
my CCDE

cheat sheets
Philippe Jounin 2013

Sections: Operation | Tunneling, L3, L2 and overlays | Security

Layer 2

Layer 2 Design - Performance and stability / Security

Layer 2 security checklist (what to apply, and where):
- Apply an ACL filter on the admin (management) VLAN
- Put the HSRP active gateway and the STP root on the same distribution switch
- Root Guard on distribution ports facing the access switches (no downstream switch may become root)
- Loop Guard or Bridge Assurance on inter-switch links
- BPDU Guard together with PortFast on user-facing (edge) ports
- Modify the VTP domain name and set a VTP password, or turn VTP off (transparent mode)
- Clear the native VLAN: use an unused VLAN as native on trunks and prune or tag it
- Force access mode and disable DTP on user ports
- Do not use VLAN 1 for users, management or as native VLAN
- Apply Port Security on user ports

802.1D Enhancements and Spanning Tree protection

PortFast          Enables immediate transition into the forwarding state on edge ports
UplinkFast        Enables access switches to maintain backup paths to the root
BackboneFast      Enables immediate expiration of the Max Age timer on an indirect failure
Root Guard        Prevents a port from becoming a root port (a superior BPDU puts it in root-inconsistent state)
BPDU Guard        Err-disables a port if a BPDU is received
Loop Guard        Prevents a blocked port from transitioning to listening/forwarding when BPDUs stop arriving (unidirectional link) after the Max Age timer
BPDU Filtering    Disables STP on a port (no BPDUs sent or processed)
Bridge Assurance  Blocks a port if it receives no BPDU (BPDUs are sent on all ports, including designated ones)

Layer 2 Design - Spanning Tree normalisation

DEC STP   pre-IEEE
802.1D    Classic STP
802.1w    Rapid STP (RSTP)
802.1s    Multiple STP (MST)
802.1t    802.1D maintenance (introduced the extended system ID)

Spanning Tree toolkit
The following enhancements to 802.1(D,s,w) make up the Cisco Spanning-Tree toolkit:
PortFast       Lets an access port bypass the listening and learning phases
UplinkFast     Provides 3-to-5 second convergence after an uplink failure
BackboneFast   Cuts convergence time by Max Age for an indirect failure
Loop Guard     Prevents an alternate or root port from becoming designated unless BPDUs are present
Root Guard     Prevents external switches from becoming the root
BPDU Guard     Disables a PortFast-enabled port if a BPDU is received
BPDU Filter    Prevents sending or receiving BPDUs on PortFast-enabled ports

Cisco has incorporated a number of these features into the following versions of STP:
Per-VLAN Spanning Tree Plus (PVST+)   Provides a separate 802.1D spanning tree instance for each VLAN configured in the network. Includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
Rapid PVST+   Provides an instance of RSTP (802.1w) per VLAN. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard (UplinkFast and BackboneFast behaviour is built into RSTP).
MST   Provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
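The Layer 2 security checklist and the STP toolkit above as one Catalyst IOS configuration. This is an added example, not a configuration from the cheat sheet: interface names, VLAN numbers, the management and NOC subnets and the errdisable timer are assumptions, and the switch shown is a distribution switch that is also STP root and HSRP active for its VLANs.

```cisco
! Added example, not part of the original cheat sheet. Interface names,
! VLANs, subnets and timers are assumptions.

! ----- Global: STP toolkit defaults -----
spanning-tree mode rapid-pvst
spanning-tree portfast default              ! edge ports skip listening/learning
spanning-tree portfast bpduguard default    ! ...and are err-disabled if a BPDU shows up
spanning-tree loopguard default             ! alternate/root ports block when BPDUs stop
errdisable recovery cause bpduguard         ! auto-recover after the timer, so a rogue
errdisable recovery interval 300            ! switch does not need a manual shut/no shut

! ----- Distribution switch: STP root and HSRP active on the same box -----
spanning-tree vlan 10,20 root primary
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby 10 ip 10.1.10.1
 standby 10 priority 110                    ! higher than the peer: active here, with the root
 standby 10 preempt

! ----- VTP: nobody can push a VLAN database to this switch -----
vtp mode transparent                        ! "vtp mode off" where the platform supports it

! ----- Trunk toward an access switch -----
interface GigabitEthernet1/0/1
 description to-access-switch
 switchport trunk encapsulation dot1q       ! omit on platforms that only do dot1q
 switchport mode trunk
 switchport nonegotiate                     ! DTP off: the mode is forced, never negotiated
 switchport trunk native vlan 999           ! unused VLAN as native ...
 switchport trunk allowed vlan 10,20        ! ...and not in the allowed list: untagged frames are dropped
 spanning-tree guard root                   ! a superior BPDU from below -> root-inconsistent, not a new root

! ----- User-facing access port -----
interface GigabitEthernet1/0/10
 description user port
 switchport mode access                     ! forced access mode, no trunk negotiation
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable             ! a switch plugged in here gets err-disabled
 switchport port-security
 switchport port-security maximum 2         ! PC + phone
 switchport port-security violation restrict ! drop offending frames, log, keep the port up
 switchport port-security aging time 5

! ----- Management VLAN: only the NOC subnet may reach it -----
ip access-list extended ADMIN-VLAN-OUT
 permit ip 10.99.0.0 0.0.0.255 10.1.99.0 0.0.0.255
 deny   ip any any log
interface Vlan99
 description management
 ip address 10.1.99.2 255.255.255.0
 ip access-group ADMIN-VLAN-OUT out         ! "out" on the SVI = traffic routed into the VLAN
```

Verify the result with show spanning-tree inconsistentports (root-guard and loop-guard blocks), show errdisable recovery and show port-security; a port that keeps coming back err-disabled is a real unauthorised switch, not a configuration problem.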

Access design: STP or not STP (L2 topologies)


Layer 3

Layer 3 Design - requirements
- The network must be reliable and resilient
- The network must be manageable
- The network must be scalable

Layer 3 Design - Triangle vs Square
- Triangles (each distribution switch connected to both core switches): a link or box failure does NOT require routing protocol convergence, the remaining equal-cost path is already in the FIB
- Squares: a link or box failure requires routing protocol convergence before traffic is rerouted

OSPF in a campus
- The core is area 0; each distribution block is its own area, configured as totally stubby (area N stub no-summary) so that the routers inside it only carry a default route toward the ABR
- Summaries are originated at the ABR (distribution switch), keeping the core LSDB small
- Caveat: when an ABR comes up it may advertise the default route into the stub area immediately, before its core adjacencies are up, if it has a loopback in area 0 (the loopback alone makes it an active area 0 router). Traffic is then black-holed until the core converges.

EIGRP in a campus
- Summaries from the core/distribution toward the access layer: queries are not forwarded beyond the summary
- Access switches are configured as eigrp stub: they reply to queries immediately and are never used as transit
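Both campus designs above as router configuration, with the OSPF reboot caveat handled. This is an added example, not from the cheat sheet: process and AS numbers, router IDs, interface names and prefixes are assumptions.

```cisco
! Added example, not part of the original cheat sheet. Process/AS numbers,
! router IDs, interface names and prefixes are assumptions.

! ===== OSPF: distribution switch = ABR between the core (area 0) and its block (area 10) =====
router ospf 1
 router-id 10.0.0.1
 area 10 stub no-summary                   ! totally stubby: the block only gets a default from this ABR
 area 10 range 10.10.0.0 255.255.0.0       ! one LSA 3 toward the core for the whole block
 network 10.0.0.0 0.0.255.255 area 0       ! core links, and Loopback0 if it lives in area 0
 network 10.10.0.0 0.0.255.255 area 10
 passive-interface default
 no passive-interface TenGigabitEthernet1/1   ! core uplinks
 no passive-interface TenGigabitEthernet1/2
 no passive-interface GigabitEthernet2/1      ! access-layer link running OSPF
 ! Reboot caveat: with Loopback0 in area 0 this ABR is "attached" to the backbone
 ! as soon as OSPF starts and originates 0.0.0.0/0 into area 10 before its core
 ! adjacencies are up. Advertise its LSAs at max metric for the first 120 s instead:
 max-metric router-lsa on-startup 120 summary-lsa

! Access-layer L3 switch inside the totally stubby area
router ospf 1
 router-id 10.10.0.11
 area 10 stub                              ! "no-summary" is only meaningful on the ABR
 network 10.10.0.0 0.0.255.255 area 10
 passive-interface default
 no passive-interface GigabitEthernet1/1   ! uplinks to the two distribution switches
 no passive-interface GigabitEthernet1/2

! ===== EIGRP: same roles =====
! Distribution: summarize in both directions; queries stop at the summary
router eigrp 100
 network 10.0.0.0 0.0.255.255
 network 10.10.0.0 0.0.255.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 no passive-interface TenGigabitEthernet1/2
 no passive-interface GigabitEthernet2/1
interface TenGigabitEthernet1/1
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0   ! toward the core: the block as one prefix
interface GigabitEthernet2/1
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0         ! toward access: a default only

! Access: stub router, answers queries at once and is never transit
router eigrp 100
 network 10.10.0.0 0.0.255.255
 eigrp stub connected summary
```

On the ABR, show ip ospf database summary after a reload shows the default and the block summaries with metric 16711680 until the timer expires; on an EIGRP access switch, show ip eigrp neighbors detail on the distribution side confirms the peer is "Stub Peer Advertising (CONNECTED SUMMARY)".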

OSPF as PE-CE protocol
- The PE redistributes BGP into OSPF as LSA 3 (inter-area) when the domain ID matches the remote PE's, as LSA 5 otherwise; on what it originates it sets the down bit (LSA 3) or the domain ID tag (LSA 5)
- A PE ignores routes received with the down bit set (a route already carried by the backbone is never re-injected through another PE)
- Inter-area (IA) routes are preferred over external routes, so a backdoor link between two sites is preferred over the backbone unless a sham-link is used
- Sham-link: a virtual intra-area link between the PEs across the MPLS backbone; give it a lower cost than the backdoor so that the backbone route wins

EIGRP as PE-CE protocol
- The AS number should be the same on all sites, so that routes stay internal (D) rather than external (D EX)
- Metric, AS and SoO are transported as BGP extended communities
- The SoO check is done pre-best-path (point of insertion: before the received route is considered on the PE)
- SoO transported into EIGRP; SoO on PEs: the same SoO for every port of the same site; SoO on CEs (backdoor links): one SoO per CE
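The PE side of both PE-CE designs above, as an added example (not from the cheat sheet): VRF name, process and AS numbers, router IDs, loopbacks, interface names and the SoO value are assumptions.

```cisco
! Added example, not part of the original cheat sheet. VRF name, process/AS
! numbers, addresses, interface names and the SoO value are assumptions.

! ---------- OSPF as PE-CE protocol ----------
ip vrf CUST
 rd 65000:1
 route-target both 65000:1

! sham-link endpoint: a /32 inside the VRF, reachable through BGP only
interface Loopback100
 ip vrf forwarding CUST
 ip address 10.255.0.1 255.255.255.255

router ospf 100 vrf CUST
 router-id 10.255.0.1
 domain-id 0.0.0.1                              ! same value on every PE: BGP routes come back as LSA 3 (IA)
 area 0 sham-link 10.255.0.1 10.255.0.2 cost 1  ! intra-area link across the core, cheaper than the backdoor
 redistribute bgp 65000 subnets                 ! DN bit set on the LSA 3 originated here (domain tag on LSA 5)
 network 10.1.1.0 0.0.0.255 area 0
 ! "capability vrf-lite" disables the DN-bit check: for CE-side VRF-lite only, never on a PE

router bgp 65000
 address-family ipv4 vrf CUST
  network 10.255.0.1 mask 255.255.255.255       ! sham-link endpoint: in BGP, NOT in OSPF
  redistribute ospf 100 vrf CUST match internal external 1 external 2

! ---------- EIGRP as PE-CE protocol ----------
route-map SOO-SITE1 permit 10
 set extcommunity soo 65000:101                 ! same SoO on every PE port of site 1

interface GigabitEthernet0/1
 ip vrf forwarding CUST
 ip vrf sitemap SOO-SITE1                       ! tag what is learnt here; routes carrying this SoO are dropped on the way back in
 ip address 10.1.1.1 255.255.255.0

router eigrp 1
 address-family ipv4 vrf CUST autonomous-system 100   ! the customer's AS: routes stay internal (D, not D EX)
  network 10.1.1.0 0.0.0.255
  redistribute bgp 65000 metric 10000 100 255 1 1500   ! metric/AS/SoO restored from the extended communities
 exit-address-family
```

Check the sham-link with show ip ospf sham-links (state FULL) and the remote site's prefixes with show ip route vrf CUST, which must show them as O IA via the sham-link and not as O E2; for EIGRP, show ip eigrp vrf CUST topology shows the SoO on the entries and show ip bgp vpnv4 vrf CUST shows the Cost, AS and SoO extended communities.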

OSPF LSA types

Type  Name                   Description
1     Router LSA             Routers, links and costs (flooded within the area)
2     Network LSA            Originated by the DR on multi-access networks (pseudonode)
3     Network Summary LSA    Originated by ABRs (inter-area prefixes)
4     ASBR Summary LSA       Originated by ABRs to make an ASBR reachable from other areas
5     External LSA           Originated by the ASBR for OSPF external routes
7     NSSA External LSA      Originated by the ASBR inside an NSSA for OSPF external routes (translated to type 5 by the NSSA ABR)

Area          Description
Backbone      (Area 0) All other areas have to be linked to it. Receives LSA 3, 4 and 5 from the other areas' ABRs.
Standard      Receives LSA 3, 4 and 5; its ABR originates LSA 3 (and 4 if the area holds an ASBR) toward the backbone.
Stub          Receives type 3 LSAs and a default route (advertised as an LSA 3), no LSA 4/5; its ABR originates LSA 3 toward the backbone.
Totally Stub  Receives only a default route as a type 3 LSA; its ABR originates LSA 3 toward the backbone.
NSSA          Originates type 7 LSAs, receives LSA 3. No automatic default route (default-information-originate on the ABR) except in a Totally NSSA, where the default is implicit.

Inter-area routes are summarized on the ABR (area range)
External routes are summarized on the ASBR (summary-address)
NSSA-External routes can be summarized on the ASBR or on the NSSA ABR that translates type 7 into type 5

OSPF Areas - LSAs present in each area type (external routes reach area 0 as type 5)

Area type       Intra-area   Inter-area        External
Standard        type 1 & 2   type 3            type 4 + type 5
Stub            type 1 & 2   type 3            default route (type 3) from the ABR
Totally Stub    type 1 & 2   default route     default route (type 3) from the ABR
NSSA            type 1 & 2   type 3            type 7 inside the area (the ABR translates it to type 5 toward area 0)
Totally NSSA    type 1 & 2   default route     type 7 inside the area; default route (type 3) from the ABR

OSPF NBMA and partial mesh networks (hub and spoke)
Option 1: set the DR priority to 0 on all partially meshed nodes (spokes) and configure the peers manually in unicast (non-broadcast) mode
Option 2: set the DR priority to 0 on all partially meshed nodes and set broadcast mode on all links (the hub must always be the DR)
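Both options above on a Frame Relay hub and spoke, as an added example (not from the cheat sheet); addresses, DLCIs and interface names are assumptions.

```cisco
! Added example, not part of the original cheat sheet. Addresses, DLCIs and
! interface names are assumptions.

! ----- Option 1: non-broadcast mode, peers listed manually (unicast hellos) -----
! Hub: must always be the DR, because only the hub sees every spoke
interface Serial0/0
 ip address 10.1.0.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network non-broadcast       ! the default on a multipoint FR interface
 ip ospf priority 255
 frame-relay map ip 10.1.0.2 102
 frame-relay map ip 10.1.0.3 103
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 neighbor 10.1.0.2                   ! unicast hellos to each spoke
 neighbor 10.1.0.3
! Spoke (same on every spoke with its own address and DLCI)
interface Serial0/0
 ip address 10.1.0.2 255.255.255.0
 encapsulation frame-relay
 ip ospf network non-broadcast
 ip ospf priority 0                  ! can never become DR/BDR: spokes do not see each other
 frame-relay map ip 10.1.0.1 201
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 neighbor 10.1.0.1

! ----- Option 2: broadcast mode on all links (multicast hellos, no neighbor statements) -----
! Hub
interface Serial0/0
 ip address 10.1.0.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network broadcast
 ip ospf priority 255
 frame-relay map ip 10.1.0.2 102 broadcast   ! "broadcast": replicate 224.0.0.5/6 onto the PVC
 frame-relay map ip 10.1.0.3 103 broadcast
! Spoke
interface Serial0/0
 ip address 10.1.0.2 255.255.255.0
 encapsulation frame-relay
 ip ospf network broadcast
 ip ospf priority 0
 frame-relay map ip 10.1.0.1 201 broadcast
 frame-relay map ip 10.1.0.3 201             ! spoke-to-spoke traffic still transits the hub's DLCI
```

show ip ospf neighbor on the hub must list every spoke as FULL/DROTHER and never FULL/BDR; if a spoke shows as BDR its priority 0 was forgotten. The third choice, ip ospf network point-to-multipoint on every interface, avoids the DR election entirely at the cost of a /32 per neighbour.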

Troubleshooting adjacencies - what must match

EIGRP
- Same AS
- Same primary IP subnet
- Same K values (metric weights)
- Same authentication mode and key
OSPF
- Same area ID and same area type (stub/NSSA flags in the hello)
- Same IP subnet and mask (the mask is not checked on point-to-point links)
- Same hello and dead intervals
- Same MTU (or ip ospf mtu-ignore), otherwise the adjacency sticks in EXSTART/EXCHANGE
- Same authentication type and key
IS-IS
- Same area for L1 adjacencies
- Different system IDs
- Same MTU (hello padding)
- Same IP subnet
- Same network/interface type (multipoint or point-to-point)
- Same authentication (area password for L1, domain password for L2, or interface password)

IS-IS inter-area

L1/L2 routers set the attached bit in their L1 LSP when they have an L2 adjacency toward another area. L1 routers receiving an LSP with the attached bit generate a default route toward the advertising router; the LSP is flooded through the whole L1 area, so every L1 router sees it.
Intra-area (L1) routes are preferred over inter-area (L2) routes even if the metric is greater.
L1 routes are advertised by L1/L2 routers to the other L2 routers.
L1/L2 routers may be configured to leak L2 routes into the L1 area (route leaking).

System ID best practice: derive it from the main loopback IP address
- Pad each octet to three digits: 192.168.1.24 -> 192.168.001.024
- Regroup the digits into XXXX.XXXX.XXXX format: 192.168.001.024 -> 1921.6800.1024
- Prefix with 49.<4-digit area> and append 00 as the NSEL: 49.<area>.1921.6800.1024.00

VPN backdoors
- OSPF: a partial mesh of sham-links between the PEs makes the backbone path preferred over the backdoor link
- BGP: network <prefix> backdoor gives the eBGP-learned prefix an administrative distance of 200, so the IGP route over the internal (backdoor) link is preferred over eBGP

Traffic engineering with BGP

Route Reflectors
- Follow the physical topology
- A session between an RR and a non-client should not traverse a client
- A session between an RR and its client should not traverse a non-client

Influencing inbound traffic through outgoing advertisements
- AS-path prepending
- MED
- Communities (actions defined by the upstream provider)
- Selective advertisements (the withheld prefix has no backup path)
- More specific advertisements

BGP confederations

Feature                                 Seen in the confederation
Peering                                 Partial-mesh peering between sub-autonomous systems; full-mesh peering (or route reflectors) within each sub-AS
Communications between peers            iBGP is used within each sub-AS; cBGP (confederation eBGP) is used between sub-autonomous systems, similar to eBGP but with an enhanced AS_PATH attribute and a change in next-hop handling
Additions to the BGP attributes         The AS_PATH is extended with the sub-AS IDs (AS_CONFED_SEQUENCE / AS_CONFED_SET). This enhancement is not advertised to external autonomous systems.
Preserved attributes                    Next-hop, local preference and MED are preserved across sub-AS boundaries (unlike plain eBGP)
Readvertising a learned prefix          Readvertised to the other sub-autonomous systems if selected as best
Communications with non-member peers    If a member of the confederation peers with a BGP peer located in another AS, the sub-AS numbers in the AS_PATH are suppressed and only the confederation identifier is passed in the AS_PATH attribute
Use of the multihop parameter           By default cBGP needs a directly connected interface (TTL 1), as eBGP does; use ebgp-multihop for loopback peering
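One sub-AS border router of a confederation, showing the three session types of the table above. This is an added example, not from the cheat sheet; the confederation identifier, sub-AS numbers, addresses and the password string are assumptions.

```cisco
! Added example, not part of the original cheat sheet: confederation 100
! made of sub-AS 65001 and 65002. Addresses and the key string are assumptions.
! Border router in sub-AS 65001 with an iBGP peer, a cBGP peer and a real eBGP peer.
router bgp 65001
 bgp router-id 10.0.0.1
 bgp confederation identifier 100          ! the AS the outside world sees in AS_PATH
 bgp confederation peers 65002             ! sessions to this AS are cBGP, not eBGP
 neighbor 10.0.0.2 remote-as 65001         ! iBGP inside the sub-AS (full mesh or RR)
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.1.1 remote-as 65002         ! cBGP: next-hop, local-pref and MED survive
 neighbor 10.0.1.1 update-source Loopback0
 neighbor 10.0.1.1 ebgp-multihop 2         ! cBGP is TTL 1 by default; needed between loopbacks
 neighbor 192.0.2.2 remote-as 200          ! eBGP: AS_CONFED_* stripped, AS_PATH starts with 100
 neighbor 192.0.2.2 password Bgp-ChangeMe  ! placeholder; TCP MD5 on every external session
```

Inside the confederation show ip bgp prints the sub-AS part of the path in parentheses, e.g. "(65002) 200"; on the peer in AS 200 the same prefix shows "100 200", which is the quick check that the confederation identifier is configured on every member.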

Remotely triggered black hole (RTBH)

Destination-based (remotely triggered black hole):
- Every edge router (CE/PE) carries a static route 192.0.2.1/32 -> Null0
- The NOC trigger router advertises the victim prefix (e.g. 10.1.1.0/24) over iBGP with next-hop 192.0.2.1; every edge resolves it to Null0 and drops traffic to the victim at the ingress point

Source-based (source triggered black hole):
- Same 192.0.2.1/32 -> Null0 on every edge, plus loose uRPF on the ingress interfaces
- The NOC advertises the attacking source prefix (e.g. 192.168.1.0/24) with next-hop 192.0.2.1; the uRPF check fails for packets from that source, whose route now points to Null0, and they are dropped at the edge
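The trigger router and the edge routers of the RTBH diagram above, as an added example (not from the cheat sheet). The discard next-hop 192.0.2.1 and the example prefixes are the ones in the sheet; the AS number, the route tag, loopback addresses and interface names are assumptions.

```cisco
! Added example, not part of the original cheat sheet. AS number, tag,
! addresses and interface names are assumptions; 192.0.2.1 is the sheet's
! discard next-hop.

! ---------- Every edge router (CE/PE) ----------
ip route 192.0.2.1 255.255.255.255 Null0                  ! permanent discard next-hop
interface GigabitEthernet0/0
 description Internet-facing
 ip verify unicast source reachable-via any allow-default  ! loose uRPF: only needed for source-based RTBH
router bgp 65000
 neighbor 10.0.0.100 remote-as 65000                       ! the NOC trigger router
 neighbor 10.0.0.100 update-source Loopback0
 neighbor 10.0.0.100 route-map RTBH-IN in                  ! accept black-hole routes from the trigger only
ip prefix-list RTBH-NH seq 5 permit 192.0.2.1/32
route-map RTBH-IN permit 10
 match ip next-hop prefix-list RTBH-NH                     ! anything else from the trigger is rejected

! ---------- NOC trigger router (iBGP to the edges, never in the forwarding path) ----------
ip route 192.0.2.1 255.255.255.255 Null0                  ! makes the next-hop "reachable" for BGP
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export                                   ! never leaks to eBGP peers
route-map RTBH-TRIGGER deny 20                             ! no other static route is redistributed
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor EDGES peer-group
 neighbor EDGES remote-as 65000
 neighbor EDGES update-source Loopback0
 neighbor EDGES send-community                             ! carries the no-export
 neighbor 10.0.0.11 peer-group EDGES
 neighbor 10.0.0.12 peer-group EDGES

! Destination-based: black-hole everything TO the victim (added when the attack starts)
ip route 10.1.1.0 255.255.255.0 Null0 tag 666
! Source-based: black-hole everything FROM the attacking prefix (edges run loose uRPF)
ip route 192.168.1.0 255.255.255.0 Null0 tag 666
```

On an edge, show ip route 10.1.1.0 must resolve to 192.0.2.1 and show ip cef 10.1.1.0 to the Null0 adjacency; show ip interface GigabitEthernet0/0 | include verif confirms loose uRPF and its drop counter grows as soon as the source prefix is triggered. The inbound route-map on the edges matters: without it, whoever compromises the trigger router (or any iBGP speaker) can black-hole arbitrary prefixes across the whole network.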

IPv6 Neighbor Discovery messages

Type                    Abbr   ICMPv6   Description
Router Solicitation     RS     133      Sent by hosts to request an RA
Router Advertisement    RA     134      Originated by routers to announce their existence (prefixes, flags, default router)
Neighbor Solicitation   NS     135      Facilitates link-layer address resolution and duplicate address detection
Neighbor Advertisement  NA     136      Response to an NS
Redirect                -      137      Used by a router to inform a host of a better first hop out of the link

None of these messages is authenticated on the link (without SEND): any host can send an RA or an NA, so first-hop protection (RA Guard, ND inspection) is as necessary as DHCP snooping and DAI are in IPv4.

IPv6 deployment scenarios (campus)

Dual Stack (native)
- IPv6 native end to end: QoS end to end, IGP, multicast and HA handled natively
- IPv6-capable hardware required everywhere; no per-user / per-application control

Hybrid (ISATAP and manually configured tunnels)
- QoS marking at tunnel egress
- Single ISATAP with Anycast: no load balancing
- The core layer becomes the access layer for the IPv6 tunnels

Service Block
- Single ISATAP with Anycast: load balancing after the tunnels
- New IPv6 hardware in a dedicated block; the rest of the campus is untouched

High Availability
from http://www.sanog.org/resources/sanog14/sanog14-pareshhighavailability.pdf

Router resiliency                  Network resiliency
- Reliable hardware (high MTBF)    - Rapid failure detection
- Redundant components             - Network design
- Non Stop Routing                 - Quick convergence

IS-IS example: two level-1 areas joined by a level-2 backbone, with summarization and route leaking

Topology (Fast = FastEthernet):
  CE2 (2.2.2.2/32) --10.1.23.0/24-- CE3 (3.3.3.3/32) --10.1.34.0/24-- CE4 (4.4.4.4/32) --10.1.45.0/24-- CE5 (5.5.5.5/32)
  Area 1 (49.0100): CE2, CE3      Area 2 (49.0200): CE4, CE5
  CE3 and CE4 are L1/L2; the CE3-CE4 link is the only level-2 adjacency.

CE2
router isis
 net 49.0100.0000.0000.0002.00
 area-password IS-IS              ! cleartext area authentication; prefer "authentication mode md5" with a key chain
 metric-style wide                ! required for the tag TLV
 log-adjacency-changes
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.23.2 255.255.255.0
 ip router isis
 isis circuit-type level-1

CE3
router isis
 net 49.0100.0000.0000.0003.00
 area-password IS-IS
 metric-style wide
 log-adjacency-changes
 redistribute isis ip level-2 into level-1 route-map MatchTag5   ! leak L2 routes tagged 5 into area 1 (route-map not shown)
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
 ip router isis
interface FastEthernet0
 ip address 10.1.23.3 255.255.255.0
 ip router isis
 isis circuit-type level-1
interface FastEthernet2
 ip address 10.1.34.3 255.255.255.0
 ip router isis

CE4
router isis
 net 49.0200.0000.0000.0004.00
 metric-style wide
 log-adjacency-changes
 summary-address 5.5.0.0 255.255.0.0 tag 5   ! area 2 loopbacks summarized and tagged toward level-2
interface Loopback4
 ip address 4.4.4.4 255.255.255.255
 ip router isis
 isis tag 5
interface FastEthernet1
 ip address 10.1.45.4 255.255.255.0
 ip router isis                   ! circuit-type level-1 not configured on this side
interface FastEthernet2
 ip address 10.1.34.4 255.255.255.0
 ip router isis

CE5
router isis
 net 49.0200.0000.0000.0005.00
 metric-style wide
 log-adjacency-changes
interface Loopback5
 ip address 5.5.5.5 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.45.5 255.255.255.0
 ip router isis
 isis circuit-type level-1

Straightforward configuration
CE2#sh ip route | i ^i
i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

Summarization + leaking

CE3#sh ip route | in ^i
i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

CE4#sh ip route | in ^i
i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1
CE5#sh ip route | in ^i
i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1

OSPF example: NSSA area 202 with RIP redistribution and summarization

Topology: CE1 --10.1.12.0/24 (RIP)-- CE2 --10.1.23.0/24 (area 202 NSSA)-- CE3 --10.1.34.0/24 (area 0)-- CE4
CE1 loopbacks: 1.1.1.1/24, 2.2.2.2/24, 3.3.3.3/24 (redistributed into RIP)
CE2 = NSSA ASBR (RIP -> OSPF type 7), CE3 = NSSA ABR (type 7 -> type 5 translator)

CE1
interface Loopback1111
 ip address 1.1.1.1 255.255.255.0
interface Loopback2222
 ip address 2.2.2.2 255.255.255.0
interface Loopback3333
 ip address 3.3.3.3 255.255.255.0
router rip
 version 2
 redistribute connected route-map Loopbacks   ! route-map Loopbacks not shown
 passive-interface default
 no passive-interface FastEthernet1
 network 10.0.0.0
 no auto-summary

CE2
router rip
 version 2
 timers basic 15 45 15 60
 passive-interface default
 network 10.0.0.0
 no auto-summary
router ospf 1
 log-adjacency-changes
 area 202 nssa
 summary-address 3.0.0.0 255.0.0.0 not-advertise   ! 3.3.3.0/24 is suppressed at the ASBR
 summary-address 2.2.0.0 255.255.0.0               ! 2.2.2.0/24 advertised as 2.2.0.0/16 (type 7)
 redistribute rip metric 123 metric-type 1 subnets
 network 10.1.23.0 0.0.0.255 area 202

CE3
router ospf 1
 log-adjacency-changes
 area 202 nssa
 summary-address 10.0.0.0 255.0.0.0 not-advertise  ! drops 10.1.12.0/24 (N1) at the 7 -> 5 translation
 summary-address 1.0.0.0 255.0.0.0                 ! 1.1.1.0/24 leaves area 202 as 1.0.0.0/8 (type 5)
 network 10.1.23.0 0.0.0.255 area 202
 network 10.1.34.0 0.0.0.255 area 0

Resulting routing tables (lyo-maq-2611-01 = CE1, lyo-maq-2611-02 = CE2, lyo-maq-2811-03 = CE3):

lyo-maq-2611-01#sh ip route | i ^C
C    1.1.1.0 is directly connected, Loopback1111
C    2.2.2.0 is directly connected, Loopback2222
C    3.3.3.0 is directly connected, Loopback3333
C    10.1.12.0/24 is directly connected, Fast1

lyo-maq-2611-02#sh ip route | i ^R|^O
R    1.1.1.0 [120/1] via 10.1.12.1, Fast1
O    2.2.0.0/16 is a summary, Null0
R    2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
R    3.3.3.0 [120/1] via 10.1.12.1, Fast1
O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2

lyo-maq-2811-03#sh ip route | i ^O
O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
O    1.0.0.0/8 is a summary, Null0
O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2

CE4
router ospf 1
 network 10.1.34.0 0.0.0.255 area 0

CE4#sh ip route | i ^O
O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3

Remark: "area <id> filter-list prefix FILTER out" and "area <id> range 10.0.0.0 255.0.0.0 not-advertise" act on inter-area (type 3) routes at the ABR; external routes (type 5/7) are summarized or suppressed with summary-address on the ASBR, or on the NSSA ABR at the type 7 to type 5 translation, as above.


Tunneling & MPLS

MPLS TE - how to route a flow into a tunnel
- Static routing
- PBR
- Autoroute: the tunnel is included in the head end's SPF calculation but not advertised in the IGP; other routers are unaware of the tunnel. The default tunnel metric is the IGP metric to the tail end; relative or absolute metrics can be set (OSPF: similar to E1/E2 externals). The LSP tail end itself is always routed through the tunnel. IGP + LSP load sharing is available for destinations behind the tail end; load sharing toward the tail end itself needs 2 LSPs.
- Forwarding Adjacency: the tunnel is propagated into the IGP as a link, so other routers can use it

Inter-area / inter-domain MPLS TE
- Multi-domain LSP: each domain's core topology should be hidden from the others
- Per-domain computation: static ERO with loose next-hops (<IP edge>), or CSPF stitching (CSPF computed on each ASBR), the ERO being expanded domain by domain to hide the core topology
- Backward recursive path computation (BRPC): a tree is built from the destination PE (<PE><ASBR n> = cost X) and extended by each domain back toward the head end
- Stitching: per-domain LSPs are joined using targeted signaling
- Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP; targeted signaling required

Inter-domain VPN with Carrier Supporting Carrier (CSC)

Topology: CE1 - PE1 - CSC-CE1 - [CSC-PE1 - Backbone Provider - CSC-PE2] - CSC-CE2 - PE2 - CE2
- Outer VPN: defined on the backbone provider's CSC-PEs; carries the customer carrier's routes with labels (IPv4 + labels on the CSC-CE to CSC-PE links)
- Inner VPN: defined on PE1/PE2 and routed in vpnv4 over an MP-iBGP session between PE1 and PE2 (vpnv4 multihop e/i-BGP peering with next-hop-unchanged when the two PEs belong to different ASes)
- CE-PE route distribution is unchanged for the end customer

CSC with IGP + LDP on the CSC-CE to CSC-PE link
- IGP + local loopback on the CSC-CE; IGP + LDP on the link (interface: mpls ip)
- The CSC-PE redistributes the IGP into BGP, ipv4 address-family vrf inner, with labels

CSC with eBGP on the CSC-CE to CSC-PE link
- IGP + local loopback on the CSC-CE; eBGP with neighbor ... send-label on both sides (mpls ip not necessary on the link)
- bgp neighbor as-override when both customer carrier sites use the same AS

Inter-domain VPN option B (vpnv4 eBGP between the ASBRs; one label allocated by the ASBR)

ASBR1 (AS 1):
interface Ethernet 1/0
 mpls bgp forwarding
router bgp 1
 neighbor <ASBR2> remote-as 2
 neighbor <PEs> remote-as 1
 no bgp default route-target filter      ! keep vpnv4 routes even without a matching local VRF
 address-family vpnv4
  neighbor <PEs> activate
  neighbor <PEs> next-hop-self
  neighbor <ASBR2> activate
  neighbor <ASBR2> send-community extended

Option B1: next-hop-self method   Option B2: redistribute-connected method
eBGP side: no route-target filtering; iBGP side: next-hop-self
Caveat: with route-target filtering disabled the ASBR accepts every VPN route the other AS sends; filter inbound from <ASBR2> on route-target (and prefix count) instead of trusting the peer AS.

Inter-domain VPN option C (eBGP + send-label between the ASBRs; vpnv4 between the RRs)

Label 1 (transport): eBGP + send-label, or IGP + LDP
Label 2: VPN label

RR1 (AS 1), multihop vpnv4 eBGP to RR2 in AS 2:
router bgp 1
 neighbor <PEs> remote-as 1
 neighbor <RR2> remote-as 2
 neighbor <RR2> ebgp-multihop
 address-family vpnv4
  neighbor <PEs> activate
  neighbor <RR2> activate
  neighbor <RR2> next-hop-unchanged     ! the originating PE stays the next hop end to end

PE (AS 1):
router bgp 1
 neighbor <RR1> remote-as 1
 address-family vpnv4
  neighbor <RR1> activate

ASBR1 (AS 1): labeled IPv4 unicast toward ASBR2
interface Ethernet 1/0
 mpls bgp forwarding
router bgp 1
 neighbor <ASBR2> remote-as 2
 neighbor <RR1> remote-as 1
 address-family ipv4
  redistribute <IGP>                    ! the local PE loopbacks (/32) toward the other AS
  neighbor <ASBR2> activate
  neighbor <ASBR2> send-label
 address-family vpnv4
  neighbor <RR1> activate
router <IGP>
 network <loopback>                     ! LDP inside the AS
 redistribute bgp 1                     ! the other AS's PE loopbacks into the local IGP

Caveat: option C exposes the PE loopbacks to the other AS and label-switches its traffic straight to them; it is only acceptable between ASes under the same administration, and the redistribution must be limited to /32 PE loopbacks.

MPLS TE QoS - DiffServ tunneling modes
- Uniform: a single DiffServ domain; the EXP is copied from the DSCP at ingress and any EXP change in the core is written back into the DSCP at egress
- Pipe: the EXP value is set by the ISP and the customer's DSCP is preserved; the egress PE queues on the EXP of the label being popped
- Short pipe: as pipe, but the egress PE queues on the customer's DSCP

L2VPN
- VPWS, Virtual Private Wire Service: point to point
  - L2 protocol translation (interworking, "L2.5 VPN")
  - Targeted LDP (tLDP) session between the PEs
  - Redundancy by nominal/backup pseudowire sessions
- VPLS, Virtual Private LAN Service: point to multipoint
  - Autodiscovery with BGP
  - For Cisco: VPLS = full mesh of pseudowires between PEs
- H-VPLS
  - Full mesh between N-PEs (network-facing PEs)
  - Pseudowire between the U-PE (user-facing PE) and the N-PE
  - Redundancy with STP or pseudowire backup between U-PE and N-PE


Monitoring, Management, Performance

Troubleshooting high CPU utilization

Identify the process
- show processes cpu sorted
- show logging

Usual causes
- ARP (ARP storms, large subnets)
- BGP (table scan, bursts of updates)
- Exec (an interactive session running a long show command)
- SNMP (large bulk walks)
- NAT
- TCAM full (Catalyst 3550/...): prefixes punted to software forwarding
- IP Input: process-switched traffic; check with
  - show interfaces stats
  - show interfaces
  - show interfaces switching

QoS operation order

Inbound
1. QoS Policy Propagation through Border Gateway Protocol (QPPB)
2. Input common classification
3. Input ACLs
4. Input marking (class-based marking or Committed Access Rate (CAR))
5. Input policing (through a class-based policer or CAR)
6. IP Security (IPsec)
7. Cisco Express Forwarding (CEF) or Fast Switching
Outbound
1. CEF or Fast Switching
2. Output common classification
3. Output ACLs
4. Output marking
5. Output policing (through a class-based policer or CAR)
6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)

Multipoint WAN QoS (Frame Relay hub and spoke)
- Ingress cannot be shaped at the receiving end, so every site shapes on egress
- Remote sites: shape to 95% of their line rate
- Hub (WAN side): shape toward each remote to 95% of the smallest bandwidth on the path (FR access rate / CIR)

QoS Models (class expansion)

4-Class model        8-Class model          12-Class model
Realtime             Voice                  Voice
                     Interactive Video      Realtime Interactive
                                            Multimedia Conferencing
                     Streaming Video        Broadcast Video
                                            Multimedia Streaming
Signaling / Control  Signaling              Signaling
                     Network Control        Network Control
                                            Network Management
Critical Data        Critical Data          Transactional Data
                                            Bulk Data
Best Effort          Best Effort            Best Effort
                     Scavenger              Scavenger


Internet Edge

- DMZ: public-facing services
- Private DMZ: internal services (DNS, collaboration, HTTP) that are not directly exposed to the outside; still segmented from the inside, since unreachable from the Internet does not mean unattackable
- Infrastructure ACLs at the edge

Secure operations
- Monitor Cisco Security Advisories and Responses
- Leverage Authentication, Authorization and Accounting
- Centralize log collection and monitoring
- Use secure protocols when possible
- Gain traffic visibility with NetFlow
- Configuration management

Data plane
- General data plane hardening
- Filtering transit traffic with transit ACLs
- Anti-spoofing protections (uRPF, ingress filtering of own and private address space)
- Limiting CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN maps and port access control lists
- Using Private VLANs

Management plane
- General management plane hardening: password management, restrict protocols, use secure protocols, exec-timeout, event detection (memory and CPU thresholds)
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Using Authentication, Authorization and Accounting
- Fortifying SNMP
- Logging best practices
- Cisco IOS Software configuration management

Control plane
- General control plane hardening: filter ICMP, fragments and source-routed packets; disable proxy ARP
- Limiting CPU impact of control plane traffic: filter fragments and non-IP traffic, rate-limit ICMP unreachables, police what reaches the route processor (CoPP)
- Securing BGP (TCP MD5, TTL security, prefix limits and filters)
- Securing Interior Gateway Protocols (authentication, passive interfaces)
- Securing First Hop Redundancy Protocols (authentication)
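An Internet-edge router hardened along the three planes listed above, as an added example (not from the cheat sheet or from Cisco's hardening guide). The addresses (192.0.2.0/24 as the infrastructure block, 203.0.113.0/24 as the customer space, 10.99.0.0/24 as the NOC), AS numbers, interface names and every "-ChangeMe" string are assumptions or placeholders.

```cisco
! Added example, not part of the original cheat sheet: an Internet-edge
! router hardened along the three planes above. Addresses, AS numbers,
! interface names and every "-ChangeMe" string are assumptions/placeholders.
! ===== Management plane =====
enable secret Enable-ChangeMe                 ! never "enable password" (type 7)
no ip http server
ip domain-name example.net                    ! then in exec mode: crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.99.0.5 key Tacacs-ChangeMe
username noc-fallback privilege 15 secret Local-ChangeMe
ip access-list standard MGMT-HOSTS             ! the only network allowed to manage the box
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh                          ! no telnet
 access-class MGMT-HOSTS in
 exec-timeout 10 0
snmp-server view SNMP-RO iso included
snmp-server group NOC v3 priv read SNMP-RO access MGMT-HOSTS
snmp-server user nocuser NOC v3 auth sha SnmpAuth-ChangeMe priv aes 128 SnmpPriv-ChangeMe
logging host 10.99.0.10
ntp authenticate
ntp authentication-key 1 md5 Ntp-ChangeMe
ntp trusted-key 1
ntp server 10.99.0.20 key 1
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
! ===== Control plane =====
no ip source-route
ip icmp rate-limit unreachable 1000           ! at most one unreachable per second
router bgp 65000
 neighbor 192.0.2.2 remote-as 200
 neighbor 192.0.2.2 password Bgp-ChangeMe     ! TCP MD5 on the session
 neighbor 192.0.2.2 ttl-security hops 1       ! GTSM: only a directly connected sender arrives with TTL 255
 neighbor 192.0.2.2 maximum-prefix 900000 90  ! shut the session on a full-table leak
 neighbor 192.0.2.2 prefix-list BOGONS-IN in
ip prefix-list BOGONS-IN seq 5 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 10 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS-IN seq 15 deny 203.0.113.0/24 le 32    ! our own space must never come in
ip prefix-list BOGONS-IN seq 20 deny 0.0.0.0/0 ge 25         ! nothing longer than /24
ip prefix-list BOGONS-IN seq 25 permit 0.0.0.0/0 le 24
interface GigabitEthernet0/1
 ip ospf authentication message-digest        ! IGP authenticated toward the inside
 ip ospf message-digest-key 1 md5 Ospf-ChangeMe
 standby 1 authentication md5 key-string Hsrp-ChangeMe
! CoPP: what the route processor may receive, and at what rate
ip access-list extended COPP-ROUTING
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 10.99.0.0 0.0.0.255 any eq 22
 permit udp 10.99.0.0 0.0.0.255 any eq snmp
 permit udp host 10.99.0.20 eq ntp any
ip access-list extended COPP-UNDESIRABLE
 permit ip any any fragments                  ! non-initial fragments never carry control traffic
class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT
class-map match-any COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
policy-map COPP
 class COPP-UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit   ! never drop, only count
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class class-default                          ! ICMP, ARP and everything else
  police 100000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
! ===== Data plane =====
ip access-list extended INFRA-ACL-IN
 deny   ip 203.0.113.0 0.0.0.255 any          ! anti-spoofing: our space never arrives from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip any 192.0.2.0 0.0.0.255 fragments  ! fragments aimed at infrastructure addresses
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big   ! keep PMTUD working
 deny   ip any 192.0.2.0 0.0.0.255            ! 192.0.2.0/24 = router and link addresses (assumption)
 permit ip any 203.0.113.0 0.0.0.255          ! transit toward customer space
 deny   ip any any
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group INFRA-ACL-IN in
 ip verify unicast source reachable-via any   ! loose uRPF on the transit side
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx    ! strict uRPF where routing is symmetric
```

Check it with show policy-map control-plane (the COPP-UNDESIRABLE and class-default drop counters are the interesting ones), show ip bgp neighbors 192.0.2.2 | include TTL|prefix and show ip interface GigabitEthernet0/0 | include verif. The CoPP rates are starting points to be tuned from the conform/exceed counters on the real box, not universal values.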

Everyone wants to live on top of the mountain, but all the happiness and growth occurs while you're climbing it.