Sơ đồ bài lab:

Bài lab gồm 2 Router R1 và R2 nối với nhau qua 2 cổng FastEthernet. Chúng ta sẽ cấu hình 2 Router chạy giao thức định tuyến EIGRP để kiểm định một số điểm trong lý thuyết, bao gồm:

* Các bảng trong EIGRP: neighbors, topology, routing

* Load Balancing

* Variance

* Successor và Feasible Successor

Cấu hình R1:

!

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 1.0.0.0
network 192.168.0.0
network 192.168.1.0
auto-summary
!

Cấu hình R2:

!        
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.252
duplex auto
speed auto
!
router eigrp 1
network 2.0.0.0
network 192.168.0.0
network 192.168.1.0
auto-summary
!

1. Các bảng trong EIGRP

a. Neighbors table

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   192.168.1.2             Fa1/0             12 00:12:47   49   294  0  12
0   192.168.0.2             Fa0/0             14 00:12:52   38   228  0  13

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   192.168.1.1             Fa1/0             14 00:13:50   78   468  0  9
0   192.168.0.1             Fa0/0             13 00:13:54  686  4116  0  10

b. Topology table

R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(1.1.1.1)

Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 1.1.1.1/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 1.0.0.0/8, 1 successors, FD is 128256
        via Summary (128256/0), Null0
P 2.0.0.0/8, 2 successors, FD is 156160
        via 192.168.0.2 (156160/128256), FastEthernet0/0
        via 192.168.1.2 (156160/128256), FastEthernet1/0
P 192.168.0.0/24, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 192.168.0.0/30, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 192.168.1.0/24, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 192.168.1.0/30, 1 successors, FD is 28160
        via Connected, FastEthernet1/0

R2#show ip eigrp toplogy
IP-EIGRP Topology Table for AS(1)/ID(2.2.2.2)

Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 2.2.2.2/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 1.0.0.0/8, 2 successors, FD is 156160
        via 192.168.0.1 (156160/128256), FastEthernet0/0
        via 192.168.1.1 (156160/128256), FastEthernet1/0
P 2.0.0.0/8, 1 successors, FD is 128256
        via Summary (128256/0), Null0
P 192.168.0.0/24, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 192.168.0.0/30, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 192.168.1.0/30, 1 successors, FD is 28160
        via Connected, FastEthernet1/0
P 192.168.1.0/24, 1 successors, FD is 28160
        via Summary (28160/0), Null0

c. Routing table

R1#show ip route
…………………………

Gateway of last resort is not set

     1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       1.1.1.1/32 is directly connected, Loopback0
D       1.0.0.0/8 is a summary, 00:17:06, Null0
D    2.0.0.0/8 [90/156160] via 192.168.1.2, 00:17:06, FastEthernet1/0
               [90/156160] via 192.168.0.2, 00:17:06, FastEthernet0/0
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.0.0/30 is directly connected, FastEthernet0/0
D       192.168.0.0/24 is a summary, 00:17:06, Null0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/30 is directly connected, FastEthernet1/0
D       192.168.1.0/24 is a summary, 00:17:03, Null0

R2#show ip route
…………………

Gateway of last resort is not set

D    1.0.0.0/8 [90/156160] via 192.168.1.1, 00:17:00, FastEthernet1/0
               [90/156160] via 192.168.0.1, 00:17:00, FastEthernet0/0
     2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       2.2.2.2/32 is directly connected, Loopback0
D       2.0.0.0/8 is a summary, 00:17:06, Null0
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.0.0/30 is directly connected, FastEthernet0/0
D       192.168.0.0/24 is a summary, 00:17:00, Null0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/30 is directly connected, FastEthernet1/0
D       192.168.1.0/24 is a summary, 00:16:57, Null0

Bảng định tuyến sau khi bật no auto-summary:

R1(config)#router eigrp 1
R1(config-router)#no aut
R1(config-router)#no auto-summary
R1(config-router)#
*Mar  1 00:25:49.243: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.0.2 (FastEthernet0/0) is resync: summary configured
*Mar  1 00:25:49.247: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (FastEthernet1/0) is resync: summary configured

R1#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/156160] via 192.168.1.2, 00:01:20, FastEthernet1/0
                [90/156160] via 192.168.0.2, 00:01:20, FastEthernet0/0
     192.168.0.0/30 is subnetted, 1 subnets
C       192.168.0.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet1/0

R2(config)#router eigrp 1
R2(config-router)#no au
R2(config-router)#no auto-summary
R2(config-router)#
*Mar  1 00:25:01.707: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.0.1 (FastEthernet0/0) is resync: summary configured
*Mar  1 00:25:01.711: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (FastEthernet1/0) is resync: summary configured

R2#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/156160] via 192.168.1.1, 00:01:50, FastEthernet1/0
                [90/156160] via 192.168.0.1, 00:01:50, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     192.168.0.0/30 is subnetted, 1 subnets
C       192.168.0.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet1/0

2. Load balancing

R1(config-if)#int fa0/0

Nhìn 2 bảng định tuyến trên, ta thấy đường đi đến 2 interface loopback trên 2 router đã được tự động load balancing (vì có feasible distance bằng nhau). Bây giờ ta thử thay đổi metric của 1 trong 2 đường để kiểm tra.

Nhắc lại: công thức tính Metric trong EIGRP (đơn giản) = . Bandwidth và delay ở đây được tính trên out-going interface của đường route.

Để thay đổi metric, ta có thể thay đổi bandwidth hoặc delay (nếu không cấu hình bandwidth, EIGRP mặc định interface đó có tốc độ T1 = 1.54 Mbps). Bandwidth được cấu hình trên interface chỉ có ý nghĩa để tính metric, không ảnh hưởng đến tốc độ thực tế của đường truyền.

R1(config-if)#int fa0/0
R1(config-if)#bandwidth 512

R1#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/156160] via 192.168.1.2, 00:02:01, FastEthernet1/0
     192.168.0.0/30 is subnetted, 1 subnets
C       192.168.0.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet1/0

Khi show ip route lại, ta thấy trên Router R1 chỉ còn 1 đường route qua mạng 2.2.2.2

R1#show ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(1.1.1.1)

Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 2.2.2.2/32, 1 successors, FD is 156160
        via 192.168.1.2 (156160/128256), FastEthernet1/0
        via 192.168.0.2 (5130496/128256), FastEthernet0/0
P 1.1.1.1/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 192.168.0.0/30, 1 successors, FD is 5002496
        via Connected, FastEthernet0/0
        via 192.168.1.2 (30720/28160), FastEthernet1/0
P 192.168.1.0/30, 1 successors, FD is 28160
        via Connected, FastEthernet1/0

Tuy nhiên, khi show ip eigrp topology, ta vẫn thấy 2 đường route, đó là vì AD của đường route qua 192.168.0.2 = 128256 < 156160 = FD của đường route qua 192.168.1.2 nên đường này trở thành Feasible Successor.

Some STP Basics
On most Cisco Catalyst switches, STP is enabled on all ports by default.   Port initialization requires upwards of 30 seconds to complete, and can take as long as 50 seconds.
This thirty second “delay” can be attributed to the time required for the port to transition from Listening to Learning and finally to Forwarding.
The Listening and Learning transitions each require about 15 seconds.
This transition period can be painful for end users waiting to gain access to the network.  To the untrained IT person it can be misdiagnosed as “some sort of network issue”.

PortFast to the Rescue
Portfast shortens the Listening and Learning states allowing the link to transition to the Forwarding state in as little as three seconds.
This translates to quicker access to the network for the end user when they power on their PC, connect a laptop to a wired port, etc.
Enabling PortFast does not disable STP on the port, it simply allows us to get to the Forwarding state much faster.

Let’s enable PortFast on switch ports 1 – 4 using the spanning-tree portfast command.  IOS provides a reminder of the possible consequences.

Looping ports Fa0/2 and Fa0/3 reveals that we still have adequate loop protection as Fa0/3 transitions to a Blocking state within ~2 seconds.  Other hosts on the switch are not affected.
In this scenario, PortFast protects against mistakes made in the wiring closet or on the off chance that two access ports would become looped under a desk.  (don’t laugh, I’ve seen it happen)
Here’s a partial output from the show spanning-tree command.

Note that Fa0/3’s Role has changed to Back.  This is helpful information as it indicates that two or more ports on the same bridge are connect together.
Fa0/3’s Status has changed to BLK, effectively blocking the loop condition .

The Tech Savvy End-User
Let’s say an end user wants to add a couple of extra network ports to their cubicle.  Instead of calling the help desk and being questioned as to what unauthorized device they are trying to connect to your LAN, they pick up an unmanaged switch from local retailer and connect it to their access port, Fa0/2.  (for the sake of this post let’s assume we’re not MAC locking ports on the switch)

What happens when two ports on the parasite switch connected to access port Fa0/2 become looped?  This partial output from show spanning-tree provides some info.

This should generate a call to the help desk as Fa0/2 immediately transitions to a Blocking state, preventing traffic from the looped parasite switch from entering the network.
Role is indicating Designated (DESG) which means that Fa0/2 is not looped with another port on this switch.  The Type field provides additional information.  Self-looped is a good indicator that something interesting is happening on Fa0/2.  No other hosts on the access switch were impacted.

Conclusions
PortFast is a great feature and can be enabled without compromising loop protection.  You should think twice about ever disabling spanning-tree.  I’ve seen a looped parasite switch bring down a 400 node network where spanning-tree had been disabled or wasn’t available on the particular switches the client has deployed.  Yet another argument for purchasing quality switches for your infrastructure.

https://learningnetwork.cisco.com/thread/8498?tstart=0

“To address questions about the future of CCNP certification, Cisco would like to alert students, instructors, customers, and partners to an upcoming announcement. At the end of January 2010, Cisco will be formally announcing a revision to the popular Cisco Certified Networking Professional curriculum and certification. It has been several years since the last revision, and changes are required to ensure the CCNP certification remains relevant to the role of enterprise networking professionals. Even as revisions are made, Cisco is committed to giving students and professionals who have begun the CCNP certification process adequate time to adjust their study plans and complete their certification. At the time of the announcement, the current CCNP curriculum and exams will not be immediately retired, consistent with past practice. Details for how the new CCNP requirements will be phased in will be included in the January announcement.

Thank you for your patience as we complete the work necessary to provide a high-quality updated curriculum and certification program. Although we cannot release further details at this time, you are welcome to contact Certification Support for other certification and training related concerns.

Best regards,

Cisco Certifications Team
“

A Cisco switch generates a small amount of network traffic as part of it’s normal housekeeping functions.
It’s important to be able to recognize normal “background noise” when looking at a packet capture.

Below is a packet capture from a Catalyst 3560.  The only device connected to the switch is  an Xp virtual machine running Wireshark.
Note the four types of packets that appear at regular intervals, STP, LOOP, DTP and CDP.  (click on the image for a larger view)

STP
A Spanning Tree Bridge Protocol Data Unit (BPDU) is sent every two seconds as part of the loop detection process.
This particular packet tells us that the root bridge is 00:22:be:21:3e:80, which also happens to be the switch we are connected to.

It is possible to prevent BPDU’s from being sent out an interface by enabling BPDU Filtering .

BPDU Filtering can be enabled globally for every port that has PortFast enabled by using the spanning-tree portfast bpdufilter default command.

Note this also disables loop detection on all access ports,  probably not a good idea under most circumstances.

LOOP
LOOP Reply is a Layer 2 keepalive packet that is sent every ten seconds by default.
The LOOP Reply verifies to IOS that the link is up.  The switch does not actually listen for a reply, it simply verifies that was able to send the packet out the interface.
Loss of three consecutive Layer 2 keepalives will cause the interface to transition to a down state.
It is possible to configure the interval between packets by using the keepalive interface configuration command.

DTP
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol used to negotiate a common trunking mode between two switches.
A trunk link differs from an access port in that a trunk can transport more than one VLAN.
DTP packets are sent every thirty seconds by default.
If the switch port is configured as an access port using the switchport mode access command, DTP packets will not be sent from that interface.

When an access port is reconfigured as a trunk port, transmission of DTP packets will resume 30 seconds after the port is reconfigured.

CDP
Cisco Discovery Protocol (CDP) packets are sent every sixty seconds by default.
CDP provides information about the capabilities of a device to it’s connected neighbor.
CDP can be disabled and it’s not a bad idea to do so under certain circumstances especially if security is a concern.

CDP can be disabled globally with the no cdp run command.

CDP can also be disabled on a particular interface with the no cdp enable command.

It can be quite confusing and frustrating when searching the Cisco.com site for information related to the topics you are studying for the certification exams. In this post, I will include PDF documents that I found helpful in studying for site-to-site and remote access VPN setup and troubleshooting.

How Virtual Private Networks Work

An Introduction to IPSec Encryption

Configuring IKE Security Protocol

Configuring IPSec Network Security

Configuration Example 1

Common IPSec Troubleshootin Solutions

I would also recommend reading to help prepare for the ISCW overall:

CCNP ISCW Official Exam Certification Guide by Brian Morgan

CCNP Implementing Secured Converged Wide-Area Networks (ISCW 642-825) Lab Portfolio (Cisco Networking Academy) by David Kotfila

Cisco Network Professional’s Advanced Internetworking Guide by Patrick J. Conlan

CCNA Security Official Exam Certification Guide (Exam 640-553) by Michael Watkins

Start

A partir de hoy en este blog iré publicando notas, apuntes, y todo aquello que este relacionado con el networking.

Mi meta principal es logra cuantas certificaciones sean posibles (¿Alguien menciono CCIE?), pero mi meta a corto plazo sera conseguir la certificación de CCNA. Esto es todo por ahora.

~mφxαsm

Lab 3-1

Lab 3-2

Lab 3-3

Lab 3-4

Lab 3-5

Lab 3-6

Lab 3-7

Lab 3-8

Lab 3-9

Lab 3-10

Lab 3-11

Lab 3-12

Lab 4-1

Lab 4-2

Lab 5-1

Lab 5-2

Lab 5-3

Lab 5-4

Lab 5-5

Lab 5-6a

Lab 5-6b

Lab 5-6c

Lab 5-7

Lab 5-8

Lab 6-1

Lab 6-2

Lab 6-3 = Unable to complete fully due to SDM v2.5 not supporting old version 4.xx SDF file.

Lab 6-4 = Completed on the 2650XM however only IOS version 12.4 supports the SDF file (no support in 12.3 and only support for version 5 in 12.4T, yeah Cisco did not make it backward compatible for the SDF files).

So I got my ISCW Lab Portfolio and certification guide books a couple of days ago, and I am trying to tie the theory with the hands on. This lab is basic enough for me to setup (3 routers connect with serial cables). I will post my configurations below:

!!!!BEGIN – Router 1 – Step 1!!!!
interface loopback 0
ip address 172.16.2.1 255.255.255.0
exit
interface serial 2/0
ip address 192.168.12.1 255.255.255.0
no shut
exit
!!!!Router 1 – Step 2!!!!
router eigrp 1
no auto-summary
network 192.168.12.0
exit
!!!!Router 1 – Step 3!!!!
interface tunnel0
tunnel source serial 2/0
tunnel destination 192.168.23.3
ip address 172.16.13.1 255.255.255.0
exit
!!!!Router 1 – Step 4!!!!
router eigrp 2
no auto-summary
network 172.16.0.0
exit
!!!!END – Router 1!!!!

!!!!BEGIN – Router 2 – Step 1!!!!
interface serial 1/0
ip address 192.168.12.2 255.255.255.0
clock rate 128000
no shut
exit
interface serial 0/1
ip address 192.168.23.2 255.255.255.0
no shut
exit
!!!!Router 2 – Step 2!!!!
router eigrp 1
no auto-summary
network 192.168.12.0
network 192.168.23.0
exit
!!!!END – Router 2!!!!

!!!!BEGIN – Router 3 – Step 1!!!!
interface loopback 0
ip address 172.16.3.1 255.255.255.0
exit
interface serial 0/1
ip address 192.168.23.3 255.255.255.0
clock rate 8000000
no shut
exit
!!!!Router 3 – Step 2!!!!
router eigrp 1
no auto-summary
network 192.168.23.0
exit
!!!!Router 3 – Step 3!!!!
interface tunnel0
tunnel source serial 0/1
tunnel destination 192.168.12.1
ip address 172.16.13.3 255.255.255.0
exit
!!!!Router 3 – Step 4!!!!
router eigrp 2
no auto-summary
network 172.16.0.0
exit
!!!!END – Router 3!!!!

1. When R1 pings 172.16.13.3, and R1 sends the packet toward R2, what is the source address of the packet?
2. What is the destination address of the packet?
3. Is this packet encrypted using the commands you entered?

Using the “debug ip packet” command on R1, the output shows that the source is 17.16.13.1 and the destination is 172.16.13.3. It looks like R1 puts the source (172.16.13.1) and destination (172.16.13.3) IP addresses into an IP packet before encapsulating it with a GRE header. R2 removes the GRE header and processes the packet. It performs the same process as R1 when replying to the ICMP request. The packet is not encrypted.

Ok so the last blog seems to have dropped of the earth, and to be honest I’ve been so busy of late I really haven’t kept it up to date. So here I am, a new blog with a new blog host and with a custom url no less (no expense spared here !)

Work has kept me very busy of late, there has been so much going on that most days are a bit of a blur. Gladly things seem to be settling down a wee bit now so I thought it was about time I put my head down and finished my CCNP. It seems so long ago since I passed the BCMSN and I had planned to be at least three exams in by now, but it all went a bit pear shaped. So I am back on track and studying for the ISCW, yes I know some are going to say what about BSCI but I do a fair amount of routing and switching on a daily basis so I plan to do that last. Although I do a fair bit of MPLS, VPN’s, AAA and the like, this one just seemed like a nice break from the mundane and a suitable place to go next.

So….. If all goes well I’ll be updating at least once a week with my progress and anything I find that may be useful to the wider world of network persons going about their day to day. Obviously been me, there will be the odd whinge and gripe, and excitement as Apple unveil their latest products. That’s right, my passion is not just with Cisco stuff  and all things network, I am one of those mightily annoying Apple monks that feel the need to convert anyone that will listen to the enlightened ways of the Mac. Welcome !

Just when I was getting started to study for the CCNP, Cisco decided to update it so now I have to haul ass before my books are worthless. Check out the PDF for more info: CCNP-FAQ-23Sep09

I finally got my new workbook for the INE CCNP courseware.  I also own the CCIE workbook volume 1 and this seems to be on par quality wise.  I’d been struggling through the Cisco Press BSCI lab workbook but this may have saved me from it.

The CCNP topology is a little different than the CCIE topology in that the BB1 and BB2 routers aren’t included.  This means I get to recable my rack.  Once I get everything put together and complete a section or two I’ll be sure to give my review.

http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html

http://www.cisco.com/en/US/tech/tk436/tk428/tsd_technology_support_protocol_home.html

Cisco IOS MPLS command reference

PDFs from Cisco.com

Introduction to MPLS

MPLS FAQ For Beginners

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

QoS

*** Theory ****

• Traffic Class: Traffic should be separated into queues. Should have a max bandwidth set as it should not eat all the bandwidth. Should have a min bandwidth to guarantee and should have prioritisation
• Variable Length Delays:
  • Queuing delay – Time packet sits in exit queue before transmission
  • processing delay – Time from incoming queue to outgoing queue
• Fixed Length Delays
  • Serialization Delay – Time it takes to put packet in hardware queue
  • Propagation Delay – Time it takes to send bits across the link (formula)
• End to End Delay – sum or Queuing, processing, serialization and propagation delay and causes jitter for audio and video streams.
• QoS Models
  • Best Effort – 1^st in, 1^st out.
  • IntServ – uses RSVP to reserve bandwidth in advance. Known as a signalling protocol. Not efficient as it waste bandwidth
  • DiffServ – uses Per Hop Behaviour (PHB). Every node makes a decision on the packet. More scalable and more preferred. Uses classification and marking
    • Classification – Identify certain types of traffic
    • Marking – Assigning a value to that class of traffic
• Marking
  • CoS Value: Layer 2 marking, 3 bits = 8. Only applied on frames being trunked as no point in CoS for traffic that is local to that node i.e. switch. CoS markings are lost at each hop. There for copy CoS to ToS
  • IP Prec – Uses ToS value which is 8 bits. MSB, first 3 bits is the IP Prec
  • DSCP – ToS byte is referred as DiffServ and the first 6 bits makes up the DSCP. It is backward compatible with IP Prec via class selector, The AF bit defines four classes and the CS bit defines drop probability (3 = highest drop probability)
    • Expedited Forwarding (EF) – Ideal for voice and video
    • Assured Forwarding – noted as AFXX
      • 1^st X = class number
      • 2^nd X = CS Value
        • Class 1: AF11 (Low drop), AF12, AF13 (High drop)
        • Class 4: AF41, AF42, AF43
• Ingress Interface
• Queuing: Congestion management technique. What packet leaves the router first. Only 1 queuing scheme per interface
  • Bandwidth: Never assign more than 75% interface bandwidth
  • Queue Limit: Packets in queue before tail drop
• FIFO – 1^st in, 1^st out. Default for greater than E1 speed.
• Round Robin – No queue has priority. Round robin a packet from each queue
• Weighted Round Robin – Like above, but can assign weight to a queue so more packets from that queue can be round robin. E.g. 2 packets from Q1 and 1 packet from Q3. No queue starvation in RR or WRR.
• Priority Queuing: Suffer from queue starvation. Has 4 queues H, M , N (Default)  and L. Don’t have lots of traffic as high, otherwise lower queues will starve.
• Weighted Fair Queuing – Default for serial interfaces running E1 or lower. WFQ does not use access lists. Packets handled based on flow. Flow can be;
  • Source and Dest IP / Port, Protocol Number, ToS

It gives priority to low-volume / small talker flow over high volume flows aka aggressive flows. Packets are dropped from high volume flows before low volume flows. WFQ dynamically builds and tear queues as needed. Max is 256 queues

• Congestive Discard Threshold (CDT) – No. Of packets in queue before dropping it from high volume conversations.
• WFQ will not work for: VI, loopback and diallers. Bridging or tunnelling, LAPB, X.25, SDLC
• Class based WFQ – Create classes and place in own queue. The assign guarantee bandwidth. No risk of queue starvation. Up to 64 queues. Use either FIFO or WRED. Uses MQC
  • MQC – Modular Command Line
    • Access List – define interesting traffic
    • Class Map – Match Access List or other criteria
    • Policy Map – Assign QoS etc to class map
    • Service Policy output – Assign the Policy Map to the interface and direction
• LLQ aka strict priority queue – Suitable for voice as it gives priority whereas CBWFQ etc don’t. It can be seen as extension of CBWFQ as it similar to setup. Uses priority command instead of bandwidth command.
• NBAR: Identify flows on network and good to use for marking and classification. Uses PDLM to keep up with new definitions etc. Requires CEF and applies to interface only. Does not support non-IP traffic, packets created or destined for the local router, MPLS packets and fragments
• Congestion Avoidance
  • Tail Drop – When the queue is fall, other packet entering the queue is dropped hence tail drop. Because of this, the sender realises the packets has been dropped and will throttle back it transmission as part of TCP detection & recovery. The sender gradually increases transmission. This leads to TCP Global Synchronisation
  • TCP Global Sync – Multiple senders will transmit at slow rate then fast rate in accordance to how full the queue is, the slow and fast typically is sync for all senders so link it either fully utilised or underutilised. To avoid this, we use RED or WRED
  • RED – Drop packets before the queue fills up, thereby avoiding tail drop that leads to TCP Sync issue. RED can drop at higher rate as the fuller the queue becomes. RED uses three values
    • Min threshold – When RED begins to drop packets
    • Max threshold – RED drops as many as it can
    • Mark Probability Denominator  - Value for how many packets can be dropped e.g. when the max threshold is met, drop 1 packet for every <MPD> packets
• WRED – Same as RED, but uses IPrec /dscp values to determine which packets are dropped so it not totally random. Enable on interface, default is IPrec, weight is 9 and MPD is 10
• Traffic Shaping – Friendly policy towards excess traffic. Good for bursty traffic. Applied only to outgoing interface
• Traffic Policing – Packets are either dropped or re-marked. Set for incoming or outgoing interface
• L2 Compression / L2 Payload Compression – uses stacker, predictor and msoft.
• Header Compression (Done at the interface and one side must be active)
  • TCP – IP and TCP header is compressed. Use with CBWFQ for good data transmissions.
  • RTP – IP (20 bytes), RTP(12 bytes) and UDP(8 bytes) headers are compressed to around 2 to 4 bytes. Use RTP HC and LLQ for voice, which is good
• Link fragmenting and interleaving – operates at L2. Sometimes we may have large data packets in the hardware queue (not software queue) and until that is sent, voice packets will have to wait. What we can do is fragment the large data packet into smaller packets and mix them with voice packets so the voice packets do not have to wait so long
• QoS over VPN – Use QoS preclassification if QoS is not based on ToS but src or dst IP ports et
• CoPPs – Protect control plane, Control Plane handles network control traffic.

• FIFO – not ideal for time sensitive traffic
• WFQ – Weighted Fair Queuing – Allows flow/stream to go through. Runs default on serial connections with E1 or less.
• CBWFQ – Class Based – Allows admin to decide what flows are transmitted first. Manual. Cant assign more than 75% of interface bandwidth as 25% is reserved for network control and routing
  • WFQ and CBWFQ can’t be running together
  • Tail drop – packet drop due to tail drop results in TCP senders reducing transmission rate., congestion is reduced, then transmission increases from all senders which means congestion again. This problem is known as  tcp global synchronisation
  • Weighted (WRED) / Random Early Detection (RED) – Helps combat TCP global synchronisation by using this instead of tail drop. RED uses IP Prec or DSCP to drop packets early before queue is full. WRED drops packet from other queues before priority queue. Ineffective against UDP!
  • Low Latency Queuing (LLQ) – Adds to CBWFQ. Allows to avoid Jitter. Used for VoIP
    • WRED and LLQ can’t work together
    • LLQ Policy = create extended access list > create a class-map and match access-list > create policy-map and assign the class-map to it > assign policy-map to interface
    • Priority Queuing – High, Med, Normal, Low.  

MCP, MCSA, MCITP, MCPD, MCSE, CCNA, CCNP, MCTS, A+, CCSP, CCVP, CCIE, OCP, OCA, VCP 310, Network+, Security+, Server+, Linux+ Vmware, ITIL, Apple, Avaya, Ciw, Citrix, Juniper, blackberry, Oracle, Sun, Java, Nortel, IBM, HP, EMC, Novell, nokia and Many more. We will use your name to take your test in our testing center, so you no need to take any training, no need to take the test or go anywhere. You can certified at home without any effort. We have 100% pass rate so we give you 100% guarantee for your All IT- certification. All that you need to do is wait for 7 business days only.
For more details visit our website, www.certxpert.com or email us at, certxperts@yahoo.com

100% assured guaranteed pass MCP, MCSA, MCSE, CCNA,MCITP, MCPD, CCNP, MCTS, A+, CCSP, CCVP, CCIE, Citrix, Juniper, blackberry OCP, OCA, VCP 310, Network+, Security+, Server+, Apple, Avaya, Ciw, Oracle, Linux+ Vmware, ITIL, Sun, Java, Nortel, IBM, HP, EMC, Novell, nokia and Many more.

Fore more details contact: www.certxpert.com

email: certxperts@gmail.com

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

Network Modelling

*** Theory ***

• Three Layer Model (3 Layers)
  • Core – Low latency, fast switching, Advanced QoS, Redundancy, Root Bridges
  • Distribution – Handle routing, High Speed ports,
  • Access – VLAN, Basic QoS, Traffic Filtering, Redundant uplinks, future growth, high port density

• Cisco Enterprise Architecture (6 Modules)
  • Campus – Core layer of campus network.
  • Edge – Internet connectivity, DMZ, VPNs
  • WAN – PPP, Frame, DSL, MPLS
  • Branch – Remote Office
  • Teleworker – SOHO / Mobile Users
  • Data Centre – DR
• Intelligent Information Network (Vision)
• SONA – Single Vendor and Virtualisation
  • Application Layer – How end users interact
  • Interactive Service Layer – Virtualisation
  • Network Infrastructure layer
  
  

*** Other ***

• Reconinsense Attack –Uses packet sniffers etc . Combat with switched infrastructure.
• DoS Attacks – Can use IP spoofing and DoS attacks
• Virus – requires human assistance to spread
• Worm – Saved in memory, spreads automatically
• ip inspect – is IOS firewall (formly CBAC). Inside interface inspects inbound and outside interface inspects outbound

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

IPSec

*** Theory ***

• DOCSIS – Standard governing how cable operators reserve bandwidth for data transfers. When modem boots up it finds a DOCSIS channel (scans for RF for QAM lock). CMTS sends 3 messages (MAP, UCD, SYNC) to modem. It then requests IP from DHCP Server. Modem gets config file via TFTP (address given by DHCP). Modem then register with CMTS and negotiates QoS etc
• ADSL – Up to 8MB DL and 1MB UL. Limited to 18,000 feet limitation. Can use phone via POTS Splitter.
  • Coding methods
    • CAP – Single Carrier Method – Divides phone line into three separate channels. (V, Upstream, Downstream) – Been replaced by DMT
    • G.Lite – one of two multicarrier methods “splitterless ADSL”. Limited to 1.5MBPS DL and 512 KBPS UL = slow
    • DMT – The 2^nd multicarrier method – Uses 256 channels to carry data
  • HDSL – Same UP/DL rate (Symmetric). Can’t use the phone
  • HDSL2 – Allows for VOIP
  • RADSL – UL/DL are adjusted dynamically
  • Satellite – Very slow.  DL 500K and UL 50K (On a clear day!)
  • Problems
    • Attenuation – Signal gets weak
    • Impedance Mismatch – Bad splice or corrosion
    • Cross talk (Inside)
    • AM Radio (Outside)
  • ATM – Uses DSLAM Switches (has DSL card) for data transport.
    • PPPoE vs PPPoA – Key difference is oA uses routing and oE uses bridging
    • PPPoE (RFC 2516) – Typically uses Chap.  Host devices uses discovery to get MAC of PPPoE Server. This creates SESSION_ID.
      • Interface setups
        • Connection to DSLAM – No IP address need and dial pool number (needed) which binds a dialler interface to an Ethernet one.
        • Dialler
          • Ip mtu 1492 – Reduce from 1500 to allow for PPPoE headers
          • Ip address negotiated – Allows for DHCP address to be given
          • Ip nat outside (if using Nat)
      • Default route should be dialler interface
      • Use dialler interface when using NAT inside for PAT.
• PPPoA – If encapsulation is running under PVC, you are running PPPoA
  • Interface Setups
    • Connecting to DSLAM (ATM 0/0)
      • No ip address
      • Dsl operating-mode auto / Auto negotiate modulation with downstream router
      • Pvc 100/120 / Like DLCI
      • Pppoe-client-dialer-pool-number-1
• RFC 1483/2684 Bridging – Easy to setup. Multiprotocol. Single user environment. Uses lots of broadcasts, not scalable, can be attacked.

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

IPSec

*** Theory ***

• VPNs
  • Data origin ,e.g. AH, ESP
  • Encryption
    • (S) Symmetric Encryption – Same key for enc/decryption. Aka secret key.
    • (A) Asymmetric Encryption – 2 keys. Public and Private.  Encrypt with public, decrypt with private. Private always stay local.
    • DH – Allows the exchange of secret keys over a non-secure connection
      • (S) DES is 56bit
      • (S) 3DES is 3 DES keys on top of each other. So 3 x 56 = 168bit (really 112)
      • (A) AES is the best.
• Data Integrity AH, ESP
• Anti replay AH, ESP
  • Mitigate via sequence number on packet.
  • GRE – Encapsulate packet in an IP header. Has no encryption. GRE is multiprotocol. IPSec is really IP only. So GRE over IPSec makes sense.  Can use GRE to send routing protocols over IPSec etc. GRE Encaps first then IPSec encaps
  • L2TP/PPTP – No encryption
  • IPSec – Earlier versions could not carry multicast traffic.
    • Tunnel Mode – Transparent to end host
    • Transport Mode
    • AH (Protocol 51) – Method for authentication and securing data (protects payload of packet. AH less overhead than ESP
    • ESP (protocol 50) – It authenticates, secures and encrypts. Preferred over AH
    • IKE (UDP 500) – negotiates the security parameters and authentication keys
      • Phase 1 – Agreement on methods to exchange data aka SA (Security Association). 1 SA per tunnel.
        • Aggressive Mode – Faster, but not encrypted. 3 Messages,
        • Main Mode – 6 messages. R 1 “DES or 3DES? MD5 or SHA?” R2 “DES and MD5 please” etc DH Keys, Authenticate
  • Phase 1.5 – Known as XAUTH for security
  • Phase 2 – 2 SA per 1 tunnel.
    • Quick Mode – 3 messages
    • Crypto Access List – Defines interesting traffic that starts the IKE/ IPSec process
      • Steps on Cisco Router
        • 1) Create ISAKMP policy 2) Create IPSec transform set 3) Define interesting traffic with crypto access-list 4) Create Crypto Map and apply to interface
    • Dead Peer Detection (DPD) – Keepalive for IPSec.  Sends hello every 10 seconds unless it receives a hello from peer. This means overhead because of enc ry/decryption. Can use on-demand where router sends DPD hello only prior to sending data to peer.
  • • Troubleshooting
      • MM_NO_STATE – Phase 1 attribute mismatch
      • MM_KEY_EXCH – Incorrect pre-shared key or peer IP address