COMMON PORTS packetlife.net
TCP/UDP Port Numbers
7 Echo
19 Chargen
20-21 FTP
22 SSH/SCP
23 Telnet
25 SMTP
42 WINS Replication
43 WHOIS
49 TACACS
53 DNS
67-68 DHCP/BOOTP
69 TFTP
70 Gopher
79 Finger
80 HTTP
88 Kerberos
102 MS Exchange
110 POP3
113 Ident
119 NNTP (Usenet)
123 NTP
135 Microsoft RPC
137-139 NetBIOS
143 IMAP4
161-162 SNMP
177 XDMCP
179 BGP
201 AppleTalk
264 BGMP
318 TSP
381-383 HP Openview
389 LDAP
411-412 Direct Connect
443 HTTP over SSL
445 Microsoft DS
464 Kerberos
465 SMTP over SSL
497 Retrospect
500 ISAKMP
512 rexec
513 rlogin
514 syslog
515 LPD/LPR
520 RIP
521 RIPng (IPv6)
540 UUCP
546-547 DHCPv6
554 RTSP
560 rmonitor
563 NNTP over SSL
587 SMTP
591 FileMaker
593 Microsoft DCOM
631 Internet Printing
636 LDAP over SSL
639 MSDP (PIM)
646 LDP (MPLS)
691 MS Exchange
860 iSCSI
873 rsync
902 VMware Server
989-990 FTP over SSL
993 IMAP4 over SSL
995 POP3 over SSL
1025 Microsoft RPC
1026-1029 Windows Messenger
1080 SOCKS Proxy
1080 MyDoom
1194 OpenVPN
1214 Kazaa
1241 Nessus
1311 Dell OpenManage
1337 WASTE
1433-1434 Microsoft SQL
1512 WINS
1589 Cisco VQP
1701 L2TP
1723 MS PPTP
1725 Steam
1741 CiscoWorks 2000
1755 MS Media Server
1812-1813 RADIUS
1863 MSN
1985 Cisco HSRP
2000 Cisco SCCP
2002 Cisco ACS
2049 NFS
2082-2083 cPanel
2100 Oracle XDB
2222 DirectAdmin
2302 Halo
2483-2484 Oracle DB
2745 Bagle.H
2967 Symantec AV
3050 Interbase DB
3074 XBOX Live
3124 HTTP Proxy
3127 MyDoom
3128 HTTP Proxy
3222 GLBP
3260 iSCSI Target
3306 MySQL
3389 Terminal Server
3689 iTunes
3690 Subversion
3724 World of Warcraft
3784-3785 Ventrilo
4333 mSQL
4444 Blaster
4664 Google Desktop
4672 eMule
4899 Radmin
5000 UPnP
5001 Slingbox
5001 iperf
5004-5005 RTP
5050 Yahoo! Messenger
5060 SIP
5190 AIM/ICQ
5222-5223 XMPP/Jabber
5432 PostgreSQL
5500 VNC Server
5554 Sasser
5631-5632 pcAnywhere
5800 VNC over HTTP
5900+ VNC Server
6000-6001 X11
6112 Battle.net
6129 DameWare
6257 WinMX
6346-6347 Gnutella
6500 GameSpy Arcade
6566 SANE
6588 AnalogX
6665-6669 IRC
6679/6697 IRC over SSL
6699 Napster
6881-6999 BitTorrent
6891-6901 Windows Live
6970 Quicktime
7212 GhostSurf
7648-7649 CU-SeeMe
8000 Internet Radio
8080 HTTP Proxy
8086-8087 Kaspersky AV
8118 Privoxy
8200 VMware Server
8500 Adobe ColdFusion
8767 TeamSpeak
8866 Bagle.B
9100 HP JetDirect
9101-9103 Bacula
9119 MXit
9800 WebDAV
9898 Dabber
9988 Rbot/Spybot
9999 Urchin
10000 Webmin
10000 BackupExec
10113-10116 NetIQ
11371 OpenPGP
12035-12036 Second Life
12345 NetBus
13720-13721 NetBackup
14567 Battlefield
15118 Dipnet/Oddbob
19226 AdminSecure
19638 Ensim
20000 Usermin
24800 Synergy
25999 Xfire
27015 Half-Life
27374 Sub7
28960 Call of Duty
31337 Back Orifice
33434+ traceroute
Legend (colour coding in the original sheet): Chat, Encrypted, Gaming, Malicious, Peer to Peer, Streaming
IANA port assignments published at http://www.iana.org/assignments/port-numbers
by Jeremy Stretch v1.1
SUBNETTING packetlife.net
Subnet Chart
CIDR Subnet Mask Addresses Wildcard
/32 255.255.255.255 1 0.0.0.0
/31 255.255.255.254 2 0.0.0.1
/30 255.255.255.252 4 0.0.0.3
/29 255.255.255.248 8 0.0.0.7
/28 255.255.255.240 16 0.0.0.15
/27 255.255.255.224 32 0.0.0.31
/26 255.255.255.192 64 0.0.0.63
/25 255.255.255.128 128 0.0.0.127
/24 255.255.255.0 256 0.0.0.255
/23 255.255.254.0 512 0.0.1.255
/22 255.255.252.0 1,024 0.0.3.255
/21 255.255.248.0 2,048 0.0.7.255
/20 255.255.240.0 4,096 0.0.15.255
/19 255.255.224.0 8,192 0.0.31.255
/18 255.255.192.0 16,384 0.0.63.255
/17 255.255.128.0 32,768 0.0.127.255
/16 255.255.0.0 65,536 0.0.255.255
/15 255.254.0.0 131,072 0.1.255.255
/14 255.252.0.0 262,144 0.3.255.255
/13 255.248.0.0 524,288 0.7.255.255
/12 255.240.0.0 1,048,576 0.15.255.255
/11 255.224.0.0 2,097,152 0.31.255.255
/10 255.192.0.0 4,194,304 0.63.255.255
/9 255.128.0.0 8,388,608 0.127.255.255
/8 255.0.0.0 16,777,216 0.255.255.255
/7 254.0.0.0 33,554,432 1.255.255.255
/6 252.0.0.0 67,108,864 3.255.255.255
/5 248.0.0.0 134,217,728 7.255.255.255
/4 240.0.0.0 268,435,456 15.255.255.255
/3 224.0.0.0 536,870,912 31.255.255.255
/2 192.0.0.0 1,073,741,824 63.255.255.255
/1 128.0.0.0 2,147,483,648 127.255.255.255
/0 0.0.0.0 4,294,967,296 255.255.255.255
Decimal to Binary
Subnet Mask
255 1111 1111
254 1111 1110
252 1111 1100
248 1111 1000
240 1111 0000
224 1110 0000
192 1100 0000
128 1000 0000
0 0000 0000
Wildcard
0 0000 0000
1 0000 0001
3 0000 0011
7 0000 0111
15 0000 1111
31 0001 1111
63 0011 1111
127 0111 1111
255 1111 1111
(Diagram: Subnet Proportion)
Classful Ranges
A 0.0.0.0 - 127.255.255.255
B 128.0.0.0 - 191.255.255.255
C 192.0.0.0 - 223.255.255.255
D 224.0.0.0 - 239.255.255.255
E 240.0.0.0 - 255.255.255.255
Reserved Ranges
RFC1918 10.0.0.0 - 10.255.255.255
Localhost 127.0.0.0 - 127.255.255.255
RFC1918 172.16.0.0 - 172.31.255.255
RFC1918 192.168.0.0 - 192.168.255.255
Determine Usable Hosts
Total Addresses
- Subnet ID
- Broadcast Address
Usable hosts
256
- 1
- 1
254
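The chart and the usable-host arithmetic above, as an added worked example (not part of the original sheet): the mask is 32 - prefix ones shifted into place, the wildcard is its bitwise inverse, and the usable count subtracts the subnet ID and broadcast except for the two edge cases the chart lists, /31 (RFC 3021 point-to-point, both addresses usable) and /32 (a single host). The non-contiguous mask check in mask_to_prefix and the sample network 192.168.100.77/27 are this example's own.

```python
import ipaddress


def dotted_binary(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, e.g. 11111111.11111111.11110000.00000000."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def subnet_info(prefix_len: int) -> dict:
    """Mask, wildcard and address counts for an IPv4 prefix length (/0 to /32)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    wildcard = mask ^ 0xFFFFFFFF          # the wildcard is the bitwise inverse of the mask
    total = 1 << (32 - prefix_len)
    # Subnet ID and broadcast address are unusable in /30 and shorter prefixes.
    # /31 (RFC 3021 point-to-point) uses both addresses; /32 is a single host route.
    if prefix_len == 32:
        usable = 1
    elif prefix_len == 31:
        usable = 2
    else:
        usable = total - 2
    return {
        "cidr": f"/{prefix_len}",
        "mask": str(ipaddress.IPv4Address(mask)),
        "mask_binary": dotted_binary(mask),
        "wildcard": str(ipaddress.IPv4Address(wildcard)),
        "total": total,
        "usable": usable,
    }


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted mask back to a prefix length, rejecting non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    prefix = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def describe_network(cidr: str) -> dict:
    """Subnet ID and broadcast for any address written in CIDR form (host bits allowed)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    info = subnet_info(net.prefixlen)
    info["network"] = str(net.network_address)
    info["broadcast"] = str(net.broadcast_address)
    return info


if __name__ == "__main__":
    # Reproduces the Subnet Chart columns: CIDR, mask, addresses, wildcard, plus usable hosts.
    for p in range(32, -1, -1):
        i = subnet_info(p)
        print(f'{i["cidr"]:>4} {i["mask"]:>15} {i["total"]:>13,} {i["wildcard"]:>15} {i["usable"]:>13,}')
    print(describe_network("192.168.100.77/27"))
```

Running the block prints the chart; describe_network("192.168.100.77/27") reports subnet ID 192.168.100.64 and broadcast 192.168.100.95, which is the manual "Determine Usable Hosts" procedure applied to a real address.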
Terminology
CIDR · Classless interdomain routing was developed to
provide more granularity than legacy classful addressing;
masks expressed in the form /XX are in CIDR notation
VLSM · Variable length subnet masks are an arbitrary length
between 0 and 32 bits; CIDR relies on VLSMs to define routes
by Jeremy Stretch v1.0
SPANNING TREE · PART 1 packetlife.net
Spanning Tree Protocols
Protocol    Algorithm  Definition             Instances     Trunking
Legacy STP  Legacy ST  802.1D-1998            One           N/A
PVST        Legacy ST  Cisco                  Per VLAN      ISL
PVST+       Legacy ST  Cisco                  Per VLAN      802.1Q, ISL
RSTP        Rapid ST   802.1w, 802.1D-2004    One           N/A
RPVST+      Rapid ST   Cisco                  Per VLAN      802.1Q, ISL
MST         Rapid ST   802.1s, 802.1Q-2003    Configurable  802.1Q, ISL
(Diagram: Spanning Tree Instance Comparison)
BPDU Format
Field Bits
Protocol ID 16
Version 8
BPDU Type 8
Flags 8
Root ID 64
Root Path Cost 32
Bridge ID 64
Port ID 16
Message Age 16
Max Age 16
Hello Time 16
Forward Delay 16
Default Timers
Hello 2s
Forward Delay 15s
Max Age 20s
Spanning Tree Specifications
Open Standards
IEEE 802.1D-1998 · Deprecated legacy STP standard
IEEE 802.1w · Introduced Rapid STP (RSTP)
IEEE 802.1D-2004 · Replaced legacy STP with RSTP
IEEE 802.1s · Introduced Multiple Spanning Tree (MST)
IEEE 802.1Q-2003 · Added MST to 802.1Q
Cisco Proprietary Implementations
PVST · Per-VLAN implementation of legacy STP
PVST+ · Added 802.1Q trunking to PVST
RPVST+ · Per-VLAN implementation of RSTP
Link Costs
Bandwidth Cost
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
622 Mbps 6
1 Gbps 4
10 Gbps 2
Port States
Legacy ST Rapid ST
Disabled Discarding
Blocking Discarding
Listening Discarding
Learning Learning
Forwarding Forwarding
Spanning Tree Operation
1 Determine root bridge · The bridge advertising the lowest bridge ID becomes the root bridge
2 Select root port · Each bridge selects its primary port facing the root
3 Select designated ports · One designated port is selected per segment
4 Block ports with loops · All non-root and non-designated ports are blocked
Port Roles
Legacy ST Rapid ST
Root Root
Designated Designated
Blocking Alternate
Blocking Backup
by Jeremy Stretch v2.0
SPANNING TREE · PART 2 packetlife.net
PVST+ and RPVST+ Configuration
! Set STP type
spanning-tree mode {pvst | rapid-pvst}
! Bridge priority
spanning-tree vlan 1-4094 priority 32768
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
spanning-tree vlan 1-4094 forward-time 15
spanning-tree vlan 1-4094 max-age 20
! Enabling PortFast by default
spanning-tree portfast default
! PVST+ Enhancements
spanning-tree backbonefast
spanning-tree uplinkfast
! Interface attributes
interface FastEthernet0/1
 spanning-tree [vlan 1-4094] port-priority 128
 spanning-tree [vlan 1-4094] cost 19
 ! Manual link type specification
 spanning-tree link-type {point-to-point | shared}
 ! Enables PortFast under PVST+, or
 ! designates an edge port under RPVST+
 spanning-tree portfast
 ! Spanning tree protection
 spanning-tree guard {loop | root | none}
 ! Per-interface toggling
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
MST Configuration
! Set STP type
spanning-tree mode mst
! MST Configuration
spanning-tree mst configuration
 name MyTree
 revision 1
 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19
Bridge ID Format
Priority · 4-bit configurable priority (configurable from 0 to 61440
in increments of 4096)
System ID Extension · 12-bit value taken from VLAN number
MAC Address · 48-bit value to ensure uniqueness
Path Selection
1 Prefer the neighbor advertising the lowest root ID
2 Prefer the neighbor advertising the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID
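The BPDU Format table (Part 1), the Bridge ID Format and the four Path Selection steps above, as one added worked example that is not part of the original sheet: it packs and parses a 35-byte 802.1D configuration BPDU, splits each 64-bit bridge ID into the 4-bit priority, 12-bit system ID extension and MAC address, converts the 1/256-second timer fields to seconds, and compares two BPDUs as a bridge would (lowest root ID, then root path cost, then sender bridge ID, then port ID). The two switches, their MAC addresses and the sample BPDUs are constructed for the example. A BPDU arriving on an access port whose vector beats the current root is exactly what Root Guard and BPDU Guard exist to refuse.

```python
import struct

# Configuration BPDU (802.1D): 2+1+1+1+8+4+8+2+2+2+2+2 = 35 bytes, big-endian, no padding
BPDU = struct.Struct("!HBBBQIQHHHHH")
BPDU_TYPES = {0x00: "Configuration", 0x02: "RSTP/MST", 0x80: "TCN"}


def encode_bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Bridge ID = 4-bit priority | 12-bit system ID extension (VLAN) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan <= 4095:
        raise ValueError("system ID extension is a 12-bit VLAN number")
    mac_int = int(mac.replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def decode_bridge_id(bridge_id: int) -> dict:
    field = bridge_id >> 48                 # the 16-bit priority field
    mac = bridge_id & 0xFFFFFFFFFFFF
    return {
        "priority": field & 0xF000,         # high 4 bits, so always a multiple of 4096
        "sysid_ext": field & 0x0FFF,        # VLAN under PVST+/RPVST+, instance under MST
        "mac": ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8)),
    }


def build_config_bpdu(root_id, root_cost, bridge_id, port_id, *, hello=2.0,
                      max_age=20.0, fwd_delay=15.0, msg_age=0.0, flags=0) -> bytes:
    """Timers are carried in units of 1/256 second."""
    t = lambda seconds: int(round(seconds * 256))
    return BPDU.pack(0, 0, 0x00, flags, root_id, root_cost, bridge_id, port_id,
                     t(msg_age), t(max_age), t(hello), t(fwd_delay))


def parse_bpdu(data: bytes) -> dict:
    if len(data) < BPDU.size:
        raise ValueError(f"BPDU too short: {len(data)} bytes")
    (proto, version, btype, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = BPDU.unpack_from(data)
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("not a configuration or RSTP BPDU")
    return {
        "version": version,
        "type": BPDU_TYPES[btype],
        "topology_change": bool(flags & 0x01),
        "root": decode_bridge_id(root_id),
        "root_path_cost": root_cost,
        "bridge": decode_bridge_id(bridge_id),
        "port_id": port_id,
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
        # Priority vector compared by the four path-selection steps; lower wins.
        "vector": (root_id, root_cost, bridge_id, port_id),
    }


def superior(a: dict, b: dict) -> dict:
    """The BPDU a bridge prefers: lowest root ID, then cost, then sender bridge ID, then port ID."""
    return a if a["vector"] <= b["vector"] else b


# Constructed sample switches: SW1 at the default priority, SW2 after
# `spanning-tree vlan 1 priority 4096`. Each claims to be root before convergence.
SW1 = encode_bridge_id(32768, 1, "00:1a:2b:3c:4d:5e")
SW2 = encode_bridge_id(4096, 1, "00:aa:bb:cc:dd:ee")
BPDU_SW1 = build_config_bpdu(SW1, 0, SW1, 0x8001)
BPDU_SW2 = build_config_bpdu(SW2, 0, SW2, 0x8001)

if __name__ == "__main__":
    winner = superior(parse_bpdu(BPDU_SW1), parse_bpdu(BPDU_SW2))
    print("root bridge:", winner["root"])
```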
Optional PVST+ Enhancements
PortFast Enables immediate transition into the
forwarding state on edge ports
UplinkFast Enables access switches to maintain backup
paths to root
BackboneFast Enables immediate expiration of the Max Age
timer on an indirect link failure
Spanning Tree Protection
Root Guard Prevents a port from becoming the root port
BPDU Guard Error disables a port if a BPDU is received
Loop Guard Prevents a blocked port from transitioning to
listening after the Max Age timer has expired
BPDU Filter Blocks BPDUs on an interface; configured per interface it stops both sending and receiving, so the port runs no spanning tree and a loop through it goes undetected
RSTP Link Types
Point-to-Point Connects to exactly one other bridge (a full
duplex interface)
Shared Potentially connects to multiple bridges (a half
duplex interface)
Edge Connects to a single host; designated by
applying PortFast
Troubleshooting
show spanning-tree [summary | detail]
show spanning-tree root
show spanning-tree vlan <VLAN>
show spanning-tree interface <interface>
show spanning-tree mst [<instance>] [detail]
show spanning-tree mst configuration
show spanning-tree mst interface <interface>
by Jeremy Stretch v2.0
VLANS packetlife.net
Trunk Encapsulation (diagram: Ethernet Header)
VLAN Creation
Switch(config)# vlan 100
Switch(config-vlan)# name Engineering
Access Port Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport access vlan 100
Switch(config-if)# switchport voice vlan 150
Trunk Port Configuration
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk allowed vlan 10,100-200
Switch(config-if)# switchport trunk native vlan 10
SVI Configuration
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
VLAN Trunking Protocol
Domain · Common to all switches participating in VTP
Server Mode · Generates and propagates VTP advertisements to
clients; this mode is default on unconfigured switches
Client Mode · Receives and forwards advertisements from servers;
VLANs cannot be manually configured on switches in client mode
Transparent Mode · Forwards advertisements but does not
participate in VTP; VLANs must be configured manually
Pruning · VLANs not having any access ports on an end switch are
removed from the trunk to reduce flooded traffic
VTP Configuration
Switch(config)# vtp mode server
Switch(config)# vtp domain LASVEGAS
Switch(config)# vtp password Presl3y
Switch(config)# vtp version 2
Switch(config)# vtp pruning
Trunk Types
802.1Q ISL
Header Size 4 bytes 26 bytes
Trailer Size N/A 4 bytes
Standard IEEE Cisco
Maximum VLANs 4094 1000
Command dot1q isl
VLAN Numbers
0 Reserved
1 default
1002 fddi-default
1003 tr
1004 fdnet
1005 trnet
1006-4094 Extended
4095 Reserved
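The 4-byte 802.1Q header, the native VLAN rule and the reserved VLAN numbers above, as an added worked example that is not part of the original sheet: it walks every tag after the MAC addresses, extracts the 3-bit 802.1p priority (CoS), drop-eligible bit and 12-bit VLAN ID, treats an untagged frame or a VID-0 priority tag as belonging to the native VLAN, and flags a frame carrying more than one tag. A stacked pair whose outer tag is the trunk's native VLAN is how a double-tagging VLAN-hopping frame looks on the wire, which is why the Native VLAN and DTP entries under Terminology carry a warning. The sample frames, MAC addresses and the access-port check are constructed for this example; real switch behaviour on tagged frames at access ports varies by platform.

```python
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad S-tag", 0x9100: "legacy Q-in-Q"}


def parse_tagged_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Walk every 802.1Q tag after the MAC addresses and report what a switch would see."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside an EtherType field")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        tags.append({
            "tpid": etype,
            "cos": tci >> 13,              # 3-bit 802.1p priority (Class of Service)
            "dei": (tci >> 12) & 1,        # drop eligible indicator (CFI in the original 802.1Q)
            "vid": vid,
            "reserved": vid in (0, 4095),  # 0 = priority-only tag, 4095 = reserved
        })
        offset += 4
    # An untagged frame, or one tagged with VID 0, belongs to the port's native VLAN.
    vlan = native_vlan if not tags or tags[0]["vid"] == 0 else tags[0]["vid"]
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tags": tags, "vlan": vlan, "ethertype": etype,
        "payload": frame[offset + 2:],
        "header_bytes": offset + 2,        # 14 plus 4 per tag
        "double_tagged": len(tags) > 1,
    }


def access_port_check(frame: bytes, access_vlan: int) -> list:
    """Simplified findings an access port should raise for a received frame."""
    f = parse_tagged_frame(frame, native_vlan=access_vlan)
    findings = []
    if f["tags"] and f["tags"][0]["vid"] not in (0, access_vlan):
        findings.append(f"tagged for VLAN {f['tags'][0]['vid']} on an access port")
    if f["double_tagged"]:
        findings.append("stacked 802.1Q tags (double tagging)")
    return findings


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def tag(vid: int, cos: int = 0, dei: int = 0, tpid: int = 0x8100) -> bytes:
    return struct.pack("!HH", tpid, (cos << 13) | (dei << 12) | vid)


# Constructed sample frames (not captures): broadcast ARP, voice-marked IPv4, double-tagged ARP.
BCAST, HOST = mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:55")
UNTAGGED = BCAST + HOST + struct.pack("!H", 0x0806) + b"\x00\x01\x08\x00"
TAGGED = BCAST + HOST + tag(100, cos=5) + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14"
DOUBLE = BCAST + HOST + tag(10) + tag(100) + struct.pack("!H", 0x0806) + b"\x00\x01\x08\x00"

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("double", DOUBLE)):
        print(name, parse_tagged_frame(frame, native_vlan=10)["vlan"], access_port_check(frame, 10))
```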
Terminology
Trunking · Extending multiple VLANs over the
same physical connection
Native VLAN · By default, frames in this VLAN are
untagged when sent across a trunk
Access VLAN · The VLAN to which an access port is
assigned
Voice VLAN · If configured, enables minimal
trunking to support voice traffic in addition to data
traffic on an access port
Dynamic Trunking Protocol (DTP) · Can be used
to automatically establish trunks between capable
ports; carries a security risk, since a host speaking
DTP can negotiate a trunk to itself and reach every
allowed VLAN (disable it with switchport nonegotiate)
Switched Virtual Interface (SVI) · A virtual
interface which provides a routed gateway into and
out of a VLAN
Switch Port Modes
trunk · Forms an unconditional trunk
dynamic desirable · Actively attempts to negotiate
a trunk with the distant end
dynamic auto · Will form a trunk only if requested
by the distant end
access · Will never form a trunk
Troubleshooting
show vlan
show interface status
show interface switchport
show interface trunk
show vtp status
show vtp password
by Jeremy Stretch v1.2
FIRST HOP REDUNDANCY packetlife.net
First Hop Redundancy Protocols
Hot Standby Router Protocol
Provides default gateway redundancy using one
active and one standby router; standardized but
licensed by Cisco
Virtual Router Redundancy Protocol
An open-standard alternative to Cisco's HSRP,
providing the same functionality
Gateway Load Balancing Protocol
Supports arbitrary load balancing in addition to
redundancy across gateways; Cisco proprietary
Protocols Comparison
HSRP VRRP GLBP
Standard RFC 2281 RFC 3768 Cisco
Load Balancing No No Yes
IPv6 Support Yes No Yes
Transport UDP 1985 IP 112 UDP 3222
Default Priority 100 100 100
Default Hello 3s 1s 3s
Multicast Group 224.0.0.2 224.0.0.18 224.0.0.102
(Diagrams: HSRP Operation, VRRP Operation, GLBP Operation)
HSRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
standby version {1 | 2}
standby 1 ip 10.0.1.1
standby 1 timers <hello> <dead>
standby 1 priority <priority>
standby 1 preempt
standby 1 authentication md5 key-string <password>
standby 1 track <interface> <value>
standby 1 track <object> decrement <value>
VRRP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
vrrp 1 timers {advertise <hello> | learn}
vrrp 1 priority <priority>
vrrp 1 preempt
vrrp 1 authentication md5 key-string <password>
vrrp 1 track <object> decrement <value>
GLBP Configuration
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
glbp 1 ip 10.0.1.1
glbp 1 timers <hello> <dead>
glbp 1 timers redirect <redirect> <time-out>
glbp 1 priority <priority>
glbp 1 preempt
glbp 1 forwarder preempt
glbp 1 authentication md5 key-string <password>
glbp 1 load-balancing <method>
glbp 1 weighting <weight> lower <lower> upper <upper>
glbp 1 weighting track <object> decrement <value>
HSRP/GLBP Interface States
Speak · Gateway election in progress
Active · Active router/VG
Standby · Backup router/VG
Listen · Not the active router/VG
VRRP Interface States
Master · Acting as the virtual router
Backup · All non-master routers
GLBP Roles
Active Virtual Gateway (AVG) · Answers for the virtual
router and assigns virtual MAC addresses to group members
Active Virtual Forwarder (AVF) · All routers which forward
traffic for the group (may include the AVG)
GLBP Load Balancing
Round-Robin (default) · The AVG answers host ARP requests
for the virtual router with the next router in the cycle
Host-Dependent · Round-robin cycling while maintaining a
consistent AVF for each host
Weighted · GLBP weight determines the proportionate share
of hosts handled by each AVF
Troubleshooting
show standby [brief]
show vrrp [brief]
show glbp [brief]
show track [brief]
by Jeremy Stretch v1.0
FRAME MODE MPLS packetlife.net
Protocol Header
Label (20 bits) · Unique label value
Experimental/QoS (3 bits) · CoS-mapped QoS marking
Bottom of Stack (1 bit) · Indicates label is last in the stack
Time To Live (8 bits) · Hop counter mapped from IP TTL
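The 32-bit label stack entry above (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL), as an added worked example that is not part of the original sheet: it parses a stack down to the bottom-of-stack entry, flags the reserved label values 0-3, and performs one LSR hop against a toy LFIB, swapping or popping the top label and decrementing the TTL, with the pop case standing in for penultimate hop popping. The two-label packet, the minimal IPv4 payload and the LFIB contents are constructed for the example; a real LSR would also copy the TTL into the IP header when the last label is popped.

```python
import struct

RESERVED_LABELS = {
    0: "IPv4 Explicit NULL",
    1: "Router Alert",
    2: "IPv6 Explicit NULL",
    3: "Implicit NULL (signalled by LDP, never on the wire)",
}


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 64) -> bytes:
    if not 0 <= label < 1 << 20:
        raise ValueError("label is a 20-bit field")
    if not 0 <= exp < 8:
        raise ValueError("EXP is a 3-bit field")
    if not 0 <= ttl < 256:
        raise ValueError("TTL is an 8-bit field")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_label_stack(data: bytes):
    """Return (entries, payload); the stack ends at the first entry with the S bit set."""
    entries, offset = [], 0
    while True:
        if len(data) < offset + 4:
            raise ValueError("label stack runs past the end of the packet")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 1),
            "ttl": word & 0xFF,
        }
        entry["reserved"] = RESERVED_LABELS.get(entry["label"])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def label_switch(packet: bytes, lfib: dict) -> bytes:
    """One LSR hop: look up the top label in the LFIB, swap or pop it, decrement the TTL."""
    entries, payload = parse_label_stack(packet)
    top, rest = entries[0], entries[1:]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired, packet dropped")
    action = lfib.get(top["label"])
    if action is None:
        raise KeyError(f"no LFIB entry for label {top['label']}")
    new_ttl = top["ttl"] - 1
    if action[0] == "swap":
        out = [dict(top, label=action[1], ttl=new_ttl)] + rest
    elif action[0] == "pop":
        # Penultimate hop popping: the next LSR receives the inner stack (or plain IP).
        out = rest
        if out:
            out[0] = dict(out[0], ttl=new_ttl)   # carry the hop count down the stack
    else:
        raise ValueError(f"unknown LFIB action {action[0]}")
    return b"".join(encode_label(e["label"], e["exp"], e["bos"], e["ttl"]) for e in out) + payload


# Constructed sample: transport label 16 over a VPN label 100 carrying a minimal IPv4 header.
IP_PAYLOAD = bytes.fromhex("4500001400010000400100000a0000010a000002")
PKT = encode_label(16, exp=0, ttl=64) + encode_label(100, exp=5, bos=True, ttl=64) + IP_PAYLOAD

if __name__ == "__main__":
    print(parse_label_stack(PKT)[0])
    print(parse_label_stack(label_switch(PKT, {16: ("swap", 17)}))[0])
```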
Label Switched Path
Customer (C) · IP-only routers internal to customer network
Customer Edge (CE) · C routers which face PE routers
Provider Edge (PE) · LSRs which form the MPLS-IP boundary
Provider (P) · MPLS-only LSRs in provider network
MPLS Configuration
! ** Enable CEF **
ip cef
!
! ** Select label protocol **
mpls label protocol ldp
!
! ** Enable MPLS on IP interfaces **
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
mpls ip
! ** Raise MPLS MTU to accommodate a multilabel stack **
mpls mtu 1512
Conceptual Components
Control Plane · Facilitates label exchange between
neighboring LSRs using LDP or TDP (includes the
distribution protocol and LIB)
Forwarding/Data Plane · Forwards packets based on
label or destination IP address (includes the FIB and LFIB)
Label Protocols
LDP TDP
Hello Address 224.0.0.2 255.255.255.255
Hello Port UDP 646 UDP 711
Adjacency Port TCP 646 TCP 711
Proprietary No Cisco
Terminology
Label Distribution Protocol (LDP) · Standards based
label distribution protocol defined in RFC 3036
Tag Distribution Protocol (TDP) · Cisco's proprietary
predecessor to LDP
Label Switching Router (LSR) · Any router capable of
label switching
Label-Switched Path (LSP) · The unidirectional path
through one or more LSRs taken by a label switched
packet belonging to an FEC
Forwarding Equivalence Class (FEC) · A group of
packets which are forwarded in an identical manner
Label Information Base (LIB) · Contains all labels
known by an LSR via a label distribution protocol
Forwarding Information Base (FIB) · Routing
database for unlabeled (IP) packets
Label FIB (LFIB) · Routing database for labeled packets
Interim Packet Propagation · An LSR temporarily
performs IP routing while waiting to learn the necessary
MPLS labels
Penultimate Hop Popping (PHP) · The second-to-last
LSR in an LSP removes the MPLS label so the last LSR
only has to perform an IP lookup
Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail] (LIB)
show mpls forwarding-table [detail] (LFIB)
show ip cef [detail] (FIB)
debug mpls events
debug mpls ldp bindings
by Jeremy Stretch v1.0
IEEE 802.1X packetlife.net
(Diagrams: 802.1X Header, EAP Header, EAP Flow Chart)
Configuration
Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control
Interface Configuration
! Configure static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req <count>
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3
Terminology
Extensible Authentication Protocol (EAP) · A flexible
authentication framework defined in RFC 3748
EAP Over LANs (EAPOL) · The encapsulation used by 802.1X
to carry EAP across a layer two segment
Supplicant · The device on one end of a link that requests
authentication by the authenticator
Authenticator · The device that controls the status of a link;
typically a wired switch or wireless access point
Authentication Server · A backend server which
authenticates the credentials provided by supplicants (for
example, a RADIUS server)
Guest VLAN · Fallback VLAN for clients not 802.1X-capable
Restricted VLAN · Fallback VLAN for clients which fail
authentication
802.1X Packet Types
0 EAP Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert
Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Reauth Period 3600s
Server Timeout 30s
Supplicant Timeout 30s
Tx Period 30s
EAP Codes
1 Request
2 Response
3 Success
4 Failure
EAP Req/Resp Types
1 Identity
2 Notification
3 Nak
4 MD5 Challenge
5 One Time Password
6 Generic Token Card
254 Expanded Types
255 Experimental
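The 802.1X header, the EAP header, the packet types, EAP codes and request/response types listed above, as an added worked example that is not part of the original sheet: it builds and parses the EAPOL frames of an identity exchange (EAPOL-Start from the supplicant, EAP Request/Identity from the authenticator, Response/Identity carrying the user name, then Success), checks the EAPOL and EAP length fields against each other, and verifies that a response carries the identifier of the outstanding request. Header layouts are from IEEE 802.1X and RFC 3748; the MAC addresses, identifier values and the user name "alice" are constructed, and every frame is sent to the PAE group address for simplicity.

```python
import struct

ETHERTYPE_PAE = 0x888E
PAE_GROUP = bytes.fromhex("0180c2000003")          # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data] (RFC 3748)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(packet_type: int, body: bytes = b"", version: int = 2,
                src: bytes = b"\x00" * 6) -> bytes:
    """Ethernet header + EAPOL header: Version(1) Packet Type(1) Packet Body Length(2)."""
    return PAE_GROUP + src + struct.pack("!HBBH", ETHERTYPE_PAE, version, packet_type, len(body)) + body


def parse_eap(body: bytes) -> dict:
    if len(body) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack_from("!BBH", body)
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP length inconsistent with the EAPOL body")
    eap = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (1, 2):                                  # Request and Response carry a Type
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap["type"] = EAP_TYPES.get(body[4], f"Type {body[4]}")
        eap["data"] = body[5:length]
        if body[4] == 1 and code == 2:
            eap["identity"] = eap["data"].decode("utf-8", "replace")
    return eap


def parse_eapol(frame: bytes) -> dict:
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    etype, version, ptype, length = struct.unpack_from("!HBBH", frame, 12)
    if etype != ETHERTYPE_PAE:
        raise ValueError("not an EAPOL frame")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[18:18 + length]
    if len(body) != length:                             # trailing padding is fine, truncation is not
        raise ValueError("EAPOL length exceeds the frame")
    result = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
              "version": version, "packet_type": EAPOL_TYPES[ptype]}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def response_matches(request: dict, response: dict) -> bool:
    """A Response is only valid for the outstanding Request with the same Identifier."""
    return (request["eap"]["code"] == "Request" and response["eap"]["code"] == "Response"
            and request["eap"]["identifier"] == response["eap"]["identifier"])


# Constructed identity exchange between a supplicant and an authenticator.
SUPPLICANT, AUTHENTICATOR = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
START = build_eapol(1, src=SUPPLICANT)
REQ_IDENTITY = build_eapol(0, build_eap(1, 7, 1), src=AUTHENTICATOR)
RESP_IDENTITY = build_eapol(0, build_eap(2, 7, 1, b"alice"), src=SUPPLICANT)
SUCCESS = build_eapol(0, build_eap(3, 8), src=AUTHENTICATOR)

if __name__ == "__main__":
    for frame in (START, REQ_IDENTITY, RESP_IDENTITY, SUCCESS):
        print(parse_eapol(frame))
```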
Port-Control Options
force-authorized · Port will always remain in authorized state
(default setting)
force-unauthorized · Port will always remain in unauthorized
state, ignoring authentication attempts
auto · Port is authorized only in the presence of a successfully
authenticated supplicant
Troubleshooting
show dot1x [interface <interface>]
show dot1x statistics interface <interface>
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
by Jeremy Stretch v1.0
QUALITY OF SERVICE · PART 1 packetlife.net
Quality of Service Models
Best Effort · No QoS policies are implemented
Integrated Services (IntServ) · Resource Reservation Protocol (RSVP) is used to
reserve bandwidth per flow across all nodes in a path
Differentiated Services (DiffServ) · Packets are individually classified and marked;
policy decisions are made independently at each node in a path
Layer 2 QoS Markings
Medium Name Type
Ethernet Class of Service (CoS) 3-bit 802.1p field in 802.1Q header
Frame Relay Discard Eligibility (DE) 1-bit drop eligibility flag
ATM Cell Loss Priority (CLP) 1-bit drop eligibility flag
MPLS Experimental Field (EXP) 3-bit field compatible with 802.1p
IP QoS Markings
Precedence · The first three bits of the IP TOS field are evaluated; compatible with
Ethernet CoS and MPLS EXP values
DSCP · The first six bits of the IP TOS are evaluated to provide more granular
classification; backward-compatible with IP Precedence
(Diagram: QoS Flowchart)
Terminology
Per-Hop Behavior (PHB) · The individual QoS action performed at each DiffServ
node according to its configured policy
Trust Boundary · The perimeter beyond which QoS markings are not trusted
Tail Drop · Occurs when a packet is dropped because its queue is full
Policing · Creates an artificial ceiling on the amount of bandwidth that may be
consumed; traffic exceeding the cap can be remarked or dropped
Shaping · Similar to policing but buffers excess traffic for delayed transmission;
makes more efficient use of bandwidth but introduces a delay
TCP Synchronization · Flows adjust window sizes in sync, wasting bandwidth
Per-Hop Behaviors
Class Selector (CS) · Backward-
compatible with IP Precedence values
Assured Forwarding (AF) · Four classes
with variable drop preferences
Expedited Forwarding (EF) · Provides
priority queuing for delay-sensitive traffic
Congestion Avoidance
Random Early Detection (RED) ·
Packets are randomly dropped before a
queue is full to prevent tail drop;
mitigates TCP synchronization
Weighted RED (WRED) · RED with the
added capability of recognizing
prioritized traffic by its marking
IP Type of Service (TOS)
Precedence Values
Binary Application
7 111 Reserved
6 110 Routing
5 101 Voice
4 100 Streaming Video
3 011 Call Signaling
2 010 Transactional
1 001 Bulk Data
0 000 Best Effort
DSCP Values
DSCP Binary Prec. Name
56 111000 7 CS7 (Reserved)
48 110000 6 CS6 (Reserved)
46 101110 5 EF
32 100000 4 CS4
34 100010 4 AF41
36 100100 4 AF42
38 100110 4 AF43
24 011000 3 CS3
26 011010 3 AF31
28 011100 3 AF32
30 011110 3 AF33
16 010000 2 CS2
18 010010 2 AF21
20 010100 2 AF22
22 010110 2 AF23
8 001000 1 CS1
10 001010 1 AF11
12 001100 1 AF12
14 001110 1 AF13
0 000000 0 BE (CS0)
AFxy · class x (1-4, the three precedence bits) and drop precedence y (1 low to 3 high)
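The IP QoS Markings, Per-Hop Behaviors and DSCP table above, as one added worked example that is not part of the original sheet: it decodes a TOS byte into precedence, DSCP and the two ECN bits, names the codepoint the way class maps do (EF, CSx, AFxy, or the bare value when no standard PHB exists), and resolves names such as af21 or cs1 back to the numbers that `match dscp` and the `dscp` ACL option compare against. The AF naming rule (class from the top three bits, drop precedence from the next two, low bit zero) is RFC 2597; the sample TOS bytes are constructed.

```python
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def dscp_name(dscp: int) -> str:
    """Standard PHB name for a 6-bit codepoint: EF, CSx, AFxy, BE, or DSCPn if unnamed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:                                  # xxx000: class selector, compatible with precedence
        return "BE" if dscp == 0 else f"CS{cls}"
    drop = (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:   # xxxdd0: assured forwarding
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"


def dscp_value(name: str) -> int:
    """Codepoint for a name as written in `match dscp af21` or `permit ip any any dscp ef`."""
    table = {dscp_name(d): d for d in range(64)}
    table["DEFAULT"] = table["CS0"] = 0
    try:
        return table[name.upper()]
    except KeyError:
        raise ValueError(f"unknown DSCP name {name!r}") from None


def decode_tos(tos: int) -> dict:
    """Split the IP TOS byte: 3 precedence bits, 6 DSCP bits (overlapping), 2 ECN bits."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS is one byte")
    dscp = tos >> 2
    return {
        "tos": tos,
        "precedence": tos >> 5,                   # the first three bits; also the CoS/EXP mapping
        "dscp": dscp,
        "dscp_binary": f"{dscp:06b}",
        "phb": dscp_name(dscp),
        "ecn": ECN_NAMES[tos & 0x3],
    }


def dscp_table() -> list:
    """Rows of the DSCP Values table above, computed rather than typed."""
    return [(d, f"{d:06b}", d >> 3, dscp_name(d)) for d in range(64) if not dscp_name(d).startswith("DSCP")]


if __name__ == "__main__":
    # Constructed sample TOS bytes: voice (EF), video (AF41 with CE congestion mark), unmarked.
    for tos in (0xB8, 0x8B, 0x00):
        print(decode_tos(tos))
```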
by Jeremy Stretch v1.2
QUALITY OF SERVICE · PART 2 packetlife.net
Queuing Comparison Chart
FIFO PQ CQ WFQ CBWFQ LLQ
Default on interfaces >2 Mbps No No <=2 Mbps No No
Number of queues 1 4 Configured Dynamic Configured Configured
Configurable classes No Yes Yes No Yes Yes
Bandwidth allocation Automatic Automatic Configured Automatic Configured Configured
Provides for minimal delay No Yes No No No Yes
Modern implementation Yes No No No Yes Yes
First In First Out (FIFO)
» Packets are transmitted in the order
they are processed
» No prioritization is provided
» Default queuing method on high-
speed (>2 Mbps) interfaces
» Configurable with the tx-ring-limit
interface configuration command
Priority Queuing (PQ)
» Provides four static queues which
cannot be reconfigured
» Higher-priority queues are always
emptied before lower-priority queues
» Lower-priority queues are at risk of
bandwidth starvation
LLQ Configuration Example
! *** Class definitions ***
class-map match-all Voice
! Matches packets by DSCP value
match dscp ef
!
class-map match-all Call-Signaling
match dscp cs3
!
class-map match-any Critical-Apps
match dscp af21 af22
! Matches packets by access list
match access-group name Mgmt_LAN
!
class-map match-all Scavenger
match dscp cs1
!
! *** Policy creation ***
policy-map Foo
class Voice
! Priority queue policed to 33%
priority percent 33
class Call-Signaling
! Allocate 5% of bandwidth
bandwidth percent 5
class Critical-Apps
bandwidth percent 20
! Extend queue size to 96 packets
queue-limit 96
class Scavenger
! Police to 64 kbps
police cir 64000
conform-action transmit
exceed-action drop
class class-default
! Enable WFQ
fair-queue
! Enable WRED
random-detect
!
! *** Policy Application ***
interface Serial0
service-policy Foo
Troubleshooting
show policy-map
show interface
show queue <interface>
show mls qos
Custom Queuing (CQ)
» Rotates through queues using
Weighted Round Robin (WRR)
» A configurable number of bytes is
processed from each queue per turn
» Prevents queue starvation but does
not support delay-sensitive traffic
Weighted Fair Queuing (WFQ)
» Queues are dynamically created per
flow to ensure fair processing
» Statistically drops packets from
aggressive flows more often
» No support for delay-sensitive traffic
Class-Based WFQ (CBWFQ)
» Provides the benefits of WFQ with
administratively configured queues
» Each queue is allocated an amount or
percentage of bandwidth
» No support for delay-sensitive traffic
Low Latency Queuing (LLQ)
» CBWFQ with the addition of a policed
strict priority queue
» Highly configurable while still
supporting delay-sensitive traffic
by Jeremy Stretch v1.2
IP ACCESS LISTS packetlife.net
Standard IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]
Actions
permit Allow matched packets
deny Deny matched packets
remark Record a config comment
evaluate Evaluate a reflexive ACL
Extended IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
ACL Numbers
1-99, 1300-1999 IP standard
100-199, 2000-2699 IP extended
200-299 Protocol
300-399 DECnet
400-499 XNS
500-599 Extended XNS
600-699 Appletalk
700-799 Ethernet MAC
800-899 IPX standard
900-999 IPX extended
1000-1099 IPX SAP
1100-1199 MAC extended
1200-1299 IPX summary
TCP Options
ack Match ACK flag
fin Match FIN flag
psh Match PSH flag
rst Match RST flag
syn Match SYN flag
urg Match URG flag
established Match packets in a pre-established session (ACK or RST flag set)
Logging Options
log Log ACL entry matches
log-input Log matches with ingress interface and source MAC
Source/Destination Definitions
any Any address
host <address> A single address
<network> <mask> Any address matched by the wildcard mask
IP Options
dscp <DSCP> Match packets with the given DSCP value
fragments Check non-initial fragments
option <option> Match packets with the specified IP option
precedence <0-7> Match packets with the given precedence value
ttl <count> Match packets with the given Time To Live
TCP/UDP Port Definitions
eq <port> Equal to
neq <port> Not equal to
lt <port> Less than
gt <port> Greater than
range <port> <port> Matches a range of port numbers
Miscellaneous Options
reflect <name> Create a reflexive ACL
time-range <name> Enable rule only during the specified time range
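The extended ACL syntax and the source/destination, port and established definitions above, as one added worked example that is not part of the original sheet: it parses entries in the modern `[sequence] {permit|deny} <protocol> <source> [ports] <destination> [ports] [established] [log]` form, applies Cisco wildcard semantics (a 1 bit in the wildcard means "don't care", so a wildcard need not be a contiguous inverted mask), and walks an ordered list first-match-wins with the implicit deny at the end. The five-line ACL and the test packets are constructed; dscp, precedence, ttl, fragments, ICMP types and time ranges are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    seq: Optional[int]
    action: str
    protocol: str
    src: tuple
    src_port: Optional[tuple]
    dst: tuple
    dst_port: Optional[tuple]
    established: bool
    log: bool


def _address(tokens: list) -> tuple:
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))                         # <network> <wildcard>


def _port(tokens: list) -> Optional[tuple]:
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        return (op, int(tokens.pop(0)), int(tokens.pop(0)))
    return (op, int(tokens.pop(0)))


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE in the modern syntax shown on this sheet."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    has_ports = proto in ("tcp", "udp")
    src = _address(tokens)
    sport = _port(tokens) if has_ports else None
    dst = _address(tokens)
    dport = _port(tokens) if has_ports else None
    return Ace(seq, action, proto, src, sport, dst, dport, "established" in tokens, "log" in tokens)


def _port_ok(spec: Optional[tuple], port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    op, *args = spec
    return {"eq": port == args[0], "neq": port != args[0], "lt": port < args[0],
            "gt": port > args[0], "range": args[0] <= port <= args[-1]}[op]


def evaluate(acl: list, pkt: dict):
    """First matching entry wins; a packet matching nothing hits the implicit deny (None)."""
    for ace in acl:
        if ace.protocol not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace.src) or not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if not _port_ok(ace.src_port, pkt.get("sport")) or not _port_ok(ace.dst_port, pkt.get("dport")):
            continue
        if ace.established and not (pkt.get("ack") or pkt.get("rst")):   # ACK or RST flag set
            continue
        return ace.action, ace
    return "deny", None


# Constructed sample ACL (entries as typed under `ip access-list extended`).
ACL = [parse_ace(line) for line in (
    "10 permit tcp 10.0.0.0 0.0.0.255 host 10.0.1.5 eq 22",
    "20 permit tcp any any established",
    "30 permit udp any host 10.0.1.53 eq 53",
    "40 deny ip 10.0.0.0 0.255.255.255 any log",
    "50 permit ip any any",
)]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.1.5", "sport": 40000, "dport": 23}
    print(evaluate(ACL, pkt))
```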
Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}
Troubleshooting
show access-lists {<number> | <name>}
show ip access-lists {<number> | <name>}
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
by Jeremy Stretch v1.1
IPSEC packetlife.net
Protocols
Internet Security Association and Key Management Protocol
(ISAKMP) · A framework for the negotiation and management of
security associations between peers; traverses UDP port 500
Internet Key Exchange (IKE) · Responsible for key agreement using
public key cryptography
Encapsulating Security Payload (ESP) · Provides data encryption,
data integrity, and peer authentication; IP protocol 50
Authentication Header (AH) · Provides data integrity and peer
authentication, but not data encryption; IP protocol 51
IPsec Modes
Transport Mode · The ESP or AH header is inserted behind the IP
header; the IP header can be authenticated but not encrypted
Tunnel Mode · A new IP header is created in place of the original; this
allows for encryption of the entire original packet
Encryption Algorithms
Algorithm Type Key Strength
DES Symmetric 56-bit Weak
3DES Symmetric 168-bit Medium
AES Symmetric 128, 192, or 256-bit Strong
RSA Asymmetric 1024-bit minimum Strong
Hashing Algorithms
Algorithm Length Strength
MD5 128-bit Medium
SHA-1 160-bit Strong
The ratings reflect the sheet's date; DES, 3DES, MD5 and SHA-1 are now deprecated for IKE and IPsec, and 1024-bit RSA or DH group 2 is no longer considered sufficient. Prefer AES, SHA-2 (hash sha256) and 2048-bit or larger DH groups where the peer supports them.
IKE Phases
Phase 1 · A bidirectional ISAKMP SA is
established between peers to provide a secure
management channel; IKE is performed in main
mode or aggressive mode (aggressive mode is faster
but sends the identity in the clear and, with
pre-shared keys, a hash that can be guessed offline)
Phase 1.5 (optional) · Xauth can optionally be
implemented to enforce user authentication
Phase 2 · Two unidirectional IPsec SAs are
established for data transfer using separate
keys; IKE quick mode is used
Configuration
ISAKMP Policy
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 2
lifetime 3600
ISAKMP Pre-Shared Secret Key
crypto isakmp key 0 MySecretKey address 10.0.0.2
IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
IPsec Profile
crypto ipsec profile MyProfile
 set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
Terminology
Data Integrity · Secure hashing (HMAC) is used to ensure
data has not been altered in transit
Data Confidentiality · Encryption is used to ensure data
cannot be read by a third party that intercepts it
Data Origin Authentication · Peer authentication
Anti-replay · Sequence numbers are used to detect and
block duplicate packets
Hash-based Message Authentication Code (HMAC) · A
hash of the data and secret key used to provide message
authenticity
Diffie-Hellman · A method of establishing a shared secret
key over an insecure path using public and private keys
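The Data Integrity, Anti-replay and HMAC entries above, as one added worked example that is not part of the original sheet: an inbound SA that takes ESP-shaped packets (4-byte SPI, 4-byte sequence number, payload, truncated ICV as in RFC 4303), runs the cheap sequence-number check against a 64-packet sliding window first, verifies the HMAC in constant time, and only then advances the window, so a forged packet with a high sequence number cannot push valid traffic out of the window. Assumptions: HMAC-SHA-256 truncated to 96 bits stands in for the transform set's esp-sha-hmac, the key is a fixed demo string rather than IKE phase 2 output, and the payload is left unencrypted to keep the integrity and replay logic visible.

```python
import hashlib
import hmac
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, Sequence Number (RFC 4303)
ICV_LEN = 12                        # 96-bit truncated HMAC, as esp-sha-hmac carries
WINDOW = 64                         # minimum anti-replay window size RFC 4303 recommends


def icv(key: bytes, authenticated: bytes) -> bytes:
    # Assumption for this example: HMAC-SHA-256 truncated to 96 bits over header + payload.
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    body = ESP_HEADER.pack(spi, seq) + payload
    return body + icv(key, body)


class InboundSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit n set: sequence number (highest - n) already accepted

    def _replay_check(self, seq: int):
        """Return a rejection reason, or None if the sequence number may proceed to the ICV check."""
        if seq == 0:
            return "sequence number 0 is never sent"
        if seq > self.highest:
            return None                         # to the right of the window: new
        behind = self.highest - seq
        if behind >= WINDOW:
            return "older than the window"
        if self.bitmap >> behind & 1:
            return "replayed"
        return None

    def _accept(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (True, payload) or (False, reason)."""
        if len(packet) < ESP_HEADER.size + ICV_LEN:
            return (False, "truncated")
        spi, seq = ESP_HEADER.unpack_from(packet)
        if spi != self.spi:
            return (False, "unknown SPI")
        reason = self._replay_check(seq)        # cheap check before any crypto (RFC 4303 3.4.3)
        if reason:
            return (False, reason)
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv(self.key, body), tag):
            return (False, "integrity check failed")
        self._accept(seq)                       # the window moves only after the ICV verifies
        return (True, body[ESP_HEADER.size:])


# Constructed demo key and SPI; a real SA gets both from IKE.
KEY = b"constructed-demo-key-not-for-use"
SPI = 0x1000


def packet(seq: int, data: bytes = b"hello") -> bytes:
    return build_esp(SPI, seq, data, KEY)


if __name__ == "__main__":
    sa = InboundSA(SPI, KEY)
    for seq in (1, 3, 2, 2, 100, 36):
        print(seq, sa.receive(packet(seq)))
```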
Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto isakmp
debug crypto ipsec
by Jeremy Stretch v1.1
TCPDUMP packetlife.net
Command Line Options
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers in the capture dump
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don't verify IP, TCP, or UDP checksums
-L List data link types for the interface
-n Don't convert addresses to names
-p Don't capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don't print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
-Z <user> Drop privileges from root to user
Capture Filter Primitives
[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
gateway host <host> Matches packets which used host as a gateway
[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range
less <length> Matches packets less than or equal to length
greater <length> Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression
Protocols
arp ether fddi icmp ip ip6 link ppp radio rarp slip tcp tr udp wlan
TCP Flags
tcp-urg tcp-ack tcp-push tcp-rst tcp-syn tcp-fin
Modifiers
! or not
&& or and
|| or or
Examples
udp dst port not 53 All UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2 All packets between these hosts
tcp dst port 80 or 8080 All packets to either TCP port
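The three example expressions above, evaluated by a small model of libpcap's filter grammar. This is an added example and not part of the packetlife cheat sheet; Packet, SAMPLE, Parser and matching are names chosen for it, and the six packet records are constructed rather than taken from a real capture. It shows the qualifier defaults the primitives table describes (host with no direction matches either end, port with no protocol matches TCP or UDP), the carry-over that lets "tcp dst port 80 or 8080" reuse its qualifiers on the bare 8080, the inclusive less/greater comparisons, and one caveat that matters when such a filter feeds a capture or detection pipeline: libpcap parses a `not` written before the value as negating the whole primitive, so "udp dst port not 53" also admits non-UDP traffic, while "udp and not dst port 53" keeps only UDP.

```python
"""Evaluate a subset of tcpdump capture-filter syntax against constructed packets.
Added example, not from the packetlife sheet; Packet, SAMPLE, Parser and matching
are names chosen here, and the packet records are constructed, not captured."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport length")  # proto: tcp/udp/icmp
PROTO_SETS = {"tcp": {"tcp"}, "udp": {"udp"}, "icmp": {"icmp"},
              "ip": {"tcp", "udp", "icmp"}}
TOKEN = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z][A-Za-z0-9.-]*|\d+(?:\.\d+)*")
SYMBOLS = {"&&": "and", "||": "or", "!": "not"}   # symbol forms from the sheet


def build(pqual, dqual, aqual, value):
    """Match function for one primitive, from its qualifiers and its value."""
    if aqual in ("less", "greater"):     # len <= N / len >= N, as on the sheet
        n = int(value)
        return lambda p: p.length <= n if aqual == "less" else p.length >= n
    if aqual == "host":
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[dqual]
        protos = PROTO_SETS[pqual] if pqual else {"tcp", "udp", "icmp"}
        return lambda p: p.proto in protos and any(getattr(p, f) == value for f in fields)
    if aqual == "port":                  # no protocol qualifier means tcp or udp
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[dqual]
        protos, n = PROTO_SETS[pqual] if pqual else {"tcp", "udp"}, int(value)
        return lambda p: p.proto in protos and any(getattr(p, f) == n for f in fields)
    raise ValueError("unsupported primitive %r %r %r" % (pqual, dqual, aqual))


class Parser:                            # precedence not > and > or, as in pcap-filter(7)
    def __init__(self, expr):
        self.toks = [SYMBOLS.get(t, t) for t in TOKEN.findall(expr)] + [None]
        self.pos, self.last = 0, None    # last: qualifiers of the previous primitive
    def peek(self):
        return self.toks[self.pos]
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def chain(self, sub, op, comb):      # left-associative run of one operator
        fn = sub()
        while self.peek() == op:
            self.take()
            fn = (lambda l, r: lambda p: comb(l(p), r(p)))(fn, sub())
        return fn
    def expr(self):
        return self.chain(self.term, "or", lambda a, b: a or b)
    def term(self):
        return self.chain(self.factor, "and", lambda a, b: a and b)
    def factor(self):                    # prefix not, parentheses, or a primitive
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        return self.primitive()
    def primitive(self):                 # [proto] [src|dst] type [not] value
        pqual = dqual = aqual = None
        if self.peek() in PROTO_SETS:
            pqual = self.take()
        if self.peek() in ("src", "dst"):
            dqual = self.take()
        if self.peek() in ("host", "port", "less", "greater"):
            aqual = self.take()
        elif pqual and not dqual:        # bare protocol keyword such as "tcp"
            return lambda p, protos=PROTO_SETS[pqual]: p.proto in protos
        elif self.last and not pqual and not dqual:
            pqual, dqual, aqual = self.last   # bare value: "... port 80 or 8080"
        else:
            raise ValueError("bad primitive at %r" % self.peek())
        negate = self.peek() == "not"
        if negate:
            self.take()
        value = self.take()
        if value in (None, "and", "or", "not", "(", ")"):
            raise ValueError("expected a value, got %r" % value)
        self.last = (pqual, dqual, aqual)
        fn = build(pqual, dqual, aqual, value)
        # libpcap applies a 'not' written before the value to the whole primitive,
        # so "udp dst port not 53" is "not (udp dst port 53)" and admits TCP too.
        return (lambda p: not fn(p)) if negate else fn


def matching(expr, packets):
    """Indexes of the packets that the filter expression selects."""
    parser = Parser(expr)
    fn = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens: %r" % parser.toks[parser.pos:-1])
    return [i for i, p in enumerate(packets) if fn(p)]


SAMPLE = [  # constructed sample traffic, not taken from any real capture
    Packet("udp", "10.0.0.1", "10.0.0.53", 51000, 53, 78),    # 0 DNS query
    Packet("udp", "10.0.0.1", "10.0.0.9", 51001, 123, 90),    # 1 NTP
    Packet("tcp", "10.0.0.2", "10.0.0.1", 44000, 80, 74),     # 2 HTTP
    Packet("tcp", "10.0.0.1", "10.0.0.2", 44001, 8080, 60),   # 3 HTTP on 8080
    Packet("tcp", "10.0.0.7", "10.0.0.5", 44002, 443, 1514),  # 4 HTTPS, full-size frame
    Packet("icmp", "10.0.0.3", "10.0.0.1", 0, 0, 98),         # 5 ping
]
```

With SAMPLE loaded, matching("udp dst port not 53", SAMPLE) returns every index except 0, including the TCP and ICMP records, whereas matching("udp and not dst port 53", SAMPLE) returns only the NTP packet; matching("tcp dst port 80 or 8080", SAMPLE) returns the two HTTP packets. The model covers only the host, port, less, greater and protocol-keyword primitives with and/or/not and parentheses; ether, net, portrange, gateway, the 802.11/VLAN/MPLS keywords and the relop expression form from the table above are not modelled, and a real tcpdump run remains the authority on any expression.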
ICMP Types
icmp-echoreply icmp-unreach icmp-sourcequench icmp-redirect icmp-echo
icmp-routeradvert icmp-routersolicit icmp-timxceed icmp-paramprob icmp-tstamp
icmp-tstampreply icmp-ireq icmp-ireqreply icmp-maskreq icmp-maskreply
by Jeremy Stretch v1.0
WIRESHARK DISPLAY FILTERS · PART 1 packetlife.net
Ethernet
eth.addr eth.len eth.src
eth.dst eth.lg eth.trailer
eth.ig eth.multicast eth.type
IEEE 802.1Q
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer
IPv4
ip.addr ip.fragment.overlap.conflict
ip.checksum ip.fragment.toolongfragment
ip.checksum_bad ip.fragments
ip.checksum_good ip.hdr_len
ip.dsfield ip.host
ip.dsfield.ce ip.id
ip.dsfield.dscp ip.len
ip.dsfield.ect ip.proto
ip.dst ip.reassembled_in
ip.dst_host ip.src
ip.flags ip.src_host
ip.flags.df ip.tos
ip.flags.mf ip.tos.cost
ip.flags.rb ip.tos.delay
ip.frag_offset ip.tos.precedence
ip.fragment ip.tos.reliability
ip.fragment.error ip.tos.throughput
ip.fragment.multipletails ip.ttl
ip.fragment.overlap ip.version
IPv6
ipv6.addr ipv6.hop_opt
ipv6.class ipv6.host
ipv6.dst ipv6.mipv6_home_address
ipv6.dst_host ipv6.mipv6_length
ipv6.dst_opt ipv6.mipv6_type
ipv6.flow ipv6.nxt
ipv6.fragment ipv6.opt.pad1
ipv6.fragment.error ipv6.opt.padn
ipv6.fragment.more ipv6.plen
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr
ipv6.fragment.overlap ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
ipv6.fragments ipv6.src
ipv6.fragment.id ipv6.src_host
ipv6.hlim ipv6.version
ARP
arp.dst.hw_mac arp.proto.size
arp.dst.proto_ipv4 arp.proto.type
arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
arp.opcode
TCP
tcp.ack tcp.options.qs
tcp.checksum tcp.options.sack
tcp.checksum_bad tcp.options.sack_le
tcp.checksum_good tcp.options.sack_perm
tcp.continuation_to tcp.options.sack_re
tcp.dstport tcp.options.time_stamp
tcp.flags tcp.options.wscale
tcp.flags.ack tcp.options.wscale_val
tcp.flags.cwr tcp.pdu.last_frame
tcp.flags.ecn tcp.pdu.size
tcp.flags.fin tcp.pdu.time
tcp.flags.push tcp.port
tcp.flags.reset tcp.reassembled_in
tcp.flags.syn tcp.segment
tcp.flags.urg tcp.segment.error
tcp.hdr_len tcp.segment.multipletails
tcp.len tcp.segment.overlap
tcp.nxtseq tcp.segment.overlap.conflict
tcp.options tcp.segment.toolongfragment
tcp.options.cc tcp.segments
tcp.options.ccecho tcp.seq
tcp.options.ccnew tcp.srcport
tcp.options.echo tcp.time_delta
tcp.options.echo_reply tcp.time_relative
tcp.options.md5 tcp.urgent_pointer
tcp.options.mss tcp.window_size
tcp.options.mss_val
UDP
udp.checksum udp.dstport udp.srcport
udp.checksum_bad udp.length
udp.checksum_good udp.port
Operators
eq ==
ne !=
gt >
lt <
ge >=
le <=
Logic
and && Logical AND
or || Logical OR
xor ^^ Logical XOR
not ! Logical NOT
[n] [...] Substring operator
by Jeremy Stretch v1.0
WIRESHARK DISPLAY FILTERS · PART 2 packetlife.net
Frame Relay
fr.becn fr.de
fr.chdlctype fr.dlci
fr.control fr.dlcore_control
fr.control.f fr.ea
fr.control.ftype fr.fecn
fr.control.n_r fr.lower_dlci
fr.control.n_s fr.nlpid
fr.control.p fr.second_dlci
fr.control.s_ftype fr.snap.oui
fr.control.u_modifier_cmd fr.snap.pid
fr.control.u_modifier_resp fr.snaptype
fr.cr fr.third_dlci
fr.dc fr.upper_dlci
PPP
ppp.address ppp.direction
ppp.control ppp.protocol
MPLS
mpls.bottom mpls.oam.defect_location
mpls.cw.control mpls.oam.defect_type
mpls.cw.res mpls.oam.frequency
mpls.exp mpls.oam.function_type
mpls.label mpls.oam.ttsi
mpls.oam.bip16 mpls.ttl
ICMP
icmp.checksum icmp.ident icmp.seq
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw
DTP
dtp.neighbor dtp.tlv_type vtp.neighbor
dtp.tlv_len dtp.version
VTP
vtp.code vtp.vlan_info.802_10_index
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
vtp.followers vtp.vlan_info.len
vtp.md vtp.vlan_info.mtu_size
vtp.md5_digest vtp.vlan_info.status.vlan_susp
vtp.md_len vtp.vlan_info.tlv_len
vtp.seq_num vtp.vlan_info.tlv_type
vtp.start_value vtp.vlan_info.vlan_name
vtp.upd_id vtp.vlan_info.vlan_name_len
vtp.upd_ts vtp.vlan_info.vlan_type
vtp.version
ICMPv6
icmpv6.all_comp icmpv6.option.name_type
icmpv6.checksum icmpv6.option.name_type.fqdn
icmpv6.checksum_bad icmpv6.option.name_x501
icmpv6.code icmpv6.option.rsa.key_hash
icmpv6.comp icmpv6.option.type
icmpv6.haad.ha_addrs icmpv6.ra.cur_hop_limit
icmpv6.identifier icmpv6.ra.reachable_time
icmpv6.option icmpv6.ra.retrans_timer
icmpv6.option.cga icmpv6.ra.router_lifetime
icmpv6.option.cga.pad_length icmpv6.recursive_dns_serv
icmpv6.option.length icmpv6.type
RIP
rip.auth.passwd rip.ip rip.route_tag
rip.auth.type rip.metric rip.routing_domain
rip.command rip.netmask rip.version
rip.family rip.next_hop
BGP
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
bgp.as_path bgp.multi_exit_disc
bgp.cluster_identifier bgp.next_hop
bgp.cluster_list bgp.nlri_prefix
bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
bgp.local_pref bgp.type
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
HTTP
http.accept http.proxy_authorization
http.accept_encoding http.proxy_connect_host
http.accept_language http.proxy_connect_port
http.authbasic http.referer
http.authorization http.request
http.cache_control http.request.method
http.connection http.request.uri
http.content_encoding http.request.version
http.content_length http.response
http.content_type http.response.code
http.cookie http.server
http.date http.set_cookie
http.host http.transfer_encoding
http.last_modified http.user_agent
http.location http.www_authenticate
http.notification http.x_forwarded_for
http.proxy_authenticate
by Jeremy Stretch v1.0