Tuesday, December 21, 2010

Passive interface on routing update

Routing updates are how a router tells its neighbours which networks it can reach. A passive interface stops that transmission on one interface: the router still receives and processes the updates that arrive on it, but sends none out of it. This is the normal setting for an interface facing a user LAN, where there is no router to talk to and where the periodic broadcast would otherwise hand the whole routing table to anyone on that segment. (Note that for EIGRP and OSPF passive-interface also suppresses hellos, so no neighbour relationship forms on that interface at all; RIP has no neighbour relationship, so the interface simply goes quiet.)


To apply passive interface use the command:

(config)#router rip
(config-router)#passive-interface <interface> // e.g. fastethernet0/0 on the hub router: no updates are sent out of it, updates received on it are still processed
(config-router)#passive-interface default // make every interface passive, then use no passive-interface <interface> only on the ones that face other routers

To cancel passive interface:
(config-router)#no passive-interface <interface>

It is still possible to send updates to one specific neighbour through an interface that is passive, which is what you want on a hub-and-spoke network where the broadcast would reach the wrong peers or not be delivered at all. Make the interface passive first, then name the neighbour; the hub then unicasts the update to that address only.
To do this type the commands:

(config)#router rip
(config-router)#passive-interface <interface>
(config-router)#neighbor <ip-address> // unicast RIP updates to this neighbour only

To verify, use #show ip protocols, which lists the passive interfaces and the configured neighbors for RIP; #show ip route on the neighbour shows whether the routes arrived, and #debug ip rip shows each update as it is sent or received per interface.

Setting Authentication for routing updates

Authenticating routing updates matters because a router installs whatever its neighbours advertise: a RIP process that does not authenticate will accept a forged update from any host on the segment and forward traffic wherever that update says. RIPv2 (RIPv1 has no authentication) supports two modes, clear text and MD5. In clear-text mode the password itself is carried in every update and can be read by anyone capturing packets on the link. In MD5 mode the password is never transmitted; instead each update carries a keyed MD5 hash computed over the packet contents plus the secret, so the receiver can check both that the sender knows the key and that the update was not modified on the way. It is not encryption, but it is the mode to use.

To set the password in routing updates, define a key chain first:
(config)#key chain <name> // the name is a local label for a set of keys
(config-keychain)#key <number> // key ID; for MD5 the ID is sent in the update and must exist on the peer
(config-keychain-key)#key-string <password> // the shared secret; must match on the peer

Then apply the key chain to an interface:
(config)#interface <type/number>
(config-if)#ip rip authentication mode {md5 | text} // same mode on both ends
(config-if)#ip rip authentication key-chain <name> // the <name> must be the key chain name configured above on this router; it is not the password, and the peer may use a different name for its own chain

Apply the same six commands on the peer at the other end of the link, with the same authentication mode (md5 or text), the same key number and the same key-string. If anything differs, each router discards the other's updates as invalid authentication, the learned routes age out of the table, and debug ip rip reports the rejected packets; use show key chain to compare what each side has configured. Two practical notes: key-strings appear in the running configuration, so treat the configuration as a secret, and a key chain can hold several keys with accept-lifetime and send-lifetime so that a key can be rotated without a break in routing.
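To make the difference between the two modes concrete, here is a worked example in Python (added for this write-up; it is not from the original notes and not Cisco code). It builds a RIPv2 response with a clear-text authentication entry and with an RFC 2082 keyed-MD5 entry and trailer, then verifies the MD5 one the way a receiving router would. The route, key ID, key-string and sequence number are made up; the byte layout follows RFC 2453 and RFC 2082 from memory, and the points it shows (the secret is readable in a clear-text update but absent from an MD5 one; a wrong key, a changed metric or a replayed sequence number fails verification) do not depend on the layout details.

```python
"""Clear-text versus keyed-MD5 authentication of RIPv2 updates.

Added example, not from the original notes. Layout follows RFC 2453 (simple
password) and RFC 2082 (keyed MD5) from memory; route, key and sequence
number are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_TEXT = 2        # RFC 2453 authentication type: simple password
AUTH_MD5 = 3         # RFC 2082 authentication type: keyed MD5
RIP_RESPONSE = 2
KEY_LEN = 16         # RIP pads (or truncates) the key-string to 16 bytes


def _key_bytes(key):
    return key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\0")


def route_entry(prefix, next_hop="0.0.0.0", metric=1):
    """One 20-byte RIPv2 entry: AFI=2 (IP), route tag, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_text_auth(routes, password):
    """Clear-text mode: the password itself sits in the first entry of the update."""
    auth = struct.pack("!HH16s", 0xFFFF, AUTH_TEXT, _key_bytes(password))
    return struct.pack("!BBH", RIP_RESPONSE, 2, 0) + auth + b"".join(routes)


def build_md5_auth(routes, key_id, key, seq):
    """MD5 mode: the first entry carries key ID, digest length and a sequence number;
    the trailer carries MD5(packet || key). The key feeds the hash but is never sent."""
    body_len = 4 + 20 + 20 * len(routes)          # header + auth entry + routes
    auth = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, body_len, key_id, KEY_LEN, seq, b"\0" * 8)
    body = struct.pack("!BBH", RIP_RESPONSE, 2, 0) + auth + b"".join(routes)
    trailer = struct.pack("!HH", 0xFFFF, 0x0001)
    digest = hashlib.md5(body + trailer + _key_bytes(key)).digest()
    return body + trailer + digest


def verify_md5_auth(packet, key_chain, last_seq=None):
    """Receiver side: find the key by ID, recompute the digest, compare in constant
    time, and reject a sequence number that does not advance (a replayed update)."""
    if len(packet) < 24:
        return False
    afi, atype, body_len, key_id, auth_len, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != 0xFFFF or atype != AUTH_MD5 or auth_len != KEY_LEN:
        return False
    if body_len + 4 + KEY_LEN != len(packet):
        return False
    key = key_chain.get(key_id)
    if key is None:                               # unknown key ID: drop the update
        return False
    expected = hashlib.md5(packet[:body_len + 4] + _key_bytes(key)).digest()
    if not hmac.compare_digest(expected, packet[body_len + 4:]):
        return False
    return last_seq is None or seq > last_seq


def key_on_the_wire(packet, key):
    """True when the secret can be read straight out of the captured update."""
    return _key_bytes(key).rstrip(b"\0") in packet
```

The key chain in the example is a plain dict of key ID to key-string, which is all the receiver needs; a router additionally checks the key's accept-lifetime before using it. Note that MD5 here gives integrity and origin authentication only: the routes themselves are still sent in the clear.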

-- 22 December 2010 --

Distance Vector routing, RIPv1, RIPv2, IGRP, EIGRP

A distance vector routing protocol describes every route by two things: a distance (the metric, for RIP the hop count to the destination) and a vector (the direction, i.e. the neighbouring router to hand the packet to next). Routers do not know the topology; each one periodically sends its whole routing table to its directly connected neighbours, and each neighbour uses the Bellman-Ford algorithm to update its own table:

1. the distance to a destination is the advertised distance plus the cost of the link the update arrived on (one hop for RIP), and the smallest total wins;
2. the vector for that destination is the neighbour that advertised the winning distance, which the router installs as the next hop.

DV protocols suit small and stable networks. Their main drawback is slow convergence: a change has to propagate table by table, and a failed route can bounce between routers while the metric counts up towards the maximum. A plain hop count also cannot tell a fast link from a slow one, so a directly connected E1 and a directly connected 56 kbps line count the same. RIP and IGRP also send the complete routing table periodically (every 30 and 90 seconds respectively) whether anything changed or not, which costs bandwidth on every link. The advantages are low overhead and low CPU and memory use, since no router has to compute the topology.

To shorten convergence and to break routing loops, RIP combines several mechanisms. The hop count is limited to 15; a route with metric 16 is unreachable ("infinity"), and a packet whose route has reached that metric is dropped, so a loop cannot count up forever. Route poisoning means that when a network goes down the router keeps advertising it, but with metric 16, so neighbours drop it at once instead of waiting for it to time out. Split horizon (never advertise a route back out of the interface it was learned on), poison reverse (advertise it back with metric 16 instead), holddown timers and triggered updates complete the set.
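The effect of route poisoning and split horizon is easiest to see by running the Bellman-Ford exchange. The Python below is an added example (not from the original notes): three routers in a line A - B - C, with C connected to a network, exchange tables in synchronous rounds with RIP's infinity of 16; then C's network fails and C poisons the route. With poison reverse the neighbours converge in two rounds; with plain updates sent back to the router they came from, B and A keep re-learning the dead route from each other and count up to 16 one round at a time. Router and network names are made up.

```python
"""Distance vector exchange with route poisoning, with and without poison reverse.

Added example, not from the original notes. Three routers in a line, one
connected network, synchronous update rounds; names are constructed.
"""
INFINITY = 16   # RIP: metric 16 means unreachable


class Router:
    def __init__(self, name, poison_reverse):
        self.name = name
        self.poison_reverse = poison_reverse
        self.neighbours = []
        self.table = {}   # network -> (metric, next-hop name); next hop None = connected

    def connect(self, network):
        self.table[network] = (0, None)

    def link(self, other):
        self.neighbours.append(other)
        other.neighbours.append(self)

    def advertise(self, to):
        """The update sent to neighbour `to`: every known network with its metric,
        except that with poison reverse a route learned from `to` goes back as 16."""
        update = {}
        for network, (metric, next_hop) in self.table.items():
            if next_hop == to.name and self.poison_reverse:
                update[network] = INFINITY
            else:
                update[network] = metric
        return update

    def receive(self, sender, update):
        """Bellman-Ford: the cost via `sender` is its metric plus one hop. A better
        metric replaces the current route; an update from the current next hop is
        always believed, even when worse (that is how a poisoned route is removed)."""
        changed = False
        for network, metric in update.items():
            new = min(metric + 1, INFINITY)
            current = self.table.get(network)
            if current is None:
                if new < INFINITY:
                    self.table[network] = (new, sender.name)
                    changed = True
            elif current[1] == sender.name:
                if new != current[0]:
                    self.table[network] = (new, sender.name)
                    changed = True
            elif new < current[0]:
                self.table[network] = (new, sender.name)
                changed = True
        return changed


def run_rounds(routers):
    """Synchronous update rounds until nothing changes; returns the number of rounds
    in which at least one table changed (the convergence time in update intervals)."""
    rounds = 0
    while True:
        updates = [(r, n, r.advertise(n)) for r in routers for n in r.neighbours]
        changed = False
        for sender, receiver, update in updates:
            changed |= receiver.receive(sender, update)
        if not changed:
            return rounds
        rounds += 1


def simulate(poison_reverse, network="10.10.10.0/24"):
    """A - B - C with `network` attached to C; converge, fail the network, reconverge."""
    a, b, c = (Router(name, poison_reverse) for name in "ABC")
    a.link(b)
    b.link(c)
    c.connect(network)
    run_rounds([a, b, c])
    before = {r.name: r.table[network] for r in (a, b, c)}
    c.table[network] = (INFINITY, None)   # link failed: C poisons the route rather than deleting it
    rounds = run_rounds([a, b, c])
    after = {r.name: r.table[network][0] for r in (a, b, c)}
    return before, rounds, after
```

Run simulate(True) and simulate(False) and compare the round counts: the poisoned route alone is not enough, because without split horizon B re-offers the dead route to C in the very round C withdraws it. Real RIP has 30-second update intervals, so each extra round here is half a minute of blackholed traffic.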

Protocols that use distance vector routing are RIPv1, RIPv2, IGRP and EIGRP (EIGRP is usually called an advanced distance vector protocol: routes are still learned from neighbours as distance plus vector, but DUAL replaces the periodic full-table updates).

The characteristics of RIPv1 are:

- the full table is broadcast every 30 seconds to 255.255.255.255 whether the topology changed or not
- classful: no subnet mask in the update, so VLSM is not supported
- equal-cost load sharing is on by default
- max hop count = 15 (16 is infinity)
- no authentication at all, neither clear text nor MD5
- at most 25 routes per update packet; more routes mean more packets

The characteristics of RIPv2 are:

- the full table is multicast every 30 seconds to 224.0.0.9 whether the topology changed or not
- classless: the mask travels with each route, so VLSM is supported
- equal-cost load sharing is on by default
- max hop count = 15 (16 is infinity)
- supports clear-text and MD5 authentication; use MD5, which sends a keyed hash instead of the password
- at most 25 routes per update packet (24 when an authentication entry takes the first slot)

The characteristics of IGRP are:

- the full table is broadcast every 90 seconds to 255.255.255.255 whether the topology changed or not
- classful, so VLSM is not supported
- Cisco proprietary (and long obsolete; it was removed from IOS in release 12.3)
- composite metric (bandwidth and delay by default); equal-cost load sharing is on by default and the variance command allows unequal-cost load sharing

The characteristics of EIGRP are:

- updates are multicast to 224.0.0.10; the full table is sent once when an adjacency forms, after that only changes (partial, bounded updates) are sent
- classless, supports VLSM, and supports MD5 authentication of its packets
- uses the DUAL algorithm with a topology table, so a feasible successor can replace a failed route without a new computation
- equal-cost load sharing is on by default and the variance command allows unequal-cost load sharing


-- 22 December 2010 --

Administrative Distance Values

Administrative distance is the value a router uses to choose between routes to the same prefix learned from different sources; it ranks how trustworthy each source is, and the route with the lowest AD is installed. (If the prefix lengths differ there is no choice to make: the more specific route is used. AD only decides between routes to exactly the same prefix.) The defaults on Cisco routers are:

Route source                    Administrative distance
Directly connected route        0
Static route                    1
EIGRP summary route             5
External BGP                    20
Internal EIGRP                  90
IGRP                            100
OSPF                            110
IS-IS                           115
RIP                             120
EGP                             140
ODR                             160
External EIGRP                  170
Internal BGP                    200
DHCP-learned default route      254
Unknown                         255

A route with AD 255 is never installed, which is also how a route source is deliberately excluded. The defaults can be changed with the distance command inside a routing process, and a static route can be given any AD explicitly, which is how a floating static route is made.

-- 22 December 2010 --

Monday, December 6, 2010

DHCP Process

Dynamic Host Configuration Protocol (DHCP) assigns an IP address and the related settings (mask, default gateway, DNS servers, lease time) to a client that asks for them.

There are 4 stages (DORA) in assigning an IP address with DHCP:

1. Client to server --> DHCPDISCOVER. The client has no address yet, so it broadcasts (from 0.0.0.0 to 255.255.255.255, UDP port 68 to 67) asking whether any DHCP server is present.

2. Server to client --> DHCPOFFER. Each server that hears the discover chooses a free address from its pool and offers it together with the other parameters (gateway, lease time, etc.). A Cisco IOS server first checks that nobody is using the address by sending 2 ICMP echo requests with a 500 ms timeout (changed with (config)#ip dhcp ping packets <count> and (config)#ip dhcp ping timeout <milliseconds>). No reply means the address is free; a reply means something already uses it (a statically addressed host, or a lease from another server), so the address is marked as a conflict and the next one in the pool is tested before being offered. If several servers answer, the client normally takes the first offer it receives.

3. Client to server --> DHCPREQUEST. The client accepts one offer by broadcasting a request that names the offered address and the chosen server; the broadcast lets the other servers see that their offers were declined and return those addresses to their pools.

4. Server to client --> DHCPACK (or DHCPNAK). The chosen server confirms the lease with a DHCPACK carrying the final parameters. If it can no longer grant that address it answers DHCPNAK and the client starts over.

To configure DHCP service on a router type the command:
(config)#service dhcp

This is on by default; it enables both the DHCP server and the DHCP relay (ip helper-address) functions of the router. A router is often used as the DHCP server for a branch, or as a second server alongside a central one.

To disable both the server and the relay function:
(config)#no service dhcp

There are three DHCP address assignment methods:

1. Dynamic --> the default: the client is assigned an address from the pool for a limited time (the lease) and must renew it.
2. Manual --> a static mapping (binding) from a client's MAC address or client identifier to a fixed IP address, configured by the administrator.
3. Automatic --> the server picks an address from the pool for a MAC address and binds it permanently (an infinite lease).

The bindings are kept in two ways:

1. Manual bindings are part of the configuration (stored in NVRAM), so they survive a reload.
2. Automatic bindings are kept in memory; to survive a reload they are written to a DHCP database agent, a remote device such as a TFTP or FTP server.

To create a manual binding, each host gets its own pool:
(config)#ip dhcp pool <name>
(dhcp-config)#host <address> [<mask>] // the fixed address for this client
(dhcp-config)#hardware-address xxxx.xxxx.xxxx // the client's MAC address (or client-identifier for clients that send one)
(dhcp-config)#client-name <name>

To set the DHCP database agent that stores the automatic bindings:
(config)#ip dhcp database <url> // e.g. tftp://10.0.0.5/router-bindings

To create a pool for dynamic assignment:
(config)#ip dhcp pool <name>
(dhcp-config)#network <address> <mask>
(dhcp-config)#default-router <address>

Addresses inside that network that must never be handed out (the router's own address, servers, printers) are excluded globally:
(config)#ip dhcp excluded-address <low-address> [<high-address>] // a single address needs no high address

To set the lease time of the assigned addresses:
(dhcp-config)#lease {<days> [<hours> [<minutes>]] | infinite} // the default is one day

The IP helper address solves a different problem. A host broadcasts its DHCPDISCOVER, but a router does not forward broadcasts, so a DHCP server on another subnet never hears it. With ip helper-address on the interface that receives the broadcast, the router acts as a DHCP relay agent: it rewrites the broadcast into a unicast to the server, puts its own interface address in the giaddr field so the server knows which subnet to allocate from, and forwards the server's reply back to the client. By default the helper forwards a handful of UDP broadcast types (DHCP/BOOTP 67 and 68, TFTP 69, DNS 53, TACACS 49, NetBIOS 137 and 138, time 37); ip forward-protocol udp adjusts the list.

To configure it on the router interface that receives the hosts' broadcasts:
(config-if)#ip helper-address <server-address>

For larger networks the relay agent can also insert its own information (option 82, the relay agent information option: which switch and port the request came in on), which the server can use when deciding on the allocation and which lets you tie a lease to a physical port:
(config)#ip dhcp relay information option

Nothing in DHCP itself authenticates the server, so a rogue server on a user segment can hand out its own gateway and DNS addresses; on switched networks this is dealt with by DHCP snooping, which lets server replies in only on trusted ports.
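The four messages, the relay agent and option 82 are easier to follow with the bytes in front of you. The following Python is an added example (not from the original notes and not IOS code): it builds and parses DHCP messages, relays a DISCOVER the way ip helper-address does (giaddr filled in, hop count incremented, option 82 appended), has the server skip an address that is already in use, as the ping check would, and shows the server answering a REQUEST only when it is the server the client chose. Addresses, MAC address, pool and port name are constructed for the example.

```python
"""DHCP discover/offer/request/ack with a relay agent inserting option 82.

Added example, not from the original notes. Addresses, MAC, pool and port
name are constructed; the `in_use` set stands in for the ping probe an IOS
server does before offering an address.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_MASK, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE, OPT_TYPE, OPT_SERVER, OPT_RELAY = 1, 3, 50, 51, 53, 54, 82
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte BOOTP header


def _ip(text):
    return ipaddress.ip_address(text).packed


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Serialise one DHCP message; `options` is a list of (code, bytes)."""
    head = struct.pack(FIXED, op, 1, 6, hops, xid, 0, 0x8000, _ip("0.0.0.0"), _ip(yiaddr),
                       _ip("0.0.0.0"), _ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return head + MAGIC + body + b"\xff"


def parse(packet):
    """Return the fields a relay or server cares about plus the options as a dict."""
    f = struct.unpack(FIXED, packet[:236])
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])), "chaddr": f[11][:f[2]], "options": opts}


def client_discover(xid, mac):
    return build(BOOTREQUEST, xid, mac, [(OPT_TYPE, bytes([DISCOVER]))])


def relay(packet, relay_ip, circuit_id):
    """ip helper-address behaviour: giaddr tells the server which subnet to allocate
    from, hops goes up by one, and option 82 sub-option 1 records the ingress port."""
    m = parse(packet)
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else relay_ip   # the first relay wins
    opts = [(c, v) for c, v in m["options"].items() if c != OPT_RELAY]
    opts.append((OPT_RELAY, struct.pack("!BB", 1, len(circuit_id)) + circuit_id))
    return build(m["op"], m["xid"], m["chaddr"], opts, m["yiaddr"], giaddr, m["hops"] + 1)


def server_offer(packet, pool, in_use, server_ip):
    """Offer the first pool address that is not already answering (the ping check)."""
    m = parse(packet)
    if m["options"].get(OPT_TYPE) != bytes([DISCOVER]):
        return None
    free = [addr for addr in pool if addr not in in_use]
    if not free:
        return None
    opts = [(OPT_TYPE, bytes([OFFER])), (OPT_SERVER, _ip(server_ip)),
            (OPT_LEASE, struct.pack("!I", 86400)), (OPT_MASK, _ip("255.255.255.0")),
            (OPT_ROUTER, _ip(m["giaddr"]))]          # relay address doubles as gateway here
    if OPT_RELAY in m["options"]:                    # echo option 82 so the relay can match it
        opts.append((OPT_RELAY, m["options"][OPT_RELAY]))
    return build(BOOTREPLY, m["xid"], m["chaddr"], opts, free[0], m["giaddr"], m["hops"])


def client_request(offer):
    """Accept an offer: name the address and the server it came from."""
    o = parse(offer)
    return build(BOOTREQUEST, o["xid"], o["chaddr"],
                 [(OPT_TYPE, bytes([REQUEST])), (OPT_REQ_IP, _ip(o["yiaddr"])),
                  (OPT_SERVER, o["options"][OPT_SERVER])])


def server_ack(packet, server_ip):
    """Only the server named in option 54 answers; the others return their offer to the pool."""
    m = parse(packet)
    if m["options"].get(OPT_TYPE) != bytes([REQUEST]) or m["options"].get(OPT_SERVER) != _ip(server_ip):
        return None
    yiaddr = str(ipaddress.ip_address(m["options"][OPT_REQ_IP]))
    return build(BOOTREPLY, m["xid"], m["chaddr"],
                 [(OPT_TYPE, bytes([ACK])), (OPT_SERVER, _ip(server_ip))], yiaddr, m["giaddr"], m["hops"])
```

Feed client_discover() through relay() and server_offer(), then client_request() through server_ack(), and inspect each message with parse(). Nothing in the exchange proves that the server is the legitimate one, which is the reason for DHCP snooping on the access switches.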

-- 9 December 2010 --

ip route, ip default-network, ip default-gateway

There are three ways to give a router a default route: ip route, ip default-network and ip default-gateway.

ip route 0.0.0.0 0.0.0.0 is the usual way to set the gateway of last resort. In show ip route the default route appears as S*.

ip default-network marks an existing classful network as a candidate default. IP routing must be enabled, and the network must already be in the routing table (from a routing protocol or a static route). The router sets its gateway of last resort towards that network, and classful protocols such as RIP and IGRP advertise it to their neighbours, where it shows up as their default route.

To configure the default network on the router that knows the way out:
(config)#ip default-network <network>

On the other routers show ip route then lists the default as

R* 0.0.0.0/0 [120/1] ...

Note that on those routers the default is a RIP-learned route (R*), not a static one (S*).

ip default-gateway is used when IP routing is disabled (no ip routing, a Layer 2 switch, or a router in ROMMON). The device then behaves like a host and sends everything non-local to that gateway; the command has no effect while ip routing is on.

-- 6 Dec 2010 --

Static Route, Floating Static Route and Default Static Route

Static route is used when one wants to define the routing process manually.

The static route command is as below:

(config)#ip route <destination> <mask> {<next-hop-address> | <exit-interface>} [<distance>]

The last part says where to send the traffic: either the address of the next router or the local outgoing interface. The two forms behave differently. With a next-hop address the router resolves that address through the routing table (a recursive lookup). With an exit interface the route is treated as if the destination were directly attached: show ip route prints it as "is directly connected", and on a multi-access interface such as Ethernet the router has to ARP for every destination host, which only works if the far side does proxy ARP and which fills the ARP table. Both forms are still static routes with administrative distance 1 by default; the "directly connected" wording does not make the AD 0.

The example below shows the two forms for the same destination:

(config)#ip route 10.10.10.10 255.255.255.255 172.168.10.10 --> static route via next hop, AD=1
(config)#ip route 10.10.10.10 255.255.255.255 serial0 --> static route via exit interface, shown as directly connected, AD still 1

A floating static route backs up a route learned by a dynamic protocol: it takes over only when the dynamic route disappears, for example because RIP or OSPF on that interface goes down. It is configured like any static route but with an administrative distance higher than that of the dynamic protocol, so the dynamic route wins as long as it exists. With RIP (AD 120) the floating route must be given an AD higher than 120; a lower value has the opposite effect and the static route is used instead of the RIP route.

The floating static route can be done with the command:

(config)#ip route <destination> <mask> <next-hop-address> <distance> // e.g. 130 to back up RIP

The default static route is the gateway of last resort. If the routing table has no route matching a packet's destination, the packet is sent according to the default route; if no default route exists either, the packet is dropped.

The command for the default static route is:

(config)#ip route 0.0.0.0 0.0.0.0 {<next-hop-address> | <exit-interface>}

It appears as S* 0.0.0.0/0 in show ip route, with AD=1 in either form.

Sometimes after changing routes the table does not reflect the change immediately. A way to refresh it is to clear the routing table and let the router rebuild it from its sources:

RX#clear ip route *


Sunday, December 5, 2010

Routing Table Operation

Routers use the routing table to pick the outgoing interface and next hop for each incoming packet. Selection works in the following order:

1. The route with the longest prefix (the longest subnet mask, i.e. the most specific match) is used, whatever protocol it came from. If there is a RIP route for 172.10.10.0/28 and an OSPF route for 172.10.10.0/29, a packet to 172.10.10.5 follows the OSPF /29 route because it is more specific (6 usable hosts instead of 14); a packet to 172.10.10.12 matches only the /28 and follows the RIP route.

2. When several routes to exactly the same prefix come from different sources, the administrative distance (AD) decides which one is installed. The AD is not measured; it is a fixed ranking of how much the router trusts each route source. The lower AD wins.

For example, directly connected routes are trusted most and have AD=0, OSPF has AD=110 and RIP, a simpler protocol, has AD=120, so an OSPF route to a prefix is installed in preference to a RIP route to the same prefix.

3. When routes to the same prefix come from the same source, the protocol's metric decides. The metric is that protocol's cost of the path to the destination; metrics of different protocols are not comparable with each other, which is why the AD is compared first.

RIP uses hop count; the path through the fewest routers wins. OSPF uses cost, by default the reference bandwidth (100 Mbps) divided by the interface bandwidth, so a faster link has a lower cost and is preferred. IGRP and EIGRP use a composite metric built from bandwidth, delay, reliability and load (the MTU is carried but not used); by default only bandwidth and delay count. The lowest composite value is preferred.

4. When (1) to (3) are all equal, the routes are installed together and equal-cost load sharing spreads the traffic over them.

Only the installed routes appear in show ip route. The losing alternatives are not forgotten: the routing protocol keeps them in its own database or topology table, and when the installed route is withdrawn the next best candidate is installed.

To show the routing table type the command:
RX#show ip route

Each entry has the form A B [C/D] via E, F, G
where:
A = route source code (C connected, S static, R RIP, I IGRP, D EIGRP, O OSPF, etc.)
B = destination prefix
C = administrative distance
D = metric
E = next-hop address (the neighbour's interface address, not the final destination)
F = age of the route, i.e. the time since it was last refreshed by an update (a RIP route that stops being refreshed is eventually flushed)
G = local outgoing interface

for example:

R 172.10.0.0 [120/5] via 10.20.30.40, 0:02:34, serial0

means a route learned by RIP to the destination 172.10.0.0, with the administrative distance of RIP (120) and a metric of 5 hops; 10.20.30.40 is the address of the next-hop router, the route was last refreshed 2 minutes and 34 seconds ago, and packets leave through serial0.
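Here is the selection order above as a small Python model (an added example, not from the original notes): install() builds the table from candidate routes using administrative distance and then metric, lookup() does the longest-prefix match at forwarding time, and show_ip_route() renders entries in the format just described. The candidate routes, next-hop addresses and metrics are made up to reproduce the cases discussed, including the /28 versus /29 example, an AD tie-break, an equal-cost pair and a default route.

```python
"""Route selection: longest prefix, then administrative distance, then metric,
then equal-cost paths. Added example, not from the original notes; the
candidate routes are constructed to reproduce the cases the notes describe."""
import ipaddress
from collections import namedtuple

# show ip route codes -> default administrative distance
AD = {"C": 0, "S": 1, "B": 20, "D": 90, "O": 110, "i": 115, "R": 120}

Route = namedtuple("Route", "code prefix metric next_hop")


def candidate(code, prefix, metric, next_hop):
    return Route(code, ipaddress.ip_network(prefix), metric, next_hop)


def install(candidates):
    """Build the routing table. For each prefix keep the source with the lowest AD and,
    among routes from that source, the lowest metric; exact ties stay together as
    equal-cost paths. Comparing (AD, metric) tuples means metrics are only ever
    compared between routes of the same protocol."""
    rib = {}
    for r in candidates:
        rank = (AD[r.code], r.metric)
        current = rib.get(r.prefix)
        if current is None or rank < (AD[current[0].code], current[0].metric):
            rib[r.prefix] = [r]
        elif rank == (AD[current[0].code], current[0].metric):
            current.append(r)
    return rib


def lookup(rib, destination):
    """Forwarding decision: the most specific prefix wins regardless of protocol or AD.
    0.0.0.0/0, if installed, matches everything and so acts as gateway of last resort."""
    addr = ipaddress.ip_address(destination)
    matches = [p for p in rib if addr in p]
    if not matches:
        return []                       # no route and no default: the packet is dropped
    return rib[max(matches, key=lambda p: p.prefixlen)]


def show_ip_route(rib):
    """Render entries in the style 'R 172.10.0.0/16 [120/5] via 10.20.30.40'."""
    lines = []
    for prefix in sorted(rib, key=lambda p: (p.network_address, p.prefixlen)):
        for r in rib[prefix]:
            star = "*" if prefix.prefixlen == 0 else " "
            lines.append(f"{r.code}{star} {prefix} [{AD[r.code]}/{r.metric}] via {r.next_hop}")
    return lines


def example_table():
    """Constructed candidates covering the four selection rules."""
    return install([
        candidate("R", "172.10.10.0/28", 5, "10.20.30.40"),
        candidate("O", "172.10.10.0/29", 20, "10.20.30.41"),   # more specific: wins by prefix
        candidate("R", "10.0.0.0/8", 2, "10.20.30.40"),        # same prefix as OSPF: loses on AD
        candidate("O", "10.0.0.0/8", 30, "10.20.30.41"),
        candidate("R", "192.168.1.0/24", 3, "10.20.30.40"),    # equal-cost pair, both installed
        candidate("R", "192.168.1.0/24", 3, "10.20.30.42"),
        candidate("R", "192.168.1.0/24", 4, "10.20.30.43"),    # worse metric: not installed
        candidate("S", "0.0.0.0/0", 0, "10.20.30.1"),          # gateway of last resort
    ])
```

Call lookup(example_table(), "172.10.10.5") and "172.10.10.12" to see the /29 and /28 cases from the text, and print show_ip_route(example_table()) for the table as a router would list it (the RIP /8 and the metric-4 RIP route are absent, exactly as in a real show ip route).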

-- 6 December 2010 --

Classfull Routing Protocol vs Classless Routing Protocol

The difference between classful and classless routing protocols lies in VLSM. VLSM (Variable Length Subnet Masking) means using subnet masks of different lengths inside one major network instead of only the classful /8, /16 or /24; with VLSM subnets such as /22, /26, /27 or /28 can coexist in the same network.

Classful routing protocols DO NOT support VLSM, because their updates carry no subnet mask: the receiver assumes the classful mask (255.0.0.0 /8, 255.255.0.0 /16, 255.255.255.0 /24) or the mask of its own interface in that network. So every subnet of a major network must use the same mask. Classful protocols are RIPv1 and IGRP.

Classless routing protocols DO support VLSM: each route is sent with its mask, so routing can work on smaller, more specific groups, which saves address space and lets summary routes keep the tables small. Classless protocols are RIPv2, EIGRP and OSPF (and also IS-IS and BGP).

-- 6 December 2010 --

Thursday, December 2, 2010

Routing Protocol vs Routed Protocol

The terms routing protocol and routed protocol sound almost the same but mean different things.

A routing protocol defines how routers talk to each other. It sends and receives information about reachable networks, metrics and so on, so that each router learns where to send packets and where they come from; the information is refreshed when something changes so that the routers keep an up-to-date picture of the network. Examples of routing protocols are RIP, IGRP, EIGRP and OSPF.

A routed protocol defines the format of a packet and what it must contain to be routable. IP is a routed protocol: an IP packet carries source and destination addresses that a router can read and use to forward it. So a routed protocol is the traffic, and a routing protocol is what tells the routers where to send that traffic. Other examples of routed protocols are IPX, DECnet, AppleTalk, Banyan VINES and Xerox Network Systems (XNS).

-- 3 December 2010 --

Thursday, November 25, 2010

Wireless Networking

This topic will present basic information about wireless networking which are technology, configuration, scanning, authentication, and antenna type.

At the time of these notes wireless networking has 4 standards in use, summarised below:

                 802.11a     802.11b     802.11g     802.11n
max data rate    54 Mbps     11 Mbps     54 Mbps     600 Mbps (4 spatial streams, 40 MHz channels)
frequency        5 GHz       2.4 GHz     2.4 GHz     2.4 GHz and/or 5 GHz

There are 2 wireless network configurations, BSS and IBSS.
Basic Service Set (BSS) is the usual configuration: an access point (AP) serves the clients (PCs and so on) around it. Clients find the AP by its Service Set Identifier (SSID), a case-sensitive name of up to 32 characters. The AP can broadcast the SSID or hide it; hiding only removes it from beacons, it still appears in probe responses and association frames, so it is not a security control.
Independent Basic Service Set (IBSS), or ad hoc mode, is the second configuration: the clients talk to each other directly, peer to peer, without an AP.

Before a client can talk to an AP it has to find one, which is called scanning. There are 2 types of scanning, active and passive.
In active scanning the client takes the initiative: it sends Probe Request frames and waits for Probe Responses from the APs that hear it.
In passive scanning the client only listens, for the Beacon frames that every AP sends periodically.
If more than one network is found, the user (or the client's configuration) chooses which one to join.

Authentication follows once a network has been selected. 802.11 itself defines two methods: "Open", where anyone may associate, and "Shared Key", a challenge-response exchange using the WEP key. Neither provides real security on its own (shared-key authentication leaks keystream, and WEP is broken regardless). Access control in practice comes from WPA or WPA2 on top of open authentication: either a pre-shared key or 802.1X with an EAP method against an authentication server, with WPA2 (AES-CCMP) being the one to use.

The antennas used with APs come in several types. A point-to-point antenna has a very narrow beam and is used to link one AP to another AP over a distance. A directional antenna covers a limited sector and serves the clients in one specific area. An omnidirectional antenna radiates in every direction and serves all clients around the AP; for the same transmit power its reach is shorter than that of a directional or point-to-point antenna, because the energy is spread over all directions.

-- 26 November 2010 --

Wednesday, November 24, 2010

Power over Ethernet (POE)

Power over Ethernet (PoE) lets one device, typically a switch, supply power to another over the same UTP cable that carries the data, so that an IP phone or access point needs no separate power supply. By default a PoE switch port first detects whether the connected device needs power, and how much, and only then applies it. The IEEE standards are 802.3af (up to 15.4 W per port) and 802.3at, PoE+ (up to 30 W per port).

To configure automatic detection and powering of the attached device type the command:
(config-if)#power inline auto

To set the power budgeted for the attached device yourself instead of what it requests (in milliwatts):
(config-if)#power inline consumption <milliwatts>

To disable PoE on the port:
(config-if)#power inline never

-- 25 November 2010 --

CoS, ToS, DiffServ, RTP Header Compression

Class of Service (CoS) is the Layer 2 marking used for QoS. It is a 3-bit field in the Ethernet frame's VLAN tag that states the priority of the traffic: 7 (111) is the highest priority and 0 (000) the lowest. Both 802.1Q and ISL carry a CoS value, with a difference:
- ISL has a 4-bit User field, of which the low 3 bits carry the CoS.
- 802.1Q has a 3-bit priority field (PCP, defined in 802.1p) inside the tag that carries the CoS.
Because CoS lives in the tag, it exists only on trunk links; a frame on an untagged access link has no CoS, which is why the Layer 3 marking is needed end to end.

Type of Service (ToS) is the byte in the IPv4 header set aside for QoS. In its original RFC 791 layout it has 3 precedence bits, 3 request bits and 2 unused bits. The 3 precedence bits give the priority of the packet, and as with CoS 7 is highest and 0 lowest. The 3 request bits ask for low delay (100), high throughput (010) or high reliability (001), remembered as the D, T, R bits.

The modern reading of the same byte is DiffServ. The DS field consists of 6 Differentiated Services Code Point (DSCP) bits followed by 2 Explicit Congestion Notification (ECN) bits. The top 3 DSCP bits line up with the old precedence bits (the Class Selector), which keeps old and new equipment compatible; the remaining 3 bits refine the class, and for Assured Forwarding the upper 2 of them carry the drop precedence while the lowest bit is 0.

The Class Selector values are:

CS7 (111) - Network Control, the highest class, reserved for network control traffic.

CS6 (110) - Internetwork Control; in practice the class routing protocols (OSPF, EIGRP, BGP) mark their packets with, so that they get through even when a link is congested.

CS5 (101) - the class of Expedited Forwarding (EF, DSCP 46 = 101110), used for voice and other traffic that needs low delay, low loss and low jitter. EF is served from a strict priority queue ahead of all other classes, which is why it has to be policed: otherwise it can starve everything else.

CS1-CS4 (001-100) - the Assured Forwarding classes AF1x to AF4x, for traffic that gets a guaranteed share of bandwidth; class 4 ranks above 3, 3 above 2 and 2 above 1.

CS0 (000) - Best effort, the default for all traffic that has not been classified.

Within an Assured Forwarding class the drop precedence states how readily a packet is dropped when the class's queue fills: 1 is low, 2 medium, 3 high drop precedence. The code point is written AFxy, so AF21 means class 2 with low drop precedence, and its DSCP value is 8x + 2y = 18.

RTP header compression (cRTP) can also improve VoIP quality on slow links: it reduces the 40-byte IP/UDP/RTP header of each voice packet to 2-4 bytes, a large saving when the voice payload itself is only 20 bytes. It must be enabled on both ends of the link:
(config-if)#ip rtp header-compression

-- 25 November 2010 --

QOS, IntServ, DiffServ

Providing good Quality of Service (QoS) for IP phones matters because voice is delay sensitive. Three factors must be controlled:

1. Jitter, the variation in the interval between arriving packets. The word hel-lo can come out as h--ello if the jitter is bad; a jitter buffer at the receiver smooths it, at the price of extra delay.
2. Delay, the time from the moment one party speaks until the other hears it. Long delays (over roughly 150 ms one way) make a conversation uncomfortable.
3. Packet loss, the share of packets that never arrive. Voice tolerates a small amount of loss because the codec can conceal an occasional missing packet, but if packets are dropped too often the listener can no longer make out what the speaker is saying.

The default QoS for all traffic is best effort (BE): packets are forwarded in the order they arrive, with no distinction between them.

The Integrated Services model (IntServ) is one alternative. It uses the Resource Reservation Protocol (RSVP) to set up and reserve an end-to-end path with guaranteed bandwidth (Guaranteed Service) before the voice traffic starts. The disadvantage is the reservation itself: every router on the path keeps state per flow, and with many calls a lot of bandwidth is tied up whether or not it is being used.

To avoid idle reservations the more scalable Differentiated Services model (DiffServ) is used. DiffServ reserves nothing end to end; each hop makes its own decision (the per-hop behaviour) based on the packet's marking. It has two tasks: classification and marking (deciding which class a packet belongs to and tagging it with the corresponding CoS or DSCP value, done once at the edge) and queuing and scheduling at each hop according to that mark.

To enable QoS on a Catalyst switch (a global command; without it all markings pass through untouched):
(config)#mls qos

To trust the QoS markings that arrive on an interface add the command:
(config-if)#mls qos trust {cos | dscp | ip-precedence}
(config-if)#mls qos trust device cisco-phone

Trusting CoS, DSCP or IP precedence means the switch keeps the value found in the incoming frame or packet. Trust device cisco-phone makes that trust conditional: the port is trusted only while CDP detects a Cisco IP phone on it, and if anything else is plugged in the port falls back to untrusted, so the markings are overwritten with the port's default (CoS 0 unless configured otherwise). That conditional trust is the trust boundary. A port facing a user host should never be trusted unconditionally, because any host can mark its own packets EF and take priority over the real voice traffic.
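A worked example in Python (added here; not from the original notes) that ties the ToS/DSCP bit layout from the CoS, ToS, DiffServ section to the trust boundary just described: it decodes the ToS byte in both the precedence/DTR and the DSCP/ECN reading, names the code points (EF, CSx, AFxy), reproduces the Catalyst default CoS-to-DSCP mapping, and applies what an untrusted port does to a host's marking. The packet values are constructed.

```python
"""ToS/DSCP decoding and the trust boundary. Added example, not from the
original notes; all byte values are constructed for the demonstration."""


def tos_fields(tos):
    """RFC 791 reading: 3 precedence bits, then the D, T, R request bits, 2 unused."""
    return {"precedence": tos >> 5, "low_delay": bool(tos & 0x10),
            "high_throughput": bool(tos & 0x08), "high_reliability": bool(tos & 0x04)}


def dscp_fields(tos):
    """RFC 2474/3168 reading of the same byte: 6 DSCP bits and 2 ECN bits."""
    return {"dscp": tos >> 2, "ecn": tos & 0x03}


def af(cls, drop):
    """DSCP of AFxy: class in the top 3 bits, drop precedence in the next 2, low bit 0."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


def dscp_name(dscp):
    """Name a code point the way a QoS policy would refer to it."""
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{cls}" if cls else "BE"        # CS0 is best effort
    if 1 <= cls <= 4 and low & 1 == 0:
        return f"AF{cls}{low >> 1}"
    return f"DSCP{dscp}"


def ip_precedence(dscp):
    """The top 3 DSCP bits are the old precedence field, so CS6 is precedence 6."""
    return dscp >> 3


def cos_to_dscp(cos):
    """Catalyst default cos-dscp map (0 8 16 24 32 40 48 56): CoS n becomes CSn."""
    return cos << 3


def apply_trust_boundary(tos, trusted, port_default_dscp=0):
    """What an access port does with a packet's marking: keep it only when the port
    is trusted (mls qos trust dscp), otherwise rewrite it to the port default.
    A user-facing port must not be trusted, or any host can mark itself EF."""
    dscp = dscp_fields(tos)["dscp"] if trusted else port_default_dscp
    return (dscp << 2) | (tos & 0x03)               # ECN bits are left alone either way
```

Try it on 0xB8, the ToS byte of a voice packet: the old reading gives precedence 5 with the delay and throughput bits set, the new reading gives DSCP 46 (EF), and an untrusted port turns it into 0x00. Conversely a PC marking its traffic 0xB8 on a trusted port keeps EF, which is the case the trust boundary exists to prevent.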

To see the interface's QoS settings put the command:
SWX#show mls qos interface <interface>

The PC behind the IP phone sends through the phone's extra port. By default the phone overwrites the PC's CoS; the value it should use is set with:
(config-if)#switchport priority extend cos <value> // 0 is the usual choice

To let the PC's own marking through instead (normally not wanted, for the reason above):
(config-if)#switchport priority extend trust


-- 23 November 2010 --

Tuesday, November 23, 2010

Voice over IP & IP Phone

VoIP carries voice conversations over IP networks. On the LAN it is usually done with IP phones. An IP phone contains a small 3-port switch: one port goes up to the access switch, one is internal to the phone's own circuitry (ASIC) and one goes to the user's laptop or PC. The PC is therefore connected through the phone and needs no configuration at all; it behaves as if it were plugged straight into the switch.

The link between the switch and the IP phone can be configured in several ways:

1. Access link. Voice and data share the one VLAN with no priority for voice: frames are served in the order they arrive. The advantage is that nothing needs to be configured (this is the default). The disadvantage is that heavy data traffic delays the voice frames, which must be avoided because voice is delay sensitive.

2. Trunk link with 802.1p priority tagging. The phone tags its voice frames with the 802.1p CoS value for high priority but with VLAN ID 0 in the tag. VLAN 0 is not a real VLAN and cannot be created; ID 0 means "priority only, no VLAN", so the switch keeps the CoS and places the frame in the port's native or access VLAN.

3. Trunk link with untagged voice traffic. The phone sends its voice frames untagged, so they travel in the access VLAN without any CoS marking on the wire.

4. Trunk link with a dedicated voice VLAN. The phone tags its voice frames with the configured VLAN ID, which separates voice from data at Layer 2; this is the usual choice, since the voice VLAN can then get its own QoS and its own addressing.

To configure the voice VLAN on the interface:
(config-if)#switchport voice vlan {<vlan-id> | dot1p | untagged | none}


-- 24 November 2010 --




Gateway Load Balancing Protocol (GLBP)

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary first-hop redundancy protocol that also load balances: instead of leaving one router active while the others wait, it uses all the routers in a GLBP group to forward traffic for the hosts on the segment.

Hosts point their default gateway at the group's virtual IP address, as with HSRP. The difference is that the virtual IP maps to several virtual MAC addresses, one per router. When a host sends an ARP request for the gateway, the group answers with one of those MAC addresses, and the next host to ask is given another router's virtual MAC, so the hosts end up spread across the routers while all of them use the same gateway address.

The router with the highest priority (default 100, highest IP address as tie-breaker) becomes the Active Virtual Gateway (AVG); the router with the next highest priority is the standby AVG and the others are in the listen state. The AVG answers the ARP requests. It assigns a virtual MAC address (up to four per group) to each member router, which then acts as an Active Virtual Forwarder (AVF) and forwards the packets sent to its virtual MAC. If an AVF fails, the AVG hands its virtual MAC to another router so that the hosts using that MAC keep working. The routers keep track of each other with hello packets multicast to 224.0.0.102 on UDP port 3222.

The AVG can hand out the virtual MACs in three ways:

1. Round robin (the default): each ARP request gets the next router in turn. With 4 hosts (1, 2, 3, 4 asking in that order) and 2 routers (A, B), host 1 gets A, host 2 gets B, host 3 gets A and host 4 gets B.
2. Host dependent: a given host always gets the same virtual MAC, for hosts that cannot cope with their gateway's MAC changing.
3. Weighted: the routers get hosts in proportion to a configured weight. With 3 routers where A has twice the capacity of B and C, weights of 2:1:1 send about half of the hosts to A and a quarter each to B and C.

To apply GLBP use the commands in interface mode (the group number must be the same on all routers of the group):
(config-if)#glbp <group> ip <virtual-ip-address>

To change the GLBP priority:
(config-if)#glbp <group> priority <value>

To enable preempt, so that a router with a higher priority takes over as AVG when it comes up:
(config-if)#glbp <group> preempt

As with HSRP, anything on the segment can send GLBP hellos; a host that can claim the AVG role becomes the gateway for everyone. Use the group's MD5 authentication (glbp <group> authentication md5 key-string <key>) on any segment where the hosts are not trusted.

Monday, November 22, 2010

Virtual Router Redundancy Protocol (VRRP)

VRRP (Virtual Router Redundancy Protocol), defined in RFC 2338 (since updated by RFC 3768 and RFC 5798), is the open-standard counterpart of Cisco's proprietary HSRP and can be used in a multi-vendor environment. The operation of VRRP and HSRP is similar.

The differences are:
1. VRRP calls the roles Master and Backup (Active and Standby in HSRP). The virtual IP address may be the real interface address of one of the routers; that router is the owner and gets priority 255, so it is always Master while it is up.
2. VRRP advertisements are multicast to 224.0.0.18 (IP protocol 112), every 1 second by default; HSRP version 1 hellos go to 224.0.0.2 on UDP 1985 every 3 seconds.
3. The MAC address of the VRRP virtual router is 0000.5e00.01XX, where XX is the group number (VRID) in hexadecimal.
4. Preemption, which HSRP has to be told to do with the preempt command, is on by default in VRRP: a router whose priority is higher than the current Master's takes over as Master.
5. VRRP supports Object Tracking, the equivalent of HSRP interface tracking, to lower the priority when a tracked interface or route goes down.

-- 23 November 2010 --

HSRP Tracking

HSRP Interface Tracking provides redundancy on the router group by letting the active role move to another router when something unexpected happens to the active router's uplinks, not only to the router itself.

The active router is the router with the highest priority (default 100; the highest IP address breaks ties). The active role moves to another router if the active router's priority falls below another router's or another router is set to a higher value. Remember that this switch only happens immediately if the router that is now better has preempt enabled; without preempt, the current active router keeps the role until it fails.

HSRP tracking decreases a router's priority based on what it is watching. It can track interfaces and lowers the priority while a monitored interface is down. The commands to track a specific interface are:
(config)#interface <interface> // the interface running the HSRP group, i.e. the one facing the hosts
(config-if)#standby <group> track <interface> [<decrement>] // <interface> is the interface to monitor, e.g. interface serial 0 going to another router
The decrement value can be set from 1-255 and is subtracted from the priority while the monitored interface is down. The default value (if not set) is 10.

For example, we have 2 routers (router A and B), where router A is the active router with priority 150 and router B is standby with priority 140. Serial 0 to another router is monitored with HSRP track on router A, with a decrement value of 20. If serial 0 goes down on router A, its priority is decreased to 150-20 = 130. This is lower than router B's priority of 140, so router B takes over as active router, provided that router B has preempt enabled (without preempt, B stays standby even though its priority is now higher). If at some point serial 0 of router A comes up again, the priority goes back to 150 and router A becomes the active router again, again only if A has preempt enabled, with router B back in standby. Watch out when setting the track decrement value: if it is too low, e.g. only 5 on router A, nothing happens when serial 0 goes down, because 150-5 = 145 is still higher than router B's priority of 140. Changing the decrement can be done on a live network and takes effect immediately (for example changing it from 5 to 15).

It is also possible to track several interfaces on the same group. Each monitored interface that goes down subtracts its own decrement, so if one interface is down the priority drops by that interface's value and if both are down the two decrements accumulate.
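An added example (not from the original post) that models the election rules above in Python: priorities, accumulating track decrements, tie-breaking by IP address, and the fact that a better router only takes over if it has preempt. The router names, addresses and interface names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


@dataclass
class HsrpRouter:
    name: str
    ip: str                                  # interface address, HSRP tie breaker
    priority: int = 100                      # HSRP default priority
    preempt: bool = False                    # "standby preempt" is off by default
    tracks: Dict[str, int] = field(default_factory=dict)  # interface -> decrement
    down: Set[str] = field(default_factory=set)           # tracked interfaces that are down

    def effective_priority(self) -> int:
        # every tracked interface that is down subtracts its decrement;
        # the decrements accumulate when several interfaces are down
        return max(0, self.priority - sum(self.tracks[i] for i in self.down))


class HsrpGroup:
    """Model of one HSRP group: who is active after interface or priority changes."""

    def __init__(self, routers: List[HsrpRouter]):
        self.routers = {r.name: r for r in routers}
        # initial election: highest priority wins, highest IP breaks ties
        self.active = self._best().name

    def _best(self) -> HsrpRouter:
        return max(self.routers.values(),
                   key=lambda r: (r.effective_priority(), _ip_key(r.ip)))

    def _reelect(self) -> str:
        best = self._best()
        current = self.routers[self.active]
        # a better router only takes over if it has preempt configured;
        # otherwise the current active router keeps the role until it fails
        if (best.name != self.active and best.preempt
                and best.effective_priority() > current.effective_priority()):
            self.active = best.name
        return self.active

    def link_change(self, router: str, interface: str, up: bool) -> str:
        """A tracked interface on `router` went up or down; returns the active router."""
        r = self.routers[router]
        if interface not in r.tracks:
            raise KeyError(f"{interface} is not tracked on {router}")
        if up:
            r.down.discard(interface)
        else:
            r.down.add(interface)
        return self._reelect()

    def set_priority(self, router: str, priority: int) -> str:
        """Equivalent of changing 'standby priority' on a live router."""
        self.routers[router].priority = priority
        return self._reelect()

    def router_failed(self, router: str) -> str:
        """Hellos stop: the failed router leaves the group and the best remaining
        router becomes active whether or not it has preempt."""
        del self.routers[router]
        self.active = self._best().name
        return self.active


def page_example(decrement: int = 20, b_preempt: bool = True, a_preempt: bool = True) -> List[str]:
    """The scenario from the text: A (150) tracks Serial0 with `decrement`, B (140).
    Returns the active router initially, after Serial0 goes down, and after it comes back."""
    group = HsrpGroup([
        HsrpRouter("A", "10.0.0.2", 150, preempt=a_preempt, tracks={"Serial0": decrement}),
        HsrpRouter("B", "10.0.0.3", 140, preempt=b_preempt),
    ])
    steps = [group.active]
    steps.append(group.link_change("A", "Serial0", up=False))
    steps.append(group.link_change("A", "Serial0", up=True))
    return steps


if __name__ == "__main__":
    print("decrement 20:", page_example())          # ['A', 'B', 'A']
    print("decrement 5: ", page_example(decrement=5))  # ['A', 'A', 'A']
```

Running page_example with b_preempt=False shows the case the text warns about implicitly: the decrement happens, but nothing moves because the standby router cannot preempt.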

To check the HSRP state use "#show standby"; to watch the state changes as they happen use "#debug standby".

-- 23 November 2010 --


Hot Standby Router Protocol

HSRP (Hot Standby Router Protocol) provides high availability by cutting over almost immediately to a secondary router when the primary router fails. It is defined in RFC 2281. On a multilayer switch, HSRP can be configured on routed ports, SVIs and EtherChannels that have IP addresses. To run HSRP on a L3 switch, the switch must have the Enhanced Multilayer Image (EMI).

HA is available because HSRP creates a virtual router with a virtual IP address and virtual MAC address for the HSRP router group. Hosts use the virtual router as their gateway, without knowing which physical router is actually behind it. If the primary (active) router fails, the standby router takes over the virtual IP and MAC addresses almost instantly, so the hosts' ARP caches stay valid. HSRP also has an interface tracking feature, which monitors other interfaces on the same router and reduces the router's priority if a monitored interface goes down.

HSRP has 7 states:

1. Disabled: the interface is not running HSRP at all
2. Initial (Init): the starting state when an interface with HSRP comes up or its configuration changes
3. Learn: the router does not yet know the virtual IP address and waits to hear a hello from the active router to learn it
4. Listen: the router knows the virtual IP address but is neither active nor standby; it listens for hellos from the active and standby routers
5. Speak: the router sends hellos and takes part in the election for the active or standby role
6. Standby: the router is the candidate to become the next active router and keeps sending hellos
7. Active: the router forwards the packets sent to the group's virtual MAC address and sends hellos

To configure a router for HSRP:
(config)#interface fa <slot/port> // the interface facing the hosts, which already has its own IP address
(config-if)#standby <group-number> ip <virtual-ip> // the standby command is used for HSRP configuration; group-number defines the router group (0 if omitted)

To show HSRP configuration type the command:
RX#show standby

The default MAC address of the virtual router is 0000.0c07.acXX where XX is the router group number in hexadecimal. So, if the router group is 26, the hexadecimal number is 1a (1x16 + 10), and the default MAC address will be 0000.0c07.ac1a. To change the MAC address of the virtual router use the command:
(config-if)#standby <group> mac-address <mac-address> // noted as XXXX.XXXX.XXXX


To change the hello and hold timers (defaults 3 and 10 seconds):
(config-if)#standby <group> timers <hello> <holdtime>

The router with the higher priority becomes the active router (default priority 100). To change the priority of a router:
(config-if)#standby <group> priority <1-255>
However, this command will not move the active role directly to the router with the higher priority; the change only takes effect when the current active router fails or restarts. To move the active role to the router with the higher priority immediately, the preempt command is needed. The router logs a message indicating the state change.
(config-if)#standby <group> preempt

-- 23 November 2010 --

ICMP Router Discovery Protocol (IRDP)

ICMP Router Discovery Protocol (IRDP), defined in RFC 1256, lets hosts discover their default gateways and gives them a fallback router if the one they use disappears. Unlike HSRP it is a slow form of redundancy: a host only gives up a gateway when the advertisement lifetime expires (by default advertisements are sent roughly every 10 minutes and are valid for 30 minutes).

IRDP routers send ICMP Router Advertisements (ICMP message type 9) to all hosts. A host that hears them sets its default gateway to that router. With more than one router, the host picks the one with the highest advertised preference as primary and keeps the others, using them if it loses the primary. A host can also send an ICMP Router Solicitation (ICMP message type 10) to ask the IRDP routers to send Router Advertisements right away.

IRDP uses the real IP address and MAC address of the L3 switch or router; it does not use any kind of virtual address. Also note that the advertisements are not authenticated, so any host on the segment can send its own Router Advertisements and become the default gateway of the others; IRDP should therefore only be enabled on segments where every host is trusted.

To configure put the command "(config-if)#ip irdp" in the interface mode.

-- 23 November 2010 --

Inter VLAN communication using SVI

Hosts on a switch cannot communicate with each other if they are in different VLANs. The traditional way of connecting different VLANs is a router on a stick: one trunk to a router with a sub-interface per VLAN. Although this works, router on a stick has drawbacks such as loading the router's processor with all inter-VLAN traffic and being a single point of failure.

Another way to create inter-VLAN communication is the Switch Virtual Interface (SVI), available on switches that have an internal route processor (originally the Route Switch Module, RSM; built into today's L3 switches). An SVI for VLAN 1 exists by default.

On a L3 switch an SVI can be created for any VLAN so that it can route to the other VLANs.

Before starting, make sure IP routing is enabled, because it is off by default on most L3 switches:
(config)#ip routing

The first thing to do is to create the VLANs and put the ports in the proper VLANs with the commands:
(config)#int fa <slot/port>
(config-if)#switchport mode access
(config-if)#switchport access vlan <vlan-id> // the VLAN is created automatically if it does not exist yet

Creating the SVI is simple:
(config)#int vlan <vlan-id> // enter the VLAN interface
(config-if)#ip address <ip-address> <mask> // the SVI's address, which will be the gateway of the hosts in that VLAN
Note that the SVI's line protocol only comes up when the VLAN exists and at least one port in that VLAN is up; "#show ip interface brief" shows the state of the SVIs.

Do this for every VLAN on the switch that needs to communicate. "#show ip route" shows the switch's routing table, with a connected route for each VLAN.

In order for hosts to communicate with hosts in other VLANs, make sure that the gateway of each host is the IP address of its VLAN's SVI. When a router is used as a test host, that is:
HOST(config)#ip route 0.0.0.0 0.0.0.0 <svi-ip-address>

After this, the hosts should be able to communicate with other hosts.

If the L3 switch must reach another router, the switch port facing it must be changed into a routed port so that it can carry an IP address and route traffic. The command is "(config-if)#no switchport" on the interface, because as long as the port is a switchport it behaves as a L2 port. After that set the IP address of the port with "(config-if)#ip address <ip-address> <mask>".

-- 22 November 2010 --

Sunday, November 21, 2010

Multilayer Switching (MLS)

A multilayer switch is a L3 switch that can route packets in hardware. There are 2 methods of doing MLS: route caching and Cisco Express Forwarding (CEF).

Route caching devices have a route processor and a switching engine. The first packet of a flow (a unidirectional stream of packets with the same source, destination and protocol) is handled by the route processor, while the switching engine observes how that packet is forwarded. After that, the switching engine takes over forwarding the remaining packets of the same flow ("route once, switch many").

CEF is the other MLS method and is found on certain hardware only. CEF is easier on a switch's CPU than route caching because the forwarding tables are built ahead of time, without waiting for the first packet of a flow. CEF is enabled by default because it is hardware based. However, IP routing has to be enabled for it to do anything: if IP routing is not enabled, "#show ip cef" reports "IPv4 CEF not running".

CEF has 2 main components:

1. FIB - Forwarding Information Base, which contains the L3 routing information (the same prefixes and next hops as the routing table, in a form optimised for lookups)
2. AT - Adjacency Table, which contains the L2 rewrite information for each next hop, i.e. the MAC addresses and outgoing interface needed to build the frame header

CEF has 2 logical planes:
1. Control Plane, also known as the Layer 3 engine, whose job is to build the FIB and adjacency table from the routing table and the ARP and MAC tables.
2. Data Plane, also known as the hardware engine or Application-Specific Integrated Circuit (ASIC), which looks packets up in the tables programmed into its memory and forwards them to the next hop, rewriting the frame headers on the way.

-- 22 November 2010 --

Friday, November 19, 2010

Network Attacks

There are several attacks against a switched network. A few of them are MAC address flooding, VLAN hopping and switch spoofing.

MAC address flooding sends the switch a large number of frames with different, bogus source MAC addresses. The switch tries to learn every one of them, and once the MAC address table (CAM) is full it can no longer learn legitimate addresses; frames to those hosts are then flooded out of every port in the VLAN as unknown unicast, as if the switch were a hub. This wastes bandwidth and, more importantly, lets the attacker capture traffic between other hosts with a packet sniffer. To prevent this, unknown hosts should be kept off the network, and the damage a connected host can do should be limited: port security (limiting the number of MAC addresses learned on a port and shutting or restricting the port when the limit is exceeded) and port based authentication (802.1X) do this.

VLAN hopping by double tagging sends frames that carry two 802.1Q VLAN tags. It works when the attacker's access port is in the native VLAN of a dot1q trunk. The outer tag is the native VLAN and the inner tag is the target VLAN. The first switch strips the outer tag (frames of the native VLAN are sent untagged on a dot1q trunk) and forwards the frame over the trunk without noticing the second tag; the next switch sees the remaining inner tag and delivers the frame into the target VLAN. The attack only works one way (replies from the victims do not come back to the attacker), but it is enough to push phishing, trojan or exploit traffic to hosts in a VLAN the attacker should not be able to reach. To prevent it, use a dedicated, unused VLAN as the native VLAN on trunks, never put access ports in that VLAN, and preferably also tag the native VLAN ("vlan dot1q tag native") so that no frame crosses the trunk untagged.
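The following Python is an added example, not part of the original post: it builds real 802.1Q frame bytes and models the two switch hops of a double tagging attack, showing why an unused native VLAN or a tagged native VLAN stops it. The MAC addresses and VLAN numbers are made up for the illustration.

```python
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vlans: List[int],
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Ethernet frame with one 802.1Q tag per entry of `vlans` (outer tag first).
    The payload is a placeholder for an IPv4 packet (constructed)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vlan(frame: bytes) -> Optional[int]:
    """VLAN id of the outermost tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vlan: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> Tuple[Optional[int], bytes]:
    """Access port: untagged frames belong to the access VLAN. A tag equal to the
    access VLAN is stripped and accepted (many switches do this); other tags are dropped."""
    v = outer_vlan(frame)
    if v is None:
        return access_vlan, frame
    if v == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, frame


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """dot1q trunk: the native VLAN leaves untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Receiving switch: a tagged frame goes to its tag's VLAN, an untagged one to the native VLAN."""
    v = outer_vlan(frame)
    if v is None:
        return native_vlan, frame
    return v, pop_tag(frame)


def double_tag_attack(attacker_vlan: int, target_vlan: int, native_vlan: int,
                      tag_native: bool = False) -> Optional[int]:
    """VLAN into which the second switch delivers the attacker's double-tagged
    frame, or None if the first switch drops it at the access port."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [attacker_vlan, target_vlan])
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native = attacker VLAN 1:", double_tag_attack(1, 20, 1))        # 20 (hop succeeds)
    print("unused native VLAN 999: ", double_tag_attack(1, 20, 999))      # 1
    print("tagged native VLAN:     ", double_tag_attack(1, 20, 1, True))  # 1
```

The frame that crosses the trunk in the first case still carries the tag for VLAN 20 as its only tag, which is exactly what the receiving switch trusts; once the first switch pushes its own tag (because the attacker's VLAN is not the native VLAN, or because the native VLAN is tagged), the attacker's inner tag stays buried in the payload.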

Switch spoofing abuses the Dynamic Trunking Protocol (DTP): a port in dynamic desirable or dynamic auto mode will form a trunk with whatever sends the right DTP messages, without knowing who or what its peer is. An attacker that acts as a switch and negotiates a trunk receives the traffic of every VLAN allowed on that trunk and can pick out user names, passwords, credit card numbers etc. To prevent this, dynamic desirable or auto mode should only be used on ports known to face trusted switches. All other ports should be configured as access ports ("switchport mode access") with DTP disabled ("switchport nonegotiate").

Dynamic ARP Inspection (DAI)

ARP is used to find out the MAC address of a receiver from its IP address, which is necessary in order to deliver frames to the correct receiver. However, this process can be manipulated by an attacker; this is called ARP spoofing or ARP cache poisoning.

The attack abuses the fact that an ARP reply is accepted without any check. When a host sends an ARP request for an IP address (or even without being asked, since hosts also accept unsolicited replies), the attacker replies with its own MAC address for that IP. The sender has no way to tell the difference, accepts the attacker's MAC address as valid and from then on sends the frames meant for the real receiver to the attacker. The attacker can forward the received packets to the real destination so that sender and receiver notice nothing. This is dangerous because the attacker can monitor, read and alter the frames first (including passwords!). It is also called a "man in the middle" attack because of the attacker's position, relaying frames between the sender and the receiver.

This attack can be prevented with Dynamic ARP Inspection (DAI). The switch keeps a database of valid IP-MAC address pairs, which can be configured statically or built automatically from DHCP snooping. DAI uses the same concept of trusted and untrusted ports as DHCP snooping. However, ARP packets from untrusted ports are not dropped outright (as DHCP server messages are in DHCP snooping), but are checked against the IP-MAC pairs. If the pair is valid the ARP packet is forwarded, if not it is dropped. ARP packets arriving on a trusted port are forwarded without being checked.

Cisco recommends that all ports connected to hosts are set as untrusted and that ports connected to other switches running DAI are set as trusted. Other notes: DAI only inspects ARP packets on ingress; it can be enabled on trunk ports and EtherChannel ports; and ARP packets on untrusted ports are rate limited (15 per second by default), with the port going into err-disabled state when the limit is exceeded.

To activate DAI:
(config)#ip arp inspection vlan <vlan-range>

To trust ports:
(config)#int fa <slot/port> // configure a specific port
(config-if)#ip arp inspection trust // make it a trusted port

To add extra validation:
(config)#ip arp inspection validate [src-mac] [dst-mac] [ip] // src-mac checks that the source MAC in the Ethernet header equals the sender MAC in the ARP body; dst-mac checks (for ARP replies) that the destination MAC in the Ethernet header equals the target MAC in the ARP body; ip checks the ARP body for invalid addresses such as 0.0.0.0, 255.255.255.255 and multicast addresses (the sender IP in requests and replies, the target IP in replies only).

To show DAI:
SWx#show ip arp inspection
SWx#show ip arp inspection statistics
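An added Python example (not the switch's code) of the checks DAI performs, run over constructed ARP packets: trusted ports are skipped, the src-mac, dst-mac and ip validations are applied, and finally the sender IP/MAC pair is looked up in the binding table. The addresses, port names and the binding table are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress port
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: int            # 1 = request, 2 = reply
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


# Constructed binding table: normally filled by DHCP snooping or static
# "ip source binding" entries. IP -> the MAC that is allowed to claim it.
BINDINGS: Dict[str, str] = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # gateway
    "10.0.0.10": "aa:bb:cc:00:00:10",
    "10.0.0.11": "aa:bb:cc:00:00:11",
}
TRUSTED_PORTS: Set[str] = {"Gi0/24"}   # uplink to another switch running DAI


def _invalid_ip(text: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
    ip = ipaddress.IPv4Address(text)
    return ip in (ipaddress.IPv4Address("0.0.0.0"),
                  ipaddress.IPv4Address("255.255.255.255")) or ip.is_multicast


def dai_inspect(pkt: ArpPacket, bindings: Dict[str, str] = BINDINGS,
                trusted: Set[str] = TRUSTED_PORTS,
                validate: Iterable[str] = ("src-mac", "dst-mac", "ip")) -> Tuple[str, str]:
    """Return ("forward", reason) or ("drop", reason) the way DAI would."""
    if pkt.port in trusted:
        return "forward", "trusted port, not inspected"
    checks = set(validate)
    # src-mac: Ethernet source must equal the ARP sender MAC (requests and replies)
    if "src-mac" in checks and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "src-mac: Ethernet source and ARP sender MAC differ"
    # dst-mac: for replies, Ethernet destination must equal the ARP target MAC
    if "dst-mac" in checks and pkt.op == ARP_REPLY and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop", "dst-mac: Ethernet destination and ARP target MAC differ"
    # ip: sender IP checked in requests and replies, target IP only in replies
    if "ip" in checks and (_invalid_ip(pkt.sender_ip)
                           or (pkt.op == ARP_REPLY and _invalid_ip(pkt.target_ip))):
        return "drop", "ip: invalid address in ARP body"
    # the core check: the sender IP/MAC pair must exist in the binding table
    if bindings.get(pkt.sender_ip, "").lower() != pkt.sender_mac.lower():
        return "drop", f"no binding for {pkt.sender_ip}/{pkt.sender_mac}"
    return "forward", "binding matched"


if __name__ == "__main__":
    # attacker on Gi0/12 tells the host on Gi0/10 that the gateway is at its MAC
    spoof = ArpPacket("Gi0/12", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:10", ARP_REPLY,
                      "de:ad:be:ef:00:01", "10.0.0.1", "aa:bb:cc:00:00:10", "10.0.0.10")
    print(dai_inspect(spoof))
```

Note what the optional validations add: an attacker who copies the gateway's real MAC into the ARP body (so that the binding lookup passes) but sends the frame from its own MAC is only caught by the src-mac check, which is why enabling "ip arp inspection validate src-mac" is worth it even with a correct binding table.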

Thursday, November 18, 2010

Address Resolution Protocol

ARP stands for Address Resolution Protocol. It is used to determine the physical (MAC) address that belongs to a known IP address. The host that wants to send broadcasts an ARP request to ff:ff:ff:ff:ff:ff asking "who has this IP address?", and the switch floods the broadcast to every port in the VLAN. A client that does not have that address ignores the packet. The client that does use that IP address replies with "I have this IP address, and my MAC address is aa:bb:cc:dd:ee:ff", and the sender caches the answer in its ARP table. Nothing in ARP authenticates that reply, which is what ARP spoofing (see Dynamic ARP Inspection) exploits.

A simple illustration uses a house's phone number and its street address. A phone number can be changed, just like the IP address of a client can be changed easily. The street address, on the other hand, is fixed to a physical location, like the MAC (physical) address of the client. An ARP request is like asking an operator for the street address that belongs to a phone number: the operator (the switch flooding the broadcast) knocks on every door at the same time and asks each resident whether the given phone number is theirs.

There is also RARP, Reverse ARP, which is used the other way round: a device that only knows a MAC address asks for the IP address that belongs to it. In the illustration, it asks which telephone number belongs to a given street address.

DHCP Snooping

DHCP snooping is a feature on Cisco switches to prevent attacks with rogue DHCP servers. When a client asks for an IP address by broadcasting a DHCP discover, an attacker on the same VLAN can answer with a fake DHCP offer, and the client simply accepts it if it arrives before the offer of the real DHCP server (clients take the first offer that comes in). The fake offer can point the client's default gateway and DNS server at the attacker, which puts the attacker in the middle of all the client's traffic.

With DHCP snooping, the switch examines the port on which each DHCP packet arrives and classifies the port as "trusted" or "untrusted". DHCP server messages (offer, ack, nak) are forwarded only if they come in on a trusted port; on an untrusted port they are dropped. DHCP packets on untrusted ports can also be rate limited, and a port that exceeds its limit is put into err-disabled state. One important thing to remember is that by default the switch treats all ports as untrusted, so make sure to configure the port towards the real DHCP server (or the uplink) as trusted when enabling DHCP snooping. The switch also records the IP, MAC, port and VLAN of every successful lease in the DHCP snooping binding table, which Dynamic ARP Inspection and IP Source Guard use.

To configure DHCP snooping enter the commands below:
(config)#ip dhcp snooping // enable the feature globally
(config)#ip dhcp snooping vlan <vlan_number> // DHCP snooping will be done for every host in the VLAN

Then configure the port of the trusted DHCP server:
(config)#int fa <slot/port>
(config-if)#ip dhcp snooping trust // trust the port for sending DHCP offers. Another option on the port is "ip dhcp snooping limit rate <pps>", the rate above which the port is err-disabled

To insert the DHCP option 82 relay agent information (on by default) use:
(config)#ip dhcp snooping information option

Finally, "#show ip dhcp snooping" shows the DHCP snooping configuration and "#show ip dhcp snooping binding" lists the learned bindings.
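An added example, not from the original post: a Python model of the DHCP snooping decision for each packet, including the rate limit that err-disables a port, the client MAC verification and the binding table that is built from the server's ACK. Port names, MACs and addresses are constructed.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# DHCP message types only a server sends; everything else comes from clients.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Model of DHCP snooping on one VLAN (constructed example, not switch code).
    Ports not listed as trusted are untrusted, as on a Cisco switch by default."""

    def __init__(self, trusted_ports: Iterable[str], rate_limit: Optional[int] = None):
        self.trusted: Set[str] = set(trusted_ports)
        # "ip dhcp snooping limit rate" is packets per second on the switch;
        # here it is a plain count per port, a simplification for the demo
        self.rate_limit = rate_limit
        self.packets_seen: Dict[str, int] = {}
        self.err_disabled: Set[str] = set()
        self.pending: Dict[str, str] = {}                # client MAC -> port of its REQUEST
        self.bindings: Dict[str, Tuple[str, str]] = {}   # IP -> (client MAC, port)

    def process(self, port: str, msg_type: str, chaddr: str, eth_src: str,
                yiaddr: Optional[str] = None) -> Tuple[str, str]:
        """Return ("forward"|"drop", reason) for one DHCP packet. chaddr is the
        client hardware address inside the DHCP packet, eth_src the Ethernet
        source MAC and yiaddr the offered/acknowledged IP address."""
        if port in self.err_disabled:
            return "drop", "port is err-disabled"
        if port in self.trusted:
            # server side: forwarded unchecked; a successful ACK creates a binding
            if msg_type == "ACK" and yiaddr:
                client_port = self.pending.pop(chaddr, None)
                if client_port:
                    self.bindings[yiaddr] = (chaddr, client_port)
            return "forward", "trusted port"
        # untrusted port from here on
        self.packets_seen[port] = self.packets_seen.get(port, 0) + 1
        if self.rate_limit is not None and self.packets_seen[port] > self.rate_limit:
            self.err_disabled.add(port)
            return "drop", "rate limit exceeded, port err-disabled"
        if msg_type in SERVER_MESSAGES:
            return "drop", f"{msg_type} on untrusted port (rogue DHCP server)"
        if eth_src.lower() != chaddr.lower():
            # "ip dhcp snooping verify mac-address", on by default
            return "drop", "chaddr does not match Ethernet source MAC"
        if msg_type in ("RELEASE", "DECLINE"):
            # a client may only release/decline the lease bound to its own port
            for ip, (mac, bound_port) in self.bindings.items():
                if mac.lower() == chaddr.lower() and bound_port != port:
                    return "drop", f"{msg_type} for {ip} from the wrong port"
        if msg_type == "REQUEST":
            self.pending[chaddr] = port
        return "forward", "client message"


if __name__ == "__main__":
    s = DhcpSnooping(trusted_ports={"Gi0/24"}, rate_limit=5)
    # rogue server on an access port: its OFFER never reaches the client
    print(s.process("Gi0/5", "OFFER", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01", "10.0.0.50"))
```

The binding learned from the real server's ACK (IP, client MAC, port) is what Dynamic ARP Inspection and IP Source Guard later check against, so the order of enabling matters in practice: turn on DHCP snooping first and let the bindings populate before enforcing DAI on the same VLAN.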

Private VLAN

A private VLAN restricts which hosts inside one VLAN (and one IP subnet) can talk to each other. The primary VLAN carries the traffic to the gateway, and secondary VLANs (isolated or community) decide which ports may talk to which. Each port can be configured in 3 ways:

1. Promiscuous mode, where the device on that port can talk to every port in the primary and all secondary VLANs. Usually this mode is used for gateway devices such as routers or firewalls.

2. Isolated mode, where the host can communicate only with the promiscuous ports (the gateway), but not with any other host, neither in the same isolated VLAN nor in another secondary VLAN. Basically the host has a one-on-one relationship with the gateway.

3. Community mode, where the host can communicate with the other hosts in the same community VLAN and with the promiscuous ports, but not with hosts in other secondary VLANs.


The configuration of the private VLAN is shown below:

(config)#vlan <secondary-vlan-id>
(config-vlan)#private-vlan community // or isolated
(config)#vlan <primary-vlan-id>
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association <secondary-vlan-list> // the secondary VLANs must already exist; they are not created automatically
Private VLANs can only be configured in VTP transparent mode (VTP versions 1 and 2 do not carry them; VTP version 3 does).

Then the ports need to be set in private VLAN mode:
(config)#interface fast <slot/port> // the port that we want to set
(config-if)#switchport mode private-vlan host // host for a port attached to a client, promiscuous for the port attached to the gateway device
(config-if)#switchport private-vlan host-association <primary-vlan-id> <secondary-vlan-id> // for host ports
(config-if)#switchport private-vlan mapping <primary-vlan-id> <secondary-vlan-list> // for the promiscuous port



VLAN Access Control List (VACL)

A router ACL on an SVI can filter traffic routed between VLANs, but it cannot filter traffic switched between hosts in the same VLAN. To filter that, a VLAN access map, also called a VLAN ACL (VACL), is needed.

For example, we want to block 4 hosts, 172.10.10.0 to 172.10.10.3, from communicating with the other hosts in 172.10.10.0/24.

First we need to define the traffic with an access list: “(config)#ip access-list extended BLOCK4IP”

“(config-ext-nacl)#permit ip 172.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255”, and yes, it is permit, not deny, because the ACL only identifies the traffic; the action is set later in the access map. The wildcard 0.0.0.3 matches the 4 addresses .0 through .3 (the 1 bits of a wildcard are "don't care"); 0.0.0.4 would match only .0 and .4.

Then we create the map that matches the access list and drops the traffic it identifies:

“(config)#vlan access-map NO_4IP 10”, where 10 is the sequence number. Entries are evaluated in ascending order, so an entry with a lower number, e.g. 5, would be checked first. Then we match the addresses using the ACL created before:

“(config-access-map)#match ip address BLOCK4IP”

“(config-access-map)#action drop” (drop the packets that the ACL BLOCK4IP permits)

Then we need to forward all the other traffic with a second entry:

“(config)#vlan access-map NO_4IP 20”, which is evaluated after the 4 addresses have been handled by sequence 10, followed by “(config-access-map)#action forward”; an entry without a match clause matches everything. Another entry can be added later between these two by giving it a sequence number between 10 and 20, and it takes effect immediately.

Then the VACL is applied, not on an interface but in global configuration mode, to one or more VLANs. The command is “(config)#vlan filter NO_4IP vlan-list 100” (supposing we want to apply it to VLAN 100).

Note that a VACL behaves like an ACL in that it has an implicit deny at the end, so traffic that is not explicitly forwarded is dropped. Also, a VLAN can have only one VACL applied to it, while one VACL can be applied to several VLANs.
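As an added example (written for this page, not Cisco code), the following Python evaluates a VLAN access map the way the switch does: Cisco wildcard masks, first-match ACL lookup, sequence ordering and the implicit drop. It uses the BLOCK4IP list and NO_4IP map from the text with the wildcard 0.0.0.3, which is what matches the four addresses .0 to .3, and shows the difference from 0.0.0.4.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACL entry: (action, source, source wildcard, destination, destination wildcard)
AclEntry = Tuple[str, str, str, str, str]


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides. For a VLAN access map, a deny entry or
    no match at all both mean 'this clause does not match'."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action == "permit"
    return False


def vacl_action(access_map: Dict[int, Tuple[Optional[str], str]],
                acls: Dict[str, List[AclEntry]], src: str, dst: str) -> str:
    """Evaluate a VLAN access map in sequence order. An entry without a match
    clause (acl name None) matches everything; falling off the end is the
    implicit drop."""
    for seq in sorted(access_map):
        acl_name, action = access_map[seq]
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"


# The configuration from the text (wildcard 0.0.0.3 = hosts .0 to .3)
ACLS: Dict[str, List[AclEntry]] = {
    "BLOCK4IP": [("permit", "172.10.10.0", "0.0.0.3", "172.10.10.0", "0.0.0.255")],
}
NO_4IP: Dict[int, Tuple[Optional[str], str]] = {
    10: ("BLOCK4IP", "drop"),
    20: (None, "forward"),
}


if __name__ == "__main__":
    for host in ("172.10.10.1", "172.10.10.3", "172.10.10.4", "172.10.10.9"):
        print(host, "->", vacl_action(NO_4IP, ACLS, host, "172.10.10.50"))
```

Two things the simulation makes visible: with 0.0.0.4 instead of 0.0.0.3 the map would drop .0 and .4 and let .1 to .3 through, and if the "forward everything" entry were given a lower sequence number than the drop entry it would match first and the block would never apply.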

Tuesday, November 16, 2010

Dot1x Port Based Authentication

The best known way of controlling which hosts can use a port is port security, which works on MAC addresses. A more advanced way is port based authentication with dot1x, based on the IEEE 802.1X standard, where the user or device has to prove its identity before the port is opened.

A major difference with port security is that both the client (supplicant) and the switch (authenticator) must be configured for dot1x. The authentication server must speak RADIUS, because the switch carries the EAP exchange inside RADIUS; TACACS/TACACS+ cannot be used for this. The switch therefore also needs AAA and a RADIUS server configured. The command that activates dot1x on the switch is “dot1x system-auth-control” in global configuration mode.

Before the client is authenticated, the port only passes 3 protocols: Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP) and EAPOL (EAP over LAN). EAPOL carries the EAP authentication between the client and the switch; the switch relays the EAP messages to the RADIUS server and waits for the server's decision on what to do with the client. Once the client is authenticated, the port passes all traffic.

The next step is to configure the port for dot1x authentication. The port can be in 3 authorization modes:

1. Force-authorized, which treats every client on that port as authorized without any authentication at all. This is the default mode.

2. Force-unauthorized, which keeps the port unauthorized for every client, even one that tries to authenticate.

3. Auto, which enables dot1x on the port and initially blocks the client from doing anything but EAPOL authentication. After the authentication succeeds, the port is opened for the client.

The command on the switch’s port is as follow:

“(config-if)#dot1x port-control [auto | force-authorized | force-unauthorized]”
 
The client has to be configured too. On Windows the setting is under Start > Control Panel > Network Connections, in the properties of the connection: tick the “Enable IEEE 802.1x” checkbox and choose the EAP type. EAP-MD5 is the simplest to set up, but it only authenticates the client with a password hash that anyone sniffing the EAPOL exchange can attack offline, and it does not authenticate the server, so for a real deployment use PEAP or EAP-TLS instead.

As a summary, dot1x configuration needs to be done on the switch, the switch port, the RADIUS server and the client, and it only works with RADIUS as the server protocol.