Cisco Certified Internetwork Expert Enterprise
CCIE EI Infrastructure v1.0

www.orhanergun.net

Orhan Ergun
CCDE #2014:17
CCIE #26567

Suraj Soni
CCIEx4 #39003 (R&S, Sec, SP & DC)
Course Content
• Module-1: Network Infrastructure
  • Chapter-1: Layer 2 Protocols
    • Layer 2 Protocols
    • VLAN Technology
    • EtherChannel
    • Spanning-Tree Protocol
    • Switch Administration
  • Chapter-2: Layer 3 Protocols
    • IPv6
      • IPv6 Basics
      • IPv6 Addressing
      • IPv6 Address Assignment
      • IPv6 Tunnelling
      • IPv6 Packet Types
    • EIGRP/EIGRPv6
      • Adjacency
      • Best Path Selection
      • EIGRP Load Balancing
      • EIGRP Optimization and Features
    • OSPF/OSPFv3
      • Adjacency
      • Network Types
      • Area Types
      • Path Preference
      • OSPF Optimization & Features
      • OSPF Operation
    • BGP
      • iBGP & eBGP Relationship
      • BGP Path Selection
      • BGP Path Attributes
      • BGP Communities
      • BGP Optimization
      • BGP Features
    • Layer 3 Features
      • VRF
      • VRF-Lite
      • Policy Based Routing
      • Bidirectional Forwarding Detection
  • Chapter-3: Multicast
    • Layer 2 Multicast
      • IGMPv2 & IGMPv3
      • IGMP Snooping
      • IGMP Querier
      • MLD
    • Layer 3 Multicast
      • PIM
      • Sparse Mode
      • RP Configuration
      • Bidirectional PIM
      • SSM
      • MSDP
      • PIMv6
      • PIMv6 Anycast RP
• Module-2: Transport Technology and Solutions
  • Chapter-1: MPLS
    • MPLS Basics
    • MPLS Operation
    • MPLS L3 VPN
    • PE-CE Routing
    • MP-BGP
    • VPNv4 Address Family
    • VPNv6 Address Family
    • VRF Route Leaking
  • Chapter-2: VPN
    • GRE VPN
    • Introduction to IPSEC Protocol
    • GRE Over IPSEC VPN
    • MGRE Over IPSEC
    • DMVPN
      • NHRP
      • DMVPN Phase I
      • DMVPN Phase II – EIGRP
      • DMVPN Phase III – EIGRP
      • DMVPN Phase II – OSPF
      • DMVPN Phase III – OSPF
      • DMVPN Phase III with Dual Hub
      • Troubleshooting DMVPN
    • IKEv2 VPN
      • Introduction to IKEv2
      • IKEv2 Configuration with Pre-Shared Key
    • Flex VPN
      • Introduction to Flex VPN
      • Introduction to D-VTI
      • Flex VPN Configuration
      • MPLS Over Flex VPN
• Module-3: Infrastructure Security and Services
  • Chapter-1: Device Security on Cisco IOS
    • AAA
    • Control Plane Policing
    • Switch Security
    • Router Security
    • IPv6 Security
    • IEEE 802.1x Authentication
  • Chapter-2: QoS
    • Layer 3 QoS using MQC
    • CoS and DSCP Mapping
    • Classification
    • Marking
    • NBAR
    • Policing and Shaping
    • Congestion Management and Avoidance
  • Chapter-3: Network Services
    • First Hop Redundancy Protocol
      • HSRP
      • VRRP
      • GLBP
      • IPv6 Redundancy
    • NTP
    • DHCP on Cisco IOS
      • DHCPv4
      • DHCP Options
      • SLAAC/DHCPv6
      • Stateful DHCPv6
    • NAT
      • Static NAT
      • Dynamic NAT
      • PAT
      • Policy Based NAT
      • VRF Aware NAT
      • NAT64
  • Chapter-4: Network Services / Operations
    • IP SLA
    • Netflow
    • SNMP
    • Syslog
    • Traffic Capture
    • IOS-XE Troubleshooting
• Module-4: Infrastructure Automation and Programmability
  • Chapter-1: Introduction to Python
    • Python Language Overview
    • The Python Pexpect Library
    • The Python Paramiko Library
  • Chapter-2: Ansible Basics
    • Introduction to Ansible
    • The Advantages of Ansible
    • The Ansible Architecture
    • Ansible Networking Modules
    • Ansible with Cisco
  • Chapter-3: Ansible Advanced
    • Ansible Conditionals
    • Ansible Loops
    • Templates
    • Group and Host Variables
    • Ansible include and roles
  • Chapter-4: Network Security with Python
    • Python Scapy
    • Access List with Ansible
    • Syslog
  • Chapter-5: Network Monitoring with Python
    • SNMP
    • Python Visualization
    • Python for Cacti
    • Flow Based Monitoring
  • Chapter-6: OpenFlow Basics
    • Introduction to OpenFlow
    • Mininet
    • Layer 2 OpenFlow Switch
    • The POX Controller
  • Chapter-7: OpenStack, OpenDaylight and NFV
    • OpenStack
    • OpenDaylight
    • NFV
  • Chapter-8: Hybrid SDN
    • Making the Network Ready
    • Controllers
    • Controller Redundancy
• Module-5: Software Defined Networking
  • Chapter-1: Cisco SD-WAN
    • Design Cisco SD-WAN
      • Introduction to Cisco SD-WAN
      • Control Plane
      • Management Plane
      • Data Plane
      • Orchestration Plane
      • OMP
      • TLOC
    • WAN Edge Deployment
      • Onboarding New Edge Router
      • Orchestration with Zero Touch Provisioning
      • Plug-n-Play
    • Configuration Template
    • Localized Policy
    • Centralized Policy
  • Chapter-2: Cisco SD-Access
    • Design a Cisco SD-Access
      • Introduction to Campus Network Fabric
      • Underlay and Overlay Network
      • Fabric Domains
    • SD-Access Deployment
      • DNA-Center Device Discovery
      • DNA-Center Device Management
      • Host Onboarding (Wired Host)
      • Fabric Border Handoff
    • Segmentation
      • Macro Level Segmentation using VNs
      • Introduction to Cisco ISE for SD-Access
      • DNA-Center and ISE Integration
      • Micro Level Segmentation using Cisco ISE
    • Assurance
      • Network and Client Health 360
      • Monitoring and Troubleshooting
Module-1: Network Infrastructure

Chapter-1: Basics of Networks

Network Device Communication
There used to be a variety of network protocols that were device specific or preferred; today, almost everything is based on Transmission Control Protocol/Internet Protocol (TCP/IP). It is important to note that TCP/IP is based on the conceptual Open Systems Interconnection (OSI) model, which is composed of seven layers.
Layer 2 Forwarding
• The second layer of the OSI model, the data link layer, handles addressing beneath the IP protocol stack so that communication is directed between hosts.
• Ethernet commonly uses media access control (MAC) addresses, and other data link layer protocols such as Frame Relay use an entirely different method of Layer 2 addressing.

Collision Domains
• Ethernet devices use Carrier Sense Multiple Access/Collision Detect (CSMA/CD) to ensure that only one device talks at a time in a collision domain.

Virtual LANs (VLANs)
• Virtual LANs (VLANs) provide logical segmentation by creating multiple broadcast domains on the same network switch.
• Network devices in one VLAN cannot communicate with devices in a different VLAN via traditional Layer 2 or broadcast traffic.

Access Port
• An access port is assigned to only one VLAN.
• The 802.1Q tags are not included on packets transmitted or received on access ports.

Trunk Port
• Trunk ports can carry multiple VLANs.
• Upon receipt of the packet on the remote trunk link, the headers are examined, traffic is associated to the proper VLAN, then the 802.1Q headers are removed, and traffic is forwarded to the next port, based on the MAC address for that VLAN.

Native VLANs
• In the 802.1Q standard, any traffic that is advertised or received on a trunk port without the 802.1Q VLAN tag is associated to the native VLAN.
• The default native VLAN is VLAN 1.
Layer 3 Forwarding
• Now that we have looked at the mechanisms of a switch and how it forwards Layer 2 traffic, let's review the process for forwarding a packet from a Layer 3 perspective:
  • Forwarding traffic to devices on the same subnet
  • Forwarding traffic to devices on a different subnet

Local Network Forwarding
• Two devices that reside on the same subnet communicate locally.
• As the data is encapsulated with its IP address, the device detects that the destination is on the same network.

Address Resolution Protocol
• The Address Resolution Protocol (ARP) table provides a method of mapping Layer 3 IP addresses to Layer 2 MAC addresses by storing the IP address of a host and its corresponding MAC address.

Packet Routing
• As the data is encapsulated with its IP address, a device detects that its destination is on a different network and must be routed.
• The device checks its local routing table to identify its next-hop IP address, which may be learned in one of several ways:

Routing Mechanisms
• From a static route entry, it can get the destination network, subnet mask, and next-hop IP address.
• A default gateway is a simplified static default route that just asks for the local next-hop IP address for all network traffic.
• Routes can be learned from routing protocols.

IP Address Assignment
• Initially, TCP/IP was used with IPv4 and its 32-bit network addresses.
• The number of devices using public IP addresses has increased at an exponential rate and depleted the number of publicly available IP addresses.

IP Address Exhaustion
• To deal with the increase in the number of addresses, a second standard, called IPv6, was developed in 1998; it provides 128 bits for addressing.
Forwarding Architectures
• The first Cisco routers would receive a packet, remove the Layer 2 information, and verify that the route existed for the destination IP address.
• Advancements in technologies have streamlined the process so that routers do not remove and add the Layer 2 addressing but simply rewrite the addresses.
• When the first Cisco routers were developed, they used a mechanism called process switching to switch the packets through the routers.

Process Switching
• Process switching, also referred to as software switching or slow path, is a switching mechanism in which the general-purpose CPU on a router is in charge of packet switching.
• The types of packets that require software handling include the following:
  • Packets sourced or destined to the router (using control traffic or routing protocols)
  • Packets that are too complex for the hardware to handle (that is, IP packets with IP options)
  • Packets that require extra information that is not currently known (for example, ARP)
• Because these packets consume the general-purpose CPU, the process-switched path is the one that Control Plane Policing (covered in Module-3) is there to protect.

Cisco Express Forwarding
• Cisco Express Forwarding (CEF) is a Cisco proprietary switching mechanism developed to keep up with the demands of evolving network infrastructures.
Ternary Content Addressable Memory (TCAM)
• A switch's ternary content addressable memory (TCAM) allows for the matching and evaluation of a packet on more than one field.
• The TCAM entries are stored in Value, Mask, and Result (VMR) format.
• The value indicates the fields that should be searched, such as the IP address and protocol fields.
• The mask indicates the field that is of interest and that should be queried.

Software CEF
• Forwarding Information Base (FIB): The FIB is built directly from the routing table and contains the next-hop IP address for each destination in the network. It keeps a mirror image of the forwarding information contained in the IP routing table.
• Adjacency table: The adjacency table, also known as the Adjacency Information Base (AIB), contains the directly connected next-hop IP addresses and their corresponding next-hop MAC addresses, as well as the egress interface's MAC address. The adjacency table is populated with data from the ARP table or other Layer 2 protocol tables.

Hardware CEF
• The ASICs in hardware-based routers are expensive to design, produce, and troubleshoot.
• ASICs allow for very high packet rates, but the trade-off is that they are limited in their functionality because they are hardwired to perform specific tasks.

Chapter-2: Spanning-Tree Protocol
Spanning-Tree Protocol
• Spanning tree is a control plane mechanism for Ethernet. It is used to create a Layer 2 topology (a tree) by placing the root switch at the top of the tree.

STP Modes
• 802.1D, which is the original specification
• Per-VLAN Spanning Tree (PVST)
• Per-VLAN Spanning Tree Plus (PVST+)
• 802.1W Rapid Spanning Tree Protocol (RSTP)
• 802.1S Multiple Spanning Tree Protocol (MST)

IEEE 802.1D STP
• The original version of STP comes from the IEEE 802.1D standard and provides support for ensuring a loop-free topology for one VLAN.

802.1D Port States
• In the 802.1D STP protocol, every port transitions through the following states:
  • Disabled
  • Blocking
  • Listening
  • Learning
  • Forwarding
  • Broken

STP Terminology
• Root Bridge
• Bridge Protocol Data Unit (BPDU)
• Topology Change Notification (TCN)
• Root Path Cost
• System Priority
• System-ID Extension
• Max Age Timer
• Hello Timer
• Forward Delay

Spanning-Tree Path Cost
Link Speed   Short-Mode STP Cost   Long-Mode STP Cost
10 Mbps      100                   2,000,000
100 Mbps     19                    200,000
1 Gbps       4                     20,000
10 Gbps      2                     2,000
20 Gbps      1                     1,000
100 Gbps     1                     200
1 Tbps       1                     20
10 Tbps      1                     2

STP Topology (figure)

Root Bridge Election (figure)

STP Topology Changes (figure)
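Root bridge election and root path cost, as an added Python example that is not part of the deck: bridge IDs compare priority first and then MAC address, and each non-root switch takes the lowest-cost path to the root using the cost table above, breaking equal costs on the upstream bridge ID. The switch names, MAC addresses and links are constructed.

```python
import heapq

# Spanning-tree path cost per link speed (Mbps) from the slide table: (short mode, long mode).
STP_COST = {
    10: (100, 2_000_000),
    100: (19, 200_000),
    1_000: (4, 20_000),
    10_000: (2, 2_000),
    20_000: (1, 1_000),
    100_000: (1, 200),
    1_000_000: (1, 20),
    10_000_000: (1, 2),
}


def bridge_id(priority, mac):
    """Bridge ID ordering: priority first, then MAC address; the lowest wins."""
    return (priority, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(switches):
    """switches: {name: (priority, mac)}. The switch with the lowest bridge ID is root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def spanning_tree(switches, links, long_mode=False):
    """links: [(switch_a, switch_b, speed_mbps)]. Runs a shortest-path search from the
    root over STP costs and returns (root, {switch: (root_path_cost, upstream_switch)}).
    Equal-cost candidates are broken by the lower upstream bridge ID, as STP does."""
    root = elect_root(switches)
    mode = 1 if long_mode else 0
    adj = {}
    for a, b, speed in links:
        cost = STP_COST[speed][mode]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    root_bid = bridge_id(*switches[root])
    best = {root: (0, root_bid, None)}           # (cost, upstream bridge ID, upstream)
    heap = [(0, root_bid, root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                              # stale heap entry
        for nbr, link_cost in adj.get(node, []):
            candidate = (cost + link_cost, bridge_id(*switches[node]), node)
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                heapq.heappush(heap, (candidate[0], candidate[1], nbr))
    return root, {name: (entry[0], entry[2]) for name, entry in best.items()}


# Constructed four-switch topology: SW1 becomes root through its lower priority; SW4 has
# two equal-cost paths and picks SW2 because SW2's MAC (hence its bridge ID) is lower.
SWITCHES = {
    "SW1": (4096, "00:11:22:33:44:01"),
    "SW2": (32768, "00:11:22:33:44:02"),
    "SW3": (32768, "00:11:22:33:44:03"),
    "SW4": (32768, "00:11:22:33:44:04"),
}
LINKS = [
    ("SW1", "SW2", 1_000), ("SW1", "SW3", 1_000),
    ("SW2", "SW4", 1_000), ("SW3", "SW4", 1_000),
    ("SW1", "SW4", 100),
]

if __name__ == "__main__":
    root, tree = spanning_tree(SWITCHES, LINKS)
    print("root:", root)
    for name, (cost, upstream) in sorted(tree.items()):
        print(f"{name}: root path cost {cost} via {upstream}")
```

The same comparison is why any switch advertising a lower bridge ID takes over as root, which is the reason the intended root is given a deliberately low priority and edge-facing ports are protected with root guard.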
Rapid Spanning Tree Protocol
• 802.1D did a decent job of preventing Layer 2 forwarding loops, but it used only one topology tree, which introduced scalability issues.
• PVST and PVST+ were proprietary spanning tree protocols. The concepts in these protocols were incorporated with other enhancements to provide faster convergence into the IEEE 802.1W specification, known as Rapid Spanning Tree Protocol (RSTP).

RSTP (802.1W) Port States
• RSTP reduces the number of port states to three:
  • Discarding
  • Learning
  • Forwarding

RSTP (802.1W) Port Types
• RSTP defines three types of ports that are used for building the STP topology:
  • Edge port
  • Root port
  • Point-to-point port

MST (Multiple Instance Spanning-Tree)
• In environments with thousands of VLANs, maintaining an STP state for all the VLANs can become a burden to the switch's processors.
• MST provides a blended approach by mapping one or multiple VLANs onto a single STP tree, called an MST instance (MSTI).

MST Region Boundary
• The topology for all the MST instances is contained within the IST, which operates internally to the MST region.
• MSTIs never interact outside the region.
• Propagating the CST (derived from the IST) at the MST region boundary involves a feature called the PVST simulation mechanism.

Chapter-2: EtherChannel
EtherChannel Bundle
• An EtherChannel bundle is used to bundle multiple physical links into one logical link, which combines the bandwidth of the member interfaces and stops STP from blocking interfaces between the switches, since the bundle is treated as one logical interface.

Figure: (1) LAG, (2) MLAG+LAG, (3) MLAG+MLAG, (4) High Availability

Dynamic Link Aggregation Protocols
• LACP (Link Aggregation Control Protocol)
• PAgP (Port Aggregation Protocol)

PAgP Port Modes
• PAgP advertises messages with the multicast MAC address 0100:0CCC:CCCC and the protocol code 0x0104. PAgP can operate in two modes:
  • Auto
  • Desirable

LACP Port Modes
• LACP advertises messages with the multicast MAC address 0180:C200:0002. LACP can operate in two modes:
  • Passive
  • Active

EtherChannel Configuration
• EtherChannel can be configured in the following ways:
  • Static EtherChannel
  • LACP EtherChannel
  • PAgP EtherChannel

Load Balancing Traffic with EtherChannel Bundles
• src-ip
• dst-ip
• src-mac
• dst-mac
• src-mixed-ip-port
• dst-mixed-ip-port
• src-port
• dst-port
• src-dst-ip
• src-dest-ip-only
• src-dst-mac
• src-dst-mixed-ip-port
• src-dst-port

Module-2: Layer 3 Protocols

Chapter-1: IPv6
Reaching the Next Billion
• Around 4.157 billion Internet users now
• Around 54.4% of all people in the world
• Mobile phones are Internet devices
• The Internet of Things
• How will the Internet look in 5-10 years?

IP Address Distribution (figure)

IPv6 Address Basics
• IPv6 address: 128 bits (32 bits in IPv4)
• Every subnet should be a /64
• Customer assignment between:
  • /64 (1 subnet)
  • /48 (65,536 subnets)
• Minimum allocation size is /32:
  • 65,536 /48s
  • 16,777,216 /56s

Address Notation
• Full form: 2001:0db8:003e:ef11:0000:0000:c100:004d
• Leading zeros suppressed: 2001:db8:3e:ef11:0:0:c100:4d

IPv6 Subnetting (figure)
Multiple Address Types
Address         Range          Scope
Unspecified     ::/128         n/a
Loopback        ::1            host
IPv4-Embedded   64:ff9b::/96   n/a
Discard-Only    100::/64       n/a
Link Local      fe80::/10      link
Global Unicast  2000::/3       global
Unique Local    fc00::/7       global
Multicast       ff00::/8       variable

IPv6 Address Scope (figure)

IPv6 Protocol Functions
• Address Autoconfiguration
  - Supported by Neighbor Discovery
  - Stateless - with SLAAC
  - Stateful - with DHCPv6
• Neighbor Discovery Protocol
  - Replaces ARP from IPv4
  - Uses ICMPv6 and multicast
  - Finds the other IPv6 devices on the link
  - Keeps track of reachability

The Autoconfiguration Process
1. Make a link-local address
2. Check for duplicates on the link
3. Search for a router
4. Make a global unicast address

Making a Link-Local Address (figure)

Checking for Duplicates (figure)

Searching for Routers (figure)

Stateless Address Auto-Configuration
• The Router Advertisement message tells the host:
  • Router's address
  • Zero or more link prefixes
  • SLAAC allowed (yes/no)
  • DHCPv6 options
  • MTU size (optional)

Interfaces Will Have Multiple Addresses
• Unicast
  • Link Local - fe80::5a55:caff:fef6:bdbf/64
  • Global Unicast - 2001::5a55:caff:fef6:bdbf/64 (multiple)
• Multicast
  • All Nodes - ff02::1 (scope: link)
  • Solicited Node - ff02::1:fff6:bdbf (scope: link)
• Router
  • All Routers - ff02::2 (scope: link)
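The address mechanics behind the address-type table, the autoconfiguration steps and the "multiple addresses" slide, as an added Python example that is not from the deck: the EUI-64 link-local derivation, the solicited-node group, the slide's leading-zero notation and a classifier built from the table. The MAC 58:55:ca:f6:bd:bf and the prefix 2001::/64 are assumptions chosen so the results match the slide's addresses.

```python
import ipaddress

# Address-type table from the slide, most specific prefix first.
ADDRESS_TYPES = [
    ("Unspecified",    "::/128",       "n/a"),
    ("Loopback",       "::1/128",      "host"),
    ("IPv4-Embedded",  "64:ff9b::/96", "n/a"),
    ("Discard-Only",   "100::/64",     "n/a"),
    ("Link Local",     "fe80::/10",    "link"),
    ("Global Unicast", "2000::/3",     "global"),
    ("Unique Local",   "fc00::/7",     "global"),
    ("Multicast",      "ff00::/8",     "variable"),
]


def classify(addr_text):
    """Return (type name, scope) for an IPv6 address according to the slide table."""
    addr = ipaddress.IPv6Address(addr_text)
    for name, prefix, scope in ADDRESS_TYPES:
        if addr in ipaddress.IPv6Network(prefix):
            return name, scope
    return "Reserved/Other", "n/a"


def suppress_leading_zeros(addr_text):
    """Slide-style notation: drop leading zeros in each hextet but keep all 8 groups
    (the RFC 5952 form additionally collapses the longest zero run into '::')."""
    exploded = ipaddress.IPv6Address(addr_text).exploded
    return ":".join(group.lstrip("0") or "0" for group in exploded.split(":"))


def eui64_link_local(mac_text):
    """Step 1 of autoconfiguration: fe80::/64 plus a modified EUI-64 interface ID."""
    mac = bytes.fromhex(mac_text.replace(":", "").replace("-", "").replace(".", ""))
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])  # insert ff:fe in the middle
    iid[0] ^= 0x02                                   # flip the universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def solicited_node(addr_text):
    """Solicited-node group joined for Duplicate Address Detection and address
    resolution: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr_text).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def interface_addresses(mac_text, global_prefix):
    """Addresses an interface holds after SLAAC: link-local, a global unicast built
    from the RA prefix (step 4), the all-nodes group and its solicited-node group."""
    link_local = eui64_link_local(mac_text)
    iid = link_local.packed[8:]
    net = ipaddress.IPv6Network(global_prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    global_addr = ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
    return {
        "link_local": str(link_local),
        "global": str(global_addr),
        "all_nodes": "ff02::1",
        "solicited_node": str(solicited_node(str(global_addr))),
    }


if __name__ == "__main__":
    # Constructed MAC; the results reproduce the addresses on the slide.
    for role, addr in interface_addresses("58:55:ca:f6:bd:bf", "2001::/64").items():
        print(f"{role:15} {addr:30} {classify(addr)}")
```

Because the EUI-64 interface ID embeds the MAC address, the same host is recognisable across every prefix it attaches to; randomised (privacy) interface IDs avoid that.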
Verifying Reachability (figure)

IPv6 Header (figure)

Fragmentation
• If a packet is too big for the next hop:
  • A "Packet Too Big" error message is returned
  • This is an ICMPv6 message
  • Filtering ICMPv6 causes problems
• Routers don't fragment packets with IPv6
  • More efficient handling of packets in the core
  • Fragmentation is done by the host

Path MTU Discovery
• A sender who gets this "Packet Too Big" ICMPv6 error tries again with a smaller packet
• A hint of the size is in the error message
• This is called Path MTU Discovery

Broadcast
• IPv6 has no broadcast
• There is an "all nodes" multicast group: ff02::1
• Disadvantages of broadcast:
  • It wakes up all nodes
  • Only a few devices are involved
  • Can create broadcast storms

Neighbor Discovery
• IPv6 has no ARP
  • Every ARP request wakes up every node
  • Each ND request only wakes up a few nodes
• The replacement is called Neighbor Discovery
  • Uses ICMPv6
  • Uses multicast
• ND uses 5 different ICMPv6 packet types
• ND is used by nodes:
  • For address resolution
  • To find neighboring routers
  • To track address changes
  • To check neighbor reachability
  • To do Duplicate Address Detection

DHCPv6 (figure)
MLD
• Multicast Listener Discovery (MLD) is an important component of IPv6
• IPv6 routers use MLD to discover multicast listeners on a directly attached link, similar to IGMP in IPv4
• MLD is embedded in ICMPv6. Two versions exist:
  • MLDv1, similar to IGMPv2
  • MLDv2, similar to IGMPv3

Transitioning: Solving Two Problems
• Maintaining connectivity to IPv4 hosts by sharing IPv4 addresses between clients
  • Extending the address space with NAT/CGN/LSN
  • Translating between IPv6 and IPv4
• Providing a mechanism to connect to the emerging IPv6-only networks
  • Tunnelling IPv6 packets over IPv4-only networks

6in4
• Manually configured tunnels towards a fixed tunnel broker like Hurricane Electric or your own system
• Stable and predictable, but not easily deployed to the huge residential markets
• MTU might cause issues

6in4 (figure)

6RD
• Encodes the IPv4 address in the IPv6 prefix
• Uses address space assigned to the operator
• The operator has full control over the relay
• Traffic is symmetric across a relay
• Can work with both public and private IPv4 space
• Needs additional software for signalling

6RD (figure)

NAT64 / DNS64
• Single-stack clients will only have IPv6
• The translator box will strip all headers and replace them with IPv4
• Usually implies address sharing on IPv4
• Requires some DNS "magic":
  • Capture responses and replace A with AAAA
  • The response is crafted based on the target IPv4 address

NAT64 / DNS64 (figure)

Best Transition Mechanism? (figure)
IPv6 Transition Mechanisms – Dual-Stack
• Many people state that IPv6 dual stack is the best transition method. Is dual stack really the best deployment method?
• Many people would recommend it. Before we try to answer this question, let's understand how dual stack works, what its advantages and disadvantages are, and what the challenges are.
• Dual stack is native IPv6 and IPv4 service; it was first defined in RFC 2893.
• It means having IPv6 and IPv4 at the hosts, the network, the operation/support tools, the content and the application.
• IPv4 applications use the IPv4 stack, and IPv6 applications use the IPv6 stack.
• Routing protocols handle both IPv4 and IPv6.
• Since the entire network will have both IPv4 and IPv6, IPv4 can be removed when needed without causing downtime.
• Network, applications, services, CPE and access networks all need to run both IPv4 and IPv6.
• Dual stack is considered the simplest solution, without any tunneling or translation mechanism (most deployments will still need translation, as we will discuss).
• Every interface speaks both IPv4 and IPv6.
• Communication is driven by DNS:
  • If the destination address is in an A record, communication is done via IPv4
  • If the destination address is in an AAAA record, communication is done via IPv6
  • If both A and AAAA records are returned by DNS, then IPv6 is preferred

Chapter-2: EIGRP
Introduction
• Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol commonly used in enterprise networks.
• Initially, it was a Cisco proprietary protocol, but it was released to the Internet Engineering Task Force (IETF) through RFC 7868, which was ratified in May 2016.

EIGRP Fundamentals
• EIGRP overcomes the deficiencies of other distance vector routing protocols like RIP with features such as unequal-cost load balancing, support for networks 255 hops away, and rapid convergence features.

Packets
Type  Packet Name  Function
1     Hello        Used for discovery of EIGRP neighbors and for detecting when a neighbor is no longer available
2     Request      Used to get specific information from one or more neighbors
3     Update       Used to transmit routing and reachability information with other EIGRP neighbors
4     Query        Sent out to search for another path during convergence
5     Reply        Sent in response to a query packet

EIGRP Terminology (figure)
EIGRP Terminology
• Computed Distance (CD) - composite metric of the whole path
• Advertised Distance (AD) or Reported Distance (RD) - composite metric of the best path from the neighbor's perspective
• Feasible Distance (FD) - the lowest value of CD of the best path since the last transition from Active to Passive. Note: it does not always equal the CD of the best path
• Feasible Successor (FS) - a path that meets the Feasibility Condition (FC), guaranteed to be loop-free by DUAL
• Feasibility Condition (FC) - RD of the candidate path < FD
• Successor (S) - the FS with the lowest CD

Topology Table
• EIGRP contains a topology table that makes it different from a "true" distance vector routing protocol.
• The topology table contains the following:
  • Network prefix
  • EIGRP neighbours that have advertised that prefix
  • Metrics from each neighbour (for example, reported distance, hop count)
  • Values used for calculating the metric (for example, load, reliability, total delay, minimum bandwidth)

Path Metric Calculation (figure)

Timers
• Hello timer
  • Default is 5 seconds (on multipoint) or 60 seconds (on p2p)
• Hold timer
  • Default is 15 seconds (on multipoint) or 180 seconds (on p2p)
• Active timer
  • Default is 3 minutes
• SIA retransmit timer
  • Default is 90 seconds

Adjacency
• To establish an adjacency, the following parameters should match:
  • AS number
  • K-values
  • Common subnet
  • Authentication type/password
• Automatic neighbor discovery is configured using the network command.

Passive Interface
• You can stop processing and sending any EIGRP packets on an interface using the passive-interface feature.

Stuck in Active (figure)

Route Summarization (figure)

Unequal Cost Load Balancing
• EIGRP supports unequal cost load balancing
• For a path to be eligible for load balancing, the path must be an FS
• Also, the metric of the path must satisfy this inequality:
  • CD of FS <= CD of S × Variance
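DUAL's Feasibility Condition, successor choice and variance from the slides above, carried through to the re-convergence outcomes (local computation versus going Active and querying), as an added Python example that is not the deck's code. The topology-table entries for neighbors R2, R3 and R4 and the starting FD are constructed.

```python
from dataclasses import dataclass

INFINITE_METRIC = 0xFFFFFFFF   # classic-metric "unreachable", used to poison a path


@dataclass(frozen=True)
class Path:
    """One topology-table entry for a prefix, as learned from one neighbor."""
    neighbor: str
    rd: int   # Reported (Advertised) Distance: the neighbor's own metric to the prefix
    cd: int   # Computed Distance: rd plus the metric of the link to that neighbor


def feasible_successors(paths, fd):
    """Feasibility Condition: a path is loop-free (a Feasible Successor) only if
    its RD < FD. Sorted by CD, so element 0 is the Successor."""
    return sorted((p for p in paths if p.rd < fd), key=lambda p: p.cd)


def successor(paths, fd):
    fs = feasible_successors(paths, fd)
    return fs[0] if fs else None


def load_balanced_paths(paths, fd, variance):
    """Unequal-cost load balancing: an FS is installed when CD(FS) <= CD(S) * variance.
    A path with a lower CD that fails the FC is still excluded."""
    fs = feasible_successors(paths, fd)
    if not fs:
        return []
    limit = fs[0].cd * variance
    return [p for p in fs if p.cd <= limit]


def lose_successor(paths, fd):
    """Withdraw the current Successor and decide the outcome (re-convergence slides).
    Returns (state, new_successor, fd): PASSIVE when another FS takes over by local
    computation, ACTIVE when the router must QUERY its neighbors."""
    s = successor(paths, fd)
    remaining = [p for p in paths if p != s]
    new_s = successor(remaining, fd)
    if new_s is not None:
        return "PASSIVE", new_s, min(fd, new_s.cd)   # FD can only drop while Passive
    return "ACTIVE", None, fd


def reply_metric(paths, fd, active):
    """Metric this router puts in a REPLY to a neighbor's QUERY for the prefix."""
    if active or not paths:          # route already Active, or not in the topology table
        return INFINITE_METRIC
    s = successor(paths, fd)
    return s.cd if s else INFINITE_METRIC


def reconverge_from_active(paths):
    """Once every REPLY is in, the route returns to Passive and FD is recomputed as
    the best CD now known, which can re-qualify paths that failed the old FC."""
    if not paths:
        return None, None
    best = min(paths, key=lambda p: p.cd)
    return best, best.cd


# Constructed topology table for one prefix as seen by R1 (FD = 30, set when the
# route last went Passive): R4 has a better CD than R3 but fails the FC.
TOPOLOGY = [Path("R2", rd=20, cd=30), Path("R3", rd=25, cd=45), Path("R4", rd=35, cd=40)]
FD = 30

if __name__ == "__main__":
    print("successor:", successor(TOPOLOGY, FD))
    print("variance 2:", [p.neighbor for p in load_balanced_paths(TOPOLOGY, FD, 2)])
    print("lose R2:", lose_successor(TOPOLOGY, FD)[:2])
    print("lose R3 as well:", lose_successor(TOPOLOGY[1:], FD)[:2])
```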
Re-convergence
• If we lose the Successor, two scenarios are possible:
• If there is no FS:
  • The route goes to Active state
  • The router sends a QUERY to all neighbors
  • During the QUERY the route is frozen in the RIB/topology table
  • Local computation of FS/S is done after we receive a REPLY for all queries
• If there is an FS:
  • The FS with the lowest CD becomes the Successor
  • The route stays Passive
  • This results in sub-second convergence

Re-convergence – Query/Reply
• A Query checks whether neighbors have an FS/S
• A Query also informs neighbors about the lost path (poisons it with an infinite metric), and they remove this path from the topology table
• Conditions to send a REPLY to a received QUERY:
  • If we have a Successor, reply with the metric of the Successor
  • If the route is already in Active state, reply with an infinite metric
  • If this route is NOT in the topology table, reply with an infinite metric

Stub Router
• You can mark non-transit routers as "stub", so queries are not sent to them.
• The default is connected + summary
• An argument indicates which routes a stub router will send to its neighbors
• Using the leak-map keyword you can leak any route in the topology table

Named Mode
• The main benefit of named mode is that the entire EIGRP configuration is located in a single place

Named Mode – Exclusive Features
• Wide metrics
• HMAC-SHA authentication
• Add-path
• Disabling EIGRP on a specific interface
• Default interface settings (af-interface default)
• Unique IPv6 behaviour
• Default tagging of all internal and external routes
• Over the Top (OTP) – not covered in this presentation
• Stub site (IWAN) – not covered in this presentation

Chapter-3: EIGRPv6

Chapter-4: OSPF
Introduction
• OSPF is a link state routing protocol.
• OSPF is a non-proprietary Interior Gateway Protocol (IGP) that overcomes the deficiencies of other distance vector routing protocols and distributes routing information within a single OSPF routing domain.

Versions of OSPF
• OSPF Version 2 (OSPFv2)
• OSPF Version 3 (OSPFv3)

OSPF Fundamentals
• OSPF sends link-state advertisements (LSAs) that contain the link state and link metric to neighboring routers.
• The LSDB provides the topology of the network, in essence giving the router a complete map of the network.

SPF Calculation (figure)

Inter-Router Communication
• OSPF runs directly over IPv4, using its own protocol number 89
• AllSPFRouters: IPv4 address 224.0.0.5 or MAC address 01:00:5E:00:00:05. All routers running OSPF should be able to receive these packets.
• AllDRouters: IPv4 address 224.0.0.6 or MAC address 01:00:5E:00:00:06. Communication with designated routers (DRs) uses this address.
OSPF Packet Types
• Type 1, Hello: discovers and maintains neighbors. Hellos are sent periodically on
all OSPF interfaces to discover new neighbors and to confirm that adjacent neighbors
are still online.
• Type 2, Database Description (DBD, also written DDP): summarizes database
contents. DBDs are exchanged when an adjacency is first being formed and describe the
contents of the LSDB.
• Type 3, Link-State Request (LSR): requests a database download. When a router
thinks part of its LSDB is stale, it requests that portion of a neighbor's database
with this packet type.
• Type 4, Link-State Update (LSU): carries database updates. An LSU contains one or
more explicit LSAs and is normally sent in direct response to an LSR or when a link
state changes.
• Type 5, Link-State Acknowledgment (LSAck): acknowledges flooded LSAs, which is what
makes flooding a reliable transport.

OSPF Hello Packets

• Hello packets contain the following:
• Router ID
• Authentication type (the authentication data itself is carried in the OSPF header)
• Area ID
• Interface address mask
• Interface priority
• Hello interval
• Dead interval
• Options (for example the E bit, which must match for stub areas)
• Current DR and BDR
• List of active neighbors
• The area ID, address mask, hello and dead intervals, authentication and stub (E)
flag must match on both sides or no neighbor relationship is formed.

OSPF Neighbor States

• Down state:
• The routers have no information about each other yet: no hello has been received
from the neighbor (or the dead interval has expired).
• At this stage OSPF only knows the local interfaces that are configured to run the
OSPF instance.

OSPF Neighbor States

• Attempt/Init state:
• The neighbor-building process starts here; Attempt applies only to NBMA networks
where neighbors are configured manually.
• A hello has been received from the neighbor but it does not yet list our Router ID.
The hello carries the neighbor's Router ID and the values that must match: area ID,
hello and dead intervals, authentication and the stub-area (E) flag. The interface
MTU is not in the hello; it is checked later, during the DBD exchange.

OSPF Neighbor States

• Two-Way state:
• Hellos have been exchanged in both directions and each router sees its own Router ID
in the neighbor's hello.
• On multi-access networks the DR/BDR election takes place at this stage. DR-other
routers remain in Two-Way with each other and only proceed further with the DR and BDR.

OSPF Neighbor States

• ExStart state:
• This is the first state in forming a full adjacency.
• The routers decide which one is master and which is slave for the LSDB
synchronization (the higher Router ID becomes master and picks the initial DBD
sequence number). An MTU mismatch shows up here as neighbors stuck in ExStart.

OSPF Neighbor States

• Exchange state:
• During this state, routers are exchanging link states by using DBD packets.

OSPF Neighbor States

• Loading state:
• LSR packets are sent to the neighbor, asking for the more recent LSAs that
have been discovered (but not received) in the Exchange state.

OSPF Neighbor States

• Full state:
• The neighboring routers are fully adjacent and their LSDBs are synchronized.

DR/BDR

• The DR and BDR reduce the number of full adjacencies on a multi-access (LAN)
segment and avoid duplicate LSA flooding: instead of n(n-1)/2 adjacencies, each
router only becomes fully adjacent with the DR and BDR.
• One router is elected DR and one BDR; all other routers on the segment are known as
DR-others.

DR/BDR
(Diagram: four routers with RIDs 10.10.10.10, 2.2.2.2, 3.3.3.3 and 4.4.4.4 on one
segment. With equal priorities the router with RID 10.10.10.10 is elected DR; the
others form full adjacencies with it rather than with each other.)

DR/BDR Election
The DR/BDR election is decided in the following order:
• Highest interface priority (default 1; a priority of 0 makes the router ineligible)
• Highest Router ID, as a tie-breaker
The Router ID itself is chosen as follows:
• Statically configured router-id
• Otherwise the highest loopback IP address
• Otherwise the highest active physical interface IP address
The election is not preemptive: a router that comes up later with a higher priority
or Router ID does not take over from an existing DR or BDR.
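To make the ordering and the non-preemptive behaviour concrete, here is an added example (not part of the original slides) that runs a simplified election for one multi-access segment following RFC 2328 section 9.4: a cold start, the loss of the DR, and the return of a router with the best priority. Router names and IDs are made up; real routers compare Router IDs as 32-bit integers, which the code also demonstrates.

```python
# Added example, not from the original slides: simplified OSPF DR/BDR election
# for one segment (RFC 2328 9.4). Highest priority wins, then highest Router ID;
# priority 0 is never eligible; an incumbent DR/BDR is kept while it is alive.
# Router names and IDs below are constructed for the demonstration.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str      # 32-bit ID in dotted-decimal, e.g. "10.10.10.10"
    priority: int = 1   # IOS default "ip ospf priority 1"; 0 = never DR/BDR


def rid_value(rid: str) -> int:
    """Router IDs compare as unsigned 32-bit integers, not as strings."""
    a, b, c, d = (int(x) for x in rid.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _rank(r: Router) -> tuple:
    return (r.priority, rid_value(r.router_id))


def elect(routers: Iterable[Router],
          current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> tuple[Optional[str], Optional[str]]:
    """Return (dr_name, bdr_name) for the segment; (None, None) if nobody is eligible."""
    eligible = {r.name: r for r in routers if r.priority > 0}
    if not eligible:
        return None, None
    # DR: keep the incumbent if it is still up; if it is gone the BDR is promoted;
    # on a cold start the best-ranked router takes it.
    dr = eligible.get(current_dr) if current_dr else None
    if dr is None and current_bdr and current_bdr in eligible:
        dr = eligible[current_bdr]
    if dr is None:
        dr = max(eligible.values(), key=_rank)
    # BDR: keep the incumbent unless it just became DR; otherwise best of the rest.
    others = [r for r in eligible.values() if r.name != dr.name]
    bdr = eligible.get(current_bdr) if current_bdr else None
    if bdr is None or bdr.name == dr.name:
        bdr = max(others, key=_rank) if others else None
    return dr.name, (bdr.name if bdr else None)


SEGMENT = [
    Router("A", "1.1.1.1"),
    Router("B", "10.10.10.10"),
    Router("C", "3.3.3.3", priority=0),    # never DR/BDR
    Router("D", "2.2.2.2", priority=200),  # best priority
]

if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("cold start:", dr, bdr)
    dr, bdr = elect([r for r in SEGMENT if r.name != "D"], dr, bdr)
    print("D failed:", dr, bdr)
    print("D returns:", elect(SEGMENT, dr, bdr))
```

Setting priority 0 on interfaces facing segments you do not control is the usual way to keep an untrusted device from ever becoming DR and originating the network LSA for that segment.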

Link Cost

• OSPF calculates the best path based on the sum of link costs along the path.
• The link cost is the reference bandwidth divided by the interface bandwidth
(integer division, with a minimum of 1).
• The reference bandwidth defaults to 100 Mbps and can be configured manually
(auto-cost reference-bandwidth); it must be set identically on every router in the
domain, otherwise routers compute different costs for the same link.
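The consequence of the default reference bandwidth is that every interface of 100 Mbps or faster gets cost 1, so 10 Gbps and Fast Ethernet links are indistinguishable. The following is an added example, not from the original slides, that reproduces the IOS computation (including the 16-bit cap of the interface cost field in the Router LSA) and shows what raising the reference bandwidth does. Link speeds are constructed inputs.

```python
# Added example, not from the original slides: OSPFv2 interface cost as IOS
# computes it: reference bandwidth (Mbps) / interface bandwidth, truncated to
# an integer, floored at 1 and capped at 65535 (the cost is a 16-bit field).

OSPFV2_MAX_COST = 65535           # interface cost field width in the Router LSA
DEFAULT_REFERENCE_MBPS = 100      # IOS default: auto-cost reference-bandwidth 100


def ospf_cost(bandwidth_kbps: int, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> int:
    """Cost of one interface; bandwidth is the IOS 'bandwidth' value in kbps."""
    if bandwidth_kbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    cost = (reference_mbps * 1000) // bandwidth_kbps  # both sides in kbps
    return max(1, min(cost, OSPFV2_MAX_COST))


def path_cost(link_bandwidths_kbps, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> int:
    """OSPF adds the outbound interface cost at every hop along the path."""
    return sum(ospf_cost(b, reference_mbps) for b in link_bandwidths_kbps)


def speeds_distinguishable(bandwidths_kbps, reference_mbps: int) -> bool:
    """True if every listed speed gets a distinct cost under this reference bandwidth."""
    costs = [ospf_cost(b, reference_mbps) for b in bandwidths_kbps]
    return len(set(costs)) == len(costs)


if __name__ == "__main__":
    fe, ge, tenge, t1 = 100_000, 1_000_000, 10_000_000, 1544  # kbps
    print("default reference :", [ospf_cost(b) for b in (fe, ge, tenge, t1)])
    print("reference 100000  :", [ospf_cost(b, 100_000) for b in (fe, ge, tenge, t1)])
    print("two FE hops vs one 10GE hop, default :", path_cost([fe, fe]), path_cost([tenge]))
    print("two FE hops vs one 10GE hop, 100000  :", path_cost([fe, fe], 100_000), path_cost([tenge], 100_000))
```

With the reference raised to 100 000 Mbps a 64 kbps link would compute to 1 562 500 and is clamped to 65535; on a domain with very slow links, raising the reference too far makes them all cost the same again.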

OSPF Network Types
• Broadcast: default setting on OSPF-enabled Ethernet links. DR/BDR: yes.
Timers: Hello 10, Wait 40, Dead 40.
• Non-broadcast: default setting on OSPF-enabled Frame Relay main interfaces and
Frame Relay multipoint sub-interfaces. DR/BDR: yes. Timers: Hello 30, Wait 120,
Dead 120.
• Point-to-point: default setting on OSPF-enabled Frame Relay point-to-point
sub-interfaces. DR/BDR: no. Timers: Hello 10, Wait 40, Dead 40.
• Point-to-multipoint: not enabled by default on any interface type. The interface
is advertised as a host route (/32) and the next-hop address is set to the outbound
interface. Primarily used for hub-and-spoke topologies. DR/BDR: no. Timers:
Hello 30, Wait 120, Dead 120.

Broadcast

• Broadcast media such as Ethernet are better described as broadcast multi-access,
to distinguish them from non-broadcast multi-access (NBMA) networks.
• A DR and BDR are elected; DR-other routers reach FULL with the DR and BDR only and
stay in TWO-WAY with each other.
(Diagram: a DR with two other routers; FULL towards the DR, TWO-WAY between the
DR-others.)

Point-to-Point Networks

• A network circuit that allows only two devices to communicate is considered a
point-to-point (P2P) network.
• No DR/BDR is elected; the two routers simply become fully adjacent.
(Diagram: two routers connected by a single point-to-point link.)

Point-to-Multipoint Networks
• Neighbors are discovered automatically with multicast hellos. (The non-broadcast
variant, point-to-multipoint non-broadcast, has no automatic discovery and requires
the neighbors to be configured manually.)
• No DR/BDR election, since OSPF treats the network as a collection of point-to-point
links.
• A single IP subnet is shared by the hub and all spokes; each router advertises its
interface address as a host route (/32) so spoke-to-spoke traffic is routed via the hub.
(Diagram: hub-and-spoke point-to-multipoint network.)

Areas

Multi Area

OSPF Route Types

• Network routes that are learned from other OSPF routers within the
same area are known as intra-area routes.

• Network routes that are learned from other OSPF routers from a
different area using an ABR are known as interarea routes.

LINK-STATE Advertisement Types

• Six LSA types are used for IPv4 routing in typical deployments (types 6 and 9 to 11
exist as well but are not covered here):


• Type 1, router LSA
• Type 2, network LSA
• Type 3, summary LSA
• Type 4, ASBR summary LSA
• Type 5, AS external LSA
• Type 7, NSSA external LSA

LSA Sequences
• OSPF uses the sequence number to overcome problems caused by
delays in LSA propagation in a network.
• The LSA sequence number is a 32-bit number for controlling
versioning.

LSA Type 1: Router Link
• Every OSPF router advertises a type 1 LSA.
• Type 1 LSAs are the essential building blocks within the LSDB.
• Each router originates one type 1 LSA per area it belongs to; the LSA contains an
entry for every OSPF-enabled link in that area (each interface and its attached
network). Type 1 LSAs are flooded only within the area.

LSA Type 2: Network Link
• A type 2 LSA represents a multi-access network segment that uses a
DR.
• The DR always advertises the type 2 LSA and identifies all the routers
attached to that network segment.

LSA Type 3: Summary Link
• Type 3 LSAs represent networks from other areas.
• ABRs participate in multiple OSPF areas and ensure that the networks described by
type 1 and type 2 LSAs in one area are reachable from the other areas, by
re-advertising them as type 3 LSAs.

LSA Type 4: ASBR Summary Link
• A type 4 LSA is generated by the ABR of the area that contains an ASBR; it carries
reachability information about the ASBR (its Router ID).
• It is flooded only outside the ASBR's own area, along with the type 3 LSAs, so that
routers in other areas can resolve the type 5 LSAs the ASBR originates.

LSA Type 5: AS External LSA
• A type 5 LSA is generated by an ASBR and carries reachability information about
external prefixes redistributed into OSPF.
• Its scope is the entire OSPF domain, except stub and NSSA areas, which do not
accept type 5 LSAs.

LSA Type 7: NSSA External LSA
• A type 7 LSA is generated by an ASBR that resides in an NSSA.
• Its scope is limited to that NSSA.
• The NSSA ABR (the translator, the one with the highest Router ID if there are
several) converts it to a type 5 LSA for the rest of the domain.

LSA Summarized
• LSA 1: generated by all routers; local link information; scope: within the area.
• LSA 2: generated by the DR; network (segment) information; scope: within the area.
• LSA 3: generated by ABRs; summarized information from LSA 1 and LSA 2; scope: across
the areas.
• LSA 4: generated by ABRs; reachability information about the ASBR; scope: OSPF
domain, except the area where the ASBR is connected.
• LSA 5: generated by ASBRs; reachability information about external routes; scope:
OSPF domain.
• LSA 7: generated by an ASBR that is part of an NSSA; reachability information about
external routes; scope: the NSSA / totally NSSA area.

OSPF Area Types
• There are Special types of Areas:
• Stub Area
• Totally Stub Area
• NSSA Area
• Totally NSSA Area

Stub Area
• This is a special type of OSPF area.
• A stub area filters type 5 and type 4 LSAs at its ABR.
• It is used to keep external route information out of the area; the ABR injects a
default route (as a type 3 LSA) into the area so that external destinations remain
reachable.

Totally Stub Area
• This is a special type of OSPF area (Cisco-specific).
• A totally stubby area filters type 5, type 4 and type 3 LSAs at its ABR.
• It extends the stub area: besides types 4 and 5, inter-area routes (type 3) are
filtered as well, and only a default route (type 3) is injected by the ABR.

Not So Stubby Area (NSSA)
• An NSSA filters type 5 and type 4 LSAs coming from other areas at its ABR.
• No default route is injected by default (the ABR can be configured to originate one).
• It is used when external routes from other areas must be filtered but external
routes originated locally in the area must still be allowed: the local ASBR
advertises them as type 7 LSAs, which the ABR translates to type 5.

Totally Not So Stubby Area
• A totally NSSA filters type 5, type 4 and type 3 LSAs coming from other areas at
its ABR.
• It is used when inter-area and external routes from other areas must be filtered
but externals originated locally in the area must still be allowed (as type 7).
• A default route is injected into the area by the ABR (as a type 3 LSA).

Area Types Summarized
LSA Type        Standard   Stub   Totally Stub   NSSA   Totally NSSA
LSA 1           Yes        Yes    Yes            Yes    Yes
LSA 2           Yes        Yes    Yes            Yes    Yes
LSA 3           Yes        Yes    No*            Yes    No*
LSA 4           Yes        No     No             No     No
LSA 5           Yes        No     No             No     No
LSA 7           No         No     No             Yes    Yes
Default route   No         Yes    Yes            No**   Yes
* Only the default route is sent into the area as a type 3 LSA.
** Not by default; the NSSA ABR can be configured to originate a default route.

Chapter-5: OSPFv3

IPV6 Routing Protocols

• When IPv6 routing is enabled alongside an IPv4 routing protocol, make sure the
networking devices have sufficient resources (memory, CPU and forwarding table
space) for both.
• General-purpose IPv6 routing protocols (as opposed to special-purpose ones such as
RPL) are very similar to their IPv4 counterparts.
• There are some differences, which are covered next.


IPv4 and IPv6 Routing Protocols Side by Side
IPv4 Routing Protocol    IPv6 Routing Protocol
RIPv2                    RIPng (RIP next generation)
OSPFv2                   OSPFv3
IS-IS                    IS-IS for IPv6
EIGRP                    EIGRP for IPv6
BGPv4                    MP-BGP (BGP-4 with multiprotocol extensions)
PIM                      PIM for IPv6
OSPF for IPv6 (OSPFv3)

• Operates very similarly to OSPFv2: both are link-state protocols, and the LSA
flooding rules, the LSA aging mechanisms and the interface types (broadcast,
point-to-point, point-to-multipoint, among others) are the same.
• Both OSPFv2 and OSPFv3 have two levels of hierarchy (backbone and non-backbone
areas).
• OSPFv2 only supports IPv4; OSPFv3 supports both IPv4 and IPv6 through address
families (RFC 5838).
OSPF for IPv6 (OSPFv3)

• In OSPFv3, topology and reachability information are carried in different LSAs.
• Thus adding a loopback interface, for example, doesn't trigger a full SPF run,
because it doesn't change the topology of the network.
• New LSA types are defined for OSPFv3.


OSPF for IPv6 (OSPFv3)

• If you make a simple change, like changing the IP address on one of your routers,
the topology itself doesn't change.
• In OSPFv2 a new type 1 LSA, and perhaps a type 2 LSA, has to be flooded anyway.
Other routers that receive the new LSA(s) have to recalculate the SPT even though the
topology did not change.
• In OSPFv3 this was changed by separating prefixes from the topology.
OSPF for IPv6 (OSPFv3)

• There is no prefix information in LSA types 1 and 2: these LSAs carry topology
information only, and you don't find any IPv6 prefixes in them.

• Prefixes are now advertised in type 9 LSAs and the link-local addresses
that are used for next hops are advertised in type 8 LSA

• Type 8 LSAs are only flooded on the local link, type 9 LSAs are flooded
within the area.
OSPF for IPv6 (OSPFv3)

• Neighboring routers are referred to not by IP address but by Router ID,
demonstrating OSPFv3's fundamental separation of the SPF tree from IP addressing.

• OSPFv3 router IDs are not IPv4 addresses; they are merely unique 32-
bit identifiers expressed in the familiar dotted-decimal notation
OSPF for IPv6 (OSPFv3)

• Type 1 and type 2 LSAs are repurposed (topology only); type 8 (Link) and type 9
(Intra-Area Prefix) LSAs are added in OSPFv3.
• The type 8 LSA is link-local only; type 9 is area-wide.
• The 16-bit LS Type field also encodes the flooding scope in its high-order bits,
so the AS-External LSA is 0x4005: function code 5 with AS-wide (domain-wide) scope.
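Decoding the LS Type field makes the 0x4005 example above, and the unknown-type handling described later in this chapter, mechanical. The following is an added example, not from the original slides, that splits an OSPFv3 LS Type into the U bit, the S2/S1 scope bits and the 13-bit function code as laid out in RFC 5340, and returns what a router does with an LSA of that type. The two unknown function codes used in the demonstration (0x020) are constructed values.

```python
# Added example, not from the original slides: decode the OSPFv3 LS Type field
# (RFC 5340, A.4.2.1). Bit 15 = U bit, bits 14-13 = S2 S1 flooding scope,
# bits 12-0 = LSA function code. Known codes flood with their encoded scope;
# unknown codes flood link-local only unless U=1, in which case they are
# stored and flooded as if understood (OSPFv2 simply drops unknown types).

U_BIT = 0x8000
SCOPE_NAMES = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}
KNOWN_FUNCTION_CODES = {
    1: "Router", 2: "Network", 3: "Inter-Area-Prefix", 4: "Inter-Area-Router",
    5: "AS-External", 7: "NSSA", 8: "Link", 9: "Intra-Area-Prefix",
}


def decode_ls_type(ls_type: int) -> dict:
    """Split a 16-bit LS Type into its fields and the resulting flooding action."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    u_bit = bool(ls_type & U_BIT)
    scope = (ls_type >> 13) & 0b11
    code = ls_type & 0x1FFF
    if code in KNOWN_FUNCTION_CODES:
        action = f"flood {SCOPE_NAMES[scope]}"
    elif u_bit:
        action = f"store and flood {SCOPE_NAMES[scope]}"  # treat as if understood
    else:
        action = "flood link-local only"                   # never beyond this link
    return {
        "ls_type": f"0x{ls_type:04X}",
        "u_bit": u_bit,
        "scope": SCOPE_NAMES[scope],
        "function_code": code,
        "name": KNOWN_FUNCTION_CODES.get(code, "unknown"),
        "action": action,
    }


if __name__ == "__main__":
    # 0x2020 / 0xA020 are constructed unknown types (function code 0x020).
    for t in (0x2001, 0x2002, 0x2003, 0x2004, 0x4005, 0x2007, 0x0008, 0x2009, 0x2020, 0xA020):
        d = decode_ls_type(t)
        print(f'{d["ls_type"]}  {d["name"]:<18} scope={d["scope"]:<10} U={int(d["u_bit"])}  -> {d["action"]}')
```

The U bit is worth checking in any OSPFv3 packet inspection: an LSA with an unrecognised function code and U=1 will be stored and propagated area- or domain-wide by every router, which is exactly the behaviour OSPFv2 avoided by discarding.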
OSPF for IPv6 (OSPFv3)

• Inter-Area Prefix LSA (type 3): the IPv6 equivalent of the IPv4 type 3 summary LSA.
Originated by the ABR to advertise IPv6 prefixes that belong to other areas; a
separate LSA is originated for each address prefix.
• Inter-Area Router LSA (type 4): the IPv6 equivalent of the IPv4 type 4 ASBR
summary LSA. Originated by the ABR, it describes the route to an ASBR; each LSA
describes a route to a single router.
OSPF for IPv6 (OSPFv3)

• Unknown LSA type handling: OSPFv2 routers simply discard LSAs of an unknown type.
An OSPFv3 router either treats an unknown LSA as having link-local flooding scope
or, if the U bit in the LS Type is set, stores and floods it as though the type were
understood.
OSPF for IPv6 (OSPFv3)

• An OSPFv2 router forms adjacencies using its configured IPv4 interface address.
• OSPFv3, however, makes use of IPv6's link-local address scope (FE80::/10): all
OSPFv3 adjacencies are formed using link-local addresses.
Chapter-6: BGP

Autonomous System (AS)
(Diagram: a single autonomous system, AS 100.)
• Collection of networks with the same routing policy
• Single routing protocol
• Usually under single administrative control
• IGP to provide internal connectivity

Autonomous System (AS)
• Identified by an AS number
• Public and private AS numbers
• Examples:
• Service provider
• Multi-homed customers
• Anyone needing policy discrimination
Routing flow and packet flow
(Diagram: AS 1 and AS 2. Routing flow: AS 1 announces and AS 2 accepts; AS 2
announces and AS 1 accepts. Packet flow runs in the opposite direction to the route
announcement: the egress of one AS is the ingress of the other.)
For networks in AS1 and AS2 to communicate:
• AS1 must announce routes to AS2
• AS2 must accept routes from AS1
• AS2 must announce routes to AS1
• AS1 must accept routes from AS2

Interior vs. Exterior
Routing Protocols
• Interior
• Automatic neighbor discovery
• Generally trust your IGP routers
• Routes go to all IGP routers
• Exterior
• Specifically configured peers
• Connecting with outside networks
• Set administrative boundaries

BGP Basics

• Terminology
• Protocol Basics
• Messages
• General Operation
• Peering relationships (EBGP/IBGP)
• Originating routes

Terminology
• Neighbor
• Configured BGP peer
• NLRI/Prefix
• NLRI - network layer reachability information
• Reachability information for an IP address and mask
• Router-ID
• A 32-bit identifier; on Cisco IOS the configured bgp router-id, otherwise the
highest loopback IP address, otherwise the highest active interface IP address
• Route/Path
• NLRI advertised by a neighbor

Protocol Basics
Peering
(Diagram: routers A and B in AS 100, C and D in AS 101, E in AS 102, with BGP
peering sessions between the ASes.)
• Routing protocol used between ASes
• If you aren't connected to multiple ASes, you don't need BGP :)
• Runs over TCP (port 179)
• Path vector protocol
• Incremental updates
BGP Basics ...
• Each AS originates a set of NLRI
• NLRI is exchanged between BGP peers
• Can have multiple paths for a given prefix
• Picks the best path and installs in the IP
forwarding table
• Policies applied (through attributes)
influences BGP path selection

BGP Peers
(Diagram: A and B in AS 100 (110.110.0.0/24), C and D in AS 101 (110.110.1.0/24),
E in AS 102 (110.110.2.0/24); an eBGP TCP/IP peer connection between the ASes.)
• BGP speakers are called peers
• Peers in different ASes are called external peers (eBGP)
• Note: eBGP peers normally should be directly connected.
BGP Peers
(Diagram: same three ASes; an iBGP TCP/IP peer connection between A and B inside
AS 100.)
• BGP speakers are called peers
• Peers in the same AS are called internal peers (iBGP)
• Note: iBGP peers don't have to be directly connected.
BGP Peers
(Diagram: same three ASes, with BGP Update messages flowing between the peers.)
• BGP peers exchange Update messages containing Network Layer Reachability
Information (NLRI)
BGP Updates — NLRI
• Network Layer Reachability Information
• Used to advertise feasible routes
• Composed of:
• Network Prefix
• Mask Length

BGP Updates — Attributes
• Used to convey information associated with NLRI
• AS path
• Next hop
• Local preference
• Multi-Exit Discriminator (MED)
• Community
• Origin
• Aggregator

AS-Path Attribute
• Sequence of ASes a route has traversed
• Loop detection
• Apply policy
(Diagram: AS 200 originates 120.10.0.0/16, AS 100 originates 130.10.0.0/16 behind
AS 200, AS 400 originates 110.10.0.0/16; AS 300 provides transit to AS 400 and
AS 500.)
As received by AS 400 from AS 300:
Network          Path
130.10.0.0/16    300 200 100
120.10.0.0/16    300 200
As received by AS 500 from AS 300:
Network          Path
130.10.0.0/16    300 200 100
120.10.0.0/16    300 200
110.10.0.0/16    300 400

Next Hop Attribute
(Diagram: AS 100 (130.10.0.0/16, router A) peers with AS 200 (120.10.0.0/16,
routers B and C) over the 192.2.2.0/30 link; AS 200 peers with AS 300
(110.10.0.0/16, routers D and E) over the 192.1.1.0/30 link. BGP Update messages
flow from A into AS 200.)
In AS 200 the update from A is installed as:
Network          Next-Hop     Path
130.10.0.0/16    192.2.2.1    100
• Next hop to reach a network
• Usually the address of the peer's interface on the shared link is the next hop in
an eBGP session
Next Hop Attribute (more)
• IGP should carry route to next hops
• Recursive route look-up
• Unlinks BGP from actual physical topology
• Allows IGP to make intelligent forwarding decision

BGP Routing Information Base
router bgp 100
 network 160.10.0.0 255.255.0.0
 no auto-summary
Route table:
D 10.10.20.0/24
D 120.10.1.0/24
D 120.10.3.0/24
R 123.22.0.0/16
S 192.10.1.0/24
BGP RIB:
Network            Next-Hop     Path
*>i120.10.1.0/24   192.20.2.2   i
*>i120.10.3.0/24   192.20.2.2   i
• BGP 'network' commands are normally used to populate the BGP RIB with routes from
the route table; the prefix must exist in the route table exactly as specified.

Types of BGP Messages
• OPEN
• To negotiate and establish peering
• UPDATE
• To exchange routing information
• KEEPALIVE
• To maintain peering session
• NOTIFICATION
• To report errors (results in session reset)

Internal BGP Peering (IBGP)
(Diagram: routers A, B and D inside AS 100.)
• BGP peer within the same AS
• Not required to be directly connected
• Maintain a full IBGP mesh or use route reflection
External BGP Peering (EBGP)

(Diagram: AS 200 peers with AS 201 via router C.)
• Between BGP speakers in different ASes
• Directly connected, or the peering address is reachable (eBGP multihop)

BGP Path Attributes: Why ?
• Encoded as Type, Length & Value (TLV)
• Transitive/Non-Transitive attributes
• Some are mandatory
• Used in path selection
• To apply policy for steering traffic

BGP Path Attributes...

• Origin
• AS-path
• Next-hop
• Multi-Exit Discriminator (MED)
• Local preference
• BGP Community
• Others...

AS-PATH

• Prepended by the sending router with its own AS number when the update is sent to
an eBGP peer
• Contains the list of AS numbers the update has traversed
• Used to detect routing loops
• Each time a router receives an update, if it finds its own AS number in the
AS-path it discards the update

Local Preference

• Well-known discretionary attribute: carried in iBGP updates, not sent to eBGP
peers
• Default value is 100 on Cisco IOS
• Local to an AS
• Used to prefer one exit over another
• Path with the highest local preference wins

Local Preference

(Diagram: AS 100 originates 110.10.0.0/16. AS 400 learns it from AS 200 at border
router D and from AS 300 at border router E. D sets local preference 400 on its
path, E sets 700. Every router in AS 400 (A, B, C) therefore selects the path via E:
"> 110.10.0.0/16 ... 700" is marked best.)

Multi-Exit Discriminator

• Optional non-transitive attribute
• Represented as a numeric value (0-0xffffffff)
• Used to convey to a neighboring AS the relative preference of the entry points
into our AS
• By default compared only between paths received from the same neighboring AS
• Path with the lowest MED wins
• The IGP metric can be conveyed as MED

Multi-Exit Discriminator (MED)

(Diagram: AS 301 (routers A and B) advertises 192.168.1.0/24 to router C in AS 300
over two links, with MED 2000 from A and MED 1000 from B. C prefers the path via B,
the lower MED.)

Origin

• Conveys how the prefix was injected into BGP
• Three values:
• IGP - injected using a "network" statement
• ex: network 135.0.0.0
• EGP - learned from the (obsolete) EGP protocol
• Incomplete - redistributed from another source, such as an IGP
• ex: redistribute ospf
• Preference order: IGP < EGP < INCOMPLETE (lower is better)

Communities

• Transitive, Non-mandatory
• Represented as a numeric value (0-0xffffffff)
• Used to group destinations
• Each destination could be member of multiple
communities
• Flexibility to scope a set of prefixes within or
across AS for applying policy

Community...

(Diagram: customer AS 201 (routers A and B) advertises 192.68.10.0/24 to service
provider AS 300 (routers C and D). The update to C carries community 201:110 and
the update to D carries community 201:120. The provider's policy maps community
201:110 to local preference 110 and 201:120 to local preference 120, so the
customer steers the provider's traffic towards it through D.)
Community    Local Preference
201:110      110
201:120      120

BGP Route Selection (bestpath)
Only one path is selected as the bestpath!
• Route has to be synchronized: prefix present in the IGP (a legacy check, disabled
by default on current IOS)
• Next hop has to be reachable: next hop present in the forwarding table
• Largest weight: local to the router, never advertised
• Largest local preference: spread within the AS
• Locally sourced: via redistribute or network statement

BGP Route Selection ...
• Shortest AS-path length: number of ASes in the AS-path attribute
• Lowest origin: IGP < EGP < INCOMPLETE
• Lowest MED: compared only between paths from the same neighboring AS
• External over internal: a path learned via eBGP beats one learned via iBGP
• Closest next hop: lowest IGP metric to the next hop, i.e. the closest exit from
the AS
• Lowest router-id of the advertising router
• Lowest IP address of the neighbor

Stub AS

• Typically no need for BGP
• Point a default route towards the ISP
• ISP advertises the stub network to the Internet
• Policy confined within the ISP's policy

Stub AS

(Diagram: customer AS 200 single-homed to provider AS 201 via router B.)

Multi-homed AS
• Only border routers speak BGP
• IBGP only between border routers
• Exterior routes must be redistributed in
a controlled fashion into IGP or use
defaults

Multi-homed AS

(Diagram: customer AS 500 with border routers B and C connected to provider AS 400
(router A) and provider AS 600 (router D).)

Service Provider Network

• IBGP used to carry exterior routes
• IGP keeps track of topology
• Full IBGP mesh is required (or route reflection, as noted under iBGP peering)

Routing Policy

• Why?
– To steer traffic through preferred paths
– Inbound/Outbound prefix filtering
– To enforce Customer-ISP agreements
• How ?
– AS based route filtering - filter list
– Prefix based route filtering - distribute list
– BGP attribute modification - route maps
Route-map match & set clauses

Match clauses:
• AS-path
• Community
• IP address (prefix)
Set clauses:
• AS-path prepend
• Community
• Local-preference
• MED
• Origin
• Weight
• Others...

Chapter-7: VRF

Introduction
• VRF (Virtual Routing and Forwarding) is a technology that allows
multiple instances of a routing table to co-exist within the same
router at the same time.

VRF-Lite
• VRF-lite is a feature that enables a service provider to support two or
more VPNs, where IP addresses can be overlapped among the VPNs.
• VRF-lite uses input interfaces to distinguish routes for different VPNs
and forms virtual packet-forwarding tables by associating one or more
Layer 3 interfaces with each VRF.

Chapter-8: Policy Based
Routing

Chapter-9: IP Multicast

Introduction to IP Multicast

• Why multicast?
• When sending same data to multiple receivers
• Better bandwidth utilization
• Lesser host/router processing
• Receivers’ addresses unknown

Multicast Applications

• Many applications transmit the same data at one time to multiple receivers:
• Broadcasts of radio or video
• Videoconferencing
• Shared applications
• Advertisement, stock quotes, distance learning
• Synchronization of distributed databases and websites

Unicast, Broadcast and Multicast

Unicast: one sender and one receiver
Broadcast: one sender, all the others as receivers
Multicast: one sender (potentially many senders), many receivers

Internet Group Management Protocol - IGMP

• How hosts tell routers about group membership
• Routers solicit group membership from directly connected hosts
• RFC 1112 specifies the first version of IGMP
• IGMPv2 and IGMPv3 add enhancements
• Supported on UNIX systems, PCs and Macs

IGMP Protocol
• Router: sends an IGMP query at regular intervals
• Hosts belonging to a multicast group must reply to the query if they wish to join or
stay in the group
• A host sends an IGMP report when it joins a multicast group (note: multiple
processes on a host can join; a report is sent only for the first process)
• In IGMPv1 no message is sent when a process leaves a group; the router only notices
when its queries go unanswered. IGMPv2 added an explicit Leave Group message.

IGMP Message Types

IGMP Packet Format

Leave Report

General Query Message

Multicast Protocol Basics

• Multicast distribution trees
• Multicast forwarding
• Types of multicast protocols
• Dense-mode protocols
• Sparse-mode protocols

Multicast Distribution Trees

Characteristics of Distribution Trees
• Shared trees
• Use less memory, O(G) state, but may give sub-optimal paths from the source to the
receivers and may introduce extra delay
• Source or shortest path trees
• Use more memory, O(S x G) state, but give optimal paths from each source to all
receivers and minimize delay

Multicast Distribution Trees
How are Distribution Trees Built?
• PIM
• Uses existing Unicast Routing Table plus Join/Prune/Graft mechanism to build tree.
• DVMRP
• Uses DVMRP Routing Table plus special Poison-Reverse mechanism to build tree.
• MOSPF
• Uses extension to OSPF’s link state mechanism to build tree.
• CBT
• Uses existing Unicast Routing Table plus Join/Prune/Graft mechanism to build tree.

Multicast Forwarding
• Multicast Routing is backwards from Unicast Routing
• Unicast Routing is concerned about where the packet is going.
• Multicast Routing is concerned about where the packet came from.

• Multicast Routing uses “Reverse Path Forwarding”

Multicast Forwarding
Reverse Path Forwarding (RPF)
• What is RPF?
• A router forwards a multicast datagram only if it was received on the upstream
interface towards the source, i.e. the packet follows the distribution tree.
• The RPF check
• The routing table used for multicast is looked up for the source address of the
multicast datagram.
• If the datagram arrived on the interface the routing table uses to reach that
source address, the RPF check succeeds.
• Otherwise the RPF check fails.

Multicast Forwarding
Reverse Path Forwarding (RPF)
• If the RPF check succeeds, the datagram is forwarded
• If the RPF check fails, the datagram is typically silently discarded
• When a datagram is forwarded, it is sent out each interface in the
outgoing interface list
• Packet is never forwarded back out the RPF interface!
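The two slides above describe a small, deterministic algorithm, so here it is as an added example (not from the original slides): a longest-prefix lookup on the source address, the RPF verdict, and the replication step that drops on failure and never sends back out the RPF interface. The routing table and interface names are constructed; on a real router the table consulted is whichever one is selected for RPF (unicast RIB, static mroutes or MBGP).

```python
# Added example, not from the original slides: RPF check and the forwarding
# decision that follows it. Routes and interface names are constructed.
import ipaddress
from typing import Iterable, Optional

Route = tuple[str, str]   # (prefix, interface the router uses to reach that prefix)


def rpf_interface(routes: Iterable[Route], source: str) -> Optional[str]:
    """Longest-prefix match on the *source* address; returns the interface toward it."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(routes: Iterable[Route], source: str, in_iface: str) -> bool:
    """Pass only if the datagram arrived on the interface the RIB would use to reach its source."""
    return rpf_interface(routes, source) == in_iface


def forward(routes: Iterable[Route], oil: set, source: str, in_iface: str) -> list:
    """Interfaces the datagram is replicated to; an empty list means it is dropped."""
    routes = list(routes)
    if not rpf_check(routes, source, in_iface):
        return []                                    # RPF failure: silently discarded
    return sorted(i for i in oil if i != in_iface)   # never back out the RPF interface


# Constructed unicast routing table: prefix -> outgoing interface.
ROUTES = [
    ("10.1.0.0/16", "Gi0/0"),
    ("10.1.5.0/24", "Gi0/1"),   # more specific than 10.1.0.0/16
    ("0.0.0.0/0", "Gi0/2"),     # default route
]

if __name__ == "__main__":
    oil = {"Gi0/0", "Gi0/1", "Gi0/3"}   # outgoing interface list for the group
    for src, iif in (("10.1.5.7", "Gi0/1"), ("10.1.5.7", "Gi0/0"), ("198.51.100.3", "Gi0/2")):
        print(f"src={src:<13} in={iif}  rpf={rpf_check(ROUTES, src, iif)}  out={forward(ROUTES, oil, src, iif)}")
```

The second case in the demonstration is the one that matters operationally: the same source arriving on the wrong interface is dropped, which is what prevents forwarding loops and also what a spoofed source address has to defeat.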

Multicast Forwarding
Example: RPF Checking

Types of Multicast Protocols
• Sparse-mode
• Uses “Pull” Model
• Traffic sent only to where it is requested
• Explicit Join behavior
• Dense-mode
• Uses “Push” Model
• Traffic Flooded throughout network
• Pruned back where it is unwanted
• Flood & Prune behavior (typically every 3 minutes)

Multicast Protocol Review
• The multicast routing protocols covered here, with the standards status they had
when this material was written:
• DVMRPv2 (Internet-draft); DVMRPv1 (RFC 1075) is obsolete and was never widely used
• MOSPF (RFC 1584), Proposed Standard
• PIM-DM (Internet-draft at the time; later published as RFC 3973, Experimental)
• CBT (Internet-draft)
• PIM-SM (RFC 2362, Proposed Standard; since superseded by RFC 4601 and then
RFC 7761)
• In practice only PIM-SM/SSM (and PIM-DM in small deployments) is used today.

Dense-Mode Protocols
• DVMRP - Distance Vector Multicast Routing Protocol
• MOSPF - Multicast OSPF
• PIM DM - Protocol Independent Multicasting (Dense Mode)

DVMRP Overview
• Dense Mode Protocol
• Distance vector-based
• Similar to RIP
• Infinity = 32 hops
• Subnet masks in route advertisements
• DVMRP Routes used:
• For RPF Check
• To build Truncated Broadcast Trees (TBTs)
• Uses special “Poison-Reverse” mechanism
• Uses Flood and Prune operation
• Traffic initially flooded down TBT’s
• TBT branches are pruned where traffic is unwanted.
• Prunes periodically time-out causing reflooding.
DVMRP — Source Trees

PIM-DM
• Protocol Independent
• Supports all underlying unicast routing protocols including: static, RIP, IGRP,
EIGRP, IS-IS, BGP, and OSPF
• Uses reverse path forwarding
• Floods network and prunes back based on multicast group membership
• Assert mechanism used to prune off redundant flows
• Appropriate for...
• Smaller implementations and pilot networks

PIM-DM Flood & Prune

Sparse-Mode Protocols
• PIM SM
• Protocol Independent Multicasting (Sparse Mode)
• CBT - Core Based Trees

PIM-SM (RFC 2362, now RFC 7761)
• Supports both source and shared trees
• Assumes no hosts want multicast traffic unless they specifically ask for it
• Uses a Rendezvous Point (RP)
• Senders and receivers "rendezvous" at this point to learn of each other's existence
• Senders are "registered" with the RP by their first-hop router
• Receivers are "joined" to the shared tree (rooted at the RP) by their local
Designated Router (DR)
• Appropriate for...
• Wide-scale deployment for both densely and sparsely populated groups in the
enterprise
• The usual choice for production networks regardless of size and membership density
PIM-SM Shared Tree Joins

PIM-SM Sender Registration

PIM-SSM
• No shared trees
• No register packets
• No RP mapping required (no RP required!)
• No RP-to-RP source discovery (MSDP)
• Requires IGMP include-source list – IGMPv3
• User-definable range

PIM-SSM Join

PIM-SSM traffic flow

Module-2: Transport
Technology & Solutions

Chapter-1: MPLS

MPLS Overview
• This session will provide the fundamentals for understanding MPLS
technology basics.
• The discussion will include MPLS evolution, terminology, functions of
labels, label format, label distribution, as well as encapsulations and
basic operation of an MPLS-enabled network.

Evolution of MPLS
• Origins in Cisco tag switching
• Proposed in the IETF, later combined with ideas from other proposals such as
IBM's ARIS and Toshiba's CSR
(Timeline figure, 1996 to 2004: Cisco tag switching; BOF at the IETF to
standardize; MPLS working group formally chartered by the IETF; Cisco ships MPLS
(tag switching); Cisco ships traffic engineering and MPLS VPN; TE deployed; AToM,
VPLS and DS-TE deployed; large-scale deployments.)
Why MPLS?
• Integrate best of Layer 2 and Layer 3
- Intelligence of IP Routing
- performance of high-speed switching
- Legacy service transport
- QoS
- VPN Semantics
- Link layers include:
- Ethernet, PoS, ATM, FR

MPLS as a Foundation for Value Added
Services

(Diagram: services built on the MPLS layer over the network infrastructure: VPNs,
traffic engineering, IP+ATM, any traffic over MPLS, IP+optical transport and
GMPLS.)

IP Routing
(Diagram: three routers, each holding a table of address prefixes (121.21, 131.69,
...) mapped to outgoing interfaces 0 and 1, populated by route updates. A packet
for 121.21.21.0 is forwarded hop by hop; at every router the destination IP address
is looked up again.)
• Packets are forwarded based on the destination IP address
Encapsulations

• Frame Relay: Frame Relay header | Label header | Layer 3 header
• PPP (Packet over SONET/SDH): PPP header | Label header | Layer 3 header
• LAN*: MAC header | Label header | Layer 3 header
* The LAN MAC label header is also used for MPLS packets over an ATM Forum PVC with
a SNAP header. Ethertype = 0x8847 (unicast) / 0x8848 (multicast).

Label Header for Packet Media
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|                 Label (20 bits)       | EXP |S|     TTL       |
Label = 20 bits; EXP/CoS = Class of Service (experimental bits), 3 bits;
S = Bottom of Stack, 1 bit; TTL = Time to Live, 8 bits
• Can be used over Ethernet, 802.3 or PPP links
• Uses two new Ethertypes / PPP protocol IDs (in the MAC or PPP header)
• Contains everything needed at forwarding time
• One 32-bit word per label
• Each label adds 4 bytes. Ethernet frames larger than 1518 bytes that result from
adding labels can be accounted for with the "mpls mtu" command; the link and the
switches in between must still be able to carry the larger frame.
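The field layout above is all a parser needs. The following is an added example, not from the original slides, that builds label stack entries, walks a stack until the bottom-of-stack bit, names the reserved label values from RFC 3032, and computes the frame size the "mpls mtu" concern is about. Label values, EXP and TTL in the demonstration are constructed.

```python
# Added example, not from the original slides: build and parse an MPLS label
# stack. Each 32-bit entry is Label(20) | EXP(3) | S(1) | TTL(8); parsing walks
# the stack until S=1. Reserved labels 0-15 (RFC 3032) are named; implicit null
# (3) is rejected because it is only signalled, never placed on the wire.
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
LABEL_ENTRY_LEN = 4
RESERVED_LABELS = {
    0: "IPv4 explicit null", 1: "router alert", 2: "IPv6 explicit null", 3: "implicit null",
}


def build_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Encode one label stack entry in network byte order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label is a 20-bit field")
    if not 0 <= exp < 8:
        raise ValueError("EXP is a 3-bit field")
    if not 0 <= ttl < 256:
        raise ValueError("TTL is an 8-bit field")
    if label == 3:
        raise ValueError("implicit null is never encoded in a label stack")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def parse_label_stack(payload: bytes):
    """Return (entries, inner_payload). Raises if the stack ends before an S=1 entry."""
    entries, offset = [], 0
    while True:
        if len(payload) - offset < LABEL_ENTRY_LEN:
            raise ValueError("label stack truncated before bottom-of-stack")
        (word,) = struct.unpack_from("!I", payload, offset)
        offset += LABEL_ENTRY_LEN
        label = word >> 12
        entry = {
            "label": label,
            "exp": (word >> 9) & 0x7,
            "s": bool((word >> 8) & 1),
            "ttl": word & 0xFF,
            "reserved": RESERVED_LABELS.get(label),
        }
        entries.append(entry)
        if entry["s"]:
            return entries, payload[offset:]


def mpls_frame_payload_size(ip_len: int, stack_depth: int) -> int:
    """Bytes after the Ethernet header for an IP packet of ip_len with stack_depth labels."""
    return ip_len + stack_depth * LABEL_ENTRY_LEN


if __name__ == "__main__":
    # Constructed two-label stack (transport label 16000, VPN label 24) over a
    # stand-in for an IPv4 header.
    stack = build_entry(16000, 0, False, 255) + build_entry(24, 5, True, 64) + b"\x45\x00"
    entries, inner = parse_label_stack(stack)
    for e in entries:
        print(e)
    print("inner payload:", inner.hex(), " wire size for 1500-byte IP with 2 labels:",
          mpls_frame_payload_size(1500, 2))
```

A parser that stops at the first entry, or trusts the S bit of an attacker-supplied frame without checking the remaining length, is the usual bug here; the truncation check runs before every read for that reason.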
Label Stacking
• Arrange labels in a stack
• Inner labels can be used to designate services/FECs, etc. (e.g. VPNs, fast
re-route, alternate forwarding)
• The outer label is used to route/switch the MPLS packets through the network
(e.g. for VPN, the outer label forwards to the remote PE and the bottom label
identifies the VPN at the remote PE)
• Allows building services such as:
• MPLS VPNs
• Traffic engineering and fast re-route
• VPNs over a traffic-engineered core
• Any transport over MPLS
(Diagram: stack from outer to inner label: TE label | IGP label | VPN label |
IP header.)

Control and Forward Plane Separation
(Diagram: control plane: the routing process exchanges route updates and
adjacencies and builds the RIB; the MPLS process exchanges label bindings and
adjacencies and builds the LIB. Data plane: the FIB forwards IP traffic and the
LFIB forwards MPLS traffic.)

Label Distribution Protocol (LDP)
• Defined in RFC 3036 (since obsoleted by RFC 5036) and RFC 3037
• Used to distribute labels in an MPLS network
• Forwarding Equivalence Class (FEC)
• How packets are mapped to LSPs (Label Switched Paths)
• Advertises labels per FEC
• Reach destination a.b.c.d with label x (one FEC per IP Layer 3 destination
prefix in the RIB)
• Neighbor discovery
UDP and TCP ports
UDP port for LDP Hello messages = 646
TCP port for establishing LDP session connections = 646

www.orhanergun.net
TDP and LDP
• Tag Distribution Protocol
  • Precursor to LDP
  • Used for Cisco tag switching
• TDP and LDP supported on the same box
  • Per neighbor/link basis
  • Per target basis
RSVP and Label Distribution
• Used in MPLS Traffic Engineering
• Additions to the base RSVP signaling protocol
• Leverage the admission control mechanism of RSVP
• Label requests are sent in PATH messages and binding is done with RESV messages
Note: CR-LDP is another option for label distribution, but is no longer used or implemented
BGP-Based Label Distribution
• Used in the context of MPLS VPNs
• Need multi-protocol extensions to BGP
  • Referred to as M-BGP
  • Uses AFI/SAFI
  • Extension to the BGP protocol in order to carry routing information about other protocols
    • Multicast
    • MPLS
    • IPv6
    • VPN-IPv4
    • Labeled IPv6 unicast (6PE)
    • VPN-IPv6 (6VPE)
• Exchange of multi-protocol NLRI must be negotiated at session set-up; this uses the BGP Capabilities Advertisement negotiation procedures
• VPN edge routers need to be BGP peers
• Label mapping info carried as part of the NLRI (Network Layer Reachability Information)
General Context
[Figure: CE – PE – P – PE – CE. The PE is the Edge Label Switch Router, the P is a Label Switch Router (LSR); a label distribution protocol (LDP/TDP, RSVP, BGP) runs between them]
(CE) – Customer Edge, (PE) – Provider Edge, (P) – Provider
• At edge (ingress): classify packets and label them; the label indicates service class and destination
• In core: forward using labels (as opposed to IP addresses)
• At edge (egress): remove the label
Operation
• Traditional routing
  • Each router holds the entire routing table and forwards to the next hop (destination-based routing); routes on the L3 destination address
• MPLS combines L3 routing with label swapping and forwarding
• MPLS forwarding
  • Label imposed at the ingress router (ingress to the label-switched portion of the network). Generally, all forwarding decisions are then made on the label only – no routing table lookups, only TFIB table lookups
  • Tag stripped at egress
MPLS Example: Routing Information
[Figure: three routers in a row, R1 – R2 – R3 (names added for the tables below), exchanging routing updates (OSPF, EIGRP, …): "You can reach 128.89 thru me", "You can reach 121.89 and 178.69 thru me", "You can reach 178.69 thru me"]

R1                                  R2                                  R3
In    Address  Out     Out          In    Address  Out     Out          In    Address  Out     Out
Label Prefix   I'face  Label        Label Prefix   I'face  Label        Label Prefix   I'face  Label
      121.89   1                          121.89   0                          121.89   0
      178.69   1                          178.69   1
…     …        …       …            …     …        …       …            …     …        …       …
MPLS Example: Assigning Labels
[Figure: the same three routers; labels are distributed by the Label Distribution Protocol (LDP, downstream allocation): "Use label 9 for 121.89" (R3 to R2), "Use label 4 for 121.89 and label 5 for 178.69" (R2 to R1), "Use label 7 for 178.69" (R2's other neighbor to R2)]

R1                                  R2                                  R3
In    Address  Out     Out          In    Address  Out     Out          In    Address  Out     Out
Label Prefix   I'face  Label        Label Prefix   I'face  Label        Label Prefix   I'face  Label
-     121.89   1       4            4     121.89   0       9            9     121.89   0       -
-     178.69   1       5            5     178.69   1       7
…     …        …       …            …     …        …       …            …     …        …       …
MPLS Example: Forwarding Packets
[Figure: a packet for 121.89.25.4 enters R1 unlabelled, leaves R1 with label 4, is forwarded by R2 with label 9, and leaves the MPLS network egress point R3 unlabelled: "Label switch forwards based on label"; label tables as on the previous slide]

  121.89.25.4 | Data  →  R1  →  4 | 121.89.25.4 | Data  →  R2  →  9 | 121.89.25.4 | Data  →  R3  →  121.89.25.4 | Data
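The three-router example above replayed in Python, as an added example that is not from the course: each router's table is the one on the slide, the R1/R2/R3 names and the link map are constructed so the path can be walked end to end, and only the ingress router ever looks at the IP destination.

```python
"""Label switching through the three routers of the example.

Added example, not from the course.  Tables are copied from the slide;
router names R1-R3 and the link map are constructed so the path can be
walked end to end."""
from ipaddress import ip_address, ip_network

# Ingress FIB: prefix -> (out interface, label to push).  Only the ingress
# LSR looks at the IP header; the prefixes are the slide's 121.89 and 178.69.
# LFIB: incoming label -> (out interface, outgoing label); None = pop (egress).
ROUTERS = {
    "R1": {"fib": {"121.89.0.0/16": (1, 4), "178.69.0.0/16": (1, 5)}, "lfib": {}},
    "R2": {"fib": {}, "lfib": {4: (0, 9), 5: (1, 7)}},
    "R3": {"fib": {}, "lfib": {9: (0, None)}},
}
# Constructed link map: (router, out interface) -> next router.
LINKS = {("R1", 1): "R2", ("R2", 0): "R3"}


def longest_match(fib, dst):
    """IP longest-prefix match; returns the FIB action or None."""
    best = None
    for prefix, action in fib.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def forward(dst, ingress="R1"):
    """Walk a packet for dst from the ingress LSR; return the per-hop trace
    as (router, in_label, operation, out_label)."""
    router, label, trace = ingress, None, []
    while True:
        tables = ROUTERS[router]
        if label is None:                       # unlabelled: IP lookup (ingress only)
            action = longest_match(tables["fib"], dst)
            if action is None:
                raise LookupError(f"{router}: no route to {dst}")
            op = "push"
        else:                                   # labelled: label lookup, dst ignored
            action = tables["lfib"].get(label)
            if action is None:
                raise LookupError(f"{router}: no LFIB entry for label {label}")
            op = "pop" if action[1] is None else "swap"
        iface, out_label = action
        trace.append((router, label, op, out_label))
        if out_label is None:                   # egress: leaves as plain IP
            return trace
        nxt = LINKS.get((router, iface))
        if nxt is None:                         # link not in the example topology
            trace.append((f"(beyond {router} iface {iface})", out_label, "exit", out_label))
            return trace
        router, label = nxt, out_label


if __name__ == "__main__":
    for hop in forward("121.89.25.4"):
        print(hop)
```

A packet with a label that no LFIB knows raises `LookupError` rather than being forwarded, which is the behaviour to expect from a real LSR as well.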
MPLS
Why MPLS? - Major Drivers
• Provide IP VPN services
  • Scalable IP VPN service – build once and sell many
  • Managed central services – building value-add services and offering them across VPNs (i.e. multicast, address management)
• Managing traffic on the network using MPLS Traffic Engineering
  • Providing tighter SLA/QoS (guaranteed bandwidth services)
  • Protecting bandwidth – bandwidth protection services are enabling service providers to look at alternate approaches to SONET APS
• Integrating Layer 2 and Layer 3 infrastructure
  • Layer 2 services such as Frame Relay and ATM over MPLS
  • Mimic layer 2 services over a highly scalable layer 3 infrastructure
MPLS Application

MPLS Layer 3 VPN
Virtual Network Models
• Virtual Networks
  • Virtual Private Networks
    • Overlay VPN
      • Layer-2 VPN: X.25, F/R, ATM
      • Layer-3 VPN: GRE, IPSec
    • Peer-to-Peer VPN
      • Access lists (shared router)
      • Split routing (dedicated router)
      • MPLS/VPN
  • Virtual Dialup Networks
  • Virtual LANs
Overlay Network
[Figure: customer sites connected by circuits across the provider (FR, ATM, etc.)]
• Provider sells a circuit service
• Customers purchase circuits to connect sites, run IP
• N sites, (N*(N-1))/2 circuits for full mesh – expensive
• The big scalability issue here is routing peers – N sites, each site has N-1 peers
• Hub and spoke is popular, suffers from the same N-1 number of routing peers
• Hub and spoke with static routes is simpler, still buying N-1 circuits from hub to spokes
• Spokes distant from hubs could mean lots of long-haul circuits
Peer Network
[Figure: customer sites each connected by one access circuit into the provider (MPLS-VPN)]
• Provider sells an MPLS-VPN service
• Customers purchase circuits to connect sites, run IP
• N sites, N circuits into the provider
• Access circuits can be any media at any point (FE, POS, ATM, T1, dial, etc.)
• Full mesh connectivity without a full mesh of L2 circuits
• Hub and spoke is also easy to build
• Spokes distant from hubs connect to their local provider's POP, lower access charge because of the provider's size
• The Internet is a large peer network
MPLS L3 VPNs using BGP (RFC2547)
[Figure: one provider backbone carrying sites of VPN A, VPN B and VPN C]
• End user perspective
  • Virtual Private IP service
  • Simple routing – just point default to provider
  • Full site-site connectivity without the usual drawbacks (routing complexity, scaling, configuration, cost)
• Major benefit for provider – scalability
MPLS VPN Topology
[Figure: provider core with P1–P3 and PE1–PE3; customer edge routers CEA1–CEA3 (VPN A, sites 1 and 2), CEB1–CEB3 (VPN B, sites 1 and 2) and VPN C sites 1 and 2 (prefixes 21.1/16, 21.2/16, 22.2/16, 26.1/16, 26.2/16) attach to the PEs using static routes, RIP or BGP]
VPN Routing and Forwarding Instance (VRF)
• PE routers maintain separate routing tables
• Global routing table
  • Contains all PE and P routes (perhaps BGP)
  • Populated by the VPN backbone IGP
• VRF (VPN routing and forwarding)
  • Routing and forwarding table associated with one or more directly connected sites (CE routers)
  • VRF is associated with any type of interface, whether logical or physical (e.g. sub/virtual/tunnel)
  • Interfaces may share the same VRF if the connected sites share the same routing information
• Not virtual routers, just virtual routing and forwarding
Virtual Routing and Forwarding Instances
[Figure: PE with interface 0 to the VPN-A CE (172.12.2.0/24) in the VRF for VPN-A, and interface 1 to the VPN-B CE (196.12.7.0/24) in the VRF for VPN-B; the PE also holds the global routing table]
• Define a unique VRF for interface 0
• Define a unique VRF for interface 1
• Packets will never go between interface 0 and 1
• Uses VPNv4 to exchange VRF routing information between PEs
• No MPLS yet…
VRF Route Population
[Figure: separate physical links – a separate CE router per customer/VPN (Customer-1, Customer-2/VPN1) attached to the PE; PE-CE routing via eBGP, EIGRP, OSPF, RIPv2 or static; the PE sits in the MPLS domain / iBGP domain]
• VRF is populated locally through PE and CE routing protocol exchange
  • RIP version 2, OSPF, BGP-4, EIGRP and static routing
  • "connected" is also supported (i.e. the default gateway is the PE)
• Separate routing context for each VRF
  • routing protocol context (BGP-4 and RIPv2)
  • separate process (OSPF)
Carrying VPN Routes in BGP
• VRFs by themselves aren't all that useful
• Need some way to get the VRF routing information off the PE and to other PEs
• This is done with BGP
Additions to BGP to Carry MPLS-VPN Info
• RD: Route Distinguisher
• VPNv4 address family
• RT: Route Target
• Label
Route Distinguisher
• To differentiate 11.0.0.0/8 in VPN-A from 11.0.0.0/8 in VPN-B
• 64-bit quantity
• Configured as ASN:YY or IPADDR:YY
  • Almost everybody uses ASN
• Purely to make a route unique
  • Unique route is now RD:IPaddr (96 bits) plus a mask on the IPaddr portion
  • So customers don't see each other's routes
Route Target
• To control policy about who sees what routes
• 64-bit quantity (2 bytes type, 6 bytes value)
• Carried as an extended community
• Typically written as ASN:YY
• Each VRF 'imports' and 'exports' one or more RTs
  • Exported RTs are carried in VPNv4 BGP
  • Imported RTs are local to the box
• A PE that imports an RT installs that route in its routing table
VPNv4
• In BGP for IP, 32-bit address + mask makes a unique announcement
• In BGP for MPLS-VPN, (64-bit RD + 32-bit address) + 32-bit mask makes a unique announcement
• Since the route encoding is different, need a different address family in BGP
• VPNv4 = VPN routes for IPv4
  • As opposed to IPv4 or IPv6 or multicast-RPF, etc…
• VPNv4 announcement carries a label with the route
  • "If you want to reach this unique address, get me packets with this label on them"
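The RD, RT and VPNv4 slides above modelled in Python, as an added example that is not from the course or any vendor: the RD is packed into its 8-byte form and prepended to the address to give the 96-bit key, and only the route targets decide which VRF installs a route. ASN 65000, the RD/RT values, the PE loopback 192.168.15.1 and the labels are constructed for the example.

```python
"""Route distinguisher, route target and VPNv4 route model.

Added example, not from the course or any vendor.  It shows why the RD makes
11.0.0.0/8 in VPN-A and VPN-B two distinct VPNv4 routes, and how import/export
route targets decide which VRFs install them.  ASN 65000, the RD/RT values,
PE loopback and labels are constructed."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def encode_rd(rd: str) -> bytes:
    """Encode "ASN:NN" (type 0: 2-byte ASN + 4-byte number) or "A.B.C.D:NN"
    (type 1: 4-byte address + 2-byte number) into its 8-byte wire form."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, IPv4Address(admin).packed, int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))


@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str          # IPv4 prefix with mask
    next_hop: str        # rewritten to the advertising PE's loopback
    label: int           # VPN label the PE wants on packets for this route
    rts: frozenset       # export RTs, carried as extended communities

    def key(self) -> bytes:
        """The 96-bit RD + address that makes the announcement unique."""
        addr, _ = self.prefix.split("/")
        return encode_rd(self.rd) + IPv4Address(addr).packed


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    local: dict = field(default_factory=dict)   # prefix -> CE next hop
    table: dict = field(default_factory=dict)   # prefix -> (PE next hop, label)


def export_vrf(vrf: Vrf, pe_loopback: str, label: int):
    """What the PE does before sending MP-BGP: attach RD and RTs, rewrite the
    next hop to its own loopback, and bind the VRF's label."""
    return [VpnV4Route(vrf.rd, p, pe_loopback, label, frozenset(vrf.export_rts))
            for p in vrf.local]


def import_routes(vrf: Vrf, routes) -> int:
    """Install every route whose RT set intersects this VRF's import RTs;
    the RD is not consulted here, only the RTs carry policy."""
    n = 0
    for r in routes:
        if r.rts & vrf.import_rts:
            vrf.table[r.prefix] = (r.next_hop, r.label)
            n += 1
    return n


def demo():
    """Two customers using the same 11.0.0.0/8 behind one PE."""
    vpn_a = Vrf("VPN-A", "65000:1", {"65000:1"}, {"65000:1"}, {"11.0.0.0/8": "ce-a"})
    vpn_b = Vrf("VPN-B", "65000:2", {"65000:2"}, {"65000:2"}, {"11.0.0.0/8": "ce-b"})
    advertised = export_vrf(vpn_a, "192.168.15.1", 28) + export_vrf(vpn_b, "192.168.15.1", 29)
    # Same IPv4 prefix, different RD: two entries in the VPNv4 table.
    vpnv4_table = {r.key(): r for r in advertised}
    # A remote PE with both VRFs imports only what each VRF's RT allows.
    remote_a = Vrf("VPN-A", "65000:1", {"65000:1"}, {"65000:1"})
    remote_b = Vrf("VPN-B", "65000:2", {"65000:2"}, {"65000:2"})
    import_routes(remote_a, advertised)
    import_routes(remote_b, advertised)
    return vpnv4_table, remote_a.table, remote_b.table
```

Note that a VRF configured to import both RTs would receive both 11.0.0.0/8 routes and the second would overwrite the first in this simple table; that is exactly the overlap the RD avoids in BGP but which import policy must still be designed around.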
MPLS Layer 3 VPN Operations
VRF Population of MP-BGP
[Figure: the CE at the India site sends a BGP/OSPF/RIPv2 update "172.16.1.0/24, NH=CE-1" to PE-1. PE-1 sends a VPNv4 update across the service provider network to PE-2 (Turkey): "RD 1:27:172.16.1.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28)"]
• PE routers translate into VPNv4 routes
  • Assign an RD, SOO (if configured) and RT based on configuration
  • Rewrite the Next-Hop attribute (to the PE loopback)
  • Assign a label based on VRF and/or interface
  • Send an MP-BGP update to all PE neighbors
VRF Population of MP-BGP
[Figure: the same update arrives at PE-2: the VPNv4 update "RD 1:27:172.16.1.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28)" is translated into an IPv4 address, put into VRF VPN-A because RT=VPN-A, and optionally advertised to any attached sites (the Turkey CE)]
• Receiving PE routers translate to IPv4
  • Insert the route into the VRF identified by the RT attribute (based on PE configuration)
• The label associated to the VPNv4 address will be set on packets forwarded towards the destination
MPLS/VPN Packet Forwarding
• Between PE and CE, regular IP packets (currently)
• Within the provider network – label stack
  • Outer label: "get this packet to the egress PE"
  • Inner label: "get this packet to the egress CE"
• MPLS nodes forward packets based on the TOP label!!! Any subsequent labels are ignored
• Penultimate Hop Popping procedures are used one hop prior to the egress PE router (shown in example)
MPLS/VPN Packet Forwarding
[Figure: PE-1 in Turkey receives an IP packet for 172.16.1.27 and sends it into the core as 41 | 28 | 172.16.1.27 toward India (172.16.1.0/24). PE-1's tables: global LFIB "In Label -, FEC 192.168.15.1/32, Out Label 41"; VPN-A VRF "172.16.2.0/24, NH=192.168.15.1, Label=(28)"]
• Ingress PE receives normal IP packets
• PE router performs IP longest match from the VPN FIB, finds the iBGP next-hop and imposes a stack of labels <IGP, VPN>
Things to Note
• Core does not run VPNv4 BGP!
  • Same principle can be used to run a BGP-free core for an IP network
• CE does not know it's in an MPLS-VPN
• Outer label is from LDP/RSVP
  • Getting the packet to the egress PE is independent of MPLS-VPN
• Inner label is from BGP
  • Inner label is there so the egress PE can have the same network in multiple VRFs
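The forwarding slide and the "Things to Note" slide above, as an added example that is not from the course: the ingress PE does the VRF longest match and pushes <IGP, VPN>, the P routers act on the top label only and the penultimate hop pops it, and the egress PE uses the inner label alone to select the VRF, which is what lets the same 172.16.1.0/24 live in two VRFs. Next hop 192.168.15.1, IGP label 41 and VPN label 28 are taken from the slide; P1/P2, label 52 and the second VRF with label 29 are constructed.

```python
"""Ingress-PE label imposition, penultimate-hop popping and egress-PE
disposition for an MPLS L3 VPN.

Added example, not from the course.  Values are constructed around the slide
(next hop 192.168.15.1, IGP label 41, VPN label 28); P1/P2, label 52 and the
second VRF are additions to show PHP and the same prefix in two VRFs."""
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3   # egress PE asks its upstream neighbour to pop (PHP)

# Ingress PE: per-VRF FIB, prefix -> (BGP next hop = egress PE loopback, VPN label).
# The same prefix lives in two VRFs with different VPN labels.
VRF_FIB = {
    "VPN-A": {"172.16.1.0/24": ("192.168.15.1", 28)},
    "VPN-B": {"172.16.1.0/24": ("192.168.15.1", 29)},
}
# Ingress PE global table: egress PE loopback -> IGP label learnt via LDP.
GLOBAL_FIB = {"192.168.15.1/32": 41}
# Core LSRs know nothing about VPNs: in label -> out label only.
CORE = [("P1", {41: 52}), ("P2", {52: IMPLICIT_NULL})]   # P2 is the penultimate hop
# Egress PE: VPN label -> the VRF it was allocated for.
EGRESS_VPN_LABELS = {28: "VPN-A", 29: "VPN-B"}


def longest_match(fib, dst):
    """IP longest-prefix match over a prefix -> entry table."""
    best = None
    for prefix, entry in fib.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def ingress_impose(vrf, dst):
    """VRF longest match, then IGP lookup on the BGP next hop: returns [IGP, VPN]."""
    entry = longest_match(VRF_FIB[vrf], dst)
    if entry is None:
        raise LookupError(f"{vrf}: no route to {dst}")
    next_hop, vpn_label = entry
    igp_label = longest_match(GLOBAL_FIB, next_hop)
    if igp_label is None:
        raise LookupError(f"no LSP to egress PE {next_hop}")
    return [igp_label, vpn_label]


def core_forward(stack):
    """Each P router acts on the top label only; the penultimate hop pops it."""
    stacks = []
    for name, lfib in CORE:
        out = lfib.get(stack[0])
        if out is None:
            raise LookupError(f"{name}: no LFIB entry for {stack[0]}")
        stack = stack[1:] if out == IMPLICIT_NULL else [out] + stack[1:]
        stacks.append((name, list(stack)))
    return stacks


def egress_dispose(stack, dst):
    """The egress PE sees only the VPN label and uses it to pick the VRF."""
    if len(stack) != 1:
        raise ValueError(f"egress expected a single VPN label, got {stack}")
    vrf = EGRESS_VPN_LABELS.get(stack[0])
    if vrf is None:
        raise LookupError(f"unknown VPN label {stack[0]}")
    return vrf, dst


def end_to_end(vrf, dst):
    """Return the label stack after each hop and the VRF chosen at egress."""
    stack = ingress_impose(vrf, dst)
    hops = [("PE-1", list(stack))] + core_forward(stack)
    final_vrf, _ = egress_dispose(hops[-1][1], dst)
    return hops, final_vrf
```

Label 3 is the reserved implicit-null value that an egress PE advertises to request PHP; the P routers here carry no VRF state at all, which is the "BGP-free core" point of the slide.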
Multi-VRF CE (VRF-lite)
[Figure: a single CE router supporting multiple VRF instances (VPN1, VPN2) connected to the PE over one physical link carrying a logical link per VRF; routing updates per VRF; the PE sits in the MPLS domain / iBGP domain]
• Single physical link – NO labels required
• Logical link per VRF
• Layer-2 must support logical separation
  • 802.1q, FR/ATM VCs
• Each VRF separation on the PE is extended to the CE
  • Separation is maintained via a layer-2 transport that supports "logical" separation (e.g. 802.1Q, FR/ATM VCs)
• CE router must be capable of supporting VRFs
• CE is not required to support MPLS labels
• Routing protocol options from CE-PE remain the same (e.g. BGP, RIPv2, OSPF, EIGRP, static)
Customers Connecting to a Layer-3 VPN Service
• What routing protocol is supported by the carrier (CE-PE)?
• What address space do they allow for the CE-PE subnet?
• What layer-2 transport is required/supported from CE-PE?
• Do they provide a QoS SLA?
• Concerning QoS, do they require DSCP or ToS settings from the CE to their PE?
• Do they manipulate DSCP/ToS based on congestion in their network?
• What other services do they have on their roadmap of "Service Offerings" (Example: IPv6, IP Multicast, tighter QoS SLA offering, other??)
• Understand the resiliency in the core
• Do they offer LEC diversification or "bypass"?
MPLS Traffic Engineering
Traffic Engineering - Theory
• MPLS-TE was designed to move traffic along a path other than the IGP shortest path
  • Bring ATM/FR traffic engineering abilities to an IP network
  • Avoid full IGP mesh and n(n – 1)/2 flooding
  • Bandwidth-aware connection setup
• Fast ReRoute (FRR) is emerging as another application of MPLS-TE
  • Bandwidth protection: allows for tighter control on bandwidth – packet loss, delay and jitter
  • Minimal packet loss (msec) when a link goes down
  • Can be used in conjunction with MPLS-TE for primary paths, can also be used standalone
• Provide virtual leased lines – DS-TE + QoS
  • Intelligent network infrastructure for better bandwidth guarantees (DS-TE, online bandwidth protection, voice VPNs etc)
The Problem with Shortest-Path
[Figure: Router A reaches Router F and Router G through Router E; the shortest path runs Router A – Router B – Router E, an alternate path runs Router A – Router C – Router D – Router E; links are a mix of OC-3 and DS3. 80 Mb of traffic follows the shortest path onto the DS3 link from Router B to Router E, which drops 35 Mb]
• Some links are DS3, some are OC-3
• Router A has 40 Mb of traffic for Router F, 40 Mb of traffic for Router G
• Massive (44%) packet loss at Router B->Router E!
Forwarding Traffic Down a Tunnel
• There are three ways traffic can be forwarded down a TE tunnel
  • Auto-route
  • Static routes
  • Policy routing
• With the first two, MPLS-TE gets you unequal cost load balancing
Fast ReRoute
• FRR: a mechanism to minimize packet loss during a failure
• Pre-provision protection tunnels that carry traffic when a protected resource (link/node) goes down
• Use MPLS-TE to signal the FRR protection tunnels, taking advantage of the fact that MPLS-TE traffic doesn't have to follow the IGP shortest path
• Used as a mechanism (along with DS-TE) for tight SLA offerings for "Guaranteed Bandwidth Services"
Standardization - IETF
• MPLS Working Group
  • Fast Reroute Extensions: draft-ietf-mpls-rsvp-lsp-fastreroute-01.txt
  • Fast Reroute MIB: draft-ietf-mpls-fastreroute-mib-01.txt
• IETF Drafts
  • Bandwidth Protection: draft-vasseur-mpls-backup-computation-01.txt
  • Path Computation (e.g. Inter-AS): draft-vasseur-mpls-computation-rsvp-02.txt
Why Deploy IPv6 Over MPLS?
• Because you already have an MPLS core and want to provide IPv6 access and transit services to your customers
  • IPv6 access to IPv6 services and resources that you provide
  • IPv6 access to IPv6 services and resources reachable via your network
  • VPNv6 services
  • Pre-existing MPLS core = IPv4 services; think coexistence
• Because you want to provide IPv6 access and transit services, and MPLS is a cool technology to do so? (speed, traffic engineering, QoS, VPN, resiliency)
What Core? IPv4 or IPv6 Signaled LSP?
• Pre-existing MPLS core -> L2-based or IPv4-based
  • Stick with what you have (L2-based/L3-based, LDP/RSVP, etc.) and use 6PE/6VPE
• New core
  • Providing mixed (IPv4/IPv6) services -> IPv4-based ("4PE" is a challenge)
  • IPv6-only -> no LDPv6 availability yet
  • Your "only" option today is to go with a v4-based core
IPv6 Tunnels Configured on CE
IPv6 Over "Circuit_over_MPLS"
IPv6 Over MPLS (v6-Signalled LSP)
6PE (RFC 4798) – What is it?
• Provides IPv6 global connectivity over an IPv4-MPLS core
• Transitioning mechanism for providing unicast IPv6 access over IPv4-signaled MPLS
• Coexistence mechanism for combining IPv4 and IPv6 services over an MPLS backbone
• As other IPv6 "tunnel" technologies, it enables services such as
  • "IPv6 Internet Access"
  • Peer-to-peer connectivity
  • Access to IPv6 services supplied by the SP itself
Minimum Infrastructure Upgrade for 6PE
6PE: The Technology
• It's an implicit method to tie a v4-signalled Label Switched Path to IPv6 routes announced via MP-BGP
• Apply the RFC2547bis architecture to IPv6
• IPv4/MPLS core infrastructure remains IPv6-unaware
• PEs are updated to support dual stack/6PE
• IPv6 reachability exchanged among 6PEs via MP-iBGP
• IPv6 packets transported from 6PE to 6PE inside IPv4 LSPs
6PE Overview
6VPE (RFC 4659) – What Is It?
• For VPN customers, IPv6 VPN service is exactly the same as IPv4 VPN service
• Current 6PE is "like VPN" but this is NOT VPN – i.e. global reachability
• Coexistence mechanism for combining IPv4 and IPv6 VPN services over an MPLS backbone
• It enables services such as
  • "IPv6 VPN Access"
  • Carriers Supporting Carriers
  • Access to IPv6 services supplied by the SP itself
Routing Protocols Leveraged with 6VPE
• IPv4-signalled LSP
• iBGP VPNv6 AF peering between 6VPEs (PE1, PE2)
• eBGP IPv6+vrf AF peering with CE
• Only eBGP and static routes within the VRF between CE-PE
Multi-Protocol VRF
Conclusions
• IPv6 migration does not "need" MPLS but, where MPLS is deployed, it enables attractive approaches for IPv6 integration
• Cisco IPv6 and MPLS solutions provide the broadest deployment scenario feature set
• Cisco 6PE and 6VPE are one such IPv6 integration approach over IPv4 MPLS, which offers IPv6 deployment at marginal cost/risk
  • No upgrade/reconfiguration in the IPv4/MPLS core
  • IPv6 simultaneously with IPv4, IPv4 VPNs, L2 services, etc.
Segment Routing
Next Generation SP Core Network Architecture
Limitations with Traditional SP Core Network
• Traditional interaction between application and network infrastructure is very limited
• Unknown configurations exist on SP core routers
• Network engineers have to find the path based on application requirements
• No application visibility
Benefits of Next Generation SP Network
• Simple to configure and manage
• Scalable
• Programmable
• Easy to integrate
Next Generation SP Core Network
• Interaction between application and network offers a variety of services
• MPLS Traffic Engineering is used to address optimization
• Programmability is announced
• Automation in network and services
• Application can directly feed its requirements into the network
Next Generation SP Core Network
Three major components of the NG SP core network:
• Application
• SDN Controller
• Segment Routing
Implementation of NG SP Core Network
Implementation is divided into 3 phases:
• Phase-1: Enable Segment Routing in the MPLS-enabled infrastructure
• Phase-2: Insert a controller for data collection and network programmability
• Phase-3: Augment the solution to multiple network domains to allow application and network infrastructure control end to end
Explain the Segment Routing Concept
What is Segment Routing
• Segment Routing's architecture is designed with SDN in mind
• Segment Routing is best as a control plane for IP and MPLS-enabled infrastructure
• Provides the best balance between distributed intelligence and centralized optimization
• Segment Routing is source routing, where the source chooses the path and encodes it in the packet header as an ordered list of segments
Type of Segments
A segment is an identifier for any type of instruction:
• Service
• Context
• Locator
• IGP-based forwarding construct
• BGP-based forwarding construct
• Local value or global index
Global Segment and Local Segment
Global Segment:
• A unique Segment Identifier (SID) in the SR domain
• Each node in the SR domain installs this SID in its forwarding table
• From the MPLS perspective, it's a label value from the SRGB
Local Segment:
• Locally significant between the adjacency of two routers
• From the MPLS perspective, it's a local label value which is allocated locally
Global Segment – Global Label
Global segments are distributed either as a label range + index or as an absolute value:
• SRGB (Segment Routing Global Block) defines the label range
• The index or the absolute value must be unique in the entire SR domain
• Global segments are global label values, simplifying network operations
Different Types of Segment Routing
IGP Segment
Two types of IGP segment:
• Prefix Segment
• Adjacency Segment
BGP Prefix Segment ID
BGP Prefix Segment ID:
• Segment attached to a BGP prefix
• Global segment within the SR domain
• BGP Prefix-SID attribute
Explain the Concept of SRGB (Segment Routing Global Block)
SRGB (Segment Routing Global Block)
Segment Routing Global Block:
• Range of labels reserved for segment routing
• Default SRGB on Cisco IOS XR is 16000 – 23999
A Prefix SID is advertised as a domain-wide unique index value.
The Prefix SID index points to a unique label within the SRGB:
• Label = Prefix SID Index + SRGB Base (16000)
• Example: Prefix 1.1.1.1/32 with Prefix index of 32 gets the label 16000+32 = 16032
• R1 – 1 = 16000+1 = 16001
• R2 – 2 = 16000+2 = 16002
• R3 – 3 = 16000+3 = 16003
SRGB Configuration
SRGB Configuration:
• Strongly recommended to use the same SRGB on all the nodes
• Global configuration or per IGP instance configuration
• SRGB under the IGP instance has precedence over SRGB in global configuration
• Multiple IGP instances can use the same SRGB or different non-overlapping SRGBs
• Using different SRGBs is supported but it complicates operation for users
SRGB Allocation
Label Switching Database
Label Switching Database:
• Local label allocation is managed by the Label Switching Database (LSD)
• All the MPLS applications like IGP, LDP, RSVP, MP-BGP, etc. must register as a client with the LSD to allocate labels
• Default label ranges in a Cisco IOS XR Segment Routing capable version:
  - Label range [0-15] – reserved for special purpose
  - Label range [16-15999] – reserved for static MPLS labels
  - Label range [16000-23999] – reserved for SRGB
  - Label range [24000 - max] – used for dynamic label allocation
SRGB Label Range
SRGB label range preservation:
• LSD preserves the default SRGB label range [16000-23999] from IOS XR 6.0.1 onwards
• LSD allocates dynamic labels from 24000
• If the configured mpls label range includes the default SRGB label range, the default preservation is disabled
  - mpls label range 16000 64000
• Preservation of the SRGB label range makes future Segment Routing activation possible without a reboot
IGP Control Plane
ISIS Control Plane with Segment Routing
• IPv4 and IPv6 control plane
• ISIS supports Segment Routing with TLV extensions
• Segment Routing is supported in Level-1, Level-2 and multi-level topologies
• It supports configuration of a Prefix Segment ID (Prefix-SID) on loopback interfaces
• ISIS allocates an Adjacency SID for each adjacency
• It supports the advertisement of Prefix-to-SID mappings
OSPF Control Plane with Segment Routing
OSPF Segment Routing functionality:
• Segment Routing supports the OSPFv2 control plane
• Segment Routing is supported based on OSPF extension Opaque LSAs
• It supports multi-area OSPF topologies
• It supports configuration of a Prefix SID on loopback interfaces
• OSPF allocates an adjacency SID to each adjacency
OSPF LSA Extension for Segment Routing
• OSPF adds the Router Information Opaque LSA (Type 4)
• OSPF defines a new Opaque LSA (Type 7) to advertise the SID
Interaction between SRGB and IGP (OSPF & ISIS)
Segment Routing Global Block (SRGB)
• Default SRGB is 16000-23999
• A non-default SRGB can be configured per IGP instance or in global configuration for all IGP instances
• SRGB under the IGP instance has precedence over SRGB in global configuration
• Multiple IGP instances can use the same SRGB or non-overlapping different SRGBs
SRGB Interaction with ISIS
• The SRGB is advertised in the ISIS Router Capability TLV
• The SR Capability sub-TLV is included in the Router Capability TLV
Configuration and Verification of Segment Routing with ISIS
[Topology: R1 (Loopback0 1.1.1.1/32, Prefix SID IPv4 index 10, IPv6 index 11) – GigabitEthernet0/0/0/0 – R2 (Loopback0 1.1.1.2/32, Prefix SID IPv4 index 20, IPv6 index 21); link IPv4: 10.10.10.0/24, IPv6: 2001:AB10:CD10:DB10::/64]

R1 configuration:
router isis 1
 net 49.0001.1111.1111.1111.00
 address-family ipv4 unicast
  metric-style wide
  segment-routing mpls
 !
 address-family ipv6 unicast
  metric-style wide
  segment-routing mpls
 !
 interface Loopback0
  address-family ipv4 unicast
   prefix-sid index 10
  !
  address-family ipv6 unicast
   prefix-sid index 11
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4 unicast
  !
  address-family ipv6 unicast

R2 configuration:
router isis 1
 net 49.0001.2222.2222.2222.00
 address-family ipv4 unicast
  metric-style wide
  segment-routing mpls
 !
 address-family ipv6 unicast
  metric-style wide
  segment-routing mpls
 !
 interface Loopback0
  address-family ipv4 unicast
   prefix-sid index 20
  !
  address-family ipv6 unicast
   prefix-sid index 21
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
Configuration and Verification of Segment Routing with ISIS
RP/0/0/CPU0:R1#show isis database verbose R1

IS-IS 1 (Level-1) Link State Database


LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R1.00-00 * 0x00000002 0x9034 833 0/0/0
Area Address: 49.0001
NLPID: 0xcc
NLPID: 0x8e
MT: Standard (IPv4 Unicast)
MT: IPv6 Unicast 0/0/0
Hostname: R1
IP Address: 1.1.1.1
IPv6 Address: 2001:ab10:cd10:db10::1
Router Cap: 1.1.1.1, D:0, S:0
Segment Routing: I:1 V:1, SRGB Base: 16000 Range: 8000
Metric: 10 IS-Extended R2.01
Interface IP Address: 10.10.10.1
LAN-ADJ-SID: F:0 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24000 System ID:R2
LAN-ADJ-SID: F:0 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24001 System ID:R2
Metric: 10 IP-Extended 1.1.1.1/32
Prefix-SID Index: 10, Algorithm:0, R:0 N:1 P:0 E:0 V:0 L:0
Metric: 10 IP-Extended 10.10.10.0/24
Metric: 10 MT (IPv6 Unicast) IS-Extended R2.01
Interface IPv6 Address: 2001:ab10:cd10:db10::1
LAN-ADJ-SID: F:1 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24002 System ID:R2
LAN-ADJ-SID: F:1 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24003 System ID:R2
Metric: 10 MT (IPv6 Unicast) IPv6 2001:ab10:cd10:db10::/64
Configuration and Verification of Segment Routing with ISIS
RP/0/0/CPU0:R2#show isis database verbose R2

IS-IS 1 (Level-1) Link State Database


LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
R2.00-00 * 0x00000002 0x33b3 593 0/0/0
Area Address: 49.0001
NLPID: 0xcc
NLPID: 0x8e
MT: Standard (IPv4 Unicast)
MT: IPv6 Unicast 0/0/0
Hostname: R2
IP Address: 1.1.1.2
IPv6 Address: 2001:ab10:cd10:db10::2
Router Cap: 1.1.1.2, D:0, S:0
Segment Routing: I:1 V:1, SRGB Base: 16000 Range: 8000
Metric: 10 IS-Extended R2.01
Interface IP Address: 10.10.10.2
LAN-ADJ-SID: F:0 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24000 System ID:R1
LAN-ADJ-SID: F:0 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24001 System ID:R1
Metric: 10 IP-Extended 1.1.1.2/32
Prefix-SID Index: 20, Algorithm:0, R:0 N:1 P:0 E:0 V:0 L:0
Metric: 10 IP-Extended 10.10.10.0/24
Metric: 10 MT (IPv6 Unicast) IS-Extended R2.01
Interface IPv6 Address: 2001:ab10:cd10:db10::2
LAN-ADJ-SID: F:1 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24002 System ID:R1
LAN-ADJ-SID: F:1 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24003 System ID:R1
Metric: 10 MT (IPv6 Unicast) IPv6 2001:ab10:cd10:db10::/64
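As an added example (not from the course, and not a Cisco tool), the Python below parses the SR-related lines of the two "show isis database verbose" outputs above, checks that both nodes advertise the same SRGB as the SRGB Configuration slide recommends, resolves each Prefix-SID index to its label (SRGB base + index, as on the SRGB slide), and confirms the adjacency SIDs sit in the dynamic range rather than inside the SRGB. The embedded sample text is trimmed from the R1 and R2 outputs; the line formats are assumed to match them.

```python
"""Parse the Segment Routing data in 'show isis database verbose' output
and sanity-check it.  Added example, not from the course or any vendor tool;
the samples are trimmed from the R1 and R2 outputs on the slides."""
import re

SAMPLE_R1 = """\
R1.00-00              * 0x00000002   0x9034        833             0/0/0
  Hostname: R1
  Router Cap: 1.1.1.1, D:0, S:0
    Segment Routing: I:1 V:1, SRGB Base: 16000 Range: 8000
  Metric: 10         IS-Extended R2.01
    LAN-ADJ-SID: F:0 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24000 System ID:R2
    LAN-ADJ-SID: F:0 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24001 System ID:R2
  Metric: 10         IP-Extended 1.1.1.1/32
    Prefix-SID Index: 10, Algorithm:0, R:0 N:1 P:0 E:0 V:0 L:0
  Metric: 10         IP-Extended 10.10.10.0/24
"""
SAMPLE_R2 = """\
R2.00-00              * 0x00000002   0x33b3        593             0/0/0
  Hostname: R2
  Router Cap: 1.1.1.2, D:0, S:0
    Segment Routing: I:1 V:1, SRGB Base: 16000 Range: 8000
  Metric: 10         IS-Extended R2.01
    LAN-ADJ-SID: F:0 B:1 V:1 L:1 S:0 weight:0 Adjacency-sid: 24000 System ID:R1
    LAN-ADJ-SID: F:0 B:0 V:1 L:1 S:0 weight:0 Adjacency-sid: 24001 System ID:R1
  Metric: 10         IP-Extended 1.1.1.2/32
    Prefix-SID Index: 20, Algorithm:0, R:0 N:1 P:0 E:0 V:0 L:0
  Metric: 10         IP-Extended 10.10.10.0/24
"""

HOST_RE = re.compile(r"^\s*Hostname:\s+(\S+)")
SRGB_RE = re.compile(r"SRGB Base:\s+(\d+)\s+Range:\s+(\d+)")
PREFIX_RE = re.compile(r"IP-Extended\s+(\d+\.\d+\.\d+\.\d+/\d+)")
PSID_RE = re.compile(r"Prefix-SID Index:\s+(\d+).*\bN:(\d)")
ADJ_RE = re.compile(r"Adjacency-sid:\s+(\d+)\s+System ID:(\S+)")


def parse_lsp(text):
    """Collect hostname, SRGB (base, range), prefix SIDs and adjacency SIDs."""
    node = {"hostname": None, "srgb": None, "prefix_sids": {}, "adj_sids": []}
    prefix = None          # the IP-Extended line a Prefix-SID line belongs to
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            node["hostname"] = m.group(1)
        elif m := SRGB_RE.search(line):
            node["srgb"] = (int(m.group(1)), int(m.group(2)))
        elif m := PREFIX_RE.search(line):
            prefix = m.group(1)
        elif m := PSID_RE.search(line):
            node["prefix_sids"][prefix] = {"index": int(m.group(1)),
                                           "node_sid": m.group(2) == "1"}
        elif m := ADJ_RE.search(line):
            node["adj_sids"].append((int(m.group(1)), m.group(2)))
    return node


def sid_to_label(index, srgb):
    """Label = SRGB base + index; an index past the range size is invalid."""
    base, size = srgb
    if not 0 <= index < size:
        raise ValueError(f"index {index} outside SRGB of size {size}")
    return base + index


def common_srgb(nodes):
    """All nodes should advertise one SRGB; a mismatch is an operational problem."""
    srgbs = {n["srgb"] for n in nodes}
    if len(srgbs) != 1:
        raise ValueError(f"SRGB mismatch across nodes: {sorted(srgbs)}")
    return srgbs.pop()


def prefix_labels(nodes):
    """Map each prefix to its global label and reject duplicate indexes."""
    labels, owner = {}, {}
    for n in nodes:
        for prefix, sid in n["prefix_sids"].items():
            label = sid_to_label(sid["index"], n["srgb"])
            if label in owner and owner[label] != prefix:
                raise ValueError(f"label {label} used by {owner[label]} and {prefix}")
            owner[label] = prefix
            labels[prefix] = label
    return labels


def adj_sids_outside_srgb(node):
    """Adjacency SIDs are local labels and must not collide with the SRGB."""
    base, size = node["srgb"]
    return all(not base <= label < base + size for label, _ in node["adj_sids"])
```

The duplicate-index check matters because the index, not the label, is what the IGP floods: two nodes configured with the same index resolve to the same global label on every node in the domain.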
SRGB Interaction with OSPF
• One or more SID/Label Range TLVs are included in the Router Information Opaque LSA
• The SID/Label Range TLV contains the range size (24 bits) and a SID/Label TLV indicating the start of the SRGB
Configuration and Verification of Segment Routing with OSPF
[Topology: R1 (Loopback0 1.1.1.1/32, Prefix SID IPv4 10, absolute 16010) – GigabitEthernet0/0/0/0 – R2 (Loopback0 1.1.1.2/32, Prefix SID IPv4 20, absolute 16020); link IPv4: 10.10.10.0/24, IPv6: 2001:AB10:CD10:DB10::/64]

R1 configuration:
router ospf 1
 router-id 1.1.1.1
 segment-routing mpls
 segment-routing forwarding mpls
 area 0
  interface Loopback0
   prefix-sid absolute 16010
  !
  interface GigabitEthernet0/0/0/0
   network point-to-point
  !

R2 configuration:
router ospf 1
 router-id 2.2.2.2
 segment-routing mpls
 segment-routing forwarding mpls
 area 0
  interface Loopback0
   prefix-sid absolute 16020
  !
  interface GigabitEthernet0/0/0/0
   network point-to-point
  !
Configuration and Verification of Segment Routing with OSPF

RP/0/0/CPU0:R1#show ospf database self-originate

OSPF Router with ID (1.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count


1.1.1.1 1.1.1.1 300 0x80000002 0x003986 3

Type-10 Opaque Link Area Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Opaque ID


4.0.0.0 1.1.1.1 415 0x80000001 0x002c44 0
7.0.0.1 1.1.1.1 415 0x80000001 0x00d0bc 1
8.0.0.4 1.1.1.1 300 0x80000002 0x00d98a 4
Configuration and Verification of Segment Routing with OSPF
RP/0/0/CPU0:R1#show ospf database opaque-area 4.0.0.0 self-originate

OSPF Router with ID (1.1.1.1) (Process ID 1)

Type-10 Opaque Link Area Link States (Area 0)

Router Information TLV: Length: 4


Capabilities:
Graceful Restart Helper Capable
Stub Router Capable
All capability bits: 0x60000000

Segment Routing Algorithm TLV: Length: 2


Algorithm: 0
Algorithm: 1

Segment Routing Range TLV: Length: 12


Range Size: 8000

SID sub-TLV: Length 3


Label: 16000
Configuration and Verification of Segment Routing with OSPF
RP/0/0/CPU0:R1#show ospf database opaque-area 7.0.0.1

OSPF Router with ID (1.1.1.1) (Process ID 1)

Type-10 Opaque Link Area Link States (Area 0)

Extended Prefix TLV: Length: 20


Route-type: 1
AF : 0
Flags : 0x40
Prefix : 1.1.1.1/32

SID sub-TLV: Length: 8


Flags : 0x0
MTID : 0
Algo : 0
SID Index : 10
Prefix and Adjacency SID
IGP Segment Identifier – Prefix SID
Prefix SID:
• Uses SRGB [16000-23999]
• SRGB advertised with the Router Capability TLV
• Absolute value or index value
  - Example: absolute value is the label value; 16010
  - Example: index value is the offset from the SRGB base; Index 10 → SID is 16000+10 → 16010
IGP Segment Identifier – Adjacency SID
Adjacency SID:
• Uses the dynamic label range
• Encoded as an absolute value
• Automatically allocated
• Locally significant
Segment Routing Advertisement
An SR-enabled node advertises SR information in the following pattern:
• SRGB [16000-23999] – advertised as base = 16000, range 8000
• Prefix SID = 16010 – advertised as prefix index of 10
• Adjacency SID = 24010 – advertised as Adjacency SID = 24010
Combining Prefix SID and Adjacency SID
• Steer the traffic to any path in the network
• Path is specified as a list of segments in the packet header
• No path is signaled
• Single protocol: OSPF or ISIS
Node Segment
A Node Segment is a prefix segment associated with a host prefix that identifies a node.
• Equivalent to a router-ID prefix, which is a prefix identifying a node
• Node SID is a prefix SID with the N-Flag set in the advertisement
By default each configured prefix-SID is a Node SID.
Node Segment with ISIS
• By default the N-Flag is set on each configured prefix-SID
• To clear the N-Flag, configure n-flag-clear
• The N-Flag should be cleared for an Anycast SID
  prefix-sid absolute 16010 n-flag-clear
Adjacency Segment
Adjacency Segment:
 Local segment – locally significant
 Allocated from the dynamic label pool
 Automatically allocated for each adjacency
 ISIS allocates a different adjacency-SID for level-1 and level-2 adjacencies
 ISIS allocates a different adjacency-SID for the IPv4 and IPv6 address families
 OSPF allocates the same adjacency-SID in all areas of a multi-area adjacency
 LSD keeps the adjacency label for 30 minutes after the adjacency goes down; after that the label is released and a new label is allocated once the adjacency comes back up.
LAN Adjacency-SID
 All nodes in the LAN advertise their adjacency to a pseudo node only.
 For SR to steer traffic to each node on the LAN, an adjacency SID is necessary to every other node on the LAN.
 LAN-Adj-SIDs are associated to the adjacency to the pseudo node only.

[Figure: R1, R2 and R3 on one LAN; R1 holds an adjacency SID to R2 and an adjacency SID to R3]
Concept of Multi-Level and Multi-Area with SR in OSPF & ISIS
Cisco Segment Routing

Terminologies

‘Advertise’
- When a node advertises a prefix, it includes that prefix in the link-state advertisements it generates and sends to its neighbors.

‘Originate’
- When a node originates a prefix, it advertises a local prefix, a prefix owned by the node.

‘Propagate’
- When a node propagates a prefix, it advertises in an area or level a prefix that was received from some other area or level.
Cisco Segment Routing

Multi-Area & Multilevel SID Propagation
Segment Routing does not make any change in how multi-area or multilevel works.
Prefix SIDs are propagated between areas.
Adjacency SIDs are not propagated between areas.
Cisco Segment Routing

Multi-Area & Multilevel SID Propagation
 When an ABR or L1/L2 router propagates a non-local prefix with a prefix-SID:
- Set PHP-Off flag
- Clear Explicit-Null flag
- ISIS sets the ‘Re-Advertisement’ flag

 When an ABR or L1/L2 router propagates a local prefix with a prefix-SID:
- PHP-off flag is unset (means PHP is on)
- No Exp-null flag
- No Re-advertisement flag.
Cisco Segment Routing

Multi-Area or Multilevel Example:

[Figure: R1 and R2 are in Area 0, R2 and R3 are in Area 1 (R1 -- Area 0 -- R2 -- Area 1 -- R3)]

R1- 1.1.1.1/32; SID 16010 [Area 0]
R2- 1.1.1.2/32; SID 16011 [Area 0]
R3- 1.1.1.3/32; SID 16012 [Area 1]
Thank You !!!

www.orhanergun.net
Chapter-2: VPN

Basic VPNs
• What is a VPN?
• A Virtual Private Network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. It can be implemented securely or insecurely, depending on the requirements. It is a technology that creates a safe and encrypted connection over a less secure network, such as the Internet.

• VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources. To ensure safety, data travels through a secure tunnel, and VPN users must use authentication methods, including passwords, tokens and other unique identification methods, to gain access to the VPN.
VPN Protocols

• There are several different protocols used to secure users and corporate data:
• IP Security (IPSec)
• Secure Socket Layer (SSL) and Transport Layer Security (TLS)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• OpenVPN
Site-to-site VPN
• A site-to-site VPN uses a gateway device to connect the entire network in one location to the network in another, usually a small branch connecting to a data center. End-node devices in the remote location do not need VPN clients because the gateway handles the connection. Most site-to-site VPNs connecting over the internet use IPsec. It is also common to use carrier MPLS clouds, rather than the public internet, as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 connectivity (VPLS [Virtual Private LAN Service]) running across the base transport.
IP Security (IPSec)
• IPSec is a framework for a set of protocols for security at the network or packet processing layer of network communication.
• IPSec provides two choices of security services: Authentication Header [AH], which essentially allows authentication of the sender of data, and Encapsulating Security Payload [ESP], which supports both authentication of the sender and encryption of data. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP protocol.
Secured VPN using IPSEC Components
• IPSec is a framework of open standards developed by the Internet
Engineering Task Force (IETF) that provides security for transmission
of sensitive information over unprotected networks such as the
Internet. It acts at the network level and implements the following
standards:
• IPSEC
• Internet Key Exchange (IKE)
• Data Encryption Standard (DES)
• MD5 (HMAC Variant)
• SHA (HMAC Variant)
• Authentication header (AH)
• Encapsulating Security Payload (ESP)
Secured VPN Components (Cont.)…

• Internet Key Exchange (IKE)
• A hybrid protocol that implements Oakley and SKEME key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.
• Data Encryption Standard (DES)
• The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backwards compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.
• MD5 (HMAC variant)
• MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
• SHA (HMAC variant)
• SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
• Authentication Header (AH)
• Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
• Encapsulated Secure Payload (ESP)
• Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication,
Secured VPN Components (Cont.)…
• Security Association
• Security association is a description of how two or more entities will use security services in
the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a
particular data flow. It includes such things as the transform and the shared secret keys to be
used for protecting the traffic.
• Transform
• Transform is the list of operations done on a dataflow to provide data authentication, data
confidentiality, and data compression. For example, one transform is the ESP protocol with the
HMAC-MD5 authentication algorithm; another transform is the AH protocol with the 56-bit DES
encryption algorithm and the ESP protocol with the HMAC-SHA authentication algorithm.
• Tunnel
• In the context of this topic, "tunnel" is a secure communication path between two peers, such as
two routers. It does not refer to using IPSec in tunnel mode.
• IPSec also works with the GRE and IPinIP Layer 3, L2F, L2TP, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec.
What is Encryption ?
• Data that traverses unsecured networks is open to many types of
attacks. Data can be read, altered, or forged by anybody who has
access to the route that your data takes. For example, a protocol
analyser can read packets and gain classified information. Or, a
hostile party can tamper with packets and cause damage by
hindering, reducing, or preventing network communications
within your organization.

Types of Encryption

Hashing
• Hashing is one way to enable security during the process of message
transmission when the message is intended for a particular recipient only. A
formula generates the hash, which helps to protect the security of the
transmission against tampering.
• Hashing is used to index and retrieve items in a database because it is
easier to find the item using the shortened hashed key than using the
original value.

Site-to-Site IPSEC VPN Architecture
• IKE Phase 1 and its Modes: Main vs Aggressive

Site-to-Site IPSEC VPN Architecture (Cont.)

• IKEv1 Phase 2
• Phase 2 is the IPSec (ISAKMP) negotiation, where the specifics you set up in your policies determine how the keys are set. These are the traffic keys themselves, and the traffic is encrypted here. An IPSec SA is present if everything goes well.
• Phase 2 already expects the key information, but it comes FROM Phase 1.
Cisco GRE VPN
• GRE tunnels provide an interface the device can use to forward data. The “data” in this sense is the passenger protocol itself, such as IPv6 or IPv4. These tunnels are composed of three main components:
• Delivery Header (Transport Protocol)
• GRE Header (Carrier Protocol)
• Payload Packet (Passenger Protocol)
GRE Application:
• GRE can be used with many different combinations of passenger and
transport protocols. However, IPv4 and IPv6 are the most common
transport protocols for GRE. For example:
• GRE can use IPv4 as the transport protocol to tunnel an IPv4 packet across the
underlying network infrastructure.
• GRE can use IPv4 as the transport protocol to tunnel an IPv6 packet across the
underlying network infrastructure.
• GRE can use IPv6 as the transport protocol to tunnel an IPv4 packet across the
underlying network infrastructure.
• GRE can use IPv6 as the transport protocol to tunnel an IPv6 packet across the
underlying network infrastructure.

Why we Use GRE ?

• GRE’s support for multiple protocols and packet types makes it ideal for
solving many of the problems faced when trying to form VPNs across the
Internet. The most obvious issue is that private addressing used in the
enterprise cannot be routed across the public Internet. GRE solves this by
encapsulating the IP header with private addressing using an outer IP
header that uses public addressing.

Dynamic Multipoint VPN
(DMVPN)

What is Dynamic Multipoint VPN?
• Dynamic Multipoint VPN (DMVPN) is a combination of GRE, NHRP, and IPsec
• NHRP allows the peers to have dynamic addresses (i.e. dial and DSL) with GRE/IPsec tunnels
• Backbone is a hub-and-spoke topology
• Allows direct spoke-to-spoke tunneling by auto leveling to a partial mesh
Site-to-Site, DMVPN: mGRE/IPsec/NHRP Integration, Only HUB Address Is Known

[Figure: DMVPN hub and spoke. The HUB (192.0.0.1, LAN 192.0.0.0 255.255.255.0) has a static, known IP address; the SPOKES (192.0.1.1 with LAN 192.0.1.0 255.255.255.0, 192.0.2.1 with LAN 192.0.2.0 255.255.255.0, and 192.0.3.1 with LAN 192.0.3.0 255.255.255.0) have dynamic, unknown IP addresses. LANs can have private addressing. Legend: static spoke-to-hub IPsec tunnels; dynamic and temporary spoke-to-spoke IPsec tunnels.]
GRE Tunnels
• A GRE tunnel is a simple non-negotiated tunnel; GRE only needs tunnel endpoints
• GRE encapsulates frames or packets into another IP packet + IP header
• GRE has only 4 to 8 bytes of overhead
• GRE tunnels exist in two main flavors:
 Point-to-point (GRE)
 Point-to-multipoint (mGRE)
GRE multipoint and DMVPN
• A GRE interface definition includes an IP address, a tunnel source, a tunnel destination and an optional tunnel key:
interface Tunnel 0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Dialer1
 tunnel destination 172.16.0.2
 tunnel key 1
• An mGRE interface definition includes an IP address, a tunnel source and a tunnel key:
interface Tunnel 0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1
• mGRE interfaces do not have a tunnel destination
Terminology Pause
• The tunnel address is the IP address defined on the tunnel interface
• The Non-Broadcast Multiple Access (NBMA) address is the IP address used as tunnel source (or destination)
• Example… on router A, one configures
interface Ethernet0/0
 ip address 192.16.0.1 255.255.255.0
interface Tunnel0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Ethernet0/0
[…]
192.0.0.1 is router A's tunnel address
192.16.0.1 is router A's NBMA address
mGRE Tunnels
• Single tunnel interface (mp)
 Non-Broadcast Multi-Access (NBMA) network
 Multiple (dynamic) tunnel destinations
 Multicast/broadcast support
• Next Hop Resolution Protocol (NHRP)
 VPN IP to NBMA IP address mapping
GRE Encapsulation

[Figure: two routers. Left: tunnel address 192.0.0.1/24, NBMA address 192.16.0.1/24, LAN 192.168.0.0/24. Right: tunnel address 192.0.0.2/24, NBMA address 192.16.1.1/24, LAN 192.168.1.0/24. The original packet (IP s=192.168.0.1, dst=192.168.1.1 | Payload) travels between the NBMA addresses as IP s=192.16.0.1, d=192.16.1.1 | GRE | IP s=192.168.0.1, dst=192.168.1.1 | Payload, and is delivered unchanged (IP s=192.168.0.1, dst=192.168.1.1 | Payload) on the far LAN.]
DMVPN GRE Interfaces
• In DMVPN, the hub must have a point-to-multipoint GRE (mGRE) interface
• Spokes can have a point-to-point GRE interface or an mGRE interface
• This presentation will use mGRE everywhere for consistency
• Note that point-to-point GRE interfaces prevent spoke-to-spoke direct tunneling
mGRE Talking to a Peer
• Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone
• NHRP tells mGRE where to send the packets to
• NHRP is defined in RFC 2332
What is NHRP?
• NHRP is a layer two resolution protocol and cache
like ARP or Reverse ARP (Frame Relay)
• It is used in DMVPN to map a tunnel IP address to
an NBMA address
• Like ARP, NHRP can have static and dynamic
entries
• NHRP has worked fully dynamically since Release
12.2(13)T

How mGRE Uses NHRP
• When a packet is routed, it is passed to the mGRE interface along with a next-hop
• The next-hop is the tunnel address of a remote peer
• mGRE looks up the next-hop address in the NHRP cache and retrieves the NBMA address of the remote peer
• mGRE encapsulates the packet into a GRE/IP payload
• The new packet destination is the NBMA address
• Multicast packets are only sent to specific remote peers identified in the NHRP configuration
How NHRP Works
• mGRE uses NHRP, but how does NHRP work?
• This presentation will introduce a network topology and illustrate the associated NHRP commands
NHRP Registration
Dynamically Addressed Spokes

[Figure: Hub with Physical 172.17.0.1, Tunnel0 10.0.0.1 and LAN 172.168.0.1/24. Spoke A with Physical (dynamic) 192.16.1.1, Tunnel0 193.0.0.11 and LAN 172.168.1.1/24. Spoke B with Physical (dynamic) 192.16.2.1, Tunnel0 193.0.0.12 and LAN 172.168.2.1/24.]
Basic NHRP Configuration
• In order to configure an mGRE interface to use NHRP, the following command is necessary:
ip nhrp network-id <id>
• Where <id> is a unique number (same on hub and all spokes)
• <id> has nothing to do with tunnel key
• The network ID defines an NHRP domain
 Several domains can co-exist on the same router
Populating the NHRP Cache
• Three ways to populate the NHRP cache:
 Manually add static entries
 Hub learns via registration requests
 Spokes learn via resolution requests
• We will now study “static” and “registration”
• “Resolution” is for spoke to spoke
Initial NHRP
Caches
• Initially, the hub has an empty cache
• The spoke has one static entry mapping the hub’s
tunnel address to the hub’s NBMA address:
ip nhrp map 10.0.0.1 172.17.0.1
• Multicast traffic must be sent to the hub
ip nhrp map multicast 172.17.0.1

The Spokes Must Register With The Hub
• In order for the spokes to register themselves with the hub, the hub must be declared as a Next Hop Server (NHS):
ip nhrp nhs 192.0.0.1
ip nhrp holdtime 3600 (optional)
ip nhrp registration no-unique (optional)
• Spokes control the cache on the hub
Registration Process
• The spokes send Registration-requests to the hub
• The request contains the spoke’s Tunnel and NBMA addresses as well as the hold time and some flags
• The hub creates an entry in its NHRP cache
• The entry will be valid for the duration of the hold time defined in the registration
• The NHS returns a registration reply (acknowledgement)
Multicast Packets from the Hub
• The hub must also send multicast traffic to all the spokes that registered to it
• This must be done dynamically (possible since Release 12.2(13)T)
• This is not the default
ip nhrp map multicast dynamic
NHRP Registration Request

[Figure: Hub with Physical 172.16.0.1, Tunnel0 192.0.0.1 and LAN 192.168.0.1/24; Spoke A with Physical (dynamic) 172.16.1.1, Tunnel0 192.0.0.11 and LAN 192.168.1.1/24.
Registration packet sent by Spoke A: IP s=172.16.1.1, d=172.17.0.1 | GRE s=192.0.0.11, dst=192.0.0.1 | NHRP-Registration Tunnel=192.0.0.11, NBMA=172.16.1.1, Hold=3600, no-unique.
Hub NHRP table after registration: 192.0.0.11 -> 172.16.0.1 (dynamic, mcast, hold=3600, no-unique).
Spoke A NHRP table: 192.0.0.1 -> 172.17.0.1 (static, mcast).]
NHRP Functionality
• Address mapping/resolution
 Static NHRP mapping
 Next Hop Client (NHC) registration with Next Hop Server (NHS)
• Packet Forwarding
 Resolution of VPN to NBMA mapping
 Routing: IP destination → Tunnel IP next-hop
 NHRP: Tunnel IP next-hop → NBMA address
Routing Protocol
• The spoke needs to advertise its private network to
the hub
• Can use BGP, EIGRP, OSPF, RIP or ODR; however,
this presentation will focus on EIGRP
• Must consider several caveats

Spoke Hellos
• Spoke has all it needs to send hellos immediately:
 Tunnel is defined
 Static NHRP entry to hub is present
 NHRP entry is marked for multicast
• So the spoke never waits…
Hub Hellos
• With its basic tunnel definition, the hub cannot send anything (including hellos) to anyone
• It must wait for NHRP registrations to arrive
• As soon as the spokes have registered, the NHRP entry is marked “Multicast” due to
ip nhrp map multicast dynamic
• The hub sends hellos to all the registered spokes simultaneously
GRE and EIGRP
• The default bandwidth of a GRE tunnel is 9 Kbps
• This has no influence on the traffic but…
• EIGRP will take at most ½ of the interface bandwidth (4.5 Kbps) – this is too low
bandwidth 1000
Spoke EIGRP configuration
• Nothing special on the spoke
• EIGRP stub should be considered

Hub EIGRP
Configuration
• There are many options…
• If you want a spoke to see other spokes:
• no ip split-horizon eigrp 1

• Summarization is to be considered
• Setting the bandwidth is crucial in the hub to spoke direction
• Best-practice: Set the bandwidth the same on all nodes

IPsec Protection
• GRE/NHRP can build a fully functional overlay
network
• GRE is insecure; ideally, it must be protected
• The good old crypto map configuration is rather
cumbersome; DMVPN introduced tunnel protection
• Still need to define an IPsec security level

The IPsec Security Policy
• A transform set must be defined:
crypto ipsec transform-set ts esp-sha-hmac esp-3des
 mode transport
• An IPsec profile replaces the crypto map:
crypto ipsec profile prof
 set transform-set ts
• The IPsec profile is like a crypto map without “set peer” and “match address”
Protecting the Tunnel
• The profile must be applied on the tunnel:
tunnel protection ipsec profile prof
• Internally Cisco IOS® Software will treat this as a dynamic crypto map and derives the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache
• This must be configured on the hub and spoke tunnels
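The fragments spread over the preceding slides (NHRP network-id, the spoke's static map and NHS, the hub's dynamic multicast map, EIGRP with split horizon disabled and bandwidth 1000, the transform set and IPsec profile, and tunnel protection) assembled into one complete hub and spoke configuration. This is an added example, not the course's own lab configuration. The addresses are those used on the slides (hub tunnel 192.0.0.1, hub NBMA 172.17.0.1, spoke tunnel 192.0.0.11, hub LAN 192.168.0.0/24, spoke LAN 192.168.1.0/24); the ISAKMP policy and key, the physical interface name GigabitEthernet0/0, the NHRP authentication string, the MTU settings, and the AES-256/SHA-256 transform set (in place of the 3DES/SHA-1 set shown on the slide) are assumptions.

```cisco
! Added example. IKEv1 policy and pre-shared key are not on the slides (assumed);
! replace the placeholder with a real key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
! Transform set and profile as on the slides, with AES-256/SHA-256 instead of
! 3DES/SHA-1. Transport mode: GRE already supplies the outer IP header.
crypto ipsec transform-set ts esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile prof
 set transform-set ts
!
! ===== HUB (NBMA 172.17.0.1 on GigabitEthernet0/0) =====
interface Tunnel0
 bandwidth 1000
 ip address 192.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile prof
!
router eigrp 1
 network 192.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
!
! ===== SPOKE A (dynamic NBMA address on GigabitEthernet0/0) =====
interface Tunnel0
 bandwidth 1000
 ip address 192.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 192.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 1
 ip nhrp nhs 192.0.0.1
 ip nhrp holdtime 3600
 ip nhrp registration no-unique
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile prof
!
router eigrp 1
 network 192.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 eigrp stub connected
!
! Verification on the hub: the spoke should appear as a dynamic entry with the
! multicast flag, and the SA as a GRE proxy between the two NBMA addresses.
! show ip nhrp detail
! show crypto ipsec sa
! show ip eigrp neighbors
```

Because spokes control the hub's NHRP cache, the protection of that cache rests on tunnel protection: the tunnel key and NHRP authentication string only keep stray or misconfigured GRE packets out of the domain, while IPsec on the tunnel is what ensures that only an authenticated peer can register a mapping or receive the hub's routing updates. The 3DES/SHA-1 transform set on the slide still works on IOS but is legacy, which is why the example uses AES-256 and SHA-256.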
Relation Between GRE, NHRP and IPsec
• For each unique NBMA address in the NHRP cache, Cisco IOS Software will create an internal crypto map that protects
 GRE traffic
 From tunnel source (NBMA) address
 To NHRP entry NBMA address
• The SAs will be negotiated as soon as the cache entry is created (static and resolved)
Relationship (cont’d.)
• NHRP registration will be triggered
 When the Tunnel interface comes up/up
 When the tunnel source address changes
 When IPsec finishes negotiating the phase 2 related to the tunnel protection
 When the registration timer expires
NHRP Registration
Dynamically Addressed Spokes

[Figure: permanent IPsec tunnels from each spoke to the hub. Hub: Physical 192.17.0.1, Tunnel0 192.0.0.1, LAN 192.168.0.1/24; its NHRP mapping table holds 192.0.0.11 -> 192.16.1.1 and 192.0.0.12 -> 192.16.2.1, next to its routing table. Spoke A: Physical (dynamic) 192.16.1.1, Tunnel0 192.0.0.11, LAN 192.168.1.1/24. Spoke B: Physical (dynamic) 192.16.2.1, Tunnel0 192.0.0.12, LAN 192.168.2.1/24.]
Building Hub-and-Spoke tunnels
NHRP Registration

[Figure: sequence between Host1, Spoke1, Hub, Spoke2 and Host2. Each spoke and the hub run IKE initialization until IKE/IPsec is established; each spoke then sends an NHRP registration request and receives an NHRP registration reply; a routing adjacency forms between each spoke and the hub and routing updates are exchanged. All spoke-to-hub traffic is encrypted.]
Dynamic Multipoint VPN (DMVPN) Phases

DMVPN Phases
• DMVPN Phase I
• DMVPN Phase II
• DMVPN Phase III
DMVPN Phase I
• P2P GRE on spoke routers
• mGRE on hub router
• Default routing on spokes
• Dynamic spoke registration
• Data traffic flow through the hub
• No multicast between spoke to spoke

DMVPN Phase I Initialization
• Spoke attempts to send traffic to hub:
• IKE keys and IPSEC SA are established
• Spoke uses NHRP to register with hub
• Hub creates NHRP mapping for spoke
• Hub creates dynamic multicast map for spoke
• Hub and spoke exchange routing updates
DMVPN Phase II
• Dynamic tunnel destination
• Every spoke needs all spoke routes
• No multicast between spokes
• Data traffic spoke-to-spoke
• Next hop must be the egress router
DMVPN Phase III
• No limits on routing Spoke-to-Spoke
• Multicast only between NHRP neighbour
• Optimal data traffic
• No restriction on routing protocol
• DMVPN Cloud 1 subnet

IKEv2

What Is IKEv2?
• IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol
that handles request and response actions.
• It makes sure the traffic is secure by establishing and handling the SA
(Security Association) attribute within an authentication suite –
usually IPSec since IKEv2 is basically based on it and built into it.

IKEv2 Characteristics
• IKEv2 supports IPSec’s latest encryption algorithms, alongside
multiple other encryption ciphers.
• The IKE protocol uses UDP packets and UDP port 500. Normally, four
to six packets are necessary for creating the SA.
• IKE is based on the following underlying security protocols:
• ISAKMP - Internet Security Association and Key Management Protocol
• SKEME - Versatile Secure Key Exchange Mechanism
• OAKLEY - Oakley Key Determination Protocol

IKEv1 vs. IKEv2
• IKEv2 offers support for remote access by default thanks to its EAP
authentication.
• IKEv2 is programmed to consume less bandwidth than IKEv1.
• The IKEv2 VPN protocol uses encryption keys for both sides, making it
more secure than IKEv1.
• IKEv2 has MOBIKE support, meaning it can resist network changes.
• IKEv1 doesn’t have built-in NAT traversal like IKEv2 does.

IKEv2 Advantages and Disadvantages
• Advantages:
• IKEv2 security is quite strong since it supports multiple high-end ciphers.
• Despite its high security standard, IKEv2 offers fast online speeds.
• IKEv2 can easily resist network changes due to its MOBIKE support, and can automatically restore dropped connections.
• Disadvantages:
• Since IKEv2 only uses UDP port 500, a firewall or network admin could block it.
• IKEv2 doesn’t offer as much cross-platform compatibility as other protocols (PPTP, L2TP, OpenVPN, SoftEther).
Conclusion
• IKEv2 is both a VPN protocol and an encryption protocol used within the IPSec suite.
• Essentially, it’s used to establish and authenticate a secured communication between a VPN client and a VPN server.
• IKEv2 is very safe to use, as it has support for powerful encryption ciphers, and it also addressed all the security flaws that were present in IKEv1.
Thank You !!!

Flex VPN

What is FlexVPN?

• IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies
FlexVPN highlights
• Unified CLI
• Based on and compliant with the IKEv2 standard
• Unified infrastructure: leverages the IOS point-to-point tunnel interface
• Unified features: most features available across topologies
• Key features: AAA, config-mode, dynamic routing, IPv6
• Simplified config using smart-defaults
• Interoperable with non-Cisco implementations
• Easier to learn, market and manage
Flex VPN and Interfaces

Basic Packet Forwarding

Flex VPN

Cisco IOS FlexVPN Features and Benefits:
• Scalability: IKEv2 provides scalability with the help of the IKEv2 Proposal, in which we can use multiple integrity, encryption & DH group types, which creates multiple possible combinations of Phase I policies.

• More secure authentication: in IKEv2, the IKEv2 keyring provides directional PSKs, in which we can use a different PSK based on the direction of flow, and we can also use different authentication types on the two sides, such as PSK on one side and RSA on the other side.
Cisco IOS FlexVPN Features and Benefits:
• Transport network: FlexVPN can be deployed either over the public internet or over a private Multiprotocol Label Switching (MPLS) VPN network.

• Deployment style: designed for the concentration of both site-to-site and remote access VPNs, one single FlexVPN deployment can accept both types of connection requests at the same time.
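An added IOS configuration example (not from the slides) for the two FlexVPN features named above: an IKEv2 proposal carrying several encryption, integrity and DH group choices, and asymmetric authentication, here RSA signatures on the hub and a directional pre-shared key on the spoke. The hub address 192.0.2.1, the spoke address 192.0.2.11, the trustpoint HUB-TP, the key placeholders, Loopback0 and GigabitEthernet0/0 are all assumptions.

```cisco
! Added example, hub side. One proposal with several algorithm choices: the peers
! agree on the strongest combination both support, so a new spoke with different
! capabilities does not need a new Phase 1 policy.
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256 aes-cbc-128
 integrity sha512 sha256
 group 19 14
!
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! Directional PSK: the key the hub sends (local) differs from the key it expects
! from the spoke (remote). The spoke configures the same two keys the other way round.
crypto ikev2 keyring FLEX-KR
 peer SPOKE1
  address 192.0.2.11
  pre-shared-key local REPLACE-HUB-TO-SPOKE1-KEY
  pre-shared-key remote REPLACE-SPOKE1-TO-HUB-KEY
 !
!
! Asymmetric authentication: the hub proves itself with an RSA signature from
! trustpoint HUB-TP, the spoke with its pre-shared key.
crypto ikev2 profile FLEX-PROF
 match identity remote address 192.0.2.11 255.255.255.255
 identity local address 192.0.2.1
 authentication local rsa-sig
 authentication remote pre-share
 pki trustpoint HUB-TP
 keyring local FLEX-KR
 dpd 10 2 on-demand
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
! A point-to-point tunnel interface per peer is cloned from this template.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! The spoke mirrors this: authentication local pre-share, authentication remote
! rsa-sig (with the CA certificate that signed the hub's certificate installed),
! and the two pre-shared keys swapped between local and remote.
```

With directional keys, a spoke whose key is exposed cannot impersonate the hub towards other spokes, because the key it holds is only ever valid in the spoke-to-hub direction; "show crypto ikev2 sa detailed" on the hub shows which authentication method each side used, which is the quick check that the asymmetric setup actually took effect.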
Cisco IOS FlexVPN Features and Benefits:

Thank You !!!

MPLS Over Flex VPN

Thank You !!!

Module-3: Infrastructure
Security and Services

Chapter-1: Device Security
on Cisco IOS

AAA

AAA Model—Network Security Architecture
• Authentication
• Who are you?
• Authorization
• What can you do?
• What can you access?
• Accounting
• What did you do?
• How long did you do it? How often did you do it?

Implementation

Implementation Local Authentication

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.
Implementation Remote Authentication

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
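The two implementations above, local and remote authentication, combined in one IOS AAA configuration: the Cisco Secure ACS is queried first over TACACS+, and the local database is used only when the server is unreachable. This is an added example, not from the slides; the server address 10.0.0.10, the server group and user names, and the key placeholders are assumptions.

```cisco
! Added example. Remote (TACACS+) authentication with local fallback.
aaa new-model
!
! Local database: used only when no TACACS+ server answers.
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
tacacs server ACS1
 address ipv4 10.0.0.10
 key REPLACE-WITH-TACACS-KEY
aaa group server tacacs+ ACS
 server name ACS1
!
! Authentication: who are you?  Authorization: what can you do?
! Accounting: what did you do, and for how long?
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! The console stays on the local database so that a lost ACS cannot lock
! the administrator out; remote access goes through the default method list.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
 login authentication default
!
! Checks: "show tacacs" for server reachability, "debug aaa authentication"
! during a test login, and the accounting records on the ACS for the session.
```

The order of the method list matters: "group ACS local" falls back to the local database only when the servers do not respond, not when they reject the user, so a failed remote login cannot be retried against local credentials.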
TACACS+ and RADIUS AAA Protocols
• Two different protocols are used to communicate between the AAA security servers and authenticating devices.
• Cisco Secure ACS supports both TACACS+ and RADIUS:
• TACACS+ remains more secure than RADIUS.
• RADIUS has a robust application programming interface and strong accounting.
Summary
• AAA services provide a higher degree of scalability than the line-level
and privileged EXEC authentication
• AAA services may be self-contained in the router or network access
server (NAS) itself. This form of authentication is also known as local
authentication
• In situations where local authentication will not scale well, such as for
many remote clients connecting to the network from different
locations, it is better to implement a remote security database.

Summary
• TACACS+ and RADIUS are the two predominant AAA protocols used by
Cisco security appliances, routers, and switches for implementing AAA
with a remote security database.
• The most common authentication method is the use of a username
and password. Authentication strength varies from the weakest which
is to use a database of usernames and passwords to the strongest
which is to use OTPs.
• PPP enables authentication between remote clients and servers using
PAP, CHAP, or MS-CHAP.

Summary
• Administrative access to a router and remote LAN access through perimeter routers is secured using aaa commands.
Thank You !!!

Control Plane Policing

Control Plane Policing (CoPP)
• rACLs are great but
• Limited platform availability
• Limited granularity—permit/deny only
• Need to protect all platforms
• To achieve protection today, need to apply ACL to all interfaces
• Some platform implementation specifics
• Some packets need to be permitted but at limited rate

Control Plane Policing (CoPP)
• CoPP uses the Modular QoS CLI (MQC) for QoS policy definition
• Consistent approach on all boxes
• Dedicated control-plane “interface”
• Highly flexible: permit, deny, rate limit
• Extensible protection
• Changes to MQC (e.g. ACL keywords) are applicable to CoPP

Control Plane Policing Feature

Deploying CoPP
• Recommendation: develop multiple classes of control plane traffic
• Apply appropriate rate to each
• “Appropriate” will vary based on network, risk tolerance, and risk assessment
• Be careful what you rate-limit
• Flexible class definition allows extension of model
• Fragments, TOS, ARP
• One option: attempt to mimic rACL behaviour
• CoPP is a superset of rACL
• Apply rACL to a single class in CoPP
• Same limitations as with rACL: permit/deny only

Configuring CoPP
1. Define ACLs – classify traffic
2. Define class-maps – set up classes of traffic
3. Define policy-map – assign a QoS policy action to each class of traffic (police, drop)
4. Apply the CoPP policy to the control plane “interface”
Step 1: Define ACLs
• Pre-Undesirable—traffic that is deemed “bad” or “malicious” to be denied access to the RP
• Critical—traffic crucial to the operation of the network
• Important—traffic necessary for day-to-day operations
• Normal—traffic expected but not essential for network operations
• Post-Undesirable—traffic that is deemed “bad” or “malicious” to be denied access to the RP
• Catch-All—all other IP traffic destined to the RP that has not been identified
• Default—all remaining non-IP traffic destined to the RP that has not been identified
Step 2: Define Class-Maps
• Create class-maps to complete the traffic-classification process
• Use the access-lists defined on the previous slides to specify which IP packets belong
in which classes
• Class-maps permit multiple match criteria, and nested class-maps
• match-any requires that packets meet only one “match” criteria to be considered “in
the class”
• match-all requires that packets meet all of the “match” criteria to be considered “in
the class”
• A “match-all” classification scheme with a simple, single-match criteria will
satisfy initial deployments
• Traffic destined to the “undesirable” class should follow a “match-any”
classification scheme
Step 3: Define Policy-Map
• Class-maps defined in Step 2 need to be “enforced” by using a policy-
map to specify appropriate service policies for each traffic class

Step 3: Define Policy-Map - Example
• For undesirable traffic types, all actions are unconditionally “drop”
regardless of rate
• For critical, important, and normal traffic types, all actions are
“transmit” to start out
• For catch-all traffic, rate-limit the amount of traffic permitted above a
certain bps

www.orhanergun.net
Step 4: Apply Policy to “Interface”
• Apply the policy-map created in Step 3 to the “control plane”
• The new global configuration CLI “control-plane” command is used to
enter “control-plane configuration mode”
• Once in control-plane configuration mode, attach the service policy to
the control plane in the “input” direction
• Input—applies the specified service policy to packets that are entering the
control plane
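The four steps above as one Cisco IOS configuration, added here as an example and not taken from the course slides; the ACL names, peer addresses (192.0.2.x documentation range) and police rates are assumed values chosen for illustration:

```cisco
! Step 1: ACLs classify traffic destined to the route processor.
! Addresses, names and rates are assumed values for illustration.
ip access-list extended COPP-UNDESIRABLE
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
ip access-list extended COPP-CRITICAL
 permit ospf any any
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
ip access-list extended COPP-IMPORTANT
 permit tcp 192.0.2.128 0.0.0.127 any eq 22
 permit udp 192.0.2.128 0.0.0.127 any eq snmp
 permit udp host 192.0.2.200 any eq ntp
ip access-list extended COPP-NORMAL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
ip access-list extended COPP-CATCH-ALL
 permit ip any any
!
! Step 2: class-maps. The undesirable class uses match-any; the others use
! the simple single-match match-all scheme the slides recommend initially.
class-map match-any COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-CRITICAL
 match access-group name COPP-CRITICAL
class-map match-all COPP-IMPORTANT
 match access-group name COPP-IMPORTANT
class-map match-all COPP-NORMAL
 match access-group name COPP-NORMAL
class-map match-all COPP-CATCH-ALL
 match access-group name COPP-CATCH-ALL
!
! Step 3: policy-map. Class order matters: the first matching class wins,
! so undesirable traffic is dropped before the catch-all could permit it.
policy-map COPP
 class COPP-UNDESIRABLE
  drop
 class COPP-CRITICAL
  police 512000 conform-action transmit exceed-action transmit
 class COPP-IMPORTANT
  police 256000 conform-action transmit exceed-action transmit
 class COPP-NORMAL
  police 64000 conform-action transmit exceed-action drop
 class COPP-CATCH-ALL
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 8000 conform-action transmit exceed-action drop
!
! Step 4: attach the policy to the control plane in the input direction.
control-plane
 service-policy input COPP
!
! Monitoring: per-ACE hit counts and per-class conform/exceed counters.
show access-lists COPP-CRITICAL
show policy-map control-plane
```

Critical and important classes start with transmit on both conform and exceed, as the slides suggest; tighten the exceed action only after the counters from show policy-map control-plane show the real rates.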

www.orhanergun.net
Monitoring CoPP
• “show access-list” displays hit counts on a per ACL entry (ACE) basis
• The presence of hits indicates flows for that data type to the control plane as
expected
• Large numbers of packets or an unusually rapid rate increase in packets
processed may be suspicious and should be investigated
• Lack of packets may also indicate unusual behavior or that a rule may need to
be rewritten
• “show policy-map control-plane” is invaluable for reviewing and
tuning site-specific policies and troubleshooting CoPP
• Use SNMP queries to automate the process of reviewing service-policy
transmit and drop rates
www.orhanergun.net
Monitoring CoPP
• “show policy-map control-plane” is invaluable for reviewing and
tuning site-specific policies and troubleshooting CoPP
• Displays dynamic information about number of packets (and bytes)
conforming or exceeding each policy definition
• Useful for ensuring that appropriate traffic types and rates are reaching the
route processor

www.orhanergun.net
Monitoring CoPP
• Use SNMP queries to automate the process of reviewing service-policy
transmit and drop rates
• The Cisco QoS MIB (CISCO-CLASS-BASED-QOS-MIB) provides the primary
mechanisms for MQC-based policy monitoring via SNMP

www.orhanergun.net
Control Plane Policing

www.orhanergun.net
Control Plane Policing: Summary
• Superset of rACL: Start planning your migrations
• Provides a cross-platform methodology for protecting the control
plane
• Consistent “show” command and MIB support
• Granular: Permit, deny and rate-limit
• Platform-specific details: centralized vs. distributed vs. hardware

www.orhanergun.net
Thank You !!!

www.orhanergun.net
Switch Security

www.orhanergun.net
Defeating a Learning Bridge’s Forwarding Process
• MAC Flooding Attacks
• MAC Flooding Alternative: MAC Spoofing Attacks
• Exploiting the Bridging Table
• MAC Flooding Attacks vs. hardware
www.orhanergun.net
MAC Flooding Attacks
• Virtually all LAN switches on the market come with a finite-size
bridging table.
• Because each entry occupies a certain amount of memory, it is
practically impossible to design a switch with infinite capacity.
• This information is crucial to a LAN hacker. High-end LAN switches can
store hundreds of thousands of entries, while entry-level products
peak at a few hundred.

www.orhanergun.net
Forcing an Excessive Flooding Condition

www.orhanergun.net
Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a
switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds
ago was just overwritten by another entry?

www.orhanergun.net
Forced Flooding

www.orhanergun.net
Forced Flooding
Host C starts running macof. The tool sends Ethernet frames to random destinations, each time modifying the
source MAC address. When the first frame with source MAC address X arrives on port Fa0/3, it overwrites the
00:00:CAFE:00:00 entry. When the second frame arrives (source MAC Y), it overwrites the entry pointing to B.
At this point in time, all communication between 00:00:CAFE:00:00 and B becomes public because of the
flooding condition that macof created.

www.orhanergun.net
MAC Spoofing Attacks

All MAC flooding tools force a switch to “fail open” to later perform selective MAC spoofing attacks. A MAC
spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC
address already in use on the VLAN. This causes the switch to forward frames out the incorrect port.

www.orhanergun.net
MAC Spoofing Attacks

www.orhanergun.net
Preventing MAC Flooding and Spoofing
Attacks

Fortunately, there are several ways to thwart MAC flooding and spoofing attacks. In this section, you will learn
about detecting MAC activity, port security, and unknown unicast flooding protection.

www.orhanergun.net
Port Security

To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form,
port security ties a given MAC address to a port by not allowing any other MAC address than the
preconfigured one to show up on a secured port.

www.orhanergun.net
Port Security

When a secure link goes down, MAC addresses that were associated with the port normally disappear.
However, some switches (Catalyst 6500 running a recent IOS release, for example) support sticky MAC
addresses—when the port goes down, the MAC addresses that have been learned remain associated with that
port. They can be saved in the configuration file.

www.orhanergun.net
Port Security

The most common and recommended port-security setting is dynamic mode with one MAC address for ports
where a single device is supposed to connect, with a drop action on violation (restrict action).

www.orhanergun.net
Unknown Unicast Flooding Protection

Some switches ship with a mechanism that can protect an entire VLAN from unicast flooding’s negative effects.
This mechanism is known as unicast flood protection. As already shown, when no entry corresponds to a
frame’s destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within the
respective VLAN, which causes flooding. Limited flooding is part of the normal switching process, but
continuous flooding causes adverse performance effects on the network. The unicast flood protection feature
can send an alert when a user-defined rate limit has been exceeded. It can also filter the traffic or shut down
the port generating the floods when it detects unknown unicast floods exceeding a certain threshold.
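The recommended port-security setting from the slides (dynamic mode, one MAC address, restrict on violation, sticky learning) as a Cisco IOS configuration, added here as an example and not taken from the course; interface and VLAN numbers are assumed, and the unknown unicast flood protection line uses the Catalyst 6500 syntax as an assumption to verify on your release:

```cisco
! Access port where exactly one device is expected: dynamic learning of a
! single MAC, made sticky so it survives a link flap, restrict on violation.
! Interface names and VLAN numbers are assumed values.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! "restrict" drops frames from any other source MAC, increments the
! violation counter and raises a syslog message / SNMP trap, without
! err-disabling the port. If "violation shutdown" is used instead, let the
! port recover on its own after 5 minutes:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Unknown unicast flood protection for the whole VLAN (Catalyst 6500; assumed
! syntax, verify on your release): alert when unknown-unicast flooding in
! VLAN 10 exceeds 5 kpps. "filter <minutes>" or "shutdown" in place of
! "alert" blocks the offending source or err-disables its port instead.
mac-address-table unicast-flood limit 5 vlan 10 alert
!
! Verification: secured/sticky addresses, violation count, last offending MAC,
! and how full the bridging table actually is.
show port-security interface FastEthernet0/3
show port-security address
show mac address-table count
```

A macof run against this port shows up as a climbing violation counter on FastEthernet0/3 while the bridging table count stays flat, which is the signal to look for.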

www.orhanergun.net
Attacking the Spanning Tree Protocol

Attack 1: Taking Over the Root Bridge
Taking over a root bridge is probably one of the most disruptive attacks. By default, a LAN switch takes any
BPDU sent from Yersinia at face value. Keep in mind that STP is trustful, stateless, and does not provide a solid
authentication mechanism. The default STP bridge priority is 32768. Once in root attack mode, Yersinia sends a
BPDU every 2 sec with the same priority as the current root bridge, but with a slightly numerically lower MAC
address, which ensures it a victory in the root-bridge election process.

www.orhanergun.net
Countermeasure - 1

Root Guard
The root guard feature ensures that the port on which root guard is enabled is the designated port. Normally,
root bridge ports are all designated ports, unless two or more ports of the root bridge are connected. If the
bridge receives superior BPDUs on a root guard–enabled port, root guard moves this port to a root-
inconsistent state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded
across this port. In this way, root guard enforces the position of the root bridge.

www.orhanergun.net
Countermeasure - 2

BPDU-Guard
The BPDU-guard feature allows network designers to enforce the STP domain borders and keep the active
topology predictable. Devices behind ports with BPDU-guard enabled are unable to influence the STP
topology. Such devices include hosts running Yersinia, for example. At the reception of a BPDU, BPDU-guard
disables the port. BPDU-guard transitions the port into the errdisable state, and a message is generated.

www.orhanergun.net
Attacking the Spanning Tree Protocol

Attack 2: DoS Using a Flood of Config BPDUs
Attack number 2 in Yersinia (sending conf BPDUs) is extremely potent. With the curses GUI enabled, Yersinia
generated roughly 25,000 BPDUs per second on our test machine. This seemingly low number is more than
sufficient to bring a Catalyst 6500 Supervisor Engine 720 running 12.2(18)SXF down to its knees, with 99
percent CPU utilization on the switch processor.

www.orhanergun.net
Countermeasure - 1

BPDU-Guard
BPDU-guard was introduced in the previous section. Because it completely prevents BPDUs from entering the
switch on the port on which it is enabled, the setting can help fend off this type of attack.

www.orhanergun.net
Countermeasure - 2

BPDU Filtering
There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This
feature silently discards both incoming and outgoing BPDUs. Although extremely efficient against a brute-force
DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot.

www.orhanergun.net
Countermeasure - 3

Layer 2 PDU Rate Limiter


Available only on certain switches, such as the Supervisor Engine 720 for the Catalyst 6500, a third option to
stop the DoS from causing damage exists. It takes the form of a hardware-based Layer 2 PDU rate limiter. It
limits the number of Layer 2 PDUs (BPDUs, DTP, Port Aggregation Protocol [PAgP], CDP, VTP frames) destined
for the supervisor engine’s processor.
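The countermeasures for attacks 1 and 2 (root guard, BPDU guard, BPDU filtering, the Sup720 PDU rate limiter) combined in one Cisco IOS configuration, added here as an example and not taken from the course; interface ranges, the rate-limiter values and the recovery interval are assumed values:

```cisco
! Countermeasures from this section as a Cisco IOS configuration.
! Interface ranges and numeric values are assumed.
!
! BPDU guard on every PortFast (access) port: the first BPDU from a host
! running Yersinia err-disables the port, so neither a root takeover nor a
! config/TCN BPDU flood can enter the STP domain from there.
spanning-tree portfast bpduguard default
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
!
! Root guard on the downlinks of a distribution switch toward the access
! layer: a superior BPDU arriving from below puts the port into the
! root-inconsistent state instead of re-rooting the tree.
interface range GigabitEthernet0/1 - 2
 spanning-tree guard root
!
! Bring err-disabled ports back automatically after 5 minutes so that a
! one-off BPDU does not need a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Countermeasure 3 (Catalyst 6500 Sup720 only): hardware rate limiter for
! Layer 2 PDUs punted to the supervisor, here 1000 pps with a burst of 10.
mls rate-limit layer2 pdu 1000 10
!
! BPDU filtering silently drops BPDUs in both directions; enable it only on a
! port where no switch can ever appear, because STP would no longer detect a
! loop introduced there. Left commented out on purpose.
! interface FastEthernet0/5
!  spanning-tree bpdufilter enable
!
! Verification: root-inconsistent ports, guard summary, err-disabled ports.
show spanning-tree inconsistentports
show spanning-tree summary
show interfaces status err-disabled
```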

www.orhanergun.net
Attacking the Spanning Tree Protocol

Attack 3: DoS Using a Flood of TCN BPDUs
Closely resembling the previous attack, this attack continuously generates TCN BPDUs, forcing the root bridge
to acknowledge them. What’s more, all bridges down the tree see the TC-ACK bit set and accordingly adjust
their forwarding table’s timers; this results in a wider impact on the switched network. When the TC bit is set
in BPDUs, switches adjust their bridging table’s aging timer to forward_delay seconds. The protection is the
same as before: BPDU-guard or filtering.

www.orhanergun.net
Attacking the Spanning Tree Protocol
Attack 4: Simulating a Dual-Homed Switch
Yersinia can take advantage of computers equipped with two Ethernet cards to masquerade as a dual-homed
switch.

www.orhanergun.net
VLAN Hopping by Switch Spoofing
An attacker tricks a network switch into believing that it is a legitimate switch on the network needing
trunking.
Auto trunking allows the rogue station to become a member of all VLANs.

www.orhanergun.net
Spoofing the DHCP Server
An attacker activates a DHCP server on a network segment. The client broadcasts a request for DHCP
configuration information. The rogue DHCP server responds before the legitimate DHCP server can respond,
assigning attacker-defined IP configuration information. Host packets are redirected to the attacker address as
it emulates a default gateway for the erroneous DHCP address provided to the client.

www.orhanergun.net
Exploiting IPv4 ARP
Gratuitous ARP
When ARP was designed, the Ethernet adapters were not reliable. Then, when a host had a new MAC address
because its Ethernet adapter was replaced, it should have sent an unsolicited ARP reply to force an update on
all ARP tables in the other hosts. Below, host B changes its MAC address to 0000.BABE.0000 and sends an
unsolicited ARP reply to the broadcast address FFFF.FFFF.FFFF to tell hosts on the Ethernet segment to change
their binding for host B.

www.orhanergun.net
Risk Analysis for ARP
No authentication. Host B does not sign the ARP reply, and there is no integrity provided to the ARP reply.

Information leak. All hosts in the same Ethernet VLAN learn the mapping of host A. Moreover, they discover
that host A wants to talk to host B.

www.orhanergun.net
Risk Analysis for ARP

Availability issue. All hosts in the same Ethernet LAN receive the ARP request (sent in a broadcast frame) and
have to process it. A hostile attacker could send thousands of ARP request frames per second, and all hosts on
the LAN have to process these frames. This wastes network bandwidth and CPU time.

www.orhanergun.net
Mitigating an ARP Spoofing Attack
An ARP spoofing attack is severe because it breaks the wrong—but widespread—assumption that sniffing is
not possible in a switched environment.

To mitigate an ARP spoofing attack, use the following three options:

• Layer 3 switch. Can leverage the official mapping learned from DHCP and can later drop all spoofed ARP
replies based on the official mapping.
• Host. Can ignore the gratuitous ARP packets.
• Intrusion detection systems (IDS). Can keep states about all mappings and detect whether someone tries
to change an existing mapping.
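The first option above (a Layer 3 switch dropping ARP replies that contradict the mapping learned from DHCP) is what Cisco Catalyst switches implement as DHCP snooping plus Dynamic ARP Inspection; the same snooping trust boundary also stops the rogue DHCP server from the earlier slide. Added here as an example, not from the course; VLAN, interface and address values are assumed:

```cisco
! DHCP snooping builds the IP-to-MAC binding table; Dynamic ARP Inspection
! (DAI) enforces it. VLAN, interface and address values are assumed.
!
! Only the trusted uplink may source DHCP server replies (OFFER/ACK), which
! also defeats a rogue DHCP server on an access port.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! DAI: check every ARP packet in VLAN 10 against the binding table, and check
! that the Ethernet header agrees with the sender/target fields in the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description uplink toward the legitimate DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Untrusted access ports: rate-limit DHCP and ARP to contain the flooding
! described under "Availability issue"; exceeding the limit err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
errdisable recovery cause arp-inspection
!
! Hosts with static addresses have no DHCP binding and need an ARP ACL;
! host B's new MAC from the gratuitous-ARP slide is used with an assumed IP.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.20 mac host 0000.babe.0000
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification: bindings, per-VLAN configuration, and drop counters.
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

A spoofed gratuitous ARP reply from an untrusted port then shows up as a "DHCP snooping bindings" or "ARP ACL" drop in the statistics output together with a %SW_DAI syslog message, which is the event to alert on.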

www.orhanergun.net
IEEE 802.1AE

IEEE 802.1AE is a standards-based Layer 2 encryption specification, enabling wire-rate encryption at gigabit
(Gb) speeds. It provides for cryptographic confidentiality and integrity of all communications (that is, control,
data, and management frames) between two adjacent 802.1AE-capable Layer 2 Ethernet ports.

www.orhanergun.net
Shadow User in 802.1x Authentication

www.orhanergun.net
Shadow hosts blocked by 802.1AE

www.orhanergun.net
Thank You !!!

www.orhanergun.net
IPv6 Security

www.orhanergun.net
IPv6 Security Myths

Reason:
• RFC 4294 - IPv6 Node Requirements: IPsec MUST

Reality:
• RFC 6434 - IPv6 Node Requirements: IPsec SHOULD
• IPsec available. Used for security in IPv6 protocols

www.orhanergun.net
IPv6 Security Myths

Reason:
• End-2-End paradigm. Global addresses. No NAT

Reality:
• Global addressing does not imply global reachability
• You are responsible for reachability (filtering)

www.orhanergun.net
IPv6 Security Myths

Reason:
• Common LAN/VLAN use /64 network prefix
• 18,446,744,073,709,551,616 hosts

Reality:
• Brute force scanning is not possible [RFC5157]
• New scanning techniques

www.orhanergun.net
IPv6 Security Myths

Reason:
• Lack of knowledge about IPv6

Reality:
• There are tools, threats, attacks, security patches, etc.
• You have to be prepared for IPv6 attacks

www.orhanergun.net
IPv6 Security Myths

Reason:
• Routing and switching work the same way

Reality:
• Whole new addressing architecture
• Many associated new protocols

www.orhanergun.net
IPv6 Security Myths

Reason:
• Q: “Does it support IPv6?”
• A: “Yes, it supports IPv6”

Reality:
• IPv6 support is not a yes/no question
• Features missing, immature implementations, interoperability
issues

www.orhanergun.net
IPv6 Security Myths

Reason:
• Networks only designed and configured for IPv4

Reality:
• IPv6 available in many hosts, servers, and devices
• Unwanted IPv6 traffic. Protect your network

www.orhanergun.net
IPv6 Security Myths

Reason:
• Considering IPv6 completely different than IPv4
• Think there are no BCPs, resources or features

Reality:
• Use IP independent security policies
• There are BCPs, resources and features

www.orhanergun.net
Conclusions

• IPv6 is not more or less secure than IPv4

• Knowledge of the protocol is the best security measure

www.orhanergun.net
IPv6 Header #1

www.orhanergun.net
IPv6 Header #1

IP spoofing:
Using a fake IPv6 source address

Solution:
ingress filtering and RPF

www.orhanergun.net
IPv6 Header #2

www.orhanergun.net
IPv6 Header #2

Covert Channel:
Using Traffic Class and/or Flow Label

Solution:
Inspect packets (IDS / IPS)

www.orhanergun.net
IPv6 Extension Headers

www.orhanergun.net
Extension Headers properties

Flexibility means complexity

Security devices / software must process the full chain of headers

Firewalls must be able to filter based on Extension Headers

www.orhanergun.net
IPSec

www.orhanergun.net
IPsec Modes

www.orhanergun.net
Security Tips
Use IPS/IDS to detect scanning

Filter packets where appropriate

Be careful with routing protocols

Use "default" /64 size IPv6 subnet prefix

www.orhanergun.net
ICMPv6

www.orhanergun.net
ICMPv6 Error Messages

www.orhanergun.net
MLD (Multicast Listener Discovery)
1.Multicast related protocol, used in the local link
2.Two versions: MLDv1 and MLDv2
3.Uses ICMPv6
4.Required by NDP and “IPv6 Node Requirements”
5.IPv6 nodes use it when joining a multicast group

www.orhanergun.net
MLDv1

www.orhanergun.net
MLDv1

www.orhanergun.net
MLDv2

Mandatory for all IPv6 nodes [RFC8504]

Interoperable with MLDv1

Adds Source-Specific Multicast filters:
- Only accepted sources
- Or all sources accepted except specified ones

www.orhanergun.net
MLDv2

www.orhanergun.net
MLD Threat
Flooding of MLD messages

www.orhanergun.net
MLD Threat
Flooding of MLD messages

www.orhanergun.net
MLD Threat
Traffic amplification

www.orhanergun.net
MLD Threat
Traffic amplification

www.orhanergun.net
IPv6 DNS Configuration Attacks
Depending on answers to DNS queries

www.orhanergun.net
DHCPv6

www.orhanergun.net
DHCPv6

www.orhanergun.net
Routing Protocol Neighbours Authentication

www.orhanergun.net
Securing Routing Updates
IPsec is a general solution for IPv6 communication
- In practice not easy to use

OSPFv3 specifically states [RFC4552]:
1. ESP must be used
2. Manual Keying
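The two RFC 4552 requirements (ESP, manual keying) applied on a Cisco IOS router, added here as an example and not taken from the course; the interface, prefix and SPI are assumed values and the keys are placeholders that both neighbours would have to share:

```cisco
! OSPFv3 neighbour protection with ESP and manual keying (RFC 4552).
! Both routers on the link configure the same SPI, algorithms and keys.
! Interface, prefix and SPI are assumed; the keys are placeholders
! (aes-cbc 128 takes 32 hex digits, sha1 takes 40 hex digits).
interface GigabitEthernet0/0
 ipv6 address 2001:db8:12::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf encryption ipsec spi 1000 esp aes-cbc 128 <32-HEX-KEY-PLACEHOLDER> sha1 <40-HEX-KEY-PLACEHOLDER>
!
! The same command is also accepted per area under "ipv6 router ospf 1" as
! "area 0 encryption ipsec spi ...", with an interface setting taking precedence.
!
! Verification: the interface must list the encryption SPI, the neighbour
! must reach FULL, and the manual SA must show packets on both directions.
show ipv6 ospf interface GigabitEthernet0/0
show ipv6 ospf neighbor
show crypto ipsec sa
```

With a mismatched key on one side the adjacency simply never forms, and show crypto ipsec sa shows the received counter climbing with no corresponding decrypts, which is the first thing to check.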

www.orhanergun.net
Filtering in IPv6

• Filtering IPv6 traffic is very important!
• Global Unicast Addresses
• A good addressing plan

www.orhanergun.net
DDoS factors related with IPv6

www.orhanergun.net
DDoS factors related with IPv6

www.orhanergun.net
Temporary solution…

www.orhanergun.net
Thank You !!!

www.orhanergun.net
IEEE 802.1x Authentication

www.orhanergun.net
What is 802.1x Authentication

• Standard set by the IEEE 802.1 working group.
• Describes a standard link layer protocol used for transporting higher-level authentication protocols.
• Works between the Supplicant and the Authenticator.
• Maintains backend communication to an Authentication Server.

www.orhanergun.net
802.1x Terminologies

Supplicant – Client
Authenticator – Network Access Device
Authentication Server – AAA/RADIUS/TACACS+

www.orhanergun.net
How It Works
Transport authentication information in the form of Extensible Authentication Protocol (EAP) payloads.

The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an
authentication server by using RADIUS to carry the EAP information.

www.orhanergun.net
Radius
RADIUS – The Remote Authentication Dial In User Service

A protocol used to communicate between a network device and an authentication server or database.

Allows the communication of login and authentication information, e.g., username/password, OTP, etc.

Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).

www.orhanergun.net
802.1x Model

www.orhanergun.net
802.1x Model
RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS
server)

RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
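The authenticator side of the model above as a Cisco IOS switch configuration (the switch relays EAP to the RADIUS server and applies the AV pairs it gets back), added here as an example and not taken from the course; server address, shared secret and interface are assumed values:

```cisco
! Authenticator (switch) configuration for 802.1X. The switch relays EAP from
! the supplicant to the RADIUS server and applies the returned AV pairs.
! Server address, shared secret and interface are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server AUTH-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! Enable 802.1X globally; nothing is enforced until a port is set to "auto".
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification: EAP method negotiated, session state, and the RADIUS
! AV pairs (for example a VLAN assignment) applied to the session.
show dot1x interface GigabitEthernet1/0/1 details
show authentication sessions interface GigabitEthernet1/0/1 details
show radius statistics
```

Machine authentication as described on the next slides needs no extra switch configuration: the Windows supplicant presents the machine identity during boot and the RADIUS server decides what that identity is allowed.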

www.orhanergun.net
What is Machine Authentication?

The ability of a Windows workstation to authenticate under its own identity, independent of the requirement
for an interactive user session.

www.orhanergun.net
What is Machine Authentication used for?

Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows
Domain Controllers in order to pull down machine group policies.

www.orhanergun.net
Why do we care about Machine
Authentication?
Pre-802.1x this worked under the assumption that network connectivity was a given. Post-802.1x the blocking of
network access prior to 802.1x authentication breaks the machine based group policy model – UNLESS the
machine can authenticate using its own identity in 802.1x .

www.orhanergun.net
What is EAP?

EAP – The Extensible Authentication Protocol

A flexible protocol used to carry arbitrary authentication information.

www.orhanergun.net
EAP

www.orhanergun.net
EAP Methods for Client – EAP-TLS

EAP-TLS (Transport Layer Security) – default setting for 802.1x client in Windows

www.orhanergun.net
EAP Methods for Client – EAP-PEAP

PEAP (Protected EAP) allows an inner method:
– TLS (certificate based)
– Microsoft Challenge Handshake Authentication Protocol v2 (MSCHAPv2) (password based)

www.orhanergun.net
EAP Methods for Client – EAP-MD5

EAP-MD5 – available for wired networks only
– Doesn’t provide an encrypted session between supplicant and authenticator
– Transfers password hashes in the clear

www.orhanergun.net
EAP with MD5

www.orhanergun.net
802.1x with EAP-TLS – Local Store
Certificate
• Uses both user and computer certificates
• Certificates deployed through autoenrollment, Web enrollment,
certificate import, or manual request using the Certificates snap-in
• Local computer store is always available
• The user store (for a current user) is only available after a successful
user logon

www.orhanergun.net
802.1x with EAP-TLS – Smart Card
Certificate
User must enter a PIN to access the certificate on the smart card.
– PIN input is not required again on subsequent reauthentication tries, such as a session time-out or
roaming on wireless networks.
– When roaming out of range and back in range, the user will be re-prompted for the PIN.

Managing user certificates stored on local hard drives can be difficult, and some users may move among
computers.

www.orhanergun.net
802.1x with PEAP MSCHAPv2
• Password-based authentication – not all networks have a PKI
deployment.
• Single sign-on (SSO).
• Enables both machine and user authentication.
• Windows logon credentials can be automatically used (default
setting), or credentials can be provided by user.

www.orhanergun.net
802.1x Port based network access control
• Falls under 802.1 NOT 802.11
• This is a NETWORK standard, not a wireless standard
• Is PART of the 802.11i draft
• Provides Network Authentication, NOT encryption

www.orhanergun.net
Thank You !!!

www.orhanergun.net
Chapter- 2: Quality of
Service

www.orhanergun.net
Quality of Service
QoS is the ability of a network to support applications without limiting their function or performance.

ITU-T E.800: Quality of Service is an overall result of service performance, which determines the level of
service user satisfaction.

www.orhanergun.net
What influences QoS ?
Every network component influences QoS:

• End stations (workstations, servers, …)
• Routers, switches
• Links, including links between routers and stub LANs

www.orhanergun.net
Parameters of QoS

• bandwidth
• delay
• delay variation (Jitter)
• packet loss

www.orhanergun.net
QoS Evolution
(Figure: timeline from 199x to 200x, earliest first)
1. Best Effort IP Model
2. Integrated Services Model
3. Differentiated Services Model
4. DiffServ-Aware Traffic Engineering (DS-TE) & L2 VPN QoS
5. QoS Intelligence & Automation
www.orhanergun.net
Network-Based Application Recognition
“My application is too slow!”

• Intelligent Classification Engine used in conjunction with QoS class-based features
• Protocol Discovery analyzes application traffic patterns in real time and discovers which traffic is running
on the network

Example link utilization reported by Protocol Discovery: Citrix 25%, Netshow 15%, Fasttrack 10%, FTP 30%,
HTTP 20%
Resulting policy: mark Citrix as interactive traffic and police FTP. Guarantee bandwidth for Citrix!

www.orhanergun.net
NBAR Benefit Footprint and Hardware Support

Benefits (across Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation and Service
Provider Core Edge):
• Application classification
• Precise QoS treatment
• Application statistics for bandwidth provisioning
• Top-n views
• Threshold settings
• Mapping applications to an SP’s service offering

Hardware support by deployment point:
• Enterprise Backbone: Cisco Catalyst 6500 and 7600 Series (MSFC, planned ASIC); Cisco 7100, 7200, and
7500 Series; Cisco 83x, 1700, 2600-2600XM, 3600, and 3700 Series
• Enterprise Premise Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC); Cisco
7100, 7200, and 7500 Series
• Service Provider Aggregation: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC);
Cisco 7500 Series
• Service Provider Core Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC)

www.orhanergun.net
NBAR – Intelligent Classification
• IP packet classifier that is capable of classifying applications that have:
• Statically assigned TCP and UDP port numbers
• Non-TCP and non-UDP IP protocols
• Dynamically assigned TCP and UDP port numbers during connection establishment
• Classification based on deep packet inspection – NBAR’s ability to look deeper into the packet to identify
applications
• HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ]), Citrix ICA traffic, RTP
payload type classification

• Currently supports 88 protocols/applications

www.orhanergun.net
Cisco AutoQoS Uses Intelligence to Automate

• Automation makes it simpler to:
• Get a quick start on QoS deployment
• Deploy QoS in the most common business scenarios
• Reduce operator and configuration errors
• Gain visibility into network & application performance
• Simpler implies faster and cheaper
• Example scenario: I need to add VoIP to my network
- Where do I begin for QoS on the network?
- On what should I monitor and report?
• Cisco AutoQoS drastically reduces learning, designing, and configuration

www.orhanergun.net
Cisco AutoQoS–VoIP
Automatic QoS for VoIP Traffic

• LAN & WAN - Routers & Switches
• Configures each switch or router
• One single command enables Cisco QoS for VoIP on a given port, interface or PVC

One command on the interface:
interface Serial0
 bandwidth 256
 ip address 10.1.61.1 255.255.255.0
 auto qos voip

Configuration generated by AutoQoS:
interface Multilink1
 ip address 10.1.61.1 255.255.255.0
 ip tcp header-compression iphc-format
 load-interval 30
 service-policy output QoS-Policy
 ppp multilink
 ppp multilink fragment-delay 10
 ppp multilink interleave

www.orhanergun.net
QoS Deployment for VoIP
Consistent, end-to-end QoS for VoIP

Access Layer:
• Classification & Trust Boundary
• Marking / Remarking
• Egress Queue Scheduling
• Buffer Management

WAN:
• Intelligent Classification
• Bandwidth Provisioning
• Admission Control
• Shaping
• Link Fragmentation & Interleaving
• Header Compression

Distribution Layer:
• Layer 3 Policing
• Egress Scheduling (Multiple Queues with WRR)
• Priority Queuing for VoIP
• Buffer Management

Cisco AutoQoS-VoIP Framework
DiffServ functions automated; fine tuning of AutoQoS-generated parameters by the user, if desired

DiffServ function / QoS feature / behavior:
• Classification: NBAR, DSCP, port. Classification of VoIP based on packet attributes or port trust
• Marking: class-based marking. Set L3 / L2 attributes to categorize packets into a class
• Congestion Management: percentage-based LLQ, WRR. Provide EF treatment to voice & BE treatment to
data
• Shaping: class-based shaping or FRTS. Shape to CIR to prevent bursts & smooth traffic to the configured
rate
• Link Efficiency Mechanism: header compression. Reduce the VoIP bandwidth requirement
• Link Efficiency Mechanism: link fragmentation & interleaving. Reduce jitter experienced by voice packets

www.orhanergun.net
Cisco AutoQoS-VoIP
Functionality & Benefits – WAN

• Auto-determination of Wide-Area Network (WAN) Settings: automatic determination of WAN settings for
fragmentation and interleaving, compression, encapsulation, and Frame Relay-ATM interworking.
Eliminates the need to understand QoS theory and design practices in common deployment scenarios.
• Initial Policy Generation: provides users an advanced starting point for VoIP deployments. This reduces
the time needed to establish an initial feasible QoS policy solution that includes providing QoS to VoIP
bearer traffic, signaling traffic, and best-effort data.
• Traps & Reporting: Syslog & SNMP traps provide visibility into the Classes of Service deployed, and
notification of abnormal events such as VoIP packet drops.
• Intelligent Classification of Network Traffic: using Cisco Network Based Application Recognition (NBAR)
for deep and stateful packet inspection, this feature can identify VoIP bearer and control traffic.
Simplifies QoS configurations by reducing – and in some cases eliminating – the need for Access Control
Lists (ACLs).

www.orhanergun.net
Cisco AutoQoS-VoIP
Functionality & Benefits – LAN

• Simplified Configuration: in one command, Cisco AutoQoS configures the port to prioritize voice traffic
without affecting other network traffic. Includes the flexibility to tune Cisco AutoQoS settings for unique
network requirements.
• Automated and Secure: automatically detects Cisco IP Phones and enables Cisco AutoQoS settings
(Catalyst 2950 & 3550). Prevents malicious activity by disabling QoS settings when a Cisco IP phone is
relocated/moved.
• Optimal VoIP Performance: leverages decades of networking experience, extensive lab performance
testing, and input from a broad base of customer AVVID installations to determine the optimal QoS
configuration for typical VoIP deployments. Uses all advanced QoS capabilities of the Cisco Catalyst
switches.
• End-to-End Interoperability: designed to work in harmony with the Cisco AutoQoS settings on all other
Cisco switches and routers, ensuring consistent end-to-end QoS.

www.orhanergun.net
Not to Forget….
Human Error is the Most Significant Contributor to Downtime

(Figure: breakdown of downtime causes)
• Operational Errors 40%: change management, process consistency
• Network / platform problems 20%: the network, operating system or hardware
• Software Application 40%: application bugs (e.g., DNS), misconfiguration

AutoQoS reduces the potential for operator error.
Source: Gartner Group, CNET News.com Jan 26, 2001
www.orhanergun.net
Understanding the Complete Cisco QoS Picture

(Figure: layered view of the Cisco QoS picture, top to bottom)
• Voice, Video and Data applications
• Cisco AutoQoS
• CLI and CiscoWorks QoS Policy Manager
• Cisco Modular QoS CLI (MQC – The User Language)
• Cisco QoS Features
• Cisco IOS Software or Cisco Catalyst OS
• Cisco Router or Switch

www.orhanergun.net
QoS Mechanisms - Marking

What is Marking?

The QoS component that "colors" a packet (frame) so it can be identified and distinguished from other
packets (frames) in QoS treatment. Once the packet is classified into a specific service class, marking the
packet header allows the core networking elements to apply the appropriate QoS technologies to the packet
in an efficient manner.

www.orhanergun.net
QoS Mechanisms - Marking

Marking Tools

Class of Service (ISL, 802.1p)
IP Precedence
DSCP
PHB

www.orhanergun.net
Marking Techniques
There exist multiple packet marking techniques including:

Layer 3:
IPv4 IP Precedence Field
IPv4 DiffServ Differentiated Services Field
IPv6 DiffServ Differentiated Services Field

Layer 2:
MPLS Exp/CoS Field
802.1d (802.1p+q) User Priority Field
ISL User Priority Field

www.orhanergun.net
Marking Techniques

Layer 2 versus Layer 3 Marking

Layer 2 Ethernet Class of Service (CoS) settings (802.1q header)
• Three bits allow for 7 levels of classification
• These levels directly correspond to IPv4 ToS values

www.orhanergun.net
IP Precedence and DiffServ Code Points

www.orhanergun.net
IP Precedence and DiffServ Code Points
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are
unused
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the
remaining two bits are used for flow control
• DSCP is backward-compatible with IP Precedence; an instance of DSCP is a Per Hop Behavior (PHB)

www.orhanergun.net
QoS Mechanisms - Congestion
What is Congestion?

When the offered load exceeds the capacity of a data communication path, the resulting situation is called
congestion. Congestion can occur at any point in the network where there are speed mismatches or link
aggregations.

www.orhanergun.net
QoS Mechanisms - Congestion
Congestion Tools
• Congestion Management: done by queuing packets
• Congestion Avoidance: done by dropping packets
The Impact of Congestion
• Packet queues at links start to grow…
• Packets start dropping
• Sources start re-transmitting
Congestion Management
- Is done by queuing
- Queuing algorithms manage the front (scheduling) of a queue
- These algorithms control:
  - the order in which the packets are sent
  - the usage of the router’s buffer space
Congestion Management
- Queuing Algorithms:
  - First In First Out (FIFO)
  - Priority Queuing (PQ)
  - Custom Queuing (CQ)
  - Weighted Fair Queuing (WFQ)
  - Class-Based WFQ (CBWFQ)
  - PQ-CBWFQ (LLQ)
  - PQ-WFQ (IP RTP Priority)
Queuing Algorithms – Class Based Weighted Fair Queuing (CBWFQ)

Combines the capability to guarantee bandwidth (from CQ) with the capability to dynamically ensure fairness to other flows within a class of traffic (from WFQ).
Queuing Algorithms – Class Based Weighted Fair Queuing (CBWFQ)

In WFQ, bandwidth allocations change continuously as flows are added/ended.

CBWFQ adds a level of administrator control to the WFQ process; the administrator can control how packets are classified.
Queuing Algorithms – Priority Queuing-WFQ (PQ-WFQ)
- Also known as IP RTP Priority Queuing
- Used to prioritise voice traffic (on FR, PPP)
- Creates a priority queue (weight=0) + BW limit
- Essentially gives the router two WFQ systems, one for normal traffic and another for voice
- Voice is serviced as strict priority in preference to other non-voice traffic.
Queuing Algorithms – Low Latency Queuing (LLQ)
- Also known as Priority Queuing – CBWFQ
- Provides a single priority queue, like PQ-WFQ
- Guaranteed bandwidth for different traffic classes can be configured
- LLQ specifies the maximum bandwidth in Kbps that a flow is assured under congestion, as opposed to the minimum bandwidth guaranteed by CBWFQ
- Multiple priority classes are all enqueued in a single priority queue but policed and rate limited individually
- Guarantees bandwidth and restrains the flow of packets from the priority class, ensuring non-priority packets are not bandwidth starved
Congestion Avoidance

• Congestion avoidance mechanisms are complementary to (and dependent on) queuing algorithms.
• Queuing algorithms manage the front of a queue, while congestion avoidance mechanisms manage the tail of the queue.
• Congestion Avoidance Tools:
  - Tail Drop
  - RED
  - WRED

The Need for Congestion Avoidance: Active Queue Management (AQM)

• Dropping can occur in the edge or core due to policing or buffer exhaustion
• If a queue fills up, all packets at the tail end of the queue get dropped; this is called tail-drop
• Tail-drop results in simultaneous TCP window shrinkage of a large number of sessions, resulting in “global synchronization”
• Manage queue lengths by dropping packets when congestion is building up
• Works best with TCP-based applications, as selective dropping of packets causes the TCP windowing mechanisms to 'throttle-back' and adjust the rate of flows to manageable rates.
Congestion Avoidance – Random Early Detection (RED)

[Figure: arriving packets, the queue, and the queue pointer]

• The basic RED mechanism is to randomly drop packets before the buffer is completely full
• Depending on the average queue length, the drop probability is calculated
RED – Functional Description

• When a packet arrives, the following events occur:
  - The average queue size is calculated
  - If the average is less than the minimum queue threshold, the arriving packet is queued
  - If the average is between the minimum queue threshold and the maximum threshold, the packet is either dropped or queued, depending on the packet drop probability
  - If the average queue size is greater than the maximum threshold, the packet is automatically dropped
RED – Functional Description (Contd.)

[Figure: Case 1, average queue length < min. threshold; value plotted against average queue length, with min thresh and max thresh marked]

RED – Functional Description (Contd.)

[Figure: Case 2, average queue length between min. and max. threshold; arriving packets are dropped with probability p and queued with probability 1-p]
Advantages of RED

• Goal of congestion avoidance by controlling the average queue length
• The time scale from marking of a packet to the actual reduction in arriving packets is set appropriately
• Avoidance of global synchronization is achieved by:
  - Randomness: by randomly choosing which packets to drop, we do not drop all packets at the same time and hence do not cause all flows to back off synchronously
  - Low drop rate: RED begins to drop as soon as the min. threshold is exceeded, and the first levels of drops are pretty low, so that only a few flows (statistically the more bandwidth-demanding flows) will get dropped and be obliged to back off.
• The proportion of marked packets in a connection is relative to its bandwidth share
Drawbacks of RED

• Packet loss rate independent of the bandwidth usage (completely random)
• Unfair link sharing can occur:
  - Even a low-bandwidth TCP connection observes packet loss, which prevents it from using its fair share of bandwidth
  - A non-adaptive flow can increase the drop probability of all the other flows by sending at a fast rate
• The calculation of the average queue length for every packet arrival is computationally intensive
Weighted Random Early Detection (WRED)

• WRED combines RED with IP Precedence to implement multiple service classes
• Each service class has defined min and max thresholds, and drop rates
• In a congestion situation, lower-class traffic can be throttled back first, before higher-class traffic
• RED is applied to all levels of traffic to manage congestion
WRED Attributes for Multiple Service Levels

[Figure: packet discard probability plotted against average queue depth; a standard service profile (low-priority traffic) and a premium service profile (high-priority traffic), each with an adjustable slope; marked thresholds are the standard minimum, the premium minimum, and a shared standard-and-premium maximum. Two service levels are shown; up to six can be defined]
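The RED decision steps from "RED – Functional Description" and the per-precedence profiles of WRED, as one added example that is not part of the course material. Assumed details (also labelled in the code): the average queue size is the exponentially weighted moving average from the original RED paper by Floyd and Jacobson, the drop probability rises linearly from 0 at the minimum threshold to 1/denominator at the maximum threshold (the way Cisco's mark probability denominator expresses it), the EWMA weight defaults to 2^-9, and the random source is pluggable so the decisions can be checked deterministically.

```python
import random
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class RedProfile:
    """Thresholds for one service class, in packets. The drop probability
    reaches 1/mark_denominator when the average queue size hits max_threshold."""
    min_threshold: int
    max_threshold: int
    mark_denominator: int = 10

    def __post_init__(self):
        if not 0 <= self.min_threshold < self.max_threshold:
            raise ValueError("need 0 <= min_threshold < max_threshold")
        if self.mark_denominator < 1:
            raise ValueError("mark_denominator must be >= 1")


class FixedRandom:
    """Deterministic stand-in for random.Random, for repeatable checks."""
    def __init__(self, value: float):
        self.value = value

    def random(self) -> float:
        return self.value


@dataclass
class WredQueue:
    """One WRED-managed queue: a RED profile per IP Precedence value."""
    profiles: Dict[int, RedProfile]
    weight: float = 1 / 512      # EWMA weight; assumption: Cisco's default exponent of 9 gives 2^-9
    rng: object = field(default_factory=random.Random)
    avg: float = 0.0             # average queue size
    depth: int = 0               # instantaneous queue size
    dropped: int = 0

    def drop_probability(self, precedence: int) -> float:
        """Steps 2-4 of the slide: below min -> 0, above max -> 1, between ->
        a linear ramp toward 1/mark_denominator (assumed Cisco-style ramp)."""
        p = self.profiles[precedence]
        if self.avg < p.min_threshold:
            return 0.0
        if self.avg > p.max_threshold:
            return 1.0
        ramp = (self.avg - p.min_threshold) / (p.max_threshold - p.min_threshold)
        return ramp / p.mark_denominator

    def arrive(self, precedence: int) -> bool:
        """Process one arrival. Returns True if queued, False if dropped."""
        # Step 1: recompute the average queue size (EWMA over the current depth)
        self.avg = (1.0 - self.weight) * self.avg + self.weight * self.depth
        prob = self.drop_probability(precedence)
        if prob >= 1.0 or (prob > 0.0 and self.rng.random() < prob):
            self.dropped += 1
            return False
        self.depth += 1
        return True

    def depart(self, count: int = 1) -> None:
        """The scheduler took packets off the front of the queue."""
        self.depth = max(0, self.depth - count)


# Constructed profiles: precedence 0 is throttled first (lower minimum threshold),
# precedence 5 is protected until the queue is deeper, as the WRED slide describes.
SAMPLE_PROFILES = {0: RedProfile(20, 40, 10), 5: RedProfile(35, 40, 10)}


def simulate_burst(arrivals: int, precedence: int, rng) -> WredQueue:
    """Offer `arrivals` back-to-back packets with no departures. weight=1 makes
    the average track the instantaneous depth, so the outcome is exact."""
    q = WredQueue(SAMPLE_PROFILES, weight=1.0, rng=rng)
    for _ in range(arrivals):
        q.arrive(precedence)
    return q
```

With FixedRandom(0.99) nothing is dropped until the average passes the maximum threshold; with FixedRandom(0.0) the first packet above the minimum threshold is dropped, which brackets the two sides of step 3.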
QoS Mechanisms - Policing

• Limits traffic flow to a configured bit rate.
• Drops or remarks out-of-profile packets.

[Figure: Web, ERP and Other traffic classes in the direction of traffic flow]
QoS Mechanisms - Shaping

• Regulates traffic flow to an average or peak bit rate.
• Commonly used where speed mismatches exist.

[Figure: central site and branch office connected across an FR/ATM WAN with a T1/E1 link on one side and a 128 Kbps link on the other; the 128 Kbps link is the bottleneck, and shaping is applied in the direction of traffic flow]
Traffic Policing vs. Shaping

[Figure: two panels, Traffic Policing and Traffic Shaping, each plotting traffic rate against time before and after the mechanism]
Traffic Policing vs. Shaping #1

                            Policing                                 Shaping
Where applicable            Ingress, egress                          Egress only
Buffers excess              No                                       Yes
Smooths output rate         No                                       Yes
Optional packet remarking   Yes                                      No
Advantages                  Controls output rate through drops.      Less likely to drop excess packets.
                            Avoids delays due to queuing.            Avoids TCP retransmissions.
Disadvantages               Drops can lead to TCP retransmits.       Queuing adds delay (and jitter).
Traffic Policing vs. Shaping #2

                            Policing                                 Shaping
Token refresh rate          Continuous, based on the formula 1/CIR   Incremented at the start of a time interval.
                                                                     Requires a minimum number of intervals.
Token values                Configured in bytes.                     Configured in bits per second.

• Both shaping and policing use the token bucket metaphor.
• A token bucket has no discard or priority policy.
• Shaping and policing differ in the rate at which tokens are replenished.
Leaky Bucket With Shaping

• Start with a bucket without tokens.
• Tokens can be added at a bursty rate.
• Tokens are leaked at a specified constant rate.

[Figure: incoming packet rate with a max burst above the average rate; tokens leak from the bucket at the configured average rate]
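The contrast drawn in the two tables above, as an added example that is not part of the course material: a single-rate policer (tokens refilled continuously at CIR, out-of-profile packets dropped, nothing buffered) beside a shaper (Bc tokens credited at the start of each interval Tc = Bc/CIR, out-of-profile packets queued and delayed). Assumptions, labelled in the code: a single bucket of size Bc with no excess burst, sizes in bytes, CIR in bits per second, time in seconds, and a constructed five-packet burst as input.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    arrival: float   # seconds
    size: int        # bytes


def police(packets: List[Packet], cir_bps: int, bc_bytes: int) -> List[Tuple[Packet, str]]:
    """Single-rate policer: tokens refill continuously at CIR, capped at Bc.
    Returns (packet, 'conform'|'exceed'); 'exceed' means drop or remark,
    because a policer never buffers."""
    tokens = float(bc_bytes)      # bucket starts full
    last = 0.0
    verdicts = []
    for p in sorted(packets, key=lambda x: x.arrival):
        # elapsed time * CIR, converted from bits to bytes
        tokens = min(float(bc_bytes), tokens + (p.arrival - last) * cir_bps / 8)
        last = p.arrival
        if p.size <= tokens:
            tokens -= p.size
            verdicts.append((p, "conform"))
        else:
            verdicts.append((p, "exceed"))
    return verdicts


def shape(packets: List[Packet], cir_bps: int, bc_bytes: int) -> List[Tuple[Packet, float]]:
    """Shaper: the bucket is refilled to Bc at the start of every interval Tc.
    Nothing is dropped; a packet that finds too few tokens waits in FIFO order
    until the next interval starts. Returns (packet, send_time)."""
    tc = bc_bytes * 8 / cir_bps   # interval length in seconds
    tokens = float(bc_bytes)
    interval = 0                  # index of the interval whose tokens are loaded
    clock = 0.0
    sent = []
    for p in sorted(packets, key=lambda x: x.arrival):
        if p.size > bc_bytes:
            raise ValueError("a packet larger than Bc can never conform")
        clock = max(clock, p.arrival)    # FIFO: cannot leave before the one ahead
        while True:
            current = int(clock // tc)
            if current > interval:       # a new interval started: fresh Bc tokens
                tokens = float(bc_bytes)
                interval = current
            if p.size <= tokens:
                tokens -= p.size
                sent.append((p, clock))
                break
            clock = (interval + 1) * tc  # wait for the next interval boundary
    return sent


def max_delay(sent: List[Tuple[Packet, float]]) -> float:
    """Largest queuing delay the shaper imposed (the 'adds delay' row)."""
    return max((t - p.arrival for p, t in sent), default=0.0)


# Constructed burst: 2000 bytes in 40 ms, far above a 64 kbps CIR (8000 bytes/s)
BURST = [Packet(0.00, 400), Packet(0.01, 400), Packet(0.02, 400),
         Packet(0.03, 400), Packet(0.04, 400)]
CIR_BPS = 64_000
BC_BYTES = 1_000   # Tc = 1000 * 8 / 64000 = 0.125 s
```

On the same burst the policer drops two of the five packets on the spot, while the shaper delivers all five but holds the last one for 210 ms.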
Putting It All Together - Packet Path

[Figure: 1. packets coming in → classification → 2. packet carries classification information → optional pre-queuing operator (3. policing/marking) → queues → scheduler (4. shaping/queuing) → optional post-queuing operator (5. payload/header compression)]
Putting It All Together – Queue Definition

What controls the depth of the queue:
• Active Queue Management (e.g., WRED)
• Tail drop (queue-limit)

What controls the output from the queue:
• Min BW guarantee
• Max BW (shape rate)
• Excess BW (bandwidth remaining percent/ratio)
• Priority level
Link Efficiency Mechanisms: Link-Fragmentation and Interleaving (LFI)

[Figure: serialization of large data packets ahead of a voice packet can cause excessive delay]

Problem: Large Packets “Freeze Out” Voice

• Serialization delay is the finite amount of time required to put frames on a wire
• For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets

Benefit: Reduce the Jitter and Latency in Voice Calls
Link Efficiency Mechanisms: IP RTP Header Compression

[Figure: an IP RTP packet carries an IP header (20 bytes), a UDP header (8 bytes) and an RTP header (12 bytes) ahead of the voice payload; after compression the three headers take 2-5 bytes]

• Payload of a VoIP packet ~ 20 bytes, but IP + UDP + RTP headers ~ 40 bytes (uncompressed)!!
• For links ≤ 768 kbps, serialization delay is a major factor affecting latency and jitter
• For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice packets
Stateless vs. Stateful QoS Solutions
• Stateless solutions – routers maintain no fine-grained state about traffic. Example: DiffServ
  - scalable, robust
  - weak services
• Stateful solutions – routers maintain per-flow state. Example: IntServ
  - powerful services
  - guaranteed services + high resource utilization
  - fine-grained differentiation
Stateful Solution Complexity

• Data path
  - Per-flow classification
  - Per-flow buffer management
  - Per-flow scheduling
• Control path
  - install and maintain per-flow state for data and control paths

[Figure: per-flow state (flow 1, flow 2, …, flow n) shared by the classifier, buffer management and scheduler]
Question

• Can we achieve the best of two worlds, i.e., provide services implemented by stateful networks while maintaining the advantages of stateless architectures?
  - Yes, in some interesting cases. DPS, CSFQ.
• Can we provide reduced-state services, i.e., maintain state only for larger granular flows rather than end-to-end flows?
  - Yes: Diff-Serv
Differentiated Services Architecture (RFC 2274, RFC 2275)

[Figure: ingress node (TCB and PHB) → interior node (PHB) → egress node (TCB and PHB)]

Traffic Classification and Conditioning (TCB): classification/marking/policing
Per-Hop Behavior (PHB): queuing/dropping
IntServ/DiffServ Integration

[Figure: IntServ at both edges, with RSVP installed on the interface and CBWFQ performing classification, policing and scheduling; core routers operate in a DiffServ domain, with RSVP installed only to do admission control]
Five Steps to a Successful QoS Deployment

• Step 1: Identify and Classify Applications
  - Mission-critical apps
  - Application properties and quality requirements
• Step 2: Define QoS Policies
  - Network topology, bottleneck/non-bottleneck links
  - Trusted and untrusted boundary settings
• Step 3: Test QoS Policies
  - Baseline and benchmarking
• Step 4: Implement Policies
  - Classify and mark close to the edge
  - Work towards the core in a phased manner
• Step 5: Monitor and Adjust
Modular QoS CLI
• MQC provides a separation between classification and features
• Platform-independent way to configure QoS on Cisco platforms
• Helps in defining a QoS behavioral model, e.g.:
  - Imposing a maximum transmission rate for a class of traffic
  - Guaranteeing a minimum rate for a class of traffic
  - Giving low latency to a class of traffic
Hierarchical Policies

• Support for further granularity, e.g., police aggregate TCP traffic to 10Mb/s but simultaneously police aggregate FTP traffic to 1Mb/s and HTTP traffic to 3Mb/s

  class-map tcp-police
   match protocol tcp
  class-map ftp
   match protocol ftp
  policy-map ftp-police
   class ftp
    police <bps> …
  policy-map hierarchical-police
   class tcp-police
    police <bps> …
    service-policy ftp-police
Remember the Five?
• Identify and classify applications
• Construct a QoS policy (queuing, dropping, signaling, etc.)
• Test the QoS policy (lab, portion of network)
• Adjust and implement a QoS policy
• Management tasks: monitor key network hotspots!
Cisco NBAR Protocol Discovery MIB

• Read/write SNMP MIB support
• Real-time statistics on applications
• Per-interface, per-application, bi-directional (input and output) statistics: bit rate (bps), packet counts and byte counts
• Top-N application views
• Application threshold settings
Service-Provider Considerations

[Figure: enterprise campus → service provider (DSL, cable) → enterprise remote branch]

Maximum one-way service levels, end to end: latency ≤ 150 ms / jitter ≤ 30 ms / loss ≤ 1%
Maximum one-way SP service levels: latency ≤ 60 ms / jitter ≤ 20 ms / loss ≤ 0.5%

• Enterprises and SPs must cooperate and be consistent to ensure QoS requirements for AVVID
Chapter-3: Network Services

First Hop Redundancy Protocol
The Need for First-Hop Redundancy
• Network hosts are configured with a single default gateway IP address
• If the router whose IP address serves as the default gateway to the network host fails, a network host will be unable to send packets to another subnet
The Need for First-Hop Redundancy
• With first-hop router redundancy, a set of routers or Layer 3 switches work together to present the illusion of a single virtual router to the hosts on the LAN.
• By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single “virtual” router
HSRP

HSRP Overview
• When frames are to be sent from the workstation to the default gateway, the workstation uses ARP to resolve the MAC address that is associated with the IP address of the default gateway.
• The ARP resolution will return the MAC address of the virtual router.
• Frames that are sent to the MAC address of the virtual router can then be physically processed by an active router that is part of that virtual router group.
• The physical router that forwards this traffic is transparent to the network hosts.
• The redundancy protocol provides the mechanism for determining which router should take the active role in forwarding traffic and determining when that role must be taken over by a standby router.
HSRP Overview
When the forwarding router or a link to it fails:
• The standby router stops seeing hello messages from the forwarding router.
• The standby router assumes the role of the forwarding router.
• As the new forwarding router assumes both the IP and MAC addresses of the virtual router, the end stations see no disruption in service.
HSRP Overview
• HSRP active and standby routers send hello messages to multicast address 224.0.0.2 (all routers) for Version 1, or 224.0.0.102 for Version 2, using User Datagram Protocol (UDP) port 1985.
• Hello messages are used to communicate between routers in the HSRP group.
• All the routers in the HSRP group need to be L2 adjacent so that hello packets can be exchanged.
HSRP Router Roles
All the routers in an HSRP group have specific roles and interact in specific manners:
• Virtual router
  - An IP and MAC address pair that end devices have configured as their default gateway.
  - The active router processes all packets and frames sent to the virtual router address.
  - The virtual router processes no physical frames. There is one virtual router in an HSRP group.
• Active router
  - Within an HSRP group, one router is elected to be the active router.
  - The active router physically forwards packets sent to the MAC address of the virtual router.
  - There is one active router in an HSRP group.
• Standby router
  - Listens for periodic hello messages. When the active router fails, the other HSRP routers stop seeing hello messages from the active router.
  - The standby router then assumes the role of the active router. There is one standby router in an HSRP group.
• Other routers
  - There can be more than two routers in an HSRP group, but only one active and one standby router is possible.
  - The other routers remain in the initial state, and if both the active and standby routers fail, all routers in the group contend for the active and standby router roles.
HSRP Active Router Operation
• Router A assumes the active role and forwards all frames addressed to the assigned HSRP MAC address of 0000.0c07.acxx, where xx is the HSRP group identifier.
HSRP State Transition
• When two routers participate in an election process, a priority can be configured to determine which router should become active.
• Without specific priority configuration, each router has a default priority of 100, and the router with the highest IP address is elected as the active router.
• Regardless of other router priorities or IP addresses, an active router will stay active by default.
• A new election will occur only if the active router is removed.
• When the standby router is removed, a new election is made to replace the standby router.
• This behavior can change with the preempt option.
Aligning HSRP with STP Topology

• It is a good practice to configure the same Layer 3 switch to be both the spanning-tree root and the HSRP active router for a single VLAN.
• This approach ensures that the Layer 2 forwarding path leads directly to the Layer 3 device that is the HSRP active gateway, thus achieving maximum efficiency.
The Need for Interface Tracking with HSRP
• HSRP can track interfaces or objects and decrement priority if an interface or object fails.
• Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the router interfaces.
• When a tracked interface becomes unavailable, the HSRP priority of the router is decreased.
• When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.
• When the conditions that are defined by the object are fulfilled, the router priority remains the same.
• As soon as the verification that is defined by the object fails, the router priority is decremented.
• The amount of decrease can be configured.
• The default value is 10.
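The election rules from the "HSRP State Transition" slides combined with interface tracking, modelled as an added example that is not part of the course material: the highest priority wins, ties go to the highest IP address, an active router keeps its role unless a better router has preempt enabled, and a down tracked interface subtracts its decrement (default 10). Assumptions, labelled in the code: timers and the listen/speak/standby state machine are left out, and the router names, addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_PRIORITY = 100     # slide: default priority is 100
DEFAULT_DECREMENT = 10     # slide: default tracking decrement is 10


@dataclass
class HsrpRouter:
    name: str
    ip: str                                     # interface address in the group's subnet
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False                       # HSRP default: no preemption
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> decrement
    down: Set[str] = field(default_factory=set)             # interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every failed tracked interface."""
        return self.priority - sum(dec for ifn, dec in self.tracked.items() if ifn in self.down)

    def rank(self) -> Tuple[int, int]:
        """Election key: higher priority first, highest IP address breaks ties."""
        return (self.effective_priority(), int(ipaddress.ip_address(self.ip)))


@dataclass
class HsrpGroup:
    routers: List[HsrpRouter]
    active: Optional[str] = None
    standby: Optional[str] = None

    def _find(self, name: Optional[str]) -> Optional[HsrpRouter]:
        return next((r for r in self.routers if r.name == name), None)

    def elect(self) -> Tuple[Optional[str], Optional[str]]:
        """Re-run the election and return (active, standby) router names."""
        if not self.routers:
            self.active = self.standby = None
            return None, None
        ordered = sorted(self.routers, key=lambda r: r.rank(), reverse=True)
        best, current = ordered[0], self._find(self.active)
        if current is None:
            self.active = best.name             # nobody active: the best router wins
        elif best is not current and best.preempt and best.rank() > current.rank():
            self.active = best.name             # preempt: a better router takes over
        # otherwise the current active stays active, whatever the others' priorities
        others = [r for r in ordered if r.name != self.active]
        self.standby = others[0].name if others else None   # standby is re-elected freely
        return self.active, self.standby

    def interface_down(self, router: str, ifname: str) -> Tuple[Optional[str], Optional[str]]:
        self._find(router).down.add(ifname)
        return self.elect()

    def interface_up(self, router: str, ifname: str) -> Tuple[Optional[str], Optional[str]]:
        self._find(router).down.discard(ifname)
        return self.elect()

    def router_failed(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Hellos stop: the router leaves the group and the roles are re-elected."""
        self.routers = [r for r in self.routers if r.name != name]
        if self.active == name:
            self.active = None
        if self.standby == name:
            self.standby = None
        return self.elect()


def build_sample_group() -> HsrpGroup:
    """Constructed three-router group: A is preferred and tracks its uplink (assumed names)."""
    a = HsrpRouter("A", "10.1.1.1", priority=110, preempt=True, tracked={"Gi0/1": 20})
    b = HsrpRouter("B", "10.1.1.2")                 # defaults: priority 100, no preempt
    c = HsrpRouter("C", "10.1.1.3", preempt=True)
    return HsrpGroup([a, b, c])
```

Note that tracking alone only lowers A's priority; the role moves to C because C has preempt enabled, which is what "when properly configured" refers to.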
HSRP Interface Tracking

• HSRP has a built-in mechanism for detecting link failures and starting the HSRP reelection process.
Tracked Objects
• Tracked objects offer a vast group of possibilities.
• A few options that are commonly available include the following:
• An interface
  - This performs a similar function to the HSRP interface tracking mechanism, but with advanced features. This tracking object can not only verify the interface status (line protocol) but also whether IP routing is enabled, whether an IP address is configured on the interface, and whether the interface state is up, before reporting to the tracking client that the interface is up.
• IP route
  - A tracked IP-route object is considered up and reachable when a routing table entry exists for the route and the route is accessible. To provide a common interface to tracking clients, route metric values are normalized to the range of 0 to 255, where 0 is connected and 255 is inaccessible. You can track route reachability, or even metric values, to determine best-path values to the target network.
Tuning HSRP Timers
• By default, the HSRP hello time is 3 seconds, and the hold time is 10 seconds, which means that the failover time could be as much as 10 seconds for clients to start communicating with the new default gateway.
• In some cases, this interval may be excessive for application support.
• The hello-time and the hold-time parameters are configurable.
• To configure the time between the hello messages and the time before other group routers declare the active or standby router to be nonfunctioning, enter this command in interface configuration mode:

  Switch(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime
HSRP Versions
There are two HSRP versions available on most Cisco routers and Layer 3 switches: HSRPv1 and HSRPv2.
• Version 1 is the default version on Cisco IOS devices.
• HSRPv2 allows group numbers up to 4095, thus allowing you to use the VLAN number as the group number.
• HSRP Version 2 must be enabled on an interface before HSRP IPv6 can be configured.
• HSRP Version 2 will not interoperate with HSRP Version 1.
• All devices in an HSRP group must have the same version configured; otherwise, the hello messages are not understood.
VRRP

Configuring Layer 3 Redundancy with VRRP
Upon completing this section, you will be able to do the following:
• Describe the idea behind VRRP
• Configure and verify VRRP
• Describe the differences between HSRP and VRRP
• Describe tracking options with VRRP
• Configure VRRP interface object tracking
About VRRP
• VRRP is an open-standard alternative to HSRP.
• VRRP is similar to HSRP, both in operation and configuration.
• The VRRP master is analogous to the HSRP active gateway, and the VRRP backup is analogous to the HSRP standby gateway.
• A VRRP group has one master device and one or multiple backup devices.
• The device with the highest priority is the elected master. Priority can be a number between 0 and 255.
  - Priority value 0 has a special meaning; it indicates that the current master has stopped participating in VRRP.
  - This setting is used to trigger backup devices to quickly transition to master without having to wait for the current master to time out.
• VRRP differs from HSRP in that it allows you to use an address of one of the physical VRRP group members as the virtual IP address.
  - In this case, the device with the used physical address is the VRRP master whenever it is available.
• The master is the only device that sends advertisements (analogous to HSRP hellos).
• Advertisements are sent to the 224.0.0.18 multicast address, protocol number 112.
• The default advertisement interval is 1 second. The default hold time is 3 seconds.
• HSRP, in comparison, has the default hello timer set to 3 seconds and the hold timer to 10 seconds.
• As with HSRP, load sharing is also available with VRRP. Multiple virtual router groups can be configured.
• Contrary to HSRP, preemption is enabled by default with VRRP.
GLBP

Introducing GLBP
• GLBP shares some concepts with VRRP and HSRP, but the terminology differs, and its behavior is more dynamic and robust.
• Although HSRP and VRRP provide gateway resiliency, only the active router within the group forwards the traffic for the virtual MAC.
• HSRP and VRRP can accomplish load sharing by manually specifying multiple groups and assigning multiple default gateways.
• GLBP is a Cisco proprietary solution that allows for automatic selection and simultaneous use of multiple available gateways, in addition to automatic failover between those gateways.
• Multiple routers share the load of packets that, from a client’s perspective, are sent to a single default gateway address.
• There is also no need to configure a specific gateway address on an individual host. All hosts can use the same default gateway.
GLBP Roles
• GLBP routers are divided into two roles: a gateway and a forwarder.
• GLBP AVG (active virtual gateway)
  - Members of a GLBP group elect one gateway to be the AVG for that group.
  - Other group members provide a backup for the AVG when the AVG becomes unavailable; these will be in standby state.
  - The AVG assigns a virtual MAC address to each member of the GLBP group.
  - The AVG listens to the ARP requests for the default gateway IP and replies with the MAC address of one of the GLBP group members, thus load sharing traffic among all the group members.
• GLBP AVF (active virtual forwarder)
  - Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address that is assigned to that gateway by the AVG.
  - These gateways are known as AVFs. There can be up to four forwarders within a GLBP group.
  - All other devices will be secondary forwarders, serving as backup if the current AVF fails.
  - Forwarders that are forwarding traffic for a specific virtual MAC are in the active state and are called AVFs. Forwarders that are serving as backups are in the listen state.
GLBP States (Gateway)
The following are the possible virtual gateway states:
• Disabled: The virtual IP address has not been configured or learned, but there is some GLBP configuration.
• Initial: The virtual IP address has been configured or learned, but configuration is not complete. The interface must be operational on Layer 3 and configured to route IP.
• Listen: The virtual gateway is receiving hello packets. It is ready to change to speak state if the active or standby virtual gateway becomes unavailable.
• Speak: The virtual gateway is trying to become the active or standby virtual gateway.
• Standby: This gateway is next in line to be the active virtual gateway.
• Active: This gateway is the AVG, and is responsible for responding to ARP requests for the virtual IP address.

GLBP States (Forwarder)
The following are the possible virtual forwarder states:
• Disabled: The virtual MAC address has not been assigned or learned. The disabled virtual forwarder will be deleted shortly. This state is transitory only.
• Initial: The virtual MAC address is known, but configuration of the virtual forwarder is not complete. The interface must be operational on Layer 3 and configured to route IP.
• Listen: This virtual forwarder is receiving hello packets and is ready to change to the active state if the active virtual forwarder becomes unavailable.
• Active: This gateway is the AVF, and is responsible for forwarding packets sent to the virtual forwarder’s MAC address.
The Virtual MAC Addresses of GLBP
• The virtual MAC addresses of GLBP are in the form 0007.b4XX.XXYY.
• XXXX is a 16-bit value that represents six 0 bits, followed by a 10-bit GLBP group number.
• YY is an 8-bit value, and it represents the virtual forwarder number.
• The AVG assigned forwarder 1 the virtual MAC address 0007.b400.0101 and forwarder 2 the virtual MAC address 0007.b400.0102.
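The two virtual MAC layouts on this page, HSRPv1's 0000.0c07.acXX from "HSRP Active Router Operation" and GLBP's 0007.b4XX.XXYY above, as one added example that is not part of the course material. It derives the address from group and forwarder numbers and also does the inverse, so a MAC seen in an ARP reply can be checked against the gateway group it should belong to; the forwarder range 1..4 follows the slide's "up to four forwarders", and the function names are this example's own.

```python
import re
from typing import Dict, Optional

_DOTTED_HEX = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

HSRP_V1_PREFIX = 0x00000c07ac00   # 0000.0c07.acXX, XX = 8-bit group number
GLBP_PREFIX = 0x0007b4000000      # 0007.b4XX.XXYY, XXXX = 6 zero bits + 10-bit group, YY = forwarder


def _format(mac: int) -> str:
    """Render 48 bits in Cisco dotted-hex notation."""
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _parse(mac: str) -> int:
    m = mac.strip().lower()
    if not _DOTTED_HEX.match(m):
        raise ValueError(f"expected a dotted-hex MAC like 0000.0c07.ac01, got {mac!r}")
    return int(m.replace(".", ""), 16)


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC: the fixed prefix plus the 8-bit group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return _format(HSRP_V1_PREFIX | group)


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC: 0007.b4, six zero bits, 10-bit group, 8-bit forwarder."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group must fit in 10 bits (0..1023)")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP forwarder number must be 1..4")
    return _format(GLBP_PREFIX | (group << 8) | forwarder)


def identify_vmac(mac: str) -> Optional[Dict[str, object]]:
    """Inverse operation: given a MAC resolved for a default gateway, report
    which first-hop protocol and group it belongs to, or None if it matches
    neither layout (for example a router's physical burned-in address)."""
    v = _parse(mac)
    if (v >> 8) == (HSRP_V1_PREFIX >> 8):
        return {"protocol": "HSRPv1", "group": v & 0xFF}
    xxxx = (v >> 8) & 0xFFFF
    if (v >> 24) == (GLBP_PREFIX >> 24) and (xxxx >> 10) == 0:
        return {"protocol": "GLBP", "group": xxxx & 0x3FF, "forwarder": v & 0xFF}
    return None
```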
GLBP Load-Balancing Options
GLBP supports the following operational modes for load balancing traffic across multiple default routers that are servicing the same default gateway IP address:
• Weighted load-balancing algorithm
  - The amount of load that is directed to a router depends on the weighting value that is advertised by that router.
• Host-dependent load-balancing algorithm
  - A host is guaranteed the use of the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.
• Round-robin load-balancing algorithm
  - As clients send ARP requests to resolve the MAC address of the default gateway, the reply to each client contains the MAC address of the next possible router in a round-robin fashion. The MAC addresses of all routers take turns being included in address resolution replies for the default gateway IP address.
• To configure the load-balancing option, use the following command:

  Switch(config-if)# glbp group load-balancing [round-robin | weighted | host-dependent]
GLBP Authentication
• The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
• The key string cannot exceed 100 characters in length.
• The following example demonstrates the configuration for GLBP authentication:

  Router(config)# interface Ethernet0/1
  Router(config-if)# ip address 192.0.0.1 255.255.255.0
  Router(config-if)# glbp 1 authentication md5 key-string d00b4r987654323hg
  Router(config-if)# glbp 1 ip 192.0.0.10
GLBP and STP
• With some switching topologies, the operation of STP results in inefficient traffic paths.
• In such cases, implementation of HSRP might be preferred over GLBP because it is easier to understand, whereas GLBP provides no advantages.
Tracking and GLBP
• Changing the weight affects the AVF election and the load-balancing algorithm.
• Both values can be manipulated with object tracking.
GLBP Weight
• GLBP uses a weighting scheme to determine the forwarding capacity
of each router in the GLBP group.
• The weighting that is assigned to a router in the GLBP group can be
used to determine whether it will forward packets and, if so, the
proportion of hosts in the LAN for which it will forward packets.
• Thresholds can be set to disable forwarding when the weighting for a
GLBP group falls below a certain value, and when it rises above
another threshold, forwarding is automatically reenabled.

www.orhanergun.net
GLBP Weight
• By default, the GLBP virtual forwarder preemptive scheme is enabled
with a delay of 30 seconds.
• A backup virtual forwarder can become the AVF if the current AVF
weighting falls below the low weighting threshold for 30 seconds.
• To disable the GLBP forwarder preemptive scheme, use the no glbp
forwarder preempt command or change the delay by using the glbp
forwarder preempt delay minimum command.
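The weighting thresholds, object tracking and forwarder preemption described above, as an added simulation that is not Cisco code and not part of the original slides. The router names, the threshold values (maximum 100, lower 85, upper 95), the tracked-object decrement of 20 and the event times are constructed assumptions chosen to show the hysteresis between the two thresholds and the 30-second preempt delay.

```python
# Added example: simulation of GLBP weighting thresholds, object tracking
# and forwarder preemption. Not Cisco code; all values are constructed.
from typing import Dict, List, Optional, Tuple

PREEMPT_DELAY = 30  # seconds; the default GLBP forwarder preempt delay


class Forwarder:
    """One router's GLBP weighting state (constructed model, not IOS internals)."""

    def __init__(self, name: str, maximum: int, lower: int, upper: int) -> None:
        self.name = name
        self.weight = maximum          # weighting starts at the configured maximum
        self.lower = lower             # forwarding is disabled when weight falls below this
        self.upper = upper             # forwarding is re-enabled when weight rises above this
        self.forwarding = True
        self.below_since: Optional[int] = None  # time the weight first dropped below 'lower'

    def apply_tracking(self, delta: int, now: int) -> None:
        """Object tracking decrements the weight when a tracked object fails
        (negative delta) and restores it on recovery (positive delta)."""
        self.weight += delta
        if self.weight < self.lower:
            self.forwarding = False
            if self.below_since is None:
                self.below_since = now
        elif self.weight > self.upper:
            # Hysteresis: a weight between the two thresholds leaves the state unchanged.
            self.forwarding = True
            self.below_since = None

    def backup_may_preempt(self, now: int) -> bool:
        """A backup virtual forwarder may take over the AVF role once the
        current AVF has stayed below the lower threshold for PREEMPT_DELAY."""
        return self.below_since is not None and now - self.below_since >= PREEMPT_DELAY


def weighted_shares(routers: List[Forwarder]) -> Dict[str, float]:
    """Share of hosts each forwarding router serves under weighted load balancing:
    its weight divided by the sum of the weights of all routers still forwarding."""
    active = [r for r in routers if r.forwarding]
    total = sum(r.weight for r in active)
    return {r.name: r.weight / total for r in active} if total else {}


def simulate() -> List[Tuple[int, int, bool, bool]]:
    """Constructed scenario: R1's tracked uplink fails at t=0 and recovers at t=45.
    Returns (time, weight, forwarding, backup_may_preempt) snapshots."""
    r1 = Forwarder("R1", maximum=100, lower=85, upper=95)
    events = {0: -20, 45: +20}          # time -> weight change from object tracking
    snapshots = []
    for now in (0, 10, 30, 45):
        if now in events:
            r1.apply_tracking(events[now], now)
        snapshots.append((now, r1.weight, r1.forwarding, r1.backup_may_preempt(now)))
    return snapshots


if __name__ == "__main__":
    for snap in simulate():
        print("t=%3ds weight=%3d forwarding=%-5s backup_may_preempt=%s" % snap)
    r2 = Forwarder("R2", maximum=100, lower=85, upper=95)
    r3 = Forwarder("R3", maximum=50, lower=40, upper=45)
    print(weighted_shares([r2, r3]))   # R2 serves 2/3 of the hosts, R3 serves 1/3
```

At t=0 the weight drops to 80, below the lower threshold, so R1 stops forwarding at once; a backup may preempt only at t=30, after the delay has elapsed; at t=45 the weight returns to 100, above the upper threshold, and forwarding resumes. A weight that recovers to a value between the two thresholds leaves forwarding disabled, which is the point of having two thresholds.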

GLBP Tracking Detects Interface Failure

GLBP Weighting Option Under Failures

Summary
• The redundancy protocol provides the mechanism for determining which router should take the active role in forwarding traffic and determining when that role must be taken over by a standby router.
• HSRP is a Cisco proprietary protocol, whereas VRRP is an industry standard for virtual routing gateways.
• HSRP Version 1 and Version 2 active and standby routers send hello messages to multicast address 224.0.0.2 for Version 1 and 224.0.0.102 for Version 2 on UDP port 1985.
• It is important that the configured active router should be the same as the STP root bridge.
• HSRP and VRRP use the VLAN load-balancing mechanism for load balancing.
• With the new RFC, only the Cisco implementation of VRRP supports VRRP authentication.
• GLBP, by default, provides the virtual gateway and load balancing via multiple virtual MAC addresses.
• Review all the configuration examples and troubleshooting steps for better understanding and for exam preparation.

Network Time Protocol (NTP)

What is NTP?
• NTP is one of the oldest internet protocols in current use. It is used to synchronize the clock between network devices.

Importance of NTP
• If we are using time-based access control lists
• Certificate-based authentication between server and client
• When log messages are being tracked to monitor the device

About NTP
• NTP is the perfect solution for keeping time and date up to date in all the devices. NTP uses UDP as a transport layer protocol with a port number of 123.
• NTP uses a term called "Stratum", which is defined as the distance between a device and an authoritative time server. In other words, it means how many hops a device is away from an authoritative time server or reference clock.
• Stratum 0 is directly maintained by the Global Positioning System, atomic clocks and other upstream devices, and no delay is associated with it. The lower a server's stratum, the more accurate it is.

Types of Clock
• 1 – Software Clock
• 2 – Hardware Clock

Software Clock
Software Clock – The software clock is the primary clock used to update time and date. The software clock can be updated from an external source such as an NTP server, Simple NTP or the hardware clock.

Hardware Clock
Hardware Clock – It is an integrated clock powered by a battery. The hardware clock can be synchronized with the software clock. The hardware clock is sometimes referred to as the "Calendar".

NTP Modes
Server Mode
NTP Client Mode
NTP Symmetric Active Mode

Server Mode
In this mode devices operate as an NTP server and serve as the time source for the client.

NTP Client Mode
The local router or switch can be synchronized by the remote server, but the reverse cannot occur.

NTP Symmetric Active Mode
In this mode, the local router or switch and the remote server can be synchronized with each other. This mode is used as a backup when the remote NTP server is not available. The local router or switch may become the time source for NTP clients.
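The stratum described under "About NTP" and the association modes listed above are both carried in the first bytes of the 48-byte NTP header. The following is an added example, not part of the original slides, that builds and parses that header in Python so that the stratum and mode of a captured packet can be read and checked; the sample values (a stratum 2 reply in server mode with a transmit time of 1700000000.5 seconds Unix time) are constructed for illustration, and the field layout follows the standard NTP header.

```python
# Added example: build and parse the 48-byte NTP header.
# Not part of the original slides; sample values are constructed.
import struct
from typing import Dict

NTP_PORT = 123                            # NTP runs over UDP port 123
NTP_UNIX_OFFSET = 2208988800              # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_FMT = "!BBBbIIIQQQII"              # LI/VN/Mode, stratum, poll, precision, root delay,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # root dispersion, ref id, 3 x 64-bit timestamps, xmit ts
MODES = {
    1: "symmetric active",                # peers that may synchronize each other
    2: "symmetric passive",
    3: "client",                          # one-way: the client takes time, never gives it
    4: "server",
    5: "broadcast",
}


def describe_stratum(stratum: int) -> str:
    """Meaning of the stratum byte as carried on the wire."""
    if stratum == 0:
        return "unspecified or kiss-o'-death (not a usable time source)"
    if stratum == 1:
        return "primary server, directly attached to a stratum 0 reference clock"
    if 2 <= stratum <= 15:
        return f"secondary server, {stratum - 1} hop(s) from a primary server"
    return "unsynchronized"


def build_ntp_packet(mode: int, stratum: int, transmit_unix: float, version: int = 4) -> bytes:
    """Construct a minimal NTP packet; only the first 4 bytes and the transmit
    timestamp carry meaningful values here (the other fields are zero)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode   # leap indicator 0, version, mode
    whole = int(transmit_unix)
    secs = whole + NTP_UNIX_OFFSET
    frac = min(int(round((transmit_unix - whole) * (1 << 32))), (1 << 32) - 1)
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_ntp_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fields a practitioner checks first on a captured NTP packet."""
    if len(pkt) < HEADER_LEN:
        raise ValueError(f"NTP packet must be at least {HEADER_LEN} bytes, got {len(pkt)}")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", pkt[:4])
    xmit_secs, xmit_frac = struct.unpack("!II", pkt[40:48])   # transmit timestamp, bytes 40-47
    mode = li_vn_mode & 0x07
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": MODES.get(mode, f"reserved({mode})"),
        "stratum": stratum,
        "stratum_meaning": describe_stratum(stratum),
        "poll_interval_s": 2 ** poll,
        "transmit_unix": xmit_secs - NTP_UNIX_OFFSET + xmit_frac / (1 << 32),
    }


if __name__ == "__main__":
    # Constructed reply from a stratum 2 server (mode 4).
    reply = build_ntp_packet(mode=4, stratum=2, transmit_unix=1700000000.5)
    for key, value in parse_ntp_header(reply).items():
        print(f"{key:>16}: {value}")
```

Note the difference between the slides' stratum 0 (the reference clock itself) and the stratum byte on the wire: a server attached to such a clock advertises stratum 1, while a packet carrying stratum 0 is unspecified or a kiss-o'-death and must not be accepted as a time source; stratum 16 means the sender is not synchronized at all.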

DHCPv4

DHCPv4 Operation

Configuring a DHCPv4 Server
A Cisco router running the Cisco IOS software can be configured to act as a DHCPv4 server. To set up DHCP:
1. Exclude addresses from the pool.
2. Set up the DHCP pool name.
3. Define the range of addresses and subnet mask. Use the default-router command for the default gateway. Optional parameters that can be included in the pool: dns-server, domain-name.

To disable DHCP, use the no service dhcp command.

Verifying a DHCPv4 Server
• Commands to verify DHCP:
• show running-config | section dhcp
• show ip dhcp binding
• show ip dhcp server statistics
• On the PC, issue the ipconfig /all command.

DHCPv4 Relay
• Using an IP helper address enables a router to forward DHCPv4 broadcasts to the DHCPv4 server, acting as a relay.

DHCPv6

SLAAC and DHCPv6
Stateless Address Autoconfiguration
Stateless Address Autoconfiguration (SLAAC) is a method in which a device can obtain an IPv6 global unicast address without the services of a DHCPv6 server.

SLAAC and DHCPv6
SLAAC Operation
SLAAC Option
Stateless DHCP Option
Stateful DHCP Option
DHCPv6 Operations

Stateful DHCPv6
Verifying Stateful DHCPv6
• Verify the stateful DHCPv6 server using the following commands:
show ipv6 dhcp pool
show ipv6 dhcp binding
• Verify the stateful DHCPv6 client using the show ipv6 interface command.

Chapter-4: Network Address Translation (NAT)

IPv4 Private Address Space
• IPv4 address space is not big enough to uniquely address all the devices that must be connected to the Internet.
• Network private addresses are described in RFC 1918 and are designed to be used within an organization or site only.
• Private addresses are not routed by Internet routers, while public addresses are.
• Private addresses can alleviate IPv4 scarcity, but because they aren't routed by Internet devices, they first need to be translated.
• NAT is the process used to perform such translation.

What is NAT?
• NAT is a process used to translate network addresses.
• NAT's primary use is to conserve public IPv4 addresses.
• NAT is usually implemented at border network devices, such as firewalls or routers.
• NAT allows the networks to use private addresses internally, only translating to public addresses when needed.
• Devices within the organization can be assigned private addresses and operate with locally unique addresses.
• When traffic must be sent or received to or from other organizations or the Internet, the border router translates the addresses to a public and globally unique address.

NAT Terminology
• Inside network is the set of devices using private addresses
• Outside network refers to all other networks
• NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address

Types of NAT
Static NAT
• Static NAT uses a one-to-one mapping of local and global addresses.
• These mappings are configured by the network administrator and remain constant.
• Static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network.
• A network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address.

Dynamic NAT
• Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.
• When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.
• Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Port Address Translation
• Port Address Translation (PAT) maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses.
• PAT uses the pair of source port and source IP address to keep track of what traffic belongs to what internal client.
• PAT is also known as NAT overload.
• By also using the port number, PAT forwards the response packets to the correct internal device.
• The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.

Comparing NAT and PAT
• NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses.
• PAT modifies both the address and the port number.
• NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network.
• With PAT, there is generally only one or a very few publicly exposed IPv4 addresses.
• PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT.

Benefits of NAT
• Conserves the legally registered addressing scheme
• Increases the flexibility of connections to the public network
• Provides consistency for internal network addressing schemes
• Provides network security

Disadvantages of NAT
• Performance is degraded
• End-to-end functionality is degraded
• End-to-end IP traceability is lost
• Tunneling is more complicated
• Initiating TCP connections can be disrupted

Configuring Static NAT
There are two basic tasks to perform when configuring static NAT translations:
• Create the mapping between the inside local and outside local addresses.
• Define which interfaces belong to the inside network and which belong to the outside network.

Analyzing Static NAT

Configuring Dynamic NAT
Dynamic NAT Operation
• The pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come, first-served basis.
• With dynamic NAT, a single inside address is translated to a single outside address.
• The pool must be large enough to accommodate all inside devices.
• A device is unable to communicate with any external networks if no addresses are available in the pool.
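The three translation types described above (static one-to-one mappings, a dynamic pool that can run out, and PAT keyed on the source address and port) as an added toy model in Python. This is not Cisco code and not part of the original slides; the RFC 5737 documentation addresses, host names and port numbers are constructed. It shows the pool-exhaustion case and the PAT check that an inbound packet must match an existing session.

```python
# Added example: a toy NAT table that models static NAT, dynamic NAT and
# PAT/overload. Not Cisco code; addresses and ports are constructed.
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IPv4 address, transport port)


class NatRouter:
    def __init__(self, static: Dict[str, str], pool: List[str],
                 overload_address: str, overload: bool) -> None:
        self.static = dict(static)            # inside local -> inside global, 1:1, permanent
        self.free_pool = list(pool)           # unused inside global addresses (dynamic NAT)
        self.dynamic: Dict[str, str] = {}     # inside local -> inside global, allocated on demand
        self.overload = overload              # True = PAT (NAT overload)
        self.overload_address = overload_address
        self.next_port = 1024
        self.pat_out: Dict[Endpoint, Endpoint] = {}   # (local ip, port) -> (global ip, port)
        self.pat_in: Dict[Endpoint, Endpoint] = {}    # reverse table used to validate inbound packets

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate the source of an inside->outside packet. None = cannot be translated."""
        ip, port = src
        if ip in self.static:
            return self.static[ip], port
        if self.overload:
            if src not in self.pat_out:
                glob = (self.overload_address, self.next_port)   # unique (address, port) per session
                self.next_port += 1
                self.pat_out[src] = glob
                self.pat_in[glob] = src
            return self.pat_out[src]
        if ip not in self.dynamic:
            if not self.free_pool:
                return None            # pool exhausted: the host cannot reach outside networks
            self.dynamic[ip] = self.free_pool.pop(0)   # first come, first served
        return self.dynamic[ip], port

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate the destination of an outside->inside packet.
        With PAT only packets matching an existing session are forwarded."""
        ip, port = dst
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if glob == ip:
                return local, port
        return self.pat_in.get(dst)    # None: unsolicited packet, dropped


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: three inside hosts, a two-address pool, one static server mapping."""
    static = {"10.0.0.5": "203.0.113.5"}
    pool = ["203.0.113.10", "203.0.113.11"]
    hosts = [("10.0.0.20", 51000), ("10.0.0.21", 51001), ("10.0.0.22", 51002)]

    dyn = NatRouter(static, pool, "203.0.113.1", overload=False)
    dynamic_result = [dyn.outbound(h) for h in hosts]      # third host gets None

    pat = NatRouter(static, pool, "203.0.113.1", overload=True)
    pat_result = [pat.outbound(h) for h in hosts]          # all share 203.0.113.1
    return {
        "dynamic": dynamic_result,
        "pat": pat_result,
        "pat_reply_to_second_host": pat.inbound(pat_result[1]),
        "pat_unsolicited": pat.inbound(("203.0.113.1", 9999)),
        "static_server_from_outside": pat.inbound(("203.0.113.5", 22)),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

With the two-address pool the third host gets no translation at all, which is the failure mode the last bullet above describes; with PAT all three hosts share one address and are told apart by the assigned port, and a packet arriving for a port with no session behind it is dropped rather than forwarded.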

Analyzing Dynamic NAT

Configuring PAT
Analyzing PAT

Port Forwarding
• Port forwarding is the act of forwarding a network port from one network node to another.
• A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network.
• Port forwarding is helpful in situations where servers have private addresses, not reachable from the outside networks.

Configuring NAT and IPv6
NAT for IPv6?
• NAT is a workaround for IPv4 address scarcity.
• IPv6 with a 128-bit address provides 340 undecillion addresses.
• Address space is not an issue for IPv6.
• IPv6 makes IPv4 public-private NAT unnecessary by design; however, IPv6 does implement a form of private addresses, and it is implemented differently than for IPv4.

IPv6 Unique Local Addresses
• IPv6 unique local addresses (ULAs) are designed to allow IPv6 communications within a local site.
• ULAs are not meant to provide additional IPv6 address space.
• ULAs have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF.
• ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses).

NAT for IPv6
• IPv6 also uses NAT, but in a much different context.
• In IPv6, NAT is used to provide transparent communication between IPv6 and IPv4.
• NAT64 is not intended to be a permanent solution; it is meant to be a transition mechanism.
• Network Address Translation-Protocol Translation (NAT-PT) was another NAT-based transition mechanism for IPv6, but is now deprecated by IETF.
• NAT64 is now recommended.

Summary
• How NAT is used to help alleviate the depletion of the IPv4 address space.
• NAT conserves public address space and saves considerable administrative overhead in managing adds, moves, and changes.
• NAT for IPv4, including:
• NAT characteristics, terminology, and general operations
• Different types of NAT, including static NAT, dynamic NAT, and NAT with overloading
• Benefits and disadvantages of NAT
• How port forwarding can be used to access an internal device from the Internet.
• Troubleshooting NAT using show and debug commands.
• How NAT for IPv6 is used to translate between IPv6 addresses and IPv4 addresses.
• The configuration, verification, and analysis of static NAT, dynamic NAT, and NAT with overloading.

IP SLA

Cisco IOS IP Service Level Agreement: A New Direction
• Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance
• Comprehensive hardware support
• Committed Cisco partner support
• Cisco IOS Software, the world's leading network infrastructure software
Figure: where IP SLAs apply across Cisco IOS Software. Enterprise and Small/Medium Business (Access, Enterprise Premise, Backbone, Enterprise Edge): understand network performance and ease deployment; verify service levels; verify outsourced SLAs. Service Providers (Service Provider Aggregation, Service Provider Edge, Service Provider Core): measure and provide SLAs.

Cisco IOS IP SLAs: Understanding IP Service Levels
• Optimize IP business applications and services
• Voice over IP, Video, and VPN
• Reduce total cost of ownership
• End to end service level measurements

The Need for IP-Based Service Levels
PROBLEM → RESULT
• 40% of companies delay launching new applications due to network performance concerns [2] → Reduced business productivity
• 59% of companies simply add bandwidth to ensure application efficiency [2] → Increased network costs
• 55% of companies only identify some of their network traffic [2] → Reduced understanding of network behavior
• Cost of application downtime and degradation is 13K per minute for an ERP application [3] → Lowered network performance can be costly

Cisco IOS IP SLAs Benefits
OPTIMIZED APPLICATIONS & SERVICES
• Performance visibility
• Prove service levels
• Enhance customer satisfaction
• Enhance acceptance of business-critical services
REDUCED TOTAL COST OF OWNERSHIP AND OpEx
• Reduce deployment time
• Lower mean time to restore and downtime
• Proactive identification of issues enforces higher reliability
Figure: measurements and metrics plus automated intelligence give continuous, predictable, reliable and proactive monitoring.

Cisco IOS IP SLAs Life Cycle
1. Baseline network performance: understand the network performance baseline.
2. Verify network readiness for new IP services and applications: confidence to deploy new services with Cisco IOS IP SLA capabilities.
3. Assure application and service deployment: quantify results.
• Reduce deployment time
• Prove service and application differentiation
• Verify service levels
• Reduce network down time
• Manage demand for the network
4. Fine tune and optimize: ongoing measurements to understand behavior, with proactive notification.

Cisco IOS IP SLAs Uses and Metrics
DATA TRAFFIC
• Requirement: minimize delay, packet loss
• IP SLA measurement: jitter, packet loss, latency
SERVICE LEVEL AGREEMENT
• Requirement: minimize delay, packet loss, jitter; verify QoS
• IP SLA measurement: jitter, packet loss, latency, per QoS
VoIP
• Requirement: measure delay, packet loss, jitter; one-way
• IP SLA measurement: jitter, packet loss, latency, MOS voice quality score, one-way, enhanced accuracy, NTP
AVAILABILITY
• Requirement: connectivity testing
• IP SLA measurement: connectivity tests to IP devices
STREAMING VIDEO
• Requirement: minimize delay, packet loss, jitter
• IP SLA measurement: jitter, packet loss, latency

IP SLA for Voice over IP
• VoIP may be difficult to deploy when the network behavior is not well understood
• Cisco IOS IP SLAs will verify network readiness and QoS
• Measure critical performance for VoIP deployment
• Real time warning of network performance degradation
• IP SLA is universally available across Cisco IOS Software routers
Figure: standard jitter, packet loss and latency measurements; hardware-based measurements; voice quality score measurements; call setup VoIP measurements.

Cisco IOS IP SLAs for VoIP
• Voice quality measurements between any two network points on any path
• Continuous, reliable, predictable performance monitoring
• Cisco IOS IP SLAs thresholds and hop-by-hop details isolate problems
Figure: IP SLA network-to-server, WAN and end-to-end measurements between Headquarters and Branch across the IP WAN and the PSTN.

Cisco IOS IP SLAs Example: United States, Service Provider QoS
IP CLASS OF SERVICE | THROUGHPUT | ONE-WAY DELAY | JITTER | BANDWIDTH PER APP
Priority Voice Traffic | Packet loss < 5% | < 80 ms | < 35 ms | Max 75% or less
Real-Time Traffic – Video | Packet loss < 3% | < 80 ms | - | 60%
Priority Data Traffic | Packet loss < 2% | < 100 ms | - | 30%
Best Effort Traffic | No target | No target | No target | 10%
• Jitter: telephony and multi-media conferencing
• Packet Loss: telephony, multi-media conferencing, streaming media, low latency data
• Delay: telephony, multi-media conferencing, streaming media

VPN SLAs and Performance Measurement
• Cisco IOS Software is an MPLS leader
• How can SLAs be measured with a specific VPN? Cisco IOS IP SLA operations are vrf-aware and measure an SLA per VPN (PE)
• Allows measurements from a PE or multi-vrf CE router
Figure: CEs with VRFs Red, Blue and Yellow (192.168.1.1, 192.168.2.1, 192.168.3.1) attached to a PE.

Syslog

Syslog Operation
Introduction to Syslog
Syslog Operation
Syslog Message Format

Service Timestamp
• Log messages can be time-stamped and the source address of syslog messages can be set. This enhances real-time debugging and management.
• The service timestamps log datetime msec command, entered in global configuration mode, should be entered on the device.
• In this chapter, it is assumed that the clock has been set and the service timestamps log datetime msec command has been configured on all devices.

Configuring Syslog
Syslog Server
• The syslog server provides a relatively user-friendly interface for viewing syslog output.
• The server parses the output and places the messages into pre-defined columns for easy interpretation. If timestamps are configured on the networking device sourcing the syslog messages, then the date and time of each message displays in the syslog server output.
• Network administrators can easily navigate the large amount of data compiled on a syslog server.
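The column parsing a syslog server performs, and the effect of the service timestamps setting described two slides earlier, as an added Python example that is not part of the original slides. The sample log lines are constructed, not captured from a device; the parser reads the IOS message layout of an optional sequence number, an optional timestamp and the %FACILITY-SEVERITY-MNEMONIC header, and records whether the timestamp carried milliseconds and whether the sending clock was authoritative.

```python
# Added example: parse Cisco IOS syslog lines the way a syslog server splits
# them into columns. Not part of the original slides; sample lines are constructed.
import re
from typing import Dict, List, Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS message layout: [seq: ][*|.][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
# A leading '*' means the device clock is not authoritative (never synchronized);
# a leading '.' means it was synchronized but has since lost sync.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<mark>[*.])?(?P<ts>(?:[A-Z][a-z]{2}\s+\d{1,2} )?\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: [A-Z]{3,4})?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return the message split into columns, or None if it is not an IOS syslog message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    sev = int(m.group("severity"))
    return {
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": ts,
        "has_msec": bool(ts and re.search(r"\.\d{3}$", ts)),     # datetime msec was configured
        "clock_authoritative": ts is not None and m.group("mark") is None,
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    "000123: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.9)",
    "Mar  1 00:13:01.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22]",
    "not a syslog line",
]


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    return [p for p in (parse_syslog(ln) for ln in lines) if p]


def correlatable(messages: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Messages a collector can safely correlate across devices: they carry a
    timestamp and come from a device whose clock is authoritative (NTP-synced)."""
    return [m for m in messages if m["clock_authoritative"]]


if __name__ == "__main__":
    for msg in parse_all(SAMPLE_LOG):
        print(f'{msg["timestamp"]!s:>20} {msg["facility"]:<10} {msg["severity_name"]:<14} '
              f'{msg["mnemonic"]:<14} {msg["text"]}')
```

Only the second sample line is usable for cross-device correlation: the first is stamped but marked with the asterisk that IOS prints when the clock has not been synchronized, and the third carries no timestamp at all, which is what a device logs before service timestamps and an NTP source are configured.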

Configuring Syslog
Default Logging
Router and Switch Commands for Syslog Clients
Verifying Syslog

SNMP

SNMP Operation
Introduction to SNMP
SNMP Operation
SNMP Agent Traps

SNMP Versions
There are several versions of SNMP, including:
• SNMPv1
• SNMPv2c
• SNMPv3

SNMPv1
• SNMPv1 - The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

SNMPv2c
• SNMPv2c - Defined in RFCs 1901 to 1908; utilizes a community-string-based Administrative Framework.

SNMPv3
• SNMPv3 - Interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity, to ensure that a packet was not tampered with in transit; authentication, to determine that the message is from a valid source; and encryption, to prevent the contents of a message from being read by an unauthorized source.

SNMP Operation
Community Strings
There are two types of community strings:
• Read-only (ro) – Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is so weak in version 2c, many organizations use SNMPv2c in read-only mode.
• Read-write (rw) – Provides read and write access to all objects in the MIB.

SNMP Operation
Management Information Base Object ID

Configuring SNMP
Steps for Configuring SNMP
Step 1. (Required) Configure the community string and access level (read-only or read-write) with the snmp-server community string ro | rw command.
Step 2. (Optional) Document the location of the device using the snmp-server location text command.
Step 3. (Optional) Document the system contact using the snmp-server contact text command.
Step 4. (Optional) Restrict SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL. Define the ACL and then reference the ACL with the snmp-server community string access-list-number-or-name command.
Step 5. (Optional) Specify the recipient of the SNMP trap operations with the snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string command. By default, no trap manager is defined.
Step 6. (Optional) Enable traps on an SNMP agent with the snmp-server enable traps notification-types command.
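The community-string and configuration steps above can be checked mechanically against a running configuration. The following added Python example, which is not Cisco code and not part of the original slides, audits the snmp-server lines of a constructed IOS configuration excerpt: it flags read-write communities and well-known default strings (step 1), communities without an ACL or with an ACL that is not defined (step 4), trap receivers that are not using SNMPv3 with priv (step 5), and missing location or contact documentation (steps 2 and 3). The sample configuration, its community names and the 192.0.2.x NMS addresses are constructed for illustration.

```python
# Added example: audit the snmp-server lines of an IOS running-config against
# the steps above (community access level, ACL restriction, trap receiver
# version). Not Cisco code; the sample configuration is constructed.
import re
from typing import List, Set, Tuple

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", re.IGNORECASE)
HOST_RE = re.compile(r"^snmp-server host (\S+)(?: version (1|2c|3)(?: (auth|noauth|priv))?)? (\S+)$")
ACL_DEF_RE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")
WELL_KNOWN = {"public", "private"}      # widely shipped default community strings

Finding = Tuple[str, str]                # (severity, message)


def defined_acls(config: str) -> Set[str]:
    acls = set()
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str) -> List[Finding]:
    acls = defined_acls(config)
    findings: List[Finding] = []
    seen_location = seen_contact = False
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if name.lower() in WELL_KNOWN:
                findings.append(("high", f"community '{name}' is a well-known default string"))
            if mode == "RW":
                findings.append(("high", f"community '{name}' grants read-write access to the whole MIB"))
            if acl is None:
                findings.append(("medium", f"community '{name}' is not restricted to NMS hosts by an ACL (step 4)"))
            elif acl not in acls:
                findings.append(("medium", f"community '{name}' references ACL '{acl}', which is not defined"))
            continue
        m = HOST_RE.match(line)
        if m:
            host, version, level, _ = m.groups()
            if version != "3":
                findings.append(("low", f"trap receiver {host} does not use SNMPv3: no authentication or encryption"))
            elif level != "priv":
                findings.append(("low", f"trap receiver {host} uses SNMPv3 without priv: traps are not encrypted"))
            continue
        seen_location |= line.startswith("snmp-server location ")
        seen_contact |= line.startswith("snmp-server contact ")
    if not seen_location:
        findings.append(("info", "no snmp-server location configured (step 2)"))
    if not seen_contact:
        findings.append(("info", "no snmp-server contact configured (step 3)"))
    return findings


# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community netmon RO 10
snmp-server community netmgmt RW NMS-ONLY
snmp-server location Lab rack 3
snmp-server contact noc@example.net
snmp-server host 192.0.2.100 version 2c netmon
snmp-server host 192.0.2.101 version 3 priv nmsuser
snmp-server enable traps config
access-list 10 permit 192.0.2.100
"""

if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity:<6}] {message}")
```

The only community in the sample that produces no finding is netmon: read-only, and restricted by access-list 10, which exists. A community whose ACL name is mistyped is reported as well, because on the device that typo silently leaves the community open to any source.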

Configuring SNMP
Verifying SNMP Configuration
Security Best Practices

NetFlow

NetFlow Operation
Introduction to NetFlow

Purpose of NetFlow
Most organizations use NetFlow for some or all of the following key data collection purposes:
• Efficiently measuring who is using what network resources for what purpose.
• Accounting and charging back according to the resource utilization level.
• Using the measured information to do more effective network planning so that resource allocation and deployment is well-aligned with customer requirements.
• Using the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements.

NetFlow Operation
Network Flows
NetFlow technology has seen several generations that provide more sophistication in defining traffic flows, but "original NetFlow" distinguished flows using a combination of seven key fields:
• Source and destination IP address
• Source and destination port number
• Layer 3 protocol type
• Type of service (ToS) marking
• Input logical interface
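The seven key fields listed above decide which packets are counted together as one flow. The following added Python example, not Cisco code and not part of the original slides, aggregates constructed packets by exactly that seven-field key and then ranks the resulting flows by bytes, the first view a collector usually presents. It goes slightly beyond the list by showing that a request and its reply land in two different flows, because the key is directional and the input interface differs; the packets, addresses and interface names are constructed.

```python
# Added example: aggregate packets into flows using the seven key fields of
# original NetFlow, then rank the flows. Not Cisco code; the packets are constructed.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int      # 0 for protocols without ports (e.g. ICMP)
    dst_port: int
    proto: int         # Layer 3 protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int           # Type of service byte
    in_if: str         # input logical interface
    length: int        # bytes, a non-key field that is accumulated per flow


FlowKey = Tuple[str, str, int, int, int, int, str]


def flow_key(p: Packet) -> FlowKey:
    """The seven key fields; packets that agree on all seven belong to one flow.
    Flows are unidirectional, so a reply travels in a different flow."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)


def aggregate(packets: List[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        rec = flows[flow_key(p)]
        rec["packets"] += 1
        rec["bytes"] += p.length
    return dict(flows)


def top_flows(flows: Dict[FlowKey, Dict[str, int]], n: int = 3) -> List[Tuple[FlowKey, int]]:
    """Flows ranked by bytes, the usual first view in a collector."""
    return sorted(((k, v["bytes"]) for k, v in flows.items()), key=lambda kv: kv[1], reverse=True)[:n]


def sample_packets() -> List[Packet]:
    """Constructed traffic: an HTTPS download, its return traffic, and a DNS lookup."""
    pkts = [Packet("192.0.2.10", "198.51.100.20", 51000, 443, 6, 0, "Gi0/1", 1500) for _ in range(10)]
    pkts += [Packet("198.51.100.20", "192.0.2.10", 443, 51000, 6, 0, "Gi0/2", 100) for _ in range(5)]
    pkts += [Packet("192.0.2.10", "192.0.2.53", 53000, 53, 17, 0, "Gi0/1", 80) for _ in range(2)]
    return pkts


if __name__ == "__main__":
    flows = aggregate(sample_packets())
    for key, total in top_flows(flows):
        src, dst, sport, dport, proto, tos, iface = key
        print(f"{src}:{sport} -> {dst}:{dport} proto={proto} tos={tos} in={iface} "
              f"packets={flows[key]['packets']} bytes={total}")
```

Seventeen packets collapse into three flow records, which is the data reduction that makes exporting flows to a collector cheaper than exporting packets; the per-flow packet and byte counters are what accounting and top-talker reports are built from.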

Configuring NetFlow
NetFlow Configuration Tasks

Examining Traffic Patterns
Verifying NetFlow
NetFlow Collector Functions
NetFlow Analysis with a NetFlow Collector

Summary
• NetFlow and its most recent iteration, Flexible NetFlow, provide a means of collecting IP operational data from IP networks.
• NetFlow provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting.
• NetFlow collectors provide sophisticated analysis options for NetFlow data.
• Syslog, SNMP, and NetFlow are the tools a network administrator uses in a modern network to manage the collection, display, and analysis of events associated with the networking devices.
• Syslog provides a rudimentary tool for collecting and displaying messages as they appear on a Cisco device console display.
• SNMP has a very rich set of data records and data trees to both set and get information from networking devices.