Iosciscosheets 180525165539

packetlife.
net
Unicast Routing Protocols Comparison
Router Roles Metric Formula OSPF Configuration
RIP EIGRP OSPF IS-IS BGP
OSPF
Internal Router reference-bandwidth
All interfaces reside within the same area cost = ! Create an OSPF process
Type Distance Vector Distance Vector Link State Link State Path Vector OSPFv2 Link State Advertisements link speed
[ipv6] router ospf process-ID
Backbone Router
Algorithm Bellman-Ford DUAL Dijkstra Dijkstra Path Selection Router Link (Type 1) Adjacency States
A router with at least one interface in area 0 ! Specify a router ID formatted as IPv4 dotted-decimal
Lists neighboring routers and the cost to each; 1 Down 5 ExStart
Admin Distance 120 90/170 (external)/5 (summary) 110 115 20/200 (IBGP) Area Border Router (ABR) router-id router-ID
flooded within an area
Connects two or more areas 2 Attempt 6 Exchange
Standard RFCs 2080, 2453 Cisco proprietary RFCs 2328, 5340 ISO 10589, RFC 1142 RFC 4271 Network Link (Type 2) ! Modify the default reference bandwidth
AS Boundary Router (ASBR) 3 Init 7 Loading auto-cost reference-bandwidth speed-in-mbps
Generated by a DR; lists all routers on an
Supported Protocols IPv4, IPv6 IPv4, IPv6, IPX, Appletalk IPv4, IPv6 IPv4, IPv6, CLNP IPv4, IPv6 Connects to additional routing domains
adjacent segment; flooded within an area 4 2-Way 8 Full ! Assign interfaces to areas by network (OSPFv2)
(redistribution to or from other protocols)
Transport UDP/520 IP/88 IP/89 Layer 2 TCP/179 Network Summary (Type 3) network IPv4-address wildcard-mask area area
Global Configuration
Generated by an ABR; advertises routes Area Types Message Types
Authentication Plain, MD5 MD5 Plain, MD5, AH (v3) Plain, MD5 MD5 ! Identify neighbors for NBMA links (OSPFv2)
between areas Standard Area 1 Hello 4 LS Update
Multicast Address 224.0.0.9 224.0.0.10 224.0.0.5-6 N/A N/A neighbor IPv4-address [cost 1-65535]
ASBR Summary (Type 4) Default OSPF area type 2 DB Descr. 5 LS Ack
Injected by an ABR into the backbone to Stub Area ! Configure summaries on area border routers
advertise the presence of an ASBR in a non- 3 LS Request
Terminology RIP Configuration area area range { IPv4-address subnet-mask | IPv6-prefix }
RIP backbone area
External link (type 5) LSAs are replaced with
a single default route
Split-Horizon DR/BDR Election ! Summarize external routes (ASBRs only)
! Enable RIPv2 IPv4 routing External Link (Type 5)
RIP Implementations Mitigates routing loops by ensuring a Totally Stubby Area · The DR serves as a common summary-address IPv4-address subnet-mask [not-advertise]
router rip Generated by an ASBR and flooded throughout
route is never advertised back to the Type 3, 4, and 5 LSAs are replaced with a point for all adjacencies on a summary-prefix IPv6-prefix [not-advertise]
RIPv1 version 2 the AS to advertise a route external to OSPF
neighbor from which it was learned default route multiaccess segment
Original RIP implementation, limited to Group Membership (Type 6) ! Originate a default route
Poison Reverse ! Disable RIPv2 automatic summarization Not-So-Stubby Area (NSSA) · The BDR also maintains
classful routing (obsolete) Used by Multicast OSPF; unsupported by IOS default-information originate [always]
Learned routes are advertised back to no auto-summary A stub area containing an ASBR; type 5 LSAs adjacencies with all routers in
RIPv2 their originator as explicitly invalid NSSA External Link (Type 7) are converted to type 7 within the area ! Designate stub, totally stubby, or not-so-stubby areas
! Designate RIPv2 interfaces by network case the DR fails
Introduced support for classless routing, Generated by an ASBR in a not-so-stubby area; area area { stub | nssa } [no-summary]
triggered updates, and multicast Troubleshooting network IPv4-network External Route Types · Does not occur on point-to-
converted into a type 5 LSA by the ABR when
announcements (RFC 2453) point or multipoint links ! Create a virtual link
show ip[v6] protocols ! Identify unicast-only neighbors leaving the area E1
· Default priority (0-255) is 1; area area virtual-link router-ID
RIPng (RIP Next Generation) neighbor IP-address Considers the cost to the advertising ASBR
show ip[v6] rip database OSPFv3 Link State Advertisements highest priority wins; 0 cannot
Extends RIPv2 to support IPv6 routing plus the external cost of the route
debug ip rip { database | events } ! Originate a default route be elected interface type number
(RFC 2080); functions very similarly to Name v2 Equiv. E2 (Default)
default-information originate · DR preemption will not occur
RIPv2 and is subsequently as limited debug ipv6 rip [interface] 0x2001 Router LSA Type 1 The external cost of a route as seen by the ! Enable OSPF on the interface
! Designate passive interfaces unless the current DR is reset
ASBR; internal OSPF cost is not considered ip[v6] ospf process-ID area area
RIP Configuration passive-interface {interface | default} 0x2002 Network LSA Type 2
Virtual Links ! Identify neighbors for NBMA links (OSPFv3)
0x2003 Inter-area prefix LSA Type 3 Troubleshooting
! Modify equal-cost load balancing · Tunnel formed to join two ipv6 ospf neighbor IPv6-address
interface type number 0x2004 Inter-area router LSA Type 4 show ip[v6] ospf [process] interface
maximum-paths 1-16 areas across an intermediate
Interface Configuration
! Enable RIPng on the interface 0x4005 AS-external LSA Type 5 show ip[v6] ospf [process] neighbor ! Set interface cost manually
· Both end routers must share
! Modify timers ip[v6] ospf cost 1-65535
ipv6 rip name enable 0x2006 Group membership LSA Type 6 show ip[v6] ospf border-routers a common non-stub area
timers basic update invalid hold flush
! Configure manual route summarization 0x2007 Type-7 LSA Type 7 show ip[v6] ospf database [LSA-type] · At least one end must reside ! Configure DR election priority
! Enable RIPng IPv6 routing in area 0 ip[v6] ospf priority 0-255
ip summary-address rip IPv4-address subnet-mask
ipv6 router rip name 0x0008 Link LSA N/A show ip[v6] ospf virtual-links
ipv6 rip name summary-address IPv6-prefix · Transition tool; not ideal for ! Specify network type (broadcast, point-to-point, etc.)
! Toggle split-horizon and poison-reverse 0x2009 Intra-area prefix LSA N/A debug ip[v6] ospf […] permanent designs
! Enable MD5 authentication (RIPv2 only) ip[v6] ospf network type
[no] split-horizon
ip rip authentication mode md5 Network Types ! Modify interface hello and dead intervals
[no] poison-reverse
ip rip authentication key-chain key-chain ip[v6] ospf hello-interval seconds
Nonbroadcast Multipoint Multipoint
(NBMA) Broadcast Nonbroadcast Broadcast Point-to-Point ip[v6] ospf dead-interval seconds
DR/BDR Elected Yes No No Yes No ! Enable MD5 authentication (OSPFv2)
EIGRP Configuration
EIGRP Neighbor Discovery No Yes No Yes Yes ip ospf authentication message-digest
! Enable EIGRP for an autonomous system ip ospf message-digest-key key-id md5 key-string
Hello/Dead Timers 30/120 30/120 30/120 10/40 10/40
Metric Formula [ipv6] router eigrp AS-number ! Enable IPsec authentication (OSPFv3)
Defined By RFC 2328 RFC 2328 Cisco Cisco Cisco
K2 * bw K5 ! Specify a router ID formatted in IPv4 dotted-decimal ipv6 ospf auth ipsec spi spi-number { md5 | sha1 } string
256 * (K1 * bw + + K3 * delay) * Supported Topology Full Mesh Any Any Full Mesh Point-to-Point
256 - load rel + K4 [eigrp] router-id router-ID
· bw = 107 / minimum path bandwidth in kbps ! Disable automatic classful summarization (IPv4 only)
· delay = interface delay in µsecs / 10 ISO Routing Levels IS-IS Configuration
no auto-summary Integrated IS-IS
Packet Types Default K Values Level 0 Used to locate end systems
! Enable EIGRP on interfaces by network (IPv4 only) ! Enable IS-IS routing
1 Update K1 1 network IPv4-address wildcard-mask NSAP Addressing Level 1 Routing within an area (IS-IS) router isis
3 Query K2 0 ! Modify maximum paths for equal-cost load balancing Interdomain Part Domain-Specific Part Level 2 Routing between areas (IS-IS) ! Specify one or more NET addresses
maximum-paths 1-16 Level 3 Inter-AS routing net NET
4 Reply K3 1
NSAP AFI IDI HODSP
5 Hello K4 0 ! Configure multiplier for unequal-cost load balancing System ID SEL
Terminology ! Set global routing level (default level-1-2)
Condensed Area
8 Acknowledge K5 0 variance 1-128 is-type { level-1 | level-1-2 | level-2-only }
Example 49 0005.80ff.f800.0000 0001 0000.0c00.1234 00 Type-Length-Value (TLV)
! Configure K values to manipulate the metric formula Variable-length modular datasets carried by PDUs ! Configure IPv4 route summaries
Terminology metric weights 0 k1 k2 k3 k4 k5 Interdomain Part (IDP) IS-IS Hello (IIH) summary-address IP-address subnet-mask [level]
Reported Distance Portion of the address used in routing between autonomous systems; Establish and maintain neighbor adjacencies
The metric for a route advertised by a neighbor ! Explicitly identify neighbors on NBMA links ! Configure IPv6 route summaries
assigned by ISO Link State PDU (LSP)
neighbor IP-address interface address-family ipv6
Feasible Distance Domain-Specific Part (DSP) Carry TLVs encompassing link state information summary-prefix IPv6-prefix [level]
The distance advertised by a neighbor plus the cost ! Designate passive interfaces Portion of the address relevant only within the local AS Sequence Number Packet (SNP)
to get to that neighbor passive-interface {interface | default} Authority and Format Identifier (AFI) Used to request and advertise LSPs; can be complete ! Originate a default route
Stuck In Active (SIA) Identifies the authority which dictates the format of the address (CSNP) or partial (PSNP) default-information originate
! Enable stub routing
The condition when a route becomes unreachable [eigrp] stub [receive-only | connected | static | summary | redist] Initial Domain Identifier (IDI) Network Entity Title (NET)
and not all queries for it are answered; adjacencies An organization belonging to the AFI Unique router ID; includes area ID interface type number
with unresponsive neighbors are reset High Order DSP (HODSP)
interface type number Designated Intermediate System (DIS) ! Enable IS-IS on an interface
Passive Interface The area within the AS A pseudonode responsible for emulating point-to- ip[v6] router isis
An interface which does not participate in EIGRP ! Enable EIGRP for IPv6 on the interface System ID point links across a multi-access segment
but whose network is advertised ipv6 eigrp AS-number Unique router identifier; 48 bits for Cisco devices (often taken from an ! Specify interface routing level
Stub Router Ethernet MAC address) Adjacency Requirements isis circuit-type { level-1 | level-1-2 | level-2-only }
! Set the maximum bandwidth EIGRP can consume (can be >100%)
A router which advertises only a subset of routes, · Interface MTUs must match
ip[v6] bandwidth-percent eigrp AS-number 1-999999 NSAP Selector (SEL) ! Set interface metric
and is omitted from the route query process Identifies a network layer service; always 0x00 in a NET isis [ipv6] metric { 1-16777214 | maximum }
· Levels must match
! Configure manual summarization of outbound routes
Default Timers ip summary-address eigrp AS-number IPv4-address subnet-mask [AD] Network Types · Areas must match (if level 1) ! Designate the network as point-to-point
LAN (>T1) WAN (<=T1) ipv6 summary-address eigrp AS-number IPv6-prefix [AD] Broadcast Point-to-Point · System IDs must be unique isis network point-to-point
Hello 5 sec 60 sec ! Enable MD5 authentication DIS Elected Yes No · Authentication must succeed ! Configure DIS election priority
Hold 15 sec 180 sec ip[v6] authentication mode eigrp AS-number md5 Neighbor Discovery Yes Yes isis priority 0-127 [ level-1 | level-2 ]
ip[v6] authentication key-chain eigrp AS-number key-chain DIS Election
Hello/Dead Timers 10/30 10/30 ! Modify interface hello and dead intervals
Troubleshooting · Highest-priority interface elected isis hello-interval seconds [ level-1 | level-2 ]
! Modify interface hello and hold timers
show ip[v6] eigrp {interfaces | neighbors } ip[v6] hello-interval eigrp AS-number seconds Troubleshooting · Highest SNPA (e.g. MAC or DLCI) breaks tie isis hello-multiplier 3-1000 [ level-1 | level-2 ]
show ip[v6] eigrp topology ip[v6] hold-time eigrp AS-number seconds show [clns | isis] neighbors show isis [database | spf-log] · Highest system ID breaks SNPA tie ! Enable MD5 authentication
clear ip[v6] eigrp [AS-number] neighbors ! Toggle split horizon show clns interface debug [clns | isis] […] · Default interface priority is 64 isis authentication mode md5
debug ip[v6] eigrp [neighbor] [no] ip[v6] split-horizon eigrp AS-number show isis [ipv6] topology · Current DIS may be preempted, unlike OSPF isis authentication key-chain key-chain
BGP · PART 1 packetlife.net
Attributes About BGP
Name Description Type Path Vector
Well-known Mandatory · Must be supported and propagated eBGP AD 20
1 Origin Origin type (IGP, EGP, or unknown) iBGP AD 200
List of autonomous systems which the Standard RFC 4271
2 AS Path
advertisement has traversed
Protocols IP
3 Next Hop External peer in neighboring AS
Transport TCP/179
Well-known Discretionary · Must be supported; propagation optional
Authentication MD5
Metric for internal neighbors to reach
5 Local Preference
external destinations (default 100) Terminology
Includes ASes which have been dropped Autonomous System (AS)
6 Atomic Aggregate
due to route aggregation A logical domain under the control of a
Optional Transitive · Marked as partial if unsupported by neighbor single entity
7 Aggregator ID and AS of summarizing router External BGP (eBGP)

BGP adjacencies which span autonomous
8 Community Route tag system boundaries
Optional Nontransitive · Deleted if unsupported by neighbor Internal BGP (iBGP)
BGP adjacencies formed within a single AS
Multiple Exit Metric for external neighbors to reach the
4
Discriminator (MED) local AS (default 0) Synchronization Requirement
A route must be known by an IGP before
9 Originator ID The originator of a reflected route it may be advertised to BGP peers
10 Cluster List List of cluster IDs
Packet Types
13 Cluster ID Originating cluster
Open Update
Cisco proprietary, not communicated to
-- Weight
peers (default 0) Keepalive Notification
Path Selection Neighbor States

Attribute Description Preference Idle · Neighbor is not responding
1 Weight Administrative preference Highest Active · Attempting to connect
Communicated between peers Connect · TCP session established
2 Local Preference Highest
within an AS
Open Sent · Open message sent
3 Self-originated Prefer paths originated locally True
Open Confirm · Response received
4 AS Path Minimize AS hops Shortest
Established · Adjacency established
Prefer IGP-learned routes over
5 Origin IGP
EGP, and EGP over unknown Troubleshooting
6 MED Used externally to enter an AS Lowest show ip bgp [summary]
7 External Prefer eBGP routes over iBGP eBGP show ip bgp neighbors
8 IGP Cost Consider IGP metric Lowest show ip route [bgp]
9 eBGP Peering Favor more stable routes Oldest clear ip bgp * [soft]
10 Router ID Tie breaker Lowest debug ip bgp […]
Influencing Path Selection

Weight neighbor 172.16.0.1 weight 200 Local Preference bgp default local-preference 100
MED default-metric 400 Route Map neighbor 172.16.0.1 route-map Foo
Ignore Ignore Cost
bgp bestpath as-path ignore bgp bestpath cost-community ignore
AS Path Communities
by Jeremy Stretch v2.1-r1

BGP · PART 2 packetlife.net
Configuration Example
interface Serial1/0 Router A

AS 65100 description Backbone to B
ip address 172.16.0.1 255.255.255.252
F2/0 !
A interface Serial1/1
S1/0 S1/1 description Backbone to C
ip address 172.16.0.5 255.255.255.252
!
172.16.0.0/30 interface FastEthernet2/0
172.16.0.4/30 description LAN
ip address 192.168.1.1 255.255.255.0
AS 65200 !
S1/0 S1/0 router bgp 65100
F0/0 F0/0 no synchronization
network 172.16.0.0 mask 255.255.255.252
10.0.0.0/30 network 172.16.0.4 mask 255.255.255.252
B C
network 192.168.1.0
F2/0 F2/0 neighbor South peer-group
neighbor South remote-as 65200
neighbor 172.16.0.2 peer-group South
OSPF neighbor 172.16.0.6 peer-group South
no auto-summary
interface FastEthernet0/0 Router B interface FastEthernet0/0 Router C

description Backbone to C description Backbone to B
ip address 10.0.0.1 255.255.255.252 ip address 10.0.0.2 255.255.255.252
! !
interface Serial1/0 interface Serial1/0
description Backbone to A description Backbone to A
! !
interface FastEthernet2/0 interface FastEthernet2/0
description LAN description LAN
! !
router ospf 100 router ospf 100
network 10.0.0.1 0.0.0.0 area 0 network 10.0.0.2 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 1 network 192.168.3.1 0.0.0.0 area 2
! !
router bgp 65200 router bgp 65200
no synchronization no synchronization
redistribute ospf 100 route-map LAN_Subnets redistribute ospf 100 route-map LAN_Subnets
neighbor 10.0.0.2 remote-as 65200 neighbor 10.0.0.1 remote-as 65200
neighbor 172.16.0.1 remote-as 65100 neighbor 172.16.0.5 remote-as 65100
no auto-summary no auto-summary
! !
access-list 10 permit 192.168.0.0 0.0.255.255 access-list 10 permit 192.168.0.0 0.0.255.255
! !
route-map LAN_Subnets permit 10 route-map LAN_Subnets permit 10
match ip address 10 match ip address 10
set metric 100 set metric 100
Router A Routing Table Router B Routing Table
172.16.0.0/30 is subnetted, 2 subnets 172.16.0.0/30 is subnetted, 2 subnets

C 172.16.0.4 is directly connected, S1/1 B 172.16.0.4 [20/0] via 172.16.0.1
C 172.16.0.0 is directly connected, S1/0 C 172.16.0.0 is directly connected, S1/0
C 192.168.1.0/24 is directly connected, F2/0 10.0.0.0/30 is subnetted, 1 subnets
B 192.168.2.0/24 [20/100] via 172.16.0.2 C 10.0.0.0 is directly connected, F0/0
B 192.168.3.0/24 [20/100] via 172.16.0.2 B 192.168.1.0/24 [20/0] via 172.16.0.1
C 192.168.2.0/24 is directly connected, F2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0
by Jeremy Stretch v2.1-r1

EIGRP packetlife.net
Protocol Header Attributes
8 16 24 32 Type Distance Vector
Version Opcode Checksum
Algorithm DUAL
Flags
Internal AD 90
Sequence Number
External AD 170
Acknowledgment Number
Summary AD 5
Autonomous System Number
Standard Cisco proprietary
Type Length
Protocols IP, IPX, Appletalk
Value
Transport IP/88
Metric Formula Authentication MD5
K2 * bw K5 Multicast IP 224.0.0.10
256 * (K1 * bw + + K3 * delay) *
256 - load rel + K4 Hello Timers 5/60
· bw = 107 / minimum path bandwidth in kbps Hold Timers 15/180
· delay = interface delay in µsecs / 10
K Defaults Packet Types
EIGRP Configuration
K1 1 1 Update
Protocol Configuration
K2 0 3 Query
! Enable EIGRP
router eigrp <ASN> K3 1 4 Reply
! Add networks to advertise K4 0 5 Hello
network <IP address> <wildcard mask>
K5 0 8 Acknowledge
! Configure K values to manipulate metric formula
metric weights 0 <k1> <k2> <k3> <k4> <k5>
Terminology
Reported Distance
! Disable automatic route summarization The metric for a route advertised by a neighbor
no auto-summary
Feasible Distance
! Designate passive interfaces The distance advertised by a neighbor plus the cost
passive-interface (<interface> | default) to get to that neighbor
Stuck In Active (SIA)
! Enable stub routing
The condition when a route becomes unreachable
eigrp stub [receive-only | connected | static | summary]
and not all queries for it are answered; adjacencies
! Statically identify neighoring routers with unresponsive neighbors are reset
neighbor <IP address> <interface> Passive Interface
An interface which does not participate in EIGRP but
Interface Configuration whose network is advertised
! Set maximum bandwidth EIGRP can consume
ip bandwidth-percent eigrp <AS> <percentage>
Stub Router
A router which advertises only a subset of routes,
! Configure manual summarization of outbound routes and is omitted from the route query process
ip summary-address eigrp <AS> <IP address> <mask> [<AD>]
Troubleshooting
! Enable MD5 authentication show ip eigrp interfaces
ip authentication mode eigrp <AS> md5
ip authentication key-chain eigrp <AS> <key-chain> show ip eigrp neighbors
! Configure hello and hold timers show ip eigrp topology

ip hello-interval eigrp <AS> <seconds> show ip eigrp traffic
ip hold-time eigrp <AS> <seconds>
clear ip eigrp neighbors
! Disable split horizon for EIGRP
no ip split-horizon eigrp <AS> debug ip eigrp [packet | neighbors]
by Jeremy Stretch v2.1

FIRST HOP REDUNDANCY packetlife.net
Protocols Attributes
Hot Standby Router Protocol (HSRP) HSRP VRRP GLBP
Provides default gateway redundancy using one active Standard RFC 2281 RFC 3768 Cisco
and one standby router; standardized but licensed by
Cisco Systems Load Balancing No No Yes
Virtual Router Redundancy Protocol (VRRP) IPv6 Support Yes No Yes
An open-standard alternative to Cisco's HSRP, Transport UDP/1985 IP/112 UDP/3222
providing the same functionality
Default Priority 100 100 100
Gateway Load Balancing Protocol (GLBP)
Supports arbitrary load balancing in addition to Default Hello 3 sec 1 sec 3 sec
redundancy across gateways; Cisco proprietary Multicast Group 224.0.0.2 224.0.0.18 224.0.0.102
HSRP VRRP GLBP
100 200 100 100 200 100 100 200 100

Standby Active Listen Backup Master Backup AVF AVF AVF
AVG
HSRP Configuration HSRP/GLBP Interface States
interface FastEthernet0/0 Speak · Gateway election in progress

ip address 10.0.1.2 255.255.255.0 Active · Active router/VG
standby version {1 | 2}
standby 1 ip 10.0.1.1 Standby · Backup router/VG
standby 1 timers <hello> <dead>
standby 1 priority <priority> Listen · Not the active router/VG
standby 1 preempt
standby 1 authentication md5 key-string <password> VRRP Interface States
standby 1 track <interface> <value>
Master · Acting as the virtual router
standby 1 track <object> decrement <value>
Backup · All non-master routers
VRRP Configuration
GLBP Roles
interface FastEthernet0/0
Active Virtual Gateway (AVG)
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
Answers for the virtual router and assigns
vrrp 1 timers {advertise <hello> | learn} virtual MAC addresses to group members
vrrp 1 priority <priority> Active Virtual Forwarder (AVF)
vrrp 1 preempt All routers which forward traffic for the group
vrrp 1 authentication md5 key-string <password>
vrrp 1 track <object> decrement <value> GLBP Load Balancing
Round-Robin (default)
GLBP Configuration
The AVG answers host ARP requests for the
interface FastEthernet0/0 virtual router with the next router in the cycle
ip address 10.0.1.2 255.255.255.0 Host-Dependent
glbp 1 ip 10.0.1.1 Round-robin cycling is used while a consistent
glbp 1 timers <hello> <dead>
AVF is maintained for each host
glbp 1 timers redirect <redirect> <time-out>
glbp 1 priority <priority> Weighted
glbp 1 preempt Determines the proportionate share of hosts
glbp 1 forwarder preempt handled by each AVF
glbp 1 authentication md5 key-string <password>
glbp 1 load-balancing <method> Troubleshooting
glbp 1 weighting <weight> lower <lower> upper <upper>
glbp 1 weighting track <object> decrement <value> show standby [brief] show vrrp [brief]
show glbp [brief] show track [brief]
IEEE 802.11 WLAN · PART 1 packetlife.net
IEEE Standards
802.11a 802.11b 802.11g 802.11n
Maximum Throughput 54 Mbps 11 Mbps 54 Mbps 300 Mbps

Frequency 5 GHz 2.4 GHz 2.4 GHz 2.4/5 GHz
Modulation OFDM DSSS DSSS/OFDM OFDM
Channels (FCC/ETSI) 21/19 11/13 11/13 32/32
Ratified 1999 1999 2003 2009
WLAN Types WLAN Components

Ad Hoc
ESS
A WLAN between isolated stations with IBSS BSS BSS
no central point of control; an IBSS
Infrastructure
A WLAN attached to a wired network via
an access point; a BSS or ESS
DS
Frame Types
Type Class
Association Management
Authentication Management Basic Service Area (BSA)
The physical area covered by the wireless signal of a BSS
Probe Management
Basic Service Set (BSS)
Beacon Management A set of stations and/or access points which can directly
Request to Send (RTS) Control communicate via a wireless medium
Distribution System (DS)
Clear to Send (CTS) Control
The wired infrastructure connecting multiple BSSs to form an ESS
Acknowledgment (ACK) Control Extended Service Set (ESS)
Data Data A set of multiple BSSs connected by a DS which appear to wireless
stations as a single BSS
Client Association Independent BSS (IBSS)
An isolated BSS with no connection to a DS; an ad hoc WLAN
Measuring RF Signal Strength

Probe Request
Decibel (dB)
Probe Response An expression of signal strength as compared to a reference signal;
Authentication Request calculated as 10log10(signal/reference)
Authentication Response dBm · Signal strength compared to a 1 milliwatt signal
Association Request
dBw · Signal strength compared to a 1 watt signal
Association Response
dBi · Compares forward antenna gain to that of an isotropic antenna
Modulations
Scheme Modulation Throughput Terminology
DBPSK 1 Mbps Basic Service Set Identifier (BSSID)
A MAC address which serves to uniquely identify a BSS
DSSS DQPSK 2 Mbps
Service Set Identifier (SSID)
CCK 5.5/11 Mbps A human-friendly text string which identifies a BSS; 1-32 characters
BPSK 6/9 Mbps Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)
QPSK 12/18 Mbps The mechanism which facilitates efficient communication across a
OFDM shared wireless medium (provided by DCF or PCF)
16-QAM 24/36 Mbps
Effective Isotropic Radiated Power (EIRP)
64-QAM 48/54 Mbps Net signal strength (transmitter power + antenna gain - cable loss)

IEEE 802.11 WLAN · PART 2 packetlife.net
Distributed Coordination Function (DCF)
DIFS DIFS DIFS DIFS
A Frame
B Deferral Period
C Random Backoff
D Contention Window
Interframe Spacing Client Authentication

Short IFS (SIFS) Open · No authentication is used
Used to provide minimal spacing delay between
Pre-shared Encryption Keys
control frames or data fragments
Keys are manually distributed among clients and APs
DCF IFS (DIFS) Lightweight EAP (LEAP)
Normal spacing enforced under DCF for management Cisco-proprietary EAP method introduced to provide
and non-fragment data frames dynamic keying for WEP (deprecated)
Arbitrated IFS (AIFS) EAP-TLS
Variable spacing calculated to accommodate differing Employs Transport Layer Security (TLS); PKI
qualities of service (QoS) certificates are required on the AP and clients
Extended IFS (EIFS)
EAP-TTLS
Extended delay imposed after errors are detected in a
Clients authenticate the AP via PKI, then form a secure
received frame
tunnel inside which the client authentication takes
Encryption Schemes place (clients do not need PKI certificates)
Wired Equivalent Privacy (WEP) Protected EAP (PEAP)

Flawed RC4 implementation using a 40- or 104-bit A proposal by Cisco, Microsoft, and RSA which employs
pre-shared encryption key (deprecated) a secure tunnel for client authentication like EAP-TTLS
Wi-Fi Protected Access (WPA) EAP-FAST

Implements the improved RC4-based encryption Developed by Cisco to replace LEAP; establishes a
Temporal Key Integrity Protocol (TKIP) which can secure tunnel using a Protected Access Credential
operate on WEP-capable hardware (PAC) in the absence of PKI certificates
IEEE 802.11i (WPA2) RF Signal Interference

IEEE standard developed to replace WPA; requires a
new generation of hardware to implement significantly Reflection Scattering Absorption
stronger AES-based CCMP encryption
Quality of Service Markings

WMM 802.11e 802.1p
Platinum 7/6 6/5 Refraction Diffraction

Gold 5/4 4/3
Silver 3/0 0
Bronze 2/1 2/1
Wi-Fi Multimedia (WMM)
A Wi-Fi Alliance certification for QoS; a subset of Antenna Types
802.11e QoS
Directional · Radiates power in one focused direction
IEEE 802.11e
Official IEEE WLAN QoS standard ratified in 2005; Omnidirectional
replaces WMM Radiates power uniformly across a plane
Isotropic
IEEE 802.1p
A theoretical antenna referenced when measuring
QoS markings in the 802.1Q header on wired Ethernet
effective radiated power

IEEE 802.1X packetlife.net
802.1X Header Terminology
1 1 2 Extensible Authentication Protocol (EAP)
Version Type Length EAP A flexible authentication framework defined in RFC 3748
EAP Over LANs (EAPOL)
EAP encapsulated by 802.1X for transport across LANs
EAP Header
Supplicant
1 1 2
The device (client) attached to an access link that requests
Code Identifier Length Data authentication by the authenticator
Authenticator
EAP Flow Chart The device that controls the status of a link; typically a
wired switch or wireless access point
Authentication
Supplicant Authenticator Server Authentication Server
A backend server which authenticates the credentials
provided by supplicants (for example, a RADIUS server)
Guest VLAN
Fallback VLAN for clients not 802.1X-capable
Restricted VLAN
Identity Request
Fallback VLAN for clients which fail authentication
802.1X Packet Types EAP Codes

Identity Response Access Request
0 EAP Packet 1 Request
Challenge Request Access Challenge 1 EAPOL-Start 2 Response

2 EAPOL-Logoff 3 Success
Challenge Response Access Request 3 EAPOL-Key 4 Failure
4 EAPOL-Encap-ASF-Alert EAP Req/Resp Types
Success Access Accept
Interface Defaults 1 Identity
EAP RADIUS Max Auth Requests 2 2 Notification
Configuration Reauthentication Off 3 Nak

Quiet Period 60s 4 MD5 Challenge
! Define a RADIUS server Global Configuration
radius-server host 10.0.0.100 Reauth Period 1hr 5 One Time Password
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
Server Timeout 30s 6 Generic Token Card
aaa new-model Supplicant Timeout 30s 254 Expanded Types
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally Tx Period 30s 255 Experimental
dot1x system-auth-control
Port-Control Options
! Static access mode Interface Configuration
force-authorized
switchport mode access
! Enable 802.1X authentication per port
Port will always remain in authorized state (default)
dot1x port-control auto force-unauthorized
! Configure host mode (single or multi) Always unauthorized; authentication attempts are ignored
dot1x host-mode single-host
! Configure maximum authentication attempts auto
dot1x max-reauth-req Supplicants must authenticate to gain access
! Enable periodic reauthentication
dot1x reauthentication Troubleshooting
! Configure a guest VLAN
dot1x guest-vlan 123 show dot1x [statistics] [interface <interface>]
! Configure a restricted VLAN dot1x test eapol-capable [interface <interface>]
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3 dot1x re-authenticate interface <interface>

IPSEC packetlife.net
Protocols Encryption Algorithms
Internet Security Association and Key Management Type Key Length (Bits) Strength
Protocol (ISAKMP) DES Symmetric 56 Weak
A framework for the negotiation and management of
security associations between peers (traverses UDP/500) 3DES Symmetric 168 Medium
Internet Key Exchange (IKE) AES Symmetric 128/192/256 Strong

Responsible for key agreement using asymmetric RSA Asymmetric 1024+ Strong
cryptography
Encapsulating Security Payload (ESP) Hashing Algorithms
Provides data encryption, data integrity, and peer Length (Bits) Strength
authentication; IP protocol 50 MD5 128 Medium
Authentication Header (AH)
SHA-1 160 Strong
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51 IKE Phases
IPsec Modes Phase 1
A bidirectional ISAKMP SA is established
Original between peers to provide a secure management
L2 IP TCP/UDP
Packet channel (IKE in main or aggressive mode)
Transport Phase 1.5 (optional)
L2 IP ESP/AH TCP/UDP
Mode Xauth can optionally be implemented to enforce
user authentication
Tunnel
L2 New IP ESP/AH IP TCP/UDP Phase 2
Mode
Two unidirectional IPsec SAs are established for
Transport Mode data transfer using separate keys (IKE quick
The ESP or AH header is inserted behind the IP header; the mode)
IP header can be authenticated but not encrypted
Terminology
Tunnel Mode
A new IP header is created in place of the original; this Data Integrity
allows for encryption of the entire original packet Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Configuration Data Confidentiality
ISAKMP Policy Encryption is used to ensure data cannot be
crypto isakmp policy 10
encryption aes 256
intercepted by a third party
hash sha Data Origin Authentication
authentication pre-share Authentication of the SA peer
group 2
lifetime 3600 Anti-replay
Sequence numbers are used to detect and
ISAKMP Pre-Shared Key discard duplicate packets
crypto isakmp key 1 MySecretKey address 10.0.0.2 Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
IPsec Transform Set provide message authenticity
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
mode tunnel Diffie-Hellman Exchange
A shared secret key is established over an
IPsec Profile insecure path using public and private keys
crypto ipsec profile MyProfile
set transform-set MyTS Troubleshooting
show crypto isakmp sa
interface Tunnel0 Virtual Tunnel Interface
ip address 172.16.0.1 255.255.255.252 show crypto isakmp policy
tunnel source 10.0.0.1
tunnel destination 10.0.0.2 show crypto ipsec sa
tunnel mode ipsec ipv4 show crypto ipsec transform-set
tunnel protection ipsec profile MyProfile
debug crypto {isakmp | ipsec}

IPV4 MULTICAST packetlife.net
Layer 2 Addressing Group Ranges
239.142.57.6 224.0.0.0/24 Local network control
11101111 10001110 00111001 00000110 224.0.1.0/24 Internetwork control
01-00-5E-0E-39-06 232.0.0.0/8 Source-specific
00000001 00000000 01011110 00001110 00111001 00000110 233.0.0.0/8 GLOP (RFC 3180)
239.0.0.0/8 Admin-scoped
Terminology
Reverse Path Forwarding (RPF) Common Groups
Verifies that multicast traffic travels in the reverse direction of 224.0.0.1 All hosts
unicast traffic, away from the tree root
224.0.0.2 All routers
Cisco Group Management Protocol (CGMP)
A proprietary protocol used by switches to obtain multicast 224.0.1.39 Cisco RP Announce
membership information for end hosts (deprecated) 224.0.1.40 Cisco RP Discovery
Internet Group Management Protocol (IGMP)
Hosts send IGMP requests to local routers to join multicast groups Distribution Trees
Shared
IGMP Configuration A common set of links which carry all
IGMP Support Router(config-if)# ip igmp [version <#>] multicast traffic; statically configured
Source-Rooted
IGMP Snooping Switch(config)# ip igmp snooping
Provides the shortest paths from the
Protocol Independent Multicast (PIM) source to receivers
Dense Mode IGMP

The initial tree encompasses all multicast routers; after a period of
time, routers without IGMP members prune back branches IGMPv1
Original IGMP specification
Sparse Mode
The tree is grown from a central rendezvous point out to the IGMPv2
multicast source and recipients Adds support for dynamic leave requests
and querier election to original IGMP
Sparse-Dense Mode
Allows a PIM-enabled interface to function in either sparse or dense IGMPv3
mode per group Adds multicast source filtering to v2
PIMv1 IGMP Snooping
Provides automatic RP discovery with Auto-RP (Cisco proprietary) A switch passively inspects IGMP
requests to determine which hosts
PIMv2 should receive multicast traffic
Automatic RP discovery is accomplished by the bootstrap router
(BSR) method (standard) IGMP Troubleshooting
PIM Configuration show ip igmp

show ip igmp group
ip multicast-routing
! show ip igmp interface
ip pim {sparse-mode | dense-mode | sparse-dense-mode} show ip igmp snooping
ip pim version {1 | 2} ip igmp join-group
RP Configuration PIM Troubleshooting

Manual ip pim rp-address <IP> show ip mroute
Auto-RP Mapping Agent ip pim send-rp-discovery scope <TTL> show ip pim interface
Auto-RP Candidate ip pim send-rp-announce <interface> show ip pim neighbor
BSR Candidate ip pim bsr-candidate <interface> show ip pim rp [mapping]
BSR RP Candidate ip pim rp-candidate <interface> show ip rpf <IP>
IPV6 packetlife.net
Protocol Header Address Notation
8 16 24 32 · Eliminate leading zeros from all two-byte sets
Ver Traffic Class Flow Label · Replace up to one string of consecutive zeros
Payload Length Next Header Hop Limit with a double-colon (::)
Address Formats
Source Address
Global unicast
Global Prefix Subnet Interface ID

Destination Address 48 16 64
Link-local unicast
Version (4 bits) · Always set to 6 Interface ID
Traffic Class (8 bits) · A DSCP value for QoS
64 64
Flow Label (20 bits) · Identifies unique flows (optional)
Multicast
Payload Length (16 bits) · Length of the payload in bytes
Scope
Flags
Group ID
Next Header (8 bits) · Header or protocol which follows
8 4 4 112
Hop Limit (8 bits) · Similar to IPv4's time to live field
Source Address (128 bits) · Source IP address EUI-64 Formation
Destination Address (128 bits) · Destination IP address MAC
Address Types
EUI-64
Unicast · One-to-one communication
Multicast · One-to-many communication · Insert 0xfffe between the two halves of the MAC
Anycast · An address configured in multiple locations · Flip the seventh bit (universal/local flag) to 1
Multicast Scopes Extension Headers

1 Interface-local 5 Site-local Hop-by-hop Options (0)
Carries additional information which must be examined by every
2 Link-local 8 Org-local
router in the path
4 Admin-local E Global Routing (43)
Provides source routing functionality
Special-Use Ranges
Fragment (44)
::/0 Default route Included when a packet has been fragmented by its source
::/128 Unspecified Encapsulating Security Payload (50)
Provides payload encryption (IPsec)
::1/128 Loopback
Authentication Header (51)
::/96 IPv4-compatible* Provides packet authentication (IPsec)
::FFFF:0:0/96 IPv4-mapped Destination Options (60)
Carries additional information which pertains only to the recipient
2001::/32 Teredo
2001:DB8::/32 Documentation Transition Mechanisms
Dual Stack
2002::/16 6to4
Transporting IPv4 and IPv6 across an infrastructure simultaneously
FC00::/7 Unique local Tunneling
FE80::/10 Link-local unicast IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo),
or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
FEC0::/10 Site-local unicast*
Translation
FF00::/8 Multicast Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT
* Deprecated Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses

IS-IS · PART 1 packetlife.net
4 8 12 16 Type Link-State
IRPD Packet Length
Algorithm Dijkstra
Version/Protocol ID Extension ID Length
Metric Default (10)
R R R PDU Type Version
AD 115
Reserved Maximum Area Addresses
Standard ISO 10589
Type Length
Protocols IP, CLNS
Value ...
Transport Layer 2
NSAP Addressing Authentication Plaintext, MD5
Interdomain Part Domain-Specific Part Routing Levels

Level 0 Used to locate end systems
NSAP AFI IDI HODSP
System ID SEL Level 1 Routing within an area
Condensed Area
Level 2 Backbone between areas
Example 47 0005.80ff.f800.0000 0001 0000.0c00.1234 00
Level 3 Inter-AS routing
Interdomain Part (IDP) Terminology

Portion of the address used in routing between autonomous
Type-Length-Value (TLV)
systems; assigned by ISO
Variable-length modular datasets
Domain-Specific Part (DSP)
Link State PDU (LSP)
Portion of the address relevant only within the local AS
Carry TLVs encompassing link state
Authority and Format Identifier (AFI) information
Identifies the authority which dictates the format of the address Sequence Number Packet (SNP)
Used to request and advertise LSPs; can
Initial Domain Identifier (IDI)
be complete (CSNP) or partial (PSNP)
An organization belonging to the AFI
Hello Packet
High Order DSP (HODSP) Establishes and maintains neighbor
The area within the AS adjacencies
System ID Designated Intermediate System
Unique router identifier; 48 bits for Cisco devices (often taken from A pseudonode responsible for emulating
a MAC address) point-to-point links across a multi-access
NSAP Selector (SEL) segment
Identifies a network layer service; always 0x00 in a NET address
Adjacency Requirements
Network Types · Interface MTUs must match
Broadcast Point-to-Point · Levels must match
DIS Elected Yes No · Areas must match (if level 1)
Neighbor Discovery Yes Yes · System IDs must be unique
Hello/Dead Timers 10/30 10/30 · Authentication must succeed
Troubleshooting DIS Election
show ip route show isis spf-log · Highest-priority interface elected
show ip protocols debug isis spf-events · Highest SNPA (MAC/DLCI) breaks tie
show [clns|isis] neighbor debug isis adjacencies-packets · Highest system ID breaks SNPA tie
show [clns|isis] interface debug isis spf-statistics · Default interface priority is 64
show isis database debug isis update-packets · Current DIS may be preempted

IS-IS · PART 2 packetlife.net
TLV Types
Name Use Name Use Name Use
1 Area Addresses Hello, LSP 6 IS Neighbors Hello, L2 LSP 128 IP Internal Reach. LSP
2 IS Neighbors LSP 8 Padding Hello 129 Protocols Supported Hello, LSP
3 ES Neighbors L1 LSP 9 LSP Entries SNP 131 IDRPI SNP, L2 LSP
5 Prefix Neighbors L2 LSP 10 Authentication All 132 IP Interface Address Hello, LSP
Area 1 Router A2
192.168.1.0/24 interface FastEthernet0/0
description Area 1
ip address 192.168.1.2 255.255.255.0
A3 ip router isis
A2 isis circuit-type level-1
!
router isis
A1 net 49.0001.0000.0000.00a2.00
10
0
/3
.0
Router B2
.0
.0
Area 2 Area 3
0
.4/
.0.
192.168.2.0/24 192.168.3.0/24
10
30
description Area 2
ip address 192.168.2.2 255.255.255.0
ip router isis
B2 C2 isis circuit-type level-1
10.0.0.8/30 !
B1 C1 router isis
B3 net 49.0002.0000.0000.00b2.00
C3
Router A1 Router B1
interface FastEthernet0/0 interface FastEthernet0/0
description Area 1 description Area 2
ip router isis ip router isis
isis circuit-type level-1 isis circuit-type level-1
! !
interface Serial1/0 interface Serial1/0
no ip address no ip address
encapsulation frame-relay encapsulation frame-relay
! !
interface Serial1/0.1 point-to-point interface Serial1/0.1 point-to-point
description To Area 2 description To Area 1
isis circuit-type level-2-only isis circuit-type level-2-only
! MD5 authentication (keychain not shown) ! MD5 authentication (keychain not shown)
isis authentication mode md5 isis authentication mode md5
isis authentication key-chain <keychain> isis authentication key-chain <keychain>
frame-relay interface-dlci 101 frame-relay interface-dlci 101
! !
interface Serial1/0.2 point-to-point interface Serial1/0.2 point-to-point
description To Area 3 description To Area 3
isis circuit-type level-2-only isis circuit-type level-2-only
frame-relay interface-dlci 102 frame-relay interface-dlci 103
! !
router isis router isis
net 49.0001.0000.0000.00a1.00 net 49.0002.0000.0000.00b1.00

OSPF · PART 1 packetlife.net
8 16 24 32 Type Link-State
Version Type Length Algorithm Dijkstra
Router ID Metric Cost (Bandwidth)
Area ID AD 110
Checksum Instance ID Reserved Standard RFC 2328, 2740
Data Protocols IP
Transport IP/89
Link State Advertisements
Authentication Plaintext, MD5
Router Link (Type 1)
Lists neighboring routers and the cost to each; flooded within an area AllSPF Address 224.0.0.5
Network Link (Type 2) AllDR Address 224.0.0.6

Generated by a DR; lists all routers on an adjacent segment; flooded
Metric Formula
within an area
Network Summary (Type 3) 100,000 Kbps*
cost =
Generated by an ABR and advertised among areas link speed
ASBR Summary (Type 4)
* modifiable with
Injected by an ABR into the backbone to advertise the presence of an ospf auto-cost reference-bandwidth
ASBR within an area
External Link (Type 5) Adjacency States
Generated by an ASBR and flooded throughout the AS to advertise a
1 Down 5 Exstart
route external to OSPF
NSSA External Link (Type 7) 2 Attempt 6 Exchange
Generated by an ASBR in a not-so-stubby area; converted into a 3 Init 7 Loading
type 5 LSA by the ABR when leaving the area
4 2-Way 8 Full
Router Types Area Types
DR/BDR Election
Internal Router Standard Area
All interfaces reside within the Default OSPF area type · The DR serves as a common point for
same area all adjacencies on a multiaccess
Stub Area segment
Backbone Router External link (type 5) LSAs are
A router with an interface in replaced with a default route · The BDR also maintains adjacencies
area 0 (the backbone) with all routers in case the DR fails
Totally Stubby Area
Area Border Router (ABR) Type 3, 4, and 5 LSAs are · Election does not occur on point-to-
Connects two or more areas replaced with a default route point or multipoint links
AS Boundary Router (ASBR) Not So Stubby Area (NSSA)
· Default priority (0-255) is 1; highest
Connects to additional routing A stub area containing an ASBR;
priority wins; 0 cannot be elected
domains; typically located in type 5 LSAs are converted to type
the backbone 7 within the area · DR preemption will not occur unless
the current DR is reset
External Route Types
E1 · Cost to the advertising ASBR plus the external cost of the route Virtual Links
E2 (Default) · Cost of the route as seen by the ASBR · Tunnel formed to join two areas
across an intermediate
Troubleshooting
· Both end routers must share a
show ip [route | protocols] show ip ospf border-routers common area
show ip ospf interface show ip ospf virtual-links · At least one end must reside in area 0
show ip ospf neighbor debug ip ospf […] · Cannot traverse stub areas

OSPF · PART 2 packetlife.net
Network Types
Nonbroadcast Multipoint Multipoint
(NBMA) Broadcast Nonbroadcast Broadcast Point-to-Point
DR/BDR Elected Yes No No Yes No

Neighbor Discovery No Yes No Yes Yes
Hello/Dead Timers 30/120 30/120 30/120 10/40 10/40
Defined By RFC 2328 RFC 2328 Cisco Cisco Cisco
Supported Topology Full Mesh Any Any Full Mesh Point-to-Point
interface Serial0/0 Router A

WAN Area 0 Area 9 description WAN Link
172.16.0.0/18 Backbone Totally Stubby Area ip address 172.16.34.2 255.255.255.252
!
description Area 0
ip address 192.168.0.1 255.255.255.0
A !
interface Loopback0
! Used as router ID
ip address 10.0.34.1 255.255.255.0
C !
B
router ospf 100
! Advertising the WAN cloud to OSPF
redistribute static subnets
network 192.168.0.0 0.0.0.255 area 0
!
Area 1 Area 2 ! Static route to the WAN cloud
Stub Area Standard Area ip route 172.16.0.0 255.255.192.0 172.16.34.1
Router B Router C
interface Ethernet0/0 interface Ethernet0/0
ip ospf 100 area 0 ip ospf 100 area 9
! !
interface Ethernet0/1 interface Ethernet0/1
ip ospf 100 area 2 ip ospf 100 area 2
! Optional MD5 authentication configured ! Optional MD5 authentication configured
ip ospf authentication message-digest ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar ip ospf message-digest-key 1 md5 FooBar
! Give B priority in DR election ! Give C second priority (BDR) in election
ip ospf priority 100 ip ospf priority 50
! !
interface Ethernet0/2 !
description Area 1 !
ip address 192.168.1.1 255.255.255.0 !
ip ospf 100 area 1 !
! !
interface Loopback0 interface Loopback0
! !
router ospf 100 router ospf 100
! Define area 1 as a stub area ! Define area 9 as a totally stubby area
area 1 stub area 9 stub no-summary
! Virtual link from area 0 to area 9 ! Virtual link from area 9 to area 0
area 2 virtual-link 10.0.34.3 area 2 virtual-link 10.0.34.2

POINT-TO-POINT PROTOCOL packetlife.net
PPP Components PPP Summary
Link Control Protocol (LCP) Standard RFC 1661
Provides for the establishment, configuration, and maintenance of a
PPP link. Protocol-independent options are negotiated by LCP.
Asynchronous serial, synchronous
Interfaces
serial, ISDN, HSSI
Network Control Protocol (NCP)
A separate NCP is used to negotiate the configuration of each PPP Features
network layer protocol (such as IP) carried by PPP.
Protocol Multiplexing · Multiple NCPs
PPP Header Optional Authentication · PAP/CHAP
8 16 24 32
Optional Compression · Stacker/predictor
Address Control Protocol
Loopback Detection · Provided by LCP
LCP Header Load Balancing · Multilink PPP

8 16 24 32
Connection Phase Flowchart
Code Identifier Length
Auth Required
Dead Establish
Authentication Protocols
No Auth
Plaintext Authentication Protocol (PAP)
Original, obsolete authentication protocol which relies on the Terminate Authenticate
exchange of a plaintext key to authenticate peers (RFC 1334). Failure
Admin Success
Challenge Handshake Authentication Protocol (CHAP) Shutdown
Authenticates peers using the MD5 checksum of a pre-shared secret Network
key (RFC 1994).
Extensible Authentication Protocol (EAP) PPP Connection Example

Provides MD5-based authentication similar to CHAP (RFC 3748).
Could be expanded to support other EAP mechanisms as well.
General PPP Configuration LCP Configuration Request
LCP Configuration Ack

! Configure a peer account if authentication will be used
username peer-hostname password password CHAP Challenge
! Configure a local IP address pool if needed CHAP Response

ip pool name first-IP last-IP
CHAP Success
interface Serial0/0 IP Control Configuration Request
! Enable PPP encapsulation
encapsulation ppp IP Control Configuration Ack
! Enable CHAP and/or PAP for authentication
CDP Control Configuration Request
ppp authentication { chap | pap } [ chap | pap ]
! Enable compression CDP Control Configuration Ack
compress { predictor | stac }
! Enable peer IP address assignment (server side)
PPP Compression Algorithms
peer default ip address { pool name | IP-address }
! Enable IP address negotiation (client side) Stacker
ip address negotiated Replaces repetitive data with symbols from a
dynamic dictionary (more processor-intensive)
Multilink PPP Configuration Predictor
Attempts to predict sequential data (more
! Create the multilink interface
interface Multilink1
memory-intensive)
ip address IP-address subnet-mask
ppp multilink group group
Troubleshooting
show ppp multilink
! Assign physical interfaces to the multilink group
interface Serial0/0 debug ppp authentication
encapsulation ppp
ppp multilink group group
debug ppp { negotiation | packet }

RIP packetlife.net
RIP Implementations Attributes
RIPv1 Type Distance Vector
Original RIP implementation, limited to classful routing
Algorithm Bellman-Ford
(obsolete)
RIPv2 Admin Distance 120
Introduced support for classless routing, authentication, Metric Hop count (max 15)
triggered updates, and multicast announcements (RFC 2453)
Standard RFCs 2080, 2453
RIPng (RIP Next Generation)
Extends RIPv2 to support IPv6 routing (RFC 2080); functions Protocols IPv4, IPv6
very similarly to RIPv2 and is subsequently as limited Transport UDP
Protocols Comparison Authentication Plaintext, MD5
RIPv1 RIPv2 RIPng Multicast IP 224.0.0.9/FF02::9
IP IPv4 IPv4 IPv6
Terminology
Admin Distance 120 120 120
Split Horizon
UDP Port 520 520 521 A rule that states a router may not advertise a route
back to the neighbor from which it was learned
Classless No Yes Yes
Route Poisoning
Adv. Address Broadcast 224.0.0.9 FF02::9
When a network becomes unreachable, an
Authentication None Plain, MD5 None update with an infinite metric is generated to
explicitly advertise the route as unreachable
RIPv2 Configuration
Poison Reverse
A router advertises a network as unreachable
! Enable RIPv2 IPv4 routing
through the interface on which it was learned
router rip
version 2
Timer Defaults
! Disable RIPv2 automatic summarization Update 30 sec Flush 240 sec
no auto-summary
Invalid 180 sec Hold-down 180 sec
! Designate RIPv2 interfaces by network
network network RIPv2 Interface Configuration
! Identify unicast-only neighbors ! Configure manual route summarization

neighbor IP-address ip summary-address rip network mask
! Originate a default route ! Enable MD5 authentication (RIPv2 only)

default-information originate ip rip authentication mode md5
ip rip authentication key-chain key-chain
! Designate passive interfaces
passive-interface {interface | default} RIPng Interface Configuration
! Modify timers ! Enable RIPng on the interface
timers basic update invalid hold flush ipv6 rip name enable
RIPng Configuration ! Configure manual route summarization

ipv6 rip name summary-address prefix
! Enable IPv6 routing
ipv6 unicast-routing Troubleshooting
! Enable RIPng IPv6 routing show ip[v6] protocols
ipv6 router rip name
show ip[v6] rip database
! Toggle split-horizon and poison-reverse show ip[v6] route rip
[no] split-horizon
[no] poison-reverse debug ip rip { database | events }
! Modify timers debug ipv6 rip [interface]

timers basic update invalid hold flush

SPANNING TREE · PART 1 packetlife.net
Spanning Tree Protocols
Legacy STP PVST PVST+ RSTP RPVST+ MST
Algorithm Legacy ST Legacy ST Legacy ST Rapid ST Rapid ST Rapid ST

802.1w, 802.1s,
Defined By 802.1D-1998 Cisco Cisco Cisco
802.1D-2004 802.1Q-2003
Instances 1 Per VLAN Per VLAN 1 Per VLAN Configurable
Trunking N/A ISL 802.1Q, ISL N/A 802.1Q, ISL 802.1Q, ISL
Spanning Tree Instance Comparison

STP PVST+ MST
Root VLAN 1,10 Root VLAN 20,30 Root MSTI 0 Root MSTI 1 Root
A B A B A B
All VLANs VLAN 1 MSTI 0 (1, 10)

x xx xx VLAN 10 x x MSTI 1 (20, 30)
VLAN 20
C C VLAN 30 C
BPDU Format Spanning Tree Specifications Link Costs

Field Bits Bandwidth Cost
802.1s 802.1Q-2003 802.1Q-2005
Protocol ID 16 4 Mbps 250
Version 8 10 Mbps 100
BPDU Type 8 802.1D-1998 802.1D-2004 16 Mbps 62
Flags 8 45 Mbps 39
Root ID 64 802.1Q-1998 802.1w 100 Mbps 19
Root Path Cost 32 155 Mbps 14
ISL PVST PVST+ RPVST+
Bridge ID 64 622 Mbps 6
Port ID 16 IEEE 802.1D-1998 · Deprecated legacy STP standard 1 Gbps 4
Message Age 16 IEEE 802.1w · Introduced RSTP 10 Gbps 2
Max Age 16 20+ Gbps 1
IEEE
IEEE 802.1D-2004 · Replaced legacy STP with RSTP

Hello Time 16 IEEE 802.1s · Introduced MST Port States
Forward Delay 16 IEEE 802.1Q-2003 · Added MST to 802.1Q Legacy ST Rapid ST
Default Timers IEEE 802.1Q-2005 · Most recent 802.1Q revision Disabled
Hello 2s PVST · Per-VLAN implementation of legacy STP Blocking Discarding

Cisco
Forward Delay 15s PVST+ · Added 802.1Q trunking to PVST Listening
Max Age 20s RPVST+ · Per-VLAN implementation of RSTP Learning Learning

Forwarding Forwarding
Spanning Tree Operation
Determine root bridge Port Roles
1
The bridge advertising the lowest bridge ID becomes the root bridge Legacy ST Rapid ST
Select root port Root Root
2
Each bridge selects its primary port facing the root
Designated Designated
Select designated ports
3 Alternate
One designated port is selected per segment
Blocking
Block ports with loops Backup
4
All non-root and non-desginated ports are blocked

SPANNING TREE · PART 2 packetlife.net
PVST+ and RPVST+ Configuration Bridge ID Format
4 12 48
spanning-tree mode {pvst | rapid-pvst}
Pri Sys ID Ext MAC Address
! Bridge priority
spanning-tree vlan 1-4094 priority 32768 Priority
4-bit bridge priority (configurable from 0 to 61440 in
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
increments of 4096)
spanning-tree vlan 1-4094 forward-time 15 System ID Extension
spanning-tree vlan 1-4094 max-age 20 12-bit value taken from VLAN number (IEEE 802.1t)
MAC Address
! PVST+ Enhancements
spanning-tree backbonefast 48-bit unique identifier
spanning-tree uplinkfast
Path Selection
! Interface attributes 1 Bridge with lowest root ID becomes the root
spanning-tree [vlan 1-4094] port-priority 128 2 Prefer the neighbor with the lowest cost to root
spanning-tree [vlan 1-4094] cost 19
3 Prefer the neighbor with the lowest bridge ID
! Manual link type specification 4 Prefer the lowest sender port ID
spanning-tree link-type {point-to-point | shared}
Optional PVST+ Ehancements
! Enables PortFast if running PVST+, or
! designates an edge port under RPVST+ PortFast
spanning-tree portfast Enables immediate transition into the forwarding state
(designates edge ports under MST)
! Spanning tree protection
spanning-tree guard {loop | root | none} UplinkFast
Enables switches to maintain backup paths to root
! Per-interface toggling BackboneFast
spanning-tree bpduguard enable Enables immediate expiration of the Max Age timer in
spanning-tree bpdufilter enable the event of an indirect link failure
MST Configuration Spanning Tree Protection

Root Guard
spanning-tree mode mst
Prevents a port from becoming the root port
! MST Configuration BPDU Guard
spanning-tree mst configuration Error-disables a port if a BPDU is received
name MyTree
revision 1 Loop Guard
Prevents a blocked port from transitioning to listening
! Map VLANs to instances after the Max Age timer has expired
instance 1 vlan 20, 30 BPDU Filter
instance 2 vlan 40, 50 Blocks BPDUs on an interface (disables STP)
! Bridge priority (per instance) RSTP Link Types
spanning-tree mst 1 priority 32768
Point-to-Point
! Timers, in seconds Connects to exactly one other bridge (full duplex)
spanning-tree mst hello-time 2 Shared
spanning-tree mst forward-time 15
Potentially connects to multiple bridges (half duplex)
spanning-tree mst max-age 20
Edge
! Maximum hops for BPDUs Connects to a single host; designated by PortFast
spanning-tree mst max-hops 20
Troubleshooting
! Interface attributes
show spanning-tree [summary | detail | root]
spanning-tree mst 1 port-priority 128 show spanning-tree [interface | vlan]
spanning-tree mst 1 cost 19
show spanning-tree mst […]

SCAPY packetlife.net
Basic Commands Specifying Addresses and Values
ls()
# Explicit IP address (use quotation marks)
List all available protocols and protocol options
>>> IP(dst="192.0.2.1")
lsc()
List all available scapy command functions # DNS name to be resolved at time of transmission
conf >>> IP(dst="example.com")
Show/set scapy configuration parameters
# IP network (results in a packet template)
Constructing Packets >>> IP(dst="192.0.2.0/24")
# Setting protocol fields # Random addresses with RandIP() and RandMAC()
>>> ip=IP(src="10.0.0.1") >>> IP(dst=RandIP())
>>> ip.dst="10.0.0.2" >>> Ether(dst=RandMAC())
# Combining layers # Set a range of numbers to be used (template)
>>> l3=IP()/TCP() >>> IP(ttl=(1,30))
>>> l2=Ether()/l3
# Random numbers with RandInt() and RandLong()
# Splitting layers apart >>> IP(id=RandInt())
>>> l2.getlayer(1)
<IP frag=0 proto=tcp |<TCP |>>
Sending Packets
>>> l2.getlayer(2)
<TCP |> send(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer three
Displaying Packets sendp(pkt, inter=0, loop=0, count=1, iface=N)
Send one or more packets at layer two
# Show an entire packet
>>> (Ether()/IPv6()).show() sendpfast(pkt, pps=N, mbps=N, loop=0, iface=N)
Send packets much faster at layer two using tcpreplay
###[ Ethernet ]###
dst= ff:ff:ff:ff:ff:ff >>> send(IP(dst="192.0.2.1")/UDP(dport=53))
src= 00:00:00:00:00:00 .
type= 0x86dd Sent 1 packets.
###[ IPv6 ]### >>> sendp(Ether()/IP(dst="192.0.2.1")/UDP(dport=53))
version= 6 .
tc= 0 Sent 1 packets.
fl= 0
plen= None
Sending and Receiving Packets
nh= No Next Header
hlim= 64 sr(pkt, filter=N, iface=N), srp(…)
src= ::1 Send packets and receive replies
dst= ::1 sr1(pkt, inter=0, loop=0, count=1, iface=N), srp1(…)
Send packets and return only the first reply
# Show field types with default values
srloop(pkt, timeout=N, count=N), srploop(…)
>>> ls(UDP()) Send packets in a loop and print each reply
sport : ShortEnumField = 1025 (53)
dport : ShortEnumField = 53 (53) >>> srloop(IP(dst="packetlife.net")/ICMP(), count=3)
len : ShortField = None (None) RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
chksum : XShortField = None (None) RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
RECV 1: IP / ICMP 174.143.213.184 > 192.168.1.140
Fuzzing
Sniffing Packets
# Randomize fields where applicable
>>> fuzz(ICMP()).show() sniff(count=0, store=1, timeout=N)
Record packets off the wire; returns a list of packets when stopped
###[ ICMP ]###
type= <RandByte> # Capture up to 100 packets (or stop with ctrl-c)
code= 227 >>> pkts=sniff(count=100, iface="eth0")
chksum= None >>> pkts
unused= <RandInt> <Sniffed: TCP:92 UDP:7 ICMP:1 Other:0>

TCPDUMP packetlife.net
Command Line Options
-A Print frame payload in ASCII -q Quick output
-c <count> Exit after capturing count packets -r <file> Read packets from file
-D List available interfaces -s <len> Capture up to len bytes per packet
-e Print link-level headers -S Print absolute TCP sequence numbers
-F <file> Use file as the filter expression -t Don't print timestamps
-G <n> Rotate the dump file every n seconds -v[v[v]] Print more verbose output
-i <iface> Specifies the capture interface -w <file> Write captured packets to file
-K Don't verify TCP checksums -x Print frame payload in hex
-L List data link types for the interface -X Print frame payload in hex and ASCII
-n Don't convert addresses to names -y <type> Specify the data link type
-p Don't capture in promiscuous mode -Z <user> Drop privileges from root to user
Capture Filter Primitives

[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
gateway host <host> Matches packets which used host as a gateway
[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range
less <length> Matches packets less than or equal to length
greater <length> Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression
Protocols Modifiers Examples

arp ip6 slip ! or not udp dst port not 53 UDP not bound for port 53
ether link tcp && or and host 10.0.0.1 && host 10.0.0.2 Traffic between these hosts
fddi ppp tr || or or tcp dst port 80 or 8080 Packets to either TCP port
icmp radio udp ICMP Types
ip rarp wlan icmp-echoreply icmp-routeradvert icmp-tstampreply
TCP Flags icmp-unreach icmp-routersolicit icmp-ireq
tcp-urg tcp-rst icmp-sourcequench icmp-timxceed icmp-ireqreply
tcp-ack tcp-syn icmp-redirect icmp-paramprob icmp-maskreq
tcp-psh tcp-fin icmp-echo icmp-tstamp icmp-maskreply

WIRESHARK DISPLAY FILTERS · PART 1 packetlife.net
Ethernet ARP
eth.addr eth.len eth.src arp.dst.hw_mac arp.proto.size
eth.dst eth.lg eth.trailer arp.dst.proto_ipv4 arp.proto.type
eth.ig eth.multicast eth.type arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
IEEE 802.1Q
arp.opcode
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer TCP
tcp.ack tcp.options.qs
IPv4
tcp.checksum tcp.options.sack
ip.addr ip.fragment.overlap.conflict
tcp.checksum_bad tcp.options.sack_le
ip.checksum ip.fragment.toolongfragment
tcp.checksum_good tcp.options.sack_perm
ip.checksum_bad ip.fragments
tcp.continuation_to tcp.options.sack_re
ip.checksum_good ip.hdr_len
tcp.dstport tcp.options.time_stamp
ip.dsfield ip.host
tcp.flags tcp.options.wscale
ip.dsfield.ce ip.id
tcp.flags.ack tcp.options.wscale_val
ip.dsfield.dscp ip.len
tcp.flags.cwr tcp.pdu.last_frame
ip.dsfield.ect ip.proto
tcp.flags.ecn tcp.pdu.size
ip.dst ip.reassembled_in
tcp.flags.fin tcp.pdu.time
ip.dst_host ip.src
tcp.flags.push tcp.port
ip.flags ip.src_host
tcp.flags.reset tcp.reassembled_in
ip.flags.df ip.tos
tcp.flags.syn tcp.segment
ip.flags.mf ip.tos.cost
tcp.flags.urg tcp.segment.error
ip.flags.rb ip.tos.delay
tcp.hdr_len tcp.segment.multipletails
ip.frag_offset ip.tos.precedence
tcp.len tcp.segment.overlap
ip.fragment ip.tos.reliability
tcp.nxtseq tcp.segment.overlap.conflict
ip.fragment.error ip.tos.throughput
tcp.options tcp.segment.toolongfragment
ip.fragment.multipletails ip.ttl
tcp.options.cc tcp.segments
ip.fragment.overlap ip.version
tcp.options.ccecho tcp.seq
IPv6 tcp.options.ccnew tcp.srcport
ipv6.addr ipv6.hop_opt tcp.options.echo tcp.time_delta
ipv6.class ipv6.host tcp.options.echo_reply tcp.time_relative
ipv6.dst ipv6.mipv6_home_address tcp.options.md5 tcp.urgent_pointer
ipv6.dst_host ipv6.mipv6_length tcp.options.mss tcp.window_size
ipv6.dst_opt ipv6.mipv6_type tcp.options.mss_val
ipv6.flow ipv6.nxt
UDP
ipv6.fragment ipv6.opt.pad1
udp.checksum udp.dstport udp.srcport
ipv6.fragment.error ipv6.opt.padn
udp.checksum_bad udp.length
ipv6.fragment.more ipv6.plen
udp.checksum_good udp.port
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr Operators Logic
ipv6.fragment.overlap ipv6.routing_hdr.addr eq or == and or && Logical AND
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left ne or != or or || Logical OR
ipv6.fragment.toolongfragment ipv6.routing_hdr.type gt or > xor or ^^ Logical XOR
ipv6.fragments ipv6.src lt or < not or ! Logical NOT
ipv6.fragment.id ipv6.src_host ge or >= [n] […] Substring operator
ipv6.hlim ipv6.version le or <=

WIRESHARK DISPLAY FILTERS · PART 2 packetlife.net
Frame Relay ICMPv6
fr.becn fr.de icmpv6.all_comp icmpv6.option.name_type.fqdn
fr.chdlctype fr.dlci icmpv6.checksum icmpv6.option.name_x501
fr.control fr.dlcore_control icmpv6.checksum_bad icmpv6.option.rsa.key_hash
fr.control.f fr.ea icmpv6.code icmpv6.option.type
fr.control.ftype fr.fecn icmpv6.comp icmpv6.ra.cur_hop_limit
fr.control.n_r fr.lower_dlci icmpv6.haad.ha_addrs icmpv6.ra.reachable_time
fr.control.n_s fr.nlpid icmpv6.identifier icmpv6.ra.retrans_timer
fr.control.p fr.second_dlci icmpv6.option icmpv6.ra.router_lifetime
fr.control.s_ftype fr.snap.oui icmpv6.option.cga icmpv6.recursive_dns_serv
fr.control.u_modifier_cmd fr.snap.pid icmpv6.option.length icmpv6.type
fr.control.u_modifier_resp fr.snaptype icmpv6.option.name_type
fr.cr fr.third_dlci
RIP
fr.dc fr.upper_dlci
rip.auth.passwd rip.ip rip.route_tag
PPP rip.auth.type rip.metric rip.routing_domain
ppp.address ppp.direction rip.command rip.netmask rip.version
ppp.control ppp.protocol rip.family rip.next_hop
MPLS BGP
mpls.bottom mpls.oam.defect_location bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
mpls.cw.control mpls.oam.defect_type bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
mpls.cw.res mpls.oam.frequency bgp.as_path bgp.multi_exit_disc
mpls.exp mpls.oam.function_type bgp.cluster_identifier bgp.next_hop
mpls.label mpls.oam.ttsi bgp.cluster_list bgp.nlri_prefix
mpls.oam.bip16 mpls.ttl bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
ICMP
bgp.local_pref bgp.type
icmp.checksum icmp.ident icmp.seq
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw HTTP
DTP http.accept http.proxy_authorization

http.accept_encoding http.proxy_connect_host
dtp.neighbor dtp.tlv_type vtp.neighbor
http.accept_language http.proxy_connect_port
dtp.tlv_len dtp.version
http.authbasic http.referer
VTP http.authorization http.request
vtp.code vtp.vlan_info.802_10_index http.cache_control http.request.method
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id http.connection http.request.uri
vtp.followers vtp.vlan_info.len http.content_encoding http.request.version
vtp.md vtp.vlan_info.mtu_size http.content_length http.response
vtp.md5_digest vtp.vlan_info.status.vlan_susp http.content_type http.response.code
vtp.md_len vtp.vlan_info.tlv_len http.cookie http.server
vtp.seq_num vtp.vlan_info.tlv_type http.date http.set_cookie
vtp.start_value vtp.vlan_info.vlan_name http.host http.transfer_encoding
vtp.upd_id vtp.vlan_info.vlan_name_len http.last_modified http.user_agent
vtp.upd_ts vtp.vlan_info.vlan_type http.location http.www_authenticate
vtp.version http.notification http.x_forwarded_for
http.proxy_authenticate

COMMON PORTS packetlife.net
TCP/UDP Port Numbers
7 Echo 554 RTSP 2745 Bagle.H 6891-6901 Windows Live

19 Chargen 546-547 DHCPv6 2967 Symantec AV 6970 Quicktime
20-21 FTP 560 rmonitor 3050 Interbase DB 7212 GhostSurf
22 SSH/SCP 563 NNTP over SSL 3074 XBOX Live 7648-7649 CU-SeeMe
23 Telnet 587 SMTP 3124 HTTP Proxy 8000 Internet Radio
25 SMTP 591 FileMaker 3127 MyDoom 8080 HTTP Proxy
42 WINS Replication 593 Microsoft DCOM 3128 HTTP Proxy 8086-8087 Kaspersky AV
43 WHOIS 631 Internet Printing 3222 GLBP 8118 Privoxy
49 TACACS 636 LDAP over SSL 3260 iSCSI Target 8200 VMware Server
53 DNS 639 MSDP (PIM) 3306 MySQL 8500 Adobe ColdFusion
67-68 DHCP/BOOTP 646 LDP (MPLS) 3389 Terminal Server 8767 TeamSpeak
69 TFTP 691 MS Exchange 3689 iTunes 8866 Bagle.B
70 Gopher 860 iSCSI 3690 Subversion 9100 HP JetDirect
79 Finger 873 rsync 3724 World of Warcraft 9101-9103 Bacula
80 HTTP 902 VMware Server 3784-3785 Ventrilo 9119 MXit
88 Kerberos 989-990 FTP over SSL 4333 mSQL 9800 WebDAV
102 MS Exchange 993 IMAP4 over SSL 4444 Blaster 9898 Dabber
110 POP3 995 POP3 over SSL 4664 Google Desktop 9988 Rbot/Spybot
113 Ident 1025 Microsoft RPC 4672 eMule 9999 Urchin
119 NNTP (Usenet) 1026-1029 Windows Messenger 4899 Radmin 10000 Webmin
123 NTP 1080 SOCKS Proxy 5000 UPnP 10000 BackupExec
135 Microsoft RPC 1080 MyDoom 5001 Slingbox 10113-10116 NetIQ
137-139 NetBIOS 1194 OpenVPN 5001 iperf 11371 OpenPGP
143 IMAP4 1214 Kazaa 5004-5005 RTP 12035-12036 Second Life
161-162 SNMP 1241 Nessus 5050 Yahoo! Messenger 12345 NetBus
177 XDMCP 1311 Dell OpenManage 5060 SIP 13720-13721 NetBackup
179 BGP 1337 WASTE 5190 AIM/ICQ 14567 Battlefield
201 AppleTalk 1433-1434 Microsoft SQL 5222-5223 XMPP/Jabber 15118 Dipnet/Oddbob
264 BGMP 1512 WINS 5432 PostgreSQL 19226 AdminSecure
318 TSP 1589 Cisco VQP 5500 VNC Server 19638 Ensim
381-383 HP Openview 1701 L2TP 5554 Sasser 20000 Usermin
389 LDAP 1723 MS PPTP 5631-5632 pcAnywhere 24800 Synergy
411-412 Direct Connect 1725 Steam 5800 VNC over HTTP 25999 Xfire
443 HTTP over SSL 1741 CiscoWorks 2000 5900+ VNC Server 27015 Half-Life
445 Microsoft DS 1755 MS Media Server 6000-6001 X11 27374 Sub7
464 Kerberos 1812-1813 RADIUS 6112 Battle.net 28960 Call of Duty
465 SMTP over SSL 1863 MSN 6129 DameWare 31337 Back Orifice
497 Retrospect 1985 Cisco HSRP 6257 WinMX 33434+ traceroute
500 ISAKMP 2000 Cisco SCCP 6346-6347 Gnutella Legend
512 rexec 2002 Cisco ACS 6500 GameSpy Arcade Chat
513 rlogin 2049 NFS 6566 SANE Encrypted
514 syslog 2082-2083 cPanel 6588 AnalogX Gaming
515 LPD/LPR 2100 Oracle XDB 6665-6669 IRC
Malicious
520 RIP 2222 DirectAdmin 6679/6697 IRC over SSL
Peer to Peer
521 RIPng (IPv6) 2302 Halo 6699 Napster
Streaming
540 UUCP 2483-2484 Oracle DB 6881-6999 BitTorrent
IANA port assignments published at http://www.iana.org/assignments/port-numbers

IOS IPV4 ACCESS LISTS packetlife.net
Standard ACL Syntax Actions
! Legacy syntax permit Allow matched packets

access-list <number> {permit | deny} <source> [log] deny Deny matched packets
! Modern syntax remark Record a configuration comment
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log] evaluate Evaluate a reflexive ACL
Extended ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers Source/Destination Definitions

1-99 any Any address
IP standard
1300-1999
host <address> A single address
100-199
IP extended <network> <mask> Any address matched by the wildcard mask
2000-2699
200-299 Protocol IP Options
300-399 DECnet dscp <DSCP> Match the specified IP DSCP
400-499 XNS fragments Check non-initial fragments
500-599 Extended XNS option <option> Match the specified IP option
600-699 Appletalk precedence {0-7} Match the specified IP precedence
700-799 Ethernet MAC ttl <count> Match the specified IP time to live (TTL)
800-899 IPX standard
TCP/UDP Port Definitions
900-999 IPX extended
eq <port> Equal to neq <port> Not equal to
1000-1099 IPX SAP
lt <port> Less than gt <port> Greater than
1100-1199 MAC extended
range <port> <port> Matches a range of port numbers
1200-1299 IPX summary
Miscellaneous Options
TCP Options
reflect <name> Create a reflexive ACL entry
ack Match ACK flag
time-range <name> Enable rule only during the given time range
fin Match FIN flag
psh Match PSH flag Applying ACLs to Restrict Traffic
rst Match RST flag interface FastEthernet0/0

ip access-group {<number> | <name>} {in | out}
syn Match SYN flag
urg Match URG flag Troubleshooting
Match packets in an show access-lists [<number> | <name>]
established
established session
show ip access-lists [<number> | <name>]
Logging Options show ip access-lists interface <interface>
log Log ACL entry matches show ip access-lists dynamic
Log matches including
show ip interface [<interface>]
log-input ingress interface and
source MAC address show time-range [<name>]

IPV4 SUBNETTING packetlife.net
Subnets Decimal to Binary
CIDR Subnet Mask Addresses Wildcard Subnet Mask Wildcard
/32 255.255.255.255 1 0.0.0.0 255 1111 1111 0 0000 0000

/31 255.255.255.254 2 0.0.0.1 254 1111 1110 1 0000 0001
/30 255.255.255.252 4 0.0.0.3 252 1111 1100 3 0000 0011
/29 255.255.255.248 8 0.0.0.7 248 1111 1000 7 0000 0111
/28 255.255.255.240 16 0.0.0.15 240 1111 0000 15 0000 1111
/27 255.255.255.224 32 0.0.0.31 224 1110 0000 31 0001 1111
/26 255.255.255.192 64 0.0.0.63 192 1100 0000 63 0011 1111
/25 255.255.255.128 128 0.0.0.127 128 1000 0000 127 0111 1111
/24 255.255.255.0 256 0.0.0.255 0 0000 0000 255 1111 1111
/23 255.255.254.0 512 0.0.1.255 Subnet Proportion
/22 255.255.252.0 1,024 0.0.3.255
/21 255.255.248.0 2,048 0.0.7.255
/20 255.255.240.0 4,096 0.0.15.255
/27
/19 255.255.224.0 8,192 0.0.31.255 /26 /28
/29
/18 255.255.192.0 16,384 0.0.63.255
/30
/17 255.255.128.0 32,768 0.0.127.255
/30
/16 255.255.0.0 65,536 0.0.255.255
/15 255.254.0.0 131,072 0.1.255.255
/14 255.252.0.0 262,144 0.3.255.255
/25
/13 255.248.0.0 524,288 0.7.255.255
/12 255.240.0.0 1,048,576 0.15.255.255
/11 255.224.0.0 2,097,152 0.31.255.255
/10 255.192.0.0 4,194,304 0.63.255.255 Classful Ranges
/9 255.128.0.0 8,388,608 0.127.255.255 A 0.0.0.0 – 127.255.255.255
/8 255.0.0.0 16,777,216 0.255.255.255 B 128.0.0.0 - 191.255.255.255
/7 254.0.0.0 33,554,432 1.255.255.255 C 192.0.0.0 - 223.255.255.255
/6 252.0.0.0 67,108,864 3.255.255.255 D 224.0.0.0 - 239.255.255.255
/5 248.0.0.0 134,217,728 7.255.255.255 E 240.0.0.0 - 255.255.255.255
/4 240.0.0.0 268,435,456 15.255.255.255 Reserved Ranges

/3 224.0.0.0 536,870,912 31.255.255.255 RFC 1918 10.0.0.0 - 10.255.255.255
/2 192.0.0.0 1,073,741,824 63.255.255.255 Localhost 127.0.0.0 - 127.255.255.255
/1 128.0.0.0 2,147,483,648 127.255.255.255 RFC 1918 172.16.0.0 - 172.31.255.255
/0 0.0.0.0 4,294,967,296 255.255.255.255 RFC 1918 192.168.0.0 - 192.168.255.255
Terminology
CIDR VLSM
Classless interdomain routing was developed to Variable-length subnet masks are an arbitrary length
provide more granularity than legacy classful between 0 and 32 bits; CIDR relies on VLSMs to define
addressing; CIDR notation is expressed as /XX routes

MARKDOWN packetlife.net
Headers Blockquotes
# Text <h1>Text</h1> <blockquote>
> Lorem ipsum
<p>Lorem ipsum dolor sit amet</p>
## Text <h2>Text</h2> > dolor sit amet </blockquote>
### Text <h3>Text</h3> <blockquote>
> Lorem ipsum dolor
<p>Lorem ipsum dolor sit amet</p>
#### Text <h4>Text</h4> sit amet </blockquote>
##### Text <h5>Text</h5> <blockquote><p>Level one</p>
> Level one
> <blockquote><p>Level two</p>
###### Text <h6>Text</h6>
<blockquote><p>Level three</p>
> > Level two
</blockquote>
Lists > > </blockquote>
<ul>
> > > Level three </blockquote>
<li>Sizes</li>
* Sizes <li>Shapes</li> Inline Code
* Shapes <li>Colors
* Colors <ul> Use `<div>` tags Use <code><div></code> tags
* Blue <li>Blue</li>
`ècho ùname -a``` <code>echo ùname -a`</code>
* Green <li>Green</li>
</ul></li>
</ul>
Code Blocks
<ol> Normal text <p>Normal text</p>

<li>First</li> <pre><code>
1. First <li>Second</li> #include <stdio.h>
#include <stdio.h> </code></pre>
2. Second <li>Third
3. Third <ol>
<li>Alpha</li> Horizontal Rules
1. Alpha
2. Bravo <li>Bravo</li> * * * <hr /> - - - <hr />
</ol></li>
</ol> *** <hr /> --- <hr />
Emphasis Escapable Characters

*Emphasis* <em>Emphasis</em> \ Backslash ( ) Parantheses
_Emphasis_ <em>Emphasis</em> ` Backtick # Hash mark
**Strong** <strong>Strong</strong> * Asterisk + Plus sign
__Strong__ <strong>Strong</strong> _ Underscore - Hyphen
*Super*emphasis <em>Super</em>emphasis { } Curly braces . Period
**Super**strong <strong>Super</strong>strong [ ] Square brackets ! Exclamation
Links
[Google](http://google.com/) <a href="http://google.com/">Google</a>
[Google](http://google.com/ "Search") <a href="http://google.com/" title="Search">Google</a>
[google]: http://google.com/ "Search"

<a href="http://google.com/" title="Search">Google</a>
[Google][google]
<http://google.com> <a href="http://google.com/">http://google.com</a>
Images
![Alt text](/path/to/img.jpg) <img src="/path/to/img.jpg" alt="Alt text"/>
![Alt text](/path/to/img.jpg "Title") <img src="/path/to/img.jpg" alt="Alt text" title="Title"/>
[img1]: /path/to/img.jpg "Title"

<img src="/path/to/img.jpg" alt="Alt text" title="Title"/>
![Alt text][img1]
Markdown is available at http://daringfireball.net/projects/markdown/

MEDIAWIKI packetlife.net
Headers Code
=Text= <h1>Text</h1> <code>Text</code> <code>Text</code>
==Text== <h2>Text</h2> <code><pre>Text</pre></code> <code><pre>Text</pre></code>

===Text=== <h3>Text</h3>
Miscellaneous
====Text==== <h4>Text</h4>
<nowiki>Suppress [[wiki]] Suppress [[wiki]]
=====Text===== <h5>Text</h5> '''markup'''</nowiki> '''markup'''
======Text====== <h6>Text</h6>  
Lists Formatting
<ul> ''Text'' <i>Text</i>
<li>Sizes</li>
* Sizes <li>Shapes</li> '''Text''' <b>Text</b>
* Shapes <li>Colors '''''Text''''' <i><b>Text</b></i>
* Colors <ul>
** Blue <li>Blue</li> <ins>Text</ins> <ins>Text</ins>
** Green <li>Green</li>
</ul></li> <del>Text</del> <del>Text</del>
</ul> <tt>Text</tt> <tt>Text</tt>
<ol>
# First <li>First</li> Templates
# Second <li>Second</li>
Unnamed variables Books by {{{1}}}
# Third <li>Third</li>
</ol> Invoking the template {{Author|Palahniuk}}
<dl> Named variables Books by {{{name}}}

<dt>Term 1</dt>
<dd>Foo</dd> Invoking the template {{Author|name=Palahniuk}}
; Term 1 : Foo
<dt>Item 2</dt>
; Term 2 : Bar Categories
<dd>Bar</dd>
; Term 3 : Baz <dt>Item 3</dt> Assign object to a category [[Category:Humor]]
<dd>Baz</dd>
</dl> Link to a category [[:Category:Humor]]
Links
[[packet switching]] <a href="Packet_switching">packet switching</a>
[[packet switching|packet switched]] <a href="Packet_switching">packet switched</a>
IP [[network]]ing IP <a href="Network">networking</a>
IEEE [[802.3 (Ethernet)|]] IEEE <a href="802.3_(Ethernet)">802.3</a>
[http://google.com/] <a href="http://google.com/">http://google.com/</a>
[http://google.com/ Google] <a href="http://google.com/">Google</a>
Images
[[Image:photo.png]] <a href="Image:photo.png"><img src="photo.png" /></a>
[[Image:photo.png|Alt text]] <a href="Image:photo.png"><img src="photo.png" alt="Alt text" /></a>
[[Image:photo.png|30 px]] <a href="Image:photo.png"><img src="30px-photo.png" /></a>
[[:Image:photo.png|A photo]] <a href="Image:photo.png">A photo</a>
Tables
{| Starts a table ! Table header
|+ Table caption (optional; one per table) | Table cell
|- Begin a new row |} Table end

FRAME MODE MPLS packetlife.net
Protocol Header Conceptual Components
8 16 24 32 Control Plane
Label TC S TTL Facilitates label exchange between neighboring
LSRs using LDP or TDP (includes the LIB)
Forwarding/Data Plane
L2 IP Forwards packets based on label or destination
IP address (includes the FIB and LFIB)
Label stack
Label Protocols
Label (20 bits) · Unique label value LDP TDP
Traffic Class (3 bits) · CoS-mapped QoS marking Hello Address 224.0.0.2 255.255.255.255
Bottom of Stack (1 bit) · Indicates label is last in the stack Hello Port UDP/646 UDP/711
Time To Live (8 bits) · Hop counter mapped from IP TTL Adjacency Port TCP/646 TCP/711
Label Switched Path Proprietary No Cisco
Terminology
Provider Network
Label Distribution Protocol (LDP)
PE P PE Standards-based label distribution protocol
P
defined in RFC 3036
P Tag Distribution Protocol (TDP)

Cisco's proprietary predecessor to LDP
LSP
Label Switching Router (LSR)
Any router performing label switching (MPLS)
Customer Network Label-Switched Path (LSP)

The unidirectional path through one or more
LSRs taken by a label-switched packet
belonging to an FEC
CE C C CE
Forwarding Equivalence Class (FEC)
A group of packets which are forwarded in an
Customer (C) · IP-only routers internal to customer network identical manner, typically by destination prefix
Customer Edge (CE) · C routers which face PE routers and/or traffic class
Label Information Base (LIB)
Provider Edge (PE) · LSRs on the MPLS-IP boundary
Contains all labels learned by an LSR via a label
Provider (P) · MPLS-only LSRs in provider network distribution protocol
MPLS Configuration Forwarding Information Base (FIB)

Routing database for unlabeled (IP) packets
! Enable CEF Label FIB (LFIB)
ip cef Routing database for labeled (MPLS) packets
! Select label protocol Interim Packet Propagation
mpls label protocol ldp An LSR temporarily falls back to IP routing
while waiting to learn the necessary MPLS
! Enable MPLS on IP interfaces label(s)
ip address 10.0.0.1 255.255.255.252 Penultimate Hop Popping (PHP)
mpls ip The second-to-last LSR in an LSP removes the
! Raise MPLS MTU to accommodate multilabel stack MPLS label so the last LSR only has to perform
mpls mtu 1512 an IP lookup
Troubleshooting
show mpls interfaces show mpls ldp bindings [detail] (LIB) show ip cef [detail] (FIB)
show mpls ldp neighbors show mpls forwarding-table [detail] (LFIB) debug mpls […]

IOS ZONE-BASED FIREWALL packetlife.net
Terminology Inspection Class Configuration
Security Zone ! Match by protocol
A group of interfaces which share a common level of security class-map type inspect match-any ByProtocol
Zone Pair match protocol tcp
A unidirectional pairing of source and destination zones to which a match protocol udp
security policy is applied match protocol icmp
Inspection Policy ! Match by access list

An inspect-type policy map used to statefully filter traffic by ip access-list extended MyACL
matching one or more inspect-type class maps permit ip 10.0.0.0 255.255.0.0 any
!
Parameter Map class-map type inspect match-all ByAccessList
An optional configuration of protocol-specific parameters referenced match access-group name MyACL
by an inspection policy
Security Zones Parameter Map Configuration
parameter-map type inspect MyParameterMap

Trusted Internet
alert on
audit-trail off
dns-timeout 5
G0/0 G0/1 max-incomplete low 20000
MPLS WAN Internet
max-incomplete high 25000
icmp idle-time 3
tcp synwait-time 3
Guest Inspection Policy Actions

Drop Traffic is prevented from passing
Corporate Guest
Traffic is permitted to pass without
LAN G0/2.10 G0/2.20 Wireless LAN Pass
stateful inspection
Traffic is subjected to stateful
Inspect inspection; legitimate return traffic is
! Defining security zones permitted in the opposite direction
zone security Trusted
zone security Guest Inspection Policy Configuration
zone security Internet
policy-map type inspect MyInspectionPolicy
! Assigning interfaces to security zones ! Pass permitted stateless traffic
interface GigabitEthernet0/0 class VPN-Tunnel
zone-member security Trusted pass
! ! Inspect permitted stateful traffic
interface GigabitEthernet0/1 class Allowed-Traffic1
zone-member security Internet inspect
! ! Stateful inspection with a parameter map
interface GigabitEthernet0/2.10 class Allowed-Traffic2
zone-member security Trusted inspect MyParameterMap
! ! Drop and log unpermitted traffic
interface GigabitEthernet0/2.20 class class-default
zone-member security Guest drop log
Zone Pair Configuration Troubleshooting
! Service policies are applied to zone pairs show zone security

zone-pair security T2I source Trusted destination Internet show zone-pair security
service-policy type inspect Trusted2Internet
show policy-map type inspect
zone-pair security G2I source Guest destination Internet
service-policy type inspect Guest2Internet show class-map type inspect
show parameter-map type inspect
zone-pair security I2T source Internet destination Trusted
service-policy type inspect Internet2Trusted debug zone security events

NETWORK ADDRESS TRANSLATION packetlife.net
Example Topology Address Classification
An actual address assigned to
Inside Local
an inside host
An inside address seen from
Inside Global
the outside
An actual address assigned to
FastEthernet0 FastEthernet1 Outside Global
an outside host
10.0.0.1/16 174.143.212.1/22
NAT Inside NAT Outside An outside address seen from
Outside Local
the inside
NAT Boundary Configuration Perspective
interface FastEthernet0 Local Global
ip address 10.0.0.1 255.255.0.0
ip nat inside
Location
! Inside Inside Local Inside Global
interface FastEthernet1
ip address 174.143.212.1 255.255.252.0
ip nat outside Outside Outside Local Outside Global
Static Source Translation Terminology
! One line per static translation NAT Pool

ip nat inside source static 10.0.0.19 192.0.2.1 A pool of IP addresses to be used as inside
ip nat inside source static 10.0.1.47 192.0.2.2 global or outside local addresses in translations
ip nat outside source static 174.143.212.133 10.0.0.47 Port Address Translation (PAT)
ip nat outside source static 174.143.213.240 10.0.2.181
An extension to NAT that translates information
at layer four and above, such as TCP and UDP
Dynamic Source Translation port numbers; dynamic PAT configurations
include the overload keyword
! Create an access list to match inside local addresses
access-list 10 permit 10.0.0.0 0.0.255.255 Extendable Translation
! The extendable keyword must be appended
! Create NAT pool of inside global addresses when multiple overlapping static translations are
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24 configured
!
! Combine them with a translation rule Special NAT Pool Types
ip nat inside source list 10 pool MyPool Rotary Used for load balancing
!
! Dynamic translations can be combined with static entries Match- Preserves the host portion of
ip nat inside source static 10.0.0.42 192.0.2.42 Host the address after translation
Port Address Translation (PAT) Troubleshooting
! Static layer four port translations show ip nat translations [verbose]

ip nat inside source static tcp 10.0.0.3 8080 192.0.2.1 80
show ip nat statistics
ip nat inside source static udp 10.0.0.14 53 192.0.2.2 53
ip nat outside source static tcp 174.143.212.4 23 10.0.0.8 23 clear ip nat translations
!
! Dynamic port translation with a pool NAT Translations Tuning
ip nat inside source list 11 pool MyPool overload
! ip nat translation tcp-timeout <seconds>
! Dynamic translation with interface overloading ip nat translation udp-timeout <seconds>
ip nat inside source list 11 interface FastEthernet1 overload ip nat translation max-entries <number>
Inside Destination Translation
! Create a rotary NAT pool

ip nat pool LoadBalServers 10.0.99.200 10.0.99.203 prefix-length 24 type rotary
!
! Enable load balancing across inside hosts for incoming traffic
ip nat inside destination list 12 pool LoadBalServers

QUALITY OF SERVICE · PART 1 packetlife.net
Quality of Service Models IP Type of Service (TOS)
Best Effort · No QoS policies are implemented
Precedence
Integrated Services (IntServ)
Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-
flow across all nodes in a path Ver HL TOS Len
Differentiated Services (DiffServ)

Packets are individually classified and marked; policy decisions are made DSCP
independently by each node in a path
Layer 2 QoS Markings Precedence/DSCP

Binary DSCP Prec.
Medium Name Type
Ethernet Class of Service (CoS) 3-bit 802.1p field in 802.1Q header 56 111000 Reserved 7
Frame Relay Discard Eligibility (DE) 1-bit drop eligibility flag 48 110000 Reserved 6
ATM Cell Loss Priority (CLP) 1-bit drop eligibility flag 46 101110 EF 5
MPLS Traffic Class (TC) 3-bit field compatible with 802.1p 32 100000 CS4
34 100010 AF41
IP QoS Markings 4
36 100100 AF42
IP Precedence
The first three bits of the IP TOS field; limited to 8 traffic classes 38 100110 AF43
Differentiated Services Code Point (DSCP) 24 011000 CS3
The first six bits of the IP TOS are evaluated to provide more granular
26 011010 AF31
classification; backward-compatible with IP Precedence 3
28 011100 AF32
QoS Flowchart
30 011110 AF33
No 16 010000 CS2
Software Queue
18 010010 AF21
Scheduler
HW Yes 2
Queuing Hardware
Queue Software Queue 20 010100 AF22
Decision Queue
Full?
Software Queue 22 010110 AF23
8 001000 CS1
Terminology 10 001010 AF11

1
Per-Hop Behavior (PHB) 12 001100 AF12
The individual QoS action performed at each independent DiffServ node 14 001110 AF13
Trust Boundary · Beyond this, inbound QoS markings are not trusted 0 000000 BE 0
Tail Drop · Occurs when a packet is dropped because a queue is full
Congestion Avoidance
Policing
Imposes an artificial ceiling on the amount of bandwidth that may be Random Early Detection (RED)
consumed; traffic exceeding the policer rate is reclassified or dropped Packets are randomly dropped
before a queue is full to prevent tail
Shaping
drop; mitigates TCP
Similar to policing but buffers excess traffic for delayed transmission;
synchronization
makes more efficient use of bandwidth but introduces a delay
TCP Synchronization Weighted RED (WRED)
Flows adjust TCP window sizes in synch, making inefficient use of a link RED with the added capability of
recognizing prioritized traffic based
DSCP Per-Hop Behaviors on its marking
Class Selector (CS) · Backward-compatible with IP Precedence values Class-Based WRED (CBWRED)
Assured Forwarding (AF) · Four classes with variable drop preferences WRED employed inside a class-
based WFQ (CBWFQ) queue
Expedited Forwarding (EF) · Priority queuing for delay-sensitive traffic

QUALITY OF SERVICE · PART 2 packetlife.net
Queuing Comparison
FIFO PQ CQ WFQ CBWFQ LLQ
Default on Interfaces >2 Mbps No No <=2 Mbps No No

Number of Queues 1 4 Configured Dynamic Configured Configured
Configurable Classes No Yes Yes No Yes Yes
Bandwidth Allocation Automatic Automatic Configured Automatic Configured Configured
Provides for Minimal Delay No Yes No No No Yes
Modern Implementation Yes No No No Yes Yes
First In First Out (FIFO) Priority Queuing (PQ) LLQ Config Example
High Class Definitions
Tx ! Match packets by DSCP value

Ring Medium class-map match-all Voice
match dscp ef
Normal
Hardware
!
Hardware Queue Queue class-map match-all Call-Signaling
Low match dscp cs3
· Packets are transmitted in the !
order they are processed · Provides four static queues which class-map match-any Critical-Apps
cannot be reconfigured match dscp af21 af22
· No prioritization is provided
!
· Default queuing method on high- · Higher-priority queues are ! Match packets by access list
speed (>2 Mbps) interfaces always emptied before lower- class-map match-all Scavenger
priority queues match access-group name Other
· Configurable with the tx-ring-
limit interface config command · Lower-priority queues are at risk
policy-map Foo Policy Creation
of bandwidth starvation
Custom Queuing (CQ) class Voice
Weighted Fair Queuing (WFQ) ! Priority queue policed to 33%
Queue A 500 B/cycle priority percent 33
Flow 1 class Call-Signaling
Queue B 4500 B/cycle ! Allocate 5% of bandwidth
Flow 2 bandwidth percent 5
Hardware
Queue C 1500 B/cycle Queue ... class Critical-Apps
Hardware bandwidth percent 20
· Rotates through queues using Flow n Queue ! Extend queue size to 96 packets
Weighted Round Robin (WRR) queue-limit 96
· Queues are dynamically created class Scavenger
· Processes a configurable number ! Police to 64 kbps
per flow to ensure fair processing
of bytes from each queue per turn police cir 64000
· Statistically drops packets from
· Prevents queue starvation but conform-action transmit
aggressive flows more often exceed-action drop
does not provide for delay-
sensitive traffic · No support for delay-sensitive class class-default
traffic ! Enable WFQ
Class-Based WFQ (CBWFQ) fair-queue
Low Latency Queuing (LLQ) ! Enable WRED
random-detect
Queue A 512 Kbps Min
Priority 512 Kbps Max
interface Serial0 Policy Application
Queue B 1024 Kbps Min
Queue A 512 Kbps Min ! Apply the policy in or out
Hardware service-policy output Foo
Default Remainder Queue Queue B 1024 Kbps Min
· WFQ with administratively Hardware LLQ Config Example

Default Remainder Queue
configured queues show policy-map [interface]
· Each queue is allocated an · CBWFQ with the addition of a
Show interface
amount/percentage of bandwidth policed strict-priority queue
· No support for delay-sensitive · Highly configurable while still show queue <interface>
traffic supporting delay-sensitive traffic Show mls qos

VLANS packetlife.net
Trunk Encapsulation Trunk Types
26 6 6 2 4 802.1Q ISL
ISL Dest Source Header Size 4 bytes 26 bytes
ISL Type FCS
Header MAC MAC
Trailer Size N/A 4 bytes
Dest Source Standard IEEE Cisco
Untagged Type
MAC MAC
Maximum VLANs 4094 1000
Dest Source
802.1Q 802.1Q Type VLAN Numbers
MAC MAC
6 6 4 2 0 Reserved 1004 fdnet
VLAN Creation 1 default 1005 trnet
Switch(config)# vlan 100 1002 fddi-default 1006-4094 Extended

Switch(config-vlan)# name Engineering 1003 tr 4095 Reserved
Access Port Configuration Terminology

Switch(config-if)# switchport mode access Trunking
Switch(config-if)# switchport nonegotiate Carrying multiple VLANs over the same
Switch(config-if)# switchport access vlan 100 physical connection
Switch(config-if)# switchport voice vlan 150
Native VLAN
Trunk Port Configuration By default, frames in this VLAN are untagged
when sent across a trunk
Switch(config-if)# switchport mode trunk Access VLAN
Switch(config-if)# switchport trunk encapsulation dot1q The VLAN to which an access port is assigned
Switch(config-if)# switchport trunk allowed vlan 10,20-30
Switch(config-if)# switchport trunk native vlan 10 Voice VLAN
If configured, enables minimal trunking to
SVI Configuration support voice traffic in addition to data traffic
on an access port
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0 Dynamic Trunking Protocol (DTP)
Can be used to automatically establish trunks
VLAN Trunking Protocol (VTP) between capable ports (insecure)
Domain Switched Virtual Interface (SVI)

Common to all switches participating in VTP A virtual interface which provides a routed
gateway into and out of a VLAN
Server Mode
Generates and propagates VTP advertisements to clients; Switch Port Modes
default mode on unconfigured switches
trunk
Client Mode Forms an unconditional trunk
Receives and forwards advertisements from servers; VLANs
dynamic desirable
cannot be manually configured on switches in client mode
Attempts to negotiate a trunk with the far end
Transparent Mode dynamic auto
Forwards advertisements but does not participate in VTP; Forms a trunk only if requested by the far end
VLANs must be configured manually
access
Pruning Will never form a trunk
VLANs not having any access ports on an end switch are
removed from the trunk to reduce flooded traffic Troubleshooting
VTP Configuration show vlan

show interface [status | switchport]
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp domain <name> show interface trunk
Switch(config)# vtp password <passsword>
Switch(config)# vtp version {1 | 2} show vtp status
Switch(config)# vtp pruning show vtp password

VOIP BASICS packetlife.net
Pulse Code Modulation (PCM) Power Over Ethernet (PoE)
14 13.6 13.5 14 14 Cisco Inline Power (ILP)
12
12.3
12.4 12 12 Pre-standard; employs a 340 kHz tone
10 9.2 10 10 to detect devices; power needs
8 9.1 8 8 communicated via CDP
6 6.0 5.9 6 6
4
2.8 2.7
4 4 IEEE 802.3af
2 0.9 1.0
2 2 Detects power requirements of PoE
0 0 0
device by the line resistance present
Sampling Quantization Encoding
IEEE 802.3at
Sampling Uses LLDP to negotiate delivery of up
8000 discrete signal measurements are taken at equal intervals every second to 25 watts in .10 W intervals
Quantization
The level of each sample is rounded to the nearest expressible value IEEE 802.3af Classes
Encoding 0 15.4 W 3 15.4 W
Digital values are encoded as binary numbers for encapsulation
1 4W 4 Reserved
Compression (Optional)
The digital signal is compressed in real time to consume less bandwidth 2 7W
Voice Codecs IP Phone Boot Process

MOS Bandwidth Complexity Free
G.722 SB-ADPCM 4.13 48-64 kbps Medium Yes 3
G.711 PCM 4.1 64 kbps Low Yes

iLBC 4.1 15.2 kbps High Yes 2
5
G.729 CS-ACELP 3.92 8 kbps High No 1 4
G.726 ADPCM 3.85 32 kbps Medium Yes
G.729a CS-ACELP 3.7 8 kbps Medium No TFTP Server Call Server
G.728 LD-CELP 3.61 16 kbps High No 1. Power Over Ethernet (Optional)

Power is supplied via IEEE 802.3af/at or Cisco ILP
Signaling Protocols
2. VLANs Learned via CDP or LLDP
ITU-T H.323 Voice and data VLANs communicated via CDP/LLDP
Originally designed for multimedia transmission over ISDN; mature
and widely supported; peer-to-peer call control 3. IP Assignment via DHCP
The phone sends a DHCP request in the voice VLAN;
Session Initiation Protocol (SIP) the response includes an IP and DHCP option 150
Text-based, similar in nature to HTTP; defined in RFC 3261; peer-
to-peer call control 4. Configuration Retrieved via TFTP
The phone retrieves its configuration from one of the
Media Gateway Control Protocol (MGCP) TFTP servers specified in the DHCP option
Employs centralized call control; defined in RFC 3661
5. Registration
Skinny Client Control Protocol (SCCP) The phone registers with the call server(s) specified
Cisco-proprietary; limited support on gateways; centralized control in its configuration
Calculating Required Bandwidth Access Switch Port Configuration

G.711/Ethernet Example
Codec Payload
64 Kbps × 20 msec 160 B
(Bitrate × Sample Size) ! Configure data and voice access VLANs
L2 Overhead Ethernet (18) + 802.1Q (4) + 22 B switchport access vlan <VLAN>
switchport voice vlan <VLAN>
L3 Overhead IP (20) + 20 B
! Trust ingress QoS markings
L4 Overhead UDP (8) + RTP (12) + 20 B mls qos trust cos
Packets per Second 1000 msec / 20 msec × 50 pps
! Optionally pre-allocate power for the port
Total Bandwidth 88.8 Kbps power inline static [max <wattage>]

CISCO IOS VERSIONS packetlife.net
IOS Nomenclature Release Lifecycle
Mainline 12.4(7a) EOS Notice

Maintenance Release
EOS
Individual Release
Numbered Version
EOE
T Train 12.4(9)T1 EOL

0 12 24 36 48 60 72 84 96
Maintenance Release
Months
Individual Release
New Feature Identifier First Customer Shipment (FCS)
Numbered Version The release is made available to Cisco customers on CCO
EOS Notice
Notification of upcoming EOS
S Train 12.2(25)SEB4 End of Sale (EOS)
Release The release is no longer orderable or included in
Individual Release manufactured shipments
Numbered Version End of Engineering (EOE)
The last day for software fixes; only TAC assistance is offered
from this point
IOS XR 3.2.1 End of Life (EOL)
Major Release The last day for TAC support; release becomes obsolete;
Minor Release upgrade is only option for continued support
Maintenance Release
IOS Filename
IOS Package Trees c3725-entbase-mz.124-6.T.bin

Hardware
Advanced Enterprise Services
Feature Set
Memory Location
Advanced IP Services Enterprise Services Compression Format
Maintenance Release
Individual Release
Advanced Enterprise T Designator
SP Services
Security Base
Deployment Classifications
IP Voice
Early Deployment (ED)
Offers new feature, platform, or interface support
General Deployment (GD)
IP Base A major release considered qualified for deployment on
critical devices
Limited Deployment (LD)
Advanced Enterprise Services A major release prior to reaching its GD milestone
Deferred (DF)
Known defective images; should not be installed
Advanced IP Services Enterprise Services
IOS Version Verification
IP Services show version

dir <filesystem>:
IP Base verify <filesystem>:<image>

PHYSICAL TERMINATIONS packetlife.net
Optical Terminations Copper Terminations GBICs
RJ-45
ST (Straight Tip)
1000Base-SX/LX
RJ-11
SC (Subscriber Connector)
1000Base-T
RJ-21 (25-pair)
LC (Local Connector)
Cisco GigaStack
MT-RJ
Wireless Antennas DE-9 (Female)
1000Base-SX/LX SFP
RP-TNC 1000Base-T SFP
DB-25 (Male)
RP-SMA
DB-60 (Male)
X2 (10Gig)

Iosciscosheets 180525165539

Uploaded by

Copyright:

Available Formats

Iosciscosheets 180525165539

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iosciscosheets 180525165539

Uploaded by

Copyright:

Available Formats

packetlife.

7 Aggregator ID and AS of summarizing router External BGP (eBGP)

Path Selection Neighbor States

Influencing Path Selection

by Jeremy Stretch v2.1-r1

interface Serial1/0 Router A

interface FastEthernet0/0 Router B interface FastEthernet0/0 Router C

Router A Routing Table Router B Routing Table

172.16.0.0/30 is subnetted, 2 subnets 172.16.0.0/30 is subnetted, 2 subnets

by Jeremy Stretch v2.1-r1

! Configure hello and hold timers show ip eigrp topology

by Jeremy Stretch v2.1

HSRP VRRP GLBP

100 200 100 100 200 100 100 200 100

HSRP Configuration HSRP/GLBP Interface States

interface FastEthernet0/0 Speak · Gateway election in progress

Maximum Throughput 54 Mbps 11 Mbps 54 Mbps 300 Mbps

WLAN Types WLAN Components

Measuring RF Signal Strength

by Jeremy Stretch v2.2

Interframe Spacing Client Authentication

Wired Equivalent Privacy (WEP) Protected EAP (PEAP)

Wi-Fi Protected Access (WPA) EAP-FAST

IEEE 802.11i (WPA2) RF Signal Interference

Quality of Service Markings

Platinum 7/6 6/5 Refraction Diffraction

by Jeremy Stretch v2.2

802.1X Packet Types EAP Codes

Challenge Request Access Challenge 1 EAPOL-Start 2 Response

Configuration Reauthentication Off 3 Nak

by Jeremy Stretch v2.0

Internet Key Exchange (IKE) AES Symmetric 128/192/256 Strong

by Jeremy Stretch v2.0

01-00-5E-0E-39-06 232.0.0.0/8 Source-specific

Dense Mode IGMP

PIM Configuration show ip igmp

RP Configuration PIM Troubleshooting

Global Prefix Subnet Interface ID

Destination Address (128 bits) · Destination IP address MAC

Multicast Scopes Extension Headers

by Jeremy Stretch v2.0

NSAP Addressing Authentication Plaintext, MD5

Interdomain Part Domain-Specific Part Routing Levels

Interdomain Part (IDP) Terminology

by Jeremy Stretch v2.0

by Jeremy Stretch v2.0

Network Link (Type 2) AllDR Address 224.0.0.6

by Jeremy Stretch v2.1

DR/BDR Elected Yes No No Yes No

interface Serial0/0 Router A

by Jeremy Stretch v2.1

LCP Header Load Balancing · Multilink PPP

Extensible Authentication Protocol (EAP) PPP Connection Example

General PPP Configuration LCP Configuration Request

LCP Configuration Ack

! Configure a local IP address pool if needed CHAP Response

by Jeremy Stretch v1.2

! Identify unicast-only neighbors ! Configure manual route summarization

! Originate a default route ! Enable MD5 authentication (RIPv2 only)

Strong <strong>Strong</strong> * Asterisk + Plus sign

Strong <strong>Strong</strong> _ Underscore - Hyphen

Superemphasis <em>Super</em>emphasis { } Curly braces . Period

Superstrong <strong>Super</strong>strong [ ] Square brackets ! Exclamation