-Internet Exchange Point (IXP): the common physical infrastructure that ISPs use to exchange Internet
traffic, usually used for peering, but transit links can be established as well
-Tier 1 ISP: The largest SPs, they peer with each other and establish the core of the Internet. Their
customers are often lower tiered ISPs.
-Tier 2 ISP: Purchase transit links from Tier 1, peer with others for cost cutting. Provide access to:
business customers (main focus), Tier 3 ISPs, and those willing to pay a high price for high speed access
-Tier 3 ISP: Purchase transit links from Tier 1 and 2, peer with regional partners for cutting cost. Focus
on region specific, low price and low speed access (home users)
Internet Assigned Numbers Authority (IANA) > Regional Internet Registries (RIRs) > National/Local
Internet Registries or ISPs (NIR/LIR) > ISP > End user (end users can receive assignments from RIRs or
LIRs as well, especially large businesses/universities)
-Top Level Domains: highest level in the hierarchical Domain Name System of the Internet
-ccTLDs - Country Code Top Level Domains (.us, .ca)
-gTLDs - Generic Top Level Domains (.com, .org, .net)
Network Design
-Issues of a poorly designed network: Failure domains (need to be limited), broadcast domains (also
should be limited in size), large amounts of unknown MAC unicast traffic (lots of flooding), multicast
traffic on unintended ports, difficulty in management and support, possible security vulnerabilities
-a VLAN is a broadcast domain (logical network or subnet)
-should use hierarchical addressing (contiguous addressing): ease of management/troubleshooting,
fewer errors, reduced routing table entries
VLAN Creation
-many Cisco access-level switches can support up to 250 VLANs
-most have default VLAN 1 already created; all ports are on it, and CDP and VLAN Trunking Protocol (VTP)
advertisements are sent on VLAN 1 by default
(config)#vlan 2
(config-vlan)#name switchlab
show vlan (shows info on ALL VLANs)
show vlan id <vlan number> (shows info about a particular VLAN)
Assigning Ports to a VLAN
(config)#interface range fastethernet 0/2 - 4
(config-if-range)#switchport access vlan 2
Trunking
IP Precedence values (3 bits):
Routine 000
Priority 001
Important 010
Flash 011
Flash Override 100
Critical 101
Internetwork Control 110
Network Control 111
(config-if)#switchport trunk native vlan 99
(config-if)#switchport nonegotiate (this is considered the best practice, must be enabled AFTER switchport
mode is set)
#show interface fa0/11 switchport (verify trunk configuration, also below command)
#show interface fa0/11 trunk
Q in Q Tunneling
-defined as IEEE 802.1ad (also known as 802.1QinQ), allows dual-tagging and transportation of customer
VLANs over the core network
-C-Tag for customer VLAN will be placed behind an S-Tag for the service provider VLAN
Configuring Q in Q
(config)#vlan dot1q tag native (forces tags even on native VLAN)
(config)#int fa0/2
(config-if)#switchport mode dot1q-tunnel
-elect one designated port per segment
Spanning Tree Path Cost (as per current IEEE cost specifications)
10 Gbps - 2
1 Gbps - 4
100 Mbps - 19
10 Mbps - 100
STP decision sequence:
1) Lowest Bridge ID
2) Lowest aggregate root path cost
-spanning tree recalculation occurs when the root bridge fails and does not send a BPDU to another
switch within the max_age time (default 20 seconds, 10 missed BPDUs)
-convergence in a spanning tree is when all the switch ports have transitioned to either forwarding or
blocking states
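As an added example (not part of these notes), the election and cost rules above worked through in Python: the lowest Bridge ID (priority plus extended system ID, then MAC) becomes root regardless of topology, and every other switch picks the root port with the lowest sum of IEEE link costs back to it. The switch names, MACs and links are constructed.

```python
"""STP root election and root path cost with IEEE link costs (added example; constructed topology)."""
import heapq

# IEEE path costs as listed in the notes: link speed in Mbps -> cost
PATH_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority, vlan, mac):
    """Bridge ID with extended system ID: 4-bit priority (multiple of 4096) + 12-bit VLAN, then MAC.
    Tuples compare field by field, so the priority part decides before the MAC does."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return (priority + vlan, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)}; the lowest Bridge ID wins, regardless of topology."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_path_costs(links, root):
    """links: [(switch_a, switch_b, speed_mbps)]. A switch's root path cost is the cost advertised by
    the upstream designated port plus the cost of the link it was received on (Dijkstra from the root)."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PATH_COST[speed]))
        adj.setdefault(b, []).append((a, PATH_COST[speed]))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue  # stale heap entry
        for nxt, link_cost in adj.get(node, []):
            if cost + link_cost < best.get(nxt, float("inf")):
                best[nxt] = cost + link_cost
                heapq.heappush(heap, (best[nxt], nxt))
    return best


def root_port(links, costs, switch, switches, vlan):
    """Neighbour behind the root port: lowest (neighbour's root path cost + link cost), tie broken by
    the neighbour's bridge ID, following the decision sequence in the notes. The root has none."""
    if costs[switch] == 0:
        return None
    best = None
    for a, b, speed in links:
        if switch not in (a, b):
            continue
        nbr = b if a == switch else a
        key = (costs[nbr] + PATH_COST[speed], bridge_id(switches[nbr][0], vlan, switches[nbr][1]), nbr)
        if best is None or key < best:
            best = key
    return best[2]


# Constructed topology: SW3 was given a lower priority (as 'spanning-tree vlan 10 root primary' would)
SWITCHES = {"SW1": (32768, "0000.0c11.1111"), "SW2": (32768, "0000.0c00.2222"), "SW3": (24576, "0000.0c33.3333")}
LINKS = [("SW3", "SW1", 1_000), ("SW3", "SW2", 100), ("SW1", "SW2", 1_000)]

if __name__ == "__main__":
    root = elect_root(SWITCHES, 10)
    costs = root_path_costs(LINKS, root)
    print(root, costs, {s: root_port(LINKS, costs, s, SWITCHES, 10) for s in SWITCHES})
```

Note that SW2 reaches the root over two 1 Gbps hops (cost 8) rather than its direct 100 Mbps link (cost 19), so the direct link ends up blocking.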
Operational State | STP Port State | RSTP Port State | Port Included in Active Topology
Enabled           | Blocking       | Discarding      | No
Enabled           | Listening      | Discarding      | No
Enabled           | Learning       | Learning        | Yes
Enabled           | Forwarding     | Forwarding      | Yes
Disabled          | Disabled       | Discarding      | No
-rapid-pvst is the default mode on ME3400 switches, but only on NNIs (not UNIs)
Configuring Spanning Tree
(config)#spanning-tree mode rapid-pvst (sets STP mode to PVRST+)
(config)#spanning-tree vlan 10 root primary (manually set the root bridge for a spanning tree)
#show spanning-tree (verify root bridge, priority values, and status of ports in each spanning tree)
(protocol ieee = PVST+, rstp = PVRST+)
MSTP
-main purpose is to reduce the total number of spanning-tree instances (reduce CPU load of switches)
-must be enabled on each individual participating switch (not scalable), with EXACTLY THE SAME
MST config on each switch: Name, revision number, VLAN association table (if these differ, the
two switches will be part of different MST regions)
Configuring MSTP
(config)#spanning-tree mst configuration
(config-mst)#name <name>
(config-mst)#revision <revision #> (any unassigned 16 bit integer)
(config-mst)#instance <instance #> vlan <vlan range> (maps VLANs to an MSTP instance)
(config-mst)#show pending (display the MSTP config to be applied)
(config-mst)#end (apply the config and exit the MSTP subconfiguration mode)
(config-mst)#show current (show the current MSTP config)
(config)#spanning-tree mst <instance #> root primary|secondary
(config)#spanning-tree extend system-id (enables the extended System ID feature)
Example:
(config)#spanning-tree mode mst
(config)#spanning-tree mst configuration
(config-mst)#name XYZ
(config-mst)#revision 1
(config-mst)#instance 1 vlan 11,21,31
(config-mst)#instance 2 vlan 12,22,32
(config-mst)#end
(config)#spanning-tree mst 2 root primary
#show spanning-tree mst configuration
PortFast
-If enabled globally: if port receives a BPDU it loses PortFast status and reverts to normal STP operation
-if enabled on an interface: stays in PortFast unconditionally, regardless of BPDUs received
Per interface:
(config)#interface fa0/1
(config-if)#spanning-tree portfast
Globally:
(config)#spanning-tree portfast default
BPDU Guard
-shuts down a port if a BPDU is received
-useful for end nodes with PortFast
-prevents connection of an STP-enabled switch,
-prevents loops with switches unaware of STP
-recommendation is to enable BPDU guard globally
Per interface:
(config)#interface fa0/1
(config-if)#spanning-tree bpduguard enable
Globally:
(config)#spanning-tree portfast bpduguard default
BPDU Filter
-disables STP on a port
-no BPDUs are sent, none are processed (except globally, where a couple of BPDUs are sent when ports
become active; in global mode, if a port receives a BPDU it will revert OUT of PortFast mode)
Per Interface:
(config)#int fa0/11
(config-if)#spanning-tree bpdufilter enable
Globally:
(config)#spanning-tree portfast bpdufilter default
Resilient Ethernet Protocol (REP)
-new technology for fast convergence of simple ring networks (<250ms convergence)
-NOT a replacement for STP
-VLAN load balancing
-Manual configuration for predictable failover behaviour
-Segment protocol, ports are explicitly configured to be part of a segment
-when all links in the segment are operational, a blocked port is determined so that there is no
connectivity between edge switches
-redundancy: each segment has two exits, each edge switch
Configuring REP
(config)#interface fa0/11
(config-if)#port-type nni
(config-if)#switchport mode trunk
(config-if)#rep segment 1 (this must be done for every port in the segment)
Inter-VLAN Routing
-there must be a separate logical connection on the router for each VLAN and VLAN trunking (802.1Q)
must be enabled on those connections, this is done by creating subinterfaces on one physical interface
Router (IOS XR)
(config)#int gi0/0/0/0.3 (will create this interface if it doesn't already exist)
(config-subif)#dot1q vlan 3 (enables 802.1Q encapsulated trunking on this subinterface to the specified VLAN)
(config-subif)#ipv4 address 192.168.3.1 255.255.255.0
(config)#int gi0/0/0/0.4
(config-subif)#dot1q vlan 4
(config-subif)#ipv4 address 192.168.4.1 255.255.255.0
#show ip route (to verify work)
Layer 3 Switch (VLAN interfaces)
(config)#int vlan 3
(config-if)#ip address 192.168.3.1 255.255.255.0
(config-if)#no shut
(config)#int vlan 4
(config-if)#ip address 192.168.4.1 255.255.255.0
(config-if)#no shut
#show ip route
#show interfaces status (shows status of physical interfaces and the VLAN they are configured for)
#show ip interface brief (show physical and logical interfaces, status, and IP addresses)
First Hop Redundancy
-generally only one gateway is configured, if this fails it results in a loss of network availability
-two gateways cannot be configured on end nodes, so it must be done on routers
-the solution is to use multiple physical gateways configured as one virtual gateway and the end nodes
use the virtual gateway
-one actual physical gateway is forwarding traffic, the others are on standby
-the standbys use the same IP and MAC address so end nodes do not detect the change
HSRP
(... that jointly emulate a VR)
-by default hello messages are sent every 3 seconds, 10 second hold time
-if decrement amounts are not set, they will decrement by 10
Configuring HSRP (IOS XR)
(config)#router hsrp
(config-hsrp)#interface gi0/0/0/0
VRRP
(... this)
-active router handles traffic for VR
-VRRP MAC format: 00005E.000001 (second half is VR ID)
-has one master router and one or more backup routers, uses VRRP messages to advertise that it is the
master
-supports priority, pre-emption (enabled by default), and object tracking
-same redundancy groups as HSRP: many virtual IPs on same interface, load balancing
Configuring VRRP (IOS XR)
(config)#int gi0/0/0/0
(config-if)#ipv4 address 192.0.2.2 255.255.255.0
(config)#router vrrp
(config-vrrp)#interface gi0/0/0/0
(config-vrrp-if)#address-family ipv4
(config-vrrp-address-family)#vrrp 1
(config-vrrp-virtual-router)#address 192.0.2.1
(config-vrrp-virtual-router)#priority 95
(config-vrrp-virtual-router)#track interface gi0/0/0/0 10 (decrements priority by 10)
#show vrrp
IOS
(config)#interface fa0/0
(config-if)#ip address 192.0.2.1 255.255.255.0
(config-if)#vrrp 1 ip 192.0.2.1 (priority set to 255 automatically because the virtual IP matches the interface IP)
#show vrrp brief
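The VRRP rules from the notes (virtual MAC built from the VRID, the address owner fixed at priority 255, a default tracking decrement of 10, highest priority becomes master, pre-emption on by default) as an added Python model; this is not the notes' configuration, and the router names and addresses are constructed.

```python
"""VRRP virtual MAC and master election (added example; constructed routers)."""
from dataclasses import dataclass, field
import ipaddress


def vrrp_virtual_mac(vrid):
    """00-00-5E-00-01-{VRID}: the notes' 00005E.000001 with the VRID as the last byte."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"0000.5e00.01{vrid:02x}"


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str
    configured_priority: int = 100                 # VRRP default priority
    tracked: list = field(default_factory=list)    # [(object_is_up: bool, decrement: int or None)]

    def effective_priority(self, virtual_ip, default_decrement=10):
        """The owner of the virtual IP is fixed at 255 and never decremented; any other router starts
        from its configured priority and loses one decrement (default 10) per tracked object that is down."""
        if ipaddress.ip_address(self.interface_ip) == ipaddress.ip_address(virtual_ip):
            return 255
        prio = self.configured_priority
        for is_up, decrement in self.tracked:
            if not is_up:
                prio -= default_decrement if decrement is None else decrement
        return max(prio, 1)


def elect_master(routers, virtual_ip):
    """Highest effective priority wins; a tie goes to the router with the higher primary IP address."""
    best = max(routers, key=lambda r: (r.effective_priority(virtual_ip), ipaddress.ip_address(r.interface_ip)))
    return best.name


def preempts(backup, master, virtual_ip, preempt_enabled=True):
    """With pre-emption (on by default) a backup takes over as soon as its priority exceeds the master's."""
    return preempt_enabled and backup.effective_priority(virtual_ip) > master.effective_priority(virtual_ip)


# Constructed group 1 on 192.0.2.0/24: R1 owns the virtual IP, R2 tracks an uplink that is down
VIRTUAL_IP = "192.0.2.1"
R1 = VrrpRouter("R1", "192.0.2.1")
R2 = VrrpRouter("R2", "192.0.2.2", configured_priority=95, tracked=[(False, None)])

if __name__ == "__main__":
    print(vrrp_virtual_mac(1), elect_master([R1, R2], VIRTUAL_IP),
          R1.effective_priority(VIRTUAL_IP), R2.effective_priority(VIRTUAL_IP))
```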
Configuring GLBP IOS (NOT supported on IOS XR)
(config)#int fa0/0
(config-if)#ipv6 address 2001:db8:1:1::/64 eui-64
(config-if)#glbp 1 ipv6 autoconfig (link-local address format is used for gateway address)
(config-if)#glbp 1 preempt
Note: This config would need to be applied on all participating routers
#show glbp brief
Internal Service Provider Traffic Forwarding
-high availability
-fast convergence (Link State Routing Protocols)
-optimized bandwidth consumption and support for different real-time services (multicast, QoS)
-integrated security
Administrative Distance
0 - Directly Connected Interface
1 - Static Route out an interface
5 - EIGRP summary route
20 - External BGP
90 - Internal EIGRP
100 - IGRP (obsolete protocol)
110 - OSPF
115 - IS-IS
120 - RIP
170 - External EIGRP
200 - Internal BGP
255 - Unknown
Link State Routing Protocols
-more info is communicated between routers
-LSPs use a hierarchical design (allows summarization)
-routers create neighbour relationships by exchanging hello packets
-LSP propagates LSAs (link state advertisements) rather than routing table updates
-each router floods LSAs to all routers in the area
-each router pieces together LSAs received to create the link-state database (topology)
-each router uses the SPF algorithm to find the shortest path to each destination and places it in the routing table
2) Exchange hello packets that are subject to protocol specific parameters (same AS and area, etc.).
Routers then declare the neighbour is up when the exchange is complete
3) After the adjacency is formed, the neighbour is put into the neighbour DB, neighbours then sync LSDBs by
exchanging LSAs and confirming receipt of sent LSAs
OSPF vs IS-IS
OSPF                          | IS-IS
-IETF standard (1988)         | -ISO Standard (1987)
-IPv4: OSPFv2, IPv6: OSPFv3   | -supports IPv4 and IPv6
-IP ONLY as transport         | -Layer 2 Multicast as transport
OSPF: Hellos > Neighbor Table > LSAs > Topology Table > SPF > Routing Table
IS-IS: Hellos > Adj. DB > LSPs > LSDB > SPF > Forwarding DB
Implementing OSPF
-two layer hierarchy: area (group of contiguous networks), which are logical subdivisions of an
autonomous system (AS)
-Within each AS, a contiguous backbone area must be defined, all non-backbone areas are connected
through the backbone. The backbone always uses area 0
-Non-backbone areas: stub areas, totally stubby areas, not-so-stubby areas (NSSA)
-Routers in the backbone area are Backbone Routers, routers on the edge of an area are Area Border
Routers (ABRs), others are non-backbone, internal routers. A Backbone Router connecting to another
AS is an Autonomous System Boundary Router (ASBR)
Configuring the OSPF Process (IOS XR)
(config)#router ospf|ospfv3 1 (enables the OSPF process)
(config-ospf)#router-id 10.2.1.1
Configuring OSPF Interfaces in a Single Area (IOS XR)
(config)#router ospf 1
(config-ospf)#area 0
(config-ospf-ar)#interface Loopback0
(config-ospf-ar)#interface gi0/0/0/0 (begins OSPF participation on these two interfaces)
IOS IPv4
(config)#router ospf 1
(config-router)#router-id 10.2.1.1
(config-router)#network 192.168.102.0 0.0.0.255 area 0
(config-router)#network 10.2.1.1 0.0.0.0 area 0
IOS IPv6
(config)#ipv6 unicast-routing
(config)#ipv6 router ospf 1
(config-rtr)#router-id 10.2.10.1
(config-if)#ipv6 ospf 1 area 0
Configuring OSPF Load Balancing
IOS IPv4
(config)#router ospf 1
(config-router)#maximum-paths 2
(config-router)#network 192.168.101.0 0.0.0.255 area 0
(config-router)#network 192.168.112.0 0.0.0.255 area 0
(config)#int gi0/0/0
(config-if)#ip ospf cost 10
(config)#int gi0/0/1
(config-if)#ip ospf cost 10
IOS IPv6
(config)#ipv6 router ospf 1
(config-rtr)#maximum-paths 2
(config)#int gi0/0/0
(config-if)#ipv6 ospf 1 area 0
(config-if)#ipv6 ospf cost 100
(config)#int gi0/0/1
(config-if)#ipv6 ospf 1 area 0
(config-if)#ipv6 ospf cost 100
OSPF Authentication
-used to prevent undesired adjacencies and thus rogue routes being inserted
-OSPFv2: plaintext (avoid!) or MD5 authentication, authentication data is inserted into the OSPF header of
every OSPF packet and checked by the other router
-OSPFv3 has no authentication mechanism of its own, relies on IPSec
-In IOS XR the authentication type and key can be set at different levels (high to low): routing process,
area, interface. If authentication is not configured on a lower level, it is inherited from a higher level
-In IOS/IOS XE, authentication type can be configured per area or per interface. If not configured per
interface, it is inherited from the area config
-Authentication key is ONLY configured per interface
-OSPFv3 uses IPSec Authentication Header for authentication and integrity check, uses Encapsulating
Security Payload (ESP) for encrypting the payload (the routing updates themselves and AH)
OSPF Troubleshooting
-verify OSPF adjacencies via show ospf neighbors
-If no neighbors: verify int status, MTU, authentication, use debug ospf adj
Implementing IS-IS
IS-IS Basics
-link-state routing protocol, uses the Dijkstra algorithm the same as OSPF
-part of the OSI standard, originally used with Connectionless Network Service (CLNS), router = an
Intermediate System
-An IS-IS AS can be divided into several areas, when using multiarea design there are two levels of
routing:
-Level 1: occurs within an IS-IS area, recognizes the location of routers and builds a routing table to
reach all of them. All devices in a Level 1 area share the same area address. Routing within an area is
done by looking at the locally significant address portion (known as System ID) and choosing the lowest
cost path.
-Level 2: routers learn the location of other routing areas and build an inter-area routing table. All
routers in a level 2 routing area use the destination area address to route traffic using the lowest cost path.
CLNS Addresses
-integrated IS-IS always requires them
-NSEL is equivalent to the combination of an IP address and the upper-layer protocol in an IP header
-Most common format:
-Authority and Format Identifier (AFI) set to 49 (private address: 2 bytes)
-Area ID (4 bytes)
-NSAP ID / System ID (6 bytes)
-System Selector, or NSEL (2 bytes), should be 00
-CLNS address with the NSEL set to 00 is called the Network Entity Title (NET) address
-The loopback IP address (or pseudo router ID) can be encoded into the system ID
Example:
49.0001.1921.6800.1001.00
IS-IS Metrics
-by default uses a narrow-style metric, limited to a 6 bit interface and a 10-bit path metric
-wide-style metrics allow a 24-bit interface and a 32-bit path metric
-metric is not bound to interface bandwidth, the metric of all interfaces is set to 10 by default
-path metric is a cumulated metric of all links on the path to destinations
IS-IS Advantages
-Transport Multiple Protocols
-Distributed Backbone
Disadvantages
-must build SPF DB, but the default metric is fixed to 10, so it needs to be modified
Configuring IS-IS IOS XR
(config)#router isis 1 (enables the router ISIS process)
(config-isis)#net 49.0000.0100.0200.1001.00 (configures the NET address)
(config-isis)#is-type level-2-only (changes type to Level 2)
(config-isis)#address-family ipv4|ipv6 unicast
(config-isis-af)#metric-style wide
IOS
(config)#router isis 1
(config-router)#net 49.0000.0100.0201.0001.00
(config-router)#is-type level-2-only
(config-router)#metric-style wide
#show protocols isis (verify ISIS configuration)
#show isis neighbors
#show isis interfaces
IOS
(config)#int gi0/0/0
(config-if)#ip|ipv6 router isis 1
Configuring ISIS Load Balancing IOS XR
-like OSPF, can select several equal cost paths to destinations, this maximum number is platform
dependent
(config)#router isis 1
(config-isis)#address-family ipv4 unicast
(config-isis-af)#maximum-paths 2 (select the amount of paths you wish to use)
(config-isis)#interface gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast
(config-isis-if-af)#metric 100
(config-isis)#interface gi0/0/0/1
(config-isis-if)#address-family ipv4 unicast
(config-isis-if-af)#metric 100 (for load balancing to occur, the weight must match)
IOS IPv4
(config)#router isis 1
(config-router)#maximum-paths 2
(config)#int gi0/0
(config-if)#isis metric 100 (further interfaces would need to be configured with the IS-IS process and the same
metric)
IOS IPv6
(config)#router isis 1
(config-router)#address-family ipv6 unicast
(config-router-af)#maximum-paths 2
(config)#int gi0/0
(config-if)#isis ipv6 metric 100
IS-IS Troubleshooting
-verify IS-IS adjacencies with show isis neighbors, if no neighbors: verify if interfaces are up, MTU
matches
-use debug isis packet-errors
Route Redistribution
-some networks use more than one routing protocol at the same time
-different routing protocols cannot exchange information about networks directly, this redistribution has to
be explicitly configured, one router is configured for both routing protocols (redistribution point)
-when redistributing routes, they are marked with a special tag that they are external routes (EIGRP uses
-since each protocol uses its own metric, an initial seed metric has to be configured for external networks
from the redistribution point
-when a seed metric is established, the metric increases as specified by the routing protocol
Route Redistribution into OSPF (IOS XR)
(config)#router ospf 1
(config-ospf)#redistribute isis 1 metric 30 (this will redistribute IS-IS routes into OSPF)
(config-ospf)#area 0
(config-ospf-ar)#interface gi0/0/0/1 (enables OSPF on an interface so routes can be redistributed)
IOS/IOS XE
(config)#router ospf 1
(config-router)#redistribute isis 1 metric 30 metric-type 1 subnets (the subnets keyword ensures that classless subnets
are redistributed)
Route Redistribution into IS-IS
-the following protocols can be redistributed into IS-IS: BGP, connected routes, EIGRP, IS-IS (another
process), OSPF(v3), RIP, static routes
-default seed metric is 0
-redistribution for IPv4 and IPv6 is configured under the appropriate address family
IOS XR
(config)#router isis 1
(config-isis)#net 49.0000.0100.0300.1001.00
(config-isis)#address-family ipv4 unicast
(config-isis-af)#redistribute ospf 1 metric 20 (enables redistribution from OSPF into IS-IS)
(config-isis)#interface gi0/0/0/0
(config-isis-if)#address-family ipv4 unicast (enables ISIS on this interface)
IOS/IOS XE
(config)#router isis 1
(config-router)#redistribute ospf 1 metric 30 (the address-family ipv6 unicast command would need to precede this for
IPv6)
MPLS Labels
-uses a 32 bit label header inserted between Layer 2 and 3, can be used regardless of the Layer 2
protocol
-the last LSR in the path also removes the label and forwards the IP packet
-Edge LSR:
-labels IP packets (or imposes labels) and forwards them into the MPLS domain
-forwards IP packets out of the MPLS domain
The diagram above shows a simple example of forwarding IP packets using MPLS, where the forwarding
is based only on packet destination IP address. LSR (Label Switched Router) A uses the destination IP
address on each packet to select the LSP, which determines the next hop and initial label for each packet
(21 and 17). When LSR B receives the packets, it uses these labels to identify the LSPs, from which it
determines the next hops (LSRs D and C) and labels (47 and 11). The egress routers (LSRs D and C)
strip off the final label and route the packet out of the network.
-the data plane on a router is responsible for forwarding packets based on decisions by routing protocols,
the MPLS data plane consists of two forwarding structures:
-Forwarding Information Base (FIB): used with CEF, the FIB is populated from a routing protocol and
includes destination networks, next hops, outgoing interfaces, and pointers to Layer 2 devices, and on
MPLS will also have an outgoing label that it applies when needed
-Label Forwarding Information Base (LFIB): used when a labeled packet is received, in general
contains an incoming and outgoing label, outgoing interface, and next-hop router
Label Distribution Protocol (LDP)
(... between MPLS routers)
-LDP is like a dynamic routing protocol for MPLS
-Adjacent routers establish an LDP session:
-MPLS routers discover neighbours using hello packets sent to 224.0.0.2 (IPv6: FF02::2) using UDP
port 646
-an MPLS enabled neighbour will respond to hello packets by establishing a TCP session on port 656 to
a peer router ID
MPLS Troubleshooting
-if labels are not redistributed, verify LDP neighbour discovery using #show mpls ldp discovery, verify that
MPLS is enabled on the adjacent router on the respective interface (use show mpls ldp interface)
-if a neighbour is discovered, verify whether the TCP sessions are established using show mpls ldp neighbour.
If there is no session, reachability between router Loopback interfaces might be an issue (LDP
requires router IDs)
Implementing BGP
-Autonomous System (AS): collection of networks under a single technical administration, identified by an
AS number
-Design goals for interdomain routing: scalability, secure routing information exchange, support for routing
policies
-BGP is a distance vector protocol
-exchanges routing information between peers
-neighbors in the same AS (internal BGP) or a different AS (external BGP)
-reliable updates (TCP), only when triggered, and only info that has changed is transmitted
-designed to scale to huge internetworks for SPs to route traffic in the Internet
-BGP is a layer 7 application (using TCP)
Statically Defined Neighbours > Neighbours Table > Updates > BGP Table > BGP Scanner (based on
attributes) > Routing Table
-Transit AS: provides transit service of customer data to other autonomous systems
-Non-transit AS: a customer AS that is not allowed to transit traffic from other autonomous systems
-Stub AS: Only one link to a transit AS
-Single-homed Customers: For residential/small business, BGP is used when customers need a dynamic
routing protocol, static routes are used when dynamic routing is not required
-Multi-homed customers: For customers that need provider-independent address space and their own AS
number, BGP is used, customers/ISPs should use filters for routing updates (avoid becoming a transit AS)
-Reliable updates: TCP used for transport, no periodic updates (just changes), periodic keepalives to
verify connectivity, batches updates and sends them at configured intervals (avoids uncontrolled floods)
MP-BGP
-BGP was originally only IPv4, Multiprotocol (MP) BGP establishes TCP peer sessions on both IPv4 and
v6 and can exchange MP traffic between peers: IPv4, IPv6, multicast, MPLS VPN (using address-family to
configure protocol-specific parameters)
-Address Families: IPv4 (Unicast), IPv6 (unicast, multicast address prefix), CLNS, VPNv4 (distributes
VPNv4 prefixes for each layer 3 VPN), L2VPN
-Multi-exit discriminator (MED)
Path Attributes
Weight
-local to the router
-Cisco defined (and Cisco proprietary)
-highest weight wins when multiple routes exist
-applied to routes from neighbour: either to all routes or routes defined in a filter
Attribute  | Purpose                                | Type
Community  | Additional prefix information          | Optional, transitive
MED        | Inter-AS path selection                | Optional, nontransitive
Originator | Path selection (who originated prefix) | Optional, nontransitive
BGP Sessions
-BGP uses TCP for establishing a BGP session, port 179 is used and can be IPv4 or IPv6, these sessions
are established between two BGP peers (IBGP: in the same AS, EBGP: different AS)
-EBGP peers are usually reachable through a directly connected link
-IBGP peers are typically established through loopback interfaces
IBGP
-AS path is NOT changed in BGP updates
-updates from IBGP peers are sent only to EBGP neighbours: prevents routing loops, BGP Split Horizon,
IBGP full mesh is mandatory
BGP Security
-neighbour authentication via MD5 authentication using key chains (password is hashed and then the
hash is sent, not the password)
-both routers must have the same password, used mostly for EBGP peers
-authenticating BGP peers prevents DoS attacks
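The MD5 neighbour authentication above is the TCP MD5 Signature Option (RFC 2385): every segment of the BGP session carries an MD5 digest over the IP pseudo-header, the TCP header, the payload and the shared key, so a segment from a spoofed source, with altered content or without the right key is dropped by TCP before BGP ever parses it. Added Python example, not from the notes; the peer addresses, sequence numbers and KEEPALIVE payload are constructed.

```python
"""TCP MD5 Signature Option (RFC 2385) as used for BGP neighbour authentication.
Added example; addresses and payload are constructed."""
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
TCPOPT_NOP = 1
TCPOPT_MD5 = 19        # option kind
TCPOPT_MD5_LEN = 18    # kind(1) + length(1) + 16-byte digest
TCP_HDR_LEN = 20


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key, options_len):
    """MD5 over: IPv4 pseudo-header (src, dst, zero, protocol 6, segment length), the 20-byte TCP
    header with its checksum zeroed (options are NOT hashed), the segment data, then the key."""
    seg_len = TCP_HDR_LEN + options_len + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Signed TCP segment: header, two NOPs + MD5 option (padded to 32 bits), payload.
    The checksum stays 0 here; a real stack fills it in after signing (it is zeroed in the hash anyway)."""
    options_len = 2 + TCPOPT_MD5_LEN
    data_offset = (TCP_HDR_LEN + options_len) // 4            # header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key, options_len)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest
    return tcp_hdr + options + payload


def extract_md5_option(options):
    """Walk the TCP options list and return the 16-byte digest, or None if the option is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest for the configured peer key and compare in constant time.
    A segment with no signature, a wrong key, a spoofed source or modified data is rejected."""
    if len(segment) < TCP_HDR_LEN:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_HDR_LEN or data_offset > len(segment):
        return False
    tcp_hdr, options, payload = segment[:TCP_HDR_LEN], segment[TCP_HDR_LEN:data_offset], segment[data_offset:]
    received = extract_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key, len(options))
    return hmac.compare_digest(received, expected)


# Constructed BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

if __name__ == "__main__":
    seg = build_segment("192.168.107.70", "192.168.107.71", BGP_PORT, 50000, 1000, 2000, BGP_KEEPALIVE, b"bgp-secret")
    print(verify_segment("192.168.107.70", "192.168.107.71", seg, b"bgp-secret"),
          verify_segment("192.168.107.70", "192.168.107.71", seg, b"wrong-key"))
```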
BGP Updates
Advertising Local Networks (BGP)
-routers originate BGP routes in 2 different ways:
-via network config command (only if network is in routing table, prefix and mask must match)
-redistribution from another routing protocol (redistribute connected routes, routes from IGP, origin set
to incomplete)
-BGP periodically checks if originated routes are also in the routing table
Configuring BGP Peers (IOS XR)
A(config)#router bgp 64500
A(config-bgp)#address-family ipv4 unicast
A(config-bgp)#address-family ipv6 unicast
A(config-bgp)#neighbor 10.0.1.1 (this is Router B's loopback)
A(config-bgp-nbr)#remote-as 64500 (this is an IBGP peer)
A(config-bgp-nbr)#update-source Loopback0
A(config-bgp-nbr)#address-family ipv4 unicast
A(config-bgp)#neighbor 2001:db8:10:0:1::1
A(config-bgp-nbr)#remote-as 64500
A(config-bgp-nbr)#update-source Loopback0
A(config-bgp-nbr)#address-family ipv6 unicast
B(config)#router bgp 64500
B(config-bgp)#address-family ipv4 unicast
B(config-bgp)#address-family ipv6 unicast
B(config-bgp)#neighbor 10.7.1.1 (Router A's loopback)
B(config-bgp-nbr)#remote-as 64500 (IBGP peer)
B(config-bgp-nbr)#update-source Loopback0
B(config-bgp-nbr)#address-family ipv4 unicast
B(config-bgp)#neighbor 2001:db8:10:7:1::1
B(config-bgp-nbr)#remote-as 64500
B(config-bgp-nbr)#update-source Loopback0
B(config-bgp-nbr)#address-family ipv6 unicast
IOS
(config)#router bgp 64507
(config-router)#neighbor 192.168.107.70 remote-as 64500 (configs an EBGP peer)
(config-router)#neighbor 2001:db8:192:168:107::70 remote-as 64500
(config-router)#address-family ipv4
(config-router-af)#no neighbor 2001:db8:192:168:107::70 activate
(config-router-af)#neighbor 192.168.107.70 activate (these commands ensure only the IPv4 neighbor is active in the IPv4 address
family)
(config-router)#address-family ipv6 unicast
(config-router-af)#neighbor 2001:db8:192:168:107::70 activate (the router and activate
commands are needed for enabling basic BGP)
#show bgp summary (verify BGP peers)
Disable a BGP Peer
-disabling a neighbour shuts down communication with them, this is used for debugging, troubleshooting,
-use the network command or redistribute routes from other IGPs (OSPF, etc.)
-route policy for EBGP peers is mandatory
IOS XR
(config)#int Loopback10
(config-if)#ipv4 address 172.16.8.1 255.255.255.0
(config-if)#no shut
(config)#router bgp 64500
(config-bgp)#address-family ipv4 unicast
(config-bgp-af)#network 10.10.10.0/24
IOS
(config)#int Loopback10
(config-if)#ip address 172.16.7.1 255.255.255.0
(config-if)#no shut
(config)#router bgp 64507
(config-router)#neighbor 192.168.107.70 remote-as 64500
(config-router)#address-family ipv4
-remember that a network must be present in the routing table to be advertised to other BGP peers
Route Policy Language (RPL)
-set weight
-set local-preference
-reject route
-and more
-IOS does not use RPL, BUT can use route maps and ACLs, applied to interfaces or to neighbours
Configuring Route Policies
A(config)#route-policy pass (names the route policy)
A(config-rpl)#pass
A(config-rpl)#end-policy
A(config)#router bgp 64500
A(config-bgp)#address-family ipv6 unicast
A(config-bgp)#neighbor 2001:db8:192:168:107::71
A(config-bgp-nbr)#remote-as 64507
A(config-bgp-nbr)#address-family ipv6 unicast
A(config-bgp-nbr-af)#route-policy pass in
A(config-bgp-nbr-af)#route-policy pass out
-when configuring an EBGP peer, route policy configuration is mandatory under the neighbour address
family, if you do not configure a route policy, no updates are sent to the EBGP peer
Wildcard Masks
-follow an IP address in an ACL entry, specifies which bits in an IP address will be checked against the
statement
-0 means to check the corresponding bit
-1 means to ignore the corresponding bit
i.e.: 192.168.146.0 0.0.0.255 means to ignore ONLY the final octet of the IP
-single IP example: 172.16.1.1 0.0.0.0
ACL Types
-Standard ACL:
-checks source address
-only one ACL per interface, per protocol, and per direction is allowed
-most specific statement should be at the top, most general should be at the bottom
-due to implicit deny, an ACL requires at least one permit statement
-When placing an ACL in a network:
-place standard ACLs close to the destination
-place extended ACLs close to the source
-An ACL applied to an interface does not filter traffic originating from the router itself (management traffic, routing
protocol traffic), you should apply an ACL to vty lines to limit admin access (Telnet, SSH) to the router
Standard ACLs
-based on source IPv4 address, only used on IOS/IOS XE
-wildcard mask used to match individual IPs or subnets
-config is done in two steps:
1) create the ACL and its statements
2) apply the access list to an interface
Standard ACL Configuration
(config)#ip access-list standard FILTER (creates a standard ACL with a name)
(config-std-nacl)#10 permit 172.16.0.0 0.0.255.255
(config-std-nacl)#20 deny any
(config)#int gi0/1
(config-if)#ip access-group FILTER in
#show ip int gi0/1 (will display IP access lists applied to the interface)
Extended ACLs
Extended ACL Configuration (IOS XR)
(config)#ipv4 access-list FILTER
(config-ipv4-acl)#10 permit tcp host 172.16.1.1 ge 1023 host 192.168.1.1 eq www
(config-ipv4-acl)#20 deny ipv4 any any
(config)#int gi0/0/0/1
(config-if)#ipv4 access-group FILTER ingress
-Operators: ge = greater than or equal, le = less than or equal, eq = equal, neq = not equal, range
#show access-lists ipv4|ipv6
(config)#int gi0/0/0/1
(config-if)#ipv6 access-group FILTER ingress
Anti-Spoofing ACL (inbound)
(config)#int gi0/0/0/1
(config-if)#ipv4 access-group ANTI_SPOOF_FILTER_IN ingress
-in this example, the public IPs assigned by the ISP do not accept traffic back from outside the network, as
those source IPs would have to have been spoofed
Anti-Spoofing ACL (outbound)
(config)#ipv4 access-list ANTI_SPOOF_FILTER_OUT
(config-ipv4-acl)#10 deny ipv4 209.165.202.128/28 any
(config)#int gi0/0/0/1
(config-if)#ipv4 access-group ANTI_SPOOF_FILTER_OUT egress
-in this example, the customer is assigned the 209.165.101.128/28 subnet (and resides outside the SP
network), the outbound ACL is configured to deny traffic originating from IP addresses that have been
assigned to the customer, and allows any other traffic destined to customer-assigned address space.
This protects the customer from attacks where an attacker tries to penetrate the customer network by
spoofing IP addresses of the customer. The ACL is applied outbound on an SP edge interface
(config)#int gi0/0/0/1
(config-if)#ipv6 access-group ADDRESS_FILTER_IN ingress
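The wildcard-mask rule and the anti-spoofing filters above, worked through as an added Python example (not the notes' own configuration): wildcard bit 0 means compare, 1 means ignore; entries are tried in sequence order; anything unmatched hits the implicit deny. The customer block 209.165.202.128/28 and the test addresses are constructed.

```python
"""Wildcard-mask matching and first-match ACL evaluation with implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = check this bit, 1 = ignore it. 192.168.146.0 0.0.0.255 checks the first three
    octets only; 172.16.1.1 0.0.0.0 checks every bit, i.e. exactly one host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def prefix_to_wildcard(prefix):
    """209.165.202.128/28 -> ('209.165.202.128', '0.0.0.15'): the host mask IS the wildcard mask."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"               # default destination: any
    dst_wc: str = "255.255.255.255"


ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl, src_ip, dst_ip):
    """First matching entry in sequence order decides; no match falls to the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(src_ip, ace.src, ace.src_wc) and wildcard_match(dst_ip, ace.dst, ace.dst_wc):
            return ace.action, ace.seq
    return "deny", None


# Constructed customer block standing in for the customer-assigned space in the notes
CUSTOMER_BLOCK = "209.165.202.128/28"


def anti_spoof_filter_out():
    """Egress on the SP edge towards the customer: a packet whose SOURCE claims to be inside the
    customer's own block cannot legitimately be heading into that block, so drop it; pass the rest."""
    base, wc = prefix_to_wildcard(CUSTOMER_BLOCK)
    return [Ace(10, "deny", base, wc),
            Ace(20, "permit", *ANY, base, wc)]


def anti_spoof_filter_in():
    """Ingress from outside: traffic coming back in with a source inside our assigned public block must
    be spoofed (those addresses live on our side), so drop it; everything else is permitted here."""
    base, wc = prefix_to_wildcard(CUSTOMER_BLOCK)
    return [Ace(10, "deny", base, wc),
            Ace(20, "permit", *ANY)]


if __name__ == "__main__":
    out_acl = anti_spoof_filter_out()
    for src, dst in [("209.165.202.130", "209.165.202.140"), ("198.51.100.5", "209.165.202.140"), ("198.51.100.5", "203.0.113.9")]:
        print(src, "->", dst, evaluate(out_acl, src, dst))
```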
Transitioning to IPv6
-Types of transition mechanisms:
-Static IPv6 Tunnels: manual IPv6 tunnels across IPv4 networks, they need to connect to tunnel
brokers that provide IPv6 tunnels and globally routed addresses
-6to4 Tunneling: uses automatic IPv6 tunnels across the IPv4 network. This technology, however, is
OBSOLETE
-IPv6 Rapid Deployment (6rd) tunnelling: similar to 6to4 tunneling, 6rd is recommended because
it solves the issues of 6to4 tunneling
-Carrier Grade NAT (CGN) Dual Stack (DS) Lite: IPv6 traffic goes natively over the core network,
IPv4 traffic is tunnelled over the IPv6 network of the SP, this traffic has private IPv4 addresses and must
be translated to public IPv4 via CGN devices
-NAT64: an SP that only has IPv6 services uses a NAT64 device on the edge of their network to
translate IPv6 to IPv4 to allow access to IPv4 content
-Teredo Tunneling: where neither customer nor SP have IPv6, the Teredo Tunnel is established from a
customer endpoint (PC) to a Teredo Relay (a service), IPv6 is encapsulated inside UDP on top of IPv4,
however it has significant security concerns
Carrier Grade NAT (CGN)
n
Inside Local Address: private address assigned to a host on the inside network
ma
Inside Global Address: A public IP address that is assigned by a SP that represents one or more inside
local address to the outside world
rt
Outside Local Address: IP address of an outside host as it appears on the inside network, the outside
local address could be a private IP if the outside host is subject to NAT
ce
Outside Global Address: IP address assigned to a host on the outside network by the host owner
-NAT444: translating IPv4 addresses to IPv4 addresses traverses 3 IPv4 addressing domains, packet
is translated twice
-DS-Lite: -provides tunnelling of IPv4 traffic over IPv6, and then CGN operation is performed, IPv6 traffic
travels natively
-NAT 64: assigning IPv6 addresses to customers and then translating IPv6 packets to IPv4 on the SP
edge, comes in two flavors
-Stateless NAT64: translates the IPv4 header into an IPv6 header (and vice versa) using algorithmic bindings
between IPv4/IPv6 addresses. Disadvantage is that it only translates one-to-one
-Stateful NAT64: multiplexes many IPv6 devices into a single IPv4 address using PAT. A state is
created in the NAT64 device for every flow
-both are used with DNS64, which allows IPv6 hosts to retrieve the IPv6 address of IPv4 only hosts
-DNS-64: synthesizes a AAAA record, based on a received A record and on a well-known SP-assigned
translation prefix
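The algorithmic binding that stateless NAT64 and DNS64 share, and the per-flow state that stateful NAT64 keeps, are easier to see in code. The following is an added illustration and not code from these notes: it embeds an IPv4 address in the low 32 bits of a /96 translation prefix (the RFC 6052 scheme) to synthesize the AAAA record DNS64 would answer with, reverses the mapping the way the NAT64 device does, and models a toy stateful NAT64 that multiplexes many IPv6 hosts onto one IPv4 address with PAT. The well-known prefix 64:ff9b::/96 is a real value; the SP prefix, host addresses and shared IPv4 address are constructed samples from documentation ranges, and the stateful table is keyed on source address and port only, which is a simplification.

```python
"""NAT64 / DNS64 address mapping (added illustration, not code from these notes)."""
import ipaddress
from typing import Dict, Optional, Tuple

# 64:ff9b::/96 is the real well-known NAT64 prefix (RFC 6052).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Constructed sample of an SP-assigned translation prefix (documentation range).
SP_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize_aaaa(a_record: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """What DNS64 returns: an AAAA record built from the A record of an IPv4-only host."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 translation prefixes are handled here")
    v4 = ipaddress.IPv4Address(a_record)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(addr6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping done on the NAT64 device: recover the IPv4 destination, or
    return None when the address is native IPv6 and must not be translated."""
    v6 = ipaddress.IPv6Address(addr6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class StatefulNat64:
    """Toy stateful NAT64: many IPv6 sources are multiplexed onto one IPv4
    address with PAT, and one binding (state entry) is created per flow.
    That binding table is also what an operator must log to attribute an
    IPv4-side connection back to the originating IPv6 host."""

    def __init__(self, shared_ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX,
                 first_port: int = 1024):
        self.shared_ipv4 = shared_ipv4
        self.prefix = prefix
        self.next_port = first_port
        # Simplification: keyed on (IPv6 source, source port) only.
        self.bindings: Dict[Tuple[str, int], int] = {}

    def translate(self, src6: str, sport: int, dst6: str) -> Tuple[str, int, str]:
        """Return (IPv4 source, translated port, IPv4 destination) for a flow."""
        dst4 = extract_ipv4(dst6, self.prefix)
        if dst4 is None:
            raise ValueError("destination is native IPv6; NAT64 does not apply")
        key = (src6, sport)
        if key not in self.bindings:          # new flow: allocate state
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.shared_ipv4, self.bindings[key], dst4


if __name__ == "__main__":
    print(synthesize_aaaa("192.0.2.10"))      # 64:ff9b::c000:20a
    nat = StatefulNat64("203.0.113.1")
    print(nat.translate("2001:db8:1::a", 40000, "64:ff9b::c000:20a"))
```

The one-to-one limitation of stateless NAT64 is visible in `extract_ipv4`: every IPv4 address maps to exactly one IPv6 address under the prefix, so there is no sharing without the binding table that `StatefulNat64` maintains.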
Dual Stack
-both IPv4 and IPv6 stacks are concurrently enabled, applications can talk to both stacks, IPv6 path is
preferred
-Dual Stack IPv4 and IPv6: if an application and destination support both, it chooses one address and
connects to it
(config)#int gi0/0
 ip address 192.168.0.1
 ipv6 address 2001:db8:c10:1::3/64
IPv6-in-IPv4 Tunneling
-tunneling is used to transport one network protocol over another by encapsulating packets
-routing inside the transport network is performed based on the outer IP header
-an example is Generic Routing Encapsulation (GRE)
Tunneling Solutions
-during transition, all devices can be dual stack (but not all devices are under common administration, and it is
almost twice as much admin burden)
-Manual Tunneling between 2 sites: 6in4 encapsulation, GRE encapsulation
-Dynamic tunnelling between sites and/or the rest of IPv6 internet: 6to4 (outdated), 6rd (desirable)
Manual GRE
-IPv6 traffic is sent over IPv4 via explicitly configured GRE tunnels
-uses protocol number 47 in the IPv4 header
-tunnel interface can be dual-stack
-overhead is the IPv4 header + GRE header
-NOT supported in IOS XR!
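The protocol numbers and overhead above are also what a defender sees on the wire: 6in4 is IPv6 directly behind an IPv4 header with protocol 41, GRE is protocol 47 with its own 4-byte (or longer, when options are present) header in between. The following added illustration, not code from these notes, builds both encapsulations from constructed sample addresses (209.165.201.6 is the page's tunnel endpoint, the others are made up from documentation ranges) and parses the outer header to report the tunnel type, the encapsulation overhead and the inner IPv6 addresses, which is the minimum a tunnel-detection rule needs to flag IPv6 tunnels where a network policy does not expect them.

```python
"""Recognising IPv6-in-IPv4 tunnel traffic from the outer IPv4 header
(added illustration, not code from these notes)."""
import ipaddress
import struct
from typing import Dict, Optional

IPPROTO_IPV6 = 41        # IPv6 encapsulated directly in IPv4 (6in4, IOS "tunnel mode ipv6ip")
IPPROTO_GRE = 47         # Generic Routing Encapsulation
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol-type value for an IPv6 payload


def build_ipv6(src6: str, dst6: str, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header: version 6, next header 59 (no next header), hop limit 64."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    return hdr + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload


def build_ipv4(src4: str, dst4: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; irrelevant for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    return hdr + payload


def encapsulate_6in4(src4: str, dst4: str, inner6: bytes) -> bytes:
    """6in4: overhead is just the IPv4 header."""
    return build_ipv4(src4, dst4, IPPROTO_IPV6, inner6)


def encapsulate_gre(src4: str, dst4: str, inner6: bytes) -> bytes:
    """GRE: overhead is the IPv4 header plus the GRE header (no C/K/S options here)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV6)
    return build_ipv4(src4, dst4, IPPROTO_GRE, gre + inner6)


def classify_tunnel(packet: bytes) -> Optional[Dict[str, object]]:
    """Return tunnel type, encapsulation overhead and inner/outer addresses,
    or None when the packet is not IPv6 tunneled inside IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_IPV6:
        kind, inner_off = "6in4", ihl
    elif proto == IPPROTO_GRE:
        if len(packet) < ihl + 4:
            return None
        flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ptype != ETHERTYPE_IPV6:
            return None                      # GRE carrying something other than IPv6
        # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each.
        opt = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
        kind, inner_off = "gre", ihl + 4 + opt
    else:
        return None
    inner = packet[inner_off:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return {
        "type": kind,
        "overhead": inner_off,
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }


if __name__ == "__main__":
    inner = build_ipv6("2001:db8:3::1", "2001:db8:2::5")
    print(classify_tunnel(encapsulate_6in4("209.165.201.2", "209.165.201.6", inner)))
    print(classify_tunnel(encapsulate_gre("209.165.201.2", "209.165.201.6", inner)))
```

Because the parser keys on the outer protocol number and not on ports, it catches 6in4 and GRE regardless of what the inner IPv6 packet carries; Teredo (IPv6 in UDP) would need a separate UDP-level check.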
6in4 Tunneling Configuration
-setting up 6in4 manual tunnel between two routers with customers using IPv6
A(config)#int Tunnel0
 ipv6 address 2001:db8:3::1/64
 tunnel source gi0/0 (outbound interface to other router)
 tunnel destination 209.165.201.6
 tunnel mode ipv6ip (sets the 6in4 tunneling mode)
A(config)#ipv6 route 2001:db8:2::/64 Tunnel0 2001:db8:3::2 (creates a static IPv6 route to reach the other router's
subnet via the tunnel)
B(config)#int Tunnel0
 ipv6 address 2001:db8:3::2/64
Automatic 6rd
-similar to the obsolete 6to4:
-uses 6in4 encapsulation to tunnel
-customers use the assigned prefix of the server router
-border relay router is under SP control and the SP is responsible to route traffic from customers to
native IPv6 addresses
-the SP selects a GLOBALLY routable IPv6 prefix from its address space
-the 6rd prefix is concatenated with IPv4 address that is assigned to the customer, the resulting IPv6
network is assigned to the customer
-traffic between customers: destination address falls within the 6rd prefix and the tunnel destination is
determined from the IPv6 prefix
-traffic to the IPv6 internet: destination address does not fall within the 6rd prefix and traffic is sent to the
preconfigured 6rd border relay
-allows SPs to instantly offer IPv6 services without migrating the core network
-CE routers should be under SP administration
-supported on Cisco ISR series and Cisco ASR 1000 Series routers
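The two address operations that make 6rd work without per-customer state, deriving the customer's IPv6 prefix from the SP's 6rd prefix plus the customer's IPv4 address, and deciding whether a packet goes directly to another customer or to the border relay, are shown below as an added illustration that is not code from these notes. It follows the RFC 5969 scheme, including the IPv4MaskLen parameter that lets the SP omit high-order IPv4 bits common to the whole domain (the notes describe the simpler case where the full IPv4 address is appended; that is IPv4MaskLen 0). The 6rd prefixes, customer IPv4 addresses and border relay address are constructed sample values from documentation ranges.

```python
"""6rd prefix delegation and tunnel endpoint selection
(added illustration, not code from these notes)."""
import ipaddress


class SixRdDomain:
    """Parameters of one 6rd domain: SP-selected globally routable 6rd prefix,
    IPv4MaskLen (high-order IPv4 bits common to every customer in the domain)
    and the border relay's IPv4 address (under SP control)."""

    def __init__(self, rd_prefix: str, ipv4_mask_len: int, br_ipv4: str):
        self.prefix = ipaddress.IPv6Network(rd_prefix)
        self.ipv4_mask_len = ipv4_mask_len
        self.br_ipv4 = ipaddress.IPv4Address(br_ipv4)
        self.embedded_bits = 32 - ipv4_mask_len          # IPv4 bits copied into the IPv6 prefix
        self.delegated_len = self.prefix.prefixlen + self.embedded_bits
        if self.delegated_len > 64:
            raise ValueError("6rd prefix too long to leave a /64 for the customer")

    def delegated_prefix(self, ce_ipv4: str) -> ipaddress.IPv6Network:
        """IPv6 prefix assigned to the customer whose tunnel endpoint is ce_ipv4:
        6rd prefix concatenated with the (non-common) bits of the IPv4 address."""
        v4 = int(ipaddress.IPv4Address(ce_ipv4))
        low_bits = v4 & ((1 << self.embedded_bits) - 1)  # drop the domain-common high bits
        shift = 128 - self.delegated_len
        addr = int(self.prefix.network_address) | (low_bits << shift)
        return ipaddress.IPv6Network((addr, self.delegated_len))

    def tunnel_destination(self, ce_ipv4: str, dst6: str) -> ipaddress.IPv4Address:
        """IPv4 address the CE encapsulates toward for an IPv6 destination dst6."""
        v6 = ipaddress.IPv6Address(dst6)
        if v6 not in self.prefix:
            return self.br_ipv4                          # off-domain: via the border relay
        # In-domain: recover the other customer's IPv4 address from the IPv6 prefix,
        # re-adding the common high bits taken from this CE's own IPv4 address.
        shift = 128 - self.delegated_len
        low_bits = (int(v6) >> shift) & ((1 << self.embedded_bits) - 1)
        common = int(ipaddress.IPv4Address(ce_ipv4)) & ~((1 << self.embedded_bits) - 1)
        return ipaddress.IPv4Address(common | low_bits)  # direct customer-to-customer tunnel


if __name__ == "__main__":
    # Constructed: whole IPv4 address embedded (IPv4MaskLen 0), as in the notes.
    simple = SixRdDomain("2001:db8::/32", 0, "192.0.2.1")
    print(simple.delegated_prefix("198.51.100.7"))                       # 2001:db8:c633:6407::/64
    print(simple.tunnel_destination("198.51.100.7", "2001:db8:cb00:7105::9"))  # 203.0.113.5
    print(simple.tunnel_destination("198.51.100.7", "2001:db9::1"))      # 192.0.2.1 (border relay)
```

The in-domain branch of `tunnel_destination` is why the notes insist CE routers be under SP administration: any host that can reach the 6rd prefix can compute a customer's IPv4 tunnel endpoint from an IPv6 address, so the relay and CEs should accept 6in4 traffic only from the domain they belong to.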
IOS XR Architecture (figure): software layers stacked on top of the Distributed Infrastructure and the Cisco IOS XR Kernel
-each layer performs a separate set of tasks
-layers communicate with each other through the kernel
IOS XR Software capabilities
-protected memory access:
-in comparison to IOS, where all processes shared the same virtual space
-limited use of shared memory
-preemptive multitasking
-Control Plane: distributes routing tasks and management of the routing information base (RIB) in
participating RPs, different routing processes can be running on different physical units
-Data Plane: maintains the forwarding information base (FIB) changes across the participating nodes,
letting the router perform as a single forwarding entity
-Management Plane: controls the operation of the router as a single networking element
-Package Installation Envelope (PIE) files are uploaded to the device
-PIE files need to be added to the system and unpackaged
-package then needs to be unpacked
-installation of new package must be committed to make it persistent across reboots
#install add disk1:asr9k-mcast-p.pie-4.0.1 (adds the PIE file to the boot device of the router)
#install activate <package id reported by install add> (activates the multicast package that was added to the router)
#install commit (commits the current set of packages on the router so that these packages are used if the router is
restarted)
Installing IOS XR from the Beginning
-done because: the route processor (RP) is unable to boot IOS XR, or you want to completely replace
the existing software
-installation from the beginning is done from the ROM monitor
-special installation files with the extension .vm are used
-sometimes referred to as Turboboot, can be done from a TFTP server or from a file stored on a local disk
Turboboot
-an environmental variable that:
-4 variable options:
-on: installs and activates IOS XR software package
-boot-device: selects the destination disk
-format | clean: specifies whether or not the files on the disk are preserved
-nodisablebreak: specifies if installation process can be prematurely terminated
-files installed from the ROMMon have a .vm extension, they include the software that is included in the
IOS XR Unicast Routing Core Bundle
Committing Configuration
-IOS XR has a two-stage configuration: 1) make config changes 2) make the changes persistent (commit)
-there is no startup vs. running config distinction on IOS XR, only committed and uncommitted changes
-commit (atomic): commits changes only if all changes in the target config are valid, if errors are found,
no changes take place
-commit best-effort: configures only the changes that are possible (error-free changes)
#show configuration failed: reasons for a config commit error
#show configuration commit list: view the CommitIDs for the available rollback points