Professional Documents
Culture Documents
packetlife.net
Attributes
Name
About BGP
Description
2 AS Path
3 Next Hop
6 Atomic Aggregate
8 Community
Route tag
Multiple Exit
Metric for external neighbors to reach the
Discriminator (MED) local AS (default 0)
9 Originator ID
10 Cluster List
13 Cluster ID
Originating cluster
-- Weight
iBGP AD 200
Standard RFC 4271
Protocols IP
Transport TCP/179
Authentication MD5
Terminology
Autonomous System (AS)
A logical domain under the control of a
single entity
Synchronization Requirement
A route must be known by an IGP before
it may be advertised to BGP peers
Packet Types
Attribute
eBGP AD 20
Open
Update
Keepalive
Notification
Neighbor States
Description
Preference
1 Weight
Administrative preference
Highest
2 Local Preference
Highest
3 Self-originated
True
4 AS Path
Minimize AS hops
Shortest
5 Origin
IGP
6 MED
Lowest
7 External
eBGP
8 IGP Cost
Lowest
9 eBGP Peering
Oldest
Tie breaker
Lowest
debug ip bgp []
10 Router ID
BGP PART 2
packetlife.net
Configuration Example
AS 65100
F2/0
A
S1/0
S1/1
172.16.0.0/30
172.16.0.4/30
AS 65200
S1/0
S1/0
F0/0
F0/0
10.0.0.0/30
B
F2/0
C
F2/0
OSPF
interface Serial1/0
description Backbone to B
ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
description Backbone to C
ip address 172.16.0.5 255.255.255.252
!
interface FastEthernet2/0
description LAN
ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
no synchronization
network 172.16.0.0 mask 255.255.255.252
network 172.16.0.4 mask 255.255.255.252
network 192.168.1.0
neighbor South peer-group
neighbor South remote-as 65200
neighbor 172.16.0.2 peer-group South
neighbor 172.16.0.6 peer-group South
no auto-summary
Router A
Router B
interface FastEthernet0/0
description Backbone to C
ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
description Backbone to A
ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet2/0
description LAN
ip address 192.168.2.1 255.255.255.0
!
router ospf 100
network 10.0.0.1 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 1
!
router bgp 65200
no synchronization
redistribute ospf 100 route-map LAN_Subnets
neighbor 10.0.0.2 remote-as 65200
neighbor 172.16.0.1 remote-as 65100
no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
match ip address 10
set metric 100
Router C
interface FastEthernet0/0
description Backbone to B
ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
description Backbone to A
ip address 172.16.0.6 255.255.255.252
!
interface FastEthernet2/0
description LAN
ip address 192.168.3.1 255.255.255.0
!
router ospf 100
network 10.0.0.2 0.0.0.0 area 0
network 192.168.3.1 0.0.0.0 area 2
!
router bgp 65200
no synchronization
redistribute ospf 100 route-map LAN_Subnets
neighbor 10.0.0.1 remote-as 65200
neighbor 172.16.0.5 remote-as 65100
no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
match ip address 10
set metric 100
C
C
C
B
B
by Jeremy Stretch
B
C
C
B
C
O
v2.1-r1
packetlife.net
IOS Nomenclature
Release Lifecycle
12.4(7a)
Mainline
Maintenance Release
Individual Release
Numbered Version
EOS Notice
EOS
EOE
12.4(9)T1
T Train
EOL
0
Maintenance Release
Individual Release
New Feature Identifier
Numbered Version
12
36
48
Months
60
72
84
96
12.2(25)SEB4
S Train
Release
Individual Release
Numbered Version
3.2.1
IOS XR
Major Release
Minor Release
Maintenance Release
EOS Notice
Notification of upcoming EOS
End of Sale (EOS)
The release is no longer orderable or included in
manufactured shipments
End of Engineering (EOE)
The last day for software fixes; only TAC assistance is offered
from this point
End of Life (EOL)
The last day for TAC support; release becomes obsolete;
upgrade is only option for continued support
IOS Filename
c3725-entbase-mz.124-6.T.bin
Advanced IP Services
Advanced
Security
24
Enterprise Services
SP Services
Enterprise
Base
Hardware
Feature Set
Memory Location
Compression Format
Maintenance Release
Individual Release
T Designator
Deployment Classifications
IP Voice
IP Base
Advanced IP Services
Enterprise Services
IP Services
show version
dir <filesystem>:
IP Base
by Jeremy Stretch
verify <filesystem>:<image>
v2.0
COMMON PORTS
packetlife.net
TCP/UDP Port Numbers
7 Echo
554 RTSP
19 Chargen
2745 Bagle.H
546-547 DHCPv6
2967 Symantec AV
6970 Quicktime
560 rmonitor
3050 Interbase DB
7212 GhostSurf
22 SSH/SCP
23 Telnet
587 SMTP
25 SMTP
591 FileMaker
3127 MyDoom
42 WINS Replication
43 WHOIS
3222 GLBP
8118 Privoxy
49 TACACS
53 DNS
3306 MySQL
8767 TeamSpeak
69 TFTP
691 MS Exchange
3689 iTunes
8866 Bagle.B
70 Gopher
860 iSCSI
3690 Subversion
79 Finger
873 rsync
80 HTTP
20-21 FTP
67-68 DHCP/BOOTP
88 Kerberos
102 MS Exchange
110 POP3
113 Ident
9800 WebDAV
4444 Blaster
9898 Dabber
9988 Rbot/Spybot
4672 eMule
9999 Urchin
4899 Radmin
5000 UPnP
1080 MyDoom
5001 Slingbox
1194 OpenVPN
5001 iperf
143 IMAP4
1214 Kazaa
5004-5005 RTP
1241 Nessus
177 XDMCP
5060 SIP
179 BGP
1337 WASTE
5190 AIM/ICQ
201 AppleTalk
9119 MXit
4333 mSQL
161-162 SNMP
9100 HP JetDirect
9101-9103 Bacula
3784-3785 Ventrilo
123 NTP
137-139 NetBIOS
8086-8087 Kaspersky AV
7648-7649 CU-SeeMe
5222-5223 XMPP/Jabber
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
264 BGMP
1512 WINS
5432 PostgreSQL
19226 AdminSecure
318 TSP
19638 Ensim
1701 L2TP
5554 Sasser
20000 Usermin
5631-5632 pcAnywhere
24800 Synergy
381-383 HP Openview
389 LDAP
1723 MS PPTP
1725 Steam
445 Microsoft DS
464 Kerberos
1812-1813 RADIUS
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
1863 MSN
6129 DameWare
497 Retrospect
6257 WinMX
500 ISAKMP
512 rexec
Chat
513 rlogin
2049 NFS
6566 SANE
Encrypted
6588 AnalogX
Gaming
514 syslog
2082-2083 cPanel
6346-6347 Gnutella
515 LPD/LPR
6665-6669 IRC
520 RIP
2222 DirectAdmin
2302 Halo
540 UUCP
2483-2484 Oracle DB
6699 Napster
Legend
Malicious
Peer to Peer
Streaming
6881-6999 BitTorrent
by Jeremy Stretch
v1.1
EIGRP
packetlife.net
Protocol Header
Attributes
16
Version
24
Opcode
32
Checksum
Algorithm DUAL
Flags
Internal AD 90
Sequence Number
External AD 170
Acknowledgment Number
Summary AD 5
Length
Value
Transport IP/88
Metric Formula
256 * (K1 * bw +
K2 * bw
256 - load
Authentication MD5
+ K3 * delay) *
K5
rel + K4
EIGRP Configuration
Protocol Configuration
! Enable EIGRP
router eigrp <ASN>
! Add networks to advertise
network <IP address> <wildcard mask>
Multicast IP 224.0.0.10
Hello Timers 5/60
Hold Timers 15/180
K Defaults
Packet Types
K1 1
1 Update
K2 0
3 Query
K3 1
4 Reply
K4 0
5 Hello
K5 0
8 Acknowledge
Terminology
Reported Distance
Feasible Distance
Passive Interface
An interface which does not participate in EIGRP but
whose network is advertised
Stub Router
A router which advertises only a subset of routes,
and is omitted from the route query process
Troubleshooting
by Jeremy Stretch
packetlife.net
Protocols
Attributes
HSRP
Transport UDP/1985
Default Priority 100
Standby
200
GLBP
RFC 3768
Cisco
No
Yes
No
Yes
IP/112
UDP/3222
100
100
1 sec
3 sec
224.0.0.18
224.0.0.102
VRRP
100
Active
VRRP
Listen
100
200
Backup
Master
HSRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
standby version {1 | 2}
standby 1 ip 10.0.1.1
standby 1 timers <hello> <dead>
standby 1 priority <priority>
standby 1 preempt
standby 1 authentication md5 key-string <password>
standby 1 track <interface> <value>
standby 1 track <object> decrement <value>
GLBP
100
Backup
100
200
AVF
100
AVF
AVG
AVF
VRRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
vrrp 1 timers {advertise <hello> | learn}
vrrp 1 priority <priority>
vrrp 1 preempt
vrrp 1 authentication md5 key-string <password>
vrrp 1 track <object> decrement <value>
GLBP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
glbp 1 ip 10.0.1.1
glbp 1 timers <hello> <dead>
glbp 1 timers redirect <redirect> <time-out>
glbp 1 priority <priority>
glbp 1 preempt
glbp 1 forwarder preempt
glbp 1 authentication md5 key-string <password>
glbp 1 load-balancing <method>
glbp 1 weighting <weight> lower <lower> upper <upper>
glbp 1 weighting track <object> decrement <value>
by Jeremy Stretch
GLBP Roles
Active Virtual Gateway (AVG)
Answers for the virtual router and assigns
virtual MAC addresses to group members
Active Virtual Forwarder (AVF)
All routers which forward traffic for the group
GLBP Load Balancing
Round-Robin (default)
The AVG answers host ARP requests for the
virtual router with the next router in the cycle
Host-Dependent
Round-robin cycling is used while a consistent
AVF is maintained for each host
Weighted
Determines the proportionate share of hosts
handled by each AVF
Troubleshooting
show standby [brief]
packetlife.net
Protocol Header
8
16
Label
Conceptual Components
24
32
TC S
L2
TTL
Control Plane
Facilitates label exchange between neighboring
LSRs using LDP or TDP (includes the LIB)
Forwarding/Data Plane
Forwards packets based on label or destination
IP address (includes the FIB and LFIB)
IP
Label stack
Label Protocols
LDP
UDP/711
TCP/711
Proprietary No
Cisco
Terminology
Provider Network
PE
TDP
PE
P
LSP
Customer Network
CE
CE
MPLS Configuration
! Enable CEF
ip cef
Troubleshooting
show mpls interfaces
debug mpls []
by Jeremy Stretch
v2.0
IEEE 802.1X
packetlife.net
802.1X Header
1
Version
1
Type
Terminology
2
Length
EAP
EAP Header
1
Code
1
Identifier
2
Length
Data
Authenticator
Supplicant
The device (client) attached to an access link that requests
authentication by the authenticator
Authenticator
The device that controls the status of a link; typically a
wired switch or wireless access point
Authentication
Authentication Server
Server
A backend server which authenticates the credentials
provided by supplicants (for example, a RADIUS server)
Guest VLAN
Fallback VLAN for clients not 802.1X-capable
Restricted VLAN
Fallback VLAN for clients which fail authentication
Identity Request
Identity Response
Access Request
Challenge Request
Challenge Response
Access Challenge
Access Request
1 Request
1 EAPOL-Start
2 Response
2 EAPOL-Logoff
3 Success
3 EAPOL-Key
4 Failure
4 EAPOL-Encap-ASF-Alert
Success
Access Accept
EAP
RADIUS
Configuration
Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control
EAP Codes
Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Port-Control Options
Interface Configuration
by Jeremy Stretch
force-authorized
Port will always remain in authorized state (default)
force-unauthorized
Always unauthorized; authentication attempts are ignored
auto
Supplicants must authenticate to gain access
Troubleshooting
show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
v2.0
packetlife.net
IEEE Standards
802.11a
802.11b
802.11g
802.11n
11 Mbps
54 Mbps
300 Mbps
2.4 GHz
2.4 GHz
2.4/5 GHz
Modulation OFDM
DSSS
DSSS/OFDM
OFDM
11/13
11/13
32/32
1999
2003
2009
Ratified 1999
WLAN Types
Ad Hoc
A WLAN between isolated stations with
no central point of control; an IBSS
WLAN Components
IBSS
ESS
BSS
BSS
Infrastructure
A WLAN attached to a wired network via
an access point; a BSS or ESS
DS
Frame Types
Type
Class
Association
Management
Authentication
Management
Probe
Management
Beacon
Management
Control
Control
Acknowledgment (ACK)
Control
Data
Data
Client Association
Probe Request
Probe Response
Authentication Request
Authentication Response
Association Request
Association Response
Modulations
Scheme
DSSS
OFDM
Modulation
Throughput
DBPSK
1 Mbps
DQPSK
2 Mbps
CCK
5.5/11 Mbps
BPSK
6/9 Mbps
QPSK
12/18 Mbps
16-QAM
24/36 Mbps
64-QAM
48/54 Mbps
by Jeremy Stretch
Decibel (dB)
An expression of signal strength as compared to a reference signal;
calculated as 10log10(signal/reference)
dBm Signal strength compared to a 1 milliwatt signal
dBw Signal strength compared to a 1 watt signal
dBi Compares forward antenna gain to that of an isotropic antenna
Terminology
Basic Service Set Identifier (BSSID)
A MAC address which serves to uniquely identify a BSS
Service Set Identifier (SSID)
A human-friendly text string which identifies a BSS; 1-32 characters
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)
The mechanism which facilitates efficient communication across a
shared wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP)
Net signal strength (transmitter power + antenna gain - cable loss)
v2.2
packetlife.net
DIFS
DIFS
DIFS
Frame
Deferral Period
Random Backoff
Contention Window
Interframe Spacing
Client Authentication
EAP-TLS
Employs Transport Layer Security (TLS); PKI
certificates are required on the AP and clients
EAP-TTLS
Clients authenticate the AP via PKI, then form a secure
tunnel inside which the client authentication takes
place (clients do not need PKI certificates)
EAP-FAST
Developed by Cisco to replace LEAP; establishes a
secure tunnel using a Protected Access Credential
(PAC) in the absence of PKI certificates
RF Signal Interference
Reflection
Scattering
Absorption
802.11e
802.1p
Platinum
7/6
6/5
Gold
5/4
4/3
Silver
3/0
Bronze
2/1
2/1
Refraction
Diffraction
Antenna Types
Directional Radiates power in one focused direction
Omnidirectional
Radiates power uniformly across a plane
Isotropic
A theoretical antenna referenced when measuring
effective radiated power
v2.2
packetlife.net
Algorithm Bellman-Ford
Admin Distance 120
Standard RFCs 2080, 2453
Supported Protocols IPv4, IPv6
Transport UDP/520
Authentication Plain, MD5
Multicast Address 224.0.0.9
Link State
Link State
Path Vector
DUAL
Dijkstra
Dijkstra
Path Selection
110
115
20/200 (IBGP)
Cisco proprietary
RFC 4271
IPv4, IPv6
IPv4, IPv6
IP/88
IP/89
Layer 2
TCP/179
MD5
Plain, MD5
MD5
224.0.0.5-6
RIPv2
Introduced support for classless routing,
triggered updates, and multicast
announcements (RFC 2453)
RIPng (RIP Next Generation)
Extends RIPv2 to support IPv6 routing
(RFC 2080); functions very similarly to
RIPv2 and is subsequently as limited
Split-Horizon
Mitigates routing loops by ensuring a
route is never advertised back to the
neighbor from which it was learned
Poison Reverse
Learned routes are advertised back to
their originator as explicitly invalid
Interface Configuration
RIP Configuration
interface type number
! Enable RIPng on the interface
ipv6 rip name enable
EIGRP Configuration
! Enable EIGRP for an autonomous system
[ipv6] router eigrp AS-number
Metric Formula
K5
K2 * bw
+ K3 * delay) *
256 - load
rel + K4
Name
3 Query
K2 0
4 Reply
K3 1
5 Hello
K4 0
8 Acknowledge
K5 0
Terminology
Reported Distance
The metric for a route advertised by a neighbor
Feasible Distance
The distance advertised by a neighbor plus the cost
to get to that neighbor
Stuck In Active (SIA)
The condition when a route becomes unreachable
and not all queries for it are answered; adjacencies
with unresponsive neighbors are reset
Passive Interface
An interface which does not participate in EIGRP
but whose network is advertised
Stub Router
A router which advertises only a subset of routes,
and is omitted from the route query process
Default Timers
WAN (<=T1)
60 sec
180 sec
Troubleshooting
show ip[v6] eigrp {interfaces | neighbors }
show ip[v6] eigrp topology
clear ip[v6] eigrp [AS-number] neighbors
Global Configuration
K1 1
Type 1
Type 2
Type 3
Type 4
Type 5
Type 6
Type 7
N/A
N/A
5 ExStart
2 Attempt
6 Exchange
3 Init
7 Loading
4 2-Way
8 Full
1 Hello
4 LS Update
2 DB Descr.
5 LS Ack
3 LS Request
DR/BDR Election
The DR serves as a common
point for all adjacencies on a
multiaccess segment
The BDR also maintains
adjacencies with all routers in
case the DR fails
Does not occur on point-topoint or multipoint links
Default priority (0-255) is 1;
highest priority wins; 0 cannot
be elected
DR preemption will not occur
unless the current DR is reset
Virtual Links
Tunnel formed to join two
areas across an intermediate
Both end routers must share
a common non-stub area
At least one end must reside
in area 0
Transition tool; not ideal for
permanent designs
Troubleshooting
Network Types
Multipoint
Broadcast
Multipoint
Nonbroadcast
Broadcast
Point-to-Point
No
No
Yes
No
Yes
No
Yes
Yes
30/120
30/120
10/40
10/40
RFC 2328
Cisco
Cisco
Cisco
Any
Any
Full Mesh
Point-to-Point
AFI
Condensed
Example
HODSP
Area
49
0005.80ff.f800.0000
0001
System ID
SEL
0000.0c00.1234
00
Adjacency Requirements
Interface MTUs must match
Levels must match
Point-to-Point
No
Yes
Terminology
Type-Length-Value (TLV)
Variable-length modular datasets carried by PDUs
IS-IS Hello (IIH)
Establish and maintain neighbor adjacencies
Link State PDU (LSP)
Carry TLVs encompassing link state information
Sequence Number Packet (SNP)
Used to request and advertise LSPs; can be complete
(CSNP) or partial (PSNP)
Network Entity Title (NET)
Unique router ID; includes area ID
Designated Intermediate System (DIS)
A pseudonode responsible for emulating point-topoint links across a multi-access segment
Network Types
Broadcast
10/30
Troubleshooting
DIS Election
Highest-priority interface elected
Highest SNPA (e.g. MAC or DLCI) breaks tie
IS-IS Configuration
! Enable IS-IS routing
router isis
Domain-Specific Part
IDI
NSAP
NSAP Addressing
Interdomain Part
Integrated IS-IS
1 Down
Message Types
link speed
Adjacency States
Standard Area
Default OSPF area type
Stub Area
External link (type 5) LSAs are replaced with
a single default route
Totally Stubby Area
Type 3, 4, and 5 LSAs are replaced with a
default route
Not-So-Stubby Area (NSSA)
A stub area containing an ASBR; type 5 LSAs
are converted to type 7 within the area
v2 Equiv.
Interface Configuration
1 Update
reference-bandwidth
cost =
Area Types
Default K Values
Nonbroadcast
(NBMA)
EIGRP
Hold 15 sec
Hello 5 sec
! Modify timers
timers basic update invalid hold flush
LAN (>T1)
Troubleshooting
show ip[v6] protocols
N/A
RIP Configuration
Global Configuration
RIPv1
Original RIP implementation, limited to
classful routing (obsolete)
Packet Types
N/A
Terminology
RIP Implementations
BGP
Distance Vector
224.0.0.10
RIP
256 * (K1 * bw +
IS-IS
Global Configuration
OSPF
OSPF Configuration
Interface Configuration
EIGRP
Metric Formula
Global Configuration
RIP
Router Roles
Internal Router
All interfaces reside within the same area
Backbone Router
A router with at least one interface in area 0
Area Border Router (ABR)
Connects two or more areas
AS Boundary Router (ASBR)
Connects to additional routing domains
(redistribution to or from other protocols)
OSPF
Interface Configuration
packetlife.net
Actions
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]
permit
deny
remark
evaluate
ACL Numbers
1-99
IP standard
1300-1999
Source/Destination Definitions
any Any address
host <address> A single address
100-199
IP extended
2000-2699
200-299 Protocol
IP Options
300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established
Match packets in an
established session
Logging Options
log Log ACL entry matches
Log matches including
log-input ingress interface and
source MAC address
by Jeremy Stretch
Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
v2.0
Security Zone
A group of interfaces which share a common level of security
Zone Pair
A unidirectional pairing of source and destination zones to which a
security policy is applied
Inspection Policy
An inspect-type policy map used to statefully filter traffic by
matching one or more inspect-type class maps
Parameter Map
An optional configuration of protocol-specific parameters referenced
by an inspection policy
MPLS WAN
Internet
G0/0
G0/1
! Match by protocol
class-map type inspect match-any ByProtocol
match protocol tcp
match protocol udp
match protocol icmp
! Match by access list
ip access-list extended MyACL
permit ip 10.0.0.0 255.255.0.0 any
!
class-map type inspect match-all ByAccessList
match access-group name MyACL
Security Zones
Trusted
packetlife.net
Internet
Guest
Corporate
LAN
G0/2.10
G0/2.20
Guest
Wireless LAN
Pass
Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect
by Jeremy Stretch
IPSEC
packetlife.net
Protocols
Encryption Algorithms
L2
IP
TCP/UDP
Transport
Mode
L2
IP
ESP/AH
Tunnel
Mode
L2
New IP
ESP/AH
Strength
56
Weak
168
Medium
AES Symmetric
128/192/256
Strong
RSA Asymmetric
1024+
Strong
DES Symmetric
3DES Symmetric
Hashing Algorithms
Length (Bits)
MD5 128
Strength
Medium
SHA-1 160
Strong
IKE Phases
TCP/UDP
IP
TCP/UDP
Transport Mode
The ESP or AH header is inserted behind the IP header; the
IP header can be authenticated but not encrypted
Tunnel Mode
A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Configuration
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
Phase 1
A bidirectional ISAKMP SA is established
between peers to provide a secure management
channel (IKE in main or aggressive mode)
IPsec Modes
Original
Packet
Type
ISAKMP Policy
Phase 2
Two unidirectional IPsec SAs are established for
data transfer using separate keys (IKE quick
mode)
Terminology
Data Integrity
Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Data Confidentiality
Encryption is used to ensure data cannot be
intercepted by a third party
Data Origin Authentication
Authentication of the SA peer
Anti-replay
Sequence numbers are used to detect and
discard duplicate packets
Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
provide message authenticity
Diffie-Hellman Exchange
A shared secret key is established over an
insecure path using public and private keys
Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto {isakmp | ipsec}
by Jeremy Stretch
v2.0
IPV4 MULTICAST
Layer 2 Addressing
239.142.57.6
11101111 10001110 00111001 00000110
Group Ranges
224.0.0.0/24 Local network control
224.0.1.0/24 Internetwork control
232.0.0.0/8 Source-specific
01-00-5E-0E-39-06
00000001 00000000 01011110 00001110 00111001 00000110
Terminology
Reverse Path Forwarding (RPF)
Verifies that multicast traffic travels in the reverse direction of
unicast traffic, away from the tree root
Cisco Group Management Protocol (CGMP)
A proprietary protocol used by switches to obtain multicast
membership information for end hosts (deprecated)
Internet Group Management Protocol (IGMP)
Hosts send IGMP requests to local routers to join multicast groups
IGMP Configuration
IGMP Support Router(config-if)# ip igmp [version <#>]
IGMP Snooping Switch(config)# ip igmp snooping
Protocol Independent Multicast (PIM)
Dense Mode
The initial tree encompasses all multicast routers; after a period of
time, routers without IGMP members prune back branches
Sparse Mode
The tree is grown from a central rendezvous point out to the
multicast source and recipients
Sparse-Dense Mode
Allows a PIM-enabled interface to function in either sparse or dense
mode per group
PIMv1
Provides automatic RP discovery with Auto-RP (Cisco proprietary)
PIMv2
Automatic RP discovery is accomplished by the bootstrap router
(BSR) method (standard)
PIM Configuration
ip multicast-routing
!
interface FastEthernet0/0
ip pim {sparse-mode | dense-mode | sparse-dense-mode}
ip pim version {1 | 2}
RP Configuration
Manual ip pim rp-address <IP>
Auto-RP Mapping Agent ip pim send-rp-discovery scope <TTL>
Auto-RP Candidate ip pim send-rp-announce <interface>
BSR Candidate ip pim bsr-candidate <interface>
BSR RP Candidate ip pim rp-candidate <interface>
by Jeremy Stretch
packetlife.net
IPV4 SUBNETTING
packetlife.net
Subnets
Decimal to Binary
Addresses
Wildcard
Subnet Mask
Wildcard
/32 255.255.255.255
0.0.0.0
0 0000 0000
/31 255.255.255.254
0.0.0.1
1 0000 0001
/30 255.255.255.252
0.0.0.3
3 0000 0011
/29 255.255.255.248
0.0.0.7
7 0000 0111
/28 255.255.255.240
16
0.0.0.15
15 0000 1111
/27 255.255.255.224
32
0.0.0.31
31 0001 1111
/26 255.255.255.192
64
0.0.0.63
63 0011 1111
/25 255.255.255.128
128
0.0.0.127
/24 255.255.255.0
256
0.0.0.255
0 0000 0000
/23 255.255.254.0
512
0.0.1.255
/22 255.255.252.0
1,024
0.0.3.255
/21 255.255.248.0
2,048
0.0.7.255
/20 255.255.240.0
4,096
0.0.15.255
/19 255.255.224.0
8,192
0.0.31.255
/18 255.255.192.0
16,384
0.0.63.255
/17 255.255.128.0
32,768
0.0.127.255
/16 255.255.0.0
65,536
0.0.255.255
/15 255.254.0.0
131,072
0.1.255.255
/14 255.252.0.0
262,144
0.3.255.255
/13 255.248.0.0
524,288
0.7.255.255
/12 255.240.0.0
1,048,576
0.15.255.255
/11 255.224.0.0
2,097,152
0.31.255.255
/10 255.192.0.0
4,194,304
0.63.255.255
/9 255.128.0.0
8,388,608
0.127.255.255
A 0.0.0.0 127.255.255.255
/8 255.0.0.0
16,777,216
0.255.255.255
B 128.0.0.0 - 191.255.255.255
/7 254.0.0.0
33,554,432
1.255.255.255
C 192.0.0.0 - 223.255.255.255
/6 252.0.0.0
67,108,864
3.255.255.255
D 224.0.0.0 - 239.255.255.255
/5 248.0.0.0
134,217,728
7.255.255.255
E 240.0.0.0 - 255.255.255.255
/4 240.0.0.0
268,435,456
15.255.255.255
/3 224.0.0.0
536,870,912
31.255.255.255
/2 192.0.0.0
1,073,741,824
63.255.255.255
/1 128.0.0.0
2,147,483,648
127.255.255.255
/0 0.0.0.0
4,294,967,296
255.255.255.255
Subnet Proportion
/27
/28
/26
/29
/30
/30
/25
Classful Ranges
Reserved Ranges
Terminology
CIDR
Classless interdomain routing was developed to
provide more granularity than legacy classful
addressing; CIDR notation is expressed as /XX
by Jeremy Stretch
VLSM
Variable-length subnet masks are an arbitrary length
between 0 and 32 bits; CIDR relies on VLSMs to define
routes
v2.0
IPV6
packetlife.net
Protocol Header
8
Ver
16
Address Notation
24
Traffic Class
32
Flow Label
Payload Length
Next Header
Hop Limit
Source Address
Global unicast
Global Prefix
Subnet
Interface ID
48
16
64
Destination Address
Link-local unicast
Version (4 bits) Always set to 6
Interface ID
64
Multicast
Flags
Group ID
4 4
112
EUI-64 Formation
64
Scope
MAC
Address Types
EUI-64
Multicast Scopes
1 Interface-local
5 Site-local
2 Link-local
8 Org-local
4 Admin-local
E Global
Special-Use Ranges
Extension Headers
Hop-by-hop Options (0)
Carries additional information which must be examined by every
router in the path
Routing (43)
Provides source routing functionality
::/0
Default route
Fragment (44)
Included when a packet has been fragmented by its source
::/128
Unspecified
::1/128
Loopback
::/96
IPv4-compatible*
::FFFF:0:0/96
IPv4-mapped
2001::/32
Teredo
2001:DB8::/32
Documentation
2002::/16
6to4
FC00::/7
Unique local
FE80::/10
Link-local unicast
FEC0::/10
Site-local unicast*
FF00::/8
Multicast
by Jeremy Stretch
Transition Mechanisms
Dual Stack
Transporting IPv4 and IPv6 across an infrastructure simultaneously
Tunneling
IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo),
or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation
Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT
* Deprecated Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses
v2.0
IS-IS PART 1
packetlife.net
Protocol Header
4
Attributes
12
IRPD
Packet Length
Version/Protocol ID Extension
ID Length
PDU Type
16
Type Link-State
Algorithm Dijkstra
Metric Default (10)
Version
AD 115
Reserved
Type
Length
Value ...
Transport Layer 2
Authentication Plaintext, MD5
NSAP Addressing
Interdomain Part
Routing Levels
Domain-Specific Part
AFI
IDI
Condensed
Example
HODSP
Area
47
System ID
SEL
0000.0c00.1234
00
0005.80ff.f800.0000
0001
Point-to-Point
No
Yes
10/30
Troubleshooting
DIS Election
show ip route
show ip protocols
by Jeremy Stretch
v2.0
IS-IS PART 2
packetlife.net
TLV Types
Name
Use
Name
Use
Name
Use
1 Area Addresses
Hello, LSP
6 IS Neighbors
Hello, L2 LSP
LSP
2 IS Neighbors
LSP
8 Padding
Hello
Hello, LSP
3 ES Neighbors
L1 LSP
9 LSP Entries
SNP
131 IDRPI
SNP, L2 LSP
5 Prefix Neighbors
L2 LSP
Hello, LSP
10 Authentication All
Configuration Example
Area 1
Router A2
192.168.1.0/24
interface FastEthernet0/0
description Area 1
ip address 192.168.1.2 255.255.255.0
ip router isis
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.00a2.00
A3
A2
10
.0.
0
192.168.2.0/24
30
.4/
Area 2
.0
.0
10
.0
/3
0
A1
Area 3
192.168.3.0/24
B2
C2
B1
10.0.0.8/30
C1
B3
C3
Router B2
interface FastEthernet0/0
description Area 2
ip address 192.168.2.2 255.255.255.0
ip router isis
isis circuit-type level-1
!
router isis
net 49.0002.0000.0000.00b2.00
Router A1
interface FastEthernet0/0
description Area 1
ip address 192.168.1.1 255.255.255.0
ip router isis
isis circuit-type level-1
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
description To Area 2
ip address 10.0.0.1 255.255.255.252
ip router isis
isis circuit-type level-2-only
! MD5 authentication (keychain not shown)
isis authentication mode md5
isis authentication key-chain <keychain>
frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
description To Area 3
ip address 10.0.0.5 255.255.255.252
ip router isis
isis circuit-type level-2-only
frame-relay interface-dlci 102
!
router isis
net 49.0001.0000.0000.00a1.00
by Jeremy Stretch
Router B1
interface FastEthernet0/0
description Area 2
ip address 192.168.2.1 255.255.255.0
ip router isis
isis circuit-type level-1
!
interface Serial1/0
no ip address
encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
description To Area 1
ip address 10.0.0.2 255.255.255.252
ip router isis
isis circuit-type level-2-only
! MD5 authentication (keychain not shown)
isis authentication mode md5
isis authentication key-chain <keychain>
frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
description To Area 3
ip address 10.0.0.9 255.255.255.252
ip router isis
isis circuit-type level-2-only
frame-relay interface-dlci 103
!
router isis
net 49.0002.0000.0000.00b1.00
v2.0
MARKDOWN
packetlife.net
Headers
# Text
<h1>Text</h1>
## Text
<h2>Text</h2>
### Text
<h3>Text</h3>
#### Text
<h4>Text</h4>
##### Text
<h5>Text</h5>
###### Text
<h6>Text</h6>
Lists
* Sizes
* Shapes
* Colors
* Blue
* Green
1. First
2. Second
3. Third
1. Alpha
2. Bravo
<ul>
<li>Sizes</li>
<li>Shapes</li>
<li>Colors
<ul>
<li>Blue</li>
<li>Green</li>
</ul></li>
</ul>
<ol>
<li>First</li>
<li>Second</li>
<li>Third
<ol>
<li>Alpha</li>
<li>Bravo</li>
</ol></li>
</ol>
Blockquotes
> Lorem ipsum
> dolor sit amet
<blockquote>
<p>Lorem ipsum dolor sit amet</p>
</blockquote>
<blockquote>
<p>Lorem ipsum dolor sit amet</p>
</blockquote>
>
>
>
>
>
<blockquote><p>Level one</p>
<blockquote><p>Level two</p>
<blockquote><p>Level three</p>
</blockquote>
</blockquote>
</blockquote>
Level one
> Level two
>
> > Level three
Inline Code
Use `<div>` tags
Code Blocks
Normal text
#include <stdio.h>
<p>Normal text</p>
<pre><code>
#include <stdio.h>
</code></pre>
Horizontal Rules
* * *
<hr />
- - -
<hr />
***
<hr />
---
<hr />
Emphasis
Escapable Characters
*Emphasis*
<em>Emphasis</em>
Backslash
( ) Parantheses
_Emphasis_
<em>Emphasis</em>
Backtick
Hash mark
**Strong**
<strong>Strong</strong>
Asterisk
Plus sign
__Strong__
<strong>Strong</strong>
Underscore
Hyphen
*Super*emphasis
<em>Super</em>emphasis
{ } Curly braces
Period
**Super**strong
<strong>Super</strong>strong
[ ] Square brackets
Exclamation
Links
[Google](http://google.com/)
<a href="http://google.com/">Google</a>
[Google](http://google.com/ "Search")
<http://google.com>
<a href="http://google.com/">http://google.com</a>
Images
![Alt text](/path/to/img.jpg)
v2.0
MEDIAWIKI
packetlife.net
Headers
Code
=Text=
<h1>Text</h1>
<code>Text</code>
==Text==
<h2>Text</h2>
<code><pre>Text</pre></code> <code><pre>Text</pre></code>
===Text===
<h3>Text</h3>
====Text====
<h4>Text</h4>
<h5>Text</h5>
<nowiki>Suppress [[wiki]]
'''markup'''</nowiki>
Suppress [[wiki]]
=====Text=====
======Text======
<h6>Text</h6>
<code>Text</code>
Miscellaneous
Lists
Formatting
* Sizes
* Shapes
* Colors
** Blue
** Green
<ul>
<li>Sizes</li>
<li>Shapes</li>
<li>Colors
<ul>
<li>Blue</li>
<li>Green</li>
</ul></li>
</ul>
# First
# Second
# Third
<ol>
<li>First</li>
<li>Second</li>
<li>Third</li>
</ol>
; Term 1 : Foo
; Term 2 : Bar
; Term 3 : Baz
'''markup'''
''Text''
<i>Text</i>
'''Text'''
<b>Text</b>
'''''Text'''''
<i><b>Text</b></i>
<ins>Text</ins>
<ins>Text</ins>
<del>Text</del>
<del>Text</del>
<tt>Text</tt>
<tt>Text</tt>
Templates
Books by {{{1}}}
Unnamed variables
{{Author|Palahniuk}}
Books by {{{name}}}
Named variables
<dl>
<dt>Term 1</dt>
<dd>Foo</dd>
<dt>Item 2</dt>
<dd>Bar</dd>
<dt>Item 3</dt>
<dd>Baz</dd>
</dl>
{{Author|name=Palahniuk}}
Categories
Assign object to a category
[[Category:Humor]]
Link to a category
[[:Category:Humor]]
Links
[[packet switching]]
IP [[network]]ing
IP <a href="Network">networking</a>
[http://google.com/]
<a href="http://google.com/">http://google.com/</a>
[http://google.com/ Google]
<a href="http://google.com/">Google</a>
Images
[[Image:photo.png]]
[[Image:photo.png|Alt text]]
[[Image:photo.png|30 px]]
[[:Image:photo.png|A photo]]
Tables
{|
Starts a table
Table header
|+
Table cell
|-
|}
Table end
by Jeremy Stretch
v2.1
packetlife.net
Address Classification
Inside Local
FastEthernet0
10.0.0.1/16
NAT Inside
FastEthernet1
174.143.212.1/22
NAT Outside
Outside Local
Location
interface FastEthernet0
ip address 10.0.0.1 255.255.0.0
ip nat inside
!
interface FastEthernet1
ip address 174.143.212.1 255.255.252.0
ip nat outside
Perspective
Local
Global
Inside
Inside Local
Inside Global
Outside
Outside Local
Outside Global
Terminology
NAT Pool
A pool of IP addresses to be used as inside
global or outside local addresses in translations
Extendable Translation
The extendable keyword must be appended
when multiple overlapping static translations are
configured
Troubleshooting
show ip nat translations [verbose]
show ip nat statistics
clear ip nat translations
NAT Translations Tuning
ip nat translation tcp-timeout <seconds>
ip nat translation udp-timeout <seconds>
ip nat translation max-entries <number>
by Jeremy Stretch
v1.0
OSPF PART 1
packetlife.net
Protocol Header
8
Attributes
16
Version
24
Type
32
Type Link-State
Length
Algorithm Dijkstra
Router ID
Area ID
Checksum
AD 110
Instance ID
Reserved
Data
Protocols IP
Transport IP/89
Authentication Plaintext, MD5
AllSPF Address 224.0.0.5
AllDR Address 224.0.0.6
Metric Formula
100,000 Kbps*
cost =
* modifiable with
ospf auto-cost reference-bandwidth
Area Types
Internal Router
All interfaces reside within the
same area
Backbone Router
A router with an interface in
area 0 (the backbone)
Standard Area
Default OSPF area type
Stub Area
External link (type 5) LSAs are
replaced with a default route
link speed
Adjacency States
1 Down
5 Exstart
2 Attempt
6 Exchange
3 Init
7 Loading
4 2-Way
8 Full
DR/BDR Election
Virtual Links
Tunnel formed to join two areas
across an intermediate
debug ip ospf []
by Jeremy Stretch
v2.1
OSPF PART 2
packetlife.net
Network Types
Nonbroadcast
(NBMA)
Multipoint
Broadcast
Multipoint
Nonbroadcast
Broadcast
Point-to-Point
No
No
Yes
No
Yes
No
Yes
Yes
30/120
30/120
10/40
10/40
RFC 2328
Cisco
Cisco
Cisco
Any
Any
Full Mesh
Point-to-Point
Configuration Example
WAN
Area 0
Area 9
172.16.0.0/18
Backbone
A
C
Area 1
Area 2
Stub Area
Standard Area
Router B
interface Ethernet0/0
description Area 0
ip address 192.168.0.2 255.255.255.0
ip ospf 100 area 0
!
interface Ethernet0/1
description Area 2
ip address 192.168.2.1 255.255.255.0
ip ospf 100 area 2
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give B priority in DR election
ip ospf priority 100
!
interface Ethernet0/2
description Area 1
ip address 192.168.1.1 255.255.255.0
ip ospf 100 area 1
!
interface Loopback0
ip address 10.0.34.2 255.255.255.0
!
router ospf 100
! Define area 1 as a stub area
area 1 stub
! Virtual link from area 0 to area 9
area 2 virtual-link 10.0.34.3
by Jeremy Stretch
Router A
interface Serial0/0
description WAN Link
ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
description Area 0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
! Used as router ID
ip address 10.0.34.1 255.255.255.0
!
router ospf 100
! Advertising the WAN cloud to OSPF
redistribute static subnets
network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1
Router C
interface Ethernet0/0
description Area 9
ip address 192.168.9.1 255.255.255.0
ip ospf 100 area 9
!
interface Ethernet0/1
description Area 2
ip address 192.168.2.2 255.255.255.0
ip ospf 100 area 2
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give C second priority (BDR) in election
ip ospf priority 50
!
!
!
!
!
!
interface Loopback0
ip address 10.0.34.3 255.255.255.0
!
router ospf 100
! Define area 9 as a totally stubby area
area 9 stub no-summary
! Virtual link from area 9 to area 0
area 2 virtual-link 10.0.34.2
v2.1