
Tuesday, April 2, 2013

Evaluating Network Gear Performance

 
Choosing the right equipment for your network is hard. Even ignoring the ever-growing roster of features one must account for when evaluating candidate hardware, it's important not to overlook performance limitations. Below are some of the most crucial characteristics to consider when doing your research.

Throughput

Throughput is the rate at which a device can convert input to output. This is different from bandwidth, which is the rate at which data travels across a medium. An Ethernet switch, for example, might have 48 ports running at an individual bandwidth of 1 Gbps each but be able to switch only a total of 12 Gbps among the ports at any given time. This is said to be the switch's maximum throughput.
 
Throughput is measured in two units: bits per second (bps) and packets per second (pps). Most people are familiar with bits per second. This is the amount of data which flows through a particular point within a duration of one second, typically expressed in megabits (Mbps) or gigabits (Gbps) per second. Capitalization is important here. A lowercase 'b' indicates bits, whereas an uppercase 'B' indicates bytes. Speed is always measured in bits per second, with a lowercase 'b' (Kbps or Mbps).
 
Packets per second, similarly expressed most often as Kpps or Mpps, is another way of evaluating throughput. It conveys the number of packets or frames which can be processed in one second. This approach to measuring throughput is used to expose limitations of the processing power of devices, as shorter packets demand more frequent forwarding decisions. For example, a router might claim a throughput of 30 Mbps using full-size packets. However, it might also be limited to processing 40 Kpps. If each packet received were the minimum size of 64 bytes (512 bits), the router would be limited to just 20.48 Mbps (512 * 40,000 = 20,480,000 bps) of throughput.
 
Cisco maintains often-cited baseline performance measurements for its most popular routers and switches. If you work out the math, you can see that the Mbps numbers listed in the router performance document were derived using minimum-length (64 byte) packets. These numbers thus present a worst-case scenario. Packets on a production network typically vary widely in size, and larger packets will yield higher bits-per-second rates.
 
Keep in mind that these benchmarks were taken with no features other than IP routing enabled. Adding additional features and services such as access control lists or network address translation may reduce throughput. Unfortunately, it's impractical for a vendor to list throughput rates with and without myriad features enabled, so you'll have to do some testing yourself.
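The arithmetic above is worth having in a reusable form, because the interesting question when sizing a device is not the headline Mbps figure but the packet size at which the pps limit stops being the bottleneck. The following is an added example (not code from the original post); it uses the figures quoted in the text (30 Mbps, 40 Kpps, 64-byte packets) and the WS-X6816-10G-2T oversubscription figures, and all function names are its own.

```python
# Added example: where a device's bits-per-second and packets-per-second
# limits bind, using the figures quoted in the text.

MIN_FRAME_BYTES = 64     # minimum Ethernet frame, the worst case for a pps-limited device
MAX_FRAME_BYTES = 1518   # maximum standard (non-jumbo) Ethernet frame


def pps_to_bps(pps, frame_bytes):
    """Bits per second carried when every packet has the given size."""
    return pps * frame_bytes * 8


def bps_to_pps(bps, frame_bytes):
    """Packets per second a device must forward to sustain a bit rate at one packet size."""
    return bps / (frame_bytes * 8)


def effective_throughput_bps(bps_limit, pps_limit, frame_bytes):
    """Achievable throughput at one packet size: whichever rated limit is reached first wins."""
    return min(bps_limit, pps_to_bps(pps_limit, frame_bytes))


def crossover_frame_bytes(bps_limit, pps_limit):
    """Packet size at which the pps limit stops being the bottleneck: below it the pps
    figure caps throughput, above it the bps figure does."""
    return bps_limit / (pps_limit * 8)


def throughput_profile(bps_limit, pps_limit, sizes=(64, 128, 256, 512, 1024, 1518)):
    """Effective throughput in Mbps per packet size, the table a datasheet rarely prints."""
    return {size: effective_throughput_bps(bps_limit, pps_limit, size) / 1e6 for size in sizes}


def oversubscription_ratio(port_count, port_bps, backplane_bps):
    """Aggregate front-panel bandwidth divided by backplane capacity (4.0 means 4:1)."""
    return port_count * port_bps / backplane_bps


if __name__ == "__main__":
    # The router from the text: rated 30 Mbps but only 40 Kpps.
    for size, mbps in throughput_profile(30e6, 40_000).items():
        print(f"{size:5d}-byte packets: {mbps:6.2f} Mbps")
    print("pps limit stops binding above", crossover_frame_bytes(30e6, 40_000), "bytes")
    # The 6500 module from the next section: 16 x 10 Gbps ports on a 40 Gbps backplane.
    print("WS-X6816-10G-2T oversubscription:", oversubscription_ratio(16, 10e9, 40e9))
```

The profile makes the datasheet caveat concrete: with 64-byte packets the router in the text delivers 20.48 Mbps, and its 30 Mbps rating is only reachable once packets average more than about 94 bytes. When you run your own tests with ACLs or NAT enabled, re-run the same table against the measured pps figure.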

Oversubscription

Ethernet switches are often built with oversubscribed backplanes. Oversubscription refers to a point of congestion within a system where the potential rate of input is greater than the potential rate of output. For example, a switch with 48 1 Gbps ports might have a backplane throughput limitation of only 16 Gbps. This means that only 16 ports can transmit at wire rate (the physical maximum throughput) at any point in time. This isn't usually a problem at the network edge, where few users or servers ever need to transmit at these speeds for a prolonged time. However, oversubscription imposes much more critical considerations in the data center or network core.
 
As an example, let's look at the 16-port 10 Gbps Ethernet module WS-X6816-10G-2T for the Cisco Catalyst 6500 switch. Although the module provides an aggregate of 160 Gbps of potential throughput, its connection to the chassis backplane is only 40 Gbps. The module is oversubscribed at a ratio of 4:1. This module should only be used in situations where the aggregate throughput demand from all interfaces is not expected to exceed 40 Gbps.

IP Route Capacity

The maximum number of routes a router can hold in its routing table is limited by the amount of available content-addressable memory (CAM). Although a low-end router may be able to run BGP and exchange routes with BGP peers, it likely won't have sufficient memory to accept the full IPv4 Internet routing table, which comprises over 400 thousand routes. (Of course, low-end routers should never be implemented in a position where they would need to receive the full routing table.) Virtual routing contexts, in which a router stores multiple copies of a route in separate forwarding tables, increase routing table size exponentially, further elevating the importance of properly sizing routers for the role they play.

Maximum Concurrent Sessions

Firewalls and intrusion prevention systems perform stateful inspection of traffic transiting from one trust zone to another. These devices must be able to keep up with the demand for throughput not only in terms of bits per second and packets per second but also in the number of concurrent stateful sessions. A single web request might trigger the initiation of one or two dozen TCP connections to various content servers from an internal host. The firewall or IPS must be able to track the state of and inspect potentially thousands of sessions at any point in time. If the device's maximum capacity is reached, attempts to open new sessions may be rejected until a number of current sessions are closed or expire. Such devices are likewise limited in how fast they can create new sessions.
 

Basics: What’s the Difference Between STP BPDU Guard and Root Guard

Courtesy - Ethereal Mind


BPDU Guard and Root Guard are enhancements to Spanning Tree Protocol (STP) that improve the protocol's resilience to unexpected events.

Why ?

Remember that the purpose of the Spanning Tree algorithm is to create a single path through the network to prevent loops, because the Ethernet frame has no loop prevention mechanism. As a result, an Ethernet network is always designed like an inverted tree, like this:
[image: Bpdu root guard 1, the inverted-tree design]

There are loops in this design that are implemented for resilience, i.e. STP will block a given path in planned operation but an alternate path can be activated if the primary path fails.

However, STP is susceptible to various failures due to poor network design [1] or certain types of operational problems. Both BPDU Guard and Root Guard are used to enforce design discipline and ensure that the STP protocol operates as designed.

BPDU Guard

BPDU Guard disables the port upon BPDU reception if PortFast is enabled on the port. This effectively prevents devices connected to these ports from participating in the designed STP, thus protecting your data centre core.

Note: In the event of a BPDU being received, the port will typically be shut down in the “errdisable” state and will require manually re-enabling the port. Alternatively, you can configure the port to attempt to re-enable itself by configuring the “errdisable timeout”.

Root Guard

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Where ?

Because BPDU Guard and Root Guard are primarily there to ensure design enforcement (integrity / security), they must be configured in specific locations in the network.

[image: Bpdu root guard 2, where each guard is configured]

[1] By “design” I mean that people add new switches in the wrong places, which breaks that controlled design as shown here.
 

Sunday, March 31, 2013

Realtime Chat between Cisco Routers


You might probably know that it's possible to send messages from one vty line to another on a single Cisco router.

R1#send ?
  *        All tty lines
  <0-17>   Send a message to a specific line
  aux      Auxiliary line
  console  Primary terminal line
  log      Logging destinations
  qdm      Send a message to QDM client
  vty      Virtual terminal
  xsm      Send a message to XSM client



R1#send 1
Enter message, end with CTRL/Z; abort with CTRL/C:
Hi
^Z
Send message? [confirm]

R1#

***
***
*** Message from tty0 to tty1:
***
Hi


There is a way to send some custom-made UDP packets automatically from a Cisco router to a specific destination, in order to emulate the heartbeat mechanism of SixXS. Tcl seemed like a nice option, but as far as I know its implementation in Cisco IOS doesn't support extensions (Tcl doesn't have a built-in command for UDP channels, so we must use an extension to enable it).

Asynchronous Serial Traffic Over User Datagram Protocol or UDPTN (UDP Telnet) is an IOS feature that provides the ability to encapsulate asynchronous data into UDP packets, and then unreliably transmit this data without needing to establish a connection with a receiving device. UDPTN is similar to Telnet in that both are used to transmit data, but UDPTN is unique in that it does not require that a connection be established with a receiving device.

Its usage is quite simple. You just have to enable udptn as an output transport under your vtys and then open a connection to the remote end.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 15
R1(config-line)#transport output ssh udptn
R1(config-line)#^Z
R1#

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#line vty 0 15
R2(config-line)#transport output ssh udptn
R2(config-line)#^Z
R2#


You have various options regarding the role of each device, but usually one end is transmitting and the other end is receiving. If you need 2-way communication, then you need to enable both directions. You can use any port above 1024 or just the default 57.

R1#udptn 1.1.1.2 3740 /transmit /receive
Trying 1.1.1.2, 3740 ... Open

R2#udptn 1.1.1.1 3740 /transmit /receive
Trying 1.1.1.1, 3740 ... Open


It becomes more interesting if you send packets to a multicast/broadcast address, so everyone having an open connection there will see the data.

There are some annoying things, like that you can't see the entered chars locally, or that you get chars on top of the previous chars (you can use spaces in order to clear the line), but you can't expect a full-featured chat.

R2#udptn 1.1.1.1 3740 /transmit /receive
Trying 1.1.1.1, 3740 ... Open
How are you doing today?     ! This was typed on R1

R1#udptn 1.1.1.2 3740 /transmit /receive
Trying 1.1.1.2, 3740 ... Open
Fine, thanks                 ! This was typed on R2


Voila! You just made it possible to have a chat with your friend at a remote Cisco router! If you want to stop the session, you can use Ctrl-Shift-6 + x and then enter the "disconnect" command.

There are 2 terminal options that can be configured under source vtys and can change the behavior of text output:

dispatch-timeout 10000 : causes the buffered characters to be transmitted every 10 seconds (the value is in milliseconds)
dispatch-character 13 : causes the characters typed so far to be sent only after you press Enter (ASCII 13). By default each char is sent immediately.

Note : Because of its ability to send raw UDP datagrams that might conflict with other protocols, UDPTN has an implicit access list that only allows UDPTN connections to UDP port 57 (default) or UDP ports greater than 1024.
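The receiving end of a udptn session does not have to be a router: anything that listens on the UDP port sees the same raw characters, which also shows why this "chat" is plaintext with no authentication, and why a multicast or broadcast session is readable by every host on the segment. The following is an added example, not part of the original post: a small Python peer that reassembles lines from udptn datagrams the way a vty configured with dispatch-character 13 emits them (one datagram per Enter), and also copes with the default of one datagram per keystroke. The port 3740 matches the article; the sample datagrams are constructed.

```python
import socket

# Constructed sample: datagrams as they arrive from a vty configured with
# "dispatch-character 13" (one datagram per Enter, carriage return included).
SAMPLE_DATAGRAMS = [b"How are you doing today?\r", b"Fine, thanks\r"]


class LineAssembler:
    """Collects raw characters from successive datagrams and yields a line
    each time the dispatch character (ASCII 13) arrives. With the default
    settings each keystroke arrives in its own datagram, so buffering is needed."""

    def __init__(self, dispatch_char=b"\r"):
        self.dispatch_char = dispatch_char
        self.buffer = b""

    def feed(self, data):
        """Add one datagram's payload; return the complete lines it finished."""
        self.buffer += data
        lines = []
        while self.dispatch_char in self.buffer:
            line, _, self.buffer = self.buffer.partition(self.dispatch_char)
            lines.append(line.decode("ascii", errors="replace"))
        return lines


def assemble(datagrams, dispatch_char=b"\r"):
    """Run a list of datagram payloads through one assembler and collect the lines."""
    asm = LineAssembler(dispatch_char)
    lines = []
    for payload in datagrams:
        lines.extend(asm.feed(payload))
    return lines


def serve(bind_addr="0.0.0.0", port=3740):
    """Receive-only peer for 'udptn <this host> 3740 /transmit' on the router.
    Any port above 1024 passes UDPTN's implicit access list, so 3740 is fine."""
    asm = LineAssembler()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(1024)
            for line in asm.feed(data):
                print(f"{peer[0]}: {line}")


if __name__ == "__main__":
    # Offline demonstration on the constructed datagrams; call serve() to listen.
    for line in assemble(SAMPLE_DATAGRAMS):
        print(line)
```

Because every character crosses the wire unencrypted, treat udptn like any other cleartext management channel: keep it restricted to the transport output lines that need it and to addresses you control.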

If only now I could find a way to send such messages automatically, I would probably solve my initial issue. EEM doesn't provide a mechanism to feed chars into a remote session and the Tcl "typeahead/exec" solution makes the process get stuck (and I can't find a way to clear it). Any idea how to send Ctrl-Shift-6 + x?
 

Thursday, March 28, 2013

Understanding Spanning Tree Protocol



Spanning-tree Protocols
802.1d (Standard Spanning-tree)
So the entire goal of spanning-tree is to create a loop free layer 2 domain. There is no TTL in a layer 2 frame so if you don’t have spanning-tree, a frame can loop forever. So the original 802.1d standard set out to fix this. There are a few main pieces to the 802.1d process. They are…

1. Elect a root bridge.
This bridge is the ‘root’ of the spanning-tree. In order to elect a root bridge, all of the switches send out BPDU (Bridge Protocol Data Units). The BPDU has a bridge priority in it which the switches use to determine which switch should be the root. The lowest ID wins. The original standard specified a bridge ID as…

[image: original 802.1d bridge ID format, a 16-bit bridge priority followed by the 48-bit MAC address]
 
As time progressed there became a need to create multiple spanning-trees for multiple VLANs (we’ll get to that later). So, the bridge ID format had to be changed. What they came up with was..
 
[image: extended bridge ID format, a 4-bit bridge priority, a 12-bit extended system ID carrying the VLAN, then the 48-bit MAC address]
 
So, now you know why you need to have a bridge priority that’s in multiples of 4096 (if you don’t: a total of 4 bits gives you 16 values, and 16 * 4096 gives you 65,536, which is the old bridge priority max value – 1).
 
So at this point, we have a mess of switches swarming around with BPDUs. If a switch receives a BPDU with a lower bridge priority it knows that it isn’t the root. At that point, it stops sending out its own bridge ID and starts sending out BPDUs with the better (lower) priority that it heard of. In the end, all of the switches will be forwarding BPDUs with the lowest bridge ID. At that point, the switch originating the best (lowest) bridge ID knows that it is the root bridge.
 
2. Each switch selects a root port
So now that we know which switch is the root, every non-root switch needs to select its root port. That is, the port with the lowest cost to the root switch. To determine this, the root switch sends ‘Hellos’ out of all of its ports every 2 seconds. When a non-root switch receives the hello, it does a couple of things. First, it reads the ‘cost’ from the hello message and updates it by adding the port cost. So if a hello came in a Fast Ethernet port with a cost of 4, the switch would add 19 to it, giving you a new cost of 23. After all of the hellos are received, the switch picks its root port by selecting the port which had the lowest calculated cost. Now, a bit about port costs. See the table below…

Interface Speed    Original IEEE Port Cost    New IEEE Port Cost
10 Mbps            100                        100
100 Mbps           10                         19
1000 Mbps          1                          4
10000 Mbps         1                          2

So as you can see, with the increase in speed came an upgrade to the port costs. Now that we have 40 gig interfaces I’m wondering if they will redo that again. At any rate, if there is a tie, say two ports that have a calculated cost of 23, the switch breaks the tie in the following fashion:

1. Pick the lowest bridge ID of switch that sent the hellos
2. Pick the lowest port priority of the switch that sent the hellos
3. Use the lowest port number of the switch that sent the hellos
(We’ll talk about port priorities in a bit) Now that we have a root port we can move onto step 3.

3. Pick a designated port
This part is pretty easy. Basically, each segment can only have one designated port. The switch that forwards the lowest cost hello onto a particular segment becomes the designated switch, and the port that it uses to do that is the designated port. So, that would mean that each port on the root bridge would be a designated port. Then, ports that are neither root ports nor designated ports (non-designated ports) go into blocking state. If a tie occurs, the same tiebreaker process occurs as in step 2.

At this point, we have a fully converged spanning-tree!
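The three steps above are a deterministic comparison, so they are easy to check by hand with a small model. The following is an added example (not from the original post or any vendor code): it implements root election, root port selection with the tiebreakers from step 2, and designated port selection, using the "new" IEEE port costs from the table. The topology, switch names and MAC addresses are constructed.

```python
from dataclasses import dataclass

# IEEE port costs from the table in the post ("New IEEE Port Cost"), keyed by Mbps
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID compared the way switches compare it: priority first, then MAC.
    MACs are lowercase and zero-padded so string order equals numeric order."""
    priority: int   # 0..61440 in steps of 4096
    mac: str


@dataclass(frozen=True)
class Hello:
    """The parts of a received hello (BPDU) that decide root and designated ports."""
    root: BridgeId
    root_path_cost: int   # the sender's cost to the root, before our ingress port cost
    sender: BridgeId
    port_priority: int    # sender's port priority (128 by default)
    port_number: int      # sender's port number


@dataclass(frozen=True)
class Received:
    """A hello together with the local port and speed it arrived on."""
    port_name: str
    speed_mbps: int
    hello: Hello


def elect_root(bridge_ids):
    """Step 1: the lowest bridge ID (lowest priority, MAC as tiebreak) becomes root."""
    return min(bridge_ids)


def path_cost(rx):
    """Cost to the root via this port: cost carried in the hello plus the ingress port
    cost (the post's example: 4 arriving on Fast Ethernet becomes 4 + 19 = 23)."""
    return rx.hello.root_path_cost + PORT_COST[rx.speed_mbps]


def preference_key(rx):
    """Step 2 ordering and its tiebreakers: lowest cost, then lowest sender bridge ID,
    then lowest sender port priority, then lowest sender port number."""
    return (path_cost(rx), rx.hello.sender, rx.hello.port_priority, rx.hello.port_number)


def select_root_port(received):
    """Step 2: a non-root switch's root port is the one with the best preference key."""
    return min(received, key=preference_key).port_name


def select_designated(offers):
    """Step 3: on one segment the switch offering the lowest root path cost becomes
    designated, with the same tiebreakers. offers maps a switch name to the tuple
    (root_path_cost, bridge_id, port_priority, port_number) it advertises there."""
    return min(offers, key=offers.__getitem__)


if __name__ == "__main__":
    # Constructed topology: SW3 has the lowest priority, so it is root even though
    # SW1 has the lowest MAC address.
    sw1 = BridgeId(32768, "00:00:00:00:00:01")
    sw2 = BridgeId(32768, "00:00:00:00:00:02")
    sw3 = BridgeId(4096, "00:00:00:00:00:03")
    sw4 = BridgeId(32768, "00:00:00:00:00:04")
    root = elect_root([sw1, sw2, sw3, sw4])
    # SW1 hears the root via two paths that tie at cost 23; SW2's lower bridge ID wins.
    heard = [
        Received("Fa0/1", 100, Hello(root, 4, sw2, 128, 1)),
        Received("Gi0/1", 1000, Hello(root, 19, sw4, 128, 1)),
    ]
    print("root bridge:", root)
    print("SW1 root port:", select_root_port(heard))
```

Setting a priority of 4096 on the intended root and 8192 on its backup is what turns this election from an accident of MAC addresses into a design decision; the model shows that a lower MAC never beats a lower priority.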

Normal Operation
Under normal operation the root sends hellos out of all its active ports. Each connected switch receives the hellos on its root port, updates them, and forwards them out of its designated ports (if it has any). Blocked ports receive the hellos, but never forward them.

Topology Changes
When a switch notices a topology change, it’s responsible for telling all other connected switches about the change. The most effective way to do this is to tell the root switch so that it can tell all of the other switches. When a switch notices a topology change, it sends a TCN (topology change notification) out its root port. The switch will send the TCN every hello time until the upstream switch acknowledges it. The upstream switch acknowledges by sending a hello with a TCA (topology change acknowledgement). This process continues until the root becomes notified. The root will then set the TC flag on its hellos. When switches in the tree see the TC set in the hello from the root, they know that there has been a topology change and that they need to age out their CAM tables. Switches aging out their CAM tables is an important part of a topology change and reconvergence.

802.1D Port States

Blocking – The port is blocking all traffic with the exception of receiving STP BPDUs. The port will not forward any frames in this state.
Listening – Same as blocking but will now begin to send BPDUs.
Learning – The switch will begin to learn MAC information in this state.
Forwarding – Normal full up and up port state. Forwarding normal traffic.

Timing
There are a couple of main timers in the STP protocol. These are:
Forward Delay Timer – Default of 15 seconds
Hello – Default of 2 seconds
MaxAge – Default of 20 seconds

Spanning-Tree enhancements (Cisco Proprietary)
PortFast – Immediately puts a port into forwarding mode. Essentially disables the STP process. Should only be used for connecting to end hosts.
UplinkFast – Should be used on access layer switches connecting to distribution. Used to fail over the root port in the case of the primary root port failing. CAM entries are timed out by the access layer switch generating multicast frames with the attached devices' MACs as the source for the frames. This is different from the normal TCN process as described earlier. UplinkFast also causes the switch to increase its bridge priority to 49152 and set all of the port costs to 3000.
BackboneFast – Used to detect indirect STP failures. This way the switch doesn’t have to wait MaxAge to reconverge. The feature needs to be configured on all switches in order for it to work. When the switch stops receiving hellos it queries its upstream switches with an RLQ (Root Link Query). If the upstream switch had a failure it can reply to the local switch so that it can converge to another port without waiting for the MaxAge to expire.

802.1w (Rapid Spanning-Tree)
Rapid spanning-tree takes 802.1d and makes it faster. In addition, they take some of the Cisco proprietary features and standardize them. Here are some of the notable changes that 802.1w makes.

-Switches only wait to miss 3 hellos on their root port prior to reconverging. This number in 802.1d was 10 (MaxAge, or 10 times hello).
-Fewer port states. 802.1w takes the number of port states from 5 (I’m counting disabled) down to 3. The new states are discarding, learning, and forwarding.
-Concept of a backup DP when a switch has multiple ports connected to the same segment.
-Standardization of the Cisco proprietary PortFast, UplinkFast, and BackboneFast.

802.1w Link Types
Point to Point – Connects a switch to another switch in full duplex mode.
Shared – Connects a switch to a hub using half duplex
Edge – A user access port

802.1w Port roles
Root Port – The same as in 802.1d
Designated Port – The same as in 802.1d
Alternate Port – Same as the uplink fast feature, backup RP connection
Backup Port – Alternate DP port, can take over if the existing DP fails

802.1s (Multiple Spanning-Tree)
Multiple spanning-tree (MST) lets you map VLANs into a particular spanning tree. These VLANs are then considered to be part of the same MST region. MST uses the same features as RSTP for convergence, so if you are running MST, you are by default also running RSTP. Much like any other ‘group’ technology, there are several parameters that must be met before switches/vlans can become part of the same region.

-MST must be globally enabled
-The MST region name must be configured (and the same on each switch)
-Define the MST revision number (and make it the same on each switch)
-Map the same VLANs into each region (or instance)

MST can co-exist with other switches that don’t talk MST. In this case, the entire MST region appears to be a single switch to the other ‘external’ spanning-tree. The spanning-tree that connects the region to the ‘outside’ is considered to be the IST, or Internal Spanning Tree.

Spanning-tree Protection
There are several ‘protection’ mechanisms available that can be implemented in conjunction with spanning-tree to protect the spanning-tree from failure or loops.

BPDU Guard – Should be enabled on all ports that will never connect to anything but an end user port. The configuration will err-disable a port if a BPDU is received on that port. To recover from this condition the port must be shut/no shut.

Root Guard – Protects the switch from choosing the wrong RP. If a superior BPDU is heard on this port the port is placed into root-inconsistent state until the BPDUs are no longer heard.

UDLD – Unidirectional link detection is used to detect when one side (transmit or receive) is lost. States like this can cause loops and loss of connectivity. UDLD functions in two modes, aggressive and normal. Normal mode uses layer 2 messaging to determine if a switch's transmission capabilities have failed. If this is detected, the switch with the failed transmit side goes into err-disable. In aggressive mode the switch tries to reconnect with the other side 8 times. If this fails, both sides go into err-disable.

Loop Guard – When a port configured with loop guard stops hearing BPDUs it goes into loop-inconsistent state rather than transitioning into forwarding.
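The protection mechanisms listed here, and the BPDU Guard / Root Guard post above, differ mainly in what triggers them and how the port recovers: BPDU Guard err-disables on any BPDU and needs a shut/no shut or the errdisable timeout, Root Guard reacts only to a superior BPDU and clears itself, and Loop Guard reacts to the absence of BPDUs. The following added example (not from either post, and not Cisco code) models one port under each guard so the three behaviours can be compared side by side; the port names, the 300-second recovery timer and the event wording are constructed.

```python
from enum import Enum


class State(Enum):
    BLOCKING = "blocking"
    FORWARDING = "forwarding"
    ERRDISABLED = "err-disabled"             # BPDU Guard result: manual or timer-based recovery
    ROOT_INCONSISTENT = "root-inconsistent"  # Root Guard result: recovers on its own
    LOOP_INCONSISTENT = "loop-inconsistent"  # Loop Guard result: recovers on its own


class GuardedPort:
    """One switch port with zero or more guards enabled (constructed model)."""

    def __init__(self, name, state=State.FORWARDING, bpdu_guard=False, root_guard=False,
                 loop_guard=False, errdisable_timeout_s=None):
        self.name = name
        self.state = state
        self.bpdu_guard = bpdu_guard
        self.root_guard = root_guard
        self.loop_guard = loop_guard
        self.errdisable_timeout_s = errdisable_timeout_s   # None: manual recovery only
        self.disabled_for_s = 0
        self.events = []   # human-readable log of every transition, for the demo

    def _set(self, state, why):
        self.state = state
        self.events.append(f"{self.name} -> {state.value}: {why}")

    def receive_bpdu(self, superior=False):
        """A BPDU arrived; 'superior' means it advertises a better root than the current one."""
        if self.state is State.ERRDISABLED:
            return self.state   # an err-disabled port processes nothing until recovered
        if self.bpdu_guard:
            self._set(State.ERRDISABLED, "BPDU Guard: BPDU received on a PortFast port")
            self.disabled_for_s = 0
        elif self.root_guard and superior:
            self._set(State.ROOT_INCONSISTENT, "Root Guard: neighbour tried to become root")
        elif self.state is State.ROOT_INCONSISTENT:
            self._set(State.FORWARDING, "Root Guard: superior BPDUs stopped, automatic recovery")
        elif self.state is State.LOOP_INCONSISTENT:
            self._set(State.BLOCKING, "Loop Guard: BPDUs heard again, back to blocking")
        return self.state

    def bpdus_stop(self):
        """MaxAge expired with no BPDU on a blocking port. Without Loop Guard the port
        unblocks, which is how a unidirectional link turns into a forwarding loop."""
        if self.state is State.BLOCKING:
            if self.loop_guard:
                self._set(State.LOOP_INCONSISTENT, "Loop Guard: BPDUs stopped")
            else:
                self._set(State.FORWARDING, "no Loop Guard: port unblocked, loop possible")
        return self.state

    def tick(self, seconds):
        """Advance the errdisable recovery timer, if one is configured."""
        if self.state is State.ERRDISABLED and self.errdisable_timeout_s is not None:
            self.disabled_for_s += seconds
            if self.disabled_for_s >= self.errdisable_timeout_s:
                self._set(State.FORWARDING, "errdisable recovery timer expired")
        return self.state

    def shut_no_shut(self):
        """Manual recovery: shut / no shut clears err-disabled."""
        if self.state is State.ERRDISABLED:
            self._set(State.FORWARDING, "manual shut/no shut")
        return self.state


if __name__ == "__main__":
    access = GuardedPort("Gi1/0/1", bpdu_guard=True, errdisable_timeout_s=300)
    uplink = GuardedPort("Gi1/0/24", root_guard=True)
    alternate = GuardedPort("Gi1/0/23", state=State.BLOCKING, loop_guard=True)
    access.receive_bpdu(); access.tick(300)            # rogue switch on an access port
    uplink.receive_bpdu(superior=True); uplink.receive_bpdu()   # neighbour claims root, then stops
    alternate.bpdus_stop(); alternate.receive_bpdu()   # one-way link, then BPDUs return
    for port in (access, uplink, alternate):
        print("\n".join(port.events))
```

The model makes the operational difference visible in the event log: a BPDU Guard violation is a ticket until someone (or the recovery timer) re-enables the port, whereas Root Guard and Loop Guard violations clear themselves once the offending condition ends, so they should be alerted on but rarely need manual intervention.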
 

Wednesday, February 27, 2013

Wireless 101 - Part 2


Antenna

An antenna is a device to transmit and/or receive electromagnetic waves. Electromagnetic waves are often referred to as radio waves. Most antennas are resonant devices, which operate efficiently over a relatively narrow frequency band. An antenna must be tuned (matched) to the same frequency band as the radio system to which it is connected otherwise reception and/or transmission will be impaired.

Types of antenna

There are 3 types of antennas used with mobile wireless: omnidirectional, dish and panel antennas.
+ Omnidirectional radiate equally in all directions
+ Dishes are very directional
+ Panels are not as directional as Dishes.



Decibels

Decibels (dB) are the accepted method of describing a gain or loss relationship in a communication system. If a level is stated in decibels, then it is comparing a current signal level to a previous level or preset standard level. The beauty of dB is they may be added and subtracted. A decibel relationship (for power) is calculated using the following formula:

[image: dB formula, 10 * log of the power ratio A/B]

“A” might be the power applied to the connector on an antenna, the input terminal of an amplifier or one end of a transmission line. “B” might be the power arriving at the opposite end of the transmission line, the amplifier output or the peak power in the main lobe of radiated energy from an antenna. If “A” is larger than “B”, the result will be a positive number or gain. If “A” is smaller than “B”, the result will be a negative number or loss.

You will notice that the “B” is capitalized in dB. This is because it refers to the last name of Alexander Graham Bell.

Note:

+ dBi is a measure of the increase in signal (gain) by your antenna compared to the hypothetical isotropic antenna (which uniformly distributes energy in all directions) -> It is a ratio. The greater the dBi value, the higher the gain and the more acute the angle of coverage.

+ dBm is a measure of signal power. It is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). The “m” stands for “milliwatt”.

Example:

At 1700 MHz, 1/4 of the power applied to one end of a coax cable arrives at the other end. What is the cable loss in dB?

Solution:

[image: dB example, Loss = 10 * log (1/4)]

=> Loss = 10 * (-0.602) = -6.02 dB

From the formula above we can calculate at 3 dB the power is reduced by half. Loss = 10 * log (1/2) = -3 dB; this is an important number to remember.
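Since gains and losses in dB add, a whole radio path (transmitter, cable, connectors, antenna) reduces to a sum once each element is expressed in dB, and dBm lets you carry absolute power through that sum. The following is an added example (not from the original post) that reproduces the 1/4-power coax calculation and the half-power rule, converts between mW and dBm, and sums a constructed link budget; the function names and the 20 dBm / 8 dBi figures are its own.

```python
import math


def db(power_ratio):
    """Decibels for a ratio of two powers: 10 * log10(ratio).
    A positive result is a gain, a negative one a loss."""
    return 10 * math.log10(power_ratio)


def ratio_from_db(decibels):
    """Inverse of db(): the power ratio a dB figure represents."""
    return 10 ** (decibels / 10)


def mw_to_dbm(milliwatts):
    """dBm is power relative to 1 mW, so 1 mW is 0 dBm and 100 mW is 20 dBm."""
    return db(milliwatts / 1.0)


def dbm_to_mw(dbm):
    """Absolute power in milliwatts for a dBm figure."""
    return ratio_from_db(dbm)


def link_budget_dbm(tx_power_dbm, gains_and_losses_db):
    """Because dB are logarithmic, a chain of gains (+) and losses (-) simply adds
    to the transmitter power; the result is the power at the end of the chain in dBm."""
    return tx_power_dbm + sum(gains_and_losses_db)


if __name__ == "__main__":
    print(f"1/4 of the power arrives: {db(1 / 4):.2f} dB")   # the post's coax example
    print(f"half the power arrives:   {db(1 / 2):.2f} dB")   # the -3 dB rule of thumb
    # Constructed budget: 20 dBm (100 mW) radio, the 6.02 dB coax loss above, 8 dBi antenna
    eirp = link_budget_dbm(20, [db(1 / 4), 8])
    print(f"radiated power: {eirp:.2f} dBm = {dbm_to_mw(eirp):.1f} mW")
```

Two losses in series illustrate the additive property directly: a quarter-power cable followed by a half-power connector passes 1/8 of the power, and db(1/4) + db(1/2) equals db(1/8) to floating-point precision.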

Beamwidth

The angle, in degrees, between the two half-power points (-3 dB) of an antenna beam, where more than 90% of the energy is radiated.

[image: beamwidth, the angle between the two -3 dB points of the beam]

OFDM

OFDM was proposed in the late 1960s, and in 1970 a US patent was issued. OFDM encodes a single transmission into multiple sub-carriers. All the slow subchannels are then multiplexed into one fast combined channel.

The trouble with traditional FDM is that the guard bands waste bandwidth and thus reduce capacity. OFDM selects channels that overlap but do not interfere with each other.

[image: FDM with guard bands versus OFDM with overlapping subcarriers]

OFDM works because the frequencies of the subcarriers are selected so that at each subcarrier frequency, all other subcarriers do not contribute to overall waveform.

In this example, three subcarriers are overlapped but do not interfere with each other. Notice that only the peaks of each subcarrier carry data. At the peak of each of the subcarriers, the other two subcarriers have zero amplitude.

[image: OFDM, three overlapping subcarriers]

Types of network in CCNA Wireless

+ A LAN (local area network) is a data communications network that typically connects personal computers within a very limited geographical area (usually within a single building). LANs use a variety of wired and wireless technologies, standards and protocols. School computer labs and home networks are examples of LANs.

+ A PAN (personal area network) is a term used to refer to the interconnection of personal digital devices within a range of about 30 feet (10 meters) and without the use of wires or cables. For example, a PAN could be used to wirelessly transmit data from a notebook computer to a PDA or portable printer.

+ A MAN (metropolitan area network) is a public high-speed network capable of voice and data transmission within a range of about 50 miles (80 km). Examples of MANs that provide data transport services include local ISPs, cable television companies, and local telephone companies.

+ A WAN (wide area network) covers a large geographical area and typically consists of several smaller networks, which might use different computer platforms and network technologies. The Internet is the world’s largest WAN. Networks for nationwide banks and superstore chains can be classified as WANs.

[image: types of network, PAN / LAN / MAN / WAN by range]

Bluetooth

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. Connections between Bluetooth devices allow these devices to communicate wirelessly through short-range, ad hoc networks. Bluetooth operates in the 2.4 GHz unlicensed ISM band.

Note:

Industrial, scientific and medical (ISM) band is a part of the radio spectrum that can be used by anybody without a license in most countries. In the U.S, the 902-928 MHz, 2.4 GHz and 5.7-5.8 GHz bands were initially used for machines that emitted radio frequencies, such as RF welders, industrial heaters and microwave ovens, but not for radio communications. In 1985, the FCC Rules opened up the ISM bands for wireless LANs and mobile communications. Nowadays, numerous applications use this band, including cordless phones, wireless garage door openers, wireless microphones, vehicle tracking, amateur radio…

WiMAX

Worldwide Interoperability for Microwave Access (WiMax) is defined by the WiMax forum and standardized by the IEEE 802.16 suite. The most current standard is 802.16e.

Operates in two separate frequency bands, 2-11 GHz and 10-66 GHz
At the higher frequencies, line of sight (LOS) is required – point-to-point links only
In the lower region, the signals propagate without the requirement for line of sight (NLOS) to customers

Basic Service Set (BSS)

A group of stations that share an access point are said to be part of one BSS.

Extended Service Set (ESS)

Some WLANs are large enough to require multiple access points. A group of access points connected to the same WLAN are known as an ESS. Within an ESS, a client can associate with any one of many access points that use the same Extended service set identifier (ESSID). That allows users to roam about an office without losing wireless connection.

IEEE 802.11 standard

A family of standards that defines the physical layers (PHY) and the Media Access Control (MAC) layer.

* IEEE 802.11a: 54 Mbps in the 5.7 GHz ISM band
* IEEE 802.11b: 11 Mbps in the 2.4 GHz ISM band
* IEEE 802.11g: 54 Mbps in the 2.4 GHz ISM band
* IEEE 802.11i: security. The IEEE initiated the 802.11i project to overcome the problem of WEP (which has many flaws and it could be exploited easily)
* IEEE 802.11e: QoS
* IEEE 802.11f: Inter Access Point Protocol (IAPP)

More information about 802.11i:

The new security standard, 802.11i, which was ratified in June 2004, fixes all WEP weaknesses. It is divided into three main categories:

1. Temporary Key Integrity Protocol (TKIP) is a short-term solution that fixes all WEP weaknesses. TKIP can be used with old 802.11 equipment (after a driver/firmware upgrade) and provides integrity and confidentiality.
2. Counter Mode with CBC-MAC Protocol (CCMP) [RFC2610] is a new protocol, designed from the ground up. It uses AES as its cryptographic algorithm, and, since this is more CPU intensive than RC4 (used in WEP and TKIP), new 802.11 hardware may be required. Some drivers can implement CCMP in software. CCMP provides integrity and confidentiality.
3. 802.1X Port-Based Network Access Control: Either when using TKIP or CCMP, 802.1X is used for authentication.

Wireless Access Points

There are two categories of Wireless Access Points (WAPs):
* Autonomous WAPs
* Lightweight WAPs (LWAPs)

Autonomous WAPs operate independently, and each contains its own configuration file and security policy. Autonomous WAPs suffer from scalability issues in enterprise environments, as a large number of independent WAPs can quickly become difficult to manage.

Lightweight WAPs (LWAPs) are centrally controlled using one or more Wireless LAN Controllers (WLCs), providing a more scalable solution than Autonomous WAPs.

Encryption

Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key (password).

TKIP

TKIP stands for Temporal Key Integrity Protocol. It is basically a patch for the weakness found in WEP. The problem with the original WEP is that an attacker could recover your key after observing a relatively small amount of your traffic. TKIP addresses that problem by automatically negotiating a new key every few minutes — effectively never giving an attacker enough data to break a key. Both WEP and WPA-TKIP use the RC4 stream cipher.

TKIP Session Key

* Different for every pair
* Different for every station
* Generated for each session
* Derived from a “seed” called the passphrase

AES

AES stands for Advanced Encryption Standard and is a totally separate cipher system. It is a 128-bit, 192-bit, or 256-bit block cipher and is considered the gold standard of encryption systems today. AES takes more computing power to run so small devices like Nintendo DS don’t have it, but is the most secure option you can pick for your wireless network.

EAP

Extensible Authentication Protocol (EAP) [RFC 3748] is just the transport protocol optimized for authentication, not the authentication method itself:

“EAP is an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this.” — RFC 3748, page 3

Some of the most-used EAP authentication mechanisms are listed below:

* EAP-MD5: MD5-Challenge requires username/password, and is equivalent to the PPP CHAP protocol [RFC1994]. This method does not provide dictionary attack resistance, mutual authentication, or key derivation, and therefore has little use in a wireless authentication environment.
* Lightweight EAP (LEAP): A username/password combination is sent to an Authentication Server (RADIUS) for authentication. LEAP is a proprietary protocol developed by Cisco, and is not considered secure. Cisco is phasing out LEAP in favor of PEAP.
* EAP-TLS: Creates a TLS session within EAP, between the Supplicant and the Authentication Server. Both the server and the client(s) need a valid (X.509) certificate, and therefore a PKI. This method provides authentication both ways.
* EAP-TTLS: Sets up an encrypted TLS tunnel for safe transport of authentication data. Within the TLS tunnel, (any) other authentication methods may be used. Developed by Funk Software and Meetinghouse, and is currently an IETF draft.
* EAP-FAST: Provides a way to ensure the same level of security as EAP-TLS, but without the need to manage certificates on the client or server side. To achieve this, the same AAA server on which the authentication will occur generates the client credential, called the Protected Access Credential (PAC).
* Protected EAP (PEAP): Uses, like EAP-TTLS, an encrypted TLS tunnel. Supplicant certificates for both EAP-TTLS and EAP-PEAP are optional, but server (AS) certificates are required. Developed by Microsoft, Cisco, and RSA Security, and is currently an IETF draft.
* EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2 [RFC2759]. Usually used inside of a PEAP-encrypted tunnel. Developed by Microsoft, and is currently an IETF draft.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] and its companion RFCs (RFC 2866 for accounting, RFC 2869 for extensions such as the Message-Authenticator attribute). It was primarily used by ISPs, who authenticated a username and password before the user was authorized to use the ISP's network.

802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the de facto back-end authentication server used in 802.1X: the authenticator (AP or switch) relays the EAP conversation to the server inside RADIUS EAP-Message attributes [RFC3579]. RADIUS itself runs over UDP and protects only the User-Password attribute, using MD5 and a shared secret, so the link between authenticator and server should sit on a protected management network or be carried over IPsec or TLS (RadSec, RFC 6614).
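The username/password transaction described above, built and checked in Python as an added example (not code from the page). It implements the User-Password hiding of RFC 2865 section 5.2 and the Message-Authenticator of RFC 2869; the shared secret, identifier, NAS address and Request Authenticator used below are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Added example: RADIUS Access-Request construction and checking per RFC 2865/2869.
# Not code from the original page; the secret and addresses below are constructed.

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret||RequestAuth), c_i = p_i XOR MD5(secret||c_{i-1})."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += block
        prev = block
    return hidden


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the server strips the NUL padding (passwords contain no NUL)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV: Type (1) | Length (1, includes the 2 header bytes) | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, username, password, nas_ip, request_auth=None):
    """Code | Identifier | Length | Request Authenticator (16 random bytes) | attributes.
    The Message-Authenticator is HMAC-MD5(secret, whole packet with that value zeroed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
    attrs += attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placed last, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse(packet: bytes):
    """Return (code, identifier, request_auth, [(type, offset, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, offset = [], 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, offset, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Reject packets without a Message-Authenticator: otherwise anyone who can spoof
    the NAS address can forge requests, since the Request Authenticator is just random."""
    _, _, _, attrs = parse(packet)
    for attr_type, offset, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def recover_password(secret: bytes, packet: bytes):
    """What the RADIUS server does: unhide User-Password using the shared secret."""
    _, _, request_auth, attrs = parse(packet)
    for attr_type, _, value in attrs:
        if attr_type == USER_PASSWORD:
            return unhide_password(secret, request_auth, value)
    return None


if __name__ == "__main__":
    secret = b"testing123"   # constructed shared secret
    pkt = build_access_request(secret, 7, b"alice", b"correct horse battery staple", "10.0.0.1")
    print(len(pkt), "bytes; authentic:", verify_message_authenticator(secret, pkt))
    print("server sees password:", recover_password(secret, pkt))
```

Notice what the "hiding" is: an MD5-derived pad XORed with the password, keyed by the shared secret. Anyone who sniffs the packet can run an offline guess of the shared secret against it, which is why the secret must be long and random and why the transport between NAS and server needs protection of its own.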

Roaming

Roaming is the movement of a client from one AP to another while still transmitting. Roaming can be done across different mobility groups, but must remain inside the same mobility domain. There are 2 types of roaming:

1. Roaming in the same Mobility Group: a client roams from AP1 to AP2, and both APs are in the same mobility group and mobility domain.

Roaming_Same_Mobile_Group.jpg

2. Roaming between Mobility Groups: a client roams from AP1 to AP2, where the two APs are in different mobility groups but in the same mobility domain.

Roaming_Different_Mobile_Group.jpg
 

Monday, February 25, 2013

Wireless 101 - Part 1


In this article we will discuss the wireless technologies covered in CCNA.

Wireless LANs (WLANs) are very popular nowadays; you have probably used wireless applications on your laptop or cellphone. Wireless LANs enable users to communicate without cables. Below is an example of a simple WLAN:

Wireless_Applications.jpg

Each WLAN needs a wireless Access Point (AP) to transmit data to and receive data from users. Unlike a wired network, which operates at full duplex (sending and receiving at the same time), a wireless network operates at half duplex, so an AP is sometimes referred to as a wireless hub. Like a hub, it is a shared medium: every station in range receives every frame, which is why encryption matters far more on a WLAN than on a switched wired LAN.





The major difference between a wired LAN and a WLAN is that a WLAN transmits data by radiating energy waves, called radio waves, instead of sending electrical signals over a cable.

Also, a WLAN uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) instead of CSMA/CD for media access. A WLAN cannot use CSMA/CD because a radio cannot transmit and listen for a collision at the same time, so it tries to avoid collisions before sending and relies on acknowledgments to detect the ones that still happen. CSMA/CA operates as follows:

+ Listen to ensure the medium is free. If it is free, wait a random backoff time before sending data
+ When the random time has passed, listen again. If the medium is free, send the data. If not, pick another random time and wait again
+ Wait for an acknowledgment that the data was received successfully
+ If no acknowledgment is received, resend the data (after a new, usually longer, random backoff)
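The four steps above as a small slotted simulation in Python, added here as an illustration (not code from the page): stations pick a random backoff, count down while the medium is idle, and collide (no ACK) if two reach zero in the same slot, then retry with a doubled contention window. The contention window sizes are modelled on 802.11's binary exponential backoff; the inter-frame spacing timers are left out.

```python
import random

# Added example: a slotted simulation of the CSMA/CA procedure above with 802.11-style
# binary exponential backoff. Not code from the page; the parameters are illustrative.


def simulate_csma_ca(n_stations: int, frames_per_station: int, cw_min: int = 16,
                     cw_max: int = 1024, seed: int = 1) -> dict:
    """Each station with a frame waiting picks a random backoff in [0, CW) and counts it
    down one slot at a time while the medium is idle. A station whose counter hits zero
    transmits; if it is the only one in that slot the frame is acknowledged, otherwise the
    transmissions collide, no ACK arrives, and every colliding station doubles its CW
    (up to cw_max) and draws a new backoff. A successful sender resets its CW to cw_min."""
    rng = random.Random(seed)
    pending = {s: frames_per_station for s in range(n_stations) if frames_per_station > 0}
    cw = {s: cw_min for s in pending}
    backoff = {s: rng.randrange(cw_min) for s in pending}
    stats = {"slots": 0, "attempts": 0, "collisions": 0, "delivered": 0}
    while pending:
        stats["slots"] += 1
        ready = [s for s in pending if backoff[s] == 0]
        if not ready:                       # medium idle: everyone counts down
            for s in pending:
                backoff[s] -= 1
            continue
        stats["attempts"] += len(ready)
        if len(ready) == 1:                 # lone transmitter: ACK received
            s = ready[0]
            stats["delivered"] += 1
            pending[s] -= 1
            cw[s] = cw_min
            if pending[s] == 0:
                del pending[s]
        else:                               # two or more in the same slot: collision, no ACK
            stats["collisions"] += 1
            for s in ready:
                cw[s] = min(cw[s] * 2, cw_max)
        for s in ready:                     # new random wait before the next attempt
            if s in pending:
                backoff[s] = rng.randrange(cw[s])
    return stats


if __name__ == "__main__":
    for n in (1, 5, 20):
        print(n, "stations:", simulate_csma_ca(n, 50))
```

Run it with a growing number of stations and watch the collision count and the number of slots per delivered frame climb: collision avoidance lowers the odds of a collision, it does not remove them, and the only signal that one happened is the missing ACK.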

IEEE 802.11 standards:

Nowadays there are three organizations influencing WLAN standards. They are:

+ ITU-R: is responsible for allocation of the RF bands
+ IEEE: specifies how RF is modulated to transfer data
+ Wi-Fi Alliance: improves the interoperability of wireless products among vendors

The most popular type of wireless LAN today is based on the IEEE 802.11 standard, which is known informally as Wi-Fi.

* 802.11a: operates in the 5 GHz UNII band. Maximum transmission speed is 54 Mbps and approximate wireless range is 25-75 feet indoors.
* 802.11b: operates in the 2.4 GHz ISM band. Maximum transmission speed is 11 Mbps and approximate wireless range is 100-200 feet indoors.
* 802.11g: operates in the 2.4 GHz ISM band. Maximum transmission speed is 54 Mbps and approximate wireless range is 100-200 feet indoors.

ISM Band: Radio spectrum in the US is controlled by the FCC and generally requires a licence. The ISM (Industrial, Scientific and Medical) bands are set aside for unlicensed use, including the 2.4 GHz band where many WLAN products operate, which is also why so many other devices share that band and interfere with it.

Wi-Fi: is often expanded as "Wireless Fidelity", although the Wi-Fi Alliance states that it is not an acronym. It is used to refer to any of the IEEE 802.11 wireless standards. The term was created by the Wireless Ethernet Compatibility Alliance (WECA), now the Wi-Fi Alliance. Products certified as Wi-Fi compliant are interoperable with each other even if they are made by different manufacturers.



Access points can support several or all of the three most popular IEEE WLAN standards including 802.11a, 802.11b and 802.11g.

WLAN Modes:

WLAN has two basic modes of operation:

* Ad-hoc mode: In this mode devices send data directly to each other without an AP.

Wireless_Ad-hoc_mode.jpg

* Infrastructure mode: clients communicate through an AP, which is usually connected to a wired LAN. It supports two service sets:

+ Basic Service Set (BSS): uses only a single AP to create a WLAN
+ Extended Service Set (ESS): uses more than one AP to create a WLAN, allows roaming in a larger area than a single AP. Usually there is an overlapped area between two APs to support roaming. The overlapped area should be more than 10% (from 10% to 15%) to allow users moving between two APs without losing their connections (called roaming). The two adjacent APs should use non-overlapping channels to avoid interference. The most popular non-overlapping channels are channels 1, 6 and 11 (will be explained later).

Wireless_Infrastructure_mode.jpg

Roaming: The ability to use a wireless device and be able to move from one access point’s range to another without losing the connection.

When configuring an ESS, each of the APs should be configured with the same Service Set Identifier (SSID) to support roaming. The SSID is the name shared among all devices on the same wireless network. In public places the SSID is set on the AP and broadcast to all wireless devices in range. SSIDs are case-sensitive strings with a maximum length of 32 bytes, and an SSID is the minimum requirement for a WLAN to operate. In most Linksys APs (Linksys was a Cisco product at the time) the default SSID is "linksys". Note that the SSID is not a security control: it travels in the clear in probe and association frames even when beacon broadcasting is disabled, so "hiding" it keeps out nobody determined, and leaving the default advertises what hardware you run.

Wireless Encoding

When a wireless device sends data, there are some ways to encode the radio signal including frequency, amplitude & phase.



Frequency Hopping Spread Spectrum(FHSS): uses all frequencies in the band, hopping to different ones after fixed time intervals. Of course the next frequency must be predetermined by the transmitter and receiver.

Frequency_Hopping_Spread_Spectrum_FHSS.jpg

The main idea of this method is that signals sent on different frequencies will be received with different quality. By hopping between frequencies, a transmission greatly improves the chance that most of it gets through. For example, suppose another device is using the 150-250 kHz range. If our device transmitted only in this range, its signal would be significantly interfered with. By hopping across many frequencies, only the hops that land in that range suffer interference, which is acceptable.

Direct Sequence Spread Spectrum (DSSS): This method transmits the signal over a wider frequency band than required by multiplying the original user data with a pseudo-random spreading code. The result is a wide-band signal which is very "durable" against noise. Even if some bits of this signal are damaged during transmission, statistical techniques can recover the original data without retransmission.

Note: Spread spectrum here means that the bandwidth used to transfer the data is much wider than the bandwidth needed to transfer that data.

Traditional communication systems use a narrowband signal to transfer data because the required bandwidth is minimal, but the signal must have high power to cope with noise. Spread spectrum does the opposite: it transmits at a much lower power level (possibly below the noise floor) but over a much wider bandwidth. Even if noise affects some parts of the signal, the receiver can recover the original data with the despreading algorithm.

wireless_Spread_Spectrum_Signal.jpg

Now you understand the basic concept of DSSS. Let's discuss the use of DSSS in the 2.4 GHz unlicensed band.

The 2.4 GHz band is about 83.5 MHz wide, from 2.400 GHz to 2.4835 GHz. In the USA this band has 11 overlapping DSSS channels (each about 22 MHz wide, spaced 5 MHz apart), while in some other countries it can have up to 14 channels. Channels 1, 6 and 11 do not overlap each other, so they are preferred over other channels.

wireless_2_4_GHz_band.png
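Channel arithmetic for the paragraph above as an added Python example (not from the page): 2.4 GHz channel centres are 2407 + 5n MHz (channel 14 is the exception at 2484 MHz) and a DSSS channel is about 22 MHz wide, so two channels overlap when their centres are less than 22 MHz apart. The greedy picker reproduces the usual 1/6/11 choice and, with OFDM's 20 MHz width, the 1/5/9/13 plan used in ETSI countries.

```python
# Added example: 2.4 GHz channel arithmetic. Not code from the page.

DSSS_CHANNEL_WIDTH_MHZ = 22


def center_frequency_mhz(channel: int) -> int:
    """Centres are 2407 + 5 * n MHz for n = 1..13; channel 14 (Japan, 802.11b only) sits at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("2.4 GHz channels are numbered 1 to 14")


def channel_edges_mhz(channel: int, width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> tuple:
    centre = center_frequency_mhz(channel)
    return centre - width_mhz // 2, centre + width_mhz // 2


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels of the given width overlap when their centres are closer than the width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width_mhz


def non_overlapping_channels(available, width_mhz: int = DSSS_CHANNEL_WIDTH_MHZ) -> list:
    """Greedy pick from the lowest channel up; reproduces 1/6/11 for the US channel set."""
    chosen = []
    for ch in sorted(available):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(ch, center_frequency_mhz(ch), channel_edges_mhz(ch))
    print("US (1-11), 22 MHz:", non_overlapping_channels(range(1, 12)))
    print("ETSI (1-13), 22 MHz:", non_overlapping_channels(range(1, 14)))
    print("ETSI (1-13), 20 MHz OFDM:", non_overlapping_channels(range(1, 14), 20))
    print("Japan 802.11b (1-14):", non_overlapping_channels(range(1, 15)))
```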

Orthogonal Frequency Division Multiplexing (OFDM): splits a single transmission into many narrow sub-carriers that are sent in parallel, which uses the spectrum efficiently. The sub-carriers overlap but do not interfere with each other, because their frequencies are chosen so that at each sub-carrier's centre frequency all the other sub-carriers contribute nothing to the overall waveform (they are orthogonal).

In the picture below, notice that only the peaks of each subcarrier carry data. At the peak of each of the subcarriers, the other two subcarriers have zero amplitude.

wireless_OFDM.jpg

Below is a summary of the encoding classes which are popularly used in WLANs.

Encoding | Used by
FHSS     | The original 802.11 (1997) standard allowed FHSS, but the current standards (802.11a, 802.11b and 802.11g) do not
DSSS     | 802.11b (and 802.11g for backward compatibility with 802.11b rates)
OFDM     | 802.11a, 802.11g, 802.11n



WLAN Security Standards

Security is one of the biggest concerns for anyone deploying a WLAN, so we should understand the standards.

Wired Equivalent Privacy (WEP)

WEP is the original security protocol defined in the 1997 IEEE 802.11 standard (and carried into 802.11b), so it is very weak compared to the newer security protocols.

WEP is based on the RC4 encryption algorithm, with a secret key of 40 or 104 bits being combined with a 24-bit Initialisation Vector (IV) to form the per-packet RC4 key (so you will hear of "64-bit" or "128-bit" WEP keys). RC4 as used in WEP has weak keys (the FMS related-key attack exploits the IV being prepended to the secret key) and can be cracked easily within minutes, so it is no longer recommended.

The weak points of WEP are that the IV is too small (24 bits repeat after a few thousand frames, and a repeated IV under the same key means a reused keystream), that the secret key is static (the same key is shared by every station and never expires, with no key management at all), and that the integrity check is a plain CRC-32, which is linear and lets an attacker flip bits in a frame without knowing the key.
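The weaknesses just listed, shown in Python as an added example (not code from the page): a plain RC4 implementation, WEP-style framing with the 24-bit IV prepended to the key, the keystream reuse that follows from an IV collision, a bit-flip that survives the CRC-32 check, and the birthday estimate of how many frames it takes for an IV to repeat. The key, IVs and frame contents are constructed; the RC4 test vector ("Key"/"Plaintext") is the standard published one.

```python
import math
import zlib

# Added example: what WEP's RC4-with-24-bit-IV construction leaks. Not code from the
# page; key, IVs and frame contents are constructed for illustration.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA) XORed with data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32: linear, and not a MAC."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (3 bytes, sent in clear) || RC4_{IV||key}(payload || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV with a 40- or 104-bit key")
    return iv + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    payload, received_icv = clear[:-4], clear[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch")
    return payload


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Same key and same IV mean the same RC4 keystream, so
    C1 XOR C2 = P1 XOR P2: known plaintext in one frame exposes the other."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames do not share an IV")
    return xor_bytes(frame1[3:], frame2[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted payload without the key: XOR delta into the ciphertext and fix the
    encrypted ICV using CRC linearity, crc(P XOR D) = crc(P) XOR crc(D) XOR crc(0...0)."""
    payload_len = len(frame) - 3 - 4
    if len(delta) != payload_len:
        raise ValueError("delta must cover the whole payload")
    icv_delta = xor_bytes(icv(delta), icv(b"\x00" * payload_len))
    return frame[:3] + xor_bytes(frame[3:], delta + icv_delta)


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: number of frames after which some IV has repeated with the given probability."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x0a\x0b\x0c"   # constructed 40-bit key and IV
    f1 = wep_encrypt(key, iv, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, b"POST /login.php ")
    print("C1^C2 =", keystream_reuse_leak(f1, f2)[:16])
    print("frames for a 50% IV repeat:", round(frames_until_iv_collision()))
```

Roughly 4,800 frames, a few seconds of traffic on a busy AP, give a 50% chance that an IV has already repeated; a client that resets its IV counter to zero on every reboot makes it far worse. Neither the leak nor the bit-flip needs the key, which is why no amount of key length fixes WEP.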

Wi-Fi Protected Access (WPA)

In 2003, the Wi-Fi Alliance developed WPA to address WEP's weaknesses while remaining deployable on existing hardware. Perhaps the most important improvement in WPA is the Temporal Key Integrity Protocol (TKIP), which mixes a fresh key for every frame and renews the temporal key regularly. While still using RC4, TKIP's per-packet keys and 48-bit sequence counter remove the IV reuse and weak-key problems of WEP and make it much harder for a key to be recovered. In addition, data integrity was improved through a keyed message integrity check, Michael (MIC), in place of WEP's CRC-32, together with countermeasures when MIC failures are detected.

In general, WPA still uses RC4 encryption which is considered an insecure algorithm so many people viewed WPA as a temporary solution for a new security standard to be released (WPA2).

Wi-Fi Protected Access 2 (WPA2)

In 2004, the Wi-Fi Alliance updated the WPA specification by replacing RC4/TKIP with the Advanced Encryption Standard in Counter mode with CBC-MAC (AES-CCMP), calling the new standard WPA2; it corresponds to the ratified IEEE 802.11i standard. AES is much stronger than RC4, but it requires more modern hardware (most chipsets since then implement it in hardware). Both WPA and WPA2 can run in Personal mode (a pre-shared key derived from a passphrase, suitable for homes and small offices, where the whole network is only as strong as the passphrase) or Enterprise mode (per-user 802.1X/EAP authentication against a RADIUS server, which yields a unique master key per session).

Standard | Key distribution                                | Encryption
WEP      | Static pre-shared key, shared by all stations   | RC4 (weak)
WPA      | Dynamic per-session keys (PSK or 802.1X)        | TKIP (RC4)
WPA2     | Dynamic per-session keys (PSK or 802.1X)        | AES-CCMP

Wireless Interference

The 2.4 GHz & 5 GHz spectrum bands are unlicensed so many applications and devices operate on it, which cause interference. Below is a quick view of the devices operating in these bands:

+ Cordless phones: operate on 3 frequencies, 900 MHz, 2.4 GHz, and 5 GHz. As you can realize, 2.4 GHz and 5 GHz are the frequency bands of 802.11b/g and 802.11a wireless LANs.

Most cordless phones nowadays operate in the 2.4 GHz band and use frequency hopping spread spectrum (FHSS). As explained above, FHSS hops across the entire 2.4 GHz band, while 802.11b/g uses DSSS and occupies about one third of the band (one channel), so a cordless phone in use can cause significant interference to your WLAN.

wireless_cordless_phone.jpg

An example of cordless phone

+ Bluetooth: same as cordless phone, Bluetooth devices also operate in the 2.4 GHz band with FHSS technology. Fortunately, Bluetooth does not cause as much trouble as cordless phone because it usually transfers data in a short time (for example you copy some files from your laptop to your cellphone via Bluetooth) within short range. Moreover, from version 1.2 Bluetooth defined the adaptive frequency hopping (AFH) algorithm. This algorithm allows Bluetooth devices to periodically listen and mark channels as good, bad, or unknown so it helps reduce the interference with our WLAN.

+ Microwaves (mostly from oven): do not transmit data but emit high RF power and heating energy. The magnetron tubes used in the microwave ovens radiate a continuous-wave-like at frequencies close to 2.45 GHz (the center burst frequency is around 2.45 – 2.46 GHz) so they can interfere with the WLAN.

+ Other 2.4 GHz radios and antennas: neighbouring WLANs, point-to-point links and high-gain antennas on the same channels compete with your network, so survey which channels are already in use before picking yours.

+ Metal materials or materials that conduct electricity deflect Wi-Fi signals and create blind spots in your coverage. Some of examples are metal siding and decorative metal plates.

+ Game controller, Digital Video Monitor, Wireless Video Camera, Wireless USB may also operate at 2.4 GHz and cause interference too.

Monday, February 11, 2013

CCNA Video - New Cisco certifications


Highlighting the increasing use of high-quality video traffic over the network, Cisco announced the release of the Cisco CCNA Video and Cisco Video Network Specialist certifications. CCNA Video is designed for video professionals who design, install and support video solutions on Video-Voice-over-IP networks.

The new Cisco Video Network Specialist certification enables traditional analog audiovisual (Pro A/V) specialists, as well as other networking professionals, to extend their skills to meet the growing demand for networked video job roles.

These programs expand career opportunities for employees of enterprise, government, service provider and reseller partner organizations transitioning from other areas such as routing and switching, voice and unified communications to video networking.

CCNA Video

A job-role-focused training and certification program, CCNA Video establishes an individual’s ability to deploy video endpoints, set up new users, and operate networked voice and video solutions for job duties that include configuring voice and video single-screen endpoint devices, supporting telephony and video applications, and troubleshooting. The certification also validates a candidate’s knowledge of the architecture, components, functionalities and features of Cisco Unified Communications Manager solutions. 

VIVND 200-001 and ICOMM 640-461 exams are requirements for the CCNA Video certification. Recommended training is available from Cisco and authorized Cisco Learning Partners.

Cisco Video Network Specialist

In order to prepare individuals for career opportunities as video technicians, video administrators or audiovisual installers in IP-networked environments, the Cisco Video Network Specialist certification establishes and enhances key skills including the ability to configure video single-screen endpoints, set up new user accounts, support video applications and troubleshoot networked video solutions.

The VIVND 200-001 exam is required for Cisco Video Network Specialist certification.


 

Saturday, January 26, 2013

Network Management Command - Must Know


Basic and most commonly used commands to test the physical network

1. Basic connectivity test
ping 192.168.0.1 -t   (the -t switch keeps pinging until the user interrupts it with Ctrl+C)
ping is the most commonly used command, and to make life easier for administrators some routers build it in, for example the HaiZhiZhu ("Sea Spider") router.

2. View DNS, IP and MAC settings
A. Win98: winipcfg
B. Windows 2000 and later: ipconfig /all
C. nslookup: query a DNS server interactively (the example below uses a Hebei Telecom DNS server)
C:\> nslookup
Default Server: ns.hesjptt.net.cn
Address: 202.99.160.68
> server 202.99.41.2        (switches the server used for queries to 202.99.41.2)
> pop.pcpop.com
Server: ns.hesjptt.net.cn
Address: 202.99.160.68
Non-authoritative answer:
Name: pop.pcpop.com
Address: 202.99.160.212

3. Network messenger (a frequently asked question)
net send <computer name | IP | *> <message>   (* broadcasts; note that it cannot cross network segments)
net stop messenger    stops the Messenger service (it can also be managed in Control Panel - Services)
net start messenger   starts the Messenger service
(The Messenger service only exists up to Windows XP/Server 2003; it was removed in later versions.)

4. Probe another host's computer name, workgroup, domain and user name (handy when hunting down a machine)
ping -a <IP> -t          shows only the NetBIOS name
nbtstat -a 192.168.1.1   shows the full NetBIOS name table

5. Open ports and statistics
netstat -a       shows all open ports on your computer
netstat -s -e    shows more detailed network statistics, including TCP, UDP, ICMP and IP counters

6. Probe the ARP table (dynamic and static entries): every host that has exchanged frames with this computer, with its IP and MAC address
arp -a

7. Bind IP and MAC addresses on the proxy server side to stop IP address theft inside the LAN:
arp -s 192.168.10.59 00-50-ff-6c-08-75
Delete a NIC's IP/MAC binding:
arp -d <NIC IP>
(A static ARP entry protects only the host it is configured on; it does not stop the thief from talking to everyone else.)

8. Hide your computer in Network Neighborhood (so others cannot see you)
net config server /hidden:yes
net config server /hidden:no    makes it visible again

9. Several net commands
A. net view   displays the list of servers in the current workgroup; without options it displays the computers in the current domain or network.
For example, to view the shared resources on a given IP:
C:\> net view 192.168.10.8
Shared resources at 192.168.10.8
Share name         Type   Used as   Comment
--------------------------------------
Website Services   Disk
The command completed successfully.
B. net user   views the list of user accounts on the computer
C. net use    views network connections
For example: net use z: \\192.168.10.8\movie   maps the "movie" share on that IP to local drive Z:
D. net session   lists the sessions other computers have open to this one
For example:
C:\> net session
Computer            User name   Client Type          Opens   Idle time
----------------------------------------------------------------------
\\192.168.10.110    ROME        Windows 2000 2195    0       00:03:12
\\192.168.10.51     ROME        Windows 2000 2195    0       00:00:39
The command completed successfully.

10. Trace route commands
A. tracert pop.pcpop.com    shows the route to the host
B. pathping pop.pcpop.com   in addition to showing the route, it analyses and calculates the percentage of lost packets per hop (the analysis takes about 325 s)
To make network management easier, the HaiZhiZhu router is designed to provide the administrator with these tools built in: ping tests, trace route (tracert), a subnet calculator (netcalc), whois query, IP location lookup and domain name query (nslookup). With these common tools, network management is even easier.
 

Saturday, November 24, 2012

OSPF Basics


What Is OSPF?
• Open Shortest Path First
• Link State Protocol using the Shortest Path First algorithm (Dijkstra) to calculate loop-free routes
• Used purely within the TCP/IP environment
• Designed to respond quickly to topology changes but using minimal protocol traffic
• Used in both Enterprise and Service Provider Environment
• Uses IP protocol 89
• Metric is cost, based on interface bandwidth by default (10^8 / BW in bps)
• Sends partial route updates only when there are changes
• Send hello packets every 10 sec with dead timer of 40 sec over Point to Point & Broadcast networks
• Send hello packets every 30 sec with dead timer of 120 sec over NBMA networks
• Uses multicast address 224.0.0.5 (ALL SPF Routers)
• Uses multicast address 224.0.0.6 (ALL DR Routers)

Different Types of OSPF LSAs
1. Router Link State Advertisement (Type 1 LSA)
2. Network Link State Advertisement (Type 2 LSA)
3. Summary Link State Advertisements (Type 3 for inter-area networks, Type 4 for the location of an ASBR)
4. External Link State Advertisement (Type 5 LSA)
5. NSSA External Link State Advertisement (Type 7 LSA)

Different types of OSPF Packet
1. Hello
2. Database description
3. Link State Request
4. Link State Update
5. Link State Acknowledgement

Different Types of OSPF Areas
Regular Area: ABRs forward all LSAs from backbone
• Summary LSA (summarized/non-summarized) from other areas injected
• External links injected

Stub Area: An area into which External (Type 5) LSAs are not flooded; routers inside reach external destinations through a default route from the ABR. A stub area may have more than one ABR, but it cannot contain an ASBR (if you need to redistribute external routes inside the area, configure it as an NSSA)
• Summary LSAs from other areas injected
• LSA type 5 not injected
• Default LSA injected into area as Summary LSA
• Define all routers in area as stub
• External link flaps will not be injected
Consolidates specific external links— default 0.0.0.0
Used in networks with a lot of LSA Type 5

Totally Stubby Area
A Totally Stubby Area Forwards Default Link 0.0.0.0
The ABR will block not only the AS External LSAs but also all Summary LSAs, except a single Type 3 LSA to advertise the default route.

Not So Stubby Areas (NSSA)
Benefits of stub area, but ASBR is allowed

New type external LSA (type 7)
• Type 7 LSAs flooded throughout the area
• No type 5 external LSAs in the area
• Type 7 LSAs will be converted into type 5 LSAs when flooded into area 0 by ABRs
Filtering and summaries allowed at ABRs

Areas are used to make OSPF Scale
• OSPF uses a 2 level hierarchical model
• One SPF per area, flooding done per area
• Regular, Stub, Totally Stubby and NSSA Area Types
• A router has a separate LS database for each area to which it belongs
• All routers belonging to the same area should have identical databases
• SPF calculation is performed independently for each area
• LSA flooding is bounded by area
• A full SPF recalculation is on the order of n log n operations, where n is the number of links in the area, and it is triggered whenever a link in the area flaps, so bounding the area also bounds the cost of churn
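An added Python example (not from the page) of the points above: cost from the reference bandwidth, an LSDB built from a constructed set of links, Dijkstra run from one router, and the resulting next hops. The router names and bandwidths are made up.

```python
import heapq
import math

# Added example: OSPF cost from bandwidth and an SPF (Dijkstra) run over a small,
# constructed link-state database. Not code from the page; the topology is made up.

REFERENCE_BANDWIDTH = 100_000_000   # IOS default auto-cost reference-bandwidth, 10^8 bps


def ospf_cost(bandwidth_bps: int) -> int:
    """cost = reference / bandwidth, truncated, never below 1. Note the caveat this
    exposes: with the default reference every link of 100 Mbps or faster costs 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed topology: (router A, router B, link bandwidth in bps)
LINKS = [
    ("R1", "R2", 100_000_000),      # FastEthernet
    ("R2", "R4", 100_000_000),      # FastEthernet
    ("R1", "R3", 10_000_000),       # Ethernet
    ("R3", "R4", 1_000_000_000),    # GigabitEthernet, still cost 1
    ("R1", "R4", 1_544_000),        # T1 serial
]


def build_lsdb(links):
    """Adjacency map router -> {neighbour: cost}, as each router reconstructs it from Type 1 LSAs."""
    lsdb = {}
    for a, b, bw in links:
        lsdb.setdefault(a, {})[b] = ospf_cost(bw)
        lsdb.setdefault(b, {})[a] = ospf_cost(bw)
    return lsdb


def spf(lsdb, root):
    """Dijkstra with a binary heap: O(E log V), the 'n log n' cost of a full recalculation."""
    dist, prev, done = {root: 0}, {}, set()
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            if d + cost < dist.get(v, math.inf):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev


def path(prev, root, dst):
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def routing_table(lsdb, root):
    """destination -> (total cost, next hop), i.e. what 'show ip route ospf' would install."""
    dist, prev = spf(lsdb, root)
    return {dst: (dist[dst], path(prev, root, dst)[1]) for dst in dist if dst != root}


if __name__ == "__main__":
    for dst, (cost, nexthop) in sorted(routing_table(build_lsdb(LINKS), "R1").items()):
        print(f"{dst}: cost {cost} via {nexthop}")
```

With the default reference bandwidth the Gigabit link and the FastEthernet links all cost 1, so R1 reaches R3 via R2 and R4 (cost 3) rather than over its direct 10 Mbps link (cost 10); raise auto-cost reference-bandwidth on every router in the domain if you have links faster than 100 Mbps.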


 

Saturday, September 22, 2012

Free Cisco Labs for Certification

 
Looking for some practical experience with Cisco routers and switches for little to no cost? There's no shortage of free Cisco labs on the Web.
 
These sites are designed to assist network operators and Cisco certification students with common problems or challenges that crop up in configuring Cisco networks. In some instances, they may serve as teasers to get students to pay for more elaborate and comprehensive testing services.
 
Here's a sample of six free Cisco labs available either online or in person:
 
PacketLife Community Lab - Currently offline until November, the PacketLife community Lab provides free access to "modern" Cisco networking equipment for training purposes. Lab equipment and other costs are provided or sponsored by the site's owner, commercial sponsors, and voluntary contributions by community members.
 
Free Cisco Catalyst Switch Lab - This non-commercial effort provides free 24x7 access to Cisco Catalyst switches to learn networking, Cisco IOS, and prepare for certification exams. It requires no reservation or registration. Users telnet in to get 80-90 minutes per session on each console line, a one hour waiting period, and a two hour reset period. Users have many logins and sessions per day on each console, and can login to as many devices as they want that are available. Each line is timed separately.
 
Free Cisco Lab -- Free Cisco Lab is dedicated to providing educational help for students pursuing Cisco certifications. It provides exam preps, practice exams and free lab scenarios for routing, switching, security, wireless, and VOIP. It is operated by Barry Burdette, a 15-year network industry veteran who has designed, installed and maintained network infrastructure during his career.
 
Free Cisco Lab Simulators - The Ciscoconsole site has a link to free Cisco lab simulators available for download. One is the GNS3 simulator, an open source program that allows users to design complex network topologies. The program enables emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, and Juniper's Junos. It also simulates simple Ethernet, ATM and frame relay switches, and enables connection of the simulated network to production networks. GNS3 also performs packet capture using Wireshark. It can be run on multiple operating systems, including Windows, Linux, and MacOS X.
 
Dynamips - Dynamips is an emulator program for Cisco routers. It emulates Cisco router hardware by booting a Cisco IOS image into the emulator. Dynamips emulates Cisco 1700, 2600, 3600, 3700, and 7200 series routers for testing and experimenting with IOS features, and checking configuration before production deployment. GNS3 can be a graphical front-end for Dynamips; another front-end is Dynagen. Dynamips runs on Linux, Mac OS X or Windows.
 
Free CCNA Workbook - This site provides a free lab to those that prefer to use real equipment over emulated gear from Dynamips/Dynagen/GNS3. The lab consists of Cisco 3725, 3550 and 2950 hardware running 12.4 images of IOS. Each lab session is limited to total of three consecutive hours, which equates to eight sessions per day. Users are only permitted to schedule one session at any given time.
 
 

Sunday, August 19, 2012

Collection Of Cisco Commands Used For Configuration

 

Below is collection of Cisco commands that are often used in configuration. It covers 90% of CCNA commands.

__
Basic commands

enable - Enters privileged exec mode
conf t - Enters global configuration mode
hostname <name> - Renames the router to <name>
exit - Back one level
end - Back to privileged exec (#)

banner motd * <text> * - Sets the login banner; the text is delimited by *
enable secret <password> - Sets the enable password, stored as a hash (preferred over enable password)

int <x> - Configures interface x
ip address <ip> <mask> - Sets the IP address and mask on the interface
no shutdown - Brings the interface up (shutdown closes it)
clock rate <n> - Clock rate n (bps) on the DCE end of a serial link
bandwidth <n> - Sets the bandwidth to n kilobits (affects routing metrics only, not speed)

line console 0 - Configures the console line
line vty 0 4 - Configures vty lines 0-4
password <x> - Sets password x for the line
login - Requires the line password at login

service password-encryption - Obscures plaintext passwords in the config (type 7, trivially reversible; it only stops shoulder surfing)
no ip domain-lookup - Stops the router resolving mistyped commands as hostnames
ip default-gateway <ip> - Default gateway (when IP routing is disabled)
ip default-network <net> - Default network (when routing is enabled)
ip route 0.0.0.0 0.0.0.0 <next-hop | interface> - Default route
ip route <dest> <mask> <next-hop | interface> - Static route
ip route <dest> <mask> <next-hop> <AD> - Static route with administrative distance AD (e.g. a floating static backup)
logging trap debugging - Sends all message levels, including debug, to the syslog server

copy run start - Copies the running config to the startup config
erase startup-config - Erases the startup config
delete flash:<file> - Deletes a file from flash memory


__
Basic sh/debug commands

sh history - Shows history
sh run/start - Shows running/start config
sh int - Shows interfaces
sh arp - Shows arp
sh ip ro - Shows ip routes
sh prot - Shows protocols
sh users - Shows users

sh ip route
sh protocols
sh interface

debug ip rip/eigrp/ospf

__
SSH and user

hostname <name>
ip domain-name <domain>
crypto key generate rsa - Generates the RSA key pair SSH uses (hostname and domain name must be set first; choose a 2048-bit modulus when prompted)

line vty 0 4
no transport input
transport input ssh - Allows SSH only on the vty lines (telnet sends passwords in clear text); use login local on these lines to authenticate against the users below

username <name> privilege <0-15> secret <password> - Creates a local user with the given privilege level and a hashed password

__
DHCP commands

ip dhcp pool <x> - Creates a DHCP pool named x and enters its configuration
network <ip> <mask> - Network and mask the pool hands out
ip dhcp excluded-address <first-ip> [last-ip] - Addresses never handed out (e.g. 192.168.1.7 192.168.1.10), set in global config
dns-server <ip> - DNS server given to DHCP clients
domain-name <x> - Domain name given to DHCP clients
default-router <ip> - Default gateway given to DHCP clients
lease <n> - Lease time (n days) for DHCP clients

DHCP for VLANs

1. Create the VLANs (vlan 10) and assign ports to them
2. Create the trunk link to the router
3. Create a subinterface on the router (int fa0/0.10)
4. Set encapsulation dot1q 10 and the IP address
5. Make a DHCP pool for the VLAN's network
6. In the pool set the default-router
7. Have the clients request DHCP

Note --> the default-router is the subinterface IP address

__
ACLs

1-99 and 1300-1999: standard (match on source address only)
100-199 and 2000-2699: extended (match on protocol, source, destination and ports)

access-list 1 permit <source> <wildcard> - Permits the source on standard ACL 1
access-list 101 permit <proto> <source> <wildcard> <dest> <wildcard> [port] - Permits on extended ACL 101
ip access-list extended <name> - Named ACL; enters (config-ext-nacl)#, where entries are written as permit/deny lines

Example with the established keyword (matches only TCP segments with the ACK or RST bit set, i.e. replies to sessions opened from the inside). A standard ACL cannot specify a protocol, so this must be an extended ACL, and the wildcard for a /24 is 0.0.0.255, not 0.0.255.255:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80 established

lt = less than
gt = greater than
neq = not equal
eq = equal
range = range of ports

int <x>
ip access-group <acl> {in | out} - Applies the ACL to the interface in one direction (every ACL ends with an implicit deny any, so an ACL with no permit blocks everything)

__
NAT/PAT commands

Static NAT
ip nat inside - On the inside interface
ip nat outside - On the outside interface
ip nat inside source static <inside-local> <inside-global> - One-to-one translation (global config)
ip nat outside source static <outside-global> <outside-local> - Translates an outside address as seen from the inside (global config)

Dynamic NAT
ip nat pool <name> <start-ip> <end-ip> netmask <mask> - Makes a pool of global addresses
ip nat inside source list <acl> pool <name> - Translates sources matched by the ACL using the pool

Port Translation (PAT)
ip nat inside source list <acl> interface <outside-int> overload - Configures PAT on the outside interface address using the ACL

sh ip nat translations
sh ip nat statistics

__
Switch Port security commands

switchport mode access - Puts the port in access mode (port security needs a static access or trunk port, not dynamic)
switchport port-security - Enables port security (the default violation action is shutdown, which err-disables the port)
switchport port-security mac-address <mac> - Configures a secure MAC address statically
switchport port-security maximum <n> - Sets the maximum number of secure addresses to n
switchport port-security mac-address sticky - Learns MAC addresses dynamically and adds them to the running config

__
VLANs and VTP

sh dtp interface - To determine current settings

__
STP
spanning-tree vlan 1-4094 priority
spanning-tree vlan 1-4094 root primary
spanning-tree vlan 1-4094 root secondary

__
CDP commands

cdp run - Enables CDP globally
no cdp run - Disables CDP globally
cdp enable - Enables CDP on an interface
no cdp enable - Disables CDP on an interface (recommended on ports facing untrusted devices, since CDP advertises the platform, IOS version and addresses in clear text)
sh cdp <x> - Shows CDP information (x=entry/interface/neighbors)

__
RIP
router rip - Router rip config
version - Sets version
network - Sets given ips for RIP
default-information originate - Advertise static routes

Secure RIP

Int-->
ip rip authentication mode md5 - Uses MD5 authentication for RIP on the interface
ip rip authentication key-chain <name> - Uses the named key chain for authentication (the key chain must be defined first)

__
EIGRP

router eigrp <AS> - Enters EIGRP config for the autonomous system number
network <ip> [wildcard] - Sets the networks to advertise
no auto-summary - Disables automatic summarisation at classful boundaries
redistribute <protocol> - Redistributes routes from another protocol

IOS recovery from ROMmon
tftpdnld - Downloads an IOS image over TFTP from ROMmon; the server address and the IOS filename on the server are set first in the TFTP_SERVER and TFTP_FILE variables

Friday, August 10, 2012

Network Interview Questions - Part 2

Q51. What are the data units at different layers of the TCP / IP protocol suite?
Ans. The data unit created at the application layer is called a message, at the transport layer the data unit created is called either a segment or an user datagram, at the network layer the data unit created is called the datagram, at the data link layer the datagram is encapsulated in to a frame and finally transmitted as signals along the transmission media.

Q52. What is Project 802?
Ans. It is a project started by IEEE to set standards that enable intercommunication between equipment from a variety of manufacturers. It is a way for specifying functions of the physical layer, the data link layer and to some extent the network layer to allow for interconnectivity of major LAN protocols.
It consists of the following:
  • 802.1 is an internetworking standard for compatibility of different LANs and MANs across protocols.
  • 802.2 Logical link control (LLC) is the upper sublayer of the data link layer which is non-architecture-specific, that is remains the same for all IEEE-defined LANs.
  • Media access control (MAC) is the lower sublayer of the data link layer that contains some distinct modules each carrying proprietary information specific to the LAN product being used. The modules are Ethernet LAN (802.3), Token bus LAN (802.4) and Token ring LAN (802.5).
  • 802.6 is distributed queue dual bus (DQDB) designed to be used in MANs.
Q53. What is Bandwidth?
Ans. Every line has an upper limit and a lower limit on the frequency of signals it can carry. This limited range is called the bandwidth.

Q54. Difference between bit rate and baud rate.
Ans. Bit rate is the number of bits transmitted during one second whereas baud rate refers to the number of signal units per second that are required to represent those bits.
baud rate = bit rate / N, where N is the number of bits represented by each signal shift.

Q55. What is MAC address?
Ans. The address for a device as it is identified at the Media Access Control (MAC) layer in the network architecture. MAC address is usually stored in ROM on the network adapter card and is unique.

Q56. What is attenuation?
Ans. The degeneration of a signal over distance on a network cable is called attenuation.

Q57. What is cladding?
Ans. A layer of a glass surrounding the center fiber of glass inside a fiber-optic cable.

Q58. What is RAID?
Ans. A method for providing fault tolerance by using multiple hard disk drives.

Q59. What is NETBIOS and NETBEUI?
Ans. NETBIOS is a programming interface that allows I/O requests to be sent to and received from a remote computer, and it hides the networking hardware from applications.
NETBEUI is the NetBIOS Extended User Interface, a transport protocol designed by Microsoft and IBM for use on small subnets.

Q60. What is redirector?
Ans. A redirector is software that intercepts file or print I/O requests and translates them into network requests. This comes under the presentation layer.

Q61. What is Beaconing?
Ans. The process that allows a network to self-repair network problems. The stations on the network notify the other stations on the ring when they are not receiving transmissions. Beaconing is used in Token Ring and FDDI networks.

Q62. What is terminal emulation, in which layer it comes?
Ans. Telnet is also called terminal emulation. It belongs to the application layer.

Q63. What is frame relay, in which layer it comes?
Ans. Frame relay is a packet switching technology. It will operate in the data link layer.

Q64. What do you mean by “triple X” in networks?
Ans. The function of the PAD (Packet Assembler Disassembler) is described in a document known as X.3. A standard protocol has been defined between the terminal and the PAD, called X.28; another standard protocol exists between the PAD and the network, called X.29. Together, these three recommendations are often called “triple X”.

Q65. What is SAP?
Ans. A series of interface points that allow other computers to communicate with the other layers of the network protocol stack.

Q66. What is subnet?
Ans. A generic term for a section of a large network, usually separated by a bridge or router.

Q67. What is Brouter?
Ans. A hybrid device that combines the features of both bridges and routers.

Q68. How is a gateway different from a router?
Ans. A gateway operates at the upper levels of the OSI model and translates information between two completely different network architectures or data formats.

Q69. What are the different type of networking / internetworking devices?
Ans. Repeater:
Also called a regenerator, it is an electronic device that operates only at the physical layer. It receives the signal in the network before it becomes weak, regenerates the original bit pattern and puts the refreshed copy back into the link.

Bridges:
These operate in both the physical and data link layers of LANs of the same type. They divide a larger network into smaller segments. They contain logic that allows them to keep the traffic for each segment separate; thus they are repeaters that relay a frame only to the side of the segment containing the intended recipient, and so control congestion.

Routers:
They relay packets among multiple interconnected networks (i.e. LANs of different types). They operate in the physical, data link and network layers. They contain software that enables them to determine which of the several possible paths is the best for a particular transmission.

Gateways:
They relay packets among networks that have different protocols (e.g. between a LAN and a WAN). They accept a packet formatted for one protocol and convert it to a packet formatted for another protocol before forwarding it. They operate in all seven layers of the OSI model.

Q70. What is mesh network?
Ans. A network in which there are multiple network links between computers to provide multiple paths for data to travel.

Q71. What is passive topology?
Ans. When the computers on the network simply listen and receive the signal, they are referred to as passive because they don’t amplify the signal in any way. Example for passive topology – linear bus.

Q72. What are the important topologies for networks?
Ans. BUS topology:
In this each computer is directly connected to the primary network cable in a single line.
Advantages:
Inexpensive, easy to install, simple to understand, easy to extend.

STAR topology:
In this all computers are connected using a central hub.
Advantages:
Can be inexpensive, easy to install and reconfigure, and easy to troubleshoot for physical problems.

RING topology:
In this all computers are connected in a loop.
Advantages:
All computers have equal access to the network media, installation can be simple, and the signal does not degrade as much as in other topologies because each computer regenerates it.

Q73. What are the major types of networks? Explain.
Server-based network
Peer-to-peer network

Ans. In a peer-to-peer network, computers can act both as servers sharing resources and as clients using the resources.
Server-based networks provide centralized control of network resources and rely on server computers to provide security and network administration.

Q74. What is Protocol Data Unit?
Ans. The data unit at the LLC level is called the protocol data unit (PDU). The PDU consists of four fields: a destination service access point (DSAP), a source service access point (SSAP), a control field and an information field. DSAP and SSAP are addresses used by the LLC to identify the protocol stacks on the receiving and sending machines that are generating and using the data. The control field specifies whether the PDU frame is an information frame (I-frame), a supervisory frame (S-frame) or an unnumbered frame (U-frame).
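To make the PDU layout concrete, here is an added example (not part of the original post) that parses the four fields of an IEEE 802.2 LLC PDU from raw bytes and classifies the control field as an I-, S- or U-frame from its low-order bits. The SAP names and the U-frame command codes are standard 802.2/HDLC values; the sample PDUs at the bottom are constructed by hand for the demonstration, not captured traffic.

```python
"""Decode an IEEE 802.2 LLC PDU header: DSAP, SSAP, control, information.

Added example, not code from the original post. Sample PDUs are constructed.
"""
from dataclasses import dataclass

# Well-known service access points (values per IEEE 802.2 / IANA assignments)
SAP_NAMES = {0x42: "STP BPDU", 0xAA: "SNAP", 0xE0: "Novell IPX",
             0xF0: "NetBIOS", 0xFE: "OSI CLNP"}

# U-frame command codes with the poll/final bit (0x10) cleared
U_COMMANDS = {0x03: "UI", 0xAF: "XID", 0xE3: "TEST", 0x6F: "SABME",
              0x63: "UA", 0x43: "DISC", 0x0F: "DM", 0x87: "FRMR"}

# S-frame supervisory function, taken from control bits 2-3
S_FUNCTIONS = {0: "RR", 1: "RNR", 2: "REJ", 3: "SREJ"}


@dataclass
class LlcPdu:
    dsap: int
    ssap: int
    frame_type: str        # "I", "S" or "U"
    detail: str            # e.g. "N(S)=1 N(R)=0", "RR", "UI"
    poll_final: bool
    group_address: bool    # DSAP bit 0: 1 = group (multicast) SAP
    is_response: bool      # SSAP bit 0: 1 = response, 0 = command
    info: bytes


def sap_name(sap: int) -> str:
    """Name a SAP, ignoring the I/G or C/R bit in its low-order bit."""
    return SAP_NAMES.get(sap & 0xFE, f"0x{sap & 0xFE:02x}")


def parse_llc(pdu: bytes) -> LlcPdu:
    if len(pdu) < 3:
        raise ValueError("LLC PDU needs DSAP, SSAP and at least one control byte")
    dsap, ssap, ctl0 = pdu[0], pdu[1], pdu[2]
    if ctl0 & 0x01 == 0:
        # I-frame: bit 0 = 0; 16-bit control with modulo-128 N(S)/N(R)
        if len(pdu) < 4:
            raise ValueError("I-frame needs a two-byte control field")
        ctl1 = pdu[3]
        frame_type = "I"
        detail = f"N(S)={ctl0 >> 1} N(R)={ctl1 >> 1}"
        poll_final = bool(ctl1 & 0x01)
        info = pdu[4:]
    elif ctl0 & 0x03 == 0x01:
        # S-frame: bits 0-1 = 01; 16-bit control, P/F and N(R) in second byte
        if len(pdu) < 4:
            raise ValueError("S-frame needs a two-byte control field")
        ctl1 = pdu[3]
        frame_type = "S"
        detail = S_FUNCTIONS[(ctl0 >> 2) & 0x03]
        poll_final = bool(ctl1 & 0x01)
        info = pdu[4:]
    else:
        # U-frame: bits 0-1 = 11; single control byte, P/F is bit 4
        frame_type = "U"
        detail = U_COMMANDS.get(ctl0 & 0xEF, f"unknown(0x{ctl0:02x})")
        poll_final = bool(ctl0 & 0x10)
        info = pdu[3:]
    return LlcPdu(dsap, ssap, frame_type, detail, poll_final,
                  bool(dsap & 0x01), bool(ssap & 0x01), info)


def describe(pdu: bytes) -> str:
    p = parse_llc(pdu)
    role = "response" if p.is_response else "command"
    return (f"{sap_name(p.dsap)} <- {sap_name(p.ssap)} {p.frame_type}-frame "
            f"{p.detail} {role} P/F={int(p.poll_final)} info={p.info.hex()}")


# Constructed sample PDUs (not captured traffic)
SAMPLE_PDUS = {
    "stp_bpdu": b"\x42\x42\x03" + b"\x00\x00\x00\x00",        # UI to the STP SAP
    "snap_ip": b"\xaa\xaa\x03\x00\x00\x00\x08\x00",            # UI, SNAP header for IPv4
    "netbios_i": b"\xf0\xf0\x02\x00\x41",                      # I-frame N(S)=1 N(R)=0
    "netbios_rr_resp": b"\xf0\xf1\x01\x03",                    # RR response, P/F=1, N(R)=1
}

if __name__ == "__main__":
    for name, raw in SAMPLE_PDUS.items():
        print(f"{name:16s} {describe(raw)}")
```

The LSB of DSAP is the individual/group bit and the LSB of SSAP is the command/response bit, which is why `sap_name` masks it off before the lookup; a decoder that forgets this will misname every response PDU.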

Q75. What is difference between baseband and broadband transmission?
Ans. In a baseband transmission, the entire bandwidth of the cable is consumed by a single signal. In broadband transmission, signals are sent on multiple frequencies, allowing multiple signals to be sent simultaneously.

Q76. What are the possible ways of data exchange?
Ans. (i) Simplex (ii) Half-duplex (iii) Full-duplex.

Q77. What are the types of Transmission media?
Ans. Signals are usually transmitted over some transmission media, which are broadly classified into two categories.
Guided Media:
These are media that provide a conduit from one device to another; they include twisted-pair, coaxial cable and fiber-optic cable. A signal traveling along any of these media is directed and is contained by the physical limits of the medium. Twisted-pair and coaxial cable use metallic conductors that accept and transport signals in the form of electrical current. Optical fiber is a glass or plastic cable that accepts and transports signals in the form of light.
Unguided Media:
This is wireless media that transport electromagnetic waves without using a physical conductor. Signals are broadcast through the air. This is done through radio communication, satellite communication and cellular telephony.

Q78. Difference between the communication and transmission.
Ans. Transmission is the physical movement of information and concerns issues like bit polarity, synchronization, clock, etc.
Communication means the meaningful exchange of information between two communication media.

Q79.The Internet Control Message Protocol occurs at what layer of the seven layer model?
Ans. Network

Q80.Which protocol resolves an IP address to a MAC address?
Ans. ARP

Q81.MIDI and MPEG are examples of what layer of the OSI seven layer model?
Ans. Presentation

Q82.What is the protocol number for UDP?
Ans. 17

Q83.Which protocol is used for booting diskless workstations?
Ans. RARP

Q84.Which layer is responsible for putting 1s and 0s into a logical group?
Ans. Physical

Q85.What does ‘P’ mean when running a Trace?
Ans. Protocol unreachable

Q86.UDP works at which layer of the DOD model?
Ans. Host to Host

Q87.What is the default encapsulation of Netware 3.12?
Ans. 802.2

Q88.Ping uses which Internet layer protocol?
Ans. ICMP

Q89.Which switching technology can reduce the size of a broadcast domain?
Ans. VLAN

Q90.What is the first step in data encapsulation?
Ans. User information is converted into data.

Q91.What is the protocol number for TCP?
Ans. 6

Q92.What do you use the Aux port for?
Ans. Modem

Q93.Repeaters work at which layer of the OSI model?
Ans. Physical

Q94.WAN stands for which of the following?
Ans. Wide Area Network

Q95.What ISDN protocol specifies concepts, terminology, and services?
Ans. I

Q96.LAN stands for which of the following?
Ans. Local Area Network

Q97.DHCP stands for
Ans. Dynamic Host Configuration Protocol

Q98.What does the acronym ARP stand for?
Ans. Address Resolution Protocol

Q99.Which layer is responsible for identifying and establishing the availability of the intended communication partner?
Ans. Application.

Q100.Which OSI layer provides the mechanical, electrical and procedural means for activating and maintaining the physical link?
Ans. Physical
