
About this blog

So, here is something new I would like to try ;)

I've written small configuration blogs and tiny detailed networking blogs on my own website but I'm never motivated since it takes time. I would rather be typing and mocking up example pictures to post in a forum (such as LTT) so I can look back at my blogs and recap or revise if needed. I am not exactly very clear with writing but I find this really helps me with my studying and also with showing friends; I would like to have a post to back up my examples when speaking to friends/customers/fellow college partners when explaining specific protocols, services etc...

I will learn when I make mistakes when trying to explain. I'll try to keep most of my own examples similar to how you would see a typical example from the relevant vendor (Microsoft sometimes overcomplicates examples and writes 5 pages for something that could be explained in under a paragraph! xD)

But yeah... I'll make mistakes and would always thank those who correct my mistakes... So.... This is mainly for my own learning while at college and to maybe document things I do in a few projects at work that I get involved in. Although being in a small company (2 man team...) doesn't pay as well, I feel like I wouldn't gain as much knowledge working in a specific role/area in IT. (Although my plan is to go for networking for a few years)

Entries in this blog

 

A taste of python automation in networking

A few personal projects I've been working on, mainly putting together a load of useful functions in Python along with the netmiko library to pull specific data from Cisco IOS devices (mainly ISRs and Catalyst; not designed for Nexus, ASAs or other vendors yet).

I've mainly been testing some open source IPAM solutions such as NetBox and phpIPAM to see if I can do some neat little tricks, and I've created a few things for both solutions on the side of my job because I want to expand my programming knowledge (I've been doing a lot of Python + C# lately).

Here is a basic example to connect to a Cisco switch, pull the VLAN data into a JSON-like structure and use it to create VLANs through NetBox's API with the Python API module. (Beware, I'm also using a module that I have on GitHub over at https://github.com/BSpendlove/BCPTools; follow the readme to install the library and use some of the basic functions I use in this NetBox example.) One thing to keep in mind before copying this: the switch password, enable secret and NetBox API token are literals in the script. That is fine for a throwaway lab, but a NetBox token with write access lets anyone who finds the file rewrite your IPAM, so in anything shared or committed, load those values from environment variables or a secrets store instead.

    from pprint import pprint
    from netbox import NetBox
    from BCPTools.BCPTFunctions import bcp_create_session
    from BCPTools.BCPTFunctions import bcp_show_vlans

    #Cisco Switch connection details for Netmiko/BCPTools
    #(lab credentials; keep these out of the script in anything other than a lab)
    conn = {
        'device_type': 'cisco_ios',
        'ip': '192.168.1.109',
        'username': 'hume',
        'password': 'cisco',
        'secret': 'cisco'
    }

    ##---------------------- NETBOX API Login details ------------------------------##
    myToken = 'mytoken123mytoken123mytoken123mytoken123'
    api_login = NetBox(host='192.168.1.9', port=80, use_ssl=False, auth_token=myToken)
    ##------------------------------------------------------------------------------##

    class bcp_vlan_functions(object):
        def create_vlan_group(self, netbox, name, slug, checkExists=True):
            if checkExists == True:
                vlan_group = netbox.ipam.get_vlan_groups(name=name)
                if not vlan_group:
                    results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                    return results
                if name in vlan_group[0]['name']:
                    print(name.lower() + " has already been configured as a VLAN Group... checkExist must be False if you would like to create a duplicate VLAN Group...")
                    print("Local Database ID for vlan group: {0} is {1}\n".format(name, str(vlan_group[0]['id'])))
                else:
                    results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                    return results
            else:
                print("Create vlan function without simple duplication...\n")
                results = netbox.ipam.create_vlan_group(name=name, slug=slug)
                return results

        def create_vlan(self, netbox, name, vlanid, groupid):
            vlan_check = netbox.ipam.get_vlans(name=name)
            if not vlan_check:
                results = netbox.ipam.create_vlan(vlan_name=name, vid=vlanid, group=groupid)
                print("VLAN{0} ({1}) has been created...\n".format(vlanid, name))
                return results
            if name in vlan_check[0]['name']:
                if not vlan_check[0]['group']:
                    print("VLAN{0} exists in the Netbox Database although is not registered with VLAN Group: {1}... Have not performed any action...\n".format(vlanid, groupid))
                    #netbox.ipam.create_vlan(vlan_name=name, vid=vlanid, group=groupid)
                elif groupid == vlan_check[0]['group']['id']:
                    print("VLAN{0} ({1}) is already configured in VLAN Group: {2}\n".format(vlanid, name, vlan_check[0]['group']['name']))

        def get_vlan_group(self, netbox, vlanname):
            #Try to use either id or name to filter through VLAN groups. Obviously ID is better if you
            #have duplicate VLAN group names, but with some common practice you shouldn't configure
            #2 sites with the same 'VLAN group name'!!!
            return netbox.ipam.get_vlan_groups(name=vlanname)

        def save_vlans_to_netbox(self, netbox, groupname):
            session = bcp_create_session(conn)
            vlans = bcp_show_vlans(session)
            vlangroup = self.get_vlan_group(netbox, groupname)
            if not vlangroup:
                print("VLAN Group {0} can not be found...".format(groupname))
            else:
                vlangroupid = vlangroup[0]['id']
                for vlan in vlans:
                    self.create_vlan(netbox, vlan['name'], vlan['vlan_id'], vlangroupid)

    bcp_vlan_functions().create_vlan_group(api_login, "PYTHON-TEST-NETBOX", "python-test-netbox")
    bcp_vlan_functions().save_vlans_to_netbox(api_login, "PYTHON-TEST-NETBOX")

For example, I have a switch at 192.168.1.109 with the following 'show vlan' output:

    W17BS-SW01#show vlan

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                    Fa1/0/4, Fa1/0/6, Fa1/0/7
                                                    Fa1/0/8, Fa1/0/9, Fa1/0/10
                                                    Fa1/0/11, Fa1/0/12, Fa1/0/13
                                                    Fa1/0/14, Fa1/0/15, Fa1/0/16
                                                    Fa1/0/17, Fa1/0/18, Fa1/0/19
                                                    Fa1/0/20, Fa1/0/21, Fa1/0/22
                                                    Fa1/0/23, Fa1/0/24, Gi1/0/1
                                                    Gi1/0/2
    10   IT                               active    Fa1/0/5
    20   ACCOUNTS                         active
    30   SALES                            active
    40   HR                               active
    50   INTERNAL                         active
    100  CAMERAS                          active
    101  GUEST-WIFI                       active

I've moved some interfaces into the other VLANs, so the function from my BCPTools library on GitHub will return this data as:

And now from the NetBox point of view, after running the function I've created to pull the VLANs from a Cisco switch and then use the API to create them in the VLAN group called 'PYTHON-TEST-NETBOX':

    (virtualenvironment) brandon@ubuntu:~/brandon_scripts/NETBOX_API_EXAMPLES$ python3 netbox_cisco_switch_vlans.py
    python-test-netbox has already been configured as a VLAN Group... checkExist must be False if you would like to create a duplicate VLAN Group...
    Local Database ID for vlan group: PYTHON-TEST-NETBOX is 7

    VLAN1 (default) has been created...
    VLAN10 (IT) has been created...
    VLAN20 (ACCOUNTS) has been created...
    VLAN30 (SALES) has been created...
    VLAN40 (HR) has been created...
    VLAN50 (INTERNAL) has been created...
    VLAN100 (CAMERAS) has been created...
    VLAN101 (GUEST-WIFI) has been created...
    VLAN1002 (fddi-default) has been created...
    VLAN1003 (token-ring-default) has been created...
    VLAN1004 (fddinet-default) has been created...
    VLAN1005 (trnet-default) has been created...

(Obviously filtering out VLAN 1 and 1002-1005 would be best, but this is just a quick and dirty function to show some basics of Python automation for networking/inventory purposes.)
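As an added example (not part of the post and not the BCPTools library), here is the piece the script above delegates to bcp_show_vlans plus the filtering the last paragraph says is missing: a parser for the 'show vlan' text, the reserved-VLAN filter (1 and 1002-1005), and a dry-run planner that reproduces the create/skip decisions create_vlan makes against a plain dictionary of what NetBox already holds, so the logic can be tested without a live switch or NetBox. The sample output is constructed to mirror the switch output quoted above; the field names (vlan_id, name, status, ports) are my choice and are assumed, not BCPTools' own.

```python
import re

# Constructed sample of 'show vlan' output, modelled on the switch output quoted above.
# IOS prints VLAN, Name, Status, Ports; long port lists wrap onto continuation lines
# that begin with whitespace, and 1002-1005 show as act/unsup on Catalyst switches.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Fa1/0/6, Fa1/0/7
10   IT                               active    Fa1/0/5
20   ACCOUNTS                         active
101  GUEST-WIFI                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# VLAN 1 and the legacy 1002-1005 VLANs exist on every Catalyst and cannot be deleted,
# so they are noise in an IPAM that is meant to document site VLANs.
RESERVED_VLANS = {1} | set(range(1002, 1006))

# A VLAN row: id, name (no spaces in IOS VLAN names), status, optional port list.
_VLAN_ROW = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$')


def _split_ports(text):
    return [p.strip() for p in text.split(',') if p.strip()] if text else []


def parse_show_vlan(output):
    """Turn 'show vlan' text into a list of dicts: vlan_id, name, status, ports."""
    vlans = []
    for line in output.splitlines():
        match = _VLAN_ROW.match(line)
        if match:
            vid, name, status, ports = match.groups()
            vlans.append({'vlan_id': int(vid), 'name': name,
                          'status': status, 'ports': _split_ports(ports)})
        elif vlans and line[:1].isspace() and line.strip():
            # Continuation line: more ports belonging to the previous VLAN row.
            vlans[-1]['ports'].extend(_split_ports(line))
    return vlans


def site_vlans(vlans):
    """Drop the reserved VLANs; what is left is worth pushing into NetBox."""
    return [v for v in vlans if v['vlan_id'] not in RESERVED_VLANS]


def plan_netbox_changes(vlans, existing):
    """Dry run of the create_vlan decisions in the script above.

    existing maps VLAN name -> VLAN group id, or None when the VLAN is in NetBox
    but not attached to any group (the case the script reports and leaves alone).
    Returns (to_create, already_present, exists_without_group).
    """
    create, present, ungrouped = [], [], []
    for vlan in vlans:
        if vlan['name'] not in existing:
            create.append(vlan)
        elif existing[vlan['name']] is None:
            ungrouped.append(vlan)
        else:
            present.append(vlan)
    return create, present, ungrouped


if __name__ == '__main__':
    parsed = site_vlans(parse_show_vlan(SAMPLE_SHOW_VLAN))
    # Pretend NetBox already has IT in group 7 and ACCOUNTS with no group.
    to_create, present, ungrouped = plan_netbox_changes(parsed, {'IT': 7, 'ACCOUNTS': None})
    for vlan in to_create:
        print('would create VLAN{vlan_id} ({name})'.format(**vlan))
    for vlan in ungrouped:
        print('VLAN{vlan_id} ({name}) exists without a group, no action'.format(**vlan))
```

Running the planner first and only then calling the NetBox API keeps the write path idempotent: re-running the script after a partial failure creates only what is still missing, which is the behaviour the script above approximates with its get_vlans checks.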

BSpendlove


DMVPN - Basic lab and theory

DMVPN is mentioned in the official CCNA guide and also in the CCNP (specifically Routing and Switching), but it isn't really listed as something to configure in the CCNP ROUTE exam topics. The exam blueprint states you need to 'Describe' it, but if you've ever attempted a Cisco exam before you might know that doesn't mean you won't get a question related to the configuration side. We are going to look at a simple lab with some theory behind DMVPN, without the encryption. First, a basic explanation of what DMVPN is:

DMVPN (Dynamic Multipoint VPN) isn't a protocol in itself, but is built from several protocols used together to achieve what DMVPN does. It allows us to create a hub-and-spoke topology in which spokes can dynamically form a VPN tunnel with other remote spokes as well as with the hub. The protocols that make up DMVPN:

-Multipoint GRE
-NHRP
-A dynamic routing protocol (commonly EIGRP or OSPF)

IPsec is also commonly used but isn't actually a requirement (although it is strongly preferred, since running plain GRE across the internet means every packet, including the routing updates and NHRP registrations, crosses the underlay in cleartext). Technically you don't need a dynamic routing protocol either and could use static routes, but again a dynamic routing protocol is very common. Before moving on to a basic introduction to the configuration and design: DMVPN can scale very large (thousands of remote sites), it allows spokes with dynamic IP addresses to participate in the design, and the configuration is far more efficient than creating static tunnels for loads of remote sites.

The single hub topology design

This topology will use the internet as the underlay to transport our packets, while we create an 'overlay' using multipoint GRE to carry our site traffic (10.x.x.x) using EIGRP. In DMVPN the terms 'underlay' and 'overlay' are used a bit like GRE over IPsec, where IPsec is the protocol that transports the GRE packets; without it we have no protection.

GRE is normally used to transport different kinds of traffic because IPsec itself can only carry unicast traffic. If you want to take advantage of multicast and other types of traffic, you encapsulate in GRE and then send it over the IPsec tunnel as a unicast packet. In our case we could even use IPsec without GRE and just define the neighbours in our routing protocol so our updates and hellos are sent via unicast instead of multicast, but that bypasses the learning and fun we'll see in this post!

Multipoint GRE

Why not use typical point-to-point GRE tunnels? Firstly, that defeats the whole purpose of DMVPN, which lets us manage our design with ease and dynamically form tunnels with remote spokes and with the hub. With a static tunnel configuration, think about it: we need X tunnels configured on the hub depending on how many spokes are in the design, a tunnel from each spoke to the hub, and finally a tunnel from each spoke to every other spoke if you need spoke-to-spoke communication without traffic traversing the hub.

Multipoint GRE allows a single tunnel interface configuration to dynamically form tunnels without loads of 'interface tunnel x' in the configuration. It takes the configuration of the single interface and then uses NHRP to dynamically form tunnels to other routers.

NHRP

Next Hop Resolution Protocol is the protocol in DMVPN which makes it possible for spokes to register their public IP address against their tunnel interface IP address, whether the public-facing interface is static or dynamic. Everyone explains NHRP as ARP, but across the internet instead of within a local LAN. The protocol works as a server-client model where clients point to a server to register their address (more specifically their NBMA, Non-Broadcast Multi-Access, address). We will look at NHRP in more detail, not only with configuration but also verification commands and more theory, when we actually see outputs.

Dynamic Routing Protocol

As I've mentioned, a routing protocol isn't actually a requirement for DMVPN, although as you may know a dynamic routing protocol makes routing more scalable when working with a large number of subnets/networks. We will be using EIGRP in this example.

IPsec

There are many design guides and generic guides on the web which show different methods, such as applying an IPsec profile directly to the tunnel in IOS, or having a firewall offload the IPsec tunnels and a router performing the GRE/NHRP. In our example I won't be using IPsec, since the IPsec configuration is straightforward to lab and very easy to set up using pre-shared keys; it gets more interesting when you begin to introduce a PKI server for certificates and IPsec enrolment instead of keys/shared secrets. Keep in mind what that leaves exposed in this lab: with no IPsec, the GRE, NHRP and EIGRP packets cross the underlay unencrypted and unauthenticated, and anything that can reach the hub's public address can attempt an NHRP registration. The 'tunnel key' and the optional 'ip nhrp authentication' string are both carried in cleartext; Cisco documents NHRP authentication as a way to separate NHRP networks, not as a security feature, so neither is a substitute for IPsec.

Basic configuration

Starting with the basic configuration of all the routers so you can follow along. As a basic check, we can ping each spoke from the HUB:

    HUB#ping 1.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
    HUB#ping 2.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
    HUB#ping 3.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Firstly, let's start with some basic tunnel configuration. What we need is an overlay which will use the 192.168.254.0/24 network for the tunnels to communicate. Let's go ahead and configure some other important commands on our HUB, which will also act as the Next Hop Server (NHS) for NHRP.
HUB Configuration (Phase 1)

    interface Tunnel0
     ip address 192.168.254.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 10
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1

ip nhrp map multicast dynamic
On the hub, this command lets multicast packets (routing protocol hellos and updates) be replicated to every spoke that has dynamically registered in the NHRP database.

ip nhrp network-id 10
This identifies which NHRP network a tunnel interface belongs to, which matters when a router has more than one NHRP tunnel. It is required for NHRP to run on the interface. The value is locally significant to each router (Cisco documents it as a local-only parameter), but the usual practice, and what we do here, is to configure the same value on every router in the DMVPN so the configuration stays consistent.

tunnel key 1
The tunnel key command in tunnel configuration mode tells the router which tunnel interface an incoming GRE packet belongs to. This is important when multiple tunnels share the same source interface, and as a best practice I like to specify it even with a single tunnel configuration. The key is carried in the GRE header in cleartext, so it is a demultiplexing aid, not authentication.

Spoke Configuration (Phase 1)

    interface tunnel 0
     ip address 192.168.254.(x) 255.255.255.0   !Spoke-1 .10, Spoke-2 .20 and Spoke-3 .30
     no ip redirects
     ip nhrp map 192.168.254.1 20.0.0.1
     ip nhrp network-id 10
     ip nhrp nhs 192.168.254.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1

Let's capture some packets! If I shut down the tunnel interface on Spoke-1 and bring it back up, this is what happens relating to NHRP, which also reflects the configuration we have done. Let's look into the NHRP packet itself and then see what conversation is going on. We'll look at the interesting parts without getting into too much depth.

Firstly, Spoke-1 sends an NHRP Registration Request (to 20.0.0.1, which is the HUB). You can see this request holds the information which will build the NHRP database we will see shortly: Spoke-1 announces its own NBMA address and its protocol address (in our case the tunnel address 192.168.254.10), with the destination being 192.168.254.1, the tunnel interface on the HUB.

These registration requests are sent every one-third of the hold time, which by default is 7200 s (found under the 'Client Information Entry'). The client expects a reply and, if none arrives, keeps resending the registration with a doubling interval (1, 2, 4 ... up to 32 seconds; that is the theory for those CCNP exam takers!).

Next, we receive a reply from 20.0.0.1 (HUB). If we take a quick look at RFC 2332, it states that code 0 in a Registration Reply is indeed a successful registration with the NHS. The next 2 packets were a repeated request/successful reply which we won't dive into because they look the same as the 2 request and reply packets above.

With all the spokes configured, this process happens fairly quickly in our lab environment and we can now see a populated NHRP database using:

    HUB#show dmvpn
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:3,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 1.0.0.1         192.168.254.10    UP 00:16:59     D
         1 2.0.0.1         192.168.254.20    UP 00:15:08     D
         1 3.0.0.1         192.168.254.30    UP 00:14:54     D

    HUB#ping 192.168.254.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms
    HUB#ping 192.168.254.20
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.20, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/8 ms
    HUB#ping 192.168.254.30
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.30, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms

Do you think we would be able to ping Spoke-1 (192.168.254.10) from Spoke-2?

    Spoke-2#ping 192.168.254.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/25 ms

The answer is yes! Although something happens behind the scenes. How could Spoke-2 possibly know how to get to 192.168.254.10? What happened is that Spoke-2 sent an NHRP Resolution Request to its NHS (192.168.254.1). Because we have mapped the public IP address 20.0.0.1 to the HUB/NHS, we can immediately send a request for 192.168.254.10.

You can see above that we sent our NBMA and tunnel address, but the destination is 192.168.254.10. We are practically asking: what is the NBMA address for 192.168.254.10? Now this is the part where NHRP gets interesting; try to see if something looks different below.

As a quick overview: we send an NHRP Resolution Request for 192.168.254.10 to 20.0.0.1 (our NHS). When the request hits the NHS, it forwards it to the NBMA address registered in the NHRP database for that tunnel address (1.0.0.1). Spoke-1 (1.0.0.1) then replies directly with its information (its NBMA address and tunnel address 192.168.254.10). If we do a traceroute from Spoke-2 after clearing the NHRP table on Spoke-2, the results prove this:

    Spoke-2#traceroute 192.168.254.10
      1 192.168.254.1 9 msec
        192.168.254.10 7 msec 6 msec

    Spoke-2#show dmvpn
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 20.0.0.1        192.168.254.1     UP 00:27:00     S
         1 1.0.0.1         192.168.254.10    UP 00:00:23     D

    Spoke-2#traceroute 192.168.254.10
      1 192.168.254.10 8 msec 7 msec *

If the entry is not in our NHRP database, the first few packets traverse the HUB until we receive the reply carrying the NBMA address of Spoke-1. This is the dynamic part of DMVPN already in action, because we learn the address to send traffic to if we want to communicate directly with that spoke.
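To make the registration and resolution exchange above concrete, here is an added example (my own toy model, not anything from the post or from IOS) of the NHRP tables in this single-hub lab: spokes register their tunnel and NBMA addresses with the NHS, a spoke with no entry for a destination forwards through the hub while the resolution is answered, and the second packet goes direct, which is the traceroute behaviour shown above. It simplifies deliberately: hold timers, retries, phase 3 redirects and the fact that the real Resolution Reply comes from the target spoke rather than the hub are left out, and the hub answering from its own table stands in for that forward-and-reply. The addresses are the lab's; the class and method names are assumptions of the example.

```python
class Router:
    """One DMVPN router. cache mirrors 'show dmvpn': tunnel IP -> (NBMA IP, attrb)."""

    def __init__(self, name, tunnel_ip, nbma_ip):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.cache = {}
        self.nhs = None

    def show_dmvpn(self):
        """Rows of (Peer NBMA Addr, Peer Tunnel Add, Attrb), like the IOS output."""
        return sorted((nbma, tun, attrb) for tun, (nbma, attrb) in self.cache.items())


class Hub(Router):
    def register(self, spoke):
        # NHRP Registration Request: the spoke announces NBMA + tunnel address.
        # 'D' marks a dynamically learned entry.
        self.cache[spoke.tunnel_ip] = (spoke.nbma_ip, 'D')
        return 0  # RFC 2332 Registration Reply code 0: success

    def resolve(self, dst_tunnel_ip):
        # A Resolution Request reaching the NHS. In the real exchange the hub forwards
        # it to the registered spoke, which replies with its own NBMA address; here the
        # hub answers from its table (a simplification of the example, not IOS behaviour).
        entry = self.cache.get(dst_tunnel_ip)
        return entry[0] if entry else None


class Spoke(Router):
    def configure(self, hub):
        # 'ip nhrp map <hub tunnel> <hub nbma>' + 'ip nhrp nhs <hub tunnel>': a static 'S'
        # entry for the NHS, then the registration that populates the hub's table.
        self.nhs = hub
        self.cache[hub.tunnel_ip] = (hub.nbma_ip, 'S')
        return hub.register(self)

    def forward(self, dst_tunnel_ip):
        """Return the NBMA addresses a packet to dst_tunnel_ip is carried through."""
        if dst_tunnel_ip in self.cache:
            return [self.cache[dst_tunnel_ip][0]]  # known peer: direct spoke-to-spoke
        # Unknown destination: this packet rides via the hub while NHRP resolves it.
        nbma = self.nhs.resolve(dst_tunnel_ip)
        if nbma is None:
            return [self.nhs.nbma_ip]  # nobody registered that address; hub drops/forwards
        self.cache[dst_tunnel_ip] = (nbma, 'D')
        return [self.nhs.nbma_ip, nbma]

    def clear_nhrp(self):
        # 'clear ip nhrp' removes dynamic entries only; the static map to the NHS stays.
        self.cache = {t: e for t, e in self.cache.items() if e[1] == 'S'}


def build_lab():
    """The lab topology: one hub (20.0.0.1) and three spokes, all registered."""
    hub = Hub('HUB', '192.168.254.1', '20.0.0.1')
    spokes = [Spoke('Spoke-1', '192.168.254.10', '1.0.0.1'),
              Spoke('Spoke-2', '192.168.254.20', '2.0.0.1'),
              Spoke('Spoke-3', '192.168.254.30', '3.0.0.1')]
    codes = [spoke.configure(hub) for spoke in spokes]
    if any(code != 0 for code in codes):
        raise RuntimeError('registration failed')
    return hub, spokes


if __name__ == '__main__':
    hub, (spoke1, spoke2, spoke3) = build_lab()
    print('hub table:', hub.show_dmvpn())
    print('first packet Spoke-2 -> Spoke-1:', spoke2.forward('192.168.254.10'))
    print('second packet Spoke-2 -> Spoke-1:', spoke2.forward('192.168.254.10'))
    print('spoke-2 table:', spoke2.show_dmvpn())
```

The model also shows why the hub is the trust anchor of the design: whatever registers a tunnel address at the NHS decides where every other spoke sends traffic for that address, which is the reason registration is normally wrapped in IPsec rather than left to the cleartext exchange this lab runs.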
When we start advertising our networks from the spokes, this will change, and then we can start talking about the different phases that change the flow of traffic and how routes are propagated throughout this DMVPN design. We are going to configure EIGRP to set up a relationship with each neighbour and also advertise the loopbacks into EIGRP:

    router eigrp 1
     network 10.0.0.0 0.255.255.255
     network 192.168.254.0 0.0.0.255

We could use more granular network statements to choose what participates in EIGRP, but let's keep it simple. We'll look at the phases in DMVPN which change our traffic flow and how we learn routes. Before moving on, we can come across EIGRP neighbours flapping over the tunnels; we must include a command in the tunnel configuration on each spoke which maps multicast traffic to the NBMA address of the hub:

    interface tunnel 0
     ip nhrp map multicast 20.0.0.1

Confirming EIGRP neighbours on the HUB:

    HUB#sh ip eigrp ne
    EIGRP-IPv4 Neighbors for AS(1)
    H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                       (sec)         (ms)       Cnt Num
    2   192.168.254.30          Tu0                      14 00:02:02   12  1506  0  5
    1   192.168.254.20          Tu0                      13 00:02:07  624  3744  0  5
    0   192.168.254.10          Tu0                      11 00:02:16    9  1506  0  6

EIGRP issues

If we have a look at the routes that the HUB has dynamically learned via EIGRP:

    HUB#sh ip route eigrp
          10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
    D        10.10.1.0/24 [90/27008000] via 192.168.254.10, 00:05:46, Tunnel0
    D        10.10.2.0/24 [90/27008000] via 192.168.254.20, 00:05:38, Tunnel0
    D        10.10.3.0/24 [90/27008000] via 192.168.254.30, 00:05:30, Tunnel0

There is an issue that occurs because of EIGRP's default behaviour. Take a look at the routing table for Spoke-3:

    Spoke-3#show ip route eigrp
          10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
    D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
    D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
    D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0
    D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:06:29, Tunnel0

We can see the routes behind the HUB (e.g. its loopbacks) are reachable via the tunnel interface; the issue is with the routes from the other spokes. The default behaviour of EIGRP is to not advertise a route back out of the interface it was received on (Tunnel0 here). This is a good example of split horizon, which is also a part of RIP and how that protocol works. We can simply solve this with an interface command on the HUB:

    interface tunnel 0
     no ip split-horizon eigrp 1

Looking back at the routing table for Spoke-3:

    Spoke-3#show ip route eigrp
          10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
    D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
    D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
    D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:09:07, Tunnel0
    D        10.10.1.0/24 [90/28288000] via 192.168.254.1, 00:00:12, Tunnel0
    D        10.10.2.0/24 [90/28288000] via 192.168.254.1, 00:00:12, Tunnel0

DMVPN Phases

The phases are the stages of traffic flow a DMVPN design can be in:

Phase 1) Only hub-spoke traffic.
Phase 2) Spokes can dynamically form tunnels with other spokes, with no need to go through the HUB (the initial traffic still goes through the HUB while the NHRP request is answered).
Phase 3) The HUB tells spokes to look for a shorter path (NHRP redirect) and spokes install the shortcut themselves, so spoke-to-spoke traffic no longer depends on the routing table carrying each spoke as the next hop.

Phase 1

During phase 1, our traffic will ALWAYS go through the HUB because, although we have turned off split horizon, the HUB advertises the routes from other spokes with itself as the next hop. The next-hop IP address in the routing table will show the HUB's address, as below (notice all routes are reachable via 192.168.254.1):

    Spoke-1#show ip route eigrp
          10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
    D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
    D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
    D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:49:16, Tunnel0
    D        10.10.2.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0
    D        10.10.3.0/24 [90/28288000] via 192.168.254.1, 00:40:05, Tunnel0

With one more command on the HUB, we can have the routes pushed out without the HUB inserting itself as the next hop. This moves the DMVPN into phase 2, where direct communication between spokes doesn't need to traverse the HUB all the time:

    interface Tunnel0
     no ip next-hop-self eigrp 1

Now we take another look at the routing table:

    Spoke-1#show ip route eigrp
          10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    D        10.0.0.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
    D        10.0.1.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
    D        10.0.2.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
    D        10.0.3.0/24 [90/27008000] via 192.168.254.1, 00:00:21, Tunnel0
    D        10.10.2.0/24 [90/28288000] via 192.168.254.20, 00:00:21, Tunnel0
    D        10.10.3.0/24 [90/28288000] via 192.168.254.30, 00:00:21, Tunnel0

We can now see 10.10.2.0/24 via 192.168.254.20 and 10.10.3.0/24 via 192.168.254.30: the HUB preserves the originating spoke as the next hop instead of advertising the routes via itself, and the spoke's own NHRP resolution of that next hop is what builds the direct tunnel. Back to phase 3: the spoke itself can act on the redirect, because currently the resolution request is sent to the HUB and the HUB forwards that request towards the destination.

Here is an example of a basic packet capture when Spoke-1 tries to ping 10.10.3.1 (Spoke-3):

You can see the original packet from 1.0.0.1 (Spoke-1) is sent towards 20.0.0.1 (HUB), and then 20.0.0.1 (HUB) sends it on to 3.0.0.1 (Spoke-3). To make this phase 3, we can simply add 2 commands on the hub and then a command on each spoke:

    !HUB
    interface tunnel 0
     ip nhrp redirect
     ip nhrp shortcut

    !SPOKES
    interface tunnel 0
     ip nhrp shortcut

It's 3:34AM and I need sleep (said this an hour ago...) so will update this when I get some time tomorrow...

BSpendlove


tac_plus (TACACS+) - Filtering the accounting file to get user total login time

I am currently working on a personal project, but so far I've created a simple Python script (with many comments to try and explain what is going on!) to pull data from the default tac_plus.acct (AAA accounting file) that is created by tac_plus.

By default this file is saved in /var/log/tac_plus.acct and records user sessions (whether authenticated via TACACS+ or by the local database on our Cisco router, 10.0.100.1). The script takes an argument used to filter a specific username and reports the total time they have accessed this device.

The script technically pulls the total time accessed across ALL devices for that username, but in my case I only have a single router configured in GNS3 with the Ubuntu VM as a Docker container. I am looking to improve this script so I can either filter by ALL devices/IPs or a single IP matching a username.

    #!/usr/bin/env python3
    import sys

    def getUserTime(username):
        #Default location for accounting file below. It won't be created if AAA accounting is not
        #configured on the device...
        with open('/var/log/tac_plus.acct', 'r') as accFile:
            splitFile = accFile.readlines()

        #2 lines should make up a session (Connect + Disconnect)
        sessions = len(splitFile) // 2
        print('Total Sessions in accounting file: {0}\n'.format(sessions))

        #Variables for splitting the file + counters
        session_index = 0
        session_list = []
        count = 0
        user_sessions = 0
        user_time = 0
        #--------------------------------------#
        while session_index < sessions:
            #Check if the username appears in this connect/disconnect pair
            if any(username in s for s in splitFile[count:count+2]):
                #Increment user sessions, since a connect/disconnect pair has been found
                user_sessions = user_sessions + 1
                #Print below is for debugging/seeing output when running the script
                print('Found session for user: {0} ({1})...'.format(username, user_sessions))
                #Append connect/disconnect session from splitFile list to a new list of lists...
                if any("elapsed_time=" in t for t in splitFile[count:count+2]):
                    session_list.append(splitFile[count:count+2])
            #Counter is incremented by 2 because a session is made from: connect and disconnect
            count = count + 2
            #session_index tells us what session we are on in the file... stops the while loop
            session_index = session_index + 1

        print('\nTotal sessions for user **{0}** = {1}'.format(username, user_sessions))
        #Reset in case I use count again...
        count = 0

        #For each 'session' (which we have filtered on 'elapsed_time=' for a username)
        for session in session_list:
            fields = session[1].split()   #Split all variables in the disconnect record
            #Find the 'elapsed_time=' field by name rather than assuming it is always index 14
            for field in fields:
                if field.startswith('elapsed_time='):
                    user_time = user_time + int(field.replace('elapsed_time=', ''))

        #Format as HH:MM:SS with divmod; time.strftime('%H:%M:%S') would wrap totals over 24 hours
        hours, remainder = divmod(user_time, 3600)
        minutes, seconds = divmod(remainder, 60)
        user_time = '{0:02d}:{1:02d}:{2:02d}'.format(hours, minutes, seconds)
        print('Total time logged in: ' + user_time)

        #Write to temp_time.txt so a PHP script in /var/www/html can pull the total time for the user...
        with open('/var/www/html/temp_time.txt', 'w') as new_file:
            new_file.write(user_time)

    getUserTime(sys.argv[1])

The purpose of this was to rent out a lab (where the customer needs to log in via an access server) and be able to gather/display information regarding the total time they have spent on the lab.

So the access server can be configured with AAA (and exec accounting) to authenticate with this Linux VM. Then the customer will be able to view a webpage that shows the time he has been logged in until the password is reset (and he needs to book another 24hr slot to get access again)...

The basic PHP script to read this time value from the text file is:

    <html>
    <div class="lab-remain-time">
    <p>User netdbackup - Total used LAB time </p>
    <hr>
    <?php
    $myfile = fopen("temp_time.txt", "r") or die("Unable to open: temp_time.txt");
    echo fread($myfile, filesize("temp_time.txt"));
    ?>
    </div>
    </html>

Note that the script writes the total straight into the web root, so anything the web server serves from /var/www/html is readable by whoever can reach the page; that is fine for a one-customer lab portal, less so if more than one customer shares the server.

Here is an example of all of this in action:

The script can filter total sessions + total time on a username:

The best CSS formatting you'll ever see (PHP script reading the time)
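As an added example (not the post's script), here is the per-device filtering the post says it is still missing, done by parsing the accounting records properly rather than assuming every two lines form one session. Records are matched on the exact username, start and stop records are paired by NAS address and task_id so interleaved logins from several users or a session with no stop record cannot throw the count off, and totals can be restricted to one device. The sample lines are constructed, modelled on the tab-separated layout tac_plus writes (date, NAS address, user, port, remote address, start/stop flag, then attr=value fields); the exact columns of your own tac_plus.acct are an assumption to check against your file.

```python
# Constructed accounting records: two users, two NAS devices, one session left open.
SAMPLE_ACCT = [
    "Tue Jun  6 09:25:03 2017\t10.0.100.1\tnetdbackup\ttty2\t10.0.100.50\tstart\ttask_id=9\ttimezone=UTC\tservice=shell",
    "Tue Jun  6 09:26:10 2017\t10.0.100.1\tcisco\ttty3\t10.0.100.51\tstart\ttask_id=10\ttimezone=UTC\tservice=shell",
    "Tue Jun  6 09:31:03 2017\t10.0.100.1\tnetdbackup\ttty2\t10.0.100.50\tstop\ttask_id=9\ttimezone=UTC\tservice=shell\tstart_time=1496741103\tstop_time=1496741463\telapsed_time=360",
    "Tue Jun  6 09:40:00 2017\t10.0.100.1\tcisco\ttty3\t10.0.100.51\tstop\ttask_id=10\ttimezone=UTC\tservice=shell\tstart_time=1496741170\tstop_time=1496742000\telapsed_time=830",
    "Tue Jun  6 10:00:00 2017\t10.0.100.2\tnetdbackup\ttty1\t10.0.100.50\tstart\ttask_id=3\ttimezone=UTC\tservice=shell",
    "Tue Jun  6 10:01:00 2017\t10.0.100.2\tnetdbackup\ttty1\t10.0.100.50\tstop\ttask_id=3\ttimezone=UTC\tservice=shell\tstart_time=1496743200\tstop_time=1496743260\telapsed_time=60",
    "Tue Jun  6 11:00:00 2017\t10.0.100.1\tnetdbackup\ttty2\t10.0.100.50\tstart\ttask_id=12\ttimezone=UTC\tservice=shell",
    "Tue Jun  6 11:02:05 2017\t10.0.100.1\tnetdbackup\ttty2\t10.0.100.50\tstop\ttask_id=12\ttimezone=UTC\tservice=shell\tstart_time=1496746800\tstop_time=1496746925\telapsed_time=125",
    "Tue Jun  6 12:00:00 2017\t10.0.100.1\tnetdbackup\ttty2\t10.0.100.50\tstart\ttask_id=15\ttimezone=UTC\tservice=shell",
]


def parse_record(line):
    """Split one accounting line into its fixed columns and an attr=value dict."""
    fields = line.rstrip('\n').split('\t')
    if len(fields) < 6:
        return None  # not an accounting record (blank line, truncated write)
    date, nas, user, port, remote, flag = fields[:6]
    attrs = {}
    for field in fields[6:]:
        key, _, value = field.partition('=')
        attrs[key] = value
    return {'date': date, 'nas': nas, 'user': user, 'port': port,
            'remote': remote, 'flag': flag, 'attrs': attrs}


def session_totals(lines, username, nas=None):
    """Total elapsed time for a user, optionally on one NAS address only.

    Sessions are keyed by (NAS, task_id) so a stop is matched to its own start even
    when other users' records sit between them. elapsed_time is taken from the stop
    record, which is where tac_plus puts it; a start with no stop is counted as open.
    """
    open_sessions = {}
    total, sessions = 0, 0
    for line in lines:
        record = parse_record(line)
        if record is None or record['user'] != username:   # exact match, not substring
            continue
        if nas is not None and record['nas'] != nas:
            continue
        key = (record['nas'], record['attrs'].get('task_id'))
        if record['flag'] == 'start':
            open_sessions[key] = record
        elif record['flag'] == 'stop':
            open_sessions.pop(key, None)
            total += int(record['attrs'].get('elapsed_time', 0))
            sessions += 1
    return {'sessions': sessions, 'elapsed_seconds': total, 'still_open': len(open_sessions)}


def hms(seconds):
    """H:MM:SS without wrapping at 24 hours (a lab booking can exceed a day)."""
    hours, remainder = divmod(seconds, 3600)
    minutes, secs = divmod(remainder, 60)
    return '{0}:{1:02d}:{2:02d}'.format(hours, minutes, secs)


if __name__ == '__main__':
    everywhere = session_totals(SAMPLE_ACCT, 'netdbackup')
    one_router = session_totals(SAMPLE_ACCT, 'netdbackup', nas='10.0.100.1')
    print('all devices:', everywhere, hms(everywhere['elapsed_seconds']))
    print('10.0.100.1 only:', one_router, hms(one_router['elapsed_seconds']))
```

To read the real file, pass `open('/var/log/tac_plus.acct')` as `lines`; the function never loads more than one record at a time, so it is fine on a log that has grown for months. The still_open count is worth surfacing on the portal too, since an open session means the customer is logged in right now and the displayed total is already behind.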

BSpendlove


GNS3 and Ubunutu VM for TACACS+

I was just testing around and looking for a simple way to have a look at TACACS+ without getting a friend to obtain Cisco ACS for me. I have an Ubuntu VM that I was testing on, so I thought I'd find a TACACS+ package of some sort. Many are available, but I found one which is based off the original Cisco TACACS+ code (it doesn't provide LDAP integration, but they have examples of how to 'almost' fully integrate it haha)...

So this is more or less a quick post so I can look back when I need to review all the studies and such. Assuming we currently have the VM installed and updated (currently using Ubuntu Server 17.04):

sudo apt-get install tacacs+

We need to do a tiny bit of configuration for the shared secret, users/groups and then finally the device configuration to get the basics up and running. Once the package is installed, we will mainly be working in /etc/tacacs+/tac_plus.conf.

I normally copy this file and rename it .old so I can refer back to it if needed, and clear the config file since there are many comments and I like a tidy file. The main change we will make is the key:

key = mynewsecretkey123

and then creating users/groups. We can do quite a bit (there are some examples in the .old conf file I mentioned copying), but to get the bare basic configuration up and running I'll create a user and a group (which by default will permit all commands; we can define specific commands to permit/deny, which is the advantage of TACACS+ compared to RADIUS. With RADIUS we can define the privilege level but I believe we can't limit specific commands...):

key = oioi123
user = netdbackup {
    member = backup_operators
}
group = backup_operators {
    default service = permit
    login = file /etc/passwd
    enable = file /etc/passwd
}

A lot of people recommend using the authentication in Linux (create the user in Linux as well), since the alternatives are either clear-text passwords in our configuration file or DES encryption, which isn't the best...

Once we have made a change to the configuration file we'll issue:

sudo /etc/init.d/tacacs_plus restart

If any errors occur, the configuration file may have a typo in it.

That is practically the basic setup; we just need to create a quick user in Linux. I've created the user 'netdbackup' with a password of oioi456...

Now the configuration is extremely easy on our devices. I've come across a ton of posts that just tell you what to put in and don't explain it. My VM is assigned 10.0.100.10 and the topology looks like this:

Firstly, we'll start with the basics of a local user to roll back on in the event of the TACACS+ server going offline:

R1(config)#username cisco priv 15 password cisco
R1(config)#enable secret cisco

Let's begin with the configuration for TACACS+ and AAA:

R1(config)#tacacs-server host 10.0.100.10
! Defines our host. Even when we create our AAA group, we still need to define this
R1(config)#tacacs-server key oioi123
! Our key from the configuration file on the TACACS+ server
R1(config)#tacacs-server directed-request
! Allows users to choose which TACACS+ server to authenticate with if we have multiple
R1(config)#aaa new-model
! Enable AAA and give us more commands
R1(config)#aaa group server tacacs+ TAC_SERVERS
! Create a TACACS+ server group called TAC_SERVERS
R1(config-sg-tacacs+)#server 10.0.100.10
! Add our TACACS+ server to the group to authenticate with
R1(config)#aaa authentication login default group TAC_SERVERS local
! Use our TACACS+ group, then fall back to local authentication
R1(config)#aaa authorization exec default group TAC_SERVERS local if-authenticated
! Practically lets our authenticated user land in privileged mode, so we shouldn't need the enable secret/password. Beware that a few bugs existed in IOS 12.4 where an error message 'Authentication failed' would be prompted.

This last command uses TACACS+ first, then local, and finally falls back to if-authenticated (we are already authenticated with the device):

!!! output omitted
User Access Verification
Username: netdbackup
Password:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
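As an added example (not from the original post), here is a small Python check in the spirit of the earlier netmiko scripts: it reads a running-config and confirms the lockout-safe pattern above is present, i.e. a local fallback on every login/exec method list, a privilege 15 local user, and a server group that actually points at a defined tacacs-server host. The config text and the placeholder secrets are constructed for the example.

```python
"""Added example (not from the original post): audit a Cisco IOS running-config
for the AAA fallback pattern described above, so a TACACS+ outage cannot lock
you out of the device. The config below is constructed for the example."""
import re
from typing import List

# Constructed sample mirroring the R1 configuration in the post (secrets are placeholders).
SAMPLE_CONFIG = """\
hostname R1
username cisco privilege 15 password 0 cisco
enable secret 5 $1$PLACEHOLDER
aaa new-model
aaa group server tacacs+ TAC_SERVERS
 server 10.0.100.10
aaa authentication login default group TAC_SERVERS local
aaa authorization exec default group TAC_SERVERS local if-authenticated
tacacs-server host 10.0.100.10
tacacs-server key 7 PLACEHOLDER
"""


def audit_aaa_fallback(config: str) -> List[str]:
    """Return a list of findings; an empty list means the fallback pattern is complete."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing: the method lists below will not apply")

    # Every login/exec method list must end with a local method so the console
    # still works when the TACACS+ group is unreachable.
    for prefix in ("aaa authentication login", "aaa authorization exec"):
        method_lists = [line for line in lines if line.startswith(prefix)]
        if not method_lists:
            findings.append("no '%s' method list defined" % prefix)
        for line in method_lists:
            methods = line[len(prefix):].split()[1:]   # drop the list name (e.g. 'default')
            if "local" not in methods:
                findings.append("'%s' has no local fallback method" % line)

    # The fallback is only useful if a privilege 15 local user exists.
    if not any(re.match(r"username \S+ privilege 15 ", line) for line in lines):
        findings.append("no privilege 15 local user for the fallback")

    # The server group must contain a server, and that server must be defined globally.
    group_servers, in_group = [], False
    for raw in config.splitlines():
        if raw.startswith("aaa group server tacacs+"):
            in_group = True
            continue
        if in_group and raw.startswith(" server "):
            group_servers.append(raw.split()[1])
        elif in_group and not raw.startswith(" "):
            in_group = False
    hosts = [line.split()[2] for line in lines if line.startswith("tacacs-server host ")]
    if not group_servers:
        findings.append("TACACS+ server group is empty")
    for server in group_servers:
        if server not in hosts:
            findings.append("group server %s has no matching 'tacacs-server host'" % server)
    return findings


if __name__ == "__main__":
    for finding in audit_aaa_fallback(SAMPLE_CONFIG) or ["OK: local fallback in place"]:
        print(finding)
```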

BSpendlove


A guide to a Cisco R&S lab: Equipment

I've always wanted to do a post on this but felt it was more appropriate for a blog post instead of the networking forum. I've had a few people ask me on Instagram and other social sites about building a lab and decided to create this so I can point them to it. Let us begin!

So, you're studying for a Cisco exam or want to get some 'real' hands-on experience with Cisco equipment because either:

1) People are telling you real hardware experience is better than emulation/simulation
2) You are generally interested in learning on real hardware

Let us clear up one thing before we start talking about building a lab. There are many alternatives that can provide almost all the functionality for the R&S path (if not everything for CCNA/CCNP) which are either free or cost a tiny investment, a bit like the money you will invest into this lab of yours!

Why would I want to build a lab?

The first thing I want to talk about is electricity. Running this hardware costs money and can vary depending on the models of routers/switches etc. you use. My personal experience is that I use my lab when I know I am going to be spending a long time on a concept; otherwise I'll just use GNS3 or a mix of GNS3 and real hardware. My equipment is off when I'm not using it and it doesn't affect my electric bill to the point that I'm considering whether I should stop using hardware.

Noise... Buying the most up-to-date models for a lab doesn't seem a good investment if you're just building a lab. While you can get routers/switches for £15 each, they can produce a LOT of noise when you populate your lab with many devices. You're probably going to go for 2nd hand equipment which could have faulty fans (still working, but they might rattle or make high-pitched noises).

"I want to get real hardware because I want to plug things in..."

If you are planning on getting a lab purely for the practical feeling of actually using physical cables, you will feel differently about that half-way through your studies. Sure, it doesn't take a long time to plug things in, but a few factors come into play:

Have you got a sufficient amount of cables for your different topologies?
Are you going to make a network diagram, including labelling the interfaces, in case you want to recreate your topology with config files you already have?
Can you keep up with using 40+ cables in your lab and knowing what connects to what logically? (Maybe you're not doing direct connections between devices...)

A fine addition to crafting your ultimate lab, from my point of view, is: can you obtain IOS images for the devices you buy?

During my first few days of obtaining real hardware, I would normally check out the IOS version, figure out if I need any module cards, maybe do password recoveries (urghhh!).. My first experience before even configuring my first ever interface on a router was that I had to obtain an IOS image because someone had deleted it from the flash! (I felt threatened because I didn't have a clue what I was dealing with.)

Ok, I still want to build a lab but don't have a clue what to buy and how many?

You can buy sufficient equipment for your beginning CCENT/CCNA studies, then invest more when you start to branch out into other areas to carry on to your CCNP. You can also be smart and buy equipment that will still be used in your CCNP studies.

For now, let's look at a few options.

CCENT/CCNA studies (2 routers, 2 switches)

2 routers can provide:
Basic routing protocol concepts
You could always use other technologies to logically split the routers further so it looks like you have more
Integration with GNS3 for more routers
More functionality with static/dynamic routing

2 switches can provide:
Basic switching concepts
802.1Q labs spanning multiple switches
Personally, I think you can take a better look at slicing up unicast vs multicast vs broadcast with more flexibility...

You can always substitute hardware routers with GNS3 (which will allow you to emulate IOS but also provide connectivity between emulated and hardware devices). Another option is that you can also chuck in another router, since you can really find some good deals on eBay for job lots etc..

Enough with the boring stuff, let's look into models for routers and switches. Wait.... I NEED DEVICES that can run IOS 15!!! Some of the older models don't run IOS 15 (like computers and operating systems); sometimes the models are too old to either store the IOS version or don't have the hardware requirements. Now let's look...

Routers

Cisco 1841
I started with these during my CCNA studies. They are very quiet and have a little bit of room for expansion since they have 2 module slots. Most of these on eBay come with a single WIC-1T which allows you to bang out serial into your labs. This router does support IOS 15 (15.1) and depending on the IOS image you can experiment with a few other features. I use these quite a lot when I need routers for customer sites in my lab.

1760
Quite an old one, so you should be able to get this cheap on eBay! They take quite a while to boot up, although they provide 2x WIC slots and the other 2 support VIC voice modules. Not 100% certain, but I know this runs 12.3 and not 15.

2610/2612/2621/XM
Depending on your preference, the XM series replaces the 10Mbps with 100Mbps Fast Ethernet (only a single port)... I mention these because you can get them on eBay for about £10-15 if you look carefully and hunt through the listings. The XM series supports a few more features and you can upgrade it (DRAM etc..). Using a single Ethernet port, you can use subinterfaces trunked to a switch to logically have more connections. The 2610 supports up to IOS 12.3 I believe, which is still OK for almost all the concepts at the CCENT/CCNA level.

2801
If you're lucky, you can find these between £25 - £40 a piece. They support more WIC modules than your 1841/2610 etc.. and allow 4x modules, although SLOT 0 only accepts VICs, 2 slots support HWIC modules and others, and SLOT 2 only accepts WICs (not HWICs)... I like that everything is at the front of the chassis so when I rack mount these, it is easy to get to, including the console port etc.. These also support IOS 15.1.

2811
Almost looks like the 2801 with the modules around the back. I'm not going into detail with this router because you can sometimes find them cheap... I mention this model because they are normally sold with a few modules preinstalled.

Switches

2950
These are extremely dirt cheap and come in many different variants (eg. just 24 x 100Mbps ports, 2 x gigabit uplinks, 2 x FX or SX uplinks, 12 x 100Mbps ports... just loads!). People literally throw these away on eBay for cheap, but they can get loud! A few people recommend swapping these out for 2960s because they can run IOS 15 and obviously support other features. I've found 2950s on eBay with 2x gigabit links for around £12 each... or a job lot of 4x 2950s for £40-50!

2960
Let's take this opportunity to have a look at PoE. We can buy devices which support PoE that can provide power to a range of devices (most commonly IP phones). Again, like the 2950, we have different variants which include 2 x gigabit ports for uplinks between switches etc.. A lot of people normally list these on eBay for around £20.

3550
Now we are getting into devices known as 'Layer 3' or 'Multilayer' switches. Unlike our 2950/2960, multilayer switches provide functionality at both layer 2 and layer 3. A multilayer switch can act as a standard boring ol' switch, but we can enable IP routing to practically act similar to a router. I used many multilayer switches in routing topologies to populate labs when I practised routing protocols etc.. One key feature that isn't supported by this and another multilayer switch I'll mention is the ability to perform NAT (oh! also IPv6 & a few QoS features). I believe these don't support IOS 15 but can be found on eBay between £15 - 20 a piece.

3560
Practically looks like the 3550 and supports more features + higher speeds (around £15-35 a piece).

3750
The 3750 is a bit more expensive, more or less a 3560 with a few more features including StackWise. StackWise isn't really something practical you need to learn for the exam but may be good for the real world. Again, depending on the IOS image you are limited in protocols etc.. (eg. the IPBASE image doesn't support BGP). I managed to buy 4 of these (2x PoE) for around £50 which was an absolute bargain, and they have taken me through CCNP studies. They are capable of even bringing you to the CCIE R&S.

There are plenty more choices and combinations (eg. fully GNS3 and a few 3550/3560/3750s), but this is the gear that I've managed to use in my own lab without breaking the bank. Another option is to also buy a dedicated server to run GNS3 to allow more devices to run, which is a valid option (or even looking at Cisco's VIRL... OR just using Packet Tracer for your CCENT/CCNA studies, which many people have succeeded with).

This post will be edited some time in the future and reviewed.

BSpendlove


CDP Basics - Cisco Discovery Protocol

CDP - Cisco Discovery Protocol...

A protocol that runs at Layer 2, which means it doesn't give a damn which layer 3 protocol is running on the interface! The basic concept from our point of view with CDP is that it can obtain information related to device name, interface, management IP and more!

A tiny bit of theory that isn't really required for the CCNP level is what CDP runs on. Media must support the Subnetwork Access Protocol (SNAP). Essentially this is a frame format which follows the common 802.3 Ethernet frame and adds a header (with some new fields) which provides information about what type of data is in our next header (similar to the old Ethernet frame format with the EtherType). The LLC header in our 802.3 frame has 2 fields (DSAP and SSAP) which are normally the same value, 0xAA in hex, meaning a SNAP header will follow the LLC header in our frame.

In the SNAP header below, we have 2 fields: the OUI (Organizational Code), which indicates a registered hex value for Cisco (0x00000C), and the PID (Protocol ID), which in our case will be CDP (0x2000):

Also, notice that the destination is a multicast MAC, a well-known address used not only for CDP but for other Cisco protocols such as VTP, DTP etc..

If we move over to the CDP message itself, take a look at the capture below:

We can see information that can be advertised via CDP such as: version, TTL (aka holdtime), the name of the device, VTP domain and more! A key thing with CDP is that it isn't 2-way communication. Devices that originate CDP advertisements will just send them and don't have a care in the world what happens after that!

This CDP advertisement was sent from R2 to R1, so let's have a look at what we can find in R1's CDP neighbor table by using the show cdp neighbors command.

Without any topology map or someone telling us, we can now conclude that on R1 we have a device called 'R2' which sent out a CDP advertisement that we received on our Fa0/0.

The problem is that a switch could actually be between our routers, so we can't fully depend on CDP and conclude that our Fa0/0 is directly connected to R2's F0/0.

Now for some more theory before tweaking! CDP is enabled by default on Cisco devices and has a few default parameters such as:

Advertisements are sent every 60s
Hold timer is 180s
By default, v2 advertisements are enabled (v1 pretty much doesn't send the VTP management domain)
By default, CDP is enabled globally and on every interface

So these are pretty much the only tweaks we can do with CDP. We can change the advertisement/hold timers, change the version of CDP we advertise and disable it globally (or per interface).

Globally enabling/disabling:
cdp run
no cdp run

Interface level:
cdp enable
no cdp enable

Changing the timers in global config:
cdp timer 20
cdp holdtime 60

Advertise v2 / don't:
cdp advertise-v2
no cdp advertise-v2

Another option we can configure with CDP is to alert us if CDP detects a duplex mismatch (since the duplex setting of the interface is sent in the CDP message). We can enable this logging in global config with:
cdp log mismatch duplex

The concern with CDP is that people find it shares too much information in the message, so they either disable it globally or disable it on specific interfaces such as edge ports, ports facing an ISP router/the internet etc.. This is because, with the bit of information obtained, someone can easily do a few searches for vulnerabilities for a specific IOS version etc..

You can also perform CDP spoofing to the multicast address with different values in each message and pretty much 'overflow' the CDP table with hundreds of CDP entries; a tool is included in the Kali Linux distribution to generate CDP messages as well as others such as BPDUs and more!

Here is a YouTube video that supplements this post... Excuse my explanation of SNAP during the video, I was a bit all over the place!
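As an added example (not from the original post), a Python decoder for the encapsulation described above: it checks the well-known multicast destination, the LLC DSAP/SSAP of 0xAA, the Cisco OUI and CDP PID in the SNAP header, verifies the CDP checksum and then walks the TLVs (device ID, port ID, platform, VTP domain, duplex). The frame is built in code for the example rather than taken from the post's capture; the source MAC, platform and VTP domain values are made up.

```python
"""Added example (not from the original post): build and decode an
802.3 / LLC / SNAP / CDP frame like the one described above. The sample
frame is constructed here, not a real capture."""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # well-known Cisco multicast (CDP, VTP, DTP ...)
CISCO_OUI = b"\x00\x00\x0c"                     # SNAP OUI for Cisco
CDP_PID = 0x2000                                # SNAP protocol ID for CDP
# A handful of CDP TLV types as IOS sends them
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "version",
             0x0006: "platform", 0x0009: "vtp_domain", 0x000B: "duplex"}


def cdp_checksum(data: bytes) -> int:
    """Internet (one's-complement) checksum over the CDP payload. IOS treats an odd
    trailing byte differently, so the sample below is kept even-length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_cdp_frame(src_mac: bytes, tlvs: dict) -> bytes:
    """Constructed CDP v2 advertisement (holdtime 180) wrapped in 802.3 + LLC + SNAP."""
    body = b""
    for ttype, value in tlvs.items():
        if ttype == 0x000B:                          # duplex is a 1-byte flag, 1 = full
            value_bytes = b"\x01" if value == "full" else b"\x00"
        else:
            value_bytes = value.encode()
        body += struct.pack("!HH", ttype, 4 + len(value_bytes)) + value_bytes
    header = bytes([2, 180]) + b"\x00\x00"            # version 2, TTL 180, checksum placeholder
    checksum = cdp_checksum(header + body)
    cdp = header[:2] + struct.pack("!H", checksum) + body
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    payload = llc_snap + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame: bytes) -> dict:
    """Peel the frame layer by layer; raise ValueError on anything that is not clean CDP."""
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST:
        raise ValueError("not sent to the CDP/VTP/DTP multicast address")
    payload = frame[14:14 + length]
    dsap, ssap, _ctrl = payload[0], payload[1], payload[2]
    if dsap != 0xAA or ssap != 0xAA:
        raise ValueError("LLC DSAP/SSAP are not 0xAA, so no SNAP header follows")
    oui, pid = payload[3:6], struct.unpack("!H", payload[6:8])[0]
    if oui != CISCO_OUI or pid != CDP_PID:
        raise ValueError("SNAP OUI/PID do not identify CDP")
    cdp = payload[8:]
    version, ttl, checksum = cdp[0], cdp[1], struct.unpack("!H", cdp[2:4])[0]
    if cdp_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != checksum:
        raise ValueError("CDP checksum mismatch")
    result = {"src_mac": src.hex(":"), "version": version, "ttl": ttl, "tlvs": {}}
    offset = 4
    while offset + 4 <= len(cdp):
        ttype, tlen = struct.unpack("!HH", cdp[offset:offset + 4])
        if tlen < 4 or offset + tlen > len(cdp):
            raise ValueError("malformed TLV length")    # truncated or corrupt TLV
        value = cdp[offset + 4:offset + tlen]
        name = TLV_NAMES.get(ttype, "type_0x%04x" % ttype)
        if ttype == 0x000B:
            result["tlvs"][name] = "full" if value == b"\x01" else "half"
        else:
            result["tlvs"][name] = value.decode(errors="replace")
        offset += tlen
    return result


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame decodes cleanly (a quick sanity check for captured CDP)."""
    try:
        parse_cdp_frame(frame)
        return True
    except (ValueError, IndexError, struct.error):
        return False


# Constructed advertisement from 'R2' out of its FastEthernet0/0, as in the post's capture.
SAMPLE_FRAME = build_cdp_frame(bytes.fromhex("0011223344aa"), {
    0x0001: "R2", 0x0003: "FastEthernet0/0", 0x0006: "Cisco 2811",
    0x0009: "LABDOM", 0x000B: "full"})

if __name__ == "__main__":
    print(parse_cdp_frame(SAMPLE_FRAME))
```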

BSpendlove


Basics of STP and the root bridge election

The 'wonders' of 802.1D... This is just a quick blog to discuss, at the CCNA level, the process of how switches in an Ethernet LAN elect the root bridge, plus a few other details.

Firstly, what is Spanning Tree Protocol (STP)? Simply, a way to create a logical 'loop free' network in our LAN by blocking specific ports that could cause a frame to loop indefinitely in our network. I'm assuming you have a basic understanding of STP because that is required to understand the basic root bridge election.

Getting straight into it, when you connect 2 or more switches together they will begin the process of the 'root bridge election', which can change the way frames are sent in the network or even in different VLANs. Take a look at the example below:

Imagine we had no such thing as STP. In the basic example shown, a broadcast has been sent from PC0 to SW1.

SW1, with basic switching functionality, will broadcast the frame out of all ports except the one that received the original frame; this seems very normal so far. In short, the switches will broadcast the frame out of the ports the original wasn't received on, so it will be going back and forth until someone literally comes over and turns the switch off. It seems extreme, but remember that the switch will not broadcast that frame out of the port it was received on, yet SW1 receives a copy from both SW2 and SW3 (so SW1 will then broadcast the frame from SW2 out fa0/2, and the frame from SW3 out fa0/1).

So in short, STP will block redundant links to stop these frames from looping. You could have the switches daisy-chained, but that defeats the whole purpose of redundancy: if we had multiple switches (SW1 -> SW2 -> SW3 -> SW4) and SW3's link were to go down, people connected to SW1 and SW2 wouldn't be able to talk to people on SW3 or SW4.

So what is this 'root bridge election', or what is a root bridge?

When I first looked at the root bridge, I thought to myself: does all the traffic need to go to the root bridge before being forwarded to the destination? Because that seems impractical! Of course, it was the first time I'd encountered STP, and I wasn't 100% wrong, sort of... (but close to it!).

The paths towards the root bridge from other switches are commonly the fastest (or least cost), which can be changed. The easiest way I would explain why the root bridge is needed would be along the lines of: "The root bridge gives the other switches a common reference point to decide which ports to put in forwarding and which ports to block; by default the least cost (fastest path/speed) is the preferred path to the root unless you manually configure things like costs and priority...."

Traffic will not need to travel to the root bridge first, unless it needs to travel in that direction or that is the only way to get to the destination. We will talk about the different port roles and states for STP a little bit later.

Bridge Election Process

The bridge election process begins with switches exchanging messages: the Hello BPDU (Bridge Protocol Data Unit), formally known as a configuration BPDU (a lot of people call it a hello because it is sent over and over again like most hellos in other protocols; excuse me while I refer to it as a hello BPDU for now...).

The Hello BPDU will be used to compare on each side of the link and exchange information such as: Root Bridge ID, Sender Bridge ID, Path cost to root, Port ID and Timers (MaxAge, Hello and Forward Delay). The BPDU does contain more fields, but these are the important ones for now.. (The Protocol ID will be 0x0000 for IEEE 802.1D.)

I believe the main focus in the CCNA is firstly the Bridge ID (BID) and what forms it. The BID is a field in the BPDU which is 8 bytes, split into 2 parts:

Priority = 2 bytes (divided into 2 parts: 4-bit Priority + 12-bit VLAN ID) (interesting fact: 2^12 = 4096 VLANs, anyone?)
System ID Ext (MAC Address) = 6 bytes

With no configuration, we have some default values in the BPDUs generated on switches, such as:

Each switch will think it is the root since no root has been elected yet...
Each BID priority will be 32768 (VLAN 1 = 32769 etc...)
Hello timer is 2 seconds by default
Forward delay is 15 seconds by default
Max age is 20 seconds by default

So upon BPDU messages being exchanged, what will happen since the BID priority is the same? If that ties, it will move onto comparing the System ID (MAC address) and will always elect the switch with the lowest MAC address as the root, as shown in the example below:

In this example, we see that SW3 actually has a lower BID, which tells us that it will become the root in this election process. OK, so are BPDUs still exchanged after this simple process? Yes of course! BPDUs are actually generated by the root and will be sent down the topology similar to the picture below:

You can see that the path cost is added to as the 'BPDU' is sent down (logically) from the root, but where do these numbers come from? STP (1998) has values which I believe you may need to remember for the CCNA exam, such as:

10Mbps costs 100, 100Mbps costs 19, 1Gbps costs 4, 10Gbps costs 2

Now that the root election process has finished, is that pretty much all done? You'd be wrong in not wanting to learn more! Since the previous examples don't really show STP's capabilities of making sure the network is loop free, let's add a redundant link in our switched LAN from SW1 to SW2. The image has been changed slightly to make it easier to talk about from the logical topology view (remember SW3 is still the root!).

So a redundant link has been added and BPDUs have been exchanged, but wait...

We understand that one of the first values compared in the BPDU is the Root Bridge ID. SW3 and SW2 will both send a BPDU with the same Root Bridge ID?? Is the switch going to freak out? Is STP going to break? Of course not, that would be a poor design if it did; it simply moves onto the next value to compare...

Sender Bridge ID - Is the sender's BID lower than mine? No.... Simply move onto the next parameter. Cost....

SW1 root path cost using gi0/1 will be 4
SW1 root path cost using fa0/1 will be 23 (because it needs to also add the cost to get to the root from SW2's gigabit connection)

Port Roles and States

After the switches have completed this new election process with the new redundant link, we can move onto the next stage of the STP process. STP defines port roles and states to be used by root and non-root switches. The root switch will simply put all its ports in the designated role and the forwarding state (FWD), so let's focus on non-root switches.

Every non-root switch must have a root port, which is essentially the port with the lowest cost to reach the root switch. SW1 has made g0/1 the root port since it has an STP cost of 4 rather than f0/1, which would be a cost of 23. (Sorry about the hostname, this was issued on SW1.)

Because the root switch generates BPDUs that are then sent down the topology, each switch adds the cost to the BPDU before sending it out.

The BPDU sent from SW3 to SW2 carries a cost of 0; SW2 adds a cost of 4 and resends it to SW1. SW1 receives it on port f0/1 and adds a cost of 19, creating a total of 23. The BPDU sent from SW3 to SW1 carries 0; SW1 adds a cost of 4 and sends it to SW2. SW2 receives it on port f0/1 and adds a cost of 19 (23), which is a worse path than g0/2 to the root. As you can see in the show spanning-tree output, it also lists on SW1 that interface fa0/1's role is Desg (Designated).

The designated role will be the port that advertises the lowest path cost to a LAN segment. Of course, ties will occur, which results in the BIDs being compared and the lowest BID being chosen. All other ports that are not a Root or Designated port will be transitioned into the 'Blocking' (BLK) state, as shown on SW2:

In the next blog on STP, we will talk about STP convergence, 802.1w (RSTP), PVST+, configuring them all and tweaking STP values such as priority and cost; I will also go into depth on STP port roles and states etc.. I will be replicating this topology with 3 Cisco 2950s instead of using Packet Tracer. (PS, I wrote this on my actual blog but thought I might as well upload it here, sorry if any formatting issues occur!)
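As an added example (not from the original post), here is the election and port-role calculation above run in Python over the same three-switch topology: SW3 wins the root election on lowest MAC, SW1's g0/1 costs 4 versus 23 via fa0/1, SW1's fa0/1 wins the designated role on the redundant segment by lower BID, and SW2's fa0/1 ends up blocking. The MACs and priorities are made up, the comparison order used (root BID, then root path cost, then sender BID, then port ID) is 802.1D's, and timers and port states are left out.

```python
"""Added example (not from the original post): 802.1D root bridge election and
port roles for the three-switch topology in the post. Switch MACs and port
names are constructed; timers and the listening/learning states are ignored."""
import heapq

# 802.1D-1998 path costs quoted in the post, keyed by link speed in Mbps
COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed switches: default priority 32768 + VLAN 1 = 32769, made-up MACs.
SWITCHES = {
    "SW1": (32769, "00:00:00:00:00:01"),
    "SW2": (32769, "00:00:00:00:00:02"),
    "SW3": (32769, "00:00:00:00:00:00"),   # lowest MAC, so SW3 becomes the root
}
# Constructed links: (switch A, port on A, switch B, port on B, speed in Mbps)
LINKS = [
    ("SW3", "g0/1", "SW1", "g0/1", 1000),
    ("SW3", "g0/2", "SW2", "g0/2", 1000),
    ("SW1", "f0/1", "SW2", "f0/1", 100),   # the redundant link added in the post
]


def bid(name):
    """Bridge ID as a comparable tuple: priority first, then MAC; the lowest wins."""
    prio, mac = SWITCHES[name]
    return (prio, int(mac.replace(":", ""), 16))


def elect_root():
    """Every switch claims to be root; the lowest BID wins the election."""
    return min(SWITCHES, key=bid)


def root_path_costs(root):
    """Shortest path from the root to every switch, adding link costs as the BPDU travels."""
    cost = {name: float("inf") for name in SWITCHES}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        here, switch = heapq.heappop(heap)
        if here > cost[switch]:
            continue
        for a, _pa, b, _pb, speed in LINKS:
            if switch in (a, b):
                other = b if switch == a else a
                if here + COST[speed] < cost[other]:
                    cost[other] = here + COST[speed]
                    heapq.heappush(heap, (cost[other], other))
    return cost


def root_path_cost_via(switch, port):
    """Cost to the root if `switch` used `port`: the neighbour's root path cost plus the link cost."""
    rpc = root_path_costs(elect_root())
    for a, pa, b, pb, speed in LINKS:
        if (a, pa) == (switch, port):
            return rpc[b] + COST[speed]
        if (b, pb) == (switch, port):
            return rpc[a] + COST[speed]
    raise KeyError("%s has no port %s" % (switch, port))


def port_roles():
    """Return (root, root path costs, {(switch, port): 'root' | 'designated' | 'blocking'})."""
    root = elect_root()
    rpc = root_path_costs(root)
    roles, best_root_port = {}, {}
    for a, pa, b, pb, speed in LINKS:
        # What each end advertises on this segment: (root path cost, sender BID, port ID)
        adv = {a: (rpc[a], bid(a), pa), b: (rpc[b], bid(b), pb)}
        # Each non-root end remembers its cheapest way to the root seen so far.
        for me, nbr, my_port in ((a, b, pa), (b, a, pb)):
            if me != root:
                candidate = (adv[nbr][0] + COST[speed], adv[nbr][1], adv[nbr][2], my_port)
                if me not in best_root_port or candidate < best_root_port[me]:
                    best_root_port[me] = candidate
        # The end with the superior (lower) advertisement is designated for the segment;
        # the other end is blocking unless it later turns out to be that switch's root port.
        desg = a if adv[a] < adv[b] else b
        roles[(desg, pa if desg == a else pb)] = "designated"
        roles[(b if desg == a else a, pb if desg == a else pa)] = "blocking"
    for switch, (_, _, _, port) in best_root_port.items():
        roles[(switch, port)] = "root"
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = port_roles()
    print("root bridge:", root)
    for (switch, port), role in sorted(roles.items()):
        print("%s %s: %s (root path cost %d)" % (switch, port, role, rpc[switch]))
```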

BSpendlove


The conversion of IP addresses (Decimal) and Binary

This is a revision of a previous blog I posted on my website with better examples and hopefully more depth into the world of binary for IP addresses and subnetting. I will not explain how to subnet in this article but will explain why you might need to know how to convert binary to decimal (and vice versa) and why it is useful.

Let's dive straight into the deep end.

Binary

Binary can be represented as either 1 or 0 (on or off). We will be using the 'on/off' terms to make it easier to understand how to get the decimal value from our binary expression.

An IPv4 address is constructed from 32 individual binary bits which are split into 8-bit 'sections', also known as octets (1 octet actually equals 1 byte!). Here is an example:

192.168.0.1

Now you might feel like this isn't so daunting: an address that we are all familiar with, most probably the most commonly assigned IP address to a home router or the first device in our home network. Well, we can explore this IP address in the binary world.

The conversion for this IP address is 11000000.10101000.00000000.00000001. You will explore a method used to get this result, although right now we will focus on the structure of this binary format.

A little fact is that an IPv6 address is actually created from 128 bits but normally represented in hexadecimal format (0-9, A-F = total of 16 values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F).

Structure

Representing the above binary result in our '8 bit' or '4 octet' form:

8bits.8bits.8bits.8bits (32 bits in total)
octet.octet.octet.octet

When beginning to learn the conversion, starters will want to memorize a table of the decimal value of each bit, and even have a similar table available on screen or on a piece of paper to help with the process:

128 64 32 16 8 4 2 1

Our process to convert our IP address to binary (and vice versa) will start by using this table on the first octet (the first 8 bits) and then follow with the second, third and finally fourth.

In our 8 bits, the bit on the right is our 'least significant bit' and the bit on the left our 'most significant bit'. Don't get caught up too much with the maths until we dive deeper into the subnetting section, which will come in a later article.

A binary representation of 255 is 11111111 (we add the decimal values for every bit that is 'on' (1), which adds up to 255).

If we were to work out 11111110 in decimal, we would follow the rule of only adding the decimal values of the corresponding bits that are 'on' (equal to 1): 128 + 64 + 32 + 16 + 8 + 4 + 2 = 254.

It would make sense now to try and work out the first octet of 192.168.0.1, which is 11000000. As the same concept applies, adding the values for the bits that are 'on' (1) results in a decimal number of 192 (128 + 64 = 192).

The second octet, 10101000: 128 + 32 + 8 = 168.

The third octet, 00000000 in binary, is 0 in decimal....

The fourth octet, 00000001: remember that we only add our values when the corresponding binary value is 'on' (equal to 1).

192.168.0.1

So, if we use our 4 tables above that were used to convert our decimal to binary, we will find that the 192.168.0.1 address represented in binary is:

11000000.10101000.00000000.00000001

OK, that is cool I guess? Although I guess we don't really need to know this, since the whole point of the hardware is to automatically do this, and IP addresses are a more friendly way for us humans to use... You are certainly correct, to a degree.

A single IP address on its own doesn't really mean much to network engineers and such. This is where a subnet mask comes in.

Subnet Mask

Do you really need to read on? You have already figured out how to convert decimal to binary (and vice versa if you just apply it in reverse), but this is the part where I explain why learning this can be important in specific job roles and such.

Now a subnet mask is not to be confused with 'subnets' or 'masking an IP address' or even a robber's mask. To simplify, a subnet mask is an address used to describe the following information about a single IP address:

Which part of the IP address is the Network ID
Which part of the IP address is used for the Host ID (assigning IPs to devices)

If you want to carry on into depth with subnetting, subnet masks and using binary/decimal conversions in a bit more depth, then feel free to suggest and comment if you would like me to create an article. I plan to create one, but not soon!

Practising and Questions

Using your own table or a similar table as shown in the above demonstrations, work out the following:

Convert the following from decimal to binary:
192.168.10.210
172.16.34.255
10.32.47.100
192.168.43.77

Convert the following from binary to decimal:
11000000.10101000.01000001.00010101
00001010.00100001.00010001.10000011
10110001.11001010.11110000.00101111

How many bits are in an octet?
What information does a subnet mask provide?
How many total bits are in an IPv4 address?
How many total bits are in an IPv6 address?

Convert these binary values and describe where you would commonly find the decimal representation (10000000, 11000000, 11100000, 11110000, 11111000, 11111100, 11111110, 11111111).
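As an added example (not from the original post), the octet-by-octet conversion above written out in Python the way the bit-weight table does it, plus the network ID / host ID split that a subnet mask provides, so you can check your own answers to the practice questions. Only the post's worked example (192.168.0.1) is used as sample input; the mask 255.255.255.0 is an assumption of the example.

```python
"""Added example (not from the original post): decimal <-> binary conversion of
IPv4 addresses using the 128/64/32/16/8/4/2/1 table, and the network/host
split that a subnet mask describes. Sample values are the post's 192.168.0.1."""

WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)   # the table: most significant bit on the left


def octet_to_bits(value: int) -> str:
    """Walk the table left to right: if the weight still fits, that bit is 'on' and we subtract it."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds 0-255")
    bits = ""
    for weight in WEIGHTS:
        if value >= weight:
            bits += "1"
            value -= weight
        else:
            bits += "0"
    return bits


def bits_to_octet(bits: str) -> int:
    """Add the weight of every bit that is 'on' (1), e.g. 11111110 -> 254."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("an octet is exactly 8 binary digits")
    return sum(weight for weight, bit in zip(WEIGHTS, bits) if bit == "1")


def ip_to_binary(ip: str) -> str:
    """Dotted decimal to dotted binary, one octet at a time."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has 4 octets")
    return ".".join(octet_to_bits(int(octet)) for octet in octets)


def binary_to_ip(binary: str) -> str:
    """Dotted binary back to dotted decimal."""
    octets = binary.split(".")
    if len(octets) != 4:
        raise ValueError("expected 4 dotted groups of 8 bits")
    return ".".join(str(bits_to_octet(octet)) for octet in octets)


def _regroup(bits32: str) -> str:
    """Put the dots back into a 32-bit string."""
    return ".".join(bits32[i:i + 8] for i in range(0, 32, 8))


def network_and_host(ip: str, mask: str) -> dict:
    """Network ID = the address bits under the mask's 1s; host ID = the bits under its 0s."""
    ip_bits = ip_to_binary(ip).replace(".", "")
    mask_bits = ip_to_binary(mask).replace(".", "")
    if "01" in mask_bits:
        raise ValueError("a subnet mask is a run of 1s followed by a run of 0s")
    network = "".join(i if m == "1" else "0" for i, m in zip(ip_bits, mask_bits))
    host = "".join(i if m == "0" else "0" for i, m in zip(ip_bits, mask_bits))
    return {
        "prefix_length": mask_bits.count("1"),
        "network_id": binary_to_ip(_regroup(network)),
        "host_id": binary_to_ip(_regroup(host)),
    }


if __name__ == "__main__":
    print(ip_to_binary("192.168.0.1"))                      # 11000000.10101000.00000000.00000001
    print(network_and_host("192.168.0.1", "255.255.255.0"))  # mask is an assumption of the example
```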

BSpendlove
