IP Services Notes.
IP Services.
ARP: IP to MAC.
RARP: MAC to IP.
Proxy ARP: IP to MAC.
ARP messages do not include an IP header, even though they carry a destination and a source IP address. ARP requests list a destination of 255.255.255.255.
ARP Ethertype is 0x0806.
IP Ethertype is 0x0800.
Proxy ARP uses the same message as ARP, but the ARP request is actually asking for a MAC address that is not on the local subnet.
RARP-BOOTP-DHCP.
All three work following this logic:
-Client broadcast.
-Server Responds.
-Server assigns IP.
RARP uses ARP messages, but the ARP request lists a target MAC address of its own MAC address and a target IP address of 0.0.0.0.
A RARP server does a table lookup and assigns the IP mapped to that MAC address.
BOOTP uses different messages, encapsulated in IP and UDP headers.
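As an added example (not from these notes), the ARP message layout in Python: the 28-byte body carries sender/target MAC and IP fields but rides directly on Ethernet (Ethertype 0x0806) with no IP header, and the RARP request is built the way the notes describe it (target MAC = own MAC, target IP 0.0.0.0). RARP's own Ethertype 0x8035 comes from RFC 903, not from the notes; the MAC and IP values used are constructed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806    # from the notes above
ETHERTYPE_RARP = 0x8035   # RFC 903: RARP reuses the ARP layout under its own Ethertype
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff or Cisco aabb.ccdd.eeff notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, dst_mac, ethertype, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP/RARP body. There is no IP header anywhere."""
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    body += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    body += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + body

def arp_request(own_mac, own_ip, wanted_ip):
    """Who-has: broadcast on the wire, target MAC still unknown (all zeros)."""
    return build_frame(own_mac, BROADCAST_MAC, ETHERTYPE_ARP, 1,
                       own_mac, own_ip, "00:00:00:00:00:00", wanted_ip)

def rarp_request(own_mac):
    """As in the notes: target MAC is the sender's own MAC, target IP is 0.0.0.0."""
    return build_frame(own_mac, BROADCAST_MAC, ETHERTYPE_RARP, 3,
                       own_mac, "0.0.0.0", own_mac, "0.0.0.0")

def parse_frame(frame):
    """Decode an ARP/RARP frame; reject anything else (e.g. IP, Ethertype 0x0800)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        raise ValueError(f"not ARP/RARP: Ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    b = frame[22:42]
    return {
        "ethertype": ethertype, "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "sender_mac": mac_str(b[0:6]), "sender_ip": str(IPv4Address(b[6:10])),
        "target_mac": mac_str(b[10:16]), "target_ip": str(IPv4Address(b[16:20])),
    }
```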
BOOTP also assigns:
-Subnet mask.
-Default gateway.
-DNS addresses.
Note: BOOTP requires static definitions on the server.
DHCP is dynamic.
[ip helper-address 10.1.2.202] is used to forward DHCP messages over different subnets.
Steps for configuring a Cisco router as DHCP server:
-Configure a DHCP pool.
-Configure the router to exclude its own IP address from the pool.
-Disable conflict logging or configure a DHCP database agent.
DHCP pool includes:
-Subnet.
-Default Gateway.
-Lease time.
-DNS domain.
-DHCP options.
The command [ip dhcp excluded-address] is used to exclude addresses from the pool.
[no ip dhcp conflict logging] is used to disable conflict logging.
The [ip dhcp database] command is used to configure a DHCP database agent.
Sample DHCP configuration.
int f0/0
ip add 10.1.1.1 255.255.255.0
ip helper-address 10.1.2.202 -----> (UDP broadcasts are forwarded as unicast to 10.1.2.202; the source is changed to 10.1.1.255).
!
ip dhcp excluded-address 10.1.1.0 10.1.1.20
!
ip dhcp pool subnet1
network 10.1.1.0 255.255.255.0
dns-server 10.1.2.203
default-router 10.1.1.1
lease 0 0 20 -----> (lease of 0 days, 0 hours, 20 minutes).
NAT.
Defined in RFC 1631.
Translates private IPs (RFC 1918) to public IP addresses (Internet-routable addresses).
Inside local: private ranges (inside enterprise addressing scheme).
Inside global: public IP, mapped to the inside local addresses.
Static NAT sample:
int f0/0
ip add 10.1.1.3 255.255.255.0 -----> Inside local
ip nat inside
!
int s0/0
ip add 200.1.1.251 255.255.255.0 -----> Inside global.
ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1
The router examines each packet arriving on the LAN interface and translates accordingly. It also examines packets arriving on int s0/0.
When static outside addresses are used, the router also looks at the destination IP address for packets going from inside to outside, and at the source IP address for packets going from outside to inside.
Dynamic NAT.
Creates one-to-one mappings between inside local and inside global addresses, using a pool of defined addresses.
Dynamic NAT (Overloading/PAT).
PAT works by making large numbers of TCP and UDP flows from many inside local hosts appear to be the same number of flows from one host's inside global address. With PAT, port numbers are also translated. Since the port number fields are 16 bits long, 65,000 concurrent TCP/UDP flows can be supported.
Commands used to configure and verify dynamic NAT and dynamic NAT with PAT.
ip nat pool POOL1 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool POOL1
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 pool POOL1 overload
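Added example (not the router's code): a minimal PAT translation table in Python showing why one inside global address can serve many inside local hosts, and that a returning packet with no matching (protocol, port) entry has nowhere to go. The port-preservation rule and the addresses used are assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatTable:
    """NAT overload: many inside local (ip, port) pairs share one inside global IP.

    Simplification (an assumption, not IOS internals): the original source port is
    kept when it is still free on the global address, otherwise the next free port is used.
    """

    def __init__(self, inside_global, low_port=1024):
        self.inside_global = inside_global
        self.low_port = low_port
        self.outbound = {}   # (proto, local ip, local port) -> global port
        self.inbound = {}    # (proto, global port) -> (local ip, local port)

    def _global_port(self, proto, local_ip, local_port):
        key = (proto, local_ip, local_port)
        if key in self.outbound:
            return self.outbound[key]
        port = local_port if (proto, local_port) not in self.inbound else None
        if port is None:                              # collision: scan the 16-bit port space
            port = next((p for p in range(self.low_port, 65536)
                         if (proto, p) not in self.inbound), None)
        if port is None:
            raise RuntimeError("PAT port space exhausted for " + proto)
        self.outbound[key] = port
        self.inbound[(proto, port)] = (local_ip, local_port)
        return port

    def inside_to_outside(self, pkt):
        """Rewrite source IP and port of a packet leaving through the outside interface."""
        gport = self._global_port(pkt.proto, pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.inside_global, src_port=gport)

    def outside_to_inside(self, pkt):
        """Rewrite the destination of a returning packet; None means no entry (the router drops it)."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.inside_global or entry is None:
            return None
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
```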
Verification Commands.
[show ip nat statistics].
[show ip nat translations].
[clear ip nat translations *].
[debug ip nat].
HSRP, VRRP, GLBP.
HSRP allows multiple routers to share a virtual IP and MAC address.
HSRP features.
-Virtual IP (must be on the same subnet as the router LAN interface) and virtual MAC (active on the active router).
-The standby router listens to hello messages from the active router (3-second hello, 10-second dead interval by default).
-Highest priority determines the active router, with preemption disabled by default (IOS default priority 100, range 1-255).
-Supports object tracking.
-255 HSRP groups per interface.
-Virtual MAC of 0000.0C07.ACxx (xx = HSRP group in hex).
-Cleartext and MD5 authentication (via a key chain).
Sample HSRP config.
First router:
track 13 interface s0/0.1 line-protocol
!
int f0/0
ip add 10.1.1.2 255.255.255.0
standby 21 ip 10.1.1.21 ---> (Virtual IP, group 21).
standby 21 priority 105 ---> (Priority for group 21).
standby 21 preempt ---> (Enabling preemption).
standby 21 track 13 ---> (Group 21 association to track object 13).
standby 22 ip 10.1.1.22 ---> (Virtual IP, group 22).
standby 22 track 13 ---> (Group 22 association to track object 13).
Second router:
track 23 interface s0/0.1 line-protocol
!
int f0/0
ip add 10.1.1.1 255.255.255.0
standby 21 ip 10.1.1.21
standby 21 track 23
standby 22 ip 10.1.1.22
standby 22 priority 105
standby 22 track 23 decrement 9 ---> (Group 22 association to track object 23, decrementing priority by 9 when the condition is met).
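Added example (not part of the notes): a Python model of the HSRP election for group 21 above, using the defaults stated in the notes (priority 100, preemption off, highest priority wins) plus two facts assumed from IOS behaviour: the highest interface IP breaks a priority tie, and [standby track] without a decrement value lowers the priority by 10. It shows that a tracking decrement on the active router only causes a switchover if the standby has preemption enabled.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class HsrpRouter:
    name: str
    ip: str                     # interface address; highest IP wins a priority tie
    priority: int = 100         # IOS default priority
    preempt: bool = False       # IOS default: preemption disabled
    tracks: dict = field(default_factory=dict)      # track object id -> decrement
    down_objects: set = field(default_factory=set)  # track objects currently down

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked object that is down."""
        return self.priority - sum(d for t, d in self.tracks.items() if t in self.down_objects)

class HsrpGroup:
    def __init__(self, routers):
        self.routers = list(routers)
        self.active = max(self.routers, key=self._rank)   # initial election

    @staticmethod
    def _rank(r):
        return (r.effective_priority(), int(IPv4Address(r.ip)))

    def hello_cycle(self):
        """Steady state: a better-ranked router takes over only if it has preemption enabled."""
        best = max(self.routers, key=self._rank)
        if best is not self.active and best.preempt:
            self.active = best
        return self.active

    def active_dead(self):
        """Dead timer expired (10 s by default): the best-ranked remaining router becomes active."""
        self.active = max((r for r in self.routers if r is not self.active), key=self._rank)
        return self.active

def sample_group_21():
    """Group 21 from the config above: R1 priority 105 with preempt, R2 at the default priority."""
    r1 = HsrpRouter("R1", "10.1.1.2", priority=105, preempt=True, tracks={13: 10})
    r2 = HsrpRouter("R2", "10.1.1.1", tracks={23: 10})
    return HsrpGroup([r1, r2]), r1, r2
```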
Verification commands.
[show standby f0/0].
[debug standby].
MHSRP (Multiple HSRP).
Two or more groups are configured on each HSRP LAN interface, where the configured priority determines which router will be active for each HSRP group.
VRRP (RFC 3768).
Cisco VRRP implementation features:
-VRRP uses a multicast virtual MAC (0000.5E00.01XX, where XX is the hex VRRP group number).
-VRRP supports object tracking (IOS mechanism).
-VRRP uses preemption by default.
-VRRP master is the same as HSRP active.
-The VRRP group IP address is the interface IP address of one of the VRRP routers.
GLBP.
-Cisco proprietary.
-Hosts point to a default gateway IP address, but GLBP causes different hosts to send their traffic to one of up to four routers in a GLBP group.
-The AVG (Active Virtual Gateway) assigns each router in the group a unique virtual MAC address with the format 0007.B400.XXYY (XX is the GLBP group number, YY is a different number for each router [01, 02, 03, 04]).
-When a client ARPs for the (virtual) IP of its default gateway, the GLBP AVG replies with one of the four possible virtual MACs.
-1024 GLBP groups, four routers (forwarders) per GLBP group.
NTP (RFC 1305).
Cisco routers and switches can be configured for the following modes:
-NTP client.
-NTP server.
-NTP symmetric active mode (router/switch mutually syncs with another NTP host).
Sample 4-router NTP config.
R1: NTP server.
R2: NTP static client.
R3: NTP broadcast client.
R4: NTP symmetric active mode.
R1:
int f0/0
ntp broadcast --------> (Broadcast NTP updates on that interface).
ntp authentication-key 1 md5 1514190900 7
ntp authenticate
ntp trusted-key 1
ntp master 7
Note: this is show run output.
R2:
ntp authentication-key 1 md5 1545626723 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17208144 ---> (added automatically as part of the sync process; should never be added manually).
ntp server 10.1.1.1
R3:
ntp broadcast client ----> (broadcast client).
R4:
ntp authentication-key 1 md5 000201300 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 1708233
ntp peer 10.1.1.1 -----> (this command implies symmetric active mode).
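Added example (not IOS code): the MD5 authentication that [ntp authentication-key], [ntp authenticate] and [ntp trusted-key] rely on, in Python. Per RFC 5905 the MAC appended to the 48-byte header is the 4-byte key ID followed by MD5(key || header); the key here is a constructed plaintext string, not the type-7 encoded value shown in the config above.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48     # LI/VN/mode byte through the transmit timestamp
MAC_LEN = 4 + 16        # key ID + MD5 digest appended after the header

def ntp_client_header(transmit_ts=0):
    """Constructed NTPv4 client-mode header (LI=0, VN=4, mode=3); most fields left at zero."""
    head = struct.pack("!BBBbIII", 0x23, 0, 4, -6, 0, 0, 0)  # LI/VN/mode, stratum, poll, precision, root delay, root dispersion, ref id
    return head + bytes(24) + struct.pack("!Q", transmit_ts)  # zero reference/origin/receive timestamps, then transmit

def ntp_mac(key, packet):
    """RFC 5905 symmetric-key MD5: digest over key || first 48 header bytes."""
    return hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()

def sign_packet(header, key_id, key):
    """What a peer configured with the same key ID sends on the wire."""
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + ntp_mac(key, header)

def verify_packet(packet, keys, trusted):
    """Mirror of 'ntp authenticate' + 'ntp trusted-key': an unauthenticated packet, an unknown
    or untrusted key ID, or a digest mismatch all cause the packet to be refused."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = ntp_mac(keys[key_id], packet)
    return hmac.compare_digest(expected, packet[52:68])
```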
Verification commands:
[show ntp associations].
[show ntp status].
SNMP
SNMP Concepts.
-SNMP agent
-SNMP manager
-MIB
SNMP Versions.
SNMPv1
-SMIv1.
-Simple authentication with communities.
-MIB-I originally.
SNMPv2
-SMIv2.
-Removed the requirement for communities.
-Added GetBulk and Inform messages.
-Began with MIB-II.
SNMPv2c (RFC 1905).
-Allowed SNMPv1-style communities with SNMPv2.
-Otherwise equivalent to SNMPv2.
SNMPv3.
-Better security.
-Supports communities.
-Uses MIB-II.
SNMP protocol messages:
SNMPv1 and SNMPv2 protocol messages define how a manager and an agent, or two managers, communicate information.
SNMP uses UDP. The Response message (from the agent) is used both to acknowledge receipt and to supply information.
GET.
-Response message: Response.
-Sent by: manager.
-Purpose: Request a single variable's value.
GetNext.
-Response message: Response.
-Sent by: manager.
-Purpose: Request the next single MIB leaf in the MIB tree.
GetBulk.
-Response message: Response.
-Sent by: manager.
-Purpose: Request multiple consecutive MIB variables with one request.
Response.
-Response message: none.
-Sent by: agent.
-Purpose: Responds to Get and Set requests.
Set.
-Response message: Response.
-Sent by: manager.
-Purpose: Tells an agent to set a variable to a certain value.
Trap.
-Response message: none.
-Sent by: agent.
-Purpose: Sends unsolicited information.
Inform.
-Response message: Response.
-Sent by: manager.
-Purpose: Used between SNMP managers to allow MIB data to be exchanged.
MIB walk: refers to the process of discovering an agent's entire MIB structure.
MIBs
MIB-I (RFC 1156).
MIB-II (RFC 1213).
SNMPv3 security features.
-MD5 and SHA for authentication.
-DES for encryption.
Sample SNMP config.
-Send traps to 192.168.1.100.
-Send traps for a variety of events to the SNMP manager.
-Set optional information (router chassis, contact info and location).
-RW access to 192.168.1.0/24.
access-list 33 permit 192.168.1.0 0.0.0.255
snmp-server community public rw 33
snmp-server location b1
snmp-server contact root.mike13@company.com
snmp-server chassis-id 2511_access_server
snmp-server enable traps snmp
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server host 192.168.1.100 public
Syslog (RFC 5424).
Sends messages (the event log) to a syslog server. Uses UDP port 514 by default. By default sends all events that enter the event log. It uses cleartext messages.
Steps to configure syslog on a Cisco router:
-Install a syslog server with a fixed IP.
-Configure the logging process on the router using the logging host command.
-Configure severity levels (0-7) using the logging trap command.
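Added example (not from the notes): a Python parser for IOS syslog lines as they arrive on UDP 514, splitting <PRI> into facility and severity and applying the [logging trap] severity cut-off. The sample lines are constructed; the check that the PRI agrees with the %FACILITY-SEVERITY-MNEMONIC field is a sanity check a collector can apply to cleartext messages.

```python
import re

# Constructed IOS-style lines as received on UDP/514. <PRI> = facility * 8 + severity;
# IOS defaults to facility local7 (23), and %FACILITY-SEVERITY-MNEMONIC repeats the severity.
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:03.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)",
    "<187>46: *Mar  1 00:12:10.555: %LINEPROTO-3-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<191>47: *Mar  1 00:12:11.001: %SEC-7-IPACCESSLOGP: list 33 denied udp 10.9.9.9(161) -> 10.1.1.1(161), 1 packet",
    "<189>48: *Mar  1 00:12:12.000: %SEC-2-EXAMPLE: PRI says notification (5) but the mnemonic says critical (2)",
    "not a syslog line at all",
]

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(r"^<(\d{1,3})>(?:\d+: )?(?:[^%]*?: )?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")

def parse_syslog(line):
    """Return a dict for a well-formed IOS syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:          # PRI above 191 is not a valid facility/severity
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "ios_facility": m.group(2),
        "mnemonic": m.group(4),
        "text": m.group(5),
        # a message whose PRI disagrees with its own %FAC-SEV-MNEMONIC field deserves a second look
        "consistent": int(m.group(3)) == severity,
    }

def forwarded_at_trap_level(lines, trap_level):
    """Mimic 'logging trap <level>': only messages at that severity or more severe (lower number) are sent."""
    records = [r for r in map(parse_syslog, lines) if r is not None]
    return [r for r in records if r["severity"] <= trap_level]
```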
Web Cache Communication Protocol (WCCP).
Hosts have no knowledge that the content engine is involved.
WCCP allows edge routers to communicate with a content engine and permits the router to redirect traffic to the content engine as appropriate.
WCCP uses UDP on port 2048.
Up to 32 content engines can communicate with a router using WCCPv1.
When more than one content engine is present, the one with the lowest IP is elected as the lead engine.
In WCCPv1 only one router redirects traffic to a content engine (or cluster).
In WCCPv2, multiple routers and multiple content engines can be configured as a WCCP service group.
WCCPv1 only supports HTTP traffic (TCP 80).
WCCPv2 features.
-TCP/UDP traffic.
-TCP 80.
-FTP caching.
-FTP proxy.
-RealAudio.
-Video.
-Telephony.
-Permits segmenting caching services.
-Supports multicast.
-Up to 32 routers per cluster.
-MD5 security for WCCP communication.
-Load distribution.
[ip wccp password] is used to configure authentication.
The default version on Cisco routers is WCCPv2.
Sample WCCP config.
[ip wccp web-cache group-address 239.128.1.100 password cisco] ---> Global config.
!
int f0/0
ip wccp web-cache redirect out ---> (Traffic redirection).
int f0/0
ip wccp redirect exclude in ---> (Excluding redirect).
WCCP filtering.
[ip wccp web-cache redirect-list <access-list>] ----> (global, filters traffic to certain clients).
[ip wccp web-cache group-list <access-list>] ----> (global, defines which redirect traffic the router should accept from content engines).
IOS IP SLA.
IP SLA is based on the concept of generating traffic at a specified interval, with specific options, and then measuring the results. It uses a source/responder model.
IP SLA measures the following:
-Delay (one-way and round-trip).
-Jitter (directional).
-Packet loss (directional).
-Packet sequencing.
-Path (hop).
-Connectivity (UDP echo, ICMP echo, ICMP path echo, TCP connect).
-Server/website download time.
-Voice-quality metrics (MOS).
IP SLA implementation steps.
-Configure the SLA operation type.
-Configure threshold conditions.
-Configure the responder.
-Schedule/start/monitor results.
-Review results (CLI or SNMP).
IP SLA basic config sample.
conf t
ip sla monitor 1
type udpEcho dest-ipaddr 200.1.200.9 dest-port 1330
frequency 5
exit
!
ip sla monitor schedule 1 life 86400 start-time now
The command [ip sla key-chain] is used to configure MD5 authentication.
Verification commands.
[show ip sla monitor statistics].
[show ip sla monitor configuration].
Cisco Netflow.
Netflow components.
-Records (source IP address, destination IP, source port).
-Flow monitors (applied to an interface).
-Flow exporters.
-Flow samplers.
Sample netflow config:
flow exporter ipv4flowexport
destination 192.168.1.110
dscp 8
transport udp 1333
!
flow monitor ipv4flow
description monitors all ipv4 traffic
record netflow ipv4 original-input
exporter ipv4flowexport ---> (ties the monitor to the exporter defined above).
cache timeout inactive 600
cache entries 5000
statistics packet protocol
!
int f0/0
ip add 192.168.39.9 255.255.255.0
ip flow monitor ipv4flow input
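Added example (not from the notes): a Python model of the flow monitor cache configured above, aggregating packets into flow records keyed by the record fields, exporting a flow once it has been idle for 600 seconds (cache timeout inactive) or when the cache is full. The traffic, addresses and interface index are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass
INACTIVE_TIMEOUT = 600   # seconds, as 'cache timeout inactive 600' above
MAX_ENTRIES = 5000       # cache size from the monitor above

@dataclass
class FlowRecord:
    key: tuple           # (src ip, dst ip, protocol, src port, dst port, input ifindex)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Flow monitor cache: packets are aggregated into flows; expired flows go to the exporter."""
    def __init__(self, exporter, inactive=INACTIVE_TIMEOUT, max_entries=MAX_ENTRIES):
        self.exporter = exporter        # callable taking a FlowRecord (the 'flow exporter' role)
        self.inactive = inactive
        self.max_entries = max_entries
        self.flows = OrderedDict()      # insertion order, so the oldest flow is first

    def ingest(self, ts, src, dst, proto, sport, dport, ifindex, length):
        """Account one packet seen on the input interface (unsampled monitor)."""
        self.expire(ts)
        key = (src, dst, proto, sport, dport, ifindex)
        rec = self.flows.get(key)
        if rec is None:
            if len(self.flows) >= self.max_entries:   # cache full: export the oldest flow early
                self.exporter(self.flows.popitem(last=False)[1])
            rec = self.flows[key] = FlowRecord(key, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += length
        return rec

    def expire(self, now):
        """Export every flow that has been idle for at least the inactive timeout."""
        for key in [k for k, r in self.flows.items() if now - r.last_seen >= self.inactive]:
            self.exporter(self.flows.pop(key))

def run_constructed_sample():
    """Constructed traffic: a two-packet DNS query and a long-lived SSH session from the LAN."""
    exported = []
    cache = FlowCache(exported.append)
    cache.ingest(0.0, "192.168.39.20", "10.1.2.203", 17, 52000, 53, 1, 70)
    cache.ingest(0.1, "192.168.39.20", "10.1.2.203", 17, 52000, 53, 1, 70)
    cache.ingest(300.0, "192.168.39.21", "10.1.2.203", 6, 40000, 22, 1, 1500)
    cache.ingest(700.0, "192.168.39.21", "10.1.2.203", 6, 40000, 22, 1, 1500)  # DNS flow now idle > 600 s
    return exported, cache
```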
Verification commands.
-[show flow record].
-[show flow monitor].
-[show flow exporter].
-[show flow interface].
RITE (Router IP Traffic Export).
RITE exports IP packets to a VLAN or LAN interface for analysis. RITE does this only for traffic received on multiple WAN or LAN interfaces simultaneously (DoS attacks).
When RITE is enabled, you configure it to direct copied packets to the MAC address of the IDS host or protocol analyzer.
You can filter inbound (default), outbound, or both.
You can filter the number of packets forwarded.
Filtering is performed with ACLs.
Sample RITE config:
conf t
ip traffic-export profile exportthis
int f0/0 ---> (the monitored interface, set inside the profile).
bidirectional ---> (Bidirectional RITE).
mac-address 0018.0fad.df30 ------> (IDS MAC address).
incoming sample one-in-every 20
outgoing sample one-in-every 100
exit
!
int f0/0
ip traffic-export apply exportthis
end
EEM.
EEM config sample:
event manager applet CLICPNONST
event cli pattern "wr" sync yes
action 1.0 syslog msg "$_cli_msg command executed"
set 2.0 _exit_status 1
end
RMON.
RMON sample config
[rmon event 1 log trap public description fa0.0RisingErrors Owner config]
RMON verification commands.
[show rmon alarms].
[show rmon event].
FTP.
Commands.
[ip ftp].
[ip ftp username].
[ip ftp password].
[ip ftp source-interface].
Sample FTP config.
(sending an exception dump).
ip ftp username joeadmin
ip ftp password cisco
!
exception protocol ftp
exception region-size 65536
exception dump 172.30.19.63
The command [ip ftp passive] sets FTP connections to passive mode.
TFTP server on a Cisco router.
Sample:
[tftp-server flash:c1700advipservicesk9mz.12424.bin alias supersecretfile.bin 11]
Secure Copy.
-Is enabled as a service.
-scp uses ssl (tcp 443).
-SCP requires AAA.
-aaa authorization should be configured with the [exec] option.
-[ip scp server enable] turns on the SCP server.
HTTP/HTTPS access.
The [ip http server] global config command is used to enable HTTP access.
HTTP access defaults to TCP port 80.
The command [ip http port] is used to change the port.
[ip http access-class] is used to restrict HTTP access.
The [ip http client username] and [ip http client password] commands are used to set a unique user/password combination.
Different authentication methods can be configured with [ip http authentication aaa | local | enable | tacacs].
[ip http secure-server] is used to enable HTTPS.
SSH
Steps to configure SSH:
-Configure a hostname.
-Configure a domain name using [ip domain name <name>].
-Configure RSA keys using [crypto key generate rsa].
-Configure the terminal lines to permit SSH access using the [transport input ssh] command.
OER and PfR.
PfR is also called Protocol-Independent Routing Optimization (PIRO).
OER extends the router's capabilities to route traffic more optimally.
OER takes into account:
-Packet loss
-Response time
-Path availability
-Traffic load distribution
OER five-phase operation mode:
Profile: Learns the traffic flows that have high latency or high throughput.
Measure: Passively/actively collects traffic performance metrics.
Apply policy: Creates low/high thresholds to define in-policy and out-of-policy (OOP) traffic.
Control: Influences traffic by manipulating routing, or by routing in conjunction with PBR.
Verify: Measures OOP performance and adjusts policy to bring performance in-policy.
PfR learns about network performance using the IP SLA and NetFlow features.
PfR device roles.
MC (Master controller): decision maker for a cluster of PfR routers.
Configured using the [oer master] command.
BR (Border router): subordinate to the MC.
Configured using the [oer border] command.
A router can be configured as both.
BR and MC routers maintain communication using keepalives.
PfR traffic classes are defined by:
-IP address
-Protocol
-Port Number
-DSCP
Active and passive mode.
Active mode: PfR uses the IP SLA feature. BRs source probes for the MC to measure delay, jitter, reachability, or MOS (mean opinion score).
MOS is calculated using voice-like packets generated by IP SLA to measure jitter, latency, and packet loss.
Passive mode: PfR uses NetFlow information on traffic classes to make decisions.