Pick up Spanning Tree again at part II (MSTP outside a region) at http://blog.internetworkexpert.com/2008/09/24/mstp-tutorial-part-ii-outside-a-region/
Table of Contents
BGP
- TCP Port 179
- Learns multiple paths via internal and external BGP speakers; picks the best path.
- Best path sent to external BGP neighbors.
- iBGP
works across the internal backbone (e.g. between edge eBGP routers?).
Needs to be fully meshed (iBGP speakers do not pass on iBGP-learned info from other speakers).
- Peer with the loopback address (addr never goes down)...
- eBGP
used to exchange prefixes with other ASes
- Filter (prefix-list) prefixes sent/received...
- Question
- Apricot2004-BGP00 pg 57&58 - why is the network the same for both AS 100 and AS 101?
- Router ID
- usually highest IP addr on router or loopback IP addr. Can
be manually set.
- Some IOS basics
- prefix-lists - to filter prefixes
- filter-lists - to filter on ASNs (AS paths)
- route-maps - to apply policy (can be used for filtering...)
Attributes
- Next Hop
- well-known mandatory - eBGP: addr of the external neighbor; iBGP: the next hop learned from eBGP is carried unchanged, so for iBGP use own addr (e.g. loopback addr - neighbor <ipaddr> next-hop-self)
- recursive route lookup via the IGP
- Origin
- well-known mandatory - where the prefix comes from - IGP (generated by network statement), EGP (route learned by eBGP), incomplete (redistribution of another routing protocol)
- AS-Path
- well-known mandatory - sequence of ASes a route has traversed
- 180.10.0.0/16 300 200 100 - to get to 180.10/16 go through AS 300, then 200, then 100.
- Aggregator
- IP addr of the rtr that generated the aggregate addr
- Local preference
- used between iBGP peers to determine the path used to exit the AS. Highest local preference wins for outbound traffic.
- MED (Multi-Exit Discriminator)
- optional nontransitive - used between eBGP peers. Tells external BGP peers the preferred path into the AS when there are multiple paths into the AS. Lowest value is preferred. Default value is 0.
- Weight
- assigned locally on the router to specify the preferred path if multiple paths exist out of the rtr to a dest. Not really an attribute.
- neighbor <ipaddr> weight 100 - apply weight to all routes from a neighbor
- neighbor <ipaddr> filter-list 3 weight 100 - apply weight to the routes from a neighbor that match filter-list 3
- RPF
- Reverse Path Forwarding - check that packets arrive on the interface I would use to route back to their source...check for spoofing...Multicast RPF, uRPF (unicast RPF)
- Community
- group of destinations that share some common attribute. Common format is <local-ASN>:xx. Well-known communities include:
- internet - default, all rtrs belong
- no-export - don't advertise route to eBGP peers
- no-advertise - don't advertise route to any peer.
- local-as - don't advertise to peers outside of the local AS
Community example
router bgp 10
neighbor 20.20.1.1 remote-as 20
neighbor 20.20.1.1 send-community
neighbor 20.20.1.1 route-map dacommunity out
!
route-map dacommunity permit 10
match ip address prefix-list dontannounce
set community no-export
!
ip prefix-list dontannounce permit 192.168.0.0/16
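The attribute order above (weight, local preference, AS-path length, origin, MED) as a working selection function, added here as an example and not taken from the APRICOT slides. The MED rule (compared only between paths entering via the same neighboring AS) and the eBGP-over-iBGP and lowest-router-ID tie-breakers are assumptions the notes do not spell out; the candidate paths are constructed.

```python
from dataclasses import dataclass

# Origin codes ranked as BGP prefers them: IGP < EGP < incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One candidate route to a prefix with the attributes the notes cover."""
    next_hop: str
    as_path: list
    origin: str = "igp"
    local_pref: int = 100      # highest wins (iBGP, outbound)
    med: int = 0               # lowest wins (eBGP, inbound)
    weight: int = 0            # highest wins, local to this router
    from_ebgp: bool = True
    router_id: str = "0.0.0.0"


def _ip_key(addr):
    return tuple(int(o) for o in addr.split("."))


def prefer(a, b):
    """Return (winner, deciding_step) for two paths to the same prefix."""
    # (step name, key where a smaller value is better)
    steps = [
        ("weight", lambda p: -p.weight),
        ("local_pref", lambda p: -p.local_pref),
        ("as_path", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ]
    for name, key in steps:
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), name
    # Assumption: MED is only compared when both paths enter via the same
    # neighboring AS (the first AS in the AS-path).
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.from_ebgp != b.from_ebgp:
        return (a if a.from_ebgp else b), "ebgp_over_ibgp"
    if a.router_id != b.router_id:
        return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), "router_id"
    return a, "tie"


def best_path(paths):
    """Run the pairwise comparison over all candidates; returns the winner."""
    best = paths[0]
    for p in paths[1:]:
        best, _ = prefer(best, p)
    return best


# Constructed sample: four ways to reach 180.10.0.0/16 as seen on one router.
CANDIDATES = [
    Path("10.1.1.1", [300, 200, 100], router_id="1.1.1.1"),
    Path("10.1.2.1", [400, 100], router_id="2.2.2.2"),
    Path("10.1.3.1", [300, 200, 100], local_pref=200, from_ebgp=False, router_id="3.3.3.3"),
    Path("10.1.4.1", [300, 200, 100], med=50, router_id="4.4.4.4"),
]

if __name__ == "__main__":
    for p in CANDIDATES:
        print(p.next_hop, "as_path", p.as_path, "lp", p.local_pref, "med", p.med)
    print("best:", best_path(CANDIDATES).next_hop)
```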
Route Filter Lists examples
router bgp 20
neighbor 20.20.1.1 remote-as 21
neighbor 20.20.1.1 prefix-list INCOMING in
neighbor 20.20.1.1 prefix-list OUTGOING out
!
ip prefix-list INCOMING deny 21.10.0.0/16
ip prefix-list INCOMING permit 0.0.0.0/0 le 32
ip prefix-list OUTGOING permit 21.6.0.0/16
---
router bgp 10
neighbor 22.20.1.1 remote-as 21
neighbor 22.20.1.1 filter-list 5 out
neighbor 22.20.1.1 filter-list 6 in
!
ip as-path access-list 5 permit ^20$
(matches an AS path that contains only AS 20)
ip as-path access-list 6 permit _15_
(matches any AS path that has AS 15 in it)
Route Map examples
router bgp 10
neighbor 10.10.10.10 route-map INBOUND in
!
route-map INBOUND permit 11
match ip address prefix-list pref1
set local-preference 90
!
route-map INBOUND permit 22
match ip address prefix-list pref2
set local-preference 80
!
ip prefix-list pref1 permit 10.0.0.0/8
ip prefix-list pref2 permit 20.0.0.0/8
Additional Capabilities
http://www.iana.org/assignments/capability-codes
Route Refresh
Router re-sends, or asks the peer to re-send, all routes without tearing down the neighbor relationship
clear ip bgp a.b.c.d in/out
Soft Reconfiguration
Question - Why would I do this?
Pg 117 - stores prefixes received from the peer prior to policy application.
router bgp 10
neighbor 10.10.10.10 remote-as 20
neighbor 10.10.10.10 route-map dafilter in
neighbor 10.10.10.10 soft-reconfiguration inbound
clear ip bgp 10.10.10.10 soft in/out
Peer Groups
Group of BGP neighbors that all get the same set of items (policy/updates) from this router.
- Less configuring and less processing on this router for outbound updates...
router bgp 10
neighbor dapeergrp peer-group
neighbor dapeergrp remote-as 10
neighbor dapeergrp update-source loopback 0 (force the source to be the loopback)
neighbor dapeergrp send-community (group destinations with common attr)
neighbor dapeergrp route-map outfilter out (use outfilter - not shown)
neighbor 10.10.10.10 peer-group dapeergrp (put 10.10.10.10 in peer-group)
neighbor 20.20.20.20 peer-group dapeergrp (put 20.20.20.20 in peer-group)
neighbor 20.20.20.20 route-map infilter in (apply infilter to msgs from 20.20.20.20)
neighbor 30.30.30.30 peer-group dapeergrp
BGP Nexthop (NBMA)
When a route is advertised over NBMA (like frame relay) as if it were broadcast media, but one of the paths does not exist (e.g. no PVC), sometimes you have to do a
neighbor a.b.c.d next-hop-self
in order to make the route go through the router that has the PVC(s) set up.
go to http://www.ittc.ku.edu/EECS/EECS_800.ira/bgp_tutorial/14.html - search for BGP Nexthop (NBMA).
Route Flap Dampening
RFC2439
Minimize route down/up (WITHDRAW/UPDATE) churn and the corresponding routing propagation/CPU waste
router bgp <as-number>
bgp dampening <half-life-time> <reuse-value> <suppress-limit> <max-suppress-time>
After a flap, the penalty goes up by (default) 1000.
- When it gets to suppress-limit, route propagation is suppressed.
- Falls (exponentially) based on half-life and reuse-value.
- Route propagation restarts when the penalty reaches reuse-value.
- When penalty < 1/2 reuse-value, penalty set to 0 (?)
- half-life-time
- amount of time for the penalty to get back to reuse-value. default 15 min.
- reuse-value
- value the penalty needs to fall to in order to have the route re-advertised. Default is 750.
- suppress-limit
- value of the penalty at which the route will be suppressed. Default is 2000.
- maximum-suppress-time
- max duration to suppress a stable route. Default is 4 times the half-life, or 60 min.
recommendations for ISPs http://www.ripe.net/docs/ripe-229.html
max-penalty = reuse-limit x 2 ^ (max-suppress-time / half-life)
bgp dampening 30 750 3000 60
is bad because
max-penalty = 750 x 2 ^ (60/30) = 750 x 4 = 3000
penalty will never pass 3000, thus will never suppress routes
make sure suppress-limit is less than max-penalty, otherwise no flap dampening
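The penalty arithmetic above as runnable code, added here as an illustration (not from the RIPE document or the IOS implementation): it checks a `bgp dampening` tuple against max-penalty and walks a constructed series of flaps through the exponential decay. Times are minutes, as in the IOS command; the +1000 per flap and the suppress-once-the-penalty-exceeds-the-limit rule are the ones stated in the notes.

```python
import math

FLAP_PENALTY = 1000  # default penalty added per flap (from the notes above)


def max_penalty(half_life, reuse, max_suppress):
    """Ceiling the penalty can reach: reuse-limit x 2^(max-suppress-time / half-life)."""
    return reuse * 2 ** (max_suppress / half_life)


def config_is_effective(half_life, reuse, suppress, max_suppress):
    """A route can only ever be suppressed if the suppress limit is below max-penalty."""
    return suppress < max_penalty(half_life, reuse, max_suppress)


def decay(penalty, minutes, half_life):
    """Exponential decay: the penalty halves every half-life minutes."""
    return penalty * 2 ** (-minutes / half_life)


def reuse_after(penalty, reuse, half_life):
    """Minutes until a penalty decays down to the reuse value."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def simulate(flap_times, half_life, reuse, suppress, max_suppress):
    """Apply a list of flap times (minutes, ascending) to one route.

    Returns a list of (time, penalty, suppressed) after each flap.  The
    penalty is capped at max-penalty; the route is suppressed once the
    penalty exceeds suppress-limit and stays suppressed until it has
    decayed back down to reuse-value.
    """
    cap = max_penalty(half_life, reuse, max_suppress)
    penalty, last, suppressed, history = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = decay(penalty, t - last, half_life)
        last = t
        if suppressed and penalty <= reuse:
            suppressed = False
        penalty = min(penalty + FLAP_PENALTY, cap)
        if penalty > suppress:
            suppressed = True
        history.append((t, round(penalty, 1), suppressed))
    return history


if __name__ == "__main__":
    # "bgp dampening 30 750 3000 60" from the RIPE example: max-penalty == suppress-limit
    print("30 750 3000 60 effective:", config_is_effective(30, 750, 3000, 60))
    # IOS defaults from the notes: 15 min half-life, reuse 750, suppress 2000, max 60 min
    for row in simulate([0, 1, 2], 15, 750, 2000, 60):
        print(row)
```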
Selective/variable dampening
bgp dampening [route-map <name>]
route-map <name> permit 10
match ip address prefix-list DALIST
set dampening [<half-life-time> <reuse-value> <suppress-limit> <max-suppress-time>]
ip prefix-list DALIST permit 192.168.0.0/16 le 24
(accept prefix 192.168.0.0/16 with mask lengths up to 24 bits)
QUESTION - EXPLAIN LE ABOVE - THOUGHT MASK LENGTH WAS DESIGNATED WITH <ipaddr>/<masklength>
http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfbgp1.html#ip_prefix-list
recommendations for ISPs - http://www.ripe.net/docs/ripe-210.html
show ip bgp neighbor <a.b.c.d> [dampened-routes | flap-statistics]
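How `le`/`ge` change what an `ip prefix-list` entry matches, as an added example (not from the Cisco reference linked above): the prefix supplies the network bits to match, `ge`/`le` bound the mask length of the route being checked, an entry with neither is an exact match, and the end of the list is an implicit deny. The DALIST and INCOMING lists are the ones from the notes; the parsing of the line format is my own.

```python
import ipaddress


def parse_entry(line):
    """Parse one 'ip prefix-list NAME [seq N] permit|deny PFX [ge G] [le L]' line."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list line: " + line)
    name, rest = tok[2], tok[3:]
    seq = None
    if rest[0] == "seq":
        seq, rest = int(rest[1]), rest[2:]
    action, pfx, opts = rest[0], ipaddress.ip_network(rest[1]), rest[2:]
    ge = le = None
    for key, val in zip(opts[::2], opts[1::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    if (ge is not None and ge < pfx.prefixlen) or \
       (le is not None and le < (ge if ge is not None else pfx.prefixlen)):
        raise ValueError("ge/le must not be shorter than the prefix: " + line)
    return {"name": name, "seq": seq, "action": action, "prefix": pfx, "ge": ge, "le": le}


def entry_matches(entry, route):
    """True if the route's network bits fall inside entry['prefix'] and its mask
    length lies in the range the entry allows."""
    net = ipaddress.ip_network(route)
    pfx = entry["prefix"]
    if net.version != pfx.version:
        return False
    lo = entry["ge"] if entry["ge"] is not None else pfx.prefixlen
    if entry["le"] is not None:
        hi = entry["le"]
    elif entry["ge"] is not None:
        hi = net.max_prefixlen         # 'ge' alone: anything up to /32 (or /128)
    else:
        hi = pfx.prefixlen             # no ge/le: exact match only
    return lo <= net.prefixlen <= hi and net.network_address in pfx


def evaluate(prefix_list, route):
    """First matching entry decides; an empty or exhausted list is an implicit deny."""
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"


# The two lists from the notes above.
DALIST = [parse_entry("ip prefix-list DALIST permit 192.168.0.0/16 le 24")]
INCOMING = [parse_entry("ip prefix-list INCOMING deny 21.10.0.0/16"),
            parse_entry("ip prefix-list INCOMING permit 0.0.0.0/0 le 32")]

if __name__ == "__main__":
    for route in ["192.168.0.0/16", "192.168.1.0/24", "192.168.1.0/25", "10.0.0.0/8"]:
        print("DALIST", route, evaluate(DALIST, route))
    # Note the deny without le only blocks the exact /16; 21.10.1.0/24 still gets in.
    for route in ["21.10.0.0/16", "21.10.1.0/24", "0.0.0.0/0"]:
        print("INCOMING", route, evaluate(INCOMING, route))
```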
Route Reflectors
reduce the number of required mesh links between iBGP peers.
- route-reflector sends/receives routes to client routers and any other routers.
- route-reflector (RR) and clients form a cluster. All client routers in the cluster peer with the RRs within the cluster.
- RRs also peer with all other RRs in the internetwork
- a cluster can have more than one RR, but not totally recommended...
- cluster-id added to the update (usually router-id (addr or loopback))
- a router may be a client of RRs in different clusters for redundancy purposes
- suggested placing RRs in line with the phys topology (e.g. core routers for a PoP)
router bgp 10
neighbor 1.1.1.2 remote-as 10
neighbor 1.1.1.3 remote-as 10
neighbor 1.1.1.3 route-reflector-client
neighbor 1.1.1.4 remote-as 10
neighbor 1.1.1.4 route-reflector-client
...
Confederations
Smaller private ASes, with the entire group assigned a confederation ID.
- Another method to reduce the iBGP mesh.
- rtrs within a private AS in full iBGP mesh.
- eBGP between private ASes.
- only the main AS number is seen by external ASes.
- AS-Sequence may show up with parens for the private part (e.g. (65004 65001) 100)
- LOCAL_PREF, MED and NEXT_HOP preserved with external peers (outside the private AS)
QUESTION - WHAT is 1 in first network list on pg 152
router bgp 20
bgp confederation identifier 100 (external AS seen for whole group)
bgp confederation peers 10 (in subgroup 10)
neighbor 1.1.1.1 remote-as 10
neighbor 1.1.1.2 remote-as 20 (peering with rtr in subgroup 20)
neighbor 1.1.1.5 remote-as 20
Multihoming
- Can be an issue because the typical RIR min alloc is /20; longer prefixes may not be propagated.
- 'Don't do it unless consequences understood and you are prepared to keep list current' - from APRICOT2004-BGP01.pdf pg23. ???
- For a regular stub network - no BGP, ISP advertises the stub network
- For a multi-homed stub network (one ISP) - use BGP to loadshare, private AS, ISP advertises the stub net
- For a multi-homed network with 2+ ISPs -
Preparing
- Multihomed to 2 ISPs needs an AS number to be applied for.
- Decide on and deploy an IGP (OSPF or ISIS). QUESTION - Deployed between ISP and Customer?
- Configure iBGP to run on the routers in the local network which will be the transit path to external connections.
- full or partial iBGP route mix?
- scaling technique (peer-groups, RRs, communities)
- Deploy iBGP with a distance greater than the IGP distance
- install customer prefixes into iBGP
- Make iBGP dist < IGP...does the network still work?
- withdraw cust prefixes from the IGP
Plan/Implement to same ISP
QUESTION - What does null0 do? pg63 apricot01
Plan/Implement to Different ISPs
- Use a public AS, or a private AS agreed to with the other ISP
- Addr space comes from both upstreams or the Regional Internet Registry (RIR)
- AS will appear to come through the ISPs' public ASes. Acceptable. Show inconsistent-as with show ip bgp inconsistent-as
- 1 link primary, 2nd link backup
- announce aggregate prefix (e.g. /19) on each link, one with longer AS PATH (prepend)
- with loadsharing
- announce aggregate (e.g. /19) on each link.
- split and announce one split on each link (e.g. /20).
- similar config to 'same ISP - with loadsharing' above
- with more controlled loadsharing
- link 1 - announce aggregated prefix
- link 2 - announce aggregated prefix with longer AS PATH, announce 1 sub prefix.
- vary sub-prefix size and AS PATH length.
- this example is more commonplace
NOTE: typical RIR min alloc is /20. Announced subprefixes may not be reachable.
QUESTION - is there any way to loadbalance longer subprefixes across multiple ISPs?
Service Provider Multihoming
- 1 upstream, 1 local peer - connect to upstream transit provider, and to local competitor to keep local traffic local
- announce aggregate prefix on each link, accept default route only from upstream, accept all routes from local peer
- 1 upstream, local exchange point - connect to upstream transit provider, and to local exchange point to keep local traffic local
- announce aggregate prefix on each link, accept default route only from upstream, accept all routes from IXP (Internet Exchange Point)
- 2 upstreams, 1 local peer
- connect to both upstream transit providers for external redundancy and diversity (multihoming), connect to local peer to keep local traffic local
- announce aggregate on each link, accept default route only from upstreams, accept all routes from local peer - not useful in practice, especially for international links - loadsharing is weak
- better configuration - accept default from one upstream and partial routes from the other upstream
- partial routes - carry only the routes necessary for loadsharing, filter on AS paths.
- if upstreams do not announce a default route, use the IGP to propagate a default from the edge/peering rtrs
- 2 tier1 upstreams, 2 regional upstreams, local peers
- announce aggregate on each link, accept partial/default routes from upstreams, accept all routes from local peers, accept all partial routes (things via their AS, and default at higher (backup) value) from regional upstreams
Internet Data Center (IDC) Multihoming
- For local peers - accept all routes in, announce all address space out
- For upstream ISPs -
- IN - accept partial routes from one ISP with default set to lower local-preference. Accept higher local-pref default route from the other.
- OUT - to one, send subprefix, and regular prefix with AS-PATH prepend of 1 AS. To the other, send regular prefix, and send subprefix with AS-PATH prepend of 1 AS.
QUESTION - pg 165 Apricot01, What?
Communities - loadsharing/backup on multiple inter-AS links
RFC1998 - describes using BGP communities to determine local-preference in the upstream's network
Community values with particular meanings (from an ISP perspective(?)) (taken from the APRICOT2004-BGP00.pdf presentation):
Community | Upstream action | Meaning
ASx:100 | set local pref 100 | preferred route
ASx:90 | set local pref 90 | backup route if dualhomed on ASx
ASx:80 | set local pref 80 | main link is to another ISP with same AS path length
ASx:70 | set local pref 70 | main link is to another ISP
QUESTION - pg 179 APRICOT01 - Why is there a (2nd) route-map routerD-out permit 20 in addition to the 10
2 links to same ISP - primary, backup
- Announce aggregate prefix on each link
- primary - standard
- backup - community
- customer sets community, ISP sets local preference based on community match (coming from customer)
- more complicated than local preference and MEDs, but scales better
Move somewhere else
- default-originate
- send this router as the default route (move this somewhere else)
- IRR (Internet Routing Registry) - large distributed repository storing info on subnets, AS#s, BGP routing policies, etc. Maintained on a voluntary basis; inconsistent and/or out of date...(?)
ISP use of communities - examples
- suggested: state public policy in the IRR
- use communities to give policy control to customers; reduces tech support burden and misconfig likelihood
Start at slide 192 in APRICOT01
General Switching
Hierarchical Network Model
- Core
- Distribution
- routing to local vlans happens here
- Access
Benefits
- Scalability
- Redundancy
- Performance
- Security
- Manageability
- Maintainability
Principles to stay aware of
- Network Diameter - (e.g. ethernet L2 limit is 8 or timers start getting out of sync)
- Bandwidth Aggregation
- Redundancy
Switch Types
- Fixed config
- Stackable
- Modular (like a 6500 w/ cards)
Spanning Tree
Taken from
http://en.wikipedia.org/wiki/Spanning_tree_protocol
http://blog.internetworkexpert.com/2008/07/27/mstp-tutorial-part-i-inside-a-region/
http://blog.internetworkexpert.com/2008/09/24/mstp-tutorial-part-ii-outside-a-region/
STP
- IEEE 802.1d/802.1t
- all vlans use the same STP (common spanning tree) CST
- spanning-tree multicast MAC address 01-80-C2-00-00-00
- BPDU sent every 2 seconds
- 802.1D States
- Algorithm:
- Select a root bridge
- bridge with the lowest bridge ID
- bridge ID contains a unique ID (e.g. mac addr) and a configurable prio #
- prio is compared first. lowest wins. range 0-61440, default 32768
- If prios are equal, MAC addrs compared....(lowest wins)
- Determine least cost paths to the root bridge
port states - draw picture/graph calculating states
Role | Description
Root Port | port on a non-root bridge closest to the root bridge in terms of cost
Designated Port | port on a net segment closest to the root bridge in terms of cost
Non-designated port | ports that block traffic in order to preserve a loop-free L2 topology
Disabled Port | port that is administratively shut down
- each bridge determines the cost of each possible path from itself to the root and picks the one with the smallest cost. The port connecting to that path becomes the root port
- bridges on a net segment figure out which bridge has the least cost path from the segment to the root. The port in question becomes the designated port for the segment
- Any port that is not a root or designated port can be blocked.
- tie breakers
- If multiple paths from a bridge are least-cost, the bridge uses the neighbor bridge with the lower bridge ID. This becomes the root port.
- If multiple paths from a segment lead to a least-cost path, the lower bridge ID is used to forward msgs to the root. The port attaching that bridge becomes the designated port.
- finally the lowest port priority is used.
Data rate | STP Cost (802.1D-1998) | STP Cost (802.1t-2001)
4 Mbit/s | 250 | 5,000,000
10 Mbit/s | 100 | 2,000,000
16 Mbit/s | 62 | 1,250,000
100 Mbit/s | 19 | 200,000
1 Gbit/s | 4 | 20,000
2 Gbit/s | 3 | 10,000
10 Gbit/s | 2 | 2,000
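Root-bridge election, root path cost and port roles over the tie-breakers and the 802.1D-1998 cost table above, as an added example (not from the Wikipedia article or any switch's code). It assumes point-to-point links only, so every link is its own segment, and uses small integer port numbers as the final tie-breaker; the three-switch triangle is constructed.

```python
import heapq
from math import inf

# 802.1D-1998 path costs from the table above, keyed by link speed in Mbit/s.
STP_COST_1998 = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 2000: 3, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID compares on priority first, then MAC address; lowest wins."""
    return (priority, int(mac.replace(":", "").replace("-", "").replace(".", ""), 16))


class Topology:
    def __init__(self, bridges):
        # bridges: {name: (priority, mac)}
        self.bid = {n: bridge_id(p, m) for n, (p, m) in bridges.items()}
        self.links = []  # (bridge_a, port_a, bridge_b, port_b, cost)

    def add_link(self, a, port_a, b, port_b, speed_mbps):
        self.links.append((a, port_a, b, port_b, STP_COST_1998[speed_mbps]))

    def elect_root(self):
        return min(self.bid, key=self.bid.get)

    def root_path_costs(self, root):
        """Least cost from every bridge to the root (Dijkstra over link costs)."""
        adj = {}
        for a, _, b, _, c in self.links:
            adj.setdefault(a, []).append((b, c))
            adj.setdefault(b, []).append((a, c))
        dist, heap = {root: 0}, [(0, root)]
        while heap:
            d, u = heapq.heappop(heap)
            if d > dist.get(u, inf):
                continue
            for v, c in adj.get(u, []):
                if d + c < dist.get(v, inf):
                    dist[v] = d + c
                    heapq.heappush(heap, (d + c, v))
        return dist

    def port_roles(self):
        """Returns (root, root_path_cost_by_bridge, {(bridge, port): role})."""
        root = self.elect_root()
        dist = self.root_path_costs(root)
        roles, best = {}, {}
        # Root port: per non-root bridge, lowest (cost via neighbor, neighbor ID, port).
        for a, pa, b, pb, c in self.links:
            for me, port, nb in ((a, pa, b), (b, pb, a)):
                if me == root:
                    continue
                cand = (dist[nb] + c, self.bid[nb], port)
                if me not in best or cand < best[me]:
                    best[me] = cand
        for me, (_, _, port) in best.items():
            roles[(me, port)] = "root"
        # Designated port: per segment, the end with the lower (root path cost, bridge ID).
        # The other end is the root port if chosen above, otherwise it blocks.
        for a, pa, b, pb, _ in self.links:
            ends = sorted((dist[x], self.bid[x], x, px) for x, px in ((a, pa), (b, pb)))
            roles[(ends[0][2], ends[0][3])] = "designated"
            roles.setdefault((ends[1][2], ends[1][3]), "blocking")
        return root, dist, roles


def triangle(sw2_priority=32768):
    """Constructed sample: three switches in a triangle, equal priority by default."""
    t = Topology({"SW1": (32768, "0003.e475.0a66"),
                  "SW2": (sw2_priority, "0003.e475.0b77"),
                  "SW3": (32768, "0003.e475.0c88")})
    t.add_link("SW1", 1, "SW2", 1, 100)    # cost 19
    t.add_link("SW1", 2, "SW3", 1, 100)    # cost 19
    t.add_link("SW2", 2, "SW3", 2, 1000)   # cost 4
    return t


if __name__ == "__main__":
    root, dist, roles = triangle().port_roles()
    print("root:", root, "root path costs:", dist)
    for (bridge, port), role in sorted(roles.items()):
        print(bridge, "port", port, role)
```

With equal priorities SW1 wins on MAC and the SW2-SW3 link is broken by bridge ID (SW3 port 2 blocks); lowering SW2's priority to 4096 moves the root and the blocked port.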
BPDU
- frame contains the sending bridge's MAC addr as source addr, the STP multicast addr as dest (01:80:C2:00:00:00), and prio.
- Sent every 2 seconds
- Types of BPDUs:
- Config BPDUs, used for STP computation
- Topology Change Notification BPDU announces changes in net topology. Sent to root. Root switch sets the Topology Change flag in the normal BPDU.
- Topology Change Notification Ack
- BPDU fields
- bridge ID - 8 bytes, 2 bytes bridge prio, 6 bytes mac addr.
- if mac addr reduction is used - 1st 2 bytes - 4 bits config prio, 12 bits vlan id or MSTP instance #
STP switch port states
- blocking
- an incoming BPDU can take the port out of blocking - 20 second wait for a BPDU
- listening
- processes BPDUs - 15 seconds - transitions when it doesn't receive a valid BPDU
- learning
- learns source addrs, no forwarding, adds addrs to switching db - 15 seconds
- forwarding
- total time - 30-50 seconds
- disabled
STP Port Roles
- Root - fastest interface/path to the root bridge
- Designated - fast path to Root
- Non-Designated - Blocking
Timer Comparison
| Hello | (RIP-Invalid) (OSPF-Suspicious) | Dead (RIP-Flush) | Holddown |
RIP | 30 | 180 (6x) | 240 (8x) | 180 |
OSPF | 10 BMA 30 NBMA | 90 (3x) | 120 (4x) | 5 second delay + 10 seconds Hold |
EIGRP | 5 60 WAN < 1.544Mbps | | | 15 (3x) |
STP | 2 | | | 20 blocking 15 listening 15 learning forwarding |
RSTP
IEEE 802.1w (1998)
Cisco proprietary - Rapid PVST+
- 802.1D-2004 incorporates RSTP and obsoletes STP
- STP can take 30-50 seconds to respond to a topology change
- RSTP typically takes 3*hello (default is 6 seconds total)
- Edge ports
- ports connecting to a lan with no other bridges. Transition directly to forwarding. Monitor for BPDUs, in case a bridge is added.
- port roles
- root - best port out of the bridge towards the root
- designated - best port out of the segment (sort of into the bridge) towards the root
- alternate - alt path to the root bridge
- backup - redundant path to a segment where another port of the same bridge connects
- disabled
- New BPDUs with new spanning tree info can be sent from upstream/new bridges. If the receiving bridges agree that the new info provides better paths, then the first bridge can rapidly transition to forwarding, bypassing listening/learning
- TC bit gets set in the BPDU for a topology change
PVST
Per-VLAN Spanning Tree (PVST and PVST+)
- Cisco proprietary - Extreme supports PVST+ except for untagged or VLAN ID 1
- PVST uses ISL (Cisco proprietary VLAN encaps)
- PVST+ uses 802.1Q encaps.
- in PVST+, the bridge id field has to carry vlan info - the vlan number is added to the priority
show spanning-tree vlan 100
MSTP
Multiple Spanning Tree Protocol
802.1s merged with 802.1Q-2003
- per VLAN. blocks all but one of the possible alt paths within each spanning tree
- encodes additional region info after the standard RSTP BPDU, and a number of MSTI (Multiple Spanning Tree Instance) config msgs.
- Each MSTI config msg conveys spanning tree info for one instance.
- Each instance can be assigned a number of configured VLANs.
- bridges encode an MD5 digest of the VLAN-to-instance mapping in the MSTP BPDU.
- compatible with RSTP. An RSTP bridge sees an MSTP region as a single RSTP bridge.
- msg age time increments only once when spanning tree info enters the MST region.
- Ports at the edge of an MST region are known as boundary ports. Can be configured as edge ports.
- IST
- 802.1s Internal Spanning Tree - MSTI0 (see below) - default/special STP instance 0. Carries RSTP info for the IST, and fields like config name, rev #, hash value of the VLAN to STP instance mapping table (easy to detect misconfig on neighboring switches).
- MSTI
- multiple spanning tree instances - each MSTI may assign diff prios/costs to switches, links, ports. MSTI info is piggybacked in IST BPDUs in MRecord fields (carries root prio, desig bridge prio, port prio, root path, etc).
- MSTP (without RSTP, STP, (R)PVST+) uses MaxHops (root sends MaxHops, every bridge decrements, when zero the BPDU is ignored, this bridge is not the IST root(?)).
- DO NOT USE the "VLAN pruning" static method of distributing VLANs with MSTP enabled. You get bad blocks.
- Do USE a separate TP for each logical topology (MSTI).
R-PVST
Rapid Per-VLAN Spanning Tree
- Cisco proprietary
- combines RSTP and PVST
PortFast and BPDU Guard
PortFast
- promise that only an end station (no BPDUs) is attached
- tells the port to bypass the STP Listening and Learning states
spanning-tree portfast
BPDU Guard
if you see a BPDU, put the port into err-disable (shut/no shut to clear)
spanning-tree bpduguard enable (port mode)
OR
(global mode)
spanning-tree portfast bpduguard default
spanning-tree portfast default (again global)
VLANs
VLAN setting in ethernet packet - See 802.1p/Q section in QOS Notes to see packet/header details.
Cisco VLAN Commands
- native vlan is mgmt - untagged - recommended you don't use vlan 1
Taken from http://itknowledgeexchange.techtarget.com/cisco/setting-up-a-vlan-with-the-cisco-ios/
Show vlan brief
Show interfaces switchport
Show ip interface brief
Show int trunk
And here is how you would configure a VLAN routing on your
router with some show commands:
Router commands
Interface fastethernet 0/4.1
Encapsulation dot1q 10
ip address x.x.x.x y.y.y.y
Interface fastethernet 0/4.2
Encapsulation dot1q 20
ip address z.z.z.z a.a.a.a
Interface fastethernet 4
No shutdown
Show ip interface brief
Show vlans
And here is how you would configure a VLAN on your switch:
Switch commands
Interface fastethernet 0/1
switchport mode trunk
Interface fastethernet 0/2
Switchport access vlan 10
No shutdown
Interface fastethernet 0/5
Switchport access vlan 20
No shutdown
Interface vlan 10
Ip address x.x.x.x y.y.y.y
No shutdown
Interface vlan 20
Ip address x.x.x.x y.y.y.y
No shutdown
Cisco STP and VLAN Commands
sh interfaces switchport
sh spanning-tree
Switch0#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0003.E475.0A66
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0003.E475.0A66
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
-------------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/10 Desg FWD 19 128.10 P2p
Fa0/22 Desg FWD 19 128.22 P2p
Fa0/24 Desg FWD 19 128.24 P2p
sh interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/10 on 802.1q trunking 1
Fa0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/10 1-1005
Fa0/24 1-1005
Port Vlans allowed and active in management domain
Fa0/10 1,10,20
Fa0/24 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Fa0/10 1,10,20
Fa0/24 1,10,20
sh vlan brief
sh vtp status
---
int fa0/24
switchport mode trunk (trunk port passes tags, access port strips)
---
vlan 10
name <name>
(VLANs stored in vlan.dat in FLASH)
---
int vlan 10
ip addr 10.10.10.1 255.255.255.0
---
int <interface>
switchport mode access
switchport access vlan 10
---(set spanning tree root)---
spanning-tree vlan <x> priority <prio>
spanning-tree vlan <x> root primary
spanning-tree vlan <x> root secondary (works in reg STP also)
DTP (Cisco proprietary)
Dynamic Trunking Protocol (DTP)
- Tries to force adjacent port to become a trunk
- VLANs Only
Modes
- on - forces the switch port to become a trunk (switchport mode trunk)
- auto - will not establish trunking with on
- desirable - by default all ports in this state (try to trunk)
- off
Result of the two port modes:
 | Dynamic Auto | Dynamic Desirable | Trunk | Access
Dynamic Auto | Access | Trunk | Trunk | Access
Dynamic Desirable | Trunk | Trunk | Trunk | Access
Trunk | Trunk | Trunk | Trunk | Not Recommended
Access | Access | Access | Not Recommended | Access
sh dtp interface
VTP (Cisco proprietary)
Comes in 3 modes
- Server - create & delete vlans - default - can save VLAN info…can have multiple servers
- Client
- Transparent - can create or delete vlans, but only local to the transparent switch
- Creation/deletion propagates vlans to all servers and clients.
- revision number triggers propagation of VLANs.
- configuration rev # (0 - 2million?)
- auto incremented
- VTP refreshes DB every 5 minutes?
- Make sure vtp domain & password hash match
- Up to 4096 VLANs
---
vtp mode server|client|transparent
vtp domain <domainname>
vtp password <pw>
sh vtp status
Switch0#sh vtp status
VTP Version : 2
Configuration Revision : 6
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : davtpdoman
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x48 0x89 0x20 0xF8 0x87 0x40 0x84 0xE5
Configuration last modified by 0.0.0.0 at 3-1-93 00:44:45
Local updater ID is 0.0.0.0 (no valid interface found)
ICMP
Some types of msgs:
- Echo/Echo Reply
- Destination Unreachable - codes include
- 0 - net unreachable
- 1 - host unreachable
- 2 - protocol unreachable
- 3 - port unreachable
- Time Exceeded (TTL decremented to 0)
- Redirect - better route is available - used when gw and
source host are on same physical net
- Source Quench - tells source to temp stop sending packets
(e.g. rtr buffer space low)
UDP
See IPv4 notes for the IPv4 stuff.
Header (bits 0-15 | bits 16-31):
Source Port | Destination Port
UDP Length | UDP Checksum (optional)
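The header layout above as a parser and checksum verifier, added here as an example (not from the notes' sources): the checksum covers a pseudo-header (source/destination IP, protocol 17, UDP length) plus the segment, and a zero checksum means the sender did not compute one. The sample datagram is constructed.

```python
import socket
import struct

UDP_PROTO = 17


def checksum16(data):
    """RFC 768 / RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip, dst_ip, segment):
    """Checksum of a UDP segment (header + payload) with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, UDP_PROTO, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    value = checksum16(pseudo + zeroed)
    return 0xFFFF if value == 0 else value  # a computed 0 is sent as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Build a UDP segment with a valid checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    cs = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", cs) + payload


def parse_udp(src_ip, dst_ip, segment):
    """Split a UDP segment into its fields and verify the checksum.

    checksum_ok is None when the sender set the optional checksum to zero.
    """
    if len(segment) < 8:
        raise ValueError("segment shorter than the 8-byte UDP header")
    sport, dport, length, cs = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field %d inconsistent with %d bytes" % (length, len(segment)))
    return {
        "sport": sport, "dport": dport, "length": length, "checksum": cs,
        "payload": segment[8:length],
        "checksum_ok": None if cs == 0 else udp_checksum(src_ip, dst_ip, segment[:length]) == cs,
    }


if __name__ == "__main__":
    # Constructed sample: a small datagram to port 53 between two documentation addresses.
    seg = build_udp("192.0.2.1", "192.0.2.2", 1234, 53, b"hello")
    print(seg.hex())
    print(parse_udp("192.0.2.1", "192.0.2.2", seg))
```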
TCP
See IPv4 notes for the IPv4 stuff.
Session setup and teardown
----SYN--->
<-SYN/ACK--
----ACK--->
..session..
----FIN--->
<---ACK----
<---FIN----
----ACK--->
Ports
General rules:
- 0-1023 Well Known
- 1024-49151 User Defined
- 49152-65535 Dynamically assigned
Some common tcp ports
- 20 - ftp data
- 21 - ftp control
- 22 - ssh
- 23 - telnet
- 25 - smtp
- 53 - dns
- 110 - pop
HTTP
SMTP
- rfc821, rfc2821
- TCP port 25
- MUA - Mail User Agent
- MTA - Mail Transfer Agent - mail is for a user on another server
- MDA - Mail Delivery Agent - mail is for a user on the local server.
Commands
- HELO
- IDs SMTP client to svr
- EHLO
- newer version of HELO, includes svc extensions
- MAIL FROM
- IDs sender
- RCPT TO
- IDs recipient
- DATA
- IDs body of msg
Typical Command Sequence
Taken from rfc2821.
S: 220 foo.com Simple Mail Transfer Service Ready
C: EHLO bar.com
S: 250-foo.com greets bar.com
S: 250-8BITMIME
S: 250-SIZE
S: 250-DSN
S: 250 HELP
C: MAIL FROM:<Smith@bar.com>
S: 250 OK
C: RCPT TO:<Jones@foo.com>
S: 250 OK
C: RCPT TO:<Green@foo.com>
S: 550 No such user here
C: RCPT TO:<Brown@foo.com>
S: 250 OK
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Blah blah blah...
C: ...etc. etc. etc.
C: .
S: 250 OK
C: QUIT
S: 221 foo.com Service closing transmission channel
DHCP
rfc2131
- Discover
- (broadcast) Are there DHCP (bootp) svrs out there?
- Offer
- (unicast?) Server response
- Request
- (broadcast) - client IDs the svr and the lease that the client is accepting
- Ack
- (unicast) - Svr acks to client that the lease is finalized (NAK otherwise)
others
- Inform (Broadcast) - client asking for local config params; already has an externally configured net addr
- Release (Unicast) - client releases net addr and cancels remaining lease
- Decline (broadcast) - client declines use of the IP addr supplied by the svr
- NAK - Server indicating the client's notion of its network addr is incorrect (e.g. client moved to new subnet) or the client's lease expired
SMB
Server Message Block - MS file share, Samba
IDS/IPS
Snort
- BASE - front end
Load Balancers (F5 BigIP)
Monitoring
mon
nagios
rrdtool
cacti
ntop
hp openview
spectrum
zabbix
OSI and TCP/IP Network Model
Layer | OSI | TCP/IP
7 | Application | Application - DNS, HTTP, SMTP, FTP, etc....
6 | Presentation - coding/conversion of data, compression, encryption | Application
5 | Session - creates and maintains dialogs between src/dest apps | Application
4 | Transport | Transport
3 | Network | Internet
2 | Data Link | Network Access
1 | Physical | Network Access
Application Layer software
- Applications and Services (e.g. computer services)
Functions specified by App Layer Protocols
- processes at either end
- types of msgs - reqs acks, data, status, error
- syntax - field order, size, etc.
- meaning of fields
- msg dialogs - msg and responses acceptable
WAN Protocols
Leased Line or Circuit Switched
HDLC
- Flag - 01111110
- Header
- Address - usually broadcast in point-to-point
- Control (1 or 2 bytes)
- Info frame - carries upper layer info and some control - Rec Seq #, Poll final, Send Seq #, 0
- Supervisory frame - provides control info - Rec Seq #, Poll final, Function code, 0, 1
- Unnumbered frame - unsequenced control - Function code, Poll final, Function code, 1, 1
- Protocol - IPX, IP, etc. - Cisco custom - field stolen from the data portion of the frame
- Data
- FCS
- Flag - 01111110
PPP
does not impose any restrictions on transmission rate other than DTE/DCE restrictions
LCP (Link Control Protocol)
L2 encapsulation
- sets up the PPP conn and params
- LCP terminates the PPP conn
- handles varying limits on packet size
- detects common misconfig errors
- determines whether the link is functioning properly
- LCP negotiates encaps formats (authentication, compression, error detection)
NCP (Network Control Protocol)
- PPP IPCP works with IP, IPXCP works with IPX, etc…
- handles the higher layer protocol
- NCP enables ISO L3 protocols
Frame
Flag | Address | Control | Protocol | Data | FCS
Phases
- Link Establishment - LCP opens and negotiates
- Link quality determination (optional) - LCP tests the link to determine link quality is sufficient to bring up the Network layer. LCP can delay transmission.
- Network layer protocol config negotiation - NCP
---LCP Config Req-->
<--LCP Config Ack---
<----NCP Config---->
<----Echo-Request---
-----Echo-Reply----->
PPP Options
ppp quality <percentage> (cisco interface level)
- Compression - Stacker (more CPU), predictor (more memory)
compress predictor|stack (cisco interface level)
ppp multilink (cisco interface level)
- PPP Callback
- MRU (Max Receive Unit)
- Async Control Map (escape char)
- Magic Number
int s0/0
encaps ppp
sh interface serial 0/0 (look for encapsulation type and 'open')
sh interfaces serial
debug ppp {packet | negotiation | error | authentication | compression | cbcp} (errors and stats)
PAP Authentication
- Basic unencrypted username/pw
- 2 way handshake
---username <username>, password-->
<--------accept/reject-------------
username R1 password cisco (global config - other side's username; pws have to match)
ppp authentication pap
CHAP Authentication
- 3 way handshake
- periodic challenges
<----------challenge---------------
---username <username>, password-->
<--------accept/reject-------------
SLIP
Packet-Switched
Also HDLC, PPP, SLIP
Frame Relay
FrameRelay.html
ATM
X.25
WiFi
GRE tunnels
interface tunnel1
ip address 192.168.35.6 255.255.255.252
tunnel source 172.25.1.5
tunnel destination 172.26.1.6