2013-06-12

Internet Protocol (IPv4)

Version (4 bits) - IP version (4 or 6)

Header length (4 bits) - Length of header plus any options

Type of Service (TOS) (8 bits) - Used for QoS; can also be evaluated as DiffServ Code Point (DSCP)

Total length (16 bits) - Total packet size

Identifier (16 bits) - Identifies fragments belonging to a single original packet

Fragmentation flags (3 bits) - Three flags: unused, Don't Fragment (DF), and More Fragments (MF)

Fragment offset (13 bits) - Specifies the offset of a fragment from the beginning of the original packet (in units of eight bytes)

Time to Live (TTL) (8 bits) - Tracks hop count

Protocol (8 bits) - Identifies the upper-layer protocol

Header checksum (16 bits) - Used for header error detection

Source address (32 bits)

Destination address (32 bits)

Options (variable length) - Optional attributes generated by the originator

Common IP options:

Loose source routing - A list of IP addresses (router interfaces) the packet should traverse

Strict source routing - A routing path which must be followed exactly

Record route - Routers traversed record the address of their outbound interface on the packet

Timestamp - Like record route but also includes a timestamp
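As an added example (not part of the original notes), the following Python decodes the header fields listed above with the standard library's struct module, verifies the header checksum (which covers the header only, as the notes say), expands the flags and the 8-byte-unit fragment offset, and walks the options. The option type codes are the standard RFC 791 assignments for the four options named above (7 record route, 68 timestamp, 131 loose source route, 137 strict source route); they are not on the page. The sample packet is constructed in the code. Source-route options are worth reporting explicitly on ingress, so the parser exposes them through is_source_routed().

```python
import struct

# Well-known IPv4 option type codes (RFC 791); the numeric values are not on the
# page but are the standard assignments for the options named above.
OPT_END, OPT_NOP, OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR = 0, 1, 7, 68, 131, 137
OPT_NAMES = {OPT_RR: "record route", OPT_TS: "timestamp",
             OPT_LSRR: "loose source routing", OPT_SSRR: "strict source routing"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 when a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte header, verify its checksum, then walk the options."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4 or hdr_len < 20 or len(pkt) < hdr_len or total_len < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    options, i = [], 20
    while i < hdr_len:
        kind = pkt[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        olen = pkt[i + 1]
        if olen < 2 or i + olen > hdr_len:
            raise ValueError("malformed option length")
        body = pkt[i + 2:i + olen]
        opt = {"type": kind, "name": OPT_NAMES.get(kind, "unknown")}
        if kind in (OPT_LSRR, OPT_SSRR, OPT_RR):
            # one pointer byte, then a list of 4-byte router addresses
            opt["pointer"] = body[0]
            opt["hops"] = [dotted(body[j:j + 4]) for j in range(1, len(body) - 3, 4)]
        options.append(opt)
        i += olen
    return {
        "version": version, "header_length": hdr_len, "dscp": tos >> 2,
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": checksum(pkt[:hdr_len]) == 0,      # header only, as the notes say
        "src": dotted(src), "dst": dotted(dst), "options": options,
    }


def is_source_routed(info: dict) -> bool:
    """True when a loose or strict source-route option is present."""
    return any(o["type"] in (OPT_LSRR, OPT_SSRR) for o in info["options"])


def build_ipv4(src, dst, proto, options=b"", payload=b"", ttl=64, ident=0x1234):
    """Constructed-sample builder (demo only): pads options to a 32-bit boundary, sets DF."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, ident, 0x4000, ttl, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr + options)) + hdr[12:]
    return hdr + options + payload


# Constructed sample: a TCP packet carrying a loose source route through two hops.
SAMPLE = build_ipv4("192.0.2.10", "198.51.100.7", 6,
                    options=bytes([OPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2]),
                    payload=b"\x00" * 8)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE))
```

The checksum check relies on the one's-complement property: summing the header including its stored checksum yields all ones, so checksum() returns 0 only for an intact header.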

Address Resolution Protocol (ARP)

ARP header:

Hardware type (16 bits) - Identifies the type of layer 2 technology (Ethernet, HDLC, etc.)

Protocol type (16 bits) - Identifies the network-layer protocol

Hardware address length (8 bits) - Length of the data link address in bytes (e.g. MAC = 6)

Protocol address length (8 bits) - Length of the network address in bytes (e.g. IP = 4)

Operation (16 bits) - Packet type (request/reply type)

Sender's hardware address

Sender's network address

Target hardware address

Target network address

Cisco routers cache ARP entries for four hours by default (this can be modified with arp timeout at interface configuration).

Proxy ARP

Proxy ARP allows a router to issue ARP replies to one subnet on behalf of a host in another subnet, to facilitate inter-subnet communication with a host not configured with a default gateway.

The proxy ARP reply will contain the router's own hardware address for that subnet.

Gratuitous ARP

A gratuitous ARP request is one requesting a reply for the sender's own IP address.

Gratuitous ARP can be used to check for duplicate addresses or to announce the existence of a new host.
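As an added example (not from the original notes), this Python decodes the ARP header fields listed above, recognises a gratuitous ARP (sender and target protocol addresses equal), and keeps a defender-side IP-to-MAC table that reports when a sender's hardware address changes, which is how both duplicate addresses and ARP spoofing surface. The Operation values 1 to 4 are the standard RFC 826/903 assignments; the frames are constructed in the code.

```python
import struct

# Standard ARP/RARP Operation values (RFC 826 and RFC 903); not listed on the page.
ARP_REQUEST, ARP_REPLY, RARP_REQUEST, RARP_REPLY = 1, 2, 3, 4
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def parse_arp(frame: bytes) -> dict:
    """Decode the fixed 8-byte ARP header, then the four variable-length address fields."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[:8])
    if len(frame) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP payload shorter than the advertised address lengths")
    fields, off = [], 8
    for length in (hlen, plen, hlen, plen):   # sender HW, sender proto, target HW, target proto
        fields.append(frame[off:off + length])
        off += length
    sha, spa, tha, tpa = fields
    if htype == HTYPE_ETHERNET and hlen == 6:
        sha, tha = mac_str(sha), mac_str(tha)
    if ptype == PTYPE_IPV4 and plen == 4:
        spa, tpa = ".".join(map(str, spa)), ".".join(map(str, tpa))
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: the sender asks about (or announces) its own protocol address."""
    return arp["oper"] in (ARP_REQUEST, ARP_REPLY) and arp["spa"] == arp["tpa"]


class ArpWatch:
    """Defender-side view of the ARP cache: remember IP -> MAC and report changes.
    (The four-hour Cisco cache timeout mentioned in the notes is not modelled.)"""

    def __init__(self):
        self.table = {}

    def observe(self, arp: dict):
        """Return a message when a sender IP changes MAC (duplicate address or spoof), else None."""
        if arp["oper"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        prev = self.table.get(arp["spa"])
        self.table[arp["spa"]] = arp["sha"]
        if prev is not None and prev != arp["sha"]:
            return "%s changed from %s to %s" % (arp["spa"], prev, arp["sha"])
        return None


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed-sample builder (demo only) for Ethernet/IPv4 ARP."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


# Constructed samples: a normal request, a gratuitous request, and two replies for
# the same IP that disagree on the hardware address.
NORMAL = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
GRATUITOUS = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.5")
REPLY_A = build_arp(ARP_REPLY, "00:aa:bb:cc:dd:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")
REPLY_B = build_arp(ARP_REPLY, "00:aa:bb:cc:dd:02", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")

if __name__ == "__main__":
    watch = ArpWatch()
    for frame in (NORMAL, GRATUITOUS, REPLY_A, REPLY_B):
        arp = parse_arp(frame)
        print(arp["oper"], arp["spa"], "gratuitous" if is_gratuitous(arp) else "", watch.observe(arp))
```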

Reverse ARP (RARP)

Reverse ARP occurs when the sender requests the network address for a given hardware address.

For purposes of initial device addressing, RARP has been superseded by BOOTP and DHCP.

Internet Control Message Protocol (ICMP)

ICMP header:

Type (8 bits)

Code (8 bits)

Checksum (16 bits)

Other fields... (variable)

Common ICMP types:

0 - Echo reply

3 - Destination unreachable

5 - Redirect

6 - Alternate host address

8 - Echo

9 - Router advertisement

10 - Router selection

11 - Time exceeded

12 - Parameter problem

13 - Timestamp

14 - Timestamp reply

30 - Traceroute

Transmission Control Protocol (TCP)

TCP header:

Source port (16 bits)

Destination port (16 bits)

Sequence number (32 bits) - Identifies the position of a segment within a stream

Acknowledgment number (32 bits) - Identifies the sequence number the source next expects to receive

Header length (4 bits)

Reserved (4 bits)

Flags (8 bits)

Window size (16 bits) - Flow control; specifies the amount of data that may be transmitted from the peer between acknowledgments

Checksum (16 bits) - Error detection for the header and payload

Urgent pointer (16 bits) - Points to the end of urgent data; used only when the URG flag is set

Options (variable)

TCP flags:

URG - Urgent data

ACK - Acknowledgment

PSH - Push

RST - Reset

SYN - Synchronize

FIN - Final
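As an added example (not from the original notes), this Python decodes the TCP header fields and flag bits listed above and verifies the checksum, which (as the notes say) covers header and payload; the computation also prepends the IPv4 pseudo-header (source and destination address, protocol 6, TCP length), which is why the caller must supply the IP addresses. The two high bits of the flags byte are named ECE and CWR per RFC 3168, which the notes do not list. flag_anomaly() is a simple detection check for flag combinations a normal stack never sends. Segments are constructed in the code.

```python
import struct
from typing import Optional

# Flag bits, least significant first; the notes list the six classic flags, and
# RFC 3168 assigns the remaining two bits of the 8-bit field to ECE and CWR.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
F_FIN, F_SYN, F_RST, F_PSH, F_ACK, F_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = struct.Struct("!HHIIBBHHH")   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means a stored checksum verified."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (addresses, zero, protocol 6, TCP length) plus the segment."""
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)


def parse_tcp(segment: bytes, src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> dict:
    sport, dport, seq, ack, off, flags, window, _csum, urg = TCP_HDR.unpack(segment[:20])
    hdr_len = (off >> 4) * 4   # data offset is in 32-bit words; the low 4 bits are reserved
    if hdr_len < 20 or len(segment) < hdr_len:
        raise ValueError("bad TCP header length")
    info = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_length": hdr_len,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "window": window,
        "urgent_pointer": urg if flags & F_URG else None,   # meaningful only with URG set
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
    }
    if src_ip and dst_ip:   # checksum covers pseudo-header, header and payload
        info["checksum_ok"] = tcp_checksum(src_ip, dst_ip, segment) == 0
    return info


def flag_anomaly(info: dict) -> Optional[str]:
    """Name a flag combination that no normal TCP stack emits (useful as a detection rule)."""
    f = set(info["flags"])
    if not f:
        return "no flags set"
    if {"SYN", "FIN"} <= f:
        return "SYN+FIN"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "FIN+PSH+URG without ACK"
    return None


def build_tcp(sport, dport, seq, ack, flags, src_ip, dst_ip, payload=b"", window=65535):
    """Constructed-sample builder (demo only): 20-byte header with the checksum filled in."""
    hdr = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, csum, 0) + payload


# Constructed samples: a clean SYN and a SYN+FIN segment between two test addresses.
SRC, DST = "192.0.2.1", "192.0.2.2"
SAMPLE_SYN = build_tcp(40000, 443, 1000, 0, F_SYN, SRC, DST)
SAMPLE_BAD = build_tcp(40000, 443, 1000, 0, F_SYN | F_FIN, SRC, DST)

if __name__ == "__main__":
    print(parse_tcp(SAMPLE_SYN, SRC, DST), flag_anomaly(parse_tcp(SAMPLE_BAD)))
```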

User Datagram Protocol (UDP)

UDP header:

Source port (16 bits)

Destination port (16 bits)

Length (16 bits)

Checksum (16 bits)

IPv6 Addressing

IPv6 addresses are presented in 16-bit hexadecimal groups separated by colons. For example, 3ffe:1944:0100:000a:0000:00bc:2500:0d0b.

Shorthand rules:

One group of all-zero segments can be presented with a double-colon (::)

Leading zeros in each segment may be omitted

Subnet identification is performed in CIDR (bit count) notation (/64).

::/0 indicates an all-zeros or wildcard address.

::/128 represents an unspecified address.

Address Types

IPv6 addresses can be one of three types: unicast, anycast, or multicast.

Broadcast functionality is provided by the "all-nodes" multicast address.

Address types are identified by their leading bits:

Binary        Hex        Type
11111111      FF00::/8   Multicast
11111110 10   FE80::/10  Link-local unicast
11111110 11   FEC0::/10  Site-local unicast (deprecated)
001           2000::/3   Global unicast (currently allocated)

Global Unicast

A global unicast address is broken into three sections:

Global routing prefix (48 bits)

Subnet ID (16 bits)

Interface ID (64 bits)

Local Unicast

Link-local unicasts are unique only to a single layer 2 link.

Site-local unicasts were defined in the original IPv6 standard but have been replaced by Unique Local Addresses (FC00::/7) in RFC 4193.

Anycast

An anycast address is one address configured on multiple end nodes; dynamic routing will ideally forward traffic to the "nearest" or least-cost anycast server.

Any global unicast address applied to more than one device can be considered an anycast address.

Multicast

A multicast address identifies a logical group of devices.

Multicast address structure:

Multicast prefix (8 bits) - Always 0xFF

Flags (4 bits)

Scope (4 bits)

Group ID (112 bits)

Address Scopes:

0x0 - Reserved

0x1 - Node-local

0x2 - Link-local

0x5 - Site-local

0x8 - Org-local

0xE - Global

0xF - Reserved

Embedded IPv4 Addresses

Different transition technologies have different ways of embedding an IPv4 address in an IPv6 address.

Some examples for 10.23.1.5 are:

FE80::5EFE:10.23.1.5 (ISATAP)

::FFFF:10.23.1.5 (SIIT)

FEC0:0:0:1::10.23.1.5 (TRT)

2002:0A17:0105::/48 (6to4)
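As an added example (not from the original notes), this Python implements the addressing rules from the sections above by hand, without the ipaddress module, so each rule is visible: expand() undoes the two shorthand rules and also accepts a trailing dotted IPv4 quad as in the embedded-address forms; compress() applies them, following RFC 5952 in collapsing only a run of two or more zero groups (a choice made here; the notes do not say); classify() names the type from the leading bits in the table above, adding FC00::/7 unique local and ::FFFF:0:0/96 IPv4-mapped; multicast_info() splits a multicast address into the flags, scope, and group ID fields. The function and dictionary names are mine.

```python
# Multicast scope nibble -> name, as tabulated in the notes (unlisted values report "unassigned").
SCOPE_NAMES = {0x0: "reserved", 0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
               0x8: "org-local", 0xE: "global", 0xF: "reserved"}


def split_prefix(text: str):
    """Separate '2001:db8::/32' into ('2001:db8::', 32); prefix length is None when absent."""
    addr, _, plen = text.partition("/")
    return addr, (int(plen) if plen else None)


def expand(addr: str) -> str:
    """Reverse both shorthand rules, also accepting a trailing dotted IPv4 quad."""
    addr = split_prefix(addr)[0].lower()
    if "." in addr:   # embedded IPv4: the last 32 bits written as a dotted quad
        head, _, quad = addr.rpartition(":")
        octets = [int(o) for o in quad.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        addr = "%s:%x:%x" % (head, (octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3])
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg   # '::' stands for the missing zero groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError("address must have eight 16-bit groups")
    return ":".join("%04x" % int(g, 16) for g in groups)


def compress(addr: str) -> str:
    """Drop leading zeros and collapse the longest (first, on ties) run of two or more zero groups."""
    groups = ["%x" % int(g, 16) for g in expand(addr).split(":")]
    best_at, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_at, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_at]) + "::" + ":".join(groups[best_at + best_len:])


def classify(addr: str) -> str:
    """Name the address type from its leading bits, per the table in the notes (plus ULA and IPv4-mapped)."""
    n = int(expand(addr).replace(":", ""), 16)   # the address as a 128-bit integer
    if n == 0:
        return "unspecified"
    if n >> 120 == 0xFF:                 # FF00::/8
        return "multicast"
    if n >> 118 == 0b1111111010:         # FE80::/10
        return "link-local unicast"
    if n >> 118 == 0b1111111011:         # FEC0::/10
        return "site-local unicast (deprecated)"
    if n >> 121 == 0b1111110:            # FC00::/7 (RFC 4193)
        return "unique local unicast"
    if n >> 125 == 0b001:                # 2000::/3
        return "global unicast"
    if n >> 32 == 0xFFFF:                # ::FFFF:0:0/96
        return "IPv4-mapped (::FFFF:a.b.c.d)"
    return "other/reserved"


def multicast_info(addr: str) -> dict:
    """Split a multicast address into prefix-following flags (4 bits), scope (4 bits), group ID (112 bits)."""
    n = int(expand(addr).replace(":", ""), 16)
    if n >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    scope = (n >> 112) & 0xF
    return {"flags": (n >> 116) & 0xF, "scope": scope,
            "scope_name": SCOPE_NAMES.get(scope, "unassigned"),
            "group_id": "%x" % (n & ((1 << 112) - 1))}


if __name__ == "__main__":
    for a in ("3ffe:1944:0100:000a:0000:00bc:2500:0d0b", "::FFFF:10.23.1.5", "FE80::5EFE:10.23.1.5"):
        print(expand(a), compress(a), classify(a))
    print(multicast_info("ff02::1"))
```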

IPv6 Header

IPv6 headers have a fixed 40-byte length.

Header format:

Version (4 bits) - Always set to 6

Traffic class (8 bits) - DiffServ Code Point (DSCP)

Flow label (20 bits) - An arbitrary field for differentiating traffic flows

Payload length (16 bits) - Indicates the length of the payload (header length is not included)

Next header (8 bits) - Identifies the extension header or upper-layer protocol that follows

Hop limit (8 bits) - Decrementing hop counter (TTL)

Source address (128 bits)

Destination address (128 bits)

Extension Headers

Extension headers provide for optional extended capabilities such as hop-by-hop options and IPsec encryption.

Next header values:

0 - Hop-by-hop options

43 - Routing

44 - Fragment

50 - ESP

51 - AH

59 - No next header

60 - Destination options

If a header is the last in the stack, its next header field will identify the upper-layer protocol that follows (e.g. 6 for TCP or 17 for UDP).

RFC 1883 specifies the order in which extension headers should appear if they are used.
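As an added example (not from the original notes), this Python decodes the fixed 40-byte IPv6 header and then follows the Next Header chain through the extension headers listed above until it reaches the upper-layer protocol. The length rules used for each extension type (8-octet units excluding the first 8 for hop-by-hop, routing and destination options; a fixed 8 bytes for the fragment header; 32-bit words plus 2 for AH) are the standard RFC encodings and are not on the page; the walk stops at ESP, whose contents are encrypted, and is bounded by MAX_CHAIN because a long chain is something a filter should reject rather than parse indefinitely. The sample packet is constructed in the code; its UDP checksum is left zero.

```python
import ipaddress
import struct

# Next-header values from the list in the notes plus the upper-layer protocols the text mentions.
NEXT_HEADER = {0: "Hop-by-hop options", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
               59: "No next header", 60: "Destination options", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
WALKABLE = {0, 43, 44, 51, 60}   # ESP (50) encrypts what follows, so the walk stops there
MAX_CHAIN = 8                    # defensive bound; legitimate packets carry only a few


def ext_header_size(kind: int, hdr_ext_len: int) -> int:
    """Size in bytes of one extension header, from its type and Hdr Ext Len byte."""
    if kind == 44:
        return 8                         # Fragment header is fixed length
    if kind == 51:
        return (hdr_ext_len + 2) * 4     # AH: length in 32-bit words, minus 2 (RFC 4302)
    return (hdr_ext_len + 1) * 8         # Hop-by-hop/Routing/Destination: 8-octet units, excluding the first 8


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed header, then follow the Next Header chain to the upper layer."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    if len(pkt) < 40 + payload_len:
        raise ValueError("payload shorter than Payload Length")
    chain, off, cur = [], 40, nh
    while cur in WALKABLE:
        if len(chain) >= MAX_CHAIN:
            raise ValueError("extension header chain too long")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, size = pkt[off], ext_header_size(cur, pkt[off + 1])
        entry = {"type": cur, "name": NEXT_HEADER[cur], "length": size}
        if cur == 44:   # Fragment: 13-bit offset in 8-byte units, M flag in bit 0
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            entry["offset"], entry["more"] = (frag >> 3) * 8, bool(frag & 1)
        chain.append(entry)
        off, cur = off + size, nxt
    return {
        "traffic_class": (vtf >> 20) & 0xFF, "dscp": (vtf >> 22) & 0x3F,
        "flow_label": vtf & 0xFFFFF, "payload_length": payload_len, "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "extension_headers": chain,
        "upper_layer": cur, "upper_layer_name": NEXT_HEADER.get(cur, "unknown"),
        "payload_offset": off,
    }


def build_ipv6(src: str, dst: str, first_nh: int, body: bytes, hop_limit: int = 64, flow: int = 0) -> bytes:
    """Constructed-sample builder (demo only): fixed header in front of an already-built body."""
    vtf = (6 << 28) | flow
    return (struct.pack("!IHBB", vtf, len(body), first_nh, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body)


# Constructed sample: Hop-by-hop (one PadN option) -> Fragment (first fragment, more follow) -> UDP.
HOPBYHOP = bytes([44, 0, 1, 4, 0, 0, 0, 0])                          # next=44, ext len 0 (8 bytes), PadN(4)
FRAGMENT = bytes([17, 0]) + struct.pack("!HI", 0x0001, 0xABCD1234)    # next=17, offset 0, M=1, identification
UDP = struct.pack("!HHHH", 5353, 5353, 12, 0) + b"\x00" * 4            # UDP header (checksum left zero) + 4 bytes
SAMPLE = build_ipv6("2001:db8::1", "ff02::fb", 0, HOPBYHOP + FRAGMENT + UDP)

if __name__ == "__main__":
    print(parse_ipv6(SAMPLE))
```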

ICMPv6

IPv6 implements its own version of ICMP, defined in RFC 2463.

Like ICMPv4, ICMPv6 uses type/code pairings to identify field types.

Common field types:

1 - Destination unreachable

2 - Packet too big

3 - Time exceeded

4 - Parameter problem

128 - Echo request

129 - Echo reply

130 - Group membership query

131 - Group membership report

132 - Group membership reduction

Static Routing

A routing table can be populated in three ways:

Subnets gleaned from directly connected networks

Manual configuration (static routes)

Automatically via one or more dynamic routing protocols

A route's next hop must be reachable for the route to take effect.

Configuring Static Routes

IPv4:

Router(config)# ip route [ ] [ ]

Router(config)# ip route 172.16.0.0 255.255.0.0 192.168.1.1

Router(config)# ip route 10.0.0.0 255.0.0.0 Serial0/0 192.168.2.2

Specifying only an outbound interface rather than a next-hop address assumes that the destination network is directly connected to that interface.

IPv6:

IPv6 requires the next-hop address to be specified when configuring a route destined out a broadcast (Ethernet) interface.

Advanced Static Routing

Floating Static Routes

A floating static route is one configured with a higher administrative distance. It will only be used if more preferable routes for a destination fail.

Load Sharing

Multiple static routes can be configured to support equal-cost load sharing.

By default, Cisco Express Forwarding (CEF) performs load balancing per source-destination pair; all packets from one source to one destination will traverse one interface.

CEF also supports per-packet load balancing for IPv4 traffic.

The CEF load-balancing method can be adjusted:

Recursive Lookups

A recursive lookup occurs when a route points to a network not directly connected; one or more subsequent lookups are required to determine the next hop.
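As an added example (not from the original notes), the following Python models the behaviour described in the static routing sections above: longest-prefix match with administrative distance as the tie-breaker, a route that takes effect only when its exit resolves (an interface that is up, or a next hop that itself resolves through a recursive lookup), an interface-only route treating the destination as directly connected, and a floating static route with a high distance that is used only once the primary is withdrawn. The topology in demo_table() is constructed for the demonstration; the interface names echo the notes' examples and the class and method names are mine. The ipaddress module is the standard library.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None for a route that points only at an interface
    interface: Optional[str]     # None for a route that points only at a next hop
    distance: int                # administrative distance: 0 connected, 1 static, 250 for the floating route below


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.links = {}    # interface name -> up?

    def add_connected(self, interface: str, network: str, up: bool = True):
        self.links[interface] = up
        self.routes.append(Route(ipaddress.ip_network(network), None, interface, 0))

    def add_static(self, network: str, next_hop: Optional[str] = None,
                   interface: Optional[str] = None, distance: int = 1):
        """Same shape as the 'ip route' examples in the notes: prefix, then interface and/or next hop."""
        self.routes.append(Route(ipaddress.ip_network(network), next_hop, interface, distance))

    def set_link(self, interface: str, up: bool):
        self.links[interface] = up

    def lookup(self, dest: str, _depth: int = 0) -> Optional[dict]:
        """Longest match, then lowest distance; a route counts only if its exit resolves."""
        if _depth > 8:       # guard against two static routes resolving through each other
            return None
        addr = ipaddress.ip_address(dest)
        candidates = sorted((r for r in self.routes if addr in r.prefix),
                            key=lambda r: (-r.prefix.prefixlen, r.distance))
        for r in candidates:
            if r.interface is not None:
                if not self.links.get(r.interface, False):
                    continue    # interface down: the route is withdrawn from the table
                # an interface-only route treats the destination as directly connected
                return {"prefix": str(r.prefix), "interface": r.interface,
                        "next_hop": r.next_hop or dest, "distance": r.distance, "lookups": _depth + 1}
            via = self.lookup(r.next_hop, _depth + 1)    # recursive lookup of the next hop
            if via is not None:
                return {"prefix": str(r.prefix), "interface": via["interface"],
                        "next_hop": r.next_hop, "distance": r.distance, "lookups": via["lookups"]}
        return None


def demo_table() -> RoutingTable:
    """Constructed topology (not from the notes): two links, a primary and a floating static route."""
    rt = RoutingTable()
    rt.add_connected("FastEthernet0/0", "192.168.1.0/24")
    rt.add_connected("Serial0/0", "192.168.2.0/24")
    rt.add_static("172.16.0.0/16", next_hop="192.168.1.1")                  # primary, distance 1
    rt.add_static("172.16.0.0/16", next_hop="192.168.2.2", distance=250)   # floating backup
    rt.add_static("10.0.0.0/8", next_hop="192.168.2.2", interface="Serial0/0")
    rt.add_static("10.20.0.0/16", next_hop="172.16.254.1")                 # needs two recursive lookups
    return rt


if __name__ == "__main__":
    rt = demo_table()
    print(rt.lookup("172.16.5.5"), rt.lookup("10.20.1.1"))
    rt.set_link("FastEthernet0/0", False)
    print(rt.lookup("172.16.5.5"))   # the floating route takes over
```

The "lookups" count in each result is the number of table consultations needed, which makes the recursion visible: the 10.20.0.0/16 route resolves through 172.16.254.1, which resolves through 192.168.1.1, which is connected.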

Troubleshooting Static Routes

Remember to verify both directions of traffic flow when tracing a path.

When a router or interface hardware is replaced, a new EUI-64 identifier will be used; this may require redefining a static route.

Dynamic Routing Protocols

Distance Vector Routing Protocols

The term distance vector is derived from a list (vector) of distances and directions to destinations.

Distance vector protocols include:

Routing Information Protocol (RIP)

Xerox Networking System (XNS) RIP

Novell IPX RIP

Cisco Interior Gateway Routing Protocol (IGRP)

Cisco Enhanced IGRP (EIGRP)

DEC DNA Phase IV

AppleTalk Routing Table Maintenance Protocol (RTMP)

Common distance vector characteristics:

Periodic updates

Reliance on neighbors to propagate advertisements

Broadcast updates

Full routing table updates (advertising the entire table every time)

The per-hop nature of distance vector advertisements is known as routing by rumor.

Route invalidation timers control how long a route will remain in the routing table without being confirmed by a neighbor.

Split horizon prevents routing loops by preventing the readvertisement of a route to the neighbor from which it was learned. Router A will not advertise routes learned from router B back to router B.

Poison reverse extends the concept of split horizon by readvertising a learned route back to the neighbor with an infinite metric. Router A will advertise routes learned from router B back to router B with an infinite metric, ensuring router B knows said routes are not reachable via router A.

Holddown timers place a restriction on how often a route may be updated in the table.
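As an added example (not from the original notes), this Python simulates the two routers A and B from the split horizon and poison reverse paragraphs above. build_advertisement() produces what one router sends to a given neighbor under each policy; apply_advertisement() is the receiving side, adding one hop and replacing a route when the same neighbor re-advertises it or when a lower metric arrives; rounds_until_unreachable() counts the exchange rounds needed after B loses a directly connected network until both routers have marked it unreachable, which shows the count-to-infinity loop that split horizon prevents. The infinite metric of 16 is RIP's; the table layout and function names are mine. Timers are not modelled.

```python
INFINITY = 16   # RIP's "unreachable" metric (hop counts run 1 to 15)


def build_advertisement(table: dict, neighbor: str, mode: str = "split-horizon") -> dict:
    """Routes this router sends to `neighbor`.
    table maps prefix -> (metric, learned_from); learned_from is None for connected or static routes.
    mode is 'none', 'split-horizon' or 'poison-reverse'."""
    adv = {}
    for prefix, (metric, learned_from) in table.items():
        if learned_from == neighbor:
            if mode == "split-horizon":
                continue                      # never echo a route back to its source
            if mode == "poison-reverse":
                adv[prefix] = INFINITY        # echo it back, but as unreachable
                continue
        adv[prefix] = metric                  # 'none': routing by rumor, loops possible
    return adv


def apply_advertisement(table: dict, neighbor: str, adv: dict) -> None:
    """Receiving side: add the link cost (one hop); a neighbor's own update always replaces
    its earlier one, any other update replaces the entry only if it is better."""
    for prefix, metric in adv.items():
        new = min(metric + 1, INFINITY)
        current = table.get(prefix)
        if current is None:
            if new < INFINITY:
                table[prefix] = (new, neighbor)
        elif current[1] == neighbor or new < current[0]:
            table[prefix] = (new, neighbor)


def rounds_until_unreachable(mode: str, limit: int = 40):
    """Constructed scenario: B's connected network 10.0.0.0/8 fails; A had learned it from B.
    Returns the number of simultaneous A<->B exchange rounds until both hold metric 16."""
    prefix = "10.0.0.0/8"
    a = {prefix: (2, "B"), "192.168.1.0/24": (1, None)}   # A: learned from B, two hops away
    b = {prefix: (INFINITY, None), "192.168.2.0/24": (1, None)}   # B: link just failed
    for rnd in range(1, limit + 1):
        adv_a = build_advertisement(a, "B", mode)   # both build before either applies
        adv_b = build_advertisement(b, "A", mode)
        apply_advertisement(a, "B", adv_b)
        apply_advertisement(b, "A", adv_a)
        if a[prefix][0] == INFINITY and b[prefix][0] == INFINITY:
            return rnd
    return None


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, rounds_until_unreachable(mode))
```

Without either rule, A keeps telling B about the failed network it learned from B, the pair bounce the metric upward one hop per round, and only the cap of 16 ends it; with split horizon A stays silent about that route toward B, and with poison reverse A actively tells B it is unreachable.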

Link State Routing Protocols

Link state routers all share the same complete view of the network.

Link state protocols include:

Open Shortest Path First (OSPF)

ISO Intermediate System to Intermediate System (IS-IS)

DEC DNA Phase V

Novell NetWare Link Services Protocol (NLSP)

Neighbors synchronize their databases upon forming an adjacency. Hello packets are used to form and maintain adjacencies.

Link state protocols converge faster than distance vector protocols because routes can be flooded to neighbors without having to run the routing algorithm.

Sequence numbers are used to identify the revision of an advertisement.

Advertisements are aged and will eventually expire from the database if they are not refreshed periodically.

Networks are commonly divided into link state areas to reduce demand on CPU, memory, and bandwidth required to maintain the database.

Interior and Exterior Gateway Protocols

An autonomous system (AS) is a logical network under a common administration.

Interior Gateway Protocols (IGPs) run within an autonomous system, while Exterior Gateway Protocols (EGPs) run between autonomous systems.

Routing Information Protocol (RIP)

There are two versions of RIP:

RIPv1 - Classful

RIPv2 (or RIPng) - Classless

RIPv1 is defined in RFC 1058, and operates on UDP port 520.

RIP uses only hop count as its metric, with a maximum of 15 (a metric of 16 indicates unreachability).

Upon initialization, RIP routers issue requests for routes from neighbors. Neighbors issue responses containing their full tables.

Routers broadcast their entire table to the link-local broadcast address of 255.255.255.255 every 30 seconds (on average; a small jitter is included to prevent simultaneous flooding).

Timers

Update (30 seconds) - How often routes are advertised (+/- a small random delay)

Invalid (180 seconds) - How long a received route will stay in the table without being received again, before being marked as invalid.

Flush (240 seconds) - 60 seconds longer than the invalid timer; invalid routes will be flushed from the table when this timer is reached.

Holddown (180 seconds) - Routes will be kept in the table for this time before being replaced by an advertisement with a higher metric.

Timer configuration:

Header Format

Command (8 bits) - 1 for requests, 2 for responses

Version (8 bits)

The header is followed by 1-25 route entries, each consisting of an address family identifier (set to 2 for IP), network address, and metric.

Configuration

Network configuration:

Designating passive interfaces:

Specifying neighbors to which advertisements should be sent as unicasts:

An offset list can be implemented to artificially increase the metric for certain routes:

Triggered extensions (defined in RFC 2091) can be enabled per interface to eliminate periodic updates:

RIPv2, RIPng, and Classless Routing

RIPv2

RIPv2 (defined in RFC 1723) expands on its predecessor to support:

