January 22, 2017 | Author: veracespedes | Category: N/A
Download IPexpert's Cisco CCIE R&S (v4) Written Exam Video on Demand Slides...
IPexpert’s CCIE R&S Written Video on Demand Series
Instructor: Piotr Kałużny, CCIE #25665
© IPexpert, Inc.
The Blueprint
• Implement Layer 2 Technologies
• Implement IPv4
• Implement IPv6
• Implement MPLS Layer 3 VPNs
• Implement IP Multicast
• Implement Network Security
• Implement Network Services
• Implement Quality of Service (QoS)
• Troubleshoot a Network
• Optimize the Network
• Evaluate proposed changes to a Network
Rev. 1700 IPexpert’s CCIE R&S Written VoD Series
2
© IPexpert, Inc.
The Quiz
• Each section ends with a Quiz (15 questions)
• The Final Quiz contains 50 questions
• Answers should be separated by a space and always put in alphabetical order. Watch out for white spaces:
  - OK: „a b”, „b e”, „c d”
  - WRONG: „b a”, „be”, „ c d”
Thank You!
IPexpert’s CCIE R&S Written VoD Series 1.0 Implement Layer 2 Technologies
1.01 Implement Spanning Tree (STP)
STP
• Spanning Tree Protocol (802.1D)
• Used to ensure a loop-free topology in a L2 domain
• Builds the active physical topology
• Redundant paths are blocked
[Figure: STP Example – switches S1, S2 and S3 with an ARP frame]
Operations of STP
• Bridge Protocol Data Units (BPDUs) are simply STP packets
• BPDUs are initially sent out of all enabled interfaces
• Two types of BPDUs:
  1. Hello BPDUs (used in STP operations)
  2. TCN BPDUs (used in STP reconvergence)
• The STP algorithm is a 3-step process:
  1. Root Bridge election
  2. Root Port is chosen
  3. Designated Ports are chosen
Operations of STP – Root Bridge
• One Root per VLAN (PVST+)
• Bridge ID = (Priority + System ID).MAC
• spanning-tree extend system-id cannot be disabled
• Each switch initially advertises its own Bridge ID as the Root Bridge ID
• Only lower Bridge-ID Hellos are forwarded (Superior BPDUs)
• All Root Bridge ports are placed into the forwarding state
Operations of STP – Root Port
• Lowest-cost path to the Root Bridge
• Path cost = cost carried in the received BPDU + the receiving interface’s cost
• There is only one Root Port per device
Operations of STP – Designated Ports
• Only one switch is allowed to forward into a segment
• The switch port advertising the lowest-cost Hello becomes the DP
• A Root Port can be considered an upstream port
• A Designated Port can be considered a downstream port
• Both ports are bidirectional when forwarding traffic
• All other inter-switch ports are blocked
• Host ports are forwarding
Operations of STP – Tie breakers
• Root Port and Designated Port selection use the lowest path cost as the reference
• What if costs are the same for multiple links?
• Tie breakers:
  1. Lowest sender Bridge ID. If it is the same on multiple ports, those ports connect to the same switch
  2. Lowest sender Port ID (Priority.Port_Nr)
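Added example (not from the slides or from IPexpert): a Python decoder for the 802.1D configuration BPDU together with the comparison logic that the Root Bridge, Root Port and tie-breaker slides describe. The 35-byte BPDU layout and the Bridge ID split (4-bit priority, 12-bit system-id extension, MAC) are the standard’s; the switch MACs, port numbers and the interface cost of 19 are constructed for the illustration, and using the local port name as the last tie breaker stands in for the standard’s receiving Port ID.

```python
import struct
from dataclasses import dataclass

# 802.1D Configuration BPDU body, 35 bytes, big-endian:
#   Protocol ID (2) | Version (1) | Type (1) | Flags (1) | Root ID (8) | Root Path Cost (4)
#   Bridge ID (8) | Port ID (2) | Message Age (2) | Max Age (2) | Hello Time (2) | Forward Delay (2)
BPDU_FMT = "!HBBBQIQHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35
TYPE_CONFIG = 0x00
FLAG_TC = 0x01    # Topology Change, set by the Root for MaxAge + Forward Delay
FLAG_TCA = 0x80   # Topology Change Acknowledgement, set by the upstream switch


@dataclass(frozen=True)
class Bpdu:
    flags: int
    root_id: int          # 64-bit (Priority + System ID).MAC of the claimed Root; lower wins
    root_path_cost: int   # sender's cost to that Root
    bridge_id: int        # sender's own Bridge ID
    port_id: int          # sender's Port ID = port priority (high byte) . port number
    max_age: int          # seconds
    hello_time: int       # seconds
    forward_delay: int    # seconds


def bridge_id_from_parts(priority: int, vlan: int, mac: str) -> int:
    """Bridge ID = (Priority + System ID).MAC. With extend system-id the 16-bit
    priority field is a 4-bit priority (multiples of 4096) plus the 12-bit VLAN number."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan <= 4095:
        raise ValueError("system-id extension must fit in 12 bits")
    return ((priority + vlan) << 48) | int(mac.replace(":", ""), 16)


def describe_bridge_id(bid: int) -> tuple:
    """Split a 64-bit Bridge ID into (priority, system-id extension, MAC string)."""
    prio_field, mac = bid >> 48, bid & 0xFFFFFFFFFFFF
    mac_str = ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    return ((prio_field >> 12) * 4096, prio_field & 0x0FFF, mac_str)


def build_bpdu(root_id: int, cost: int, bridge_id: int, port_id: int, flags: int = 0,
               max_age: int = 20, hello: int = 2, fwd_delay: int = 15) -> bytes:
    """Encode a configuration BPDU; timer fields travel in units of 1/256 s."""
    return struct.pack(BPDU_FMT, 0, 0, TYPE_CONFIG, flags, root_id, cost, bridge_id,
                       port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)


def parse_bpdu(data: bytes) -> Bpdu:
    if len(data) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root_id, cost, bridge_id, port_id,
     _msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or version != 0 or btype != TYPE_CONFIG:
        raise ValueError("not an 802.1D configuration BPDU")
    return Bpdu(flags, root_id, cost, bridge_id, port_id,
                max_age // 256, hello // 256, fwd_delay // 256)


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """A BPDU is superior when its (Root ID, Root Path Cost, Sender Bridge ID,
    Sender Port ID) tuple is lower; this one comparison drives root election,
    root port choice and the tie breakers."""
    return ((a.root_id, a.root_path_cost, a.bridge_id, a.port_id)
            < (b.root_id, b.root_path_cost, b.bridge_id, b.port_id))


def choose_root_port(received: dict) -> str:
    """received maps a local port name to (Bpdu heard on it, that port's own STP cost).
    Root Port = lowest (BPDU cost + receiving interface cost); ties go to the lowest
    sender Bridge ID, then the lowest sender Port ID. The local port name is a
    stand-in for the standard's final tie breaker (the receiving Port ID)."""
    def key(item):
        name, (bpdu, if_cost) = item
        return (bpdu.root_path_cost + if_cost, bpdu.bridge_id, bpdu.port_id, name)
    return min(received.items(), key=key)[0]
```

Feeding the decoder two Hellos that carry the same Root and the same cost but different sender Port IDs shows the second tie breaker doing its work: the port that hears Port ID 0x8001 becomes the Root Port over the one hearing 0x8002.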
[Figure: Example STP Topology]
STP Interface States
• Ports don’t transition immediately
• There are five STP interface states:
  1. Disabled – does not participate in STP
  2. Blocking – does not forward traffic, only receives BPDUs
  3. Listening – does not forward traffic, sends & receives BPDUs
  4. Learning – does not forward traffic, sends & receives BPDUs, populates the CAM
  5. Forwarding – forwards traffic, sends & receives BPDUs, populates the CAM
STP Timers
• STP timers are set by the Root Bridge for the entire domain (sent in Hellos):
  - Hello timer says how often BPDUs are sent (2 seconds by default)
  - Forward Delay determines how long the Listening and Learning phases last (15 seconds by default)
  - MaxAge is a kind of hold-time for BPDUs (20 seconds by default) – how long to keep ports in the blocking state when BPDUs are not received
• Each switch port keeps a copy of the last Superior BPDU received
[Figure: Stable STP Topology]
STP Reconvergence
• There are two types of link failures:
  1. Direct change (MaxAge is NOT involved)
  2. Indirect change (MaxAge is involved)
• Blocking ports pretty much don’t count
• If the Root Port fails, the STP algorithm starts again: blocked ports are moved into the Listening state, BPDUs are sent, etc.
• If a Designated Port fails, a TCN BPDU is generated (which always goes upstream, towards the Root). The next upstream device acknowledges it (the TCA bit is set in the next forwarded Hello)
STP Reconvergence – cont.
• The TCN/TCA process then starts over: another TCN BPDU is generated, now by this upstream switch, the next „upper” device sends a TCA, and so on
• When the TCN frame finally reaches the Root, the next several Hellos will have the Topology Change bit set (TC flag). The TC bit is kept set for MaxAge + Forward Delay
• All switches that receive a BPDU with the TC flag set shorten their CAM table aging time from the default 300 seconds to the Forward Delay value (15 seconds by default)
• This prevents CAM table corruption. It does not say what happened, only that something happened (like Lassie)
[Figure: STP Reconvergence Example – S1 (Root), S2, S3, S4, PC1, PC2; ports labelled D (Designated), RP (Root Port) and B (Blocking)]
STP Reconvergence – cont.
• When a port goes into the forwarding state, a TCN BPDU is generated, but only when the switch has at least one DP
• A direct topology change takes 30 seconds by default (Listening + Learning)
• An indirect change takes 50 seconds by default (MaxAge + Listening + Learning)
STP Configuration
STP Configuration
• Disable an STP instance:
  no spanning-tree vlan vlan_nr
• Root Bridge:
  spanning-tree vlan vlan_nr root primary
• Secondary (possible backup) Root Bridge:
  spanning-tree vlan vlan_nr root secondary
STP Configuration - Traffic Engineering
• STP cost:
  spanning-tree cost cost
• Port priority:
  spanning-tree port-priority priority
Configuration Verification
show spanning-tree [detail|root] - Displays STP information
show spanning-tree vlan - Displays STP information for a specified VLAN
STP Optimizations
STP Optimizations
• Built-in to RSTP
• In STP, depending on the Layer 2 domain size, convergence may take even more than a minute
• PortFast
• UplinkFast
• BackboneFast
PortFast
STP Optimizations - PortFast
• Used on ports connected to end devices
• Listening and Learning states are bypassed
• TCN BPDUs are NOT generated
• Can also be enabled on trunks – for example on ports connected to an ASA or IPS
PortFast Configuration
PortFast Configuration
• Per-interface:
  spanning-tree portfast [trunk]
• Globally on all non-trunking interfaces:
  spanning-tree portfast default
Configuration Verification
show spanning-tree interface portfast - Shows if PortFast is enabled on an interface
show spanning-tree summary - Displays the summary of port states of the STP section
UplinkFast
STP Optimizations - UplinkFast
• Should be used on access-layer switches with redundant uplinks
• Accelerates election of a new Root Port
• Listening and Learning phases are bypassed
• Dummy multicast frames are generated that allow all switches to update their CAMs
• Alternate Ports are non-Root-Port interfaces where Root Hellos are received
[Figure: UplinkFast example]
UplinkFast Configuration
UplinkFast Configuration
• Global command:
  spanning-tree uplinkfast
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section
BackboneFast
STP Optimizations - BackboneFast
• An Inferior BPDU contains either a worse (higher) Bridge ID or, if the Bridge IDs are the same, a higher Root Path Cost
• Inferior BPDUs are generated in two conditions:
  1. The Root Port failed on the upstream switch
  2. The designated switch’s Root Path Cost increased
• BackboneFast is used to optimize convergence for indirect failures, taking the MaxAge time out of the equation
• Only triggered by the reception of an Inferior BPDU from a designated (upstream) switch
STP Optimizations - BackboneFast
• When the first Hello goes missing and an Inferior BPDU has been received on a non-designated port, a Root Link Query (RLQ) Request is sent on all non-designated ports except the one the Inferior BPDU was received on
• If an RLQ Response confirms the switch can still reach the Root Bridge via a particular port, MaxAge is bypassed on the port that received the Inferior BPDU. This port will eventually go into blocking or forwarding, since the usual STP rules apply
• If the RLQ Response for a port comes back negative, the BPDU is aged out on this port and it goes into the Listening state
• In case all RLQ Responses suggest a different Root, STP runs from scratch
[Figure: BackboneFast Example – S1 (Root), S2, S3; RLQ Request and RLQ Response shown; ports F0/1 (B), F0/2 (RP), F0/3 (B), remaining ports D and RP]
BackboneFast Configuration
BackboneFast Configuration
• Global command:
  spanning-tree backbonefast
Configuration Verification
show spanning-tree backbonefast - Displays STP BackboneFast status
show spanning-tree summary - Displays the summary of port states of the STP section
RSTP
RSTP (802.1w)
• Rapid convergence
• PortFast, UplinkFast and BackboneFast are built-in
• Can inter-operate with older (802.1D) switches
• Point-to-point links are required for fast convergence. The link type is learned from the duplex mode
• RSTP differentiates between Port States and Port Roles
RSTP Port States
• Only three Port States are available in RSTP:
  1. Discarding (replaces Blocking)
  2. Learning
  3. Forwarding
• No Listening and Disabled states
• In 802.1D, "blocking" could mean either the state OR the process
• For example, data packets were dropped in the Listening and Learning phases
RSTP Port Roles
• Five Port Roles are available in RSTP:
  1. Disabled (which was a state in 802.1D)
  2. Root Port
  3. Designated Port
  4. Alternate Port
  5. Backup Port
• A Disabled port does not participate in STP
• An Alternate Port is a non-Root port that receives Root BPDUs
• A Backup Port is a non-Root port that receives Root BPDUs from its own switch
[Figure: RSTP Alternate Port]
[Figure: RSTP Backup Port]
RSTP Convergence
• Each switch generates BPDUs every 2 seconds
• BPDUs serve as keepalives – if 3 are missed, a port transition occurs
• RSTP convergence works on a link-by-link basis
• Proposal-Agreement mechanism
• Proposals are sent down the DPs, Agreements are sent out of the RPs
• Only non-edge ports moving to the forwarding state cause the switch to generate a Topology Change
RSTP Convergence – cont.
• In RSTP, ports start as Designated Ports in the Discarding state (which corresponds to the 802.1D Listening state). This way only BPDUs can be exchanged between the switches
• If a Superior BPDU is received on a port, a reconfiguration is triggered
• If a received Proposal has been agreed to, some ports are forced to synchronize
• Only the following ports will be synchronized:
  1. Ports in the Discarding state
  2. Edge Ports
[Figure: RSTP Convergence Example – S1 (lowest Bridge ID), S2, S3, S4; ports F0/0, F0/1, F0/2, F0/3]
RSTP Configuration
RSTP Configuration
• RSTP mode:
  spanning-tree mode rapid-pvst
• RSTP link type:
  spanning-tree link-type [point-to-point|shared]
• The rest of the commands are the same as with 802.1D
Configuration Verification
show spanning-tree - Displays STP information
MSTP
MSTP (802.1s)
• Multiple Spanning Tree Protocol; uses RSTP in its operations
• Allows mapping several VLANs into one STP instance
• Reduces CPU and memory burden
• Networks usually don’t need more than a few active physical topologies
[Figure: MSTP Logic Example – S1, S2, S3 connected by Link #1 and Link #2; MST #1 = VLANs 1-400, MST #2 = VLANs 401-800]
MSTP Region
• A single MSTP Region is a collection of interconnected switches that have the same MST configuration
• A hash of the VLAN-to-instance mappings is sent to the neighbor along with the revision number and the region name
• Upon reception, the neighboring device calculates its own hash (based on its local configuration); if the digests match, the devices are in the same MSTP Region
• The MSTP configuration consists of three attributes:
  1. Region name
  2. Revision number
  3. Mapped VLAN range
[Figure: MSTP Region Example]
MSTP Configuration
MSTP Configuration
• Enable MSTP:
  spanning-tree mode mst
• Enter MSTP configuration mode:
  spanning-tree mst configuration
• Region name, revision number & mappings:
  name region_name
  revision rev_nr
  instance inst_nr vlan vlans
• The rest of the commands are pretty much like with STP; just remember to use the mst keyword
Example MSTP Configuration
spanning-tree mst configuration
 name REGION_1
 revision 5
 instance 1 vlan 10, 11, 12
 instance 2 vlan 20, 21, 22
spanning-tree mst 0-1 root primary
spanning-tree mst 2 root secondary
interface FastEthernet 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12,20,21,22
Configuration Verification
show spanning-tree mst configuration - Displays the MSTP region configuration
show spanning-tree mst inst_id - Displays MSTP information for a specified region
Loop Guard
Loop Guard
• Protects against Layer 2 loops
• Unidirectional links may „drop” BPDUs
• Normally, without Loop Guard, the port transitions to forwarding after MaxAge + 2x Forward Delay, potentially causing loops
• With Loop Guard enabled, after MaxAge expires the port is moved into the loop-inconsistent state, and the loop is avoided
• Once BPDUs start flowing again, the port falls back to the STP blocking state
[Figure: Loop Guard Example – Root, S1, S2, S3 with BPDU flows on each link; ports labelled D and RP, Loop Guard on the blocking (B) port of S3]
Loop Guard Summary & Interoperability
• Loop Guard summary:
  - Works on non-designated ports, not allowing them to become DPs
  - After MaxAge expires the port moves into the loop-inconsistent state
  - Ports are blocked on a per-VLAN basis
  - Protects against software failures (e.g. BPDUs are not generated)
• Loop Guard interoperability with other features:
  - Cannot be enabled on PortFast ports
  - Mutually exclusive with Root Guard (Root Guard works on designated ports, preventing them from becoming non-designated)
Loop Guard Configuration
Loop Guard Configuration
• Per-interface:
  spanning-tree guard loop
• Globally, on all Root and Alternate/Blocking ports:
  spanning-tree loopguard default
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section
UDLD
UDLD
• Protects against Layer 2 loops when a unidirectional link has been detected (traffic can only flow one way)
• Works along with L1 auto-negotiation
• Auto-negotiation takes care of Layer 1, whereas UDLD is responsible for Layer 2
• Periodic Hellos are sent out of every UDLD-enabled interface
• If the Hello is echoed back, the link is fully operational
UDLD Operations
• UDLD works for both copper and fiber links
• Two modes of operation are available:
  1. Normal mode (informational purposes)
  2. Aggressive mode (can put an interface into the err-disabled state)
• UDLD overlaps with Loop Guard
• UDLD is more flexible for unidirectional links
• Only failed links are disabled
UDLD Summary
• Detects unidirectional links
• Per-port granularity (Loop Guard offers per-VLAN function)
• Enabled on all redundant links
• Can auto-recover using the errdisable feature
• Does NOT protect against STP failures caused by problems in software
UDLD Configuration
UDLD Configuration
• Fiber optic interfaces, normal mode:
  udld enable
• Fiber optic interfaces, aggressive mode:
  udld aggressive
• Copper interfaces:
  udld port [aggressive]
• Remember that both ends of the link must have UDLD enabled to make it work
Configuration Verification
show udld - Displays operational status of UDLD
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section
BPDU Guard
BPDU Guard
• Used to terminate the STP domain
• Devices behind ports with BPDU Guard enabled are not able to influence the STP topology
• Enabled globally, it works on all PortFast ports
• Enabled on an interface, it works only on that port
• When a BPDU is received, the interface is put into the errdisabled state
BPDU Guard Configuration
BPDU Guard Configuration
• Globally, on all PortFast ports:
  spanning-tree portfast bpduguard default
• Per-interface:
  spanning-tree bpduguard enable
• Re-enabling a port:
  shut
  no shut
• Auto-recovery:
  errdisable recovery cause bpduguard
Configuration Verification
show spanning-tree detail - Displays detailed information about STP
show spanning-tree summary - Displays the summary of port states of the STP section
Root Guard
Root Guard
• Activates only when a Superior BPDU is received
• Once a Superior BPDU is received, the interface is put into the root-inconsistent state (which corresponds to the STP Listening phase)
• When Superior BPDUs cease to be received, the port moves back into the STP forwarding state
• Root Guard should be enabled on the Designated Ports
• Remember to activate this feature on all the devices where a rogue switch may connect
[Figure: Root Guard Example – Root, S1, S2, S3, PC1, PC2; ports labelled D and RP; Root Guard shown at S3]
Root Guard Caveats
• When enabled, applies to all the VLANs the interface belongs to
• It is not possible to enable Root Guard and Loop Guard on the same port
• Should not be enabled on interfaces that are used by the UplinkFast feature
Root Guard Configuration
Root Guard Configuration
• Per-interface:
  spanning-tree guard root
Configuration Verification
show spanning-tree interface detail - Displays detailed information about STP
Storm Control
Storm Control
• Also known as traffic suppression
• Can be configured for three traffic types separately: unicast, multicast, broadcast
• Counts the number of packets of a specified type received within a 1-second interval. The measurements are compared to the defined threshold
• Traffic above the threshold will be dropped
• The multicast threshold does not block L2 control traffic like BPDUs or CDP frames
Storm Control Configuration
Storm Control Configuration
• Per-interface:
  storm-control {broadcast|multicast|unicast} level {level | bps bps | pps pps}
Configuration Verification
show storm-control [interface] - Displays the storm-control suppression levels set on the interfaces
Unicast Flooding
Unicast Flooding
• L2 switches don’t have routing tables; they use the CAM for traffic forwarding
• If there is no entry in the CAM, the frame will be flooded out of all ports except the one it was received on
• Limited flooding is part of the normal switching process
• Increased unicast flooding may suggest network abnormalities. Common reasons for flooding are:
  1. Asymmetric routing
  2. STP topology changes
  3. CAM table overflow
[Figure: Asymmetric Routing Example – VLAN 10 and VLAN 20; PC1, PC2, R1, R2, S1 and S2 joined by a trunk; ARP timeout = 4 hours, CAM aging = 5 minutes (ARP >> CAM)]
Unicast Flooding Configuration
Unicast Flooding Configuration
• Per-interface:
  switchport block unicast
• Commonly used with the Port Protection feature
Configuration Verification
show interface switchport - Displays operational status of a switching port
1.02 Implement VLAN and VLAN Trunking Protocol (VTP)
VLANs
• VLAN = Layer 2 network = broadcast domain
• A Virtual LAN is just a subset of switch ports that are in the same broadcast domain
• VLANs can span across many switches
• Traffic does not leak between VLANs by default
• We have two ways to enable inter-VLAN communication:
  1. Bridge VLANs in Layer 2
  2. Route between VLANs
[Figure: VLAN Example – 1 subnet, 2 VLANs: hosts H1-H4 in 10.1.1.0/24, split between VLAN 10 and VLAN 20; ARP exchanges shown]
[Figure: VLAN Example – 1 VLAN, 2 subnets: VLAN 10 with H1 10.1.1.1/24 and H2 10.2.2.2/24; GW1 10.1.1.10/24 (PRI) / 10.2.2.10/24 (SEC), GW2 10.2.2.20/24 (PRI); H1 static routes: 10.1.1.0/24 -> Connected, 0.0.0.0/0 -> 10.1.1.10]
Switching Logic
• Separate CAM (Content Addressable Memory) for each VLAN. The CAM is populated from the source MACs of learned frames (note that multicasts and broadcasts should never be learned)
• If there is no CAM entry for a particular L2 destination, traffic will be flooded out of all ports except the one the frame was received on. Moreover, such flooding will occur for ALL broadcast and multicast frames (no CAM entries)
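Added example (not from the slides or from IPexpert) covering both the Unicast Flooding and the Switching Logic slides: a small transparent-bridge model in Python with one CAM per VLAN, source-MAC learning that skips group addresses, unknown-unicast flooding and MAC aging. Port names, MAC addresses and timestamps are constructed; the 300-second default aging and the 15-second value used after a Topology Change are the ones the slides give.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING = 300   # seconds; a TC-flagged BPDU drops this to Forward Delay (15 s)


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs: the I/G bit (LSB of the first octet) is set.
    A switch never learns such an address as a source."""
    return int(mac.split(":")[0], 16) & 0x01 == 0x01


class Switch:
    """One CAM per VLAN, keyed by (vlan, mac) -> (port, time last seen)."""

    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans     # port name -> set of VLANs the port carries
        self.aging = DEFAULT_AGING
        self.cam = {}

    def set_aging(self, seconds: int) -> None:
        """What a switch does on receiving a BPDU with the TC flag set (shorten to Forward Delay)."""
        self.aging = seconds

    def _expire(self, now: float) -> None:
        self.cam = {k: v for k, v in self.cam.items() if now - v[1] < self.aging}

    def _flood_ports(self, ingress: str, vlan: int) -> list:
        # Every port in the frame's VLAN except the one it arrived on
        return sorted(p for p, vlans in self.port_vlans.items() if vlan in vlans and p != ingress)

    def receive(self, ingress: str, vlan: int, src: str, dst: str, now: float) -> tuple:
        """Process one frame; returns (decision, list of egress ports)."""
        if vlan not in self.port_vlans.get(ingress, set()):
            raise ValueError(f"{ingress} does not carry VLAN {vlan}")
        self._expire(now)
        if not is_group_address(src):
            self.cam[(vlan, src)] = (ingress, now)            # learn or refresh the source
        if is_group_address(dst):
            return ("flood", self._flood_ports(ingress, vlan))  # broadcast/multicast: no CAM lookup
        entry = self.cam.get((vlan, dst))
        if entry is None:
            return ("flood", self._flood_ports(ingress, vlan))  # unknown unicast
        if entry[0] == ingress:
            return ("filter", [])                               # destination sits on the ingress segment
        return ("forward", [entry[0]])
```

Replaying a host that stays silent for longer than the CAM aging time reproduces the asymmetric-routing slide: its entry disappears after 300 s while its neighbours’ ARP caches (4 hours) still point at it, so the next unicast to it is flooded within the VLAN.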
VLAN Configuration
VLAN Configuration
• Access port:
  switchport mode access
  switchport access vlan vlan_nr
• VLAN database:
  vlan vlan_nr
Configuration Verification
show vlan [brief] - Displays parameters for all configured VLANs
show mac-address-table - Displays CAM table entries
VLAN Trunking Protocol (VTP)
VTP
• Advertises VLAN information to other switches
• Only the VLAN number and its name are advertised – port-to-VLAN assignments are NOT
• VTP messages are only sent over trunk links
• There are three VTP modes:
  1. Server – generates & processes VTP updates
  2. Client – processes & forwards VTP updates
  3. Transparent – forwards VTP updates but does not process them
VTP Operations
• Summary Advertisements are sent every 5 minutes
• They contain the VTP domain name and revision number
• If the revision number in the update is higher, an Advertisement Request is sent to request the VLAN list
• A VTP Advertisement is sent when:
  1. The switch has been reset
  2. The VTP domain name has been changed
  3. The device received a Summary Advertisement with a higher revision number
VTP Operations – cont.
• Summary Advertisements are also triggered whenever a VLAN is added, deleted or updated
• In such a case the Summary Advertisement is followed by several Subset Advertisement messages (that contain the VLAN information)
• VTP messages can be processed only when the VTP domain name & password (if any) match. Otherwise the trunk may not even come up (if DTP is used)
• The VLAN configuration is stored in the vlan.dat file
• To reset the revision number, change the VTP domain name to something else and then back to the original name
VTP Pruning
• Some VLANs may exist on only part of the switches
• This may result in forwarding unnecessary traffic
• VTP dynamically determines which switches have no ports assigned to a specific VLAN and are not in the transit path for it
• VTP pruning is enabled on a VTP Server for the entire domain
• VLANs 1 and 1002-4094 are prune-ineligible
[Figure: VTP Pruning Example – S1 to S5; H1 and H2 in VLAN 10; a broadcast packet from H1]
VTP Configuration
VTP Configuration
• VTP mode:
  vtp mode client|server|transparent
• VTP domain name:
  vtp domain domain_name
• VTP authentication (MD5):
  vtp password password
• VTP pruning:
  vtp pruning
Example VTP Configuration
vtp domain IPexpert.com
vtp password cciers
vtp mode server
Configuration Verification
show vtp status - Displays general information about VTP
show interface pruning - Displays information about VTP Pruning on a particular interface
1.03 Implement trunk and trunk protocols, EtherChannel, and load-balance
Trunking
• VLANs can span across multiple switches
• Since traffic from many VLANs can be carried over a trunk, frames must somehow be identified
• There are two trunking protocols that can be used for this:
• ISL
• 802.1Q
ISL
• Cisco proprietary
• Encapsulates the entire frame with a new 26-byte header (which contains the VLAN tag)
• A new trailer allows the CRC to be recalculated
• The source MAC in this new header is set to the sending switch port’s MAC
• The destination is a multicast address of the ISL group the receiver belongs to
802.1Q
• Open standard
• Inserts a 4-byte tag into the frame (802.1Q tag)
• The first two bytes are set to 0x8100 (Type field)
• The two remaining bytes contain:
  - Priority field, used for QoS (3 bits)
  - Flag, used for compatibility with Token Ring (1 bit)
  - VLAN ID (12 bits)
• Uses the concept of a Native VLAN that encompasses the following frames:
  - Received on an access VLAN equal to the Native VLAN
  - Untagged frames
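Added example (not from the slides or from IPexpert): a Python encoder/decoder for the 4-byte 802.1Q tag described above, plus the ingress classification a trunk port applies, where an untagged frame lands in the Native VLAN. The field layout (0x8100 type, 3-bit priority, 1-bit flag, 12-bit VLAN ID) is the standard’s; the frame bytes are constructed. Placing priority-tagged frames (VLAN ID 0) in the Native VLAN follows the standard and is not stated on the slides.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier: the "Type" bytes that announce an 802.1Q tag
ETH_ADDRS_LEN = 12    # destination MAC (6) + source MAC (6)


def parse_frame(frame: bytes) -> dict:
    """Decode the tag of an Ethernet frame. Tag = TPID (2 bytes) + TCI (2 bytes),
    TCI = priority (3 bits) | CFI flag (1 bit) | VLAN ID (12 bits)."""
    if len(frame) < ETH_ADDRS_LEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # No tag: these two bytes are the ordinary EtherType/length field
        return {"tagged": False, "ethertype": tpid, "payload": frame[14:]}
    if len(frame) < ETH_ADDRS_LEN + 6:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "pcp": tci >> 13, "cfi": (tci >> 12) & 0x1,
            "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert a tag after the source MAC, as a switch does when sending a frame out a trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as done when a frame leaves through an access port."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a frame received on an 802.1Q trunk belongs to: untagged frames, and
    priority-tagged frames carrying VLAN ID 0, are placed in the Native VLAN."""
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] == 0:
        return native_vlan
    return info["vid"]
```

Tagging a broadcast ARP frame for VLAN 10 with priority 5 produces the bytes 81 00 a0 0a immediately after the source MAC, and stripping the tag returns the original frame unchanged.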
DTP
• Trunk links can be either statically configured or negotiated
• DTP is a Cisco proprietary point-to-point protocol that was designed for two things:
  - Negotiation of a trunk
  - Negotiation of the trunking encapsulation
• Negotiated trunks are always bi-directional
• Manual configuration may result in inconsistencies
• DTP will always try to negotiate ISL first
• Routers DON’T support DTP
[Table: Switchport Mode Combinations]
Trunking Configuration
Trunking Configuration
• Switchport mode:
  switchport mode [access|trunk|dynamic auto|dynamic desirable]
• Manual trunking encapsulation:
  switchport trunk encapsulation [dot1q|isl]
• Native VLAN:
  switchport trunk native vlan vlan_nr
• Disable DTP:
  switchport trunk nonegotiate
• Allowed VLANs:
  switchport trunk allowed vlan vlan1,vlan2 …
Example Trunking Configuration
int f0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk nonegotiate
 switchport trunk native vlan 10
Configuration Verification
show int trunk - Displays interface trunk information
show int switchport - Displays operational status of a switching port
show dtp - Displays Dynamic Trunking Protocol information
Configuration Verification Example #1
Cat2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    802.1q         trunking      1
Gi0/2       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1-3,10
Gi0/2       1-3,10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1-3,10
Gi0/2       1-3,10
Configuration Verification Example #2
Cat2#show interface f0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
EtherChannel
• Allows grouping physical interfaces and treating them as a single logical link (called a PortChannel)
• The two main purposes of this feature are:
  - Increasing available bandwidth
  - Providing redundancy
• Member interfaces should have the same configuration:
  - Access VLAN
  - Trunking Mode
  - Native VLAN
  - Speed & Duplex
  - Interface Type (L2/L3)
EtherChannel – cont.
• There are two types of EtherChannels – L2 and L3
• STP treats the PortChannel as a single link
• An EC can be created manually or negotiated
• The manual method may be less secure (STP loops)
• Automatic negotiation can detect certain kinds of misconfiguration
• Two dynamic negotiation protocols are available:
  1. Port Aggregation Protocol (PAgP)
  2. Link Aggregation Control Protocol (LACP)
PAgP
• Cisco proprietary
• Operates in two modes:
  - Desirable
  - Auto
• Desirable mode actively negotiates an EC
• Auto mode negotiates an EC only when the far end initiates it
LACP
• Open standard
• The switch with the lowest System Priority (Priority.MAC) decides which ports will actively participate in the EtherChannel
• That switch selects active ports based on Port Priority values (Port_Priority.Port_number)
• Up to 8 ports with the lowest Port Priority are elected as active; the other links are placed in a standby state
• Operates in two modes:
  - Active (corresponds to PAgP’s Desirable)
  - Passive (corresponds to PAgP’s Auto)
EtherChannel Load-Balancing
• There are 6 different load-balancing modes in EC:
  1. Source MAC
  2. Destination MAC
  3. Source-Destination MAC pair
  4. Source IP address
  5. Destination IP address
  6. Source-Destination IP address pair
• The default load-balancing method is Source MAC
EtherChannel Load Balancing Example (diagram not reproduced; two topologies were shown: MAC-Based with hosts H1–H4 behind switches S1 and S2, and IP-Based with hosts H1–H4 behind routers R1 and R2 attached to S1 and S2)
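Why the load-balancing method matters in the IP-based topology above, as an added Python simulation (not IPexpert's code). Platform hashes differ; the assumption here is a simplified hash (XOR of the selected fields, modulo the number of member links), and the MAC/IP addresses are constructed. The qualitative result holds for any per-flow hash: once traffic has crossed a router, every frame carries the router's MAC as source, so a src-mac method pins all of it to one member link while an IP-based method spreads it.

```python
"""EtherChannel load-balancing simulation (added example, not IPexpert code)."""
from collections import Counter

# Constructed sample addresses: (MAC, IP) per host; R1 is a router between H1/H2 and the channel
HOSTS = {
    "H1": ("0000.1111.0001", "10.1.1.11"),
    "H2": ("0000.1111.0002", "10.1.1.12"),
    "H3": ("0000.2222.0003", "10.2.2.13"),
    "H4": ("0000.2222.0004", "10.2.2.14"),
}
ROUTER_MAC = "0000.aaaa.0001"   # R1's interface facing S1 (constructed)
LINKS = 2                       # two physical members in the PortChannel


def _mac_bits(mac):
    """Dotted-hex MAC -> integer, so its low-order bits can be hashed."""
    return int(mac.replace(".", ""), 16)


def _ip_bits(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def select_link(method, src_mac, dst_mac, src_ip, dst_ip, links=LINKS):
    """Member-link index (0..links-1) for one flow under the given
    port-channel load-balance method. Assumption: XOR of the chosen fields
    modulo the link count (a simplification of the real platform hash)."""
    fields = {
        "src-mac": _mac_bits(src_mac),
        "dst-mac": _mac_bits(dst_mac),
        "src-dst-mac": _mac_bits(src_mac) ^ _mac_bits(dst_mac),
        "src-ip": _ip_bits(src_ip),
        "dst-ip": _ip_bits(dst_ip),
        "src-dst-ip": _ip_bits(src_ip) ^ _ip_bits(dst_ip),
    }
    return fields[method] % links


def distribute(method, flows, links=LINKS):
    """How many flows land on each member link.
    flows are (src_mac, dst_mac, src_ip, dst_ip) tuples."""
    return Counter(select_link(method, *f, links=links) for f in flows)


def routed_flows():
    """Flows from H1/H2 to H3/H4 as seen on the S1-S2 channel *after* R1 has
    routed them: R1 rewrote the L2 header, so the source MAC is always R1's."""
    return [(ROUTER_MAC, HOSTS[d][0], HOSTS[s][1], HOSTS[d][1])
            for s in ("H1", "H2") for d in ("H3", "H4")]


if __name__ == "__main__":
    print("src-mac   :", dict(distribute("src-mac", routed_flows())))
    print("src-dst-ip:", dict(distribute("src-dst-ip", routed_flows())))
```

With the default src-mac method all four routed flows hash to the same member link; switching to src-dst-ip splits them evenly, which is the reason the slide shows the MAC-based and IP-based topologies side by side.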
EtherChannel Configuration
• EtherChannel: channel-group nr mode [desirable|auto|active|passive|on]
• LACP System Priority: lacp system-priority nr
• LACP Port Priority: lacp port-priority nr
• Load-Balancing: port-channel load-balance [src-mac|dst-mac|src-dst-mac|src-ip|dst-ip|src-dst-ip]
Example EtherChannel Configuration
  interface f0/5
   shut
   switchport mode access
   channel-group 1 mode desirable
   no shut
  int f0/7
   shut
   no switchport
   channel-group 2 mode on
   no shut
  int port-channel 2
   ip add 10.1.1.1 255.255.255.0
Configuration Verification
• show etherchannel [summary] - Displays one-line EtherChannel information for a channel
• show etherchannel [load-balance] - Displays the EC load-balancing scheme
• show lacp - Displays LACP information
1.04 Implement Ethernet Technologies
Ethernet, FastEthernet
• Ethernet refers to the family of LAN products covered by the IEEE 802.3 standard
• Original 802.3 Ethernet
  - Runs at 10Mbps
  - Collisions were expected
  - CSMA/CD controls which device can transmit at a time
• FastEthernet 802.3u
  - Runs at 100Mbps
  - 100BASE-TX is the most common standard
GigabitEthernet
• GigabitEthernet
  - 802.3z for optical cabling
  - 802.3ab for copper
  - Runs at 1000Mbps
  - Cisco devices only support full-duplex (no CSMA/CD)
• Flow Control (PAUSE frames) built-in
• PAUSE frames are generated when the receiver’s queue is filled
• Must be negotiated
Speed and Duplex
• Autonegotiation is enabled by default
• It is used to automatically exchange information about speed and duplex settings
• Both sides of a link should have auto-negotiation on, or both sides should have it off
• To disable it, statically configure speed and duplex
Speed & Duplex Configuration
• Speed: speed [10|100|1000|auto]
• Duplex: duplex [half|full|auto]
Configuration Verification
• show interface status - Displays status of the interfaces and their settings
• show interfaces capabilities - Displays interface capabilities
PPPoE
• Point to Point Protocol over Ethernet
• Defines interaction between a host PC and a broadband medium, such as Digital Subscriber Line (DSL)
• Allows authenticated sessions over a standard Ethernet line
• Client-Server architecture
PPPoE Mechanics
• PPPoE logic is similar to DHCP operations
• Discovery Phase:
  - PPPoE Active Discovery Initiation (PADI) packet is sent
  - Server replies with PPPoE Active Discovery Offer (PADO)
  - Client sends PPPoE Active Discovery Request (PADR)
  - Server agrees by sending a PPPoE Active Discovery Session-confirmation message (PADS)
• PPP packets are now exchanged inside Ethernet frames and a standard PPP negotiation is performed
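The four-message discovery exchange above, modelled with both sides in Python as an added example (not IPexpert's code). The frame layout follows RFC 2516 (VER/TYPE 0x11, CODE, SESSION_ID, LENGTH, then type/length/value tags; discovery frames use Ethertype 0x8863, the PPP session stage 0x8864); the AC-Name, cookie and Host-Uniq values are constructed. The server's AC-Cookie check is the part worth noticing: it lets the access concentrator answer a PADR only if that PADR echoes a cookie it issued in its own PADO, without keeping per-PADI state.

```python
"""PPPoE discovery phase (PADI/PADO/PADR/PADS); added example, not IPexpert code."""
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65          # CODE values, RFC 2516
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build(code, session_id, tags):
    """VER/TYPE (0x11) + CODE + SESSION_ID + LENGTH, followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def parse(frame):
    """Return (code, session_id, {tag_type: value}); reject malformed frames."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11 or length != len(frame) - 6:
        raise ValueError("malformed PPPoE discovery frame")
    tags, off = {}, 6
    while off < 6 + length:
        t, l = struct.unpack("!HH", frame[off:off + 4])
        tags[t] = frame[off + 4:off + 4 + l]
        off += 4 + l
    return code, session_id, tags


class Client:
    def __init__(self, host_uniq=b"\x00\x01"):      # constructed Host-Uniq value
        self.host_uniq = host_uniq
        self.session_id = None

    def padi(self):
        """PADI is sent to the Ethernet broadcast address (session id 0)."""
        return build(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)])

    def on_pado(self, frame):
        code, _, tags = parse(frame)
        # Accept only offers that answer *our* PADI (Host-Uniq echoed back)
        if code != PADO or tags.get(TAG_HOST_UNIQ) != self.host_uniq or TAG_AC_COOKIE not in tags:
            return None
        return build(PADR, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq),
                               (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])])

    def on_pads(self, frame):
        code, sid, tags = parse(frame)
        if code == PADS and tags.get(TAG_HOST_UNIQ) == self.host_uniq:
            self.session_id = sid               # from now on: PPP inside Ethernet (0x8864)
        return self.session_id


class Server:
    def __init__(self, ac_name=b"BRAS-1", cookie=b"\xde\xad"):   # constructed values
        self.ac_name, self.cookie, self.next_sid = ac_name, cookie, 1

    def on_padi(self, frame):
        code, _, tags = parse(frame)
        if code != PADI:
            return None
        return build(PADO, 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, self.ac_name),
                               (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b"")),
                               (TAG_AC_COOKIE, self.cookie)])

    def on_padr(self, frame):
        code, _, tags = parse(frame)
        # Only confirm requests that echo the cookie from our own PADO
        if code != PADR or tags.get(TAG_AC_COOKIE) != self.cookie:
            return None
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        return build(PADS, sid, [(TAG_SERVICE_NAME, b""),
                                 (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b""))])


def discover(client, server):
    """Run PADI -> PADO -> PADR -> PADS and return the assigned session id (or None)."""
    pado = server.on_padi(client.padi())
    padr = client.on_pado(pado) if pado else None
    pads = server.on_padr(padr) if padr else None
    return client.on_pads(pads) if pads else None
```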
Typical PPPoE network (diagram not reproduced)
PPPoE Configuration
• Dialer Interface: interface dialer nr
• MTU & PPP Encapsulation: mtu value / encapsulation ppp
• PPP IPCP Address Negotiation: ip address negotiated
• Dialer Pool & Dialer Group: dialer pool nr / dialer-group nr
• Cloning: pppoe-client dial-pool-number nr
Example PPPoE Configuration
  interface dialer 1
   encapsulation ppp
   ip address negotiated
   dialer pool 1
   dialer-group 1
   mtu 1492
  interface E1
   pppoe-client dial-pool-number 1
Configuration Verification
• show pppoe session - Displays information about currently active PPPoE sessions
1.05 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control
SPAN, RSPAN
• SPAN is also known as port mirroring or port monitoring
• This feature is used to copy all traffic transmitted/received on a specific port or VLAN to a single port on the same switch
• Common applications are call recording and IDS/IPS
• RSPAN does the same as SPAN, but the destination of an RSPAN session is on a switch other than the one where the monitored traffic is received/transmitted
• A special VLAN, called the RSPAN VLAN, is used to carry monitored traffic between the switches (RSPAN only)
SPAN Example (diagram not reproduced: a PC on F0/2 is mirrored to a Network Analyzer on F0/10 of the same switch)
RSPAN Example (diagram not reproduced: a PC on S1 is mirrored across the RSPAN VLAN through S2 to a Network Analyzer on S3)
SPAN, RSPAN – cont.
• Both SPAN & RSPAN can work with transmitted and/or received traffic
• Traffic that is received is copied before any other features, like ACLs or VACLs, are applied
• Traffic that is transmitted is already modified (ACLs, QoS, policing, etc.)
SPAN & RSPAN Configuration
• SPAN
  monitor session session_nr source interface|vlan [both|rx|tx]
  monitor session session_nr destination interface [ingress vlan]
• RSPAN
  monitor session session_nr source interface|vlan [both|rx|tx] [remote vlan]
  monitor session session_nr destination interface [ingress vlan] [remote vlan]
  vlan vlan_nr
   remote-span
• VLAN Filtering
  monitor session session_nr filter vlan vlans
Example SPAN Configurations
• SPAN
  monitor session 1 source interface f0/1
  monitor session 1 destination interface f0/20
• VLAN Filtering (trunk link)
  monitor session 2 source interface f0/10
  monitor session 2 destination interface f0/21
  monitor session 2 filter vlan 100-200, 300
Example RSPAN Configuration
• Switch 1
  vlan 999
   remote-span
  monitor session 12 source vlan 10 rx
  monitor session 12 destination remote vlan 999
• Switch 2
  vlan 999
   remote-span
  monitor session 12 source remote vlan 999
  monitor session 12 destination interface f0/2
Configuration Verification
• show monitor session session_nr - Displays information about the specified SPAN or RSPAN session
1.06 Implement Frame Relay
Frame Relay
• L2 WAN technology
• NBMA means more than two devices can be attached but there is no inherent broadcast capability
• DTE – customer’s end (Frame Relay router)
• DCE – ISP’s end (Frame Relay switch)
• Permanent Virtual Circuit (PVC) is a pre-configured logical communication path between two DTEs
• Data Link Connection Identifier (DLCI) is a connection identifier, usually locally significant. Global nomenclature can also be used, though
Frame Relay - LMI
• Local Management Interface (LMI) messages are ONLY exchanged between the FR switch and its directly connected DTE device
• LMI is mainly used to advertise the VC information to the router’s main physical interface. LMI Status Enquiry packets act as keepalives
• Three LMI types are available:
  1. Cisco
  2. ANSI
  3. Q-933A (ITU)
• The LMI type must match between DCE and DTE; routers autosense it by default. DLCIs 0 & 1023 are reserved for LMI messages
Frame Relay – PVC status
• LMI advertises a PVC status for each of the configured DLCIs
• Three PVC status codes are reported:
  1. Active - PVC is usable, data frames can be sent
  2. Inactive - Problem with the remote end. No data frames will be sent
  3. Deleted - Router has a DLCI, FR switch does not. Usually implies misconfiguration. No data frames are sent
• The fourth code, Static, shows up if LMI has been disabled. Data frames will be sent
Frame Relay – Full Mesh
• Full Mesh = all the devices are connected with each other. Before Frame Relay, n(n-1)/2 connections were required, where n is the number of sites. With FR, only n interfaces are needed
Frame Relay – Hub & Spoke
• Hub & Spoke = every branch has a VC to the Hub only. The downside is that traffic between the sites must traverse the Hub
Frame Relay Problems
• Split Horizon
• Multicast issues
• Other protocol-related problems
• Solutions may include subinterfaces
• A point-to-point subinterface does not require L3 to L2 resolution
• A multipoint subinterface supports more than two devices in the same L3 network. L3 to L2 resolution is required
Frame Relay - Controlling Speed
• Forward Explicit Congestion Notification (FECN)
• Backward Explicit Congestion Notification (BECN)
• FECN informs the destination so it can e.g. inform upper layers about possible delay. The FECN bit can only be set by the FR switches
• BECN is used to inform the source so it can slow down the sending rate (Adaptive Traffic Shaping must be enabled). The BECN bit can be set by FR switches or the receiving router
• For unidirectional flows the FECN Adapt feature can be used – dummy frames with the BECN bit set will be generated by the FECN-receiving router
Frame Relay – Discard Eligible bit
• The Discard Eligible (DE) bit is used to indicate low-priority data
• Commonly used in oversubscription scenarios
• Both routers & Frame Relay switches can set the DE bit
• The ISP may drop DE frames before any other traffic (e.g. when congestion occurs)
Frame Relay Configuration
• Encapsulation: encapsulation frame-relay [cisco|ietf] (per-map: frame-relay map … [cisco|ietf])
• LMI: frame-relay lmi-type ansi|cisco|q933a
• Point-to-Point subinterfaces: frame-relay interface-dlci DLCI_nr
• Multipoint subinterfaces: frame-relay map ip IP_addr DLCI_nr [broadcast]
• Inverse ARP: [no] frame-relay inverse-arp [IP_addr DLCI_nr]
Example Frame Relay Configuration
  interface serial 0
   encapsulation frame-relay
  interface serial 0.1 point-to-point
   ip address 10.1.1.1 255.255.255.252
   frame-relay interface-dlci 10
  interface serial 0.2 multipoint
   ip address 10.2.2.2 255.255.255.0
   frame-relay map ip 10.2.2.2 20 broadcast
   frame-relay map ip 10.2.2.3 30
Configuration Verification
• show frame-relay map - Displays current Frame Relay map entries and information about connections
• show frame-relay pvc - Displays statistics about Frame Relay Permanent Virtual Circuits
• debug frame-relay packet - Displays information about packets that have been sent over a Frame Relay interface
1.07 Implement High-Level Data Link Control (HDLC) and PPP
HDLC
• Simple L2 protocol used on point-to-point links
• HDLC header fields:
  - Flag delimits the start & end of each frame
  - Address is set to 3 in decimal
  - Control defines the frame type (Control or Data)
  - FCS is used for error detection
• Cisco’s HDLC (proprietary) also contains a Type field which is used to support different L3 protocols
PPP
• Very similar to HDLC
• PPP uses two main components – Link Control Protocol (LCP) and Network Control Protocols, e.g. IPCP
PPP LCP
• LCP is used for link management and negotiation
• The four main LCP functions are as follows:
  1. Looped Link Detection (magic number)
  2. Link Quality Monitoring (LQM). Used to monitor the link’s quality – if it drops below a configured percentage, the router will shut down the link
  3. Authentication (clear-text PAP or MD5 CHAP)
  4. Load Balancing (Multilink PPP). MLP balances the traffic by fragmenting each data link frame (L2 fragmentation) based on the number of parallel links or based on a configured delay
PPP Phases
• There are five different PPP phases:
  1. Link Dead (e.g. when the link fails)
  2. Link Establishment (Link Control Protocol, LCP)
  3. Authentication (optional)
  4. Network Layer Protocol (e.g. IPCP for IP)
  5. Termination (closing down the connection)
PPP Configuration
• Clocking: clock rate
• Encapsulation: encapsulation ppp
• PPP Authentication: ppp authentication pap|chap
• LQM: ppp quality percentage
• Multilink PPP (MLP): interface multilink number / ppp multilink / ppp multilink group number
Example PPP Configuration #1
• Router XXX
  hostname XXX
  username YYY password SAMEONE
  int serial 0
   encapsulation ppp
   ppp authentication pap|chap
• Router YYY
  hostname YYY
  username XXX password SAMEONE
  int serial 0
   encapsulation ppp
   ppp authentication pap|chap
Example PPP Configuration #2
  interface multilink 2
   ip address 10.1.1.1 255.255.255.252
   encapsulation ppp
   ppp multilink
  ! identical configuration on both member links, int s0/1 and int s0/2:
  int s0/1
   no ip address
   encapsulation ppp
   ppp multilink
   ppp multilink group 2
  int s0/2
   no ip address
   encapsulation ppp
   ppp multilink
   ppp multilink group 2
Configuration Verification
• show interfaces - Displays statistics for all configured interfaces
• show ppp multilink - Displays bundle information for Multilink PPP
• debug ppp negotiation - Displays PPP packets during the negotiation
End of Section 1.0
2.0 Implement IPv4
2.01 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)
IPv4 Basics
• An IPv4 address uniquely identifies a device on an IP network. It is a 32-bit structure divided into four octets, written in decimal form
• An IP network is a distinguished group of networking devices
• Network classes were developed to provide some structure to the way IP addresses are assigned
• Each network class has a range of IP addresses, and a particular class can be determined from the four high-order bits
IPv4 Network Classes
• There are five network classes:
  1. Class A – Range: 0.0.0.0/8 to 127.0.0.0/8; Binary: 0nnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh
  2. Class B – Range: 128.0.0.0/16 to 191.255.0.0/16; Binary: 10nnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh
  3. Class C – Range: 192.0.0.0/24 to 223.255.255.0/24; Binary: 110nnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh
  4. Class D – Range: 224.0.0.0 to 239.255.255.255; Binary: 1110xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
  5. Class E – Range: 240.0.0.0 to 255.255.255.255; Binary: 1111xxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx
IPv4 Network Masks
• The network mask is used to determine which portion of the IP address identifies the network (or a subnet) and which portion identifies the node
• Default („natural”) masks:
  - Class A – 255.0.0.0 or /8
  - Class B – 255.255.0.0 or /16
  - Class C – 255.255.255.0 or /24
• These masks cannot be changed; they are implicit
IPv4 Subnets & Subnetting
• Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network
• A subnet mask (or the number after “/”) is used to determine the number of bits used for the subnet and host portions of the address; in binary it is a consecutive run of 1s
• The Subnet-Zero address is indistinguishable from the natural network address. Subnet-Zero has all of its subnet bits set to 0 and is turned on in recent IOS versions by default (ip subnet-zero)
Networking Math - Subnetting
  192.168.1.0/25   - 11000000.10101000.00000001.00000000
  192.168.1.128/25 - 11000000.10101000.00000001.10000000
Networking Math - Subnet Number (worked example not reproduced)
Networking Math – Finding a Subnet
  10.2.3.19    - 00001010.00000010.00000011.00010011
  /29          - 11111111.11111111.11111111.11111000
  Logical AND  - 00001010.00000010.00000011.00010000  (= 10.2.3.16)
VLSM & CIDR
• Variable Length Subnet Mask allows subnetting using an arbitrary subnet mask for different subnets
• Classless Inter-Domain Routing (CIDR) is a more flexible way of allocating IP addresses because it allows the use of VLSM. It depicts a more hierarchical Internet architecture, where each domain takes its IP addresses from a higher level. Introduces Summarization/Supernetting
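The networking math of the last few slides (class from the high-order bits, natural mask, network = address AND mask, and VLSM carving of one block) as an added Python example, not IPexpert's code. The `vlsm` allocator goes one step beyond the slides: it allocates the largest requested subnet first so that every subnet starts on its own boundary; the host counts and the 192.168.1.0/24 block used in the test are constructed.

```python
"""IPv4 subnetting math; added example, not IPexpert code."""


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def dotted_binary(n):
    """e.g. 10.2.3.19 -> '00001010.00000010.00000011.00010011'"""
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/29 -> 0xFFFFFFF8: a run of `prefix` ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_class(ip):
    """Class from the four high-order bits (A: 0xxx, B: 10xx, C: 110x, D: 1110, E: 1111)."""
    top = ip_to_int(ip) >> 28
    if top < 0b1000:
        return "A"
    if top < 0b1100:
        return "B"
    if top < 0b1110:
        return "C"
    return "D" if top == 0b1110 else "E"


NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}   # the implicit ("natural") masks


def subnet_info(ip, prefix):
    """Network, broadcast, usable range and usable host count for ip/prefix."""
    mask = prefix_to_mask(prefix)
    net = ip_to_int(ip) & mask                 # the slide's logical AND
    bcast = net | (~mask & 0xFFFFFFFF)         # host bits all set to 1
    usable = 0 if prefix >= 31 else bcast - net - 1
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "first": int_to_ip(net + 1) if usable else None,
            "last": int_to_ip(bcast - 1) if usable else None,
            "usable_hosts": usable}


def vlsm(block, host_counts):
    """Carve `block` (e.g. '192.168.1.0/24') into one subnet per host count.
    Largest first keeps every subnet aligned to its own size boundary.
    Returns [(hosts, 'network/prefix'), ...] or raises if the block is too small."""
    base, prefix = block.split("/")
    cursor = ip_to_int(base)
    end = cursor + (1 << (32 - int(prefix)))
    out = []
    for hosts in sorted(host_counts, reverse=True):
        h = (hosts + 1).bit_length()           # smallest h with 2**h >= hosts + 2
        size = 1 << h
        if cursor + size > end:
            raise ValueError("block exhausted")
        out.append((hosts, f"{int_to_ip(cursor)}/{32 - h}"))
        cursor += size
    return out
```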
2.02 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)
© IPexpert, Inc.
Tunneling • Tunneling is transmission of data intended for use only within a private, usually corporate network, through a public network like for example Internet • Tunneling „equals to” encapsulation
• Tunneling requires three different protocols : 1. Carrier protocol – „outer header” protocol used to transport data 2. Encapsulating protocol – wraps the original data. For example GRE, L2TP 3. Passenger protocol – original data, e.g. IP or IPX • Subway analogy Rev. 1700 IPexpert’s CCIE R&S Written VoD Series
12
© IPexpert, Inc.
GRE
• GRE (Generic Routing Encapsulation) is a tunneling protocol
• Commonly used to transport multicast packets
GRE – cont.
• GRE tunnels are connectionless & stateless
• The line protocol of the tunnel interface is not „tracked” by default
• Keepalives can be used to solve this problem
• A GRE header with no options included is 4 bytes long, which totals 24 bytes of overhead (outer IP -> 20 bytes)
• A GRE key can be used to provide basic authentication and to uniquely identify multiple tunnels
• The GRE key adds another 4 bytes of overhead
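The overhead arithmetic above, checked by actually building the headers; an added Python example, not IPexpert's code. It packs a 20-byte outer IPv4 header and the RFC 2784 GRE base header (flags/version plus protocol type), with the optional RFC 2890 Key field when a key is configured, and shows the receive side discarding a frame whose key does not match, which is the "basic authentication" the slide mentions. The 192.0.2.x endpoints are constructed sample addresses.

```python
"""GRE encapsulation overhead and key check; added example, not IPexpert code."""
import struct

GRE_PROTO_IPV4 = 0x0800   # passenger protocol type (Ethertype numbering)
IP_PROTO_GRE = 47         # outer IP header protocol number for GRE
GRE_FLAG_KEY = 0x2000     # K bit: a 4-byte Key field follows the base header


def gre_header(key=None):
    """2 bytes flags/version + 2 bytes protocol type = 4 bytes; +4 with a key."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=IP_PROTO_GRE, ttl=255):
    """Outer IPv4 header without options: IHL=5, i.e. 20 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def encapsulate(passenger, src, dst, key=None):
    gre = gre_header(key)
    return ipv4_header(src, dst, len(gre) + len(passenger)) + gre + passenger


def overhead(key=None):
    """Bytes added in front of the passenger: 20 + 4 = 24, or 28 with a key."""
    return len(encapsulate(b"", "192.0.2.1", "192.0.2.2", key))   # constructed endpoints


def decapsulate(frame, expected_key=None):
    """Strip outer IP + GRE and return the passenger, or None when the frame is
    not GRE or its key differs from the locally configured one."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IP_PROTO_GRE:
        return None
    flags, _proto = struct.unpack("!HH", frame[ihl:ihl + 4])
    off, key = ihl + 4, None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    if key != expected_key:
        return None
    return frame[off:]
```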
GRE Configuration
• Tunnel Interface: interface tunnel nr
• Tunnel IP & Network: ip address ip_address mask
• Outer IP Header’s Source & Destination: tunnel source ip_address / tunnel destination ip_address
• Keepalives: keepalive interval retries
• Tunnel Mode: tunnel mode gre
Example GRE Configuration
  interface tunnel 1
   ip address 172.16.1.1 255.255.255.0
   tunnel source f0/1
   tunnel destination 192.0.2.1
   keepalive 10
Configuration Verification
• show interface tunnel - Displays tunnel interface information
2.03 Implement IPv4 RIP version 2 (RIPv2)
IP Routing
• Routing is the process of forwarding packets from one interface to another (the ingress and egress interface can be the same, though)
• Routing logic can be divided into five steps:
  1. Route Lookup
  2. Route Recursion
  3. Packet Switching
  4. Encapsulation
  5. Serialization
IP Routing – Step 1
• Step 1 – Route Lookup: destination-based; the longest-match prefix is always chosen
• If there are multiple longest-match prefixes received from different routing protocols, only the lowest Administrative Distance prefix is placed into the routing table
• If there is more than one longest-match prefix received from the same routing protocol, only the lowest-metric prefix is put into the RIB
• If the metrics are the same, load balancing occurs (account for the maximum-paths command)
IP Routing – Step 1 Example
• The following routes are in the RIB:
  a) 10.0.0.0/8, AD 90 (EIGRP)
  b) 10.1.0.0/16, AD 90 (EIGRP)
  c) 10.1.2.0/24, AD 90 (EIGRP)
  d) 10.1.2.3/32, AD 110 (OSPF)
  e) 0.0.0.0/0, AD 1 (STATIC)
• If a packet is received destined to 10.1.2.3, which route will be chosen? The answer is: 10.1.2.3/32, AD 110, although it has the worst (highest) AD
• If we start receiving 10.1.2.3/32 from EIGRP as well, the OSPF route will be preempted
IP Routing – Step 2
• Step 2 – Route Recursion: finding an outgoing interface for a particular prefix
• If 10.1.2.3 has a Next-Hop of 1.2.3.4, perform a route lookup for 1.2.3.4
• If 1.2.3.4 is reachable via 5.6.7.8, perform a route lookup for 5.6.7.8, and so on until one of the prefixes is listed as „directly connected”
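Steps 1 and 2 as runnable Python, an added example that is not IPexpert's code. The five routes are the ones from the Step 1 example slide; the next hops, the metric values and the two extra entries (a static route for 1.2.3.0/24 pointing at 5.6.7.8 and a connected 5.6.7.0/24 on Serial0/0) are constructed so that the recursion chain 10.1.2.3 -> 1.2.3.4 -> 5.6.7.8 -> connected can be followed. Note the order of precedence the code enforces: AD and metric only decide which candidate enters the RIB for a given prefix; once installed, the lookup is purely longest-match.

```python
"""Longest-match lookup, RIB installation by AD/metric, and route recursion.
Added example, not IPexpert code."""


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def matches(prefix, ip):
    """True when ip falls inside prefix ('net/len')."""
    net, plen = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


# Candidate routes: (prefix, protocol, AD, metric, next hop or outgoing interface).
# Prefixes and ADs come from the slide; metrics, next hops and the last two rows
# are constructed for the recursion example.
SLIDE_RIB = [
    ("10.0.0.0/8", "EIGRP", 90, 100, "1.2.3.4"),
    ("10.1.0.0/16", "EIGRP", 90, 100, "1.2.3.4"),
    ("10.1.2.0/24", "EIGRP", 90, 100, "1.2.3.4"),
    ("10.1.2.3/32", "OSPF", 110, 20, "1.2.3.4"),
    ("0.0.0.0/0", "STATIC", 1, 0, "5.6.7.8"),
    ("1.2.3.0/24", "STATIC", 1, 0, "5.6.7.8"),
    ("5.6.7.0/24", "CONNECTED", 0, 0, "Serial0/0"),
]


def install(candidates):
    """Step 1, RIB population: per prefix keep only the lowest-AD source, and
    within it the lowest-metric entries (several entries -> load balancing)."""
    rib = {}
    for route in candidates:
        prefix, _proto, ad, metric, _nh = route
        cur = rib.get(prefix, [])
        if cur and (cur[0][2], cur[0][3]) < (ad, metric):
            continue                              # worse AD, or same AD and worse metric
        if cur and (cur[0][2], cur[0][3]) == (ad, metric):
            cur.append(route)                     # equal-cost path
        else:
            rib[prefix] = [route]                 # better: replaces what was there
    return rib


def lookup(rib, dst):
    """Longest-match lookup; AD and metric play no part at this stage."""
    candidates = [p for p in rib if matches(p, dst)]
    if not candidates:
        return None
    return rib[max(candidates, key=lambda p: int(p.split("/")[1]))]


def resolve(rib, dst, max_depth=8):
    """Step 2, route recursion: follow next hops until a connected prefix.
    Returns (outgoing interface, [prefixes consulted]) or None if unroutable."""
    hops, target = [], dst
    for _ in range(max_depth):
        entries = lookup(rib, target)
        if entries is None:
            return None
        prefix, proto, _ad, _metric, nh = entries[0]
        hops.append(prefix)
        if proto == "CONNECTED":
            return nh, hops                       # nh holds the interface name here
        target = nh
    raise RuntimeError("recursion too deep (next-hop loop?)")
```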
IP Routing – Steps 3, 4 and 5
• Step 3 – Packet Switching: move the packet to the outgoing interface found in Step 2
• Step 4 – Encapsulation: encapsulate the packet into the interface’s underlying L2 header. Layer 3 to Layer 2 resolution may be required for multiaccess interfaces such as Ethernet or Frame Relay multipoint; point-to-point interfaces don’t require resolution
• Step 5 – Serialization: serialize the packet onto the physical link
RIP
• RIP is an example of a Distance-Vector protocol, meaning that it periodically passes full copies of its routing table out of all protocol-enabled interfaces
• „Distance” means the metric, whereas „Vector” refers to the next hop
• RIP version 1:
  - Classful
  - Does not support VLSM
  - No authentication
  - Uses broadcasts
RIP – cont.
• RIP version 2:
  - Supports VLSM
  - Authentication
  - Packets sent as multicast to 224.0.0.9
• Both RIP versions run over UDP port 520
• The metric is limited to 15 hops. Unreachable networks are denoted with the metric set to 16 hops
• RIP updates are sent every 30 seconds by default
RIP Operations
• Five discrete steps:
  1. Initialization – Request packet
  2. Request Received – creating the update message
  3. Response – processing the update packet
  4. Regular Routing Updates – unsolicited Response message sent every 30 seconds
  5. Triggered Routing Updates – optional extension for WAN links. Suppresses periodic updates
RIP Timers
• The Routing Timer clocks the interval between periodic routing updates, set to 30 seconds by default
• The Invalid Timer is initialized to 180 seconds whenever a new route is established and is reset to the initial value whenever an update is heard for that route
• The Flush Timer determines how long a route is advertised with an unreachable metric. Set to 240 by default
• The Holddown Timer, Cisco proprietary, kicks in after a route is received with a higher metric. Provides additional time for convergence, set to 180 seconds by default
Split Horizon
• Used to reduce the probability of creating routing loops
• When sending routing updates out of a particular interface, this feature does not allow the inclusion of networks that were learned from updates received on that same interface
• Split Horizon is enabled on all ports except the physical Serial Frame Relay interface
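The split-horizon rule applied to a small RIP table, as an added Python example (not IPexpert's code). The routing table, interface names and metrics are constructed; each entry records the interface it was learned on (`None` for directly connected networks), which is exactly the information split horizon needs. The receive side is included so that the 16-hop "unreachable" convention from the RIP slide is shown too.

```python
"""Split horizon and hop-count handling for RIP updates; added example, not IPexpert code."""

INFINITY = 16   # RIP's unreachable metric

# Constructed routing table: (prefix, metric, interface the route was learned on)
ROUTES = [
    ("172.16.1.0/24", 1, None),        # connected on f0/0
    ("172.16.100.0/24", 1, None),      # connected on s0/0
    ("10.0.0.0/8", 2, "s0/0"),         # learned from the neighbour on s0/0
    ("192.168.5.0/24", 3, "f0/0"),     # learned from the neighbour on f0/0
]


def build_update(routes, out_interface, split_horizon=True):
    """Routes to advertise out of out_interface, each with the metric increased
    by one hop and capped at 16. With split horizon, routes learned on that
    same interface are left out; without it they are echoed back to the
    neighbour that sent them, which is how count-to-infinity gets started."""
    update = []
    for prefix, metric, learned_on in routes:
        if split_horizon and learned_on == out_interface:
            continue
        update.append((prefix, min(metric + 1, INFINITY)))
    return update


def process_update(routes, from_interface, update):
    """Apply a received update to the table and return the new table.
    A metric of 16 from the neighbour we learned a route from marks it unreachable;
    otherwise a route is installed when new, better, or refreshed by its current source."""
    table = {p: (m, i) for p, m, i in routes}
    for prefix, metric in update:
        current = table.get(prefix)
        if metric >= INFINITY:
            if current and current[1] == from_interface:
                table[prefix] = (INFINITY, from_interface)
            continue
        if current is None or metric < current[0] or current[1] == from_interface:
            table[prefix] = (metric, from_interface)
    return [(p, m, i) for p, (m, i) in table.items()]
```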
RIP Configuration
• Enabling RIP: network ip_address
• The „network” command does three things:
  1. Enables sending the protocol updates
  2. Enables receiving the protocol updates
  3. Advertises the configured networks/subnetworks
• RIP version: version 1|2
• Passive Interface: passive-interface if_name
RIP Configuration – cont.
• Disabling Auto Summarization: no auto-summary
• Interface-Level Summary: ip summary-address rip
• Unicast Updates: neighbor ip_address / passive-interface if_name
• Default Route: default-information originate
• Split Horizon: [no] ip split-horizon
RIP Configuration – cont.
• RIP Timers: timers basic
• Offset List: offset-list
• Source Validation: no validate-update-source
• Triggered Updates: ip rip triggered
Example RIP Configuration
  int f0/0
   ip add 172.16.1.1 255.255.255.0
  int serial 0/0
   ip add 172.16.100.1 255.255.255.0
   no ip split-horizon
   ip rip triggered
  router rip
   version 2
   no auto-summary
   network 172.16.100.0
   timers basic 10 60 60 80
Configuration Verification
• show ip rip database - Displays RIP database and summary entries
• show ip protocols - Displays parameters and state of ACTIVE routing processes
2.04 Implement IPv4 Open Shortest Path First (OSPF)
OSPF – Link State Protocol
• OSPF is a Link-State protocol that uses Shortest Path First (SPF), also known as Dijkstra’s algorithm
• All routers within an area have the same topology
• Information about links is stored in a memory structure called the Link State Database (LSDB)
• Each device uses the information stored in the LSDB to calculate the best paths
OSPF Operations
• High-level overview of OSPF’s operations:
  1. Router ID is chosen
  2. Hello packets are exchanged
  3. Neighbors vs Adjacencies - adjacency is determined by the type of routers exchanging Hellos and the type of network over which the Hellos are exchanged
  4. Link State Advertisements (LSAs) are flooded (exchanging topology information)
  5. SPF is calculated (the calculating device places itself as the root)
  6. The Routing Table is populated
OSPF Router ID
• The Router ID is an OSPF device identifier and it should always be unique within a single OSPF domain
• The Router ID is chosen in the following way:
  1. If the router-id command is configured, its value is used as the Router ID
  2. If there is no router-id command configured, the highest loopback IP address is chosen
  3. If there are neither a router-id command nor loopback interfaces configured, the router will pick the highest numeric IP address from all other up/up interfaces
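The three-step Router ID selection above as an added Python function (not IPexpert's code). Interface names and addresses in the test are constructed. One detail the function makes explicit is that "highest" means numerically highest as a 32-bit value, not a string comparison, which would rank 9.9.9.9 above 10.0.0.1.

```python
"""OSPF Router ID selection; added example, not IPexpert code."""


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def choose_router_id(configured_rid, interfaces):
    """interfaces: list of (name, ip_or_None, is_up). Returns the Router ID.
    1. explicit router-id wins; 2. else highest loopback address;
    3. else highest address among the remaining up/up interfaces."""
    if configured_rid:
        return configured_rid
    up = [(name, ip) for name, ip, is_up in interfaces if is_up and ip]
    loopbacks = [ip for name, ip in up if name.lower().startswith("loopback")]
    pool = loopbacks or [ip for _name, ip in up]
    if not pool:
        return None                   # no usable address: OSPF cannot start
    return max(pool, key=ip_to_int)   # numeric, not lexical, comparison
```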
OSPF Messages
• OSPF sends its packets encapsulated directly in IP, protocol number 89
• There are five types of OSPF messages:
  1. Hello - discovers and maintains the relationship
  2. Database Description - contains a summary of all LSA headers
  3. Link State Request (LSR) - identifies one or more LSAs the router would like to receive
  4. Link State Update (LSU) - contains the requested LSAs
  5. Link State Acknowledgement - sent to confirm receipt of an LSU
OSPF Neighbors
• Discovered neighbors are stored in a neighbor table
• Every OSPF-enabled interface listens for packets destined to the multicast address 224.0.0.5 and also sends packets with that destination
• The following parameters must match:
  1. Area
  2. Timers – Hello and Dead Intervals
  3. Stub Flag
  4. Network Types (based on DR/BDR election)
  5. MTU
  6. Authentication
OSPF Network Types & Adjacencies
• OSPF Network Types affect the adjacency establishment process and the required configuration
• There are six OSPF Network Types:
  1. Broadcast
  2. Non-Broadcast
  3. Point to Point
  4. Point to Multipoint
  5. Point to Multipoint Non-Broadcast
  6. Loopback
OSPF Broadcast & Non-Broadcast
• Broadcast & Non-Broadcast
  - Used on multiaccess networks
  - Adjacencies are ONLY formed with the DR & BDR
  - DROTHERs use 224.0.0.6 (broadcast type)
  - The DR sends Hellos to 224.0.0.5 (broadcast type)
• DR Election Criteria:
  1. Highest OSPF Priority
  2. Highest OSPF Router ID
• DR/BDR election is NOT preemptive (set the OSPF Priority to 0 to exclude a particular device from the election)
• The Non-broadcast network type (default on FR multiaccess interfaces) requires the neighbor command
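The DR/BDR election criteria and the non-preemption rule above, as an added Python model (not IPexpert's code). Routers are constructed (Router ID, priority) pairs. The model covers the three cases a practitioner usually has to reason about: a fresh election, a higher-priority router joining an already-elected segment (nothing changes), and the DR failing (the BDR is promoted and a new BDR is elected from the rest).

```python
"""DR/BDR election on a broadcast or non-broadcast segment; added example, not IPexpert code."""


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def rank(router):
    """Election key: highest priority first, then highest Router ID."""
    rid, priority = router
    return (priority, ip_to_int(rid))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr) for the segment after one election round.
    routers: list of (router_id, priority). Priority 0 never participates.
    Non-preemptive: an existing DR/BDR that is still present is kept."""
    eligible = [r for r in routers if r[1] > 0]
    if not eligible:
        return None, None
    if current_dr in eligible and current_bdr in eligible:
        return current_dr, current_bdr            # nothing changes, whoever joined
    dr = current_dr if current_dr in eligible else None
    if dr is None:
        # DR gone (or first election): the BDR is promoted if it exists,
        # otherwise the best-ranked router becomes DR
        dr = current_bdr if current_bdr in eligible else max(eligible, key=rank)
    rest = [r for r in eligible if r != dr]
    bdr = max(rest, key=rank) if rest else None
    return dr, bdr
```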
OSPF Point-to-point
• Point to Point
  - Hellos are sent as multicast to 224.0.0.5
  - Neighboring routers automatically become adjacent
  - NO DR/BDR election
  - Faster convergence
OSPF Remaining Network Types
• Point to Multipoint & Point to Multipoint Non-Broadcast
  - Understand that there is no L2 connectivity between the Spokes
  - Routers advertise their IP addresses as host routes (/32) and the Next-Hop points to the Hub
  - The Non-Broadcast version uses unicast Hellos, which means that the neighbor command must be issued
• Loopback
  - Used on loopbacks and looped-back interfaces
  - Interfaces are advertised as host routes (/32)
OSPF Network Types - Recap
• Recap:
- DR and BDR election is performed on broadcast and non-broadcast networks only
- Unicast Hellos/updates are used on non-broadcast and point-to-multipoint non-broadcast networks (neighbor command required)
- Next-hop modifications (/32 host routes, next hop via the hub) are only performed on point-to-multipoint and point-to-multipoint non-broadcast networks
OSPF Areas
• An OSPF Area is a part of the network with its own link-state database; routers in an area hold the full topology of that area only
• Devices consume less memory and SPF takes less time to calculate
• Area 0 is called the backbone. All other areas must be connected to this area so that inter-area routes can be exchanged
• Topology changes within one area are not propagated to other areas - inter-area routes hide topology information (only a prefix and a cost cross the ABR)
• OSPF inter-area routing uses some Distance-Vector logic (an advertised metric instead of a topology); the backbone requirement exists to keep that inter-area routing loop-free
OSPF Router Types
• Area Border Router (ABR) has at least one interface connected to area 0 and is also connected to at least one other area
• Autonomous System Boundary Router (ASBR) is a device that injects prefixes external to the OSPF domain (e.g. when performing redistribution). A router can be both an ABR and an ASBR
OSPF Link State Advertisements (LSAs)
• An LSA is just a piece of topology information that routers use to build the LSDB
• LSAs are reliable - they are acknowledged (LSAck) and retransmitted if needed
• LSA sequence number, age (lifetime) and checksum are used to determine the most current instance of an LSA
• There are multiple types of LSA
OSPF LSA Types
• OSPF LSA Types:
- LSA Type 1 (Router LSA) lists the Router ID and all of the router's links/interface IP addresses in that area. Generated by each router for each area it belongs to. Flooded only within a particular area
- LSA Type 2 (Network LSA) is created by the DR and represents the subnet (mask) & Router IDs of all attached OSPF devices. LSA Type 2 is also known as the Pseudo-node and is flooded only within a particular area
- LSA Type 3 (Summary LSA) is created by the ABR and identifies networks reachable outside the area, including the default route injected into stub areas (external to the area but internal to the OSPF domain). This LSA contains the cost from the ABR to the destination network
OSPF LSA Types – cont.
• OSPF LSA Types:
- LSA Type 4 (ASBR Summary) is created by the ABR. Advertises a host route (the Router ID) used to reach an ASBR located in another area
- LSA Type 5 (External LSA) is created by the ASBR for external routes injected into the OSPF domain (external to the domain). A default route external to the OSPF domain is also described by an LSA Type 5. Flooded through the whole domain except stub-type areas
- LSA Type 7 (NSSA External) is the equivalent of an External LSA (Type 5), but inside an NSSA area. Created by the ASBR in the NSSA; the NSSA ABR translates it into a Type 5 for the rest of the domain
OSPF LSAs Example
OSPF Area Types
• OSPF Area Types:
- Standard Area - accepts all LSAs
- Stubby Area - prevents LSAs Type 4 & 5, which are replaced with a default route (Type 3). Does not allow redistribution
- Totally Stubby Area - no LSAs Type 3, 4 & 5; they are replaced with a default route (the only Type 3 allowed in). Does not allow redistribution
- Not So Stubby Area - same as a Stubby Area (no LSAs Type 4 & 5) but allows redistribution using LSA Type 7. A default route is NOT automatically generated (use area X nssa default-information-originate on the ABR)
- Not So Totally Stubby Area - same as a Totally Stubby Area (only LSAs Type 1, 2 and the default Type 3 enter) but allows redistribution using LSA Type 7. The default route is generated by default
OSPF Area Types Example
OSPF Cost
• Each OSPF link (interface) has an assigned cost
• By default, the interface cost is derived from the interface bandwidth (the bandwidth command, not the real link speed)
• The formula is reference bandwidth / interface bandwidth, with a reference bandwidth of 100 Mbps by default
• The result is an integer with a floor of 1, so any interface of 100 Mbps or faster gets the same cost (1): FastEthernet, GigabitEthernet and 10GE look identical to SPF
• To modify this behavior, change the 100 Mbps reference to another value with the auto-cost reference-bandwidth command, consistently on every router in the domain
• To define the cost manually use the ip ospf cost statement (it overrides the formula)
OSPF Path Selection
• OSPF Path Selection:
1. Longest-match prefix (performed by the RIB)
2. Route Type
3. Metric (Cost)
• OSPF Route Types, in order of preference:
1. Intra-Area routes („O”)
2. Inter-Area routes („O IA”) - paths through Area 0 are preferred over paths through other areas
3. External Routes Type 1 („E1”)
4. NSSA Routes Type 1 („N1”)
5. External Routes Type 2 („E2”)
6. NSSA Routes Type 2 („N2”)
• Any Type 1 external is preferred over any Type 2 external, regardless of cost
OSPF Route Types
• Intra-Area routes („O”) are paths to destinations within one of the router's attached areas
• Inter-Area routes („O IA”) are paths to destinations in another area but still within the OSPF domain
• External routes („E1” or „E2”) are, generally speaking, routes that were redistributed into the OSPF domain from an outside Autonomous System, so they are considered external to the OSPF domain. Type 1 = external (redistributed) cost + cost to the ASBR. Type 2 = redistributed cost only
• NSSA routes („N1” or „N2”) are very similar to External routes, the only exception being that they originate inside an NSSA area (LSA Type 7)
OSPF Path Calculations
• SPF calculations in OSPF are performed for intra-area routes
• The OSPF metric is the sum of the costs of the outgoing interfaces towards the destination
• For Inter-Area and Type 1 External routes the metric is the sum of the advertised cost and the cost to the ABR/ASBR; Type 2 External routes use the advertised cost only
• If there are two paths to a prefix with the same length, type and cost, equal-cost load balancing occurs (up to maximum-paths, 4 by default on IOS)
OSPF Path Calculations – cont.
• For Type 2 routes (External or NSSA), the end-to-end metric does not include the cost to the ASBR; that cost is tracked separately as the „forward metric”
• The „forward metric” describes the cost to the ASBR and is used as the tie-breaker when there is more than one E2 route with the same metric to a destination. For example:
R8#sh ip route 23.23.23.23
Routing entry for 23.23.23.0/24
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 66
  Last update from 58.0.0.5 on FastEthernet0/1, 01:41:14 ago
  Routing Descriptor Blocks:
  * 58.0.0.5, from 19.1.1.9, 01:41:14 ago, via ...
OSPF Path Calculations Example
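The cost formula and the type-then-cost route preference from the OSPF Cost, Path Selection and Path Calculations slides above, as an added Python example that is not part of the original deck. Bandwidths, costs, route types and the ABR/ASBR names are invented; the E1/N1 and E2/N2 pairs are given equal rank here, which is a simplification of the IOS tie-break between E and N routes.

```python
# Added example, not from the IPexpert slides: OSPF interface cost with the
# reference-bandwidth floor, and the type-then-cost route preference described
# on the slides, applied to invented candidate routes for one prefix.
from dataclasses import dataclass
from typing import List, Tuple


def interface_cost(bandwidth_kbps: int, reference_bandwidth_mbps: int = 100) -> int:
    """cost = reference bandwidth / interface bandwidth, integer, floored at 1.

    With the IOS default of 100 Mbps every link of 100 Mbps or faster costs 1,
    so raise auto-cost reference-bandwidth (on every router) on modern networks.
    """
    return max((reference_bandwidth_mbps * 1000) // bandwidth_kbps, 1)


def path_cost(link_bandwidths_kbps: List[int], reference_bandwidth_mbps: int = 100) -> int:
    """OSPF metric = sum of the outgoing interface costs along the path."""
    return sum(interface_cost(b, reference_bandwidth_mbps) for b in link_bandwidths_kbps)


# Route-type preference: intra-area, inter-area, type 1 externals, type 2 externals.
# E1/N1 (and E2/N2) share a rank here; IOS applies a finer E-vs-N tie-break not modeled.
TYPE_RANK = {"O": 0, "O IA": 1, "E1": 2, "N1": 2, "E2": 3, "N2": 3}


@dataclass
class Candidate:
    route_type: str
    path_cost: int            # cost to the destination (O) or to the ABR/ASBR (other types)
    advertised_cost: int = 0  # cost carried in the Type 3/5/7 LSA
    via: str = ""             # advertising router, for display only (invented names)

    def metric(self) -> int:
        if self.route_type == "O":
            return self.path_cost
        if self.route_type in ("O IA", "E1", "N1"):
            return self.advertised_cost + self.path_cost
        return self.advertised_cost           # E2/N2: redistributed cost only

    def forward_metric(self) -> int:
        """Cost to the ASBR: the 'forward metric' of show ip route, the E2/N2 tie-breaker."""
        return self.path_cost


def best_routes(candidates: List[Candidate]) -> List[Candidate]:
    """All candidates tied on (type, metric, forward metric): the equal-cost set
    OSPF would install and load-balance over, up to maximum-paths."""
    def key(c: Candidate) -> Tuple[int, int, int]:
        return (TYPE_RANK[c.route_type], c.metric(), c.forward_metric())
    best = min(key(c) for c in candidates)
    return [c for c in candidates if key(c) == best]


if __name__ == "__main__":
    # GigabitEthernet and a T1 with the default and a 10 Gbps reference bandwidth
    print(interface_cost(1_000_000), interface_cost(1_544))            # 1 64
    print(interface_cost(1_000_000, 10_000), interface_cost(1_544, 10_000))  # 10 6476
    routes = [Candidate("O IA", 10, 5, "ABR1"), Candidate("E1", 3, 2, "ASBR1"), Candidate("O", 40, via="R2")]
    print([c.via for c in best_routes(routes)])                         # ['R2']
```

The intra-area candidate wins with a cost of 40 against an E1 route that costs 5: route type is compared before cost, which is the point of the Path Selection slide.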
OSPF Virtual Links
• Area 0 should be contiguous and all areas must connect to it
• A Virtual Link is a logical connection to area 0 used to:
- Link an area to the backbone through a non-backbone area
- Connect the two parts of a partitioned backbone through a non-backbone area
• Once a Virtual Link is created between an ABR and another OSPF device, both ends are considered ABRs (the virtual link itself belongs to area 0)
• The transit area between both ends of a Virtual Link CANNOT be a Stub Area
• Because a Virtual Link is an area 0 interface, area 0 authentication applies to it: configure the key on the virtual-link command as well, or the link stays down
OSPF Graceful Restart
• OSPF Graceful Restart is also known as Non-Stop Forwarding (NSF)
• This feature allows the router to continue forwarding packets while its OSPF process restarts (e.g. during a route-processor switchover), without the neighbors tearing down the adjacencies and re-running SPF
• The two modes this feature may operate in are:
1. Restarting Mode - the OSPF router process is performing nonstop forwarding
2. Helper Mode - a neighboring router is restarting, and this router is helping in the nonstop forwarding recovery by keeping its adjacency and LSAs for the grace period
• Relies on CEF (the FIB keeps forwarding while the RIB is rebuilt)
OSPF Configuration
OSPF Configuration
• OSPF Process
  router ospf proc_nr
• Enable OSPF
  network IP_address wildcard area area_nr
  ip ospf proc_nr area area_nr [secondaries none]
• Router ID
  router-id router_id
• Hello & Dead Intervals
  ip ospf hello-interval value
  ip ospf dead-interval value
  ip ospf dead-interval minimal hello-multiplier multiplier
OSPF Configuration – cont.
• OSPF Network Types
  ip ospf network broadcast | non-broadcast | point-to-point | point-to-multipoint [non-broadcast]
• Area Types
  area area_nr stub [no-summary]
  area area_nr nssa [no-summary] [no-redistribution] [default-information-originate] [nssa-only]
• Default Route
  default-information originate [always]
• Authentication (per interface, or per area with area area_nr authentication [message-digest])
  ip ospf authentication [message-digest]
  ip ospf message-digest-key key_id md5 key
OSPF Configuration – cont.
• Virtual Link
  area transit_area_nr virtual-link router_id
• NSF (Graceful Restart)
  nsf [cisco | ietf]
Example OSPF Configuration
interface s0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf hello-interval 15
 ip ospf dead-interval 60
interface f0/1
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 1
 ip ospf cost 50
interface loopback 0
 ip address 172.16.1.1 255.255.255.0
 ip ospf network point-to-point
Example OSPF Configuration – cont.
router ospf 1
 router-id 1.1.1.1
 network 192.0.2.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
 area 1 nssa default-information-originate
Configuration Verification
show ip ospf neighbor
- Displays OSPF neighbor information on a per-interface basis
show ip ospf interface
- Displays OSPF-related interface information
show ip ospf
- Displays general information about OSPF routing processes
show ip ospf border-routers
- Displays the internal OSPF RIB entries to the ABRs and ASBRs
Configuration Verification – cont.
show ip ospf database
- Displays lists of information related to the OSPF database
show ip ospf virtual-links
- Displays virtual-link related information
show ip protocols
- Displays parameters and state of ACTIVE routing processes
2.05 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP General Information
• EIGRP is a Cisco-developed advanced distance-vector (often called „hybrid”) routing protocol; the deck calls it proprietary, but it was later published as informational RFC 7868
• Uses the Diffusing Update Algorithm (DUAL)
• EIGRP packets use IP protocol 88 and are sent to the multicast address 224.0.0.10
• Some packets (e.g. Updates) can be sent as unicasts as well
EIGRP Terminology
• Feasible Distance (FD) is the lowest metric the router has computed for a prefix (the successor's total metric)
• Advertised Distance (AD), also called Reported Distance (RD), is the FD from the neighbor's perspective, as reported in the Update message from that device
• Successor is the Next-Hop router with the lowest cost (FD) to a particular subnet
• Feasible Successor (FS) is a backup Next-Hop router which meets the Feasibility Condition
• The Feasibility Condition is met when the RD/AD for a route is strictly LOWER than the router's current FD for the prefix, which guarantees the neighbor is not routing back through this router
EIGRP Feasibility Condition Example
EIGRP Operations
• The three general steps that EIGRP follows are:
1. Neighbor Discovery - Hello messages are sent, and the following must match for the devices to become neighbors:
- Routers must be in the same primary subnet
- AS number must be the same
- Devices must pass authentication (if enabled)
- The K-values must match
2. Topology Exchange - full routing tables are exchanged initially and then only partial (triggered) updates are sent
3. Routing Table Update - based on the EIGRP Topology table (successors are installed in the RIB)
EIGRP Packet Types
• There are five types of EIGRP packets:
1. Hello - used to establish & maintain the neighborship
2. ACK - used to acknowledge Update, Query and Reply packets (Hellos and ACKs themselves are NOT acknowledged)
3. Update - contains route updates. Can be sent as multicast or unicast
4. Query - used during route computation if there is no FS for a route. Can be sent as multicast or unicast
5. Reply - sent as a response to a Query. Reply packets are always unicast
• EIGRP packets are transported using the Reliable Transport Protocol (RTP): Updates, Queries and Replies are sequenced and acknowledged
EIGRP Neighbor Relationship
• Hello packets are sent as multicasts (although they can be configured for unicast) sourced from the primary IP address of the interface
• When a Hello is received for the first time and all the parameters match, an adjacency forms and an Update packet is sent back
• The neighbor acknowledges the Update packet and sends back its own Update to the originator
• If an ACK is not received, retransmission occurs (as unicast, up to 16 times before the neighbor is reset)
EIGRP Metric Calculations
• A route's metric is computed from the neighbor's reported values plus the local link: the slowest bandwidth along the path and the cumulative delay (so it is not a plain „AD + link cost” addition, although the effect is similar)
• K-values are weights for the EIGRP metric components:
- K1 - Bandwidth (lowest in the path)
- K2 - Load (worst along the path)
- K3 - Delay (cumulative, in tens of microseconds)
- K4, K5 - Reliability (worst along the path)
- MTU is carried in updates but is not part of the formula
• Only bandwidth and delay are used to calculate the metric by default (K1 = K3 = 1, K2 = K4 = K5 = 0)
• Never change bandwidth to modify the metric - always use the delay (bandwidth also drives EIGRP packet pacing and QoS behavior)
EIGRP Metric Calculations Example
EIGRP Load Balancing
• By default only equal-cost Load Balancing is performed with EIGRP
• A feature that is unique to EIGRP is that it also supports unequal-cost Load Balancing (the traffic share is proportional to the ratio of the metrics)
• In order for a route to be considered for unequal-cost LB it must meet the Feasibility Condition (the AD of the route must be lower than the FD of the Successor)
• To enable unequal-cost Load Balancing use the variance command
• If FD * variance is greater than the total metric of an alternate (feasible) route, that route can be put into the RIB
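The composite metric, the Feasibility Condition and variance from the Terminology, Metric Calculations and Load Balancing slides above, worked end to end as an added Python example that is not part of the original deck. The topology (R1 learning one prefix from R2, R3 and R4 over FastEthernet, Ethernet and T1 links with their IOS default delays) is invented, and FD is simplified to the current successor's metric.

```python
# Added example, not from the IPexpert slides: the EIGRP composite metric,
# the Feasibility Condition and variance, worked on an invented topology in
# which R1 learns one prefix from neighbors R2, R3 and R4.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int
    delay_us: int           # IOS 'delay' is entered in tens of µs; stored here in µs
    load: int = 1           # 1..255, the worst value along the path is used
    reliability: int = 255  # 1..255, the worst (lowest) value along the path is used


DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5: only bandwidth (K1) and delay (K3) by default


def composite_metric(path: List[Link], k: Tuple[int, int, int, int, int] = DEFAULT_K) -> int:
    """Classic 32-bit EIGRP metric for a path of links.

    bandwidth term = 10^7 / slowest link (kbps), delay term = cumulative delay / 10;
    integer division matches what IOS does.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min(l.bandwidth_kbps for l in path)
    delay = sum(l.delay_us for l in path) // 10
    load = max(l.load for l in path)
    reliability = min(l.reliability for l in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                       # the reliability term only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual_decision(neighbors: Dict[str, Tuple[Link, List[Link]]], variance: int = 1) -> dict:
    """neighbors: name -> (link from this router to the neighbor, the neighbor's own path).

    RD = metric the neighbor reports (its own path only)
    FD = lowest total metric; simplified here to the current successor's metric
    FC = RD < FD, which keeps every candidate loop-free
    variance installs feasible successors whose total metric < FD * variance
    """
    rd = {n: composite_metric(tail) for n, (_, tail) in neighbors.items()}
    total = {n: composite_metric([head] + tail) for n, (head, tail) in neighbors.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = [n for n in neighbors if n != successor and rd[n] < fd]
    installed = [successor] + [n for n in feasible if total[n] < fd * variance]
    return {"successor": successor, "fd": fd, "rd": rd, "total": total,
            "feasible_successors": feasible, "installed": installed}


# Constructed topology: FastEthernet, Ethernet and T1 links with their IOS default delays.
FAST = Link(100_000, 100)
ETH = Link(10_000, 1_000)
T1 = Link(1_544, 20_000)
NEIGHBORS = {
    "R2": (FAST, [FAST]),   # R1-R2 FastEthernet, R2 reaches the prefix over FastEthernet
    "R3": (ETH, [FAST]),    # R1-R3 Ethernet, R3 reaches it over FastEthernet
    "R4": (FAST, [T1]),     # R1-R4 FastEthernet, R4 reaches it over a T1
}

if __name__ == "__main__":
    for v in (1, 10, 100):
        d = dual_decision(NEIGHBORS, variance=v)
        print(v, d["successor"], d["fd"], d["feasible_successors"], d["installed"])
```

R3 reports 28160 (less than the FD of 30720) and is a feasible successor; variance 10 installs it because its total metric of 284160 is below 307200. R4's T1 path reports 2169856, so it never passes the Feasibility Condition and stays out of the RIB even with variance 100, which is the gate the Load Balancing slide describes.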
EIGRP Query Process
• EIGRP actively searches for a lost route
• Queries are sent ONLY if there is no FS for a route
• A route that has lost its Successor is put into the „Active” state (valid routes are „Passive”)
• In general, a Query packet is sent to each EIGRP neighbor and if the neighboring router has a route for the queried destination it sends a Reply packet. Otherwise it extends the Query to its own neighbors
• When all Replies have been received, the topology table entry returns to the „Passive” state and Update packets are sent to the neighbors so the network can reconverge
EIGRP Query Process – cont.
• What happens when a router receives a Query? A router with no exact match in its topology table simply replies „unreachable”. If it does have the prefix:
• If the Query was NOT received from the Successor:
- The router sends a Reply with its current Successor
- If it does not have a Successor (e.g. the route is active) it replies with unreachable information
• If the Query was received from the Successor:
- The router looks for an FS and if it finds one it replies with this information
- If no FS was found it goes active and starts querying all neighbors except the previous successor
EIGRP Query Process - Example
EIGRP Query Process – cont.
• If the topology is large, the Query process can take a very long time to complete (each „Active” router must wait for every Reply)
• EIGRP has a built-in timer, called the Active timer, which limits the amount of time a route can stay Active
• If the Active timer expires, the route is declared Stuck-In-Active (SIA) and the neighbor relationships with all the neighbors that did not answer are reset
• To change the Active timer value (3 minutes by default), use the timers active-time command
• A better solution is to limit the scope of Queries
EIGRP Limiting Query Propagation
• The Query stops at a router that has no EXACT match for the prefix in its EIGRP topology table (it replies „unreachable” instead of querying further)
• There are three ways to affect Query propagation:
1. Summarization
2. Route Filtering
3. Stub Routers
Query Propagation - Summarization
Query Propagation – Route Filtering
• Filtered routes are not propagated
• Queries are still extended/forwarded, but a device that has the route filtered replies that the prefix is unreachable, so the Query goes no further
Query Propagation – Stub Routers
• Stub routers signal their neighbors not to query them (Stub routers should not be in a transit path)
EIGRP Stub Routing
• EIGRP Stubs can be used to limit the query boundary
• Commonly implemented in Hub & Spoke scenarios
EIGRP Stub Routing – cont.
• Stub routers are configured using the eigrp stub command
• There are a couple of different options available for this statement (the default is connected summary):
- connected, which advertises only the EIGRP-enabled connected interfaces (covered by the network command)
- summary, which advertises auto-summaries and/or manual EIGRP summaries
- static, which advertises static routes that are redistributed (via the redistribute static command)
- redistributed, which advertises routes redistributed from other sources
- receive-only, which does not allow the router to advertise any routes. This keyword cannot be combined with any other option
EIGRP Split Horizon
• An additional mechanism implemented to prevent routing loops: a route is not advertised back out of the interface it was learned on
• Split Horizon with Poison Reverse advertises a route with an unreachable (infinite) metric instead of not advertising it at all
• Three additional applications of Split Horizon are:
1. Initial routing table exchange - Poison Reverse each prefix
2. Topology Change (when the outgoing interface for a route changes) - Poison Reverse the old route on all other interfaces
3. Queries - queries received from the Successor are not sent back to it
EIGRP Configuration
EIGRP Configuration
• EIGRP Process & Interfaces
  router eigrp AS_nr
  network ip_address wildcard
• Auto-Summarization
  [no] auto-summary
• Hello & Hold Intervals
  ip hello-interval eigrp AS_nr seconds
  ip hold-time eigrp AS_nr seconds
• Unicast Hellos
  neighbor ip_address if_name
• Default Network
  ip default-network ip_address
EIGRP Configuration – cont.
• Split Horizon
  [no] ip split-horizon eigrp AS_nr
• K-Values
  metric weights tos k1 k2 k3 k4 k5
• Traffic Engineering (metric manipulation)
  delay value (in tens of microseconds)
• Bandwidth Limitation (share of the interface bandwidth EIGRP may use for its own packets)
  ip bandwidth-percent eigrp AS_nr percent
• Authentication
  key chain name / key id / key-string string
  ip authentication mode eigrp AS_nr md5
  ip authentication key-chain eigrp AS_nr name
Example EIGRP Configuration
router eigrp 10
 no auto-summary
 network 172.16.1.1 0.0.0.0
 network 192.0.2.1 0.0.0.0
 passive-interface f0/1
interface f0/1
 ip address 172.16.1.1 255.255.255.0
 ip hold-time eigrp 10 20
interface s0/0
 ip address 192.0.2.1 255.255.255.0
 bandwidth 1500
 no ip split-horizon eigrp 10
 ip bandwidth-percent eigrp 10 20
Configuration Verification
show ip eigrp neighbors
- Displays neighbors discovered by EIGRP
show ip eigrp interfaces
- Displays information about EIGRP-configured interfaces
show ip eigrp topology
- Displays Successors and Feasible Successors only
Configuration Verification – cont.
show ip eigrp topology all-links
- Displays ALL entries in the EIGRP topology table (including routes that fail the Feasibility Condition)
show ip protocols
- Displays parameters and state of ACTIVE routing processes
2.06 Implement IPv4 Border Gateway Protocol (BGP)
BGP General Information
• BGP is used to exchange routing information between multiple Autonomous Systems. An Autonomous System is a set of devices under a single technical administration
• BGP is a Path Vector protocol. The Path is the sequence of ASes used to reach a particular piece of Network Layer Reachability Information (NLRI), or just a prefix
• Each Path is described by several Path Attributes (PAs). An example Path Attribute is the AS_PATH, which is also used to guarantee that a particular Path is loop-free (a router rejects paths that already contain its own AS)
• Generally speaking BGP is not designed to route the traffic - it only advertises a prefix and a Next-Hop. IGP-learned information is used to reach that Next-Hop and forward the traffic
BGP General Information Example
BGP Peerings
• An Internal BGP (iBGP) session is created when two devices are in the same AS
• An External BGP (eBGP) session is formed between different ASes
BGP Operations
• BGP uses TCP port 179 in its operations. The session is an ordinary TCP connection, so protect it: neighbor password (TCP MD5), ttl-security (GTSM) and an interface ACL limiting port 179 to known peers
• Open messages are sent to establish the neighborship
• The session is maintained by periodic Keepalives
• Full routing tables are exchanged using Update messages (one Update message per distinct set of Path Attribute values; all prefixes sharing those attributes are packed into it)
• Afterwards only incremental updates are sent
• Networks are stored in the BGP Table and only the best route is passed to the RIB & other neighbors
BGP Next-Hop Processing
• The Next-Hop is automatically changed when a BGP Update flows between external BGP speakers (it is set to the update-sending router's peering IP address); it is NOT changed across iBGP sessions
• In BGP, the Control Plane (where the prefix was learned from) may differ from the Data Plane (where packets are actually sent)
• BGP peers don't have to be directly connected since TCP is used for transport
BGP Next-Hop Processing Example
BGP Next-Hop Processing – cont.
• There are three ways to resolve the Next-Hop reachability problem:
1. IGP or static routing to the Next-Hop subnet
2. Advertise the Next-Hop subnet via BGP (network command)
3. Modify the Next-Hop value:
- The next-hop-self option of the BGP neighbor command
- A route-map with the set ip next-hop option
BGP Third-Party Next-Hop
BGP Synchronization
• Legacy feature
• Used in the past when BGP tables were redistributed into an IGP
• Synchronization was used to ensure that before a prefix learned via iBGP was advertised or used, the IGP already knew about it (otherwise non-BGP routers in the transit path would black-hole the traffic)
BGP Synchronization Example
BGP Path Attributes
• BGP attributes can be either well-known or optional
• Well-known attributes must be understood by every BGP implementation; there are two types of them:
1. Mandatory - must be included in every BGP Update. These are AS_PATH, NEXT_HOP and ORIGIN
2. Discretionary - not required in every BGP Update. Examples are LOCAL_PREF and ATOMIC_AGGREGATE
• Optional attributes do not have to be understood by every implementation; there are two types of them:
1. Transitive - should be forwarded (flagged as partial) even if not understood. Examples are COMMUNITY and AGGREGATOR
2. Non-transitive - should be dropped if not understood. Examples are MED, ORIGINATOR_ID and CLUSTER_LIST
BGP Path Attributes – cont.
• BGP Path Attributes:
- AS_PATH - lists the ASes that a particular route has traversed. Affects inbound traffic (prepend it on outbound updates)
- Next-Hop - the IP address used to reach a particular prefix
- Origin - origin of the information. „i” means IGP (network command), „e” means EGP, „?” means incomplete (redistributed)
- MED - used to indicate the preferred entry point into the AS. Affects inbound traffic, you set it outbound
- Local Preference - local to the AS, indicates which path is preferred to exit the AS. Affects outbound traffic, you set it inbound
- Weight - similar to Local Preference but Cisco-specific and local to the device (never advertised). Affects outbound traffic, you set it inbound
BGP Path Attributes – cont.
• BGP Communities are used to tag a group of prefixes that share a common characteristic
• There are 3 predefined, well-known Communities:
1. No Export - limits a prefix to the local AS (or confederation) only
2. No Advertise - does not allow the prefix to be advertised to ANY peer
3. Local AS - limits a prefix to the Sub-AS only (BGP Confederations)
• Communities are optional transitive, so they cross AS boundaries unless stripped; filter what you accept from eBGP peers
BGP Path Selection
• To be considered for best path selection, a path has to meet three criteria:
1. The path cannot have the local AS number in the AS_PATH
2. The Next-Hop has to be reachable
3. If BGP Synchronization is on, the prefix has to be in the RIB (learned via the IGP)
• The BGP best path selection logic is „find a winner in the earliest step possible”
BGP Path Selection – cont.
• There are ten steps in the best path selection process:
1. Weight (the higher, the better)
2. Local Preference (the higher, the better)
3. Locally injected routes (network, redistribution, summary) are preferred. Local routes have a Next-Hop of 0.0.0.0
4. AS_PATH (the shorter, the better)
5. Origin (prefer „i” over „e” over „?”)
6. MED (lower value wins; by default only compared between paths from the same neighboring AS)
7. Neighbor type (prefer eBGP over iBGP)
8. IGP metric to the Next-Hop (lower wins)
9. Oldest path is preferred (more stable; applies to eBGP paths)
10. Router ID - lower value is preferred
BGP Split Horizon
• Internal BGP peerings cannot use the AS_PATH mechanism to detect a loop (they are all in the same AS and the AS_PATH is not changed)
• The BGP Split Horizon rule states that updates learned from iBGP peers will not be further propagated to other internal neighbors
• This rule is also known as the Full Mesh iBGP requirement
BGP Split Horizon Example
BGP Route Reflectors
• Route Reflectors are the first method of alleviating the Split Horizon rule (Full Mesh iBGP)
• Route Reflector Servers are able to forward (reflect) routes received from internal BGP neighbors to other internal BGP neighbors
• Route Reflector Clients are configured on the Server, whereas the remaining BGP devices are called Non-Clients
• A Route Reflector and its clients form a Cluster
BGP Route Reflectors
• There are three rules of Route Reflection:
1. If the route was learned from a Non-Client iBGP peer, it is reflected to Clients ONLY
2. If the route was learned from a Client, it is reflected to all Clients and Non-Clients, except the originating client
3. If the route was learned from an eBGP peer, it is advertised to all Clients and Non-Clients
BGP Route Reflectors Example
BGP Route Reflectors – cont.
• Loop detection for Route Reflection works on two attributes - ORIGINATOR_ID and CLUSTER_LIST
• ORIGINATOR_ID contains the Router ID of the originator of the route in the local AS; a router drops an update carrying its own Router ID
• CLUSTER_LIST records the Cluster ID of every Route Reflector the update has passed through; a reflector drops an update that already contains its own Cluster ID
BGP Confederations
• Used to reduce the need for Full Mesh iBGP
• Confederations divide an Autonomous System into smaller ASes, called sub-Autonomous Systems
• Peers inside the same sub-AS are called confederation iBGP peers
• Routers in different sub-ASes are considered confederation eBGP peers
• The Full Mesh iBGP requirement still applies within a sub-AS
• The Next-Hop is NOT modified between confederation eBGP peers (Local Preference and MED are preserved as well)
BGP Confederations Example
BGP Configuration
BGP Configuration
• Enable BGP
  router bgp AS_nr
• Configure Peerings
  neighbor ip_address remote-as AS_nr
• Update Source
  neighbor ip_address update-source if_name
• Synchronization
  [no] synchronization
• TTL Modifications
  neighbor ip_address ebgp-multihop [ttl]
  neighbor ip_address disable-connected-check
  neighbor ip_address ttl-security hops hop_count (GTSM: accept only packets whose TTL is at least 255 minus hop_count; prefer it over ebgp-multihop, which only raises the TTL that is sent)
• Session Protection
  neighbor ip_address password string (TCP MD5 signature, RFC 2385)
BGP Configuration – cont.
• Next-Hop Modifications
  neighbor ip_address next-hop-self
• Network Advertisement
  network ip_address mask mask
• Path Attributes: Weight
  neighbor ip_address weight value
  set weight value
• Path Attributes: Local Preference
  set local-preference value
• Path Attributes: AS_PATH
  set as-path prepend as1 as2 ...
BGP Configuration – cont.
• Path Attributes: Origin
  set origin code
• Path Attributes: MED
  set metric value
• Path Attributes: Communities
  set community value
  neighbor ip_address send-community
• Apply the Route-Map
  neighbor ip_address route-map name in|out
BGP Configuration – cont.
• Always Compare MED
  bgp always-compare-med
• Missing MED
  bgp bestpath med missing-as-worst
• Route Reflection
  neighbor ip_address route-reflector-client
BGP Configuration – cont.
• Confederation Peers
  bgp confederation peers as1 as2 ...
• Real AS Number
  bgp confederation identifier AS_nr
• Soft Reconfiguration
  neighbor ip_address soft-reconfiguration inbound
  clear ip bgp * soft [in|out]
Example BGP Configuration #1
router bgp 100
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 ebgp-multihop 2

router bgp 200
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source loopback2
 neighbor 1.1.1.1 ebgp-multihop 2
Example BGP Configuration #2
R2
router bgp 65100
 bgp confederation identifier 200
 bgp confederation peers 65200
 neighbor 3.3.3.3 remote-as 65200
 neighbor 3.3.3.3 update-source loopback0
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 1.1.1.1 remote-as 65100
 neighbor 1.1.1.1 update-source loopback0
Configuration Verification
show ip bgp summary
- Displays the status of BGP neighbors
show ip bgp
- Displays the BGP table
show ip bgp community
- Displays routes that belong to the specified BGP community
show ip bgp neighbors
- Displays information about BGP and TCP connections to neighbors
show ip protocols
- Displays parameters and state of ACTIVE routing processes
2.07 Implement Policy Routing
Policy Routing
• The standard routing process is destination-based
• Policy-Based Routing (PBR) allows packets to be routed based on other fields, e.g. the source IP address, protocol or packet length
• Policy Routing takes precedence over standard forwarding for the traffic it matches; packets that match no permit entry, or whose set next-hop/interface is unusable, are forwarded by the routing table as usual
• Route-maps are used for configuration
• To affect locally generated traffic a feature called Local Policy-Based Routing is used
Policy Routing – Route Maps
• „Leave after the first match” logic, the same as with ACLs (the order of entries IS important)
• Each route-map ends with an implicit „deny” entry that matches all the traffic not matched by previous entries (in PBR a deny means „route normally”, not „drop”)
• A route-map entry with no match statement also matches everything („match any”)
• Multiple arguments in the same „match” line correspond to a logical OR
• Multiple „match” statements within the same entry (separate lines) correspond to a logical AND
Policy Routing Configuration
• Route-Map & "Match" Options
  route-map name permit|deny [seq_nr]
   match ...
   set ...
• "Match" Options
  match ip address ACL_nr
  match length min max
• "Set" Options
  set ip next-hop ip_address
  set ip default next-hop ip_address
  set interface if_name
  set default interface if_name
  set ip precedence value
  set ip tos value
Policy Routing Configuration – cont.
• Reliable Policy-Based Routing
  ip sla monitor ...
  track nr ...
  set ip next-hop verify-availability ip_address seq track nr
• Policy-Based Routing
  ip policy route-map name
• Local Policy-Based Routing
  ip local policy route-map name
Example Policy Routing Configuration
route-map TEST permit 10
 match ip address 120 121
 match length 120 120
 set interface null0
route-map TEST permit 20
 match interface s0/0
 set ip precedence 5
Case Study
• All IP traffic from PC 10.1.1.1 should go to ISP A
• Active Mode FTP from PC 10.1.1.2 should go to ISP B
Case Study - Solution
• Match the appropriate traffic
  access-list 100 permit ip host 10.1.1.1 any
  access-list 150 permit tcp host 10.1.1.2 any eq 20
• Create the Route-Map & Apply the Policy
  route-map PBR permit 10
   match ip address 100
   set ip next-hop 192.0.2.2
  route-map PBR permit 20
   match ip address 150
   set interface serial0/1
  interface f0/0
   ip policy route-map PBR
Configuration Verification
show ip policy
- Displays policy route-maps
show ip local policy
- Displays the local policy route-map
show route-map
- Displays route-map information
debug ip policy
- Shows which packets are policy-based routed
2.08 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)
PfR
• Performance Routing (PfR) was previously known as Optimized Edge Routing (OER)
• PfR was created to extend standard lowest-cost metric routing
• PfR takes into account the following traffic characteristics : packet loss, response time, traffic load, path availability
PfR Components
• The main PfR components are :
  1. Master Controller - processes the information received from the Border Routers and communicates a routing decision back to them
  2. Border Routers - the actual PfR policy enforcement points
PfR Process
• The five phases of Performance Routing are :
  1. Profile Phase – traffic classes are discovered (flows experiencing some performance issues)
  2. Measure Phase – traffic performance metrics are measured on the Border Routers and then reported to the Master Controller
     Active measurement – based on IP SLA
     Passive measurement – based on NetFlow and interface counters
  3. Apply Policy Phase – the collected performance metrics are compared against predefined thresholds. When a threshold is crossed, an Out-Of-Policy (OOP) event is generated
PfR Process – cont.
• The five phases of Performance Routing are :
  4. Control Phase – the policy enforcement phase. Traffic paths are optimized by manipulating routing (e.g. injecting a static or BGP route) or by using the Policy-Based Routing feature
  5. Verify Phase – verification of the optimized traffic path. If a particular traffic class still remains "OOP", OER goes through all the phases once again, trying to adjust the policy
PfR Configuration - Foundations
• OER Master
  oer master
   border ip_address [key-chain kchain]
    interface if_name internal|external
• OER Border
  oer border
   master ip_address [key-chain kchain]
   local if_name
PfR Configuration – Profile Phase
• Automatic Learning
  oer master
   learn
    delay
    throughput
    periodic-interval time_interval
    monitor-period time_interval
    prefixes number
• Manual Traffic Classes
  ip prefix-list name permit|deny ip_address/pref
  oer-map map_name seq
   match ip address prefix-list name
  oer master
   policy-rules map_name
PfR Configuration – Measure Phase
• Active Monitoring
  oer master
   mode monitor active
   active-probe echo|udp-conn|tcp-conn
PfR Configuration – Apply Policy Phase
• The Policy
  oer-map map_name seq
   match ip address prefix-list prefix-list-name
   set delay {relative percent|threshold maximum}
   set loss {relative average|threshold maximum}
  oer master
   policy-rules map_name
• Link Utilization
  oer master
   border ip_address
    interface if_name internal|external max-xmit-utilization percentage value
PfR Configuration – Control Phase
• Active Control Mode
  oer master
   mode route control
  oer-map map_name seq
   set mode route control
• Static Route Injection
  oer master
   mode route metric static tag tag_nr
• BGP Local Preference
  oer master
   mode route metric bgp local-pref local_pref
PfR Configuration – Verify Phase
• NetFlow
• Logging
  oer master|border
   logging
Example PfR Configuration
key chain KCHAIN
 key 1
  key-string ipexpert
ip prefix-list PREF permit 192.0.2.0/24
oer-map OER_MAP 10
 match ip address prefix-list PREF
 set mode monitor active
Example PfR Configuration – cont.
oer master
 policy-rules OER_MAP
 active-probe tcp-conn 192.0.2.1 target-port 23
 logging
 mode route control
 mode route metric static tag 2000
 learn
  delay
  monitor-period 10
  periodic-interval 60
  prefixes 100
 delay threshold 300
Example PfR Configuration – cont.
oer master
 border 10.1.1.1 key-chain KCHAIN
  interface fa0/0 internal
  interface serial0/0 external
   max-xmit-utilization percentage 50
 border 10.2.2.2 key-chain KCHAIN
  interface fa0/0 internal
  interface serial0/0 external
   max-xmit-utilization percentage 70
Example PfR Configuration – cont.
key chain KCHAIN
 key 1
  key-string ipexpert
oer border
 master 10.3.3.3 key-chain KCHAIN
 local fa0/0

route-map RED_RMAP
 match tag 2000
router ospf 1
 redistribute static route-map RED_RMAP
Configuration Verification
show oer master
- Displays information about the Master Controller
show oer border
- Displays information about the Border Routers and OER-controlled interfaces
show oer master prefix
- Displays the status of monitored prefixes
show oer master policy
- Displays the policy settings on the OER Master Controller
show oer border routes
- Displays information about OER-controlled routes
2.09 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features
Summarization
• Route summarization is a technique of grouping IP networks together to minimize route advertisements
• Summarization saves CPU and memory resources and hides topology information
• RIPv2 and EIGRP perform automatic summarization at classful network boundaries
• Auto summarization may cause problems when, for example, discontiguous subnets are used
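An added example (written for this edit, not part of the IPexpert slides) that does the arithmetic behind the bullets above: it computes the tightest single summary for a set of component prefixes, finds the classful boundary that auto-summary would use, tells a supernet (which EIGRP can advertise but RIP cannot) from a classful-or-longer summary, and flags the discontiguous-subnet situation, where the same classful network has subnets behind different routers. It uses only Python's standard ipaddress module; the prefixes and router names are constructed sample input.

```python
import ipaddress


def classful_length(prefix):
    """Prefix length of the class A/B/C network that contains this prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8          # class A
    if first_octet < 192:
        return 16         # class B
    if first_octet < 224:
        return 24         # class C
    raise ValueError(f"{prefix} is not a class A, B or C address")


def classful_network(prefix):
    """The classful network auto-summary would advertise for this prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    length = classful_length(prefix)
    shift = 32 - length
    return ipaddress.IPv4Network(((int(net.network_address) >> shift) << shift, length))


def summary_route(prefixes):
    """Tightest single prefix covering every component: the longest run of
    leading bits that all network addresses share, capped at the shortest
    component length so that every component stays inside the summary."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    first = int(nets[0].network_address)
    common = min(n.prefixlen for n in nets)
    for n in nets:
        other = int(n.network_address)
        while common > 0 and (first >> (32 - common)) != (other >> (32 - common)):
            common -= 1
    shift = 32 - common
    return ipaddress.IPv4Network(((first >> shift) << shift, common))


def is_supernet(prefix):
    """True when the summary is shorter than its classful boundary
    (e.g. 192.168.0.0/23): EIGRP can advertise such a summary, RIP cannot."""
    return ipaddress.IPv4Network(prefix, strict=False).prefixlen < classful_length(prefix)


def discontiguous_classful_networks(prefix_to_site):
    """Given {subnet: router/site it sits behind}, return the classful networks
    whose subnets are split across more than one site. With auto-summary on,
    each site would advertise the same classful route and remote routers could
    not tell the pieces apart."""
    sites = {}
    for prefix, site in prefix_to_site.items():
        sites.setdefault(classful_network(prefix), set()).add(site)
    return {str(net) for net, s in sites.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed sample input
    components = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print("summary of", components, "->", summary_route(components))
    classc = ["192.168.0.0/24", "192.168.1.0/24"]
    s = summary_route(classc)
    print("summary of", classc, "->", s, "(supernet)" if is_supernet(str(s)) else "")
    layout = {"10.1.1.0/24": "R1", "10.1.2.0/24": "R2", "172.16.1.0/24": "R1"}
    print("discontiguous classful networks:", discontiguous_classful_networks(layout))
```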
Summarization Example
Summarization – cont.
• To disable auto summarization use the no auto-summary command (works for RIP & EIGRP)
• RIPv2 manual summarization can be configured using the ip summary-address rip statement
• EIGRP can summarize networks to supernets, whereas RIP cannot
• EIGRP can unsuppress the component routes so that not only the summary is sent. This feature is known as Leak-Map
• EIGRP summarization can be performed using the ip summary-address eigrp [leak-map] command
Summarization – cont.
• OSPF requires the same copy of the database within an area
• Summarization in OSPF can only take place on ABRs (inter-area routes) and ASBRs (external routes)
• To configure inter-area summarization on ABRs use the area area_nr range [not-advertise] command
• To configure external route summarization on ASBRs use the summary-address IP_address mask [not-advertise] command
Summarization – cont.
• BGP auto summarization to classful boundaries (auto-summary) applies only to connected, static, and redistributed routes
• Two other methods to summarize in BGP are :
  1. Create a Null route and advertise it via the network statement
  2. Use the aggregate-address [summary-only] [suppress-map] command
• The second option requires at least one subnet of the summary to exist in the BGP table
• A catch-all route to Null0 is always created when summarizing in EIGRP, OSPF and BGP (but not in RIP)
Route Filtering
• Route Filtering is a technique used to prevent the propagation of routing updates
• Possible applications are redistribution, traffic engineering and network security
Prefix Lists
• A Prefix List specifies two things :
  1. A prefix with its length, e.g. 10.1.1.0/24
  2. A prefix length range, e.g. "ge 25 le 32"
• Both these things are checked during the comparison
• An example prefix list may look like this :
  ip prefix-list FILTER permit 192.0.0.0/16 le 24
• This prefix list matches 192.0.100.0/24 but not 192.0.100.0/25
Prefix Lists – cont.
• Match-ALL prefix list example :
  ip prefix-list MATCH_ALL permit 0.0.0.0/0 le 32
• Match all Class A prefixes :
  ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8
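An added example (written for this edit, not part of the IPexpert slides) modelling the prefix-list comparison described on the two slides above. Each entry is checked in two parts: the candidate's leading bits must equal the entry's prefix bits, and the candidate's own length must fall inside the range that ge/le define. The three prefix lists are the ones from the slides, and the candidate prefixes are constructed sample input.

```python
import ipaddress


def entry_matches(candidate, entry_prefix, ge=None, le=None):
    """Return True if one prefix-list entry matches the candidate prefix.

    Length part (which candidate lengths the entry accepts):
        no ge, no le -> exactly the entry's own length
        ge only      -> ge .. 32 (128 for IPv6)
        le only      -> entry length .. le
        ge and le    -> ge .. le
    Prefix part: the candidate's first <entry length> bits must equal the entry's.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    ent = ipaddress.ip_network(entry_prefix, strict=False)
    entry_len = ent.prefixlen
    bits = ent.max_prefixlen

    low = ge if ge is not None else entry_len
    high = le if le is not None else (bits if ge is not None else entry_len)
    if not (low <= cand.prefixlen <= high):
        return False

    if entry_len == 0:                 # a /0 entry places no condition on the bits
        return True
    if cand.prefixlen < entry_len:     # fewer bits than the entry: cannot match
        return False
    shift = bits - entry_len
    return (int(cand.network_address) >> shift) == (int(ent.network_address) >> shift)


def prefix_list_permits(entries, candidate):
    """Walk the entries in sequence order; the first match decides.
    entries: list of (action, prefix, ge, le). No match means implicit deny."""
    for action, prefix, ge, le in entries:
        if entry_matches(candidate, prefix, ge, le):
            return action == "permit"
    return False


# The three prefix lists from the slides, as (action, prefix, ge, le) tuples
FILTER = [("permit", "192.0.0.0/16", None, 24)]     # ip prefix-list FILTER permit 192.0.0.0/16 le 24
MATCH_ALL = [("permit", "0.0.0.0/0", None, 32)]     # ip prefix-list MATCH_ALL permit 0.0.0.0/0 le 32
CLASS_A = [("permit", "0.0.0.0/1", 8, 8)]           # ip prefix-list CLASS_A permit 0.0.0.0/1 ge 8 le 8

if __name__ == "__main__":
    # Constructed candidate prefixes
    candidates = ["192.0.100.0/24", "192.0.100.0/25", "192.1.0.0/24",
                  "10.0.0.0/8", "10.1.0.0/16", "128.0.0.0/8", "0.0.0.0/0"]
    for name, plist in (("FILTER", FILTER), ("MATCH_ALL", MATCH_ALL), ("CLASS_A", CLASS_A)):
        for cand in candidates:
            verdict = "permit" if prefix_list_permits(plist, cand) else "deny"
            print(f"{name:9} {cand:16} -> {verdict}")
```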
Route Filtering – RIP
• RIPv2 :
  Passive interface (passive-interface)
  Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes which we want to filter. An extended ACL can also specify the source of the routing update
  Offset lists (offset-list). Used to manipulate the metric
  Administrative Distance (distance). Setting the AD to 255 prevents a route from being placed in the RIB
Route Filtering – EIGRP
• EIGRP :
  Passive interface (passive-interface). In EIGRP it prevents forming an adjacency (no Hellos are sent)
  Distribute-lists (distribute-list in|out). A standard ACL can only specify the routes which we want to filter. An extended ACL can also specify the source of the routing update. Route-maps can be used to match a route metric or a tag
  Administrative Distance (distance). Setting the AD to 255 prevents a route from being placed in the RIB
Route Filtering – OSPF
• Distance Vector protocols advertise routes from the RIB
• Route Filtering has no effect on the topology database in link-state protocols
• OSPF :
  Stub Areas
  LSA Type 3 Filtering (area filter-list prefix [in|out])
  Summarization (area range not-advertise)
  Distribute-lists (distribute-list in). Works only inbound, preventing the routes derived from LSAs from being installed in the RIB
  Administrative Distance (distance). Does not affect the LSAs in the database. The LSA originator is treated as the source of the update
Route Filtering – BGP
• The neighbor command or route-maps can be used for route-filtering in BGP
• Regular Expression (regexp) meta-characters :
  "." matches any character
  [0-9] matches any single digit
  [a-z] matches any single lower-case letter
  [A-Z] matches any single upper-case letter
  "_" matches a space or the beginning/end of the AS Path list
  "^" matches the beginning of a string
  "$" matches the end of a string
Route Filtering – BGP – cont.
• Occurrence Modifiers (refer to the preceding character) :
  "?" means one or zero times
  "*" means zero or more times
  "+" means one or more times
• Regexp examples :
  "a*" - Any number of consecutive occurrences of the letter "a", including none. For example "", "a", "aa", "aaa"
  "ab?a" - Matches "aa" or "aba"
  "[0-9]+" - Matches one or more digits
Route Filtering – BGP – cont.
• BGP :
  Prefix Lists (neighbor prefix-list [in|out])
  Distribute-lists (neighbor distribute-list in|out). An extended ACL can match the network mask. The source portion of the ACL defines the prefix, and the destination portion, along with the destination mask, determines the prefix length
  Filter Lists (neighbor filter-list [in|out]). To define an AS Path ACL use the ip as-path access-list statement
  Route-maps (neighbor route-map [in|out]). User-defined communities can be created using the ip community-list command
Route Filtering Examples
• Example ACLs for Distribute Lists. ACL 102 matches only 30.0.0.0/22, whereas ACL 105 matches 30.0.x.0/24
  access-list 102 permit ip 30.0.0.0 0.0.0.0 255.255.252.0 0.0.0.0
  access-list 105 permit ip 30.0.0.0 0.0.255.255 255.255.255.0 0.0.0.0
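An added example (written for this edit, not part of the IPexpert slides) that applies the two ACLs above to candidate routes the way a BGP distribute-list does: the source part of each entry is compared with the route's network address and the destination part with the route's subnet mask, both under Cisco wildcard semantics (a 1 bit in the wildcard means "don't care"). The ACL text is the slide's two lines written out in full, and the candidate prefixes are constructed.

```python
import ipaddress


def wildcard_match(value, base, wildcard):
    """Cisco wildcard comparison: only the bits that are 0 in the wildcard are compared."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (b & care)


def parse_ace(line):
    """Parse one 'access-list N permit|deny ip SRC SRC_WC DST DST_WC' line
    (the only ACE form this example supports)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    number, action = tok[1], tok[2]
    return number, (action, tok[4], tok[5], tok[6], tok[7])


def parse_acls(text):
    """Group ACEs by ACL number, keeping their order."""
    acls = {}
    for line in text.strip().splitlines():
        number, ace = parse_ace(line.strip())
        acls.setdefault(number, []).append(ace)
    return acls


def route_permitted(acl, prefix):
    """Distribute-list check of a route: the first matching ACE decides,
    and an ACL that matches nothing denies (implicit deny)."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    for action, src, src_wc, dst, dst_wc in acl:
        prefix_ok = wildcard_match(str(net.network_address), src, src_wc)
        mask_ok = wildcard_match(str(net.netmask), dst, dst_wc)
        if prefix_ok and mask_ok:
            return action == "permit"
    return False


# The two entries from the slide, written out in full
ACL_TEXT = """
access-list 102 permit ip 30.0.0.0 0.0.0.0 255.255.252.0 0.0.0.0
access-list 105 permit ip 30.0.0.0 0.0.255.255 255.255.255.0 0.0.0.0
"""
ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    # Constructed candidate routes
    for number in ("102", "105"):
        for prefix in ("30.0.0.0/22", "30.0.0.0/24", "30.0.17.0/24", "30.0.4.0/22", "30.1.0.0/24"):
            verdict = "permit" if route_permitted(ACLS[number], prefix) else "deny"
            print(f"ACL {number} {prefix:14} -> {verdict}")
```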
• Example AS Path regexps :
  .* - Matches all AS Paths
  ^$ - Matches all NLRIs originated in the local AS
  ^123$ - Matches an AS_PATH with the single AS 123
  ^54 - Matches an AS_PATH which begins with 54
  ^1_4$ - Matches an AS_PATH originated in AS 4 with the direct neighbor in AS 1
  _50_ - Matches ASN 50 somewhere in the AS_PATH
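An added example (written for this edit, not part of the IPexpert slides) that evaluates the IOS-style AS-path regular expressions from the three BGP slides above against sample AS paths, and models an ip as-path access-list on top of them. The only IOS-specific token is "_", which this code translates into a group matching any AS-path delimiter; everything else on the slides (., [0-9], ^, $, ?, *, +) has the same meaning in Python's re module. The AS paths are constructed sample strings in the form the BGP table prints them.

```python
import re

# IOS "_" matches any delimiter in an AS path: the start or end of the path,
# a space, a comma, or the braces/parentheses around AS_SET and confederation
# segments. Limitation of this simple translation: a literal "_" inside a
# bracket expression would be rewritten as well.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern):
    return pattern.replace("_", UNDERSCORE)


def as_path_matches(pattern, as_path):
    """as_path is the AS_PATH string as 'show ip bgp' prints it
    ('' for a locally originated NLRI, e.g. '1 4' for two hops)."""
    return re.search(ios_regex_to_python(pattern), as_path) is not None


def as_path_acl_permits(acl, as_path):
    """ip as-path access-list semantics: entries are tried in order, the first
    match decides, and a path that matches nothing is denied."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Constructed AS paths, one per BGP table entry
SAMPLE_PATHS = ["", "123", "1 4", "54 100", "540 100", "100 50 200", "100 500", "1234"]
SLIDE_PATTERNS = [".*", "^$", "^123$", "^54", "^54_", "^1_4$", "_50_"]

if __name__ == "__main__":
    for pattern in SLIDE_PATTERNS:
        hits = [p or "(empty)" for p in SAMPLE_PATHS if as_path_matches(pattern, p)]
        print(f"{pattern:7} -> {hits}")
    # A filter that drops everything passing through AS 50 and permits the rest
    acl = [("deny", "_50_"), ("permit", ".*")]
    for path in SAMPLE_PATHS:
        print(f"path {path or '(empty)':12} -> {'permit' if as_path_acl_permits(acl, path) else 'deny'}")
```

Note the difference between ^54 and ^54_: the first also matches a path that begins with AS 540, which is why the delimiter is needed whenever a whole AS number is meant.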
Redistribution
• Redistribution allows one or more routers to take routes learned via one routing protocol and advertise those routes via another routing protocol
• To define the source routing protocol use the redistribute command. The router statement (routing protocol process) defines the "receiving" protocol
• For example, to redistribute all OSPF routes including subnets into RIP, the following configuration is required :
  router rip
   redistribute ospf 1 subnets
Redistribution – cont.
• Different routing protocols use different metrics. Only OSPF assigns a default metric (20) to redistributed routes if none was specified
• Three ways to specify a metric :
  1. The metric keyword
  2. The default-metric statement
  3. A route-map
• The logic of the "redistribute" command :
  Redistribute all the routes from the RIB that were learned by the routing protocol I am redistributing from
  Redistribute all connected interfaces that were designated by the network command
Route-Maps
• Route-maps can be used with redistribution to limit the prefixes that will be redistributed
• Some additional attributes can be set for the redistributed routes (e.g. a tag)
• All the prefixes matched in a "deny" route-map statement will be filtered
• Always remember that there is a default "deny" entry at the end
Redistribution Problems
• If there are multiple points where redistribution is performed, problems such as suboptimal routing or routing loops may occur
• Always remember that the information learned from one routing domain (X) should never be announced back into that domain (X)
• To fix problems related to redistribution we can use :
  Administrative Distance
  Route Filtering
  Another Redistribution
Redistribution Problems – cont.
• Administrative Distance can be configured so that you can assign different AD values to different routes (distance)
• For example, to change OSPF's AD for external routes use the distance ospf external statement
• EIGRP raises the AD to 170 for external routes by default
• To set the AD to 169 for the routes 1.2.3.0/24 and 1.2.4.0/24 received from 10.1.1.1 we would use the following configuration :
  access-list 2 permit host 1.2.3.0
  access-list 2 permit host 1.2.4.0
  router rip
   distance 169 10.1.1.1 0.0.0.0 2
Redistribution Problems – cont.
• Route Filtering can be used to limit the prefixes that will be redistributed. Things like distribute-lists or route tags can be used here
• Another redistribution may help in certain scenarios
• If a redistributed prefix was already known, consider increasing the metric value so that the native route is preferred
Case Study
• Full reachability to R1's Loopback 0 network is required
Case Study - Solution
1. Increase the OSPF distance of external routes to a value higher than 120 :
   router ospf 1
    distance ospf external 130
2. Redistribute RIP into OSPF on R2 :
   router ospf 1
    redistribute rip subnets

   R5(config)#do show ip eigrp topology
   ...
   P 1.1.1.0/24, 0 successors, FD is Inaccessible
           via 10.1.45.4 (2560002816/2560000256), FastEthernet0/1
Case Study - Solution
3. Tag the Loopback 0 prefix on R2 :
   access-list 1 permit host 1.1.1.0
   route-map RIP_EIGRP_TAG_RMAP permit 10
    match ip address 1
    set tag 120
   route-map RIP_EIGRP_TAG_RMAP permit 20
   router eigrp 1
    redistribute rip metric 1 1 1 1 1 route-map RIP_EIGRP_TAG_RMAP
Case Study - Solution
• And filter the prefix on R5 :
  route-map FILTER_TAGGED_RMAP deny 10
   match tag 120
  route-map FILTER_TAGGED_RMAP permit 20
  router ospf 1
   redistribute eigrp 1 subnets route-map FILTER_TAGGED_RMAP
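An added example (written for this edit, not part of the IPexpert slides) that models route-map evaluation as the "Policy Routing – Route Maps" slide describes it and then runs the page's three route-maps through it: the PBR route-map from the policy-routing case study, the TEST route-map from the example policy-routing configuration (two match lines, one of them with two ACLs), and the RIP_EIGRP_TAG_RMAP / FILTER_TAGGED_RMAP pair from the redistribution case study above. Entries are tried in sequence order and the first match wins; several values on one match line are ORed; several match lines in one entry are ANDed; a blank entry matches everything; and the route-map ends with an implicit deny. The ACLs are modelled as Python predicates and the packets and routes are constructed sample input.

```python
# ACLs as predicates over a packet (PBR) or a route (redistribution); constructed
ACL = {
    # access-list 100 permit ip host 10.1.1.1 any
    100: lambda pkt: pkt.get("src") == "10.1.1.1",
    # access-list 150 permit tcp host 10.1.1.2 any eq 20
    150: lambda pkt: pkt.get("src") == "10.1.1.2" and pkt.get("proto") == "tcp" and pkt.get("dport") == 20,
    # ACLs 120/121 from the TEST route-map (bodies assumed, not on the slide)
    120: lambda pkt: pkt.get("src") == "10.1.1.1",
    121: lambda pkt: pkt.get("src") == "10.1.1.2",
    # access-list 1 permit host 1.1.1.0, applied to a route's network address
    1: lambda rt: rt.get("prefix") == "1.1.1.0/24",
}


def clause_matches(clause, obj):
    """One 'match' line. Several values on the line are ORed."""
    kind, values = clause
    if kind == "ip address":
        return any(ACL[n](obj) for n in values)
    if kind == "tag":
        return any(obj.get("tag") == v for v in values)
    if kind == "length":
        low, high = values
        return low <= obj.get("length", 0) <= high
    raise ValueError(f"unsupported match type: {kind}")


def apply_route_map(route_map, obj):
    """Return (matched a permit entry, object after the entry's set clauses).
    route_map: list of (action, seq, [match clauses], {set name: value}).
    For PBR a False result means 'forward normally'; for redistribution it means
    the route is filtered."""
    for action, seq, matches, sets in sorted(route_map, key=lambda e: e[1]):
        if all(clause_matches(c, obj) for c in matches):   # AND across lines; [] matches all
            if action == "deny":
                return False, dict(obj)
            new = dict(obj)
            new.update(sets)
            return True, new
    return False, dict(obj)                                  # implicit deny


def redistribute(route_map, routes):
    """Run routes through a redistribution route-map; keep the permitted ones after their sets."""
    kept = []
    for rt in routes:
        ok, new = apply_route_map(route_map, rt)
        if ok:
            kept.append(new)
    return kept


# route-map PBR (policy-routing case study)
PBR = [
    ("permit", 10, [("ip address", [100])], {"next_hop": "192.0.2.2"}),
    ("permit", 20, [("ip address", [150])], {"out_interface": "serial0/1"}),
]
# route-map TEST permit 10: two match lines (AND), the first with two ACLs (OR)
TEST = [
    ("permit", 10, [("ip address", [120, 121]), ("length", (120, 120))], {"out_interface": "null0"}),
]
# R2: tag the loopback prefix; the blank entry 20 passes everything else untouched
RIP_EIGRP_TAG_RMAP = [
    ("permit", 10, [("ip address", [1])], {"tag": 120}),
    ("permit", 20, [], {}),
]
# R5: drop what carries tag 120, permit the rest
FILTER_TAGGED_RMAP = [
    ("deny", 10, [("tag", [120])], {}),
    ("permit", 20, [], {}),
]

# Constructed sample routes as they would sit in R2's RIP table
RIP_ROUTES = [{"prefix": "1.1.1.0/24"}, {"prefix": "10.1.12.0/24"}]

if __name__ == "__main__":
    for pkt in ({"src": "10.1.1.1", "proto": "udp", "dport": 53},
                {"src": "10.1.1.2", "proto": "tcp", "dport": 20},
                {"src": "10.1.1.2", "proto": "tcp", "dport": 21}):
        print("PBR", pkt, "->", apply_route_map(PBR, pkt))
    tagged = redistribute(RIP_EIGRP_TAG_RMAP, RIP_ROUTES)
    print("R2 into EIGRP:", tagged)
    print("R5 into OSPF :", redistribute(FILTER_TAGGED_RMAP, tagged))
```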
Question 7 Topology
Question 15 Topology
End of Section 2.0
IPexpert’s CCIE R&S Written VoD Series 3.0 Implement IPv6
3.01 Implement IP version 6 (IPv6) addressing and different addressing types
IPv6 Basics
• IPv6 addresses are 128 bits long and are represented in hex
• If no abbreviation is used, an IPv6 address is composed of eight colon-separated fields, each containing 4 hexadecimal digits. For example : 2001:0000:0000:0000:0DB8:0800:200C:417B
• Since IPv6 addresses are long and somewhat cumbersome to work with, there are two methods of abbreviating them
IPv6 Basics – cont.
• The first method allows consecutive fields of zeros to be replaced with a double colon "::"
  2001:0000:0000:0000:0DB8:0800:0000:417B == 2001::0DB8:0800:0000:417B
• This method can be used only once in an address, to avoid ambiguity
• The second rule says that leading zeros (NOT trailing) within a 4-hex-digit field can be omitted. This method can be used as many times as needed in an address
  0098:0CAB:0000 == 98:CAB:0
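An added example (written for this edit, not part of the IPexpert slides) implementing the two abbreviation rules above by hand, together with the reverse operation. compress() applies rule 2 (drop the leading zeros of every field) and rule 1 (replace the longest run of two or more all-zero fields with "::", once; on a tie the first run is used, as RFC 5952 recommends); expand() restores the full eight-field form and rejects an address that uses "::" twice, which is exactly the ambiguity the slide warns about. The slide's own example applies only rule 1, so its abbreviated form is longer than what compress() produces; expand() accepts both. The addresses are the slide's plus a few constructed ones.

```python
HEX = set("0123456789abcdefABCDEF")


def expand(addr):
    """Undo both abbreviations: restore '::' and the leading zeros of every field."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = head + ["0"] * missing + tail
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError("an IPv6 address has eight 16-bit fields")
    for f in fields:
        if not (1 <= len(f) <= 4) or any(c not in HEX for c in f):
            raise ValueError(f"bad field {f!r}")
    return ":".join(f.upper().zfill(4) for f in fields)


def compress(addr):
    """Apply rule 2 (drop leading zeros) and rule 1 (longest zero run -> '::')."""
    fields = [f.lstrip("0") or "0" for f in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                       # find the longest run of all-zero fields
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:           # strict '>' keeps the first run on a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                   # a single zero field stays written as "0"
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def is_valid(addr):
    """True when the text is an unambiguous IPv6 address under the two rules."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ("2001:0000:0000:0000:0DB8:0800:0000:417B", "2001::0DB8:0800:0000:417B",
              "FE80::1", "::", "2001:0:0:1:0:0:0:1"):
        print(f"{a:42} expand -> {expand(a)}  compress -> {compress(a)}")
    print("2001::1::2 valid?", is_valid("2001::1::2"))
```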
IPv6 Address Types
• A Unicast address identifies a single interface on a single device. There are three sorts of unicast addresses : Aggregatable Global Address, Link Local Address and IPv4-Compatible IPv6 Address
  Aggregatable Global Address – Defined by a global routing prefix, subnet ID and interface ID. Current global addresses begin with 2 or 3 in hex, which corresponds to 2000::/3
IPv6 Interface ID
• RFC 3513 states that for all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format
• The process of constructing an EUI-64 address consists of two steps :
  1. The Ethernet MAC address is divided into two equal parts, 24 bits each, and the fixed hex value "FFFE" is put between them
  2. The Universal/Local (U/L) bit, which is the seventh bit of the first octet in the MAC address, is inverted
• For interface types other than Ethernet (e.g. Serial, ATM, FR), the first MAC from the pool of MAC addresses in a router is used
IPv6 EUI-64 Interface ID Example
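An added example (written for this edit, not part of the IPexpert slides) that performs the two EUI-64 steps above on a MAC address, combines the result with a /64 prefix the way the ipv6 address ... eui-64 command does, and derives the solicited-node multicast address that Neighbor Discovery uses for such an address. The MAC address and prefix are constructed sample input; only the standard ipaddress module is used.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID as four hex fields, e.g. '0212:7FFF:FE8A:1234'.
    Accepts the common MAC notations (0012.7f8a.1234, 00:12:7f:8a:12:34, 00-12-...)."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(digits)
    # Step 1: split the MAC into two 24-bit halves and insert FF FE between them
    eui = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    # Step 2: invert the Universal/Local bit, the seventh bit of the first octet
    # counting from the most significant bit, i.e. the 0x02 bit
    eui[0] ^= 0x02
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:04X}" for i in range(0, 8, 2))


def eui64_address(prefix, mac):
    """Full address from a /64 prefix and the EUI-64 interface ID (compressed, lower case)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def solicited_node_multicast(address):
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address.
    Neighbor Solicitations for the address are sent to this group instead of a broadcast."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


if __name__ == "__main__":
    mac = "0012.7f8a.1234"                      # constructed sample MAC
    print("interface ID      :", eui64_interface_id(mac))
    addr = eui64_address("2001:DB8:0:1::/64", mac)
    print("address           :", addr)
    print("solicited-node grp:", solicited_node_multicast(addr))
```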
IPv6 Address Types – cont.
  Link Local Address – Used locally on a data link or multiaccess interface. Guaranteed to be unique per L2 network, assigned to each interface. Link Local addresses always begin with FE80::/10
  IPv4-Compatible IPv6 Address – Assigned to nodes that support both the IPv4 and IPv6 protocol stacks, which are used in automatic tunnels. The format of an IPv4-Compatible IPv6 Address is 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D, where A.B.C.D is an IPv4 address
• IPv6 multicasts are a separate group of IPv6 addresses
• There is no broadcast address in IPv6; multicast takes over all the functions that a broadcast address would perform in the IPv4 world
IPv6 Multicast Address Structure
IPv6 Address Types – cont.
• IPv6 multicast address examples :
  FF02::1 - All hosts
  FF02::2 - All routers
  FF02::A - EIGRP
• Anycast Address – A single unicast address assigned to more than one node. Packet delivery is determined by the routing protocol in use
• Unspecified Address – Composed of all zeros, which can be denoted as "::". Used in the source field by a host that does not yet know its own address
IPv6 Addressing Configuration
• Enable IPv6 Unicast Routing
  ipv6 unicast-routing
• IPv6 Address
  ipv6 address ipv6_addr/prefix-length [eui-64]
  ipv6 address 2001:0DB8:0:1::1/64
  ipv6 address 2001:0DB8:0:1::/64 eui-64
• Link Local Address
  ipv6 address ipv6_addr link-local
  ipv6 address fe80::1 link-local
Configuration Verification
show ipv6 interface [brief]
- Displays the usability status of interfaces configured for IPv6 and their addresses
3.02 Implement IPv6 neighbor discovery
IPv6 Neighbor Discovery
• Neighbor Discovery is a messaging protocol that performs a group of different functions. It uses ICMPv6 and the solicited-node multicast address in its operations
• There is no ARP in IPv6
• Neighbor Discovery functions can be divided into two groups :
  1. Host to Router or Router to Host interaction
  2. Host to Host interaction
IPv6 Neighbor Discovery – cont.
• The first group of IPv6 ND functions contains the following :
  Router Discovery
  Prefix Discovery
  Parameter Discovery
  Address Autoconfiguration
  Redirect
• And the second group's roles are :
  Address Resolution
  Duplicate Address Detection
  Neighbor Unreachability Detection
  Next-Hop Determination
ICMPv6 Message Types
• There are five types of ICMPv6 Neighbor Discovery messages :
  1. Router Advertisement (Type 134, Code 0). Periodically sent by ROUTERS with the destination address set to the all-hosts multicast address, FF02::1. Used to inform about three things :
     IPv6 prefixes used on the link
     MTU
     Whether the router is a default gateway
  2. Router Solicitation (Type 133, Code 0). Sent by HOSTS to immediately receive a Router Advertisement
ICMPv6 Message Types – cont.
  3. Neighbor Advertisement (Type 136, Code 0). Sent by all HOSTS. Generated periodically or in response to a Neighbor Solicitation, to inform the other nodes on the network of their presence and link-layer addresses
  4. Neighbor Solicitation (Type 135, Code 0). Sent by HOSTS to obtain the link-layer address of other hosts right away, without waiting for the periodic Neighbor Advertisement
  5. Redirect (Type 137, Code 0). Same as in IPv4, used to inform a host of a better first hop to the destination. Sent by ROUTERS
IPv6 ND Functions
• There are nine functions of IPv6 Neighbor Discovery :
  1. Router Discovery. A host receiving Router Advertisements builds a list of Default Routers
  2. Prefix Discovery. Allows hosts to learn about their directly connected networks
  3. Parameter Discovery. Includes the MTU and Hop Count values that hosts should be using on that specific link
  4. Stateless Address Autoconfiguration. IPv6 hosts can automatically configure themselves with an IPv6 address – the prefix learned from the Router Advertisement message becomes the network part, whereas the Interface ID is derived using the modified EUI-64 format
  5. Redirect. Informs hosts of a better Next-Hop to a particular destination
  6. Address Resolution. Replaces ARP. A Neighbor Solicitation, sent to the solicited-node multicast address, corresponds to an ARP Request, whereas the Neighbor Advertisement is sent as the Reply
  7. Duplicate Address Detection (DAD). Used to verify the uniqueness of a newly assigned IPv6 address. A Neighbor Solicitation message is sent for the node's own IPv6 address – if a Neighbor Advertisement is received, the address is already taken
  8. Neighbor Unreachability Detection. Used to confirm a neighbor's reachability – either a probe message is sent and a Router/Neighbor Advertisement is awaited, or higher-level protocol information is used, such as a TCP ACK
  9. Next-Hop Determination. Used to determine the Next-Hop. If the destination is on-link, the next-hop address is the same as the packet's destination address. Otherwise, the sender selects a router from the Default Router List
IPv6 ND Configuration
• Router Advertisement Interval
  ipv6 nd ra-interval value
• Router Advertisement Lifetime
  ipv6 nd ra-lifetime value
• Enabling Router Advertisements
  no ipv6 nd ra suppress [all]
• Neighbor Discovery Cache Entry
  ipv6 neighbor ipv6_addr if_name hardware-addr
Configuration Verification
show ipv6 neighbors
- Displays Neighbor Discovery Cache information
3.03 Implement basic IPv6 functionality protocols
IPv6 Functionality Protocols – ICMPv6
• ICMPv6 also provides error reporting and diagnostic functions
• ICMPv6 Error Messages :
  Type 1 – Destination Unreachable
    Code 0 – No route to destination
    Code 1 – Communication administratively prohibited
    Code 2 – Unassigned
    Code 3 – Address unreachable
    Code 4 – Port unreachable
  Type 2 – Packet Too Big (PMTU Discovery)
  Type 3 – Time Exceeded
    Code 0 – Hop limit exceeded in transit
    Code 1 – Fragment reassembly time exceeded
  Type 4 – Parameter Problem
    Code 0 – Erroneous header field
    Code 1 – Unrecognized Next Header type encountered
    Code 2 – Unrecognized IPv6 option encountered
• ICMPv6 Diagnostic Messages :
  Type 128, Code 0 – Echo Request
  Type 129, Code 0 – Echo Reply
IPv6 Functionality Protocols – DHCPv6
• DHCPv6 provides Stateful Autoconfiguration
• The concept is similar to IPv4, but the messages are different : Solicit, Advertise, Request, Reply
• Two additional facts about DHCPv6 are :
  1. Solicit and Advertise messages are sent to two well-known DHCPv6 multicast addresses
  2. DHCPv6 clients listen on UDP port 546, whereas servers and relay agents listen on UDP port 547
IPv6 Functionality Protocols – DNS, CDP
• Both the DNS and CDP protocols perform the same function as in the IPv4 world
• IPv6 DNS replaces the "A" record with "AAAA"
Functionality Protocols Configuration
• ICMPv6 Rate-Limiting
  ipv6 icmp error-interval msec [bucketsize]
Configuration Verification
show cdp neighbors [detail]
- Displays Cisco Discovery Protocol information
3.04 Implement tunneling techniques
IPv6 Tunneling Techniques
• There are a couple of different tunneling techniques that can be used to provide communication between isolated islands of IPv6 networks :
  GRE Tunnels
  Manual Tunnels
  Automatic 6to4 Tunnels
  ISATAP Tunnels
IPv6 GRE Tunnels
• GRE Tunnels are a point-to-point solution. The passenger protocol is distinguished based on the protocol field
IPv6 GRE Tunnels – cont.
• Configuration :
  R1
  ipv6 unicast-routing
  interface loopback0
   ip address 1.1.1.1 255...
  interface tunnel 12
   ipv6 address 2001:12::1/64
   tunnel source loopback0
   tunnel destination 2.2.2.2
   tunnel mode gre ipv6
  ipv6 route ::/0 tunnel 12

  R2
  ipv6 unicast-routing
  interface loopback0
   ip address 2.2.2.2 255...
  interface tunnel 12
   ipv6 address 2001:12::2/64
   tunnel source loopback0
   tunnel destination 1.1.1.1
   tunnel mode gre ipv6
  ipv6 route ::/0 tunnel 12
IPv6 Manual Tunnels
• Another point-to-point solution
• Embeds an IPv6 packet in the payload portion of an IPv4 packet with protocol type 41
• Configuration is very similar to GRE tunnels – the only exception is the tunnel mode, which should be set to ipv6ip
• Use the tunnel mode ipv6ip command to accomplish this
IPv6 Automatic 6to4 Tunnels
• An IPv4 header with Protocol Number 41 is prepended
• This method offers a point-to-multipoint solution
• Automatic 6to4 addresses always start with 2002 followed by the IPv4 address in hex. More specifically : 2002:IPv4_Address:Subnet_ID:Interface_ID
• Routing in Automatic Tunneling is based on the IPv4 part of the original IPv6 destination address. The source address is taken from the tunnel source command
• The embedded IPv4 address must be public and the IPv6 addresses assigned to hosts must come from the "site" 2002:IPv4_Address range
IPv6 Automatic 6to4 Tunnels – cont.
• Configuration for R1 (1.1.1.1 = 0101:0101 in hex):

ipv6 unicast-routing
int f0/0
 ip address 1.1.1.1 255.255.255.0
int tun 12
 ipv6 address 2002:0101:0101:0::1/64
 tunnel source f0/0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tunnel 12
IPv6 ISATAP Tunnels
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) packets are tunneled inside IPv4 packets using protocol number 41
• ISATAP characteristics:
  - Tunnel interfaces can use a normal /64 prefix; there is no need for "2002" at the beginning
  - The Interface ID is derived using another modified EUI-64 format: the first 32 bits are always 0000:5efe (IANA OUI 00-00-5E followed by 0xFE)
  - The remaining 32 bits are taken from the IPv4 address referenced by the tunnel source command
  - For example, if the tunnel source points to 1.1.1.1, the Interface ID will be 0000:5efe:0101:0101
  - Note: RFC 5214 sets the EUI-64 u bit (giving 0200:5efe) when the embedded IPv4 address is globally unique; Cisco IOS generates 0000:5efe, which is the form shown here
IPv6 ISATAP Tunnels – cont.
• Example ISATAP configuration:

int loopback 0
 ip address 1.1.1.1 255.255.255.0
! Resulting IPv6 address will be 2001:1111::0:5efe:0101:0101
int tunnel 12
 ipv6 address 2001:1111::/64 eui-64
 tunnel source loopback0
 tunnel mode ipv6ip isatap
! Static route via the ISATAP peer whose tunnel source is 2.2.2.2
ipv6 route 2001:DB8::/64 2001:1111::0:5efe:0202:0202
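The 6to4 and ISATAP address arithmetic from the slides above, as an added Python example (not code from the original deck): it derives the 2002::/48 site prefix and the IPv4 tunnel destination for a 6to4 address, and the 0000:5efe interface ID for ISATAP. The public-address check relies on Python's is_global; the optional set_u_bit flag is an assumption added to model RFC 5214's 0200:5efe form, which the slides do not show.

```python
"""6to4 and ISATAP address derivation (added example, not from the original slides)."""
import ipaddress

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
ISATAP_OUI_FE = 0x00005EFE  # IANA OUI 00-00-5E followed by 0xFE: the fixed half of an ISATAP IID


def is_valid_6to4_endpoint(ipv4) -> bool:
    """The embedded IPv4 address must be public: RFC 1918, loopback, link-local etc. are refused."""
    v4 = ipaddress.IPv4Address(ipv4)
    return v4.is_global and not v4.is_multicast


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Site prefix 2002:AABB:CCDD::/48 for IPv4 A.B.C.D.

    The 32-bit IPv4 address occupies bits 16..47 of the IPv6 address, directly after
    the 2002 hextet, which is why 1.1.1.1 becomes 2002:101:101::/48.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if not is_valid_6to4_endpoint(v4):
        raise ValueError(f"6to4 requires a public IPv4 address, got {ipv4}")
    return ipaddress.IPv6Network((int(SIXTO4_NET.network_address) | (int(v4) << 80), 48))


def sixto4_tunnel_destination(dst: str) -> ipaddress.IPv4Address:
    """Automatic routing: the IPv4 tunnel destination is the address embedded in the IPv6 destination."""
    v6 = ipaddress.IPv6Address(dst)
    if v6 not in SIXTO4_NET:
        raise ValueError(f"{dst} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def isatap_iid(ipv4: str, set_u_bit: bool = False) -> int:
    """64-bit ISATAP interface ID: 0000:5efe followed by the IPv4 tunnel source.

    set_u_bit is an assumption added here to model RFC 5214, which sets the EUI-64 u bit
    (giving 0200:5efe) when the IPv4 address is globally unique; Cisco IOS emits 0000:5efe.
    """
    iid = (ISATAP_OUI_FE << 32) | int(ipaddress.IPv4Address(ipv4))
    if set_u_bit:
        iid |= 1 << 57  # bit 6 of the first IID octet, i.e. 0x0200 in the first hextet
    return iid


def isatap_address(prefix: str, tunnel_source: str, set_u_bit: bool = False) -> ipaddress.IPv6Address:
    """Combine a /64 prefix ('ipv6 address PREFIX/64 eui-64') with the ISATAP interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix to leave room for the 64-bit interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_iid(tunnel_source, set_u_bit))


if __name__ == "__main__":
    print(sixto4_prefix("1.1.1.1"))                      # 2002:101:101::/48
    print(sixto4_tunnel_destination("2002:202:202::1"))  # 2.2.2.2
    print(isatap_address("2001:1111::/64", "1.1.1.1"))   # 2001:1111::5efe:101:101
```

Feeding a 6to4 destination to sixto4_tunnel_destination() is exactly what the router does per packet, which is also why a spoofed 2002::/16 destination can steer the encapsulated packet at any IPv4 host: the public-address check is the only sanity test the address format itself allows.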
Configuration Verification
show interfaces tunnel
- Displays tunnel interface information
3.05 Implement OSPF version 3 (OSPFv3)
OSPFv3
• OSPFv3 is very similar to IPv4 OSPF (OSPFv2)
• The differences are as follows:
  - OSPFv3 devices communicate over links and not subnets
  - OSPFv3 packets are sourced from link-local addresses. This way topology information is kept independent of the network-layer addressing in use. The only exception is virtual links, where global IPv6 addresses are used
OSPFv3 – cont.
• The differences are as follows:
  - Flooding scope is explicitly encoded in each LSA's LS type field: link-local, area or AS-wide
  - The OSPFv3 Router ID will not be automatically derived if there is no IPv4 address configured on the device. Remember that you can always set it manually using the router-id command
OSPFv3 – cont.
• The differences are as follows:
  - Neighboring routers on a given link are always identified by their Router ID, never by an address
  - Multiple OSPFv3 instances are allowed per link (Instance ID field in the packet header)
OSPFv3 – cont.
• The differences are as follows:
  - Two LSA types have been renamed:
    1. LSA Type 3 -> Inter-Area Prefix LSA (was Network Summary LSA)
    2. LSA Type 4 -> Inter-Area Router LSA (was ASBR Summary LSA)
  - Two new LSA types were defined:
    1. Link LSA (Type 8). Link-local scope only; used to exchange link-local addresses and the prefixes on the link
    2. Intra-Area Prefix LSA (Type 9). Carries the prefixes associated with a router or a transit network, since Router and Network LSAs no longer carry addresses in OSPFv3
  - Protocol authentication is provided by IPsec (AH/ESP, RFC 4552), not by OSPF itself; the later Authentication Trailer (RFC 7166) is the alternative. Without one of them, an OSPFv3 router accepts hellos from anyone on the link
OSPFv3 Configuration
• General syntax: ipv6 ospf ...
• Enabling OSPFv3 on an interface (there is no network command): ipv6 ospf proc_nr area area_nr [instance inst_id]
• Frame Relay mappings: frame-relay map ipv6 ip_addr dlci [broadcast]
Example OSPFv3 Configuration

ipv6 unicast-routing
ipv6 router ospf 1
 router-id 192.0.2.1
int loopback 0
 ipv6 address 2001::/64 eui-64
 ipv6 ospf 1 area 1
 ipv6 ospf network point-to-point
int f0/0
 ipv6 address 2001:1::1/64
 ipv6 ospf 1 area 0
Configuration Verification
show ipv6 ospf neighbor
- Displays OSPFv3 neighbor information
show ipv6 ospf interface
- Displays OSPFv3 interface-related information
show ipv6 ospf database
- Displays the OSPFv3 database
show ipv6 ospf border-routers
- Displays internal OSPF routing table entries to ABRs and ASBRs
show ipv6 protocols
- Displays parameters and current state of the ACTIVE IPv6 routing protocols
3.06 Implement EIGRP version 6 (EIGRPv6)
EIGRPv6
• EIGRPv6 is very similar to EIGRP for IPv4. The only difference not related to configuration is that EIGRPv6 uses the neighbor's link-local address as the Next-Hop
• Configuration differences are as follows:
  - There is no network command; use the ipv6 eigrp AS_nr interface statement to enable EIGRP on an interface
  - The EIGRP process is shut down by default. To activate it, use the no shutdown command under ipv6 router eigrp
  - If there is no IPv4 address configured on the device, the Router ID has to be defined manually using the eigrp router-id command
  - Whenever the passive-interface statement is used, the interface it refers to automatically starts participating in EIGRP
EIGRPv6 – cont.
• Configuration differences are as follows:
  - There is no concept of classful routing in IPv6. Since networks cannot be automatically summarized, there is no need for the no auto-summary command
  - Route filtering is supported with the distribute-list prefix-list command. Route-maps cannot be used in distribute lists
  - Authentication is currently performed in the same way as in IPv4 EIGRP (key chains), though Cisco may move it to IPsec in the future
Example EIGRPv6 Configuration

ipv6 unicast-routing
int loopback 100
 ipv6 address 3001:1:1:1::1/64
ipv6 router eigrp 10
 router-id 192.0.2.1
 no shutdown
 ! passive-interface also enables EIGRP on Loopback 100 (no hellos are sent),
 ! so its /64 is advertised and covered by the summary below
 passive-interface loopback 100
int f0/0
 ipv6 address 2001:1::/64 eui-64
 ipv6 eigrp 10
 ipv6 summary-address eigrp 10 3001:1:1::/62
Configuration Verification
show ipv6 eigrp neighbors
- Displays EIGRPv6 neighbor information
show ipv6 eigrp interfaces
- Displays EIGRPv6 interface-related information
show ipv6 eigrp topology
- Displays the EIGRPv6 topology database
show ipv6 protocols
- Displays parameters and current state of the ACTIVE IPv6 routing protocols
3.07 Implement filtering and route redistribution
IPv6 Route Filtering
• Distribute lists in IPv6 OSPF and EIGRP support only prefix-lists
• Configuration-wise it is the distribute-list prefix-list command
• One unsupported feature is Type 3 LSA filtering: there is no area filter-list command in OSPFv3
IPv6 Route Redistribution
• The main difference between IPv6 and IPv4 redistribution is that the directly connected networks on which the source protocol runs will NOT be redistributed by default (in IPv4 they are picked up automatically)
• To change this behavior, use the include-connected keyword of the redistribute command
• The rest is pretty much the same as in IPv4; even the administrative distances did not change
Case Study
• Two-way redistribution between EIGRPv6 and OSPFv3 is going to be performed here
Case Study - Solution
• Redistribute OSPFv3 -> EIGRPv6:

ipv6 router eigrp 1
 redistribute ospf 1 metric 1 1 1 1 1

• Verify:

R4#show ipv6 route eigrp
IPv6 Routing Table - Default - 9 entries
-- Output Omitted --
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
EX  2222:1:1::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  2222:1:2::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
Case Study - Solution
• Add the locally connected subnet:

ipv6 router eigrp 1
 redistribute ospf 1 metric 1 1 1 1 1 include-connected

• Verify:

R4#show ipv6 route eigrp
IPv6 Routing Table - Default - 10 entries
-- Output Omitted --
EX  2222:1:1::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  2222:1:2::1/128 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
EX  3001:1212::/64 [170/2560002816]
     via FE80::211:93FF:FE69:AB1, FastEthernet0/0
Case Study - Solution
• Redistribute EIGRPv6 -> OSPFv3. Only the Loopback 1 network should be redistributed, tagged with 90:

ipv6 prefix-list L1_PREF seq 5 permit 2222:4:1::/64
route-map RED_RMAP permit 10
 match ipv6 address prefix-list L1_PREF
 set tag 90
ipv6 router ospf 1
 redistribute eigrp 1 route-map RED_RMAP
Case Study - Solution
• Verify:

R1#show ipv6 route ospf
IPv6 Routing Table - Default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE2  2222:4:1::/64 [110/20], tag 90
      via FE80::211:93FF:FE69:AB0, FastEthernet0/0
R1#
End of Section 3.0

4.0 Implement MPLS Layer 3 VPNs
4.01 Implement Multiprotocol Label Switching (MPLS)
MPLS Basics
• MPLS is a high-performance packet-switching WAN technology
• It operates at OSI Layer "2.5" (between Layer 2 and Layer 3)
• The Layer 3 header is analyzed only once, at the entrance to the MPLS network
• Further forwarding decisions are made based on so-called MPLS labels
• Any protocol can be carried by MPLS, either L2 like Ethernet or L3 like IPv4/IPv6
MPLS Header Structure
• Each label stack entry is 32 bits: a 20-bit Label, 3 bits of EXP/Traffic Class, a 1-bit Bottom-of-Stack (S) flag and an 8-bit TTL
• The label stack sits between the Layer 2 header and the Layer 3 header; S is set only on the last (innermost) entry
MPLS Terminology
• Customer Edge (CE) device is client-managed equipment
• Provider Edge (PE) device is managed by an ISP. Also known as Edge Label Switch Router (edge LSR)
• Provider (P) device is also managed by an ISP; this box is internal to the provider's network. Also known as LSR
MPLS Control Plane Basics
• Before data packets are switched across the MPLS network, the MPLS devices have to know which labels correspond to which IP prefixes on the neighboring devices
• Each MPLS-enabled device generates a label for every IGP-learned prefix
• Labels are then advertised to the neighboring devices, so they know which labels correspond to which prefixes on the adjacent routers
• This way, if devices R1 and R2 are directly connected and R2 generated label X for prefix Z, when R1 sends a packet destined to Z through R2 it will use X as the label
Label Distribution Protocol (LDP)
• LDP simply advertises labels for each IGP-learned prefix listed in the IP routing table
• What it basically says is: "if you want to send packets to this subnet through me, send them to me with the MPLS label listed in the update I sent you"
• Label bindings propagate from downstream to upstream: each LSR advertises the label it wants to receive, starting with the edge device closest to the destination prefix
LDP Details
• LDP is a session-based protocol that uses both UDP and TCP
• UDP is used for neighbor discovery. Multicast Hello packets are sent to 224.0.0.2 (all routers) on UDP port 646
• The LDP ID of a neighbor is learned from the first received Hello packet
• On each device, if the mpls ldp router-id command has not been issued, the highest IP address of all loopback interfaces is used as the LDP ID. If there are no loopbacks configured, the highest IP address of all other interfaces is used
LDP Details – cont.
• The LDP ID is used as the destination IP of the LDP TCP session by default, so the loopback chosen as LDP ID must be reachable through the IGP
• To change this IP address, use the mpls ldp transport-address command
• The TCP session uses port 646 and is used to exchange labels between neighbors. LDP sessions are unauthenticated by default; TCP MD5 protection is available with mpls ldp neighbor ip_addr password
• Label bindings are stored in the Label Information Base (LIB)
• There can be multiple entries for the same prefix if there is more than one LDP neighbor
LFIB
• Only "the best" label is used in the traffic forwarding process
• The decision about which label is considered "best" is made by the underlying IGP
• The Next-Hop address learned from the IGP is looked up in the LDP neighbor table (addresses bound to each peer) to find the corresponding LDP ID
• The LDP ID then selects, among the LIB bindings for that prefix, the label advertised by that device
• This "best" label is stored in a separate structure called the Label Forwarding Information Base (LFIB)
Populating LFIB – Example Topology (figure: R2 reaches 10.1.1.0/24 via R4, with R8 as a second LDP neighbor)
Populating LFIB – cont.
• Next-Hop lookup:

R2#sh ip route | in 10.1.1.0
O    10.1.1.0 [110/4] via 172.16.24.4, 00:17:02, GigabitEthernet0/1.24

• LDP ID lookup (the next hop 172.16.24.4 is bound to peer 4.4.4.4):

R2#sh mpls ldp neighbor
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.12712 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 63/62; Downstream
        Up time: 00:40:09
        LDP discovery sources:
          GigabitEthernet0/1.24, Src IP addr: 172.16.24.4
        Addresses bound to peer LDP Ident:
          172.16.24.4     172.16.46.4     4.4.4.4
Populating LFIB – cont.
• LIB lookup:

R2#sh mpls ldp bindings 10.1.1.0 24
  lib entry: 10.1.1.0/24, rev 28s
        local binding:  label: 24
        remote binding: lsr: 8.8.8.8:0, label: 25
        remote binding: lsr: 4.4.4.4:0, label: 25

• Resulting LFIB entry (the binding from 4.4.4.4 is chosen because the IGP next hop belongs to that peer):

R2#sh mpls forwarding-table 10.1.1.0 24
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
24     25         10.1.1.0/24   0            Gi0/1.24   172.16.24.4
LDP Troubleshooting Note
• A PE generates labels for the prefixes in its own routing table; for a directly connected interface that is the subnet configured on it and NOT the one advertised by the IGP
• For example, a loopback configured as /24 is advertised by OSPF as a /32 host route by default. Neighbors then hold /32 bindings for which the PE itself has no local binding, so the Label Switched Path to that loopback is broken
• A broken LSP towards a BGP next hop results in traffic black-holing for VPN traffic
• Fix: configure loopbacks used as LDP/BGP IDs with a /32 mask, or use ip ospf network point-to-point so that OSPF advertises the configured mask
MPLS Forwarding Plane
• The MPLS packet forwarding paradigm can be divided into three steps:
  1. Assigning labels on the edge ("Push" operation)
  2. MPLS packet switching ("Swap" operation)
  3. Removing labels on the edge ("Pop" operation)
• The Push operation is also known as "Label Imposition"
• The Pop operation is also known as "Label Disposition"
• When a packet is received with a label that does not exist in the LFIB, the packet is dropped
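The control-plane selection from the "Populating LFIB" slides and the push/swap/pop rules from this one, as an added Python example (not code from the original deck): build_lfib() walks RIB -> LDP neighbor table -> LIB exactly as the slides describe, and switch() applies an LFIB to a packed label stack, dropping unknown labels and popping on Implicit-Null or "No Label". The RIB, LDP neighbor and LIB values are R2's from the slides (the addresses bound to peer 8.8.8.8 are constructed); the payload bytes and the two-label walk in main() are constructed to match the {label exp ttl} notation of debug mpls packet.

```python
"""LFIB population and MPLS label operations (added example, not from the original slides)."""
from __future__ import annotations
import struct
from dataclasses import dataclass

IMPLICIT_NULL = 3   # advertised by the egress LSR to request Penultimate Hop Popping
NO_LABEL = None     # IOS "No Label": strip the label and forward the payload as IP


@dataclass(frozen=True)
class LabelEntry:
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL."""
    label: int
    exp: int
    bos: bool
    ttl: int

    def pack(self) -> bytes:
        return struct.pack("!I", (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl)

    @classmethod
    def unpack(cls, data: bytes) -> LabelEntry:
        if len(data) < 4:
            raise ValueError("truncated label stack entry")
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)


def parse_stack(packet: bytes) -> tuple[list[LabelEntry], bytes]:
    """Split an MPLS packet into its label stack (top first) and the payload after the S=1 entry."""
    stack = []
    while True:
        entry = LabelEntry.unpack(packet)
        packet = packet[4:]
        stack.append(entry)
        if entry.bos:
            return stack, packet


def fmt_stack(stack: list[LabelEntry]) -> str:
    """Same {label exp ttl} notation as 'debug mpls packet' on IOS."""
    return " ".join(f"{{{e.label} {e.exp} {e.ttl}}}" for e in stack)


def build_lfib(rib: dict, ldp_neighbors: dict, lib: dict) -> dict:
    """Pick the 'best' outgoing label per prefix the way the slides describe.

    rib: {prefix: igp_next_hop}; ldp_neighbors: {ldp_id: set of addresses bound to that peer};
    lib: {prefix: {ldp_id: remote_label}}. Returns {prefix: (outgoing_label, next_hop)}.
    """
    lfib = {}
    for prefix, next_hop in rib.items():
        peer = next((lid for lid, addrs in ldp_neighbors.items() if next_hop in addrs), None)
        out_label = lib.get(prefix, {}).get(peer, NO_LABEL)  # no binding from that peer: untagged
        lfib[prefix] = (out_label, next_hop)
    return lfib


def push(labels: list[int], ip_packet: bytes, ttl: int = 255) -> bytes:
    """Label imposition at the ingress LSR; only the innermost entry has S set."""
    last = len(labels) - 1
    return b"".join(LabelEntry(l, 0, i == last, ttl).pack() for i, l in enumerate(labels)) + ip_packet


def switch(lfib_by_local_label: dict, packet: bytes) -> bytes | None:
    """One LSR hop: swap, or pop on Implicit-Null / No Label. Returns None when the packet is dropped."""
    stack, payload = parse_stack(packet)
    top, rest = stack[0], stack[1:]
    if top.label not in lfib_by_local_label:
        return None                        # unknown label: drop, never guess
    if top.ttl <= 1:
        return None                        # TTL expired
    out = lfib_by_local_label[top.label]
    if out in (IMPLICIT_NULL, NO_LABEL):   # pop
        if not rest:
            return payload                 # last label gone: plain IP packet leaves the LSP
        # IOS copies the decremented outer TTL into the new top entry on pop
        rest[0] = LabelEntry(rest[0].label, rest[0].exp, rest[0].bos, top.ttl - 1)
        return b"".join(e.pack() for e in rest) + payload
    swapped = LabelEntry(out, top.exp, top.bos, top.ttl - 1)
    return b"".join(e.pack() for e in [swapped, *rest]) + payload


# R2's data from the slides: IGP next hop 172.16.24.4 is bound to LDP peer 4.4.4.4, whose binding is 25.
R2_RIB = {"10.1.1.0/24": "172.16.24.4"}
R2_LDP_NEIGHBORS = {"4.4.4.4": {"172.16.24.4", "172.16.46.4", "4.4.4.4"},
                    "8.8.8.8": {"172.16.28.8", "8.8.8.8"}}   # 8.8.8.8's bound addresses are constructed
R2_LIB = {"10.1.1.0/24": {"8.8.8.8": 25, "4.4.4.4": 25}}

if __name__ == "__main__":
    print(build_lfib(R2_RIB, R2_LDP_NEIGHBORS, R2_LIB))          # {'10.1.1.0/24': (25, '172.16.24.4')}
    pkt = push([18, 20], b"constructed IPv4 payload", ttl=254)   # transport label 18 over VPN label 20
    for lfib in ({18: 18}, {18: IMPLICIT_NULL}, {20: NO_LABEL}):  # swap at a P router, PHP, egress pop
        print(fmt_stack(parse_stack(pkt)[0]))
        pkt = switch(lfib, pkt)
    print(pkt)
```

The drop on an unknown label is the security-relevant part: an LSR must never forward a packet whose label it has not bound, because the label alone says nothing about the destination; the check is what stops a mislabelled packet from being switched into an arbitrary LSP.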
CEF
• Cisco Express Forwarding (CEF) is an advanced switching technology. It consists of two key components:
  1. Forwarding Information Base (FIB)
  2. Adjacency Table
• The FIB contains all IP routes from the RIB, their Next-Hops, outgoing interfaces and a reference to the Adjacency Table. This information is stored in a special memory structure that allows for optimized lookups
• The Adjacency Table contains pre-built Layer 2 headers
• CEF allows for very efficient, high-speed packet forwarding
MPLS Forwarding Plane – cont.
• CEF lookup on ingress router R2:

R2#sh ip cef 10.1.1.0/24
10.1.1.0/24
  nexthop 172.16.24.4 GigabitEthernet0/1.24 label 25

• CEF and LFIB lookup on egress router R6:

R6(config)#do sh ip cef 10.1.1.0
10.1.1.0/24
  nexthop 172.16.67.7 FastEthernet0/1
R6#sh mpls forwarding-table 10.1.1.0 24
Local  Outgoing   Prefix        Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id  Switched     interface
24     No Label   10.1.1.0/24   1812         Fa0/1      172.16.67.7
MPLS Configuration
• Enable CEF: ip cef
• Enable MPLS globally: mpls ip
• Select LDP as the label protocol: mpls label protocol ldp
• Enable MPLS per interface: mpls ip
Configuration Verification
show mpls ldp discovery
- Displays status of LDP discovery
show mpls ldp neighbor
- Displays status of LDP sessions
show mpls ldp bindings
- Displays the contents of the LIB
show mpls forwarding-table
- Displays the contents of the LFIB
show ip cef
- Displays CEF FIB entries
4.02 Implement Virtual Routing and Forwarding (VRF) and MultiVRF Customer Edge (VRF-Lite)
VRF Basics
• Virtual Routing and Forwarding (VRF) is just a separate (virtual) routing table on a device
• VRFs are used with MPLS VPNs
• VRF-Lite, also known as Multi-VRF CE, is a feature that uses VRFs without MPLS at all
VRF-Lite
• There are several methods that can be used to segment traffic at Layer 3:
  - Separate physical devices
  - Access-lists
  - Route filtering
  - Policy routing
  - NAT
• The aforementioned solutions do not scale well (cost, administrative burden), and most of them filter traffic without actually separating the routing tables
• VRF-Lite can be used to overcome those limitations
VRF-Lite – cont.
• Each VRF consists of:
  - A separate routing table
  - A separate CEF FIB and Adjacency Table
  - A set of interfaces that use this particular virtual routing table only
• Packets entering a VRF-assigned interface can only follow routes, and exit through interfaces, listed in that specific VRF
• Multiple technologies can be used to extend VRFs between devices (e.g. Frame Relay, VLANs, MPLS, IPsec), since VRFs are only locally significant
• VRF configuration should be consistent end to end: the link-to-VRF mapping is made hop by hop, so a mismatch on one device places one segment's traffic into another segment's routing table
VRF-Lite Configuration
• VRF instance: ip vrf vrf_name
• Assigning an interface: ip vrf forwarding vrf_name (this removes any IP address already configured on the interface, so re-enter it afterwards)
• Remember that whenever a command is going to refer to a VRF, it must have the "vrf" part included somewhere in the syntax
VRF-Aware Routing Configuration
• Static route (the global keyword resolves the next hop in the global routing table, i.e. a deliberate leak out of the VRF):

ip route vrf vrf_name IP_addr mask NH [global]
ip route vrf VRF_100 192.0.2.0 255.255.255.0 10.1.1.1

• RIP, EIGRP, BGP:

address-family ipv4 vrf vrf_name

• EIGRP:

autonomous-system AS_NR

router eigrp 100
 address-family ipv4 vrf VRF_100
  autonomous-system 100
VRF-Aware Routing Configuration
• BGP:

neighbor IP_addr activate

router bgp 65000
 no synchronization
 no auto-summary
 address-family ipv4 vrf VRF_100
  neighbor 192.0.2.1 remote-as 65100
  neighbor 192.0.2.1 activate

• OSPF:

router ospf proc_nr vrf vrf_name

router ospf 1 vrf VRF1
Configuration Verification
show ip vrf [interfaces]
- Displays VRF instances and interfaces
show ip route vrf [*]
- Displays the routing table associated with a VRF
show ip ospf proc_nr
- Displays VRF-aware OSPF configuration
show ip eigrp vrf
- Displays VRF-aware EIGRP configuration
show ip protocols vrf
- Displays routing protocol information associated with a VRF
Case Study
• The goal is to achieve reachability between the sites while keeping networks in their respective VRFs
Case Study - Solution

ip vrf VRF_CUSTOMERS
ip vrf VRF_INTERNAL
interface Loopback1
 ip vrf forwarding VRF_CUSTOMERS
 ip address 192.168.10.1 255.255.255.0
interface Loopback2
 ip vrf forwarding VRF_INTERNAL
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0
 ip vrf forwarding VRF_CUSTOMERS
 ip address 172.16.12.1 255.255.255.0
Case Study - Solution

interface FastEthernet0/1
 ip vrf forwarding VRF_INTERNAL
 ip address 172.16.120.1 255.255.255.0
router eigrp 100
 address-family ipv4 vrf VRF_INTERNAL
  network 172.16.120.1 0.0.0.0
  network 192.168.20.1 0.0.0.0
  no auto-summary
  autonomous-system 100
router ospf 1 vrf VRF_CUSTOMERS
 log-adjacency-changes
 network 172.16.12.1 0.0.0.0 area 0
 network 192.168.10.1 0.0.0.0 area 0
Case Study - Solution

R1(config)#do sh ip vrf int
Interface   IP-Address      VRF             Protocol
Lo1         192.168.10.1    VRF_CUSTOMERS   up
Fa0/0       172.16.12.1     VRF_CUSTOMERS   up
Lo2         192.168.20.1    VRF_INTERNAL    up
Fa0/1       172.16.120.1    VRF_INTERNAL    up

R2(config)#do sh ip vrf
  Name              Default RD    Interfaces
  VRF_CUSTOMERS     <not set>     Lo1
                                  Gi0/0
  VRF_INTERNAL      <not set>     Lo2
                                  Gi0/1
Case Study - Solution

R2#sh ip route vrf VRF_CUSTOMERS ospf
Routing Table: VRF_CUSTOMERS
     192.168.10.0/32 is subnetted, 1 subnets
O       192.168.10.1 [110/2] via 172.16.12.1, 00:05:02, GigabitEthernet0/0
R2#sh ip route vrf VRF_INTERNAL eigrp
D    192.168.20.0/24 [90/156160] via 172.16.120.1, 00:00:35, GigabitEthernet0/1
Case Study - Solution

R2#ping vrf VRF_CUSTOMERS 192.168.10.1 so loop1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#ping vrf VRF_INTERNAL 192.168.20.1 so loop2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Case Study - Solution
• Segmentation check: 192.168.10.1 exists only in VRF_CUSTOMERS, so a lookup from VRF_INTERNAL finds no route and the ping fails, which is the intended behavior

R2#sh ip route vrf VRF_INTERNAL | be Gateway
Gateway of last resort is not set
C    192.168.120.0/24 is directly connected, Loopback2
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.120.0 is directly connected, GigabitEthernet0/1
D    192.168.20.0/24 [90/156160] via 172.16.120.1, 00:02:04, GigabitEthernet0/1
R2#ping vrf VRF_INTERNAL 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
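A model of the per-VRF lookup behind the case study above, as an added Python example (not the deck's code): each VRF carries its own longest-prefix-match table, and forward() consults only the VRF bound to the ingress interface, which is why the last ping (VRF_INTERNAL to 192.168.10.1) fails while the first two succeed. R2's interface-to-VRF bindings and learned routes come from the slides; R2's Loopback1 address (192.168.110.1/24) is an assumption, since the slides never show it.

```python
"""Per-VRF forwarding lookup (added example, not from the original slides)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Route = tuple  # (next_hop or None for a connected route, outgoing interface)


@dataclass
class Vrf:
    name: str
    routes: dict = field(default_factory=dict)  # {IPv4Network: Route}

    def lookup(self, dst: str) -> Route | None:
        """Longest-prefix match inside this VRF only."""
        addr = ipaddress.IPv4Address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


class VrfLiteRouter:
    def __init__(self) -> None:
        self.vrfs: dict[str, Vrf] = {}
        self.interface_vrf: dict[str, str] = {}

    def ip_vrf(self, name: str) -> None:                          # 'ip vrf NAME'
        self.vrfs.setdefault(name, Vrf(name))

    def ip_vrf_forwarding(self, ifname: str, vrf: str) -> None:   # 'ip vrf forwarding NAME'
        self.interface_vrf[ifname] = vrf

    def connected(self, ifname: str, cidr: str) -> None:          # 'ip address ...' on a VRF interface
        vrf = self.vrfs[self.interface_vrf[ifname]]
        vrf.routes[ipaddress.IPv4Interface(cidr).network] = (None, ifname)

    def learned(self, vrf: str, prefix: str, next_hop: str, ifname: str) -> None:
        """A route learned by the VRF-aware IGP lands only in that VRF's table."""
        self.vrfs[vrf].routes[ipaddress.IPv4Network(prefix)] = (next_hop, ifname)

    def forward(self, in_if: str, dst: str) -> tuple | None:
        """A packet entering in_if is looked up only in that interface's VRF."""
        vrf = self.vrfs[self.interface_vrf[in_if]]
        hit = vrf.lookup(dst)
        return None if hit is None else (vrf.name, *hit)


def build_r2() -> VrfLiteRouter:
    """R2 from the VRF-Lite case study. Loopback1's address is an assumption."""
    r2 = VrfLiteRouter()
    for vrf in ("VRF_CUSTOMERS", "VRF_INTERNAL"):
        r2.ip_vrf(vrf)
    r2.ip_vrf_forwarding("Loopback1", "VRF_CUSTOMERS")
    r2.ip_vrf_forwarding("Gi0/0", "VRF_CUSTOMERS")
    r2.ip_vrf_forwarding("Loopback2", "VRF_INTERNAL")
    r2.ip_vrf_forwarding("Gi0/1", "VRF_INTERNAL")
    r2.connected("Loopback1", "192.168.110.1/24")   # assumed address
    r2.connected("Gi0/0", "172.16.12.2/24")
    r2.connected("Loopback2", "192.168.120.1/24")
    r2.connected("Gi0/1", "172.16.120.2/24")
    r2.learned("VRF_CUSTOMERS", "192.168.10.1/32", "172.16.12.1", "Gi0/0")   # OSPF host route
    r2.learned("VRF_INTERNAL", "192.168.20.0/24", "172.16.120.1", "Gi0/1")   # EIGRP route
    return r2


if __name__ == "__main__":
    r2 = build_r2()
    print(r2.forward("Loopback1", "192.168.10.1"))  # ('VRF_CUSTOMERS', '172.16.12.1', 'Gi0/0')
    print(r2.forward("Loopback2", "192.168.20.1"))  # ('VRF_INTERNAL', '172.16.120.1', 'Gi0/1')
    print(r2.forward("Loopback2", "192.168.10.1"))  # None: no such route in VRF_INTERNAL, the ping fails
```

The isolation holds only because there is no fallback to the global table or to another VRF when the lookup fails; a static route with the global keyword, or an interface left in the wrong VRF, is exactly what reintroduces a path between the two segments.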
4.03 Implement Layer 3 Virtual Private Networks (VPNs) on Provider Edge (PE), Provider (P), and Customer Edge (CE) routers
MPLS VPNs
• MPLS VPN is a feature that allows several sites of one customer to interconnect transparently through a service provider's network, effectively making those sites part of one private network
• Customer routes are not advertised into the ISP's IGP, since they could overlap between customers
• VRFs are used to keep the customer routes separated on the PE routers
• BGP (actually MP-BGP) is used to carry the customer routing information between ingress and egress PE routers
MPLS VPN Control Plane - PE-PE
• MP-BGP (Multiprotocol BGP) allows the existing prefixes to be re-defined by adding an additional field in front of them, making the prefixes unique
• The address family used in MPLS VPNs is VPNv4; the field prepended to each prefix is the Route Distinguisher (RD)
• The Route Distinguisher is used to make each customer prefix unique. The RD is a 64-bit value prepended to the IPv4 prefix, which results in a 96-bit NLRI called a VPN-IPv4 (VPNv4) route. The typical RD format is ASN:NN, where NN is a number chosen per VRF:
  65000:1:10.1.1.0/24
  65000:2:10.1.1.0/24
MPLS VPN Control Plane - PE-PE
• Route Distinguishers are configured per VRF
• Customer routes are then redistributed into MP-BGP from their respective VRFs, populating the MP-BGP table with VPNv4 routes
• Since the same customer may use different RDs for its different sites, Route Distinguishers cannot be used to determine which VPN a prefix belongs to. Route Distinguishers must still be unique among customers, though
• Route Targets (RTs) are used to indicate which VPN a prefix belongs to
MPLS VPN Control Plane - PE-PE
• A Route Target is a BGP extended community
• The Export RT is attached to a prefix when it is redistributed from the VRF into MP-BGP (before it is sent to the iBGP peer)
• The Import RT is checked when a route is received from an iBGP peer: only prefixes carrying an RT that matches one of the VRF's Import RTs are installed into that VRF
• If more than one Export RT is configured for a prefix, it can be imported by VRFs in more than one VPN (overlapping VPNs). The same mechanism means a mistyped Import RT silently pulls another customer's routes into a VRF, so RT assignments deserve the same review as firewall rules
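The RD and Route Target mechanics from the three PE-PE slides above, as an added Python example (not code from the original deck): encode_rd() and vpnv4_nlri() show the 64-bit RD turning two identical customer prefixes into distinct 96-bit VPNv4 routes, rt_community() packs an RT as a two-octet-AS-specific extended community, and import_routes() applies the Import-RT match, including the overlapping-VPN case and the leak a wrong Import RT causes. The RD and RT values and the 10.1.1.0/24 and 10.2.2.0/24 prefixes are the slides'; the VPNv4 table, the shared-service prefix and the "leaky" VRF definition are constructed, and the MPLS label that real NLRI carries in front of the RD is omitted.

```python
"""VPNv4 NLRI, RD and Route Target handling (added example, not from the original slides)."""
import ipaddress
import struct


def encode_rd(asn: int, nn: int) -> bytes:
    """Type 0 Route Distinguisher (ASN:NN): 2-byte type, 2-byte ASN, 4-byte assigned number = 64 bits."""
    return struct.pack("!HHI", 0, asn, nn)


def fmt_rd(rd: bytes) -> str:
    _type, asn, nn = struct.unpack("!HHI", rd)
    return f"{asn}:{nn}"


def vpnv4_nlri(rd: bytes, prefix: str) -> bytes:
    """VPN-IPv4 address: RD (64 bits) prepended to the IPv4 prefix (32 bits) = 96-bit NLRI.

    The label that real MP-BGP updates carry in front of the RD is left out here.
    """
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed


def rt_community(asn: int, nn: int) -> bytes:
    """Route Target as a two-octet-AS-specific extended community: type 0x00, sub-type 0x02, ASN, value."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, nn)


def import_routes(vpnv4_table: list, vrfs: dict) -> dict:
    """Install each VPNv4 route into every VRF whose Import RTs intersect the route's RTs.

    vpnv4_table: [(rd, prefix, {RTs attached on export})]; vrfs: {vrf_name: {import RTs}}.
    Returns {vrf_name: sorted "RD:prefix" strings}. The RD plays no part in the decision, only RTs do.
    """
    installed = {name: set() for name in vrfs}
    for rd, prefix, rts in vpnv4_table:
        for name, import_rts in vrfs.items():
            if rts & import_rts:
                installed[name].add(f"{fmt_rd(rd)}:{prefix}")
    return {name: sorted(routes) for name, routes in installed.items()}


def distinct_nlri_count(vpnv4_table: list) -> int:
    """Unique VPNv4 routes in the table: same IPv4 prefix under different RDs counts separately."""
    return len({vpnv4_nlri(rd, prefix) for rd, prefix, _ in vpnv4_table})


# Constructed VPNv4 table: CUST1 and CUST2 both use 10.1.1.0/24 internally, CUST1 also has 10.2.2.0/24,
# and a shared-service prefix is exported with both RTs (overlapping VPN).
RT_CUST1, RT_CUST2 = rt_community(1, 1), rt_community(2, 2)
VPNV4_TABLE = [
    (encode_rd(65000, 1), "10.2.2.0/24", {RT_CUST1}),
    (encode_rd(65000, 1), "10.1.1.0/24", {RT_CUST1}),
    (encode_rd(65000, 2), "10.1.1.0/24", {RT_CUST2}),
    (encode_rd(65000, 99), "10.99.0.0/24", {RT_CUST1, RT_CUST2}),
]
VRFS = {"CUST1": {RT_CUST1}, "CUST2": {RT_CUST2}}
LEAKY_VRFS = {"CUST1": {RT_CUST1}, "CUST2": {RT_CUST2, RT_CUST1}}  # typo: CUST2 also imports 1:1

if __name__ == "__main__":
    for rd, prefix, _ in VPNV4_TABLE:
        print(f"{fmt_rd(rd)}:{prefix} -> {vpnv4_nlri(rd, prefix).hex()}")
    print(distinct_nlri_count(VPNV4_TABLE))        # 4 routes, although only 3 IPv4 prefixes exist
    print(import_routes(VPNV4_TABLE, VRFS))        # each VRF: its own prefixes plus shared 10.99.0.0/24
    print(import_routes(VPNV4_TABLE, LEAKY_VRFS))  # CUST2 now also holds CUST1's routes
```

The leaky case is worth keeping in mind when reviewing PE configurations: nothing in the protocol rejects an Import RT that belongs to another customer, so the only control is the configuration review itself.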
MPLS VPN Forwarding Plane
• Each MPLS VPN data packet is assigned TWO labels
• The outer (transport) label is used to carry the packet across the MPLS network
• The transport label corresponds to the BGP Next-Hop of the destination route, i.e. the loopback of the egress PE learned through the MP-BGP session; it is the LDP label for that /32
• The inner (VPN) label is assigned by the egress PE and advertised together with the VPNv4 route; it tells the egress PE which VRF (or which outgoing interface) the packet belongs to
• Penultimate Hop Popping (PHP) causes the second-to-last router to pop the outer label, so that the last hop receives a packet carrying only the VPN label. This is triggered by the egress PE advertising an Implicit-Null label (value 3) for its own loopback
MPLS VPN Configuration - CE
• Standard configuration; the CE is unaware of MPLS
• OSPF example:

router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 network 172.16.12.1 0.0.0.0 area 0
MPLS VPN Configuration – PE-CE
• VRFs:

ip vrf vrf_name
 rd rd_value
 route-target import|export|both rt_value
interface if_name
 ip vrf forwarding vrf_name

ip vrf CUST-1
 rd 1:1
 route-target import 1:10
 route-target export 1:10

• VRF-aware IGP example (OSPF):

router ospf 1 vrf CUST-1
 network 172.16.12.2 0.0.0.0 area 0
MPLS VPN Configuration – PE-PE
• BGP:

neighbor IP_addr remote-as as_nr
neighbor IP_addr update-source if_name

• MP-BGP (VPNv4). Route Targets are extended communities, so the VPNv4 session needs send-community extended (or both):

address-family vpnv4
 neighbor IP_addr activate
 neighbor IP_addr send-community extended

router bgp 65000
 neighbor 5.5.5.5 remote-as 65000
 neighbor 5.5.5.5 update-source loopback0
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
MPLS VPN Configuration – MPLS VPN
• VRF -> MP-BGP:

address-family ipv4 vrf vrf_name
 redistribute protocol

router bgp 65000
 address-family ipv4 vrf CUST-1
  redistribute ospf 1 vrf CUST-1

• MP-BGP -> VRF:

router protocol
 redistribute bgp AS_nr subnets

router ospf 1 vrf CUST-1
 redistribute bgp 65000 subnets
Configuration Verification
show mpls ldp bindings
- Displays the contents of the LIB
show mpls forwarding-table
- Displays the contents of the LFIB
show ip bgp summary
- Displays the BGP session status
Configuration Verification – cont.
show bgp vpnv4 unicast vrf|all [labels]
- Displays the MP-BGP VPNv4 information
show ip route vrf [*]
- Displays the RIB for a particular VRF
show ip cef [vrf]
- Displays CEF FIB entries
Case Study
• Ensure connectivity between different sites of the same customer
Case Study - Solution

ip vrf CUST1
 rd 65000:1
 route-target export 1:1
 route-target import 1:1
ip vrf CUST2
 rd 65000:2
 route-target both 2:2
interface GigabitEthernet0/0.12
 ip vrf forwarding CUST2
 ip address 172.16.12.2 255.255.255.0
interface GigabitEthernet0/0.92
 ip vrf forwarding CUST1
 ip address 172.16.92.2 255.255.255.0
Case Study - Solution

router ospf 2 vrf CUST2
 log-adjacency-changes
 network 172.16.12.2 0.0.0.0 area 0
router eigrp 65000
 auto-summary
 address-family ipv4 vrf CUST1
  network 172.16.92.2 0.0.0.0
  no auto-summary
  autonomous-system 1
Case Study - Solution

R2#sh ip route vrf CUST2 ospf 2
Routing Table: CUST2
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/2] via 172.16.12.1, 00:00:00, GigabitEthernet0/0.12
R2#sh ip route vrf CUST1 eigrp
     10.0.0.0/24 is subnetted, 1 subnets
D       10.2.2.0 [90/130816] via 172.16.92.9, 00:05:54, GigabitEthernet0/0.92
Case Study - Solution

router bgp 65000
 no auto-summary
 no synchronization
 neighbor 6.6.6.6 remote-as 65000
 neighbor 6.6.6.6 update-source Loopback0
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community both
Case Study - Solution

R2#sh ip bgp summary
BGP router identifier 2.2.2.2, local AS number 65000
BGP table version is 1, main routing table version 1

Neighbor   V    AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
6.6.6.6    4 65000       5       6       1    0    0 00:01:56        0

• Redistribute IGP into MP-BGP:

address-family ipv4 vrf CUST2
 redistribute ospf 2 vrf CUST2
address-family ipv4 vrf CUST1
 redistribute eigrp 1 metric 100
Case Study - Solution

R2#sh bgp vpnv4 unicast all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 65000:1 (CUST1)
   10.2.2.0/24      172.16.92.9   22/nolabel
   172.16.92.0/24   0.0.0.0       21/nolabel(CUST1)
Route Distinguisher: 65000:2 (CUST2)
   10.1.1.0/24      172.16.12.1   20/nolabel
   172.16.12.0/24   0.0.0.0       19/nolabel(CUST2)
Case Study - Solution

R2#sh bgp vpnv4 unicast all
BGP table version is 18, local router ID is 2.2.2.2
...
   Network          Next Hop       Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf CUST1)
*> 10.2.2.0/24      172.16.92.9       100         32768 ?
*>i10.3.3.0/24      6.6.6.6           200    100      0 ?
*>i172.16.68.0/24   6.6.6.6             0    100      0 ?
*> 172.16.92.0/24   0.0.0.0             0         32768 ?
Route Distinguisher: 65000:2 (default for vrf CUST2)
*> 10.1.1.0/24      172.16.12.1         2         32768 ?
*>i10.3.3.0/24      6.6.6.6             2    100      0 ?
*> 172.16.12.0/24   0.0.0.0             0         32768 ?
*>i172.16.67.0/24   6.6.6.6             0    100      0 ?
Case Study - Solution

router ospf 2 vrf CUST2
 redistribute bgp 65000 subnets
router eigrp 65000
 address-family ipv4 vrf CUST1
  redistribute bgp 65000 metric 1 1 1 1 1
Case Study - Solution

R1#sh ip ro ospf
     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.67.0 [110/2] via 172.16.12.2, 00:00:25, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.3.3.0 [110/3] via 172.16.12.2, 00:00:25, FastEthernet0/0
R9#sh ip ro eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.68.0 [90/30720] via 172.16.92.2, 00:00:16, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.3.3.0 [90/158720] via 172.16.92.2, 00:00:16, FastEthernet0/0
Case Study - Solution
• R2 CEF lookup :
R2#sh ip cef vrf CUST2 10.3.3.8
10.3.3.0/24
  nexthop 172.16.24.4 GigabitEthernet0/1 label 18 20
• Transport label lookup :
R2#sh ip ro vrf CUST2 | in 10.3.3.0
B        10.3.3.0 [200/2] via 6.6.6.6, 01:30:11
R2#sh mpls ldp binding 6.6.6.6 32
  lib entry: 6.6.6.6/32, rev 15
        local binding:  label: 18
        remote binding: lsr: 172.16.45.4:0, label: 18
Case Study - Solution
• R4's verification outputs :
R4#
MPLS les: Fa0/0: rx: Len 122 Stack {18 0 254} {20 0 254} - ipv4 data
MPLS les: Fa0/1: tx: Len 122 Stack {18 0 253} {20 0 254} - ipv4 data
R4#sh mpls forwarding 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
18         18         6.6.6.6/32       41404         Fa0/1      172.16.45.5
Case Study - Solution
• R5's verification outputs :
R5#sh mpls forwarding 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
18         Pop Label  6.6.6.6/32       19820         Fa0/1      172.16.56.6
R5#
MPLS les: Fa0/0: rx: Len 122 Stack {18 0 253} {20 0 254} - ipv4 data
MPLS les: Fa0/1: tx: Len 118 Stack {20 0 252} - ipv4 data
Case Study - Solution
• R6's verification output :
R6#sh mpls forwarding labels 20
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
20         No Label   10.3.3.0/24[V]   6726          Fa0/0.67   172.16.67.7
• Final ping from R1 :
R1#ping 10.3.3.7 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.3.3.7, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
End of Section 4.0
IPexpert’s CCIE R&S written VoD Series 5.0 Implement IP Multicast
5.00 IP Multicast Introduction
IP Multicast Introduction
• How would you deliver a 1Mbps video stream to five PCs?
• Unicast transmission takes 5x1Mbps = 5Mbps
• Broadcasts are not forwarded by routers by default + every device in a local network would have to process the frame
• Multicast would work best. Multicast is a UDP-based "one-to-many" transmission technology - multicast packets are forwarded only to the devices that joined a particular multicast group
• Multicast applications use a multicast IP address (class D) as the destination - a multicast address can never be a source
Multicast Groups
• We have got two types of multicast groups :
1. Special Usage
2. Transient
• Special Usage groups can be further subdivided into the following ranges :
Permanent ranges :
224.0.0.0/24 (TTL set to 1). E.g. OSPF 224.0.0.5/6
224.0.1.0/24 (can be forwarded). E.g. Auto-RP
Non-permanent ranges :
232.0.0.0/8 (Source-Specific Multicast)
233.0.0.0/8 (GLOP range)
239.0.0.0/8 (Private range)
Multicast L2 Address Calculation
• Whenever an IP multicast address is assigned to an application, a corresponding L2 multicast address is derived
• The NIC will then listen to two MACs instead of just to its BIA
• Every Layer 2 multicast MAC starts with 01.00.5E and the 25th bit is set to 0
• Since only 23 bits are available in the multicast MAC, there will be 2^5 = 32 IP addresses that overlap onto one MAC (the initial class D marker "1110" does not count, it is always the same)
• The remaining part of the multicast MAC address is copied from the IP address (last 23 bits)
Multicast MAC Address Example
• Our IP address is 225.192.4.9 which can be written in binary as :
11100001.11000000.00000100.00001001
  - 1110 : Class D marker
  - 0001.1 : Overlap (the 5 bits that are not copied)
  - 1000000.00000100.00001001 : Part that is copied into the multicast MAC (last 23 bits)
– Multicast MAC : 0100.5e40.0409
• An overlapping IP could be for example 234.64.4.9 :
11101010.01000000.00000100.00001001
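The derivation above, as an added example in Python (not part of the original slides): multicast_mac copies the low 23 bits of the group into the fixed 01-00-5E prefix, and overlapping_groups enumerates the 2^5 = 32 groups that share one MAC. The function names are mine; the addresses are the ones from the slide.

```python
import ipaddress

# Fixed upper 25 bits of every IPv4 multicast MAC: OUI 01-00-5E followed by a 0 bit
MCAST_MAC_PREFIX = 0x01005E << 24


def multicast_mac(group: str) -> str:
    """Derive the L2 multicast MAC for an IPv4 class D group address.

    Only the low 23 bits of the IP address are copied into the MAC;
    the upper 25 bits of the MAC are constant.
    """
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a class D (224.0.0.0/4) address")
    low23 = int(ip) & 0x7FFFFF
    b = (MCAST_MAC_PREFIX | low23).to_bytes(6, "big")
    # Cisco-style dotted notation, e.g. 0100.5e40.0409
    return f"{b[0]:02x}{b[1]:02x}.{b[2]:02x}{b[3]:02x}.{b[4]:02x}{b[5]:02x}"


def overlapping_groups(group: str) -> list:
    """Return every class D address that maps to the same MAC as `group`.

    Four bits (the 1110 class D marker) are implied and 23 bits are copied,
    so 32 - 4 - 23 = 5 bits are lost in the mapping: 2^5 = 32 groups share one MAC.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (lost_bits << 23) | low23))
        for lost_bits in range(32)
    ]


def shares_mac(group_a: str, group_b: str) -> bool:
    """True when a NIC listening for group_a also receives frames for group_b at L2."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    print(multicast_mac("225.192.4.9"))              # 0100.5e40.0409
    print(shares_mac("225.192.4.9", "234.64.4.9"))   # True
    print(overlapping_groups("225.192.4.9"))
```

The overlap is why L2 filtering (NIC MAC filters, IGMP snooping CAM entries) cannot separate two groups that differ only in the five lost bits; the host IP stack or an L3 boundary has to do that.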
IGMP
• Internet Group Management Protocol (IGMP) works between a router and a multicast client
• IGMP is used to inform local multicast routers that a host wants to receive multicast traffic for a specific group (or that it no longer wants to receive it)
• Routers send periodic Host Membership Query messages to see if there are any hosts interested in multicast traffic
• On multiaccess segments only one router is responsible for sending the Queries – this device is known as the IGMP Designated Querier (elected based on the lowest IP address)
IGMP – cont.
• If there are multicast clients, they will respond with a Host Membership Report message, also known as an IGMP Join
• Host Membership Reports are sent to the destination IP address corresponding to the group a host wants to join
• IGMP Joins are also sent after joining a group (unsolicited Reports)
• IGMP Leave is sent when a host leaves a group – the router will automatically respond with a group-specific query to see if there are other hosts interested in this group. This message is not available in IGMP version 1
• IGMPv3 is a component of Source-Specific Multicast – it adds the ability to choose a particular multicast source
LAN Multicast Optimizations
• Switches by default flood multicast packets out of all ports in a VLAN except the port the packet was received on
• Two popular methods of optimizing this behavior are :
1. Cisco Group Management Protocol (CGMP)
2. IGMP Snooping
CGMP is Cisco-proprietary. It forces a router to communicate to the switch the multicast group it learned from IGMP so the switch can adjust its CAM table. This information includes two things :
1. Destination L2 multicast group MAC
2. Source IP address of the host
LAN Multicast Optimizations – cont.
IGMP Snooping works only with Layer 3 switches – it inspects all IGMP messages. Whenever an IGMP Join message for a new group is detected on a port, a new CAM entry is created for this multicast group and the port is added to that entry. A disadvantage is that all IGMP packets are process-switched
• Neither CGMP nor IGMP Snooping works for 224.0.0.0/24
• The reason for this is that routing protocols like OSPF or EIGRP don't generate IGMP packets
• The Host Membership Query message would not be answered and switch ports connected to routers would not be "reported" to CGMP or IGMP Snooping. This would result in traffic black-holing at L2
IGMP, CGMP and IGMP Snooping Configuration
IGMP & LAN Optimization Configuration
• IGMP Version
ip igmp version 1|2|3
• Emulating Multicast Clients
ip igmp join-group IP_address
ip igmp static-group IP_address
• CGMP
ip cgmp
• IGMP Snooping
ip igmp snooping
[no] ip igmp snooping vlan vlan_nr
Configuration Verification
show ip igmp groups
- Displays IGMP groups learned from multicast receivers
show ip igmp interface
- Displays IGMP-related information per interface
show ip igmp snooping
- Displays IGMP Snooping configuration
5.01 Implement Protocol Independent Multicast (PIM) Sparse Mode
Multicast Distribution Trees
• Since multicast is a one-to-many technology, unicast forwarding logic cannot be used to forward multicast packets
• Distribution Trees are used instead
• The two types of multicast trees are :
1. Source Trees
2. Shared Trees
• A Source Tree is always rooted at the source of the multicast traffic
• A Shared Tree is always rooted at the so-called Rendezvous Point (RP)
Source Tree
Shared Tree
Reverse Path Forwarding (RPF)
• The RPF (Reverse Path Forwarding) mechanism is used to prevent forwarding loops in a multicast environment
• The source IP address of each received multicast packet is validated against the unicast routing table
• If the route corresponding to the source is reachable through an interface other than the one on which the packet was received, the packet is dropped
• If there are multiple paths to the source (load-balancing), the interface towards the highest next-hop IP address is considered to be the RPF interface
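The RPF check as an added Python example (my own code, not from the slides): a longest-match lookup of the packet's source in a constructed unicast routing table, the highest-next-hop tie-break for equal-cost paths, and a drop when the ingress interface differs from the RPF interface. The routing table, interface names and addresses are constructed and do not reflect the case-study topology.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str


def route(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), interface)


# Constructed unicast RIB (assumption: not the page's case-study network).
# 10.1.1.0/24 is reachable over two equal-cost paths.
UNICAST_RIB = [
    route("10.1.1.0/24", "192.168.1.2", "Serial0/0"),
    route("10.1.1.0/24", "192.168.2.2", "Serial0/1"),
    route("10.0.0.0/8", "192.168.3.2", "Serial0/2"),
    route("0.0.0.0/0", "192.168.9.1", "Ethernet0/0"),
]


def rpf_interface(source: str, rib: List[Route] = UNICAST_RIB) -> Optional[str]:
    """Interface the unicast RIB would use to reach `source` (longest match).

    With several equal-length matches (load-balancing), the path with the
    highest next-hop IP address is taken as the RPF interface.
    """
    src = ipaddress.ip_address(source)
    candidates = [r for r in rib if src in r.prefix]
    if not candidates:
        return None
    longest = max(r.prefix.prefixlen for r in candidates)
    best = [r for r in candidates if r.prefix.prefixlen == longest]
    return max(best, key=lambda r: int(r.next_hop)).interface


def rpf_check(source: str, ingress: str, rib: List[Route] = UNICAST_RIB) -> bool:
    """True when a packet from `source` arriving on `ingress` passes the RPF check."""
    return rpf_interface(source, rib) == ingress


def forward_packets(packets: List[Tuple[str, str]], rib: List[Route] = UNICAST_RIB):
    """Apply the RPF check to (source_ip, ingress_interface) pairs.

    Returns (forwarded, dropped); the dropped list is what a router would
    count as RPF failures, which is also where a looped or spoofed feed shows up.
    """
    forwarded, dropped = [], []
    for src, ingress in packets:
        (forwarded if rpf_check(src, ingress, rib) else dropped).append((src, ingress))
    return forwarded, dropped


if __name__ == "__main__":
    sample = [("10.1.1.5", "Serial0/1"), ("10.1.1.5", "Serial0/0"),
              ("10.2.0.7", "Serial0/2"), ("172.16.0.1", "Serial0/0")]
    print(forward_packets(sample))
```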
RPF Example
Protocol Independent Multicast (PIM)
• Cisco devices use Protocol Independent Multicast (PIM) to construct the distribution trees
• There are two varieties of PIM :
1. PIM Dense Mode (PIM-DM)
2. PIM Sparse Mode (PIM-SM)
• PIM neighbors are discovered & maintained using PIM Hello packets
• PIM Hellos are sent to multicast address 224.0.0.13 using IP Protocol Number 103 every 30 seconds by default
• The default hold-time value is 90 seconds
PIM Dense Mode
• PIM Dense Mode uses Source Trees (also known as Shortest Path Trees or SPTs)
• Dense Mode logic is based on a "push model" – flood and prune
• Routers configured for PIM-DM flood multicast traffic out of all PIM-enabled interfaces (to all PIM DM neighbors)
• As a result, initially every PIM neighbor is considered to be on the Shortest Path Tree
• Pruning is then used to "clean" empty branches
PIM Dense Mode Example
PIM Dense Mode - Pruning
• Initially, every single network segment receives the multicast feed regardless of whether it needs it or not
• Prune messages are used to inform the upstream device that multicast traffic is not required (at the given time)
• A Prune message is sent in two situations :
1. When a multicast packet is received on a non-RPF interface
2. When a router has no directly connected hosts AND no downstream routers listening for a particular multicast group
• Pruned interfaces are put back into the forwarding state after a 3-minute timer expires
Pruning Example
Pruning Example – cont.
Example Dense Mode Entry
(10.1.1.1, 225.1.1.1), 00:01:15/00:01:20, flags: CT
  Incoming interface: Serial0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Prune/Dense, 00:01:00/00:02:00
State Refresh & Graft Message
• The State Refresh feature is designed to stop the constant flood-and-prune behavior
• State Refresh keeps the pruned state in PIM dense mode from timing out by periodically forwarding a control message down the source-based distribution tree
• This feature also enables PIM DM routers to recognize topology changes (IGMP Join/Leave) before the 3-minute timer expires
• A Graft Message is sent to rejoin a previously pruned branch to the delivery tree
Graft Message - Example
PIM - Two Details
• Cisco routers automatically create a (*,G) entry for each (S,G) entry (which is called a parent entry), just for design efficiency
• This entry is NOT used for traffic forwarding (the incoming interface will be shown as Null)
• Technically speaking, a Prune message is actually a Join/Prune message with the "P" flag set
PIM DM & SM Common Features
• Features common to PIM Dense & Sparse Mode, that apply to multi-access interfaces, are as follows :
1. Prune Override
2. PIM Assert
3. PIM Designated Router (PIM DR)
Prune Override – sent to override a Prune when other devices still want to receive the multicast feed
PIM Assert – used to choose a single device that will be responsible for forwarding multicast traffic TO a segment. The election is based on :
1. Lowest Administrative Distance
2. Lowest Metric
3. Highest IP address
PIM DM & SM Common Features – cont.
PIM Designated Router (PIM DR) – the device with the highest Priority value, or in a tie, with the highest IP address is elected as PIM DR. In Dense Mode, PIM DR was used only with IGMPv1. In Sparse Mode, PIM DR is responsible for two things :
1. Registering active multicast sources
2. Constructing the shared tree for a particular multicast group
PIM Sparse Mode
• PIM Sparse Mode is based on a "pull model"
• In Sparse Mode, traffic will not be forwarded to a device unless it explicitly asked for it
• PIM Join messages are sent towards the RP to build the shared distribution tree
• PIM-SM operations can be divided into two distinct phases :
1. Source Phase
2. Client Phase
PIM Sparse Mode "Client Phase"
• The shared tree is created using PIM Join messages
• A PIM Join is generated on the Last-Hop router (directly connected to the client) right after an IGMP Membership Report message is received. A (*,G) entry is created
• An upstream router receiving this message builds its own (*,G) entry and generates another PIM Join towards the RP. Finally the RP also creates its own (*,G)
• Remember that the PIM DR is responsible for generating the first PIM Join message on multiaccess segments
PIM-SM „Client Phase” Example
PIM Sparse Mode "Source Phase"
• A Shortest Path Tree is created from the RP to the multicast source
• The First-Hop router (directly connected to the source) sends a unicast PIM Register message to the RP (on multiaccess segments it would be the PIM DR)
• The Rendezvous Point creates the SPT to the multicast source using a PIM Join message
• The RP sends a PIM Register Stop message to the source since traffic has just started flowing over the SPT it built (with the source)
PIM-SM „Source Phase”
PIM SM „Source Phase” – cont.
Example Sparse Mode mroute entries
• Shared Tree
(*, 225.1.1.1), 00:01:30/00:02:10, RP 192.168.1.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse, 00:01:30/00:02:01
• SPT
(10.1.1.1/32, 225.1.1.1), 00:01:30/00:02:01, flags: T
  Incoming interface: Serial0/1, RPF nbr 10.3.3.3
  Outgoing interface list: Null
SPT Switchover
• Each PIM-SM router can build the SPT between itself and the source of the multicast traffic
• This is used to reduce the latency and the load on the RP itself
• Before a PIM Join can be generated to build this tree, a router needs to learn the multicast source IP address
• By default, this happens after the first multicast data packet is received on the shared tree from the RP (but the SPT Switchover threshold is configurable)
• It is impossible to build the SPT initially, since the source of the multicast traffic is unknown
SPT Switchover Example
SPT Switchover Example – cont.
PIM Sparse-Dense Mode
• PIM Sparse-Dense Mode uses Sparse Mode for groups that have an RP configured
• All other groups that have no RP information will be processed as Dense Mode traffic
Protocol Independent Multicast Configuration
PIM Configuration
• Multicast Routing
ip multicast-routing
• PIM Dense, Sparse and Sparse-Dense Modes
ip pim dense-mode
ip pim sparse-mode
ip pim sparse-dense-mode
• Static Rendezvous Point
ip pim rp-address IP_address
• SPT Threshold
ip pim spt-threshold value
Configuration Verification
show ip pim interface
- Displays information about the interfaces configured for PIM
show ip pim neighbor
- Displays information about discovered PIM neighbors
show ip mroute
- Displays the contents of the multicast routing table
5.02 Implement PIM AutoRendezvous Point (Auto-RP), unicast Rendezvous Point (RP), and BootStrap Router (BSR)
Rendezvous Point
• All PIM Sparse Mode devices need to know the RP address
• Rendezvous Point information can be provided in three ways :
1. Statically (ip pim rp-address)
2. Using Auto-RP (Cisco-proprietary)
3. Using BSR (standards-based)
• The static method does not scale well
Auto-RP
• Auto-RP uses two types of devices – candidate RPs (cRPs) and a Mapping Agent
• A Candidate RP sends RP-Announce messages to the reserved multicast address 224.0.1.39 (UDP port 496), to propose itself as an RP for a particular group/range
• The Mapping Agent learns all cRP information (it listens to 224.0.1.39) and decides which device becomes the RP for a particular group/range (if there is more than one cRP for a group/range, the highest IP device is elected)
• The Mapping Agent embeds this information inside an RP-Discovery message which is then sent to 224.0.1.40 over UDP port 496. All cRPs listen to 224.0.1.40 to receive this message
Auto-RP Example
Auto-RP Example – cont.
Auto-RP Problem
• If Auto-RP uses multicasts to learn the RP address, how are Auto-RP messages actually forwarded?
• Auto-RP uses PIM Sparse Mode, which means that there should be an RP configured for 224.0.1.39/40. We have three options to fix this problem :
1. Static RP configuration for 224.0.1.39/40
2. PIM Sparse-Dense Mode
3. Auto-RP Listener feature
• Auto-RP Listener enables forwarding Auto-RP packets (only 224.0.1.39/40) as Dense Mode traffic, even if router interfaces are configured for Sparse Mode. Use the ip pim autorp listener command to configure this feature
BootStrap Router (BSR) Overview
• BSR is somewhat similar to Auto-RP since mapping information is first collected and then distributed to other routers
• Candidate RPs propose themselves as RPs to the BSR
• The BSR floods this mapping information, called the Candidate RP-set or RP-set, to all of its PIM neighbors inside a BootStrap Message (BSM)
• The RP-set is sent to 224.0.0.13 (all PIM routers) hop-by-hop, and is further re-flooded out of all interfaces where PIM neighbors exist. There is no need for PIM since BSM packets are local to the underlying L2 network (TTL of 1)
BSR Example
BootStrap Router (BSR) – cont.
• Candidate RPs learn the BSR's IP address from a BSM message
• cRP advertisements are sent as unicasts
• Initially, all the devices configured as BSRs (candidate BSRs) elect a single BSR router
• This election process is based on the higher priority value (advertised in every BSM message)
• In a tie, the highest IP address wins (source IP addresses of BSM messages are compared)
BootStrap Router (BSR) – cont.
• Each BSR router uses a common algorithm to select the same RP address for a given multicast group
• When there are multiple cRPs available for the same set of groups, a hash mask parameter can be used for load-balancing
• Every cRP gets 2^(32 – hash_mask_length) consecutive multicast groups
• There will be only ONE RP active for a given group range
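An added example, not from the slides: the group-to-RP hash defined in RFC 4601 section 4.7.2, which is the "common algorithm" the slide refers to (that Cisco IOS computes exactly this value is my assumption; the page does not give the formula). It shows why all 2^(32 - hash_mask_length) groups in a block land on the same cRP and how a set of groups spreads across several cRPs. The cRP addresses and group range are constructed.

```python
import ipaddress
from typing import Dict, List


def bsr_hash(group: str, hash_mask_len: int, crp: str) -> int:
    """RFC 4601 4.7.2:
    Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31
    G = group, M = hash mask (hash_mask_len leading 1 bits), C = candidate RP address.
    """
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    return (1103515245 * ((1103515245 * (g & mask) + 12345) ^ c) + 12345) % (1 << 31)


def select_rp(group: str, hash_mask_len: int, crps: List[str]) -> str:
    """RP for `group`: the cRP with the highest hash value wins; ties go to the highest cRP IP."""
    return max(crps, key=lambda c: (bsr_hash(group, hash_mask_len, c),
                                    int(ipaddress.IPv4Address(c))))


def groups_per_rp(hash_mask_len: int) -> int:
    """Size of the block of consecutive groups that share one (G & M) and hence one RP."""
    return 1 << (32 - hash_mask_len)


def distribution(first_group: str, count: int, hash_mask_len: int,
                 crps: List[str]) -> Dict[str, int]:
    """How `count` consecutive groups starting at first_group spread across the cRPs."""
    base = int(ipaddress.IPv4Address(first_group))
    tally = {c: 0 for c in crps}
    for i in range(count):
        g = str(ipaddress.IPv4Address(base + i))
        tally[select_rp(g, hash_mask_len, crps)] += 1
    return tally


if __name__ == "__main__":
    CRPS = ["10.0.0.1", "10.0.0.2"]        # constructed candidate RPs
    print(groups_per_rp(30))              # 4 groups per block
    print(distribution("239.1.1.0", 256, 30, CRPS))
```

Every router that learns the same RP-set from the BSR runs this same function, which is what keeps the whole domain agreeing on one RP per group; a hash mask length of 0 puts every group on a single cRP, so no load-balancing at all.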
Auto-RP & BSR Configuration
Auto-RP & BSR Configuration
• Auto-RP Mapping Agent
ip pim send-rp-discovery if_name
• Auto-RP Candidate RP
ip pim send-rp-announce if_name [group-list]
• BSR Candidate BSR
ip pim bsr-candidate if_name [hash-mask-length]
• BSR Candidate RP
ip pim rp-candidate if_name [group-list]
Configuration Verification
show ip pim rp
- Displays cached active RPs with associated multicast groups
show ip pim rp mappings
- Displays all group-to-RP mappings the router is aware of
show ip pim bsr-router
- Displays information about a BSR
show ip pim rp-hash
- Displays the RP selected for a particular group (Auto-RP & BSR)
5.03 Implement Multicast Source Discovery Protocol (MSDP) 5.04 Implement interdomain multicast routing
MSDP
• Multicast Source Discovery Protocol (MSDP) is a mechanism used to connect multiple PIM-SM domains (each PIM domain has its own Rendezvous Point)
• A newly received PIM Register message (which is denoted with "A" in the show ip mroute output) triggers sending a so-called Source Active message to all MSDP Peers
• A Source Active message contains the following :
Multicast source IP address
Destination group IP address
Rendezvous Point IP address
• The other-end RP can now join the multicast source
MSDP Example
Anycast RP
• Anycast RP is a feature that allows for redundancy and load-balancing between multiple RPs
• Anycast RP allows multiple devices to act as an RP for the same group
• Two or more RPs are configured with the same IP address which is further advertised into the multicast domain AND the underlying IGP
• PIM Joins will be sent to the closest RP
• MSDP is used to keep information about multicast sources in sync (between the RPs)
MSDP Configuration
MSDP Configuration
• MSDP Peering
ip msdp peer IP_address
• SA Originator (Anycast RP)
ip msdp originator-id if_name
Configuration Verification
show ip msdp peer
- Displays detailed information about MSDP peers
show ip msdp summary
- Displays MSDP peer status in a more friendly format
show ip msdp sa-cache
- Displays the (S,G) states learned from MSDP peers
5.05 Implement multicast tools, features, and Source-Specific Multicast
Multicast Scoping
• Multicast Scoping limits forwarding of multicast packets
• Two methods can be used to implement this feature :
1. TTL Scoping – a multicast packet will be dropped if its TTL value is less than or equal to the interface-configured threshold. For configuration, use the ip multicast ttl-threshold command
2. Multicast Boundary - allows you to configure a boundary for specified multicast group ranges (applies to both data & control plane packets). For configuration, use the ip multicast boundary ACL command – an extended ACL can not only specify the group but also the source of the multicast traffic
Bidirectional PIM
• Only the Shared Tree is used in Bidirectional PIM
• The Shared Tree provides a single distribution tree for all of the active sources (traffic from different sources traverses the same distribution tree)
• In PIM Bidirectional, upstream traffic follows the same path as the downstream traffic
• Since PIM Registration & Source Trees are not used in Bidir PIM, a new mechanism must be used to transport the traffic from the multicast source to the RP
• This mechanism is called the Designated Forwarder (DF)
Bidirectional PIM – cont.
• The Designated Forwarder is chosen on each network segment based on the lowest-cost metric to the RP
• The Designated Forwarder responsibilities include :
Deciding what packets need to be forwarded upstream toward the Rendezvous Point
Generating PIM Join/Leave messages and forwarding them towards the RP
• Routers located on a sender-only branch will also create a (*,G) state, like with a downstream part, but the OIL list will be Null
• PIM Register messages and Source Trees are NOT used in Bidirectional PIM
Bidirectional PIM Example
Source-Specific Multicast (SSM)
• Source-Specific Multicast (SSM) allows multicast receivers to explicitly specify the source of the multicast traffic
• Only Source Trees are used in SSM. No more RPs, Shared Trees, Auto-RP, BSR and MSDP
• The PIM Join is sent directly towards the multicast source
• SSM uses the multicast range 232.0.0.0/8
• IGMPv3 is the core of SSM – it allows the clients to select specific multicast sources (INCLUDE mode). EXCLUDE mode reports are ignored in SSM
SSM & Bidirectional PIM Configuration
SSM & Bidirectional PIM Configuration
• SSM
ip pim ssm default|range access-list
ip igmp version 3
• Bidirectional PIM
ip pim bidir-enable
• Bidirectional PIM Auto-RP
Add the "bidir" keyword when configuring Auto-RP
Configuration Verification
show ip igmp groups [detail]
- Displays IGMP groups learned from multicast receivers
show ip igmp interface
- Displays IGMP-related information per interface
show ip mroute [active]
- Displays the contents of the multicast routing table
5.06 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)
IPv6 Multicast
• IPv6 multicast address structure : (diagram on the original slide)
Multicast Listener Discovery (MLD)
• Multicast Listener Discovery replaces IGMP
• MLD is used by IPv6 routers to discover multicast listeners on directly attached links
• MLD version 1 corresponds to IGMPv2
• MLD version 2 corresponds to IGMPv3
• MLD message types are as follows :
Query
Report
Done (equivalent to IGMP Leave)
IPv6 PIM, Auto-RP, BSR
• IPv6 PIM is similar to IPv4 PIM
• Only Sparse Mode is supported
• Currently there is no Auto-RP in IPv6
• IPv6 BSR allows configuring a list of Candidate RPs on the BSR
• This may be useful in Anycast RP and Bidirectional PIM scenarios
Embedded RP
• There is no MSDP in IPv6; the Embedded RP feature can be used instead
• Embedded RP allows the router to learn RP information from the multicast group destination address
• The RP must be statically configured and advertised into the IGP
Embedded RP Address
• For example, FF76:0140:2001:ABCD::5 results in an RP address of 2001:ABCD::1/64.
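The extraction the slide illustrates, as an added Python example (my own code, not from the slides). It uses the RFC 3956 layout of an embedded-RP group address, which the page does not spell out: FF7S:0RPL:prefix(64 bits):group-id(32 bits), where the flags nibble 7 means R, P and T are set, S is the scope, R is the RIID and PL the prefix length. The second sample group is constructed.

```python
import ipaddress
from typing import NamedTuple


class EmbeddedRP(NamedTuple):
    rp: ipaddress.IPv6Address
    network: ipaddress.IPv6Network
    scope: int
    riid: int


def embedded_rp(group: str) -> EmbeddedRP:
    """Extract the RP address embedded in an IPv6 group address (RFC 3956 layout).

    Byte layout of the group address:
      b[0] = 0xFF, b[1] = flags (high nibble) | scope (low nibble)
      b[2] = reserved (high nibble) | RIID (low nibble), b[3] = prefix length
      b[4:12] = 64-bit network prefix field, b[12:16] = 32-bit group id
    RP address = the first `plen` bits of the prefix field, then the RIID.
    """
    b = ipaddress.IPv6Address(group).packed
    flags, scope = b[1] >> 4, b[1] & 0x0F
    if b[0] != 0xFF or flags & 0x7 != 0x7:
        raise ValueError(f"{group} is not an embedded-RP group (R, P and T flags required)")
    riid, plen = b[2] & 0x0F, b[3]
    if riid == 0 or not 1 <= plen <= 64:
        raise ValueError(f"{group}: RIID must be non-zero and prefix length 1..64")
    prefix_bits = int.from_bytes(b[4:12], "big") << 64        # left-align the prefix field
    prefix_bits &= ((1 << plen) - 1) << (128 - plen)          # keep only plen bits
    return EmbeddedRP(
        rp=ipaddress.IPv6Address(prefix_bits | riid),
        network=ipaddress.IPv6Network((prefix_bits, plen)),
        scope=scope,
        riid=riid,
    )


if __name__ == "__main__":
    print(embedded_rp("FF76:0140:2001:ABCD::5"))   # rp=2001:abcd::1, network=2001:abcd::/64
```

Because the RP address is derived purely from the group address, a receiver or source that joins a group carrying a different prefix or RIID pulls in a different RP; the boundary ACLs on a multicast domain therefore need to match on the embedded prefix, not just the group id.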
IPv6 SSM
• IPv6 SSM is exactly the same as in IPv4
• Multicast Listener Discovery version two is used to specify the source address
• The IPv6 multicast group range reserved for SSM is FF3x/96
IPv6 Multicast Configuration
IPv6 Multicast Configuration
• IPv6 Multicast Routing
ipv6 multicast-routing
• IPv6 PIM
[no] ipv6 pim
• MLD
ipv6 mld ...
• Static Multicast Route
ipv6 route prefix if_name next_hop multicast
ipv6 route 2001:1::/64 FastEthernet0/0 FE80::200:60EA:FE10:AB29 multicast
Configuration Verification
show ipv6 pim interface
- Displays information about interfaces configured for PIM
show ipv6 pim neighbors
- Displays information about discovered PIM neighbors
show ipv6 pim range-list
- Displays information about IPv6 multicast range lists
show ipv6 pim bsr
- Displays BSR-related information
Configuration Verification
show ipv6 mld interface
- Displays MLD-related information about an interface
show ipv6 mld groups
- Displays connected multicast groups learned through MLD
show ipv6 mroute
- Displays the IPv6 PIM topology table
End of Section 5.0
IPexpert’s CCIE R&S Written VoD Series 6.0 Implement Network Security
6.01 Implement Access Lists
Access Lists
• Not only a traffic-filtering tool
• Processed in a top-down fashion, up to the first match (order of entries is important)
• Implicit "deny ip any any" at the end
• If you want to log, use an explicit entry with the log/log-input keyword
• The log-input option includes information about the ingress interface and source MAC address
Numbered vs Named Access Lists
• Configuration is a little bit different (access-list for numbered and ip access-list standard/extended for named)
• Named ACLs are easier to manage
• Additional matching options are available, for example TCP flags or TTL value
Standard vs Extended Access Lists
• Standard ACLs test only the source IP address, with two exceptions :
1. An outbound VTY standard ACL specifies the destination address
2. For route filtering, the networks are specified
• Extended ACLs test source & destination IPs + additional fields can also be specified (e.g. port number, ToS)
• IOS ACLs use wildcard masks
• "0" means check whilst "1" means ignore the bit
Wildcard Mask Examples
• To match even networks, just remember to set the last bit of the IP address to 0 :
access-list 1 permit 192.168.1.0 0.0.0.254
• To match odd networks, just remember to set the last bit of the IP address to 1 :
access-list 1 permit 192.168.1.1 0.0.0.254
• 254 corresponds to 11111110 in binary
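An added Python example (my own code, not from the slides) that models the rules from the Access Lists slide and the wildcard examples above: ordered top-down first-match evaluation, the unlogged implicit deny, and wildcard matching where a 0 bit is checked and a 1 bit ignored. It also includes shadowed_entries, a check for entries that an earlier, broader entry makes unreachable, which is the usual symptom of getting the order wrong. The ACLs are constructed from the even/odd examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL: 'permit|deny address wildcard [log]'."""
    action: str
    address: str
    wildcard: str
    log: bool = False


def _i(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'check this bit', 1 means 'ignore it'."""
    check = _i(wildcard) ^ ALL_ONES            # bits that must be equal
    return (_i(ip) & check) == (_i(address) & check)


def evaluate(acl: List[Ace], source_ip: str) -> Tuple[str, Optional[int], bool]:
    """Top-down, first match wins. Returns (action, index of matching entry, logged).

    The implicit 'deny ip any any' has no index and never logs: to see what the
    ACL drops you need an explicit final deny entry with the log keyword.
    """
    for idx, ace in enumerate(acl):
        if wildcard_match(source_ip, ace.address, ace.wildcard):
            return ace.action, idx, ace.log
    return "deny", None, False


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them.

    Entry j is covered by an earlier entry i when every bit i checks is also
    checked by j and those checked bits agree.
    """
    shadowed = []
    for j, later in enumerate(acl):
        check_l = _i(later.wildcard) ^ ALL_ONES
        for earlier in acl[:j]:
            check_e = _i(earlier.wildcard) ^ ALL_ONES
            if (check_e & ~check_l) == 0 and \
               (_i(earlier.address) & check_e) == (_i(later.address) & check_e):
                shadowed.append(j)
                break
    return shadowed


# Constructed ACLs mirroring the even/odd wildcard examples on the slide
EVEN_NETWORKS = [Ace("permit", "192.168.1.0", "0.0.0.254")]
ODD_NETWORKS = [Ace("permit", "192.168.1.1", "0.0.0.254")]
# Ordering mistake: the host deny can never match after 'permit any'
BAD_ORDER = [Ace("permit", "0.0.0.0", "255.255.255.255"),
             Ace("deny", "10.1.1.1", "0.0.0.0", log=True)]

if __name__ == "__main__":
    for ip in ("192.168.1.4", "192.168.1.5"):
        print(ip, evaluate(EVEN_NETWORKS, ip), evaluate(ODD_NETWORKS, ip))
    print("shadowed:", shadowed_entries(BAD_ORDER))   # [1]
```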
Access List Configuration
Access List Configuration
• Numbered Standard ACL
access-list 1-99
• Numbered Extended ACL
access-list 100-199
• Named ACL
ip access-list standard|extended name
• Attaching an ACL to an interface
ip access-group number|name in|out
• IPv6 ACL
ipv6 access-list name
ipv6 traffic-filter name in|out
Example Access List Configuration
• Numbered & Named Standard ACL
access-list 2 permit host 10.1.1.1
ip access-list standard STANDARD_ACL
 10 permit host 10.1.1.1
• Extended ACL
access-list 123 permit tcp 10.1.1.1 0.0.0.0 eq 23 any gt 1023
• Additional matching operators
ip access-list extended EXAMPLE_ACL
 10 permit tcp any host 10.1.1.1 match-all +syn -fin
 20 permit tcp any any eq 80 8080
Example IPv6 Access List Configuration
• IPv6 Access List
ipv6 access-list EXAMPLE
 deny tcp any FEC0:0:0::/64 eq 23
int f0/1
 ipv6 traffic-filter EXAMPLE in
Configuration Verification
show access-list - Displays the contents of all current access lists
show ip access-list - Displays the contents of all current IP access lists
show ipv6 access-list - Displays the contents of all current IPv6 access lists
6.02 Implement Zone Based Firewall
Zone Based Firewall
• Security Model operates on Security Zones
• Policy is applied to zone-pairs
• Zone-pairs are unidirectional
• Inside to Outside is different from Outside to Inside
Zone Based Firewall – Zone Pairs (diagram)
Zone Based Firewall
• Each interface belongs to only one security zone
• For traffic to flow among all the interfaces in a router, all the interfaces must be a member of one security zone or another
• By default all the traffic between zone-assigned interfaces is dropped (unless these interfaces are in the same zone)
• Flexible policies can be created, with per-flow granularity
• The Self-Zone affects only traffic going from/to the router itself (all of it is allowed by default)
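The zone-membership rules on this slide, as an added Python example that is not part of the original slides: a decision function that takes the ingress and egress zone of a flow and the configured zone-pairs and returns what the router does with it. The zone names, the zone-pair table and the "inspect"/"pass"/"drop" outcome labels are constructed for the example; the self-zone handling is modelled on the slide's statement that self-zone traffic is allowed unless a policy says otherwise.

```python
# Constructed model of the zone-pair rules on this slide; zone names and
# policy actions are made up for the example, not taken from a real device.
SELF = "self"   # traffic sourced by or destined to the router itself


def zbf_decision(ingress_zone, egress_zone, zone_pairs):
    """Decide what happens to a flow between two interfaces.

    ingress_zone / egress_zone: a zone name, SELF for the router itself, or
    None for an interface that is not a member of any zone.
    zone_pairs: {(source_zone, destination_zone): action} where action is the
    outcome of the inspect policy-map attached to that pair
    ("inspect", "pass" or "drop").
    """
    # Traffic to or from the router itself is allowed unless a zone-pair
    # involving the self zone says otherwise.
    if SELF in (ingress_zone, egress_zone):
        return zone_pairs.get((ingress_zone, egress_zone), "pass")
    # Two interfaces without any zone membership keep normal routing behaviour.
    if ingress_zone is None and egress_zone is None:
        return "pass"
    # A zone member talking to a non-member is dropped.
    if ingress_zone is None or egress_zone is None:
        return "drop"
    # Members of the same zone talk freely.
    if ingress_zone == egress_zone:
        return "pass"
    # Everything else needs a zone-pair in this exact direction.
    return zone_pairs.get((ingress_zone, egress_zone), "drop")


# Constructed zone-pair table: only INSIDE -> OUTSIDE has a policy attached.
PAIRS = {("INSIDE", "OUTSIDE"): "inspect"}


def walkthrough():
    """Evaluate the directions a practitioner usually has to reason about."""
    return {
        "inside->outside": zbf_decision("INSIDE", "OUTSIDE", PAIRS),
        "outside->inside": zbf_decision("OUTSIDE", "INSIDE", PAIRS),  # no pair: drop
        "inside->inside": zbf_decision("INSIDE", "INSIDE", PAIRS),
        "inside->no zone": zbf_decision("INSIDE", None, PAIRS),
        "no zone->no zone": zbf_decision(None, None, PAIRS),
        "outside->self": zbf_decision("OUTSIDE", SELF, PAIRS),
    }


if __name__ == "__main__":
    for direction, verdict in walkthrough().items():
        print(f"{direction}: {verdict}")
```

The "outside->inside" result is the one to watch: because zone-pairs are unidirectional, configuring only INSIDE to OUTSIDE leaves the reverse direction at the default drop, and return traffic only gets through because the inspect action tracks the session state.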
Zone Based Firewall – Zones (diagram)
Zone Based Firewall L7 Policies
• Used for application-level inspection:
 1. HTTP
 2. IMAP
 3. Instant Messenger
 4. Peer to Peer
 5. SMTP
 6. SUN RPC
Zone Based Firewall Configuration
Zone Based Firewall Configuration #1
• Classify traffic: class-map type inspect
class-map type inspect match-any ZFW_TEST_CLASS
 match protocol http
 match protocol tcp
• Create policy: policy-map type inspect
• Four available ZFW policy actions are:
 1. Inspect - stateful packet inspection
 2. Pass - allow packets one-way
 3. Drop - drop the packets
 4. Police - rate-limit the traffic
Zone Based Firewall Configuration #2
• Example policy-map configuration:
policy-map type inspect ZFW_IN_OUT_POL
 class TCP_CLASS
  inspect
  police ...
 class ICMP
  pass log
• Create zones: zone security
zone security INSIDE
zone security OUTSIDE
Zone Based Firewall Configuration #3
• Assign the interfaces to the appropriate zones: interface F0/0, then zone-member security zone_name
interface F0/0
 zone-member security INSIDE
• Create zone pairs: zone-pair security zpair_name source src_zone destination dst_zone, then service-policy type inspect policy_name
zone-pair security IN_OUT source INSIDE dest OUTSIDE
 service-policy type inspect ZFW_INOUT_POL
Configuration Verification
show policy-map type inspect - Displays ZFW policy-map configuration
show zone security - Displays information about created security zones
show zone-pair security - Displays information about zone-pairs and policies
Case Study
• Host on the inside (10.1.1.1) should be able to access any device on the outside using SSH and HTTP
• Any external device should be able to ping all inside networks, but the “inspect” action cannot be used
Case Study - Solution
• Traffic classification
access-list 100 permit tcp host 10.1.1.1 any eq 22
access-list 100 permit tcp host 10.1.1.1 any eq 80
access-list 150 permit icmp any any echo
access-list 151 permit icmp any any echo-reply
class-map type inspect ZFW_INOUT_HOST1_CLASS
 match access-group 100
class-map type inspect ZFW_INOUT_ICMP_CLASS
 match access-group 151
class-map type inspect ZFW_OUTIN_ICMP_CLASS
 match access-group 150
Case Study - Solution
• Policy creation
policy-map type inspect ZFW_INOUT_POL
 class type inspect ZFW_INOUT_HOST1_CLASS
  inspect
 class type inspect ZFW_INOUT_ICMP_CLASS
  pass
policy-map type inspect ZFW_OUTIN_POL
 class type inspect ZFW_OUTIN_ICMP_CLASS
  pass
Case Study - Solution
• Zones & interface assignments
zone security INSIDE
zone security OUTSIDE
int f0/1
 zone-member security INSIDE
int s0/0
 zone-member security OUTSIDE
Case Study - Solution
• Creating zone pairs and associating the policy
zone-pair security INOUT source INSIDE dest OUTSIDE
 service-policy type inspect ZFW_INOUT_POL
zone-pair security OUTIN source OUTSIDE dest INSIDE
 service-policy type inspect ZFW_OUTIN_POL
6.03 Implement Unicast Reverse Path Forwarding (uRPF)
uRPF
• Verifies the source of received packets
• Two modes of operation – Strict and Loose
• In Strict Mode the packet must be received on the interface towards the source (based on the RIB)
• In Loose Mode it is enough if the packet’s source is anywhere in the routing table
• Loose Mode allows a default route to be used for verification
• One caveat with uRPF is a Null route – if it is used to find a path towards the source, the received packet will be dropped
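The strict/loose distinction and the Null-route caveat above, as an added Python example that is not part of the original slides: a longest-prefix lookup over a constructed routing table, and a check function that implements strict mode (reachable-via rx), loose mode (reachable-via any), the allow-default option and the Null-route rule. The prefixes, interface names and sample packets are made up for the example.

```python
import ipaddress

# Constructed RIB for the example: (prefix, egress interface). "Null0" stands
# for a prefix pointed at the null interface; the last entry is a default route.
RIB = [
    ("10.1.0.0/16", "Fa0/0"),
    ("10.2.0.0/16", "Fa0/1"),
    ("192.0.2.0/24", "Se0/0"),
    ("203.0.113.0/24", "Null0"),
    ("0.0.0.0/0", "Se0/0"),
]


def lookup(rib, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in rib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(rib, source, ingress, mode="strict", allow_default=False):
    """Return True if a packet from `source` received on `ingress` passes uRPF.

    strict: the RIB must point back out of the ingress interface (reachable-via rx)
    loose:  any RIB entry for the source is enough (reachable-via any)
    allow_default: let a default route satisfy the check (off by default)
    A source resolved through a Null route always fails, in both modes.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = lookup(rib, source)
    if route is None:
        return False                       # source not in the routing table
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if iface == "Null0":
        return False                       # the Null-route caveat from the slide
    if mode == "loose":
        return True
    return iface == ingress


def run_samples():
    """Evaluate constructed packets: (source, ingress, mode, allow_default)."""
    samples = [
        ("10.1.5.5", "Fa0/0", "strict", False),     # arrives on the right interface
        ("10.1.5.5", "Fa0/1", "strict", False),     # wrong interface: spoof suspect
        ("10.1.5.5", "Fa0/1", "loose", False),      # loose mode accepts it
        ("203.0.113.9", "Se0/0", "loose", False),   # blackholed source
        ("198.51.100.7", "Se0/0", "loose", False),  # only the default route matches
        ("198.51.100.7", "Se0/0", "loose", True),   # allowed with allow-default
    ]
    return [urpf_check(RIB, s, i, m, d) for s, i, m, d in samples]


if __name__ == "__main__":
    print(run_samples())
```

The third and fifth samples show why loose mode is the usual choice on asymmetric edges and why allow-default matters there: without it, anything that only resolves via the default route is dropped even in loose mode.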
uRPF Configuration
uRPF Configuration
• Ensure that CEF is enabled: ip cef
• Loose Mode: ip verify unicast source reachable-via any
• Strict Mode: ip verify unicast source reachable-via rx
• Additional configuration options: allow-default, allow-self-ping, ACL_nr
Example uRPF Configuration
access-list 2 permit host 192.168.1.1
interface Serial0/0
 ip address 192.0.2.2 255.255.255.0
 ip verify unicast source reachable-via any 2
Configuration Verification
show ip interface if | in verify - Shows if uRPF is enabled on this interface
show cef int if - Displays CEF information for a specified interface
6.04 Implement IP Source Guard
IP Source Guard
• Anti-Spoofing solution for L2 switch ports
• Source binding entries are transformed to a port ACL
• Source bindings are either manual or learned from DHCP Snooping
• Filtering based on MAC addresses can also be configured, which affects IP and non-IP traffic
IP Source Guard Configuration
IP Source Guard Configuration
• Turn on DHCP Snooping: ip dhcp snooping vlan vlan_nr, ip dhcp snooping
• IP address filtering: ip verify source
• IP & MAC address filtering (IP and non-IP traffic): ip dhcp snooping information option, switchport port-security, ip verify source port-security
• Manual bindings: ip source binding
Example IP Source Guard Configuration
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
ip dhcp snooping
int f0/1
 switchport access vlan 10
 ip verify source
int f0/2
 switchport access vlan 20
 ip verify source
Configuration Verification
show ip verify source [interface] - Displays IP Source Guard configuration
show ip source binding - Shows dynamic AND static bindings in the DHCP Snooping database
show ip dhcp snooping binding - Shows ONLY dynamic bindings (DHCP Snooping bindings)
6.05 Implement Authentication, Authorization and Accounting (AAA)
AAA
• Security framework
• Authentication – who you are
• Usually RADIUS and TACACS+ protocols are used
• RADIUS uses UDP port 1812 for authentication & authorization and UDP port 1813 for accounting
• TACACS+ uses TCP port 49
• RADIUS encrypts the password, TACACS+ the entire body of the packet
• RADIUS combines authentication and authorization
AAA – cont.
• TACACS+ separates the three AAA functions
• TACACS+ can be used for command authorization
• Authorization – what you can do
• Accounting – what you did
• Router/Switch acts as a Network Access Server (NAS)
AAA Configuration
AAA Configuration
• Enable the AAA framework: aaa new-model
• Authentication method list: aaa authentication login name auth_methods, aaa authentication login default
• Authentication methods: line, local, enable, group radius|tacacs+, none
• AAA Servers: radius-server, tacacs-server
AAA Configuration – cont.
• Authorization method lists: aaa authorization exec, aaa authorization commands
• Authorization methods: if-authenticated, line, local, group radius|tacacs+, none
aaa authorization exec default group radius if-authenticated
• Accounting method lists: aaa accounting exec, aaa accounting commands
AAA Configuration – cont.
• Applying an authentication list: login authentication list_name
• Applying an authorization list: authorization exec|commands list_name
• Applying an accounting list: accounting exec|commands list_name
Example AAA Configuration
aaa new-model
aaa authentication login AUTH group tacacs+ local
aaa authorization exec AUTHOR group tacacs+
aaa accounting exec ACC start-stop group tacacs+
tacacs-server host 10.1.1.1 key ipexpert
username ipexpert password ipexpert
line con 0
 login authentication AUTH
 authorization exec AUTHOR
 accounting exec ACC
Configuration Verification
show aaa servers - Displays statistics related to the RADIUS AAA server
show radius server-group - Displays properties for the RADIUS server group
show tacacs - Displays statistics for a TACACS+ server
6.06 Implement Control Plane Policing (CoPP)
CoPP Control Plane
• IP packets are all carried in a single „pipe”
• Transit packets are destined to something other than the device itself
• Control Plane is a logical distinction used to describe the components that build up the other traffic planes
• Control Plane packets can be divided into two groups:
 1. Packets destined to the device itself, e.g. BGP, RIP
 2. Layer 2 and Layer 3 non-IP packets, e.g. ARP, CDP
CoPP Policing
• Used to protect the Control Plane
• Other traffic is also subject to this feature, e.g. management and exception traffic
• Exception packets require CPU handling; examples are IPv4 packets with header options, expiring TTL, ICMP unreachables and packets requiring fragmentation
• Usually applied to ingress traffic, although certain platforms support egress traffic too
CoPP Configuration
CoPP Configuration
• MQC: class-map, policy-map
• Policy actions available: police [rate], drop
• Enabling CoPP: control-plane, then service-policy input|output policy_name
Example CoPP Configuration
• Routing Protocols
access-list 100 permit ospf any host 224.0.0.5
access-list 100 permit ospf any host 224.0.0.6
• Management traffic
access-list 101 deny tcp host 10.1.1.1 any eq 22
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 23
• Normal traffic
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit pim any any
Example CoPP Configuration – cont.
• Undesirable traffic
access-list 103 permit ip any any fragments
access-list 103 permit udp any any eq 1434
• Classification
class-map match-all ROUTING_CLASS
 match access-group 100
class-map match-all MGMT_CLASS
 match access-group 101
class-map match-all NORMAL_CLASS
 match access-group 102
class-map match-all BAD_CLASS
 match access-group 103
Example CoPP Configuration – cont.
• Policy & Enabling CoPP
policy-map COPP_POL
 class ROUTING_CLASS
  police 1000000 50000 50000 conform-action transmit exceed-action transmit
 class MGMT_CLASS
  police 100000 5000 5000 conform-action transmit exceed-action drop
 class NORMAL_CLASS
  police rate 1000 pps burst 100
 class BAD_CLASS
  drop
control-plane
 service-policy input COPP_POL
Configuration Verification
show policy-map - Displays the contents of existing policy-maps
show policy-map control-plane - Displays the configuration and statistics for a traffic class or all traffic classes in the policy maps attached to the control-plane
show control-plane features - Displays configured control-plane features
10.07 Implement Cisco IOS Firewall
CBAC
• Cisco IOS Firewall = CBAC (Context-Based Access Control)
• Stateful monitoring
• Connection Table
• Firewall ACL Bypass (FAB) – the ACL is examined only if no connection entry is found
CBAC Connection Table (diagram)
CBAC features
• Generic TCP & UDP inspection
• Application-level inspection
• Special protocol handling – e.g. FTP
• Alerts notify about protocol violations or potential attacks
• Audit-trails are used for basic traffic accounting
• Alerts & Audit-trails appear as SYSLOG messages
CBAC Configuration
CBAC Configuration
• Create and apply an ACL, usually inbound: access-list ACL_nr permit|deny, ip access-group in|out
• Enable CBAC for particular protocols: ip inspect name name protocol [options]
• Apply CBAC to an interface: ip inspect name in|out
CBAC Configuration - Tuning
• General Tuning
ip inspect tcp synwait-time
ip inspect tcp idle-time
ip inspect udp idle-time
ip inspect dns-timeout
• Anti-DoS configuration
ip inspect max-incomplete high|low
ip inspect one-minute high|low
ip inspect tcp max-incomplete host
Example CBAC Configuration
ip access-list extended OUTSIDE_IN
 10 permit tcp any host 192.0.2.1 eq 80
 100 deny ip any any log
ip inspect name CBAC tcp alert on audit-trail on
ip inspect name CBAC http
ip inspect name CBAC icmp router-traffic
int F0/1
 ip access-group OUTSIDE_IN in
 ip inspect CBAC out
Configuration Verification
show ip inspect config - Displays the complete CBAC inspection configuration
show ip inspect interfaces - Displays the CBAC-related interface configuration
show ip inspect sessions - Displays existing sessions tracked and inspected by CBAC
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)
Cisco IOS IPS
• Sophisticated, signature-based security tool
• A signature is a distinctive characteristic that identifies something
• Inline detection sensor
• Single packets and entire sessions are scanned
• Cisco IOS IPS available actions are as follows:
 1. Send an alarm
 2. Drop the packet
 3. Reset the connection
 4. Deny the source or connection
Cisco IOS IPS Configuration
Cisco IOS IPS Configuration
• Decrypt the signature file (copy & paste): crypto key pubkey-chain rsa
• Create a directory for IPS files: mkdir flash:/dir_name
• Create an IPS rule: ip ips name rule_name
• Specify the location for the signatures: ip ips config location path
Cisco IOS IPS Configuration – cont.
• Retire/Enable signatures: ip ips signature-category, category cat_name, retired true|false
• Apply the IPS rule to an interface: ip ips rule_name in|out
• Compile and load the signatures: copy flash:/file_name.pkg idconf
Example Cisco IOS IPS Configuration
mkdir flash:/IPS_DIR
ip ips name IPS
ip ips config location flash:/IPS_DIR
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
int g0/1
 ip ips IPS in
copy flash:IOS-S258-CLI-kd.pkg idconf
Configuration Verification
show ip ips [config|signature] - Displays the IPS information
show ip ips category - Displays the IPS categories
6.09 Implement Secure Shell (SSH)
SSH
• Remote management protocol
• Replaces the Berkeley r-tools
• Version 2 is the most secure
• IOS boxes support both SSH server and client
• Used for Execution Shell (EXEC) access
SSH Mechanics
• SSH Server has one or two public keys:
 1. Host key (permanent)
 2. Server key (only used in SSHv1, changes hourly)
• Public key(s) are sent to the client
• Client caches the host key
• Client generates a random key (session key) which is encrypted using the public keys and sent back to the server. SSHv2 uses two „one-way” session keys
• Server decrypts this key and starts using it for data
SSH Configuration
SSH Configuration
• Define hostname and domain-name: hostname host_name, ip domain-name domain_name
• Generate the RSA key pair: crypto key generate rsa
• Configure the authentication database (e.g. local) and optionally restrict Remote Management traffic to SSH:
username ...
line 0 4
 login local
 transport input ssh
• Configure SSH version (optional): ip ssh version 1|2
Example SSH Configuration
hostname Europe
ip domain-name ipexpert.com
crypto key generate rsa
username ipexpert password ipexpert
line vty 0 4
 login local
ip ssh version 2
Configuration Verification
show ip ssh - Displays the version and configuration data for SSH
show ssh - Displays the status of SSH Server connections
6.10 Implement 802.1x
802.1x
• Port-level authentication mechanism
• Used along with RADIUS
• An unauthenticated port permits only three things:
 1. EAPoL frames
 2. CDP
 3. STP
• Extensible Authentication Protocol carries arbitrary authentication information
802.1x components
• Three primary 802.1x components/roles
• Supplicant (client) is an end device supporting 802.1x, for example a workstation or laptop
• Authenticator is a policy enforcer; examples are a Catalyst switch or a wireless access point
• Authentication server is a database supporting RADIUS, for example Cisco ACS
802.1x mechanics (diagram)
802.1x Configuration
802.1x Configuration
• Enable the AAA framework: aaa new-model
• Define an 802.1x method list: aaa authentication dot1x default group radius
• Enable the 802.1x framework: dot1x system-auth-control
• Define the RADIUS Server: radius-server host server_IP key key_string
• Specify which ports 802.1x should be running on: dot1x port-control auto | force-authorized | force-unauthorized
Example 802.1x Configuration
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 key ipexpert
dot1x system-auth-control
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
Configuration Verification
show dot1x [interface] [details] - Displays 802.1x statistics and status
6.11 Implement NAT
NAT
• Alleviates the problem of IPv4 exhaustion
• Modifies IP address and/or port number
• Confusing terminology
• Local addresses appear on the inside network
• Global addresses appear on the outside network
NAT local/global (diagrams)
NAT flavors & order of operations
• Static NAT - one-to-one mapping. A fixed translation slot is pre-created, allowing traffic to be initiated from the post-NAT side
• Dynamic NAT - each host gets a unique address from a defined pool, for the session’s duration
• PAT - a form of Dynamic NAT, however only a single IP address is used, in conjunction with source port numbers
• For packets flowing outside->inside, NAT happens first, then routing. For inside->outside, routing takes place first, then the NAT translation.
NAT Configuration
NAT Configuration
• General syntax for NAT: ip nat inside|outside source (or destination)
• NAT Pool (Dynamic NAT): ip nat pool pool_name
• Define the traffic which should be translated: access-list or route-map
• Mark internal and external networks: ip nat inside, ip nat outside
Example Static NAT Configuration #1
ip nat inside source static 10.1.1.1 172.16.1.1
int f0/0
 ip nat inside
int f0/1
 ip nat outside
Example Static NAT Configuration #1 (diagram)
Example Static NAT Configuration #1
Europe#show ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
icmp 172.16.1.1:15     10.1.1.1:15       192.0.2.1:15      192.0.2.1:15
---  172.16.1.1        10.1.1.1          ---               ---
Example Static NAT Configuration #2
ip nat outside source static 192.0.2.1 172.16.1.1
int f0/0
 ip nat inside
int f0/1
 ip nat outside
Example Static NAT Configuration #2 (diagram)
Example Static NAT Configuration #2
Europe#show ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
---  ---               ---               172.16.1.1        192.0.2.1
icmp 10.1.1.1:37       10.1.1.1:37       172.16.1.1:37     192.0.2.1:37
Example Dynamic NAT Configuration
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat pool NAT_POOL 172.16.1.1 172.16.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool NAT_POOL
int f0/0
 ip nat inside
int f0/1
 ip nat outside
Example PAT Configuration
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface f0/1 overload
int f0/0
 ip nat inside
int f0/1
 ip nat outside
Example NAT Load-Balancing Config
access-list 10 permit host 192.0.2.1
ip nat pool REAL_HOSTS_POOL 10.1.1.1 10.1.1.10 prefix-length 28 type rotary
ip nat inside destination list 10 pool REAL_HOSTS_POOL
int serial0
 ip nat outside
int f0/1
 ip nat inside
Configuration Verification
show ip nat translations - Displays active NAT translations
show ip nat statistics - Displays NAT statistics
6.12 Implement Routing Protocol Authentication
Routing Protocol Authentication
• Two authentication methods are available – clear text and MD5
• With MD5, a hash of the packet is created and embedded inside it
• The receiving router generates its own hash and compares the two
• If they are the same, the routing update is assumed to be trusted
• Protects against packet tampering
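The hash-and-compare mechanism described above, as an added Python example that is not part of the original slides. It is a simplified model, not the exact RIPv2, EIGRP or OSPF wire format: the sender appends MD5(update || key) to the update, the receiver looks the key up by its id in a key chain, checks the key's accept-lifetime, recomputes the hash and compares. The key chain, key strings, lifetimes and the routing update are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Simplified model of the mechanism on this slide, not the exact RIPv2/EIGRP/
# OSPF wire format: the sender appends MD5(update || key) and the receiver
# recomputes it. The key chain below is constructed for the example and
# mirrors `key chain ... key N key-string ... accept-lifetime`.
UTC = timezone.utc
KEY_CHAIN = {
    1: (b"ipexpert-old", datetime(2017, 1, 1, tzinfo=UTC), datetime(2017, 2, 1, tzinfo=UTC)),
    2: (b"ipexpert-new", datetime(2017, 1, 15, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC)),
}
DIGEST_LEN = 16   # MD5 output size in bytes


def keyed_md5(payload: bytes, key: bytes) -> bytes:
    return hashlib.md5(payload + key).digest()


def sign_update(payload: bytes, key_id: int, key_chain=KEY_CHAIN) -> bytes:
    """Build [key id][payload][digest]; the key id tells the receiver which key to use."""
    key = key_chain[key_id][0]
    return bytes([key_id]) + payload + keyed_md5(payload, key)


def verify_update(message: bytes, now: datetime, key_chain=KEY_CHAIN):
    """Return (accepted, payload).

    Rejects an unknown key id, a key outside its accept-lifetime, and any
    digest mismatch (which is what a tampered update produces).
    """
    if len(message) < 1 + DIGEST_LEN:
        return False, b""
    key_id = message[0]
    payload, digest = message[1:-DIGEST_LEN], message[-DIGEST_LEN:]
    if key_id not in key_chain:
        return False, payload
    key, start, end = key_chain[key_id]
    if not start <= now < end:
        return False, payload
    return hmac.compare_digest(digest, keyed_md5(payload, key)), payload


def demo():
    """Genuine, tampered and expired-key updates checked at a fixed time."""
    now = datetime(2017, 1, 20, tzinfo=UTC)
    update = b"10.1.1.0/24 metric 1"          # constructed routing update
    good = sign_update(update, 2)
    # Same length, one byte of the metric changed, original digest kept.
    tampered = good[:1] + b"10.1.1.0/24 metric 9" + good[-DIGEST_LEN:]
    return {
        "genuine": verify_update(good, now)[0],
        "tampered": verify_update(tampered, now)[0],
        "expired key": verify_update(sign_update(update, 1), datetime(2017, 3, 1, tzinfo=UTC))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The overlapping accept-lifetimes of key 1 and key 2 are what make a key rollover possible without dropping adjacencies: during the overlap a receiver still accepts updates signed with the old key. The comparison uses hmac.compare_digest so that it runs in constant time.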
Routing Protocol Authentication Configuration
RIP Authentication Configuration
• Define the authentication method: ip rip authentication mode text|md5
• Text password: ip rip authentication password
• For MD5 first create a key-chain:
key chain kchain
 key key_nr
  key-string key_string
  accept-lifetime
  send-lifetime
• Enable MD5 authentication: ip rip authentication key-chain kchain
EIGRP Authentication Configuration
• Only MD5 is supported with EIGRP: ip authentication mode eigrp AS md5
• Create a key-chain:
key chain kchain
 key key_nr
  key-string key_string
  accept-lifetime
  send-lifetime
• Enable MD5 authentication: ip authentication key-chain eigrp AS kchain
OSPF Authentication Configuration
• OSPF supports three types of authentication:
 1. Type 0 – Null authentication
 2. Type 1 – Clear text
 3. Type 2 – MD5
• Enabling OSPF authentication per-interface: ip ospf authentication
• Enabling OSPF authentication per-area & for a VL: area area_nr authentication, area area_nr virtual-link
• Configure the authentication key: ip ospf authentication-key, ip ospf message-digest-key
BGP Authentication Configuration
• Essentially one command: neighbor neighbor_IP_address password
• The hash is placed into the TCP header’s option 19
Example EIGRP Auth. Configuration
• Example EIGRP authentication
key chain KCHAIN
 key 1
  key-string ipexpert
interface F0/1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 KCHAIN
Configuration Verification
debug ip rip - Displays information on RIP routing transactions
show ip eigrp int detail - Displays information about EIGRP-configured interfaces
show key-chain - Displays authentication key information
show ip ospf interface - Displays information about OSPF-configured interfaces
show ip bgp neighbors - Displays information about BGP and TCP
6.13 Implement Device Access Control
Device Access Control
• Line password (password)
• Enable clear-text password (enable password)
• Password encryption (service password-encryption)
• Enable MD5 password (enable secret)
• Local database + Users (username secret)
• VTY Lines can use a VTY ACL (access-class nr in|out)
• Restricting connections (transport input/output)
Device Access Control Configuration
Device Access Control Examples
• Example #1
access-list 13 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 13 in
• Example #2
access-list 101 permit tcp any host 10.1.1.1 eq 22
line vty 0 4
 access-class 101 out
• Example #3
line vty 1
 transport input ssh
Configuration Verification
show line - Displays parameters of a terminal line
6.14 Implement Security Features
Security Features – Port Security
• Used to prevent certain attacks such as CAM table overflow or MAC address spoofing
• Two applications of this feature:
 1. Identify MACs and bind them to only a specific port
 2. Limit the number of MACs on a port
• Three ways to identify MACs:
 1. Static
 2. Dynamic
 3. Sticky
Security Features – Port Security
• A security violation occurs when:
 1. The maximum number of MACs has been reached and a new device tries to access the port
 2. One of the learned/configured MACs is seen on another interface in the same VLAN
• If a violation occurs, three actions are available:
 1. Shutdown the port (default action)
 2. Silently discard the frame (Protect Mode)
 3. Discard the frame, generate a Syslog message or an SNMP trap, increase the counter (Restrict Mode)
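The two violation triggers and three violation modes on this slide, as an added Python example that is not part of the original slides: a small model of secure ports on one switch that learns MACs up to the configured maximum, detects a secured MAC showing up on another port in the same VLAN, and applies shutdown, restrict or protect. Port names, MAC addresses and the message text that stands in for the syslog/SNMP notification are constructed for the example.

```python
# Constructed model of port security on a switch. Port names, MAC addresses
# and the notification text are made up; the behaviour follows the violation
# rules on this slide.
class SecurePort:
    def __init__(self, vlan, maximum=1, violation="shutdown", static_macs=()):
        self.vlan = vlan
        self.maximum = maximum
        self.violation = violation            # shutdown | protect | restrict
        self.secure_macs = set(static_macs)   # configured + dynamically learned
        self.status = "SecureUp"
        self.violation_count = 0
        self.messages = []                    # stands in for syslog / SNMP traps

    def violate(self, src_mac):
        """Apply the configured violation action; the frame is always dropped."""
        if self.violation == "shutdown":
            self.status = "SecureDown"        # err-disabled until recovered
            self.violation_count += 1
            self.messages.append(f"violation by {src_mac}: port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.messages.append(f"violation by {src_mac}: frame discarded")
        # protect: discard silently, no counter, no message
        return "drop"

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame sourced from src_mac."""
        if self.status == "SecureDown":
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamic learning up to the maximum
            return "forward"
        return self.violate(src_mac)          # rule 1: maximum reached, new MAC


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, port):
        self.ports[name] = port

    def receive(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.status == "SecureDown":
            return "drop"
        # Rule 2: a MAC secured on another port in the same VLAN is a violation
        # on the port where it now shows up.
        for other_name, other in self.ports.items():
            if other_name != port_name and other.vlan == port.vlan \
                    and src_mac in other.secure_macs:
                return port.violate(src_mac)
        return port.receive(src_mac)


def build_switch():
    """Three constructed ports: a static printer port and two dynamic ones."""
    sw = Switch()
    sw.add_port("Fa0/1", SecurePort(vlan=10, static_macs={"0022.1ab1.7013"}))
    sw.add_port("Fa0/2", SecurePort(vlan=10, maximum=2, violation="restrict"))
    sw.add_port("Fa0/3", SecurePort(vlan=10, violation="protect"))
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print(sw.receive("Fa0/2", "0022.1ab1.7013"))   # printer MAC on another port: drop
    print(sw.ports["Fa0/2"].violation_count, sw.ports["Fa0/2"].messages)
```

The restrict port keeps forwarding its legitimate hosts after a violation and only counts and reports; the shutdown port goes SecureDown and drops everything until recovered, which is the default and the noisiest option in practice.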
Port Security Configuration
• Works only on access or trunk ports: switchport mode access, switchport mode trunk
• Enable Port Security: switchport port-security
• Define the maximum number of MACs (one by default): switchport port-security maximum nr
• Define a violation mode: switchport port-security violation protect | restrict | shutdown
Example Port Security Configuration
• Example Port Security configuration
interface FastEthernet0/1
 description Printer
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0022.1ab1.7013
Configuration Verification
show port-security [interface] - Displays Port Security configuration and entries
Configuration Verification Example
Switch#show port-security int gigabitethernet0/1
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
Security Features – DHCP Snooping
• Used to inspect & filter DHCP packets
• Trusted ports should only connect to legitimate DHCP Servers or uplink ports toward them
• Untrusted ports are the remaining ones
• Trusted ports allow every DHCP packet
• Untrusted ports will block DHCP server-related messages such as DHCP OFFER, DHCP ACK or DHCP NAK
DHCP Snooping Message Validation
• DHCP packet validation on the untrusted interfaces:
 1. Server-related messages (DHCP OFFER, DHCP ACK and DHCP NAK) are dropped
 2. DHCP messages with a non-zero relay agent address or Option 82 are dropped
 3. DHCP RELEASE/DECLINE messages are verified so a host cannot release/decline addresses leased to other hosts
 4. In the DHCP DISCOVER messages the Client Hardware Identifier field must match the source MAC address of the frame (optional)
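The four untrusted-port checks on this slide, as an added Python example that is not part of the original slides: a message model with the fields the checks look at (message type, frame source MAC, chaddr, ciaddr, giaddr, Option 82) and a function that applies the rules in order, with trusted ports bypassing inspection and the MAC check switchable because the slide marks it optional. The binding table, addresses and port names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed DHCP message model and binding table; the checks are the four
# untrusted-port rules on this slide. MACs, IPs and port names are made up.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    msg_type: str            # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    src_mac: str             # Ethernet source address of the frame
    chaddr: str              # client hardware address field in the DHCP payload
    ciaddr: str = "0.0.0.0"  # client IP address (set in RELEASE/DECLINE)
    giaddr: str = "0.0.0.0"  # relay agent address
    option82: bool = False   # relay agent information option present


# Snooping database: ip -> (mac, interface, vlan), learned from trusted ports.
BINDINGS = {
    "10.0.120.11": ("0011.2233.4455", "Fa0/2", 120),
    "10.0.120.12": ("0011.2233.4466", "Fa0/3", 120),
}


def snoop(msg, ingress, trusted_ports, bindings=BINDINGS, verify_mac=True):
    """Return (forward, reason) for a DHCP message received on `ingress`."""
    if ingress in trusted_ports:
        return True, "trusted port, not inspected"
    if msg.msg_type in SERVER_MESSAGES:                       # rule 1
        return False, f"{msg.msg_type} from untrusted port {ingress}"
    if msg.giaddr != "0.0.0.0" or msg.option82:               # rule 2
        return False, "relay agent fields set on untrusted port"
    if msg.msg_type in ("RELEASE", "DECLINE"):                 # rule 3
        binding = bindings.get(msg.ciaddr)
        if binding is None or binding[0] != msg.src_mac or binding[1] != ingress:
            return False, f"{msg.msg_type} for {msg.ciaddr} not bound to this host/port"
    if verify_mac and msg.msg_type == "DISCOVER" and msg.chaddr != msg.src_mac:  # rule 4
        return False, "chaddr does not match frame source MAC"
    return True, "ok"


def run_samples():
    """Constructed traffic: (message, ingress port) pairs seen by the switch."""
    trusted = {"Gi0/1"}                                    # uplink to the DHCP server
    samples = [
        (DhcpMessage("OFFER", "0000.5e00.0001", "0011.2233.4455"), "Fa0/5"),   # rogue server
        (DhcpMessage("OFFER", "0000.5e00.0001", "0011.2233.4455"), "Gi0/1"),   # real server
        (DhcpMessage("DISCOVER", "0011.2233.4477", "0011.2233.4477"), "Fa0/5"),
        (DhcpMessage("DISCOVER", "0011.2233.4477", "0011.2233.4455"), "Fa0/5"),  # chaddr spoof
        (DhcpMessage("RELEASE", "0011.2233.4466", "0011.2233.4466", ciaddr="10.0.120.11"), "Fa0/3"),
        (DhcpMessage("RELEASE", "0011.2233.4455", "0011.2233.4455", ciaddr="10.0.120.11"), "Fa0/2"),
        (DhcpMessage("REQUEST", "0011.2233.4477", "0011.2233.4477", option82=True), "Fa0/5"),
    ]
    return [snoop(m, port, trusted)[0] for m, port in samples]


if __name__ == "__main__":
    print(run_samples())
```

The fifth sample is the one rule 3 exists for: a host on Fa0/3 trying to release the lease that the database shows belongs to the host on Fa0/2 is dropped, while the real owner's RELEASE on Fa0/2 goes through.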
DHCP Snooping Database •
Built based on DHCP assignments from trusted ports
•
Each database entry consists of : 1. Assigned IP address 2. MAC address 3. Lease time 4. Untrusted interface number 5. VLAN this interface belong to
•
Snooping bindings are created only for the untrusted ports
•
DHCP Snooping is used as a base component for other security features like IP Source Guard or DAI Rev. 1700
DHCP Snooping Configuration
• Enable it globally
ip dhcp snooping
• Enable it for a particular VLAN(s)
ip dhcp snooping vlan VLAN_nr
• Configure at least one trusted port
ip dhcp snooping trust
• Optionally, rate-limit the DHCP packets
ip dhcp snooping limit rate rate
Example DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 120
int f0/1
 ip dhcp snooping trust
Configuration Verification
show ip dhcp snooping - Displays DHCP Snooping configuration
show ip dhcp snooping binding [interface] - Displays the DHCP Snooping binding database
Security Features – DAI
• Dynamic ARP Inspection is used to validate ARP packets in the network (ingress packets only)
• Used to protect from MitM and ARP Spoofing attacks
• Mainly works based on the DHCP Snooping database, but manual bindings can also be configured
• Only the ARP packets reflecting one of the bindings will be allowed
• Some ports should be configured as DAI-trusted, which generally speaking disables the DAI feature on them
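How the snooping database feeds DAI, as an added example (not code from the slides or from IOS). The binding entry carries the five fields listed on the DHCP Snooping Database slide; the Arp/Binding classes, the port names and all traffic below are assumptions constructed for the example.

```python
"""DHCP snooping database feeding Dynamic ARP Inspection (added example).

Binding entries mirror the five fields the slides list. The class layouts,
interface names and sample traffic are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    lease: int          # seconds
    interface: str      # untrusted port the client sits on
    vlan: int


class SnoopingDb:
    """Bindings learnt from DHCP ACKs that a trusted server sent to clients."""

    def __init__(self):
        self.entries = {}                    # (vlan, ip) -> Binding

    def learn_ack(self, yiaddr, chaddr, lease, client_if, vlan, client_if_trusted):
        if client_if_trusted:                # no bindings for clients on trusted ports
            return None
        b = Binding(yiaddr, chaddr, lease, client_if, vlan)
        self.entries[(vlan, yiaddr)] = b
        return b

    def lookup(self, vlan, ip):
        return self.entries.get((vlan, ip))


@dataclass
class Arp:
    sender_ip: str
    sender_mac: str
    interface: str      # ingress port
    vlan: int


def dai_check(db, arp, trusted_ifaces, static_permits=()):
    """Validate an ingress ARP packet; returns (allowed, reason).

    `static_permits` plays the role of an `arp access-list` with permit
    entries of (sender_ip, sender_mac) for hosts that never use DHCP.
    """
    if arp.interface in trusted_ifaces:
        return True, "DAI-trusted port: not inspected"
    if (arp.sender_ip, arp.sender_mac) in static_permits:
        return True, "permitted by static ARP ACL"
    b = db.lookup(arp.vlan, arp.sender_ip)
    if b is None:
        return False, "no DHCP snooping binding for sender IP"
    if b.mac != arp.sender_mac:
        return False, "sender MAC differs from the MAC the address was leased to"
    if b.interface != arp.interface:
        return False, "ARP arrived on a different port than the binding"
    return True, "matches snooping binding"


def demo():
    """Constructed scenario: one leased host, one host claiming to be the
    gateway, one trusted uplink and one statically permitted printer."""
    db = SnoopingDb()
    # DHCP ACK seen leaving trusted uplink f0/1 toward a client on untrusted f0/2
    db.learn_ack("10.1.1.10", "000a.000a.000a", 86400, "f0/2", 120, client_if_trusted=False)
    trusted = {"f0/1"}
    statics = {("10.1.1.20", "0020.0020.0020")}   # printer without DHCP
    cases = {
        "legit_host": Arp("10.1.1.10", "000a.000a.000a", "f0/2", 120),
        "gateway_claim_from_access_port": Arp("10.1.1.1", "00bb.00bb.00bb", "f0/3", 120),
        "lease_holder_ip_wrong_mac": Arp("10.1.1.10", "00bb.00bb.00bb", "f0/3", 120),
        "uplink_trusted": Arp("10.1.1.1", "0001.0001.0001", "f0/1", 120),
        "static_printer": Arp("10.1.1.20", "0020.0020.0020", "f0/4", 120),
    }
    return {k: dai_check(db, a, trusted, statics)[0] for k, a in cases.items()}
```

The port comparison is what makes a binding stronger than a plain IP-to-MAC table: even a correct IP/MAC pair is rejected if it shows up on a port other than the one the lease was learnt on.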
Dynamic ARP Inspection Configuration
• Per Layer 2 domain configuration
ip arp inspection vlan VLAN_nr
• Optionally, configure a trusted port
ip arp inspection trust
• Remember that DHCP Snooping is a pre-requisite unless manual bindings have been configured (e.g. in a non-DHCP environment)
• Manual bindings
arp access-list ARP_ACL_name
 permit|deny ip [host] IP_addr mac [host] MAC_addr
ip arp inspection filter ARP_ACL_name vlan VLAN_nr
Example DAI Configuration
int f0/1
 ip arp inspection trust
ip arp inspection vlan 120
Configuration Verification
show ip arp inspection [interfaces|vlan] – Displays configuration and state of DAI
End of Section 6.0
IPexpert’s CCIE R&S Written VoD Series 7.0 Implement Network Services
7.01 Implement Hot Standby Routing Protocol (HSRP)
7.03 Implement Virtual Router Redundancy Protocol (VRRP)
HSRP & VRRP
• Both are examples of First Hop Redundancy Protocols (FHRP), which provide redundant gateways
• Virtual IP Address (VIP) is configured as a gateway
• Only one physical device is active within a group
• Active/Standby (HSRP)
• Master/Backup (VRRP)
• Higher priority device becomes the primary unit
• If priorities are the same, higher IP address wins
HSRP/VRRP
HSRP
• Cisco proprietary
• HSRP Hello packets are sent to multicast address 224.0.0.2 over UDP port 1985
• Virtual MAC in form of 0000.0C07.ACxy, where xy is the HSRP group number in hex
• For example, HSRP group #1 uses 0000.0C07.AC01
• Active/Standby
• Preemption disabled by default
VRRP
• Industry Standard
• VRRP packets are sent to multicast address 224.0.0.18 using the IP protocol number 112
• Virtual MAC in form of 0000.5e00.01xy, where xy is the VRRP group number in hex
• For example, VRRP group #10 uses 0000.5e00.010A
• Master/Backup
• Preemption enabled by default
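The virtual MAC formats and the election rule from the two slides above, as an added example (not code from the slides). Besides deriving the MAC for a group it classifies a MAC seen in a capture, which is the direction a defender usually needs when reviewing who is answering for the gateway. The function names are this example's own.

```python
"""HSRP/VRRP virtual MAC derivation, recognition and election (added example).

Uses the MAC layouts stated on the slides (HSRPv1 0000.0c07.acXX, VRRP
0000.5e00.01XX) and the election rule: higher priority, ties to higher IP.
"""
import ipaddress

HSRP_V1_PREFIX = "00000c07ac"     # hex digits; last byte is the group number
VRRP_PREFIX = "00005e0001"        # hex digits; last byte is the VRID


def _hexdigits(mac):
    """Normalise 0000.0c07.ac01 / 00:00:0c:07:ac:01 / 00-00-... to 12 hex digits."""
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")


def hsrp_vmac(group):
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_vmac(group):
    if not 1 <= group <= 255:
        raise ValueError("VRRP group (VRID) must be 1-255")
    return f"0000.5e00.01{group:02x}"


def identify_vmac(mac):
    """Classify a source MAC: ("HSRP", group), ("VRRP", group) or None.

    Handy when checking which device is sourcing gateway traffic in a capture.
    """
    h = _hexdigits(mac)
    if len(h) != 12:
        return None
    if h.startswith(HSRP_V1_PREFIX):
        return "HSRP", int(h[10:], 16)
    if h.startswith(VRRP_PREFIX):
        return "VRRP", int(h[10:], 16)
    return None


def elect(routers):
    """routers: list of (ip, priority). Highest priority wins; ties go to the
    numerically higher IP address (compared as addresses, not as strings)."""
    return max(routers, key=lambda r: (r[1], int(ipaddress.ip_address(r[0]))))[0]
```

Note the tie-break compares addresses numerically: "10.1.1.10" beats "10.1.1.9", which a string comparison would get wrong.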
HSRP & VRRP Common Features
• Preemption
• Object Tracking
• MD-5 Authentication
• No inherent Load-Balancing functionality
HSRP/VRRP Configuration
HSRP/VRRP Configuration
• HSRP VIP
standby group_nr ip
• HSRP Priority
standby group_nr priority
• HSRP Tracking
standby group_nr track track_obj|interface_name [decrement]
• HSRP Preemption
standby group_nr preempt
• VRRP
vrrp …
Example HSRP Configuration
Router 1 :
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.100
 standby 1 track Serial0
 standby 1 preempt
 standby 2 ip 10.1.1.200
 standby 2 track serial 0
 standby 2 preempt
 standby 2 priority 95
Example HSRP Configuration cont.
Router 2 :
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.100
 standby 1 track Serial0
 standby 1 preempt
 standby 1 priority 95
 standby 2 ip 10.1.1.200
 standby 2 track serial 0
 standby 2 preempt
Configuration Verification
show standby [brief] - Displays HSRP information
show vrrp [brief] - Displays VRRP information
7.02 Implement Gateway Load Balancing Protocol
GLBP
• Another FHRP
• Similar function to HSRP/VRRP
• Provides true load-balancing
• GLBP Hellos are sent every 3 seconds
• Packets are sent to 224.0.0.102 over UDP port 3222
GLBP Active Virtual Gateway
• One AVG per GLBP Group
• AVG is chosen based on the Priority value (the higher the better). In case of ties the higher IP address wins
• All other devices act as Backup Virtual Gateways
• Assigns Virtual MAC addresses to the group members
• Each group member (gateway or AVF) is responsible for forwarding packets destined to the assigned Virtual MAC
• AVG can become a gateway (AVF) as well
GLBP Active Virtual Forwarder
• Responsible for actual traffic forwarding
• All AVFs back each other up
• If an AVF fails, the device with the highest weight takes over
• This new Primary device starts forwarding traffic for two Virtual MACs
• A Backup Virtual Forwarder cannot become Active before a delay timer expires – by default 30 seconds (glbp forwarder preempt delay minimum)
GLBP Load Balancing
• Load Balancing is actually accomplished by the AVG
• Based on Virtual MAC assignments
• Three Load Balancing methods are available :
1. Round Robin – VMACs are assigned sequentially
2. Weighted – VMACs are assigned proportionally to the configured weights
3. Host-dependent – Guarantees a host the same VMAC as long as the number of GLBP members is the same
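The AVG election, virtual MAC assignment, AVF takeover and the three load-balancing methods from the GLBP slides, as an added example (not code from the slides or from IOS). Member records, the CRC32 used for host-dependent hashing and the simulated hosts are assumptions for the example; the virtual MAC layout 0007.b400.GGFF (group, forwarder number) follows the `show glbp` output shown later in this section.

```python
"""GLBP AVG election, vMAC assignment and load balancing (added example).

Assumptions: members are dicts with ip/priority/weight; vMACs follow the
0007.b400.GGFF pattern from the slide's `show glbp` output; host-dependent
assignment hashes the host MAC with CRC32. Not the IOS implementation.
"""
import ipaddress
import zlib
from fractions import Fraction


def _ip_key(ip):
    return int(ipaddress.ip_address(ip))


class GlbpGroup:
    def __init__(self, group, members, method="round-robin"):
        if not 1 <= len(members) <= 4:
            raise ValueError("GLBP supports up to four forwarders per group")
        # AVG: highest priority, ties broken by highest IP address
        ranked = sorted(members, key=lambda m: (m["priority"], _ip_key(m["ip"])), reverse=True)
        self.avg = ranked[0]["ip"]
        self.method = method
        self.weight = {m["ip"]: m["weight"] for m in members}
        # the AVG hands out one virtual MAC per member (every member is an AVF)
        self.owner = {f"0007.b400.{group:02x}{i:02x}": m["ip"] for i, m in enumerate(members, 1)}
        self.vmacs = list(self.owner)
        self.rr_index = 0
        self.served = {v: 0 for v in self.vmacs}      # replies handed out per vMAC

    def active_forwarder(self, vmac):
        """Member currently forwarding for a vMAC (its owner, or the taker-over)."""
        return self.owner[vmac]

    def fail(self, ip):
        """An AVF goes away: the member with the highest weight takes over its
        vMAC, so one device now forwards for two virtual MACs."""
        del self.weight[ip]
        successor = max(self.weight, key=lambda m: (self.weight[m], _ip_key(m)))
        for vmac, o in self.owner.items():
            if o == ip:
                self.owner[vmac] = successor

    def reply_to_arp(self, host_mac):
        """The vMAC the AVG places in its ARP reply to `host_mac`."""
        if self.method == "round-robin":
            vmac = self.vmacs[self.rr_index % len(self.vmacs)]
            self.rr_index += 1
        elif self.method == "weighted":
            # the vMAC whose forwarder is furthest below its weighted share
            vmac = min(self.vmacs, key=lambda v: Fraction(self.served[v], self.weight[self.owner[v]]))
        elif self.method == "host-dependent":
            # same host -> same vMAC while the member count is unchanged
            vmac = self.vmacs[zlib.crc32(host_mac.encode()) % len(self.vmacs)]
        else:
            raise ValueError(f"unknown method {self.method}")
        self.served[vmac] += 1
        return vmac

    def simulate(self, n):
        """Answer n ARP requests from distinct hosts; returns {forwarder ip: replies}."""
        counts = {}
        for i in range(n):
            fwd = self.active_forwarder(self.reply_to_arp(f"host-{i:04x}"))
            counts[fwd] = counts.get(fwd, 0) + 1
        return counts
```

With weights 100 and 50 the weighted method hands two thirds of the hosts to the first forwarder; after `fail()` both vMACs resolve to the survivor, which is the "two Virtual MACs" case on the AVF slide.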
GLBP Load Balancing
GLBP Configuration
GLBP Configuration
• Virtual IP Address
glbp group_nr ip
• Priority and Preemption
glbp group_nr priority
glbp group_nr preempt
• Load-Balancing Method
glbp group_nr load-balancing
• Weighting and Tracking
glbp group_nr weighting [lower] [higher]
glbp group_nr weighting track obj_nr
• Track Object
track obj_nr interface if_name line-protocol|ip routing
Example GLBP Configuration
track 1 interface S0/1 line-protocol
int f0/0
 gl​bp 1 ip 10.1.1.254
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 load-balancing weighted
 glbp 1 weighting 50
 glbp 1 weighting track 1 decrement 50
Configuration Verification
show glbp [brief] - Displays GLBP information
Configuration Verification Example
R2#sh glbp
Ethernet0/0 - Group 1
  State is Standby
    7 state changes, last state change 00:00:59
  Virtual IP address is 10.1.1.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.528 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled
  Active is 10.1.1.1, priority 110 (expires in 9.560 sec)
  Standby is local
  Priority 100 (default)
  Weighting 10 (configured 10), thresholds: lower 1, upper 10
  Load balancing: weighted
  Group members:
    aabb.cc00.0100 (10.1.1.2) local
    aabb.cc00.0200 (10.1.1.1)
Configuration Verification Example cont.
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:59:30
    MAC address is 0007.b400.0101 (default)
    Owner ID is aabb.cc00.0100
    Preemption enabled, min delay 30 sec
    Active is local, weighting 10
  Forwarder 2
    State is Listen
      4 state changes, last state change 00:01:09
    MAC address is 0007.b400.0102 (learnt)
    Owner ID is aabb.cc00.0200
    Time to live: 14399.532 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.1 (primary), weighting 50 (expires in 9.532 sec)
7.04 Implement Network Time Protocol (NTP)
NTP
• Responsible for time synchronization
• Time source (authoritative NTP server) is usually a radio/atomic clock (and it resides in Stratum 1)
• NTP transactions are made over a polling interval, which ranges from 64 to 1024 seconds
• Stratum defines how „far” away the authoritative NTP source is
• Lowest-stratum devices are preferred
• NTP packets are sent over UDP port 123
NTP Associations
• Association is a „session” between two NTP devices
• Three types of NTP association are available :
1. Client-Server – client requests, server replies
2. Symmetric Active/Passive – provides mutual synchronization. Also called NTP peers
3. Broadcast/Multicast – simplifies deployments
NTP Authentication
• Should always be configured for security reasons
• Authenticates the time source, not the client
• NTP Servers or Peers should be authenticated
• NTP uses MD5 Authentication
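What the MD5 authentication on this slide actually computes, as an added example (not code from the slides or from IOS). It follows the classic NTP symmetric-key scheme: the authenticator appended to the 48-byte header is a 4-byte key id followed by MD5(key || header). The client side mirrors the three commands from the configuration slides: a key table (`ntp authentication-key`), the set of trusted ids (`ntp trusted-key`) and the check itself (`ntp authenticate`). The key id, key string and header contents are constructed values.

```python
"""NTP symmetric-key MD5 authentication (added example, not IOS code).

Server appends keyid || MD5(key || header); the client recomputes it with a
key it has marked as trusted. Key material and header fields are constructed.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
AUTH_LEN = 4 + 16          # key id + MD5 digest


def build_header(stratum, mode=4, poll=6, precision=-20):
    """Minimal NTPv4 header (timestamps zeroed) for the example; mode 4 = server."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, poll, precision) + b"\x00" * 44


def ntp_mac(key, header):
    """Keyed digest over key || header, as the classic NTP MD5 scheme does."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Server side: what `ntp authentication-key key_id md5 key` makes it append."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(packet, trusted_keys):
    """Client side: `ntp authenticate` with `ntp trusted-key` ids.

    trusted_keys: {key_id: key bytes}, containing only ids marked trusted.
    Returns (ok, reason). A reply without an authenticator is rejected.
    """
    if len(packet) != HEADER_LEN + AUTH_LEN:
        return False, "no authenticator present"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key"
    if not hmac.compare_digest(mac, ntp_mac(key, header)):
        return False, "MAC mismatch: packet altered or wrong key"
    return True, "authenticated"
```

Because the digest covers the whole header, a reply whose stratum or timestamps were changed in transit fails the check, and a reply signed under a key id the client never trusted is refused even if the key material happens to match. This authenticates the source, which is the point the slide makes; it does not hide the packet contents.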
NTP Configuration
NTP Configuration
• NTP Server
ntp master stratum
• NTP Client
ntp server IP_address [key key_nr]
ntp peer IP_address [key key_nr]
• Source Interface
ntp source if_name
• Authentication
ntp authentication-key key_nr md5 password
ntp trusted-key key_nr
ntp authenticate
Example NTP Configuration #1
• NTP Server
ntp master 2
ntp source loopback 1
ntp authentication-key 1 md5 ipexpert
• NTP Client
ntp authentication-key 1 md5 ipexpert
ntp trusted-key 1
ntp authenticate
ntp server 10.1.1.1 key 1
Example NTP Configuration #2
• Symmetric Active Mode
• R1
ntp master
ntp peer 10.1.1.2
• R2
ntp peer 10.1.1.1
Configuration Verification
show ntp status - Displays status of NTP
show ntp associations - Displays status of NTP associations
7.05 Implement DHCP
DHCP
• Based on the older BOOTP protocol
• Client-Server architecture
• Not only IP addresses can be assigned
• Other configuration parameters include, but are not limited to, DNS Server and the default gateway
DHCP Structure
• Major networks form a root
• Subnetworks form branches
• Manual bindings form leaves
• Parameters not configured in a pool are inherited from its parent
• The DHCP pool is selected based on the IP subnet assigned to an interface
DHCP Operations
• DHCP Operations :
1. (C) DHCP Discover
2. (S) DHCP Offer
3. (C) DHCP Request
4. (S) DHCP ACK or DHCP NAK
• Client -> Server messages are sent over UDP port 67
• Server -> Client messages are sent over UDP port 68
DHCP remaining messages
• (S) DHCP NAK – refuses the requested parameters
• (C) DHCP DECLINE – IP address is already used
• (C) DHCP RELEASE – returns the assigned IP address
• (C) DHCP INFORM – request for local parameters
DHCP Relay Agent
• DHCP Relay Agent forwards DHCP packets between DHCP Clients and a DHCP Server
• The forwarded packet is a unicast
• Used when clients are located off the server’s network
• The special GIADDR field is used to choose the pool
• To configure it, use the ip helper-address command
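The pool tree from the DHCP Structure slide and the GIADDR-based selection from this slide, as an added example (not code from the slides or from IOS). Pool names and addresses are taken from the example configuration later in this section; the Pool/DhcpServer classes and the relay addresses used in the checks are assumptions for the example.

```python
"""DHCP pool tree, parameter inheritance and pool selection (added example).

Selection uses GIADDR for relayed requests and the receiving interface's
address otherwise; the most specific matching pool wins. Parameters missing
from a pool are inherited from enclosing pools. Not the IOS implementation.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    params: dict = field(default_factory=dict)     # default-router, dns-server, ...


class DhcpServer:
    def __init__(self):
        self.pools = []

    def add_pool(self, name, network, **params):
        self.pools.append(Pool(name, ipaddress.ip_network(network), params))

    def select_pool(self, giaddr, interface_ip):
        """Relayed requests (non-zero GIADDR) pick the pool by the relay's
        address; directly connected clients by the receiving interface's
        subnet. Longest prefix wins; None means no pool covers the client."""
        selector = ipaddress.ip_address(giaddr if giaddr != "0.0.0.0" else interface_ip)
        matches = [p for p in self.pools if selector in p.network]
        return max(matches, key=lambda p: p.network.prefixlen, default=None)

    def effective_params(self, pool):
        """Merge from the root down to the leaf, so a child's own settings
        override what it inherits from its parents."""
        chain = sorted((p for p in self.pools if pool.network.subnet_of(p.network)),
                       key=lambda p: p.network.prefixlen)
        merged = {}
        for p in chain:
            merged.update(p.params)
        return merged


def build_example():
    """The two pools from the example configuration in this section."""
    s = DhcpServer()
    s.add_pool("ENTIRE_POOL", "10.1.0.0/16", **{"domain-name": "ipexpert.com"})
    s.add_pool("VLAN1_POOL", "10.1.1.0/24", **{
        "default-router": "10.1.1.1",
        "dns-server": ["10.1.1.50", "10.1.1.51"],
        "lease": "0 12",
    })
    return s
```

A request relayed from 10.1.1.1 lands in VLAN1_POOL and still receives the domain name configured only on the parent; a request relayed from an address no pool covers gets nothing, which is the situation a NAK answers.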
DHCP Configuration
DHCP Configuration
• Define a DHCP Pool
ip dhcp pool
• Specify the address range
network network
• Default Gateway, Domain-Name, DNS Server
default-router IP_addr
domain-name
dns-server IP_addr1 IP_addr2 …
• DHCP Lease
lease days hours minutes
• Excluded addresses (global command)
ip dhcp excluded-address IP_addr1 IP_addr2 …
Example DHCP Configuration
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.1.1.50 10.1.1.51
ip dhcp pool ENTIRE_POOL
 network 10.1.0.0 /16
 domain-name ipexpert.com
ip dhcp pool VLAN1_POOL
 network 10.1.1.0 /24
 default-router 10.1.1.1
 dns-server 10.1.1.50 10.1.1.51
 lease 0 12
Example DHCP Configuration #2
• Windows manual binding
ip dhcp pool WINDOWS_POOL
 network 10.1.1.0/24
 host 10.1.1.1 255.255.255.0
 client-identifier 0100.1234.5678.12
• Linux manual binding
ip dhcp pool LINUX_POOL
 network 10.1.1.0/24
 host 10.1.1.1 255.255.255.0
 hardware-address 0012.3456.7812
Configuration Verification
show ip dhcp pool - Displays the information about DHCP address pools
show ip dhcp database - Displays DHCP Server database location
show ip dhcp binding - Displays DHCP Server address bindings
7.06 Implement Web Cache Communication Protocol (WCCP)
WCCP
• Used for communication with Content Engines
• Frequently accessed content can be retrieved locally
• Reduces bandwidth utilization on WAN links
• Fully transparent to the users
WCCP Redirection
WCCP versions
• There are two WCCP versions – 1 and 2
• In WCCP version 1 only one router can redirect the traffic
• Only HTTP traffic is supported (TCP 80)
• In WCCP version 2 multiple routers can be configured
• Provides redirection of packets other than HTTP, for example FTP, Real Audio, HTTP on a non-default port
• Multicast and MD5 authentication are supported as well
WCCP Configuration
WCCP Configuration
• Select an interface and configure redirection
interface if_name
 ip wccp web-cache redirect in|out
• Exclude some traffic from being redirected
access-list nr
ip wccp web-cache redirect-list nr
• Exclude ALL traffic
ip wccp redirect exclude in
• WCCP Version 2
ip wccp version 2
ip wccp web-cache group-address IP_addr [redirect-list ACL_nr] [group-list ACL_nr]
ip wccp web-cache group-listen
Example WCCP Configuration
Example WCCP Configuration
ip wccp web-cache redirect in
Example WCCP Configuration
ip wccp web-cache redirect out
Example WCCP Configuration
ip wccp web-cache redirect out
ip wccp redirect exclude in
Example WCCP Configuration #1
int f0/0
 ip wccp web-cache redirect in
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip any any
ip wccp web-cache redirect-list 101
Example WCCP Configuration #2
ip wccp version 2
access-list 1 permit host 10.1.1.1
access-list 2 permit 192.168.0.0 0.0.0.255
ip wccp web-cache group-address 224.0.2.100 redirect-list 2 group-list 1
int f0/0
 ip wccp web-cache redirect in
 ip wccp web-cache group-listen
Configuration Verification
show ip wccp - Displays the WCCP configuration and statistics
End of Section 7.0
IPexpert’s CCIE R&S Written VoD Series 8.0 Implement Quality of Service (QoS)
8.01 Implement Modular QoS CLI (MQC)
8.04 Implement Generic Traffic Shaping
Introduction to QoS
• Quality of Service (QoS) is a technique used to provide better service to selected network traffic
• Network traffic can be characterized by three parameters :
1. Delay (latency) – how long it takes for a packet to get to a particular destination
2. Jitter – delay variation
3. Packet loss – the amount of dropped packets
MQC Framework
• MQC (Modular QoS CLI) is a framework used to configure QoS
• Replaces most of the legacy QoS commands
• Using Modular Quality of Service CLI is a three-step process :
1. Classifying the traffic (class-map)
2. Defining a QoS tool/action (policy-map)
3. Enabling QoS (service-policy)
Classification & Marking
• Classification identifies a specific traffic flow
• Marking is a way to mark identified packet flows so they can be easily differentiated from each other
• Classification without marking is said to be on a per-hop basis (resource intensive)
• Packets that are marked can be further easily classified end-to-end (based on the marking)
• Traffic can be classified using access-lists, ToS value, input interface, MAC address, QoS group, NBAR and a couple of other methods
NBAR
• NBAR (Network-Based Application Recognition) classifies packets based on their payload, up to the application layer
• An example may be classifying HTTP traffic based on URL or MIME Type
• NBAR can also be used to discover the protocols that are running in the network
Marking Methods
• Marking can be performed in Layer 2 or Layer 3
• Layer 3 marking is end-to-end
• Layer 2 fields used for marking include the Frame Relay DE bit, CoS (trunks only) and EXP (MPLS)
• The only Layer 3 field used for marking is Type of Service (ToS)
• Type of Service can be logically divided into IP Precedence and DSCP
IP Precedence
Differentiated Services Code Point
Per-Hop Behaviors (PHBs)
• PHB is a suggested DSCP value (or set of DSCP values) that corresponds to a recommended QoS behavior :
1. Default – used for Best Effort traffic. The three most significant DSCP bits are set to 0
2. Class Selector – provides backward compatibility with IP Precedence. The three least significant DSCP bits are set to 0
3. Assured Forwarding (AF) – defines four classes, each with three drop probability levels inside. The format for this PHB is AFxy where x is the class/queue number and y is the drop probability. To convert AFxy to the decimal DSCP value use the 8x + 2y formula
4. Expedited Forwarding (EF) – describes low-latency, low-loss and assured bandwidth service (such as Voice). EF is always DSCP 46
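The PHB arithmetic from this slide in working code, as an added example (not from the slides): the 8x + 2y rule, the Class Selector and EF code points, naming an arbitrary DSCP value, and the relation between DSCP, IP Precedence and the ToS byte a packet actually carries. It goes a little beyond the slide by also parsing IOS-style names such as af41 or cs3.

```python
"""DSCP / PHB arithmetic (added example, not from the slides)."""


def af_to_dscp(x, y):
    """Assured Forwarding class x (1-4), drop precedence y (1-3) -> DSCP = 8x + 2y."""
    if not (1 <= x <= 4 and 1 <= y <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * x + 2 * y


def cs_to_dscp(n):
    """Class Selector n (0-7): the IP Precedence bits with the low three bits zero."""
    if not 0 <= n <= 7:
        raise ValueError("CS value must be 0-7")
    return n << 3


def phb_name(dscp):
    """Name the PHB a 6-bit DSCP value belongs to."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "Default"                   # best effort (CS0)
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"
    x, y, odd = dscp >> 3, (dscp & 0b111) >> 1, dscp & 1
    if 1 <= x <= 4 and 1 <= y <= 3 and not odd:
        return f"AF{x}{y}"
    return f"DSCP {dscp}"                  # not a standard PHB code point


def ip_precedence(dscp):
    """The three most significant ToS bits, which IP Precedence devices read."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """The 8-bit ToS/DS field as it appears on the wire: DSCP << 2 | ECN."""
    return (dscp << 2) | (ecn & 0b11)


def parse_dscp_name(name):
    """Accept IOS-style names (af41, cs3, ef, default) or a decimal value."""
    n = name.strip().lower()
    if n == "ef":
        return 46
    if n == "default":
        return 0
    if n.startswith("af") and len(n) == 4:
        return af_to_dscp(int(n[2]), int(n[3]))
    if n.startswith("cs") and len(n) == 3:
        return cs_to_dscp(int(n[2]))
    return int(n)
```

`set dscp 34` in the marking example later in this section is AF41 (8·4 + 2·1); on the wire that packet carries ToS 0x88, and an IP Precedence-only device reads it as precedence 4.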
Classification & Marking Configuration
Classification & Marking Configuration
• Classification
class-map match-any|match-all class_name
 match access-group
 match fr-dlci
 match source-address mac
 match destination-address mac
 match cos
 match dscp
 match precedence
 match any
• NBAR
 match protocol protocol_name
 match protocol kazaa
 match protocol http url *video*
 match protocol http host ipexpert*
Classification & Marking Configuration
• Marking
policy-map policy_name
 set cos
 set dscp
 set precedence
 set fr-de
 set qos-group
• Apply the QoS Policy
interface if_name
 service-policy policy_name
Example Marking Configuration
access-list 100 permit tcp any any eq 22
class-map SSH_CLASS
 match access-group 100
class-map VOICE_CLASS
 match protocol rtp audio
policy-map MARKING_POL
 class SSH_CLASS
  set dscp 34
 class VOICE_CLASS
  set dscp ef
 class class-default
  set precedence 0
int f0/0
 service-policy input MARKING_POL
Configuration Verification
show class-map - Displays all class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
Congestion Management (Queuing)
Queuing
• Queuing identifies how traffic from multiple streams is sent out of an interface that is currently experiencing congestion
• No congestion means that no queuing is required
• Congestion management on IOS Routers works only outbound; the configuration is applied to the physical interface
• There are two types of queues :
Software Queue – controlled by QoS. For example CBWFQ or LLQ
Hardware Queue – not manageable (you can change its length, though). Always FIFO. Also known as TxRing
CBWFQ
• Class-Based Weighted Fair Queuing (CBWFQ) is used to configure minimum bandwidth for a class
• During congestion, a particular class receives at least a Class-Configured_BW/Interface_BW share
• Interface bandwidth is derived from the well-known interface-level bandwidth command
• Class-Configured_BW is what you configure under a class (using the same bandwidth statement)
• Upper bandwidth for a class is NOT limited – if some queues need less bandwidth during the congestion, the remaining part is proportionally allocated to other classes
CBWFQ – cont.
• Bandwidth reservation is limited to 75% of the interface bandwidth by default (max-reserved-bandwidth)
• There are three ways to allocate bandwidth in CBWFQ :
1. bandwidth – absolute value, in kbps
2. bandwidth percent – allocates a percentage of the interface-level bandwidth (bandwidth)
3. bandwidth remaining percent – reserves a percentage of the bandwidth that is left (after the priority, bandwidth and bandwidth percent commands)
• The first two options cannot be mixed within the same policy-map
CBWFQ – Example
• We assume the interface-level bandwidth is configured to 200Kbps
• CBWFQ calculations are as follows :
Option #1 „bandwidth 100” reserves 100Kbps
Option #2 „bandwidth percent 60” reserves 60%*200Kbps = 120Kbps
• Now if another class is added and configured with „bandwidth remaining percent 40”, it will receive the following allocation :
For #1 40%*(75%*200-100)Kbps = 20Kbps
For #2 40%*(75%*200-120)Kbps = 12Kbps
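The calculation on this slide and the rules from the two CBWFQ slides before it, as an added example (not code from the slides or from IOS). It reproduces the 100/20 and 120/12 kbps figures and also enforces the two constraints the slides state: the 75% reservable ceiling and the ban on mixing `bandwidth` with `bandwidth percent` in one policy-map. The list-of-tuples policy representation is an assumption for the example.

```python
"""CBWFQ bandwidth arithmetic (added example, not the IOS implementation).

Policy representation assumed here: [(class_name, keyword, value)] where
keyword is 'priority', 'bandwidth', 'bandwidth percent' or
'bandwidth remaining percent' (values in kbps or percent respectively).
"""
from fractions import Fraction

ABSOLUTE_FORMS = ("bandwidth", "bandwidth percent")


def allocate(interface_kbps, classes, max_reserved_pct=75):
    """Return {class: guaranteed kbps under congestion}.

    Explicit reservations (priority, bandwidth, bandwidth percent) come out
    of the reservable share first; 'remaining percent' classes then split
    whatever of that share is left.
    """
    forms = {kw for _, kw, _ in classes if kw in ABSOLUTE_FORMS}
    if len(forms) > 1:
        raise ValueError("bandwidth and bandwidth percent cannot be mixed in one policy-map")
    reservable = Fraction(max_reserved_pct, 100) * interface_kbps
    alloc, explicit = {}, Fraction(0)
    for name, kw, value in classes:
        if kw in ("priority", "bandwidth"):
            alloc[name] = Fraction(value)
        elif kw == "bandwidth percent":
            alloc[name] = Fraction(value, 100) * interface_kbps
        else:
            continue
        explicit += alloc[name]
    if explicit > reservable:
        raise ValueError(f"{float(explicit)} kbps requested, only {float(reservable)} kbps reservable")
    remaining = reservable - explicit
    for name, kw, value in classes:
        if kw == "bandwidth remaining percent":
            alloc[name] = Fraction(value, 100) * remaining
    return {k: float(v) for k, v in alloc.items()}


def slide_example():
    """Both options from the slide on a 200 kbps interface."""
    opt1 = allocate(200, [("A", "bandwidth", 100), ("B", "bandwidth remaining percent", 40)])
    opt2 = allocate(200, [("A", "bandwidth percent", 60), ("B", "bandwidth remaining percent", 40)])
    return opt1, opt2
```

Exact fractions are used so that percent-of-percent calculations do not drift; the result is only converted to float at the end.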
LLQ
• Low Latency Queuing (LLQ) is essentially CBWFQ extended by a priority queue
• The LLQ class will always be serviced before any other class, up to its configured bandwidth (the LLQ queue is policed)
• Perfect queuing mechanism for Voice & Video packets
• Bandwidth for the LLQ class is reserved using the priority command
• Multiple classes can be configured as LLQ, but only one single priority queue exists
• Class-default is the catch-all queue that runs WFQ
MDRR
• Modified Deficit Round Robin (MDRR) uses seven normal queues and one priority queue (PQ)
• MDRR keeps track of extra bytes sent for each queue and adjusts how many bytes can be sent in subsequent rounds
• There are two modes of the MDRR priority queue :
1. Strict Priority – PQ is always emptied first
2. Alternate Priority – PQ will be served between normal queues. For example, if 0 is the PQ, queues will be served as follows : 0, 1, 0, 2, 0, 3 ...
• Each MDRR queue uses two variables – Quantum Value (number of bytes that can be sent per round) and Deficit Counter (number of extra bytes that were sent)
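A small scheduler that follows the description above, as an added example (not code from the slides or from a Cisco platform): each visit credits the queue its quantum, packets are sent while the counter is positive, a packet may push the counter negative and that debt is carried into the next round, and the priority queue is either drained first (strict) or given a turn between every pair of normal queues (alternate). The quantum values, packet sizes and queue numbering in `scenario()` are constructed for the example.

```python
"""Modified Deficit Round Robin with strict or alternate PQ (added example)."""
from collections import deque


class Mdrr:
    def __init__(self, quanta, pq=0, mode="strict"):
        """quanta: {queue_id: quantum in bytes}; pq: id of the priority queue."""
        if mode not in ("strict", "alternate"):
            raise ValueError(mode)
        self.quanta = quanta
        self.queues = {q: deque() for q in quanta}
        self.deficit = {q: 0 for q in quanta}     # bytes of credit (+) or debt (-)
        self.pq, self.mode = pq, mode

    def enqueue(self, q, size):
        self.queues[q].append(size)

    def _visit(self, q, sent):
        """One DRR visit: credit the quantum, send while the counter is positive.
        The last packet may overshoot; the debt is paid off in later rounds."""
        if not self.queues[q]:
            self.deficit[q] = 0
            return
        self.deficit[q] += self.quanta[q]
        while self.queues[q] and self.deficit[q] > 0:
            size = self.queues[q].popleft()
            self.deficit[q] -= size
            sent.append((q, size))
        if not self.queues[q]:
            self.deficit[q] = 0             # an emptied queue forfeits its credit

    def _drain_pq(self, sent):
        while self.queues[self.pq]:
            sent.append((self.pq, self.queues[self.pq].popleft()))

    def run(self):
        """Serve everything queued; returns the transmit order as (queue, bytes)."""
        sent = []
        normal = [q for q in self.queues if q != self.pq]
        if not normal:
            self._drain_pq(sent)
            return sent
        while any(self.queues.values()):
            for q in normal:
                if self.mode == "strict":
                    self._drain_pq(sent)          # PQ is always emptied first
                else:
                    self._visit(self.pq, sent)    # PQ gets a turn between normal queues
                self._visit(q, sent)
        return sent


def scenario(mode):
    """Constructed load: four 500 B priority packets and three 1000 B packets in
    each of two normal queues; quantum 500 B for the PQ, 1500 B for the others.
    Returns the sequence of queue ids in transmit order."""
    s = Mdrr({0: 500, 1: 1500, 2: 1500}, pq=0, mode=mode)
    for _ in range(4):
        s.enqueue(0, 500)
    for q in (1, 2):
        for _ in range(3):
            s.enqueue(q, 1000)
    return [q for q, _ in s.run()]
```

In alternate mode the PQ is visited before every normal queue but only gets its quantum each time, so the order interleaves 0,1,1,0,2,2,0,1,0,2; in strict mode all four priority packets leave before anything else. The second round of queue 1 sends a single packet because the 500 bytes it overshot in round one are subtracted from its new quantum.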
MDRR Example
MDRR Example – cont.
Queuing Configuration
Queuing Configuration
• CBWFQ & LLQ
class-map match-any|match-all class_name
 match ...
policy-map policy_name
 class class_name
  bandwidth value
  bandwidth percent percentage
  bandwidth remaining percent percentage
  priority bw-kbps | percent percentage
interface if_name
 service-policy output policy_name
• Hardware Queue Length
tx-ring-limit length
Example CBWFQ & LLQ Configuration
policy-map QOS_POL
 class VOICE_CLASS
  priority 64                        ! LLQ queue
 class WEB_CLASS
  bandwidth remaining percent 50     ! CBWFQ queue
 class BE_CLASS
  bandwidth remaining percent 10     ! CBWFQ queue
int f0/0
 bandwidth 200
 service-policy output QOS_POL
Configuration Verification
show class-map - Displays class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
show queueing interface - Displays queuing statistics of an interface
Policing
Policing
• Policing is a traffic regulation mechanism. It marks or drops the packets that don’t conform to a configured rate
• There are three types of Policing :
1. Single Rate, Two-Color
2. Single Rate, Three-Color
3. Two Rate, Three-Color
• Both Shaping and Policing are based on the Token Bucket metaphor
Token Bucket (General)
• The classic Token Bucket consists of three components :
Burst Committed (Bc)
CIR
Time Interval (Tc)
• Tc = Bc / CIR
• Each token represents a fixed amount of bits/bytes that can be sent
• If there are not enough tokens in the bucket, the packet will be queued (shaping) or marked/dropped (policing)
Token Bucket (Policing)
• Burst Committed is the token bucket size in bytes
• CIR is the average rate at which we want to send the packets
• Time Interval is just an averaging interval (how many bytes can be sent during this Tc time)
• Token Arrival Rate = CIR(bps)*(T1-T0)/8
Single Rate, Two-Color Policing
• Single token arrival rate („Single Rate”)
• Two actions available are either conform or exceed („Two-Color”)
• Conform typically means „transmit”
• Exceed action usually corresponds to „drop” (although marking is also available)
Single Rate, Two-Color Policing
Single Rate, Two-Color Policer Example
• An example : CIR = 64Kbps (8KBps), Bc = 1KB
• We start with the full bucket (1KB), a 400B packet arrives
• Packet conforms, 600B remains
• A 700B packet arrives 1 millisecond later
• Token Refresh : 1/1000 [s] * 8000 [Bps] = 8 tokens
• Since 608 < 700, the exceed action is taken
• Bc regulates the „burstiness” of traffic
Single Rate, Three-Color Policing
• Single token arrival rate („Single Rate”)
• Two buckets are used
• The second bucket is Be (Excess Burst) in size
• One additional action available is „Violate”
Single Rate, Three-Color Policing
Two Rate, Three-Color Policing
• Two buckets, two separate token arrival rates („Two Rate”) – CIR and PIR (Peak Information Rate)
• Buckets are emptied backwards :
1. First the PIR bucket is checked – if there are not enough tokens, the violate action is taken
2. Second (if there are tokens in the PIR bucket) the CIR bucket is checked – if there are not enough tokens in the CIR bucket, the exceed action is taken AND tokens are removed from the PIR bucket
3. Third (if there are tokens in the CIR bucket) the conform action is taken AND tokens are removed from both the PIR and CIR buckets
• In short, first the violate action is checked, then exceed and finally conform
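Both policers in working code, as an added example (not code from the slides or from IOS): the single rate, two-color policer walked through with the numbers from the earlier example slide (CIR 64 kbps, Bc 1000 bytes, a 400 B packet and then a 700 B packet one millisecond later), and the two rate, three-color policer with exactly the check order listed above. Time is kept in microseconds and tokens as exact fractions so the 608-token figure comes out exactly; the class and method names are this example's own.

```python
"""Token-bucket policers: single rate two-color and two rate three-color
(added example). Token arrival follows the slide's formula
CIR(bps) * (T1 - T0) / 8 bytes; timestamps are in microseconds.
"""
from fractions import Fraction


class Bucket:
    """Byte tokens refilled continuously at `rate_bps`, capped at `size_bytes`."""

    def __init__(self, rate_bps, size_bytes):
        self.rate, self.size = rate_bps, size_bytes
        self.tokens = Fraction(size_bytes)          # the bucket starts full
        self.last_us = 0

    def refill(self, now_us):
        earned = Fraction(self.rate * (now_us - self.last_us), 8_000_000)
        self.tokens = min(Fraction(self.size), self.tokens + earned)
        self.last_us = now_us


class SingleRateTwoColor:
    def __init__(self, cir_bps, bc_bytes):
        self.bucket = Bucket(cir_bps, bc_bytes)

    def police(self, size, now_us):
        self.bucket.refill(now_us)
        if self.bucket.tokens >= size:
            self.bucket.tokens -= size
            return "conform"
        return "exceed"                             # exceeding packets consume no tokens


class TwoRateThreeColor:
    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir_bucket = Bucket(cir_bps, bc_bytes)
        self.pir_bucket = Bucket(pir_bps, be_bytes)

    def police(self, size, now_us):
        self.cir_bucket.refill(now_us)
        self.pir_bucket.refill(now_us)
        if self.pir_bucket.tokens < size:           # 1. PIR bucket is checked first
            return "violate"
        if self.cir_bucket.tokens < size:           # 2. PIR ok, CIR short
            self.pir_bucket.tokens -= size
            return "exceed"
        self.cir_bucket.tokens -= size              # 3. both ok
        self.pir_bucket.tokens -= size
        return "conform"


def slide_example():
    """The earlier slide's walk-through: verdicts and token counts after each packet."""
    p = SingleRateTwoColor(64_000, 1000)
    first = p.police(400, 0)            # full bucket, 400 B conforms, 600 B left
    after_first = int(p.bucket.tokens)
    second = p.police(700, 1_000)       # 1 ms later: +8 tokens -> 608 < 700
    return first, after_first, second, int(p.bucket.tokens)
```

With the two-rate policer and full buckets (CIR 64 kbps / Bc 1000 B, PIR 128 kbps / Be 2000 B), three back-to-back 800 B packets come out conform, exceed, violate: the first drains the CIR bucket, the second can only be paid from the PIR bucket, and the third finds neither sufficient.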
Two Rate, Three-Color Policing
• The main advantage of the Two Rate, Three-Color policer is that it allows for sustained bursts of traffic
CAR
• Committed Access Rate (CAR) is another method of rate-limiting traffic
• CAR relies on a Single Rate, Two-Color token bucket (Bc in size), but it works differently than standard policing
• CAR Be is unrelated to the Shaping/Policing Be
• The Extended Burst capability in CAR is based on the so-called Compounded Debt parameter
• Cisco recommended values for CAR are as follows :
Bc = (CIR*1.5)/8 (assuming CIR is in bps)
Be = 2*Bc
Policing Configuration
Policing Configuration
• Policing – Single Rate
police bps [Bc] [Be] conform-action action exceed-action action [violate-action action]
• Policing – Dual Rate
police cir cir [bc conform-burst] [pir pir] [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]
• Apply the Policy
service-policy input|output policy_name
• CAR
rate-limit {input | output} access-group ACL_nr bps burst-normal burst-max conform-action action exceed-action action
Example CAR Configuration
access-list 100 permit icmp any any
int f0/1
 rate-limit input access-group 100 8000 1500 3000 conform-action set-prec-transmit 0 exceed-action drop
Configuration Verification
show class-map - Displays class-maps and their matching criteria
show policy-map - Displays all configured policy-maps
show policy-map interface - Displays traffic statistics of all classes configured on the specified interface
show interface x rate-limit - Displays information about CAR for a specified interface
Shaping
Shaping
• Traffic shaping is used to control the speed of the outgoing traffic
• The shaper does not mark/drop excess traffic – it buffers it
• Four main characteristics of shaping are :
1. Shaping queue
2. Size of the Token Bucket is Bc + Be
3. Bc tokens are refilled every Tc (Bc = CIR * Tc)
4. One token corresponds to one bit
Token Bucket (Shaping)
Shaping Example
Shaping Configuration
Generic Traffic Shaping Configuration
• GTS (no ACL)
  traffic-shape rate bps [burst-size [excess-burst-size]]
• GTS (ACL)
  traffic-shape group ACL_nr bps [burst-size [excess-burst-size]]
• Adaptive Shaping
  traffic-shape adaptive bps
• Example
  access-list 120 permit tcp any any eq 80
  int f0/0
   traffic-shape group 120 64000 640 640
FRTS Configuration
• FRTS
  interface if_name
   encapsulation frame-relay
   frame-relay traffic-shaping
• Map Class
  map-class frame-relay map_name

  map-class frame-relay PVC120_CLASS
   frame-relay cir 256000
   frame-relay bc 2560
   frame-relay be 0
   service-policy output LLQ_POL
FRTS Configuration – cont.
• Map Class -> DLCI
  frame-relay interface-dlci DLCI_nr
   class map_name
• Map Class -> Interface
  int if_name
   frame-relay class map_name
• Adaptive Shaping
  map-class frame-relay map_name
   frame-relay cir bps
   frame-relay adaptive-shaping [becn|foresight]
   frame-relay mincir bps
Class-Based Shaping Configuration
• MQC Shaping
  policy-map policy_name
   class class_name
    shape average bps [bc] [be]
• MQC Adaptive Shaping
  policy-map policy_name
   class class_name
    shape average bps [bc] [be]
    shape adaptive minCIR
• Hierarchical Shaping -> two policy-maps
Example Shaping Configuration
  policy-map LLQ_POL
   class VOICE_CLASS
    priority 32
  policy-map SHAPE_QUEUE_POL
   class class-default
    shape average 128000 1280
    service-policy LLQ_POL
  int s0/1.2
   service-policy output SHAPE_QUEUE_POL
Example Shaping Configuration #2
  policy-map INT_SOFTWARE_POL
   class HTTP_CLASS
    bandwidth …
  int s0/1
   service-policy output INT_SOFTWARE_POL
Configuration Verification
  show traffic-shape
  - Displays the current traffic-shaping configuration
  show frame-relay pvc
  - Displays Frame Relay PVC statistics
  show policy-map interface
  - Displays traffic statistics of all classes configured on the specified interface
Congestion Avoidance
Congestion Avoidance & RED
• Congestion Avoidance mechanisms manage the tail of a queue
• If no congestion avoidance mechanism is enabled, tail drop is performed
• Tail drop may result in TCP Global Synchronization
• Congestion Avoidance doesn’t work for UDP flows
• Random Early Discard (RED) drops random packets when the minimum defined queue threshold has been exceeded
WRED
• RED is not supported on IOS
• WRED allows the degree of „randomness” to be influenced by setting drop thresholds selectively, based on IP Precedence or DSCP
• Every time a new packet arrives, the Average Queue Depth (AQD) is compared against two thresholds – min and max:
  1. If AQD < min threshold, queue the packet
  2. If min < AQD < max, use Packet Drop Probability
  3. If AQD > max, drop the packet
• Packet Drop Probability = 1/Max_Prob_Denominator
WRED Example Output
  Current random-detect configuration:
    Serial1/0
      Queueing strategy:random early detection (WRED)
      Exp-weight-constant:9 (1/512)
      Mean queue depth:40

  Class  Random drop  Tail drop  Minimum threshold  Maximum threshold  Mark probability
  0      1401         9066       20                 40                 1/10
  1      0            0          22                 40                 1/10
  2      0            0          24                 40                 1/10
  3      0            0          26                 40                 1/10
  4      0            0          28                 40                 1/10
  5      0            0          31                 40                 1/10
  6      0            0          33                 40                 1/10
  7      0            0          35                 40                 1/10
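The WRED decision described on the previous slide, carried through as an added example (not code from the IPexpert slides) using the threshold values of the show output above. The averaging formula and the linear drop ramp are assumptions stated in the docstring; the slide itself only gives the ramp's maximum.

```python
"""WRED drop decision, as an added example (not from the IPexpert slides).

It models the logic the slide describes: on every arrival the Average Queue
Depth (AQD) is compared with the min/max thresholds of the packet's IP
Precedence; below min the packet is queued, above max it is dropped, and in
between a random drop applies whose probability is bounded by
1/mark-probability-denominator. Two details the slide leaves implicit are
assumed here: AQD is the exponentially weighted average IOS computes with
exponential-weighting-constant n (avg = avg*(1-2^-n) + depth*2^-n), and the
drop probability ramps linearly from 0 at min to 1/denominator at max (the
standard RED ramp). Threshold values are those of the slide's show output.
"""
import random

# Profile from the slide's 'show queueing random-detect' output:
# precedence -> (min threshold, max threshold, mark probability denominator)
WRED_PROFILE = {
    0: (20, 40, 10), 1: (22, 40, 10), 2: (24, 40, 10), 3: (26, 40, 10),
    4: (28, 40, 10), 5: (31, 40, 10), 6: (33, 40, 10), 7: (35, 40, 10),
}
EXP_WEIGHT_CONSTANT = 9   # slide: "Exp-weight-constant:9 (1/512)"


def average_queue_depth(previous_avg, current_depth, n=EXP_WEIGHT_CONSTANT):
    """Exponentially weighted average queue depth (weight 2^-n per sample)."""
    w = 2.0 ** -n
    return previous_avg * (1.0 - w) + current_depth * w


def drop_probability(aqd, precedence, profile=WRED_PROFILE):
    """Drop probability for one packet at this AQD: 0 below min, a linear ramp
    up to 1/denominator between min and max, 1 (tail drop) at or above max."""
    min_t, max_t, denom = profile[precedence]
    if aqd < min_t:
        return 0.0
    if aqd >= max_t:
        return 1.0
    return (aqd - min_t) / (max_t - min_t) / denom


def wred_decision(aqd, precedence, rng=random.random, profile=WRED_PROFILE):
    """Return 'queue', 'random-drop' or 'tail-drop' for one arriving packet."""
    min_t, max_t, _ = profile[precedence]
    if aqd < min_t:
        return "queue"
    if aqd >= max_t:
        return "tail-drop"
    if rng() < drop_probability(aqd, precedence, profile):
        return "random-drop"
    return "queue"


def simulate(depths, precedence, rng=None, profile=WRED_PROFILE):
    """Run WRED over a constructed sequence of instantaneous queue depths
    (one arrival each) and return (queued, random_drops, tail_drops), the
    counters behind the 'Random drop' / 'Tail drop' columns of the show
    output. Because of the 1/512 weighting the AQD lags a sudden burst: the
    first arrivals of a burst are still queued although the instantaneous
    depth is already past both thresholds."""
    rng = rng or random.Random(1).random
    avg = 0.0
    counts = {"queue": 0, "random-drop": 0, "tail-drop": 0}
    for depth in depths:
        avg = average_queue_depth(avg, depth)
        counts[wred_decision(avg, precedence, rng, profile)] += 1
    return counts["queue"], counts["random-drop"], counts["tail-drop"]


if __name__ == "__main__":
    # Constructed burst: 1000 arrivals while the queue sits at depth 60.
    print(simulate([60] * 1000, precedence=0))
```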
WRED Configuration
WRED Configuration
• WRED
  random-detect [dscp-based]
• WRED Profile
  random-detect precedence|dscp value min-threshold min max-threshold max mark-prob-denominator value
• WRED Exponential Weighting
  random-detect exponential-weighting-constant val
Configuration Verification
  show queue
  - Displays contents of packets inside a particular queue
  show queueing [random-detect]
  - Displays status of Weighted RED
Compression
Compression
• Compression increases available bandwidth
• Two types of compression are:
  1. Payload Compression – useful for longer packets
  2. Header Compression – useful for small packets
• The two most prevalent compression algorithms are called Stacker and Predictor
• Compression is generally used on slow-speed links
Compression Configuration
• Payload Compression
  compress stac|predictor

  int s0/1
   compress stac
• Frame Relay Payload Compression
  frame-relay payload-compression packet-by-packet | frf9 stac | data-stream stac
  frame-relay map ip IP DLCI [payload-compress]
Compression Configuration
• Header Compression
  ip tcp|rtp header-compression [passive]
• Frame Relay Header Compression
  frame-relay map ip ip DLCI tcp header-compression
• MQC Header Compression
  compression header ip [tcp|rtp]

  policy-map QOS_POL
   class VOICE_CLASS
    compression header ip rtp
Configuration Verification
  show compress
  - Displays compression statistics
  show ip tcp|rtp header-compression
  - Displays TCP/RTP header compression statistics
  show policy-map interface
  - Displays traffic statistics of all classes configured on the specified interface
8.02 Implement Layer 2 QoS: Weighted Round Robin (WRR), Shaped Round Robin (SRR), and policies
Layer 2 QoS – Ingress Queuing
• Cisco switches can perform not only outbound, but also inbound queuing
• Catalyst 3560 switches have two ingress queues per port
• These queues are located after a packet is classified, policed and marked
• By default the second ingress queue is the Priority Queue
Ingress Queuing Mechanism
• Packets are mapped to a queue based on two tables:
  CoS-to-Queue-ID
  DSCP-to-Queue-ID
• Which table is used depends on the port’s Trust State
• Available Trust States are:
  1. DSCP (mls qos trust dscp)
  2. IP Precedence (mls qos trust ip-precedence)
  3. CoS (mls qos trust cos)
  4. Untrusted (CoS/DSCP is set to 0). To assign a specified CoS to each packet use the mls qos cos command
Ingress Queuing Mapping Example
• In this example we assume that the port’s Trust State is set to CoS
• To display the CoS-to-Queue-ID mappings, use the show mls qos maps cos-input-q command:
  Cos-inputq-threshold map:
     cos:  0   1   2   3   4   5   6   7
  ------------------------------------
  queue-threshold: 1-1 1-1 1-1 1-1 1-1 2-1 1-1 1-1
Ingress Queueing SRR
• The Shaped Round Robin (SRR) algorithm working in shared mode is used to service the ingress queues
• SRR logic is as follows:
  1. Service the Priority Queue (which is max 40%)
  2. Service all the remaining packets according to their weights (relative share)
  3. If there is no Priority Queue configured, proceed according to point #2
Ingress Queueing SRR Example
• We assume:
  Internal ring BW    : 20Gbps
  Priority Queue (#2) : 20% = 20%*20Gbps = 4Gbps
  SRR weights         : 40 for queue #1 and 10 for queue #2
• Relative share:
  Queue #1 : 40/(10+40) = 0.8
  Queue #2 : 10/(10+40) = 0.2
• Overall Reservation:
  Queue #1 : (20-4)*0.8Gbps = 12.8Gbps
  Queue #2 : 4Gbps + (20-4)*0.2Gbps = 7.2Gbps
• If there was no PQ:
  Queue #1 : 20*0.8Gbps = 16Gbps
  Queue #2 : 20*0.2Gbps = 4Gbps
Egress Queueing
• Outbound queues are located after the internal ring
• There are four egress queues
• A Priority Queue is supported, but it will always be queue #1
• Egress queues may work in Shared or Shaped Mode
Egress Queueing – Shaped Mode
• Each Shaped queue is guaranteed a percentage of bandwidth and is rate-limited to that amount (always)
• The allocated bandwidth is inversely proportional to the configured weight
• Example Shaped Mode configuration:
  int f0/1
   speed 100
   srr-queue bandwidth shape 10 20 2 0
• Overall Result:
  Queue #1 : 1/10*100Mbps = 10Mbps
  Queue #2 : 1/20*100Mbps = 5Mbps
  Queue #3 : 1/2*100Mbps = 50Mbps
  Queue #4 : Shared Mode
Egress Queueing – Shared Mode
• Shared Mode queues share the bandwidth that remained after the Shaped queues
• Bandwidth is divided according to relative shares. Unused bandwidth is shared between the queues
• Example Shared Mode configuration:
  int f0/1
   speed 100
   srr-queue bandwidth shape 10 10 0 0
   srr-queue bandwidth share 0 20 30 50
• In this example queues #1 and #2 operate in Shaped Mode (non-zero shape value)
Egress Queuing Shared Mode Example
• Relative Share:
  Queue #3 : 30/(30+50) = 3/8
  Queue #4 : 50/(30+50) = 5/8
• Overall Reservation:
  Queue #1 : 1/10*100Mbps = 10Mbps
  Queue #2 : 1/10*100Mbps = 10Mbps
  Queue #3 : 3/8*(100 – 10 – 10)Mbps = 30Mbps
  Queue #4 : 5/8*(100 – 10 – 10)Mbps = 50Mbps
• If there was no traffic in Queue #3, Queue #4 would get 80Mbps (and vice versa)
• If the Priority Queue is enabled, the Shaped & Shared weight for queue #1 is ignored. The PQ is always serviced first
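The ingress SRR example and the egress Shaped/Shared examples above, reproduced in one added example (not code from the IPexpert slides). The functions take the slide's figures as plain numbers; the egress PQ special case (queue #1 weights ignored) is deliberately not modelled.

```python
"""Catalyst 3560 SRR bandwidth arithmetic, as an added example (not from the
IPexpert slides). It reproduces the slides' ingress and egress calculations:

* ingress (shared SRR): the priority queue is serviced first up to its
  configured percentage of the internal ring, the rest is split between the
  queues by the relative share of their weights;
* egress: a non-zero 'shape' weight rate-limits a queue to 1/weight of the
  port speed, shared queues divide what is left by their 'share' weights, and
  a shared queue with no traffic gives its share to the other shared queues.
All bandwidth figures are in the unit of the first argument (Gbps or Mbps).
"""


def relative_shares(weights):
    """Relative share of each weight (the returned list sums to 1.0)."""
    total = sum(weights)
    return [w / total if total else 0.0 for w in weights]


def ingress_reservation(ring_bw, weights, pq_queue=None, pq_percent=0):
    """Bandwidth reserved per ingress queue, list indexed by queue number - 1.

    pq_queue is the 1-based number of the priority queue (None = no PQ).
    The PQ keeps its reserved portion and additionally takes its weighted
    share of the remainder, as on the slide: 4Gbps + (20-4)*0.2Gbps.
    """
    pq_bw = ring_bw * pq_percent / 100 if pq_queue else 0
    shares = relative_shares(weights)
    remaining = ring_bw - pq_bw
    result = [remaining * s for s in shares]
    if pq_queue:
        result[pq_queue - 1] += pq_bw
    return result


def egress_reservation(port_bw, shape, share, active=None):
    """Bandwidth per egress queue for 'srr-queue bandwidth shape/share'.

    shape[i] > 0: queue i is shaped to port_bw / shape[i] and its share
    weight is ignored. shape[i] == 0: queue i is in shared mode and gets its
    relative share of what the shaped queues leave. `active` (optional list
    of booleans) marks which shared queues actually carry traffic; an idle
    shared queue's weight is dropped so the others absorb its bandwidth.
    """
    n = len(shape)
    if active is None:
        active = [True] * n
    result = [0.0] * n
    for i in range(n):
        if shape[i] > 0:
            result[i] = port_bw / shape[i]
    leftover = port_bw - sum(result)        # only shaped queues are set so far
    shared_weights = [share[i] if shape[i] == 0 and active[i] else 0 for i in range(n)]
    for i, frac in enumerate(relative_shares(shared_weights)):
        if shape[i] == 0:
            result[i] = leftover * frac
    return result


if __name__ == "__main__":
    # Slide figures: 20 Gbps ring, PQ = queue 2 at 20%, weights 40 / 10.
    print(ingress_reservation(20, [40, 10], pq_queue=2, pq_percent=20))   # [12.8, 7.2]
    print(ingress_reservation(20, [40, 10]))                               # no PQ: [16, 4]
    # Slide figures: 100 Mbps port, shape 10 10 0 0, share 0 20 30 50.
    print(egress_reservation(100, [10, 10, 0, 0], [0, 20, 30, 50]))
    # Queue 3 idle: queue 4 takes the whole 80 Mbps the shaped queues leave.
    print(egress_reservation(100, [10, 10, 0, 0], [0, 20, 30, 50],
                             active=[True, True, False, True]))
```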
Layer 2 Congestion Avoidance
Layer 2 Congestion Avoidance
• Catalyst 3560 switches use Weighted Tail Drop (WTD)
• Three thresholds are created for each of the 6 queues:
  1. Threshold #1 (configurable)
  2. Threshold #2 (configurable)
  3. Threshold #3 (not configurable, equals 100%)
• Each of the thresholds has CoS/DSCP values assigned – only packets matching a particular CoS/DSCP value will be subject to that threshold
• Example:
  Threshold #1 = 50%, CoS 0 through 4
  Threshold #2 = 80%, CoS 6
• Whether to trust CoS/DSCP depends on the Port Trust State
Layer 2 QoS Configuration
Layer 2 QoS Configuration
• Enable QoS
  mls qos
• Ingress Queueing
  mls qos srr-queue input bandwidth w1 w2
  mls qos srr-queue input priority-queue nr bandwidth value
  mls qos srr-queue input cos-map q_nr
  mls qos srr-queue input dscp-map q_nr
• Egress Queuing
  srr-queue bandwidth shape w1 w2 w3 w4
  srr-queue bandwidth share w1 w2 w3 w4
  priority-queue out
  srr-queue bandwidth limit
Layer 2 QoS Configuration
• WTD Threshold Mapping
  mls qos srr-queue input {dscp-map|cos-map} queue q_nr threshold thresh_id
  mls qos srr-queue output {dscp-map|cos-map} queue q_nr threshold thresh_id
• WTD Threshold Values
  mls qos srr-queue input threshold q_nr v1 v2
  mls qos queue-set output qset_id threshold q_nr v1 v2
  int if_name
   queue-set qset_id
Example Layer 2 QoS Configuration
  mls qos srr-queue input priority-queue 1 bandwidth 20
  mls qos srr-queue input bandwidth 10 40
  mls qos srr-queue input cos-map queue 1 4
  mls qos srr-queue input threshold 2 60 80
Configuration Verification
  show mls qos
  - Displays global QoS configuration information
  show mls qos input-queue
  - Displays QoS settings for the ingress queues
  show mls qos queue-set
  - Displays QoS settings for the egress queues
  show mls qos maps
  - Displays QoS mapping information
8.03 Implement Link Fragmentation and Interleaving (LFI) for Frame Relay
LFI
• Large packets take a long time to serialize on low-bandwidth WAN links – this may affect small Voice packets that are delay- & jitter-sensitive
LFI – cont.
• To overcome this problem the Link Fragmentation and Interleaving feature (FRF.12) can be used
• LFI mechanics can be divided into two phases:
  1. Fragmentation – packets that take longer than 10 milliseconds to serialize are fragmented
  2. Interleaving – small, non-fragmented packets are inserted between the fragments
LFI Example
• The High Priority Interleaving queue (non-fragmented packets) is always serviced first
LFI Configuration
LFI Configuration
• LFI with FRTS
  map-class map_name
   frame-relay fragment fragment_size
• MQC-Compatible LFI
  frame-relay fragment end-to-end
Configuration Verification
  show frame-relay fragment
  - Displays information about Frame-Relay fragmentation
8.05 Implement Resource Reservation Protocol (RSVP)
Resource Reservation Protocol
• RSVP reservations are end-to-end
• RSVP is unidirectional – if a bidirectional reservation is required, both endpoints must request it
• RSVP uses three types of messages:
  PATH Message
  RESV Message
  ERROR Message
Resource Reservation Protocol
• The RSVP Path message contains information describing the flow, bandwidth and QoS needed for the traffic
RSVP Configuration
RSVP Configuration
• RSVP
  ip rsvp bandwidth total_bw single_flow_bw
Configuration Verification
  show ip rsvp interface
  - Displays RSVP-related interface information
  show ip rsvp reservation
  - Displays RSVP receiver information
8.06 Implement Cisco AutoQoS
AutoQoS, AutoQoS VoIP
• AutoQoS is just a macro
• There are two kinds of AutoQoS – VoIP and Enterprise
• AutoQoS VoIP (IOS switches) is enabled using the auto qos voip command. Three options are available:
  1. cisco-phone – trusts DSCP values 24, 26 and 46
  2. cisco-softphone – same as above but for softphones
  3. trust – trust CoS for L2 and DSCP for L3 ports
• AutoQoS VoIP (IOS Routers) is enabled using the auto qos voip [trust] command
AutoQoS Enterprise
• AutoQoS Enterprise is only available on IOS Routers
• AutoQoS Enterprise works in two phases:
  1. The Auto-Discovery phase uses NBAR to detect applications running on the network
  2. The Installation phase generates templates based on the information collected in Phase I. Finally the policy is installed on the interface
• AutoQoS-generated configurations can be manually modified
AutoQoS Configuration
AutoQoS Configuration
• AutoQoS VoIP IOS Switches
  auto qos voip cisco-phone|cisco-softphone|trust
• AutoQoS VoIP IOS Routers
  auto qos voip [trust]
• AutoQoS Enterprise
  auto discovery qos [trust]
  auto qos
Configuration Verification
  show auto qos
  - Displays the interface Auto QoS commands
  show auto discovery qos
  - Displays types and amounts of traffic detected by NBAR
  show policy-map interface
  - Displays traffic statistics of all classes configured on the specified interface
End of Section 8.0

IPexpert’s CCIE R&S Written VoD Series 9.0 Troubleshoot a network

9.01 Troubleshoot complex Layer 2 network issues
Troubleshooting Introduction
• Troubleshooting means diagnosing a problem and resolving it
• Common approaches to troubleshooting include:
  Top-Down
  Bottom-Up
  Divide & Conquer
• The main troubleshooting tools available on Cisco IOS are a variety of show and debug commands
• As general advice, always try to approach a problem in a structured way, without skipping anything (there is no „99%” in troubleshooting)
Troubleshooting Auto-Negotiation
• Both sides should have Auto-Negotiation enabled or both sides should be configured manually
• Any other combination may cause Auto-Negotiation to fail
• Verify how the speed & duplex settings were actually derived:
  - show interfaces status
  Port   Name   Status      Vlan   Duplex   Speed   Type
  Fa0/1         connected   1      a-full   a-100   10/100BaseTX
Verifying Basic Interface Settings
  R1# show interfaces eth 0
  Ethernet0 is up, line protocol is up
    Hardware is Lance, address is 0010.7b36.1be8 (bia 0010.7b36.1be8)
• Possible causes for „down down” are as follows:
  Cable is not connected
  Cable is faulty
  Cable is connected to the wrong port on the far end
• Possible causes for „up down” are as follows:
  Speed mismatch
  Encapsulation mismatch
  Disabled keepalives
  No clocking set on DCE
Verifying Basic Interface Settings
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2058015 packets input, 233768993 bytes, 1 no buffer
     Received 1880947 broadcasts, 0 runts, 0 giants, 1 throttles
     3 input errors, 0 CRC, 0 frame, 0 overrun, 3 ignored
     0 input packets with dribble condition detected
     298036 packets output, 32280269 bytes, 0 underruns
     0 output errors, 10 collisions, 0 interface resets
     0 babbles, 0 late collision, 143 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Verifying Basic Interface Settings
• FCS, alignment, runt & collision counters are normal for half-duplex if the errors/packets ratio is below 2%
• FCS, alignment and runt counters should be minimal for full-duplex (and no collisions)
• A duplex mismatch results in poor performance, intermittent connectivity and packet drops
  Jan 20 13:26:45 %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet1/2(not half duplex), with TBA04251336 3/2 (half duplex)
• Other possible causes of errors in full-duplex are bad cables, NIC problems and other hardware issues
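The 2% rule of thumb and the full-duplex checks above, applied to the counter block from the earlier show interfaces slide, as an added example (not code from the IPexpert slides). The sample text is constructed from the slide's figures, the duplex setting is passed in separately (it comes from show interfaces status), and the 2% limit is the slide's figure.

```python
"""Interface error-ratio check, as an added example (not from the IPexpert
slides). It parses the counters block of 'show interfaces' and applies the
slide's rule of thumb: on a half-duplex link FCS/CRC, alignment (frame),
runt and collision counters are acceptable while errors/packets stay below
2%; on full-duplex those counters should be minimal and collisions should not
occur at all. Late collisions, giants and runts are mapped to the causes the
'Verifying Interface Counters' slide lists.
"""
import re

# Constructed sample: the counter lines of the slide's 'show interfaces' output.
SAMPLE_COUNTERS = """\
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2058015 packets input, 233768993 bytes, 1 no buffer
     Received 1880947 broadcasts, 0 runts, 0 giants, 1 throttles
     3 input errors, 0 CRC, 0 frame, 0 overrun, 3 ignored
     0 input packets with dribble condition detected
     298036 packets output, 32280269 bytes, 0 underruns
     0 output errors, 10 collisions, 0 interface resets
     0 babbles, 0 late collision, 143 deferred
"""

# counter name -> regex capturing the number printed in front of its label
COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",
    "late_collision": r"(\d+) late collision",
}


def parse_counters(text):
    """Return {counter_name: int} for every counter found in the text."""
    found = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            found[name] = int(match.group(1))
    return found


def assess_interface(counters, duplex, ratio_limit=0.02):
    """Apply the slide's rule of thumb; returns (ok, list_of_findings).

    duplex is "half" or "full" as reported by 'show interfaces status'.
    """
    findings = []
    packets = counters.get("packets_input", 0) + counters.get("packets_output", 0)
    errors = sum(counters.get(k, 0) for k in ("crc", "frame", "runts", "collisions"))
    ratio = errors / packets if packets else 0.0
    if duplex == "half" and ratio >= ratio_limit:
        findings.append(f"error ratio {ratio:.2%} exceeds {ratio_limit:.0%} on half-duplex")
    if duplex == "full":
        if counters.get("collisions", 0):
            findings.append("collisions on a full-duplex link: check for a duplex mismatch")
        if ratio >= ratio_limit:
            findings.append(f"error ratio {ratio:.2%} on full-duplex: check cables and NICs")
    if counters.get("late_collision", 0):
        findings.append("late collisions: duplex mismatch or cable/segment too long")
    if counters.get("giants", 0) or counters.get("runts", 0):
        findings.append("giants/runts present: suspect NIC, cable or port")
    return not findings, findings


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_COUNTERS)
    print(assess_interface(parsed, "half"))   # 10 collisions are fine on half-duplex
    print(assess_interface(parsed, "full"))   # the same 10 collisions are not on full-duplex
```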
Verifying Interface Counters
• Collisions (normal on half-duplex links):
  Duplex mismatch
• Late Collisions (detected after the 512th bit):
  Duplex mismatch
  Too long Ethernet cable or segment
• Cyclic Redundancy Check (CRC):
  Collisions
  Physical Layer issue
• Giants (frames greater than 1518B):
  Bad NIC
• Runts (frames shorter than 64B):
  Bad NIC/cable/port
Troubleshooting VLANs & Trunking
• If Native VLANs are different on both ends, CDP (if enabled) should complain about it (use show logging if logging to a buffer):
  *Jan 14 03:21:00: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/10 (1), with CAT1 FastEthernet0/13 (10)
• For troubleshooting DTP always verify administrative & operational modes:
  - show interface if_name switchport
Troubleshooting VTP
• VTP information is always forwarded on trunk links using VLAN 1
• VTP parameters that have to match are:
  VTP domain name
  VTP password
  VTP version
• Since the VTP domain name is sent inside a DTP packet, DTP will never negotiate a trunk between two different VTP domains
• Not only a VTP Server with a higher revision number can erase the entire VLAN configuration within a VTP domain, but also a VTP Client
Troubleshooting EtherChannel
• The following parameters must match in order to form an EtherChannel:
  Speed & duplex
  STP values
  VLAN, Native VLAN
  Trunking mode
  Interface Type
• When using manual configuration, don’t wait too long before configuring the other side
• Make sure that the Load-Balancing method chosen fits the current topology
Troubleshooting STP
• STP loops are formed when a port that should block starts forwarding traffic
• Unidirectional links are often the culprit
• A duplex mismatch can resemble a „unidirectional” link scenario
• Never use PortFast on interfaces connected to:
  Switches
  Hubs
  Bridging routers
Troubleshooting STP – cont.
• Disable redundant ports one by one. Generally always start by examining the blocking ports
• Check if BPDUs are received (include Root Ports):
  - show spanning-tree detail
  - debug spanning-tree bpdu
  CAT1# show spanning-tree detail
   Port 1 (GigabitEthernet0/1) of VLAN0001 is blocking
     Port path cost 2019, Port priority 128, Port Identifier 128.24.
     -- Omitted --
     Number of transitions to forwarding state: 1
     Link type is point-to-point by default
     BPDU: sent 2, received 72364
Troubleshooting STP – cont.
• If problems are intermittent, debug and log to the buffer:
  - debug spanning-tree events
• Look for Port & CPU utilization:
  - show interfaces
  - show processes cpu
  R1# show interfaces
  GigabitEthernet0/1 is up, line protocol is up
    Hardware is Gigabit Ethernet, address is 0009.43a7.ab85 (bia 0009.43a7.ab85)
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 120/255, rxload 210/255
Troubleshooting & Verification
  debug spanning-tree events
  - Displays spanning-tree topology event debug messages
  debug spanning-tree bpdu
  - Displays sent and received Bridge Protocol Data Units
  show processes cpu
  - Displays detailed CPU utilization statistics
9.02 Troubleshoot complex Layer 3 network issues
Layer 3 Troubleshooting Introduction
• In many cases the problems we may run into are not directly related to Layer 3. Examples:
  Mismatched MTU
  Inappropriate L2 config
  Network security features
  Hardware problems
• IPv6 problems are pretty much the same
• When troubleshooting IPv6 remember to use „ipv6” instead of „ip” in the command syntax
Troubleshooting RIP
• A lack of routes installed in the RIB may generally be caused by three things:
  1. The router receives an update but does not install it
  2. The route sender is not even advertising the route
  3. The routing update got lost somewhere in the path between the sender and receiver
• Start by verifying the device’s configuration:
  - show run router rip, show ip protocols
  - debug ip rip
  RIP: ignored v2 packet from 10.1.1.1 (not enabled on FastEthernet0/0)
  RIP: ignored v2 packet from 10.1.1.1 (invalid authentication)
Troubleshooting RIP – cont.
• A few other potential RIP problems:
  Source-Validity check
  Distribute-lists
  Incompatible RIP versions
  Offset-lists
  Split Horizon
  Passive-interface
  RIP: ignored v2 update from bad source 10.1.2.1 on FastEthernet0/0
  RIP: ignored v2 packet from 10.1.1.1 (illegal version)
Troubleshooting RIP – cont.
• A RIP passive interface only receives updates
  R1# show ip protocols
  Routing Protocol is "rip"
  --Output Omitted--
    Routing for Networks:
      10.0.0.0
    Passive Interface(s)
      FastEthernet0/0
Troubleshooting EIGRP
• Unidirectional links may prevent a neighborship from being established
• Common causes:
  Layer 2 problems
  Hardware issues
  Filtering
• Troubleshoot adjacencies:
  - show ip eigrp neighbors
Troubleshooting EIGRP – cont.
  H   Address    Interface   Hold   Uptime     SRTT   RTO    Q Cnt   Seq Num
                             (sec)             (ms)
  1   10.1.1.2   Et0/0       11     00:00:20   0      5000   5       0
• Output params:
  H – order in which the neighbors were learned
  SRTT – how long it takes for an ACK to come back (0 means an ACK was never received)
  RTO – how long to wait for an ACK before retransmitting
  Q Cnt – number of unicast packets queued
Troubleshooting EIGRP – cont.
• EIGRP sources packets from its primary IP subnet
  02:19:31.142: IP-EIGRP: Neighbor 10.1.1.1 not on common subnet for Serial0/0
• K-values must match:
  - debug ip eigrp packet
• The Stuck In Active (SIA) timer is 3 minutes by default. Watch for the „DUAL-3-SIA” error console message
• Troubleshoot SIA:
  - show ip eigrp topology active
  - eigrp log-neighbor-changes
Troubleshooting EIGRP – cont.
  R1# show ip eigrp topology active
  IP-EIGRP Topology Table for process 1
  Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
         r - Reply status
  A 10.1.2.0 255.255.255.0, 1 successors, FD is 2213055
      1 replies, active 0:00:55, query-origin: Multiple Origins
          via 10.1.1.2 (Infinity/Infinity), r, Serial0, serno 1232
          via 10.1.4.2 (Infinity/Infinity), Serial1, serno 1227
Troubleshooting EIGRP – cont.
• The „inaccessible” keyword in the output of show ip eigrp topology usually indicates that a prefix has been overridden by a lower-AD route received from another routing protocol
• This usually happens for EIGRP external routes, since their AD is 170 by default
• The EIGRP Router-ID is used on external routes to prevent routing loops
• Updates received with the device’s own EIGRP Router-ID will be dropped
Troubleshooting OSPF
• Basic OSPF verification:
  - show ip ospf neighbor
  - show ip ospf interface [brief]
• More advanced troubleshooting:
  - debug ip ospf adjacency
  - debug condition interface
  OSPF adjacency events debugging is on
  OSPF: Rcv hello from 10.1.10.1 area 0 from FastEthernet0/0 10.1.1.1
  OSPF: Mismatched hello parameters from 10.1.1.1
  Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.128
Troubleshooting OSPF – cont.
• Generally always look for a FULL adjacency, but remember that devices on broadcast media will become adjacent only with the DR & BDR
• Before an adjacency is formed, OSPF goes through several states
  Problem: Lack of any state
    No Hellos have been received at all
    Hello packet failed basic sanity checks
  Solution:
    Check L1/L2
    Ping 224.0.0.5
    Use show ip ospf interface & debug ip ospf adjacency
Troubleshooting OSPF – cont.
  Problem: DOWN state
    Usually refers to unicast neighbors (the neighbor command)
    No Hellos received during the last Dead Interval
  Solution:
    Verify the neighbor configuration
    Follow the steps listed for the previous problem
  Problem: INIT state
    A Hello has been received but the local Router-ID is not seen in it
  Solution:
    Look for unidirectional communication
    Verify Layer 2 & filtering
Troubleshooting OSPF – cont.
  Problem: TWO-WAY state
    All neighbors stuck in TWO-WAY
  Solution:
    Check if at least one device is configured with an OSPF Priority higher than 0
  Problem: EXSTART/EXCHANGE state
    MTU mismatch
  Solution:
    Look for broken unicast connectivity (DBD packets are sent as unicast)
    Avoid using ip ospf mtu-ignore
Troubleshooting OSPF – cont.
  Problem: LOADING state
    Corrupted LSAs, uncommon
  Solution:
    Contact TAC
Troubleshooting BGP
• For direct peering, if Layer 1 and Layer 2 are configured correctly, verify the neighbors:
  - show ip bgp summary
  BGP table version is 1, main routing table version 1

  Neighbor   V   AS    MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down   State/PfxRcd
  10.1.1.2   4   400   0         0         0        0     0      never     Active
• Another useful troubleshooting tool:
  - debug ip bgp
  BGP: 10.1.1.2 open active, local address 1.1.1.1
  BGP: 10.1.1.2 open failed: Connection refused by remote host
Troubleshooting BGP – cont.
• You can also verify TCP, which could confirm a BGP misconfiguration:
  - debug ip tcp transactions
  TCB00135978 created
  TCB00135978 setting property 0 16ABEA
  TCB00135978 bound to 1.1.1.1.13009
  TCP: sending SYN, seq 3897223151, ack 0
  TCP0: Connection to 10.1.1.2:179, advertising MSS 1460
  TCP0: state was CLOSED -> SYNSENT [13009 -> 10.1.1.2(179)]
  TCP0: state was SYNSENT -> CLOSED [13009 -> 10.1.1.2(179)]
  TCP0: bad seg from 10.1.1.2 -- closing connection: seq 0 ack 3897223152 rcvnxt 0 rcvwnd 0
  TCP0: connection closed - remote sent RST
Troubleshooting BGP – cont.
• For non-direct peerings don’t hesitate to check the following things:
  EBGP multihop
  IP reachability to the neighbor (a default route will NOT work)
  BGP: 2.2.2.2 Active open failed - no route to peer, open active delayed 13312ms (35000ms max, 60% jitter)
• Also, as for direct peerings, verify the BGP configuration:
  Correct neighbor statement
  The update-source command
Troubleshooting BGP – cont.
• A manually configured Cluster-ID (the same one) in redundant topologies may cause problems:
  - debug ip bgp update
  Jan 10 17:12:31: BGP(0): 1.1.1.1 rcv UPDATE w/ attr: nexthop 10.1.2.1, origin i, localpref 100, metric 0, originator 2.2.2.2, clusterlist 0.0.0.101, path, community, extended community
  Jan 10 17:12:31: BGP(0): 1.1.1.1 rcv UPDATE about 172.16.0.0/24 -- DENIED due to: reflected from the same cluster
• The remaining problems we may run into are usually introduced by protocol-related features (e.g. Split Horizon, BGP Sync Rule)
Troubleshooting Redistribution
• Verify which routes have been added to/removed from the RIB and what the reason for it was:
  - debug ip routing
  *Jan 11 13:21:24.181: RT: closer admin distance for 10.1.1.0, flushing 1 routes
  *Jan 11 13:21:24.185: RT: NET-RED 10.1.1.0/24
  *Jan 11 13:21:24.185: RT: add 10.1.1.0/24 via 1.1.1.1, bgp metric [20/20]
  *Jan 11 13:21:24.191: RT: NET-RED 10.1.1.1/24
Troubleshooting Redistribution – cont.
• Another useful command that can be used to display routing table statistics:
  - show ip route profile
  ------------------------------------------------------------------
  Change/    Fwd-path   Prefix   Nexthop   Pathcount   Prefix
  interval   change     add      Change    Change      refresh
  ------------------------------------------------------------------
  0          14         14       17        17          17
  1          0          0        0         0           0
  2          1          1        0         0           0
  3          2          2        0         0           0
Troubleshooting & Verification
  debug ip rip
  - Displays information on RIP transactions
  debug ip eigrp packet
  - Displays information about EIGRP protocol packets
  debug ip ospf adjacency
  - Displays information on adjacency events related to OSPF
  debug condition interface
  - Limits debug output to a single interface
Troubleshooting & Verification – cont. debug ip bgp
- Displays information related to processing of BGP
debug ip tcp transactions
- Displays information on significant TCP transactions
debug ip routing
- Displays information on routing table and route cache updates
show ip route profile
- Displays routing table change statistics
9.03 Troubleshoot a network in response to application problems
Troubleshooting Application Problems
• Network performance problems are often related to Layer 1/2 issues (bad NICs, duplex mismatch)
• Troubleshooting issues from the QoS standpoint should be approached in a structured way :
1. Verify the traffic classes :
- show class-map
2. Make sure that the QoS policy is applied :
- show policy-map interface brief
- show mls qos
3. Verify the actual policy :
- show policy-map interface
Troubleshooting Application Problems
R1# show class-map
 Class Map SSH_CLASS
   Match access-group 103
 Class Map HTTP_CLASS
   Match protocol http
 Class Map F00_CLASS
   Match input-interface FastEthernet0/0
R1# show policy-map interface brief
Service-policy input: QOS_POL
 interface F0/0
 interface F0/1
Switch> show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
Troubleshooting Application Problems
 Serial0/0
  Service-policy output: QOS_POL
    Class-map: VOICE_CLASS (match-all)
      1231 packets, 78784 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name VOICE
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 512 (kbps) Burst 12800 (Bytes)
        (pkts matched/bytes matched) 1231/78784
        (total drops/bytes drops) 0/0
    Class-map: HTTP_CLASS (match-all)
      9390 packets, 5501312 bytes
      5 minute offered rate 74000 bps, drop rate 0 bps
      Match: protocol http
      Queueing
        Output Queue: Conversation 265
        Bandwidth 128 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 3012/1746960
        (depth/total drops/no-buffer drops) 5/0/0
Troubleshooting Application Problems
R1# show policy-map interface serial0/0
 Serial0/0
  Service-policy output: QOS_POL
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
        Target  Byte   Sustain   Excess    Interval  Increment  Adapt
        Rate    Limit  bits/int  bits/int  (ms)      (bytes)    Active
        320000  2000   8000      8000      25        1000       -
        Queue  Packets  Bytes   Packets  Bytes    Shaping
        Depth                   Delayed  Delayed  Active
        6      1200     654120  248      135185   yes
• If Voice/Video is used, consider tuning Tc to 10ms
Troubleshooting Application Problems
• In Layer 2, start with verifying the mapping tables
• Don’t forget to check the queueing configuration as well :
1. Ingress :
- show mls qos input-queue
2. Egress :
- show mls qos if_name queueing
Switch> show mls qos input-queue
Queue     :       1       2
----------------------------------------------
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:     100     100
threshold2:     100     100
Troubleshooting Application Problems
Switch> show mls qos interface gig0/2 queueing
GigabitEthernet0/2
Egress Priority Queue :enabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 100  (Operational Bandwidth:100.0)
The port is mapped to qset : 1
• The IP SLA feature can be used to :
1. Narrow down the problem
2. Verify the effectiveness of configuration amendments
• Gather IP SLA statistics :
- show ip sla statistics
Troubleshooting & Verification
show mls qos
- Displays global QoS configuration information
show policy-map interface brief
- Displays information about only the active policy maps attached to an interface
show ip sla statistics
- Displays the current operational status and statistics of all Cisco IOS IP SLA operations
9.04 Troubleshoot network services
Troubleshooting FHRPs
• Most HSRP issues are related to the network itself
• One of the most commonly seen problems is the duplicate address message :
Jan 15 21:40:09: %STANDBY-3-DUPADDR: Duplicate address 10.1.1.100 on Vlan5, sourced by 0000.0c07.ac01
• A few things that might cause this problem :
- STP problems
- Etherchannel misconfiguration
- Physical layer problems
• Standard Layer 1/2 procedures should be followed
Troubleshooting FHRPs – cont.
• If Port-Security is also configured, use BIA addresses. Troubleshoot with :
- show interfaces status
- show port-security
• Other useful commands :
- show standby/vrrp/glbp brief
- debug standby
R2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Et0/0       1    100    Standby 10.1.1.1        local           10.1.1.100
HSRP debugging is on
Vlan5 Hello out 10.1.1.1 Active pri 100 ip 10.1.1.100
Vlan5 Hello in 10.1.1.2 Standby pri 100 ip 10.1.1.100
Troubleshooting NTP
• It may take a long time for NTP to synchronize
• If the problem persists, look for :
- ACL blocking UDP port 123
- High CPU utilization
- NTP server reporting stratum of 15
• Useful troubleshooting commands :
- show ntp status
- show ntp associations
- debug ntp authentication
Troubleshooting NTP – cont.
Router> show ntp status
Clock is synchronized, stratum 4, reference is 10.1.1.2
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is AFE2525E.70597B34 (13:12:17.438 PDT Sun Jan16 5 2011)
clock offset is 7.33 msec, root delay is 133.36 msec
root dispersion is 126.28 msec, peer dispersion is 5.98 msec
Router> show ntp associations detail
10.1.1.2 configured, our_master, sane, valid, stratum 4
ref ID 192.168.1.111, time AFE252DC.1F2B3000 (13:12:19.121 PDT Sun Jan16 5 2011)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 125.50 msec, root disp 115.80, reach 377, sync dist 186.157
delay 7.86 msec, offset 11.176 msec, dispersion 3.62
precision 2**6, version 2
Router# debug ntp authentication
Jan 16 13:14:49.763: Authentication failed
Troubleshooting DHCP
• Common issues :
- DHCP Pool is exhausted
- DHCP Server cannot reach the Relay Agent
- Option 82 is enabled and causes problems
- uRPF dropping packets with src IP 0.0.0.0 & dst IP 255.255.255.255
- DHCP is turned off (no service dhcp)
• DHCP Client troubleshooting :
- debug dhcp packet
• DHCP Server troubleshooting :
- debug ip dhcp server
Troubleshooting WCCP
• Start with the very basic config
• Make sure that ip wccp web-cache redirect out is applied on the appropriate interface (towards the real servers)
• Verify :
- show ip wccp
R1# show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   10.1.1.1
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            20
Troubleshooting WCCP – cont.
• Troubleshoot :
- debug ip wccp events
- debug ip wccp packets
R1#
WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000001
WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.2 w/ rcv_id 00000001
WCCP-EVNT:S00: Redirect_Assignment packet from 10.1.1.2 fails source check
WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 10.1.1.2
WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.2 w/rcv_id 00000001
WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
Troubleshooting & Verification
debug standby
- Displays HSRP state changes
debug ntp authentication
- Displays debugging information on NTP authentication
debug dhcp packet
- Displays debugging information about the DHCP Client activities
Troubleshooting & Verification – cont.
debug ip dhcp server
- Displays information related to DHCP Server functions
debug ip wccp events
- Displays information about significant WCCP events
debug ip wccp packets
- Displays information about every WCCP packet received or sent by the router
9.05 Troubleshoot network security
Troubleshooting CBAC
• Common issues :
- Inspection is not enabled for a protocol
- Inspection is enabled on the wrong interface
- Inspection is enabled in the wrong direction
- Router-generated traffic is not inspected
• Verify :
- show ip inspect session detail
Troubleshooting CBAC – cont.
• Sample output from show ip inspect session detail :
Established Sessions
 Session 817298C4 (10.1.1.2:11005)=>(20.1.1.1:23) tcp SIS_OPEN
  Created 00:00:06, Last heard 00:00:03
  Bytes sent (initiator:responder) [391:123911]
  In SID 20.1.1.1[23:23]=>10.1.1.2[11005:11005] on ACL 100 (108 matches)
Half-open Sessions
 Session 81729A34 (10.1.1.2:11006)=>(20.1.1.1:80) http SIS_OPENING
  Created 00:00:03, Last heard 00:00:01
  Bytes sent (initiator:responder) [0:0]
• Don’t forget to check the ACL
Troubleshooting AAA
• Common issues :
- AAA server is not configured/misconfigured
- Key mismatch (between NAS and AAA server)
- Connectivity problems (between NAS and AAA server)
- Misconfigured AAA database
• Troubleshoot AAA :
- debug aaa authentication
- debug aaa authorization
- debug aaa accounting
Troubleshooting AAA – cont.
*Jan 19 17:11:18.132: AAA/BIND(0000000E): Bind i/f
*Jan 19 17:11:18.132: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY'
*Jan 19 17:11:19.327: AAA: parse name=tty66 idb type=-1 tty=-1
*Jan 19 17:11:19.327: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
*Jan 19 17:11:19.327: AAA/MEMORY: create_user (0x83C938B4) user='ipexpert' ruser='NULL' ds0=0 port='tty66' rem_addr='10.1.1.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jan 19 17:11:19.327: AAA/AUTHEN/START (4286245615): port='tty66' list='' action=LOGIN service=ENABLE
-- Output omitted --
*Jan 19 17:11:21.103: AAA/AUTHEN(4286245615): Status=PASS
Troubleshooting AAA – cont.
• Troubleshoot RADIUS/TACACS+ :
- debug radius
- debug tacacs
00:37:10: RADIUS(00000015): Send Access-Request to 10.1.1.100:1645 id 1645/21, len 159
00:37:10: RADIUS:  authenticator 2D 03 E5 A6 A5 30 1A 32 - F2 C5 EE E2 AC 5E 5D 22
00:37:10: RADIUS:  User-Name           [1]   11  "ipexpert"
00:37:10: RADIUS:  User-Password       [2]   18  *
00:37:10: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
00:37:10: RADIUS: Received from id 1645/21 10.1.1.100:1645, Access-Accept, len 313
00:37:10: RADIUS:  authenticator E6 6E 1D 64 5A 15 FD AE - C9 60 C0 68 F5 10 E9 B7
00:37:10: RADIUS:  Cisco AVpair        [1]   13  "priv-lvl=15"
Troubleshooting & Verification
debug aaa authentication
- Displays debug information on AAA authentication
debug aaa authorization
- Displays debug information on AAA authorization
debug aaa accounting
- Displays debug information on accountable events
debug radius
- Enables debugging for RADIUS configuration
debug tacacs
- Displays information associated with TACACS+
End of Section 9.0
10.0 Optimize the Network
10.01 Implement Syslog and local logging
Syslog and local logging
• Logging is the process of recording and storing the events
• Severity Levels – control which messages are logged :
0 – Emergencies
1 – Alerts
2 – Critical
3 – Errors
4 – Warnings
5 – Notifications
6 – Informational
7 – Debugging
Syslog and local logging
• Logging Destinations :
1. Console (logging console)
2. Internal Buffer (logging buffered)
3. VTY lines (logging monitor + terminal monitor)
4. SNMP Server (snmp-server enable traps syslog + logging history)
5. Syslog Server (logging trap)
• Syslog uses UDP port 514
Syslog Configuration
Syslog Configuration
• Turning Logging on
[no] logging on
• Time Stamps
service timestamps log
• Logging facility
logging facility
• Logging Synchronous
logging synchronous
Example Syslog Configuration
logging buffered 4096 debugging
logging console errors
line console 0
 logging synchronous
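To make the severity thresholds concrete, here is an added example (not from the deck) that parses the %FACILITY-SEVERITY-MNEMONIC header carried by IOS system messages and applies the configuration above to decide which destination records each message. The configuration string and the log lines are constructed samples; the defaults used when no level keyword is given (debugging for console/monitor/buffered, informational for trap) are the IOS defaults.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS severity levels as listed on the slide (lower number = more severe).
SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Destinations whose threshold is a trailing level keyword on the 'logging' line.
LEVELLED_DESTINATIONS = ("console", "buffered", "monitor", "trap")

# IOS system messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC header.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_ios_message(line: str) -> Optional[IosMessage]:
    """Pull facility, severity and mnemonic out of one log line; None for lines
    without the %FAC-SEV-MNEMONIC header (plain debug output, for example)."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return IosMessage(m.group("facility"), int(m.group("severity")),
                      m.group("mnemonic"), line[m.end():].strip())


def destination_levels(config: str) -> Dict[str, int]:
    """Map each logging destination to its severity threshold, e.g.
    'logging console errors' -> 3, 'logging buffered 4096 debugging' -> 7."""
    levels: Dict[str, int] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "logging" or parts[1] not in LEVELLED_DESTINATIONS:
            continue  # 'logging synchronous', 'logging host ...' etc. carry no threshold
        dest, last = parts[1], parts[-1]
        if last in SEVERITY_NAMES:
            levels[dest] = SEVERITY_NAMES[last]
        elif last.isdigit() and 0 <= int(last) <= 7:
            levels[dest] = int(last)  # IOS also accepts the numeric level
        else:
            # No level keyword given: IOS defaults to debugging (7), except trap (informational, 6).
            levels[dest] = 6 if dest == "trap" else 7
    return levels


def route_messages(config: str, lines: List[str]) -> Dict[str, List[str]]:
    """Return, per destination, the messages that pass its threshold (severity <= level)."""
    levels = destination_levels(config)
    routed: Dict[str, List[str]] = {dest: [] for dest in levels}
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None:
            continue
        tag = f"{msg.facility}-{msg.severity}-{msg.mnemonic}"
        for dest, threshold in levels.items():
            if msg.severity <= threshold:
                routed[dest].append(tag)
    return routed


# Constructed sample: the slide's logging configuration.
SAMPLE_CONFIG = """\
logging buffered 4096 debugging
logging console errors
line console 0
 logging synchronous
"""

# Constructed sample log lines (DUPADDR and SERVICEFOUND are the messages quoted in the deck).
SAMPLE_LINES = [
    "Jan 15 21:40:09: %STANDBY-3-DUPADDR: Duplicate address 10.1.1.100 on Vlan5, sourced by 0000.0c07.ac01",
    "Jan 15 21:41:02: %WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 10.1.1.2",
    "Jan 15 21:41:10: %SYS-5-CONFIG_I: Configured from console by console",
    "Jan 15 21:41:11: AAA/AUTHEN(4286245615): Status=PASS",  # debug output: no severity header
]

if __name__ == "__main__":
    thresholds = destination_levels(SAMPLE_CONFIG)
    for dest, tags in route_messages(SAMPLE_CONFIG, SAMPLE_LINES).items():
        print(f"{dest:8s} (severity <= {thresholds[dest]}): {tags}")
```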
Configuration Verification
show logging
- Displays the logging configuration and the contents of the logging buffer
10.02 Implement IP Service Level Agreement (SLA)
IP SLA
• Formerly known as RTR
• Performs active monitoring by generating and analyzing traffic to measure performance
• Statistics include jitter, delay, packet loss
• IP SLA Responder
a) Allows for unidirectional measurements
b) Improves accuracy – uses two timestamps, which allows the probe processing time on the responder to be excluded
• IP SLA Responder works only for TCP & UDP probes
IP SLA Responder
(figure: probe timestamps T0 and T1, 30 ms)
IP SLA Configuration
IP SLA Configuration
• IP SLA Configuration mode
ip sla nr
• Scheduling an SLA instance
ip sla schedule
• IP SLA Responder
ip sla responder
Example IP SLA Configuration
ip sla 1
 icmp-echo 10.1.1.1
 timeout 1000
 frequency 1
ip sla schedule 1 life forever start-time now
Example IP SLA Responder Configuration
• Source of the SLA probes
ip sla 2
 udp-echo dest-ipaddr 10.1.1.2 1234
 frequency 3
ip sla schedule 2 life 43200 start-time now
• SLA target device
ip sla responder
Configuration Verification
show ip sla configuration
- Displays configuration for all IP SLA operations
show ip sla responder
- Displays information about the IP SLA Responder
show ip sla statistics
- Displays current operational status and statistics of IP SLA
10.03 Implement NetFlow
NetFlow
• Cisco IOS statistics-gathering tool
• Flows are identified by source & destination IP addresses, source & destination port numbers, protocol and Type of Service
• Different NetFlow versions (e.g. 5, 7, 8, 9) are available
• Cached flows can be further sent to a collecting device (NetFlow export)
• Aggregation Cache available in version 8
• Flow Sampling
NetFlow Configuration
NetFlow Configuration
• Enabling NetFlow
ip flow ingress/egress
• Flow Exporter
ip flow-export
• Capturing additional fields
ip flow-capture
• Flow Aggregation
ip flow-aggregation
Example NetFlow Configuration
• General NetFlow configuration example :
int f0/1
 ip flow ingress
ip flow-export version 5
ip flow-export destination 10.1.1.1 9000
ip flow-capture icmp
• Flow Aggregation example :
ip flow-aggregation cache destination-prefix
 cache entries 2048
 export destination 10.1.1.1 25665
 enabled
int f0/0
 ip flow egress
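The export configured above sends version 5 datagrams to the collector. As an added example that is not from the deck, the Python below encodes and decodes a NetFlow v5 export (24-byte header, 48-byte records) and totals packets and octets per flow using the key the NetFlow slide lists (addresses, ports, protocol, ToS); the packet contents, interface indexes and timestamps are constructed.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Tuple

# NetFlow v5 export: a 24-byte header followed by up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


class FlowKey(NamedTuple):
    """The fields the NetFlow slide lists as identifying a flow."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int


class FlowRecord(NamedTuple):
    key: FlowKey
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(packet: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Decode one v5 export datagram; raises ValueError on a wrong version or a truncated packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but the packet is truncated")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": etype, "engine_id": eid,
              "sampling_interval": sampling & 0x3FFF}     # low 14 bits; top 2 bits are the mode
    records: List[FlowRecord] = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nexthop, _inp, _outp, dpkts, doctets, _first, _last, sport, dport, _pad, flags, proto, tos = f[:15]
        key = FlowKey(str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, proto, tos)
        records.append(FlowRecord(key, dpkts, doctets, flags))
    return header, records


def totals_by_flow(records: List[FlowRecord]) -> Dict[FlowKey, Tuple[int, int]]:
    """Sum packets and octets per flow key, the way a collector aggregates exported records."""
    totals: Dict[FlowKey, Tuple[int, int]] = {}
    for r in records:
        p, o = totals.get(r.key, (0, 0))
        totals[r.key] = (p + r.packets, o + r.octets)
    return totals


def build_v5_record(src: str, dst: str, sport: int, dport: int, proto: int,
                    tos: int, pkts: int, octets: int, flags: int = 0) -> bytes:
    """Encode one flow record (constructed: input ifindex 1, output ifindex 2, /24 masks, no AS numbers)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, IPv4Address("0.0.0.0").packed,
                          1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, tos, 0, 0, 24, 24, 0)


def build_v5_packet(records: List[bytes], sequence: int = 1) -> bytes:
    """Prepend a v5 header (constructed uptime and clock, engine 0/0, no sampling)."""
    header = V5_HEADER.pack(5, len(records), 123456, 1294000000, 0, sequence, 0, 0, 0)
    return header + b"".join(records)


# Constructed sample export: two records for one HTTP flow plus one ICMP flow.
SAMPLE_PACKET = build_v5_packet([
    build_v5_record("10.1.1.5", "10.1.1.1", 40000, 80, 6, 0, 10, 1500, flags=0x18),
    build_v5_record("10.1.1.5", "10.1.1.1", 40000, 80, 6, 0, 5, 800, flags=0x11),
    build_v5_record("10.1.1.5", "10.1.1.9", 0, 0, 1, 0, 4, 256),
])

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_PACKET)
    print(f"v{hdr['version']} seq {hdr['flow_sequence']} with {hdr['count']} records")
    for key, (pkts, octets) in totals_by_flow(recs).items():
        print(f"{key.src}:{key.sport} -> {key.dst}:{key.dport} proto {key.proto} tos {key.tos}: {pkts} pkts {octets} bytes")
```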
Configuration Verification
show ip flow interface
- Displays the NetFlow config for an interface
show ip cache flow
- Displays the summary of NetFlow statistics and flows
show ip cache verbose flow
- Displays the detailed summary of NetFlow statistics and flows
show ip cache flow aggregation
- Displays the Aggregation Cache information and number of flows
10.04 Implement SPAN, RSPAN, and Router IP Traffic Export (RITE)
SPAN, RSPAN, RITE
• RITE is a feature similar to SPAN/RSPAN, but available on Cisco IOS routers
• Useful for Traffic Analyzers and monitoring devices, such as IDS/IPS
• Allows exporting traffic going over WAN interfaces
RITE Configuration
RITE Configuration
• Start with creating a profile
ip traffic-export profile
• Within a profile, define the monitoring station (the device which is collecting the exported traffic)
interface
mac-address
• By default all incoming traffic is exported; you can change this behavior using two methods :
bidirectional
incoming/outgoing access-list
• Apply the profile to an interface (interface level)
ip traffic-export apply
Example RITE Configuration
• General RITE configuration example :
ip traffic-export profile RITE_PROF
 interface FastEthernet 0/0
 mac-address 1234.1234.5678
 bidirectional
int F0/1
 ip traffic-export apply RITE_PROF
Configuration Verification
show ip traffic-export
- Displays information related to exported IP traffic
10.05 Implement Simple Network Management Protocol (SNMP)
SNMP
• Application-Layer protocol used for management, monitoring and administration
• SNMP Framework :
1. Network Management Station (NMS)
2. SNMP Agent
3. Management Information Base (MIB)
• SNMP Operations :
1. Polling (GET, SET)
2. Notifications (TRAPS, INFORMS)
SNMP Polling
• SNMP Polling is a process of sending periodic queries to the network devices. It uses two different SNMP messages – GET and SET, sent over UDP port 161
• Three types of SNMP GET operation :
1. GET – retrieves the exact object instance from the SNMP Agent
2. GETNext – retrieves the object following the specified one
3. GETBulk – retrieves a large amount of object data
• SNMP SET
SNMP Polling
SNMP Notifications
• SNMP Notifications are unsolicited notifications sent to the NMS. There are two types of Notifications – TRAPS and INFORMS :
1. TRAPS are unreliable, no ACKs are sent back
2. INFORMS are ACKed
• SNMP Notifications (TRAPS and INFORMS) are sent over UDP port 162 (SNMP Polling GET/SET messages use UDP port 161)
SNMP Notifications
SNMP Versions
• SNMP Versions :
1. SNMPv1 - full Internet standard. Community-based authentication
2. SNMPv2c - introduces the GETBulk operation. Authentication based on community-strings, same as with version 1
3. SNMPv3 - lots of security enhancements. Message Integrity (HMAC MD5/SHA), Encryption (originally DES). Authentication based on usernames
SNMP Security Model
• SNMPv3 Security Model – three different Security Levels :
1. noAuthNoPriv – no encryption; authentication based on usernames
2. authNoPriv – no encryption; authentication based on HMAC MD5/SHA
3. authPriv – DES for encryption; authentication based on HMAC MD5/SHA
• 3DES & AES are now supported
SNMP Configuration
SNMP Configuration
• The main command
snmp-server
• SNMP Polling
snmp-server community … [ro|rw]
• SNMP Notifications
snmp-server enable traps …
snmp-server host [traps|informs]
Example SNMP Configuration
• SNMP Polling
snmp-server community ipexpert rw
• SNMP Notifications
snmp-server enable traps bgp
snmp-server host 10.1.1.1 inform version 2c ipexpert
Configuration Verification
show snmp
- Displays the status of SNMP communications
show snmp host
- Displays information about NMS and SNMP Notifications
show snmp community
- Displays SNMP Communities
10.06 Implement Cisco IOS Embedded Event Manager
EEM
• Flexible framework for monitoring the system and system events
• Event -> Action mechanism
• EEM Components :
1. Event Detector (monitored component)
2. EEM Policy (defines actions)
3. Event Manager Server (an interface between Event Detector and EEM Policy)
EEM Event Detectors
• CLI – monitors CLI-typed commands based on regular expressions
• Syslog – allows screening syslog messages for configured regular expressions, just like the CLI ED
• Interface Counter – monitors interface counters and reacts when a threshold is crossed
• SNMP – allows monitoring the values of different SNMP MIB objects
• None – the None Event Detector publishes an event when the event manager run command is executed
EEM Event Policies
• Executing a CLI command
• Generating a Syslog Message
• Generating an SNMP Trap
• Setting or modifying a named Counter
EEM Configuration
EEM Configuration
• Two types of EEM policies :
- Applet (the one we are going to examine)
- Script
• Create an applet
event manager applet
• Inside an applet define an Event Detector
event
• And specify a policy
action
EEM Configuration
• Remember that policies can also refer to the so-called Environment Variables
• These variables are built-in and have a pre-defined meaning. You refer to them using a "$" sign
• Example Environment Variables :
_cli_msg – the fully expanded message that triggered the CLI event
_cli_msg_count – the number of times that a message match occurred before the event was published
_syslog_msg – the Syslog message that triggered the event
Example EEM Configuration
• Example applet #1
event manager applet EEM_SHRUN_APP
 event cli pattern "show run.*" sync yes
 action 1.0 syslog msg "$_cli_msg Cmd Executed"
 action 2.0 set _exit_status 1
• Example applet #2
event manager applet EEM_IFDOWN_APP
 event syslog pattern "Interface Loop.*, changed .*administratively down"
 action 1.0 cli command "sh ssh"
Configuration Verification
show event manager
- Displays information about EEM Event Detectors
debug event manager
- Displays the debugging output of the EEM process
show event manager policy registered
- Displays already registered EEM policies
10.07 Implement Remote Monitoring (RMON)
RMON
• An additional MIB module
• Alarms are generated after a particular threshold is reached
• Two methods of measuring MIB variables :
1. Absolute Sampling – reads the current value
2. Delta Sampling – measures the change in value
RMON Groups
1. Statistics – contains interface statistics measured by the probe
2. History – stores periodic statistical samples
3. Alarm – takes statistical samples from variables. If the configured threshold is crossed, an event is generated
4. Host – contains information about each discovered host
5. HostTopN – contains sorted host statistics
6. Matrix – holds statistics for conversations between two hosts
7. Filter – used to create filters to match only specific packets
8. Capture – allows capturing packets based on previously created filters
9. Event – triggered by alarms
RMON Configuration
RMON Configuration
• Create an event
rmon event nr [log|trap community]
• Create an alarm
rmon alarm nr var interval [delta|absolute] rising-threshold … falling-threshold …
Example RMON Configuration
rmon alarm 1 ifEntry.20.1 7 delta rising-threshold 15 5 falling-threshold 0
rmon event 5 log description "Counter increased by 15"
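As an added example that is not from the deck, the Python below parses the two configuration lines above and replays a series of counter readings through the alarm, applying delta sampling, the RFC 2819 rising/falling hysteresis (no second rising event until the falling threshold has been crossed) and Counter32 wrap handling; the readings are constructed.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32


@dataclass
class RmonEvent:
    number: int
    actions: List[str]      # e.g. ["log"] or ["log", "trap public"]
    description: str


@dataclass
class RmonAlarm:
    number: int
    variable: str
    interval: int
    sample_type: str        # "delta" or "absolute"
    rising: int
    rising_event: Optional[int]
    falling: int
    falling_event: Optional[int]
    last_raw: Optional[int] = None
    last_event: Optional[str] = None    # which threshold fired last: "rising" / "falling"

    def sample(self, raw: int) -> Optional[Tuple[str, int, Optional[int]]]:
        """Feed one raw MIB reading; return (direction, value, event) when a threshold fires."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None                       # delta sampling needs two readings
            value = raw - self.last_raw
            if value < 0:
                value += COUNTER32_MODULUS        # Counter32 wrapped between samples
            self.last_raw = raw
        else:
            value = raw
        # RFC 2819 hysteresis: after a rising event no further rising event is
        # generated until the falling threshold has been crossed, and vice versa.
        if value >= self.rising and self.last_event != "rising":
            self.last_event = "rising"
            return ("rising", value, self.rising_event)
        if value <= self.falling and self.last_event != "falling":
            self.last_event = "falling"
            return ("falling", value, self.falling_event)
        return None


def parse_rmon_config(lines: List[str]) -> Tuple[Dict[int, RmonAlarm], Dict[int, RmonEvent]]:
    """Parse 'rmon alarm ...' and 'rmon event ...' lines in the syntax used on the slide."""
    alarms: Dict[int, RmonAlarm] = {}
    events: Dict[int, RmonEvent] = {}
    for line in lines:
        t = shlex.split(line)
        if len(t) < 3 or t[0] != "rmon":
            continue
        if t[1] == "alarm":
            thr = {"rising-threshold": (0, None), "falling-threshold": (0, None)}
            i = 6
            while i < len(t):                     # keyword, value, optional event number
                key, value, i = t[i], int(t[i + 1]), i + 2
                event = None
                if i < len(t) and t[i].isdigit():
                    event, i = int(t[i]), i + 1
                thr[key] = (value, event)
            alarms[int(t[2])] = RmonAlarm(int(t[2]), t[3], int(t[4]), t[5],
                                          *thr["rising-threshold"], *thr["falling-threshold"])
        elif t[1] == "event":
            actions, description, i = [], "", 3
            while i < len(t):
                if t[i] == "description":
                    description, i = t[i + 1], i + 2
                elif t[i] == "trap":
                    actions.append(f"trap {t[i + 1]}"); i += 2
                else:
                    actions.append(t[i]); i += 1
            events[int(t[2])] = RmonEvent(int(t[2]), actions, description)
    return alarms, events


def run_alarm(config: List[str], alarm_number: int, readings: List[int]) -> List[str]:
    """Replay raw readings (one per interval) and return the entries a 'log' event would write."""
    alarms, events = parse_rmon_config(config)
    alarm = alarms[alarm_number]
    log: List[str] = []
    for raw in readings:
        fired = alarm.sample(raw)
        if fired is None or fired[2] is None:     # the slide's falling-threshold 0 binds no event
            continue
        direction, value, ev_num = fired
        ev = events.get(ev_num)
        if ev is not None and "log" in ev.actions:
            log.append(f"alarm {alarm.number} {direction} ({alarm.sample_type} {value}) "
                       f"-> event {ev.number}: {ev.description}")
    return log


# Constructed sample: the slide's configuration and readings of ifEntry.20.1 taken every 7 s.
SAMPLE_CONFIG = [
    "rmon alarm 1 ifEntry.20.1 7 delta rising-threshold 15 5 falling-threshold 0",
    'rmon event 5 log description "Counter increased by 15"',
]
SAMPLE_READINGS = [100, 110, 130, 150, 151, 151, 170]

if __name__ == "__main__":
    for entry in run_alarm(SAMPLE_CONFIG, 1, SAMPLE_READINGS):
        print(entry)
```

The second delta of 20 (150 minus 130) is suppressed by the hysteresis; only after the delta of 0 crosses the falling threshold does the delta of 19 log a second event.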
Configuration Verification
show rmon alarm
- Displays the contents of the router’s RMON alarm table
show rmon event
- Displays the contents of the router’s RMON event table
10.08 Implement FTP
FTP
• Cisco IOS does NOT support an FTP server
• FTP Client is supported (file transfer, core dumps)
• The following FTP characteristics are available :
1. Passive-mode FTP (ip ftp passive)
2. User name (ip ftp username)
3. Password (ip ftp password)
4. Source Interface (ip ftp source-interface)
FTP Modes
• FTP always uses TCP port 21 for the control channel. The data port varies and depends on the FTP Mode
• Active Mode :
- FTP client specifies its port using a PORT command
- FTP server initiates the data connection from TCP port 20 to the port specified inside the PORT command
• Passive Mode :
- FTP Client sends a PASV command
- Server responds with an ephemeral port number and the FTP client initiates the data connection
- TCP Port 20 is not used
FTP Configuration
FTP Configuration
• For File Transfer configure at least a username and password
ip ftp username
ip ftp password
• To initiate the transfer use the copy command with the ftp keyword
• For Core Dumps specify FTP as the transfer protocol and add the server’s location
exception protocol ftp
exception dump IP_addr
Example FTP Client Configuration
ip ftp username ipexpert
ip ftp password cciers
ip ftp passive
ip ftp source-interface l0
exception protocol ftp
exception dump 192.168.1.1
Configuration Verification
show exception
- Displays current Exception configuration
debug ip tcp transactions
- Displays information on significant TCP transactions
10.09 Implement TFTP
10.10 Implement TFTP Server on router
TFTP
• Cisco IOS can act as a TFTP Server and Client
• TFTP Server functionality is typically used for system image and configuration file transfers
• Although the TFTP protocol itself does not support any security mechanisms, Cisco IOS provides a basic form of limiting which users can access a file, using an Access Control List
• TFTP works over UDP port 69. The actual data transfer, however, uses an ephemeral port
TFTP Mechanics
• Client sends a Read Request (RRQ) or Write Request (WRQ) packet to the server
• An ephemeral port for data is opened on the server side
• The server responds with an ACK (for WRQ) or the first data packet (for RRQ)
• Data is sent in fixed-length blocks of 512B. Each block must be ACKed before the next one is sent
• A data packet shorter than 512B signals termination of the connection
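The mechanics above, as an added example that is not from the deck: a Python encoder/decoder for the RRQ/WRQ, DATA, ACK and ERROR packets plus a simulated read that applies the 512-byte block and short-block termination rules, including the extra empty block the server must send when the file is an exact multiple of 512 bytes. The server files, their names and the "TID" labels in the trace are constructed.

```python
import struct
from typing import Dict, List, Tuple

BLOCK_SIZE = 512
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt: bytes) -> Tuple[int, dict]:
    """Decode one TFTP packet into (opcode, fields); raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    (opcode,) = struct.unpack_from("!H", pkt, 0)
    if opcode in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or not fields[0]:      # filename, mode and the terminating NUL
            raise ValueError("malformed request")
        return opcode, {"filename": fields[0].decode(), "mode": fields[1].decode().lower()}
    (arg,) = struct.unpack_from("!H", pkt, 2)
    if opcode == DATA:
        return opcode, {"block": arg, "data": pkt[4:]}
    if opcode == ACK:
        return opcode, {"block": arg}
    if opcode == ERROR:
        return opcode, {"code": arg, "message": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


def split_into_blocks(content: bytes) -> List[bytes]:
    """Cut a file into 512-byte DATA blocks. A file whose size is an exact multiple of
    512 (or an empty file) needs a trailing empty block, otherwise the client never
    sees the 'shorter than 512 bytes' signal and keeps waiting."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def simulate_rrq(server_files: Dict[str, bytes], filename: str) -> Tuple[bytes, List[str]]:
    """Replay the read exchange described above; return (received file, packet trace)."""
    trace: List[str] = []
    _, req = parse_packet(build_request(RRQ, filename))
    trace.append(f"client -> server:69   RRQ {req['filename']} {req['mode']}")
    if req["filename"] not in server_files:
        _, err = parse_packet(build_error(1, "File not found"))
        trace.append(f"server -> client      ERROR {err['code']} {err['message']}")
        return b"", trace
    # From here on the server answers from a freshly chosen ephemeral port (its TID).
    received = bytearray()
    block = 1
    for payload in split_into_blocks(server_files[req["filename"]]):
        _, data = parse_packet(build_data(block, payload))
        if data["block"] != block:
            raise ValueError(f"expected block {block}, got {data['block']}")
        received += data["data"]
        trace.append(f"server:TID -> client  DATA block {data['block']} ({len(data['data'])} bytes)")
        _, ack = parse_packet(build_ack(data["block"]))       # client must ACK before the next block
        trace.append(f"client -> server:TID  ACK {ack['block']}")
        if len(data["data"]) < BLOCK_SIZE:
            break                                             # short block terminates the transfer
        block = (block + 1) & 0xFFFF                          # block numbers are 16-bit and wrap
    return bytes(received), trace


# Constructed sample files on the TFTP server; 'image2' mirrors the alias used in the deck.
SAMPLE_FILES = {"image2": b"\x7f" * 1024, "startup-config": b"hostname R1\n" * 58}

if __name__ == "__main__":
    for name in ("image2", "startup-config", "missing-file"):
        content, trace = simulate_rrq(SAMPLE_FILES, name)
        print("\n".join(trace) + f"\n=> {len(content)} bytes received\n")
```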
TFTP Configuration
TFTP Configuration
• The TFTP Server is configured with essentially one command
tftp-server … [alias] [acl_nr]
• For the TFTP Client use the copy command with the tftp keyword
• A connection source interface can also be configured
ip tftp source-interface
Example TFTP Configuration
• TFTP Server (192.0.2.1)
access-list 20 permit host 10.1.1.1
tftp-server flash:c1841-advsecurityk9-mz.124-8.bin alias image2 20
• TFTP Client
int loopback 1
 ip add 10.1.1.1 255.255.255.0
ip tftp source-interface loopback 1
copy tftp://192.0.2.1/image2 flash
Configuration Verification
debug tftp
- Displays TFTP debugging information
10.11 Implement Secure Copy Protocol (SCP)
SCP
• Secure method of transferring files (encryption and authentication)
• Relies on the SSH protocol, runs on TCP port 22
• AAA Authentication and authorization must be configured
• Currently has been superseded by SFTP
SCP Configuration
SCP Configuration
• AAA and SSH are prerequisites
• SSH
hostname
ip domain-name
crypto key generate rsa
• AAA authentication and authorization
aaa new-model
aaa authentication login
aaa authorization exec
• Enable SCP Server
ip scp server enable
• For the SCP Client use the copy command with the scp keyword
Example SCP Configuration
• SCP Server (192.0.2.1)
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username ipexpert priv 15 password cciers
hostname Europe
ip domain-name ipexpert.com
crypto key generate rsa
ip scp server enable
• SCP Client
copy scp://ipexpert@192.0.2.1/file1 flash:/file1
Configuration Verification
debug ip scp
- Displays information related to troubleshooting SCP authentication
10.12 Implement HTTP and HTTPS
HTTP
• Application-Layer protocol used for browsing web pages
• Client-Server architecture, request-response model
• Separate TCP session for each request in HTTP 1.0
• Only one TCP session (keepalives), called a persistent connection, in HTTP 1.1 (now widespread)
HTTP Operations
• Nine HTTP methods are defined
• The two most common ones are HTTP GET and HTTP POST
• HTTP GET is used to request a specific resource
• HTTP POST is used to submit data to the server (e.g. from an HTML form)
• HTTP uses TCP port 80 by default
HTTPS
• HyperText Transfer Protocol Secure
• HTTP + SSL/TLS
• Sufficient protection with only one-way authentication
• HTTPS URLs begin with https:// as opposed to http://
• HTTPS uses TCP port 443 by default
HTTP and HTTPS Configuration
HTTP Configuration
• Enable HTTP Server
ip http server
• HTTP Authentication
ip http authentication [local|aaa]
• Restrict Remote Management Access
ip http access-class
• A user should have privilege level 15 assigned (AAA authorization)
• For lower levels use http://server_IP/level/priv_lvl/exec
HTTPS Configuration
• Disable HTTP Server (not required)
  no ip http server
• Enable HTTPS Server
  ip http secure-server
• Change the default port (optional)
  ip http secure-port
• Specify the CipherSuites (optional)
  ip http secure-ciphersuite
Example HTTP & HTTPS Configuration
• HTTP Server
  username ipexpert privilege 15 password ipexpert
  access-list 2 permit host 10.1.1.1
  ip http server
  ip http port 8080
  ip http access-class 2
  ip http authentication local
• HTTPS Server
  ip http secure-server
  ip http secure-port 8443
Configuration Verification
• show ip http server [status] - Displays details about the current configuration of the HTTP server
• show ip http server secure status - Displays the status of the HTTPS server configuration
10.13 Implement Telnet
Telnet
• Telnet is a terminal emulation protocol
• Can be used for remote management – provides CLI access to the remote host
• Client-server architecture
• Some of the Telnet options supported by the Cisco implementation are as follows :
  - Remote Echo
  - Terminal Type
  - Terminal Speed
  - Remote Flow Control
• Telnet uses TCP port 23
Telnet Configuration
Telnet Configuration
• Enabling password-based Telnet access (line-mode subcommands)
  password
  login
• Username-based authentication with a local database
  login local
• Username-based authentication with AAA enabled
  login authentication …
• To enable non-standard ports 3000, 5000, and 7000
  rotary
• Telnet Client settings
  ip telnet
Example Telnet Configuration
• Password-based Telnet authentication
  line vty 0 4
   password ipexpert
   login
• Username-based Telnet authentication with a local database
  username ipexpert password cciers
  line vty 0 4
   login local
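As an added example (not from the slides and not Cisco code), a small Python audit that reads a saved IOS configuration and flags the weak management-plane settings the HTTP/HTTPS, SCP and Telnet slides address: a plaintext HTTP server, a web server without ip http access-class or local/AAA authentication, an SCP server without aaa new-model, and vty lines protected only by a shared line password. The sample configuration and the check identifiers are constructed for this example.

```python
import re
# Constructed sample config: the commands come from the slides, the values are made up.
SAMPLE_CONFIG = """\
username ipexpert privilege 15 password ipexpert
access-list 2 permit host 10.1.1.1
ip http server
ip http authentication local
ip http secure-server
ip scp server enable
line vty 0 4
 password ipexpert
 login
"""
def parse_config(config):
    """Split IOS config text into global commands and per-'line' sub-command blocks."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue                                  # blank line or comment
        if raw.startswith(" "):                       # indented: sub-command of the open block
            if current:
                line_blocks[current].append(cmd)
        elif cmd.startswith("line "):
            current = cmd
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks

def audit_mgmt_plane(config):
    """Return (check_id, fix) pairs for weak HTTP/HTTPS, SCP and vty settings."""
    g, blocks = parse_config(config)
    has = lambda pat: any(re.fullmatch(pat, c) for c in g)
    web_on = has(r"ip http server") or has(r"ip http secure-server")
    findings = []
    if has(r"ip http server"):                        # credentials and sessions travel in clear
        findings.append(("http-plaintext", "use 'no ip http server' + 'ip http secure-server'"))
    if web_on and not has(r"ip http access-class \S+"):
        findings.append(("http-no-acl", "add 'ip http access-class <acl>' to limit sources"))
    if web_on and not has(r"ip http authentication (local|aaa)"):
        findings.append(("http-default-auth", "set 'ip http authentication local' or 'aaa'"))
    if has(r"ip scp server enable") and not has(r"aaa new-model"):
        findings.append(("scp-no-aaa", "SCP server needs 'aaa new-model' authn/authz"))
    for name, sub in blocks.items():                  # bare 'login' = shared line password
        if name.startswith("line vty") and "login" in sub:
            findings.append(("vty-line-password", f"{name}: use 'login local' or 'login authentication'"))
    return findings
```

Running audit_mgmt_plane(SAMPLE_CONFIG) reports four findings; the same config with ip http server removed, an access-class, aaa new-model and login local on the vty lines reports none.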
Configuration Verification
• show users terminal - Displays information about the active lines and user location
• show tcp [brief] - Displays the status of TCP connections
End of Section 10.0
IPexpert’s CCIE R&S Written Video on Demand Series Addendum
Exam Overview
• The exam is 2 hours long and consists of multiple-choice questions and simulations (approx. 100 in total)
• No reference materials are allowed (not even the Cisco documentation)
• The Blueprint : www.cisco.com/go/ccie
• Cisco Certifications : www.cisco.com/go/certifications
• A Cisco Connection Online (CCO) account is required
Exam Overview – cont.
• Two changes were announced in February 2009 :
  - Coming back to any of the previous questions is not allowed
  - The overall exam score is reported on a scale of 300-1000
• Possible exam question formats :
  - Multiple-choice single answer
  - Multiple-choice multiple answer
  - Drag-and-drop
  - Fill-in-the-blank
  - Testlet
  - Simlet
  - Simulations
Exam Policy
• At least 5 calendar days must elapse between any two written exam attempts
• Exams are not refundable
• The lab exam must be attempted within 18 months of passing the written exam
• The entire exam content is Cisco’s intellectual property
• You must accept the terms and conditions of the Cisco Certification and Confidentiality Agreement during registration and prior to testing
Reference Books
• „CCIE Routing & Switching Exam Certification Guide, 4th edition” by Wendell Odom, Rus Healy, Denise Donohue
• „Routing TCP/IP” by Jeff Doyle and Jennifer Carroll
• „CCNP BCMSN Official Exam Certification Guide, 4th edition” by David Hucaby
• „Cisco LAN Switching” by Kennedy Clark, Kevin Hamilton
• „Deploying IPv6 Networks” by Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete
Reference Books – cont.
• „Developing IP Multicast Networks, Vol. I” by Beau Williamson
• „MPLS Fundamentals” by Luc De Ghein
• „Network Security Technologies and Solutions” by Yusuf Bhaiji
• „Cisco QOS Exam Certification Guide (IP Telephony Self-Study), 2nd Edition” by Wendell Odom and Michael Cavanaugh
Preparation Timeline
• Everyone is different
• Set yourself a rough date and try to stick with it
• Be prepared for sacrifices
• Study in a consistent fashion – when you learn actively you tend to forget less
• Repeat the material often (spaced repetition)
Strategy
• If you have already seen the product, assess your knowledge – do the quizzes. If you have not started yet, take notes when going through the videos and try to understand the technology first
• Incorporate books and the documentation (especially in areas where you are weak). Do the quizzes and review the material
• When the question wording is vague, try to „eliminate” the answers you know are bad
• Use the whiteboard (topologies, calculations)
Good Luck!