if you have not checked out this study aid, you are missing out...
http://ankisrs.net/
if you are chasing a cert, you need anki... it's free, it works on all platforms, and you need this now... in the last hour i just scraped the entire "do i know this already q&a" from an ocg into a deck of flashcards in anki...
the beauty of this thing is that it's interactive... you rate the questions on the cards, don't cheat yourself, and the difficult ones will pop up sooner than the easy ones over time... this method will ensure long term memory retention...
think of the possibilities... ios commands, osi model theory, stp enhancements, diagrams, audio, timer values, ad's, subnetting, you name it... and there are already sets that can be downloaded which have been built by others... i have no idea about the legality of this, but if you own the book i don't see an argument, and if you're not selling them, what is the infringement...
here's what i did... i opened two copies of the book... one copy was opened to the questions, and the other copy was opened to the answers... i scraped the question into the top of the card, and the answer into the bottom... i did 200 questions from the horse's mouth in less than an hour...
this is just perfect for the ccent/ccna, ccnp even ccie candidate...
i'm not going to show you how to use it, you can figure it out...
i know i mentioned flash cards about a month ago, but this is a quantum leap ahead of that...
get it now and build your own study aid... concentrate on your weaknesses, hammer away...
Monday, April 30, 2012
auto qos...
either auto qos or manual configuration, never both...
remove manual qos before implementing auto qos
auto qos runs a macro that makes assumptions about the network and configures according to those assumptions
auto qos:
globally enables qos
configures the switch port for incoming cos parameters
globally configures thresholds and queues
configures traffic shaping for the port on which it is enabled
dls1#sh run int f0/15
Building configuration...
Current configuration : 58 bytes
!
interface FastEthernet0/15
switchport mode access
end
dls1(config)#int f0/15
dls1(config-if)#auto qos voip cisco-phone
dls1(config-if)#do sh run int f0/15
Building configuration...
Current configuration : 399 bytes
!
interface FastEthernet0/15
switchport mode access
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
wrr-queue bandwidth 10 20 70 1
wrr-queue min-reserve 1 5
wrr-queue min-reserve 2 6
wrr-queue min-reserve 3 7
wrr-queue min-reserve 4 8
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
end
dls1#sh mls qos int f0/15
FastEthernet0/15
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
Sunday, April 29, 2012
mls qos...
enabling mls qos globally...
dls1#config t
Enter configuration commands, one per line. End with CNTL/Z.
dls1(config)#mls qos
QoS: ensure flow-control on all interfaces are OFF for proper operation.
dls1(config)#do sho mls qos
QoS is enabled
dls1(config)#end
dls1#sh mls qos int f0/15
FastEthernet0/15
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
dls1#
note by default the trust state is untrusted, therefore QoS markings sent by a connected device are untrusted... in other words, the receiving switch will re-mark all inbound frames to a CoS value of 0
a trust boundary is the line in the sand whereby a switch will not trust incoming QoS labels, ie, between itself and a connected pc. however, voice phones should be trusted, whereas the pc connected to the phone will not be trusted
the ip phone is seen as another switch, therefore trusted...
below, i've put mls qos trust cos, then in the next statement i added device cisco-phone... the trust state is not trusted because no phone is attached...
dls1(config-if)#mls qos trust dev cisco-phone
dls1(config-if)#do sh mls qos int f0/15
FastEthernet0/15
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
but now i connect the phone...
dls1(config-if)#do sh mls qos int f0/15
FastEthernet0/15
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone
and the state moves to trusted...
jitter...
the perfect definition...
"jitter is the variation in delay between consecutive packets. jitter is often referred to as variation delay." browning, switch simplified...
three quarters of the way through browning's book now, switch simplified, and it is a milestone in network texts... i've read quite a few along the way, but this has got to be one of the best ever
i'm sure farai tafa had a lot to do with the excellence of this read...
the kindle delivery i am not thrilled with, however... reading on this ipad is annoying at best...
this is far and away superior to anything else out there i have read on switch...
rest assured i will be getting their ccnp route book when it is time...
Labels:
ccnp,
ccnp switch,
farai tafa,
jitter,
paul browning
3 QoS models...
best effort delivery
(BE) what it says, no guarantees, all traffic treated equally, the lack of QoS
integrated services
(IntServ) rfc 1633, end-to-end QoS for real-time applications such as voice and video; explicit management of network resources for specific user packet streams
differentiated services
(DiffServ) unlike IntServ, no advance reservations required. preferred
see below for ToS evolution (this is a great intro which quickly goes deep; take human bites)
http://fengnet.com/book/ios_mpls/ch13lev1sec1.html
Figure 13-1 shows the IPv4 packet header with an 8-bit type of service
(ToS) field. The ToS field was conventionally used to provide QoS in IP
networks. However, since the advent of the Diff-Serv model, it has been
replaced by the implementation of IP Precedence or DSCP values.
Figure 13-1. IP Packet Header
The higher order 3 bits in the TOS field, shown in Figure 13-1,
map to the IP Precedence value assigned to the IP packet. The
predefined values used to identify the IP Precedence are shown in Table 13-1.
| IP Precedence Value | Binary Value | Priority |
|---|---|---|
| 0 | 000 | Routine |
| 1 | 001 | Priority |
| 2 | 010 | Immediate |
| 3 | 011 | Flash |
| 4 | 100 | Flash Override |
| 5 | 101 | Critical |
| 6 | 110 | Internetwork Control |
| 7 | 111 | Network Control |
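as an added example (not from the blog or the quoted chapter), here is a decoder that pulls the IP Precedence bits of Table 13-1 and the DSCP out of a ToS byte; the DSCP names (DF, CSx, AFxy, EF) follow the standard DiffServ pools and go one step beyond what the table lists...

```python
"""Decode an IPv4 ToS byte into IP Precedence and DSCP.

Added example (not from the blog or the quoted chapter). Precedence names
follow Table 13-1; the DSCP names (DF, CSx, AFxy, EF) follow the standard
DiffServ pools and go one step beyond what the table shows.
"""
from dataclasses import dataclass

# Table 13-1: the high-order three bits of the ToS byte.
IP_PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "Critical", 6: "Internetwork Control",
    7: "Network Control",
}


@dataclass(frozen=True)
class TosDecode:
    tos: int              # raw 8-bit byte
    precedence: int       # bits 7-5 (IP Precedence)
    precedence_name: str
    dscp: int             # bits 7-2 (DiffServ code point)
    dscp_name: str
    ecn: int              # bits 1-0, congestion notification, not a QoS mark


def dscp_name(dscp: int) -> str:
    """Name a 6-bit DSCP: DF, EF, class selector CSx, or assured forwarding AFxy."""
    if dscp == 0:
        return "DF"
    if dscp == 46:
        return "EF"
    if dscp & 0b111 == 0:           # low three bits clear: class selector
        return f"CS{dscp >> 3}"
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    # AFxy: class x in 1..4, drop precedence y in 1..3, lowest bit clear
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return f"AF{cls}{drop}"
    return "unnamed"


def decode_tos(tos: int) -> TosDecode:
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be a single byte")
    prec, dscp = tos >> 5, tos >> 2
    return TosDecode(tos, prec, IP_PRECEDENCE_NAMES[prec], dscp, dscp_name(dscp), tos & 0b11)


def decode_from_header(ipv4_header: bytes) -> TosDecode:
    """Pull the ToS byte (second octet) out of a raw IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return decode_tos(ipv4_header[1])


# Constructed 20-byte header carrying ToS 0xB8 (DSCP 46 = EF, precedence 5).
SAMPLE_HEADER = bytes([0x45, 0xB8]) + bytes(18)
```

the same precedence value is reached either way: a packet marked EF (DSCP 46) still reads as precedence 5 "Critical" to a device that only understands the older three bits...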
mvap, multi-vlan access port...
not a trunk...
a multi-vlan access port is an access port set up for an ip phone that is connected to a pc
the PVID identifies the native vlan for data traffic, and the VVID (voice vlan identifier) identifies an AUXILIARY vlan for voice. the switch uses CDP to communicate the VVID to the phone...
naturally, since 802.1q doesn't tag the native vlan, the data frames will be untagged, whereas the voice frames will carry dot1q tags. within the tagged frames there is a user priority field which contains quality of service information
by simply configuring a VVID for the phone an l2 CoS value of 5 is included
dls1(config)#int f0/13
dls1(config-if)#sw mode acc
dls1(config-if)#sw acc vlan 50
% Access VLAN does not exist. Creating vlan 50
dls1(config-if)#sw voice vlan 55
% Voice VLAN does not exist. Creating vlan 55
dls1(config-if)#sw mode acc
dls1(config-if)#spann portf
dls1(config-if)#end
dls1#sh int f0/13 sw
Name: Fa0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 50 (VLAN0050)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 55 (VLAN0055)
hsrp version 2... why?
because the default is version 1? warning: ver 1 and ver 2 are not compatible...
dls1(config-if)#do sh stand
Vlan1 - Group 1
State is Active
3 state changes, last state change 3d14h
Virtual IP address is 172.16.1.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.436 secs
Preemption enabled
Active router is local
Standby router is 172.16.1.2, priority 90 (expires in 3.432 sec)
Priority 150 (configured 150)
IP redundancy name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
State is Active
3 state changes, last state change 3d14h
Virtual IP address is 172.16.10.3
dls1(config-if)#standby ver 2
dls1(config-if)#do sh standby
Vlan1 - Group 1 (version 2)
State is Active
3 state changes, last state change 3d14h
Virtual IP address is 172.16.1.3
Active virtual MAC address is 0000.0c9f.f001
Local virtual MAC address is 0000.0c9f.f001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.204 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 150 (configured 150)
IP redundancy name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
State is Active
3 state changes, last state change 3d14h
Virtual IP address is 172.16.10.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.220 secs
--More--
i set the hsrp version as 2 for vlan 1 only... you'll have to do this for each interface...
version 2 supports groups from 0 to 4095 (vlans anybody?)
although if your network needs to support that many vlans, you may have other concerns...
also ver 2 multicasts hellos to 224.0.0.102 allowing cgmp (cisco's proprietary igmp) to function properly
it can advertise and learn millisecond timer values, and includes a 6 byte field identifying the sender of the message
and it says version 2... version 1 doesn't say version 1... i like when versions say what they are...
note: version 1 shows up as 0 in a pcap...
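as an added example (not the blog's code), here is the arithmetic behind the two virtual MACs in the output above, plus a check that reads a `show standby` dump and confirms each group's MAC matches the version it claims; SHOW_STANDBY is a trimmed copy of the post-change output above...

```python
"""HSRP virtual MAC addresses, version 1 versus version 2.

Added example (not the blog's code). It derives the well-known virtual MACs
that `show standby` printed above (0000.0c07.ac01 for v1 group 1,
0000.0c9f.f001 for v2 group 1), reads version and group back out of a MAC,
and audits a `show standby` dump for MACs that disagree with the version the
group header claims.
"""
import re

V1_PREFIX = "0000.0c07.ac"   # followed by the 8-bit group number
V2_PREFIX = "0000.0c9f.f"    # followed by the 12-bit group number
HELLO_DEST = {1: "224.0.0.2", 2: "224.0.0.102"}   # v2 moved off the all-routers group


def virtual_mac(version: int, group: int) -> str:
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return f"{V1_PREFIX}{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return f"{V2_PREFIX}{group:03x}"
    raise ValueError("unknown HSRP version")


def _norm(mac: str) -> str:
    """Accept any of the usual MAC spellings; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def identify_virtual_mac(mac: str):
    """Return (version, group) for an HSRP virtual MAC, or None."""
    m = _norm(mac)
    if m.startswith(V1_PREFIX):
        return 1, int(m[len(V1_PREFIX):], 16)
    if m.startswith(V2_PREFIX):
        return 2, int(m[len(V2_PREFIX):], 16)
    return None


HEADER_RE = re.compile(r"^(\S+) - Group (\d+)(?: \(version (\d)\))?\s*$")
MAC_RE = re.compile(r"^\s*Active virtual MAC address is (\S+)")


def audit_show_standby(text: str) -> list:
    """For each group header, pair the declared version (1 when the header is
    silent, as the post notes) with the virtual MAC and say whether they agree."""
    results, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            current = {"interface": h.group(1), "group": int(h.group(2)),
                       "version": int(h.group(3) or 1), "mac": None, "consistent": None}
            results.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current:
            current["mac"] = _norm(m.group(1))
            current["consistent"] = current["mac"] == virtual_mac(current["version"], current["group"])
    return results


# Trimmed copy of the post-change output from the post.
SHOW_STANDBY = """\
Vlan1 - Group 1 (version 2)
State is Active
Virtual IP address is 172.16.1.3
Active virtual MAC address is 0000.0c9f.f001
Local virtual MAC address is 0000.0c9f.f001 (v2 default)
Vlan10 - Group 1
State is Active
Virtual IP address is 172.16.10.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
"""
```

identify_virtual_mac is handy on the detection side too: a frame sourced from 0000.0c07.acXX or 0000.0c9f.fXXX on a segment where no gateway group XX is configured is worth a look...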
Saturday, April 28, 2012
fallback bridging...
i suspect that there shouldn't be a mention of this for ccnp certification, since most indications that i'm seeing have it at ccie, even if there... but the idea is interesting...
this is simple enough... create a bridge group for legacy non-routable protocols to pass between svi's or l3 interfaces, such as decnet... (is that even out there anymore?)
dls1(config)#bridge 1 protocol vlan-bridge
dls1(config)#
that statement turns it on, then configure svi's (int vlan x) into a bridge group, say 1...
dls1(config)#int vlan 10
dls1(config-if)#bridge-group 1
dls1(config-if)#end
dls1#sh bridge
Br Group Mac Address State Type Ports
-------- ----------- ----- ---- -----
1 0009.b73f.ce87 Forward DYNAMIC Vl10 Po1
dls1#
this is very exciting... chances are you'll never need it nowadays... however, i was alarmed when i read that 3550's might treat ipv6 as a non-routable protocol (read, not ipv4) in older versions of ios...
but no, arteq, you say, this simply cannot be...
dls1#sh ipv6 proto
dls1#
good Lord...
dls1(config)#ipv6 unicast-routing
dls1(config)#do sh ipv6 proto
IPv6 Routing Protocol is "connected"
dls1(config)#
good 3550...
sh ip cef adjacency ?
null - adjacency state for packets destined for the Null0 interface that will be dropped or silently discarded
glean - adjacency state for destinations attached via a broadcast network for which no MAC rewrite strings are available
punt - adjacency state for packets forwarded to L3 for processing, typically ip exceptions (packets with ip options)
drop - adjacency state that drops packets because they can't be cef-switched or punted to l3
discard - similar to drop, also applies to policy filtered (ie, acl's)
more from wiki: http://en.wikipedia.org/wiki/Cisco_Express_Forwarding
The adjacency table maintains layer 2 or switching information linked to a particular FIB entry, avoiding the need for an ARP request for each table lookup. There are several types of adjacencies. Some are listed below:
- Cache adjacency: This type of entry contains the correct outbound interface and the correct MAC address for its FIB entry. The MAC address is the IP address's MAC address if the destination's subnet is directly connected to the router, or is the MAC address of the router that the packet needs to be sent to if the destination's subnet is not directly connected to the router currently processing the packet.
- Receive adjacency: This type of entry handles packets whose final destinations include the router itself. This includes packets whose IP addresses are assigned to the router itself, broadcast packets, and multicasts that have set up the router itself as one of the destinations.
- Null adjacency: Handles packets destined to a NULL interface. Packets with FIB entries pointing to NULL adjacencies will normally be dropped.
- Punt adjacency: Deals with packets that require special handling or can not be switched by CEF. Such packets are forwarded to the next switching layer (generally fast switching) where they can be forwarded correctly.
- Glean adjacency: This adjacency is created when the router knows that either the destination IP's subnet is directly connected to the router itself and it does not know that destination device's MAC address, or the router knows the IP address of the router to forward a packet to for a destination, but it does not know that router's MAC address. Packets that trigger this entry will generate an ARP request.
- Discard adjacency: FIB entries pointing to this type of adjacency will be discarded.
- Drop adjacency: Packets pointing to this entry are dropped, but the prefix will be checked.
dls1#sh ip cef adj null 0 172.16.1.2
% No adjacency for 172.16.1.2 on Null0
dls1#sh ip cef adj glean
Prefix Next Hop Interface
172.16.1.0/24 attached Vlan1
172.16.10.0/24 attached Vlan10
172.16.20.0/24 attached Vlan20
172.16.30.0/24 attached Vlan30
192.168.1.0/24 attached FastEthernet0/24
dls1#sh ip cef adj punt
Prefix Next Hop Interface
dls1#sh ip cef adj drop
Prefix Next Hop Interface
240.0.0.0/4 drop
dls1#sh ip cef adj discard
Prefix Next Hop Interface
dls1#
sh ip cef...
dls1#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/32 receive
172.16.1.0/24 attached Vlan1
172.16.1.0/32 receive Vlan1
172.16.1.1/32 receive Vlan1
172.16.1.2/32 attached Vlan1
172.16.1.3/32 receive
172.16.1.101/32 attached Vlan1
172.16.1.102/32 attached Vlan1
172.16.1.200/32 attached Vlan1
172.16.1.255/32 receive Vlan1
172.16.10.0/24 attached Vlan10
172.16.10.0/32 receive Vlan10
172.16.10.1/32 receive Vlan10
172.16.10.3/32 receive
172.16.10.255/32 receive Vlan10
172.16.20.0/24 attached Vlan20
172.16.20.0/32 receive Vlan20
172.16.20.1/32 receive Vlan20
172.16.20.3/32 receive
172.16.20.255/32 receive Vlan20
172.16.30.0/24 attached Vlan30
172.16.30.0/32 receive Vlan30
172.16.30.1/32 receive Vlan30
172.16.30.3/32 receive
172.16.30.255/32 receive Vlan30
192.168.1.0/24 attached FastEthernet0/24
192.168.1.0/32 receive FastEthernet0/24
192.168.1.1/32 attached FastEthernet0/24
192.168.1.2/32 attached FastEthernet0/24
192.168.1.8/32 attached FastEthernet0/24
192.168.1.100/32 receive FastEthernet0/24
192.168.1.255/32 receive FastEthernet0/24
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
dls1#
drop - a match drops the packet
receive - a match gets shipped to the control plane for processing
attached - a match means locally connected
resolved - a match represents a route to a host on the local subnet, or a remote subnet derived from the control plane
wildcard - does not match FIB entries and gets dropped
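as an added example (not the blog's code), here is the lookup CEF performs against the table above: the dump is parsed into prefix / next hop / interface, the longest matching prefix wins, and the entry type maps to the outcomes listed just above...

```python
"""Longest-prefix match against the `sh ip cef` table above.

Added example (not the blog's code). FIB_DUMP is a subset of the output from
the post, parsed into prefix / next hop / interface; lookup() does what CEF
does with a destination address: pick the longest matching prefix, and
action() reports the outcome (drop, receive, attached, no route).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIB_DUMP = """\
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/32 receive
172.16.1.0/24 attached Vlan1
172.16.1.0/32 receive Vlan1
172.16.1.1/32 receive Vlan1
172.16.1.2/32 attached Vlan1
172.16.1.3/32 receive
172.16.1.255/32 receive Vlan1
172.16.10.0/24 attached Vlan10
172.16.10.1/32 receive Vlan10
192.168.1.0/24 attached FastEthernet0/24
192.168.1.100/32 receive FastEthernet0/24
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
"""


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: str            # "attached", "receive", "drop", "no route", or an address
    interface: Optional[str]


def parse_fib(text: str) -> list:
    entries = []
    for line in text.splitlines()[1:]:           # skip the column header
        tokens = line.split()
        if not tokens:
            continue
        prefix = ipaddress.ip_network(tokens[0], strict=False)
        rest = tokens[1:]
        if rest[:2] == ["no", "route"]:
            next_hop, iface = "no route", rest[2] if len(rest) > 2 else None
        else:
            next_hop, iface = rest[0], rest[1] if len(rest) > 1 else None
        entries.append(FibEntry(prefix, next_hop, iface))
    return entries


def lookup(entries: list, dest: str) -> Optional[FibEntry]:
    """Longest-prefix match: of all prefixes containing dest, the most specific wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [e for e in entries if addr in e.prefix]
    return max(candidates, key=lambda e: e.prefix.prefixlen, default=None)


def action(entry: FibEntry) -> str:
    """Translate the winning entry into the forwarding outcome the notes describe."""
    if entry.next_hop == "drop":
        return "drop"
    if entry.next_hop == "receive":
        return "receive: punt to the control plane"
    if entry.next_hop == "no route":
        return "no route: no default route installed, packet is dropped"
    if entry.next_hop == "attached":
        if entry.prefix.prefixlen == 32:
            return f"attached host via {entry.interface}: rewrite with its cached adjacency"
        return f"attached subnet via {entry.interface}: glean adjacency, ARP for the host first"
    return f"resolved via next hop {entry.next_hop} on {entry.interface}"


def forward(dest: str) -> str:
    entry = lookup(parse_fib(FIB_DUMP), dest)
    return action(entry) if entry else "no FIB entry"
```

note 224.0.0.5 lands on 224.0.0.0/24 receive rather than 224.0.0.0/4 drop, and the hsrp virtual address 172.16.1.3/32 is a receive entry even though it is not an interface address...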
MLS synchronicity...
Labels:
ADJ,
arp table,
ccnp,
ccnp switch,
fib,
ip routing table,
mls
L2 port security notes...
L2 security
(after paul browning, switch simplified)
note: how he ever came up with that title, i'll never know; this book is loaded...
secures switch ports, protects the CAM by limiting the number of macs learned by a port
two essential attacks
- CAM overflow – targets the fixed memory space by flooding it with randomly generated packets
- MAC spoofing – spoofs the source MAC, tricks the switch into thinking a host is connected to 2 ports, causes rewrites of mac table entries resulting in a DoS on legitimate hosts
port security implementation
- static secure Macs – stored in the Mac table and switch config
- dynamic secure macs – learned by the switch and stored in the Mac table
- sticky secure Macs – a mix of static and dynamic, stored in the Mac table and switch config
violation results
- protect – discards frames
- shutdown – err-disable, send syslog message, increment violation counter
- restrict – when address limit is reached, drop frames, send syslog message, increment violation counter
DAI (dynamic arp inspection)
- validates network ARP packets with IP to Mac binding inspection, dropping inspection failures
- ARP spoofing happens during ARP request and reply between hosts
- can be used in DHCP and non-DHCP environments
- associates trust states with each switchport
- trusted interfaces bypass inspection
- all untrusted interfaces suffer DAI inspection
DHCP snooping and IP source guard
- spoofing and starving the dhcp address pool to exhaust resources
- snooping uses trusted and untrusted interfaces
- packets received on untrusted ports with invalid bindings are dropped
- IP source guard is typically employed with DHCP snooping
- IP source guard restricts IP traffic on untrusted ports, and filters based on the binding database
- for untrusted ports, filtering modes are source IP, and source IP and Mac address
Vlan hopping
- attempts to bypass L3 communication between Vlans
- switch spoofing – impersonates a switch by emulating a trunk, exploits the native Vlan
- mitigation – disable DTP, disable trunk capabilities on non-trunks, prevent user data from traversing the native Vlan
- double tagging – tags frames with 2 dot1q tags
- mitigation – ensure the trunk native Vlan is different from the user access Vlan; configure the native Vlan to tag all traffic
IBNS (Identity Based Networking Services)
- access control and policy enforcement that is identity based
- uses 802.1x, EAP and RADIUS
PVLANS
- segregates traffic at L2, makes a broadcast segment NBMA
- 3 types of ports – community, isolated and promiscuous
- 3 types of Vlans – Primary Vlan, Isolated Vlans, and Community Vlan
- 3 elements – the PVLAN, secondary Vlans (Community and Isolated) and the promiscuous port
Port ACLs and Vlan ACLs
- PACLs are supported on physical and Etherchannel interfaces, perform access control for ingress only, in hardware only (not in software), and create an ACL TCAM entry
- VACLs control both bridged and routed packets, apply to both ingress and egress indiscriminately
OTHER
- Storm Control protects networks from storms and floods
- Protected ports are similar to Pvlans
- Port Blocking blocks unknown Unicasts and Multicasts
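as an added example (not the blog's code), here is a parser for the 802.1Q tag stack that both the mvap post above and the double tagging note rely on: it recovers the VLAN id and the 3-bit user priority (the L2 CoS) from each tag and flags a frame carrying two tags; the frames and MACs are constructed, and the access-port policy is a simplification for the example, not the switch's exact behaviour...

```python
"""Walk the 802.1Q tag stack on an Ethernet frame.

Added example (not the blog's code). It recovers the VLAN id and the 3-bit
user-priority field (the L2 CoS the mvap post talks about) from each tag and
flags double-tagged frames, the pattern behind the double-tagging entry in the
notes above. Frames are constructed here; VLAN 55 / CoS 5 mirror the post.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


@dataclass
class Dot1qTag:
    pcp: int   # priority code point = user priority = CoS (0-7)
    dei: int   # drop eligible indicator
    vid: int   # 12-bit VLAN id


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: list = field(default_factory=list)   # outer tag first
    ethertype: int = 0
    payload: bytes = b""

    @property
    def cos(self):
        """Outer-tag CoS, or None for an untagged (native VLAN) frame."""
        return self.tags[0].pcp if self.tags else None

    @property
    def double_tagged(self) -> bool:
        return len(self.tags) >= 2


def _mac(raw: bytes) -> str:
    return ".".join(raw[i:i + 2].hex() for i in range(0, 6, 2))


def parse_frame(frame: bytes) -> ParsedFrame:
    if len(frame) < 14:
        raise ValueError("frame too short")
    pf = ParsedFrame(dst=_mac(frame[0:6]), src=_mac(frame[6:12]))
    off = 12
    # Consume 4-byte tags for as long as the next EtherType is 0x8100.
    while off + 2 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci, = struct.unpack("!H", frame[off + 2:off + 4])
        pf.tags.append(Dot1qTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
    if off + 2 > len(frame):
        raise ValueError("no EtherType after tag stack")
    pf.ethertype, = struct.unpack("!H", frame[off:off + 2])
    pf.payload = frame[off + 2:]
    return pf


def build_frame(dst: str, src: str, tags, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct a frame; tags is a list of (pcp, vid) pairs, outer tag first."""
    out = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    for pcp, vid in tags:
        out += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def access_port_check(frame: bytes, voice_vlan: int) -> str:
    """Simplified policy for a multi-VLAN access port (an assumption of this
    example, not the switch's exact behaviour): untagged data is fine, a single
    tag is fine only on the voice VLAN, and a second tag is never expected."""
    pf = parse_frame(frame)
    if pf.double_tagged:
        return "violation: double-tagged frame"
    if pf.tags and pf.tags[0].vid != voice_vlan:
        return f"violation: tag for vlan {pf.tags[0].vid}"
    return "ok"


# Constructed sample frames (MACs are made up for the example).
PC_DATA = build_frame("0000.0c00.0001", "0000.0c00.0002", [])               # untagged: PVID/native
PHONE_VOICE = build_frame("0000.0c00.0001", "0000.0c00.0003", [(5, 55)])    # VVID 55, CoS 5
DOUBLE = build_frame("0000.0c00.0001", "0000.0c00.0004", [(0, 1), (0, 20)])  # two stacked tags
```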
Friday, April 27, 2012
ip sla responder...
the most difficult part was getting ios versions to support this...
set up dls1 as the collector...
ip sla 1
icmp-echo 172.16.1.10
ip sla schedule 1 life forever start-time now
ip sla 2
udp-jitter 172.16.1.10 5000
ip sla schedule 2 life forever start-time now
set up an als2 as the responder for device 172.16.1.10 (pc)
ip sla responder
ip sla responder udp-echo ipaddress 172.16.1.1 port 5000
then look at the output...
dls1#sh ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: 13:52:32 UTC Fri Apr 27 2012
Latest operation return code: OK
Number of successes: 17
Number of failures: 6
Operation time to live: Forever
IPSLA operation id: 2
Type of operation: udp-jitter
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 13:51:47 UTC Fri Apr 27 2012
Latest operation return code: No connection
RTT Values:
Number Of RTT: 0 RTT Min/Avg/Max: 0/0/0 milliseconds
Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Jitter Time:
Number of SD Jitter Samples: 0
Number of DS Jitter Samples: 0
Source to Destination Jitter Min/Avg/Max: 0/0/0 milliseconds
Destination to Source Jitter Min/Avg/Max: 0/0/0 milliseconds
Packet Loss Values:
Loss Source to Destination: 0
Source to Destination Loss Periods Number: 0
Source to Destination Loss Period Length Min/Max: 0/0
Source to Destination Inter Loss Period Length Min/Max: 0/0
Loss Destination to Source: 0
Destination to Source Loss Periods Number: 0
Destination to Source Loss Period Length Min/Max: 0/0
Destination to Source Inter Loss Period Length Min/Max: 0/0
Out Of Sequence: 0 Tail Drop: 0
Packet Late Arrival: 0 Packet Skipped: 0
Voice Score Values:
Calculated Planning Impairment Factor (ICPIF): 0
Mean Opinion Score (MOS): 0
Number of successes: 0
Number of failures: 23
Operation time to live: Forever
dls1#
the icmp output is useful for describing successes and failures and round trip time... i don't have a phone set up so the jitter statistics are meaningless, other than no connection... although, i can see real world usage for this in problematic phone diagnoses... this is very exciting, i know...
word is this is resource intensive so use sparingly...
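as an added example (not the blog's code), here is the arithmetic behind the udp-jitter statistics above, applied to a constructed set of probe timestamps: browning's definition of jitter as the variation in delay between consecutive packets, one-way latency in each direction, and an RTT that subtracts the responder's turnaround, which is exactly what the responder's own timestamps make possible...

```python
"""Jitter, one-way delay and RTT from a udp-jitter style probe run.

Added example (not the blog's code). It applies the definition quoted above,
"variation in delay between consecutive packets", to a constructed set of
probe timestamps shaped like an IP SLA udp-jitter operation: the collector
stamps send/receive at the source, the responder stamps receive/send at the
destination, and that second pair lets the collector subtract the responder's
processing time from RTT. One-way figures assume both clocks are
synchronised (IP SLA wants NTP for the same reason).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Probe:
    seq: int
    t_send_src: float                # ms, source clock
    t_recv_dst: Optional[float]      # ms, responder clock; None if lost
    t_send_dst: Optional[float]
    t_recv_src: Optional[float]


def _min_avg_max(values) -> Tuple[float, float, float]:
    values = list(values)
    if not values:
        return (0, 0, 0)
    return (min(values), sum(values) / len(values), max(values))


def jitter_samples(delays: dict) -> list:
    """|delay(n) - delay(n-1)| for every pair of adjacent sequence numbers that
    both arrived; a lost packet breaks the pair on either side of it."""
    return [abs(delays[s] - delays[s - 1]) for s in sorted(delays) if s - 1 in delays]


def udp_jitter_report(probes: list) -> dict:
    sd = {p.seq: p.t_recv_dst - p.t_send_src for p in probes if p.t_recv_dst is not None}
    ds = {p.seq: p.t_recv_src - p.t_send_dst for p in probes if p.t_recv_src is not None}
    # RTT net of the responder's turnaround, which its timestamps expose.
    rtt = [(p.t_recv_src - p.t_send_src) - (p.t_send_dst - p.t_recv_dst)
           for p in probes if p.t_recv_src is not None]
    sd_j, ds_j = jitter_samples(sd), jitter_samples(ds)
    return {
        "sent": len(probes),
        "lost": sum(1 for p in probes if p.t_recv_src is None),
        "rtt": _min_avg_max(rtt),
        "sd_latency": _min_avg_max(sd.values()),
        "ds_latency": _min_avg_max(ds.values()),
        "sd_jitter_samples": len(sd_j),
        "ds_jitter_samples": len(ds_j),
        "sd_jitter": _min_avg_max(sd_j),
        "ds_jitter": _min_avg_max(ds_j),
    }


# Constructed run: six probes 20 ms apart, probe 5 lost on the way out.
SAMPLE_RUN = [
    Probe(1,   0,    5,    6,   10),
    Probe(2,  20,   27,   28,   32),
    Probe(3,  40,   46,   47,   53),
    Probe(4,  60,   66,   67,   69),
    Probe(5,  80, None, None, None),
    Probe(6, 100,  109,  110,  115),
]
```

with probe 5 missing, only three of the five surviving SD delays form adjacent pairs, which is why the report shows fewer jitter samples than successes...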
ping macro...
for older code and unsupported hardware try, in global config mode... (end with @, it is saved)
dls1(config)#macro global apply ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.1.102, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/9 ms
dls1(config)#
dls1#sh run | beg macro
macro name ping
do ping 172.16.1.1
do ping 172.16.1.101 re 5
do ping 172.16.1.102 re 10
@
basic ping tcl script...
dls1(tcl)#foreach VAR {
+>172.16.1.1
+>172.16.1.101
+>172.16.1.102
+>172.16.100.1
+>172.16.200.1
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
dls1(tcl)#
+> is the tcl continuation prompt, shown while the foreach command is still open...
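both the ping macro and the tcl loop above dump one "Success rate is..." line per target and leave you to eyeball them... the added example below (mine, not from the post) parses that output so a script can flag any target with loss and the slowest one... the sample output is constructed: the first two runs are copied from the post, the two lossy targets 172.16.200.9 and 172.16.250.1 are made up to show how loss and a dead host look...

```python
import re

# Constructed sample of IOS ping output, in the shape the macro and the tcl loop
# above print; the last two targets and their losses are made up for this example.
SAMPLE_OUTPUT = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.1.102, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/9 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.9, timeout is 2 seconds:
..!..
Success rate is 20 percent (1/5), round-trip min/avg/max = 4/4/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.250.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""

# "Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:"
SENDING_RE = re.compile(r"Sending (\d+), \d+-byte ICMP Echos to (\S+),")
# "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms"
# IOS omits the round-trip part when nothing came back, so it is optional.
RESULT_RE = re.compile(
    r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?"
)


def parse_ping_output(text):
    """Turn one or more concatenated ping runs into a list of per-target dicts."""
    results = []
    target = None
    for line in text.splitlines():
        m = SENDING_RE.search(line)
        if m:
            target = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m and target is not None:
            rtt = None
            if m.group(4) is not None:
                rtt = (int(m.group(4)), int(m.group(5)), int(m.group(6)))
            results.append({
                "target": target,
                "received": int(m.group(2)),
                "sent": int(m.group(3)),
                "success_pct": int(m.group(1)),
                "rtt_min_avg_max_ms": rtt,
            })
            target = None
    return results


def lossy_targets(results, min_success_pct=100):
    """Targets whose success rate fell below the threshold (default: any loss at all)."""
    return [r["target"] for r in results if r["success_pct"] < min_success_pct]


def slowest_target(results):
    """(target, avg rtt ms) with the highest average round trip, or None if nothing answered."""
    answered = [r for r in results if r["rtt_min_avg_max_ms"] is not None]
    if not answered:
        return None
    worst = max(answered, key=lambda r: r["rtt_min_avg_max_ms"][1])
    return worst["target"], worst["rtt_min_avg_max_ms"][1]


if __name__ == "__main__":
    parsed = parse_ping_output(SAMPLE_OUTPUT)
    for r in parsed:
        print(f"{r['target']:<16} {r['received']}/{r['sent']}  rtt={r['rtt_min_avg_max_ms']}")
    print("loss on:", lossy_targets(parsed))
    print("slowest:", slowest_target(parsed))
```

feed it whatever you captured from the terminal (a `show log` buffer works too) and you get a list instead of a scroll of exclamation marks... the one trap is the 0 percent line, which has no round-trip numbers, so a parser that assumes they are always there will skip the dead host, which is the one you care about...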
Thursday, April 26, 2012
add hsrp and test...
set the priorities on one side first all the same... the higher priority... keep it simple... once you know it's working then adjust... after a few times hsrp becomes manual labor... develop patterns for working these things out...
we know we have vlan 1 on dls1 at 172.16.1.1 and vlan 1 on dls2 as 172.16.1.2... so what virtual ip address will you pick... in the net acad lab they have you bust the ips, i.e. 172.16.1.3 and 1.4 on dls1 and dls2, just so you can have 172.16.1.1 as the virtual ip... who gives a shit... how about 172.16.1.3 or .5... i like 5 because it's glaring...
i also like putting in the priority 90 as opposed to allowing the default 100 which doesn't show up in sh run...
interface Vlan1
ip address 172.16.1.1 255.255.255.0
standby 1 ip 172.16.1.5
standby 1 priority 110
standby 1 preempt
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
shutdown
standby 1 ip 172.16.10.5
standby 1 priority 110
standby 1 preempt
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
standby 1 ip 172.16.20.5
standby 1 priority 110
standby 1 preempt
!
interface Vlan30
ip address 172.16.30.1 255.255.255.0
standby 1 ip 172.16.30.5
standby 1 priority 110
standby 1 preempt
dls2#sh standby brie
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 90 P Standby 172.16.1.1 local 172.16.1.5
Vl10 1 90 P Standby 172.16.10.1 local 172.16.10.5
Vl20 1 90 P Standby 172.16.20.1 local 172.16.20.5
Vl30 1 90 P Standby 172.16.30.1 local 172.16.30.5
dls2#
dls1#sh standby brie
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 110 P Active local 172.16.1.2 172.16.1.5
Vl10 1 110 P Active local 172.16.10.2 172.16.10.5
Vl20 1 110 P Active local 172.16.20.2 172.16.20.5
Vl30 1 110 P Active local 172.16.30.2 172.16.30.5
dls1#
dls1(config)#int vlan 10
dls1(config-if)#shut
dls1(config-if)#
*Mar 2 07:17:05.305: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Active -> Init
*Mar 2 07:17:07.310: %LINK-5-CHANGED: Interface Vlan10, changed state to administratively down
*Mar 2 07:17:07.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 90 P Standby 172.16.1.1 local 172.16.1.5
Vl10 1 90 P Active local unknown 172.16.10.5
Vl20 1 90 P Standby 172.16.20.1 local 172.16.20.5
Vl30 1 90 P Standby 172.16.30.1 local 172.16.30.5
dls2#
once we destroyed vlan 10 on dls1, vlan 10 on dls2 came to the rescue... don't forget when you add hosts to the access switches use the virtual ip 172.16.10.5 or whatever associated vlan...
and of course you realize that there is no new standby because vlan 10 on dls1 is still down...
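the "standby unknown" on vlan 10 is exactly the thing to catch before somebody shuts the second side too... the added example below (my code, not from the post or from cisco) parses sh standby brie and flags groups with no standby, groups not yet converged, groups without preempt, and virtual ips that break the .5 convention... the dls2 before/after tables are copied from the post; the third table is constructed to exercise the blank preempt column and a Listen state...

```python
import re

# "show standby brief" output copied from the post: dls2 before and after
# vlan 10 was shut on dls1.
DLS2_BEFORE = """\
P indicates configured to preempt.
                                   |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    90  P Standby 172.16.1.1      local           172.16.1.5
Vl10        1    90  P Standby 172.16.10.1     local           172.16.10.5
Vl20        1    90  P Standby 172.16.20.1     local           172.16.20.5
Vl30        1    90  P Standby 172.16.30.1     local           172.16.30.5
"""

DLS2_AFTER = """\
P indicates configured to preempt.
                                   |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    90  P Standby 172.16.1.1      local           172.16.1.5
Vl10        1    90  P Active  local           unknown         172.16.10.5
Vl20        1    90  P Standby 172.16.20.1     local           172.16.20.5
Vl30        1    90  P Standby 172.16.30.1     local           172.16.30.5
"""

# Constructed (not from the post): a group left at the default priority with no
# preempt and still converging, and one whose virtual ip breaks the ".5" habit.
CONSTRUCTED = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl40        1    100   Listen  172.16.40.1     172.16.40.2     172.16.40.5
Vl50        1    90  P Active  local           172.16.50.1     172.16.50.254
"""

# One data row. The preempt column is blank when preempt is not configured,
# so the "P" is optional; banner, header and prompt lines fail the match.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?:(?P<preempt>P)\s+)?"
    r"(?P<state>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$"
)


def parse_standby_brief(text):
    """Return one dict per HSRP group row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "interface": m.group("intf"),
            "group": int(m.group("grp")),
            "priority": int(m.group("pri")),
            "preempt": m.group("preempt") == "P",
            "state": m.group("state"),
            "active": m.group("active"),
            "standby": m.group("standby"),
            "vip": m.group("vip"),
        })
    return rows


def redundancy_gaps(rows):
    """Groups where one more failure takes the virtual ip down, or that have not converged."""
    gaps = []
    for r in rows:
        if r["state"] not in ("Active", "Standby"):
            gaps.append((r["interface"], f"state {r['state']}, not converged"))
        elif r["standby"] == "unknown":
            gaps.append((r["interface"], "active with no standby router"))
    return gaps


def without_preempt(rows):
    """Interfaces whose group will not take the active role back after recovery."""
    return [r["interface"] for r in rows if not r["preempt"]]


def off_convention_vips(rows, host_octet=5):
    """Virtual ips whose last octet is not the agreed one (the post uses .5)."""
    return [r["interface"] for r in rows if int(r["vip"].rsplit(".", 1)[1]) != host_octet]


if __name__ == "__main__":
    for label, text in (("before", DLS2_BEFORE), ("after", DLS2_AFTER), ("constructed", CONSTRUCTED)):
        rows = parse_standby_brief(text)
        print(label, "gaps:", redundancy_gaps(rows), "no preempt:", without_preempt(rows),
              "odd vips:", off_convention_vips(rows))
```

run it against both distribution switches and anything in the gaps list is a group running on one box... the Listen/Speak/Learn check matters right after a change, because a group that is still negotiating also reports no usable standby...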
warm up switch lab exercise...
does my ass look big in these ellipses...
prep
a. dls1 ports 1,2 to ports 1,2 on als1
dls1 ports 3,4 to ports 3,4 on dls2
dls1 ports 5,6 to ports 5,6 on als2
dls2 ports 1,2 to ports 1,2 on als2
dls2 ports 5,6 to ports 5,6 on als1
als1 ports 3,4 to ports 3,4 on als2
b. delete vlan.dat, erase start and reload all switches
c. console each switch, set hostnames, enable secret, line cons 0 and vty's, give each vlan 1 interface 172.16.x.x /24
d. set console back to dls1
if possible open multiple telnet windows... start timer, begin
1. set dls2, als1 and als2 as clients in vtp domain test, version 2
2. set dls1 as vtp server
3. on dls1 create vlans 10, 20, 30 named ten, twenty and thirty
4. verify vlans in the domain
5. on dls1 create svi's for each vlan and make all vlans root primary
6. on dls2 create svi's for each vlan and make all vlans root secondary
7. hard code trunks on every switch, dot1q where necessary, do not allow dtp
8. verify trunking
9. bundle all links between switches using only group numbers 1,2 and 3, with lacp... ensure that the numbers match on both sides of the channels... verify
10. equally distribute all non-trunked ports into vlans 10,20 and 30 on every switch... make them access ports and limit the impact of stp
verify vtp, vlans, vlan membership, trunking, channels, svi's
done
this should take less than a half hour...
Labels: ccnp, ccnp switch, switch exercise lab
mesh...
this is a meshed network...
ether channel links all the way around, 2 ports each, how to label them...
this speaks to design, comfort, logic, economy and sanity...
how i would label them (knowing full well that the etherchannel numbers are only locally significant)
dls1 --> als1 1 to 1 (counter clockwise)
als1 --> als2 2 to 2
als2 --> dls2 1 to 1
dls2 --> dls1 2 to 2
dls1 --> als2 3 to 3
dls2 --> als1 3 to 3
is this correct, by the cisco book... maybe, but who cares...
the point here is that this kind of thing, your logic, your method, is the correct method in a time pressure situation...
if you are not given specifics for the implementation, then have your own logic in place before you sit, stick to that logic... reuse that logic in practice so you don't waste valuable time coming up with a plan...
like an ip addressing scheme... dls1 is always 172.16.1.1 and dls2 is always 172.16.1.2... or 192.168.1.1 and 1.2 unless otherwise stipulated...
and als1 is always 1.101 and als2 is always 1.102, and so on...
make things that you can, automatic...
Wednesday, April 25, 2012
etherchannel numbering...
the net acad lab wants you to label the three prong switch lab etherchannels as 1,1 2,2 and 2,1...
so dls1 has 2 channels, 1 goes to als1 and 2 goes to als2...
then the channel from als1 to als2 is set as channel 2 connecting to channel 1...
i don't like it...
als1#sh ether summ
omitted
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/7(Pd) Fa0/8(P)
2 Po2(SU) LACP Fa0/11(Pd) Fa0/12(P)
als2#sh ether summ
omitted
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/11(Pd) Fa0/12(P)
2 Po2(SU) LACP Fa0/9(Pd) Fa0/10(P)
i prefer the channels connecting to each other with a measure of sanity... als1 to als2 should be 3 to 3
dls1 to als1 channel 1
dls1 to als2 channel 2
als1 to als2 channel 3
so sue me... make the numbers meaningful, not confusing...
dls1#config t
Enter configuration commands, one per line. End with CNTL/Z.
dls1(config)#int rang f0/7 - 8
dls1(config-if-range)#channel-g 1 mode active
Creating a port-channel interface Port-channel 1
dls1(config)#int rang f0/9 - 10
dls1(config-if-range)#channel-g 2 mode active
Creating a port-channel interface Port-channel 2
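the point in the mesh post and in step 9 of the warm up lab is the same: the numbers should match on both ends of every channel and you should verify it... the added example below (my code, not from the post or from cisco) parses sh ether summ from each switch, walks a cabling map, and reports any cable whose two ends are in different groups, run different protocols, or are not bundled at all... als1 and als2 tables are copied from the post, the dls1 table is built from the dls1 config above, and the cabling map is an assumption since the post never lists which port plugs into which...

```python
import re

# "show etherchannel summary" tables in the shape the post shows. als1 and als2
# are copied from the post; dls1 is constructed from the dls1 config above.
NETACAD = {
    "dls1": """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/7(Pd)   Fa0/8(P)
2      Po2(SU)         LACP      Fa0/9(Pd)   Fa0/10(P)
""",
    "als1": """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/7(Pd)   Fa0/8(P)
2      Po2(SU)         LACP      Fa0/11(Pd)  Fa0/12(P)
""",
    "als2": """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/11(Pd)  Fa0/12(P)
2      Po2(SU)         LACP      Fa0/9(Pd)   Fa0/10(P)
""",
}

# The same lab renumbered the way the post prefers: als1 <-> als2 is 3 to 3.
PREFERRED = dict(NETACAD)
PREFERRED["als1"] = NETACAD["als1"].replace("2      Po2(SU)", "3      Po3(SU)")
PREFERRED["als2"] = NETACAD["als2"].replace("1      Po1(SU)", "3      Po3(SU)")

# Constructed cabling map (assumption): which port plugs into which.
CABLING = [
    ("dls1", "Fa0/7", "als1", "Fa0/7"), ("dls1", "Fa0/8", "als1", "Fa0/8"),
    ("dls1", "Fa0/9", "als2", "Fa0/9"), ("dls1", "Fa0/10", "als2", "Fa0/10"),
    ("als1", "Fa0/11", "als2", "Fa0/11"), ("als1", "Fa0/12", "als2", "Fa0/12"),
]

# "1      Po1(SU)         LACP      Fa0/7(Pd)   Fa0/8(P)" -> group, protocol, port list
GROUP_RE = re.compile(r"^\s*(\d+)\s+Po\d+\(\S+\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"(\S+?)\((\w+)\)")  # "Fa0/7(Pd)" -> port, flags


def parse_etherchannel_summary(text):
    """Map each bundled port to (group number, protocol)."""
    ports = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue  # header and separator lines
        group, protocol, port_field = int(m.group(1)), m.group(2), m.group(3)
        for port, _flags in PORT_RE.findall(port_field):
            ports[port] = (group, protocol)
    return ports


def audit(summaries, cabling):
    """Walk every cable and report ends that are unbundled or disagree on group or protocol."""
    parsed = {sw: parse_etherchannel_summary(t) for sw, t in summaries.items()}
    problems = []
    for sw_a, port_a, sw_b, port_b in cabling:
        link = f"{sw_a} {port_a} <-> {sw_b} {port_b}"
        end_a = parsed.get(sw_a, {}).get(port_a)
        end_b = parsed.get(sw_b, {}).get(port_b)
        if end_a is None or end_b is None:
            problems.append(f"{link}: not bundled on both ends")
            continue
        (grp_a, proto_a), (grp_b, proto_b) = end_a, end_b
        if proto_a != proto_b:
            problems.append(f"{link}: protocol mismatch ({proto_a} vs {proto_b})")
        if grp_a != grp_b:
            problems.append(f"{link}: group numbers differ (Po{grp_a} vs Po{grp_b})")
    return problems


if __name__ == "__main__":
    print("net acad numbering:", audit(NETACAD, CABLING))
    print("3 to 3 numbering:  ", audit(PREFERRED, CABLING))
```

the group numbers are only locally significant, so a mismatch is not a fault on the wire, it is a fault in your ability to read the topology at 3am... the protocol and unbundled checks are the ones that cost you a channel, which is why they sit in the same pass...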
Tuesday, April 24, 2012
more acro's...
plus rfc's... thanks wiki... http://en.wikipedia.org/wiki/List_of_information_technology_acronyms
Acronym | Meaning | Primary Applicability | Normative Reference |
---|---|---|---|
ACK | Acknowledgement | Transport and other layers | TCP/IP, for example. RFC 793 |
ACL | Access control list | Security, application layer | Access control list, Cisco overview |
ADSL | Asymmetric digital subscriber line | Telecom | ITU-T G.992.5 Annex M, for example |
AES | Advanced Encryption Standard | Security | U.S. FIPS PUB 197 |
ANSI | American National Standards Institute | Organization | ANSI |
ARP | Address Resolution Protocol | Link layer | RFC 1122 |
ATM | Asynchronous Transfer Mode | Telecom | ATM cell description |
BGP | Border Gateway Protocol (routing protocol) | Application layer, Routers | RFC 4271 |
BSS | Basic service set (Wi-Fi) | Wireless | IEEE Std 802.11-2007 |
CAT | Category (e.g. CAT-5 cable) | Physical layer | ANSI/TIA/EIA-568-B.1-2001 |
CCITT (obs.) | Standards organization that has been replaced by ITU-T | Organization | ITU-T |
CHAP | Challenge-Handshake Authentication Protocol (PPP) | Security, telecom | RFC 1994 |
CIDR | Classless Inter-Domain Routing | Architecture | RFC 1518 RFC 1519 |
CIR | Committed Information Rate (Frame Relay) | Telecom | RFC 1490 RFC 1973 RFC 2427 |
CLI | Command line interpreter | Hardware | Catalyst 6500 Series Command Reference, 7.6, for example |
CPE | Customer premises equipment | Telecom | Telecom Glossary |
CRC | Cyclical redundancy check | Link and other layers | 24 References here. |
CRC-16-CCITT | Cyclical redundancy check (X.25, HDLC) | Link layers | Reference on CRC page. |
CSMA/CA | Carrier sense multiple access / collision avoidance | Wireless | IEEE Std 802.11 Downloads |
CSMA/CD | Carrier sense multiple access / collision detection | Physical layer | IEEE Std 802.3TM-2002 |
CSU/DSU | Channel service unit / data service unit | Telecom | Telecom Glossary |
DCE | Data communications equipment | Telecom | Telecom Glossary |
DEC (obs.) | Digital Equipment Corporation | Organization | Purchased by Compaq in 1998. Merged with Hewlett-Packard 2002. |
DES | Data Encryption Standard (obs. See AES) | Security | Federal Information Processing Standard (FIPS) FIPS-46-3 |
DHCP | Dynamic Host Configuration Protocol | Application layer, Internet Layer | RFC 2131 and others |
DNS | Domain Name System | Application layer | Over 30 RFCs here. |
DRAM | Dynamic random-access memory | Hardware | |
DSL | Digital Subscriber Line | Telecom | Telecom Glossary |
DSLAM | Digital Subscriber Line Access Multiplexer | Telecom | Telecom Glossary (proposed) |
DTE | Data Terminal Equipment | Telecom | Telecom Glossary |
EHA | Ethernet Hardware Address (MAC address) | Link layer | IEEE Std 802 IEEE OUI Assignments |
EIA | Electronics Industry Alliance | Organization | EIA |
EIGRP | Enhanced Interior Gateway Routing Protocol | Internet Layer | Cisco Doc ID: 16406 |
EOF | End Of Frame (HDLC, etc.) | Link layer | HDLC framing |
ESS | Extended service set (Wi-Fi group) | Wireless | IEEE Std 802.11-2007 |
FCC | Federal Communications Commission (US) | Organization | US FCC |
FCS | Frame check sequence (Ethernet) | Link layer | Ethernet Frame IEEE Std 802.3 |
FDDI | Fiber Distributed Data Interface | Link layer | American National Standards Institute X3T9.5 (now X3T12), ISO/IEC 9314-x |
FTP | File Transfer Protocol | Application layer | RFC 959 and others |
GBIC | Gigabit interface converter | Hardware | Seagate Specification |
Gbps | Gigabit per second | Physical layer | Gigabit per second |
HDLC | High-level Data Link Control | Link layer | ISO 13239 |
http | HyperText Transfer Protocol | Application layer | W3C Change History for HTTP |
https | HyperText Transfer Protocol Secure | Transport and other layers | SSL 3.0 Specification |
IANA | Internet Assigned Number Authority | Organization | IANA |
ICMP | Internet Control Message Protocol | Internet Layer | RFC 792 |
IDF | Intermediate distribution frame | Physical layer | Structured cabling or Telecom Glossary |
IDS | Intrusion Detection System | Security | Cisco Product Index |
IEC | Commission Electrotechnique Internationale (French) | Organization | IEC |
IEEE | Institute for Electrical and Electronic Engineers | Organization | IEEE |
IETF | Internet Engineering Task Force | Organization | IETF |
IMAP | Internet Message Access Protocol | Application layer | RFC 3501 |
IP | Internet Protocol | Internet Layer | RFC 791 RFC 1606 |
IPS | Intrusion prevention system | Security | "NIST - Guide to Intrusion Detection and Prevention Systems (IDPS)". 2007-02. Retrieved 2010-08-24. |
IS-IS | Intermediate System to Intermediate System (routing protocol) | Internet Layer | ISO/IEC 10589:2002 |
ISDN | Integrated Services Digital Network | Telecom | IEC Area 716-xx |
ISP | Internet service provider | Telecom | Telecom Glossary |
ITU-T | International Telecommunications Union | Organization | http://www.itu.int |
kbps | Kilobit per second | Physical layer | Kilobit_per_second |
LAN | Local area network | Link and other layers | Telecom Glossary |
LAPB | Link Access Procedure, Balanced (x.25) | Telecom | ITU-T Recommendation X.222 |
LAPF | Link-access procedure for frame relay | Telecom | RFC 1490 |
LLC | Logical link control | Link layer | Telecom Glossary |
MAC | Media access control | Link layer | IEEE Std 802.3 and 802.11, for example |
MAN | Metropolitan area network | Telecom | Telecom Glossary |
Mbps | Megabits per second | Physical layer | Megabit_per_second |
MC | Multiple choice | IT Professional Certification | About certification exams |
MDF | Main distribution frame | Physical layer | Glossary See also Structured cabling |
MIB | Management information base (SNMP) | Application layer | RFC 3418 |
MPLS | Multiprotocol Label Switching | network technology | |
MTU | Maximum Transmission Unit | Multiple layers | |
NAC | Network access control | Link and other layers | IEEE 802.1x |
NAT | Network Address Translation | Internet Layer | Cisco Internet Protocol Journal: A look Inside Network Address Translators |
NBMA | Non-Broadcast Multiple Access (e.g. Frame Relay ATM) | Telecom | See ATM, Frame Relay and X.25, for examples. |
NIC | Network Interface Card | Physical layer | Telecom Glossary |
NRZ | Non-return-to-zero | Physical layer | Federal Standard 1037C |
NRZI | Non-return to zero inverted | Physical layer | Federal Standard 1037C |
NVRAM | Non-volatile RAM | Hardware | Sample vendor data here |
OSI | Open System Interconnect (joint ISO and ITU standard) | Organization | ISO/IEC 9594-5:2005 Open Systems Interconnection Protocol Specifications |
OSPF | Open Shortest Path First (routing protocol) | Internet Layer | RFC 2238 |
OUI | Organization Unique Identifier | Link and other layers | IEEE OUI Assignments |
PAP | Password authentication protocol | Security | RFC 1334 |
PAT | Port address translation | Internet Layer | RFC 1918 |
PC | Personal computer (host) | Hardware | |
PCM | Pulse-code modulation | Physical layer | ITU-T G.711 |
PDU | Protocol data unit (such as segment, packet, frame, etc.) | Multiple layers | Fed Std 1037C |
POP3 | Post Office Protocol, version 3 | Application layer | RFC 1939 |
POP | Point of presence | Telecom | Telecom Glossary |
POST | Power-on self test | Hardware | Cisco Catalyst 2800 User Guide, for example |
POTS | Plain old telephone service | Telecom | Telecom Glossary |
PPP | Point-to-point Protocol | Telecom | RFC 1661 |
PPTP | Point-to-Point Tunneling Protocol | Telecom | RFC 2637 |
PTT | Public Telephone and Telegraph | Telecom | Telecom Glossary or Free Dictionary |
PVST | Per-VLAN Spanning Tree | Link layer | Cisco's introduction to Spanning Tree Protocol |
RADIUS | Remote Authentication Dial-In User Service | Security | RFC 2865 |
RAM | Random Access Memory | Physical layer | Telecom Glossary |
RARP | Reverse ARP | Link layer | RFC 903 |
RFC | Request for Comments | Multiple layers | IETF's RFC Index |
RIP | Routing Information Protocol | Internet Layer | RFC 2453, for RIP version 2 |
RLL | Run-Length Limited | Physical layer | RLL is used in a wide range of encodings. |
ROM | Read-Only Memory | Hardware | Telecom Glossary |
RSTP | Rapid Spanning Tree Protocol | Link layer | IEEE 802.1w - Rapid Reconfiguration of Spanning Tree |
RTP | Real-time Transport Protocol | Application layer | RFC 3550 |
SDLC | Synchronous Data Link Control | Link layer | Cisco Technology Handbook: SDLC and Derivatives |
SFD | Start-of-frame delimiter (Ethernet, HDLC, etc.) | Link layer | IEEE 802.3 (Ethernet), or RFC 2687 (HDLC), for examples |
SFP | Small form-factor pluggable | Hardware | Seagate Specification |
S-HTTP | Secure HTTP (rarely used) | Transport and other layers | RFC 2660 See also https |
SLARP | Serial Line ARP (Address Resolution Protocol) | Link and other layers | Archived Cisco Serial Line Encapsulation extension |
SLIP | Serial Line Internet Protocol (obs.) | Telecom | RFC 1055 |
SMTP | Simple Mail Transfer Protocol | Application layer | RFC 5321 |
SNA | Systems Network Architecture (IBM) | Multiple layers | SNA Protocol Suite |
SNAP | SubNet Access Protocol | Link layer | IEEE 802 Overview and Architecture |
SNMP | Simple Network Management Protocol | Application layer | RFC 1155, RFC 3410 thru RFC 3418 and others |
SOF | Start of frame | Link layer | IEEE 802.3 (Ethernet), or RFC 2687 (HDLC), for examples |
SRAM | Static random access memory | Hardware | PC Guide's Definition |
SSH | Secure shell | Application layer | RFC 4252 |
SSID | Service set identifier (Wi-Fi) | Wireless | IEEE 802.11 |
STP | Spanning Tree Protocol | Link layer | Cisco's Introduction to Spanning Tree Protocol |
SYN (TCP) | Synchronization | Link and other layers | RFC 793 and many others |
TCP/IP | Transmission Control Protocol/Internet Protocol | Transport layer | RFC 793 and many others |
TDM | Time-division multiplexing | Physical layer | Fed Std 1037C |
TFTP | Trivial File Transfer Protocol | Application layer | RFC 1350 |
TIA | Telecommunications Industry Alliance | Organization | Telecommunications Industry Association |
UDP | User Datagram Protocol | Transport layer | RFC 768 |
USB | Universal Serial Bus | Physical and other layers | USB 3.0 Specification |
UTP | Unshielded twisted pair | Physical | Many versions are defined by TIA, such as: TIA-568-B |
VC | Virtual circuit | Transport and other layers | Telecom Glossary |
VLAN | Virtual local area network | Link layer | IEEE 802.1Q |
VLSM | Variable-length subnet masking | Architecture | RFC 1518 RFC 1519 |
VPN | Virtual private network | Application layer | Virtual Private Network Consortium |
W3C | World Wide Web Consortium | Organization | W3C |
WAN | Wide-area network | Telecom | Telecom Glossary |
WEP | Wired Equivalent Privacy | Wireless | IEEE 802.11 |
Wi-Fi | IEEE 802.11 (Wi-Fi Alliance) | Wireless | Wi-Fi Alliance |
WPA | Wi-Fi Protected Access | Security | IEEE 802.11i |
www | World Wide Web | Architecture | W3C Consortium |