CCNP Route 300-101 – ICMP Unreachable and Redirects

ICMP Destination Unreachable

ICMP Destination Unreachable is a Type 3 message that a router (or host) generates to tell the sender why the destination it is trying to reach cannot be delivered to; the code field reflects the status of the device or path being accessed.

ICMP Unreachable Type 3 codes:

  • 0 – Network unreachable
  • 1 – Host unreachable (e.g. telnet to an unknown IP address within a directly connected subnet)
  • 2 – Protocol unreachable
  • 3 – Port unreachable (what the destination returns to the UDP probes of a Cisco traceroute)
  • 4 – Fragmentation needed but DF bit set
  • 5 – Source route failed
  • 6 – 8 – destination network/host unknown errors
  • 9, 10, 13 – Administratively prohibited (e.g. telnet to an interface where an access-list filters the connection)
  • 11, 12, 14, 15 – ToS / precedence related

ICMP Redirect

ICMP Redirect is a Type 5 message which routers use to advise the source device of a better path (a better next hop on the same link).

ICMP Redirect Type Code:

  • 0 – Network
  • 1 – Host
  • 2 – Type of Service & Network
  • 3 – Type of Service & Host

I am covering these topics in my study preparation for CCNP and I will update this article as I go along.

CCNP Route 300-101 – RIPng

RIPng (RIP next generation) is the IPv6 version of the RIP routing protocol.

  • Default update (hello) timer: 30 seconds
  • Default dead (expire) timer: 180 seconds
  • Multicast address: FF02::9
  • Transport: UDP port 521
  • Administrative distance: 120
  • The RIP process name does not need to match on neighboring routers.

Configure RIPng on a router:

  1. Enable IPv6 routing in global configuration mode

ipv6 unicast-routing

  2. Configure the RIPng process

ipv6 router rip [NAME]

  3. Configure the interface for IPv6

ipv6 address X:X:X:X::/64 [eui-64]

or

ipv6 enable

  4. Enable RIPng on the interface

ipv6 rip [NAME] enable

Output of show ipv6 route rip:

IPv6 Routing Table – 6 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
U – Per-user Static route, M – MIPv6
I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
D – EIGRP, EX – EIGRP external
R 2222::/64 [120/2]
via FE80::C202:46FF:FED7:0, FastEthernet0/0

Output of show ipv6 rip:

RIP process “WAN”, port 521, multicast-group FF02::9, pid 218
Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 207, trigger updates 7
Interfaces:
FastEthernet0/1
FastEthernet0/0
Redistribution:
None

Output of show ipv6 protocols:

IPv6 Routing Protocol is “rip WAN”
Interfaces:
FastEthernet0/1
FastEthernet0/0
Redistribution:
None

Output of show ipv6 rip next-hops:

RIP process “WAN”, Next Hops
FE80::C202:46FF:FED7:0/FastEthernet0/0 [2 paths]

This article will be updated as I go along.

CCNP Route 300-101 – Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is a feature that lets the router drop packets whose source IP address is unknown or spoofed as they arrive on an interface. uRPF looks the source address up in the Cisco Express Forwarding (CEF) FIB, so only CEF-capable devices support it.

uRPF has two modes:

  • Strict mode – the packet passes only if the FIB's best route back to its source address points out the interface the packet arrived on.
  • Loose mode – the packet passes if the FIB has any route (via any interface) back to the source address. This mode is preferred for networks with multiple uplinks or interfaces, where the return path may not use the ingress interface.

Strict mode configuration

R1(config-if)# ip verify unicast source reachable-via rx [access-list]

The rx keyword selects strict mode in the command.

Loose mode configuration

R1(config-if)# ip verify unicast source reachable-via any [access-list]

The any keyword selects loose mode in the command.

uRPF verification

You can verify that spoofed source addresses are being dropped with the following command:

show ip interface [interface #] | section IP verify

The verification drops counter shows the number of packets dropped on the interface because of a spoofed source, as seen in the image below.

R2, using the spoofed IP address 1.2.2.2, is trying to reach destination IP address 3.3.3.3 but is blocked by R1 using uRPF. The show command on R1 displays 5 verification drops.

You can also create an access-list that logs the denied packets and attach it to uRPF with the following commands:

! Create Extended Access-list

R1(config)# access-list 100 deny ip any any log

! Under the interface, attach the access-list to uRPF

R1(config-if)# ip verify unicast source reachable-via rx 100

For the same R1 example, the uRPF packet drops are shown by the access-list 100 log, as seen below:

(image: uRPF_accesslist-log)

I hope this article helps to understand the use of uRPF.

CCNP Route 300-101 – Cisco Express Forwarding (CEF)

Cisco Express Forwarding (CEF) is a topology-based switching technology. It is enabled by default on most Cisco routers and Layer 3 switches.

device(config)# ip cef

CEF is made up of two tables:

  • Forwarding Information Base (FIB)
  • Adjacency table

Forwarding Information Base (FIB) table – maintains the next-hop Layer 3 address information derived from the IP routing table. CEF uses the FIB to make destination-prefix-based switching decisions. The command to display the FIB:

show ip cef

Adjacency table – maintains the Layer 2 next-hop addresses for all FIB entries. If the information is not available, ARP is used to discover it. The command to display the adjacency table:

show adjacency

Types of adjacency that require special handling

  • Null – packets destined for a Null0 interface
  • Glean – used for directly connected routes; tells the router to check the ARP table because the Layer 2 address is not yet known
  • Punt – used for packets that cannot be forwarded by CEF; they are sent to the next-level switching method
  • Discard – packets discarded by an access-list or other policy
  • Drop – packets that cannot be forwarded because of an encapsulation error or unsupported protocol

CEF can be enabled in one of two modes:

  • Central CEF mode – When CEF mode is enabled, the CEF FIB and adjacency tables reside on the route processor, and the route processor performs the express forwarding. You can use CEF mode when line cards are not available for CEF switching, or when you need to use features not compatible with distributed CEF switching.
  • Distributed CEF (dCEF) mode – When dCEF is enabled, line cards maintain identical copies of the FIB and adjacency tables. The line cards can perform the express forwarding by themselves, relieving the main processor – Gigabit Route Processor (GRP) – of involvement in the switching operation. This is the only switching method available on the Cisco 12000 Series Router.

Packets that CEF cannot handle (they are punted):

  • IP header options
  • Expiring TTL
  • Tunnel interface
  • Exceeds the MTU
  • ICMP redirect

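A worked model of the uRPF section above and of the FIB/adjacency behaviour described here, added as an example (not code from these notes or from Cisco). It uses a constructed FIB and adjacency table with made-up prefixes, interface names and MAC addresses: a longest-prefix lookup returns the adjacency action (complete, glean, punt, null), and the uRPF check applies the strict (rx) or loose (any) rule against the same FIB, as in the R1/R2 example where the spoofed source 1.2.2.2 has no route.

```python
import ipaddress

# Constructed FIB for a router like R1 in the uRPF notes: R2 is reached through
# Gi0/0, the 3.3.3.0/24 destination through Gi0/1. Each entry is
# (prefix, outgoing interface, next hop); a Null0 route has no next hop.
FIB = [
    ("1.1.1.0/24",    "Gi0/0",   "1.1.1.2"),
    ("3.3.3.0/24",    "Gi0/1",   "3.3.3.1"),
    ("10.0.0.0/8",    "Gi0/1",   "10.0.0.254"),   # next hop's MAC not resolved yet
    ("172.16.0.0/16", "Tunnel0", "172.16.0.1"),   # tunnel: CEF punts these
    ("192.0.2.0/24",  "Null0",   None),           # discard route
]

# Constructed adjacency table, keyed by next hop. A next hop missing here is a
# "glean" adjacency (connected, but ARP has not resolved the MAC yet).
ADJACENCY = {
    "1.1.1.2":    ("complete", "0000.0c11.2233"),
    "3.3.3.1":    ("complete", "0000.0c44.5566"),
    "172.16.0.1": ("punt", None),
}

def fib_lookup(dst: str):
    """Longest-prefix match: the decision CEF makes from the FIB."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best

def forward(dst: str) -> str:
    """Return the adjacency action CEF would take for a packet destined to dst."""
    route = fib_lookup(dst)
    if route is None:
        return "drop: no route"
    _net, iface, nh = route
    if iface == "Null0":
        return "null: discarded"
    adj = ADJACENCY.get(nh)
    if adj is None:
        return f"glean: ARP for {nh} on {iface}"
    kind, mac = adj
    if kind == "punt":
        return "punt: process-switched"
    return f"forward via {iface} to {mac}"

def urpf_passes(src: str, ingress: str, strict: bool) -> bool:
    """'ip verify unicast source reachable-via rx' (strict) or 'any' (loose).

    Strict: the best route back to the source must leave through the
    ingress interface. Loose: any route to the source that is not a
    Null0 discard route is enough.
    """
    route = fib_lookup(src)
    if route is None or route[1] == "Null0":
        return False
    return route[1] == ingress if strict else True

if __name__ == "__main__":
    # The spoofed source from the notes arrives from R2 on Gi0/0.
    print(urpf_passes("1.2.2.2", "Gi0/0", strict=True))    # False: no route to source
    print(urpf_passes("10.1.1.1", "Gi0/0", strict=True))   # False: route points out Gi0/1
    print(urpf_passes("10.1.1.1", "Gi0/0", strict=False))  # True: some route exists
    print(forward("3.3.3.3"))                              # forward via Gi0/1 to 0000.0c44.5566
```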

Reference:

https://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/47321-ciscoef.html#cef-ops

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-overview.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/47321-ciscoef.html#GUID-993D4B0C-C032-420D-8304-F56AAB1CECC6

 

CCNP Route 300-101 – IPv6 Knowledge

This article shares knowledge about IPv6 (Internet Protocol version 6) in a simple way.

The first thing to know before understanding IPv6 is that an IPv6 address is 128 bits long and is written in hexadecimal, so it is helpful to know the binary and decimal equivalent of each hex digit.

Please see below the table showing this information:

Hex Binary Decimal
0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8
9 1001 9
A 1010 10
B 1011 11
C 1100 12
D 1101 13
E 1110 14
F 1111 15

The next aspect of IPv6 addressing to understand is that, just as an IPv4 address is split into octets (10.10.10.1) separated by a dot (.), an IPv6 address is split into quartets (2000:ABCD:0000:0000:0000:0000:0000:0001) separated by a colon (:). Each quartet is made up of 4 hexadecimal digits (16 bits).

An example of an IPv6 address is below, along with the binary of each quartet:

Quartet Hexadecimal Binary
1st 2000 0010 0000 0000 0000
2nd ABCD 1010 1011 1100 1101
3rd 0000 0000 0000 0000 0000
4th 0000 0000 0000 0000 0000
5th 0000 0000 0000 0000 0000
6th 0000 0000 0000 0000 0000
7th 0000 0000 0000 0000 0000
8th 0001 0000 0000 0000 0001

Shortening the IPv6 Address

There are two methods we can use to shorten an IPv6 address to make it easier to write; supported devices apply the same rules.

  1. Eliminate the leading zeros in each quartet.
  2. Use the double colon (::) to represent consecutive quartets of zeros. This can only be applied once in an IPv6 address.

Let us use the example IPv6 address 2000:ABC0:00ED:0000:0000:1234:0000:0001.

Applying rule 1 to eliminate the leading zeros gives:

2000 : ABC0 : 00ED : 0000 : 0000 : 1234 : 0000 : 0001
2000 : ABC0 : ED : 0 : 0 : 1234 : 0 : 1

Then we apply rule 2, using the double colon (::) to replace the consecutive quartets of zeros:

2000 : ABC0 : ED : 0 : 0 : 1234 : 0 : 1
2000 : ABC0 : ED :: 1234 : 0 : 1
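The two shortening rules as a function, added here as an example (not code from these notes): rule 1 strips leading zeros, rule 2 replaces the longest run of two or more zero quartets with "::" exactly once (the first run wins a tie, and a single zero quartet stays "0"), and the result is cross-checked against Python's ipaddress module.

```python
import ipaddress

def expand(addr: str) -> list:
    """Return the eight 4-digit quartets of an uncompressed IPv6 address."""
    quartets = addr.replace(" ", "").split(":")
    if len(quartets) != 8:
        raise ValueError("expected eight quartets, got %d" % len(quartets))
    return [q.zfill(4).upper() for q in quartets]

def shorten(addr: str) -> str:
    """Apply the two shortening rules from the notes.

    Rule 1: drop leading zeros in every quartet ("00ED" -> "ED", "0000" -> "0").
    Rule 2: replace ONE run of two or more all-zero quartets with "::".
            If several runs qualify, the longest (first on a tie) is replaced;
            a lone "0" quartet is left as "0".
    """
    quartets = [q.lstrip("0") or "0" for q in expand(addr)]   # rule 1

    # Find the longest run of consecutive "0" quartets (length >= 2).
    best_start, best_len = -1, 0
    run_start = None
    for i, q in enumerate(quartets + ["x"]):   # sentinel closes the last run
        if q == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            run_len = i - run_start
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start = None
    if best_len < 2:
        return ":".join(quartets)               # nothing to compress with "::"

    left = quartets[:best_start]
    right = quartets[best_start + best_len:]
    return ":".join(left) + "::" + ":".join(right)   # rule 2, applied once

def check_against_stdlib(addr: str) -> bool:
    """Cross-check our result with the standard library's canonical form."""
    canonical = ipaddress.IPv6Address(addr.replace(" ", "")).compressed
    return shorten(addr).lower() == canonical

if __name__ == "__main__":
    example = "2000:ABC0:00ED:0000:0000:1234:0000:0001"    # address from the notes
    print(shorten(example))                                  # 2000:ABC0:ED::1234:0:1
    print(shorten("2001:0DB8:0000:0001:0000:0000:0000:0001"))  # longest run wins
```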

IPv6 Prefix

The IPv6 address has two main parts:

  1. Prefix (Network ID)
  2. Interface ID (Host ID)

The IPv6 prefix is written in CIDR notation as /XX. For example, in 2000::/3 the /3 tells you that the first 3 bits identify the network portion of the IPv6 address space.

The prefix is also subdivided:

  1. Registry prefix – assigned by IANA to an RIR
  2. ISP prefix – assigned by an RIR to an ISP
  3. Site prefix (Global Routing Prefix) – assigned by an ISP to a customer
  4. Subnet prefix – assigned by the customer's engineer internally

RIR – Regional Internet Registry

IANA – Internet Assigned Numbers Authority

IPv6 Address Types

The unspecified address is used by an IPv6 node that has not yet obtained an IPv6 address.

The global address space is reserved for routing on the Internet and is allocated by IANA.

A multicast address is joined by IPv6 nodes depending on the group (class) the device is part of, which is discussed later.

The link-local address is assigned automatically by the IPv6 node, using the EUI-64 method, once IPv6 is enabled on an interface.

Type of address   Leading bits (binary)           IPv6 notation
Unspecified       0000…0 (all 128 bits zero)      ::/128
Loopback          0000…1                          ::1/128
Global            001 (first 3 bits)              2000::/3 (2000 – 3FFF)
Multicast         1111 1111 (first 8 bits)        FF00::/8
Link-local        1111 1110 10 (first 10 bits)    FE80::/10

There is another special identifier, the Extended Unique Identifier (EUI-64), which uses the 48-bit MAC address as part of the IPv6 address. The MAC address is 16 bits short of the 64 bits needed, so FFFE is inserted in the middle of the MAC address. The other modification required to derive the EUI-64 interface ID is that the 7th bit of the first byte (the universal/local bit) must be flipped. To better understand this, the rules are listed in the table below:

Step  Rule                                                              Address
1     Get the MAC address                                               AAAA.BBBB.CCCC
2     Insert FFFE in the middle of the MAC                              AAAABB FFFE BBCCCC
3     Flip the 7th bit: convert the first 2 hex digits to binary,       AA = 1010 1010 -> 1010 1000 = A8
      flip the 7th bit, then convert back to hexadecimal                A8AA:BBFF:FEBB:CCCC
4     Apply the network prefix (in the example the link-local           FE80:0000:0000:0000:A8AA:BBFF:FEBB:CCCC/64
      prefix FE80::/10, used as a /64 on the interface)
5     Shorten the IPv6 address                                          FE80::A8AA:BBFF:FEBB:CCCC/64

Local Multicast Address

IPv6 local multicast address   Description
FF02::1                        All nodes
FF02::2                        All routers
FF02::5                        All OSPF routers
FF02::6                        OSPF designated routers
FF02::9                        All RIP routers
FF02::A                        All EIGRP routers
FF02::1:FFxx:xxxx              Solicited-node, where xx:xxxx are the last 6 hex digits (24 bits) of the IPv6 unicast address

IPv6 Node Layer 2 Communication

When an IPv6 node sends to a multicast address, the Layer 2 (MAC) destination is built from the IPv6 multicast address in the following format:

3333 : xxxx : xxxx

where x is the last 8 hex digits (32 bits) of the IPv6 multicast address; for example, FF02::1 (all nodes) maps to the MAC address 3333.0000.0001.

For the solicited-node address, after 3333 comes FF and then the last 6 hex digits of the unicast address, as shown below:

3333 : FFxx : xxxx
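The EUI-64 steps, the solicited-node address and the Layer 2 multicast mapping as added example code (not from these notes); the MAC address AAAA.BBBB.CCCC is the one from the table above, and the colon-notation MAC in the test is constructed.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (aaaa.bbbb.cccc) or colon/dash (aa:bb:cc:dd:ee:ff) notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("a MAC address is 48 bits = 12 hex digits")
    return bytes.fromhex(digits)

def eui64_interface_id(mac: str) -> bytes:
    """Steps 2 and 3 from the table: insert FFFE in the middle, flip the 7th bit.

    The 7th bit of the first byte is the universal/local (U/L) bit; flipping it
    is what turns AA (1010 1010) into A8 (1010 1000) in the worked example.
    """
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])   # 48 + 16 = 64 bits
    iid[0] ^= 0x02                                  # flip bit 7 (value 2) of byte 0
    return bytes(iid)

def link_local(mac: str) -> str:
    """Steps 4 and 5: FE80::/64 prefix + interface ID, then shortened."""
    addr = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))
    return addr.compressed.upper()

def solicited_node(unicast: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the last 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    group = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24
    return ipaddress.IPv6Address(group).compressed.upper()

def multicast_mac(v6_multicast: str) -> str:
    """Layer 2 mapping: 33:33 followed by the last 32 bits of the IPv6 group address."""
    low32 = ipaddress.IPv6Address(v6_multicast).packed[-4:]
    h = (b"\x33\x33" + low32).hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"            # Cisco dotted notation

if __name__ == "__main__":
    ll = link_local("AAAA.BBBB.CCCC")
    print(ll)                                   # FE80::A8AA:BBFF:FEBB:CCCC
    print(solicited_node(ll))                   # FF02::1:FFBB:CCCC
    print(multicast_mac("FF02::1"))             # 3333.0000.0001
    print(multicast_mac(solicited_node(ll)))    # 3333.FFBB.CCCC
```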

IPv6 Address Dynamic Assignment

Stateless Address Auto Configuration (SLAAC)

  • The IPv6 address is derived from the network prefix (learned from router advertisements) plus an interface ID built from the MAC address (EUI-64)
  • Stateless DHCPv6 can be used alongside it to supply DNS and other options
  • The prefix must be /64
  • No DHCP address pool needs to be configured on the router

Stateful DHCP

  • The IPv6 address is dynamically assigned to the host by the DHCP server along with DNS and gateway.

Domain Name System (DNS) configuration via Router Advertisement options – RFC 6106

IPv6 Neighbor Discovery Protocol (NDP)

Neighbor Discovery Protocol is defined in RFC 4861.

NDP Message Types

  • Router Solicitation (ICMPv6 type 133)
    • Asking router for information
  • Router Advertisement (ICMPv6 type 134)
    • Router responding with information
  • Neighbor Solicitation (ICMPv6 type 135)
    • Asking the neighbor for information
  • Neighbor Advertisement (ICMPv6 type 136)
    • Neighbor responding with information
  • Redirect (ICMPv6 type 137)
    • redirect of a packet

Function of NDP

  • Duplicate Address Detection (DAD)
  • Router Discovery
  • Address Configuration
  • L2 (link-level) Resolution
  • Redirection of a Packet

CCNP R&S Switch: First Hop Redundancy Protocol Inner Workings

This article identifies the important information to know about the three (3) First Hop Redundancy Protocols (FHRP) supported on Cisco devices.

The three FHRP are:

  • HSRP – Hot Standby Router Protocol
  • VRRP – Virtual Router Redundancy Protocol
  • GLBP – Gateway Load Balancing Protocol

HSRP

  • The virtual MAC addresses are as follows, based on version:
    • v1: 0000.0c07.acXX (XX is the group number in hex)
    • v2: 0000.0c9f.f000 – 0000.0c9f.ffff
  • Sends hello messages every 3 seconds to a multicast address on UDP port 1985:
    • 224.0.0.2 (v1)
    • 224.0.0.102 (v2)
  • Preemption is disabled by default
  • The HSRP virtual IP address cannot be the same as the interface address of any device in the group
  • The same group number can be used on different interfaces of a device
    • v1 group range 0 – 255
    • v2 group range 0 – 4095
  • If the priority is equal on all devices in a group, the device with the highest IP address wins
  • v1 and v2 are not interoperable
  • Router roles are either Active or Standby

VRRP

  • This protocol is an open standard (IETF), not Cisco proprietary
  • The virtual MAC address is 0000.5e00.01RR (RR represents the virtual router identifier, VRID)
  • Sends hello messages every 1 second to multicast address 224.0.0.18 using IP protocol 112
  • Preemption is enabled by default
  • Router roles are either Master or Backup
  • The protocol has the option to learn the timers from the Master:
    • vrrp # timers learn

GLBP

  • The virtual MAC address is 0007.b400.GGFF (GG is the GLBP group number and FF is the AVF number)
  • Sends hello messages every 3 seconds to multicast address 224.0.0.102 on UDP port 3222
  • All devices in the group can be an AVF (Active Virtual Forwarder)
  • Only one AVG (Active Virtual Gateway) is elected
  • The AVG assigns a virtual MAC address to each AVF
  • The AVG is responsible for responding to ARP requests for the virtual IP address
  • load balancing methods
    • round-robin (default)
    • host-dependent
    • weighted
  • preemption is disabled by default
  • GLBP uses 3 packet types: Hello, Request and Reply

The details listed are not exhaustive; they will be updated in the future.

Passing my CCNP Switch 300-115 Exam

I am on a journey to certify my networking experience after years in the field by targeting the CCNP Routing & Switching certification. It is a challenging and tedious journey, especially with information relating to some aspects of routing or switching that is not commonly known and that you simply have to research on Google.

After acquiring my CCNA R&S in 2009, I decided to take a break. I ended up waiting until the certification almost expired in 2012, when I attempted the CCNA R&S composite exam on the last day in an effort to renew it, but I failed miserably (which I totally regret). The expired status forced me to redo the entire CCNA R&S track, ICND1 and ICND2.

I was advised not to do the composite exam because it is skills against time, which would put me under pressure. I took the advice and did the exams in two parts, and I was successful within one year.

With the enthusiasm after passing and achieving my CCNA R&S certification, I started on the CCNP track by tackling the CCNP R&S Switch exam first. After one month of studying, and with the CCNA knowledge fresh in my mind, I took the exam and failed by a few points. Man, this was heart-rending. I decided: no, this is not going to deter me. I went back after two months and did it again. Wow, the same result. This journey continued for seven (7) attempts and finally I passed the exam with flying colors on November 8, 2019.

After reviewing the topics and objectives of the CCNP R&S Switch 300-115 exam and my seven (7) exam experiences, I formulated the following recommendations for preparing for the CCNP R&S Switch 300-115, which can apply to any Cisco exam:

  1. Know the protocol inner workings.
  2. Know the compatibility of more than one protocol working together, e.g. Private VLAN with SPAN, or STP with Protected Port.
  3. Know the scenarios or cases that the features best fit. For example, Private VLAN is good for using one IP subnet while separating customers from each other, as in an ISP case.
  4. Pay attention to the percentage or weight of each topic or section on the blueprint and focus more on those features.
  5. Read the Cisco documentation for in-depth information on each feature that is missing from other resources. This information will also help with cases or scenario questions.
  6. Lab and practice with real gear; my recommendations:
    1. Cisco 3750: for stacking
    2. Cisco 3560: private VLANs, SVI
    3. Cisco 2960: PVLAN not supported, SVI
  7. Practice tests (MeasureUp is good)
  8. Set your exam date, work out a schedule from that date and stick to it.
  9. Create a study schedule for each topic on the exam blueprint.

The resources I used to prepare:

  1. Cisco CCNP SWITCH 300-115 Hands-on Labs Exam Prep (CBT Nuggets)
  2. Cisco CCNP Routing and Switching 300-115 SWITCH
  3. CCNP Switching (300-115) Cert Prep: 1 Layer 2 Technologies – LinkedIn Learning
  4. CCNP Switching (300-115) Cert Prep: 2 Infrastructure Security and Services – LinkedIn Learning
  5. Cisco 3750 switch configuration guide (from Cisco docs)
  6. CCNP Routing and Switching SWITCH 300-115 Official Cert Guide (Pearson IT Certification)

I have study notes that I will share in the coming weeks for those who are preparing for the CCNP R&S Switch 300-115 exam. Although Cisco is changing its exams on February 24, 2020, I am still aiming to complete my CCNP R&S certification before then, in which case I will also earn the CCNP Enterprise certification, a plus for me.

My Exam Schedule – CCNP R&S

CCNP R&S Route – December 2019

CCNP R&S TShoot – February 2020


Cisco Stackwise – Stack Master Election

I was studying the topic of StackWise under CCNP R&S Switch and saw some discrepancies in the order of the stack master election.

I had to resort to the Cisco 3750-X configuration guide for clarification, and this is what I discovered:

The stack master election is done in this order:

  1. The switch that is currently the stack master
  2. The switch with the highest stack member priority value
  3. The switch that is not using the default interface-level configuration
  4. The switch with the highest-ranked IOS feature set:
    1. IP services
    2. IP base
  5. The switch with the longest uptime
  6. The switch with the lowest MAC address
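The six-step order as a comparison key, added as an example (not from the notes or from Cisco): each tie-breaker only matters when every earlier one is equal, and step 6 is the one place where the lowest value wins. The stack members and their MAC addresses are constructed.

```python
# Rank of the IOS feature set for step 4: IP services beats IP base.
FEATURE_RANK = {"ipservices": 2, "ipbase": 1}

def election_key(sw: dict) -> tuple:
    """Sort key whose elements are compared in order, one per election step.

    Every element is arranged so that the LARGER value wins, which is why the
    MAC address (step 6, where the lowest wins) is negated after conversion
    to an integer. Python compares tuples element by element, so a later
    step only matters when all earlier steps tie.
    """
    mac_int = int(sw["mac"].replace(".", ""), 16)
    return (
        sw["is_current_master"],              # 1. the current stack master
        sw["priority"],                       # 2. highest member priority (1-15)
        not sw["default_interface_config"],   # 3. non-default config wins
        FEATURE_RANK[sw["feature_set"]],      # 4. richest IOS feature set
        sw["uptime_seconds"],                 # 5. longest uptime
        -mac_int,                             # 6. lowest MAC address
    )

def elect_stack_master(switches: list) -> str:
    """Return the name of the switch that wins the election."""
    return max(switches, key=election_key)["name"]

def make_switch(name, mac, priority=1, master=False, default_cfg=True,
                feature_set="ipbase", uptime=0) -> dict:
    """Helper to build a constructed stack member record."""
    return {"name": name, "mac": mac, "priority": priority,
            "is_current_master": master, "default_interface_config": default_cfg,
            "feature_set": feature_set, "uptime_seconds": uptime}

# Constructed stack: no current master and equal priorities, so the election
# falls through to steps 3 to 6.
STACK = [
    make_switch("sw1", "0011.2233.4455", uptime=90000),
    make_switch("sw2", "0011.2233.4466", default_cfg=False, feature_set="ipservices", uptime=100),
    make_switch("sw3", "0011.2233.4400", default_cfg=False, feature_set="ipservices", uptime=100),
]

if __name__ == "__main__":
    print(elect_stack_master(STACK))   # sw3: steps 3-5 tie for sw2/sw3, lowest MAC wins
```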

I hope this clarifies the stack master election.


Link Aggregation (LAG) Port (EtherChannel – Cisco)

In the field of networking, there is a concept called Link Aggregation (LAG), a technology that combines more than one physical link into one logical link. It is usually implemented for link redundancy and, in some cases, higher throughput, depending on the vendor. It is used mostly to connect servers that have multiple network cards to switches. LAG ports are usually bundled in even numbers, e.g. 2, 4, 8.

In this article, we focus on the vendor Cisco, which calls this technology by a different name, "EtherChannel".

There are two negotiation protocols used on Cisco switches to support EtherChannel:

  • LACP – Link Aggregation Control Protocol (IEEE 802.3ad standard)
  • PAgP – Port Aggregation Protocol (Cisco proprietary)

LACP modes

  • Active
  • Passive

PAgP modes

  • Auto
  • Desirable

Manual – on (no negotiation protocol)

Etherchannel configuration

switch(config-if-range)# channel-protocol [lacp | pagp]

switch(config-if-range)# channel-group # mode [active | passive | auto | desirable | on]

Etherchannel load-balance

  • src-mac (default)
  • dst-mac
  • src-ip
  • dst-ip
  • src-dst-mac
  • src-dst-ip

Load-balance configuration

switch(config)# port-channel load-balance [balance-option]

Layer 3 Etherchannel

An EtherChannel port becomes a Layer 3 (routed) port once you disable switchport on the port-channel interface:

switch(config)# interface port-channel 1

switch(config-if)# no switchport

Show a summary of the EtherChannel:

show etherchannel summary

Tips:

  • Configuration applied to the port-channel interface is also applied to all the physical interfaces assigned to the port-channel group.
  • Layer 3 EtherChannel interfaces are not supported on LAN Base switches.
  • The following Ethernet port settings must match when configuring the EtherChannel:
    • Speed
    • Duplex
    • Native VLAN
    • VLAN range
    • Trunking status
    • Trunking type
  • When configuring the EtherChannel modes, at least one side must be in an active negotiating state (Desirable or Active).
  • A maximum of 8 interfaces are supported in one EtherChannel, and the maximum number of port-channels on a switch is 64, depending on the switch model.
  • PAgP is not supported for cross-stack EtherChannels.


Recovering from a BitLocker System Lockout after a BIOS Update

We had a user who was not abiding by the rule to store all company data on the network drives, where it is protected and backed up by our systems.

The user's laptop got a BIOS upgrade and unfortunately the laptop then rebooted requesting the BitLocker recovery password. In our environment, BitLocker recovery passwords are registered in Active Directory upon activation, but for some reason unknown to us, it was not there for this particular laptop.

Our colleague at the site researched a way to overcome this challenge and found the following solution:

  1. Download an application that can build a bootable DOS USB drive, e.g. Rufus.
  2. Run the application to build the bootable USB drive (you might have to format the USB drive as FAT32 first).
  3. Download all BIOS updates for the computer model from the vendor support site (if you remember the previously installed BIOS version, you can download just that version).
  4. Boot the computer from the USB drive and run each BIOS installer from the command prompt (at this point, you are trying to find the BIOS version that was installed before the update; if you already know the version, just install it).
  5. After updating the BIOS, reboot the computer to verify whether Windows boots up successfully.
  6. If unsuccessful, go back to step 4 and run the next BIOS version file.

    NOTE: Run the BIOS versions from the latest to the oldest.