PHYSICAL TERMINATIONS packetlife.

net

Optical Terminations Copper Terminations GBICs

RJ-45
ST (Straight Tip)
1000Base-SX/LX

RJ-11

SC (Subscriber Connector)
1000Base-T

RJ-21 (25-pair)

LC (Local Connector)

Cisco GigaStack

MT-RJ

Wireless Antennas DE-9 (Female)

1000Base-SX/LX SFP

RP-TNC 1000Base-T SFP

DB-25 (Male)

RP-SMA
DB-60 (Male)
X2 (10Gig)

by Jeremy Stretch v1.1

COMMON PORTS packetlife.net

TCP/UDP Port Numbers

7 Echo 554 RTSP 2745 Bagle.H 6891-6901 Windows Live

19 Chargen 546-547 DHCPv6 2967 Symantec AV 6970 Quicktime
20-21 FTP 560 rmonitor 3050 Interbase DB 7212 GhostSurf
22 SSH/SCP 563 NNTP over SSL 3074 XBOX Live 7648-7649 CU-SeeMe
23 Telnet 587 SMTP 3124 HTTP Proxy 8000 Internet Radio
25 SMTP 591 FileMaker 3127 MyDoom 8080 HTTP Proxy
42 WINS Replication 593 Microsoft DCOM 3128 HTTP Proxy 8086-8087 Kaspersky AV
43 WHOIS 631 Internet Printing 3222 GLBP 8118 Privoxy
49 TACACS 636 LDAP over SSL 3260 iSCSI Target 8200 VMware Server
53 DNS 639 MSDP (PIM) 3306 MySQL 8500 Adobe ColdFusion
67-68 DHCP/BOOTP 646 LDP (MPLS) 3389 Terminal Server 8767 TeamSpeak
69 TFTP 691 MS Exchange 3689 iTunes 8866 Bagle.B
70 Gopher 860 iSCSI 3690 Subversion 9100 HP JetDirect
79 Finger 873 rsync 3724 World of Warcraft 9101-9103 Bacula
80 HTTP 902 VMware Server 3784-3785 Ventrilo 9119 MXit
88 Kerberos 989-990 FTP over SSL 4333 mSQL 9800 WebDAV
102 MS Exchange 993 IMAP4 over SSL 4444 Blaster 9898 Dabber
110 POP3 995 POP3 over SSL 4664 Google Desktop 9988 Rbot/Spybot
113 Ident 1025 Microsoft RPC 4672 eMule 9999 Urchin
119 NNTP (Usenet) 1026-1029 Windows Messenger 4899 Radmin 10000 Webmin
123 NTP 1080 SOCKS Proxy 5000 UPnP 10000 BackupExec
135 Microsoft RPC 1080 MyDoom 5001 Slingbox 10113-10116 NetIQ
137-139 NetBIOS 1194 OpenVPN 5001 iperf 11371 OpenPGP
143 IMAP4 1214 Kazaa 5004-5005 RTP 12035-12036 Second Life
161-162 SNMP 1241 Nessus 5050 Yahoo! Messenger 12345 NetBus
177 XDMCP 1311 Dell OpenManage 5060 SIP 13720-13721 NetBackup
179 BGP 1337 WASTE 5190 AIM/ICQ 14567 Battlefield
201 AppleTalk 1433-1434 Microsoft SQL 5222-5223 XMPP/Jabber 15118 Dipnet/Oddbob
264 BGMP 1512 WINS 5432 PostgreSQL 19226 AdminSecure
318 TSP 1589 Cisco VQP 5500 VNC Server 19638 Ensim
381-383 HP Openview 1701 L2TP 5554 Sasser 20000 Usermin
389 LDAP 1723 MS PPTP 5631-5632 pcAnywhere 24800 Synergy
411-412 Direct Connect 1725 Steam 5800 VNC over HTTP 25999 Xfire
443 HTTP over SSL 1741 CiscoWorks 2000 5900+ VNC Server 27015 Half-Life
445 Microsoft DS 1755 MS Media Server 6000-6001 X11 27374 Sub7
464 Kerberos 1812-1813 RADIUS 6112 Battle.net 28960 Call of Duty
465 SMTP over SSL 1863 MSN 6129 DameWare 31337 Back Orifice
497 Retrospect 1985 Cisco HSRP 6257 WinMX 33434+ traceroute
500 ISAKMP 2000 Cisco SCCP 6346-6347 Gnutella Legend
512 rexec 2002 Cisco ACS 6500 GameSpy Arcade Chat
513 rlogin 2049 NFS 6566 SANE Encrypted
514 syslog 2082-2083 cPanel 6588 AnalogX Gaming
515 LPD/LPR 2100 Oracle XDB 6665-6669 IRC
Malicious
520 RIP 2222 DirectAdmin 6679/6697 IRC over SSL
Peer to Peer
521 RIPng (IPv6) 2302 Halo 6699 Napster
Streaming
540 UUCP 2483-2484 Oracle DB 6881-6999 BitTorrent
IANA port assignments published at http://www.iana.org/assignments/port-numbers

by Jeremy Stretch v1.1

IEEE 802.1X packetlife.net
802.1X Header Terminology
1 1 2 Extensible Authentication Protocol (EAP)
Version Type Length EAP A flexible authentication framework defined in RFC 3748
EAP Over LANs (EAPOL)
EAP encapsulated by 802.1X for transport across LANs
EAP Header
Supplicant
1 1 2
The device (client) attached to an access link that requests
Code Identifier Length Data authentication by the authenticator
Authenticator
EAP Flow Chart The device that controls the status of a link; typically a
wired switch or wireless access point
Authentication
Supplicant Authenticator Server Authentication Server
A backend server which authenticates the credentials
provided by supplicants (for example, a RADIUS server)
Guest VLAN
Fallback VLAN for clients not 802.1X-capable
Restricted VLAN
Identity Request
Fallback VLAN for clients which fail authentication

802.1X Packet Types EAP Codes

Identity Response Access Request
0 EAP Packet 1 Request

Challenge Request Access Challenge 1 EAPOL-Start 2 Response

2 EAPOL-Logoff 3 Success
Challenge Response Access Request 3 EAPOL-Key 4 Failure
4 EAPOL-Encap-ASF-Alert EAP Req/Resp Types
Success Access Accept
Interface Defaults 1 Identity
EAP RADIUS Max Auth Requests 2 2 Notification

Configuration Reauthentication Off 3 Nak

Quiet Period 60s 4 MD5 Challenge
! Define a RADIUS server Global Configuration
radius-server host 10.0.0.100 Reauth Period 1hr 5 One Time Password
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
Server Timeout 30s 6 Generic Token Card
aaa new-model Supplicant Timeout 30s 254 Expanded Types
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally Tx Period 30s 255 Experimental
dot1x system-auth-control
Port-Control Options
! Static access mode Interface Configuration
force-authorized
switchport mode access
! Enable 802.1X authentication per port
Port will always remain in authorized state (default)
dot1x port-control auto force-unauthorized
! Configure host mode (single or multi) Always unauthorized; authentication attempts are ignored
dot1x host-mode single-host
! Configure maximum authentication attempts auto
dot1x max-reauth-req Supplicants must authenticate to gain access
! Enable periodic reauthentication
dot1x reauthentication Troubleshooting
! Configure a guest VLAN
dot1x guest-vlan 123 show dot1x [statistics] [interface <interface>]
! Configure a restricted VLAN dot1x test eapol-capable [interface <interface>]
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3 dot1x re-authenticate interface <interface>

by Jeremy Stretch v2.0

CISCO IOS VERSIONS packetlife.net
IOS Nomenclature Release Lifecycle

Mainline 12.4(7a) EOS Notice

Maintenance Release
EOS
Individual Release
Numbered Version
EOE

T Train 12.4(9)T1 EOL

0 12 24 36 48 60 72 84 96
Maintenance Release
Months
Individual Release
New Feature Identifier First Customer Shipment (FCS)
Numbered Version The release is made available to Cisco customers on CCO
EOS Notice
Notification of upcoming EOS
S Train 12.2(25)SEB4 End of Sale (EOS)
Release The release is no longer orderable or included in
Individual Release manufactured shipments
Numbered Version End of Engineering (EOE)
The last day for software fixes; only TAC assistance is offered
from this point
IOS XR 3.2.1 End of Life (EOL)
Major Release The last day for TAC support; release becomes obsolete;
Minor Release upgrade is only option for continued support
Maintenance Release
IOS Filename

IOS Package Trees c3725-entbase-mz.124-6.T.bin

Hardware
Advanced Enterprise Services
Feature Set
Memory Location
Advanced IP Services Enterprise Services Compression Format
Maintenance Release
Individual Release
Advanced Enterprise T Designator
SP Services
Security Base
Deployment Classifications

IP Voice
Early Deployment (ED)
Offers new feature, platform, or interface support
General Deployment (GD)
IP Base A major release considered qualified for deployment on
critical devices
Limited Deployment (LD)
Advanced Enterprise Services A major release prior to reaching its GD milestone
Deferred (DF)
Known defective images; should not be installed
Advanced IP Services Enterprise Services
IOS Version Verification

IP Services show version

dir <filesystem>:

IP Base verify <filesystem>:<image>

by Jeremy Stretch v2.0

VLANS packetlife.net
Trunk Encapsulation Trunk Types
26 6 6 2 4 802.1Q ISL
ISL Dest Source Header Size 4 bytes 26 bytes
ISL Type FCS
Header MAC MAC
Trailer Size N/A 4 bytes
Dest Source Standard IEEE Cisco
Untagged Type
MAC MAC
Maximum VLANs 4094 1000
Dest Source
802.1Q 802.1Q Type VLAN Numbers
MAC MAC
6 6 4 2 0 Reserved 1004 fdnet
VLAN Creation 1 default 1005 trnet

Switch(config)# vlan 100 1002 fddi-default 1006-4094 Extended

Switch(config-vlan)# name Engineering 1003 tr 4095 Reserved

Access Port Configuration Terminology

Switch(config-if)# switchport mode access Trunking
Switch(config-if)# switchport nonegotiate Carrying multiple VLANs over the same
Switch(config-if)# switchport access vlan 100 physical connection
Switch(config-if)# switchport voice vlan 150
Native VLAN
Trunk Port Configuration By default, frames in this VLAN are untagged
when sent across a trunk
Switch(config-if)# switchport mode trunk Access VLAN
Switch(config-if)# switchport trunk encapsulation dot1q The VLAN to which an access port is assigned
Switch(config-if)# switchport trunk allowed vlan 10,20-30
Switch(config-if)# switchport trunk native vlan 10 Voice VLAN
If configured, enables minimal trunking to
SVI Configuration support voice traffic in addition to data traffic
on an access port
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0 Dynamic Trunking Protocol (DTP)
Can be used to automatically establish trunks
VLAN Trunking Protocol (VTP) between capable ports (insecure)

Domain Switched Virtual Interface (SVI)

Common to all switches participating in VTP A virtual interface which provides a routed
gateway into and out of a VLAN
Server Mode
Generates and propagates VTP advertisements to clients; Switch Port Modes
default mode on unconfigured switches
trunk
Client Mode Forms an unconditional trunk
Receives and forwards advertisements from servers; VLANs
dynamic desirable
cannot be manually configured on switches in client mode
Attempts to negotiate a trunk with the far end
Transparent Mode dynamic auto
Forwards advertisements but does not participate in VTP; Forms a trunk only if requested by the far end
VLANs must be configured manually
access
Pruning Will never form a trunk
VLANs not having any access ports on an end switch are
removed from the trunk to reduce flooded traffic Troubleshooting

VTP Configuration show vlan

show interface [status | switchport]
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp domain <name> show interface trunk
Switch(config)# vtp password <passsword>
Switch(config)# vtp version {1 | 2} show vtp status
Switch(config)# vtp pruning show vtp password

by Jeremy Stretch v2.0

SPANNING TREE · PART 1 packetlife.net
Spanning Tree Protocols
Legacy STP PVST PVST+ RSTP RPVST+ MST

Algorithm Legacy ST Legacy ST Legacy ST Rapid ST Rapid ST Rapid ST

802.1w, 802.1s,
Defined By 802.1D-1998 Cisco Cisco Cisco
802.1D-2004 802.1Q-2003
Instances 1 Per VLAN Per VLAN 1 Per VLAN Configurable
Trunking N/A ISL 802.1Q, ISL N/A 802.1Q, ISL 802.1Q, ISL

Spanning Tree Instance Comparison

STP PVST+ MST
Root VLAN 1,10 Root VLAN 20,30 Root MSTI 0 Root MSTI 1 Root

A B A B A B

All VLANs VLAN 1 MSTI 0 (1, 10)

x xx xx VLAN 10 x x MSTI 1 (20, 30)
VLAN 20
C C VLAN 30 C

BPDU Format Spanning Tree Specifications Link Costs

Field Bits Bandwidth Cost
802.1s 802.1Q-2003 802.1Q-2005
Protocol ID 16 4 Mbps 250
Version 8 10 Mbps 100
BPDU Type 8 802.1D-1998 802.1D-2004 16 Mbps 62
Flags 8 45 Mbps 39
Root ID 64 802.1Q-1998 802.1w 100 Mbps 19
Root Path Cost 32 155 Mbps 14
ISL PVST PVST+ RPVST+
Bridge ID 64 622 Mbps 6
Port ID 16 IEEE 802.1D-1998 · Deprecated legacy STP standard 1 Gbps 4
Message Age 16 IEEE 802.1w · Introduced RSTP 10 Gbps 2
Max Age 16 20+ Gbps 1
IEEE

IEEE 802.1D-2004 · Replaced legacy STP with RSTP

Hello Time 16 IEEE 802.1s · Introduced MST Port States
Forward Delay 16 IEEE 802.1Q-2003 · Added MST to 802.1Q Legacy ST Rapid ST

Default Timers IEEE 802.1Q-2005 · Most recent 802.1Q revision Disabled

Hello 2s PVST · Per-VLAN implementation of legacy STP Blocking Discarding

Cisco

Forward Delay 15s PVST+ · Added 802.1Q trunking to PVST Listening

Max Age 20s RPVST+ · Per-VLAN implementation of RSTP Learning Learning

Forwarding Forwarding
Spanning Tree Operation
Determine root bridge Port Roles
1
The bridge advertising the lowest bridge ID becomes the root bridge Legacy ST Rapid ST
Select root port Root Root
2
Each bridge selects its primary port facing the root
Designated Designated
Select designated ports
3 Alternate
One designated port is selected per segment
Blocking
Block ports with loops Backup
4
All non-root and non-desginated ports are blocked

by Jeremy Stretch v3.0

SPANNING TREE · PART 2 packetlife.net
PVST+ and RPVST+ Configuration Bridge ID Format
4 12 48
spanning-tree mode {pvst | rapid-pvst}
Pri Sys ID Ext MAC Address
! Bridge priority
spanning-tree vlan 1-4094 priority 32768 Priority
4-bit bridge priority (configurable from 0 to 61440 in
! Timers, in seconds
spanning-tree vlan 1-4094 hello-time 2
increments of 4096)
spanning-tree vlan 1-4094 forward-time 15 System ID Extension
spanning-tree vlan 1-4094 max-age 20 12-bit value taken from VLAN number (IEEE 802.1t)
MAC Address
! PVST+ Enhancements
spanning-tree backbonefast 48-bit unique identifier
spanning-tree uplinkfast
Path Selection
! Interface attributes 1 Bridge with lowest root ID becomes the root
interface FastEthernet0/1
spanning-tree [vlan 1-4094] port-priority 128 2 Prefer the neighbor with the lowest cost to root
spanning-tree [vlan 1-4094] cost 19
3 Prefer the neighbor with the lowest bridge ID
! Manual link type specification 4 Prefer the lowest sender port ID
spanning-tree link-type {point-to-point | shared}
Optional PVST+ Ehancements
! Enables PortFast if running PVST+, or
! designates an edge port under RPVST+ PortFast
spanning-tree portfast Enables immediate transition into the forwarding state
(designates edge ports under MST)
! Spanning tree protection
spanning-tree guard {loop | root | none} UplinkFast
Enables switches to maintain backup paths to root
! Per-interface toggling BackboneFast
spanning-tree bpduguard enable Enables immediate expiration of the Max Age timer in
spanning-tree bpdufilter enable the event of an indirect link failure

MST Configuration Spanning Tree Protection

Root Guard
spanning-tree mode mst
Prevents a port from becoming the root port
! MST Configuration BPDU Guard
spanning-tree mst configuration Error-disables a port if a BPDU is received
name MyTree
revision 1 Loop Guard
Prevents a blocked port from transitioning to listening
! Map VLANs to instances after the Max Age timer has expired
instance 1 vlan 20, 30 BPDU Filter
instance 2 vlan 40, 50 Blocks BPDUs on an interface (disables STP)
! Bridge priority (per instance) RSTP Link Types
spanning-tree mst 1 priority 32768
Point-to-Point
! Timers, in seconds Connects to exactly one other bridge (full duplex)
spanning-tree mst hello-time 2 Shared
spanning-tree mst forward-time 15
Potentially connects to multiple bridges (half duplex)
spanning-tree mst max-age 20
Edge
! Maximum hops for BPDUs Connects to a single host; designated by PortFast
spanning-tree mst max-hops 20
Troubleshooting
! Interface attributes
interface FastEthernet0/1
show spanning-tree [summary | detail | root]
spanning-tree mst 1 port-priority 128 show spanning-tree [interface | vlan]
spanning-tree mst 1 cost 19
show spanning-tree mst […]

by Jeremy Stretch v3.0

IPV4 SUBNETTING packetlife.net
Subnets Decimal to Binary
CIDR Subnet Mask Addresses Wildcard Subnet Mask Wildcard

/32 255.255.255.255 1 0.0.0.0 255 1111 1111 0 0000 0000

/31 255.255.255.254 2 0.0.0.1 254 1111 1110 1 0000 0001
/30 255.255.255.252 4 0.0.0.3 252 1111 1100 3 0000 0011
/29 255.255.255.248 8 0.0.0.7 248 1111 1000 7 0000 0111
/28 255.255.255.240 16 0.0.0.15 240 1111 0000 15 0000 1111
/27 255.255.255.224 32 0.0.0.31 224 1110 0000 31 0001 1111
/26 255.255.255.192 64 0.0.0.63 192 1100 0000 63 0011 1111
/25 255.255.255.128 128 0.0.0.127 128 1000 0000 127 0111 1111
/24 255.255.255.0 256 0.0.0.255 0 0000 0000 255 1111 1111
/23 255.255.254.0 512 0.0.1.255 Subnet Proportion
/22 255.255.252.0 1,024 0.0.3.255
/21 255.255.248.0 2,048 0.0.7.255
/20 255.255.240.0 4,096 0.0.15.255
/27
/19 255.255.224.0 8,192 0.0.31.255 /26 /28
/29
/18 255.255.192.0 16,384 0.0.63.255
/30
/17 255.255.128.0 32,768 0.0.127.255
/30
/16 255.255.0.0 65,536 0.0.255.255
/15 255.254.0.0 131,072 0.1.255.255
/14 255.252.0.0 262,144 0.3.255.255
/25
/13 255.248.0.0 524,288 0.7.255.255
/12 255.240.0.0 1,048,576 0.15.255.255
/11 255.224.0.0 2,097,152 0.31.255.255
/10 255.192.0.0 4,194,304 0.63.255.255 Classful Ranges

/9 255.128.0.0 8,388,608 0.127.255.255 A 0.0.0.0 – 127.255.255.255

/8 255.0.0.0 16,777,216 0.255.255.255 B 128.0.0.0 - 191.255.255.255

/7 254.0.0.0 33,554,432 1.255.255.255 C 192.0.0.0 - 223.255.255.255

/6 252.0.0.0 67,108,864 3.255.255.255 D 224.0.0.0 - 239.255.255.255

/5 248.0.0.0 134,217,728 7.255.255.255 E 240.0.0.0 - 255.255.255.255

/4 240.0.0.0 268,435,456 15.255.255.255 Reserved Ranges

/3 224.0.0.0 536,870,912 31.255.255.255 RFC 1918 10.0.0.0 - 10.255.255.255
/2 192.0.0.0 1,073,741,824 63.255.255.255 Localhost 127.0.0.0 - 127.255.255.255
/1 128.0.0.0 2,147,483,648 127.255.255.255 RFC 1918 172.16.0.0 - 172.31.255.255
/0 0.0.0.0 4,294,967,296 255.255.255.255 RFC 1918 192.168.0.0 - 192.168.255.255

Terminology
CIDR VLSM
Classless interdomain routing was developed to Variable-length subnet masks are an arbitrary length
provide more granularity than legacy classful between 0 and 32 bits; CIDR relies on VLSMs to define
addressing; CIDR notation is expressed as /XX routes

by Jeremy Stretch v2.0

IPV4 MULTICAST packetlife.net
Layer 2 Addressing Group Ranges
239.142.57.6 224.0.0.0/24 Local network control
11101111 10001110 00111001 00000110 224.0.1.0/24 Internetwork control

01-00-5E-0E-39-06 232.0.0.0/8 Source-specific

00000001 00000000 01011110 00001110 00111001 00000110 233.0.0.0/8 GLOP (RFC 3180)
239.0.0.0/8 Admin-scoped
Terminology
Reverse Path Forwarding (RPF) Common Groups
Verifies that multicast traffic travels in the reverse direction of 224.0.0.1 All hosts
unicast traffic, away from the tree root
224.0.0.2 All routers
Cisco Group Management Protocol (CGMP)
A proprietary protocol used by switches to obtain multicast 224.0.1.39 Cisco RP Announce
membership information for end hosts (deprecated) 224.0.1.40 Cisco RP Discovery
Internet Group Management Protocol (IGMP)
Hosts send IGMP requests to local routers to join multicast groups Distribution Trees
Shared
IGMP Configuration A common set of links which carry all
IGMP Support Router(config-if)# ip igmp [version <#>] multicast traffic; statically configured
Source-Rooted
IGMP Snooping Switch(config)# ip igmp snooping
Provides the shortest paths from the
Protocol Independent Multicast (PIM) source to receivers

Dense Mode IGMP

The initial tree encompasses all multicast routers; after a period of
time, routers without IGMP members prune back branches IGMPv1
Original IGMP specification
Sparse Mode
The tree is grown from a central rendezvous point out to the IGMPv2
multicast source and recipients Adds support for dynamic leave requests
and querier election to original IGMP
Sparse-Dense Mode
Allows a PIM-enabled interface to function in either sparse or dense IGMPv3
mode per group Adds multicast source filtering to v2
PIMv1 IGMP Snooping
Provides automatic RP discovery with Auto-RP (Cisco proprietary) A switch passively inspects IGMP
requests to determine which hosts
PIMv2 should receive multicast traffic
Automatic RP discovery is accomplished by the bootstrap router
(BSR) method (standard) IGMP Troubleshooting

PIM Configuration show ip igmp

show ip igmp group
ip multicast-routing
! show ip igmp interface
interface FastEthernet0/0
ip pim {sparse-mode | dense-mode | sparse-dense-mode} show ip igmp snooping
ip pim version {1 | 2} ip igmp join-group

RP Configuration PIM Troubleshooting

Manual ip pim rp-address <IP> show ip mroute
Auto-RP Mapping Agent ip pim send-rp-discovery scope <TTL> show ip pim interface
Auto-RP Candidate ip pim send-rp-announce <interface> show ip pim neighbor
BSR Candidate ip pim bsr-candidate <interface> show ip pim rp [mapping]
BSR RP Candidate ip pim rp-candidate <interface> show ip rpf <IP>
by Jeremy Stretch v2.0
IOS IPV4 ACCESS LISTS packetlife.net
Standard ACL Syntax Actions

! Legacy syntax permit Allow matched packets

access-list <number> {permit | deny} <source> [log] deny Deny matched packets
! Modern syntax remark Record a configuration comment
ip access-list standard {<number> | <name>}
[<sequence>] {permit | deny} <source> [log] evaluate Evaluate a reflexive ACL

Extended ACL Syntax

! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

ACL Numbers Source/Destination Definitions

1-99 any Any address
IP standard
1300-1999
host <address> A single address
100-199
IP extended <network> <mask> Any address matched by the wildcard mask
2000-2699
200-299 Protocol IP Options
300-399 DECnet dscp <DSCP> Match the specified IP DSCP
400-499 XNS fragments Check non-initial fragments
500-599 Extended XNS option <option> Match the specified IP option
600-699 Appletalk precedence {0-7} Match the specified IP precedence
700-799 Ethernet MAC ttl <count> Match the specified IP time to live (TTL)
800-899 IPX standard
TCP/UDP Port Definitions
900-999 IPX extended
eq <port> Equal to neq <port> Not equal to
1000-1099 IPX SAP
lt <port> Less than gt <port> Greater than
1100-1199 MAC extended
range <port> <port> Matches a range of port numbers
1200-1299 IPX summary
Miscellaneous Options
TCP Options
reflect <name> Create a reflexive ACL entry
ack Match ACK flag
time-range <name> Enable rule only during the given time range
fin Match FIN flag
psh Match PSH flag Applying ACLs to Restrict Traffic

rst Match RST flag interface FastEthernet0/0

ip access-group {<number> | <name>} {in | out}
syn Match SYN flag
urg Match URG flag Troubleshooting
Match packets in an show access-lists [<number> | <name>]
established
established session
show ip access-lists [<number> | <name>]
Logging Options show ip access-lists interface <interface>
log Log ACL entry matches show ip access-lists dynamic
Log matches including
show ip interface [<interface>]
log-input ingress interface and
source MAC address show time-range [<name>]

by Jeremy Stretch v2.0

IPV6 packetlife.net
Protocol Header Address Notation
8 16 24 32 · Eliminate leading zeros from all two-byte sets
Ver Traffic Class Flow Label · Replace up to one string of consecutive zeros
Payload Length Next Header Hop Limit with a double-colon (::)

Address Formats
Source Address
Global unicast

Global Prefix Subnet Interface ID

Destination Address 48 16 64

Link-local unicast
Version (4 bits) · Always set to 6 Interface ID
Traffic Class (8 bits) · A DSCP value for QoS
64 64
Flow Label (20 bits) · Identifies unique flows (optional)
Multicast
Payload Length (16 bits) · Length of the payload in bytes

Scope
Flags
Group ID
Next Header (8 bits) · Header or protocol which follows
8 4 4 112
Hop Limit (8 bits) · Similar to IPv4's time to live field
Source Address (128 bits) · Source IP address EUI-64 Formation

Destination Address (128 bits) · Destination IP address MAC

Address Types
EUI-64
Unicast · One-to-one communication
Multicast · One-to-many communication · Insert 0xfffe between the two halves of the MAC
Anycast · An address configured in multiple locations · Flip the seventh bit (universal/local flag) to 1

Multicast Scopes Extension Headers

1 Interface-local 5 Site-local Hop-by-hop Options (0)
Carries additional information which must be examined by every
2 Link-local 8 Org-local
router in the path
4 Admin-local E Global Routing (43)
Provides source routing functionality
Special-Use Ranges
Fragment (44)
::/0 Default route Included when a packet has been fragmented by its source
::/128 Unspecified Encapsulating Security Payload (50)
Provides payload encryption (IPsec)
::1/128 Loopback
Authentication Header (51)
::/96 IPv4-compatible* Provides packet authentication (IPsec)
::FFFF:0:0/96 IPv4-mapped Destination Options (60)
Carries additional information which pertains only to the recipient
2001::/32 Teredo
2001:DB8::/32 Documentation Transition Mechanisms
Dual Stack
2002::/16 6to4
Transporting IPv4 and IPv6 across an infrastructure simultaneously
FC00::/7 Unique local Tunneling
FE80::/10 Link-local unicast IPv6 traffic is encapsulated into IPv4 using IPv6-in-IP, UDP (Teredo),
or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
FEC0::/10 Site-local unicast*
Translation
FF00::/8 Multicast Stateless IP/ICMP Translation (SIIT) translates IP header fields, NAT
* Deprecated Protocol Translation (NAT-PT) maps between IPv6 and IPv4 addresses

by Jeremy Stretch v2.0

NETWORK ADDRESS TRANSLATION packetlife.net
Example Topology Address Classification
An actual address assigned to
Inside Local
an inside host
An inside address seen from
Inside Global
the outside
An actual address assigned to
FastEthernet0 FastEthernet1 Outside Global
an outside host
10.0.0.1/16 174.143.212.1/22
NAT Inside NAT Outside An outside address seen from
Outside Local
the inside
NAT Boundary Configuration Perspective
interface FastEthernet0 Local Global
ip address 10.0.0.1 255.255.0.0
ip nat inside

Location
! Inside Inside Local Inside Global
interface FastEthernet1
ip address 174.143.212.1 255.255.252.0
ip nat outside Outside Outside Local Outside Global

Static Source Translation Terminology

! One line per static translation NAT Pool

ip nat inside source static 10.0.0.19 192.0.2.1 A pool of IP addresses to be used as inside
ip nat inside source static 10.0.1.47 192.0.2.2 global or outside local addresses in translations
ip nat outside source static 174.143.212.133 10.0.0.47 Port Address Translation (PAT)
ip nat outside source static 174.143.213.240 10.0.2.181
An extension to NAT that translates information
at layer four and above, such as TCP and UDP
Dynamic Source Translation port numbers; dynamic PAT configurations
include the overload keyword
! Create an access list to match inside local addresses
access-list 10 permit 10.0.0.0 0.0.255.255 Extendable Translation
! The extendable keyword must be appended
! Create NAT pool of inside global addresses when multiple overlapping static translations are
ip nat pool MyPool 192.0.2.1 192.0.2.254 prefix-length 24 configured
!
! Combine them with a translation rule Special NAT Pool Types
ip nat inside source list 10 pool MyPool Rotary Used for load balancing
!
! Dynamic translations can be combined with static entries Match- Preserves the host portion of
ip nat inside source static 10.0.0.42 192.0.2.42 Host the address after translation

Port Address Translation (PAT) Troubleshooting

! Static layer four port translations show ip nat translations [verbose]

ip nat inside source static tcp 10.0.0.3 8080 192.0.2.1 80
show ip nat statistics
ip nat inside source static udp 10.0.0.14 53 192.0.2.2 53
ip nat outside source static tcp 174.143.212.4 23 10.0.0.8 23 clear ip nat translations
!
! Dynamic port translation with a pool NAT Translations Tuning
ip nat inside source list 11 pool MyPool overload
! ip nat translation tcp-timeout <seconds>
! Dynamic translation with interface overloading ip nat translation udp-timeout <seconds>
ip nat inside source list 11 interface FastEthernet1 overload ip nat translation max-entries <number>

Inside Destination Translation

! Create a rotary NAT pool

ip nat pool LoadBalServers 10.0.99.200 10.0.99.203 prefix-length 24 type rotary
!
! Enable load balancing across inside hosts for incoming traffic
ip nat inside destination list 12 pool LoadBalServers

by Jeremy Stretch v1.0

POINT-TO-POINT PROTOCOL packetlife.net
PPP Components PPP Summary
Link Control Protocol (LCP) Standard RFC 1661
Provides for the establishment, configuration, and maintenance of a
PPP link. Protocol-independent options are negotiated by LCP.
Asynchronous serial, synchronous
Interfaces
serial, ISDN, HSSI
Network Control Protocol (NCP)
A separate NCP is used to negotiate the configuration of each PPP Features
network layer protocol (such as IP) carried by PPP.
Protocol Multiplexing · Multiple NCPs
PPP Header Optional Authentication · PAP/CHAP
8 16 24 32
Optional Compression · Stacker/predictor
Address Control Protocol
Loopback Detection · Provided by LCP

LCP Header Load Balancing · Multilink PPP

8 16 24 32
Connection Phase Flowchart
Code Identifier Length
Auth Required
Dead Establish
Authentication Protocols
No Auth
Plaintext Authentication Protocol (PAP)
Original, obsolete authentication protocol which relies on the Terminate Authenticate
exchange of a plaintext key to authenticate peers (RFC 1334). Failure
Admin Success
Challenge Handshake Authentication Protocol (CHAP) Shutdown
Authenticates peers using the MD5 checksum of a pre-shared secret Network
key (RFC 1994).

Extensible Authentication Protocol (EAP) PPP Connection Example

Provides MD5-based authentication similar to CHAP (RFC 3748).
Could be expanded to support other EAP mechanisms as well.

General PPP Configuration LCP Configuration Request

LCP Configuration Ack

! Configure a peer account if authentication will be used
username peer-hostname password password CHAP Challenge

! Configure a local IP address pool if needed CHAP Response

ip pool name first-IP last-IP
CHAP Success
interface Serial0/0 IP Control Configuration Request
! Enable PPP encapsulation
encapsulation ppp IP Control Configuration Ack
! Enable CHAP and/or PAP for authentication
CDP Control Configuration Request
ppp authentication { chap | pap } [ chap | pap ]
! Enable compression CDP Control Configuration Ack
compress { predictor | stac }
! Enable peer IP address assignment (server side)
PPP Compression Algorithms
peer default ip address { pool name | IP-address }
! Enable IP address negotiation (client side) Stacker
ip address negotiated Replaces repetitive data with symbols from a
dynamic dictionary (more processor-intensive)
Multilink PPP Configuration Predictor
Attempts to predict sequential data (more
! Create the multilink interface
interface Multilink1
memory-intensive)
ip address IP-address subnet-mask
ppp multilink group group
Troubleshooting
show ppp multilink
! Assign physical interfaces to the multilink group
interface Serial0/0 debug ppp authentication
encapsulation ppp
ppp multilink group group
debug ppp { negotiation | packet }

by Jeremy Stretch v1.2

FIRST HOP REDUNDANCY packetlife.net
Protocols Attributes
Hot Standby Router Protocol (HSRP) HSRP VRRP GLBP
Provides default gateway redundancy using one active Standard RFC 2281 RFC 3768 Cisco
and one standby router; standardized but licensed by
Cisco Systems Load Balancing No No Yes
Virtual Router Redundancy Protocol (VRRP) IPv6 Support Yes No Yes
An open-standard alternative to Cisco's HSRP, Transport UDP/1985 IP/112 UDP/3222
providing the same functionality
Default Priority 100 100 100
Gateway Load Balancing Protocol (GLBP)
Supports arbitrary load balancing in addition to Default Hello 3 sec 1 sec 3 sec
redundancy across gateways; Cisco proprietary Multicast Group 224.0.0.2 224.0.0.18 224.0.0.102

HSRP VRRP GLBP

100 200 100 100 200 100 100 200 100

Standby Active Listen Backup Master Backup AVF AVF AVF
AVG

HSRP Configuration HSRP/GLBP Interface States

interface FastEthernet0/0 Speak · Gateway election in progress

ip address 10.0.1.2 255.255.255.0 Active · Active router/VG
standby version {1 | 2}
standby 1 ip 10.0.1.1 Standby · Backup router/VG
standby 1 timers <hello> <dead>
standby 1 priority <priority> Listen · Not the active router/VG
standby 1 preempt
standby 1 authentication md5 key-string <password> VRRP Interface States
standby 1 track <interface> <value>
Master · Acting as the virtual router
standby 1 track <object> decrement <value>
Backup · All non-master routers
VRRP Configuration
GLBP Roles
interface FastEthernet0/0
Active Virtual Gateway (AVG)
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
Answers for the virtual router and assigns
vrrp 1 timers {advertise <hello> | learn} virtual MAC addresses to group members
vrrp 1 priority <priority> Active Virtual Forwarder (AVF)
vrrp 1 preempt All routers which forward traffic for the group
vrrp 1 authentication md5 key-string <password>
vrrp 1 track <object> decrement <value> GLBP Load Balancing
Round-Robin (default)
GLBP Configuration
The AVG answers host ARP requests for the
interface FastEthernet0/0 virtual router with the next router in the cycle
ip address 10.0.1.2 255.255.255.0 Host-Dependent
glbp 1 ip 10.0.1.1 Round-robin cycling is used while a consistent
glbp 1 timers <hello> <dead>
AVF is maintained for each host
glbp 1 timers redirect <redirect> <time-out>
glbp 1 priority <priority> Weighted
glbp 1 preempt Determines the proportionate share of hosts
glbp 1 forwarder preempt handled by each AVF
glbp 1 authentication md5 key-string <password>
glbp 1 load-balancing <method> Troubleshooting
glbp 1 weighting <weight> lower <lower> upper <upper>
glbp 1 weighting track <object> decrement <value> show standby [brief] show vrrp [brief]
show glbp [brief] show track [brief]
by Jeremy Stretch v2.0
RIP packetlife.net
RIP Implementations Attributes
RIPv1 Type Distance Vector
Original RIP implementation, limited to classful routing
Algorithm Bellman-Ford
(obsolete)
RIPv2 Admin Distance 120
Introduced support for classless routing, authentication, Metric Hop count (max 15)
triggered updates, and multicast announcements (RFC 2453)
Standard RFCs 2080, 2453
RIPng (RIP Next Generation)
Extends RIPv2 to support IPv6 routing (RFC 2080); functions Protocols IPv4, IPv6
very similarly to RIPv2 and is subsequently as limited Transport UDP
Protocols Comparison Authentication Plaintext, MD5
RIPv1 RIPv2 RIPng Multicast IP 224.0.0.9/FF02::9
IP IPv4 IPv4 IPv6
Terminology
Admin Distance 120 120 120
Split Horizon
UDP Port 520 520 521 A rule that states a router may not advertise a route
back to the neighbor from which it was learned
Classless No Yes Yes
Route Poisoning
Adv. Address Broadcast 224.0.0.9 FF02::9
When a network becomes unreachable, an
Authentication None Plain, MD5 None update with an infinite metric is generated to
explicitly advertise the route as unreachable
RIPv2 Configuration
Poison Reverse
A router advertises a network as unreachable
! Enable RIPv2 IPv4 routing
through the interface on which it was learned
router rip
version 2
Timer Defaults
! Disable RIPv2 automatic summarization Update 30 sec Flush 240 sec
no auto-summary
Invalid 180 sec Hold-down 180 sec
! Designate RIPv2 interfaces by network
network network RIPv2 Interface Configuration

! Identify unicast-only neighbors ! Configure manual route summarization

neighbor IP-address ip summary-address rip network mask

! Originate a default route ! Enable MD5 authentication (RIPv2 only)

default-information originate ip rip authentication mode md5
ip rip authentication key-chain key-chain
! Designate passive interfaces
passive-interface {interface | default} RIPng Interface Configuration
! Modify timers ! Enable RIPng on the interface
timers basic update invalid hold flush ipv6 rip name enable

RIPng Configuration ! Configure manual route summarization

ipv6 rip name summary-address prefix
! Enable IPv6 routing
ipv6 unicast-routing Troubleshooting
! Enable RIPng IPv6 routing show ip[v6] protocols
ipv6 router rip name
show ip[v6] rip database
! Toggle split-horizon and poison-reverse show ip[v6] route rip
[no] split-horizon
[no] poison-reverse debug ip rip { database | events }

! Modify timers debug ipv6 rip [interface]

timers basic update invalid hold flush

by Jeremy Stretch v1.1

EIGRP packetlife.net
Protocol Header Attributes
8 16 24 32 Type Distance Vector
Version Opcode Checksum
Algorithm DUAL
Flags
Internal AD 90
Sequence Number
External AD 170
Acknowledgment Number
Summary AD 5
Autonomous System Number
Standard Cisco proprietary
Type Length
Protocols IP, IPX, Appletalk
Value
Transport IP/88
Metric Formula Authentication MD5
K2 * bw K5 Multicast IP 224.0.0.10
256 * (K1 * bw + + K3 * delay) *
256 - load rel + K4 Hello Timers 5/60
· bw = 107 / minimum path bandwidth in kbps Hold Timers 15/180
· delay = interface delay in µsecs / 10
K Defaults Packet Types
EIGRP Configuration
K1 1 1 Update
Protocol Configuration
K2 0 3 Query
! Enable EIGRP
router eigrp <ASN> K3 1 4 Reply
! Add networks to advertise K4 0 5 Hello
network <IP address> <wildcard mask>
K5 0 8 Acknowledge
! Configure K values to manipulate metric formula
metric weights 0 <k1> <k2> <k3> <k4> <k5>
Terminology
Reported Distance
! Disable automatic route summarization The metric for a route advertised by a neighbor
no auto-summary
Feasible Distance
! Designate passive interfaces The distance advertised by a neighbor plus the cost
passive-interface (<interface> | default) to get to that neighbor
Stuck In Active (SIA)
! Enable stub routing
The condition when a route becomes unreachable
eigrp stub [receive-only | connected | static | summary]
and not all queries for it are answered; adjacencies
! Statically identify neighoring routers with unresponsive neighbors are reset
neighbor <IP address> <interface> Passive Interface
An interface which does not participate in EIGRP but
Interface Configuration whose network is advertised
! Set maximum bandwidth EIGRP can consume
ip bandwidth-percent eigrp <AS> <percentage>
Stub Router
A router which advertises only a subset of routes,
! Configure manual summarization of outbound routes and is omitted from the route query process
ip summary-address eigrp <AS> <IP address> <mask> [<AD>]
Troubleshooting
! Enable MD5 authentication show ip eigrp interfaces
ip authentication mode eigrp <AS> md5
ip authentication key-chain eigrp <AS> <key-chain> show ip eigrp neighbors

! Configure hello and hold timers show ip eigrp topology

ip hello-interval eigrp <AS> <seconds> show ip eigrp traffic
ip hold-time eigrp <AS> <seconds>
clear ip eigrp neighbors
! Disable split horizon for EIGRP
no ip split-horizon eigrp <AS> debug ip eigrp [packet | neighbors]

by Jeremy Stretch v2.1

OSPF · PART 1 packetlife.net
Protocol Header Attributes
8 16 24 32 Type Link-State
Version Type Length Algorithm Dijkstra
Router ID Metric Cost (Bandwidth)
Area ID AD 110
Checksum Instance ID Reserved Standard RFC 2328, 2740
Data Protocols IP
Transport IP/89
Link State Advertisements
Authentication Plaintext, MD5
Router Link (Type 1)
Lists neighboring routers and the cost to each; flooded within an area AllSPF Address 224.0.0.5

Network Link (Type 2) AllDR Address 224.0.0.6

Generated by a DR; lists all routers on an adjacent segment; flooded
Metric Formula
within an area
Network Summary (Type 3) 100,000 Kbps*
cost =
Generated by an ABR and advertised among areas link speed
ASBR Summary (Type 4)
* modifiable with
Injected by an ABR into the backbone to advertise the presence of an ospf auto-cost reference-bandwidth
ASBR within an area
External Link (Type 5) Adjacency States
Generated by an ASBR and flooded throughout the AS to advertise a
1 Down 5 Exstart
route external to OSPF
NSSA External Link (Type 7) 2 Attempt 6 Exchange
Generated by an ASBR in a not-so-stubby area; converted into a 3 Init 7 Loading
type 5 LSA by the ABR when leaving the area
4 2-Way 8 Full
Router Types Area Types
DR/BDR Election
Internal Router Standard Area
All interfaces reside within the Default OSPF area type · The DR serves as a common point for
same area all adjacencies on a multiaccess
Stub Area segment
Backbone Router External link (type 5) LSAs are
A router with an interface in replaced with a default route · The BDR also maintains adjacencies
area 0 (the backbone) with all routers in case the DR fails
Totally Stubby Area
Area Border Router (ABR) Type 3, 4, and 5 LSAs are · Election does not occur on point-to-
Connects two or more areas replaced with a default route point or multipoint links
AS Boundary Router (ASBR) Not So Stubby Area (NSSA)
· Default priority (0-255) is 1; highest
Connects to additional routing A stub area containing an ASBR;
priority wins; 0 cannot be elected
domains; typically located in type 5 LSAs are converted to type
the backbone 7 within the area · DR preemption will not occur unless
the current DR is reset
External Route Types
E1 · Cost to the advertising ASBR plus the external cost of the route Virtual Links

E2 (Default) · Cost of the route as seen by the ASBR · Tunnel formed to join two areas
across an intermediate
Troubleshooting
· Both end routers must share a
show ip [route | protocols] show ip ospf border-routers common area
show ip ospf interface show ip ospf virtual-links · At least one end must reside in area 0
show ip ospf neighbor debug ip ospf […] · Cannot traverse stub areas

by Jeremy Stretch v2.1

OSPF · PART 2 packetlife.net
Network Types
Nonbroadcast Multipoint Multipoint
(NBMA) Broadcast Nonbroadcast Broadcast Point-to-Point

DR/BDR Elected Yes No No Yes No

Neighbor Discovery No Yes No Yes Yes
Hello/Dead Timers 30/120 30/120 30/120 10/40 10/40
Defined By RFC 2328 RFC 2328 Cisco Cisco Cisco
Supported Topology Full Mesh Any Any Full Mesh Point-to-Point

Configuration Example

interface Serial0/0 Router A

WAN Area 0 Area 9 description WAN Link
172.16.0.0/18 Backbone Totally Stubby Area ip address 172.16.34.2 255.255.255.252
!
interface FastEthernet0/0
description Area 0
ip address 192.168.0.1 255.255.255.0
A !
interface Loopback0
! Used as router ID
ip address 10.0.34.1 255.255.255.0
C !
B
router ospf 100
! Advertising the WAN cloud to OSPF
redistribute static subnets
network 192.168.0.0 0.0.0.255 area 0
!
Area 1 Area 2 ! Static route to the WAN cloud
Stub Area Standard Area ip route 172.16.0.0 255.255.192.0 172.16.34.1

Router B Router C
interface Ethernet0/0 interface Ethernet0/0
description Area 0 description Area 9
ip address 192.168.0.2 255.255.255.0 ip address 192.168.9.1 255.255.255.0
ip ospf 100 area 0 ip ospf 100 area 9
! !
interface Ethernet0/1 interface Ethernet0/1
description Area 2 description Area 2
ip address 192.168.2.1 255.255.255.0 ip address 192.168.2.2 255.255.255.0
ip ospf 100 area 2 ip ospf 100 area 2
! Optional MD5 authentication configured ! Optional MD5 authentication configured
ip ospf authentication message-digest ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 FooBar ip ospf message-digest-key 1 md5 FooBar
! Give B priority in DR election ! Give C second priority (BDR) in election
ip ospf priority 100 ip ospf priority 50
! !
interface Ethernet0/2 !
description Area 1 !
ip address 192.168.1.1 255.255.255.0 !
ip ospf 100 area 1 !
! !
interface Loopback0 interface Loopback0
ip address 10.0.34.2 255.255.255.0 ip address 10.0.34.3 255.255.255.0
! !
router ospf 100 router ospf 100
! Define area 1 as a stub area ! Define area 9 as a totally stubby area
area 1 stub area 9 stub no-summary
! Virtual link from area 0 to area 9 ! Virtual link from area 9 to area 0
area 2 virtual-link 10.0.34.3 area 2 virtual-link 10.0.34.2

by Jeremy Stretch v2.1

BGP · PART 1 packetlife.net
Attributes About BGP
Name Description Type Path Vector
Well-known Mandatory · Must be supported and propagated eBGP AD 20
1 Origin Origin type (IGP, EGP, or unknown) iBGP AD 200
List of autonomous systems which the Standard RFC 4271
2 AS Path
advertisement has traversed
Protocols IP
3 Next Hop External peer in neighboring AS
Transport TCP/179
Well-known Discretionary · Must be supported; propagation optional
Authentication MD5
Metric for internal neighbors to reach
5 Local Preference
external destinations (default 100) Terminology
Includes ASes which have been dropped Autonomous System (AS)
6 Atomic Aggregate
due to route aggregation A logical domain under the control of a
Optional Transitive · Marked as partial if unsupported by neighbor single entity

7 Aggregator ID and AS of summarizing router External BGP (eBGP)

BGP adjacencies which span autonomous
8 Community Route tag system boundaries
Optional Nontransitive · Deleted if unsupported by neighbor Internal BGP (iBGP)
BGP adjacencies formed within a single AS
Multiple Exit Metric for external neighbors to reach the
4
Discriminator (MED) local AS (default 0) Synchronization Requirement
A route must be known by an IGP before
9 Originator ID The originator of a reflected route it may be advertised to BGP peers
10 Cluster List List of cluster IDs
Packet Types
13 Cluster ID Originating cluster
Open Update
Cisco proprietary, not communicated to
-- Weight
peers (default 0) Keepalive Notification

Path Selection Neighbor States

Attribute Description Preference Idle · Neighbor is not responding
1 Weight Administrative preference Highest Active · Attempting to connect
Communicated between peers Connect · TCP session established
2 Local Preference Highest
within an AS
Open Sent · Open message sent
3 Self-originated Prefer paths originated locally True
Open Confirm · Response received
4 AS Path Minimize AS hops Shortest
Established · Adjacency established
Prefer IGP-learned routes over
5 Origin IGP
EGP, and EGP over unknown Troubleshooting
6 MED Used externally to enter an AS Lowest show ip bgp [summary]
7 External Prefer eBGP routes over iBGP eBGP show ip bgp neighbors
8 IGP Cost Consider IGP metric Lowest show ip route [bgp]
9 eBGP Peering Favor more stable routes Oldest clear ip bgp * [soft]
10 Router ID Tie breaker Lowest debug ip bgp […]

Influencing Path Selection

Weight neighbor 172.16.0.1 weight 200 Local Preference bgp default local-preference 100
MED default-metric 400 Route Map neighbor 172.16.0.1 route-map Foo
Ignore Ignore Cost
bgp bestpath as-path ignore bgp bestpath cost-community ignore
AS Path Communities

by Jeremy Stretch v2.1-r1

BGP · PART 2 packetlife.net
Configuration Example

interface Serial1/0 Router A

AS 65100 description Backbone to B
ip address 172.16.0.1 255.255.255.252
F2/0 !
A interface Serial1/1
S1/0 S1/1 description Backbone to C
ip address 172.16.0.5 255.255.255.252
!
172.16.0.0/30 interface FastEthernet2/0
172.16.0.4/30 description LAN
ip address 192.168.1.1 255.255.255.0
AS 65200 !
S1/0 S1/0 router bgp 65100
F0/0 F0/0 no synchronization
network 172.16.0.0 mask 255.255.255.252
10.0.0.0/30 network 172.16.0.4 mask 255.255.255.252
B C
network 192.168.1.0
F2/0 F2/0 neighbor South peer-group
neighbor South remote-as 65200
neighbor 172.16.0.2 peer-group South
OSPF neighbor 172.16.0.6 peer-group South
no auto-summary

interface FastEthernet0/0 Router B interface FastEthernet0/0 Router C

description Backbone to C description Backbone to B
ip address 10.0.0.1 255.255.255.252 ip address 10.0.0.2 255.255.255.252
! !
interface Serial1/0 interface Serial1/0
description Backbone to A description Backbone to A
ip address 172.16.0.2 255.255.255.252 ip address 172.16.0.6 255.255.255.252
! !
interface FastEthernet2/0 interface FastEthernet2/0
description LAN description LAN
ip address 192.168.2.1 255.255.255.0 ip address 192.168.3.1 255.255.255.0
! !
router ospf 100 router ospf 100
network 10.0.0.1 0.0.0.0 area 0 network 10.0.0.2 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 1 network 192.168.3.1 0.0.0.0 area 2
! !
router bgp 65200 router bgp 65200
no synchronization no synchronization
redistribute ospf 100 route-map LAN_Subnets redistribute ospf 100 route-map LAN_Subnets
neighbor 10.0.0.2 remote-as 65200 neighbor 10.0.0.1 remote-as 65200
neighbor 172.16.0.1 remote-as 65100 neighbor 172.16.0.5 remote-as 65100
no auto-summary no auto-summary
! !
access-list 10 permit 192.168.0.0 0.0.255.255 access-list 10 permit 192.168.0.0 0.0.255.255
! !
route-map LAN_Subnets permit 10 route-map LAN_Subnets permit 10
match ip address 10 match ip address 10
set metric 100 set metric 100

Router A Routing Table Router B Routing Table

172.16.0.0/30 is subnetted, 2 subnets 172.16.0.0/30 is subnetted, 2 subnets

C 172.16.0.4 is directly connected, S1/1 B 172.16.0.4 [20/0] via 172.16.0.1
C 172.16.0.0 is directly connected, S1/0 C 172.16.0.0 is directly connected, S1/0
C 192.168.1.0/24 is directly connected, F2/0 10.0.0.0/30 is subnetted, 1 subnets
B 192.168.2.0/24 [20/100] via 172.16.0.2 C 10.0.0.0 is directly connected, F0/0
B 192.168.3.0/24 [20/100] via 172.16.0.2 B 192.168.1.0/24 [20/0] via 172.16.0.1
C 192.168.2.0/24 is directly connected, F2/0
O IA 192.168.3.0/24 [110/2] via 10.0.0.2, F0/0

by Jeremy Stretch v2.1-r1

IS-IS · PART 1 packetlife.net
Protocol Header Attributes
4 8 12 16 Type Link-State
IRPD Packet Length
Algorithm Dijkstra
Version/Protocol ID Extension ID Length
Metric Default (10)
R R R PDU Type Version
AD 115
Reserved Maximum Area Addresses
Standard ISO 10589
Type Length
Protocols IP, CLNS
Value ...
Transport Layer 2

NSAP Addressing Authentication Plaintext, MD5

Interdomain Part Domain-Specific Part Routing Levels

Level 0 Used to locate end systems
NSAP AFI IDI HODSP
System ID SEL Level 1 Routing within an area
Condensed Area
Level 2 Backbone between areas
Example 47 0005.80ff.f800.0000 0001 0000.0c00.1234 00
Level 3 Inter-AS routing

Interdomain Part (IDP) Terminology

Portion of the address used in routing between autonomous
Type-Length-Value (TLV)
systems; assigned by ISO
Variable-length modular datasets
Domain-Specific Part (DSP)
Link State PDU (LSP)
Portion of the address relevant only within the local AS
Carry TLVs encompassing link state
Authority and Format Identifier (AFI) information
Identifies the authority which dictates the format of the address Sequence Number Packet (SNP)
Used to request and advertise LSPs; can
Initial Domain Identifier (IDI)
be complete (CSNP) or partial (PSNP)
An organization belonging to the AFI
Hello Packet
High Order DSP (HODSP) Establishes and maintains neighbor
The area within the AS adjacencies
System ID Designated Intermediate System
Unique router identifier; 48 bits for Cisco devices (often taken from A pseudonode responsible for emulating
a MAC address) point-to-point links across a multi-access
NSAP Selector (SEL) segment
Identifies a network layer service; always 0x00 in a NET address
Adjacency Requirements
Network Types · Interface MTUs must match
Broadcast Point-to-Point · Levels must match
DIS Elected Yes No · Areas must match (if level 1)
Neighbor Discovery Yes Yes · System IDs must be unique
Hello/Dead Timers 10/30 10/30 · Authentication must succeed
Troubleshooting DIS Election
show ip route show isis spf-log · Highest-priority interface elected
show ip protocols debug isis spf-events · Highest SNPA (MAC/DLCI) breaks tie
show [clns|isis] neighbor debug isis adjacencies-packets · Highest system ID breaks SNPA tie
show [clns|isis] interface debug isis spf-statistics · Default interface priority is 64
show isis database debug isis update-packets · Current DIS may be preempted

by Jeremy Stretch v2.0

IS-IS · PART 2 packetlife.net
TLV Types
Name Use Name Use Name Use

1 Area Addresses Hello, LSP 6 IS Neighbors Hello, L2 LSP 128 IP Internal Reach. LSP
2 IS Neighbors LSP 8 Padding Hello 129 Protocols Supported Hello, LSP
3 ES Neighbors L1 LSP 9 LSP Entries SNP 131 IDRPI SNP, L2 LSP
5 Prefix Neighbors L2 LSP 10 Authentication All 132 IP Interface Address Hello, LSP

Configuration Example

Area 1 Router A2
192.168.1.0/24 interface FastEthernet0/0
description Area 1
ip address 192.168.1.2 255.255.255.0
A3 ip router isis
A2 isis circuit-type level-1
!
router isis
A1 net 49.0001.0000.0000.00a2.00
10
0
/3

.0

Router B2
.0

.0

Area 2 Area 3
0

.4/

interface FastEthernet0/0
.0.

192.168.2.0/24 192.168.3.0/24
10

30

description Area 2
ip address 192.168.2.2 255.255.255.0
ip router isis
B2 C2 isis circuit-type level-1
10.0.0.8/30 !
B1 C1 router isis
B3 net 49.0002.0000.0000.00b2.00
C3

Router A1 Router B1
interface FastEthernet0/0 interface FastEthernet0/0
description Area 1 description Area 2
ip address 192.168.1.1 255.255.255.0 ip address 192.168.2.1 255.255.255.0
ip router isis ip router isis
isis circuit-type level-1 isis circuit-type level-1
! !
interface Serial1/0 interface Serial1/0
no ip address no ip address
encapsulation frame-relay encapsulation frame-relay
! !
interface Serial1/0.1 point-to-point interface Serial1/0.1 point-to-point
description To Area 2 description To Area 1
ip address 10.0.0.1 255.255.255.252 ip address 10.0.0.2 255.255.255.252
ip router isis ip router isis
isis circuit-type level-2-only isis circuit-type level-2-only
! MD5 authentication (keychain not shown) ! MD5 authentication (keychain not shown)
isis authentication mode md5 isis authentication mode md5
isis authentication key-chain <keychain> isis authentication key-chain <keychain>
frame-relay interface-dlci 101 frame-relay interface-dlci 101
! !
interface Serial1/0.2 point-to-point interface Serial1/0.2 point-to-point
description To Area 3 description To Area 3
ip address 10.0.0.5 255.255.255.252 ip address 10.0.0.9 255.255.255.252
ip router isis ip router isis
isis circuit-type level-2-only isis circuit-type level-2-only
frame-relay interface-dlci 102 frame-relay interface-dlci 103
! !
router isis router isis
net 49.0001.0000.0000.00a1.00 net 49.0002.0000.0000.00b1.00

by Jeremy Stretch v2.0

IPSEC packetlife.net
Protocols Encryption Algorithms
Internet Security Association and Key Management Type Key Length (Bits) Strength
Protocol (ISAKMP) DES Symmetric 56 Weak
A framework for the negotiation and management of
security associations between peers (traverses UDP/500) 3DES Symmetric 168 Medium

Internet Key Exchange (IKE) AES Symmetric 128/192/256 Strong

Responsible for key agreement using asymmetric RSA Asymmetric 1024+ Strong
cryptography
Encapsulating Security Payload (ESP) Hashing Algorithms
Provides data encryption, data integrity, and peer Length (Bits) Strength
authentication; IP protocol 50 MD5 128 Medium
Authentication Header (AH)
SHA-1 160 Strong
Provides data integrity and peer authentication, but not data
encryption; IP protocol 51 IKE Phases
IPsec Modes Phase 1
A bidirectional ISAKMP SA is established
Original between peers to provide a secure management
L2 IP TCP/UDP
Packet channel (IKE in main or aggressive mode)
Transport Phase 1.5 (optional)
L2 IP ESP/AH TCP/UDP
Mode Xauth can optionally be implemented to enforce
user authentication
Tunnel
L2 New IP ESP/AH IP TCP/UDP Phase 2
Mode
Two unidirectional IPsec SAs are established for
Transport Mode data transfer using separate keys (IKE quick
The ESP or AH header is inserted behind the IP header; the mode)
IP header can be authenticated but not encrypted
Terminology
Tunnel Mode
A new IP header is created in place of the original; this Data Integrity
allows for encryption of the entire original packet Secure hashing (HMAC) is used to ensure data
has not been altered in transit
Configuration Data Confidentiality
ISAKMP Policy Encryption is used to ensure data cannot be
crypto isakmp policy 10
encryption aes 256
intercepted by a third party
hash sha Data Origin Authentication
authentication pre-share Authentication of the SA peer
group 2
lifetime 3600 Anti-replay
Sequence numbers are used to detect and
ISAKMP Pre-Shared Key discard duplicate packets
crypto isakmp key 1 MySecretKey address 10.0.0.2 Hash Message Authentication Code (HMAC)
A hash of the data and secret key used to
IPsec Transform Set provide message authenticity
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
mode tunnel Diffie-Hellman Exchange
A shared secret key is established over an
IPsec Profile insecure path using public and private keys
crypto ipsec profile MyProfile
set transform-set MyTS Troubleshooting
show crypto isakmp sa
interface Tunnel0 Virtual Tunnel Interface
ip address 172.16.0.1 255.255.255.252 show crypto isakmp policy
tunnel source 10.0.0.1
tunnel destination 10.0.0.2 show crypto ipsec sa
tunnel mode ipsec ipv4 show crypto ipsec transform-set
tunnel protection ipsec profile MyProfile
debug crypto {isakmp | ipsec}

by Jeremy Stretch v2.0

FRAME MODE MPLS packetlife.net
Protocol Header Conceptual Components
8 16 24 32 Control Plane
Label TC S TTL Facilitates label exchange between neighboring
LSRs using LDP or TDP (includes the LIB)
Forwarding/Data Plane
L2 IP Forwards packets based on label or destination
IP address (includes the FIB and LFIB)
Label stack
Label Protocols
Label (20 bits) · Unique label value LDP TDP

Traffic Class (3 bits) · CoS-mapped QoS marking Hello Address 224.0.0.2 255.255.255.255
Bottom of Stack (1 bit) · Indicates label is last in the stack Hello Port UDP/646 UDP/711
Time To Live (8 bits) · Hop counter mapped from IP TTL Adjacency Port TCP/646 TCP/711

Label Switched Path Proprietary No Cisco

Terminology
Provider Network
Label Distribution Protocol (LDP)
PE P PE Standards-based label distribution protocol
P
defined in RFC 3036

P Tag Distribution Protocol (TDP)

Cisco's proprietary predecessor to LDP
LSP
Label Switching Router (LSR)
Any router performing label switching (MPLS)

Customer Network Label-Switched Path (LSP)

The unidirectional path through one or more
LSRs taken by a label-switched packet
belonging to an FEC
CE C C CE
Forwarding Equivalence Class (FEC)
A group of packets which are forwarded in an
Customer (C) · IP-only routers internal to customer network identical manner, typically by destination prefix
Customer Edge (CE) · C routers which face PE routers and/or traffic class
Label Information Base (LIB)
Provider Edge (PE) · LSRs on the MPLS-IP boundary
Contains all labels learned by an LSR via a label
Provider (P) · MPLS-only LSRs in provider network distribution protocol

MPLS Configuration Forwarding Information Base (FIB)

Routing database for unlabeled (IP) packets
! Enable CEF Label FIB (LFIB)
ip cef Routing database for labeled (MPLS) packets
! Select label protocol Interim Packet Propagation
mpls label protocol ldp An LSR temporarily falls back to IP routing
while waiting to learn the necessary MPLS
! Enable MPLS on IP interfaces label(s)
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252 Penultimate Hop Popping (PHP)
mpls ip The second-to-last LSR in an LSP removes the
! Raise MPLS MTU to accommodate multilabel stack MPLS label so the last LSR only has to perform
mpls mtu 1512 an IP lookup

Troubleshooting
show mpls interfaces show mpls ldp bindings [detail] (LIB) show ip cef [detail] (FIB)
show mpls ldp neighbors show mpls forwarding-table [detail] (LFIB) debug mpls […]

by Jeremy Stretch v2.0

QUALITY OF SERVICE · PART 1 packetlife.net
Quality of Service Models IP Type of Service (TOS)
Best Effort · No QoS policies are implemented
Precedence
Integrated Services (IntServ)
Resource Reservation Protocol (RSVP) is used to reserve bandwidth per-
flow across all nodes in a path Ver HL TOS Len

Differentiated Services (DiffServ)

Packets are individually classified and marked; policy decisions are made DSCP
independently by each node in a path

Layer 2 QoS Markings Precedence/DSCP

Binary DSCP Prec.
Medium Name Type

Ethernet Class of Service (CoS) 3-bit 802.1p field in 802.1Q header 56 111000 Reserved 7

Frame Relay Discard Eligibility (DE) 1-bit drop eligibility flag 48 110000 Reserved 6

ATM Cell Loss Priority (CLP) 1-bit drop eligibility flag 46 101110 EF 5

MPLS Traffic Class (TC) 3-bit field compatible with 802.1p 32 100000 CS4
34 100010 AF41
IP QoS Markings 4
36 100100 AF42
IP Precedence
The first three bits of the IP TOS field; limited to 8 traffic classes 38 100110 AF43
Differentiated Services Code Point (DSCP) 24 011000 CS3
The first six bits of the IP TOS are evaluated to provide more granular
26 011010 AF31
classification; backward-compatible with IP Precedence 3
28 011100 AF32
QoS Flowchart
30 011110 AF33
No 16 010000 CS2
Software Queue
18 010010 AF21
Scheduler

HW Yes 2
Queuing Hardware
Queue Software Queue 20 010100 AF22
Decision Queue
Full?
Software Queue 22 010110 AF23
8 001000 CS1

Terminology 10 001010 AF11

1
Per-Hop Behavior (PHB) 12 001100 AF12
The individual QoS action performed at each independent DiffServ node 14 001110 AF13
Trust Boundary · Beyond this, inbound QoS markings are not trusted 0 000000 BE 0
Tail Drop · Occurs when a packet is dropped because a queue is full
Congestion Avoidance
Policing
Imposes an artificial ceiling on the amount of bandwidth that may be Random Early Detection (RED)
consumed; traffic exceeding the policer rate is reclassified or dropped Packets are randomly dropped
before a queue is full to prevent tail
Shaping
drop; mitigates TCP
Similar to policing but buffers excess traffic for delayed transmission;
synchronization
makes more efficient use of bandwidth but introduces a delay
TCP Synchronization Weighted RED (WRED)
Flows adjust TCP window sizes in synch, making inefficient use of a link RED with the added capability of
recognizing prioritized traffic based
DSCP Per-Hop Behaviors on its marking
Class Selector (CS) · Backward-compatible with IP Precedence values Class-Based WRED (CBWRED)
Assured Forwarding (AF) · Four classes with variable drop preferences WRED employed inside a class-
based WFQ (CBWFQ) queue
Expedited Forwarding (EF) · Priority queuing for delay-sensitive traffic

by Jeremy Stretch v2.0

QUALITY OF SERVICE · PART 2 packetlife.net
Queuing Comparison
FIFO PQ CQ WFQ CBWFQ LLQ

Default on Interfaces >2 Mbps No No <=2 Mbps No No

Number of Queues 1 4 Configured Dynamic Configured Configured
Configurable Classes No Yes Yes No Yes Yes
Bandwidth Allocation Automatic Automatic Configured Automatic Configured Configured
Provides for Minimal Delay No Yes No No No Yes
Modern Implementation Yes No No No Yes Yes

First In First Out (FIFO) Priority Queuing (PQ) LLQ Config Example

High Class Definitions

Tx ! Match packets by DSCP value

Ring Medium class-map match-all Voice
match dscp ef
Normal
Hardware
!
Hardware Queue Queue class-map match-all Call-Signaling
Low match dscp cs3
· Packets are transmitted in the !
order they are processed · Provides four static queues which class-map match-any Critical-Apps
cannot be reconfigured match dscp af21 af22
· No prioritization is provided
!
· Default queuing method on high- · Higher-priority queues are ! Match packets by access list
speed (>2 Mbps) interfaces always emptied before lower- class-map match-all Scavenger
priority queues match access-group name Other
· Configurable with the tx-ring-
limit interface config command · Lower-priority queues are at risk
policy-map Foo Policy Creation
of bandwidth starvation
Custom Queuing (CQ) class Voice
Weighted Fair Queuing (WFQ) ! Priority queue policed to 33%
Queue A 500 B/cycle priority percent 33
Flow 1 class Call-Signaling
Queue B 4500 B/cycle ! Allocate 5% of bandwidth
Flow 2 bandwidth percent 5
Hardware
Queue C 1500 B/cycle Queue ... class Critical-Apps
Hardware bandwidth percent 20
· Rotates through queues using Flow n Queue ! Extend queue size to 96 packets
Weighted Round Robin (WRR) queue-limit 96
· Queues are dynamically created class Scavenger
· Processes a configurable number ! Police to 64 kbps
per flow to ensure fair processing
of bytes from each queue per turn police cir 64000
· Statistically drops packets from
· Prevents queue starvation but conform-action transmit
aggressive flows more often exceed-action drop
does not provide for delay-
sensitive traffic · No support for delay-sensitive class class-default
traffic ! Enable WFQ
Class-Based WFQ (CBWFQ) fair-queue
Low Latency Queuing (LLQ) ! Enable WRED
random-detect
Queue A 512 Kbps Min
Priority 512 Kbps Max
interface Serial0 Policy Application
Queue B 1024 Kbps Min
Queue A 512 Kbps Min ! Apply the policy in or out
Hardware service-policy output Foo
Default Remainder Queue Queue B 1024 Kbps Min

· WFQ with administratively Hardware LLQ Config Example

Default Remainder Queue
configured queues show policy-map [interface]
· Each queue is allocated an · CBWFQ with the addition of a
Show interface
amount/percentage of bandwidth policed strict-priority queue
· No support for delay-sensitive · Highly configurable while still show queue <interface>
traffic supporting delay-sensitive traffic Show mls qos

by Jeremy Stretch v2.0

VOIP BASICS packetlife.net
Pulse Code Modulation (PCM) Power Over Ethernet (PoE)
14 13.6 13.5 14 14 Cisco Inline Power (ILP)
12
12.3
12.4 12 12 Pre-standard; employs a 340 kHz tone
10 9.2 10 10 to detect devices; power needs
8 9.1 8 8 communicated via CDP
6 6.0 5.9 6 6
4
2.8 2.7
4 4 IEEE 802.3af
2 0.9 1.0
2 2 Detects power requirements of PoE
0 0 0
device by the line resistance present
Sampling Quantization Encoding
IEEE 802.3at
Sampling Uses LLDP to negotiate delivery of up
8000 discrete signal measurements are taken at equal intervals every second to 25 watts in .10 W intervals
Quantization
The level of each sample is rounded to the nearest expressible value IEEE 802.3af Classes
Encoding 0 15.4 W 3 15.4 W
Digital values are encoded as binary numbers for encapsulation
1 4W 4 Reserved
Compression (Optional)
The digital signal is compressed in real time to consume less bandwidth 2 7W

Voice Codecs IP Phone Boot Process

MOS Bandwidth Complexity Free

G.722 SB-ADPCM 4.13 48-64 kbps Medium Yes 3

G.711 PCM 4.1 64 kbps Low Yes

iLBC 4.1 15.2 kbps High Yes 2
5
G.729 CS-ACELP 3.92 8 kbps High No 1 4
G.726 ADPCM 3.85 32 kbps Medium Yes
G.729a CS-ACELP 3.7 8 kbps Medium No TFTP Server Call Server

G.728 LD-CELP 3.61 16 kbps High No 1. Power Over Ethernet (Optional)

Power is supplied via IEEE 802.3af/at or Cisco ILP
Signaling Protocols
2. VLANs Learned via CDP or LLDP
ITU-T H.323 Voice and data VLANs communicated via CDP/LLDP
Originally designed for multimedia transmission over ISDN; mature
and widely supported; peer-to-peer call control 3. IP Assignment via DHCP
The phone sends a DHCP request in the voice VLAN;
Session Initiation Protocol (SIP) the response includes an IP and DHCP option 150
Text-based, similar in nature to HTTP; defined in RFC 3261; peer-
to-peer call control 4. Configuration Retrieved via TFTP
The phone retrieves its configuration from one of the
Media Gateway Control Protocol (MGCP) TFTP servers specified in the DHCP option
Employs centralized call control; defined in RFC 3661
5. Registration
Skinny Client Control Protocol (SCCP) The phone registers with the call server(s) specified
Cisco-proprietary; limited support on gateways; centralized control in its configuration

Calculating Required Bandwidth Access Switch Port Configuration

G.711/Ethernet Example
interface FastEthernet0/1
Codec Payload
64 Kbps × 20 msec 160 B
(Bitrate × Sample Size) ! Configure data and voice access VLANs
L2 Overhead Ethernet (18) + 802.1Q (4) + 22 B switchport access vlan <VLAN>
switchport voice vlan <VLAN>
L3 Overhead IP (20) + 20 B
! Trust ingress QoS markings
L4 Overhead UDP (8) + RTP (12) + 20 B mls qos trust cos
Packets per Second 1000 msec / 20 msec × 50 pps
! Optionally pre-allocate power for the port
Total Bandwidth 88.8 Kbps power inline static [max <wattage>]

by Jeremy Stretch v1.0

WIRESHARK DISPLAY FILTERS · PART 1 packetlife.net
Ethernet ARP
eth.addr eth.len eth.src arp.dst.hw_mac arp.proto.size
eth.dst eth.lg eth.trailer arp.dst.proto_ipv4 arp.proto.type
eth.ig eth.multicast eth.type arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
IEEE 802.1Q
arp.opcode
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer TCP
tcp.ack tcp.options.qs
IPv4
tcp.checksum tcp.options.sack
ip.addr ip.fragment.overlap.conflict
tcp.checksum_bad tcp.options.sack_le
ip.checksum ip.fragment.toolongfragment
tcp.checksum_good tcp.options.sack_perm
ip.checksum_bad ip.fragments
tcp.continuation_to tcp.options.sack_re
ip.checksum_good ip.hdr_len
tcp.dstport tcp.options.time_stamp
ip.dsfield ip.host
tcp.flags tcp.options.wscale
ip.dsfield.ce ip.id
tcp.flags.ack tcp.options.wscale_val
ip.dsfield.dscp ip.len
tcp.flags.cwr tcp.pdu.last_frame
ip.dsfield.ect ip.proto
tcp.flags.ecn tcp.pdu.size
ip.dst ip.reassembled_in
tcp.flags.fin tcp.pdu.time
ip.dst_host ip.src
tcp.flags.push tcp.port
ip.flags ip.src_host
tcp.flags.reset tcp.reassembled_in
ip.flags.df ip.tos
tcp.flags.syn tcp.segment
ip.flags.mf ip.tos.cost
tcp.flags.urg tcp.segment.error
ip.flags.rb ip.tos.delay
tcp.hdr_len tcp.segment.multipletails
ip.frag_offset ip.tos.precedence
tcp.len tcp.segment.overlap
ip.fragment ip.tos.reliability
tcp.nxtseq tcp.segment.overlap.conflict
ip.fragment.error ip.tos.throughput
tcp.options tcp.segment.toolongfragment
ip.fragment.multipletails ip.ttl
tcp.options.cc tcp.segments
ip.fragment.overlap ip.version
tcp.options.ccecho tcp.seq
IPv6 tcp.options.ccnew tcp.srcport
ipv6.addr ipv6.hop_opt tcp.options.echo tcp.time_delta
ipv6.class ipv6.host tcp.options.echo_reply tcp.time_relative
ipv6.dst ipv6.mipv6_home_address tcp.options.md5 tcp.urgent_pointer
ipv6.dst_host ipv6.mipv6_length tcp.options.mss tcp.window_size
ipv6.dst_opt ipv6.mipv6_type tcp.options.mss_val
ipv6.flow ipv6.nxt
UDP
ipv6.fragment ipv6.opt.pad1
udp.checksum udp.dstport udp.srcport
ipv6.fragment.error ipv6.opt.padn
udp.checksum_bad udp.length
ipv6.fragment.more ipv6.plen
udp.checksum_good udp.port
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr Operators Logic
ipv6.fragment.overlap ipv6.routing_hdr.addr eq or == and or && Logical AND
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left ne or != or or || Logical OR
ipv6.fragment.toolongfragment ipv6.routing_hdr.type gt or > xor or ^^ Logical XOR
ipv6.fragments ipv6.src lt or < not or ! Logical NOT
ipv6.fragment.id ipv6.src_host ge or >= [n] […] Substring operator
ipv6.hlim ipv6.version le or <=

by Jeremy Stretch v2.0

WIRESHARK DISPLAY FILTERS · PART 2 packetlife.net
Frame Relay ICMPv6
fr.becn fr.de icmpv6.all_comp icmpv6.option.name_type.fqdn
fr.chdlctype fr.dlci icmpv6.checksum icmpv6.option.name_x501
fr.control fr.dlcore_control icmpv6.checksum_bad icmpv6.option.rsa.key_hash
fr.control.f fr.ea icmpv6.code icmpv6.option.type
fr.control.ftype fr.fecn icmpv6.comp icmpv6.ra.cur_hop_limit
fr.control.n_r fr.lower_dlci icmpv6.haad.ha_addrs icmpv6.ra.reachable_time
fr.control.n_s fr.nlpid icmpv6.identifier icmpv6.ra.retrans_timer
fr.control.p fr.second_dlci icmpv6.option icmpv6.ra.router_lifetime
fr.control.s_ftype fr.snap.oui icmpv6.option.cga icmpv6.recursive_dns_serv
fr.control.u_modifier_cmd fr.snap.pid icmpv6.option.length icmpv6.type
fr.control.u_modifier_resp fr.snaptype icmpv6.option.name_type
fr.cr fr.third_dlci
RIP
fr.dc fr.upper_dlci
rip.auth.passwd rip.ip rip.route_tag
PPP rip.auth.type rip.metric rip.routing_domain
ppp.address ppp.direction rip.command rip.netmask rip.version
ppp.control ppp.protocol rip.family rip.next_hop

MPLS BGP
mpls.bottom mpls.oam.defect_location bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
mpls.cw.control mpls.oam.defect_type bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
mpls.cw.res mpls.oam.frequency bgp.as_path bgp.multi_exit_disc
mpls.exp mpls.oam.function_type bgp.cluster_identifier bgp.next_hop
mpls.label mpls.oam.ttsi bgp.cluster_list bgp.nlri_prefix
mpls.oam.bip16 mpls.ttl bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
ICMP
bgp.local_pref bgp.type
icmp.checksum icmp.ident icmp.seq
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw HTTP

DTP http.accept http.proxy_authorization

http.accept_encoding http.proxy_connect_host
dtp.neighbor dtp.tlv_type vtp.neighbor
http.accept_language http.proxy_connect_port
dtp.tlv_len dtp.version
http.authbasic http.referer
VTP http.authorization http.request
vtp.code vtp.vlan_info.802_10_index http.cache_control http.request.method
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id http.connection http.request.uri
vtp.followers vtp.vlan_info.len http.content_encoding http.request.version
vtp.md vtp.vlan_info.mtu_size http.content_length http.response
vtp.md5_digest vtp.vlan_info.status.vlan_susp http.content_type http.response.code
vtp.md_len vtp.vlan_info.tlv_len http.cookie http.server
vtp.seq_num vtp.vlan_info.tlv_type http.date http.set_cookie
vtp.start_value vtp.vlan_info.vlan_name http.host http.transfer_encoding
vtp.upd_id vtp.vlan_info.vlan_name_len http.last_modified http.user_agent
vtp.upd_ts vtp.vlan_info.vlan_type http.location http.www_authenticate
vtp.version http.notification http.x_forwarded_for
http.proxy_authenticate

by Jeremy Stretch v2.0