# IP Services

RARP, BOOTP, and DHCP

- ARP

Ether.src = source MAC
Ether.dst = ff:ff:ff:ff:ff:ff
Ether.type = 0x0806
Sender MAC address = source MAC
Sender IP address = source IP
Target MAC address = 00:00:00:00:00:00
Target IP address = destination IP

- RARP

Ether.src = source MAC
Ether.dst = ff:ff:ff:ff:ff:ff
Ether.type = 0x8035 (RARP has its own EtherType; 0x0806 is ARP)
Sender MAC address = source MAC
Sender IP address = 0.0.0.0
Target MAC address = source MAC
Target IP address = 0.0.0.0

A RARP request (opcode 3) asks for the sender's own IP address.
A preconfigured RARP server (a static MAC-to-IP table) is needed on the same segment, because RARP is a link-layer protocol and cannot be routed.
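The two field layouts above, as an added example that is not part of the original notes: a builder and parser for Ethernet II + ARP/RARP frames (struct only, no scapy), plus the sanity checks a segment monitor would apply before trusting a reply. The MAC and IP values are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806    # EtherType for ARP
ETH_P_RARP = 0x8035   # EtherType for RARP (not 0x0806)
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# ARP/RARP opcodes (RFC 826 / RFC 903)
OP_ARP_REQUEST, OP_ARP_REPLY, OP_RARP_REQUEST, OP_RARP_REPLY = 1, 2, 3, 4


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(ethertype, opcode, src_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """14-byte Ethernet II header + 28-byte ARP/RARP body (htype=1 Ethernet, ptype=0x0800 IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body += mac_bytes(src_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + body


def arp_request(src_mac, src_ip, dst_ip):
    """ARP request: who has dst_ip? Target MAC is all zeros, frame goes to broadcast."""
    return build_frame(ETH_P_ARP, OP_ARP_REQUEST, src_mac, src_ip, ZERO_MAC, dst_ip)


def rarp_request(src_mac):
    """RARP request: what is my IP? Sender and target MAC are both our own, both IPs are 0.0.0.0."""
    return build_frame(ETH_P_RARP, OP_RARP_REQUEST, src_mac, "0.0.0.0", src_mac, "0.0.0.0")


def parse_frame(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_P_ARP, ETH_P_RARP):
        raise ValueError(f"not ARP/RARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    body = frame[22:42]
    return {
        "ether_dst": mac_str(dst), "ether_src": mac_str(src), "ethertype": ethertype,
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


def suspicious(p: dict) -> list:
    """Checks a monitor applies before letting a frame update an ARP cache."""
    issues = []
    if p["ether_src"] != p["sender_mac"]:
        issues.append("Ethernet source differs from ARP sender MAC")
    if p["opcode"] == OP_ARP_REPLY and p["ether_dst"] == BROADCAST:
        # gratuitous ARP is legitimate right after an HSRP/VRRP failover, otherwise worth a look
        issues.append("broadcast ARP reply")
    return issues
```

The parser rejects anything that is not Ethernet/IPv4 ARP rather than guessing at field offsets; a real capture loop would feed it raw frames from a socket.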

- BOOTP

Improves on the assignment features of RARP.
Uses UDP (server port 67, client port 68), so a router can relay a BOOTP request to a centrally located BOOTP server.
A preconfigured BOOTP server (a table keyed by client MAC address) is still needed.
Supports the assignment of IP address, subnet mask, default gateway, DNS server and the IP address of a boot/image server.

DHCP

Building on the BOOTP message format, DHCP dynamically assigns a variety of information without requiring predefinition of MAC addresses for each client.
The router relaying a DHCP request (ip helper-address) puts the IP address of the interface that received the request in the gateway IP address (giaddr) field; the server uses giaddr to pick the pool.

Router(config)# service dhcp
Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.20
Router(config)# ip dhcp pool MYPOOL
Router(config-dhcp)# network 10.1.1.0 255.255.255.0
Router(config-dhcp)# domain-name lab.net
Router(config-dhcp)# dns-server 10.1.2.200
Router(config-dhcp)# default-router 10.1.1.1
Router(config-dhcp)# lease 0 0 20 ! days hours minutes


When the router forwards the DHCP request to the DHCP server it rewrites the IP header: the destination changes from 255.255.255.255 to the helper address and the source becomes the address of the interface the broadcast arrived on (the same address it wrote into giaddr). The server sends its reply back to that address, and the relay delivers it on the client's segment.

HSRP, VRRP, and GLBP

IP hosts can obtain a default gateway using DHCP, BOOTP, ICMP Router Discovery Protocol (IRDP), manual configuration or by running a routing protocol.

Hot Standby Router Protocol (HSRP):

- Virtual IP and virtual MAC active on the active router.
- Virtual IP must be different from any other IP address.
- Virtual MAC of 0000.0c07.acXX (XX is the hex HSRP group) in version 1; version 2 uses 0000.0c9f.fXXX.
- Group numbers 0 to 255 in version 1 and 0 to 4095 in version 2.
- Version 1 uses 224.0.0.2 and version 2 uses 224.0.0.102, both on UDP destination port 1985.
- Standby routers listen for Hellos from the active router.
- The hello interval is 3 seconds and the dead (hold) interval is 10 seconds.
- Highest priority (by default 100) determines the active router; the highest interface IP breaks ties.
- Preemption is disabled by default.
- Supports tracking.
- Supports clear-text (default string "cisco") and MD5 authentication. Without MD5 any host on the segment can send Hellos or a Coup with priority 255 and take over the virtual IP, so use the key on any segment you do not fully trust.

When preemption is disabled:

- Even if the priority of the active router drops below that of the standby router, the active router keeps the active role.
- Only when the active router stops sending Hellos (interface failure) does the standby router take the active role; a tracking decrement alone causes no failover unless the standby router has preemption enabled, which is why the configuration below enables it on both groups.

Router(config)# track 15 interface serial0/0 line-protocol
Router(config)# interface fastethernet0/0
Router(config-if)# standby 21 ip 10.1.1.21
Router(config-if)# standby 21 priority 105
Router(config-if)# standby 21 preempt
Router(config-if)# standby 21 track 15 decrement 6
Router(config-if)# standby 22 ip 10.1.1.22
Router(config-if)# standby 22 preempt
Router(config-if)# standby 22 track 15 decrement 12
Router# show standby fa0/0
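An added example, not part of the original notes, that ties the HSRP bullets and the configuration above together: it builds and parses HSRPv1 messages (UDP 1985, the 20-byte format from RFC 2281) and audits a list of captured Hellos against what is configured, flagging an unknown speaker on the segment, a router claiming more priority than it was configured with (tracking can only lower a priority), and the default clear-text authentication string. The packets, router addresses and priorities are constructed to match the example configuration.

```python
import struct
from ipaddress import IPv4Address

HSRP_UDP_PORT = 1985
HSRP_V1_MCAST = "224.0.0.2"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth data, virtual IP
HSRP_V1 = "!BBBBBBBB8s4s"


def hsrp_v1_vmac(group: int) -> str:
    """Virtual MAC an HSRPv1 group answers ARP with: 0000.0c07.acXX."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 groups are 0-255")
    return f"0000.0c07.ac{group:02x}"


def build_hello(group, priority, vip, state=16, hello=3, hold=10, auth=b"cisco"):
    """Constructed HSRPv1 message (the version byte is 0 for v1); defaults are the page's 3 s / 10 s timers."""
    return struct.pack(HSRP_V1, 0, 0, state, hello, hold, priority, group, 0,
                       auth.ljust(8, b"\0"), IPv4Address(vip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    if len(payload) < 20:
        raise ValueError("HSRPv1 message is 20 bytes")
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(HSRP_V1, payload[:20])
    if ver != 0:
        raise ValueError("not HSRP version 1")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(vip)), "virtual_mac": hsrp_v1_vmac(group)}


def audit(packets, configured, expected_vip):
    """packets: (source IP, UDP payload) pairs captured on the segment.
    configured: {group: {router IP: configured priority}}; expected_vip: {group: virtual IP}.
    A tracked router's priority may drop below its configured value but can never rise above it."""
    findings = []
    for src, payload in packets:
        m = parse_hsrp_v1(payload)
        g = m["group"]
        known = configured.get(g, {})
        if src not in known:
            findings.append((src, g, f"unknown speaker, priority {m['priority']}, state {m['state']}"))
        elif m["priority"] > known[src]:
            findings.append((src, g, f"priority {m['priority']} above configured {known[src]}"))
        if m["virtual_ip"] != expected_vip.get(g):
            findings.append((src, g, f"virtual IP {m['virtual_ip']} is not the configured one"))
        if m["auth"] == "cisco":
            findings.append((src, g, "default clear-text authentication string in use"))
    return findings
```

The audit needs the configured priorities as input because the wire only carries the current value; a priority that went down is tracking doing its job, a priority that went up is someone else speaking for that router.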

Virtual Router Redundancy Protocol (VRRP):

- Virtual IP and virtual MAC active on the master router.
- Virtual IP may be the same as one configured on a physical interface; that router is the owner and runs at priority 255.
- Virtual MAC of 0000.5e00.01XX (XX is the hex VRRP group).
- Group numbers 1 to 255 per interface.
- Uses 224.0.0.18 and IP protocol number 112 (no UDP/TCP port).
- Backup routers listen for advertisements from the master router.
- The advertisement interval is 1 second and the master down interval is about 3 seconds (3 x advertisement interval plus a skew time).
- Highest priority (by default 100) determines the master router.
- Preemption is enabled by default.
- Supports tracking.
- Supports clear-text and MD5 authentication.

Gateway Load Balancing Protocol (GLBP):

- Up to 4 active virtual forwarders (AVF) per group.
- Virtual IP must be different from any other IP address.
- The active virtual gateway (AVG) answers ARP requests for the virtual IP and load shares by returning the virtual MAC of a different AVF each time (round-robin by default; weighted and host-dependent are the alternatives).
- Individual virtual MAC on each AVF.
- Virtual MAC of 0007.b4XX.XXYY (XXXX is the hex GLBP group and YY the AVF number {01|02|03|04}); for groups below 256 this reads 0007.b400.XXYY.
- Group numbers 0 to 1023 per interface.
- Uses 224.0.0.102 (UDP source/destination port 3222).
- The standby AVG and the AVFs listen for Hellos from the AVG.
- The hello interval is 3 seconds and the dead interval is 10 seconds.
- AVG preemption is disabled by default; AVF preemption is enabled by default with a 30-second delay.
- Supports tracking (through weighting).
- Supports clear-text and MD5 authentication; the same takeover risk as HSRP applies without MD5.

NTP

Atomic clocks and GPS receivers are stratum 0 reference clocks; a server synchronized directly to one of them is stratum 1, and every hop further down adds one to the stratum.

Router(config)# ntp authentication-key 1 md5 MYKEY
Router(config)# ntp authenticate
Router(config)# ntp trusted-key 1
Router(config)# ntp master 7 ! Serve the local clock as stratum 7 (only when no real source is reachable)
Router(config)# ntp server 10.1.1.1 key 1 ! Without "key 1" the association is never authenticated, whatever ntp authenticate says
Router(config)# ntp peer 10.2.2.2 key 1
Router(config)# int fa0/0
Router(config-if)# ntp broadcast ! Send NTP broadcasts on this interface
Router(config)# int fa0/1
Router(config-if)# ntp broadcast client ! Accept NTP broadcasts on this interface
Router# show ntp status
Router# show ntp associations

ntp authenticate only protects the sources this router synchronizes to; it does not stop other hosts from querying or synchronizing to the router. Restrict that with ntp access-group (peer, serve, serve-only, query-only) and an access list.
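What the key-related commands above actually put on the wire, as an added example that is not from the original notes: an NTPv4 client packet with the symmetric-key MD5 authenticator (key ID followed by MD5 over key || packet, per RFC 5905) and the check a router with ntp authenticate and ntp trusted-key performs. The timestamp, key ID and key string are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_LEN = 48
MAC_LEN = 4 + 16                   # key identifier + MD5 digest


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def client_request(unix_now: float) -> bytes:
    """48-byte NTPv4 header in client mode: LI=0, VN=4, mode=3; only the transmit timestamp is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    head = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # stratum 0 (unspecified), poll, precision
    root_delay_disp_refid = b"\0" * 12
    ref_orig_recv = b"\0" * 24
    return head + root_delay_disp_refid + ref_orig_recv + ntp_timestamp(unix_now)


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key authenticator: keyid || MD5(key || packet). This is what
    'ntp authentication-key <id> md5 <key>' plus 'key <id>' on the association produce."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, trusted_keys: dict) -> bool:
    """Accept only a packet carrying a trusted key ID whose digest matches: the check
    'ntp authenticate' + 'ntp trusted-key' apply to the sources the router syncs to."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False                       # unauthenticated (48 bytes) or malformed
    packet = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)          # configured but not trusted keys are not in this dict
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + packet).digest(), digest)
```

Note what the scheme does not give you: the key is a shared secret, so every peer that can verify can also forge, and an unauthenticated 48-byte packet from the same server is simply rejected rather than downgraded.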

SNMP

Uses UDP port 161 (traps use UDP port 162).

- SNMPv1: SMIv1, community strings, MIB-I
- SNMPv2: SMIv2, communities removed (party-based security that was never widely deployed), GetBulk and Inform messages, MIB-II
- SNMPv2c: Equivalent to SNMPv2 with community strings back
- SNMPv3: SNMPv2 message set with the User-based Security Model (MD5/SHA authentication, DES/AES privacy) and view-based access control instead of communities

SNMP Protocol Messages

Message   Version  Reply     Sent by  Purpose
Get       1        Response  Manager  Request single MIB variable
GetNext   1        Response  Manager  Request next single MIB variable
GetBulk   2        Response  Manager  Request consecutive MIB variables
Response  1        None      Agent    Reply with the information requested
Set       1        Response  Manager  Set a particular variable
Trap      1        None      Agent    Send unsolicited information
Inform    2        Response  Manager  Message between Managers (MIB exchange)
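An added example, not part of the original notes, that shows why v1/v2c communities count as no security: a minimal BER encoder builds an SNMPv1 GetRequest for sysDescr.0 and a minimal decoder pulls the version, the community string and the PDU type (the table above) straight out of the datagram. The community strings and request ID are constructed for the example.

```python
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "Response", 0xa3: "SetRequest",
             0xa4: "Trap", 0xa5: "GetBulkRequest", 0xa6: "InformRequest", 0xa7: "SNMPv2-Trap"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}   # the version field is 0-based
DEFAULT_COMMUNITIES = {b"public", b"private"}


def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short or long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def integer(v: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps values with the high bit set positive."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def oid_bytes(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]             # the first two arcs share one byte
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:                                # base-128 with continuation bits
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(enc))
    return bytes(out)


def get_request(version: int, community: bytes, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU { request-id, error-status, error-index, varbinds } }"""
    varbind = tlv(SEQUENCE, tlv(OID, oid_bytes(oid)) + tlv(NULL, b""))
    pdu = tlv(0xA0, integer(request_id) + integer(0) + integer(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, integer(version) + tlv(OCTET_STRING, community) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def inspect(datagram: bytes) -> dict:
    """What anyone on the path sees in an SNMPv1/v2c datagram: version, community, PDU type, in clear text."""
    tag, body, _ = read_tlv(datagram)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, vbytes, pos = read_tlv(body)
    version = int.from_bytes(vbytes, "big")
    if version == 3:                            # v3 carries msgGlobalData and USM fields instead
        return {"version": "SNMPv3", "community": None, "pdu": None, "weak": False}
    _, community, pos = read_tlv(body, pos)
    ptag, _, _ = read_tlv(body, pos)
    return {"version": VERSIONS.get(version, version), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(ptag, hex(ptag)), "weak": community in DEFAULT_COMMUNITIES}
```

Run inspect over a capture of UDP 161 and any hit with "weak": True is a device still answering to public or private; the same community in a SetRequest means write access is exposed too.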

Syslog

Syslog uses UDP port 514.
logging buffered is disabled by default.
logging host 10.1.1.1 sets the syslog server.
logging trap <level> sets the least severe level forwarded to the syslog server (informational by default); logging trap debugging forwards everything.
Syslog over UDP has no authentication or encryption, so messages can be read, dropped or forged on the path; the server should at least filter on source address.
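An added example, not from the original notes: a parser for the IOS syslog line format as a server receives it (PRI, optional sequence number, timestamp, then %FACILITY-SEVERITY-MNEMONIC: text), the logging trap level filter expressed as a function, and two detections run over constructed sample lines (configuration changes and repeated login failures from one source). The sample lines, hosts and user names are constructed; the mnemonics are real IOS ones.

```python
import re
from collections import Counter

# IOS severity names as used by "logging trap <level>" (0 = most severe)
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample of what a syslog server receives from IOS. The PRI is facility * 8 + severity;
# IOS sends facility local7 (23) by default, so <189> is local7/notifications.
SAMPLE = [
    "<189>101: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "<188>102: *Mar  1 00:12:40.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>103: *Mar  1 00:13:02.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<188>104: *Mar  1 00:13:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>105: *Mar  1 00:13:09.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed]",
    "<190>106: *Mar  1 00:13:20.000: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.1.99(40001) -> 10.1.1.1(23), 1 packet",
]

LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                   # syslog PRI
    r"(?:(?P<seq>\d+): )?"                   # optional sequence number (service sequence-numbers)
    r"(?P<ts>[^%]*?): "                      # timestamp (service timestamps log datetime msec)
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"syslog_facility": pri >> 3, "pri_severity": pri & 7,
            "seq": int(m["seq"]) if m["seq"] else None, "timestamp": m["ts"],
            "facility": m["fac"], "severity": int(m["sev"]),
            "severity_name": SEVERITIES[int(m["sev"])],
            "mnemonic": m["mn"], "text": m["text"]}


def forwarded(rec: dict, trap_level: int) -> bool:
    """'logging trap <level>' forwards messages at that level or more severe (numerically lower)."""
    return rec["severity"] <= trap_level


def alerts(lines, failed_login_threshold=3):
    """Two detections over the stream: any configuration change, and repeated login failures per source."""
    out, failures = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                          # not IOS format: keep going, do not crash the collector
        if rec["mnemonic"] == "CONFIG_I":
            out.append(("config-change", rec["text"]))
        elif rec["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([\d.]+)\]", rec["text"])
            if src:
                failures[src.group(1)] += 1
                if failures[src.group(1)] == failed_login_threshold:
                    out.append(("login-bruteforce", src.group(1)))
    return out
```

The pri_severity and severity fields should agree; when they do not, something between the router and the collector rewrote the PRI, which is worth knowing about given that nothing on the path authenticates these messages.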

Web Cache Communication Protocol

Cisco protocol that lets a router redirect traffic transparently to a web cache (content engine), so clients need no proxy settings.
Uses UDP port 2048.
WCCPv1 supports up to 32 content engines and only HTTP (TCP port 80); the engine with the lowest IP address is elected as the lead engine.
WCCPv2 (the default version) adds:

- TCP and UDP services other than HTTP.
- Segmenting the caching services provided by a caching cluster per protocol.
- Multicast, MD5 authentication, load distribution and transparent error handling.

Router(config)# ip wccp web-cache group-address 239.128.1.100 password MYPASS ! Must match on every engine; without it any host can join the service group and receive the redirected traffic
Router(config)# interface fa0/0
Router(config-if)# ip wccp web-cache redirect in ! Enables redirection
Router(config)# interface fa0/1
Router(config-if)# ip wccp redirect exclude in ! Disables redirection for traffic entering this interface (the command takes no service name)
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip wccp web-cache group-list 1 ! List of content engines allowed to join
Router(config)# access-list 2 permit 192.168.2.0 0.0.0.255
Router(config)# ip wccp web-cache redirect-list 2 ! List of redirected hosts

Implementing the Cisco IOS IP Service Level Agreement (IP SLA) Feature

Allows measuring:

- Delay (one way and round trip)
- Jitter
- Packet loss
- Packet sequencing
- Path (per hop)
- Connectivity (UDP echo, ICMP echo, TCP connect)
- Server download time
- Voice-quality metrics

The IP SLA control protocol between the monitor and the responder uses UDP port 1967. The control messages can be MD5-authenticated with a key chain (ip sla key-chain) on both devices; without it the responder opens the requested port for anyone who sends it a control message.

Responder(config)# ip sla responder
Monitor(config)# ip sla 1
Monitor(config-ip-sla)# udp-echo 192.168.12.1 1330
Monitor(config)# ip sla schedule 1 life forever start-time now
Monitor# show ip sla statistics 1

Implementing NetFlow

c6500(config)# interface fa0/0.10
c6500(config-if)# ip flow ingress ! Software-routed (MSFC)
c6500(config)# interface fa0/1
c6500(config-if)# ip route-cache flow ! Software-routed (MSFC)
c6500(config)# ip flow-export source lo0
c6500(config)# ip flow-export destination 10.1.1.1 9996
c6500(config)# ip flow-export version 5
c6500(config)# mls netflow ! Hardware-routed (PFC)
c6500(config)# mls flow ip interface-full
c6500(config)# mls nde sender version 5 ! Netflow Data Export
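An added example, not from the original notes, of consuming what the configuration above exports: a parser for the NetFlow version 5 datagram (24-byte header, 48-byte records) and two detections over the decoded flows, a SYN-only port scan and flows to clear-text management ports (telnet, TFTP, SNMP) that the rest of the page keeps warning about. The records are constructed in code rather than captured; the collector port 9996 and the addresses are assumptions.

```python
import struct
from collections import defaultdict

V5_HEADER = "!HHIIIIBBH"                  # version, count, sysuptime, unix secs, unix nsecs, sequence,
                                          # engine type, engine id, sampling mode/interval (24 bytes)
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"    # src, dst, nexthop, in/out ifindex, packets, octets, first, last,
                                          # sport, dport, pad, tcp flags, proto, tos, src/dst AS, masks, pad
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
SYN = 0x02
CLEARTEXT_MGMT = {23: "telnet", 69: "tftp", 161: "snmp"}


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_record(src, dst, sport, dport, proto, pkts, octets, flags=0):
    """Constructed v5 flow record; ifindex 1 in, 2 out, /24 masks, no AS numbers."""
    return struct.pack(V5_RECORD, ip_bytes(src), ip_bytes(dst), b"\0" * 4, 1, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_export(records, seq=0, engine_id=0):
    hdr = struct.pack(V5_HEADER, 5, len(records), 1000, 1700000000, 0, seq, 0, engine_id, 0)
    return hdr + b"".join(records)


def parse_export(datagram: bytes) -> dict:
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = struct.unpack(V5_HEADER, datagram[:24])
    if version != 5:
        raise ValueError(f"NetFlow version {version}, expected 5")
    if len(datagram) != 24 + 48 * count:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = 24 + 48 * i
        f = struct.unpack(V5_RECORD, datagram[off:off + 48])
        flows.append({"src": ip_str(f[0]), "dst": ip_str(f[1]), "in_if": f[3], "out_if": f[4],
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": PROTO.get(f[13], f[13])})
    return {"sequence": seq, "engine_id": eid, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def find_scanners(flows, min_targets=10):
    """Many distinct (destination, port) pairs from one source, each a tiny SYN-only flow."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["tcp_flags"] == SYN and f["packets"] <= 2:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def cleartext_management(flows):
    """Flows toward telnet, TFTP or SNMP: protocols that carry credentials or config in the clear."""
    return [(f["src"], f["dst"], CLEARTEXT_MGMT[f["dport"]]) for f in flows if f["dport"] in CLEARTEXT_MGMT]
```

Sequence numbers matter in practice: a gap between consecutive datagrams' sequence fields is lost export (UDP), and a flow you never saw is a flow you cannot alert on.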

Implementing Router IP Traffic Export

RITE is the router equivalent of SPAN on a switch: it copies (optionally sampled) IP packets from a monitored interface out of another interface toward an analyzer. Only IP traffic is exported.

Router(config)# ip traffic-export profile EXPORT
Router(conf-rite)# interface FastEthernet0/0 ! Interface the copies are sent out of (toward the analyzer)
Router(conf-rite)# bidirectional
Router(conf-rite)# incoming sample one-in-every 5
Router(conf-rite)# outgoing sample one-in-every 5
Router(conf-rite)# mac-address aaa0.bbbb.cccc ! Destination MAC of the analyzer
Router(config)# interface Serial0/0 ! Monitored interface
Router(config-if)# ip traffic-export apply EXPORT

Implementing Cisco IOS Embedded Event Manager

Tracks and classifies events on a router and provides notifications.
EEM overlaps with RMON functionality, but is considered more powerful and flexible.

Router(config)# event manager applet CLI-copy_run_start
Router(config-applet)# event cli pattern "wr" sync yes ! Regex: fires on any command containing "wr", before it executes
Router(config-applet)# action 1 syslog msg "$_cli_msg Command Executed"
Router(config-applet)# set 2 _exit_status 1 ! 1 lets the command run; 0 would block it
Router(config-applet)# end

Implementing Remote Monitoring

RMON lets you configure thresholds on SNMP MIB objects and raise alerts from them.
RMON is divided into two classes: alarms and events.
You define events (log, trap, or both), then configure alarms with rising and falling thresholds on a MIB object and tell each threshold which event to trigger. The community string given in rmon event is the one sent with the trap.

Router(config)# rmon event 1 log trap public description Fa0.0RisingErrors owner config
Router(config)# rmon event 2 log trap public description Fa0.0FallingErrors owner config
Router(config)# rmon event 3 log trap public description Se0.0RisingErrors owner config
Router(config)# rmon event 4 log trap public description Se0.0FallingErrors owner config
Router(config)# rmon alarm 20 ifInErrors.1 60 delta rising-threshold 10 1 falling-threshold 5 2 owner config
Router(config)# rmon alarm 30 ifInErrors.2 60 absolute rising-threshold 20 3 falling-threshold 10 4 owner config
Router# show rmon alarm
Router# show rmon event

Implementing and Using FTP on a Router

Router(config)# ip ftp username Joe
Router(config)# ip ftp password cisco ! Sent in clear text on every FTP session the router opens
Router(config)# ip ftp passive
Router(config)# exception protocol ftp ! Write the core dump over FTP instead of TFTP
Router(config)# exception region-size 65536
Router(config)# exception dump 172.30.1.1 ! A core dump is a full memory image; it contains the running configuration and any keys, so protect the server accordingly

Implementing a TFTP Server on a Router

Router(config)# tftp-server flash:c1700-advipservicesk9-mz.124-23.bin alias c1700.bin 10 ! 10 = standard ACL of permitted clients; TFTP itself has no authentication

Implementing Secure Copy Protocol

Router(config)# hostname Secure
Secure(config)# ip domain-name lab.net
Secure(config)# crypto key generate rsa general-keys modulus 1024 ! Hostname and domain name must be set first; 2048 is the minimum worth using now
Secure(config)# aaa new-model ! Required before any aaa authentication/authorization command is accepted
Secure(config)# aaa authentication login default local
Secure(config)# aaa authorization exec default local ! SCP needs exec authorization for the user
Secure(config)# username admin privilege 15 secret 0 MYSECRET
Secure(config)# ip scp server enable

Implementing HTTP and HTTPS Access

Router(config)# ip http server ! Clear-text HTTP; turn it off (no ip http server) once HTTPS works
Router(config)# ip http port 8080
Router(config)# ip http access-class 10 ! Standard ACL (1-99) of permitted management hosts; an extended ACL is not accepted here
Router(config)# ip http client username Joe ! Client-side credentials, used when the router itself fetches files over HTTP
Router(config)# ip http client password cisco
Router(config)# ip http authentication [aaa | local | enable | tacacs]
Router(config)# ip http secure-server ! HTTPS on TCP 443; needs an RSA key pair
Router# show ip http server secure status

Implementing Telnet Access

Router(config)# access-list 100 deny tcp any any eq 23
Router(config)# access-list 100 permit tcp any any eq 3010
Router(config)# access-list 100 deny ip any any
Router(config)# line vty 0 4
Router(config-line)# rotary 10 queued ! Telnet port == 3000 + rotary group
Router(config-line)# access-class 100 in ! Moving Telnet to port 3010 hides nothing from a scanner; the session is still clear text, prefer SSH

Implementing SSH Access

Secure(config)# access-list 100 deny tcp any any eq 22
Secure(config)# access-list 100 permit tcp any any eq 2010
Secure(config)# access-list 100 deny ip any any
Secure(config)# ip ssh port 2010 rotary 10 ! Unlike Telnet, SSH does not listen on the rotary port until it is bound with this command
Secure(config)# line vty 0 4
Secure(config-line)# rotary 10 queued ! SSH port == 2000 + rotary group
Secure(config-line)# access-class 100 in
Secure(config-line)# transport input ssh

1 comment:

Sandy Shaw said...

I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.