Tuesday, April 30, 2013

IP Sec an overview

Sunday, April 28, 2013

Bhagavad Gita Part II

Tuesday, April 23, 2013

Ping using tcl in GNS3

It's always wise to use tcl script to ping all the interfaces (particularly if there are many) in Router or simulator like GNS3.
Sample script.
foreach address { } {ping $address}

Monday, April 22, 2013

TS - 642-832

1. IP security (IPSec) is built into IPv6, whereas it is an awkward add-on in IPv4. With IPv6, two devices can dynamically negotiate security parameters and build a secure tunnel between them with no user intervention.

2. A static route can be used to form an adjacency between EBGP neighbors.

3. If your AS passes traffic from another AS to the third AS, BGP should not advertise a route before all routers in your AS learn about the route via IGP. BGP waits until IGP propagates the route within the AS and advertises it to external peers. A BGP router with synchronization enabled does not install iBGP learned routes into its routing table if it is not able to validate those routes in its IGP. Issue the no synchronization command under router bgp in order to disable synchronization. This prevents BGP from validating iBGP routes in IGP.

4. The IBGP routers don’t have to be directly connected.

5. To summarize BGP prefixes into one aggregated route, use the “aggregate-address” command. When used alone, this will advertise the aggregate route, along with the individual specific routing entries. To advertise only the aggregated route, use the “summary-only” keyword.If the router learns about more than one route to the same destination, the route with the highest weight will be preferred. Weight is a cisco BGP parameter that is local to router. When terminating multiple ISP connections into the same router, weight can be used to affect which path is chosen for outbound traffic.

6. In general, all IBGP peers must be configured to be fully meshed. If they are not, then all of the IBGP routers will not have the updated information from the external BGP routers. There are two ways to overcome the scalability issues of a full IBGP mesh: route reflectors and confederations. With route reflectors, internal BGP routers peer only with the route reflector, and then the route reflectors connect with each other. This can considerably reduce the number of IBGP sessions. Another solution is the use of confederations. With confederations, the AS is broken up into smaller, more manageable sub autonomous systems.
A network in the BGP table with a next hop address of means that the network is locally originated via redistribution of IGP into BGP, or via a network or aggregate command in the BGP configuration.
If in “show ip bgp” output, the AS path ends with? We know that all the routes had been redistributed into BGP.

7. Possible reasons for OSPF routes not showing up include the use of distribute lists to control routing and no metric is configured either with redistribute command or with default-metric. Remember while redistributing into RIP or EIGRP, you should provide the metric. Here are the default seed metrics for various protocols.
RIP: infinity
EIGRP: infinity
OSPF: 20
IS-IS : 0

8. The route-map command is used to configure policy routing. A route-map is defined using syntax
R(config)#route-map map-tag [permit/deny]
The map-tag is the name or ID of route-map. This map-tag can be set to something easily recognizable name. The route-map command changes the mode on the router to the route-map configuration mode, from there conditions can be configured for the route-map.
Route-map operates similar to access lists, by examining one line at a time and when a match is found, action is taken. Route maps are different from numbered access lists because they can be modified without changing the entire list. Each route map statement is given a no . If a seq no is not specified, the first route map condition will automatically be numbered as 10. The second will automatically be numbered as 20 and so on . The optional seq no can be used to indicate the position that a  new route map is to have in the list of route maps already configured with same name.

9. Use the distribute-list command to pick and choose which routing updated a router will send or receive. By referencing an access list, the distribute-list creates a route filter. This is a set of rules that precisely controls what routes a router will send or receive in a routing update. This command is available for all IP routing protocols and can be applied to either inbound or outbound routing updates. When applied to inbound updates, the syntax for configuring a route filter is as follows.
R(config)#distribute-list access-list number in
When applied to outbound syntax can be more complicated
R(config)#distribute-list access-list number out

10.The ip helper–address command is used to have the cisco IOS software forward User  Datagram protocol(UDP) broadcasts, including BOOTP, received on an interface. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closet to client. The helper address should specify the address of the DHCP server.

Note: a dhcp server can be considered as a bootp server, even though a dhcp server is more advanced.

11. To forward a Bootp/dhcp request from client to the dhcp server, the ip helper-address interface command is used . The ip helper-address can be configured to forward any UDP broadcast based  on UDP port number. By default , the ip helper-address will forward the following UDP broadcasts: DNS(port 53), time service (port 37) Trivial file transfer protocol (tftp) terminal access control access system (TACACS) service (port 49) NetBios name server (port 137), Netbios datagram server (port 138) Boot protocol (DHCP/BootP) client and server datagram (port 67 and 68) and name service (port 42).

12. DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices might use broadcasts to locate TFTP servers. Some clients might need to broadcast to locate a TACACS security server. In a complex hierarchical network, clients might not reside on the same subnet as key servers. Such remote clients broadcast to locate these servers, but routers, by default, do not forward client broadcasts beyond their subnet. Some clients are unable to make a connection without services such as DHCP. For this reason, the administrator must provide DHCPand DNS servers on all subnets or use the Cisco IOS software helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative problems, so the first option is not very appealing. When possible, administrators use the iphelper-address command to relay broadcast requests for these key User Datagram Protocol(UDP) services. By using the ip helper-address command, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address

13. A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The agents forward requests and replies between clients and servers when they are not on the same physical subnet. The Cisco IOS DHCP relay agent is enabled on an interface only when the ip helper-address is configured. If multiple helper-addresses are configured, it tries to get response from first, if no response got from the first helper address then sends the request to second one.

15. While routers accept and generate broadcasts, they do not forward them. This can be quite a problem when a broadcast needs to get to a device such as a DHCP or TFTP server that's on one side of a router with other subnets on the other side. If this PC attempts to locate a DNS server with a broadcast, the broadcast will be stopped by the router and will never get to the DNS server. By configuring the ip helper-address command on the router, UDP broadcasts such as this will be translated into a unicast by the router, making the communication possible. The command should be configured on the interface that will be receiving the broadcasts.
R1( config)#int e0 R1(config-if)#ip helper-address ? A.B.C.D IP destination address
R1( config-if)#ip helper-address
This command does forward eight common UDP service broadcasts by default. TIME, port 37 TACACS, port 49 DNS, port 53 BOOTP/DHCP Server, port 67 BOOTP/DHCP Client, port 68 TFTP, port 69 NetBIOS name service, port 137 NetBIOS datagram service, port 138 That's going to cover most scenarios where the ip helper-address command will be useful, but what about those situations where the broadcast you need forwarded is not on this list? You can use the ip forward-protocol command to add any UDP port number to the list. In this particular case, ports 67 and 68 were not included, so the BOOTP packets will not be sent to the DHCP server.

16. When configuring the Router as a DHCP server you should follow these steps:
Define the pool using ip dhcp pool
Define the network to assign to client to the pool using : network network/mask
Define the lease time using lease days
Define the DNS server to resolve name/ip using: dns-server
Define the Default Gateway to assign to the client: degault-router

17. HSRP uses a priority scheme to determine which HSRP-configured router is to be the default
active router. To configure a router as the active router, you assign it a priority that is higher than
the priority of all the other HSRP-configured routers. The default priority is 100, so if you configure
just one router to have a higher priority, that router will be the default active router.
HSRP works by the exchange of multicast messages that advertise priority among HSRPconfigured
routers. When the active router fails to send a hello message within a configurable
period of time, the standby router with the highest priority becomes the active router. The transition
of packet- forwarding functions between routers is completely transparent to all hosts on the
HSRP-configured routers exchange three types of multicast messages:
Hello - The hello message conveys to other HSRP routers the router's HSRP priority and state
information. By default, an HSRP router sends hello messages every three seconds.
Coup - When a standby router assumes the function of the active router, it sends a coup message.
Resign - A router that is the active router sends this message when it is about to shut down or
when a router that has a higher priority sends a hello message.
At any time, HSRP-configured routers are in one of the following states:
Active - The router is performing packet-transfer functions.
Standby - The router is prepared to assume packet-transfer functions if the active router fails.
Speaking and listening - The router is sending and receiving hello messages.
Listening - The router is receiving hello messages.
The standby preempt interface configuration command allows the router to become the active
router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.
The configurations of both routers include this command so that each router can be the standby
router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If
you do not use the standby preempt command in the configuration for a router, that router cannot
become the active router.

18. Each router in an HSRP group has its own unique IP address assigned to an interface. This
address is used for all routing protocol and management traffic initiated by or destined to the
router. In addition, each router has a common gateway IP address, the virtual router address, that
is kept alive by HSRP. This address is also referred to as the HSRP address or the standby
address. Clients can point to that virtual router address as their default gateway, knowing that a
router always keeps
virtual (standby) address must be configured to be in the same IP subnet. You can assign the
HSRP address with the following interface command:
Switch( config-if)# standby group ip ip-address [secondary]
When HSRP is used on an interface that has secondary IP addresses, you can add the secondary
keyword so that HSRP can provide a redundant secondary gateway address.
You can configure a router to preempt or immediately take over the active role if its priority is the
highest at any time. Use the following interface configuration command to allow preemption:
Switch( config-if)# standby group preempt [delay seconds]
By default, the router can preempt another immediately, without delay. You can use the delay
keyword to force it to wait for seconds before becoming active. This is usually done if there are
routing protocols that need time to converge.

19. The standby preempt interface configuration command allows the router to become the active
router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.
The configurations of both routers include this command so that each router can be the standby
router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If
you do not use the standby preempt command in the configuration for a router, that router cannot
become the active router.

20. HSRP election is based on a priority value (0 to 255) that is configured on each router in the
group. By default, the priority is 100. The router with the highest priority value (255 is highest)
becomes the active router for the group. If all router priorities are equal or set to the default value,
the router with the highest IP address on the HSRP interface becomes the active router. To set the
priority, use the following interface configuration command:
Switch( config-if)# standby group priority priority
When HSRP is configured on an interface, the router progresses through a series of states before
becoming active. This forces a router to listen for others in a group and see where it fits into the
pecking order. The HSRP state sequence is Disabled, Init, Listen, Speak, Standby, and, finally,

21. The standby preempt interface configuration command allows the router to become the active
router when its priority is higher than all other HSRP-configured routers in this Hot Standby group.
The configurations of both routers include this command so that each router can be the standby
router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If
you do not use the standby preempt command in the configuration for a router, that router cannot
become the active router.

22. If the output shows the standby router is unknown, and the active timer is
expired meaning that this router was unable to locate any other HSRP enabled routers on the
LAN. It then became the active router, with no standby router.
The technique of supplying a false ip address
GLBP performs a similar, but not identical, function for the user as the HSRP and VRRP. Both
HSRP and VRRP protocols allow multiple routers to participate in a virtual router group configured
with a virtual IP address. One member is elected to be the active router to forward packets sent to
the virtual IP address for the group. The other routers in the group are redundant until the active
router fails. With standard HSRP and VRRP, these standby routers pass no traffic in normal
operation - which is wasteful. Therefore the concept cam about for using multiple virtual router
groups, which are configured for the same set of routers. But to share the load, the hosts must be
configured for different default gateways, which results in an extra administrative burden of going
around and configuring every host and creating 2 or more groups of hosts that each use a different
default gateway.
GLBP is similar in that it provides load balancing over multiple routers (gateways) - but it can do
this using only ONE virtual IP address!!! Underneath that one virtual IP address is multiple virtual
MAC addresses, and this is how the load is balanced between the routers. Instead of the hassle of
configuring all the hosts with a static Default Gateway, you can lket them use ARP's to find their
own. Multiple gateways in a "GLBP redundancy group" respond to client Address Resolution
Protocol (ARP) requests in a shared and ordered fashion, each with their own unique virtual MAC
addresses. As such, workstation traffic is divided across all possible gateways. Each host is
configured with the same virtual IP address, and all routers in the virtual router group participate in
forwarding packets

23. The transition from IPv4 to IPv6 does not require an upgrade on all nodes at the same time. Many
transition mechanisms like dual stack, tunneling etc enable smooth integration of IPv4 to IPv6.
You can configure IPv4 as well as IPv6 Address on same router's same interface, so you can
route IPv4 route and IPv6 route simultaneously.
Here is the example to configure IPv4 and IPv6 address on the same interface:
Router( Config)#int s0/0
Router( Config-if)#ip address
Router( Config-if)#ipv6 address affe::1/64

24. STP States
To participate in STP, each port of a switch must progress through several states. A port begins its
life in a Disabled state, moving through several passive states and, finally, into an active state if
allowed to forward traffic. The STP port states are as follows: Disabled -Ports that are
administratively shut down by the network administrator, or by the system due to a fault condition,
are in the Disabled state. This state is special and is not part of the normal STP progression for a
port. Blocking - After a port initializes, it begins in the Blocking state so that no bridging loops can
form. In the Blocking state, a port cannot receive or transmit data and cannot add MAC addresses
to its address table. Instead, a port is allowed to receive only BPDUs so that the switch can hear
from other neighboring switches. In addition, ports that are put into standby mode to remove a
bridging loop enter the Blocking state. Listening - The port will be moved from Blocking to
Listening if the switch thinks that the port can be selected as a Root Port or Designated Port. In
other words, the port is on its way to begin forwarding traffic. In the Listening state, the port still
cannot send or receive data frames. However, the port is allowed to receive and send BPDUs so
that it can actively participate in the Spanning Tree topology process. Here, the port is finally
allowed to become a Root Port or Designated Port because the switch can advertise the port by
sending BPDUs to other switches. Should the port lose its Root Port or Designated Port status, it
returns to the Blocking state. Learning - After a period of time called the Forward Delay in the
Listening state, the port is allowed to move into the Learning state. The port still sends and
receives BPDUs as before. In addition, the switch can now learn new MAC addresses to add to its
address table. This gives the port an extra period of silent participation and allows the switch to
assemble at least some address table information. Forwarding -After another Forward Delay
period of time in the Learning state, the port is allowed to move into the Forwarding state. The port
can now send and receive data frames, collect MAC addresses in its address table, and send and
receive BPDUs. The port is now a fully functioning switch port within the Spanning Tree topology.

25. By default, switches with Cisco PVST and PVST+ maintain a separate spanning-tree instance for
each active VLAN configured on it. A bridge ID, consisting of the switch priority and the switch
MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge
ID becomes the root switch for that VLAN.
To configure a switch to become the root for the specified VLAN, use the spanning-tree vlan vlanid
root primary global configuration command to modify the switch priority from the default value
(32768) to a significantly lower value. When this command is entered, the switch checks the
switch priority of the root switches for each VLAN. Because of the extended system ID support,
the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to
become the root for the specified VLAN.
If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its
own priority for the specified VLAN to 4096 less than the lowest switch priority. 4096 is the value of
the least-significant bit of a 4-bit switch priority value.

26. Load Sharing Using STP Port Priorities
When two ports on the same switch form a loop, the STP port priority setting determines which
port is enabled and which port is in a blocking state. The priorities on a parallel trunk port can be
set so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority
(lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority
(higher values) for the same VLAN remains in a Blocking state for that VLAN. One trunk port
sends or receives all traffic for the VLAN.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge
Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a
predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This
bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a
valid network topology.
Max age takes into account that the switch at the periphery of the network should not time out the
root information under stable condition (that is, if the root is still alive). This is the value that max
age needs to take into account the total BPDU propagation delay and the message age
overestimate. As such, the formula for max age is as follows:
= End-to-end_BPDU_propa_delay + Message_age_overestimate
= 14 + 6
= 20 sec
This explains how IEEE reaches the default recommended value for max age.

27. Changing the Spanning Tree Protocol Timers T he STP timers (hello, forward delay, and max
age) are included in each BPDU. An IEEE bridge is not concerned about its local configuration of
the timers value. It will consider the value of the timers contained in the BPDU that it is receiving.
Effectively, that means only a timer configured on the root bridge of the STP is important.
Obviously, in case you would lose the root, the new root would start to impose its local timer value
to the entire network. So, even if it is not required to configure the same timer value in the entire
network, it is at least mandatory to configure any timer changes on the root bridge and on the
backup root bridge.

28. There are several STP timers, as listed below: hello: the hello time is the time between each
Bridge Protocol Data Unit (BPDU) that is sent on a port. This is equal to two seconds by default,
but can be tuned to be between one and ten seconds. forward delay: the forward delay is the time
spent in the listening and learning state. This is by default equal to 15 seconds, but can be tuned
to be between four and 30 seconds. max age: the max age timer controls the maximum length of
time a bridge port saves its configuration BPDU information. This is 20 seconds by default and can
be tuned to be between six and 40 seconds.
The STP timers (hello, forward delay, and max age) are included in each BPDU. An IEEE bridge is
not concerned about its local configuration of the timers value. It will consider the value of the
timers contained in the BPDU that it is receiving. Effectively, that means only a timer configured on
the root bridge of the STP is important. Obviously, in case you would lose the root, the new root
would start to impose its local timer value to the entire network. So, even if it is not required to
configure the same timer value in the entire network, it is at least mandatory to configure any timer
changes on the root bridge and on the backup root bridge.
In order to reduce the number of BPDU's in the spanning tree topology, the forward delay and
max-age timers should be increased. This will reduce the BPDU traffic, but it will also increase the
convergence time during a topology change.

29. The command 'show spantree statistics' is the correct IOS command to show spanning tree
statistical information.
The following list various commands to use for troubleshooting Catalyst switches:
show spantree vlan_id - Shows the current state of the spanning tree for the " vlan_id" entered
from the perspective of the switch on which it is entered.
show spantree summary - Provides a summary of connected spanning tree ports by VLAN.
show spantree statistics - Shows spanning tree statistical information.
show spantree backbonefast - Displays whether the spanning tree Backbone Fast Convergence
feature is enabled.
show spantree blockedports - Displays only the blocked ports.
show spantree portstate - Determines the current spanning tree state of a Token Ring port within a
spanning tree.
show spantree portvlancost - Shows the path cost for the VLANs on a port.
show spantree uplinkfast - Shows the uplinkfast settings.

30.When Switch port security rules violate different action can be applied:
1. Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.
2. Restrict: Frames from the nonallowed address are dropped, a log message is created, and a
Simple Network Management Protocol (SNMP) trap is sent.
3. Shutdown: If any frames are seen from a nonallowed address, the interface is errdisabled, a log
entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used
to make the interface usable.

31.A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks.
MAC spoofing attacks consist of malicious clients generating traffic by using MAC addresses that
do not belong to them. IP spoofing attacks are exactly like MAC spoofing attacks, except that the
client uses an IP address that isn't his.

32. VLAN maps, also known as VLAN ACLs or VACLs, can filter all traffic traversing a switch. VLAN
maps can be configured on the switch to filter all packets that are routed into or out of a VLAN, or
are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router
ACLs, VLAN maps are not defined by direction (input or output).
To create a VLAN map and apply it to one or more VLANs, perform these steps: Create the
standard or extended IP ACLs or named MAC extended ACLs to be applied to the VLAN. This
access-list will select the traffic that will be either forwarded or dropped by the access-map. Only
traffic matching the 'permit' condition in an access-list will be passed to the access-map for further
processing. Enter the vlan access-map access-map-name [ sequence ] global configuration
command to create a VLAN ACL map entry. Each access-map can have multiple entries. The
order of these entries is determined by the sequence. If no sequence number is entered, accessmap
entries are added with sequence numbers in increments of 10. In access map configuration
mode, optionally enter an action forward or action drop. The default is to forward traffic. Also enter
the match command to specify an IP packet or a non-IP packet (with only a known MAC address),
and to match the packet against one or more ACLs (standard or extended). Use the vlan filter
access-map-name vlan-list vlan-list global configuration command to apply a VLAN map to one
or more VLANs. A single access-map can be used on multiple VLANs.

33. Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN
pairs, one for each subdomain. A subdomain is represented by a primary VLAN and a secondary
VLAN. All secondary (private vlan) share the same primary VLANs.
There are two types of secondary VLANs:
* Isolated VLANs-Ports within an isolated VLAN cannot communicate with each other at the Layer
2 level.
* Community VLANs-Ports within a community VLAN can communicate with each other but
cannot communicate with ports in other communities at the Layer 2 level.

34. On a multilayer switch, you can also enable Layer 3 functionality for an entire VLAN on the switch. This allows a network address to be assigned to a logical interface-that of the VLAN itself. This is useful when the switch has many ports assigned to a common VLAN, and routing is needed in and out of that VLAN.
The logical Layer 3 interface is known as an SVI . However, when it is configured, it uses the
much more intuitive interface name vlan vlan-id , as if the VLAN itself is a physical interface. First,
define or identify the VLAN interface, and then assign any Layer 3 functionality to it with the
following configuration commands:
Switch( config)# interface vlan vlan-id
Switch( config-if)# ip address ip-address mask [secondary]
The VLAN must be defined and active on the switch before the SVI can be used. Make sure the
new VLAN interface is also enabled with the no shutdown interface configuration command

35. The purpose of NSF is to enable the Layer 3 switch to continue forwarding packets from an NSF capable neighboring router when the primary route processor (RP) is failing and the backup RP is taking over. So it prevents the route flapping and it depends on FIB (Forwarding Information Base) table.

36. CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Protocol ( SNAP). Because CDP runs over the data-link layer only, two systems that support different network-layer protocols can learn about each other. Communication between Switch and IP Phone is performed by CDP protocol

37. Port security is especially useful in the face of MAC address flooding attacks. In these attacks, an
attacker tries to fill up a switch's CAM tables by sending a large number of frames to it with source
MAC addresses that the switch is unaware of at that time. The switch learns about these MAC
addresses and puts them in its CAM table, thinking that these MAC addresses actually exist on
the port on which it is receiving them. In reality, this port is under the attacker's control and a
machine connected to this port is being used to send frames with spoofed MAC addresses to the
switch. If the attacker keeps sending these frames in a large-enough quantity, and the switch
continues to learn of them, eventually the switch's CAM table becomes filled with entries for these
bogus MAC addresses mapped to the compromised port.
Under normal operations, when a machine receiving a frame responds to it, the switch learns that
the MAC address associated with that machine sits on the port on which it has received the
response frame. It puts this mapping in its CAM table, allowing it to send any future frames
destined for this MAC address directly to this port rather than flood all the ports on the VLAN.
However, in a situation where the CAM table is filled up, the switch is unable to create this CAM
entry. At this point, when the switch receives a legitimate frame for which it does not know which
port to forward the frame to, the switch floods all the connected ports belonging to the VLAN on
which it has received the frame. The switch continues to flood the frames with destination
addresses that do not have an entry in the CAM tables to all the ports on the VLAN associated
with the port it is receiving the frame on.