network cisco ccna gns3 certification arteq

a network runs through it

Saturday, December 31, 2011

more arp...

when you ping a device on your own subnet for the first time, the arp request resolves that device's own hardware address, and that is what gets cached against its ip address in the pc's arp table... it does not get associated with the gateway router's interface mac address... the gateway's mac only comes into play for destinations off the local subnet...

C:\>arp -a

Interface: 192.168.1.9 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           c0-3f-0e-ab-d1-ec     dynamic
  192.168.1.250         98-4b-e1-fb-29-40     dynamic

below is the mac-address-table entry for fa0/17, the port the pinged device is attached to... it matches the pc's arp entry for 192.168.1.250, not the hardware address of the gateway router...

sw2950_02#sh mac-add int fa0/17
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    984b.e1fb.2940    DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 1
sw2950_02#

the mac address in this arp entry is the mac address of the device that was pinged, and the switch agrees: the same address, written 984b.e1fb.2940 in cisco notation, is learned on fa0/17... worth remembering that nothing authenticates arp; any host on the segment can answer for any ip, so when an arp entry and the switch's mac-address-table disagree (the same mac for two ips, or the gateway's mac showing up on some access port) something is wrong...
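the cross-check above is easy to script... the following is an added example, not code from the original post: it parses a windows arp cache and a cisco mac-address-table and reports where they disagree. the two tables are constructed from the output above; the gateway's switch port (Fa0/1) and the second, spoofed arp cache are assumptions made up for the demonstration.

```python
"""Cross-check a PC's ARP cache against the switch's MAC address table.

Added example, not code from the original post. The ARP cache and MAC table
below are constructed from the post's own output; the gateway's switch port
(Fa0/1) and the second (spoofed) ARP cache are assumptions made up for the
demonstration.
"""
import re
from collections import defaultdict

# Windows `arp -a` rows: "192.168.1.1   c0-3f-0e-ab-d1-ec   dynamic"
ARP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
# Cisco `show mac address-table` rows: "   1    984b.e1fb.2940    DYNAMIC     Fa0/17"
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+(\w+)\s+(\S+)", re.I)

ARP_CLEAN = """\
Interface: 192.168.1.9 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           c0-3f-0e-ab-d1-ec     dynamic
  192.168.1.250         98-4b-e1-fb-29-40     dynamic
"""

# Constructed: someone answered ARP for the gateway with the .250 host's MAC
ARP_SPOOFED = """\
Interface: 192.168.1.9 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           98-4b-e1-fb-29-40     dynamic
  192.168.1.250         98-4b-e1-fb-29-40     dynamic
"""

MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    c03f.0eab.d1ec    DYNAMIC     Fa0/1
   1    984b.e1fb.2940    DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 2
"""


def norm_mac(mac):
    """'c0-3f-0e-ab-d1-ec' and 'c03f.0eab.d1ec' both become 'c03f0eabd1ec'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp(text):
    """Return {ip: mac} from Windows `arp -a` output."""
    return {m.group(1): norm_mac(m.group(2))
            for m in map(ARP_ROW.match, text.splitlines()) if m}


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from `show mac address-table` output."""
    return {norm_mac(m.group(2)): (int(m.group(1)), m.group(4))
            for m in map(MAC_ROW.match, text.splitlines()) if m}


def audit_arp(arp, mac_table, gateway_ip, gateway_port):
    """Return a list of findings; an empty list means the two tables agree.

    Checks: (1) one MAC answering ARP for several IPs, (2) the gateway's MAC
    learned on a port other than the one the gateway is cabled to, and
    (3) an ARP entry whose MAC the switch has never seen.
    """
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in arp.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers ARP for several IPs: {sorted(ips)}")
    gw_mac = arp.get(gateway_ip)
    if gw_mac is not None and gw_mac in mac_table:
        vlan, port = mac_table[gw_mac]
        if port != gateway_port:
            findings.append(f"gateway {gateway_ip} resolves to {gw_mac}, learned on {port} not {gateway_port}")
    for ip, mac in sorted(arp.items()):
        if mac not in mac_table:
            findings.append(f"{ip} -> {mac} is in the ARP cache but unknown to the switch")
    return findings


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for label, cache in (("clean", ARP_CLEAN), ("spoofed", ARP_SPOOFED)):
        print(label, audit_arp(parse_arp(cache), table, "192.168.1.1", "Fa0/1") or ["ok"])
```

the clean cache produces no findings; the spoofed one flags both the duplicate mac and the gateway "moving" to fa0/17, which is exactly what an arp poisoning attempt against the pc looks like from the switch side...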

Friday, December 30, 2011

process id's and areas...

there's some question floating around in the ether about how many process id's one can have in ospf, and how many areas... be misinformed no more...

r2620_02(config)#router ospf ?
  <1-65535>  Process ID

r2620_02(config)#router ospf

r2620_02(config)#router ospf 1
r2620_02(config-router)#netw 10.0.0.0 0.0.0.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format

that would be over 4 billion AREAS, for those who can't count, and over 65,000 PROCESS IDs... the process id is only locally significant; neighbors don't have to agree on it, they do have to agree on the area...

don't believe everything you see on a practice test...


Wednesday, December 28, 2011

ppp's two subnets...

at first i thought i was losing my mind, that i had some type of misconfiguration with ppp...  but i didn't...  ppp installs two routes for each serial link: the connected subnet with the mask you configured, and a /32 host route to the peer's address... during ipcp negotiation each side learns the other end's ip address and installs it as a connected host route (the peer neighbor route)... hdlc doesn't negotiate anything, so it only shows the subnet... this is normal ppp behavior, and no peer neighbor-route on the interface turns it off if it bothers you...


no routing protocols, no static or default routes, and with hdlc we have:

r2620_01#sh ip route
Codes:
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.30.0 is directly connected, Serial0/1
C       10.0.20.0 is directly connected, Serial0/0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
r2620_01#


and likewise on the other end of the link...

r2620_02#sh ip route
Codes:
Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.20.0 is directly connected, Serial0/0

C    192.168.1.0/24 is directly connected, FastEthernet0/0


but when you flip to ppp...

r2620_01(config-if)#do sh ip route
Codes: Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.30.0/30 is directly connected, Serial0/1
C       10.0.30.2/32 is directly connected, Serial0/1
C       10.0.20.2/32 is directly connected, Serial0/0
C       10.0.20.0/30 is directly connected, Serial0/0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
r2620_01(config-if)#

r2620_03#sh ip route
Codes:
Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.30.0/30 is directly connected, Serial0/0
C       10.0.30.1/32 is directly connected, Serial0/0

r2620_03#

ppp is the gift that keeps on giving...

Tuesday, December 27, 2011

vtputt-putt...

normally a command takes effect as soon as you press enter... not so when creating a vlan... the vlan isn't written to the vlan database, and no vtp advertisement goes out, until you exit config-vlan mode, as seen below...

sw3550_01#debug sw-vlan vtp events
vtp events debugging is on
sw3550_01#term mon
sw3550_01#config t
sw3550_01(config)#vlan 69
sw3550_01(config-vlan)#do sh vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
23   VLAN0023                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

sw3550_01(config-vlan)#exit
sw3550_01(config)#
now we get our debug output
Dec 27 20:10:40.615: VTP LOG RUNTIME: Transmit vtp summary, domain cisco, rev 13
, followers 1, tlv blk size 8 (inc #tlv field),
   MD5 digest calculated = 8D F5 FD E6 E2 18 EB 99 BD AC F8 2F 8B C5 00 DD

Dec 27 20:10:40.615: VTP LOG RUNTIME: Transmit vtp summary, domain cisco, rev 13
, followers 1, tlv blk size 8 (inc #tlv field),
   MD5 digest calculated = 8D F5 FD E6 E2 18 EB 99 BD AC F8 2F 8B C5 00 DD

Dec 27 20:10:40.615: VTP LOG RUNTIME: Transmit vtp summary, domain cisco, rev 13
, followers 1, tlv blk size 8 (inc #tlv field),
   MD5 digest calculated = 8D F5 FD E6 E2 18 EB 99 BD AC F8 2F 8B C5 00 DD

Dec 27 20:10:40.675: VTP LOG RUNTIME: Summary packet received, domain = cisco, r
ev = 13, followers = 1, length 80, trunk Fa0/1

Dec 27 20:10:40.675: VTP LOG RUNTIME: Validate TLVs : #tlvs 1, max blk size 4
Dec 27 20:10:40.675: VTP LOG RUNTIME: Validate TLVs : #00, val 6, len 4
Dec 27 20:10:40.675: VTP LOG RUNTIME: Summary packet rev 13 equal to domain cisc
o rev 13

Dec 27 20:10:40.679: VTP LOG RUNTIME: Subset packet received, domain = cisco, re
v = 13, seq = 1, length = 220

Dec 27 20:10:40.679: VTP LOG RUNTIME: Summary packet received, domain = cisco, r
ev = 13, followers = 1, length 80, trunk Fa0/3

sw3550_01(config)#
Dec 27 20:10:40.679: VTP LOG RUNTIME: Validate TLVs : #tlvs 1, max blk size 4
Dec 27 20:10:40.679: VTP LOG RUNTIME: Validate TLVs : #00, val 6, len 4
Dec 27 20:10:40.679: VTP LOG RUNTIME: Summary packet rev 13 equal to domain cisc
o rev 13

Dec 27 20:10:40.683: VTP LOG RUNTIME: Subset packet received, domain = cisco, re
v = 13, seq = 1, length = 220


sw3550_01(config)#do sh vlan brie
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
23   VLAN0023                         active
69   VLAN0069                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
sw3550_01(config)#


so much for command processing love...

Monday, December 26, 2011

port-sex violation...

port security can be a little funky...  when a port is put into err-disabled state because of a violation and the violation mode is shutdown, the port stays down...  a plain no shut does not bring it back, because the port was never administratively shut in the first place...

sw2950_02(config)#sw port-sex
                                              ^
% Invalid input detected at '^' marker.
sw2950_02(config)#
sw2950_02(config-if)#sw port-sec
sw2950_02(config-if)#sw port-sec mac-add aaaa.bbbb.cccc
sw2950_02(config-if)#sw port-sec vio shut
sw2950_02(config-if)#end

so i plugged in a device whose mac address was obviously not aaaa.bbbb.cccc...

sw2950_02#sh port-sec
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/8              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024



sw2950_02#sh port-sec int fa0/8
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

sw2950_02#sh int fa0/8
FastEthernet0/8 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255

then i tried no shut...

sw2950_02(config-if)#no shit
                                        ^
% Invalid input detected at '^' marker.
sw2950_02(config-if)#no shut
sw2950_02(config-if)#do sh int fa0/8
FastEthernet0/8 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255

that won't get it...

sw2950_02(config)#errd recover cause security-violation
sw2950_02(config)#errd recover interval 30
sw2950_02(config)#end

you have to wait for the recovery interval to expire after setting it lower...
then...

sw2950_02#
3d10h: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disab
le state on Fa0/8

sw2950_02#sh int fa0/8
FastEthernet0/8 is down, line protocol is down (notconnect)

  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

it's no longer err-disabled, and usable again once the offending device is unplugged or the allowed mac address is corrected... keep in mind errdisable recovery re-enables the port every interval no matter what, so if the wrong device is still attached the port just violates and goes down again... port security, yuck... lock up your switches...


in interface configuration mode, shut followed by no shut will also clear the err-disabled state... it's only the no shut on its own, on a port that isn't administratively down, that does nothing... go figure that one...

Sunday, December 25, 2011

lance link secret chimp...

link state/status...

every router learns about its own link states and the state of its directly connected networks... it determines this from the link's up/up status and the ip address and mask configured on it

every router forms adjacencies with its neighbor on directly connected networks via hello packets

every router builds a link state packet declaring the state of each directly connected link and forwards it to its neighbors.  this lsp includes the link's cost (derived from bandwidth), the neighbor id and the link type

upon receipt, every router floods its OWN neighbors with this lsp, and so on.  every router stores a copy of every lsp in its link-state database, so after flooding they all hold the same database


every router then constructs its OWN view of the topology and does best path determination with the SPF (dijkstra) algorithm.  the database is common, but the tree is computed independently by each router and is rooted at that router

linkage
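to make the last step concrete, here is an added example (not code from the original post) of the spf run every router does over the shared database... the four-router topology and its bandwidths are assumed for the demonstration; the cost formula is ospf's default of reference bandwidth (100 Mbps) divided by interface bandwidth, and the two-way check that ospf applies before using a link is included.

```python
"""Each router runs SPF over the same link-state database and gets its own tree.

Added example, not code from the original post. The four-router topology and
its bandwidths are assumed for the demonstration; the cost formula is OSPF's
default (reference bandwidth 100 Mbps divided by interface bandwidth, minimum 1).
"""
import heapq


def ospf_cost(bandwidth_kbps, reference_kbps=100_000):
    """Default OSPF interface cost; anything faster than the reference costs 1."""
    return max(1, reference_kbps // bandwidth_kbps)


def add_link(lsdb, a, b, bandwidth_kbps):
    """Both routers advertise the link in their own LSA (so the two-way check passes)."""
    cost = ospf_cost(bandwidth_kbps)
    lsdb.setdefault(a, {})[b] = cost
    lsdb.setdefault(b, {})[a] = cost


def build_lsdb():
    """Assumed topology: two T1 serials off r1, FastEthernet between r2, r3, r4."""
    lsdb = {}
    add_link(lsdb, "r1", "r2", 1544)     # T1 serial, cost 64
    add_link(lsdb, "r1", "r3", 1544)     # T1 serial, cost 64
    add_link(lsdb, "r2", "r3", 100_000)  # FastEthernet, cost 1
    add_link(lsdb, "r3", "r4", 100_000)  # FastEthernet, cost 1
    add_link(lsdb, "r2", "r4", 1544)     # T1 serial, cost 64
    return lsdb


def spf(lsdb, root):
    """Dijkstra rooted at `root`; returns {router: (total cost, first-hop router)}.

    A link is used only if both ends advertise it, which is OSPF's two-way
    connectivity check; a one-sided LSA never makes it into the tree.
    """
    dist = {root: 0}
    first_hop = {}
    heap = [(0, root, root)]
    done = set()
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        first_hop[node] = hop
        for nbr, link_cost in lsdb.get(node, {}).items():
            if node not in lsdb.get(nbr, {}):
                continue  # fails the two-way check
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else hop))
    return {n: (dist[n], first_hop[n]) for n in done if n != root}


if __name__ == "__main__":
    lsdb = build_lsdb()
    for router in sorted(lsdb):
        print(router, spf(lsdb, router))
```

run it and notice that r2 reaches r4 through r3 at cost 2 even though it has a direct serial link to r4 (cost 64), while r1 reaches r4 through r3 at cost 65: same database, different trees...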

Saturday, December 24, 2011

bandaid 64...

if you want to decide which route eigrp picks as the successor, change the interface bandwidth... bandwidth is the dominant term in the metric, so the low-bandwidth interface loses... first fa0/0 at 1 kbps versus s0/0 at 64 kbps:

r2620_03(config-if)#int fa0/0
r2620_03(config-if)#bandw 1
r2620_03(config-if)#int s0/0
r2620_03(config-if)#bandw 64
r2620_03(config-if)#do sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D       172.16.3.2/32
           [90/2560514560] via 192.168.100.2, 00:00:58, FastEthernet0/0
D       172.16.1.0/24 [90/5152000] via 192.168.10.9, 00:00:49, Serial0/0
D       172.16.3.1/32 [90/5024000] via 192.168.10.9, 00:00:49, Serial0/0
D       172.16.2.0/24 [90/4640000] via 192.168.10.9, 00:00:49, Serial0/0
D       172.16.3.0/30 [90/5024000] via 192.168.10.9, 00:00:49, Serial0/0


r2620_03(config-if)#int fa0/0
r2620_03(config-if)#bandw 64
r2620_03(config-if)#int s0/0
r2620_03(config-if)#band 1
r2620_03(config-if)#do sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D       172.16.3.2/32
           [90/40514560] via 192.168.100.2, 00:00:13, FastEthernet0/0
D       172.16.1.0/24
           [90/40130560] via 192.168.100.2, 00:00:01, FastEthernet0/0
D       172.16.3.1/32 [90/2561024000] via 192.168.10.9, 00:00:01, Serial0/0
D       172.16.2.0/24
           [90/40642560] via 192.168.100.2, 00:00:01, FastEthernet0/0
D       172.16.3.0/30
           [90/40514560] via 192.168.100.2, 00:00:01, FastEthernet0/0

r2620_03(config-if)#

the master of your successor...
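the metrics above aren't magic, they fall out of the classic eigrp formula... the following is an added example, not code from the original post: it computes the composite metric and picks the successor and feasible successor for one prefix. delays are the ios defaults assumed here (20000 usec serial, 100 usec fastethernet, 5000 usec loopback), bandwidth is the kbps value from the bandw commands, and the candidate table for 172.16.3.0/30 is constructed, with each neighbor assumed to advertise it over a plain t1 serial hop. one thing the arithmetic turns up: the Serial0/0 metrics in the first table (5024000 for 172.16.3.1/32, for example) correspond to a minimum bandwidth of 640 kbps, not 64, so that capture doesn't reflect a 64 kbps s0/0.

```python
"""Classic EIGRP metric and successor selection, reproducing the post's numbers.

Added example, not code from the original post. Delays are the IOS defaults
assumed here: 20000 usec serial, 100 usec FastEthernet, 5000 usec loopback.
The candidate table for 172.16.3.0/30 is constructed; the neighbours'
advertised bandwidth/delay are assumed to be a plain T1 serial hop.
"""

K1, K2, K3, K4, K5 = 1, 0, 1, 0, 0  # IOS defaults: bandwidth and delay only


def eigrp_metric(min_bw_kbps, delays_usec, load=1, reliability=255):
    """Composite metric: 256 * (K1*BW + K2*BW/(256-load) + K3*DLY) [* K5/(rel+K4)]."""
    bw = 10_000_000 // min_bw_kbps          # scaled bandwidth; IOS truncates
    dly = sum(delays_usec) // 10            # delay is summed in tens of usec
    metric = K1 * bw + (K2 * bw) // (256 - load) + K3 * dly
    if K5:
        metric = metric * K5 // (reliability + K4)
    return 256 * metric


def choose_paths(candidates):
    """candidates: list of dicts with via, adv_min_bw, adv_delay (what the
    neighbour reported) and link_bw, link_delay (our interface to it).
    Returns (successor, feasible_successors) as (via, FD, RD) tuples."""
    scored = []
    for c in candidates:
        rd = eigrp_metric(c["adv_min_bw"], [c["adv_delay"]])
        fd = eigrp_metric(min(c["adv_min_bw"], c["link_bw"]), [c["adv_delay"], c["link_delay"]])
        scored.append((c["via"], fd, rd))
    successor = min(scored, key=lambda s: s[1])
    # feasibility condition: a backup is loop-free only if its RD < our FD
    feasible = [s for s in scored if s is not successor and s[2] < successor[1]]
    return successor, feasible


# r2620_03's two ways to reach 172.16.3.0/30 with fa0/0 at 64 kbps and s0/0 at 1 kbps
CANDIDATES = [
    {"via": "192.168.100.2 FastEthernet0/0", "adv_min_bw": 1544, "adv_delay": 20000,
     "link_bw": 64, "link_delay": 100},
    {"via": "192.168.10.9 Serial0/0", "adv_min_bw": 1544, "adv_delay": 20000,
     "link_bw": 1, "link_delay": 20000},
]

if __name__ == "__main__":
    print(eigrp_metric(1, [20000, 20000]))   # 2561024000, the 172.16.3.1/32 via Serial0/0 row
    print(eigrp_metric(64, [100, 20000]))    # 40514560, the 172.16.3.0/30 via FastEthernet0/0 row
    print(choose_paths(CANDIDATES))
```

with s0/0 at 1 kbps the serial path still qualifies as a feasible successor: its reported distance (a t1 hop, 2169856) is below the feasible distance through fa0/0, so eigrp keeps it as a loop-free backup without running dual...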

below will redistribute a static route... notice the code (D*EX, eigrp external) and the AD (170 instead of the 90 internal eigrp gets)... the default here points at loopback0, so it's a black hole that exists only to have something to redistribute...

r2620_01#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r2620_01(config)#ip route 0.0.0.0 0.0.0.0 lo0
r2620_01(config)#router eigrp 1
r2620_01(config-router)#redistribute static
r2620_01(config-router)#

r2620_03#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D       172.16.3.2/32
           [90/40514560] via 192.168.100.2, 00:13:08, FastEthernet0/0
D       172.16.1.0/24
           [90/40130560] via 192.168.100.2, 00:12:56, FastEthernet0/0
D       172.16.3.1/32 [90/2561024000] via 192.168.10.9, 00:12:56, Serial0/0
D       172.16.2.0/24
           [90/40642560] via 192.168.100.2, 00:12:56, FastEthernet0/0
D       172.16.3.0/30
           [90/40514560] via 192.168.100.2, 00:12:56, FastEthernet0/0
D*EX 0.0.0.0/0 [170/2560640000] via 192.168.10.9, 00:00:53, Serial0/0
r2620_03#


rip defect route propagation...

plain rip, two routers each connected serially to r1... notice the gateway of last resort is not set...  follow the output and you'll see default-information originate put to good use in a rip environment... it saves configuring a static default on every router...

r2620_01(config)#do sh run | begin  router rip
router rip
 network 1.0.0.0
 network 10.0.0.0


r2620_01#sh ip route


Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 10.0.20.2, 00:00:20, Serial0/0
R    3.0.0.0/8 [120/1] via 10.0.30.2, 00:00:04, Serial0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.30.0/24 is directly connected, Serial0/1
C       10.0.30.2/32 is directly connected, Serial0/1
C       10.0.20.2/32 is directly connected, Serial0/0
C       10.0.20.0/24 is directly connected, Serial0/0

r2620_01#

r2620_02#sh ip route

Gateway of last resort is not set

R    1.0.0.0/8 [120/1] via 10.0.20.1, 00:00:27, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
R    3.0.0.0/8 [120/1] via 10.0.20.1, 00:00:27, Serial0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
R       10.0.30.0/24 [120/1] via 10.0.20.1, 00:00:27, Serial0/0
R       10.0.30.2/32 [120/1] via 10.0.20.1, 00:00:27, Serial0/0
C       10.0.20.0/24 is directly connected, Serial0/0
C       10.0.20.1/32 is directly connected, Serial0/0
r2620_02#


r2620_03#sh ip route


Gateway of last resort is not set

R    1.0.0.0/8 [120/1] via 10.0.30.1, 00:00:24, Serial0/0
R    2.0.0.0/8 [120/1] via 10.0.30.1, 00:00:24, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.30.0/24 is directly connected, Serial0/0
C       10.0.30.1/32 is directly connected, Serial0/0
R       10.0.20.2/32 [120/1] via 10.0.30.1, 00:00:24, Serial0/0
R       10.0.20.0/24 [120/1] via 10.0.30.1, 00:00:24, Serial0/0
r2620_03#

r2620_01(config)#router rip
r2620_01(config-router)#default-information originate
r2620_01(config-router)#end
r2620_01#


r2620_02#sh ip route


Gateway of last resort is 10.0.20.1 to network 0.0.0.0
R    1.0.0.0/8 [120/1] via 10.0.20.1, 00:00:11, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
R    3.0.0.0/8 [120/1] via 10.0.20.1, 00:00:11, Serial0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
R       10.0.30.0/24 [120/1] via 10.0.20.1, 00:00:11, Serial0/0
R       10.0.30.2/32 [120/1] via 10.0.20.1, 00:00:11, Serial0/0
C       10.0.20.0/24 is directly connected, Serial0/0
C       10.0.20.1/32 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 10.0.20.1, 00:00:11, Serial0/0

r2620_03#sh ip route

Gateway of last resort is 10.0.30.1 to network 0.0.0.0

R    1.0.0.0/8 [120/1] via 10.0.30.1, 00:00:19, Serial0/0
R    2.0.0.0/8 [120/1] via 10.0.30.1, 00:00:19, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.30.0/24 is directly connected, Serial0/0
C       10.0.30.1/32 is directly connected, Serial0/0
R       10.0.20.2/32 [120/1] via 10.0.30.1, 00:00:19, Serial0/0
R       10.0.20.0/24 [120/1] via 10.0.30.1, 00:00:19, Serial0/0
R*   0.0.0.0/0 [120/1] via 10.0.30.1, 00:00:19, Serial0/0
r2620_03#


so rip propagated a default route to r2 and r3, shown by the asterisk (R*) in their tables... sigh... but not to r1... which makes sense: default-information originate makes r1 advertise 0.0.0.0/0 to its neighbors, it does not install a default on r1 itself... if r1 is meant to actually forward that traffic anywhere it still needs its own default (ip route 0.0.0.0 0.0.0.0 with a real next hop), otherwise r2 and r3 hand unknown destinations to r1 and r1 drops them... and since nothing here authenticates rip, any router speaking rip into this network could inject a default the same way; ripv2 with key-chain authentication is the fix for that... this is very exciting...

r2620_01#sh ip route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 10.0.20.2, 00:00:20, Serial0/0
R    3.0.0.0/8 [120/1] via 10.0.30.2, 00:00:20, Serial0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.30.0/24 is directly connected, Serial0/1
C       10.0.30.2/32 is directly connected, Serial0/1
C       10.0.20.2/32 is directly connected, Serial0/0
C       10.0.20.0/24 is directly connected, Serial0/0
r2620_01#

Thursday, December 22, 2011

catnip of the day...

reow...
michael jackson says;

"i always never type full commands, my damn fat cat fingers get tired, but i do make a habit of saying the entire command in my head while typing...

for instance, when i type sh mac-add
i'm silently saying show mac dash address dash table in my head...

why? because i'm a friggin network cat; that's what we do..."

"and don't drink and subnet; you might get your vlans crossovered..."



router on a tip...

it doesn't get easier than this...

get a router, a switch and 2 pcs...
connect a straight-through cable from the router to a port on the switch... remove any ip address from the physical fa0/0 first, always, when making subinterfaces (same goes for frame relay and ppp)... the physical interface still needs its own no shut... make two subinterfaces on the router
encap dot1q 21 means what it says: encapsulation dot1q, tagged for vlan 21...
give each subinterface an ip on a different subnet (that's intervlan routing)


r2620_02#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r2620_02(config)#int fa0/0.21
r2620_02(config-subif)#encap dot1q 21
r2620_02(config-subif)#ip add 192.168.21.1 255.255.255.0
r2620_02(config-subif)#no shut
r2620_02(config-subif)#int fa0/0.22
r2620_02(config-subif)#encap dot1q 22
r2620_02(config-subif)#ip add 192.168.22.1 255.255.255.0
r2620_02(config-subif)#no shut
r2620_02(config-subif)#

swich time..
make two vlans, make a trunk (restricting the trunk's allowed vlan list is optional, since a trunk forwards every vlan by default unless told otherwise, but pruning it down to the vlans the router actually routes is the sane thing to do), put an interface into each vlan and you've got...

s2(config)#vlan 21
s2(config-vlan)#name 21
s2(config-vlan)#vlan 22
s2(config-vlan)#name 22
s2(config-vlan)#exit
s2(config)#int fa0/17
s2(config-if)#sw mode trunk
s2(config-if)#sw trunk allow vlan 21,22
s2(config-if)#exit
s2(config)#int fa0/15
s2(config-if)#sw mode acc
s2(config-if)#sw acc vlan 21

s2(config-if)#int fa0/16
s2(config-if)#sw mode acc
s2(config-if)#sw acc vlan 22

s2(config-if)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5
10   fac/staff                        active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
20   students                         active    Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
21   21                               active    Fa0/15
22   22                               active    Fa0/16


connect a pc to each switch port and set ips and gateways...
then ping them... turn on debug ip icmp on the router first; the replies are shown after the pc pings below...

C:\Users\bosgood>ping 192.168.21.1

Pinging 192.168.21.1 with 32 bytes of data:
Reply from 192.168.21.1: bytes=32 time=2ms TTL=255
Reply from 192.168.21.1: bytes=32 time=1ms TTL=255
Reply from 192.168.21.1: bytes=32 time=1ms TTL=255
Reply from 192.168.21.1: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.21.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms


C:\Users\bosgood>ping 192.168.22.1

Pinging 192.168.22.1 with 32 bytes of data:
Reply from 192.168.22.1: bytes=32 time=2ms TTL=255
Reply from 192.168.22.1: bytes=32 time=2ms TTL=255
Reply from 192.168.22.1: bytes=32 time=1ms TTL=255
Reply from 192.168.22.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.22.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

r2620_02#debug ip icmp
ICMP packet debugging is on

r2620_02#
Dec 22 18:47:13.575: ICMP: echo reply sent, src 192.168.21.1, dst 192.168.21.2
r2620_02#
Dec 22 18:47:14.575: ICMP: echo reply sent, src 192.168.21.1, dst 192.168.21.2
r2620_02#
Dec 22 18:47:15.579: ICMP: echo reply sent, src 192.168.21.1, dst 192.168.21.2
r2620_02#
Dec 22 18:47:16.583: ICMP: echo reply sent, src 192.168.21.1, dst 192.168.21.2

r2620_02#
Dec 22 18:49:39.983: ICMP: echo reply sent, src 192.168.22.1, dst 192.168.22.2
r2620_02#
Dec 22 18:49:40.987: ICMP: echo reply sent, src 192.168.22.1, dst 192.168.22.2
r2620_02#
Dec 22 18:49:41.987: ICMP: echo reply sent, src 192.168.22.1, dst 192.168.22.2
r2620_02#
Dec 22 18:49:42.991: ICMP: echo reply sent, src 192.168.22.1, dst 192.168.22.2
r2620_02#

that's a router on my...
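the things that usually go wrong with this setup are mismatches between the two boxes, so here is an added example (not code from the original post) that reads both configs and checks them against each other... the router and switch configs are reconstructed from the commands above, with the vlan 10 and 20 access ports taken from the show vlan output; audit_roas() is a hypothetical helper. it goes a little beyond the post: besides the allowed list and the parent interface's ip address it also checks the native vlan (a subinterface for the trunk's native vlan must carry the native keyword or its frames arrive tagged when the switch expects them untagged) and flags vlans the trunk carries that the router never routes.

```python
"""Sanity-check a router-on-a-stick against the switch side of the trunk.

Added example, not code from the original post. The two configs are
reconstructed from the post's commands; the extra VLAN 10/20 access ports come
from the post's `show vlan` output. The hypothetical audit_roas() checks the
things that usually break (or quietly over-expose) this setup.
"""
import re

ROUTER_CFG = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
!
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 ip address 192.168.22.1 255.255.255.0
!
"""

SWITCH_CFG = """\
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/15
 switchport mode access
 switchport access vlan 21
!
interface FastEthernet0/16
 switchport mode access
 switchport access vlan 22
!
interface FastEthernet0/17
 switchport mode trunk
 switchport trunk allowed vlan 21,22
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
!
"""


def parse_interfaces(cfg):
    """{interface name: [its indented config lines]}"""
    blocks, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def expand_vlans(spec):
    """'21,22,30-32' -> {21, 22, 30, 31, 32}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_roas(router_cfg, switch_cfg, trunk_port):
    """Return a list of problems; empty means the router and trunk agree."""
    issues = []
    rblocks, sblocks = parse_interfaces(router_cfg), parse_interfaces(switch_cfg)

    subifs, native_subifs = {}, set()              # vlan -> subinterface name
    for name, lines in rblocks.items():
        for l in lines:
            m = re.match(r"encapsulation dot1[qQ] (\d+)( native)?$", l)
            if m:
                subifs[int(m.group(1))] = name
                if m.group(2):
                    native_subifs.add(int(m.group(1)))

    for parent in sorted({name.split(".")[0] for name in subifs.values()}):
        if any(l.startswith("ip address ") for l in rblocks.get(parent, [])):
            issues.append(f"{parent} still has an ip address; remove it before adding subinterfaces")

    trunk = sblocks.get(trunk_port, [])
    if "switchport mode trunk" not in trunk:
        issues.append(f"{trunk_port} is not configured as a trunk")
    allowed, native_vlan = set(range(1, 4095)), 1   # IOS defaults: all vlans, native 1
    for l in trunk:
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", l)
        if m:
            allowed = expand_vlans(m.group(1))
        m = re.match(r"switchport trunk native vlan (\d+)$", l)
        if m:
            native_vlan = int(m.group(1))

    access = {}                                     # vlan -> [access ports]
    for name, lines in sblocks.items():
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m:
                access.setdefault(int(m.group(1)), []).append(name)

    for vlan, sub in sorted(subifs.items()):
        if vlan not in allowed:
            issues.append(f"vlan {vlan} ({sub}) is not in the allowed list on {trunk_port}")
        if vlan == native_vlan and vlan not in native_subifs:
            issues.append(f"vlan {vlan} is native on {trunk_port} but {sub} tags it; use 'encapsulation dot1Q {vlan} native'")
        if vlan not in access:
            issues.append(f"vlan {vlan} ({sub}) has no access port on the switch")
    for vlan in sorted(allowed & (set(access) - set(subifs))):
        issues.append(f"{trunk_port} carries vlan {vlan} although the router has no subinterface for it; prune it")
    return issues


if __name__ == "__main__":
    print(audit_roas(ROUTER_CFG, SWITCH_CFG, "FastEthernet0/17") or ["ok"])
```

the config from the post passes clean... drop the allowed-vlan line from the trunk and the audit complains that vlans 10 and 20 (fac/staff and students) are now riding a trunk the router has no business seeing...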

debug vtp...

s3(config)#do sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5
10   fac/staff                        active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17
20   students                         active    Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
30   guest                            active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
99   mgmt&native                      active

s3#debug sw-vlan vtp ?
  events   vtp events
  packets  vtp packets
  pruning  vtp pruning events
  xmit     vtp packets transmitted
s3#debug sw-vlan vtp events
vtp events debugging is on
s3#
01:41:21: VTP LOG RUNTIME: Summary packet received, domain = ozlan, rev = 56, fo
llowers = 1, length 80, trunk Fa0/2

01:41:21: VTP LOG RUNTIME: Validate TLVs : #tlvs 1, max blk size 4
01:41:21: VTP LOG RUNTIME: Validate TLVs : #00, val 6, len 4
01:41:21: VTP LOG RUNTIME: Summary packet rev 56 greater than domain ozlan rev 55

s3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5
10   fac/staff                        active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17
20   students                         active    Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
30   guest                            active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
69   VLAN0069                         active
99   mgmt&native                      active

michael jackson says...

the purpose of stp is to prevent loops in your redundant switched network, and...

the closest you can get to turning vtp off on your cisco switches is to place them in transparent mode...

bah humbug...
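the "rev 56 greater than domain ozlan rev 55" line above, and the rev 13 summaries in the vtputt-putt post, are the whole vtp story: a server or client switch that hears a higher revision for its domain takes that vlan database wholesale, which is how a stray switch with a high revision wipes every vlan in the domain (a vtp password folds into the md5 digest and transparent mode stops the switch from acting on adverts at all)... here is an added example, not code from the original post, that watches debug sw-vlan vtp events output for exactly that. the sample log is constructed from the lines on this page, wrapped at 80 columns the way the console printed them; the second, "equal to" event and its timestamp are made up.

```python
"""Watch `debug sw-vlan vtp events` output for revision jumps that will overwrite the VLAN database.

Added example, not code from the original post. SAMPLE_DEBUG is constructed
from the log lines in the post (wrapped at 80 columns exactly as the console
printed them); the second, "equal to" event and its timestamp are made up.
"""
import re

TIMESTAMP = re.compile(r"^(?:[A-Z][a-z]{2} +\d+ +)?\d{1,2}:\d{2}:\d{2}(?:\.\d+)?: ")
PROMPT = re.compile(r"^\S+(?:\(config[^)]*\))?[#>]\s*$")
RECEIVED = re.compile(r"Summary packet received, domain = (\S+), rev = (\d+), .*trunk (\S+)")
# Only the two comparison wordings that appear in the post are recognised.
COMPARED = re.compile(r"Summary packet rev (\d+) (greater than|equal to) domain (\S+) rev (\d+)")

SAMPLE_DEBUG = """\
s3#
01:41:21: VTP LOG RUNTIME: Summary packet received, domain = ozlan, rev = 56, fo
llowers = 1, length 80, trunk Fa0/2

01:41:21: VTP LOG RUNTIME: Validate TLVs : #tlvs 1, max blk size 4
01:41:21: VTP LOG RUNTIME: Validate TLVs : #00, val 6, len 4
01:41:21: VTP LOG RUNTIME: Summary packet rev 56 greater than domain ozlan rev 5
5
01:41:52: VTP LOG RUNTIME: Summary packet received, domain = ozlan, rev = 56, fo
llowers = 1, length 80, trunk Fa0/2
01:41:52: VTP LOG RUNTIME: Summary packet rev 56 equal to domain ozlan rev 56
s3#
"""


def unwrap(text):
    """Rejoin log lines the console wrapped mid-word; drop prompts and blanks."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or PROMPT.match(line):
            continue
        if TIMESTAMP.match(line) or "VTP LOG RUNTIME:" in line or not records:
            records.append(line)
        else:
            records[-1] += line  # wrapped with no separator, so no space added
    return records


def vtp_revision_events(text):
    """Pair each received summary advert with the revision comparison IOS logged for it."""
    events, pending = [], None
    for rec in unwrap(text):
        m = RECEIVED.search(rec)
        if m:
            pending = {"domain": m.group(1), "rev": int(m.group(2)), "trunk": m.group(3)}
            continue
        m = COMPARED.search(rec)
        if m and pending and pending["domain"] == m.group(3) and pending["rev"] == int(m.group(1)):
            pending.update(local_rev=int(m.group(4)), verdict=m.group(2))
            events.append(pending)
            pending = None
    return events


def overwrite_alerts(text):
    """Events where a neighbour's revision beat ours: a server or client switch
    accepts that database wholesale, so these are the lines worth paging on."""
    return [f"{e['trunk']}: domain {e['domain']} rev {e['rev']} > local rev {e['local_rev']}"
            for e in vtp_revision_events(text) if e["verdict"] == "greater than"]


if __name__ == "__main__":
    for alert in overwrite_alerts(SAMPLE_DEBUG):
        print("VTP overwrite:", alert)
```

feed it a syslog capture instead of SAMPLE_DEBUG and the alert tells you which trunk the winning revision came in on, which is the port you want to find before the next vlan disappears...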

Wednesday, December 21, 2011

R1#terminal length 0

this command doesn't get a lot of air play and it should...  one of the great things about cisco routers and switches is how easily they're configured from a plain terminal session (console or telnet), a text editor and a mouse... copying start to a tftp server is a good way to back up configurations, but when you're bouncing between console and telnet on multiple devices and need a quick backup, open notepad or the like and scrape the terminal output into it... just remember the scrape contains whatever the config contains, including any passwords stored in cleartext, so treat the file the way you'd treat the config itself...

the crux of the matter below:

r2620_03#term length 5
r2620_03#sh run
Building configuration...

Current configuration : 1428 bytes
!
version 12.4
 --More--

i shortened the term length to illustrate this point; notice the annoying --More--...

of course you hit the space bar to race through to get where you want to be, but if you want a clean scrape to dump into notepad, get rid of  --More-- by setting the term length to 0...

 r2620_03#term length 0

this will give a clean run, without nasty  --More--

then just scroll back to the top of the output, run the mouse over the text, right-click the highlighted text and copy it...  go back to the config prompt, right-click and paste...  the router reads the text as commands and merges it into the running config (it adds to what's there, it doesn't replace it)...


naturally, you could also edit the text before the scrape to get rid of the bad experiments first...

set the term length back to, say 25, and you'll get about a screen at a time next go...

but of course you knew this already...

etherface...

the absolute horror of it all...

when all else fails, memorize...


ethernet            10 Mbps     10Base-T        IEEE 802.3    100 m copper

fast ethernet       100 Mbps    100Base-TX      802.3u        100 m copper

gigabit ethernet    1000 Mbps   1000Base-T      802.3ab       100 m copper

gigabit ethernet    1000 Mbps   1000Base-LX     802.3z        5 km fiber (long haul)
                                1000Base-SX                   550 m fiber (short haul)

10GigE              10 Gbps     10GBase-T       802.3an       100 m copper

10GigE              10 Gbps     10GBase-LR      802.3ae       10 km fiber
                                10GBase-SR                    300 m fiber

i have to wash my brain...





Monday, December 19, 2011

Wbland...

wlan


4 agencies

itu-r - worldwide organization that manages the assignment of frequencies

ieee - standardization of wlans, the 802.11 family

wi-fi alliance - industry consortium that encourages interoperability through its wi-fi certification program

FCC - u.s. government agency that regulates usage of the various communication frequencies

IEEE introduced wlan standards in 1997 with ratification of 802.11; next came 802.11b, then 802.11a
and 802.11g

802.11b is 11 Mbps @ 2.4 GHz with 11 channels (3 non-overlapping)
802.11a is 54 Mbps @ 5 GHz with 23 channels (12 non-overlapping)
802.11g is 54 Mbps @ 2.4 GHz with 11 channels (3 non-overlapping)

using DSSS the max speed for b and g is 11 Mbps (b uses only DSSS)
using OFDM the max speed for a and g is 54 Mbps (a uses only OFDM)

approximate ranges in feet:

standard   highest rate   range at that rate   lowest rate   range at that rate
802.11a    54 Mbps        about 75 ft          6 Mbps        about 200 ft
802.11b    11 Mbps        about 150 ft         1 Mbps        about 350 ft
802.11g    54 Mbps        about 90-100 ft      6 Mbps        about 300 ft

ad hoc mode - two or a few devices send wlan frames to each other directly, for short periods
infrastructure mode - through an AP, which also gives access to servers and the internet

2 submodes of infrastructure mode, BSS and ESS
basic service set uses a single AP to make a wireless LAN
extended service set uses more than one AP, with overlapping cells, to allow
   for roaming in a larger area

IBSS independent basic service set, two (or a few) devices talking directly with no ap; that's ad hoc mode

encoding, 3 types
FHSS frequency hopping spread spectrum hops between frequencies across the band for consecutive
   transmissions (the original 802.11 only)
DSSS direct sequence spread spectrum, used by b (and by g at the b rates) in the 2.4 GHz unlicensed band
OFDM orthogonal frequency division multiplexing, used by a in the 5 GHz band and by g at the higher rates in the 2.4 GHz band

coverage area quality depends on frequency, obstructions, interference, antennas, and on whether dsss or ofdm
    is used to encode through the air
    higher frequencies carry data faster but don't reach as far

CSMA/CA: hosts sharing an AP can't detect collisions while transmitting, so if two send at
   the same time the frames are lost; the protocol tries to avoid that

prevention
1) listen for busy freq
2) random wait timer before sending a frame to reduce chance for simultaneous sends
does this sound familiar yet?
3) when timer expires, listen again for not busy, resend frame
4) after whole frame sent, listen for acknowledgement
5) no acknowledgement, restart csma logic (step 1)

security risks
war drivers - hackers driving around looking for insecure or weak aps to exploit (countermeasure: strong authentication)
hackers - after information or to deny service, often compromising end hosts as a way onto
   the enterprise network without going through the firewall (strong encryption and authentication)
employees - who install aps on the LAN with no security, allowing easy hacker
   access (IDS, IPS and SWAN)
rogue aps - attacker captures packets, finds the service set identifier, then sets up an ap that
   employees might associate with (IDS, IPS and SWAN)

risk reduction - mutual authentication, a secret key on both client and AP
   encryption, a key and algorithm to scramble frame contents
   intrusion detection, IDS, IPS and SWAN (structured wireless-aware network,
   cisco's concept for detecting rogues)

WEP wired equivalent privacy - 1997, the original standard, provided authentication and encryption
   using static PSKs (pre-shared keys) configured by hand; 40-bit keys (later 104-bit) combined with a
   24-bit IV to drive RC4, easily cracked

cisco came up with an interim solution: dynamic key exchange, a new encryption key for each
   packet, and user authentication using 802.1x instead of device authentication

WPA wi-fi protected access - 2003, similar to the cisco interim solution: dynamic key exchange using TKIP
   (temporal key integrity protocol), either 802.1x user authentication or
   device authentication with a PSK, and a MIC (message integrity
   check) on each frame

802.11i WPA2 - dynamic key exchange, stronger encryption using AES (advanced encryption standard)
   and user authentication. not backward compatible with wpa or wep as such, though aps commonly run wpa and wpa2 side by side in mixed mode
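the "secret key on both client and AP" in personal mode is derived from the passphrase and the SSID, and that derivation is what decides how strong a psk really is... here is an added example, not code from the original post, showing the derivation and why a short passphrase is crackable offline. the PSK (the PMK in wpa/wpa2 personal) is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes; the first check value is the published 802.11i test vector. the wordlist and the "captured" PMK are constructed for the demonstration, and the attack is shortened to comparing PMKs (a real attacker derives the PTK from each candidate and checks the captured 4-way handshake MIC, but the cost per guess is the same).

```python
"""Why a WPA/WPA2 pre-shared key is only as strong as the passphrase.

Added example, not code from the original post. The PSK (the PMK for
personal mode) is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes);
the first test vector is the one published in the 802.11i annex. The wordlist
and the "captured" PMK are constructed for the demonstration.
"""
import hashlib


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK/PMK that client and AP both compute from the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def dictionary_attack(target_pmk, ssid, wordlist):
    """Offline guessing: the SSID is broadcast, so each candidate passphrase can be
    tested without touching the network. A real attacker checks the captured
    4-way handshake MIC per candidate; comparing PMKs here costs the same.
    Returns (passphrase or None, number of guesses made)."""
    for tried, candidate in enumerate(wordlist, 1):
        if wpa_psk(candidate, ssid) == target_pmk:
            return candidate, tried
    return None, len(wordlist)


# Constructed wordlist; "ozlan" is the VTP domain name used elsewhere on this page
CONSTRUCTED_WORDLIST = ["password", "letmein", "guestwifi", "cisco123", "ozlan2011"]

if __name__ == "__main__":
    captured = wpa_psk("cisco123", "ozlan")   # pretend this came off the air
    print(dictionary_attack(captured, "ozlan", CONSTRUCTED_WORDLIST))
```

4096 rounds make each guess cost something, but not much: a gpu rig does many thousand per second, so a psk out of a wordlist is gone in minutes... long random passphrases, or 802.1x so there is no shared passphrase at all, are the answer.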

implementation -
   AP parameters include SSID, RF channel and authentication
   clients need only the matching SSID, authentication method and key
   802.11 is plug and play by design because of open authentication, whereas WEP and WPA
      use PSKs that must match exactly

1) verify the existing wired network works; connect all aps in the same
   ESS to the same vlan
2) set up the ap's wired side like a switch (it bridges wireless onto the wired vlan), using a straight-through cable;
   ip address, mask and default gateway
3) set up the IEEE standard (a, b, g, or a combination),
   the wireless channel, SSID and power
4) build a client (it must support the same wlan standard; it will learn the SSID from the AP)
5) verify at the client end
6) configure security
7) verify the client works with security enabled

i have yuck brain...

Saturday, December 17, 2011

the phone booth...

bootstraps...

not sure if odom and the rest still mention this but booting or rebooting is derived from the idea of bootstraps, or more accurately, pulling oneself up by the bootstraps... the safest way to remember what the configuration settings do is to look at the boot field...  the boot field is the last four bits (all the way to the right) of the config register, a number in hex; normally it's 0x2, as in the default 0x2102, which means boot from the config file in flash if possible...

if the last digit is 0 boot to rommon, if it's 1 boot the software contained in rom...

0x2142 means bypass the startup config (in nvram) and is mostly used in password recovery...

use show version to see the current config-register setting, ie,

Configuration register is 0x2102 (will be 0x2142 at next reload)

show run and show start do NOT show the register setting but will show manually input boot system configuration...


r2620_01#sh run
Building configuration...

Current configuration : 2049 bytes
!
! Last configuration change at 12:51:27 UTC Sat Dec 17 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2620_01
!
boot-start-marker
boot system tftp myass 255.255.255.255
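A small decoder for the register values discussed above, written as an added example for this post (it is not the blog's code and not a Cisco tool); it assumes the standard bit layout of the 16-bit config register (boot field in bits 0-3, 0x0040 to ignore NVRAM, 0x0100 to disable console break, 0x2000 to fall back to the ROM image) and parses the "Configuration register is ..." line that show version prints. The check worth automating is the pending 0x2142: a router that will skip its startup-config on the next reload is either mid password recovery or has been tampered with, and show run will never tell you.

```python
import re
from typing import Optional

# Bit layout of the 16-bit IOS configuration register (standard Cisco meaning).
BOOT_FIELD_MASK = 0x000F  # bits 0-3: the boot field
IGNORE_NVRAM = 0x0040     # bit 6: ignore startup-config in NVRAM (the 0x2142 trick)
BREAK_DISABLED = 0x0100   # bit 8: console Break is ignored once IOS is up
ROM_FALLBACK = 0x2000     # bit 13: fall back to the ROM image if a network boot fails


def boot_field_meaning(boot_field: int) -> str:
    """Translate the low four bits into what the router does at power-up."""
    if boot_field == 0x0:
        return "stay in ROMmon"
    if boot_field == 0x1:
        return "boot the image in ROM"
    return "boot from flash, honouring any boot system commands"


def decode_config_register(value: int) -> dict:
    """Break a register such as 0x2102 or 0x2142 into the fields that matter."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "register": f"0x{value:04x}",
        "boot_field": boot_field,
        "boot": boot_field_meaning(boot_field),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


# Matches the show version line, with or without the "(will be ... at next reload)" tail.
_SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_show_version(line: str) -> Optional[dict]:
    """Parse the register line from show version; None if this isn't that line."""
    m = _SHOW_VERSION_RE.search(line)
    if m is None:
        return None
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": decode_config_register(current),
        "next_reload": decode_config_register(next_reload),
        # The thing an audit script should shout about: the next boot will skip NVRAM.
        "nvram_bypass_pending": bool(next_reload & IGNORE_NVRAM),
    }


if __name__ == "__main__":
    # The line quoted in the post above.
    info = parse_show_version("Configuration register is 0x2102 (will be 0x2142 at next reload)")
    print(info["current"]["boot"], "| nvram bypass pending:", info["nvram_bypass_pending"])
```

Feed it the output of show version from every router in an inventory and alert on nvram_bypass_pending; the ignore-NVRAM bit is the one that matters for the password recovery story above.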

my college friends and i used to refer to throwing up, as booting

Friday, December 16, 2011

beware of the glob...

the more definitions i read about this mess, the more awful and terrible they get...

inside local- the best definition i get is private address, or a private address behind the firewall ie, 192.168.1.100

inside global-  the inside private address natted for the outside by NAT/firewall; how 192.168.1.100 gets translated and shipped by the firewall as 200.0.0.10

here's where the confusion starts

outside global-  the natted address (outside the firewall) 200.0.0.10 on its way to the ISP

outside local- whatever the ISP does with the address at this point, they may NAT it again, they may ship it as is considering they gave you outside addresses to use, etc., who knows

this whole concept has got to be the worst that cisco has ever come up with

the important point is that NAT will make your rfc1918 address routable for the wild so you can get to your porn...

Thursday, December 15, 2011

successor excess...

a successor route is the lowest cost/best path that EIGRP is currently using...  this route shows up in the neighbor table, the topology table, and the route table...

r2620_01(config-if)#do sh ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/156160] via 192.168.1.120, 00:07:32, FastEthernet0/0
     100.0.0.0/24 is subnetted, 1 subnets
D       100.0.0.0 [90/156160] via 192.168.1.100, 00:07:32, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/156160] via 192.168.1.130, 00:07:32, FastEthernet0/0
r2620_01(config-if)#

r2620_01(config-if)#do sh ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 1.1.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 2.2.2.0/24, 1 successors, FD is 156160
        via 192.168.1.120 (156160/128256), FastEthernet0/0
        via 10.0.20.2 (2297856/128256), Serial0/0
P 3.3.3.0/24, 1 successors, FD is 156160
        via 192.168.1.130 (156160/128256), FastEthernet0/0
        via 10.0.30.2 (2297856/128256), Serial0/1
P 10.0.30.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/1
P 10.0.30.1/32, 0 successors, FD is Inaccessible
        via 192.168.1.130 (2172416/2169856), FastEthernet0/0
        via 10.0.20.2 (2684416/2172416), Serial0/0
        via 10.0.30.2 (2681856/2169856), Serial0/1
P 10.0.30.2/32, 1 successors, FD is 2169856
        via Rconnected (2169856/0)
P 10.0.20.2/32, 1 successors, FD is 2169856
        via Rconnected (2169856/0)
P 10.0.20.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0
P 10.0.20.1/32, 0 successors, FD is Inaccessible
        via 192.168.1.120 (2172416/2169856), FastEthernet0/0
        via 10.0.30.2 (2684416/2172416), Serial0/1
        via 10.0.20.2 (2681856/2169856), Serial0/0
P 100.0.0.0/24, 1 successors, FD is 156160
        via 192.168.1.100 (156160/128256), FastEthernet0/0
P 192.168.1.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
r2620_01(config-if)#

and:
r2620_01(config-if)#do sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
4   192.168.1.130           Fa0/0             14 00:14:53   11   200  0  67
1   192.168.1.100           Fa0/0             12 00:14:53    8   200  0  92
0   192.168.1.120           Fa0/0             14 00:14:53 1030  5000  0  145
3   10.0.30.2               Se0/1             11 00:47:52    3   200  0  68
2   10.0.20.2               Se0/0             11 00:53:08    4   200  0  144
r2620_01(config-if)#

there seems to be confusion about the successor and the feasible successor...  certainly not to be confused with active in the topology table, which is according to hoyle:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f07.shtml#neighbor_table


When there are no feasible successors, a route goes into Active state and a route recomputation occurs. A route recomputation commences with a router sending a query packet to all neighbors. Neighboring routers can either reply if they have feasible successors for the destination or optionally return a query indicating that they are performing a route recomputation. While in Active state, a router cannot change the next-hop neighbor it is using to forward packets. Once all replies are received for a given query, the destination can transition to Passive state and a new successor can be selected. 




the successor shows up in the route table, the topology table and the neighbor table, and the feasible successor shows in only the topology and neighbor tables


now let's eliminate the ethernet link to the layer 3 switch and re-examine

r2620_01(config)#int fa0/0
r2620_01(config-if)#shut
r2620_01(config-if)#
Dec 15 16:23:09.798: IP-EIGRP(Default-IP-Routing-Table:1): conn_summary_depend: FastEthernet0/0 192.168.1.0/24 0
r2620_01(config-if)#
Dec 15 16:23:09.798: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.130 (FastEthernet0/0) is down: interface down

Dec 15 16:23:09.802: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.100 (FastEthernet0/0) is down: interface down

Dec 15 16:23:09.806: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.120 (FastEthernet0/0) is down: interface down

r2620_01(config-if)#
Dec 15 16:23:11.778: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
Dec 15 16:23:12.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
r2620_01(config-if)#

then
r2620_01(config-if)#do sh ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 10.0.20.2, 00:01:37, Serial0/0
     100.0.0.0/24 is subnetted, 1 subnets
D       100.0.0.0 [90/2300416] via 10.0.30.2, 00:01:37, Serial0/1
                  [90/2300416] via 10.0.20.2, 00:01:37, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 10.0.30.2, 00:01:37, Serial0/1
D    192.168.1.0/24 [90/2172416] via 10.0.30.2, 00:01:37, Serial0/1
                    [90/2172416] via 10.0.20.2, 00:01:37, Serial0/0
r2620_01(config-if)#



r2620_01(config-if)#do sh ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 1.1.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 2.2.2.0/24, 1 successors, FD is 156160
        via 10.0.20.2 (2297856/128256), Serial0/0

P 3.3.3.0/24, 1 successors, FD is 156160
        via 10.0.30.2 (2297856/128256), Serial0/1

P 10.0.30.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/1
P 10.0.30.1/32, 0 successors, FD is Inaccessible
        via 10.0.20.2 (2684416/2172416), Serial0/0
        via 10.0.30.2 (2681856/2169856), Serial0/1
P 10.0.30.2/32, 1 successors, FD is 2169856
        via Rconnected (2169856/0)
P 10.0.20.2/32, 1 successors, FD is 2169856
        via Rconnected (2169856/0)
P 10.0.20.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0
P 10.0.20.1/32, 0 successors, FD is Inaccessible
        via 10.0.30.2 (2684416/2172416), Serial0/1
        via 10.0.20.2 (2681856/2169856), Serial0/0
P 100.0.0.0/24, 2 successors, FD is 2300416
        via 10.0.20.2 (2300416/156160), Serial0/0
        via 10.0.30.2 (2300416/156160), Serial0/1

P 192.168.1.0/24, 2 successors, FD is 2172416
        via 10.0.20.2 (2172416/28160), Serial0/0
        via 10.0.30.2 (2172416/28160), Serial0/1
r2620_01(config-if)#



r2620_01(config-if)#do sh ip eigrp neigh
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
3   10.0.30.2               Se0/1             11 01:13:34    2   200  0  71
2   10.0.20.2               Se0/0             10 01:18:50    3   200  0  149

r2620_01(config-if)#


the feasible successors have become the successors and now they are showing up in all three tables
so there...

feasibly yours...

when EIGRP receives multiple paths to the same destination with the same prefix it adds these routes to its table and bases a best path decision upon the metrics in these updates. EIGRP determines closeness (lowest metric) as the winner and then installs the lowest metric/best path in its routing table.

THIS is the successor...

the default is four equal cost paths for determination, but this can be adjusted to include more or less paths... equal is a relative term and allowances can be determined using variance (to establish near equality)

a feasible successor is a path determined close, but not best after the calculation... this so called backup neighbor may be placed in the topology table and utilized in the event of successor failure

bandwidth and delay are the inputs to EIGRP's default metric calculation... load, reliability and MTU can also be considered... see below...

r2620_01#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 000f.2394.6c40 (bia 000f.2394.6c40)
  Internet address is 192.168.1.50/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  reliability 255/255, txload 1/255, rxload 1/255
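To tie the successor/feasible successor posts together with the show interface numbers just above, here is an added example (mine, not the blog's and not IOS code) that computes the classic EIGRP metric from bandwidth and delay and then applies DUAL's feasibility condition to the topology-table entries shown earlier. The FastEthernet bandwidth and delay come from the output above; the loopback values (8000000 Kbit, 5000 usec) and the T1 serial values (1544 Kbit, 20000 usec) are assumed IOS defaults. With those inputs the function reproduces every FD and reported distance in the two sh ip eigrp topo captures, which is a good way to convince yourself the numbers are not magic.

```python
from typing import Dict, List, Tuple

# (bandwidth in Kbit/s, delay in microseconds), exactly the units show interface prints.
# FastEthernet is from the show int fa0/0 output in the post; loopback and T1 serial are
# assumed IOS defaults.
FASTETHERNET = (100_000, 100)
LOOPBACK = (8_000_000, 5_000)
SERIAL_T1 = (1_544, 20_000)


def eigrp_metric(hops: List[Tuple[int, int]]) -> int:
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
    256 * (10^7 / minimum bandwidth + sum of delays / 10), with integer division like IOS."""
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(delay for _, delay in hops)
    return 256 * (10_000_000 // min_bw + total_delay // 10)


# One topology-table candidate: next hop, the metric through that neighbour,
# and the reported distance (the neighbour's own metric to the prefix).
Path = Tuple[str, int, int]


def classify_paths(paths: List[Path]) -> Dict:
    """DUAL's selection rule for one prefix: the lowest metric is the feasible distance (FD),
    every path at that metric is a successor (variance 1), and any other path whose reported
    distance is strictly below the FD is a feasible successor, i.e. a loop-free backup."""
    fd = min(metric for _, metric, _ in paths)
    successors = [nh for nh, metric, _ in paths if metric == fd]
    feasible = [nh for nh, metric, rd in paths if metric != fd and rd < fd]
    return {"fd": fd, "successors": successors, "feasible_successors": feasible}


def prefix_2_2_2_0_before_shutdown() -> Dict:
    """2.2.2.0/24 as r2620_01 sees it with fa0/0 up: Ethernet or T1 to a neighbour's loopback."""
    via_ethernet = eigrp_metric([FASTETHERNET, LOOPBACK])   # 156160
    via_serial = eigrp_metric([SERIAL_T1, LOOPBACK])         # 2297856
    rd = eigrp_metric([LOOPBACK])                            # 128256, what both neighbours report
    return classify_paths([("192.168.1.120", via_ethernet, rd), ("10.0.20.2", via_serial, rd)])


def prefix_100_0_0_0_after_shutdown() -> Dict:
    """100.0.0.0/24 once fa0/0 is shut: T1 to either neighbour, then Ethernet, then the loopback."""
    metric = eigrp_metric([SERIAL_T1, FASTETHERNET, LOOPBACK])   # 2300416
    rd = eigrp_metric([FASTETHERNET, LOOPBACK])                   # 156160
    return classify_paths([("10.0.20.2", metric, rd), ("10.0.30.2", metric, rd)])


if __name__ == "__main__":
    print(prefix_2_2_2_0_before_shutdown())
    print(prefix_100_0_0_0_after_shutdown())
```

The first function gives one successor (192.168.1.120) and one feasible successor (10.0.20.2), which is exactly the "1 successors" line with two via entries in the first topology capture; the second gives two successors and no backup, matching the "2 successors" lines after the shutdown.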


OSPF area zero hour, nine a.m...


With OSPF, area 0 is the backbone area; more than one area is not a requirement, but any additional areas in the network must connect to it.  Ethernet is a multi-access type network; the serial connections below are PPP.   In point-to-point networks, DR and BDR elections are unnecessary.  In multi-access networks they are...


r2620_01#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:32    192.168.1.200   FastEthernet0/0
100.0.0.1         1   FULL/DR         00:00:39    192.168.1.100   FastEthernet0/0
3.3.3.3           0   FULL/  -        00:00:39    10.0.30.2       Serial0/1
2.2.2.2           0   FULL/  -        00:00:33    10.0.20.2       Serial0/0
r2620_01#

so if we lose the ethernet connection to 100.0.0.1 what happens... 
first of course

r2620_01#
Dec 15 08:28:24.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
Dec 15 08:28:24.091: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
Dec 15 08:28:24.095: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
r2620_01#

then
r2620_01#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:34    10.0.30.2       Serial0/1
2.2.2.2           0   FULL/  -        00:00:38    10.0.20.2       Serial0/0
r2620_01#

true to form no election takes place... let's bring it back...
r2620_01#
Dec 15 08:42:45.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
r2620_01#

then
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   INIT/DROTHER    00:00:38    192.168.1.200   FastEthernet0/0
3.3.3.3           0   FULL/  -        00:00:35    10.0.30.2       Serial0/1
2.2.2.2           0   FULL/  -        00:00:39    10.0.20.2       Serial0/0
r2620_01#
Dec 15 08:43:25.879: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
Dec 15 08:43:25.883: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
r2620_01#

and post election after the smoke settles...

r2620_01#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:35    192.168.1.200   FastEthernet0/0
100.0.0.1         1   FULL/DR         00:00:32    192.168.1.100   FastEthernet0/0
3.3.3.3           0   FULL/  -        00:00:32    10.0.30.2       Serial0/1
2.2.2.2           0   FULL/  -        00:00:36    10.0.20.2       Serial0/0
r2620_01#
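The election the captures above walk through, as an added example (my code, not the blog's and not anything from IOS): highest priority wins, ties go to the highest router ID compared as a 32-bit number, priority 0 takes a router out of the running, and a point-to-point link holds no election at all. It assumes a fresh election on the segment (r2620_01 is router ID 1.1.1.1 with the default priority of 1, which is not shown in the post); a live OSPF segment keeps its existing DR rather than re-electing, which is why the real thing is described as non-preemptive.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Router = Tuple[str, int]   # (router ID, OSPF interface priority)


def _rid_value(rid: str) -> int:
    """Router IDs compare numerically as 32-bit values, so 100.0.0.1 beats 2.2.2.2."""
    return int(ipaddress.IPv4Address(rid))


def elect_dr_bdr(routers: List[Router],
                 network_type: str = "broadcast") -> Tuple[Optional[str], Optional[str]]:
    """Fresh DR/BDR election on one segment. Assumption: nobody is DR yet; a running
    segment keeps the DR it already has (no preemption), which this model skips."""
    if network_type == "point-to-point":
        return None, None
    eligible = [r for r in routers if r[1] > 0]          # priority 0 = never DR/BDR
    ranked = sorted(eligible, key=lambda r: (r[1], _rid_value(r[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


def neighbor_states(local: Router, neighbors: List[Router],
                    network_type: str = "broadcast") -> Dict[str, str]:
    """The State column of show ip ospf neighbor as the local router would print it,
    assuming every adjacency has already reached FULL."""
    dr, bdr = elect_dr_bdr([local] + neighbors, network_type)
    states = {}
    for rid, _ in neighbors:
        if network_type == "point-to-point":
            role = "-"
        elif rid == dr:
            role = "DR"
        elif rid == bdr:
            role = "BDR"
        else:
            role = "DROTHER"
        states[rid] = f"FULL/{role}"
    return states


if __name__ == "__main__":
    # r2620_01 (1.1.1.1) on the Ethernet segment from the post, every priority at the default 1.
    print(neighbor_states(("1.1.1.1", 1), [("2.2.2.2", 1), ("100.0.0.1", 1)]))
    # The same router on the PPP link to 3.3.3.3: no election, so the role column is "-".
    print(neighbor_states(("1.1.1.1", 1), [("3.3.3.3", 1)], "point-to-point"))
```

With all three routers at priority 1 the numeric router-ID tiebreak puts 100.0.0.1 in as DR and 2.2.2.2 as BDR, which is what the post-election capture shows; bump a priority and the order changes, set it to 0 and that router drops out.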

now we'll put s0/1's network into a different area, area 1, on both sides
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.20.0 0.0.0.255 area 0
 network 10.0.30.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0

r2620_01(config)#router ospf 1
r2620_01(config-router)#netw 10.0.30.0 0.0.0.255 area 1
r2620_01(config-router)#
Dec 15 08:50:37.531: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
r2620_01(config-router)#
Dec 15 08:50:37.535: %OSPF-6-AREACHG: 10.0.30.0/24 changed from area 0 to area1

then change the other side to area 1
r2620_03(config-router)#netw 10.0.30.0 0.0.0.255 area 1
r2620_03(config-router)#
*Mar  5 06:52:08.733: %OSPF-6-AREACHG: 10.0.30.0/24 changed from area 0 to area 1

r2620_03(config-router)#
*Mar  5 06:52:08.757: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
r2620_03(config-router)#

then back to our router r2620_01

r2620_01(config-router)#
Dec 15 08:52:57.727: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/1 from LOADING to FULL, Loading Done
r2620_01(config-router)#

now we have multiple areas and the result is:

r2620_01#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:34    192.168.1.200   FastEthernet0/0
100.0.0.1         1   FULL/DR         00:00:32    192.168.1.100   FastEthernet0/0
2.2.2.2           0   FULL/  -        00:00:36    10.0.20.2       Serial0/0
3.3.3.3           0   FULL/  -        00:00:35    10.0.30.2       Serial0/1
r2620_01#

a re-election, where multi-access wins...

Wednesday, December 14, 2011

wildassmasks...

wild card masks...  i've linked this before but the site below is truly invaluable...

http://www.dslreports.com/faq/15216

my take on it...

128 192 224 240 248 252 254 256
1      1     1     1    1     1     1     1

count em up...

255.255.255.192 = (action in the fourth octet) /26 or 24 + 2 one's
255.255.240.0 = (action in the third) /20 or 16 + 4 one's

ok, we love 256...  256 - 192 = (in the first example) 64
64 minus 1 in the fourth octet =
0.0.0.63  is the wildass

second example; 256 - 240 = 16 -1 or 15 in the third is
0.0.15.255 is the wildass
it's easier to subtract from 256 than 255, and faster... wild... 
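The 256-minus trick above, written out as an added example (mine, not the blog's, and not anything from the linked site) so you can check your own head math; it goes a bit beyond the two cases in the post, converting in both directions (mask to wildcard, prefix length to wildcard, mask to prefix length) and showing what the router actually does with the pair, which is compare only the bits under the wildcard's zeros. The network statement it tests against is the 10.0.20.0 0.0.0.255 line from the OSPF config earlier on this page.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask octet by octet: 255 - octet.
    The post's 256 - octet - 1 is the same arithmetic, just easier to do in your head."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/26 -> 6 host bits -> 0.0.0.63; /20 -> 12 host bits -> 0.0.15.255."""
    host_bits = 32 - prefix_len
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))


def prefix_from_mask(mask: str) -> int:
    """Count the ones: 255.255.255.192 -> 26, 255.255.240.0 -> 20."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def wildcard_matches(acl_address: str, wildcard: str, address: str) -> bool:
    """How a router applies the pair: a 1 bit in the wildcard means 'don't care',
    so only the bits under the 0s have to agree with the ACL or network statement."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(acl_address)) & care) == \
           (int(ipaddress.IPv4Address(address)) & care)


if __name__ == "__main__":
    for mask in ("255.255.255.192", "255.255.240.0"):
        print(mask, "->", wildcard_from_mask(mask), "(/%d)" % prefix_from_mask(mask))
    # network 10.0.20.0 0.0.0.255 area 0, from the OSPF config earlier on this page
    print(wildcard_matches("10.0.20.0", "0.0.0.255", "10.0.20.77"))   # True
    print(wildcard_matches("10.0.20.0", "0.0.0.255", "10.0.21.1"))    # False
```

A wildcard does not have to be contiguous the way a mask does (0.0.255.0 is legal in an ACL), which is why wildcard_matches works bit by bit instead of converting back to a prefix length.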

router OSPooF...

no router OSPF 0...

a router cannot have a process id of  0
area 0 - good; process id 0 -  HULK SMASH...

good router process-id:

router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.20.0 0.0.0.255 area 0
 network 10.0.30.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0

bad router process id:

r2620_01(config)#router ospf 0
                                              ^
% Invalid input detected at '^' marker.


r2620_01(config)#

good router process-id

r2620_01(config)#router ospf ?
  <1-65535>  Process ID


r2620_01(config)#router ospf

can you say what is 2^16-1?

Monday, December 12, 2011

DNS goes both ways...

DNS (port 53) uses both TCP and UDP...  you've got it memorized, those bastards won't trick you on that one... you know damn well that TCP is connection oriented and that means reliable transport among other things...  you also know UDP doesn't care, just keeps sending those 512 bytes (it can go higher, but 512 is the safe bet) whether the receiver likes it or not... look at TFTP; your IOS is counting on getting to your gear and so are you, but UDP blithely leaves any semblance of reliability up to the application layer...

so why does DNS use both?

DNS uses TCP for zone transfers because its reliability keeps the zone databases consistent.

DNS uses UDP for DNS queries... if it doesn't get a response, it will simply re-transmit after 3-5 seconds

UDP just doesn't give a shit...

Sunday, December 11, 2011

subinterface boogers...

when a subinterface is created there are boogers left behind, but they don't show up in show run or show start, they only show up when you show run interface;

r2620_03(config)#int fa0/0.1
r2620_03(config-subif)#encap dot1q 100
r2620_03(config-subif)#do sh run int fa0/0.1
Building configuration...

Current configuration : 60 bytes
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
end

r2620_03(config-subif)#exit
r2620_03(config)#no int fa0/0.1
% Not all config may be removed and may reappear after reactivating the sub-interface


r2620_03(config)#do sh run int fa0/0.1
Building configuration...

Current configuration : 5 bytes
end

(the 5 bytes of current configuration are just the word end)

r2620_03(config)#

i have subinterface boogers and ether crickets on me...

trunk funk...

to make a trunk two commands are necessary (see below for ISL)

switchport trunk encap dot1q
and
sw mode trunk

in that order for IEEE

sw3550_01(config-if)#do sh run int fa0/17
Building configuration...

Current configuration : 82 bytes
!
interface FastEthernet0/17
 switchport mode access
 speed 100
 duplex full
end

sw3550_01(config-if)#sw mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.

(that's a hell of an error message, it was access)
sw3550_01(config-if)#sw trunk encap dot1q
sw3550_01(config-if)#sw mode trunk
sw3550_01(config-if)#^Z
sw3550_01#sh run int fa0/17
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
end

sw3550_01#

and cisco's ISL

sw3550_01(config-if)#sw trunk encap isl
sw3550_01(config-if)#sw mode trunk

sw3550_01(config-if)#do sh run int fa0/17
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/17
 switchport trunk encapsulation isl
 switchport mode trunk
 speed 100
 duplex full
end

sw3550_01(config-if)#

to dump the trunk, the opposite is true...

sw3550_01(config-if)#no sw trunk encap isl
Command rejected: A port which is configured to "trunk" mode can not be configured to negotiate the encapsulation.

sw3550_01(config-if)#no sw mode trunk
sw3550_01(config-if)#no sw trunk encap isl
sw3550_01(config-if)#do sh run int fa0/17
Building configuration...

Current configuration : 93 bytes
!
interface FastEthernet0/17
 switchport mode dynamic desirable
 speed 100
 duplex full
end

sw3550_01(config-if)#sw mode access
sw3550_01(config-if)#do sh run int fa0/17
Building configuration...

Current configuration : 82 bytes
!
interface FastEthernet0/17
 switchport mode access
 speed 100
 duplex full
end

sw3550_01(config-if)#

funk trunk...

i wanna be that guy...


who can use a command and it is embedded in his brain...
who can read a chapter once and all the complications become native...

who can figure out the answer in the question...

who can sit at a new system and play it like a maestro...
who stops second guessing and trusts his first instinct...

instead, i am the guy who...

has to beat the shit out of a thing before it is mine...
has to take it apart and put it back together before truly understanding it...
has to read it, then spit it out in language that belongs to me...
has to cross check before finally believing it...
has to drive himself  insane before coming out the other end...

sucks to be the second guy...



Saturday, December 10, 2011

vlan creation myth...

actual cert question from reputable (nameless) cert type authority...

which of the following steps are necessary to add a new vlan to a switched network
select all that apply

a) create vlan
b) name vlan
c) configure ip address for vlan
d) add desired ports to vlan
e) add vlan to vtp domain

given answer a,b,d

WRONG...  read the question... necessary to add a new vlan
only a) is correct... of course it's pretty useless without the other stuff, but that wasn't the question... see below...

sw3550_01(config)#vlan 69
sw3550_01(config-vlan)#end
sw3550_01#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/22, Gi0/1, Gi0/2
2    hosts                            active
10   10                               active
69   VLAN0069                         active

note that the only requirement to CREATE a vlan is:

sw3550_01(config)#vlan 69

the others are options; the name is plugged in by default, added ports are not necessary, and the new vlan is automatically activated...

from the horse's mouth...
http://www.ciscopress.com/articles/article.asp?p=29803

VLANs are created by number, and there are two ranges of usable VLAN numbers (normal range 1–1000 and extended range 1025–4096). When a VLAN is created, you can also give it certain attributes such as a VLAN name, VLAN type, and its operational state.

be very afraid...






achille's lists...

i hate ACL's, firewalls, filters and especially windows' stupid firewall...  as a network guy i figure it to be my sworn duty to allow access to the wire, to give john Q user the unmitigated freedom of byte exploration... a perfect world... of course it becomes evident that john Q user will eventually get himself or the network in some kind of trouble with this very freedom...  so we first open the door, then slam it shut...

the standard ACL is concerned with the source... not a lot of flexibility there...  however, standard acl's shine  when used with NAT for a quick, painless solution to get the private network users released into the wild...

extended and named acl's are another universe, providing more elegant examples of slamming the door on john Q user...

stepping back...  why are standard acl's best utilized nearest the destination, and extended acl's best utilized nearest the source, besides the fact that cisco and odom and lammle, et al, have been pounding this into our collective minds for years? processing and WAN overhead, that's why... stopping hitler at Munich, like Clemenza said...  filter that shit where it lives (extended) and block that shit before it gets in (standard)

filtering telnet is easy; just turn it off and use SSH and/or VPN instead...

disallowing ICMP onto your private network is another matter...

r2620_01(config)#ip access-list extended no_outside_pings
r2620_01(config-ext-nacl)#deny icmp any any echo log
r2620_01(config-ext-nacl)#permit ip any any
r2620_01(config-ext-nacl)#exit
r2620_01(config)#int s0/1
r2620_01(config-if)#ip access-group no_outside_pings in
r2620_01(config-if)#

then:


r2620_03#ping 10.0.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.30.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r2620_03#


stardate log 2620_01:

r2620_01#
Dec 10 08:13:56.815: %SEC-6-IPACCESSLOGDP: list no_outside_pings denied icmp 10.0.30.2 -> 10.0.30.1 (8/0), 5 packets
r2620_01#

but do yourself a favor... keep ping  alive on the LAN
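The two things worth being able to reason about from the capture above are the ACL's first-match-then-implicit-deny logic and the syslog line it produces; here is an added example (my code, not the blog's and not anything from IOS) that models the no_outside_pings list with source and destination both "any", evaluates constructed packets against it, and parses the IPACCESSLOGDP line in its ICMP form, where (8/0) is ICMP type 8, code 0, an echo request. The log parser is the piece you would bolt onto a syslog collector: count denials per source and you have a cheap ping-sweep detector for the serial side.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8   # the "echo" keyword in an IOS extended ACL is ICMP type 8
ICMP_ECHO_REPLY = 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "icmp", "tcp", "udp"
    icmp_type: Optional[int] = None


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol, like the any any line
    icmp_type: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


# The named ACL from the post, modelled with source and destination both "any".
NO_OUTSIDE_PINGS: List[AclEntry] = [
    AclEntry("deny", "icmp", ICMP_ECHO_REQUEST, log=True),
    AclEntry("permit", "ip"),
]


def evaluate_acl(acl: List[AclEntry], pkt: Packet) -> Tuple[str, bool]:
    """First matching entry wins; anything that falls off the end hits the implicit deny,
    which is why the permit ip any any line has to be there."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action, entry.log
    return "deny", False


# %SEC-6-IPACCESSLOGDP: list <name> <denied|permitted> icmp <src> -> <dst> (<type>/<code>), <n> packet(s)
_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)


def parse_access_log(line: str) -> Optional[dict]:
    """Pull the fields out of one ICMP-style IPACCESSLOGDP syslog line; None if it isn't one."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"], "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"],
        "icmp_type": int(d["type"]), "icmp_code": int(d["code"]),
        "packets": int(d["count"]),
    }


if __name__ == "__main__":
    ping = Packet("10.0.30.2", "10.0.30.1", "icmp", ICMP_ECHO_REQUEST)
    print(evaluate_acl(NO_OUTSIDE_PINGS, ping))               # ('deny', True)
    # Constructed copy of the syslog line from the post, unwrapped onto one line.
    print(parse_access_log("Dec 10 08:13:56.815: %SEC-6-IPACCESSLOGDP: list no_outside_pings "
                           "denied icmp 10.0.30.2 -> 10.0.30.1 (8/0), 5 packets"))
```

Note that echo replies (type 0) and everything TCP/UDP sail through on the permit line, so the router behind this list can still ping out; only inbound echo requests on s0/1 are dropped, which is the "keep ping alive on the LAN" point made above.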



Thursday, December 8, 2011

frame dash relay...



how to set up a frame relay lab using 3 routers...  the dirty...
who in the hell uses frame anymore...

take two routers and call me in the morning
here we go...
router1 will be our frame switch

frame commands per interface on the frame switch... frame-relay intf-type dce is a precaution... look at the cables and you won't need those commands...

r1
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 103
end

interface Serial0/1
 no ip address
 encapsulation frame-relay
 clock rate 64000
 frame-relay intf-type dce
 frame-relay route 103 interface Serial0/0 102
end

on r2
interface Serial0/0
 ip address 10.0.20.2 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 102
 frame-relay lmi-type ansi
end

on r3
interface Serial0/0
 ip address 10.0.20.10 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 103
 frame-relay lmi-type ansi
end

the addresses on r2 and r3 have to be in the same subnet
the dlci's are the local dlci's on each router...

show frame route is your best friend on r1 (the frame switch)
r2620_01#sh frame route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       102             Serial0/1       103             active
Serial0/1       103             Serial0/0       102             active

r2620_01#

r2620_01#sh frame lmi

LMI Statistics for interface Serial0/0 (Frame Relay DCE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Rcvd 2                Num Status msgs Sent 2
  Num Update Status Sent 0              Num St Enq. Timeouts 0

LMI Statistics for interface Serial0/1 (Frame Relay DCE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Rcvd 3                Num Status msgs Sent 3
  Num Update Status Sent 0              Num St Enq. Timeouts 0
r2620_01#

r2620_02#ping 10.0.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
r2620_02#

r2620_02#sh fram lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 806              Num Status msgs Rcvd 804
  Num Update Status Rcvd 0              Num Status Timeouts 3
  Last Full Status Req 00:00:55         Last Full Status Rcvd 00:00:55
r2620_02#

just like that... lose the ansi statement on one end and watch it drop...