Post on 19-Nov-2014
transcript
FIRST HOP REDUNDANCY packetlife.net
First Hop Redundancy Protocols
Hot Standby Router Protocol
Provides default gateway redundancy using one
active and one standby router; standardized but
licensed by Cisco
Virtual Router Redundancy Protocol
An open-standard alternative to Cisco's HSRP,
providing the same functionality
Gateway Load Balancing Protocol
Supports arbitrary load balancing in addition to
redundancy across gateways; Cisco proprietary
Protocols Comparison
                 | HSRP      | VRRP       | GLBP
Standard         | RFC 2281  | RFC 3768   | Cisco
Load Balancing   | No        | No         | Yes
IPv6 Support     | Yes       | No         | Yes
Transport        | UDP 1985  | IP 112     | UDP 3222
Default Priority | 100       | 100        | 100
Default Hello    | 3s        | 1s         | 3s
Multicast Group  | 224.0.0.2 | 224.0.0.18 | 224.0.0.102
HSRP Operation VRRP Operation GLBP Operation
HSRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 standby version {1 | 2}
 standby 1 ip 10.0.1.1
 standby 1 timers <hello> <dead>
 standby 1 priority <priority>
 standby 1 preempt
 standby 1 authentication md5 key-string <password>
 standby 1 track <interface> <value>
 standby 1 track <object> decrement <value>
VRRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 vrrp 1 ip 10.0.1.1
 vrrp 1 timers {advertise <hello> | learn}
 vrrp 1 priority <priority>
 vrrp 1 preempt
 vrrp 1 authentication md5 key-string <password>
 vrrp 1 track <object> decrement <value>
GLBP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 glbp 1 ip 10.0.1.1
 glbp 1 timers <hello> <dead>
 glbp 1 timers redirect <redirect> <time-out>
 glbp 1 priority <priority>
 glbp 1 preempt
 glbp 1 forwarder preempt
 glbp 1 authentication md5 key-string <password>
 glbp 1 load-balancing <method>
 glbp 1 weighting <weight> lower <lower> upper <upper>
 glbp 1 weighting track <object> decrement <value>
HSRP/GLBP Interface States
Speak · Gateway election in progress
Active · Active router/VG
Standby · Backup router/VG
Listen · Not the active router/VG
VRRP Interface States
Master · Acting as the virtual router
Backup · All non-master routers
GLBP Roles
Active Virtual Gateway (AVG) · Answers for the virtual
router and assigns virtual MAC addresses to group members
Active Virtual Forwarder (AVF) · All routers which forward
traffic for the group (may include the AVG)
GLBP Load Balancing
Round-Robin (default) · The AVG answers host ARP requests
for the virtual router with the next router in the cycle
Host-Dependent · Round-robin cycling while maintaining a
consistent AVF for each host
Weighted · GLBP weight determines the proportionate share
of hosts handled by each AVF
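The three load-balancing methods above, together with the weighting thresholds from the GLBP configuration section, are easier to reason about with a small model of the AVG answering ARP. The Python below is an added illustration, not part of the packetlife sheet and not IOS code. The Forwarder and ActiveVirtualGateway classes, the virtual MAC values, the smooth weighted round-robin used for the weighted method, and the exact threshold comparisons (an AVF drops out when its weight falls below `lower` and rejoins once it reaches `upper`) are all assumptions made for this example.

```python
"""Model of GLBP AVF selection by the AVG (hypothetical example, not IOS code)."""
from collections import Counter


class Forwarder:
    """One Active Virtual Forwarder with its GLBP weighting state.

    Threshold semantics are an assumption for this model: the AVF stops
    forwarding when its weight falls below `lower` and resumes once the
    weight climbs back to `upper` or above (hysteresis).
    """

    def __init__(self, name, vmac, weight=100, lower=1, upper=100):
        self.name, self.vmac = name, vmac
        self.weight, self.lower, self.upper = weight, lower, upper
        self.active = weight >= lower

    def adjust(self, delta):
        """Apply a tracked-object decrement (negative) or recovery (positive)."""
        self.weight += delta
        if self.active and self.weight < self.lower:
            self.active = False
        elif not self.active and self.weight >= self.upper:
            self.active = True


class ActiveVirtualGateway:
    """The AVG answers ARP for the virtual IP with one AVF's virtual MAC."""

    def __init__(self, forwarders, method="round-robin"):
        if method not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError(f"unknown load-balancing method {method!r}")
        self.forwarders = list(forwarders)
        self.method = method
        self.rr_index = 0          # position in the round-robin cycle
        self.host_map = {}         # host MAC -> Forwarder (host-dependent)
        self.credit = {}           # Forwarder name -> smooth WRR credit (weighted)

    def _eligible(self):
        active = [f for f in self.forwarders if f.active]
        if not active:
            raise RuntimeError("no active virtual forwarder")
        return active

    def _next_round_robin(self):
        active = self._eligible()
        chosen = active[self.rr_index % len(active)]
        self.rr_index += 1
        return chosen

    def _next_weighted(self):
        """Smooth weighted round-robin: hosts are spread in proportion to weight."""
        active = self._eligible()
        total = sum(f.weight for f in active)
        for f in active:
            self.credit[f.name] = self.credit.get(f.name, 0) + f.weight
        chosen = max(active, key=lambda f: self.credit[f.name])
        self.credit[chosen.name] -= total
        return chosen

    def answer_arp(self, host_mac):
        """Return the virtual MAC placed in the ARP reply sent to host_mac."""
        if self.method == "round-robin":
            return self._next_round_robin().vmac
        if self.method == "weighted":
            return self._next_weighted().vmac
        # host-dependent: the same AVF for a given host, cycling only for new hosts
        fwd = self.host_map.get(host_mac)
        if fwd is None or not fwd.active:
            fwd = self._next_round_robin()
            self.host_map[host_mac] = fwd
        return fwd.vmac


def share(avg, hosts):
    """Count how many ARP replies name each virtual MAC (helper for the demo)."""
    return dict(Counter(avg.answer_arp(h) for h in hosts))


def demo():
    """Constructed sample: two AVFs, a 2:1 weighting, then a tracked-object failure."""
    r1 = Forwarder("R1", "0007.b400.0101", weight=200, lower=70, upper=90)
    r2 = Forwarder("R2", "0007.b400.0102", weight=100, lower=70, upper=90)
    hosts = [f"host{i}" for i in range(300)]
    weighted = share(ActiveVirtualGateway([r1, r2], "weighted"), hosts)
    r2.adjust(-40)     # tracked object fails: 60 < lower 70, R2 stops forwarding
    after_fail = share(ActiveVirtualGateway([r1, r2], "round-robin"), hosts[:4])
    r2.adjust(+40)     # recovers: 100 >= upper 90, R2 forwards again
    return weighted, after_fail, r2.active
```

Running `demo()` shows the weighted method handing 200 of 300 hosts to R1 and 100 to R2, every host going to R1 while R2's weight sits below the lower threshold, and R2 becoming eligible again only after its weight climbs back past the upper threshold.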
Troubleshooting
show standby [brief] show vrrp [brief]
show glbp [brief] show track [brief]
by Jeremy Stretch v1.0
IEEE 802.11 WIRELESS · PART 1 packetlife.net
IEEE Standards
                    | 802.11a | 802.11b | 802.11g   | 802.11n (Draft)
Maximum Throughput  | 54 Mbps | 11 Mbps | 54 Mbps   | 300 Mbps
Frequency           | 5 GHz   | 2.4 GHz | 2.4 GHz   | 2.4/5 GHz
Modulation          | OFDM    | DSSS    | DSSS/OFDM | OFDM
Channels (FCC/ETSI) | 21/19   | 11/13   | 11/13     | 32/32
Ratified            | 1999    | 1999    | 2003      | N/A
WLAN Types
Ad Hoc · A WLAN between isolated stations
with no central point of control; an IBSS
Infrastructure · A WLAN attached to a wired
network via an access point; a BSS or ESS
Frame Types
Type Class
Association Management
Authentication Management
Probe Management
Beacon Management
Request To Send (RTS) Control
Clear To Send (CTS) Control
Acknowledgment (ACK) Control
Data Data
Client Association
Modulations
Scheme | Modulation | Throughput
DSSS   | DBPSK      | 1 Mbps
DSSS   | DQPSK      | 2 Mbps
DSSS   | CCK        | 5.5, 11 Mbps
OFDM   | BPSK       | 6, 9 Mbps
OFDM   | QPSK       | 12, 18 Mbps
OFDM   | 16-QAM     | 24, 36 Mbps
OFDM   | 64-QAM     | 48, 54 Mbps
WLAN Components
Basic Service Area (BSA) · The physical area covered by the wireless
signal of a BSS
Basic Service Set (BSS) · A set of stations and/or access points which
can directly communicate via a wireless medium
Distribution System (DS) · The wired infrastructure connecting
multiple BSSs to form an ESS
Extended Service Set (ESS) · A set of multiple BSSs connected by a DS
which appear to wireless stations as a single BSS
Independent BSS (IBSS) · An isolated BSS with no connection to a DS;
an ad hoc WLAN
Measuring RF Signal Strength
Decibel (dB) · An expression of signal strength as compared to a
reference signal; calculated as 10log10(signal/reference)
dBm · Signal strength compared to a 1 milliwatt signal
dBw · Signal strength compared to a 1 watt signal
dBi · Compares forward antenna gain to that of an isotropic antenna
Terminology
Basic Service Set Identifier (BSSID) · A MAC address (typically
belonging to an AP) which serves to uniquely identify a BSS
Service Set Identifier (SSID) · A human-friendly text string which
identifies a BSS (up to 32 characters in length)
Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) ·
The mechanism which facilitates efficient communication across a shared
wireless medium (provided by DCF or PCF)
Effective Isotropic Radiated Power (EIRP) · An expression of net
signal strength (transmitter power + antenna gain - cable loss)
by Jeremy Stretch v1.0
IEEE 802.11 WIRELESS · PART 2 packetlife.net
Distributed Coordination Function
Interframe Spacing
Short IFS (SIFS) · Used to provide minimal spacing delay
between control frames or data fragments
DCF IFS (DIFS) · Normal spacing enforced under DCF for
management and nonfragment data frames
Arbitrated IFS (AIFS) · Variable spacing calculated to
accommodate differing qualities of service (QoS)
Extended IFS (EIFS) · Extended delay imposed after
detecting errors in a received frame
Encryption Schemes
Wired Equivalent Privacy (WEP) · Deprecated encryption
mechanism which employs a flawed RC4 implementation and a
40- or 104-bit preshared encryption key
Wi-Fi Protected Access (WPA) · A temporary fix for the
flaws in WEP; implements an improved RC4-based encryption
called Temporal Key Integrity Protocol (TKIP) which can
operate on WEP-capable hardware
IEEE 802.11i (WPA2) · IEEE standard developed to replace
WPA; requires a new generation of hardware to implement
significantly stronger AES-based CCMP encryption
Client Authentication
Open · No authentication is used
Preshared Encryption Keys · Keys must be manually
entered into clients and access points before a secure
connection can be established
Lightweight EAP (LEAP) · Deprecated Cisco-proprietary
EAP method introduced to provide dynamic keying for
WEP
EAP-TLS · Employs Transport Layer Security (TLS); PKI
certificates are required on the AP and clients to provide
mutual authentication
EAP-TTLS · Clients authenticate the AP with its cert, then
form a secure tunnel inside which the client authentication
takes place; removes the requirement for a PKI cert on the
client
Protected EAP (PEAP) · A proposal by Cisco, Microsoft,
and RSA which forms a secure tunnel like EAP-TTLS and
does not require a cert on the client
EAP-FAST · Developed by Cisco to replace LEAP;
establishes a secure tunnel using a Protected Access
Credential (PAC) in the absence of PKI certs
Quality of Service Markings
WMM      | 802.11e | 802.1p
Platinum | 7       | 6
Platinum | 6       | 5
Gold     | 5       | 4
Gold     | 4       | 3
Silver   | 3       | 0
Silver   | 0       | 0
Bronze   | 2       | 2
Bronze   | 1       | 1
Wi-Fi Multimedia (WMM) · A Wi-Fi Alliance
certification for QoS; a subset of 802.11e
802.11e · Official IEEE WLAN QoS standard ratified
in 2005; replaces WMM
802.1p · QoS markings in the 802.1Q header on
wired Ethernet LANs shown for comparison
RF Signal Interference
Reflection Scattering Absorption
Refraction Diffraction
Antenna Types
Directional · Radiates power in one or several focused directions
Omnidirectional · Radiates power uniformly across a plane
Isotropic · A theoretical antenna referenced when measuring
effective radiated power
by Jeremy Stretch v1.0
IEEE 802.1X packetlife.net
802.1X Header
EAP Header
EAP Flow Chart
Configuration
Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control
Interface Configuration
! Configure static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req <count>
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3
Terminology
Extensible Authentication Protocol (EAP) · A flexible
authentication framework defined in RFC 3748
EAP Over LANs (EAPOL) · The encapsulation used by 802.1X
to carry EAP across a layer two segment
Supplicant · The device on one end of a link that requests
authentication by the authenticator
Authenticator · The device that controls the status of a link;
typically a wired switch or wireless access point
Authentication Server · A backend server which
authenticates the credentials provided by supplicants (for
example, a RADIUS server)
Guest VLAN · Fallback VLAN for clients not 802.1X-capable
Restricted VLAN · Fallback VLAN for clients which fail
authentication
802.1X Packet Types
0 EAP Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert
Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Reauth Period 3600s
Server Timeout 30s
Supplicant Timeout 30s
Tx Period 30s
EAP Codes
1 Request
2 Response
3 Success
4 Failure
EAP Req/Resp Types
1 Identity
2 Notification
3 Nak
4 MD5 Challenge
5 One Time Password
6 Generic Token Card
254 Expanded Types
255 Experimental
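The packet-type, code and type tables above are exactly what a port-authentication monitor needs to turn captured EAPOL frames into readable log lines. The parser below is an added example, not code from the packetlife sheet: it decodes the EAPOL header (Version, Type, Length) and the EAP header (Code, Identifier, Length, and the Type octet present on Requests and Responses) as defined in IEEE 802.1X and RFC 3748, and refuses frames whose length fields do not match what was captured. The sample PDUs are constructed by hand for the example; the `describe` helper and its output format are assumptions.

```python
"""Parse EAPOL / EAP headers from captured frames (added example, not from the sheet)."""
import struct

# Tables from the 802.1X and EAP sections of the sheet.
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eap(body):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data...]."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} bytes")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):                      # Request/Response carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        eap["type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        eap["data"] = bytes(body[5:length])
    return eap


def parse_eapol(pdu):
    """Parse an EAPOL PDU (the Ethernet payload after EtherType 0x888E):
    Version(1) Type(1) Length(2) Body."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) < length:
        raise ValueError(f"EAPOL body truncated: want {length}, have {len(body)}")
    parsed = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        parsed["eap"] = parse_eap(body)
    return parsed


def describe(pdu):
    """One-line summary suitable for a port-authentication log (format assumed)."""
    p = parse_eapol(pdu)
    if "eap" not in p:
        return f"EAPOLv{p['version']} {p['type']}"
    e = p["eap"]
    kind = f"{e['code']}/{e['type']}" if "type" in e else e["code"]
    return f"EAPOLv{p['version']} EAP {kind} id={e['id']}"


# Constructed sample PDUs (hex strings built by hand for this example).
EAPOL_START = bytes.fromhex("01010000")                       # v1, EAPOL-Start, length 0
EAP_REQ_IDENTITY = bytes.fromhex("01000005" "0101000501")     # authenticator asks for identity
EAP_RESP_IDENTITY = bytes.fromhex("0100000a" "0201000a01") + b"alice"
EAP_SUCCESS = bytes.fromhex("01000004" "03020004")
TRUNCATED = bytes.fromhex("0100000a" "0201000a01") + b"ali"   # length says 10, only 8 present
```

Feeding `TRUNCATED` to `parse_eapol` raises a `ValueError` rather than returning a half-parsed identity, which is the behaviour you want before any captured field is trusted in a log or alert.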
Port-Control Options
force-authorized · Port will always remain in authorized state
(default setting)
force-unauthorized · Port will always remain in unauthorized
state, ignoring authentication attempts
auto · Port is authorized only in the presence of a successfully
authenticated supplicant
Troubleshooting
show dot1x [interface <interface>]
show dot1x statistics interface <interface>
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
by Jeremy Stretch v1.0
IPV4 MULTICAST packetlife.net
Layer 2 Addressing
Bits 1-24 Multicast OUI of 01-00-5E
Bit 25 Always set to zero
Bits 26-48 Carried over from lower 23 bits of IP address
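Because only 23 of the 28 group-ID bits survive the mapping described above, 32 different IPv4 groups share every multicast MAC. The Python below is an added example, not part of the packetlife sheet: it performs the mapping bit by bit as the three rows describe and then enumerates the groups that alias to the same layer-2 address, which is what you need to know when a switch's MAC-based filtering (or an IGMP snooping table) cannot separate two groups. The helper names and the sample group lists are assumptions made for the example.

```python
"""IPv4 multicast group to MAC address mapping (added example; not from the sheet)."""
import ipaddress

MCAST_OUI = 0x01005E          # 01-00-5E, the first 24 bits of every IPv4 multicast MAC


def multicast_mac(group):
    """Map an IPv4 multicast group to its layer-2 address.

    Bits 1-24: the 01-00-5E OUI; bit 25: always 0; bits 26-48: the low 23
    bits of the group address.  The upper 5 bits of the 28-bit group ID are
    not carried, so the mapping is many-to-one.
    """
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF                      # keep 23 bits; bit 25 stays 0
    mac = (MCAST_OUI << 24) | low23
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def aliased_groups(group):
    """All 32 multicast groups that share a MAC with `group` (same low 23 bits)."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | base)) for hi in range(32)]


def groups_by_mac(groups):
    """Bucket configured groups by their shared MAC; two groups in one bucket
    cannot be told apart by a switch that filters on the destination MAC."""
    buckets = {}
    for g in groups:
        buckets.setdefault(multicast_mac(g), []).append(g)
    return buckets
```

For example `multicast_mac("224.0.0.1")` and `multicast_mac("224.128.0.1")` both return `01-00-5E-00-00-01`, and `aliased_groups("224.0.0.1")` lists the full set of 32 colliding groups up to `239.128.0.1`.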
Terminology
Reverse Path Forwarding (RPF) · Verifies that multicast traffic travels in the
reverse direction of unicast traffic, away from the tree root
Internet Group Management Protocol (IGMP) · End hosts issue IGMP
requests to local routers to join multicast groups
Cisco Group Management Protocol (CGMP) · A proprietary protocol used by
switches to obtain multicast membership information for end hosts
IGMP Configuration
IGMP Support Router(config-if)# ip igmp [version {1|2|3}]
IGMP Snooping Switch(config)# ip igmp snooping
Protocol Independent Multicast
Dense Mode · The initial tree encompasses all multicast routers; after a period
of time, routers without IGMP members prune back branches
Sparse Mode · The tree is grown from a central rendezvous point out to the
multicast source and recipients
Sparse-Dense Mode · Allows a PIM-enabled interface to function in either
sparse or dense mode per group
PIMv1 · Provides automatic RP discovery with Auto-RP (Cisco proprietary)
PIMv2 · Automatic RP discovery is accomplished by the bootstrap router
method (standards based)
PIM Configuration
ip multicast-routing
!
interface FastEthernet0/0
 ip pim {sparse-mode | dense-mode | sparse-dense-mode}
 ip pim version {1 | 2}
RP Configuration
Manual ip pim rp-address <IP>
Auto-RP Mapping Agent ip pim send-rp-discovery scope <TTL>
Auto-RP Candidate ip pim send-rp-announce <interface>
BSR Candidate ip pim bsr-candidate <interface>
BSR RP Candidate ip pim rp-candidate <interface>
Ranges
224.0.0.0/24 Local network control
224.0.1.0/24 Internetwork control
232.0.0.0/8 Source-specific
233.0.0.0/8 GLOP (RFC 3180)
239.0.0.0/8 Admin-scoped
Common Groups
224.0.0.1 All hosts
224.0.0.2 All routers
224.0.1.39 Cisco RP Announce
224.0.1.40 Cisco RP Discovery
Distribution Trees
Shared · A common, static set of links
which carry all multicast traffic;
administratively constructed
Source-Rooted · Provide the shortest
paths from the source to receivers
IGMP
IGMPv1 · End hosts send requests to
local routers to receive multicast traffic
for a particular group
IGMPv2 · Adds support for dynamic
leave requests and querier election
IGMPv3 · Adds multicast source filtering
capability
IGMP Snooping · A switch passively
inspects IGMP requests to determine
which hosts should receive layer two
multicast traffic
IGMP Troubleshooting
show ip igmp
show ip igmp group
show ip igmp interface
show ip igmp snooping
ip igmp join-group
PIM Troubleshooting
show ip mroute
show ip pim interface
show ip pim neighbor
show ip pim rp [mapping]
show ip rpf <IP>
by Jeremy Stretch v1.0
IPV6 packetlife.net
Protocol Header
Version (4 bits) · Always set to 6
Traffic Class (8 bits) · A DSCP value for QoS
Flow Label (20 bits) · Identifies unique flows (optional)
Payload Length (16 bits) · Length of the payload in bytes
Next Header (8 bits) · Header or protocol which follows
Hop Limit (8 bits) · Functions as IPv4's time to live field
Source Address (128 bits) · Source IP address
Destination Address (128 bits) · Destination IP address
Address Types
Unicast · One-to-one communication
Multicast · One-to-many communication
Anycast · An address configured in multiple locations
Address Notation
Step 1 · Eliminate all leading zeros
Step 2 · Replace up to one set of consecutive zeros with a
double-colon
Address Formats
Global unicast
Link-local unicast
Multicast
EUI-64 Formation
Step 1 · Insert 0xfffe between the two halves of the MAC
Step 2 · Flip the seventh bit (universal/local flag) to 1
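The two notation steps and the two EUI-64 steps above are each a short algorithm, and writing them out catches the details that bite in practice (only one `::` run, never compressing a lone zero group, which bit is the universal/local flag). The Python below is an added example, not code from the packetlife sheet. It follows the sheet's steps directly; where the sheet says "up to one set" of zeros it chooses the longest run (leftmost on a tie), which is the RFC 5952 convention, and it inverts the U/L bit rather than forcing it to 1, which gives 1 for any vendor-assigned MAC. Function names and the sample MAC are assumptions.

```python
"""IPv6 text notation and EUI-64 interface IDs (added example, not from the sheet)."""
import ipaddress


def compress_ipv6(addr):
    """Apply the sheet's two notation steps to any IPv6 address.

    Step 1: drop leading zeros in every 16-bit group.
    Step 2: replace one run of consecutive all-zero groups with '::'.  The
    longest run is chosen (leftmost on a tie) and a single zero group is
    never compressed, matching RFC 5952 and ipaddress's canonical form.
    """
    groups = [g.lstrip("0") or "0"                     # Step 1
              for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):                              # Step 2: find longest zero run
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def eui64_interface_id(mac):
    """Build the 64-bit interface ID from a 48-bit MAC.

    Step 1: insert 0xfffe between the two 24-bit halves of the MAC.
    Step 2: invert the universal/local bit (seventh bit of the first octet);
    for a vendor-assigned MAC that bit is 0, so it becomes 1.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """fe80::/64 link-local address derived from the MAC, in compressed form."""
    return compress_ipv6("fe80:0:0:0:" + eui64_interface_id(mac))
```

`link_local_from_mac("00:1a:2b:3c:4d:5e")` yields `fe80::21a:2bff:fe3c:4d5e`: the `ff:fe` in the middle and the flipped bit in `02` are the two EUI-64 fingerprints an analyst recognises in a capture, and the reason privacy extensions exist.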
Special-Use Ranges
::/0 Default route
::/128 Unspecified
::1/128 Loopback
::/96 IPv4-compatible*
::FFFF:0:0/96 IPv4-mapped
2001::/32 Teredo
2001:DB8::/32 Documentation
2002::/16 6to4
FC00::/7 Unique local
FE80::/10 Link-local unicast
FEC0::/10 Site-local unicast*
FF00::/8 Multicast
* Deprecated
Extension Headers
Hop-by-hop Options (0) · Carries additional information which must be
examined by every router in the path
Routing (43) · Provides source routing functionality
Fragment (44) · Included when a packet has been fragmented by its source
Encapsulating Security Payload (50) · Provides payload encryption (IPsec)
Authentication Header (51) · Provides packet authentication (IPsec)
Destination Options (60) · Carries additional information which pertains only to
the recipient
Transition Methods
Dual Stack · Running IPv4 and IPv6 on all devices simultaneously
Tunneling · IPv6 packets are encapsulated into IPv4 using IPv6-in-IP, UDP
(Teredo), or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Translation · Stateless IP/ICMP Translation (SIIT) translates IP header fields and
NAT Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses
by Jeremy Stretch v1.1
IPSEC packetlife.net
Protocols
Internet Security Association and Key Management Protocol
(ISAKMP) · A framework for the negotiation and management of
security associations between peers; traverses UDP port 500
Internet Key Exchange (IKE) · Responsible for key agreement using
public key cryptography
Encapsulating Security Payload (ESP) · Provides data encryption,
data integrity, and peer authentication; IP protocol 50
Authentication Header (AH) · Provides data integrity and peer
authentication, but not data encryption; IP protocol 51
IPsec Modes
Transport Mode · The ESP or AH header is inserted behind the IP
header; the IP header can be authenticated but not encrypted
Tunnel Mode · A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Encryption Algorithms
     | Type       | Key                  | Strength
DES  | Symmetric  | 56-bit               | Weak
3DES | Symmetric  | 168-bit              | Medium
AES  | Symmetric  | 128, 192, or 256-bit | Strong
RSA  | Asymmetric | 1024-bit minimum     | Strong
Hashing Algorithms
      | Length  | Strength
MD5   | 128-bit | Medium
SHA-1 | 160-bit | Strong
IKE Phases
Phase 1 · A bidirectional ISAKMP SA is
established between peers to provide a secure
management channel; IKE is performed in main
mode or aggressive mode
Phase 1.5 (optional) · Xauth can optionally be
implemented to enforce user authentication
Phase 2 · Two unidirectional IPsec SAs are
established for data transfer using separate
keys; IKE quick mode is used
Configuration
ISAKMP Policy
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
ISAKMP Pre-Shared Secret Key
crypto isakmp key 0 MySecretKey address 10.0.0.2
IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
IPsec Profile
crypto ipsec profile MyProfile
 set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
Terminology
Data Integrity · Secure hashing (HMAC) is used to ensure
data has not been altered in transit
Data Confidentiality · Encryption is used to ensure data
cannot be intercepted by a third party
Data Origin Authentication · Peer authentication
Anti-replay · Sequence numbers are used to detect and
block duplicate packets
Hash-based Message Authentication Code (HMAC) · A
hash of the data and secret key used to provide message
authenticity
Diffie-Hellman · A method of establishing a shared secret
key over an insecure path using public and private keys
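Two of the terms above, Data Integrity (HMAC) and Anti-replay (sequence numbers), fit together in a specific order on the receiving side, and the sliding window that ESP and AH use is small enough to show in full. The Python below is an added example, not code from the packetlife sheet and not Cisco's implementation: it models the RFC 4303 style replay window (accept anything newer than the highest sequence seen, accept late packets only if they are inside the window and not already marked, reject everything older) and verifies the HMAC before the window is touched, so a forged packet can never advance it. The packet format (4-byte sequence number, payload, full HMAC-SHA256 tag), the key and the traffic are constructed for the example; real ESP also carries an SPI, an IV and a truncated ICV.

```python
"""Integrity check plus anti-replay window, modelled on ESP/AH (added example)."""
import hashlib
import hmac
import struct

TAG_LEN = 32   # full HMAC-SHA256 output (ESP truncates its ICV; this model does not)


class ReplayWindow:
    """Sliding window of the last `size` sequence numbers, as in RFC 4303.

    `highest` is the largest sequence number accepted; bit i of `bitmap` is set
    when `highest - i` has been seen.  Sequence number 0 is never valid.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:
            return False
        if seq > self.highest:                        # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                       # older than the window
            return False
        if (self.bitmap >> offset) & 1:               # already seen: replay
            return False
        self.bitmap |= 1 << offset                    # late but new: accept
        return True


def protect(key, seq, payload):
    """Sender side (constructed format): seq (4 bytes) || payload || HMAC tag."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def receive(key, window, packet):
    """Receiver side: verify the HMAC before touching the window, then apply
    the anti-replay check.  Returns ("accept", seq) or ("reject", reason)."""
    if len(packet) < 4 + TAG_LEN:
        return ("reject", "truncated")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):        # constant-time compare
        return ("reject", "bad-hmac")
    seq = struct.unpack("!I", body[:4])[0]
    if not window.check_and_update(seq):
        return ("reject", "replay-or-stale")
    return ("accept", seq)


def demo():
    """Constructed traffic: in-order packets, one reordered, one replayed, one tampered."""
    key = b"constructed-demo-key-not-a-real-secret"
    window = ReplayWindow(size=64)
    pkts = {n: protect(key, n, f"payload-{n}".encode()) for n in (1, 2, 3, 5, 4)}
    results = [receive(key, window, pkts[n])[0] for n in (1, 2, 3, 5, 4)]
    results.append(receive(key, window, pkts[2])[1])            # replay of seq 2
    tampered = bytearray(pkts[3])
    tampered[4] ^= 0xFF                                         # flip a payload byte
    results.append(receive(key, window, bytes(tampered))[1])
    return results
```

`demo()` accepts 1, 2, 3, 5 and the late 4, rejects the second copy of 2 as a replay, and rejects the tampered copy of 3 with `bad-hmac` even though its sequence number would also have failed the replay check; integrity is decided first.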
Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto isakmp
debug crypto ipsec
by Jeremy Stretch v1.1
QUALITY OF SERVICE · PART 1 packetlife.net
Quality of Service Models
Best Effort · No QoS policies are implemented
Integrated Services (IntServ) · Resource Reservation Protocol (RSVP) is used to
reserve bandwidth per flow across all nodes in a path
Differentiated Services (DiffServ) · Packets are individually classified and marked;
policy decisions are made independently at each node in a path
Layer 2 QoS Markings
Medium      | Name                      | Type
Ethernet    | Class of Service (CoS)    | 3-bit 802.1p field in 802.1Q header
Frame Relay | Discard Eligibility (DE)  | 1-bit drop eligibility flag
ATM         | Cell Loss Priority (CLP)  | 1-bit drop eligibility flag
MPLS        | Experimental Field (EXP)  | 3-bit field compatible with 802.1p
IP QoS Markings
Precedence · The first three bits of the IP TOS field are evaluated; compatible with
Ethernet CoS and MPLS EXP values
DSCP · The first six bits of the IP TOS are evaluated to provide more granular
classification; backward-compatible with IP Precedence
QoS Flowchart
Terminology
Per-Hop Behavior (PHB) · The individual QoS action performed at each DiffServ
node according to its configured policy
Trust Boundary · The perimeter beyond which QoS markings are not trusted
Tail Drop · Occurs when a packet is dropped because its queue is full
Policing · Creates an artificial ceiling on the amount of bandwidth that may be
consumed; traffic exceeding the cap can be remarked or dropped
Shaping · Similar to policing but buffers excess traffic for delayed transmission;
makes more efficient use of bandwidth but introduces a delay
TCP Synchronization · Flows adjust window sizes in sync, wasting bandwidth
Per-Hop Behaviors
Class Selector (CS) · Backward-compatible with IP Precedence values
Assured Forwarding (AF) · Four classes
with variable drop preferences
Expedited Forwarding (EF) · Provides
priority queuing for delay-sensitive traffic
Congestion Avoidance
Random Early Detection (RED) ·
Packets are randomly dropped before a
queue is full to prevent tail drop;
mitigates TCP synchronization
Weighted RED (WRED) · RED with the
added capability of recognizing
prioritized traffic by its marking
IP Type of Service (TOS)
Precedence Values
Prec. | Binary | Application
7     | 111    | Reserved
6     | 110    | Routing
5     | 101    | Voice
4     | 100    | Streaming Video
3     | 011    | Call Signaling
2     | 010    | Transactional
1     | 001    | Bulk Data
0     | 000    | Best Effort
DSCP Values
DSCP | Binary | Prec. | PHB
56   | 111000 | 7     | Reserved
48   | 110000 | 6     | Reserved
46   | 101110 | 5     | EF
32   | 100000 | 4     | CS4
34   | 100010 | 4     | AF41
36   | 100100 | 4     | AF42
38   | 100110 | 4     | AF43
24   | 011000 | 3     | CS3
26   | 011010 | 3     | AF31
28   | 011100 | 3     | AF32
30   | 011110 | 3     | AF33
16   | 010000 | 2     | CS2
18   | 010010 | 2     | AF21
20   | 010100 | 2     | AF22
22   | 010110 | 2     | AF23
8    | 001000 | 1     | CS1
10   | 001010 | 1     | AF11
12   | 001100 | 1     | AF12
14   | 001110 | 1     | AF13
0    | 000000 | 0     | BE
by Jeremy Stretch v1.2
QUALITY OF SERVICE · PART 2 packetlife.net
Queuing Comparison Chart
                           | FIFO      | PQ        | CQ         | WFQ       | CBWFQ      | LLQ
Default on interfaces      | >2 Mbps   | No        | No         | <=2 Mbps  | No         | No
Number of queues           | 1         | 4         | Configured | Dynamic   | Configured | Configured
Configurable classes       | No        | Yes       | Yes        | No        | Yes        | Yes
Bandwidth allocation       | Automatic | Automatic | Configured | Automatic | Configured | Configured
Provides for minimal delay | No        | Yes       | No         | No        | No         | Yes
Modern implementation      | Yes       | No        | No         | No        | Yes        | Yes
First In First Out (FIFO)
» Packets are transmitted in the order
they are processed
» No prioritization is provided
» Default queuing method on high-speed (>2 Mbps) interfaces
» Configurable with the tx-ring-limit
interface configuration command
Priority Queuing (PQ)
» Provides four static queues which
cannot be reconfigured
» Higher-priority queues are always
emptied before lower-priority queues
» Lower-priority queues are at risk of
bandwidth starvation
LLQ Configuration Example
! *** Class definitions ***
class-map match-all Voice
 ! Matches packets by DSCP value
 match dscp ef
!
class-map match-all Call-Signaling
 match dscp cs3
!
class-map match-any Critical-Apps
 match dscp af21 af22
 ! Matches packets by access list
 match access-group name Mgmt_LAN
!
class-map match-all Scavenger
 match dscp cs1
!
! *** Policy creation ***
policy-map Foo
 class Voice
  ! Priority queue policed to 33%
  priority percent 33
 class Call-Signaling
  ! Allocate 5% of bandwidth
  bandwidth percent 5
 class Critical-Apps
  bandwidth percent 20
  ! Extend queue size to 96 packets
  queue-limit 96
 class Scavenger
  ! Police to 64 kbps
  police cir 64000 conform-action transmit exceed-action drop
 class class-default
  ! Enable WFQ
  fair-queue
  ! Enable WRED
  random-detect
!
! *** Policy application ***
interface Serial0
 service-policy output Foo
Troubleshooting
show policy-map
show interface
show queue <interface>
show mls qos
Custom Queuing (CQ)
» Rotates through queues using
Weighted Round Robin (WRR)
» A configurable number of bytes is
processed from each queue per turn
» Prevents queue starvation but does
not support delay-sensitive traffic
Weighted Fair Queuing (WFQ)
» Queues are dynamically created per
flow to ensure fair processing
» Statistically drops packets from
aggressive flows more often
» No support for delay-sensitive traffic
Class-Based WFQ (CBWFQ)
» Provides the benefits of WFQ with
administratively configured queues
» Each queue is allocated an amount or
percentage of bandwidth
» No support for delay-sensitive traffic
Low Latency Queuing (LLQ)
» CBWFQ with the addition of a policed
strict priority queue
» Highly configurable while still
supporting delay-sensitive traffic
by Jeremy Stretch v1.2
THE QoS BASELINE AT-A-GLANCE
The QoS Baseline is a strategic document designed to unify QoS within Cisco. The QoS Baseline provides uniform, standards-based recommendations to help ensure that QoS products, designs, and deployments are unified and consistent.
The QoS Baseline defines up to 11 classes of traffic that may be viewed as critical to a given enterprise. A summary of these classes and their respective standards-based markings and recommended QoS configurations are shown below.
Interactive-Video refers to IP Video-Conferencing; Streaming Video is either unicast or multicast uni-directional video; Voice refers to VoIP bearer traffic only (and does not include Call-Signaling traffic).
The (Locally-Defined) Mission-Critical class is intended for a subset of Transactional Data applications that contribute most significantly to the business objectives (this is a non-technical assessment).
The Transactional Data class is intended for foreground, user-interactive applications such as database access, transaction services, interactive messaging, and preferred data services.
The Bulk Data class is intended for background, non-interactive traffic flows, such as large file transfers, content distribution, database synchronization, backup operations, and email.
The IP Routing class is intended for IP Routing protocols, such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), etc.
The Call-Signaling class is intended for voice and/or video signaling traffic, such as Skinny, SIP, H.323, etc.
The Network Management class is intended for network management protocols, such as SNMP, Syslog, DNS, etc.
Standards-based marking recommendations allow for better integration with service-provider offerings as well as other internetworking scenarios.
In Cisco IOS Software, rate-based queuing translates to CBWFQ; priority queuing is LLQ. DSCP-Based WRED (based on RFC 2597) drops AFx3 before AFx2, and in turn drops AFx2 before AFx1. RSVP is recommended (whenever supported) for Voice and/or Interactive-Video admission control.
Cisco products that support QoS features will use these QoS Baseline recommendations for marking, scheduling, and admission control.
The Scavenger class is based on an Internet 2 draft that defines a “less-than-Best Effort” service. In the event of link congestion, this class will be dropped the most aggressively.
The Best Effort class is also the default class. Unless an application has been assigned for preferential/deferential service, it will remain in this default class. Most enterprises have hundreds, if not thousands, of applications on their networks; the majority of which will remain in the Best Effort service class.
The QoS Baseline recommendations are intended as a standards-based guideline for customers, not as a mandate. Customers do not have to deploy all 11 traffic classes, but may start with simple QoS models and expand over time as business needs arise, as shown in the diagram to the right.
Copyright © 2005 Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)
Application        | L3 Classification (PHB / DSCP) | Recommended Configuration                 | Referencing Standard
Transactional Data | AF21 / 18                      | Rate-Based Queuing + DSCP-WRED            | RFC 2597
Call-Signaling     | CS3 / 24                       | Rate-Based Queuing + RED                  | RFC 2474-4.2.2
Streaming Video    | CS4 / 32                       | RSVP + Rate-Based Queuing + RED           | RFC 2474-4.2.2
Interactive-Video  | AF41 / 34                      | RSVP + Rate-Based Queuing + DSCP-WRED     | RFC 2597
Voice              | EF / 46                        | RSVP Admission Control + Priority Queuing | RFC 3246
Network Mgmt       | CS2 / 16                       | Rate-Based Queuing + RED                  | RFC 2474-4.2.2
Bulk Data          | AF11 / 10                      | Rate-Based Queuing + DSCP-WRED            | RFC 2597
Scavenger          | CS1 / 8                        | No BW Guarantee + RED                     | Internet 2
Best Effort        | 0 / 0                          | BW Guarantee Rate-Based Queuing + RED     | RFC 2474-4.1
IP Routing         | CS6 / 48                       | Rate-Based Queuing + RED                  | RFC 2474-4.2.2
Mission-Critical   | AF31 / 26                      | Rate-Based Queuing + DSCP-WRED            | RFC 2597
Diagram: QoS models expanding over time
5 Class Model · Realtime, Call Signaling, Critical Data, Best Effort, Scavenger
8 Class Model · Voice, Video, Call Signaling, Network Control, Critical Data, Bulk Data, Best Effort, Scavenger
QoS Baseline Model · Voice, Interactive-Video, Streaming Video, Call Signaling, IP Routing, Network Mgmt, Mission-Critical, Transactional, Bulk Data, Best Effort, Scavenger
Quality of Service reference card (John Cordier Academy, www.jcacademy.com, v.2.0)
QUALITY OF SERVICE MODELS
DiffServ · Soft QoS, or Differentiated Service
IntServ · Hard QoS, or Integrated Service (or Guaranteed Service); uses RSVP
QUALITY OF SERVICE MECHANISMS
This reference card is about Differentiated Service.
• Classification
• Marking
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
• Link Efficiency Mechanisms
CLASSIFICATION AND MARKING AT THE DATA LINK LAYER
Priority at Layer 2 is called Class of Service (CoS). Depending on the protocol run at the data link layer, 1 (Frame Relay, ATM), 2 (ISL) or 3 (IEEE 802.1p/Q, MPLS) bits are used to prioritize the traffic. The following table shows a possible baseline when 3 bits are used.
CoS Value | CoS   | Baseline
111       | CoS 7 |
110       | CoS 6 |
101       | CoS 5 | Voice Bearer
100       | CoS 4 | Videoconference
011       | CoS 3 | Call-Signalling
010       | CoS 2 | High-Priority Data
001       | CoS 1 | Medium-Priority Data
000       | CoS 0 | Best Effort
IEEE 802.1p/Q · Tagged Ethernet frame: Preamble, SFD, DA, SA, TPID (2 bytes), TCI (2 bytes), T/L, Data, FCS. The TCI carries PRI (3 bits), CFI (1 bit) and VLAN ID (12 bits); the 3 PRI bits are used for CoS (802.1p user priority).
ISL (Cisco Proprietary) · ISL header (26 bytes), encapsulated frame (1 to 24.5 KBytes), FCS (4 bytes). Header fields: DA, Type, User, SA, LEN, AAAA03, HSA, VLAN, BPDU, INDEX, RES. 2 bits of the User field are used for CoS:
User code XX00 · Normal Priority
User code XX01 · Priority 1
User code XX10 · Priority 2
User code XX11 · Highest Priority
MPLS · Frame header, MPLS header (32 bits: Label, EXP, S, TTL), IP header, payload. The 3 EXP bits are used for CoS.
Frame Relay · Header (2 bytes) between Flag and Information/FCS: DLCI, C/R, EA, FECN, BECN, DE. The DE (Discard Eligible) bit is used for CoS: 0 = high priority frame, 1 = low priority frame (increased drop probability).
ATM · Header (5 bytes; UNI and NNI formats) followed by a 48-byte payload: GFC, VPI, VCI, PT, CLP, HEC. The CLP (Cell Loss Priority) bit is used for CoS: 0 = high priority cell, 1 = low priority cell (increased drop probability).
CLASSIFICATION AND MARKING AT THE NETWORK LAYER
IPv4 header · Version, Header Length, TOS (1 byte), Total length, Identification, Flags, Fragment offset, TTL, Protocol, Header checksum, Source Address, Destination Address, Options and Padding, Data
IPv6 header · Version, Traffic Class (1 byte), Flow label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address, Extension Header Info, Data
ToS Byte (IPv4) / Traffic Class (IPv6): IP precedence
Bits b0-b2 of the byte carry the IP Precedence.
IP Precedence Value | Description         | Baseline
111                 | Network (reserved)  |
110                 | Internet (reserved) |
101                 | Critical            | Voice Bearer
100                 | Flash-override      | Videoconference
011                 | Flash               | Call-Signalling
010                 | Immediate           | High-Priority Data
001                 | Priority            | Medium-Priority Data
000                 | Routine             | Best Effort
ToS Byte (IPv4) / Traffic Class (IPv6): DSCP
Bits b0-b5 carry the DSCP (b0-b2 remain the IP Precedence); bits b6-b7 are the flow control (ECN) bits.
PHB group                                                  | PHB     | DSCP bits | DSCP (decimal) | TOS value (decimal) | Drop probability
Best Effort                                                | Default | 000000    | 0              | 0                   |
Class Selector (backward compatibility with IP Precedence) | CS1     | 001000    | 8              | 32                  |
Class Selector                                             | CS2     | 010000    | 16             | 64                  |
Class Selector                                             | CS3     | 011000    | 24             | 96                  |
Class Selector                                             | CS4     | 100000    | 32             | 128                 |
Class Selector                                             | CS5     | 101000    | 40             | 160                 |
Class Selector                                             | CS6     | 110000    | 48             | 192                 |
Class Selector                                             | CS7     | 111000    | 56             | 224                 |
Assured Forwarding                                         | AF11    | 001010    | 10             | 40                  | Low
Assured Forwarding                                         | AF12    | 001100    | 12             | 48                  | Medium
Assured Forwarding                                         | AF13    | 001110    | 14             | 56                  | High
Assured Forwarding                                         | AF21    | 010010    | 18             | 72                  | Low
Assured Forwarding                                         | AF22    | 010100    | 20             | 80                  | Medium
Assured Forwarding                                         | AF23    | 010110    | 22             | 88                  | High
Assured Forwarding                                         | AF31    | 011010    | 26             | 104                 | Low
Assured Forwarding                                         | AF32    | 011100    | 28             | 112                 | Medium
Assured Forwarding                                         | AF33    | 011110    | 30             | 120                 | High
Assured Forwarding                                         | AF41    | 100010    | 34             | 136                 | Low
Assured Forwarding                                         | AF42    | 100100    | 36             | 144                 | Medium
Assured Forwarding                                         | AF43    | 100110    | 38             | 152                 | High
Expedited Forwarding                                       | EF      | 101110    | 46             | 184                 |
ECN: Explicit Congestion Notification (bits b6-b7)
00 · Non ECN-Capable
01 · ECN-Capable Transport (ECT 1)
10 · ECN-Capable Transport (ECT 0)
11 · Congestion Experienced (CE)
QOS BASELINE
Application           | L3 Classification PHB | DSCP
IP Routing            | CS6                   | 48
Voice                 | EF                    | 46
Interactive-Video     | AF41                  | 34
Streaming-Video       | CS4                   | 32
Mission-Critical Data | AF31                  | 26
Call-Signaling        | CS3                   | 24
Transactional Data    | AF21                  | 18
Network-Management    | CS2                   | 16
Bulk Data             | AF11                  | 10
Scavenger             | CS1                   | 8
Best-Effort           | 0                     | 0
REFERENCES
IntServ
• RFC 2212: Specification of Guaranteed Quality of Service, see www.ietf.org/rfc/rfc2212.txt
• RFC 2211: Specification of the Controlled-Load Network Element Service, see www.ietf.org/rfc/rfc2211.txt
ToS Byte / Traffic Class
• RFC 791: Internet Protocol, DARPA Internet Program Protocol Specification, see www.ietf.org/rfc/rfc0791.txt
• RFC 1349: Type of Service in the Internet Protocol Suite, see www.ietf.org/rfc/rfc1349.txt
• RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, see www.ietf.org/rfc/rfc2474.txt
DiffServ
• RFC 3246 (previously RFC 2598): An Expedited Forwarding PHB (Per-Hop Behavior), see www.ietf.org/rfc/rfc3246.txt
• RFC 2597: Assured Forwarding PHB Group, see www.ietf.org/rfc/rfc2597.txt
• RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP, see www.ietf.org/rfc/rfc3168.txt
Quality of service reference card © v.2.0 · JOHN CORDIER ACADEMY · www.jcacademy.com
SPANNING TREE · PART 1 packetlife.net
Spanning Tree Protocols
Spanning Tree Instance Comparison
             Legacy STP    PVST        PVST+         RSTP                  RPVST+        MST
Algorithm    Legacy ST     Legacy ST   Legacy ST     Rapid ST              Rapid ST      Rapid ST
Definition   802.1D-1998   Cisco       Cisco         802.1w, 802.1D-2004   Cisco         802.1s, 802.1Q-2003
Instances    One           Per VLAN    Per VLAN      One                   Per VLAN      Configurable
Trunking     N/A           ISL         802.1Q, ISL   N/A                   802.1Q, ISL   802.1Q, ISL
BPDU Format
Field Bits
Protocol ID 16
Version 8
BPDU Type 8
Flags 8
Root ID 64
Root Path Cost 32
Bridge ID 64
Port ID 16
Message Age 16
Max Age 16
Hello Time 16
Forward Delay 16
Default Timers
Hello 2s
Forward Delay 15s
Max Age 20s
Spanning Tree Specifications
Open Standards
IEEE 802.1D-1998 · Deprecated legacy STP standard
IEEE 802.1w · Introduced Rapid STP (RSTP)
IEEE 802.1D-2004 · Replaced legacy STP with RSTP
IEEE 802.1s · Introduced Multiple Spanning Tree (MST)
IEEE 802.1Q-2003 · Added MST to 802.1Q
Cisco Proprietary Implementations
PVST · Per-VLAN implementation of legacy STP
PVST+ · Added 802.1Q trunking to PVST
RPVST+ · Per-VLAN implementation of RSTP
Link Costs
Bandwidth Cost
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
622 Mbps 6
1 Gbps 4
10 Gbps 2
Port States
Legacy ST Rapid ST
Disabled Discarding
Blocking Discarding
Listening Discarding
Learning Learning
Forwarding Forwarding
Spanning Tree Operation
1 Determine root bridge · The bridge advertising the lowest bridge ID becomes the root bridge
2 Select root port · Each bridge selects its primary port facing the root
3 Select designated ports · One designated port is selected per segment
4 Block ports with loops · All non-root and non-designated ports are blocked
Port Roles
Legacy ST Rapid ST
Root Root
Designated Designated
Blocking Alternate
Blocking Backup
by Jeremy Stretch v2.0
SPANNING TREE · PART 2 packetlife.net
PVST+ and RPVST+ Configuration
! Set STP type
spanning-tree mode {pvst | rapid-pvst}
! Bridge priority
spanning-tree vlan 1-4094 priority 32768
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
spanning-tree vlan 1-4094 forward-time 15
spanning-tree vlan 1-4094 max-age 20
! Enabling PortFast by default
spanning-tree portfast default
! PVST+ Enhancements
spanning-tree backbonefast
spanning-tree uplinkfast
! Interface attributes
interface FastEthernet0/1
 spanning-tree [vlan 1-4094] port-priority 128
 spanning-tree [vlan 1-4094] cost 19
 ! Manual link type specification
 spanning-tree link-type {point-to-point | shared}
 ! Enables spanning tree if running PVST+, or
 ! designates an edge port under RPVST+
 spanning-tree portfast
 ! Spanning tree protection
 spanning-tree guard {loop | root | none}
 ! Per-interface toggling
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
MST Configuration
! Set STP type
spanning-tree mode mst
! MST Configuration
spanning-tree mst configuration
 name MyTree
 revision 1
 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19
Bridge ID Format
Priority · 4-bit configurable priority (configurable from 0 to 61440 in increments of 4096)
System ID Extension · 12-bit value taken from VLAN number
MAC Address · 48-bit value to ensure uniqueness
Path Selection
1 Prefer the neighbor advertising the lowest root ID
2 Prefer the neighbor advertising the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID
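The Bridge ID Format and Path Selection sections above describe two comparisons: how a 64-bit bridge ID is assembled so that a lower priority always beats a lower MAC, and the four-field ordering by which a bridge chooses the best BPDU. The following is an added example, not code from the cheat sheet: it builds bridge IDs, elects a root for a VLAN, and ranks BPDUs in the card's order. The switch names, MAC addresses and port IDs are constructed sample data; the `Bpdu` class and the function names are assumptions for illustration.

```python
"""Bridge ID composition, root election and BPDU comparison as on the cheat sheet."""
from dataclasses import dataclass


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority, 12-bit system ID extension (VLAN), 48-bit MAC.
    Only the top four bits of the 16-bit field hold the priority, so it must be a
    multiple of 4096 (0..61440); the VLAN number fills the remaining 12 bits."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC must be 48 bits")
    return ((priority + vlan) << 48) | mac_int


def elect_root(vlan: int, switches) -> str:
    """switches: iterable of (name, priority, mac). The lowest bridge ID wins (step 1
    of Spanning Tree Operation); with equal priorities that is the lowest MAC."""
    return min(switches, key=lambda s: bridge_id(s[1], vlan, s[2]))[0]


@dataclass(frozen=True)
class Bpdu:
    root_id: int
    root_path_cost: int
    sender_bridge_id: int
    sender_port_id: int


def bpdu_key(b: Bpdu):
    """Tuple order realises the card's Path Selection: lowest root ID, then lowest
    cost to root, then lowest sender bridge ID, then lowest sender port ID."""
    return (b.root_id, b.root_path_cost, b.sender_bridge_id, b.sender_port_id)


def best_bpdu(bpdus) -> Bpdu:
    return min(bpdus, key=bpdu_key)


# Constructed sample topology for VLAN 10: three switches at the default priority.
SWITCHES = [("SW1", 32768, "00:1a:2b:00:00:11"),
            ("SW2", 32768, "00:1a:2b:00:00:02"),
            ("SW3", 32768, "00:1a:2b:00:00:33")]


def root_with_new_switch(priority: int) -> str:
    """Root after a fourth switch (highest possible MAC) joins at the given priority.
    Shows why a lower priority on an access-facing port overrides every MAC, which
    is the situation Root Guard on that port is meant to stop."""
    return elect_root(10, SWITCHES + [("NEW", priority, "ff:ff:ff:ff:ff:ff")])


if __name__ == "__main__":
    print("root for VLAN 10:", elect_root(10, SWITCHES))
    print("root after a priority-0 switch joins:", root_with_new_switch(0))
    root = bridge_id(32768, 10, "00:1a:2b:00:00:02")
    b1 = Bpdu(root, 38, bridge_id(32768, 10, "00:1a:2b:00:00:11"), 0x8001)
    b2 = Bpdu(root, 19, bridge_id(32768, 10, "00:1a:2b:00:00:33"), 0x8002)
    print("best BPDU has cost", best_bpdu([b1, b2]).root_path_cost)
```

The `elect_root` comparison is a plain integer comparison because the priority sits in the high-order bits of the ID: that is the whole reason the cheat sheet's Root Guard exists for ports facing devices whose priority you do not control.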
Optional PVST+ Enhancements
PortFast Enables immediate transition into the
forwarding state on edge ports
UplinkFast Enables access switches to maintain backup
paths to root
BackboneFast Enables immediate expiration of the Max Age
timer on an indirect link failure
Spanning Tree Protection
Root Guard Prevents a port from becoming the root port
BPDU Guard Error disables a port if a BPDU is received
Loop Guard Prevents a blocked port from transitioning to
listening after the Max Age timer has expired
BPDU Filter Blocks BPDUs on an interface
RSTP Link Types
Point-to-Point Connects to exactly one other bridge (a full
duplex interface)
Shared Potentially connects to multiple bridges (a half
duplex interface)
Edge Connects to a single host; designated by
applying PortFast
Troubleshooting
show spanning-tree [summary | detail]
show spanning-tree root
show spanning-tree vlan <VLAN>
show spanning-tree interface <interface>
show spanning-tree mst [<instance>] [detail]
show spanning-tree mst configuration
show spanning-tree mst interface <interface>
by Jeremy Stretch v2.0
TCP/IP (IPv4) REFERENCE CARD · JOHN CORDIER ACADEMY

Layer Models
OSI                   DoD                    Protocols
Application Layer     Application Layer      HTTP, SMTP, DNS, FTP, Other
Presentation Layer    Application Layer
Session Layer         Application Layer
Transport Layer       Host-to-host Layer     TCP, UDP
Network Layer         Internet Layer         IP
Datalink Layer        Network Access Layer
Physical Layer        Network Access Layer

IP Header (32 bits per row)
Version (4) | IHL (4) | Service (8) | Total length (16)
Identification (16) | Flags (3) | Fragment offset (13)
TTL (8) | Protocol (8) | Header checksum (16)
Source Address (32)
Destination Address (32)
Options and Padding
Data

Version: IP version number (4 bits)
IHL: Internet header length (4 bits)
Service: Type of service flags (1 byte)
  Precedence (=absolute priority) (3 bits)
  Minimize delay (1 bit)
  Maximize throughput (1 bit)
  Maximize reliability (1 bit)
  Minimize monetary cost (1 bit)
  Reserved for future use (1 bit)
Total length: Total length of IP datagram (2 bytes)
Identification: Unique packet identifier, used to identify the fragments of the datagram (2 bytes)
Flags: Fragmentation flags, indicates if datagram can be fragmented, and if a particular packet is the last in the series of the fragments (3 bits)
Fragment Offset: Fragmentation offset field (13 bits)
TTL: Time to live field (1 byte)
Protocol: Protocol identifier field, identifies the next higher layer protocol (1 byte)
Header Checksum: Checksum field (2 bytes)
Source Address: IP address of the source host (4 bytes)
Destination Address: IP address of the destination host (4 bytes)
Options and Padding: (Variable length)
  Options: Strict source route, Loose source route, Record route, Timestamp, Security

Protocol numbers
1 ICMP · 2 IGMP · 6 TCP · 8 EGP · 9 IGRP · 17 UDP · 46 RSVP · 88 EIGRP · 89 OSPF

IP Address (32 bits): Net number | Host number
10111110 10101100 00100001 00000011 = 190.172.33.3

IP Address Classes
Leading bits  First octet  Class
0             0-126        A
10            128-191      B
110           192-223      C
1110          224-239      D
1111          240-255      E

Class    Number of networks  Number of hosts
Class A  126                 16,777,214
Class B  16,384              65,534
Class C  2,097,152           254

Subnet Mask
IP Address  = NET | SUBNET | HOST (32 bits)
Subnet mask = 11111111 11111111 11111111 00000000 = 255.255.255.0

ARP Header (32 bits per row)
Hardware type (16) | Protocol type (16)
HLEN (8) | PLEN (8) | Operation (16)
Sender HA (0-3)
Sender HA (4-5) | Sender IP (0-1)
Sender IP (2-3) | Target HA (0-1)
Target HA (2-5)
Target IP (0-3)

Hardware type: Identifies the type of hardware interface (2 bytes)
Protocol Type: Identifies the type of protocol the sending device is using (2 bytes)
HLEN: Hardware Address Length (1 byte)
PLEN: Protocol Address Length (1 byte)
Operation: Request or reply (2 bytes)
Sender HA: Sender hardware address (6 bytes)
Sender IP: Sender IP address (4 bytes)
Target HA: Target hardware address (6 bytes)
Target IP: Target IP address (4 bytes)

TCP Header (32 bits per row)
Source port (16) | Destination port (16)
Sequence number (32)
Acknowledgement number (32)
Offset (4) | Reserved (6) | U A P R S F (6) | Window size (16)
Checksum (16) | Urgent pointer (16)
Options and Padding
Data

Source port: Number of the port that initiates the session (2 bytes)
Destination port: Number of the port for which the transmission is destined (2 bytes)
Sequence Number: Used to reconstruct the fragmented data out of the segments (4 bytes)
Acknowledgement number: Used to acknowledge the receipt of a segment (4 bytes)
Offset: Size of the TCP header (4 bits)
Reserved: Set to zero, reserved for future use (6 bits)
Flags (6 bits): Enable the control functions
  Urgent field (URG, 1 bit)
  Acknowledgment (ACK, 1 bit)
  Push (PSH, 1 bit)
  Reset connection (RST, 1 bit)
  Synchronisation of sequence numbers (SYN, 1 bit)
  Finished sending data (FIN, 1 bit)
Window Size: Used to exchange TCP buffer sizes (2 bytes)
Checksum: Checksum field (2 bytes)
Urgent pointer: Points to urgent data in the data field; only valid if the urgent flag is set (2 bytes)
Options and Padding: (variable length)
  Options: Maximum segment size, TCP window scale, Selective acknowledgment, SACK-permitted, TCP timestamps

TCP Ports
7    Echo          25   SMTP
9    Discard       53   DNS
13   Daytime       80   HTTP
17   Qotd          110  POP3
19   Chargen       119  NNTP
20   FTP-data      179  BGP
21   FTP-control   143  IMAP
22   SSH           389  LDAP
23   Telnet        443  HTTPS (s=over SSL)
                   646  MPLS
≤1023: Well known applications
>1023: Proprietary applications and client applications

V1.5 · TCP/IP (IPv4) reference card · JOHN CORDIER ACADEMY

UDP Header (32 bits per row)
Source port (16) | Destination port (16)
Length (16) | Checksum (16)
Data

Source port: Number of the port that initiates the session (2 bytes)
Destination port: Number of the port for which the transmission is destined (2 bytes)
Length: Size of UDP message (2 bytes)
Checksum: Checksum field (2 bytes)

UDP Ports
7    Echo       67   DHCP server   520  RIP
9    Discard    68   DHCP client   646  MPLS
13   Daytime    69   TFTP
17   Qotd       123  NTP
19   Chargen    161  SNMP
53   DNS        162  SNMP trap
≤1023: Well known applications
>1023: Proprietary applications

Important RFCs
RFC 768: User Datagram Protocol · Standard
RFC 791: Internet Protocol v4 · Standard
RFC 792: Internet Control Message Protocol · Standard
RFC 793: Transmission Control Protocol · Standard
RFC 821: Simple Mail Transfer Protocol · Standard
RFC 826: Ethernet Address Resolution Protocol · Standard
RFC 854: Telnet Protocol Specifications · Standard
RFC 959: File Transfer Protocol · Standard
RFC 1157: Simple Network Management Protocol · Standard
RFC 3232: Assigned Numbers · Informational, http://www.iana.org/numbers.html
RFC 1771: Border Gateway Protocol v4 · Draft Standard
RFC 2131: Dynamic Host Configuration Protocol · Draft Standard
RFC 2328: Open Shortest Path First v2 · Standard
RFC 2453: Routing Information Protocol v2 · Standard
RFC 2616: Hypertext Transfer Protocol 1.1 · Draft Standard
Search for RFCs on http://www.rfc-editor.org

Interesting links
Internet Assigned Numbers Authority (IANA) · http://www.iana.org
Internet Corporation for Assigned Names and Numbers (ICANN) · http://www.icann.org
Réseaux IP Européens (RIPE) · http://www.ripe.net
American Registry for Internet Numbers (ARIN) · http://www.arin.net
Asia Pacific Network Information Center (APNIC) · http://www.apnic.net
Internet Engineering Task Force (IETF) · http://www.ietf.org
Institute of Electrical and Electronics Engineers (IEEE) · http://www.ieee.org
InterNIC · http://rs.internic.net
Internet Architecture Board (IAB) · http://www.iab.org
Internet Society (ISOC) · http://www.isoc.org
Internet Software Consortium · http://www.isc.org
World Wide Web Consortium · http://www.w3c.org
Internet Mail Consortium · http://www.imc.org
RFC Editor · http://www.rfc-editor.org
Telindus High-Tech Institute (THTI) · http://www.thti.telindus.be

ICMP
An ICMP message is carried in an IP datagram with Protocol = 1 (Version, IHL, T.O.S., Total length, Identification, Flags, Fragment offset, TTL, Protocol, Header checksum, Source Address, Destination Address, Options and Padding), followed by:
ICMP TYPE (8) | ICMP CODE (8) | Header checksum (16)
Unused or depending on TYPE (see notes) (32)
IP header + 8 octets of original datagram

Type  Code  Meaning
0     0     Echo Reply
3           Destination Unreachable
      0     Network unreachable
      1     Host unreachable
      2     Requested protocol unreachable
      3     Port unreachable
      4     Fragmentation needed, but "Don't Fragment" flag set
      5     Source route has failed
      6     Destination network unknown
      7     Destination host unknown
4     0     Source Quench
5           Redirect
      0     Redirect datagrams for network
      1     Redirect datagrams for host
8     0     Echo Request
9     0     Router advertisement
10    0     Router selection
11          Time Exceeded
      0     Time-to-live exceeded
      1     Fragment reassembly time exceeded
12          Parameter Problem
      0     Pointer indicates the error
      1     Missing a required option
      2     Bad length

Ethernet Frame Formats
DIX Ethernet v2:           DA | SA | E-TYPE | DATA | FCS
IEEE 802.3 + IEEE 802.2:   DA | SA | Length | DSAP 06 | SSAP 06 | Control | DATA | FCS
IEEE 802.3 + 802.2 SNAP:   DA | SA | Length | DSAP AA | SSAP AA | Control | SNAP (00 00 00 + E-TYPE) | DATA | FCS

E-Type (Hex.)
08 00: IP(v4)
08 06: ARP
86 DD: IP(v6)

TCP/IP (IPv4) reference card © v.2.0
JOHN CORDIER ACADEMY
www.jcacademy.com
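The card lays out the IP header field by field but stops short of showing how the fields are packed, how the three Flags bits and the 13-bit Fragment offset share one 16-bit word, or how the Header checksum is verified. The following is an added example and is not part of the reference card: it assembles a 20-byte IPv4 header from constructed addresses, verifies the RFC 791 checksum, decodes Flags, Fragment offset and Protocol using the card's protocol-number table, and classifies the source address by its leading bits. The function names and the sample addresses are assumptions for illustration.

```python
"""Build and parse an IPv4 header as laid out on the card, with checksum verification."""
import struct

# Protocol numbers from the card's table.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 8: "EGP", 9: "IGRP",
             17: "UDP", 46: "RSVP", 88: "EIGRP", 89: "OSPF"}


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Computed over a header whose
    checksum field is already filled in, the result is 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def address_class(ip: str) -> str:
    """Class from the first octet, per the IP Address Classes table."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, dscp=0, ecn=0,
                      ident=0, df=True, mf=False, frag_offset=0) -> bytes:
    """20-byte header without options. Flags bits: reserved, DF, MF (most significant
    first); frag_offset is in 8-octet units as it appears on the wire."""
    flags = (int(df) << 1) | int(mf)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,                 # Version 4, IHL 5 words
                      (dscp << 2) | ecn,            # Service byte
                      20 + payload_len, ident,
                      (flags << 13) | frag_offset,
                      ttl, proto, 0,                # checksum placeholder
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header; raise ValueError on anything inconsistent rather than
    trusting a length or checksum the sender controls."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or ihl > len(packet) or total_len < ihl:
        raise ValueError("IHL/Total length inconsistent with packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    flags = flags_frag >> 13
    src_s, dst_s = ".".join(map(str, src)), ".".join(map(str, dst))
    return {
        "version": version, "ihl": ihl, "tos": tos, "dscp": tos >> 2, "ecn": tos & 3,
        "total_length": total_len, "identification": ident,
        "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,     # bytes into the datagram
        "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOLS.get(proto, "other"),
        "src": src_s, "dst": dst_s, "src_class": address_class(src_s),
        "options": packet[20:ihl],
    }


def header_intact(packet: bytes) -> bool:
    """True when parse_ipv4 accepts the header, False when it rejects it."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the card's 190.172.33.3 as source, EF-marked TCP.
    hdr = build_ipv4_header("190.172.33.3", "10.0.0.1", 40, proto=6, dscp=46, ident=0x1234)
    for k, v in parse_ipv4(hdr).items():
        print("%-16s %s" % (k, v))
```

Corrupting any header byte after construction makes `header_intact` return False, because the stored checksum no longer complements the one's-complement sum of the remaining words.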
VLANS packetlife.net
Trunk Encapsulation
Ethernet Header
VLAN Creation
Switch(config)# vlan 100
Switch(config-vlan)# name Engineering
Access Port Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 150
Trunk Port Configuration
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,100-200
Switch(config-if)# switchport trunk native vlan 10
SVI Configuration
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
VLAN Trunking Protocol
Domain · Common to all switches participating in VTP
Server Mode · Generates and propagates VTP advertisements to
clients; this mode is default on unconfigured switches
Client Mode · Receives and forwards advertisements from servers;
VLANs cannot be manually configured on switches in client mode
Transparent Mode · Forwards advertisements but does not
participate in VTP; VLANs must be configured manually
Pruning · VLANs not having any access ports on an end switch are
removed from the trunk to reduce flooded traffic
VTP Configuration
Switch(config)# vtp mode server
Switch(config)# vtp domain LASVEGAS
Switch(config)# vtp password Presl3y
Switch(config)# vtp version 2
Switch(config)# vtp pruning
Trunk Types
802.1Q ISL
Header Size 4 bytes 26 bytes
Trailer Size N/A 4 bytes
Standard IEEE Cisco
Maximum VLANs 4094 1000
Command dot1q isl
VLAN Numbers
0 Reserved 1004 fdnet
1 default 1005 trnet
1002 fddi-default 1006-4094 Extended
1003 tr 4095 Reserved
Terminology
Trunking · Extending multiple VLANs over the
same physical connection
Native VLAN · By default, frames in this VLAN are
untagged when sent across a trunk
Access VLAN · The VLAN to which an access port is
assigned
Voice VLAN · If configured, enables minimal
trunking to support voice traffic in addition to data
traffic on an access port
Dynamic Trunking Protocol (DTP) · Can be used
to automatically establish trunks between capable
ports; carries a security risk
Switched Virtual Interface (SVI) · A virtual
interface which provides a routed gateway into and
out of a VLAN
Switch Port Modes
trunk · Forms an unconditional trunk
dynamic desirable · Actively attempts to negotiate
a trunk with the distant end
dynamic auto · Will form a trunk only if requested
by the distant end
access · Will never form a trunk
Troubleshooting
show vlan
show interface status
show interface switchport
show interface trunk
show vtp status
show vtp password
by Jeremy Stretch v1.2
BGP · PART 1 packetlife.net
Attribute Types
Well-known Mandatory · Must be supported and propagated
Well-known Discretionary · Must be supported; propagation optional
Optional Transitive · Marked as partial if unsupported by neighbor
Optional Nontransitive · Deleted if unsupported by neighbor
Attributes
Name Type Description
Aggregator OT ID and AS of router which performed summarization
AS Path WM List of autonomous systems the advertisement has traversed
Atomic Aggregate WD Includes AS which have been dropped due to route aggregation
Cluster ID ON Originating cluster
Community OT Route tag
Local Preference WD Metric for internal neighbors to reach external paths; default 100
Multiple Exit Discriminator (MED) ON Metric for external neighbors to reach the AS; default 0
Next Hop WM External peer in neighboring AS
Origin WM Origin type (IGP, EGP, or unknown)
Originator ID ON Identifies route reflector
Weight O Cisco proprietary, not communicated to peers; default 0
Path Selection
Order  Attribute         Description                                                Preference
1      Weight            Administrative preference                                  Highest
2      Local Preference  Communicated between peers within an AS                    Highest
3      Self-Originated   Prefer paths originated locally                            True
4      AS Path           Minimize AS hops                                           Shortest
5      Origin            Prefer IGP-learned routes over EGP, and EGP over unknown   IGP
6      MED               Used externally to enter an AS                             Lowest
7      External          Prefer eBGP routes over iBGP                               eBGP
8      IGP Cost          Consider IGP attributes                                    Lowest
9      eBGP Peering      Favor more stable routes                                   Oldest
10     Router ID         Tie breaker                                                Lowest
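The Path Selection table gives the ten steps and, for each, whether the highest or lowest value wins. The following is an added example, not code from the cheat sheet: it encodes that ordering as a single sort key so that candidate paths for one prefix can be ranked and the deciding step named. The `Path` class, its field names and the sample prefixes and router IDs are constructed assumptions. One simplification to note: the comparison applies MED between any two paths, whereas a router by default compares MED only between paths learned from the same neighboring AS.

```python
"""Rank candidate BGP paths in the cheat sheet's ten-step order."""
from dataclasses import dataclass

# Step 5: IGP preferred over EGP, EGP over unknown (incomplete).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEP_NAMES = ["Weight", "Local Preference", "Self-Originated", "AS Path", "Origin",
              "MED", "External", "IGP Cost", "eBGP Peering", "Router ID"]


@dataclass
class Path:
    prefix: str
    next_hop: str
    weight: int = 0            # Cisco-local, default 0
    local_pref: int = 100      # default 100
    self_originated: bool = False
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0               # default 0
    ebgp: bool = True
    igp_cost: int = 0
    age: int = 0               # seconds the peering has been up; larger is older
    router_id: str = "0.0.0.0"


def _rid(router_id: str) -> tuple:
    return tuple(int(o) for o in router_id.split("."))


def selection_key(p: Path) -> tuple:
    """Ascending order of this tuple realises steps 1-10. Fields where the highest
    value wins (weight, local preference, age) are negated; 'True' and 'eBGP'
    preferences become 0-before-1."""
    return (-p.weight, -p.local_pref, 0 if p.self_originated else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med,
            0 if p.ebgp else 1, p.igp_cost, -p.age, _rid(p.router_id))


def best_path(paths) -> Path:
    return min(paths, key=selection_key)


def decided_by(paths) -> str:
    """Name of the first step at which the best path beats the runner-up."""
    ranked = sorted(paths, key=selection_key)
    if len(ranked) < 2:
        return "only path"
    for name, x, y in zip(STEP_NAMES, selection_key(ranked[0]), selection_key(ranked[1])):
        if x != y:
            return name
    return "tie"


if __name__ == "__main__":
    # Constructed sample: two paths to the same prefix; the card's
    # 'neighbor 172.16.0.1 weight 200' style preference decides.
    a = Path("192.168.2.0/24", "172.16.0.2", as_path=(65200,), router_id="2.2.2.2")
    b = Path("192.168.2.0/24", "172.16.0.6", weight=200, as_path=(65200, 65300),
             router_id="1.1.1.1")
    print("best via", best_path([a, b]).next_hop, "decided by", decided_by([a, b]))
```

Because Weight is evaluated first, the path with the longer AS path still wins here; removing the weight would move the decision down to step 4 (AS Path) and reverse the result.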
About BGP
Type Path Vector
Algorithm Path Selection
eBGP AD 20
iBGP AD 200
Standard RFC 4271
Protocols IP
Transport TCP 179
Authentication MD5
Terminology
Autonomous System (AS) · A logical
domain under the control of a single entity
External BGP (eBGP) · BGP neighborships
formed between autonomous systems
Internal BGP (iBGP) · BGP between peers
within a single autonomous system
Synchronization requirement · Asserts
that a route must be known by an IGP before
it may be advertised to BGP peers
Packet Types
Open Update
Keepalive Notification
Neighbor States
Idle · Neighbor is not responding
Connect · TCP session established
Open Sent · Open message sent
Open Confirm · Response received
Established · Neighborship established
Troubleshooting
show ip bgp
show ip bgp summary
show ip bgp neighbors
show ip route [bgp]
clear ip bgp * [soft]
debug ip bgp events
debug ip bgp updates
Influencing Path Selection
Weight            neighbor 172.16.0.1 weight 200
Local Preference  bgp default local-preference 100
MED               default-metric 400
Route Map         neighbor 172.16.0.1 route-map Foo
by Jeremy Stretch v1.1
BGP · PART 2 packetlife.net
Configuration Example
Router A
interface Serial1/0
 description Backbone to B
 ip address 172.16.0.1 255.255.255.252
!
interface Serial1/1
 description Backbone to C
 ip address 172.16.0.5 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
router bgp 65100
 no synchronization
 network 172.16.0.0 mask 255.255.255.252
 network 172.16.0.4 mask 255.255.255.252
 network 192.168.1.0
 neighbor South peer-group
 neighbor South remote-as 65200
 neighbor 172.16.0.2 peer-group South
 neighbor 172.16.0.6 peer-group South
 no auto-summary
Router B
interface FastEthernet0/0
 description Local to C
 ip address 10.0.0.1 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
router ospf 100
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.2.0 0.0.0.255 area 1
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.2 remote-as 65200
 neighbor 172.16.0.1 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100
Router C
interface FastEthernet0/0
 description Local to B
 ip address 10.0.0.2 255.255.255.252
!
interface Serial1/0
 description Backbone to A
 ip address 172.16.0.6 255.255.255.252
!
interface FastEthernet2/0
 description LAN
 ip address 192.168.3.1 255.255.255.0
!
router ospf 100
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.3.0 0.0.0.255 area 2
!
router bgp 65200
 no synchronization
 redistribute ospf 100 route-map LAN_Subnets
 neighbor 10.0.0.1 remote-as 65200
 neighbor 172.16.0.5 remote-as 65100
 no auto-summary
!
access-list 10 permit 192.168.0.0 0.0.255.255
!
route-map LAN_Subnets permit 10
 match ip address 10
 set metric 100
Router A Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.0.4 is directly connected, S1/1
C       172.16.0.0 is directly connected, S1/0
C    192.168.1.0/24 is directly connected, F2/0
B    192.168.2.0/24 [20/100] via 172.16.0.2
B    192.168.3.0/24 [20/100] via 172.16.0.2
Router B Routing Table
     172.16.0.0/30 is subnetted, 2 subnets
B       172.16.0.4 [20/0] via 172.16.0.1
C       172.16.0.0 is directly connected, S1/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, F0/0
B    192.168.1.0/24 [20/0] via 172.16.0.1
C    192.168.2.0/24 is directly connected, F2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0
by Jeremy Stretch v1.1
EIGRP packetlife.net
Protocol Header
Metric Formula
metric = 256 * ( (K1 * bw + K2 * bw / (256 - load) + K3 * delay) * K5 / (reliability + K4) )
bw = 10^7 / Interface bandwidth in Kbps
delay = Interface delay in usecs / 10
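The formula above reads as a single expression, but two details decide whether a calculated value matches what a router shows: the bandwidth and delay terms are truncated to integers, and the K5/(reliability + K4) factor is applied only when K5 is non-zero (a rule of the implementation that the card does not spell out). The following is an added example, not code from the cheat sheet: it evaluates the formula with the K Defaults from the table, extends it across a multi-link path (minimum bandwidth, summed delay), and checks the feasibility condition from the Terminology section. Function names and the sample link values are assumptions for illustration.

```python
"""EIGRP composite metric with the cheat sheet's K values."""

K_DEFAULTS = (1, 0, 1, 0, 0)   # K1..K5 from the "K Defaults" table


def eigrp_metric(bandwidth_kbps: int, delay_usec: int, load: int = 1,
                 reliability: int = 255, k=K_DEFAULTS) -> int:
    """metric = 256 * ((K1*bw + K2*bw/(256-load) + K3*delay) * K5/(reliability+K4))
    with bw = 10^7 / bandwidth in Kbps and delay = delay in usec / 10, both truncated.
    The K5 factor is applied only when K5 != 0 (implementation rule, not on the card);
    with the defaults the formula reduces to 256 * (bw + delay)."""
    k1, k2, k3, k4, k5 = k
    if bandwidth_kbps <= 0 or delay_usec < 0:
        raise ValueError("bandwidth must be positive, delay non-negative")
    if not 0 < load <= 255 or not 0 < reliability <= 255:
        raise ValueError("load and reliability are 1..255")
    bw = 10**7 // bandwidth_kbps
    delay = delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = (metric * k5) // (reliability + k4)
    return 256 * metric


def path_metric(links, k=K_DEFAULTS) -> int:
    """Metric across several links given as (bandwidth_kbps, delay_usec) pairs:
    the slowest bandwidth along the path and the cumulative delay are used."""
    bw = min(bandwidth for bandwidth, _ in links)
    delay = sum(d for _, d in links)
    return eigrp_metric(bw, delay, k=k)


def feasible_successor(reported_distance: int, feasible_distance: int) -> bool:
    """Feasibility condition: a neighbor's reported distance must be strictly lower
    than the current feasible distance for it to be a loop-free backup path."""
    return reported_distance < feasible_distance


if __name__ == "__main__":
    # Constructed sample links: a T1 serial (1544 Kbps, 20000 usec) and Fast Ethernet.
    print("T1 metric:", eigrp_metric(1544, 20000))
    print("FastEthernet metric:", eigrp_metric(100000, 100))
    print("FE + T1 path:", path_metric([(100000, 100), (1544, 20000)]))
    print("backup feasible:", feasible_successor(28160, path_metric([(100000, 100), (1544, 20000)])))
```

With the default K values the load and reliability arguments have no effect at all, which is why changing `metric weights` on one router only is enough to break adjacencies: both neighbors must use the same K set for their metrics to be comparable.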
EIGRP Configuration
Protocol Configuration
! Enable EIGRP
router eigrp <ASN>
 ! Add interfaces to advertise
 network <IP address> <wildcard mask>
 ! Configure K values
 metric weights 0 <k1> <k2> <k3> <k4> <k5>
 ! Disable automatic route summarization
 no auto-summary
 ! Designate passive interfaces
 passive-interface (<interface> | <default>)
 ! Enable stub routing
 eigrp stub [receive-only | connected | static | summary]
 ! Statically identify a neighboring router
 neighbor <IP address> <interface>
Interface Configuration
! Set maximum bandwidth EIGRP can consume
ip bandwidth-percent eigrp <ASN> <percentage>
! Configure manual summarization of outbound advertisements
ip summary-address eigrp <ASN> <IP address> <mask> [<AD>]
! Enable MD5 authentication
ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <key-chain>
! Configure hello and hold timers
ip hello-interval eigrp <ASN> <seconds>
ip hold-time eigrp <ASN> <seconds>
! Disable split horizon for EIGRP
no ip split-horizon eigrp <ASN>
Attributes
Type Distance Vector
Algorithm DUAL
Internal AD 90
External AD 170
Summary AD 5
Standard Cisco proprietary
Protocols IP, IPX, Appletalk
Transport IP 88
Authentication MD5
Multicast IP 224.0.0.10
Hello Timer 5 / 60
Hold Timer 15 / 180
K Defaults
K1 1
K2 0
K3 1
K4 0
K5 0
Packet Types
1 Update
3 Query
4 Reply
5 Hello
8 Acknowledge
Terminology
Reported Distance · The metric for a route
advertised by a neighbor
Feasible Distance · The distance advertised by a
neighbor plus the cost to get to that neighbor
Stuck In Active (SIA) · The condition when a
route becomes unreachable and not all queries are
answered; adjacencies with unresponsive neighbors
are reset
Passive Interface · An interface which does not
participate in EIGRP but whose network is
advertised
Stub Router · A router which does not relay
updates between neighbors or participate in
querying
Troubleshooting
show ip eigrp interfaces
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
clear ip eigrp neighbors
debug ip eigrp [packet | neighbors]
by Jeremy Stretch v1.3
OSPF · PART 1 packetlife.net
Protocol Header
Metric Formula
cost = 100,000,000 bps* / link speed
* modifiable with 'ospf auto-cost reference-bandwidth'
Link State Advertisements
Type 1 Router Link · Lists a router's neighbors and its cost to each;
flooded throughout an area
Type 2 Network Link · Generated by a DR; lists all routers on an adjacent
segment; flooded throughout an area
Type 3 Network Summary · Generated by an ABR and sent between
areas; point of summarization
Type 4 ASBR Summary · Injected by an ABR into the backbone to
advertise the presence of an ASBR
Type 5 External Link · Generated by an ASBR and flooded throughout the
AS to advertise a route external to OSPF
Type 7 NSSA External Link · Generated by an ASBR in a not-so-stubby
area; converted into a type 5 LSA by the ABR
DR/BDR Election
· The DR serves as a common point for all
adjacencies on a multiaccess segment
· The BDR also maintains adjacencies with
all routers in case the DR fails
· Election does not occur on point-to-point
or multipoint links
· Default priority (0-255) is 1; highest
priority wins; 0 cannot be elected
· DR preemption will not occur unless the
current DR is reset
Virtual Links
· Tunnel formed to join two
areas across an intermediate
· Both end routers must share a
common area
· At least one end must reside
in area 0
· Cannot traverse stub areas
· Temporary solution; not
considered best practice
Troubleshooting
show ip route
show ip protocols
show ip ospf interface
show ip ospf neighbor
show ip ospf database
show ip ospf border-routers
show ip ospf virtual-links
debug ip packet
debug ip ospf events
debug ip ospf adjacency
Attributes
Type Link-State
Algorithm Dijkstra
Metric Cost (Bandwidth)
AD 110
Standard RFC 2328, 2740
Protocols IP
Transport IP 89
Authentication Plaintext, MD5
AllSPF Address 224.0.0.5
AllDR Address 224.0.0.6
Adjacency States
1 Down
2 Attempt
3 Init
4 2-Way
5 Exstart
6 Exchange
7 Loading
8 Full
Router Types
Internal Router · All interfaces reside
within the same area
Backbone Router · A router with an
interface in area 0 (the backbone)
Area Border Router (ABR) · Connects
two or more areas
AS Boundary Router (ASBR) · Connects
to additional routing domains; typically
located in the backbone
Area Types
Standard Area · Default OSPF area type
Stub Area · External summary route (type
5) LSAs are replaced by the ABR with a
default route
Totally Stubby Area · A stub area which
also replaces summary (type 3 and 4) LSAs
with a default route
Not So Stubby Area (NSSA) · A stubby
area containing an ASBR; type 5 LSAs are
converted to type 7 within the area
External Route Types
E1 · Cost of the path to the originating
ASBR is added to the route cost
E2 (default) · Only the cost of the route as
seen by the ASBR is considered
by Jeremy Stretch v1.3
OSPF · PART 2 packetlife.net
Network Types
Nonbroadcast (NBMA) · DR/BDR elected: Yes; neighbor discovery: No; Hello/Dead timers: 30/120; standard: RFC 2328; supported topology: Full Mesh
Multipoint Broadcast · DR/BDR elected: No; neighbor discovery: Yes; Hello/Dead timers: 30/120; standard: RFC 2328; supported topology: Any
Multipoint Nonbroadcast · DR/BDR elected: No; neighbor discovery: No; Hello/Dead timers: 30/120; standard: Cisco; supported topology: Any
Broadcast · DR/BDR elected: Yes; neighbor discovery: Yes; Hello/Dead timers: 10/40; standard: Cisco; supported topology: Full Mesh
Point-to-Point · DR/BDR elected: No; neighbor discovery: Yes; Hello/Dead timers: 10/40; standard: Cisco; supported topology: Point-to-Point
Configuration Example
RouterA
interface Serial0/0
description WAN Link
ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
description Area 0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback0
! Used as router ID
ip address 10.0.34.1 255.255.255.0
!
router ospf 100
! Advertising the WAN cloud to OSPF
redistribute static subnets
network 192.168.0.0 0.0.0.255 area 0
!
! Static route to the WAN cloud
ip route 172.16.0.0 255.255.192.0 172.16.34.1
RouterB
interface Ethernet0/0
description Area 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/1
description Area 2
ip address 192.168.2.1 255.255.255.0
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give RouterB priority in DR election
ip ospf priority 100
!
interface Ethernet0/2
description Area 1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback0
ip address 10.0.34.2 255.255.255.0
!
router ospf 100
! Define area 1 as a stub area
area 1 stub
! Virtual link from area 0 to area 9
area 2 virtual-link 10.0.34.3
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 2
RouterC
interface Ethernet0/0
description Area 9
ip address 192.168.9.1 255.255.255.0
!
interface Ethernet0/1
description Area 2
ip address 192.168.2.2 255.255.255.0
! Optional MD5 authentication configured
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar
! Give RouterC second priority (BDR) in election
ip ospf priority 50
!
interface Loopback0
ip address 10.0.34.3 255.255.255.0
!
router ospf 100
! Define area 9 as a totally stubby area
area 9 stub no-summary
! Virtual link from area 9 to area 0
area 2 virtual-link 10.0.34.2
network 192.168.2.0 0.0.0.255 area 2
network 192.168.9.0 0.0.0.255 area 9
!
by Jeremy Stretch v1.3
CISCO IOS VERSIONS packetlife.net
IOS Nomenclature
IOS Package Trees
Typical Release Lifecycle
First Customer Shipment (FCS) · The release is first available to
Cisco customers on CCO
EOS Notice · Notification of upcoming EOS
End of Sale (EOS) · The release is no longer orderable or included
in manufactured shipments
End of Engineering (EOE) · The last day for software fixes; only
TAC assistance is offered from this point
End of Life (EOL) · The last day for TAC support; release becomes
obsolete; upgrade is only option for support
IOS Filename
Recommended IOS
800, 1700, 2600, 2800, 3700, 3800 12.4 / 12.4T
Catalyst 2960, 3560, 3750 12.2SE
Catalyst 4500 and 4900 12.2SG
Catalyst 6500 12.2SX
7200, 7301 routers 12.4 / 12.4T / 12.2SB
7304 routers 12.2SB
7500 routers 12.4 / 12.0S
10000 routers 12.2SB
7600 routers 12.2SR
IOS Verification
Router# show version
Router# dir <filesystem>:
Router# verify <filesystem>:<image>
by Jeremy Stretch v1.1
COMMON PORTS packetlife.net
TCP/UDP Port Numbers
7 Echo
19 Chargen
20-21 FTP
22 SSH/SCP
23 Telnet
25 SMTP
42 WINS Replication
43 WHOIS
49 TACACS
53 DNS
67-68 DHCP/BOOTP
69 TFTP
70 Gopher
79 Finger
80 HTTP
88 Kerberos
102 MS Exchange
110 POP3
113 Ident
119 NNTP (Usenet)
123 NTP
135 Microsoft RPC
137-139 NetBIOS
143 IMAP4
161-162 SNMP
177 XDMCP
179 BGP
201 AppleTalk
264 BGMP
318 TSP
381-383 HP Openview
389 LDAP
411-412 Direct Connect
443 HTTP over SSL
445 Microsoft DS
464 Kerberos
465 SMTP over SSL
497 Retrospect
500 ISAKMP
512 rexec
513 rlogin
514 syslog
515 LPD/LPR
520 RIP
521 RIPng (IPv6)
540 UUCP
554 RTSP
546-547 DHCPv6
560 rmonitor
563 NNTP over SSL
587 SMTP
591 FileMaker
593 Microsoft DCOM
631 Internet Printing
636 LDAP over SSL
639 MSDP (PIM)
646 LDP (MPLS)
691 MS Exchange
860 iSCSI
873 rsync
902 VMware Server
989-990 FTP over SSL
993 IMAP4 over SSL
995 POP3 over SSL
1025 Microsoft RPC
1026-1029 Windows Messenger
1080 SOCKS Proxy
1080 MyDoom
1194 OpenVPN
1214 Kazaa
1241 Nessus
1311 Dell OpenManage
1337 WASTE
1433-1434 Microsoft SQL
1512 WINS
1589 Cisco VQP
1701 L2TP
1723 MS PPTP
1725 Steam
1741 CiscoWorks 2000
1755 MS Media Server
1812-1813 RADIUS
1863 MSN
1985 Cisco HSRP
2000 Cisco SCCP
2002 Cisco ACS
2049 NFS
2082-2083 cPanel
2100 Oracle XDB
2222 DirectAdmin
2302 Halo
2483-2484 Oracle DB
2745 Bagle.H
2967 Symantec AV
3050 Interbase DB
3074 XBOX Live
3124 HTTP Proxy
3127 MyDoom
3128 HTTP Proxy
3222 GLBP
3260 iSCSI Target
3306 MySQL
3389 Terminal Server
3689 iTunes
3690 Subversion
3724 World of Warcraft
3784-3785 Ventrilo
4333 mSQL
4444 Blaster
4664 Google Desktop
4672 eMule
4899 Radmin
5000 UPnP
5001 Slingbox
5001 iperf
5004-5005 RTP
5050 Yahoo! Messenger
5060 SIP
5190 AIM/ICQ
5222-5223 XMPP/Jabber
5432 PostgreSQL
5500 VNC Server
5554 Sasser
5631-5632 pcAnywhere
5800 VNC over HTTP
5900+ VNC Server
6000-6001 X11
6112 Battle.net
6129 DameWare
6257 WinMX
6346-6347 Gnutella
6500 GameSpy Arcade
6566 SANE
6588 AnalogX
6665-6669 IRC
6679/6697 IRC over SSL
6699 Napster
6881-6999 BitTorrent
6891-6901 Windows Live
6970 Quicktime
7212 GhostSurf
7648-7649 CU-SeeMe
8000 Internet Radio
8080 HTTP Proxy
8086-8087 Kaspersky AV
8118 Privoxy
8200 VMware Server
8500 Adobe ColdFusion
8767 TeamSpeak
8866 Bagle.B
9100 HP JetDirect
9101-9103 Bacula
9119 MXit
9800 WebDAV
9898 Dabber
9988 Rbot/Spybot
9999 Urchin
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
19226 AdminSecure
19638 Ensim
20000 Usermin
24800 Synergy
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
31337 Back Orifice
33434+ traceroute
Legend
Chat
Encrypted
Gaming
Malicious
Peer to Peer
Streaming
IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch v1.1
IP ACCESS LISTS packetlife.net
Standard IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log]
Actions
permit Allow matched packets
deny Deny matched packets
remark Record a config comment
evaluate Evaluate a reflexive ACL
Extended IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers
1-99, 1300-1999 IP standard
100-199, 2000-2699 IP extended
200-299 Protocol
300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established Match packets belonging to an already established session (ACK or RST set)
Logging Options
log Log ACL entry matches
log-input Log matches with ingress interface and source MAC
Source/Destination Definitions
any Any address
host <address> A single address
<network> <mask> Any address matched by the wildcard mask
IP Options
dscp <DSCP> Match packets with the given DSCP value
fragments Check non-initial fragments
option <option> Match packets with the specified IP option
precedence <0-7> Match packets with the given precedence value
ttl <count> Match packets with the given Time To Live
TCP/UDP Port Definitions
eq <port> Equal to
neq <port> Not equal to
lt <port> Less than
gt <port> Greater than
range <port> <port> Matches a range of port numbers
Miscellaneous Options
reflect <name> Create a reflexive ACL
time-range <name> Enable rule only during the specified time range
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
ip access-group {<number> | <name>} {in | out}
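The wildcard-mask semantics in the Source/Destination definitions and the first-match evaluation an ACL receives are easy to get wrong by hand. The following is an added example, not code from the packetlife sheet, that parses legacy-syntax standard ACL lines and evaluates an address against them the way IOS does: the first matching entry decides, and anything not matched by an explicit entry falls to the implicit deny at the end. The ACL text, the hypothetical function names and the test addresses are constructed for the example.

```python
import ipaddress

# Added example (not from the cheat sheet): evaluate a standard IP ACL the way
# IOS does, first match wins with an implicit "deny any" at the end, using the
# wildcard-mask semantics from the Source/Destination definitions above.
# The ACL text is constructed for the example.

SAMPLE_ACL = """
access-list 10 remark Management hosts only
access-list 10 permit host 10.0.1.5
access-list 10 deny 10.0.1.0 0.0.0.255 log
access-list 10 permit 10.0.0.0 0.255.255.255
"""

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard mask means 'don't care'; every 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_standard_acl(text):
    """Parse legacy-syntax standard ACL lines into (action, base, wildcard, log).
    remark lines carry no match logic and are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            raise ValueError(f"not a legacy access-list line: {line!r}")
        action = tokens[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        rest = tokens[3:]
        log = bool(rest) and rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif len(rest) == 2 and rest[0] == "host":
            base, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            base, wildcard = rest[0], "0.0.0.0"   # bare address: IOS treats it as a host
        elif len(rest) == 2:
            base, wildcard = rest
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        entries.append((action, base, wildcard, log))
    return entries

def evaluate(entries, addr):
    """Return 'permit' or 'deny' for addr: the first matching entry decides,
    and an address matching no entry is denied."""
    for action, base, wildcard, _log in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for addr in ("10.0.1.5", "10.0.1.7", "10.5.5.5", "192.168.0.1"):
        print(addr, evaluate(acl, addr))
```

Because the wildcard mask is a bit mask rather than a prefix length, it need not be contiguous: a mask such as `0.0.254.255` matches every third octet with the same low bit as the base, which the `wildcard_match` helper reproduces and which is worth checking whenever an ACL is reviewed.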
Troubleshooting
show access-lists {<number> | <name>}
show ip access-lists {<number> | <name>}
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
by Jeremy Stretch v1.1
PHYSICAL TERMINATIONS packetlife.net
Optical Terminations
ST (Straight Tip)
SC (Subscriber Connector)
LC (Local Connector)
MT-RJ
Wireless Antennas
RP-TNC
RP-SMA
Copper Terminations
RJ-45
RJ-11
RJ-21 (25-pair)
DE-9 (Female)
DB-25 (Male)
DB-60 (Male)
GBICs
1000Base-SX/LX
1000Base-T
Cisco GigaStack
1000Base-SX/LX SFP
1000Base-T SFP
X2 (10Gig)
by Jeremy Stretch v1.1
Metacharacters (must be escaped)
^
$
(
)
<
.
*
+
?
[
{
\
|
>
Escape Character
\ Escape Character
Quantifiers
* · 0 or more
+ · 1 or more
? · 0 or 1
{3} · Exactly 3
{3,} · 3 or more
{3,5} · 3, 4 or 5
Quantifier Modifiers
"x" below represents a quantifier
x?
Ungreedy version of "x"
Anchors
^ · Start of string
\A · Start of string
$ · End of string
\Z · End of string
\b · Word boundary
\B · Not word boundary
\< · Start of word
\> · End of word
POSIX
[:upper:] · Upper case letters
[:lower:] · Lower case letters
[:alpha:] · All letters
[:alnum:] · Digits and letters
[:digit:] · Digits
[:xdigit:] · Hexadecimal digits
[:punct:] · Punctuation
[:blank:] · Space and tab
[:space:] · Blank characters
[:cntrl:] · Control characters
[:graph:] · Printed characters
[:print:] · Printed characters and spaces
[:word:] · Digits, letters and underscore
Character Classes
\c · Control character
\s · White space
\S · Not white space
\d · Digit
\D · Not digit
\w · Word
\W · Not word
\x · Hexadecimal digit
\O · Octal digit
Special Characters
\n · New line
\r · Carriage return
\t · Tab
\v · Vertical tab
\f · Form feed
\xxx · Octal character xxx
\xhh · Hex character hh
Pattern Modifiers
g · Global match
i · Case-insensitive
m · Multiple lines
s · Treat string as single line
x · Allow comments and white space in pattern
e · Evaluate replacement
U · Ungreedy pattern
Available free from
AddedBytes.com
Assertions
?= · Lookahead assertion
?! · Negative lookahead
?<= · Lookbehind assertion
?!= or ?<! · Negative lookbehind
?> · Once-only subexpression
?() · Condition [if then]
?()| · Condition [if then else]
?# · Comment
String Replacement (Backreferences)
$n · nth non-passive group
$2 · "xyz" in /^(abc(xyz))$/
$1 · "xyz" in /^(?:abc)(xyz)$/
$` · Before matched string
$' · After matched string
$+ · Last matched string
$& · Entire matched string
Groups and Ranges
. · Any character except new line (\n)
(a|b) · a or b
(...) · Group
(?:...) · Passive group
[abc] · Range (a or b or c)
[^abc] · Not a or b or c
[a-q] · Letter between a and q
[A-Q] · Upper case letter between A and Q
[0-7] · Digit between 0 and 7
\n · nth group/subpattern
Note: Ranges are inclusive.
Sample Patterns
Pattern · Will Match
([A-Za-z0-9-]+) · Letters, numbers and hyphens
(\d{1,2}\/\d{1,2}\/\d{4}) · Date (e.g. 21/3/2006)
([^\s]+(?=\.(jpg|gif|png))\.\2) · jpg, gif or png image
(^[1-9]{1}$|^[1-4]{1}[0-9]{1}$|^50$) · Any number from 1 to 50 inclusive
(#?([A-Fa-f0-9]){3}(([A-Fa-f0-9]){3})?) · Valid hexadecimal colour code
((?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,15}) · String with at least one upper case letter, one lower case letter, and one digit (useful for passwords)
(\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}) · Email addresses
(\<(/?[^\>]+)\>) · HTML tags
Note: These patterns are intended for reference purposes and have not been
extensively tested. Please use with caution and test thoroughly before use.
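The note above says these patterns are untested; the cheapest way to take that seriously is to run them. The following is an added example, not code from the cheat sheet or its author, that loads the sample patterns verbatim into Python's `re` module and exercises them on constructed inputs. Two things it makes visible: `re.search` reports a match anywhere in the input, while `re.fullmatch` requires the whole string to match, which is the behaviour input validation needs; and the date and email patterns accept values (99/99/9999, a truncated multi-label domain) that a validator should not. The dictionary keys and function names are hypothetical labels for the example.

```python
import re

# Added example (not part of the cheat sheet): exercise the sample patterns
# above with Python's re module on constructed inputs. The patterns are copied
# verbatim; Python accepts them because \/ \< and \> are treated as literal
# characters and \2 is an ordinary backreference.
PATTERNS = {
    "slug":         r"([A-Za-z0-9-]+)",
    "date":         r"(\d{1,2}\/\d{1,2}\/\d{4})",
    "image":        r"([^\s]+(?=\.(jpg|gif|png))\.\2)",
    "one_to_fifty": r"(^[1-9]{1}$|^[1-4]{1}[0-9]{1}$|^50$)",
    "hex_colour":   r"(#?([A-Fa-f0-9]){3}(([A-Fa-f0-9]){3})?)",
    "complexity":   r"((?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,15})",
    "email":        r"(\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6})",
    "html_tag":     r"(\<(/?[^\>]+)\>)",
}

def first_match(name, text, whole=False):
    """Return what group 1 captured, or None.

    whole=False searches anywhere in the string (a bare match in Perl);
    whole=True uses re.fullmatch so the entire string must satisfy the
    pattern, which is what input validation needs."""
    pattern = re.compile(PATTERNS[name])
    m = pattern.fullmatch(text) if whole else pattern.search(text)
    return m.group(1) if m else None

def all_matches(name, text):
    """Every non-overlapping group-1 capture in order (the 'g' modifier)."""
    return [m.group(1) for m in re.finditer(PATTERNS[name], text)]

if __name__ == "__main__":
    # Constructed inputs showing a hit and a miss for several patterns.
    print(first_match("date", "Due 21/3/2006"))            # 21/3/2006
    print(first_match("date", "99/99/9999"))               # matches: no range check
    print(first_match("hex_colour", "#12345"))             # #123 (substring only)
    print(first_match("hex_colour", "#12345", whole=True)) # None
    print(first_match("email", "bob@mail.example.org"))    # bob@mail.exampl
    print(all_matches("html_tag", "<p>hello</p>"))         # ['<p>', '</p>']
```

The email result is the kind of defect the sheet's note warns about: the lazy `[a-zA-Z_]+?` cannot cross a dot, so a multi-label domain is cut off after six letters of the second label, and with `whole=True` the address is rejected entirely.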
SUBNETTING packetlife.net
Subnet Chart
CIDR Subnet Mask Addresses Wildcard
/32 255.255.255.255 1 0.0.0.0
/31 255.255.255.254 2 0.0.0.1
/30 255.255.255.252 4 0.0.0.3
/29 255.255.255.248 8 0.0.0.7
/28 255.255.255.240 16 0.0.0.15
/27 255.255.255.224 32 0.0.0.31
/26 255.255.255.192 64 0.0.0.63
/25 255.255.255.128 128 0.0.0.127
/24 255.255.255.0 256 0.0.0.255
/23 255.255.254.0 512 0.0.1.255
/22 255.255.252.0 1,024 0.0.3.255
/21 255.255.248.0 2,048 0.0.7.255
/20 255.255.240.0 4,096 0.0.15.255
/19 255.255.224.0 8,192 0.0.31.255
/18 255.255.192.0 16,384 0.0.63.255
/17 255.255.128.0 32,768 0.0.127.255
/16 255.255.0.0 65,536 0.0.255.255
/15 255.254.0.0 131,072 0.1.255.255
/14 255.252.0.0 262,144 0.3.255.255
/13 255.248.0.0 524,288 0.7.255.255
/12 255.240.0.0 1,048,576 0.15.255.255
/11 255.224.0.0 2,097,152 0.31.255.255
/10 255.192.0.0 4,194,304 0.63.255.255
/9 255.128.0.0 8,388,608 0.127.255.255
/8 255.0.0.0 16,777,216 0.255.255.255
/7 254.0.0.0 33,554,432 1.255.255.255
/6 252.0.0.0 67,108,864 3.255.255.255
/5 248.0.0.0 134,217,728 7.255.255.255
/4 240.0.0.0 268,435,456 15.255.255.255
/3 224.0.0.0 536,870,912 31.255.255.255
/2 192.0.0.0 1,073,741,824 63.255.255.255
/1 128.0.0.0 2,147,483,648 127.255.255.255
/0 0.0.0.0 4,294,967,296 255.255.255.255
Decimal to Binary
Subnet Mask
255 1111 1111
254 1111 1110
252 1111 1100
248 1111 1000
240 1111 0000
224 1110 0000
192 1100 0000
128 1000 0000
0 0000 0000
Wildcard
0 0000 0000
1 0000 0001
3 0000 0011
7 0000 0111
15 0000 1111
31 0001 1111
63 0011 1111
127 0111 1111
255 1111 1111
Subnet Proportion
Classful Ranges
A 0.0.0.0 - 127.255.255.255
B 128.0.0.0 - 191.255.255.255
C 192.0.0.0 - 223.255.255.255
D 224.0.0.0 - 239.255.255.255
E 240.0.0.0 - 255.255.255.255
Reserved Ranges
RFC1918 10.0.0.0 - 10.255.255.255
Localhost 127.0.0.0 - 127.255.255.255
RFC1918 172.16.0.0 - 172.31.255.255
RFC1918 192.168.0.0 - 192.168.255.255
Determine Usable Hosts
Total Addresses 256
- Subnet ID - 1
- Broadcast Address - 1
Usable hosts 254
Terminology
CIDR · Classless interdomain routing was developed to
provide more granularity than legacy classful addressing;
masks expressed in the form /XX are in CIDR notation
VLSM · Variable length subnet masks are an arbitrary length
between 0 and 32 bits; CIDR relies on VLSMs to define routes
by Jeremy Stretch v1.0
TCPDUMP packetlife.net
Command Line Options
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers in the capture dump
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don't verify TCP checksums
-L List data link types for the interface
-n Don't convert addresses to names
-p Don't capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don't print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
-Z <user> Drop privileges from root to user
Capture Filter Primitives
[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
gateway host <host> Matches packets which used host as a gateway
[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range
less <length> Matches packets less than or equal to length
greater <length> Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression
Protocols
arp ip6 slip
ether link tcp
fddi ppp tr
icmp radio udp
ip rarp wlan
TCP Flags
tcp-urg tcp-rst
tcp-ack tcp-syn
tcp-push tcp-fin
Modifiers
! or not
&& or and
|| or or
Examples
udp dst port not 53 All UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2 All packets between these hosts
tcp dst port 80 or 8080 All packets to either TCP port
ICMP Types
icmp-echoreply icmp-routeradvert icmp-tstampreply
icmp-unreach icmp-routersolicit icmp-ireq
icmp-sourcequench icmp-timxceed icmp-ireqreply
icmp-redirect icmp-paramprob icmp-maskreq
icmp-echo icmp-tstamp icmp-maskreply
by Jeremy Stretch v1.0
WIRESHARK DISPLAY FILTERS · PART 1 packetlife.net
Ethernet
eth.addr eth.len eth.src
eth.dst eth.lg eth.trailer
eth.ig eth.multicast eth.type
IEEE 802.1Q
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer
IPv4
ip.addr ip.fragment.overlap.conflict
ip.checksum ip.fragment.toolongfragment
ip.checksum_bad ip.fragments
ip.checksum_good ip.hdr_len
ip.dsfield ip.host
ip.dsfield.ce ip.id
ip.dsfield.dscp ip.len
ip.dsfield.ect ip.proto
ip.dst ip.reassembled_in
ip.dst_host ip.src
ip.flags ip.src_host
ip.flags.df ip.tos
ip.flags.mf ip.tos.cost
ip.flags.rb ip.tos.delay
ip.frag_offset ip.tos.precedence
ip.fragment ip.tos.reliability
ip.fragment.error ip.tos.throughput
ip.fragment.multipletails ip.ttl
ip.fragment.overlap ip.version
IPv6
ipv6.addr ipv6.hop_opt
ipv6.class ipv6.host
ipv6.dst ipv6.mipv6_home_address
ipv6.dst_host ipv6.mipv6_length
ipv6.dst_opt ipv6.mipv6_type
ipv6.flow ipv6.nxt
ipv6.fragment ipv6.opt.pad1
ipv6.fragment.error ipv6.opt.padn
ipv6.fragment.more ipv6.plen
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr
ipv6.fragment.overlap ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
ipv6.fragments ipv6.src
ipv6.fragment.id ipv6.src_host
ipv6.hlim ipv6.version
ARP
arp.dst.hw_mac arp.proto.size
arp.dst.proto_ipv4 arp.proto.type
arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
arp.opcode
TCP
tcp.ack tcp.options.qs
tcp.checksum tcp.options.sack
tcp.checksum_bad tcp.options.sack_le
tcp.checksum_good tcp.options.sack_perm
tcp.continuation_to tcp.options.sack_re
tcp.dstport tcp.options.time_stamp
tcp.flags tcp.options.wscale
tcp.flags.ack tcp.options.wscale_val
tcp.flags.cwr tcp.pdu.last_frame
tcp.flags.ecn tcp.pdu.size
tcp.flags.fin tcp.pdu.time
tcp.flags.push tcp.port
tcp.flags.reset tcp.reassembled_in
tcp.flags.syn tcp.segment
tcp.flags.urg tcp.segment.error
tcp.hdr_len tcp.segment.multipletails
tcp.len tcp.segment.overlap
tcp.nxtseq tcp.segment.overlap.conflict
tcp.options tcp.segment.toolongfragment
tcp.options.cc tcp.segments
tcp.options.ccecho tcp.seq
tcp.options.ccnew tcp.srcport
tcp.options.echo tcp.time_delta
tcp.options.echo_reply tcp.time_relative
tcp.options.md5 tcp.urgent_pointer
tcp.options.mss tcp.window_size
tcp.options.mss_val
UDP
udp.checksum udp.dstport udp.srcport
udp.checksum_bad udp.length
udp.checksum_good udp.port
Operators
eq ==
ne !=
gt >
lt <
ge >=
le <=
Logic
and && Logical AND
or || Logical OR
xor ^^ Logical XOR
not ! Logical NOT
[n] [...] Substring operator
by Jeremy Stretch v1.0
WIRESHARK DISPLAY FILTERS · PART 2 packetlife.net
Frame Relay
fr.becn fr.de
fr.chdlctype fr.dlci
fr.control fr.dlcore_control
fr.control.f fr.ea
fr.control.ftype fr.fecn
fr.control.n_r fr.lower_dlci
fr.control.n_s fr.nlpid
fr.control.p fr.second_dlci
fr.control.s_ftype fr.snap.oui
fr.control.u_modifier_cmd fr.snap.pid
fr.control.u_modifier_resp fr.snaptype
fr.cr fr.third_dlci
fr.dc fr.upper_dlci
PPP
ppp.address ppp.direction
ppp.control ppp.protocol
MPLS
mpls.bottom mpls.oam.defect_location
mpls.cw.control mpls.oam.defect_type
mpls.cw.res mpls.oam.frequency
mpls.exp mpls.oam.function_type
mpls.label mpls.oam.ttsi
mpls.oam.bip16 mpls.ttl
ICMP
icmp.checksum icmp.ident icmp.seq
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw
DTP
dtp.neighbor dtp.tlv_type vtp.neighbor
dtp.tlv_len dtp.version
VTP
vtp.code vtp.vlan_info.802_10_index
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
vtp.followers vtp.vlan_info.len
vtp.md vtp.vlan_info.mtu_size
vtp.md5_digest vtp.vlan_info.status.vlan_susp
vtp.md_len vtp.vlan_info.tlv_len
vtp.seq_num vtp.vlan_info.tlv_type
vtp.start_value vtp.vlan_info.vlan_name
vtp.upd_id vtp.vlan_info.vlan_name_len
vtp.upd_ts vtp.vlan_info.vlan_type
vtp.version
ICMPv6
icmpv6.all_comp icmpv6.option.name_type
icmpv6.checksum icmpv6.option.name_type.fqdn
icmpv6.checksum_bad icmpv6.option.name_x501
icmpv6.code icmpv6.option.rsa.key_hash
icmpv6.comp icmpv6.option.type
icmpv6.haad.ha_addrs icmpv6.ra.cur_hop_limit
icmpv6.identifier icmpv6.ra.reachable_time
icmpv6.option icmpv6.ra.retrans_timer
icmpv6.option.cga icmpv6.ra.router_lifetime
icmpv6.option.cga.pad_length icmpv6.recursive_dns_serv
icmpv6.option.length icmpv6.type
RIP
rip.auth.passwd rip.ip rip.route_tag
rip.auth.type rip.metric rip.routing_domain
rip.command rip.netmask rip.version
rip.family rip.next_hop
BGP
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
bgp.as_path bgp.multi_exit_disc
bgp.cluster_identifier bgp.next_hop
bgp.cluster_list bgp.nlri_prefix
bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
bgp.local_pref bgp.type
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
HTTP
http.accept http.proxy_authorization
http.accept_encoding http.proxy_connect_host
http.accept_language http.proxy_connect_port
http.authbasic http.referer
http.authorization http.request
http.cache_control http.request.method
http.connection http.request.uri
http.content_encoding http.request.version
http.content_length http.response
http.content_type http.response.code
http.cookie http.server
http.date http.set_cookie
http.host http.transfer_encoding
http.last_modified http.user_agent
http.location http.www_authenticate
http.notification http.x_forwarded_for
http.proxy_authenticate
by Jeremy Stretch v1.0
LINUX Admin Quick Reference Jialong He
Jialong_he@bigfoot.com http://www.bigfoot.com/~jialong_he
User Management
Files
/etc/group /etc/passwd /etc/shadow
User account information.
/etc/bashrc /etc/profile $HOME/.bashrc $HOME/.bash_profile
bash system-wide and per-user init files.
/etc/csh.cshrc /etc/csh.login $HOME/.cshrc $HOME/.tcshrc $HOME/.login
tcsh system-wide and per-user init files.
/etc/skel template files for new users.
/etc/default defaults for certain commands.
/etc/redhat-release /etc/slackware-version
Redhat/Slackware version info (Linux kernel version with "uname -a").
Commands
adduser script to create a new user interactively (Slackware) or link to useradd (Redhat).
useradd, userdel, usermod
create, delete or modify a user, or update the default new-user information.
newusers update and create new users (batch mode).
groupadd, groupdel, groupmod
add, delete or modify a group.
chage, chfn, chsh
modify account policy (password length, expiry date etc.), finger information (full name, phone number etc.) or the default login shell.
linux init=/bin/sh rw
gain root access from the boot prompt without a password; can be used to fix some problems. Remount the root file system writable with: mount -w -n -o remount /
Network Configuration
Files
/etc/rc.d/rc.inet1 (Slackware) /etc/sysconfig/network-scripts/ifcfg-eth0 (Redhat)
IP address, network mask and default gateway are in these files. May be edited manually to modify network parameters.
/etc/HOSTNAME /etc/NETWORKING (Slackware) /etc/sysconfig/network (Redhat)
The hostname is set by "/bin/hostname" during boot and the name is read from these files. May be changed manually.
/etc/resolv.conf
specify name server, DNS domain and search order. For example:
search la.asu.edu
nameserver 129.219.17.200
/etc/hosts host name to IP mapping file.
/etc/host.conf
host name information lookup order. Example:
order hosts, bind
multi on
/etc/nsswitch.conf new way to specify information sources.
/etc/networks /etc/protocols /etc/services
TCP/IP services and port mappings.
/etc/rpc RPC service name to program number mapping.
Commands
netconfig menu-driven Ethernet setup program.
pppsetup set up a PPP connection (Slackware).
ifconfig
set up Ethernet during boot, for example:
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0
/sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 metric 1
host look up a host name or IP (similar to nslookup).
dnsdomainname show the DNS domain name.
arping; arp find out an Ethernet address by first arping, then arp.
ipchains firewall and NAT (/etc/sysconfig/ipchains on Redhat)
iptables firewall and NAT (/etc/sysconfig/iptables on Redhat)
Redhat files in /etc/sysconfig
Configuration Files
keyboard keyboard map, e.g., KEYBOARD="/usr/lib/kdb/keytables/us.map"
mouse mouse type, e.g., MOUSETYPE=Microsoft XEMU3=yes
network network settings, contains NETWORKING=yes HOSTNAME=hostname.domain.com
NFS File Sharing
Files
/etc/fstab file systems mounted during boot.
/etc/exports NFS server export list.
/etc/auto.master automount master file.
Commands
mount mount a file system or all entries in fstab.
exportfs export the file systems listed in exports.
showmount -e hostname show the file systems exported by hostname.
Printer Configuration
Files
/etc/printcap /etc/printcap.local
Printer capabilities database.
/etc/lpd.conf LPRng configuration file.
/etc/lpd.perms permissions control file for the LPRng line printer spooler.
/etc/hosts.lpd access control (BSD lpd).
/etc/hosts.equiv trusted hosts.
PRINTER environment variable naming the default printer.
/dev/lp0 parallel port.
Commands
lpc, lpq, lprm
line printer control program and print queue maintenance.
Sendmail
Files
sendmail.cf sendmail.mc
"sendmail.cf" is the configuration file. "sendmail.mc" is a macro file which can be used to generate "sendmail.cf" by: m4 sendmail.mc > sendmail.cf
aliases mail aliases; must run "newaliases" after a change. Use :include: to include an external list from a file.
access
mail access control; FEATURE(access_db) should be set in sendmail.mc. For example, in /etc/mail/access:
cyberpromo.com REJECT
mydomain.com RELAY
spam@somewhere.com DISCARD
then rebuild the database: makemap hash /etc/mail/access < /etc/mail/access
/etc/mail/relay-domains list all hosts/domains accepted for relaying.
Commands
newaliases rebuild the database for the mail aliases file.
makemap build the access database, e.g., makemap hash access.db < access
Useful Configuration Files
Files
httpd.conf Apache web server configuration file.
smb.conf Samba server (file and print for Windows).
lilo.conf LILO boot loader configuration file.
syslog.conf System log daemon (syslogd) configuration.
ssh_config sshd_config
SSH client and server configuration files.
ld.so.conf default dynamic library search path (run ldconfig).
mtools.conf mtools configuration file (access DOS files).
named.conf DNS name server (BIND).
sysctl.conf kernel parameters by sysctl (Redhat).
ntp.conf net time server.
inetd.conf Internet super server.
xinetd.conf, xinetd.d directory
Extended inetd configuration.
proftpd.conf proftpd FTP server.
amanda.conf network backup server.
/etc/pine.conf /etc/pine.conf.fixed
PINE mail client system wide settings.
Rebuild Kernel
Configure Kernel Parameters: make config, make menuconfig, make xconfig
Configure the kernel with an interactive, menu or X window interface.
Compile Kernel Source: make dep, make zImage, make zdisk, make zlilo, make bzImage
Build and install a new kernel.
Compile Modules: make modules, make modules_install
Build and install modules.
Manage Modules: insmod, lsmod, modinfo, modprobe, rmmod, depmod
Manage loadable modules.
Miscellaneous
Files
/etc/shells allowed login shells
/etc/ftpusers user names NOT allowed to use ftp.
/etc/hosts.allow /etc/hosts.deny
TCP wrapper host control files.
/etc/sysconfig (Redhat)
contains system configuration files.
/dev/fd0 floppy drive A
/etc/inittab /etc/init.d
system run level control file and init scripts.
Commands
fromdos, todos (Slackware) dos2unix, unix2dos (Redhat)
convert text files from/to Linux format.
pwck, grpck verify integrity of password and group files.
pwconv, pwunconv, grpconv, grpunconv
convert to and from shadow passwords and groups.
shadowconfig toggle shadow passwords on and off.
quota, edquota, quotacheck, quotaon, quotaoff, repquota,
Manage disk quota.
lilo -D dos set LILO default OS (default=dos in lilo.conf)
ldd find out shared library dependencies.
lsof list opened files.
fuser filename show the processes that are using the file.
ifup, ifdown
bring a network interface up/down (Redhat)
sysctl configure kernel parameters (Redhat).
socklist list open sockets.
shutdown [-r|-h] now
reboot / halt computer
nmap scan a host for opened ports.
crontab show or edit cron jobs.
sys-unconfig unconfigure system
chkconfig --list list services started at different run level.
kudzu probe for new hardware (Redhat).
rpm
rpm -i install a package
rpm -e uninstall a package
rpm -q query a package
rpm -U update a package
man cmd | col -b > cmd.txt
save a man page as a text file and remove control characters.
Configure Apache 2.0 with SSL (mod_ssl)
(1) When compiling Apache, pass --enable-ssl to the configure script; by default SSL is not enabled. After compiling, use "httpd -l" to list the compiled-in modules; "mod_ssl" should be among them.
(2) Generate a private key: openssl genrsa -out server.key 1024 (1024-bit RSA keys are no longer considered adequate; current guidance is 2048 bits or more.)
(3) Generate a certificate request: openssl req -new -key server.key -out server.csr
(4) Generate a self-signed certificate: openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
(5) Modify "ssl.conf", which is included from "httpd.conf". Note: start the server with "httpd -DSSL"; otherwise comment out <IfDefine SSL> in ssl.conf.
syslog.conf
Each line consists of a selector and an action. A selector has two parts, a facility and a priority, separated by a period (.). By default a selector matches the named priority and every higher priority. Precede the priority with an equals sign (=) to match only that single priority and none above it. Precede it with an exclamation mark (!) to ignore priorities instead, either exactly that one (!=) or that one and any higher priority (!); both prefixes may be combined.
Example:
mail.notice /var/log/mail # log to a file
*.emerg @myhost.mydomain.org # log to remote host
facilities auth, auth-priv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0 - local7.
priorities debug, info, notice, warning, err, crit, alert, emerg.
action Regular file: a full pathname beginning with "/". Terminal and console: a tty such as /dev/console. Remote machine: @myhost.mydomain.org
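Selector semantics are where syslog.conf mistakes hide: a line meant to catch only low-priority kernel noise can silently swallow emergencies, or a `none` entry can drop a facility from the catch-all. The following is an added example, not code from the quick reference, that evaluates a selector against a message's facility and priority. It implements the "priority and higher" default, the `=` and `!` prefixes described above, and additionally the `,` facility lists, `;` selector lists and `none` priority that syslogd accepts. The configuration lines and function names are constructed for the example.

```python
# Added example (not from the quick reference): evaluate syslog.conf selectors
# against a message's facility and priority. Implements the default "this
# priority and higher" rule, the '=' and '!' prefixes described above, plus
# the ',' facility lists, ';' selector lists and 'none' priority that
# syslogd also accepts. The configuration lines are constructed.

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "auth-priv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

def priority_set(spec):
    """Priorities named by one priority field: 'notice' means notice and every
    higher priority, '=notice' means notice only, '*' means all."""
    if spec == "*":
        return set(PRIORITIES)
    if spec.startswith("="):
        name = spec[1:]
        if name not in PRIORITIES:
            raise ValueError(f"unknown priority {name!r}")
        return {name}
    if spec not in PRIORITIES:
        raise ValueError(f"unknown priority {spec!r}")
    return set(PRIORITIES[: PRIORITIES.index(spec) + 1])

def selector_matches(selector, facility, priority):
    """Apply each ';'-separated part in order; a later '!' or 'none' part can
    remove what an earlier part selected."""
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError(f"bad facility/priority {facility}.{priority}")
    matched = False
    for part in selector.split(";"):
        facs, sep, prio = part.strip().rpartition(".")
        if not sep:
            raise ValueError(f"selector {part!r} lacks a '.'")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False                      # drop this facility entirely
        elif prio.startswith("!"):
            if priority in priority_set(prio[1:]):
                matched = False                  # exclusion
        elif priority in priority_set(prio):
            matched = True
    return matched

SAMPLE_CONF = """
mail.notice /var/log/mail # log to a file
*.emerg @myhost.mydomain.org # log to remote host
kern.*;kern.!err /var/log/kern-low # kernel messages below err only
"""

def actions_for(conf, facility, priority):
    """Every action whose selector matches the message, in file order."""
    actions = []
    for line in conf.strip().splitlines():
        line = line.split("#", 1)[0].strip()    # strip trailing comments
        if not line:
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            actions.append(action.strip())
    return actions

if __name__ == "__main__":
    for fac, pri in (("mail", "emerg"), ("kern", "warning"), ("kern", "crit")):
        print(f"{fac}.{pri} ->", actions_for(SAMPLE_CONF, fac, pri))
```

Running a few facility/priority pairs through `actions_for` before deploying a syslog.conf change shows exactly which lines will receive a given message, which is the check to make when a log file is unexpectedly empty or a remote collector stops receiving a class of events.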
IPtables (Netfilter)
Command Syntax: iptables [-t <table>] <command> <chain> <parameters>
Save and Restore rules:
/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/iptables-restore < /etc/sysconfig/iptables
Firewall script sample: http://tiger.la.asu.edu/iptables_examples.htm
Built-in Tables
filter: This is the default table for handling network packets. Built-in chains are:
1. INPUT — This chain applies to packets received via a network interface.
2. OUTPUT — This chain applies to packets sent out via the same network interface which received the packets.
3. FORWARD — This chain applies to packets received on one network interface and sent out on another.
nat: This table is used to alter packets that create a new connection. Built-in chains:
1. PREROUTING — This chain alters packets received via a network interface when they arrive.
2. OUTPUT — This chain alters locally-generated packets before they are routed via a network interface.
3. POSTROUTING — This chain alters packets before they are sent out via a network interface.
## Masquerade everything out ppp0.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
mangle: This table is used for specific types of packet alteration. Built-in chains:
1. PREROUTING — This chain alters packets received via a network interface before they are routed.
2. OUTPUT — This chain alters locally-generated packets before they are routed via a network interface.
Commands
--flush | -F Flush (delete) all rules in the selected chain.
--policy | -P Set the default policy for a particular chain.
--list | -L List all rules in the filter table; use [-t tablename] to specify another table.
--append | -A Append a rule to the end of the specified chain.
--insert | -I Insert a rule into a chain at a particular position.
Other commands: (1) --new-chain | -N (2) --delete | -D (3) --replace | -R (4) --zero | -Z (5) --check | -C (6) --delete-chain | -X (7) --rename-chain | -E
Parameters
--proto | -p [!] name Protocol, by number or name, including tcp, udp, icmp or all.
--source | -s [!] addr/mask Source IP address.
--destination | -d addr/mask Destination IP address.
--in-interface | -i Incoming interface name, e.g. eth0 or ppp0.
--out-interface | -o Outgoing interface name.
--jump | -j Jump to a particular target when a rule matches. Standard targets: ACCEPT, DROP, QUEUE, RETURN, REJECT. May also jump to a user-defined chain.
--fragment | -f Match second or further fragments only.
Options for TCP and UDP protocols
--sport | --source-port, --dport | --destination-port Source and/or destination port. A range can be given as 0:65535; use an exclamation mark (!) to NOT match the ports.
Options for TCP only
--syn Match SYN packets.
--tcp-flags Match TCP packets with specific bits set. For example, -p tcp --tcp-flags ACK,FIN,SYN SYN will only match TCP packets that have the SYN flag set and the ACK and FIN flags unset.
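As an added example (not part of the original notes), the following Python models the --tcp-flags mask/comp test described above on a handful of constructed flag bytes, including the ACK,FIN,SYN SYN rule and the --syn shorthand:

```python
"""Model the iptables --tcp-flags and --syn matches.

Added example (not part of the original notes). It reproduces the rule
described above for "--tcp-flags mask comp": only the bits named in mask are
examined, and the packet matches when, among those, exactly the bits in comp
are set. "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN". The
sample packets are constructed flag bytes, not taken from a capture.
"""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_mask(names):
    """Turn a flag list such as 'ACK,FIN,SYN' (or ALL / NONE) into a bitmask."""
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    if names == "NONE":
        return 0
    mask = 0
    for name in names.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags, mask_names, comp_names, negate=False):
    """Evaluate '[!] --tcp-flags mask comp' against a packet's TCP flag byte."""
    mask, comp = flag_mask(mask_names), flag_mask(comp_names)
    if comp & ~mask:
        raise ValueError("comp flags must be a subset of the mask flags")
    hit = (packet_flags & mask) == comp
    return not hit if negate else hit


def syn_match(packet_flags):
    """'--syn': SYN set while RST, ACK and FIN are clear (other bits ignored)."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")


SAMPLE_PACKETS = {  # constructed TCP flag bytes
    "syn": TCP_FLAGS["SYN"],
    "syn-ack": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "ack": TCP_FLAGS["ACK"],
    "fin-ack": TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
    "syn-psh": TCP_FLAGS["SYN"] | TCP_FLAGS["PSH"],
    "none-set": 0,
    "all-set": sum(TCP_FLAGS.values()),
}


def classify(mask_names, comp_names):
    """Names of the sample packets that a given --tcp-flags rule would match."""
    return sorted(name for name, flags in SAMPLE_PACKETS.items()
                  if tcp_flags_match(flags, mask_names, comp_names))


if __name__ == "__main__":
    print("--tcp-flags ACK,FIN,SYN SYN matches:", classify("ACK,FIN,SYN", "SYN"))
    print("--tcp-flags ALL NONE matches:", classify("ALL", "NONE"))
```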
Options for ICMP only
--icmp-type [!] type Match the specified ICMP type. Valid ICMP types can be listed with iptables -p icmp -h
Options for the state module (-m state --state)
ESTABLISHED The matching packet is associated with other packets in an established connection.
RELATED The matching packet is starting a new connection related in some way to an existing connection.
NEW The matching packet is either creating a new connection or is part of a two-way connection not previously seen.
INVALID The matching packet cannot be tied to a known connection.
X Window (XFree86)
Files
To set the screen resolution, specify a mode in the "Display" subsection of the "Screen" section. For example: Modes "1024x768"
To specify the screen refresh rate, specify the vertical rate in the "Monitor" section. For example: VertRefresh 70-120
/etc/X11/xinit/xinitrc, $HOME/.xinitrc Clients to run after the X server has started.
/etc/X11/fs/config Configure the X11 font path (font server).
Commands
startx Start the X Window System.
Xconfigurator (Red Hat), xfree86setup (Slackware), xf86config Set up the X server and generate XF86Config.
XFree86 -configure XFree86 auto-configuration (Plug-n-Play); generates a template named "XF86Config.new".
Ctrl+Alt+Del Stop the X server (on some systems Ctrl+Alt+Esc).
Ctrl+Alt+F1, Ctrl+Alt+F7 F1 temporarily switches to text mode, F7 switches back to graphic mode.
SuperProbe Detect graphics hardware.
xvidtune Adjust X server origin and size.
xmodmap Modify the key map and mouse button map.
xhost Server access control program for X.
xsetroot Root window parameter setting utility for X.
xlsfonts Server font list displayer for X.
xset User preference utility for X.
XF86Config
XFree86 uses a configuration file called XF86Config for its initial setup. This file is normally located in the "/etc/X11" or "/etc" directory. The XF86Config file is composed of a number of sections which may be present in any order. Each section has the form:
Section "SectionName"
SectionEntry
...
EndSection
The graphics boards are described in the Device sections, and the monitors are described in the Monitor sections. They are bound together by a Screen section. Keyboard and Mouse are described in InputDevice sections, although the older Keyboard and Pointer sections are still recognized. The ServerLayout section is at the highest level and binds together the InputDevice and Screen sections. A special keyword called Option may be used to provide free-form data to various components of the server. The Option keyword takes either one or two string arguments. The first is the option name, and the optional second argument is the option value. All Option values must be enclosed in quotes.
Files Section
FontPath "path" Font path elements may be either absolute directory paths or a font server identifier.
RGBPath "path" Sets the path name for the RGB color database.
ModulePath "path" Allows you to set up multiple directories to use for storing modules loaded by the XFree86 server.
EXAMPLE
Section "Files"
RgbPath "/usr/X11R6/lib/X11/rgb"
FontPath "unix/:7100"
EndSection
ServerFlags Section
Option "DontZap" "boolean" Disables use of Ctrl+Alt+Backspace to terminate the X server.
Option "DontZoom" "boolean" Disables use of Ctrl+Alt+Keypad-Plus and Ctrl+Alt+Keypad-Minus to switch video modes.
Option "BlankTime" "time" Sets the inactivity timeout for the blanking phase of the screensaver, in minutes. Default 10 min.
Option "StandbyTime" "time" Sets the inactivity timeout for the "standby" phase of DPMS mode, in minutes. Default 20 min.
Option "SuspendTime" "time" Sets the inactivity timeout for the "suspend" phase of DPMS mode. Default 30 min.
Option "OffTime" "time" Sets the inactivity timeout for the "off" phase of DPMS mode. Default 40 min.
Option "DefaultServerLayout" "layout_id" Specifies the default ServerLayout section to use. Default is the first ServerLayout section.
EXAMPLE
Section "ServerFlags"
Option "BlankTime" "99999"
Option "StandbyTime" "99999"
Option "SuspendTime" "99999"
Option "OffTime" "99999"
EndSection
Module Section
Load "modulename" Load a module. The module name given should be the module's standard name, not the module file name.
EXAMPLE
Section "Module"
Load "extmod"
Load "type1"
EndSection
InputDevice Section
There are normally at least two InputDevice sections, one for the keyboard and one for the mouse.
Identifier Specifies a unique name for this input device.
Driver Specifies the name of the driver to use for this input device.
Option "CorePointer" This input device is installed as the primary pointer device.
Option "CoreKeyboard" This input device is the primary keyboard.
EXAMPLE
Section "InputDevice"
Identifier "Generic Keyboard"
Driver "keyboard"
Option "AutoRepeat" "500 30"
Option "CoreKeyboard"
EndSection
Section "InputDevice"
Identifier "PS/2 Mouse"
Driver "mouse"
Option "CorePointer"
Option "Device" "/dev/mouse"
Option "Protocol" "PS/2"
Option "Emulate3Buttons" "true"
EndSection
Device Section
Specifies information about the video card used by the system. You must have at least one Device section in your configuration file. The active device is the one referenced by ServerLayout -> Screen.
Identifier Specifies a unique name for this graphics card.
Driver Specifies the name of the driver to use for this graphics card.
EXAMPLE
Section "Device"
Identifier "ATI Mach64"
VendorName "ATI MACH64"
VideoRam 2048
EndSection
Monitor Section
A Monitor section describes a monitor. There must be at least one Monitor section, and the active one is the one referenced by ServerLayout -> Screen.
Identifier Specifies a unique name for this monitor.
HorizSync horizsync-range Gives the range(s) of horizontal sync frequencies of this monitor, in kHz.
VertRefresh vertrefresh-range Gives the range(s) of vertical refresh frequencies of this monitor, in Hz.
EXAMPLE
Section "Monitor"
Identifier "Generic Monitor"
VendorName "Monitor Vendor"
ModelName "Monitor Model"
HorizSync 31.5-56.6
VertRefresh 40-70
EndSection
Screen Section
The Screen section binds Device and Monitor sections. There must be at least one Screen section. The active one is referenced in the ServerLayout section.
Identifier Specifies a unique name for this Screen section.
Device "device-id" Specifies the Identifier of the Device section to be used for this screen.
Monitor "monitor-id" Specifies the Identifier of the Monitor section to be used for this screen.
DefaultDepth depth Default color depth, such as 8, 16 or 24.
Option "Accel" Enables XAA (X Acceleration Architecture); default is on.
DISPLAY SUBSECTION
Each Screen section must have at least one Display subsection whose Depth matches the value in DefaultDepth.
Depth depth Specifies the color depth of this Display subsection.
Virtual xdim ydim Specifies the virtual screen resolution to be used.
ViewPort x0 y0 Sets the upper left corner of the initial display.
Modes "mode-name" ... Specifies the list of video modes to use. Each mode-name must be in double quotes. They must correspond to those specified in the appropriate Monitor section (including implicitly referenced built-in VESA standard modes). The mode can be switched with Ctrl+Alt+Keypad-Plus or Ctrl+Alt+Keypad-Minus.
EXAMPLE
Section "Screen"
Identifier "My Screen"
Device "ATI Mach64"
Monitor "Generic Monitor"
DefaultDepth 16
SubSection "Display"
Depth 16
Modes "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 24
Modes "1024x768" "800x600" "640x480"
EndSubSection
EndSection
ServerLayout Section
The ServerLayout section binds a Screen section and one or more InputDevice sections to form a complete configuration. The active ServerLayout section is specified in ServerFlags; if none is specified, the first ServerLayout section is active. If no ServerLayout sections are present, the single active screen and two active (core) input devices are selected as described in the relevant sections.
Identifier A unique name for this ServerLayout section.
Screen screen-num "screen-id" position-information The screen-id field is mandatory and specifies the Screen section being referenced.
InputDevice "idev-id" "option" ... Normally at least two are required, one for the core pointer and the other for the primary keyboard.
EXAMPLE
Section "ServerLayout"
Identifier "Default Layout"
Screen "My Screen"
InputDevice "Generic Keyboard"
InputDevice "PS/2 Mouse"
EndSection
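An added example, not part of the original notes: a small Python parser for the Section/SubSection/Option syntax described above, with the cross-reference checks (Screen -> Device/Monitor, ServerLayout -> Screen/InputDevice, DefaultDepth -> Display) run over a configuration constructed from the example sections:

```python
"""Parse XF86Config and check that its sections reference each other.

Added example, not from the original notes: a reader for the Section/EndSection,
SubSection/EndSubSection and Option "name" ["value"] syntax described above, with
the checks the server depends on (Screen names an existing Device and Monitor,
ServerLayout names existing Screen and InputDevice sections, DefaultDepth matches
a Display subsection). The sample configuration is built from the examples above.
"""
import shlex


def parse_xf86config(text):
    """Return the top-level sections as dicts: type, entries [(key, args)], subsections."""
    sections, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)  # keeps double-quoted arguments whole
        if key in ("Section", "SubSection"):
            node = {"type": args[0], "entries": [], "subsections": []}
            (stack[-1]["subsections"] if key == "SubSection" else sections).append(node)
            stack.append(node)
        elif key in ("EndSection", "EndSubSection"):
            if not stack:
                raise ValueError(f"line {lineno}: {key} without an open section")
            stack.pop()
        elif stack:
            stack[-1]["entries"].append((key, args))
        else:
            raise ValueError(f"line {lineno}: entry outside any section")
    if stack:
        raise ValueError(f"unterminated section {stack[-1]['type']!r}")
    return sections


def entry(node, key):
    """Arguments of the first entry named key in a section, or None."""
    return next((args for k, args in node["entries"] if k == key), None)


def validate(sections):
    """Return the cross-reference problems found; an empty list means consistent."""
    problems, ids = [], {}
    for sec in sections:
        ident = entry(sec, "Identifier")
        if ident:
            ids.setdefault(sec["type"], set()).add(ident[0])
    for sec in sections:
        if sec["type"] == "Screen":
            for ref in ("Device", "Monitor"):
                target = entry(sec, ref)
                if not target or target[0] not in ids.get(ref, set()):
                    problems.append(f"Screen references unknown {ref} {target}")
            depths = {entry(s, "Depth")[0] for s in sec["subsections"]
                      if s["type"] == "Display" and entry(s, "Depth")}
            default = entry(sec, "DefaultDepth")
            if default and default[0] not in depths:
                problems.append(f"DefaultDepth {default[0]} has no Display subsection")
        elif sec["type"] == "ServerLayout":
            for key, args in sec["entries"]:
                if key in ("Screen", "InputDevice"):
                    # Screen may carry a leading screen number: Screen 0 "My Screen"
                    name = next((a for a in args if not a.isdigit()), None)
                    if name not in ids.get(key, set()):
                        problems.append(f"ServerLayout references unknown {key} {name!r}")
    return problems


SAMPLE_XF86CONFIG = """\
Section "InputDevice"
    Identifier "Generic Keyboard"
EndSection
Section "InputDevice"
    Identifier "PS/2 Mouse"
    Option "Device" "/dev/mouse"
EndSection
Section "Device"
    Identifier "ATI Mach64"
EndSection
Section "Monitor"
    Identifier "Generic Monitor"
EndSection
Section "Screen"
    Identifier "My Screen"
    Device "ATI Mach64"
    Monitor "Generic Monitor"
    DefaultDepth 16
    SubSection "Display"
        Depth 16
        Modes "1024x768" "800x600"
    EndSubSection
EndSection
Section "ServerLayout"
    Identifier "Default Layout"
    Screen 0 "My Screen"
    InputDevice "Generic Keyboard" "CoreKeyboard"
    InputDevice "PS/2 Mouse" "CorePointer"
EndSection
"""
```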
Unix/Linux Command Reference
File Commands
ls – directory listing
ls -al – formatted listing with hidden files
cd dir – change directory to dir
cd – change to home
pwd – show current directory
mkdir dir – create a directory dir
rm file – delete file
rm -r dir – delete directory dir
rm -f file – force remove file
rm -rf dir – force remove directory dir *
cp file1 file2 – copy file1 to file2
cp -r dir1 dir2 – copy dir1 to dir2; create dir2 if it doesn't exist
mv file1 file2 – rename or move file1 to file2; if file2 is an existing directory, moves file1 into directory file2
ln -s file link – create symbolic link link to file
touch file – create or update file
cat > file – places standard input into file
more file – output the contents of file
head file – output the first 10 lines of file
tail file – output the last 10 lines of file
tail -f file – output the contents of file as it grows, starting with the last 10 lines
Process Management
ps – display your currently active processes
top – display all running processes
kill pid – kill process id pid
killall proc – kill all processes named proc *
bg – lists stopped or background jobs; resume a stopped job in the background
fg – brings the most recent job to foreground
fg n – brings job n to the foreground
File Permissions
chmod octal file – change the permissions of file to octal, which can be found separately for user, group, and world by adding:
● 4 – read (r)
● 2 – write (w)
● 1 – execute (x)
Examples:
chmod 777 – read, write, execute for all
chmod 755 – rwx for owner, rx for group and world
For more options, see man chmod.
SSH
ssh user@host – connect to host as user
ssh -p port user@host – connect to host on port port as user
ssh-copy-id user@host – add your key to host for user to enable a keyed or passwordless login
Searching
grep pattern files – search for pattern in files
grep -r pattern dir – search recursively for pattern in dir
command | grep pattern – search for pattern in the output of command
locate file – find all instances of file
System Info
date – show the current date and time
cal – show this month's calendar
uptime – show current uptime
w – display who is online
whoami – who you are logged in as
finger user – display information about user
uname -a – show kernel information
cat /proc/cpuinfo – cpu information
cat /proc/meminfo – memory information
man command – show the manual for command
df – show disk usage
du – show directory space usage
free – show memory and swap usage
whereis app – show possible locations of app
which app – show which app will be run by default
Compression
tar cf file.tar files – create a tar named file.tar containing files
tar xf file.tar – extract the files from file.tar
tar czf file.tar.gz files – create a tar with Gzip compression
tar xzf file.tar.gz – extract a tar using Gzip
tar cjf file.tar.bz2 – create a tar with Bzip2 compression
tar xjf file.tar.bz2 – extract a tar using Bzip2
gzip file – compresses file and renames it to file.gz
gzip -d file.gz – decompresses file.gz back to file
Network
ping host – ping host and output results
whois domain – get whois information for domain
dig domain – get DNS information for domain
dig -x host – reverse lookup host
wget file – download file
wget -c file – continue a stopped download
Installation
Install from source:
./configure
make
make install
dpkg -i pkg.deb – install a package (Debian)
rpm -Uvh pkg.rpm – install a package (RPM)
Shortcuts
Ctrl+C – halts the current command
Ctrl+Z – stops the current command, resume with fg in the foreground or bg in the background
Ctrl+D – log out of current session, similar to exit
Ctrl+W – erases one word in the current line
Ctrl+U – erases the whole line
Ctrl+R – type to bring up a recent command
!! – repeats the last command
exit – log out of current session
* use with extreme caution.
THE ONE PAGE LINUX MANUAL: A summary of useful Linux commands
Version 3.0 May 1999 squadron@powerup.com.au
Starting & Stopping
shutdown -h now Shutdown the system now and do not reboot
halt Stop all processes - same as above
shutdown -r 5 Shutdown the system in 5 minutes and reboot
shutdown -r now Shutdown the system now and reboot
reboot Stop all processes and then reboot - same as above
startx Start the X system
Accessing & mounting file systems
mount -t iso9660 /dev/cdrom /mnt/cdrom Mount the device cdrom and call it cdrom under the /mnt directory
mount -t msdos /dev/hdd /mnt/ddrive Mount hard disk "d" as an msdos file system and call it ddrive under the /mnt directory
mount -t vfat /dev/hda1 /mnt/cdrive Mount hard disk "a" as a VFAT file system and call it cdrive under the /mnt directory
umount /mnt/cdrom Unmount the cdrom
Finding files and text within files
find / -name fname Starting with the root directory, look for the file called fname
find / -name "*fname*" Starting with the root directory, look for files whose names contain the string fname
locate missingfilename Find a file called missingfilename using the locate command - this assumes you have already used the command updatedb (see next)
updatedb Create or update the database of files on all file systems attached to the linux root directory
which missingfilename Show the subdirectory containing the executable file called missingfilename
grep textstringtofind /dir Starting with the directory called dir, look for and list all files containing textstringtofind
The X Window System
xvidtune Run the X graphics tuning utility
XF86Setup Run the X configuration menu with automatic probing of graphics cards
Xconfigurator Run another X configuration menu with automatic probing of graphics cards
xf86config Run a text based X configuration menu
Moving, copying, deleting & viewing files
ls -l List files in current directory using long format
ls -F List files in current directory and indicate the file type
ls -laC List all files in current directory in long format and display in columns
rm name Remove a file or directory called name
rm -rf name Kill off an entire directory and all its included files and subdirectories
cp filename /home/dirname Copy the file called filename to the /home/dirname directory
mv filename /home/dirname Move the file called filename to the /home/dirname directory
cat filetoview Display the file called filetoview
man -k keyword Display man pages containing keyword
more filetoview Display the file called filetoview one page at a time, proceed to next page using the spacebar
head filetoview Display the first 10 lines of the file called filetoview
head -20 filetoview Display the first 20 lines of the file called filetoview
tail filetoview Display the last 10 lines of the file called filetoview
tail -20 filetoview Display the last 20 lines of the file called filetoview
Installing software for Linux
rpm -ihv name.rpm Install the rpm package called name
rpm -Uhv name.rpm Upgrade the rpm package called name
rpm -e package Delete the rpm package called package
rpm -l package List the files in the package called package
rpm -ql package List the files and state the installed version of the package called package
rpm -i --force package Reinstall the rpm package called name having deleted parts of it (not deleting using rpm -e)
tar -zxvf archive.tar.gz or tar -zxvf archive.tgz Decompress the files contained in the zipped and tarred archive called archive
./configure Execute the script preparing the installed files for compiling
User Administration
adduser accountname Create a new user called accountname
passwd accountname Give accountname a new password
su Log in as superuser from current login
exit Stop being superuser and revert to normal user
Little known tips and tricks
ifconfig List ip addresses for all devices on the machine
apropos subject List manual pages for subject
usermount Executes graphical application for mounting and unmounting filesystems
/sbin/e2fsck hda5 Execute the filesystem check utility on partition hda5
fdformat /dev/fd0H1440 Format the floppy disk in device fd0
tar -cMf /dev/fd0 Backup the contents of the current directory and subdirectories to multiple floppy disks
tail -f /var/log/messages Display the last 10 lines of the system log.
cat /var/log/dmesg Display the file containing the boot time messages - useful for locating problems. Alternatively, use the dmesg command.
* Wildcard - represents everything. eg. cp from/* to will copy all files in the from directory to the to directory
? Single character wildcard. eg. cp config.? /configs will copy all files beginning with the name config. in the current directory to the directory named configs.
[xyz] Choice of character wildcards. eg. ls [xyz]* will list all files in the current directory starting with the letter x, y, or z.
linux single At the lilo prompt, start in single user mode. This is useful if you have forgotten your password. Boot in single user mode, then run the passwd command.
ps List current processes
kill 123 Kill a specific process eg. kill 123
Configuration files and what they do
/etc/profile System wide environment variables for all users.
/etc/fstab List of devices and their associated mount points. Edit this file to add cdroms, DOS partitions and floppy drives at startup.
/etc/motd Message of the day broadcast to all users at login.
/etc/rc.d/rc.local Bash script that is executed at the end of the login process. Similar to autoexec.bat in DOS.
/etc/HOSTNAME Contains full hostname including domain.
/etc/cron.* There are 4 directories that automatically execute all scripts within the directory at intervals of hour, day, week or month.
/etc/hosts A list of all known host names and IP addresses on the machine.
/etc/httpd/conf Parameters for the Apache web server
/etc/inittab Specifies the run level that the machine should boot into.
/etc/resolv.conf Defines IP addresses of DNS servers.
/etc/smb.conf Config file for the SAMBA server. Allows file and print sharing with Microsoft clients.
/etc/X11/XF86Config Config file for X-Windows.
~/.xinitrc Defines the windows manager loaded by X. ~ refers to user's home directory.
File permissions
If the command ls -l is given, a long list of file names is displayed. The first column in this list details the permissions applying to the file. If a permission is missing for owner, group or other, it is represented by - eg. drwxr-x--x
Read = 4
Write = 2
Execute = 1
File permissions are altered by giving the chmod command and the appropriate octal code for each user type. eg
chmod 764 filename will make the file called filename R+W+X for the owner, R+W for the group and R for others.
chmod 755 Full permission for the owner, read and execute access for the group and others.
chmod +x filename Make the file called filename executable to all users.
X Shortcuts - (mainly for Redhat)
Control|Alt + or - Increase or decrease the screen resolution. eg. from 640x480 to 800x600
Alt | escape Display list of active windows
Shift|Control F8 Resize the selected window
Right click on desktop background Display menu
Shift|Control|Alt r Refresh the screen
Shift|Control|Alt x Start an xterm session
Printing
/etc/rc.d/init.d/lpd start Start the print daemon
/etc/rc.d/init.d/lpd stop Stop the print daemon
/etc/rc.d/init.d/lpd status Display status of the print daemon
lpq Display jobs in print queue
lprm Remove jobs from queue
lpr Print a file
lpc Printer control tool
man subject | lpr Print the manual page called subject as plain text
man -t subject | lpr Print the manual page called subject as Postscript output
printtool Start X printer setup interface
~/.Xdefaults Define configuration for some X-applications. ~ refers to user's home directory.
Get your own Official Linux Pocket Protector - includes handy command summary. Visit:
www.powerup.com.au/~squadron
packetlife.net
by Jeremy Stretch v2.0
IS-IS · PART 1
Attributes
Type: Link-State
Algorithm: Dijkstra
Metric: Default (10)
AD: 115
Standard: ISO 10589
Protocols: IP, CLNS
Transport: Layer 2
Authentication: Plaintext, MD5
Network Types
Broadcast · DIS Elected: Yes · Neighbor Discovery: Yes · Hello/Dead Timers: 10/30
Point-to-Point · DIS Elected: No · Neighbor Discovery: Yes · Hello/Dead Timers: 10/30
Adjacency Requirements
· Interface MTUs must match
· Areas must match (if level 1)
· System IDs must be unique
· Authentication must succeed
· Levels must match
Troubleshooting
show ip route
show ip protocols
show [clns|isis] neighbor
show [clns|isis] interface
show isis database
show isis spf-log
debug isis spf-events
debug isis adjacencies-packets
debug isis spf-statistics
debug isis update-packets
Protocol Header (figure): IRPD · Packet Length · Version/Protocol ID Extension · ID Length · R R R PDU Type · Version · Reserved · Maximum Area Addresses, followed by TLVs (Type · Length · Value ...)
NSAP Addressing
Interdomain Part (IDP): Portion of the address used in routing between autonomous systems; assigned by ISO
Domain-Specific Part (DSP): Portion of the address relevant only within the local AS
Authority and Format Identifier (AFI): Identifies the authority which dictates the format of the address
Initial Domain Identifier (IDI): An organization belonging to the AFI
High Order DSP (HODSP): The area within the AS
System ID: Unique router identifier; 48 bits for Cisco devices (often taken from a MAC address)
NSAP Selector (SEL): Identifies a network layer service; always 0x00 in a NET address
Routing Levels
Level 0 · Used to locate end systems
Level 1 · Routing within an area
Level 2 · Backbone between areas
Level 3 · Inter-AS routing
Terminology
Type-Length-Value (TLV): Variable-length modular datasets
Link State PDU (LSP): Carries TLVs encompassing link state information
Sequence Number Packet (SNP): Used to request and advertise LSPs; can be complete (CSNP) or partial (PSNP)
Hello Packet: Establishes and maintains neighbor adjacencies
Designated Intermediate System (DIS): A pseudonode responsible for emulating point-to-point links across a multi-access segment
DIS Election
· Highest-priority interface elected
· Highest SNPA (MAC/DLCI) breaks tie
· Highest system ID breaks SNPA tie
· Default interface priority is 64
· Current DIS may be preempted
NSAP Example
47.0005.80ff.f800.0000.0001.0000.0c00.1234.00
Interdomain Part: AFI 47, then the IDI
Domain-Specific Part: HODSP, then System ID 0000.0c00.1234, then SEL 00
Area (AFI + IDI + HODSP): 47.0005.80ff.f800.0000.0001
Condensed NSAP: 47.0005.80ff.f800.0000.0001.0000.0c00.1234.00
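As an added example that is not part of the cheat sheet, the following Python decodes an NSAP/NET into the fields shown above and applies the adjacency requirements to the router NETs from the configuration example in Part 2; the field boundaries and router names come from this page, the function names are the example's own:

```python
"""Decode IS-IS NSAP/NET addresses and apply the adjacency requirements.

Added example, not from the cheat sheet. It splits an NSAP written in the
dotted form shown above into AFI, Area (AFI + IDI + HODSP), System ID and
SEL, and then checks a group of routers' NETs the way the adjacency
requirements demand: unique System IDs, matching areas for Level 1, and
SEL 00 for a NET. The router NETs come from the configuration example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsap:
    afi: str        # Authority and Format Identifier: the first octet
    area: str       # AFI + IDI + HODSP, dotted as Cisco writes it
    system_id: str  # six octets as xxxx.xxxx.xxxx
    sel: str        # NSAP Selector: the last octet, 00 in a NET


def parse_nsap(text):
    """Parse e.g. '47.0005.80ff.f800.0000.0001.0000.0c00.1234.00'.

    Dots are ignored and only the hex digits count: the last octet is the
    SEL, the six octets before it are the System ID, and everything in
    front of those is the area (1 to 13 octets, AFI first).
    """
    digits = text.replace(".", "").lower()
    if len(digits) % 2 or not 16 <= len(digits) <= 40:
        raise ValueError(f"NSAP must be 8 to 20 octets: {text!r}")
    if any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"non-hex character in {text!r}")
    sel, sysid, area_digits = digits[-2:], digits[-14:-2], digits[:-14]
    groups = [area_digits[:2]] + [area_digits[i:i + 4] for i in range(2, len(area_digits), 4)]
    return Nsap(afi=area_digits[:2],
                area=".".join(groups),
                system_id=".".join(sysid[i:i + 4] for i in range(0, 12, 4)),
                sel=sel)


def check_adjacency(nets, level):
    """Return the adjacency problems among routers (name -> NET); empty means OK.

    Level 1 neighbours must share an area; Level 2 neighbours need not.
    System IDs must be unique at any level, and a NET must carry SEL 00.
    """
    parsed = {name: parse_nsap(net) for name, net in nets.items()}
    problems = []
    for name, n in parsed.items():
        if n.sel != "00":
            problems.append(f"{name}: NET must end in SEL 00, got {n.sel}")
    first_with = {}
    for name, n in parsed.items():
        if n.system_id in first_with:
            problems.append(f"{name} and {first_with[n.system_id]} share System ID {n.system_id}")
        first_with.setdefault(n.system_id, name)
    if level == 1 and len({n.area for n in parsed.values()}) > 1:
        detail = ", ".join(f"{name}={n.area}" for name, n in parsed.items())
        problems.append(f"Level 1 neighbours must share an area: {detail}")
    return problems


# NETs as configured on the routers in the configuration example (Part 2).
ROUTER_NETS = {
    "A1": "49.0001.0000.0000.00a1.00",
    "A2": "49.0001.0000.0000.00a2.00",
    "B1": "49.0002.0000.0000.00b1.00",
    "B2": "49.0002.0000.0000.00b2.00",
}

if __name__ == "__main__":
    print(parse_nsap("47.0005.80ff.f800.0000.0001.0000.0c00.1234.00"))
    print(check_adjacency({k: ROUTER_NETS[k] for k in ("A1", "B1")}, level=1))
```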
packetlife.net
by Jeremy Stretch v2.0
IS-IS · PART 2
Router A2
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0001.0000.0000.00a2.00
Router B1
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 1
 ip address 10.0.0.2 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.9 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 103
!
router isis
 net 49.0002.0000.0000.00b1.00
Router A1
interface FastEthernet0/0
 description Area 1
 ip address 192.168.1.1 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description To Area 2
 ip address 10.0.0.1 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 ! MD5 authentication (keychain not shown)
 isis authentication mode md5
 isis authentication key-chain <keychain>
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description To Area 3
 ip address 10.0.0.5 255.255.255.252
 ip router isis
 isis circuit-type level-2-only
 frame-relay interface-dlci 102
!
router isis
 net 49.0001.0000.0000.00a1.00
Topology (figure): Area 1 192.168.1.0/24 (routers A1, A2, A3), Area 2 192.168.2.0/24 (B1, B2, B3), Area 3 192.168.3.0/24 (C1, C2, C3); Level 2 links A1-B1 10.0.0.0/30, A1 to Area 3 10.0.0.4/30, B1 to Area 3 10.0.0.8/30
TLV Types
Type · Name · Use
1 · Area Addresses · Hello, LSP
2 · IS Neighbors · LSP
3 · ES Neighbors · L1 LSP
5 · Prefix Neighbors · L2 LSP
6 · IS Neighbors · Hello, L2 LSP
8 · Padding · Hello
9 · LSP Entries · SNP
10 · Authentication · All
128 · IP Internal Reach. · LSP
129 · Protocols Supported · Hello, LSP
131 · IDRPI · SNP, L2 LSP
132 · IP Interface Address · Hello, LSP
Configuration Example
Router B2
interface FastEthernet0/0
 description Area 2
 ip address 192.168.2.2 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
router isis
 net 49.0002.0000.0000.00b2.00
packetlife.net
by Jeremy Stretch v1.01
POINT-TO-POINT PROTOCOL
LCP Header (bit positions 8 16 24 32): Code · Identifier · Length
General PPP Configuration
! Configure a peer account if authentication will be used
username peer-hostname password password
! Configure a local IP address pool if needed
ip pool name first-IP last-IP
interface Serial0/0
 ! Enable PPP encapsulation
 encapsulation ppp
 ! Enable CHAP and/or PAP for authentication
 ppp authentication { chap | pap } [ chap | pap ]
 ! Enable compression
 compress { predictor | stac }
 ! Enable peer IP address assignment (server side)
 peer default ip address { pool name | IP-address }
 ! Enable IP address negotiation (client side)
 ip address negotiated
Troubleshooting
show ppp multilink
debug ppp authentication
debug ppp { negotiation | packet }
PPP Components
Link Control Protocol (LCP): Provides for the establishment, configuration, and maintenance of a PPP link. Protocol-independent options are negotiated by LCP.
Network Control Protocol (NCP): A separate NCP is used to negotiate the configuration of each network layer protocol (such as IP) carried by PPP.
PPP Header (bit positions 8 16 24 32): Address · Control · Protocol
Connection Phase Flowchart (figure): Dead -> Establish -> Authenticate -> Network -> Terminate; transitions: Auth Required, No Auth, Success, Failure, Admin Shutdown
Authentication Protocols
Plaintext Authentication Protocol (PAP): Original, obsolete authentication protocol which relies on the exchange of a plaintext key to authenticate peers (RFC 1334).
Challenge Handshake Authentication Protocol (CHAP): Authenticates peers using the MD5 checksum of a pre-shared secret key (RFC 1994).
PPP Features
Protocol Multiplexing · Multiple NCPs
Optional Compression · Stacker/predictor
Loopback Detection · Provided by LCP
Load Balancing · Multilink PPP
Optional Authentication · PAP/CHAP
Multilink PPP Configuration
! Create the multilink interface
interface Multilink1
 ip address IP-address subnet-mask
 ppp multilink group group
! Assign physical interfaces to the multilink group
interface Serial0/0
 encapsulation ppp
 ppp multilink group group
PPP Summary
Standard: RFC 1661
Interfaces: Asynchronous serial, synchronous serial, ISDN, HSSI
PPP Compression Algorithms
Stacker: Replaces repetitive data with symbols from a dynamic dictionary (more processor-intensive)
Predictor: Attempts to predict sequential data (more memory-intensive)
PPP Connection Example
LCP Configuration Request
LCP Configuration Ack
CHAP Challenge
CHAP Response
CHAP Success
IP Control Configuration Request
IP Control Configuration Ack
CDP Control Configuration Request
CDP Control Configuration Ack
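An added example, not part of the cheat sheet: the CHAP Challenge / Response / Success exchange from the connection example above, computed as RFC 1994 describes, next to the PAP request it replaces; the hostname follows the configuration template, the secret and challenge bytes are constructed:

```python
"""Simulate the PPP CHAP handshake shown above and contrast it with PAP.

Added example, not from the cheat sheet. Both peers compute
MD5(Identifier || secret || Challenge) as RFC 1994 specifies, so the shared
secret never crosses the link, while a PAP Authenticate-Request carries the
password itself. 'peer-hostname' follows the configuration template above;
the secret and the challenge bytes are constructed for the example.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5 over Identifier, secret and Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side configured with 'ppp authentication chap' and 'username ... password ...'."""

    def __init__(self, peers, rng=os.urandom):
        self.peers = dict(peers)   # hostname -> secret
        self.rng = rng             # challenge source; replaceable for deterministic tests
        self.identifier = 0
        self.pending = None        # challenge awaiting a response

    def challenge(self):
        """CHAP Challenge: a fresh Identifier and an unpredictable Challenge Value."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = self.rng(16)
        return self.identifier, self.pending

    def verify(self, identifier, response, name):
        """CHAP Success or Failure: recompute the hash with the stored secret."""
        if self.pending is None or identifier != self.identifier or name not in self.peers:
            return False
        expected = chap_response(identifier, self.peers[name], self.pending)
        self.pending = None        # a challenge is answered once; replays fail
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated."""

    def __init__(self, hostname, secret):
        self.hostname, self.secret = hostname, secret

    def respond(self, identifier, challenge):
        """CHAP Response: the hash plus the sender's name, which travels in clear."""
        return identifier, chap_response(identifier, self.secret, challenge), self.hostname

    def pap_request(self):
        """PAP Authenticate-Request: Peer-ID and the password, both in clear."""
        return self.hostname, self.secret


def chap_session(authenticator, peer):
    """Run Challenge / Response / Success-or-Failure; return (ok, messages on the wire)."""
    ident, chal = authenticator.challenge()
    ident, resp, name = peer.respond(ident, chal)
    ok = authenticator.verify(ident, resp, name)
    wire = [("Challenge", ident, chal), ("Response", ident, resp, name),
            ("Success" if ok else "Failure", ident)]
    return ok, wire


def secret_on_wire(messages, secret):
    """True if the secret appears verbatim in any byte field of the messages."""
    return any(secret in part for msg in messages for part in msg if isinstance(part, bytes))


if __name__ == "__main__":
    secret = b"constructed-secret"
    auth = Authenticator({b"peer-hostname": secret})
    ok, wire = chap_session(auth, Peer(b"peer-hostname", secret))
    print("CHAP:", wire[-1][0], "| secret visible on wire:", secret_on_wire(wire, secret))
    pap = Peer(b"peer-hostname", secret).pap_request()
    print("PAP : secret visible on wire:", secret_on_wire([pap], secret))
```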
packetlife.net
by Jeremy Stretch v2.0
FRAME MODE MPLS
MPLS Configuration
! Enable CEF
ip cef
! Select label protocol
mpls label protocol ldp
! Enable MPLS on IP interfaces
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ! Raise MPLS MTU to accommodate multilabel stack
 mpls mtu 1512
Terminology
Tag Distribution Protocol (TDP): Cisco's proprietary predecessor to LDP
Label Distribution Protocol (LDP): Standards-based label distribution protocol defined in RFC 3036
Interim Packet Propagation: An LSR temporarily falls back to IP routing while waiting to learn the necessary MPLS label(s)
Label-Switched Path (LSP): The unidirectional path through one or more LSRs taken by a label-switched packet belonging to an FEC
Forwarding Equivalence Class (FEC): A group of packets which are forwarded in an identical manner, typically by destination prefix and/or traffic class
Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail] (LIB)
show mpls forwarding-table [detail] (LFIB)
show ip cef [detail] (FIB)
Protocol Header
Label (20 bits) · Unique label value
Traffic Class (3 bits) · CoS-mapped QoS marking
Bottom of Stack (1 bit) · Indicates label is last in the stack
Time To Live (8 bits) · Hop counter mapped from IP TTL
Layout (bit positions 8 16 24 32): Label | TC | S | TTL; the label stack is inserted between the L2 header and the IP header
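As an added example (not the cheat sheet's own material), the following Python packs and unpacks the shim header fields shown above, walks a label stack to the bottom-of-stack bit, and models penultimate hop popping; the packet bytes are constructed:

```python
"""Encode and decode the MPLS label stack laid out in the header above.

Added example, not from the cheat sheet. Each 32-bit shim entry is
Label (20 bits) | TC (3 bits) | S (1 bit) | TTL (8 bits); the stack sits
between the L2 header and the IP header and the S bit marks the bottom
entry. penultimate_hop_pop() models the PHP behaviour described below:
the top label is removed so the last LSR only needs an IP lookup. The
sample packet bytes are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class LabelEntry:
    label: int      # 20-bit label value
    tc: int = 0     # 3-bit traffic class (CoS-mapped QoS marking)
    ttl: int = 64   # 8-bit hop counter


def encode_stack(entries):
    """Serialise LabelEntry objects; the S bit is set only on the last entry."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    out = bytearray()
    for i, e in enumerate(entries):
        if not (0 <= e.label < 1 << 20 and 0 <= e.tc < 8 and 0 <= e.ttl < 256):
            raise ValueError(f"field out of range in {e}")
        bottom = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (e.label << 12) | (e.tc << 9) | (bottom << 8) | e.ttl)
    return bytes(out)


def decode_stack(data):
    """Parse shim entries up to the S bit; return (entries, offset of the IP header)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past the end of the packet (no S bit)")
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append(LabelEntry(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        offset += 4
        if (word >> 8) & 1:
            return entries, offset


def penultimate_hop_pop(data):
    """Pop the top label as the second-to-last LSR would and return the packet.

    With one label left, the result is the bare IP packet (its own TTL is
    left untouched here). With more labels, the popped TTL minus one is
    carried into the new top entry (uniform TTL model).
    """
    entries, offset = decode_stack(data)
    popped, rest, payload = entries[0], entries[1:], data[offset:]
    if not rest:
        return payload
    rest[0].ttl = max(popped.ttl - 1, 0)
    return encode_stack(rest) + payload


if __name__ == "__main__":
    # Constructed two-label packet in front of a placeholder IP header.
    pkt = encode_stack([LabelEntry(16, tc=5, ttl=255), LabelEntry(0x12345, ttl=200)]) + b"IP..."
    print(pkt.hex(), decode_stack(pkt))
    print(penultimate_hop_pop(pkt).hex())
```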
Label Switched Path
Customer (C) · IP-only routers internal to customer network
Provider Edge (PE) · LSRs on the MPLS-IP boundary
Provider (P) · MPLS-only LSRs in provider network
Customer Edge (CE) · C routers which face PE routers
Label Protocols
LDP · Hello Port: UDP/646 · Hello Address: 224.0.0.2 · Adjacency Port: TCP/646 · Proprietary: No
TDP · Hello Port: UDP/711 · Hello Address: 255.255.255.255 · Adjacency Port: TCP/711 · Proprietary: Cisco
Label Switched Path (figure): C and CE routers in each Customer Network, PE and P routers in the Provider Network, with the LSP running between the PE routers
Conceptual Components
Forwarding/Data Plane: Forwards packets based on label or destination IP address (includes the FIB and LFIB)
Control Plane: Facilitates label exchange between neighboring LSRs using LDP or TDP (includes the LIB)
Label Switching Router (LSR): Any router performing label switching (MPLS)
Label Information Base (LIB): Contains all labels learned by an LSR via a label distribution protocol
Forwarding Information Base (FIB): Routing database for unlabeled (IP) packets
Label FIB (LFIB): Routing database for labeled (MPLS) packets
Penultimate Hop Popping (PHP): The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup
debug mpls […]