

Page 1: CCNA SP 640-878 SPNGN2 Study Notes - certmaniacscertmaniacs.com/wp-content/uploads/2015/01/CCNA-SP... · CCNA SP 640-878 SPNGN2 Study Notes Cisco IP NGN Architecture ... Network Traffic

certmaniacs_

CCNA SP 640-878 SPNGN2 Study Notes

Cisco IP NGN Architecture

Application Layer: interface between the user and the service, Mobile, Residential, Business Access.

Services Layer: Mobile Services, Video Services, Cloud Services

IP Infrastructure Layer: Access, Aggregation, IP Edge, Core

Internet Service Provider Basics

-3 important entities: Customers, Peers (two ISPs establishing a connection and exchanging traffic for free),

and Transit Partners (SPs that charge other SPs for transit traffic through their network)

-Internet Exchange Point (IXP) - the common physical infrastructure that ISPs use to exchange Internet

traffic, usually used for peering, but transit links can be established as well

-Tier 1 ISP: The largest SPs, they peer with each other and establish the core of the Internet. Their

customers are often lower tiered ISPs.

-Tier 2 ISP: Purchase transit links from Tier 1, peer with others for cost cutting. Provide access to:

business customers (main focus), Tier 3 ISPs, and those willing to pay a high price for high speed access

-Tier 3 ISP: Purchase transit links from Tier 1 and 2, peer with regional partners for cutting cost. Focus

on region specific, low price and low speed access (home users)

Global IP Address Space Management

Internet Assigned Numbers Authority (IANA) > Regional Internet Registries (RIRs) > National/Local

Internet Registries or ISPs (NIR/LIR) > ISP > End user (end users can receive assignments from RIRs or

LIRs as well, especially large businesses/universities)

Top Level Domains - highest level in the hierarchical Domain Name System of the Internet

ccTLDs - Country Code Top Level Domains (.us, .ca)

gTLDs - Generic Top Level Domains (.com, .org, .net)

-IPs tend to be assigned in contiguous blocks for route summarization

-Provider Independent (PI): Assigned from RIR, used for network multihoming (across multiple ISPs),

results in big routing tables

-Provider Assigned (PA): from the ISP's reserved space, end user needs to renumber when changing ISPs


Autonomous Systems (AS)

-2 byte number (4 bytes in RFC 4893)

-AS 1 - 56319: Public use

-AS 0, 56320 - 64511: Reserved by IANA

-AS 64512 - 65534: Private use

Stub AS: only connected to one AS

Multihomed AS: connected to 2 or more AS, redundant connection to the internet

Transit AS: provides connection through itself to other networks, ISPs use them

Cisco Routers, Switches, and Other Devices

VLANs

Network Design

-Issues of a poorly designed network: Failure domains (need to be limited), broadcast domains (also

should be limited in size), and large amounts of unknown MAC unicast traffic (lots of flooding), multicast

traffic on unintended ports, difficulty in management and support, possible security vulnerabilities

-a VLAN is a broadcast domain (logical network or subnet)

-should use hierarchical addressing (contiguous addressing): ease of management/troubleshooting,

fewer errors, reduced routing table entries

Network Traffic Types

Network management: BPDUs, CDP, SNMP, remote monitoring

IP Telephony

IP Multicast

Normal Data: HTTP, SMTP, SQL


Scavenger Class Data: all traffic with protocols or patterns that exceed their normal data flows (i.e.: peer-

to-peer traffic)

VLAN Creation

-many Cisco access-level switches can support up to 250 VLANs

-most have default VLAN 1 already created, all ports will be on it, CDP and VLAN Trunking Protocol (VTP)

advertisements are sent on VLAN 1 by default

VLAN Creation Config

IOS/IOS XR

#configure terminal

(config)#vlan 2

(config-vlan)#name switchlab 99

#show vlan (shows info on ALL VLANs)

#show vlan id <vlan number> (shows info about a particular VLAN)

Assigning Ports to a VLAN

(config)#interface range fastethernet 0/2 - 4

(config-if-range)#switchport access vlan 2

#show vlan (verify VLAN assignments)

#show interface fa0/2 switchport (verify VLAN membership and status)

Trunking

-transportation of frames from multiple VLANs on the same physical port

-each frame has a tag that specifies to which VLAN it belongs, frames are forwarded to the proper VLAN

based on this tag info

-Cisco only supports 802.1Q on current devices

-Traffic on the native VLAN is NOT tagged, by default this is VLAN 1

802.1Q Frames and Class of Service (CoS)

-the 802.1Q tag is a 4-byte field, it consists of the tag protocol ID (ethertype, set to 0x8100), the Priority

field (using the 802.1p standard, values shown below), and the 12-bit VLAN ID

Routine - 000

Priority - 001


Immediate - 010

Flash - 011

Flash Override - 100

Critical - 101

Internetwork Control - 110

Network Control - 111

Configuring 802.1Q Trunking

(config)#interface fa0/1

(config-if)#switchport trunk allowed vlan 1,10,99

(config-if)#switchport mode trunk

(config-if)#switchport trunk native vlan 99

(config-if)#switchport nonegotiate (this is considered the best practice, must be enabled AFTER switchport mode is set)

#show interface fa0/11 switchport (verify trunk configuration, also below command)

#show interface fa0/11 trunk

Q in Q Tunneling

-defined as IEEE 802.1ad (also known as 802.1QinQ), allows dual-tagging and transportation of customer

VLANs over the core network

-C-Tag for customer VLAN will be placed behind an S-Tag for the service provider VLAN

Configuring Q in Q

(config)#vlan dot1q tag native (forces tags even on native VLAN)

(config)#int fa0/2

(config-if)#switchport mode dot1q-tunnel
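As an added illustration of the 802.1Q tag layout and of the S-Tag/C-Tag stacking used by Q-in-Q (not code from the notes), the parser below walks the tag stack of a captured frame, decodes the PCP/DEI/VID bits of each TCI and names the 802.1p class; the MAC addresses and frame bytes are constructed, and the frame builder is only there to produce test input. Inspecting what tags actually arrive on a trunk is how you confirm the native VLAN is tagged after `vlan dot1q tag native` and that customer tags are still wrapped on a tunnel port.

```python
"""Decode 802.1Q (0x8100) and 802.1ad (0x88A8) tags from an Ethernet frame.

Added example; not part of the CCNA SP notes. Frame bytes are constructed.
"""
import struct

TPID_DOT1Q = 0x8100   # C-tag: customer VLAN
TPID_DOT1AD = 0x88A8  # S-tag: service-provider VLAN (Q-in-Q outer tag)
TAG_TPIDS = {TPID_DOT1Q, TPID_DOT1AD}

# 802.1p priority (PCP) names as listed in the notes
COS_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "Critical", 6: "Internetwork Control",
    7: "Network Control",
}


def parse_tags(frame: bytes) -> dict:
    """Return MACs, the stacked VLAN tags (outermost first) and the payload ethertype.

    Each tag is {"tpid", "pcp", "dei", "vid"}: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    # Keep consuming 4-byte tags while the ethertype position holds a tag TPID
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no ethertype after tags")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated frame: tag without TCI")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,           # priority code point (CoS)
            "dei": (tci >> 12) & 0x1,   # drop eligible indicator
            "vid": tci & 0x0FFF,        # VLAN ID
        })
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def describe(frame: bytes) -> list:
    """One line per tag, e.g. 'S-tag VLAN 99 CoS 5 (Critical)'."""
    lines = []
    for tag in parse_tags(frame)["tags"]:
        kind = "S-tag" if tag["tpid"] == TPID_DOT1AD else "C-tag"
        lines.append(f"{kind} VLAN {tag['vid']} CoS {tag['pcp']} ({COS_NAMES[tag['pcp']]})")
    return lines


def build_frame(vlans, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a frame carrying the given (tpid, pcp, vid) tags, outermost first, over an IPv4 payload."""
    hdr = bytes.fromhex("00112233445566778899aabb")  # constructed dst/src MACs
    for tpid, pcp, vid in vlans:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    # Q-in-Q: provider S-tag 99 wrapping customer C-tag 2, both with CoS 5
    for line in describe(build_frame([(TPID_DOT1AD, 5, 99), (TPID_DOT1Q, 5, 2)])):
        print(line)
```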

Spanning Tree Protocol

-Cisco Catalyst switches support 4 types: PVST+, PVRST+, CST (Common STP, one root bridge regardless of number of VLANs) and MSTP


PVST+ (Per VLAN Spanning Tree Plus)

-802.1D standard defines only a CST, no load sharing is possible

-PVST+ allows multiple spanning tree instances (one per VLAN), allows load sharing, but can mean a

considerable waste of CPU cycles, many BPDUs are sent

-each switch has a unique Bridge ID (BID), it includes the following fields:

-Bridge priority: conveyed in discrete values in increments of 4096, default priority is 32768 (lower value means higher priority)

-Extended system ID (VLAN #)

-MAC Address of the switch

-Some PVST+ rules: elect one root bridge per broadcast domain, elect one root port per non-root switch,

elect one designated port per segment

Spanning Tree Path Cost (as per current IEEE cost specifications)

10 Gbps - 2

1 Gbps - 4

100 Mbps - 19

10 Mbps - 100

Spanning Tree Decision Process

1) Lowest Bridge ID

2) Lowest aggregate root path cost

3) Lowest sender's Bridge ID

4) Lowest port ID

-spanning tree recalculation occurs when the root bridge fails and does not send a BPDU to another

switch within the max_age time (default 20 seconds, 10 missed BPDUs)

-convergence in a spanning tree is when all the switch ports have transitioned to either forwarding or

blocking states
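Added worked example (not from the notes) of the first three steps of the decision process: it builds PVST+ Bridge IDs from priority, extended system ID and MAC, elects the root, and picks each switch's root port by lowest root path cost with the sender's BID as tie-break. Switch names, MACs, and the topology are constructed; the port costs are the IEEE values above. It also shows why any device announcing a lower priority on a segment re-roots the tree, which is the exposure BPDU Guard is meant to close.

```python
"""Root bridge and root port election from PVST+ Bridge IDs and path costs.

Added example, not part of the notes. Switch names, MACs and links are constructed.
"""
import heapq

# IEEE short-form port costs listed in the notes (Mbps -> cost)
PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit BID: 4-bit priority (multiple of 4096) + 12-bit extended system ID (VLAN) + 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect(switches: dict, links: list, vlan: int):
    """switches: name -> (priority, mac); links: (a, b, speed_mbps) undirected.

    Returns (root name, {switch: (root path cost, neighbour behind the root port)}).
    Decision order from the notes: lowest BID, lowest root path cost, lowest sender BID.
    """
    bids = {name: bridge_id(pri, vlan, mac) for name, (pri, mac) in switches.items()}
    root = min(bids, key=bids.get)
    # Cost is charged on the port that receives the BPDU, so each link costs PORT_COST[speed]
    adj = {n: [] for n in switches}
    for a, b, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))
    # Dijkstra from the root; entries are (cost, sender BID) so ties resolve to the lower sender BID
    best = {root: (0, 0, None)}  # node -> (root path cost, sender BID, root-port neighbour)
    heap = [(0, 0, root)]
    while heap:
        cost, sender, node = heapq.heappop(heap)
        if (cost, sender) > best[node][:2]:
            continue  # stale heap entry
        for nbr, link_cost in adj[node]:
            cand = (cost + link_cost, bids[node], node)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return root, {n: (c, via) for n, (c, _, via) in best.items() if n != root}


if __name__ == "__main__":
    # Constructed ring: R is made root with 'spanning-tree vlan 10 root primary' style priority 4096
    sw = {"R": (4096, "0000.0000.00ff"), "A": (32768, "0000.0000.0001"),
          "B": (32768, "0000.0000.0002"), "C": (32768, "0000.0000.0003")}
    links = [("R", "A", 1000), ("R", "B", 1000), ("A", "C", 1000), ("B", "C", 1000)]
    root, table = elect(sw, links, vlan=10)
    print("root:", root)
    for name, (cost, via) in sorted(table.items()):
        print(f"{name}: root path cost {cost}, root port towards {via}")
```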

Rapid Spanning Tree

-specified in 802.1w standard, backwards compatible with 802.1D (original STP standard)

-negates the need for delay timers, requires full-duplex point-to-point communications


-each bridge sends BPDUs

Operational State   STP Port State   RSTP Port State   Port Included in Active Topology

Enabled             Blocking         Discarding        No

Enabled             Listening        Discarding        No

Enabled             Learning         Learning          Yes

Enabled             Forwarding       Forwarding        Yes

Disabled            Disabled         Discarding        No

-rapid-pvst is the default mode on ME3400 switches, but only on NNIs (not UNIs)

Configuring Spanning Tree

(config)#spanning-tree mode rapid-pvst (sets STP mode to PVRST+)

(config)#spanning-tree vlan 10 root primary (manually set the root bridge for a spanning tree)

#show spanning-tree (verify root bridge, priority values, and status of ports in each spanning tree) (protocol ieee = PVST+, rstp = PVRST+)

MSTP

-main purpose is to reduce the total number of spanning-tree instances (reduce CPU load of switches)

-must be configured on each individual participating switch EXACTLY THE SAME (not scalable)

-MST config on each switch includes: Name, revision number, VLAN association table (if these differ, the

two switches will be part of different MST regions)

Configuring MSTP

(config)#spanning-tree mst configuration

(config-mst)#name <name>

(config-mst)#revision <revision #> (any unassigned 16 bit integer)

(config-mst)#instance <instance #> vlan <vlan range> (maps VLANs to an MSTP instance)


(config-mst)#show pending (display the MSTP config to be applied)

(config-mst)#end (apply the config and exit the MSTP subconfiguration mode)

(config-mst)#show current (show the current MSTP config)

(config)#spanning-tree mst <instance #> root primary|secondary

(config)#spanning-tree extend system-id (enables the extended System ID feature)

Example:

(config)#spanning-tree mode mst

(config)#spanning-tree mst configuration

(config-mst)#name XYZ

(config-mst)#revision 1

(config-mst)#instance 1 vlan 11,21,31

(config-mst)#instance 2 vlan 12,22,32

(config-mst)#end

(config)#spanning-tree mst 2 root primary

#show spanning-tree mst configuration

PortFast

-skips regular STP port state transitions

-puts port directly into forwarding state

-If enabled globally: if port receives a BPDU it loses PortFast status and reverts to normal STP operation

-if enabled on an interface: stays in PortFast unconditionally, regardless of BPDUs received

-useful for end nodes

-safest to execute on a per VLAN basis

Per interface:

(config)#interface fa0/1

(config-if)#spanning-tree portfast

Globally:

(config)#spanning-tree portfast default

BPDU Guard

-shuts down a port if a BPDU is received

-useful for end nodes with PortFast


-prevents connection of an STP-enabled switch

-prevents loops with switches unaware of STP

-recommendation is to enable BPDU guard globally

Per interface:

(config)#interface fa0/1

(config-if)#spanning-tree bpduguard enable

Globally:

(config)#spanning-tree portfast bpduguard default

BPDU Filter

-disables STP on a port

-no BPDUs are sent, none are processed (except when enabled globally, where a couple of BPDUs are sent when the port becomes active; in global mode, if a port receives a BPDU it will revert OUT of PortFast mode)

Per Interface:

(config)#int fa0/11

(config-if)#spanning-tree bpdufilter enable

Globally:

(config)#spanning-tree portfast bpdufilter default

Resilient Ethernet Protocol (REP)

-new technology for fast convergence of simple ring networks (<250ms convergence)

-NOT a replacement for STP

-VLAN load balancing

-Manual configuration for predictable failover behaviour

-Segment protocol, ports are explicitly configured to be part of a segment

-when all links in the segment are operational, a blocked port is determined so that there is no

connectivity between edge switches

-redundancy: each segment has two exits, each edge switch

Configuring REP

(config)#interface fa0/11

(config-if)#port-type nni


(config-if)#switchport mode trunk

(config-if)#rep segment 1 (this must be done for every port in the segment)

Routing Between VLANS

-Traffic cannot be switched between VLANs, which will often have different IP subnets, so routing is

necessary

-inter-VLAN routing occurs between multiple directly connected interfaces

Inter-VLAN Routing via a Router

-used when there is no Layer 3 capable switch or when centralized routing from several switches is

needed, all VLANs must pass to the router

-there must be a separate logical connection on the router for each VLAN and VLAN trunking (802.1Q)

must be enabled on those connections, this is done by creating subinterfaces on one physical interface

Configuring Inter-VLAN Routing

Switch

(config)#interface gi0/24

(config-if)#switchport mode trunk

Router (IOS XR)

(config)#int gi0/0/0/0.3 (will create this subinterface if it doesn't already exist)

(config-if)#dot1q vlan 3 (enables 802.1Q encapsulated trunking on this subinterface to the specified VLAN)

(config-if)#ipv4 address 192.168.3.1 255.255.255.0

(config)#int gi0/0/0/0.4

(config-if)#dot1q vlan 4

(config-if)#ipv4 address 192.168.4.1 255.255.255.0

#show route (to verify work)

Inter-VLAN Routing via Layer 3 Switch

-an MLS can make forwarding decisions on both Layer 2 and 3 headers, so it knows when to switch and

when to route

-switches will need switch virtual interfaces (only one can be created per VLAN), created via (config)#interface vlan <vlan number>

-creating a VLAN does NOT create an SVI, and vice versa

-an SVI is down if there is no port in the corresponding VLAN in an Up state

Configuring Layer 3 Switch for Inter-VLAN routing

(config)#ip|ipv6 routing (must be enabled)

(config)#vlan 3,4 (creates these VLANs)

(config)#int gi0/3

(config-if)#switchport access vlan 3

(config)#int gi0/4

(config-if)#switchport access vlan 4

(config)#int vlan 3

(config-if)#ip address 192.168.3.1 255.255.255.0

(config-if)#no shut

(config)#int vlan 4

(config-if)#ip address 192.168.4.1 255.255.255.0

(config-if)#no shut

#show ip route

#show interfaces status (shows status of physical interfaces and the VLAN they are configured for)

#show ip interface brief (show physical and logical interfaces, status, and IP addresses)

First Hop Redundancy Protocols

-generally only one gateway is configured, if this fails it results in a loss of network availability

-two gateways cannot be configured on end nodes, so it must be done on routers

-the solution is to use multiple physical gateways configured to one virtual gateway and the end nodes

use the virtual gateway

-one actual physical gateway is forwarding traffic, the others are on standby

-the standbys use the same IP and MAC address so end nodes do not detect the change

FHRP   Cisco IOS/IOS XE Software     Cisco IOS XR Software

HSRP   IPv4, IPv6 (with Version 2)   IPv4

VRRP   IPv4                          IPv4, IPv6

GLBP   IPv4, IPv6                    Not supported

Hot Standby Router Protocol (HSRP)

-Cisco proprietary

-virtual router (VR) has separate IP and Mac address

-the active router handles the traffic for the virtual router

-supports priority, pre-emption (by default, router with higher priority will not pre-empt a lower priority if it is

already active), and object tracking (dynamically alter the priority of a router)

-Redundancy groups: many virtual IP addresses on the same interface, load balancing

-Active Router, Standby Router (primary backup), Standby Group (set of routers participating in HSRP

that jointly emulate a VR)

-by default hello messages are sent every 3 seconds, 10 second hold time

-if decrement amounts are not set, they will decrement by 10

Configuring HSRP on IOS XR (primary router for 2, standby for 1)

(config)#int gi0/0/0/0

(config-if)#ipv4 address 192.0.2.3 255.255.255.0

(config)#router hsrp

(config-router)#int gi0/0/0/0

(config-router-if)#hsrp 1 ipv4 192.0.2.1 (this is the VR IP address)

(config-router-if)#hsrp 1 priority 95

(config-router-if)#hsrp 1 preempt

(config-router-if)#hsrp 1 track gi0/0/0/1

(config-router-if)#hsrp 2 ipv4 192.0.2.254

(config-router-if)#hsrp 2 priority 105

(config-router-if)#hsrp 2 preempt

#show hsrp (verify HSRP configuration)

IOS (standby router on 2, primary on 1)

(config)#int ethernet 0/0

(config-if)#ip address 192.0.2.2 255.255.255.0


(config-if)#standby 1 ip address 192.0.2.1 (notice the IP matches the IOS XR config)

(config-if)#standby 1 priority 105 (this router is active for group 1; the IOS XR router is standby because its priority of 95 is lower)

(config-if)#standby 1 preempt

(config-if)#standby 1 track ethernet 0/1

(config-if)#standby 2 ip 192.0.2.254

(config-if)#standby 2 priority 95

(config-if)#standby 2 preempt

#show standby brief (verify HSRP configuration)
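Added simulation (not Cisco code) of the HSRP election rules the notes describe: highest priority wins, a router only takes over a running active router if it has preempt, and a tracked interface going down subtracts the decrement (10 by default). The priorities, virtual IPs and tracked interfaces are taken from the two configs above; router names and the failure events are constructed. It shows a point the notes do not spell out: with the default decrement, 105 - 10 ties with 95, so the higher interface IP decides who is active.

```python
"""HSRP active/standby election with priority, preempt and interface tracking.

Added example, not part of the notes. Router names and events are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int
    preempt: bool = False
    track: dict = field(default_factory=dict)  # tracked interface -> priority decrement
    down: set = field(default_factory=set)     # tracked interfaces currently down

    @property
    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.track.items() if intf in self.down)

    def rank(self):
        """Higher wins; ties are broken by the higher interface IP address."""
        return (self.effective_priority, int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, group: int, virtual_ip: str, routers: list):
        self.group, self.virtual_ip = group, virtual_ip
        self.routers = {r.name: r for r in routers}
        # Initial election: nothing is active yet, so the best-ranked router simply wins
        self.active = max(routers, key=Router.rank).name

    def reevaluate(self) -> str:
        """After a change, the active router only loses its role to a preempting router that outranks it."""
        best = max(self.routers.values(), key=Router.rank)
        current = self.routers[self.active]
        if best.name != self.active and best.preempt and best.rank() > current.rank():
            self.active = best.name
        return self.active

    def standby(self) -> str:
        others = [r for r in self.routers.values() if r.name != self.active]
        return max(others, key=Router.rank).name

    def interface_down(self, router: str, intf: str) -> str:
        self.routers[router].down.add(intf)
        return self.reevaluate()

    def interface_up(self, router: str, intf: str) -> str:
        self.routers[router].down.discard(intf)
        return self.reevaluate()

    def router_down(self, router: str) -> str:
        """Hellos stop and the hold time (10 s by default) expires: the standby takes over regardless of preempt."""
        del self.routers[router]
        if router == self.active:
            self.active = max(self.routers.values(), key=Router.rank).name
        return self.active


def notes_topology():
    """The two routers from the notes' configs: XR at 192.0.2.3, IOS at 192.0.2.2."""
    xr = Router("XR", "192.0.2.3", 95, preempt=True, track={"gi0/0/0/1": 10})
    ios = Router("IOS", "192.0.2.2", 105, preempt=True, track={"ethernet0/1": 10})
    return HsrpGroup(1, "192.0.2.1", [xr, ios])


if __name__ == "__main__":
    g1 = notes_topology()
    print("group 1 active:", g1.active, "standby:", g1.standby())
    print("IOS loses ethernet0/1 ->", g1.interface_down("IOS", "ethernet0/1"))
    print("IOS regains ethernet0/1 ->", g1.interface_up("IOS", "ethernet0/1"))
```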

Virtual Router Redundancy Protocol

-VR has: IP address and MAC address, IP address can be shared with physical router (HSRP cannot do

this)

-active router handles traffic for VR

-VRRP virtual MAC format: 0000.5E00.01xx (last byte xx is the VR ID)

-has one master router and one or more backup routers, uses VRRP messages to advertise that it is the master

-supports priority, pre-emption (enabled by default), and object tracking

-same redundancy groups as HSRP: many virtual IPs on same interface, load balancing

Configuring VRRP - IOS XR

(config)#int gi0/0/0/0

(config-if)#ipv4 address 192.0.2.2 255.255.255.0

(config)#router vrrp

(config-vrrp)#interface gi0/0/0/0

(config-vrrp-if)#address-family ipv4

(config-vrrp-af)#vrrp 1

(config-vrrp-vr)#address 192.0.2.1

(config-vrrp-vr)#priority 95

(config-vrrp-vr)#track interface gi0/0/0/0 10 (decrements priority by 10)

#show vrrp

IOS

(config)#interface fa0/0

(config-if)#ip address 192.0.2.1 255.255.255.0

(config-if)#vrrp 1 ip 192.0.2.1 (priority set to 255 automatically because the virtual IP matches the interface IP)

#show vrrp brief

Gateway Load Balancing Protocol (GLBP)


-Cisco proprietary

-VR has an IP address

-Active forwarder handles traffic for VR

-Active gateway answers ARP and ND requests from clients

-MAC address sent to clients:

-chosen from a list of active forwarders

-assigned in round robin fashion

-achieves load balancing

-relieves the administrative burden of configuring the multiple groups and default gateway configurations that are required with HSRP and VRRP

Configuring GLBP - IOS (NOT supported on IOS XR)

(config)#int fa0/0

(config-if)#ipv6 address 2001:db8:1:1::/64 eui-64

(config-if)#glbp 1 ipv6 autoconfig (link local address format is used for gateway address)

(config-if)#glbp 1 preempt

Note: This config would need to be applied on all participating routers

#show glbp brief

Internal Service Provider Traffic Forwarding

-SP core network must meet following requirements:

-high speed of forwarding packets

-high availability

-fast convergence (Link State Routing Protocols)

-optimized bandwidth consumption and support for different real-time services (multicast, QoS)

-integrated security

Administrative Distance

0 - Directly Connected Interface

1 - Static Route out an interface

5 - EIGRP summary route

20 - External BGP

90 - Internal EIGRP

100 - IGRP (obsolete protocol)

110 - OSPF

115 - IS-IS


120 - RIP

170 - External EIGRP

200 - Internal BGP

255 - Unknown

Link-State Routing Protocols

-link state IGPs such as OSPF and IS-IS are used in SP environments instead of distance vector due to:

-scalability

-each router has a full picture of the topology

-updates are only sent when a topology change occurs

-LSPs react quickly when topology changes occur

-more info is communicated between routers

-LSPs use a hierarchical design (allows summarization)

-routers create neighbour relationships by exchanging hello packets

-LSP propagates LSAs (link state advertisements) rather than routing table updates

-each router floods LSAs to all routers in the area

-each router pieces together LSAs received to create link-state database (topology)

-each router uses SPF algorithm to find shortest path to each destination and places it in the routing table

Link-State Adjacency Process:

1) router sends and receives hello packets to/from neighboring routers, typically multicast

2) Exchange hello packets that are subject to protocol specific parameters (same AS and area, etc.).

Routers then declare the neighbour is up when the exchange is complete

3) After the adjacency is formed, the neighbour is put into the neighbour DB, neighbors then synch LSDBs by

exchanging LSAs and confirming receipt of sent LSAs

OSPF vs IS-IS

OSPF                           IS-IS

-IETF standard (1988)          -ISO Standard (1987)

-IPv4: OSPFv2, IPv6: OSPFv3    -supports IPv4 and IPv6

-IP ONLY as transport          -Layer 2 Multicast as transport


OSPF: Hellos > Neighbor Table > LSAs > Topology Table > SPF > Routing Table

IS-IS: Hellos >Adj. DB > LSPs > LSDB > SPF > Forwarding DB

Implementing OSPF

-two-layer hierarchy: areas (groups of contiguous networks), which are logical subdivisions of an

autonomous system (AS)

-Within each AS, a contiguous backbone area must be defined, all non-backbone areas are connected

through the backbone. The backbone always uses area 0

-Non-backbone areas: stub areas, totally stubby areas, not-so-stubby areas (NSSA)

-Routers in the backbone area are Backbone Routers, routers on the edge of an area are Area Border

Routers (ABRs), others are non-backbone, internal routers. A Backbone Router connecting to another

AS is an Autonomous System Boundary Router (ASBR)

-OSPFv3 uses link-local addresses to communicate (fe80::/10)

-OSPFv3 is enabled per link and identifies which networks (or prefixes) are attached to this link

-OSPFv3 requires the router to run Cisco Express Forwarding (CEF)

-OSPFv3 is NOT backwards compatible with OSPFv2


-OSPF router ID is a 32 bit number that uniquely identifies the router, by default this is the highest IPv4

address on an active interface when OSPF starts, can be overridden by a loopback interface or set

manually (router-id command)

-Hello and dead intervals must match between routers

-Areas must match

-Multicast addresses - IPv4: 224.0.0.5, IPv6: FF02::5

Configuring OSPF - IOS XR

(config)#interface Loopback0

(config-if)#ipv4 address 10.2.1.1 255.255.255.255

(config)#router ospf|ospfv3 1 (enables the OSPF process)

(config-ospf)#router-id 10.2.1.1

Configuring OSPF Interfaces in a Single Area (IOS XR)

(config)#router ospf 1

(config-ospf)#area 0

(config-ospf-ar)#interface Loopback0

(config-ospf-ar)#interface gi0/0/0/0 (begins OSPF participation on these two interfaces)

IOS IPv4

(config)#router ospf 1

(config-router)#router-id 10.2.1.1

(config-router)#network 192.168.102.0 0.0.0.255 area 0

(config-router)#network 10.2.1.1 0.0.0.0 area 0

IOS IPv6

(config)#ipv6 unicast-routing

(config)#router ipv6 ospf 1

(config-rtr)#router-id 10.2.10.1

(config-if)#ipv6 ospf 1 area 0 (on each participating interface)

#show protocols (IOS XR verification)

#show ospf|ospfv3 interface

#show route|route ipv6 (IOS XR verification)

#show ip ospf neighbor (IOS verification)

#show ip|ipv6 route (IOS verification)

OSPF Load Balancing

-Can select several (must be equal cost) paths to destinations for load balancing, this can be ensured by

manually changing cost of certain links


-maximum number of paths is platform specific

Configuring OSPF Load Balancing - IOS XR

(config)#router ospf 1

(config-ospf)#maximum paths 2

(config-ospf)#area 0

(config-ospf-ar)#int gi0/0/0/0

(config-ospf-ar-if)#cost 10

(config-ospf-ar)#int gi0/0/0/1

(config-ospf-ar-if)#cost 10

Note: IPv6 config is the same, initiate with router ospfv3 1

IOS IPv4

(config)#router ospf 1

(config-router)#maximum-paths 2

(config-router)#network 192.168.101.0 0.0.0.255 area 0

(config-router)#network 192.168.112.0 0.0.0.255 area 0

(config)#int gi0/0/0

(config-if)#ip ospf cost 10

(config)#int gi0/0/1

(config-if)#ip ospf cost 10

IOS IPv6

(config)#router ipv6 ospf 1

(config-rtr)#maximum-paths 2

(config)#int gi0/0/0

(config-if)#ipv6 ospf 1 area 0

(config-if)#ipv6 ospf cost 10

(config)#int gi0/0/1

(config-if)#ipv6 ospf 1 area 0

(config-if)#ipv6 ospf cost 10
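Added worked example (not from the notes) of what the load-balancing configs above rely on: a Dijkstra SPF that keeps every next hop with the same total cost and installs at most `maximum-paths` of them. The router names and topology are constructed; costs are per link, as OSPF charges them on the outgoing interface. It also shows the inverse of the tuning the notes mention: raising one link's cost drops that path out of the equal-cost set.

```python
"""SPF with equal-cost multipath, capped like OSPF 'maximum-paths N'.

Added example, not part of the notes. Topology is constructed.
"""
import heapq
from collections import defaultdict


def spf(links: list, source: str, maximum_paths: int = 1) -> dict:
    """links: (a, b, cost) undirected. Returns dest -> (total cost, tuple of next-hop routers).

    Next hops are the source's neighbours through which a shortest path leaves the source.
    At most maximum_paths of them are kept (lowest name first; a constructed tie-break).
    """
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {source: 0}
    nexthops = defaultdict(set)
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale entry
        for nbr, cost in adj[node]:
            nd = d + cost
            # Leaving the source, the next hop is the neighbour itself; further on it is inherited
            hops = {nbr} if node == source else set(nexthops[node])
            if nbr not in dist or nd < dist[nbr]:
                dist[nbr] = nd
                nexthops[nbr] = hops
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                nexthops[nbr] |= hops  # another path with the same cost: keep both next hops
    return {dest: (dist[dest], tuple(sorted(nexthops[dest]))[:maximum_paths])
            for dest in dist if dest != source}


if __name__ == "__main__":
    # Constructed: R1 reaches R4 through R2 or R3, both paths cost 10 + 10
    links = [("R1", "R2", 10), ("R1", "R3", 10), ("R2", "R4", 10), ("R3", "R4", 10)]
    for dest, (cost, hops) in sorted(spf(links, "R1", maximum_paths=2).items()):
        print(f"{dest}: cost {cost} via {', '.join(hops)}")
```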

OSPF Authentication

-used to prevent undesired adjacencies and thus rogue routes being inserted

-OSPFv2: plaintext (avoid!) or MD5 authentication, authentication is inserted into the OSPF header of every

OSPF packet and is checked by the receiving router

-OSPFv3 has no authentication mechanism, relies on IPSec

-In IOS XR the authentication type and key can be set at different levels (high to low): routing process,

area, interface. If authentication not configured on a lower level, it is inherited from a higher level

-In IOS/IOS XE, authentication type can be configured per area or per interface. If not configured per

interface, it is inherited from the area config

-Authentication key is ONLY configured per interface


-OSPFv3 uses IPSec Authentication Header for authentication and integrity check, uses Encapsulating

Security Payload (ESP) for encrypting the payload (the routing updates themselves and AH)

OSPF Troubleshooting

-verify OSPF adjacencies via show ospf neighbor

-If no neighbors: verify int status, MTU, authentication, use debug ospf adj

Implementing IS-IS

IS-IS Basics

-link-state routing protocol, uses the Dijkstra algorithm, the same as OSPF

-part of the OSI standard, originally used with Connectionless Network Service (CLNS), router = an

Intermediate System

-An IS-IS AS can be divided into several areas, when using multiarea design there are two levels of

routing:

-Level 1: occurs within an IS-IS area, recognizes the location of routers and builds a routing table to

reach all of them. All devices in a Level 1 area share the same area address. Routing within an area is

done by looking at the locally significant address portion (known as System ID) and choosing the lowest

cost path.

-Level 2: routers learn the location of other routing areas and build an inter-area routing table. All

routers in a level 2 routing area use the destination area address to route traffic using the lowest cost path.

IS-IS defines 3 types of routers:

-Level 1: learn about paths within the areas they connect to (intra-area)

-Level 2: learn about paths between areas (inter-area)

-Level 1-2: learn both intra-area and inter-area paths (all routers are this by default)

-the path of connected Level 2 and Level 1-2 routers is called the backbone. All areas and the backbone

must be contiguous.


IS-IS Features

-originally designed as the IGP for Connectionless Network Service (CLNS), part of the OSI protocol suite

-uses CLNS addresses to identify routers and build the LSDB

-does not use IP for transport

-carries IPv4 and v6 routing information in its updates

CLNS Addresses

-integrated IS-IS always requires them

-NSEL is equivalent to the combination of an IP address and the upper-layer protocol in an IP header

-Most common format:

-Authority and Format Identifier (AFI) set to 49 (private address; 1 byte)

-Area ID (2 bytes in this format)

-System ID (6 bytes)

-NSAP Selector, or NSEL (1 byte), should be 00

-CLNS address with the NSEL set to 00 is called the Network Entity Title (NET) address

-The loopback IP address (or pseudo router ID) can be encoded into the system ID

Example:

49.0001.1921.6800.1001.00

49    .0001   .1921.6800.1001   .00

AFI   Area    System ID         NSEL
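Added example (not part of the notes) that splits a NET into the fields shown above and applies the loopback-to-System-ID encoding the notes mention: each octet is zero-padded to three digits and the 12 digits are regrouped into three 4-digit blocks. The notes' own NET 49.0001.1921.6800.1001.00 is used as input; the NSEL check matters because a NET must end in 00, and a duplicate System ID within an area is a classic cause of adjacency problems worth catching before the config is pushed.

```python
"""IS-IS NET parsing and loopback <-> System ID conversion.

Added example, not part of the notes.
"""
import re
from ipaddress import IPv4Address

# AFI (2 hex digits) . one or more 4-digit groups (area + System ID) . NSEL (2 hex digits)
NET_RE = re.compile(r"^[0-9a-fA-F]{2}(\.[0-9a-fA-F]{4})+\.[0-9a-fA-F]{2}$")


def parse_net(net: str) -> dict:
    """Return {'afi', 'area', 'system_id', 'nsel'}; the System ID is always the last three 4-digit groups."""
    if not NET_RE.match(net):
        raise ValueError(f"not a dotted NET: {net}")
    parts = net.split(".")
    afi, nsel = parts[0], parts[-1]
    middle = parts[1:-1]
    if len(middle) < 4:
        raise ValueError("NET needs at least one area group plus a 6-byte System ID")
    if nsel != "00":
        raise ValueError("a NET must have NSEL 00 (other selectors address upper-layer entities)")
    return {"afi": afi, "area": ".".join(middle[:-3]),
            "system_id": ".".join(middle[-3:]), "nsel": nsel}


def system_id_from_loopback(ip: str) -> str:
    """192.168.1.1 -> '1921.6800.1001': pad octets to 3 digits, join, regroup in fours."""
    digits = "".join(f"{octet:03d}" for octet in IPv4Address(ip).packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def loopback_from_system_id(system_id: str) -> str:
    """Inverse of system_id_from_loopback, for System IDs built that way."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("System ID was not derived from an IPv4 address")
    octets = [str(int(digits[i:i + 3])) for i in range(0, 12, 3)]
    return str(IPv4Address(".".join(octets)))  # validates each octet is <= 255


def build_net(area: str, loopback: str, afi: str = "49") -> str:
    return f"{afi}.{area}.{system_id_from_loopback(loopback)}.00"


def duplicate_system_ids(nets: list) -> set:
    """System IDs that appear on more than one router (constructed check for a pre-push review)."""
    seen, dupes = set(), set()
    for net in nets:
        sid = parse_net(net)["system_id"]
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return dupes


if __name__ == "__main__":
    print(parse_net("49.0001.1921.6800.1001.00"))
    print(build_net("0001", "192.168.1.1"))
```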

IS-IS Metrics

-by default uses a narrow-style metric, limited to a 6-bit interface metric and a 10-bit path metric

-wide-style metrics allow a 24-bit interface and a 32-bit path metric

-metric is not bound to interface bandwidth, the metric of all interfaces is set to 10 by default

-path metric is the cumulative metric of all links on the path to a destination

IS-IS Advantages

-Transport Multiple Protocols

-Distributed Backbone

Disadvantages


-must build SPF DB, but the default metric is fixed to 10, so it needs to be modified

Configuring IS-IS - IOS XR

(config)#router isis 1 (enable the IS-IS process)
 net 49.0000.0100.0200.1001.00 (configures the NET address)
 is-type level-2-only (changes router type to Level 2)
 address-family ipv4|ipv6 unicast
  metric-style wide

IOS

(config)#router isis 1
 net 49.0000.0100.0201.0001.00
 is-type level-2-only
 metric-style wide

Adding Interfaces to IS-IS

-interfaces must be explicitly enabled for the IS-IS process; once enabled, they advertise the network on the interface

IOS XR

(config)#router isis 1
 int Loopback0
  address-family ipv4 unicast
 int gi0/0/0/0
  address-family ipv4 unicast

#show protocols isis (verify ISIS configuration)

#show isis neighbors

#show isis interfaces

IOS

(config)#int gi0/0/0ip|ipv6 router isis 1

Configuring ISIS Load Balancing � IOS XR

-like OSPF, can select several equal cost paths to destinations, this maximum number is platform

dependent

(config)#router isis 1address-family ipv4 unicastmaximum-paths 2 (select the amount of paths you wish to use)

(config)#interface gi0/0/0/0address-family ipv4 unicastmetric 100

(config)#int gi0/0/0/1address-family ipv4 unicastmetric 100 (for load balancing to occur, the weight must match)

IOS � IPV4

(config)#router isis 1maximum-paths 2

(config)#int gi0/0isis metric 100 (further interfaces would need to be configured with the IS-IS process and the same

metric)

IOS � IPv6

(config)#router isis 1address-family ipv6 unicastmaximum-paths 2

(config)#int gi0/0isis ipv6 metric 100

-verify by viewing the routing tables


IS-IS Authentication

-like OSPF, authentication is used to prevent undesired adjacencies and rogue routes, and to prevent unwanted changes to routing information

-plaintext (AVOID!) and MD5 authentication

-IS-IS authentication can be separately configured for two types of packets:

-authentication of hello packets - at interface level

-authentication of LSPs - at routing process level

IS-IS Troubleshooting

-verify IS-IS adjacencies with show isis neighbors; if there are no neighbors, verify that the interfaces are up and the MTU matches

-use debug isis packet-errors

Route Redistribution

-some networks use more than one routing protocol at the same time

-different routing protocols cannot exchange information about networks directly; redistribution has to be explicitly configured, and one router is configured for both routing protocols (the redistribution point)

-when redistributing routes, they are marked with a special tag showing that they are external routes (EIGRP uses the EX tag, OSPF uses the E1 or E2 tag)

-since each protocol uses its own metric, an initial seed metric has to be configured for external networks at the redistribution point

-once a seed metric is established, the metric increases as specified by the routing protocol

Default Seed Metrics:

RIP/EIGRP: 0 (but infinite)

OSPF: 20 (metric-type E2)

IS-IS: 0 (but NOT infinite)

BGP: set to IGP max value

Route Redistribution into OSPF

-the following protocols can be redistributed into OSPF (and OSPFv3): BGP, connected routes, EIGRP, IS-IS, OSPF (another process), RIP, static routes

-default seed metric is 20 (from an IGP) and 1 (from BGP)


-default external metric type is E2

-on IOS/IOS XE, classless subnets are NOT redistributed into OSPF by default

Configuring OSPF Route Redistribution on IOS XR

(config)#router isis 1
 net 49.0000.0100.0300.1001.00
 int gi0/0/0/0
  address-family ipv4 unicast

(config)#router ospf 1
 redistribute isis 1 metric 30 subnets (this will redistribute IS-IS into OSPF)
 area 0
  int gi0/0/0/1 (enables OSPF on an interface so routes can be redistributed)

IOS/IOS XE

(config)#router ospf 1
 redistribute isis 1 metric 30 metric-type 1 subnets (the subnets keyword ensures that classless subnets are redistributed)

Route Redistribution into IS-IS

-the following protocols can be redistributed into IS-IS: BGP, connected routes, EIGRP, IS-IS (another process), OSPF(v3), RIP, static routes

-default seed metric is 0

-redistribution for IPv4 and IPv6 is configured under an appropriate address family

Configuring ISIS Route Redistribution on IOS XR

(config)#router isis 1
 net 49.0000.0100.0300.1001.00
 address-family ipv4 unicast
  redistribute ospf 1 metric 20 (enables redistribution from OSPF into IS-IS)
 int gi0/0/0/0
  address-family ipv4 unicast (enables IS-IS on this interface)

IOS/IOS XE

(config)#router isis 1
 redistribute ospf 1 metric 30 (the address-family ipv6 unicast command would need to precede this for IPv6)

Multiprotocol Label Switching (MPLS)

-switching mechanism in which packets are switched based on labels (which usually correspond to a destination IP network)

-an additional header, the MPLS label, is inserted and used for MPLS switching

-Cisco Express Forwarding (CEF) is an advanced Layer 3 switching technology used within a router; it defines the fastest method by which a Cisco router forwards packets from ingress to egress interfaces

-MPLS for service providers:


-being phased out, in the past it provided faster forwarding

-now a platform to engineer traffic and VPN service

-works on a core and edge layer

-MPLS for traffic engineering:

-allows ISPs to optimize network utilization

-can be used to increase fault tolerance

-MPLS VPNS:

-allows separation of customers into VPNs

-similar to virtual circuits (for example, from Frame Relay)

-allows Layer 2 or 3 VPNs

MPLS Labels

-uses a 32-bit label header inserted between Layer 2 and Layer 3, so it can be used regardless of the Layer 2 protocol

MPLS Label Switch Routers

-Label Switch Routers (LSRs) forward packets based on labels and swap labels

-the last LSR in the path also removes the label and forwards the IP packet

-Edge LSR:

-labels IP packet (or imposes label) and forwards them into the MPLS domain

-forwards IP packets out of the MPLS domain

-a sequence of labels used to reach a destination is called a label-switched path (LSP)

-the penultimate LSR removes the label and forwards the IP packet to the egress edge LSR, which routes the packet based on its routing lookup

The diagram above shows a simple example of forwarding IP packets using MPLS, where the forwarding is based only on the packet destination IP address. LSR (Label Switch Router) A uses the destination IP address of each packet to select the LSP, which determines the next hop and initial label for each packet (21 and 17). When LSR B receives the packets, it uses these labels to identify the LSPs, from which it determines the next hops (LSRs D and C) and labels (47 and 11). The egress routers (LSRs D and C) strip off the final label and route the packet out of the network.

-the data plane on a router is responsible for forwarding packets based on decisions made by routing protocols; the MPLS data plane consists of two forwarding structures:

-Forwarding Information Base (FIB): used with CEF, the FIB is populated from a routing protocol and includes destination networks, next hops, outgoing interfaces, and pointers to Layer 2 devices; on MPLS it will also have an outgoing label, which it applies when needed

-Label Forwarding Information Base (LFIB): used when a labeled packet is received; in general it contains an incoming and an outgoing label, the outgoing interface, and the next-hop router
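To make the FIB/LFIB split concrete, here is an added example (not vendor code) that walks the A -> B -> C/D packets from the diagram description through a FIB lookup at the ingress LSR, a label swap at LSR B and a pop at the egress; the label values 21, 17, 47 and 11 are the ones in the notes, while the prefixes, interface names and "CE-" next hops are constructed.

```python
"""FIB/LFIB forwarding walk-through for the LSR A -> B -> C/D example above
(added example, not vendor code).  Labels 21/17/47/11 come from the notes; the
prefixes, next-hop names and interfaces are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

POP = "pop"   # LFIB action: remove the label instead of swapping it


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: str
    out_if: str
    out_label: Optional[int] = None   # None: send as plain IP (no label imposed)


@dataclass
class LfibEntry:
    in_label: int
    action: Union[int, str]           # outgoing label (swap) or POP
    next_hop: Optional[str]           # None together with POP: this router is the egress
    out_if: Optional[str] = None


@dataclass
class Lsr:
    name: str
    fib: List[FibEntry] = field(default_factory=list)
    lfib: Dict[int, LfibEntry] = field(default_factory=dict)

    def fib_lookup(self, dst: ipaddress.IPv4Address) -> Optional[FibEntry]:
        """Longest-prefix match, as CEF does against the FIB."""
        matches = [e for e in self.fib if dst in e.prefix]
        return max(matches, key=lambda e: e.prefix.prefixlen) if matches else None

    def forward(self, dst, label):
        """Forward one packet: returns (next_hop, outgoing_label); label None = unlabeled IP."""
        if label is None:                        # unlabeled packet: IP lookup in the FIB
            e = self.fib_lookup(dst)
            if e is None:
                raise LookupError(f"{self.name}: no route to {dst}")
            return e.next_hop, e.out_label       # ingress LSR imposes the label here
        e = self.lfib.get(label)                 # labeled packet: LFIB only, no IP lookup
        if e is None:
            raise LookupError(f"{self.name}: unknown label {label}, packet dropped")
        if e.action == POP:
            if e.next_hop is None:               # egress LSR: strip label, then route on IP
                return self.forward(dst, None)
            return e.next_hop, None              # penultimate-hop pop: forward unlabeled
        return e.next_hop, e.action              # core LSR: swap the label


def build_topology() -> Dict[str, Lsr]:
    """Constructed topology matching the example: A ingress, B core, C/D egress."""
    a = Lsr("A", fib=[FibEntry(ipaddress.IPv4Network("10.1.0.0/16"), "B", "gi0/0/0/0", 21),
                      FibEntry(ipaddress.IPv4Network("10.2.0.0/16"), "B", "gi0/0/0/0", 17)])
    b = Lsr("B", lfib={21: LfibEntry(21, 47, "D", "gi0/0/0/1"),
                       17: LfibEntry(17, 11, "C", "gi0/0/0/2")})
    d = Lsr("D", fib=[FibEntry(ipaddress.IPv4Network("10.1.0.0/16"), "CE-D", "gi0/0/0/0")],
            lfib={47: LfibEntry(47, POP, None)})
    c = Lsr("C", fib=[FibEntry(ipaddress.IPv4Network("10.2.0.0/16"), "CE-C", "gi0/0/0/0")],
            lfib={11: LfibEntry(11, POP, None)})
    return {r.name: r for r in (a, b, c, d)}


def trace(routers: Dict[str, Lsr], start: str, dst: str) -> List[Tuple[str, str, Optional[int]]]:
    """Follow a packet hop by hop until it leaves the MPLS domain."""
    addr = ipaddress.ip_address(dst)
    hops, node, label = [], start, None
    while node in routers:
        next_hop, label = routers[node].forward(addr, label)
        hops.append((node, next_hop, label))
        node = next_hop
    return hops


if __name__ == "__main__":
    for destination in ("10.1.5.5", "10.2.7.7"):
        print(destination, trace(build_topology(), "A", destination))
```

Changing B's entry for label 21 to a POP with next hop D models penultimate-hop popping, after which D does a plain FIB lookup.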

Label Distribution Protocol

-forwarding structures that are used by MPLS have to be populated

-the FIB is populated from the routing table, and the MPLS label is added to the FIB by LDP

-the LFIB is populated by LDP, which is responsible for the advertisement and redistribution of MPLS labels between MPLS routers

-LDP is like a dynamic routing protocol for MPLS

-Adjacent routers establish an LDP session:

-MPLS routers discover neighbours using hello packets sent to 224.0.0.2 (IPv6: FF02::2) using UDP port 646

-an MPLS-enabled neighbour will respond to hello packets by establishing a TCP session on port 656 to the peer router ID

-once the session is established, labels can be exchanged

Label Allocation and Advertisement

-each router generates a label for each network in its routing table; this is asynchronous and labels are only locally significant

-for path discovery and loop avoidance, LDP relies on routing protocols

-networks originating outside the MPLS domain are not assigned any label on the edge LSR; instead the pop label is advertised (remove the label and forward based on IP)

-when a router receives a label from a neighbour it stores that label in the FIB, even if that neighbour is not the next hop for the destination

-the steady state is when all of the labels are exchanged and the LIB, LFIB, and FIB are completely populated

-it takes longer for LDP to exchange labels than it takes a routing protocol to converge

-there is no network downtime before LDP fully exchanges labels; packets can be forwarded using the FIB if labels are not yet available


MPLS Configuration

-in IOS XR, forwarding is enabled by enabling LDP on an interface under the MPLS LDP configuration mode

-in IOS/IOS XE, forwarding is enabled by enabling MPLS on an interface under the interface configuration mode

IOS XR

(config)#mpls ldp
 int gi0/0/0/0
 int gi0/0/0/1

#show mpls ldp neighbor (view TCP connection information about MPLS neighbours)

#show mpls ldp bindings (show local labels for destination networks)

#show mpls ldp forwarding (displays contents of the LFIB table)

#show cef 192.168.101.0/24 (displays the FIB table)

MPLS Troubleshooting

-if labels are not distributed, verify LDP neighbour discovery using #show mpls ldp discovery, and verify that MPLS is enabled on the adjacent router on the respective interface (use show mpls ldp interface)

-if a neighbour is discovered, verify whether the TCP session is established using show mpls ldp neighbor. If there is no session, reachability between the router Loopback interfaces might be the issue (LDP requires the router IDs to be reachable)

Border Gateway Protocol (BGP)

-BGP is placed in the Edge in the IP NGN Infrastructure Layer

-Autonomous System (AS): collection of networks under a single technical administration, identified by an AS number

1-56319 - Public Use (allocated to RIRs by IANA)

53620-64511 - reserved by IANA

64512-65534 - Private Use

-Design goals for interdomain routing: scalability, secure routing information exchange, support for routing policies

-BGP is a distance vector protocol

-exchanges routing information between peers

-neighbors in the same AS (internal BGP) or a different AS (external BGP)

-reliable updates (TCP), only when triggered, and only info that has changed is transmitted

-designed to scale to huge internetwork for SPs to route traffic in the Internet


-BGP is a layer 7 application (using TCP)

Statically Defined Neighbours > Neighbour Table > Updates > BGP Table > BGP Scanner (based on attributes) > Routing Table

AS Types and Redundancy

-Transit AS: provides transit service of customer data to other autonomous systems

-Non-transit AS: a customer AS that is not allowed to transit traffic from other autonomous systems

-Stub AS: Only one link to a transit AS

-Single-homed Customers: for residential/small business; BGP is used when the customer needs a dynamic routing protocol, static routes are used when dynamic routing is not required

-Multi-homed customers: for customers that need provider-independent address space and their own AS number, BGP is used; customers/ISPs should use filters for routing updates (to avoid becoming a transit AS)

BGP Characteristics and Usage

-Reliable updates: TCP is used for transport, there are no periodic updates (just changes), periodic keepalives verify connectivity, and updates are batched and sent at configured intervals (avoids uncontrolled floods when links are flapping)

-Multiprotocol support: IPv4, IPv6, multicast, MPLS VPN, and more

-designed for huge networks: supports complex routing processes, interdomain routing

-common uses: customers connected to more than one SP, interconnecting SP networks (transit links), exchanging traffic at exchange points, the network core of large enterprise customers

-limitation: cannot influence the routing policies of a downstream AS; the forwarding decision is based on the destination IP, the source IP address does not influence the routing decision

MP-BGP

-BGP was originally IPv4 only; Multiprotocol (MP) BGP establishes TCP peer sessions over both IPv4 and IPv6 and can exchange MP traffic between peers: IPv4, IPv6, multicast, MPLS VPN (using address families to configure protocol-specific parameters)

-Address Families: IPv4 (unicast), IPv6 (unicast, multicast address prefix), CLNS, VPNv4 (distributes VPNv4 prefixes for each Layer 3 VPN), L2VPN

BGP Path Attributes

-path attributes are BGP's metrics; route selection depends on them

-can be transitive (forwarded to other neighbours) or nontransitive

-can be well-known (recognized by all compliant implementations, BGPv1 to v4):

-mandatory, must be present in all update messages, e.g. next hop, AS path, origin

-discretionary, where presence in update messages is optional, e.g. local preference

-or can be optional (recognized by only some implementations):

-Multi-exit discriminator (MED)

Path Attributes - Weight

-local to the router

-Cisco defined (and Cisco proprietary)

-highest weight wins when multiple routes exist

-applied to routes from a neighbour: either to all routes or to routes defined in a filter

Path Attributes - Local Preference

-local to an AS, exchanged between IBGP peers

-well-known, discretionary

-influences BGP path selection for outbound traffic

-highest local preference is preferred, 100 is the default value

Path Attributes - AS Path

-sequence of autonomous systems a route has travelled

-well-known, mandatory


-primarily used for loop detection, if the path contains your AS number, the route is dropped

-also used for best path manipulation

-your AS number is prepended to the existing AS path when sent to external neighbours

Attribute        | Attribute Purpose                       | Attribute Type
Weight           | Local (to router) path selection        | Cisco, local to router only
Next Hop         | How to reach the prefix                 | Well-known, mandatory
Origin           | Path selection based on origin          | Well-known, mandatory
AS Path          | Loop prevention                         | Well-known, mandatory
Local Preference | Local (to AS) path selection            | Well-known, discretionary
Community        | Additional prefix information           | Optional, transitive
MED              | Inter-AS path selection                 | Optional, nontransitive
Originator       | Path selection (who originated prefix)  | Optional, nontransitive

BGP Sessions

-BGP uses TCP for establishing a BGP session; port 179 is used and the session can run over IPv4 or IPv6. Sessions are established between two BGP peers (IBGP: in the same AS, EBGP: in different ASes)

-EBGP peers are usually reachable through a directly connected link

-IBGP peers are typically established through loopback interfaces

-BGP session neighbour states:

-Idle: starting the BGP process, initiates a BGP connection with configured peers, changes to the Connect state

-Active: router tries to establish another TCP session; if successful it goes to the OpenSent state, if unsuccessful it goes back to the Idle state

-Established: peers send update messages; on error the session goes to the Idle state

-if stuck in the Idle state, it's likely due to: no route to the neighbour, or peering with the wrong neighbour

-BGP keepalives are sent every 60 seconds by default

EBGP

-an EBGP session can form any topology


-received updates are sent to all neighbours, who are normally directly connected

-by default, EBGP peers can be only one hop away, but EBGP multihop can be configured per neighbour

IBGP

-AS path is NOT changed in BGP updates

-updates from IBGP peers are sent only to EBGP neighbours: this prevents routing loops (BGP split horizon), so an IBGP full mesh is mandatory

BGP Security

-neighbour authentication via MD5 authentication using key chains (the password is hashed and the hash is sent, not the password)

-both routers must have the same password; used mostly for EBGP peers

-authenticating BGP peers prevents DoS attacks

BGP Updates

-BGP update packet carries information:

-Network Layer Reachability Information (NLRI): prefix length, prefix (the route)

-Path attributes: Origin, AS path, next hop, local preference

-optional attributes

-MP-BGP carries additional info: IPv6 routes, VPN MPLS

BGP Path Selection

1) Highest Weight

2) Highest Local Preference

3) Route originated by Local Router (next hop: 0.0.0.0)

4) Shortest AS path

5) Lowest Origin Code (i (IBGP)< e (EBGP) < ? (incomplete, redistributed))

6) Lowest MED


7) EBGP over IBGP

8) Closest IGP neighbour

9) Oldest Date

10) Lowest Neighbour Router ID

11) Lowest Neighbour IP Address
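The eleven steps above are a sequence of tie-breakers; the added example below (not vendor code) encodes them in order over constructed BGP route records and reports which step decided, so a practitioner can check why a given path won. The route fields, the sample prefix 172.16.8.0/24 and the neighbour addresses are assumptions, loosely following the AS numbers used in these notes.

```python
"""BGP best-path selection following the 11 steps listed above (added example,
not vendor code).  Routes are constructed records; select_best() applies each
step as a tie-breaker and reports which step decided."""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # lower is better: i < e < ? (incomplete)


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str                 # "0.0.0.0" marks a route originated by this router
    as_path: Tuple[int, ...]
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True             # learned from an external peer
    igp_metric: int = 0           # IGP cost to reach the next hop
    age: int = 0                  # seconds since the route was received
    neighbor_rid: str = "0.0.0.0"
    neighbor_addr: str = "0.0.0.0"


def _ip_key(addr: str) -> Tuple[int, ...]:
    """Compare dotted-quad addresses numerically, octet by octet."""
    return tuple(int(o) for o in addr.split("."))


# (step name, attribute to compare, which value wins)
STEPS: List[Tuple[str, Callable[[BgpRoute], object], Callable]] = [
    ("highest weight",            lambda r: r.weight,                max),
    ("highest local preference",  lambda r: r.local_pref,            max),
    ("locally originated",        lambda r: r.next_hop == "0.0.0.0", max),
    ("shortest AS path",          lambda r: len(r.as_path),          min),
    ("lowest origin code",        lambda r: ORIGIN_RANK[r.origin],   min),
    ("lowest MED",                lambda r: r.med,                   min),
    ("eBGP over iBGP",            lambda r: r.ebgp,                  max),
    ("closest IGP next hop",      lambda r: r.igp_metric,            min),
    ("oldest route",              lambda r: r.age,                   max),
    ("lowest neighbor router ID", lambda r: _ip_key(r.neighbor_rid), min),
    ("lowest neighbor address",   lambda r: _ip_key(r.neighbor_addr), min),
]


def select_best(routes: Sequence[BgpRoute]) -> Tuple[BgpRoute, str]:
    """Return the winning route and the name of the step that broke the tie.

    Simplification: MED is compared across all candidates, as the list above
    states; real implementations compare it only among paths from the same
    neighbouring AS.
    """
    if not routes:
        raise ValueError("no routes to compare")
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("best path is selected per prefix")
    candidates = list(routes)
    for name, key, best in STEPS:
        target = best(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == target]
        if len(candidates) == 1:            # this step decided
            return candidates[0], name
    return candidates[0], "full tie"


def sample_routes() -> List[BgpRoute]:
    """Constructed candidates for one prefix: an eBGP path and an iBGP path that tie on everything else."""
    return [
        BgpRoute("172.16.8.0/24", "192.168.107.71", (64507,), ebgp=True,
                 neighbor_rid="10.7.1.1", neighbor_addr="192.168.107.71"),
        BgpRoute("172.16.8.0/24", "10.0.1.1", (64507,), ebgp=False,
                 neighbor_rid="10.0.1.1", neighbor_addr="10.0.1.1"),
    ]


if __name__ == "__main__":
    best, reason = select_best(sample_routes())
    print(f"best path via {best.next_hop}, decided by: {reason}")
```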

BGP Route Propagation

-only the best routes are advertised to BGP peers

-Split horizon in effect: a router never sends a route back through the same BGP session from which the route was received

-route poisoning can be used

Advertising Local Networks (BGP)

-routers originate BGP routes in 2 different ways:

-via network config command (only if network is in routing table, prefix and mask must match)

-redistribution from another routing protocol (redistributes connected routes or routes from an IGP; origin is set to incomplete)

-BGP periodically checks if originated routes are also in the routing table

BGP Config Scenario


Configuring BGP IOS XR

A(config)#router bgp 64500
 address-family ipv4 unicast
 address-family ipv6 unicast
 neighbor 192.168.107.71
  remote-as 64507
  address-family ipv4 unicast
 neighbor 2001:db8:192:168:107::71
  remote-as 64507
  address-family ipv6 unicast

 neighbor 10.0.1.1
  remote-as 64500 (this is an IBGP peer)
  update-source Loopback0 (this is Router B's loopback)
  address-family ipv4 unicast
 neighbor 2001:db8:10:0:1::1
  remote-as 64500
  update-source Loopback0
  address-family ipv6 unicast

B(config)#router bgp 64500
 address-family ipv4 unicast
 address-family ipv6 unicast
 neighbor 10.7.1.1
  remote-as 64500 (IBGP peer)
  update-source Loopback0 (Router A's loopback)
  address-family ipv4 unicast
 neighbor 2001:db8:10:7:1::1
  remote-as 64500
  update-source Loopback0
  address-family ipv6 unicast

#sh bgp table ipv4|ipv6 unicast (verify BGP peers)

IOS

(config)#router bgp 64507
 neighbor 2001:db8:192:168:107::70 remote-as 64500 (configures an EBGP peer)
 neighbor 192.168.107.70 remote-as 64500
 address-family ipv4
  no neighbor 2001:db8:192:168:107::70 activate
  neighbor 192.168.107.70 activate (these commands ensure only the IPv4 neighbor is active in the IPv4 address family)
 address-family ipv6 (the router and unicast commands are needed for enabling basic BGP)
  neighbor 2001:db8:192:168:107::70 activate

#show bgp summary (verify BGP peers)

Disable a BGP Peer

-disabling a neighbour shuts down communication with it; this is used for debugging, troubleshooting, and during extensive modification of routing policies

(config-router)#neighbor <ip address> shutdown

Advertising Local Routes

-use the network command or redistribute routes from other IGPs (OSPF, etc.)

-route policy for EBGP peers is mandatory

IOS XR

(config)#int Loopback10
 ipv4 address 172.16.8.1 255.255.255.0
 no shut


(config)#router bgp 64500
 address-family ipv4 unicast
  network 10.10.10.0/24

IOS

(config)#int Loopback10
 ip address 172.16.7.1 255.255.255.0
 no shut

(config)#router bgp 64507
 neighbor 192.168.107.70 remote-as 64500
 address-family ipv4

-remember that a network must be present in the routing table to be advertised to other BGP peers

Route Manipulation: Route Policy

-performed in IOS XR with Routing Policy Language (RPL); route policies are a powerful tool for route manipulation:

-prepend AS to AS path

-replace AS from AS path

-set origin

-set weight

-set local-preference

-reject route

-and more

-IOS does not use RPL, BUT can use route maps and ACLs, applied to neighbours

Configuring Route Policies

A(config)#route-policy pass (names the route policy)
 pass
end-policy

A(config)#router bgp 64500
 address-family ipv6 unicast
 neighbor 2001:db8:192:168:107::71
  remote-as 64507
  address-family ipv6 unicast
   route-policy pass in
   route-policy pass out

-when configuring an EBGP peer, route policy configuration is mandatory under the neighbour address family; if you do not configure a route policy, no updates are sent to the EBGP peer

Verifying BGP Routes - IOS


#show route ipv4|ipv6 bgp (show BGP routes)

#show bgp ipv4|ipv6 all (show BGP prefixes)

Access Control Lists

-used for filtering (allow/deny IP traffic either in or out) and classification (identifies traffic for special handling, such as for QoS)

-without filters, all IP traffic in/out is allowed

-ACL filter is applied to an interface either inbound or outbound

-ACLs are consulted in a top-down fashion, executes the FIRST match

-There is an IMPLICIT DENY ALL at the bottom of each ACL

Wildcard Masks

-follow an IP address in an ACL entry and specify which bits in the IP address will be checked against the statement

-0 means check the corresponding bit

-1 means ignore the corresponding bit

e.g.: 192.168.146.0 0.0.0.255 means ignore ONLY the final octet of the IP

-single IP example: 172.16.1.1 0.0.0.0

ACL Types

-Standard ACL:

-checks source address

-not supported for IPv6 and on Cisco IOS XR

-Extended ACL:

-checks source AND destination address

-checks Layer 4 protocol

-checks source and destination port (in the case of TCP or UDP)

-ACLs can be identified by number (legacy and not for IPv6 and IOS XR), or name (recommended)

-only one ACL per interface, per protocol, and per direction is allowed

-most specific statement should be at the top, most general should be at the bottom

-due to implicit deny, ACL requires at least one permit statement

-When placing an ACL in a network:

-place standard ACLs close to the destination


-place extended ACLs close to the source

-An ACL applied to an interface does not filter traffic originating from the router itself (management traffic, routing protocol traffic); you should apply an ACL to the vty lines to limit admin access (Telnet, SSH) to the router

Standard ACLs

-based on source IPv4 address, only used on IOS/IOS XE

-wildcard mask used to match individual IPs or subnets

-config is done in two steps:

1) create the ACL and its specific statements

2) apply the access list to an interface

Standard ACL Configuration

(config)#ip access-list standard FILTER (creates a standard ACL with a name)
 10 permit 172.16.0.0 0.0.255.255
 20 deny any

(config)#int gi0/1
 ip access-group FILTER in

#show access-lists

#show ip int gi0/1 (will display IP access lists applied to the interface)

Extended ACLs

-filters traffic based on:

-source and destination IPv4/v6 address

-Layer 4 protocol

-source and destination port (UDP or TCP)

-wildcard mask used to match individual IP addresses or subnets (IPv4 only)

-config is done in two steps:

-create an access list and specify statements

-apply the access list to an interface

Well Known Port Numbers and IP Protocols

Well Known Port Number | IP Protocol
20 (TCP)               | FTP data
21 (TCP)               | FTP control
22 (TCP)               | SSH
23 (TCP)               | Telnet
35 (TCP)               | Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)           | Domain Name System (DNS)
69 (UDP)               | TFTP
80 (TCP)               | HTTP

Configuring IPv4 Extended ACLs - IOS XR

(config)#ipv4 access-list FILTER
 10 permit tcp host 172.16.1.1 ge 1023 host 192.168.1.1 eq www
 20 deny ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group FILTER ingress

-Operators: ge = greater than or equal, le = less than or equal, eq = equal, neq = not equal, range

#show access-lists ipv4|ipv6

#show ipv4|ipv6 interface (verifies which ACLs are applied to interfaces)

Configuring IPv6 Extended ACLs - IOS XR

(config)#ipv6 access-list FILTER
 10 permit tcp 2001:db8:172:16::1/128 2001:db8:192:168::1/128 eq www
 20 deny ipv6 any any

(config)#int gi0/0/0/1
 ipv6 access-group FILTER ingress

Service Provider Edge Filtering

-used to filter specific traffic on the edge of the network to protect it as well as the customers

-in general, IP addresses that should not been seen in a certain part of the network should be filtered

-Filtering Types

-Infrastructure ACLs: protect the infrastructure and block traffic to the router interfaces of the SP

-Antispoofing ACLs: in the inbound direction (from the SP point of view) to protect the SP from a customer; in the outbound direction, to protect a customer

-RFC 1918 address filtering: packets destined to or sourced from private IP addresses should not be seen on the Internet and should be filtered

-Filtering based on security packages: an SP can provide residential users with different security packages, where traffic to the customer can be restricted in order to protect that customer

Configuring Inbound Antispoofing ACLs - IOS XR

(config)#ipv4 access-list ANTI_SPOOF_FILTER_IN
 10 permit ipv4 209.165.202.128/28 any
 20 deny ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group ANTI_SPOOF_FILTER_IN ingress

-in this example, only packets sourced from the public IPs the SP assigned to the customer are accepted inbound on the customer-facing interface; any other source address arriving from that side would have been spoofed and is dropped

Configuring Outbound Antispoofing ACLs - IOS XR

(config)#ipv4 access-list ANTI_SPOOF_FILTER_OUT
 10 deny ipv4 209.165.202.128/28 any
 20 permit ipv4 any 209.165.202.128/28

(config)#int gi0/0/0/1
 ipv4 access-group ANTI_SPOOF_FILTER_OUT egress

-in this example, the customer is assigned the 209.165.202.128/28 subnet (and resides outside the SP network); the outbound ACL is configured to deny traffic originating from IP addresses that have been assigned to the customer, and allows any other traffic destined to the customer-assigned address space. This protects the customer from attacks where an attacker tries to penetrate the customer network by spoofing the customer's IP addresses. The ACL is applied outbound on the SP edge interface

Configuring RFC 1918 IP Address Filtering - IOS XR

-prevents IP packets with private destination IP addresses from being seen in the network of the SP; it is applied inbound on an edge interface of the SP network

(config)#ipv4 access-list ADDRESS_FILTER_IN
 10 deny ipv4 any 10.0.0.0 0.255.255.255
 20 deny ipv4 any 172.16.0.0 0.15.255.255
 30 deny ipv4 any 192.168.0.0 0.0.255.255
 80 permit ipv4 any any

(config)#int gi0/0/0/1
 ipv4 access-group ADDRESS_FILTER_IN ingress
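An added example (not Cisco code) that evaluates the three edge filters above the way the ACL rules in these notes describe: wildcard-mask matching (0 = check the bit, 1 = ignore it), /len prefixes, top-down first match and the implicit deny at the end. It loads the antispoofing and RFC 1918 entries exactly as written above and runs constructed packets through them, which is how you would sanity-check a filter before applying it to an edge interface; the packet addresses and the function names are assumptions.

```python
"""First-match evaluation of the IOS XR style IPv4 ACLs above (added example,
not Cisco code).  It implements wildcard masks (0 = bit must match, 1 = bit is
ignored), /len prefixes, host, any, top-down first match and the implicit deny,
then loads the antispoofing and RFC 1918 filters from the notes so they can be
checked against constructed packets before they are deployed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Match:
    addr: int
    wildcard: int          # bits set to 1 are ignored when comparing

    def covers(self, ip: str) -> bool:
        # every bit NOT covered by the wildcard must be equal
        return ((ip_int(ip) ^ self.addr) & (~self.wildcard & MASK32)) == 0


ANY = Match(0, MASK32)


def parse_match(tokens: List[str]) -> Match:
    """Consume one address specification from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return Match(ip_int(tokens.pop(0)), 0)
    if "/" in t:                                    # prefix notation, e.g. 209.165.202.128/28
        net = ipaddress.IPv4Network(t, strict=False)
        return Match(int(net.network_address), int(net.hostmask))
    return Match(ip_int(t), ip_int(tokens.pop(0)))  # "address wildcard" notation


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    src: Match
    dst: Match


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq permit|deny ipv4 SRC DST' lines; other protocols are out of scope here."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ipv4":
            raise ValueError(f"unsupported entry: {line!r}")
        rest = tokens[3:]
        src, dst = parse_match(rest), parse_match(rest)
        if rest:
            raise ValueError(f"trailing tokens in entry: {line!r}")
        aces.append(Ace(seq, action, src, dst))
    return sorted(aces, key=lambda a: a.seq)        # consulted top-down by sequence number


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); seq None means the implicit deny at the end fired."""
    for ace in acl:
        if ace.src.covers(src) and ace.dst.covers(dst):
            return ace.action, ace.seq
    return "deny", None


# The three filters from the notes, exactly as written there.
ANTI_SPOOF_IN = parse_acl("""
10 permit ipv4 209.165.202.128/28 any
20 deny ipv4 any any
""")
ANTI_SPOOF_OUT = parse_acl("""
10 deny ipv4 209.165.202.128/28 any
20 permit ipv4 any 209.165.202.128/28
""")
ADDRESS_FILTER_IN = parse_acl("""
10 deny ipv4 any 10.0.0.0 0.255.255.255
20 deny ipv4 any 172.16.0.0 0.15.255.255
30 deny ipv4 any 192.168.0.0 0.0.255.255
80 permit ipv4 any any
""")

if __name__ == "__main__":
    # constructed packets: (filter name, acl, source, destination)
    for name, acl, s, d in [("IN", ANTI_SPOOF_IN, "10.9.9.9", "198.51.100.1"),
                            ("OUT", ANTI_SPOOF_OUT, "209.165.202.130", "209.165.202.131"),
                            ("RFC1918", ADDRESS_FILTER_IN, "198.51.100.1", "172.31.1.1")]:
        print(name, s, "->", d, evaluate(acl, s, d))
```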

Transitioning to IPv6


-Types of transition mechanisms:

-Static IPv6 Tunnels: manual IPv6 tunnels across IPv4 networks; they need to connect to tunnel brokers that provide IPv6 tunnels and globally routed addresses

-6to4 Tunneling - uses automatic IPv6 tunnels across the IPv4 network. This technology, however, is OBSOLETE

-IPv6 Rapid Deployment (6rd) tunnelling - similar to 6to4 tunneling; 6rd is recommended because it solves the issues of 6to4 tunneling

-Carrier Grade NAT (CGN) - Dual Stack (DS) Lite - IPv6 traffic goes natively over the core network, IPv4 traffic is tunnelled over the IPv6 network of the SP; this traffic has private IPv4 addresses and must be translated to public IPv4 via CGN devices

-NAT64 - an SP that only has IPv6 services uses a NAT64 device on the edge of its network to translate IPv6 to IPv4 to allow access to IPv4 content

-Teredo Tunneling - where neither customer nor SP have IPv6, the Teredo tunnel is established from a customer endpoint (PC) to a Teredo Relay (a service); IPv6 is encapsulated inside UDP on top of IPv4, however it has significant security concerns

Carrier Grade NAT (CGN)

Inside Local Address: private address assigned to a host on the inside network

Inside Global Address: a public IP address that is assigned by an SP and represents one or more inside local addresses to the outside world

Outside Local Address: IP address of an outside host as it appears on the inside network; the outside local address could be a private IP if the outside host is subject to NAT

Outside Global Address: IP address assigned to a host on the outside network by the host owner

-CGN shifts the NAT function from the customer premises to the SP network

-Caveats of CGN: breaks end-to-end connectivity, has potential scalability and performance issues, makes record-keeping operations more difficult, makes hosting of services on the customer side impossible

-NAT444: translating IPv4 addresses to IPv4 addresses - traverses 3 IPv4 addressing domains, the packet is translated twice

-DS-Lite: provides tunnelling of IPv4 traffic over IPv6, and then the CGN operation is performed; IPv6 traffic travels natively

-NAT64: assigning IPv6 addresses to customers and then translating IPv6 packets to IPv4 on the SP edge; comes in two flavors


-Stateless NAT64: translates IPv4 header into IPv6 header (and vice versa) uses algorithmic bindings

between IPv4/IPv6 addresses. Disadvantage is that it only translates one-to-one

-Stateful NAT64: multiplexes many IPv6 devices into a single IPv4 address using PAT. A state is

created in the NAT64 device for every flow

-both are used with DNS64, which allows IPv6 hosts to retrieve the IPv6 address of IPv4 only hosts

-DNS-64: synthesizes a AAAA record, based on a received A record and on a well-known SP-assigned

translation prefix
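The DNS64 synthesis and the stateful NAT64 flow state described above, worked through in Python as an added example (not code from the study notes). The 64:ff9b::/96 well-known prefix (RFC 6052), the pool address 203.0.113.5 and the sample flows are assumptions for the example.

```python
import ipaddress

# Translation prefix assumed for the example: the well-known NAT64/DNS64
# prefix 64:ff9b::/96; an SP may instead configure its own /96 prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def dns64_synthesize(a_record, prefix=NAT64_PREFIX):
    """AAAA answer DNS64 returns for an IPv4-only host: the /96 prefix with the
    A record's 32 bits placed in the low-order bits of the IPv6 address."""
    v4 = int(ipaddress.IPv4Address(a_record))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))

def nat64_embedded_ipv4(v6, prefix=NAT64_PREFIX):
    """Reverse step done by the NAT64 device: recover the IPv4 destination from a
    synthesized address; None if the address is not inside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

class StatefulNAT64:
    """Many IPv6 sources share one public IPv4 address via PAT; one state
    entry is created per flow, as the notes describe."""
    def __init__(self, pool_ipv4, first_port=1024):
        self.pool_ipv4 = pool_ipv4
        self.next_port = first_port
        self.flows = {}    # (v6src, sport, v4dst, dport) -> translated source port
        self.reverse = {}  # (translated port, v4dst, dport) -> (v6src, sport)

    def outbound(self, v6src, sport, v6dst, dport):
        """IPv6 -> IPv4 direction; returns the translated IPv4 4-tuple."""
        v4dst = nat64_embedded_ipv4(v6dst)
        if v4dst is None:
            raise ValueError("destination not inside NAT64 prefix; route natively")
        key = (v6src, sport, v4dst, dport)
        if key not in self.flows:                       # new flow: allocate state
            self.flows[key] = self.next_port
            self.reverse[(self.next_port, v4dst, dport)] = (v6src, sport)
            self.next_port += 1
        return self.pool_ipv4, self.flows[key], v4dst, dport

    def inbound(self, v4src, sport, translated_port):
        """Return traffic: map pool address/port back to the IPv6 flow (None if no state)."""
        return self.reverse.get((translated_port, v4src, sport))
```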

Dual Stack

-both IPv4 and IPv6 stacks are concurrently enabled, applications can talk to both stacks, IPv6 path is

preferred

-Dual Stack IPv4 and IPv6: if an application and destination support both it chooses one address and

connects to it

Dual Stack Configuration

(config)#ipv6 unicast-routing (enables IPv6 routing on the router)

(config)#int gi0/0
(config-if)#ip address 192.168.0.1 <subnet-mask>
(config-if)#ipv6 address 2001:db8:c10:1::3/64

IPv6-in-IPv4 Tunneling

-tunneling is used to transport one network protocol over another by encapsulating packets

-routing inside the transport network is performed based on the outer IP header

-an example is Generic Routing Encapsulation (GRE)

Tunneling Solutions

-during transition, all devices can be dual stack (not all devices are under common administration, almost twice as much admin burden)

-Manual Tunneling between 2 sites: 6in4 encapsulation, GRE encapsulation

-Dynamic tunnelling between sites and/or the rest of IPv6 internet: 6to4 (outdated), 6rd (desirable)

Manual - 6in4 Tunneling

-IPv6 traffic is sent over IPv4 via explicitly configured tunnels

-uses protocol number 41 in the IPv4 header

-tunnel interface is IPv6 stack only

-the only overhead is the IPv4 header:

IPv4 Header | IPv6 Packet

Manual - GRE

-IPv6 traffic is sent over IPv4 via explicitly configured GRE tunnels

-uses protocol number 47 in the IPv4 header

-tunnel interface can be dual-stack

-overhead is the IPv4 header + GRE header

-NOT supported in IOS XR!

IPv4 Header | GRE Header (20 bytes) | IPv6 Packet
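An added example (not from the study notes) that builds and classifies the two manual encapsulations above: a 6in4 packet carries protocol 41 and only the IPv4 header as overhead, a GRE packet carries protocol 47 plus the GRE header, which is why the two can be told apart by the IPv4 protocol field alone. The inner packet and the tunnel endpoint addresses are constructed for the example.

```python
import struct
import ipaddress

PROTO_IPV6_IN_IPV4 = 41   # 6in4 (tunnel mode ipv6ip)
PROTO_GRE = 47            # GRE (tunnel mode gre ip)
ETHERTYPE_IPV6 = 0x86DD   # GRE protocol-type value for an IPv6 payload

def ipv4_checksum(header):
    """One's-complement sum over the IPv4 header (checksum field included)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(inner_ipv6, src, dst, mode):
    """Wrap an IPv6 packet the way the two manual tunnel modes do."""
    if mode == "ipv6ip":
        proto, payload = PROTO_IPV6_IN_IPV4, inner_ipv6
    elif mode == "gre":
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV6)   # no flags, IPv6 protocol type
        proto, payload = PROTO_GRE, gre + inner_ipv6
    else:
        raise ValueError(mode)
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags (DF)/offset, TTL, protocol, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def decapsulate(outer):
    """Classify an IPv4 packet by protocol number; returns (mode, overhead bytes, inner)."""
    ihl = (outer[0] & 0x0F) * 4
    proto = outer[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "ipv6ip", ihl, outer[ihl:]
    if proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
        if ptype != ETHERTYPE_IPV6 or flags & 0xB000:   # C/K/S bits would extend the header
            return "gre-other", ihl + 4, outer[ihl + 4:]
        return "gre", ihl + 4, outer[ihl + 4:]
    return "native", ihl, outer[ihl:]
```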

6in4 Tunneling Configuration

-setting up a 6in4 manual tunnel between two routers with customers using IPv6

A(config)#int Tunnel0
A(config-if)#ipv6 address 2001:db8:3::1/64
A(config-if)#tunnel source gi0/0 (outbound interface to the other router)
A(config-if)#tunnel destination 209.165.201.6
A(config-if)#tunnel mode ipv6ip (sets the 6in4 tunneling mode)

A(config)#ipv6 route 2001:db8:2::/64 Tunnel0 2001:db8:3::2 (creates a static IPv6 route to reach the other router's subnet via the tunnel; the next hop is a host address, so it takes no prefix length)

B(config)#int Tunnel0
B(config-if)#ipv6 address 2001:db8:3::2/64
B(config-if)#tunnel source gi0/0 (outbound interface to the other router)
B(config-if)#tunnel destination 209.165.201.1
B(config-if)#tunnel mode ipv6ip

B(config)#ipv6 route 2001:db8:1::/64 Tunnel0 2001:db8:3::1

Automatic - 6to4 (IPv6 in IPv4)

-uses 6in4 encapsulation to tunnel IPv6 in IPv4

-to access native IPv6 networks, relay routers have to be established

-relay router should be available on the reserved anycast IP address 192.88.99.1

-IPv6 addresses must use the specifically assigned prefix 2002::/16

-the well-known prefix is concatenated (linked together) with the IPv4 address that is assigned to the customer; the resulting IPv6 network is assigned to the customer

-for traffic between IPv6 islands, the tunnel destination is determined from the IPv6 destination prefix

-for traffic to the IPv6 internet, the 6to4 relay router IPv4 address is known

-NO LONGER USED DUE TO: predefined IPv6 addressing, which caused problems with readdressing when migrating to native IPv6, and no guarantees for the existence of 6to4 relay routers

Automatic - 6rd

-similar to the obsolete 6to4:

-uses 6in4 encapsulation to tunnel

-customers use the assigned prefix of the server router

-the border relay router is under SP control and the SP is responsible for routing traffic from customers to native IPv6 addresses

-the SP selects a GLOBALLY routable IPv6 prefix from its address space

-the 6rd prefix is concatenated with IPv4 address that is assigned to the customer, the resulting IPv6

network is assigned to the customer

-traffic between customers: destination address falls within 6rd prefix and tunnel destination is

determined from IPv6 prefix

-Traffic to IPv6 internet: destination address does not fall within 6rd prefix and traffic is sent to

preconfigured 6rd border

-allows SPs to instantly offer IPv6 services without migrating the core network

-CE routers should be under SP administration

-supported on Cisco ISR series and Cisco ASR 1000 Series routers
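The prefix derivation and tunnel-destination lookup shared by 6to4 and 6rd, as an added Python example that is not part of the study notes. It generalizes the text slightly: 6rd (RFC 5969) lets the SP omit the high-order IPv4 bits common to all customers, and 6to4 is the same mechanism with fixed parameters. The 6rd prefix 2001:db8::/32, the IPv4 block 10.0.0.0/8 and the border relay address 203.0.113.1 are assumptions for the example.

```python
import ipaddress

class SixRD:
    """One 6rd domain: SP-selected IPv6 prefix, the IPv4 block customers are
    numbered from (its prefix length = bits omitted from the embedding) and the
    border relay (BR) IPv4 address."""
    def __init__(self, rd_prefix, ipv4_block, br_ipv4):
        self.prefix = ipaddress.IPv6Network(rd_prefix)
        self.block = ipaddress.IPv4Network(ipv4_block)
        self.br_ipv4 = br_ipv4
        self.v4_bits = 32 - self.block.prefixlen   # IPv4 bits embedded per customer

    def delegated_prefix(self, customer_ipv4):
        """6rd prefix concatenated with the customer's (non-common) IPv4 bits."""
        v4 = ipaddress.IPv4Address(customer_ipv4)
        if v4 not in self.block:
            raise ValueError("customer address outside the 6rd IPv4 block")
        low = int(v4) & ((1 << self.v4_bits) - 1)
        plen = self.prefix.prefixlen + self.v4_bits
        addr = int(self.prefix.network_address) | (low << (128 - plen))
        return ipaddress.IPv6Network((addr, plen))

    def tunnel_destination(self, ipv6_dst):
        """Inside the 6rd prefix: peer's IPv4 address recovered from the IPv6
        destination. Outside it: send to the preconfigured border relay."""
        dst = ipaddress.IPv6Address(ipv6_dst)
        if dst not in self.prefix:
            return self.br_ipv4
        shift = 128 - self.prefix.prefixlen - self.v4_bits
        low = (int(dst) >> shift) & ((1 << self.v4_bits) - 1)
        return str(ipaddress.IPv4Address(int(self.block.network_address) | low))

# 6to4 is the same mechanism with fixed parameters: prefix 2002::/16, all 32
# IPv4 bits embedded, relay reached via the well-known anycast address.
SIX_TO_FOUR = SixRD("2002::/16", "0.0.0.0/0", "192.88.99.1")

# Assumed SP domain for the example: customers numbered from 10.0.0.0/8,
# so only 24 IPv4 bits are embedded and each customer gets a /56.
EXAMPLE_SP = SixRD("2001:db8::/32", "10.0.0.0/8", "203.0.113.1")
```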

Cisco IOS XR Software Architecture

-modular OS where each module provides a set of capabilities

-core bundle of modules provides the basic functionality to operate a router, optional packages may be

installed for additional functionality

Layered architecture (reconstructed from the figure, top to bottom):

Routing Modules (BGP, OSPF) | Protocol Modules (IP) | Application Modules (run on multiple CPUs)

Distributed Infrastructure

Cisco IOS XR Kernel

-each layer performs a separate set of tasks

-layers communicate with each other through the kernel

IOS XR Software capabilities

-protected memory access:

-each process has a virtual memory space

-one process cannot corrupt the memory of another

-in comparison to IOS, where all processes shared the same virtual space

-limited use of shared memory

-preemptive multitasking

-Dynamically Linked Libraries (DLLs)

-only loads active libraries

-processes share the library code

-DLLs unloaded when no longer needed

-no virtual memory/swapping

-the following platforms use IOS XR:

-CRS-1, CRS-3, ASR 9000, XR 12000 (can also use IOS)

-IOS XR High Availability Components: kernel, plane separation, fault tolerance and isolation, checkpoint

support for process restart, process-level redundancy

-Control Plane: distributes routing tasks and management of the routing information base (RIB) among participating RPs; different routing processes can be running on different physical units

-Data Plane: maintains the forwarding information base (FIB) changes across the participating nodes, letting the router perform as a single forwarding entity

-Management Plane: controls the operation of the router as a single networking element

Cisco IOS XR Software Packages

-Unicast Routing Core Bundle: OS and minimum boot image, base, infra, routing, forwarding, line card

drivers

-optional packages: multicast, manageability, MPLS, security, diagnostics, field-programmable device,

documentation

-Installation of packages

-Package Installation Envelope (PIE) files are uploaded to the device

-PIE files need to be added to the system and unpackaged

-package then needs to be unpacked

-installation of new package must be committed to make it persistent across reboots

Rolling Back to a Previous Installation Operation

-rollback feature allows rollback to a specific point before the installation of new software packages

-points can be listed with show install rollback

-detailed info about a rollback: show install rollback <rollback-number> detailed

-rollback with install rollback to <rollback-number>

Installation of Software Packages

-a PIE file for multicast software is located on disk1:

#admin (enters administration EXEC mode)
(admin)#install add disk1:asr9k-mcast-p.pie-4.0.1 (unpacks a PIE file from the local storage device and adds the package file to the boot device of the router)
(admin)#install activate disk1:asr9k-mcast-p.pie-4.0.1 (activates the multicast package that was added to the router)
(admin)#install commit (commits the current set of packages on the router so that these packages are used if the router is restarted)
(admin)#show install active (displays the active software on the router)

Uninstallation of Software Packages

(admin)#install deactivate <package name>

(admin)#install remove <package name>

(admin)#install remove inactive (alternate command to remove all inactive packages)

IOS XR Software Upgrades

-upgrades can be delivered without rebasing the entire image, one component upgrade does not force an

upgrade of another component

-uses same commands as installing packages

-use the optional test parameter to preview the effects of the upgrade

-downgrades are performed the same way as upgrades, add and activate an older version

-when a new package is activated, the old one is deactivated

-Software Maintenance Updates: emergency fix, installed using the same procedure as a PIE file

Installing IOS XR from the Beginning

-done because: The route processor (RP) is unable to boot IOS XR, or you want to completely replace

the existing software

-installation from the beginning is done from the ROM monitor

-special installation files with the extension .vm are used

-sometimes referred to as Turboboot, can be done from a TFTP server or from a file stored on a local disk

Turboboot

-an environmental variable that:

-automates the software installation process in the ROM monitor

-determines installation settings

-4 variable options:

-on: installs and activates IOS XR software package

-boot-device: selects the destination disk

-format | clean: specifies whether or not the files on the disk are preserved

-nodisablebreak: specifies if installation process can be prematurely terminated

-files installed from the ROMMon have a .vm extension, they include the software that is included in the

IOS XR Unicast Routing Core Bundle

Page 44: CCNA SP 640-878 SPNGN2 Study Notes - certmaniacscertmaniacs.com/wp-content/uploads/2015/01/CCNA-SP... · CCNA SP 640-878 SPNGN2 Study Notes Cisco IP NGN Architecture ... Network Traffic

certmaniacs_

Committing Configuration

-IOS XR has a two-stage configuration: 1) make config changes 2) make the changes persistent (commit)

-there is no distinction between startup and running config on IOS XR, just committed and uncommitted changes

-commit (atomic): commits changes only if all changes in the target config are valid, if errors are found,

no changes take place

-commit best-effort: configures only the changes that are possible (error free)

#show running-config: contents of the active (committed) configuration

#show configuration: changes made to the target config, they have been entered but not yet committed

#show configuration merge: combined contents of the target and running config without committing the changes

#show configuration failed: reasons for a config commit error

Config Rollback Points

-each commit generates a record with a CommitID or label

-each CommitID is a rollback point

-the commit database stores up to 100 rollback points

#show configuration commit list: view the CommitIDs for the available rollback points

#show configuration commit change <change #>

#rollback configuration to 1000000042 (rolls back to selected CommitID)