Layer 4: Transport - Dealing with Segments!
TCP/UDP
TCP & UDP:
- ID application layer protocol: Ex TCP 80 = HTTP
- provide session multiplexing: doing two things at once
- Types of ports IANA (Internet Assigned Numbers Authority):
- well known port numbers: 0 - 1023
- servers use this so that hosts know which ports to query
- registered port numbers: 1024 - 49151
- must be registered to use this range
- ephemeral port numbers: 1025 - 65535
- hosts use this range when selecting random source port
- TCP (Transmission Control Protocol):
- Services that TCP provides (UDP does NOT):
- reliable data transfer
- before sending data, two hosts communicate to establish connection
- data sequencing
- sequence numbers in TCP header allow destination host to put segments in order
- flow control
- dest host can tell source host to incr/decr rate that data is sent
- error recovery
- TCP header:
- source & destination port
- sequence & acknowledgement number
- flag bits: ACK, SYN, FIN
- window size: flow control
- TCP 3-way handshake (initiates connections):
1) SYN: PC1 sends TCP segment to SRV1 with SYN flag set
2) SYN-ACK: SRV1 replies with TCP segment with SYN & ACK flags set
3) ACK: PC1 sends TCP segment with ACK bit set
- TCP 4-way handshake (terminates connections):
1) FIN: PC1 sends TCP segment to SRV1 with FIN flag set
2) ACK: SRV1 replies with TCP segment with ACK flag set
2) FIN: SRV1 sends TCP segment with FIN flag set
3) ACK: PC1 sends TCP segment with ACK bit set
- TCP sequencing / reliablility / flow control:
- sequencing:
- 3-way handshake, PC sends SYN with random sequence number
- SRV replies with SYN-ACK with its own random sequence number & PC's sequence number + 1
- +1 for forward acknowledgement: next segment will increment by 1 (or more)
- PC sends ACK with its sequence number incremented by 1 & SRV's sequence number + 1
- After this 3 way handshake, they continue sending ACK segments back and forth, increasing their seq. numbers
- reliability:
- if PC doesn't hear an ACK from SRV, it will send it again (re-transmit failed segments)
- Flow control:
- window size field allows to send multiple segments to send before ACK required
- dynamic adjust: window size increases until segment is dropped, then decreases until all segments go through
- UDP (User Datagram Protocol):
- connectionless
- just sends, no guarantee of delivery, no sequencing, no flow control
- UDP header:
- source port, destination port, length, checksum
- Common Ports:
- TCP:
- 20 FTP data
- 21 FTP control
- 22 SSH
- 23 Telnet
- 25 SMTP
- 80 HTTP
- 110 POP3
- 443 HTTPS
- UDP:
- 67 DHCP server
- 68 DHCP client
- 69 TFTP
- 161 SNMP agent
- 162 SNMP manager
- 514 Syslog
- TCP & UDP:
- 53 DNS
ACL
Standard & Extended ACLs (Access Control List):
- controls which hosts can access which parts of network
- packet filter
- ACL tells router what to do based on source/dest IP, source/dest layer 4 ports, etc...
- ACL configured globally on router
- ACL processed from top to bottom
- ACE (Access Control Entries) make up ACLs
- ordered sequence for ACEs
- after being created in global config mode, ACL must then be applied to an interface to take effect
- ACLs are applied inbound or outbound (filter traffic entering vs exiting)
- one outbound ACL && one inbound ACL allowed per interface
- implicit deny: if none match in ACL, router will deny
- on ALL ACLs
- standard ACLs should be applied as close to destination as possible
- extended ACLs should be applied as close to the source as possible
- ACL Types:
- Standard ACLs:
- Standard Numbered ACLs: match Source IP ONLY
- identified with a number (ACL1, ACL2, etc...)
- ACL number range: 1-99 & 1300-1999 (IP ACL)
- "access-list {deny | permit} " --> ACL to deny/permit network
- "access-list {deny | permit} host " --> ACL to deny/permit single host
- "access-list {deny | permit} any --> usually used at end of ACL to allow all unspecified traffic
- allowing 'any' is same as allowing 0.0.0.0/0
- "access-list remark <##comment/description##>"
- "show access-lists" --> see ACLs on router
- "show ip access-lists" --> see ip ACLs on router
- "ip access-group {in | out}" --> apply ACL to an interface
- CANNOT delete single entries in global config mode, can ONLY delete entire ACL
- CANNOT specify entry-number (only in ACL config mode)
- Another way to config numbered ACLs:
- uses ACL config mode
- can configure exact same way as Named ACLs, just replace with
- can more easily delete entries with "no " from ACL config mode
- can use this just to edit ACL but still use above method for creating ACL
- Standard Named ACLs: match Source IP ONLY
- identified with a name ('block_bob')
- "ip access-list standard " --> enter standard named ACL config mode
- "[entry-number] {deny | permit} " --> create ACL
- "no " --> delete entries in ACL from ACL config mode
- "show access-lists" --> see all ACLs, incl default entry numbers
- "ip access-group {in | out}" --> apply ACL to an interface
- Extended ACLs:
- Extended Numbered ACLs: match Source/Dest IP, Source/Dest Port, etc...
- ACL number range: 100-199 & 2000-2699
- "access-list [permit | deny] " --> setup ACL
- Extended Named ACLs: match Source/Dest IP, Source/Dest Port, etc...
- "ip access-list extended {name | number}" --> enter ACL config mode
- "[entry-num] [permit | deny] " --> set ACL
- add "[{eq | gt | lt | range | neq} to specify port numbers for src
- add "[{eq | gt | lt | range | neq} to specify port numbers for dest
- eq = equal to # | gt = greater than # | lt = less than # | range # # | neq #| (specify port numbers)
- ex: "deny tcp any 10.0.0.0 0.0.0.255" --> must incl wildcard-mask
- ex: "permit ip any any" --> allow all traffic
- ex: "deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1" --> with 'host', wildcard not required
- ex: "deny tcp any eq 80 10.0.0.0 0.0.0.255" --> deny all traffic to port 80 on 10.0.0.0
- "show ip interface " --> see ACL status and stuff
- Editing ACLs:
- "ip access-list resequence --> resequencing entry numbers in ACLs
- ex: "ip access-list resequence 1 10 10" --> changes entry '1' to 10 and then increments all others by 10
NTP
NTP (Network Time Protocol):
- Why time is important for network devices:
- "show clock" --> see time in IOS
- "show clock detail"
- "show clock source" --> see where device gets time from (hardware calendar)
- default time = UTC (Coordinated Universal Time)
- Accurate Logs requires accurate Time --> required for accurate troubleshooting
- Syslog --> protocol used to keep device logs
- "show logging" --> see logs
- hardware clock & software clock are separate, can be configured separately
- Manual time config (Without NTP):
- Software clock:
- "clock set " --> date/month can swap possitions
- set in privileged exec mode
- ex: "clock set 14:40:00 27 Apr 2023"
- Hardware clock:
- "calendar set " --> date/month can swap possitions
- "show calendar" --> view time
- "clock update calendar" --> sync calendar to clock's time
- "clock read calendar" --> sync clock to calendar's time
- Timezone:
- configured from global config mode
- "clock timezone "
- ex: "clock timezone JST 9"
- Daylight Savings Time:
- "clock summer-time {recurring | date} "
- ex: "clock summer-time EDT recurring 2 Sunday March 02:00 1 Sunday November 02:00"
- NTP baics:
- manually config clocks not scalable & time drift will happen
- NTP allows auto sync of time over network
- NTP accuracy ~1ms over LAN or 50ms over WAN
- Stratum: distance of NTP server from original reference clock (higher stratum = less accurate)
- Reference clock: have stratum = 0, atomic clocks / GPS clocks
- NTP servers connected directly to reference clock = stratum 1
- stratum goes up to 15 (anything more isn't reliable)
- NTP servers can peer with other servers in their stratum for more accuracy
- NTP uses UDP port 123 to communicate
- 3 modes for NTP:
- Server mode
- "ntp master"
- Client mode
- "ntp server become client of server
- Symmetric Active mode
- "ntp peer "
- peer with other devices on same stratum
* NTP devices can be in all 3 modes at once
- Primary Servers = Stratum 1
- Secondary Servers = Stratum > 1
- NTP config:
- "ntp server [prefer]" --> if multiple, will store all and choose best automatically
- "show ntp associations" --> show all NTP servers configured (* = current NTP server in use, + = backup)
- "show ntp status"
- "ntp update-calendar" --> router update hardware clock with NTP
- "ntp source loopback0"
- "ntp master <#>" --> makes router its own NTP server (uses itself) --> #-1 = stratum
- default stratum for ntp master command = 8
- "ntp peer "
- NTP Authentication:
- allows NTP clients to ensure they only sync to intended servers
- "ntp authenticate" --> enable NTP authentication
- "ntp authentication-key md5 " --> key-num = 1, key = password
- "ntp trusted-key " --> specify which keys are trusted
- "ntp server key " --> specify which key is used on which server
* Must do all of these commands
DNS
DNS (Domain Name System):
- Basic Functions of DNS:
- can be configured manually or by DHCP
- A records = map names to IPv4 addresses
- AAAA records = map names to IPv6 addresses
- CNAME records = map name to another name
- standard DNS queries/responses typically use UDP 53
- only uses TCP 53 above 512 bytes
- devices save DNS server's response to local DNS cache
- "ipconfig /displaydns" --> Windows view DNS cache
- "ipconfig /flushdnp" --> Windows clear DNS cache
- "show hosts" --> shows cached name/IP mappings (Cisco IOS)
- Host file = alternative to DNS (manually configured)
- router will forward traffic to DNS
- sometimes router is DNS server (not common but the commands are for this)
- Config DNS:
- "ipconfig /all" --> verify IP parameters Windows (also see DNS server)
- "nslookup youtube.com" --> name server lookup (find IP and info on a site) Windows (see DNS server)
- Config Router to be DNS server:
- "ip dns server" --> config router to act as DNS server
- "ip host " --> config list of devices/IP mappings
- "ip name-server 8.8.8.8" --> config external server for router to use if a site is not in its table
- "ip domain lookup" --> enable router to perform DNS queries (enabled by default)
- "ip domain-lookup" --> old command, still works
- if router doesn't have ip for the site you want, it acts as DNS client and asks another server
- "show hosts" --> shows cached name/IP mappings (Cisco IOS)
- Config Router to be DNS client:
- "ip name-server 8.8.8.8" --> config R1 to use google's DNS server
- "ip domain lookup" --> enable R1 to perform DNS queries (default on)
- "ip domain name wizardnotes.com" --> optional, config default domain name
- router needs no config to forward DNS queries to servers externally
DHCP
DHCP (Dynamic Host Configuration Protocol):
- Purpose of DHCP:
- allow hosts to automatically and dynamically learn network config (IP, netmask, DNS server, default G)
- used for host devices
- routers, servers, etc... (usually) need to be manually configured, NO DHCP
- router in home = DHCP server
- "ipconfig /all"
- shows if DHCP is enabled
- preferred address (if had an address before)
- shows Lease Obtained & Lease Expires
- default gateway, DHCP server, DNS server = home router
- "ipconfig /release" --> release IP address
- DHCP servers = UDP 67
- DHCP clients = UDP 68
- Basic Functions of DHCP:
- "ipconfig /renew" --> get new IP
- 4 message exchange:
1) DHCP discover message: client asks if there are DHCP servers, need IP
- client --> server
- broadcasts MAC FFFF
- src: UDP 68, dst: UDP 67
- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
2) DHCP offer message: DHCP server offers IP, default gateway, DNS server to client
- server --> client
- unicast (knows client's MAC)
- src: UDP 67, dst: UDP 68
- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
- can send Unicast or Broadcast (would make message FFFF MAC)
- client requested Unicast in discover message, that's why
- lease time, DNS server, router (default gateway)
3) DHCP request message: confirm wanting to use IP offered
- client --> server
- broadcasts MAC FFFF
- src: UDP 68, dst: UDP 67
- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
4) DHCP Ack: confirms client can use IP
- server --> client
- unicast (knows client's MAC)
- src: UDP 67, dst: UDP 68
- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
- can send Unicast or Broadcast (would make message FFFF MAC)
- client requested Unicast in discover message, that's why
- release message: client to server unicast
- Config DHCP in Cisco IOS:
- Router as DHCP server:
- "ip dhcp excluded-address " --> optional, specify range of excluded IPs
- "ip dhcp pool " --> create pool of addresses
- separate pool for each network the router is a DHCP server for
- "network " --> enable router as DHCP server for this net.
- "dns-server 8.8.8.8" -- > config DNS server that clients will use (google's in this case)
- "domain-name " --> config domain name for network
- "default-router " --> config
- "lease 0 5 30" --> 0 days, 5 hours, 30 min ("lease infinite" is possible)
- "show ip dhcp binding" --> shows all DHCP clients currently assigned IP addresses
- Router as DHCP relay agent:
- forward clients' broadcast DHCP messages to remote DHCP server as unicast messages
- "interface g0/1" --> specify interface connected to subnet of client devices
- "ip helper-address " --> config relay (note: devices must have route to DHCP serv.)
- "show ip int g0/1" --> see config
- Router as DHCP client:
- rare, usually routers need to be servers or relay agents
- "int g0/1" --> int connected to device
- "ip address dhcp" --> enable client mode
SNMP
SNMP (Simple Network Management Protocol):
- ** Explain SNMP (Exam topics)
- SNMP Overview:
- SNMP Agent listen for messages on: UDP 161
- SNMP Manager listen for messages on: UDP 162
- industry standard protocol
- 2 devices in SNMP:
1) Managed Devices: devices being managed (routers, switches, ...)
- made up of 2 things:
1) SNMP Agent: SNMP software that runs on device
2) MIB (Management Information Base): structure containing variables managed by SNMP
- each variable has OID (object id)
- organized in hierarchical structure
2) NMS (Network Management Station): device(s) managing devices above
- NMS = SNMP server
- made up of 2 things:
1) SNMP Manager: software on NMS interacting with managed devices
2) SNMP application: interface the network admin uses to interact w NMS
- 3 operations used in SNMP:
1) managed devices notify NMS of events
2) NMS can ask devices for info about their status
3) NMS can tell devices to change their configs
- SNMP Versions:
- v1, v2c (allows NMS to retrieve more info per request), v3 (encryption & authentication)
- SNMP Messages:
- Read: request sent by NMS to read config/status of devices
- Get, GetNext, GetBulk
- Write: request sent by NMS to change config/status of devices
- Set
- Notification: sent from managed devices to NMS as alerts
- Trap (unreliable), Inform (reliable)
- Response: sent in response to previous message/request
- Response
- SNMP Config:
- "snmp-server contact setup SNMP Agent
- "snmp-server community setup SNMP Agent
- ..........
Syslog
Syslog:
- Overview:
- industry standard protocol for message logging
- log network events
- messages you get after configuring anything = Syslog messages
- Syslog & SNMP monitor & troubleshoot devices
- Syslog Message Format:
- sequence-num: time stamp: %facility-severity-MNEMONIC:description
- facility = value that indicates which process generated this message (OSPF, LINK, SYS, etc)
- severity = how serious something is
- MNEMONIC = code for message, indicates what happened (UPDOWN, CLOCKUPDATE, etc)
- description = details of everything that happened
- Syslog Facilities & Severity Levels:
- severity levels:
0) Emergency
- system is unusable
1) Alert
- action must be taken immediately
2) Critical
3) Error
4) Warning
5) Notice/Notification
- notification (significant condition)
6) Informational
7) Debugging
- Every Awesome Cisco Engineer Will Need Icecream Daily
- Syslog Logging Locations:
- Console line: in CLI connected to console port
- VTY lines: in CLI when connected to SSH/Telnet
- disabled by default
- Buffer: RAM
- "show logging"
- External server:
- listens for Syslog messages on UDP 514
- Syslog Config (Not in Exam Topics):
- "logging console 6" --> enables logging for levels 0-6 in severity
- "logging monitor informational" --> enables logging for levels 'informational' and more severe
- "logging buffered "
- logging to external server:
- "logging "
- "logging host "
- "logging trap "
- "terminal monitor" --> must be used everytime connecting to device via Telnet/SSH on router
- "line console 0"
- "logging synchronous" --> new line printed if typing is interrupted by message
- "show ip int"
- service timestamps:
- "service timestamps log "
- service sequence numbers:
- "service sequence-numbers"
- Syslog vs SNMP:
- SNMP can actively pull info from devices (NMS SNMP GET message) & actively modify (SET message)
- Syslog: retreive & organize info about SNMP managed devices
SSH
SSH (Secure SHell): remotely connect to devices
- Console Port Security:
- physically connecting to console port, can use password (default none)
- "line console 0" --> enter console line mode - because there's only a single console line, always 0
- "password ccna" --> config password
- "login" --> tells device to require users to enter password when logging in via console port
- can also make separate users with unique passwords
- "username jeremy secret ccnp" --> create username & secret
- "line console 0"
- "login local" --> tells device to require user login with a username & password
- config timer to logout after no activity:
- "exec-timeout "
- Layer 2 Management IP Address:
- IP addresses for switches SVI so they can be configured remotely
- "interface vlan 1"
- "ip address "
- "no shutdown"
- "ip default-gateway " --> allows switch to communicate outside of LAN
- Telnet:
- passwords are displayed in plain text --> can see in packet captures
- TCP 23 (device connecting listens on this port)
- "enable secret ccna"
- "username jeremy secret ccna"
- "access-list 1 permit host " --> config ACL to limit which devices can connect to VTY lines
- * VTY = Virtual TeleType
- "line vty 0 15" --> allowing 15 users to connect at once (0-16)
- "login local" -->
- "exec-timeout 5 0"
- "transport input telnet"
- alternatives: "transport input telnet ssh" --> allows both - "all" | "none" --> also options
- "access-class 1 in" --> applies ACL to the VTY lines (only allow certain hosts to access Telnet/SSH)
-* applying an ACL to an interface = "ip access-group"
- SSH:
- v1 & v2
- if device supports both v1 & v2, said to be 'v1.99'
- supports encryption and authentication
- TCP 22
- "show version"
- IOS versions that support SSH have 'K9' in the version name
- Cisco exports NPE (Non Payload Encryption) IOS versions to countries with encryption restrictions
- NPE IOS images don't support cryptographic features such as SSH
- "show ip ssh" --> show version and info on ssh
- SSH uses RSA public & private key to encrypt, decrypt & authenticate
- "ip domain name " --> FQDN (Fully Qualified Domain Name) used to name RSA keys
- FQDN = host name + domain name --> ex: SW1.youtube.com
- "crypto key generate rsa " --> enable SSH w RSA keys
- key-length must be 768 bits or greater for SSHv2
- config SSH:
- "enable secret ccna"
- "username jeremy secret ccna"
- "access-list 1 permit host " --> config ACL to limit which devices can connect to VTY lines
- "ip ssh version 2"
- "line vty 0 15" --> allowing 15 users to connect at once (0-16)
- "login local" --> enable local user authentication
- "exec-timeout 5 0"
- "transport input ssh"
- "access-class 1 in" --> applies ACL to the VTY lines (only allow certain hosts to access Telnet/SSH)
- overall steps:
- config host name
- config DNS domain name (FQDN)
- generate key pair
- enable password/username
- enable sshv2 only
- config VTY lines
- apply ACL
********* practice configuring SSH, it's in exam
FTP
FTP & TFTP:
- Purpose of FTP/TFTP:
- client-server model (copy files to and from server)
- download new version of OS to upgrade a network device
- FTP/TFTP Functions & Differences:
- TFTP:
- only copy to and from server
- no authentication, no encryption
- UDP 69
- provides reliability (built into TFTP):
- lock-step communication:
- every TFTP data message is Acknowledged
- timers are used (resend if late)
- (send message, wait for reply, repeat...)
- not as efficient as FTP but works
- 3 phases of connection:
1) Connection:
- TFTP client sends request to server
- server responds & initiates connection
2) Data Transfer:
- client & server exchange TFTP messages
- one sends, other acknowledges
3) Connection Termination:
- after last data message, final Ack to terminate
- FTP:
- TCP 20 & 21
- 21: control, send FTP commands & replies
- client initiates
- 20: data, send FTP data
- Active mode: server initiates (default)
- Passive mode: client initiates (if client firewall)
- authentication (username & password)
- FTPS (TFP over SSL/TLS) Upgrade to FTP
- SFTP --> new protocol
- clients can navigate, add, remove file directories
- IOS File Systems:
- transfering files to a Cisco device with FTP
- "show file systems"
- Cisco 'disk' = flash memory (usually)
- Cisco 'opaque' = used for internal functions
- Cisco 'nvram' = persistent RAM, startup-config here
- Cisco 'network' = external file systems (ex: FTP/TFTP)
- * filesystem types NOT on exam topics
- Using FTP/TFTP in IOS:
- "show version" --> K9 = support cryptographic features
- "show flash" --> see flash memory (OS image)
- "copy tftp: flash:" --> TFTP copy file
- "" --> enter TFTP server address
- "" --> enter file name on server (know b4)
- "" --> enter name to save on router
- "boot system " --> set OS upgrade as boot with filepath
- "write" --> save config before rebooting
- "reload" --> restart device
- "delete " --> delete old OS file
- FTP setup:
- "ip ftp username "
- "ip ftp password "
- Uname & Pwd must be same on Server side
- "copy ftp: flash:" --> FTP copy file
- all other commands Same as above