Wednesday, February 8, 2012

Cisco ICND1 Flashcard: Router RIP and IGRP

ICND1 Topic: RIP
ICND2 Topics: RIPv2 VLSM, single area OSPF, EIGRP


Routing is taking a packet from one device and sending it over the network to another device on a different network. Routing requires routers. Routers learn about remote networks from neighbor routers (dynamic) or from static routes programmed by the administrator. All Cisco routers are classful routers, which means they expect the default subnet mask on each interface on the router; otherwise the packet will be dropped. For default routing, the command "ip classless" must be used.

Two types of interior routing protocols
Static, Default and Dynamic Routes

IP Routing requirements
  • destination address and a source address
  • routing table for destination
  • neighbor
See other article about Static Route vs. Dynamic Routes
On directly connected networks, hosts and routers find the destination MAC address for the destination IP addresses using ARP.

Strategies to prevent routing loops:

Split Horizon Rule: the router will not advertise a route back through the same interface from which the route was learned

Route Poisoning: to poison a route, set the metric to infinite; for RIP that number would be 16 for the maximum number of hops. When used with Split Horizon, this strategy is called Split-Horizon with Poison Reverse.

Holddown: the holddown timer is used in route convergence; it prevents a router from reinstating a route until all routers have had enough time to "age out" the route from their tables. This prevents routers from advertising bad or expired routing information.
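As an added illustration (not from the flashcard and not Cisco code), this small Python model of a RIP-style router shows the three mechanisms above: split horizon leaves a route out of updates sent through the interface it was learned on, poison reverse sends it back with metric 16 instead, and route poisoning advertises a failed network as unreachable. Router names, interface names and prefixes are constructed sample data.

```python
"""RIP-style distance-vector updates with split horizon, poison reverse and route
poisoning. Added illustration, not Cisco code; names and prefixes are constructed."""
from dataclasses import dataclass

INFINITY = 16  # RIP: 15 hops is the maximum, so 16 means unreachable

@dataclass
class Route:
    metric: int            # hop count; 0 for a directly connected network
    iface: str             # interface the network is reached through
    connected: bool = False

class DVRouter:
    def __init__(self, connected):   # connected: {prefix: attached interface}
        self.table = {p: Route(0, ifc, True) for p, ifc in connected.items()}

    def advertisement(self, out_iface, poison_reverse=True):
        """Routes to send out of out_iface, applying split horizon."""
        adv = {}
        for prefix, r in self.table.items():
            if r.iface == out_iface:          # reached through that same link
                if poison_reverse and not r.connected:
                    adv[prefix] = INFINITY    # send it back as unreachable
                continue                      # plain split horizon: leave it out
            adv[prefix] = min(r.metric + 1, INFINITY)
        return adv

    def receive(self, in_iface, adv):
        """Process a neighbour's update that arrived on in_iface."""
        for prefix, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if new < INFINITY:
                    self.table[prefix] = Route(new, in_iface)
            elif cur.connected:
                continue                      # a neighbour never displaces it
            elif cur.iface == in_iface:
                cur.metric = new              # same source: accept even a poison
            elif new < cur.metric:
                self.table[prefix] = Route(new, in_iface)

    def withdraw(self, prefix):               # route poisoning: keep the entry
        self.table[prefix].metric = INFINITY  # but advertise it as unreachable
        self.table[prefix].connected = False

def demo():
    r1 = DVRouter({"192.5.5.0": "e0", "10.0.0.0": "s0"})   # R1
    r2 = DVRouter({"10.0.0.0": "s0", "172.16.0.0": "e0"})  # R2, across 10.0.0.0
    r2.receive("s0", r1.advertisement("s0"))
    back = r2.advertisement("s0")   # what R2 tells R1 over the link they share
    r1.receive("s0", back)
    r1.withdraw("192.5.5.0")        # 192.5.5.0 goes down on R1: poison it
    r2.receive("s0", r1.advertisement("s0"))
    return r1, r2, back
```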

Routing Protocols QUIZ

Most common metrics used by routing protocols to determine a network path
hop count
bandwidth - data capacity. Say a 10 Mbps link is better than a 64 kbps leased line
delay
load
reliability - bit error rate of each network link
cost - configurable, by default based on bandwidth
Not metrics: packet length, distance.
1. What are three types of routing protocols?
a) hop count based
b) link state
c) cost based
d) distance-vector
e) advanced distance-vector (hybrid)
f) bandwidth based
answer 1. b,d,e


Name two IGP (interior gateway protocol) Distance Vector protocols: RIP, IGRP (Cisco proprietary)
  • uses hop count as a metric
  • sends entire routing table to neighbor, called routing by rumour and periodic updates
  • lower CPU overhead than link-state protocols
  • uses split horizon, route poisoning, and holddown to protect from routing loops

RIP - Routing Information Protocol
Configure RIP to run on the router:
usage: conf t
router rip
network 192.5.5.0
network 10.0.0.0
(the RIP network command takes a classful network address only, no wildcard mask)
  • RIP v1 and RIP v2
  • RIP Classful
  • RIP v2 supports VLSM (variable length subnet mask), route authentication
  • distance vector protocol
  • can load balance up to 6 equal cost paths
  • uses hop count as the metric. The maximum hop count is 15, therefore 16 is infinite and unreachable
  • sends periodic update every 30 seconds
  • RIP timers include: update, invalid, holddown, flush (and garbage collection).

A handy command to create an interface to learn routes but not advertise
In router config mode usage: passive-interface interface#

IGRP - Cisco Proprietary
Interior Gateway Routing Protocol. All routers within the same autonomous system should use the same AS number, and all routers should be Cisco if IGRP is used. IGRP was created to overcome the problems with RIP such as the 15 hop count limit. The maximum hop count for IGRP is 255, though 100 is the default. The IGRP metric (the value used to calculate the best route) is based on bandwidth and delay of the line, called a composite metric; other factors that are optional but not required are reliability, load and maximum transmission unit (MTU). IGRP sends a periodic update every 90 seconds.

usage: conf t
router igrp 10
network 172.16.0.0

IGRP can load balance up to six unequal links to a remote network (RIP networks must have the same hop count to load balance).


Summary 
How does RIP work in the internetwork?
RIP uses hop counts to determine the best route to a network, with an upper hop count limit of 15

Know the RIP commands
router rip
show ip route
show ip route rip

Administrative distance
Rates the trustworthiness of routing information received on a router from a neighbor; an integer between 0 and 255, where 0 is the most trusted and 255 means no traffic will pass through this route.
Default Administrative Distances
Route Source, Default Distance
Connected interface = 0
Static route = 1
EIGRP = 90
IGRP = 100
OSPF = 110
RIP = 120
External EIGRP = 170
Unknown = 255 not routable
      
What is AS, autonomous system
An AS is a group of routers that share the same routing information.

Know the difference between RIP and IGRP
Describe the metrics used. RIP only uses hop count.
Others are hop count, bandwidth, delay.

Three truths, from a quiz:
Routers evaluate the available paths to a destination
The routing process uses metrics and administrative distances when evaluating network paths
Dynamic routing occurs when information is learned using routing information that is obtained from routing protocols.

Note: the routing table is only displaying the information to the user
Routing table provides an ordered list of known network addresses.
Routing tables contain metrics that are used to determine the desirability of the route
Routing table associations tell a router that a particular destination is either directly connected to the router (C) or that it can be reached via another router (the next-hop router or exit interface) on the way to the final destination

Link State Routing Protocols
Link state routing protocols respond quickly to network changes
Link state routing protocols send periodic updates (link state refreshes) at long time intervals, about once every 30 minutes!!
In link state routing protocols, every router tries to build its own internal map of the network topology

ICND2 Flashcard: VLAN

ICND2 Topic: Implementing VLAN and Trunks, Improving performance with Spanning Tree, Routing between VLANs.



VLAN definition:

Short for Virtual LAN. Each switchport may be assigned to one VLAN, ports in the same VLAN share broadcasts, and there is one IP subnet per VLAN.

Reasons for implementing VLAN
- keep the broadcasts local within the same VLAN, more security
- Inter VLAN traffic can be filtered
- departmental network segmentation for example: Sales, Engineering, Marketing, HR

Static VLAN
Create separate VLAN in the switch by assigning specific ports to VLANs
More secure but no flexibility for moving in the office network

Dynamic VLAN
Permits user to move computer around and still be connected to the department's VLAN
Requires Cisco VLAN Management Policy Server; set up a list of MAC addresses and the VLANs they belong to. User can plug computer into any switch on the LAN (though the NIC card can be removed, less secure).

Trunking VLAN
If two switches have ports with two separate VLANs on both switches, the frames need a frame tag with the VLAN ID. Protocols for trunking:
ISL - Cisco only for fast ethernet or 1 Gig. Spanning Tree works.
802.1q - only one instance of spanning tree runs with 802.1q no matter the number of VLANs

Creating a VLAN and assigning ports.
How does it get added to the vlan.dat in flash, it just does!
usage: conf t
vlan 2 (creates it!)
name Test2 (name optional)

verify: show vlan brief

Assigning a switchport to a VLAN
usage: conf t
int fa 0/1
switchport access vlan 2

Inter VLAN Routing
A router is required to communicate between two different broadcast domains or VLANs. Router will not forward broadcasts, router will forward a unicast with the layer 3 address.

TRUNKING
A trunk is required to carry traffic for multiple VLAN, the IEEE protocol is 802.1q intervlan trunking. There is a practical application for VoIP, using a separate VLAN for IP phone traffic and data traffic.
The VTP or VLAN Trunking Protocol is configured
usage: conf t
int fa 0/0.2
encapsulation dot1q 2   ! the VLAN ID (2 here, matching the VLAN created above) is required on the subinterface
router rip
network 10.0.0.0

A trunk can carry traffic for multiple VLANs. The switches tell each other which VLANs they belong to. The administrator has to configure one switch as the VTP Server

VTP Modes:
Server
- default for Cisco Switch
- must be server mode to create, modify or delete a VLAN
- need one switch in server mode
- propagates VLAN information to the whole network

usage: conf t
vtp domain Pod2
vtp mode server
end
Client
- sends and receives updates about VLAN changes
- Receives information from the VTP server
- cannot modify VLAN

Transparent
- switches just pass along the VLAN advertisements to other switches
- will not accept or send VLAN information from itself
- can create, modify, delete VLANs for itself

Adding a previously used switch to the network creates a potential issue, because switches typically try to sync with a device that has a higher revision number. To properly clean a switch's flash memory, delete the vlan.dat file. The safest mode when decommissioning an old switch, and before you plug it back in, to avoid damaging or destroying the present VLAN configuration, is set with the command

usage: vtp mode transparent
usage: show vtp status
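As an added illustration (not the flashcard's own material and not Cisco code), this Python model shows the revision-number problem just described: a server or client switch in the same domain adopts any advertised VLAN database that carries a higher revision, while a switch put into transparent mode stops advertising and has its revision reset to 0. The switch names and VLAN names are constructed; only the domain Pod2 comes from the notes above.

```python
"""VTP revision behaviour: a re-used switch with a stale but higher revision can
overwrite the VLAN database; transparent mode is the safe state before reconnecting.
Added illustration, not Cisco code; switch names and VLAN names are constructed."""
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"      # server (Cisco default), client or transparent
    revision: int = 0         # VTP configuration revision number
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode):
        self.mode = mode
        if mode == "transparent":
            self.revision = 0  # IOS resets the revision when entering transparent mode

    def configure_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot modify VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1  # every change on a server bumps the revision

    def advertisement(self):
        """Summary advert a server or client sends; transparent switches send none."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advert; return True if the local VLAN database was replaced."""
        if adv is None or adv["domain"] != self.domain or self.mode == "transparent":
            return False       # transparent: only forwarded to other switches
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False

def reconnect_old_switch(make_transparent_first):
    """Plug a decommissioned switch with a stale, high revision back into Pod2."""
    prod = Switch("S1", "Pod2")
    prod.configure_vlan(2, "Sales")
    prod.configure_vlan(3, "Engineering")      # prod revision is now 2
    old = Switch("OLD", "Pod2", revision=20)   # stale database, higher revision
    if make_transparent_first:
        old.set_mode("transparent")            # "vtp mode transparent"
    overwritten = prod.receive(old.advertisement())
    return overwritten, sorted(prod.vlans)
```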

Tuesday, February 7, 2012

Cisco ICND1 Flashcard: Are you tech savvy about DSL, the Last Mile, NAT and PAT?

The topic of DSL was covered in the CCNA Bootcamp course as a requirement for the ICND1 Exam.

Internet Resellers
TekSavvy talk has been making the rounds lately on forums at work and online. They're in the news among the other victims of the ongoing CRTC ruling on the "usage based billing" or wholesale billing regulations from large ISPs to small ISPs. I decided to take a look at what folks were talking about - really cheap rates for high speed internet, long distance calling, residential phone and even cable at much lower rates than the standard Bell or Rogers! However the ruling will make unlimited packages impossible or too expensive, as the cost of using Bell or Internet backbone services is transferred to the consumer, say for example Bell will charge TekSavvy or Acanac an extra $22/ Mbit or 22k for 1 Gbps link. The other thing is I didn't quite understand right away, why when the TekSavvy customers had a problem and they called up TekSavvy tech support, a service call would be sent out to Bell or Rogers. Ok I get it, Bell or Rogers still provide the DSL or last mile connection. TekSavvy is an "internet reseller" or ISP.

There is a business argument for open competition that folks are feeling very strongly about for the Open Media debate and a petition. My article is purely about the electrons, not the politics. Back to the basics.

What is DSL and the Last Mile?
The story begins with the telephone cabling we are already familiar with. It's copper and can carry 300 Hz to 1 MHz of data. However, the human voice only uses the 300 Hz to 3 kHz portion of the link, so DSL can use the remaining 3 kHz to 1 MHz for high-speed data, "always on". DSL stands for Digital Subscriber Line, and this allows the packets to be sent over copper owned by an ISP. It is not a shared medium; each user has his own direct connection to the DSLAM. It's scalable: adding new users does not impede the network performance. DSL can be used simultaneously with voice.

The cabling part there is also referred to as the local loop or last mile, the last step of the local telephone network connection. DSL may be added incrementally in any area with some distance limitations, but is not universally available in all geographic locations. Equipment required includes the CPE (Customer Premise Equipment) and the DSL Access Multiplexer (Time Division Multiplexer). There is a physical geographic limitation of 5.5 km distance for ADSL, and some folks would consider the "always on" aspect of DSL as hackable; well whatever.


DSL can be used by a large company to support the "work at home" workers. The worker cannot connect to the enterprise network directly; instead he first connects to the ISP and then an IP connection is made from the Internet to the enterprise network.

There are two categories of DSL
DSL places the data upload and download above the 4 kHz window, allowing voice and data transmission to occur simultaneously on the same DSL service.

ADSL Asynchronous, higher download bandwidth than upload (less than 5.5 km distance)
VDSL, VDSL 2 is very high data rate
250 Mbps at the source
100 Mbps at 0.5km
500 Mbps at 1km
G Lite, G 992.2
ADSL, ADSL2, ADSL 2+
Consumer DSL aka G.Lite or G992.2

SDSL Synchronous, same capacity both directions
HDSL high data rate DSL
ISDN DSL(IDSL)
G.shdsl, symmetric high bit data rate DSL

In all instances, it's WAN access. It is not cable; cable is best described as a bus network topology, fiber under the street, copper to the home. (Why do I have this in my notes?)

Transceiver - connects the computer of the worker to the DSL, usually a modem with USB or Ethernet cable. Newer DSL transceiver can be installed on routers with 10/100 switch ports for home and office use.

DSLAM - located at Central Office of the carrier. DSLAM combines individual DSL connections into one high capacity link to the ISP and Internet.

Assigning an IP Address
It used to be that when you turned on your computer the ISP would assign an IP address to your computer by DHCP, and when you were finished with your connection the computer would return the IP address to the pool. The only thing is, people don't usually turn off the computer, so this IP address will be almost permanently taken. I suppose if it was a work computer, the network administrator could use private and public IP address translation.

The global Internet is like a large WAN. Servers need an IP address from the ISP and interfaces, which are manually assigned by the ISP or dynamically assigned. When you have a private IP address and need to go online, the IP addresses will have to be translated by NAT from an internal lab to the outside world.

Next Topic:
NAT, PAT and Overloading

VPN in a Nutshell

Not sure if this topic is for the CCNA Exam, ICND1, or ICND2 Exam but it was covered peripherally in the CCNA Bootcamp course and is offered as a separate course or certification for Cisco VPNs.

What is a VPN?
Definition: Virtual Private Network, for creating a private network tunneling over a public network, while maintaining confidentiality and security. It's a way to communicate through a dedicated server securely to a corporate network over the Internet. Windows NT, 2000 and XP offer native VPN support. The Cisco Router IOS has to support VPN.

VPN Client can also be setup on a Linux platform, the first of its kind. Download the network-manager-vpnc package. http://www.linuxplanet.com/linuxplanet/tutorials/6773/1

What are the Components of a VPN?
  • A real network with servers and workstations
  • An Internet connection
  • VPN gateways are endpoints to establish, maintain and control VPN connections; these could be routers, firewalls, VPN concentrators and ASA (Adaptive Security Appliance)
  • Software to manage the VPN tunnels
  • Cisco IOS software that supports VPN

How to make VPN's secure?
VPNs are inherently secure. In fact, there are certain totalitarian regimes in the world today where VPNs are absolutely banned! I suppose it is because the added security prevents the government from spying on its own people plotting a revolt. Now what I want to know is, how does the government know if someone is using a VPN, where it starts and where it ends? How do you even see a VPN signature?

VPNs are secure by virtue of encapsulation or tunneling, transmitting data transparently from one network to another through a shared infrastructure. Encryption is also used to code data into a format using a shared secret key, and then decode the encrypted data into the original unencrypted format.

Read more about Encryption Standards

Setting up or Connecting to the VPN
  • IPSEC gateway: the hostname or IP of the VPN server
  • IPSEC ID: the groupname
  • IPSEC secret: the shared password for the group
  • your username
  • your password
The pre-shared key replaces the certificate file to form the tunnel. It sounds like a pretty serious breach if someone acquired the pre-shared key, so don't leave it stored on the computer in a file called "my vpn shared password for the group", if you know what I'm saying.

Hardware
Cisco ASA 5500 Series offers both IPSec and SSL VPN, application inspection firewall and intrusion prevention services.

Cisco 7600 Series/ Catalyst 6500 Series IPSec VPN, requires a shared port adapter. Did I read correctly, it runs AES encryption and can carry up to 8,000 IPSec tunnels?

Configuration Commands
Here is a mishmash of commands I have to reorder in the right sequence because it is supposed to work on a Cisco 2811. It's not an actual configuration file but notes I wrote to myself as comments for things to include. Sample config file coming soon, when I can prove that it works!

It's tricky but there is useful information on HOW TO configure an IPSEC encrypted tunnel with Cisco. A lot of helpful pages on cisco.com as well.


% Prerequisites
% ip cef or ip cef distributed
% configure loopback interface
% enable SNMP notifications of L2TP session up/down; snmp-server enable traps l2tunnel session
% xconnect applied to which interface
% ip pmtu command configures the pseudowire class
% L2TPv3 data encapsulation directly over IP port 115, sessions between the same Layer 2 protocols.
% choose static or dynamic L2TPv3 sessions
% set mtu; use ip dfbit set and ip pmtu accordingly