Network Model Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind

Network Modelling

*** Theory ***

  • Three Layer Model (3 Layers)
    • Core – Low latency, fast switching, Advanced QoS, Redundancy, Root Bridges
    • Distribution – Handle routing, High Speed ports,
    • Access – VLAN, Basic QoS, Traffic Filtering, Redundant uplinks, future growth, high port density
  • Cisco Enterprise Architecture (6 Modules)
    • Campus – Core layer of campus network.
    • Edge – Internet connectivity, DMZ, VPNs
    • WAN – PPP, Frame, DSL, MPLS
    • Branch – Remote Office
    • Teleworker – SOHO / Mobile Users
    • Data Centre – DR
  • Intelligent Information Network (Vision)
    • SONA – Single Vendor and Virtualisation
      • Application Layer – How end users interact
      • Interactive Service Layer – Virtualisation
      • Network Infrastructure layer

    *** Other ***

    • Reconinsense Attack –Uses packet sniffers etc . Combat with switched infrastructure.
    • DoS Attacks – Can use IP spoofing and DoS attacks
    • Virus – requires human assistance to spread
    • Worm – Saved in memory, spreads automatically
    • ip inspect – is IOS firewall (formly CBAC). Inside interface inspects inbound and outside interface inspects outbound


Cable Network Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind


*** Theory ***

  • DOCSIS – Standard governing how cable operators reserve bandwidth for data transfers. When modem boots up it finds a DOCSIS channel (scans for RF for QAM lock). CMTS sends 3 messages (MAP, UCD, SYNC) to modem. It then requests IP from DHCP Server. Modem gets config file via TFTP (address given by DHCP). Modem then register with CMTS and negotiates QoS etc
  • ADSL – Up to 8MB DL and 1MB UL. Limited to 18,000 feet limitation. Can use phone via POTS Splitter.
    • Coding methods
      • CAP – Single Carrier Method – Divides phone line into three separate channels. (V, Upstream, Downstream) – Been replaced by DMT
      • G.Lite – one of two multicarrier methods “splitterless ADSL”. Limited to 1.5MBPS DL and 512 KBPS UL = slow
      • DMT – The 2nd multicarrier method – Uses 256 channels to carry data
    • HDSL – Same UP/DL rate (Symmetric). Can’t use the phone
    • HDSL2 – Allows for VOIP
    • RADSL – UL/DL are adjusted dynamically
    • Satellite – Very slow.  DL 500K and UL 50K (On a clear day!)
      • Problems
        • Attenuation – Signal gets weak
        • Impedance Mismatch – Bad splice or corrosion
        • Cross talk (Inside)
        • AM Radio (Outside)
      • ATM – Uses DSLAM Switches (has DSL card) for data transport.
        • PPPoE vs PPPoA – Key difference is oA uses routing and oE uses bridging
        • PPPoE (RFC 2516) – Typically uses Chap.  Host devices uses discovery to get MAC of PPPoE Server. This creates SESSION_ID.
          • Interface setups
            • Connection to DSLAM – No IP address need and dial pool number (needed) which binds a dialler interface to an Ethernet one.
            • Dialler
              • Ip mtu 1492 – Reduce from 1500 to allow for PPPoE headers
              • Ip address negotiated – Allows for DHCP address to be given
              • Ip nat outside (if using Nat)
          • Default route should be dialler interface
          • Use dialler interface when using NAT inside for PAT.
      • PPPoA – If encapsulation is running under PVC, you are running PPPoA
        • Interface Setups
          • Connecting to DSLAM (ATM 0/0)
            • No ip address
            • Dsl operating-mode auto / Auto negotiate modulation with downstream router
            • Pvc 100/120 / Like DLCI
            • Pppoe-client-dialer-pool-number-1
      • RFC 1483/2684 Bridging – Easy to setup. Multiprotocol. Single user environment. Uses lots of broadcasts, not scalable, can be attacked.

      IPSec Crib Notes

      These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind


      *** Theory ***

      • VPNs
        • Data origin ,e.g. AH, ESP
        • Encryption
          • (S) Symmetric Encryption – Same key for enc/decryption. Aka secret key.
          • (A) Asymmetric Encryption – 2 keys. Public and Private.  Encrypt with public, decrypt with private. Private always stay local.
          • DH – Allows the exchange of secret keys over a non-secure connection
            • (S) DES is 56bit
            • (S) 3DES is 3 DES keys on top of each other. So 3 x 56 = 168bit (really 112)
            • (A) AES is the best.
      • Data Integrity AH, ESP
      • Anti replay AH, ESP
        • Mitigate via sequence number on packet.
        • GRE – Encapsulate packet in an IP header. Has no encryption. GRE is multiprotocol. IPSec is really IP only. So GRE over IPSec makes sense.  Can use GRE to send routing protocols over IPSec etc. GRE Encaps first then IPSec encaps
        • L2TP/PPTP – No encryption
        • IPSec – Earlier versions could not carry multicast traffic.
          • Tunnel Mode – Transparent to end host
          • Transport Mode
          • AH (Protocol 51) – Method for authentication and securing data (protects payload of packet. AH less overhead than ESP
          • ESP (protocol 50) – It authenticates, secures and encrypts. Preferred over AH
          • IKE (UDP 500) – negotiates the security parameters and authentication keys
            • Phase 1 – Agreement on methods to exchange data aka SA (Security Association). 1 SA per tunnel.
              • Aggressive Mode – Faster, but not encrypted. 3 Messages,
              • Main Mode – 6 messages. R 1 “DES or 3DES? MD5 or SHA?” R2 “DES and MD5 please” etc DH Keys, Authenticate
        • Phase 1.5 – Known as XAUTH for security
        • Phase 2 – 2 SA per 1 tunnel.
          • Quick Mode – 3 messages
          • Crypto Access List – Defines interesting traffic that starts the IKE/ IPSec process
            • Steps on Cisco Router
              • 1) Create ISAKMP policy 2) Create IPSec transform set 3) Define interesting traffic with crypto access-list 4) Create Crypto Map and apply to interface
          • Dead Peer Detection (DPD) – Keepalive for IPSec.  Sends hello every 10 seconds unless it receives a hello from peer. This means overhead because of enc ry/decryption. Can use on-demand where router sends DPD hello only prior to sending data to peer.
            • Troubleshooting
              • MM_NO_STATE – Phase 1 attribute mismatch
              • MM_KEY_EXCH – Incorrect pre-shared key or peer IP address

        MPLS Crib Notes

        These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind


        *** Theory ***

        • Nutshell – Tags packets so fewer layer 3 / route-table router lookups are needed. Can run in frame mode or cell (ATM) mode
        • Edge LSR (Entry / Exit points) – Performs routing lookup, assigns label and then sends to LSR. At the exit edge LSR a label lookup is done, only to realise there is no further label so the label is popped and then an IP look up is done to send the packet on its way.  These routers should be powerful. Also handles labelled and non-labelled networks
          • PHP – Instead of the exit edge LSR doing 2 lookups, we can make it more efficient by it requesting the downstream neighbour to pop the label instead so that it only has to do IP Lookup
        • LSR – Uses the label put on by edge LSR to route to next hop. No need to do route lookup. Does label lookup then a label swap
        • Label – Locally significant and identifies FEC. It is inserted between the L2 and L3 layer (aka 2.5). Local significance means multiple interfaces on the same router can use same label values. Label has 4 fields.
          • Label (20bits)
          • Experimental / CoS (3 bits) – Code of service
          • TTL (8 bits) – Time to Live
          • BOS (Bottom of stack, 1 bit) –
        • FEC – Forward Equivalent Class – Group of packets that is forward to the same next hop ip address & assigned the same level of treatment (QoS etc). Or is forwarded based on following;  Interface, IP Prec or DSCP, Src IP, Src or Dst port etc
        • Label Stack – Packet with more than 1 label. Typically used in MPLS VPNs to form encapsulations
        • pre-process – Label is binded to each route prefix. This is then shared to downstream MPLS routers using LDP, TDP , RVSP etc.
        • Process – E-LSR performs IP Lookup then assigns label (push). LSR looks up label table, swaps label to match downstream router and then forwards (swap). Exit E-LSR will remove (pop) label and send to customer. If a LSR has 2 potential next hops, the LSR will perform a label lookup in its LFIB that resides in the data plane. It will see what the upstream router has assigned as it label value and then place that value instead of it own when sending (swap)
          • Dropped packets – If a labelled packet comes in and has no entry in the FLIB. Exception is
            • Interim Packet Propagation – Time between a labelled packet arriving and time that the LSR has an entry in the FLIB for that label. In this case packet uses CEF. If not entry in FIB, then packet is finally dropped
        • Control Plane – Takes care of routing table. Label bindings are exchanged. Label binding allows LSR1 to know what label LSR2 is expecting. The control plane also has routing protocols.
          • LIB – Stores binding between local labels and FEC. Built via LDP/TDP. Sends these binding to neighbour
          • Routing Protocols
          • LDP UDP 646 (Industry and most popular) – Interface can run both LDP and TDP.
          • TDP TCP 711 (Cisco – being phased out) – Carries label information between LSR’s
          • RSVP – Reserve bandwidth for end-to-end for traffic engineering
        • Data / forwarding Plane – Handles forwarding of the traffic. Forwards by labels or address. It is a copy of the routing table but just in a different format
          • FIB – Has route table like information and is built via IGP
            • Distributed CEF – Uses multiple routers for CEF!
        • LFIB – Built by both IGP and LDP/TDP and performs the actual forwarding of labelled packets

        • LSP – Label Switch Path – The path the packet takes
        • Configuration – Must have CEF enabled. MTU should be changed to 1512. Enable MPLS via interface using  mpls ip
        • Before MPLS VPNS
          • Peer to peer – Client sends routes to ISP Edge router and that router shares it with all the other ISP routers. E.g. customer to edge is IGP. Then route redistribution into BGP to share with other routers
            • Bad – Can cause routing loops and have customers with overlapping subnets
        • Overlay – Provides VC but no routing services e.g. Frame Relay

        • MPLS VPNS – Allows MPLS for multiple customer s sharing the same ISP routers
          • VRF – Virtual Router & Forwarding Table – 1 Route table instance per customer = avoids overlapping subnets from different customers.
          • RD – Route Distinguisher – Unique 64 but attached to IP (vpnv4 prefix) & uses MPBGP on PE routers. So any overlapping subnets will have a unique prefix which mitigates this problem
          • BGP – Has attribute called RT. Route Target assigned the vpnv4 prefix

        • MTU – Must set to following otherwise could be seen as jumbo or giant frame which are frames that are dropped or fragmented.
          • PPPoE                                   = 1492
          • .1Q                                         = 1496
          • Ethernet                              = 1500
          • MPLS                                     = 1504
          • MPLS VPN                           = 1508 (As two labels are used)
          • MPLS VPNS + TE               =1512
          • Good practice for MPLS = 1512

        VLANS Crib Notes

        These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind.



        • Best practice – 1 VLAN per IP
        • Broadcast – Routers can accept and generate broadcasts, but they cannot forward them
        • VLAN 1. 1002 – 1005 are shipped by default
        • Native VLAN – Default on Cisco is VLAN 1. All unassigned hosts are on Native Vlan
        • Static VLAN – Dependent on Host Port
        • Dynamic VLAN – Dependent on Host MAC Address, uses VLAN Membership Policy Server (VMPS – uses UDP). Host can most from port to port or switch to switch and vlan assignment is based on their MAC address. Uses TFTP server to map addresses. Port fast is enabled by default for dynamic vlans. Don’t use port security. Dynamic port cannot be a trunk port
        • VLAN.dat – VLANs kept in separate file. Most delete separately not done with erase
        • Vlan database – using CTRL+Z will not save the config. Must type apply
        • Dynamic Desirable Trunking – Port is actively trying to form a trunk
        • Troubleshooting – Check port speed/duplex and check MAC table
        • ISL – Cisco own trunk protocol. Places both header & trailer in frame, then encapsulates it = overhead. No native vlans = every frame is encapsulated = overhead
          • 26 byte header + 4 byte trailer CRC = 30BYTES. Too large for switch, considered as giant frames
          • 802.1Q – No encapsulation. Adds 4 byte header to frame
          • Trunk – Port must agree on duplex, speed and encapsulation
          • Giants are frame larger than 1518 or 1522 (802.3ac). Runts are frames smaller tan 64bytes. Baby Giants are 1500 < 2000 bytes
          • Dynamic Trunking Protocol – Attempts to negotiate a trunk with remote switch. Sends DTP frames every 30 sec (overhead)
          • VLAN Design – Keep broadcasts and multicast away from core
            • End to end (80/20) – 80% of local traffic stays local and 20% go to core. These vlans must be on every access-layer switch
            • Local (20/80) – 20% local, 80% core.
            • Port status
              • Trunk – Trunk port and no DTP negotiation.
              • Dynamic Desirable – Default. Responds to DTP and becomes a trunk, otherwise access.
              • Dynamic Auto – NOT actively negotiate a trunk, but will respond to DTP and become one if remote is trunk or dynamic desirable. Trunk will not form if both port are dynamic auto


        # Show vlan brief Shows VLAN, name, status and ports. Does not show trunk ports

        # Show int trunk Shows trunk ports, mode, encapsulation, status and native vlan, allowed VLANS

        # Show vlan id 5 Shows VLAN 5 ports etc

        Wireless Crib Notes

        These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind.

        Wireless                                                                                                                                                              23/06/09

        *** Theory ****

        • WLAN – Is called a Basic Service Set BSS (Hub and Spoke). Area of coverage is called a Cell. Device associate with the wireless device. They are half duplex so uses CSMA/CA.
        • SSID – Service set identifier is case sensitive and up to 32 char.
        • AP – Access point aka WAP. Client can use to find AP;
          • Active scanning – Client sends probe request frames & wait for response
          • Passive scanning – Listens for beacons frames from AP. No probes sent
          • Authentication
            • Open system
            • Shared key  – like WEP, WEP can be hacked easily.
              • EAP/LEAP – EAP or LEAP. Leap is cisco only. It has 2-way auth between AP and client, AP uses RADIUS to auth client, Keys are dynamic (generated per authentication), not static. Better than WEP
              • WPA/WPA2 –
              • AD HOC WLAN – aka IBSS
              • Ranges
                • 802.11a – 25MBPS but can reach 54MBPS. Indoor range 100 ft. 5GHZ
                • 802.11b – 6.5MBPS upto 11MBPS. 100 ft. 2.4GHZ
                • 802.11g – 25MBPS to 11 MBPS. 100 ft. 2.4GHZ. Compatible with g hence b/g
                • 802.11n – 200MBPS upto 540MPS, 160 ft. 2.4 or 5 GHZ
                • Microwave can cause issue as it uses 2.4 GHZ band
                • Antenna
                  • Yagi Antenna – Sends signal in a single direction only. (P2P) BETWEEN AP
                  • Omni – Sends signal to all directions (P2M) BETWEEN AP AND HOSTS
                  • Cisco Unified Wireless Network – WLAN Contoller. Talks to LAP (Lightweight Access Point) via LWAPP (Lightweight Access Point Protocol) to make policy consistent. It a centralised Authority.
                  • Aironet tray utility

        VTP Crib Notes

        These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammer / spelling as I did not develop these notes with publishing in mind.


        *** Theory ***

        • VTP Domain – Switch can be in 1 domain only. All switches in that domain participate in VTP (case sensitive),
        • VTP Mode
          • Server – can create, delete, modify etc (default)
          • Client – Listen to VTP Advertisement
          • Transparent – Locally significant. Does not save only passes VTP advertisements
          • VTP Version for Transparent mode
            • V1 – Will forward VTP ad only if domain and version number is same as downstream
            • V2 – will forward VTP add over it trunk port regardless of domain name. Supports token ring vlan and switching
            • VTP Advertisements: are multicasts, sent over trunk ports only. Every server change increases the revision by 1. Switch ignores VTP advertisement with lower rev number than itself. Sent after every change and summary sent every 5 minutes
            • VTP Password – case password put in secure mode. Visible. Used to protect from intruder switch as some switches can pull the domain name from null status
            • New switches – Make sure it rev is 0, otherwise if it the highest, all switch will use this vlan database even if new sw is client or server!
            • Reset revision number – Change switch to transparent and back to server or change domain to a non existant name then back to the original
            • Clients – If VLAN database becomes corrupt, it sends client advertisement request. VTP server responds with summary and subsets
            • VTP Pruning – confines broadcast (&multicast treated as broadcast) over trunk ports as trunks are members of all vlans. If SW1 has vlan ports 2-11 and SW2 has vlan 10-19, they have 10 and 11 in common. No point switches receiving broadcasts for vlan members they do not have. Enable this on VTP server only
            • Vlan.dat – delete this IN FLASH  with write erase otherwise it wont delete it as it not in NVRAM

        *** Commands ***

        • Show VTP status: Version, revision, no. Of vlans, operating mode