Cisco Exploration 2,3 & 4

CHAPTER-5-Exploration3-Thurs/Fri-MT/KG

mjlilley — Wed, 26 May 2010 04:24:13 +0000

CHAPTER-5-Exploration3-Thurs/Fri-MT/KG

5.1.1 Redundancy

Redundancy in a hierarchical network

Layer 2 redundancy improves availability of network by using alternate network paths.
In a hierarchical design, redundancy is at distribution and core layers.

5.1.2 Redundancy Issues

Layer 2 Loops

If there are multiple paths between two devices and STP is disabled a Layer 2 loop can occur.
STP is enabled on switches by default (no Layer 2 loop).
Ethernet frames = no TTL.
If broadcast frames are forwarded out more than one path it can result in an endless loop.
This process repeats until loop is broken or power turned off.
Loops = high CPU load and slow performance.
Hosts caught in network loops are not accessible to other hosts on network.
As more and more frames end up looping on network, broadcast storm occurs.

Broadcast Storms

Is caused by so many frames caught in Layer 2 loop all available bandwidth is consumed.
Broadcast storms are inevitable on looped network.
Because broadcast traffic is forwarded out every port on switch, end devices can malfunction because of high CPU requirements for sustaining high traffic load.
Broadcast storm can develop in seconds.

Duplicate Unicast Frames

Unicast frames sent onto looped network = duplicate frames arriving at destination device.
Switches are capable of detecting loops on network via Spanning Tree Protocol (STP).

Real World Loops

Loops from 2 connections to the same switch.
Loops from a connection on a 2^nd switch on same network.
Loops from 2 interconnected hubs.

5.2.1 Spanning Tree Algorithm

STP Topology

STP ensures only one logical path between all destinations on network.
STP intentionally blocks redundant paths that could cause loops. (not BPDU’s)
Bridge Protocol Data Unit frames are used by STP to prevent loops.
STP recalculates paths and unblocks necessary ports to allow redundant path to be active.

STP Algorithm

Spanning Tree Algorithm (STA) determines which switch ports on network are configured for blocking to prevent loops.
STA designates 1 switch as “root bridge” and uses it as reference point for path calculations.
All switches in STP exchange BPDU frames to determine which has lowest bridge ID (BID).
Lowest BID automatically becomes “root bridge” for STA calculations.
BID contains:
- Priority value
- MAC address of sending switch
- Optional extended system ID.
- Lowest BID value is determined by combo of fields.

After root bridge has been determined STA calculates shortest path to root bridge.
Each switch uses STA to determine which ports to block.
All traffic is prevented while STA determines best paths to root bridge from all destinations.
STA considers both path and port costs when determining which path to leave unblocked.
Path costs = sum of port cost values (port speeds) for each port along given path.
When STA finds which paths left available, configures switch ports into distinct port roles.
Root ports: Switch ports closest to root bridge.
Designated ports: All non-root ports still permitted to forward traffic on network.
Non-designated ports: All ports configured to be in blocking state to prevent loops.

The Root Bridge

Serves as reference point for spanning-tree calculations to find which redundant paths to block.

BID

After switch boots, it sends out BPDU’s containing switch BID and root ID every 2 seconds.
Default = root ID matches local BID for all switches on network.
Initially, each switch identifies itself as root bridge after bootup.
As switches forward their BPDU’s, adjacent switches in broadcast domain read the root ID info from BPDU.
If root ID from BPDU received is lower than root ID on receiving switch, this switch updates its root ID identifying other switch as root bridge.
Switch then forwards new BPDU’s with lower root ID to other adjacent switches.

Best Paths to the Root Bridge

Default port costs:
- 10-Gb/s Ethernet = 2
- 1-Gb/s Ethernet = 4
- 100-Mb/s Fast Ethernet = 19
- 10-Mb/s Ethernet = 100

To configure port cost of an interface, enter range value between 1 and 200,000,000.

5.2.2 STP BPDU

BPDU Fields

BPDU frame contains 12 fields used to convey path and priority info that STP uses to determine root bridge and paths to root bridge.
First 4 fields identify:
- Protocol
- Version
- message type
- status flags
- Next 4 fields identify:
  - root bridge
  - cost of path to root bridge
  - Last 4 fields are timer fields that determine:
    - frequency BPDU messages are sent
    - how long info received via BPDU process is retained.
    - BPDU message is encapsulated in Ethernet frame when transmitted across network.

BPDU Process

Each switch maintains local info about own BID, root ID, and path cost to root.
Switches receive BPDU frames and compare root ID from frame with local root ID.
Messages serve to indicate new root bridge on network.
Path cost updated to indicate how far away root bridge is.
If local root ID is lower than root ID received in BPDU frame, frame is discarded.
Each switch in spanning tree uses its path costs to identify best possible path to root bridge.
Priority is initial deciding factor when choosing root bridge.
If priority of all switches same, MAC address is deciding factor.

5.2.3 Bridge ID

BID Fields

BID field of BPDU frame contains 3 separate fields used during the root bridge election:
- bridge priority
- extended system ID
- MAC address.

Bridge Priority

Customizable value used to influence which switch becomes root bridge.
Switch with lowest priority (lowest BID) becomes root bridge.
Default value for priority of all Cisco switches = 32768.
Priority range = 1 to 65536 (1 is highest priority)

Extended System ID

Can be omitted in BPDU frames in certain configs.
Field contains ID of VLAN with which BPDU is associated.
When extended system ID is used, it changes # bits available for bridge priority value.
Increment for bridge priority value changes to multiples of 4096.

MAC Address

If 2 switches have same priority and extended system ID, lowest MAC address wins!
Recommended to configure desired root bridge lower priority to ensure it elected.
If new switches added to network, it does not trigger a new spanning-tree election.

5.2.4 Port Roles

Port Roles

Location of root bridge determines how port roles are calculated.
4 port roles are auto-configured during spanning-tree process.

Root Port

Exists on non-root bridge switches and is port with best path to root bridge.
Source MAC address of frames received on root port can populate MAC table.
Only one root port is allowed per bridge.

Designated Port

Exists on root and non-root bridges.
On root bridges, all switch ports are designated ports.
On non-root bridges, designated port receives and forwards frames toward the root bridge.
Only one designated port is allowed per segment.
If multiple switches exist on segment, election determines designated switch.
Designated ports can populate MAC table.

Non-designated Port

Blocked switch port that does not forward data frames or populate MAC address table.
AKA alternate port.
Non-designated ports prevent loop from occurring.

Disabled Port

Is administratively shut down.
Does not function in spanning-tree process.

More on Port Roles

STA determines which port role is assigned to each switch port.
Switch port with lowest overall path cost to root is auto assigned root port role.
All switches using spanning tree, except for root bridge, have only 1 root port defined.
If 2 switch ports have same path cost to root bridge and lowest path costs on switch, switch determines root port via lowest port ID (interface ID of switch port
Port F0/1 has a lower port ID than F0/2.

Configure Port Priority

Values range from 0 – 240, in increments of 16. (default = 128).

Port Role Decisions

Switch determines in order:
- Root port role
- designated port roles
- non-designated roles.

Root bridge auto configures all of its switch ports in designated role.

Verifying Port Roles and Port Priority

To verify port roles / priorities, use “show spanning-tree”.

5.2.5 STP Port States & BDPU Timers

To facilitate learning of logical spanning tree, each switch port transitions through 5 port states and 3 BPDU timers.
Spanning tree determined immediately after switch is finished booting up.
If switch port transitioned directly from blocking to forwarding state, port may create loop.

Blocking:
- Non-designated port and does not participate in frame forwarding.
- Port receives BPDU frames to determine who root bridge is and port roles switches play.
- Listening:
  - STP has found that port can participate in frame forwarding.
  - Port receives /transmits i own BPDU frames to tell switches that switch port is preparing to participate in active topology.
  - Learning:
    - Prepares to participate in frame forwarding and populates MAC address table.
    - Forwarding:
      - Forwards frames and sends/receives BPDU frames.
      - Disabled:
        
        State is set when switch port is administratively disabled.

PORT STATES

PortFast (Cisco technology)

Configured as access port
Port transitions from blocking to forwarding state immediately.
PortFast = “spanning-tree portfast”

5.3.1 STP Convergence

1. Elect a Root Bridge

2. Elect the Root Ports

3. Elect the designated/non designated Ports

5.3.5 STP Topology Change

STP Topology Change Notification Process

Topology change detected when port that was forwarding is going down or when port transitions to forwarding and the switch has designated port.
When change is detected, switch tells root bridge, then bridge broadcasts info to network.
Normally root port is for receiving updates only – not sending
When switch needs to signal topology change, it sends TCNs on its root port.

Broadcast Notification

Switches receive topology change BPDUs on both forwarding and blocking ports.
TC bit is set by t root for (max age + forward delay seconds)
OR 20+15=35 seconds by default.

5.4.1 STP Variants

Per VLAN Spanning Tree
Per VLAN Spanning Tree Plus
Rapid Spanning Tree Protocol
Multiple Spanning Tree Protocol

5.4.2 PVST+

Network can run an STP instance for each VLAN in network.
More than 1 trunk can block for VLAN and load sharing can be used.
Switch ports have to accommodate more bandwidth.
Tune spanning-tree parameters so half VLANs forward on each uplink trunk.
Configure 1 switch to be elected root bridge for half VLANs in network and 2nd switch root bridge for other half of VLANs.

PVST+ Bridge ID

Original 802.1D standard = 8-byte BID (2-byte bridge priority & 6-byte switch MAC address)
PVST+ requires separate instance of spanning tree run each VLAN.
PVST+ = 8-byte BID field (4 bits bridge priority field & 12-bit field extended system ID field & 6-byte switch MAC address)
BID = Priority + VLAN + MAC Address

5.4.3 RSTP

IEEE 802.1w is an evolution of 802.1D.
RSTP defines port states as discarding, learning or forwarding.
RSTP does not have blocking ports

RSTP Characteristics

Speeds recalculation of spanning tree when Layer 2 network topology changes.
RSTP can achieve convergence in as little as few hundred milliseconds.
Preferred protocol for preventing Layer 2 loops in switched network environment.
UplinkFast and BackboneFast, are not compatible with RSTP.
RSTP (802.1w) is backward compatible.
RSTP can confirm that port can safely transition to forwarding state without rely on timers.

5.4.4 Edge Ports

Switch port never intended to be connected to another switch device.
It immediately transitions to the forwarding state when enabled.
RSTP edge port that receives BPDU loses its edge port status immediately and becomes normal spanning-tree port.

5.4.5 Link Types

Non-edge ports:
- Full duplex = point-to-point
- Half duplex = shared

5.4.6 RSTP Port States

An RSTP topology change causes transition in appropriate switch ports to forwarding via explicit handshakes or proposal and agreement process and synch.
With RSTP role of port is separated from state of port.

RSTP Port Roles

Port roles and port states are able to transition independently of each other.
This allows RSTP to define standby switch port before failure or topology change.
- Root Port : Same as STP.
- Designated Port : Same as STP.
- Alternate Port : Discards if stable or changes to designated if path fails.

RSTP Proposal and Agreement Process

In IEEE 802.1D STP port must wait 2 x forward delay before transitioning port to forwarding state.
RSTP speeds up recalculation because it converges on link-by-link basis.
Rapid transition to forwarding state can only be achieved on edge ports and point-to-point links.

5.4.7 Configuring RapidPVST+

Cisco implementation of RSTP.
Supports spanning tree for each VLAN.
Rapid STP variant used in Cisco-based networks.
Rapid-PVST+ commands control configuration of VLAN spanning-tree instances.
ST instance is created when interface is assigned to VLAN and removed when last interface is moved to another VLAN.
Configure STP switch and port parameters before ST instance is created.
At least 1 switch on each loop in VLAN should be running ST, or broadcast storm can result.
Cisco 2960 supports PVST+, rapid-PVST+ and MSTP, but only 1 version can be active for all VLANs at any time.

5.4.8 Design ST for Trouble Avoidance

Know Where the Root Is

Primary function of STA is to break loops that redundant links create in bridge networks.
Perform most important part of troubleshooting before problem occurs.
Do not leave it up to STP to decide which bridge is root.
For each VLAN, identify which switch can best serve as root.
Choose powerful bridge in middle of network.
Reduce distance from clients to servers and routers.

Plan organization of redundant links.
In non-hierarchical networks tune STP cost to choose which ports to block.

For each VLAN, know which ports should be blocking in stable network.
Have network diagram that shows each physical loop and which blocked ports break loops.
Know location of redundant links to identify accidental bridging loops and cause.

Minimize the Number of Blocked Ports

1 blocking port that mistakenly transitions to forwarding can screw network.
Limit risk of STP and reduce # blocked ports as much as possible.

VTP Pruning

No need for more than 2 redundant links between 2 nodes in switched network.
Prune any VLAN that you do not need off your trunks.

Manual Pruning

VTP pruning can help, but this feature is not necessary in the core of the network. In this figure, only an access VLAN is used to connect the distribution switches to the core. In this design, only one port is blocked per VLAN. Also, with this design, you can remove all redundant links in just one step if you shut down C1 or C2.

Use Layer 3 Switching

To route approximately at speed of switching.
Layer 3 Switches:
- Build a forwarding table. (routing protocols)
- Receives/forwards packets to correct interface.
- Faster packet switching than Routers
- LANs/VLANs are no longer bridged, so there is no possibility for loop.

Keep STP Even

Do not disable STP; it is not very processor intensive.
Keep Traffic off Administrative VLAN.
Do Not Have 1 VLAN Span Entire Network
Try to segment bridging domains using high-speed Layer 3 switches.
From Cisco IOS 12.1(11b)E, VLAN 1 can be removed from trunks.

5.4.9 Troubleshoot STP

No systematic procedure to troubleshoot an STP issue.
Explore path being taken by traffic that is experiencing problem.
In-band access may not be available during bridging loop
Out-of-band access via console may be required.

Before troubleshooting bridging loop, know:
- Topology of the bridge network
- Location of the root bridge
- Location of the blocked ports and the redundant links

PortFast Configuration Error

Enable PortFast only for port or interface that connects to host.
If looped traffic is very intensive, switch has trouble transmitting BPDU that stops loop.
If switch with lower bridge priority than current root bridge attaches to PortFast-configured port it can be elected as root bridge leading to suboptimal network.
For prevention use BPDU guard to disable PortFast-configured interface if it receives BPDU.

Network Diameter Issues

Age Field restricts network diameter to 7 hops.
This issue affects convergence of spanning tree.
Take special care if planning to change STP timers from default value.

CHAPTER-6-Exploration3-Thurs/Fri-MT/KG

mjlilley — Wed, 26 May 2010 04:20:49 +0000

CHAPTER-6-Exploration3-Thurs/Fri-MT/KG

6.1.1 Inter-VLAN Routing

Introduction

Process of forwarding network traffic from one VLAN to another VLAN using router.
Traditionally, LAN routing has used routers with multiple physical interfaces. Each interface needed to be connected to a separate network and configured for a different subnet.

Traditional VLAN Routing

Uses multiple VLANs to segment network traffic into logical broadcast domains.
Connect different physical router interfaces to different physical switch ports.
Switch ports connect to router in access mode.
Static VLANs assigned to each router interface
Switch interfaces assigned to different static VLAN.
Router interface accepts traffic from VLAN associated with connecting switch interface.
Traffic can be routed to other VLANs connected to other interfaces.
Requires multiple physical interfaces on both router and switch.

“Router-on-a-stick”

Type of router config that allows single physical interface to route traffic between multiple VLANs.
Router interface configured to operate as trunk link.
Router interface connected to switch port configured in trunk mode.
Router accepts VLAN tagged traffic on trunk interface from switch and internally routes between VLANs using sub-interfaces.
Router forwards VLAN tagged traffic out the same physical interface.

Subinterfaces

= multiple virtual interfaces associated with 1 physical interface.
Configured in software on router.
Configured with IP address to operate on specific VLAN.

6.1.2 Interfaces & Sub-Interfaces

Using the Router as a Gateway

Router has each of its physical interfaces connected to unique VLAN.
Each interface configured with IP address for subnet associated with particular VLAN.
Network devices can use router as gateway to access devices connected to other VLANs.
Source device determines if destination device is local or remote to local subnet.
# of VLANs is limited to physical hardware limitations of router.

Sub-Interfaces

Virtual subinterfaces and trunk links are used.
Subinterfaces are software-based virtual interfaces that are assigned to physical interfaces.
Each subinterface is configured with own IP address, subnet mask and unique VLAN #.
This allows 1 physical interface to simultaneously be part of multiple logical networks.
If using router-on-a-stick, interface of router must be connected to trunk link on switch.
Each subinterface is assigned IP address specific to subnet it is part of.

Port Limits

Subinterfaces allow router scalability to accommodate more VLANs.

Performance

Physical interfaces have better performance when compared to using sub-interfaces.
Traffic being routed competes for bandwidth on single physical interface.
Subinterfaces are configured on multiple physical interfaces to balance traffic load.

Access Ports and Trunk Ports

Traditional inter-VLAN routing requires switch ports be configured as access ports.
Subinterfaces require switch ports configured as trunk port to accept VLAN tagged traffic.

Cost

Less $$$ to.
Consumes less switch ports on network using subinterfaces.

Complexity

Using subinterfaces results in less complex physical configuration.
Easier to troubleshoot physical connections.
Using subinterfaces with trunk port = more complex software configuration.
Harder to troubleshoot software issues.

6.3.1 Switch configuration Issues

When using traditional routing for inter-VLAN routing, ensure switch ports that connect to router interfaces are configured on correct VLANs.
Incorrect access mode or VLAN assignments.
Lack of redundant links or devices.

6.3.2 Router configuration Issues

Common inter-VLAN router config errors is connect router interface to wrong switch port.
Incorrect sub-interface assignments.

6.3.3 IP Addressing Issues

If PCs are configured with incorrect subnet mask info, it may determine other hosts are on local subnet and will not send packets to router for inter VLAN routing.

CHAPTER-7-Exploration3-Thurs/Fri-MT/KG

mjlilley — Wed, 26 May 2010 04:18:07 +0000

CHAPTER-7-Exploration3-Thurs/Fri-MT/KG

7.1.1 Wireless

Why have Wireless LANs become so popular?

Business networks are evolving to support mobility.
Most important infrastructures is WLAN.
Important benefit of wireless is reduced costs.

Wireless LANs

WLAN is an extension of Ethernet LAN.

Comparing a WLAN to a LAN

2 dominant 802 working groups:
- 802.3 Ethernet
- 802.11 wireless LAN
- Issues:
  - Wireless security
  - Wireless NICs kill battery life.

7.1.2 Wireless LAN Standards

802.11 wireless LAN = IEEE standard.
802.11 was first released, 1 – 2 Mb/s data rates in 2.4 GHz band.
IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and draft 802.11n.
802.11a/g support up to 54 Mb/s
802.11b supports up to max 11 Mb/s
4^th WLAN draft, 802.11n supports 200 Mb/s+
Data rates of different WLAN standards are affected by “modulation technique”.
Direct Sequence Spread Spectrum (DSSS)
Orthogonal Frequency Division Multiplexing (OFDM) OFDM will have faster data rates
DSSS is simpler and less expensive to implement.

802.11a

OFDM modulation technique and 5 GHz band.
Less likely to experience interference than devices in 2.4 GHz (fewer consumer devices higher) Frequencies allow for use of smaller antennas.
5 GHz band frequency radio waves are more easily absorbed by obstacles.
Has slightly poorer range than either 802.11b or g.
Some countries do not permit the use of the 5 GHz band.

802.11b and 802.11g

802.11b = data rates of 1, 2, 5.5 and 11 Mb/s in 2.4 GHz ISM band (DSSS).
802.11g = higher data rates of 6, 9, 12, 18, 24, 48, and 54 Mb/s in 2.4 GHz ISM band (OFDM).
IEEE 802.11g also uses DSSS for backward compatibility with IEEE 802.11b systems.
Devices in 2.4 GHz band have better range than 5GHz band.
Transmissions in this band are not as easily obstructed as 802.11a.
Many consumer devices also use 2.4 GHz band and cause interference.

802.11n

IEEE 802.11n standard improves WLAN data rates/range without more power or RF band.
Uses multiple radios and antennae at endpoints.
Antennas broadcast on same frequency (multiple streams).
MIMO (multiple input/multiple output) splits high data-rate stream into multiple lower rate streams and broadcasts simultaneously over radios and antennae.
Max data rate of 248 Mb/s using two streams.

Wi-Fi Certification

Provided by Wi-Fi Alliance
Standards ensure devices made by different manufacturers work together.
3 orgs influencing WLAN standards:
- ITU-R regulates allocation of RF bands.
- IEEE specifies how RF is modulated to carry info.
- Wi-Fi ensures that vendors make devices that are interoperable.

IEEE 802 is managed by IEEE 802 LAN/MAN Standards Committee (LMSC).
Dominant standards IEEE 802 family are 802.3 Ethernet, 802.5 Token Ring and 802.11 Wireless LAN.

7.1.3 Wireless Infrastructure Components

Wireless NICs

Building blocks of WLAN:
- client stations
- access points
- network infrastructure
- wireless NIC

Wireless NIC uses modulation technique to encode data stream onto an RF signal.

Wireless Access Points

Connects wireless clients to wired LAN.
Client devices do not usually communicate directly with each other.
Client devices communicate with an AP.
AP converts TCP/IP data packets from 802.11 frame format to 802.3 Ethernet frame format.
In an infrastructure network clients associate with an AP to obtain network services.
Association = process of how client joins an 802.11 network.
An AP is Layer 2 device that works like a hub.
RF is shared medium and access points hear all radio traffic.
Devices that want to use medium fight for it.
Radio devices do not detect collisions.
WLAN devices are designed to avoid collisions.

CSMA/CA

AP’s use distributed coordination function (DCF) known as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).
Devices on WLAN sense medium for energy and wait until medium is free before sending.
When access point receives data from client, it sends an ack to client saying “hey you, yeah you, I got your stupid data don’t bother sending it again… its crap!”

Click the Hidden Nodes button in the figure.

RF signals lose their energy as they move away from point of origin.
If 2 clients that connect to same AP and are at opposite sides of its reach, they will not be able to sense each other on medium and transmitting simultaneously. (hidden node)
By using request to send/clear to send feature, it allows negotiation between client and AP.
RTS/CTS allows AP’s to allocate medium to node until it completes transmission.
When transmission is complete, other stations can request channel in same way.

7.1.4 Wireless Operation

Configurable Parameters for Wireless Endpoints

When AP is configured to allow 802.11b and 802.11g clients, it is operating in mixed mode.
For AP to support 802.11a and 802.11b/g, it must have 2nd radio to work in RF band.
Shared service set identifier = unique identifier clients use to distinguish multiple networks. Multiple AP’s on network can share an SSID.
2.4 GHz band is broken down numerous channels.
Channels have centre frequency separation of 5 MHz and bandwidth of 22 MHz.
Overlap between successive channels.
WLANs that require multiple access points use non-overlapping channels.
APs can auto select channel based on adjacent channel use.

802.11 Topologies

Building block of IEEE 802.11 WLAN architecture is basic service set (BSS).
BSS = group of stations that communicate with each other.

Ad hoc Networks

Wireless networks can operate without access points (ad hoc).
Ad hoc clients configure wireless parameters between themselves.(independent BSS (IBSS))

Basic Service Sets

AP’s provide infrastructure that adds services and improves range for clients.
Coverage area for IBSS and BSS is basic service area (BSA).

Extended Service Sets

When BSS has insufficient RF coverage, joined 1 or more via common distribution system to form extended service set (ESS).
In an ESS, a BSS is differentiated from another by BSS identifier (AP MAC address)
Coverage area = extended service area (ESA).

Common Distribution System

Allows multiple APs in an ESS to appear to be single BSS.
ESS includes common SSID to allow user to roam from AP to AP.
Cell = coverage area of single channel.
ESS should have 10 – 15 % overlap between cells in ESA.
With 15 % overlap of cells, an SSID and non-overlapping channels roaming is created.

Client and Access Point Association

Connecting to a WLAN:
- Beacons – Frames used by WLAN network to advertise itself.
- Probes – Frames used by WLAN clients to find networks.
- Authentication – A process required to logon to network.
- Association – Establishing data link between AP and WLAN client.

Beacon allows clients to learn which networks and AP’s are available in a given area.
Frames for probing, authentication and association are used only during those processes.

802.11 Join Process (Association)

Probing:
- Clients sends probe request out on multiple channels.
- Probe request specifies SSID and bit rates.
- If client is discovering available networks, it sends out probe request with no SSID.
- AP’s with broadcast SSID feature enabled respond to this type of query.

Authentication:
- NULL authentication = client asks “authenticate me” and AP responds with “yes.”
- Shared key authentication = based on Wired Equivalency Protection (WEP) key that is shared between client and AP.
- Client sends an auth request to AP.
- AP sends challenge text to client.
- Client encrypts message using shared key and sends back to AP.
- AP decrypts encrypted text using its key.
- If texts match then AP authenticates client.
- Using same WEP key in encryption and authentication process provides attacker with ability to extract and access info sent over link.

Association:
- Finalizes security/bit rate options and starts data link between AP and client.
- Client learns BSSID (AP MAC address), and AP maps logical port (AID) to client.
- Now traffic can flow between AP and client.

7.1.5 Planning Wireless LAN

Requires careful planning.
Need well-documented plan before implementing
# of users depends layout of facility, expected data rates, use of non-overlapping channels and transmit power settings.
Position APs above obstructions.
Locate APs vertically near ceiling in centre of each coverage area.
Locate APs where users are expected to be.
Always consult AP specs when planning coverage areas.
Place APs on floor plan so coverage circles overlap.

7.2.1 Threats to Wireless Security

Unauthorized Access

Security is #1 priority for people who use/administer networks.
Harder to keep wired network secure with attached wireless network.
With wireless NIC and cracking techniques, hackers need not be on property to attack.
Unauthorized access:
- War drivers
- Hackers (Crackers)
- Employees

“War driving” = driving around area with wireless laptop looking for unsecured system.

Rogue Access Points

AP placed on WLAN to interfere with normal network operation.
If configured with correct security settings, rogue AP can access client data.
Rogue AP can provide unauthorized users with info or gain access to servers and files.
Rogue AP may be installed by employees without authorization.

Man-in-the-Middle Attacks

Attackers select host as target and put themselves between target and router/gateway.
Radio signals from stations and Aps can be heard by any wireless device in BSS.
APs act like Ethernet hubs so each NIC in BSS hears all traffic.
Attackers can modify laptop NIC with special software so it accepts all traffic.
By identifying authenticated users, only legitimate devices can connect to WLAN.
Once legitimate users are known, monitor network for devices and illegal traffic.
Tools to guard WLANs include:
- Scanners – identify rogue access points and ad hoc networks
- Radio resource management (RRM) – monitors RF band activity and access point load.

Denial of Service

802.11b and g WLANs use unlicensed 2.4 GHz ISM band.
Attackers can use consumer devices to crowd RF band and create noise on all channels.
If attacker can turn NIC into an access point, it can flood BSS with clear-to-send (CTS) messages which defeat CSMA/CA function and cause constant stream of collisions.
Attacker can send series of disassociate commands that causes all stations in BSS to disconnect.
When stations disconnect they try to reassociate, which creates a burst of traffic.
All the above scenarios create unnecessary traffic and deprive legitimate users of access.

7.2.2 Wireless Security Protocols

Wireless Protocol Overview

Open authentication is really “no authentication”
Shared WEP keys proved to be flawed.
Cloaking SSIDs and filtering MAC addresses were also too weak.
WEP shared key encryption algorithm was easily cracked.
Scalability was problematic creating calls to technical support desks.
TKIP encryption and WiFi Protected Access (WPA) were created in interim..

Authenticating to the Wireless LAN

Networks that have strict security requirements have additional authentication/login to grant clients access to services.
Extensible Authentication Protocol (EAP) manages process.
Enterprise WLAN authentication process:
- 802.11 association process creates virtual port for each WLAN client at AP.
- AP blocks all data frames apart from)) 802.1x-based traffic.
- 802.1x frames carry EAP authentication packets via access point to Authentication, Authorization and Accounting (AAA) server running RADIUS protocol (maintains credentials).
- If EAP successful AAA server sends EAP success message to AP, which allows data traffic from client to access virtual port.
- Data link encryption between client and AP is established so no other WLAN client can access port.
- Easy for hackers to use software and modify MAC addresses attached to adapters.
- If SSID is not broadcast by AP, traffic eventually reveals SSID.
- To secure WLAN with MAC filtering and no SSID broadcasts = disaster!!.
- Use security method that has port-based network access control (WPA2).

Encryption

Temporal Key Integrity Protocol (TKIP)

Encryption method certified as WPA.
Provides support for legacy WLAN equipment.
TKIPs primary functions:
- Encrypts Layer 2 payload
- Does message integrity check (MIC) in encrypted packet. (Prevents tampering)

TKIP addresses known weaknesses of WEP.

Advanced Encryption Standard (AES)

Encryption method certified as WPA2 (preferred method)
Same functions as TKIP, but uses extra data from MAC header that allows destination hosts to see if non-encrypted bits have been messed with.
Adds sequence number to encrypted data header.
Encryption terminology:
- PSK or PSK2 with TKIP = WPA
- PSK or PSK2 with AES = WPA2
- PSK2 (no encryption specified) = WPA2

7.2.3 Securing access to a WLAN

Controlling Access to the Wireless LAN

3 step approach:
- SSID cloaking – Disable SSID broadcasts from access points.
- MAC address filtering – Tables manually entered on AP to allow/disallow clients.
- WLAN security implementation – WPA or WPA2.

Configure APs near outside walls of buildings to transmit on lower power settings.
MAC addresses are easily spoofed.
SSIDs are easily discovered even if access points do not broadcast them.

CHAPTER-4-Exploration3-Thurs/Fri-MT/KG

mjlilley — Wed, 19 May 2010 10:34:48 +0000

CHAPTER-4-Exploration3-Thurs/Fri-MT/KG

4.1.1 VTP Concepts

The VLAN Management Challenge

As # of switches +, admin needed to manage VLANs/ trunks becomes harder.

What is VTP?

Allows admin to configure switch to propagate VLAN configs to other switches in network.
Switch roles = VTP server or VTP client.
VTP only learns about normal-range VLANs (IDs 1 – 1005).
Extended-range VLANs (IDs +1005) are not supported by VTP.

VTP Overview

VTP server distributes/synchronizes VLAN info to VTP-enabled switch clients.
Minimizes problems caused by bad configs and config inconsistencies.
VTP stores VLAN configs in VLAN database (vlan.dat).

2 Switches

After trunk is established between 2 switches, VTP advertisements are exchanged.
Server and client exchange advertisements to ensure each has accurate record of VLAN info.
VTP advertisements are not exchanged if trunk between switches is inactive.

VTP Components

VTP Domain

= 1 or more interconnected switches.
Switches in domain share VLAN configs using VTP adds.
Router/ Layer 3 switch marks domain boundary.

VTP Advertisements

VTP uses hierarchy of adds to distribute/synchronize VLAN configs over network.

VTP Modes

VTP Server

Advertise VTP domain VLAN info to other VTP-enabled switches in same VTP domain.
Servers store VLAN info for entire domain in NVRAM.
VLANs can be created, deleted or renamed for domain at the server.

VTP Client

Function same way as VTP servers, but cannot create, change or delete VLANs.
VTP client only stores VLAN info for entire domain while switch is on.

VTP Transparent

Transparent switches forward adds to VTP clients and servers.
Transparent switches do not participate in VTP.
VLANs created, renamed or deleted on transparent switches are local to that switch only.

VTP Pruning

Increases network bandwidth by restricting flooded traffic to trunk links that traffic must use to reach destination devices.
Without pruning, switch floods traffic across all trunk links within VTP domain even if receiving switches discard them.

4.2.1 Default VTP Configuration

VTP automatically distributes/synchronizes domain and VLAN configs across network.
But you can only add switches that are in default VTP configuration.
If you add VTP-enabled switch configured with settings that outrank existing network VTP configs, changes (which may be difficult to fix) are automatically pushed through network.
Ensure only add switches that in their default VTP configuration.

VTP Version

Versions, 1, 2, 3.
Only one VTP version is allowed per VTP domain.
Default = VTP version 1.

Displaying the VTP Status

“show VTP status” displays … umm …VTP status. (Der Fred)

VTP Version

Displays VTP version switch is capable of running.

Configuration Revision

Current config revision number on this switch.

Maximum VLANs Supported Locally

Maximum number of VLANs supported locally.

Number of Existing VLANs

Number of existing VLANs. ( i’m beginning to see a bit of a pattern arising here …)

VTP Operating Mode

Can be server, client or transparent.

VTP Domain Name

Name that identifies admin domain for switch.

VTP Pruning Mode

Displays whether pruning is enabled or disabled.

VTP V2 Mode

Displays if VTP version 2 mode is enabled.

VTP Traps Generation

Displays whether VTP traps are sent to network management station.

MD5 Digest

A 16-byte checksum of VTP configuration.
Configuration last modified
Date and time of last config modification.
Displays IP address of switch that caused config change to database.

4.2.2 VTP Domains

VTP Domains

Allows separation of network into smaller management domains.
Limits extent config changes are propagated through network if error occurs.
Switch can only be member one VTP domain at any time.
Specify VTP domain before you create or modify VLANs on VTP server, otherwise VLAN info is not propagated over network.

VTP Domain Name Propagation

For VTP server/ client to participate in VTP network, it must be part of same domain.
When switches in different VTP domains, they do not swap VTP info.
Domain name propagation needs 3 VTP components: servers, clients and advertisements.

4.2.3 VTP Advertising

VTP Frame Structure

VTP adds distribute VTP domain name and VLAN config changes to VTP-enabled switches.

VTP Frame Encapsulation

VTP frame has header field and message field.
VTP info is inserted into data field of Ethernet frame.
Ethernet frame encapsulated as 802.1Q trunk frame.
Switches in domain send periodic adds out each trunk port to reserved multicast address.
Adds received by switches, who update VTP and VLAN configs as necessary.

VTP Frame Details

Destination MAC address

Address is set to 01-00-0C-CC-CC-CC (reserved multicast address for VTP messages).

LLC field (Logical link control field)

Contains destination and source service access point (DSAP & SSAP) set to value “AA”.

SNAP field

Sub-network Access Protocol (SNAP) field has an OUI set to” AAAA” and type set to “2003”.

VTP header field

Contents vary depending on VTP message type-summary, subset or request, but always contain:
- Domain name: Identifies administrative domain for switch.
- Domain name length: Length of domain name.
- Version: Set to VTP 1, 2 or 3
- Configuration revision number: current config revision # on this switch.

VTP message field

Varies depending on message type.

VTP Message Contents

VTP domain name

Identity of switch sending message, and time it was sent
MD5 digest VLAN config (max transmission unit (MTU) size for each VLAN)
Frame format: ISL or 802.1Q

VTP frames contain info for each configured VLAN:
VLAN IDs (IEEE 802.1Q)
VLAN name
VLAN type
VLAN state
Additional VLAN configuration info specific to VLAN type

VTP Revision Number

32-bit number that indicates the level of revision for VTP frame.
Default = zero.
Each time VLAN is added/ removed, configuration revision number is incremented.
Each VTP device tracks VTP configuration revision number that is assigned to it.
VTP domain name change does not increment revision number. (resets revision # to zero).
Config revision # determines whether config info received is more recent than version stored switch.

VTP Advertisements

Summary Advertisements

Summary adds contain VTP domain name, current revision # and other VTP config details.

Summary advertisements are sent:
- Every 5 mins by VTP server or client to inform current VTP config revision # for its VTP domain
- Immediately after a configuration has been made

Subset Advertisements

Contains VLAN info
Changes that trigger subset advertisement include:
- Creating or deleting VLAN
- Suspending or activating VLAN
- Changing the name of VLAN
- Changing the MTU of VLAN

(It may take multiple subset advertisements to fully update the VLAN information. )

Request Advertisements

When request advertisement is sent to VTP server in same VTP domain, the VTP server responds by sending a summary advertisement and then subset advertisement.
Request advertisements are sent if:
VTP domain name has been changed
Switch receives summary add with higher configuration revision number than its own
A subset add message is missed for some reason
Switch has been reset

4.2.5 VTP Pruning

Prevents unnecessary flooding of broadcast info from 1 VLAN over all trunks in domain.
Pruning allows switches to negotiate which VLANs are assigned to ports at end of trunks.
Prunes VLANs not assigned to ports on remote switch.
Disabled by default.
Use “ vtp pruning” in global config mode.
Enable pruning on only 1 VTP server switch in domain.

VTP Pruning

Flood traffic is stopped from entering trunk connection by not allowing specific VLAN traffic.

4.3.1 Configuring VTP

Always reset config revision number before installing previously configured switch into VTP domain.
Ensure that same password is set on all switches in domain, if not switches reject VTP adds.
Create VLAN after enabling VTP on VTP server. (VLANs created prior are removed)

CHAPTER-3-Exploration3-Thurs/Fri-MT/KG

mjlilley — Sat, 15 May 2010 01:23:30 +0000

CHAPTER-3-Exploration3-Thurs/Fri-MT/KG

3.1.1 Purpose of VLANS

Group people with resources they use regardless of geographic location.
Easier to manage specific security/bandwidth needs.

VLAN Overview

VLANs let admin create groups of logically networked devices act as an independent network.
Name VLAN to describe primary role of users for that VLAN. Eg: student VLAN
Logically segment switched networks based on functions, departments or project teams.
Geographically structure network to support home-based workers.
VLANs allow adminto implement access and security policies to user groups.

VLAN Details

VLAN is logically separate IP subnetwork.
Allow multiple IP networks and subnets to exist on same switched network.
For PC’s to have comms on same VLAN, each must have:
IP address & subnet mask(for that VLAN)
Switch must be configured with VLAN & each port must be assigned to VLAN.
Switch port with 1VLAN configured on it is called an “access port”.

Benefits of a VLAN

Security: – Groups that have sensitive data are separated from rest of network, decreasing the chances of confidential information breaches.
Cost reduction: Less expensive network upgrades.
Higher performance – Dividing into multiple logical workgroups
Broadcast storm mitigation – Reduces number of devices that act in broadcast storm.
Improved IT staff efficiency – Easier to manage network because users with similar network requirements share same VLAN.

VLAN ID Ranges

Normal Range VLANs

Used for small, medium-sized business and enterprise networks.
VLAN ID between 1 – 1005.
IDs 1002 – 1005: Used by Token Ring and FDDI VLANs.
IDs 1 and 1002 – 1005 automatically created. (cannot be removed)
Config file stored in VLAN database file( vlan.dat. in flash)
VTP helps manage VLAN configs between switches.

Extended Range VLANs

Enables service providers to extend infrastructure to more customers.
Some global enterprises are big enough for extended range VLAN IDs.
VLAN ID between 1006 – 4094.
Supports fewer VLAN features than normal range VLANs.
Saved in running config file.
VTP does not learn extended range VLANs.

255 VLANs Configurable

A single Cisco Catalyst 2960 can support up to 255 normal /extended range VLANs.
# of configured VLANs affects performance of switch hardware.

3.1.2 Types of VLANS

Implement VLANs via port-based VLANs.
Port-based VLAN is associated with port called “access VLAN”.

Data VLAN

Configured to carry only user-generated traffic.
Common practice to separate voice and management from data traffic.
A data VLAN = user VLAN.

Default VLAN

All switch ports are in default VLAN after initial boot up of switch.
All part of same broadcast domain.
Default VLAN for Cisco switches i= VLAN 1.
Cannot rename or delete VLAN 1.
Layer 2 control traffic (CDP and STP) are by default associated with VLAN 1.
Security best practice to change default VLAN to another besides VLAN 1.
VLAN trunks support transmission of traffic from more than one VLAN.

Native VLAN

Assigned to an 802.1Q trunk port.
An 802.1Q trunk port supports traffic coming from many VLANs.
The 802.1Q trunk port places untagged traffic on the native VLAN.

Management VLAN

Any VLAN configured to access management capabilities of switch.
VLAN 1 would serve as management VLAN if no unique VLAN is defined for management.
Switch can be managed via HTTP, Telnet, SSH, or SNMP.

Voice VLANs

VoIP traffic requires:
- Assured bandwidth for voice quality.
- Transmission priority.
- Routing around congested areas of network.
- < 150 milliseconds (ms) delay across network.
- Entire network has to be designed to support VoIP.

A Cisco Phone is a Switch

Cisco IP Phone has integrated 3-port 10/100 switch:
- Port 1: Connects to switch or other VoIP device.
- Port 2: Internal 10/100 interface that carries IP phone traffic.
- Port 3: Access port connects to PC/other device.

Voice VLAN enables switch ports to carry voice traffic from IP phone.
Comms between switch and IP phone is via CDP protocol.

Network Traffic Types

VLAN must accommodate the same network traffic as a LAN.

Network Management and Control Traffic

Cisco Discovery Protocol updates
Simple Network Management Protocol traffic
Remote Monitoring traffic.

IP Telephony

Signalling traffic is responsible for call setup, progress, and teardown. (end to end)
Voice traffic is data packets of actual voice conversation.

IP Multicast

Cisco IP/TV broadcasts.
Can produce large amounts of data across network.
Configure VLANs to ensure multicast traffic only goes to user devices that use service.

Normal Data

File creation and storage.
Print services and e-mail database access.
Shared network apps common to business uses.

Scavenger Class

Intended to provide less-than best-effort services to certain apps.
Applications here have little/no contribution to org objectives.(entertainment )
Includes media share apps(KaZaa, Morpheus, Groekster, Napster, iMesh),
Gaming apps (Doom, Quake, Unreal Tournament)

Switch Ports

Layer 2-only interfaces associated with physical port.
Manage physical interface and Layer 2 protocols.
Belong to 1+ VLANs.

VLAN Switch Port Modes

Assign VLANs a number ID and name.
Purpose is to associate ports with particular VLANs.
You configure the port to forward a frame to a specific VLAN.

3.1.3 Switch Port Membership Modes

Static VLAN

Ports manually assigned to VLAN.
In CLI, if you assign interface to VLAN that does not exist, new VLAN is created.

Dynamic VLAN

Not widely used in production networks.
Configured using a VLAN Membership Policy Server (VMPS).
Assign ports to VLANs dynamically, source MAC address of device.
When host moves from port on one switch to port on another switch, the switch dynamically assigns new port to proper VLAN for that host.

Voice VLAN

Port configured for voice mode to support an IP phone.
First configure VLAN for voice and VLAN for data.
Switch port provides phone with appropriate voice VLAN ID and configuration.
IP phone tags voice frames with voice VLAN ID and forwards voice traffic via voice VLAN.

3.1.4 Controlling Broadcast Domains with VLANS

After configuring VLANS, switch transmission of unicast, multicast, and broadcast traffic from host on particular VLAN are restricted to devices on that VLAN.

Intra-VLAN Communication

Communicating with device in same VLAN is called intra-VLAN communication.

Inter-VLAN Communication

Communicating with a device in another VLAN is called inter-VLAN communication.

SVI

Logical interface configured for specific VLAN.

Layer 3 Forwarding

Is the ability to route transmissions between VLANs.
Layer 3 Switch acts as router.

3.2.1 VLAN Trunks

Point-to-point link between two network devices which carry more than1 VLAN.
Allows you to extend VLANs across entire network.
Cisco supports IEEE 802.1Q.
Is a conduit for VLANs between switches and routers.
What Problem Does a Trunk Solve?

802.1Q Frame Tagging

Frame header does not contain info about which VLAN frame belongs to.
Using 802.1Q encapsulation header, tag is added to original Ethernet frame specifying VLAN to which frame belongs.

VLAN Frame Tagging Overview

Switch receives frame on port configured in access mode with static VLAN.
Switch takes apart frame and inserts VLAN tag, recalculates FCS and sends tagged frame out trunk port.

VLAN Tag Field Details

VLAN tag field contains:
- EtherType field.
- Tag control information field.
- FCS field.

EtherType field

Set to hexadecimal value of 0×8100. (tag protocol ID (TPID))
If EtherType field is set to TPID value, switch receiving frame knows to look for info in tag control info field.

Tag control information field

Contains:
- 3 bits of user priority – Used by 802.1p standard
- 1 bit of Canonical Format Identifier (CFI) – Enables Token Ring frames to use Ethernet
- 12 bits of VLAN ID (VID) – Supports up to 4096 VLAN IDs.

FCS field

After switch inserts EtherType and tag control info fields, it recalculates FCS values and inserts it into frame.

Tagged Frames on the Native VLAN

Devices that support trunking tag native VLAN traffic by default.
Control traffic sent on native VLAN should be untagged.
If an 802.1Q trunk port receives tagged frame on native VLAN, it drops frame.
Identify these devices and configure them so they don’t send tagged frames on native VLAN.
These devices include IP phones, servers, routers and non-Cisco switches.

Untagged Frames on the Native VLAN

When Cisco switch trunk port receives untagged frames it forwards frames to native VLAN.
Default native VLAN = VLAN 1.
If native VLAN has not been reconfigured, PVID value is set to VLAN 1.

Trunking Modes

On (default)

Switch port sends DTP advertisements to remote port. (“Switchport mode trunk”).
Local port advertises to remote port that it is dynamically changing to trunking state.
Local port then changes to trunking state.
Local port is in an unconditional (always on) trunking state.

Dynamic auto

Switch port sends DTP frames to remote port. (“Switchport mode dynamic auto”)
Local port advertises to remote port it is able to trunk but does not wish to go trunking state.
If both ports on switches are set ”auto” they negotiate to be in access (non-trunk) mode state.

Dynamic desirable

DTP frames sent to remote port. (“switchport mode dynamic desirable”)
Local port advertises to remote port it is able to trunk and asks remote switch port to go trunking state.
If local port detects that remote has been configured in “on, desirable, or auto mode”, local port goes trunking state.
If remote switch port is in “nonegotiate” mode, local switch port remains non-trunking port.

Turn off DTP

Turn off DTP so that local port does not send out DTP frames to remote port. (“switchport nonegotiate”)
Use this to configure trunk with switch from non cisco vendor.

CHAPTER-2-Exploration3-Thurs/Fri-MT/KG

mjlilley — Sat, 15 May 2010 01:21:45 +0000

CHAPTER-2-Exploration3-Thurs/Fri-MT/KG

2.1.1 ETHERNET NETWORKS

CSMA/CD

Ethernet signals transmitted to every host connected on LAN.
Ethernet rules = IEEE carrier sense multiple access/collision detect (CSMA/CD) technology.
CSMA/CD is only used with half-duplex comms (hubs).
Full-duplex switches do not use CSMA/CD.

Carrier Sense

Network devices that have messages to send must listen before transmitting.
If device detects signal from another device, it waits before attempting to transmit.
When no traffic detected, device transmits message.
While transmitting, device listens for traffic or collisions on LAN.

Multi-access

Latency of signals can cause two devices transmitting at same time.
When signals mix, messages are destroyed (collision has occurred).
Jumble of remaining signals continues to propagate across media.

Collision Detection

Caused when devices detects an increase in amplitude of signal above normal level.
Devices that are transmitting continue to transmit so all devices on network detect collision.

Jam Signal and Random Back-off

When collision is detected, transmitting devices send out jamming signal.
Jamming signal tells other devices of collision, so they invoke a back-off algorithm.
Back-off algorithm causes devices to stop transmitting for random amount of time, which allows collision signals to subside.
During back-off period, third device may transmit before devices involved in collision have a chance to re-transmit.

Ethernet Communications

Unicast:

Frame sent from one address to specific destination.
1 sender, 1 receiver.
HTTP, SMTP, FTP and Telnet protocols.

Broadcast:

Frame sent from one address to all other destinations.
1 sender, all connected receivers.
ARP protocol.

Multicast:

Frame sent to specific group of devices/clients.
Clients must be members of logical multicast group.
Voice/video apps, network games.

Ethernet Frame

Ethernet frame adds headers and trailers around Layer 3 PDU.

Preamble and Start Frame Delimiter Fields

Used for synchronization of sending /receiving devices.
First 8 bytes of frame are used to attract attention of receiving nodes.

Destination MAC Address Field

Identifies intended recipient.
Used by Layer 2 processes to see if frame is addressed to device.
If match then device accepts the frame.

Source MAC Address Field

Identifies frame’s originating NIC/interface.
Use by switches in lookup table

Length/Type Field

Defines exact length of frame’s data field.
Used later by Frame Check Sequence (FCS) or checksum for completeness.
Type field describes which protocol is implemented.
If value is greater than 0×0600 (1536 decimal), then contents are decoded by protocol.
if value is less than 0×0600 then value represents length of data in frame.

Data and Pad Fields

(46 to 1500 bytes) contain encapsulated data from layer 3 (PD, or IPv4) packet.
All frames must be minimum 64 bytes long (aides detection of collisions).
Used to increase size of small packet to minimum size.

Frame Check Sequence Field

Detects errors in frame via cyclic redundancy check (CRC).
Results included by sending device.
Receiving device receives frame and generates CRC to look for errors.

MAC Address

Ehernet MAC address is two-part 48-bit binary value expressed as 12 hexadecimal digits.
00-05-9A-3C-78-00, 00:05:9A:3C:78:00 or 0005.9A3C.7800.
All devices on an Ethernet LAN have MAC-addressed interfaces.
NIC uses MAC address to see if message should be passed to upper layers for processing.
Permanently encoded into ROM chip on NIC. (Burned in address (BIA).
Some vendors allow local modification of MAC address.

Organizational Unique Identifier

1st part of MAC address.
24 bits long
Identifies manufacturer of NIC card.
IEEE regulates assignment of OUI numbers.

Broadcast/multicast bit: Indicates frame is destined for all/group of end stations on LAN.
Locally administered address bit: If vendor-assigned MAC address can be modified locally, this bit should be set.

Vendor Assignment Number

24 bits long
Uniquely identifies Ethernet hardware.

Duplex Settings

Half Duplex:

Relies on one-way data flow where sending/receiving are performed separately.
Implements CSMA/CD to reduce potential for collisions and detect them when they occur.
Have performance (constant waiting)
Exist in older hardware (hubs).

Full Duplex:

Data flow is 2-way, so data can be sent /received at same time.
Enhances performance (reduces wait time).
Collision detect circuit is disabled. (end nodes use two separate circuits in cable)

Switch Port Settings

Switch port must be configured with duplex settings that match media type.
Auto = auto-negotiation. (2 ports communicate to decide best mode of operation)
Full = full-duplex mode.
Half = half-duplex mode.
Fast Ethernet and 10/100/1000 ports, default = auto.
100BASE-FX ports, default = full.
10/100/1000 ports operate half or full when set to 10 or 100 Mb/s,
10/100/1000 ports operate full when set to 1000 Mb/s,

Auto-negotiation can be unpredictable.
If auto-negotiation fails, (device = no support) Catalyst switch sets switch ports to half-duplex mode.
If switch port = full and device = half, check for FCS errors on switch full-duplex port.

Auto-MDIX

Use “mdix auto” interface config command in CLI to enable automatic medium-dependent interface crossover (auto-MDIX) feature.
When auto-MDIX enabled, switch detects required cable type and configures interfaces accordingly.
Auto-MDIX enabled by default on switches running Cisco IOS Release 12.2(18)SE or later.
Auto-MDIX disabled by default on switches running Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE.

MAC Addressing and Switch MAC Address Tables

Switches use MAC addresses to send network comms to correct ports and destination hosts.
Switch must first learn which hosts are on each port to know where to transmit a unicast frame.
Switch makes MAC address table by storing MAC addresses of hosts connected to each port.
Switch then sends traffic destined for that specific host out port mapped to it.
When destination MAC address of frame is not in table, switch forwards frame out all ports, except receiving port.
In multiple switch networks, MAC address tables record multiple MAC addresses which reflect hosts beyond the next switch.

2.1.2 DESIGN CONSIDERATIONS

Bandwidth and Throughput

Collisions occur when two hosts transmit frames simultaneously.
Transmitted frames are corrupted or destroyed.
Hosts involved in collisions cannot restart transmitting until matter is resolved.

Collision Domains

To reduce number of hosts on any network segment, create separate physical network segments.
Shared media environments (hubs) are collision domains.
When host connected to switch port, connection =individual collision domain. (traffic kept separate)
Switch builds MAC address table of hosts connected to each switch port.
When 2 hosts communicate, switch uses “switching table” to make connection between ports.
Circuit is maintained until session is terminated.
Connection = micro-segment.
Switches reduce collisions/improve bandwidth on network segments because they dedicate bandwidth to each network segment.

Broadcast Domains

Switches do not filter broadcast frames.
Collection of interconnected switches forms single broadcast domain.
Routers and VLANs are used to segment collision and broadcast domains.
Broadcast domain at Layer 2 = MAC broadcast domain.
If switch receives broadcast frame, it forwards frame out each ports. (except incoming)
Broadcasts reduce network efficiency. (extra bandwidth used)
When 2 or more switches are connected, broadcast domain is increased.

Network Latency

= time frame / packet takes to travel from initial source to final destination.
Latency has at least 3 sources.

#1=Time it takes source NIC to place voltage pulses on wire plus time it takes destination NIC to interpret pulses.
Known as NIC delay. (1 microsecond for 10BASE-T NIC)

#2=Propagation delay as signal takes time to travel through cable.
Delay = 0.556 microseconds per 100m of Cat 5 UTP.
Longer cable/slower nominal velocity of propagation (NVP) = + propagation delay.
#3=latency occurs on each network device in path between two devices.

Latency depends on distance / # of devices and layer of devices.
Switches can process frame more quickly than routers.
Switches also support high transmission rates of voice, video, and data networks.
Switches use application-specific integrated circuits (ASIC) to give hardware support for networking tasks.
Port-based memory buffering, QoS and congestion management reduce network latency
Switch-based latency can be caused by overused switch fabric.
Entry-level switches = – internal throughput for + bandwidth capabilities on all ports.
Now, cause of network latency = media, routing protocol and types of apps on network.

Network Congestion

Most common causes of network congestion:
- PC’s are much faster and more powerful than those used in early LANs.
- Increasing volume of network traffic.
- High-bandwidth applications. (Desktop publishing, engineering design, video on demand)

LAN Segmentation

Bridges and Switches

Bridges used to segment LAN into 2 smaller segments.
Switches used to segment large LAN into many smaller segments.
Bridges have only a few ports for LAN connectivity, whereas switches have many.

Routers

Can be used to create broadcast domains because they do not forward broadcast traffic. This reduces broadcast traffic and provides more bandwidth for unicast comms.

2.1.2 DESIGN CONSIDERATIONS

Controlling Network Latency

Consider latency caused by each device on network when designing.
Core layer switch must support full wire speed across all ports simultaneously.
Gigabit throughput @48 ports=96Gb/s
Use of higher layer devices increases latency.
Appropriate use of Layer 3 devices helps prevent broadcast traffic in a large broadcast domain or high collision rate in large collision domain.

2.2.1 SWITCH FORWARDING METHODS

Switch Packet Forwarding Methods

Store-and-forward is only method used on current models of Cisco Catalyst switches.

Store-and-Forward Switching

When switch receives frame stores data in buffers until complete frame has been received.
During storage process, switch analyses frame for info about its destination.
Switch also does error check using Cyclic Redundancy Check (CRC) portion of frame.
Frame is then forwarded out appropriate port toward destination.
When an error is detected switch discards frame. (reduces bandwidth used by corrupt data)
Store-and-forward required for Quality of Service (QoS) analysis on converged networks.

Cut-through Switching

Switch acts on data when received, even if transmission is not complete.
Switch reads enough of frame to determine destination MAC address.
Looks up destination MAC address in switching table, determines outgoing interface port.
Switch does not perform any error checking on frame.
Faster than store-and-forward switching.
Forwards corrupt frames throughout network. (consumes bandwidth)

2.2.2 SYMMETRIC/ASYMMETRIC SWITCHING

Based on way bandwidth is allocated to switch ports.
Symmetric = ports with same bandwidth (all 100 Mb/s ports or all 1000 Mb/s ports).
Asymmetric = ports of unlike bandwidth (combo of 10 Mb/s, 100 Mb/s, 1000 Mb/s ports)

Asymmetric

Enables more bandwidth to be dedicated to server switch port to prevent bottleneck.
Allows smoother traffic flows when multiple clients are comms with server at same time.
Memory buffering needed on asymmetric switch.
To match different data rates on ports, frames kept in memory buffer and moved to port one after other as required.

Symmetric

All ports use same bandwidth.
Symmetric switching is optimized for reasonably distributed traffic load. (P2P)

2.2.3 MEMORY BUFFERING

Switch uses buffering technique to store frames before forwarding them.
Buffering also used when destination port is busy.
Memory buffering is built into hardware of switch.

Port-based Memory Buffering

Frames stored in queues linked to specific incoming/outgoing ports.
Frame transmitted to outgoing port when all frames ahead of it have been transmitted.
A single frame can delay transmission of all frames in memory due to busy destination port.
This happens even if other frames could be transmitted to open destination ports.

Shared Memory Buffering

Deposits all frames into common memory buffer which all ports on switch share.
Amount of buffer memory required by port is dynamically allocated.
Frames in buffer linked dynamically to destination port.
Lets packet be received on one port and transmitted out another, without waiting in queue.
Switch keeps map of frame to port links.
The map link is cleared after the frame has been successfully transmitted.
# of frames stored in buffer restricted by size of entire memory buffer, not port buffer.
This permits larger frames to be transmitted with fewer dropped frames.

2.2.4 Layer 2 and Layer 3 Switching

Layer 2 switch performs switching/filtering based on OSI Data Link layer (MAC address).
Layer 3 switches (Catalyst 3560) can:
- Use IP address info to make forwarding decisions.
- Learn which IP addresses are associated with which interfaces.
- Direct network traffic based on IP address info.
- Be capable of performing Layer 3 routing functions.
- Use specialised switching hardware so they route data as quickly as they can switch.

Layer 3 Switch/Router Comparison

Layer 3 switches do not completely replace need for routers on network.
Routers perform Layer 3 services that Layer 3 switches are not capable of performing.
Routers outdo Layer 3 switches because they are capable of:
- Establishing remote access connections to remote networks/devices.
- Being more flexible in support of WAN interface cards (WIC).

Layer 3 switches can provide basic routing functions in LAN and reduce need for routers.

2.3.1 COMMAND LINE INTERFACE MODES

GUI-based Alternatives to CLI

Cisco Network Assistant

PC-based GUI network management app for small /medium-sized LANs.
Configure/manage groups or standalone switches.

Cisco-View Application

Displays physical view of switch .
Set config parameters and view switch status/performance info.

Cisco Device Manager

Web-based software stored in switch memory.
Use to configure/manage switches.

SNMP Network Management

Manage switches from SNMP-compatible management station.
Switch provides comprehensive management info
Switch provides four Remote Monitoring (RMON) groups.
More common in large enterprise networks.

2.3.3 COMMAND HISTORY

Command History Buffer

Save time retyping commands by using Cisco IOS command history buffer.
Useful in helping recall long or complex commands or entries.
Command history features:
- Display contents of command buffer.
- Set command history buffer size.
- Recall previous commands stored in history buffer.
- Buffer for each config mode.

Default = command history enabled, records last 10 command lines in history buffer.
Use “show history” command to view recently entered EXEC commands.

2.3.4 SWITCH BOOT SEQUENCE

Switch loads boot loader software. (Stored in ROM and run when switch is turned on)
Boot loader:
- Performs low-level CPU initialization.
- Performs power-on self-test (POST) for CPU subsystem.
- Initializes flash file system on system board.
- Loads default OS software image into memory and boots switch.
- OS initializes interfaces using commands found in OS config file (config.text stored in flash)

Recovering from a System Crash

Boot loader provides access into switch if OS cannot be used.
Boot loader has CLI facility that provides access to files stored on Flash before OS is loaded.
From boot loader command line, enter commands to format flash file system.
Reinstall OS image or recover from lost/forgotten password.

2.3.5 PREPARE SWITCH

Prepare to Configure the Switch

Step 1:

Before starting switch, verify:
- All network cable connections are secure.
- PC/terminal connected to console port.
- HyperTerminal is running /configured correctly.

Step 2:

Attach power cable plug to switch power supply socket.
Some Catalyst switches do not have power buttons.

Step 3:

Observe boot sequence:
- When switch is turned on POST begins. (LEDs blink)
- When POST is complete SYST LED rapidly blinks green.
- If switch fails POST SYST LED turns amber. (Repair switch)

During initial start-up of switch, POST failures are reported to console and switch does not start.
If POST completes and switch = not configured before, user prompted to configure switch.

2.3.6 BASIC SWITCH CONFIG

Management Interface Considerations

To manage switch remotely, you need to assign switch IP address.
IP address is assigned to virtual interface (VLAN), and then VLAN assigned to specific port/s.
Default management = VLAN 1.
Best practice for basic switch configuration = change management to any other than VLAN 1.

Configure Management Interface

Must be in VLAN interface config mode to configure IP address /subnet mask for management VLAN.
Must use “no shutdown” command to make Layer 3 interface operational.
“Interface VLAN x” refers to Layer 3 interface associated with VLAN x.
Layer 2 switch only permits single VLAN interface to be active at any time.

Configure Default Gateway

To forward IP packets to distant networks, configure default gateway.

Mdix auto Command

Use “mdix auto” command enable automatic medium-dependent interface crossover.
Auto-MDIX feature was introduced in Cisco IOS Release 12.2(25)FX.

Configure Duplex and Speed

Use “duplex” command to specify duplex mode of operation for switch ports.
Use “speed” command to specify speed mode of operation for switch ports.
Manually set duplex mode of switch ports to avoid issues with auto-negotiation.

Managing the MAC Address Table

MAC tables include dynamic and static addresses.
Dynamic addresses = source MAC addresses that switch learns then ages when not used.
Default age out time = 300 seconds.
Network admin can specifically assign static MAC addresses to certain ports.
Static addresses are not aged out.
Static MAC addresses provide network admin complete control over access to network.
Only devices known to network admin can connect to network.
To create static mapping in MAC address table use:
- #mac-address-table static vlan {1-4096, ALL} interface

Max size of MAC address table varies with different switches.
Catalyst 2960 series switch can store up to 8,192 MAC addresses.
Other protocols limit absolute number of MAC address available to switch.

2.3.7 VERIFYING SWITCH CONFIG

“Show” command is executed from privileged EXEC mode

2.3.8 BASIC SWITCH MANAGEMENT

Backing up the Configuration

Step 1:
- Verify that TFTP server is running on network.
- Step 2:
  - Log in to switch through console port/Telnet session.
  - Enable switch and then ping TFTP server.

Step 3:
- Upload switch config to TFTP server.
- Specify IP address/hostname of TFTP server and destination filename.
- “#copy system:running-config tftp: [[[//location]/directory]/filename]

“#copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Restoring the Configuration

Step 1:
- Copy config file to appropriate TFTP directory on TFTP server if not already there.
- Step 2:
  - Verify that TFTP server is running on network.
  - Step 3:
    - Log in to switch through console port/Telnet session.
    - Enable switch and then ping TFTP server.
    - Step 4:
      - Download switch config file from TFTP server.
      - Specify IP address/hostname of TFTP server and name of file to download.
      - “#copy tftp:[[[//location]/directory]/filename] system:running-config”

“#copy tftp:[[[//location]/directory]/filename] nvram:startup-config”

If config file is downloaded into running-config, command lines are executed as file is parsed.
If config file is downloaded into startup-config, switch is reloaded so changes take effect.

Clearing Configuration Information

To clear contents of startup config, use:
- #erase nvram:

#erase startup-config

Deleting a Stored Configuration File

To delete file from Flash memory, use:
- “#delete flash: “
- By default, switch prompts for confirmation when deleting file.

2.4.1 CONFIGURE PASSWORD OPTIONS

Configure Console Access

FBI estimates that businesses lose $67.2 billion annually because of computer-related crime.
If you do not secure console port properly, malicious user could compromise switch config.

Secure the Console

To secure console port from unauthorized access, use:
- # line console 0
- # password
- # login

Remove Console Password

Step 1:
- Switch from privileged EXEC to global configuration mode.
- # configure terminal
- Step 2:
  - Switch from global configuration to line configuration mode for console 0.
  - # line console 0
  - Step 3:
    - Remove password from console line.
    - #no password
    - Step 4:
      - Remove requirement to enter password at login to console line.
      - # no login
      - Step 5: Exit line configuration and return to privileged EXEC mode.
        
        #end

Configure Encrypted Passwords

Passwords (except enable secret) stored in clear text within startup/running-config.
Passwords should be encrypted, not stored in clear text format.
When:
- (CT)#service password-encryption
- All system passwords are stored in encrypted form.
- Removing password encryption does not convert encrypted passwords to readable text.
- After removing encryption, all newly set passwords are stored in clear text format.
- Encryption standard used by service password-encryption = Type 7(Very weak).
- Type 5 = more secure but must be invoked manually for each password configured.

Enable Password Recovery

Requires physical access to device.
You cannot recover passwords on Cisco device, but you are able to reset them to new value.

2.4.3 TELNET & SSH

Configuring Telnet

To re-enable Telnet protocol on 2960 switch, use:
- (config-line)#transport input telnet

(config-line)#transport input all.

Configuring SSH

SSH supports Data Encryption Standard (DES) algorithm.
DES offers 56-bit encryption, 3DES offers168-bit encryption.
Encryption standards are specified by client.
Step 1:
- #conf t
- Step 2:
  - #hostname
  - Step 3:
    - # ip domain-name
    - Step 4:
      - #crypto key generate rsa
        
        RSA keys require you to enter modulus length.
        
        Cisco recommends 1024 bits.
        
        Step 5:
        
        # end
        
        Step 6:
        
        #show ip ssh or #show ssh

Deleting RSA key pair automatically disables SSH server.
- #crypto key zeroize rsa

Configuring the SSH Server

Step 1:
- #conf t
- Step 2: (Optional, If not used, server selects latest SSH version supported by client)
  - # ip ssh version [1 or 2]
  - Step 3:
    - Configure SSH control parameters:
    - Default time-out value is 120 seconds; range is 0 to 120 seconds.
    - Default re-authenticate is 3; the range is 0 to 5.
    - Repeat step when configuring both parameters
      - #ip ssh {timeout seconds | authentication-retries #}
      - Step 4:
        
        #end
        
        Step 5:
        
        #show ip ssh or #show ssh
        
        Step 6. (Optional)
        
        Save entries in configuration file
        
        #copy run start

2.4.4 COMMON SECURITY ATTACKS

MAC Address Flooding

Common attack.
If MAC address does not exist, switch forwards frame out every port (not source)on switch.
MAC address table overflow attacks = MAC flooding attacks.
MAC address tables are limited in size.
MAC flooding bombards switch with fake source addresses until switch address table is full.
Switch then enters “fail-open mode” and broadcasts packets to all hosts on network.
Attacker can see all frames sent from victim host to other host without address table entry.
Some network attack tools can generate 155,000 MAC entries on switch per minute.

Spoofing Attacks

An attacker can spoof responses that would be sent by valid DHCP server.
DHCP spoofing device replies to client DHCP requests.
Intruder DHCP reply offers IP address and info that says intruder is default gateway.
Clients then forward packets to attacking device which sends them to desired destination.
Known as “man-in-the-middle attack”
May be undetected as intruder intercepts network data.

DHCP starvation attack

Attacker PC continually requests IP addresses from DHCP server by changing source MAC addresses.
DHCP starvation attack causes all leases on DHCP server to be allocated, preventing users from obtaining an IP address.
DHCP snooping = Cisco feature that tells which switch ports respond to DHCP requests.
Ports are identified as trusted and un-trusted.
Trusted ports can source all DHCP messages; untrusted ports can source requests only.
Trusted ports host DHCP server or uplink toward DHCP server.
If rogue device on an untrusted port sends DHCP response, port is shut down.

Step 1:
- (CT)# ip dhcp snooping
- Step 2:
  - (CT)# ip dhcp snooping vlan number [#]
  - Step 3:
    - Define ports as trusted/untrusted at interface level by defining trusted ports
    - (CIF)# ip dhcp snooping trust
    - Step 4: (Optional)
      - Limit rate an attacker can send bogus DHCP requests
      - ip dhcp snooping limit rate

CDP Attacks

CDP messages are not encrypted.
Cisco routers/switches have CDP enabled by default.
CDP is Layer 2 protocol and not propagated by routers.
CDP contains info about device. ( IP address, version, platform, capabilities and native VLAN)
Attacker can use this info to find exploits and attack your network.
Ethereal packet trace shows inside of CDP packet.
Disable CDP on devices that do not need to use it.

Telnet Attacks

Brute Force Password Attack

Attacker uses list of common passwords and program designed to establish session using each word in dictionary.
Attacker uses program that creates sequential character combos to “guess” password.
With enough time, brute force password attack can crack almost all passwords used.
Change passwords frequently and use strong passwords randomly mixing upper and lowercase letters with numerals.

DoS Attack

Attacker exploits flaw in Telnet server software running on switch.
Nuisance for admin – prevents admin performing switch management functions.
Newer Cisco IOS revisions don’t have telnet vulnerabilities. (check for newer IOS)

2.4.5 SECURITY TOOLS

Verify no weaknesses exist for an attacker to exploit.
Tools allow you to play roles of hacker and network security analyst.
Launch attack and audit results to determine how to adjust your security policies.
Modern network security tools detect remote flaws of hosts on network,
Also determine application level flaws. (missing patches)

Network Security Audit

Reveals info attacker can gather by monitoring network traffic.
Audit switch ports when switch starts flooding to determine which ports are compromised.
Timing = important factor in successful audit.

Network Penetration Testing

Identifies weaknesses within config of your networking devices.
Tests can have adverse effects on the network. ( use controlled conditions)

Network Security Tools Features

Secure network = process, not product.
Features of modern network security tool:
- Service identification: test all services running on host.
- Support of SSL services: Testing services including HTTPS, SMTPS, IMAPS.
- Non-destructive and destructive testing:
- Database of vulnerabilities: Vulnerabilities change all the time.

Network security tools need to be designed for modularity.
Large database of vulnerabilities can be maintained and uploaded to tool.
Use network security tools to:
- Capture chat messages
- Capture files from NFS traffic
- Capture HTTP requests in Common Log Format
- Capture mail messages in Berkeley mbox format
- Capture passwords
- Display captured URLs in browser in real time
- Flood a switched LAN with random MAC addresses
- Forge replies to DNS address / pointer queries
- Intercept packets on a switched LAN

2.4.5 PORT SECURITY

All switch ports/interfaces should be secured before switch is deployed.
Port security limits the number of valid MAC addresses allowed on port.

Secure MAC Address Types

Static secureaddresses: manually configured
- (CIF)# switchport port-security mac-address
- (stored in the address table and added to running configuration)
- Dynamic secure addresses: dynamically learned and stored only in address table.
  - (removed when switch restarts)
  - Sticky secure addresses: dynamically learned and saved to running config.

Sticky MAC Addresses

(CIF)# switchport port-security mac-address sticky
Interface converts all dynamic addresses (incl. old ones) to sticky and adds to running config.
If you do not save the sticky secure addresses in config file, they are lost.

Security Violation Modes

Occurs when:
- Max # of secure addresses in address table and another tries to access interface.
- Address learned on secure interface is seen on another secure interface in same VLAN.

Protect:
- When # of secure MAC addresses reaches limit allowed on port.
- Packets with unknown source addresses are dropped until enough secure MAC addresses are removed or increase # of max addresses.
- No notification of security violation is sent.

Restrict:
- When # of secure MAC addresses reaches the limit allowed on port.
- Packets with unknown source addresses are dropped until …(see protect).
- Notified security violation has occurred.
- SNMP trap is sent
- syslog message is logged
- Violation counter increments.
- Shutdown: This is default mode.
  - Port security violation causes interface to be error-disabled and turns off port LED.
  - Sends an SNMP trap, logs a syslog message and increments violation counter.

When secure port is in error-disabled state, bring it out of state by:
- (CIF)#shutdown and (CIF)#no shutdown

Verify Port Security

Check each interface to verify port security set correctly.
Check to make sure configured static MAC addresses correctly.

Verify Port Security Settings

#show port-security interface [interface-id]

Verify Secure MAC Addresses

#show port-security interface [interface-id] address

Disable Unused Ports

(CIF)#shutdown

CHAPTER-1-Exploration3-Thurs/Fri-MT/KG

mjlilley — Sun, 02 May 2010 09:04:51 +0000

CHAPTER-1-Exploration3-Thurs/Fri-MT/KG

1.1.1 HEIRARCHICAL MODEL

Networks easier to manage & expand.
Problems are solved more quickly.

ACCESS LAYER

Interfaces with end devices.
Can include routers, switches, bridges, hubs, and wireless access points.
Provide means of connecting devices to network.
Controls which devices are allowed to communicate on network.

DISTRIBUTION LAYER

Channels data received from access layer before being transmitted to core layer.
Controls flow of network traffic by using policies.
Decreases broadcast domain sizes by performing routing functions between virtual LANs.

CORELAYER

Forms High-speed backbone of internet network.
Critical for connectivity between distribution layer devices.
Must be highly available and redundant.
Connects to Internet resources.
Channels traffic from all distribution layer devices.
Forwards large amounts of data quickly.

A Hierarchical Network in a Medium-Sized Business

Logical representation makes it easy to see which switches perform which function.

Benefits of a Hierarchical Network

Scalability

The modular design of hierarchical networks allow for replication of design units.

Redundancy

As network expands, availability becomes more important.
Increase availability via redundant device implementations.
Connect access layer devices to two different distribution layer devices for path redundancy.
Connect distribution layer devices to two different core layer devices for path availability.

Performance

Gained by avoiding transmission of data via ”crappy” switches.

Security

Via Ports at access layer and policies at distribution layer.

Manageability

Simplified by consistency of switches at each level.

Maintainability

Modular = easy maintenance and scalability.

Hierarchical Network Design Principles

Network Diameter

First thing to consider when designing a hierarchical network topology.
Term used to measure # of devices.
Network diameter = # of devices that packet has to cross before it reaches i destination.
Keeping network diameter low ensures low and predictable latency between devices.
Using 3 layer hierarchical model, segmentation at distribution layer eliminates network diameter as an issue.
Network diameter is always predictable number of hops between source and destination devices.

Bandwidth Aggregation

All layers in hierarchical network model may have bandwidth aggregation.
Is the practice of considering specific bandwidth requirements of each part of hierarchy.
After bandwidth requirements of network are known, links can be aggregated.

Redundancy

One part of creating highly available network.
Redundancy =
- Double network connections between devices.
- Double network devices themselves.

Implementing redundant links = $$.
Access layer redundancy = no ( no features & $$+)
Distribution and core layer redundancy = yes

Start Design process at Access Layer

To ensure that you accommodate all network devices needing access to network.
After end devices accounted for, determine how many access layer switches are needed.
# of access layer switches and estimated traffic helps determine how many distribution layer switches are required to achieve performance and redundancy network.
# of distribution layer switches help identify how many core switches are required to maintain performance of network.

1.1.3 WHAT IS A CONVERGED NETWORK?

Legacy Equipment

Process of combining voice and video communications on a data network.
Only feasible in large enterprise orgs because of infrastructure requirements and complex management needed to make them work seamlessly.
Requires more expensive switch hardware to support additional bandwidth requirements.
Requires management for Quality of Service (QoS),
Few individuals had convergence expertise.
Legacy equipment hinders process.

Advanced Technology

Converged networks has become more popular because of advancements in technology.
Easier to implement and manage.
Less $$ to purchase.
VoIP technology used to be affordable only to enterprises and governments.
Lower implementation and management costs

New Options

No need for expensive handset phone or videoconferencing equipment.
By using inexpensive webcams, videoconferencing can be added to a soft-phone.

1.2.1 HEIRARCHICAL NETWORK SWITCHES

To select appropriate switch for layer in hierarchical network, you need specs that show:
- Target traffic flows
- User communities
- Data servers
- Data storage servers
- Take into account future bandwidth requirements.
- To accurately choose appropriate switches, perform and record traffic flow analyses on regular basis.

Traffic Flow Analysis

Process of measuring bandwidth usage on network and analysing to performance tune.
No precise definition of network traffic flow (data through network in given period of time)
Data used to determine how long continued use of existing network hardware before a necessary upgrade to accommodate additional bandwidth requirements.
When deciding which hardware to purchase, consider port densities and switch forwarding rates to ensure adequate growth capability.
Manually monitor individual switch ports to get bandwidth utilization over time.
Determine future traffic flow requirements based on capacity at peak times and where most data is generated /sent.

Analysis Tools

Automatically record traffic flow data to database and perform trend analysis.
Use software collection solutions in larger networks to perform traffic flow analysis.
Network Analysis Tools:
- Solarwinds
- Orion 8.1
- NetFlow Analysis

Use Communities Analysis

Process of identifying groupings of users and their impact on network performance.
User grouping affects port density and traffic flow. (influences network switch selection)
End users grouped according to job function (similar access to resources and applications).
Good network design factors in growth to ensure enough open switch ports before next upgrade.

Future Growth

Good network plan includes rate of personnel growth over past 5 years to anticipate future growth.
Also investigate network traffic generated by end-user applications.
Determine location of data source, identify effect of adding more users to that community.
Small business communities are:
- Supported by few switches
- Typically connected to same switch as server.
- Medium-sized businesses/enterprises communities are:
  - Supported by many switches.
  - Resources located in geographically separate areas. (Influences location of data stores/server farms)
  - If community users are using network-intensive apps with specific server, locate community close to that server. (Reduce network diameter for their comms and reduce impact of their traffic across rest of network)
  - App usage by user communities not always bound by department or location.
  - May have to analyse impact of app across many network switches to determine overall impact.

Data Stores and Data Servers Analysis

When analysing network traffic, consider where location of data stores/servers are located to determine network traffic impact.
Data stores =:
- Servers
- Storage area networks (SANs)
- Network-attached storage (NAS)
- Tape backup units
- Location where large quantities of data are stored.

Client-Server Traffic

Client-server traffic generated when client device accesses data from data stores.
Client-server traffic crosses multiple switches to reach destination.
Consider Bandwidth aggregation and switch forwarding rates to eliminate bottlenecks.

Server-Server Traffic

Generated between data storage devices on network.
Server apps generate high volumes of traffic between data stores and other servers.
Locate servers needing frequent access to resources in close proximity to each other.

Data stores located in data centres.
Data centre = secured area of building where data stores and network equipment located.
Traffic across data centre switches is very high (server-server and client-server traffic)
Switches in data centres must be higher performance than switches in access layer.
To improve performance, aggregate links to accommodate more bandwidth.
Replace slower switches with faster switches capable of handling higher traffic load.

Topology Diagrams

Graphical representation of network infrastructure.
Shows how all devices are interconnected (including switch port interconnections).
Displays redundant paths or aggregated ports between devices.
Shows where/how many switches in use on network and ID’s config.
Contains info about device densities and user communities.
Allows visual ID of potential network bottlenecks (so data collection has most impact on performance)

1.2.2 SWITCH FEATURES

Switch Form Factors

Decide between:
- Fixed configuration/modular configuration
- Stackable or non-stackable.
- Consider thickness of switch (rack units).

Fixed Configuration Switches

Cannot add features or options beyond those that originally came with switch.

Modular Switches

Offer more flexibility in their config.
Come with different sized chassis that allow different # modular line cards. (Expansion card)
Line cards contain ports
Larger chassis = support more modules

Stackable Switches

Can be interconnected using backplane cable = high-bandwidth t between switches.
“StackWise” technology allows interconnection up to 9 switches (redundant connections).
Cables connect switches via daisy chain.
Operate as single larger switch.
Desirable where fault tolerance/ bandwidth availability critical and modular = $ costly.

Port Density

= # of ports available on switch.
Fixed configuration switches = up to 48 ports on single device.
High port densities = better use of space and power.
Modular switches = very high port densities.
Catalyst 6500 = 1,000+ switch ports.

Forwarding Rates

Define processing capabilities of switch (data processed per second).
Entry-layer switches = low forwarding rates.
Enterprise-layer switches= high forwarding rates.
If switch forwarding rate is too low,switch cannot go full wire-speed across all switch ports.
Wire speed i= max data rate on each port (100 Mb/s Fast Ethernet or 1000 Mb/s Gigabit Ethernet).
Access layer switches dont operate at full wire speed because limited by uplinks to distribution layer.

Link Aggregation

Determine if enough ports on switch to aggregate to support required bandwidth.
Wire speed of an Ethernet connection depends on properties of cable, combined with lowest layer of connection protocols.
Link aggregation reduces bottlenecks by allowing up to 8 ports bound together for data comms.
Cisco uses term “EtherChannel” when talking aggregated switch ports.

Power over Ethernet (PoE)

Allows switch to deliver power to device over existing Ethernet cabling.
Used by IP phones and some wireless access points.

Layer 3 Functions

Layer 3 switches offer advanced functionality. (Routes traffic & security policies)
Layer 3 switches are also known as multilayer switches.
Ø

1.2.3 SWITCH FEATURES IN HEIRARCHICAL NETWORK

Access Layer Switch Features

Access layer switches connect end devices to network.
Access layer switches need to support port security, VLANs, Fast/Gigabit Ethernet, PoE and link aggregation.
Port security = how many or what specific devices are allowed to connect to switch.
Voice traffic on separate VLAN. (Supports + bandwidth, redundant connections, improved security ).
Access layer switches set VLANs for end devices on network.
Port speed = Fast Ethernet or Gigabit Ethernet switch ports.
Fast Ethernet adequate for IP telephony and data traffic on business networks however.
Switches that support Gigabit Ethernet = +$$.
PoE = ++$$$
Use PoE only if voice convergence required or wireless access points are difficult to power.
Link aggregation allows switch to use multiple links simultaneously.
QoS maintains prioritization of traffic.

Distribution Layer Switch Features

Provide inter-VLAN routing functions.
Distribution layer switches alleviate core switches from needing to perform task.
Switches here layer need to support Layer 3 functions.

Security Policies

Layer 3 functionality is required for advanced security policies that are applied to network traffic.
An Access Control List (ACL) prevents certain types of traffic and permit others.
ACLs control which network devices can communicate on network.
Distribution layer switches have ample processing capability to handle additional load.
Simplifies management of ACLs.

Quality of Service

Switches here need to support QoS for traffic coming from access layer.
If not all of network devices support QoS, benefits are reduced.
Switches here are under high demand due to functions they provide.
Must support redundancy for adequate availability.
Switches here are implemented in pairs to ensure availability.
Distribution layer switches should support multiple, hot swappable power supplies.

Link Aggregation

Switches here accept incoming traffic from multiple access layer switches and need to forward that traffic as fast as possible to core layer switches.
Due to this, switches here also need high-bandwidth links back to core layer switches.
Newer distribution layer switches support aggregated 10 Gigabit Ethernet (10GbE) uplinks to the core layer switches.

Core Layer Switch Features

Requires switches that can handle very high forwarding rates.
Determine forwarding rate by conducting/examining traffic flow reports and user analyses.
Identify appropriate switch to support network.

Link Aggregation

Ensure adequate bandwidth coming into core from distribution layer switches.
Switches here should support aggregated 10GbE connections.

Redundancy

Availability here is critical – build in as much redundancy as possible.
Layer 3 redundancy has faster convergence than Layer 2 redundancy if hardware fails.
Core layer switches need to support Layer 3 functions.
Core layer switches should have additional hardware redundancy features.
Switches here should have more sophisticated cooling options.

QoS

At core and network edge, mission-critical/time-sensitive traffic should receive highest QoS guarantees.
Core layer switches can be cost effect in supporting optimal use of existing bandwidth.

1.2.4 SWITCHES FOR SMALL & MEDIUM SIZED BUSINESSES

Catalyst Express 500

Entry-layer switch.
- Forwarding rates from 8.8 Gb/s to 24 Gb/s
- Layer 2 port security
- Web-based management
- Converged data/IP communications support
- Available in different fixed configurations:
  - Fast Ethernet and Gigabit Ethernet connectivity
  - Up to 24 10/100 ports with optional PoE or 12 10/100/1000 ports
  - Appropriate for access layer where high port density is not needed.
  - Suitable for small business from 20 to 250 employees.
  - NO management via Cisco IOS CLI.
  - Managed via Cisco Network Assistant or new Cisco Configuration Manager.
  - Does not support console access.

Catalyst 2960

Suitable for:
- Entry-layer enterprise
- Medium-sized business
- Branch office networks.
- Suitable for Access layer where access to power and space is limited.
  - Forwarding rates from 16 Gb/s to 32 Gb/s
  - Multilayered switching
  - QoS features support IP comms
  - Access control lists (ACLs)
  - Fast Ethernet /Gigabit Ethernet connectivity
  - Up to 48 10/100 or 10/100/1000 ports
  - Additional dual purpose gigabit uplinks
  - Does not support PoE.
  - Supports Cisco IOS CLI, web management interface and Cisco Network Assistant.
  - Supports console and auxiliary access to the switch.

Catalyst 3560

Enterprise-class switches
Access layer switches for:
- Small enterprise
- Branch-office converged network environments.
- Supports:
  - PoE
  - QoS
  - ACLs.
  - Forwarding rates of 32 Gb/s to 128 Gb/s

Available in different fixed configurations:
- Fast Ethernet and Gigabit Ethernet connectivity
- Up to 48 10/100/1000 ports
- 4 small form-factor pluggable (SFP) ports
- Optional 10 Gigabit Ethernet connectivity (Catalyst 3560-E models)
- Optional Integrated PoE

Catalyst 3750

Access layer switches in:
- Midsize orgs
- Enterprise branch offices.
- Forwarding rates from 32 Gb/s to 128 Gb/s (Catalyst 3750-E switch series).
- Supports Cisco StackWise technology. (allows connect 9 switches into one logical switch)
- Available in different stackable fixed configurations:
  - Fast Ethernet and Gigabit Ethernet connectivity
  - Up to 48 10/100/1000 ports and 4 SFP ports
  - Optional 10 Gigabit Ethernet connectivity (Catalyst 3750-E models)
  - Optional Integrated PoE

Catalyst 3750

Access layer switches in:
- Midsize orgs
- Enterprise branch offices.
- Forwarding rates from 32 Gb/s to 128 Gb/s (Catalyst 3750-E switch series).
- Supports Cisco StackWise technology.

Available in different stackable fixed configurations:
- Fast Ethernet and Gigabit Ethernet connectivity
- Up to 48 10/100/1000 ports and 4 four SFP ports
- Optional 10 Gigabit Ethernet connectivity (Catalyst 3750-E models)
- Optional Integrated PoE

Catalyst 4500

Midrange modular switching platform.
Capable of managing traffic at the distribution layer
Offers multilayer switching for:
- Enterprises
- Small- to medium-sized businesses
- Service providers.

Forwarding rates up to 136 Gb/s, the Catalyst 4500 series is.
Allows for very high port densities via addition of line cards to modular chassis. T
Offers multilayer QoS and sophisticated routing functions.

Available in different modular configurations:
- Modular 3, 6, 7, and 10 slot chassis (different layers of scalability)
- Up to 384 Fast Ethernet/Gigabit Ethernet ports available in copper or fibre
- 10 Gigabit uplinks
- PoE
- Dual, hot-swappable internal AC or DC power supplies
- Advanced hardware-assisted IP routing capabilities

Catalyst 4900

Allows very high forwarding rates.
Specialty access layer switch designed for data centres
- Supports dual, redundant, hot-swappable power supplies and fans
- Support advanced QoS features (back-end IP telephony hardware).
- Do not support StackWise or PoE.
- Available in different fixed configurations:
  - Up to 48 10/100/1000 ports with 4 x SFP ports or 48 10/100/1000 ports with 2 x 10GbE ports
  - Dual, hot-swappable internal AC or DC power supplies
  - Hot-swappable fan trays

Catalyst 6500

Optimized for secure, converged voice, video and data networks.
Manage traffic at distribution and core layers.
Highest performing Cisco switch
Supports forwarding rates up to 720 Gb/s.
Very large network environments:
- Enterprises
- Medium-sized businesses
- Service providers.

Available in different modular configurations:
- Modular 3, 4, 6, 9, and 13 slot chassis
- LAN/WAN service modules
- Supports up to:
  - 420 IEEE 802.3af Class 3 (15.4W) PoE devices
  - 1152 10/100 ports, 577 10/100/1000 ports
  - 410 SFP Gigabit Ethernet ports
  - 64 10 Gigabit Ethernet ports
  - Dual, hot-swappable internal AC or DC power supplies
  - Advanced hardware-assisted IP routing capabilities

CHAPTER-11-Exploration2-Thurs/Fri-MT/KG

mjlilley — Tue, 06 Apr 2010 04:55:33 +0000

CHAPTER-11-Exploration2-Thurs/Fri-MT/KG

11.1.2 OSPF Message Encapsulation

Data portion of OSPF message is encapsulated in packet.
Data field = one of five OSPF packet types.
OSPF packet header included with every OSPF packet, regardless of type.
OSPF packet header and packet type-specific data are encapsulated in IP packet.
In IP packet header:
Protocol field set: 89 = OSPF
Destination address set to multicast addresses: 224.0.0.5 or 224.0.0.6.
Destination MAC address set to multicast address: 01-00-5E-00-00-05 or 01-00-5E-00-00-06. (If OSPF packet is encapsulated in Ethernet frame)

11.1.4 Hello Protocol

OSPF packet Type 1 = OSPF Hello packet.
Hello packets:
- Find OSPF neighbours and establish adjacencies.
- Advertise parameters on which two routers must agree to become neighbours.
- Elect Designated Router and Backup Designated Router on multi-access networks.

Important fields:
- Type: OSPF Packet Type
- Router ID: ID of originating router
- Area ID: area from which packet originated
- Network Mask: Subnet mask associated with sending interface
- Hello Interval: number of seconds between sending router’s hellos
- Router Priority: Used in DR/BDR election
- Designated Router: Router ID of the DR
- Backup Designated Router: Router ID of the BDR
- List of Neighbours: Lists OSPF Router ID of neighbouring router(s)

Neighbour Establishment:

OSPF router determines if OSPF neighbours exist before it floods its link-states to other routers.
Info in the OSPF Hello includes Router ID of router sending Hello packet
Receiving an OSPF Hello packet on interface confirms there is another OSPF router on this link.
OSPF then establishes adjacency with the neighbour.

OSPF Hello and Dead Intervals

Before routers form an OSPF neighbour adjacency, they must agree on 3values:
- Hello interval
- Dead interval
- Network type
- Hello interval = how often an OSPF router transmits Hello packets. Default= 10secs.
- OSPF Hello packets sent as multicast to IP address 224.0.0.5.
- Multicast address allows device to ignore packet (saves CPU time on non-OSPF devices).
- Dead interval = period that router waits to receive Hello packet before declaring neighbour “down.”
- Cisco default = 4 x Hello interval. Default dead interval = 40 seconds.
- If Dead interval expires before router receives Hello packet, OSPF will remove neighbour from its link-state database.
- The router floods link-state info about the “down” neighbour out all OSPF enabled interfaces.

Electing a DR and BDR (Designated Router and Backup Designated Router)

To reduce amount of OSPF traffic on networks, OSPF elects DR and BDR.
DR responsible for updating all other OSPF routers (DROthers) when network change occurs.
BDR monitors DR and takes over as DR if current DR fails.
If routers are connected through point-to-point links no DR/BDR election occurs.

11.1.5 OSPF Link State Updates

LSUs are packets used for OSPF routing updates.
packet can contain 11 different types of Link-State Advertisements (LSAs)
An LSU contains one or more LSAs.
An LSU or LSA can be used to refer to link-state info propagated by OSPF routers.

11.1.6 Link State Algorithm

Each OSPF router keeps link-state database containing LSAs received from all other routers.
Once router received all LSAs and built local link-state database, OSPF uses Dijkstra’s SPF algorithm to create SPF tree.
SPF tree used to populate IP routing table with best paths to each network.

11.1.7 OSPF AD

Default administrative distance of OSPF = 110

11.2.1 Router OSPF command

OSPF is enabled with:
- #router ospf

Process-id = # between 1 and 65535
The process-id is locally significant and does not have to match other routers to establish adjacencies. (unlike EIGRP)

Network command:
- Router(config-router)# area

Area-id = OSPF area.
OSPF area = group of routers that share link-state info.
All OSPF routers in same area must have same link-state info in databases. (single-area OSPF)
Advantages to configuring large OSPF networks as multiple areas:
- Smaller link-state databases
- Able to isolate unstable network problems within area.

0 area =backbone area in multi-area OSPF.
The figure shows the network commands for all three routers, enabling OSPF on all interfaces. At this point all routers should be able to ping all networks.

11.2.4 OSPF Router ID

Determining the Router ID

Used to uniquely identify each router in OSPF routing domain.
Router ID = IP address.
To verify router ID use:
- show ip protocols
- show ip ospf
- show ip ospf

Router ID based on 3 criteria:
- Use IP address configured with OSPF router-id command.
- If router-id not configured, router chooses highest IP address of any of its loopback interfaces.
- If no loopback interfaces configured, router chooses highest active IP address on physical interfaces.

Highest Active IP Address

Interface does not need to be enabled for OSPF, but interface must be active (up state).

Loopback Address

Is a virtual interface and automatically in up state when configured.
Unlike physical interfaces loopbacks cannot fail. (provides stability to the OSPF process).

Router(config)#interface loopback
Router(config-if)# < subnet-mask>

OSPF router-id command

Introduced in IOS 12.0(T)
Overrides loopback and physical interface IP addresses for determining router ID

Router(config)#router ospf process-id
Router(config-router)#router-id ip-address

Modifying the Router ID

Router ID is selected when OSPF is configured with first OSPF network command.
If OSPF router-id command or the loopback address is configured after OSPF network command, the router ID will be derived from interface with highest active IP address.
The router ID can be modified by reloading router or by using:

Router#clear ip ospf process

Duplicate Router IDs

When two routers have the same router ID routing may not function properly.
IOS will display a message similar to:
- %OSPF-4-DUP_RTRID1: Detected router with duplicate router ID

To prevent/correct this problem, configure all routers to have unique OSPF router IDs.

11.2.5 Verifying OSPF

“show ip ospf neighbour” is used to verify and troubleshoot OSPF neighbour relationships.
Command output for each neighbour:
- Neighbour ID – The router ID of neighbour.
- Pri – OSPF priority of interface.
- State – OSPF state of interface.
- Dead Time – Amount of time remaining to receive an OSPF Hello packet.
- Address – IP address of neighbour’s interface to which router is directly connected.
- Interface – interface on which router has formed adjacency with neighbour.

Two routers may not form an OSPF adjacency if:
- Subnet masks do not match, causing routers to be on separate networks.
- OSPF Hello or Dead Timers do not match.
- OSPF Network Types do not match.
- There is a missing / incorrect OSPF network command.

OSPF troubleshooting commands:
- show ip protocols
- show ip ospf
- show ip ospf interface

show ip protocols:
- OSPF process ID
- Router ID,
- Advertised networks
- Neighbours router is receiving updates from
- Default administrative distance (OSPF=110).

show ip ospf:
- OSPF process ID
- Router ID.
- OSPF area info
- Time last SPF algorithm calculated.

Network that constantly changes between an up and down state = flapping link.
Flapping link causes routers constantly recalculate SPF algorithm, preventing convergence.
To minimize problem, router waits 5 seconds after receiving an LSU before running algorithm.
This called “SPF schedule delay”.
To prevent router from constantly running algorithm, additional Hold Time= 10 seconds.

show ip ospf interface:
- Verify Hello intervals
- Verify Dead intervals

11.3.1 OSPF Metric

OSPF metric = cost. (RFC 2328)
Output side of each router interface has an associated cost.
Cost configured by admin.
Lower cost = likeliness interface used to forward data traffic.
RFC 2328 does not specify which values used to determine cost.
Cisco IOS uses bandwidths of outgoing interfaces to destination network as cost value.
Cost for an interface = 10^8 / bandwidth( bps). (reference bandwidth.)
Interfaces with higher bandwidth values hsve lower calculated cost.

Reference Bandwidth

Defaults to 10^8 (100,000,000 bps / 100 Mbps).
Reference bandwidth can be modified to allow faster than 100 Mbps links lower cost.
Use “auto-cost reference-bandwidth” command when necessary so OSPF metric is consistent.

Default Bandwidth on Serial Interfaces

Use” show interface ” to view bandwidth value of interface.
Cisco routers default bandwidth value on some serial interfaces is T1 (1.544 Mbps).
Some serial interfaces may default to 128 kbps.
Always check default value.

Bandwidth value does not affect speed of link; used by routing protocols to find routing metric.
Bandwidth value should reflect actual speed of link so routing table has accurate best path info.
Verify calculated OSPF cost of interface with “show ip ospf interface”.

11.3.2 Modifying Cost of a Link

When interfaces are not actually operating at default speeds, manual modification is needed.
Both sides of link should be configured to have same value.
Use“ bandwidth interface” or “ip ospf cost interface” commands to modify value.

Bandwidth Command (modifies bandwidth)

Router(config-if)#bandwidth

Ip ospf cost Command (modifies cost)

R1(config)#interface
R1(config-if)#ip ospf cost

Bandwidth vs Ip ospf cost

Ip ospf cost command useful where non-Cisco routers use other metrics to calculate OSPF costs.
Bandwidth command uses result of cost calculation to determine cost of the link.
Ip ospf cost command bypasses calculation by directly setting cost of link to specific value.

11.4.1 Challenges in multi-access networks

Multi-access network = more than two devices on same shared media.
Point-to-point networks have only two devices on network; one at each end.
OSPF defines five network types:
- Point-to-point
- Broadcast Multiaccess
- Nonbroadcast Multiaccess (NBMA)
- Point-to-multipoint
- Virtual links

NBMA and point-to-multi-point networks include Frame Relay, ATM, and X.25 networks.

Multiple Adjacencies

Creates unnecessary # of adjacencies; excessive LSAs between routers on network.
Adjacencies = n (n – 1) / 2 where n =number of routers.

Flooding of LSAs

Link-state routers flood packets when OSPF initialized or when change in topology.
In multi-access networks this flooding can become excessive.

Designated Router (DR)

Designated Router is elected to be collection / distribution point for LSAs sent / received.
Backup Designated Router is also elected in case Designated Router fails.
All other routers become DROthers (neither DR or BDR).
Routers on multiaccess network elect DR and BDR.
DROthers only form full adjacencies with DR and BDR in network.
DROthers only send their LSAs to DR and BDR using multicast IP: 224.0.0.6 (ALLDRouters)
BDR listens to DROthers too.
DR responsible for forwarding LSAs from updating router to all other routers.
DR uses multicast address 224.0.0.5 (AllSPFRouters).
One router (DR) does all flooding of all LSAs in multi-access network.

11.4.2 DR/BDR Election Process

Topology Change

DR/BDR elections do not occur in point-to-point networks.

DR/BDR Election

Election criteria:
- DR: Router with highest OSPF interface priority.
- BDR: Router with second highest OSPF interface priority.
- If OSPF interface priorities are equal, highest router ID used.

If Router not elected as DR or BDR, it becomes a DROther.
DROthers only form FULL adjacencies with DR and BDR.
DROthers still form neighbour adjacency with any DROthers that join network. (Hello packets)

# show ip ospf neighbor : displays neighbour adjacency
# show ip ospf interface : displays ospf state (DR, BDR or DROther)

Timing of DR/BDR Election

Election held when first router with OSPF enabled interface is active on multi-access network.
Occurs when routers powered-on or OSPF network command for interface is configured.
Election process takes few seconds.
If all of routers on network have not finished booting, router with lower ID may become DR.
When DR is elected, it remains the DR until:
- DR fails.
- OSPF process on DR fails.
- Multi-access interface on DR fails.

If DR fails, BDR assumes role of DR and election held to choose new BDR.
If new router enters network after DR /BDR elected, it will not be DR / BDR even if higher ID or interface priority than current DR / BDR.
New router can be elected BDR if current DR / BDR fails.
Previous DR does not regain DR status if returns to network.
If BDR fails, election held among DROthers to see who will be new BDR.

To ensure routers you want to be DR / BDR win election:
- Boot up DR first, followed by BDR, and then all other routers.
- Shut down interface on all routers, do a no shutdown on DR, then BDR, then DROthers.
- Change OSPF interface priority to better control DR/BDR elections.

Router(config-if)#ip ospf priority {0 – 255}
0 = ineligible for DR/BDR
1= low priority
255= high priority
Priorities are interface-specific, they allow router to be DR in 1 network and DROther in another.

Topology

OSPF routing domain and a non-OSPF network = Autonomous System Boundary Router (ASBR).

R1(config)#ip route 0.0.0.0 0.0.0.0 loopback 1 (simulates connection to ISP Router)
R1(config-router)#default-information originate

O*E2 0.0.0.0/0 [110/1] via 192.168.10.10, 00:05:34, Serial0/0/1
- E2 denotes that route is an OSPF External Type 2 route.

External Type 1 (E1): Identical to cost calculations for normal OSPF internal routes.
External Type 2 (E2): Cost of an E2 route is always external cost.

Reference Bandwidth

Can be modified to accommodate faster links.
Use command on all routers so OSPF routing metric remains consistent:
- R1(config-router)#auto-cost reference-bandwidth

Modifying OSPF Intervals

OSPF Hello and Dead intervals can be modified manually:
- Router(config-if)#ip ospf hello-interval
- Router(config-if)#ip ospf dead-interval

Good practice to modify dead timer so that modifications are documented in configuration.
Verify neighbor adjacency is restored with “show ip ospf neighbor” command

CHAPTER-10-Exploration2-Thurs/Fri-MT/KG

mjlilley — Tue, 06 Apr 2010 04:47:40 +0000

CHAPTER-10-Exploration2-Thurs/Fri-MT/KG

10.1.1.1 Link-State Routing Protocols

A.K.A. shortest path first protocols which are built on Edsger Dijkstra’s SPF algorithm.

IP link-state routing protocols:
- Open Shortest Path First (OSPF)
- Intermediate System-to-Intermediate System (IS-IS)

Basic OSPF operations :
- #router ospf
- #network

Link-state routing protocols for non-IP networks:
- DEC’s DNA Phase V
- Novell’s NetWare Link Services Protocol (NLSP)

10.1.2.1 SPF Algorithm

Dijkstra’s algorithm accumulates costs along each path, between source and destination.
“Shortest path first” is in purpose of every routing algorithm.
Each router determines its own cost (own perspective) to each destination in topology.

10.1.3.1 Link-State Routing Process

For a link-state routing protocol to reach state of convergence, all routers in topology must complete generic link-state routing process:

All routers learn about own directly connected networks. (Detects interface is in up state).
All routers responsible for meeting neighbours on directly connected networks. (Exchange Hello packets with other LSR’s on directly connected networks).

Each router builds a Link-State Packet (LSP) with info on state of each directly connected link. (info = each neighbour ID, link type and bandwidth).
Each router floods LSP to all neighbours, who store all LSPs received in database. This process continues until all routers in area have received LSPs. Each router stores copy of each LSP received from neighbours in local database.
Each router uses database to construct complete map of the topology and computes the best path to each destination network ( from its own perspective). Router now has a complete map of all destinations in topology and routes to reach them. SPF algorithm is constructs map of topology and determines best path to each network.

10.1.4.1 Learning about directly connected networks

When interfaces are correctly configured and activated, router learns about its own directly connected networks.
Regardless of routing protocol, directly connected networks are now part of routing table.

Link:

Is an interface on a router.
Interface must be properly configured and in up state before protocol can learn about a link.
Interface must be included in a network statement before it can participate in routing process.

Link-State:

Information about state of links = link-states.
Link state info includes:
- The interface’s IP address and subnet mask.
- The type of network: Ethernet (broadcast) or Serial (PtoP)
- The cost of link.
- Any neighbour routers on link.

10.1.5.1 Sending Hello packets to Neighbours

Neighbour = any other router that is enabled with same link-state routing protocol.
Routers send Hello packets out its interfaces to discover any neighbours.
Neighbours reply to Hello packet with their own Hello packets.
If Router does not receive a Hello on an interface, there are no neighbours out this interface.
Neighbours form an adjacency. (Continue exchanging “hello” to monitor state of neighbour).
If router stops receiving Hello packets, then that neighbour is considered unreachable and adjacency is broken.

10.1.6.1 Building LSP’s

Each router builds a Link-State Packet (LSP) with on state of each directly connected link.
Once adjacencies are formed, router can build its link-state packets (contain info about its links).
Example of LSPs is:
- R1; Ethernet network 10.1.0.0/16; Cost 2
- R1 -> R2; Serial point-to-point network; 10.2.0.0/16; Cost 20
- R1 -> R3; Serial point-to-point network; 10.3.0.0/16; Cost 5
- R1 -> R4; Serial point-to-point network; 10.4.0.0/16; Cost 20

10.1.7.1 Flooding Link-State Packets to Neighbours

Each router floods LSP to all neighbours, who store all LSPs received in local database.
Each router floods its link-state info to all other link-state routers in routing area.
When router receives an LSP from neighbouring router, it sends that LSP out all other interfaces except interface that received LSP. (This creates flooding effect of LSPs from all routers in area).
Link-state routing protocols calculate SPF algorithm after flooding is complete (faster convergence).
LSPs are not sent periodically.

LSP only needs to be sent when:
- Initial start-up of router or routing protocol process on that router.
- There is change in topology (link down/up or neighbour adjacency established/broken)
- Info included in LSP (on top of link-state info):
  - sequence numbers
  - aging information (to help determine if already received LSP from another router )

10.1.8.1 Constructing a link state database

Each router uses database to construct a complete map of topology and computes best path to each destination network.
After link-state flooding process, each router has LSP from every router in routing area.
LSPs stored in link-state database.
Router now uses SPF algorithm to construct SPF tree.

An SPF Tree:

10.1.9.1 SPF Tree

Using shortest path info table (determined by SPF algorithm), paths are added to routing table.

10.2.1.1 Link-State Advantages

Builds a Topological Map:

Link-state routing protocols exchange link-states, so SPF algorithm can build tree of network.
Each router can independently determine shortest path to every network.

Fast Convergence:

Link-state routing protocols immediately flood the LSP out all interfaces (except interface LSP was received) prior to processing.

Event-driven Updates:

After initial flooding of LSPs, link-state routing protocols only send LSP when change in topology.
LSP contains only info regarding affected link.

Hierarchical Design:

Link-state routing protocols use areas. This creates hierarchical design and allows for better route aggregation (summarization) and isolation of routing issues within an area.

10.2.2.1 Requirements of a Link-State Routing Protocol

Modern link-state protocols designed to minimize effects on memory, CPU and bandwidth.
Multiple areas reduce size of link-state databases.
Multiple areas limit amount of link-state info flooding in routing domain and send LSPs only to needed routers.
This can help isolate unstable link to specific area in routing domain.
Routers in other areas will learn this route is down via link-state packet that does not cause them to rerun their SPF algorithm.
Routers in other areas can update their routing tables directly.

Memory:

Requirements are increased ue to the use of link-state databases and creation of SPF tree.

Processing:

Dijkstra’s/SPF algorithm requires more CPU time than distance vector algorithms/Bellman-Ford due to building a complete map of topology.

Bandwidth:

Link-state packet floods can affect available bandwidth on network. (Router start-up only)
Can be an issue on unstable networks.

There are two link-state routing protocols used for routing IP today:

10.2.3.1 Link-State Routing Protocol Comparison

OSPF= Open Shortest Path First:

Designed by in 1987 by IETF (Internet Engineering Task Force).
OSPFv2: OSPF for IPv4 networks (RFC 1247 and RFC 2328)
OSPFv3: OSPF for IPv6 networks (RFC 2740)

IS-IS= Intermediate System-to-Intermediate System:

Designed by ISO (International Organization for Standardization).
Described in ISO 10589.
DECnet Phase V. was developed at DEC (Digital Equipment Corporation).
Originally designed for t OSI protocol suite (not TCP/IP).
Integrated IS-IS( Dual IS-IS) included support for IP networks.
Used mainly by ISPs and carriers, more enterprise networks are beginning to use IS-IS.
OSPF and IS-IS share many similarities and also have many differences.

CHAPTER- 9-Exploration2-Thurs/Fri-MT/KG

mjlilley — Tue, 06 Apr 2010 04:46:22 +0000

CHAPTER- 9-Exploration2-Thurs/Fri-MT/KG

9.1.1.1 Enhanced Interior Gateway Routing Protocol

IGRP

Developed proprietarily by Cisco IGRP in 1985 (due to limitations of RIPv1)
IGRP and EIGRP use metrics of bandwidth, delay, reliability and load.
Default =bandwidth and delay.
IGRP = classful routing protocol (Bellman-Ford algorithm)
Cisco discontinued IGRP starting with IOS 12.2(13)T and 12.2(R1s4)S.

The Algorithm

Traditional distance vector routing protocols age out routing entries (Need periodic updates).
EIGRP uses Diffusing Update Algorithm (DUAL).
EIGRP does not send periodic updates and route entries do not age out.
EIGRP uses Hello protocol to monitor connection status with neighbours.
Changes in routing info (new link / unavailable link) causes triggered update.

Path Determination

RIP and IGRP must wait for another routing update with an available route to remote network.
EIGRP’s DUAL keeps topology table and routing table (Loop-free best path and backup paths)
Loop-free = neighbour does not have route to destination network that passes via this router.
If an original route = unavailable, DUAL searches topology table for valid backup path.
If one exists, route is entered into routing table.
If backup path = not exist, DUAL does a network discovery process find backup path that did not meet requirement of feasibility condition. (How much does a feasibility study cost anyway?)

Convergence

Periodic updates = unreliable nature (prone to routing loops & count-to-infinity).
To avoid this protocols use hold-down timers, which cause long convergence times.
EIGRP does not use hold-down timers.
EIGRP has faster convergence than traditional distance vector routing protocols.

9.1.2.1 EIGRP Message Format

Encapsulated data field = Type/Length/Value (TLV).
Types of TLVs:
- EIGRP Parameters
- IP Internal Routes
- IP External Routes

Packet header included in every EIGRP packet.
EIGRP packet header and TLV encapsulated in IP packet.
Protocol field = 88 (EIGRP), destination address = 224.0.0.10 (multicast).
Ethernet frame destination multicast MAC: 01-00-5E-00-00-0A.

9.1.2.2 EIGRP Message Format

EIGRP Packet Header:

Opcode specifies EIGRP packet type:
- Update
- Query
- Reply
- Hello
- Cisco routers can run multiple instances of EIGRP.
- AS # used to track instance of EIGRP.

TLV: EIGRP Parameters:

Bandwidth and delay are weighted by default (K1 and K3 fields set to 1).
Hold Time = time that receiving EIGRP neighbour should wait before determining advertising router to be down.

TLV: IP Internal:

Message used to advertise EIGRP routes within AS.
Delay = sum of delays from source to destination (units of 10 microseconds).
Bandwidth = lowest configured bandwidth of any interface along route.
Subnet mask = prefix length or #of network bits in subnet mask.

TLV: IP External:

Message used when external routes imported into EIGRP routing process.
Bottom half of IP External TLV includes all fields used in IP Internal TLV.
Maximum Transmission Unit (MTU) is not one of the metrics used by EIGRP.

MTU is included in routing updates but not used to determine routing metric.

9.1.3.1 Protocol Dependent Modules (PDM)

EIGRP is capable of routing several different protocols:
- IP
- IPX
- AppleTalk

EIGRP uses Reliable Transport Protocol (RTP)
EIGRP cannot use UDP or TCP because IPX and Apple-talk do not use TCP/IP protocols.

9.1.4.1 RTP and EIGRP Packet types

Reliable RTP = acknowledgement.
Unreliable RTP packet = no acknowledgement.
RTP can send packets either uni-cast or multicast.
EIGRP packets use reserved multicast address: 224.0.0.10.

9.1.4.2 EIGRP Packet types

Hello

Used by EIGRP to discover and form adjacencies with neighbours.
Hello packets are multicasts and use unreliable delivery.

Update and ACK

Used by EIGRP to propagate routing info.
EIGRP does not send periodic updates.
EIGRP update packets use reliable delivery.
Updates sent as multicast when required by multiple routers.
Updates sent as uni-cast when needed by only a single router.
With point-to-point links, updates are sent as uni-casts.
ACK packets are sent by EIGRP via a uni-cast address when reliable delivery is used.
RTP uses reliable delivery for EIGRP update, query, and reply packets..

Query and Reply

Used by DUAL when searching for networks.
Use reliable delivery.
Queries = multicast
Replies= uni-cast.
Neighbours must send a reply, even if they do not have a route to downed network.

9.1.5.1 Hello Protocol

EIGRP neighbours are other routers using EIGRP on shared, directly connected networks.
Neighbours are discovered and established adjacencies with using Hello packet.
EIGRP Hello packets are sent every 5 seconds.
Hold-time = max time router should wait to receive next Hello before saying” Hey …wait a sec – there’s nobody home” (unreachable).
Default hold time = 3 x “hello interval”
If hold time expires, EIGRP says “route down” and DUAL will search for new path.

9.1.6.1 Bounded Updates

Partial/bounded updates are sent only when metric for route changes.
Partial = info about route changes, instead of sending entire contents of routing table.
Bounded = sent only to routers affected by change.

9.1.7.1 DUAL

Diffusing Update Algorithm = convergence algorithm used by EIGRP.
Primary way that EIGRP prevents routing loops is with DUAL algorithm.
DUAL algorithm allows routers involved in topology change to synchronize at same time.
Routers not affected by topology changes are not involved in re-computation.

FSM:

DUAL Finite State Machine = a model of behaviour to a # of states.
DUAL FSM tracks all routes, uses metric to select loop-free paths.
Also selects routes with least cost path to put into routing table.

9.1.8.1 Administrative Distance

= Trustworthiness/Preference of route source.
EIGRP default AD = :
- 90 for internal routes
- 170 for routes imported from an external source

EIGRP = most preferred IGP by Cisco IOS because it has lowest AD

9.1.9.1 Authentication

RIPv2, EIGRP, OSPF, IS-IS and BGP can all be configured to encrypt and authenticate their routing info.
Good practice to authenticate transmitted routing info.
Ensures routers only accept routing info from other routers that have been configured with same password or authentication info.
Authentication does not encrypt the router’s routing table.

9.2.2.1 Autonomous Systems and Process IDs

Networks under admin control of a single entity using a common routing policy to Internet.
RFC 1930.
AS # assigned by Internet Assigned Numbers Authority (IANA).
32-bit AS numbers are assigned. Available AS numbers = 4 billion+.

Process ID:

EIGRP and OSPF use process ID to identify instance routing of protocol running on router.
Router(config)#router eigrp
Process ID can be assigned any 16-bit value. (1-65535)

9.2.5.1 Verifying EIGRP

EIGRP routers establish adjacencies with neighbours by exchanging EIGRP Hello packets.
Use ”show ip eigrp neighbors” command to verify adjacent neighbours.
If neighbour not listed in table:
- Check the local interface using show ip interface brief.
- Try pinging IP address of neighbour.

If ping is successful and EIGRP still does not see neighbour:
- Are both routers configured with same EIGRP process ID?
- Is directly connected network included in EIGRP network statements?
- Is passive-interface command configured to prevent EIGRP Hello packets on interface?

Use “ show ip protocols” command to verify EIGRP is enabled.

EIGRP automatically includes a null0 summary route as a child route whenever:
- There is at least one subnet that was learned via EIGRP.

and

Automatic summarization is enabled.

9.2.5.1 Verifying EIGRP

9.3.2.1 EIGRP Metrics

“Show interface” command lets you examine actual values used for bandwidth, delay, reliability, and load.

Bandwidth:

Static value may /may not reflect actual physical bandwidth of interface.
Default value can be changed by admin.

Delay (DLY):

Measure of time it takes for a packet to traverse route.
Static value based on type of link to which interface is connected.
Is measured in microseconds.
Not measured dynamically (No actual tracking of how long packets take to reach destination).
Default value can be changed by admin.

Reliability:

Measures probability that link will fail or how often link has errors.
Measured dynamically (0 -255) 1 = minimal reliability, 255 = 100% reliable.
Is calculated on a 5-minute weighted average to avoid impact of high/low error rates.

Load:

Amount of traffic utilizing link.
Measured dynamically (0 – 255). Lower load value is more desirable.
TX load and RX load

9.4.2.1 DUAL

Successor:

Neighbouring router used for packet forwarding which is least-cost route to destination network.

Feasible distance:

Lowest calculated metric to reach destination network.
FD is also known as the metric for the route.

Feasible Successor:

DUAL can converge quickly after change in topology due to backup paths to other routers.

9.4.6.1 DUAL Finite State Machine

By default, EIGRP uses t Null0 interface to discard any packets that match parent route but do not match any child routes. AKA”the bit bucket.”
Routers discard any packets that match Null0 summary route and do not match child routes.
EIGRP automatically includes a null0 summary route as a child route whenever:
- There is at least one subnet that was learned via EIGRP.
- Automatic summarization is enabled.

EIGRP automatically summarizes at major network boundaries.