Ethernet : 38 bytes
Ethernet + 802.1q : 42 bytes
IPv4 : 20 bytes
IPv6 : 40 bytes
TCP : 20 bytes
TCP timestamps option : +12 bytes
UDP : 8 bytes
MPLS label : 4 bytes
Tuesday 29 September 2009
Monday 28 September 2009
Priority Queueing
In priority queueing, packets are assigned to one of the 4 available queues (high, medium, normal, low) according to protocol type, ACL or ingress interface. The queues are served in strict priority order: whenever a packet has to be sent, the high queue is served first until it is empty, then medium, and so on; each queue only holds up to its configured limit in packets. This can lead to bandwidth starvation of the lower queues (if the high queue never empties, only the high queue is ever served).
Configuration
Assign the priority list to an interface
interface fa1/0
priority-group list-num
Assign packets to a queue
priority-list list-num protocol protocol-name {high|medium|normal|low} [list|tcp|udp list-or-port-num]
OR
priority-list list-num interface int-type int-num {high|medium|normal|low}
Configure queue lengths (in packets)
priority-list list-num queue-limit high-limit medium-limit normal-limit low-limit
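A complete priority queueing configuration, added here as an example (it is not part of the original post): control traffic goes to the high queue, HTTP to medium, traffic arriving from fa0/1 to normal and everything else to low. The ACL number, interface names and port choices are illustrative. Because the high queue is served strictly first, keep its ACL limited to bounded traffic such as routing and management protocols, otherwise the low queues starve.

```cisco
! Added example: strict priority queueing on FastEthernet1/0.
! ACL 101 selects telnet and OSPF for the high queue.
access-list 101 permit tcp any any eq telnet
access-list 101 permit ospf any any
!
priority-list 1 protocol ip high list 101
priority-list 1 protocol ip medium tcp www
priority-list 1 interface FastEthernet0/1 normal
! anything not matched above lands in the low queue
priority-list 1 default low
! queue depths in packets: high 20, medium 40, normal 60, low 80 (the IOS defaults)
priority-list 1 queue-limit 20 40 60 80
!
interface FastEthernet1/0
 priority-group 1
!
! Verification
show queueing priority
show interface FastEthernet1/0
```

show queueing priority lists the queue contents and drops per queue; a growing drop counter on the low queue while the high queue stays busy is the starvation symptom described above.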
Custom Queuing
Custom queueing shares the bandwidth across up to 16 user queues (queue 0 is reserved for system traffic such as keepalives); packets are assigned to a queue by protocol, ACL or ingress interface. The queues are served round-robin, and the share each queue receives is set by the byte count it may send per cycle; the limit sets the depth of the queue in packets.
Configuration :
Apply on the interface
interface fa0/1
custom-queue-list list-num
Define the queue depth (packets) and the byte count served per round
queue-list list-num queue queue-num limit packet-limit
queue-list list-num queue queue-num byte-count byte-limit
Assign packets to queues
queue-list list-num protocol protocol-name queue-num [list|tcp|udp keyword-value]
OR
queue-list list-num interface int-type int-num queue-num
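A complete custom queueing configuration, added here as an example (not part of the original post): roughly half of the bandwidth to FTP, a quarter to HTTP and a quarter to everything else. The ACL number and interface names are illustrative. Byte counts are sized as multiples of a 1500-byte MTU because byte-count is a threshold, not a hard cap: once a packet starts being sent from a queue it is sent whole, so counts smaller than the MTU distort the ratio.

```cisco
! Added example: custom queueing on FastEthernet0/1 with a 2:1:1 share.
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
!
queue-list 1 protocol ip 1 list 102
queue-list 1 protocol ip 2 tcp www
! unmatched traffic goes to queue 3
queue-list 1 default 3
! bytes served from each queue per round: 6000 / 3000 / 3000
queue-list 1 queue 1 byte-count 6000
queue-list 1 queue 2 byte-count 3000
queue-list 1 queue 3 byte-count 3000
! queue 1 may hold 40 packets instead of the default 20
queue-list 1 queue 1 limit 40
!
interface FastEthernet0/1
 custom-queue-list 1
!
! Verification
show queueing custom
show queueing interface FastEthernet0/1
```

Unlike priority queueing, no queue can starve another here: a queue that has nothing to send simply hands its turn to the next one, and its unused share is redistributed.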
Monday 21 September 2009
Integrated Routing & Bridging
IRB (Integrated Routing and Bridging) bridges between two router interfaces placed in the same bridge group, creates a virtual interface (BVI) for that group, and routes via this BVI between the bridged interfaces and the other router interfaces.
In this lab you want to bridge between 2 VLANs :
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.16
encapsulation dot1Q 16
bridge-group 1
!
interface Ethernet0/0.36
encapsulation dot1Q 36
bridge-group 1
You now need to enable a spanning tree protocol on the bridge group :
bridge 1 protocol ieee
It is now possible to ping between machines in VLAN 36 and VLAN 16 (same broadcast domain). Note that the two VLANs are now a single Layer 2 segment: any separation that relied on routing between them (ACLs, distinct subnets) no longer applies, so only bridge VLANs that are meant to trust each other.
Now, to route between VLAN 16/36 and the other router interfaces, you need to enable IRB globally and create a virtual interface with an IP address :
bridge irb
!
interface BVI1
ip address 136.1.136.6 255.255.255.0
!
bridge 1 route ip
From VLAN 16/36 you can now ping BVI1 and the networks behind it.
Saturday 19 September 2009
Policy Based Routing
The purpose is to define, for a given type of traffic, a forwarding path that differs from the one in the routing table.
For example, 2 routers are interconnected by 2 different links for backup purposes, but you want to send FTP traffic over the backup link so as not to overload the primary line.
1 Define the traffic to be matched (an ACL is enough: the route-map matches the ACL directly, no class-map is involved)
access-list 198 permit tcp any any eq ftp
Note that eq ftp only matches the control connection on TCP port 21: active-mode data connections (ftp-data, port 20) and passive-mode data connections on dynamic ports are not matched by this ACL.
2 Define the new next hop for the matched traffic
route-map PBR permit 10
match ip address 198
set ip next-hop X.X.X.X
3 Apply on the incoming interface
int fa0/0
ip policy route-map PBR
Remark : if you want the PBR rule to apply to traffic generated by the router itself, add the following global command
ip local policy route-map PBR
Verification : you can check the matched traffic with the show route-map command
route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 198
Set clauses:
ip next-hop 132.1.23.3
Policy routing matches: 35 packets, 3990 bytes
route-map PBR, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 20 packets, 1740 bytes
Friday 18 September 2009
Pim NBMA Mode
In the following example, a server is multicasting over an NBMA (Frame Relay hub-and-spoke) network. R1 has the only member of the group. PIM sparse mode is configured on the Ethernet and serial interfaces. R2 is the statically configured RP for all groups.

R1
ip multicast-routing
ip pim rp-address 150.1.2.2
interface Serial1/0
ip address 132.1.0.1 255.255.255.0
ip pim sparse-mode
interface fa0/0
ip address 132.1.17.7 255.255.255.0
ip pim sparse-mode
ip igmp join-group 228.28.28.28
R2
ip multicast-routing
ip pim rp-address 150.1.2.2
interface Serial1/0
ip address 132.1.0.2 255.255.255.0
ip pim sparse-mode
interface fa0/0
ip address 132.1.6.6 255.255.255.0
ip pim sparse-mode
int lo0
ip address 150.1.2.2 255.255.255.255
ip pim sparse-mode
R3
ip multicast-routing
ip pim rp-address 150.1.2.2
interface Serial1/0
ip address 132.1.0.3 255.255.255.0
ip pim sparse-mode
interface fa0/0
ip address 132.1.18.8 255.255.255.0
ip pim sparse-mode
The output of debug ip mpacket on R3 and R1 when a ping is sent from R2's Ethernet interface shows that the packet is received by both R1 and R3 :
Rack1R3#*Mar 1 02:26:59.307: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 id=298, ttl=
253, prot=1, len=104(100), mroute olist null
Rack1R1#*Mar 1 02:27:57.951: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 (FastEtherne
t0/0) id=298, ttl=253, prot=1, len=100(100), mforward
R2's mroute entry shows that the OIL contains s1/0, so the multicast packet is replicated on every DLCI attached to s1/0 :
(132.1.6.6, 228.28.28.28), 00:03:13/00:01:48, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 132.1.26.6
Outgoing interface list:
Serial1/0, Forward/Sparse, 00:03:13/00:03:22
To avoid this, enable PIM NBMA mode on R2's s1/0 interface (the command only applies to sparse-mode interfaces; it has no effect in dense mode) :
interface s1/0
ip pim nbma-mode
Now the output of debug ip mpacket on R3 and R1 when a ping is sent from R2's Ethernet interface shows that the packet is received only by R1, since R3 has no members :
Rack1R3#
Rack1R1#*Mar 1 02:27:57.951: IP(0): s=132.1.6.6 (Serial1/0) d=228.28.28.28 (FastEtherne
t0/0) id=298, ttl=253, prot=1, len=100(100), mforward
And R2's mroute entry now lists s1/0 together with the IP address of the PIM neighbour in the OIL, so the multicast packet is sent only to that neighbour :
(132.1.6.6, 228.28.28.28), 00:00:16/00:03:17, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 132.1.26.6
Outgoing interface list:
Serial1/0, 132.1.0.1, Forward/Sparse, 00:00:15/00:03:14
Remark : when debugging with debug ip mpacket, disable multicast fast switching (no ip mroute-cache) on every interface, otherwise only the first packet will be seen.

Friday 4 September 2009
Frame-Relay interface types
Physical interface
PVC establishment :
- LMI automatically applies all DLCIs to the interface, or
- frame-relay interface-dlci applies the specified DLCI to the interface
- Needs static mapping (frame-relay map), or
- Needs inverse ARP enabled on the DLCI
Point-to-point subinterface
PVC establishment :
- frame-relay interface-dlci applies the specified DLCI to the subinterface
- No mapping needed (everything for the subnet is sent through the point-to-point subinterface)
- Inverse ARP is not needed and is disabled by default
Multipoint subinterface
PVC establishment :
- frame-relay interface-dlci (or a frame-relay map with the DLCI) applies the specified DLCI to the subinterface; LMI-learned DLCIs stay on the physical interface
- Needs static mapping, or
- Needs inverse ARP enabled on the DLCI
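The three interface types side by side on one router, added here as an example (not part of the original post). DLCIs, addresses and interface names are illustrative; the broadcast keyword on the static maps is what lets routing protocol multicasts cross the PVC.

```cisco
! Added example: Frame Relay physical, point-to-point and multipoint interfaces.
!
! 1. Physical interface: LMI hands it every DLCI; with inverse ARP turned
!    off the remote address must be mapped statically.
interface Serial0/0
 encapsulation frame-relay
 ip address 10.0.0.1 255.255.255.0
 no frame-relay inverse-arp
 frame-relay map ip 10.0.0.2 102 broadcast
!
! 2. Point-to-point subinterface: one DLCI, no mapping, no inverse ARP;
!    everything for 10.0.1.0/24 leaves on DLCI 103.
interface Serial0/1
 encapsulation frame-relay
 no ip address
!
interface Serial0/1.103 point-to-point
 ip address 10.0.1.1 255.255.255.0
 frame-relay interface-dlci 103
!
! 3. Multipoint subinterface: several DLCIs in one subnet, each one
!    assigned and mapped explicitly.
interface Serial0/1.200 multipoint
 ip address 10.0.2.1 255.255.255.0
 frame-relay map ip 10.0.2.2 202 broadcast
 frame-relay map ip 10.0.2.3 203 broadcast
!
! Verification
show frame-relay pvc
show frame-relay map
```

show frame-relay map is the quickest check: a DLCI listed as dynamic was learned through inverse ARP, static means a frame-relay map entry, and a point-to-point subinterface shows the DLCI with no address at all.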
Dot1x
The purpose is to set up a minimal 802.1X (dot1x) authentication on Ethernet ports.
1 : Define the RADIUS server
ip radius source-interface Loopback0
!
radius-server host 25.2.2.1
radius-server key CISCO
2 : Globally enable dot1x
dot1x system-auth-control
3 : Define the AAA model for dot1x only
Don't forget aaa authentication login default none, otherwise aaa new-model will ask for a username/password on console and telnet logins. Be aware that none disables login authentication on every line: acceptable in a lab, but in production use local with a configured username (or a named method list applied to the lines) so that console and vty access stays authenticated, and replace the CISCO RADIUS key with a strong shared secret.
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
4 : Enable dot1x on the ports
interface FastEthernet1/4
switchport mode access
dot1x port-control auto
5 : Verification
show dot1x
show dot1x interface
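The same minimal dot1x setup, added here as an example (not part of the original post), but without leaving console and vty logins unauthenticated: lines authenticate against the local user database, supplicants against RADIUS, and a host that fails authentication is parked in an isolated VLAN instead of staying unauthorised forever. The RADIUS address, the shared secret, the local credentials and VLAN 999 are placeholders to replace.

```cisco
! Added example: dot1x with authenticated line logins and a restricted VLAN.
aaa new-model
! console/vty logins: local user database instead of "none"
username admin privilege 15 secret ReplaceMe
aaa authentication login default local
! 802.1X supplicants: RADIUS only
aaa authentication dot1x default group radius
!
! the RADIUS server must be configured to accept requests from Loopback0
ip radius source-interface Loopback0
radius-server host 25.2.2.1 auth-port 1812 acct-port 1813
radius-server key ReplaceThisSharedSecret
!
dot1x system-auth-control
!
interface FastEthernet1/4
 switchport mode access
 dot1x port-control auto
 ! re-authenticate the supplicant every hour
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! hosts that fail authentication land in VLAN 999 (must exist and
 ! must not reach anything sensitive)
 dot1x auth-fail vlan 999
!
! Verification
show dot1x all
show dot1x interface FastEthernet1/4 details
```

With login default local the switch stays reachable if the RADIUS server is down; with the original none it stays reachable by anyone, which is the point of the change.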
PPP chap authentication
CHAP authentication is unidirectional. A router always answers a challenge even if ppp authentication chap is not configured on it, so for one-way authentication (R5 authenticating R4) :
On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
On R4
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp chap hostname ROUTER4
ppp chap password CISCO
Two-way authentication (each router challenges the other) :
On R5
username ROUTER4 password 0 CISCO
interface Serial1/1
ip address 132.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER5
On R4
username ROUTER5 password 0 CISCO
interface Serial1/1
ip address 132.1.45.4 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname ROUTER4
Remark : without ppp chap password, each router answers the peer's challenge with the password stored in the username entry for that peer, which is why both username entries carry the same password CISCO. The CHAP secret has to be recoverable in cleartext (it keys the MD5 challenge/response), so it is stored with password (type 0, or the trivially reversible type 7) and cannot be stored as a hashed secret; protect access to the configuration accordingly.
Layer 3 Etherchannel
Purpose : EtherChannel on "no switchport" (routed) interfaces.
The physical interfaces must already be in "no switchport" before issuing the "channel-group" command, otherwise IOS creates a Layer 2 port-channel.
The IP address is placed on the port-channel interface, not on the physical members.
Etherchannel : Pagp or Lacp
PAgP or LACP are used to negotiate the EtherChannel bundle automatically :
PAgP (Cisco protocol) :
auto : passive negotiation, the other side needs to be desirable
desirable : active negotiation, the other side needs to be desirable or auto.
LACP (802.3ad) :
passive : passive negotiation, the other side needs to be active
active : active negotiation, the other side needs to be active or passive.
The main difference is that PAgP only works between Cisco devices whereas LACP works in mixed-vendor environments.
To force the EtherChannel manually, both sides have to be in on mode. In on mode nothing is negotiated, so a mismatched or miscabled bundle is not detected and can create a loop or blackhole traffic; prefer LACP or PAgP whenever the peer supports it.
Verification
Rack1SW2#sh etherchannel 1 sum
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa1/7(P) Fa1/8(P) Fa1/9(P)
OR
Rack1SW2#sh etherchannel 1 port
Ports in the group:
-------------------
Port: Fa1/7
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 2
Age of the port in the current state: 00d:03h:17m:20s
Port: Fa1/8
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = 0
Port-channel = Po1 GC = 0x00010001 Pseudo port-channel = Po1
Port index = 1
Age of the port in the current state: 00d:03h:17m:20s
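A Layer 3 EtherChannel negotiated with LACP, added here as an example that covers both the "Layer 3 Etherchannel" and the "Pagp or Lacp" notes above (it is not part of the original post). Interface names and the address are illustrative. The order matters: the members go to "no switchport" first, then channel-group, so that the port-channel IOS creates is routed and the summary shows the R flag.

```cisco
! Added example: routed EtherChannel, LACP active on this side.
interface range FastEthernet1/7 - 8
 no switchport
 no ip address
 channel-group 1 mode active
!
interface Port-channel1
 no switchport
 ip address 10.1.12.1 255.255.255.0
!
! The peer uses "channel-group 1 mode active" or "mode passive".
! With PAgP the pair would be "mode desirable" / "mode auto" instead;
! "mode on" on both ends skips negotiation entirely.
!
! Verification: Po1 must show as (RU), Layer3 and in use
show etherchannel 1 summary
show etherchannel 1 port
show lacp neighbor
```

If the summary shows Po1 as (SU) instead of (RU), the members were bundled while still in switchport mode; remove the channel-group, set no switchport on the members and add them again.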
Tuesday 1 September 2009
IP Accounting
IP accounting is an IP service that counts, per source/destination address pair, the packets switched out of an interface (or dropped on it, for access violations).
Let's see the different ways of doing it (all are interface commands) :
Account for every transit packet :
ip accounting
Account for packets by IP precedence :
ip accounting precedence input
ip accounting precedence output
Account only for output packets
ip accounting output-packets
Account only for packets dropped by an access-list applied on the interface (the record also keeps the number of the ACL that denied the packet, shown by show ip accounting access-violations)
ip accounting access-violations
Verification
show ip accounting
show interface s1/0 precedence
Traffic Policing : Rate-Limit or MQC Policing
Example : limiting ICMP traffic to 128 kbps with a permitted burst of 4000 bytes, i.e. a quarter of a second's worth of traffic at that rate (128000 bps / 8 = 16000 bytes per second)
Legacy traffic policing using the command rate-limit
access-list 110 permit icmp any any
interface e0/0
rate-limit output access-group 110 128000 4000 4000 conform-action transmit exceed-action drop
128000 bps : the rate (CIR)
4000 bytes : normal burst (Bc), the depth of the token bucket refilled at the CIR
4000 bytes : maximum burst (burst-max); since burst-max = Bc there is no extended burst (Be = 0)
Only ICMP is matched: an extra permit ip any any in the ACL would police all IP traffic, and traffic not matched by the ACL is not policed at all.
Verification
show interface rate-limit
Traffic policing using MQC
CEF must be enabled (match protocol uses NBAR)
class-map match-all CAR
match protocol icmp
policy-map CAR
class CAR
police cir 128000 bc 4000
interface e0/0
service-policy output CAR
128000 : the rate (CIR) in bps
4000 : normal burst (Bc) in bytes
Be : 0 (no violate-action, so the policer is two-colour and uses no excess bucket)
Verification
show policy-map interface e0/0
Differences
- Legacy CAR : the configured burst-max includes burst-normal (burst-max = Bc + excess bytes), so burst-max equal to Bc means no extended burst
- MQC policing : Bc and Be are configured independently; the configured Be does not include Bc (Be = excess bytes only)
- MQC policing supplies a default Bc when it is not configured (1500 bytes in older releases, later derived from the CIR), whereas rate-limit requires both burst values explicitly