Denial-of-Service (DoS) Attack

Denial-of-Service

•Commonly used against information stores like web sites
•Simple and usually quite effective
•Does not pose a direct threat to sensitive data
•The attacker tries to prevent a service from being used and making that service unavailable to legitimate users
•Attackers typically go for high visibility targets such as the web server, or for infrastructure targets like routers and network links



Denial-of-Service Example
If a mail server is capable of receiving and delivering 10 messages a second, an attacker simply sends 20 messages per second. The legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely.
-This type of an attack may be used as a diversion while another attack is made to actually compromise systems
-In addition, administrators are likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be further exploited

Types of Denial-of-Service Attacks

• Buffer Overflow Attacks 
• SYN Flood Attack 
• Teardrop Attacks 
• Smurf Attack 
• DNS Attacks 
• Email Attacks 
• Physical Infrastructure Attacks
• Viruses/Worms

Buffer Overflow Attacks

The most common DoS attack sends more traffic to a device than the program anticipates that someone might send Buffer Overflow.

SYN Flood Attack

• When connection sessions are initiated between a client and server in a network, a very small space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up a session. 
• The session-establishing packets include a SYN field that identifies the sequence order. 
• To cause this kind of attack, an attacker can send many packets, usually from a spoofed address, thus ensuring that no response is sent.

Teardrop Attack

• Exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. 
• The fragmented packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. 
• In the teardrop attack, an attacker's IP puts a confusing value in the second or later fragment. If the receiving operating system cannot cope with such fragmentation, then it can cause the system to crash.

Smurf Attack

• The attacker sends an IP ping request to a network site.
• The ping packet requests that it be broadcast to a number of hosts within that local network. 
• The packet also indicates that the request is from a different site, i.e. the victim site that is to receive the denial of service. 
• This is called IP Spoofing--the victim site becomes the address of the originating packet. 
• The result is that lots of ping replies flood back to the victim host. If the flood is big enough then the victim host will no longer be able to receive or process "real" traffic.

DNS Attacks

• A famous DNS attack was a DDoS "ping" attack. The attackers broke into machines on the Internet (popularly called "zombies") and sent streams of forged packets at the 13 DNS root servers via intermediary legitimate machines. 
• The goal was to clog the servers, and communication links on the way to the servers, so that useful traffic was gridlocked. The assault is not DNS-specific--the same attack has been used against several popular Web servers in the last few years.

Email Attacks

• When using Microsoft Outlook, a script reads your address book and sends a copy of itself to everyone listed there, thus propagating itself around the Internet. 
• The script then modifies the computer’s registry so that the script runs itself again when restarted.

Physical Infrastructure Attacks

• Someone can just simply snip your cables! Fortunately this can be quickly noticed and dealt with. 
• Other physical infrastructure attacks can include recycling systems, affecting power to systems and actual destruction of computers or storage devices. 

Viruses/Worm

• Viruses or worms, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus. 
• Available bandwidth can become saturated as the virus/worm attempts to replicate itself and find new victims

Read more...

Modern Network Security Threats

Major Concepts:
•Rationale for network security
•Data confidentiality, integrity, availability
•Risks, threats, vulnerabilities and countermeasures
•Methodology of a structured attack
•Security model (McCumber cube)
•Security policies, standards and guidelines
•Selecting and implementing countermeasures
•Network security design

What is Network Security?
National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Network security is the protection of information and systems and hardware that use, store, and transmit that information.
Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.

Rationale for Network Security
Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:
1.Internet connectivity is 24/7 and is worldwide
2.Increase in cyber crime
3.Impact on business and individuals
4.Legislation & liabilities
5.Proliferation of threats
6.Sophistication of threats


Business Impact
1.Decrease in productivity
2.Loss of sales revenue
3.Release of unauthorized sensitive data
4.Threat of trade secrets or formulas
5.Compromise of reputation and trust
6.Loss of communications
7.Threat to environmental and safety systems
8.Loss of time

Goals of an Information
Security Program
•Confidentiality
-Prevent the disclosure of sensitive information from unauthorized people, resources, and processes
•Integrity
-The protection of system information or processes from intentional or accidental modification
•Availability
-The assurance that systems and data are
accessible by authorized users when needed


Risk Management
•Risk Analysis
•Threats
•Vulnerabilities
•Countermeasures


Risk Assessment

•Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
•Each vulnerability can be ranked by the scale
•Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability



Asset Identification
•Categories of assets
       -Information Assets (people, hardware, software, systems)
       -Supporting Assets (facilities, utilities, services)
       -Critical Assets (can be either of those listed above)
•Attributes of the assets need to be compiled
•Determine each item’s relative value
       -How much revenue/profit does it generate?
       -What is the cost to replace it?
       -How difficult would it be to replace?
       -How quickly can it be replaced?




Types of Network Threats

•Impersonation
•Eavesdropping
•Denial-of-service
•Packet replay
•Man-in-the-middle
•Packet modification


Vulnerability

•A network vulnerability is a weakness in a system, technology, product or policy
•In today’s environment, several organizations track, organize and test these vulnerabilities
•The US government has a contract with an organization to track and publish network vulnerabilities
•Each vulnerability is given an ID and can be reviewed by network security professionals over the Internet.
•The common vulnerability exposure (CVE) list also publishes ways to prevent the vulnerability from being attacked

Vulnerability Appraisal
•It is very important that network security specialists comprehend the importance of vulnerability appraisal
•A vulnerability appraisal is a snapshot of the current security of the organization as it now stands
•What current security weaknesses may expose the assets to these threats?
•Vulnerability scanners are tools available as free Internet downloads and as commercial products
      -These tools compare the asset against a database of known vulnerabilities and produce a discovery                                        

          report that exposes the vulnerability and assesses its severity


Risk Management Terms
•Vulnerability – a system, network or device weakness
•Threat – potential danger posed by a vulnerability
•Threat agent – the entity that indentifies a vulnerability and uses it to attack the victim
•Risk – likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
•Exposure – potential to experience losses from a threat agent
•Countermeasure – put into place to mitigate the potential risk


Types of Attacks


Structured attack

Come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.


Unstructured attack

Consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker’s skills can still do serious damage to a company.


External attacks

Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network mainly from the Internet or dialup access servers.


Internal attacks

More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks often are traced to disgruntled employees.

Passive Attack
-Listen to system passwords
-Release of message content
-Traffic analysis
-Data capturing 

Active Attack
-Attempt to log into someone else’s account
-Wire taps
-Denial of services
-Masquerading
-Message modifications

Specific Network Attacks

•ARP Attack
•Brute Force Attack
•Worms
•Flooding
•Sniffers
•Spoofing
•Redirected Attacks
•Tunneling Attack
•Covert Channels

Read more...

TCP/IP Networking Basics & IP Address

Basic Router Concepts

Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem. For the WAN link to work on the Internet, the data traffic meant for the Internet needs to be separated from other WAN data and forwarded. A router usually performs the tasks of selecting and forwarding this data.

What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support.

Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing
Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.

Internet Protocol (IP) Addresses

Because TCP/IP networks are interconnected across the world, each computer on the Internet must have a unique address (called an IP address) to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at http://www.iana.org.The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points.

For example, the following binary address:
11000011 00100010 00001100 00000111 

is normally written as:
195.34.12.7

The latter version is easier to remember and easier to enter into your computer.In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.

There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. Below shows the three main address classes, including network and host sections of the address for each address type.

The five address classes are: 

•    Class A  

     Class A addresses can have up to 16,777,214 hosts on a single network. They use an 8-bit 

     network number and a 24-bit node number. Class A addresses are in this range: 

      1.x.x.x to 126.x.x.x. 

•    Class B  

     Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit 

     network number and a 16-bit node number. Class B addresses are in this range: 

      128.1.x.x to 191.254.x.x. 

•    Class C  

     Class C addresses can have up to 254 hosts on a network. A Class C address uses a 24-bit 

     network number and an 8-bit node number. Class C addresses are in this range: 

      192.0.1.x to 223.255.254.x. 

•    Class D  

     Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are 

     in this range: 

      224.0.0.0 to 239.255.255.255. 

•    Class E  

     Class E addresses are for experimental use. 

This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. 

For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host. Also, the top address of the range (host address of all ones) is not assigned, but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address. 

Netmask 

In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. 

For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains: 

     11000000  10101000  10101010  11101101  (192.168.170.237) 

combined with: 

     11111111  11111111  11111111  00000000  (255.255.255.0) 

equals: 

     11000000  10101000  10101010  00000000  (192.168.170.0) 

As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.” In the example, the address could be written as 192. 168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros. 

Subnet Addressing 

By looking at the addressing structures, you can see that even with a Class C address, there are a large number of hosts per network. Such a structure is an inefficient use of addresses if each end of a routed link requires a different network number. It is unlikely that the smaller office LANs would have that many devices. You can resolve this problem by using a technique known as subnet addressing.

Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below. 

A Class B address can be effectively translated into multiple Class C addresses. For example, the IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximum, allowing eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as IP network address 172.16, subnet number 97, and node number 235. In addition to extending the number of addresses available, subnet addressing provides other benefits. Subnet addressing allows a network manager to construct an address scheme for the network by using different subnets for other geographical locations in the network or for other departments in the organization. 

Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network number 192.68.135.0 with hosts 192.68.135.1 to 129.68.135.126, and the second subnet has network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254.

     Note:     The number 192.68.135.127 is not assigned because it is the broadcast address 

                   of the first subnet. The number 192.68.135.128 is not assigned because it is the 

                   network address of the second subnet. 

he following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0-value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (four bits), the new subnet mask becomes 255.255.255.240. 

Netmask Notation Translation Table for One Octet 

 Number of Bits   Dotted-Decimal Value 

           1                 128 

           2                 192 

           3                 224 

           4                 240 

           5                 248 

           6                 252 

           7                 254 

            8                 255 

The following table displays several common netmask values in both the dotted-decimal and the masklength formats. 

Netmask Formats 

 Dotted-Decimal        Masklength

 

  255.0.0.0                    /8 

  255.255.0.0                /16 

  255.255.255.0            /24 

  255.255.255.128         /25 

  255.255.255.192         /26 

  255.255.255.224         /27 

  255.255.255.240         /28 

  255.255.255.248         /29 

  255.255.255.252         /30 

  255.255.255.254         /31 

  255.255.255.255         /32 

So that hosts recognize local IP broadcast packets 

    When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this scheme to work, all devices on the segment must agree on which bits comprise the host address. 

•   So that a local router or bridge recognizes which addresses are local and which are remote 

Private IP Addresses 

If your local network is isolated from the Internet (for example, when using Network Address Translation, NAT, which is described below), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks: 

     10.0.0.0 - 10.255.255.255 

     172.16.0.0 - 172.31.255.255 

     192.168.0.0 - 192.168.255.255 

Read more...

BGP (The Border Gateway Protocol)

The Border Gateway Protocol (BGP) is the protocol backing the core routing decisions on the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rulesets. For this reason, it is more appropriately termed a reachability protocol rather than routing protocol.

BGP was created to replace the Exterior Gateway Protocol (EGP) protocol to allow fully decentralized routing in order to transition from the core ARPAnet model to a decentralized system that included the NSFNET backbone and its associated regional networks. This allowed the Internet to become a truly decentralized system. Since 1994, version four of the BGP has been in use on the Internet. All previous versions are now obsolete. The major enhancement in version 4 was support of Classless Inter-Domain Routing and use of route aggregationto decrease the size of routing tables. Since January 2006, version 4 is codified in RFC 4271, which went through more than 20 drafts based on the earlier RFC 1771 version 4. RFC 4271 version corrected a number of errors, clarified ambiguities and brought the RFC much closer to industry practices.

Most Internet service providers must use BGP to establish routing between one another (especially if they are multihomed). Therefore, even though most Internet users do not use it directly, BGP is one of the most important protocols of the Internet. Compare this with Signaling System 7 (SS7), which is the inter-provider core call setup protocol on the PSTN. Very large private IP networks use BGP internally. An example would be the joining of a number of large OSPF (Open Shortest Path First) networks where OSPF by itself would not scale to size. Another reason to use BGP is multihoming a network for better redundancy either to multiple access points of a single ISP (RFC 1998) or to multiple ISPs.

BGP neighbors, peers, are established by manual configuration between routers to create a TCP session on port 179. A BGP speaker will periodically send 19-byte keep-alive messages to maintain the connection (every 60 seconds by default). Among routing protocols, BGP is unique in using TCP as its transport protocol.

When BGP runs between two peers in the same autonomous system (AS), it is referred to as Internal BGP (IBGP or Interior Border Gateway Protocol). When it runs between autonomous systems, it is called External BGP (EBGP or Exterior Border Gateway Protocol). Routers on the boundary of one AS exchanging information with another AS are called border or edge routers. In the Cisco operating system, IBGP routes have an administrative distance of 200, which is less preferred than either external BGP or any interior routing protocol. Other router implementations also prefer EBGP to IGPs, and IGPs to IBGP.


Finite-state machine

In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state machine (FSM) that consists of six states: Idle; Connect; Active; OpenSent; OpenConfirm; and Established. For each peer-to-peer session, a BGP implementation maintains a state variable that tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another. The first state is the “Idle” state. In the “Idle” state, BGP initializes all resources, refuses all inbound BGP connection attempts and initiates a TCP connection to the peer. The second state is “Connect”. In the “Connect” state, the router waits for the TCP connection to complete and transitions to the "OpenSent" state if successful. If unsuccessful, it starts the ConnectRetry timer and transitions to the "Active" state upon expiration. In the "Active" state, the router resets the ConnectRetry timer to zero and returns to the "Connect" state. In the "OpenSent" state, the router sends an Open message and waits for one in return. Keepalive messages are exchanged and, upon successful receipt, the router is placed into the “Established” state. In the “Established” state, the router can send/receive: Keepalive; Update; and Notification messages to/from its peer.





Idle State:

Refuse all incoming BGP connections
Start event triggers the initialization of
Initiates a TCP connection with its configured BGP peer.
Listens for a TCP connection from its peer.
Changes its state to Connect.
If an error occurs at any state of the FSM process, the BGP session is terminated immediately and returned to the Idle state. Some of the reasons why a router does not progress from the Idle state are:
TCP port 179 is not open.
A random TCP port over 1023 is not open.
Peer address configured incorrectly on either router.
AS number configured incorrectly on either router .
Connect State:
Waits for successful TCP negotiation with peer.
BGP does not spend much time in this state if the TCP session has been successfully established.
Sends Open message to peer and changes state to OpenSent.
If an error occurs, BGP moves to the Active state. Some reasons for the error are:
TCP port 179 is not open.
A random TCP port over 1023 is not open.
Peer address configured incorrectly on either router.
AS number configured incorrectly on either router.

Active State:

If the router was unable to establish a successful TCP session, then it ends up in the Active state.
BGP FSM will try to restart another TCP session with the peer and, if successful, then it will send an Open message to the peer.
If it is unsuccessful again, the FSM is reset to the Idle state.
Repeated failures may result in a router cycling between the Idle and Active states. Some of the reasons for this include:
TCP port 179 is not open.
A random TCP port over 1023 is not open.
BGP configuration error.
Network congestion.
Flapping network interface.

OpenSent State:

BGP FSM listens for an Open message from its peer.
Once the message has been received, the router checks the validity of the Open message.
If there is an error it is because one of the fields in the Open message doesn’t match between the peers, e.g. BGP version mismatch, MD5 password mismatch, the peering router expects a different My AS. The router will then send a Notification message to the peer indicating why the error occurred.
If there is no error, a Keepalive message is sent, various timers are set and the state is changed to OpenConfirm.

OpenConfirm State:

The peer is listening for a Keepalive message from its peer.
If a Keepalive message is received and no timer has expired before reception of the Keepalive, BGP transitions to the Established state.
If a timer expires before a Keepalive message is received, or if an error condition occurs, the router transitions back to the Idle state.

Established State:

In this state, the peers send Update messages to exchange information about each route being advertised to the BGP peer.
If there is any error in the Update message then a Notification message is sent to the peer, and BGP transitions back to the Idle state.
If a timer expires before a Keepalive message is received, or if an error condition occurs, the router transitions back to the Idle state.

Read more...

EIGRP (Enhanced Interior Gateway Routing Protocol)

Enhanced Interior Gateway Routing Protocol - (EIGRP) is a Cisco proprietary routing protocol loosely based on their original IGRP. EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router. Routers that support EIGRP will automatically redistribute route information to IGRP neighbors by converting the 32 bit EIGRP metric to the 24 bit IGRP metric. Most of the routing optimizations are based on the Diffusing Update Algorithm (DUAL) work from SRI, which guarantees loop-free operation and provides a mechanism for fastconvergence.


EIGRP stores data in three tables:

Neighbor Table: Stores data about the neighboring routers, i.e. those directly accessible through directly connected interfaces.

Topology Table: Confusingly named, this table does not store an overview of the complete network topology; rather, it effectively contains only the aggregation of the routing tablesgathered from all directly connected neighbors. This table contains a list of destination networks in the EIGRP-routed network together with their respective metrics. Also for every destination, a successor and a feasible successor are identified and stored in the table if they exist. Every destination in the topology table can be marked either as "Passive", which is the state when the routing has stabilized and the router knows the route to the destination, or "Active" when the topology has changed and the router is in the process of (actively) updating its route to that destination.

Routing table: Stores the actual routes to all destinations; the routing table is populated from the topology table with every destination network that has its successor and optionallyfeasible successor identified (if unequal-cost load-balancing is enabled using the variance command). The successors and feasible successors serve as the next hop routers for these destinations.

Unlike most other distance vector protocols, EIGRP does not rely on periodic route dumps in order to maintain its topology table. Routing information is exchanged only upon the establishment of new neighbor adjacency  after which only changes are sent. Also, it uses route tagging.

Bandwidth
Minimum Bandwidth (in kilobits per second) along the path from router to destination network

Load
Load (number in range 1 to 255; 255 being saturated)

Delay
Total Delay (in 10s of microseconds) along the path from router to destination network

Reliability
Reliability (number in range 1 to 255; 255 being the most reliable)

MTU
Minimum path Maximum Transmission Unit (MTU) (never used in the metric calculation)

Hop Count
Number of routers a packet passes through when routing to a remote network, used to limit the EIGRP AS.

The K Values There are five (5) K values used in the Composite metric calculation - K1 through K5. The K values only act as multipliers or modifiers in the composite metric calculation. K1 is not equal to Bandwidth, etc.

By default, only total delay and minimum bandwidth are considered when EIGRP is started on a router, but an administrator can enable or disable all the K values as needed to consider the other Vector metrics.

For the purposes of comparing routes, these are combined together in a weighted formula to produce a single overall metric:

where the various constants (K1 through K5) can be set by the user to produce varying behaviors. An important and totally non-obvious fact is that if K5 is set to zero, the term  is not used (i.e. taken as 1).

The default is for K1 and K3 to be set to 1, and the rest to zero, effectively reducing the above formula to (Bandwidth + Delay) * 256.

Obviously, these constants must be set to the same value on all routers in an EIGRP system, or permanent routing loops will probably result. Cisco routers running EIGRP will not form an EIGRP adjacency and will complain about K-values mismatch until these values are identical on these routers.

EIGRP scales Bandwidth and Delay metrics with following calculations:Bandwidth for EIGRP = 107 / Interface BandwidthDelay for EIGRP = Interface Delay / 10

On Cisco routers, the interface bandwidth is a configurable static parameter expressed in kilobits per second (setting this only affects metric calculation and not actual line bandwidth). Dividing a value of 107 kbit/s (i.e. 10 Gbit/s) by the interface bandwidth statement yields a value that is used in the weighted formula. Analogously, the interface delay is a configurable static parameter expressed in microseconds. Dividing this interface delay value by 10 yields a delay in units of tens of microseconds that is used in the weighted formula.

IGRP uses the same basic formula for computing the overall metric, the only difference is that in IGRP, the formula does not contain the scaling factor of 256. In fact, this scaling factor was introduced as a simple means to facilitate backward compatility between EIGRP and IGRP: In IGRP, the overall metric is a 24-bit value while EIGRP uses a 32-bit value to express this metric. By multiplying a 24-bit value with the factor of 256 (effectively bit-shifting it 8 bits to the left), the value is extended into 32 bits, and vice versa. This way, redistributing information between EIGRP and IGRP involves simply dividing or multiplying the metric value by a factor of 256, which is done automatically.

EIGRP also maintains a hop count for every route, however, the hop count is not used in metric calculation. It is only verified against a predefined maximum on an EIGRP router (by default it is set to 100 and can be changed to any value between 1 and 255). Routes having a hop count higher than the maximum will be advertised as unreachable by an EIGRP router.

Read more...

Static Routing Tutorial

In studying for your CCNA exam and preparing to earn this valuable certification, you may be tempted to spend little time studying static routing and head right for the more exciting dynamic routing protocols like RIP, EIGRP, and OSPF.

This is an understandable mistake, but still a mistake. Static routing is not complicated, but it’s an important topic on the CCNA exam and a valuable skill for real-world networking.

To create static routes on a Cisco router, you use the ip route command followed by the destination network, network mask, and either the next-hop IP address or the local exit interface. It’s vital to keep that last part in mind – you’re either configuring the IP address of the downstream router, or the interface on the local router that will serve as the exit interface.

Let’s say your local router has a serial0 interface with an IP address of 200.1.1.1/30, and the downstream router that will be the next hop will receive packets on its serial1 interface with an IP address of 200.1.1.2/30. The static route will be for packets destined for the 172.10.1.0 network. Either of the following ip route statements would be correct.

R1(config)#ip route 172.10.1.0 255.255.255.0 200.1.1.2 (next-hop IP address)

OR

R1(config)#ip route 172.10.1.0 255.255.255.0 serial0 ( local exit interface)

You can also write a static route that matches only one destination. This is a host route, and has 255.255.255.255 for a mask. If the above static routes should only be used to send packets to 172.10.1.1., the following commands would do the job.

R1(config)#ip route 172.10.1.1 255.255.255.255 200.1.1.2 (next-hop IP address)

OR

R1(config)#ip route 172.10.1.1 255.255.255.255 serial0 ( local exit interface)

Finally, a default static route serves as a gateway of last resort. If there are no matches for a destination in the routing table, the default route will be used. Default routes use all zeroes for both the destination and mask, and again a next-hop IP address or local exit interface can be used.

R1(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.2 (next-hop IP address)

OR

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0 ( local exit interface)

IP route statements seem simple enough, but the details regarding the next-hop IP address, the local exit interface, default static routes, and the syntax of the command are vital for success on CCNA exam day and in the real world.

Read more...

The Differences Between Hubs, Switches and Routers

Some technicians have a tendency to use the terms routers, hubs and switches interchangeably. One minute they're talking about a switch. Two minutes later they're discussing router settings. Throughout all of this, though, they're still looking at only the one box. Ever wonder what the difference is among these boxes? The functions of the three devices are all quite different from one another, even if at times they are all integrated into a single device. Which one do you use when? Let's take a look...


Hub, Switches, and Routers: Getting Started with Definitions

Hub is common connection point for devices in a network. Hubs are commonly used to connect segments of LAN. A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.

Switch networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.

Router device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP.s network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts.

Switch Vs Hub
Here is a tabular representation of the differences between a switch and a hub.

Switch	Hub
As per the OSI model, network switches are classified as Data Link Layer devices, i.e. they operate at Layer 2. However, certain multi-layer switches can operate at higher layers as well.	As per the OSI model, a hub is a Physical Layer device, i.e. it operates at Layer 1.
A switch is a more sophisticated network device and is more expensive than a hub.	A hub is a very primitive device and is comparatively much cheaper.
A switch is an intelligent device, it transmits the data packets from the source computer to only those network computers to which the data packets are originally intended.	A hub is a 'dumb' device to say the least. It broadcasts the data packets to each and every networked computer, and not just the target computer or set of computers to which the data packets were originally intended to be sent.
There is optimum utilization of network bandwidth in case of switches, and bandwidth wastage is minimal.	Due to their broadcast mechanism of data transmission, there is unnecessary wastage of network bandwidth which results in slow operation and data transfer speeds.
Switches are full-duplex devices, i.e. both, data transmission and reception can take place simultaneously.	Hubs are half-duplex devices, i.e. both, data transmission and reception cannot take place simultaneously.
Network security is much better with the use of a switch, as compared to a hub.	Thanks to its broadcast mechanism, network security becomes a big issue and a loophole in the case of a hub.

Router Vs Switch
Here are some points of comparison which highlight the differences between a router and a switch.

Router	Switch
Basically, a router is used to connect computers belonging to one network with those belonging to another or other networks. Thus, a router connects two or more different networks.	A switch on the other hand, connects different computers within one network.
As per the OSI model, a router is a Network Layer device, i.e. it operates at Layer 3.	Unless it is a multi-layer switch, a network switch operates at Layer 2 (Data Link Layer).
Routers are much more sophisticated and intelligent network devices, as compared to switches.	In comparison with routers, switches are less sophisticated and less intelligent.
A router works on the principle of IP addresses.	A switch works on the basis of MAC addresses.
A router's inbuilt hardware makes use of routing algorithms to compute the best possible path for routing data packets across different computer networks.	A switch does not perform any such activities.
Routers have their own inbuilt operating systems and they need to be configured before use.	Most switches do not require any prior configuration and are usually 'ready-to-use'.

Read more...