Address Resolution Protocol, used to discovery layer two address when IP address is already known. Uses protocol 0×0806 compared to Ethernet which uses 0×0800. At layer two an ARP request is a broadcast since the MAC address of the destination device is unknown, this means that the destination MAC is FF:FF:FF:FF:FF:FF. In the ARP packet itself the target MAC address is set to 00:00:00:00:00:00. The device receving the request will answer with a reply (hopefully) with its MAC address in the sender MAC address field in the ARP packet.
Uses the same message types as regular ARP. Can be used together with other methods to force traffic to go through a router even if hosts are in the same subnet, useful in a FTTH/ETTH scenario. If a host has the IP 10.1.1.100/8 with a GW of 10.1.1.1 and wants to send a packet to 10.1.2.100 they are in the same network according to subnetmask but the router with IP 10.1.1.1 might have /24 masks on these subnets. Unless proxy ARP is enabled the traffic will never reach its destination since the first host won’t know what MAC address to use as a destination.
Uses same messages as ARP but is used by hosts to discover their IP address. The host will broadcast a RARP request with a sender IP of 0.0.0.0. A RARP server has to be present on the local subnet and it has mappings of MAC addresses to IP addresses. The server will reply with the IP address that the host should use.
Partly designed to be an improvement of RARP. Encapsulated in UDP and uses different kind of messages. With a correct configuration on a router messages can be forwarded to a centrally placed server instead of using locally placed servers. Supports more information in reply like default gateway, DNS server, subnet mask and an address to a boot (image) server. Still has the burden of mapping MAC addresses to IP addresses.
The next step in dynamic addressing. Support for sending pretty much any information needed to a host including IP, gateway, subnetmask, DNS, custom options. Servers are most often centrally located and relies on the function of DHCP relay. On a cisco router DHCP relay is configured with the ip helper-address command. When the router receives a broadcast on the LAN from a host trying to find out its IP it will change the destination IP (255.255.255.255) to the IP of the DHCP server. It will also set its own IP in the gateway IP address field (GIADDR).
Hot Standby Router Protocol (HSRP)
- Cisco proprietary
- Virtual IP and virtual MAC address active on Master router
- Default hello-interval of three seconds and dead-interval of 10
- Highest priority will win (1-255), preempt not enabled by default
- Supports tracking
- Up to 255 groups per interface
- Uses virtual MAC of 0000.0C07.ACxx where xx is the group number in hex
Virtual Router Redundancy Protocol (VRRP)
- Open standard, very similar to HSRP
- Uses the virtual MAC 0000.5E00.01xx where xx is the group number in hex
- Uses preemption by default
- VRRP can use the interface IP as the VRRP IP which means only two adresses are needed instead of three
Gateway Load Balancing Protocol (GLBP)
GLBP is a Cisco proprietary protocol. The Active Virtual Gateway (AVG) assigns each router in the group a virtual MAC of the form 0007.B400.xxyy where xx is the group number and yy is the identifier for the routers
When a host ARPs for its default gateway the AVG will respond with the MAC of one of the virtual routers, this leads to load balancing
Network Time Protocol
Used to synchronize time for a host/router/server. Will most often run in client mode but a router can also be a NTP server. Uses the concept of stratum to indicate how accurate a time source is, lower stratum is better. Stratum one time sources are very accurate and most of them are atomic clocks.
Simple Network Management Protocol (SNMP)
Used to discover status and information for routers/switches/servers. Version 2C is the most commonly used. SNMP v2C is SNMP version two with version one authentication (clear text). Uses UDP for transport port 61 and 62 for SNMP traps. Cisco devices can send traps when something goes down like an interface failing. SNMP uses Management Information Bases (MIBs) to access the information, to request information from a device the OID is specified in the request. There is also a special Remote Monitoring MIB (RMON) which is used to get interface statistics and information about flows.
SNMP version 3
Supports authentication and encryption
Uses MD5 and SHA for authentication and DES for encryption
Cisco devices do not log to NVRAM by default, can be configured with logging buffered command
Uses UDP port 514 by default
Most often used to send syslog to a remote device which collects syslog from all devices
Web Cache Communication Protocol (WCCP)
Used to ease pressure on WAN links and optimize WAN links. Redirects traffic to content engine which has a cache. Uses UDP port 2048, up to 32 content engines can communicate with a single router, if more than one content engine is present the one with the lowest IP will become the lead engine. With WCCPv1 only one router can redirect the traffic for the content engines but in WCCPv2 multiple routers and content engines can be configured in a service group. WCCPv1 can only support port 80 but v2 supports other protocols as well.
- Supports TCP and UDP other than port 80, like FTP, video and telephony
- Supports multicast
- Supports multiple routers (up to 32 per cluster)
- Can use MD5 for security
- Provides load distribution
Can be used to measure delay, jitter, packet loss and other parameters. Configured with ip sla monitor command. Type of monitor and lifetime needs to be specified.
Used to monitor traffic levels and can be used to look for DDOS. Terms used in Netflow:
Records – A set of predefined and user-defined fields like the source IP and destination IP or ports for UDP/TCP.
Flow monitors – Applied to an interface, include records, a cache and optionally a flow exporter
Flow exporters – Export the cached flow information to an outside system, like a netflow collector
Flow sampler – Reduce the load by only sampling packets like very 1/1000 packets
Router IP traffic Export (RITE)
Used to export IP packets to a VLAN or LAN interface for analysis, like an IDS. Can sample packets in same way as Netflow. Redirects packets to a MAC address.
Embedded Event Manager (EEM)
Designed to make life easier for administrators by tracking and classifying events that take place on a router also provides notification for those events. EEM can be used to:
- Monitor SNMP objects
- Monitor counters
- Screen syslog messages for a pattern match (using regexp)
- Screening CLI input (using regexp)
Actions that EEM can take:
- Send an email
- Reload router
- Generate SNMP traps
- Execute IOS command
Can be used to monitor interface usage or CPU usage. Can warn if CPU rises more than x % in 60 seconds or if CPU has gone over 80%. Can also set falling thresholds.
Secure Shell (SSH)
Requires some parameters to work:
- Hostname configured
- Domain name has been set
- Generate RSA keys
- Transport input allows SSH