Tuesday, January 12, 2016

Dynamic ACL




Dynamic ACLs (also called lock-and-key ACLs) allow users to send traffic through the router only after they have passed an authentication process.

The dynamic ACL is configured as follows.
First we create a local user with a password on R5, then we configure the access-enable autocommand so that the dynamic ACL can be activated.
Please note that the TAB key will not complete the "access-enable host" command!


R4#
interface FastEthernet0/0
ip address 10.50.45.4 255.255.255.0
R5#
!
interface FastEthernet0/0
ip address 10.50.45.5 255.255.255.0
ip access-group TEST_DYN in
!
interface FastEthernet0/1
ip address 10.50.56.5 255.255.255.0
!
!
ip access-list extended TEST_DYN
permit ospf any any #to keep our OSPF adjacency up
permit tcp any host 10.50.45.5 eq telnet  #to allow telnet to R5 itself (the authentication step)
permit icmp any any log-input #just for testing connectivity
dynamic TEST permit tcp any any log-input #template ACE: once a user authenticates, a copy for that host permits TCP (our telnet session) to any host
!
ip access-list log-update threshold 1 #log every match, for monitoring the access list
!
username cisco password 0 cisco #create the local user with a password
!
line vty 0 4
login local #authenticate telnet users against the local user database
!
username cisco autocommand access-enable host #runs access-enable when the user logs in, which "turns on" the dynamic ACL for the authenticated host

Let's try it.
First, look at the dynamic ACL before we initiate a TCP session (a telnet session in our example) through R5:
R5(config-ext-nacl)#do sh ip access
Extended IP access list TEST_DYN
    10 permit ospf any any (11 matches)
    15 permit tcp any host 10.50.45.5 eq telnet
    20 permit icmp any any log-input
    30 Dynamic TEST permit tcp any any log-input

Telnet to R6...
R4#telnet 6.6.6.6
Trying 6.6.6.6 ...
% Destination unreachable; gateway or host down

Now let's telnet to the R5 interface on which we configured the dynamic ACL:

R4#telnet 10.50.45.5
Trying 10.50.45.5 ... Open
User Access Verification
Username: cisco
Password:
[Connection to 10.50.45.5 closed by foreign host]
After the username and password were checked, R5 closed the session (the autocommand ran and the VTY session ended).

Now let's look at the ACL again:

R5(config-ext-nacl)#do sh ip access
Extended IP access list TEST_DYN
    10 permit ospf any any (92 matches)
    15 permit tcp any host 10.50.45.5 eq telnet (84 matches)
    20 permit icmp any any log-input
    30 Dynamic TEST permit tcp any any log-input
    30   permit tcp host 10.50.45.4 any log-input  #a new ACE appeared, with the IP address of R4's interface as the source

R4#telnet 6.6.6.6
Trying 6.6.6.6 ... Open
User Access Verification
Username: cisco
Password:
R6>exit
Success! ))

On R5 we can see the ACL log-update threshold doing its job and logging the permitted packet:
R5(config-ext-nacl)#
*Nov 19 06:16:40.931: %SEC-6-IPACCESSLOGP: list TEST_DYN permitted tcp 10.50.45.4(65223) (FastEthernet0/0 ca04.5184.0008) -> 6.6.6.6(23), 1 packet



See you. 
Best Regards!



Reflexive ACL

Reflexive ACLs work as a simple stateful firewall: they allow outbound traffic and then allow only the inbound traffic that belongs to an upper-layer session originated from the inside of the router (similar to context-based access control):


We will configure a reflexive ACL on F0/1 of R5:

R5(config)#!
ip access-list extended REF_TEST_OUT
permit ospf any any #to allow OSPF
permit tcp any any reflect REF #after permitting a TCP session, this ACE creates ("reflects") an entry in the reflexive ACL named REF whose addresses and ports are the mirror image of the current session
!
ip access-list extended REF_TEST
permit ospf any any
evaluate REF #this statement evaluates the reflexive ACL REF, so its mirrored entries are applied inbound on the interface
!
interface FastEthernet0/1
ip address 10.50.56.5 255.255.255.0
ip access-group REF_TEST in
ip access-group REF_TEST_OUT out

Look at the example.
Here are the ACLs before any TCP session occurs:
R5(config)#do sh ip access | sec REF
Reflexive IP access list REF
Extended IP access list REF_TEST
    10 permit ospf any any (121 matches)
    20 evaluate REF
Extended IP access list REF_TEST_OUT
    5 permit ospf any any
    10 permit tcp any any reflect REF (88 matches)
R5(config)#
Now we try to telnet to router R6:

R4#telnet 10.50.56.6
Trying 10.50.56.6 ... Open
User Access Verification
Username: cisco
Password:
R6>


And on R5 we can see the reflexive ACL's permit statement:
R5(config)#do sh ip access | sec REF
Reflexive IP access list REF
     permit tcp host 10.50.56.6 eq telnet host 10.50.45.4 eq 60050 (45 matches) (time left 279)
Extended IP access list REF_TEST
    10 permit ospf any any (133 matches)
    20 evaluate REF
Extended IP access list REF_TEST_OUT
    5 permit ospf any any
    10 permit tcp any any reflect REF (113 matches)

This entry stays in place until the TCP session ends; the "time left" counter shows the remaining timeout after which an idle entry is removed.
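The following Python model is an added illustration of the two features shown in these two sections; it is not IOS code and does not reproduce the IOS implementation. It keeps the lab's addresses, but the packet 5-tuples, the "cisco/cisco" credentials and the 300-second timeouts are constructed assumptions. The dynamic ACL activates its template ACE only for the source host that authenticated; the reflexive ACL permits inbound only the exact mirror of an outbound TCP session, and only until its timeout expires.

```python
"""Toy model of the two IOS features shown above: a lock-and-key (dynamic)
ACE that is activated per source host only after authentication, and a
reflexive ACE that mirrors an outbound TCP session so that only the return
traffic of that session is permitted inbound.  Added example, not IOS code;
hosts, ports, credentials and the 300 s timeouts are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "icmp" or "ospf"
    src: str
    sport: int
    dst: str
    dport: int


class DynamicAcl:
    """Inbound ACL on R5 F0/0 (TEST_DYN): static ACEs plus a dynamic template
    that is instantiated for one host after that host authenticates."""

    def __init__(self, router_ip: str, idle_timeout: float = 300.0):
        self.router_ip = router_ip
        self.idle_timeout = idle_timeout
        self.activated: Dict[str, float] = {}   # source host -> expiry time
        self.users = {"cisco": "cisco"}         # 'username cisco password cisco' (constructed)

    def authenticate(self, src: str, user: str, password: str, now: float) -> bool:
        """Models 'login local' followed by 'autocommand access-enable host':
        on success a copy of the dynamic ACE is created for the source host only."""
        if self.users.get(user) != password:
            return False
        self.activated[src] = now + self.idle_timeout
        return True

    def permits(self, pkt: Packet, now: float) -> Optional[str]:
        """Return the ACE that permits the packet, or None (implicit deny)."""
        if pkt.proto == "ospf":
            return "permit ospf any any"
        if pkt.proto == "tcp" and pkt.dst == self.router_ip and pkt.dport == 23:
            return "permit tcp any host %s eq telnet" % self.router_ip
        if pkt.proto == "icmp":
            return "permit icmp any any"
        expiry = self.activated.get(pkt.src)
        if pkt.proto == "tcp" and expiry is not None and now < expiry:
            return "permit tcp host %s any (dynamic TEST)" % pkt.src
        return None


class ReflexiveAcl:
    """Outbound 'permit tcp any any reflect REF' on F0/1 plus inbound 'evaluate REF'."""

    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.reflected: Dict[Packet, float] = {}  # mirrored 5-tuple -> expiry

    def outbound(self, pkt: Packet, now: float) -> bool:
        if pkt.proto == "ospf":
            return True
        if pkt.proto == "tcp":
            # Reflect the session: the reply has addresses and ports swapped.
            mirror = Packet("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.reflected[mirror] = now + self.timeout
            return True
        return False

    def inbound(self, pkt: Packet, now: float) -> bool:
        if pkt.proto == "ospf":
            return True
        expiry = self.reflected.get(pkt)
        return expiry is not None and now < expiry   # "time left" not yet expired


def demo() -> dict:
    """Replay the post's scenario with constructed packets and return the verdicts."""
    now = 0.0
    dyn = DynamicAcl("10.50.45.5")
    to_r6 = Packet("tcp", "10.50.45.4", 65223, "6.6.6.6", 23)
    before = dyn.permits(to_r6, now)                      # None: R4 cannot reach R6 yet
    dyn.permits(Packet("tcp", "10.50.45.4", 65222, "10.50.45.5", 23), now)  # telnet to R5 itself
    auth_ok = dyn.authenticate("10.50.45.4", "cisco", "cisco", now)
    after = dyn.permits(to_r6, now)                       # dynamic ACE now matches R4
    other_host = dyn.permits(Packet("tcp", "10.50.45.9", 40000, "6.6.6.6", 23), now)  # still denied
    ref = ReflexiveAcl()
    ref.outbound(Packet("tcp", "10.50.45.4", 60050, "10.50.56.6", 23), now)
    reply = ref.inbound(Packet("tcp", "10.50.56.6", 23, "10.50.45.4", 60050), now)
    unsolicited = ref.inbound(Packet("tcp", "10.50.56.6", 23, "10.50.45.4", 60051), now)
    expired = ref.inbound(Packet("tcp", "10.50.56.6", 23, "10.50.45.4", 60050), now + 301)
    return {"before": before, "auth_ok": auth_ok, "after": after, "other_host": other_host,
            "reply": reply, "unsolicited": unsolicited, "expired": expired}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-11s %s" % (name, verdict))
```

Two points the model makes visible: the dynamic entry is keyed to the source address that authenticated, so a different host on the same segment is still denied until it logs in itself, and a reflexive entry matches only the exact mirrored 5-tuple and disappears when its timer runs out, which is why a connection to a different port or a late packet is dropped.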



See you!

Best Regards!

Wednesday, November 11, 2015

Trunking MVR multicast data question.

Hello everyone!
See the diagram below:

I am trying to make both STBs work in this topology, but MVR on SW2 doesn't work well.
Does anyone have a suggestion on how to do it?
Both STBs should work in VLAN 42 because it is the unicast VLAN for receiving unicast traffic from the VOD (Video On Demand) server; the STBs also get their IP addresses by DHCP in VLAN 42.
I will try to find a solution on the Cisco forums, and the next step will be labbing this.
See you!

Wednesday, April 29, 2015

Routing protocols. Fundamentals.

Routing protocols. General.

A routing protocol is the language a router speaks with other routers to share the reachability and status of networks.

Dynamic routing can sense topology changes, share this information and compensate for them.

Routing protocols are built around an algorithm, a step-by-step procedure that solves the problem:
- pass information to other routers
- receive information from them
- compute the optimal paths and build the routing table
- process topology changes


Metric.

Metric - a variable assigned to routes to rank them from most to least preferred.

Different routing protocols use different metrics:
- Hop count (RIP)
- Bandwidth (EIGRP)
- Load (such a metric can cause route flapping)
- Delay (the time a packet takes to traverse a route)
- Reliability (changed by the admin or by packet drops)
- Cost (can be defined by any policy; can be set by the admin; a generic term when speaking of route choice)
Lowest cost path = shortest path = best path.

 Convergence.

Convergence - is a bringing all route tables to a state of consistency.
Convergence time - time need for protocol to calculate the best path

Routing loop.

Routing loop -continuous circling traffic between two or more hops.

 Load balancing.

Load balancing - forwarding packets to the same destination by different paths.

Load balancing can be equal cost and unequal costper packet and per destination.



Distance vector routing protocols.

Distance vector routing protocols (Bellman-Ford algorithm, "routing by rumor"; RIP, EIGRP, IGRP)


Routes are advertised as vectors (distance, direction), where distance = metric and direction = next-hop router. Computing the best path is a distributed task.


Neighbors.

Neighbors - routers that share a direct link or a logical link (BGP). Distance vector protocols send updates to neighbors. Each router must pass its updates on to all its neighbors (hop-by-hop updates) until the routing information becomes consistent.


Updates.

Periodic updates - updates transmitted at a fixed interval. A long interval means slow convergence; a very short interval overloads the CPU.

Broadcast updates - sent after the router starts; updates are sent to 255.255.255.255.

Full routing table updates - a router running a distance vector protocol sends its whole routing table to the neighboring routers.

Asynchronous updates - used on broadcast networks to prevent the collisions that synchronized update broadcasts would cause (by adding randomness to the update period).

Triggered updates - if a route's metric changes, the router immediately sends an update without waiting for the update timer. Regular updates still occur, however, so a router can receive bad information from a non-converged router in a regular update and overwrite the correct information it received in a triggered update.


Distance vector convergence.

Route invalidation timer - a timeout for each routing entry that prevents black holes when a network goes down. The timeout is about 3 to 6 update periods.

Reverse route and split horizon - split horizon prevents reverse routes (advertising a route back out of the interface it was learned on) and the routing loops caused by a flapping reverse route. Split horizon can be simple or with poisoned reverse (reverse routes are advertised with an infinite metric).

Counting to infinity - a flapping route can cause a loop between three or more routers (imagine a ring topology), with the metric increasing from one router to the next until it becomes infinite. Split horizon doesn't help here; the route just goes around the ring. The maximum network diameter is 15 hops.

Holddown timers - a timer started when a route's metric changes; until it expires, no new updates for that route are accepted. Changing this timer changes the convergence time.
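The simulation below is an added example (not from the original post) of the distance vector mechanisms described in this section: hop-by-hop Bellman-Ford updates, split horizon in its simple and poisoned-reverse forms, an infinite metric of 16, and the counting-to-infinity behaviour that appears when split horizon is switched off. The three routers R1, R2, R3 and the network N behind R3 are a constructed topology, and "rounds" of periodic updates stand in for the update timer.

```python
"""Distance vector simulation: hop-by-hop Bellman-Ford updates, split horizon
(simple or with poisoned reverse), an infinite metric of 16 (RIP's limit) and
counting to infinity when split horizon is off.  Added example; routers R1-R3
and network N are constructed, not the blog's lab."""
INFINITY = 16   # maximum diameter is 15 hops, so 16 means unreachable


class DvRouter:
    def __init__(self, name):
        self.name = name
        self.neighbors = {}               # neighbor name -> link cost
        self.table = {name: (0, None)}    # destination -> (metric, next hop)

    def advertise(self, to, mode):
        """Update sent to neighbor `to`. mode: 'none', 'simple' or 'poison'."""
        update = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == to:            # route was learned from `to` itself
                if mode == "simple":      # split horizon: do not send it back
                    continue
                if mode == "poison":      # poisoned reverse: send it back as unreachable
                    update[dest] = INFINITY
                    continue
            update[dest] = metric
        return update

    def receive(self, frm, update):
        """Bellman-Ford step; returns True if the routing table changed."""
        changed = False
        cost = self.neighbors[frm]
        for dest, metric in update.items():
            new = min(metric + cost, INFINITY)
            cur, next_hop = self.table.get(dest, (INFINITY, None))
            # accept a better route, or any change reported by the current next hop
            if (new < cur or next_hop == frm) and (new, frm) != (cur, next_hop):
                self.table[dest] = (new, frm)
                changed = True
        return changed


def link(a, b, cost=1):
    a.neighbors[b.name] = cost
    b.neighbors[a.name] = cost


def converge(routers, mode, max_rounds=100):
    """Run rounds of periodic updates until no table changes; return rounds used."""
    by_name = {r.name: r for r in routers}
    for rnd in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            for n in r.neighbors:
                changed |= by_name[n].receive(r.name, r.advertise(n, mode))
        if not changed:
            return rnd
    return max_rounds


def scenario(mode):
    """R1 - R2 - R3 - N.  Network N fails after convergence; measure how many
    update rounds it takes until every router holds N as unreachable."""
    r1, r2, r3 = DvRouter("R1"), DvRouter("R2"), DvRouter("R3")
    link(r1, r2)
    link(r2, r3)
    r3.table["N"] = (0, None)                # N is directly connected to R3
    routers = [r1, r2, r3]
    converge(routers, mode)
    metric_up = r1.table["N"][0]
    r3.table["N"] = (INFINITY, None)         # N goes down; R3 advertises it as infinite
    rounds = converge(routers, mode)
    return {"metric_up": metric_up, "rounds_to_withdraw": rounds,
            "r1_metric_down": r1.table["N"][0], "r2_metric_down": r2.table["N"][0]}


if __name__ == "__main__":
    for mode in ("none", "simple", "poison"):
        print(mode, scenario(mode))
```

With split horizon off, R2 keeps advertising N back to R3, R3 adopts R2 as its next hop, and the two count each other up in steps until the metric reaches 16; with simple split horizon or poisoned reverse the withdrawal takes only a few rounds. Counting to infinity through a ring of three routers, which split horizon does not stop, can be reproduced by adding a third link between R1 and R3.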


Link state routing protocols.

Link state routing protocols (Dijkstra's SPF algorithm; OSPF, IS-IS).


Each router generates information about itself, its directly connected links (the state of those links) and its directly connected neighbors. The process is:

  1. Each router establishes a neighbor relationship (adjacency) with each of its neighboring routers.
  2. Each router sends LSAs to its neighbors (flooding LSAs).
  3. Every router floods the LSAs stored in its database.
  4. When all copies of all LSAs are stored in the router's database, the router runs the SPF algorithm to compute the best paths.
LSA (Link State Advertisement) - contains a list of the router's links with information about each link: state, metric (cost), and the neighbors on that link.

Neighbors and Router ID (RID) - neighbors are discovered by exchanging hello protocol packets; the RID uniquely identifies every router.

Hello protocol (HP) - during the hello exchange neighbors agree on hello intervals, dead timers and various flags and timers needed to maintain the adjacency.


Link state protocol adjacency, convergence and flooding mechanism.

Adjacency - routers are fully adjacent when their databases are synchronized; the adjacency is maintained by hello protocol packets used as keepalives.

Link state flooding - in link state protocols an LSA is forwarded immediately when it is received or updated, whereas a distance vector protocol must first run its algorithm (Bellman-Ford) and update the routing table before it sends updates. Link state protocols therefore converge faster than distance vector protocols after a topology change. Flooding is a complex process and must be efficient and error-free.

Sequence numbers - let routers tell whether the database is synchronized, i.e. whether the newest LSAs are in the database. Sequencing keeps the database current and stops routers from reacting to or believing wrong information in outdated (delayed or corrupted) LSAs. Several mechanisms make flooding more reliable and manageable: LSA aging, LSA sequencing and areas.

Sequence number (SN) space - there are several types: linear, circular and lollipop-shaped sequence number spaces. How a router reacts when the SN approaches its maximum depends on the SN space. The most common questions and rules:
- Q: How does a router know the sequence number of the last LSA it generated?
- A: Router R1, which sees that neighbor R2 is alive again after a restart, finds R2's LSA in its own database and sends it to R2. R2 then generates its LSA with the current SN.

- Q: What does a router do when its link state process runs out of sequence numbers because of some internal error? (Note that the router was neither restarted nor lost its adjacency.)
- A: In this situation the router must wait until all of its LSAs have aged out.

Sequence number rule: the "jump" a router may take in sequence numbers must be limited.

Today the sequence number space is fully linear. When the SN reaches the maximum, the routing process must flush its LSAs from the LSDB before restarting.

Aging - a special field inside the LSA, incremented by each router during the flooding process. The protocol defines a MaxAgeDiff value to detect corrupted LSAs and a MaxAge value to mark an LSA that must be flooded to all routers and flushed from the LSDB.
If an LSA has not been flushed from all databases, there is a mechanism that renews LSAs after a certain period - LSRefreshTime.
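As an added example for the link state material above (not code from the original post), the following Python models the three pieces that matter here: each router originates an LSA listing its links, the flooding rule installs a received LSA only when its sequence number is newer than the stored copy (so a delayed stale copy is ignored), and SPF (Dijkstra) is run over the resulting database. The four-router topology, costs and sequence numbers are constructed; the two-way check in `spf` (a link is used only if both ends advertise it) is the same idea OSPF applies.

```python
"""Link state simulation: LSAs with sequence numbers, a flooding rule that
keeps only newer LSAs, and Dijkstra's SPF over the LSDB.  Added example with
a constructed four-router topology, not the blog's lab."""
import heapq
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Lsa:
    router_id: str
    seq: int                               # linear sequence number space
    links: Tuple[Tuple[str, int], ...]     # (neighbor router id, cost)


class Lsdb:
    def __init__(self):
        self.lsas: Dict[str, Lsa] = {}

    def install(self, lsa: Lsa) -> bool:
        """Flooding rule: keep a received LSA only if it is newer (higher seq)
        than the copy already in the database; stale copies are ignored."""
        cur = self.lsas.get(lsa.router_id)
        if cur is not None and lsa.seq <= cur.seq:
            return False
        self.lsas[lsa.router_id] = lsa
        return True

    def spf(self, root: str) -> Dict[str, Tuple[int, str]]:
        """Dijkstra from `root`; returns {destination: (cost, next hop)}."""
        dist = {root: 0}
        prev = {}
        heap = [(0, root)]
        done = set()
        while heap:
            d, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            lsa = self.lsas.get(u)
            if lsa is None:
                continue
            for v, cost in lsa.links:
                # two-way check: use the link only if v's LSA also lists u
                back = self.lsas.get(v)
                if back is None or all(n != u for n, _ in back.links):
                    continue
                nd = d + cost
                if nd < dist.get(v, float("inf")):
                    dist[v] = nd
                    prev[v] = u
                    heapq.heappush(heap, (nd, v))
        table = {}
        for dest, cost in dist.items():
            if dest == root:
                continue
            hop = dest                       # walk back to find the first hop
            while prev[hop] != root:
                hop = prev[hop]
            table[dest] = (cost, hop)
        return table


def scenario() -> dict:
    """R1-R2 (1), R2-R3 (1), R1-R4 (5), R4-R3 (1).  R2 then re-originates its
    LSA with the R2-R3 link cost raised to 10; an old copy arrives afterwards."""
    db = Lsdb()
    for lsa in (Lsa("R1", 1, (("R2", 1), ("R4", 5))),
                Lsa("R2", 1, (("R1", 1), ("R3", 1))),
                Lsa("R3", 1, (("R2", 1), ("R4", 1))),
                Lsa("R4", 1, (("R1", 5), ("R3", 1)))):
        db.install(lsa)
    before = db.spf("R1")["R3"]
    newer = db.install(Lsa("R2", 2, (("R1", 1), ("R3", 10))))
    stale = db.install(Lsa("R2", 1, (("R1", 1), ("R3", 1))))   # delayed old copy
    after = db.spf("R1")["R3"]
    return {"before": before, "newer_installed": newer,
            "stale_installed": stale, "after": after}


if __name__ == "__main__":
    print(scenario())
```

R1 first reaches R3 at cost 2 through R2; after R2 floods its newer LSA the best path moves to R4 at cost 6, and the stale sequence-1 copy that arrives later cannot undo that, which is exactly what sequencing is for.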



Topology database, areas and autonomous systems.

Link State Database (LSDB, or topological database) - each router running the routing protocol maintains a topological database that stores all current LSAs.

The information carried in an LSA is:
1. Age and sequence number - to manage the flooding process.
2. Router ID, connected networks, neighbors and link costs - to build the shortest-path computation.

Areas - a link state protocol cannot maintain a network containing thousands of routers as one flooding domain because of the large LSA database and SPF computation. An area confines flooding, and a router needs to maintain the database only for the routers within its area.

ABR (Area Border Router) - a router connecting two areas; it belongs to both. To send a packet to another area, a router only needs to know how to reach the ABR.

Autonomous System (routing domain, "AS") - larger than an area: a group of routers under one administrative domain (possibly running different routing protocols).

IGP (Interior Gateway Protocol) - a routing protocol run within an AS.

EGP (Exterior Gateway Protocol) - a routing protocol run between autonomous systems.

Friday, April 3, 2015

IPv6. Introduction to ICMPv6.

We already have some information about the IPv6 packet structure and IPv6 addressing.
This post is about the ICMPv6 protocol. It is an upper-layer protocol carried inside the IPv6 packet, and the "next header" value of the IPv6 header is set to 58 for it.

ICMPv6 header

After a host or router decodes this value it knows that the next header is the ICMPv6 header.
An ICMPv6 message has the following format:


Pic.1 ICMPv6 message.


Type

The "type" field value is determines which data encoded to ICMPv6 message ( ping request, ND protocol message e.t.c)
All ICMPv6 messages are divided into two common types : error messages and informational messages. Informational messages and error messages are different in it's "type" field: error messages have "type" value <128, all other values to 255 are informational.
Informational messages are: ICMPv6 request/response messages(type 128/129) , Neighbour Discovery Protocol messages (will be described in future post) .
Error messages are: Destination unreachable message (Type=1) , Packet too big (Type=2), Time Exceeded (Type=3), Parameter problem (Type=4)

Code

The "code" field depends on the type of the message. Different codes of messages of the same type have different functions.

Checksum

"Checksum" field is used to detect some data corruption in the ICMPv6 message. As you already know there is no any header shecksum inside IPv6 packet but "Checksum" field protects ICMPv6 message of any errors. 


Message body

The message body is the payload of the ICMPv6 message. For example, here is an ICMPv6 Echo Request message sent from a source to a destination IPv6 address. You can see the "Identifier", "Sequence" and "Data" fields, which make up the message body of the ICMPv6 Echo Request message.
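The following Python builds and parses ICMPv6 messages with the four header fields just described. It is an added example, not code from the post. One detail the text does not show: the checksum is computed (RFC 4443) over an IPv6 pseudo-header, i.e. source address, destination address, upper-layer length and next header 58, followed by the message itself, which is why the parser needs the IPv6 addresses to verify it. The addresses fe80::1/fe80::2 and the echo payload are constructed.

```python
"""Build and parse ICMPv6 messages: type, code, checksum and body.  The
checksum covers an IPv6 pseudo-header (src, dst, upper-layer length, next
header 58) plus the message, as RFC 4443 requires.  Added example; addresses
and payloads are constructed."""
import socket
import struct

ICMPV6_NEXT_HEADER = 58
ERROR_TYPES = {1: "Destination Unreachable", 2: "Packet Too Big",
               3: "Time Exceeded", 4: "Parameter Problem"}
INFO_TYPES = {128: "Echo Request", 129: "Echo Reply"}


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """One's-complement sum over pseudo-header + message (checksum field zeroed)."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I3xB", len(msg), ICMPV6_NEXT_HEADER))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_message(src: str, dst: str, typ: int, code: int, body: bytes) -> bytes:
    unchecked = struct.pack("!BBH", typ, code, 0) + body
    return struct.pack("!BBH", typ, code, icmpv6_checksum(src, dst, unchecked)) + body


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    """Type 128, code 0; the body is Identifier, Sequence and Data (Pic. 2)."""
    return build_message(src, dst, 128, 0, struct.pack("!HH", ident, seq) + data)


def parse_icmpv6(src: str, dst: str, msg: bytes) -> dict:
    if len(msg) < 4:
        raise ValueError("ICMPv6 message shorter than its 4-byte header")
    typ, code, stored = struct.unpack("!BBH", msg[:4])
    calc = icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:])
    info = {"type": typ, "code": code,
            "class": "error" if typ < 128 else "informational",
            "name": ERROR_TYPES.get(typ) or INFO_TYPES.get(typ, "unassigned/other"),
            "checksum_ok": calc == stored, "body": msg[4:]}
    if typ in (128, 129) and len(msg) >= 8:
        ident, seq = struct.unpack("!HH", msg[4:8])
        info.update(identifier=ident, sequence=seq, data=msg[8:])
    return info


def demo() -> dict:
    """Echo Request, the same message with one corrupted data byte, and a
    Destination Unreachable (type 1, code 3 = address unreachable)."""
    src, dst = "fe80::1", "fe80::2"
    echo = build_echo_request(src, dst, 0x1234, 1, b"constructed-data")
    good = parse_icmpv6(src, dst, echo)
    corrupted = parse_icmpv6(src, dst, echo[:-1] + bytes([echo[-1] ^ 0x01]))
    unreach = parse_icmpv6(src, dst, build_message(src, dst, 1, 3, b"\x00" * 4))
    return {"echo": good, "corrupted": corrupted, "unreachable": unreach}


if __name__ == "__main__":
    for name, parsed in demo().items():
        print(name, {k: v for k, v in parsed.items() if k != "body"})
```

A receiver that skips the checksum, or computes it without the pseudo-header, will accept messages whose addresses were altered in transit; the corrupted case in `demo()` shows the check failing on a single flipped bit.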



Pic.2 ICMPv6 Echo request message.



Read RFC4333 to dig deeper and to find full information about the other ICMPv6 message values.

Saturday, March 28, 2015

IPv6 notes. IPv6 packet structure.

IPv6 packet format notes.

IPv6 vs IPv4 differences

- the address became 128 bits long
- no more fragmentation in the base header (no fragment ID, flags or fragment offset); fragmentation is done by the traffic source using Path MTU Discovery
- no more header checksum (the link-layer and transport-layer checksums remain)
- a new role for multicast addressing (the "scope" field)
- anycast addresses
- address autoconfiguration
- header format simplification
- flexibility in using header options
- a new capability to label packets belonging to different flows with the "flow label" field
- extensions to support authentication and data integrity

Header structure.


IPv6 header fields

The IPv6 packet header has a fixed length of 40 bytes. The data following the IPv6 header is either the upper-layer protocol or an extension header chain (IPv6 options).

Version

This 8-bit field shows which IP protocol version is used.

Traffic Class

This field is used to carry QoS information (in the same way as in IPv4).


Flow Label

Defined in RFC 6437. It allows different flows from a single source to a particular destination to be distinguished. I haven't seen any real examples of this field being used nowadays; it is always set to zero.

Payload length

Shows the length of the payload, including all extension headers. A 16-bit field.


Next header

This 8-bit field is a pointer that shows which upper-layer protocol or extension header follows the IPv6 header.


Hop limit

This 8-bit field has replaced the TTL field and plays the same role.


SA/DA

Source and destination IPv6 addresses. 128-bit long fields.


IPv6 Extensions


As described above, an extension header chain can be inserted between the IPv6 header and the upper-layer protocol header. The number of extension headers and their size are limited only by the MTU. All extension headers are aligned on 8-byte boundaries. All IPv6 extensions have a TLV format (Type, Length, Value), where "Type" is a pointer to the next extension header type.
There are several extension headers; here are some of them:

 Hop-by-hop extension

Identified by the IPv6 "Next header" value 0. The order in which extension headers are chained can vary, but the rule is that the Hop-by-Hop extension must be the first extension header, because it must be decoded by every node on the path of a packet containing this EH (Extension Header). This extension can be used to carry information that must be processed by all routers (for example forwarding instructions, or Jumbograms).

Routing header

Identified by the IPv6 "Next header" value 43. This extension carries information similar to the IPv4 Loose Source and Record Route options. The field contains an ordered list of router addresses that the packet must visit on the way to its destination.

Destination options

Identified by the IPv6 "Next header" value 60. This header carries option information for the packet's destination only.

Fragment header

Identified by the IPv6 "Next header" value 44. This extension is used to send a packet larger than the Path MTU. Here you find the "Fragment offset", "Identification" and "More fragments" fields that you usually find in an IPv4 packet. Note that fragmentation can be done only by the source of a packet.

Authentication header

Identified by the IPv6 "Next header" value 51. It carries the same authentication data as in IPsec and provides data protection.
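The parser below is an added example (not code from the post) that walks exactly what the last two sections describe: it decodes the fixed 40-byte header (the version is the top 4 bits of the first 32-bit word, per RFC 2460) and then follows the Next Header chain using the length rules from that RFC: Hop-by-Hop, Routing and Destination Options headers are (Hdr Ext Len + 1) * 8 bytes, the Fragment header is a fixed 8 bytes, and the Authentication Header is (Payload Len + 2) * 4 bytes. It also flags a Hop-by-Hop header that is not first, since that ordering rule is what every node on the path relies on. The packets built in `demo()` are constructed, not captured.

```python
"""Parse the fixed IPv6 header and walk the extension header chain by
following Next Header values with the RFC 2460 length rules; flag a
Hop-by-Hop header that is not first.  Added example; packets are constructed."""
import socket
import struct

EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               51: "Authentication Header", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    """Version(4) | Traffic Class(8) | Flow Label(20) | Payload Length(16) |
    Next Header(8) | Hop Limit(8) | Source(128) | Destination(128)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst) + payload)


def options_header(next_header):
    """Minimal 8-byte Hop-by-Hop or Destination Options header: Hdr Ext Len 0
    and one PadN option (type 1, length 4) filling the rest."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header, offset, more, ident):
    """Next Header | Reserved | Fragment Offset(13) Res(2) M(1) | Identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (1 if more else 0), ident)


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte IPv6 header")
    first_word, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    end = 40 + payload_len
    if len(pkt) < end:
        raise ValueError("payload length exceeds the packet")
    hdr = {"version": version, "traffic_class": (first_word >> 20) & 0xFF,
           "flow_label": first_word & 0xFFFFF, "payload_length": payload_len,
           "hop_limit": hop_limit,
           "src": socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
           "dst": socket.inet_ntop(socket.AF_INET6, pkt[24:40]),
           "extensions": [], "hop_by_hop_misplaced": False}
    off = 40
    while nxt in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nxt == 0 and hdr["extensions"]:
            hdr["hop_by_hop_misplaced"] = True   # must be first when present
        if nxt == 44:
            length = 8                            # Fragment header is fixed size
        elif nxt == 51:
            length = (pkt[off + 1] + 2) * 4       # AH: Payload Len in 32-bit words, minus 2
        else:
            length = (pkt[off + 1] + 1) * 8       # Hdr Ext Len in 8-octet units, minus 1
        if off + length > end:
            raise ValueError("extension header runs past the payload")
        hdr["extensions"].append((EXT_HEADERS[nxt], length))
        nxt = pkt[off]          # first byte of every extension header is Next Header
        off += length
    hdr["upper_layer"] = UPPER_LAYER.get(nxt, "protocol %d" % nxt)
    hdr["upper_layer_offset"] = off
    return hdr


def demo() -> dict:
    """A well-formed chain (Hop-by-Hop, Fragment, ICMPv6) and a misordered one."""
    src, dst = "2001:db8::1", "2001:db8::2"
    icmp = b"\x80\x00\x00\x00" + b"\x00" * 4            # ICMPv6 echo stub (constructed)
    good = parse_ipv6(build_ipv6(src, dst, 0,
                      options_header(44) + fragment_header(58, 0, True, 0x1234) + icmp))
    bad = parse_ipv6(build_ipv6(src, dst, 44,
                     fragment_header(0, 0, True, 0x1234) + options_header(58) + icmp))
    return {"good": good, "bad_order": bad}


if __name__ == "__main__":
    for name, hdr in demo().items():
        print(name, hdr["extensions"], hdr["upper_layer"], hdr["hop_by_hop_misplaced"])
```

Every length is checked against the payload length before the next header is read, so a chain that claims more bytes than the packet carries raises instead of reading past the buffer; that bounds check is the part most often missing in ad-hoc extension header parsers.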


The IPv6 packet is fully described in RFC2640.

Tuesday, March 24, 2015

IPv6 notes. Addressing.

Addressing


The first thing every network engineer should know about IPv6 is IPv6 addressing.
Here are the basics:
IPv6 addresses can be unicast, anycast or multicast.

Unicast

A unicast address is the identifier of a single interface. Each packet sent to a unicast address is delivered to only one interface.

Anycast

An anycast address is the identifier of a set of interfaces (on different nodes). Each packet sent to an anycast address is delivered to the "nearest" one, based on the routing protocol metric. Anycast addresses are taken from the unicast address space.

Multicast

A multicast address is the identifier of a set of interfaces (on different nodes). Each packet sent to a multicast address is delivered to all interfaces that "listen" to this multicast address.

There are no broadcast addresses in IPv6.

Every IPv6 interface can have multiple IPv6 addresses of any type or scope (unicast, anycast, multicast). All interfaces are required to have at least one link-local address.

An IPv6 address has the form x:x:x:x:x:x:x:x, where each "x" is 1-4 hex digits (128 bits or 16 bytes in total).
Examples:
 2001:1234:5678:9101:1121:3141:5161:7181
 2001:1234:5678:9101:0:0:5161:7181
 2001:0:0:1:0:0:0:7181
 2001:0:0:1::7181
Here are some rules that help you make an IPv6 address shorter:
The "leading zeros" rule says that it is not necessary to write the leading zeros of an individual field (see the examples). To indicate one or more consecutive groups of 16 zero bits you can use "::" (see the examples). Remember that "::" may be used only once in an address. You cannot write the address above as 2001::1::7181, because it would be impossible to recognize the address: you cannot say how many zero fields each "::" replaced.
There is also a form of IPv6 address (used in a mixed IPv4 and IPv6 environment) x:x:x:x:x:x:d.d.d.d, where "d" is a decimal IPv4 octet and "x" is a hexadecimal field.
Examples:
 0:0:0:0:0:0:192.168.1.2             --> ::192.168.1.2
 0:0:0:0:0:FFFF:192.168.1.2        --> ::FFFF:192.168.1.2

An IPv6 prefix is written like an IPv4 prefix: <ipv6-address>/<prefix-length>
Examples:
 FE80::1/64
 2001:1:2::1/48

It is possible to identify the address type by the high-order bits of the address:
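As an added example for the notation rules above and for the address types listed later in this post (it is not code from the post), the following Python expands an address to its eight 16-bit fields while rejecting a second "::", compresses it back using the leading-zero and "::" rules, renders the mixed x:x:x:x:x:x:d.d.d.d form, and classifies an address by its high-order bits. The standard library's `ipaddress` module does this job in production; the hand-written version is here so the rules are visible. The test addresses are the post's own examples plus a few constructed ones.

```python
"""IPv6 text rules: expand to eight fields (rejecting a second '::'),
compress with the leading-zero and '::' rules, mixed IPv4 notation, and
classification by high-order bits.  Added example; the stdlib ipaddress module
is the production tool, this shows the rules themselves."""
import re

FIELD = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(text: str) -> list:
    """Return the 8 fields of an IPv6 address as integers; raise on bad syntax."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once, %r is ambiguous" % text)
    parts = text.split(":")
    if "." in parts[-1]:                       # embedded IPv4: last 32 bits dotted
        octets = [int(o) for o in parts[-1].split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address in %r" % text)
        parts[-1:] = ["%x" % (octets[0] << 8 | octets[1]),
                      "%x" % (octets[2] << 8 | octets[3])]
    joined = ":".join(parts)
    if "::" in joined:
        head, tail = joined.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        if len(h) + len(t) > 7:
            raise ValueError("'::' must replace at least one field in %r" % text)
        fields = h + ["0"] * (8 - len(h) - len(t)) + t
    else:
        fields = joined.split(":")
        if len(fields) != 8:
            raise ValueError("expected 8 fields in %r" % text)
    if not all(FIELD.match(f) for f in fields):
        raise ValueError("each field must be 1-4 hex digits in %r" % text)
    return [int(f, 16) for f in fields]


def is_valid(text: str) -> bool:
    try:
        expand(text)
        return True
    except ValueError:
        return False


def compress(fields: list, mixed: bool = False) -> str:
    """Shortest text form: drop leading zeros and replace the longest run of two
    or more zero fields with '::' (RFC 5952); lowercase hex.  With mixed=True,
    ::/96 and ::ffff:0:0/96 addresses are shown with a dotted IPv4 tail."""
    if mixed and fields[:5] == [0] * 5 and fields[5] in (0, 0xFFFF):
        v4 = "%d.%d.%d.%d" % (fields[6] >> 8, fields[6] & 0xFF, fields[7] >> 8, fields[7] & 0xFF)
        return ("::ffff:" if fields[5] else "::") + v4
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if fields[i] == 0:
            j = i
            while j < 8 and fields[j] == 0:
                j += 1
            if j - i > best_len:              # first longest run wins
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % f for f in fields]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def address_type(fields: list) -> str:
    """Classify by the high-order bits (RFC 4291 and the sections below)."""
    if fields == [0] * 8:
        return "unspecified"
    if fields == [0] * 7 + [1]:
        return "loopback"
    if fields[:5] == [0] * 5 and fields[5] == 0xFFFF:
        return "ipv4-mapped"
    if fields[:6] == [0] * 6:
        return "ipv4-compatible (deprecated)"
    top = fields[0]
    if top >> 8 == 0xFF:                  # ff00::/8
        return "multicast"
    if top >> 6 == 0xFE80 >> 6:           # fe80::/10
        return "link-local"
    if top >> 6 == 0xFEC0 >> 6:           # fec0::/10
        return "site-local (deprecated)"
    if top >> 9 == 0xFC00 >> 9:           # fc00::/7
        return "unique-local"
    if top >> 13 == 0x2000 >> 13:         # 2000::/3
        return "global unicast"
    return "reserved/other"


if __name__ == "__main__":
    for text in ("2001:0:0:1:0:0:0:7181", "0:0:0:0:0:FFFF:192.168.1.2", "FE80::1", "2001::1::7181"):
        if is_valid(text):
            f = expand(text)
            print(text, "->", compress(f, mixed=True), address_type(f))
        else:
            print(text, "-> invalid")
```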




IPv6 address can be represented as follows:






Here is IPv6 address represented as subnet prefix and host portion (as ipv4 CIDR): 







Interface Identifier (Interface ID)

- identifies each interface on a link. A node is required to have unique 64-bit interface IDs on different links. For example, if nodes within a site are given the same globally unique prefix (global unicast address), they must have unique interface IDs when they obtain their global unicast address by stateless DHCP (the "ipv6 address autoconfiguration" command). You can assign the interface ID to an interface manually or use EUI-64.

EUI-64

The EUI-64 global identifier format used for the IPv6 interface ID is an IEEE standard that describes how to derive the interface identifier from the link-layer address (http://standards.ieee.org/develop/regauth/tut/eui64.pdf)




Unicast addresses:

unspecified

0:0:0:0:0:0:0:0 - indicates the absence of an address. This address cannot be used as a source address and cannot be manually assigned to an interface.

loopback

0:0:0:0:0:0:0:1 - the loopback address may be used by a node to send IPv6 packets to itself. This address must never be forwarded by an IPv6 router. A packet received on an interface with the loopback destination address must be dropped.

global unicast

Global unicast addresses have the following forms:
the general format of a global IPv6 unicast address:


the address format required by RFC 4291 (IPv6 addressing architecture):
RFC 4291 requires that all addresses, except those that start with the binary value "000" (IPv6 addresses with embedded IPv4 addresses), have a 64-bit Interface ID constructed in Modified EUI-64 format.


2000::/3 (the prefix begins with binary "001", so the first field ranges from 2000 to 3FFF) is the example of a global unicast prefix delegated by IANA (https://www.iana.org/about).







link-local

Link-local addresses are designed to address a single link of a node, for interaction between nodes within the link scope, such as autoconfiguration or neighbor discovery. Link-local addresses are not routed, and a router must not forward packets that have a link-local source or destination address.
Link-local address format:

          FE80::/64


site-local

Prefix FEC0::/10. Site-local addresses are now deprecated and must no longer be supported.

unique-local (ULA)

Prefix FC00::/7 (currently only the upper half, FD00::/8, is used) - comparable to IPv4 private addressing. ULAs are routable only within the routing domain, not in the global Internet.


where the prefix is FC00::/7, L set to 1 means the prefix is locally assigned, Global ID is the globally unique prefix, and Subnet ID identifies a subnet within the site.


IPv6 addresses with embedded IPv4 addresses

- IPv4-compatible IPv6 addresses (deprecated)
     ::/96, written ::x.x.x.x where the x are IPv4 octets.
- IPv4-mapped IPv6 addresses
     ::FFFF:0:0/96, written ::FFFF:x.x.x.x where the x are IPv4 octets







Anycast addresses:

An anycast address is assigned to more than one interface (on different nodes). A packet sent to the anycast address is delivered to the "nearest" interface having that address. There is no special address space for IPv6 anycast: anycast addresses are allocated from the unicast address space. An anycast address must not be used as the source address of IPv6 packets. On Cisco IOS an anycast address is configured with the "anycast" keyword.
In other words: any unicast address assigned to several nodes becomes an anycast address, with the exception that when you configure an anycast address on a Cisco router, Duplicate Address Detection (DAD) is automatically disabled for it.
(config-if)#ipv6 address x::y/z anycast


Multicast addresses:

IPv6 multicast addresses have the following format:
All multicast addresses begin with 1111 1111 in binary, FF in hex, i.e. the prefix FF00::/8






Where: flgs is the flags field

- The high-order flag is reserved and must be initialized to 0 (zero).
- T = 0 means that the address is well-known and permanently assigned by IANA; T = 1 means that the address is "dynamically" assigned (for example, generated from an IPv4 multicast address).
- The P flag indicates that the multicast address was assigned based on a network prefix (IPv4-based, Source-Specific Multicast SSM). P = 1 requires that T is also set to 1.
The SSM range of IPv6 addresses is FF3x::/32
- The R flag shows that a Rendezvous Point (RP) address is embedded in the IPv6 address; of course P and T must both be set to 1.
The IPv6 address space with an embedded RP is FF70::/32 (RFC 3956)

scop - is the 64-bit multicast scope value. It shows the scope of the multicast group (interface-local, link-local, site-local, organization-local, etc.; see RFC 4291)

Common IPv6 multicast addresses

(FF01::1 - all nodes, interface-local scope; FF02::1 - all nodes, link-local scope):
FF0x::1 - all nodes
FF0x::2 - all routers
FF02::5 - all OSPF routers
FF02::6 - all OSPF DRs
FF02::9 - all RIP routers
FF02::a - all EIGRP routers


Solicited-node multicast address

The solicited-node multicast address is formed by taking the 24 low-order bits of a node's unicast or anycast address and appending them to the special multicast prefix FF02::1:FF00:0/104, giving FF02::1:FFxx:xxxx where xx:xxxx are those 24 low-order bits.
When you assign a unicast or anycast address to a router interface, the interface automatically "subscribes" to the solicited-node multicast address corresponding to the address you assigned.
The Cisco IOS command "show ipv6 interface <ifname>" shows all IPv6 solicited-node multicast addresses of the interface.
Example:
IPv6 unicast address: FD00::1234:5678
IPv6 solicited-node mcast address: FF02::1:FF34:5678

Mapping a multicast IPv6 address to a multicast MAC address


In IPv6, as in IPv4, you still need a destination multicast MAC address to send multicast IPv6 packets. To map an IPv6 multicast address to a MAC address, append the low-order 32 bits of the IPv6 address to the multicast MAC address whose first two octets are "3333" in hex:
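The Python below is an added example (not code from the post) that carries out the three derivations this post describes: the Modified EUI-64 interface ID from a 48-bit MAC (the EUI-64 section), the solicited-node multicast address from the low 24 bits of a unicast or anycast address, and the 33:33:xx:xx:xx:xx multicast MAC from the low 32 bits of a multicast address. It uses the standard `ipaddress` module only for text conversion. The MAC 0012.7f41.0008 and the prefix fd00::/64 are constructed; FD00::1234:5678 is the post's own example and the code reproduces its FF02::1:FF34:5678 result.

```python
"""Modified EUI-64 interface ID from a MAC, solicited-node multicast address
from the low 24 bits of an address, and the 33:33 multicast MAC from the low
32 bits of a multicast address.  Added example; MAC and prefix are constructed,
FD00::1234:5678 is the post's example."""
import ipaddress
import re


def mac_bytes(mac: str) -> bytes:
    """Accept 00:12:7f:41:00:08, 00-12-7f-41-00-08 or Cisco's 0012.7f41.0008."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % mac)
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """64-bit interface ID: OUI + ff:fe + NIC part, with the U/L bit (bit 1 of
    the first octet) inverted, as RFC 4291 Appendix A describes."""
    b = mac_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the Modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def solicited_node(addr: str) -> str:
    """ff02::1:ff00:0/104 followed by the low-order 24 bits of the address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return str(ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24))


def multicast_mac(addr: str) -> str:
    """33:33 followed by the low-order 32 bits of an IPv6 multicast address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("%s is not a multicast address" % a)
    return "33:33:" + ":".join("%02x" % x for x in a.packed[12:])


def interface_groups(prefix: str, mac: str) -> dict:
    """What an interface joins when it takes an EUI-64 address on this MAC:
    the address, its solicited-node group, and the MAC each group maps to."""
    addr = eui64_address(prefix, mac)
    sn = solicited_node(addr)
    return {"address": addr, "solicited_node": sn,
            "solicited_node_mac": multicast_mac(sn),
            "all_nodes_mac": multicast_mac("ff02::1")}


if __name__ == "__main__":
    print(solicited_node("FD00::1234:5678"))          # ff02::1:ff34:5678, as in the post
    for k, v in interface_groups("fd00::/64", "0012.7f41.0008").items():
        print("%-19s %s" % (k, v))
```

Two things worth noticing from the output: an EUI-64 interface ID reveals the hardware MAC (and its vendor OUI) to every correspondent, which is why RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers exist as alternatives; and because many multicast groups share the same low 32 bits, a switch or NIC filtering on the 33:33 MAC alone will pass frames for groups the host never joined, so the host must still filter on the full IPv6 group address.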