There are too many IBGP neighbors

BGP reflection
+ A BGP reflector can avoid using full mesh.
+ Reflector receives paths from clients and non-clients
+ Selects best path
    - If best path is from client, reflect to other clients and non-clients
    - If best path is from non-client, reflect to clients only

BGP confederation
+ One AS is divided into multiple sub-ASs. In each sub-AS, an IBGP fully meshed network is used, but EBGP is used between sub-ASs.

Ch5 (SQ)

display acl {acl-number/name/all}

An ACL is used primarily to identify traffic flow.

Basic ACL (2000-2999)

    firewall enable
    acl number 2000
    rule deny source 172.16.0.1 0.0.0.0
    // rule {rule-id} {deny/permit} {fragment/logging/source} {sour-addr sour-wildcard/any} time-range {time-name}
    quit
    interface S2/0
    firewall packet-filter 2000 inbound
    // firewall packet-filter {acl-number/name acl-name} {inbound/outbound}

Advanced ACL (3000-3999)

    firewall enable
    acl number 3000
    rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255
    // rule {rule-id} {deny/permit} {tcp/udp/ip} destination {dest-addr dest-wildcard/any} destination-port operator {port} {port2-if-has} {established/fragment/source} {sour-addr sour-wildcard/any} source-port operator {port1} {port2-if-has} time-range {time-name}
    quit
    interface S2/0
    firewall packet-filter 3000 inbound
    // firewall packet-filter {acl-number/name acl-name} {inbound/outbound}

Limitation
An ACL-based packet firewall filters packets according to the Layer 2, 3 and 4 information in the packet header. It cannot identify the application layer information.
+ It cannot permit or deny packets of a user by username.
+ It cannot authorize users.

Basic NAT
Maps ONE internal address to ONE external address.

    acl number 2000
    rule 0 permit source 10.0.0.0 0.0.0.255
    nat address-group 1 198.76.28.11 198.76.28.20
    interface Ethernet0/1
    nat outbound 2000 address-group 1 no-pat

NAPT
Maps MULTIPLE internal addresses to ONE external address (translates both IP address and port).

    acl number 2000
    rule 0 permit source 10.0.0.0 0.0.0.255
    nat address-group 1 198.76.28.11
    interface Ethernet0/1
    nat outbound 2000 address-group 1

Easy IP
The NAT device uses the IP address of the outbound interface as the translated source IP address (like NAPT).

    acl number 2000
    rule 0 permit source 10.0.0.0 0.0.0.255
    interface Ethernet0/1
    nat outbound 2000

Internal Server
Allows direct access from a public host to a private host.

    interface Ethernet0/1
    nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet

Ch6 (SQ)

Control plane -> Run routing protocols, STPs, link aggregation (IP, OSPF, BGP, MSTP, LACP)
Data plane -> Forwarding packets from incoming to outgoing interface
Management plane -> Configuration, monitoring and troubleshooting

Software Defined Networking (SDN)
+ Is a form of network virtualization in which the control plane is separated from the data plane and implemented in a software application.
+ This allows a single controller to configure or manage the complete network, as opposed to each device managing its own functionality and being programmed individually.

Benefits
+ Service provisioning speed and agility
+ Network flexibility and holistic management
+ Better and more granular security
+ Provide virtual network services, lowered capital expenses (capex)

3 layers
+ Application Layer
+ Control Layer
+ Infrastructure Layer
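Added example (not part of the original notes): a small Python evaluator for the address part of the basic and advanced ACL rules in the ACL section above, showing which packets the wildcard masks `0.0.0.0`, `0` and `0.0.1.255` actually match. It ignores protocol, ports and time ranges, and the `default="permit"` action for unmatched packets is an assumption, since the notes do not state the firewall default.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    if wildcard == "0":                      # shorthand for 0.0.0.0 (single host)
        wildcard = "0.0.0.0"
    care = ~_ip(wildcard) & 0xFFFFFFFF       # 1-bits are the bits that must match
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_rule(line):
    """Parse 'rule [id] {deny|permit} [ip] source A W [destination A W]'."""
    tok = line.split()
    rule = {"action": next(t for t in tok if t in ("deny", "permit")),
            "source": None, "destination": None}   # None means 'any'
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            rule[key] = None if tok[i + 1] == "any" else (tok[i + 1], tok[i + 2])
    return rule

def evaluate(rules, src, dst, default="permit"):
    """Return the action of the first matching rule (first match wins)."""
    for r in rules:
        checks = ((r["source"], src), (r["destination"], dst))
        if all(spec is None or wildcard_match(addr, *spec) for spec, addr in checks):
            return r["action"]
    return default                           # assumed default, not from the notes

# Rules copied from the notes
BASIC = [parse_rule("rule deny source 172.16.0.1 0.0.0.0")]
ADVANCED = [parse_rule(
    "rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255")]

if __name__ == "__main__":
    # Constructed test packets (source, destination)
    for src, dst in [("172.16.0.1", "192.168.1.77"),   # inside 192.168.0.0-192.168.1.255
                     ("172.16.0.1", "192.168.2.1"),    # outside the wildcard range
                     ("172.16.0.2", "192.168.0.5")]:   # different source host
        print(src, "->", dst, evaluate(ADVANCED, src, dst))
```

The wildcard `0.0.1.255` covers two /24 networks (192.168.0.0 through 192.168.1.255), so the advanced rule blocks more than a reader skimming the third octet might expect.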
