IS-IS Authentication

I’ve been playing recently with IS-IS authentication and want to share some notes.

Authentication works much the same way in almost every IGP, but IS-IS is a little different.

Let’s start with a simple topology: two routers, RA and RB, connected over a broadcast network type.


The configuration is basic: create the IS-IS routing process and enable the IS-IS instance under the interface.

Router A

router isis 1
 net 00.0000.0000.0002.00
interface Ethernet0/2
 ip address 10.1.2.2 255.255.255.0
 ip router isis 1
 isis circuit-type level-2-only

Router B

router isis 1
 net 00.0000.0000.0001.00
interface Ethernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip router isis 1

The neighborship is formed:

RA#show isis neighbors
Tag 1:
System Id      Type Interface   IP Address      State Holdtime Circuit Id
RB             L2   Et0/2       10.1.2.1        UP    9        RB.04

and we see that Router B is elected DIS, which means it sends CSNPs every 10 seconds.

Now let’s enable authentication. There are two options, MD5 and clear-text; this time we will configure MD5 authentication.

Unlike other IGP routing protocols, IS-IS can authenticate at two separate levels: adjacency authentication, which adds MD5 hash authentication data to the IIH Hello PDUs, and LSDB authentication, which authenticates the LSP, CSNP and PSNP packets exchanged after the neighbors form an adjacency. Both can be configured at the same time, but at different configuration levels: IIH authentication is configured under the interface, and LSDB authentication is configured under the IS-IS routing instance.
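On the wire, both kinds of authentication show up as the same Authentication Information TLV (type 10) inside each PDU; what differs is which PDU types carry it and which configuration level controls it. The following Python is an added example, not code from the original post: it builds a constructed Level-2 LAN IIH using the system IDs from the lab above, inserts an HMAC-MD5 Authentication TLV as specified by RFC 5304 (the digest is computed over the entire PDU, header included, with the digest field zeroed first), and verifies it the way a receiving router would, returning "fail" for a wrong key, which is the condition behind the %CLNS-4-AUTH_FAIL messages shown later in the post. The PDU layout and TLV set are simplified assumptions; the example does not claim to reproduce the exact bytes Cisco IOS emits.

```python
"""Added example (not from the original post): build an IS-IS Level-2 LAN IIH carrying an
RFC 5304 HMAC-MD5 Authentication TLV (type 10) and verify it as a receiving router would."""
import hashlib
import hmac
import struct

IRPD_ISIS = 0x83              # Intradomain Routing Protocol Discriminator: marks an IS-IS PDU
PDU_L2_LAN_IIH = 16           # PDU type of a Level-2 LAN Hello
IIH_PDU_TYPES = {15, 16, 17}  # L1 LAN IIH, L2 LAN IIH, P2P IIH: authenticated at interface level
LSP_PDU_TYPES = {18, 20}      # L1 LSP, L2 LSP: routing-process level, with extra fields zeroed
IIH_HDR_LEN = 27              # 8-byte common header + 19 bytes of LAN IIH fixed fields
TLV_AREA, TLV_AUTH, TLV_PROTOCOLS, TLV_IP_IFACE = 1, 10, 129, 132
AUTH_CLEARTEXT = 1            # RFC 1195 cleartext password
AUTH_HMAC_MD5 = 54            # RFC 5304: TLV value is 1 type byte + a 16-byte digest

# Values from the lab above: RB has NET 00.0000.0000.0001.00, is the DIS (LAN ID RB.04), IP 10.1.2.1
RB_SYSTEM_ID = bytes.fromhex("000000000001")
RB_LAN_ID = RB_SYSTEM_ID + b"\x04"
AREA_ID = bytes.fromhex("00")
RB_IPV4 = bytes([10, 1, 2, 1])


def tlv(tlv_type, value):
    """Encode one TLV as type, length, value."""
    return bytes([tlv_type, len(value)]) + value


def auth_scope(pdu):
    """Which configuration level protects this PDU type (the IS-IS split described in the post)."""
    return "interface (IIH)" if (pdu[4] & 0x1F) in IIH_PDU_TYPES else "routing process (LSP/CSNP/PSNP)"


def build_l2_lan_iih(system_id, lan_id, ip, key=None):
    """Constructed L2 LAN IIH; with a key, append TLV 10 and fill in the HMAC-MD5 digest."""
    body = bytearray()
    body += tlv(TLV_AREA, bytes([len(AREA_ID)]) + AREA_ID)        # Area Addresses
    body += tlv(TLV_PROTOCOLS, b"\xcc")                           # Protocols Supported: IPv4
    body += tlv(TLV_IP_IFACE, ip)                                 # IP Interface Address
    digest_off = None
    if key is not None:
        digest_off = IIH_HDR_LEN + len(body) + 3                  # past TLV type, length, auth-type
        body += tlv(TLV_AUTH, bytes([AUTH_HMAC_MD5]) + bytes(16))  # digest placeholder: zeros
    pdu_len = IIH_HDR_LEN + len(body)
    hdr = struct.pack("!8B", IRPD_ISIS, IIH_HDR_LEN, 1, 0, PDU_L2_LAN_IIH, 1, 0, 0)
    # circuit type 2 (L2 only), source ID, holding time 30, PDU length, priority 64, LAN ID
    hdr += struct.pack("!B6sHHB7s", 2, system_id, 30, pdu_len, 64, lan_id)
    pdu = bytearray(hdr + body)
    if key is not None:
        # RFC 5304: HMAC-MD5 over the entire PDU, header included, with the digest field zeroed
        pdu[digest_off:digest_off + 16] = hmac.new(key, bytes(pdu), hashlib.md5).digest()
    return bytes(pdu)


def iter_tlvs(pdu):
    """Yield (type, offset of value, value) for each TLV after the fixed header."""
    off = pdu[1]
    while off < len(pdu):
        if off + 2 > len(pdu) or off + 2 + pdu[off + 1] > len(pdu):
            raise ValueError("truncated TLV")
        length = pdu[off + 1]
        yield pdu[off], off + 2, pdu[off + 2:off + 2 + length]
        off += 2 + length


def verify_auth(pdu, key):
    """Return 'ok', 'fail' (what a router logs as %CLNS-4-AUTH_FAIL), 'missing' or 'unsupported'."""
    if len(pdu) < 8 or pdu[0] != IRPD_ISIS:
        return "not-isis"
    for tlv_type, val_off, val in iter_tlvs(pdu):
        if tlv_type != TLV_AUTH or not val:
            continue
        if val[0] == AUTH_CLEARTEXT:
            return "ok" if hmac.compare_digest(val[1:], key) else "fail"
        if val[0] == AUTH_HMAC_MD5 and len(val) == 17:
            work = bytearray(pdu)
            work[val_off + 1:val_off + 17] = bytes(16)            # zero the received digest
            if (pdu[4] & 0x1F) in LSP_PDU_TYPES:
                work[10:12] = b"\x00\x00"                          # LSP Remaining Lifetime
                work[24:26] = b"\x00\x00"                          # LSP Checksum
            expected = hmac.new(key, bytes(work), hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, val[1:]) else "fail"
        return "unsupported"
    return "missing"


if __name__ == "__main__":
    iih = build_l2_lan_iih(RB_SYSTEM_ID, RB_LAN_ID, RB_IPV4, key=b"PWD")
    print(auth_scope(iih), verify_auth(iih, b"PWD"), verify_auth(iih, b"INCORRECT"))
```

Because the digest covers the whole PDU, changing any field (the holding time, for instance) makes verification fail, not just changing the key. The verifier also zeroes the Remaining Lifetime and Checksum fields for LSP types, as RFC 5304 requires, although the builder here only constructs IIHs; the comparison uses hmac.compare_digest so that a wrong digest is rejected in constant time.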

Let’s capture the IS-IS packets on Router A to make this more visible. Here are the IIH and CSNP packets without authentication.


There is no authentication information in the PDUs, and you can see that Router B, the DIS, sends CSNPs every 10 seconds.


RB#show int ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is aabb.cc00.1000 (bia aabb.cc00.1000)

Now enable authentication for IIH at the interface level.

Router B

RB(config)#key chain PASS
RB(config-keychain)# key 1
RB(config-keychain-key)#  key-string PWD
RB(config-keychain-key)#
RB(config-keychain-key)#int eth0/0
RB(config-if)#isis authentication mode md5
RB(config-if)#isis authentication key-chain PASS

Until Router A is enabled for authentication, Router B complains via syslog that IIH authentication is failing:

*Apr  3 13:05:03.529: %CLNS-4-AUTH_FAIL: ISIS: LAN IIH authentication failed

RA(config-keychain-key)#do show clns nei
Tag 1:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
RB             Et0/2       aabb.cc00.1000      Init   22        L2   IS-IS

and the adjacency is stuck in the Init state.

Router A

RA(config)#key chain PASS
RA(config-keychain)# key 1
RA(config-keychain-key)#  key-string PWD
RA(config-keychain-key)#
RA(config-keychain-key)#int eth0/2
RA(config-if)#isis authentication mode md5
RA(config-if)#isis authentication key-chain PASS

If we don’t specify a level after the isis authentication command, it is enabled for both Level 1 and Level 2 by default.

Now we see that the IIH Hello packet carries authentication information.


We could enable authentication for the LSDB as well right now and run both mechanisms together. The difference between IS-IS and OSPF is that with LSDB authentication enabled, an incorrect password or hash still allows the neighborship to form and the neighbors to reach the Up state, but the routing process does not process the LSP packets; this is not the case with OSPF.

Let’s remove the IIH authentication and enable it for the LSDB under the routing process.

Router B

RB(config-if)#int eth0/0
RB(config-if)#no isis authentication mode md5
RB(config-if)#no isis authentication key-chain PASS
RB(config-if)#router isis 1
RB(config-router)#authentication mode md5
RB(config-router)#authentication key-chain PASS

Router A

RA(config-if)#int eth0/2
RA(config-if)#no isis authentication mode md5
RA(config-if)#no isis authentication key-chain PASS

Until we configure authentication under the routing process on Router A, Router B complains via syslog that LSP and PSNP authentication is failing:

*Apr  3 13:18:14.939: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
*Apr  3 13:19:15.667: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed

The reason we don’t see a CSNP authentication error here is that CSNPs are not sent by default until the LSDB ages out; it is the DIS that sends CSNPs every 10 seconds, and they carry sequence numbers and checksums, not the routes themselves.

RA(config-if)#router isis 1
RA(config-router)#authentication mode md5
RA(config-router)#authentication key-chain PASS

We’ve removed IIH authentication and enabled it for the LSDB; let’s capture it.


Now the CSNP carries authentication information as well. Let me configure an incorrect MD5 password on Router A.

Router A

RA(config)#key chain PASS
RA(config-keychain)#key 1
RA(config-keychain-key)#key-string INCORRECT

Router A complains about the CSNP authentication information:

*Apr  3 13:27:14.419: %CLNS-4-AUTH_FAIL: ISIS: CSNP authentication failed

RA#show clns neighbors
Tag 1:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
RB             Et0/2       aabb.cc00.1000      Up     7         L2   IS-IS

The neighborship is nevertheless in the Up state, but if we advertise a new network from Router B or from Router A, neither side installs it in its LSDB, while the old information stays in the database until it ages out.

Hope you enjoyed,

Thanks

 


CCIE R&S Written, My Notes

cciie111

I passed the CCIE R&S written today and want to share my notes on the things that are “hard” and “important” to remember. Of course this isn’t enough to study and pass the exam; you need to read the CCIE RS certification guide and at least several RFCs.

Here we go 🙂

Multicast

  • PIM protocol ID = 103
  • IGMP protocol ID = 2
  • IGMPv3 report messages are sent to 224.0.0.22
  • IGMPv2 report messages are sent to the group address
  • IGMPv3 in ISM mode supports include and exclude; in SSM mode only include
  • MSDP peers are connected via TCP
  • If MSDP neighbors are in a mesh group, RPF isn’t performed
  • FF00::/8 is the reserved IPv6 multicast address range
  • Only sparse mode is supported on IPv6 multicast
  • MLDv2 supports SSM like IGMPv3
  • The last 23 bits of the IP address are used when mapping a multicast IP to a MAC address: convert the IP to binary, then the binary to hex.
  • Only BSR is supported on IPv6, no Auto-RP
  • PIM message type field values: 0 is Hello
  1. Register
  2. Register-stop
  3. Join/Prune
  4. Bootstrap
  5. Assert
  6. Graft
  7. Graft-ack
  8. Candidate-RP Advertisement
  9. State-refresh
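The 23-bit MAC mapping in the multicast note above is worth working through once, because it is the source of a well-known ambiguity: 5 of the 28 group bits are discarded, so 32 different IPv4 groups share one multicast MAC and a host’s NIC filter cannot tell them apart. The Python below is an added example, not part of the original notes; it carries out the binary-to-hex steps the note describes, enumerates the 32 colliding groups, and goes beyond the note by also showing the IPv6 mapping (33:33 plus the low 32 bits of the group address) for the FF02:: addresses listed elsewhere on this page.

```python
"""Added example (not from the original notes): multicast group to MAC address mapping."""
import ipaddress


def _fmt_mac(mac):
    """Render a 48-bit integer as a colon-separated MAC string."""
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ipv4_multicast_mac(group):
    """01:00:5e + the low 23 bits of the group address (RFC 1112 mapping)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7F_FFFF          # the high 5 of the 28 group bits are discarded
    return _fmt_mac((0x01005E << 24) | low23)


def ipv4_mapping_steps(group):
    """The note's procedure: full address in binary, last 23 bits, those bits in hex, resulting MAC."""
    addr = int(ipaddress.IPv4Address(group))
    low23 = addr & 0x7F_FFFF
    return {
        "binary": f"{addr:032b}",
        "low23_binary": f"{low23:023b}",
        "low23_hex": f"{low23:06x}",
        "mac": ipv4_multicast_mac(group),
    }


def ipv4_groups_sharing_mac(group):
    """All 32 IPv4 groups (2**5 values of the dropped bits) that map to the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7F_FFFF
    return [str(ipaddress.IPv4Address(0xE000_0000 | (high5 << 23) | low23)) for high5 in range(32)]


def ipv6_multicast_mac(group):
    """33:33 + the low 32 bits of the group address (RFC 2464 mapping)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return _fmt_mac((0x3333 << 32) | (int(addr) & 0xFFFF_FFFF))


if __name__ == "__main__":
    # EIGRP's group from the routing notes, and two groups that collide with 224.1.1.1
    print(ipv4_mapping_steps("224.0.0.10"))
    print(ipv4_multicast_mac("224.1.1.1"), ipv4_multicast_mac("225.1.1.1"))
    print(ipv4_groups_sharing_mac("224.1.1.1"))
    print(ipv6_multicast_mac("ff02::5"), ipv6_multicast_mac("ff02::a"))
```

The collision list is the practical point for a switch or host operator: a receiver joined to 224.1.1.1 will also get frames for 225.1.1.1 and the other 30 groups at Layer 2 and must rely on the IP layer to discard them, which is one reason to avoid group addresses that differ only in those 5 bits on the same segment.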

QOS

  • DSCP = first 6 bits
  • IPP = first 3 bits
  • Frame Relay DE = 1 bit
  • MPLS EXP = 3 bits
  • CoS = 3 bits
  • Best effort = DSCP 0
  • EF = DSCP 46
  • LLQ policing is active during congestion
  • bandwidth remaining X command = interface bandwidth – LLQ BW
  • CBWFQ/LLQ supports 64 queues
  • CBWFQ isn’t supported on sub-interfaces
  • WRED prevents the TCP global synchronization problem
  • WRED can’t be applied to the voice queue.
  • With WRED, the packet drop probability is based on the minimum threshold, maximum threshold and mark probability denominator: when the average queue depth is above the minimum threshold, RED starts dropping packets, and with a denominator of 100, one in every 100 packets is dropped when the average queue depth reaches the maximum threshold. When the average queue depth is above the maximum threshold, all packets are dropped.
  • Shaping formula – Tc = Bc/CIR -> Bc = Tc x CIR
  • Tc in shaping = interval per second
  • Bc in shaping = amount of bits that can be sent during Tc
  • Be in shaping = amount of bits over Bc that can be sent during Tc after an idle period
  • AIR in shaping = interface port speed
  • CIR in shaping = Bc/Tc, the average speed (shaping rate)
  • Shaping is on egress
  • Policing is on ingress
  • In policing, when a packet is dropped no tokens are removed from the bucket
  • CAR policing isn’t supported on Fast EtherChannel, tunnel, PRI and CEF-unsupported interfaces
  • A single token bucket is used when no violate-action is configured on the policer; a two-bucket system is used when violate-action is specified
  • GTS and class-based shaping use WFQ by default
  • GTS isn’t supported on PPP multilink interfaces
  • Adaptive traffic shaping isn’t supported on class-based shaping
  • dCEF must be enabled before DTS
  • FRTS is at the PVC level
  • On 3560 QoS there are 2 ingress queues; Q2 is the priority queue by default
  • On 3560 QoS there are 4 egress queues; Q1 is the priority queue by default
  • On 3560 QoS, shaped round robin overrides shared round robin
  • Shared round robin formula for calculating allocated bandwidth:

srr-queue bandwidth share 30 (Q1)  20 (Q2) 25 (Q3) 25 (Q4)

on 100 Mbps interfaces: 30/100 × 100 = 30 Mbps for Q1

on 10 Mbps interfaces: 30/100 × 10 = 3 Mbps for Q1

L2

  • On RSTP, on a TC the switch starts a timer equal to twice the hello timer
  • On RSTP, during the TC the switch flushes all MAC addresses associated with its ports except the TCN-receiving interface
  • STP BID = 8 bytes
  • 12 bits are reserved for the extended system ID in 802.1D
  • On MST, configuration name = 32 bytes
  • On MST, revision number = 2 bytes
  • On STP, if there is a cost tie in root path election the switch prefers the lowest upstream BID; if the BID ties, the lowest PID (port ID)
  • On STP, BPDUs are sent every 2 sec by default
  • The RSTP sync process occurs only on P2P non-edge ports
  • Inter-region path selection uses the CST on MSTP
  • With Flex Links, once the primary link fails all MAC addresses are moved to the backup link; a dummy multicast packet is sent out the backup link with each of those MAC addresses as source
  • Protected ports prevent communication on the same VLAN at Layer 3
  • VTP pruning is supported only in server and client mode
  • VLANs 2 – 1001 are prune eligible
  • VTPv1 in transparent mode inspects messages and then forwards them if the domain name matches; not so in v2
  • ISL frame encapsulation is 30 bytes!
  • The dot1q tag is 4 bytes
  • The minimum frame size with dot1q is 68 bytes

IPV6

  • FC00::/7 – Unique Local Addresses
  • 2000::/3 – Global unicast
  • FF00::/8 – Multicast
  • FE80::/10 – Link-Local
  • Router advertisements are disabled by default on ISATAP tunnels; they can be enabled with the command no ipv6 nd suppress-ra
  • OSPF multicast addresses = FF02::5, FF02::6
  • EIGRPv6 multicast address = FF02::A
  • IPv6IP tunneling protocol ID = 41

SNMP

  • SNMPv3 supports DES encryption; in the “future” AES will be supported
  • SNMP uses UDP ports 161/162

Security

  • On ZBF, self-zone in/out traffic is allowed by default
  • On ZBF, the self zone doesn’t support application inspection
  • CBAC session logging can be enabled via audit trails
  • Reflexive ACLs don’t support protocol inspection, only TCP/UDP apps
  • The port security default violation mode is shutdown
  • The ACL log-input keyword gives us source and destination MAC and IP address logging

IOS Services

  • RMON has two components, alarm and event
  • HSRP uses multicast 224.0.0.1 on UDP port 1985
  • NetFlow common versions: 5, 9
  • On outside-to-inside NAT, routing and then inspection occur after translation
  • The vrf definition command enables multiprotocol VRF
  • GRE protocol ID = 47
  • IPinIP protocol ID = 4
  • IPv6IP protocol ID = 41
  • TACACS uses TCP port 49
  • RADIUS uses UDP port 1645/1812 for authentication and UDP 1646/1813 for accounting
  • On BVI, in CRB mode routers can bridge or route, not both at the same time, but IRB allows you to route and bridge the same protocol stack on the same interface.
  • On PBR, the set ip next-hop verify-availability command checks whether the neighbor is a CDP peer and forwards only if it matches in the table
  • Cron timers “* * * * *”: when a 0 value is issued, the next timer is processed instead of the 0 value’s place
  1. Min 0 – 59
  2. Hour 0 – 23
  3. Day of month 1 – 31
  4. Month of year 1 – 12
  5. Day of week 0 – 6 (0 is Sunday)

Routing

  • The EIGRPv6 process is disabled by default and must be enabled with the no shutdown command
  • RIPng uses UDP port 521, multicast FF02::9
  • On RIP, UDP port 520 is used for transport
  • RIPv1 updates are sent as broadcast
  • RIPv2 updates are sent as multicast (224.0.0.9)
  • On RIP, update time = 30 sec
  • On RIP, invalid time = 180 sec
  • On RIP, holddown time = 180
  • On RIP, flush time = 280
  • On RIP, metric 16 is infinite
  • On RIP, offset-list filtering with ACL 0 means all routes
  • On RIP, ip rip triggered sends updates only when changes occur in the database
  • On RIP, source validation accepts updates only from the same subnet; it can be disabled with the no validate-update-source command
  • EIGRP protocol ID = 88
  • EIGRP multicast addr = 224.0.0.10
  • EIGRP hello interval on NBMA = 60
  • EIGRP hello interval on broadcast = 5
  • EIGRP holdtime on NBMA = 180
  • EIGRP holdtime on broadcast = 15
  • On EIGRP, by default EIGRP uses 50% of the interface bandwidth.
  • On EIGRP, if feasible distance × variance > FS, load balancing occurs (only FSs are load balancing candidates)
  • On EIGRP, if no FS is in the neighbor table, a query message is sent when the router loses a route
  • On EIGRP, query messages are suppressed by stub and summarization.
  • On EIGRP, the default AD of summarized routes is 5
  • On OSPF, if the forwarding address is suppressed during translation from type 7 to type 5 LSA, traffic is forwarded through the ABR!
  • On OSPF point-to-multipoint, the hub changes the next hop to itself when advertising a route from one spoke to another spoke, and /32 spoke routes are installed on each router.
  • On OSPF, DR/BDR is elected only on broadcast and non-broadcast network type links
  • On OSPF, if a P2P- or P2M-family interface is connected to a non-P2P/P2M-family network, the neighborship comes up and LSAs will be exchanged, but routes are not installed into the RIB
  • On OSPF, hello interval on P2P & broadcast = 10
  • On OSPF, dead interval on P2P & broadcast = 40
  • On OSPF, hello interval on P2M, P2M-NB & non-broadcast = 30
  • On OSPF, dead interval on P2M, P2M-NB & non-broadcast = 120
  • On OSPF, point-to-multipoint non-broadcast is the same as P2M but sends hellos as unicast and allows per-VC cost configuration on Frame Relay
  • On OSPF, the loopback network type is advertised as /32; this can be disabled with the ip ospf network point-to-point command
  • On OSPF, if multiple ABRs exist, the ABR with the higher RID is elected as the LSA type 7 to type 5 translator
  • On OSPF, the default redistribution seed metric is 20
  • On OSPF with MPLS, if a router runs VRF-Lite it thinks it is a PE router and checks the DN bit, which is set on type 3 LSAs by default; we can solve this with the capability vrf-lite command, or by setting a different domain-id on each PE that advertises type 5 LSAs, or simply by configuring sham-links, which give us intra-area routes on the CEs.
  • BGP denies OSPF external routes by default
  • eBGP routes are allowed to be redistributed into an IGP; iBGP routes are denied by default
  • On BGP, 4-byte ASNs are sent to old BGP speakers as AS dot numbers encoded as ASN 23456
  • On BGP, private ASes are 64512-65535
  • On BGP, locally originated routes have weight 32,768
  • On BGP, TTL-security can’t be configured with a peer that already has ebgp-multihop configured
  • On BGP RRs, routes learned from non-clients aren’t advertised to non-clients
  • On BGP, OSPF external routes aren’t redistributed into BGP by default; the special keywords “internal, external” are required under the redistribute statement
  • On BGP, when redistributing from an IGP into BGP, the metric is automatically copied to MED
  • BGP community NO-EXPORT = don’t advertise the route to eBGP peers
  • BGP community NO-ADVERTISE = don’t advertise the route to any peers.
  • BGP community LOCAL-AS = don’t advertise the route outside of the AS
  • On MPLS, a 4-byte header is used
  • LDP neighbor discovery uses UDP port 646 to 224.0.0.2

Frame Relay

  • Inverse-ARP requests can be disabled with the no frame-relay inverse-arp command; replies can’t be disabled
  • InARP is disabled when a static mapping is configured, and dynamic mappings are overridden by static entries
  • If 0.0.0.0 is in the frame relay mapping table, it means auto-install failed and the router can’t get its configuration from TFTP
  • Auto-install happens when the router doesn’t have a configuration in NVRAM
  • Frame Relay gets the address and TFTP information via BootP
  • ANSI and Q933a LMI types listen for messages on DLCI 0; the Cisco LMI type listens on DLCI 1023

PPP

  • Once neighbors negotiate IPCP, each router adds the other’s /32 route into the RIB; this behaviour can be disabled with the no peer neighbor-route command
  • PAP auth – clear-text user, clear-text password
  • CHAP auth – clear-text user, MD5-hashed password
  • PPP adds 8 bits on PPPoFR
  • In PPP, dialer persistent means the circuit is always up

Hope this helps.

Aaand my long journey starts here, moving on to the lab 🙂