Thursday, June 30, 2011

step by step configuration spanning tree cisco

As mentioned in one of our previous posts, STP was developed to allow redundancy in a Layer 2 network while keeping that network loop-free. Today we are going to look at how STP actually performs this function.
Step 1: Electing the root bridge
What is the root bridge?
The root bridge is the master bridge of the spanning tree, on which all path calculations are based. Each switch must have an active path to the root bridge, and all bridges in the same domain must agree on the same root. The root bridge has all of its ports in the forwarding state, and all traffic passing from one segment to another in the network must pass through the root bridge.
How is the root bridge elected?
The Bridge ID (BID) is used to determine the root bridge. The BID is a combination of the priority value (default: 32768) and the MAC address of the switch. The rule is: the lower the BID, the better, so the switch with the lowest bridge ID becomes the root bridge.
If two or more switches happen to have the same priority (e.g. the default value), the MAC address is used as the tie-breaker: the bridge with the lowest MAC address becomes the root of the tree.
How to manipulate the root bridge election?
By default, Cisco switches run a separate STP instance for every VLAN configured on the switch; this mode is called PVST.
In the diagram below I am going to configure Switch1 as the root switch for the default VLAN (1) using two methods.
The root bridge may be elected using one of the following methods:
  • Election by chance: you can leave STP to do its work without even knowing about it. By default each bridge comes with a priority value of 32768, so the bridge with the lowest MAC address becomes the root bridge. This method is not recommended except in very simple network topologies.
  • Setting the bridge priority using the command spanning-tree vlan [list] priority [value]. The list defines the VLAN instances that the new priority value applies to.
Switch1(config)#do debug spanning-tree root
Switch1(config)#spanning-tree vlan 1 priority 4096
Switch1(config)#
01:17:58: STP: VLAN0001 we are the spanning tree root
  • Using the command spanning-tree vlan [list] root [primary | secondary]. This command automatically lowers the priority of the switch to a value low enough to make sure that the switch is elected as the root switch.
Switch1(config)#spanning-tree vlan 1 root primary
Switch1(config)#
01:20:59: STP: VLAN0001 we are the spanning tree root

!-- Priority is lowered automatically as shown in the output below

Switch1(config)#do show spanning-tree vlan 1    

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     001b.90b4.6900
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     001b.90b4.6900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
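As an added illustration of the election rule described above (example code written for this post, not Cisco's or the original author's), the functions below build the PVST+ Bridge ID for one VLAN, the configured priority plus the VLAN number (the sys-id-ext in the show output) in the top 16 bits and the MAC address below it, and pick the root from a list of switches. Switch2 and Switch3 and their MAC addresses are constructed sample data; Switch1's MAC is the one in the output above.

```python
"""Root bridge election for one PVST+ instance.

Example added to this post (not Cisco code or the author's): a BID is the
16-bit priority field followed by the 48-bit MAC address, and the lowest
BID wins. Cisco's extended system ID adds the VLAN number to the priority,
which is why the show output above reports 24577 for VLAN 1 once
'root primary' has set the base priority to 24576.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576   # base priority shown in the output after 'root primary'


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                          # Cisco dotted hex, e.g. "001b.90b4.6900"
    priority: int = DEFAULT_PRIORITY  # configured base priority, a multiple of 4096


def mac_to_int(mac: str) -> int:
    """Accepts 001b.90b4.6900, 00:1b:90:b4:69:00 or 00-1b-90-b4-69-00."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(sw: Switch, vlan: int) -> int:
    """64-bit BID = (priority + sys-id-ext) << 48 | MAC."""
    if sw.priority % 4096 or not 0 <= sw.priority <= 61440:
        raise ValueError(f"{sw.name}: priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return ((sw.priority + vlan) << 48) | mac_to_int(sw.mac)


def priority_field(sw: Switch, vlan: int) -> int:
    """The 'Priority' value that show spanning-tree prints (priority + sys-id-ext)."""
    return bridge_id(sw, vlan) >> 48


def elect_root(switches: Iterable[Switch], vlan: int) -> Switch:
    """Lowest BID wins: lowest priority first, lowest MAC as the tie-breaker."""
    return min(switches, key=lambda s: bridge_id(s, vlan))


def root_changed(expected_root: Switch, switches: Iterable[Switch], vlan: int) -> Optional[Switch]:
    """Operational check: return the switch that would displace the expected root, if any.
    A bridge advertising a better BID than the one you designed for is worth an alert."""
    winner = elect_root(switches, vlan)
    return None if winner.name == expected_root.name else winner


if __name__ == "__main__":
    # Constructed sample topology; Switch1's MAC is the one in the show output above.
    sw1 = Switch("Switch1", "001b.90b4.6900")
    sw2 = Switch("Switch2", "0019.aa00.0001")
    sw3 = Switch("Switch3", "001c.0000.0002")
    print("default priorities ->", elect_root([sw1, sw2, sw3], 1).name)  # Switch2: lowest MAC
    sw1_primary = Switch("Switch1", sw1.mac, ROOT_PRIMARY_PRIORITY)
    print("after root primary ->", elect_root([sw1_primary, sw2, sw3], 1).name)
    print("priority field     ->", priority_field(sw1_primary, 1))       # 24577
```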
Finally, here are some links if you want to look for more information:
  • STP configuration guide.
  • A detailed post by Petr Lapukhov explaining almost all you need to know about PVST+.

Setting up a proxy server at home

Why would you want a secure proxy server on your home machine?
There are several good reasons for a setup like this. The primary purpose is to encrypt your network traffic. You may want to hide your browsing or chatting from your employer, or something as benign as not wanting people to see your passwords when connected to a hotspot at your local $tarbuck$. When you are browsing through your home proxy server, whoever is 'sniffing' your network traffic can only see lots of random packets going to your home machine. Due to the nature of these programs, you should only set this up if you have a broadband router or other NAT device in front of your home network.

The following pre-requisites will make things a lot easier:
  • Know your home machine's external IP address. For this, you'll need either a static IP address from your ISP *or* have a dynamic DNS client installed. For testing purposes, you can view it via http://www.whatismyip.com.
  • Give your home workstation a static IP address on your home network. Open up a command prompt and type 'ipconfig /all' and note the current IP address, gateway, and DNS servers. Assign your computer a static IP address that is 50 more than its current dynamic IP (that's a safe bet since most home networks would never have >50 devices connected to it, even if the broadband router has a DHCP scope larger than that). Use the existing gateway & DNS servers.
  • Know that your mom goes to college


Doing this involves five steps:
  • Installing an SSH server on your home machine. SSH is an encrypted remote shell (think of it as an encrypted replacement for telnet) which also provides a function called port forwarding. It's this port forwarding that allows you to redirect your network traffic through this proxy. SSH will also function as your authentication mechanism, keeping random people from being able to use your machine as a proxy.
  • Installing an HTTP/SOCKS5 proxy server on your home machine.
  • Opening up the SSH port on your home firewall AND in Windows XP's firewall (if it is enabled).
  • Installing an SSH client with the appropriate port forwarding settings on your client machine (work machine, laptop, etc).
  • Configuring each application to talk through the proxy.


Step 1: Installing an SSH server on your home machine


  • Download and install the SSHWindows installer from Sourceforge: http://sourceforge.net/project/showfiles.php?group_id=103886&package_id=111688, accepting all defaults.
  • Open up a command prompt (start > run > cmd) and type the following:
    cd\program files\openssh
    mkgroup -l >> etc\group
    mkpasswd -l -u %username% >> etc\passwd
    net start opensshd
    
    That will create a local ssh user group and give the current logged in user the ability to log in (the password will be the same as your windows login password - if it's blank, change it to something harder!). It will then start the ssh server service.


Step 2: Installing SpoonProxy, a Windows proxy server

  • Download spoonproxy: http://www.pi-soft.com/spoonproxy/index.shtml. It costs $19 for a 1-user home license, but there is a 30-day trial.
  • Launch spoonproxy: Start > All Programs > Spoonproxy > spoonproxy. Spoonproxy's default configuration works just fine, so just minimize it.


Step 3: Opening up ports in Windows firewall & your broadband router

  • If the Windows XP firewall is enabled, you need to open up the incoming SSH port. To do this, right-click on My Network Places and choose Properties. Now right-click on your primary network card and choose Properties. Go to the Advanced tab and click on Settings under Windows Firewall. Click on the Exceptions tab and then 'Add Port'. Name: ssh, Port number: 22 (TCP). Click OK, OK, OK.
  • Now you must open up the port on your broadband router. Most broadband routers have a web interface for this; I can't walk you through it because it's slightly different on every system. You want to forward external port 22 to port 22 on the (internal) IP address of your home computer.


Step 4: Installing puTTy, a Windows SSH client on your work computer or laptop

  • Download puTTy: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.
  • puTTy is a free SSH client that is a single executable; there is nothing to install. Save puTTy.exe to your desktop.
  • Double-click on puTTy. First, scroll down the left column to Connections > SSH > Tunnels. From here, you need to add three ports to be forwarded. For Source port, enter 80. For Destination, type localhost:8080, then click on Add.
    Do the same for the other two pairs: 443 to localhost:8081, and 1080 to localhost:1080. This forwards HTTP, HTTPS, and SOCKS5.



  • Now, go up to the top and click on Session. Under "Host Name (or IP address)", enter your home computer's external IP address or dynamic DNS name. Under 'Saved Sessions', type in "SSH home" and click on Save. This saves the connection settings for every time you want to connect to your home machine.



    To connect, click on Open. The first time, you will be asked to accept the server's SSH host key (choose 'Accept & Save'). Log in using your home Windows computer's login and password. You should then see a command prompt. You are now connected and set up to tunnel traffic, so you can minimize (but don't close) puTTy. This session must remain open to proxy your web traffic.


Step 5: Configuring applications to go through the tunnel

  • Firefox: I recommend configuring one browser (such as Firefox) to always go through the proxy, leaving your other browser to browse your corporate intranet (or to access sites that you do not wish to proxy). Alternatively, you can simply tell Firefox which URLs should not use the proxy. In Firefox, go to Tools > Options > General > Connection Settings. Set the HTTP proxy to localhost, port 80, and the SSL proxy to localhost, port 443 (the local ends of the tunnels you added in puTTy):



    You should now be browsing through your home machine. Remember, the speed will be limited to your home machine's upstream connection (since your home machine is essentially downloading the web page then re-uploading it to you). If you wish to test that it's working, close puTTy. You should now be unable to browse the 'net.

    AIM and Yahoo both support SOCKS5 proxying. Simply go into the connection settings and enable SOCKS5 proxying with server = localhost and port = 1080 (the default).

Done!


All you have to do is launch puTTy and connect to your home machine whenever you wish to securely browse.
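A way to check the SOCKS5 leg of the tunnel without depending on a chat client: the script below, added to this post (not code from SpoonProxy, puTTy or the original author), speaks the SOCKS5 handshake from RFC 1928 to localhost:1080 and reports the proxy's reply. It assumes the proxy accepts the "no authentication" method (the SSH login is what authenticates you), and the target host is a placeholder to replace with a site you expect to reach.

```python
"""Speak the SOCKS5 handshake (RFC 1928) to the tunnelled proxy port.

Example added to this post, not code from SpoonProxy, puTTy or the original
author. It connects to the local end of the tunnel (localhost:1080 as set
up above), offers the "no authentication" method, asks the proxy to CONNECT
to a target, and returns the reply status. The target host is a placeholder.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """VER | NMETHODS | METHODS: we offer only no-auth."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_reply(data: bytes) -> int:
    """VER | METHOD chosen by the server; 0xFF means nothing we offered is acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 method reply: {data!r}")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("proxy rejected every offered authentication method")
    return data[1]


def build_connect(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP=domain | LEN | name | PORT (network byte order)."""
    name = host.encode("idna")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("host name must be 1..255 bytes and port 1..65535")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name))
    return header + name + struct.pack("!H", port)


def parse_connect_reply(data: bytes) -> str:
    """Human-readable status from the 4-byte reply header (VER | REP | RSV | ATYP)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply: {data!r}")
    return REPLY_TEXT.get(data[1], f"unknown reply code {data[1]:#x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def _drain_bound_address(sock: socket.socket, atyp: int) -> None:
    """Read BND.ADDR and BND.PORT so the whole reply is consumed."""
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    _recv_exact(sock, 2)


def socks5_check(proxy=("localhost", 1080), target=("example.com", 80), timeout=5.0) -> str:
    """Run the full handshake through the tunnel and return the CONNECT reply status."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(build_greeting())
        parse_method_reply(_recv_exact(sock, 2))
        sock.sendall(build_connect(*target))
        header = _recv_exact(sock, 4)
        status = parse_connect_reply(header)
        _drain_bound_address(sock, header[3])
        return status


if __name__ == "__main__":
    # With puTTy connected, "succeeded" means the SOCKS leg works end to end.
    # With puTTy closed, the local connect itself fails, just as the post describes.
    try:
        print("SOCKS5 CONNECT via localhost:1080:", socks5_check())
    except OSError as exc:
        print("tunnel not reachable:", exc)
```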

Step by step Installing Hyper-V on Windows Server 2008 R2

To install Hyper-V on Windows Server 2008 R2 you can use one of the following approaches. Note that all methods require a reboot after completion.
Important note: This article does NOT deal with the tasks required to pre-configure the Hyper-V host itself. For that, please read my Prepare Your Windows Server 2008 R2 for Hyper-V Role article.

Method #1 - Through the GUI

Probably the easiest for this specific role. I would use this method.
1. Open Server Manager, wait for it to load.
2. Click on "Roles", wait for it to load.

3. On the "Before you begin" page, click "Next".

4. In the "Select Server Roles" page, click to select the Hyper-V role. Click "Next".

5. Click "Next".

6. Select all the Network Interface Cards (NICs) that you wish to assign for the Virtual Machines. Make sure you leave one NIC un-selected for host management. If you only have one NIC, select it, but make a note that it is best to have at least 2 NICS - one for the host and one for the VMs. These settings can be changed later.

7. In the "Confirm Installation Selections" page click "Install".

8. Once finished, you will need to reboot the server. Click on the "Close" button, and then click "Yes" when you are prompted to reboot the server.

9. When the server reboots, log back into the server and the Server Manager should automatically load and resume the installation process.

After about a minute, you should see a message telling you that Hyper-V has installed successfully. Click "Close" to complete the wizard.

Note: Make sure you do not forget to enable the CPU Virtualization Mode and the Execute Disable bit. Again, read my Prepare Your Windows Server 2008 R2 for Hyper-V Role article. If you fail to do so, you will receive an error when attempting to start a VM.

Method #2 - Using the Command Prompt

Using the servermanagercmd.exe command is easy, and only requires 3 words... A reboot is required at the end of the installation (which can also be added to the command, making it 4 words...). However, the Hyper-V network connections will need to be changed after the installation.
1. Open a Command Prompt window with elevated permissions.

2. Type:
servermanagercmd -i Hyper-V
If you want to automatically reboot the server when the installation is finished, type:
servermanagercmd -i Hyper-V -restart
Easy and simple. This is probably why Microsoft decided to deprecate the usage of servermanagercmd.exe... :-(

Method #3 - Using PowerShell

In Windows Server 2008 R2, PowerShell is installed by default. However, in order to install roles with it, you need to import the Server Manager module.
1. Open a PowerShell window and type:
Import-Module servermanager
2. Once imported, type:
Add-WindowsFeature Hyper-V


If you want to automatically reboot the server when the installation is finished, type:
Add-WindowsFeature Hyper-V -restart
Easy and simple, but here too, Hyper-V network connections will need to be changed after the installation.

step by step Installing Active Directory on Windows Server 2008

Microsoft Active Directory provides the structure to centralize the network management and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users. In order to configure a Windows Server 2008 machine to act as Domain Controller, several considerations and prerequisites should be taken into account, and several steps should be performed. In this article I will guide you through these prerequisites and steps of creating a new Windows Server 2008 Domain Controller for a new Active Directory domain in a new forest.

Considerations when Installing a new Windows Server 2008 forest
When you install AD to create the first domain controller in a new Windows Server 2008 forest, you must keep the following considerations in mind:
  • You must make forest and domain functional level decisions that determine whether your forest and domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • Domain controllers running the Microsoft Windows NT Server 4.0 operating system are NOT supported with Windows Server 2008.
  • Servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers.
  • The first Windows Server 2008 domain controller in a forest must be a global catalog server and it cannot be an RODC.

Considerations when Installing a new Windows Server 2008 domain in an existing Windows 2000/2003 forest

When you install AD to create the first domain controller in a new Windows Server 2008 domain, you must keep the following considerations in mind:
  • Before you create a new Windows Server 2008 domain in a Windows 2000/2003 forest, you must prepare the forest for Windows Server 2008 by extending the schema (that is, by running ADPREP /forestprep). To read more about ADPREP please refer to the links below or my "Windows Server 2008 ADPREP" article.
  • You must make domain functional level decisions that determine whether your domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • I recommend that you host the PDC emulator operations master role in the forest root domain on a domain controller that runs Windows Server 2008. For more information about FSMO Roles, please read my "Understanding FSMO Roles in Active Directory" and "Transferring FSMO Roles" articles.

General considerations

Make sure you read and follow the requirements described in my "Active Directory on Windows Server 2008 Requirements" article.

Installing Active Directory Domain Services (AD-DS)

In Windows Server 2008, unlike previous server operating systems, there is an additional step that needs to be taken before running DCPROMO to promote the server to Domain Controller and install Active Directory on it. This step is the installation of the Active Directory Domain Services (AD-DS) role on the server. In fact, the AD-DS role is what enables the server to act as a Domain Controller, but you will still need to run DCPROMO the regular way.
AD-DS can be installed using one of 3 methods:

Method 1 – Server Manager/Initial Configuration Tasks

Roles can and should be added from Server Manager (but they can also be initiated from the Initial Configuration Tasks wizard that auto-opens the first time you log on to the server).
  1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
  2. Wait till it finishes loading, then click on Roles > Add Roles link.

  3. In the Before you begin window, click Next.

  4. In the Select Server Roles window, click to select Active Directory Domain Services, and then click Next.

  5. In the Active Directory Domain Services window read the provided information if you want to, and then click Next.

  6. In the Confirm Installation Selections, read the provided information if you want to, and then click Next.

  7. Wait till the process completes.

  8. When it ends, click Close.

  9. Going back to Server Manager, click on the Active Directory Domain Services link, and note that there's no information linked to it, because the DCPROMO command has not been run yet.

  10. Now you can click on the DCPROMO link, or read on.
Method 2 – Servermanagercmd.exe

Servermanagercmd.exe is the command prompt equivalent of the Add Roles and Add Features wizards in Server Manager. Through the use of various command line options, you can quickly and easily add or remove roles and features to or from your server, including the AD-DS role.
To install AD-DS by using Servermanagercmd.exe, simply enter the following command in the Command Prompt window:
Servermanagercmd.exe -i ADDS-Domain-Controller
Let the command run; when it finishes, AD-DS will be installed on the server.

Method 3 – Letting DCPROMO do the job

Oh yes. If you forget to install AD-DS or simply want to skip clicking through some windows, you can run DCPROMO from the Run command; before it executes, the server will check whether the AD-DS binaries are installed. Since they are not, they will auto-install.

After you complete the Add Roles Wizard, either click the link to start the Active Directory Domain Services Installation Wizard, or close Server Manager and manually run DCPROMO from the Run command.

Running DCPROMO

After installing the AD-DS role, we need to run DCPROMO to perform the actual Active Directory database and function installation.
Note: This guide assumes this is the first Domain Controller in the forest, thus creating a new domain in a new forest. For a guide on how to add additional Domain Controllers to existing domains, please read my upcoming "Installing Additional Windows Server 2008 Domain Controllers in your Existing Active Directory Domain" article.
  1. To run DCPROMO, enter the command in the Run command, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.

  2. Depending on whether AD-DS was previously installed, the Active Directory Domain Services Installation Wizard will appear immediately or after a short while. Click Next.
    Note: The Advanced features of DCPROMO will be discussed in a future article.

  3. In the Operating System Compatibility window, read the provided information and click Next.

  4. In the Choosing Deployment Configuration window, click on "Create a new domain in a new forest" and click Next.

  5. Enter an appropriate name for the new domain. Make sure you pick the right domain name, as renaming domains is a task you will not wish to perform on a daily basis. Click Next.
    Note: Do NOT use single-label domain names such as "mydomain" or similar. You MUST pick a full domain name such as "mydomain.local" or "mydomain.com" and so on.
    The wizard will perform checks to see whether the domain name is already in use on the local network.

  6. Pick the right forest functional level. Windows 2000 mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the forest you're creating. Read my "Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels" article for more information on that.

  7. Pick the right domain functional level. Windows 2000 Native mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the domain you're creating.
    Note: If you select "Windows Server 2008" for the forest functional level, you will not be prompted to pick a domain functional level. Read more about domain and forest functional levels in my "Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels" article.

  8. The wizard will perform checks to see if DNS is properly configured on the local network. In this case, no DNS server has been configured, so the wizard will offer to automatically install DNS on this server.
    Note: The first DC must also be a Global Catalog. Also, the first DC in a forest cannot be a Read Only Domain Controller.

  9. It's most likely that you'll get a warning telling you that the server has one or more dynamic IP addresses. Running IPCONFIG /all will show that this is not the case, because as you can clearly see, I have given the server a static IP address. So, where did this come from? The answer is IPv6. I did not manually configure the IPv6 address, hence the warning. In a network where IPv6 is not used, you can safely ignore this warning.

  10. You'll probably get a warning about DNS delegation. Since no DNS has been configured yet, you can ignore the message and click Yes.

  11. Next, change the paths for the AD database, log files and SYSVOL folder. For large deployments, carefully plan your DC configuration to get the maximum performance. When satisfied, click Next.

  12. Enter the password for the Active Directory Recovery Mode. This password must be kept confidential, and unlike regular domain user passwords, which expire based upon the password policy configured for the domain (the default is 42 days), it does not expire. This password should be complex and at least 7 characters long. I strongly suggest that you do NOT use the regular administrator's password, and that you write it down and securely store it. Click Next.

  13. In the Summary window review your selections, and if required, save them to an unattend answer file. When satisfied, click Next.

  14. The wizard will begin creating the Active Directory domain, and when finished, you will need to press Finish and reboot your computer.
    Note: You can automate the rebooting process by checking the Reboot on Completion checkbox.

To automate domain controller installations, you can use an answer file or you can specify unattended installation parameters at the command line. More on that in my "Creating an Unattend Installation File for DCPROMO in Windows Server 2008" article.
Note: As written in my "Installing Active Directory on Windows 2008 Server Core" article, configuring a Windows Server 2008 Server Core machine REQUIRES you to perform an automated installation of Active Directory on that server, as there is NO DCPROMO GUI on Server Core.
Your server now acts as a Domain Controller. Make sure you properly back it up. You can test functionality by using AD management tools such as Active Directory Users and Computers, and by examining the Event Logs, services, and the folders and shares that have been created.

Links

AD DS Installation and Removal Step-by-Step Guide

IPv4/IPv6 subnetmask calculation

Well, you all know about calculating network masks and wildcard masks in the IPv4 world. But how do you do it in IPv6? Both are binary underneath, but IPv4 addresses are written in decimal while IPv6 addresses are hexadecimal, and now we have 340282366920938463463374607431768211456 IP addresses. So that's the number you will find on the internet. My calculator says just 3,402408308e+38. I multiplied FFFF*FFFF*FFFF*FFFF*FFFF*FFFF*FFFF*FFFF in hexadecimal format and converted it afterwards into decimal.
With IPv4 there is a maximum of 255*255*255*255 addresses, which is 4228250625. Well, you see the difference? I read that IPv6 has about 1000 addresses for each square centimeter of the earth.
An IPv4 address is 32 bits long. This means there are 32 positions, each of which holds a 1 or a 0.
So the binary form of 192.168.10.1 looks like:
11000000 => 192 => 2^7+2^6
10101000 => 168 => 2^7+2^5+2^3
00001010 => 10 => 2^3+2^1
00000001 => 1 => 2^0
And for 192.168.29.2:
11000000 => 192 => 2^7+2^6
10101000 => 168 => 2^7+2^5+2^3
00011101 => 29 => 2^4+2^3+2^2+2^0
00000010 => 2 => 2^1
To separate the network and host parts you AND the IP address with the subnet mask. If the mask is 255.255.192.0:
11111111 => 255
11111111 => 255
11000000 => 192
00000000 => 0
ANDing the IP address 192.168.29.2 with the mask, octet by octet:
11000000 = 192
11111111 = 255
—————
11000000 = 192
10101000 = 168
11111111 = 255
—————
10101000 = 168
00011101 = 29
11000000 = 192
—————
00000000 = 0
00000010 = 2
00000000 = 0
—————
00000000 = 0
So here 192.168.0.0 is the network address. With the mask 255.255.192.0 the last 14 bits are left for hosts on the network:
11111111.11111111.11000000.00000000
The network addresses range from 192.168.0.0 to 192.168.192.0, so you have 2 bits for the subnet and 14 for hosts:
11000000.10101000.00000000.00000000 = 192.168.0.0
11000000.10101000.01000000.00000000 = 192.168.64.0
11000000.10101000.10000000.00000000 = 192.168.128.0
11000000.10101000.11000000.00000000 = 192.168.192.0
Where the network address is, for example:
11000000.10101000.01000000.00000000 = 192.168.64.0
the broadcast address is:
11000000.10101000.01111111.11111111 = 192.168.127.255
and the first and last usable hosts in the network are:
11000000.10101000.01000000.00000001 = 192.168.64.1
11000000.10101000.01111111.11111110 = 192.168.127.254
Now on to IPv6 addressing and how to compute a netmask matching your needs. I did not find anything on the internet about it, so I wrote it down myself. Well, that's not entirely true: look at the links provided…
The network mask for /64, and for some longer prefixes, will be:
FFFF:FFFF:FFFF:FFFF:0000:0000:0000:0000 => /64
FFFF:FFFF:FFFF:FFFF:8000:0000:0000:0000 => /65
FFFF:FFFF:FFFF:FFFF:C000:0000:0000:0000 => /66
FFFF:FFFF:FFFF:FFFF:F000:0000:0000:0000 => /68
FFFF:FFFF:FFFF:FFFF:FF00:0000:0000:0000 => /72
FFFF:FFFF:FFFF:FFFF:FFFF:0000:0000:0000 => /80
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:0000:0000 => /96
The main thing to understand is that each group of four hex digits is 16 bits, made up of two 8-bit halves. That means FF00 is divided into FF, which is 11111111, and 00, which is 00000000. A /64 covers exactly half of the 128 address bits, and the next group boundaries fall at /80, /96 and so on, every 16 bits.
Each hex digit represents 4 bits, so adding one hex digit to the mask (4 bits to the prefix length) gives you 2^4 = 16 more subnets.
So the smallest subnet (longest mask) that still covers, for example, these IPv6 addresses:
0001:2001:00EF:0222:0003:0001:EEEA:00AA
0001:2001:00EF:0222:0003:0001:EEEA:001A
——————————————————–
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00 => /120
and for these two networks:
0001:2001:00EF:0012::/64
0001:2001:00EF:0022::/64
——————————————————–
FFFF:FFFF:FFFF:FFC0:0000:0000:0000:0000 => /58
Example 1:
To calculate an access-list mask for two IPv4 addresses that matches both addresses, you AND these addresses. For example, 192.168.10.1 and 10.11.2.3:
11000000 => 192
00001010 => 10
————
00000000 => 0
10101000 => 168
00001011 => 11
————
00001000 => 8
00001010 => 10
00000010 => 2
————
00000010 => 2
00000001 => 1
00000011 => 3
————
00000001 => 1
The result is an access-list address of 0.8.2.1, the bits that both IP addresses have in common.
The wildcard mask is a logical XOR: 0 XOR 1 = 1, 1 XOR 0 = 1, 0 XOR 0 = 0, 1 XOR 1 = 0. So the result bit is 1 only where the two values differ.
That's:
11000000 => 192
00001010 => 10
————
11001010 => 202
10101000 => 168
00001011 => 11
————
10100011 => 163
00001010 => 10
00000010 => 2
————
00001000 => 8
00000001 => 1
00000011 => 3
————
00000010 => 2
192.168.10.1 and 10.11.2.3
Networkmask: 0.8.2.1
Wildcardmask: 202.163.8.2
Example 2:
Another more common example:
192.168.43.132
192.168.45.4
access-list mask:
11000000 => 192
11000000 => 192
——————-
11000000 => 192
10101000 => 168
10101000 => 168
——————-
10101000 => 168
00101011 => 43
00101101 => 45
——————-
00101001 => 41
10000100 => 132
00000100 => 4
—————–
00000100 => 4
The resulting access-list address is:
192.168.41.4
The wildcard mask is:
11000000 => 192
11000000 => 192
——————-
00000000 => 0
10101000 => 168
10101000 => 168
——————-
00000000 => 0
00101011 => 43
00101101 => 45
——————-
00000110 => 6
10000100 => 132
00000100 => 4
—————–
10000000 => 128
Wildcardmask: 0.0.6.128
192.168.43.132
192.168.45.4
Mask: 192.168.41.4 , Wildcardmask: 0.0.6.128
Example 3
192.168.32.5
192.168.48.99
11000000 => 192
11000000 => 192
——————-
11000000 => 192
10101000 => 168
10101000 => 168
——————
10101000 => 168
00100000 => 32
00110000 => 48
—————–
00100000 => 32
00000101 => 5
01100011 => 99
—————-
00000001 => 1
Mask: 192.168.32.1
Wildcardmask:
11000000 => 192
11000000 => 192
——————-
00000000 => 0
10101000 => 168
10101000 => 168
——————
00000000 => 0
00100000 => 32
00110000 => 48
—————–
00010000 => 16
00000101 => 5
01100011 => 99
—————-
01100110 => 102
Wildcardmask: 0.0.16.102
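The bit arithmetic walked through above, both the subnet calculations and the access-list examples, as one Python module added to this post (not the original author's code). It generalizes the post's method: every address becomes an integer, so IPv4 and IPv6 share the same code, the common-prefix function accepts any number of addresses, and the mask parser rejects non-contiguous masks. The addresses used in the main block are the post's own examples.

```python
"""Mask arithmetic for IPv4 and IPv6 on the same integer representation.

Example code added to this post (not the original author's). Every address
is turned into an integer, which makes the 32-bit decimal-octet IPv4 case
and the 128-bit hex-hextet IPv6 case the same computation:
  - network / last address / first and last host for an address + prefix,
  - prefix length <-> mask, rejecting non-contiguous masks (4000:: is not one),
  - the longest prefix (smallest subnet) still covering a set of addresses,
  - the Cisco-style ACL pair for two addresses: AND gives the bits they
    share, XOR gives the wildcard ("don't care") bits.
"""
import ipaddress
from typing import Tuple


def prefix_to_mask(prefixlen: int, version: int) -> str:
    """/18 -> 255.255.192.0, /66 -> ffff:ffff:ffff:ffff:c000:: and so on."""
    base = "0.0.0.0" if version == 4 else "::"
    return str(ipaddress.ip_network(f"{base}/{prefixlen}").netmask)


def mask_to_prefix(mask: str) -> int:
    """Count the leading ones, and refuse masks whose ones are not contiguous."""
    m = ipaddress.ip_address(mask)
    width, value = m.max_prefixlen, int(m)
    ones = bin(value).count("1")
    if value != ((1 << ones) - 1) << (width - ones):
        raise ValueError(f"{mask} is not a contiguous mask")
    return ones


def subnet_bounds(addr: str, prefixlen: int) -> Tuple[str, str, str, str]:
    """(network, last/broadcast, first host, last host) for addr/prefixlen."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return (str(net.network_address), str(net.broadcast_address),
            str(net.network_address + 1), str(net.broadcast_address - 1))


def common_prefix(*addrs: str) -> Tuple[int, str, str]:
    """Longest prefix shared by all addresses -> (prefixlen, mask, network).

    XOR against the first address marks every bit where some address differs;
    everything above the highest such bit is common to all of them."""
    objs = [ipaddress.ip_address(a) for a in addrs]
    width = objs[0].max_prefixlen
    if any(o.max_prefixlen != width for o in objs):
        raise ValueError("addresses must be of one family")
    differing = 0
    for o in objs[1:]:
        differing |= int(objs[0]) ^ int(o)
    prefixlen = width - differing.bit_length()
    net = ipaddress.ip_network(f"{objs[0]}/{prefixlen}", strict=False)
    return prefixlen, str(net.netmask), str(net.network_address)


def acl_pair(a: str, b: str) -> Tuple[str, str]:
    """Cisco ACL 'address wildcard' pair matching both a and b (and any other
    address that agrees with them on every bit where they agree)."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if x.version != y.version:
        raise ValueError("addresses must be of one family")
    cls = type(x)
    return str(cls(int(x) & int(y))), str(cls(int(x) ^ int(y)))


if __name__ == "__main__":
    print(subnet_bounds("192.168.29.2", 18))                 # network 192.168.0.0
    print(subnet_bounds("192.168.64.0", 18))                 # 192.168.64.0 .. 192.168.127.255
    print(prefix_to_mask(120, 6), prefix_to_mask(58, 6))
    print(common_prefix("1:2001:ef:222:3:1:eeea:aa", "1:2001:ef:222:3:1:eeea:1a"))  # /120
    print(common_prefix("1:2001:ef:12::", "1:2001:ef:22::"))                         # /58
    print(acl_pair("192.168.43.132", "192.168.45.4"))        # ('192.168.41.4', '0.0.6.128')
    print(common_prefix("192.168.43.132", "192.168.45.4"))   # contiguous alternative: /21
```

The last line shows the difference between the two views of the same pair: the ACL wildcard 0.0.6.128 matches exactly the bits that differ, while a contiguous subnet covering both addresses has to widen to 192.168.40.0/21.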
Source:
http://www.internetworkexpert.com/resources/01700370.htm
http://wiki.linuxquestions.org/wiki/IPv6_deployment:addressing
http://blog.sazza.de/?p=209

OSI Seven-Layer Model

In the 1980s, the European-dominated International Standards Organization (ISO), began to develop its Open Systems Interconnection (OSI) networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model), and a set of concrete protocols. The standard documents that describe OSI are for sale and not currently available online.
Parts of OSI have influenced Internet protocol development, but none more than the abstract model itself, documented in OSI 7498 and its various addenda. In this model, a networking system is divided into layers. Within each layer, one or more entities implement its functionality. Each entity interacts directly only with the layer immediately beneath it, and provides facilities for use by the layer above it. Protocols enable an entity in one host to interact with a corresponding entity at the same layer in a remote host.


The seven layers of the OSI Basic Reference Model are (from bottom to top):

  1. The Physical Layer describes the physical properties of the various communications media, as well as the electrical properties and interpretation of the exchanged signals. Ex: this layer defines the size of Ethernet coaxial cable, the type of BNC connector used, and the termination method.
  2. The Data Link Layer describes the logical organization of data bits transmitted on a particular medium. Ex: this layer defines the framing, addressing and checksumming of Ethernet packets.
  3. The Network Layer describes how a series of exchanges over various data links can deliver data between any two nodes in a network. Ex: this layer defines the addressing and routing structure of the Internet.
  4. The Transport Layer describes the quality and nature of the data delivery. Ex: this layer defines if and how retransmissions will be used to ensure data delivery.
  5. The Session Layer describes the organization of data sequences larger than the packets handled by lower layers. Ex: this layer describes how request and reply packets are paired in a remote procedure call.
  6. The Presentation Layer describes the syntax of data being transferred. Ex: this layer describes how floating point numbers can be exchanged between hosts with different math formats.
  7. The Application Layer describes how real work actually gets done. Ex: this layer would implement file system operations.
The original Internet protocol specifications defined a four-level model, and protocols designed around it (like TCP) have difficulty fitting neatly into the seven-layer model. Most newer designs use the seven-layer model.
The OSI Basic Reference Model has enjoyed far greater acceptance than the OSI protocols themselves. There are several reasons for this. OSI's committee-based design process bred overgrown, unimaginative protocols that nobody ever accused of efficiency. Heavy European dominance helped protect their investments in X.25 (CONS is basically X.25 for datagram networks). Perhaps most importantly, X.25 data networks never caught people's imagination like the Internet, which, with a strong history of free, downloadable protocol specifications, has been loath to embrace yet another networking scheme where you have to pay to figure out how things work.
And why should we? OSI's biggest problem is that it doesn't really offer anything new. The strongest case for its implementation comes from its status as an "international standard", but we already have a de facto international standard: the Internet. OSI protocols will be around, but their most significant contribution is the philosophy of networking represented by the layered model.
If the Internet community has to worry about anything, it's the danger of the IETF turning into another ISO: a big, overgrown standards organization run by committees, churning out thousands of pages of rubbish, and dominated by big business players more interested in preserving investments than advancing the state of the art.