There are too many IBGP neighbors: an IBGP full mesh does not scale. Two solutions: route reflection and confederation.
BGP route reflection
+ A BGP route reflector avoids the need for an IBGP full mesh.
+ The reflector receives paths from clients and non-clients
+ Selects the best path
~ If the best path is from a client, reflect it to the other clients and to non-clients
~ If the best path is from a non-client, reflect it to clients only
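The reflection rules above as an added example (not from the notes): a small model that, for a best path learned from a given IBGP peer, returns the peers it is advertised to. It goes one step beyond the notes by also applying the RFC 4456 loop-prevention attributes (ORIGINATOR_ID, CLUSTER_LIST), so a route that already passed through this cluster is dropped. Router IDs and cluster IDs are constructed values.

```python
# Added example, not from the notes: a model of the route-reflector
# advertisement rules above. It also applies the loop-prevention attributes
# from RFC 4456 (ORIGINATOR_ID and CLUSTER_LIST), which the notes do not cover.
# Peers are identified by their BGP router IDs (constructed values).
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    originator_id: Optional[str] = None      # router ID of the IBGP speaker that originated the route
    cluster_list: Tuple[str, ...] = ()       # cluster IDs the route has already been reflected through


class RouteReflector:
    def __init__(self, router_id, cluster_id, clients, non_clients):
        self.router_id = router_id
        self.cluster_id = cluster_id
        self.clients = frozenset(clients)
        self.non_clients = frozenset(non_clients)

    def accept(self, route: Route) -> bool:
        """Loop prevention: drop a route that already passed through this cluster
        or that this router originated itself."""
        if self.cluster_id in route.cluster_list:
            return False
        if route.originator_id == self.router_id:
            return False
        return True

    def reflect(self, best: Route, learned_from: str):
        """Given the best path for a prefix and the IBGP peer it was learned from,
        return (peers to advertise to, the route as sent). Returns (empty, None)
        if the route is rejected by loop prevention."""
        if not self.accept(best):
            return frozenset(), None
        if learned_from in self.clients:
            # from a client: reflect to all other clients and to all non-clients
            targets = (self.clients - {learned_from}) | self.non_clients
        elif learned_from in self.non_clients:
            # from a non-client: reflect to clients only (non-clients are fully meshed)
            targets = self.clients
        else:
            raise ValueError(f"{learned_from} is not a configured IBGP peer")
        sent = replace(
            best,
            originator_id=best.originator_id or learned_from,    # set only if not already present
            cluster_list=(self.cluster_id,) + best.cluster_list,  # prepend own cluster ID
        )
        return targets, sent


def demo():
    """Reflector 10.0.0.1 with two clients and one non-client (constructed)."""
    rr = RouteReflector("10.0.0.1", "10.0.0.1",
                        clients={"10.0.0.11", "10.0.0.12"},
                        non_clients={"10.0.0.2"})
    from_client = rr.reflect(Route("192.0.2.0/24"), "10.0.0.11")
    from_non_client = rr.reflect(Route("198.51.100.0/24"), "10.0.0.2")
    # the same route coming back with our own cluster ID in CLUSTER_LIST is dropped
    looped = rr.reflect(Route("192.0.2.0/24", originator_id="10.0.0.11",
                              cluster_list=("10.0.0.1",)), "10.0.0.2")
    return from_client, from_non_client, looped
```

Without the CLUSTER_LIST check, two reflectors in the same cluster would keep re-reflecting each other's routes; that check is what lets a cluster run redundant reflectors safely.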
BGP confederation
+ One AS is divided into multiple sub-ASes. Within each sub-AS, IBGP is fully meshed.
+ Between sub-ASes, EBGP is used; externally the confederation still appears as a single AS.
Ch5 (SQ)
display acl {acl-number | name acl-name | all}
An ACL is used primarily to identify (classify) traffic flows.
Basic ACL (2000-2999): matches on source address only
firewall enable
acl number 2000
rule deny source 172.16.0.1 0.0.0.0
// rule [rule-id] {deny | permit} [fragment | logging | source {sour-addr sour-wildcard | any} | time-range time-name]
// rule-id is optional; if omitted the system assigns one
quit
interface Serial 2/0
firewall packet-filter 2000 inbound
// firewall packet-filter {acl-number | name acl-name} {inbound | outbound}
Advanced ACL (3000-3999): matches on source and destination address, protocol and ports
firewall enable
acl number 3000
rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255
// wildcard 0 means the exact host; 0.0.1.255 covers 192.168.0.0/23
// rule [rule-id] {deny | permit} {tcp | udp | ip}
//   [destination {dest-addr dest-wildcard | any}]
//   [destination-port operator port1 [port2]]
//   [established | fragment] [source {sour-addr sour-wildcard | any}]
//   [source-port operator port1 [port2]]
//   [time-range time-name]
// rule-id is optional
quit
interface Serial 2/0
firewall packet-filter 3000 inbound
// firewall packet-filter {acl-number | name acl-name} {inbound | outbound}
Limitation
An ACL-based packet filter matches only on Layer 2, 3 and 4 header fields.
+ It cannot identify application-layer information
+ It cannot permit or deny a user's packets by username
+ It cannot authorize users
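The basic and advanced ACLs configured above, evaluated against constructed sample packets as an added example (not from the notes or from any vendor code). It implements wildcard-mask matching and first-match-wins evaluation in configuration order; the default action when no rule matches is assumed to be permit (on a real device that is controlled separately), and a second rule blocking TCP port 23 is added to ACL 3000 to show port matching.

```python
# Added example, not from the notes: evaluate Huawei-style basic and advanced
# ACL rules (wildcard masks, protocol, destination port) against constructed
# sample packets. First matching rule wins, in configuration order
# (match-order config); the default action when nothing matches is assumed
# to be permit here.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'.
    '0' or 0.0.0.0 means an exact host; 0.0.1.255 covers a /23."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def port_match(port: int, spec: Tuple) -> bool:
    """spec is ("eq", p), ("gt", p), ("lt", p) or ("range", lo, hi)."""
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown operator {op}")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"   # "tcp", "udp" or another IP protocol name
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    protocol: Optional[str] = None                # None for a basic ACL; "ip"/"tcp"/"udp" for advanced
    source: Optional[Tuple[str, str]] = None      # (addr, wildcard); None means any
    destination: Optional[Tuple[str, str]] = None
    destination_port: Optional[Tuple] = None      # see port_match()

    def matches(self, pkt: Packet) -> bool:
        # "ip" (or a basic rule) matches every protocol; tcp/udp must match exactly
        if self.protocol not in (None, "ip") and self.protocol != pkt.protocol:
            return False
        if self.source and not wildcard_match(pkt.src, *self.source):
            return False
        if self.destination and not wildcard_match(pkt.dst, *self.destination):
            return False
        if self.destination_port and not port_match(pkt.dport, self.destination_port):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """Return the action of the first matching rule, else the default action."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default


# acl number 2000 / rule deny source 172.16.0.1 0.0.0.0
ACL_2000 = [Rule("deny", source=("172.16.0.1", "0.0.0.0"))]

# acl number 3000: the rule from the notes, plus an added rule denying telnet
ACL_3000 = [
    Rule("deny", "ip", source=("172.16.0.1", "0"), destination=("192.168.0.0", "0.0.1.255")),
    Rule("deny", "tcp", destination_port=("eq", 23)),
]
```

Everything the evaluator looks at is a header field; there is no way to express "this user" or "this application" in a rule, which is the limitation listed above.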
Basic NAT
Maps ONE internal address to ONE external address (no port translation).
acl number 2000
rule 0 permit source 10.0.0.0 0.0.0.255
nat address-group 1 198.76.28.11 198.76.28.20
interface Ethernet0/1
nat outbound 2000 address-group 1 no-pat
// no-pat: only addresses are translated, ports stay unchanged; the 10-address pool limits concurrent inside hosts to 10
NAPT
Maps MULTIPLE internal addresses to ONE external address (translates both IP address and port).
acl number 2000
rule 0 permit source 10.0.0.0 0.0.0.255
nat address-group 1 198.76.28.11
interface Ethernet0/1
nat outbound 2000 address-group 1
// no "no-pat" here: with no-pat only addresses would be translated, which is Basic NAT, not NAPT
Easy IP
The NAT device uses the IP address of the outbound interface as the translated source IP address (with port translation, like NAPT).
acl number 2000
rule 0 permit source 10.0.0.0 0.0.0.255
interface Ethernet0/1
nat outbound 2000
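The three outbound NAT modes above (Basic NAT with no-pat, NAPT, Easy IP) modelled side by side as an added example, not from the notes or from any vendor implementation. It uses the ACL and address pool from the configurations; the Ethernet0/1 address 203.0.113.1 and the sequential port allocation starting at 10240 are constructed assumptions (a real device chooses ports differently).

```python
# Added example, not from the notes: a model of the three outbound NAT modes
# above (Basic NAT with "no-pat", NAPT, Easy IP) for the ACL and address pool
# in the notes. Port numbers for NAPT/Easy IP are allocated sequentially from
# 10240 here; a real device chooses them differently (constructed behaviour).
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]   # (IP address, port)


def address_range(first: str, last: str) -> List[str]:
    """Expand 'nat address-group 1 198.76.28.11 198.76.28.20' into its addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def acl_2000_permits(src_ip: str) -> bool:
    """rule 0 permit source 10.0.0.0 0.0.0.255 -> any host in 10.0.0.0/24."""
    return ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network("10.0.0.0/24")


class OutboundNat:
    def __init__(self, mode: str, pool: Optional[List[str]] = None,
                 interface_ip: Optional[str] = None, port_base: int = 10240):
        assert mode in ("basic", "napt", "easy-ip")
        self.mode = mode
        self.pool = list(pool or [])
        self.interface_ip = interface_ip
        self.next_port = port_base
        # basic: inside_ip -> global_ip;  napt / easy-ip: (inside_ip, port) -> (global_ip, port)
        self.bindings: Dict = {}

    def translate(self, src_ip: str, src_port: int) -> Optional[Flow]:
        """Outbound packet: return the translated (ip, port), the original flow if
        the ACL does not select it, or None if the packet must be dropped."""
        if not acl_2000_permits(src_ip):
            return (src_ip, src_port)                 # not selected by "nat outbound 2000"
        if self.mode == "basic":
            # "no-pat": one global address per inside host, port left unchanged
            if src_ip not in self.bindings:
                free = [g for g in self.pool if g not in self.bindings.values()]
                if not free:
                    return None                       # address pool exhausted
                self.bindings[src_ip] = free[0]
            return (self.bindings[src_ip], src_port)
        # NAPT uses the single pool address; Easy IP uses the outbound interface address
        global_ip = self.pool[0] if self.mode == "napt" else self.interface_ip
        key = (src_ip, src_port)
        if key not in self.bindings:
            self.bindings[key] = (global_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key]

    def reverse(self, global_ip: str, global_port: int) -> Optional[Flow]:
        """Inbound reply: map the global (ip, port) back to the inside flow, or None."""
        if self.mode == "basic":
            for inside_ip, g in self.bindings.items():
                if g == global_ip:
                    return (inside_ip, global_port)
            return None
        for inside, g in self.bindings.items():
            if g == (global_ip, global_port):
                return inside
        return None


def demo() -> Tuple[int, int, int]:
    """Send one flow from each of 12 inside hosts through each mode and count
    how many get translated."""
    basic = OutboundNat("basic", pool=address_range("198.76.28.11", "198.76.28.20"))
    napt = OutboundNat("napt", pool=["198.76.28.11"])
    easy = OutboundNat("easy-ip", interface_ip="203.0.113.1")   # assumed Ethernet0/1 address
    hosts = [f"10.0.0.{i}" for i in range(1, 13)]
    ok = lambda nat: sum(nat.translate(h, 5000) is not None for h in hosts)
    return ok(basic), ok(napt), ok(easy)
```

With a /24 inside and a 10-address pool, Basic NAT starts dropping the eleventh concurrent host, which is why the no-pat form only suits small sites or a pool as large as the inside network; NAPT and Easy IP multiplex on ports and keep going.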
Internal server
Allows direct access from a public host to a private host (static inbound mapping)
interface Ethernet0/1
nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet
Ch6 (SQ)
Control plane -> runs routing and other protocols: IP routing, OSPF, BGP, MSTP (spanning tree), LACP (link aggregation)
Data plane -> forwards packets from the incoming to the outgoing interface
Management plane -> configuration, monitoring and troubleshooting
Software Defined Networking (SDN)
+ Is a form of network virtualization in which the control plane is separated from the data plane and implemented in a software application (the controller).
+ This allows a single controller to configure and manage the complete network, instead of each device managing its own functionality and being programmed individually.
Benefits
+ Service provisioning speed and agility
+ Network flexibility and holistic management
+ Better and more granular security
+ Virtual network services, lowered capital expenses (CapEx)
3 layers
+ Application Layer
+ Control Layer
+ Infrastructure Layer