A fictional company "Kasifler", has connections to two different Service Providers, Avea (Primary) and Vodafone (Secondary).
Router R4 is the PE router for Avea and depicts the Avea network, included are some loopback networks.
Router R5 is the PE router for the Vodafone network which also has loopback interfaces to simulate networks inside Vodafone, or the Internet.
The remaining routers, R0 through R3, belong to our company Kasifler. R0 is really used as a client and test bed to check reachability to the inside / from the outside.
Our primary router R1 is the VRRP master, with R2 and R3 as backup VRRP routers. They all have their WAN interface "tracked", and in a failure situation this is the preferred fail-over order: R1 -> R2 -> R3
There are also BGP peerings with our providers; be careful not to become a transit network here! (Demonstrated with some as-path route maps)
Take down interfaces from R4 -> R1 or R4 -> R2 to test the VRRP action.
Link to Project file on Filefront
31 Dec 2009
E-Carrier, G.703 [wip]
E1 is a synchronous telecom technology which uses TDM (time-division multiplexing).
An E1 frame is divided into 32 Timeslots of 64Kbps each. (8 bits sampled 8000 times a second = 64Kbps)
Timeslots 0 - 31
Physical Interface
------------------
Balanced: 120ohm 2 pair twisted wire. RJ-48 (1,2,4,5) and 8P8C connector.
Unbalanced: 75ohm coax pair. Uses BNC connectors.
Logical Presentation
--------------------
Unframed G.703: Allows usage of full bandwidth. 2.048Mbps for E1, 1.544Mbps T1.
Framed G.703: Spec defined by G.704. Timeslot 0 is used for framing, timing, synchronization and alarm signalling. Timeslot 16 is used for Signalling. The rest of the timeslots can be defined to carry data or be idle. There is also the option of using CRC-4.
Line Encoding
-------------
This is the method of physically putting 1s and 0s on the wire. These operate on Layer 2.
HDB3 (High-Density Bipolar 3): mostly used in Europe.
AMI, B8ZS: used in North America.
Clock Source
------------
You can either use clocking from the line, which is provided by your telecom company, or the internally generated clock of your router / CSU-DSU.
Good Introduction to G.703
The FAQs of Life About G.703 @ Patton
24 Dec 2009
17 Dec 2009
CCNP 2 more to go
Just passed the BCMSN, gearing up for MPLS/VPN stuff in ISCW. End of January target date.
14 Dec 2009
CEF Fundamentals
12 Dec 2009
GNS3 Lab w/ pfSense Firewall
Here's a lab I've been working on.
It's based on a company topology from an article on cisco.com, which has access/distribution switches with STP load-balancing between Data/Voice/Service VLANs.
I connected it to an Edge router using EIGRP inside, which then connects to a pfSense VM appliance firewall, which in turn connects to an ISP router. Some good exercises to try in here: security, NAT, BGP (with a second ISP connection), PPPoE, etc.
11 Dec 2009
802.1w Rapid Spanning Tree Protocol
Uses very similar concepts to 802.1D STP, incorporates the Cisco proprietary PortFast, UplinkFast and BackboneFast techniques, and has overall faster convergence.
The port states and roles are decoupled to make faster and more intelligent decisions on topology. Neighboring bridges interact with each other using BPDUs instead of just relaying the root bridge's BPDU. A proposal/agreement mechanism which doesn't depend on any timers is used to converge the topology very quickly.
Port Roles
Root Port
Designated
Alternate
Backup
Port States
Blocking (discarding)
Learning
Forwarding
Port Types
Edge Port (connected to a host, Portfast)
P2P (full-duplex connection to another bridge)
Shared (half-duplex)
New BPDU stuff
BPDUs are sent every 3 seconds by every bridge.
If 3 BPDUs in a row are not heard from a neighbor, it is considered down.
Additions to the BPDU
Role & state of the originating port.
Handles the proposal / agreement mechanism
RSTP BPDUs are version 2
References:
Understanding Rapid Spanning Tree Protocol (802.1w) @ Cisco
Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks Implementation Guide
10 Dec 2009
PPPoE Lab w/ GNS3
This is a simple lab using a 7200 router as a PPPoE server, which in turn queries a RADIUS server. The RADIUS server was a VMware pfSense appliance. This appliance is very handy for testing purposes and AFAIK is also used in production environments. Download Project Files
8 Dec 2009
Spanning Tree Flavours
802.1D IEEE STP (remember: 802.1Dog slow)
Uses only a single spanning-tree instance for all VLANs.
PVST: Cisco proprietary. Uses a different spanning-tree instance for every VLAN.
802.1w RSTP Rapid STP
RSTP @ Cisco, very good explanation
802.1s MSTP Multiple STP
Cisco whitepaper about MST
16 Nov 2009
Certification plans
CCNP 2/3 BCMSN Exam planned for : Dec 16th
While waiting for the new TSHOOT exam to be released
CCNA Security Exam planned for : 1st of February
13 Nov 2009
Save VLAN.DAT in GNS/Dynamips
You know how, when you boot a router in GNS3/Dynamips, flash: is not persisted and the vlan.dat stored on it is lost? To remedy this, use a vlan.dat saved in nvram:
SW0(config)# vtp file nvram:/vlan.dat
SW0#dir nvram:
Directory of nvram:/
  123  -rw-  1683  startup-config
  124  ----     5  private-config
    1  -rw-     0  ifIndex-table
    2  -rw-   780  vlan.dat
There, now all your vlan/vtp config will be saved..
11 Nov 2009
9 Nov 2009
Fiber Optic connectors
ST (Straight Tip)
SC (Subscriber Connector)
LC (Lucent Connector)
MT-RJ (Mechanical Transfer Registered Jack)
Reference:
Timbercon Fiber Optic Connectors
The Fiber Optic Association - Tech Topics
VLANs #1
VLANs are separate broadcast domains.
VLAN Numbers are 1-1005 (1 and 1002-1005 are reserved)
Extended VLANs are 0-4095. (0,1 and 4095 are reserved)
ISL Trunking
Cisco proprietary protocol. Encapsulates the whole Ethernet frame.
Adding a 26 byte header and 4 byte trailer. (Total of 30 bytes)
802.1Q Trunking
Standards based. Adds a tagging field to the Ethernet Frame.
This is 4 bytes of overhead: 2 bytes of TPID (Tag Protocol Identifier, always 0x8100), 3 bits of Priority field for CoS (Class of Service), 1 bit CFI, and 12 bits of VLAN Identifier.
Has the concept of a Native VLAN. Frames that belong to the native VLAN are not encapsulated with any tagging information.
Because default Ethernet frames are 1518 bytes (1500 bytes of MTU and 18 bytes Ethernet header), with the addition of 802.1Q, Ethernet frame size is increased to 1522 bytes.
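An added example (mine, not from the original notes) that builds and decodes 802.1Q-tagged frames with the field layout described above, treats untagged frames as belonging to the native VLAN, and applies the 1518 / 1522 byte size limits; the MAC addresses and payloads are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED = 1518            # 14-byte header + 1500-byte payload + 4-byte FCS
MAX_TAGGED = MAX_UNTAGGED + 4  # the 802.1Q tag adds exactly 4 bytes


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, cfi=0):
    """Return an Ethernet frame without FCS. vlan=None means untagged (native VLAN)."""
    if not (0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("PCP is a 3-bit field, CFI is a 1-bit field")
    header = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN ID is a 12-bit field")
        tci = (pcp << 13) | (cfi << 12) | vlan      # Tag Control Information
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Decode a frame (without FCS); untagged frames are assigned the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":")}
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 1,
                    vlan=tci & 0x0FFF, ethertype=ethertype, payload=frame[18:])
        limit = MAX_TAGGED
    else:
        # No tag present: the EtherType sits where the TPID would be.
        info.update(tagged=False, vlan=native_vlan, ethertype=tpid,
                    payload=frame[14:])
        limit = MAX_UNTAGGED
    info["oversized"] = len(frame) + 4 > limit   # +4 for the FCS on the wire
    return info


if __name__ == "__main__":
    # Constructed sample addresses and payload, not captured traffic.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    tagged = build_frame(dst, src, 0x0800, b"\x45" * 20, vlan=100, pcp=5)
    print(parse_frame(tagged))
    print(parse_frame(build_frame(dst, src, 0x0806, b"\x00" * 46)))
```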
3 Nov 2009
Building your own CCIE Lab
Using 4 real switches, 10+ NICs, dynamips and vmware it is possible to cover all lab needs. Example:
@7200
HOWTO Connect Real Switches Using One NIC & QinQ
2 Nov 2009
Passed the BSCI
Alright, on to the next.. BCMSN and then when the new courses become available, TSHOOT.
1 Nov 2009
EIGRP Study Notes
Features:
Advanced Distance Vector routing protocol.
DUAL Algorithm
Neighbor relations
Sends only incremental updates
Unequal-Cost Load Sharing
Packet Types:
Hello
Update
Query
Reply
Ack
Neighborship Requirements:
Receive Hello from neighbor
AS Number must match
K values must match
Simplified Metric
metric = 256 * ( 10^7 / Min.BW(Kbit) + total delay in tens of microseconds )
3 Tables
Neighbor
Topology
Routing
Feasibility condition:
For a route to be considered a feasible successor, FD > AD (the neighbor's advertised distance must be lower than our feasible distance).
Commands
ip hello-interval eigrp as-number seconds
ip hold-time eigrp autonomous-system-number seconds
bandwidth
ip bandwidth-percent eigrp as-number percent
variance
eigrp stub { receive-only | connected | summary | static }
ip summary-address as-number address mask
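An added example, not from the original notes, that computes the simplified metric above and then applies DUAL's successor / feasible-successor selection and the variance check to a constructed three-neighbor topology; the bandwidth and delay figures are made up for illustration.

```python
from dataclasses import dataclass


def eigrp_metric(min_bw_kbit, total_delay_usec):
    """Simplified EIGRP metric (default K values, so only bandwidth and delay count).
    IOS does this in integer arithmetic: 10^7 / min bandwidth, plus delay in tens of usec."""
    return 256 * (10**7 // min_bw_kbit + total_delay_usec // 10)


@dataclass
class Advert:
    """What one neighbor tells us about a prefix, plus our link towards that neighbor."""
    neighbor: str
    adv_min_bw: int    # minimum bandwidth (kbit) along the neighbor's own path
    adv_delay: int     # cumulative delay (usec) the neighbor reports
    link_bw: int       # bandwidth (kbit) of our link to the neighbor
    link_delay: int    # delay (usec) of our link to the neighbor

    def reported_distance(self):
        """AD / RD: the neighbor's own metric to the prefix."""
        return eigrp_metric(self.adv_min_bw, self.adv_delay)

    def metric_via(self):
        """Our metric if we route through this neighbor: min bandwidth, summed delay."""
        return eigrp_metric(min(self.adv_min_bw, self.link_bw),
                            self.adv_delay + self.link_delay)


def dual_select(adverts, variance=1):
    """Apply DUAL: successor(s) hold the FD, feasible successors satisfy RD < FD,
    and variance installs feasible successors whose metric is <= FD * variance."""
    fd = min(a.metric_via() for a in adverts)          # feasible distance
    successors = [a.neighbor for a in adverts if a.metric_via() == fd]
    # Feasibility condition: a neighbor closer to the prefix than our FD cannot
    # be routing through us, so it is a loop-free backup (feasible successor).
    feasible = [a for a in adverts
                if a.metric_via() != fd and a.reported_distance() < fd]
    installed = successors + [a.neighbor for a in feasible
                              if a.metric_via() <= fd * variance]
    return {"fd": fd, "successors": successors,
            "feasible_successors": [a.neighbor for a in feasible],
            "installed": installed}


# Constructed sample: three neighbors advertising the same prefix to us.
SAMPLE = [
    Advert("R2", adv_min_bw=10000, adv_delay=1000, link_bw=100000, link_delay=100),
    Advert("R3", adv_min_bw=1544, adv_delay=20000, link_bw=1544, link_delay=20000),
    Advert("R4", adv_min_bw=100000, adv_delay=100, link_bw=10000, link_delay=2000),
]

if __name__ == "__main__":
    print(dual_select(SAMPLE))              # only R2 installed
    print(dual_select(SAMPLE, variance=2))  # R4 added for unequal-cost load sharing
```

R3 has a worse reported distance than our own FD, so even though it advertises the prefix it never qualifies as a backup; R4 does, and variance 2 brings it into the routing table.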
28 Oct 2009
BGP Best Path Selection
1) Weight (highest)
2) Local Preference (highest)
3) Self Originated
4) AS_PATH
5) Origin
6) MED (highest)
7) External Route (EBGP over IBGP)
8) IGP Cost
9) RID (lowest)
10) Neighbor IP address (lowest)
BGP Case Studies @ Cisco
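The ten-step decision above expressed as one sort key, as an added example that is not part of the original notes. The two candidate paths and their neighbor addresses are constructed (documentation ranges); it assumes MED is compared across all candidates, with lower MED preferred as in RFC 4271.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred
STEP_NAMES = ["Weight", "Local Preference", "Self Originated", "AS_PATH", "Origin",
              "MED", "External Route", "IGP Cost", "RID", "Neighbor IP address"]


@dataclass
class BgpPath:
    neighbor_ip: str
    as_path: list
    weight: int = 0            # Cisco-local, never propagated
    local_pref: int = 100
    self_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_cost: int = 0
    router_id: str = "0.0.0.0"


def preference_key(p):
    """Sort key: the smallest tuple is the most preferred path.
    Attributes where 'highest wins' are negated so that min() picks them."""
    return (
        -p.weight,                          # 1  weight (highest)
        -p.local_pref,                      # 2  local preference (highest)
        0 if p.self_originated else 1,      # 3  locally originated first
        len(p.as_path),                     # 4  shortest AS_PATH
        ORIGIN_RANK[p.origin],              # 5  origin: IGP < EGP < incomplete
        p.med,                              # 6  MED: lowest (RFC 4271)
        0 if p.ebgp else 1,                 # 7  EBGP over IBGP
        p.igp_cost,                         # 8  lowest IGP cost to next hop
        int(ip_address(p.router_id)),       # 9  lowest router ID
        int(ip_address(p.neighbor_ip)),     # 10 lowest neighbor address
    )


def best_path(paths):
    return min(paths, key=preference_key)


def deciding_step(paths):
    """Name the first step at which the best path beat the runner-up (None if tied)."""
    ranked = sorted(paths, key=preference_key)
    k_best, k_next = preference_key(ranked[0]), preference_key(ranked[1])
    for name, a, b in zip(STEP_NAMES, k_best, k_next):
        if a != b:
            return name
    return None


# Constructed sample: the same prefix learned from two providers (documentation ranges).
PRIMARY = BgpPath("192.0.2.1", [65001, 65010], local_pref=200)    # longer path, higher LP
SECONDARY = BgpPath("198.51.100.1", [65002], local_pref=100)      # shorter path, default LP

if __name__ == "__main__":
    chosen = best_path([PRIMARY, SECONDARY])
    print(chosen.neighbor_ip, "won on step:", deciding_step([PRIMARY, SECONDARY]))
```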
BGP Attributes
Well-known Mandatory
Origin
AS-Path
Next-Hop
Well-Known Discretionary
Local-Preference
Atomic aggregate
Optional Transitive
Community
Aggregator
Optional Nontransitive
MED (Multiexit Discriminator)
BGP Case Studies @ Cisco
24 Oct 2009
BGP Study Notes
Path Vector protocol, uses TCP/179 as transport.
EBGP Routes have AD of 20, IBGP have 200.
BGP Synchronization Rule: Don't use or propagate a route learned via IBGP that is not also known from another source (an IGP).
3 Tables: BGP Forwarding, BGP Neighbor, Routing tables.
Message Types:
Open: sent to establish an adjacency; a keepalive is sent for confirmation.
Keepalive: sent at 60-second intervals.
Update
Notification: sent in response to errors / special conditions
Neighbor States:
Idle
Connect
Open Sent
Open Confirm
Established
Attributes:
Origin
AS-Path
Next-Hop
MED
Local Pref.
Community
Commands:
Hard / soft (without flap) reset:
# clear ip bgp {* | address}[soft [in | out]]
Send an MD5-hashed password with every packet:
# neighbor ip-address password password
BSCI Scheduled for Nov 2nd
Yep, this should be fun!
This week I'll be doing practice labs and reviews, getting ready to take this monster on Monday...
22 Oct 2009
17 Oct 2009
DHCP serving/relaying
Anatomy of getting an address from DHCP
1. Client broadcasts DHCP DISCOVER message
2. Server replies with DHCP OFFER
3. Client asks formally for the offered address with DHCP REQUEST
4. Server acknowledges with DHCP ACK
5. Client sends out a gratuitous ARP to check whether the IP address is already in use; if not, it starts using it.
Set up a DHCP Server
# ip dhcp pool {pool_name}
# network { network } { mask | prefix }
# default-router { hostname | ip }
# dns-server { hostname | ip }
# domain-name { name }
# lease { days, hours... }
etc..
* Exclude addresses from pools with # ip dhcp exclude-address {low_address} {high_address}
** Addresses are always assigned on the interface that has an IP address in the same subnet as the pool.
Acting as DHCP Relay
Use the following interface configuration command to forward certain broadcasts (such as DHCP) as unicast to the server:
R1 (config-if) # ip helper-address {destination server}
Troubleshooting
# sh ip dhcp binding
# clear ip dhcp binding
# sh ip dhcp pool
# sh ip dhcp server statistics
16 Oct 2009
IS-IS Hello/Hold Timers
Default Hello timer is 10 seconds, and the default hello multiplier is 3, so Hold time is 30 seconds.
On broadcast links the DIS sends Hellos 3 times faster, meaning a Hello timer of 3.3 seconds.
In broadcast links, Hellos are sent with a multicast MAC address;
an IIH packet is sent for each Level the router belongs to.
In point-to-point links a single IIH packet is used which has a flag denoting if it's Level-1,2 or both.
Hello packets are sent to the unicast addresses.
IS-IS Authentication
1-) Clear text (interface-level password):
# interface s1/0
# isis password MyPaSS
2-) Area password:
# router isis
# area-password YesAnAreaPass
3-) Domain password:
# router isis
# domain-password ThisWouldBeEasy
4-) MD5 Authentication:
Use it either under an interface or for the whole router process; first create your key chain (e.g. keyISIS).
# interface s1/0
# isis authentication key-chain keyISIS
# isis authentication mode md5
or under the router process (no "isis" prefix in router configuration mode)
# router isis
# authentication key-chain keyISIS
# authentication mode md5
You can also limit it to level-1 or level-2, or make it send-only:
# isis authentication mode md5 { level-1 | level-2 }
# isis authentication send-only { level-1 | level-2 }
15 Oct 2009
IS-IS Pseudonode and DIS (Designated IS)
In IS-IS a broadcast link itself is modeled as a pseudonode that connects all attached routers in a star topology.
The pseudonode is represented by the DIS (Designated IS).
On broadcast type links a DIS is elected for both Level-1 and Level-2, if they exist.
A router with highest priority or highest SNPA (MAC,DLCI,..) address is selected as DIS.
Default priority is 64. (can be between 0-127)
DIS election can be preempted, any priority change will take effect immediately.
There is no backup DIS (unlike OSPF) and all routers in a LAN establish adjacencies with each other and the DIS.
The DIS creates and maintains the pseudo-node LSP.
This LSP lists the adjacent ISs, just like the network LSA in OSPF.
13 Oct 2009
EIGRP Stub Router
Stub routers in EIGRP only send limited information to their ONLY neighbor, a core (EIGRP) router.
This way the router minimizes memory and processor utilization.
It also helps speed up convergence, because a stub router answers queries with "inaccessible", thus limiting the query range and preventing SIA (stuck-in-active) situations.
Syntax:
eigrp stub [receive-only | connected | redistributed | static | summary]
Distance command
Filter routes and change their AD before they enter the RIB.
1-) Protocol independent "distance" command:
distance AD advertising_router_ip wildcard access-list
You can have multiple distance commands.
Also a default distance that will apply to any routes not defined in another "distance" command.
2-) Protocol dependent:
With this you can change the AD of an external/internal route for EIGRP, external/inter-area/intra-area route for OSPF and so on.
Eg:
distance ospf external 125 (sets an AD of 125 on all learned external OSPF routes)
OSPF Network Types
OSPF Communication:
Multicast 224.0.0.5: All OSPF Neighbors listen
224.0.0.6: Only DR and BDR listen
OSPF Network Types:
11 Oct 2009
These quick-and-dirty notes are not from me, I came across a post on a blog, and thought it could be useful..
So, taking note for future reference..
Opening Move:
————-
conf t
router rip
ver 2
no auto
pass def
do sh ip int br
network
no pass
!Broadcast v2 update:
———————
(config-if)#ip rip v2-broadcast
!Unicast updates:
—————–
1- send unicast updates
(config-router)#neighbor A.B.C.D “Neighbor address”
2- stop broadcast/multicast updates
passiv
Different subnets:
—————–
(config-router)#NO validate-update-source
!check split horizon
Show commands:
————
Sh ip protocols
Routing Information Sources:
Gateway Distance Last Update
Killing the Route:
——————
1- Distribute list
2- offset list (poison the metric)
3- admin distance (poison the distance)