Layer | Notes
---|---
Application | Application interface (not the application itself); services that support applications; service advertisement
Presentation | Encryption, compression, translation, presentation format
Session | Keeps different applications' data separate; dialog control (simplex, half duplex, full duplex); sets up, maintains and tears down the session; acks can also happen here; e.g. NetBIOS/NetBEUI
Transport | Segments (some Cisco material loosely says packets); reliable/connection-oriented (TCP) or unreliable/connectionless (UDP) delivery; error correction before retransmit; flow control (buffering, windowing, congestion avoidance)
Network | Packets or datagrams; logical addressing (IP addresses); switching (routing); connection services: flow control and packet reordering
Data Link | Frames; MAC addresses. MAC sublayer: physical addressing, logical topology, method of transmitting on the media (e.g. CSMA/CD). LLC sublayer: logical link control, flow control, error control, synchronous transmission
Physical | Bits, e.g. current-state modulation: 0 volts is 0, +5 or -5 volts is 1. Physical topologies. Async vs sync: async frames each character with a START bit and a STOP bit and the receiver uses its own internal clock; sync means sender and receiver run off a shared clock, frequently referenced to an external clock. Bandwidth usage: broadband (different communication flows use different frequency ranges) or baseband (a single stream uses all frequencies). Multiplexing: TDM (different channels get different time slots), statistical TDM (time slots allocated to channels based on current need), FDM (different channels get different frequencies)
ftp - tcp 20/21
ssh/sftp/scp - tcp 22
telnet - tcp 23
smtp - tcp 25
dns - tcp/udp 53
tftp - udp 69
dhcp - udp 67/68
http - tcp 80
pop3 - tcp 110
nntp - tcp 119
ntp/sntp - udp 123
imap4 - tcp 143
ldap - tcp 389
https - tcp 443
rsh - tcp 514
rtsp - tcp/udp 554
rdp - tcp 3389
Device / medium | Notes
---|---
hub/repeater | Layer 1; every port in one collision domain and one broadcast domain
MAU | Media Access Unit, Token Ring; layer 1 device, ring topology, no collision domain, 1 broadcast domain
bridge/switch | Layer 2; forwards on learned MAC addresses; each port is its own collision domain; all ports are one broadcast domain (one per VLAN once VLANs are configured)
coax cable | 10BASE2 thinnet/cheapernet (185 m limit); 10BASE5 thicknet (500 m limit, AUI 15-pin adapter)
twisted pair | UTP cat 3, cat 5, cat 5e, cat 6
fiber optic |

Ethernet
--------
Developed at Xerox (PARC) in the early 1970s.
10BASE2: 10 Mbps, baseband (the signal takes all frequencies), thinnet/cheapernet, 185 m segment limit.
10BASE5: 500 m segment limit, AUI 15-pin adapter, thicknet.
UTP: cat 3, cat 5, cat 5e, cat 6.

Switch forwarding: forwards based on learned MAC addresses; unknown unicast, multicast and broadcast frames are flooded out every other port. A switch stands between 2 different collision domains. An ARP broadcast asks for the MAC address that goes with an IP address; the switch floods the broadcast and at the same time learns the source MAC address and incoming port into its CAM table.

MAC address: 48 bits. The first 3 bytes are the OUI (organizationally unique identifier / vendor code), the last 3 bytes are assigned by the vendor. The CAM table on the switch records MAC addresses from the source address of received frames.

Layer 2 shared bus: CSMA/CD. A collision is interference when 2 stations transmit at the same time; the colliding station keeps sending a jam signal on the shared segment and each station then waits a random backoff timer. Hub: all ports in the same collision domain. Switch: each port is its own collision domain. Full duplex disables CSMA/CD.

Broadcast domain: how far a broadcast (ff:ff:ff:ff:ff:ff) reaches. Every switch and hub port (L2 and L1) is in one broadcast domain; routers and L3 switches (L3 devices) separate broadcast domains.
CISC Complex instruction Set Computing RISC Reduced Instruction Set Computing ASICs Application Specific Integrated Circuits
Switch LEDs / mode-button cycle (what a port LED means depends on the selected mode):
System LED | Redundant Power Supply (RPS) | Port Status | BW Utilization | Duplex mode
CLI editing keys
----------------
ctrl-a - beginning of line
ctrl-e - end of line
ctrl-b / ctrl-f - back / forward one character
esc b / esc f - back / forward one word
ctrl-d - delete one character
ctrl-w - delete previous word
ctrl-k - delete to end of line
ctrl-u or ctrl-x - delete to beginning of line (deletes the whole line when the cursor is at the end)
ctrl-p / ctrl-n - prior / next command in history
Switch basic config
-------------------
> is user mode, # is privileged mode
show history
history size x
terminal history size x            ! only for this terminal session
show line                          ! cty (console) and 16 VTYs (virtual terminals)
show line vty 0
show running-config                ! show run; use / to search inside the output
show ip interface brief            ! interface, address, method, status (L1), protocol (L2)
ping 192.168.1.1                   ! icmp echo
conf t
 hostname DaSwitchName
 service password-encryption       ! type 7: reversible and trivially decoded; it only hides line passwords from casual viewing
 enable password DaPassword        ! cleartext - avoid
 enable secret DaPassword          ! better: type 5 salted MD5 hash; when both are set the enable password is ignored
 int vlan 1                        ! default vlan - all ports by default
  ip address 192.168.1.11 255.255.255.0
  no shutdown
 end                               ! exits config mode all the way out
conf t
 ip default-gateway 192.168.1.1
 line con 0
  password DaPassword
  login                            ! prompt for the above password
  exec-timeout 0 0                 ! minutes seconds; 0 0 disables the inactivity timer (lab convenience, not a production setting)
  logging synchronous              ! reprint the prompt after a log message interrupts command output
  exit                             ! exits this level of config mode
 line vty 0 15                     ! all the VTYs - the running config splits them into 0 4 and 5 15
  password DaOtherPassword
  login                            ! OR login local if usernames are set up
  transport input ssh              ! all | none | telnet | ssh; "ssh" alone allows only SSH, "telnet ssh" allows both
  history size 256                 ! number of commands remembered
  exec-timeout 30 0                ! 30 minute timeout
 end

Enable SSH login
----------------
username DaUser password DaPassword   ! stored cleartext, or type 7 with service password-encryption
username DaUser secret DaPassword     ! better: hashed. Type 4 (unsalted single SHA-256, IOS 15.0/15.1) turned out weaker than type 5 (MD5); prefer type 8 (PBKDF2-SHA256) or 9 (scrypt) on IOS that supports them
ip domain-name domain.com
crypto key generate rsa               ! RSA key pair for SSH; use a modulus of 2048 or more
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
banner login $                        ! $ is the delimiter - shown after the MOTD but before the login prompt
authorized access only! $
banner motd #                         ! MOTD - shown before the login prompt
banner exec #                         ! shown after login
write memory                          ! or wr, or copy running-config startup-config
show ip ssh
show ssh                              ! who is logged in via ssh
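The notes above say type 7 (service password-encryption) is weak. The following Python example, added here and not part of the original notes, shows exactly how weak: it decodes type 7 strings with the well-known fixed XOR key and audits a constructed config for cleartext, type 7 and type 4 credentials. The config, hostnames and the type 5 string are constructed for the example.

```python
"""Decode IOS type 7 passwords and audit a config for weak credential storage.

'service password-encryption' produces type 7 strings: a reversible XOR
against a fixed key, so it only hides passwords from casual viewing. Type 5
(salted MD5-crypt) and later types are one-way hashes and cannot be
reversed this way.
"""
import re

# Fixed XOR key used by IOS type 7. The first two digits of a type 7 string
# are the decimal starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """'0822455D0A16' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode()


def type7_encode(plain, offset=8):
    """Inverse of type7_decode; a real device picks the offset at random."""
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{body.hex().upper()}"


# Credential-carrying lines: enable password/secret, username ... password/secret,
# and line passwords. The optional digit after the keyword is the storage type.
_CRED_LINE = re.compile(
    r"^\s*(?:enable\s+(?:password|secret)|username\s+\S+\s+(?:password|secret)|password)"
    r"\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)"
)


def audit_config(config_text):
    """Return one finding per credential line; types 0, 4 and 7 are flagged."""
    findings = []
    for line in config_text.splitlines():
        m = _CRED_LINE.match(line)
        if not m:
            continue
        ptype = int(m.group("type") or 0)
        finding = {"line": line.strip(), "type": ptype, "recovered": None}
        if ptype == 0:
            finding["risk"] = "cleartext"
            finding["recovered"] = m.group("value")
        elif ptype == 7:
            finding["risk"] = "reversible (type 7)"
            finding["recovered"] = type7_decode(m.group("value"))
        elif ptype == 4:
            finding["risk"] = "weak hash (type 4: unsalted single SHA-256)"
        else:
            finding["risk"] = "one-way hash"
        findings.append(finding)
    return findings


# Constructed sample config (hostnames, passwords and the type 5 string are made up).
SAMPLE_CONFIG = """\
hostname DaSwitchName
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$abcd$0123456789abcdefghijkl
username DaUser password 7 0822455D0A16
line vty 0 15
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f["risk"], "->", f["line"], "| recovered:", f["recovered"])
```

Run it against a saved `show running-config` to see how many "encrypted" passwords fall out in seconds; that is the argument for `enable secret` and `username ... secret` over anything type 7 protects.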
show version                         ! "virtual ethernet" is the vlan interface; memory is shown as 2 numbers (e.g. 118784K/12280K) - add them for the total
sh ip int brief                      ! interface, address, method, status, protocol; Status up is L1, Protocol up is L2
show int fa 1/0/1                    ! bia = burned-in address, a different MAC per port. CRC errors on the full-duplex side or late collisions on the half-duplex side point to a duplex mismatch
show mac address-table               ! multiple addresses on one port if a switch is connected there; the CPU has special MACs, e.g. 0100.0ccc.cccc for CDP
show mac address-table aging-time    ! dynamic entries age out after 300 seconds (5 minutes) by default
Port security (per access port)
-------------------------------
int fa 1/0/10
 switchport mode access              ! access | dynamic | trunk | private-vlan | dot1q-tunnel; port-security needs access (or trunk), not dynamic
 switchport port-security
 switchport port-security maximum 2                   ! 1-6144; set it to the number of hosts that legitimately sit behind the port
 switchport port-security mac-address 0011.2233.4455  ! static, OR
 switchport port-security mac-address sticky          ! the first N learned addresses (N = maximum) are written into the running config
 switchport port-security violation protect           ! silently drops frames from addresses beyond the maximum
 switchport port-security violation restrict          ! drops them, increments the security violation counter, sends syslog / SNMP trap
 switchport port-security violation shutdown          ! (default) err-disables the port; clear with shutdown / no shutdown (or errdisable recovery)
show port-security
show port-security address           ! table of sticky-learned or statically configured addresses
show port-security int fa 1/0/10
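To make the CAM-table behaviour from the Ethernet notes and the three port-security violation modes concrete, here is a small switch model in Python. It is an added example, not code from the original notes: the port names and MAC addresses are constructed, and it models one switch only (no VLANs, no trunks).

```python
"""Model of a switch's CAM table and port-security, showing source-MAC
learning, flooding of unknown unicast/broadcast, and the protect /
restrict / shutdown violation modes."""
from collections import defaultdict

BROADCAST = "ffff.ffff.ffff"


def parse_mac(mac):
    """Accept Cisco dotted-hex (0011.2233.4455), colon or dash form."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def oui(mac):
    """First 3 bytes: organizationally unique identifier (vendor code)."""
    return parse_mac(mac)[:3].hex()


def is_group_address(mac):
    """I/G bit (least significant bit of the first byte) set => multicast or broadcast."""
    return bool(parse_mac(mac)[0] & 0x01)


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}                     # mac -> port, learned from source addresses
        self.psec = {}                    # port -> {"maximum", "mode", "addresses"}
        self.errdisabled = set()
        self.violations = defaultdict(int)

    def port_security(self, port, maximum=1, mode="shutdown", static=()):
        """switchport port-security maximum N / violation MODE / mac-address ..."""
        self.psec[port] = {"maximum": maximum, "mode": mode, "addresses": set(static)}

    def _check_security(self, port, src):
        cfg = self.psec.get(port)
        if cfg is None or src in cfg["addresses"]:
            return True
        if len(cfg["addresses"]) < cfg["maximum"]:
            cfg["addresses"].add(src)     # sticky / dynamic learning up to the maximum
            return True
        # Violation: the configured mode decides what happens.
        if cfg["mode"] == "protect":
            return False                  # drop silently, no counter, no trap
        self.violations[port] += 1        # restrict and shutdown both count it
        if cfg["mode"] == "shutdown":
            self.errdisabled.add(port)    # port goes err-disabled
        return False

    def receive(self, port, src, dst):
        """Return the egress ports for a frame arriving on `port`, after learning."""
        if port in self.errdisabled or not self._check_security(port, src):
            return []
        self.cam[src] = port              # learn source MAC on the ingress port
        if dst == BROADCAST or is_group_address(dst) or dst not in self.cam:
            # broadcast, multicast and unknown unicast are flooded
            return [p for p in self.ports if p != port and p not in self.errdisabled]
        out = self.cam[dst]
        return [] if out == port else [out]

    def clear_errdisable(self, port):
        """Equivalent of shutdown / no shutdown on the port."""
        self.errdisabled.discard(port)
```

The model is deliberately strict about one thing the CLI output can hide: in `protect` mode the violation counter never moves, so `show port-security` shows nothing happened even though frames are being dropped. If you want evidence, use `restrict` or `shutdown`.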
int fa 1/0/1
 speed 10 | 100 | auto
 duplex auto | full | half
 mdix auto                           ! media dependent interface crossover; needs speed and duplex set to auto
show int fa 1/0/1
interface range FastEthernet 0/11-20
 description end-users connect_here
show vlan brief                      ! which interfaces are in which vlan
conf t
 vlan 2
  name DaVLANName
 vlan 3
  name dontreallywantVlan
 no vlan 3
! vlans are stored in flash:vlan.dat, separate from the config
show flash
delete flash:vlan.dat                ! deletes the vlans (write erase deletes the config, not vlan.dat)
interface fa 0/11
 switchport access vlan 2
 switchport mode access
interface range fastethernet 0/13 - 14
 switchport access vlan 2
 switchport mode access
interface vlan 1
 ip address dhcp
 no shutdown
show dhcp lease
show interfaces vlan 1
show ip default-gateway
show int fa 0/2 switchport           ! trunk configuration; "n-802.1q" means the encapsulation was negotiated
show interfaces trunk                ! which interfaces are in trunk mode
! vlan 1 is created automatically
int fa 1/0/2
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable   ! or switchport mode trunk plus switchport nonegotiate on ports that must never negotiate with an attached host
 switchport trunk native vlan 100    ! default native is 1; use an unused vlan to control vlan hopping
 switchport trunk allowed vlan [add | all | except | none | remove] ...
 switchport trunk allowed vlan 1,100
 switchport trunk allowed vlan except 200
conf t
 vtp mode [server | client | transparent]
 vtp domain DaVTPDomain              ! case sensitive
 vtp password DaPassword             ! case sensitive
 vtp pruning
 vtp version 2
end
! Reset the VTP revision number to 0 before re-adding a switch to a domain: a switch with a higher revision number overwrites the whole domain's vlan database.
! Toggle the mode (vtp mode transparent, then vtp mode server or client) to zero the revision, or delete flash:vlan.dat.
show vtp status
show vlan brief
sh int gigabit 0/1 switchport        ! trunking details
show interfaces trunk                ! which interfaces are in trunk mode

Expected trunk operational mode (DTP negotiation):

SW1 Mode | SW2 Mode | Trunk Formed
---|---|---
access | any | no (access opposite trunk is a misconfiguration - do not use)
trunk | dynamic desirable | yes
trunk | dynamic auto | yes
trunk | trunk | yes
dynamic desirable | dynamic desirable | yes
dynamic desirable | dynamic auto or trunk | yes
dynamic auto | dynamic auto | no (both stay access)

Resulting operational mode (row = this side's admin mode, column = the other side):

admin mode | access | dynamic auto | trunk | dynamic desirable
---|---|---|---|---
access | access | access | do not use | access
dynamic auto | access | access | trunk | trunk
trunk | do not use | trunk | trunk | trunk
dynamic desirable | access | trunk | trunk | trunk
sh interfaces fa 1/0/2               ! status up (L1) / up (L2); down/down (notconnect) = cable not connected at one end, or the other switch port is admin shutdown
show interfaces status               ! connected/notconnect, vlan membership, duplex, speed, port type (e.g. 10/100BaseTX)
clear counters                       ! after fixing the problem
! common issue: one side hardcoded to full duplex, the other on auto. The hardcoded side does not autonegotiate, so the auto side falls back to half duplex - a mismatch.
sh cdp
sh cdp neighbors                     ! Local Intrfce = our egress port, Port ID = the other device's port; cdp version 2 carries the voice vlan for cisco ip phones
sh cdp neighbors detail              ! L3 address, IOS version, native vlan, vtp info
conf t
 no cdp run                          ! turn off cdp globally (it tells anything on the segment the platform, IOS version and addresses)
 cdp run
 no cdp advertise-v2                 ! turns off version 2 - don't
 int fa 1/0/2
  no cdp enable                      ! off for this interface only
show vlan brief                      ! all ports in a vlan
conf t
 int range fa 1/0/15 - 20
  switchport access vlan 100         ! all ports go into vlan 100
 int fa 1/0/10
  switchport access vlan 300         ! if vlan 300 is later deleted the port belongs to no vlan and cannot communicate - reassign it
sh int trunk                         ! make sure things match on both ends, including the native vlan
sh run                               ! look at the interface config
Code | Route source | Default administrative distance
---|---|---
C | Connected interface | 0
L | Local interface | 0
S | Static route | 1 (set higher for a floating/backup route)
D | EIGRP summary route | 5
B | External BGP | 20
D | Internal EIGRP | 90
I | IGRP | 100
O | OSPF | 110
i | IS-IS | 115
R | RIP | 120
E | EGP | 140
o | ODR (On Demand Routing) | 160
D EX | External EIGRP | 170
B | Internal BGP | 200
| Unknown | 255
Router LED | Meaning
---|---
SYS | solid green - router up; blinking green - booting; off - powered off or system board error
Activity | off - not routing; solid or blinking rapidly - packet flow
POE | green - PoE on; amber - PoE off
RPS | green - powered by the external (redundant) power supply
PS | green - power supply powering; amber - not powering
Console | shows which console port is in use
Speed | 1 blink (then pause) = 10, 2 blinks = 100, 3 blinks = 1000
L (link) | green - fast ethernet or gigabit ethernet link; off - no link or 10 Mbps
Router basic config
-------------------
enable / disable                     ! > vs # prompts
sh running-config
sh run | begin line                  ! start the output at the first line matching "line"
wr                                   ! write memory OR copy run start
sh version                           ! IOS version, uptime, where the system image was loaded from, platform, memory (add both numbers), interface types
show ip interface brief              ! summary of interfaces: ip address, status (L1), protocol (L2)
sh interface fa 0/0                  ! or any interface id: ip addr, duplex, speed, 5 minute traff averages
sh ip route                          ! routes including administrative distance
sh cdp neighbors                     ! our interface, the other device and its interface
sh cdp neighbors detail
show cdp entry [devname | *]
sh ipv6 interface brief
conf t
 no cdp run                          ! globally
 int fa0/1
  no cdp enable                      ! this interface only
 hostname DaRtrName
 ip domain-name domainname.com
 no ip domain-lookup                 ! don't try to resolve mistyped commands as hostnames
 username dauser secret dapassword
 enable secret dasecretpw            ! default type 5 (salted MD5). Type 4 (unsalted single SHA-256) is weaker than type 5 despite the longer hash and was withdrawn; use type 8 or 9 on IOS that supports them
 service password-encryption         ! line passwords become type 7 - reversible, not strong
 crypto key generate rsa modulus [360-4096]   ! use 2048 or more
 ip ssh version 2
 ipv6 unicast-routing                ! turn on ipv6 routing
 line vty 0 4
  password DaPassword
  transport input ssh telnet         ! drop telnet unless something genuinely needs it
  exec-timeout 5 30                  ! 5 minutes 30 seconds - default is 10 minutes
 line con 0
  login
  password DaPassword
  logging synchronous                ! redraw the prompt after console log messages
  exec-timeout 0 0                   ! inactivity timer off - default is 10 minutes
 int fa 0/1
  description ipv4 test interface
  ip address 10.5.4.3 255.255.255.0
  ip address 10.7.4.3 255.255.255.0 secondary   ! optional
  no shutdown
 int fa 0/0
  description ipv6 connection to R2
  ipv6 enable                        ! optional: a link-local address is assigned automatically
  ipv6 address 2000::4/64
sh ipv6 int fa 0/0
sh ipv6 interface brief
conf t
 banner login $                      ! $ is the delimiting character
 This is the login banner $
 banner motd $                       ! motd is shown before login; the login banner only appears if a password is needed
 this is the motd banner $
 exit                                ! go out one level
 end                                 ! leave config mode for privileged mode
do show ip int brief                 ! run an exec command from inside config mode
! under the routing process (router ospf / router eigrp ...):
 passive-interface gig 0/0           ! stops hello messages going out gig 0/0 while the gig 0/0 network is still advertised elsewhere
 passive-interface default           ! suppresses hellos on every interface participating in this routing protocol
 no passive-interface gig 0/1        ! then send hellos out this interface only
Router on a stick
int fa0/1.1
 encapsulation dot1q 10              ! 10 is the vlan
 ip addr 192.168.1.1 255.255.255.0
int fa0/1.2
 encapsulation dot1q 20              ! add "native" if this subinterface carries the untagged native vlan
 ip addr 172.16.1.1 255.255.255.0
sh ip route
sh vlans
L3 switch
show vlan
ip routing                           ! enable routing
int vlan 10                          ! this is an SVI
 ip addr 192.168.1.1 255.255.255.0
int vlan 20
 ip addr 172.16.1.1 255.255.255.0
! an ip address cannot be assigned to a switch port without turning off switching on that port:
int fa 1/0/24
 no switchport                       ! make it a routed port
 ip addr 10.1.1.1 255.255.255.252
sh ip int brief
sh interface <interface>             ! queue stats: size/max/total/threshold/drops
clear counters
! runts: ethernet frames < 64 bytes; giants: > 1518 bytes
sh cdp neighbors
sh cdp neighbors detail
no cdp run                           ! turn off cdp globally
int fa0/1
 no cdp enable                       ! turn off on this interface
DHCP client / relay / server
int fa 0/0
 ip address dhcp                     ! interface gets its address from dhcp
int fa 0/0
 ip helper-address 172.17.17.18      ! relay dhcp broadcasts to this server
sh ip int brief
ip dhcp excluded-address 10.1.1.1 10.1.1.20
ip dhcp pool PC
 network 10.1.1.0 255.255.255.0      ! or network 10.1.1.0 /24
 default-router 10.1.1.1
 dns-server 192.168.1.1
sh ip dhcp pool
sh ip dhcp binding
Static NAT
int fa 0/0
 ip nat inside
int fa 0/1
 ip nat outside
ip nat inside source static 10.1.1.100 4.4.4.2
sh ip nat translations

Dynamic NAT (pool) - inside/outside interfaces as above
access-list 1 permit 10.1.1.0 0.0.0.255      ! wildcard mask; inside local addresses allowed to translate
ip nat pool DAPOOLNAME 4.4.4.2 4.4.4.3 netmask 255.255.255.0   ! the range
ip nat inside source list 1 pool DAPOOLNAME
sh ip nat translations

PAT / overload - inside/outside interfaces as above
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 int fa 0/1 overload
sh ip nat translations
NTP
clock set 13:36:00 31 July 2013      ! exec mode, not config mode
clock timezone UTC 0                 ! offset from UTC
ntp master 5                         ! this router is the reference clock, stratum 5
! NTP client - e.g. the first router close to the internet:
ntp server 1.1.1.1
clock timezone PST -8
clock summer-time PDT recurring
show clock
show ntp associations
show ntp status                      ! stratum, reference source; 127.127.1.1 is the local clock pseudo-address of an ntp master
Standard ACL
access-list 1 permit host 10.1.1.101      ! everything else hits the implicit deny at the end
int fa 0/0
 ip access-group 1 in
sh access-lists

Extended ACL (numbered)
access-list 100 permit ip host 10.1.1.101 host 192.168.1.2
access-list 100 permit tcp host 10.1.1.102 host 192.168.1.3 eq www
int fa 0/0
 ip access-group 100 in
sh access-lists

Extended ACL (named)
ip access-list extended DANAME
 permit ip host 10.1.1.101 host 192.168.1.2
 permit tcp host 10.1.1.102 host 192.168.1.3 eq www
int fa 0/0
 ip access-group DANAME in
! edit a named ACL by sequence number - this inserts between 10 and 20 (and in this example shadows the entry at 20):
ip access-list extended DANAME
 15 deny ip any any
show access-lists

Restrict VTY access
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any log
line vty 0 15
 access-class 1 in
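An ACL is only as good as your mental model of first-match and implicit deny. The Python evaluator below is an added example, not part of the original notes: it parses the standard and extended ACL syntax used above (wildcard masks, `host`, `any`, `eq`), orders entries by sequence number, and evaluates packets the way IOS does, stopping at the first match and falling through to an implicit deny. Addresses and ports are the ones from the notes; the `Acl` class and its method names are this example's own.

```python
"""First-match evaluation of IOS-style ACLs with wildcard masks, implicit
deny and sequence-numbered insertion into a named ACL."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "domain": 53}


def wildcard_from_prefix(prefixlen):
    """/24 -> 0.0.0.255: the wildcard is the inverted subnet mask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def matches(addr, base, wildcard):
    """Bits set in the wildcard are 'don't care'; the rest must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_target(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line, seq):
    """'15 permit tcp host 10.1.1.102 host 192.168.1.3 eq www' -> rule dict.
    A leading number overrides the default sequence number."""
    tokens = line.split()
    if tokens[0].isdigit():
        seq = int(tokens.pop(0))
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):      # extended ACL
        proto = tokens.pop(0)
        src, dst = _parse_target(tokens), _parse_target(tokens)
    else:                                               # standard ACL: source only
        proto, src, dst = "ip", _parse_target(tokens), ANY
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


class Acl:
    def __init__(self, lines):
        self.entries = []
        for i, line in enumerate(lines, 1):
            self.add(line, default_seq=i * 10)      # IOS numbers entries 10, 20, 30 ...

    def add(self, line, default_seq=None):
        if default_seq is None:
            default_seq = self.entries[-1]["seq"] + 10 if self.entries else 10
        self.entries.append(parse_ace(line, default_seq))
        self.entries.sort(key=lambda e: e["seq"])   # sequence numbers define the order

    def evaluate(self, src, dst, proto="ip", dport=None):
        """First match wins; no match means the implicit deny at the end."""
        for e in self.entries:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if not matches(src, *e["src"]) or not matches(dst, *e["dst"]):
                continue
            if e["dport"] is not None and e["dport"] != dport:
                continue
            return e["action"]
        return "deny (implicit)"
```

Worth noticing in the test: inserting `15 deny ip any any` into DANAME does exactly what the notes say (it lands between 10 and 20) and therefore also blocks the web traffic that entry 20 was meant to permit. Sequence numbers make editing possible; they do not make the order safe.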
Port hardening
int range fa 0/1 - 24
 shutdown                            ! unused ports
int gig 1/0/1
 switchport port-security maximum 1
 switchport port-security mac-address aaaa.aaaa.aaaa   ! or sticky
 switchport port-security violation protect | restrict | shutdown
! optional: put unused ports in a dead-end vlan
vlan 999
 name NULL_VLAN
int range fa 0/1 - 24
 switchport access vlan 999
! select a non-default native vlan. The native vlan is carried untagged on a trunk.
! vlan hopping attack: reach a device in another vlan without crossing a router.
! double tagging: the attacker sends a frame with two 802.1Q tags, outer = the native vlan, inner = the target vlan.
! the first switch strips the outer (native) tag as it sends the frame untagged onto the trunk; the second switch reads the inner tag and delivers the frame into the target vlan.
! don't put production traffic on the native vlan.
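The double-tagging description above is easier to believe once you see the bytes. This Python example, added here and not part of the original notes, builds a real 802.1Q double-tagged Ethernet frame and traces it through a simplified two-switch path: access-port ingress, trunk egress, trunk ingress on the second switch. The MAC addresses and payload are constructed; the model assumes the first switch accepts a tagged frame on an access port when the tag equals the port's VLAN (behaviour of many platforms, stated here as an assumption), and it ignores everything else a switch does.

```python
"""Build 802.1Q double-tagged frames and trace the VLAN-hopping path across
two switches, with and without a dedicated (unused) native VLAN."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst, src, vlans, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more 802.1Q tags (outermost first).
    Each tag is TPID 0x8100 + 16-bit TCI; we only set the 12-bit VLAN id."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, v & 0x0FFF) for v in vlans)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vlan_id or None, frame with its outermost tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port: the frame belongs to the port's VLAN. Assumption: a tag
    equal to the access VLAN is stripped; any other tag is left as payload."""
    vid, inner = pop_tag(frame)
    return access_vlan, (inner if vid == access_vlan else frame)


def trunk_egress(frame, vlan, native_vlan):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN is tagged."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Trunk ingress: a tagged frame goes to the tagged VLAN, untagged to native."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def double_tag_attack(attacker_vlan, native_vlan, target_vlan):
    """VLAN in which the second switch delivers the attacker's double-tagged frame.
    The attacker sits on an access port in attacker_vlan and sends
    [tag attacker_vlan][tag target_vlan] toward the trunk."""
    frame = build_frame("ffff.ffff.ffff", "0011.2233.4455",
                        [attacker_vlan, target_vlan], b"constructed payload")
    vlan, frame = access_ingress(frame, attacker_vlan)
    on_trunk = trunk_egress(frame, vlan, native_vlan)
    delivered_vlan, _ = trunk_ingress(on_trunk, native_vlan)
    return delivered_vlan
```

The test shows the whole argument: with the attacker's VLAN equal to the trunk's native VLAN the inner tag survives and the frame lands in VLAN 20; move the native VLAN to an unused id and the first switch tags the frame with the attacker's own VLAN, so the second switch delivers it right back into VLAN 1 with the inner tag reduced to harmless payload.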
Channel Mode | On | Auto | Desirable |
---|---|---|---|
On | yes | no | no |
Auto | no | no | yes |
Desirable | no | yes | yes |
int range fa 1/0/1 - 2
 speed auto                          ! needed for mdix auto
 duplex auto
 mdix auto
 channel-group 1 mode desirable      ! PAgP: desirable | auto | on; LACP: active | passive
int port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
port-channel load-balance src-dst-ip
show ip int brief                    ! should list the Port-channel1 interface
show int trunk                       ! should show Po1 with its vlans
show interfaces port-channel 1
show etherchannel summary
show etherchannel port-channel
show etherchannel load-balance       ! which algorithm is in use
Config register / ROMMON
config-register 0x2100               ! boot into rommon
reload
rommon 1 > confreg                   ! config register wizard, asks: change the configuration? enable diagnostic mode? use net in broadcast address? load rom after netboot fails? use all-zero broadcast? break/abort has effect? change console baud rate? change boot characteristics?
rommon 2 > reset
File systems
sh file systems
dir nvram:
show flash:
mkdir outputdir
dir                                  ! flash
cd outputdir
pwd
show ip int brief | redirect flash:int_brief
dir
more int_brief
delete int_brief
cd ..
rmdir outputdir
copy startup-config tftp:            ! prompts for the server, e.g. 192.168.1.1 (tftp is unauthenticated and unencrypted - use it on a management network only)
copy tftp: flash:                    ! fill in details as prompted
show flash:
conf t
 boot system flash:DaFileName        ! and maybe no boot system flash:daotherfilename
reload
sh version
Image name: c2800nm-adventerprisek9-mz.151-4.M6.bin = platform c2800nm, feature set adventerprisek9 (k9 = crypto), mz = runs from RAM and is zip-compressed, IOS 15.1(4)M6

Feature set | Technology packages
---|---
IPBase | IPBaseK9
IP Voice | IPBaseK9+UCK9 |
Adv Security | IPBaseK9+SECK9 |
SP Services | IPBaseK9+DataK9+UCK9 |
Enterprise Base | IPBaseK9+DataK9+UCK9 |
Advanced IP Services | IPBaseK9+DataK9+UCK9 |
Enterprise Services | IPBaseK9+UCK9 |
Advanced Enterprise Services | IPBaseK9+DataK9+UCK9+SECK9 |
show license
license install flash0:<filename>    ! permanent production license
license boot module c2900 technology-package uck9   ! temporary (evaluation) license
reload
license save flash:da_licenses.lic   ! back up the licenses
conf t
 license boot module c2900 technology-package uck9 disable   ! disable, then clear
reload
license clear uck9                   ! clear the installed license
conf t
 no license boot module c2900 technology-package uck9 disable   ! remove from the config
reload
Password recovery (needs physical console access - anyone with the console can do this)
power off the router, power it on, and send the break sequence during boot (see Cisco's "Standard Break Key Sequence Combinations During Password Recovery") to get into ROM monitor mode
rommon 1> confreg 0x2142             ! ignore the startup config on boot
rommon 2> reset
... would you like to enter the initial configuration dialog? [yes/no]: no
! you are now in privileged mode with no password
Router>enable
Router#copy startup-config running-config   ! interfaces come back administratively down - no shutdown them
Router#config t
Router(config)#enable secret cisco
Router(config)#config-register 0x2102       ! normal setting
Router(config)#end
Router#copy running-config startup-config
Route Source | Administrative Distance |
---|---|
Connected | 0 |
Static | 1 |
EIGRP | 90 |
OSPF | 110 |
RIP | 120 |
External EIGRP | 170 |
Unknown | 255 |
sh ip route
sh ip route
sh ip ospf rib                       ! OSPF routing information base
sh ip eigrp topology                 ! successors and feasible successors only
sh ip eigrp topology all-links
! CEF maintains the FIB (forwarding information base: prefix, next hop, interface) and the adjacency table
sh ip cef                            ! the FIB
sh adjacency                         ! interface, neighbor address; built from the arp cache
sh adjacency detail
sh ip arp                            ! address, age (min), hardware addr (mac), type (arpa), interface
rtr#conf t
rtr(config)#ip routing
rtr(config)#ip cef                   ! enable cef
sh ip protocols
show ip int f0/0                     ! shows whether CEF switching is enabled

Checking the IP routing table
sh ip route                          ! codes: D is EIGRP, O is OSPF, O IA is OSPF inter-area, R is RIP, L is local, C is connected
sh ipv6 route
ping / traceroute
sh ip route <destination>
show ip cef exact-route <srcip> <dstip>   ! egress interface and next hop for this pair
sh int f0/0/0                        ! up/down L1, up/down L2, duplex, queue stats, L1 error counters
clear counters
HSRP - Hot Standby Router Protocol (Cisco proprietary, RFC 2281)
Active / standby. The active router sends a hello every 3 seconds; if the standby hears nothing for the hold timer (10 seconds) it concludes the active is gone and becomes active.
HSRPv2 allows timers in milliseconds. The hold timer should be at least 3 times the hello timer.
Election: the router with the highest priority becomes active (default priority 100; a tie is broken by the highest interface IP address).
Tracking lets the router monitor a condition (e.g. an interface going down) and decrement its priority. When the tracked object recovers, the original router stays standby even though it once again has the higher priority; the preempt option must be set for it to reclaim the active role.
HSRP generates a common virtual MAC address for the virtual IP: 0000.0c07.ac0a (0000.0c = cisco OUI, 07.ac = HSRP v1, 0a = group number); v2: 0000.0c9f.f00a (9f.f = HSRP v2, 00a = 12-bit group number).
Multicast: 224.0.0.2 (v1), 224.0.0.102 (v2).
The interface IP address cannot be used as the virtual IP address.
r1
 int f0/0
  standby 10 ip 10.1.1.1             ! 10 is the group number
  standby 10 priority 110
  standby 10 track serial 1/0 20     ! drop priority by 20 if s1/0 goes down
  standby 10 preempt
  standby version 2                  ! needed for sub-second timers
  standby 10 timers msec 100 msec 300   ! hello 100 ms, hold 300 ms
show standby brief
show standby                         ! many details
debug standby terse                  ! hsrp errors, events, packets
r2
 int f0/0
  standby 10 ip 10.1.1.1             ! default priority 100
  standby 10 preempt
  standby version 2
  standby 10 timers msec 100 msec 300
VRRP - Virtual Router Redundancy Protocol (standard, RFC 3768)
Master router and backup routers. The virtual address can be the address of the master's physical interface.
Default advertisement interval 1 second. Supports object tracking. Preempt is enabled by default. Default priority 100; the higher priority becomes master.
Virtual MAC 0000.5e00.01xx (xx = VRID). Multicast 224.0.0.18.
Master_Down_Interval = 3 * Master_Advertisement_Interval + Skew_Time, where Skew_Time = (256 - VRRP_Priority) / 256 seconds (the skew is not set directly; it falls out of the priority).
r1
 int f0/0
  vrrp 10 ip 10.1.1.1                ! 10 is the group number, 10.1.1.1 is the shared gateway address
  vrrp 10 priority 110               ! higher priority is master
show vrrp brief
show vrrp                            ! many details
r2
 int f0/0
  vrrp 10 ip 10.1.1.1
HSRP | VRRP
---|---
Cisco proprietary | Standard
RFC 2281 | RFC 3768
Active router | Master router
Standby router | Backup router
Virtual MAC 0000.0c07.acXX (v1), 0000.0c9f.fXXX (v2) | Virtual MAC 0000.5e00.01XX
Preempt not enabled by default | Preempt enabled by default
Default hello interval: 3 sec | Default master advertisement interval: 1 sec
Default holdtime: 10 sec | Master down interval: 3 * Master_Advertisement_Interval + (256 - VRRP_Priority)/256
224.0.0.2 (v1), 224.0.0.102 (v2) | 224.0.0.18
Cannot use the interface IP address as the virtual IP | Can use the interface IP address as the virtual IP
GLBP - Gateway Load Balancing Protocol (Cisco proprietary FHRP that load balances)
One router is the AVG (Active Virtual Gateway): it answers ARP requests from hosts and assigns virtual MAC addresses to the members of the GLBP group (the AVFs).
All routers in the group are AVFs (Active Virtual Forwarders) and each is standby for the others. Each forwarder keeps its own IP address; the common gateway address is shared.
Redirect time: how long the AVG keeps handing out the virtual MAC of a failed AVF (default 600 sec).
Forwarder time-out: how long a backup AVF keeps accepting frames for the virtual MAC of a failed AVF (default 4 hours).
Default priority 100.
r1
 int f0/0
  glbp 10 ip 10.1.1.1                ! 10 is the group number, 10.1.1.1 is the shared gateway address
  glbp 10 priority 110               ! default is 100
  glbp 10 preempt
  glbp 10 load-balancing round-robin       ! default; OR
  glbp 10 load-balancing host-dependent    ! by host MAC address; OR
  glbp 10 load-balancing weighted          ! in proportion to forwarder weighting
show glbp brief
show glbp
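The virtual MAC addresses, the VRRP timer formula and the election/preempt rules in the HSRP and VRRP notes above are all deterministic, which is handy when you have to recognise gateway traffic in a capture or predict who forwards after a failover. The Python below is an added example, not code from the original notes: it derives the virtual MACs from the group number, computes the VRRP master-down interval, and models the highest-priority election with and without preempt. The router dicts and addresses are constructed.

```python
"""FHRP arithmetic: HSRP/VRRP virtual MAC derivation, the VRRP master-down
interval, and the highest-priority election with and without preempt."""
import ipaddress


def _dotted(mac):
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_vmac(group, version=1):
    """v1: 0000.0c07.acXX (8-bit group); v2: 0000.0c9f.fXXX (12-bit group)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return _dotted(bytes.fromhex("00000c07ac") + bytes([group]))
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 groups are 0-4095")
    return _dotted(bytes.fromhex("00000c9f") + (0xF000 | group).to_bytes(2, "big"))


def vrrp_vmac(vrid):
    """0000.5e00.01XX, XX = VRID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID is 1-255")
    return _dotted(bytes.fromhex("00005e0001") + bytes([vrid]))


def vrrp_master_down_interval(adv_interval, priority):
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    Skew_Time = (256 - Priority) / 256 seconds (RFC 3768)."""
    return 3 * adv_interval + (256 - priority) / 256


def elect(routers):
    """Highest priority wins; a tie goes to the highest interface IP address."""
    return max(routers, key=lambda r: (r["priority"], int(ipaddress.IPv4Address(r["ip"]))))


def active_after_event(current, routers, preempt):
    """Who holds the active/master role after a change. `current` is the router
    holding it now (None if it failed). Without preempt a returning router with
    a higher priority stays standby, as the HSRP notes describe."""
    up = [r for r in routers if r.get("up", True)]
    if current is not None and current in up and not preempt:
        return current
    return elect(up)


def tracked_priority(router, tracked_up, decrement):
    """standby GROUP track IFACE DECREMENT: priority drops while the object is down."""
    base = router["priority"]
    return base if tracked_up else base - decrement
```

The order of the three `active_after_event` calls in the test is the scenario from the notes: r1 loses its tracked serial (110 - 20 = 90) and r2 takes over; r1 recovers but without preempt r2 keeps the role; with preempt r1 reclaims it. The same rule is what makes `standby ... preempt` on an untrusted segment something to think about: whoever advertises the highest priority wins.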
Syslog severity levels (lower number is more severe)
0 emergencies - condition renders the system unusable
1 alerts - condition that requires immediate attention
2 critical - condition that should be addressed to prevent an interruption in service; less severe than alert
3 errors - error condition that does not render the system unusable
4 warnings - an operation failed to complete successfully
5 notifications - change to the system (e.g. a config change)
6 informational - normal system operation
7 debugging - troubleshooting details
terminal monitor                     ! term mon: show log messages on this vty session
logging 192.168.10.10                ! send syslog messages to this host
logging trap notifications           ! send level 5 and lower (more severe) to the syslog host
show logging                         ! logging config and the messages in the router buffer
Syslog message fields:
sequence number - enable with "service sequence-numbers"
timestamp - requires "service timestamps log datetime" (or "uptime")
facility - e.g. %DUAL (eigrp)
severity - one of the 8 values above
mnemonic - abbreviated description of the log message
description - detailed description of the log message
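Anything that leaves the router over `logging trap` is what the SOC actually sees, so it is worth knowing how the message fields above parse and which levels survive the trap threshold. The Python below is an added example, not part of the original notes: it splits IOS-format syslog lines into sequence number, timestamp, facility, severity, mnemonic and description, applies the `logging trap` level, and picks out a few security-relevant mnemonics. The sample lines are constructed for the example (the facility/mnemonic names are real IOS ones, the addresses and times are made up); the `WATCH` set is this example's choice.

```python
"""Parse IOS syslog lines into their fields, apply the 'logging trap'
threshold, and flag security-relevant events."""
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Optional sequence number ('service sequence-numbers'), optional timestamp
# ('service timestamps log datetime [msec]'), then %FACILITY-SEVERITY-MNEMONIC: text
_LINE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]{2,5})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<desc>.*)$"
)

# Facility/mnemonic pairs a detection engineer would alert on (example choice).
WATCH = {("SYS", "CONFIG_I"),
         ("PORT_SECURITY", "PSECURE_VIOLATION"),
         ("SEC_LOGIN", "LOGIN_FAILED")}


def parse(line):
    """Return a dict of fields, or None if the line is not an IOS syslog message."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sev"] = int(d["sev"])
    d["severity"] = SEVERITY[d["sev"]]
    return d


def forwarded_to_collector(messages, trap_level=5):
    """'logging trap notifications' forwards severity <= 5 (numerically lower is more severe)."""
    parsed = (parse(line) for line in messages)
    return [p for p in parsed if p and p["sev"] <= trap_level]


def security_events(messages):
    """Messages whose facility/mnemonic pair is on the watch list."""
    parsed = (parse(line) for line in messages)
    return [p for p in parsed if p and (p["facility"], p["mnemonic"]) in WATCH]


# Constructed sample lines (not from a real device).
SAMPLE = [
    "000123: *Mar  1 00:05:12.345: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.10.5)",
    "000124: *Mar  1 00:05:30.001: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000125: *Mar  1 00:05:31.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "000126: *Mar  1 00:06:00.777: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.",
    "000127: *Mar  1 00:06:10.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22] [Reason: Login Authentication Failed]",
    "000128: *Mar  1 00:06:11.000: %DUAL-6-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (FastEthernet0/0) is up: new adjacency",
]

if __name__ == "__main__":
    for event in security_events(SAMPLE):
        print(event["seq"], event["severity"], event["facility"], event["mnemonic"], event["desc"])
```

Note what `logging trap notifications` drops: the EIGRP neighbour change at level 6 never reaches the collector. If you depend on informational messages for detection, raise the trap level (and expect the volume).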
SNMP
The SNMP manager polls SNMP agents; agents contain MIBs; an OID identifies an element of the MIB. Agents send trap notifications to the manager.
v1 uses community strings (cleartext on the wire). v2c also uses community strings, with more features. v3 adds encryption, integrity checking and authentication services.
Default ports: UDP 161 (agent), UDP 162 (traps).
snmp-server community dapasswrd ro   ! read-only community: anyone who knows it can read config and topology data
snmp-server community daotherpw rw   ! read-write: anyone who knows it can change the config - avoid rw with v1/v2c
snmp-server location da location
snmp-server contact Joe Smith
snmp-server host 192.168.10.10 version 2c CCNA   ! sends traps to this host with community string CCNA
snmp-server enable traps             ! send all traps
show snmp
NetFlow: information about one-way data streams. A web browser session is 2 flows (one per direction), like a CDR in the voice world.
Uses: who are the top talkers, accounting, security, QoS analysis.
What is a flow? Packets sharing all of: 1 source ip address, 2 destination ip address, 3 source port number, 4 destination port number, 5 L3 protocol, 6 ToS/DSCP value, 7 ingress interface.
Example NetFlow collector: LiveAction (http://liveaction.com).
ip flow-export source lo0
ip flow-export version 5
ip flow-export destination 192.168.10.10 9996   ! the port is whatever the collector listens on; 9996 is common but not standard
int f0/0
 ip flow ingress                     ! account for ingress flows
int s1/0
 ip flow ingress
show ip cache flow
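The seven-field flow definition above is the whole of what a collector keys on, so it is worth seeing the aggregation happen. The Python below is an added example, not part of the original notes: it keys constructed packet records on the 7-tuple, accumulates packet and byte counts per flow, and ranks top talkers. The packet list is made up (a short web session plus two DNS queries); `FlowKey` and the function names are this example's own.

```python
"""Aggregate packet records into NetFlow-style flows keyed on the 7-tuple
(src ip, dst ip, src port, dst port, L3 protocol, ToS, ingress interface)
and rank top talkers."""
from collections import defaultdict
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int          # ToS/DSCP byte
    ingress_if: str


def flow_key(pkt):
    """Build the 7-tuple; ports are 0 for protocols without them (e.g. ICMP)."""
    return FlowKey(pkt["src"], pkt["dst"], pkt.get("sport", 0), pkt.get("dport", 0),
                   pkt["proto"], pkt.get("tos", 0), pkt["ifname"])


def build_flows(packets):
    """Return {FlowKey: {"packets": n, "bytes": b}}, one entry per distinct 7-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        f = flows[flow_key(p)]
        f["packets"] += 1
        f["bytes"] += p["length"]
    return dict(flows)


def top_talkers(flows, n=3, by="bytes"):
    """Rank source addresses by total bytes (or packets) across all their flows."""
    totals = defaultdict(int)
    for key, counters in flows.items():
        totals[key.src_ip] += counters[by]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed packet records: one HTTP request/response (two unidirectional
# flows) and two DNS queries from a second host with different source ports.
PACKETS = [
    {"src": "10.1.1.50", "dst": "192.168.10.20", "sport": 51000, "dport": 80, "proto": 6, "ifname": "Fa0/0", "length": 500},
    {"src": "192.168.10.20", "dst": "10.1.1.50", "sport": 80, "dport": 51000, "proto": 6, "ifname": "Se1/0", "length": 1400},
    {"src": "192.168.10.20", "dst": "10.1.1.50", "sport": 80, "dport": 51000, "proto": 6, "ifname": "Se1/0", "length": 1400},
    {"src": "10.1.1.50", "dst": "192.168.10.20", "sport": 51000, "dport": 80, "proto": 6, "ifname": "Fa0/0", "length": 60},
    {"src": "10.1.1.77", "dst": "192.168.10.53", "sport": 40000, "dport": 53, "proto": 17, "ifname": "Fa0/0", "length": 70},
    {"src": "10.1.1.77", "dst": "192.168.10.53", "sport": 40001, "dport": 53, "proto": 17, "ifname": "Fa0/0", "length": 70},
]

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for key, counters in flows.items():
        print(key, counters)
    print("top talkers:", top_talkers(flows))
```

Two things the numbers show: the web session really is two flows because the 7-tuple includes direction (source and destination swap), and the two DNS queries are separate flows only because the client changed its source port. That is also why a scan or a DNS-tunnelling client shows up in NetFlow as a burst of tiny flows rather than one big one.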
MAN (Metropolitan Area Network) / Metro Ethernet: based on Ethernet, typically uses fiber optics, links sites km apart, connects easily to a LAN, less expensive than alternatives (e.g. SONET). Speeds: 10 Gbps (the slowest listed), 40 Gbps, 100 Gbps.

VSAT (Very Small Aperture Terminal): 2-way satellite connectivity via a small dish (< 3 meters); useful for locations that cannot be reached by wire. 56 kbps - 4 Mbps. Delays are greater than expected: the satellite is about 22,300 miles up and typical round-trip delay is around 500 ms. Sensitive to weather conditions.

Cellular: standards defined by the ITU-R (International Telecommunication Union, Radiocommunication Sector). LTE (Long-Term Evolution) is commonly sold as 4G but technically is more like 3.9G; the LTE that actually meets the 4G requirements is LTE Advanced. WiMAX also qualifies as 4G.

MPLS (Multiprotocol Label Switching): makes forwarding decisions based on a 20-bit label inside a 32-bit shim header (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL) inserted between the L2 and L3 headers. Label switching used to be considered faster than IP switching; QoS is usable; a service provider can easily isolate customers based on labels; compatible with multiple protocols.
CPE - customer premises equipment.
ELSR (Edge Label Switch Router) - device at the edge of the MPLS cloud that adds labels to traffic entering the cloud and removes them from traffic leaving it; also known as a PE (Provider Edge) router.
LSR (Label Switch Router) - device inside the MPLS cloud that relabels traffic and makes forwarding decisions based on those labels; also known as a P (Provider) router.

T-carrier: the Nyquist theorem says the sampling rate must be at least 2x the highest frequency, so voice (up to 4 kHz) is sampled 8000 times per second with 8-bit samples (64 kbps per channel). T1: 24 channels x 8 bits per channel + 1 framing bit = 193 bits per frame x 8000 frames/sec = 1.544 Mbps. SF (superframe) = 12 frames, ESF (extended superframe) = 24 frames. CSU/DSU (channel service unit / data service unit) terminates the circuit; an L2 protocol (e.g. PPP or HDLC) runs over it. T1 1.544 Mbps, E1 2.048 Mbps, T3 44.736 Mbps, E3 34.368 Mbps.

ISDN (Integrated Services Digital Network): BRI = 2B+D (D channel 16 kbps). PRI = T1 23B+D; E1 30B+D plus a framing channel (timeslots 1-15 and 17-31 are B, 16 is D, 0 is framing). TE1 - ISDN device (router, ISDN phone); TE2 - non-ISDN device; TA - terminal adapter. Reference points: R - between the terminal adapter and a non-ISDN device (e.g. a PC); S/T - between the NT1 and an ISDN device (router), 4-wire; NT1 (network termination 1) converts 4-wire to 2-wire; U - between the NT1 and the wall jack (a router with a U interface has the NT1 built in).

DSL (Digital Subscriber Line): uses the telephone line for data transmission. ADSL (asymmetric) - commonly used in the home; a filter separates data and phone; terminates on a DSL access multiplexer (DSLAM); max 18,000 feet (the signal is distorted by capacitance build-up; the phone company installs load coils at 18,000 ft intervals to counteract capacitance on voice lines, and those coils block DSL). DSLAM to service provider uses ATM (53-byte cells with 48-byte payload); often DHCP and authentication via PPPoE (PPP over Ethernet). Theoretical max downstream 8 Mbps, upstream 1.544 Mbps. SDSL (symmetric): max speeds vary by provider, commonly just over 11 Mbps; max 12,000 feet. VDSL (very high bit rate): typical 52 Mbps down, 12 Mbps up; max 4,000 feet to the DSLAM.

Frame Relay: L2 WAN technology; frames travel over virtual circuits (VCs) identified by DLCI (Data Link Connection Identifier) numbers. DLCIs are locally significant. SVC - switched virtual circuit, brought up on demand; PVC - permanent virtual circuit, always active. Point-to-point circuit - a single VC interconnecting 2 endpoints, both ends in the same subnet. Point-to-multipoint circuit - connection from one endpoint to 1 or more other endpoints, all in the same IP subnet. SLA (service level agreement) guarantees a service level, the CIR (committed information rate). The DE (Discard Eligibility) bit is set on frames sent in excess of the CIR; the provider can discard them if congestion occurs. BECN (Backward Explicit Congestion Notification) bit is set by the provider to ask the sender to slow down. FECN (Forward Explicit Congestion Notification) bit is set by the provider to ask the receiver to tell the sender to slow down; the receiver sends a Q.922 test frame back to the sender marked with BECN.

Cable: HFC (Hybrid Fiber-Coax) distribution network; typical upstream 5-42 MHz, typical downstream 50-860 MHz. DOCSIS (Data-Over-Cable Service Interface Specification) - standards with different versions specifying the frequency ranges; Euro-DOCSIS is used by many European countries.
VPN
Site-to-site VPN and remote-access VPN.
SSL VPN: option 1 uses a web browser (e.g. Cisco clientless SSL VPN); option 2 uses a software client.
IPsec: confidentiality, data integrity, authentication, anti-replay.
IKE (Internet Key Exchange): phase 1 builds the management (ISAKMP) SA between the peers, the outer tunnel; inside it, phase 2 negotiates the IPsec SAs that actually protect the data, the inner tunnel.
IPsec alone carries unicast only; a GRE tunnel is often run inside it so multicast/broadcast (routing protocols) can cross - the GRE packet itself is unicast.
GRE tunnel (repeat on both routers, mirroring source and destination):
int tunnel 1
 tunnel source 10.1.1.1
 tunnel destination 10.1.1.2
 ip addr 172.16.1.1 255.255.255.252
sh ip int brief
sh int tunnel 1
! plain GRE has no encryption or authentication; protect it with IPsec if it crosses an untrusted network
Typical WAN connectors: V.35, DB-60, Smart Serial (2 connectors on a WIC), EIA/TIA-232 (25-pin D connector, 64 kbps for short distances).
HDLC is the default L2 protocol on Cisco serial links; Cisco uses a proprietary variant.
DCE (Data Communications Equipment) - the end of the serial cable that provides clocking. DTE (Data Terminal Equipment) - the end that receives clocking.
show controllers s1/0                ! shows DTE vs DCE
show ip int brief
show int s0/0
int s0/0
 ip addr 10.1.1.1 255.255.255.252
 bandwidth 500                       ! kbps; not the clock speed - used as a routing metric and by QoS
 no shut
int s0/1                             ! DCE end
 ip addr 10.1.1.2 255.255.255.252
 bandwidth 500
 clock rate 500000                   ! bits per second = 500 kbps
 no shut
PPP: L2 encapsulation commonly used on leased lines. Supports authentication, compression, error checking and correction, and logical multilink interfaces.
PAP (Password Authentication Protocol): one-way authentication, username and password sent in clear text.
CHAP (Challenge Handshake Authentication Protocol): three-way handshake (challenge, response, success/failure); the response is an MD5 hash over the identifier, the shared secret and the challenge, so the password itself never crosses the link; can authenticate in both directions; the better option.
Compression: use hardware compression if possible.
Multilink interfaces show up as a virtual interface.
LCP (Link Control Protocol): used by PPP to set up, maintain and tear down the connection.
NCPs (Network Control Protocols): negotiate the configuration of each protocol carried over the PPP link.
PAP server config (server side of one-way auth)
-----------------------------------------------
username dausername password dapassword
int s0/0
 encap ppp
 ppp authentication pap
PAP client config (client side of one-way auth)
-----------------------------------------------
int s0/1
 encap ppp
 ppp pap sent-username dausername password dapassword
show ip int brief
show int s1/0                        ! shows the encapsulation and which NCPs are open
debug ppp authentication

CHAP (the username is the OTHER router's hostname; the password must match on both sides)
on r1
-----
username R2 password daotherpass
int s0/2
 encap ppp
 ppp authentication chap
on r2
-----
username R1 password daotherpass
int s1/2
 encap ppp
 ppp authentication chap
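Why the notes prefer CHAP over PAP is clearest when you look at what each puts on the wire. The Python below is an added example, not part of the original notes: it runs a CHAP three-way handshake (challenge, MD5 response per RFC 1994, verify) between an authenticator holding a `username R2 password ...` entry and a peer, beside a PAP request, and returns what a sniffer on the serial link would capture in each case. Hostnames and secrets are the constructed ones from the config above; the class and function names are this example's own.

```python
"""PPP authentication on the wire: CHAP three-way handshake versus PAP."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Router with 'ppp authentication chap' and 'username <peer> password <x>' entries."""

    def __init__(self, users):
        self.users = dict(users)          # peer hostname -> shared secret
        self.pending = {}                 # identifier -> outstanding challenge

    def challenge(self, identifier):
        """Step 1: send a fresh random challenge tagged with an identifier."""
        c = os.urandom(16)
        self.pending[identifier] = c
        return c

    def verify(self, identifier, peer_name, response):
        """Step 3: recompute the expected hash; each challenge is usable once."""
        challenge = self.pending.pop(identifier, None)
        secret = self.users.get(peer_name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret.encode(), challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(authenticator, peer_name, peer_secret, identifier=1):
    """Run the handshake; return (success, what the link carried)."""
    c = authenticator.challenge(identifier)                       # Challenge
    r = chap_response(identifier, peer_secret.encode(), c)        # Response (step 2)
    ok = authenticator.verify(identifier, peer_name, r)           # Success / Failure
    return ok, {"challenge": c.hex(), "name": peer_name, "response": r.hex()}


def pap_exchange(authenticator_users, peer_name, peer_secret):
    """PAP Authenticate-Request: username and password in clear text."""
    wire = {"peer-id": peer_name, "password": peer_secret}
    ok = authenticator_users.get(peer_name) == peer_secret
    return ok, wire
```

The test asserts the shared secret never appears in the CHAP capture but is the PAP capture, and that replaying a captured CHAP response fails because the challenge was consumed. CHAP's remaining weakness is also visible: the secret must be stored in recoverable form on both routers (`username R2 password ...`), which is why those lines end up as type 7 at best.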
Compression
int s1/0
 compress stac                       ! or predictor or mppc (mppc is Microsoft's)
show compress

Error detection and correction (does not play nice with multilink)
int s1/0
 ppp reliable-link
sh int s1/0                          ! if a LAPB section shows up, error detection and correction is on

Multilink (does not play nice with error detection and correction)
int multilink 1
 ip addr 10.1.1.1 255.255.255.252
 ppp multilink
int s1/0
 no ip addr
 ppp multilink group 1
int s1/1
 no ip addr
 ppp multilink group 1
sh ip int brief
Frame Relay configuration
LMI (Local Management Interface) - signaling between the Frame Relay router and the Frame Relay switch.
PVC status: active - connection info is being exchanged on both sides; inactive - local router to FR switch is good, far-end router to its FR switch is not; deleted - local router to FR switch is not good.
Inverse ARP - lets the FR router learn the L3 address at the far end of a DLCI (the L2 address).
Frame Relay is non-broadcast by nature, so routing protocols need the "broadcast" keyword on the mapping. Additional DLCIs or static mappings are needed for a full mesh; a full mesh of n sites needs n*(n-1)/2 links.
int s1/0
 encap frame-relay
 frame-relay lmi-type [cisco | ansi | q933a]
 frame-relay map ip 10.1.1.2 301 broadcast   ! to reach 10.1.1.2 use DLCI 301, even if not directly connected; a static map disables inverse ARP on the interface, so map every neighbor
show frame-relay pvc
show frame-relay map                 ! which IPs are reachable over which DLCI

Point-to-point subinterfaces (don't rely on inverse ARP)
-------------------------------------------------------
interface Serial1/0
 no ip addr
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay lmi-type ansi
int Serial1/0.102 point-to-point
 ip addr 10.1.1.1 255.255.255.0
 frame-relay interface-dlci 102
 ip ospf network point-to-point      ! set the routing protocol network type
int Serial1/0.103 point-to-point
 ip addr 10.1.2.1 255.255.255.0
 frame-relay interface-dlci 103
 ip ospf network point-to-point
ip route 0.0.0.0 0.0.0.0 Serial1/0.102

Multipoint subinterface (also called point-to-multipoint) - helps with mesh and split-horizon scenarios
-------------------------------------------------------------------------------------------------------
interface Serial1/0
 no ip addr
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay lmi-type ansi
int Serial1/0.1 multipoint
 ip addr 10.1.1.1 255.255.255.0
 frame-relay map ip 10.1.1.3 103 broadcast
 frame-relay map ip 10.1.1.2 102 broadcast
PVC identified by VPI/VCI VPI - Virtual Path Identifier VCI - Virtual Channel Identifier