Layer 3: Network - Dealing with Packets!
IPv4
IPv4 Header:
- Version: 4 bits --> IPv4 = 0100 ; IPv6 = 0110
- IHL (Internet Header Length): 4 bits --> IP header length, measured in increments of 4 bytes (IHL = 5 means a 20-byte header)
- DSCP (Differentiated Services Code Point): 6 bits --> used for QoS (prioritizing/delaying data)
- ECN (Explicit Congestion Notification): 2 bits --> end to end notification of network congestion without dropping packets
- optional feature: the bits are always present in the header, but only used if both endpoints and the routers in the path support ECN
- Total Length: 16 bits --> includes total length of packet (L3 header + L4 segment) --> measured in bytes
- min value = 20 bytes (IPv4 header with no encapsulated data)
- max value = 65535 bytes (16 bits all set to 1)
- Identification: 16 bits --> if packet is fragmented (due to being too large), this field identifies which packet the fragment belongs to
- all fragments of the same packet have their own IPv4 header with same value in this field
- packets are fragmented if larger than MTU (Maximum Transmission Unit)
- MTU is usually 1500 bytes (same as the max payload of an Ethernet frame; the frame itself is bigger because of its header and FCS)
- Flags: 3 bits --> bit 0: reserved, always 0 | bit 1: DF (Don't Fragment) bit, indicate a packet should not be fragmented
| bit 2: MF (More Fragments) bit, set to 1 if there are more fragments in packet, set to 0 if last packet
- MF bit = 0 if no fragments
- Fragment Offset: 13 bits --> indicate position of fragment in original unfragmented IP packet
- Time To Live: 8 bits --> prevent loops, router drops packet with TTL of 0, represents hop count
- default TTL = 64
- max TTL = 255
- Protocol: 8 bits --> indicates protocol of encapsulated layer 4 PDU (TCP value = 6 ; UDP value = 17 ; ICMP value = 1)
- OSPF (Open Shortest Path First) value = 89 (0x59)
- Header Checksum: 16 bits --> router calculates checksum and compares to the one in this header. check for errors in the HEADER
- does not check for errors in the encapsulated data, only the header
- TCP & UDP have their own checksum fields for checking data
- Source IP Address: 32 bits
- Destination IP Address: 32 bits
- Options: variable length (0-40 bytes), present only if IHL > 5
- optional, rarely used (many firewalls drop packets that carry IP options, e.g. source routing)
- the IHL field gives the header length in 4 byte increments: IHL = 5 means the total length of the header = 20 bytes because 5 * 4 = 20
- minimum & maximum IPv4 header length is determined by the IHL value. Min IHL = 5, Max IHL = 15
- minimum IPv4 header length = 20 bytes (5 * 4)
- maximum IPv4 header length = 60 bytes (15 * 4)
IPv4 Addressing (layer 3):
- Binary:
- columns: 128, 64, 32, 16, 8, 4, 2, 1
- IP addresses are 4 bytes (32 bits)
- 4 octets, 8 bits each
- ex: 192.168.1.254/24
- /24 means that the first 3 bytes (24 bits) are for the network and remaining 1 byte is for endhost
- /16 would mean the first 2 bytes for network, 2 bytes for hosts
- /8 would mean the first 1 byte for network, 3 bytes for hosts
- 5 classes of IPv4 addresses:
class A) first octet beginning with 0xxxxxxx --> first octet range = 0-127 (*1-126) --> prefix length = /8 or 255.0.0.0
- max networks = 2^7 = 128 (first octet 0-127)
- max hosts = 2^24 -2
class B) first octet beginning with 10xxxxxx --> first octet range = 128-191 --> prefix length = /16 or 255.255.0.0
- max networks = 2^14 = 16384 (~16K)
- max hosts = 2^16 -2
Class C) first octet beginning with 110xxxxx --> first octet range = 192-223 --> prefix length = /24 or 255.255.255.0
- max networks = 2^21 = 2097152 (~2M)
- max hosts = 2^8 -2
Class D) first octet beginning with 1110xxxx --> first octet range = 224-239
- reserved for multicast addresses
Class E) first octet beginning with 1111xxxx --> first octet range = 240-255
- reserved for experimental uses
- Class A is actually made to be 1-126 because 127 is loopback and 0 is not useable (reserved)
- 127 = loopback address
- used to test network stack
- traffic sent to this address will come back to you, encapsulate and decapsulate
- first address in each host range is the network address (all 0's in the host portion of the IP)
- ex: 192.168.1.0/24
- first usable address is 192.168.1.1/24
- last address in each host range is the broadcast address (all 1's in the host portion of the IP)
- subtract 2 from the total possible host addresses (0-255 = 256 total) for the network and broadcast addresses, that's why a class C has 254 usable hosts, not 256
- ex: 192.168.1.255/24
- last usable address is 192.168.1.254/24
- a packet sent to 192.168.1.255/24 (the directed broadcast) goes in a frame with destination MAC FFFF.FFFF.FFFF, the same broadcast MAC an ARP request uses
- IOS commands:
- "show ip interface brief" shows interface/port, IP address (unassigned?), OK?, method, status, protocol
- status = layer 1 status (cable attached, device turned on/off)
- protocol = layer 2 status (ethernet functioning properly between devices)
- default status of Cisco routers = status administratively down
- default status of Cisco switches is NOT administratively down
- enter INTERFACE mode (for interface G0/0 to configure it):
- "interface gigabitethernet 0/0"
- "interface gigabitethernet0/0"
- "in g0/0"
- Router(config-if)# ---> what prompt looks like now
- set IP address for router:
- "ip address 10.255.255.254 255.0.0.0" --> set IP and subnet mask
- shortcut "ip add ........"
- "no shutdown" --> Cisco router interfaces are shutdown by default, must enable the interface
- shortcut "no shut"
- "do sh ip int br" --> execute from interface mode
- to move on to another interface, just type "int " followed by the interface name (no need to leave interface mode first)
- "show interfaces g0/0" shows info of multiple layers (1-3)
- "show interfaces description" description column shows whatever you put in it
- "int g0/0"
- "description ## to SW1 ##"
- now g0/0 will show ## to SW1 ## in its description
- Ctrl a = go to beginning of line in IOS
- "end" brings you back to privileged EXEC mode
Quiz Question 1:
IP = 43.109.23.12/8
Find the following
- network address = 43.0.0.0
- network broadcast address = 43.255.255.255
- first usable address = 43.0.0.1
- last usable address = 43.255.255.254
- max # hosts = 2^24 -2
Quiz Question 2:
IP = 129.221.23.13/16
Find the following
- network address = 129.221.0.0
- network broadcast address = 129.221.255.255
- first usable address = 129.221.0.1
- last usable address = 129.221.255.254
- max # hosts = 2^16 -2
Quiz Question 3:
IP = 209.211.3.22/24
Find the following
- network address = 209.211.3.0
- network broadcast address = 209.211.3.255
- first usable address = 209.211.3.1
- last usable address = 209.211.3.254
- max # hosts = 2^8 -2 = 254
IPv6
IPv6 (Part 1):
- Hexadecimal Review:
- 4 binary bits for 1 hex value: 1111 = F = 15
- 0b00101111 = 0x?? --> split into groups of 4, convert to dec, convert to hex
- 0b0010 = 0d2 & 0b1111 = 0d15
- 0d2 = 0x2 & 0d15 = 0xF
- therefore = 0x2F
* converting hex to binary is opposite
- Why IPv6?:
- not enough addresses in IPv4: 32 bits = only ~4.3B (2^32) addresses
- VLSM & NAT have allowed IPv4 to continue to be used
- long term solution = IPv6
- IANA distributes IPv4 address space to various RIRs (Regional Internet Registries), then assign to companies
- Basics of IPv6:
- 128 bits (4x the bits of IPv4; every added bit doubles the # of addresses, so 2^128 is far too many to count)
- hex uses 1 character for every 4 bits. 128 bits/4 = 32 hex characters
- ex: 2001:db8:3333:4444:5555:6666:7777:8888
- 2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF
- leading 0s are removed normally
- 2001:db8:: (implies that the last six segments are zero)
- :: (implies all 8 segments are zero)
- ::1234:5678 (implies that the first six segments are zero)
- 2001:db8::1234:5678 (implies that the middle four segments are zero)
- 2001:0db8:0001:0000:0000:0ab9:C0A8:0102 (compressed as follows: 2001:db8:1::ab9:C0A8:102 )
- :: can only be used once per address (one run of consecutive all-zero quartets); if two zero runs are the same length, the first one is compressed (RFC 5952)
- 2001:0db8:0000:0000:0ab9:0000:0000:0102
- compressed: 2001:db8::ab9:0:0:102 (leading zeros dropped too)
- use prefix length notation, NOT subnet mask, even when config in IOS
- finding IPv6 prefix length (global unicast address):
- Global Routing Prefix: first 3 quartets - 48 bits assigned by ISP
- Subnet Identifier: 4th quartet - 16 bits
- Interface Identifier: last 4 quartets - 64 bits for hosts
- typically use /64 --> means enterprise has 16 bits to make subnets with (remaining 64 bits for hosts)
- /56 means first 14 characters (56 bits) are network portion, set rest to 0 to get net address & find prefix
- /93 is tricky, not multiple of 4 --> find where 93rd bit is, conv quartet to binary, make rest 0, re-conv to hex
- a link-local address is auto configured on an interface when a global IPv6 address is added
- Config IPv6 Addresses:
- "ipv6 unicast-routing" --> enable ipv6
- "int g0/0" | "ipv6 address 2001:db8:0:0::1/64" | "no shutdown"
- "show ipv6 interface brief"
IPv6 (Part 2):
- IPv6 Modified EUI-64 Config:
- EUI (Extended Unique Identifier)
- method of converting MAC address (48 bits) into 64 bit interface identifier
- deriving IPv6 address using specified prefix & MAC address
- done automatically by router
- manually convert:
1) divide MAC in half: 1234 5678 90AB --> 1234 56 | 78 90AB
2) insert FFFE in middle 1234 56FF FE78 90AB
3) invert 7th bit 1034 56FF FE78 90AB
- 7th bit is in second hex char. hex 2 = 0010 --> that 1 is the 7th bit
- manual IPv6 address with EUI-64: "g0/0" | "ipv6 address 2001:db8::/64 eui-64" | "no shutdown"
- combines the EUI-64 interface ID with the prefix to create the IPv6 address
- IPv6 Address Types:
- Global unicast: public IPv6 addresses, used over internet
- must register to use (globally unique)
- all addresses not reserved for other purposes are global unicast addresses
- Global Routing Prefix: first 3 quartets - 48 bits assigned by ISP
- Subnet Identifier: 4th quartet - 16 bits
- Interface Identifier: last 4 quartets - 64 bits for hosts
- Unique local: private addresses not used over internet, no registration required
- can route between subnets, but not internet
- all addresses beginning with FC00::/7 (first 7 bits 1111110x, so FC or FD) are unique local; the 8th bit should be 1 (locally assigned), so in practice they start with FD
- Global ID: next 40 bits (2.5 quartets) - should be unique so that none overlap when companies merge
- randomly generating makes them more likely globally unique
- Subnet Identifier: 4th quartet (16 bits) --> used for creating subnets
- Interface Identifier: last 64 bits (4 quartets) - used for hosts
- Link-local: auto generated
- all addresses beginning with FE80::/10
- OSPFv3 uses for neighbor adjacencies (sending LSAs)
- can be used as next hop address for static routes
- NDP (Neighbor Discovery Protocol): IPv6 replacement for ARP uses link local addresses
- "ipv6 enable" --> enables IPv6 and creates Link-Local address automatically
- all IPv6 interfaces must have a link-local address
- Multicast: sending data to multiple addresses that have joined the multicast group
- IPv6 does NOT use broadcast
- uses FF00::/8 for multicast
- multicast Scopes: how far packet should be forwarded:
- Interface-Local (FF01): packet doesn't leave local device
- Link-Local (FF02): packet stays within local subnet
- Site-Local (FF05): packet can be forwarded by routers
- Organization-Local (FF08): wider in scope than Site-Local (all subnets in company)
- Global (FF0E): no boundaries - can be routed over internet
- Anycast: one to one (of many)
- no specific range, just use regular unicast address and specify it as anycast address
- "2001:db8:1:1::99/128 anycast"
- Unspecified:
- used when device doesn't know its IPv6 address yet
- :: --> all 0s
- default routes = ::/0
- Loopback:
- ::1
- used to test protocol stack on local device
- same as IPv4 127.0.0.1 (the whole 127.0.0.0/8 range is loopback)
IPv4 & IPv6 multicast addresses:
- 224.0.0.1 | FF02::1 --> for all hosts/nodes (like broadcast)
- 224.0.0.2 | FF02::2 --> for all routers
- 224.0.0.5 | FF02::5 --> for all OSPF routers
- 224.0.0.6 | FF02::6 --> for all OSPF DRs/BDRs
- 224.0.0.9 | FF02::9 --> for all RIP routers
- 224.0.0.10 | FF02::A --> for all EIGRP routers
IPv6 (Part 3):
- IPv6 Header: FIXED size of 40 bytes (vs IPv4 20-60)
- Version: 4 bits - always set to 6 (0110)
- Traffic Class: 8 bits - QoS
- Flow Label: 20 bits - ID specific traffic flows
- Payload Length: 16 bits - length of everything after the fixed 40-byte header (extension headers + layer 4 segment) IN BYTES
- Next Header: 8 bits - identifies what follows the header: the next extension header, or the layer 4 protocol (TCP = 6, UDP = 17, ICMPv6 = 58) (same role as the IPv4 Protocol field)
- Hop Limit: 8 bits - decremented by 1 each hop (same as IPv4 TTL field)
- Source Address: 128 bits
- Destination Address: 128 bits
- NDP (Neighbor Discovery Protocol):
- replaces ARP
- uses Neighbor Tables (vs ARP tables)
- "show ipv6 neighbor"
- IPv6 solicited-node multicast address is calculated from a unicast address
- ff02::1:ff + last 6 hex digits of unicast address
- uses ICMPv6 and solicited-node multicast addresses to learn MACs of other hosts
- two messages:
1) NS (Neighbor Solicitation) = ICMPv6 Type 135
- NDP equivalent of ARP request
- four things inside:
1) Source IP: R1 g0/0 IP
2) Destination IP: R2 solicited-node multicast address
- R1 can auto calculate R2's solicited-node multicast address from the IPv6 address
- R1 gets the IPv6 address from when you ping R2 with its address
3) Source MAC: R1 g0/0 MAC
4) Destination MAC: multicast MAC based on R2's solicited-node address
2) NA (Neighbor Advertisement) = ICMPv6 Type 136
- NDP equivalent of ARP reply
- four things inside:
1) Source IP: R2 g0/0 IP
2) Destination IP: R1 g0/0 IP
3) Source MAC: R2 g0/0 MAC
4) Destination MAC: R1 g0/0 MAC
- Another function of NDP allows hosts to discover routers on LAN:
- two messages:
1) RS (Router Solicitation) = ICMPv6 Type 133
- sent to multicast address ff02::2 (all routers)
- asks routers on local link to identify themselves
- sent when interface is enabled or host connected to network
2) RA (Router Advertisement) = ICMPv6 Type 134
- sent to multicast address ff02::1 (all nodes)
- router announces its presence and info
- these messages are sent in response to RS
- also sent periodically without RS being requested
- Another function of NDP allows to check if multiple hosts are using same IPv6 address
- DAD (Duplicate Address Detection):
- anytime an ipv6 int is initialized (no shutdown): DAD checks
- anytime an ipv6 address is configured on an int, DAD checks
- DAD uses NS/NA:
- sends NS to its own IPv6 address
- if no reply, confirmed it's unique
- SLAAC (Stateless Address Auto Configuration):
- another way to config IPv6 addresses
- routers/hosts use RS/RA messages to learn IPv6 prefix of local link (ex: 2001:db8::/64)
- routers/hosts then auto generate IPv6 address from the prefix
- "ipv6 address autoconfig"
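Added example (Python, using the standard-library ipaddress module; not from the original notes) tying together the EUI-64 conversion from Part 2, the solicited-node address and multicast MAC from the NS description above, and the prefix + interface ID combination that SLAAC and "eui-64" perform. The MAC 1234.5678.90AB is the one from the manual conversion above; R1's addresses are made up for the demonstration.

```python
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC: split in half, insert FFFE, flip the 7th bit (U/L bit)."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    m = bytes.fromhex(digits)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02                       # 7th bit of the first byte, counting from the left
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' or SLAAC produces: the /64 prefix plus the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 fills exactly the low 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff + the low 24 bits (last 6 hex digits) of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(addr: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + the low 32 bits of the group (RFC 2464)."""
    group = ipaddress.IPv6Address(addr)
    if not group.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def neighbor_solicitation_addresses(src_ip: str, src_mac: str, target_ip: str) -> dict:
    """The four addresses on an NS (ICMPv6 type 135) for target_ip, as listed in the notes: the sender
    fills in its own IP/MAC and derives the destination IP and MAC from the target address alone."""
    group = solicited_node(target_ip)
    return {"src_ip": src_ip, "dst_ip": str(group), "src_mac": src_mac, "dst_mac": multicast_mac(str(group))}


if __name__ == "__main__":
    r2 = slaac_address("2001:db8::/64", "1234.5678.90AB")     # R2's MAC from the manual conversion above
    print("R2 EUI-64 address:", r2)
    print(neighbor_solicitation_addresses("2001:db8::1", "00:11:22:33:44:55", str(r2)))
```

Because the interface ID is derived from the MAC, an EUI-64 address identifies the hardware across every network the host joins; that is why hosts normally use privacy (random) interface IDs with SLAAC instead, and why a switch can be told the exact multicast MAC a neighbor's NS will carry.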
- IPv6 Static Routing (on Exam Topic List):
- "ipv6 route [AD]"
- Directly Attached static route: only exit-interface specified
- "ipv6 route "
- CAN'T use a Directly Attached static route in IPv6 if the exit interface is Ethernet (multi-access): with no next hop the router can't resolve a layer 2 address, so use a recursive or fully specified route instead
- Recursive static route: only next-hop specified
- "ipv6 route "
- Fully Specified static route: both next-hop & interface are specified
- "ipv6 route "
- Default Route: "ipv6 route ::/0 [AD]"
- Network Route: "ipv6 route 2001:db8:0:3::/64 [AD]"
- Host Route: "ipv6 route 2001:db8:0:1::100/128 [AD]"
- Floating Static Route: "ipv6 route [AD]"
- sets up backup route in case dynamic fails (like OSPF/EIGRP) --> set AD higher than AD of dynamic
* if "ipv6 unicast-routing" is not enabled, the router can still send/receive IPv6 traffic on its own interfaces but will not route (forward) IPv6 packets between them
- enable IPv6 routing --> "ipv6 unicast-routing"
Subnetting
Subnetting (Part 1):
- CIDR (Classless Inter-Domain Routing)
- no more IP classes (class A, B, C, etc...)
- replaces classful addressing (class A/B/C allocation), which wasted IPs; IANA still hands out the address space
- IANA (Internet Assigned Numbers Authority):
- assigns IPv4 addresses/networks to companies based on their size (class A,B,C?)
- wasted IP addresses:
- class C might only use a few out of the 256 total addresses
- class B allows ~65,000 addresses, but a company with 300 PCs that gets one wastes ~64,700 addresses
- CIDR allows for subnetting: split networks into smaller networks = more efficient
- can use network masks of any /# instead of only /8 /16 /24
- a netmask of /26 means that 26 bits are for the network and 6 are for the hosts (32-26 = 6)
- we know that total# addresses (2^#bitsForHost) = 2^6 = 64 addresses total (62 usable)
- also, 26 network bits means 2^26 (~67M) possible /26 networks in the whole IPv4 space
- equals to 255.255.255.192
- calculate like this: know /24 = 255.255.255.0 , 26 = 24+2 so add two 1's at the beginning of last octet
- 255.255.255.0 = 11111111.11111111.11111111.00000000
- 255.255.255.192 = 11111111.11111111.11111111.11000000
- then calculate the binary --> 128+64 = 192 for the last octet
- /31 netmask leaves 0 usable addresses by the normal formula (2^1 -2 = 0)
- used to not be able to use this but now can use for point to point connection (2 routers)
- don't need the 'mandatory' network or broadcast address because it's just point to point dedicated
- /31 netmask = 255.255.255.254 --> only 2 addresses (e.g. 192.168.1.0 & 192.168.1.1), perfect for point to point (RFC 3021)
- /32 netmask makes whole address network portion
- still useful to make a static route to one specific host (not networks)
- all CIDR Notations for 'class C' range:
- /25 = 255.255.255.128 | #hosts = 2^7 = 128 | 2 subnets (128 hosts fit into total 256 addresses 2 times)
- /26 = 255.255.255.192 | #hosts = 2^6 = 64 | 4 subnets
- /27 = 255.255.255.224 | #hosts = 2^5 = 32 | 8 subnets
- /28 = 255.255.255.240 | #hosts = 2^4 = 16 | 16 subnets
- /29 = 255.255.255.248 | #hosts = 2^3 = 8 | 32 subnets
- /30 = 255.255.255.252 | #hosts = 2^2 = 4 | 64 subnets
- /31 = 255.255.255.254 | #hosts = 2^1 = 2 | 128 subnets
- /32 = 255.255.255.255 | #hosts = 2^0 = 1 | 256 subnets
*remember -2 for usable addresses (except /31 point-to-point links and /32 host routes)
Subnetting (Part 2):
- if there are 4 subnets of equal size and first = 192.168.1.0/26, what are the the four subnets?
- 192.168.1.0/26 | 192.168.1.0 - 192.168.1.63 | last address in each subnet = broadcast, first = network
| .00000000 .00111111
- 192.168.1.64/26 | 192.168.1.64 - 192.168.1.127 | last address in each subnet = broadcast, first = network
| .01000000 .01111111
- 192.168.1.128/26 | 192.168.1.128 - 192.168.1.191 | last address in each subnet = broadcast, first = network
| .10000000 .10111111
- 192.168.1.192/26 | 192.168.1.192 - 192.168.1.255 | last address in each subnet = broadcast, first = network
| .11000000 .11111111
- split 192.168.255.0/24 into 5 subnets:
- must use /27 because 32-27=5, thus 2^5 = 32 addresses and 256/32 = 8 subnets
- can't use /26 because only allows 4 subnets --> 32-26=6, 2^6=64 hosts, 256/64=4 subnets
- subnet 1: 192.168.255.0/27
- subnet 2: 192.168.255.32/27
- subnet 3: 192.168.255.64/27
- subnet 4: 192.168.255.96/27
- subnet 5: 192.168.255.128/27
- Leftover subnets: 192.168.255.160/27 | 192.168.255.192/27 | 192.168.255.224/27
- what subnet does 192.168.5.57/27 belong to?
- /27 means 2^5=32 hosts ; 256/32 = 8 subnets
- subnets start at: .0 .32 .64 .96 .128 .160 .192 .224
- the address in question would belong to the .32 subnet because too big for .0 (ends at .31) and too small for .64
- therefore: 192.168.5.57/27 belongs to 192.168.5.32/27
-* this is my easy way of doing this, but can be laborious when lots of subnets
- what subnet does 192.168.29.219/29 belong to?
- normal way to calulate:
- .219 = .11011011 | there are 3 bits that belong to hosts (because 32-29=3)
- set all host bits to 0 --> .11011000 = .216
- therefore 192.168.29.219 belongs to 192.168.29.216/29
- my way of calculating:
- 32-29=3 ; 2^3=8 hosts ; 256/8=32 subnets
- 256-8=248 -8=240 -8=232 -8=224 -8=216
- therefore 192.168.29.219 belongs to 192.168.29.216/29
-* note you don't need to keep subtracting 8, you can just subtract by any factor of 8 that's larger to be faster
- all you need is the .216 number
- CIDR notations for 'Class B' range:
- /16 = 255.255.0.0 | #hosts = 2^16 = 65536 | 1 subnet (the whole network, nothing borrowed)
- /17 = 255.255.128.0 | #hosts = 2^15 = 32768 | 2 subnets (32768 addresses fit into the total 65536 addresses 2 times)
- /18 = 255.255.192.0 | #hosts = 2^14 = 16384 | 4 subnets
- /19 = 255.255.224.0 | #hosts = 2^13 = 8192 | 8 subnets
- /20 = 255.255.240.0 | #hosts = 2^12 = 4096 | 16 subnets
- /21 = 255.255.248.0 | #hosts = 2^11 = 2048 | 32 subnets
- /22 = 255.255.252.0 | #hosts = 2^10 = 1024 | 64 subnets
- /23 = 255.255.254.0 | #hosts = 2^9 = 512 | 128 subnets
- /24 = 255.255.255.0 | #hosts = 2^8 = 256 | 256 subnets
- /25 = 255.255.255.128 | #hosts = 2^7 = 128 | 512 subnets
- /26 = 255.255.255.192 | #hosts = 2^6 = 64 | 1024 subnets
- /27 = 255.255.255.224 | #hosts = 2^5 = 32 | 2048 subnets
- /28 = 255.255.255.240 | #hosts = 2^4 = 16 | 4096 subnets
- /29 = 255.255.255.248 | #hosts = 2^3 = 8 | 8192 subnets
- /30 = 255.255.255.252 | #hosts = 2^2 = 4 | 16384 subnets
- /31 = 255.255.255.254 | #hosts = 2^1 = 2 | 32768 subnets
- /32 = 255.255.255.255 | #hosts = 2^0 = 1 | 65536 subnets
*remember -2 for usable addresses (except /31 and /32)
*remember last 2 octets are host, but taken up by network in subnet (borrowing)
- make 80 subnets for network 172.16.0.0/16
- 2^(x subnet bits) = 80 subnets | 2^7 = 128 subnets
- /23 prefix
- 11111111.11111111.11111110.00000000 = 255.255.254.0/23
- make 250 subnets with equal hosts per subnet on 172.18.0.0/16
- 2^8 = 256 subnets
- /24 prefix --> subnet mask = 255.255.255.0
- borrowing 8 bits for network will allow 256 subnets & 254 hosts per subnet (8 bits left for hosts)
- make 500 subnets with network 172.22.0.0/16, what network prefix should be used
- 2^9 = 512 subnets --> /25 prefix (16 fixed + 9 borrowed)
- make 250 subnets with 172.18.0.0/16, what prefix?
- 2^8 = 256 subnets --> /24 prefix
- what subnet does 172.25.217.192/21 belong to?
- .217 = 11011001
- /21 means 21 bits belong to network, 16 from first 2 octets and 5 from the 3rd
- therefore the first 5 bits in the 3rd octet are fixed, the last 3 are for host
- 11011000 = 216
- therefore the host belongs to the subnet 172.25.216.0/21
- what prefix for 100 subnets (500 hosts) in 172.30.0.0/16
- 2^9 = 512 hosts w 2^7 = 128 subnets
- /23 is correct (16 fixed + 7 borrowed fixed network bits)
- what subnet does 172.21.111.201/20 belong to?
- class B --> 3rd octet
- .111 = .01101111 --> /20 means 4 subnet bits in the 3rd octet (16 + 4 = 20)
- .01100000 = .96 (only first 4 bits fixed)
- therefore the subnet is 172.21.96.0/20
- what is the broadcast address of the network 192.168.91.78/26?
- Class C --> 4th octet
- /26 --> 2 subnet bits
- .78 = .01001110
- .01000000 = .64 = subnet
- .01111111 = .127 = broadcast address
- therefore subnet it belongs to is 192.168.91.64/26
- therefore broadcast address = 192.168.91.127
- ID network and broadcast addresses for second subnet when 172.16.0.0/16 divided into 4 subnets?
- 2^2(subnet bits) = 4 subnets --> /18 when subnetted
- 11111111.11111111.11000000.00000000 (255.255.192.0) = subnet mask
- all subnets:
- 172.16.0.0/18
- 3rd octet 00
- 172.16.64.0/18
- 3rd octet 01
- 172.16.128.0/18
- 3rd octet 10
- 172.16.192.0/18
- 3rd octet 11
- netork address for 2nd subnet = 172.16.64.0/18
- broadcast address for 2nd subnet = 172.16.127.255/18
- divide 172.30.0.0/16 into subnets of 1000 hosts each. how many subnets?
- class B --> first 2 octets fixed
- 2^10(host bits) = 1024 hosts | 6 bits left for subnet
- # subnets = 2^6 = 64 subnets
- Identify the following for 10.217.182.223/11
- Network address:
- class A --> /11 means 3 borrowed bits
- 217 = 110....... (rest don't matter, only first 3. they add to 192)
- network address = 10.192.0.0/11
- Broadcast address:
- 11011111 = 223
- broadcast address = 10.223.255.255/11
- First usable address: 10.192.0.1/11
- Last usable address: 10.223.255.254/11
- Number of host addresses (usable):
- 32-11 = 21 therefore 2^21 -2 usable host addresses
All questions related to Subnetting:
- Network ID (first IP in each network)
- Broadcast ID (last IP in each network)
- First host IP (address after Network ID)
- Last host IP (address before Broadcast ID)
- Next network (IP address after Broadcast IP)
- #IP addresses (number of IPs in each network)
- CIDR/Subnet (converting between CIDR/Subnet Mask)
# of Subnets = 2^(# subnet bits) --> subnet bits = borrowed bits
# of Hosts (usable) = 2^(# host bits) - 2
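Added example (Python, not from the original notes) that does the arithmetic behind every question type in the list above with the same operations used by hand: network = address AND mask, broadcast = network OR inverted mask, first/last usable, number of addresses, next network, and mask <-> CIDR conversion. The /31 and /32 cases follow the notes (2 and 1 usable addresses rather than "minus 2"), and two small helpers answer the "how many bits do I need for N subnets / N hosts" questions. The inputs are the addresses from the quiz questions.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF      # prefix ones followed by zeros


def mask_to_prefix(mask: str) -> int:
    """255.255.255.192 -> 26. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def subnet_info(cidr: str) -> dict:
    """Everything the exam asks for one address/prefix pair."""
    ip, plen = cidr.split("/")
    prefix = int(plen)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask                  # host bits set to 0
    broadcast = network | (~mask & 0xFFFFFFFF)      # host bits set to 1
    total = 1 << (32 - prefix)
    if prefix == 32:                                # host route: the one address is the host
        first, last, usable = network, network, 1
    elif prefix == 31:                              # point-to-point: no network/broadcast reserved (RFC 3021)
        first, last, usable = network, broadcast, 2
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "network": f"{int_to_ip(network)}/{prefix}",
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "total_addresses": total,
        "usable_hosts": usable,
        "next_network": int_to_ip((broadcast + 1) & 0xFFFFFFFF),
    }


def subnets_of(cidr: str, new_prefix: int) -> list:
    """Split a block into equal subnets, e.g. 172.16.0.0/16 into /18s (FLSM)."""
    base = subnet_info(cidr)
    net_ip, old_prefix = base["network"].split("/")
    old_prefix = int(old_prefix)
    if new_prefix < old_prefix:
        raise ValueError("new prefix must be longer than the original")
    start, step = ip_to_int(net_ip), 1 << (32 - new_prefix)
    return [f"{int_to_ip(start + i * step)}/{new_prefix}" for i in range(1 << (new_prefix - old_prefix))]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest block whose usable count (2^host_bits - 2) covers the hosts; /30 is the floor (exam convention)."""
    host_bits = 2
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def prefix_for_subnets(base_prefix: int, subnets: int) -> int:
    """Borrow enough host bits that 2^borrowed >= the number of subnets needed."""
    borrowed = 0
    while (1 << borrowed) < subnets:
        borrowed += 1
    return base_prefix + borrowed


if __name__ == "__main__":
    for q in ("43.109.23.12/8", "192.168.29.219/29", "10.217.182.223/11"):
        print(q, subnet_info(q))
    print(subnets_of("172.16.0.0/16", 18))
```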
Subnetting (Part 3):
- FLSM (Fixed Length Subnet Masks):
- what we have been doing until now
- all subnets use same prefix length
- subnetting class C network into 4 subnets using /26
- VLSM (Variable Length Subnet Masks):
- create subnets of different sizes for efficiency
- steps:
1) assign largest subnet at start of address space
2) continue assigning based on largest
- 192.168.1.0/24 split into 5 subnets variable: 1) 110 hosts, 2) 45 hosts, 3) 29 hosts, 4) 8 hosts, 5) 2 hosts
- network address for 1:
- 110 hosts requires 7 host bits (2^7=128) --> 1 subnet bit, therefore /25
- ans: 192.168.1.0/25
- broadcast address for 1:
- 192.168.1.127/25 (because there are 128 host addresses (-2 for usable by hosts))
- first usable address for 1:
- 192.168.1.1/25
- last usable address for 1:
- 192.168.1.126/25
- network address for 2:
- add 1 to first subnet's broadcast address = 192.168.1.128
- but what prefix length? 2^6 = 64 hosts, 6 host bits required, thus 2 subnet bits, therfore /26 prefix
- ans: 192.168.1.128/26
- broadcast address for 2:
- 128+64(-1 because 128 is part of it too) = 191 (network address + total host addresses possible =broadcast address)
- ans: 192.168.1.191/26
- first usable address for 2:
- ans: 192.168.1.129/26
- last usable address for 2:
- ans: 192.168.1.190/26
- total usable addresses for 2: 62 (2 for broadcast and network)
********** REMEMBER 2 ADDRESSES NOT USABLE: IF YOU HAVE 8 HOSTS, CAN'T USE /29 (8 ADDRESSES, ONLY 6 USABLE), REALLY NEED 16 (/28)
********** ON TEST, DON'T USE /31 PREFIX FOR POINT TO POINT, USE /30
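Added example (Python with the standard-library ipaddress module; not from the original notes): the VLSM procedure above (largest requirement first, each subnet placed at the next free address) applied to the five-subnet 192.168.1.0/24 question. It enforces the two reminders above: the -2 for network and broadcast when sizing, and never going longer than /30 for a point-to-point link.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Shortest host field with 2^bits - 2 >= hosts, but never fewer than 2 host bits (/30 floor)."""
    return 32 - max(2, (hosts + 1).bit_length())


def vlsm(block: str, requirements: dict) -> list:
    """Carve `block` into subnets sized for each requirement (name -> host count), largest first."""
    space = ipaddress.IPv4Network(block)
    cursor = int(space.network_address)
    end = int(space.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        if cursor % size:                         # a subnet must start on a multiple of its own size
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"{block} exhausted before placing {name} ({hosts} hosts)")
        net = ipaddress.IPv4Network((cursor, plen))
        plan.append({
            "name": name, "hosts": hosts, "network": str(net),
            "first": str(net.network_address + 1), "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address), "usable": net.num_addresses - 2,
        })
        cursor += size
    return plan


# The five requirements from the question above (constructed names).
REQUIREMENTS = {"subnet1": 110, "subnet2": 45, "subnet3": 29, "subnet4": 8, "subnet5": 2}

if __name__ == "__main__":
    for row in vlsm("192.168.1.0/24", REQUIREMENTS):
        print(row)
```

Placing the largest subnet first is what keeps every subnet aligned to its own size without gaps; if the requirements were allocated in a different order the alignment step would leave unusable holes, and the exhaustion check would catch a plan that does not fit the block.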
*review this video
*** review Lab 15
ROAS
- ROAS (Router On A Stick):
- using trunking, router uses one interface, not separate for each VLAN, must config subinterfaces on one interface
- more efficient way of inter-VLAN routing
- don't need separate router interface for every VLAN
- router strips the 802.1Q tag when it receives a frame and re-tags it with the destination VLAN's ID before sending it back out the trunk
- ex: g0/0 becomes g0/0.10, g0/0.20, g0/0.30
- one physical interface, divided logically
- to configure:
- "no shutdown" (on the physical interface g0/0 first; the subinterfaces come up with it)
- "interface g0/0.10"
- "encapsulation dot1q 10" (10 = vlan number)
- "ip address 192.168..... 255.255.255...."
- repeat this for every subinterface: "int g0/0.20" "encap dot1q 20" "ip add ... ..."
- physical interface will show no IP assigned to it, only subinterfaces "show ip int br" "show ip route"
- Native VLAN on a router (ROAS):
- 2 methods to config Native VLAN on router:
1) "encapsulation dot1q 10 native" (10 is the vlan id) on the subinterface (g0/0.10)
2) configure IP for Native VLAN on router's physical interface
- "no interface g0/0.10" --> delete subinterface
- "int g0/0"
- "ip add ... ..."
- this will use the physical interface ip as the native VLAN instead of creating a subinterface for it
- switch will send untagged frames to router and vice versa
- recommended to change the native VLAN to an unused VLAN for security (untagged frames on the native VLAN are what double-tagging VLAN hopping abuses). BUT you can just use the physical interface as native, as long as the switch trunk's native VLAN matches the router's
Dynamic Routing
Dynamic Routing (Layer 3):
- intro to dynamic routing protocols:
- routers can advertise their routing tables to others (remove invalid route)
- if one router dies, others will auto adapt (replace route with an alternative route)
- types of dynamic routing protocols:
- IGP (Interior Gateway Protocol):
- used to share routes within a single AS (Autonomous System) like a company
- Algorithm Type (share info & determine best route)
- Distance Vector:
- sends following directly to neighbors --> known dest networks & metric to reach known dest networks
- sends distance and vector (metric for best route and next hop for vector)
- called 'routing by rumor': doesn't know info beyond its neighbors
- uses RIP (Routing Information Protocol):
- Metric: hop count: each hop to dest adds to metric
- doesn't factor in speed of cabling
- maximum hop count = 15
- uses EIGRP (Enhanced Interior Gateway Routing Protocol):
- Cisco proprietary
- Metric: bandwidth & delay (by default)
- 2 things used to calc metric:
- total delay values of all links in the path
- bandwidth of slowest link in route
- Link State:
- every router creates a complete connectivity map of the network (same on each router)
- each router advertises info about its interfaces (connected networks) to neighbors
- all routers develop same map of network
- each router independently uses map to calc best route to each dest
- Link State protocols use more resources, more info shared
- faster at adapting
- uses OSPF (Open Shortest Path First):
- Metric: Cost
- cost based on bandwidth
- total metric = total cost of each link in the route
- uses IS-IS (Intermediate System to Intermediate System):
- Metric: Cost
- total metric = total cost of each link in the route
- cost of each link is NOT calced automatically by default, all links have cost of 10 by default
- without config, functions SAME as RIP (hop counting)
- EGP (Exterior Gateway Protocol):
- used to share route between different ASs
- Algorithm Type (share info & determine best route):
- Path Vector: uses BGP (Border Gateway Protocol)
- Metric:
- if router learns 2+ routes via same routing protocol to same dest with same metric, both are added to routing table
- both have same cost (metric), so both are valid
- RIP would consider 2 different speed links as same, just cares about hop count
- RIP will add 2 routes of unequal speed as ECMP, whereas EIGRP will NOT (its metric includes bandwidth, so the slower link gets a worse metric)
- in this case, the traffic will be load balanced with ECMP
- ECMP (Equal Cost Multi-Path) load balancing
- also works with static routes not configured with a dynamic protocol
- dynamic routing protocol metrics:
- measure how far destination is (like root cost in STP)
- used to determine best route to destination
- lower metric is superior (just like lower root cost)
- administrative distance:
- another part of determining best route to destination
- used to determine which routing protocol (route source) is preferred when the same destination is learned from 2 different protocols
- lower AD is preferred:
- lower AD indicates a routing protocol is more trustworthy, more likely to choose best route
- all routing protocol AD rankings:
- directly connected: 0
- static: 1
- eBGP (External BGP): 20
- EIGRP: 90
- IGRP: 100
- OSPF: 110
- IS-IS: 115
- RIP: 120
- EIGRP (external): 170
- iBGP (Internal BGP): 200
- unusable route: 255
- any route with an AD of 255 is unusable: not trustworthy
* just memorise order, don't really need numbers
- these are the values used on Cisco devices, other vendors might rank differently
*** metric is used to compare routes learned from SAME routing protocol
- before comparing metrics, AD is used to select best routing protocol (metric doesn't matter before choosing protocol)
* in IOS, AD and Metric are shown in the "show ip route" command:
- will show an IP and then [AD/Metric]
- ex: O 192.168.4.0/24 [110/2] via 10.0.13.2, GigabitEthernet1/0
- O = OSPF, but you can tell that also by the AD#110
* you can change AD of a routing protocol if you want one protocol to be preferred by default
* can also change AD of a static route
- make it less preferred than dynamic routing protocol to same destination by making the AD higher for static route
- makes route Floating Static Route: inactive --> see below
- ex: "ip route 10.0.0.0 255.0.0.0 10.0.13.2 100" --> the 100 is the AD manually configured on a static route
*** Network Route: a route to a network/subnet (mask length < /32)
- show as connected or static routes in router
*** Host Route: a route to a specific host (/32 mask)
- show as local routes in router
*** Floating Static Route: inactive route (not in routing table) unless route learned by dynamic routing protocol is removed
*** Default Route: 0.0.0.0 gateway of last resort, least specific route
- routes that have no match go here
- internet
*** watch ExSim question in vid 45 (day 24)
- the router always picks the most specific route (longest prefix match) FIRST; AD and Metric only matter between routes to the SAME prefix
* "distance" in IOS means AD
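Added example (Python, not from the original notes) of the selection order described above: per prefix, the lowest AD wins, then the lowest metric, with ties installed together as ECMP and AD 255 never installed; at forwarding time only the longest prefix match matters. The routing-table contents are constructed for the demonstration, with a floating static whose AD 130 loses to OSPF (110) until the OSPF route disappears.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Cisco default administrative distances (from the list above)
DEFAULT_AD = {"connected": 0, "static": 1, "eBGP": 20, "EIGRP": 90, "IGRP": 100, "OSPF": 110,
              "IS-IS": 115, "RIP": 120, "EIGRP external": 170, "iBGP": 200}
CODE = {"connected": "C", "static": "S", "eBGP": "B", "iBGP": "B", "EIGRP": "D", "EIGRP external": "D EX",
        "IGRP": "I", "OSPF": "O", "IS-IS": "i", "RIP": "R"}


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "10.0.4.0/24"
    source: str                 # key of DEFAULT_AD
    metric: int
    next_hop: str
    ad: Optional[int] = None    # manually configured AD, e.g. a floating static "ip route ... 130"

    def admin_distance(self) -> int:
        return self.ad if self.ad is not None else DEFAULT_AD[self.source]

    def prefixlen(self) -> int:
        return ipaddress.IPv4Network(self.prefix).prefixlen


def routing_table(candidates: list) -> list:
    """Per prefix, install the candidate(s) with the lowest AD, then the lowest metric; equal ones are ECMP.
    AD 255 is never installed."""
    table = []
    for prefix in sorted({r.prefix for r in candidates}):
        group = [r for r in candidates if r.prefix == prefix and r.admin_distance() < 255]
        if not group:
            continue
        best_ad = min(r.admin_distance() for r in group)
        group = [r for r in group if r.admin_distance() == best_ad]
        best_metric = min(r.metric for r in group)
        table.extend(r for r in group if r.metric == best_metric)
    return table


def lookup(table: list, dest: str) -> list:
    """Forwarding decision: longest prefix match only. Returns every ECMP route for that prefix."""
    d = ipaddress.IPv4Address(dest)
    matches = [r for r in table if d in ipaddress.IPv4Network(r.prefix)]
    if not matches:
        return []
    longest = max(r.prefixlen() for r in matches)
    return [r for r in matches if r.prefixlen() == longest]


def show_ip_route(table: list) -> list:
    """Lines in the 'show ip route' shape from the notes: <code> <prefix> [AD/metric] via <next hop>."""
    return [f"{CODE[r.source]} {r.prefix} [{r.admin_distance()}/{r.metric}] via {r.next_hop}" for r in table]


# Constructed candidate routes for one router (not the notes' lab).
CANDIDATES = [
    Route("0.0.0.0/0", "static", 0, "203.0.113.1"),
    Route("10.0.0.0/8", "OSPF", 20, "10.0.12.2"),
    Route("10.0.0.0/8", "static", 0, "10.0.13.2", ad=130),     # floating static: backup for the OSPF route
    Route("10.0.4.0/24", "OSPF", 2, "10.0.13.2"),
    Route("10.0.4.0/24", "RIP", 1, "10.0.14.2"),                # lower metric, but RIP's AD 120 loses to OSPF 110
    Route("10.0.5.0/24", "OSPF", 2, "10.0.12.2"),
    Route("10.0.5.0/24", "OSPF", 2, "10.0.13.2"),               # same protocol, same metric: ECMP
    Route("10.0.6.0/24", "static", 0, "10.0.15.2", ad=255),     # unusable, never installed
]

if __name__ == "__main__":
    rib = routing_table(CANDIDATES)
    print("\n".join(show_ip_route(rib)))
    for dest in ("10.0.4.9", "10.0.5.7", "10.9.9.9", "192.0.2.1"):
        print(dest, "->", [r.next_hop for r in lookup(rib, dest)])
```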
* IOS "traceroute" command
* ipconfig /all --> shows IP, subnet mask and default gateway in Windows (ipconfig only displays/renews; there is no /ip or /dg switch, addresses are set in the adapter settings or with "netsh interface ipv4 set address")
RIP & EIGRP:
- not on exam topics but important
- Distance Vector:
- sends following directly to neighbors --> known dest networks & metric to reach known dest networks
- sends distance and vector (metric for best route and next hop for vector)
- called 'routing by rumor': doesn't know info beyond its neighbors
- RIP (Routing Information Protocol):
- almost never used
- RIPv1 & RIPv2 for IPv4
- v1 only uses Classful addresses (class A,B,C IPs), doesn't support VLSM or CIDR
- messages are broadcast to 255.255.255.255
- v2 supports VLSM & CIDR, incl submask info in advertisements
- messages are Multicast to 224.0.0.9
- RIPng (next gen) for IPv6
2 message types:
1) Request: ask RIP-enabled neighbor routers to send their routing table
2) Response: send local router's routing table to neighboring routers
- will share routing table every 30 sec by default
- Metric: hop count: each hop to dest adds to metric
- doesn't factor in speed of cabling
- maximum hop count = 15
- Commands:
- "router rip" --> rip config
- "version 2" --> (always do this)
- "no auto-summary" --> don't convert addresses to Classful (always do this)
- "network 10.0.0.0" --> 10.0.12.0 would convert auto to 10.0.0.0 (Classful) (only first octet must match)
- network command: tells router to look for interfaces with IP that is in specified range to activate RIP on
- activate RIP on those ints, look for adjacencies with connected RIP neighbors
- advertise network prefix of interface (NOT prefix in the network command)
- EIGRP & OSPF network commands work almost the same
- ex: "network 172.16.0.0" --> R1 looks for any interfaces that match 172.16.0.0/16
- R1 finds that G0/0 has IP 172.16.1.14/28 and activates RIP on it
- there are adjacencies, so it advertises the network IP 172.16.1.0/28 to them
- if there are no routers connected (adjacencies), config router as passive, no unnecessary advertisements
- "passive-interface g0/0" --> from rip configuration mode
- stop sending RIP ads
- will continue to advertise network prefix on interface (172.16.1.0/28) to RIP neighbors
- EIGRP & OSPF have SAME command for the same function
- "default-information originate" --> share default route (RIP config mode)
- OSPF has same command
- "maximum-paths <1-32>" --> change max paths for ECMP load balancing (default = 4)
- same command for EIGRP & OSPF
- "show ip protocols"
- can be used for RIP, EIGRP, OSPF
- "distance <1-255>" --> set AD
- can be used for RIP, EIGRP, OSPF
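To make the "routing by rumor" idea concrete, here is an added Python simulation of the RIP exchange described above (not code from the page or from Cisco): each router's Response carries only (prefix, hop count), a neighbor trusts what it hears and adds one hop, and anything that would reach 16 hops is unreachable and never installed. The topology builder is constructed for the example; the second test uses a 17-router chain so the 15-hop limit actually bites.

```python
RIP_INFINITY = 16   # hop count 16 means unreachable; 15 is the maximum usable

def build_chain(n):
    """Constructed topology: routers R1..Rn in a line, each with one LAN of its own."""
    routers = [f"R{i}" for i in range(1, n + 1)]
    links = {(routers[i], routers[i + 1]) for i in range(n - 1)}
    direct = {r: [f"10.{i + 1}.0.0/24"] for i, r in enumerate(routers)}
    return direct, links

def rip_converge(direct, links, max_rounds=100):
    """Run a RIP-style distance-vector exchange until no table changes.
    direct: {router: [connected prefixes]}, links: set of (router, router) pairs.
    Returns ({router: {prefix: (hops, next_hop)}}, rounds_needed)."""
    neighbors = {}
    for a, b in links:
        neighbors.setdefault(a, set()).add(b)
        neighbors.setdefault(b, set()).add(a)
    # Connected networks start at 0 hops
    tables = {r: {p: (0, "connected") for p in nets} for r, nets in direct.items()}
    for rnd in range(1, max_rounds + 1):
        # Each router's Response message: only (prefix, metric), i.e. distance and vector
        responses = {r: [(p, hops) for p, (hops, _) in t.items()] for r, t in tables.items()}
        changed = False
        for r in tables:
            for nbr in neighbors.get(r, ()):
                for prefix, hops in responses[nbr]:
                    cost = hops + 1                 # hop count: every hop adds one
                    if cost >= RIP_INFINITY:
                        continue                    # beyond 15 hops: unreachable, not installed
                    current = tables[r].get(prefix)
                    if current is None or cost < current[0]:
                        tables[r][prefix] = (cost, nbr)   # routing by rumor: trust the neighbor
                        changed = True
        if not changed:
            return tables, rnd
    return tables, max_rounds

def reachable(tables, router, prefix):
    """True when the router has a usable route to the prefix after convergence."""
    return prefix in tables[router]
```

In a four-router chain R1 learns R4's LAN at 3 hops via R2 after three rounds of rumors; in a 17-router chain R2 still reaches R17's LAN (15 hops) but R1 never does, because the route would need 16.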
- EIGRP (Enhanced Interior Gateway Routing Protocol):
- was Cisco proprietary: now partially open source
- enhanced version of IGP
- messages are Multicast to 224.0.0.10
- different than RIPv2! (224.0.0.9)
- EIGRP is the only IGP that can do UNEQUAL-cost load balancing
- default is ECMP load balancing over 4 paths (like RIP)
- feasible distance (FD): this router's Metric value to route's destination
- reported/advertised distance: neighbor's Metric value to route's destination
- successor: route with lowest Metric to destination (BEST route)
- feasible successor: alternate route to destination (not best) which meets feasibility condition
- feasibility condition: reported distance < successor route's feasible distance
- loop prevention mechanism
- Unequal cost load balancing:
- other protocols only load balance if each route's metric is equal
- EIGRP only does unequal-cost load balancing over feasible successor route. Routes must meet feasibility req.
- if not meeting feasibility requirement, will never be load balanced, regardless of variance
- EIGRP maximum metric variance 1 (from "show ip protocols") --> '1' means only ECMP load balancing will happen
- "variance 2" --> change variance, 2 means feasible successor routes w FD up to 2x the successor route's FD can be load balanced
- Metric: bandwidth & delay (by default)
- shows as 'K' values in IOS (K2, K4, K5 = 0 by default... not used to calc Metric)
2 things used to calc metric:
- total delay values of all links in the path
- bandwidth of slowest link in route
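The feasibility condition, variance and the bandwidth/delay metric above are easier to see with numbers. The following Python is an added worked example (not from the page or Cisco). It uses the composite metric with the default K values, which with K1 = K3 = 1 reduces to 256 x (10^7 / slowest bandwidth in kbps + total delay in tens of microseconds); the three-neighbor topology is constructed. R4's path is deliberately built so that it is cheap enough for variance 2 yet fails the feasibility condition, so it is never load balanced.

```python
def eigrp_metric(links):
    """EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
    256 * (10^7 / slowest bandwidth in kbps + total delay in tens of microseconds).
    links: [(bandwidth_kbps, delay_us), ...] along the path."""
    slowest_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return 256 * (10_000_000 // slowest_bw + total_delay // 10)

def eigrp_topology(paths):
    """paths: {neighbor: [(bw, delay) of the link to the neighbor, then the neighbor's
    own links onward to the destination]}.
    FD = this router's metric via the neighbor; RD = the neighbor's own metric (links after the first)."""
    return {n: {"FD": eigrp_metric(links), "RD": eigrp_metric(links[1:])} for n, links in paths.items()}

def successor(topology):
    """Best route: lowest feasible distance."""
    return min(topology, key=lambda n: topology[n]["FD"])

def feasible_successors(topology):
    """Feasibility condition: the neighbor's RD must be strictly lower than the successor's FD."""
    s = successor(topology)
    return [n for n in topology if n != s and topology[n]["RD"] < topology[s]["FD"]]

def load_balanced(topology, variance=1):
    """Routes EIGRP will actually use: the successor plus feasible successors whose FD is
    within variance x the successor's FD. Routes failing the feasibility condition never
    qualify, however large the variance."""
    s = successor(topology)
    limit = variance * topology[s]["FD"]
    return [s] + [n for n in feasible_successors(topology) if topology[n]["FD"] <= limit]

# Constructed example: R1 reaching one destination LAN through three neighbors.
GIG = (1_000_000, 10)    # GigabitEthernet defaults: 1 Gbps, 10 us delay
FAST = (100_000, 100)    # FastEthernet defaults: 100 Mbps, 100 us delay
PATHS = {
    "R2": [GIG, GIG],        # gig link to R2, R2 sits directly on the destination LAN
    "R3": [FAST, GIG],       # slow link to R3, R3 sits directly on the LAN
    "R4": [GIG, GIG, GIG],   # R4 reaches the LAN through one more gig hop
}
```

With these values the successor is R2 (FD 3072). R3 is a feasible successor (RD 2816 < 3072) but its FD of 28416 only falls within the limit at variance 10. R4 has RD 3072, which is not strictly less than 3072, so it is excluded at any variance even though its FD (3328) would fit comfortably at variance 2.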
- Commands:
- "show ip protocols"
- EIGRP routes: indicated with 'D' [90/Metric] or for external [170/Metric]
- router ID: unique IP within AS.
- determined by order of priority:
1) manual configuration
- "eigrp router-id "
2) highest IP on a loopback interface
3) highest IP on a physical interface
- "router eigrp 1" --> '1' is the AS (Autonomous System) number, Must match between routers
- "no auto-summary"
- "passive-interface g0/0"
- "network 10.0.0.0" --> assumes classful /8 if no netmask given
- telling router to activate EIGRP on any interface with an IP in the 10.0.0.0/8 range
- router will then advertise the actual interface network prefix (could be /28, or whatever)
- "network 172.16.1.0 0.0.0.15" --> subnet mask uses Wildcard Mask
- Wildcard Mask: inverted netmask --> 255.255.255.0 becomes 0.0.0.255
- 255.255.255.240 becomes 0.0.0.15
- for EIGRP to be activated, EIGRP network address must match int IP where Wildcard Mask 0's are
- ex: R1 G0/0 IP = 172.16.1.14
10101100.00010000.00000001.00001110
- EIGRP network command = 172.16.1.0
10101100.00010000.00000001.00000000
- Wildcard Mask = 0.0.0.7
00000000.00000000.00000000.00000111
--> the two addresses above DON'T match where the Wildcard Mask bits are 0
- the 4th bit from the right is 0 in the Wildcard Mask, but the two addresses differ in that bit (1 vs 0)
- if EIGRP network IP were 172.16.1.8, they would match
- can keep it simple and use same prefix length as interface
- OSPF uses Wildcard Masks too
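The wildcard-mask matching just walked through by hand is shown below as added Python (not the page's or Cisco's code). It inverts a netmask into a wildcard, derives the classful wildcard that "network 10.0.0.0" implies when no mask is given, checks an interface address against a network command bit by bit, and simulates the network command over a constructed interface table for R1 (G0/0 carries the page's 172.16.1.14/28 example). The advertised prefix comes from the interface, not from the network command, exactly as the notes say.

```python
from ipaddress import ip_address, ip_network

def wildcard_from_mask(netmask):
    """Wildcard mask is the inverted subnet mask: 255.255.255.240 -> 0.0.0.15."""
    return str(ip_address(int(ip_address(netmask)) ^ 0xFFFFFFFF))

def classful_wildcard(network):
    """What 'network 10.0.0.0' means with no mask given: class A /8, B /16, C /24."""
    first_octet = int(ip_address(network)) >> 24
    if first_octet < 128:
        return "0.255.255.255"
    if first_octet < 192:
        return "0.0.255.255"
    return "0.0.0.255"

def wildcard_match(interface_ip, network, wildcard):
    """True when every bit that is 0 in the wildcard is identical in the two addresses;
    bits that are 1 in the wildcard are ignored."""
    care = int(ip_address(wildcard)) ^ 0xFFFFFFFF
    return ((int(ip_address(interface_ip)) ^ int(ip_address(network))) & care) == 0

def activate(interfaces, network, wildcard=None):
    """Simulate the network command: return (interface, advertised prefix) for each
    interface whose IP falls in the range. The advertised prefix is the interface's
    own (e.g. /28), never the prefix typed in the network command."""
    wildcard = wildcard or classful_wildcard(network)
    result = []
    for name, addr in interfaces.items():
        ip, _plen = addr.split("/")
        if wildcard_match(ip, network, wildcard):
            result.append((name, str(ip_network(addr, strict=False))))
    return result

# Constructed interface table for R1 (the G0/0 address is the page's example).
R1_INTERFACES = {"G0/0": "172.16.1.14/28", "G0/1": "10.0.12.1/30", "Loopback0": "1.1.1.1/32"}
```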
- "interface loopback <#>" --> then config IP for it
- ex: <#> = 0
- ex IP: '1.1.1.1 255.255.255.255'
- make it a passive interface: "passive-interface loopback 0"
- loopback interface: virtual interface in router
- loopback interfaces are always in up/up state (unlike others that can fail)
- even if an interface fails, router can still be reached on loopback interface
- "show ip eigrp neighbors"
- "show ip route"
- "show ip route eigrp"
- "show ip route "
- "show ip eigrp topology" --> more detail
- can have 2 IGPs running on a router simultaneously (EIGRP & RIP for example)
- waste, no use for this
-* broadcast messages: delivered to all devices on LAN
-* multicast messages: delivered to devices that have joined specific multicast group
OSPF (Open Shortest Path First):
- Link-State dynamic routing protocol
- see above for info on these protocols
- operations of OSPF:
- uses 'Shortest Path First' algorithm AKA Dijkstra's Algorithm
- 3 versions of OSPF: v1 (old), v2 (used with IPv4), v3 (developed for IPv6... but can be used for IPv4)
- EXAM topic is only OSPFv2
- routers store info about networks in LSAs (Link State Advertisements)
- LSAs are organized into a structure called the LSDB (Link State DataBase)
- routers flood LSAs until all routers in OSPF Area develop same map of network (LSDB)
- LSA has aging timer: will flood every 30 sec by default
- each router then uses Dijkstra's algorithm to calculate its best path to the network in the LSA
- 3 steps in sharing LSAs and determining best route to each dest:
1) Becoming neighbors with other routers connected to same segment
2) exchange LSAs with neighbor routers
3) each router indep calcs best route to dest and inserts in routing table
- OSPF Areas:
- Area: set of routers and links that share same LSDB
- allows splitting networks into smaller sections with different LSDBs
- small networks can be single-area with no negative effects on performance
- large networks should be divided: OSPF algo takes longer to calc routes & req. more memory & proc
- EXAM topic just mentions single-area OSPF
- Area 0:
- backbone area
- all areas must connect to area 0
- Terms:
- Internal routers: routers with all interfaces in same area
- ABRs (Area Border Routers): routers with interfaces in multiple areas
- maintain separate LSDB for each area they are connected to (rec. connect max 2 areas/router)
- Backbone routers: routers connected to backbone area (area 0)
- includes ABRs & internal backbone routers
- intra-area route: route to destination inside same OSPF area
- inter-area route: route to destination in a different OSPF area
- Rules
- OSPF areas must be Contiguous: can't split same area across different locations (just make new one)
- OSPF areas must have at least one ABR connected to backbone area
- OSPF interfaces in same subnet must be in same area: if not, won't become neighbors (no OSPF)
- router ID: unique IP within Area - determined by order of priority:
1) manual configuration
- "router-id <1.1.1.1>" --> from OSPF config mode
- "clear ip ospf process"
- bad idea in real network but fine in lab
2) highest IP on a loopback interface
3) highest IP on a physical interface
- OSPF supports ECMP load-balancing over 4 paths by default
- "maximum-paths <1-32>" --> change max paths
- ASBR (Autonomous System Boundary Router):
- router that connects internal OSPF network to a network outside the OSPF domain
- router that is running multiple protocols and serves as a gateway to routers outside the OSPF domain and those operating with different protocols.
- The ASBR is able to import and translate different protocol routes into OSPF through a process known as redistribution.
- OSPF Config:
- "router ospf <#>" --> OSPF config mode
- router can run multiple OSPF processes at once: need to ID them <#> = process ID (ex: 1)
- usually only run one process at a time
- OSPF process ID is locally significant: routers with diff process IDs can become neighbors
- (unlike EIGRP AS#)
- process ID is totally unrelated to Area
- "network " --> activate OSPF on the interfaces whose IP falls in this network range
- ex: "10.0.12.0 0.0.0.3 area 0"
-* for CCNA, only need to config single-area: best practice to use area 0
- network command function:
- tells OSPF to look for any interfaces with an IP contained in the range specified
- activate OSPF on the interface in the specified area
- router will try to become OSPF neighbors with other OSPF-activated neighbor routers
-* just tells router which interfaces to activate OSPF on, NOT to advertise networks
- "passive-interface g2/0" --> stop sending OSPF Hello messages
- router will still send LSAs to neighbors
- always enable this if no OSPF neighbors: limit waste
- same command for RIP & EIGRP
- "default-information originate" --> router will create new LSA and flood it for all to learn gateway
- router will also become OSPF ASBR
- "show ip protocols"
- "distance <1-255>" --> set AD
- "show ip ospf database" --> shows all LSAs in LSDB
- "show ip ospf interface"
OSPF (Part 2):
- OSPF Metric (Cost):
- auto calculated by dividing reference bandwidth (100Mb/s default) by interface's bandwidth (10/100/1000Mb/s, etc...)
- all values less than 1 will be converted to 1 (fast, gig, 10gig will all have same cost w default reference)
- loopback interfaces have Cost = 1 + Cost???
- ex: Reference = 100Mb/s / Interface = 10Mb/s == Cost of 10
- ex: Reference = 100Mb/s / Interface = 1000Mb/s == Cost of 1
- should set reference bandwidth higher than your fastest interface bandwidth for future upgrades
- 100,000 Mb/s is good
- Must make reference bandwidth the same on all routers
- OSPF cost to a destination = total cost of all the exit interfaces on the way to dest (same as STP Cost)
3 ways to change OSPF cost:
1) change reference bandwidth
2) manually configure Cost
3) change bandwidth: doesn't change speed of interface, but the two match by default
- bandwidth is just used to calc OSPF cost (and other calcs) --> not recommended to change
- see below for commands
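Two things from the OSPF sections above are worth running rather than reading: the interface cost formula (reference bandwidth divided by interface bandwidth, never below 1) and the SPF calculation that each router runs over the LSDB (Dijkstra's algorithm, path cost being the sum of exit-interface costs). The Python below is an added example, not code from the page or Cisco, over a constructed four-router topology. It shows why the default reference of 100 Mb/s is a problem: a gigabit path and a FastEthernet path both cost 2 and are load balanced, while a reference of 100,000 Mb/s tells them apart.

```python
import heapq

def ospf_cost(interface_mbps, reference_mbps=100):
    """Interface cost = reference bandwidth / interface bandwidth (integer division),
    never below 1, so at the default reference Fast, Gig and 10Gig all cost 1."""
    return max(1, reference_mbps // interface_mbps)

def symmetric(links):
    """Add the reverse direction of every link with the same bandwidth."""
    return {**links, **{(b, a): bw for (a, b), bw in links.items()}}

# Constructed topology: (router, neighbor) -> bandwidth in Mb/s of the exit interface.
TOPOLOGY = symmetric({
    ("R1", "R2"): 1000, ("R2", "R4"): 1000,   # gigabit path
    ("R1", "R3"): 100,  ("R3", "R4"): 100,    # FastEthernet path
    ("R1", "R4"): 10,                         # direct 10 Mb/s link
})

def shortest_paths(topology, source, reference_mbps=100):
    """Dijkstra (OSPF's SPF) from source. Path cost is the sum of exit-interface costs.
    Returns {router: (cost, [equal-cost paths])}; several paths mean ECMP."""
    adjacent = {}
    for (a, b), bw in topology.items():
        adjacent.setdefault(a, []).append((b, ospf_cost(bw, reference_mbps)))
    dist, preds = {source: 0}, {source: []}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry, already improved
        for v, cost in adjacent.get(u, []):
            nd = d + cost
            if v not in dist or nd < dist[v]:
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)        # another equal-cost path: ECMP candidate

    def paths(v):
        if v == source:
            return [[source]]
        return [p + [v] for u in preds[v] for p in paths(u)]

    return {v: (dist[v], sorted(paths(v))) for v in dist}
```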
- Becoming OSPF Neighbors:
- when OSPF is activated on an interface, router sends OSPF Hello messages every 10 sec by default (Hello timer)
- Hello messages are Multicast to IP 224.0.0.5 (VS RIP Multicast address = 224.0.0.9 & EIGRP = 224.0.0.10)
- OSPF messages are encapsulated in an IP header with value of 89 (0x5900) in protocol field (indicates OSPF)
7 states to becoming OSPF neighbors:
1) Down: 2 routers' interfaces are put in OSPF mode, one router (R1) sends Hello message
- first Hello message has router ID of R1 & neighbor router (R2) ID set to 0.0.0.0 (because unknown)
- state is Down because R1 doesn't know any OSPF neighbors yet
2) Init: when R2 receives Hello packet from R1, it will add an entry for R1 to its OSPF neighbor table
- R2 is now in Init state: Hello packet received but own router ID not in Hello packet
3) 2-way:
- R2 sends Hello packet back to R1 w RId of BOTH routers & R1 will then insert R2 in its OSPF neighbor table
- R1 sends another Hello packet back to R2 with BOTH router IDs
- both routers are now in 2-way state: R2 received Hello packet with its own RID in it (confirms 2-way)
- all conditions met for the routers to become OSPF neighbors: can share LSAs to build LSDB
- in some networks: DR (Designated Router) and BDR (Backup Designated Router) will be elected
4) Exstart: Router with higher RID will become Master and initiate exchange (lower ID becomes Slave)
- choses which router will initiate exchange
- DBD (DataBase Description) packets are exchanged to decide which Router is Master & Slave
5) Exchange: routers exchange DBDs which contain list of LSAs in LSDB (basic info of LSAs, not whole thing)
- routers compare DBDs to their own LSAs to determine which LSAs they need to receive from neighbor
6) Loading: routers send LSRs (Link State Request) to request that neighbor sends any LSAs they don't have
- replying router sends back LSUs (Link State Update) message to update neighbor's LSA
- routers then send LSAck messages to acknowledge receipt of LSAs
7) Full: routers have full OSPF adjacency and identical LSDBs
- routers continue to send and listen for Hello packets (every 10 sec def.) to maintain neighbor adjacency
- neighbors will continue to share LSAs so that all routers have complete and identical LSDBs
- every time Hello packet is received, 'Dead' timer (40 sec def.) is reset
- if Dead timer counts down to 0, neighbor is removed
- routers can be neighbors in state 2 but only become adjacencies at state 7 (full)
- 3 steps in OSPF: States 1-3 = Becoming Neighbors | States 4-6 = Exchange LSAs | Calc best route w Metric
- OSPF Message Types:
- Hello
- DBD (DataBase Description)
- LSR (Link State Request)
- LSU (Link State Update)
- LSAck
- More OSPF Config:
- "show ip ospf interface "
- "show ip ospf interface brief"
- "show ip protocols"
- "show ip ospf neighbor" --> OSPF state, Dead timer, Address & Interface
- "auto-cost reference-bandwidth " --> set reference bandwidth from ospf config mode
- "ip ospf cost <1-65535>" --> set cost manually (takes priority over auto-calculated cost)
- "bandwidth <1-1000000 Kb/s>" --> not recommended to change bandwidth, used in mult. calcs
- always use "command ?" --> verify units that a command will change something by (time, speed, etc...)
- "int g0/0", "ip ospf 1 area 0" --> activate OSPF on interface directly (NO NEED for "network" command!)
- "router ospf 1", "passive-interface default", "no passive-interface g0/0" --> default all passive and select actives
OSPF (Part 3):
- OSPF Network Types: different connections/interfaces between routers influence OSPF behaviour
- Broadcast Network Type:
- Ethernet encapsulation
- FDDI (Fiber Distributed Data Interfaces) encapsulation
- function:
- routers dynamically discover neighbors by sending/listening for OSPF Hello messages using Multicast 224.0.0.5
- DR (Designated Router) & BDR (Backup DR) must be elected on each subnet. Only DR if no OSPF neighbors
- routers that aren't DR or BDR = DROther
- DR/BDR/DROther Order of Priority for deciding:
1) Highest OSPF interface priority
- default same on every router
2) Highest OSPF router ID
- router ID usually Loopback IP
- First place becomes DR for subnet, Second place becomes BDR, All others become DROther
- if DR goes down, BDR becomes DR, another election is held for next BDR
- DROthers stay in 2-way state
- in the broadcast network type, all routers will only form a full OSPF adjacency w DR and BDR of segment
- therefore, routers only exchange LSAs with DR and BDR
- all routers still have same LSDBs but reduces LSAs flooding the network
- purpose of DR & BDR: reduce LSAs flooding the network (take less resources)
- messages to DR & BDR use Multicast 224.0.0.6 (vs OSPF messages for all routers = 224.0.0.5)
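The DR/BDR election rules above (priority first, then router ID, priority 0 never eligible, no preemption) as an added Python model; this is not code from the page or Cisco, and the segment of four routers is constructed. Router IDs are compared numerically as addresses, so 10.0.0.1 beats 9.9.9.9.

```python
from ipaddress import ip_address

# Constructed broadcast segment: router ID -> OSPF interface priority.
SEGMENT = {"1.1.1.1": 1, "2.2.2.2": 1, "3.3.3.3": 1, "4.4.4.4": 0}

def _rank(router_id, priority):
    # Higher interface priority wins, then higher router ID (compared as an address)
    return (priority, int(ip_address(router_id)))

def elect(routers):
    """Initial DR/BDR election. routers: {router_id: priority}. Priority 0 routers
    can never be DR or BDR. Returns {"DR": id, "BDR": id or None, "DROther": [ids]}."""
    eligible = sorted((rid for rid, p in routers.items() if p > 0),
                      key=lambda rid: _rank(rid, routers[rid]), reverse=True)
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    others = sorted(rid for rid in routers if rid not in (dr, bdr))
    return {"DR": dr, "BDR": bdr, "DROther": others}

def router_joins(state, routers, router_id, priority):
    """Non-preemptive: a newcomer becomes DROther while a DR and BDR already exist,
    even with a higher priority or router ID. It only fills an empty DR or BDR slot."""
    routers[router_id] = priority
    if state["DR"] is None and priority > 0:
        state["DR"] = router_id
    elif state["BDR"] is None and priority > 0:
        state["BDR"] = router_id
    else:
        state["DROther"] = sorted(state["DROther"] + [router_id])
    return state

def dr_fails(state, routers):
    """The DR goes away: the BDR is promoted and a fresh election picks the next BDR
    from the remaining eligible routers."""
    routers.pop(state["DR"], None)
    remaining = {rid: p for rid, p in routers.items() if rid != state["BDR"]}
    new_bdr = elect(remaining)["DR"]          # best of the rest becomes BDR
    return {"DR": state["BDR"], "BDR": new_bdr,
            "DROther": sorted(rid for rid in routers if rid not in (state["BDR"], new_bdr))}
```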
- Point-to-Point Network Type:
- PPP (Point-to-Point Protocol) encapsulation
- HDLC (High-Level Data Link Control) encapsulation
- function:
- enabled on serial interfaces (rather than ethernet interfaces/cables)
- DCE (Data Communications Equipment): one side of serial connection that specifies clock rate of connection
- can config clock rate manually on router that the DCE side of cable is connected to
- "clock rate " --> increases by 1200 up to 2015232
-* can only be configured on router with DCE end of cable
-* THIS IS SAME AS "speed" command for ethernet interfaces.. Serial uses "clock rate"
- DTE (Data Terminal Equipment):
- routers dynamically discover neighbors by sending/listening for OSPF Hello messages using Multicast 224.0.0.5
- DR & BDR are NOT elected
- because point to point, no reason to have DR/BDR
- 2 routers form full adjacency with each other without DR/BDR
- default encapsulation for Cisco routers in point-to-point = HDLC (cHDLC Cisco version)
- uses same default timers as broadcast networks (Hello = 10 sec, Dead = 40 sec)
-* Serial links CANNOT support broadcast network types, don't support layer 2 broadcast frames
- Non-Broadcast Network Type interfaces:
- Frame Relay encapsulation
- X.25 encapsulation
- OSPF Neighbor & Adjacency Requirements:
1) Area number must match
2) Interfaces must be in same subnet
3) OSPF process must NOT be shutdown: from OSPF config "ospf 1" command "no shutdown" (not shutdown by default)
4) OSPF router IDs must be unique: must clear OSPF process for this to take effect "clear ip ospf process"
5) Hello & Dead timers must match
6) Authentication settings must match: can config password, both routers must have same password
- "ip ospf authentication-key " --> config password (AUTHENTICATION still NOT enabled)
- "ip ospf authentication" --> enable the authentication key on the interface
- neighbor will go down when doing this, MUST match password on neighbor
7) IP MTU settings must match: Maximum size of packets (default 1500 bytes) "ip mtu <68-1500 bytes>"
- if they don't match, routers can still become neighbors BUT won't function properly
-** if neighbors are having trouble reaching full state, check MTU settings
8) OSPF network type must match: SAYS full state, BUT router will not have neighbor's loopback address in routing table
*** be able to fix these issues
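For practising "be able to fix these issues", here is an added Python checklist that applies the eight neighbor/adjacency requirements above, in order, to the two ends of a link (not code from the page or Cisco). The two interface configs are constructed; authentication is modelled as a (enabled, key) pair standing for "ip ospf authentication-key" plus "ip ospf authentication". It distinguishes the three outcomes the notes describe: Hellos rejected outright, neighbors that never reach Full (MTU), and a Full adjacency with routes missing (network type).

```python
from ipaddress import ip_interface

# Constructed configs for the two ends of one link.
R1_G0_0 = {"router_id": "1.1.1.1", "area": 0, "ip": "10.0.12.1/30", "hello": 10, "dead": 40,
           "auth": (True, "secret"), "mtu": 1500, "network_type": "broadcast", "shutdown": False}
R2_G0_0 = {"router_id": "2.2.2.2", "area": 0, "ip": "10.0.12.2/30", "hello": 10, "dead": 40,
           "auth": (True, "secret"), "mtu": 1500, "network_type": "broadcast", "shutdown": False}

def adjacency_check(a, b):
    """Apply the requirements in the order the notes list them. Returns (outcome, findings).
    Outcomes: "NO NEIGHBOR" (Hellos rejected), "NEIGHBOR, NOT FULL" (MTU mismatch),
    "FULL, ROUTES MISSING" (network type mismatch) or "FULL"."""
    blocking = []
    if a["area"] != b["area"]:
        blocking.append("1) area number mismatch")
    if ip_interface(a["ip"]).network != ip_interface(b["ip"]).network:
        blocking.append("2) interfaces not in the same subnet")
    if a["shutdown"] or b["shutdown"]:
        blocking.append("3) OSPF process shut down")
    if a["router_id"] == b["router_id"]:
        blocking.append("4) duplicate router ID")
    if (a["hello"], a["dead"]) != (b["hello"], b["dead"]):
        blocking.append("5) hello/dead timers mismatch")
    if a["auth"] != b["auth"]:
        blocking.append("6) authentication settings mismatch")
    if blocking:
        return "NO NEIGHBOR", blocking
    if a["mtu"] != b["mtu"]:
        return "NEIGHBOR, NOT FULL", ["7) ip mtu mismatch: neighbors form but never reach full state"]
    if a["network_type"] != b["network_type"]:
        return "FULL, ROUTES MISSING", ["8) network type mismatch: neighbor's loopback route missing"]
    return "FULL", []

def with_change(config, **overrides):
    """Copy of a config with some settings changed, to try each failure in turn."""
    return {**config, **overrides}
```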
- OSPF LSA Types:
1) Type 1 - Router LSA:
- every router running OSPF generates this LSA
- IDs router w Router ID
- lists networks connected to router's OSPF-activated interfaces
2) Type 2 - Network LSA:
- generated ONLY by DR of each 'multi-access network' (broadcast network type)
- lists routers that are attached to multi-access network
3) Type 5 - AS External LSA:
- generated by ASBRs to describe routes to destinations outside of AS (OSPF domain)
- Commands:
- "ip ospf priority <0-255>" --> manually config DR by changing interface's priority (default priority = 1)
-* note: priority = 0 NOT allowed to be DR or BDR
-* note: DR/BDR election is NON-PREEMPTIVE --> once selected, won't change until their OSPF role is reset
- reset current DR to let your manually configured DR take over
- can reset by interface failing, shutdown, etc...
- should not shutdown on real network, but ok in lab
- "clear ip ospf process"
- "router-id " --> change router ID, MUST reset OSPF for this to take effect
- "clear ip ospf process" --> reset OSPF process
- "no router-id" --> set router ID to default, Don't need to reset OSPF process
- "show ip ospf neighbor" --> Nbrs F/C (F = full adjacencies, C = total count of neighbors)
- DROthers can have neighbors without full adjacencies because in 2-way state w other DROthers
- "show ip ospf interface brief"
- "show interface s2/0" --> serial interface
- "clock rate " --> increases by 1200 up to 2015232
- can only be configured on router with DCE end of cable
- "show controllers " --> ex: --> will show if DCE or DTE connected
- "encapsulation ppp" --> if changing encapsulation, must match on both ends or interface goes down
- "ip ospf network " --> manually change OSPF network type
- "ip ospf hello-interval " --> change default Hello timer interval
- "ip ospf dead-interval " --> change default Dead timer interval
- neighbor will go down when doing this, MUST match timers on neighbor
- "no ip ospf hello-interval" && "no ip ospf dead-interval" --> reset timers to default
- "ip ospf authentication-key " --> config password (AUTHENTICATION still NOT enabled)
- "ip ospf authentication" --> enable the authentication key on the interface
- neighbor will go down when doing this, MUST match password on neighbor
- "no ip ospf authentication" --> remove auth
- "no ip ospf authentication-key "
- "ip mtu <68-1500 bytes>" --> set MTU (Maximum size of packets that can be sent)
- "no ip mtu" --> reset MTU to default
FHRP
FHRP (First Hop Redundancy Protocols):
- allows PCs to auto switch to a backup router in case of failure of default gateway (default gateway = first hop)
- default gateway & backup router share VIP (Virtual IP address) & VMAC (Virtual MAC address)
- must config on both
- PCs are configured to use VIP & VMAC as default gateway
- active & standby routers have same VIP & VMAC (only one for both)
- if PC sends ARP request, default gateway replies with VMAC
- default gateway and backup router send Multicast Hello messages to each other to negotiate roles
- roles to negotiate: which router is active / standby
- if standby router doesn't receive Hello messages for certain time, will become active router & assume other failed
- when standby router takes over, must update MAC address table on switches by sending gratuitous ARP replies
- Gratuitous ARP = ARP replies sent without being requested
- Sends via broadcast FFFF so that all switches receive updated MAC table (unlike normal unicast ARP replies)
- non-preemptive: current active router stays active if former active router returns online (will become standby router)
- can change so that one router will take back role (preemptive)
- HSRP (Hot Standby Router Protocol):
- Cisco proprietary
- version 1 & version 2 (adds IPv6 support & incr # groups that can be configured)
- Multicast IPv4 address & Virtual MAC address:
- version 1: 224.0.0.2 0000.0c07.acXX (XX = HSRP group number)
- version 2: 224.0.0.102 0000.0c9f.fXXX (XXX = HSRP group number)
- can config a different active router in each subnet/VLAN to load balance (like the per-VLAN STP root bridge)
- VRRP (Virtual Router Redundancy Protocol):
- open standard (most routers run it)
- Master & Backup (vs active/standby)
- Multicast IPv4 address & Virtual MAC address:
- version 1: 224.0.0.18 0000.5e00.01XX (XX = VRRP group number)
- GLBP (Gateway Load Balancing Protocol):
- Cisco proprietary
- load balancing among multiple routers within a single subnet
- AVG (Active Virtual Gateway) is elected
- up to 4 AVFs (Active Virtual Forwarders) assigned by AVG (AVG can be an AVF too)
- each AVF acts as default gateway for a portion of hosts in subnet
- Multicast IPv4 address & Virtual MAC address:
- version 2: 224.0.0.102 0007.b400.XXYY (XX = GLBP group number, YY = AVF number)
- HSRP config (NOT required):
- "show standby"
- "standby version 2 "
- "standby ip " --> config virtual IP (must be same on active & standby routers)
- "standby priority " --> highest priority router will become active router
- "standby preempt"
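The virtual MAC patterns listed for HSRP, VRRP and GLBP are handy for recognising which FHRP (and which group) is in use from nothing more than an ARP reply or a switch's MAC table, and the priority/preempt rules decide which router answers. Both are shown in the added Python below, which is not code from the page or Cisco. The HSRP tie-break on highest interface IP is standard HSRP behaviour not stated in the notes above, and the two-router gateway pair is constructed.

```python
from ipaddress import ip_address

def identify_virtual_mac(mac):
    """Recognise an FHRP virtual MAC (as seen in an ARP reply or a MAC address table)
    and recover the group number. Returns None for an ordinary MAC."""
    hexdigits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac}")
    if hexdigits.startswith("00000c07ac"):        # 0000.0c07.acXX
        return {"protocol": "HSRPv1", "group": int(hexdigits[10:], 16)}
    if hexdigits.startswith("00000c9ff"):         # 0000.0c9f.fXXX
        return {"protocol": "HSRPv2", "group": int(hexdigits[9:], 16)}
    if hexdigits.startswith("00005e0001"):        # 0000.5e00.01XX
        return {"protocol": "VRRP", "group": int(hexdigits[10:], 16)}
    if hexdigits.startswith("0007b400"):          # 0007.b400.XXYY
        return {"protocol": "GLBP", "group": int(hexdigits[8:10], 16),
                "forwarder": int(hexdigits[10:], 16)}
    return None

def hsrp_active(routers, current_active=None):
    """Decide the HSRP active router. routers: {name: {"priority", "ip", "preempt"}}.
    Highest priority wins, ties go to the highest interface IP. Without preempt the
    router that is currently active keeps the role (non-preemptive by default)."""
    best = max(routers, key=lambda n: (routers[n]["priority"], int(ip_address(routers[n]["ip"]))))
    if current_active in routers and current_active != best and not routers[best]["preempt"]:
        return current_active
    return best

# Constructed pair of gateways sharing one virtual IP (HSRP group 10).
GATEWAYS = {
    "R1": {"priority": 110, "ip": "192.168.1.2", "preempt": False},
    "R2": {"priority": 100, "ip": "192.168.1.3", "preempt": False},
}
```

The second hsrp_active test is the scenario from the notes: R1 failed, R2 took over, and when R1 comes back its higher priority does nothing until "standby preempt" is configured on it.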
ACLs
Standard & Extended ACLs (Access Control List):
- controls which hosts can access which parts of network
- packet filter
- ACL tells router what to do based on source/dest IP, source/dest layer 4 ports, etc...
- ACL configured globally on router
- ACL processed from top to bottom
- ACE (Access Control Entries) make up ACLs
- ordered sequence for ACEs
- after being created in global config mode, ACL must then be applied to an interface to take effect
- ACLs are applied inbound or outbound (filter traffic entering vs exiting)
- one outbound ACL && one inbound ACL allowed per interface
- implicit deny: if none match in ACL, router will deny
- on ALL ACLs
- standard ACLs should be applied as close to destination as possible
- extended ACLs should be applied as close to the source as possible
- ACL Types:
- Standard ACLs:
- Standard Numbered ACLs: match Source IP ONLY
- identified with a number (ACL1, ACL2, etc...)
- ACL number range: 1-99 & 1300-1999 (IP ACL)
- "access-list {deny | permit} " --> ACL to deny/permit network
- "access-list {deny | permit} host " --> ACL to deny/permit single host
- "access-list {deny | permit} any" --> usually used at end of ACL to allow all unspecified traffic
- allowing 'any' is same as allowing 0.0.0.0/0
- "access-list remark <##comment/description##>"
- "show access-lists" --> see ACLs on router
- "show ip access-lists" --> see ip ACLs on router
- "ip access-group {in | out}" --> apply ACL to an interface
- CANNOT delete single entries in global config mode, can ONLY delete entire ACL
- CANNOT specify entry-number (only in ACL config mode)
- Another way to config numbered ACLs:
- uses ACL config mode
- can configure exact same way as Named ACLs, just replace with
- can more easily delete entries with "no " from ACL config mode
- can use this just to edit ACL but still use above method for creating ACL
- Standard Named ACLs: match Source IP ONLY
- identified with a name ('block_bob')
- "ip access-list standard " --> enter standard named ACL config mode
- "[entry-number] {deny | permit} " --> create ACL
- "no " --> delete entries in ACL from ACL config mode
- "show access-lists" --> see all ACLs, incl default entry numbers
- "ip access-group {in | out}" --> apply ACL to an interface
- Extended ACLs:
- Extended Numbered ACLs: match Source/Dest IP, Source/Dest Port, etc...
- ACL number range: 100-199 & 2000-2699
- "access-list [permit | deny] " --> setup ACL
- Extended Named ACLs: match Source/Dest IP, Source/Dest Port, etc...
- "ip access-list extended {name | number}" --> enter ACL config mode
- "[entry-num] [permit | deny] " --> set ACL
- add "[{eq | gt | lt | range | neq} ]" after the source address to specify source port numbers
- add "[{eq | gt | lt | range | neq} ]" after the destination address to specify destination port numbers
- eq = equal to # | gt = greater than # | lt = less than # | range # # | neq #| (specify port numbers)
- ex: "deny tcp any 10.0.0.0 0.0.0.255" --> must incl wildcard-mask
- ex: "permit ip any any" --> allow all traffic
- ex: "deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1" --> with 'host', wildcard not required
- ex: "deny tcp any eq 80 10.0.0.0 0.0.0.255" --> deny all traffic to port 80 on 10.0.0.0
- "show ip interface " --> see ACL status and stuff
- Editing ACLs:
- "ip access-list resequence " --> resequencing entry numbers in ACLs
- ex: "ip access-list resequence 1 10 10" --> changes entry '1' to 10 and then increments all others by 10
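Everything in the ACL section (standard vs extended entries, wildcard masks, the port operators, top-to-bottom first-match processing, the implicit deny, default sequence numbers and resequencing) can be exercised with the added Python packet-filter model below. It is not code from the page or Cisco; it parses entries written the way they are typed in ACL config mode (numeric ports only, a simplification) and evaluates constructed packets against them. The sample ACL is built from the page's own example entries; note that, as the port-operator notes above say, "eq 80" placed after the source address constrains the source port.

```python
from ipaddress import ip_address

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, 0xFFFFFFFF)          # address 0 with an all-ones wildcard matches everything

def _address(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (address, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ip_address(tokens.pop(0))), 0)
    return (int(ip_address(t)), int(ip_address(tokens.pop(0))))

def _port_operator(tokens):
    """Consume an optional 'eq|gt|lt|neq N' or 'range N M' (numeric ports only)."""
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        low = int(tokens.pop(0))
        high = int(tokens.pop(0)) if op == "range" else None
        return (op, low, high)
    return None

def parse_ace(line):
    """Parse one entry: '[seq] {permit|deny} [proto] SRC [op] [DST [op]]'.
    Without a protocol keyword it is a standard entry and matches on source only."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if tokens[0] in PROTOCOLS:
        proto = tokens.pop(0)
        src, sport = _address(tokens), _port_operator(tokens)
        dst, dport = _address(tokens), _port_operator(tokens)
    else:
        proto, src, sport, dst, dport = "ip", _address(tokens), None, ANY, None
    return {"seq": seq, "action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def build_acl(lines, start=10, step=10):
    """Number unnumbered entries like IOS does (10, 20, ...) and keep the list ordered
    by sequence number, so an explicit '15 permit ...' lands between 10 and 20."""
    entries, next_seq = [], start
    for line in lines:
        ace = parse_ace(line)
        if ace["seq"] is None:
            ace["seq"], next_seq = next_seq, next_seq + step
        entries.append(ace)
    return sorted(entries, key=lambda e: e["seq"])

def resequence(acl, start, step):
    """'ip access-list resequence NAME start step': renumber every entry in order."""
    for i, ace in enumerate(acl):
        ace["seq"] = start + i * step
    return acl

def _addr_match(addr, rule):
    net, wildcard = rule
    return ((int(ip_address(addr)) ^ net) & (wildcard ^ 0xFFFFFFFF)) == 0

def _port_match(port, rule):
    if rule is None:
        return True
    op, low, high = rule
    if op == "eq":
        return port == low
    if op == "gt":
        return port > low
    if op == "lt":
        return port < low
    if op == "neq":
        return port != low
    return low <= port <= high          # range

def evaluate(acl, packet):
    """Top-to-bottom, first match wins; anything unmatched hits the implicit deny.
    packet: {"proto", "src", "dst", "sport", "dport"}. Returns (action, sequence or None)."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not (_addr_match(packet["src"], ace["src"]) and _addr_match(packet["dst"], ace["dst"])):
            continue
        if ace["proto"] in ("tcp", "udp") and not (
                _port_match(packet.get("sport", 0), ace["sport"])
                and _port_match(packet.get("dport", 0), ace["dport"])):
            continue
        return ace["action"], ace["seq"]
    return "deny", None                 # implicit deny at the end of every ACL

# Constructed extended ACL made from the page's example entries.
WEB_FILTER = build_acl([
    "deny tcp any eq 80 10.0.0.0 0.0.0.255",           # operator after the source = source port 80
    "deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1",
    "permit ip any any",
])
```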
NAT
NAT (Network Address Translation) Part 1:
- Private (inside local) IPv4 Addresses:
- CIDR, NAT, Private IPs = extended lifetime of IPv4
- private IPv4 ranges RFC 1918:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- Intro to NAT:
- NAT allows private IP to translate to Public IP for internet
- Inside Global = public IP
- Inside Local = private IP
- Outside Local = private IP of external server
- Outside Global = Public IP of external server
- Outside Local & Global are Same unless using Destination NAT
- private IPs don't have to be unique but public must be
- translate src and/or dest IP of packet to different IP address
- Source NAT:
- router sending data to internet changes src IP to its own interface's Public IP
- router reverses translation to send back to host
- Static NAT:
- one to one mapping of public to private IPs
- cannot map multiple hosts to same public IP
-* NOT useful for reducing public IPs used
- Static NAT Config:
- define inside interface(s) connected to internal network:
- "int g0/1"
- "ip nat inside"
- define outside interface(s) connected to external network:
- "int g0/0"
- "ip nat outside"
- config NAT translation:
- "ip nat inside source static "
- "show ip nat translations"
- "clear ip nat translation *" --> clear all translations
- won't clear static NATs
- "show ip nat statistics"
NAT Part 2:
- Dynamic NAT:
- router auto maps inside local IPs to inside global IPs
- ACL used to ID which traffic should be translated
- if src IP isn't permitted, won't be translated
- NAT pool defines available inside global IPs
- still one to one mapping
-* doesn't reduce global IPs
- NAT pool exhaustion: ran out of inside global IPs
- host will not be able to access external networks
- Dynamic NAT entries time out after inactivity
- manual clear: "clear ip nat translation"
- Dynamic NAT Config:
- define inside interface(s) connected to internal network:
- "int g0/1"
- "ip nat inside"
- define outside interface(s) connected to external network:
- "int g0/0"
- "ip nat outside"
- Define Traffic that should be translated:
- "access-list 1 permit "
- Define pool (range of addresses) of inside global IPs:
- "ip nat pool { | prefix-length <#>}"
- Map ACL to pool
- "ip nat inside source list 1 pool "
- "show ip nat statistics"
- Dynamic PAT (Port Address Translation):
- Aka: NAT Overload
- translates IP & port number
- Allows multiple to one translation!
- reduces # inside global addresses
- most used of all the NAT types
- Dynamic PAT (Port Address Translation):
- SAME as Dynamic NAT except one word on last command:
- "ip nat inside source list 1 pool overload"
- the overload changes it to PAT
- the pool can just be one address
- Another way to config PAT:
*- config router to use its own public IP for translation
- define inside interface(s) connected to internal network:
- SAME as Dynamic NAT except NO pool (just router IP) & last command different
- "ip nat inside source list 1 interface overload"
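The three source-NAT flavours above differ only in how the translation table is filled, which the added Python model below makes explicit (not code from the page or Cisco; all addresses and scenarios are constructed). Static entries are one-to-one and survive "clear ip nat translation *", dynamic NAT hands out pool addresses one-to-one until the pool is exhausted and the next host gets nothing, and PAT/overload lets many hosts share one inside global address by giving each flow its own port. Port choice under PAT is simplified to "keep the source port if free, otherwise the next free port from 1024".

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Source NAT: static one-to-one entries first, then for ACL-permitted inside-local
    addresses either dynamic NAT from a pool (one-to-one) or PAT/overload (many-to-one)."""

    def __init__(self, statics=None, acl=None, pool=None, overload=False):
        self.statics = dict(statics or {})                  # inside local -> inside global
        self.acl = [ip_network(n) for n in (acl or [])]     # stands in for "access-list 1 permit ..."
        self.pool = list(pool or [])                         # inside global addresses available
        self.overload = overload
        self.dynamic = {}     # inside local -> inside global                   (dynamic NAT)
        self.ports = {}       # (inside local, port) -> (inside global, port)   (PAT)

    def _permitted(self, ip):
        return any(ip_address(ip) in net for net in self.acl)

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving via the inside interface. Returns (global ip, port),
        or None when the pool is exhausted and the host cannot reach outside."""
        if src_ip in self.statics:
            return self.statics[src_ip], src_port
        if not self._permitted(src_ip):
            return src_ip, src_port                 # not matched by the ACL: sent untranslated
        if not self.overload:
            if src_ip not in self.dynamic:
                free = [g for g in self.pool if g not in self.dynamic.values()]
                if not free:
                    return None                     # NAT pool exhaustion
                self.dynamic[src_ip] = free[0]
            return self.dynamic[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.ports:
            global_ip = self.pool[0]                # overload: one address serves every host
            in_use = {p for g, p in self.ports.values() if g == global_ip}
            port = src_port
            if port in in_use:
                port = next(p for p in range(1024, 65536) if p not in in_use)
            self.ports[key] = (global_ip, port)
        return self.ports[key]

    def inbound(self, dst_ip, dst_port):
        """Reverse the translation for return traffic arriving on the outside interface."""
        for local, glob in {**self.statics, **self.dynamic}.items():
            if glob == dst_ip:
                return local, dst_port
        for (local, lport), (glob, gport) in self.ports.items():
            if (glob, gport) == (dst_ip, dst_port):
                return local, lport
        return None                                 # no entry: dropped

    def clear_translations(self):
        """'clear ip nat translation *': dynamic and PAT entries go, static ones stay."""
        self.dynamic.clear()
        self.ports.clear()

def dynamic_nat_scenario():
    """Two-address pool, three inside hosts: the third gets no translation."""
    r = NatRouter(acl=["192.168.1.0/24"], pool=["203.0.113.1", "203.0.113.2"])
    return [r.outbound(host, 4000) for host in ("192.168.1.1", "192.168.1.2", "192.168.1.3")]

def pat_scenario():
    """One global address, two hosts using the same source port, then the return packet."""
    r = NatRouter(acl=["192.168.1.0/24"], pool=["203.0.113.1"], overload=True)
    first = r.outbound("192.168.1.1", 50000)
    second = r.outbound("192.168.1.2", 50000)
    return first, second, r.inbound(*second)

def clear_scenario():
    """After clearing, the dynamic entry is gone but the static one still answers."""
    r = NatRouter(statics={"192.168.1.10": "203.0.113.10"}, acl=["192.168.1.0/24"], pool=["203.0.113.1"])
    r.outbound("192.168.1.1", 4000)
    r.clear_translations()
    return r.inbound("203.0.113.1", 4000), r.inbound("203.0.113.10", 4000)
```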
QoS
QoS (Quality of Service) Part 1:
- IP phones / Voice VLANs:
- traditional phones: PSTN / POTS
- IP phones: VOIP
- Internal 3 Port switch:
1) uplink to external switch
2) downlink to PC
3) internally to phone itself
-* allows PC & phone to share single switchport
-* separate traffic w VLANs
- place phones in Voice VLAN - phone traffic is tagged
- "int g0/0"
- "switchport mode access"
- "switchport access vlan 10" --> Data VLAN (PC)
- "switchport voice vlan 11" --> Voice VLAN (phone)
-* even though this port carries info from 2 diff VLANs, still access port (not trunk port)
VRF
VRF (Virtual Routing & Forwarding):
- divide one physical router into multiple virtual routers (like VLANs for routers)
- each virtual router has its own routing table, functions just like VLANs for switches
- traffic can't be forwarded between VRFs (just like VLANs)
- VRF leaking can be configured to allow it
- used for one device to carry traffic from multiple customers
- ONLY router interfaces, SVIs & routed ports on multilayer switches can be configured in VRF routing table
- layer 3 only
- VRF common for MPLS
- CCNA only needs VRF-Lite (without MPLS)
- without VRF, 2 interfaces on same router cannot be in same subnet
- "ip vrf "
- "show ip vrf"
- "int g0/0"
- "ip vrf forwarding "
- "ping vrf " --> ping from within a specific VRF (routing is kept separate between different VRFs)
- 2 messages in Ping:
- ICMP Echo Request: must know MAC to ping (will ARP if unknown)
- ICMP Echo Reply
- TTL is used to prevent loops at layer 3
Etherchannel
- layer 3 EtherChannel: group of router ports that operate as single interface
Layer 3 Switches