IP Services
3.0 IP Connectivity
3.5 Describe the purpose of First Hop Redundancy Protocol
4.0 Infrastructure Services
4.4 Explain the function of SNMP in network operations
4.9 Describe the capabilities and function of TFTP/FTP in the network
First Hop Redundancy Protocol
Figure 12-1 R1 and the One WAN Link as Single Points of Failure [figure: subnet 10.1.1.0/24; hosts use default gateway .9]
Figure 12-2 Higher Availability but with R1 Still as a Single Point of Failure [figure: remote site with one default router .9, redundant links to the main site]
Figure 12-3 Removing All Single Points of Failure from the Network Design [figure: two routers, .9 on G0/0 and .129 on the second router]
Figure 12-4 Balancing Traffic by Assigning Different Default Routers to Different Clients [figure: some hosts use GW=.9, others GW=.129]
All hosts act like they always have, with one default router setting that never has to change.
The default routers share a virtual IP address in the subnet, defined by the FHRP.
Hosts use the FHRP virtual IP address as their default router address.
The routers exchange FHRP protocol messages so that both agree as to which router does what work at any point in time.
When a router fails or has some other problem, the routers use the FHRP to choose which router takes over responsibilities from the failed router.
The Three Solutions for First-Hop Redundancy
First Hop Redundancy Protocol does not name any one protocol. Instead, it names a family of protocols that fill the same role.
Acronym  Full Name                            Origin    Redundancy Approach  Load Balancing Per...
HSRP     Hot Standby Router Protocol          Cisco     active/standby       subnet
VRRP     Virtual Router Redundancy Protocol   RFC 5798  active/standby       subnet
GLBP     Gateway Load Balancing Protocol      Cisco     active/active        host
HSRP Concepts
HSRP operates with an active/standby model (also more generally called active/passive) and allows two (or more) routers to cooperate.
Figure 12-5 All Traffic Goes to .1 (R1, Which Is Active); R2 Is Standby [figure: hosts use GW=.1; host ARP table maps 10.1.1.1 to VMAC1; R1 is HSRP active, R2 is HSRP standby]
HSRP Failover
Figure 12-6 Packets Sent Through R2 (New Active) Once It Takes Over for Failed R1 [figure: R2 (.129) becomes HSRP active for VMAC1; host ARP table unchanged, 10.1.1.1 still maps to VMAC1]
To make the switches change their MAC address table entries for VMAC1, R2 sends an Ethernet frame with VMAC1 as the source MAC address.
The frame is also a LAN broadcast, so all the switches learn a MAC table entry for VMAC1 that leads toward R2.
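The takeover mechanism just described, as an added simulation (not code from the page): a switch learns source MACs per port, so R2's broadcast sourced from VMAC1 moves the table entry while the host's ARP entry stays untouched. Port names, the host address and the use of the HSRP version 1 virtual MAC format 0000.0c07.acXX (XX = group number) are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# HSRP version 1 virtual MACs have the form 0000.0c07.acXX, XX = group number
# (a fact outside the page's text); group 1 therefore answers as this MAC.
VMAC1 = "0000.0c07.ac01"
BROADCAST = "ffff.ffff.ffff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress_port: str   # switch port the frame arrived on

@dataclass
class Switch:
    name: str
    mac_table: Dict[str, str] = field(default_factory=dict)

    def receive(self, frame: Frame) -> None:
        # Transparent-bridge learning: associate the source MAC with the
        # ingress port, replacing any older entry for that MAC.
        self.mac_table[frame.src_mac] = frame.ingress_port

    def port_for(self, mac: str) -> Optional[str]:
        return self.mac_table.get(mac)

def hsrp_takeover(sw: Switch, port_toward_new_active: str) -> Optional[str]:
    """The router that becomes active sends a LAN broadcast with VMAC1 as the
    source MAC, so every switch relearns VMAC1 toward the new active router."""
    sw.receive(Frame(VMAC1, BROADCAST, port_toward_new_active))
    return sw.port_for(VMAC1)

def simulate_failover() -> Tuple[Optional[str], Optional[str], str]:
    """Returns (port for VMAC1 before failover, port after, host ARP entry)."""
    sw1 = Switch("SW1")                                 # constructed topology
    host_arp = {"10.1.1.1": VMAC1}                      # host resolved its gateway once
    sw1.receive(Frame(VMAC1, BROADCAST, "Gi0/1"))       # R1 (active) is behind Gi0/1
    before = sw1.port_for(VMAC1)
    after = hsrp_takeover(sw1, "Gi0/2")                 # R1 fails; R2 is behind Gi0/2
    # The host never re-ARPs: only the switch's path to VMAC1 changed.
    return before, after, host_arp["10.1.1.1"]

if __name__ == "__main__":
    print(simulate_failover())
```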
HSRP Load Balancing
you can configure multiple instances of HSRP in the same subnet (called multiple HSRP groups), preferring one router to be active in one group and the other router to be preferred as active in another.
Figure 12-7 Load Balancing with HSRP by Using Different Active Routers per Subnet [figure: R1 active for 10.1.1.1 (subnet 1, 10.1.1.0/24) and standby for subnet 2; R2 active for 10.1.2.1 (subnet 2, 10.1.2.0/24, VLAN 2) and standby for subnet 1]
FHRPs are needed on any device that acts as a default router, which includes both traditional routers and Layer 3 switches.
Simple Network Management Protocol
SNMPv2c and SNMPv3
application layer protocol
provides a message format for communication between what are termed managers and agents
manager
a network management application running on a PC or server
typically being called a Network Management Station (NMS)
uses SNMP protocols to communicate with each SNMP agent.
Cisco Prime series of management products (www.cisco.com/go/prime) use SNMP (and other protocols) to manage networks.
agents
exist in the network, one per device that is managed.
software running inside each device (router, switch, and so on), with knowledge of all the variables on that device that describe the device’s configuration, status, and counters.
keeps a database of variables that make up the parameters, status, and counters for the operations of the device; this database is called the Management Information Base (MIB)
IOS on routers and switches includes an SNMP agent, with a built-in MIB, that can be enabled with the configuration shown later
Figure 12-8 Elements of Simple Network Management Protocol [figure: the NMS (e.g., Cisco Prime), the MIB, and the SNMP agent software on the Cisco router]
SNMP Variable Reading and Writing: SNMP Get and Set
NMS typically polls the SNMP agent on each device
NMS can notify the human user in front of the PC or send emails, texts, and so on to notify the network operations staff of any issues identified by the data found by polling the devices. You can even reconfigure the device through these SNMP variables in the MIB if you permit this level of control.
NMS uses the SNMP Get, GetNext, and GetBulk messages (together referenced simply as Get messages) to ask for information from an agent.
NMS sends an SNMP Set message to write variables on the SNMP agent as a means to change the configuration of the device.
messages come in pairs, with, for instance, a Get Request asking the agent for the contents of a variable, and the Get Response supplying that information
Figure 12-9 SNMP Get Request and Get Response Message Flow [figure: NMS sends an SNMP Get Request to Router 1 to find out whether Gi0/0 is up/up; the agent answers from the MIB]
NMS can analyze various statistical facts such as averages, minimums, and maximums
NMS can set thresholds for certain key variables, telling the NMS to send a notification (email, text, and so on) when a threshold is passed.
SNMP Notifications: Traps and Informs
SNMP agents can initiate communications to the NMS.
generally called notifications, use two specific SNMP messages: Trap and Inform
SNMP agents send a Trap or Inform SNMP message to the NMS to list the state of certain MIB variables when those variables reach a certain state.
Figure 12-10 SNMP Trap Notification Process [figure: Gi0/0 interface failed; Router 1 sends an SNMP Trap to the NMS ("Take a look!")]
SNMP Traps and Inform messages have the exact same purpose but differ in the protocol mechanisms
trap
The SNMP agent sends the Trap to the IP address of the NMS, using UDP as the transport protocol (as with all SNMP messages), with no acknowledgment, so it has less overhead than an Inform.
Inform
Like Trap messages but with reliability added
Added to the protocol with SNMP Version 2 (SNMPv2),
use UDP but add application layer reliability
NMS must acknowledge receipt of the Inform with an SNMP Response message, or the SNMP agent will time out and resend the Inform.
The Management Information Base
Every SNMP agent has its own Management Information Base
defines variables whose values are set and updated by the agent
enable the management software to monitor/control the network device.
defines each variable as an object ID (OID)
organizes the OIDs based in part on RFC standards, and in part with vendor-proprietary variables
organizes all the variables into a hierarchy of OIDs, usually shown as a tree
Each node in the tree can be described based on the tree structure sequence, either by name or by number.
Figure 12-11 Management Information Base (MIB) [figure: tree from internet (1) to private (4) to enterprises (1) to cisco (9), with example OIDs 1.3.6.1.4.1.9.2.2 and 1.3.6.1.4.1.9.9.10]
you could use an SNMP manager and type MIB variable 1.3.6.1.4.1.9.2.1.58.0 and click a button to get that variable, to see the current CPU usage percentage from a Cisco router
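The name-or-number naming of tree nodes described above, as an added example (not code from the page): a small MIB tree that resolves the CPU-usage OID 1.3.6.1.4.1.9.2.1.58.0 to its named path and back. The node names down to cisco(9) are the standard ones; the names below it (local, lsystem, avgBusy5) are assumed from Cisco's own MIB naming and are not on the page.

```python
from typing import Dict, List, Optional, Tuple

class MibNode:
    def __init__(self, name: str) -> None:
        self.name = name
        self.children: Dict[int, "MibNode"] = {}

    def add(self, path: Tuple[int, ...], name: str) -> None:
        node = self
        for n in path[:-1]:
            node = node.children[n]          # parent must already exist
        node.children[path[-1]] = MibNode(name)

ROOT = MibNode("")
for _path, _name in [
    ((1,), "iso"), ((1, 3), "org"), ((1, 3, 6), "dod"), ((1, 3, 6, 1), "internet"),
    ((1, 3, 6, 1, 4), "private"), ((1, 3, 6, 1, 4, 1), "enterprises"),
    ((1, 3, 6, 1, 4, 1, 9), "cisco"),
    # Names below cisco(9) are assumed from Cisco's MIB naming (not on the page).
    ((1, 3, 6, 1, 4, 1, 9, 2), "local"), ((1, 3, 6, 1, 4, 1, 9, 9), "ciscoMgmt"),
    ((1, 3, 6, 1, 4, 1, 9, 2, 1), "lsystem"), ((1, 3, 6, 1, 4, 1, 9, 2, 1, 58), "avgBusy5"),
]:
    ROOT.add(_path, _name)

def oid_to_name(oid: str) -> str:
    """Walk the tree number by number; once a number is unknown (an instance
    index such as the trailing .0, or an unmodelled subtree) keep it numeric."""
    node: Optional[MibNode] = ROOT
    labels: List[str] = []
    for n in (int(p) for p in oid.split(".")):
        if node is not None and n in node.children:
            node = node.children[n]
            labels.append(node.name)
        else:
            node = None
            labels.append(str(n))
    return ".".join(labels)

def name_to_oid(dotted: str) -> str:
    """Reverse lookup: each label must be a known child name or a bare number."""
    node: Optional[MibNode] = ROOT
    numbers: List[str] = []
    for label in dotted.split("."):
        hit = None
        if node is not None:
            hit = next(((n, c) for n, c in node.children.items() if c.name == label), None)
        if hit is not None:
            numbers.append(str(hit[0]))
            node = hit[1]
        elif label.isdigit():
            numbers.append(label)
            node = None
        else:
            raise KeyError("unknown MIB label: " + label)
    return ".".join(numbers)
```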
Securing SNMP
use ACLs to limit SNMP messages to those from known servers only.
can configure an IPv4 ACL to filter incoming SNMP messages that arrive in IPv4 packets and an IPv6 ACL to filter SNMP messages that arrive in IPv6 packets.
all versions of SNMP support a basic clear-text password mechanism.
SNMPv1 defined clear-text passwords called SNMP communities.
SNMP agent and the SNMP manager need prior knowledge of the same SNMP community value (called a community string)
Get messages and the Set message include the appropriate community string value, in clear text.
When the NMS sends a Get or Set with the correct community string, as configured on the SNMP agent, the agent processes the message.
SNMPv1 defines both a read-only community and a read-write community.
read-only (RO) community allows Get messages, and the read-write (RW) community allows both reads and writes (Gets and Sets).
Figure 12-12 RO and RW Communities with the Get and Set Commands [figure: R1 has RO community Pass1 and RW community Pass2; Get works with Pass1 or Pass2; Set works with Pass2 only]
SNMPv2, and the related Community-based SNMP Version 2 (SNMPv2c), came next. The original specifications for SNMPv2 did not include SNMPv1 communities; SNMPv2c added the community mechanism back.
SNMPv3
With SNMPv3, security arrived for this powerful network management protocol. SNMPv3 does away with communities and replaces them with the following features:
Message integrity: This mechanism, applied to all SNMPv3 messages, confirms whether or not each message has been changed during transit.
Authentication: This optional feature adds authentication with both a username and password, with the password never sent as clear text. Instead, it uses a hashing method like many other modern authentication processes.
Encryption (privacy): This optional feature encrypts the contents of SNMPv3 messages so that attackers who intercept the messages cannot read their contents.
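The two SNMPv1/v2c checks described in this section (the source-address ACL and the RO/RW community strings of Figure 12-12), modelled as an added example that is not code from the page or from IOS. The agent policy, the permitted NMS subnet 10.1.1.0/24 and the sample request addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List
import hmac

@dataclass(frozen=True)
class SnmpRequest:
    src_ip: str
    version: str      # "1" or "2c" are community based; "3" uses users instead
    pdu: str          # "Get", "GetNext", "GetBulk" or "Set"
    community: str    # travels in clear text for v1/v2c

@dataclass
class AgentPolicy:
    ro_community: str
    rw_community: str
    permitted_nms: List[str]   # networks the SNMP ACL permits, e.g. "10.1.1.0/24"

    def acl_permits(self, src_ip: str) -> bool:
        src = ip_address(src_ip)
        return any(src in ip_network(net) for net in self.permitted_nms)

    def decide(self, req: SnmpRequest) -> str:
        """Return 'accept' or the reason the agent silently drops the message."""
        if not self.acl_permits(req.src_ip):
            return "drop: source denied by SNMP ACL"
        if req.version not in ("1", "2c"):
            return "drop: not a community-based version"
        # Constant-time comparison so a wrong community does not leak timing.
        is_rw = hmac.compare_digest(req.community, self.rw_community)
        is_ro = hmac.compare_digest(req.community, self.ro_community)
        if req.pdu == "Set":
            return "accept" if is_rw else "drop: Set requires the RW community"
        if req.pdu in ("Get", "GetNext", "GetBulk"):
            return "accept" if (is_ro or is_rw) else "drop: unknown community"
        return "drop: unsupported PDU"

# Constructed sample: R1 with RO community Pass1, RW community Pass2, and an
# ACL that permits only the NMS subnet 10.1.1.0/24.
R1_POLICY = AgentPolicy("Pass1", "Pass2", ["10.1.1.0/24"])

SAMPLE_REQUESTS = [
    SnmpRequest("10.1.1.50", "2c", "Get", "Pass1"),
    SnmpRequest("10.1.1.50", "2c", "Get", "Pass2"),
    SnmpRequest("10.1.1.50", "2c", "Set", "Pass1"),
    SnmpRequest("10.1.1.50", "2c", "Set", "Pass2"),
    SnmpRequest("192.0.2.9", "2c", "Get", "Pass2"),   # right string, wrong source
]

def evaluate(policy: AgentPolicy, requests: List[SnmpRequest]) -> List[str]:
    return [policy.decide(r) for r in requests]
```

The last sample shows why the text pairs communities with an ACL: a correct string is useless unless the packet also comes from a permitted NMS address.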
FTP and TFTP
R2# show file systems
File Systems:

        Size(b)        Free(b)      Type  Prefixes
              -              -    opaque  archive:
              -              -    opaque  system:
              -              -    opaque  tmpsys:
              -              -    opaque  null:
              -              -   network  tftp:
*     256487424       49238016      disk  flash0: flash:#
              -              -      disk  flash1:
         262136         253220     nvram  nvram:
              -              -    opaque  syslog:
              -              -    opaque  xmodem:
              -              -    opaque  ymodem:
              -              -   network  rcp:
              -              -   network  pram:
              -              -   network  http:
              -              -   network  ftp:
              -              -   network  scp:
              -              -    opaque  tar:
              -              -   network  https:
              -              -    opaque  cns:
     7794737152     7483719680  usbflash  usbflash0:
[listing reconstructed from a garbled extraction; the Flags column (rw values) did not survive]
Opaque: To represent logical internal file systems for the convenience of internal functions and commands
Network: To represent external file systems found on different types of servers for the convenience of reference in different IOS commands
Disk: For flash
Usbflash: For USB flash
NVRAM: A special type for NVRAM memory, the default location of the startup-config file
the command more flash0:/wotemp/fred would display the contents of file fred in directory /wotemp in the first flash memory slot in the router.
many commands use a keyword that indirectly refers to a formal filename, to reduce typing. For example:
show running-config command: Refers to file system:running-config
show startup-config command: Refers to file nvram:startup-config
show flash command: Refers to default flash IFS (usually flash0:)
Upgrading IOS Images
The process to upgrade an IOS image into flash memory uses the following steps:
Step 1. Obtain the IOS image from Cisco, usually by downloading the IOS image from Cisco.com using HTTP or FTP.
Step 2. Place the IOS image someplace that the router can reach. Locations include TFTP or FTP servers in the network or a USB flash drive that is then inserted into the router.
Step 3. Issue the copy command from the router, copying the file into the flash memory that usually remains with the router on a permanent basis. (Routers usually cannot boot from the IOS image in a USB flash drive.)
Figure 12-13 Copying an IOS Image as Part of the Cisco IOS Software Upgrade Process [figure: image downloaded from the Internet to a TFTP server, then copied to the router with copy tftp flash]
Copying a New IOS Image to a Local IOS File System Using TFTP
R2# copy tftp flash
Address or name of remote host []? 2.2.2.1
Source filename []? c2900-universalk9-mz.SPA.152-4.M1.bin
Destination filename [c2900-universalk9-mz.SPA.152-4.M1.bin]?
Accessing tftp://2.2.2.1/c2900-universalk9-mz.SPA.152-4.M1.bin...
Loading c2900-universalk9-mz.SPA.152-4.M1.bin from 2.2.2.1: !!!!!!!!!!!!!!!!!!!!
[OK - 97794040 bytes]

97794040 bytes copied in 187.876 secs (396555 bytes/sec)
copy command
works through these kinds of questions:
What is the IP address or host name of the TFTP server?
What is the name of the file?
Ask the server to learn the size of the file, and then check the local router’s flash to ask whether enough space is available for this file in flash memory.
Does the server actually have a file by that name?
Do you want the router to erase any old files in flash?
Afterward, the router verifies that the checksum for the file shows that no errors occurred.
view the contents of the flash file system
show flash
shows the files in the default flash file system (flash0:)
R2# show flash
-#- --length-- -----date/time------ path
1    104193476 Jul 21 2015          c2900-universalk9-mz.SPA
3      5000320 Jul 10 2012          cpexpress.tar
4         1038 Jul 10 2012          home.shtml
5       122880 Jul 10 2012          home.tar
6      1697952 Jul 10 2012          securedesktop-ios-3.1.1.
7       415956 Jul 10 2012          sslclient-win-1.1.4.176.
8         1153 Aug 16 2012          wo-lic-1
9     97794040 Oct 10 2014          c2900-universalk9-mz.SPA

49238016 bytes available (207249408 bytes used)
[listing reconstructed from a garbled extraction; times of day and the ends of the longer filenames did not survive]
dir flash0: command lists the contents of that same file system, with similar information. (You can use the dir command to display the contents of any local IFS.)
R2# dir flash0:
Directory of flash0:/

    1  -rw-   104193476  Jul 21 2015 +00:00  c2900-universalk9-mz.SPA
    3  -rw-     5000320  Jul 10 2012 +00:00  cpexpress.tar
    4  -rw-        1038  Jul 10 2012 +00:00  home.shtml
    5  -rw-      122880  Jul 10 2012 +00:00  home.tar
    6  -rw-     1697952  Jul 10 2012 +00:00  securedesktop-ios-3.1.1.
    7  -rw-      415956  Jul 10 2012 +00:00  sslclient-win-1.1.4.176.
    8  -rw-        1153  Aug 16 2012 +00:00  wo-lic-1
    9  -rw-    97794040  Oct 10 2014 +00:00  c2900-universalk9-mz.SPA

256487424 bytes total (49238016 bytes free)
show flash lists the bytes used, whereas the dir command lists the total bytes (bytes used plus bytes free). Be sure to know which command lists which particular total.
Verifying IOS Code Integrity with MD5
When Cisco builds a new IOS image, it calculates and publishes an MD5 hash value for that specific IOS file.
The IOS verify /md5 command lists the MD5 hash as recalculated on your router. If both MD5 hashes are equal, the file has not changed.
Figure 12-14 MD5 Verification of IOS Images—Concepts [figure: compare the MD5 published on www.cisco.com for the download (MD5: xxxxxxx…) with the hash recomputed on the router]
The verify /md5 command generates the MD5 hash on your router.
You can include the hash value computed by Cisco as the last parameter (as shown in the example), or leave it off. If you include it, IOS will tell you if the locally computed value matches what you copied into the command. If you leave it out, the verify command lists the locally computed MD5 hash, and you have to do the picky character-by-character check of the values yourself.
R2# verify /md5 flash0:c2900-universalk9-mz.SPA.154-3.M3.bin a79e325
.MD5 of flash0:c2900-universalk9-mz.SPA.154-3.M3.bin Done!
Verified (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = a79e325e6c
Copying Images with FTP
Method  Method (Full Name)              Encrypted?
TFTP    Trivial File Transfer Protocol  No
FTP     File Transfer Protocol          No
SCP     Secure Copy Protocol            Yes
copy ftp flash
R1# copy ftp://wendell:odom@192.168.1.170/c2900-universalk9-mz.SPA.155-2.T1.bin flash
Destination filename [c2900-universalk9-mz.SPA.155-2.T1.bin]?
Accessing ftp://192.168.1.170/c2900-universalk9-mz.SPA.155-2.T1.bin...
Loading c2900-universalk9-mz.SPA.155-2.T1.bin !!!!!!!!!!!!!!!!!!!!
[OK - 107410736/4096 bytes]

107410736 bytes copied in 119.604 secs (898053 bytes/sec)
can configure the FTP username and password on the router so that you do not have to include them in the copy command. For instance, the global configuration commands ip ftp username wendell and ip ftp password odom would have configured those values.
The FTP and TFTP Protocols
copy command, when using the tftp or ftp keyword, makes the command act as a client
FTP Protocol Basics
uses TCP, with well-known port 21 and, in some cases, also well-known port 20.
FTP uses a client/server model for file transfer
FTP control connection: defines the kinds of functions supported by FTP, allowing the client to navigate around the directory structures of the server, list files, and then transfer files from the server (FTP GET) or to the server (FTP PUT).
summary of some of the FTP actions:
Navigate directories: List the current directory, change the current directory to a new directory, go back to the home directory, all on both the server and client side of the connection.
Add/remove directories: Create new directories and remove existing directories on both the client and server.
List files: List files on both the client and server.
File transfer: Get (client gets a copy of the file from the server), Put (client takes a file that exists on the client and puts a copy on the FTP server).
FTP Active and Passive Modes
The mode may impact whether the TCP client can or cannot connect to the server and perform normal functions.
The user at the FTP client can choose which mode to use; FTP passive mode may be the more likely option to work when a firewall sits between client and server.
FTP uses two types of TCP connections:
Control Connection: Used to exchange FTP commands
Data Connection: Used for sending and receiving data, both for file transfers and for output to display to a user
when a client connects to an FTP server, the client first creates the FTP control connection
server listens for new control connections on its well-known port 21
client allocates any new dynamic port (49222 in this case) and creates a TCP connection to the server
Figure 12-17 FTP Client Creates an FTP Control Connection [figure: client 192.168.1.102 port 49222 to FTP server 192.168.1.11 port 21; TCP SYN, SYN-ACK, ACK]
The FTP client allocates a currently unused dynamic port and starts listening on that port.
The client identifies that port (and its IP address) to the FTP server by sending an FTP PORT command to the server.
The server, because it also operates in active mode, expects the PORT command; the server reacts and initiates the FTP data connection to the client’s address (192.168.1.102) and port (49333).
Figure 12-18 FTP Active Mode Process to Create the Data Connection [figure: over the control connection (client 49222 to server 21) the client sends FTP PORT 192.168.1.102 49333; the server, from port 49160, sends the TCP SYN for the data connection]
Passive mode helps solve the firewall restrictions by having the FTP client initiate the FTP data connection to the server.
passive mode does not simply cause the FTP client to connect to a well-known port on the server;
The FTP client changes to use FTP passive mode, notifying the server using the FTP PASV command.
The server chooses a port to listen on for the upcoming new TCP connection, in this case TCP port 49444.
The FTP server notifies the FTP client of its IP address and chosen port with the FTP PORT command.
The FTP client opens the TCP data connection to the IP address and port learned at the previous step.
Figure 12-19 FTP Passive Mode Process to Create the Data Connection [figure: client 192.168.1.102 (49222) sends FTP PASV; server 192.168.1.11 chooses 49444 and answers FTP PORT 192.168.1.11 49444; the client sends the TCP SYN for the data connection]
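The active and passive exchanges of Figures 12-18 and 12-19, as an added example that is not code from the page: it encodes and decodes the six-number address-and-port argument FTP uses, then reports which side must open the data connection in each mode. The addresses and ports are the ones in the figures; the assumption beyond the page is that the server's passive-mode answer is carried in the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.

```python
import re
from typing import Dict, Tuple

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def encode_hostport(ip: str, port: int) -> str:
    """h1,h2,h3,h4,p1,p2 form used by the PORT command: port = p1*256 + p2."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ",".join(octets + [str(port // 256), str(port % 256)])

def decode_hostport(text: str) -> Tuple[str, int]:
    """Parse the tuple from a client PORT command or from the server's
    227 reply to PASV; rejects tuples with an element above 255."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host-port tuple in: " + text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("tuple element exceeds 255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(mode: str, client_ip: str, server_ip: str, chosen_port: int) -> Dict[str, object]:
    """Who opens the data connection, and toward which endpoint, per mode."""
    if mode == "active":
        # The client listens on chosen_port and announces it with PORT; the
        # server then sends the SYN, so a firewall in front of the client must
        # admit an inbound connection to a dynamic port.
        msg = "PORT " + encode_hostport(client_ip, chosen_port)
        ip, port = decode_hostport(msg)
        return {"message": msg, "initiator": "server", "target": (ip, port)}
    if mode == "passive":
        # The client sends PASV; the server picks chosen_port and reports it,
        # and the client sends the SYN (outbound from the client's side).
        reply = "227 Entering Passive Mode (%s)" % encode_hostport(server_ip, chosen_port)
        ip, port = decode_hostport(reply)
        return {"message": reply, "initiator": "client", "target": (ip, port)}
    raise ValueError("mode must be 'active' or 'passive'")
```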
FTP over TLS (FTP Secure)
FTPS encrypts both the control and data connections with TLS, including the exchange of the usernames and passwords
FTPS explicit mode process:
The client creates the FTP control TCP connection to server well-known port 21.
The client initiates the use of TLS in the control connection with the FTP AUTH command.
When the user takes an action that requires an FTP data connection, the client creates an FTP data TCP connection to server well-known port 21.
The client initiates the use of TLS in the data connection with the FTP AUTH command.
Figure 12-20 FTPS Explicit Mode Control and Data Connection Establishment [figure: client 192.168.1.102 port 49222 sends FTP AUTH (starts TLS) on the control connection to server 192.168.1.11; client port 49299 sends FTP AUTH (starts TLS) on the data connection]
implicit mode process
begins with a required TLS connection, with no need for an FTP AUTH command, using well-known ports 990 (for the control connection) and 989 (for the data connection).
SFTP
uses SSH to encrypt file transfers over an SSH connection. However, the acronym SFTP does not refer to a secure version of FTP.
TFTP Protocol Basics
Trivial File Transfer Protocol uses UDP well-known port 69. Because it uses UDP, TFTP adds a feature to check each file for transmission errors by using a checksum process on each file after the transfer completes.
TFTP's code requires less space to install, which can be useful for devices with limited memory.
can Get and Put files, but it includes no commands to change directories, create/remove directories, or even to list files on the server.
does not support even simple clear-text authentication. In effect, if a TFTP server is running, it should accept requests from any TFTP client.