CCNA Summary Notes
by Steven Crutchley, www.netquirks.co.uk

Spanning Tree Protocol (802.1D)

Problems with redundant links: broadcast storms, duplicate frame transmission, MAC database instability (Host A is on port 1... now wait, port 2). Layer 2 can't deal with these on its own (layer 3 can, with TTL etc., but an Ethernet frame has no hop count). Switches flood broadcast frames out all of their interfaces except the one on which the frame was received. STP puts some ports into a standby (blocking) state where they do not listen to, forward or flood data frames, so that there is only one active path to any given network segment at one time.

STP's 3 steps:
1. Elect a root bridge. All of the root's ports are designated (forwarding).
2. Select the root port on each non-root bridge (bridge = switch). The root port is the port closest to the root bridge based on accumulated path cost.
3. Select the designated port on each segment. This is based on the lowest cost to the root bridge (or the lowest BID if the cost is equal). Every other port is blocked.

BPDUs are exchanged every 2 seconds (hello time). Lowest BID = root.

The Bridge ID (BID) is included in BPDUs. BID = 2-byte bridge priority (32768 default) + 6-byte MAC address.

When STP is enabled all ports transition through Blocking -> Listening -> Learning and then stabilise in Forwarding or Blocking.

Port state diagram (802.1D):
- Link comes up -> Blocking.
- Blocking -> Listening once the port decides that it is the root port or a designated port, or when loss of BPDUs is detected (Max Age = 20 sec).
- Listening -> Learning after Forward Delay = 15 sec.
- Learning -> Forwarding after Forward Delay = 15 sec.
- Forwarding / Blocking are the stable states.

NB. These notes were created around 2009.
Newer versions of CCNA R&S have been released since then; however these notes still cover a large portion of the material.


When a switch boots up it assumes that it is the root bridge and moves from the Blocking to the Listening state. If a port is in the Blocking state for the Max Age (20 sec) and receives no BPDUs it moves to the Listening state. Whilst in the Listening state the port sends and receives BPDUs to determine the topology; it does not pass any user data. The 3 STP steps are done in this state. It spends 15 seconds (Forward Delay) there, then another 15 seconds in the Learning state, where it populates the MAC address table but still forwards nothing. THE LEARNING STATE REDUCES THE AMOUNT OF FLOODING REQUIRED WHEN DATA BEGINS FORWARDING. After that it moves to the Forwarding (root or designated port) or Blocking (non-designated port) state. In the Blocking state the port will receive BPDUs but not send or receive data.

PortFast
PortFast sends a port straight to the Forwarding state (e.g. if it is attached to a PC). It does not have to wait for STP convergence. Pair it with BPDU guard, which err-disables the port if a BPDU is received on it, so that a switch plugged into an access port cannot create a loop or take over as root.
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable              (use the no form to disable)
Switch(config)# spanning-tree portfast default                 (enables PortFast on all access ports)
Switch(config)# spanning-tree portfast bpduguard default       (BPDU guard on every PortFast port)
Switch# show running-config interface interface                (shows whether PortFast has been enabled)

Path costs (802.1D short values)
10 Gbps   2
1 Gbps    4
100 Mbps  19
10 Mbps   100
Normal time to convergence for STP is 30-50 seconds.

Other types of spanning tree
PVST+ (Per-VLAN Spanning Tree): one instance per VLAN. Uses more CPU and bandwidth. The BID gains a VLAN ID field by taking up part of the priority field: 12 bits of the 2-byte priority field are now an extended system ID (the VLAN ID), so the configurable priority is the top 4 bits (multiples of 4096).
Rapid Spanning Tree Protocol (802.1w): faster convergence. Adds alternate and backup port roles so that a failover does not have to wait for timers. Port roles are as follows:
Root -> forwarding port (same as STP).
Designated -> forwarding port elected for every switched LAN segment (same as STP).
Alternate -> alternate path to the root bridge (blocked; receives better BPDUs from another switch).


Backup -> provides a redundant, less desirable connection to a segment on which this switch already has the designated port (blocked; receives BPDUs from the same switch). Only exists where two ports are connected to each other in a loop by a point-to-point link OR where a bridge has two connections to the same shared LAN segment.
Disabled -> plays no role.
The Learning and Forwarding states are identical in RSTP and STP. Everything else in RSTP is Discarding.
Switch(config)# spanning-tree mode rapid-pvst                  (enables Rapid PVST+)
Switch# show spanning-tree vlan vlan_number [detail]            (shows info per VLAN)
Switch# debug spanning-tree pvst+                               (debugs PVST+ events)
Switch# debug spanning-tree switch state                        (debugs port state changes)
Rapid PVST+ (Per-VLAN Rapid Spanning Tree) combines the above two methods: one RSTP instance per VLAN.
Multiple Spanning Tree Protocol (802.1s): maps multiple VLANs onto one spanning-tree instance. Merged into 802.1Q-2003.
Selecting the root bridge: choose it deliberately and make it central; do not leave it to whichever switch has the lowest MAC address.
Switch(config)# spanning-tree vlan vlan_number root {primary | secondary}   (sets this switch as root bridge or backup; you can have multiple backups)

Security

Things to consider when inserting new equipment
1. Consider current security policies.
2. Secure switch access.

A well-established policy has these features:
• You can audit the security setup
• Framework
• Defines how to treat unwanted electronic data
• Procedures
• Consensus among decision makers
• Incident management


• Enterprise-wide plan

Securing switching devices
• Enable secret password (stored hashed, unlike the enable password).
• Good passwords.
• Console and vty security (passwords and ACLs on the lines).
• Use SSH, not Telnet: Telnet sends everything, including passwords, in plaintext. Older IOS only offered SSH v1; use v2 (ip ssh version 2) where the image supports it.
• Disable the integrated HTTP daemon if it is not used. If it is needed, restrict it with ACLs.
• Warning banners.
• Disable unneeded services: no service [tcp-small-servers | finger | config].
• Configure basic logging.
• Encrypt passwords (service password-encryption). This is the reversible type 7 obfuscation: it stops shoulder surfing, not anyone who has the config file, so use enable secret for the enable password.

Securing switch protocols
• Manage CDP, so that reconnaissance can't be done from it (it advertises platform, IOS version and addresses). Disable it globally if it is not needed; otherwise disable it per port on untrusted ports.
• Secure STP. Set the root and backup root bridges manually. Use BPDU guard on access ports (and root guard on ports that must never lead towards the root).

Mitigating compromises launched through a switch
• Disable unused ports or put them in a "parking-lot" VLAN as access ports.
• Disable automatic negotiation of trunking (DTP): DoS, VLAN hopping / redirection etc. are the threats. Password-protect VTP.
• Monitor PHYSICAL placement.
• Port-based security. switchport host puts the port in access mode with no channelling and STP PortFast; the no form reverses it. default interface returns the interface to its default configuration.

Using the "port security" feature

This is used on a switch to accept only particular MAC addresses on a port.

• Dynamic: you care about how many MACs connect rather than which specific ones.
• Static: specify the MAC addresses that are allowed.
• Combination of static and dynamic.


• Sticky learning: dynamically learn a MAC and then add it to the configuration as a static entry.

If an unauthorised MAC attempts to connect the switch can shut down the port (err-disabled), or drop that MAC's traffic and log the violation.

802.1X port-based authentication

The client requests access to the switch port. The switch communicates with an authentication server. Until authentication takes place only Extensible Authentication Protocol over LAN (EAPOL) traffic is allowed through the switch port.

Client: needs 802.1X client software (XP offers this). The client attached to the port is called the supplicant.

Authentication server: gives the permit/deny decision to the switch, which acts as its proxy. It is invisible to the client. RADIUS with EAP extensions is the only supported server.

Switch (authenticator): controls physical access based on the authentication status. Acts as the proxy between client and server. Has a RADIUS software client. Encapsulates/decapsulates EAP frames.

The port is initially in the unauthorised state. It goes to authorised once the server says so. If the switch asks for the client's identity (authentication initiator) and the client doesn't support 802.1X... tough, the port stays unauthorised. If the client sends an EAPOL-Start frame and gets no response (no 802.1X on the switch) it just sends traffic as if the port were open. When a client logs out -> it sends an EAPOL-Logoff message -> the port changes back to unauthorised.


EIGRP (the hybrid)

Rapid convergence using DUAL. Sends partial updates about only the parts that have changed, and only when they change. PDMs (protocol-dependent modules) are used. Uses multicast (224.0.0.10) and unicast. NO BROADCAST. Easy summarisation anywhere in the network.

EIGRP has a NEIGHBOUR TABLE and a TOPOLOGY TABLE (as well as the routing table).

Successor route -> best route to a destination.

Feasible successor -> backup route.

Advertised distance (AD) -> distance for a NEIGHBOUR to reach a network.

Feasible distance (FD) -> distance to the neighbour + advertised distance.

Troubleshooting switches (checklist)

Physical layer: cable type? Cat? length? VLAN members? ports admin up?
LAN/trunks: duplex mismatch? natives match? trunk modes?
VTP: see VLANs in show run? VTP info exchanging?
STP: use a diagram; identify the loop; VLAN to subnet? inter-VLAN L3? inserted switch? inactive after power cycle? check the log; verify root & RSTP.


Summarisation
EIGRP will automatically summarise at a classful boundary. You may not want this if you have discontiguous networks. Use the no auto-summary command to disable auto-summarisation.

Load balancing across unequal paths
2 conditions must be met:
- the next router in the path must be closer to the destination (feasibility condition: its advertised distance is less than the current feasible distance);
- the alternative path's metric must be less than the current feasible distance * variance (* = 'multiplied by').
If the alternative route does not satisfy both you can't use it.

Metric

Bandwidth and delay (by default; only K1 and K3 are non-zero).

Configure
RouterA(config)# router eigrp 100             (100 is the autonomous system number: any value, there is no need to register it, but it must match on every neighbour)
RouterA(config-router)# network 192.168.3.0
RouterA(config-router)# network 192.168.4.0
RouterA(config-router)# no auto-summary
RouterA(config-router)# variance 5            (metric of the alternative path has to be within 5 times the feasible distance)
RouterA(config-router)# exit
RouterA(config)# interface fa0/1
RouterA(config-if)# bandwidth bandwidth-in-kbps

For a route to become a feasible successor (backup), the next-hop router must have an advertised distance that is less than the feasible distance of the current router (i.e. the neighbour must be closer to the destination than the current router).
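The successor / feasible successor / variance rules above, applied to a constructed neighbour table. This is an added example, not from the notes: the neighbours and metrics are made up (plain integers stand in for EIGRP's composite metric, which compares the same way). It shows the case the notes hint at but do not spell out: a path with the same metric as a feasible successor is still unusable for load balancing if it fails the feasibility condition.

```python
"""EIGRP successor, feasible-successor and variance selection for one prefix.

Added example, not from the original notes. The neighbour table is constructed;
metrics are plain integers (real EIGRP composite metrics compare the same way).
"""

# Constructed neighbour table for one destination prefix:
# (neighbour, advertised distance = the neighbour's own metric, cost of the link to that neighbour)
NEIGHBOURS = [("R2", 20, 10), ("R3", 25, 20), ("R4", 35, 10)]


def eigrp_paths(neighbours, variance=1):
    """Apply the two rules from the notes and return what goes into the tables."""
    # Our metric via each neighbour (the feasible distance through it) = AD + link cost.
    paths = [(name, ad, ad + cost) for name, ad, cost in neighbours]
    successor = min(paths, key=lambda p: (p[2], p[0]))
    fd = successor[2]  # feasible distance = our best metric
    # Feasibility condition: a backup's AD must be strictly less than our FD,
    # i.e. the neighbour is closer to the destination than we are, so it cannot
    # be routing through us (loop-free without running DUAL's active process).
    feasible = [p for p in paths if p is not successor and p[1] < fd]
    # Unequal-cost load balancing: feasible AND metric < FD * variance.
    installed = [successor] + [p for p in feasible if p[2] < fd * variance]
    return {
        "successor": successor[0],
        "fd": fd,
        "feasible_successors": [p[0] for p in feasible],
        "installed": [p[0] for p in installed],
    }


if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", eigrp_paths(NEIGHBOURS, variance=v))
```

R3 and R4 both reach the prefix at metric 45, but R4 advertises 35, which is not below our FD of 30, so R4 never becomes a feasible successor and `variance 2` admits only R3.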


Show commands

show ip protocols            (shows metrics and parameters of current protocols)
show ip eigrp neighbors      (shows neighbours)
show ip eigrp interfaces     (shows interfaces running EIGRP; can specify an interface or AS)
show ip route eigrp          (routing table EIGRP details)
show ip eigrp topology       (shows all learned routes, successors and feasible successors)
debug eigrp neighbors        (shows neighbour states and hello packets)
debug eigrp packets          (view the neighbour adjacency process)

Authentication
RouterA(config)# interface fa0/1
RouterA(config-if)# ip authentication mode eigrp process-id md5
RouterA(config-if)# ip authentication key-chain eigrp process-id key-chain-name
RouterA(config-if)# exit
RouterA(config)# key chain name-of-key-chain                  (create the chain)
RouterA(config-keychain)# key number                          (create a key)
RouterA(config-keychain-key)# key-string text                 (text is the password)
RouterA(config-keychain-key)# accept-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
RouterA(config-keychain-key)# send-lifetime 04:00:00 Jan 1 2006 infinite

EIGRP troubleshooting (checklist)

Neighbours: interfaces up/up? common subnets? network 10.0.0.0 statement ok? hello packets match? (AS number / K values)
Routing table: networks advertised? route filters? discontiguous networks (auto-summary)? duplicate router IDs?
EIGRP authentication: key mismatch? bad timing (lifetimes / clocks)?


EIGRP key chains

Each router stores its key chain LOCALLY. Key ID + key string (the password) -> authentication key. The receiving router authenticates the SOURCE of every routing update it receives.

KEYCHAIN1 (example definitions):
Authentication key 1: active from 9am to 10am
Authentication key 2: active from 9.55am to 11am
Authentication key 3: active from 10.55am to 12 noon
Authentication key 4: active from 11.55am to 1pm
The lifetimes overlap so that keys can be rolled over without dropping adjacencies (clocks must agree, so run NTP).

Only one authentication digest is sent per packet. The receiving router looks through its key chain until it finds a key with that key ID that is valid at that time.

RouterA(config)# interface fa0/1
RouterA(config-if)# ip authentication mode eigrp process-id md5
RouterA(config-if)# ip authentication key-chain eigrp process-id key-chain-name
RouterA(config-if)# exit
RouterA(config)# key chain name-of-key-chain
RouterA(config-keychain)# key number
RouterA(config-keychain-key)# key-string text
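The key-chain rotation described above (one digest sent, receiver searches its chain, "bad timing" and "key mismatch" from the troubleshooting list) as an added example, not from the notes. The four keys mirror the diagram's overlapping lifetimes. The digest here is a plain MD5 over packet + key string as a stand-in: the real EIGRP and OSPF MD5 constructions differ in layout, and the point of the block is the key selection and lifetime checks, not the hash format. Sending with the lowest-numbered valid key is how the example models IOS behaviour.

```python
"""Routing-protocol key-chain rotation: pick the key to sign with and validate
a received key ID against accept-lifetimes.

Added example, not from the original notes. The chain mirrors the four
overlapping lifetimes in the diagram (key 1 09:00-10:00, key 2 09:55-11:00,
key 3 10:55-12:00, key 4 11:55-13:00). The digest is a plain MD5 over
packet + key string as a stand-in for IOS's EIGRP/OSPF MD5 layouts.
"""
from datetime import datetime, time
import hashlib
import hmac

# (key number, key-string, accept-lifetime (start, end), send-lifetime (start, end))
KEYCHAIN1 = [
    (1, "key-one", (time(9, 0), time(10, 0)), (time(9, 0), time(10, 0))),
    (2, "key-two", (time(9, 55), time(11, 0)), (time(9, 55), time(11, 0))),
    (3, "key-three", (time(10, 55), time(12, 0)), (time(10, 55), time(12, 0))),
    (4, "key-four", (time(11, 55), time(13, 0)), (time(11, 55), time(13, 0))),
]


def _within(window, now):
    start, end = window
    return start <= now.time() < end  # same-day windows only; enough for this example


def send_key(chain, now):
    """Only one digest is sent per packet: the lowest-numbered key whose
    send-lifetime is valid (modelled on IOS behaviour)."""
    for number, secret, _accept, send in sorted(chain, key=lambda k: k[0]):
        if _within(send, now):
            return number, secret
    return None


def _digest(packet, secret):
    return hashlib.md5(packet + secret.encode()).hexdigest()


def sign(chain, packet, now):
    """Return (key number, digest) as they would be carried in the update."""
    selected = send_key(chain, now)
    if selected is None:
        raise RuntimeError("no key in the chain has a valid send-lifetime")
    number, secret = selected
    return number, _digest(packet, secret)


def verify(chain, packet, number, digest, now):
    """Receiver: find the key with that number, check its accept-lifetime,
    then compare digests in constant time."""
    for candidate, secret, accept, _send in chain:
        if candidate != number:
            continue
        if not _within(accept, now):
            return False  # 'bad timing': the key exists but is not accepted at this time
        return hmac.compare_digest(digest, _digest(packet, secret))
    return False  # 'key mismatch': no key with that number in the chain


if __name__ == "__main__":
    update = b"EIGRP update: 10.0.0.0/8 metric 2816"   # constructed packet body
    at = datetime(2006, 1, 1, 10, 30)
    number, digest = sign(KEYCHAIN1, update, at)
    print("signed with key", number, "accepted:", verify(KEYCHAIN1, update, number, digest, at))
    print("same packet an hour later:", verify(KEYCHAIN1, update, number, digest, datetime(2006, 1, 1, 11, 30)))
```

At 09:57 both key 1 and key 2 are valid and key 1 is still used, which is why the accept window on the receiver must stay open past the sender's switch-over.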


OSPF

Link (interface) state. The collection of link states forms the link-state database.

LSA
Re-flooded every 30 minutes or when something changes.

Topological database
An overall view of the network. All routers in the same area have an identical topological database.

Hierarchy
Autonomous System (domain) -> Area

Each AS must have a backbone (area 0). Off that backbone can hang STUB AREAS, TOTALLY STUBBY AREAS and NSSAs, to help keep routing table size down.

Area Border Routers (ABRs) connect the other areas to the backbone. An ABR advertises a default route into a stub area in place of the routes it filters out. An ASBR is the border to another AS (it redistributes external routes).

Neighbour adjacencies
Established using the HELLO protocol. Bidirectional communication = a router sees itself in the neighbour's hello packet. 224.0.0.5 is the multicast address that HELLO packets are sent to.
HELLO PACKET fields:
Router ID: 32-bit ID, the highest loopback address (no loopback = highest active interface IP).
Hello interval: how often hellos are sent. Default = 10 s (30 s on non-broadcast links).
Dead interval: how long a router will wait before declaring a neighbour out of service (4 times the hello interval).
Neighbours: adjacent routers with bidirectional communication.
Area ID: needs to be the same.
Router priority: 8-bit number used to determine who is DR and BDR.
IP of DR and BDR.
Authentication: if enabled both sides must share the same password (and authentication type).
Stub area flag: helps to reduce routing table size by providing a default route; must match.



SPF algorithm

Dijkstra's algorithm puts the router at the root of the tree and calculates the best path to all other nodes. LSAs are flooded so that every router runs it over the same database.

Metric

Metric = 100,000,000 / speed in bps (reference bandwidth 100 Mbps; higher bandwidth = lower and better cost). Anything at 100 Mbps or faster gets cost 1 unless the reference bandwidth is raised, and it must be raised on every router in the domain.

To change the reference bandwidth use the auto-cost reference-bandwidth ref-bw (in Mbps) command under router ospf.

Configure

RouterA# clear ip ospf process                            (restarts all OSPF processes; privileged EXEC)
RouterA(config)# router ospf 100                          (100 is the process ID. Need not match between routers)
RouterA(config-router)# network 192.168.3.0 0.0.0.255 area 0
RouterA(config-router)# network 192.168.4.0 0.0.0.255 area 0
RouterA(config-router)# maximum-paths 6                   (default 4. Up to 16)
RouterA(config-router)# exit
RouterA(config)# interface loopback0                      (loopback interface is used as the router ID)
RouterA(config-if)# ip address 192.168.99.99 255.255.255.255   (creates the router ID value)
RouterA(config-if)# exit
RouterA(config)# interface fa0/0
RouterA(config-if)# ip ospf cost 10                       (set the OSPF cost)
RouterA(config)# interface fa0/1
RouterA(config-if)# ip ospf cost 10                       (set the OSPF cost)
Using wildcards on non-8-bit boundaries is error-prone. Use the IP of each interface with a 0.0.0.0 wildcard to avoid this problem.
Loopback interface: advertised = can be reached across the network (useful for management); unadvertised = saves address space.
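The cost formula and the SPF run above, as an added example (not from the notes). The three-router link-state database is constructed; each link carries the interface `bandwidth` value in kbps that OSPF reads. It shows the trap the metric paragraph warns about: with the default 100 Mbps reference, FastEthernet and GigabitEthernet both cost 1, so R1 prefers the direct 100 Mbps link to R3 over the two-hop gigabit path until the reference bandwidth is raised.

```python
"""OSPF interface cost and a Dijkstra SPF run over a small link-state database.

Added example, not from the original notes. The topology is constructed:
each link carries the interface bandwidth in kbps that OSPF reads. Cost
follows the notes' formula, reference bandwidth / interface bandwidth, with
the 100 Mbps default reference bandwidth unless overridden.
"""
import heapq
from math import inf

# Constructed LSDB: undirected links with bandwidth in kbps.
LINKS = [("R1", "R2", 1_000_000), ("R2", "R3", 1_000_000), ("R1", "R3", 100_000)]


def ospf_cost(bandwidth_kbps, reference_bw_mbps=100):
    """cost = reference bandwidth / interface bandwidth, minimum 1.
    With the default reference of 100 Mbps, every link of 100 Mbps or faster
    gets cost 1, so FastEthernet and GigabitEthernet look identical."""
    return max((reference_bw_mbps * 1000) // bandwidth_kbps, 1)


def build_lsdb(links):
    lsdb = {}
    for a, b, bw in links:
        lsdb.setdefault(a, {})[b] = bw
        lsdb.setdefault(b, {})[a] = bw
    return lsdb


def spf(lsdb, root, reference_bw_mbps=100):
    """Dijkstra with this router at the root of the tree (the SPF algorithm).
    Returns (distance to each router, predecessor map)."""
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, inf):
            continue  # stale heap entry
        for v, bw in lsdb[u].items():
            nd = d + ospf_cost(bw, reference_bw_mbps)
            if nd < dist.get(v, inf):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path(prev, root, dst):
    """Walk predecessors back from dst to the root."""
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


if __name__ == "__main__":
    lsdb = build_lsdb(LINKS)
    for ref in (100, 10_000):
        dist, prev = spf(lsdb, "R1", ref)
        print(f"reference {ref} Mbps: R1->R3 cost {dist['R3']} via {path(prev, 'R1', 'R3')}")
```

Raising the reference to 10,000 Mbps (`auto-cost reference-bandwidth 10000`) on every router makes the gigabit links cost 10 and the 100 Mbps link cost 100, and R1 then routes to R3 via R2. Doing it on only some routers gives each router a different view of the same link, which is where asymmetric routing comes from.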


Show commands

show ip protocols                   (shows parameters for the router: timers, filters, metrics)
show ip ospf                        (shows OSPF settings and statistics, times SPF has been run)
show ip ospf neighbor               (shows neighbours)
show ip ospf neighbor router-id     (shows details for that neighbour)
show ip route ospf                  (routing table OSPF details)
show ip ospf interface serial0      (shows OSPF details on that interface: timer intervals, hello intervals, neighbour adjacencies)
show ip ospf interface              (lists all interfaces in OSPF)
debug ip ospf events                (IP wrong, hello/dead intervals wrong)
debug ip ospf packet                (captures log messages being sent and received)
debug ip ospf adj                   (captures the authentication process and hello packet mismatches)
debug ip ospf hello                 (captures hello messages)

Authentication
Plaintext (type 1; avoid it, the password is visible on the wire):
RouterA(config)# interface fa0/1
RouterA(config-if)# ip ospf authentication-key password
RouterA(config-if)# ip ospf authentication
RouterA(config-if)# exit
or enable it for the whole area instead of per interface:
RouterA(config)# router ospf 100
RouterA(config-router)# area 0 authentication
MD5 (type 2):
RouterA(config)# router ospf 100
RouterA(config-router)# area 0 authentication message-digest
RouterA(config-router)# exit
RouterA(config)# interface fa0/1
RouterA(config-if)# ip ospf message-digest-key 1 md5 cisco

Version 3 (OSPFv3)
Advertises using multicast groups FF02::5 (all OSPF routers) and FF02::6 (all OSPF designated routers). Uses link-local addresses as the source.


Troubleshooting

OSPF neighbour states

Down: no adjacency.
Attempt: only on NBMA networks. Sends unicast hello packets at the hello interval.
Init: received a HELLO packet, but it can't see itself in there.
2-way: it has seen itself in the neighbour's HELLO packet. DR/BDR election happens here.
Exstart: the two routers establish a master/slave relationship and set the starting sequence numbers.
Exchange: send database description information back and forth.
Loading: link-state information is requested and sent to those who need it.
Full: full neighbour adjacency established. Neighbours have exchanged their databases.

LSA types

1: router LSA, generated by each router for each area it belongs to.
2: network LSA, generated by the DR, describing the set of routers attached to a particular network.

OSPF troubleshooting (checklist)

Neighbour adjacencies: interfaces up/up? are MTUs the same? neighbour config?
Routing table: hellos match? networks advertised? route filters?
Authentication: check type; check password.


ACLs

Ranges: Standard 1-99 & 1300-1999 (expanded range). Extended 100-199 & 2000-2699 (expanded range).
access-list number {permit | deny} protocol source wildcard [port] dest wildcard [port] [established] [log]
Protocols: IP, TCP, UDP, ICMP, GRE, IGRP.

Creating a dynamic ACL (lock-and-key)
Step 1: Create a user authentication method on the router (local or remote).
Step 2: Define an extended ACL to permit vty (Telnet) access to the router but block all other traffic.
Step 3: Create a dynamic entry in that extended ACL that is applied after the user has authenticated.
RouterX(config)# username test password test
RouterX(config)# username test autocommand access-enable host timeout 10
RouterX(config)# access-list 101 permit tcp any host 10.1.1.1 eq telnet
RouterX(config)# interface fa0/0
RouterX(config-if)# ip address 10.1.1.1 255.255.255.0
RouterX(config-if)# ip access-group 101 in
RouterX(config-if)# exit
RouterX(config)# access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config)# line vty 0 4
RouterX(config-line)# login local

Creating a reflexive ACL
RouterX(config)# ip access-list extended outboundfilters
RouterX(config-ext-nacl)# permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
RouterX(config-ext-nacl)# exit
RouterX(config)# ip access-list extended inboundfilters
RouterX(config-ext-nacl)# permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
RouterX(config-ext-nacl)# evaluate tcptraffic


RouterX(config-ext-nacl)# exit
RouterX(config)# interface fa0/0
RouterX(config-if)# ip address 172.16.1.2 255.255.255.0
RouterX(config-if)# ip access-group outboundfilters out     (the reflect entry creates temporary return entries)
RouterX(config-if)# ip access-group inboundfilters in       (the evaluate entry checks returning traffic against them)

Creating a time-based ACL
RouterX(config)# time-range EVERYOTHERDAY
RouterX(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
RouterX(config-time-range)# exit
RouterX(config)# access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
RouterX(config)# interface fa0/1
RouterX(config-if)# ip access-group 101 in
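How the router evaluates the access-list syntax above: top-down, first match wins, implicit deny at the end, with wildcard bits meaning "don't care". This is an added example, not from the notes; the ACL entries and packets are constructed. It also makes the OSPF section's warning about non-8-bit-boundary wildcards concrete: a /24 wildcard written against a /22 silently misses three quarters of the hosts, and a non-contiguous wildcard (0.0.0.254) matches only even-numbered hosts, which is rarely what the author meant.

```python
"""Top-down evaluation of a Cisco-style extended ACL with wildcard masks.

Added example, not from the original notes. The ACL entries and the test
packets are constructed. It also shows what the notes warn about: a wildcard
that does not line up with the subnet, and a non-contiguous wildcard.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

# Constructed ACL (think access-list 101): evaluated top-down, first match wins,
# implicit "deny ip any any" at the end.
ACL_101 = [
    {"action": "permit", "proto": "tcp", "src": ("10.1.1.0", "0.0.0.255"),
     "dst": ("172.16.1.0", "0.0.0.255"), "dport": 23},
    {"action": "permit", "proto": "icmp", "src": ("10.1.1.0", "0.0.0.255"),
     "dst": ("172.16.1.0", "0.0.0.255"), "dport": None},
    # Non-contiguous wildcard: 0.0.0.254 cares only about the lowest bit, so this
    # permits even-numbered hosts in 10.1.1.0/24 and nothing else.
    {"action": "permit", "proto": "ip", "src": ("10.1.1.0", "0.0.0.254"),
     "dst": ANY, "dport": None},
]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """A wildcard bit of 1 means 'don't care'; the 0 bits must match exactly."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


def wildcard_for_prefix(prefixlen):
    """The wildcard that matches exactly one /prefixlen block (inverse of the netmask)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def evaluate(acl, packet):
    """packet = {'proto': 'tcp', 'src': '10.1.1.5', 'dst': '172.16.1.1', 'dport': 23}.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for i, entry in enumerate(acl):
        if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"], i
    return "deny", None


if __name__ == "__main__":
    print("/22 wildcard:", wildcard_for_prefix(22))
    for pkt in ({"proto": "tcp", "src": "10.1.1.5", "dst": "172.16.1.1", "dport": 23},
                {"proto": "tcp", "src": "10.1.1.5", "dst": "172.16.1.1", "dport": 22},
                {"proto": "udp", "src": "10.1.1.4", "dst": "8.8.8.8", "dport": 53},
                {"proto": "udp", "src": "10.1.1.5", "dst": "8.8.8.8", "dport": 53}):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

`wildcard_for_prefix(22)` gives 0.0.3.255; writing 0.0.0.255 for a /22 is the non-8-bit-boundary mistake the OSPF notes mention, and the last two packets show the even/odd behaviour of 0.0.0.254.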


Configuring NAT

Configure static NAT
RouterA(config)# ip nat inside source static 192.168.10.5 216.1.1.3
RouterA(config)# interface s0
RouterA(config-if)# ip nat outside               (defines s0 as connecting to the outside network)
RouterA(config-if)# interface e0
RouterA(config-if)# ip nat inside                (defines e0 as connecting to the inside network)

Configure DNS name servers
RouterA(config)# ip name-server server-address1 [server-address2 ... server-address6]

Configure PAT
RouterA(config)# access-list 20 permit 192.168.1.0 0.0.0.255             (define the ACL of inside addresses to translate)
RouterA(config)# ip nat inside source list 20 interface s0 overload       (apply it to interface s0; overload = many inside addresses behind one, distinguished by port)

NAT pool
RouterA(config)# ip nat pool cisco 216.1.1.1 216.1.1.14 netmask 255.255.255.240
RouterA(config)# access-list 10 permit 192.168.10.0 0.0.0.255
RouterA(config)# ip nat inside source list 10 pool cisco

Show commands
show ip nat translations      (show the NAT translation table)
debug ip nat                  (shows the NAT process)


IP version 6
128 bits -> 32 hexadecimal digits (as opposed to IPv4's 32 binary digits!)

Advantages over IPv4
Larger address space: aggregation of prefixes.
Mobility and security: IPsec support is mandatory in the specification, Mobile IP is built in.
Transition richness: dual stack, tunnelling, NAT-PT.
IPv6 has no broadcast!!! It uses multicast, unicast and anycast (one-to-nearest; at the time ONLY ON ROUTERS).
Multicast uses FF00::/8.

Types of unicast address
Global: routable. Aggregated upwards to ISPs. 2000::/3.
Reserved: IETF reserved for research.
Private (FE80::/10 and FEC0::/10):
  o Site-local: routers forward within the site but not to the internet. FEC0::/10 (FEC-FEF). Since deprecated in favour of unique local addresses.
  o Link-local: refers to a particular physical link; valid only on that segment. FE80::/10 (FE8-FEB). Used for automatic address configuration, neighbour discovery etc.
Loopback: ::1 (test).
Unspecified: all zeros, ::. Refers to itself, usually when asking for IP configuration.

Global unicast address: 48-bit global routing prefix, 16-bit subnet ID (used by an organisation for subnets), 64-bit interface ID.

Address prefixing (aggregation) takes place to reduce the size of the routing table.

Interface identifiers
This is essentially the host portion. 64 bits. Can be assigned a number of ways:
Manually: just like in IPv4. RouterX(config-if)# ipv6 address 2001:DB8:222:7272::72/64
EUI-64:


FFFE is inserted into the middle of the interface's 48-bit MAC address and the 7th bit of the first byte (the universal/local bit) is flipped. MAC 00 90 27 17 FC 0F -> interface ID 02 90 27 FF FE 17 FC 0F.
RouterX(config-if)# ipv6 address 2001:DB8:0:1::/64 eui-64

Stateless autoconfiguration
Determined from router advertisements. It can be a while to wait, so a node/device sends a router solicitation message asking for a router advertisement. This acts as a plug-and-play feature and does not need a DHCP server.

DHCPv6
Updated version of v4.
- Can be used together with stateless autoconfiguration.
- Automatic DNS.
- Looks at router advertisements to determine if DHCPv6 is used.
-> Sends Solicit to the All-DHCP-Relay-Agents-and-Servers multicast group (link-local scope). When a relay forwards a message it can send it to the All-DHCP-Servers group, so you do not need to give the relay a unicast server address like you do in DHCPv4.
You can configure the DHCP server to give out addresses based on different policies (i.e. don't give global IPs to printers).
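The EUI-64 transform above, both directions, as an added example (not from the notes). The MAC is the one from the notes' own example and the prefix is the documentation prefix from the `eui-64` command line. The reverse function is the security point: an EUI-64 address carries the hardware address of the host, which is why privacy extensions (randomised interface IDs) exist.

```python
"""Modified EUI-64: derive the 64-bit interface ID (and the full address) from a MAC,
and recover the MAC from an address.

Added example, not from the original notes. The MAC is the one in the notes'
example; the /64 is the documentation prefix used with the eui-64 command.
"""
import ipaddress


def eui64_interface_id(mac):
    """Split the 48-bit MAC in half, insert FFFE, flip the universal/local bit
    (bit 7 of the first byte, mask 0x02)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix, mac):
    """What `ipv6 address <prefix>/64 eui-64` produces on the interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(address):
    """Reverse the transform; returns None if the low 64 bits are not EUI-64 shaped.
    This is why EUI-64 leaks the hardware address (RFC 4941 privacy addresses avoid it)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    addr = eui64_address("2001:db8:0:1::/64", "00:90:27:17:fc:0f")
    print(addr, "<-", mac_from_eui64(addr))
```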

ipv6 unicast-routing enables IPv6 routing. Nothing will be forwarded beforehand. Available from IOS 12.2(2)T.

Hostname configuration
ipv6 host name [port] addr1 [addr2 ... addr4]     (you can assign up to 4 IPv6 addresses to one hostname)
ip name-server dns-addr1 [... dns-addr6]

RIPng
UDP port 521, FF02::9 multicast. Modelled after RIPv2.
RouterX(config)# ipv6 unicast-routing
RouterX(config)# ipv6 router rip EXAMPLENAME
RouterX(config)# interface Ethernet0
RouterX(config-if)# ipv6 address 2001:db8:1:1::/64 eui-64
RouterX(config-if)# ipv6 rip EXAMPLENAME enable
RouterX(config)# interface Ethernet1
RouterX(config-if)# ipv6 address 2001:db8:1:2::/64 eui-64
RouterX(config-if)# ipv6 rip EXAMPLENAME enable


Transitioning

Dual stack
A node can use IPv4 and IPv6 (2 protocol stacks). Can be configured on one or multiple interfaces. Chooses v4 or v6 based on the destination address (prefers v6 where possible). A new socket API is defined to support both (+ DNS requests). A small change in the source code of most apps will make them v6 compatible.

Tunnelling
IPv6 inside IPv4, IP protocol 41, with a 20-byte IPv4 header. Hard to troubleshoot. Decreases the MTU. It is recommended to number tunnel endpoints.
Manual: IPv6 encapsulated in IPv4; needs dual stack at both ends.
Dynamic 6to4: IPv6 islands in an IPv4 network.
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol): uses the underlying IPv4 network as a link layer for IPv6.
Teredo: host-to-host tunnelling (no router needed). Passes IPv6 unicast when NAT is in between.
Proxy and translation (NAT-PT): translate one type into the other.

Enabling an IPv6 tunnel
RouterA(config)# interface tunnel0                          (create the tunnel interface)
RouterA(config-if)# description IPv6 tunnel to remote site  (identify the tunnel)
RouterA(config-if)# ipv6 unnumbered ethernet0               (use the IPv6 address on e0 for the tunnel)
RouterA(config-if)# tunnel source ethernet0                 (set the tunnel source as e0)
RouterA(config-if)# tunnel destination 192.168.10.2         (IPv4 address where the tunnel ends)
RouterA(config-if)# tunnel mode ipv6ip                      (manual IPv6-in-IPv4 encapsulation)


Virtual Private Networks
A VPN is an encrypted connection between private networks OVER a public network such as the internet. VPNs use IPsec (or SSL/TLS) to form virtual connections that are routed through the internet.

Types of VPN

(1) Site to site
  o Connects two whole networks to one another (i.e. branch office to headquarters). Leased lines or Frame Relay used to be used for this.
  o Hosts do not have VPN client software.
  o They use a VPN gateway: router / firewall / VPN concentrator / ASA 5500.
  o It encapsulates, encrypts and sends over the VPN tunnel (and vice versa).

(2) Remote access
  o Evolution of circuit-switched networks (POTS, ISDN).
  o Supports telecommuters, mobile users; connects individual users.
  o Used to use dial-in. Now all they have to do is access the internet.
  o Client VPN software IS needed.
  o Sends data to a VPN gateway.

Cisco Easy VPN
Has 2 parts:

(1) VPN server/gateway: concentrator / PIX firewall / ASA adaptive security appliance / Cisco IOS router. Can terminate remote access or site-to-site VPNs (that use Cisco Easy VPN remote nodes).

(2) VPN remote clients: can receive security policies (thus minimising configuration). VPN parameters (internal IP / subnet / DHCP / WINS / split-tunnelling flags) can be pushed from the server to the remote device thanks to Cisco Easy VPN. Split tunnelling = you can access the internet directly at the same time as you are using the VPN (which also means the client sits on both networks at once; many policies disable it for that reason).

Benefits:
  o Dynamic config
  o VPN config is INDEPENDENT of end-user network details
  o Centralised security policy
  o Large-scale deployment

Restrictions:


  o No manual NAT or PAT: the remote client does NAT/PAT for the tunnel automatically.
  o Only 1 destination peer / tunnel connection is supported.
  o Requires destination servers: remote-access servers needed.
  o PSK and XAUTH are the authentication methods. No digital certificates.
  o Only ISAKMP group 2 negotiation is used.
  o Some transform sets are not included (authentication-only OR encryption-only = not supported).

IPsec SSL VPN (WebVPN)
Uses the web browser + its native SSL encryption. SECURE ACCESS IS PROVIDED -> REGARDLESS OF ENDPOINT HOST. No software client if the needs are modest. Two methods of access: clientless & thin client. Users can access files, email and TCP applications without client software. Best for per-application users or access from privately owned devices (laptops etc.), which is also why such endpoints should be trusted less than managed ones.
Benefits:
  o Compatible with Dynamic Multipoint VPNs
  o Compatible with Cisco firewalls
  o Compatible with IPsec
  o Compatible with intrusion prevention systems
  o Compatible with Cisco Easy VPN
  o Compatible with NAT

Restrictions:
  o Supported only in software.
  o The router CPU processes the WebVPN connections.
  o The on-board VPN accelerator accelerates only IPsec.

Components of VPNs
Cisco provides VPN-enabled routers. Cisco ASA 5500 Series Adaptive Security Appliance:
  o Provides remote access and site-to-site support
  o Has IPsec and SSL VPN on one platform
  o Also has firewall and IPS technology
  o Remote access VPNs require one of the following 3 clients:

1. Certicom client: wireless PDA client


2. Cisco VPN 3002 hardware client (legacy): connects a SOHO to the VPN. 1- or 8-port switch version. Replaces SOHO PC applications.
3. Cisco VPN software client: software loaded onto the PC. Can establish encrypted end-to-end tunnels. The Cisco Easy VPN client can receive security config from the Easy VPN server.

IPsec
Operates at the network layer. FRAMEWORK OF OPEN STANDARDS -> newer algorithms can be implemented without having to redesign the framework.
Encryption (digital scrambling): data + encryption algorithm + key (string of bits) = unreadable ciphertext. LONGER KEY = MORE SECURE (for a given algorithm).
DH (Diffie-Hellman) key agreement is a public-key exchange. It allows 2 peers to establish a shared secret key even though the exchange runs over an insecure channel. It does not authenticate the peers by itself; IKE adds PSK or RSA-signature authentication on top to stop a man in the middle.
Encryption algorithms:

(1) DES (Data Encryption Standard): 56-bit key. Symmetric key. Brute-forceable; do not use.
(2) 3DES (Triple DES): data is broken into 64-bit blocks; three 56-bit keys encrypt the data one after another. Symmetric key. Slow and now deprecated.
(3) AES (Advanced Encryption Standard): computationally better than 3DES. 128-, 192- or 256-bit keys. Symmetric key. The current choice.
(4) RSA (Rivest, Shamir and Adleman): asymmetric key. 512+ bits in key length when these notes were written; 2048 bits is the floor today. IPsec doesn't use RSA to encrypt data. IKE uses it for peer authentication.

Integrity
Adds a hash to the method. Transmitted hash = received hash = OK.
Message + hash algorithm + key = message + hash value.
HMAC (Hashed Message Authentication Code) algorithms (these also authenticate, since only a holder of the key can produce the value):

(1) HMAC-MD5 (Message Digest 5): 128-bit shared key. Output is a 128-bit hash that is appended (truncated to 96 bits in the packet).
(2) HMAC-SHA-1 (Secure Hash Algorithm): 160-bit secret key. Output is a 160-bit hash that is appended (truncated to 96 bits).
Both are considered weak today; prefer SHA-2 (HMAC-SHA-256) where the platform supports it.

Authentication
You are who you say you are. Peer authentication methods:

(1) PSKs: manually entered into each peer. PSK + other info = key.
(2) RSA signatures: exchange digital certificates. The local end signs a hash with its private key; the remote end checks it with the public key from the certificate. Match = genuine.


Anti-replay protection
Verifies that there is no duplication. Compares the packet's sequence number with the receiver's sliding window. Outside the window = too late, or already seen = duplicate; either way, drop.

IPsec protocol framework: the two main protocols
AH (Authentication Header): authenticates and checks integrity of the whole packet, including the outer IP header. NO encryption. Does not survive NAT for that reason.
ESP (Encapsulating Security Payload): authentication (for the payload and ESP header) and encryption. Conceals the payload and, in tunnel mode, the original source/destination. One or the other must be selected.

IPsec protocol:  ESP | AH | both
Encryption:      DES | 3DES | AES
Authentication:  MD5 | SHA
DH group:        DH1 | DH2 | DH5
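The anti-replay sliding window from the paragraph above, implemented the way ESP receivers do it (highest sequence number seen plus a bitmap of the last 64). This is an added example, not from the notes; the packet sequence numbers are constructed. The window is only updated after the packet's integrity check has passed, otherwise an attacker could slide the window with forged high sequence numbers and make legitimate in-flight packets look "too old".

```python
"""ESP anti-replay sliding window (the scheme in RFC 4303): keep the highest
sequence number seen and a bitmap of which of the last N numbers were accepted.

Added example, not from the original notes. The sequence of packet numbers
is constructed. The check runs after the ICV (integrity check) has passed:
an unauthenticated packet must never move the window.
"""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was accepted

    def check(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay,
        too old, or the invalid value 0."""
        if seq <= 0:
            return False
        if seq > self.top:                     # beyond the right edge: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                # everything previously seen falls off the left
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # left of the window: too old, drop
        if self.bitmap & (1 << offset):
            return False                       # already accepted: replay, drop
        self.bitmap |= 1 << offset             # late but fresh: accept
        return True


def replay_filter(sequence_numbers, size=64):
    """Run a batch of sequence numbers through one window; returns accept/drop per packet."""
    window = ReplayWindow(size)
    return [window.check(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed: in order, a duplicate, a jump, a late arrival, its replay, a big jump,
    # then one packet just outside and one just inside the 64-wide window.
    seqs = [1, 2, 1, 10, 5, 5, 100, 36, 37]
    for s, ok in zip(seqs, replay_filter(seqs)):
        print(s, "accept" if ok else "drop")
```

Reordered packets inside the window (5 arriving after 10) are accepted; the same number a second time is not, and once 100 has been seen anything at or below 36 is dropped as too old.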


PPP
PPP is an encapsulation protocol for transporting IP (and other layer 3) traffic over point-to-point (leased line) serial connections. Frames are encapsulated before being sent over the WAN link. Works on synchronous and asynchronous circuits.

Configuring PPP

- POTS (asynchronous) / ISDN and point-to-point (synchronous).
- LCP negotiates and sets up options (configures the link).
- NCPs carry packets from the network layer protocols.

Three-phase setup process:

(1) Establish link: LCP packets sent back and forth. MTU, compression, authentication. Option not included = default assumed.
(2) Authentication: PAP or CHAP (optional phase).
(3) Network layer protocol phase: NCP packets are sent to configure L3.

PAP: two-way handshake. Repeatedly sends username and password until authentication or timeout. Passwords are sent in plaintext. No protection against repeated attempts or replay; the remote node determines the attempt frequency.

CHAP: uses a 3-way handshake. The local router sends a challenge to the remote node. The remote node responds with a one-way hash (MD5) over the challenge, its ID and the shared secret; the secret itself never crosses the link. The local router accepts or rejects. Challenges vary per attempt, so a captured response cannot be replayed. The local router or authentication server determines the frequency of (re)challenges.

Configuration:

(1) Enable PPP encapsulation (encapsulation ppp).
(2) Enable authentication.


Enabling authentication

(1) Give the router a name (hostname): it must match the username that the remote router is expecting.
(2) Define the username and password on each router. There must be a username entry for each remote router, and the password (shared secret) must be the same on both ends.
(3) Pick an authentication method: ppp authentication {chap | pap | pap chap | chap pap}. If both are specified the first one mentioned is tried first. If the peer suggests the second method or rejects the first, the second is tried (so "chap pap" still allows plaintext PAP if the peer insists on it).

show interface                 (LCP Open means LCP has established a session)

debug ppp authentication       ("by both" is two-way CHAP authentication; I = incoming, O = outgoing; the id field matches a response with its request)
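The CHAP exchange described above, with both sides' messages, as an added example (not from the notes). Hostnames, the shared secret and the challenge value are constructed. The response is MD5 over identifier || secret || challenge, the construction RFC 1994 specifies; `pap_request` is there only to show what PAP puts on the wire by contrast. The `id` field that `debug ppp authentication` prints is the `identifier` here, and consuming each challenge after one answer is what stops a replayed response.

```python
"""PPP CHAP three-way handshake (RFC 1994) next to what PAP sends.

Added example, not from the original notes. Hostnames, the shared secret and
the challenge value are constructed. The response is MD5 over
identifier || secret || challenge, so the secret never crosses the link,
unlike PAP's plaintext username/password pair.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """One-way hash the peer returns: MD5(ID + secret + challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def pap_request(username, password):
    """PAP Authenticate-Request carries both fields in clear text."""
    return {"username": username, "password": password}


class Authenticator:
    """Local router: holds the `username <peer> password <secret>` table and
    issues challenges."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users               # peer hostname -> shared secret
        self.next_id = 1
        self.outstanding = {}            # identifier -> challenge still awaiting a response

    def challenge(self, value=None):
        """Step 1: send Challenge(ID, random value, our name)."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16) if value is None else value
        self.outstanding[identifier] = value
        return identifier, value, self.hostname

    def verify(self, identifier, peer_name, response):
        """Step 3: recompute the hash with the secret stored for that peer name.
        A challenge can be answered once, so a captured response cannot be replayed."""
        value = self.outstanding.pop(identifier, None)
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, value))


class Peer:
    """Remote node: its hostname must match the username the authenticator expects."""

    def __init__(self, hostname, secret):
        self.hostname = hostname
        self.secret = secret

    def respond(self, identifier, challenge):
        """Step 2: Response(ID, hash, our name)."""
        return identifier, self.hostname, chap_response(identifier, self.secret, challenge)


def handshake(authenticator, peer, challenge_value=None):
    identifier, value, _name = authenticator.challenge(challenge_value)   # Challenge
    ident, peer_name, response = peer.respond(identifier, value)          # Response
    return authenticator.verify(ident, peer_name, response)               # Success / Failure


if __name__ == "__main__":
    router_a = Authenticator("RouterA", {"RouterB": "s3cret"})
    print("RouterB with the right secret:", handshake(router_a, Peer("RouterB", "s3cret")))
    print("RouterB with the wrong secret:", handshake(router_a, Peer("RouterB", "guess")))
    print("PAP would have sent:", pap_request("RouterB", "s3cret"))
```

Both routers need the same plaintext secret in their `username` entries, which is the weakness of CHAP: the secret must be stored recoverably on both ends, and MD5 offline guessing against a captured challenge/response pair is cheap if the secret is weak.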

Typical WAN protocols

HDLC (High-Level Data Link Control): this is the default on point-to-point connections, dedicated links and circuit-switched connections. It is a bit-oriented synchronous L2 protocol (Cisco's HDLC is proprietary, so use PPP between vendors).

PPP (Point-to-Point Protocol): uses synchronous and asynchronous circuits. Designed to work with higher layers like IP. Has PAP and CHAP.

Frame Relay: switched L2 protocol that uses multiple VCs. No error correction or flow control.

ATM: 53-byte cell switching. Video and voice. Fixed length = fast processing.

Broadband: two transmissions share a medium.

  o DSL: PPPoE (encapsulates PPP in Ethernet frames) & PPPoA go over the local telephone network. Authentication, encryption and compression come from PPP.
  o Cable: Ethernet over a cable modem on the cable TV infrastructure. 3 Mbps to 30 Mbps. Uses Ethernet frames.

Metro Ethernet: point-to-point and multipoint services in business areas.


Frame Relay

Connection oriented. Relies on upper layers for error correction. Frame Relay defines the connection between the router and the Frame Relay cloud edge. IT HAS NOTHING TO DO WITH HOW THINGS ARE ROUTED WITHIN THE FRAME RELAY CLOUD.

DTE: FRADs, routers and bridges. Owned by the customer.

DCE: provides clocking and switching. Transmits data through the WAN.

There are many VCs over a single connection. Connection IDs are assigned to DTE devices. Connection IDs are mapped to outbound ports in switching tables. The path to the destination is established before the first frame is sent.

Frame Relay terms

Local access rate: clock speed of the connection to the Frame Relay cloud.

VC: a logical circuit. The DLCI is its identifier. Connects one DTE to another. Multiple VCs on one physical circuit.

PVC: no call setup/teardown. Always up.

SVC: dynamic/temporary.

DLCI: 10-bit VC identifier. LOCALLY SIGNIFICANT: the 2 devices on one VC normally have different DLCIs for the same VC.

CIR (committed information rate): maximum average data rate that the network tries to deliver. Specified when you subscribe. If you go over it some frames are tagged DE (discard eligible). CIR = 0 = all frames are DE.

Inverse ARP: lets a router find the IP address of a remote DTE based on the DLCI.

LMI (local management interface): the signalling standard between the DTE and the local Frame Relay switch (DCE). It manages the connection.

FECN (forward explicit congestion notification): bit is set on the way to the recipient DTE, which passes it up to higher protocols for processing.

BECN (backward explicit congestion notification): set in frames that travel in the opposite direction to frames with FECN bits set. This is so the source DTE can learn of congestion.


Topology types: partial mesh, full mesh (all routers have VCs to all other destinations, n(n-1)/2 links), star topology (most common Frame Relay topology; also called hub and spoke).

A FRAME RELAY NETWORK PROVIDES NBMA CONNECTIVITY BETWEEN REMOTE SITES. ALL ROUTERS ARE ON THE SAME SUBNET.

NBMA networks are usually built in a hub-and-spoke topology. With a hub-and-spoke topology the physical setup does not have the multi-access capabilities that Ethernet does. This means that each router may not be able to have separate PVCs to reach the other remote routers on the same subnet. This makes split horizon an issue because you have to run multiple PVCs over one interface.

NBMA problems when using a single interface to interconnect multiple sites:

Routing updates: Router A sends an update to Router Center. Router Center cannot send the routing update out of the interface it arrived on to the other routers (because of the split horizon rule).

Solutions:
- Turn off split horizon. Not all network layer protocols let you do this.
- Use a full mesh topology. Expensive.
- Use sub-interfaces. Each VC can be considered a point-to-point connection. Each sub-interface can be on its own subnet.

Broadcast replication: if you have to broadcast out of one interface (to multiple remote devices) then you have to send multiple copies of the broadcast over the same link, which can cause latency.

Each VC is mapped to a DLCI. Routers use LMI to find their local DLCIs. They use Inverse ARP to find the remote IP based on their DLCI, i.e. the router figures out that DLCI 500 is associated with 10.1.1.1. If the router needs to talk to 10.1.1.1 it uses DLCI 500.

You can manually map DLCIs to IP addresses. Cisco routers try to autodetect the type of LMI that the Frame Relay switch uses: the router sends out an LMI status request and uses the last LMI type that the switch sends back. You can also manually configure the LMI type.

LMI types: Cisco, ANSI and Q.933A.

VC statuses

Active: can go ahead and exchange data.


Inactive: connection to the DCE is ok, but the remote router's connection to the DCE is not ok.
Deleted: no connection, or no LMI being received.

How Frame Relay works

1. Router connects to the Frame Relay switch through a CSU/DSU.
2. Router sends an LMI enquiry, asking for the connection status of the router's VCs.
3. Frame Relay switch replies with the local DLCIs of the VCs.
4. Router sends out Inverse ARP for each DLCI to introduce itself.
5. Remote router receives the Inverse ARP and makes an entry in its Frame Relay map table (IP -> local DLCI).
6. Inverse ARPs are sent on all VCs every 60 s. LMI keepalives are sent to the Frame Relay switch every 10 s.
7. Router changes VC status based on the LMIs from the Frame Relay switch.

Configuring

RouterX(config)# interface serial1
RouterX(config-if)# ip address 10.16.0.1 255.255.255.0
RouterX(config-if)# encapsulation frame-relay [cisco | ietf]      (use cisco for Cisco-to-Cisco; ietf when the far end is another vendor)
RouterX(config-if)# frame-relay lmi-type [ansi | cisco | q933a]    (11.2 or later autosenses)
RouterX(config-if)# bandwidth 64                                   (affects OSPF & EIGRP metrics)
RouterX(config-if)# frame-relay inverse-arp ip 16                  (protocol and DLCI; on by default)
No Inverse ARP -> e.g. the Frame Relay peers have different Frame Relay encapsulations. To control broadcast and multicast traffic you must manually map network addresses to DLCIs:

RouterX(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco] [payload-compress packet-by-packet]

broadcast allows broadcast and multicast over the VC. This lets you use a dynamic routing protocol over the VC.

payload-compress packet-by-packet enables a type of compression.


Sub-interfaces

Point-to-point: Each subinterface has a DLCI. Both ends are on the same subnet. Update traffic is not subject to split horizon.

RouterX(config)# interface serial 0
RouterX(config-if)# no ip address
RouterX(config-if)# encapsulation frame-relay
RouterX(config-if)# interface serial 0.110 point-to-point
RouterX(config-subif)# ip address 10.17.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay interface-dlci 110
RouterX(config-subif)# interface serial 0.120 point-to-point
RouterX(config-subif)# ip address 10.18.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay interface-dlci 120   (must define to distinguish from the physical interface)

DO NOT USE frame-relay interface-dlci 120 ON PHYSICAL INTERFACES

Multipoint: The single multipoint subinterface has multiple PVCs. All are on the same subnet. Update traffic is subject to split horizon.

RouterX(config)# interface serial 0
RouterX(config-if)# no ip address
RouterX(config-if)# encapsulation frame-relay
RouterX(config-if)# interface serial 0.2 multipoint
RouterX(config-subif)# ip address 10.17.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay map ip 10.17.0.2 120 broadcast
RouterX(config-subif)# frame-relay map ip 10.17.0.3 130 broadcast
RouterX(config-subif)# frame-relay map ip 10.17.0.4 140 broadcast   (static mapping)
RouterX(config-subif)# no ip split-horizon   (split horizon must be disabled to avoid problems)

IF YOU HAVE CONFIGURED THE SUBINTERFACE AS MULTIPOINT AND IARP IS ENABLED YOU MUST CONFIGURE THE LOCAL DLCI FOR THE SUBINTERFACE TO DISTINGUISH IT FROM THE PHYSICAL INTERFACE (I.E. BY TYPING frame-relay interface-dlci 120). YOU DO NOT NEED TO IN THE ABOVE EXAMPLE BECAUSE YOU ARE STATICALLY MAPPING THE IPs TO THE DLCIs.

show interfaces


show frame-relay pvc
show frame-relay lmi
debug frame-relay lmi
show frame-relay map
clear frame-relay-inarp

Troubleshooting Frame Relay

Check the Frame Relay link – Use show interface serial to see if there is a layer 1 problem. show controllers serial can show if the cable is present and correctly recognised.

To perform a loopback test:

1. Set encapsulation to hdlc and keepalive to 10s.
2. Set the CSU/DSU to loopback mode.
3. If the line protocol comes up the problem is beyond the CSU/DSU.
4. Ping is also useful (see page 349)

The DLCI can be wrong. Use the show frame-relay pvc command to check. If it shows as DELETED it could be configured wrong. If interface = up, line = down it could be a L2 problem. Check with the show frame-relay lmi command.

NEXT... check the remote router

Check the remote router map with show frame-relay map. If you have recently changed the interface on the remote frame relay router, use the clear frame-relay-inarp command so that you do not have incorrect DLCI to IP mappings. If the remote router does not support IARP then you may need to statically map the DLCIs and IPs. ACLs could be stopping the traffic from getting through. Temporarily disable them to see if this is the issue.

NEXT... check end to end connectivity

Check the routing tables, including the default gateway of the source node. If routing protocols are not working, you will need to check that broadcast traffic is supported using the show frame-relay map command (if inverse ARP is configured, broadcast is in effect automatically).


Administrative distances

Route Source       AD
Connected Route    0
Static Route       1
External BGP       20
Internal EIGRP     90
IGRP               100
OSPF               110
IS-IS              115
RIP                120
External EIGRP     170
Internal BGP       200
Unknown            255

Private IP Ranges (RFC 1918)

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Well-known Reserved Multicast addresses (non-exhaustive)

Multicast Route   Group Members
224.0.0.1         All Hosts
224.0.0.2         All Routers
224.0.0.5         All OSPF Routers
224.0.0.6         All OSPF DRs
224.0.0.9         All RIPv2 Routers
224.0.0.10        All EIGRP Routers
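The administrative distance table above only matters in combination with longest-prefix matching, which the notes do not spell out. This added example (not from the notes) models the selection a router makes: longest prefix first, then lowest AD from the table above, then lowest metric; the route table it runs on is a constructed sample, and an "unknown" source with AD 255 is never installed.

```python
import ipaddress

# Cisco default administrative distances, as tabulated in the notes above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "igrp": 100,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170,
    "ibgp": 200, "unknown": 255,
}

def best_route(routes, dst):
    """Pick the route a router would forward dst on.
    routes: list of (prefix, source, metric, next_hop) tuples.
    Preference: longest prefix, then lowest AD, then lowest metric.
    Returns (prefix, source, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, source, metric, next_hop in routes:
        ad = ADMIN_DISTANCE.get(source, 255)
        if ad == 255:
            continue                       # AD 255 = untrusted, never installed
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net:
            candidates.append((-net.prefixlen, ad, metric, prefix, source, next_hop))
    if not candidates:
        return None
    _, _, _, prefix, source, next_hop = min(candidates)
    return (prefix, source, next_hop)

# Constructed sample routing table (not taken from the notes).
SAMPLE_ROUTES = [
    ("10.16.0.0/24", "connected", 0, "Serial1"),
    ("0.0.0.0/0", "static", 0, "10.16.0.2"),
    ("172.16.0.0/16", "ospf", 20, "10.16.0.2"),    # AD 110, worse metric, still wins
    ("172.16.0.0/16", "rip", 2, "10.16.0.3"),      # AD 120, better metric, loses
    ("172.16.5.0/24", "rip", 3, "10.16.0.3"),      # more specific: wins for 172.16.5.x
    ("192.168.1.0/24", "unknown", 1, "10.16.0.4"), # AD 255: ignored, default route used
]

if __name__ == "__main__":
    for dst in ("172.16.9.1", "172.16.5.7", "10.16.0.9", "192.168.1.5"):
        print(dst, "->", best_route(SAMPLE_ROUTES, dst))
```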

Connections from a host to a hub or from a hub to a switch must be half duplex, because a hub is simply a repeater and does not guarantee a collision-free path.


Enabling port security (can only be done on an access port)

Switch(config)# int fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 1111.2222.3333
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
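What the config above actually does to frames is easier to see in a model. This added example (not from the notes, and not IOS code) replays the configuration above: a maximum of 3 secure MACs, one static MAC, sticky learning, and violation mode restrict; it also covers the protect and shutdown modes the notes do not show. MAC addresses other than 1111.2222.3333 are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one access port with switchport port-security (added example)."""
    maximum: int = 1                 # switchport port-security maximum N (IOS default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default shutdown)
    static_macs: set = field(default_factory=set)       # mac-address H.H.H entries
    sticky: bool = False             # mac-address sticky
    learned: set = field(default_factory=set)           # dynamically / sticky learned
    running_config: list = field(default_factory=list)  # sticky MACs written to config
    violations: int = 0              # counter seen in "show port-security interface"
    err_disabled: bool = False

    def secure_macs(self) -> set:
        return self.static_macs | self.learned

    def ingress(self, src_mac: str) -> str:
        """Outcome for a frame arriving with source MAC src_mac:
        'forward', 'drop' (violation, port stays up) or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"            # shutdown mode already tripped
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)        # room left: learn it as a secure MAC
            if self.sticky:                  # sticky: survives a reload once saved
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Table is full and the MAC is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                    # silently dropped, no count, no syslog
        self.violations += 1                 # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"                    # port stays up, only the offender is dropped
        self.err_disabled = True             # shutdown: whole port goes err-disabled
        return "err-disabled"

def demo() -> list:
    """Replay the notes' config: maximum 3, static 1111.2222.3333, sticky, restrict.
    The aaaa.bbbb.* addresses are constructed sample values."""
    port = SecurePort(maximum=3, violation="restrict",
                      static_macs={"1111.2222.3333"}, sticky=True)
    frames = ["1111.2222.3333", "aaaa.bbbb.0001", "aaaa.bbbb.0002",
              "aaaa.bbbb.0003", "aaaa.bbbb.0001"]
    return [port.ingress(m) for m in frames]

if __name__ == "__main__":
    print(demo())   # ['forward', 'forward', 'forward', 'drop', 'forward']
```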

Recommended