Thursday, January 21, 2010

BSCI topics

Implement EIGRP operations

  • Explain the functions and operations of EIGRP (e.g., DUAL).
  • Configure EIGRP routing. (e.g., Stub Routing, authentication, etc.)
  • Verify or troubleshoot EIGRP routing configurations.

Implement multiarea OSPF operations

  • Explain the functions and operations of multiarea OSPF.
  • Configure multiarea OSPF routing. (e.g., Stub, NSSA, authentication, etc.)
  • Verify or troubleshoot multiarea OSPF routing configurations.

Describe integrated IS-IS

  • Describe the features and benefits of integrated IS-IS.
  • Configure and verify integrated IS-IS.

Implement Cisco IOS routing features

  • Describe, configure or verify route redistribution between IP routing IGPs. (e.g., route-maps, default routes, etc.)
  • Describe, configure or verify route filtering (i.e., distribute-lists and passive interfaces).
  • Describe and configure DHCP services (e.g., Server, Client, IP helper address, etc.).

Implement BGP for enterprise ISP connectivity

  • Describe the functions and operations of BGP.
  • Configure or verify BGP operation in a non-transit AS (e.g., authentication).
  • Configure BGP path selection. (i.e., Local Preference, AS Path, Weight or MED attributes).

Implement multicast forwarding

  • Describe IP Multicast (e.g., Layer-3 to Layer-2 mapping, IGMP, etc.).
  • Describe, configure, or verify IP multicast routing (i.e., PIM Sparse-Dense Mode).

Implement IPv6

  • Describe IPv6 addressing operations.
  • Describe IPv6 interoperation with IPv4.
  • Describe, configure or verify OSPF routing with IPv6 addressing.

Wednesday, January 20, 2010

Emulating ASA with Qemu+pcap in Windows

OK, here I'm going to explain how to emulate a Cisco ASA using Qemu on Windows. Actually, more than just Qemu+pcap is involved in the process, but the basic operations are performed by exactly these programs. Well, let's begin and document the entire process of setting up and using ASA with ASDM.
Download the asa.zip archive and unpack it to any folder: http://rapidshare.com/files/337827123/asa.zip (another copy I've put on the UbuntuOne server). It contains:
    • Unpacked image of asa802-k8.bin. We need to unpack the .bin file to specify the kernel and initrd files to Qemu. The unpacking process is described well here: http://blog.gns3.net/2009/12/how-to-emulate-cisco-asa;
    • Qemu (patched with pcap support). In Windows we have to have WinPcap installed for Qemu to be able to bridge the ASA network adapter with the OS's interface/interfaces (for example, with the MS Loopback interface); in Linux we need to compile Qemu with pcap support (libpcap-dev must be installed);
    • Flash file created with qemu-img (ASA will use it as the disk for its file system);
    • .bat files with commands for Qemu startup. They include important information about startup options and the network adapters which ASA will use and to which the ASA's interfaces will be bridged. We should specify the virtual or physical interfaces to which we want to bridge ASA. We can see them with the GNS3 cloud or the option in the GNS3 folder in the Start menu (Windows only).
    We just need to extract the files from the archive wherever we want and edit ASA-nolina_WIN.bat. We have to include the appropriate identifiers of our interfaces (which can be seen in the GNS3 cloud or the GNS3 menu in Start (Windows only)). Then double-click on the .bat file.

    When everything is loaded we need to telnet to it on localhost:1234 and type the following:
    • modprobe e100
    • ifconfig eth0 up
    • ifconfig eth1 up, etc. (depends on how many interfaces we need to use/bridge);
    • cd /mnt/disk0
    • ./lina_monitor, or /asa/bin/lina -m for multiple-context mode
    After that we can see ASA loading.
    Then we should configure it with the following:
    • enable
    • configure t
    • int eth0/0
    • nameif management
    • security-level 100
    • ip add 192.168.200.2 255.255.255.0 (put it in the network of the bridged host adapter)
    • no shutdown
    • management-access management
    After that we should be able to successfully ping the bridged interface of the host. If we can't, there is a problem somewhere in the configuration.

    Now let's configure ASDM.
    Here is a link to ASDM which I was using: ASDM 6.2

    In ASA configure the following lines:
    • telnet 192.168.200.1 255.255.255.255 management (here is the IP address of your interface)
    • http server enable
    • http 192.168.200.1 255.255.255.255 management
    The next step is to download and install Fiddler, a small HTTP proxy debugger. It's needed because the emulated ASA doesn't know its real platform and "sh version" shows an empty platform, but ASDM needs to know the platform to function properly. Besides, we need it to handle the buffering of HTTP traffic and other things; without it we will end up with an error message that this version of ASDM isn't supported, or something like that.
    Now we need to set Fiddler to decode HTTPS:
    • Fiddler --> Tools --> Fiddler Options --> HTTPS --> check 'Decrypt HTTPS traffic'
    Then add a rule to Fiddler to change the hardware platform to ASA5520:

    • Fiddler --> Rules --> Customize Rules (CTRL-R) --> add the code below:
    static function OnBeforeRequest(oSession: Session)
    {
        // Do not buffer the ASDM launcher and applet downloads.
        if ((oSession.url.EndsWith("/admin/asdm_handler")) || (oSession.url.EndsWith("/admin/pdm.sgz"))) {
            oSession.bBufferResponse = false;
        }
        // Rewrite "write mem" on its way to the ASA, because saving to startup-config
        // fails on the emulated platform (see the P.P.S. below). These change the
        // request, so they belong in OnBeforeRequest, not OnBeforeResponse.
        if (oSession.url.EndsWith("/admin/config")) {
            oSession.utilReplaceInRequest("write mem", "copy /noconfirm running-config disk0:/.private/startup-config");
        }
        if (oSession.url.EndsWith("/admin/exec/write+memory")) {
            // String.Replace returns a new string; the result must be assigned back to the URL.
            oSession.url = oSession.url.Replace("write+memory", "copy+%2Fnoconfirm+running-config+disk0%3A%2F.private%2Fstartup-config");
        }
    }

    static function OnBeforeResponse(oSession: Session)
    {
        // The emulated ASA reports an empty platform; fill in a hardware model so ASDM accepts it.
        if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware:   ,', 'Hardware:   ASA5520,');
        }
        if (oSession.url.EndsWith("/admin/exec/show+version")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware:   ,', 'Hardware:   ASA5510,');
        }
    }

    Or download the following .js file and replace Fiddler's CustomRules.js with it: http://rapidshare.com/files/337830003/Fiddler_custom_rule.rar.
    Also, to be able to use 3DES/AES encryption through ASDM, we have to add the following parts to Fiddler's .js file:
    static function OnBeforeResponse(oSession: Session)
    {
        // Rewrite the platform, licensed features, serial number and activation key in the
        // "show version" output so that ASDM offers the 3DES/AES options.
        if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware:   ,', 'Hardware:   ASA5510,');
            oSession.utilReplaceInResponse('3DES-AES                     : Enabled', 'VPN-3DES-AES                 : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC                  : Enabled', 'Advanced Endpoint Assessment : Enabled');
            oSession.utilReplaceInResponse('Serial Number: 123456789AB', 'Serial Number: JKX1014K074');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000', 'Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
        }

        if (oSession.url.EndsWith("/admin/exec/show+version")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware:   ,', 'Hardware:   ASA5510,');
            oSession.utilReplaceInResponse('3DES-AES                     : Enabled', 'VPN-3DES-AES                 : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC                  : Enabled', 'Advanced Endpoint Assessment : Enabled');
            oSession.utilReplaceInResponse('Serial Number: 123456789AB', 'Serial Number: JKX1014K074');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000', 'Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
        }

        // "show activation-key" is what ASDM checks on the licensing page.
        if (oSession.url.EndsWith("/admin/exec/show+activation-key")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Serial Number:  123456789AB', 'Serial Number:  JKX1014K074  ');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000', 'Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            oSession.utilReplaceInResponse('Failed to retrieve flash activation key.', 'Permanent Flash Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            oSession.utilReplaceInResponse('3DES-AES                     : Enabled', 'VPN-3DES-AES                 : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC                  : Enabled', 'Advanced Endpoint Assessment : Enabled');
        }
    }
    Note that the function OnBeforeResponse already exists in the file, so we only have to add the additional IF statements to it.
    The path to the file is C:\Documents and Settings\Administrator\My Documents\Fiddler2\Scripts\CustomRules.js

    Then we need to change the proxy in the Java configuration. Go to:
    • Control Panel - Java - Network Settings - use proxy: localhost:8888 - Advanced: "use the same proxy server for all protocols"

    Now we should copy the ASDM .bin to the flash of the ASA from a TFTP server (simply copy tftp flash).
    Then try to connect to the interface of the ASA via HTTPS in a browser, like https://192.168.200.2/admin
    I had a problem with authentication, so it would be reasonable to add a user in ASA:
    • username igro password cisco privilege 15
    Everything should work fine up to this point.

    P.S. ASDM, like SDM, works only on older Java versions. I use version 5 (the last release of the old 5).
    P.P.S. Some problems exist with saving the running-config to the startup-config. We should either copy run flash:/.private/startup-config or, if that doesn't work, use copy run tftp and then tftp flash:/.private/startup-config. It looks like ASDM saves it without a problem.
    Cheers!

    Thursday, January 7, 2010

    Maximum length of various cable types
    Interestingly, the 5 and 2 in the names 10BASE5 and 10BASE2 represent the maximum cable length.
    UTP cable needs two pairs of wires for 10BASE-T and 100BASE-TX and four pairs of wires for 1000BASE-T. This section focuses on the pinouts for two-pair wiring, with four-pair wiring covered next.
    Also, Gigabit Ethernet transmits and receives on each of the four wire pairs simultaneously.


    Multicast addresses: Multicast addresses are used to allow a subset of devices on a LAN to communicate. When IP multicasts over Ethernet, the multicast MAC addresses used by IP follow this format: 0100.5exx.xxxx, where any value can be used in the last half of the address.

    Sunday, January 3, 2010

    STP, RSTP and so on.

    STP (IEEE 802.1d)

    STP defines messages called bridge protocol data units (BPDU), which bridges and switches use to exchange information with each other. The most common message, called a Hello BPDU, lists the sending switch’s bridge ID. By listing its own unique bridge ID, switches can tell the difference between BPDUs sent by different switches. This message also lists the bridge ID of the current root switch.
    Hello interval 2 seconds.

    Electing the Root Switch
    Switches elect a root switch based on the bridge IDs in the BPDUs. The root switch is the switch with the lowest numeric value for the bridge ID. 
    BID = Priority + MAC-address
    After the election is complete, only the root switch continues to originate STP Hello BPDU messages. The other switches receive the Hellos, update the sender's BID field (and the cost-to-reach-the-root field), and forward the Hellos out their other interfaces.

    Choosing Each Switch’s Root Port
    The second part of the STP process occurs when each nonroot switch chooses its one and only root port. A switch’s root port (RP) is its interface through which it has the least STP cost to reach the root switch.


    Choosing the Designated Port on Each LAN Segment
    STP’s final step to choose the STP topology is to choose the designated port on each LAN segment. The designated port on each LAN segment is the switch port that advertises the lowest-cost Hello onto a LAN segment. When a nonroot switch forwards a Hello, the nonroot switch sets the cost field in the Hello to that switch’s cost to reach the root. In effect, the switch with the lower cost to reach the root, among all switches connected to a segment, becomes the DP on that segment.


    When I need to choose the designated port, I should calculate the cost to reach the root bridge based not on the cost of the port(!!!), but on the LINK cost!!!
    Like if two switches connect to each other, one with a FastEthernet port and the other one with a GigabitEthernet port, then from the perspective of either switch the link cost will be 19, not 4!!!

    Ethernet Speed    Cost
    10 Mbps           100
    100 Mbps          19
    1 Gbps            4
    10 Gbps           2

    For switch interfaces connected to hosts or routers, which do not use STP, the switch will still forward Hellos onto those interfaces.

    The following list summarizes the steady-state operation when nothing is currently changing in the STP topology:
    1. The root creates and sends a Hello BPDU, with a cost of 0, out all its working interfaces (those in a Forwarding State).
    2. The nonroot switches receive the Hello on their root ports. After changing the Hello to list their own bridge ID as the sender’s BID, and listing that switch’s root cost, the switch forwards the Hello out all designated ports.
    3. Steps 1 and 2 repeat until something changes.

    Each switch relies on these periodic received Hellos from the root as a way to know that its path to the root is still working. When a switch ceases to receive the Hellos, something has failed, so the switch reacts and starts the process of changing the spanning-tree topology. Note that all switches use the timers as dictated by the root switch, which the root lists in its periodic Hello BPDU messages.

    Optional STP features

    PortFast
    PortFast allows a switch to immediately place a port in Forwarding State when the port becomes physically active, bypassing any choices about the STP topology and bypassing the Listening and Learning States.

    STP Security
    The Cisco BPDU Guard feature disables a port if any BPDUs are received on the port.

    The Root Guard feature allows another switch to be connected to the interface, and participate in STP by sending and receiving BPDUs. However, when the switch interface with Root Guard enabled receives a superior BPDU from the neighboring switch—a BPDU that has a lower/better bridge ID—the switch with Root Guard reacts. Not only does the switch ignore the superior BPDU, but the switch also disables the interface, not sending or receiving frames, as long as the superior BPDUs keep arriving. If the superior BPDUs stop arriving, the switch can start using the interface again.

    Rapid STP (IEEE 802.1w)
    RSTP (802.1w) works just like STP (802.1d) in several ways:
    ■ It elects the root switch using the same parameters and tiebreakers.
    ■ It elects the root port on nonroot switches with the same rules.
    ■ It elects designated ports on each LAN segment with the same rules.
    ■ It places each port in either Forwarding or Blocking State, although RSTP calls the Blocking State the Discarding State.


    RSTP can be deployed alongside traditional 802.1d STP switches, with RSTP features working in switches that support it, and traditional 802.1d STP features working in the switches that support only STP.

    RSTP only has to wait 3*Hello (default 6 seconds). Additionally, RSTP eliminates the forward delay (default 15 seconds) time in both Listening and Learning States.


    The IEEE did not attempt to make RSTP work in networks that use shared hubs, and RSTP would not improve convergence in the network on the right. RSTP calls Ethernet connections between switches links and calls Ethernet connections to end-user devices edges. RSTP does not distinguish between point-to-point and shared types for edge connections.

    RSTP Port States

    Discarding means that the port does not forward frames, process received frames, or learn MAC addresses, but it does listen for BPDUs. In short, it acts just like the STP Blocking State. RSTP uses an interim Learning State when moving an interface from a Discarding State to Forwarding State. However, RSTP needs to use Learning State for only a short time.

    RSTP Port Roles
    Both STP (802.1d) and RSTP (802.1w) use the concepts of port states and port roles. The STP process determines the role of each interface. For example, STP determines which interfaces are currently in the role of a root port or designated port. Then, STP determines the stable port state to use for interfaces in certain roles: the Forwarding State for ports in the RP or DP roles, and the Blocking State for ports in other roles.

    The RSTP alternate port role identifies a switch's best alternative to its current RP. The other new RSTP port type, backup port, applies only when a single switch has two links to the same segment (collision domain).



    RSTP Convergence

    The RSTP Spanning Tree Algorithm (STA) works somewhat differently than its older predecessor. For example, under stable conditions, every switch independently generates and sends Hello BPDUs, rather than only changing and forwarding the Hellos sent by the root switch. However, under stable conditions, the end results are the same: A switch that continues to hear the same Hellos, with the same cost and root switch BID listed, leaves the STP topology as is.

    The main changes with RSTP's version of the STA occur when changes occur in the network. RSTP acts differently on some interfaces based on RSTP's characterization of the interface, which is based on what is connected to the interface.

    Edge-Type Behavior and PortFast
    RSTP improves convergence for edge-type connections by immediately placing the port in Forwarding State when the link is physically active. In effect, RSTP treats these ports just like the Cisco-proprietary PortFast feature.
    Link-Type Shared
    RSTP doesn’t do anything differently from STP on link-type shared links.
    Link-Type Point-to-Point
    RSTP improves convergence over full-duplex links between switches—the links that RSTP calls “link-type point-to-point.” The first improvement made by RSTP over these types of links relates to how STP uses MaxAge. STP requires that a switch that no longer receives root BPDUs in its root port must wait for MaxAge seconds before starting convergence. MaxAge defaults to 20 seconds. RSTP recognizes the loss of the path to the root bridge, through the root port, in 3 times the Hello timer, or 6 seconds with a default Hello timer value of 2 seconds.

    On Cisco switches, the STP cost is based on the actual speed of the interface, so if an interface negotiates to use a lower speed, the default STP cost reflects that lower speed per Table 2-6. If the interface negotiates to use a different speed, the switch dynamically changes the STP port cost as well.

    Determining the Root Port on Nonroot Switches
    Step 1 Determine all possible paths over which a frame, sent by the nonroot switch, can reach the root switch.
    Step 2 For each possible path in Step 1, add the costs of all outgoing interfaces in that path.
    Step 3 The lowest cost found is the cost to reach the root, and the outgoing interface is that switch’s RP.
    Step 4 If the cost ties, use the port priority tiebreaker, and if that ties, use the lowest port number tiebreaker. 

    Determining the Designated Port on Each LAN Segment
    Step 1 For switches connected to the same LAN segment, the switch with the lowest cost to reach the root is the DP on that segment.
    Step 2 In case of a tie, among the switches that tied on cost, the switch with the lowest BID becomes the DP.
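    The three decisions above (root election by lowest BID, root port by lowest accumulated cost, designated port by lowest root cost then lowest BID) can be worked through on a small topology. This is an added example, not code from the original notes; the switches, MACs and links are constructed, and the FastEthernet/GigabitEthernet link is deliberately mismatched to show the "19, not 4" point from the cost table.

```python
# Worked STP role computation for a constructed three-switch topology
# (constructed example, not from the notes): root election by lowest BID,
# root port by lowest accumulated cost, designated port by lowest root cost
# then lowest BID, with a speed-mismatched link costed at its slower end.
import heapq

STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}  # Mbps -> cost, per the notes

# Constructed switches: name -> (priority, MAC), all at the default priority.
SWITCHES = {"SW1": (32768, "0000.0000.0001"),
            "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
# Constructed links: (sw_a, port_a, speed_a, sw_b, port_b, speed_b).
LINKS = [("SW1", "Gi0/1", 1000, "SW2", "Gi0/1", 1000),  # GE <-> GE: cost 4
         ("SW2", "Fa0/2", 100, "SW3", "Gi0/2", 1000),   # FE <-> GE: cost 19, not 4
         ("SW1", "Fa0/3", 100, "SW3", "Fa0/1", 100)]    # FE <-> FE: cost 19


def bridge_id(priority, mac):
    """BID = 16-bit priority followed by the 48-bit MAC, compared numerically."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def link_cost(speed_a, speed_b):
    """The link, not the port, sets the cost: a mismatched link uses the slower end."""
    return STP_COST[min(speed_a, speed_b)]


def elect_root(switches):
    """The switch with the lowest numeric BID becomes the root."""
    return min(switches, key=lambda s: bridge_id(*switches[s]))


def root_ports(switches, links, root):
    """Dijkstra outward from the root -> {switch: (root_cost, root_port)}.
    Cost ties fall to the lowest port name (port priorities assumed equal)."""
    adj = {s: [] for s in switches}
    for a, pa, sa, b, pb, sb in links:
        cost = link_cost(sa, sb)
        adj[a].append((b, pb, cost))  # neighbour b is entered via b's port pb
        adj[b].append((a, pa, cost))
    best, heap = {}, [(0, "", root)]
    while heap:
        cost, port, sw = heapq.heappop(heap)
        if sw in best:
            continue
        best[sw] = (cost, port or None)
        for nbr, nbr_port, c in adj[sw]:
            if nbr not in best:
                heapq.heappush(heap, (cost + c, nbr_port, nbr))
    return best


def port_roles(switches, links):
    """Return (root, root_ports, {(switch, port): 'RP' | 'DP' | 'Blocking'})."""
    root = elect_root(switches)
    best = root_ports(switches, links, root)
    roles = {}
    for a, pa, _, b, pb, _ in links:
        # Designated port per segment: lowest root cost, then lowest BID.
        ends = [(best[a][0], bridge_id(*switches[a]), a, pa),
                (best[b][0], bridge_id(*switches[b]), b, pb)]
        dp = min(ends)[2:]
        for _, _, sw, port in ends:
            if (sw, port) == dp:
                roles[(sw, port)] = "DP"
            elif best[sw][1] == port:
                roles[(sw, port)] = "RP"
            else:
                roles[(sw, port)] = "Blocking"
    return root, best, roles
```

    Running port_roles(SWITCHES, LINKS) makes SW1 the root, gives SW3 a root cost of 19 via its direct FastEthernet link rather than 23 via SW2, and blocks SW3's GigabitEthernet port because SW2 wins the designated-port election on the mismatched segment.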



    Friday, January 1, 2010

    IPv6

    128-bit long address.
    FFFF:0000:0000:0000:0000:0000:0000:FFFF - my observation: each hex digit in an address is 4 bits of prefix length. For example:
    • F000::1/4
    • FF00::1/8, etc.

    2000::/3 - stands for global unicast address prefix.
    FD00::/8 - unique local unicast address prefix.


    FE80::/10 - link-local unicast address prefix. Used for functions which don't need to leave the subnet. No specific configuration is required, because a host forms these addresses by using the first 10 bits of hex FE80 (binary 1111111010), 54 more binary 0s, and the last 64 bits being the host's EUI-64 format interface ID. For example, hosts use this address for NDP RS messages.


    FF00::/8 - stands for multicast address prefix.
    FF02::/16 - multicast addresses that stay on the local link.
    ::1 - represents the loopback address.
    :: - reserved address which can be used when a host doesn't know its IPv6 address and is trying to discover it.
    FF02::1:2 - reserved for hosts to use when searching for an unknown DHCP server.



    Interface ID and EUI-64 Format

    MAC addresses are 6 bytes (48 bits) in length, so for a host to automatically decide on a value to use in the 8-byte (64-bit) interface ID field, IPv6 cannot simply copy the MAC address. To complete the 64-bit interface ID, IPv6 fills in 2 more bytes. Interestingly, to do so, IPv6 separates the MAC address into two 3-byte halves and inserts hex FFFE between the halves to form the interface ID field, as well as setting 1 special bit to binary 1. EUI-64 format requires setting the seventh bit in the first byte of the MAC address to binary 1. The underlying reason is that Ethernet MAC addresses are listed with the low-order bits of each byte on the left and the high-order bits on the right.


    Dynamic IPv6 address autoconfiguration.

    IPv6 supports two methods of dynamic configuration of IPv6 addresses. One uses a stateful DHCPv6 server and the other uses stateless autoconfiguration.

    Stateless autoconfiguration uses two NDP messages, namely router solicitation (RS) and router advertisement (RA) messages, to discover the IPv6 prefix used on a LAN.
    The host sends the RS message as an IPv6 multicast message, asking all routers to respond to the questions "What IPv6 prefix(es) are used on this subnet?" and "What are the IPv6 address(es) of any default routers on this subnet?" IPv6 does not use broadcasts.
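    The prefix list above, the EUI-64 construction and the stateless autoconfiguration step can all be checked with a few lines of Python. This is an added example, not code from the original notes; the MAC address and the /64 prefix it uses are constructed, and the prefix classes are exactly those listed in the notes (FD00::/8 for unique local, as written above).

```python
# EUI-64 interface IDs, link-local and autoconfigured addresses, and the
# prefix classes listed in the notes. Constructed example, not from the
# original notes; the MAC and /64 prefix used below are made up.
import ipaddress

# Prefixes from the notes, most specific first so FF02::/16 wins over FF00::/8.
PREFIX_CLASSES = [("::/128", "unspecified"), ("::1/128", "loopback"),
                  ("FF02::/16", "link-local multicast"), ("FF00::/8", "multicast"),
                  ("FE80::/10", "link-local unicast"), ("FD00::/8", "unique local unicast"),
                  ("2000::/3", "global unicast")]


def classify(address):
    """Name the address class by prefix; each hex digit of a prefix covers 4 bits."""
    addr = ipaddress.IPv6Address(address)
    for prefix, name in PREFIX_CLASSES:
        if addr in ipaddress.IPv6Network(prefix):
            return name
    return "other"


def eui64_interface_id(mac):
    """Build the 8-byte interface ID from a 6-byte MAC (dotted, colon or dash form)."""
    octets = bytes.fromhex(mac.translate(str.maketrans("", "", ".:-")))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # split, insert FFFE
    # Flip the universal/local bit, the seventh bit of the first byte (0x02 with
    # the byte written high-order bit first); a burned-in MAC has it at 0, so
    # this sets it to 1 as the notes describe.
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac):
    """FE80 (first 10 bits), 54 zero bits, then the EUI-64 interface ID."""
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)


def autoconfigured_address(prefix, mac):
    """Stateless autoconfiguration: the /64 prefix learned from an RA + EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = "0013.1234.5678"  # constructed MAC
    print(eui64_interface_id(mac).hex())
    print(link_local_address(mac), classify(str(link_local_address(mac))))
    print(autoconfigured_address("2001:db8:1:1::/64", mac))
```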


    IPv6 Transition Options