server)
2) enable NAT (ex. if the user wants to get their router name MyRouter, then we can set 2a)
2a) rogueRouter(config)#ip host MyRouter 10.1.2.254 (MyRouter's own gateway - translating the name to an IP address)

==Enable DHCP Snooping on switch==
Switch1#conf t
Switch1(config)#ip dhcp snooping vlan 1 [enabled on VLAN1]
Switch1(config)#ip dhcp snooping [enabled globally]

==Enable trusted ports (because by default, all are untrusted)==
> Assume g0/0 on the switch faces the DHCP server
Switch1#conf t
Switch1(config)#interface g0/0
Switch1(config-if)#ip dhcp snooping trust

Port Security
- Restricts a port to a single MAC address or limits the # of MAC addresses that can be learned (1 for ex.; now hubs/APs cannot use it)
- Violation: port shutdown or frames being dropped
*"Sticky Learning" - automatically adds a learnt MAC address to the running config (you can then save the running-config to startup-config)

Port Security Violations
1) Protect - Drops packets from unknown source MAC addresses
2) Restrict - Protect + generation of a log message + security violation counters increment
3) Shutdown - Puts the port into error-disabled mode

==Setup port security==
> Show port security
S1#show port-security
S1#show port-security address

==Enable port security automatically==
> Enable port security on G0/0 automatically
**First... setup the port as an access port (or trunk port)
S1#conf t
S1(config)#int g0/0
S1(config-if)#switchport mode access [makes the port an access port]
S1(config-if)#switchport port-security [enable port-security]

==Enable port security manually==
> Enable port security on G0/1 with MAC address 0023.3300.0003
S1(config)#int g0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security mac-address 0023.3300.0003
S1(config-if)#switchport port-security
> Set violation
S1(config-if)#switchport port-security violation shutdown

==Enable port security manually - sticky==
S1(config-if)#switchport port-security mac-address sticky

==Set errdisable recovery for violations==
> Recover the port automatically after 30 secs
S1#conf t
S1(config)#errdisable recovery cause psecure-violation
S1(config)#errdisable recovery interval 30

3 A's
1) Authentication - Authentication of username and password
2) Authorization - What you are allowed to do after authentication
3) Accounting - Log of what happened on the network

IEEE 802.1X Identity-Based Authentication/Networks
- Implements identity-based networking: the user must present a username/password before they can gain access to the network
**RADIUS/TACACS+ is used between the authenticator (switch) and the authentication server

RADIUS
- Combines Authentication and Authorization
- UDP - Ports 1645, 1812
- Password encryption on single packets
TACACS+
- Cisco proprietary
- Setup which users can do what
- Authentication, then Authorization and Accounting are separate
- TCP - Port 49
- Password encryption on entire packets

TACACS Server (Before)
==Enable AAA authentication==
R1#conf t
R1(config)#line console 0
R1(config-line)#exit
R1(config)#aaa new-model [Disables OLD access control commands: login / login local no longer work]
==Setup local/backup username==
R1(config)#username david password cisco
==Direct authentication to ACS Access Control Server and setup TACACS+ key==
> ACS located at 10.1.1.1
R1(config)#tacacs-server host 10.1.1.1
> Set key-encryption password, this is used to communicate with ACS
R1(config)#tacacs-server key cisco
==Setup Authentication==
> Here, you can setup what happens when people go to enable mode, MOTD for which user, list of logins...
> default = will apply to all lines on the router - console, aux, vty, tty
> local = if the TACACS server is unavailable, then local usernames/passwords will be used
R1(config)#aaa authentication login default group tacacs+ local

****TACACS Server Groups (Modern) - CCNA exam
==Configure TACACS server groups==
> Server IP 10.1.1.1
R1#conf t
R1(config)#aaa new-model
R1(config)#username david password cisco [local backup]
> Point to the IP address of the TACACS server named 'acs'
R1(config)#tacacs server acs
R1(config-server-tacacs)#address ipv4 10.1.1.1
R1(config-server-tacacs)#key cisco
R1(config-server-tacacs)#exit
> Setup our AAA group using the TACACS server called 'acs' -> name this group 'acsgroup'
R1(config)#aaa group server tacacs+ acsgroup [nameOfGroup]
R1(config-sg-tacacs+)#server name acs
R1(config-sg-tacacs+)#exit
> Setup all lines such that 'acsgroup' is used for AAA. If unavailable, local is used
R1(config)#aaa authentication login default group acsgroup local [local is used as backup]

Switch Stacking
- TLDR: "LOGICAL - SINGLE VIRTUAL SWITCH"
***TLDR2: Stacking technologies and Chassis Aggregation Technologies...
Simplifies management, configuration and forwarding of traffic
- Multiple switches linked together to act as a single switch through 'stacking ports'
- Connected in a series (ring) - 1st switch attaches to the last switch
- Full duplex
- Single "STACK MASTER" that controls the stack
- Runs the same protocols, shares the same MAC address table, single management IP address, one configuration file; (STP, CDP, VTP) run on one switch ONLY
BENEFITS:
1) Etherchannels/Link Aggregation are created - easier/better than STP, STP has to block one port and allow another port
2) Simplified configuration and management of the network

Switch Stacking (Access Layer vs Chassis Aggregation)
1) Access Layer - stack of switches joined together via special cables - up to 8 switches
2) Chassis Aggregation - Distribution and core layers
- Does not require special cables, instead uses Ethernet interfaces between switches
- Usually 2 switches
- HA High Availability / Redundancy / Scalability (HSRP Hot Standby Router Protocol, Spanning Tree)
- Cisco VSS Virtual Switch System
BENEFIT: HA, Redundancy, Scalability
DOWNSIDE: Harder to implement, cost

Chassis Based Switch (Using Link Aggregation)
- 2 or more switches are independent of each other, but joined together
- Multiple line cards, supervisor modules and power supplies
*Supervisor Module: If one of the modules goes down, the supervisor module can take over the management of the switch
Aggregated Chassis Environment
- Similar to Chassis Based Switch, but the multiple switches become one switch
BENEFITS: STP not required because if switches are setup as R1 (2 switches in 1) + R2 (4 switches in 1), but R1 and R2 are single switches, then there is only 1 link between R1 and R2

TCP Port numbers:
20/21 FTP
22 SSH
23 Telnet
25 SMTP
80 HTTP
110 POP3
443 HTTPS SSL
UDP Port numbers:
67,68 DHCP
69 TFTP
161 SNMP
Both Port numbers:
53 DNS

ACL Access Control List
- Used to permit/deny packets moving through a router

ACL Process
**ACL goes through a sequential list (permit, deny)
**Must have at least one permit statement, otherwise you might as well unplug the cable
1) No ACL match on this line? Goes to the next line in the sequential list
- If the next line matches and permits? Permit, process stops
- If the next line matches and denies? Deny, process stops
2) No ACL match by the end of the sequential list? Implicit deny, process stops
Inbound ACL:
- ACL determines whether to allow/deny traffic before it hits the router
1) ACL -> 2) Router
Outbound ACL:
1) Router -> 2) ACL
**It is more efficient to bind an ACL for inbound traffic

ACL uses:
1) IPsec tunneling - ACL determines which routes need to be encrypted
2) Redistributing routing protocols - ACL determines which routes from a routing protocol such as EIGRP need to be redistributed. Not all EIGRP routes need to be redistributed, therefore the ACL can control which ones are redistributed
3) NAT - ACL controls which set of addresses need to be translated

Standard ACL
- Checks the source IP address ONLY
- Permits or denies the entire protocol suite
- Numbered 1-99, 1300-1999
- Names (you specify)
*Remark = ACL description in IOS
Extended ACL
- Checks the source IP address and destination IP address
- Permits or denies individual protocols, applications, ports, etc.
- Numbered 100-199, 2000-2699
- Names (you specify)

Wildcard masks
- Standard/Extended ACL
- ACLs use an inverse mask (opposite of the network mask)
Binary: 0 = match, 1 = ignore
ex. Match a specific address
"access-list 1 permit 10.1.1.1 0.0.0.0" or "access-list 1 permit host 10.1.1.1"
Address|Mask
10|0 (match)
1|0 (match)
1|0 (match)
1|0 (match)
ex. Match anything
"access-list 1 permit 0.0.0.0 255.255.255.255" or "access-list 1 permit any"
ex. Match subnet 10.1.1.anything
"access-list 1 permit 10.1.1.0 0.0.0.255"
10|0 (match)
1|0 (match)
1|0 (match)
0|255 (anything)
ex.
Ignore the last 4 bits of the last octet
"access-list 1 permit 10.1.1.0 0.0.0.15"
10|0 (match)
1|0 (match)
1|0 (match)
0|15 -> 0000 1111 (8 4 2 1 = 15), the last 4 binary bits can be set to anything
Therefore, 10.1.1.1 will match 0.0.0.15 because 0000 0001 is permitted by 0000 1111
But... 10.1.1.129 will not match 0.0.0.15 because it is 1000 0001; the issue is that the high 1000 does not match 0000

**Remember, an access list has to be bound to an interface in order for it to be active. You can create all the access lists you want, but if you don't activate them, then you might as well delete them
**Also, a non-existent access list can be bound to an interface - bad practice; do not have an access list bound if the access list does not exist
**Order of processing is important. ACL is a top-down process
ex. (b) would not be evaluated
a) access-list 1 permit any
b) access-list 1 deny host 10.1.1.1
**Standard ACL: Place ACLs closest to the destination - prevents any unwanted deny because it only accounts for the source IP
**Extended ACL: Place ACLs closest to the source - placement does not matter for correctness because it accounts for both source and destination IP along with the protocols

==Permit 10.1.1.1 in ACL==
R1#conf t
R1(config)#access-list 1 permit 10.1.1.1 0.0.0.0
==Show IP access list==
R1#show ip access-lists

==Permit 10.1.2.3 in ACL, deny everyone else on int f0/0==
R1(config)#access-list 2 permit 10.1.2.3 0.0.0.0 (or permit host 10.1.2.3)
R1(config)#int f0/0
> Set the inbound ACL to be ACL list 1, and ACL list 3 to permit all traffic
R1(config-if)#ip access-group 1 in
R1(config-if)#exit
R1(config)#access-list 3 permit any
R1(config)#int f0/0
R1(config-if)#ip access-group 3 out
> Confirm this
R1#show ip int f0/0

==Add remark==
R1(config)#access-list 5 remark (Add In Your Comment Here)
> See remark (show ip access-lists does not show it)
R1#show run | i access-list

==Standard ACL==========================================
10.1.1.1 + 10.1.1.2 <-> f0/0 R1 f0/1 <-> 10.1.2.1 server
Permit host 10.1.1.1 to server 10.1.2.1
Deny everyone else to server 10.1.2.1
Allow traffic to other servers
R1#conf t
R1(config)#access-list 4 permit 10.1.1.1 0.0.0.0
R1(config)#int f0/1
R1(config-if)#ip access-group 4 out

==Standard ACL==========================================
10.1.1.1 <-> f0/0 R1 f0/1 <-> 10.1.2.1 server
Permit subnet 10.1.1.0/24
Deny everyone else
R1#conf t
R1(config)#access-list 5 permit 10.1.1.0 0.0.0.255
R1(config)#int f0/0
R1(config-if)#ip access-group 5 in

==Standard ACL==========================================
10.1.1.1 <-> f0/0 R1 f0/1 <-> 10.1.2.1 server
Permit 10.1.1.1 to telnet to the router
Deny everyone else telnet to the router
Allow traffic anywhere else
**A standard access list has no way to permit/deny protocols; since this is telnet, we have to apply it inside the vty lines
R1#conf t
R1(config)#access-list 6 permit 10.1.1.1
R1(config)#line vty 0 4
R1(config-line)#access-class 6 in

==Extended ACL==========================================
10.1.1.1 <-> f0/0 R1 s0/0 <-> s0/0 R2 f0/0 <-> 10.1.2.1 server
Permit http traffic from 10.1.1.1 to 10.1.2.1
Deny all other traffic from subnet 10.1.1.0/24 to server 10.1.2.1
Permit all other traffic from the subnet to anywhere else
*Recall 100-199 = extended ACL
R1#conf t
R1(config)#access-list 100 permit tcp 10.1.1.1 0.0.0.0 host 10.1.2.1 eq 80 (or www)
R1(config)#access-list 100 deny ip 10.1.1.0 0.0.0.255 host 10.1.2.1
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any
R1(config)#int f0/0
R1(config-if)#ip access-group 100 in

==Extended ACL==========================================
10.1.1.1 <-> f0/0 R1 s0/0 <-> s0/0 R2 f0/0 <-> 10.1.2.1 server
Permit http and tftp traffic from subnet 10.1.1.0/24 to server 10.1.2.1
Deny all other traffic from subnet 10.1.1.0/24 to server 10.1.2.1
Permit all other traffic from the subnet to anywhere else
R1#conf t
R1(config)#access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.1 eq 80
R1(config)#access-list 101 permit udp 10.1.1.0 0.0.0.255 host 10.1.2.1 eq 69
OR R1(config)#access-list 101 permit udp 10.1.1.0 0.0.0.255 10.1.2.1 0.0.0.0 eq 69
R1(config)#access-list 101 deny ip 10.1.1.0 0.0.0.255 host 10.1.2.1
OR R1(config)#access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.1 0.0.0.0
R1(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 any
R1(config)#int f0/0
R1(config-if)#ip access-group 101 in

==Extended ACL==========================================
10.1.1.1 <-> f0/0 R1 s0/0 <-> s0/0 R2 f0/0 <-> 10.1.2.1 server
Permit http and tftp traffic from anywhere to server 10.1.2.1
Deny all other traffic to server 10.1.2.1
R2#conf t
R2(config)#access-list 102 permit tcp any (0.0.0.0 255.255.255.255) 10.1.2.1 0.0.0.0 eq 80
R2(config)#access-list 102 permit udp any 10.1.2.1 0.0.0.0 eq 69
R2(config)#access-list 102 deny ip any 10.1.2.1 0.0.0.0
R2(config)#int f0/0
R2(config-if)#ip access-group 102 out

==Edit individual line numbers on ACL==
> View ACL 102
R1#show access-list 102
10 permit...
20 permit...
30 deny...
> Remove 30
R1#conf t
R1(config)#ip access-list extended 102
R1(config-ext-nacl)#no 30
===================================================

Private address space (IANA Internet Assigned Numbers Authority)
/8 10.0.0.0 - 10.255.255.255
/12 172.16.0.0 - 172.31.255.255
/16 192.168.0.0 - 192.168.255.255
- Non-routable - ISP blocks and drops

NAT Network Address Translation
- IPv4 exhausted
- RFC1918 - Private addresses translated to public addresses to be used on the Internet
PAT Port Address Translation
- 1 public IP address used by 500 internal devices (overloading the address)
***3 types of NAT - Overloading:
1) Static NAT
- Permanent
- 1-1 mapping: private IP to public IP
2) Dynamic NAT
- Not permanent
- NAT translations are automatically created and torn down when not needed (the mapping is removed once communication ends), times out by itself
- A pool of public IP addresses is available for use internally by private IP addresses.
Router dynamically allocates public IP addresses (on as needed basis) 3) PAT - maps multiple private IP addresses to a single public IPv4 address - uses Port Numbers to differentiate between different translations - a.k.a NAT Overloaading (single IP address with multiple IP addresses) - it is a type of Dynamic NAT Inside Local - Our private IP address Inside Global - Our public IP address Outside Local - Destination private IP address Outside Global - Destination public IP address ==Static NAT Setup== R1 10.1.1.1 /24 <-> f0/0 10.1.1.2 /24 R2 f0/1 8.1.1.1 /24<-> 8.1.1.2 /24 R3 > Setup outside NAT R2#conf t R2(config)#int f0/1 R2(config-if)#ip nat outside > Setup inside NAT R2(config)#int f0/0 Pge p 7.txt R2(config-if)#ip nat inside R2(config-if)#end > Setup random address for this ex. R2(config)#ip nat inside source static 10.1.1.1 8.1.1.5 (Inside Global, Inside Local) ==Show NAT== R2#show ip nat translations ==Watch NAT in action== R3#ping 8.1.1.5 (5/5 successful pings!) **Reason this works is because R3 thinks 8.1.1.5 is real, but actually 8.1.1.5 is the inside translation for 10.1.1.1) Similarly... R3#telnet 8.1.1.5 (This Telnets to 10.1.1.1 and can be confirmed below. 
R1#conf t
R1(config)#line vty 0 5
R1(config-line)#login
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#enable secret cisco
**Use "enable secret", not "enable password": enable password is stored in cleartext (or reversible type 7 with service password-encryption), enable secret is stored as a hash. Telnet itself sends the login password in cleartext on the wire; on real gear allow only SSH on the vty lines ("transport input ssh") and use a non-trivial password.
==Dynamic NAT Setup==
R1 10.1.1.1 /24 <-> f0/0 10.1.1.2 /24 R2 f0/1 8.1.1.1 /24 <-> 8.1.1.2 /24 R3
> Setup outside NAT
R2#conf t
R2(config)#int f0/1
R2(config-if)#ip nat outside
> Setup inside NAT
R2(config-if)#int f0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
> Setup ACL and NAT pool
R2(config)#ip nat pool NAT-POOL 8.1.1.5 8.1.1.10 netmask 255.255.255.0
  (NAT-POOL = pool name; 8.1.1.5 8.1.1.10 = address range)
R2(config)#ip nat inside source list 1 pool NAT-POOL
R2(config)#access-list 1 permit 10.1.1.0 0.0.0.255
==Clear NAT translations==
R2#clear ip nat translation *
==PAT Setup (NAT Overloading)==
> Setup outside NAT
R2#conf t
R2(config)#int f0/1
R2(config-if)#ip nat outside
> Setup inside NAT
R2(config-if)#int f0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
> Setup PAT / NAT Overloading
R2(config)#access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload
**Static and dynamic NAT are not practical when your network has 100
devices. This is when NAT Overloading is beneficial
**PAT Port Address Translation differentiates the sessions by port number, hence the term Port Address Translation
**In the previous examples we translated to the router's own interface address; a separate public IP address (or pool) can be overloaded the same way
**TLDR: Static NAT, Dynamic NAT = every device that wants to send data out needs its own public IP address
**TLDR: Therefore PAT is more useful: NAT overloading uses 1 public IP address with a different source port (hence 'Port Address' translation) for each session from each private device
__________________________________________________________
===NAT Server Enable Server Simulations - Section447===
10.1.1.1 <-> f0/0 Router1 s0/0 <-> Internet
Static NAT so users on the Internet can access the web server 10.1.1.1 as follows:
- Create a NAT translation on the router for the server
- The inside global address is 192.168.1.2 (assume that this is a valid address)
- Configure the Serial interface as the outside interface
- Configure the FastEthernet interface as the inside interface
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip nat inside source static 10.1.1.1 192.168.1.2
Router1(config)# int s0/0
Router1(config-if)# ip nat outside
Router1(config-if)# int f0/0
Router1(config-if)# ip nat inside
===NAT Server Enable Server Simulations - Section448===
10.1.1.1 <-> f0/0 Router1 s0/0 <-> Internet
Static NAT so users on the Internet can access the web server 10.1.1.1 as follows:
- Create a NAT translation on the router for the server. The inside global address is 1.2.3.4
- Configure the Serial interface as the outside interface
- Configure the FastEthernet interface as the inside interface
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip nat inside source static 10.1.1.1 1.2.3.4
Router1(config)# int s0/0
Router1(config-if)# ip nat outside
Router1(config-if)# int f0/0
Router1(config-if)# ip nat inside
===NAT Simulations - Section449===
Server 10.1.1.0/24 <-> f0/0 Router1 s0/0 <-> Internet
Configure dynamic NAT using a pool on the router as follows:
Step 1: Create a NAT pool named "natpool" with address range 192.168.1.1 to 192.168.1.10 and netmask 255.255.255.240
Step 2: Bind access list 1 to the NAT pool
Step 3: Create access list 1 and permit network 10.1.1.0/24
Step 4: Configure interface Serial 0/0 as the outside interface
Step 5: Configure interface FastEthernet 0/0 as the inside interface
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip nat pool natpool 192.168.1.1 192.168.1.10 netmask 255.255.255.240
Router1(config)# ip nat inside source list 1 pool natpool
Router1(config)# access-list 1 permit 10.1.1.0 0.0.0.255
Router1(config)# int s0/0
Router1(config-if)# ip nat outside
Router1(config-if)# int f0/0
Router1(config-if)# ip nat inside
===NAT Simulations - Section450===
Server 10.1.1.0/24 <-> f0/0 Router1 s0/0 <-> Internet
Configure the router with PAT so that hosts in the 10.1.1.0/24 subnet can access the Internet:
Step 1: Create the PAT translation using the Serial 0/0 interface address
Step 2: Configure access list 1 to permit network 10.1.1.0/24
Step 3: Configure Serial 0/0 as the outside interface
Step 4: Configure FastEthernet 0/0 as the inside interface
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ip nat inside source list 1 interface serial 0/0 overload
Router1(config)# access-list 1 permit 10.1.1.0 0.0.0.255
Router1(config)# int s0/0
Router1(config-if)# ip nat outside
Router1(config-if)# int f0/0
Router1(config-if)# ip nat inside
__________________________________________________________
QOS Quality of Service
Converged Networks
- A single network for voice, data and video (previously each ran on its own network)
Quality issues in a converged network
1) Lack of bandwidth
- Maximum available bandwidth = the slowest link on the path
- Forward the most important packets first (voice before ftp)
2) End-to-end delay (A-to-B delay), made up of:
- Propagation delay - time for the signal to travel across the medium
- Processing delay - time for a device to take a packet from its input, make the forwarding decision, and move it to its output
- Queuing delay (can be influenced by prioritization) - time a packet waits in the output queue of a router
- Serialization delay - time it takes to physically clock the bits onto the wire
3) Variation of delay (jitter)
ex. Traffic arriving (A)(B)(C) is smooth; (A)(B)---(C) is jitter. Cisco has de-jitter buffers to smooth this out, similar to how videos are pre-buffered
4) Packet loss
- Tail drop: packets are dropped when the output queue is full
- WRED Weighted Random Early Detection: a minimum and a maximum queue threshold are configured; once the queue depth passes the minimum threshold, packets are randomly dropped with increasing probability (lower-priority traffic first) so that the queue does not fill up and tail-drop everything
Ways to reduce delay:
- Upgrade links
- Forward important packets first
- Compress payload / IP packet headers
- Guarantee enough bandwidth to delay-sensitive traffic
QOS requirements
Voice/Video: latency <= 150ms, jitter <= 30ms, loss <= 1%
Video bandwidth: +20% overhead (ex.
384kbps + 20% requires 460kbps)
QOS requirements classes/priority
Mission-critical apps > Transactional (chats, client-to-server transactions) > Best-Effort (internet, e-mail) > Less-than-best-effort (scavenger - facebook, youtube, bit torrent)
Implement QOS
1) CLI - no templates
2) Modular QoS CLI (MQC) - can create templates
3) AutoQoS - can create templates
3a) AutoQoS VoIP (voice ONLY) - does NOT look at traffic - routers & switches
3b) AutoQoS Enterprise (voice, video and data) - looks at traffic and also offers suggestions - routers ONLY
4) QoS Policy Manager (QPM) - centralized QoS management platform, enables network-wide QoS
3 models of QoS
1) Best effort - no QoS is applied to packets - scales, no guaranteed delivery
2) IntServ - applications signal to the network that they require special QoS - does not scale, guaranteed delivery (ex. "you bought a First Class ticket, you are guaranteed a seat in First Class")
3) DiffServ - disregards the application; the network recognizes classes of traffic that require special QoS - scales, no guaranteed delivery (ex.
"just because you want to be treated like First Class does not guarantee you will be treated like First Class")
**Real world, IntServ (mission-critical) and DiffServ (QoS) work together
**Real world, Best Effort is what the Internet uses
IP Phone startup process
1) (Phone) Obtains power
2) (Phone) Loads locally stored image with previous configuration
3) (Switch) Provides VLAN information via CDP / LLDP-MED
4) (Phone) Obtains IP address via DHCP
5) (Phone) Downloads firmware/configuration from TFTP
6) (Phone) Registers with CUCM
7) (Phone) Downloads softkey template
IP Phone POE
- Cisco pre-standard inline power = 6.3W
- 802.3af POE = 15.4W
- 802.3at POE+ = 30W
- POE detection: the switch applies a small DC voltage to the cable; if it sees the 25K Ohm detection resistance of a powered device, it supplies power
POE Classes
4 - >15.4W - 802.3at (POE+)
3 - 15.4W - full power (POE)
2 - 7W - medium power (POE)
1 - 4W - low power (POE)
0 - 15.4W - default/unclassified (POE)
==Show POE usage==
R1>en
R1#show power inline
==Change POE power==
**Normally left on auto; a specific power level is not configured by hand
R1#conf t
R1(config)#int f0/1/0
R1(config-if)#power inline auto [or never]
==See details==
R1#show cdp neighbor detail
**IP Phones use the enhanced LLDP-MED (Media Endpoint Discovery) instead of standard LLDP
==[Not Recommended - Old Configuration] Configure Data and Voice VLAN==
> Data VLAN 1 10.1.1.0/24
> Voice VLAN 2 10.1.2.0/24
> PC (VLAN 1) -> IP Phone (VLAN 2) -> Switch
**This method uses an 802.1q trunk between switch and IP Phone
uc500#conf t
uc500(config)#vlan 2
uc500(config-vlan)#name VV
uc500(config-vlan)#int range f0/1/1 - 3
uc500(config-if-range)#switchport trunk encapsulation dot1q
uc500(config-if-range)#switchport mode trunk
uc500(config-if-range)#switchport trunk native vlan 1   [default, untagged VLAN for the PC]
uc500(config-if-range)#switchport voice vlan 2
> All VLANs are allowed on this trunk at the moment; manually prune the trunk so that traffic from every VLAN is not sent through the IP Phone (older
IP phones will shut themselves down when they receive too much traffic)
uc500(config-if-range)#switchport trunk allowed vlan 1,2,1002-1005
==[Recommended - Multiple VLAN Access Ports] Configure Data and Voice VLAN==
> PC (VLAN 2) -> IP Phone (VLAN 2) -> Switch
**PC is also on VLAN 2 because it is one access port
**From the previous lecture an access port belongs to a single VLAN; the multi-VLAN access port is the exception to that rule
**This method uses 802.1p between switch and IP Phone: voice frames carry CoS (Class of Service) 5, so they get higher priority than the data traffic
**Advantages?
- Multi-VLAN access port is more secure than trunking to the phone (the port is not a trunk, so the PC side cannot tag its way into other VLANs)
- Voice VLAN ID can be discovered using CDP / LLDP-MED
- Scalable (allocate a separate subnet for PC and Phone)
- Easier to implement QoS, ACLs, security
- Minimizes cabling - a single port serves both PC and IP Phone
uc500#conf t
uc500(config)#vlan 2
uc500(config-vlan)#name VV
uc500(config-vlan)#int range f0/1/1-3
uc500(config-if-range)#switchport mode access
uc500(config-if-range)#switchport voice vlan dot1p
uc500(config-if-range)#switchport access vlan 2
802.1Q Frame
(Dest)(Src)(Tag)(Len/Etype)(Data)(FCS)
- Inserts a 4-byte tag (TPID, PRI, CFI, VLAN ID)
> PRI field is 3 bits (values 0-7); the higher the value, the higher the priority.
**Voice has PRI = 101 binary = 5
**In dot1p mode voice frames are tagged with VLAN ID 0 (priority tag only) even though the port's VLAN is 2
IP Phone - obtain IP address
- Obtains 2 parameters from the DHCP server: Option 3 = default router/gateway and Option 150 = TFTP server
=======================IP Phone - Start=======================
CUCM Cisco Unified Communications Manager
DHCP
*Not recommended as the DHCP server - better to use an external DHCP server (no scalability/redundancy)
- Designed to provide DHCP to IP Phones ONLY (up to 1000)
(famous webpage) https://10.2.1.1/ccmadmin/showHome.do
> Option 150: TFTP IPv4 address is the host IPv4 address
IP Phone - obtain configuration file
1) From the TFTP server (SEP<deviceMACAddress>.cnf.xml)
2) If (1) is unavailable, attempts to download XMLDefault.cnf.xml, which contains the firmware load and points to the CUCM servers
SCCP Skinny Call Control Protocol
- Cisco proprietary terminal control protocol
*Client-server protocol
- Stimulus protocol - on every event, the end device sends a message to CUCM
- CUCM controls the IP phone
SCCP TLDR - whatever the phone wants to do, it asks CUCM and CUCM tells it to do it
1) Phone -> CUCM (SCCP): CUCM says sure, do that
2) CUCM -> Phone: the phone does it
~The RTP media stream is direct between the 2 phones (bypasses CUCM)
Session Initiation Protocol (SIP)
- Open standard (compared to SCCP)
*Peer-to-peer protocol
- Fewer Cisco-specific features, because it is not Cisco proprietary
uc500
- A router, switch, firewall and voice mail system in a single device
uc500 commands
uc500#show version
uc500#show voice port summary
=======================IP Phone - End=======================
EIGRP Enhanced Interior Gateway Routing Protocol
**Best route based on: bandwidth, load, delay, reliability
- Used for exchanging routes between routers
- Cisco proprietary (industry standard: OSPF); later published openly as RFC 7868
- Classless (subnet mask included with each route)
- Supports discontiguous networks, but only once auto-summarization (enabled by default on older IOS) is turned off
- Runs directly on top of IP (Layer 3) as IP protocol 88 (not a TCP/UDP port)
- Uses RTP Reliable Transport Protocol for its own reliable delivery because it sits below Layer 4 (NOT the Realtime Transport Protocol used by VoIP)
- Advanced distance vector protocol
- Uses link-local
multicast 224.0.0.10 and unicast, not broadcast (IGRP used broadcast)
- Features: Hybrid - takes the best principles from link-state and distance-vector routing protocols
- Features: loop-free classless routing via DUAL Diffusing Update Algorithm (OSPF uses the SPF algorithm)
- Features: partial updates sent to existing neighbours, full updates only to new neighbours (RIP sends its entire routing table every 30 seconds, OSPF re-floods its database every 30 minutes)
- Features: load balancing across equal and unequal cost paths (ex. 10 packets on a 10mbps link and 2 packets on a 2mbps link) - can make use of slower links
- Features: rapid convergence - backup routes (Feasible Successors) are pre-calculated
> The backup route is installed in the routing table immediately when the best route (Successor) is lost
> In RIP, when the best route is lost the backup is calculated at that point; in EIGRP it was pre-calculated
EIGRP Packet Types
> Hello: establishes neighbor relationships on multicast 224.0.0.10 (optionally authenticated with MD5)
- Hold timer: determines whether a neighbor has failed
> Update: sends routing updates
> Query: asks neighbors for routing information
> Reply: responds to a Query
> ACK: acknowledges a reliable packet
EIGRP Autonomous System #
- Must be the same AS to form a neighbor relationship and exchange routes
- Metric weights must match (K values)
EIGRP K values
**K values weight the composite metric that selects the best path to a destination
- Values from 0 - 255
K1 = Bandwidth modifier
K2 = Load modifier
K3 = Delay modifier
K4 = Reliability modifier
K5 = Additional reliability modifier
EIGRP Metrics
**Metric weights must match between neighbors; K values are weights (0-255), not metrics themselves
- 5 K values in total (K1-K5), but by default only 2 are non-zero:
K1 = Bandwidth (default = 1) > slowest bandwidth between source and destination
K2 = Load (0) [not used by default]
K3 = Delay (1) > cumulative interface delay from this router to the destination network, in tens of microseconds
K4 = Reliability (0) [not
used]
~K5 = Additional reliability modifier (0)
- Also carried in updates: MTU Maximum Transmission Unit, hop count
**Load and reliability are still in EIGRP because they were used by IGRP and were kept during the migration
***Composite Metric Formula (full form, all K values):
Metric = 256 * ([K1*bandwidth + (K2*bandwidth)/(256-load) + K3*delay] * [K5/(reliability+K4)])
  (the [K5/(reliability+K4)] factor is only applied when K5 != 0)
***With default K values (K1=K3=1, K2=K4=K5=0) this reduces to:
Metric = 256 * (bandwidth + delay)
  bandwidth = 10^7 / (slowest link bandwidth along the path, in kbps)
  delay = sum of the interface delays along the path, in tens of microseconds
MTU
- Maximum amount of data that can be carried in a single packet over a physical medium
- MTU is exchanged in EIGRP packets but is NOT part of the composite metric and is not used as a tie breaker
Hop count
- Default maximum 100, configurable up to 255 (metric maximum-hops)
- Used to limit the diameter of an EIGRP AS
EIGRP TLDR
1) EIGRP routers send "hello" by default on multicast 224.0.0.10
2) EIGRP routers listen for "hello" on interfaces with EIGRP enabled
3) Once a "hello" is received, that neighbour is added to the EIGRP neighbor table
4) The topology table is populated from the updates learned from EIGRP neighbours, along with the interface each was learned on
5) The EIGRP topology table contains not only the best routes but all routes learned (successor routes, feasible successor routes, their distances)
6) EIGRP uses the composite metric to determine the best routes, and installs those best routes (successor routes) in the IP routing table
==Show EIGRP==
R1#show ip protocols
R1#show ip eigrp topology x.x.x.x 255.255.255.255
==Setup EIGRP==
> Do this on both routers, then they will form a neighbor relationship R1 <-> R2
R1#conf t
R1(config)#router eigrp 100   (100 is the AS)
R1(config-router)#network 10.0.0.0
[Optional - change K values; must match on every neighbor]
R1(config-router)#metric weights 0 1 0 1 0 0   (TOS K1 K2 K3 K4 K5)
R2#conf t
R2(config)#router eigrp 100   (100 is the AS)
R2(config-router)#network 10.0.0.0
[Optional - enable EIGRP on all interfaces]
R2(config-router)#network 0.0.0.0 255.255.255.255
==Change Bandwidth/Delay==
R1(config)#int s0/1
R1(config-if)#bandwidth 64   (kbps)
R1(config-if)#delay 1000   (tens of microseconds)
==Show EIGRP==
> Shows the neighboring devices with EIGRP enabled along with
the interface they were learned on
R1#show ip eigrp neighbors
> Shows the topology
R1#show ip eigrp topology
**P 2.0.0.0/8 .......... FD is 40640000 ....................... via x.x.x.x (40640000/128256), Serial1/0
> To get to 2.0.0.0, the Feasible Distance (total cost from this router) is 40640000
> Advertised distance: 128256 (R2's own cost to 2.0.0.0, as advertised from Router 2 to Router 1)
> Total cost (feasible distance) = advertised distance + cost of the link to R2
EIGRP DUAL Algorithm
- Selects lowest-cost, loop-free paths to each destination
- AD Advertised Distance (a.k.a. Reported Distance): cost from the next-hop router to the destination (the EIGRP neighbour's own cost to reach the destination)
- FD Feasible Distance: cost from the local router = AD + cost between the local router and the next-hop router
R1 <-> R2 <-> R3
**The FD at R1 for R3 = distance R2->R3 (the AD) + distance R1->R2
EIGRP DUAL Algorithm..
***No recalculation needed: the Feasible Successor is ready for when the Successor goes down
- Successor = main route (lowest FD)
- Feasible Successor = backup route; chosen only if the alternative route's AD is lower than the Successor's FD (the feasibility condition, which is what guarantees the backup is loop-free)
ex. Paths to the same destination via three neighbours:
R4: FD = 25 (Successor)
R2: FD = 35 (AD = 15)
R5: FD = 50 (AD = 30)
> Since R2's AD (15) is lower than the Successor's FD (25), R2 can become the Feasible Successor. R5 cannot, because its AD (30) > 25.
**When R4 goes down, R2 immediately becomes the Successor route
ex. Becomes...
R2: FD = 35 (AD = 15) (Successor)
R5: FD = 50 (AD = 30); since 30 < 35, R5 now becomes the Feasible Successor
**If no path's AD is lower than the Successor's FD there is no Feasible Successor (DUAL must query the neighbours to find a new successor) and the path is hidden from "R1#show ip eigrp topology"; use "R1#show ip eigrp topology all-links" to see it
**Recall: K values and AS number MUST MATCH
EIGRP Load Balancing
- Supports both equal and unequal cost load balancing
- Default "variance 1": equal-cost load balancing only, across up to 4 routes with the minimum metric
- Supports up to 16 routes using the 'maximum-paths' command
EIGRP Unequal Load Balancing
- Variance must be changed from its default of 1 to use unequal cost load balancing
- Variance is a multiplier: the Successor's (smallest) FD is multiplied by the variance
*2 conditions must be met for an alternate path to be used:
1) The path must be a Feasible Successor (its AD < the Successor's FD)
2) The path's FD < Successor's FD * variance
EIGRP auto summarization
- EIGRP is a classless protocol, but by default auto summarization is turned on - it is best to turn this off immediately
ex. R1 (10.1.1.0/24 on f0/0) <-> R2 (receives 10.0.0.0/8 on both f0/0 and f0/1) <-> R3 (10.1.2.0/24 on f0/1)
With auto-summary on, R1 and R3 each advertise the classful summary 10.0.0.0/8, so R2 holds two equal-cost routes to 10.0.0.0/8 and load balances between R1 and R3. R1 pings R3 (an address in 10.1.2.0/24) and the following happens:
> result: .!.!.
R1 -> R2 -> R1   (.)
R1 -> R2 -> R3   (!)
R1 -> R2 -> R1   (.)
R1 -> R2 -> R3   (!)
R1 -> R2 -> R1   (.)
***This happens because although 10.1.1.0 is advertised as a /24, its classful (class A) network 10.0.0.0 is a /8
- After auto-summary is turned off, the routes look as follows...
> R2 now sees 10.1.1.0/24 via f0/0 and 10.1.2.0/24 via f0/1
- Note: after no auto-summary, the Null0 routes and the summarized routes are also removed
==Turn off EIGRP Auto-summary==
R1#conf t
R1(config)#router eigrp 100
R1(config-router)#no auto-summary
EIGRP MD5 authentication
- Classic EIGRP supports ONLY MD5 hashing
- Hashes an arbitrary-length input into a 128-bit value
- Every EIGRP packet sent and received carries the hash so the neighbor can verify it
- Each participating neighbor must have the same key ID and key string
- Key chains are a generic IOS feature (RIPv2 authentication uses them too); the interface must specify which key chain EIGRP uses
- Caveat: this only proves the neighbor knows the shared key. It does not encrypt the updates, and the key string sits in the running config in a readable form, so protect config backups and "show run" output
==Setup key ID & key string==
R1#conf t
R1(config)#key chain nameOfKeyGroup   (name of key chain)
R1(config-keychain)#key numericValue   (key ID)
R1(config-keychain-key)#key-string stringValue   (key string)
==Apply the key chain to EIGRP==
> R1 s1/0 <-> s1/0 R2
R1(config-keychain-key)#int s1/0
R1(config-if)#ip authentication mode eigrp 100 md5
R1(config-if)#ip authentication key-chain eigrp 100 nameOfKeyGroup
R2#conf t
R2(config)#key chain nameOfKeyGroupDoesNotNeedToMatchHere   (the key chain name is local; only key ID and key string must match)
R2(config-keychain)#key numericValue   (key ID)
R2(config-keychain-key)#key-string stringValue   (key string)
R2(config-keychain-key)#int s1/0
R2(config-if)#ip authentication mode eigrp 100 md5
R2(config-if)#ip authentication key-chain eigrp 100 nameOfKeyGroupDoesNotNeedToMatchHere
==Show key chain==
R1#show key chain
For EIGRP to work:
- EIGRP neighbors must be on a common subnet
- Neighbor K values must be equal
- Neighbor AS numbers must be equal
- Note: an access list can block EIGRP (IP protocol 88 / multicast 224.0.0.10)
==See EIGRP info==
R1#show ip protocols
R1#show ip eigrp interfaces
_______________________________________________________
===EIGRP Simulations - Section485===
Enable EIGRP in AS 100
Advertise all networks using the classful mask
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router eigrp 100
Router1(config-router)# network 10.0.0.0
Router2> en
Router2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# router eigrp 100
Router2(config-router)# network 10.0.0.0
_______________________________________________________
===EIGRP Simulations - Section486===
Enable EIGRP in AS 100
- Advertise FastEthernet 0/0 (192.168.1.1/28) in EIGRP using the exact network mask
- Advertise the Serial 0/0 interface (10.1.1.1/24) using the exact network mask
- Advertise Loopback 0 (172.16.1.1/32) in EIGRP using the exact network mask
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router eigrp 100
Router1(config-router)# network 192.168.1.0 0.0.0.15
Router1(config-router)# network 10.1.1.0 0.0.0.255
Router1(config-router)# network 172.16.1.1 0.0.0.0
_______________________________________________________
===EIGRP Simulations - Section487===
Enable EIGRP in AS 100 on Router1. Router2 has already been configured
Router1's Ethernet IP address is 10.1.1.1/24
Router1's Serial 0/1 IP address is the first usable address in the subnet 192.168.168.184/30 in the diagram (i.e. 192.168.168.185)
Use IP address masks to advertise both networks (use /32 wildcard masks)
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router eigrp 100
Router1(config-router)# network 10.1.1.1 0.0.0.0
Router1(config-router)# network 192.168.168.185 0.0.0.0
_______________________________________________________
===EIGRP Simulations - Section488===
Enable EIGRP in AS 100 with as few commands as possible to get a fully functioning network, but without using network 0.0.0.0
Start with Ethernet 0 (192.168.1.1/28), then Loopback 0 (172.16.1.1/32) and then Serial 0 (10.1.1.1/24)
Make sure that EIGRP advertises routes correctly (Hint: VLSM)
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router eigrp 100
Router1(config-router)# network 192.168.1.1 0.0.0.15
Router1(config-router)# network 172.16.0.0
Router1(config-router)# network 10.0.0.0
Router1(config-router)# no auto-summary
_______________________________________________________
==Configure Gateway/default route==
R1#conf t
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
==Redistribute/External EIGRP==
> Advertise this default route to EIGRP neighbors
R1(config)#router eigrp 100
R1(config-router)#redistribute static metric 10000 100 255 1 1500
  (seed metric: bandwidth in kbps, delay in tens of microseconds, reliability, load, MTU)
**Without redistribution all routes are Internal EIGRP (administrative distance 90); the redistributed Gateway of Last Resort shows up as External EIGRP (administrative distance 170)
==NAT setup==
f0/0 R1 f0/1 <-> Cloud
R1#conf t
R1(config)#int f0/1
R1(config-if)#ip nat outside
R1(config-if)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
==PAT / NAT Overload Access List setup==
> Permit all devices on the 10 network
R1(config)#ip nat inside source list 1 interface f0/1 overload
R1(config)#access-list 1 permit 10.0.0.0 0.255.255.255
==Enable DNS==
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
_______________________________________________________
OSPF Open Shortest Path First
- Open standard: can mix routers from different vendors
- Dijkstra algorithm used to determine the best route to each destination
- Link state routing protocol
> Link: a router interface
> State: description of the interface and its relationship to neighboring routers
- Collection of link states = topological database / link state database (LSDB)
- Forms neighbors by sending Hellos to multicast 224.0.0.5 (or unicast on some network types)
- Runs directly on IP (Layer 3) as IP protocol 89, not over TCP (6) or UDP (17)
- By default every LSA is re-flooded (refreshed) every 30 minutes
OSPF Tables
1) OSPF Neighbor Table (Adjacency Table) - list of neighbors
==Show Table==
R1#show ip ospf neighbor
2) OSPF Topology Database (LSDB Link State Database)
- LSDB contains all routers and attached links in the area/network
- All OSPF routers in the same
area share the same database
3) IP Routing Table (Forwarding Table)
- Best routes are placed here
OSPF Packet Types
1) Hello
- Dynamically discovers neighbors, forms and maintains those neighbor relationships
- Hello interval: Ethernet/broadcast (10 seconds)
- Hello interval: Serial NBMA Non-Broadcast Multi-Access (30 seconds)
- Dead timer: if no Hello is received within the dead interval, the adjacency is torn down -> 4 times the Hello interval by default
2) DD/DBD Database Description
- Brief summary of the LSAs Link State Advertisements in the sender's database
3) LSR Link State Request
- If the DD/DBD lists information the receiver is missing, it requests the FULL LSA
4) LSU Link State Update
- Contains the FULL LSAs, in response to an LSR (also used for flooding)
5) LSAck Link State Acknowledgement
- Confirms receipt of an LSU
OSPF Hierarchy (Areas)
- The OSPF network is its own AS
- A large OSPF network is broken up into Areas (Area 0 is the backbone - all inter-area traffic traverses the backbone)
**Both ends of a link must be in the same Area
- Cisco recommends no more than about 50 routers in a single Area
- Areas are useful for limiting LSA flooding by breaking the network up into multiple areas
- Routers that border the backbone area and another area are ABRs Area Border Routers
- ABRs are also backbone routers
- Routers that border 2 routing domains (same or different routing protocols, ex. RIP and EIGRP) are called ASBRs Autonomous System Border Routers
OSPF ABR
- BENEFIT: summarization of routes
ex. Area 1: 10.1.1.0/24 - 10.1.100.0/24, the ABR can summarize the routes as 10.1.0.0/16
ex.
Area 1: 10.2.1.0/24 - 10.2.100.0/24, the ABR can summarize the routes as 10.2.0.0/16
OSPF Router ID
- Chosen based on (in order):
1) Manual configuration (router-id)
2) Highest loopback interface IP address (loopbacks never go down)
3) Highest IP address on an active physical interface
==OSPF process==
*****The process number in "router ospf 1" is local to the router; it does not need to match other routers
R1#conf t
R1(config)#router ospf 1
==Refresh OSPF Router ID (ex. after an address higher than the current Router ID has been added)==
R1(config)#no router ospf 1
R1(config)#router ospf 1
==Manual OSPF Router ID==
R1(config)#router ospf 1
R1(config-router)#router-id 192.168.1.1   (arbitrary, but must be unique in the OSPF domain)
==Setup OSPF Network==
> This step is needed, otherwise OSPF will not run on any interface
R1(config-router)#network 10.1.1.0 0.0.0.255 area 0
==Show OSPF info==
R1#show ip ospf interface
R1#show ip ospf interface brief
R1#show ip ospf neighbor
R1#show ip ospf database
==Enable OSPF directly on an interface (alternative to the network command)==
R1(config)#int g0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#ip ospf 1 area 0
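The Dijkstra/SPF behaviour, the cost formula and the Router ID selection order described above, as an added Python example (not part of the original notes and not Cisco code): it builds a small link-state database by hand, converts interface bandwidths to OSPF costs with the reference-bandwidth formula, runs SPF from one router and keeps equal-cost next hops the way OSPF does (ECMP). The topology, bandwidths and addresses are constructed for the example.

```python
import heapq
from collections import defaultdict

# Cisco default reference bandwidth: 100 Mbps ("auto-cost reference-bandwidth 100").
REF_BW_BPS = 100_000_000


def ospf_cost(bandwidth_bps, ref_bw_bps=REF_BW_BPS):
    """Interface cost = reference bandwidth / interface bandwidth, rounded down, minimum 1.
    With the default reference, anything >= 100 Mbps collapses to cost 1."""
    return max(1, ref_bw_bps // bandwidth_bps)


def select_router_id(manual=None, loopbacks=(), physical=()):
    """Router ID order: manual router-id, else highest loopback, else highest physical address."""
    def as_tuple(addr):
        return tuple(int(octet) for octet in addr.split("."))
    if manual:
        return manual
    if loopbacks:
        return max(loopbacks, key=as_tuple)
    if physical:
        return max(physical, key=as_tuple)
    raise ValueError("no usable address for the Router ID")


# Constructed LSDB: (router, neighbour, outgoing interface bandwidth in bps).
# Cost is charged on the sender's outgoing interface, so each direction is
# listed separately, like the links in a Type 1 Router LSA.
LSDB = [
    ("R1", "R2", 100_000_000), ("R2", "R1", 100_000_000),  # FastEthernet, cost 1
    ("R1", "R3", 100_000_000), ("R3", "R1", 100_000_000),  # FastEthernet, cost 1
    ("R2", "R4", 100_000_000), ("R4", "R2", 100_000_000),  # FastEthernet, cost 1
    ("R3", "R4", 100_000_000), ("R4", "R3", 100_000_000),  # FastEthernet, cost 1
    ("R1", "R5", 1_544_000),   ("R5", "R1", 1_544_000),    # T1 serial, cost 64
    ("R5", "R4", 10_000_000),  ("R4", "R5", 10_000_000),   # Ethernet, cost 10
]


def build_graph(lsdb, ref_bw_bps=REF_BW_BPS):
    """Adjacency list {router: [(neighbour, cost), ...]} from the LSDB."""
    graph = defaultdict(list)
    for router, neighbour, bandwidth in lsdb:
        graph[router].append((neighbour, ospf_cost(bandwidth, ref_bw_bps)))
    return graph


def spf(graph, root):
    """Dijkstra from root. Returns {dest: (cost, [next_hop, ...])}.
    More than one next hop means equal-cost paths, which OSPF installs as ECMP."""
    dist = {root: 0}
    next_hops = {root: []}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in graph[u]:
            nd = d + cost
            # The next hop toward v is v itself if we are at the root, else inherited from u.
            hops = [v] if u == root else next_hops[u]
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                next_hops[v] = list(hops)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                for hop in hops:  # equal cost: keep every distinct next hop
                    if hop not in next_hops[v]:
                        next_hops[v].append(hop)
    return {dest: (dist[dest], sorted(next_hops[dest])) for dest in dist}


def routing_table(lsdb, root, ref_bw_bps=REF_BW_BPS):
    """Best cost and next hop(s) from root to every router in the LSDB."""
    return spf(build_graph(lsdb, ref_bw_bps), root)


if __name__ == "__main__":
    for dest, (cost, hops) in sorted(routing_table(LSDB, "R1").items()):
        print(f"R1 -> {dest}: cost {cost} via {hops or 'self'}")
```

From R1, R4 is reachable at cost 2 via both R2 and R3 (ECMP), and R5 is cheaper through R4 (cost 12) than over the direct T1 (cost 64). The `max(1, ...)` in `ospf_cost` is why GigabitEthernet and FastEthernet look identical to SPF with the default reference; if you raise the reference bandwidth, do it on every router, otherwise routers compute different trees for the same LSDB.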
==Configure OSPF timers==
> The network type sets the default Hello/Dead timers (broadcast = 10/40s, non-broadcast = 30/120s); if a link came up as non-broadcast, setting it to broadcast changes the timers with it
R1(config)#int g0/0
R1(config-if)#ip ospf network broadcast
> Timers can also be set directly (both neighbors must match):
R1(config-if)#ip ospf hello-interval 10
R1(config-if)#ip ospf dead-interval 40
OSPF Hello Packet
> Must match on both neighbors:
1) Hello and Dead intervals
2) Area ID
3) Authentication password/key
4) Stub area flag
OSPF DR Designated Router
- Criteria for DR: chosen based on highest priority
*Priority is 0-255 (0 excludes the router from ever being DR/BDR); default = 1
- DR and BDR listen on multicast 224.0.0.6 (AllDRouters)
- All OSPF routers listen on 224.0.0.5 (AllSPFRouters)
OSPF DR Process
R1 (DR) <-> R2 (BDR Backup DR) <-> R3,4,5,6 (DROthers)
1) A DROther (ex. R3) sees a link change and sends the update to 224.0.0.6, so only the DR (R1) and BDR (R2) receive it
2) The DR (R1) floods the update to 224.0.0.5, which every OSPF router on the segment listens to
3) All active OSPF routers on the segment now know the network has changed
**Without a DR every router on a multi-access segment would form a full adjacency with every other router and flood updates to each of them; the DR saves that duplicated update traffic
**Only the DR and BDR have full adjacencies with all OSPF routers on the segment
**Every ethernet segment elects and maintains its own DR/BDR (10.1.1.0/24 and 10.1.2.0/24 are two different elections)
***DR election is not preemptive (ex. if R2 (priority 10) goes down, R5 (priority 5) becomes DR and R3 becomes BDR; when R2 comes back online it does not become DR again even though it has the highest priority, because a DR already exists. R2 becomes a DROther (DR Other); no new election is held)
OSPF SPF Algorithm
- Default reference bandwidth = 100mbps (cost of 1)
- Cost = 10^8 / bandwidth in bps
(Note: 10Mbps = 10,000,000bps, so cost of 10Mbps = 100,000,000 / 10,000,000 = 10)
(Note: 1.544Mbps T1 = 1,544,000bps, cost = 100,000,000 / 1,544,000 = 64, rounded down)
(Note: with the default reference, anything faster than 100Mbps also gets cost 1, so GigabitEthernet and FastEthernet look the same to SPF unless the reference bandwidth is raised, consistently, on every router)
==Change reference bandwidth==
R1(config)#router ospf 1
R1(config-router)#auto-cost reference-bandwidth X   (X in Mbps, ex. 10000 for 10Gbps)
==Change cost of an interface==
R1(config-if)#ip ospf cost X
OSPF stub / nssa
- stub area: the ABR does not flood external (Type 5) routes into the area and injects a default route instead
- nssa not-so-stubby area: like a stub area, but it may contain its own ASBR; its external routes enter as Type 7 LSAs and the ABR converts them to Type 5 for the rest of the domain
- stub and nssa are used to reduce the number of routes in the routing tables of routers inside the area
Note: "Initial SPF schedule delay 5000 msecs" - when a network goes down or a new network is added, OSPF waits 5 seconds for the topology to stabilize before running SPF again
*****
==Total OSPF setup==
R1#conf t
R1(config)#interface f0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#interface f0/1
R1(config-if)#ip address 10.1.2.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#router ospf 1
R1(config-router)#network 10.1.1.1 0.0.0.0 area 0
R1(config-router)#network 10.1.2.1 0.0.0.0 area 0
R1(config-router)#interface loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0
> OR enable OSPF on all interfaces: R1(config-router)#network 0.0.0.0 255.255.255.255 area 0
*Routers connected directly to each other (usually via Serial) are Point-to-Point.
**Point-to-Point links do not hold a DR election
***Even if the loopback's network is not advertised in OSPF, the loopback address becomes the Router ID
==Optional: Change Router ID manually==
R1(config-router)#router-id 1.1.1.1
R1(config-router)#end
R1#clear ip ospf process
OSPF Network Type
- Broadcast = fastEthernet
- Point-to-Point = Serial
OSPF Link Count (in the Type 1 Router LSA)
- 2 = Serial (point-to-point: 1 for the link to the neighbor, 1 for the stub network/subnet on it)
- 1 = fastEthernet
- 1 = loopback
ex. router with 2x serial interfaces, 1 fastEthernet and 1 loopback = Link Count of 6
OSPF Link Count ex.
R1 10.1.2.1 255.255.255.0 <-> R2 2.2.2.2 1) Point-to-Point (Link connecting to neighboring router) Link ID: 2.2.2.2 Link Data: 10.1.2.1 2) Stub Network (Actual subnet on point-to-point link) Link ID: 10.1.2.0 Link Data: 255.255.255.0 OSPF States Full - Between DR and BDR 2WAY - Between DROTHER DR Other **DR and BDR relations do not take place on Serial links ***DR, BDR or DROtherare elected per segment basis (only on multiaccess links), not per router. I.e. if R1 has g0/0 and g0/1, one can be DR and the other can be BDR OSPF DR Election Process 1) Hello packets are exchanged via IP multicast packets on each segment 2) Router with highest OSPF priority on a segment becomes the DR Pge p 8.txt (default OSPF priority = 1, do not elect = 0) 3) Process repeats for BDR 4) In case of tie, router with highest RID will win 5) Priority of 0 will become the DROTHER **OSPF DR Election Priority 1) Highest priority 2) Highest router ID **Router ID is not based on the interface's IP address, but on the highest IP address on the Router **Router ID must be UNIQUE 3) Highest Loopback IP address 4) Highest configured physical interface address ~Turning an expensive router into a PC - Default gateway is set, therefore "no ip rout" was used ==Turn on logging== R1(config)#logging console ==Turn on logging (telnet/ssh)== R1(config)#term mon ***Router Types - ABR Area Border Router - separate routers with different areas, always touch Backbone - ASBR Autonomous System Border Router - seperates routers with different routing protocols (between EIRP and OSPF) - Internal Router - does not touch other routers ==Convert EIGRP to OSPF (ABR Area Border Router)== > Recall: EIGRP uses Bandwidth and Delay to determine best route > Recall: OSPF only understands Bandwidth, therefore, we need to specify a seed metric R1(config)#router eigrp 100 R1(config-router)#network 10.1.1.2 0.0.0.0 > Advertising OSPF in EIGRP R1(config-router)#router ospf 1 R1(config-router)#network 10.1.2.1 0.0.0.0 area 1 > 
> Advertising EIGRP in OSPF
R1(config-router)#redistribute eigrp 100
> The reverse direction (OSPF into EIGRP) is entered under router eigrp 100, with the seed metric
R1(config-router)#redistribute ospf 1 metric 10000 1000 255 1 1500 [memorize this]
EIGRP1 <-> OSPF1 (Area 1) <-> OSPF2 (Area 0) <-> OSPF3 (Area 0)
**OSPF3#show ip route
> OSPF2 is an "Intra-area OSPF Route" (same area)
> OSPF1 is an "Inter-area OSPF Route" (different area)
> EIGRP1 is an "External route" (different routing protocol)
LSA Link State Advertisement
1) Router LSA (Type 1) - Router ID of directly connected routers
2) Net LSA (Type 2) - Router ID of intra-area routers
3) Summary Net LSA (Type 3) - Router ID of inter-area routers
4) Summary ASB Autonomous System Border Router (Type 4) - Router ID of ABRs Area Border Routers
5) Type 5 LSA - Router ID of external LSA
**OSPF Areas must border/touch Area 0 (Backbone)
**All areas must be adjacent to Area 0
Area 1 <-> Area 0 <-> Area 2 (GOOD)
Area 1 <-> Area 0 <-> Area 1 (GOOD)
Area 1 <-> Area 2 <-> Area 0 (BAD: Area 1 is not bordering Area 0 - Area 1 must attach to Area 0 via a Virtual Link/Tunnel)
==Create Virtual Link/Tunnel==
**Virtual Links must use the Router ID (not the IP Address)
**Virtual Links are labelled "DNA" Do Not Age
**No election takes place on Virtual Links
R3 Area 0 (Router ID = 3.3.3.3) <-> Area 1 <-> R5 Area 2 (Router ID = 5.5.5.5)
R3(config)#router ospf 1
> Area 1 is the Area we are traversing
R3(config-router)#area 1 virtual-link 5.5.5.5
> From R5
R5(config)#router ospf 1
R5(config-router)#area 1 virtual-link 3.3.3.3
==Display ip routing protocols==
R1>en
R1#show ip proto
==Display the routing table==
R1#show ip route
==Display OSPF errors in real time==
R1#debug ip ospf events
==Display OSPF neighbors==
R1#show ip ospf neigh
==Display OSPF interfaces==
R1#show ip ospf int
==Display OSPF everything==
R1#show ip ospf database
_______________________________________________________
==OSPF Simulations - Section514==
Enable OSPF using process number 1
Advertise network 10.0.0/8 in area 0 using a classful mask
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# network 10.0.0.0 0.255.255.255 area 0
_______________________________________________________
==OSPF Simulations - Section515==
Enable OSPF with process number 1
An IP address of 192.168.1.1/28 is configured on Ethernet 0. Advertise this network in OSPF area 0 using an exact network mask.
172.16.1.1/32 is configured on loopback 0. Advertise the loopback in area 1 using an exact network mask.
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# network 192.168.1.0 0.0.0.15 area 0
Router1(config-router)# network 172.16.1.1 0.0.0.0 area 1
_______________________________________________________
==OSPF Simulations - Section516==
Enable OSPF with process number 1
Router1's Ethernet IP address is 10.1.1.1/24
Router1's Serial 0/1 IP address is the first in the subnet in the diagram
Use host masks (/32) to add both interfaces to area 0
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# network 10.1.1.1 0.0.0.0 area 0
Router1(config-router)# network 192.168.168.185 0.0.0.0 area 0
_______________________________________________________
==OSPF Simulations - Section517==
Enable OSPF on the routers with process id 1
Start with E0, then S0, then loop 0 and advertise each network using exact network masks
Inject a default route into the network on R1
Ethernet 0: 192.168.1.1/28 (Area 1)
Serial 0: 10.1.1.1/30 (Area 0)
Loopback 0: 172.16.1.1/32 (Area 0)
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# network 192.168.1.0 0.0.0.15 area 1
Router1(config-router)# network 10.1.1.0 0.0.0.3 area 0
Router1(config-router)# network 172.16.1.1 0.0.0.0 area 0
Router1(config-router)# default-information originate
_______________________________________________________
==OSPF Simulations - Section519==
Enable OSPF with process number 1. Put interfaces into OSPF using a host mask (/32)
Router is configured with the first IP address in the same subnet as host 10.185.185.255/25
Router is configured with the last IP address in the same subnet as host 172.16.195.195/23
Router is configured with the first IP address in the same subnet as 192.168.168.168/27
> Binary scratch work (bit values 128 64 32 16 8 4 2 1, X = bit not set):
172.16.195.195 /23: 195 = 128 + 64 + X + X + X + 4 + X + 1 | 195
192.168.168.168 /27: 168 = 128 + X + 32 + X + 8 + X + X + X = 1 0 1 0 1 0 0 0 | 160
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# network 10.185.185.129 0.0.0.0 area 0
Router1(config-router)# network 172.16.195.254 0.0.0.0 area 0
Router1(config-router)# network 192.168.168.161 0.0.0.0 area 0
_______________________________________________________
***
==OSPF Simulations - Section523==
Configure plain text OSPF authentication on the FastEthernet 0/0 interface of Router 1
Use a password of cisco
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# int f0/0
Router1(config-if)# ip ospf authentication
Router1(config-if)# ip ospf authentication-key cisco
_______________________________________________________
***
==OSPF Simulations - Section527==
Configure OSPF with process id 1
Configure OSPF to load balance over 10 equal paths
Configure the OSPF cost of FastEthernet 0/0 to 100
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# router ospf 1
Router1(config-router)# maximum-paths 10
Router1(config-router)# int f0/0
Router1(config-if)# ip ospf cost 100
_______________________________________________________
IPv6 vs IPv4
- IPv6 128 bit, 3.4x10^38 addresses
- IPv4 32 bit, 4.3million addresses
- All OSI layers stay the same
- IPv6 can have multiple primary IP addresses
- IPv4 can only have 1 primary IP address
IPv6 addresses
- Not case-sensitive
- Leading zeros are optional
- Successive fields of zeros can be represented as ::, but only once per address
**Every IPv6 interface contains at least 1 loopback ::1/128
ex. 2001:0123:0000:0000:FFFF:0000:0000:0ABC = 2001:123::FFFF:0:0:ABC
> Loopback = ::1
> Unassigned Address = :: (all zeros)
- Surfing the web @ 2001:123:4567::8, the user would need to enter ex. http://[2001:123:4567::8]:8080/index.html
IPv6 Unicast Addresses
- Global Unique Unicast - NAT no longer needed
- Reserved Unicast Addresses
- Link Local unicast address (routers do not forward Link Local addresses) - used for automatic address config, neighbour/router discovery
- Site Local unicast address RFC3879 - private addresses assigned to an entire site, similar to RFC1918 (Deprecated in 2004) - no longer used
IPv6 Multicast - One-to-many, replaced Broadcast
IPv6 Anycast - One-to-nearest, used for load balancing
IPv6 Unicast Address
(Network Prefix - 64 bits)(Interface identifier - 64 bits)
- No Subnetting, No NAT
- All interfaces have a subnet mask of /64
- "Aggregatable Global Unicast Address" means addresses in your organization are globally unique (public IP addresses inside the organization)
IPv6 EUI address
- Convert MAC address into IPv6 EUI Address (Interface Identifier 64 bits)
- Changes the 7th bit in the 64 bit address to X
> X = 1 globally managed (unique)
> X = 0 locally managed (not unique)
ex.
MAC Address -> 00 34 56 78 90 AB
IPv6 -> 00 34 56 FF FE 78 90 AB
00 -> 000000X0 -> 00000000 = not unique
IPv6 Aggregatable Global Unicast Address
(Network Prefix - 64 bits)(Interface identifier - 64 bits)
([Global Prefix - 48 bits][Subnet ID - 16 bits])(Interface identifier - 64 bits)
([Public topology][Site topology])(Interface)
> ISP allocates you a /48. This gives you 16 bits to subnet, which gives 2^16 = 65536 subnets within your organization
> Your internal network will use a /64 out of the ISP's /48 on each interface
ex. Internet Registry 2001::/16 -> ISP 2001:1234::/32
ISP 2001:1234::/32 -> Organization 2001:1234:1::/48
Organization 2001:1234:1::/48 -> Organization subnet 2001:1234:1:2::/64 or 2001:1234:1:3::/64, etc...
==Setup IPv6 address==
R1(config)#int f0/0
R1(config-if)#ipv6 address 2001::1/64
==Setup IPv6 eui-64==
**eui-64 uses the MAC address. eui-64 inserts FF:FE in the middle of the MAC address and changes the 7th bit to identify itself as locally or globally managed (1). eui-64 then becomes the host address by expanding itself from a 48 bit address to a 64 bit one
> MAC (bia burned-in address) Address: c401.0fe8.0000
> eui-64: c601:FFF:FEE8:0 (notice 4 becomes 6 because the 7th bit has a value of 2)
R1(config)#interface f0/1
R1(config-if)#ipv6 address 2001:2::/64 eui-64
IPv6 Unicast Addresses
1) Link Local
- Unicast, restricted to the Local Link
- Enabled by default
- 128 bits in length, not bound to MAC address
- 1st 10 bits: 1111 1110 10 [FE80::/10]
- configured in EUI-64 format
- IPv6 uses Link Local to advertise routes to one another using routing protocols
- Link Local addresses are also useful for when your routers' Global Unicast Address changes
2) Site Local [Should no longer be used]
- Unicast, restricted to the Site
- Not Enabled by default
- 128 bits in length
- 1st 10 bits: 1111 1110 11 [FEC0::/10]
**Equivalent to RFC1918 addresses
3) IPv4 compatible addresses [Should no longer be used]
- Uses /96 mask
- Recall IPv4 is 32 bits, IPv6 is 128 bits
- Therefore... IPv4 Compatible addresses become... IPv6 tunnel = [96 bits of 0s][32 bits of IPv4 address]
0:0:0:0:0:0:192.0.2.100 = ::192.0.2.100 = ::C000:0264
> 192 = C0 because 192 = 1 1 0 0 | 0 0 0 0 = 12 | 0 = C0
> 100 = 0 1 1 0 | 0 1 0 0 = 64
**Bypassed by "Dynamic NAT-PT Protocol Translation"
4) Unspecified address 0:0:0:0:0:0:0:0 - initial DHCP request, DAD Duplicate Address Detection
5) Loopback address 0:0:0:0:0:0:0:1 (IPv4 127.0.0.1)
IPv6 Multicast Addresses
1) Assigned FF00::/8
2) Solicited-Node FF02.../104
- Solicited-Node multicast address is scoped to the Local Link
- Similar use to ARP, but ARP uses Broadcast and Broadcast is no longer supported in IPv6, so the Solicited-Node multicast address is used to learn the link layer addresses of neighboring nodes and routers on the same link
**For any unicast/anycast address set up on an interface, a corresponding Solicited-Node multicast address is automatically enabled
IPv6 Stateless Autoconfiguration
- Remember, Stateless because no subnetting is required
- Enables serverless basic configuration of IP addresses, while keeping those addresses unique
- Routers send periodic router advertisement messages using a link local address, through ICMPv6 Type 134 multicast FF02::1 (Cisco has 7 days lifetime by default)
IPv6 Stateless Autoconfiguration (How it works - How Host gets IPv6 address)
*Don't memorize Type XXX
1) Host sends Router Solicitation to all routers using FF02::2 (ICMPv6 Type 133 - Router Solicitation), asks for IP address immediately
- Host uses its link local address FE80::X/10 (with its EUI) as source
2) Router replies (ICMPv6 Type 134 - Router Advertisement)
- Router uses its link local address FE80::Y/10 (with its EUI) as source
- Router uses destination FF02::1 (ICMPv6 Type 134)
IPv6 Stateless Autoconfiguration Benefits
1) Easy Configuration of PC's IP address (DHCP ish...)
- Configure IP Address on router; by default, router advertisements are enabled
- PCs will automatically learn the Prefix assigned to them and the Default Gateway, without an administrator configuring a DHCP server (host automatically configured - the prefix combined with the PC's IPv6 link local address / EUI allows the PC to communicate on the network)
2) Easy renumbering of IP addresses
- Routers can advertise a new prefix and time out the old prefix, and hosts will automatically be updated with the new prefix
IPv6 Stateful DHCP
- Provides control and options (IP phones)
- You can use Stateless Autoconfiguration and Stateful DHCP at the same time
- Stateful DHCP can provide IPv6 addresses in the absence of routers
IPv6 Stateful DHCP (How it works)
1) Host will first detect routers using Neighbor Discovery messages to see if a router is available
2) If a router is found, Host will examine the router advertisement to see if DHCPv6 should be used
3) If DHCPv6 is available for use or no routers are found, Host will start the DHCPv6 solicitation phase to find a DHCP server
> If DHCPv6 cannot be used, then Host uses Stateless Configuration
4) Host sends DHCP Solicit message to DHCPv6 agents using multicast address FF02::1:2
**FF02 = multicast
**FE80 = link local
Host FE80::Y/10 (Y = EUI) -> DHCPv6 agents
==Enable IPv6 on Router== [Network = 2001:1:1:1. Host = 1]
R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 address 2001:1:1:1::1/64
R1(config-if)#no shut
==Enable IPv6 on Router with eui-64==
R1(config)#int f0/1
R1(config-if)#ipv6 address 2001:2::/64 eui-64
R1(config-if)#no shut
IPv6 DAD Duplicate Address Detection
FF02::1 - All nodes & routers on link
FF02::2 - All routers on link
FF02::1:FFX:Y
FF02::1:FFX:Z
- X:Y and X:Z are the unique portion (unique node) multicast entries - this happens because of DAD Duplicate Address Detection
IPv6 Routing Protocols (do not reuse IPv4 routing protocols)
**To enable IPv6 routing protocols, use command: ipv6 unicast-routing
*You can run IPv4 and IPv6 routing protocols at the same time; this is called "Dual Stack"
- Static
- RIPng
- OSPFv3
- IS-IS for IPv6
- MP-BGP4
IPv6 RIPng Next Generation
**RIP router multicast group FF02::9 - for RIP updates
**RIP IPv4 uses multicast 224.0.0.9
- RIP IPv6 sends RIP updates on UDP port 521
- Distance vector
- Radius of 15 hops (16 hops = infinity)
~split horizon, poison reverse
==Display IPv6 routes==
R1#show ipv6 route
==Enable RIPng==
**To enable IPv6 routing protocols, use command: ipv6 unicast-routing
> RIPng = randomName
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router rip RIPng
> Enable on interface
R1(config)#int f0/0
R1(config-if)#ipv6 rip RIPng enable
R1(config-if)#int f0/1
R1(config-if)#ipv6 rip RIPng enable
==Enable RIPng default route==
> This route will show as ::/0
R1(config-if)#ipv6 rip RIPng default-information originate
==Create RIPng default route==
> Create default route to serial 0/0
R1(config-if)#ipv6 route ::/0 serial 0/0
==Enable OSPFv3 (IPv6)==
> OSPFv3, even though it is IPv6, requires a router id in IPv4 format
> We will use 1.1.1.1
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#int f0/2
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#int f0/3
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#int loop 0
R1(config-if)#ipv6 address 2002::1/64
R1(config-if)#ipv6 ospf 1 area 1
> Need to enable it for both R1 and R2 on the connecting interface
> R1 f0/3 (area 0) <-> f0/1 R2 (area 0)
R2(config)#ipv6 router ospf 2
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#int f0/0
R2(config-if)#ipv6 ospf 2 area 2
R2(config-if)#int f0/1
R2(config-if)#ipv6 ospf 2 area 0
**Notice.. R2 can see R1's loopback via R2's f0/1
==Display IPv6 OSPF Route==
R2#show ipv6 route ospf
IPv4 to IPv6 transition methods
1) Dual Stack (run both IPv4 and IPv6)
2) Tunneling (run IPv6 over IPv4)
IPv4/IPv6 Dual Stack (How to?)
1) [Layer 7] Application -> TCP/UDP? [Layer 4]
2) [Layer 4] TCP/UDP -> IPv4 or IPv6? [Layer 3]
3a) [Layer 3] IPv4 -> Type 0x800 [Layer 2]
3b) [Layer 3] IPv6 -> Type 0x86DD [Layer 2]
4) [Layer 2] 0x800/0x86DD -> Ethernet medium [Layer 1]
IPv4/IPv6 Tunneling
1) [Manual] Manual IPv6 over IPv4 tunnel
2) [Auto] Dynamic 6-to-4 Tunnel [don't worry]
3) ISATAP Intra-site automatic tunnel addressing protocol [don't worry]
4) Teredo tunneling
1) IPv4/IPv6 Tunneling - IPv6 over IPv4 tunnel (Manual)
**Protocol type 41 is specified in the IPv4 header for encapsulation
[IPv6 Data][IPv6 Header][IPv4 Header][SA:1.1.1.1][DA:2.2.2.2]
- IPv6 is sent inside an IPv4 header; the IPv4 header is then stripped off at the destination router and the packet is sent on as pure IPv6 data
- Note. IPv4 header is 20 bytes
2) IPv4/IPv6 Tunneling - Dynamic 6-to-4 Tunnel (Auto)
*Must use 2002::/16
- R1: [2002:c0a8:6301::/48][192.168.99.1] <-> R2: [192.168.30.1][2002:c0a8:1e01::/48]
[Sending from PC1 -> R1 -> R2 -> PC2]
1) PC1 sends packets to R1
2) R1 converts IPv4 address 192.168.99.1 to hexadecimal, then adds it to 2002::/16
> 2002:c0a8:6301::/48
3) Because of the IPv6 address, R1 knows it needs to send it to the IPv4 address of R2
> R1 will then encapsulate the data into IPv4 packets to R2
4) R2 will then decapsulate the data into IPv6 packets for PC2
5) R2 will forward the IPv6 packets to PC2
==IPv4/IPv6 Tunneling==
> R1 s0/0 [10.1.2.1/24][2001:1:1:1::1/64] <-> s0/0 R2 [10.1.2.2/24][2001:1:1:3::1/64]
R1(config)#int tun 0
R1(config-if)#ipv6 address 2003::1/64
R1(config-if)#tunnel source 10.1.2.1
R1(config-if)#tunnel destination 10.1.2.2
R1(config-if)#tunnel mode ipv6ip (otherwise the default is GRE)
> Static route
R1(config)#ipv6 route 2001:1:1:3::/64 tun 0
R2(config)#int tun 0
R2(config-if)#ipv6 address 2003::2/64
R2(config-if)#tunnel source 10.1.2.2
R2(config-if)#tunnel destination 10.1.2.1
R2(config-if)#tunnel mode ipv6ip
> Static route
R2(config)#ipv6 route 2001:1:1:1::/64 tun 0
==Show IPv4 interface==
R1#show ip int brief
==Show IPv6 interface==
R1#show ipv6 int brief
IPv6/IPv4 Proxying and translation (NAT-PT)
> PC1 IPv4 <-> R1 <-> Server IPv6
> PC1 only uses IPv4 and Server only uses IPv6, so R1 acts as a translator
_______________________________________________________
==OSPF Simulations - Section534==
Configure the router's FastEthernet 0/0 interface with the following:
Network IPv6: 2001:152:1:17::/64 EUI
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# int f0/0
Router1(config-if)# ipv6 address 2001:152:1:17::/64 eui-64
_______________________________________________________
==OSPF Simulations - Section535==
Configure RIPng on Router1 as follows: (Router2 is configured)
Enable IPv6 unicast routing
Enable RIP process cisco
Configure 2001:1:2:3::1/64 on FastEthernet 0/0
Enable RIP process cisco on FastEthernet 0/0
Advertise a default route out of FastEthernet 0/0
Configure 2001:2::1/64 on Serial 0/0
Create a default route to serial 0/0
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# ipv6 unicast-routing
Router1(config)# ipv6 router rip cisco
Router1(config-rtr)# int f0/0
Router1(config-if)# ipv6 address 2001:1:2:3::1/64
Router1(config-if)# ipv6 rip cisco enable
Router1(config-if)# ipv6 rip cisco default-information originate
Router1(config-if)# int serial 0/0
Router1(config-if)# ipv6 address 2001:2::1/64
Router1(config-if)# ipv6 route ::/0 serial 0/0
_______________________________________________________
==Config IPv6==
> R1 int s2/0, 2001:1::1/64
> R2 int s2/0, 2001:1::2/64
> R1 loopback, 2001:FACE::1/128
R1(config)#int loopback 0
R1(config-if)#ipv6 address 2001:FACE::1/128
R1(config-if)#int s2/0
R1(config-if)#ipv6 address 2001:1::1/64
R2(config)#int s2/0
R2(config-if)#ipv6 address 2001:1::2/64
> R1#show ipv6 route. Notice, /128 appears
**Routers will create IPv6 routes based on the unicast IPv6 address configured on the interface
C  2001:1::/64 ... Serial 2/0 [R1]
L  2001:1::1/128 ... Serial 2/0 [R2]
LC 2001:FACE::2/128 ... Loopback [R1]
**C = Connected (directly connected physical cable)
**L = Local (network connection)
**LC = Both, directly connected because the loopback is both a local and a network connection
==Configure IPv6 SERIAL connection (static route)==
> R1 2001:FACE:1::1/64 on Loopback | 2001:1::1/64 on S0/0 <-> R2 2001:FACE:2::1/64 on Loopback | 2001:1::2/64 on S0/0
R1(config)#int s2/0
R1(config-if)#no shut
R1(config-if)#ipv6 address 2001:1::1/64
R1(config-if)#int loop 0
R1(config-if)#ipv6 address 2001:FACE:1::1/64
R2(config)#int s2/0
R2(config-if)#no shut
R2(config-if)#ipv6 address 2001:1::2/64
R2(config-if)#int loop 0
R2(config-if)#ipv6 address 2001:FACE:2::1/64
> Static routes [Serial]
R1(config)#ipv6 route 2001:FACE:2::/64 serial 2/0
R2(config)#ipv6 route 2001:FACE:1::/64 serial 2/0
==Configure IPv6 ETHERNET Next Hop IP Address (static route)==
> R1 2001:FACE:1::1/64 on Loopback | 2001:1::1/64 on f0/0 <-> R2 2001:FACE:2::1/64 on Loopback | 2001:1::2/64 on f0/0
R1(config)#int f0/0
R1(config-if)#ipv6 address 2001:1::1/64
R2(config)#int f0/0
R2(config-if)#ipv6 address 2001:1::2/64
> Static routes [Next Hop IP Address]
R1(config)#ipv6 route 2001:FACE:2::/64 2001:1::2
R2(config)#ipv6 route 2001:FACE:1::/64 2001:1::1
==Show IPv6 routes==
> IPv4 routes: R1#show ip route
R1#show ipv6 route
IPv6 DHCP options
- DHCPv6
- SLAAC Stateless Address Autoconfiguration
IPv4 vs IPv6
- IP Address
- Default Gateway vs Default Router
- Subnet Mask vs Prefix Length
- DNS servers
- NDP Neighbor Discovery Protocol (uses Neighbors to discover and exchange info) vs ARP
IPv6 NDP
1) SLAAC Stateless Address Autoconfiguration
- Advertise/Discover which Subnet or Prefix/length it belongs to
- Router dynamically allocates the network portion of the address (host uses its MAC address for the host portion of the IP)
- Uses DAD Duplicate Address Detection to determine that no other host uses the same IP
2) Neighbor MAC Discovery
- Again, no ARP and no Broadcast
ICMPv6 NDP Messages
1) Router Solicitation (RS) [FF02::2] - similar to 224.0.0.2 - Sent to routers
2) Router Advertisement (RA) [FF02::1] - similar to 224.0.0.1 - Sent by routers (includes Link-Local IPv6 address and local segment)
*Host address numbers are kind of consistent
ICMPv6 Process
1) PC boots up, sends RS to FF02::2, asking all routers to identify themselves
2) Routers reply with RA to FF02::1 with their Link-Local IPv6 address
3) Routers will periodically advertise their details to FF02::1
R1#sh int g0/0
R1#sh ip int g0/0
R1#sh ipv6 int g0/0
==Setup IPv6 Relay Agent==
> Initial Setup
PC <-> g0/0 R1 g0/1 <-> g0/1 2001:1234::2 DHCPServer
R1(config)#ipv6 unicast-routing
R1(config)#int g0/0
R1(config-if)#ipv6 address 2001:FACE::1/64
R1(config-if)#no shut
R1(config-if)#int g0/1
R1(config-if)#ipv6 address 2001:1234::1/64
R1(config-if)#no shut
> DHCP Server setup
DHCPServer(config)#ipv6 unicast-routing
DHCPServer(config)#int g0/1
DHCPServer(config-if)#ipv6 address 2001:1234::2/64
DHCPServer(config-if)#no shut
DHCPServer(config-if)#exit
DHCPServer(config)#ipv6 dhcp pool mypool
DHCPServer(config-dhcpv6)#address prefix 2001:face::/64
DHCPServer(config-dhcpv6)#dns-server 2001:1234::2
DHCPServer(config-dhcpv6)#domain-name ccnax.com
DHCPServer(config-dhcpv6)#exit
DHCPServer(config)#int g0/1
DHCPServer(config-if)#ipv6 dhcp server mypool
> DHCP static route to the Relay Agent
DHCPServer(config)#ipv6 route 2001:face::/64 2001:1234::1
> DHCP Relay Agent
> Since R1 g0/0 will be receiving DHCP Requests from the PC, we set up the relay on this port
R1(config)#int g0/0
R1(config-if)#ipv6 dhcp relay destination 2001:1234::2
> Configure PC
PC1(config)#ipv6 unicast-routing
PC1(config)#int g0/0
PC1(config-if)#ipv6 address dhcp
PC1(config-if)#ipv6 enable
PC1(config-if)#no shut
_____________________________________________
WAN Technologies:
- Frame Relay
- ATM
- DSL
- PPP
- HDLC
WAN PPP Point-to-Point Protocol (aka Serial Link)
- Provides dedicated connection between 2 sites
- Leased Line (Monthly Fee)
- These days, replaced by VPN using DSL, used instead of PPP
- Connection between 2 points, rather than multiple points
WAN HDLC High-Level Data Link Control
WIC WAN Interface Card
- Uses T1 CSU Channel Service Unit / DSU Data Service Unit (X.21 / V.35 cable)
VPN Virtual Private Networks
- Replaced Leased Line
Leased Lines
- Synchronous Serial Communication - one party provides the clocking for the communication
> 2 devices will synchronize their clocks before data transfer takes place to ensure data does not get corrupted
- CSU DSU (aka CSU) provides the clocking and is the master for communication
- Router acts as a Slave, receives clocking from the CSU
DCE and DTE:
- DCE Data Communication Equipment (ISP) -> CSU DSU (ISP's box) -> DTE Data Terminal Equipment (receives clocking from CSU DSU; onsite router)
~Devices:
WIC 1T - 1 serial cable/connection
WIC 2T - 2 serial cables/connections
WIC 4T - 4 serial cables/connections
Advantage of Leased Line:
- Easy configuration
- High QoS
- Bandwidth of connection is dedicated only to you and you alone
- Permanent
Disadvantage of Leased Line
- Expensive
- Charged whether you use it or not
- Limited to the speed of the link
Leased Line (aka T or E carrier system)
Nyquist Theorem - Converts Analog Voice to a Digital 64 kbps stream (Time Division Multiplexing)
US Speeds
DS0 Digital Signal level 0 = 64 kbps
T1 = 24 x DS0 = 1.544 Mbps
T2 = 4 * T1
T3 = 28 * T1
T4 = 168 * T1
Euro Speeds
E1 = 30 x DS0 = 2 Mbps
E2 = 4 * E1
E3 = 17 * E1
E4 = 70 * E1
WAN Technologies
1) PSTN Public Switched Telephone Network
- Layer 2 protocols (HDLC High-Level Data Link Control, PPP)
- PPP has an advantage because it has authentication
- Circuit switched, a dedicated path is set up for the duration of the call
- Analog Asynchronous: Insert START/STOP bits in the same channel as the data. START bit prior to each byte of data.
Uses STOP bit after each byte of data
- lowers cost of equipment
- NOT DIGITAL
- Does NOT use a clock to differentiate between bytes of data; START/STOP bits are used instead
ADVANTAGE: Simple, Availability, Cost
DISADVANTAGE: Slow (33-56 kbps), upgrade ISDN (64-128 kbps)
2) Leased Line
- Serial / Point-to-Point link between 2 sites with dedicated bandwidth
- Leased from Service Provider
- Connects to a CSU DSU Channel service unit / digital service unit
- Synchronized clocks for Data Transfer; before transfer they must align their clocks
- DCE Data Communication Equipment uses Internal Clocking (Service Provider provides this)
- DTE Data Terminal Equipment uses External Clock (Customer side of WAN connection) -> dependent on DCE (Modem/DCE/CSU/DSU)
- X.21 / V.35 cable
ADVANTAGES: Simple, High QoS, Permanent Connection
DISADVANTAGE: Cost, charged for circuit - if you don't use it, you are still charged; no ability to go above the set speed (burst)
3) Packet Switched
- Serial / Point-to-Point link between 2 sites with shared bandwidth
ADVANTAGE: Cost, potential to use above the speed limit if other users are not using it (burst)
DISADVANTAGE: Shared
DTE DCE
- If connecting 2 routers, both females, 1 of the routers must be the DCE.
Cable will determine which side is the DCE and which side is the DTE
- 21, 35, 232, 449
- DCE = Female
- DTE = Male
==Setup Serial Interface clock rate - DCE==
**Default speed is T1
**Bandwidth is especially important to OSPF and EIGRP because those protocols use bandwidth in their calculations to determine the best route
R1(config)#int serial 0/0/0
R1(config-if)#clock rate 64000 (64 kbps)
or
R1(config-if)#bandwidth 64
==Enable HDLC==
R1(config)#int serial 1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#encapsulation HDLC
==Enable PPP/CHAP & Authentication==
> Connect R1 and R2
R1(config)#int serial 1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#encapsulation ppp
> Username R2, Password cisco, pap
R1(config-if)#exit
R1(config)#username R2 password cisco
R1(config)#int s0/0
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password cisco
> R2 side
R2(config)#username R1 password cisco
R2(config)#int s0/0
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username R2 password cisco
> Enable CHAP instead
R2(config-if)#ppp authentication chap
Types of HDLC
[Flag][Address][Control][Data][FCS][Flag]
1) HDLC High-Level Data Link Control [Industry Standard]
- Missing Proprietary field, cannot run IPX and IPv4 OR IPv4 and IPv6 at the same time
2) Cisco HDLC High-Level Data Link Control [Cisco ONLY]
- Includes [PROPRIETARY]
- Can run both IPv4 and IPv6 at the same time
3) PPP [Industry Standard]
- Includes [PROTOCOL]
- Can run both IPv4 and IPv6 at the same time
- Layer 2
- Multilink PPP - makes several links into a single link
- Supports multiple higher layer protocols, authentication (PAP, CHAP)
- PAP - clear text
- CHAP - MD5 Hash, uses the Router's name for authentication
Frame Relay
- Replaced by MPLS Multiprotocol Label Switching
- Replaced X.25 (error checking at Layer 2)
- Frame Relay does not error check, relies on TCP
- Shared Packet Switched environment where companies share the bandwidth
- Sites are set up as SVC Switched Virtual Circuits (acts like a phone call - only brought up when required) or PVC Permanent Virtual Circuits (permanent connection from 1 site to another site)
- Speeds up to 4 Mbps
- Switches are programmed to deal with DLCI Data Link Connection Identifier. Once it receives a specific DLCI, the switch has been programmed to switch frames of XXX to YYY.
***Think. Traffic is directed with DLCI
- Routers learn each other's IP addresses using "Inverse ARP" - "I tell you my IP address without you requesting it"
ADVANTAGES: Cost, Bursting
ATM Asynchronous Transfer Mode
- Developed to carry voice, video and data across a single infrastructure
- Higher speed than Frame Relay, up to 155 Mbps
- ATM is good for voice because data is broken up - data broken up into 53 byte cells reduces delay and jitter when voice has to be transmitted after data packets
- Physical Media uses SONET/SDH, Optical Fibre
- VPI/VCI Virtual Path/Channel Identifier is similar to DLCI
ADSL Asymmetric Digital Subscriber Line
- Home setup - phone and data used together
- Voice and data are split by frequency through the use of a splitter
ADVANTAGE: Single analog cable into home (= less cost)
DSL
ADVANTAGE: Speed, simultaneous voice/data transmission, always on, backward compatible with analog phone
DISADVANTAGE: limited availability, local phone company requirement, security risk (permanently on)
1) ADSL Asymmetric Digital Subscriber Line
- up/down speed is unequal
- analog phone and internet at the same time
2) SDSL Symmetric Digital Subscriber Line
- up/down speed is EQUAL
- no analog telephone calls (VoIP is useful here)
_______________________________________________________
==OSPF Simulations - Section572==
Enable ppp on Serial 0/1 and enable the interface.
Router2> en
Router2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)# interface serial 0/1
Router2(config-if)# encapsulation ppp
Router2(config-if)# no shut
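The PAP versus CHAP contrast in the PPP section above (clear-text password versus MD5 challenge/response, with the peer's hostname used to look up the secret) can be modelled end to end. The Python below is an added example, not part of these notes or of Cisco IOS; it assumes the mirrored `username R2 password cisco` / `username R1 password cisco` entries from the PPP configuration above, stands in for PPP frames with dictionaries, and takes the CHAP digest from RFC 1994 (MD5 over Identifier, Secret, Challenge).

```python
# Added example (not from the original notes): model of PPP PAP (RFC 1334)
# and CHAP (RFC 1994) authentication, showing why PAP exposes the secret on
# the wire and CHAP does not.
import hashlib
import hmac
import os
from typing import Optional

# Constructed user databases mirroring the notes' PPP config: each router
# stores the PEER's hostname together with the shared secret.
#   R1(config)#username R2 password cisco
#   R2(config)#username R1 password cisco
R1_USERS = {"R2": b"cisco"}
R2_USERS = {"R1": b"cisco"}


def pap_request(peer_id: str, password: bytes) -> dict:
    """PAP Authenticate-Request: peer-id and password travel in clear text."""
    return {"proto": "PAP", "code": 1, "peer_id": peer_id, "password": password}


def pap_verify(user_db: dict, request: dict) -> bool:
    """Authenticator side of PAP: compare the received password with the stored one."""
    secret = user_db.get(request["peer_id"])
    return secret is not None and hmac.compare_digest(secret, request["password"])


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_challenge(authenticator: str, identifier: int,
                   value: Optional[bytes] = None) -> dict:
    """CHAP Challenge (code 1): a random value plus the authenticator's hostname.
    `value` can be fixed for a deterministic test; on a real link it is random."""
    value = os.urandom(16) if value is None else value
    return {"proto": "CHAP", "code": 1, "id": identifier, "value": value, "name": authenticator}


def chap_response(peer: str, user_db: dict, challenge: dict) -> dict:
    """CHAP Response (code 2). The peer looks the secret up by the hostname carried
    in the Challenge (the notes' "uses the router's name for authentication"),
    hashes, and returns only the digest plus its own hostname; the secret itself
    never goes on the wire."""
    secret = user_db[challenge["name"]]
    digest = chap_digest(challenge["id"], secret, challenge["value"])
    return {"proto": "CHAP", "code": 2, "id": challenge["id"], "value": digest, "name": peer}


def chap_verify(user_db: dict, challenge: dict, response: dict) -> bool:
    """Authenticator side of CHAP: recompute the digest with the secret stored for
    the responding hostname and compare in constant time. True corresponds to a
    CHAP Success packet, False to Failure."""
    if response["id"] != challenge["id"]:
        return False
    secret = user_db.get(response["name"])
    if secret is None:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_pap(authenticator_db: dict, peer_name: str, peer_password: bytes):
    """One PAP exchange; returns (authenticated, messages seen on the wire)."""
    request = pap_request(peer_name, peer_password)
    return pap_verify(authenticator_db, request), [request]


def run_chap(authenticator: str, authenticator_db: dict, peer: str, peer_db: dict,
             identifier: int = 1, value: Optional[bytes] = None):
    """One CHAP exchange (authenticator challenges, peer responds, authenticator
    verifies); returns (authenticated, messages seen on the wire)."""
    challenge = chap_challenge(authenticator, identifier, value)
    response = chap_response(peer, peer_db, challenge)
    return chap_verify(authenticator_db, challenge, response), [challenge, response]


def secret_on_wire(messages: list, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any byte field of the capture."""
    return any(secret in field for msg in messages
               for field in msg.values() if isinstance(field, bytes))


if __name__ == "__main__":
    ok, wire = run_pap(R1_USERS, "R2", b"cisco")
    print(f"PAP  authenticated={ok} secret visible on wire={secret_on_wire(wire, b'cisco')}")
    ok, wire = run_chap("R1", R1_USERS, "R2", R2_USERS)
    print(f"CHAP authenticated={ok} secret visible on wire={secret_on_wire(wire, b'cisco')}")
```

Because the Response depends on the random Challenge value, a captured CHAP exchange cannot simply be replayed, which is the property the notes' "PAP - clear text / CHAP - MD5 Hash" line is pointing at.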
_______________________________________________________
==OSPF Simulations - Section573==
Serial 0/1:
Set the clocking to 64 kbps on Router1 as it has the DCE side of the cable
Set the bandwidth to 64 kbps
Set the encapsulation to ppp
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# int serial 0/1
Router1(config-if)# clock rate 64000
Router1(config-if)# bandwidth 64
Router1(config-if)# encapsulation ppp
_______________________________________________________
==OSPF Simulations - Section574==
Configure the following IP addresses and then enable HDLC on the router Serial interfaces 0/1
Router 1: 10.1.1.1/24
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# int serial 0/1
Router1(config-if)# ip address 10.1.1.1 255.255.255.0
Router1(config-if)# encapsulation hdlc
_______________________________________________________
==OSPF Simulations - Section575==
You are connecting a Cisco router to another vendor's router using serial 0/1
Set the correct encapsulation to enable communication
Configure the last IP address in the subnet 192.168.1.128/30
**Since we are connecting Cisco's router to another vendor, we want an Industry Standard protocol (ppp)
> Binary scratch work:
192.168.1.128 /30: 128 64 32 16 0 0 0 0 -> 1 0 0 0 0 0 | 0 0
Router1> en
Router1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)# int serial 0/1
Router1(config-if)# encapsulation ppp
Router1(config-if)# ip address 192.168.1.130 255.255.255.252
_______________________________________________________
==OSPF Simulations - Section576==
Enter the command that displays the encapsulation on interface serial 0/1
Router1> en
Router1# show int serial 0/1
==Check Cabling DCE/DTE==
R1#show controller serial 0/1/0
==Set clock speed and bandwidth==
**Note. Clock speed can only be set on the DCE.
Bandwidth is fine on both DTE and DCE
R1(config)#int s0/1/0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64

Cisco Default Encapsulation = HDLC High-level Data Link Control
**Point-to-point link/back-to-back: the encapsulation between two connected interfaces must match, but can differ on other connected links
**Point-to-point/back-to-back link: DTE interfaces must have bandwidth, DCE interfaces must have both bandwidth and clock rate
**MAC addresses are used on an Ethernet segment, but not on HDLC (HDLC will reference which higher level protocol is used: IPv4, IPv6)

HDLC High-level Data Link Control (Industry Standard)
[Flag][Address][Control][Data][FCS]
- Layer 2 encapsulation
- Leased line

Cisco HDLC High-level Data Link Control (Proprietary)
[Flag][Address][Control][TYPE][Data][FCS]
**By default, Cisco routers use HDLC for encapsulation
- HDLC with a "Type" field
- Allows multiple higher layer protocols to traverse at the same time (IPv4 and IPv6)
R1(config)#int s1/0
R1(config-if)#ip address 10.1.2.1 255.255.255.252
R1(config-if)#encapsulation hdlc

==Setup HDLC between 2 routers==
**Notice, no encapsulation configuration is required because HDLC is enabled by default
R1 s2/0 <-> s2/0 R2
R1(config)#int s2/0
R1(config-if)#ip address 10.1.2.1 255.255.255.252
R1(config-if)#no shut
R2(config)#int s2/0
R2(config-if)#ip address 10.1.2.2 255.255.255.252
R2(config-if)#no shut

Protocols:
Unicast = (0x0f)
CDP = (0x2000)
IPv4 = (0x0800)
IPv6 = (0x86dd)

PPP Advantages
- Multiple vendors
- Multiple protocols simultaneously (IPv4, IPv6)
- Authentication and multilink (present multiple physical interfaces as a single link to higher protocols; IPv4 would think it is a single link)

PPP Authentication
- Layer 2, similar to HDLC
1) PAP Password Authentication Protocol (clear text)
2) CHAP Challenge Handshake Authentication Protocol (MD5 hash)

PPP Protocols
1) LCP Link Control Protocol
- Manages features (authentication, multilink)
2) NCP Network Control Protocol
> Allows multiple
higher layer protocols to traverse a single link by using NCP
> NCP for IPv4 = IPCP
> NCP for CDP = CDPCP
> NCP for IPv6 = IPv6CP
- Therefore, to use both IPv4 and IPv6, PPP would need to use both IPCP and IPv6CP
**Again, PPP is a Layer 2 protocol; therefore, in order to support Layer 3 IPv4 and IPv6 over a single leased line, it needs the help of IPCP and IPv6CP

PPP 3 phases of link establishment
1) Link establishment phase
- PPP devices send LCP packets to configure and test the Data Link (negotiate which authentication method (PAP, CHAP), multilink?)
2) Authentication Phase (OPTIONAL)
- Devices choose PAP? CHAP? both?
3) Network Layer Protocol Phase
- Devices choose to use IPv4? IPv6? both?

PPP PAP
- Requires ONLY password
- Cleartext password
- Remote peer is in control of the authentication attempt (no protection from repeated attempts)
- Router's running config (local database) stores the usernames/passwords

PPP CHAP Challenge Handshake Authentication Protocol
**CCNA level, make sure hostnames are configured correctly
- Requires username and password
- MD5 hash (hashes data to a 128bit value) - aka trap door (you can't take the hash value and come up with the original value)

PPP CHAP Process
> R1 wants to authenticate with R2 (challenger)
1) R2 sends a CHAP challenge packet to R1
[CHAP challenge packet type identifier][identifier id][random #][nameOfSender]
*R2 might be challenging multiple remote devices, therefore it needs [identifier id] to keep track
*[random #] stops playback (replay) attacks
**2) R1 receives the challenge, enters password
3) R1 will then hash the 3 fields together: MD5# = [password + identifier id + random #]
4) R1 sends the 3 fields back to R2, inserting MD5# where random# was
5) R2 will compare the received MD5# to its own hash of the same fields
==TLDR==
R1 <- R2   **[id] is kept
--1) [01][id][random][R2]
R1 -> R2
--2) [02][id][MD5#][R1]

PPP Two authentication methods (using both PAP and CHAP)
- Only one of the authentication methods will ever be used, but you can have the other on standby
i.e. R1 (PAP, then CHAP) - R2 (CHAP), then CHAP will be used
i.e. R1 (CHAP, then PAP) - R2 (CHAP), then CHAP will be used
i.e. R1 (CHAP, then PAP) - R2 (PAP), then PAP will be used
i.e. R1 (PAP, then CHAP) - R2 (PAP, then CHAP), then PAP will be used, CHAP will not be used
***CHAP: routers use their hostname for authentication
***CHAP: passwords must be the same on both sides
*If username/password is changed after a successful login, no error

==PPP PAP username/password==
R1 s2/0 <-> s2/0 R2
> Create R1 local user
R1(config)#username User2 password cisco
> Create R2 local user
R2(config)#username User1 password cisco
> Config R1 encapsulation
R1(config)#int s2/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username User1 password cisco
> Config R2 encapsulation
R2(config)#int s2/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username User2 password cisco

==PPP CHAP username/password==
> Create R1 local user
R1(config)#username R2 password cisco
> Config R1 encapsulation
R1(config)#int s2/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
> Create R2 local user
R2(config)#username R1 password cisco
> Config R2 encapsulation
R2(config)#int s2/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap

Multilink PPP
- Makes 2 or more serial links appear as a single physical link
- If one of the links goes down, the multilink will still be up. If all links go down, then the multilink goes down
- Accomplished via a "Virtual Multilink Interface" by fragmenting packets across both links, ex.
PC1 -> R1 s0/0 & s0/1 R2 -> PC2: R1 will fragment a packet onto the 2 links, then R2 will join the fragments back again to continue transmission to PC2
- PC2 would not know fragmentation took place
- Multilink used to be used on single physical links, because it provides fragmentation
- Wireshark will show errors about fragments (if 2 or more links), because the fragments fail the checksum. However, when all links are disabled down to 1 link, there will be no error, because on a single link no fragmentation takes place
- Fragmentation/reassembly is based on the "Sequence number" in the Multilink Protocol

==Configure PPP Multilink==
> R1 s2/1 10.1.4.1 <-> s2/1 10.1.4.2 R2
> R1 s2/0 10.1.2.1 <-> s2/0 10.1.2.2 R2
**Note. Neighbor relationship must be established first, i.e. EIGRP has to be enabled
R1(config)#interface multilink 1 (the number is arbitrary)
R1(config-if)#encapsulation ppp
R1(config-if)#ppp multilink
R1(config-if)#ip address 10.1.5.1 255.255.255.252
R1(config-if)#ppp multilink group 1
R1(config-if)#int s2/0
R1(config-if)#ppp multilink group 1
R1(config-if)#int s2/1
R1(config-if)#ppp multilink group 1
R2(config)#interface multilink 1 (the number is arbitrary)
R2(config-if)#encapsulation ppp
R2(config-if)#ppp multilink
R2(config-if)#ip address 10.1.5.2 255.255.255.252
R2(config-if)#ppp multilink group 1
R2(config-if)#int s2/0
R2(config-if)#ppp multilink group 1
R2(config-if)#int s2/1
R2(config-if)#ppp multilink group 1

PPPoE Point-to-Point over Ethernet
**Does not encrypt in the PPPoE tunnel (cleartext)
> PPPoE Client <-(DSLAM Digital Subscriber Line Access Multiplexer & PPP Tunnel)-> PPPoE Access Server

==Configure PPPoE Client==
> PPPoE client g0/0 <-> g0/0 PPPoE server
> Assume PPPoE Server is set up and ready for the PPPoE Client
**int dialer 1: even when the interface is shut down, it will still show as up/up
Client(config)#int dialer 1 [spoofs an interface as up, even though it is down - keeps routing protocols up]
Client(config-if)#ip address negotiated [Server will allocate an IP address to the Client via PPP]
Client(config-if)#encapsulation ppp
Client(config-if)#mtu 1492 [Maximum transmission unit - often 1500, we set it lower due to the additional PPPoE/PPP headers]
Client(config-if)#ppp chap hostname david
Client(config-if)#ppp chap password cisco
Client(config-if)#dialer pool 2
> Configure g0/0
Client(config-if)#int g0/0
Client(config-if)#no ip address
Client(config-if)#pppoe-client dial-pool-number 2
Client(config-if)#pppoe enable
Client(config-if)#exit
Client(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
Client(config)#ip domain-lookup
Client(config)#ip name-server 8.8.8.8

==Show PPPoE Session==
Client#show pppoe session
==Show dialer 1==
Client#show int dialer 1
==Show virtual interface (from dialer 1)==
> Notice, the configuration comes from Dialer 1, we didn't configure this
**Virtual interfaces will go down when the dialer goes down
Client#show int virtual-access 2 configuration
Client#show run int dialer 1
Client#show run int virtual-access 2

IP SLAs Service Level Agreement
- SP provides a certain level of agreement (i.e.
ICMP traffic/Voice traffic)
> Cisco routers can generate/mimic voice traffic to test the SLA

IP SLAs Cisco Router
**An IP SLA cannot be changed in Cisco routers; it must be deleted and re-added

==Setup Tracking - IP SLA==
> R1 g0/1 10.1.2.1 <-> R2 <-> f0/0 10.1.6.1 R6
> R1 g0/2 10.1.3.1 <-> R2 <-> f0/0 10.1.6.1 R6
> Setup ping test
> When it goes above the threshold of 50, the interface goes down
R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 10.1.6.2 source-ip 10.1.1.1
R1(config-ip-sla-echo)#frequency 5
R1(config-ip-sla-echo)#threshold 50
R1(config-ip-sla-echo)#exit
R1(config)#ip sla schedule 1 life forever start-time now
> Create tracking object
R1(config)#track 1 ip sla 1
> Rechecks every 5 seconds against the threshold to determine up/down
R1(config-track)#delay down 5 up 5
R1(config-track)#exit
R1(config)#ip route 10.1.6.0 255.255.255.0 10.1.2.2 track 1 [Using SLA 1, the route will be removed when we are below the SLA threshold]
R1(config)#ip route 10.1.6.0 255.255.255.0 10.1.3.2 2 [Setting an administrative distance of 2, this route will be used when we have exceeded the SLA threshold]

==Show SLA==
> ms should be less than 50ms, because we set the threshold to 50
> If yes, then track 1 will be used, otherwise 10.1.3.2 will be used
R1#show track 1
R1#show ip sla summary

BGP Border Gateway Protocol
**CCNA needs to know - eBGP (External Border Gateway Protocol) configuration between [A] Enterprise Server and [B] ISP Server using a single internet link
**CCNA: 3 types of eBGP connections
1) Dual Homed connection - 2 connections between [A] and [B]
2) Single Multihomed connection - 1 connection [A] to [B]1 and 1 connection [A] to [B]2
3) Dual Multihomed connection - 2 connections [A] to [B]1 and 2 connections [A] to [B]2

BGP Border Gateway Protocol vs IGP Interior Gateway Protocols
> IGP (within AS) = OSPF, EIGRP
> BGP (between AS) =
- BGP is the only protocol used on the internet - BGP runs the internet
- BGP chooses best routes based on metric/criteria
- BGP needs to
converge (when there is a change: add/remove/change/replace)
- BGP routing tables are huge and increasing (all routes on the internet)
**A BGP relationship is not automatic; manual configuration is required on both routers. BGP runs on Layer 7, therefore not on an interface. Whereas an IGP such as EIGRP runs on Layer 3/4 and is therefore configured on interfaces and forms neighbors automatically
- BGP (admin distance) = 200
- OSPF (admin distance) = 110

iBGP vs eBGP
- iBGP - inside the same AS, but still routers on the internet
- iBGP - advertises itself with a Loopback
- eBGP - different AS
- eBGP - advertises itself with the physically connected interface

BGP Neighbor states
1) Idle
- No connection to neighbor (neighbor shutdown)
2) Connect
- TCP connection has been attempted, but hasn't been completed
3) Active (Not working!)
- TCP connection has been completed, no BGP messages have been sent
4) Opensent
- TCP connection exists, router is trying to create a connection to the neighboring device
5) Openconfirm
- TCP connection exists, local router has received a message back from the neighboring router
6) Established
- Both the router and the neighboring router have agreed to form a relationship.
Now they can exchange messages with each other

==Show BGP Routes==
PC> telnet route-views.routeviews.org
R1>sh ip bgp sum
R1>sh ip route sum
> # of IP routes = Networks + Subnets
> 197993 Networks, 458350 Subnets = 656,343 routes *Changes all the time

==Configure iBGP==
**A BGP relationship is not automatic; manual configuration is required on both routers
> R1
**Just because BGP is set up does not mean routes are automatically advertised; they must be redistributed or manually advertised
**Router ID is its loopback address (automatically)
*Use loopbacks for the router IP address
*If "State" is blank, it is running (misleading)
*Same AS
*Even though it is the same AS, still use remote-as
R1 17.17.17.1/32 loopback <-> R2 17.17.17.2/32 loopback
R1(config)#router bgp 17
R1(config-router)#neighbor 17.17.17.2 remote-as 17
R1(config-router)#neighbor 17.17.17.2 update-source loopback 0 [when R1 wants to send to 17.17.17.2, it uses its loopback 0 as the source - this way, 17.17.17.2 expects R1's loopback address as the source, and not a random interface]
> OSPF is used for internal routers, so it must be enabled
R1(config-router)#router ospf 1
R1(config-router)#network 0.0.0.0 255.255.255.255 area 0
> If you want to advertise a specific OSPF network (i.e. 8.1.2.1), then...
R1(config-router)#network 8.1.2.1 0.0.0.0 area 0
> R2 does not want to advertise itself to the internet, hence only 17.0.0.0 was used
R2(config)#router ospf 1
R2(config-router)#network 17.0.0.0 0.255.255.255 area 0
R2(config-router)#router bgp 17
R2(config-router)#neighbor 17.17.17.1 remote-as 17
R2(config-router)#neighbor 17.17.17.1 update-source loopback 0

==Advertise routes in BGP (redistribute - basically...
advertising all of your routes)==
R1(config-router)#network 17.1.1.0 mask 255.255.255.0
R2(config-router)#network 17.17.17.0 mask 255.255.255.255
R2(config-router)#network 17.17.17.2 mask 255.255.255.255

==Configure eBGP==
**Notice, no "update-source" is needed on eBGP
> R1 <-> R2 s2/0 8.1.1.1/30 (AS17) <-> R3 8.1.1.2/30 s2/0 (AS8)
> R2
R2(config)#router bgp 17
R2(config-router)#neighbor 8.1.1.2 remote-as 8
**R2 needs to advertise this network, otherwise R1 will not know how to get to R3
R2(config-router)#network 8.1.1.0 mask 255.255.255.252
> R3
R3(config)#router bgp 8
R3(config-router)#neighbor 8.1.1.1 remote-as 17
R3(config-router)#network 8.1.1.0 mask 255.255.255.252

[Optional] ==Force 1 BGP path over another==
> Instead of going to x.x.x.x, we want it to go to y.y.y.y by increasing the weight to 1000 - default weight is 0
R1(config)#router bgp 17
R1(config-router)#neighbor x.x.x.x weight 1000
R1(config-router)#exit
R1#clear ip bgp x.x.x.x
> Confirm weight has changed
R1#show ip bgp
R1#show ip bgp neighbor
R1#show run | section bgp
R1#show ip proto
R1#show tcp brief

***BGP - TLDR***
*Internal BGP, not on CCNA exam
1) Both Internal and External BGP
- Uses remote-as "neighbor y.y.y.y remote-as 17"
- Advertises its networks with the exact subnet mask
- When selecting router bgp XX, XX refers to its own AS
2) Internal BGP - in addition to (1)
- uses OSPF/routing protocols on the interfaces connecting 2 internal routers
- uses a Loopback as its source "neighbor x.x.x.x update-source loopback 0"
3) Administrative Distances
eBGP - 20
iBGP - 200
4) eBGP, iBGP
- eBGP runs outside of the AS (different AS #)
- iBGP runs within the AS (same AS #)
5) Quick ex.
R3 15.1.1.1 /24 <-> R4 15.1.1.2 /24
R3(config)# router bgp 65002
R3(config-router)#neighbor 15.1.1.2 remote-as 65002
R3(config-router)#network 15.1.1.0 mask 255.255.255.0
R4(config)# router bgp 65002
R4(config-router)#neighbor 15.1.1.1 remote-as 65002

MPLS (1) Multiprotocol (2) Label (3) Switching
**Troubleshooting not on CCNA
- (1) Multiprotocol means support for IPv4, IPv6, Layer 2
- (3) Switching from one interface/protocol to another on a router using Labels (2)
- 2 main uses: Layer 3 VPNs and Layer 2 VPNs
- In Layer 3, used to separate customer traffic by IP, similar to how a VLAN separates traffic in Layer 2
~ASICs Application Specific Integrated Circuits

MPLS Layer 3 VPN ex.
> EdgeDevice1 <-> R1 <-> R2 <-> R3 <-> R4 <-> EdgeDevice2
- Traditionally, all of ED1, ED2, R1-4 would need to know how to send/receive traffic if we were to send from ED1 to ED2. With MPLS, R2-3 do not need to know how to route ED1 to ED2; instead R1 puts a "Label" on the traffic with the information to send it to R4, and R4 will know how to send it to ED2

MPLS Terminology - LSR Label Switch Router
> EdgeDevice1 -> R1 -> R2 -> R3 -> R4 -> EdgeDevice2
R2, R3 = Provider Routers
R1, R4 = Provider Edge Routers (connected to the Provider and to Customers)
R1, R4 = Intermediate LSR
ED1, ED2 = Customer Edge Routers (VRF Virtual Routing and Forwarding - indicates the Customer Virtual Network)
R1 = Ingress LSR a.k.a. Edge LSR (inserts a "Label" between the Layer 2 Header and the Layer 3 Header)
R4 = Egress LSR

MPLS LSP Label Switch Path
> EdgeDevice1 -> R1 -> R2 -> R3 -> R4 -> EdgeDevice2
1) ED1 sends a packet to R1
2) R1 inserts a "Label" (i.e.
20) between the Layer 2 header and the Layer 3 header (aka Layer 2.5 Header) into the Egress Network (Outer Label)
3) R1 sends to R2
4) R2 swaps the Label to 21 (not sequential), then forwards it to R3
5) R3 swaps the Label to 22 (not sequential), then forwards it to R4
6) R4 strips the "Label" (Inner Label), then forwards to ED2 without a label in the Customer Network
**R1 -> R4 sends a label known as the "Next Hop Label"

MPLS Traffic Engineering
- OSPF does not load balance
- EIGRP does some unequal cost load balancing
*MPLS provides a lot of flexibility in load sharing traffic across multiple paths based on link utilization - reroute traffic based on
1) Load
2) Traffic Type i.e. VoIP will take path 1, FTP will take path 2

MPLS Labels
- 32bit header inserted between the Layer 2 and Layer 3 headers
[20bit Label][3bit Experimental Field (QoS)][1bit Bottom-of-Stack indicator (Outer/Inner Label)][8bit Time-to-live (Stop Loops)]

OSPFv3
- 128bit IPv6 address compatible
- OSPFv3 and OSPFv2 are independent of each other

OSPFv3 vs OSPFv2 similarities
**OSPF does not require Area 0 if you only have 1 other area (i.e.
Area 1)
- Link-state (LSA Link State Advertisements) routing protocols, same design concepts (Backbone area, Area border router, AS border routers, 32-bit router ID)
- IP Protocol # 89

OSPFv3 vs OSPFv2 differences
- Separate databases, different addresses, they do not communicate with each other
> Activation
- OSPFv2 - use the Network command on interfaces
- OSPFv3 - go onto the interface and enable OSPF
> IP Address
- OSPFv3 - uses IPv6 link-local addresses for neighbor relationships
- OSPFv2 - uses IPv4 interface IP addresses for neighbor relationships
> Advertisements
- OSPFv3 - uses FF02::5 to advertise info to all OSPF routers, and FF02::6 to the DR and BDR
- OSPFv2 - 224.0.0.5 and 224.0.0.6
**Make sure OSPF/EIGRP interfaces are not set to "Passive Interface"
**Passive Interface is useful for not forming relationships with external networks or users

==Turn on Passive Interface globally (interface will not form neighbor relationships or send updates)==
R1(config)#ipv6 router ospf 1
R1(config-rtr)#passive-interface default
==Turn on Passive Interface individually==
R1(config-rtr)#passive-interface g0/0
R1(config-rtr)#passive-interface g0/1
> Undo above
R1(config-rtr)#no passive-interface g0/0
R1(config-rtr)#no passive-interface g0/1
==Similarly on EIGRP==
R1(config)#ipv6 router eigrp 1
R1(config-rtr)#no passive-interface g0/0
R1(config-rtr)#no passive-interface g0/1

==Show OSPFv3==
R1#show ipv6 ospf database
R1#show ipv6 ospf int
R1#show ipv6 ospf neighbor
R1#show ipv6 protocols
R1#show ipv6 router

==Ping IPv6==
**Both work
R1#ping ipv6 2001:FACE:1::1
R1#ping 2001:FACE:1::1

==Configure OSPFv3==
[Area 1: R1 G0/0 <-> G0/0 R2] <-> [Area 0: R2 G0/1 <-> G0/0 R3] <-> [Area 2: R3 G0/1 <-> R4 G0/0]
> R1 Initial Setup
R1(config)#int loop 0
R1(config-if)#ipv6 address 2001:FACE:1::1/64
R1(config-if)#int g0/0
R1(config-if)#ipv6 address 2001:1::1/64
R1(config-if)#no shut
R1(config-if)#end
> Enable IPv6 routing
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 1 (**Remember, this process number is arbitrary, other routers do not need to use the same number!)
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#end
> Go into each individual interface to enable OSPFv3
R1(config)#int loop 0
R1(config-if)#ipv6 ospf 1 area 1
R1(config-if)#int g0/0
R1(config-if)#ipv6 ospf 1 area 1
> R2 Initial Setup
R2(config)#int loop 0
R2(config-if)#ipv6 address 2001:FACE:2::1/64
R2(config-if)#int g0/0
R2(config-if)#ipv6 address 2001:1::2/64
R2(config-if)#no shut
R2(config-if)#int g0/1
R2(config-if)#ipv6 address 2001:2::2/64
R2(config-if)#no shut
R2(config-if)#end
> Enable IPv6 routing
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router ospf 1
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#end
> Go into each individual interface to enable OSPFv3
R2(config)#int loop 0
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#int g0/0
R2(config-if)#ipv6 ospf 1 area 1
R2(config-if)#int g0/1
R2(config-if)#ipv6 ospf 1 area 0
> R3
R3(config)#int loop 0
R3(config-if)#ipv6 address 2001:FACE:3::1/64
R3(config-if)#int g0/0
R3(config-if)#ipv6 address 2001:2::3/64
R3(config-if)#no shut
R3(config-if)#int g0/1
R3(config-if)#ipv6 address 2001:3::1/64
R3(config-if)#no shut
R3(config-if)#end
R3(config)#ipv6 unicast-routing
R3(config)#ipv6 router ospf 1
R3(config-rtr)#router-id 3.3.3.3
R3(config-rtr)#int loop 0
R3(config-if)#ipv6 ospf 1 area 2
R3(config-if)#int g0/0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#int g0/1
R3(config-if)#ipv6 ospf 1 area 2
> R4
R4(config)#int loop 0
R4(config-if)#ipv6 address 2001:FACE:4::1/64
R4(config-if)#int g0/0
R4(config-if)#ipv6 address 2001:3::2/64
R4(config-if)#no shut
R4(config-if)#end
R4(config)#ipv6 unicast-routing
R4(config)#ipv6 router ospf 1
R4(config-rtr)#router-id 4.4.4.4
R4(config-rtr)#int loop 0
R4(config-if)#ipv6 ospf 1 area 2
R4(config-if)#int g0/0
R4(config-if)#ipv6 ospf 1 area 2

==Configure OSPFv3 without IP address (uses link-local)==
> R1 g0/0 <-> g0/0 R2
> R1
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R1(config-rtr)#end
R1(config)#int g0/0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#no shut
> R2
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router ospf 1
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#end
R2(config)#int g0/0
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#no shut
[Optional] Proof that it works (R1 is able to ping R2)
> R1
R1(config)#int loop 0
R1(config-if)#ipv6 address 2001:FACE:1::1/128
R1(config-if)#ipv6 ospf 1 area 0
> R2
R2(config)#int loop 0
R2(config-if)#ipv6 address 2001:FACE:2::2/128
R2(config-if)#ipv6 ospf 1 area 0

IPv6 EIGRP
- Advanced Distance Vector routing protocol (Link State)
- [Diff] To form neighbor relationships, uses link-local addresses, no longer uses the neighbor's IP address
- [Diff] To enable EIGRP on an interface, you must now specify it on the interface. The network command is no longer used
- [Same] Uses the "DUAL Algorithm" for the best path to the destination network
- [Same] Uses RTP Reliable Transport Protocol to send updates/acknowledgements
- [Same] Uses Multicast FF02::A (10) == 224.0.0.10 for updates - no longer Broadcast
- [Same] Supports both equal and unequal cost load balancing; topology and neighbor tables are both created

==Configure IPv6 EIGRP==
***AS# must match
> Do this for each router
> Once configured, set up IP addresses and they will be able to ping each other
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router eigrp 1 [AS]
R1(config-rtr)#eigrp router-id 1.1.1.1
R1(config-rtr)#no shut
R1(config-rtr)#int g0/0
R1(config-if)#ipv6 eigrp 1
R1(config-if)#int loop 0
R1(config-if)#ipv6 eigrp 1
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router eigrp 1 [AS]
R2(config-rtr)#eigrp router-id 2.2.2.2
R2(config-rtr)#no shut
R2(config-rtr)#int g0/0
R2(config-if)#ipv6 eigrp 1
R2(config-if)#int loop 0
R2(config-if)#ipv6 eigrp 1

==Show commands==
> Check EIGRP is enabled on interfaces
R1#show ipv6 eigrp int
R1#show ipv6 eigrp neigh
R1#show ipv6 route eigrp

IPv6 ACL Access Control List
- 1st line of defence... should also have IPS Intrusion Prevention System, Firewall, Protocol analyzers
- Permit or deny traffic in your network
**IPv6 CCNA focus - use IPv6 ACLs to filter IPv6 packets received & transmitted via Routers

IPv6 / IPv4 ACL similarities
> ACL can match on
- Source/Destination IP Address
- Individual host address
- Subnets in both inbound/outbound
- Protocols (TCP, UDP, Port #)
- ICMP message
*Both use an implicit deny / deny all statement at the end
*Cannot copy IPv4 ACLs to IPv6 ACLs

IPv6 / IPv4 ACL differences
1) - IPv6 ACL and IPv4 ACL are independent of each other (i.e. the same source can be allowed in an IPv6 ACL, but denied in an IPv4 ACL)
2) - IPv6 ACL has an "Implicit Permit"; IPv4 ACL does not, it only has "Implicit Deny"/"Deny any any" (which IPv6 also has)
3) **IPv4 ACL uses NAME/NUMBER (recall Standard (filter Source ONLY) = 1-99, Extended (filter Source and Destination) = 100-199)
**IPv6 ACL only uses NAMES (Standard and Extended are still used, but using WORDS instead)
4) - IPv4 matches on Precedence, ToS Type of Service, TTL, fragments
- IPv6 matches on Flow label, DSCP, Extension and option header values
5) - IPv4 ACL matches on /22, /23, /24, /25
- IPv6 ACL matches on a hex-digit boundary /48, /52, /56, /64
~ICMPv6 - Remember, ARP was used to determine the MAC address of a neighbor; ARP is no longer used in IPv6
**ARP (IPv4) == ICMPv6 (IPv6), you don't want to block ICMPv6 as it provides basic IPv6 functionality (Neighbor Discovery Protocol NDP & Path MTU Discovery)

==Show ACL==
R2#show ipv6 access-list
==Configure ACL==
> Permit - any traffic from 2001:1::/64
R2(config)#ipv6 access-list acl1
R2(config-ipv6-acl)#permit 2001:1::/64 any
> Deny - all traffic except for acl1
R2(config-ipv6-acl)#int g0/0
R2(config-if)#ipv6 traffic-filter acl1 in [inbound]

==Extended ACL==
> Permit - ping (ICMP) from 2001:1::/64
R2(config)#ipv6 access-list acl2
R2(config-ipv6-acl)#permit icmp 2001:1::/64 any
> Permit - telnet (TCP) any any
R2(config-ipv6-acl)#permit tcp any any

==Enable Telnet==
R3(config)#line vty 0 4
R3(config-line)#transport input all
R3(config-line)#password cisco
R3(config-line)#exit
R3(config)#enable password cisco

VPN Virtual Private Network
- Low cost (expensive leased lines previously), high bandwidth
- Send traffic securely (private information - encrypted) over an insecure medium (internet)
Cleartext Protocols (FTP, Telnet, SMTP, HTTP, SNMPv1)

Cryptography Algorithms
1) Cipher - Encryption algorithm (ex. Symmetric - DES, 3DES, AES, Blowfish)
- Puts cleartext data into a non-readable form
2) Symmetric Algorithm - Same key used for encryption and decryption (ex. Secret Key)
3) Asymmetric Algorithm - Different key used for encryption and decryption (ex. Public Key)

4 goals of protecting data
1) Confidentiality - no one else should be able to read the data
2) Integrity - data has traversed unchanged between 2 parties
3) Origin Authentication - protected data could only have originated from the sender
4) Antireplay protection - verify that each packet is unique and not duplicated

Caesar algorithm ex.
MJQQT -> HELLO
Algorithm = move each letter to the right
Key = 5
> An attacker would need to know the algorithm and the key
Keylength/Keyspace
- Total # of all key combinations
- The larger this keylength/keyspace is, the harder it is to crack

---(1)--- Data confidentiality
3 Types of Symmetric Algorithm
**Algorithms not on CCNA, but good for understanding VPNs
1) DES
- 1975 Created by IBM
- Do not use in today's environment
- 1 set of keys
- Fixed key length = 56bits (2^56 combinations)
- Susceptible to brute force > 1998 decrypted in 56 hours, 1999 decrypted in over 22 hours
2) 3DES
- 3 sets of keys
1) Encrypt with Key 1
2) Decrypt with Key 2
3) Encrypt with Key 3
- If Key1 = Key3 -> 112bit key length
- If Key1 =/= Key3 -> 168bit key length
3) AES
- Recommended for today's environment
- Good for bulk encryption

Asymmetric algorithm
**Algorithms not on CCNA, but good for understanding VPNs
- Uses a different key to decrypt and encrypt
Steps:
1) Router generates a private key (cannot be generated from the public key) - not shared
2) Router generates a public key (can only be generated from the private key) - shared
-> Data encrypted with the private key can only be decrypted with the public key
<- Data encrypted with the public key can only be decrypted with the private key
TLDR: If A wants to send something to B, then A will encrypt the data with B's public key, then B will use their private key to decrypt what they got from A. Similarly, if B wants to send something to A, then B will encrypt the data with A's public key, then A will use their private key to decrypt what they got from B.
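The cipher ideas in the section above (the Caesar example MJQQT -> HELLO with key 5, why keyspace size matters for DES/3DES/AES, and the asymmetric rule that what one key locks only the other key opens), worked through as an added Python illustration. This is not code from the original notes; the RSA numbers (p=61, q=53, e=17) are textbook toy values chosen so the arithmetic is checkable by hand, and real keys are thousands of bits long.

```python
"""Cipher basics: Caesar shift and its tiny keyspace, symmetric key lengths,
and a toy asymmetric key pair (added illustration, not from the original notes)."""
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Algorithm = move each letter 'key' places to the right; non-letters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_encrypt(ciphertext, -key)


def caesar_keyspace(ciphertext: str) -> dict[int, str]:
    """Every key the algorithm allows. Only 25 non-trivial shifts exist, so knowing
    the algorithm alone is enough to recover the text by trying them all."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def keyspace_size(key_bits: int) -> int:
    """Number of possible keys for a key of 'key_bits' bits (2^bits)."""
    return 2 ** key_bits


# Key lengths as given in the notes: DES 56, 3DES 112 (Key1 == Key3) or 168; AES-128 added.
SYMMETRIC_KEY_BITS = {"DES": 56, "3DES-2key": 112, "3DES-3key": 168, "AES-128": 128}


def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Textbook RSA with tiny primes (toy values, assumption for illustration only).
    Returns ((e, n), (d, n)). The public key is derived from the private parameters;
    d cannot be recovered from (e, n) without factoring n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(message: int, key: tuple[int, int]) -> int:
    """Raise the message to the key's exponent mod n. The same operation serves
    encryption (with the public key) and decryption/signing (with the private key)."""
    exp, n = key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, exp, n)


def demo() -> dict:
    public, private = toy_rsa_keypair()
    m = 65
    c = rsa_apply(m, public)        # A encrypts with B's public key
    sig = rsa_apply(m, private)     # B locks with B's private key (a signature)
    return {
        "caesar_decrypt": caesar_decrypt("MJQQT", 5),
        "caesar_keyspace_hit": caesar_keyspace("MJQQT")[5],
        "des_keys": keyspace_size(SYMMETRIC_KEY_BITS["DES"]),
        "aes_vs_des_ratio": keyspace_size(128) // keyspace_size(56),
        "ciphertext": c,
        "rsa_roundtrip": rsa_apply(c, private),   # only B's private key opens it
        "rsa_sig_check": rsa_apply(sig, public),  # anyone with the public key verifies
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the Caesar text falling to key 5 out of 25 candidates, the DES keyspace of 2^56 against 2^128 for AES-128, and the two directions of the asymmetric rule from the notes: 65 encrypted under the public key (2790) comes back only under the private key, and a value locked with the private key opens with the public key.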
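Returning to the IPv6 ACL section above: the two rules that matter for security there are first-match ordering and the "implicit permit" that IPv6 ACLs have in front of the implicit deny. The following Python model of Cisco-style IPv6 ACL evaluation is an added illustration, not code from the original notes or from Cisco. It encodes the IOS behaviour that every IPv6 ACL ends with implicit permits for Neighbor Discovery (nd-ns, nd-na) followed by deny ipv6 any any; acl1 and acl2 match the notes' configuration, while acl_bad and all packet values are constructed for the demonstration.

```python
"""Ordered evaluation of a Cisco-style IPv6 access list with the implicit ND permits
and implicit deny (added illustration, not code from the original notes)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Union


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na", "echo-request"


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches any protocol
    src: str                         # prefix such as "2001:1::/64", or "any"
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


# Implicit tail of every IOS IPv6 ACL: Neighbor Discovery is allowed, then everything else is denied.
IMPLICIT_TAIL = (
    Entry("permit", "icmp", "any", "any", icmp_type="nd-na"),
    Entry("permit", "icmp", "any", "any", icmp_type="nd-ns"),
    Entry("deny", "ipv6", "any", "any"),
)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or IPv6Address(addr) in IPv6Network(spec, strict=False)


def _entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    if not (_addr_matches(entry.src, pkt.src) and _addr_matches(entry.dst, pkt.dst)):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, Union[int, str]]:
    """First match wins. Returns the action and the 1-based configured line that
    matched, or "implicit" when the packet fell through to the implicit tail."""
    for line, entry in enumerate(acl, start=1):
        if _entry_matches(entry, pkt):
            return entry.action, line
    for entry in IMPLICIT_TAIL:
        if _entry_matches(entry, pkt):
            return entry.action, "implicit"
    raise RuntimeError("unreachable: the implicit deny matches every packet")


# acl1 and acl2 as configured in the notes; ACL_BAD is a constructed counter-example
# that blocks all ICMPv6 and therefore breaks Neighbor Discovery.
ACL1 = [Entry("permit", "ipv6", "2001:1::/64", "any")]
ACL2 = [Entry("permit", "icmp", "2001:1::/64", "any"), Entry("permit", "tcp", "any", "any")]
ACL_BAD = [Entry("deny", "icmp", "any", "any"), Entry("permit", "ipv6", "any", "any")]

# Constructed sample traffic.
TELNET_IN = Packet("2001:1::10", "2001:2::1", "tcp", dport=23)
TELNET_OUTSIDER = Packet("2001:9::10", "2001:2::1", "tcp", dport=23)
PING_OUTSIDER = Packet("2001:9::10", "2001:2::1", "icmp", icmp_type="echo-request")
NEIGHBOR_SOLICIT = Packet("fe80::1", "ff02::1:ff00:1", "icmp", icmp_type="nd-ns")


def demo() -> dict:
    return {
        "acl1_inside_telnet": evaluate(ACL1, TELNET_IN),            # ("permit", 1)
        "acl1_outsider_telnet": evaluate(ACL1, TELNET_OUTSIDER),    # ("deny", "implicit")
        "acl1_nd_still_works": evaluate(ACL1, NEIGHBOR_SOLICIT),    # ("permit", "implicit")
        "acl2_outsider_ping": evaluate(ACL2, PING_OUTSIDER),        # ("deny", "implicit")
        "acl2_outsider_telnet": evaluate(ACL2, TELNET_OUTSIDER),    # ("permit", 2)
        "acl_bad_breaks_nd": evaluate(ACL_BAD, NEIGHBOR_SOLICIT),   # ("deny", 1)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last result is the point of the notes' ICMPv6 warning: an explicit `deny icmp any any` placed before the implicit entries removes the Neighbor Discovery permit, so a router with ACL_BAD applied inbound would stop resolving its neighbors even though the ACL "permits everything else".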
*Diffie Hellman DH - Key Exchange
- Exchanges AES, 3DES, DES keys securely over an insecure medium (internet)
- Public Key Algorithm
3 DH groups (the longer the key length, the more secure; downside, more processing power is required)
1) DH1 - 768bits
2) DH2 - 1024bits
3) DH5 - 1536bits

---(2)--- Data Integrity
- Ensure data has not been tampered with by using a Hash, trap-door, digest (1 way algorithm - cannot be reversed)
- Converts to a fixed length hash: MD5 - 128bit, or SHA Secure Hash Algorithm (more secure than MD5)
SHA-3 > SHA-2 > SHA-1 > MD5
**HMAC Hash Message Authentication Code

HMAC Hash Message Authentication Code Procedure
1) Host A sends a secure msg (X) to Host B with a Hash Value (Y) to compare
2) Host B can confirm there was no tampering of data because B can hash (X) and make sure (Hash X) == (Y)
3) To prevent a hacker from tampering with Y (a hacker could change both (X) and (Y) in the message), Host A and Host B know a secret HMAC key
4) Therefore, hash of msg (X) + (HMAC key) == Z is the final hash that Host B needs to compare. Host A sends (X) and (Z), and Host B confirms (Z) by hashing (X) and (HMAC key)

---(3)--- Data Authentication
- Ensure data is from the claimed sender (session hijacking)
1) Pre-shared Key (PSK)
- Secret key value entered into each peer manually and used to authenticate the peer
2) RSA Signatures (PSK with a private key)
- Encrypt the hash with a private key
- Similar to (1) Pre-shared Key, but taking it 1 step further: Host A encrypts the hash with his/her Digital Signature using Host A's private key, then Host B, who has Host A's public key, decrypts the Digital Signature, and then Host B can compare Host A's hash

Certificate Authority - But what stops the below?
Host A -> Host A Public Key -> Host B
Host A -> Host A Public Key -> Hacker -> Fake Host A Public Key -> Host B
Answer: Certificate Authority - trusted 3rd party (a.k.a. PKI Public Key Infrastructure)

PKI Public Key Infrastructure - trust
-> Host A trusts PKI (X), Host B trusts (X), therefore Host B trusts Host A
<- Host B trusts PKI (X), Host A trusts (X), therefore Host A trusts Host B
<-> Host A trusts Host B

IPSec IP Security
- Network layer protocol (IPSec Protocols) - Layer 4
- Protects and authenticates IP packets

IPSec Protocols
1) Internet Key Exchange (IKE)
- Framework for negotiating security parameters and establishing authenticated keys
2) Authentication Header (AH)
- No Encryption
- Authentication
- Integrity
3) Encapsulating Security Payload (ESP)
- Encryption
- Authentication
- Integrity

IPSec Modes
1) Transport Mode
- Original IP header of the packet is used to transport the packet
2) Tunnel Mode
- Original IP header of the packet is not used to transport it; a new IP header is tagged in front (using the peer devices' IP addresses)
**Common: ESP with Tunnel Mode
ex. PC1 (IP: X) <-> R1 (IP: A) <-> Internet <-> R2 (IP: B) <-> PC2 (IP: Y)
1) [SA: X][DA: Y]
2) [ESP][SA: A][DA: B]  Original IP header is not used

IPSec Framework - IKE Internet Key Exchange
1) IPSec Protocol [ESP] or [AH] or [ESP + AH]
2) IPSec Mode [Transport Mode] or [Tunnel Mode]
3) Encryption (Algorithm) [DES] or [3DES] or [AES]
4) Authentication (Integrity) [MD5] or [SHA]
5) DH (Key Length) [DH1] or [DH2] or [DH5]

VPN Types
*Benefit... no leased line.
Therefore, Cost Savings, Security, Scalability
1) Site to Site VPN
2) Remote Access IPSec VPN (Shirley) - PC Software required
3) Remote Access SSL VPN - No PC Software required
**CCNA - not required to know how to set up an IPSec VPN

GRE Generic Routing Encapsulation (Tunneling)
> PC1 (IP: X) <-> R1 (IP: A) s2/0 <-> Internet <-> s2/0 R2 (IP: B) <-> PC2 (IP: Y)
> [PC1 sends a packet to PC2] R1 will encapsulate the packet in GRE, R2 will decapsulate the packet and send it to PC2
- Point-to-Point tunnel - similar to a Serial Link (hence, no authentication or encryption provided)
- Multiple higher layer protocols: IPv6, IPv4, IPX
- Multicast routing protocols available
- GRE encapsulates other traffic within a 20byte IP Header and a 4byte GRE header

GRE Generic Routing Encapsulation Header
[Delivery Header][GRE Header][Payload packet]
- When tunneling, ONLY the Delivery Header will be read
*Because of the additional headers in GRE (Delivery and GRE), the MTU is reduced
*[Payload packet] is the original packet with its original header

==Show Tunnel==
R1#show run int tun 0
R1#show int s2/0 | i MTU

==Configure GRE Tunnel==
> PC1 (IP: X) <-> R1 (IP: 4.1.1.1) s2/0 <-> Internet <-> s2/0 R2 (IP: 4.1.2.2) <-> PC2 (IP: Y)
> PC1 (IP: X) <-> R1 [Tunnel: 10.1.3.1 --- 10.1.3.2 :Tunnel] R2 <-> PC2 (IP: Y)
**Encapsulates an IPv4 packet (10.1.3.1, 10.1.3.2) within GRE within an IPv4 packet (4.1.1.1, 4.1.2.2)
**Must configure both sides
> R1
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.1.3.1 255.255.255.252
R1(config-if)#tunnel mode gre ip [IPv4]
R1(config-if)#tunnel source 4.1.1.1
R1(config-if)#tunnel destination 4.1.2.2
> R2
R2(config)#interface tunnel 0
R2(config-if)#ip address 10.1.3.2 255.255.255.252
R2(config-if)#tunnel mode gre ip
R2(config-if)#tunnel source 4.1.2.2
R2(config-if)#tunnel destination 4.1.1.1
**Note, PC1 will not be able to get to PC2 via the tunnel until EIGRP is enabled on R1 and R2, so that the route R2 <-> PC2 is advertised to R1
R1(config)#router eigrp 100
R1(config-router)#network 10.0.0.0 [this will enable tunnel interface on 10.X.X.X, but not on 4.Y.Y.Y] R1(config-router)#no auto-summary [this allows, 10.X.X.X instead of classful A addresses because we have both 10.1.3.X and 10.1.1.X (not here)] R2(config)#router eigrp 100 R2(config-router)#network 10.0.0.0 R2(config-router)#no auto-summary DMVPN Dynamic Multipoint VPN **CCNA, do not need to know DMVPN - Solves problems with Point-to-Point GRE Tunnels > ex. 1) Labour and Troubleshooting intensive - 500 sites connecting to one central site, requires 500 GRE tunnels (configure both sides) 2) Complicated configuration - GRE tunnel does not provide authentication or encryption, therefore GRE have to be encapsulated within IPSec - DMVPN has 1 single tunnel interface that connects the central site to multiple site - DMVPN allows these multiple sites (Spokes) to automatically setup tunnels with each other (other Spokes) via NHRP Next Hop Resolution Protocol to discover new nodes ex. Central Site <-> NHRP <-> Many spokes, then spokes setup tunnels with each other - DMVPN like GRE is encapsulated within IPSec to provide authentication and encryption Hypervisors - Hardware with Virtual Servers (ex. VMWare) NFV Network Functions Virtualisation - Virtualize Network devices and Network Functions and physical appliances i.e. Virtualize device: routers instead of using physical router i.e. Virtualize function: HSRP function instead of using a full OS to run this single function ~ Microsegmentation - segment your network into tiny subnets/segments to reduce broadcast, increase security (ex. 
run Firewall in front of every virtual server) Pge p 11.txt SDN Software Defined Networking - 3 visions 1) OpenSDN - Original vision at Stanford - "The physical separation of network control plane from forwarding plane, and where a control plane controls several devices" 2) "SDN via Overlays" vision: "NSX from VMWare" - Virtual network overlays a Physical network (underlay Network) 3) Brite Box / White Box SDN: "Pica8, Cumulus Networks" - Run OS that can be installed on multiple devices (X) Don't buy Proprietary hardware, OS, features (Y) Buy Switches that are not tied to a specific vendor (Facebook Switches: 6 pack wedge - open modular switch) 4) SDN via APIs Application Program Interfaces - Using APIs instead of traditional CLIs 5) Open Stack - Manage all of networking devices, servers, storage from a single management console 6) NFV Network Function Virtualization (X) Don't run specific hardware on specific OS (Y) Virtualize networking devices/functions/OS, rather than having a specific device performs that one function OpenSDN vs OpenFlow - Microsoft: OpenSDN is used to overcome traditional problems of networking - NSA: OpenFlow is used to provide simplicity to the current network and provide more control Pge p
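As an added example (not part of these notes, and not Cisco's code), the following Python builds the [Delivery Header][GRE Header][Payload packet] structure from the GRE section above, using the tunnel endpoints 4.1.1.1 and 4.1.2.2 from the tunnel configuration. The inner PC1/PC2 addresses 10.1.1.10 and 10.1.2.10 and the UDP payload are constructed placeholders, since the notes only give them as X and Y. It shows where the 24 bytes of overhead (20byte IP + 4byte GRE) that reduce the tunnel MTU come from, and that the receiving router validates only the delivery header and the 4-byte GRE header before handing the original packet on. Because GRE carries no authentication, the only check a decapsulating router can make is that the outer addresses match its configured tunnel source/destination, which is why the notes say GRE has to be wrapped in IPSec.

```python
import struct

IPPROTO_GRE = 47          # IP protocol number carried in the delivery header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload packet
IPV4_HEADER_LEN = 20      # delivery header, no options
GRE_HEADER_LEN = 4        # RFC 2784 base GRE header: flags/version + protocol type


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over 16-bit words; a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    total_len = IPV4_HEADER_LEN + payload_len
    # version 4, IHL 5; DF bit set (0x4000); checksum filled in after packing
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_inner_packet() -> bytes:
    """Constructed PC1 -> PC2 packet: IPv4 + UDP (checksum 0 is allowed in IPv4) + data."""
    data = b"hello PC2"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data
    return build_ipv4_header("10.1.1.10", "10.1.2.10", 17, len(udp)) + udp


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """R1's job: [Delivery Header][GRE Header][Payload packet]."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    delivery = build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE,
                                 GRE_HEADER_LEN + len(inner_packet))
    return delivery + gre + inner_packet


def tunnel_mtu(link_mtu: int) -> int:
    """The two extra headers are why the tunnel MTU is smaller than the link MTU."""
    return link_mtu - IPV4_HEADER_LEN - GRE_HEADER_LEN


def parse_delivery_header(packet: bytes) -> dict:
    """What a transit router (the Internet in the diagram) reads: only the outer header."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl != IPV4_HEADER_LEN:
        raise ValueError("not a plain IPv4 delivery header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad delivery header checksum")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "ttl": ttl, "total_len": total_len}


def gre_decapsulate(packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """R2's job: strip the delivery and GRE headers and return the original packet.

    The address match against the configured tunnel endpoints is the only
    "authentication" GRE offers; anything stronger needs IPSec around it."""
    outer = parse_delivery_header(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    if (outer["src"], outer["dst"]) != (tunnel_src, tunnel_dst):
        raise ValueError("outer addresses do not match tunnel source/destination")
    flags, proto_type = struct.unpack("!HH", packet[20:24])
    # C (0x8000), K (0x2000) and S (0x1000) bits add optional fields we do not handle
    if flags & 0x7 != 0 or flags & 0xB000:
        raise ValueError("unsupported GRE version or optional fields")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("payload is not IPv4")
    return packet[24:outer["total_len"]]


def is_valid_tunnel_packet(packet: bytes, tunnel_src: str, tunnel_dst: str) -> bool:
    try:
        gre_decapsulate(packet, tunnel_src, tunnel_dst)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_inner_packet()
    outer = gre_encapsulate(inner, "4.1.1.1", "4.1.2.2")
    print("inner %d bytes, tunneled %d bytes" % (len(inner), len(outer)))
    print("delivery header:", parse_delivery_header(outer))
    print("tunnel MTU on a 1500-byte link:", tunnel_mtu(1500))
```

Running it shows the delivery header carrying protocol 47 between 4.1.1.1 and 4.1.2.2, the original 10.x addresses untouched inside, and a tunnel MTU of 1476 on a 1500-byte link, the same figure `show int tun 0` reports on an IOS GRE/IP tunnel with default settings.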
