CCNA Acquired!!!

About DAMN time! Passed my ICND2!

So, I know I posted hardly anything for my NA studies except for some notes. However, I’m going to take a small break from my studies, for a short while, and move onto my NP. Once I’m doing NP, I’ll be adding more and more to 3rd Layer. For now, I just have a little bit of notes.


IPv6 Notes

128 bits long
8 hextets (not octets: an octet is 8 bits), written in hex and separated by colons
each hextet = 16 bits (4 hex digits)
Example:
2001:0050:0000:0000:0000:0AB4:1E2B:98AA
Zero compression:
2001:0050::0AB4:1E2B:98AA
Leading Zero:
2001:50::AB4:1E2B:98AA
-------------------------------------------------------------------------------------------------------------
Unicast: One to One
Multicast: One to Many
Anycast: One to Closest
To provide easier v4 to v6 transition:

Dual Stack Routers - Routers that run both v4 and v6 at the same time: v4 clients can still reach the v4 internet, v6 clients the v6 internet, and the router carries v4-to-v4 and v6-to-v6 traffic side by side. ISPs will be able to translate your v4 to v6 and v6 to v4.
Tunneling (6to4 and 4to6) - if a v4 host is connected to the v6 internet and needs to reach a remote v4 host, a 6to4 tunnel carries the v4 traffic through v6 and back out to v4. Vice versa for v6.
NAT-PT - will NAT v6 to v4 and NAT v4 to v6 on the internet:
an internal v4 address can be NATed out to a v6 address and vice versa
x.x.x.x:1234 -> nat -> x:x:x:x::x:1234
-------------------------------------------------------------------------------------------------------------
Link Local Scope Address: Layer 2 domain
----------------------------------------------
Assigned automatically as an IPv6 host comes online.
Like an IPv4 169.254.*.* self-assigned address. However, an IPv6 host always assigns itself one, regardless of what other addresses it has.
Starts with FE80 (binary 1111 1110 10) followed by 54 bits of zeros (this makes up the first 64 bits of the 128-bit address).
The last 64 bits (the interface ID) are the 48-bit MAC address with FFFE inserted in the middle (EUI-64).
This address is the equivalent of an IPv4 internal address used to communicate with another host in the same broadcast domain.
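As an added example (not from these notes), the zero-compression, leading-zero and link-local rules above written out in Python; `expand_ipv6`, `compress_ipv6` and `link_local_from_mac` are names chosen here, and the output follows RFC 5952 (lowercase hex, the longest zero run becomes `::`):

```python
# Added example, not from the original notes: IPv6 text rules from above.
# Output follows RFC 5952 (lowercase hex, longest zero run becomes '::').

def expand_ipv6(addr: str) -> str:
    """Return all 8 hextets, each zero-padded to 4 hex digits."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("an IPv6 address has 8 hextets")
    return ":".join(f"{int(p, 16):04x}" for p in parts)  # int() rejects bad hex

def compress_ipv6(addr: str) -> str:
    """Strip leading zeros; replace the longest run of 2+ zero hextets with '::'."""
    parts = [f"{int(p, 16):x}" for p in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and parts[j] == "0":
            j += 1
        if j - i > best_len:              # longest run wins; the first one on a tie
            best_start, best_len = i, j - i
        i = j + 1
    if best_start == -1:
        return ":".join(parts)
    head = ":".join(parts[:best_start])
    tail = ":".join(parts[best_start + best_len:])
    return f"{head}::{tail}"

def link_local_from_mac(mac: str) -> str:
    """FE80::/64 + modified EUI-64: MAC with ff:fe in the middle, U/L bit flipped."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                        # universal/local bit (bit 7 of first byte)
    iid = ":".join(f"{(eui[k] << 8) | eui[k + 1]:x}" for k in range(0, 8, 2))
    return compress_ipv6("fe80::" + iid)
```

`link_local_from_mac("00:1a:2b:3c:4d:5e")` (a constructed sample MAC) gives `fe80::21a:2bff:fe3c:4d5e`.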

Unique Local / (Site) Local Scope Address: Organization (RFC 4193) / Site (RFC 3513)
----------------------------------------------
Used within enterprise networks to identify the boundaries of their networks.
Starts with FC00::/7 (binary 1111 110L) - L = 1: locally assigned | L = 0: reserved for future use
1111 110L - 40-bit Global ID [everyone in your organization uses the same one] - 16-bit Subnet ID [VLANs/WAN links/etc.] - 64-bit Interface ID [derived from the MAC address, from DHCPv6, etc.]

Global Scope Address: Internet (or Internet2). These are your public addresses (internet IP addresses).
----------------------------------------------
Starts with 2000::/3 (binary 001)
Global Routing Prefix is 48 bits or less
Subnet ID is composed of whatever bits are left between the global routing prefix and the 64-bit interface ID
The primary addresses expected to make up the IPv6 internet are from the 2001::/16 block
Global routing prefix: starts with 2xxx, n bits (up to 48) - Subnet ID: 64-n bits - last 64 bits: interface ID
Example: WAN interface 2001:210:10:1::1/64 would be point-to-point with 2001:210:10:1::2/64
-------------------------------------------------------------------------------------------------------------
router(config)#ipv6 unicast-routing - turns on IPv6 routing
router(config-if)#ipv6 address x:x:x:x::x/(0-128) - assigns an interface an IPv6 address.
router#ping ipv6 x:x:x:x::x - IPv6 version of ping
router(config)#ipv6 router rip 1 - turns on RIPng for IPv6; after this you don't even need to add network statements (1 is just a process name/tag)
router(config-if)#ipv6 rip 1 enable - turns RIPng on for the interface
----------------------------------------------
IPv6 Routing Protocols:
RIPng (rip next gen)
OSPFv3
IS-IS for IPv6
EIGRP for IPv6
MP-BGP4 (Multiprotocol BGP)

Frame Relay Notes

Just some Frame Relay notes I’ve made in my studies.


PVC Status Messages:
Active - working
Inactive - remote problem (on the other side of the circuit)
Deleted - local problem (on the immediate device)

\\\\\
Three types of LMI:
Cisco - default, proprietary
ANSI
Q933A
LMI Autosense is used from the DTE side to determine the LMI type coming from the frame-relay provider. It sends out all three LMI message types and sets the LMI type based on which one it receives a reply to. By default, 3 LMI status messages missed in a row times out the connection and it is considered down.
router#show frame-relay lmi - shows what type of LMI is being used and how many status enquiries have been sent and received.
\\\\\
DLCI - Data Link Connection Identifier. Frame Relay's Layer 2 address. Locally Significant only. Not advertised to other routers.
Assigned by the frame relay provider.
iARP - Inverse ARP - Dynamic Mapping - the router's service to discover the FR circuit dynamically and create frame-relay map statements.
Enabled by default.

Frame map statements: Always map the local DLCI to the remote IP address.
commands:
router(config-if)#encapsulation frame-relay - turns frame relay on for an interface (cisco or ietf are your encapsulation options).
router#show frame-relay map - shows frame relay map statements created statically or via iARP
router(config-if)#no frame-relay inverse-arp - turns off iARP (disables dynamic mapping)
router(config-if)#frame-relay map ip x.x.x.x (remote router IP) xxx (local DLCI) broadcast - the broadcast keyword lets routing updates be sent over the PVC, since FR is an NBMA network

Split Horizon - rule that routes learned on an interface are not sent back out that same interface. Split horizon is a routing-loop prevention rule. Problem in frame-relay using point-to-point connections.
router(config-if)#no ip split-horizon - turns off the split horizon rule.
Point-to-Multipoint is a way to prevent this. This is done by creating logical subinterfaces off a physical interface.
router(config)#interface serial 0/0.### <point-to-point | multipoint> - specify point-to-point or multipoint for the subinterface.

Congestion notification values:
FECN - Forward Explicit Congestion Notification
BECN - Backward Explicit Congestion Notification
DE - Discard Eligible
router#show frame-relay pvc - shows the PVCs and their status, and displays in/out FECN and BECN counts

NAT and ACL Notes

Here are some NAT and ACL notes I’ve been taking from my studies. Want to use them for yours? Go ahead. These are just random notes however, not much context to go off of.

ACLs have an implicit deny at the end of each ACL.
Rules of ACLs: 1 ACL Per Interface Per Direction

Named ACL: router(config)#ip access-list <standard|extended> <1-99 | 100-199 | NAME>
router(config-ext-nacl)#
Modify sequence numbers (lines) in ACLs:
router(config-ext-nacl)# <1-2147483647> [statement]
At the end of your ACL, to negate the implicit deny:
Standard: access-list (1-99) permit any
Extended: access-list (100-199) permit ip any any
-----------------------------------------------------------------------------------------------------------------
Standard (1-99) - permit or deny based on source only. Apply standard ACLs as far from the source / as close to the destination as possible.
access-list (1-99) <(permit)(deny)(remark)> <Source: (any)(host A.B.C.D)(A.B.C.D)> <(cr)(wildcard)(log)>
Apply IN or OUT at router(config-if)#ip access-group (1-99) <(in)(out)>
Prevent telnet or SSH:
router(config-line)#access-class <1-99> <(in)(out [not recommended btw])>
-----------------------------------------------------------------------------------------------------------------
Extended (100-199) - more powerful, based on port, protocol, and source to destination. For efficiency (not required) place as close to the source as possible / as far from the destination as possible. (Place it INBOUND on the host's default gateway; this prevents the packet from even being routed in the first place.)
access-list (100-199)
<(permit)(deny)(remark)>
<protocol: (ip)(tcp)(udp)(icmp)>
<source: (any)(host A.B.C.D)(A.B.C.D wildcard)>
<destination: (any)(host A.B.C.D)(A.B.C.D wildcard)>
Based on protocol (port numbers):
access-list (100-199)
<(permit)(deny)(remark)>
<(tcp)(udp)(icmp)>
<source: (any)(host A.B.C.D)(A.B.C.D wildcard)>
[eq/range (port#/name) SOURCE PORT - usually left out (any), since the host picks a random source port itself]
<destination: (any)(host A.B.C.D)(A.B.C.D wildcard)>
<eq (port#/name) DESTINATION PORT>
Examples:
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 - deny telnet from 192.168.1.0/24
access-list 100 deny tcp 172.16.0.0 0.0.0.255 any eq 80 - deny HTTP from 172.16.0.0/24
access-list 100 deny udp host 10.1.2.3 any eq 69 - deny TFTP from host 10.1.2.3
access-list 100 deny tcp any any eq 3724 - deny any host from World of Warcraft (TCP 3724)
access-list 100 deny udp any any eq 3724 - deny any host from World of Warcraft (UDP 3724)

Apply IN or OUT at router(config-if)#ip access-group (100-199) <(in)(out)>
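As an added example (not from these notes), a small Python evaluator that walks ACL 100 from above the way IOS does (top-down, first match wins, implicit deny at the end) so an ACL can be checked against sample packets before it is applied; `wildcard_match`, `parse_ace` and `evaluate` are names chosen here, and the test addresses are constructed:

```python
# Added example, not from the original notes: evaluate a numbered extended
# ACL the way IOS does (top-down, first match wins, implicit deny at the end)
# so you can check what an ACL actually blocks before applying it.
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (non-contiguous masks work too)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny proto SRC [wc] DST [wc] [eq port]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":
            ace[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(tok[i + 1])
    return ace

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int):
    """Return (action, matching line) for a packet; 'implicit deny' if none match."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):       # 'ip' matches every protocol
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"

# ACL 100 as written in the notes above, plus the closing 'permit ip any any'.
ACL_100 = [
    "access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "access-list 100 deny tcp 172.16.0.0 0.0.0.255 any eq 80",
    "access-list 100 deny udp host 10.1.2.3 any eq 69",
    "access-list 100 deny tcp any any eq 3724",
    "access-list 100 deny udp any any eq 3724",
    "access-list 100 permit ip any any",
]
```

Dropping the last line of `ACL_100` shows the implicit deny in action: every packet that matches nothing is denied.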
-----------------------------------------------------------------------------------------------------------------
Reflexive:
router(config)#ip access-list extended WAN_FILTER
router(config-ext-nacl)# permit tcp any any established
router(config)#interface <WAN INTERFACE>
router(config-if)#ip access-group WAN_FILTER in
-----------------------------------------------------------------------------------------------------------------
(EXAMPLE ISP IP address: 11.22.33.44)
NAT:
Dynamic NAT - internal IP to WAN IP - one-to-one translation,
as well as WAN to internal.
Least commonly used form of NAT.

router(config-if)#ip nat inside - identifies your INTERNAL facing interface (into your network)
router(config-if)#ip nat outside - identifies your EXTERNAL facing interface (outside your network boundary to isp)
(example public IP: 68.241.96.172)
router(config)#ip access-list standard NAME
router(config-std-nacl)#deny 192.168.3.0 0.0.0.255 - this line denies 192.168.3.0/24 from being translated to the internet. Traffic from those hosts is stopped at the exiting interface and will not reach the internet.
router(config-std-nacl)#permit 192.168.0.0 0.0.255.255 - this line tells the router to translate 192.168.0.0/16 out to the internet, translating an internal private IP address to the external routable IP address (11.22.33.44:port number).
NAT STATEMENT:
router(config)#ip nat inside source list NAME interface <external interface> overload - adding overload adds the port number to the external IP.
router#show ip nat translations - shows your NAT translations
-----------------------------------------------------------------------------------------------------------------
NAT Overload - internal IP to external IP+port (commonly called PAT)
EX: <192.168.5.32:(s)[random]5634 -> (d)http://www.cisco.com:80> goes out the WAN interface (IP 11.22.33.44); a NAT session is created and entered into the translation table, and the packet is overloaded to <11.22.33.44:5634(s) -> http://www.cisco.com:80(d)>; packets from cisco.com come back addressed to <11.22.33.44:5634(d)>
example (this is not a real translation table):
Web browser checks www.cisco.com:
Inside Source          | Outside Source         | Destination
-----------------------|------------------------|-----------------------
172.16.245.11:8523     | 11.22.33.44:8523       | 198.133.219.25:80
[HOST]                 | [WAN]                  | [www.cisco.com]
-------------------------------------------------------------------------------------------
A reply FROM cisco.com:
Inside Destination     | Outside Source         | Destination
-----------------------|------------------------|-----------------------
172.16.245.11:8523     | 198.133.219.25:80      | 11.22.33.44:8523
[HOST]                 | [www.cisco.com]        | [WAN]
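As an added example (not from these notes), a minimal Python model of the PAT table shown above: one entry per inside host/port and outside host/port, a reply is reverse-translated only if it matches an entry, and a second inside host reusing the same source port gets a new outside port. `PatTable` is a name chosen here; the addresses are the notes' constructed values.

```python
# Added example, not from the original notes: a minimal model of the NAT
# overload (PAT) table shown above. The router keeps one entry per
# inside/outside flow; replies are matched against that entry and
# anything that matches no entry is dropped (returned as None here).

class PatTable:
    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        # (inside_ip, inside_port, remote_ip, remote_port) -> outside port
        self.to_global = {}
        # (outside port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.to_local = {}

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Translate an inside-local source; keep its port unless already in use."""
        key = (inside_ip, inside_port, remote_ip, remote_port)
        if key not in self.to_global:
            port = inside_port
            used = {p for (p, _, _) in self.to_local}
            while port in used:                      # collision: next free port
                port = port + 1 if port < 65535 else 1024
            self.to_global[key] = port
            self.to_local[(port, remote_ip, remote_port)] = (inside_ip, inside_port)
        return self.outside_ip, self.to_global[key]

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate a reply; None means no entry, so the packet is dropped."""
        if dst_ip != self.outside_ip:
            return None
        return self.to_local.get((dst_port, src_ip, src_port))
```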

-----------------------------------------------------------------------------------------------------------------
Static NAT: creates 1-to-1 IP mappings. 1 internal IP to 1 external IP,
or multiple internal IPs to one external IP with unique port numbers.
Used commonly to let outside IPs reach your internal IPs
(like a web server, for example).
router(config)#ip nat inside source static 192.168.1.10 11.22.33.44
192.168.1.10 would be seen on the internet as 11.22.33.44
router(config)#ip nat inside source static tcp 192.168.1.10 80 interface <WAN INTERFACE> 80
any HTTP requests (tcp 80) to the WAN interface address (11.22.33.44) would be forwarded to 192.168.1.10
Port static NAT mapping is the best way to use an IP address given to you by an ISP.
-----------------------------------------------------------------------------------------------------------------
For large organizations that could use up all the ports on a single address:
router(config)#ip nat pool INTERNET_ADDRESSES 11.22.33.44 11.22.33.45 prefix-length <length> - list the first and last of your public IP addresses
router(config)#ip nat inside source list WAN_FILTER pool INTERNET_ADDRESSES overload
This allows all the hosts in the network to use 11.22.33.44 and 11.22.33.45 for their NAT translations.