Cisco ICND2 – Describe IPv6 addresses

Some differences between IPv4 and IPv6:

  • Address size increased from 32 bits to 128 bits
  • 8 groups of 4 hex characters each
  • Periods (.) replaced by colons (:)
  • Loopback 0:0:0:0:0:0:0:1 or ::1

Here is an example of an IPv6 address:

2013:0022:0000:0000:0FA1:76BB:EB67:00BB

We can make the IPv6 address a little easier to read by replacing one run of consecutive all-zero groups with ::. This can only be done once per address.

2013:0022::0FA1:76BB:EB67:00BB

We can take this further and drop the leading zeros of each group; this can be done in as many groups as needed.

2013:22::FA1:76BB:EB67:BB

IPv6-01 Making sense out of an IPv6 Address by Keith Barker
IPv6-02 Lov’n the Link Local Address by Keith Barker

Cisco ICND2 – Describe the technological requirements for running IPv6 (including: protocols, dual stack, tunneling, etc)

IPv6 is the new IP addressing scheme that will be replacing IPv4. Why? We are running out of IPv4 addresses. Technology keeps growing (smartphones, tablets, fridges with internet), with more and more devices being attached to the Internet via 3G/4G/broadband etc, each consuming an IPv4 address.

Requirements for running IPv6

  • Routers and switches must support IPv6
  • Operating systems and NICs must support IPv6 (recent ones do, legacy ones maybe not)
  • It's possible to run IPv4 and IPv6 together using dual stacking
  • Tunneling allows IPv6 to communicate over an IPv4 network to reach another IPv6 network

RIPng

  • Same features as the traditional RIP
  • Support for IPv6
  • Does not support authentication
  • UDP port now 521 instead of port 520
  • Multicast FF02::9
  • Run an instance of RIPng per interface
  • The network command has been replaced by ipv6 rip 1 enable on each interface (1 is the RIPng process name)

EIGRPv6

  • Same features as the traditional EIGRP
  • Support for IPv6
  • Multicast FF02::A
  • network command replaced by ipv6 router eigrp 5
  • The routing process must be enabled with no shutdown

OSPFv6

  • Same features as the traditional OSPF
  • Multicast FF02::5 for OSPF routers / FF02::6 for OSPF-designated routers

Dual stack

  • Allows IPv6 and IPv4 to run alongside each other

Tunneling

  • Encapsulates IPv6 packets within IPv4
  • Allows an IPv6 network to communicate over an IPv4 network to reach another IPv6 network

Cisco ICND2 – Determine the appropriate classless addressing scheme using VLSM and summarization to satisfy addressing requirements in a LAN/WAN environment

Route Summarization

Route summarization is advertising a range of subnets as one. It is commonly used in routing protocols to reduce how many entries are in a routing table and to reduce the size of routing updates. Having many routes can slow the routing process down, so it is best practice to summarise where possible.

Example one

We want to summarise the following routes as one:

192.168.2.20
192.168.2.21
192.168.2.22
192.168.2.23
192.168.2.24

We’ll first convert each of these IPs to binary and find the common bits.

11000000.10101000.00000010.00010100 192.168.2.20
11000000.10101000.00000010.00010101 192.168.2.21
11000000.10101000.00000010.00010110 192.168.2.22
11000000.10101000.00000010.00010111 192.168.2.23
11000000.10101000.00000010.00011000 192.168.2.24

The first three octets are identical in every address. In the last octet the first four bits, 0001, are also common, which is 4 more bits, and converting 4 bits to a subnet mask octet gives 240 (128, 192, 224, 240). The summarization route will be 192.168.2.20 /28

Example two

We want to summarise the following three IPs:

172.16.0.58
172.20.0.59
172.30.0.60

Let's convert these to binary:

10101100.00010000.00000000.00111010 172.16.0.58
10101100.00010100.00000000.00111011 172.20.0.59
10101100.00011110.00000000.00111100 172.30.0.60

The first octet is identical, and in the second octet the first four bits, 0001, are common, giving 8 + 4 = 12 common bits. Converting these 4 bits to a subnet mask octet gives 240.

The summary route is 172.16.0.0 255.240.0.0, or /12.
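The "find the common bits" method from both examples, as an added Python example that is not part of the original notes. It uses the standard library ipaddress module; note that it returns the network address of the summary block, so the first example comes out as 192.168.2.16/28, which is the /28 that contains 192.168.2.20 to .24.

```python
import ipaddress


def common_prefix_length(addrs):
    """Number of leading bits shared by every address (the notes' 'common bits')."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    # XOR with the first address leaves a 1 wherever a bit differs; OR-ing all of
    # those together marks every bit position that differs in at least one address.
    diff = 0
    for n in ints[1:]:
        diff |= ints[0] ^ n
    return 32 - diff.bit_length()


def summarize(addrs):
    """Smallest single prefix that covers every address in the list."""
    plen = common_prefix_length(addrs)
    # strict=False makes ipaddress zero out the host bits for us
    net = ipaddress.IPv4Network(f"{addrs[0]}/{plen}", strict=False)
    return str(net)


def summary_mask(addrs):
    """The same answer as a dotted-decimal mask, e.g. 255.240.0.0 for /12."""
    return str(ipaddress.IPv4Network(summarize(addrs)).netmask)


def binary_rows(addrs):
    """Dotted-binary view of each address, like the working shown in the notes."""
    rows = []
    for a in addrs:
        octets = [format(int(o), "08b") for o in a.split(".")]
        rows.append(".".join(octets) + " " + a)
    return rows
```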

WAN Links

When configuring WAN links between routers it would be a waste to assign a /24 subnet mask. Let's think about this: how many IPs do we need between two routers? Two, one for each end of the WAN link.

If we only need two IP addresses, which subnet mask would be the most efficient one to use? Let's have a look at the following subnet masks and how many hosts we can get from each:

128 – 126 hosts
192 – 62 hosts
224 – 30 hosts
240 – 14 hosts
248 – 6 hosts
252 – 2 hosts

We can see 252 will give us 2 hosts. The most efficient mask to use on a WAN link would be 255.255.255.252 or /30.


Cisco ICND2 – Calculate and apply a VLSM IP addressing design to a network

I would recommend googling some examples of VLSM and practising, practising, practising. I found the Subnet Game by Cisco very handy.

Variable Length Subnet Masking (VLSM) is subnetting a subnet. There are many different ways to subnet and I would recommend finding the one that works for you.

Let's subnet 192.168.2.0/24 to accommodate the following network design:

(VLSM diagram: RouterB needs 100 users, RouterC 50 users, RouterA 15 users)

Always start with the highest requirement which is 100 users on RouterB.

We need at least 100 IP addresses.

Let's convert 100 to binary:

128 64 32 16 8 4 2 1
  0  1  1  0 0 1 0 0

Counting from right to left, the highest 1 is in the 64 column, which is the 7th bit, so we need 7 host bits to make room for 100 addresses.

128 192 224 240 248 252 254 255
  1   0   0   0   0   0   0   0

Using the above table we want to 'save the hosts', so counting from right to left we keep 7 bits for hosts and put a 1 in the 128 column. Therefore 255.255.255.128 will be our subnet mask, or /25. The subnet will be 192.168.2.0 /25 (Hosts: 192.168.2.1 – 192.168.2.126).

The next largest is RouterC with 50 users. Let's convert 50 to binary:

128 64 32 16 8 4 2 1
  0  0  1  1 0 0 1 0

If we count from right to left, we need 6 bits to make 50 addresses.

128 192 224 240 248 252 254 255
  1   1   0   0   0   0   0   0

The subnet that meets this requirement is 192.168.2.128 255.255.255.192, or /26 (Hosts: 192.168.2.129 – 192.168.2.190). This gives us 62 hosts.

Lastly RouterA has 15 users. Let's convert 15 to binary:

128 64 32 16 8 4 2 1
  0  0  0  0 1 1 1 1

If we count from right to left, we need 4 bits to make 15 addresses.

128 192 224 240 248 252 254 255
  1   1   1   1   0   0   0   0

This one is a little tricky. If we follow the trend from the first two routers we would reserve 4 bits, making the subnet mask 255.255.255.240 /28; however, this only gives us 14 hosts (256 - 240 = 16, minus 2 for subnet and broadcast = 14) and not 15. Watch out for this! We in fact want to use 255.255.255.224 /27, which gives us 30 hosts.

The IP subnet for RouterA will be 192.168.2.192 255.255.255.224 or /27 (Hosts: 192.168.2.193 – 192.168.2.222).

This gives us some room to expand the 192.168.2.0 subnet in the future.

Summary:

RouterB: 192.168.2.0 /25
RouterC: 192.168.2.128 /26
RouterA: 192.168.2.192 /27
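The whole VLSM procedure (largest requirement first, the "+2 for network and broadcast" trap that catches the 15-user case, and the /30 for WAN links from the earlier section) as one allocator. This is an added example, not part of the original notes; the router names and user counts are the ones from the diagram, and the WAN link name is made up.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^bits - 2) covers `hosts`.
    15 hosts needs 5 host bits (/27), because 4 bits only give 14 usable addresses."""
    bits = 1
    while (2 ** bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def allocate_vlsm(block, requirements):
    """Carve `block` into subnets, largest requirement first, as the notes do.

    Returns (name, subnet, first host, last host, usable hosts) for each requirement.
    """
    parent = ipaddress.IPv4Network(block)
    next_addr = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        # A subnet must start on a multiple of its own size; allocating largest-first
        # keeps this true automatically, but the check makes the function safe anyway.
        if next_addr % size:
            next_addr += size - (next_addr % size)
        if next_addr + size > end:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        net = ipaddress.IPv4Network((next_addr, plen))
        plan.append((name, str(net), str(net[1]), str(net[-2]), net.num_addresses - 2))
        next_addr += size
    return plan


if __name__ == "__main__":
    # The design from the notes plus one constructed WAN link between two routers.
    for row in allocate_vlsm("192.168.2.0/24",
                             {"RouterB": 100, "RouterC": 50, "RouterA": 15, "WAN-AB": 2}):
        print(row)
```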

Cisco ICND2 – Implement basic switch security (including: port security, unassigned ports, trunk access, etc.)

Basic switch security

In this topic we will discuss basic switch security and how we can lock down the ports on a switch. I found when using Packet Tracer the port-security didn't work consistently and in some cases didn't work at all.

I would recommend configuring this if possible on real equipment. Packet Tracer will accept the commands but the desired effect might not happen.

Our three switches have 24 ports each; currently only three ports are used on each switch. We will turn the remaining ports into access ports, to stop someone from plugging in a switch and forming a trunk link, and we will also shut them down.

By default the switch ports are in dynamic desirable mode, meaning if another switch is plugged in the link will form a trunk.

configure terminal
interface range fa0/4 - 24
switchport mode access
shutdown

We'll now configure fa0/3 on Switch A to dynamically learn the connected PC's MAC address and set up a violation action so the port shuts down if an unknown MAC address, such as another device, is plugged into fa0/3.

configure terminal
interface fa0/3
! port-security is rejected on a dynamic (trunk-negotiating) port, so make it an access port first
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation shutdown

The sticky command lets the switch learn the MAC address itself and keep it in the configuration. Alternatively we can set the MAC address manually:

configure terminal
interface fa0/3
! replace H.H.H with the allowed MAC address in Cisco dotted format
switchport port-security mac-address H.H.H

It’s possible to allow more than one MAC address assigned to a switchport:

configure terminal
interface fa0/3
switchport port-security maximum 2

Other violation modes:

switchport port-security violation restrict
switchport port-security violation protect

Restrict: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violation message is sent to an SNMP service if configured.

Protect: This mode allows known MAC addresses to continue sending frames whilst blocking unknown MAC addresses from sending. A violation message is not sent.

Configuring violations is all well and good, but what happens if a PC hasn't been live on a port for a while? A new PC will come along and the port may be put into a shutdown state.

We can configure how long before the MAC addresses are pruned using the aging command:

switchport port-security aging time 10

The aging timer is done in minutes, so 10 minutes in this example.

We can also prune the MAC addresses if the port has had no activity:

switchport port-security aging type inactivity

Verifying:

  • show port-security interface <interface>
  • show port-security address
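A small verification helper for the show command above, as an added example that is not part of the original notes. The sample output is constructed to follow the layout of show port-security interface and was not captured from a real switch; the MAC address in it is made up.

```python
# Constructed sample, modelled on "show port-security interface <interface>" output.
SAMPLE = {
    "fa0/3": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.1111.3333:1
Security Violation Count   : 1
""",
    "fa0/5": """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Protect
Security Violation Count   : 0
""",
}


def parse_port_security(text):
    """Turn the 'Field : value' lines into a dict. Split on ' : ' rather than ':'
    because the field name 'Last Source Address:Vlan' itself contains a colon."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess_port(name, fields):
    """The things worth flagging when verifying port security on one interface."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append(f"{name}: port-security is not enabled")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append(f"{name}: err-disabled after a violation, check what is plugged in before re-enabling")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations:
        findings.append(f"{name}: {violations} violation(s), last source {fields.get('Last Source Address:Vlan')}")
    if fields.get("Violation Mode") == "Protect":
        findings.append(f"{name}: protect mode drops unknown MACs silently, so violations are never reported")
    return findings


def audit(outputs):
    """Run the checks over a {interface: show output} mapping."""
    return [f for port, text in outputs.items() for f in assess_port(port, parse_port_security(text))]
```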

Switch security practices:

  • Ensure physical access to switches is restricted
  • Set login passwords/enable passwords on switches and configure banners
  • The web service can be disabled if the switch supports it (no ip http server / no ip http secure-server)
  • Access lists can be used to restrict SSH/telnet access by only allowing a specific subnet or host to SSH/telnet to the switch
  • Use SSH rather than telnet as it's more secure: telnet is sent in plain text, SSH is encrypted
  • Configure logging/SNMP traps to capture violations etc.

Cisco ICND2 – Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network

I have covered most show commands throughout the previous topics. Therefore I will list them quickly here plus a few others:

  • show ip interface brief
  • show flash:
  • show running-config
  • show mac-address-table
  • show vlan
  • show vlan brief
  • show interface switchport
  • show interface trunk
  • show vtp status
  • show spanning-tree summary
  • show spanning-tree

As I’m using PacketTracer there isn’t much in terms of debugging commands for switches. I would highly recommend using physical switches if possible and build a small network and run some debug commands.

This might be useful: the command reference for a Cisco Catalyst 2950 switch.

*If there is anything you’d like to add or feel there’s a mistake, please feel free to comment and contribute.


Cisco ICND2 – Configure, verify, and troubleshoot RSTP operation

This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.

To enable rapid spanning tree protocol on our three switches:

Switch A:

configure terminal
spanning-tree mode rapid-pvst

Switch B:

configure terminal
spanning-tree mode rapid-pvst

Switch C:

configure terminal
spanning-tree mode rapid-pvst

We will also enable portfast on our access ports (PCs connected to the switches). This lets the ports go straight to a forwarding state, meaning the ports come up instantly. You do not want to enable this on trunk links, as it may cause switching loops.

Switch A:

configure terminal
interface fa0/3
spanning-tree portfast

Switch B:

configure terminal
interface fa0/3
spanning-tree portfast

You will get a warning message when enabling portfast, reminding you not to use it on trunk links:

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.

That's all that's needed to enable rapid spanning-tree and portfast. Let's go one step further and force Switch C to become the root bridge for VLAN 1. Currently Switch B is the root.

We can do this in two ways: set the priority of VLAN 1 to a much lower value, for example 4096, or force the switch to be the root.

Set the priority lower on Switch C:

configure terminal
spanning-tree vlan 1 priority 4096

Force switch as root:

configure terminal
spanning-tree vlan 1 root primary

I have gone with changing the priority to 4096. Either command above only changes the root bridge for VLAN 1.

Now if we do a show spanning-tree vlan 1 on Switch C:

(screenshot: show spanning-tree vlan 1 output from Switch C)

The above shows the show spanning-tree output from Switch C. We can see the bridge priority has been changed to 4096 + VLAN ID 1 = 4097 and that the switch is the root for VLAN 1.
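The root bridge election behind the "4096 + VLAN 1 = 4097" figure, as an added example that is not part of the original notes. It models both of the commands above; the switch MAC addresses are constructed, and the root primary behaviour (24576, or 4096 below the current root if that is already lower) is IOS's documented rule rather than something the notes state.

```python
import copy

DEFAULT_PRIORITY = 32768  # IOS default bridge priority for every VLAN


def bridge_id(priority, vlan, mac):
    """Bridge ID as 'show spanning-tree' displays it: configured priority plus the
    VLAN number (extended system ID), with the switch MAC as the tie-breaker."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())


def elect_root(switches, vlan):
    """The switch with the numerically lowest bridge ID for this VLAN becomes root."""
    return min(
        switches,
        key=lambda s: bridge_id(s["priority"].get(vlan, DEFAULT_PRIORITY), vlan, s["mac"]),
    )["name"]


def set_priority(switches, name, vlan, priority):
    """Model 'spanning-tree vlan <vlan> priority <priority>' on one switch (returns a copy)."""
    updated = copy.deepcopy(switches)
    for s in updated:
        if s["name"] == name:
            s["priority"][vlan] = priority
    return updated


def root_primary(switches, name, vlan):
    """Model 'spanning-tree vlan <vlan> root primary': IOS uses 24576, or 4096 less than
    the lowest priority currently in use if that is already below 24576."""
    lowest = min(s["priority"].get(vlan, DEFAULT_PRIORITY) for s in switches if s["name"] != name)
    return set_priority(switches, name, vlan, 24576 if lowest > 24576 else lowest - 4096)


# Constructed sample: MAC addresses are made up. At the default priority Switch B has
# the lowest MAC and therefore wins the election, as in the notes.
SWITCHES = [
    {"name": "SwitchA", "mac": "0001.0000.AAAA", "priority": {}},
    {"name": "SwitchB", "mac": "0001.0000.0001", "priority": {}},
    {"name": "SwitchC", "mac": "0001.0000.CCCC", "priority": {}},
]
```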

Verifying:

To verify RSTP has been configured correctly we can go through the configuration by using the show running-config command and verifying spanning-tree mode rapid-pvst has been entered on all three switches.

The next command we can verify RSTP with is show spanning-tree, this will show what type of spanning-tree is enabled and root bridge/interface statuses.

(screenshot: show spanning-tree output from Switch B)

Show spanning-tree summary can be used to give a quick indication of what mode spanning tree is configured for and some other useful information such as which VLANs are taking part in spanning-tree.

(screenshot: show spanning-tree summary output from Switch A)

Troubleshooting:

  • Ensure all switches are configured for rapid spanning-tree. Rapid spanning-tree is backwards compatible, so a port facing a switch still running legacy spanning-tree falls back to the normal spanning-tree timers, which causes slow convergence
  • Check cables between switches are correct (crossover cable)
  • Check you haven't made a trunk link portfast by mistake
  • Using the verify commands above can greatly help with understanding why RSTP isn't working (root bridge incorrect, port blocked, rapid spanning-tree not configured)