packetlife.net by Jeremy Stretch v2.0 VLANS Trunk Encapsulation VLAN Creation Switch(config)# vlan 100 Switch(config-vlan)# name Engineering 0 Reserved 1 default 1002 fddi-default 1003 tr Terminology Trunking Carrying multiple VLANs over the same physical connection Access VLAN The VLAN to which an access port is assigned Voice VLAN If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port Troubleshooting show vlan show interface [status | switchport] show interface trunk show vtp status show vtp password Access Port Configuration Switch(config-if)# switchport mode access Switch(config-if)# switchport nonegotiate Switch(config-if)# switchport access vlan 100 Switch(config-if)# switchport voice vlan 150 Trunk Port Configuration Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport trunk allowed vlan 10,20-30 Switch(config-if)# switchport trunk native vlan 10 Trunk Types Header Size 26 bytes ISL 4 bytes 802.1Q Trailer Size 4 bytes N/A Standard Cisco IEEE Maximum VLANs 1000 4094 VLAN Numbers 1004 fdnet 1005 trnet 1006-4094 Extended 4095 Reserved Native VLAN By default, frames in this VLAN are untagged when sent across a trunk Dynamic Trunking Protocol (DTP) Can be used to automatically establish trunks between capable ports (insecure) Switched Virtual Interface (SVI) A virtual interface which provides a routed gateway into and out of a VLAN SVI Configuration Switch(config)# interface vlan100 Switch(config-if)# ip address 192.168.100.1 255.255.255.0 ISL Header Dest MAC Source MAC Type FCS ISL Dest MAC Source MAC Type 802.1Q 802.1Q 26 6 6 2 4 6 6 2 4 Dest MAC Source MAC Type Untagged Switch Port Modes trunk Forms an unconditional trunk dynamic desirable Attempts to negotiate a trunk with the far end dynamic auto Forms a trunk only if requested by the far end access Will never form a trunk VLAN Trunking Protocol (VTP) Domain Common to all switches participating in VTP Server Mode Generates and propagates VTP advertisements to clients; default mode on unconfigured switches Client Mode Receives and forwards advertisements from servers; VLANs cannot be manually configured on switches in client mode Transparent Mode Forwards advertisements but does not participate in VTP; VLANs must be configured manually Pruning VLANs not having any access ports on an end switch are removed from the trunk to reduce flooded traffic VTP Configuration Switch(config)# vtp mode {server | client | transparent} Switch(config)# vtp domain <name> Switch(config)# vtp password <passsword> Switch(config)# vtp version {1 | 2} Switch(config)# vtp pruning
38
Embed
MergedFileBackup Spanning Tree Operation Determine root bridge The bridge advertising the lowest bridge ID becomes the root bridge Select root port Each bridge selects its primary
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
packetlife.net
by Jeremy Stretch v2.0
VLANSTrunk Encapsulation
VLAN Creation
Switch(config)# vlan 100Switch(config-vlan)# name Engineering
0 Reserved
1 default
1002 fddi-default
1003 tr
Terminology
TrunkingCarrying multiple VLANs over the same physical connection
Access VLANThe VLAN to which an access port is assigned
Voice VLANIf configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port
! Configure hello and hold timersip hello-interval eigrp <AS> <seconds>ip hold-time eigrp <AS> <seconds>
! Disable split horizon for EIGRPno ip split-horizon eigrp <AS>
Interface Configuration
K Defaults Packet Types
K1 1
K2 0
K3 1
K4 0
K5 0
1 Update
3 Query
4 Reply
5 Hello
8 Acknowledge
Terminology
Feasible DistanceThe distance advertised by a neighbor plus the cost
to get to that neighbor
Reported DistanceThe metric for a route advertised by a neighbor
Stuck In Active (SIA)The condition when a route becomes unreachable and not all queries for it are answered; adjacencies
with unresponsive neighbors are reset
Passive InterfaceAn interface which does not participate in EIGRP but whose network is advertised
Stub RouterA router which advertises only a subset of routes, and is omitted from the route query process
Troubleshooting
show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
clear ip eigrp neighbors
debug ip eigrp [packet | neighbors]
packetlife.net
by Jeremy Stretch v2.1
OSPF · PART 1Protocol Header
Type
Attributes
Algorithm
Metric
Link-State
Dijkstra
Cost (Bandwidth)
AD
Standard
Protocols
Transport
110
RFC 2328, 2740
IP
IP/89
Router Types
Internal RouterAll interfaces reside within the same area
Backbone RouterA router with an interface in area 0 (the backbone)
Area Border Router (ABR)Connects two or more areas
AS Boundary Router (ASBR)Connects to additional routing domains; typically located in the backbone
Troubleshooting
show ip [route | protocols]
show ip ospf interface
show ip ospf neighbor
* modifiable with
ospf auto-cost reference-bandwidth
Metric Formula
Version Type Length
8 16 24 32
Router ID
Area ID
Checksum Instance ID Reserved
Data
Link State Advertisements
Router Link (Type 1)Lists neighboring routers and the cost to each; flooded within an area
Network Link (Type 2)Generated by a DR; lists all routers on an adjacent segment; flooded within an area
Network Summary (Type 3)Generated by an ABR and advertised among areas
ASBR Summary (Type 4)Injected by an ABR into the backbone to advertise the presence of an ASBR within an area
External Link (Type 5)Generated by an ASBR and flooded throughout the AS to advertise a route external to OSPF
NSSA External Link (Type 7)Generated by an ASBR in a not-so-stubby area; converted into a type 5 LSA by the ABR when leaving the area
DR/BDR Election
· The BDR also maintains adjacencies with all routers in case the DR fails
· Election does not occur on point-to-point or multipoint links
· Default priority (0-255) is 1; highest priority wins; 0 cannot be elected
· DR preemption will not occur unless the current DR is reset
Virtual Links
· Tunnel formed to join two areas across an intermediate
· Both end routers must share a common area
· At least one end must reside in area 0
· Cannot traverse stub areas
Area Types
Standard AreaDefault OSPF area type
Stub AreaExternal link (type 5) LSAs are replaced with a default route
Totally Stubby AreaType 3, 4, and 5 LSAs are replaced with a default route
Not So Stubby Area (NSSA)A stub area containing an ASBR; type 5 LSAs are converted to type 7 within the area
External Route Types
E1 · Cost to the advertising ASBR plus the external cost of the route
E2 (Default) · Cost of the route as seen by the ASBR
Authentication
AllSPF Address
AllDR Address
Plaintext, MD5
224.0.0.5
224.0.0.6
Adjacency States
1
2
Down
Attempt
5
6
Exstart
Exchange
3
4
Init
2-Way
7
8
Loading
Full
show ip ospf border-routers
show ip ospf virtual-links
debug ip ospf […]
cost = 100,000 Kbps*
link speed
· The DR serves as a common point for all adjacencies on a multiaccess segment
packetlife.net
by Jeremy Stretch v2.1
OSPF · PART 2
Configuration Example
interface Serial0/0description WAN Linkip address 172.16.34.2 255.255.255.252!interface FastEthernet0/0description Area 0ip address 192.168.0.1 255.255.255.0!interface Loopback0! Used as router IDip address 10.0.34.1 255.255.255.0!router ospf 100! Advertising the WAN cloud to OSPFredistribute static subnetsnetwork 192.168.0.0 0.0.0.255 area 0!! Static route to the WAN cloudip route 172.16.0.0 255.255.192.0 172.16.34.1
interface Ethernet0/0description Area 9ip address 192.168.9.1 255.255.255.0ip ospf 100 area 9!interface Ethernet0/1description Area 2ip address 192.168.2.2 255.255.255.0ip ospf 100 area 2! Optional MD5 authentication configuredip ospf authentication message-digestip ospf message-digest-key 1 md5 FooBar! Give C second priority (BDR) in electionip ospf priority 50!!!!!!interface Loopback0ip address 10.0.34.3 255.255.255.0!router ospf 100! Define area 9 as a totally stubby areaarea 9 stub no-summary! Virtual link from area 9 to area 0area 2 virtual-link 10.0.34.2
interface Ethernet0/0description Area 0ip address 192.168.0.2 255.255.255.0ip ospf 100 area 0!interface Ethernet0/1description Area 2ip address 192.168.2.1 255.255.255.0ip ospf 100 area 2! Optional MD5 authentication configuredip ospf authentication message-digestip ospf message-digest-key 1 md5 FooBar! Give B priority in DR electionip ospf priority 100!interface Ethernet0/2description Area 1ip address 192.168.1.1 255.255.255.0ip ospf 100 area 1!interface Loopback0ip address 10.0.34.2 255.255.255.0!router ospf 100! Define area 1 as a stub areaarea 1 stub! Virtual link from area 0 to area 9area 2 virtual-link 10.0.34.3
Router A
Router CRouter B
Network Types
DR/BDR Elected
Nonbroadcast (NBMA)
Multipoint Broadcast
Neighbor Discovery
Hello/Dead Timers
Defined By
Supported Topology
Multipoint Nonbroadcast Broadcast Point-to-Point
Yes
No
30/120
RFC 2328
Full Mesh
No
Yes
30/120
RFC 2328
Any
No
No
30/120
Cisco
Any
Yes
Yes
10/40
Cisco
Full Mesh
No
Yes
10/40
Cisco
Point-to-Point
Area 0
A
BackboneArea 9
Totally Stubby Area
Area 1Stub Area
Area 2Standard Area
WAN172.16.0.0/18
BC
packetlife.net
by Jeremy Stretch v2.1-r1
BGP · PART 1
Type
About BGP
eBGP AD
iBGP AD
Path Vector
20
200
Standard
Protocols
Transport
Authentication
RFC 4271
IP
TCP/179
MD5
Path Selection
Attribute
Weight Administrative preference
Description
1
Preference
Highest
Local PreferenceCommunicated between peers within an AS
172.16.0.0/30 is subnetted, 2 subnetsC 172.16.0.4 is directly connected, S1/1C 172.16.0.0 is directly connected, S1/0C 192.168.1.0/24 is directly connected, F2/0B 192.168.2.0/24 [20/100] via 172.16.0.2B 192.168.3.0/24 [20/100] via 172.16.0.2
172.16.0.0/30 is subnetted, 2 subnetsB 172.16.0.4 [20/0] via 172.16.0.1C 172.16.0.0 is directly connected, S1/0
10.0.0.0/30 is subnetted, 1 subnetsC 10.0.0.0 is directly connected, F0/0B 192.168.1.0/24 [20/0] via 172.16.0.1C 192.168.2.0/24 is directly connected, F2/0O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0
Virtual Router Redundancy Protocol (VRRP)An open-standard alternative to Cisco's HSRP, providing the same functionality
Hot Standby Router Protocol (HSRP)Provides default gateway redundancy using one active and one standby router; standardized but licensed by Cisco Systems
Gateway Load Balancing Protocol (GLBP)Supports arbitrary load balancing in addition to redundancy across gateways; Cisco proprietary
Feasible DistanceThe distance advertised by a neighbor plus the cost to get to that neighbor
Reported DistanceThe metric for a route advertised by a neighbor
Stuck In Active (SIA)The condition when a route becomes unreachable and not all queries for it are answered; adjacencies with unresponsive neighbors are reset
Passive InterfaceAn interface which does not participate in EIGRP but whose network is advertised
Stub RouterA router which advertises only a subset of routes, and is omitted from the route query process
First Customer Shipment (FCS)The release is made available to Cisco customers on CCO
IOS Version Verification
show version
dir <filesystem>:
verify <filesystem>:<image>
End of Sale (EOS)The release is no longer orderable or included in manufactured shipments
End of Engineering (EOE)The last day for software fixes; only TAC assistance is offered from this point
End of Life (EOL)The last day for TAC support; release becomes obsolete; upgrade is only option for continued support
EOS Notice
EOS
EOE
EOL
IOS Package Trees
Advanced IP Services
Advanced Enterprise Services
Enterprise Services
Advanced
SecuritySP Services
Enterprise
Base
IP Voice
IP Base
Advanced Enterprise Services
Advanced IP Services Enterprise Services
IP Base
IP Services
IOS Filename
c3725-entbase-mz.124-6.T.bin
Hardware
Feature Set
Memory Location
Compression Format
Maintenance Release
Individual Release
T Designator
Deployment Classifications
3.2.1Major Release
Minor Release
Maintenance Release
IOS XR
12.2(25)SEB4Release
Individual Release
Numbered Version
S Train
12.4(9)T1Maintenance Release
Individual Release
New Feature Identifier
Numbered Version
T Train
12.4(7a)Maintenance Release
Individual Release
Numbered Version
Mainline
General Deployment (GD)A major release considered qualified for deployment on critical devices
Early Deployment (ED)Offers new feature, platform, or interface support
Deferred (DF)Known defective images; should not be installed
Limited Deployment (LD)A major release prior to reaching its GD milestone
0 12 24 36 48 60 72 84
Months
COMMON PORTS packetlife.net
TCP/UDP Port Numbers
7 Echo
19 Chargen
20-21 FTP
22 SSH/SCP
23 Telnet
25 SMTP
42 WINS Replication
43 WHOIS
49 TACACS
53 DNS
67-68 DHCP/BOOTP
69 TFTP
70 Gopher
79 Finger
80 HTTP
88 Kerberos
102 MS Exchange
110 POP3
113 Ident
119 NNTP (Usenet)
123 NTP
135 Microsoft RPC
137-139 NetBIOS
143 IMAP4
161-162 SNMP
177 XDMCP
179 BGP
201 AppleTalk
264 BGMP
318 TSP
381-383 HP Openview
389 LDAP
411-412 Direct Connect
443 HTTP over SSL
445 Microsoft DS
464 Kerberos
465 SMTP over SSL
497 Retrospect
500 ISAKMP
512 rexec
513 rlogin
514 syslog
515 LPD/LPR
520 RIP
521 RIPng (IPv6)
540 UUCP
554 RTSP
546-547 DHCPv6
560 rmonitor
563 NNTP over SSL
587 SMTP
591 FileMaker
593 Microsoft DCOM
631 Internet Printing
636 LDAP over SSL
639 MSDP (PIM)
646 LDP (MPLS)
691 MS Exchange
860 iSCSI
873 rsync
902 VMware Server
989-990 FTP over SSL
993 IMAP4 over SSL
995 POP3 over SSL
1025 Microsoft RPC
1026-1029 Windows Messenger
1080 SOCKS Proxy
1080 MyDoom
1194 OpenVPN
1214 Kazaa
1241 Nessus
1311 Dell OpenManage
1337 WASTE
1433-1434 Microsoft SQL
1512 WINS
1589 Cisco VQP
1701 L2TP
1723 MS PPTP
1725 Steam
1741 CiscoWorks 2000
1755 MS Media Server
1812-1813 RADIUS
1863 MSN
1985 Cisco HSRP
2000 Cisco SCCP
2002 Cisco ACS
2049 NFS
2082-2083 cPanel
2100 Oracle XDB
2222 DirectAdmin
2302 Halo
2483-2484 Oracle DB
2745 Bagle.H
2967 Symantec AV
3050 Interbase DB
3074 XBOX Live
3124 HTTP Proxy
3127 MyDoom
3128 HTTP Proxy
3222 GLBP
3260 iSCSI Target
3306 MySQL
3389 Terminal Server
3689 iTunes
3690 Subversion
3724 World of Warcraft
3784-3785 Ventrilo
4333 mSQL
4444 Blaster
4664 Google Desktop
4672 eMule
4899 Radmin
5000 UPnP
5001 Slingbox
5001 iperf
5004-5005 RTP
5050 Yahoo! Messenger
5060 SIP
5190 AIM/ICQ
5222-5223 XMPP/Jabber
5432 PostgreSQL
5500 VNC Server
5554 Sasser
5631-5632 pcAnywhere
5800 VNC over HTTP
5900+ VNC Server
6000-6001 X11
6112 Battle.net
6129 DameWare
6257 WinMX
6346-6347 Gnutella
6500 GameSpy Arcade
6566 SANE
6588 AnalogX
6665-6669 IRC
6679/6697 IRC over SSL
6699 Napster
6881-6999 BitTorrent
6891-6901 Windows Live
6970 Quicktime
7212 GhostSurf
7648-7649 CU-SeeMe
8000 Internet Radio
8080 HTTP Proxy
8086-8087 Kaspersky AV
8118 Privoxy
8200 VMware Server
8500 Adobe ColdFusion
8767 TeamSpeak
8866 Bagle.B
9100 HP JetDirect
9101-9103 Bacula
9119 MXit
9800 WebDAV
9898 Dabber
9988 Rbot/Spybot
9999 Urchin
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
19226 AdminSecure
19638 Ensim
20000 Usermin
24800 Synergy
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
31337 Back Orifice
33434+ traceroute
Legend
Chat
Encrypted
Gaming
Malicious
Peer to Peer
Streaming
IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch v1.1
packetlife.net
by Jeremy Stretch v2.0
FRAME MODE MPLSProtocol Header
MPLS Configuration
! Enable CEFip cef
! Select label protocolmpls label protocol ldp
! Enable MPLS on IP interfacesinterface FastEthernet0/0ip address 10.0.0.1 255.255.255.252mpls ip! Raise MPLS MTU to accommodate multilabel stackmpls mtu 1512
Terminology
Tag Distribution Protocol (TDP)Cisco's proprietary predecessor to LDP
Label Distribution Protocol (LDP)Standards-based label distribution protocol defined in RFC 3036
Interim Packet PropagationAn LSR temporarily falls back to IP routing while waiting to learn the necessary MPLS label(s)
Label-Switched Path (LSP)The unidirectional path through one or more LSRs taken by a label-switched packet belonging to an FEC
Forwarding Equivalence Class (FEC)A group of packets which are forwarded in an identical manner, typically by destination prefix and/or traffic class
Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail] (LIB)
show mpls forwarding-table [detail] (LFIB)
show ip cef [detail] (FIB)
Label (20 bits) · Unique label value
Bottom of Stack (1 bit) · Indicates label is last in the stack
Time To Live (8 bits) · Hop counter mapped from IP TTL
Traffic Class (3 bits) · CoS-mapped QoS marking
Label
8 16 24 32
TC S TTL
L2 IP
Label stack
Label Switched Path
Customer (C) · IP-only routers internal to customer network
Provider Edge (PE) · LSRs on the MPLS-IP boundary
Provider (P) · MPLS-only LSRs in provider network
Customer Edge (CE) · C routers which face PE routers
Label Protocols
LDP
UDP/646Hello Port
224.0.0.2Hello Address
Proprietary
Adjacency Port
No
TCP/646
PE PE
LSP
Provider Network
Customer Network
P P
P
CE CEC C
TDP
UDP/711
255.255.255.255
Cisco
TCP/711
Conceptual Components
Forwarding/Data PlaneForwards packets based on label or destination IP address (includes the FIB and LFIB)
Control PlaneFacilitates label exchange between neighboring LSRs using LDP or TDP (includes the LIB)
Label Information Base (LIB)Contains all labels learned by an LSR via a label distribution protocol
Forwarding Information Base (FIB)Routing database for unlabeled (IP) packets
Label FIB (LFIB)Routing database for labeled (MPLS) packets
Penultimate Hop Popping (PHP)The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup
debug mpls […]
by Ivan Pepelnjak www.NIL.com · www.NIL.com/go/community · blog.ioshints.info
MPLS VPN version 1.0
Terminology PE-router: a provider router connected to customer networks P-router: a provider router with no customer links CE-router: a customer router connected to the Service Provider network VRF: Virtual routing and forwarding table MP-BGP: Multi-protocol BGP VPNv4: 96-bit address composed of 64-bit RD and 32-bit IP address RD (Route Distinguisher): 64-bit value that makes customer IP addresses globally unique. Usually written in the AS:NN notation. RT (Route Target): 64-bit BGP community that controls route import/export between VPNv4 BGP table and customer VRF
Route Distinguisher formats 0x0000 localAS num
AS number + 4-byte local identifier (AS:NN)
0x0000 AS num local
0x0001 IP address local IP address + 2-byte local identifier (A.B.C.D:NN)
0x0001 IP address local
0x0002 AS num (4 byte) local 4-byte AS number + 2-byte local identifier (AS:NN)
0x0002 AS num (4 byte) local
Route Target formats 0x00 localAS num0x030x00 0x03 AS num local
AS number + 4-byte local identifier (AS:NN)
IP address + 2-byte local identifier (A.B.C.D:NN)
Reference diagram P-network
Simple customer site
Multi-homed customer site
P-1P-1
P-2P-2
CC
CE-ACE-A
CE-BCE-B
PE-APE-A
PE-BPE-B
PE-CPE-C
PE-DPE-D
CE-CCE-C
CE-DCE-DC-network
C-network
Simple Core Design Rules Configure IBGP sessions between PE-routers. Use BGP route reflectors for scalability. Run IBGP sessions between loopback interfaces. Advertise PE loopback interface with correct mask Do not summarize loopback addresses Establish end-to-end MPLS paths between PE-routers. Use LDP in simple networks.
Simple VPN Design Rules Create one VRF for each customer connected to a PE-router. Use the same VRF name on all PE-routers (not required) Use unique RD and RT values for each customer. Make RD equal to RT. Use the same RD and RT on all PE routers.
Simple PE-CE Design Rules Use numbered PE-CE interfaces (private IP addresses are OK) Use BGP as PE-CE routing protocol if possible When using BGP, use a unique AS number for each customer site Do not mix different non-BGP PE-CE routing protocols in the same VPN. Mixing BGP with other PE-CE routing protocols is acceptable Redistribute PE-CE routing protocol into MP-BGP. Redistribute connected interfaces and static routes into MP-BGP If possible, do not redistribute MP-BGP into PE-CE routing protocols. Default route advertisement is simpler.
VRF configuration for a simple VPN ip vrf vrf-name rd AS:NN route-target both AS:NN ! interface serial1/0 ip vrf forwarding vrf-name ip address address mask ! router bgp AS address-family ipv4 vrf vrf-name redistribute connected
Running BGP with the customer router bgp AS address-family ipv4 vrf vrf-name
Running OSPF with the customer router ospf process vrf vrf-name network address mask area ospf-area redistribute bgp AS subnets ! router bgp AS ! address-family ipv4 vrf vrf-name redistribute ospf process match internal external
Running EIGRP with the customer router eigrp provider-EIGRP-AS ! address-family ipv4 vrf vrf-name autonomous-system customer-EIGRP-AS network customer-IP-network no auto-summary redistribute bgp AS metric bw delay rel load mtu ! router bgp AS address-family ipv4 vrf vrf-name redistribute eigrp customer-EIGRP-AS
Running RIP with the customer router rip version 2 no auto-summary ! address-family ipv4 vrf vrf-name network customer-IP-network redistribute bgp AS metric transparent ! router bgp AS ! address-family ipv4 vrf vrf-name redistribute rip
MPLS VPN troubleshooting ping vrf name ip address [size len] [repeat count] trace vrf name ip address [ttl min max] telnet address /vrf name [/source interface] trace mpls ipv4 remote-PE-address/32 show ip vrf [detail|interfaces] show ip protocol vrf name show ip route vrf name show ip cef vrf name show ip bgp vpnv4 all summary show ip bgp vpnv4 vrf name show ip bgp vpnv4 vrf name prefix show ip bgp vpnv4 rd rd-value show ip bgp vpnv4 rd rd-value prefix
! Define a RADIUS serverradius-server host 10.0.0.100radius-server key MyRadiusKey! Configure 802.1X to authenticate via AAAaaa new-modelaaa authentication dot1x default group radius! Enable 802.1X authentication globallydot1x system-auth-control
Global Configuration
! Static access modeswitchport mode access! Enable 802.1X authentication per portdot1x port-control auto! Configure host mode (single or multi)dot1x host-mode single-host! Configure maximum authentication attemptsdot1x max-reauth-req! Enable periodic reauthenticationdot1x reauthentication! Configure a guest VLANdot1x guest-vlan 123! Configure a restricted VLANdot1x auth-fail vlan 456dot1x auth-fail max-attempts 3
Interface Configuration
802.1X Packet Types EAP Codes
0 EAP Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert
1 Request
2 Response
3 Success
4 Failure
Terminology
EAP Over LANs (EAPOL)EAP encapsulated by 802.1X for transport across LANs
Extensible Authentication Protocol (EAP)A flexible authentication framework defined in RFC 3748
Authentication ServerA backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Troubleshooting
show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
EAP Header
EAP Flow Chart
SupplicantThe device (client) attached to an access link that requests authentication by the authenticator
AuthenticatorThe device that controls the status of a link; typically a wired switch or wireless access point
Guest VLANFallback VLAN for clients not 802.1X-capable
Restricted VLANFallback VLAN for clients which fail authentication
Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Reauth Period 1hr
Server Timeout 30s
EAP Req/Resp Types
1 Identity
2 Notification
3 Nak
4 MD5 Challenge
Supplicant Timeout 30s
Tx Period 30s
5 One Time Password
6 Generic Token Card
254 Expanded Types
255 Experimental
Port-Control Options
force-unauthorizedAlways unauthorized; authentication attempts are ignored
force-authorizedPort will always remain in authorized state (default)
autoSupplicants must authenticate to gain access
Identity Request
Identity Response
Challenge Request
Challenge Response
Success
Access Request
Access Challenge
Access Request
Access Accept
EAP RADIUS
Code Identifier Length Data
1 1 2
Version Type Length EAP
1 1 2
Supplicant Authenticator
Authentication
Server
packetlife.net
by Jeremy Stretch v2.2
IEEE 802.11 WLAN · PART 1IEEE Standards
802.11a
OFDMModulation
5 GHzFrequency
WLAN Types
Ad HocA WLAN between isolated stations with no central point of control; an IBSS
InfrastructureA WLAN attached to a wired network via an access point; a BSS or ESS
54 MbpsMaximum Throughput
1999Ratified
21/19Channels (FCC/ETSI)
802.11b
DSSS
2.4 GHz
11 Mbps
1999
11/13
802.11g
DSSS/OFDM
2.4 GHz
54 Mbps
2003
11/13
802.11n
OFDM
2.4/5 GHz
300 Mbps
2009
32/32
WLAN Components
Basic Service Area (BSA)The physical area covered by the wireless signal of a BSS
Basic Service Set (BSS)A set of stations and/or access points which can directly communicate via a wireless medium
Distribution System (DS)The wired infrastructure connecting multiple BSSs to form an ESS
Extended Service Set (ESS)A set of multiple BSSs connected by a DS which appear to wireless stations as a single BSS
Independent BSS (IBSS)An isolated BSS with no connection to a DS; an ad hoc WLAN
Measuring RF Signal Strength
Decibel (dB)An expression of signal strength as compared to a reference signal; calculated as 10log10(signal/reference)
dBm · Signal strength compared to a 1 milliwatt signal
dBw · Signal strength compared to a 1 watt signal
dBi · Compares forward antenna gain to that of an isotropic antenna
Terminology
Frame Types
Type
Authentication
Association
Class
Management
Management
Beacon
Probe
Management
Management
Clear to Send (CTS)
Request to Send (RTS)
Control
Control
Data
Acknowledgment (ACK)
Data
Control
Client Association
Probe Request
Probe Response
Authentication Request
Authentication Response
Association Request
Association Response
Modulations
Modulation
CCK
DQPSK
DBPSK
QPSK
BPSK
Throughput
5.5/11 Mbps
2 Mbps
1 Mbps
12/18 Mbps
6/9 Mbps
64-QAM
16-QAM
48/54 Mbps
24/36 Mbps
Basic Service Set Identifier (BSSID)A MAC address which serves to uniquely identify a BSS
Service Set Identifier (SSID)A human-friendly text string which identifies a BSS; 1-32 characters
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)The mechanism which facilitates efficient communication across a shared wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP)Net signal strength (transmitter power + antenna gain - cable loss)
IBSS BSS BSS
DS
ESS
DSSS
OFDM
Scheme
packetlife.net
by Jeremy Stretch v2.2
IEEE 802.11 WLAN · PART 2Distributed Coordination Function (DCF)
Interframe Spacing
Short IFS (SIFS)Used to provide minimal spacing delay between control frames or data fragments
DCF IFS (DIFS)Normal spacing enforced under DCF for management and non-fragment data frames
Arbitrated IFS (AIFS)Variable spacing calculated to accommodate differing qualities of service (QoS)
Extended IFS (EIFS)Extended delay imposed after errors are detected in a received frame
Encryption Schemes
Wired Equivalent Privacy (WEP)Flawed RC4 implementation using a 40- or 104-bit pre-shared encryption key (deprecated)
Wi-Fi Protected Access (WPA)Implements the improved RC4-based encryption Temporal Key Integrity Protocol (TKIP) which can operate on WEP-capable hardware
IEEE 802.11i (WPA2)IEEE standard developed to replace WPA; requires a new generation of hardware to implement significantly stronger AES-based CCMP encryption
Client Authentication
Open · No authentication is used
Pre-shared Encryption KeysKeys are manually distributed among clients and APs
Lightweight EAP (LEAP)Cisco-proprietary EAP method introduced to provide dynamic keying for WEP (deprecated)
EAP-TLSEmploys Transport Layer Security (TLS); PKI certificates are required on the AP and clients
EAP-TTLSClients authenticate the AP via PKI, then form a secure tunnel inside which the client authentication takes place (clients do not need PKI certificates)
Protected EAP (PEAP)A proposal by Cisco, Microsoft, and RSA which employs a secure tunnel for client authentication like EAP-TTLS
EAP-FASTDeveloped by Cisco to replace LEAP; establishes a secure tunnel using a Protected Access Credential (PAC) in the absence of PKI certificates
Quality of Service Markings
WMM
Gold
Platinum
802.11e
5/4
7/6
Bronze
Silver
2/1
3/0
RF Signal Interference
Reflection Scattering Absorption
Refraction Diffraction
Antenna Types
Directional · Radiates power in one focused direction
OmnidirectionalRadiates power uniformly across a plane
802.1p
4/3
6/5
2/1
0
Wi-Fi Multimedia (WMM)A Wi-Fi Alliance certification for QoS; a subset of 802.11e QoS
IEEE 802.11eOfficial IEEE WLAN QoS standard ratified in 2005; replaces WMM
IEEE 802.1pQoS markings in the 802.1Q header on wired Ethernet
IsotropicA theoretical antenna referenced when measuring effective radiated power
DIFSDIFS DIFS DIFS
A
B
C
D
Frame
Deferral Period
Random Backoff
Contention Window
packetlife.net
by Jeremy Stretch v1.0
IOS ZONE-BASED FIREWALL
Troubleshooting
show zone security
show zone-pair security
Security Zones
show policy-map type inspect
show class-map type inspect
! Defining security zoneszone security Trustedzone security Guestzone security Internet
! Service policies are applied to zone pairszone-pair security T2I source Trusted destination Internetservice-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internetservice-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trustedservice-policy type inspect Internet2Trusted
Terminology
Security ZoneA group of interfaces which share a common level of security
Zone PairA unidirectional pairing of source and destination zones to which a security policy is applied
Inspection PolicyAn inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps
Trusted Internet
Guest
Inspection Class Configuration
! Match by protocolclass-map type inspect match-any ByProtocolmatch protocol tcpmatch protocol udpmatch protocol icmp
! Match by access listip access-list extended MyACLpermit ip 10.0.0.0 255.255.0.0 any!class-map type inspect match-all ByAccessListmatch access-group name MyACL
Inspection Policy Actions
Drop Traffic is prevented from passing
Traffic is permitted to pass without stateful inspection
Pass
InspectTraffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction
Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy! Pass permitted stateless trafficclass VPN-Tunnelpass
! Stateful inspection with a parameter mapclass Allowed-Traffic2inspect MyParameterMap
! Drop and log unpermitted trafficclass class-defaultdrop log
Parameter MapAn optional configuration of protocol-specific parameters referenced by an inspection policy
debug zone security events
Parameter Map Configuration
parameter-map type inspect MyParameterMapalert onaudit-trail offdns-timeout 5max-incomplete low 20000max-incomplete high 25000icmp idle-time 3tcp synwait-time 3
show parameter-map type inspect
MPLS WAN Internet
Corporate
LAN
Guest
Wireless LANG0/2.10 G0/2.20
G0/0 G0/1
packetlife.net
by Jeremy Stretch v2.0
IPSECProtocols Encryption Algorithms
DES Symmetric 56
Type Key Length (Bits)
AES Symmetric
3DES Symmetric 168
Weak
Strength
Medium
RSA Asymmetric
128/192/256
1024+
Strong
Strong
Hashing Algorithms
MD5 128
Length (Bits)
SHA-1 160
Medium
Strength
Strong
Internet Security Association and Key Management Protocol (ISAKMP)A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP)Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH)Provides data integrity and peer authentication, but not data encryption; IP protocol 51
IPsec Modes
IKE Phases
Phase 1A bidirectional ISAKMP SA is established between peers to provide a secure management channel (IKE in main or aggressive mode)
Phase 1.5 (optional)Xauth can optionally be implemented to enforce user authentication
Phase 2Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)
Transport ModeThe ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted
Tunnel ModeA new IP header is created in place of the original; this allows for encryption of the entire original packet
! Configure a peer account if authentication will be usedusername peer-hostname password password
! Configure a local IP address pool if neededip pool name first-IP last-IP
interface Serial0/0! Enable PPP encapsulationencapsulation ppp! Enable CHAP and/or PAP for authenticationppp authentication { chap | pap } [ chap | pap ]! Enable compressioncompress { predictor | stac }! Enable peer IP address assignment (server side)peer default ip address { pool name | IP-address }! Enable IP address negotiation (client side)ip address negotiated
Troubleshooting
show ppp multilink
debug ppp authentication
PPP Components
Link Control Protocol (LCP)Provides for the establishment, configuration, and maintenance of a PPP link. Protocol-independent options are negotiated by LCP.
Network Control Protocol (NCP)A separate NCP is used to negotiate the configuration of each
network layer protocol (such as IP) carried by PPP.
debug ppp { negotiation | packet }
PPP Header
Address Control Protocol
8 16 24 32
Connection Phase Flowchart
Dead Establish
Authenticate
Network
Terminate
Auth Required
No Auth
Success
Failure
Admin Shutdown
Authentication Protocols
Plaintext Authentication Protocol (PAP)Original, obsolete authentication protocol which relies on the exchange of a plaintext key to authenticate peers (RFC 1334).
Challenge Handshake Authentication Protocol (CHAP)Authenticates peers using the MD5 checksum of a pre-shared secret
key (RFC 1994).
PPP Features
Protocol Multiplexing · Multiple NCPs
Optional Compression · Stacker/predictor
Loopback Detection · Provided by LCP
Load Balancing · Multilink PPP
Optional Authentication · PAP/CHAP
Multilink PPP Configuration
! Create the multilink interfaceinterface Multilink1ip address IP-address subnet-maskppp multilink group group
! Assign physical interfaces to the multilink groupinterface Serial0/0encapsulation pppppp multilink group group
StackerReplaces repetitive data with symbols from a dynamic dictionary (more processor-intensive)
PredictorAttempts to predict sequential data (more memory-intensive)
PPP Connection Example
LCP Configuration Request
LCP Configuration Ack
CHAP Challenge
CHAP Response
CHAP Success
IP Control Configuration Request
IP Control Configuration Ack
CDP Control Configuration Request
CDP Control Configuration Ack
Extensible Authentication Protocol (EAP)Provides MD5-based authentication similar to CHAP (RFC 3748). Could be expanded to support other EAP mechanisms as well.
packetlife.net
by Jeremy Stretch v2.0
QUALITY OF SERVICE · PART 1Quality of Service Models
Layer 2 QoS Markings
Medium
Ethernet Class of Service (CoS)
Name Type
3-bit 802.1p field in 802.1Q header
Frame Relay Discard Eligibility (DE) 1-bit drop eligibility flag
Best Effort · No QoS policies are implemented
Integrated Services (IntServ)Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-flow across all nodes in a path
Differentiated Services (DiffServ)Packets are individually classified and marked; policy decisions are made independently by each node in a path
IP Type of Service (TOS)
Ver HL LenTOS
Precedence
DSCP
Precedence/DSCP
Binary
111000 Reserved
DSCP
56
Prec.
7
110000 Reserved48 6
101110 EF46 5
10000032
410001034
10010036
10011038
01100024
301101026
01110028
01111030
01000016
201001018
01010020
01011022
0010008
100101010
00110012
00111014
000000 BE0 0
CS4
AF41
AF42
AF43
CS3
AF31
AF32
AF33
CS2
AF21
AF22
AF23
CS1
AF11
AF12
AF13
ATM
MPLS
Cell Loss Priority (CLP)
Traffic Class (TC)
1-bit drop eligibility flag
3-bit field compatible with 802.1p
IP QoS Markings
IP PrecedenceThe first three bits of the IP TOS field; limited to 8 traffic classes
Differentiated Services Code Point (DSCP)The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence
QoS Flowchart
Hardware
Queue
Queuing
Decision
Scheduler
Software Queue
No
Yes
Software Queue
Software Queue
HW
Queue
Full?
Terminology
Per-Hop Behavior (PHB)The individual QoS action performed at each independent DiffServ node
Trust Boundary · Beyond this, inbound QoS markings are not trusted
Tail Drop · Occurs when a packet is dropped because a queue is full
PolicingImposes an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the policer rate is reclassified or dropped
ShapingSimilar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay
DSCP Per-Hop Behaviors
Class Selector (CS) · Backward-compatible with IP Precedence values
Assured Forwarding (AF) · Four classes with variable drop preferences
Expedited Forwarding (EF) · Priority queuing for delay-sensitive traffic
Congestion Avoidance
Random Early Detection (RED)Packets are randomly dropped before a queue is full to prevent tail drop; mitigates TCP synchronization
Weighted RED (WRED)RED with the added capability of recognizing prioritized traffic based on its marking
TCP SynchronizationFlows adjust TCP window sizes in synch, making inefficient use of a link
Class-Based WRED (CBWRED)WRED employed inside a class-based WFQ (CBWFQ) queue
packetlife.net
by Jeremy Stretch v2.0
QUALITY OF SERVICE · PART 2Queuing Comparison
Default on Interfaces >2 Mbps
FIFO
Number of Queues 1
Configurable Classes
Bandwidth Allocation
Provides for Minimal Delay
Modern Implementation
No
Automatic
No
Yes
No
PQ
4
Yes
Automatic
Yes
No
No
CQ
Configured
Yes
Configured
No
No
<=2 Mbps
WFQ
Dynamic
No
Automatic
No
No
No
CBWFQ
Configured
Yes
Configured
No
Yes
No
LLQ
Configured
Yes
Configured
Yes
Yes
First In First Out (FIFO) Priority Queuing (PQ) LLQ Config Example
! Match packets by DSCP valueclass-map match-all Voicematch dscp ef!class-map match-all Call-Signalingmatch dscp cs3!class-map match-any Critical-Appsmatch dscp af21 af22!! Match packets by access listclass-map match-all Scavengermatch access-group name Other
Class Definitions
policy-map Fooclass Voice! Priority queue policed to 33%priority percent 33
class Call-Signaling! Allocate 5% of bandwidthbandwidth percent 5
class Critical-Appsbandwidth percent 20! Extend queue size to 96 packetsqueue-limit 96
class Scavenger! Police to 64 kbpspolice cir 64000conform-action transmit exceed-action drop
class class-default! Enable WFQfair-queue! Enable WREDrandom-detect
Policy Creation
interface Serial0! Apply the policy in or outservice-policy output Foo
Policy Application
LLQ Config Example
show policy-map [interface]
Show interface
show queue <interface>
High
Medium
Normal
Low
Hardware
QueueHardware Queue
Tx
Ring
Custom Queuing (CQ)Weighted Fair Queuing (WFQ)
· Packets are transmitted in the order they are processed
· No prioritization is provided
· Default queuing method on high-speed (>2 Mbps) interfaces
· Configurable with the tx-ring-limit interface config command
· Provides four static queues which cannot be reconfigured
· Higher-priority queues are always emptied before lower-priority queues
· Lower-priority queues are at risk of bandwidth starvation
· Rotates through queues using Weighted Round Robin (WRR)
· Processes a configurable number of bytes from each queue per turn
· Prevents queue starvation but does not provide for delay-sensitive traffic
· Queues are dynamically created per flow to ensure fair processing
· Statistically drops packets from aggressive flows more often
· No support for delay-sensitive traffic
Class-Based WFQ (CBWFQ)Low Latency Queuing (LLQ)
· WFQ with administratively configured queues
· Each queue is allocated an amount/percentage of bandwidth
· No support for delay-sensitive traffic
· CBWFQ with the addition of a policed strict-priority queue
· Highly configurable while still supporting delay-sensitive traffic