by Steven Crutchley www.netquirks.co.uk
CCNA Summary Notes – Spanning Tree Protocol (802.1D)
Problems with redundant links:
- Broadcast storms
- Duplicate frame transmission
- MAC database instability (Host A is on port 1, no wait… port 2)
Layer 2 can't deal with these (layer 3 can, with TTL etc., but layer 2 can't). Switches send broadcast packets out all of their interfaces except the one on which the packet was received.
STP's 3 steps
STP puts some ports into a standby state where they do not listen to, forward, or flood data frames. Only one path to any given network segment at one time.
1. Elect a root bridge – all of its ports are designated.
2. Select the root port on the non-root bridges (bridge = switch). The root port is the one closest to the root bridge based on accumulated bandwidth.
3. Select the designated port on each segment. This is based on the lowest cost to the root bridge (or the BID if the cost is equal).
BPDUs are exchanged every 2 seconds. Lowest BID = root.
The Bridge ID (BID) is included in BPDUs. BID = 2-byte bridge priority (32768 default) + 6-byte MAC.
When STP is enabled all ports transition through Blocking → Listening → Learning and then stabilise on Forwarding or Blocking.
Port state diagram (from the notes):
Link comes up → Blocking (moves to Listening after it decides that it is the root port or a designated port) → Listening (Forward Delay = 15 sec) → Learning (Forward Delay = 15 sec) → Forwarding
Forwarding → Blocking when loss of BPDUs is detected (Max Age = 20 sec)
NB. These notes were created around 2009.
Newer versions of CCNA R&S have been released since then; however these notes will still cover a large portion of the material.
When a switch boots up it assumes that it is the root bridge and moves from the Blocking to the Listening state. If it is in the Blocking state for the Max Age and receives no BPDUs it moves to the Listening state. Whilst in the Listening state it sends and receives BPDUs to determine the topology. It does not pass any user data. It does the 3 STP steps in this state. It spends 15 seconds in this state. THE LEARNING STATE REDUCES THE AMOUNT OF FLOODING REQUIRED WHEN DATA BEGINS FORWARDING. After 15 seconds it moves to the Forwarding (root or designated) or Blocking (non-designated) state. In the Blocking state the port will receive BPDUs but not send data.

PortFast
PortFast is used to send a port straight to the Forwarding state (e.g. if it is attached to a PC). It does not have to wait for STP convergence. It has BPDU guard, which will disable the port if a BPDU is received, to prevent routing loops.
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree portfast bpdu-guard (use the no form to disable)
Switch(config)#spanning-tree portfast default (enables PortFast on all access ports)
Switch#show run int interface (shows if PortFast has been enabled)

Path costs
10 Gbps – 2
1 Gbps – 4
100 Mbps – 19
10 Mbps – 100
Normal time to convergence for STP is 30-50 seconds.

Other types of Spanning Tree
PVST+ (Per VLAN Spanning Tree): uses more CPU and bandwidth. The BID has an extra VID (VLAN ID) field, made by taking up part of the priority field. 12 bits of the 2-byte priority field are now an extended system ID.
Rapid Spanning Tree Protocol 802.1w → faster convergence. Now has a backup state option for ports. Port roles are as follows:
Root → forwarding port (same as STP)
Designated → forwarding port elected for every switched LAN segment (same as STP)
Alternate → alternate path to the root bridge.
Backup → provides a redundant, less desirable, connection to another switch. Only exists where two ports are connected in a loopback by a point-to-point link OR where a bridge has two connections to the same shared VLAN segment.
Disabled → plays no role.
Learning and Forwarding are identical in RSTP and STP. Everything else in RSTP is Discarding.
Switch(config)#spanning-tree mode rapid-pvst (enables PVRST+)
Switch#show spanning-tree vlan vlan_number [detail] (shows info per VLAN)
Switch#debug spanning-tree pvst+ (debugs PVRST+ events)
Switch#debug spanning-tree switch state (debugs port state changes)
PVRST+ (Per VLAN Rapid Spanning Tree): combines the above 2 methods.
Multiple Spanning Tree Protocol: can have multiple VLANs all with one spanning tree instance. Merged with 802.1Q-2003.
Selecting the root bridge – make it centralised.
Switch(config)#spanning-tree vlan vlan_number root [primary | secondary] … to set the root bridge or backup (you can have multiple backups)
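The three STP steps above (root election on lowest BID, root port on lowest accumulated path cost, designated port per segment) worked through in code. This is an added example, not part of Steven Crutchley's notes: the switch names, MAC addresses and link speeds are constructed, the port costs are the ones tabulated above, and the BID uses the PVST+ layout in which the VLAN ID occupies the low 12 bits of the priority field. Running it prints the root bridge and every port role for the sample triangle.

```python
# Added example (not from the original notes): models the three STP steps
# on a constructed triangle topology. Names, MACs and speeds are made up.
import heapq
from dataclasses import dataclass

# Port costs from the notes, keyed by link speed in Mbps
PATH_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str               # 6-byte MAC as colon-separated hex (constructed)
    priority: int = 32768  # 2-byte bridge priority field, default 32768

    def bid(self, vlan=1):
        """PVST+ BID as a comparable tuple: (priority + extended system ID, MAC).
        The 12-bit VLAN ID sits in the low bits of the priority field, which is
        why the configurable part of the priority is a multiple of 4096."""
        return (self.priority + vlan, int(self.mac.replace(":", ""), 16))


def elect_root(bridges, vlan=1):
    """Step 1: lowest BID wins (lowest priority, then lowest MAC)."""
    return min(bridges, key=lambda b: b.bid(vlan))


def root_path_costs(bridges, links, root, vlan=1):
    """Step 2 helper: Dijkstra from the root over port costs. Returns
    {bridge: (cost to root, upstream neighbour)}; the upstream neighbour is
    the one the root port faces. Equal costs are broken by the lower
    upstream BID, as STP does."""
    by_name = {b.name: b for b in bridges}
    adj = {b.name: [] for b in bridges}
    for a, b, mbps in links:
        adj[a].append((b, PATH_COST[mbps]))
        adj[b].append((a, PATH_COST[mbps]))
    settled = {}
    heap = [(0, root.bid(vlan), root.name, None)]
    while heap:
        cost, _, node, upstream = heapq.heappop(heap)
        if node in settled:
            continue
        settled[node] = (cost, upstream)
        for nbr, c in adj[node]:
            if nbr not in settled:
                heapq.heappush(heap, (cost + c, by_name[node].bid(vlan), nbr, node))
    return settled


def port_roles(bridges, links, vlan=1):
    """Steps 1-3 together. Returns (root bridge, {(bridge, neighbour): role})
    with role in {"root", "designated", "blocking"}; assumes one link per pair."""
    root = elect_root(bridges, vlan)
    costs = root_path_costs(bridges, links, root, vlan)
    by_name = {b.name: b for b in bridges}
    roles = {}
    for b in bridges:                       # step 2: root port on every non-root bridge
        if b is not root:
            roles[(b.name, costs[b.name][1])] = "root"
    for a, b, _ in links:                   # step 3: designated port per segment
        key_a = (costs[a][0], by_name[a].bid(vlan))
        key_b = (costs[b][0], by_name[b].bid(vlan))
        des, other = (a, b) if key_a < key_b else (b, a)
        roles.setdefault((des, other), "designated")
        roles.setdefault((other, des), "blocking")   # neither root nor designated
    return root, roles


# Constructed triangle: two 1 Gbps links and one 100 Mbps link
BRIDGES = [
    Bridge("SW1", "00:0c:29:aa:00:01"),
    Bridge("SW2", "00:0c:29:aa:00:02"),
    Bridge("SW3", "00:0c:29:aa:00:03"),
]
LINKS = [("SW1", "SW2", 1_000), ("SW2", "SW3", 1_000), ("SW1", "SW3", 100)]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root.name)
    for (bridge, nbr), role in sorted(roles.items()):
        print(f"{bridge} port to {nbr}: {role}")
```

With equal priorities SW1 wins on MAC, SW3 reaches it more cheaply through SW2 (4 + 4) than over the direct 100 Mbps link (19), so SW3's port to SW1 blocks. Lowering SW3's priority (what spanning-tree vlan 1 root primary does) makes SW3 the root instead, which is the point of the "make it centralised" advice above: leave priorities at default and the root is whichever switch has the lowest MAC, not the one you would choose.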
Security
Things to consider when inserting new equipment
1. Consider current security policies
2. Secure switch access
A well-established policy has these features:
• You can audit the security setup
• Framework
• Defines how to treat unwanted electronic data
• Procedures
• Consensus among decision makers
• Incident management
• Enterprise-wide plan
Securing switching devices
• Enable secret password
• Good passwords
• Console and vty security (passwords and ACLs)
• Use SSH not Telnet (Cisco used v1. No plain text is sent)
• Disable the integrated HTTP daemon if not used. If needed, use ACLs.
• Warning banners
• Disable unneeded services: no service [tcp-small-servers | finger | config]
• Configure basic logging
• Encrypt passwords (service password-encryption)
Securing switch protocols
• Manage CDP so that reconnaissance attacks can't take place. Disable it globally if not needed. Disable it per port if needed.
• Secure STP. Set the root and backup bridges manually. Use BPDU guard.
Mitigating compromises launched through a switch
• Disable unused ports or put them in a "parking-lot" VLAN as access ports.
• Disable automatic negotiation of trunking (DoS, redirection etc. are threats). Password-protect VTP.
• Monitor PHYSICAL placement.
• Port-based security. switchport host puts the port in access mode with no channelling and STP PortFast. no will reverse it. default interface returns the interface back to default.
Using the "port security" feature
This is used on a switch to accept only particular MAC addresses.
• Dynamic – you care about how many rather than the specific MAC addresses that connect.
• Static – specify the MAC addresses that are allowed.
• Combination of static and dynamic.
• Sticky learning – dynamically learn a MAC and then add it to the static table.
If an unauthorised MAC attempts to connect the switch can shut down the port. Or add the MAC to a disallowed list and log.
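The port-security behaviour described above, modelled in code so the difference between the modes is visible: a maximum count, a static allow-list, sticky learning (a learned MAC becomes a static entry that would survive in the running config), and the two violation responses the notes mention (shut the port, or drop-and-log while the port stays up). This is an added example, not code from the notes; the MAC addresses are constructed and the class is a simplified model of the IOS feature, not an emulation of it.

```python
# Added example (not from the original notes): a model of port security.
# MAC addresses used below are constructed.
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                           # how many MACs the port may know
    static: set = field(default_factory=set)   # configured (or sticky-learned) MACs
    sticky: bool = False                       # learned MACs are added to the static table
    violation: str = "shutdown"                # "shutdown" or "restrict" (drop + log)
    learned: set = field(default_factory=set)  # dynamically learned, not saved
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def allowed(self):
        return self.static | self.learned

    def frame_from(self, mac):
        """Return True if a frame from `mac` is accepted on this port."""
        if self.err_disabled:
            return False                       # a shut-down port passes nothing
        mac = mac.lower()
        if mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            if self.sticky:
                self.static.add(mac)           # sticky: becomes a static entry
            else:
                self.learned.add(mac)          # dynamic: forgotten on reload
            return True
        return self._violate(mac)

    def _violate(self, mac):
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"shutdown: port err-disabled after frame from {mac}")
        else:
            self.log.append(f"restrict: dropped frame from {mac}")
        return False

    def running_config(self):
        """What would survive a reload: only the static (incl. sticky) entries."""
        return sorted(self.static)


if __name__ == "__main__":
    port = PortSecurity(maximum=1, violation="shutdown")
    for mac in ["00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:11:22:33:44:55"]:
        print(mac, "accepted" if port.frame_from(mac) else "dropped")
    print(port.log)
```

Note the asymmetry the two violation modes create: with shutdown, the second, unknown MAC also takes the legitimately learned host off the network until the port is re-enabled, which is a denial-of-service consideration when choosing the mode for ports that carry something important.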
802.1X port-based authentication
The client requests access to the switch. The switch communicates with an authentication server. Until authentication takes place only Extensible Authentication Protocol over LAN (EAPOL) traffic is allowed through the switch port.
Client – needs an 802.1X software client (XP offers this). The port that the client is attached to is called the client/supplicant.
Authentication server – gives the permit/deny to the proxy switch. Is invisible to the client. RADIUS with EAP is the only supported server.
Switch – controls the physical access based on the authentication status. Proxy. Has a RADIUS software client. En/decapsulates EAP frames.
The port is initially in the unauthorised state. It goes to authorised once the server says so. If the switch asks for the client's ID (authentication initiator) and the client doesn't support 802.1X… tough. If the client sends an EAPOL-start frame and gets no response (no 802.1X on the switch) it just sends away. When a client logs out → send EAPOL-logoff message → change back to unauthorised.
Troubleshooting switches (the checklist from the notes' flowchart follows the EIGRP section below)

EIGRP (the hybrid)
Rapid convergence using DUAL. Sends periodic updates about only the parts that are needed. PDMs are used. Uses multicast and unicast. NO BROADCAST. Easy summarisation anywhere in the network.
EIGRP has a NEIGHBOUR TABLE and a TOPOLOGY TABLE.
Successor route → best route to the destination
Feasible successor → backup route
Advertised distance → distance for a NEIGHBOUR to reach a network
Feasible distance → distance to the neighbour + advertised distance
Switch troubleshooting checklist (from the notes' flowchart)
Physical layer: cable type? Cat? Length? VLAN members? Ports admin up?
LAN/trunks: duplex mismatch? Natives match? Trunk modes?
VTP: see VLANs in show run? VTP info exchanging?
STP: use diagram; ID loop; VLAN to subnet? Inter-VLAN L3? Inserted switch? Inactive after power cycle? Check log; verify root & RSTP.
Summarisation
EIGRP will automatically summarise at a classful boundary. You may not want this if you have discontiguous networks. Use the no auto-summary command to disable auto-summarisation.
Load balancing across unequal paths
2 conditions must be met:
- The next router in the path must be closer (i.e. it must be a feasible successor).
- The alternative route's metric must be within current feasible distance * variance (* = 'multiplied by'). If the alternative route does not fit under this you can't use it.
Metric
Bandwidth and delay
Configure
RouterA(config)#router eigrp 100 (100 is the AS number – no need to register)
RouterA(config-router)#network 192.168.3.0
RouterA(config-router)#network 192.168.4.0
RouterA(config-router)#no auto-summary
RouterA(config-router)#variance 5 (metric of the alternative path has to be within 5 × the feasible distance)
RouterA(config-router)#exit
RouterA(config)#interface fa0/1
RouterA(config-if)#bandwidth bandwidth-in-kbps
For a route to become a feasible successor (backup), a next-hop router must have an advertised distance that is less than the feasible distance of the current router (i.e. the neighbour must be closer to the destination than the current router).
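The DUAL terms above (successor, feasible successor, advertised and feasible distance) and the variance rule, applied to a constructed topology table. This is an added example, not from the notes: the neighbour names and metrics are made up, and the metrics are plain integers rather than EIGRP's composite bandwidth/delay value, which does not change the comparisons. The sample is chosen so that one neighbour has the same total metric as the feasible successor but still fails the feasibility condition, the case the variance command cannot override.

```python
# Added example (not from the original notes): DUAL route selection.
# Neighbour names and metrics are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    neighbour: str
    cost_to_neighbour: int   # this router's link cost to the neighbour
    advertised: int          # AD: the neighbour's own distance to the network

    @property
    def distance(self):
        # This router's total metric via this neighbour (cost + AD).
        return self.cost_to_neighbour + self.advertised


def successor(paths):
    """Best route: lowest total distance. Its distance is the FD."""
    return min(paths, key=lambda p: p.distance)


def feasible_successors(paths):
    """Backups: a neighbour whose AD is strictly less than our FD. This is
    what guarantees the backup is loop-free, because that neighbour is
    closer to the destination than we are."""
    best = successor(paths)
    fd = best.distance
    return [p for p in paths if p is not best and p.advertised < fd]


def load_balanced_paths(paths, variance=1):
    """Routes installed with 'variance N': the successor plus any feasible
    successor whose total metric is <= FD * N (variance 1 = equal cost only)."""
    best = successor(paths)
    fd = best.distance
    chosen = [best]
    for p in feasible_successors(paths):
        if p.distance <= fd * variance:
            chosen.append(p)
    return chosen


# Constructed topology-table entries for one destination network
PATHS = [
    Path("R2", cost_to_neighbour=10, advertised=20),   # total 30 -> successor, FD = 30
    Path("R3", cost_to_neighbour=15, advertised=25),   # total 40, AD 25 < 30 -> feasible
    Path("R4", cost_to_neighbour=5, advertised=35),    # total 40, AD 35 >= 30 -> not feasible
]

if __name__ == "__main__":
    print("successor:", successor(PATHS).neighbour)
    print("feasible successors:", [p.neighbour for p in feasible_successors(PATHS)])
    for v in (1, 2):
        print(f"variance {v}:", [p.neighbour for p in load_balanced_paths(PATHS, v)])
```

R3 and R4 both reach the network with a total metric of 40, but only R3 passes the feasibility condition (AD 25 < FD 30); R4's AD of 35 means R4 might itself be routing through this router, so it is never installed, whatever the variance.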
Show commands
show ip protocols (shows metrics and parameters of the current protocols)
show ip eigrp neighbors (shows neighbours)
show ip eigrp interfaces (shows interfaces running EIGRP – can specify an interface or AS)
show ip route eigrp (routing table EIGRP details)
show ip eigrp topology (shows all learned routes)
debug eigrp neighbors (shows neighbour states and hello packets)
debug eigrp packets (view the neighbour adjacency process)
Authentication
RouterA(config)#interface fa0/1
RouterA(config-if)#ip authentication mode eigrp process-id md5
RouterA(config-if)#ip authentication key-chain eigrp process-id key-chain
RouterA(config-if)#exit
RouterA(config)#key chain name-of-key-chain (create the chain)
RouterA(config-keychain)#key number (create a key)
RouterA(config-keychain-key)#key-string text (text is the password)
RouterA(config-keychain-key)#accept-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
RouterA(config-keychain-key)#send-lifetime 04:00:00 Jan 1 2006 infinite
EIGRP troubleshooting checklist (from the notes' flowchart)
Neighbours: interface up/up? Common subnets? Network 10.0.0.0 ok?
Routing table: hello packet match? (AS/K values) Networks advertised? Route filters?
EIGRP authentication: key mismatch? Bad timing? Duplicate RIDs? Discontiguous?
EIGRP key chains (from the notes' diagram)
Each router stores its authentication keys LOCALLY: key ID (password) + interface = authentication key. "I will authenticate the SOURCE of all routing updates I receive."
KEY CHAIN 1 – key definitions:
Authentication key 1 – active from 9am–10am
Authentication key 2 – active from 9.55am–11am
Authentication key 3 – active from 10.55am–12am
Authentication key 4 – active from 11.55am–1pm
Only 1 authentication packet is sent. The receiving router will look through its table until it finds a valid key.
(The interface and key-chain commands are the same as under Authentication above.)
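The key-chain behaviour from the diagram, in code: the sender signs with the lowest-numbered key whose send-lifetime covers its clock, the packet carries only that key ID plus a digest, and the receiver looks the ID up in its own chain and accepts only if the key's accept-lifetime covers the receiver's clock. This is an added example, not code from the notes. Two things are assumptions of the model rather than facts from the page: the digest is HMAC-MD5 over the payload as a stand-in for the EIGRP MD5 authentication TLV, and the sample chain gives every key an accept-lifetime five minutes wider than its send-lifetime, which is what makes the overlapping windows in the diagram tolerate peers whose clocks differ slightly (the "bad timing" item in the checklist above).

```python
# Added example (not from the original notes): key chain selection and
# verification with overlapping lifetimes. Keys and times are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    send_from: datetime
    send_until: datetime
    accept_from: datetime
    accept_until: datetime

    def can_send(self, now):
        return self.send_from <= now < self.send_until

    def can_accept(self, now):
        return self.accept_from <= now < self.accept_until


class KeyChain:
    def __init__(self, keys):
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        # Lowest key number whose send-lifetime covers `now` signs the update.
        for k in self.keys:
            if k.can_send(now):
                return k
        return None


def digest(key, payload):
    # Stand-in for the EIGRP MD5 authentication TLV (assumption: HMAC-MD5).
    return hmac.new(key.key_string, payload, hashlib.md5).digest()


def sign_update(chain, payload, now):
    """Sender: returns (key_id, digest); only these travel with the packet."""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError("no key in the chain is valid for sending now")
    return k.key_id, digest(k, payload)


def verify_update(chain, payload, key_id, mac, now):
    """Receiver: find the key by ID, check its accept-lifetime against the
    receiver's own clock, then compare digests in constant time."""
    for k in chain.keys:
        if k.key_id == key_id and k.can_accept(now):
            return hmac.compare_digest(digest(k, payload), mac)
    return False


def t(hour, minute):
    return datetime(2006, 1, 1, hour, minute)


def make_key(key_id, secret, start, end, margin=timedelta(minutes=5)):
    # accept-lifetime deliberately wider than send-lifetime on both sides.
    return Key(key_id, secret, start, end, start - margin, end + margin)


# Constructed chain mirroring the overlapping windows in the notes' diagram
CHAIN = KeyChain([
    make_key(1, b"key1-secret", t(9, 0), t(10, 0)),
    make_key(2, b"key2-secret", t(9, 55), t(11, 0)),
    make_key(3, b"key3-secret", t(10, 55), t(12, 0)),
    make_key(4, b"key4-secret", t(11, 55), t(13, 0)),
])

if __name__ == "__main__":
    kid, mac = sign_update(CHAIN, b"update", t(9, 57))
    print("signed with key", kid)
    for clock in (t(9, 58), t(10, 2), t(10, 30)):
        print(clock.time(), verify_update(CHAIN, b"update", kid, mac, clock))
```

At 09:57 both key 1 and key 2 are valid for sending and key 1 is chosen because it has the lower number; a receiver whose clock reads 10:02 still accepts it because key 1's accept-lifetime runs to 10:05, while one at 10:30 rejects it. The same chain must be configured on both routers, which is why the checklist lists key mismatch and timing side by side.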
OSPF
Link (interface information) state. A collection of link states forms a link state database.
LSA
Sent every 30 minutes or when something changes.
Topological database
An overall view of the network. All routers in the same area have an identical topological DB.
Hierarchy
Autonomous System (Domain) → Area
Each AS must have a backbone. Off that backbone can hang STUB AREAS, TOTALLY STUB AREAS and NSSAs to help routing table size.
Area Border Routers connect multiple areas to the backbone router. The ABR advertises a default route to the backbone router. The ASBR is the border for an AS.
Neighbour adjacencies
Established using the HELLO protocol. Bidirectional communication = the router sees itself in the hello packet of its neighbour. 224.0.0.5 is the multicast address that HELLO packets are sent out on.
HELLO PACKET
Router ID – 32-bit loopback address acting as the ID (no loopback = highest IP)
Hello interval – how often packets are sent. Default = 10s (30 secs on non-broadcast links).
Dead interval – how long the router will wait before declaring a neighbour out of service (4 times hello)
Neighbours – adjacent routers with bi-directional communication.
Area ID – needs to be the same.
Router priority – 8-bit number used to determine who is DR and BDR.
IP of DR and BDR
Authentication – if enabled, both must swap the same PW.
Stub area flag – helps to reduce routing table size by providing a default route.
(Diagram labels: interfaces, metrics, LSA)
SPF algorithm
Dijkstra's algorithm puts the router at the root and calculates the best path to all other nodes. LSAs are flooded.
Metric
Metric = 100,000,000 / speed in bps (higher bandwidth = lower & better cost)
To change the reference bandwidth use the ospf auto-cost reference-bandwidth ref-bw command.
Configure
RouterA#clear ip ospf process (restarts all OSPF processes)
RouterA(config)#router ospf 100 (100 is the process ID. Need not match)
RouterA(config-router)#network 192.168.3.0 0.0.0.255 area 0 (8-bit boundaries; see the note below)
RouterA(config-router)#network 192.168.4.0 0.0.0.255 area 0
RouterA(config-router)#maximum-paths 6 (default 4. Up to 16)
RouterA(config-router)#exit
RouterA(config)#interface lo0/1 (loopback interface is used as the ID)
RouterA(config-if)#ip address 192.168.99.99 255.255.255.255 (creates the router ID value)
RouterA(config-if)#exit
RouterA(config)#interface fa0/0
RouterA(config-if)#ip ospf cost 10 (set the OSPF cost)
RouterA(config)#interface fa0/1
RouterA(config-if)#ip ospf cost 10 (set the OSPF cost)
Using wildcards on non-8-bit boundaries is dangerous. Use the IP of each interface with a 0.0.0.0 WC to avoid this problem.
Loopback interface: use advertised = can be accessed across the network. Use unadvertised = saves address space.
Show commands
show ip protocols (shows parameters for the router – timers, filters, metrics)
show ip ospf (shows OSPF settings and statistics, times OSPF has been run)
show ip ospf neighbor (shows neighbours)
show ip ospf neighbor router-ID (shows details for that neighbour)
show ip route ospf (routing table OSPF details)
show ip ospf interface serial0 (shows OSPF details on that interface – timer intervals, hello intervals, neighbour adjacencies)
show ip ospf interface (lists all interfaces in OSPF)
debug ip ospf events (IP wrong, hello/dead intervals are wrong)
debug ip ospf packet (captures log messages being sent and received)
debug ip ospf adj (captures the authentication process and hello packet mismatches)
debug ip ospf hello (captures hello messages)
Authentication
Plain-text:
RouterA(config)#interface fa0/1
RouterA(config-if)#ip ospf authentication-key password
RouterA(config-if)#ip ospf authentication
RouterA(config-if)#exit
RouterA(config)#router ospf 100
RouterA(config-router)#area 0 authentication
MD5:
RouterA(config)#router ospf 100
RouterA(config-router)#area 0 authentication message-digest
RouterA(config-router)#exit
RouterA(config)#interface fa0/1
RouterA(config-if)#ip ospf message-digest-key 1 md5 cisco
Version 3
Advertises using multicast groups FF02::5 (all OSPF routers) and FF02::6 (all OSPF designated routers). Uses link-local addresses as the source.
Troubleshooting
OSPF neighbour states
Down – no adjacency.
Attempt – only on NBMA networks. Sends unicast hello packets at the hello interval.
Init – received a HELLO packet, but it can't see itself in there.
2-way – it has seen itself in the HELLO packet.
Exstart – DRs establish the master/slave relationship on the segment and set the starting sequence numbers.
Exchange – send database info back and forth.
Loading – link state info is sent to those who need it.
Full – full neighbour adjacency established. Neighbours have exchanged routes.
LSA types
1 – generated by each router for each area
2 – generated by the DR and BDR; describes the set of routers attached to a particular network.
OSPF troubleshooting checklist (from the notes' flowchart)
Neighbour adjacencies: interfaces up/up? Are MTUs the same? Neighbour config?
Routing table: hello match? Networks advertised? Route filters?
Authentication: check type; check password.
ACLs
Ranges
Standard 1-99 & 1300-1999 (expanded range)
Extended 100-199 & 2000-2699 (expanded range)
access-list number {permit | deny} protocol source wc [port] dest wc [port] [established] [log]
Protocols: IP, TCP, UDP, ICMP, GRE, IGRP
Creating a dynamic ACL
Step 1: Create a user authentication method on the router (local or remote)
Step 2: Define an extended ACL to permit vty access but block all other traffic
Step 3: Create a dynamic ACL that applies to the extended ACL you created after it is authenticated.
RouterX(config)#username test password test
RouterX(config)#username test autocommand access-enable host timeout 10
RouterX(config)#access-list 101 permit tcp any host 10.1.1.1 eq telnet
RouterX(config)#interface fa0/0
RouterX(config-if)#ip address 10.1.1.1 255.255.255.0
RouterX(config-if)#ip access-group 101 in
RouterX(config-if)#exit
RouterX(config)#access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config)#line vty 0 4
RouterX(config-line)#login local
Creating a reflexive ACL
RouterX(config)#ip access-list extended outboundfilter
RouterX(config-ext-nacl)#permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
RouterX(config-ext-nacl)#exit
RouterX(config)#ip access-list extended inboundfilters
RouterX(config-ext-nacl)#permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
RouterX(config-ext-nacl)#evaluate tcptraffic
RouterX(config-ext-nacl)#exit
RouterX(config)#int fa0/0
RouterX(config-if)#ip address 172.16.1.2 255.255.255.0
RouterX(config-if)#ip access-group inboundfilters in
RouterX(config-if)#ip access-group outboundfilter out
Creating a time-based ACL
RouterX(config)#time-range EVERYOTHERDAY
RouterX(config-time-range)#periodic Monday Wednesday Friday 8:00 to 17:00
RouterX(config-time-range)#exit
RouterX(config)#access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
RouterX(config)#int fa0/1
RouterX(config-if)#ip access-group 101 in
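How an extended ACL of the form shown above is evaluated: entries are parsed from their command-line syntax, tried top-down with first match winning, and anything unmatched hits the implicit deny at the end. This is an added example, not code from the notes or from IOS: it covers the subset of the syntax the notes use (any, host, a wildcard pair, eq port, established, log) and treats the wildcard mask the Cisco way, where a 0 bit must match and a 1 bit is ignored. The ACL and packets are constructed in the style of the access-list 101 entries above.

```python
# Added example (not from the original notes): parse and evaluate extended
# ACL entries. The ACL and the packets below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Entry:
    action: str
    protocol: str                 # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None
    established: bool = False     # only TCP segments with ACK or RST set
    log: bool = False


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False
    rst: bool = False


def parse_entry(line):
    """Parse 'access-list N {permit|deny} proto SRC DST [eq PORT] [established] [log]'
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto = tok[2], tok[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    port, established, log = None, False, False
    while pos < len(tok):
        if tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        elif tok[pos] == "established":
            established, pos = True, pos + 1
        elif tok[pos] == "log":
            log, pos = True, pos + 1
        else:
            raise ValueError(f"unsupported keyword {tok[pos]}")
    return Entry(action, proto, src, src_wc, dst, dst_wc, port, established, log)


def entry_matches(e, p):
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc) or not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    if e.established and not (p.protocol == "tcp" and (p.ack or p.rst)):
        return False
    return True


def evaluate(acl, packet, log_sink=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if entry_matches(e, packet):
            if e.log and log_sink is not None:
                log_sink.append(f"{e.action} {packet.protocol} {packet.src} -> {packet.dst}")
            return e.action
    return "deny"


# Constructed ACL in the style of the notes' access-list 101
ACL_101 = [parse_entry(line) for line in [
    "access-list 101 permit tcp any host 10.1.1.1 eq telnet",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 established",
    "access-list 101 deny ip any any log",
]]

if __name__ == "__main__":
    sink = []
    for pkt in [Packet("tcp", "192.0.2.5", "10.1.1.1", 23),
                Packet("tcp", "10.1.1.7", "172.16.1.9", 80),
                Packet("tcp", "10.1.1.7", "172.16.1.9", 80, ack=True),
                Packet("udp", "10.1.1.7", "172.16.1.9", 53)]:
        print(pkt, "->", evaluate(ACL_101, pkt, sink))
    print(sink)
```

The established keyword is worth tracing: it inspects nothing but the ACK/RST flag bits, so it lets return traffic of sessions started from inside through while blocking new SYN-only connections, which is the stateless approximation the reflexive ACL above replaces with a per-session entry. The explicit deny ip any any log at the end exists only to make the implicit deny visible in the logs.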
Configuring NAT
Configure static NAT
RouterA(config)#ip nat inside source static 192.168.10.5 216.1.1.3
RouterA(config)#int s0
RouterA(config-if)#ip nat outside (defines s0 as connecting to the outside network)
RouterA(config-if)#int e0
RouterA(config-if)#ip nat inside (defines e0 as connecting to the inside network)
Configure IPv6 DNS name servers
RouterA(config)#ip name-server server-address1 [server-address2 ... server-address6]
Configure PAT
RouterA(config)#access-list 20 permit 192.168.1.0 0.0.0.255 (define the ACL)
RouterA(config)#ip nat inside source list 20 interface s0 overload (apply it to interface s0)
NAT pool
RouterA(config)#ip nat pool cisco 216.1.1.1 216.1.1.14 netmask 255.255.255.240
RouterA(config)#access-list 10 permit 192.168.10.0 0.0.0.255
RouterA(config)#ip nat inside source list 10 pool cisco
Show commands
show ip nat translations (shows the NAT translation table)
debug ip nat (shows the NATting process)
IP version 6
128 bits → 32 hexadecimal digits (as opposed to 32 binary digits!)
Advantages over IPv4
Larger address space – aggregation of prefixes.
Mobility and security – IPsec is mandatory, Mobile IP is built in.
Transition richness – dual stack, tunnelling, NAT-PT
IPv6 has no broadcast!!! It uses multicast, unicast and anycast (one-to-nearest, ONLY ON ROUTERS). Multicast uses FF00::/8.
Types of unicast addresses
Global – routable. Aggregated upwards to ISPs. 2003::/3
Reserved – IETF reserved for research.
Private (FE8–FEF)
 o Site to site – site local. Routers forward within the site but not to the internet. FEC–FEF.
 o Link-local – refers to a particular physical link. Refers only to a particular segment. Automatic address configuration, neighbour discovery etc.
Loopback – ::1 test.
Unspecified – all zeros ::. Refers to itself, usually when asking for IP configuration.
Global unicast address: 48-bit global routing prefix. 16-bit subnet ID (used by an organisation for subnets).
Address prefixing takes place to reduce the size of the routing table.
Interface identifiers
This is essentially the host portion. 64 bits. Can be assigned a number of ways:
Manually – just like in IPv4. RouterX(config-if)#ipv6 address 2001:DB8:222:7272::72/64
EUI-64
FFEE is inserted into the middle of the interface's MAC address. The 7th bit is set to 1 (global bit): 02 90 27 FF EE 17 FC 0F
RouterX(config-if)#ipv6 address 2001:DB8:0:1::/64 eui-64
Stateless autoconfiguration
Determined from router advertisements. It can be a while to wait, so a node/device sends a solicitation message asking for a router advertisement. This acts as a plug-and-play feature and does not need a DHCP server.
DHCPv6
Updated version of v4.
- Can be used with stateless
- Automatic DNS
- Looks at router advertisements to determine if DHCPv6 is used.
→ Send solicit → (DHCP) sends to the ALL-DHCP-Agents multicast with link-local scope. When it forwards a message it can send it to All-DHCP-Servers. You thus do not need to give a relay address like you do in DHCPv4. You can configure the DHCP server to give out addresses based on different policies (i.e. don't give global IPs to printers).
ipv6 unicast-routing enables IPv6. Nothing will work beforehand. 12.2(2)T
Host name configuration
ipv6 host name [port] add1, add2 ... add4. You can assign up to 4 IPv6 addresses for one hostname.
ip name-server dnsadd1 ... dnsadd6.
RIPng
Port 521 – FF02::9 multicast – modelled after v4.
RouterX(config)#ipv6 unicast-routing
RouterX(config)#ipv6 router rip EXAMPLENAME
RouterX(config)#interface Ethernet0
RouterX(config-if)#ipv6 address 2001:db8:1:1::/64 eui-64
RouterX(config-if)#ipv6 rip EXAMPLENAME enable
RouterX(config)#interface Ethernet1
RouterX(config-if)#ipv6 address 2001:db8:1:2::/64 eui-64
RouterX(config-if)#ipv6 rip EXAMPLENAME enable
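What the eui-64 keyword does to a MAC address, as an added example that is not part of the notes. It implements modified EUI-64 as RFC 4291 specifies: the 48-bit MAC is split in half, the 16-bit value FF FE is inserted between the halves, and the universal/local bit (bit 7 of the first byte, value 0x02) is inverted, which is why 00-90-27-... becomes 02 90 27 ... in the example above. The MAC and prefix are constructed, and the reverse function shows why the scheme matters for privacy: the hardware address can be read straight back out of the IPv6 address.

```python
# Added example (not from the original notes): modified EUI-64 interface IDs.
# MAC address and prefix below are constructed.
import ipaddress


def _mac_bytes(mac):
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return raw


def eui64_interface_id(mac):
    """RFC 4291 modified EUI-64: split the MAC, insert 0xFFFE in the middle,
    and invert the universal/local bit (bit 7 of the first byte, 0x02)."""
    raw = bytearray(_mac_bytes(mac))
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(address):
    """Reverse the process; returns None if the address is not EUI-64 derived.
    That this works at all is the privacy concern with EUI-64 addressing."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    addr = eui64_address("2001:DB8:0:1::/64", "00:90:27:17:fc:0f")
    print(addr.exploded)
    print(mac_from_eui64(addr))
```

Because the address is a deterministic function of the hardware, a host keeps the same interface ID in every network it joins, which lets it be tracked across networks; this is why operating systems default to randomised interface IDs (RFC 4941 privacy extensions) for client addresses, while EUI-64 remains common on router interfaces such as the ones configured above.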
Transitioning
Dual stack: a node can use IPv4 and IPv6 (2 protocol stacks). Can be configured on one or multiple interfaces. Chooses to use 4 or 6 based on the destination address (prefers 6 where possible). A new API is defined to support both (+ DNS requests). A small change in the source code of most apps will make them v6 compatible.
Tunnelling: protocol 41. 20-byte IPv4 header. Hard to troubleshoot. Decreases the MTU. It is recommended to number tunnel endpoints.
Manual – IPv6 encapsulated in IPv4 – needs dual stack.
Dynamic 6to4 – IPv6 islands in an IPv4 network.
Intra-Site Automatic Tunnel Addressing Protocol – uses the underlying IPv4 network as a link layer for IPv6.
Teredo – host-to-host tunnelling (no router). Passes IPv6 unicast when NAT is in between.
Proxy and translation (NAT-PT) – translate one type into another.
Enabling an IPv6 tunnel
RouterA(config)#interface tunnel0 (create the tunnel interface)
RouterA(config-if)#description IPv6 tunnel to RouterA (identify the tunnel)
RouterA(config-if)#ipv6 unnumbered ethernet0 (use the IPv6 address on e0 for the tunnel)
RouterA(config-if)#tunnel source ethernet0 (set the tunnel source as e0)
RouterA(config-if)#tunnel destination 192.168.10.2 (IPv4 address where the tunnel ends)
RouterA(config-if)#tunnel mode ipv6ip (manual IPv6-in-IPv4 tunnel mode)
Virtual Private Networks
A VPN is an encrypted connection between private networks OVER a public network such as the internet. A VPN uses IPsec to form virtual connections that are routed through the internet.
Types of VPNs
(1) Site to site –
 o Connects two whole networks to one another (i.e. site office to headquarters). Leased lines or Frame Relay used to be used for this.
 o Hosts do not have VPN client software
 o They use a VPN gateway – router/firewall/VPN concentrator/ASA 5500
 o It encapsulates, encrypts and sends over the VPN tunnel (and vice versa)
(2) Remote access –
 o Evolution of circuit-switched networks (POTS, ISDN)
 o Supports telecommuters, mobile users – connects individual users.
 o Used to use dial-in. Now all they have to do is access the net.
 o Client VPN client software IS needed.
 o Sends data to the VPN gateway.
Cisco Easy VPN
Has 2 parts:
(1) VPN server/gateway – concentrator/PIX firewall/ASA adaptive security appliance/Cisco IOS router. Can terminate remote access or site-to-site VPNs (that use Cisco Easy VPN remote nodes).
(2) VPN remote clients – can receive security policies (thus minimising configuration). VPN parameters (Internet IP/SN/DHCP/WINS/split-tunnelling flags) can be pushed from the server to the remote device thanks to Cisco Easy VPN. Split tunnelling = you can access the internet at the same time that you are using the VPN.
Benefits:
 o Dynamic config
 o VPN config is INDEPENDENT of end-user network details.
 o Centralised security policy.
 o Large-scale deployment
Restrictions:
 o No manual NAT or PAT – the remote client does NAT/PAT for the tunnel automatically.
 o Only 1 destination peer/tunnel connection is supported.
 o Requires destination servers – remote access servers needed.
 o PSK and XAUTH are the authentication. No digital certificates.
 o Only ISAKMP is used – they use group 2 negotiation.
 o Some transform sets are not included (auth OR encryption only = not supported)
IPsec SSL VPN (WebVPN)
Uses the web + native SSL encryption. SECURE ACCESS IS PROVIDED → REGARDLESS OF ENDPOINT HOST. No software client if the needs are modest. Two methods of access: clientless & thin client. Users can access files, email and TCP applications without client software. Best for per-application users or access from privately owned devices (laptops etc.).
Benefits:
 o Compatible with Dynamic Multipoint VPNs
 o Compatible with Cisco firewalls
 o Compatible with IPsec
 o Compatible with intrusion prevention systems
 o Compatible with Cisco Easy VPN
 o Compatible with NAT.
Restrictions:
 o Supported only in software.
 o The router CPU processes the WebVPN connections
 o On-board VPN accelerators accelerate only IPsec.
Components of VPNs
Cisco provides VPN-enabled routers.
Cisco ASA 5500 Series Adaptive Security Appliance:
 o Provides remote access and site-to-site support
 o Has IPsec and SSL VPN on one platform
 o Also has firewall and IPS technology
 o Remote access VPNs require one of the following 3 clients:
1. Certicom client – wireless PDA client
2. Cisco VPN 3002 hardware client (legacy) – connects a SOHO to the VPN. 1- or 8-port switch version. Replaces SOHO PC applications.
3. Cisco VPN software client – software loaded onto a PC. Can establish encrypted end-to-end tunnels. The Cisco Easy VPN client can receive its security config from the Easy VPN server.
IPsec
Operates at the network layer. FRAMEWORK OF OPEN STANDARDS → can thus implement newer algorithms without having to redesign the framework. Encryption (digital scrambling): data + encryption algorithm + key (string of digits) = unreadable cipher. LONGER KEY = MORE SECURE. DH (Diffie-Hellman) key agreement is a public key exchange. It allows 2 peers to establish a secret shared key even though it is over an insecure channel.
Encryption algorithms:
(1) DES (Data Encryption Standard) – 56-bit key. Symmetric key.
(2) 3DES (Triple DES) – data is broken into 64-bit blocks. 3 different 56-bit keys encrypt the data one by one. Symmetric key.
(3) AES (Advanced Encryption Standard) – computationally better than 3DES. 128, 192 or 256-bit keys.
(4) RSA (Rivest, Shamir and Adleman) – asymmetric key. 512+ bits in key length. IPsec doesn't use RSA. IKE uses it for peer authentication.
Integrity
Adds a hash to the method. Transmitted hash = received hash = OK. Message + hash algorithm + key = message + hash value.
HMAC (Hash Message Authentication Code) algorithms (these also authenticate):
(1) MD5 (Message Digest 5) – 128-bit shared key. Output is a 128-bit hash that is appended.
(2) SHA-1 (Secure Hash Algorithm) – 160-bit secret key. Output is a 160-bit hash that is appended.
Authentication
You are who you say you are. Peer authentication methods:
(1) PSKs – manually entered into each peer. PSK + other info = key.
(2) RSA signatures – exchanges digital certificates. The local end makes a hash with its private key. The remote end makes the hash with the public key. Match = genuine.
Anti-replay protection
Verifies that there is no duplication. Compares the seq # with the receiver's sliding window. Outside the window = late or duplicate = drop.
IPsec protocol framework – the two main protocols
AH (Authentication Header): authenticates, checks integrity. NO encryption.
ESP (Encapsulating Security Payload): authentication (for the packet and ESP header) and encryption. Conceals payload and source/destination.
One or the other must be selected.
Framework choices (from the notes' table):
IPsec protocol: ESP | AH | both
Encryption: DES | 3DES | AES
Authentication: MD5 | SHA
DH: DH1 | DH2 | DH5
PPP
PPP is an encapsulation protocol for transporting IP traffic over point-to-point (leased line) serial connections. Frames are encapsulated before being sent over the WAN link. Synchronous and asynchronous circuits.
Configuring PPP
- POTS (asynchronous)/ISDN and point-to-point (synchronous)
- LCP negotiates and sets up options (configures the link).
- NCP carries packets from the network layer protocols.
Three-phase setup process:
(1) Establish link – LCP packets are sent back and forth. MTU units. Compression size. Authentication. Option not included = default assumed.
(2) Authentication – PAP or CHAP.
(3) Network layer protocol phase – NCP packets are sent to configure L3.
PAP – two-way handshake. Repeatedly sends the UN and PW until authentication or timeout. Passwords are sent in plain text. No protection against repeated attempts. The remote node determines the attempt frequency.
CHAP – uses a 3-way handshake. The local router sends a challenge to the remote node. The remote node responds with a one-way hash function (MD5). The local router accepts or rejects. Challenges vary. The local router or authentication server determines the frequency.
Configuration:
(1) Enable PPP encapsulation.
(2) Enable authentication.
Enabling authentication
(1) Give the router a name (hostname) – must match the username that the local router is expecting.
(2) Define the username and password on each router. There must be a username entry for each remote router.
(3) Pick an authentication method: ppp authentication {chap | pap | pap chap | chap pap}. If both are specified the first one mentioned will be tried first. If the peer suggests the second method or rejects the first, the second is tried.
show interface (LCP Open means LCP has established a session)
debug ppp authentication ("by both" is two-way CHAP authentication; I = incoming, O = outgoing; the id field matches a response with its request)
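The CHAP three-way handshake from the PPP section, simulated in-process so the three messages and the role of the id field can be seen, with PAP's request alongside for contrast. This is an added example, not code from the notes: the username/secret table and the peer name are constructed, and the response is computed as RFC 1994 specifies, MD5 over the identifier byte, the shared secret and the challenge. The handshake function returns what actually crosses the link so the test can confirm the secret never appears in it.

```python
# Added example (not from the original notes): PPP CHAP versus PAP.
# Usernames and secrets below are constructed.
import hashlib
import hmac
import os

# The "username <name> password <secret>" entries on the local router
# (constructed); the remote router holds the same secret for its own name.
USERS = {"RouterB": b"s3cret-shared"}


def chap_response(identifier, secret, challenge):
    """Peer side: MD5 over identifier || secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, name, response):
    """Authenticator side: recompute with the stored secret and compare."""
    secret = USERS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_handshake(peer_name, peer_secret, rng=os.urandom):
    """Run the three-way exchange and return (authenticated, wire).
    `wire` lists the messages that cross the link; the secret is not one of them."""
    identifier = rng(1)[0]          # id field pairs a response with its challenge
    challenge = rng(16)             # fresh random value for every handshake
    wire = [("Challenge", identifier, challenge)]                  # local -> remote
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("Response", identifier, response, peer_name))     # remote -> local
    ok = chap_verify(identifier, challenge, peer_name, response)
    wire.append(("Success" if ok else "Failure", identifier))      # local -> remote
    return ok, wire


def secret_on_wire(wire, secret):
    """True if the raw secret appears in any field of any message."""
    return any(isinstance(f, bytes) and secret in f for msg in wire for f in msg)


def pap_request(name, password):
    """PAP's two-way handshake: the credentials themselves are the message."""
    return [("Authenticate-Request", name, password)]


if __name__ == "__main__":
    ok, wire = chap_handshake("RouterB", b"s3cret-shared")
    print("authenticated:", ok)
    for msg in wire:
        print(" ", msg)
    print("secret visible on the wire:", secret_on_wire(wire, b"s3cret-shared"))
    print("PAP:", secret_on_wire(pap_request("RouterB", b"s3cret-shared"), b"s3cret-shared"))
```

Because every challenge is fresh, a captured response is useless against a later challenge, which is the property the notes summarise as "challenges vary"; the trade-off is that both sides must hold the secret in a form they can feed into MD5, so the username entries are stored reversibly on the router and the service password-encryption command from the security section does not give them real protection.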
Typical WAN protocols
HDLC (High-Level Data Link Control) – this is the default on point-to-point connections, dedicated links and circuit-switched connections. It is a bit-oriented synchronous L2 protocol.
PPP (Point-to-Point Protocol) – uses synchronous and asynchronous circuits. Designed to work with higher levels like IP. Has PAP and CHAP.
Frame Relay – switched L2 protocol that uses multiple VCs. No error correction or flow control.
ATM – 53-byte cell switching. Video and voice. Fixed length = fast processing.
Broadband – two transmissions share a medium.
 o DSL – PPPoE (encapsulates PPP in Ethernet frames) & PPPoA go over the local telephone network. Auth. Encr. Compr.
 o Cable – Ethernet uses a cable modem over cable TV infrastructure. 3 Mbps – 30 Mbps. Uses Ethernet frames.
Metro Ethernet – point-to-point and multipoint services in business areas.
Frame Relay
Connection oriented. Relies on upper layers for error correction. Frame Relay defines the connection between the router and the Frame Relay cloud edge. IT HAS NOTHING TO DO WITH HOW THINGS ARE ROUTED WITHIN THE FRAME RELAY CLOUD.
DTE – FRADs, routers and bridges. Owned by the customer.
DCE – provides clocking and switches. Transmits data through the WAN.
There are many VCs over a single connection. Connection IDs are assigned to DTE devices. Connection IDs are mapped to outbound ports in switching tables. The path to the destination is established before the first frame is sent.
Frame Relay terms
Local access rate – clock speed of the connection to the Frame Relay cloud
VC – a logical circuit. The DLCI is the identifier. Connects one DTE to another. Multiple VCs on one circuit.
PVC – no call setup/teardown. Always up.
SVC – dynamic/temporary.
DLCI – 10-bit VC connection identifier. LOCALLY SIGNIFICANT. 2 devices = different DLCIs for the same VC.
CIR (committed information rate) – max average data rate that the network tries to deliver. Specified when you subscribe. If you go over, some frames are tagged as DE (discard eligible). CIR = 0 = all frames are DE.
Inverse ARP – lets a router find the IP address of a remote DTE based on the DLCI.
LMI (local management interface) – this is a signalling standard between the DTE and the local Frame Relay switch (DCE). It manages the connection.
FECN (forward explicit congestion notification) – bit is set on the way to the recipient DTE, which passes it up to higher protocols for processing.
BECN (backward explicit congestion notification) – set in frames that travel in the opposite direction to frames with FECN bits set. This is so the source DTE can learn of congestion.
Topology types – partial mesh, full mesh (all routers have VCs to all other destinations; n(n-1)/2 links), star topology (the most common Frame Relay topology).
A FRAME RELAY NETWORK PROVIDES NBMA CONNECTIVITY BETWEEN REMOTE SITES. ALL ROUTERS ARE ON THE SAME SUBNET.
NBMA networks are usually built in a hub-and-spoke topology. With a hub-and-spoke topology the physical setup does not have the multi-access capabilities that Ethernet does. This means that each router may not be able to have separate PVCs to reach the other remote routers on the same subnet. This makes split horizon an issue because you have to run multiple PVCs over one network.
NBMA problems when using a single interface to interconnect multiple sites
Routing updates: Router A sends an update to Router Center. Router Center cannot send the routing update out of the interface to the other router (because of the split horizon rule).
Solutions:
- Turn off split horizon. Not all network layers let you do this.
- Use a full mesh topology. Expensive.
- Use sub-interfaces. Each VC can be considered a point-to-point connection. Each sub-interface can be on its own subnet.
Broadcast replication: if you have to broadcast out of one interface (to multiple remote devices) then you have to send multiple broadcasts out over the same link, which can cause latency.
Each VC is mapped to a DLCI. Routers use LMI to find their local DLCI. They use Inverse ARP to find the remote IP based on their DLCI. I.e. the router figures out that DLCI 500 is associated with 10.1.1.1. If the router needs to talk to 10.1.1.1 it uses DLCI 500.
You can manually map DLCIs to IP addresses. Cisco routers try to autodetect the type of LMI that the Frame Relay router uses. The router sends out an LMI status request and uses the latest that the switch sends back. The type can also be manually configured.
LMI types: Cisco, ANSI and Q.933A
VC statuses
Active – can go ahead and exchange data.
Inactive–ConnectiontoDCEok.ButremoterouterconectiontoDCEisnotok.Deleted–noconnectionorLMIbeingreceived.
HowFrameRelayworks
1. RouterconnectstoFrameRelayswitchthroughCSU/DSU2. RoutersendsLMIenquiry.Asksforconnectionsstatus’oftheroutersVCs.3. FrameRelayswitchreplieswithlocalDLCIsoftheVCs.4. RoutersendsoutIARPforeachDLCItointroduceitself.5. RemoterouterreceivedIARPandmakesanentryinitsFrameRelaymaptable(IPàlocalDLCI)6. IARPsaresenttoallVCsevery60sLMIkeepalivesaresenttoFrameRelayswitchevery10s.7. RouterchangesVCstatusbasedonLMIsfromFrameRelayswitch.
Configuring
RouterX(config)# interface serial 1
RouterX(config-if)# ip address 10.16.0.1 255.255.255.0
RouterX(config-if)# encapsulation frame-relay [cisco | ietf]   (use cisco when both ends are Cisco routers)
RouterX(config-if)# frame-relay lmi-type [ansi | cisco | q933a]   (IOS 11.2 or later autosenses the LMI type)
RouterX(config-if)# bandwidth 64   (affects OSPF and EIGRP metrics)
RouterX(config-if)# frame-relay inverse-arp ip 16   (protocol and DLCI; Inverse ARP is on by default)
Inverse ARP cannot be relied on when the Frame Relay peers use different Frame Relay encapsulations. To control broadcast and multicast traffic you must manually map network addresses to DLCIs:
RouterX(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco] [payload-compress packet-by-packet]
broadcast allows broadcast and multicast traffic over the VC, which lets you run a dynamic routing protocol over it.
payload-compress packet-by-packet enables a type of compression.
Sub-interfaces
Point-to-point: each subinterface has a single DLCI. Both ends are on the same subnet. Update traffic is not subject to split horizon.
RouterX(config)# interface serial 0
RouterX(config-if)# no ip address
RouterX(config-if)# encapsulation frame-relay
RouterX(config-if)# interface serial 0.110 point-to-point
RouterX(config-subif)# ip address 10.17.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay interface-dlci 110
RouterX(config-subif)# interface serial 0.120 point-to-point
RouterX(config-subif)# ip address 10.18.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay interface-dlci 120   (must be defined to distinguish the subinterface from the physical interface)
DO NOT USE frame-relay interface-dlci ON PHYSICAL INTERFACES.
Multipoint: the single multipoint subinterface carries multiple PVCs. All are on the same subnet. Update traffic is subject to split horizon.
RouterX(config)# interface serial 0
RouterX(config-if)# no ip address
RouterX(config-if)# encapsulation frame-relay
RouterX(config-if)# interface serial 0.2 multipoint
RouterX(config-subif)# ip address 10.17.0.1 255.255.255.0
RouterX(config-subif)# bandwidth 64
RouterX(config-subif)# frame-relay map ip 10.17.0.2 120 broadcast
RouterX(config-subif)# frame-relay map ip 10.17.0.3 130 broadcast
RouterX(config-subif)# frame-relay map ip 10.17.0.4 140 broadcast   (static mapping)
RouterX(config-subif)# no ip split-horizon   (split horizon must be disabled to avoid problems)
IF YOU HAVE CONFIGURED THE SUBINTERFACE AS MULTIPOINT AND INVERSE ARP IS ENABLED, YOU MUST CONFIGURE THE LOCAL DLCI FOR THE SUBINTERFACE TO DISTINGUISH IT FROM THE PHYSICAL INTERFACE (I.E. BY TYPING frame-relay interface-dlci 120). YOU DO NOT NEED TO IN THE ABOVE EXAMPLE BECAUSE YOU ARE STATICALLY MAPPING THE IPs TO THE DLCIs.
Verification commands:
show interfaces
show frame-relay pvc
show frame-relay lmi
debug frame-relay lmi
show frame-relay map
clear frame-relay-inarp
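The split horizon problem described at the start of this section (Router Center cannot re-advertise a spoke's update out of the interface it arrived on) and the point-to-point versus multipoint subinterface behaviour above, as an added example that is not part of the original notes: a toy distance-vector routing process is run over a hub-and-spoke cloud in three configurations. The router names, interface names and prefixes are constructed; the update exchange is a simplified RIP-style hop count with no timers.

```python
# Added example (not from the original notes): a toy distance-vector routing
# process over a hub-and-spoke Frame Relay cloud, showing why spoke routes do
# not propagate through a single multipoint interface when split horizon is on,
# and why point-to-point subinterfaces (or "no ip split-horizon") fix it.
# Router names, interfaces and prefixes are constructed for the example.


class DVRouter:
    def __init__(self, name, split_horizon=True):
        self.name = name
        self.split_horizon = split_horizon
        self.routes = {}  # prefix -> (hop count, interface learned on; None = connected)
        self.links = {}   # local interface -> [(neighbour router, neighbour's interface)]

    def add_connected(self, prefix):
        self.routes[prefix] = (0, None)

    def connect(self, iface, neighbour, neighbour_iface):
        """One VC. A multipoint interface gets several of these on the same iface."""
        self.links.setdefault(iface, []).append((neighbour, neighbour_iface))

    def advertise(self):
        """Send the routing table out of every interface; with split horizon on,
        a route is never sent back out of the interface it was learned on."""
        for iface, peers in self.links.items():
            update = {prefix: hops for prefix, (hops, via) in self.routes.items()
                      if not (self.split_horizon and via == iface)}
            for neighbour, neighbour_iface in peers:
                neighbour.receive(neighbour_iface, dict(update))

    def receive(self, iface, update):
        for prefix, hops in update.items():
            candidate = hops + 1
            current = self.routes.get(prefix)
            if current is None or candidate < current[0]:
                self.routes[prefix] = (candidate, iface)


def build_cloud(topology, hub_split_horizon=True):
    """topology: 'multipoint' (one Serial0 on the hub carrying both VCs) or
    'point-to-point' (one subinterface per VC on the hub)."""
    hub = DVRouter("R1", split_horizon=hub_split_horizon)
    spoke_a, spoke_b = DVRouter("R2"), DVRouter("R3")
    hub.add_connected("10.1.0.0/24")
    spoke_a.add_connected("10.2.0.0/24")
    spoke_b.add_connected("10.3.0.0/24")
    if topology == "multipoint":
        hub.connect("Serial0", spoke_a, "Serial0")
        hub.connect("Serial0", spoke_b, "Serial0")
        spoke_a.connect("Serial0", hub, "Serial0")
        spoke_b.connect("Serial0", hub, "Serial0")
    elif topology == "point-to-point":
        hub.connect("Serial0.102", spoke_a, "Serial0")
        hub.connect("Serial0.103", spoke_b, "Serial0")
        spoke_a.connect("Serial0", hub, "Serial0.102")
        spoke_b.connect("Serial0", hub, "Serial0.103")
    else:
        raise ValueError(topology)
    for _ in range(4):  # enough update rounds for this small topology to converge
        for router in (hub, spoke_a, spoke_b):
            router.advertise()
    return hub, spoke_a, spoke_b


def spoke_sees_other_spoke(topology, hub_split_horizon=True):
    """Does R3 end up with a route to R2's LAN?"""
    _, _, spoke_b = build_cloud(topology, hub_split_horizon)
    return "10.2.0.0/24" in spoke_b.routes


if __name__ == "__main__":
    print(spoke_sees_other_spoke("multipoint"))                           # False
    print(spoke_sees_other_spoke("multipoint", hub_split_horizon=False))  # True
    print(spoke_sees_other_spoke("point-to-point"))                       # True
```

In the multipoint case the hub learns 10.2.0.0/24 on Serial0 and, with split horizon on, never sends it out of Serial0 again, so R3 never hears about it; with point-to-point subinterfaces the route arrives on Serial0.102 and leaves on Serial0.103, which split horizon does not object to.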
Troubleshooting Frame Relay
Check the Frame Relay link – use show interfaces serial to see if there is a layer 1 problem. show controllers serial can show whether the cable is present and correctly recognised.
To perform a loopback test:
1. Set the encapsulation to HDLC and the keepalive to 10 s.
2. Set the CSU/DSU to loopback mode.
3. If the line protocol comes up, the problem is beyond the CSU/DSU.
4. Ping is also useful (see page 349).
The DLCI can be wrong. Use the show frame-relay pvc command to check; if the PVC shows as DELETED it could be configured incorrectly. If the interface is up but the line protocol is down, it could be a layer 2 problem; check with the show frame-relay lmi command.
NEXT... check the remote router. Check the remote router's map with show frame-relay map. If you have recently changed the interface address on the remote Frame Relay router, use the clear frame-relay-inarp command so that you do not keep incorrect DLCI-to-IP mappings. If the remote router does not support Inverse ARP, you may need to statically map the DLCIs to IPs. ACLs could be stopping the traffic from getting through; temporarily disable them to see if this is the issue.
NEXT... check end-to-end connectivity. Check the routing tables, including the default gateway of the source node. If routing protocols are not working, check that broadcast traffic is supported on the VC using the show frame-relay map command (if Inverse ARP is in use, broadcast is in effect enabled automatically).
Administrative distances
Route Source        AD
Connected Route     0
Static Route        1
External BGP        20
Internal EIGRP      90
IGRP                100
OSPF                110
IS-IS               115
RIP                 120
External EIGRP      170
Internal BGP        200
Unknown             255

Private IP Ranges (RFC 1918)
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Well-known Reserved Multicast addresses (non-exhaustive)
Multicast Address   Group Members
224.0.0.1           All Hosts
224.0.0.2           All Routers
224.0.0.5           All OSPF Routers
224.0.0.6           All OSPF DRs
224.0.0.9           All RIPv2 Routers
224.0.0.10          All EIGRP Routers
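How the administrative distance table is actually used, as an added example that is not from the original notes: a router installs only the lowest-AD route for each prefix in its routing table, and forwarding then picks the longest matching prefix, so a /24 learned by RIP still beats a /8 static route. The example goes beyond the notes in one respect, a "floating" static route, i.e. a static route configured with an AD higher than the default of 1 so that it only takes over when the dynamic route disappears. The prefixes, metrics and next hops are constructed for the example; the AD values are the defaults from the table above.

```python
# Added example (not from the original notes): route selection by administrative
# distance and longest prefix match. ADMIN_DISTANCE holds the Cisco defaults from
# the table above; CANDIDATES is constructed routing information for the demo.
import ipaddress
from typing import NamedTuple, Optional

ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "igrp": 100,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
    "unknown": 255,
}


class Route(NamedTuple):
    prefix: str                # e.g. "10.1.1.0/24"
    source: str                # key into ADMIN_DISTANCE
    metric: int                # the protocol's own metric; only comparable within one source
    next_hop: str
    ad: Optional[int] = None   # explicit AD override, e.g. 250 for a floating static route

    @property
    def admin_distance(self):
        return ADMIN_DISTANCE[self.source] if self.ad is None else self.ad

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def install_rib(candidates):
    """Per prefix, only the route with the lowest AD (then lowest metric) goes into
    the routing table; the losers stay with their protocol as backups."""
    rib = {}
    for route in candidates:
        best = rib.get(route.network)
        if best is None or (route.admin_distance, route.metric) < (best.admin_distance, best.metric):
            rib[route.network] = route
    return rib


def lookup(rib, destination):
    """Forwarding decision: longest prefix match among the installed routes."""
    dest = ipaddress.ip_address(destination)
    matches = [route for net, route in rib.items() if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda route: route.network.prefixlen)


def select_route(destination, candidates):
    return lookup(install_rib(candidates), destination)


CANDIDATES = [  # constructed routing information for the demo
    Route("10.0.0.0/8", "static", 0, "192.0.2.1"),
    Route("10.1.1.0/24", "rip", 3, "192.0.2.2"),
    Route("10.1.1.0/24", "ospf", 20, "192.0.2.3"),
    Route("10.1.1.0/24", "eigrp", 3_000_000, "192.0.2.4"),
    Route("10.1.1.0/24", "static", 0, "192.0.2.5", ad=250),  # floating static backup
    Route("0.0.0.0/0", "static", 0, "198.51.100.1"),
]

if __name__ == "__main__":
    # EIGRP (AD 90) wins over OSPF and RIP for 10.1.1.0/24 despite its much larger metric
    print(select_route("10.1.1.5", CANDIDATES).source)
    # 10.9.9.9 is not covered by the /24, so the /8 static wins over the default route
    print(select_route("10.9.9.9", CANDIDATES).prefix)
    # With the dynamic routes gone, the AD 250 floating static takes over
    backup_only = [r for r in CANDIDATES if r.source not in ("eigrp", "ospf", "rip")]
    print(select_route("10.1.1.5", backup_only).admin_distance)
```

The metric is compared only as a tie-breaker within one source; comparing an EIGRP composite metric with an OSPF cost would be meaningless, which is exactly why the AD exists.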
Connections from a host to a hub, or from a hub to a switch, must be half duplex because a hub is simply a repeater and does not guarantee a collision-free path.
Enabling port security (can only be done on an access port)
Switch(config)# int fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 1111.2222.3333
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
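The behaviour those commands produce, as an added example that is not from the original notes: a small simulation of a secure port that applies the maximum, a static MAC, sticky learning and the violation mode to a stream of frames, so the difference between restrict and shutdown (and the third IOS mode, protect, which the notes do not list) can be seen. The MAC addresses, traffic and event wording are constructed for the example.

```python
# Added example (not from the original notes): port-security rules as a small
# state machine. MAC addresses, traffic and event wording are constructed for the
# example; "protect" is the third IOS violation mode and is included for completeness.


class SecurePort:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(violation)
        self.name = name
        self.maximum = maximum          # switchport port-security maximum N
        self.violation = violation      # switchport port-security violation MODE
        self.sticky = sticky            # switchport port-security mac-address sticky
        self.secure_macs = {}           # MAC -> "static" | "sticky" | "dynamic"
        self.err_disabled = False       # set by a violation in shutdown mode
        self.violation_count = 0        # incremented in restrict mode (show port-security)
        self.running_config = []        # lines a sticky port writes into the running config
        self.events = []                # notifications (restrict and shutdown only)

    def add_static_mac(self, mac):
        """switchport port-security mac-address H.H.H"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("more static MACs than the configured maximum")
        self.secure_macs[mac.lower()] = "static"

    def receive(self, src_mac):
        """Process one ingress frame. Returns True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                # nothing passes until an operator recovers the port
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            if self.sticky:
                self.secure_macs[mac] = "sticky"
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            else:
                self.secure_macs[mac] = "dynamic"   # not saved; lost on reload or link down
            return True
        # Table is full and this source is not a secure MAC: a violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.events.append(f"{self.name}: violation by {mac}, port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.events.append(f"{self.name}: violation by {mac}, frame dropped")
        # protect: the frame is dropped silently, with no counter and no notification
        return False

    def shutdown_no_shutdown(self):
        """Operator recovery from err-disable. Static and sticky entries survive;
        dynamic ones are flushed and have to be relearned."""
        self.err_disabled = False
        self.secure_macs = {m: kind for m, kind in self.secure_macs.items() if kind != "dynamic"}


def replay(port, frames):
    """Apply a list of source MACs to the port; return the forwarding decision per frame."""
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    # The configuration from the notes: maximum 3, one static MAC, sticky, violation restrict
    fa0_1 = SecurePort("Fa0/1", maximum=3, violation="restrict", sticky=True)
    fa0_1.add_static_mac("1111.2222.3333")
    # Constructed traffic: the static host, two new hosts, a fourth host, then a known host again
    print(replay(fa0_1, ["1111.2222.3333", "aaaa.bbbb.0001", "aaaa.bbbb.0002",
                         "dead.beef.0003", "aaaa.bbbb.0001"]))   # [True, True, True, False, True]
    print(fa0_1.violation_count, fa0_1.err_disabled)             # 1 False
    print(fa0_1.running_config)                                  # the two sticky lines

    # Default mode (shutdown), maximum 1: the second source err-disables the port
    fa0_2 = SecurePort("Fa0/2", maximum=1)
    print(replay(fa0_2, ["aaaa.bbbb.0010", "dead.beef.0011", "aaaa.bbbb.0010"]))  # [True, False, False]
```

With restrict the port keeps working for the secure hosts and the violation counter and notification give the operator something to alert on; with shutdown the legitimate host on that port is cut off too, so the trade-off is availability against an unmistakable signal.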