COMMON PORTS

TCP/UDP Port Numbers

7 Echo 19 Chargen 20-21 FTP 22 SSH/SCP 23 Telnet 25 SMTP 42 WINS Replication 43 WHOIS 49 TACACS 53 DNS 67-68 DHCP/BOOTP 69 TFTP 70 Gopher 79 Finger 80 HTTP 88 Kerberos 102 MS Exchange 110 POP3 113 Ident 119 NNTP (Usenet) 123 NTP 135 Microsoft RPC 137-139 NetBIOS 143 IMAP4 161-162 SNMP 177 XDMCP 179 BGP 201 AppleTalk 264 BGMP 318 TSP 381-383 HP Openview 389 LDAP 411-412 Direct Connect 443 HTTP over SSL 445 Microsoft DS 464 Kerberos 465 SMTP over SSL 497 Retrospect 500 ISAKMP 512 rexec 513 rlogin 514 syslog 515 LPD/LPR 520 RIP 521 RIPng (IPv6) 540 UUCP 554 RTSP 546-547 DHCPv6 560 rmonitor 563 NNTP over SSL 587 SMTP 591 FileMaker 593 Microsoft DCOM 631 Internet Printing 636 LDAP over SSL 639 MSDP (PIM) 646 LDP (MPLS) 691 MS Exchange 860 iSCSI 873 rsync 902 VMware Server 989-990 FTP over SSL 993 IMAP4 over SSL 995 POP3 over SSL 1025 Microsoft RPC 1026-1029 Windows Messenger 1080 SOCKS Proxy 1080 MyDoom 1194 OpenVPN 1214 Kazaa 1241 Nessus 1311 Dell OpenManage 1337 WASTE 1433-1434 Microsoft SQL 1512 WINS 1589 Cisco VQP 1701 L2TP 1723 MS PPTP 1725 Steam 1741 CiscoWorks 2000 1755 MS Media Server 1812-1813 RADIUS 1863 MSN 1985 Cisco HSRP 2000 Cisco SCCP 2002 Cisco ACS 2049 NFS 2082-2083 cPanel 2100 Oracle XDB 2222 DirectAdmin 2302 Halo 2483-2484 Oracle DB 2745 Bagle.H 2967 Symantec AV 3050 Interbase DB 3074 XBOX Live 3124 HTTP Proxy 3127 MyDoom 3128 HTTP Proxy 3222 GLBP 3260 iSCSI Target 3306 MySQL 3389 Terminal Server 3689 iTunes 3690 Subversion 3724 World of Warcraft 3784-3785 Ventrilo 4333 mSQL 4444 Blaster 4664 Google Desktop 4672 eMule 4899 Radmin 5000 UPnP 5001 Slingbox 5001 iperf 5004-5005 RTP 5050 Yahoo! Messenger 5060 SIP 5190 AIM/ICQ 5222-5223 XMPP/Jabber 5432 PostgreSQL 5500 VNC Server 5554 Sasser 5631-5632 pcAnywhere 5800 VNC over HTTP 5900+ VNC Server 6000-6001 X11 6112 Battle.net 6129 DameWare 6257 WinMX 6346-6347 Gnutella 6500 GameSpy Arcade 6566 SANE 6588 AnalogX 6665-6669 IRC 6679/6697 IRC over SSL 6699 Napster 6881-6999 BitTorrent

packetlife.net

6891-6901 Windows Live 6970 Quicktime 7212 GhostSurf 7648-7649 CU-SeeMe 8000 Internet Radio 8080 HTTP Proxy 8086-8087 Kaspersky AV 8118 Privoxy 8200 VMware Server 8500 Adobe ColdFusion 8767 TeamSpeak 8866 Bagle.B 9100 HP JetDirect 9101-9103 Bacula 9119 MXit 9800 WebDAV 9898 Dabber 9988 Rbot/Spybot 9999 Urchin 10000 Webmin 10000 BackupExec 10113-10116 NetIQ 11371 OpenPGP 12035-12036 Second Life 12345 NetBus 13720-13721 NetBackup 14567 Battlefield 15118 Dipnet/Oddbob 19226 AdminSecure 19638 Ensim 20000 Usermin 24800 Synergy 25999 Xfire 27015 Half-Life 27374 Sub7 28960 Call of Duty 31337 Back Orifice 33434+ traceroute Legend Chat Encrypted Gaming Malicious Peer to Peer Streaming

IANA port assignments published at http://www.iana.org/assignments/port-numbers

by Jeremy Stretch

v1.1

SUBNETTING
Subnet Chart CIDR Subnet Mask Addresses 1 2 4 8 16 32 64 128 256 512 1,024 2,048 4,096 8,192 16,384 32,768 65,536 131,072 262,144 524,288 1,048,576 2,097,152 4,194,304 8,388,608 16,777,216 33,554,432 67,108,864 134,217,728 268,435,456 536,870,912 1,073,741,824 2,147,483,648 4,294,967,296 Wildcard 0.0.0.0 0.0.0.1 0.0.0.3 0.0.0.7 0.0.0.15 0.0.0.31 0.0.0.63 0.0.0.127 0.0.0.255 0.0.1.255 0.0.3.255 0.0.7.255 0.0.15.255 0.0.31.255 0.0.63.255 0.0.127.255 0.0.255.255 0.1.255.255 0.3.255.255 0.7.255.255 0.15.255.255 0.31.255.255 0.63.255.255 0.127.255.255 0.255.255.255 1.255.255.255 3.255.255.255 7.255.255.255 15.255.255.255 31.255.255.255 63.255.255.255 127.255.255.255 255.255.255.255 Terminology
-

packetlife.net Decimal to Binary Subnet Mask 255 1111 1111 254 1111 1110 252 1111 1100 248 1111 1000 240 1111 0000 224 1110 0000 192 1100 0000 128 1000 0000 0 0000 0000 Wildcard 0 0000 0000 1 0000 0001 3 0000 0011 7 0000 0111 15 0000 1111 31 0001 1111 63 0011 1111 127 0111 1111 255 1111 1111

/32 255.255.255.255 /31 255.255.255.254 /30 255.255.255.252 /29 255.255.255.248 /28 255.255.255.240 /27 255.255.255.224 /26 255.255.255.192 /25 255.255.255.128 /24 255.255.255.0 /23 255.255.254.0 /22 255.255.252.0 /21 255.255.248.0 /20 255.255.240.0 /19 255.255.224.0 /18 255.255.192.0 /17 255.255.128.0 /16 255.255.0.0 /15 255.254.0.0 /14 255.252.0.0 /13 255.248.0.0 /12 255.240.0.0 /11 255.224.0.0 /10 255.192.0.0 /9 255.128.0.0 /8 255.0.0.0 /7 254.0.0.0 /6 252.0.0.0 /5 248.0.0.0 /4 240.0.0.0 /3 224.0.0.0 /2 192.0.0.0 /1 128.0.0.0 /0 0.0.0.0

Subnet Proportion

Classful Ranges A 0.0.0.0 - 127.255.255.255 B 128.0.0.0 - 191.255.255.255 C 192.0.0.0 - 223.255.255.255 D 224.0.0.0 - 239.255.255.255 E 240.0.0.0 - 255.255.255.255 Reserved Ranges RFC1918 10.0.0.0 - 10.255.255.255 Localhost 127.0.0.0 - 127.255.255.255 RFC1918 172.16.0.0 - 172.31.255.255 RFC1918 192.168.0.0 - 192.168.255.255 Determine Usable Hosts
Total Addresses Subnet ID Broadcast Address Usable hosts 256 1 1 254

CIDR Classless interdomain routing was developed to VLSM Variable length subnet masks are an arbitrary length provide more granularity than legacy classful addressing; between 0 and 32 bits; CIDR relies on VLSMs to define routes masks expressed in the form /XX are in CIDR notation

by Jeremy Stretch

v1.0

SPANNING TREE PART 1

Spanning Tree Protocols Legacy STP Algorithm Legacy ST Definition 802.1D-1998 Instances One Trunking N/A PVST Legacy ST Cisco Per VLAN ISL PVST+ Legacy ST Cisco Per VLAN 802.1Q, ISL RSTP Rapid ST 802.1w, 802.1D-2004 One N/A RPVST+ Rapid ST Cisco Per VLAN 802.1Q, ISL

packetlife.net

MST Rapid ST 802.1s, 802.1Q-2003 Configurable 802.1Q, ISL

Spanning Tree Instance Comparison

BPDU Format Field Protocol ID Version BPDU Type Flags Root ID Root Path Cost Bridge ID Port ID Message Age Max Age Hello Time Forward Delay Bits 16 8 8 8 64 32 64 16 16 16 16 16

Spanning Tree Specifications

Link Costs Bandwidth 4 Mbps 10 Mbps 16 Mbps 45 Mbps 100 Mbps 155 Mbps Cost 250 100 62 39 19 14 6 4 2

Open Standards
IEEE 802.1D-1998 Deprecated legacy STP standard IEEE 802.1w Introduced Rapid STP (RSTP) IEEE 802.1D-2004 Replaced legacy STP with RSTP IEEE 802.1s Introduced Multiple Spanning Tree (MST) IEEE 802.1Q-2003 Added MST to 802.1Q

622 Mbps 1 Gbps 10 Gbps

Port States Legacy ST Disabled Blocking Listening Learning Forwarding Rapid ST Discarding Discarding Discarding Learning Forwarding

Default Timers Hello Forward Delay Max Age 2s 15s 20s

Cisco Proprietary Implementations

PVST Per-VLAN implementation of legacy STP PVST+ Added 802.1Q trunking to PVST RPVST+ Per-VLAN implementation of RSTP

Spanning Tree Operation 1 Determine root bridge 2 Select root port The bridge advertising the lowest bridge ID becomes the root bridge Each bridge selects its primary port facing the root

Port Roles Legacy ST Root Designated Blocking Blocking Rapid ST Root Designated Alternate Backup v2.0

3 Select designated ports One designated port is selected per segment 4 Block ports with loops by Jeremy Stretch All non-root and non-desginated ports are blocked

SPANNING TREE PART 2

PVST+ and RPVST+ Configuration
! Set STP type spanning-tree mode {pvst | rapid-pvst} ! Bridge priority spanning-tree vlan 1-4094 priority 32768 ! Timers, in seconds spanning-tree vlan 1-4094 hello-time 2 spanning-tree vlan 1-4094 forward-time 15 spanning-tree vlan 1-4094 max-age 20 ! Enabling PortFast by default spanning-tree portfast default ! PVST+ Enhancements spanning-tree backbonefast spanning-tree uplinkfast ! Interface attributes interface FastEthernet0/1 spanning-tree [vlan 1-4094] port-priority 128 spanning-tree [vlan 1-4094] cost 19 ! Manual link type specification spanning-tree link-type {point-to-point | shared} ! Enables spanning tree if running PVST+, or ! designates an edge port under RPVST+ spanning-tree portfast ! Spanning tree protection spanning-tree guard {loop | root | none} ! Per-interface toggling spanning-tree bpduguard enable spanning-tree bpdufilter enable

packetlife.net Bridge ID Format

Priority 4-bit configurable priority (configurable from 0 to 61440 in increments of 4096) System ID Extension 12-bit value taken from VLAN number MAC Address 48-bit value to ensure uniqueness

Path Selection 1 Prefer the neighbor advertising the lowest root ID 2 Prefer the neighbor advertising the lowest cost to root 3 Prefer the neighbor with the lowest bridge ID 4 Prefer the lowest sender port ID Optional PVST+ Ehancements PortFast Enables
immediate transition forwarding state on edge ports paths to root into the

UplinkFast Enables access switches to maintain backup BackboneFast Enables immediate expiration of the Max Age
timer on an indirect link failure

Spanning Tree Protection Root Guard Prevents a port from becoming the root port BPDU Guard Error disables a port if a BPDU is received Loop Guard Prevents a blocked port from transitioning to
listening after the Max Age timer has expired

MST Configuration
! Set STP type spanning-tree mode mst ! MST Configuration spanning-tree mst configuration name MyTree revision 1 ! Map VLANs to instances instance 1 vlan 20, 30 instance 2 vlan 40, 50 ! Bridge priority (per instance) spanning-tree mst 1 priority 32768 ! Timers, in seconds spanning-tree mst hello-time 2 spanning-tree mst forward-time 15 spanning-tree mst max-age 20 ! Maximum hops for BPDUs spanning-tree mst max-hops 20 ! Interface attributes interface FastEthernet0/1 spanning-tree mst 1 port-priority 128 spanning-tree mst 1 cost 19

BPDU Filter Blocks BPDUs on an interface RSTP Link Types Point-to-Point Connects to exactly one other bridge (a full
duplex interface)

Shared Potentially connects to multiple bridges (a half

duplex interface)

Edge Connects to a single host; designated by

applying PortFast

Troubleshooting show spanning-tree [summary | detail] show spanning-tree root show spanning-tree vlan <VLAN> show spanning-tree interface <interface> show spanning-tree mst [<instance>] [detail] show spanning-tree mst configuration show spanning-tree mst interface <interface> v2.0

by Jeremy Stretch

VLANS
Trunk Encapsulation Ethernet Header Trunk Types

packetlife.net

802.1Q Header Size 4 bytes Trailer Size N/A Standard IEEE Maximum VLANs 4094 Command dot1q VLAN Numbers 0 Reserved

ISL 26 bytes 4 bytes Cisco 1000 isl

1004 fdnet 1005 trnet 1006-4094 Extended 4095 Reserved

VLAN Creation
Switch(config)# vlan 100 Switch(config-vlan)# name Engineering

1 default 1002 fddi-default 1003 tr

Access Port Configuration

Switch(config-if)# Switch(config-if)# Switch(config-if)# Switch(config-if)# switchport switchport switchport switchport mode access nonegotiate access vlan 100 voice vlan 150

Terminology
Trunking Extending multiple VLANs over the same physical connection Native VLAN By default, frames in this VLAN are untagged when sent across a trunk Access VLAN The VLAN to which an access port is assigned Voice VLAN If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port Dynamic Trunking Protocol (DTP) Can be used to automatically establish trunks between capable ports; carries a security risk Switched Virtual Interface (SVI) A virtual interface which provides a routed gateway into and out of a VLAN

Trunk Port Configuration

Switch(config-if)# Switch(config-if)# Switch(config-if)# Switch(config-if)# switchport switchport switchport switchport mode trunk trunk encapsulation dot1q trunk allowed vlan 10,100-200 trunk native vlan 10

SVI Configuration
Switch(config)# interface vlan100 Switch(config-if)# ip address 192.168.100.1 255.255.255.0

VLAN Trunking Protocol

Domain Common to all switches participating in VTP Server Mode Generates and propagates VTP advertisements to clients; this mode is default on unconfigured switches Client Mode Receives and forwards advertisements from servers; VLANs cannot be manually configured on switches in client mode Transparent Mode Forwards advertisements but does not participate in VTP; VLANs must be configured manually Pruning VLANs not having any access ports on an end switch are removed from the trunk to reduce flooded traffic

Switch Port Modes

trunk Forms an unconditional trunk dynamic desirable Actively attempts to negotiate a trunk with the distant end dynamic auto Will form a trunk only if requested by the distant end access Will never form a trunk

Troubleshooting show vlan

VTP Configuration
Switch(config)# Switch(config)# Switch(config)# Switch(config)# Switch(config)# vtp vtp vtp vtp vtp mode server domain LASVEGAS password Presl3y version 2 pruning

show interface status show interface switchport show interface trunk show vtp status show vtp password

by Jeremy Stretch

v1.2

FIRST HOP REDUNDANCY

First Hop Redundancy Protocols
Hot Standby Router Protocol Provides default gateway redundancy using one active and one standby router; standardized but licensed by Cisco Virtual Router Redundancy Protocol An open-standard alternative to Cisco's HSRP, providing the same functionality Gateway Load Balancing Protocol Supports arbitrary load balancing in addition to redundancy across gateways; Cisco proprietary

packetlife.net Protocols Comparison HSRP Standard RFC 2281 Load Balancing No IPv6 Support Yes Transport UDP 1985 Default Priority 100 Default Hello 3s Multicast Group 224.0.0.2 VRRP Operation VRRP RFC 3768 No No IP 112 100 1s 224.0.0.18 GLBP Cisco Yes Yes UDP 3222 100 3s 224.0.0.102

HSRP Operation

GLBP Operation

HSRP Configuration
interface FastEthernet0/0 ip address 10.0.1.2 255.255.255.0 standby version {1 | 2} standby 1 ip 10.0.1.1 standby 1 timers <hello> <dead> standby 1 priority <priority> standby 1 preempt standby 1 authentication md5 key-string <password> standby 1 track <interface> <value> standby 1 track <object> decrement <value>

HSRP/GLBP Interface States

Speak Gateway election in progress Active Active router/VG Standby Backup router/VG Listen Not the active router/VG

VRRP Interface States

Master Acting as the virtual router Backup All non-master routers

VRRP Configuration GLBP Roles

interface FastEthernet0/0 ip address 10.0.1.2 255.255.255.0 vrrp 1 ip 10.0.1.1 vrrp 1 timers {advertise <hello> | learn} vrrp 1 priority <priority> vrrp 1 preempt vrrp 1 authentication md5 key-string <password> vrrp 1 track <object> decrement <value>

Active Virtual Gateway (AVG) Answers for the virtual router and assigns virtual MAC addresses to group members Active Virtual Forwarder (AVF) All routers which forward traffic for the group (may include the AVG)

GLBP Load Balancing

Round-Robin (default) The AVG answers host ARP requests for the virtual router with the next router in the cycle Host-Dependent Round-robin cycling while maintaining a consistent AVF for each host Weighted GLBP weight determines the proportionate share of hosts handled by each AVF

GLBP Configuration
interface FastEthernet0/0 ip address 10.0.1.2 255.255.255.0 glbp 1 ip 10.0.1.1 glbp 1 timers <hello> <dead> glbp 1 timers redirect <redirect> <time-out> glbp 1 priority <priority> glbp 1 preempt glbp 1 forwarder preempt glbp 1 authentication md5 key-string <password> glbp 1 load-balancing <method> glbp 1 weighting <weight> lower <lower> upper <upper> glbp 1 weighting track <object> decrement <value>

Troubleshooting show standby [brief] show glbp [brief] show vrrp [brief] show track [brief]

by Jeremy Stretch

v1.0

FRAME MODE MPLS

Protocol Header

packetlife.net Conceptual Components

Control Plane Facilitates label exchange between neighboring LSRs using LDP or TDP (includes the distribution protocol and LIB) Forwarding/Data Plane Forwards packets based on label or destination IP address (includes the FIB and LFIB)

Label Protocols LDP

Label (20 bits) Unique label value Experimental/QoS (3 bits) CoS-mapped QoS marking Bottom of Stack (1 bit) Indicates label is last in the stack Time To Live (8 bits) Hop counter mapped from IP TTL

TDP 255.255.255.255 UDP 711 TCP 711 Cisco

Hello Address 224.0.0.2 Hello Port UDP 646 Adjacency Port TCP 646 Proprietary No

Label Switched Path

Terminology
Label Distribution Protocol (LDP) Standards based label distribution protocol defined in RFC 3036 Tag Distribution Protocol (TDP) Cisco's proprietary predecessor to LDP Label Switching Router (LSR) Any router capable of label switching Label-Switched Path (LSP) The unidirectional path through one or more LSRs taken by a label switched packet belonging to an FEC Forwarding Equivalence Class (FEC) A group of packets which are forwarded in an identical manner Label Information Base (LIB) Contains all labels known by an LSR via a label distribution protocol Forwarding Information Base database for unlabeled (IP) packets (FIB) Routing

Label FIB (LFIB) Routing database for labeled packets Customer (C) IP-only routers internal to customer network Customer Edge (CE) C routers which face PE routers Provider Edge (PE) LSRs which form the MPLS-IP boundary Provider (P) MPLS-only LSRs in provider network Interim Packet Propagation An LSR temporarily performs IP routing while waiting to learn the necessary MPLS labels Penultimate Hop Popping (PHP) The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup

MPLS Configuration
! ** Enable CEF ** ip cef ! ! ** Select label protocol ** mpls label protocol ldp ! ! ** Enable MPLS on IP interfaces ** interface FastEthernet0/0 ip address 10.0.0.1 255.255.255.252 mpls ip ! ** Raise MPLS MTU to accomodate multilabel stack ** mpls mtu 1512

Troubleshooting show mpls interfaces show mpls ldp neighbors show mpls ldp bindings [detail] (LIB) show mpls forwarding-table [detail] (LFIB) show ip cef [detail] (FIB) debug mpls events debug mpls ldp bindings v1.0

by Jeremy Stretch

IEEE 802.1X
802.1X Header Terminology

packetlife.net

Extensible Authentication Protocol (EAP) A flexible authentication framework defined in RFC 3748

EAP Header

EAP Over LANs (EAPOL) The encapsulation used by 802.1X to carry EAP across a layer two segment Supplicant The device on one end of a link that requests authentication by the authenticator

EAP Flow Chart

Authenticator The device that controls the status of a link; typically a wired switch or wireless access point Authentication Server A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server) Guest VLAN Fallback VLAN for clients not 802.1X-capable Restricted VLAN Fallback VLAN for clients which fail authentication

802.1X Packet Types 0 EAP Packet 1 EAPOL-Start 2 EAPOL-Logoff 3 EAPOL-Key 4 EAPOL-Encap-ASF-Alert Interface Defaults Max Auth Requests 2 Reauthentication Off Configuration
Global Configuration ! Define a RADIUS server radius-server host 10.0.0.100 radius-server key MyRadiusKey ! Configure 802.1X to authenticate via AAA aaa new-model aaa authentication dot1x default group radius ! Enable 802.1X authentication globally dot1x system-auth-control Interface Configuration ! Configure static access mode switchport mode access ! Enable 802.1X authentication per port dot1x port-control auto ! Configure host mode (single or multi) dot1x host-mode single-host ! Configure maximum authentication attempts dot1x max-reauth-req ! Enable periodic reauthentication dot1x reauthentication ! Configure a guest VLAN dot1x guest-vlan 123 ! Configure a restricted VLAN dot1x auth-fail vlan 456 dot1x auth-fail max-attempts 3

EAP Codes 1 Request 2 Response 3 Success 4 Failure EAP Req/Resp Types 1 Identity 2 Notification 3 Nak 4 MD5 Challenge 5 One Time Password 6 Generic Token Card 254 Expanded Types 255 Experimental

Quiet Period 60s Reauth Period 3600s Server Timeout 30s Supplicant Timeout 30s Tx Period 30s

Port-Control Options
force-authorized Port will always remain in authorized state (default setting) force-unauthorized Port will always remain in unauthorized state, ignoring authentication attempts auto Port is authorized only in the presence of a successfully authenticated supplicant

Troubleshooting show dot1x [interface <interface>] show dot1x statistics interface <interface> dot1x test eapol-capable [interface <interface>] dot1x re-authenticate interface <interface> v1.0

by Jeremy Stretch

QUALITY

OF

SERVICE PART 1
Quality of Service Models

packetlife.net IP Type of Service (TOS)

Best Effort No QoS policies are implemented Integrated Services (IntServ) Resource Reservation Protocol (RSVP) is used to reserve bandwidth per flow across all nodes in a path Differentiated Services (DiffServ) Packets are individually classified and marked; policy decisions are made independently at each node in a path

Layer 2 QoS Markings Medium Ethernet Name Class of Service (CoS) Type 3-bit 802.1p field in 802.1Q header 1-bit drop eligibility flag 1-bit drop eligibility flag 3-bit field compatible with 802.1p Precedence Values Binary 7 111 6 110 5 101 4 100 3 011 2 010 1 001 0 000 Application Reserved Routing Voice Streaming Video Call Signaling Transactional Bulk Data Best Effort DSCP Values Binary 56 111000 48 110000 46 101110 32 100000 34 100010 Terminology
Per-Hop Behavior (PHB) The individual QoS action performed at each DiffServ node according to its configured policy Trust Boundary The perimeter beyond which QoS markings are not trusted Tail Drop Occurs when a packet is dropped because its queue is full Policing Creates an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the cap and be remarked or dropped Shaping Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay TCP Synchronization Flows adjust window sizes in synch, wasting bandwidth

Frame Relay Discard Eligibility (DE) ATM MPLS Cell Loss Priority (CLP) Experimental Field (EXP)

IP QoS Markings
Precedence The first three bits of the IP TOS field are evaluated; compatible with Ethernet CoS and MPLS EXP values DSCP The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence

QoS Flowchart

Prec. 7 6 5

DSCP Reserved Reserved EF CS4

36 100100 38 100110 24 011000 26 011010 28 011100 30 011110 16 010000 18 010010 20 010100 22 010110 8 001000 10 001010 12 001100 14 001110 0 000000

AF41 AF42 AF43 CS3

AF31 AF32 AF33 CS2

AF21 AF22 AF23 CS1

Per-Hop Behaviors
Class Selector (CS) Backwardcompatible with IP Precedence values Assured Forwarding (AF) Four classes with variable drop preferences Expedited Forwarding (EF) Provides priority queuing for delay-sensitive traffic

Congestion Avoidance
Random Early Detection (RED) Packets are randomly dropped before a queue is full to prevent tail drop; mitigates TCP synchronization Weighted RED (WRED) RED with the added capability of recognizing prioritized traffic by its marking

AF11 AF12 AF13

BE v1.2

by Jeremy Stretch

QUALITY

OF

SERVICE PART 2
Queuing Comparison Chart FIFO PQ No 4 Yes Automatic Yes No CQ No Configured Yes Configured No No WFQ <=2 Mbps Dynamic No Automatic No No CBWFQ No

packetlife.net

LLQ No Configured Yes Configured Yes Yes

Default on interfaces >2 Mbps Number of queues 1 Configurable classes No Bandwidth allocation Automatic Provides for minimal delay No Modern implementation Yes First In First Out (FIFO)

Configured Yes Configured No Yes

Priority Queuing (PQ)

LLQ Configuration Example

! *** Class definitions *** class-map match-all Voice ! Matches packets by DSCP value match dscp ef ! class-map match-all Call-Signaling match dscp cs3 ! class-map match-any Critical-Apps match dscp af21 af22 ! Matches packets by access list match access-group name Mgmt_LAN ! class-map match-all Scavenger match dscp cs1 ! ! *** Policy creation *** policy-map Foo class Voice ! Priority queue policed to 33% priority percent 33 class Call-Signaling ! Allocate 5% of bandwidth bandwidth percent 5 class Critical-Apps bandwidth percent 20 ! Extend queue size to 96 packets queue-limit 96 class Scavenger ! Police to 64 kbps police cir 64000 conform-action transmit exceed-action drop class class-default ! Enable WFQ fair-queue ! Enable WRED random-detect ! ! *** Policy Application *** interface Serial0 service-policy Foo

Packets are transmitted in the order they are processed No prioritization is provided Default queuing method on highspeed (>2 Mbps) interfaces Configurable with the tx-ring-limit interface configuration command

Provides four static queues which cannot be reconfigured Higher-priority queues are always emptied before lower-priority queues Lower-priority queues are at risk of bandwidth starvation

Custom Queuing (CQ)

Weighted Fair Queuing (WFQ)

Rotates through queues Weighted Round Robin (WRR)

using

Queues are dynamically created per flow to ensure fair processing Statistically drops packets agressive flows more often from

A configurable number of bytes is processed from each queue per turn Prevents queue starvation but does not support delay-sensitive traffic

No support for delay-sensitive traffic

Class-Based WFQ (CBWFQ)

Low Latency Queuing (LLQ)

Troubleshooting
Provides the benefits of WFQ with administratively configured queues Each queue is allocated an amount or percentage of bandwidth No support for delay-sensitive traffic CBWFQ with the addition of a policed strict priority queue Highly configurable while supporting delay-sensitive traffic still

show policy-map show interface show queue <interface> show mls qos v1.2

by Jeremy Stretch

IP ACCESS LISTS
Standard IP ACL Syntax
! Legacy syntax access-list <number> {permit | deny} <source> [log] ! Modern syntax ip access-list standard {<number> | <name>} [<sequence>] {permit | deny} <source> [log]

packetlife.net Actions permit deny remark evaluate Allow matched packets Deny matched packets Record a config comment Evaluate a reflexive ACL

Extended IP ACL Syntax

! Legacy syntax access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>] ! Modern syntax ip access-list extended {<number> | <name>} [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

ACL Numbers 1-99 IP standard 1300-1999 100-199 IP extended 2000-2699 200-299 Protocol 300-399 DECnet 400-499 XNS 500-599 Extended XNS 600-699 Appletalk 700-799 Ethernet MAC 800-899 IPX standard 900-999 IPX extended 1000-1099 IPX SAP 1100-1199 MAC extended 1200-1299 IPX summary TCP Options ack fin psh rst syn urg Match ACK flag Match FIN flag Match PSH flag Match RST flag Match SYN flag Match URG flag reflect <name> eq <port> lt <port> dscp <DSCP> fragments option <option> any host <address>

Source/Destination Definitions Any address A single address Any address matched by the wildcard mask IP Options Match packets with the given DSCP value Check non-initial fragments Match packets with the specified IP option Match packets with the given precedence value Match packets with the given Time To Live TCP/UDP Port Definitions Equal to Less than neq <port> gt <port> Not equal to Greater than

<network> <mask>

precedence <0-7> ttl <count>

range <port> <port>

Matches a range of port numbers Miscellaneous Options

Create a reflexive ACL Enable rule only during the specified time range

time-range <name>

Applying ACLs to Restrict Traffic

interface FastEthernet0/0 ip access-group {<number> | <name>} {in | out}

Troubleshooting show access-lists {<number> | <name>} show ip access-lists {<number> | <name>} show ip access-lists interface <interface> show ip access-lists dynamic show ip interface [<interface>] show time-range [<name>] v1.1

established Match packets in a preestablished session Logging Options log Log ACL entry matches

log-input Log matches with ingress interface and source MAC by Jeremy Stretch

IPSEC
Protocols
Internet Security Association and Key Management Protocol (ISAKMP) A framework for the negotiation and management of security associations between peers; traverses UDP port 500 Internet Key Exchange (IKE) Responsible for key agreement using public key cryptography Encapsulating Security Payload (ESP) Provides data encryption, data integrity, and peer authentication; IP protocol 50 Authentication Header (AH) Provides data integrity and peer authentication, but not data encryption; IP protocol 51

packetlife.net Encryption Algorithms Type DES Symmetric 3DES Symmetric AES Symmetric Key 56-bit 168-bit Strength Weak Medium

128, 192, or Strong 256-bit Strong

RSA Asymmetric 1024-bit minimum Hashing Algorithms Length MD5 128-bit SHA-1 160-bit

IPsec Modes

Strength Medium Strong

IKE Phases
Phase 1 A bidirectional ISAKMP SA is established between peers to provide a secure management channel; IKE is performed in main mode or agressive mode Transport Mode The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted Tunnel Mode A new IP header is created in place of the original; this allows for encryption of the entire original packet Phase 1.5 (optional) Xauth can optionally be implemented to enforce user authentication Phase 2 Two unidirectional IPsec SAs are established for data transfer using separate keys; IKE quick mode is used

Configuration
ISAKMP Policy crypto isakmp policy 10 encryption aes 256 hash sha authentication pre-share group 2 lifetime 3600 ISAKMP Pre-Shared Secret Key crypto isakmp key 0 MySecretKey address 10.0.0.2 IPsec Transform Set crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac mode tunnel IPsec Profile crypto ipsec profile MyProfile set transform-set MyTS Virtual Tunnel Interface interface Tunnel0 ip address 172.16.0.1 255.255.255.252 tunnel source 10.0.0.1 tunnel destination 10.0.0.2 tunnel mode ipsec ipv4 tunnel protection ipsec profile MyProfile

Terminology
Data Integrity Secure hashing (HMAC) is used to ensure data has not been altered in transit Data Confidentiality Encryption is used to ensure data cannot be intercepted by a third party Data Origin Authentication Peer authentication Anti-replay Sequence numbers are used to detect and block duplicate packets Hash-based Message Authentication Code (HMAC) A hash of the data and secret key used to provide message authenticity Diffie-Hellman A method of establishing a shared secret key over an insecure path using public and private keys

Troubleshooting show crypto isakmp sa show crypto isakmp policy show crypto ipsec sa show crypto ipsec transform-set debug crypto isakmp debug crypto ipsec

by Jeremy Stretch

v1.1

TCPDUMP
Command Line Options -A Print frame payload in ASCII -q Quick output

packetlife.net

-c <count> Exit after capturing count packets -D -e -F <file> -G <n> List available interfaces Print link-level headers in the capture dump Use file as the filter expression Rotate the dump file every n seconds

-r <file> Read packets from file -s <len> -S -t -v[v[v]] Capture up to len bytes per packet Print absolute TCP sequence numbers Don't print timestamps Print more verbose output

-i <iface> Specifies the capture interface -K -L -n -p Don't verify TCP checksums List data link types for the interface Don't convert addresses to names Don't capture in promiscuous mode

-w <file> Write captured packets to file -x -X Print frame payload in hex Print frame payload in hex and ASCII

-y <type> Specify the data link type -Z <user> Drop privileges from root to user

Capture Filter Primitives [src|dst] host <host> ether [src|dst] host <ehost> gateway host <host> [src|dst] net <network>/<len> [tcp|udp] [src|dst] port <port> [tcp|udp] [src|dst] portrange <p1>-<p2> less <length> greater <length> (ether|ip|ip6) proto <protocol> (ether|ip) broadcast (ether|ip|ip6) multicast type (mgt|ctl|data) [subtype <subtype>] vlan [<vlan>] mpls [<label>] <expr> <relop> <expr> Protocols arp ether fddi icmp ip ip6 link ppp radio rarp TCP Flags tcp-urg tcp-ack tcp-push tcp-rst tcp-syn tcp-fin slip tcp tr udp wlan icmp-echoreply icmp-unreach icmp-sourcequench icmp-redirect icmp-echo Modifiers ! or not && or and || or or udp dst port not 53 Matches a host as the IP source, destination, or either Matches a host as the Ethernet source, destination, or either Matches packets which used host as a gateway Matches packets to or from an endpoint residing in network Matches TCP or UDP packets sent to/from port Matches TCP or UDP packets to/from a port in the given range Matches packets less than or equal to length Matches packets greater than or equal to length Matches an Ethernet, IPv4, or IPv6 protocol Matches Ethernet or IPv4 broadcasts Matches Ethernet, IPv4, or IPv6 multicasts Matches 802.11 frames based on type and optional subtype Matches 802.1Q frames, optionally with a VLAN ID of vlan Matches MPLS packets, optionally with a label of label Matches packets by an arbitrary expression Examples All UDP not bound for port 53

host 10.0.0.1 && host 10.0.0.2 All packets between these hosts tcp dst port 80 or 8080 ICMP Types icmp-routeradvert icmp-routersolicit icmp-timxceed icmp-paramprob icmp-tstamp icmp-tstampreply icmp-ireq icmp-ireqreply icmp-maskreq icmp-maskreply v1.0 All packets to either TCP port

by Jeremy Stretch

WIRESHARK DISPLAY FILTERS PART 1

Ethernet
eth.addr eth.dst eth.ig eth.len eth.lg eth.multicast eth.src eth.trailer eth.type arp.dst.hw_mac arp.dst.proto_ipv4 arp.hw.size arp.hw.type arp.opcode

packetlife.net ARP
arp.proto.size arp.proto.type arp.src.hw_mac arp.src.proto_ipv4

IEEE 802.1Q
vlan.cfi vlan.etype vlan.id vlan.len vlan.priority vlan.trailer

TCP
tcp.ack tcp.checksum tcp.checksum_bad tcp.checksum_good tcp.continuation_to tcp.dstport tcp.flags tcp.flags.ack tcp.flags.cwr tcp.flags.ecn tcp.flags.fin tcp.flags.push tcp.flags.reset tcp.flags.syn tcp.flags.urg tcp.hdr_len tcp.len tcp.nxtseq tcp.options tcp.options.cc tcp.options.ccecho tcp.options.ccnew tcp.options.qs tcp.options.sack tcp.options.sack_le tcp.options.sack_perm tcp.options.sack_re tcp.options.time_stamp tcp.options.wscale tcp.options.wscale_val tcp.pdu.last_frame tcp.pdu.size tcp.pdu.time tcp.port tcp.reassembled_in tcp.segment tcp.segment.error tcp.segment.multipletails tcp.segment.overlap tcp.segment.overlap.conflict tcp.segment.toolongfragment tcp.segments tcp.seq tcp.srcport tcp.time_delta tcp.time_relative tcp.urgent_pointer tcp.window_size

IPv4
ip.addr ip.checksum ip.checksum_bad ip.checksum_good ip.dsfield ip.dsfield.ce ip.dsfield.dscp ip.dsfield.ect ip.dst ip.dst_host ip.flags ip.flags.df ip.flags.mf ip.flags.rb ip.frag_offset ip.fragment ip.fragment.error ip.fragment.multipletails ip.fragment.overlap ip.fragment.overlap.conflict ip.fragment.toolongfragment ip.fragments ip.hdr_len ip.host ip.id ip.len ip.proto ip.reassembled_in ip.src ip.src_host ip.tos ip.tos.cost ip.tos.delay ip.tos.precedence ip.tos.reliability ip.tos.throughput ip.ttl ip.version

IPv6
ipv6.addr ipv6.class ipv6.dst ipv6.dst_host ipv6.dst_opt ipv6.flow ipv6.fragment ipv6.fragment.error ipv6.fragment.more ipv6.fragment.multipletails ipv6.fragment.offset ipv6.fragment.overlap ipv6.fragment.overlap.conflict ipv6.fragment.toolongfragment ipv6.fragments ipv6.fragment.id ipv6.hlim ipv6.hop_opt ipv6.host ipv6.mipv6_home_address ipv6.mipv6_length ipv6.mipv6_type ipv6.nxt ipv6.opt.pad1 ipv6.opt.padn ipv6.plen ipv6.reassembled_in ipv6.routing_hdr ipv6.routing_hdr.addr ipv6.routing_hdr.left ipv6.routing_hdr.type ipv6.src ipv6.src_host ipv6.version

tcp.options.echo tcp.options.echo_reply tcp.options.md5 tcp.options.mss tcp.options.mss_val

UDP
udp.checksum udp.checksum_bad udp.checksum_good udp.dstport udp.length udp.port udp.srcport

Operators
eq ne gt lt ge le == != > < >= <= not [n] ! [...] and or xor && || ^^

Logic
Logical AND Logical OR Logical XOR Logical NOT Substring operator

by Jeremy Stretch

v1.0

WIRESHARK DISPLAY FILTERS PART 2

Frame Relay
fr.becn fr.chdlctype fr.control fr.control.f fr.control.ftype fr.control.n_r fr.control.n_s fr.control.p fr.control.s_ftype fr.control.u_modifier_cmd fr.control.u_modifier_resp fr.cr fr.dc fr.de fr.dlci fr.dlcore_control fr.ea fr.fecn fr.lower_dlci fr.nlpid fr.second_dlci fr.snap.oui fr.snap.pid fr.snaptype fr.third_dlci fr.upper_dlci rip.auth.passwd rip.auth.type rip.command rip.family rip.ip rip.metric rip.netmask rip.next_hop icmpv6.all_comp icmpv6.checksum icmpv6.checksum_bad icmpv6.code icmpv6.comp icmpv6.haad.ha_addrs icmpv6.identifier icmpv6.option icmpv6.option.cga icmpv6.option.cga.pad_length icmpv6.option.length

packetlife.net ICMPv6
icmpv6.option.name_type icmpv6.option.name_type.fqdn icmpv6.option.name_x501 icmpv6.option.rsa.key_hash icmpv6.option.type icmpv6.ra.cur_hop_limit icmpv6.ra.reachable_time icmpv6.ra.retrans_timer icmpv6.ra.router_lifetime icmpv6.recursive_dns_serv icmpv6.type

RIP
rip.route_tag rip.routing_domain rip.version

PPP
ppp.address ppp.control ppp.direction ppp.protocol

MPLS
mpls.bottom mpls.cw.control mpls.cw.res mpls.exp mpls.label mpls.oam.bip16 mpls.oam.defect_location mpls.oam.defect_type mpls.oam.frequency mpls.oam.function_type mpls.oam.ttsi mpls.ttl bgp.aggregator_as bgp.aggregator_origin bgp.as_path bgp.cluster_identifier bgp.cluster_list bgp.community_as bgp.community_value icmp.seq icmp.type bgp.local_pref bgp.mp_nlri_tnl_id

BGP
bgp.mp_reach_nlri_ipv4_prefix bgp.mp_unreach_nlri_ipv4_prefix bgp.multi_exit_disc bgp.next_hop bgp.nlri_prefix bgp.origin bgp.originator_id bgp.type bgp.withdrawn_prefix

ICMP
icmp.checksum icmp.checksum_bad icmp.code icmp.ident icmp.mtu icmp.redir_gw

HTTP
http.accept http.proxy_authorization http.proxy_connect_host http.proxy_connect_port http.referer http.request http.request.method http.request.uri http.request.version http.response http.response.code http.server http.set_cookie http.transfer_encoding http.user_agent http.www_authenticate http.x_forwarded_for http.accept_encoding http.accept_language http.authbasic http.authorization http.cache_control http.connection http.content_encoding http.content_length http.content_type http.cookie http.date http.host http.last_modified http.location http.notification http.proxy_authenticate

DTP
dtp.neighbor dtp.tlv_len dtp.tlv_type dtp.version vtp.neighbor

VTP
vtp.code vtp.conf_rev_num vtp.followers vtp.md vtp.md5_digest vtp.md_len vtp.seq_num vtp.start_value vtp.upd_id vtp.upd_ts vtp.version vtp.vlan_info.802_10_index vtp.vlan_info.isl_vlan_id vtp.vlan_info.len vtp.vlan_info.mtu_size vtp.vlan_info.status.vlan_susp vtp.vlan_info.tlv_len vtp.vlan_info.tlv_type vtp.vlan_info.vlan_name vtp.vlan_info.vlan_name_len vtp.vlan_info.vlan_type

by Jeremy Stretch

v1.0