CCIE Enterprise Infrastructure v1.0.27.03.2020
Cisco Certified Internetwork Expert
Enterprise Infrastructure v1.0 (CCIE EI)
Orhan Ergun, CCIE #26567
Suraj Soni, CCIEx4 #39003 (R&S, Sec, SP & DC)
www.orhanergun.net
Course Content
• Module-1: Network Infrastructure
  • Chapter-1: Layer 2 Protocols
    • Layer 2 Protocols
    • VLAN Technology
    • EtherChannel
    • Spanning-Tree Protocol
    • Switch Administration
  • Chapter-2: Layer 3 Protocols
    • IPv6
      • IPv6 Basics
      • IPv6 Addressing
      • IPv6 Address Assignment
      • IPv6 Tunnelling
      • IPv6 Packet Types
    • EIGRP/EIGRPv6
      • Adjacency
      • Best Path Selection
      • EIGRP Load Balancing
      • EIGRP Optimization and Features
    • OSPF/OSPFv3
      • Adjacency
      • Network Types
      • Area Types
      • Path Preference
      • OSPF Optimization & Features
      • OSPF Operation
    • BGP
      • iBGP & eBGP Relationship
      • BGP Path Selection
      • BGP Path Attributes
      • BGP Communities
      • BGP Optimization
      • BGP Features
    • Layer 3 Features
      • VRF
      • VRF-Lite
      • Policy Based Routing
      • Bidirectional Forwarding Detection
  • Chapter-3: Multicast
    • Layer 2 Multicast
      • IGMPv2 & IGMPv3
      • IGMP Snooping
      • IGMP Querier
      • MLD
    • Layer 3 Multicast
      • PIM
      • Sparse Mode
      • RP Configuration
      • Bidirectional PIM
      • SSM
      • MSDP
      • PIMv6
      • PIMv6 Anycast RP
• Module-2: Transport Technology and Solutions
  • Chapter-1: MPLS
    • MPLS Basics
    • MPLS Operation
    • MPLS L3 VPN
    • PE-CE Routing
    • MP-BGP
    • VPNv4 Address Family
    • VPNv6 Address Family
    • VRF Route Leaking
  • Chapter-2: VPN
    • GRE VPN
    • Introduction to IPSEC Protocol
    • GRE Over IPSEC VPN
    • MGRE Over IPSEC
    • DMVPN
      • NHRP
      • DMVPN Phase I
      • DMVPN Phase II – EIGRP
      • DMVPN Phase III – EIGRP
      • DMVPN Phase II – OSPF
      • DMVPN Phase III – OSPF
      • DMVPN Phase III with Dual Hub
      • Troubleshooting DMVPN
    • IKEv2 VPN
      • Introduction to IKEv2
      • IKEv2 Configuration with Pre-Shared Key
    • Flex VPN
      • Introduction to Flex VPN
      • Introduction to D-VTI
      • Flex VPN Configuration
      • MPLS Over Flex VPN
• Module-3: Infrastructure Security and Services
  • Chapter-1: Device Security on Cisco IOS
    • AAA
    • Control Plane Policing
    • Switch Security
    • Router Security
    • IPv6 Security
    • IEEE 802.1x Authentication
  • Chapter-2: QoS
    • Layer 3 QoS using MQC
    • CoS and DSCP Mapping
    • Classification
    • Marking
    • NBAR
    • Policing and Shaping
    • Congestion Management and Avoidance
  • Chapter-3: Network Services
    • First Hop Redundancy Protocol
      • HSRP
      • VRRP
      • GLBP
      • IPv6 Redundancy
    • NTP
    • DHCP on Cisco IOS
      • DHCPv4
      • DHCP Options
      • SLAAC/DHCPv6
      • Stateful DHCPv6
    • NAT
      • Static NAT
      • Dynamic NAT
      • PAT
      • Policy Based NAT
      • VRF Aware NAT
      • NAT64
  • Chapter-4: Network Services / Operations
    • IP SLA
    • Netflow
    • SNMP
    • Syslog
    • Traffic Capture
    • IOS-XE Troubleshooting
• Module-4: Infrastructure Automation and Programmability
  • Chapter-1: Introduction to Python
    • Python Language Overview
    • Python Pexpect Library
    • The Python Paramiko Library
  • Chapter-2: Ansible Basics
    • Introduction to Ansible
    • The Advantage of Ansible
    • The Ansible Architecture
    • Ansible Networking Modules
    • Ansible with Cisco
  • Chapter-3: Ansible Advanced
    • Ansible Conditionals
    • Ansible Loops
    • Templates
    • Group and Host Variables
    • The Ansible include and roles
  • Chapter-4: Network Security with Python
    • Python Scapy
    • Access List with Ansible
    • Syslog
  • Chapter-5: Network Monitoring with Python
    • SNMP
    • Python Visualization
    • Python for Cacti
    • Flow Based Monitoring
  • Chapter-6: OpenFlow Basics
    • Introduction to OpenFlow
    • Mininet
    • Layer 2 OpenFlow switch
    • The POX Controller
  • Chapter-7: OpenStack, OpenDaylight and NFV
    • OpenStack
    • OpenDayLight
    • NFV
  • Chapter-8: Hybrid SDN
    • Making Network Ready
    • Controllers
    • Controller Redundancy
• Module-5: Software Defined Networking
  • Chapter-1: Cisco SD-WAN
    • Design Cisco SD-WAN
      • Introduction to Cisco SD-WAN
      • Control Plane
      • Management Plane
      • Data Plane
      • Orchestration Plane
      • OMP
      • TLOC
    • WAN Edge Deployment
      • Onboarding New Edge Router
      • Orchestration with Zero Touch Provisioning
      • Plug-n-Play
    • Configuration Template
    • Localized Policy
    • Centralized Policy
  • Chapter-2: Cisco SD-Access
    • Design a Cisco SD-Access
      • Introduction to Campus Network Fabric
      • Underlay and Overlay Network
      • Fabric Domains
    • SD-Access Deployment
      • DNA-Center Device Discovery
      • DNA-Center Device Management
      • Host Onboarding (Wired Host)
      • Fabric Border Handoff
    • Segmentation
      • Macro Level Segmentation using VNs
      • Introduction to Cisco ISE for SD-Access
      • DNA-Center and ISE Integration
      • Micro Level Segmentation using Cisco ISE
    • Assurance
      • Network and Client Health 360
      • Monitoring and Troubleshooting
Module-1: Network Infrastructure
Chapter-1: Basics of Networks
Network Device Communication
There used to be a variety of network protocols that were device specific or preferred; today, almost everything is based on Transmission Control Protocol/Internet Protocol (TCP/IP). It is important to note that TCP/IP is based on the conceptual Open Systems Interconnection (OSI) model, which is composed of seven layers.
Layer 2 Forwarding
• The second layer of the OSI model, the data link layer, handles addressing beneath the IP protocol stack so that communication is directed between hosts.
• Ethernet commonly uses media access control (MAC) addresses, and other data link layer protocols such as Frame Relay use an entirely different method of Layer 2 addressing.
Collision Domains
• Ethernet devices use Carrier Sense Multiple Access/Collision Detect (CSMA/CD) to ensure that only one device talks at a time in a collision domain.
Virtual LANs (VLANs)
Virtual LANs (VLANs) provide logical segmentation by creating multiple broadcast domains on the same network switch.
Access Port
• An access port is assigned to only one VLAN.
Trunk Port
• Trunk ports can carry multiple VLANs.
• Upon receipt of the packet on the remote trunk link, the headers are examined, traffic is associated to the proper VLAN, then the 802.1Q headers are removed, and traffic is forwarded to the next port, based on the MAC address for that VLAN.
Native VLANs
• In the 802.1Q standard, any traffic that is advertised or received on a trunk port without the 802.1Q VLAN tag is associated to the native VLAN.
• The default native VLAN is VLAN 1.
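The trunk receive path described on the two slides above (examine the header, associate the frame with its tagged VLAN or with the native VLAN when no tag is present, strip the 802.1Q header), as an added Python example that is not part of the deck. The frame builder, MAC addresses and payloads are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100
DEFAULT_NATIVE_VLAN = 1   # 802.1Q default native VLAN, as the slide states


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def build_frame(dst: str, src: str, vid, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Construct a sample frame (test input); vid=None produces an untagged frame."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_trunk_frame(frame: bytes, native_vlan: int = DEFAULT_NATIVE_VLAN) -> dict:
    """Classify one frame received on an 802.1Q trunk and strip the tag.

    Returns the MACs, the VLAN the frame belongs to, whether a tag was present,
    and the frame with the 802.1Q header removed (ready to be forwarded on that
    VLAN's MAC table, as the Trunk Port slide describes).
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_8021Q:
        # No tag at all: 802.1Q assigns the frame to the trunk's native VLAN.
        return {"dst": mac_str(dst), "src": mac_str(src), "vlan": native_vlan,
                "tagged": False, "pcp": 0, "ethertype": ethertype,
                "untagged_frame": frame}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF            # 12-bit VLAN identifier
    pcp = tci >> 13               # 3-bit priority code point
    # VID 0 is a "priority tag": it carries a PCP but names no VLAN, so the
    # frame also lands in the native VLAN.
    vlan = native_vlan if vid == 0 else vid
    # Rebuild the untagged frame: both MACs, then the inner EtherType and payload.
    untagged = frame[:12] + frame[16:]
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "tagged": vid != 0, "pcp": pcp, "ethertype": inner_type,
            "untagged_frame": untagged}


def count_native_vlan_frames(frames, native_vlan: int = DEFAULT_NATIVE_VLAN) -> int:
    """Count frames a trunk would place into its native VLAN; useful when auditing a
    trunk whose native VLAN is expected to carry no user traffic."""
    return sum(1 for f in frames
               if parse_trunk_frame(f, native_vlan)["vlan"] == native_vlan)
```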
Layer 3 Forwarding
• Now that we have looked at the mechanisms of a switch and how it forwards Layer 2 traffic, let’s review the process for forwarding a packet from a Layer 3 perspective:
• Forwarding traffic to devices on the same subnet
• Forwarding traffic to devices on a different subnet
Local Network Forwarding
• Two devices that reside on the same subnet communicate locally.
• As the data is encapsulated with its IP address, the device detects that the destination is on the same network.
Address Resolution Protocol
• The Address Resolution Protocol (ARP) table provides a method of mapping Layer 3 IP addresses to Layer 2 MAC addresses by storing the IP address of a host and its corresponding MAC address.
Packet Routing
As the data is encapsulated with its IP address, a device detects that its destination is on a different network and must be routed.
The device checks its local routing table to identify its next-hop IP address, which may be learned in one of several ways:
Routing Mechanisms
• From a static route entry, it can get the destination network, subnet mask, and next-hop IP address.
• A default-gateway is a simplified static default route that just asks for the local next-hop IP address for all network traffic.
• Routes can be learned from routing protocols.
IP Address Assignment
• Initially, TCP/IP was used with IPv4 and its 32-bit network addresses.
• The number of devices using public IP addresses has increased at an exponential rate and depleted the number of publicly available IP addresses.
IP Address Exhaustion
• To deal with the growing demand for addresses, a second standard, called IPv6, was developed in 1998; it provides 128 bits for addressing.
FORWARDING ARCHITECTURES
• The first Cisco routers would receive a packet, remove the Layer 2 information, and verify that the route existed for the destination IP address.
Forwarding Architecture
• Advancements in technologies have streamlined the process so that routers do not remove and add the Layer 2 addressing but simply rewrite the addresses.
Forwarding Architecture
• When the first Cisco routers were developed, they used a mechanism called process switching to switch the packets through the routers.
Process Switching
• Process switching, also referred to as software switching or slow path, is a switching mechanism in which the general-purpose CPU on a router is in charge of packet switching.
Cisco Express Forwarding
Ternary Content Addressable Memory (TCAM)
• A switch’s ternary content addressable memory (TCAM) allows for the matching and evaluation of a packet on more than one field.
• The TCAM entries are stored in Value, Mask, and Result (VMR) format.
• The value indicates the fields that should be searched, such as the IP address and protocol fields.
• The mask indicates the field that is of interest and that should be queried.
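An added Python model of the VMR lookup described above, not code from the deck: ACL-style rules are compiled into value/mask pairs over a concatenated packet key, and the first entry whose masked bits equal the key returns its result. The key layout, field widths and rule set are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed search-key layout (bit positions chosen for this example):
# src IPv4 (32) | dst IPv4 (32) | IP protocol (8) | destination L4 port (16)
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT, PORT_SHIFT = 56, 24, 16, 0


@dataclass(frozen=True)
class TcamEntry:
    value: int    # bits the packet key must equal, within the masked fields
    mask: int     # 1 = compare this bit, 0 = don't care (the "ternary" state)
    result: str   # action or pointer handed back on a match


def pack_key(src_ip: str, dst_ip: str, proto: int, dst_port: int) -> int:
    """Concatenate the packet fields into the single key the TCAM is searched with."""
    return ((int(ipaddress.IPv4Address(src_ip)) << SRC_SHIFT)
            | (int(ipaddress.IPv4Address(dst_ip)) << DST_SHIFT)
            | ((proto & 0xFF) << PROTO_SHIFT)
            | ((dst_port & 0xFFFF) << PORT_SHIFT))


def make_entry(result: str, src: Optional[str] = None, dst: Optional[str] = None,
               proto: Optional[int] = None, dport: Optional[int] = None) -> TcamEntry:
    """Compile an ACL-style rule into VMR form. A None field is fully wildcarded (mask 0)."""
    value = mask = 0
    for cidr, shift in ((src, SRC_SHIFT), (dst, DST_SHIFT)):
        if cidr is not None:
            net = ipaddress.IPv4Network(cidr, strict=False)
            value |= int(net.network_address) << shift
            mask |= int(net.netmask) << shift          # prefix length becomes the mask
    if proto is not None:
        value |= (proto & 0xFF) << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    if dport is not None:
        value |= (dport & 0xFFFF) << PORT_SHIFT
        mask |= 0xFFFF << PORT_SHIFT
    return TcamEntry(value, mask, result)


def tcam_lookup(entries: List[TcamEntry], key: int, default: str = "deny (implicit)") -> str:
    """Hardware compares every entry in parallel; the lowest-index hit wins, so order matters."""
    for entry in entries:
        if key & entry.mask == entry.value:
            return entry.result
    return default


def matching_entries(entries: List[TcamEntry], key: int) -> List[int]:
    """Indexes of every entry that would hit; entries after the first are shadowed for this key."""
    return [i for i, e in enumerate(entries) if key & e.mask == e.value]


# Constructed sample rule set in priority order.
SAMPLE_ACL = [
    make_entry("deny telnet", dst="10.0.0.0/8", proto=6, dport=23),
    make_entry("permit https", dst="10.1.1.1/32", proto=6, dport=443),
    make_entry("permit any to 10.1.0.0/16", dst="10.1.0.0/16"),
]
```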
Software CEF
Hardware CEF
• The ASICs in hardware-based routers are expensive to design, produce, and troubleshoot.
• ASICs allow for very high packet rates, but the trade-off is that they are limited in their functionality because they are hardwired to perform specific tasks.
Chapter-2: Spanning-Tree Protocol
Spanning-Tree Protocol
• Spanning tree is a control plane mechanism for Ethernet. It is used to create a Layer 2 topology (a tree) by placing the root switch on top of the tree.
STP Modes
• 802.1D, which is the original specification
• Per-VLAN Spanning Tree (PVST)
• Per-VLAN Spanning Tree Plus (PVST+)
• 802.1W Rapid Spanning Tree Protocol (RSTP)
• 802.1S Multiple Spanning Tree Protocol (MST)
IEEE 802.1D STP
• The original version of STP comes from the IEEE 802.1D standard and provides support for ensuring a loop-free topology for one VLAN.
802.1D Port States
• In the 802.1D STP protocol, every port transitions through the following states:
• Disabled
• Blocking
• Listening
• Learning
• Forwarding
• Broken
STP Terminologies:
• Root Bridge
• Bridge Protocol Data Unit (BPDU)
• Topology Change Notification (TCN)
• Root Path Cost
• System Priority
• System-ID Extension
• Max Age Timer
• Hello Timer
• Forward Delay
Spanning-Tree Path Cost
Link Speed   Short-Mode STP Cost   Long-Mode STP Cost
10 Mbps      100                   2,000,000
100 Mbps     19                    200,000
1 Gbps       4                     20,000
10 Gbps      2                     2,000
20 Gbps      1                     1,000
100 Gbps     1                     200
1 Tbps       1                     20
10 Tbps      1                     2
STP Topology
Root Bridge Election
STP Topology Changes
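The election and root-path-cost computation the three slides above illustrate, as an added Python example that is not part of the deck: a bridge ID is built from System Priority, System-ID Extension and MAC, the lowest ID becomes the Root Bridge, and each bridge's Root Path Cost is the cheapest sum of long-mode costs from the table. Switch names, MACs and link speeds are constructed for the example.

```python
import heapq

# Long-mode STP path cost by link speed in Mbps, taken from the slide's table.
LONG_MODE_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000,
                  20_000: 1_000, 100_000: 200, 1_000_000: 20, 10_000_000: 2}


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority (multiples of 4096), 12-bit system-ID
    extension (the VLAN number under per-VLAN STP), then the 48-bit bridge MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("system-ID extension must be a valid VLAN number")
    return ((priority | vlan) << 48) | int(mac.replace(":", ""), 16)


def build_tree(bridges: dict, links: list, vlan: int):
    """Elect the root (lowest bridge ID) and compute every bridge's root path cost.

    bridges: name -> (priority, mac); links: (name_a, name_b, speed_mbps).
    Returns (root, {bridge: (root_path_cost, root_port_neighbor)}). Equal costs
    are broken by the lower upstream bridge ID, as the BPDU comparison does.
    """
    ids = {name: bridge_id(prio, vlan, mac) for name, (prio, mac) in bridges.items()}
    root = min(ids, key=ids.get)
    adj = {name: [] for name in bridges}
    for a, b, mbps in links:
        cost = LONG_MODE_COST[mbps]
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, None)}                 # bridge -> (root path cost, upstream bridge)
    heap = [(0, ids[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                          # stale heap entry
        for neighbor, link_cost in adj[node]:
            if neighbor == root:
                continue
            candidate = (cost + link_cost, ids[node])
            current = best.get(neighbor)
            if current is None or candidate < (current[0], ids[current[1]]):
                best[neighbor] = (cost + link_cost, node)
                heapq.heappush(heap, (cost + link_cost, ids[node], neighbor))
    return root, best


# Constructed sample topology: SW2 has the lowest priority and must win the election.
SAMPLE_BRIDGES = {"SW1": (32768, "0c:00:00:00:00:01"),
                  "SW2": (4096, "0c:00:00:00:00:02"),
                  "SW3": (32768, "0c:00:00:00:00:03")}
SAMPLE_LINKS = [("SW1", "SW2", 1_000), ("SW2", "SW3", 10_000), ("SW1", "SW3", 100)]

if __name__ == "__main__":
    root, tree = build_tree(SAMPLE_BRIDGES, SAMPLE_LINKS, vlan=10)
    print("root:", root)
    for name, (cost, upstream) in sorted(tree.items()):
        print(f"{name}: root path cost {cost}, root port towards {upstream}")
```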
RAPID SPANNING TREE PROTOCOL
• 802.1D did a decent job of preventing Layer 2 forwarding loops, but it used only one topology tree, which introduced scalability issues.
• PVST and PVST+ were proprietary spanning-tree protocols. The concepts in these protocols were incorporated with other enhancements to provide faster convergence into the IEEE 802.1W specification, known as Rapid Spanning Tree Protocol (RSTP).
RSTP (802.1W) Port States
RSTP (802.1W) Port Types
• RSTP defines three types of ports that are used for building the STP topology:
• Edge port
• Root port
• Point-to-point port
MST (Multiple Instance Spanning-Tree)
• In environments with thousands of VLANs, maintaining an STP state for all the VLANs can become a burden to the switch’s processors.
• MST provides a blended approach by mapping one or multiple VLANs onto a single STP tree, called an MST instance (MSTI).
MST Region Boundary
• The topology for all the MST instances is contained within the IST, which operates internally to the MST region.
• MSTIs never interact outside the region.
• Propagating the CST (derived from the IST) at the MST region boundary involves a feature called the PVST simulation mechanism.
Chapter-2: EtherChannel
EtherChannel Bundle
• An EtherChannel bundle is used to bundle multiple physical links into one single logical link. This combines the bandwidth of the member interfaces and prevents STP from blocking interfaces between the switches, as the bundle is treated as one single logical interface.
Dynamic Link Aggregation Protocols
• LACP (Link Aggregation Control Protocol)
• PAgP (Port Aggregation Protocol)
PAgP Port Modes
• PAgP advertises messages with the multicast MAC address 0100:0CCC:CCCC and the protocol code 0x0104. PAgP can operate in two modes:
• Auto
• Desirable
LACP Port Modes
• LACP advertises messages with the multicast MAC address 0180:C200:0002. LACP can operate in two modes:
• Passive
• Active
EtherChannel Configuration
• EtherChannel can be configured in the following ways:
• Static EtherChannel
• LACP EtherChannel
• PAgP EtherChannel
Load Balancing Traffic with EtherChannel Bundles
• src-ip
• dst-ip
• src-mac
• dst-mac
• src-mixed-ip-port
• dst-mixed-ip-port
• src-port
• dst-port
• src-dst-ip
• src-dest-ip-only
• src-dst-mac
• src-dst-mixed-ip-port
• src-dst-port
Module-2: Layer 3 Protocols
Chapter-1: IPv6
Reaching the next billion
• Around 4.157 billion Internet users now
• Around 54.4% of all people in the world
• Mobile phones are Internet devices
IP Address Distribution
IPv6 Address Basics
• IPv6 address: 128 bits
• 32 bits in IPv4
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
2001:db8:3e:ef11:0:0:c100:4d
IPv6 Subnetting
Multiple address types
Addresses        Ranges         Scope
Unspecified      ::/128         n/a
Loopback         ::1            host
IPv4-Embedded    64:ff9b::/96   n/a
Discard-Only     100::/64       n/a
Link Local       fe80::/10      link
Global Unicast   2000::/3       global
Unique Local     fc00::/7       global
Multicast        ff00::/8       variable
IPv6 Address Scope
IPv6 Protocol Functions
• Address Autoconfiguration
- Supported by Neighbor Discovery
- Stateless - with SLAAC
- Stateful - with DHCPv6
The Autoconfiguration Process
1. Make a Link-Local address
2. Check for duplicates on the link
3. Search for a router
4. Make a Global Unicast address
Making a Link-Local Address
Checking for Duplicates
Searching for Routers
Stateless Address Auto-Configuration
• The Router Advertisement message tells the host:
• Router’s address
• Zero or more link prefixes
• SLAAC allowed (yes/no)
• DHCPv6 options
• MTU size (optional)
Interfaces will have multiple addresses
• Unicast
• Link Local - fe80::5a55:caff:fef6:bdbf/64
• Global Unicast - 2001::5a55:caff:fef6:bdbf/64 (multiple)
• Multicast
• All Nodes - ff02::1 (scope: link)
• Solicited Node - ff02::1:fff6:bdbf (scope: link)
• Router
• All Routers - ff02::2 (scope: link)
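The derivations behind the Address Notation slide and the interface-address list above, as an added Python example rather than code from the deck: the EUI-64 link-local and global addresses, the solicited-node group shared by both, and the two shortened notations. The MAC 58:55:ca:f6:bd:bf is the one implied by the slide's sample addresses; the /64 prefix is the slide's 2001::/64.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02                      # 58 -> 5a in the slide's example
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 interface ID (step 1 of the autoconfiguration process)."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address: a /64 prefix learned from an RA plus the EUI-64 ID (step 4)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + packed[13:])


def drop_leading_zeros(addr: str) -> str:
    """The slide's shorter notation: each 16-bit group without leading zeros, no '::'."""
    groups = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(format(int(g, 16), "x") for g in groups)


def compress(addr: str) -> str:
    """RFC 5952 form: leading zeros dropped and the longest run of zero groups as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def interface_addresses(mac: str, prefixes) -> dict:
    """Every address one interface ends up with, as on the 'multiple addresses' slide."""
    link_local = link_local_from_mac(mac)
    global_addrs = [global_from_mac(p, mac) for p in prefixes]
    return {
        "link_local": str(link_local),
        "global": [str(g) for g in global_addrs],
        "all_nodes": "ff02::1",
        # all EUI-64 addresses of the interface share a single solicited-node group
        "solicited_node": sorted({str(solicited_node(a)) for a in [link_local, *global_addrs]}),
    }
```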
Verifying Reachability
IPv6 Header
Fragmentation
• If a packet is too big for next hop:
• “Packet too big” error message
• This is an ICMPv6 message
• Filtering ICMPv6 causes problems
Path MTU Discovery
• A sender who gets this “message-too-big” ICMPv6 error tries again with a smaller packet
• A hint of the size is in the error message
• This is called Path MTU Discovery
Broadcast
• IPv6 has no broadcast
• There is an “all nodes” multicast group
- ff02::1
• Disadvantage of broadcast
• It wakes up all nodes
• Only a few devices are involved
• Can create broadcast storms
Neighbor Discovery
• IPv6 has no ARP
• Every ARP request wakes up every node
• Each ND request only wakes up a few nodes
• ND uses 5 different ICMPv6 packet types
• ND is used by nodes:
• For address resolution
DHCPv6
MLD
• Multicast Listener Discovery (MLD) is an important component of IPv6
• IPv6 routers use MLD to discover multicast listeners on a directly attached link, similar to IGMP in IPv4
Transitioning: Solving Two Problems
• Maintaining connectivity to IPv4 hosts by sharing IPv4 addresses between clients
• Extending the address space with NAT/CGN/LSN
• Translating between IPv6 and IPv4
6in4
• Manually configured tunnels towards a fixed tunnel broker like Hurricane Electric or your own system
• Stable and predictable but not easily deployed to the huge residential markets
6RD
• Encodes the IPv4 address in the IPv6 prefix
• Uses address space assigned to the operator
• The operator has full control over the relay
• Traffic is symmetric across a relay
• Can work with both public and private IPv4 space
• Needs additional software for signalling
NAT64 / DNS64
• Single-stack clients will only have IPv6
• Translator box will strip all headers and replace them with IPv4
• Usually implies address sharing on IPv4
Best Transition Mechanism?
IPv6 Transition Mechanisms – Dual-Stack
• Many people state that IPv6 dual stack is the best transition method. Is dual stack really the best deployment method?
• Dual stack is native IPv6 and IPv4 service; it was first defined in RFC 2893.
• It means having IPv6 and IPv4 at the hosts, network, operation/support tools, content and the application.
• IPv4 applications use the IPv4 stack, and IPv6 applications use the IPv6 stack.
• Since the entire network will have both IPv4 and IPv6, IPv4 can be removed when needed without causing downtime.
• Network, applications, services, CPE and access networks need to run both IPv4 and IPv6.
Chapter-2: EIGRP
Introduction
• Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance vector routing protocol commonly used in enterprise networks.
• Initially, it was a Cisco proprietary protocol, but it was released to the Internet Engineering Task Force (IETF) through RFC 7868, which was ratified in May 2016.
EIGRP FUNDAMENTALS
• EIGRP overcomes the deficiencies of other distance vector routing protocols like RIP with features such as unequal-cost load balancing, support for networks 255 hops away, and rapid convergence features.
Packets
Type | Packet Name | Function
1 | Hello | Used for discovery of EIGRP neighbors and for detecting when a neighbor is no longer available
EIGRP Terminology
• Computed Distance (CD)
  – composite metric of the whole path
• Advertised Distance (AD) or Reported Distance (RD)
  – composite metric of the best path from the neighbor’s perspective
• Feasible Distance (FD)
  – the lowest value of CD of the best path since the last transition from Active to Passive. Note: it does not always equal the CD of the best path
• Feasible Successor (FS)
  – a path that meets the Feasibility Condition (FC), guaranteed to be loop-free by DUAL
• Feasibility Condition (FC)
  – RD of the candidate path < FD
• Successor (S)
  – the FS with the lowest CD
Topology Table
• EIGRP contains a topology table that makes it different from a “true” distance vector routing protocol.
• The topology table contains the following:
• Network prefix
• EIGRP neighbours that have advertised that prefix
• Metrics from each neighbour (for example, reported distance, hop count)
• Values used for calculating the metric (for example, load, reliability, total delay, minimum bandwidth)
PATH METRIC CALCULATION
Timers
• Hello timer
• Default is 5 seconds (on multipoint) or 60 seconds (on p2p)
• Hold timer
• Default is 15 seconds (on multipoint) or 180 seconds (on p2p)
• Active timer
• Default is 3 minutes
• SIA retransmit timer
• Default is 90 seconds
Adjacency
• To establish adjacency the following parameters should match:
• AS number
• K-values
• Common subnet
• Authentication type/password
Passive interface
• You can stop processing and sending any EIGRP packets on an interface using the passive-interface feature.
Stuck in Active
ROUTE SUMMARIZATION
Unequal cost load balancing
• EIGRP supports unequal cost load balancing
• For the path to be eligible for load balancing, the path must be FS
• Also the metric of the path must follow this inequality:
• CD of FS <= CD of S x Variance
Re-convergence
• If we lose Successor, two scenarios are possible:
• If there is no FS:
• The route goes to Active state
• Router sends QUERY to all neighbors
• During QUERY the route is frozen in RIB/topology table
• Local computation of FS/S is done after we receive REPLY for all queries
Re-convergence
• If there is FS:
• FS with the lowest CD becomes Successor*
• The route stays passive
• Results in sub-second convergence
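The DUAL terms from the EIGRP Terminology slide, the variance inequality from the unequal-cost load balancing slide, and the two re-convergence cases just above, worked through in an added Python example that is not from the deck. It assumes a simplified additive metric (neighbor's RD plus a per-link cost) and constructed neighbor values, so the numbers illustrate the selection logic rather than the composite-metric formula.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    rd: int      # Reported/Advertised Distance: the neighbor's own metric to the prefix
    link: int    # metric added by the link from this router to that neighbor (assumed additive)

    @property
    def cd(self) -> int:
        """Computed Distance of the whole path through this neighbor."""
        return self.rd + self.link


def successor(paths: List[Candidate]) -> Candidate:
    """Successor: the path with the lowest CD (neighbor name only breaks exact ties)."""
    return min(paths, key=lambda p: (p.cd, p.neighbor))


def feasible_successors(paths: List[Candidate], fd: int) -> List[Candidate]:
    """Feasibility Condition: RD of the candidate < FD. Such paths are loop-free by DUAL."""
    s = successor(paths)
    return [p for p in paths if p is not s and p.rd < fd]


def load_balanced_paths(paths: List[Candidate], variance: int,
                        fd: Optional[int] = None) -> List[Candidate]:
    """Unequal-cost load balancing: the successor plus every FS with CD <= CD(S) * variance.
    fd defaults to the successor's CD, its value right after a transition to Passive."""
    s = successor(paths)
    fd = s.cd if fd is None else fd
    return [s] + [p for p in feasible_successors(paths, fd) if p.cd <= s.cd * variance]


def variance_needed(paths: List[Candidate], fs: Candidate) -> int:
    """Smallest integer variance that lets the given feasible successor carry traffic."""
    return math.ceil(fs.cd / successor(paths).cd)


def lose_successor(paths: List[Candidate], fd: int) -> Tuple[str, Optional[Candidate]]:
    """Re-convergence when the successor is lost: with an FS the route stays Passive and the
    best FS becomes the successor; with none it goes Active and QUERYs go to all neighbors."""
    fs = feasible_successors(paths, fd)
    if fs:
        return "passive", min(fs, key=lambda p: (p.cd, p.neighbor))
    return "active", None


# Constructed sample: three neighbors advertising the same prefix.
SAMPLE_PATHS = [
    Candidate("R2", rd=1000, link=500),    # CD 1500: successor, FD becomes 1500
    Candidate("R3", rd=1200, link=2000),   # CD 3200, RD 1200 < 1500: feasible successor
    Candidate("R4", rd=1600, link=100),    # CD 1700 but RD 1600 >= 1500: fails the FC
]
```

R4 shows the point the FC exists for: its CD is lower than R3's, yet it cannot be used because its RD is not below the FD, so DUAL cannot prove it loop-free.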
Re-convergence – Query/Reply
• Query checks if neighbors have FS/S
• Query also informs neighbors about the lost path (poisons it with an infinite metric) and they remove this path from the topology table
• Conditions to send a REPLY to a received QUERY:
• If we have a Successor, reply with the metric of the Successor
• If the route is already in Active state, reply with infinite metric
• If this route is NOT in the topology table, reply with infinite metric
Stub router
• You can mark non-transit routers as “stub”, so queries are not sent to them.
• Default is connected + summary
• An argument indicates which routes a stub router will send to its neighbors
• Using the leak-map keyword you can leak any route in the topology table
Named mode
Named mode – Exclusive features
• Wide metrics
• HMAC-SHA authentication
• Add-path
• Disabling EIGRP on specific interface
• Default interface settings (af-interface default)
• Unique IPv6 behaviour
• Default tagging all internal and external routes
• Over the Top (OTP) – not covered in this presentation
• Stub site (IWAN) – not covered in this presentation
Chapter-3: EIGRPv6
Chapter-4: OSPF
Introduction
• OSPF is a link state routing protocol.
• OSPF is a non-proprietary Interior Gateway Protocol (IGP) that overcomes the deficiencies of other distance vector routing protocols and distributes routing information within a single OSPF routing domain.
Versions of OSPF
• OSPF Version 2 (OSPFv2)
• OSPF Version 3 (OSPFv3)
OSPF FUNDAMENTALS
• OSPF sends to neighboring routers link-state advertisements (LSAs) that contain the link state and link metric.
SPF Calculation
Inter-Router Communication
• OSPF runs directly over IPv4, using its own IP protocol number, 89.
• AllSPFRouters: IPv4 address 224.0.0.5 or MAC address 01:00:5E:00:00:05. All routers running OSPF should be able to receive these packets.
• AllDRouters: IPv4 address 224.0.0.6 or MAC address 01:00:5E:00:00:06. Communication with designated routers (DRs) uses this address.
OSPF Packet Types
OSPF Hello Packets
OSPF Neighbor States
• Down State:
• At this point both routers have no information about each other.
• In this stage OSPF learns about the local interfaces which are configured to run the OSPF instance.
OSPF Neighbor States
• Attempt/Init state:
• Neighborship building process starts from this state.
• This hello packet contains the Router ID and some essential configuration values such as area ID, hello interval, hold down timer, stub flag and MTU.
OSPF Neighbor States
• ExStart state:
• This is the first state in forming an adjacency
• Routers identify which router will be the master or slave for the LSDB synchronization.
OSPF Neighbor States
• Exchange state:
• During this state, routers are exchanging link states by using DBD packets.
OSPF Neighbor States
• Loading state:
• LSR packets are sent to the neighbor, asking for the more recent LSAs that have been discovered (but not received) in the Exchange state.
OSPF Neighbor States
• Full state:
• Neighboring routers are fully adjacent.
DR/BDR
DR/BDR Election
The DR/BDR election takes place in the following way:
• Priority
• Router-ID
  • Statically configured
  • Highest loopback IP address
  • Highest interface IP address
Link Cost
OSPF Network Types
Type | Description | DR/BDR Field | Timers
Broadcast | Default setting on OSPF-enabled Ethernet links. | Yes | Hello: 10, Wait: 40, Dead: 40
Non-broadcast | Default setting on OSPF-enabled Frame Relay main interfaces or Frame Relay multipoint sub-interfaces. | Yes | Hello: 30, Wait: 120, Dead: 120
Point-to-point | Default setting on OSPF-enabled Frame Relay point-to-point sub-interfaces. | No | Hello: 10, Wait: 40, Dead: 40
Point-to-multipoint | Not enabled by default on any interface type. The interface is advertised as a host route (/32) and the next-hop address is set to the outbound interface. Primarily used for hub-and-spoke topologies. | No | Hello: 30, Wait: 120, Dead: 120
Broadcast
Point-to-Point Networks
Point-to-Multipoint Networks
• No automatic neighbor discovery, so you need to configure OSPF neighbors yourself!
• No DR/BDR election, since OSPF sees the network as a collection of point-to-point links.
• Only a single IP subnet is used in the topology above.
Areas
Multi Area
OSPF Route Types
• Network routes that are learned from other OSPF routers within the same area are known as intra-area routes.
• Network routes that are learned from other OSPF routers from a different area using an ABR are known as interarea routes.
LINK-STATE Advertisement Types
LSA Sequences
• OSPF uses the sequence number to overcome problems caused by delays in LSA propagation in a network.
• The LSA sequence number is a 32-bit number for controlling versioning.
LSA Type 1: Router Link
• Every OSPF router advertises a type 1 LSA.
• Type 1 LSAs are the essential building blocks within the LSDB.
• A type 1 LSA entry exists for each OSPF-enabled link (that is, every interface and its attached networks).
LSA Type 2: Network Link
• A type 2 LSA represents a multi-access network segment that uses a DR.
• The DR always advertises the type 2 LSA and identifies all the routers attached to that network segment.
LSA Type 3: Summary Link
• Type 3 LSAs represent networks from other areas.
• The role of the ABRs is to participate in multiple OSPF areas and ensure that the networks associated with type 1 LSAs are reachable in the non-originating OSPF areas.
LSA Type 4: ASBR Summary Link
• A type 4 LSA is generated by an ABR and contains reachability information about the ASBR.
• This LSA is flooded only outside the area, along with LSA3.
LSA Type 5: AS External LSA
• A type 5 LSA is generated by an ASBR and contains the reachability information about the external prefixes.
• The scope of this LSA is the entire OSPF domain.
LSA Type 7: NSSA External LSA
• A type 7 LSA is generated by an ASBR that resides in an NSSA area.
• The scope of this LSA is limited to the NSSA area type only.
• This LSA is converted back to a type 5 LSA on the ABR.
LSA Summarized
LSA | Generated By | Information | Scope
LSA1 | All Routers | Local Information | Within Area
LSA2 | DR | Network Information | Within Area
LSA3 | ABR | Summarized information of LSA 1 and LSA 2 | Across the Areas
LSA4 | ABR | Reachability information about ASBR | OSPF Domain (except the area where the ASBR is connected)
LSA5 | ASBR | Reachability information about external routes | OSPF Domain
LSA7 | ASBR (part of NSSA area) | Reachability information about external routes | NSSA/Totally NSSA Area
OSPF Area Types
• There are Special types of Areas:
• Stub Area
• Totally Stub Area
• NSSA Area
• Totally NSSA Area
Stub Area
• This is a special type of OSPF area.
• This OSPF area is used to filter OSPF LSA type 5 and type 4.
• This area is mainly used to filter external route information; the ABR of
this area injects a default route into the area to maintain
reachability to external routes.
Totally Stub Area
• This is a special type of OSPF area.
• This OSPF area is used to filter OSPF LSA type 5, type 4 and type 3.
• This area type is an extension of the stub area: a stub area can be extended to
filter type 3 LSAs as well, along with type 4 and 5.
Not So Stubby Area
• This OSPF area is used to filter OSPF LSA type 5 and type 4.
• No default route is injected.
• This area type is used when type 5 and 4 LSAs coming from another area need
to be filtered, while external routes that are originated locally need to be
permitted.
Totally Not So Stubby Area
• This OSPF area is used to filter OSPF LSA type 5, type 4 and type 3.
• This area type is used when type 5, 4 and 3 LSAs coming from another area need
to be filtered, while external routes that are originated locally need to be
permitted.
• A default route is injected into this area type.
Area Types Summarized
LSA Types     | Standard Area | Stub Area | Totally Stub Area | NSSA | Totally NSSA
LSA 1         | Yes           | Yes       | Yes               | Yes  | Yes
LSA 2         | Yes           | Yes       | Yes               | Yes  | Yes
LSA 3         | Yes           | Yes       | Yes               | Yes  | No
LSA 4         | Yes           | No        | No                | No   | No
LSA 5         | Yes           | No        | No                | No   | No
LSA 7         | No            | No        | No                | Yes  | Yes
Default Route | No            | Yes       | Yes               | No   | Yes
Chapter-5: OSPFv3
IPv6 Routing Protocols
• OSPFv3 operates very similarly to OSPFv2: both are link-state protocols, and other things
are similar as well, such as the LSA flooding rules, the LSA aging mechanisms, and the
interface types (broadcast, point-to-point, point-to-multipoint, among others)
• Both OSPFv2 and OSPFv3 have two levels of hierarchy (Backbone and Non-
Backbone Areas)
• OSPFv2 only supports IPv4, but OSPFv3 supports both IPv4 and IPv6
OSPF for IPv6 (OSPFv3)
• OSPFv3 keeps prefix information separate from topology information; thus, adding a
loopback interface, for example, doesn't trigger a full SPF run, as it doesn't change
the topology of the network
• Prefixes are now advertised in type 9 LSAs, and the link-local addresses
that are used for next hops are advertised in type 8 LSAs
• Type 8 LSAs are only flooded on the local link; type 9 LSAs are flooded
within the area.
• OSPFv3 router IDs are not IPv4 addresses; they are merely unique 32-
bit identifiers expressed in the familiar dotted-decimal notation
Chapter-6: BGP
Autonomous System (AS)
[Figure: AS 100 peering with AS 1 and AS 2. The routing flow is shown as announcements that each side announces and accepts; the ingress packet flow is shown alongside it.]
Interior vs. Exterior Routing Protocols
• Interior
• Automatic discovery
• Generally trust your IGP routers
• Routes go to all IGP routers
• Exterior
• Specifically configured peers
• Connecting with outside networks
• Set administrative boundaries
BGP Basics
• Terminology
• Protocol Basics
• Messages
• General Operation
• Peering relationships (EBGP/IBGP)
• Originating routes
Terminology
• Neighbor
• Configured BGP peer
• NLRI/Prefix
• NLRI - network layer reachability information
• Reachability information for an IP address & mask
• Router-ID
• Highest IP address configured on the router
• Route/Path
• NLRI advertised by a neighbor
Protocol Basics
[Figure: Peering between AS 100 (routers A and B) and AS 101 (routers C and D).]
BGP Peers
[Figure: AS 100 (routers A and B, 110.110.0.0/24), AS 101 (routers C and D, 110.110.1.0/24) and AS 102 (router E, 110.110.2.0/24), connected by eBGP TCP/IP peer connections.]
• BGP speakers are called peers
• Peers in different AS's are called External Peers
• Note: eBGP peers normally should be directly connected.
[Figure: BGP Update messages carrying NLRI between AS 100 (routers A and B, 110.110.0.0/24) and AS 101 (routers C and D, 110.110.1.0/24).]
BGP Updates — NLRI
• Network Layer Reachability Information
• Used to advertise feasible routes
• Composed of:
• Network Prefix
• Mask Length
BGP Updates — Attributes
• Used to convey information associated with NLRI
• AS path
• Next hop
• Local preference
• Multi-Exit Discriminator (MED)
• Community
• Origin
• Aggregator
AS-Path Attribute
• Sequence of ASes a route has traversed
• Loop detection
• Apply policy
[Figure: AS 100 originates 130.10.0.0/16, AS 200 originates 120.10.0.0/16, AS 400 originates 110.10.0.0/16; AS 300 sits between them and AS 500.]
Paths advertised by AS 300:
Network         Path
130.10.0.0/16   300 200 100
120.10.0.0/16   300 200
Paths seen at AS 500:
Network         Path
130.10.0.0/16   300 200 100
120.10.0.0/16   300 200
110.10.0.0/16   300 400
Next Hop Attribute
• Next hop to reach a network
• Usually a local network is the next hop in an eBGP session
[Figure: Router A in AS 100 (130.10.0.0/16) peers with router B in AS 200 (120.10.0.0/16) over 192.2.2.0/30 (A = .1, B = .2). Router C in AS 200 peers with router D in AS 300 (110.10.0.0/16) over 192.1.1.0/30 (C = .1, D = .2); router E is also in AS 300. BGP Update messages carry the next hop with the route.]
Network         Next-Hop     Path
130.10.0.0/16   192.2.2.1    100
Next Hop Attribute (more)
• IGP should carry route to next hops
• Recursive route look-up
• Unlinks BGP from actual physical topology
• Allows IGP to make intelligent forwarding decision
BGP Routing Information Base
BGP RIB
Network Next-Hop Path
*>i120.10.1.0/24 192.20.2.2 i
*>i120.10.3.0/24 192.20.2.2 i
Types of BGP Messages
• OPEN
• To negotiate and establish peering
• UPDATE
• To exchange routing information
• KEEPALIVE
• To maintain peering session
• NOTIFICATION
• To report errors (results in session reset)
Internal BGP Peering (IBGP)
[Figure: AS 100 containing routers A, B, C and D connected by iBGP, with external peerings to AS 200 and AS 201.]
BGP Path Attributes: Why ?
• Encoded as Type, Length & Value (TLV)
• Transitive/Non-Transitive attributes
• Some are mandatory
• Used in path selection
• To apply policy for steering traffic
BGP Path Attributes...
• Origin
• AS-path
• Next-hop
• Multi-Exit Discriminator (MED)
• Local preference
• BGP Community
• Others...
AS-PATH
[Figure: AS-PATH attribute example.]
Local Preference
[Figure: AS 100 originates 110.10.0.0/16. AS 400 (routers A, B and C) learns it from AS 200 via router D with local preference 400 and from AS 300 via router E with local preference 700; the path with local preference 700 is selected (marked >).]
Multi-Exit Discriminator
• Non-transitive
• Represented as a numeric value (0-0xffffffff)
• Used to convey the relative preference of entry points
• Comparable if paths are from the same AS
• Path with lower MED wins
• IGP metric can be conveyed as MED
Multi-Exit Discriminator (MED)
[Figure: AS 301 advertises 192.168.1.0/24 to router C in AS 300 over two entry points, router A with MED 2000 and router B with MED 1000; the path with MED 1000 is preferred.]
Origin
Communities
• Transitive, Non-mandatory
• Represented as a numeric value (0-0xffffffff)
• Used to group destinations
• Each destination could be member of multiple
communities
• Flexibility to scope a set of prefixes within or
across AS for applying policy
Community...
[Figure: Customer AS 201 (routers A and B) advertises 192.68.10.0/24 to routers C and D, tagged with community 201:110 toward C and community 201:120 toward D.]
BGP Route Selection (bestpath)
Only one path is chosen as the bestpath!
• Largest weight
• Local to the router
• Locally sourced
• Via redistribute or network statement
BGP Route Selection ...
• Shortest AS-path length
• Number of ASes in the AS-path attribute
• Lowest origin
• IGP < EGP < INCOMPLETE
• Lowest MED
• Between paths from the same AS
• External over internal
• Closest exit from a router
• Closest next-hop
• Lower IGP metric, closer exit from an AS
• Lowest router-id
• Lowest IP address of neighbor
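The AS-path loop check from the AS-Path Attribute slide and the bestpath order from the two slides above can be exercised together. The block below is an added example, not the course's own code: incoming updates are rejected when the local ASN already appears in the AS-path, and the surviving paths are whittled down step by step in the order the slides list. The deck's bestpath slides do not mention local preference, so the example places it after the locally-sourced step, where the standard Cisco order puts it; the MED step compares MEDs only when every remaining candidate comes from the same neighbouring AS, an assumed simplification of the "comparable if from the same AS" rule. The `Path` class, the sample paths (modelled on the MED and Local Preference figures) and all addresses are constructed.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lowest origin wins


@dataclass
class Path:
    prefix: str
    as_path: tuple            # ASNs as received, nearest neighbour first
    next_hop: str
    neighbor: str             # peer address the path was learned from
    router_id: str            # peer's BGP router-id
    origin: str = "igp"
    local_pref: int = 100
    med: int = 0
    weight: int = 0
    locally_sourced: bool = False
    external: bool = True     # learned over eBGP rather than iBGP
    igp_metric: int = 0       # IGP cost to reach next_hop


def ip_key(addr: str) -> tuple:
    """Numeric tuple so 10.0.0.9 sorts before 10.0.0.10 (string order would not)."""
    return tuple(int(o) for o in addr.split("."))


def accept_update(local_as: int, path: Path) -> bool:
    """AS-path loop detection: a route whose AS-path already carries our ASN is rejected."""
    return local_as not in path.as_path


def best_path(paths: list) -> Path:
    """Eliminate candidates step by step in the slides' bestpath order; one path survives."""
    cands = list(paths)

    def keep_min(key):
        nonlocal cands
        best = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == best]

    keep_min(lambda p: -p.weight)                       # largest weight (local to the router)
    keep_min(lambda p: 0 if p.locally_sourced else 1)   # locally sourced (network/redistribute)
    keep_min(lambda p: -p.local_pref)                   # highest local preference
    keep_min(lambda p: len(p.as_path))                  # shortest AS-path
    keep_min(lambda p: ORIGIN_RANK[p.origin])           # IGP < EGP < INCOMPLETE
    # Assumed simplification: compare MED only when all remaining paths share the
    # same neighbouring AS, since MED is not comparable across different ASes.
    if len({p.as_path[:1] for p in cands}) == 1:
        keep_min(lambda p: p.med)                       # lowest MED
    keep_min(lambda p: 0 if p.external else 1)          # eBGP over iBGP
    keep_min(lambda p: p.igp_metric)                    # closest next hop (lowest IGP metric)
    keep_min(lambda p: ip_key(p.router_id))             # lowest router-id
    keep_min(lambda p: ip_key(p.neighbor))              # lowest neighbor address
    return cands[0]


# Constructed sample modelled on the MED figure: router C in AS 300 hears
# 192.168.1.0/24 from AS 301 twice, via A (MED 2000) and via B (MED 1000).
MED_SAMPLE = [
    Path("192.168.1.0/24", (301,), "10.0.0.1", "10.0.0.1", "1.1.1.1", med=2000),
    Path("192.168.1.0/24", (301,), "10.0.0.2", "10.0.0.2", "2.2.2.2", med=1000),
]

# Constructed sample modelled on the Local Preference figure: AS 400 learns
# 110.10.0.0/16 from AS 200 (local pref 400) and from AS 300 (local pref 700).
LOCALPREF_SAMPLE = [
    Path("110.10.0.0/16", (200, 100), "10.1.0.1", "10.1.0.1", "4.4.4.4", local_pref=400),
    Path("110.10.0.0/16", (300, 100), "10.2.0.1", "10.2.0.1", "5.5.5.5", local_pref=700),
]
```

Because every step keeps all candidates that tie, the router-id and neighbor-address steps are what guarantee a single winner; a real implementation also has to recompute when any attribute of a candidate changes.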
Stub AS
[Figure: Customer AS 201 (router B) connected to a single provider, AS 200.]
Multi-homed AS
• Only border routers speak BGP
• IBGP only between border routers
• Exterior routes must be redistributed in
a controlled fashion into IGP or use
defaults
Multi-homed AS
[Figure: Customer AS 500 (border routers B and C) multi-homed to provider AS 400 (router A) and provider AS 600 (router D).]
Service Provider Network
Routing Policy
• Why?
– To steer traffic through preferred paths
– Inbound/Outbound prefix filtering
– To enforce Customer-ISP agreements
• How ?
– AS based route filtering - filter list
– Prefix based route filtering - distribute list
– BGP attribute modification - route maps
Route-map match & set clauses
Chapter-7: VRF
Introduction
• VRF (Virtual Routing and Forwarding) is a technology that allows
multiple instances of a routing table to co-exist within the same
router at the same time.
VRF-Lite
• VRF-lite is a feature that enables a service provider to support two or
more VPNs, where IP addresses can be overlapped among the VPNs.
• VRF-lite uses input interfaces to distinguish routes for different VPNs
and forms virtual packet-forwarding tables by associating one or more
Layer 3 interfaces with each VRF.
Chapter-8: Policy Based Routing
Chapter-9: IP Multicast
Introduction to IP Multicast
• Why multicast?
• When sending the same data to multiple receivers
• Better bandwidth utilization
• Less host/router processing
• Receivers' addresses unknown
Multicast Applications
Unicast, Broadcast and Multicast
Internet Group Management Protocol - IGMP
IGMP Protocol
• Router: sends an IGMP query at regular intervals
• Hosts belonging to a multicast group must reply to the query if they wish to join or stay in the
group.
• A host sends an IGMP report when it joins a multicast group (Note: multiple processes on a
host can join. A report is sent only for the first process).
• No report is sent when a process leaves a group
IGMP Message Types
IGMP Packet Format
Leave Report
General Query Message
Multicast Protocol Basics
Multicast Distribution Trees
How are Distribution Trees Built?
• PIM
• Uses existing Unicast Routing Table plus Join/Prune/Graft mechanism to build tree.
• DVMRP
• Uses DVMRP Routing Table plus special Poison-Reverse mechanism to build tree.
• MOSPF
• Uses extension to OSPF’s link state mechanism to build tree.
• CBT
• Uses existing Unicast Routing Table plus Join/Prune/Graft mechanism to build tree.
Multicast Forwarding
• Multicast Routing is backwards from Unicast Routing
• Unicast Routing is concerned about where the packet is going.
• Multicast Routing is concerned about where the packet came from.
Multicast Forwarding
Reverse Path Forwarding (RPF)
• What is RPF?
• A router forwards a multicast datagram only if it was received on the upstream
interface toward the source (i.e. it follows the distribution tree).
• The RPF Check
• The routing table used for multicasting is checked against the "source"
address in the multicast datagram.
• If the datagram arrived on the interface specified in the routing table for the
source address, then the RPF check succeeds.
• Otherwise, the RPF check fails.
Multicast Forwarding
Reverse Path Forwarding (RPF)
• If the RPF check succeeds, the datagram is forwarded
• If the RPF check fails, the datagram is typically silently discarded
• When a datagram is forwarded, it is sent out each interface in the
outgoing interface list
• Packet is never forwarded back out the RPF interface!
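The RPF rules on the two slides above, as an added example that is not part of the course material: a longest-prefix lookup on the source address picks the RPF interface, the datagram is dropped unless it arrived there, and replication goes out every interface in the outgoing interface list except the RPF interface. The unicast RIB, the interface names and the sample packets are constructed; a failing RPF counter is the usual first sign of asymmetric unicast routing.

```python
import ipaddress

# Constructed unicast RIB used for RPF lookups: prefix -> interface toward it.
UNICAST_RIB = {
    "10.1.1.0/24": "Gi0/0",   # the multicast source 10.1.1.10 lives here
    "10.1.0.0/16": "Gi0/1",
    "0.0.0.0/0":   "Gi0/2",
}


def rpf_interface(rib: dict, source: str):
    """Longest-prefix match on the *source* address; returns the interface the
    unicast table says leads back toward that source (the RPF interface)."""
    src = ipaddress.ip_address(source)
    best_net, best_iface = None, None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward_multicast(rib: dict, source: str, in_iface: str, oil: list) -> list:
    """RPF check, then replicate: returns the interfaces the datagram is sent out of.
    An empty list means the check failed and the packet is silently discarded.
    The RPF interface itself is never in the output list."""
    rpf = rpf_interface(rib, source)
    if rpf != in_iface:
        return []
    return [i for i in oil if i != rpf]


def rpf_stats(rib: dict, packets: list) -> dict:
    """Tally packets that pass or fail the RPF check for a list of (source, in_iface)
    pairs; a rising fail count points at a stale or asymmetric unicast table."""
    stats = {"passed": 0, "rpf_failed": 0}
    for source, in_iface in packets:
        if rpf_interface(rib, source) == in_iface:
            stats["passed"] += 1
        else:
            stats["rpf_failed"] += 1
    return stats
```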
Multicast Forwarding
Example: RPF Checking
Types of Multicast Protocols
• Sparse-mode
• Uses “Pull” Model
• Traffic sent only to where it is requested
• Explicit Join behavior
• Dense-mode
• Uses “Push” Model
• Traffic Flooded throughout network
• Pruned back where it is unwanted
• Flood & Prune behavior (typically every 3 minutes)
Multicast Protocol Review
• Currently, there are 4 multicast routing protocols:
• DVMRPv2 (Internet-draft)
• DVMRPv1 (RFC1075) is obsolete and was never used.
• MOSPF (RFC 1584) “Proposed Standard”
• PIM-DM (Internet-draft)
• CBT (Internet-draft)
• PIM-SM (RFC 2362) “Proposed Standard”
Dense-Mode Protocols
• DVMRP - Distance Vector Multicast Routing Protocol
• MOSPF - Multicast OSPF
• PIM DM - Protocol Independent Multicasting (Dense Mode)
DVMRP Overview
• Dense Mode Protocol
• Distance vector-based
• Similar to RIP
• Infinity = 32 hops
• Subnet masks in route advertisements
• DVMRP routes used:
• For the RPF check
• To build Truncated Broadcast Trees (TBTs)
• Uses a special "Poison-Reverse" mechanism
• Uses Flood and Prune operation
• Traffic is initially flooded down the TBTs
• TBT branches are pruned where traffic is unwanted.
• Prunes periodically time out, causing reflooding.
DVMRP — Source Trees
PIM-DM
• Protocol Independent
• Supports all underlying unicast routing protocols including: static, RIP, IGRP,
EIGRP, IS-IS, BGP, and OSPF
• Uses reverse path forwarding
• Floods network and prunes back based on multicast group membership
• Assert mechanism used to prune off redundant flows
• Appropriate for...
• Smaller implementations and pilot networks
PIM-DM Flood & Prune
Sparse-Mode Protocols
• PIM SM
• Protocol Independent Multicasting (Sparse Mode)
• CBT - Core Based Trees
PIM-SM (RFC 2362)
• Supports both source and shared trees
• Assumes no hosts want multicast traffic unless they specifically ask for it
• Uses a Rendezvous Point (RP)
• Senders and Receivers "rendezvous" at this point to learn of each other's existence.
• Senders are "registered" with the RP by their first-hop router.
• Receivers are "joined" to the Shared Tree (rooted at the RP) by their local Designated Router
(DR).
• Appropriate for…
• Wide-scale deployment for both densely and sparsely populated groups in the
enterprise
• Optimal choice for all production networks regardless of size and membership
density.
PIM-SM Shared Tree Joins
PIM-SM Sender Registration
PIM-SSM
• No shared trees
• No register packets
• No RP mapping required (no RP required!)
• No RP-to-RP source discovery (MSDP)
• Requires IGMP include-source list – IGMPv3
• User-definable range
PIM-SSM Join
PIM-SSM traffic flow
Module-2: Transport Technology & Solutions
Chapter-1: MPLS
MPLS Overview
• This session will provide the fundamentals for understanding MPLS
technology basics.
• The discussion will include MPLS evolution, terminology, functions of
labels, label format, label distribution, as well as encapsulations and
basic operation of an MPLS-enabled network.
Evolution of MPLS
• Origins from Tag Switching
• Proposed in the IETF, later combined with ideas from other proposals
from IBM (ARIS) and Toshiba (CSR)
• Later deployed: AToM, VPLS, DS-TE
MPLS as a Foundation for Value Added Services
[Figure: the MPLS network infrastructure as the foundation for Any Transport over MPLS, VPNs, Traffic Engineering, IP+ATM and IP+Optical (GMPLS).]
IP Routing
[Figure: conventional IP routing. Each router keeps a table of address prefix to output interface (for example 121.21 -> I/F 1 and 131.69 -> I/F 1 on the first router, 121.21 -> I/F 0 on the next routers), exchanges route updates with its neighbours, and forwards a packet for 121.21.21.0 hop by hop by looking up the destination address at every router.]
Encapsulations
• Frame Relay: Frame Relay header | Label header | Layer 3 header
• LAN MAC: MAC header | Label header | Layer 3 header (Ethertype = 0x8847/8848)
• The LAN MAC label header is also used for MPLS packets over an ATM Forum PVC (SNAP header).
Label Header for Packet Media
[Figure: bit layout of the 32-bit label header, bits 0 to 31.]
• MTU beyond 1518 for Ethernet can be accounted for when adding labels by the "mpls mtu"
command.
Label Stacking
• Arrange labels in a stack
• Inner labels can be used to designate services/FECs, etc.
• E.g. VPNs, fast re-route, alternate forwarding
• Outer label used to route/switch the MPLS packets in
the network
• (e.g. for VPN, outer label used for forwarding to remote PEs and bottom label for differentiating VPN at remote PE).
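The label header and label stacking slides can be made concrete with a small encoder and decoder. The block below is an added example, not part of the course material; it assumes the RFC 3032 layout of each 32-bit label stack entry (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL), which the slides' figure does not spell out. It also shows the core LSR rule from the stacking slide, swapping only the top label while inner labels ride through untouched, and a truncated stack that never reaches the bottom-of-stack bit, which is how a corrupt frame surfaces. The LFIB and the payload bytes are constructed.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847   # from the encapsulation slide
RESERVED_LABELS = range(0, 16)    # label values 0-15 are reserved (RFC 3032)
# Each entry: 20-bit label | 3-bit traffic class (formerly EXP) | 1-bit S (bottom of stack) | 8-bit TTL


def encode_entry(label: int, tc: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF))


def build_stack(labels: list, ttl: int = 255) -> bytes:
    """Outer label first; only the last (inner-most) label carries the S bit."""
    return b"".join(encode_entry(lbl, bos=(i == len(labels) - 1), ttl=ttl)
                    for i, lbl in enumerate(labels))


def parse_stack(data: bytes):
    """Walk entries until the S bit; returns (entries, payload). Raises on a stack
    that runs off the end of the packet."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated before bottom-of-stack")
        word, = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def lsr_swap(packet: bytes, lfib: dict) -> bytes:
    """Core LSR behaviour: act on the top label only, swap it per the LFIB
    (constructed mapping in-label -> out-label), decrement TTL, and leave every
    inner label (for example the VPN label) untouched."""
    entries, _payload = parse_stack(packet)
    top = entries[0]
    out_label = lfib[top["label"]]
    new_top = encode_entry(out_label, top["tc"], top["bos"], top["ttl"] - 1)
    return new_top + packet[4:]


def stack_overhead(labels: int) -> int:
    """Bytes the stack adds to a frame: 4 per label, which is why an Ethernet MTU
    beyond 1518 has to be provisioned when labels are pushed."""
    return 4 * labels
```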
Control and Forward Plane Separation
[Figure: in the control plane, the routing process feeds route updates and adjacency information into the RIB, and the MPLS process binds labels to those routes and feeds label updates and adjacency information into the LIB; forwarding is kept separate from both.]
Label Distribution Protocol (LDP)
• Defined in RFC 3036 and 3037
• Used to distribute labels in an MPLS network
• Forwarding Equivalence Class (FEC)
• How packets are mapped to LSPs (Label
Switched Paths)
• Advertise labels per FEC
• Reach destination a.b.c.d with label x (per IPL3DA in RIB)
• Neighbor discovery
TDP and LDP
• Tag Distribution Protocol
• Pre-cursor to LDP
• Used for Cisco tag switching
• TDP and LDP supported on the same box
• Per neighbor/link basis
• Per target basis
RSVP and Label Distribution
• Used in MPLS Traffic Engineering
• Additions to base RSVP signaling protocol
• Leverage the admission control mechanism
of RSVP
• Label requests are sent in PATH messages and binding is done with
RESV messages
Note: CR-LDP is another option for label distribution, but is no longer used or implemented
BGP-Based Label Distribution
• Used in the context of MPLS VPNs
• Needs multi-protocol extensions to BGP
• Referred to as MP-BGP
• Uses AFI/SAFI
• Extension to the BGP protocol in order to carry routing information about other protocols
• Multicast
• MPLS
• IPv6
• VPN-IPv4
• Labeled IPv6 unicast (6PE)
• VPN-IPv6 (6VPE)
• Exchange of Multi-Protocol NLRI must be negotiated at session setup; this uses the BGP Capabilities Advertisement
negotiation procedures
• VPN edge routers need to be BGP peers
• Label mapping info is carried as part of the NLRI (Network Layer Reachability Information)
General Context
• (CE) – Customer Edge; (PE) – Provider Edge, the Edge Label Switch Router; (P) – Provider, a Label Switch Router (LSR)
• A label distribution protocol (LDP/TDP, RSVP, BGP) runs between the routers
• At Edge (ingress): classify packets and label them; the label indicates service class and destination
• In Core: forward using labels (as opposed to IP addresses)
• At Edge (egress): remove the label
MPLS Example: Routing Information
[Figure: three LSRs, each with a table of In Label / Address Prefix / Out I'face / Out Label for prefix 121.89. A packet to 121.89.25.4 enters the MPLS network, is forwarded on its label (label 9 at the middle hop), and leaves at the MPLS network egress point with the label removed.]
MPLS
Why MPLS? - Major Drivers
• Provide IP VPN Services
• Scalable IP VPN service – Build once and sell many
• Managed Central Services – Building value add services and offering them across VPNs (i.e. Multicast,
Address Mgmt)
• Managing traffic on the network using MPLS Traffic Engineering
• Providing tighter SLA/QoS (Guaranteed B/W Services)
• Protecting bandwidth - Bandwidth Protection Services are enabling Service Providers to look at alternate
approaches to SONET APS
• Integrating Layer 2 & Layer 3 Infrastructure
• Layer 2 services such as Frame Relay and ATM over MPLS
• Mimic layer 2 services over a highly scalable layer 3 infrastructure
MPLS Application
MPLS Layer 3 VPN
Virtual Network Models
Virtual Networks
Overlay Network
• Provider sells a circuit service (FR, ATM, etc.)
• Customers purchase circuits to connect sites, run IP
• N sites, (N*(N-1))/2 circuits for full mesh, which is expensive
• The big scalability issue here is routing peers: N sites, each site has N-1 peers
• Hub and spoke is popular, suffers from the same N-1 number of routing peers
• Hub and spoke with static routes is simpler, still buying N-1 circuits from hub to spokes
• Spokes distant from hubs could mean lots of long-haul circuits
Peer Network
• Provider sells an MPLS-VPN service
• Customers purchase circuits to connect sites, run IP
• N sites, N circuits into the provider (MPLS-VPN)
• Access circuits can be any media at any point (FE, POS, ATM, T1, dial, etc.)
• Full mesh connectivity without a full mesh of L2 circuits
• Hub and spoke is also easy to build
• Spokes distant from hubs connect to their local provider's POP, lower access charge because of the provider's size
• The Internet is a large peer network
MPLS L3 VPNs using BGP (RFC2547)
• End user perspective
• Virtual Private IP service
• Simple routing – just point default to provider
• Full site-site connectivity without the usual drawbacks (routing complexity, scaling, configuration, cost)
• Major benefit for provider – scalability
[Figure: one provider network serving the sites of VPN A, VPN B and VPN C.]
MPLS VPN Topology
[Figure: provider core (P3 and PE3 among other PEs, running BGP) with customer sites attached by static routing or RIP: VPN A/Site 1 (CEA1), VPN A/Site 2 (CEA2), VPN B/Site 1 (CEB1), CEB2, CEB3, VPN C/Site 1 and VPN C/Site 2. Site prefixes shown include 21.1/16, 21.2/16, 22.2/16, 26.1/16 and 26.2/16.]
VPN Routing and Forwarding
Instance (VRF)
• PE routers maintain separate routing tables
• Global routing table
• Contains all PE and P routes (perhaps BGP)
• Populated by the VPN backbone IGP
• VRF (VPN routing and forwarding)
• Routing and forwarding table associated with one or more directly connected sites (CE
routers)
• VRF is associated with any type of interface, whether logical or physical (e.g.
sub/virtual/tunnel)
• Interfaces may share the same VRF if the connected sites share the same routing information
• Not virtual routers, just virtual routing and forwarding
Virtual Routing and Forwarding Instances
• Define a unique VRF for interface 0
• Define a unique VRF for interface 1
• Packets will never go between int. 0 and 1
• Uses VPNv4 to exchange VRF routing information between PE's
• No MPLS yet…
[Figure: a PE with a VRF for VPN-A (interface 0, attached CE with 172.12.2.0/24), a VRF for VPN-B (interface 1, attached CE with 196.12.7.0/24) and the global routing table.]
VRF Route Population
[Figure: Customer-1 and Customer-2 (VPN1) CEs attached to a PE over separate physical links running eBGP, EIGRP, OSPF, RIPv2 or static routing; the PE belongs to the MPLS domain and the iBGP domain.]
Additions to BGP to Carry MPLS-VPN Info
• RD: Route Distinguisher
• VPNv4 address family
• RT: Route Target
• Label
Route Distinguisher
• To differentiate 11.0.0.0/8 in VPN-A from 11.0.0.0/8 in VPN-B
• 64-bit quantity
• Configured as ASN:YY or IPADDR:YY
• Almost everybody uses ASN
• Purely to make a route unique
• The unique route is now RD:IPaddr (96 bits) plus a mask on the IPaddr portion
• So customers don't see each other's routes
Route Target
• To control policy about who sees what routes
• 64-bit quantity (2 bytes type, 6 bytes value)
• Carried as an extended community
• Typically written as ASN:YY
• Each VRF ‘imports’ and ‘exports’ one or
more RTs
• Exported RTs are carried in VPNv4 BGP
• Imported RTs are local to the box
• A PE that imports an RT installs that route in its routing table
VPNv4
• In BGP for IP, 32-bit address + mask makes a unique announcement
• In BGP for MPLS-VPN, (64-bit RD + 32-bit address) + 32-bit mask makes a unique
announcement
• Since the route encoding is different, need a different address family in BGP
• VPNv4 = VPN routes for IPv4
• As opposed to IPv4 or IPv6 or multicast-RPF, etc…
• VPNv4 announcement carries a label with the route
• “If you want to reach this unique address, get me packets with this label on them”
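The Route Distinguisher, Route Target and VPNv4 slides describe three separate jobs: the RD makes the NLRI unique, the RT decides which VRFs import it, and the label tells the remote PE which VRF a packet belongs to. The block below is an added example, not the course's own code, that models all three on one PE: two VRFs export the same 11.0.0.0/8, each under its own RD and RT, and a third VRF that imports both RTs shows the caveat that overlapping prefixes cannot both be installed in one VRF. VRF names, RD/RT values, the PE loopback and the labels are constructed; the type 0 RD encoding (2-byte type, 2-byte ASN, 4-byte assigned number) is the standard one.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                   # route distinguisher in ASN:YY form
    prefix: str               # IPv4 prefix, e.g. "11.0.0.0/8"
    next_hop: str             # advertising PE loopback
    label: int                # VPN label handed out by the advertising PE
    route_targets: frozenset  # extended communities in ASN:YY form


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type, 2-byte ASN, 4-byte assigned number (64 bits)."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpnv4_key(route: Vpnv4Route) -> str:
    """The RD is prepended purely to make the NLRI unique, so 11.0.0.0/8 in two VPNs
    becomes two distinct announcements."""
    return f"{route.rd}:{route.prefix}"


def pe_export(vrf_name: str, vrfs: dict, local_routes: dict, pe_loopback: str) -> list:
    """Export a VRF's IPv4 routes as VPNv4: attach the VRF's RD, its export RTs and a VPN label."""
    cfg = vrfs[vrf_name]
    return [Vpnv4Route(cfg["rd"], prefix, pe_loopback, label, frozenset(cfg["export"]))
            for prefix, label in local_routes.items()]


def pe_import(vrfs: dict, vpnv4_table: list) -> dict:
    """Each VRF installs the VPNv4 routes whose RTs intersect its import list,
    stripped back to plain IPv4 prefixes. Overlapping prefixes from different VPNs
    imported into the same VRF collide: only one instance can survive."""
    tables = {name: {} for name in vrfs}
    for route in vpnv4_table:
        for name, cfg in vrfs.items():
            if cfg["import"] & route.route_targets:
                tables[name][route.prefix] = (route.next_hop, route.label)
    return tables


# Constructed configuration: two customers using the same 11.0.0.0/8, plus a
# shared-services VRF that imports both of their RTs.
VRFS = {
    "VPN-A":  {"rd": "65000:1", "import": {"65000:1"}, "export": {"65000:1"}},
    "VPN-B":  {"rd": "65000:2", "import": {"65000:2"}, "export": {"65000:2"}},
    "SHARED": {"rd": "65000:9", "import": {"65000:1", "65000:2"}, "export": {"65000:9"}},
}
VPNV4_TABLE = (pe_export("VPN-A", VRFS, {"11.0.0.0/8": 28}, "192.168.15.1")
               + pe_export("VPN-B", VRFS, {"11.0.0.0/8": 29}, "192.168.15.1"))
```

The shared VRF ending up with a single 11.0.0.0/8 is the practical reason extranets between customers with overlapping address space need NAT or renumbering rather than just an extra import RT.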
MPLS Layer 3 VPN Operations
VRF Population of MP-BGP
[Figure: a CE in India attached to PE-1 and a CE in Turkey attached to PE-2. The India CE sends a BGP, OSPF or RIPv2 update for 172.16.1.0/24 with NH=CE-1; PE-1 advertises it to PE-2 as a VPN-v4 update: RD:1:27:172.16.1.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28).]
• At PE-2 the VPN-v4 update is translated back into an IPv4 address and put into VRF
VPN-A (as RT=VPN-A), and optionally advertised to any attached sites
MPLS/VPN Packet Forwarding
• Between PE and CE, regular IP packets (currently)
• Within the provider network—label stack
Outer label: “get this packet to the egress PE”
Inner label: “get this packet to the egress CE”
• MPLS nodes forward packets based on TOP label!!!
any subsequent labels are ignored
• Penultimate Hop Popping procedures used one hop prior to egress PE router
(shown in example)
MPLS/VPN Packet Forwarding
[Figure: PE-1 holds a VPN-A VRF entry 172.16.2.0/24, NH=192.168.15.1, Label=(28) and an LFIB entry In Label -, FEC 192.168.15.1/32, Out Label 41. A packet from the India site to 172.16.1.27 (Turkey, 172.16.1.0/24) is sent into the core with label stack 41 (outer) 28 (inner).]
VRF Route Population
[Figure: a single PE router supporting multiple VRF instances. Customer-1 and Customer-2 (VPN1) CEs and a VPN2 CE attach over separate physical links (eBGP, EIGRP, OSPF, RIPv2, static); routing updates are exchanged across the MPLS domain and the iBGP domain.]
MPLS Traffic Engineering
Traffic Engineering - Theory
• MPLS-TE was designed to move traffic along a path other than the IGP shortest path
• Bring ATM/FR traffic engineering abilities to an IP network
• Avoid full IGP mesh and n(n – 1)/2 flooding
• Bandwidth-aware connection setup
• Fast ReRoute (FRR) is emerging as another application of MPLS-TE
• Bandwidth Protection: Allows for tighter control on bandwidth – packet loss, delay & jitter
• Minimal packet loss (msec) when a link goes down
• Can be used in conjunction with MPLS-TE for primary paths, can also be used in standalone
• Provide Virtual Leased Lines – DS-TE + QoS
• Intelligent network infrastructure for better bandwidth guarantees (DS-TE, Online Bandwidth Protection,
Voice VPNs etc)
The Problem with Shortest-Path
• Some links are DS3, some are OC-3
• Router A has 40Mb of traffic for Router F, 40Mb of traffic for Router G
• Massive (44%) packet loss at Router B->Router E!
[Figure: Routers A, B, C, D, E, F and G connected by a mix of OC-3 and DS3 links. Router A's 80Mb of traffic follows the IGP shortest path through Router B to Router E; that link cannot carry it and 35Mb drops, while the alternate path through Routers C and D sits idle.]
Forwarding Traffic Down a Tunnel
• There are three ways traffic can be forwarded down a TE tunnel
• Auto-route
• Static routes
• Policy routing
• With the first two, MPLS-TE gets you unequal cost load balancing
Fast ReRoute
• FRR: A mechanism to minimize packet loss during a failure
• Pre-provision protection tunnels that carry traffic when a protected
resource (link/node) goes down
• Use MPLS-TE to signal the FRR protection tunnels, taking advantage of the
fact that MPLS-TE traffic doesn’t have to follow the IGP shortest path
• Used as a mechanism (along with DS-TE) for tight SLA offerings for
“Guaranteed Bandwidth Services”
Standardization - IETF
• MPLS Working Group
• Fast Reroute Extensions:
• draft-ietf-mpls-rsvp-lsp-fastreroute-01.txt
• Fast Reroute MIB:
• draft-ietf-mpls-fastreroute-mib-01.txt
• IETF Drafts
• Bandwidth Protection
• draft-vasseur-mpls-backup-computation-01.txt
• Path Computation (eg. Inter-AS)
• draft-vasseur-mpls-computation-rsvp-02.txt
Why Deploy IPv6 Over MPLS?
• Because you already have an MPLS core and want to provide IPv6
access and transit services to your customers
• IPv6 access to IPv6 services and resources that you provide
• IPv6 access to IPv6 services and resources reachable via your network
• VPNv6 services
• Pre-existing MPLS core = IPv4 services; think coexistence
• Because you want to provide IPv6 access and transit services, and
MPLS is a cool technology to do so (speed, traffic engineering, QoS,
VPN, resiliency)
What Core? IPv4 or IPv6 Signaled LSP?
• Pre-existing MPLS core -> L2-based or IPv4-based
• Stick with what you have (L2-based/L3-based, LDP/RSVP, etc.) and use
6PE/6VPE
• New core
• Providing mixed (IPv4/IPv6) services -> IPv4-based (“4PE” is a challenge)
• IPv6-only -> No LDPv6 availability yet
• Your “only” option today is to go with a v4-based core
IPv6 Tunnels Configured on CE
IPv6 Over "Circuit_over_MPLS"
IPv6 Over MPLS (v6-Signalled LSP)
6PE (RFC 4798): What is it?
• Provides IPv6 global connectivity over an IPv4-MPLS core
• Transitioning mechanism for providing unicast IPv6 access over IPv4-
signaled MPLS
• Coexistence mechanism for combining IPv4 and IPv6 services over an
MPLS backbone
• Like other IPv6 "tunnel" technologies, it enables services such as
• "IPv6 Internet Access"
• Peer-to-peer connectivity
• Access to IPv6 services supplied by the SP itself
Minimum Infrastructure Upgrade for 6PE
6PE: The Technology
• It’s an implicit method to tie-up a v4-signalled Label Switch Path with
IPv6 routes announced via MPBGP
• Apply RFC2547bis architecture to IPv6
• IPv4/MPLS Core Infrastructure remains IPv6-unaware
• PEs are updated to support Dual Stack/6PE
• IPv6 reachability exchanged among 6PEs via MP-iBGP
• IPv6 packets transported from 6PE to 6PE inside IPv4 LSPs
6PE Overview
6VPE (RFC 4659): What Is It?
• For VPN customers, the IPv6 VPN service is exactly the same as the IPv4 VPN
service
• The current 6PE is "like VPN" but it is NOT a VPN, i.e. it provides global reachability
• Coexistence mechanism for combining IPv4 and IPv6 VPN services
over an MPLS backbone
• It enables services such as
• "IPv6 VPN Access"
• Carriers Supporting Carriers
• Access to IPv6 services supplied by the SP itself
Routing Protocols Leveraged with 6VPE
• IPv4-signalled LSP
• iBGP VPNv6 AF peering between 6VPE (PE1, PE2)
• eBGP IPv6+vrf AF peering with CE
• Only eBGP and Static Route within VRF between CE-PE
Multi-Protocol VRF
Conclusions
• IPv6 migration does not "need" MPLS but, where MPLS is deployed, it
enables attractive approaches for IPv6 integration
• Cisco IPv6 and MPLS solutions provide the broadest deployment
scenario feature set
• Cisco 6PE & 6VPE are one such IPv6 integration approach over IPv4
MPLS, which offers IPv6 deployment at marginal cost/risk
• No upgrade/reconfiguration in the IPv4/MPLS core
• IPv6 simultaneously with IPv4, IPv4 VPNs, L2 services, etc.
Segment Routing
Next Generation SP Core Network Architecture
Limitations with Traditional SP Core Network
Global Segment:
• A unique Segment Identifier (SID) in the SR domain.
• Each node in the SR domain installs this SID in its forwarding table.
• From the MPLS perspective, it is a label value from the SRGB.
Local Segment:
• Locally significant between the adjacency of two routers.
• From the MPLS perspective, it is a local label value which is allocated locally.
Global Segment – Global Label
• The Prefix SID index points to a unique label within the SRGB:
• Label = Prefix SID Index + SRGB Base (16000)
• Example: Prefix 1.1.1.1/32 with a Prefix index of 32 gets the label 16000+32 = 16032
• R1 – index 1 = 16000+1 = 16001
• R2 – index 2 = 16000+2 = 16002
• R3 – index 3 = 16000+3 = 16003
SRGB Configuration
SRGB Configuration:
• It is strongly recommended to use the same SRGB on all the nodes
• Global configuration or per-IGP-instance configuration
• An SRGB configured under the IGP instance takes precedence over the
SRGB in the global configuration
• Multiple IGP instances can use the same SRGB or different,
non-overlapping SRGBs
• Using different SRGBs is supported, but it complicates
operation for users.
SRGB Allocation
Label Switching Database
Label Switching Database:
Local label allocation is managed by the Label Switching Database (LSD).
All MPLS applications, such as IGP, LDP, RSVP and MP-BGP, must register as a client with the LSD to allocate labels.
Default label ranges in a Segment Routing capable Cisco IOS XR version:
- Label range [0-15] – reserved for special-purpose labels
- Label range [16-15999] – reserved for static MPLS labels
- Label range [16000-23999] – reserved for the SRGB
- Label range [24000-max] – used for dynamic label allocation
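The label arithmetic and the label-range rules above, as an added Python example that is not from the course slides: it derives prefix-SID labels from the SRGB, classifies a label value into the default IOS XR ranges, and shows why nodes that do not share one SRGB end up with different labels for the same SID. Node names and the deviating SRGB (17000-24999) are constructed.

```python
"""Segment Routing global labels and IOS XR default label ranges.

Added example, not from the course slides.  It applies the rules stated
above: label = prefix-SID index + SRGB base, the default IOS XR ranges
(0-15 special purpose, 16-15999 static, 16000-23999 SRGB, 24000+ dynamic),
and the effect of nodes not sharing one SRGB.  Node names and the
deviating SRGB are constructed sample data.
"""
from typing import Dict, Optional, Tuple

Srgb = Tuple[int, int]                       # (base, top), both inclusive
DEFAULT_SRGB: Srgb = (16000, 23999)          # IOS XR default from the slides

# Default label ranges from the slides; "max" of the dynamic range is platform
# dependent, so its upper bound is left open (None).
LABEL_RANGES: Tuple[Tuple[str, int, Optional[int]], ...] = (
    ("special-purpose", 0, 15),
    ("static", 16, 15999),
    ("srgb", 16000, 23999),
    ("dynamic", 24000, None),
)


def classify_label(label: int) -> str:
    """Name the default IOS XR range a label value falls into."""
    if label < 0:
        raise ValueError(f"label {label} is negative")
    for name, low, high in LABEL_RANGES:
        if label >= low and (high is None or label <= high):
            return name
    raise AssertionError("ranges cover every non-negative label")


def prefix_sid_label(index: int, srgb: Srgb = DEFAULT_SRGB) -> int:
    """MPLS label for a prefix-SID index: SRGB base + index.

    The index has to fit inside the SRGB; otherwise the node cannot
    install a global label for that SID.
    """
    base, top = srgb
    if index < 0 or base + index > top:
        raise ValueError(f"index {index} outside SRGB [{base}-{top}] "
                         f"(largest usable index is {top - base})")
    return base + index


def srgbs_overlap(a: Srgb, b: Srgb) -> bool:
    """True when two SRGBs share a label value.

    Several IGP instances on one node may share an SRGB or use disjoint
    ones; a partial overlap is a misconfiguration.
    """
    return a[0] <= b[1] and b[0] <= a[1]


def consistent_srgb(srgb_by_node: Dict[str, Srgb]) -> bool:
    """True when every node in the domain uses exactly the same SRGB."""
    return len(set(srgb_by_node.values())) == 1


def labels_per_node(index: int, srgb_by_node: Dict[str, Srgb]) -> Dict[str, int]:
    """Label each node installs for one global prefix-SID index.

    With a common SRGB all nodes derive the same label.  With differing
    SRGBs the same SID becomes a different label on each node, which is
    the operational complication the slides warn about.
    """
    return {node: prefix_sid_label(index, srgb) for node, srgb in srgb_by_node.items()}


if __name__ == "__main__":
    # Slide examples: 1.1.1.1/32 with index 32 -> 16032; R1..R3 with indices 1..3.
    print(prefix_sid_label(32))
    for node, idx in (("R1", 1), ("R2", 2), ("R3", 3)):
        print(node, prefix_sid_label(idx), classify_label(prefix_sid_label(idx)))
    # Constructed domain in which R3 deviates from the recommended common SRGB.
    domain = {"R1": DEFAULT_SRGB, "R2": DEFAULT_SRGB, "R3": (17000, 24999)}
    print(consistent_srgb(domain), labels_per_node(32, domain))
```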
SRGB Label Range
Figure: R1 in the middle allocates an Adjacency SID towards R2 and an Adjacency SID towards R3.
Concept of Multi-Level and Multi Area with
SR in OSPF & ISIS
Cisco Segment Routing
Terminologies
‘Advertise’
- When a node advertises a prefix, it includes that prefix in the link-state advertisements that it generates and sends to its neighbors.
‘Originate’
- When a node originates a prefix, it advertises a local prefix, i.e. a prefix owned by the node.
‘Propagate’
- When a node propagates a prefix, it advertises in an area or level a prefix that it received from some other area or level.
Cisco Segment Routing
Figure: multi-area topology, R1 - Area 0 - R2 - Area 1 - R3.
Chapter-2: VPN
Basic VPNs
• What is a VPN?
• A Virtual Private Network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. It can be implemented securely or insecurely, depending on the requirements. It is a technology that creates a safe and encrypted connection over a less secure network, such as the Internet.
• VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources. To ensure safety, data travels through a secure tunnel, and VPN users must use authentication methods, including passwords, tokens and other unique identification methods, to gain access to the VPN.
VPN Protocols
Site-to-Site VPN
• A site-to-site VPN uses a gateway device to connect the entire network in one location to the network in another, usually a small branch connecting to a data center. End-node devices in the remote location do not need VPN clients because the gateway handles the connection. Most site-to-site VPNs connecting over the Internet use IPsec. It is also common to use carrier MPLS clouds, rather than the public Internet, as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 connectivity (VPLS, Virtual Private LAN Service) running across the base transport.
IP Security (IPsec)
• IPsec is a framework for a set of protocols providing security at the network or packet-processing layer of network communication.
• IPsec provides two choices of security services: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data. The specific information associated with each of these services is inserted into the packet in a header that follows the IP header. Separate key management protocols can be selected, such as the ISAKMP protocol.
Secured VPN using IPSEC Components
• IPSec is a framework of open standards developed by the Internet
Engineering Task Force (IETF) that provides security for transmission
of sensitive information over unprotected networks such as the
Internet. It acts at the network level and implements the following
standards:
• IPSEC
• Internet Key Exchange (IKE)
• Data Encryption Standard (DES)
• MD5 (HMAC Variant)
• SHA (HMAC Variant)
• Authentication header (AH)
• Encapsulating Security Payload (ESP)
Secured VPN Components (Cont.)…
Types of Encryption
Hashing
• Hashing is one way to enable security during message transmission when the message is intended for a particular recipient only. A formula generates the hash, which helps protect the transmission against tampering: any change to the message changes the hash, so the recipient can detect it.
• Hashing is also used to index and retrieve items in a database, because it is easier to find an item using the shortened hashed key than using the original value.
Site-to-Site IPsec VPN Architecture
• IKE Phase 1 and its modes: Main vs. Aggressive
Site-to-Site IPsec VPN Architecture (Cont.)…
• IKEv1 Phase 2
• Phase 2 is the IPsec (ISAKMP) negotiation in which the specifics you set up in your policies are used to establish the keys. These are the traffic keys themselves, and the user traffic is encrypted with them. If everything goes well, an IPsec SA is present.
• Phase 2 expects the keying information to be available, but it comes FROM Phase 1.
Cisco GRE VPN
• GRE tunnels provide an interface the device can use to forward data. The “data” in this sense is the passenger protocol itself, such as IPv6 or IPv4. These tunnels consist of three main components:
• Delivery Header (Transport Protocol)
• GRE Header (Carrier Protocol)
• Payload Packet (Passenger Protocol)
GRE Application:
• GRE can be used with many different combinations of passenger and
transport protocols. However, IPv4 and IPv6 are the most common
transport protocols for GRE. For example:
• GRE can use IPv4 as the transport protocol to tunnel an IPv4 packet across the
underlying network infrastructure.
• GRE can use IPv4 as the transport protocol to tunnel an IPv6 packet across the
underlying network infrastructure.
• GRE can use IPv6 as the transport protocol to tunnel an IPv4 packet across the
underlying network infrastructure.
• GRE can use IPv6 as the transport protocol to tunnel an IPv6 packet across the
underlying network infrastructure.
Why Do We Use GRE?
• GRE’s support for multiple protocols and packet types makes it ideal for solving many of the problems faced when trying to form VPNs across the Internet. The most obvious issue is that private addressing used in the enterprise cannot be routed across the public Internet. GRE solves this by encapsulating the IP header with private addressing inside an outer IP header that uses public addressing.
Dynamic Multipoint VPN (DMVPN)
What is Dynamic Multipoint VPN?
• Dynamic Multipoint VPN (DMVPN) is a combination of GRE, NHRP and IPsec
• NHRP allows the peers to have dynamic addresses (e.g. dial-up and DSL) with GRE/IPsec tunnels
• The backbone is a hub-and-spoke topology
• Allows direct spoke-to-spoke tunneling by automatically building a partial mesh
Site-to-Site DMVPN: mGRE/IPsec/NHRP Integration, Only the Hub Address Is Known
Figure: the hub (192.0.0.1) has a static, known IP address; the spokes (192.0.1.1, 192.0.2.1, 192.0.3.1) have dynamic, unknown IP addresses. The hub side is 192.0.0.0 255.255.255.0; the spoke LANs (192.0.1.0, 192.0.2.0 and 192.0.3.0, mask 255.255.255.0) can have private addressing. Legend: static spoke-to-hub IPsec tunnels; dynamic and temporary spoke-to-spoke IPsec tunnels.
GRE Tunnels
• A GRE tunnel is a simple non-negotiated tunnel; GRE only needs tunnel endpoints
• GRE encapsulates frames or packets into another IP packet with a new IP header
• GRE has only 4 to 8 bytes of overhead
• GRE tunnels exist in two main flavors:
- Point-to-point (GRE)
- Point-to-multipoint (mGRE)
GRE multipoint and DMVPN
• A GRE interface definition includes an IP address, a tunnel source, a tunnel destination and an optional tunnel key:
interface Tunnel 0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Dialer1
 tunnel destination 172.16.0.2
 tunnel key 1
• An mGRE interface definition includes an IP address, a tunnel source and a tunnel key:
interface Tunnel 0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 1
Terminology Pause
• The tunnel address is the IP address defined on the tunnel interface
• The Non-Broadcast Multiple Access (NBMA) address is the IP address used as tunnel source (or destination)
• Example: on router A, one configures
interface Ethernet0/0
 ip address 192.16.0.1 255.255.255.0
interface Tunnel0
 ip address 192.0.0.1 255.0.0.0
 tunnel source Ethernet0/0
[…]
192.0.0.1 is router A's tunnel address
192.16.0.1 is router A's NBMA address
mGRE Tunnels
• Single tunnel interface (multipoint)
- Non-Broadcast Multi-Access (NBMA) network
- Multiple (dynamic) tunnel destinations
- Multicast/broadcast support
• Next Hop Resolution Protocol (NHRP)
- VPN IP to NBMA IP address mapping
GRE Encapsulation
Figure: two routers with tunnel addresses 192.0.0.1/24 and 192.0.0.2/24, NBMA addresses 192.16.0.1/24 and 192.16.1.1/24, and LANs 192.168.0.0/24 and 192.168.1.0/24. The original packet (IP s=192.168.0.1, dst=192.168.1.1, payload) is carried behind an outer IP header (s=192.16.0.1, d=192.16.1.1) followed by the GRE header; the inner packet (IP s=192.168.0.1, dst=192.168.1.1, payload) is delivered unchanged on the far LAN.
DMVPN GRE Interfaces
• In DMVPN, the hub must have an mGRE interface
• Spokes can have a point-to-point GRE interface or an mGRE interface
• This presentation will use mGRE everywhere for consistency
• Note that point-to-point GRE interfaces prevent spoke-to-spoke direct tunneling
mGRE Talking to a Peer
• Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone
• NHRP tells mGRE where to send the packets
• NHRP is defined in RFC 2332
What is NHRP?
• NHRP is a layer two resolution protocol and cache
like ARP or Reverse ARP (Frame Relay)
• It is used in DMVPN to map a tunnel IP address to
an NBMA address
• Like ARP, NHRP can have static and dynamic
entries
• NHRP has worked fully dynamically since Release
12.2(13)T
How mGRE Uses NHRP
• When a packet is routed, it is passed to the mGRE interface along with a next-hop
• The next-hop is the tunnel address of a remote peer
• mGRE looks up the next-hop address in the NHRP cache and retrieves the NBMA address of the remote peer
• mGRE encapsulates the packet into a GRE/IP payload
• The new packet destination is the NBMA address
• Multicast packets are only sent to the specific remote peers identified in the NHRP configuration
How NHRP Works
• mGRE uses NHRP, but how does NHRP work?
• This presentation will introduce a network topology and illustrate the associated NHRP commands
NHRP Registration
Dynamically Addressed Spokes
Figure: hub with physical address 172.17.0.1 and Tunnel0 10.0.0.1 serving LAN 172.168.0.1/24; Spoke A with dynamic physical address 192.16.1.1, Tunnel0 193.0.0.11 and LAN 172.168.1.1/24; Spoke B with dynamic physical address 192.16.2.1, Tunnel0 193.0.0.12 and LAN 172.168.2.1/24.
Basic NHRP Configuration
• In order to configure an mGRE interface to use NHRP, the following command is necessary:
ip nhrp network-id <id>
• Where <id> is a unique number (the same on the hub and all spokes)
• <id> has nothing to do with the tunnel key
• The network ID defines an NHRP domain
- Several domains can co-exist on the same router
Populating the NHRP Cache
• Three ways to populate the NHRP cache:
- Manually add static entries
- Hub learns via registration requests
- Spokes learn via resolution requests
• We will now study “static” and “registration”
• “Resolution” is for spoke to spoke
Initial NHRP Caches
• Initially, the hub has an empty cache
• The spoke has one static entry mapping the hub’s tunnel address to the hub’s NBMA address:
ip nhrp map 10.0.0.1 172.17.0.1
• Multicast traffic must be sent to the hub:
ip nhrp map multicast 172.17.0.1
The Spokes Must Register To The Hub
• In order for the spokes to register themselves to the hub, the hub must be declared as a Next Hop Server (NHS):
ip nhrp nhs 192.0.0.1
ip nhrp holdtime 3600 (optional)
ip nhrp registration no-unique (optional)
• Spokes control the cache on the hub
Registration Process
• The spokes send Registration Requests to the hub
• The request contains the spoke’s tunnel and NBMA addresses as well as the hold time and some flags
• The hub creates an entry in its NHRP cache
• The entry will be valid for the duration of the hold time defined in the registration
• The NHS returns a registration reply (acknowledgement)
Multicast Packets from the Hub
• The hub must also send multicast traffic to all the spokes that registered to it
• This must be done dynamically (possible since Release 12.2(13)T)
• This is not the default:
ip nhrp map multicast dynamic
NHRP Registration Request
Figure: Spoke A (LAN 192.168.1.1/24) registers with the hub (LAN 192.168.0.1/24); the spoke’s NHRP table holds the static, multicast-enabled entry 192.0.0.1 -> 172.17.0.1.
NHRP Functionality
• Address mapping/resolution
- Static NHRP mapping
- Next Hop Client (NHC) registration with Next Hop Server (NHS)
• Packet forwarding
- Resolution of VPN to NBMA mapping
- Routing: IP destination -> Tunnel IP next-hop
- NHRP: Tunnel IP next-hop -> NBMA address
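The mGRE/NHRP interaction described above (the next-hop lookup in the NHRP cache, the spoke’s static map, registration with the NHS for a hold time, the dynamic multicast map on the hub, and hold-time expiry), as an added Python model that is not part of the course material. Tunnel and NBMA addresses reuse the slide topology (hub 192.0.0.1 / 172.17.0.1, spokes 192.0.0.11 and 192.0.0.12); node names, the hold time and the routing-table entries are constructed.

```python
"""Model of mGRE forwarding through the NHRP cache in a DMVPN hub-and-spoke.

Added example, not from the course slides.  It simulates the behaviour
described above: spokes hold a static map of the hub (flagged for
multicast), register with the NHS for a hold time, the hub learns entries
dynamically and marks them multicast ('ip nhrp map multicast dynamic'),
expired entries are purged, and mGRE resolves routing next-hop -> tunnel
IP -> NBMA address.  Addresses follow the slide topology; node names are
constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NhrpEntry:
    nbma: str
    multicast: bool = False
    expires_at: Optional[float] = None   # None: static entry, never ages out


def longest_match(dst_ip: str, routes: Dict[str, str]) -> Optional[str]:
    """Most specific prefix in the routing table covering dst_ip (keys are canonical CIDRs)."""
    addr = ipaddress.ip_address(dst_ip)
    nets = [ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)]
    return str(max(nets, key=lambda n: n.prefixlen)) if nets else None


@dataclass
class DmvpnNode:
    name: str
    tunnel_ip: str
    nbma_ip: str
    network_id: int                                  # ip nhrp network-id <id>
    nhs: Optional[str] = None                        # ip nhrp nhs <hub tunnel ip>
    multicast_dynamic: bool = False                  # ip nhrp map multicast dynamic
    cache: Dict[str, NhrpEntry] = field(default_factory=dict)  # tunnel ip -> entry
    routes: Dict[str, str] = field(default_factory=dict)       # prefix -> tunnel next-hop

    def nhrp_map(self, tunnel_ip: str, nbma: str) -> None:
        """ip nhrp map <tunnel ip> <nbma>: static cache entry."""
        self.cache[tunnel_ip] = NhrpEntry(nbma)

    def nhrp_map_multicast(self, nbma: str) -> None:
        """ip nhrp map multicast <nbma>: replicate multicast (hellos) to this peer."""
        for e in self.cache.values():
            if e.nbma == nbma:
                e.multicast = True

    def register_with(self, hub: "DmvpnNode", holdtime: int, now: float) -> bool:
        """NHC: Registration Request with tunnel/NBMA addresses and hold time; True on ack."""
        if self.nhs != hub.tunnel_ip or self.network_id != hub.network_id:
            return False                             # no NHS, or a different NHRP domain
        return hub.handle_registration(self.tunnel_ip, self.nbma_ip, holdtime, now)

    def handle_registration(self, tunnel_ip: str, nbma: str, holdtime: int, now: float) -> bool:
        """NHS: install a dynamic entry valid for the hold time and send the reply."""
        self.cache[tunnel_ip] = NhrpEntry(nbma, self.multicast_dynamic, now + holdtime)
        return True

    def expire(self, now: float) -> None:
        """Purge dynamic entries whose hold time elapsed (spokes normally re-register first)."""
        self.cache = {k: e for k, e in self.cache.items()
                      if e.expires_at is None or e.expires_at > now}

    def resolve_nbma(self, dst_ip: str) -> Optional[str]:
        """Routing: destination -> tunnel next-hop; NHRP: next-hop -> NBMA address."""
        prefix = longest_match(dst_ip, self.routes)
        entry = self.cache.get(self.routes[prefix]) if prefix else None
        return entry.nbma if entry else None         # without NHRP, mGRE has no destination

    def multicast_targets(self) -> List[str]:
        """NBMA addresses that receive multicast, e.g. routing-protocol hellos."""
        return sorted(e.nbma for e in self.cache.values() if e.multicast)


def build_topology() -> Tuple[DmvpnNode, DmvpnNode, DmvpnNode]:
    """Hub 192.0.0.1 (NBMA 172.17.0.1) and two dynamically addressed spokes."""
    hub = DmvpnNode("Hub", "192.0.0.1", "172.17.0.1", network_id=1, multicast_dynamic=True)
    spoke_a = DmvpnNode("SpokeA", "192.0.0.11", "192.16.1.1", network_id=1, nhs="192.0.0.1")
    spoke_b = DmvpnNode("SpokeB", "192.0.0.12", "192.16.2.1", network_id=1, nhs="192.0.0.1")
    for s in (spoke_a, spoke_b):
        s.nhrp_map("192.0.0.1", "172.17.0.1")        # ip nhrp map 192.0.0.1 172.17.0.1
        s.nhrp_map_multicast("172.17.0.1")           # ip nhrp map multicast 172.17.0.1
        s.routes["0.0.0.0/0"] = "192.0.0.1"          # Phase I: default route via the hub
    return hub, spoke_a, spoke_b


if __name__ == "__main__":
    hub, a, b = build_topology()
    print("hub multicast targets before registration:", hub.multicast_targets())   # []
    a.register_with(hub, holdtime=3600, now=0.0)
    b.register_with(hub, holdtime=3600, now=10.0)
    hub.routes["192.168.1.0/24"] = a.tunnel_ip        # learned via the routing protocol
    print(hub.multicast_targets(), hub.resolve_nbma("192.168.1.50"))
```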
Routing Protocol
• The spoke needs to advertise its private network to
the hub
• Can use BGP, EIGRP, OSPF, RIP or ODR; however,
this presentation will focus on EIGRP
• Must consider several caveats
Spoke Hellos
• The spoke has all it needs to send hellos immediately:
- Tunnel is defined
- Static NHRP entry to the hub is present
- NHRP entry is marked for multicast
• So the spoke never waits…
Hub Hellos
• With its basic tunnel definition, the hub cannot send anything (including hellos) to anyone
• It must wait for NHRP registrations to arrive
• As soon as a spoke has registered, its NHRP entry is marked “multicast” due to
ip nhrp map multicast dynamic
GRE and EIGRP
• The default bandwidth of a GRE tunnel is 9 Kbps
• This has no influence on the traffic but…
• EIGRP will use at most ½ of the interface bandwidth (4.5 Kbps), which is too low
• Configure the tunnel bandwidth explicitly:
bandwidth 1000
Spoke EIGRP configuration
• Nothing special on the spoke
• EIGRP stub should be considered
Hub EIGRP Configuration
• There are many options…
• If you want a spoke to see other spokes:
no ip split-horizon eigrp 1
• Summarization is to be considered
• Setting the bandwidth is crucial in the hub-to-spoke direction
• Best practice: set the bandwidth the same on all nodes
IPsec Protection
• GRE/NHRP can build a fully functional overlay
network
• GRE is insecure; ideally, it must be protected
• The good old crypto map configuration is rather
cumbersome; DMVPN introduced tunnel protection
• Still need to define an IPsec security level
The IPsec Security Policy
• A transform set must be defined:
crypto ipsec transform-set ts esp-sha-hmac esp-3des
 mode transport
Protecting the Tunnel
• The profile must be applied on the tunnel:
tunnel protection ipsec profile prof
• Internally, Cisco IOS® Software will treat this as a dynamic crypto map and derive the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache
• This must be configured on the hub and spoke tunnels
Relation Between GRE, NHRP and IPsec
• For each unique NBMA address in the NHRP cache, Cisco IOS Software will create an internal crypto map that protects:
- GRE traffic
- From the tunnel source (NBMA) address
- To the NHRP entry NBMA address
Relationship (cont’d.)
• NHRP registration will be triggered:
- When the Tunnel interface comes up/up
- When the tunnel source address changes
- When IPsec finishes negotiating the phase 2 related to the tunnel protection
- When the registration timer expires
NHRP Registration
Dynamically Addressed Spokes
Figure: permanent IPsec tunnels from each spoke to the hub. Hub: physical 192.17.0.1, Tunnel0 192.0.0.1, LAN 192.168.0.1/24; its NHRP mapping holds 192.0.0.11 -> 192.16.1.1 and 192.0.0.12 -> 192.16.2.1, and its routing table is learned dynamically. Spoke A: dynamic physical 192.16.1.1, Tunnel0 192.0.0.11, LAN 192.168.1.1/24. Spoke B: dynamic physical 192.16.2.1, Tunnel0 192.0.0.12, LAN 192.168.2.1/24.
Building Hub-and-Spoke Tunnels
Figure: sequence between Host1, Spoke1, Hub, Spoke2 and Host2. Each spoke runs IKE initialization with the hub until IKE/IPsec is established, then performs NHRP registration; the routing adjacency forms and routing updates are exchanged between hub and spokes. All traffic between a spoke and the hub is encrypted.
Dynamic Multipoint VPN (DMVPN) Phases
DMVPN Phases
• DMVPN Phase I
• DMVPN Phase II
• DMVPN Phase III
DMVPN Phase I
• P2P GRE on spoke routers
• mGRE on the hub router
• Default routing on spokes
• Dynamic spoke registration
• Data traffic flows through the hub
• No multicast between spokes
DMVPN Phase I Initialization
• Spoke attempts to send traffic to the hub:
• IKE keys and IPsec SA are established
• Spoke uses NHRP to register with the hub
• Hub creates an NHRP mapping for the spoke
• Hub creates a dynamic multicast map for the spoke
• Hub and spoke exchange routing updates
DMVPN Phase II
• Dynamic tunnel destination
• Every spoke needs all spoke routes
• No multicast between spokes
• Data traffic spoke-to-spoke
• Next hop must be the egress router
DMVPN Phase III
• No limits on routing spoke-to-spoke
• Multicast only between NHRP neighbours
• Optimal data traffic
• No restriction on routing protocol
• DMVPN cloud in one subnet
IKEv2
What Is IKEv2?
• IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol that handles request and response actions.
• It makes sure the traffic is secure by establishing and handling the SA (Security Association) attribute within an authentication suite, usually IPsec, since IKEv2 is based on it and built into it.
IKEv2 Characteristics
• IKEv2 supports IPSec’s latest encryption algorithms, alongside
multiple other encryption ciphers.
• The IKE protocol uses UDP packets and UDP port 500. Normally, four
to six packets are necessary for creating the SA.
• IKE is based on the following underlying security protocols:
• ISAKMP - Internet Security Association and Key Management Protocol
• SKEME - Versatile Secure Key Exchange Mechanism
• OAKLEY - Oakley Key Determination Protocol
IKEv1 vs. IKEv2
• IKEv2 offers support for remote access by default thanks to its EAP
authentication.
• IKEv2 is programmed to consume less bandwidth than IKEv1.
• The IKEv2 VPN protocol uses encryption keys for both sides, making it
more secure than IKEv1.
• IKEv2 has MOBIKE support, meaning it can resist network changes.
• IKEv1 doesn’t have built-in NAT traversal like IKEv2 does.
IKEv2 Advantages and Disadvantages
• Advantages:
• IKEv2 security is quite strong since it supports multiple high-end ciphers.
• Despite its high security standard, IKEv2 offers fast online speeds.
• IKEv2 can easily resist network changes due to its MOBIKE support, and can automatically restore dropped connections.
• Disadvantages:
• Since IKEv2 only uses UDP port 500, a firewall or network admin could block it.
• IKEv2 doesn’t offer as much cross-platform compatibility as other protocols (PPTP, L2TP, OpenVPN, SoftEther).
Conclusion
• IKEv2 is both a VPN protocol and an encryption protocol used within the IPsec suite.
• Essentially, it is used to establish and authenticate a secured communication between a VPN client and a VPN server.
• IKEv2 is very safe to use, as it has support for powerful encryption ciphers, and it also addressed the security flaws that were present in IKEv1.
FlexVPN
What is FlexVPN?
FlexVPN Highlights
• Unified CLI
• Based on and compliant with the IKEv2 standard
• Unified infrastructure: leverages the IOS point-to-point tunnel interface
• Unified features: most features available across topologies
• Key features: AAA, config-mode, dynamic routing, IPv6
• Simplified configuration using smart defaults
• Interoperable with non-Cisco implementations
• Easier to learn, market and manage, including spoke-to-spoke topologies
FlexVPN and Interfaces
Basic Packet Forwarding
FlexVPN
Cisco IOS FlexVPN Features and Benefits:
• Scalability: IKEv2 provides scalability feature with the help of IKEv2
Proposal, in which we can use multiple integrity, encryption & DH
group types, which creates multiple possible combinations of Phase I
Policies.
Cisco IOS FlexVPN Features and Benefits:
• Transport network: FlexVPN can be deployed either over a public
internet or a private Multiprotocol Label Switching (MPLS) VPN
network.
MPLS Over FlexVPN
Module-3: Infrastructure Security and Services
Chapter-1: Device Security on Cisco IOS
AAA
AAA Model—Network Security Architecture
• Authentication
• Who are you?
• Authorization
• What can you do?
• What can you access?
• Accounting
• What did you do?
• How long did you do it? How often did you do it?
Implementation
Implementation: Local Authentication
Implementation: Remote Authentication
TACACS+ and RADIUS AAA Protocols
• Two different protocols are used to communicate between the AAA security servers and authenticating devices.
• Cisco Secure ACS supports both TACACS+ and RADIUS:
• TACACS+ remains more secure than RADIUS.
• RADIUS has a robust application programming interface and strong accounting.
Summary
• AAA services provide a higher degree of scalability than the line-level
and privileged EXEC authentication
• AAA services may be self-contained in the router or network access
server (NAS) itself. This form of authentication is also known as local
authentication
• In situations where local authentication will not scale well, such as for
many remote clients connecting to the network from different
locations, it is better to implement a remote security database.
Summary
• TACACS+ and RADIUS are the two predominant AAA protocols used by
Cisco security appliances, routers, and switches for implementing AAA
with a remote security database.
• The most common authentication method is the use of a username
and password. Authentication strength varies from the weakest which
is to use a database of usernames and passwords to the strongest
which is to use OTPs.
• PPP enables authentication between remote clients and servers using
PAP, CHAP, or MS-CHAP.
Summary
• Administrative access to a router and remote LAN access through perimeter routers are secured using aaa commands.
Control Plane Policing
Control Plane Policing (CoPP)
• rACLs are great but
• Limited platform availability
• Limited granularity—permit/deny only
• Need to protect all platforms
• To achieve protection today, need to apply ACL to all interfaces
• Some platform implementation specifics
• Some packets need to be permitted but at limited rate
Control Plane Policing (CoPP)
• CoPP uses the Modular QoS CLI (MQC) for QoS policy definition
• Consistent approach on all boxes
• Dedicated control-plane “interface”
• Highly flexible: permit, deny, rate limit
• Extensible protection
• Changes to MQC (e.g. ACL keywords) are applicable to CoPP
Control Plane Policing Feature
Deploying CoPP
• Recommendation: develop multiple classes of control plane traffic
• Apply appropriate rate to each
• “Appropriate” will vary based on network, risk tolerance, and risk assessment
• Be careful what you rate-limit
• Flexible class definition allows extension of model
• Fragments, TOS, ARP
• One option: attempt to mimic rACL behaviour
• CoPP is a superset of rACL
• Apply rACL to a single class in CoPP
• Same limitations as with rACL: permit/deny only
Configuring CoPP
1. Define ACLs: classify traffic
2. Define class-maps: set up the classes of traffic
3. Define the policy-map: assign a QoS policy action to each class of traffic (police, drop)
4. Apply the CoPP policy to the control-plane “interface”
Step 1: Define ACLs
• Pre-Undesirable—traffic that is deemed “bad” or “malicious” and is to be denied access to the RP
• Critical—traffic crucial to the operation of the network
• Important—traffic necessary for day-to-day operations
• Normal—traffic expected but not essential for network operations
• Post-Undesirable—traffic that is deemed “bad” or “malicious” and is to be denied access to the RP
• Catch-All—all other IP traffic destined to the RP that has not been identified
• Default—all remaining non-IP traffic destined to the RP that has not been identified
Step 2: Define Class-Maps
• Create class-maps to complete the traffic-classification process
• Use the access-lists defined on the previous slides to specify which IP packets belong in which classes
• Class-maps permit multiple match criteria, and nested class-maps
• match-any requires that packets meet only one “match” criterion to be considered “in the class”
• match-all requires that packets meet all of the “match” criteria to be considered “in the class”
• A “match-all” classification scheme with a simple, single match criterion will satisfy initial deployments
• Traffic destined to the “undesirable” class should follow a “match-any” classification scheme
Step 3: Define Policy-Map
• Class-maps defined in Step 2 need to be “enforced” by using a policy-
map to specify appropriate service policies for each traffic class
Step 3: Define Policy-Map - Example
• For undesirable traffic types, all actions are unconditionally “drop”
regardless of rate
• For critical, important, and normal traffic types, all actions are
“transmit” to start out
• For catch-all traffic, rate-limit the amount of traffic permitted above a
certain bps
Step 4: Apply Policy to “Interface”
• Apply the policy-map created in Step 3 to the “control plane”
• The new global configuration CLI “control-plane” command is used to
enter “control-plane configuration mode”
• Once in control-plane configuration mode, attach the service policy to
the control plane in the “input” direction
• Input—applies the specified service policy to packets that are entering the
control plane
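Steps 1 to 4 above, carried through as an added Python model that is not from the course slides: ACLs as ordered permit entries with an implicit deny, match-any versus match-all class-maps, drop/transmit/police actions (police as a token-bucket policer), and per-class transmit/drop counters like those reported by “show policy-map control-plane”. The class contents, prefixes (10.0.0.0/24 as a management network), packets and rates are constructed, not a recommended policy.

```python
"""Toy model of a CoPP policy: ACLs, class-maps, policy-map actions, counters.

Added example, not from the course slides.  It follows Steps 1-4 above with
constructed classes (undesirable -> drop, critical -> transmit, important ->
transmit, catch-all -> police) and keeps per-class transmit/drop counters like
'show policy-map control-plane'.  Packets, prefixes and rates are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "ospf"
    src: str
    dport: Optional[int] = None
    fragment: bool = False
    size: int = 64                  # bytes
    ts: float = 0.0                 # arrival time in seconds

def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Step 1: an ACL is an ordered list of (permit, predicate) entries.
Acl = List[Tuple[bool, Callable[[Packet], bool]]]

def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for permit, pred in acl:
        if pred(pkt):
            return permit
    return False

# Step 2: a class-map combines ACLs with match-any or match-all semantics.
@dataclass
class ClassMap:
    name: str
    acls: List[Acl]
    match_all: bool = False

    def matches(self, pkt: Packet) -> bool:
        hits = [acl_permits(a, pkt) for a in self.acls]
        return all(hits) if self.match_all else any(hits)

# Step 3: policy actions; 'police' is modelled as a single-rate token bucket.
@dataclass
class Policer:
    rate_bps: int
    burst_bytes: int
    tokens: Optional[float] = None  # filled to burst_bytes on the first packet
    last_ts: float = 0.0

    def conforms(self, pkt: Packet) -> bool:
        if self.tokens is None:
            self.tokens = float(self.burst_bytes)
        refill = max(0.0, pkt.ts - self.last_ts) * self.rate_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_ts = pkt.ts
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False

Entry = Tuple[ClassMap, str, Optional[Policer]]   # (class-map, action, policer)

@dataclass
class ControlPlanePolicy:
    entries: List[Entry]
    counters: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def apply(self, pkt: Packet) -> str:
        """Step 4 (service-policy input): evaluate classes in order, first match wins."""
        for cls, action, policer in self.entries:
            if cls.matches(pkt):
                if action == "police":
                    action = "transmit" if policer.conforms(pkt) else "drop"
                return self._count(cls.name, action)
        return self._count("class-default", "transmit")

    def _count(self, cls: str, verdict: str) -> str:
        c = self.counters.setdefault(cls, {"transmit": 0, "drop": 0})
        c[verdict] += 1
        return verdict

def build_policy() -> ControlPlanePolicy:
    """Constructed classes in the slide order: undesirable, critical, important, catch-all."""
    fragments: Acl = [(True, lambda p: p.fragment)]
    loopback_src: Acl = [(True, lambda p: in_net(p.src, "127.0.0.0/8"))]
    routing: Acl = [(True, lambda p: p.proto == "ospf"),
                    (True, lambda p: p.proto == "tcp" and p.dport == 179)]
    mgmt_src: Acl = [(True, lambda p: in_net(p.src, "10.0.0.0/24"))]   # constructed mgmt net
    ssh: Acl = [(True, lambda p: p.proto == "tcp" and p.dport == 22)]
    any_ip: Acl = [(True, lambda p: True)]
    return ControlPlanePolicy([
        (ClassMap("undesirable", [fragments, loopback_src]), "drop", None),          # match-any
        (ClassMap("critical", [routing]), "transmit", None),
        (ClassMap("important", [mgmt_src, ssh], match_all=True), "transmit", None),
        (ClassMap("catch-all", [any_ip]), "police", Policer(rate_bps=8000, burst_bytes=512)),
    ])
```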
Monitoring CoPP
• “show access-list” displays hit counts on a per ACL entry (ACE) basis
• The presence of hits indicates flows for that data type to the control plane as expected
• Large numbers of packets or an unusually rapid rate increase in packets processed may be suspicious and should be investigated
• Lack of packets may also indicate unusual behavior or that a rule may need to be rewritten
• “show policy-map control-plane” is invaluable for reviewing and tuning site-specific policies and troubleshooting CoPP
• Use SNMP queries to automate the process of reviewing service-policy transmit and drop rates
Monitoring CoPP
• “show policy-map control-plane” is invaluable for reviewing and
tuning site-specific policies and troubleshooting CoPP
• Displays dynamic information about number of packets (and bytes)
conforming or exceeding each policy definition
• Useful for ensuring that appropriate traffic types and rates are reaching the
route processor
Monitoring CoPP
• Use SNMP queries to automate the process of reviewing service-policy transmit and drop rates
• The Cisco QoS MIB (CISCO-CLASS-BASED-QOS-MIB) provides the primary mechanisms for MQC-based policy monitoring via SNMP
Control Plane Policing
Monitoring CoPP
• Superset of rACL: Start planning your migrations
• Provides a cross-platform methodology for protecting the control
plane
• Consistent “show” command and MIB support
• Granular: Permit, deny and rate-limit
• Platform specifics details: Centralized vs. distributed vs. hardware
Switch Security
Defeating a Learning Bridge’s Forwarding Process
• MAC Flooding
• Alternative: MAC Spoofing Attacks
MAC Flooding Attacks
• Virtually all LAN switches on the market come with a finite-size
bridging table.
• Because each entry occupies a certain amount of memory, it is
practically impossible to design a switch with infinite capacity.
• This information is crucial to a LAN hacker. High-end LAN switches can
store hundreds of thousands of entries, while entry-level products
peak at a few hundred.
Forcing an Excessive Flooding Condition
If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a
switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds
ago was just overwritten by another entry?
Forced Flooding
Host C starts running macof. The tool sends Ethernet frames to random destinations, each time modifying the source MAC address. When the first frame with source MAC address Y arrives on port Fa0/3, it overwrites the 00:00:CAFE:00:00 entry. When the second frame arrives (source MAC Y), it overwrites the entry pointing to B. At this point in time, all communication between 00:00:CAFE:00:00 and B becomes public because of the flooding condition that macof created.
MAC Spoofing Attacks
All MAC flooding tools force a switch to “fail open” to later perform selective MAC spoofing attacks. A MAC
spoofing attack consists of generating a frame from a malicious host borrowing a legitimate source MAC
address already in use on the VLAN. This causes the switch to forward frames out the incorrect port.
Preventing MAC Flooding and Spoofing
Attacks
Fortunately, there are several ways to thwart MAC flooding and spoofing attacks. In this section, you will learn
about detecting MAC activity, port security, and unknown unicast flooding protection.
Port Security
To stop an attacker in his tracks, a mechanism called port security comes to the rescue. In its most basic form,
port security ties a given MAC address to a port by not allowing any other MAC address than the
preconfigured one to show up on a secured port.
When a secure link goes down, MAC addresses that were associated with the port normally disappear. However, some switches (a Catalyst 6500 running a recent IOS release, for example) support sticky MAC addresses: when the port goes down, the MAC addresses that have been learned remain associated with that port. They can be saved in the configuration file.
The most common and recommended port-security setting is dynamic mode with one MAC address for ports
where a single device is supposed to connect, with a drop action on violation (restrict action).
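The flooding condition and the port-security remedy described above, as an added Python model that is not from the course text: a bridge with a three-entry CAM table, a port that sources a burst of frames with changing source MACs, and the same port protected by port security with a maximum of one MAC and the restrict violation action. Port names, MAC addresses, the table size and the oldest-first eviction are constructed assumptions of the model.

```python
"""Learning bridge with a finite CAM table, with and without port security.

Added example, not from the course text.  It models the behaviour described
above: a full bridging table evicts older entries, frames to unknown
destinations are flooded, and port security (one MAC per port, 'restrict'
violation action) drops and counts frames from extra source MACs so a
single port cannot churn the table.  Eviction order, port names, MACs and
the table size are constructed assumptions of this model.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    in_port: str

@dataclass
class PortSecurity:
    max_macs: int = 1               # switchport port-security maximum 1
    violation: str = "restrict"     # "restrict": drop + count; "shutdown": err-disable
    learned: Set[str] = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

    def allows(self, src: str) -> bool:
        if self.err_disabled:
            return False
        if src in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(src)           # dynamically learned secure MAC
            return True
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

class Switch:
    def __init__(self, ports: List[str], cam_size: int,
                 secured: Optional[Dict[str, PortSecurity]] = None) -> None:
        self.ports = ports
        self.cam_size = cam_size
        self.cam: "OrderedDict[str, str]" = OrderedDict()   # MAC -> port, oldest first
        self.secured = secured or {}
        self.flooded = 0                                     # unknown-unicast floods

    def _learn(self, mac: str, port: str) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)    # table full: the oldest entry is overwritten
        self.cam[mac] = port

    def forward(self, frame: Frame) -> List[str]:
        """Egress ports for the frame; [] when it is filtered or dropped."""
        ps = self.secured.get(frame.in_port)
        if ps is not None and not ps.allows(frame.src):
            return []
        self._learn(frame.src, frame.in_port)
        out = self.cam.get(frame.dst)
        if out is None:                     # unknown destination: flood the VLAN
            self.flooded += 1
            return [p for p in self.ports if p != frame.in_port]
        return [] if out == frame.in_port else [out]

def scenario(port_security: bool) -> Dict[str, object]:
    """Hosts A, B, C on Fa0/1..Fa0/3; C then sources a burst of frames with changing MACs."""
    secured = {"Fa0/3": PortSecurity(max_macs=1)} if port_security else None
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=3, secured=secured)
    a, b, c = "00:00:ca:fe:00:01", "00:00:ca:fe:00:02", "00:00:ca:fe:00:03"
    sw.forward(Frame(a, b, "Fa0/1"))
    sw.forward(Frame(b, a, "Fa0/2"))
    sw.forward(Frame(c, a, "Fa0/3"))
    for i in range(20):                     # constructed churn from port Fa0/3
        sw.forward(Frame(f"02:00:00:00:00:{i:02x}", f"02:00:00:00:01:{i:02x}", "Fa0/3"))
    egress = sw.forward(Frame(a, b, "Fa0/1"))   # does A's traffic to B stay unicast?
    ps = sw.secured.get("Fa0/3")
    return {"egress": egress, "leaked_to_fa0_3": "Fa0/3" in egress,
            "violations": ps.violations if ps else 0, "floods": sw.flooded}

if __name__ == "__main__":
    print("no port security :", scenario(False))
    print("port security    :", scenario(True))
```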
Unknown Unicast Flooding Protection
Some switches ship with a mechanism that can protect an entire VLAN from unicast flooding’s negative effects.
This mechanism is known as unicast flood protection. As already shown, when no entry corresponds to a
frame’s destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within the
respective VLAN, which causes flooding. Limited flooding is part of the normal switching process, but
continuous flooding causes adverse performance effects on the network. The unicast flood protection feature
can send an alert when a user-defined rate limit has been exceeded. It can also filter the traffic or shut down
the port generating the floods when it detects unknown unicast floods exceeding a certain threshold.
Attacking the Spanning Tree Protocol
Attack 1: Taking Over the Root Bridge
Taking over a root bridge is probably one of the most disruptive attacks. By
default, a LAN switch takes any BPDU sent from Yersinia at face value. Keep in mind that STP is trustful,
stateless, and does not provide a solid authentication mechanism. The default STP bridge priority is 32768.
Once in root attack mode, Yersinia sends a BPDU every 2 seconds with the same priority as the current root
bridge, but with a slightly numerically lower MAC address, which ensures it a victory in the root-bridge election
process.
Countermeasure - 1
Root Guard
The root guard feature ensures that the port on which root guard is enabled is the designated port. Normally,
root bridge ports are all designated ports, unless two or more ports of the root bridge are connected. If the
bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a
root-inconsistent state. This root-inconsistent state is effectively equal to a listening state. No traffic is
forwarded across this port. In this way, root guard enforces the position of the root bridge.
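As an added example (not code from the course or from any vendor), the root election and the root guard reaction described in the two sections above, modelled in Python: the bridge with the numerically lowest (priority, MAC) pair wins, so a BPDU carrying the root's priority and a slightly lower MAC would win on an unprotected port, while a root guard port refuses it and goes root-inconsistent and a BPDU guard port goes err-disabled. All bridge IDs and MAC addresses are constructed values.

```python
# Added example (not from the course slides): a minimal model of the STP
# root election and of how root guard and BPDU guard react to a BPDU that
# would change the root. All bridge IDs and MAC addresses below are
# constructed for the demonstration.
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # default STP bridge priority, as stated on the slide


@dataclass(frozen=True)
class BridgeId:
    priority: int  # bridge priority (default 32768)
    mac: str       # bridge MAC address in Cisco dotted form, e.g. "0000.0c11.2233"

    def key(self):
        # The election compares priority first and the MAC address second;
        # the numerically lowest (priority, MAC) pair wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))

    def is_superior_to(self, other):
        return self.key() < other.key()


def elect_root(bridges):
    """Return the bridge ID that wins the root election among `bridges`."""
    return min(bridges, key=BridgeId.key)


def port_reaction(guard, current_root, advertised_root):
    """Decide what a switch port does with a received BPDU.

    guard: None (plain port), "root" (root guard) or "bpdu" (BPDU guard).
    Returns (port_state, root_after), where root_after is the root bridge
    this switch believes in after processing the BPDU.
    """
    if guard == "bpdu":
        # BPDU guard: any BPDU at all puts the port into err-disable.
        return "err-disabled", current_root
    if advertised_root.is_superior_to(current_root):
        if guard == "root":
            # Root guard: a superior BPDU is not honoured; the port is
            # blocked (root-inconsistent) and the existing root is kept.
            return "root-inconsistent", current_root
        # Unprotected port: the switch accepts the new, "better" root.
        return "forwarding", advertised_root
    return "forwarding", current_root


def demo():
    """Run the scenario from the slide: same priority, slightly lower MAC."""
    legit_root = BridgeId(DEFAULT_PRIORITY, "0000.0c11.2233")
    other = BridgeId(DEFAULT_PRIORITY, "0000.0c11.5555")
    # A BPDU carrying the same priority as the real root but a MAC that is
    # numerically one lower (constructed value).
    rogue = BridgeId(DEFAULT_PRIORITY, "0000.0c11.2232")
    assert elect_root([legit_root, other]) == legit_root
    results = {
        "plain": port_reaction(None, legit_root, rogue),
        "root_guard": port_reaction("root", legit_root, rogue),
        "bpdu_guard": port_reaction("bpdu", legit_root, rogue),
    }
    for name, (state, root) in results.items():
        print(f"{name:10s} -> port {state:17s} root {root.mac}")
    return results


if __name__ == "__main__":
    demo()
```

The point of the three-way comparison is where the protection sits: root guard only reacts to a BPDU that would actually change the root, so it belongs on designated ports facing other switches, whereas BPDU guard reacts to any BPDU and belongs on ports where no switch should ever be.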
Countermeasure - 2
BPDU-Guard
The BPDU-guard feature allows network designers to enforce the STP domain borders and keep the active
topology predictable. Devices behind ports with BPDU-guard enabled are unable to influence the STP
topology. Such devices include hosts running Yersinia, for example. At the reception of a BPDU, BPDU-guard
disables the port. BPDU-guard transitions the port into the errdisable state, and a message is generated.
Attacking the Spanning Tree Protocol
Attack 2: DoS Using a Flood of Config BPDUs
Attack number 2 in Yersinia (sending conf BPDUs) is extremely potent. With
the cursors GUI enabled, Yersinia generated roughly 25,000 BPDUs per second on our test machine. This
seemingly low number is more than sufficient to bring a Catalyst 6500 Supervisor Engine 720 running
12.2(18)SXF down to its knees, with 99 percent CPU utilization on the switch processor.
Countermeasure - 1
BPDU-Guard
BPDU-guard was introduced in the previous section. Because it completely prevents BPDUs from entering the
switch on the port on which it is enabled, the setting can help fend off this type of attack.
Countermeasure - 2
BPDU Filtering
There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This
feature silently discards both incoming and outgoing BPDUs. Although extremely efficient against a brute-force
DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot.
Countermeasure - 3
Attacking the Spanning Tree Protocol
Attack 3: DoS Using a Flood of Config BPDUs
Closely resembling the previous attack, this attack continuously generates
TCN BPDUs, forcing the root bridge to acknowledge them. What’s more, all bridges down the tree see the
TC-ACK bit set and accordingly adjust their forwarding table’s timers; this results in a wider impact to the
switched network. When the TC bit is set in BPDUs, switches adjust their bridging table’s aging timer to
forward_delay seconds. The protection is the same as before: BPDU-guard or filtering.
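As an added example (not code from the course or from Cisco), a short Python audit of a switch configuration for the protections covered in the port security section and in the STP countermeasures above: port security with one MAC and a restrict action, BPDU guard on PortFast ports, the BPDU filter caveat, and a port still willing to negotiate a trunk. The running-config excerpt is constructed in IOS style for the demonstration; the checks encode what the text recommends, not a vendor tool.

```python
# Added example (not from the course slides): audit a switch running-config
# for the access-port protections discussed above. The configuration text
# and interface names are constructed for the demonstration.

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config_text):
    """Map each interface name to the list of its (stripped) config lines."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None          # end of the interface block
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines):
    """Return a list of findings for one interface."""
    findings = []

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    mode_line = next((l for l in lines if l.startswith("switchport mode ")), None)
    mode = mode_line.split()[2] if mode_line else None

    # Switch spoofing: a port that negotiates (DTP) can become a trunk.
    if mode is None or mode == "dynamic":
        findings.append("DTP negotiation possible: a host could negotiate a trunk and reach all VLANs")
    elif mode == "trunk" and not has("switchport nonegotiate"):
        findings.append("trunk still sends DTP: add 'switchport nonegotiate'")

    if mode == "access":
        if "switchport port-security" not in lines:
            findings.append("no port security: MAC flooding and spoofing are not contained")
        else:
            max_line = next((l for l in lines if l.startswith("switchport port-security maximum ")), None)
            maximum = int(max_line.split()[-1]) if max_line else 1   # IOS default is 1
            if maximum > 1:
                findings.append(f"port-security maximum {maximum}: a single-host port should allow one MAC")
            if has("switchport port-security violation protect"):
                findings.append("violation mode 'protect' drops silently; 'restrict' also counts and logs the event")
        if has("spanning-tree portfast") and not has("spanning-tree bpduguard enable"):
            findings.append("PortFast without BPDU guard: a host can inject BPDUs into the STP domain")

    # BPDU filtering discards BPDUs in both directions and hides loops.
    if has("spanning-tree bpdufilter enable"):
        findings.append("BPDU filter enabled: a loop through this port would go undetected")
    return findings


def audit_config(config_text):
    """Audit every interface; returns {interface: [findings]}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Running it against the sample reports nothing for the hardened host port and the non-negotiating uplink, and one line per weakness for the other three ports; the same parser can be pointed at a real `show running-config` dump.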
Attacking the Spanning Tree Protocol
Attack 4: Simulating a Dual-Homed Switch
Yersinia can take advantage of computers equipped with two Ethernet cards
to masquerade as a dual-homed switch.
VLAN Hopping by Switch Spoofing
An attacker tricks a network switch into believing that it is a legitimate switch on the network needing
trunking.
Auto trunking allows the rogue station to become a member of all VLANs.
Spoofing the DHCP Server
An attacker activates a DHCP server on a network segment.
The client broadcasts a request for DHCP configuration information.
The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP
configuration information.
Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP
address provided to the client.
Exploiting IPv4 ARP
Gratuitous ARP
When ARP was designed, the Ethernet adapters were not reliable. Then, when a host had a new MAC address
because its Ethernet adapter was replaced, it should have sent an unsolicited ARP reply to force an update on
all ARP tables in the other hosts. Below, host B changes its MAC address to 0000.BABE.0000 and sends an
unsolicited ARP reply to the broadcast address FFFF.FFFF.FFFF to tell hosts on the Ethernet segment to change
their binding for host B.
Risk Analysis for ARP
No authentication. Host B does not sign the ARP reply, and there is no integrity provided to the ARP reply.
Information leak. All hosts in the same Ethernet VLAN learn the mapping of host A. Moreover, they discover
that host A wants to talk to host B.
Availability issue. All hosts in the same Ethernet LAN receive the ARP request (sent in a broadcast frame) and
have to process it. A hostile attacker could send thousands of ARP request frames per second, and all hosts on
the LAN have to process these frames. This wastes network bandwidth and CPU time.
Mitigating an ARP Spoofing Attack
An ARP spoofing attack is severe because it breaks the wrong, but widespread, assumption that sniffing is
not possible in a switched environment.
• Layer 3 switch. Can leverage the official mapping learned from DHCP and can later drop all spoofed ARP
replies based on the official mapping.
• Host. Can ignore the gratuitous ARP packets.
• Intrusion detection systems (IDS). Can keep state about all mappings and detect whether someone tries
to change an existing mapping.
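As an added example (not code from the course or from any switch vendor), the "official mapping learned from DHCP" idea from the Layer 3 switch bullet above, together with the rogue DHCP server scenario from the DHCP spoofing section, modelled in Python: server messages are only accepted from trusted ports, ACKs on trusted ports build an IP-to-MAC-to-port binding table, and ARP sender fields on untrusted ports are checked against that table (plus a static entry for the gateway). Port names, MAC and IP addresses and the event sequence are constructed.

```python
# Added example (not from the course slides): a simplified model of how a
# Layer 3 switch can use the DHCP-learned mapping to reject a rogue DHCP
# server and spoofed ARP replies. Port names, MAC and IP addresses are
# constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    port: str


class SnoopingInspector:
    def __init__(self, trusted_ports, static_bindings=None):
        self.trusted = set(trusted_ports)          # ports where a DHCP server may answer
        self.bindings = {}                         # ip -> Binding learned from DHCP
        for ip, (mac, port) in (static_bindings or {}).items():
            self.bindings[ip] = Binding(mac, ip, port)   # e.g. the real default gateway
        self.pending = {}                          # client_mac -> port it was seen on
        self.log = []

    def dhcp(self, msg):
        """Process one DHCP message; return True if forwarded, False if dropped."""
        kind, port = msg["type"], msg["port"]
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[msg["client_mac"]] = port       # remember where the client sits
            return True
        # OFFER and ACK come from servers: only trusted ports may carry them.
        if port not in self.trusted:
            self.log.append(f"DROP rogue DHCP {kind} from {msg['server_ip']} on untrusted {port}")
            return False
        if kind == "ACK":
            client_port = self.pending.get(msg["client_mac"], "unknown")
            self.bindings[msg["yiaddr"]] = Binding(msg["client_mac"], msg["yiaddr"], client_port)
            self.log.append(f"BIND {msg['yiaddr']} -> {msg['client_mac']} on {client_port}")
        return True

    def arp(self, pkt):
        """Validate the sender fields of an ARP packet against the bindings."""
        if pkt["port"] in self.trusted:
            return True                                 # trusted ports are not inspected
        bound = self.bindings.get(pkt["sender_ip"])
        if bound is None:
            self.log.append(f"DROP ARP from {pkt['sender_ip']} on {pkt['port']}: no binding")
            return False
        if bound.mac != pkt["sender_mac"] or bound.port != pkt["port"]:
            self.log.append(f"DROP spoofed ARP: {pkt['sender_ip']} is bound to {bound.mac} on {bound.port}, "
                            f"seen from {pkt['sender_mac']} on {pkt['port']}")
            return False
        return True


def run_scenario():
    """Replay a constructed sequence of DHCP and ARP events."""
    insp = SnoopingInspector(trusted_ports={"Gi1/0/24"},
                             static_bindings={"10.0.0.1": ("0000.0c07.ac01", "Gi1/0/24")})
    client = "0000.1111.aaaa"
    events = [
        ("dhcp", {"type": "DISCOVER", "port": "Gi1/0/2", "client_mac": client}),
        ("dhcp", {"type": "OFFER", "port": "Gi1/0/5", "server_ip": "10.0.0.66", "client_mac": client}),
        ("dhcp", {"type": "OFFER", "port": "Gi1/0/24", "server_ip": "10.0.0.10", "client_mac": client}),
        ("dhcp", {"type": "REQUEST", "port": "Gi1/0/2", "client_mac": client}),
        ("dhcp", {"type": "ACK", "port": "Gi1/0/24", "server_ip": "10.0.0.10",
                  "client_mac": client, "yiaddr": "10.0.0.20"}),
        ("arp", {"port": "Gi1/0/2", "sender_mac": client, "sender_ip": "10.0.0.20"}),        # legitimate
        ("arp", {"port": "Gi1/0/5", "sender_mac": "0000.bad0.bad0", "sender_ip": "10.0.0.1"}),   # gateway claim
        ("arp", {"port": "Gi1/0/5", "sender_mac": "0000.bad0.bad0", "sender_ip": "10.0.0.20"}),  # client claim
    ]
    verdicts = [insp.dhcp(m) if k == "dhcp" else insp.arp(m) for k, m in events]
    return insp, verdicts


if __name__ == "__main__":
    inspector, verdicts = run_scenario()
    print(verdicts)
    print("\n".join(inspector.log))
```

The two ARP drops at the end are the gratuitous-ARP case from the ARP section: the sender claims an address whose official binding names a different MAC on a different port, so the mapping change is rejected instead of overwriting every host's ARP cache.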
IEEE 802.1AE
IEEE 802.1AE is a standards-based Layer 2 encryption specification, enabling wire-rate encryption at gigabit
(Gb) speeds. It provides for cryptographic confidentiality and integrity of all communications (that is, control,
data, and management frames) between two adjacent 802.1AE-capable Layer 2 Ethernet ports.
Shadow User in 802.1x Authentication
Shadow hosts blocked by 802.1AE
IPv6 Security
IPv6 Security Myths
Reason:
• RFC 4294 - IPv6 Node Requirements: IPsec MUST
Reality:
• RFC 6434 - IPv6 Node Requirements: IPsec SHOULD
• IPsec available. Used for security in IPv6 protocols
IPv6 Security Myths
Reason:
• End-2-End paradigm. Global addresses. No NAT
Reality:
• Global addressing does not imply global reachability
• You are responsible for reachability (filtering)
IPv6 Security Myths
Reason:
• Common LAN/VLAN use /64 network prefix
• 18,446,744,073,709,551,616 hosts
Reality:
• Brute force scanning is not possible [RFC5157]
• New scanning techniques
IPv6 Security Myths
Reason:
• Lack of knowledge about IP6
Reality:
• There are tools, threats, attacks, security patches, etc.
• You have to be prepared for IPv6 attacks
IPv6 Security Myths
Reason:
• Routing and switching work the same way
Reality:
• Whole new addressing architecture
• Many associated new protocols
IPv6 Security Myths
Reason:
• Q: “Does it support IPv6?”
• A: “Yes, it supports IPv6”
Reality:
• IPv6 support is not a yes/no question
• Features missing, immature implementations, interoperability issues
IPv6 Security Myths
Reason:
• Networks only designed and configured for IPv4
Reality:
• IPv6 available in many hosts, servers, and devices
• Unwanted IPv6 traffic. Protect your network
IPv6 Security Myths
Reason:
• Considering IPv6 completely different from IPv4
• Thinking there are no BCPs, resources or features
Reality:
• Use IP-version-independent security policies
• There are BCPs, resources and features
Conclusions
IPv6 Header #1
IP spoofing: using a fake IPv6 source address
Solution: ingress filtering and RPF
IPv6 Header #2
Covert channel: using Traffic Class and/or Flow Label
Solution: inspect packets (IDS / IPS)
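As an added example (not code from the course), the two IPv6 header checks named above carried out in Python on constructed packets: the fixed 40-byte header is parsed, the source address is checked with a strict RPF lookup against the interface it arrived on (the ingress filtering / RPF solution of slide #1), and the Traffic Class and Flow Label fields are examined for the covert channel case of slide #2. Interface names, prefixes and addresses are constructed; the flow-label check is a review heuristic, since hosts may set flow labels legitimately.

```python
# Added example (not from the course slides): parsing the fixed IPv6 header
# and applying a strict-uRPF / ingress filter on the source address plus an
# inspection of the Traffic Class and Flow Label fields. Interface names,
# prefixes and addresses are constructed for the demonstration.
import ipaddress
import struct

HDR = "!IHBB16s16s"   # version/traffic class/flow label, payload len, next hdr, hop limit, src, dst


def build_ipv6_header(src, dst, traffic_class=0, flow_label=0, next_header=59, hop_limit=64, payload_len=0):
    """Build a 40-byte IPv6 header (next header 59 = no next header)."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(HDR, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Split the fixed header into its fields."""
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(HDR, data[:40])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len, "next_header": next_header, "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
    }


def strict_urpf_ok(src, ingress_if, routes):
    """Strict uRPF: the longest-match route back to `src` must point at the ingress interface."""
    best = None
    for iface, prefixes in routes.items():
        for prefix in prefixes:
            if src in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
                best = (iface, prefix)
    return best is not None and best[0] == ingress_if


def inspect(data, ingress_if, routes):
    """Return a list of findings for one packet received on `ingress_if`."""
    h = parse_ipv6_header(data)
    findings = []
    if h["version"] != 6:
        findings.append(f"version {h['version']} is not IPv6")
    if not strict_urpf_ok(h["src"], ingress_if, routes):
        findings.append(f"source {h['src']} fails uRPF on {ingress_if} (spoofed or misrouted)")
    # Covert-channel heuristic: on an edge where hosts are expected to leave these
    # fields zero, non-zero values deserve IDS/IPS attention. Hosts following
    # RFC 6437 do set flow labels legitimately, so this is a review flag, not a drop.
    if h["flow_label"]:
        findings.append(f"non-zero flow label 0x{h['flow_label']:05x}")
    if h["traffic_class"]:
        findings.append(f"non-zero traffic class 0x{h['traffic_class']:02x}")
    return findings


# Constructed edge router: one customer prefix per interface.
ROUTES = {
    "Gi0/0": [ipaddress.IPv6Network("2001:db8:1::/48")],
    "Gi0/1": [ipaddress.IPv6Network("2001:db8:2::/64")],
}


def demo():
    """Three constructed packets, all arriving on Gi0/0."""
    pkts = {
        "legit": (build_ipv6_header("2001:db8:1::10", "2001:db8:ffff::1"), "Gi0/0"),
        "spoofed": (build_ipv6_header("2001:db8:2::5", "2001:db8:ffff::1"), "Gi0/0"),
        "covert": (build_ipv6_header("2001:db8:1::10", "2001:db8:ffff::1",
                                     traffic_class=0x2a, flow_label=0xabcde), "Gi0/0"),
    }
    return {name: inspect(data, iface, ROUTES) for name, (data, iface) in pkts.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```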
IPv6 Extension Headers
Extension Header Properties
IPsec
IPsec Modes
Security Tips
Use IPS/IDS to detect scanning
ICMPv6
ICMPv6 Error Messages
MLD (Multicast Listener Discovery)
1. Multicast-related protocol, used on the local link
2. Two versions: MLDv1 and MLDv2
3. Uses ICMPv6
4. Required by NDP and “IPv6 Node Requirements”
5. IPv6 nodes use it when joining a multicast group
MLDv1
MLDv2
MLD Threat
Flooding of MLD messages
MLD Threat
Traffic amplification
IPv6 DNS Configuration Attacks
Depending on answers to DNS queries
DHCPv6
Routing Protocol Neighbor Authentication
Securing Routing Updates
IPsec is a general solution for IPv6 communication
- In practice not easy to use
Filtering in IPv6
DDoS factors related to IPv6
Temporary solution…
IEEE 802.1x Authentication
What is 802.1x Authentication?
802.1x Terminologies
Supplicant – Client
Authenticator – Network Access Device
Authentication Server – AAA/RADIUS/TACACS+
How does it work?
802.1x transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an
authentication server by using RADIUS to carry the EAP information.
RADIUS
RADIUS – The Remote Authentication Dial In User Service
A protocol used to communicate between a network device and an authentication server or database.
Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).
802.1x Model
RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS
server).
RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
What is Machine Authentication?
The ability of a Windows workstation to authenticate under its own identity, independent of the requirement
for an interactive user session.
What is Machine Authentication used for?
Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows
Domain Controllers in order to pull down machine group policies.
Why do we care about Machine Authentication?
Pre-802.1x, this worked under the assumption that network connectivity was a given. Post-802.1x, the blocking of
network access prior to 802.1x authentication breaks the machine-based group policy model – UNLESS the
machine can authenticate using its own identity in 802.1x.
What is EAP?
EAP
EAP Methods for Client – EAP-TLS
EAP-TLS (Transport Layer Security) – default setting for the 802.1x client in Windows
EAP Methods for Client – EAP-PEAP
EAP Methods for Client – EAP-MD5
EAP with MD5
802.1x with EAP-TLS – Local Store Certificate
• Uses both user and computer certificates
• Certificates deployed through autoenrollment, Web enrollment, certificate import, or manual request using the
Certificates snap-in
• Local computer store is always available
• The user store (for a current user) is only available after a successful user logon
802.1x with EAP-TLS – Smart Card Certificate
User must enter a PIN to access the certificate on the smart card.
– PIN input is not required again on subsequent reauthentication tries such as session time-out or roaming on
wireless networks.
– When roaming out of range and back in range, the user will be re-prompted for the PIN.
802.1x with PEAP MSCHAPv2
• Password-based authentication – not all networks have a PKI deployment.
• Single sign-on (SSO).
• Enables both machine and user authentication.
• Windows logon credentials can be automatically used (default setting), or credentials can be provided by the
user.
802.1x Port Based Network Access Control
• Falls under 802.1 NOT 802.11
• This is a NETWORK standard, not a wireless standard
• Is PART of the 802.11i draft
• Provides network authentication, NOT encryption
Chapter-2: Quality of Service
Quality of Service
QoS is the ability of a network to support applications without limiting their function or performance.
What influences QoS?
Every network component influences QoS.
Parameters of QoS
• bandwidth
• delay
• delay variation (jitter)
• packet loss
QoS Evolution
[Figure: QoS evolution, from the Best Effort IP Model through the Integrated Services Model and the Differentiated
Services Model to DiffServ-Aware Traffic Engineering (DS-TE) & L2 VPN QoS, and finally QoS Intelligence &
Automation]
• Intelligent Classification Engine used in conjunction with QoS class-based features
• Protocol Discovery analyzes application traffic patterns in real time and discovers which traffic is running on the
network
[Figure: Link Utilization by application: Citrix 25%, Netshow 15%, Fasttrack 10%, FTP 30%, HTTP 20%. Mark Citrix
as interactive traffic and police FTP. Guarantee bandwidth for Citrix!]
NBAR Benefit Footprint and Hardware Support
Benefits: application classification; precise QoS treatment; application statistics for bandwidth provisioning;
top-n views; threshold settings; mapping applications to an SP’s service offering.
Enterprise Backbone: Cisco Catalyst 6500 and 7600 Series (MSFC, planned ASIC); Cisco 7100, 7200, and 7500
Series; Cisco 83x, 1700, 2600-2600XM, 3600, and 3700 Series
Enterprise Premise Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC); Cisco 7100,
7200, and 7500 Series
Service Provider Aggregation Edge: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC);
Cisco 7500 Series
Service Provider Core: Cisco Catalyst 6500 and 7600 Series (FlexWAN, MWAM, planned ASIC)
NBAR – Intelligent Classification
• IP packet classifier that is capable of classifying applications that have:
• Statically assigned TCP and UDP port numbers
• Non-TCP and non-UDP IP protocols
• Dynamically assigned TCP and UDP port numbers during connection establishment
• Classification based on deep packet inspection – NBAR’s ability to look deeper into the packet to identify
applications
• HTTP traffic by URL, host name or MIME type using regular expressions (*, ?, [ ]), Citrix ICA traffic, RTP payload
type classification
Cisco AutoQoS Uses Intelligence to Automate
Cisco AutoQoS–VoIP
Automatic QoS for VoIP Traffic
QoS Deployment for VoIP
Consistent, end-to-end QoS for VoIP
[Figure: end-to-end QoS for VoIP across the WAN]
Cisco AutoQoS-VoIP Framework
DiffServ Functions Automated
Fine tuning of AutoQoS-generated parameters by user, if desired
DiffServ Function | QoS Feature | Behavior
Classification | NBAR, DSCP, Port | Classification of VoIP based on packet attributes or port trust
Link Efficiency Mechanism | Header compression | Reduce the VoIP bandwidth requirement
Cisco AutoQoS-VoIP
Functionality & Benefits – WAN
Functionality | Benefits
Traps & Reporting | Syslog & SNMP traps provide visibility into the Classes of Service deployed, and notification of
abnormal events such as VoIP packet drops.
Cisco AutoQoS-VoIP
Functionality & Benefits – LAN
Functionality | Benefits
End-to-End Interoperability | Designed to work in harmony with the Cisco AutoQoS settings on all other Cisco
switches and routers, ensuring consistent end-to-end QoS.
Not to Forget….
Human Error is the Most Significant Contributor to Downtime
[Figure: causes of downtime. Operational errors 40% (change management, process consistency); network/platform
problems 20% (the network, operating system or hardware); software/application 40% (application bugs, i.e.
DNS, misconfiguration). Source: Gartner Group, CNET News.com, Jan 26, 2001]
AutoQoS reduces the potential for operator error.
Understanding the Complete Cisco QoS Picture
[Figure: Voice, Video and Data traffic handled by Cisco AutoQoS and the CiscoWorks QoS Policy Manager, which
sit on top of the Modular QoS CLI (MQC – The User Language); MQC drives the Cisco QoS Features in Cisco IOS
Software or Cisco Catalyst OS on a Cisco Router or Switch]
QoS Mechanisms - Marking
What is Marking?
The QoS component that "colors" a packet (frame) so it can be identified and distinguished from other
packets (frames) in QoS treatment. Once the packet is classified into a specific service class, marking the
packet header allows the core networking elements to apply the appropriate QoS technologies to the packet
in an efficient manner.
QoS Mechanisms - Marking
Marking Tools
Marking Techniques
There exist multiple packet marking techniques, including:
Layer 3:
• IPv4 IP Precedence Field
• IPv4 DiffServ Differentiated Services Field
• IPv6 DiffServ Differentiated Services Field
Layer 2:
• MPLS Exp/CoS Field
• 802.1d (802.1p+q) User Priority Field
• ISL User Priority Field
IP Precedence and DiffServ Code Points
• IPv4: the three most significant bits of the ToS byte are called IP Precedence (IPP); the other bits are unused
• DiffServ: the six most significant bits of the ToS byte are called the DiffServ Code Point (DSCP); the remaining
two bits are used for flow control
• DSCP is backward-compatible with IP Precedence; an instance of DSCP is a Per-Hop Behavior (PHB)
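As an added example (not code from the course), the Layer 3 marking fields described above handled in Python: splitting the ToS byte into its IP Precedence, DSCP and low two bits, naming the PHB a DSCP selects (EF, CSx, AFxy), showing what an IP-Precedence-only device sees for a DSCP mark (the backward compatibility the slide mentions), and re-marking DSCP without touching the low bits. The sample IPv4 header is constructed; the low two bits are labelled as the ECN field here, which is how they are used today.

```python
# Added example (not from the course slides): working with the IPv4 ToS byte
# as the slide describes it. The sample header bytes are constructed.

EF = 46  # Expedited Forwarding (DSCP 101110)


def split_tos(tos):
    """Break a ToS byte into its IP Precedence, DSCP and low two (ECN) bits."""
    return {"ipp": tos >> 5, "dscp": tos >> 2, "ecn": tos & 0b11}


def dscp_to_phb(dscp):
    """Name the Per-Hop Behavior a DSCP value selects."""
    if dscp == EF:
        return "EF"
    if dscp & 0b111 == 0:          # xxx000: Class Selector, same bits as IP Precedence
        return f"CS{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"     # Assured Forwarding class / drop precedence
    return "undefined"


def dscp_to_ipp(dscp):
    """What an IP-Precedence-only device sees for a DSCP-marked packet."""
    return dscp >> 3


def set_dscp(tos, dscp):
    """Re-mark the DSCP bits of a ToS byte while preserving the low two bits."""
    return (dscp << 2) | (tos & 0b11)


def classify_ipv4(header):
    """Read the ToS byte (second byte of the IPv4 header) and describe it."""
    tos = header[1]
    fields = split_tos(tos)
    fields["phb"] = dscp_to_phb(fields["dscp"])
    return fields


# Constructed 20-byte IPv4 header with ToS 0xB8 (DSCP 46 = EF, low bits 0);
# the checksum field is not verified by this example.
SAMPLE_HEADER = bytes.fromhex("45b8003c1c4640004006b1e6c0a80001c0a800c7")

if __name__ == "__main__":
    print(classify_ipv4(SAMPLE_HEADER))
    for d in (0, 10, 18, 34, 38, 40, 46):
        print(f"DSCP {d:2d} -> {dscp_to_phb(d):9s} seen as IPP {dscp_to_ipp(d)}")
```

The table printed by the last loop is the backward-compatibility argument in one screen: AF41 (34) and CS4 (32) both appear as precedence 4 to a device that only reads the top three bits, and EF (46) appears as precedence 5.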
QoS Mechanisms - Congestion
What is Congestion?
When the offered load exceeds the capacity of a data communication path, the resulting situation is called
congestion.
Congestion can occur at any point in the network where there are speed mismatches or link aggregations.
QoS Mechanisms - Congestion
Congestion Tools
The Impact of Congestion
Packet queues at links start to grow…
Packets start dropping
Sources start re-transmitting
Congestion Management
- Is done by queuing
- Queuing algorithms manage the front (scheduling) of a queue
- These algorithms control
- the order in which the packets are sent
- the usage of the router’s buffer space
Congestion Management
- Queuing Algorithms:
- First In First Out (FIFO)
- Priority Queuing (PQ)
- Custom Queuing (CQ)
- Weighted Fair Queuing (WFQ)
- Class-Based WFQ (CBWFQ)
- PQ-CBWFQ (LLQ)
- PQ-WFQ (IP RTP Priority)
Congestion Management – Graphical View
Queuing Algorithms – Class Based Weighted Fair Queuing (CBWFQ)
Combines the capability to guarantee bandwidth (from CQ) with the capability to dynamically ensure fairness to
other flows within a class of traffic (from WFQ).
Queuing Algorithms – Priority Queuing-WFQ (PQ-WFQ)
- Also known as IP RTP Priority Queuing
- To prioritise voice traffic (on FR, PPP)
- Create a priority queue (weight=0) + BW limit
- Essentially gives the router two WFQ systems, one for normal traffic and another for voice
- Voice is serviced as strict priority in preference to other non-voice traffic.
Queuing Algorithms – Low Latency Queuing (LLQ)
- Also known as Priority Queuing – CBWFQ
- Provides a single priority queue, like PQ-WFQ
- Guaranteed bandwidth for different traffic classes can be configured
- LLQ specifies the maximum bandwidth in kbps that a flow is assured under congestion, as opposed to the
minimum bandwidth guaranteed by CBWFQ
- Multiple priority classes are all enqueued in a single priority queue but policed and rate limited individually
- Guarantees bandwidth and restrains the flow of packets from the priority class, ensuring non-priority packets
are not bandwidth starved
Congestion Avoidance
Dropping can occur in the edge or core due to policing or buffer exhaustion.
If a queue fills up, all packets at the tail end of the queue get dropped; this is called tail-drop.
Tail-drop results in simultaneous TCP window shrinkage of a large number of sessions, resulting in “global
synchronization”.
Manage queue lengths by dropping packets when congestion is building up.
Works best with TCP-based applications, as selective dropping of packets causes the TCP windowing
mechanisms to 'throttle back' and adjust the rate of flows to manageable rates.
Congestion Avoidance – Random Early Detection (RED)
[Figure: RED functional description. Arriving packets are queued or dropped depending on the average queue
length, compared against a minimum threshold and a maximum threshold. Case 1: average queue length < min
threshold. Between the thresholds an arriving packet is dropped with probability p and queued with probability
1-p, and p grows with the average queue length.]
Advantages of RED
[Figure: Web, ERP and other traffic sharing a link, shown in the direction of traffic flow]
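As an added example (not code from the course), a small RED queue in Python implementing the behaviour sketched above: the drop probability is zero below the minimum threshold, rises linearly with the average queue length up to max_p at the maximum threshold, and is 1 beyond it, so drops are spread across flows rather than hitting every session at once as tail-drop does. Thresholds, the EWMA weight and the traffic pattern are constructed values chosen so the effect shows up in a short run.

```python
# Added example (not from the course slides): a small RED queue. Thresholds,
# weights and the traffic pattern are constructed values.
import random


def red_drop_probability(avg_len, min_th, max_th, max_p):
    """Probability of dropping one arriving packet for a given average queue length."""
    if avg_len < min_th:
        return 0.0                              # below min threshold: never drop
    if avg_len >= max_th:
        return 1.0                              # above max threshold: drop everything
    return max_p * (avg_len - min_th) / (max_th - min_th)


class RedQueue:
    def __init__(self, min_th=10, max_th=30, max_p=0.1, weight=0.2, capacity=40, seed=1):
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.weight = weight                    # EWMA weight (real routers use a much smaller one)
        self.capacity = capacity                # physical buffer: beyond it, tail drop
        self.rng = random.Random(seed)          # seeded so the run is reproducible
        self.queue, self.avg = [], 0.0
        self.random_drops = self.tail_drops = 0

    def enqueue(self, pkt):
        """Return True if the packet was queued, False if RED or tail drop discarded it."""
        # Average queue length: exponentially weighted moving average of the
        # instantaneous length, so short bursts do not trigger drops.
        self.avg = (1 - self.weight) * self.avg + self.weight * len(self.queue)
        if len(self.queue) >= self.capacity:
            self.tail_drops += 1
            return False
        p = red_drop_probability(self.avg, self.min_th, self.max_th, self.max_p)
        if p > 0 and self.rng.random() < p:
            self.random_drops += 1
            return False
        self.queue.append(pkt)
        return True

    def dequeue(self):
        return self.queue.pop(0) if self.queue else None


def simulate(arrivals_per_tick=3, departures_per_tick=2, ticks=200, **kwargs):
    """Offer 3 packets per tick to a link that can send 2: sustained congestion."""
    q = RedQueue(**kwargs)
    for t in range(ticks):
        for i in range(arrivals_per_tick):
            q.enqueue((t, i))
        for _ in range(departures_per_tick):
            q.dequeue()
    return q


if __name__ == "__main__":
    q = simulate()
    print(f"random drops={q.random_drops} tail drops={q.tail_drops} "
          f"final queue={len(q.queue)} avg={q.avg:.1f}")
```

With the offered load one packet per tick above the link rate, the queue climbs past the minimum threshold, RED starts discarding a fraction of arrivals, and once the average reaches the maximum threshold every arrival is dropped until the queue drains; that is the lever that makes TCP senders back off at different moments instead of in lockstep.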
QoS Mechanisms - Shaping
[Figure: a Central Office site connected over an FR/ATM WAN at T1/E1 to a branch site at 128 Kbps; the branch
link is the bottleneck, so shaping is applied at the central site. Traffic policing clips the traffic rate over time;
traffic shaping smooths it.]
Traffic Policing vs. Shaping #1
| Policing | Shaping
Where applicable | Ingress, Egress | Egress only
Optional packet remarking | Yes | No
Advantages | Controls output rate through drops. Avoids delays due to queuing. | Less likely to drop excess
packets. Avoids TCP retransmissions.
Disadvantages | Drops can lead to TCP retransmits | Queuing adds delay (and jitter)
Traffic Policing vs. Shaping #2
| Policing | Shaping
Token refresh rate | Continuous, based on the formula 1/CIR | Incremented at the start of a time interval.
Requires a minimum number of intervals.
Token values | Configured in bytes. Tokens leak from the bucket at the configured average rate. | Configured in
bits per second (average rate).
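As an added example (not code from the course), the two tables above turned into one Python token bucket used in both ways: as a policer, which lets through whatever the bucket can pay for at the moment of arrival and drops the rest, and as a shaper, which never drops but holds each packet until enough tokens have accumulated. The link rate, bucket depth and the ten-packet burst are constructed values; the bucket is kept in bytes for both modes for simplicity.

```python
# Added example (not from the course slides): one token bucket used as a
# policer (drop excess) and as a shaper (delay excess). Rate, bucket depth
# and the packet burst are constructed values.


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0             # tokens (bytes) credited per second
        self.burst = float(burst_bytes)        # bucket depth: largest burst allowed
        self.tokens = float(burst_bytes)       # the bucket starts full
        self.last = 0.0

    def refill(self, now):
        """Credit tokens for the time elapsed since the last update, capped at the depth."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, size, now):
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets, rate_bps, burst_bytes):
    """Policer: conforming packets pass, the rest are dropped (no queue, no delay)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    conform, exceed = [], []
    for arrival, size in packets:
        (conform if bucket.take(size, arrival) else exceed).append((arrival, size))
    return conform, exceed


def shape(packets, rate_bps, burst_bytes):
    """Shaper: never drops; delays each packet until the bucket can pay for it."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    schedule, last_release = [], 0.0
    for arrival, size in packets:
        release = max(arrival, last_release)       # FIFO: nothing leaves before its predecessor
        bucket.refill(release)
        if bucket.tokens < size:                   # wait until enough tokens have accumulated
            release += (size - bucket.tokens) / bucket.rate
            bucket.refill(release)
        bucket.tokens -= size
        last_release = release
        schedule.append((arrival, release, size))  # (arrival time, departure time, bytes)
    return schedule


# Constructed burst: ten 1500-byte packets arriving at once on a 64 kbps link
# with a 3000-byte bucket.
BURST = [(0.0, 1500)] * 10
RATE_BPS, BC_BYTES = 64_000, 3000

if __name__ == "__main__":
    conform, exceed = police(BURST, RATE_BPS, BC_BYTES)
    print(f"policer: {len(conform)} conform, {len(exceed)} dropped")
    for arrival, release, size in shape(BURST, RATE_BPS, BC_BYTES):
        print(f"shaper: {size} B arrived {arrival:.3f}s sent {release:.4f}s (delay {release - arrival:.4f}s)")
```

On the same burst the policer passes two packets and drops eight; the shaper sends the same two immediately and releases the remaining eight one every 0.1875 s (1500 bytes at 8000 bytes/s), the last one 1.5 s after arrival, which is the "less likely to drop" versus "queuing adds delay" trade-off from the first table.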
Putting It All Together - Packet Path
[Figure: packet path through a router. 1. Packets coming in; 2. Classification: the packet carries classification
information; 3. Policing/Marking (optional pre-queuing operator); 4. Shaping/Queuing (queues and scheduler);
5. Payload/Header Compression (optional post-queuing operator).]
Putting it All Together – Queue Definition
[Figure: packets entering a queue; compressed header of 2-5 bytes]
Payload of a VoIP packet ~ 20 bytes, but IP + UDP + RTP headers ~ 40 bytes (uncompressed)!!
For links ≤ 768 kbps serialization delay is a major factor affecting latency and jitter.
For such slow links, large data packets need to be fragmented and interleaved with smaller, more urgent voice
packets.
Stateless vs. Stateful QoS Solutions
Stateless solutions – routers maintain no fine-grained state about traffic. Example: DiffServ
- scalable, robust
- weak services
Stateful solutions – routers maintain per-flow state. Example: IntServ
- powerful services
- guaranteed services + high resource utilization
- fine-grained differentiation
Stateful Solution Complexity
[Figure: data path with per-flow classification, per-flow buffer management and per-flow scheduling, each relying
on per-flow state]
Question
Can we provide reduced-state services, i.e., maintain state only for larger granular flows rather than end-to-end
flows?
Yes: Diff-Serv
Differentiated Services Architecture (RFC 2274, RFC 2275)
[Figure: Traffic Classification and Conditioning (TCB) – classification, marking, policing – at the edge, and Per-Hop
Behavior (PHB) – queuing, dropping – at each hop]
IntServ/DiffServ Integration
[Figure: RSVP installed on the interfaces of the edge routers; CBWFQ performs classification, policing and
scheduling; core routers operate in a DiffServ domain. An enterprise campus and a remote branch are connected
through a service provider, with DSL and cable access.]
Support for further granularity. For example, police aggregate TCP traffic to 10 Mb/s but simultaneously police
aggregate FTP traffic to 1 Mb/s and HTTP traffic to 3 Mb/s.
Chapter-3: Network Services
First Hop Redundancy Protocol
The Need for First-Hop Redundancy
• Network hosts are configured with a single default gateway IP address
• If the router whose IP address serves as the default gateway to the network host fails, a network host will be
unable to send packets to another subnet
The Need for First-Hop Redundancy
• With first-hop router redundancy, a set of routers or Layer 3 switches work together to present the illusion of a
single virtual router to the hosts on the LAN.
• By sharing an IP address and a MAC (Layer 2) address, two or more routers can act as a single “virtual” router
HSRP
HSRP Overview
• When frames are to be sent from the workstation to the default gateway, the workstation uses ARP to resolve
the MAC address that is associated with the IP address of the default gateway.
• The ARP resolution will return the MAC address of the virtual router.
• Frames that are sent to the MAC address of the virtual router can then be physically processed by an active
router that is part of that virtual router group.
• The physical router that forwards this traffic is transparent to the network hosts.
• The redundancy protocol provides the mechanism for determining which router should take the active role in
forwarding traffic and determining when that role must be taken over by a standby router.
HSRP Overview
When the forwarding router or a link to it fails:
• The standby router stops seeing hello messages from the forwarding router.
• The standby router assumes the role of the forwarding router.
• As the new forwarding router assumes both the IP and MAC addresses of the virtual router, the end stations
see no disruption in service.
HSRP Overview
• HSRP active and standby routers send hello messages to multicast address 224.0.0.2 (all routers) for Version 1,
or 224.0.0.102 for Version 2, using User Datagram Protocol (UDP) port 1985.
• Hello messages are used to communicate between routers in the HSRP group.
• All the routers in the HSRP group need to be L2 adjacent so that hello packets can be exchanged.
HSRP Router Roles
All the routers in an HSRP group have specific roles and interact in specific manners:
■ Virtual router
• An IP and MAC address pair that end devices have configured as their default gateway.
• The active router processes all packets and frames sent to the virtual router address.
• The virtual router processes no physical frames. There is one virtual router in an HSRP group.
HSRP Router Roles
■ Active router
• Within an HSRP group, one router is elected to be the active router.
• The active router physically forwards packets sent to the MAC address of the virtual router.
• There is one active router in an HSRP group.
HSRP Router Roles
■ Standby router
• Listens for periodic hello messages. When the active router fails, the other HSRP routers stop seeing hello
messages from the active router.
• The standby router then assumes the role of the active router. There is one standby router in an HSRP group.
HSRP Router Roles
■ Other routers
• There can be more than two routers in an HSRP group, but only one active and one standby router is possible.
• The other routers remain in the initial state, and if both the active and standby routers fail, all routers in the
group contend for the active and standby router roles.
HSRP Active Router Operation
• Router A assumes the active role and forwards all frames addressed to the assigned HSRP MAC address of
0000.0c07.acxx, where xx is the HSRP group identifier.
HSRP State Transition
• When two routers participate in an election process, a priority can be configured to determine which router
should become active.
• Without specific priority configuration, each router has a default priority of 100, and the router with the
highest IP address is elected as the active router.
HSRP State Transition
• Regardless of other router priorities or IP addresses, an active router will stay active by default.
• A new election will occur only if the active router is removed.
• When the standby router is removed, a new election is made to replace the standby router.
• This behavior can change with the preempt option.
Forwarding Through the Active Router
Aligning HSRP with STP Topology
Load Sharing with HSRP
The Need for Interface Tracking with HSRP
• HSRP can track interfaces or objects and decrement priority if an interface or object fails.
• Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the
availability of the router interfaces.
• When a tracked interface becomes unavailable, the HSRP priority of the router is decreased.
The Need for Interface Tracking with HSRP
• When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface
will relinquish the active router role.
• When the conditions that are defined by the object are fulfilled, the router priority remains the same.
• As soon as the verification that is defined by the object fails, the router priority is decremented.
• The amount of decrease can be configured.
• The default value is 10.
HSRP Interface Tracking
• HSRP has a built-in mechanism for detecting link failures and starting the HSRP reelection process.
HSRP with Interface Tracking On
HSRP Tracking Configuration Arguments
HSRP and Object Tracking
HSRP With Object Tracking
Tracked objects
• Tracked objects offer a vast group of possibilities.
• A few options that are commonly available include the following:
An interface
• This performs a similar function to the HSRP interface tracking mechanism, but with advanced features. This tracking object can not only verify the interface status (line protocol) but also whether IP routing is enabled, whether an IP address is configured on the interface, and whether the interface state is up, before reporting to the tracking client that the interface is up.
IP route
• A tracked IP-route object is considered up and reachable when a routing table entry exists for the route and the route is accessible. To provide a common interface to tracking clients, route metric values are normalized to the range of 0 to 255, where 0 is connected and 255 is inaccessible. You can track route reachability, or even metric values, to determine best-path values to the target network.
Tuning HSRP Timers
• By default, the HSRP hello time is 3 seconds, and the hold time is 10 seconds, which means that the failover time could be as much as 10 seconds for clients to start communicating with the new default gateway.
• In some cases, this interval may be excessive for application support.
• The hello-time and the hold-time parameters are configurable.
• To configure the time between the hello messages and the time before other group routers declare the active or standby router to be nonfunctioning, enter this command in interface configuration mode:
• Switch(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime
HSRP Versions
There are two HSRP versions available on most Cisco routers and Layer 3 switches: HSRPv1 and HSRPv2.
• Version 1 is the default version on Cisco IOS devices.
• HSRPv2 allows group numbers up to 4095, thus allowing you to use the VLAN number as the group number.
• HSRP Version 2 must be enabled on an interface before HSRP IPv6 can be configured.
• HSRP Version 2 will not interoperate with HSRP Version 1.
• All devices in an HSRP group must have the same version configured; otherwise, the hello messages are not understood.
VRRP
Configuring Layer 3 Redundancy with VRRP
Upon completing this section, you will be able to do the following:
• Describe the idea behind VRRP
• Configure and verify VRRP
• Describe the differences between HSRP and VRRP
• Describe tracking options with VRRP
• Configure VRRP interface object tracking
About VRRP
• VRRP is an open standard alternative to HSRP.
• VRRP is similar to HSRP, both in operation and configuration.
• The VRRP master is analogous to the HSRP active gateway, and the VRRP backup is analogous to the HSRP standby gateway.
• A VRRP group has one master device and one or multiple backup devices.
• The device with the highest priority is the elected master. Priority can be a number between 0 and 255.
• Priority value 0 has a special meaning; it indicates that the current master has stopped participating in VRRP.
• This setting is used to trigger backup devices to quickly transition to master without having to wait for the current master to time out.
• VRRP differs from HSRP in that it allows you to use an address of one of the physical VRRP group members as the virtual IP address.
• In this case, the device that owns that physical address is the VRRP master whenever it is available.
• The master is the only device that sends advertisements (analogous to HSRP hellos).
• Advertisements are sent to the 224.0.0.18 multicast address, IP protocol number 112.
• The default advertisement interval is 1 second. The default hold time is 3 seconds.
• HSRP, in comparison, has the default hello timer set to 3 seconds and the hold timer to 10 seconds.
• As with HSRP, load sharing is also available with VRRP: multiple virtual router groups can be configured.
• Contrary to HSRP, preemption is enabled by default with VRRP.
HSRP and VRRP Differences
Configuring VRRP and Spotting the Differences from HSRP
IP Addressing for the VRRP Configuration
GLBP
Introducing GLBP
• GLBP shares some concepts with VRRP and HSRP, but the terminology differs, and its behavior is more dynamic and robust.
• Although HSRP and VRRP provide gateway resiliency, only the active router within the group forwards the traffic for the virtual MAC.
• HSRP and VRRP can accomplish load sharing by manually specifying multiple groups and assigning multiple default gateways.
• GLBP is a Cisco proprietary solution that allows for automatic selection and simultaneous use of multiple available gateways, in addition to automatic failover between those gateways.
• Multiple routers share the load of packets that, from a client’s perspective, are sent to a single default gateway address.
• There is also no need to configure a specific gateway address on an individual host. All hosts can use the same default gateway.
GLBP Roles
• GLBP routers are divided into two roles: a gateway and a forwarder.
• GLBP AVG (active virtual gateway)
• Members of a GLBP group elect one gateway to be the AVG for that group.
• Other group members provide a backup for the AVG when the AVG becomes unavailable; these will be in standby state.
• The AVG assigns a virtual MAC address to each member of the GLBP group.
• The AVG listens to the ARP requests for the default gateway IP and replies with a MAC address of one of the GLBP group members, thus load sharing traffic among all the group members.
• GLBP AVF (active virtual forwarder)
• Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address that is assigned to that gateway by the AVG.
• These gateways are known as AVFs. There can be up to four forwarders within a GLBP group.
• All other devices will be secondary forwarders, serving as backup if the current AVF fails.
• Forwarders that are forwarding traffic for a specific virtual MAC are in the active state and are called AVFs. Forwarders that are serving as backups are in the listen state.
Comparing GLBP to HSRP
GLBP States
GLBP States (Gateway)
Following are the possible virtual gateway states:
• Disabled: The virtual IP address has not been configured or learned, but there is some GLBP configuration.
• Initial: The virtual IP address has been configured or learned, but configuration is not complete. The interface must be operational on Layer 3 and configured to route IP.
• Listen: The virtual gateway is receiving hello packets. It is ready to change to speak state if the active or standby virtual gateway becomes unavailable.
• Speak: The virtual gateway is trying to become the active or standby virtual gateway.
• Standby: This gateway is next in line to be the active virtual gateway.
• Active: This gateway is the AVG, and is responsible for responding to ARP requests for the virtual IP address.
GLBP States (Forwarder)
The following are the possible virtual forwarder states:
• Disabled: The virtual MAC address has not been assigned or learned. The disabled virtual forwarder will be deleted shortly. This state is transitory only.
• Initial: The virtual MAC address is known but configuration of the virtual forwarder is not complete. The interface must be operational on Layer 3 and configured to route IP.
• Listen: This virtual forwarder is receiving hello packets and is ready to change to the active state if the active virtual forwarder becomes unavailable.
• Active: This gateway is the AVF, and is responsible for forwarding packets sent to the virtual forwarder’s MAC address.
Configuring and Verifying GLBP
IP Addresses Used in GLBP Configuration
The Virtual MAC Addresses of GLBP
• The virtual MAC addresses of GLBP are in the form 0007.b4XX.XXYY.
• XXXX is a 16-bit value that represents six 0 bits, followed by a 10-bit GLBP group number.
• YY is an 8-bit value, and it represents the virtual forwarder number.
• The AVG assigned forwarder 1 the virtual MAC address 0007.b400.0101 and forwarder 2 the virtual MAC address 0007.b400.0102.
GLBP Final Configuration
GLBP Operation (ARP Request)
GLBP Operation (ARP Reply)
GLBP Operation (Traffic Flow)
GLBP Operations: Failed R1 New Data Path
GLBP Load-Balancing Options
GLBP supports the following operational modes for load balancing traffic across multiple default routers that are servicing the same default gateway IP address:
• Weighted load-balancing algorithm
• The amount of load that is directed to a router depends on the weighting value that is advertised by that router.
• Host-dependent load-balancing algorithm
• A host is guaranteed the use of the same virtual MAC address as long as that virtual MAC address is participating in the GLBP group.
• Round-robin load-balancing algorithm
• As clients send ARP requests to resolve the MAC address of the default gateway, the reply to each client contains the MAC address of the next possible router in a round-robin fashion. The MAC addresses of all routers take turns being included in address resolution replies for the default gateway IP address.
• To configure the load-balancing option, use the following command:
• Switch(config-if)# glbp group load-balancing [round-robin | weighted | host-dependent]
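Added example, not part of the slides or of Cisco's implementation, covering both the virtual MAC format and the load-balancing options above: it encodes and decodes the 0007.b4XX.XXYY virtual MAC and simulates how the AVG answers ARP requests under the round-robin, weighted and host-dependent algorithms. Host MACs and weights are constructed values, and the CRC32 host hash is an assumption, since the slides do not say which hash Cisco uses.

```python
"""GLBP AVG behaviour: virtual MAC assignment and ARP-reply load balancing."""
import zlib

MAX_FORWARDERS = 4   # up to four AVFs per GLBP group


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Encode 0007.b4XX.XXYY: XXXX = six 0 bits + 10-bit group, YY = forwarder number."""
    if not 0 <= group <= 0x3FF:
        raise ValueError("GLBP group number must fit in 10 bits")
    if not 1 <= forwarder <= MAX_FORWARDERS:
        raise ValueError("forwarder number must be 1..4")
    raw = bytes([0x00, 0x07, 0xB4]) + group.to_bytes(2, "big") + bytes([forwarder])
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_glbp_virtual_mac(mac: str):
    """Return (group, forwarder) for a GLBP virtual MAC, or None if it is not one."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", ""))
    if len(raw) != 6 or raw[:3] != bytes([0x00, 0x07, 0xB4]):
        return None
    group = int.from_bytes(raw[3:5], "big")
    if group > 0x3FF:            # the top six bits of XXXX must be zero
        return None
    return group, raw[5]


class ActiveVirtualGateway:
    """The AVG assigns one virtual MAC per forwarder and answers ARP requests for
    the virtual IP with one of them, chosen by the configured algorithm."""

    def __init__(self, group: int, mode: str, weights):
        if mode not in ("round-robin", "weighted", "host-dependent"):
            raise ValueError(mode)
        self.mode = mode
        # forwarder number -> (virtual MAC, advertised weight)
        self.forwarders = {n: (glbp_virtual_mac(group, n), w)
                           for n, w in enumerate(weights, start=1)}
        self._turn = 0   # position in the round-robin / weighted schedule

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC placed in the ARP reply sent to host_mac."""
        entries = sorted(self.forwarders.items())
        if self.mode == "round-robin":
            mac = entries[self._turn % len(entries)][1][0]
            self._turn += 1
            return mac
        if self.mode == "weighted":
            # Each forwarder gets a share of replies proportional to its weight.
            total = sum(w for _, (_, w) in entries)
            slot = self._turn % total
            self._turn += 1
            for _, (mac, w) in entries:
                if slot < w:
                    return mac
                slot -= w
        # host-dependent: a stable hash of the host MAC always yields the same AVF.
        # Assumption: CRC32 is used here; the hash Cisco uses is not specified above.
        idx = zlib.crc32(bytes.fromhex(host_mac.replace(":", ""))) % len(entries)
        return entries[idx][1][0]


def distribute(avg: ActiveVirtualGateway, hosts):
    """Answer one ARP request per host and return the replies in order."""
    return [avg.arp_reply(h) for h in hosts]


if __name__ == "__main__":
    hosts = ["00:11:22:33:44:55", "00:11:22:33:44:66",
             "00:11:22:33:44:77", "00:11:22:33:44:88"]       # constructed host MACs
    for mode, weights in (("round-robin", [1, 1]), ("weighted", [3, 1]),
                          ("host-dependent", [1, 1])):
        print(mode, distribute(ActiveVirtualGateway(1, mode, weights), hosts * 2))
```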
GLBP Authentication
• The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
• The key string cannot exceed 100 characters in length.
The following example demonstrates the configuration for GLBP authentication:
• Router(config)# interface Ethernet0/1
• Router(config-if)# ip address 192.0.0.1 255.255.255.0
• Router(config-if)# glbp 1 authentication md5 key-string d00b4r987654323hg
• Router(config-if)# glbp 1 ip 192.0.0.10
GLBP and STP
• With some switching topologies, the operation of STP results in inefficient traffic paths.
• In such cases, implementation of HSRP might be preferred over GLBP because it is easier to understand, whereas GLBP provides no advantages.
Tracking and GLBP
• Changing the weight affects the AVF election and the load-balancing algorithm.
• Both values can be manipulated with object tracking.
GLBP Weight
• GLBP uses a weighting scheme to determine the forwarding capacity of each router in the GLBP group.
• The weighting that is assigned to a router in the GLBP group can be used to determine whether it will forward packets and, if so, the proportion of hosts in the LAN for which it will forward packets.
• Thresholds can be set to disable forwarding when the weighting for a GLBP group falls below a certain value, and when it rises above another threshold, forwarding is automatically reenabled.
• By default, the GLBP virtual forwarder preemptive scheme is enabled with a delay of 30 seconds.
• A backup virtual forwarder can become the AVF if the current AVF weighting falls below the low weighting threshold for 30 seconds.
• To disable the GLBP forwarder preemptive scheme, use the no glbp forwarder preempt command or change the delay by using the glbp forwarder preempt delay minimum command.
GLBP Tracking Detects Interface Failure
GLBP Weighting Option Under Failures
Summary
• The redundancy protocol provides the mechanism for determining which router should take the active role in forwarding traffic and determining when that role must be taken over by a standby router.
• HSRP is a Cisco proprietary protocol, whereas VRRP is an industry standard for virtual routing gateways.
• HSRP Version 1 and Version 2 active and standby routers send hello messages to multicast address 224.0.0.2 for Version 1 and 224.0.0.102 for Version 2 on UDP port 1985.
• It is important that the configured active router is the same device as the STP root bridge.
• HSRP and VRRP use the VLAN load-balancing mechanism for load balancing.
• With the new RFC, only the Cisco implementation of VRRP supports VRRP authentication.
• GLBP, by default, provides the virtual gateway and load balancing via multiple virtual MAC addresses.
• Review all the configuration examples and troubleshooting steps for better understanding and for exam preparation.
Network Time Protocol (NTP)
What is NTP?
Importance of NTP
About NTP
• NTP is the perfect solution for keeping the time and date up to date on all devices. NTP uses UDP as its transport layer protocol, with port number 123.
Types of Clock
• 1 – Software Clock
• 2 – Hardware Clock
Software Clock
Hardware Clock
NTP Modes
Server Mode
NTP Client Mode
NTP Symmetric Active Mode
Server Mode
In this mode, devices operate as an NTP server and serve as the time source for clients.
NTP Client Mode
NTP Symmetric Active Mode
DHCPv4
DHCPv4 Operation
Configuring a DHCPv4 Server
A Cisco router running the Cisco IOS software can be configured to act as a DHCPv4 server. To set up DHCP:
1. Exclude addresses from the pool.
2. Set up the DHCP pool name.
3. Define the range of addresses and subnet mask. Use the default-router command for the default gateway. Optional parameters that can be included in the pool: dns-server, domain-name.
Verifying a DHCPv4 Server
• Commands to verify DHCP:
• show running-config | section dhcp
• show ip dhcp binding
• show ip dhcp server statistics
• On the PC, issue the ipconfig /all command.
DHCPv4 Relay
DHCPv6
SLAAC and DHCPv6
SLAAC Operation
SLAAC Option
DHCPv6 Operations
Stateful DHCPv6
Chapter-4: Network Address Translation (NAT)
IPv4 Private Address Space
• IPv4 address space is not big enough to uniquely address all the devices that must be connected to the Internet.
• Private network addresses are described in RFC 1918 and are designed to be used within an organization or site only.
• Private addresses are not routed by Internet routers, while public addresses are.
• Private addresses can alleviate IPv4 scarcity, but because they aren’t routed by Internet devices, they first need to be translated.
• NAT is the process used to perform such translation.
What is NAT?
• NAT is a process used to translate network addresses.
• NAT’s primary use is to conserve public IPv4 addresses.
• NAT is usually implemented at border network devices, such as firewalls or routers.
• NAT allows the networks to use private addresses internally, only translating to public addresses when needed.
• Devices within the organization can be assigned private addresses and operate with locally unique addresses.
• When traffic must be sent or received to or from other organizations or the Internet, the border router translates the addresses to a public and globally unique address.
NAT Terminology
• Inside network is the set of devices using private addresses.
• Outside network refers to all other networks.
• NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
Types of NAT
Static NAT
• Static NAT uses a one-to-one mapping of local and global addresses.
• These mappings are configured by the network administrator and remain constant.
• Static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network.
• A network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address.
Dynamic NAT
• Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.
• When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.
• Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.
Benefits of NAT
• Conserves the legally registered addressing scheme
• Increases the flexibility of connections to the public network
• Provides consistency for internal network addressing schemes
• Provides network security
Disadvantages of NAT
• Performance is degraded
• End-to-end functionality is degraded
• End-to-end IP traceability is lost
• Tunneling is more complicated
• Initiating TCP connections can be disrupted
Configuring Static NAT
There are two basic tasks to perform when configuring static NAT translations:
• Create the mapping between the inside local and outside local addresses.
• Define which interfaces belong to the inside network and which belong to the outside network.
Configuring Dynamic NAT
Configuring PAT
Analyzing PAT
Port Forwarding
• Port forwarding is the act of forwarding a network port from one network node to another.
• A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network.
• Port forwarding is helpful in situations where servers have private addresses that are not reachable from the outside networks.
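Added example, not from the slides, covering the static NAT, dynamic NAT and port forwarding passages above: a small translation-table model for the static, dynamic (pool) and PAT cases and for port forwarding, in the inside-local / inside-global / outside-global terminology used in this chapter. The addresses and ports are constructed documentation values, and the PAT port-selection rule (keep the source port if free, otherwise take the next free one) is an assumption.

```python
"""Static NAT, dynamic NAT, PAT and port forwarding as translation-table entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str       # inside local address of the sending host
    src_port: int
    dst_ip: str       # outside global address of the destination
    dst_port: int


@dataclass(frozen=True)
class Entry:
    inside_local: str
    inside_global: str
    outside_global: str
    local_port: int
    global_port: int


class PoolExhausted(Exception):
    """Dynamic NAT has no free inside-global address for a new inside host."""


class NatDevice:
    def __init__(self, static=None, pool=None, overload=False, port_forwards=None):
        self.static = dict(static or {})                 # inside local -> inside global
        self.pool = list(pool or [])                     # inside global addresses
        self.overload = overload                         # PAT: all hosts share pool[0]
        self.port_forwards = dict(port_forwards or {})   # (global ip, port) -> (inside local, port)
        self.dynamic = {}                                # inside local -> leased inside global
        self.used_ports = set()                          # (inside global, port) in use by PAT
        self.table = []                                  # translation table (history)

    def translate_outbound(self, pkt: Packet) -> Entry:
        """Build the table entry for a packet leaving the inside network."""
        if pkt.src_ip in self.static:
            # Static NAT: fixed one-to-one mapping, port untouched.
            entry = Entry(pkt.src_ip, self.static[pkt.src_ip], pkt.dst_ip,
                          pkt.src_port, pkt.src_port)
        elif self.overload:
            # PAT: keep the source port if free, otherwise take the next free one (assumption).
            global_ip, port = self.pool[0], pkt.src_port
            while (global_ip, port) in self.used_ports:
                port = port + 1 if port < 65535 else 1024
            self.used_ports.add((global_ip, port))
            entry = Entry(pkt.src_ip, global_ip, pkt.dst_ip, pkt.src_port, port)
        else:
            # Dynamic NAT: first come, first served from the pool; an existing lease is reused.
            if pkt.src_ip not in self.dynamic:
                free = [ip for ip in self.pool if ip not in self.dynamic.values()]
                if not free:
                    raise PoolExhausted(f"no free address in pool for {pkt.src_ip}")
                self.dynamic[pkt.src_ip] = free[0]
            entry = Entry(pkt.src_ip, self.dynamic[pkt.src_ip], pkt.dst_ip,
                          pkt.src_port, pkt.src_port)
        self.table.append(entry)
        return entry

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """Map a packet arriving at a public address/port to (inside local, port), or None."""
        forward = self.port_forwards.get((dst_ip, dst_port))
        if forward is not None:
            return forward                                # port forwarding entry
        for inside_local, inside_global in self.static.items():
            if inside_global == dst_ip:
                return inside_local, dst_port             # static mapping, any port
        return None
```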
Configuring NAT and IPv6
Summary
• How NAT is used to help alleviate the depletion of the IPv4 address space.
• NAT conserves public address space and saves considerable administrative overhead in managing adds, moves, and changes.
• NAT for IPv4, including:
• NAT characteristics, terminology, and general operations
• Different types of NAT, including static NAT, dynamic NAT, and NAT with overloading
• Benefits and disadvantages of NAT
• How port forwarding can be used to access an internal device from the Internet.
• Troubleshooting NAT using show and debug commands.
• How NAT for IPv6 is used to translate between IPv6 addresses and IPv4 addresses.
• The configuration, verification, and analysis of static NAT, dynamic NAT, and NAT with overloading.
IP SLA
Cisco IOS IP Service Level Agreement: A New Direction
• Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance
• Comprehensive hardware support
• Committed Cisco partner support
• Cisco IOS Software, the world’s leading network infrastructure software
[Figure: understand network performance and ease deployment; verify service levels; measure and provide SLAs; verify outsourced SLAs, across access premise, enterprise edge, backbone aggregation, enterprise edge, service provider edge and service provider core]
The Need for IP-Based Service Levels
• Problem: 40% of companies delay launching new applications due to network performance concerns.
• Result: Reduced business productivity.
[Figure: Continuous, Predictable, Reliable, Proactive]
Cisco IOS IP SLAs Life Cycle
Confidence to deploy new services with Cisco IOS IP SLA capabilities.
1. Understand network performance: baseline network performance.
2. Verify network readiness for new IP services and applications.
3. Assure application and service deployment: quantify results.
4. Fine tune and optimize: ongoing measurements to understand behavior, with proactive notification.
• Reduce deployment time
• Prove service and application differentiation
• Verify service levels
• Reduce network down time
• Manage demand for the network
Cisco IOS IP SLAs Uses and Metrics
IP SLA measurements by use:
• Data traffic: jitter, packet loss, latency
• Service level agreement: jitter, packet loss, latency, per QoS
• VoIP: jitter, packet loss, latency, MOS voice quality score
• Streaming video: jitter, packet loss, latency, enhanced accuracy, NTP
• Availability: connectivity, one-way tests to IP devices
IP SLA for Voice over IP
• VoIP may be difficult to deploy when the network behavior is not well understood
• Cisco IOS IP SLAs will verify network readiness and QoS
• Measure critical performance for VoIP deployment
• Real time warning of network performance degradation
• IP SLA is universally available across Cisco IOS Software routers
[Figure: Headquarters and Branch connected over an IP WAN]
VPN SLAs and Performance Measurement
• Cisco IOS Software is an MPLS leader
• How can SLAs be measured with a specific VPN? Cisco IOS IP SLA operations are VRF-aware and measure an SLA per VPN.
[Figure: PE (192.168.1.1, 192.168.2.1) with CEs in VRFs Red, Blue and Yellow]
Syslog
Introduction to Syslog
Syslog Operation
Service Timestamp
• Log messages can be time-stamped and the source address of syslog messages can be set. This enhances real-time debugging and management.
• The service timestamps log datetime msec command, entered in global configuration mode, should be entered on the device.
• In this chapter, it is assumed that the clock has been set and the service timestamps log datetime msec command has been configured on all devices.
Configuring Syslog
Syslog Server
• The syslog server provides a relatively user-friendly interface for viewing syslog output.
• The server parses the output and places the messages into pre-defined columns for easy interpretation. If timestamps are configured on the networking device sourcing the syslog messages, then the date and time of each message is displayed in the syslog server output.
• Network administrators can easily navigate the large amount of data compiled on a syslog server.
Default Logging
Router and Switch Commands for Syslog Clients
Verifying Syslog
SNMP
SNMP Operation
Introduction to SNMP
SNMP Versions
SNMPv1
SNMPv2c
SNMPv3
• SNMPv3 – Interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity to ensure that a packet was not tampered with in transit; authentication to determine that the message is from a valid source; and encryption to prevent the contents of a message from being read by an unauthorized source.
Community Strings
There are two types of community strings:
• Read-only (ro) – Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is so weak in version 2c, many organizations use SNMPv2c in read-only mode.
• Read-write (rw) – Provides read and write access to all objects in the MIB.
Configuring SNMP
NetFlow
NetFlow Operation
Introduction to NetFlow
Purpose of NetFlow
Most organizations use NetFlow for some or all of the following key data collection purposes:
• Efficiently measuring who is using what network resources for what purpose.
• Accounting and charging back according to the resource utilization level.
• Using the measured information to do more effective network planning so that resource allocation and deployment is well-aligned with customer requirements.
• Using the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements.
Network Flows
NetFlow technology has seen several generations that provide more sophistication in defining traffic flows, but “original NetFlow” distinguished flows using a combination of seven key fields:
• Source and destination IP address
• Source and destination port number
• Layer 3 protocol type
• Type of service (ToS) marking
• Input logical interface
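Added example, not from the slides: grouping constructed packet records into unidirectional flows keyed on the seven fields listed above, the way a NetFlow cache does, plus a simple inactive-timeout expiry of the kind an exporter applies. The sample packets, interface indexes and the 15-second timeout are constructed values.

```python
"""Building a NetFlow-style flow cache from packets keyed on the seven original fields."""
from dataclasses import dataclass
from typing import NamedTuple


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int        # 0 for protocols without ports (e.g. ICMP)
    dst_port: int
    protocol: int        # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    tos: int             # type of service byte
    input_ifindex: int   # input logical interface


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


# Constructed sample packets: (timestamp, src, dst, sport, dport, proto, tos, ifindex, length)
SAMPLE_PACKETS = [
    (1.0, "10.1.1.10", "192.0.2.5", 51000, 443, 6, 0x00, 1, 600),
    (1.1, "192.0.2.5", "10.1.1.10", 443, 51000, 6, 0x00, 2, 1400),   # reply direction
    (1.2, "10.1.1.10", "192.0.2.5", 51000, 443, 6, 0x00, 1, 80),
    (1.3, "10.1.1.10", "192.0.2.5", 51000, 443, 6, 0x28, 1, 80),     # different ToS
    (2.0, "10.1.1.11", "192.0.2.5", 0, 0, 1, 0x00, 1, 64),           # ICMP, no ports
    (2.1, "10.1.1.10", "192.0.2.5", 51000, 443, 6, 0x00, 1, 1200),
]


def build_flow_cache(packets):
    """Group packets into unidirectional flows; a packet joins the flow whose seven
    key fields all match, otherwise it opens a new flow."""
    cache = {}
    for ts, src, dst, sport, dport, proto, tos, ifindex, length in packets:
        key = FlowKey(src, dst, sport, dport, proto, tos, ifindex)
        rec = cache.get(key)
        if rec is None:
            rec = cache[key] = FlowRecord(first_seen=ts)
        rec.packets += 1
        rec.octets += length
        rec.last_seen = ts
    return cache


def top_flows_by_octets(cache, n=3):
    """Flows sorted by byte count, the usual starting point for a traffic-pattern review."""
    return sorted(cache.items(), key=lambda kv: kv[1].octets, reverse=True)[:n]


def expire_inactive(cache, now, inactive_timeout=15.0):
    """Remove and return flows idle longer than the inactive timeout, as an exporter would."""
    expired = {k: v for k, v in cache.items() if now - v.last_seen > inactive_timeout}
    for key in expired:
        del cache[key]
    return expired


if __name__ == "__main__":
    flows = build_flow_cache(SAMPLE_PACKETS)
    for key, rec in top_flows_by_octets(flows):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"proto={key.protocol} tos={key.tos:#04x} if={key.input_ifindex} "
              f"pkts={rec.packets} octets={rec.octets}")
```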
Configuring NetFlow
Examining Traffic Patterns
Verifying NetFlow
Summary
• NetFlow and its most recent iteration, Flexible NetFlow, provide a means of collecting IP operational data from IP networks.
• NetFlow provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting.
• NetFlow collectors provide sophisticated analysis options for NetFlow data.
• Syslog, SNMP, and NetFlow are the tools a network administrator uses in a modern network to manage the collection, display, and analysis of events associated with the networking devices.
• Syslog provides a rudimentary tool for collecting and displaying messages as they appear on a Cisco device console display.
• SNMP has a very rich set of data records and data trees to both set and get information from networking devices.