Summary SRWE (Switching, Routing, and Wireless Essentials)

Chapter 1: Basic Device Configuration

Switch

Initial settings

Boot sequence:

  1. Power-on self test (POST): a program stored in ROM that checks the CPU, the DRAM and the part of the flash device that makes up the flash file system.
  2. Load the boot loader: a small program stored in ROM that runs immediately after a successful POST.
  3. The boot loader performs low-level CPU initialization: it sets up the registers that control where physical memory is mapped, how much memory there is, and its speed.
  4. Initialize the flash file system on the system board.
  5. Locate and load the default IOS operating system image into memory and hand control of the switch over to it.

Boot system command:

  • The switch attempts to boot automatically using the information in the BOOT environment variable. If the variable is not set, it tries to load and execute the first executable file it finds in flash.
  • The IOS image then initializes the interfaces using the commands in the startup-config file. On a switch this file is called config.text and is stored in flash.
  • The BOOT variable is set with the boot system global configuration command. This is needed, for example, when the IOS image sits in its own folder and the full path must be given. Use show boot to see which boot file is currently set.

(figure: example boot system configuration)

Recovering from crash:

The boot loader provides access to the switch when the OS is missing or damaged. It has its own command line (prompt switch:) that gives access to the files in flash memory.

  1. Connect a console cable to the console port.
  2. Unplug the switch power cord.
  3. Reconnect the power cord and, within 15 seconds, press and hold the Mode button while the System LED is still flashing green.
  4. Keep holding the button until the System LED turns briefly amber and then solid green, then release it.
  5. The boot loader prompt appears. From here you can format the flash file system, reinstall the OS, or recover a lost or forgotten password. (Anyone with physical console access can do this, which is why physical access to switches matters.)

Switch management access

For remote access the switch needs an IP address, a subnet mask and a default gateway.

By default, management is done through VLAN 1, and by default all ports are assigned to VLAN 1.

Best practice: use a different VLAN for management, so management traffic is separated from user traffic.

  1. Configure the management interface: apply an IPv4 address and subnet mask to the management SVI (switch virtual interface), i.e. the interface vlan of the management VLAN.
  2. Configure the default gateway (needed to manage the switch from remote networks).
  3. Verify the configuration.

Commands

View the BOOT environment variable (at the boot loader prompt):

set

Initialize the flash file system and list the files in flash (boot loader prompt):

flash_init
dir flash:

Change the BOOT environment variable path (boot loader prompt):

BOOT=flash:path-to-ios-image

Configure the default gateway (global configuration mode):

ip default-gateway 192.17.99.1

Save running config to startup config:

copy running-config startup-config

Check virtual and physical interfaces:

show ip interface brief / show ipv6 interface brief

Config ports

Duplex Communication

  • Full-duplex increases bandwidth efficiency: both ends can transmit and receive at the same time.
  • A microsegmented LAN is created when a switch port has only one connected device and runs in full-duplex. There is no collision domain on that link.
  • Half-duplex communication is unidirectional: data can only flow in one direction at a time, which causes performance issues because collisions happen often.
  • Gigabit Ethernet and 10 Gb NICs (physical network adapters) require full-duplex. In full-duplex, collision detection on the NIC is disabled.

Config at physical layer

  • A port can be manually configured with duplex and speed settings using the duplex and speed interface commands.
  • The default setting for both is auto. 10/100/1000 ports can run half- or full-duplex at 10 or 100 Mbps, but only full-duplex at 1000 Mbps (1 Gbps).
  • Autonegotiation is useful when the speed and duplex of the connected device may change.
  • When troubleshooting, checking the duplex and speed settings on both ends is important.
  • Note: mismatched duplex or speed settings cause connectivity and performance issues.
  • Fiber optic links are always full-duplex.

Auto-MDIX

Auto-MDIX = automatic medium-dependent interface crossover.

  • Automatically detects the required cable connection type (straight-through or crossover) and adjusts the port accordingly.
  • When used on an interface, the interface speed and duplex must be set to auto.

Commands

Configure interface duplex:

duplex full

Configure interface speed:

speed 100

MDIX

mdix auto

Info flash file system

show flash

Display MAC-address table

show mac address-table / show mac-address-table

Check switch config

show running-config

Check interfaces of port

show interfaces port-name (e.g. show interfaces fa 0/5)

Network access layer issues

(figure: error counters shown by show interfaces)

Troubleshooting (network access layer issues)

(figure: troubleshooting steps)

Secure remote access

Telnet

  • Uses TCP port 23.
  • Older protocol; everything, including the login credentials, is transmitted in plaintext.

SSH

  • Secure Shell (SSH) is a secure remote-access protocol.
  • Uses TCP port 22.
  • Provides an encrypted management connection to a remote device.
  • To check whether the switch supports SSH, use show version and look for K9 (the crypto feature set) in the IOS filename.

Configure SSH

(figure: SSH configuration steps)
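A practitioner's check of the settings this section is about, as an added example (not from the course or the original notes): a small audit of a running-config that flags the remote-access mistakes described above, namely Telnet still allowed on the vty lines, SSHv1, line passwords instead of local user accounts, and type 7 passwords. Both config excerpts are constructed for the example; the hash in the username line is a placeholder, not a real secret.

```python
# Constructed running-config excerpts (not from a real device) used to show
# what an audit of the chapter's remote-access settings looks like.
WEAK_CONFIG = """\
hostname S1
ip domain-name example.local
username admin privilege 15 secret 5 $1$example$notarealhash
ip ssh version 1
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 094F471A1A0A
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname S1
ip domain-name example.local
username admin privilege 15 secret 5 $1$example$notarealhash
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_config(config: str) -> dict:
    """Split an IOS config into global commands and the bodies of each 'line ...' section.
    Section bodies are the indented commands that follow a 'line' header."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return {"global": global_cmds, "lines": sections}


def audit_remote_access(config: str) -> list:
    """Return one finding per deviation from an SSH-only management setup."""
    parsed = parse_config(config)
    g = parsed["global"]
    findings = []
    if not any(c.startswith("ip domain-name ") for c in g):
        findings.append("global: no ip domain-name (needed before crypto key generate rsa)")
    if "ip ssh version 2" not in g:
        findings.append("global: ip ssh version 2 not set (SSHv1 may be negotiated)")
    if not any(c.startswith("username ") and " secret " in c for c in g):
        findings.append("global: no local user with a secret (login local cannot work)")
    for name, body in parsed["lines"].items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{name}: transport input is not 'ssh' only (Telnet on TCP/23 may be accepted)")
        if "login local" not in body:
            findings.append(f"{name}: line password instead of login local")
        if any(c.startswith("password 7 ") for c in body):
            findings.append(f"{name}: type 7 password (service password-encryption is reversible)")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit_remote_access(HARDENED_CONFIG))
```

The weak config produces four findings (all on the first vty range and the SSH version); the hardened one produces none. The check is deliberately strict about transport input: "transport input telnet ssh" is flagged, because leaving Telnet enabled next to SSH gives an attacker on the management VLAN a plaintext login path.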

Router

Basic router config

Tasks that should always be performed (class and cisco are the course's lab passwords, not values to use in production):

conf t
hostname name
enable secret class
line console 0
password cisco
login
exit
line vty 0 4
password cisco
login
exit
service password-encryption
banner motd $ text $

Note: service password-encryption only obscures line passwords with the reversible type 7 scheme; enable secret stores a real hash. For remote access, local user accounts (username name secret password, then login local on the vty lines) are preferable to a shared line password.

Configure an IP address on an interface:

ip address ip-address subnet-mask
ipv6 address ipv6-address/prefix-length

IPv4 loopback interfaces

  • A logical interface internal to the router.
  • Has no physical port and is never connected to anything.
  • Considered a software interface that is automatically placed in the up state.
  • Good for testing, because it is always available as long as the router is up.

Interface verification commands

Display summary of all interfaces

show ip interface brief
show ipv6 interface brief

Display commands applied to interface

show running-config interface "interface-id"

Display contents of routing table

show ip route
show ipv6 route

Verify Routes

  • Local host route: L
  • Directly connected network: C

VLSM: see the slides.

Chapter 2: Switching Concepts

Frame forwarding

  • Ingress: the interface on which a frame enters the switch.
  • Egress: the interface on which a frame leaves the switch.

A switch forwards based on the ingress interface and the destination MAC address.

A switch uses its MAC address table to make forwarding decisions: the table tells it the egress port.
To do this, it has to learn which interface leads to which destination.

It builds the MAC address table, also called the content addressable memory (CAM) table, by recording the source MAC address and ingress port of every incoming frame.

  1. Learn

    • Add the source MAC address (with the ingress port) if it is not yet in the table.
    • If it is already there, reset its aging timer (default 5 minutes).
  2. Forward

    • If the destination MAC is in the table, forward the frame out of the recorded port only.
    • If the destination MAC is not in the table (or is a broadcast/multicast), flood the frame out of all interfaces except the ingress interface.

Note: a switch never forwards a frame back out of the ingress port.
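The learn-and-forward behaviour above, modelled in code as an added example (not code from the course or these notes). The switch model assumes three ports and a 300-second aging timer; the MAC addresses are constructed. Beyond the two rules in the text it also shows the aging step, the filtering case (destination known on the same port the frame came in on), and that broadcast and multicast destinations are recognised by the group bit of the first octet rather than by a table lookup.

```python
class Switch:
    """Minimal model of a Layer 2 switch's learn-then-forward behaviour."""

    AGING_SECONDS = 300  # dynamic entries age out after 5 minutes (default aging timer)
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC -> (port, time last seen)

    @staticmethod
    def is_group(mac: str) -> bool:
        """Broadcast and multicast MACs have the I/G bit (lowest bit of the first octet) set."""
        return int(mac.split(":")[0], 16) & 1 == 1

    def _age_out(self, now: float) -> None:
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.AGING_SECONDS]
        for m in stale:
            del self.table[m]

    def receive(self, ingress: str, src: str, dst: str, now: float) -> list:
        """Process one frame; return the list of egress ports it is sent out of."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        self._age_out(now)
        # 1. Learn: record (or refresh) the source MAC on the ingress port.
        if not self.is_group(src):
            self.table[src] = (ingress, now)
        # 2. Forward: known unicast goes to one port; unknown unicast, broadcast and
        #    multicast are flooded. The ingress port never receives its own frame.
        if not self.is_group(dst) and dst in self.table:
            egress = self.table[dst][0]
            return [] if egress == ingress else [egress]  # same segment: filter, do not forward
        return [p for p in self.ports if p != ingress]

    def mac_address_table(self, now: float) -> dict:
        """What 'show mac address-table' would list: MAC -> port, minus aged-out entries."""
        self._age_out(now)
        return {m: port for m, (port, _) in self.table.items()}


if __name__ == "__main__":
    # Constructed sample traffic on a three-port switch
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "00:00:00:00:00:01", "00:00:00:00:00:02", now=0))  # unknown: flood
    print(sw.receive("Fa0/2", "00:00:00:00:00:02", "00:00:00:00:00:01", now=1))  # learned: one port
    print(sw.mac_address_table(now=1))
```

The model also makes the security point of the chapter visible: the table is built purely from source addresses that arrive on ports, so whatever a host claims as its source MAC is what the switch learns.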

Switch forwarding methods

Frame forwarding

Switches use application-specific integrated circuits (ASICs) to make forwarding decisions in hardware, very quickly.

Two methods:

  1. Store-and-forward switching

    • Receives the entire frame before forwarding.
    • Checks that the frame is valid (FCS).
    • Preferred switching method on Cisco switches.
  2. Cut-through switching

    • Forwards the frame as soon as the destination MAC address has been read and the egress port determined.

Store-and-Forward switching

  • Error checking: the switch checks the Frame Check Sequence (FCS) for CRC errors. Frames with errors are discarded.
  • Buffering: the ingress interface buffers the frame while the FCS is checked. Buffering also lets the switch handle different ingress and egress speeds.

    (figure: store-and-forward example)

Cut-Through Switching

  • Forwards the frame immediately after reading the destination MAC address.
  • Fragment-free variant: the switch reads the first 64 bytes before forwarding, so frames shorter than 64 bytes (runts, usually collision fragments) are discarded.
  • Useful when latency below 10 microseconds is needed.
  • Does not check the FCS, so corrupted frames are forwarded.
  • Can waste bandwidth: if many frames contain errors, they are all forwarded anyway and dropped further on.
  • No support for different ingress and egress speeds.
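The difference between the three methods in code, as an added example (not from the course or the notes): it builds Ethernet II frames with a real CRC-32 FCS and then runs a good frame, a frame with a corrupted payload byte, and a runt through each decision rule. The sample frames and MAC addresses are constructed. Only store-and-forward catches the corrupted frame; fragment-free catches the runt; plain cut-through forwards both.

```python
import zlib

MIN_FRAME = 64  # minimum Ethernet frame size including FCS; anything shorter is a runt


def build_frame(dst: str, src: str, payload: bytes, ethertype: bytes = b"\x08\x00") -> bytes:
    """Construct an Ethernet II frame (without preamble) and append a correct 32-bit FCS.
    The payload is padded to 46 bytes so the smallest frame is exactly 64 bytes."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    body = mac(dst) + mac(src) + ethertype + payload.ljust(46, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")  # Ethernet CRC-32, sent LSB first


def fcs_ok(frame: bytes) -> bool:
    """Store-and-forward check: recompute the CRC over everything before the FCS."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def decide(frame: bytes, method: str) -> tuple:
    """Return (action, reason) for one frame under the given switching method."""
    if method == "store-and-forward":
        # whole frame is buffered, FCS verified; bad frames never leave the switch
        return ("forward", "FCS valid") if fcs_ok(frame) else ("drop", "FCS error")
    if method == "fragment-free":
        # only the first 64 bytes are examined: runts are dropped, CRC errors pass
        return ("forward", "first 64 bytes intact") if len(frame) >= MIN_FRAME else ("drop", "runt")
    if method == "cut-through":
        # decision as soon as the 6-byte destination MAC has been read
        return ("forward", "destination MAC read") if len(frame) >= 6 else ("drop", "no destination")
    raise ValueError(f"unknown method {method}")


# Constructed sample traffic: one good frame, one with a flipped payload byte, one runt
GOOD = build_frame("00:00:00:00:00:02", "00:00:00:00:00:01", b"hello")
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0xFF]) + GOOD[21:]
RUNT = GOOD[:40]

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        for method in ("store-and-forward", "fragment-free", "cut-through"):
            print(f"{name:8} {method:18} -> {decide(frame, method)}")
```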

Command(s)

Clear MAC address table

S# clear mac address-table dynamic

Switching domains

Collision domains

Switches eliminate collision domains and reduce congestion.

  • On a full-duplex link the collision domain is eliminated.
  • When at least one device on a link runs half-duplex, that link is a collision domain.

Full duplex (from class notes): the two ends agree on who uses which part of the medium to communicate, which prevents collisions.

Half duplex: everyone talks over the same medium.

Most devices use auto-negotiation as the default setting for duplex and speed.

Broadcast domains

  • A broadcast domain extends across all Layer 1 and Layer 2 devices on a LAN.

    • A Layer 3 device (router) breaks up the broadcast domain (also called the MAC broadcast domain).
    • A broadcast domain consists of all devices on the LAN that receive the same broadcast traffic.
  • When a Layer 2 switch receives a broadcast, it floods it out of all interfaces except the ingress interface.

  • Too many broadcasts cause congestion and performance loss.

  • Adding Layer 1 or Layer 2 devices expands the broadcast domain.

  • A switch eliminates collisions between end devices (PCs etc.), but not broadcasts.

  • If a broadcast is sent from one switch to another, the other switch floods it as well.

    (figure: broadcast propagation)

Alleviated Network Congestion

Switches use MAC address table and full duplex to eliminate collisions and avoid congestion.

Features that allow this:

  • Fast port speeds: the more traffic a switch has to handle, the higher its port speed should be. Faster ports cost more but reduce congestion.

    • Access layer: 100 Mbps - 1 Gbps
    • Distribution layer: 100 Mbps - 1 Gbps - 100 Gbps
    • Core layer: 10 Gbps - 40 Gbps - 100 Gbps
  • Fast internal switching: a fast internal bus or shared memory increases performance.

  • Large frame buffers: large memory buffers temporarily store frames before they would have to be dropped, which allows traffic from a fast ingress port to a slower egress port without loss of frames.

  • High port density: lowers cost because fewer switches are needed, and keeps traffic local, which helps alleviate congestion.

SDM Switch Database Manager

The default SDM template used by the switch does not provide IPv6 capabilities; a template that supports IPv6 must be selected before IPv6 can be configured.

Commands

Verify which SDM template is active (for IPv6 it must be dual-ipv4-and-ipv6 or lanbase-routing):

S# show sdm prefer

Assign dual-ipv4-and-ipv6 as the default SDM template (takes effect after a reload):

S# conf t
sConfig# sdm prefer dual-ipv4-and-ipv6 default
sConfig# end
S# reload

Chapter 3: VLANs

Overview

Definition

  • VLANs are logical connections with other similar devices.

VLAN characteristics

  • Provides segmentation of various groups of devices on the same switches.

  • Provide manageable organization.

    • Broadcasts, multicasts and unicasts are isolated in individual VLAN.

    • Each VLAN has unique range of IP addressing.
    • Smaller broadcast domains.

VLAN benefits

(figure: VLAN benefits)

Types

Default VLAN

  • VLAN 1 is:

    • Default VLAN
    • Default Native VLAN
    • Default Management VLAN
    • Can’t be deleted or renamed
  • Note:

    • It is recommended to assign defaults to different VLAN’s.

Data VLAN

  • For user-generated traffic (email & web)
  • VLAN 1 is the default.

Native VLAN

  • Only used for trunk links
  • All frames are tagged on an 802.1Q trunk link except for those on the native VLAN

Management VLAN

  • SSH/Telnet VTY traffic
  • Shouldn’t handle end user traffic.
  • Usually the VLAN on which the SVI of a Layer 2 switch is configured.

Voice VLAN

  • Separate VLAN because of the requirements of voice traffic:

    • Assured bandwidth
    • High QoS priority (Quality of Service)
    • Able to avoid congestion
    • Delay < 150 ms from source to destination
  • Entire network must be designed to support voice.

VLAN’s in a Multi-Switched Environment

Definition trunk

A trunk is a point-to-point link between two network devices.

Trunk functions

  • Allow more than 1 VLAN.
  • Extend VLAN across network.
  • Supports all VLANs. (default)
  • Supports 802.1Q trunking.

Networks without VLANs

All devices connected to the switches will receive all unicast, multicast, and broadcast traffic.

Networks with VLANs

Unicast, multicast, and broadcast traffic is confined to a VLAN. Without a Layer 3 device to connect the VLANs, devices in different VLANs cannot communicate.

VLAN identification with a tag

  • The IEEE 802.1Q tag is a 4-byte header inserted after the source MAC address.
  • When the tag is inserted, the FCS must be recalculated because the frame contents changed.
  • Before the frame is sent to an end device, the tag is removed and the FCS is recalculated back to its original value.

(figure: 802.1Q tagged frame)

Native VLANs and 802.1Q Tagging

  • 802.1Q trunk basics:

    • Tagging is typically done on all VLANs.
    • Native VLAN was designed for legacy use.
    • Unless changed, VLAN1 is the native VLAN.
    • Both ends of a trunk link must be configured with the same native VLAN.
    • Each trunk is configured separately, so it is possible to have different native VLANs on separate trunks.
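Tagging and untagging as described in the last two sections, as an added example (not code from the course or the notes). The frame helper, MAC addresses and payload are constructed. It shows the tag going in after the source MAC with the FCS recomputed, the tag coming out with the FCS restored, and the native-VLAN rule from both sides: frames of the native VLAN leave untagged, and an untagged frame arriving on a trunk is assigned to whatever the receiving end believes the native VLAN is, which is why a native VLAN mismatch puts traffic in the wrong VLAN.

```python
import zlib

TPID = b"\x81\x00"  # 802.1Q tag protocol identifier


def _fcs(body: bytes) -> bytes:
    return zlib.crc32(body).to_bytes(4, "little")


def _frame(dst: str, src: str, payload: bytes) -> bytes:
    """Constructed untagged Ethernet II frame (IPv4 ethertype) with a valid FCS."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    body = mac(dst) + mac(src) + b"\x08\x00" + payload.ljust(46, b"\x00")
    return body + _fcs(body)


def tag_frame(frame: bytes, vlan_id: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Sending side of a trunk: insert the 4-byte tag after the source MAC and recompute
    the FCS. Frames of the native VLAN are sent untagged, so they are returned untouched."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan_id == native_vlan:
        return frame
    body = frame[:-4]
    tci = (pcp << 13) | vlan_id            # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    tagged = body[:12] + TPID + tci.to_bytes(2, "big") + body[12:]
    return tagged + _fcs(tagged)           # the tag changed the bytes, so the old FCS is wrong


def untag_frame(frame: bytes, native_vlan: int = 1) -> tuple:
    """Receiving side: return (vlan_id, frame as the end device sees it). An untagged frame
    is assigned to the native VLAN, which is why both trunk ends must agree on it."""
    body = frame[:-4]
    if _fcs(body) != frame[-4:]:
        raise ValueError("FCS error")
    if body[12:14] != TPID:
        return native_vlan, frame
    vid = int.from_bytes(body[14:16], "big") & 0x0FFF
    stripped = body[:12] + body[16:]
    return vid, stripped + _fcs(stripped)  # FCS back to the original value


SAMPLE = _frame("00:00:00:00:00:02", "00:00:00:00:00:01", b"payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, 10)
    print(len(SAMPLE), "->", len(tagged), "bytes; VLAN on receive:", untag_frame(tagged)[0])
    print("untagged frame received on trunk with native VLAN 99 ->", untag_frame(SAMPLE, 99)[0])
```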

Commands

Verify VLAN config

S# show interfaces "port" switchport

VLAN configuration

Commands

Create VLAN

S# conf t
sConfig# vlan "vlan-id"
sConfigVlan# name "vlan-name"
sConfigVlan# end

Port assignment

S# conf t
sConfig# interface "interface-id"
sConfigIf# switchport mode access
sConfigIf# switchport access vlan "vlan-id"
sConfigIf# end

Verify VLAN information

S# show vlan [brief | id "vlan-id" | name "vlan-name" | summary]

Delete VLAN

Caution: before deleting a VLAN, assign all its member ports to a different VLAN. Ports left in a deleted VLAN cannot communicate.

sConfig# no vlan "vlan-id"

Delete all VLANs (the VLAN database lives in vlan.dat in flash, not in the running config; privileged EXEC mode)

S# delete flash:vlan.dat
(or)
S# delete vlan.dat
S# reload

Trunk config commands

Set up

S# conf t
sConfig# interface "interface-id"
sConfigIf# switchport trunk encapsulation dot1q (only on switches that also support ISL)
sConfigIf# switchport mode trunk
sConfigIf# switchport trunk native vlan "vlan-id"
sConfigIf# switchport trunk allowed vlan "vlan-list"
sConfigIf# end

Verify config

show int "port" switchport

Reset trunk to access

sConfigIf# switchport mode access

Dynamic Trunking Protocol

Definition

Dynamic trunking protocol (DTP) is a protocol that lets switches automatically negotiate trunking with neighbouring devices.

Characteristics

  • On by default (on Catalyst 2960 and 2950 switches).
  • Dynamic auto is the default port mode.

Best practice: set interfaces explicitly to access or trunk and turn DTP off (switchport nonegotiate), so that a connected device cannot negotiate a trunk on its own.

Commands

Turn DTP off

sConfigIf# switchport nonegotiate

Turn DTP on

sConfigIf# switchport mode dynamic auto

Show DTP config

S# show dtp interface "interface-id"

Chapter 4: Inter-VLAN Routing

Inter-VLAN Routing Operation

Definition

Forwarding traffic from one VLAN to another VLAN; this requires a Layer 3 device.

Options

  • Legacy inter-VLAN routing: does not scale

    • Relies on a router with multiple Ethernet interfaces. Each router interface is connected to a switch port in a different VLAN, and the router interfaces serve as the default gateways.
    • Not scalable, because every VLAN needs its own physical port.
    • No longer implemented.
  • Router-on-a-stick: acceptable for small to medium-sized networks

    • Requires only a single physical Ethernet port.

    • An 802.1Q trunk connects the router to a trunk port on a Layer 2 switch. The router interface uses subinterfaces to identify the routable VLANs.

    • Subinterfaces are software-based virtual interfaces, each associated with a physical Ethernet interface. Each subinterface has its own IP address and VLAN assignment.
    • Does not scale beyond roughly 50 VLANs.
  • Layer 3 switch using switched virtual interfaces (SVIs): most scalable

    • An SVI is created for each VLAN that exists on the switch. The SVI performs the same role for its VLAN as a router interface would, but virtually.

    • Much faster: everything is switched and routed in hardware.
    • No need for external links to a router.
    • Not limited to one link.
    • Much lower latency.
    • More expensive.

Router-on-a-Stick

Requires a subinterface for each VLAN to be routed.

Config steps

  1. Create and name the VLANs.
  2. Create the management interface.
  3. Configure access ports.
  4. Configure trunking ports.

Example

(figure: router-on-a-stick setup)

Commands

Create subinterface

rConfig# interface "interface-id"."subinterface-id"
e.g. interface G0/0/1.10

Configure the subinterface to respond to dot1q-encapsulated traffic from the specified VLAN

rConfigSubif# encapsulation dot1q "vlan-id" [native]

Configure the IP address of the subinterface

rConfigSubif# ip address "ip-address" "subnet-mask"

After configuring all subinterfaces, enable the physical interface (the subinterfaces come up with it).

rConfigIf# no shutdown

Verify

PC> ipconfig
PC> ping
R# show ip route
R# show ip interface brief
R# show interfaces
S# show interfaces trunk

Inter-VLAN routing with Layer 3 switches

Uses Layer 3 switches with hardware-based switching, which have higher packet-processing rates than routers.

  • Able to route between VLANs using multiple SVIs.
  • Can convert a Layer 2 switch port into a Layer 3 (routed) interface.

Config steps

  1. Create the VLANs.
  2. Create the SVI VLAN interfaces. The IP address of each SVI serves as the default gateway for the hosts in that VLAN.
  3. Configure access ports. Assign each port to the required VLAN.
  4. Enable IP routing with the ip routing global configuration command. This command must be configured to enable inter-VLAN routing on a Layer 3 switch for IPv4.

Commands

Verify

PC> ping

To connect a Layer 3 switch to a router or to another Layer 3 switch, a routed port is used.

A routed port is created on a Layer 3 switch by disabling the switchport feature on the Layer 2 port that is connected to the other Layer 3 device.

Specifically, the no switchport interface configuration command converts a Layer 2 port into a Layer 3 interface. The interface can then be given an IPv4 configuration to connect to a router or another Layer 3 switch.

OSPF = Open Shortest Path First (routing protocol)

Troubleshooting

Issues

(figure: inter-VLAN routing troubleshooting table)

Chapter 5: STP Concepts

Purpose

Definition

Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows redundant links while creating a loop-free Layer 2 topology.

STP puts redundant ports in the blocking state, preventing frames from circulating the network forever (a broadcast storm).

IEEE 802.1D is the original IEEE MAC bridging standard for STP.

  • Path redundancy provides multiple paths between devices, eliminating a single point of failure.

  • When there are multiple connections between two devices on an Ethernet network and the switches do not run spanning tree, a Layer 2 loop occurs.

    • A loop results in MAC address table instability, link saturation and high CPU utilization, and can render a network unusable.
  • A Layer 2 Ethernet frame has no mechanism to recognize or eliminate endlessly looping frames.

    • IPv4 and IPv6 limit how far a packet can travel by decrementing the TTL (IPv4) or hop limit (IPv6) at every hop; Ethernet has no such field.
    • STP was developed as loop prevention for Layer 2 Ethernet.

STP is enabled by default on Cisco switches.

Algorithm

Invented by Radia Perlman

Steps (using STA)

  1. Selecting a Root Bridge: This bridge (switch) is the reference point for the entire network to build a spanning tree around
  2. Block Redundant Paths: STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.
  3. Create a Loop-Free Topology: A blocked port creates a topology where each switch has only a single path to the root bridge, similar to branches on a tree that connect to the root of the tree.
  4. Recalculate in case of Link Failure: STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active. STP recalculations can also occur any time a new switch or new inter-switch link is added to the network.

Switches use Bridge Protocol Data Units (BPDUs) to share information about themselves and their connections. BPDUs are used to elect the root bridge and to determine root ports, designated ports and alternate ports.

Each BPDU contains a bridge ID (BID) that identifies which switch sent it. The BID is used in the STA decisions for the root bridge and the port roles.

The BID consists of a priority value, an extended system ID and the MAC address of the switch. The lowest BID is determined by comparing these fields in that order.

  • Bridge priority: the default priority on all Cisco switches is 32768. The range is 0 to 61440 in increments of 4096. A lower bridge priority is preferable; a priority of 0 takes precedence over all others.

  • Extended system ID: a value added to the bridge priority in the BID that identifies the VLAN this BPDU belongs to.

  • MAC address: when two switches have the same priority and the same extended system ID, the switch with the lowest MAC address (compared as a hexadecimal number) has the lower BID.

  • The switch with the lowest BID becomes the root bridge. Because this election only looks at BID values, any device that sends BPDUs with a lower BID than the current root takes over the root role.

    (figure: BPDU fields)

    BPDU

Determine Root Path Cost

  • Once the root bridge has been elected for a spanning-tree instance, the STA determines the best path to the root bridge from every switch in the broadcast domain. This path information, the internal root path cost, is the sum of the individual port costs along the path from the switch to the root bridge.

  • The default port costs are defined by the speed at which the port operates. The table shows the default port costs suggested by the IEEE. Cisco switches by default use the values defined by the IEEE 802.1D standard, also known as the short path cost, for both STP and RSTP (Rapid Spanning Tree Protocol).


  • The root port of a switch is the port with the lowest root path cost to the root bridge. The root bridge itself has no root port.

Elect Designated Ports

  • Every segment between two switches has exactly one designated port: the port on the segment whose switch has the lowest internal root path cost to the root bridge.

  • A port that is neither a root port nor a designated port becomes an alternate (blocked) port.

  • All ports on the root bridge are designated ports.

  • On a segment between two switches, one end is typically the root port of the far switch and the other end the designated port.

  • All ports connected to end devices are designated ports.

  • When both ends of a segment have the same root path cost, the switch with the lower BID gets the designated port and the other end is blocked.

STP Timers and Port States

STP convergence depends on three timers.

  • Hello timer: time between BPDUs. Default 2 seconds.
  • Forward delay timer: time spent in the listening and learning states. Default 15 seconds, configurable between 4 and 30 seconds (the wait prevents temporary loops).
  • Max age timer: maximum time a switch waits without hearing a BPDU before it attempts to change the STP topology. Default 20 seconds, configurable between 6 and 40 seconds.

The default timers can be changed on the root bridge, which distributes them in its BPDUs. Keep the relations:

  • Hello time < forward delay
  • Max age > forward delay

Port states

(figure: STP port states)

versions

  • STP: the original IEEE 802.1D standard.
  • PVST+: Per-VLAN Spanning Tree, a Cisco enhancement of STP that runs a separate 802.1D instance for each VLAN.
  • RSTP: Rapid Spanning Tree Protocol, IEEE 802.1w.
  • Rapid PVST+: Cisco enhancement of RSTP that, like PVST+, runs a separate 802.1w instance per VLAN.
  • MSTP / MST: Multiple Spanning Tree Protocol, the IEEE standard (802.1s) that maps multiple VLANs onto a single spanning-tree instance, for enterprise use.

Security

Portfast

When a switch port is configured with PortFast, the port transitions from blocking to forwarding immediately, skipping the listening and learning states. Only use it on access ports that connect to end devices; a PortFast port connected to another switch can create a loop, so it should be combined with BPDU guard.

sConfigIf# spanning-tree portfast

BPDU Guard

BPDU guard puts a port in the error-disabled state as soon as a BPDU is received on it. A BPDU on a user port means another switch (or a device sending BPDUs) is incorrectly connected to it; shutting the port down prevents loops and stops that device from taking part in the root election.

sConfigIf# spanning-tree bpduguard enable

Chapter 6: EtherChannel

EtherChannel Operation

Definition

There are scenarios in which more bandwidth or redundancy is needed between devices than a single link can provide. Multiple links could be connected between the devices to increase bandwidth, but Spanning Tree Protocol (STP) would block the redundant links to prevent switching loops.

EtherChannel is a link aggregation technology that groups multiple physical Ethernet links into one logical link. It provides fault tolerance, load sharing, increased bandwidth and redundancy between switches, routers and servers. STP sees the bundle as one link, so nothing is blocked.

Advantages

  • Most configuration is done on the EtherChannel (port channel) interface instead of on each port.
  • Relies on existing switch ports; no upgrade to faster ports is needed.
  • Load balancing between the physical links.
  • The aggregation is seen as one logical link.
  • Redundancy: the loss of one physical link does not change the STP topology.

Restrictions

  • No mixing of interface types, e.g. FastEthernet and Gigabit Ethernet.

  • Up to 8 compatibly configured Ethernet ports per EtherChannel.

  • The ports on both sides must be configured the same way, e.g. both as trunks.

  • Each EtherChannel has a logical port channel interface; configuration applied to it affects all physical interfaces that are assigned to it.

  • All ports must have the same speed, duplex setting and VLAN configuration.

Autonegotiation Protocols

Allow similar ports to form a channel dynamically.

  • Port Aggregation Protocol (PAgP)

    • Cisco-proprietary. PAgP packets are sent between EtherChannel-capable ports to negotiate forming a channel.
    • Packets are sent every 30 seconds.
    • Modes:
      • On: forces the channel without PAgP negotiation.
      • PAgP desirable: active negotiating state, sends PAgP packets.
      • PAgP auto: passive negotiating state, only answers PAgP packets.
  • Link Aggregation Control Protocol (LACP)

    • Part of the IEEE 802.3ad specification.
    • Similar to PAgP, but as an IEEE standard it can be used in multivendor environments.
    • Modes:
      • On: forces the channel without LACP negotiation.
      • LACP active: active negotiating state, sends LACP packets.
      • LACP passive: passive negotiating state, only answers LACP packets.

Configure EtherChannel

Requirements

  • All interfaces must support EtherChannel.
  • All interfaces must have the same speed and duplex mode.
  • All interfaces must be assigned to the same VLAN or be configured as trunks.
  • All interfaces must support the same range of allowed VLANs.

Config steps

  1. Specify the interfaces that make up the EtherChannel group with the interface range "interface-range" command.
  2. Create the port channel interface with the channel-group "identifier" mode active command in interface range configuration mode. The identifier is the channel group number; the mode active keywords make this an LACP EtherChannel.
  3. To change Layer 2 settings on the port channel interface, enter port channel interface configuration mode with the interface port-channel "identifier" command.

Verify and Troubleshoot

Commands

Verify

Display the general status of the port channel interface.

S# show interfaces port-channel

Display one line of information per port channel.

S# show etherchannel summary

Display information about a specific port channel interface.

S# show etherchannel port-channel

Provide information about the role of a physical member interface of the EtherChannel.

S# show interfaces "interface-id" etherchannel

Chapter 7: DHCPv4

Concepts

Server and Client

  • Dynamic Host Configuration Protocol v4 (DHCPv4) assigns IPv4 addresses and other network configuration information dynamically.
  • A dedicated DHCPv4 server is scalable and relatively easy to manage. However, in a small branch or SOHO location, a Cisco router can be configured to provide DHCPv4 services.
  • DHCPv4 server dynamically assigns, or leases, an IPv4 address from a pool of addresses for a limited period of time chosen by the server, or until the client no longer needs the address.
  • Clients lease the information from the server for an administratively defined period. The lease is typically anywhere from 24 hours to a week or more. When the lease expires, the client must ask for another address, but it’s often the same.

Operation

Works in client/server mode

  • The client uses the leased IPv4 address until the lease expires or is renewed.
  • The lease mechanism ensures that addresses that are no longer used become available again.
  • When a lease expires, the address is returned to the address pool.

Steps for obtainig a Lease

The DHCPREQUEST is sent as a broadcast so that all servers that made an offer can see which offer the client accepted; the other servers treat it as a decline and withdraw their offers.

Exam question: put the steps of this figure in order (without the numbers).

(figure: DHCPv4 lease steps, DISCOVER / OFFER / REQUEST / ACK)

Steps to renew a Lease

The DHCPREQUEST for a renewal is unicast, because the client already has an address from a specific server and only that server needs to renew the lease.

The lease time should be neither too short nor too long:

  • Too short: too much DHCP traffic.
  • Too long: too many unused addresses stay reserved.

Exam question: same principle.

(figure: DHCPv4 lease renewal)

Configure DHCPv4 Server

Config steps

  1. Exclude IPv4 addresses. A single address or a range of addresses can be excluded by specifying the low-address and high-address of the range. Excluded addresses should be those addresses that are assigned to routers, servers, printers, and other devices that have been manually configured. You can also enter the command multiple times. The command is ip dhcp excluded-address low-address [high-address]

  2. Define a DHCPv4 pool name. The ip dhcp pool “pool-name” command creates a pool with the specified name and puts the router in DHCPv4 configuration mode, which is identified by the prompt Router(dhcp-config)#.

  3. Configure the DHCPv4 pool. The address pool and default gateway router must be configured. Use the network statement to define the range of available addresses. Use the default-router command to define the default gateway router.
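The lease steps, the renewal and the three configuration steps above, modelled together as an added example (not code from the course or the notes): the server holds a pool with excluded addresses, hands out an address on DISCOVER, binds it on a REQUEST that matches its own offer, withdraws the offer when the client picked another server, renews on a unicast REQUEST, and lets expired leases fall back into the pool. The network, router, DNS address, lease time and client MACs are all constructed; this is a model of the rules, not a wire-level DHCP implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    mac: str
    expires: float  # absolute time; the address returns to the pool after this


class Dhcpv4Server:
    """Models the chapter's pool, exclusion and lease rules (not a wire-level implementation)."""

    def __init__(self, network: str, default_router: str, dns: list, lease_seconds: int = 86400):
        self.net = ipaddress.ip_network(network)   # 'network' statement
        self.default_router = default_router       # 'default-router'
        self.dns = dns                             # 'dns-server'
        self.lease_seconds = lease_seconds         # 'lease'
        self.excluded = set()
        self.leases = {}   # client MAC -> Lease (what 'show ip dhcp binding' lists)
        self.offers = {}   # client MAC -> IP offered but not yet confirmed

    def exclude(self, low: str, high: str = None) -> None:
        """ip dhcp excluded-address low [high]: keep statically assigned addresses out of the pool."""
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high or low)
        self.excluded.update(str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1))

    def bindings(self, now: float) -> dict:
        """Active bindings; expired leases are dropped here and so return to the pool."""
        self.leases = {m: l for m, l in self.leases.items() if l.expires > now}
        return {m: l.ip for m, l in self.leases.items()}

    def _free_ip(self, now: float):
        in_use = set(self.bindings(now).values()) | set(self.offers.values())
        for host in self.net.hosts():
            if str(host) not in self.excluded and str(host) not in in_use:
                return str(host)
        return None

    def discover(self, mac: str, now: float):
        """DHCPDISCOVER (broadcast) -> DHCPOFFER, or None when the pool is exhausted."""
        ip = self._free_ip(now)
        if ip is None:
            return None
        self.offers[mac] = ip
        return {"type": "DHCPOFFER", "yiaddr": ip, "router": self.default_router,
                "dns": self.dns, "lease": self.lease_seconds}

    def request(self, mac: str, requested_ip: str, now: float, unicast: bool = False):
        """DHCPREQUEST -> DHCPACK. Broadcast during the initial exchange (every server sees
        which offer the client took); unicast to the leasing server when renewing."""
        current = self.leases.get(mac)
        if unicast and current and current.ip == requested_ip and current.expires > now:
            current.expires = now + self.lease_seconds                 # renewal
        elif self.offers.get(mac) == requested_ip:
            self.leases[mac] = Lease(requested_ip, mac, now + self.lease_seconds)
            del self.offers[mac]                                       # offer confirmed
        else:
            self.offers.pop(mac, None)  # client accepted another server's offer: withdraw ours
            return None
        return {"type": "DHCPACK", "yiaddr": requested_ip, "lease": self.lease_seconds}


if __name__ == "__main__":
    srv = Dhcpv4Server("192.168.10.0/24", "192.168.10.1", ["192.168.11.5"], lease_seconds=100)
    srv.exclude("192.168.10.1", "192.168.10.9")       # router, servers, printers
    offer = srv.discover("aa:bb:cc:00:00:01", now=0)
    print(offer)
    print(srv.request("aa:bb:cc:00:00:01", offer["yiaddr"], now=0))
    print("bindings at t=50:", srv.bindings(50), " at t=200:", srv.bindings(200))
```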

Commands

Define address pool

rDhcpConfig# network "network-number" ["mask" | /"prefix-length"]

Define default router or gateway

rDhcpConfig# default-router "address" ["address" ("address")]

Define dns server

rDhcpConfig# dns-server "address"  ["address" ("address")]

Define domain name

rDhcpConfig# domain-name "domain"

Define duration of lease

rDhcpConfig# lease {"days" ["hours" ["minutes"]] | infinite}

Define NetBIOS WINS server

rDhcpConfig# netbios-name-server "address"  ["address" ("address")]

Disable DHCPv4

rConfig# no service dhcp

Enable DHCPv4

rConfig# service dhcp

(figure: DHCPv4 server configuration example)

Verification commands

Display DHCPv4 commands configured on router

R# show running-config | section dhcp

Display list of all IPv4 addresses to MAC address bindings by DHCPv4 service

R# show ip dhcp binding

Display count information of number of DHCPv4 messages that have been sent and recieved

R# show ip dhcp server statistics

DHCPv4 Relay

Use

In a complex hierarchical network, enterprise servers are usually located centrally. These servers may provide DHCP, DNS, TFTP, and FTP services for the network. Network clients are not typically on the same subnet as those servers. In order to locate the servers and receive services, clients often use broadcast messages.

In order to get the DHCP service to work on the entire network, you have to configure a DHCPv4 Relay Agent. This is done by configuring a helper address on the router between the networks. The Relay Agent accepts broadcast requests for the DHCP service, and forwards those requests as Unicast to the helper address.

Command

Configure helper address

This is configured on the router interface that faces the clients (the interface that receives their broadcasts).

rConfig# interface "interface"
rConfigIf# ip helper-address "ip-address"
rConfigIf# end

Other relayed broadcast services

  • Time (port 37)
  • TACACS (port 49)
  • DNS (port 53)
  • DHCP/BOOTP server (port 67)
  • DHCP/BOOTP client (port 68)
  • TFTP (port 69)
  • NetBIOS name service (port 137)
  • NetBIOS datagram service (port 138)

Chapter 8: SLAAC and DHCPv6

IPv6 recap

  • GUA: Global Unicast (Unique) Address
    • Globally routable; every device can get its own GUA and can therefore be reached directly (comparable to an IPv4 public address; with IPv4 this is not possible for every device).
  • Link-local address: for communication on the local link only (a bit like a private IPv4 address, but not quite).
  • Stateful
    • State is kept: the server tracks which client has which address.
  • Stateless
    • No state is kept.
  • DHCPv6 can run in stateful and in stateless mode.

  • More info: see the slides.

SLAAC Stateless Address Auto Configuration

A router-based mechanism that lets hosts obtain a GUA without access to a DHCPv6 server. With SLAAC, hosts create their own unique IPv6 global unicast address.

  • Stateless: no server maintains information about which host has which address.
  • The router sends periodic ICMPv6 RA messages (e.g. every 200 seconds) with addressing and configuration information, so hosts can autoconfigure themselves based on the RA.
  • RA = Router Advertisement.
  • A host can send a Router Solicitation (RS) to request an RA immediately instead of waiting.
  • SLAAC can be deployed on its own or combined with DHCPv6.

Flags

•A flag - The Address Autoconfiguration flag signifies to use Stateless Address Autoconfiguration (SLAAC) to create an IPv6 GUA

•O flag - The Other Configuration flag signifies that additional information is available from a stateless DHCPv6 server.

•M flag - The Managed Address Configuration flag signifies to use a stateful DHCPv6 server to obtain an IPv6 GUA.

SLAAC Only Method

Flags (slide 14, vague)

  • A = 1
    • Informs the client to use the IPv6 GUA prefix in the RA and dynamically create its own interface ID. The host gets the network part (the /64 prefix) from the router and generates the 64-bit host part (interface ID) itself.
  • O = 0 and M = 0
    • Informs the client to use only the information in the RA message (prefix, default gateway, and e.g. DNS server or MTU if the RA carries them); no DHCPv6 server is contacted.
  • Check with ipconfig

Host Process to Generate Interface ID

SLAAC host gets 64-bit IPv6 subnet info from router RA, must generate the 64-bit interface identifier (ID).

  • Randomly Generated
    • 64-bit interface ID is randomly generated by client OS.
  • EUI-64
    • The host creates the interface ID from its 48-bit MAC address: the MAC is split into two 24-bit halves, the hex value fffe is inserted in the middle, and the universal/local (U/L) bit (bit 7 of the first byte) is flipped. Some operating systems default to a randomly generated interface ID instead of EUI-64, due to privacy concerns: with EUI-64 the host's Ethernet MAC address is embedded in, and recoverable from, its IPv6 address, so the host can be tracked across networks.

Duplicate Address Detection (DAD)

Ensures that GUA is unique.

  • The host sends an ICMPv6 Neighbor Solicitation (NS) message with a specially constructed solicited-node multicast address containing the last 24 bits of IPv6 address of the host.

  • If no other devices respond with a Neighbor Advertisement (NA) message, then the address is virtually guaranteed to be unique and can be used by the host.

  • If an NA is received by the host, then the address is not unique, and the host must generate a new interface ID to use.
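The interface ID derivation and the DAD target address above, worked through in code. This is an added example for this summary, not Cisco curriculum code; the MAC address and /64 prefix it uses are constructed sample values, and the Python standard library's `ipaddress` module does the address arithmetic.

```python
"""EUI-64 interface ID, SLAAC address and DAD solicited-node address.

Added example for this summary, not Cisco curriculum code. The MAC address
and /64 prefix used below are constructed sample values.
"""
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC.

    Split the MAC into two 24-bit halves, insert 0xFFFE in the middle and
    flip the universal/local (U/L) bit: bit 7 of the first byte, mask 0x02.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                       # the 'modified' part of modified EUI-64
    return bytes(iid)


def random_interface_id() -> bytes:
    """Privacy alternative most host OSes default to: 64 random bits, so the
    address reveals nothing about the NIC and cannot be tracked across networks."""
    return secrets.token_bytes(8)


def slaac_address(prefix: str, interface_id: bytes) -> str:
    """GUA = the /64 prefix learned from the RA + the 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix in the RA")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(interface_id, "big")))


def solicited_node_multicast(addr: str) -> str:
    """Address the DAD Neighbor Solicitation is sent to:
    ff02::1:ff00:0/104 with the last 24 bits of the unicast address appended.
    Only hosts whose address ends in the same 24 bits join this group, so a
    collision is answered (NA) by exactly the host that owns the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                                   # constructed
    gua = slaac_address("2001:db8:acad:1::/64", eui64_interface_id(mac))
    print("EUI-64 GUA :", gua)
    print("DAD target :", solicited_node_multicast(gua))
    print("random GUA :", slaac_address("2001:db8:acad:1::/64", random_interface_id()))
```

Running it shows why EUI-64 is a privacy problem: the MAC 00:1a:2b:3c:4d:5e is readable straight out of 2001:db8:acad:1:21a:2bff:fe3c:4d5e (undo the 0x02 flip and remove ff:fe), whereas the random variant changes per network or per period.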

DHCPv6

Operation Steps

Stateful DHCPv6 does NOT require SLAAC

Stateless DHCPv6 does require SLAAC

Regardless, when an RA indicates stateless DHCPv6 (O = 1) or stateful DHCPv6 (M = 1), the exchange is:

  1. The host sends an RS message.

  2. The router responds with an RA message.

  3. The host sends a DHCPv6 SOLICIT message to the All_DHCP_Relay_Agents_and_Servers multicast address ff02::1:2 (UDP port 547; the client itself listens on UDP 546).

  4. The DHCPv6 server responds with an ADVERTISE message.

  5. The host responds to the DHCPv6 server: a REQUEST for stateful DHCPv6 (it wants an address), an INFORMATION-REQUEST for stateless DHCPv6 (it only wants the other parameters).

  6. The DHCPv6 server sends a REPLY message.

Enable Stateless DHCPv6 on an interface

Enabled using ipv6 nd other-config-flag interface configuration command setting the O flag to 1.

rConfigIf# ipv6 nd other-config-flag
rConfigIf# end

Stateful DHCPv6 Operation

If the RA indicates the stateful DHCPv6 method, the host contacts a DHCPv6 server for all configuration information. (The server is stateful: it holds a list of IPv6 address bindings, like a DHCPv4 server.) The ipv6 nd managed-config-flag command sets M = 1; ipv6 nd prefix default no-autoconfig clears the A flag so hosts do not also create a SLAAC address from the prefix.

Commands

rConfig# int "interface"
rConfigIf# ipv6 nd managed-config-flag
rConfigIf# ipv6 nd prefix default no-autoconfig
rConfigIf# end

Configure DHCPv6 Server (see also the slides)

Config Stateless Server

  1. Enable IPv6 routing using the ipv6 unicast-routing.
  2. Define a DHCPv6 pool name using the ipv6 dhcp pool POOL-NAME .
  3. Configure the DHCPv6 pool with options. Include dns-server and domain-name name .
  4. Bind the interface to the pool using the ipv6 dhcp server POOL-NAME .
  5. Verify on the hosts with the ipconfig /all command

Config Stateless Client

  1. Enable IPv6 routing ipv6 unicast-routing.
  2. Configure the client router to create an LLA (IPv6 link-local address) with ipv6 enable command. Cisco IOS uses EUI-64 to create the Interface ID.
  3. Configure the client router to use SLAAC using the ipv6 address autoconfig command.
  4. Verify that the client router is assigned a GUA using the show ipv6 interface brief command.
  5. Verify that the client router received other necessary DHCPv6 information such as DNS and domain name show ipv6 dhcp interface g0/0/1.

Config Stateful Server

  1. Enable IPv6 routing using the ipv6 unicast-routing.
  2. Define a DHCPv6 pool name ipv6 dhcp pool POOL-NAME.
  3. Configure the DHCPv6 pool with options. Include the address prefix command, domain name, DNS.
  4. Bind the interface to the pool ipv6 dhcp server POOL-NAME .
  5. Verify on the hosts with the ipconfig /all command

Config Stateful Client

  1. Enable IPv6 routing ipv6 unicast-routing.
  2. Configure the client router to create an LLA. An IPv6 link-local address is created on a router interface when a GUA is configured, or without a GUA using the ipv6 enable interface configuration command. Cisco IOS uses EUI-64 to create an Interface ID.
  3. Configure the client router to use DHCPv6 using the ipv6 address dhcp interface config command.
  4. Verify that the client router is assigned a GUA using the show ipv6 interface brief command.
  5. Verify that the client router received other necessary DHCPv6 information using the show ipv6 dhcp interface g0/0/1 command.

Verification commands

Verify that the client router received other necessary DHCPv6 information:

R# show ipv6 dhcp interface "interface"

Verify the name of the DHCPv6 pool and its parameters. The command also identifies the number of active clients:

R# show ipv6 dhcp pool

Output to display the IPv6 link-local address of the client and the global unicast address assigned by the server:

R# show ipv6 dhcp binding

Chapter 10: LAN Security Concepts

Endpoint security

  • Distributed Denial of Service (DDoS)
    • Coordinated attack from many compromised devices (zombies, together a botnet), intended to degrade or halt public access to an organization's website and resources.
    • Not easy to solve: many of the zombies are infected devices of real clients, so simply blacklisting every source is not a good solution.
  • Data breach
    • Attack in which an organization's data servers or hosts are compromised to steal confidential data.
  • Malware
    • Attack in which an organization's hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry encrypts the data on a host and locks access to it until a ransom is paid.

Nowadays protecting a network is harder than it used to be, because of BYOD policies and wireless. Devices that fall outside the network's built-in protection can easily carry malware and spread it across the network.

Network Security Devices

  • Virtual Private Network (VPN)
    • Provides a secure (encrypted, authenticated) connection for remote users across a public network. Can be integrated into a firewall.
    • Protects only the traffic in transit between the tunnel endpoints. It does not inspect or filter what passes through the tunnel, so a compromised remote host carries its malware straight into the LAN.
  • Next-Generation Firewall (NGFW)

    • Provides stateful packet inspection, application visibility and control, Next Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP) and URL filtering.
      • Checks a packet's protocol, destination and source and decides what to drop.
      • Stateful packet inspection:
        • Tracks connections and checks that each packet belongs to a known, legitimate session; deep inspection also looks into the content for malicious payloads.
      • Acts like an antivirus for your network and also blocks suspicious hosts.
      • A classic firewall is default-deny: drop everything, then explicitly allow (whitelist) what is needed.
  • Network Access Control (NAC)

    • Includes authentication, authorization and accounting (AAA). Can be implemented in an appliance that manages users and devices.

notes:
VPN = TUNNEL (everything inside the tunnel is encrypted)

Commercial (consumer) VPN = tunnel from the LAN to the provider, and from there plainly onto the internet
so it only adds security on the LAN / first-hop side; the VPN provider sees any traffic that is not itself encrypted (e.g. plain HTTP)

FIREWALL: physically 2 ports, ingress and egress
Which IP with which MAC
Which protocol on which port
Based on block and allow rules the packets are dropped or forwarded

NGFW next-generation firewall
- NGIPS next-generation intrusion prevention system
A kind of antivirus for your network
Offending hosts get blocked
- AMP advanced malware protection
Also looks at the traffic itself: HTTP vs HTTPS, JavaScript? etc.
Deep packet inspection

NAC network access control
Triple A
Log in to get onto the network (e.g. TM internal eduroam)
Authentication != authorization: who are you > what are you allowed to do

Endpoint Protection

Hosts such as laptops, servers, … Particularly susceptible to malware-related attacks through email or web browsing.

Usually have traditional host-based security features.

  • Antivirus/antimalware
  • Host-Based Intrusion Prevention Systems (HIPSs)
  • Best protected by a combination of network and host security.
  • Nowadays host-based isolation is common: it tries to protect end devices on a network from one another. Wireless access points (e.g. a home router) offer client isolation so hosts cannot reach, and therefore infect, each other directly. In that situation a VPN can also provide security for the host's own traffic.

Cisco Email Security Appliance

ESA device is designed to monitor Simple Mail Transfer Protocol (SMTP).
It is constantly updated by real-time feeds from the Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system.

Gives senders a score on suspiciousness. I.e. phishing gets dropped immediately, some things end up in spam etc.

Kind of like an email firewall.

Cisco Web Security Appliance

WSA is a mitigation technology for web-based threats. WSA provides complete control over how users access the internet. Can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, Web application filtering, and encryption and decryption of web traffic.

Access Control

Shared secret (everybody uses the same password): effectively no authentication of individuals. You cannot tell users apart, log who did what, or revoke one person's access without changing the secret for everyone.

Authentication: everybody has their own username and password; can be strengthened further with keys, certificates etc. (e.g. SSH public-key authentication).

AAA (Authentication, Authorization, Accounting) controls who is permitted to access a network (authentication), what they can do (authorization), and tracks what they do (accounting).

  • Local or Server-Based Authentication
    • Credentials stored on the local network device, or on a central AAA server (RADIUS or TACACS+).

802.1X

The IEEE 802.1X standard is a port-based access control and authentication protocol. It restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports: the port passes only EAP traffic until the supplicant (client) has authenticated, via the authenticator (the switch), against an authentication server (typically RADIUS).

Layer 2 Security Threats

Layer2Vulnerability

TLS has replaced SSL (TLS is the more secure successor; SSL 2.0 and 3.0 are deprecated).

Because the data link layer is often forgotten, a compromise there undermines every layer above it: Layers 3 to 7 depend on Layer 2 delivering frames to the right host.

CIA Triad (not exam material)

Confidentiality, integrity, availability: if one of these is compromised, your security has failed.

  • Confidentiality: only authorized parties can read the data (keep confidential information secret)
  • Integrity: data and traffic are not altered without authorization, and tampering is detectable
  • Availability: authorized users can reach systems and data when they need them

Switch Attack Categories

ARP is the most important one.

attacks
STP: e.g. send fake BPDUs with a low (better) bridge priority to take over the root bridge role.

Exam question

What is STP / what does it do?

STP prevents loops in your Layer 2 network, and therefore broadcast storms, MAC table instability etc. The problem in a Layer 2 network is that switches do no routing: Ethernet frames have no TTL, so a looping frame circulates forever unless a protocol blocks the redundant links.

STP explanation: see the summary.

The STP root bridge is interesting for man-in-the-middle attacks because all inter-switch traffic passes through it.

Switch Attack Mitigation Techniques

Layer2VulnerabilityMitigation

Types of attacks: see the slides

  • MAC Address Table Flooding
  • VLAN Hopping Attack
    switchport mode dynamic (auto) is the default on many switches
    DTP negotiation
    the client pretends to be a switch and negotiates a trunk
    it can then send frames tagged with any VLAN
  • VLAN Double-Tagging Attack
    attacker is a member of the native VLAN
    the native VLAN is forwarded untagged over the trunk (outer VLAN 10 tag removed, inner VLAN 20 tag stays and is honoured by the next switch)
  • DHCP Starvation Attack
    tries to lease the full DHCP pool
  • DHCP Spoofing Attack
    rogue DHCP server
  • ARP spoofing and poisoning

Chapter 11: Switch Security Configuration

Implement Port Security

Secure Unused Ports

  • All ports should be secured before production use.
  • Simple method is to disable all unused ports. shutdown command

Mitigate MAC Address Table Attacks

The simplest and most effective method to prevent MAC address table overflow attacks is to enable port security.

  • Limits number of valid MAC addresses allowed on a port.

  • By limiting allowed MAC addresses on a port to one address, able to control unauthorized access.

    blockMACaddresses

Enable Port Security

Command(s)

Enable port security

sConfigIf# switchport mode access
sConfigIf# switchport port-security
sConfigIf# end

Show current port sec settings

S# show port-security "interface"

Set max allowed MAC addresses (default is 1)

sConfigIf# switchport port-security maximum "value"

Limit and Learn MAC Addresses

learnMACaddresses

For example see ppt slide 11

Port Security Aging

Used to remove secure MAC addresses without manually deleting them.

  • Absolute: The secure addresses on the port are deleted after the specified aging time.
  • Inactivity: The secure addresses on the port are deleted if they are inactive for a specified time.

Command(s)

Enable or disable static aging on a secure port

sConfigIf# switchport port-security aging { static | time "time" | type {absolute | inactivity}}

Show changes

S# show port-security interface "interface"

Port security violation modes

When a frame arrives from a MAC address that is not allowed (the maximum is already reached, or the MAC is secured on another port in the same VLAN), the configured violation mode decides what happens:

  • protect: frames from unknown MACs are dropped; no log message, no violation counter.
  • restrict: frames are dropped, a syslog message is generated and the violation counter increments; the port stays up.
  • shutdown (default): the port is placed in the error-disabled state and must be re-enabled by hand (shutdown, then no shutdown) or by errdisable recovery.

Command(s)

Choose violation mode

sConfigIf# switchport port-security violation { protect | restrict | shutdown }

Check violation mode

S# show port-security interface "interface"

Ports in error-disabled State

When a port is shutdown and placed in the error-disabled state, no traffic is sent or received on that port.

Command(s)

Check port status

S# show interface "interface" | include down

Verify security

S# show port-security

Verify security specific interface

S# show port-security interface "interface"
S# show run interface "interface"

Display secure MAC addresses

S# show port-security address
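The port security behaviour from this section (maximum MAC count, dynamic learning, and what protect, restrict and shutdown each do with a violating frame), as an added behaviour model for this summary. It is not Cisco code: the `SecurePort` class, the port name Fa0/1, the log message text and the MAC addresses are constructed for the example.

```python
"""Port security behaviour model: MAC limit and the three violation modes.

Added example for this summary, not Cisco code. It models what the text
describes for switchport port-security: a port learns up to `maximum` source
MAC addresses; a frame from any further MAC is a violation, handled according
to the violation mode. MAC addresses used below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum (default 1)
    violation: str = "shutdown"         # protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; True = forwarded, False = dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                            # port is down, nothing passes
        if src_mac in self.secure_macs:
            return True                             # already a secure MAC
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)           # dynamic (or sticky) learning
            return True
        # Violation: one MAC more than the configured maximum.
        if self.violation == "protect":
            return False                            # silent drop: no log, no counter
        self.violation_count += 1
        self.log.append(f"port-security violation on {self.name} by {src_mac}")  # constructed text
        if self.violation == "restrict":
            return False                            # drop + log + count, port stays up
        self.err_disabled = True                    # shutdown: port goes err-disabled
        return False


def simulate(mode: str, frames: list, maximum: int = 1) -> dict:
    """Run constructed frames (their source MACs) through one port and report
    what an operator would read from show port-security interface."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=mode)
    forwarded = [port.receive(mac) for mac in frames]
    return {
        "forwarded": forwarded,
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
        "secure_macs": sorted(port.secure_macs),
    }


if __name__ == "__main__":
    # Two devices behind one port with maximum 1: the second MAC is a violation.
    frames = ["aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"]
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode, frames))
```

The third frame is what separates the modes operationally: under protect and restrict the legitimate first host keeps working, under shutdown the whole port (including the legitimate host) is gone until someone clears the err-disabled state, which is why shutdown is the noisiest but also the most likely to turn a mistake in a patch panel into an outage.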

Mitigate VLAN attacks

A VLAN hopping attack can happen in three ways:

  • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From there, the attacker can send traffic tagged with the target VLAN, and the switch delivers the packets to the destination.
  • Introducing a rogue switch and enabling trunking. The attacker can access all the VLANs on the victim switch from the rogue switch.
  • A double-tagging (or double-encapsulated) attack. This abuses the way most switch hardware handles the native VLAN: the outer tag (native VLAN) is stripped when the frame leaves on the trunk, and the next switch then honours the inner tag. It only works if the attacker sits in the trunk's native VLAN, and it is unidirectional (replies go back into the victim's VLAN).

Steps to mitigate attacks:

  1. Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
  2. Disable unused ports and put them in an unused VLAN.
  3. Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
  4. Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
  5. Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command. Pick a VLAN that has no access ports at all, so no attacker can be a member of the native VLAN; that is what actually defeats double-tagging.
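The double-tagging path described above, as an added example for this summary (not Cisco code). It builds real 802.1Q frame bytes and runs them through a deliberately simplified two-switch model whose rules are stated in the docstring and are assumptions of the example, not a full switch implementation; the MAC addresses and VLAN numbers are constructed.

```python
"""802.1Q double-tagging: why the native VLAN leaks a tag, and the fix.

Added example for this summary, not Cisco code. It builds raw Ethernet frames
with stacked 802.1Q tags and pushes them through a deliberately simplified
two-switch model (assumptions of this example, not a full switch):
  - access port in VLAN v: untagged frames and frames whose outer tag is v are
    accepted (that tag is stripped), anything else is dropped;
  - trunk egress: frames in the trunk's native VLAN leave untagged, others
    get a tag;
  - trunk ingress on the peer: tagged -> that VLAN, untagged -> native VLAN.
MAC addresses and VLAN numbers are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: str, src: str, vlans: list, payload: bytes = b"") -> bytes:
    """Ethernet frame with one 802.1Q tag per entry in `vlans`, outer first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return hdr + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes) -> list:
    """Stacked VLAN IDs in a frame, outer first ([] for an untagged frame)."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans


def access_ingress(frame: bytes, access_vlan: int):
    """Switch 1, access port: (vlan, frame) after the outer tag is stripped,
    or None when the frame is tagged with a VLAN other than the access VLAN."""
    vlans = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] != access_vlan:
        return None
    return access_vlan, frame[:12] + frame[16:]         # strip only the outer tag


def trunk_egress(vlan: int, frame: bytes, native_vlan: int) -> bytes:
    """Switch 1, trunk towards switch 2: the native VLAN is sent untagged."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch 2 classifies the frame by its outer tag, or native if untagged."""
    vlans = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def delivered_vlan(attacker_vlan: int, target_vlan: int, native_vlan: int):
    """VLAN in which switch 2 delivers the attacker's double-tagged frame, or
    None if switch 1 dropped it at the access port."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vlan, target_vlan], b"constructed payload")
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, stripped = accepted
    return trunk_ingress(trunk_egress(vlan, stripped, native_vlan), native_vlan)


if __name__ == "__main__":
    # Attacker on an access port in VLAN 1, trunk native VLAN 1: lands in VLAN 20.
    print("native 1  :", delivered_vlan(1, 20, native_vlan=1))
    # Native VLAN moved to unused VLAN 999: the frame stays in VLAN 1.
    print("native 999:", delivered_vlan(1, 20, native_vlan=999))
```

With the native VLAN equal to the attacker's access VLAN the inner tag survives the trunk and switch 2 delivers the frame into VLAN 20; once the native VLAN is an unused VLAN (999), switch 1 tags the frame with VLAN 1 on egress, so the outer tag switch 2 sees is the attacker's own VLAN. Forcing the native VLAN to be tagged as well (global command vlan dot1q tag native on Cisco IOS) closes the same gap.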

Mitigate DHCP Attacks

DoS attacks can be mitigated using port security.

Spoofing attacks can be mitigated using DHCP snooping on trusted ports.

Snooping

DHCP snooping classifies every switch port as trusted (towards the legitimate DHCP server or an uplink) or untrusted (access ports). It filters DHCP messages and rate-limits DHCP traffic on untrusted ports.

A DHCP snooping binding table is built that records the source MAC address of a device on an untrusted port, its VLAN and port, and the IP address assigned to it by the DHCP server. Dynamic ARP Inspection reuses this table.

Snooping is not a throttling mechanism. Server-originated DHCP messages (OFFER, ACK, NAK) that arrive on an untrusted port are dropped outright, so a rogue server on an access port cannot answer a client at all, however fast it replies. The rate limit on untrusted ports is a separate control against DHCP starvation (a client flooding DISCOVER messages).

Scenario from the slide: a rogue server tries to get its OFFER to the client before the real server does.

  • Without snooping, whichever OFFER arrives first wins; the client accepts the rogue's default gateway and DNS server (man in the middle).
  • With snooping, the client's DISCOVER is still forwarded out of the trusted port to the real server and out of the untrusted port to the rogue, but only the real server's OFFER is allowed back in; the rogue's OFFER is dropped at its untrusted port.

Steps to implement DHCP Snooping

  1. Enable DHCP snooping

    sConfig# ip dhcp snooping

  2. Configure which ports are trusted

    sConfigIf# ip dhcp snooping trust

  3. Limit the number of DHCP discovery messages an untrusted interface can receive per second (rate limiting against starvation; not normally applied to trusted ports)

    sConfigIf# ip dhcp snooping limit rate packets-per-second

  4. Enable DHCP snooping by VLAN, or by range of VLANs.

    sConfig# ip dhcp snooping vlan

  5. Trust this info on a DHCP router

    rConfig# ip dhcp relay information trust-all

Mitigate ARP Attacks

In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.

Dynamic ARP inspection (DAI) requires DHCP snooping (it uses the snooping binding table as its source of truth) and helps prevent ARP attacks by:

  • Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
  • Intercepting all ARP Requests and Replies on untrusted ports.
  • Verifying each intercepted packet for a valid IP-to-MAC binding.
  • Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
  • Error-disabling the interface if the configured DAI rate limit of ARP packets per second is exceeded.

Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body.

Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

DAI Implementation

  • Enable DHCP snooping globally.
  • Enable DHCP snooping on selected VLANs.
  • Enable DAI on selected VLANs.
  • Configure trusted interfaces for DHCP snooping and ARP inspection.

Command(s)

Global DHCP snooping

sConfig# ip dhcp snooping

Specific VLAN DHCP snooping

sConfig# ip dhcp snooping vlan "number"

DAI on selected VLANs

sConfig# ip arp inspection vlan "number"

Trust interfaces

sConfigIf# ip dhcp snooping trust
sConfigIf# ip arp inspection trust

DAI Config Example

Can also be configured to check for destination or source MAC and IP addresses.

Command(s)

Configure DAI to drop ARP packets on invalid IP

sConfig# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
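One block that covers both the DHCP snooping binding table (Mitigate DHCP Attacks) and the DAI checks listed above (trusted-port bypass, src-mac, dst-mac, ip, and the binding lookup), as an added example for this summary. It is not Cisco code: the port names, MAC and IP addresses, and the DHCP and ARP messages are constructed sample data, and the dict layout of the messages is an assumption of the example.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI).

Added example for this summary, not Cisco code. Part 1 applies the snooping
rule: server-originated DHCP messages (OFFER, ACK, NAK) are only accepted on
trusted ports, and completed leases create bindings (port, VLAN, MAC, IP).
Part 2 runs the DAI checks over ARP packets: the optional validate checks
(src-mac, dst-mac, ip) and the IP-to-MAC binding lookup. All messages, ports
and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str


def dhcp_snoop(messages, trusted_ports):
    """Return (bindings, dropped). A message is a dict with keys
    port, vlan, type, mac (client MAC) and, for ACK/OFFER, yiaddr."""
    bindings, dropped, client_port = set(), [], {}
    for m in messages:
        mac = m["mac"].lower()
        if m["type"] in SERVER_MESSAGES and m["port"] not in trusted_ports:
            dropped.append(m)                          # rogue server on an access port
            continue
        if m["type"] in ("DISCOVER", "REQUEST"):
            client_port[mac] = (m["port"], m["vlan"])  # remember where the client sits
        elif m["type"] == "ACK" and mac in client_port:
            port, vlan = client_port[mac]
            bindings.add(Binding(port, vlan, mac, m["yiaddr"]))
    return bindings, dropped


def dai_inspect(arp, bindings, trusted_ports, validate=("src-mac", "dst-mac", "ip")):
    """Return (forward, reason) for one ARP packet (dict with port, vlan, op,
    eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip)."""
    if arp["port"] in trusted_ports:
        return True, "trusted port: not inspected"
    if "src-mac" in validate and arp["eth_src"].lower() != arp["sender_mac"].lower():
        return False, "src-mac: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and arp["op"] == "reply" \
            and arp["eth_dst"].lower() != arp["target_mac"].lower():
        return False, "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate:
        # sender IP is checked in requests and replies, target IP only in replies
        to_check = [arp["sender_ip"]] + ([arp["target_ip"]] if arp["op"] == "reply" else [])
        for ip in to_check:
            if ip in INVALID_IPS or ipaddress.IPv4Address(ip).is_multicast:
                return False, f"ip: invalid address {ip}"
    known = {(b.vlan, b.mac, b.ip) for b in bindings}
    if (arp["vlan"], arp["sender_mac"].lower(), arp["sender_ip"]) not in known:
        return False, "no DHCP snooping binding for sender IP/MAC"
    return True, "valid binding"


TRUSTED = {"Gi0/24"}                                   # uplink to the real DHCP server
PC, GW, ATTACKER = "00:11:22:33:44:55", "00:00:5e:00:01:01", "00:de:ad:be:ef:01"

SAMPLE_DHCP = [                                        # constructed exchange
    {"port": "Fa0/1", "vlan": 10, "type": "DISCOVER", "mac": PC},
    {"port": "Fa0/5", "vlan": 10, "type": "OFFER", "mac": PC, "yiaddr": "192.168.10.66"},  # rogue
    {"port": "Gi0/24", "vlan": 10, "type": "OFFER", "mac": PC, "yiaddr": "192.168.10.50"},
    {"port": "Fa0/1", "vlan": 10, "type": "REQUEST", "mac": PC},
    {"port": "Gi0/24", "vlan": 10, "type": "ACK", "mac": PC, "yiaddr": "192.168.10.50"},
]

SAMPLE_ARP = [                                         # constructed ARP packets
    {"port": "Fa0/1", "vlan": 10, "op": "reply", "eth_src": PC, "eth_dst": GW,         # legitimate
     "sender_mac": PC, "sender_ip": "192.168.10.50", "target_mac": GW, "target_ip": "192.168.10.1"},
    {"port": "Fa0/5", "vlan": 10, "op": "reply", "eth_src": ATTACKER, "eth_dst": PC,   # "I am the gateway"
     "sender_mac": ATTACKER, "sender_ip": "192.168.10.1", "target_mac": PC, "target_ip": "192.168.10.50"},
    {"port": "Fa0/5", "vlan": 10, "op": "request", "eth_src": ATTACKER, "eth_dst": "ff:ff:ff:ff:ff:ff",
     "sender_mac": PC, "sender_ip": "192.168.10.50", "target_mac": "00:00:00:00:00:00",  # spoofed body
     "target_ip": "192.168.10.1"},
]


def run_demo():
    """Snoop the sample DHCP exchange, then inspect the sample ARP packets."""
    bindings, dropped = dhcp_snoop(SAMPLE_DHCP, TRUSTED)
    verdicts = [dai_inspect(a, bindings, TRUSTED) for a in SAMPLE_ARP]
    return sorted(bindings, key=lambda b: b.port), len(dropped), verdicts


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The rogue OFFER on Fa0/5 never reaches the client, the PC's lease on Fa0/1 becomes the single binding, and of the three ARP packets only the PC's own reply is forwarded: the gateway impersonation fails the binding lookup, and the request that spoofs the PC only inside the ARP body fails the src-mac check before the binding is even consulted.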

Mitigate STP Attacks

See PortFast and BPDU Guard

Chapter 14: Routing Concepts

Path Determination

A router's primary functions are to determine the best path for each packet, based on the information in its IP routing table, and to forward the packet accordingly.

IPv4 Longest Match Example

Best path in routing table is known as longest match.

Longest match is chosen to forward packet.

ipv6routingtable

Build the Routing Table

Directly Connected Networks

  • Local interface with IP address and subnet mask
  • Active (up and up)

Remote Networks

  • Not directly connected to router
  • Can be learned in two ways:
    • Static routes: manually configured
    • Dynamic routes: dynamically learned
  • Default route is used when the routing table doesn’t contain a specific matching route, is a gateway of last resort

Packet Forwarding

Packet Forwarding Decision Process

  1. Data link frame with encapsulated IP packet arrives on the ingress interface.

  2. Router examines destination IP address in packet header and consults its IP routing table.

  3. The router finds longest match in routing table.

  4. The router encapsulates the packet in a data link frame and forwards it out the egress interface. Destination could be a device connected to the network or a next-hop router.

  5. If no matching route is found, packet is dropped

    packetforwarding

End-to-End Packet Forwarding

See ppt slides 12-15

Serial links:
  • No Ethernet frame (Cisco HDLC encapsulation instead)
  • Point-to-point (P2P), so no ARP is needed
  • Cisco HDLC broadcast address: 0x8F

Packet Forwarding Mechanisms

Primary function of forwarding mechanisms is to encapsulate packets in the correct data link frame type for the outgoing interface. The faster a router does this, the faster the router can forward packets.

Process switching (legacy)

  • Older mechanism, still available on Cisco routers

  • Forwards the packet to the control plane; the CPU determines the exit interface and forwards the packet

  • Does this for every packet, even for stream with same destination

  • Every frame uses up CPU cycles

    processSwitching

Fast switching (legacy)

  • Uses a fast-switching cache

  • When a packet arrives

    • Checks cache first
    • If not found, uses process-switched and is stored in cache
    • If found, cache is reused without CPU intervention

    fastSwitching

Cisco Express Forwarding (CEF)

  • Most recent, fastest, default Cisco IOS-packet forwarding mechanism

  • Builds a Forwarding Information Base (FIB), and adjacency table.

  • Table entries not packet-triggered, but change-triggered.

  • After convergence, all forwarding info is available.

    CEF

Basic Router Configuration Review

See ppt slides 21 - 24

filter commands

• section - This displays the entire section that starts with the filtering expression.
• include - This includes all output lines that match the filtering expression.
• exclude - This excludes all output lines that match the filtering expression.
• begin - This displays all the output lines from a certain point, starting with the line that matches the filtering expression.

IP Routing Table

Route Sources

Sources of routes in routing table have a code.

  • L: Local route, the address assigned to a router interface
    • Not yet shown on the switch stacks on campus
    • Always a /32 (IPv6: /128)
    • Lets the router efficiently determine that a packet is addressed to the interface itself instead of one that needs to be forwarded.
  • C: Directly connected network
  • S: Static route, created to reach a specific network
  • O: Dynamically learned network, using the OSPF routing protocol
  • * : Candidate for default route

Routing Table Entries

Static Routes

Manually configured. Define explicit path between two networking devices.
Not automatically updated, must be manually reconfigured.

Three primary uses:

  • For smaller networks which are not expected to grow much.
  • Uses a single default route to represent a path to a network.
  • Routes to and from stub networks.
    • Stub network: network accessed by a single route, and router has only one neighbour.

Also see ppt slides 30-36

Static and Dynamic Routing

Static or dynamic?

staticVsDynamic

Dynamic Routing Evolution

Interior Gateway Protocols (IGPs) are routing protocols used within a single organization (autonomous system).

BGP (Border Gateway Protocol) is an Exterior Gateway Protocol used to exchange routing information between different organizations, known as Autonomous Systems (AS).

BGP is used by ISPs to route packets over the internet.
Distance vector, link-state and path vector routing protocols refer to the type of routing algorithm used to determine the best path.

gatewayProtocols

Best Path

Selected by a routing protocol based on value or metric.

Common protocols and metrics

routingProtocols

Load balancing

When router has two or more paths with equal cost, it will forward packets on both paths equally. Can increase effectiveness and performance of network.

Only EIGRP supports unequal cost load balancing.

Chapter 15: IP Static Routing

When using IPv6 static routes, enable IPv6 routing first: ipv6 unicast-routing

Static Routes

Types of Static Routes

  • Standard static route
  • Default static route
  • Floating static route
  • Summary static route

Can be configured for IPv4 (rConfig# ip route ...) and IPv6 (rConfig# ipv6 route ...)

Next-Hop options

= destination of the static route

types:

  • Next-hop route: next-hop IP address
  • Directly connected static route: exit interface of router
  • Fully specified static route: next-hop Ip address AND exit interface

Commands

  • rConfig# ip route network-address subnet-mask { ip-address | exit-intf [ip-address]} [distance]
  • rConfig# ipv6 route ipv6-prefix/prefix-length {ipv6-address | exit-intf [ipv6-address]} [distance]

Examples

see ppt slides 12-15

Fully Specified Static Route

  • IPv4: used when the exit interface is a multi-access interface (e.g. Ethernet), so the router knows which next hop to ARP for
  • IPv6: when the next-hop address is a link-local address, the exit interface must be specified
    • (link-local addresses are only unique on their own link, so the exit interface is needed to identify which link the next hop is on)

Commands

  • rConfig# ip route 192.168.1.0 255.255.255.0 g0/1 172.16.2.2
  • rConfig# ipv6 route 2001:db8:acad:1::/64 s0/1 fe80::2

Verify

show ip route [static | {network}]
show running-config | section ip route

show ipv6 route [static | {network}]

Configure IP Default Static Routes

Default Static Route

  • Matches all packets: used when no other routes match
  • Connecting to service provider network or stub router

Stub Router: router with only one upstream neighbor router
img.png

Default static route in routing table (show ip route):

  • S* 0.0.0.0/0 ...
  • S ::/0 ...

Commands

  • rConfig# ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}
  • rConfig# ipv6 route ::/0 {ip-address | exit-intf}

IPv4 default static route = quad-zero route

Configure Floating Static Routes

Floating Static Routes

  • Routes that provide a backup path (when the primary route fails)
  • Configured by stating administrative distance
  • Only present in the routing table if the primary route fails

Examples: primary route + floating route

img_2.png

Configure Static Host Routes

  • Used to direct traffic to a specific destination.
  • Uses a ‘full’ subnetmask: IPv4 255.255.255.255, IPv6 /128

Examples

  • rConfig# ip route 209.165.200.238 255.255.255.255 198.51.100.2
  • rConfig# ipv6 route 2001:db8:acad:2::238/128 2001:db8:acad:1::2
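The routing-table behaviour of chapters 14 and 15 in one place: longest match (host route over network route over default route), the quad-zero default as gateway of last resort, and a floating static route that is only installed once the primary route with the same prefix goes away. This is an added example for this summary, not Cisco code; the addresses, interface names and administrative distances in `sample_table()` are constructed, and the `RoutingTable` class is a model, not IOS.

```python
"""Longest-prefix match, default route and floating static routes.

Added example for this summary, not Cisco code. A small IPv4 routing table
with the code letters used by show ip route (L, C, S, S*), a lookup that picks
the longest matching prefix and falls back to the default route, and
administrative distance deciding which candidate is installed, which is how a
floating static backup takes over only when the primary disappears.
Addresses and interface names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    code: str            # L, C, S, S* ...
    prefix: str          # "192.168.1.0/24"
    via: str             # next-hop IP or exit interface
    distance: int = 1    # administrative distance (connected 0, static 1)
    up: bool = True      # False when the exit interface / next hop is down

    @property
    def network(self):
        return ipaddress.IPv4Network(self.prefix)


class RoutingTable:
    def __init__(self, candidates):
        self.candidates = list(candidates)

    def installed(self):
        """Per prefix, only the usable candidate with the lowest AD is installed.
        A floating static route (higher AD) therefore stays out of the table
        until the primary route for the same prefix goes down."""
        best = {}
        for r in self.candidates:
            if r.up and (r.prefix not in best or r.distance < best[r.prefix].distance):
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst: str):
        """Longest match wins; 0.0.0.0/0 only matches when nothing longer does.
        None means: no route, packet dropped, ICMP unreachable to the source."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed() if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)

    def fail(self, via: str):
        """Simulate a next hop or exit interface going down."""
        for r in self.candidates:
            if r.via == via:
                r.up = False

    def show(self) -> str:
        """Roughly what show ip route prints for the installed routes."""
        return "\n".join(f"{r.code:<3}{r.prefix} [{r.distance}] via {r.via}"
                         for r in sorted(self.installed(), key=lambda r: r.network))


def sample_table() -> RoutingTable:
    """Constructed table: connected/local routes, nested statics, a host
    route, a primary default and a floating default with AD 5."""
    return RoutingTable([
        Route("C",  "192.168.1.0/24", "G0/0/0", distance=0),
        Route("L",  "192.168.1.1/32", "G0/0/0", distance=0),
        Route("S",  "10.0.0.0/8",     "172.16.2.2"),
        Route("S",  "10.1.1.0/24",    "172.16.2.2"),
        Route("S",  "10.1.1.7/32",    "172.16.2.5"),               # host route
        Route("S*", "0.0.0.0/0",      "172.16.2.2"),               # primary default, AD 1
        Route("S*", "0.0.0.0/0",      "172.16.3.2", distance=5),   # floating static backup
    ])


if __name__ == "__main__":
    rt = sample_table()
    print(rt.show())
    for dst in ("10.1.1.7", "10.1.1.9", "10.2.0.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst).prefix, "via", rt.lookup(dst).via)
    rt.fail("172.16.2.2")                     # primary next hop gone
    print("after failure: 8.8.8.8 ->", rt.lookup("8.8.8.8").via)
```

Note the side effect of the failure: not only 8.8.8.8 but also 10.2.0.1 now leaves via the floating default (172.16.3.2), because the /8 static shared the failed next hop. That is the kind of traffic shift a floating static quietly introduces, and why the backup path should be checked for what it is allowed to carry.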

Chapter 16: Troubleshoot Static and Default Routes

Packet Processing with Static Routes

img_1.png
No match and no default route:
packet dropped
ICMP response from R1 (source: the IP of its interface): DESTINATION HOST UNREACHABLE

PC1 -> PC3
Suppose 192.168.1.1 answers "destination host unreachable":
R3 G0/0/0 is shut down,
so the route is not in the routing table

PC1 -> PC3
Suppose 172.16.2.2 answers "destination host unreachable":
problem with R2's routes

  1. PC1 addresses a packet to PC3 and sends it to its default gateway
  2. R1 decapsulates the packet and searches for a match in the routing table
  • Options:
    • Match found: use the static route to find the next-hop address or exit interface
    • No match, but a default route: use the default route
    • No match: drop the packet and send an ICMP unreachable message back to the source
  • Option "match found":
  1. R1 encapsulates the packet into a new frame and forwards it to R2
  2. R2 follows the same process and forwards a new frame to R3
  3. R3: the destination address matches directly connected interface g0/0/0
     R3 searches its ARP table for the Layer 2 MAC address of PC3
  4. If no entry exists: ARP request out of interface g0/0/0
  5. PC3 responds with an ARP reply
  6. R3 encapsulates the packet into a frame with PC3's MAC address as the destination MAC address
  7. The frame is forwarded and PC3 receives it

Troubleshoot IPv4 Static and Default Route Configuration

Common troubleshooting commands

ping
traceroute
show ip route
show ip interface brief
show cdp neighbors // list of directly connected Cisco devices

other

802.1X = port-based access control
802.1Q = VLAN trunking (tagging)
802.1D = STP
802.1w = RSTP
802.3ad = LACP
802.11 = Wi-Fi

VLSM:

Addresses   Usable hosts   Prefix   Mask (last octet)
    1           -           /32      .255   (host route)
    2           0           /31      .254   (usable on point-to-point links, RFC 3021)
    4           2           /30      .252
    8           6           /29      .248
   16          14           /28      .240
   32          30           /27      .224
   64          62           /26      .192
  128         126           /25      .128
  256         254           /24      .0

final exam: