Friday, November 8, 2013

Network Boffin Interview Notes for Networking


BGP and Attributes
BGP Databases
1.    Neighbor database
2.    BGP database, or RIB (Routing Information Base)
3.    Routing table
BGP Message Types:
1.    Open: After a neighbor is configured, BGP sends an open message to try to establish peering with that neighbor. Includes information such as autonomous system number, router ID, and hold time.
2.    Update: Message used to transfer routing information between peers. Includes new routes, withdrawn routes, and path attributes.
3.    Keepalive: BGP peers exchange keepalive messages every 60 seconds by default. These keep the peering session active.
4.    Notification: When a problem occurs that causes a router to end the BGP peering session, a notification message is sent to the BGP neighbor and the connection is closed.

BGP Peering States
1.    Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
2.    Connect: TCP handshake completed.
3.    OpenSent, or Active: An open message was sent to try to establish the peering.
4.    OpenConfirm: Router has received a reply to the open message.
5.    Established: Routers have a BGP peering session. This is the desired state.

1. Idle State: verifying route to neighbor
BGP refuses all incoming connections. No BGP resources are allocated in Idle state, and no incoming BGP connections are allowed.
2. Connect State:
BGP waits for a TCP connection to be completed. If successful, the BGP state machine moves into OpenSent state after sending the OPEN message to the peer. Failure in this state can result in going into Active state or Connect state, or reverting to Idle state, depending on the reason for the failure.
3. Active State: attempting connectivity to neighbor
In this state, a TCP connection is initiated to establish a BGP peer relationship. If successful, BGP sends its OPEN message to the peer and moves to OpenSent state. Failure can result in going to the Active or Idle state.
4. OpenSent State: open message sent to neighbor
After sending an OPEN message to the peer, BGP waits in this state for the OPEN reply.
If a successful reply comes in, the BGP state moves to OpenConfirm and a keepalive is sent to the peer. Failure can send the BGP state back to Idle or Active.
5. OpenConfirm State: neighbor replied with open message
The BGP state machine is one step away from reaching its final state (Established).
BGP waits in this state for keepalives from the peer. If successful, the state moves to Established; otherwise, the state moves back to Idle depending on the error.

BGP Synchronization Rule
When a BGP router receives information about a network from an IBGP neighbor, it does not use that information until a matching route is learned via an IGP or static route. It also does not advertise that route to an EBGP neighbor unless a matching route is in the routing table.
Recent IOS versions have synchronization disabled by default. It is usually safe to turn off synchronization when all routers in the autonomous system run BGP.
BGP Path Selection
BGP assigns various attributes to each path; these attributes can be administratively manipulated to control the path that is selected. BGP then examines the value of these attributes in an ordered fashion until it has narrowed all the possible routes down to one path.
BGP Attributes
Well-known mandatory:
1.    Origin: How BGP learned of this network. i = via the network command, e = from EGP, ? = redistributed from another source.
2.    AS path: An ordered list of all the autonomous systems through which this update has passed.
3.    Next Hop: External peer in neighboring AS
Well-known discretionary
5.    Local Preference: A value telling IBGP peers which path to select for traffic leaving the AS.
6.    Atomic Aggregate: Includes ASes which have been dropped due to route aggregation
Optional Transitive
7.    Aggregator: ID and AS of summarizing router
8.    Community: Route tag
Optional non-transitive
4.    Multi-Exit Discriminator (MED): Metric for external neighbors to reach the local AS (default 0)
9.    Originator ID: The originator of a reflected route
10.   Cluster List: List of cluster IDs
11.   Cluster ID: Originating cluster
Weight: Cisco-specific and local to the router; it is not a path attribute carried in updates.

WELL-KNOWN, MANDATORY
AS-path: A list of the Autonomous Systems (AS) numbers that a route passes through to reach the destination. As the update passes through an AS the AS number is inserted at the beginning of the list. The AS-path attribute has a reverse-order list of AS passed through to get to the destination.
Next-hop: The next-hop address that is used to reach the destination.
Origin: Indicates how BGP learned a particular route. There are three possible types -- IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin unknown or learned in a different way).
WELL-KNOWN, DISCRETIONARY
Local Preference: Defines the preferred exit point from the local AS for a specific route.
Atomic Aggregate: Set when a router advertises an aggregate that causes path attribute information to be lost.
OPTIONAL, TRANSITIVE
Aggregator: Specifies the router ID and AS of the router that originated an aggregate prefix. Used in conjunction with the atomic aggregate attribute.
Community: Used to group routes that share common properties so that policies can be applied at the group level.
OPTIONAL, NON-TRANSITIVE
Multi-exit-discriminator (MED): Indicates the preferred path into an AS to external neighbors when multiple paths exist.
A list of path attributes is carried in BGP update messages. Each attribute is variable length and consists of three fields: an attribute type field made up of a 1-byte attribute flags field and a 1-byte attribute type code field; an attribute length field of 1 or 2 bytes; and a variable-length attribute value field. The attribute type codes used by Cisco are: 1 = origin, 2 = AS-path, 3 = next-hop, 4 = MED, 5 = local preference, 6 = atomic aggregate, 7 = aggregator, 8 = community, 9 = originator ID, and 10 = cluster list.
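The attribute layout just described is simple to parse, and its flag, code and length fields are exactly where a careless implementation reads past the end of a buffer. The following Python is an added example, not code from these notes or from any router vendor: it walks a path-attribute list, honouring the extended-length flag bit, refusing any declared length that runs past the buffer, and decoding the attribute types the notes cover. The sample bytes are constructed here, and 2-byte AS numbers are assumed (no AS4 capability negotiated).

```python
import struct

# Flag bits in the first byte of every path attribute (RFC 4271 layout).
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20
FLAG_EXT_LEN = 0x10   # set: 2-byte length field; clear: 1-byte length field

# Type codes exactly as listed in the notes above.
TYPE_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MED",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR",
              8: "COMMUNITY", 9: "ORIGINATOR_ID", 10: "CLUSTER_LIST"}
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
WELL_KNOWN = {1, 2, 3, 5, 6}


class MalformedAttribute(ValueError):
    """Raised instead of reading past the buffer when an attribute is truncated."""


def decode_value(code, value):
    """Decode the value field of the attribute types the notes describe.
    Assumes 2-byte AS numbers in AS_PATH (no AS4 capability)."""
    if code == 1:
        if len(value) != 1:
            raise MalformedAttribute("ORIGIN must be 1 byte")
        return ORIGIN_NAMES.get(value[0], "UNKNOWN")
    if code == 2:
        segments, pos = [], 0
        while pos < len(value):
            if len(value) - pos < 2:
                raise MalformedAttribute("truncated AS_PATH segment header")
            seg_type, count = value[pos], value[pos + 1]
            pos += 2
            if len(value) - pos < 2 * count:
                raise MalformedAttribute("AS_PATH segment longer than attribute")
            asns = struct.unpack_from("!%dH" % count, value, pos)
            pos += 2 * count
            segments.append(("AS_SET" if seg_type == 1 else "AS_SEQUENCE", list(asns)))
        return segments
    if code == 3:
        if len(value) != 4:
            raise MalformedAttribute("NEXT_HOP must be 4 bytes")
        return ".".join(str(b) for b in value)
    if code in (4, 5):
        if len(value) != 4:
            raise MalformedAttribute("MED/LOCAL_PREF must be 4 bytes")
        return struct.unpack("!I", value)[0]
    return value  # other types are returned raw


def parse_path_attributes(data):
    """Walk the path-attribute list of an UPDATE; every length is checked
    against the remaining buffer before it is used."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedAttribute("truncated attribute header")
        flags, code = data[pos], data[pos + 1]
        pos += 2
        if flags & FLAG_EXT_LEN:
            if len(data) - pos < 2:
                raise MalformedAttribute("truncated extended length")
            length = struct.unpack_from("!H", data, pos)[0]
            pos += 2
        else:
            if len(data) - pos < 1:
                raise MalformedAttribute("truncated length")
            length = data[pos]
            pos += 1
        if len(data) - pos < length:
            raise MalformedAttribute("attribute value runs past end of buffer")
        value = data[pos:pos + length]
        pos += length
        if code in WELL_KNOWN and flags & FLAG_OPTIONAL:
            raise MalformedAttribute("well-known attribute %d flagged optional" % code)
        attrs.append({"type": TYPE_NAMES.get(code, "UNKNOWN(%d)" % code),
                      "optional": bool(flags & FLAG_OPTIONAL),
                      "transitive": bool(flags & FLAG_TRANSITIVE),
                      "value": decode_value(code, value)})
    return attrs


# Constructed sample: ORIGIN=IGP, AS_PATH=65001 65002, NEXT_HOP=192.0.2.1,
# MED=50 (optional non-transitive) and LOCAL_PREF=200 in extended-length form.
SAMPLE = (bytes([0x40, 1, 1, 0])
          + bytes([0x40, 2, 6, 2, 2]) + struct.pack("!HH", 65001, 65002)
          + bytes([0x40, 3, 4, 192, 0, 2, 1])
          + bytes([0x80, 4, 4]) + struct.pack("!I", 50)
          + bytes([0x50, 5]) + struct.pack("!H", 4) + struct.pack("!I", 200))

if __name__ == "__main__":
    for attr in parse_path_attributes(SAMPLE):
        print(attr)
```

Run stand-alone it prints the five decoded attributes. The design point is that every declared length is validated before it is used, and a well-known attribute whose flags claim it is optional is rejected rather than silently accepted.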

BGP Path Selection Criteria
1.    Choose the route with the highest weight.
2.    If weight is not set, choose the route with the highest local preference.
3.    Choose routes that this router originated.
4.    Choose the path with the shortest Autonomous System path.
5.    Choose the path with the lowest origin code (i is lowest, e is next, ? is last).
6.    Choose the route with the lowest MED, if the same Autonomous System advertises the possible routes.
7.    Choose an EBGP route over an IBGP route.
8.    Choose the route through the nearest IGP neighbor as determined by the lowest IGP metric.
9.    Choose the oldest route.
10.   Choose a path through the neighbor with the lowest router ID.
11.   Choose a path through the neighbor with the lowest IP address.
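As an added worked example (not from the notes), the selection order above written out as a Python comparison, including the detail that MED is only compared between paths learned from the same neighboring AS. The Path fields and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass
import ipaddress

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # lower is preferred


@dataclass
class Path:
    neighbor_ip: str
    neighbor_rid: str
    neighbor_as: int
    as_path: tuple = ()
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    locally_originated: bool = False
    age: int = 0          # arrival order; a lower value means an older path


def compare(a, b):
    """Return (preferred path, name of the deciding step) for two candidates."""
    early = [
        ("1 highest weight", lambda p: -p.weight),
        ("2 highest local preference", lambda p: -p.local_pref),
        ("3 locally originated", lambda p: 0 if p.locally_originated else 1),
        ("4 shortest AS path", lambda p: len(p.as_path)),
        ("5 lowest origin code", lambda p: ORIGIN_RANK[p.origin]),
    ]
    late = [
        ("7 eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
        ("8 lowest IGP metric to next hop", lambda p: p.igp_metric),
        ("9 oldest path", lambda p: p.age),
        ("10 lowest router ID", lambda p: int(ipaddress.ip_address(p.neighbor_rid))),
        ("11 lowest neighbor IP", lambda p: int(ipaddress.ip_address(p.neighbor_ip))),
    ]
    for name, key in early:
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), name
    # Step 6: MED is only compared between paths from the same neighboring AS.
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return (a if a.med < b.med else b), "6 lowest MED"
    for name, key in late:
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), name
    return a, "tie (first path kept)"


def select_best(paths):
    """Reduce a list of candidate paths for one prefix to the single best path."""
    best, reason = paths[0], "only candidate"
    for cand in paths[1:]:
        best, reason = compare(best, cand)
    return best, reason


if __name__ == "__main__":
    # Constructed candidates for one prefix: the higher LOCAL_PREF wins
    # even though its AS path is longer.
    p1 = Path("10.1.1.1", "1.1.1.1", 65001, as_path=(65001,), local_pref=200)
    p2 = Path("10.2.2.2", "2.2.2.2", 65002, as_path=(65002, 65010), local_pref=300)
    best, why = select_best([p1, p2])
    print("best via", best.neighbor_ip, "decided by step", why)
```

The pairwise comparison is used instead of a single sort key because step 6 is not a total order: two paths from different neighboring ASes skip the MED check entirely and fall through to the later steps.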

“We Love Oranges AS Oranges Mean Pure Refreshment”

W: Weight (highest)
L: LOCAL_PREF (highest)
O: Originated (local) routes, advertised through the "network" command or redistributed from an IGP
AS: AS_PATH (shortest)
O: ORIGIN code (IGP > EGP > Incomplete)
M: MED (lowest)
P: Paths (external > internal)
R: RID (lowest)

BGP Confederation

This feature is used to split an autonomous system into smaller autonomous systems, or the reverse: to combine several autonomous systems into one. One reason for splitting is that an IGP such as OSPF might not be able to handle the routes of a very large enterprise, so splitting the AS into smaller ones helps OSPF scale better; another is that the enterprise wants separate administrative control per region and wants to control the routing policies in each region.

BGP uses two technologies with the goal of allowing your iBGP routers to still receive all routing updates without requiring a full-mesh topology.
  • BGP Route-Reflectors
    • Route-reflectors allow iBGP speakers to have a partial-mesh topology while still propagating all iBGP-learned routes to all iBGP speakers
    • Route-reflectors consist of route-reflector servers and route-reflector clients
    • eBGP routes learned by route-reflector servers are advertised to other eBGP neighbors, route-reflector clients and non-clients.
    • iBGP routes learned from non-clients are advertised to eBGP neighbors and route-reflector clients
    • iBGP routes learned from route-reflector clients are advertised to other clients, non-clients and eBGP neighbors.
    • Needs to be configured on the route-reflector server: R(config-router)#neighbor 192.168.3.4 route-reflector-client
  • BGP Confederation
    • Confederations achieve the same goal as route-reflectors
    • This is done by dividing the main AS into several smaller sub-autonomous systems.
    • Typically the private AS range 64512-65535 is used for these sub-ASs
    • Neighbors in each sub-AS must still be fully meshed
    • Confederation iBGP/eBGP peers act the same way as ordinary BGP iBGP/eBGP peers.
    • Configured with bgp confederation identifier 200 and bgp confederation peers 6501
BGP RIB Failure
When BGP tries to install the bestpath prefix into the Routing Information Base (RIB) (for example, the IP routing table), the RIB might reject the BGP route for reasons such as the following:
A route with a better administrative distance is already present, for example from an IGP, or a static route to the same prefix already exists in the IP routing table.


EIGRP Overview
  • Fast convergence.
  • Support for VLSM.
  • Partial updates conserve network bandwidth.
  • Support for IP, AppleTalk, and IPX.
  • Runs directly over IP, using protocol number 88.
  • Support for all Layer 2 (data link layer) protocols and topologies.
  • Sophisticated metric that supports load-balancing across unequal-cost paths.
  • Use of multicast (and unicast where appropriate) instead of broadcasts.
  • Support for authentication.
  • Manual summarization at any interface.
  • Uses multicast 224.0.0.10.

EIGRP’s function is controlled by four key technologies:

Neighbor discovery and maintenance:  Periodic hello messages
The Reliable Transport Protocol (RTP):  Controls sending, tracking, and acknowledging EIGRP messages
Diffusing Update Algorithm (DUAL): Determines the best loop-free route
Protocol-independent modules (PDM): Modules are “plugins” for IP, IPX, and AppleTalk versions of EIGRP
EIGRP uses three tables:
  • The neighbor table is built from EIGRP hellos and used for reliable delivery.
  • The topology table contains EIGRP routing information for best paths and loop-free alternatives.
  • EIGRP places best routes from its topology table into the common routing table.
EIGRP Messages
  • Hello:                Identifies neighbors and serves as a keepalive mechanism
  • Update:            Reliably sends route information
  • Query:               Reliably requests specific route information
  • Reply:                Reliably responds to a query
  • ACK:                   Acknowledgment
Neighbor Discovery and Route Exchange
1.    Router A sends out a hello.
2.    Router B sends back a hello and an update. The update contains routing information.
3.    Router A acknowledges the update.
4.    Router A sends its update.
5.    Router B acknowledges.
Hello/hold timers: 5 seconds/15 seconds on point-to-point media and on multipoint circuits with bandwidth greater than T1; 60 seconds/180 seconds on multipoint circuits with bandwidth less than or equal to T1.
Diffusing Update Algorithm (DUAL)
The path with the lowest metric is called the successor path, and its metric is the feasible distance (FD). EIGRP paths whose advertised distance (AD, the neighbor's own metric to the destination) is lower than the FD of the successor path are guaranteed loop-free and are called feasible successors. If the successor path is lost, the router can use the feasible successor immediately without risk of loops.
After the router has chosen a path to a network, it is passive for that route. If a successor path is lost and no feasible successor is identified, the router sends out queries on all interfaces in an attempt to identify an alternate path; it is active for that route. No successor can be chosen until the router receives a reply to all queries. If a reply is missing for 3 minutes, the router becomes stuck in active (SIA). In that case, it resets the neighbor relationship with the neighbor that did not reply.
Load Balancing
What makes EIGRP unique is that you can configure it to proportionally load balance over unequal-metric paths. The variance command is used to configure load balancing over up to six loop-free paths with a metric lower than the product of the variance and the best metric.
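The feasibility condition and the variance rule from the DUAL and load-balancing paragraphs above, as an added Python example that is not part of the notes. The neighbor names and metrics are constructed; the sample deliberately includes a neighbor whose total metric is low but whose advertised distance fails the feasibility condition, so it is excluded both from the feasible-successor set and from unequal-cost load balancing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    advertised_distance: int   # the neighbor's own metric to the destination (AD)
    link_metric: int           # metric of the link from this router to the neighbor

    @property
    def total_metric(self):
        return self.advertised_distance + self.link_metric


def run_dual(candidates):
    """Pick the successor and the feasible successors for one destination.
    Returns (successor, feasible_distance, [feasible successors])."""
    if not candidates:
        return None, None, []
    successor = min(candidates, key=lambda c: c.total_metric)
    fd = successor.total_metric
    # Feasibility condition: a neighbor whose advertised distance is strictly
    # below our FD cannot be routing through us, so its path is loop-free.
    feasible = [c for c in candidates
                if c is not successor and c.advertised_distance < fd]
    return successor, fd, feasible


def variance_paths(candidates, variance, max_paths=6):
    """Paths installed for unequal-cost load balancing: the successor plus any
    feasible successors whose total metric is below variance * FD, capped at
    max_paths (six, as the notes state)."""
    successor, fd, feasible = run_dual(candidates)
    if successor is None:
        return []
    chosen = [successor] + [c for c in feasible if c.total_metric < variance * fd]
    return sorted(chosen, key=lambda c: c.total_metric)[:max_paths]


# Constructed topology-table entries for one prefix (not from the notes).
# R3 has the second-lowest total metric but fails the feasibility condition,
# so it is neither a feasible successor nor a load-balancing candidate.
SAMPLE = [
    Candidate("R1", advertised_distance=10, link_metric=10),   # total 20: successor
    Candidate("R2", advertised_distance=15, link_metric=20),   # total 35, AD 15 < FD 20
    Candidate("R3", advertised_distance=25, link_metric=5),    # total 30, AD 25 >= FD 20
]

if __name__ == "__main__":
    succ, fd, feas = run_dual(SAMPLE)
    print("successor", succ.neighbor, "FD", fd, "feasible", [c.neighbor for c in feas])
    for v in (1, 2):
        print("variance", v, [c.neighbor for c in variance_paths(SAMPLE, v)])
```

With variance 1 only the successor is used; with variance 2 the threshold becomes 40, so R2 (total 35) is added, while R3 stays out regardless of variance because it never passed the feasibility condition.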
EIGRP Authentication
1.    Configure a key chain to group the keys.
2.    Configure one or more keys within that key chain. The router checks all inbound packets against the list of keys and uses the first valid one it finds.
3.    Configure the password or authentication string for that key. Repeat Steps 2 and 3 to add more keys if desired.
4.    Optionally configure a lifetime for the keys within that key chain. If you do this, be sure that the time is synchronized between the two routers.
5.    Enable authentication and assign a key chain to an interface.
6.    Designate MD5 as the type of authentication.
EIGRP Stub
Stub routing is one way to limit queries. A stub router is one that is connected to no more than two neighbors and should never be a transit router. This feature is commonly used in a hub-and-spoke topology. When a router is configured as an EIGRP stub, it notifies its neighbors. The neighbors then do not query that router for a lost route. An EIGRP stub router still receives all routes from its neighbors by default.

OSPF Overview
Types of areas:
Backbone area: Area 0, which is attached to every other area.
Regular area:  Non-backbone area; its database contains both internal and external routes.
Stub area:  its database contains only internal routes and a default route.
Totally Stubby Area:  Cisco proprietary area designation. Its database contains routes only for its own area and a default route.
Not-so-stubby area (NSSA):  Its database contains internal routes, routes redistributed from a connected routing process, and optionally a default route.
Totally NSSA:  Cisco proprietary area designation. Its database contains only routes for its own area, routes redistributed from a connected routing process, and a default route.
OSPF defines router roles as well. One router can have multiple roles:
An internal router has all interfaces in one area. They maintain a link-state database for their own area only.
Backbone routers have at least one interface assigned to area 0.
An Area Border Router (ABR) has interfaces in two or more areas. ABRs separate LSA flooding areas, can summarize area routes, and can source default routes. They maintain a link-state database for each area to which they are connected.
An Autonomous System Boundary Router (ASBR) has interfaces inside and outside the OSPF routing domain.
Link State Advertisements (LSA)
Each router maintains a database, called the link-state database (LSDB), containing the latest received LSAs. A separate LSDB is maintained for each area connected to the router.
OSPF LSA Types
1.    Router Link LSA: Advertises intra-area routes. Generated by each OSPF router. Flooded only within the area. Routing table code: O
2.    Network Link LSA: Advertises routers on a multi-access link. Generated by the DR. Flooded only within the area. Routing table code: O
3.    Network Summary LSA: Advertises inter-area routes. Generated by an ABR. Flooded to adjacent areas. Routing table code: O IA
4.    ASBR Summary LSA: Advertises the route to an ASBR. Generated by an ABR. Flooded to adjacent areas. Routing table code: O IA
5.    External Link LSA: Advertises routes in another routing domain. Generated by an ASBR. Flooded to adjacent areas. Routing table codes: O E1 (metric increases at each router as it is passed through the network) or O E2 (metric does not increase; this is the default).
7.    Not-so-stubby area (NSSA) LSA: Advertises routes in another routing domain. Generated by an ASBR. Routing table code: O
OSPF Packets
1.    Hello: Identifies neighbors and serves as a keepalive.
2.    Link State Request (LSR): Request for a Link State Update (LSU). Contains the type of LSU requested and the ID of the router requesting it
3.    Database Description (DBD): A summary of the LSDB, including the RID and sequence number of each LSA in the LSDB.
4.    Link State Update (LSU): Contains a full LSA entry. An LSA includes topology information; for example, the RID of this router and the RID and cost to each neighbor. One LSU can contain multiple LSAs.
5.    Link State Acknowledgment (LSAck): Acknowledges all other OSPF packets (except Hellos).
OSPF traffic is multicast to either of two addresses: 224.0.0.5 for all OSPF routers or 224.0.0.6 for all OSPF DRs.
Certain parameters within the OSPF Hellos must also match for two routers to become neighbors. They include
  • Hello/dead timers
  • Area ID
  • Authentication type and password
  • Stub area flag
Establishing Neighbors and Exchanging Routes
1.    Down state: OSPF process not yet started, so no Hellos sent.
2.    Init state: Router sends Hello packets out all OSPF interfaces.
3.    Two-way state: Router receives a Hello from another router that contains its own router ID in the neighbor list. All other required elements match, so routers can become neighbors.
4.    Exstart state: If routers become adjacent (exchange routes), they determine which one starts the exchange process.
5.    Exchange state: Routers exchange DBDs listing the LSAs in their LSDB by RID and sequence number.
6.    Loading state: Each router compares the DBD received to the contents of its LSDB. It then sends an LSR for missing or outdated LSAs. Each router responds to its neighbor’s LSR with a Link State Update. Each LSU is acknowledged.
7.    Full state: The LSDB has been synchronized with the adjacent neighbor.
Stub and Not-So-Stubby Areas
A stub area forces its ABR to drop all external (type 5) routes and replaces them with a default route. To limit routing information even more, an area can be made totally stubby using the no-summary keyword on the ABR only. In that case, all inter-area and external routes are dropped by the ABR and replaced by a default route. The default route starts with a cost of 1; to change it, use the area default-cost command.
  • Stub areas can’t include a virtual link.
  • Stub areas can’t include an ASBR.
  • Stubbiness must be configured on all routers in the area.
  • Area 0 cannot be a stub area.
Another kind of stub area is a not-so-stubby area (NSSA). NSSA is like a stub or totally stub area but enables an ASBR within the area. External routes are advertised as type 7 routes by the ASBR. The ABR converts them to type 5 external routes when it advertises them into adjacent areas. NSSA is configured with the area nssa command under the OSPF routing process. The no-summary keyword on the ABR configures the area as totally NSSA; this is a Cisco proprietary feature. By default, the ABR does not inject a default route back into an NSSA area. Use the default-information-originate keyword on the ABR or ASBR to create this route.
Virtual Links
OSPF requires that all areas be connected to area 0 and that area 0 must be contiguous. When this is not possible, you can use a virtual link to bridge across an intermediate area. Virtual links
  • Connect areas that do not have a physical link to area 0. (This should be a temporary solution.)
  • Connect a discontiguous area 0 (when merging two company networks, for instance). This should also be a temporary solution!

EIGRP, OSPF & BGP Strengths, weakness, operational requirements and commercial implementation

EIGRP Strengths, weakness, operational requirements and commercial implementation.

EIGRP strengths:-
Fast convergence:
EIGRP is an advanced distance vector protocol, and one of its core strengths is its fast network convergence. Unlike other routing protocols, EIGRP keeps feasible successor routes ready in its tables, which allows millisecond convergence should the successor route fail.
Flexible summarization:
Unlike OSPF, EIGRP allows you to summarize anywhere. In bigger environments where routers advertise hundreds of networks, route summarization can greatly enhance router and network operational capabilities: it is less taxing on CPU and memory and cheaper to run and maintain.
Unequal-cost load balancing:
EIGRP allows unequal-cost load balancing, which means you can use two links of different cost to load balance traffic; no other protocol can do this.
VLSM friendly

EIGRP weakness:-
Cisco proprietary:

EIGRP Operational requirement:-
In terms of operational requirement, EIGRP is simple to configure and inexpensive to run.
Bandwidth:
EIGRP uses partial and incremental updates. These updates are triggered only when a change occurs, and when one does, EIGRP sends only the changed information to the routers affected, which greatly reduces bandwidth utilization.
Processor:
The feasible successor technology greatly reduces the total processor utilization of an AS by requiring only the routers that were affected by a topology change to perform the route re-computation. Furthermore, the route re-computation occurs only for the routes that were affected; only those data structures are accessed and used.
Memory:
EIGRP stores all routes advertised by neighbors so it can quickly fall back to the feasible successor should the successor fail; the more neighbors a router has, the more memory it uses.
In contrast, EIGRP uses less memory than OSPF, because OSPF stores all of the link states for all of the areas it is in.
EIGRP Commercial implementation:-
  • EIGRP does not require a hierarchical network design to operate efficiently.
  • EIGRP is protocol independent: apart from IPv4/IPv6 it also supports IPX and AppleTalk, so customers using these protocols can leverage EIGRP's protocol-independent capabilities to achieve a higher return on investment.
  • EIGRP is less complex to implement, and it also offers more efficient route calculations than OSPF; for example, EIGRP uses bandwidth, delay, reliability and load when calculating optimal routes, whereas OSPF takes only bandwidth into consideration.
  • Keeping the above points in mind, EIGRP will be more viable commercially provided that it is a full end-to-end Cisco implementation; EIGRP can also exchange routing information with other routing protocols through route redistribution or by using an exterior gateway protocol (BGP).
OSPF Strengths, weakness, operational requirements and commercial implementation.
OSPF was primarily designed to address the limitations of distance vector routing protocols, mainly with slow convergence and inefficient bandwidth usage.
OSPF Strengths:
OSPF is an IETF standard:-

Topological map / LSDB
Each OSPF router maintains a link-state database containing all the LSAs received from other routers. OSPF runs the shortest path first algorithm over this database to build an SPF tree, which is then used to populate the routing table with the best path to each network.
Fast convergence
One of the most attractive features of OSPF is its ability to quickly adapt to topology changes.
OSPF uses 2 mechanisms to detect topology changes,
1. Interface status changes
2. Failure to receive hello packets from its neighbor (dead timer)
Once a failure has been detected, the router that detected it immediately floods the LSP to all other routers. This immediate flooding, in contrast to a distance vector protocol, which must process each routing update and update its routing table before flooding it out its other interfaces, makes OSPF converge much faster. (OU CCNA Course Exploration-two)
Efficient
Unlike distance vector protocols, OSPF provides an area routing capability (area 0), enabling an additional level of routing protection and a reduction in routing protocol traffic.
Event-driven Updates
After the initial flooding of LSPs, LSPs are sent only when there is a topology change, and they contain only the information that has changed, which allows efficient bandwidth usage.
Hierarchical Design
Link state protocols use the concept of areas for efficient routing and better summarization; multiple areas create a hierarchical network design. In order to scale OSPF networks properly, adopting a hierarchical design is one of the most important factors.
Other advantages
Supports VLSM or CIDR
Not prone to routing loops

OSPF Weakness:
Complex:
Link state protocols such as OSPF are complex to configure and implement compared with distance vector protocols.
Only supports IP:
Unlike EIGRP, OSPF is not protocol independent.
Can only summarize at ABR:
This directly increases the cost of running OSPF in terms of resources compared with the hybrid EIGRP protocol. The larger the network, the larger the link state databases, and thus the more resource intensive (CPU/memory) it becomes.
OSPF Operational requirements:
CPU / memory
OSPF is memory intensive, as each router maintains a local link state database; on top of that, the SPF algorithm itself is very processor intensive. Because OSPF can only summarize at the ABR level, the database is even larger and more costly to maintain.
Bandwidth:
In a network with substantial topology changes, flooding of LSPs can adversely affect the available bandwidth; because of the summarization limitation, any instability in the network can cause issues with available bandwidth. The key to scaling OSPF networks is designing a solid hierarchical network: if it is properly designed, LSPs are limited per area, resulting in fewer LSPs.
Designated Router
DRs exist to reduce network traffic by providing a single source for routing updates. When designing OSPF networks, be mindful of the operational requirements in terms of CPU, memory and bandwidth before placing DR routers, as they generally require more resources.

OSPF Commercial implementations:
OSPF is one of the most widely used protocols in the industry within the IGP space. Its IETF standard status is one core reason for its popularity; secondly, it is vendor independent. Even though OSPF is more resource intensive than its counterparts, with today’s newer routers this is no longer a bottleneck.
Suitable and Unsuitable environments
Suitable OSPF environments range from large to small. Because of its wide array of features (fast convergence, equal-cost multipath, TOS routing, areas, etc.), it can be used in larger and smaller networks as long as it is designed correctly. However, OSPF has a very limited ability to express policy; a system wanting more sophisticated policies would have to be split into separate ASes, running a policy-based EGP between them.

BGP Strengths, weakness, operational requirements and commercial implementation
BGP is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).

BGP Strength:-
Flexibility
Unlike an IGP, BGP is more of a policy definition tool than just a routing protocol. To select the best route, BGP assigns 11 attributes to each path, and “one of the most important path attributes is the Autonomous System path, or AS_PATH. The AS_PATH allows straightforward suppression of the looping of routing information. The AS_PATH serves as a powerful and versatile mechanism for policy-based routing.” In addition, each of these attributes can be administratively tuned for extremely granular control; in contrast, IGPs are designed with the intent of providing reachability and fast convergence.
Scalability
Unlike an IGP, BGP can handle thousands of routes in its database. BGP was designed to scale with the growth of the Internet; the mechanisms BGP is built on have allowed it to scale to carry more than 200,000 prefixes in production networks and more than 500,000 prefixes in laboratory tests. The only practical limit to the number of prefixes supported is memory in the router.
Reliability
BGP uses TCP for reliable transport of its traffic between peer routers, and it can use any authentication scheme available to TCP; this greatly enhances BGP’s connection establishment, session maintenance and routing information accuracy.
Stability
Given the size of the current Internet, flapping of a large number of network routes could be disastrous. To overcome this, BGP has a number of features that suppress instability, e.g. route dampening and various timers; soft reconfiguration and route refresh are useful for changing BGP policy without resetting the BGP session.
BGP Weakness:
Slow convergence:
BGP is the slowest protocol of all. BGP’s lack of policy synchronization often leads to convergence concerns, but the slowness is by design: imagine a network on the Internet goes down; if BGP triggered an update to all the routers on the Internet every time a network went down, the Internet would always be in a state of chaos.
Routing table growth:
The Internet is growing at an exponential rate every year. If the global routing table grows to the point where older, less capable routers cannot cope with the memory/CPU requirements, these routers will cease to be effective gateways between the parts they connect, leaving network services unreliable or even unavailable in the interim.
Load balance:
BGP does not load balance across links by default.

BGP Operational requirements:
Bandwidth and CPU requirements:
After the initial BGP connection setup, the peers exchange their complete set of routing information; this is the stage where BGP requires the most CPU cycles. After the initial exchange, KEEPALIVE messages are exchanged between peers every 30 seconds. The amount of CPU BGP consumes thereafter depends entirely on the stability of the Internet; if the Internet is stable, KEEPALIVE messages take a negligible amount of CPU cycles.
Memory requirements:
BGP memory requirements depend on how much routing information you choose to receive. If you only accept default routes from your providers, it will not require more than the standard router memory; however, running full tables is very memory intensive.
BGP Commercial implementation:
Although BGP is an Internet protocol, it is also commonly used by enterprises other than ISPs. Nowadays more and more organizations host their own Internet-facing web servers, email servers, VPN servers, etc. within their own public network. The need for redundancy in production environments is obvious, and with it the need for multi-homed connections to service providers; this is where BGP comes into play for enterprises. Using BGP, they advertise their public addresses to both ISPs, which in turn flood them to the rest of the Internet; this way, should one ISP fail, the Internet will have another route to reach the enterprise’s public-facing servers.



MPLS Basics

Basic MPLS Tutorial

MPLS is a forwarding mechanism called “label switching” in which packets are forwarded based on labels. However, hosts are unaware of labeled packets, so routers need to add a label when a packet enters the “MPLS area” and remove that label when it leaves.
The idea of label switching is to have only the first router do an IP lookup and assign a label; all subsequent routers in the network can then “cheat” by doing an exact-match “switch” on the label. This reduces load on the core routers, where high performance is the hardest to achieve, and distributes the routing lookups across the lower-speed edge routers.
In a traditional IP network:
* Each router performs an IP lookup (“routing”), determines a next-hop based on its routing table, and forwards the packet to that next-hop.
* Rinse and repeat for every router, each making its own independent routing decisions, until the final destination is reached.
MPLS does “label switching” instead:
* The first device does a routing lookup, just like before.
* But instead of finding a next-hop, it finds the final destination router.
* And it finds a pre-determined path from “here” to that final router.
* The router applies a “label” (or “shim”) based on this information.
* Future routers use the label to route the traffic without needing to perform any additional IP lookups.
* At the final destination router, the label is removed and the packet is delivered via normal IP routing.
Therefore in an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself.
Cisco Express Forwarding (CEF) table
To enable MPLS on a Cisco router, we must turn on CEF first so let’s analyze what lies inside a CEF table.
As you know, a router uses routing protocols (like OSPF, EIGRP, RIP…), static routes and connected routes to create the routing table (or Routing Information Base, RIB). When CEF is enabled, the router uses this table to create a more optimized table, called the Forwarding Information Base (FIB), which contains the next hop and outgoing interface of each route. Although the FIB does not differ much from the RIB, the router spends very little time finding the correct entry, resulting in a smaller forwarding delay, so more packets can be processed per second.

How MPLS forwards packets
MPLS forwards packets based on the Forwarding Information Base (FIB) and Label Forwarding Information Base (LFIB) tables. FIB and LFIB have all necessary label information as well as the outgoing interface and next-hop information.
FIB: As said above, the router uses CEF to create this table. In most cases the ingress router uses this table for incoming unlabeled packets: it matches the destination IP address to the best prefix (network) it has in the FIB, then pushes a label onto the packet and forwards it.
LFIB: Used by the core MPLS routers (those that are neither ingress nor egress). They compare the label in the incoming packet with the labels in their LFIB. If a match is found, they forward the packet based on that match; if not, the packet is dropped. The LFIB is built from the LIB and FIB tables.
Note: All routers in the MPLS domain have both FIB and LFIB tables, but only edge routers use the FIB (the ingress router uses the FIB; the egress router uses the LFIB and the FIB).
The LIB table holds all the labels known to the LSR and associated information that could possibly be used to forward packets. However, each LSR must choose the best label to use so FIB and LFIB contain only labels of best paths. To choose the best label, LSRs rely on the routing protocol’s decision about the best route.
Label Switch Router (LSR) refers to any router that has awareness of MPLS labels, for example routers R1, R2, R3 and R4 in the example below. The entry and exit routers of an MPLS network are called edge LSRs (or label edge routers, LERs), which, respectively, inject (push) an MPLS label onto an incoming packet (label assignment) and remove (pop) it from the outgoing packet (label removal). An edge LSR is often a high-speed router device in the core of an MPLS network that participates in the establishment of Label Switched Paths (LSPs) using the appropriate label signaling protocol and in high-speed switching of the data traffic based on the established paths. In the example below, R1 and R4 are edge LSRs (LERs).
When a network’s inbound router receives traffic, it inserts an MPLS label between the IP packet and the appropriate Layer 2 header for the physical link. The label contains an index value that identifies a next-hop address for the particular LSP. When the next-hop transit router receives the packet, it uses the index in the MPLS label to determine the next-hop address for the packet and forwards the packet to the next router in the LSP.
In this example, when R1 receives a packet with a destination of 1.1.1.1 it first performs a routing lookup, assigns “label 2” to this destination and forwards it to R2. R2 checks its Label Forwarding Information Base (LFIB) and sees that the “outgoing” label for label 2 is label 7. It swaps label 2 with label 7 and forwards the packet to R3. R3 acts like R2: it swaps label 7 with label 4 and forwards the packet to R4. The edge router R4 removes the label and does a routing lookup to find the next hop and forward the packet. The whole process is summarized below:
1. After OSPF convergence, all routers have information about network 1.0.0.0/8 and this information is placed in the RIB.
2. On R1, the label distribution protocol (LDP) assigns the label 11 to the network 10.0.0.0/8 and advertises the label to its neighbors.
3. Other routers running OSPF also have information about this network, so they use their own LDP to assign a label to it and advertise that label to their neighbors using LDP. For example, R2 advertises to R1 (and R3) that it uses label 2 for the network 1.0.0.0/8. R1 receives this information and marks it as the outgoing label. R3 does not use this label but also saves it in its LIB. R3 advertises to R2 (and R4) that it uses label 7 for this network. R4 advertises to R3 that it uses label 4 for this network. Notice that all of these labels are stored in the LIB.
4. Each router uses information about the network, local label and outgoing label to build the LFIB.
Now when an incoming packet to the destination 1.1.1.1/8 arrives, the ingress router looks it up in the FIB and learns that this packet should be labeled 2. The router pushes label 2 onto the packet and forwards it out the outgoing interface to the downstream router (R2 in this case).
R2 receives a labeled packet, so it looks it up in the LFIB, swaps label 2 with label 7 and forwards it out the outgoing interface. Other core LSRs process incoming labeled packets in the same way as R2.
The packet continues traveling to the egress LER. Because the egress LER receives a labeled packet, it also looks it up in its LFIB. In the LFIB, router R4 learns that label 4 is assigned to an implicit-null (or pop) label, so the router removes (pops) the label and forwards the packet to the network 10.0.0.0/8.
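The four-step walk-through above (LDP label advertisement into the LIB, LFIB built from the best path, then push/swap/pop along R1-R4) as an added example in Python; it is not code from the original post. The prefix 1.0.0.0/8 and the labels 11, 2, 7 and 4 are the ones used in the text; the router names, the "CE" egress next hop and the table layout are constructed for illustration.

```python
import ipaddress


class LSR:
    """Label switch router: a LIB of every label learned via LDP, and a FIB/LFIB
    holding only the label of the IGP's best path (the routing protocol decides)."""

    def __init__(self, name, local_labels, routes):
        self.name = name
        self.local_labels = local_labels  # prefix -> label this LSR allocated and advertises
        self.routes = routes              # prefix -> IGP next hop (a router name, or "CE")
        self.lib = {}                     # (prefix, advertising neighbor) -> label learned
        self.fib = {}                     # prefix -> (out_label, next_hop), for unlabeled packets
        self.lfib = {}                    # local_label -> (out_label, next_hop), for labeled packets

    def learn_label(self, prefix, neighbor, label):
        self.lib[(prefix, neighbor)] = label  # kept even when this neighbor is not the best path

    def build_tables(self):
        for prefix, nh in self.routes.items():
            out_label = self.lib.get((prefix, nh))  # None: no label from the next hop -> pop
            self.fib[prefix] = (out_label, nh)
            self.lfib[self.local_labels[prefix]] = (out_label, nh)

    def longest_match(self, dst):
        addr = ipaddress.ip_address(dst)
        nets = [p for p in self.fib if addr in ipaddress.ip_network(p)]
        return max(nets, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)

    def forward(self, packet):
        """packet = (label or None, destination IP). Returns (next_hop, packet) or None on drop."""
        label, dst = packet
        if label is None:                        # ingress: IP lookup in the FIB, push the label
            prefix = self.longest_match(dst)
            if prefix is None:
                return None
            out_label, nh = self.fib[prefix]
            return nh, (out_label, dst)
        entry = self.lfib.get(label)             # core/egress: exact match on the label only
        if entry is None:
            return None                          # unknown label -> drop
        out_label, nh = entry
        return nh, (out_label, dst)              # swap, or pop when out_label is None


def build_example():
    """R1-R4 in a row; 11, 2, 7 and 4 are the local labels from the walk-through."""
    prefix = "1.0.0.0/8"
    routers = {
        "R1": LSR("R1", {prefix: 11}, {prefix: "R2"}),
        "R2": LSR("R2", {prefix: 2}, {prefix: "R3"}),
        "R3": LSR("R3", {prefix: 7}, {prefix: "R4"}),
        "R4": LSR("R4", {prefix: 4}, {prefix: "CE"}),  # CE: constructed name for the egress next hop
    }
    # LDP: every LSR advertises its local label for the prefix to each directly connected neighbor
    for a, b in (("R1", "R2"), ("R2", "R3"), ("R3", "R4")):
        for src, dst in ((a, b), (b, a)):
            routers[dst].learn_label(prefix, src, routers[src].local_labels[prefix])
    for r in routers.values():
        r.build_tables()
    return routers


def trace(routers, start, dst):
    """(router, label carried on arrival) for each hop until the packet leaves the domain or drops."""
    path, hop, packet = [], start, (None, dst)
    while hop in routers:
        path.append((hop, packet[0]))
        result = routers[hop].forward(packet)
        if result is None:
            path.append(("DROP", packet[0]))
            return path
        hop, packet = result
    path.append((hop, packet[0]))
    return path


if __name__ == "__main__":
    rs = build_example()
    print(trace(rs, "R1", "1.1.1.1"))  # R1 pushes 2, R2 swaps to 7, R3 swaps to 4, R4 pops
```

Note that R3's LIB keeps label 2 learned from R2 even though only label 4 from R4 makes it into the LFIB, exactly as step 3 describes.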
That is all the theory. Now let’s return to our simple example with 3 routers to see what is actually inside these tables.
LIB table of R1
LFIB table of R1
MPLS key points
  • Assignment of a particular packet to a particular FEC is done just once, as the packet enters the network.
  • Packets are “labeled” before they are forwarded to the next hop.
  • All forwarding is driven by labels.
  • No further analysis of the packet’s network layer header at subsequent hops.
  • Label is used as an index into a table which specifies the next hop and a new label. The old label is swapped with the new label and the packet is forwarded to its next hop.
It’s important to think of MPLS as having two components, the control plane and the data plane. LDP is mainly used by the control plane to exchange labels. From the control plane we build the data plane; on Cisco routers this is the CEF table.
Control plane: Exchanges Layer 3 routing information and labels; contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS and BGP, and to exchange labels, such as LDP and RSVP.
Data plane: Forwards packets based on labels; has a simple forwarding engine



MPLS (Multiprotocol Label Switching) is a protocol that uses labels for packet switching. MPLS is agnostic of the Layer 1 and Layer 2 protocols and can be used on any type of link. It inserts a 32-bit label between the Layer 2 and Layer 3 headers, which is why it is dubbed a Layer 2.5 protocol. Labels range from 0 to 1,048,575; labels 0-15 are reserved, so the usable range is 16-1,048,575. The default range on Cisco routers is 16 to 100,000, which is enough for big enterprises.
MPLS requires a running IGP routing protocol with a full routing table. CEF must also be enabled, because the FIB (Forwarding Information Base) and adjacency tables are needed to build the LFIB (Label Forwarding Information Base). The FIB maintains the next hops for the routes in the routing table, while the adjacency table holds the Layer 2 rewrite information so that repetitive ARP requests are avoided.
The MPLS process starts with the routing protocol building the IP routing table. Based on that table, the MPLS-enabled router then builds its own mapping between destination prefixes and labels. Thirdly, using LDP (Label Distribution Protocol) the LSRs (Label Switch Routers, or simply MPLS-enabled routers) in an MPLS network share their assigned labels. Lastly, the LSRs build the LIB (Label Information Base), LFIB and FIB based on the labels they received.

There have been two primary VPN models that have been used by Service Providers:
  • The overlay model - where the service provider provides emulated leased lines to the customer. The overlay model typically uses the virtual circuits of a Frame Relay or ATM service. The overlay model has advantages such as permitting the duplication of addresses and the isolation of the control and security planes.
  • The peer-to-peer model - where the service provider and the customer exchange Layer 3 routing information and the provider relays the data between the customer sites on the optimum path between the sites. Layer 3 MPLS VPNs permit the creation of a peer-to-peer model with many of the advantages of the overlay model, such as the duplication of addresses.


SWITCHING
Virtual LANs
A VLAN is simply an administratively defined subset of switch ports that are in the same broadcast domain.
Private VLAN
The ports in the primary VLAN are promiscuous in that they can send and receive frames with any other port, including ports assigned to secondary VLANs. Commonly accessed devices, such as routers and servers, are placed into the primary VLAN. Other ports, such as customer ports in the SP multitenant model, attach to one of the secondary VLANs.
Secondary VLANs are either community VLANs or isolated VLANs: either the device is part of a set of ports that are allowed to send frames back and forth (community VLAN ports), or the device's port is not allowed to talk to any ports other than those on the primary VLAN (isolated VLAN).

VLAN Trunking Protocol
VTP advertises VLAN configuration information to neighboring switches so that the VLAN configuration can be made on one switch, with all the other switches in the network learning the VLAN information dynamically. VTP advertises the VLAN ID, VLAN name, and VLAN type for each VLAN.
VTP Process and Revision Numbers
The VTP update process begins when a switch administrator, from a VTP server switch, adds, deletes, or updates the configuration for a VLAN. When the new configuration occurs, the VTP server increments the old VTP revision number by 1, and advertises the entire VLAN configuration database along with the new revision number.

Spanning Tree Protocol
BPDUs
STP messages are carried in Bridge Protocol Data Unit (BPDU) frames; BPDUs are multicast to 01:80:c2:00:00:00.
Root Bridge Election
A root bridge is elected to serve as a common reference point for the topology.
A switch's bridge ID is composed of two parts:
Bridge priority (2 bytes) - Administratively set; defaults to 32,768 (0x8000)
MAC address (6 bytes) - One of the switch's MAC addresses
All switches assume they are the root bridge at boot. The actual root bridge is the switch with the lowest bridge ID.
Configuration BPDUs are only generated by the root bridge; all other bridges insert their own sender ID and relay them.
Root Port Election
All non-root switches must designate a single interface as the root port(the port with the best path to the root bridge).
All interfaces are assigned an 8-bit cost derived from their speed:
4 Mbps - 250
10 Mbps - 100
16 Mbps - 62
45 Mbps - 39
100 Mbps - 19
155 Mbps - 14
622 Mbps - 6
1 Gbps - 4
10 Gbps - 2
The port with the lowest path cost to the root bridge is designated as the root port.
The root path cost noted in a BPDU is incremented by the cost assigned to the port on which it was received.
Designated Port Selection
If multiple switches reside on a segment, the one with the lowest root path cost has the designated port; the other ports will be set to blocking.
Designated port selection process:
  1. Lowest root bridge ID
  2. Lowest root path cost
  3. Lowest sender bridge ID
  4. Lowest sender port ID

STP States
  1. Disabled- Shutdown
  2. Blocking - The first state when an interface comes up; only receives BPDUs; indefinite duration
  3. Listening- Can send and receive BPDUs; able to participate in STP; duration specified by forward delay timer
  4. Learning- Can send and receive BPDUs and learn MAC addresses; duration specified by forward delay timer
  5. Forwarding- Normal operation; indefinite duration
STP Timers
Hello Time - The rate at which configuration BPDUs are advertised by the root bridge (default is 2 seconds)
Forward Delay - Length of time a port spends in both the listening and learning states (default is 15 seconds)
Max Age - Life of the most recent BPDU advertised from the root bridge (default is 20 seconds)

STP Types
  1. Common Spanning Tree (CST)- Defined in 802.1Q; one tree for all VLANs
  2. Per-VLAN Spanning Tree (PVST)- Cisco proprietary; one tree per VLAN
  3. Per-VLAN Spanning Tree Plus (PVST+)- PVST featuring compatibility with CST BPDUs

Root Bridge Configuration
The root bridge should be positioned centrally in the network to ensure the spanning tree forms in a predictable manner.
Two bridge ID formats are available:
802.1D Standard- 16-bit priority + unique MAC address for the VLAN
802.1t Extended - 4-bit priority multiplier + 12-bit VLAN ID + non-unique MAC address
The extended ID format is enabled by default, or with spanning-tree extend system-id.
An extended system ID priority must be a multiple of 4096.
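The election arithmetic from the Root Bridge Election, Root Port Election and Designated Port Selection notes above, together with the 802.1t extended system ID, as one added Python example (not code from the original post). The switch names, MAC addresses, link speeds and topology are constructed; the port costs are the 802.1D values from the table above.

```python
import heapq

# 802.1D port costs by link speed in Mbps, from the table above
PORT_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 622: 6, 1000: 4, 10000: 2}


def extended_priority(priority, vlan_id):
    """802.1t extended system ID: the 16-bit priority field carries a 4-bit multiplier
    (so the configured priority must be a multiple of 4096) and the 12-bit VLAN ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return priority | vlan_id


def bridge_id(priority_field, mac):
    """8-byte bridge ID compared in the election: 2-byte priority field, then the 6-byte MAC."""
    return (priority_field << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(switches):
    """switches: name -> (priority_field, mac). The lowest bridge ID becomes the root bridge."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def root_path_costs(links, root):
    """links: (switch_a, switch_b, speed_mbps). The root path cost carried in a BPDU is
    incremented by the receiving port's cost, so the cheapest path sums the link costs."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    costs, heap = {root: 0}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > costs[node]:
            continue
        for nbr, link_cost in adj.get(node, []):
            if cost + link_cost < costs.get(nbr, float("inf")):
                costs[nbr] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nbr))
    return costs


def root_port(switch, links, costs, switches):
    """Neighbor behind a non-root switch's root port: lowest root path cost, then lowest
    sender bridge ID (criteria 2 and 3; criterion 1 is equal once all agree on the root)."""
    candidates = []
    for a, b, speed in links:
        if switch in (a, b):
            far = b if a == switch else a
            candidates.append((costs[far] + PORT_COST[speed], bridge_id(*switches[far]), far))
    return min(candidates)[2]


def designated_port(segment, costs, switches):
    """segment: [(switch, port_id), ...] attached to one LAN. Lowest root path cost, then
    lowest sender bridge ID, then lowest sender port ID wins; the others block."""
    return min(segment, key=lambda sp: (costs[sp[0]], bridge_id(*switches[sp[0]]), sp[1]))


def example():
    """Three constructed switches in VLAN 10; SW3 has priority 4096 so it should become root."""
    vlan = 10
    switches = {
        "SW1": (extended_priority(32768, vlan), "0011.2233.4401"),
        "SW2": (extended_priority(32768, vlan), "0011.2233.4402"),
        "SW3": (extended_priority(4096, vlan), "0011.2233.4403"),
    }
    links = [("SW1", "SW2", 100), ("SW2", "SW3", 1000), ("SW1", "SW3", 10)]
    root = elect_root(switches)
    costs = root_path_costs(links, root)
    return {
        "root": root,
        "costs": costs,
        "sw1_root_port_toward": root_port("SW1", links, costs, switches),
        "designated_on_sw1_sw2": designated_port([("SW1", 1), ("SW2", 2)], costs, switches),
    }
```

SW1 prefers the 100 Mbps + 1 Gbps path through SW2 (cost 19 + 4 = 23) over its direct 10 Mbps link to the root (cost 100), which is the root-path-cost rule in action.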

Redundant Link Convergence
PortFast- Applied to access ports to allow fast establishment of connectivity
UplinkFast- Enables fast failover to an alternate uplink toward root
BackboneFast- Enables fast convergence in the core after a topology change
BPDU Guard
BPDU guard automatically places an interface in the error-disabled state upon receipt of a BPDU.
Loop Guard
Loop guard prevents a blocked port from transitioning to the forwarding state if it stops receiving
BPDUs. Instead, the port is placed in the loop-inconsistent state and continues to block traffic.
Unidirectional Link Detection (UDLD)
UDLD can detect link failures which do not explicitly shut down the interface (such as a unidirectional fiber link or a failed intermediate media converter).

Rapid STP (RSTP)
RSTP was developed to provide a faster-converging alternative to STP, and is defined in IEEE 802.1w. Like STP, RSTP can be applied as a single instance or per VLAN. A root is elected by lowest bridge ID, as in 802.1D STP. RSTP provides its own set of port roles:
Root port- Same as in 802.1D
Designated port- Same as in 802.1D
Alternate port- A port with an alternate, less desirable path to root
Backup port- A port which provides an alternate, less desirable path to a segment which already has a designated port.
RSTP defines port states based on what action is taken on incoming frames:
Discarding - Frames are dropped, no addresses are learned (replaces 802.1D disabled, blocking and listening states)
Learning- Frames are dropped, but addresses are learned
Forwarding- Frames are forwarded
RSTP defines a new version of BPDU (v2) which is backward-compatible with 802.1D.
BPDUs are sent out from every switch at hello time intervals; a neighbor is assumed down if three intervals are missed.
If an RSTP switch detects a traditional (version 0) BPDU on a port, that port changes to operate in 802.1D mode.
Port types:
Edge port - A port to which a single host connects; identified by enabling PortFast; loses its edge status upon receipt of a BPDU
Root port - The port with the best path to root; alternates can be identified as well
Point-to-point port - A designated port connected directly to another switch; only full-duplex ports are eligible by default
RSTP Synchronization
All non-edge ports begin in the discarding state.
Proposal messages are used to determine the root port of a segment based on bridge priorities.
When a switch receives a proposal message on a port, it moves all other non-edge ports to the discarding state until it sends an agreement to the sender of the proposal.
When an agreement is reached, the ports on both ends of the link begin forwarding.
This method of proposal/agreement handshakes allows the synchronization process to complete much faster than traditional STP, as no timers are needed.
Topology change BPDUs are sent only when a non-edge port transitions to forwarding.

Multiple Spanning Tree (MST)
MST was developed to offer a middle ground between CST (one instance for all VLANs) and PVST (one instance for each VLAN).
An MST region is defined by several attributes:
Configuration name (32 characters)
Configuration revision number (16-bit)
Instance-to-VLAN mapping table (up to 4096 entries)
All attributes must match for two switches to belong to the same region.
An MST region is seen as a single virtual bridge by an outside CST, and runs an Internal Spanning Tree (IST) inside.
Up to 16 MST Instances (MSTIs), numbered 0 through 15, run inside an MST region; MSTI 0 is the IST.
Additional MSTIs can be created and have VLANs assigned to them.

Multilayer Switching
Interfaces on a multilayer switch are designated as switch ports (layer 2) with the switchport command, or as routed ports (layer 3) with no switchport.
Switched Virtual Interfaces (SVIs) can be defined to provide a routed interface to a VLAN.
Cisco Express Forwarding (CEF)
Traditional multilayer switching ("route once, switch many", also known as NetFlow switching or route cache switching) was done through the combination of a route processor and a switching engine.
CEF is the second generation of multilayer switching, and is enabled by default in hardware which supports it.
CEF operation relies on two components working in tandem: the layer 3 engine (routing) and the layer 3 forwarding engine (switching).
The layer 3 forwarding engine contains the Forwarding Information Base (FIB) and its Adjacency Table.
Forwarding Information Base (FIB)
The FIB is an optimized copy of the routing table, with more-specific routes listed first.
Each entry in the FIB has layer 2 and 3 next-hop addressing information associated with it.
FIB entries can be examined with show ip cef.
Packets meeting certain conditions cannot be CEF-switched and will be punted to the layer 3 engine for traditional software routing:
Expired TTL
MTU exceeded
ICMP redirect required
Unsupported encapsulation type
Compression and/or encryption is necessary
An ACL log entry must be generated
Accelerated CEF (aCEF) can be implemented in some hardware to cache portions of the FIB on each line card.
Distributed CEF (dCEF) stores the entire FIB on all capable line cards.

Adjacency Table
The adjacency table is the portion of the FIB which contains layer 2 next-hop information (MAC addresses which correspond to the layer 3 next-hop addresses).
Similar to how the FIB is built from the routing table, the adjacency table is built from the ARP table.
Adjacency information can be examined with show adjacency.
Adjacency table entries with missing or expired layer 2 addresses are placed in the CEF glean state; packets must be punted to the L3 engine so an ARP request/reply can be generated.
When a route is placed in the glean state, incoming packets will be dropped for up to two seconds as the switch awaits an ARP reply.
Other adjacency states include:
Null- Represents a null interface (black hole)
Drop- Indicates packets cannot be forwarded to the destination and should be dropped
Discard- An ACL or other policy mandates that packets be dropped
Punt- Further processing is required by the layer 3 engine
Packet Rewrite
The packet rewrite engine reconstructs the incoming packet with the appropriate next hop address information.
Fields rewritten include:
Layer 2 destination
Layer 2 source
IP TTL
IP Checksum
Layer 2 frame checksum

Fallback Bridging
Non-IP protocols are not supported by CEF.
Router, Supervisor, and Power Redundancy

Hot Standby Router Protocol (HSRP)
HSRP is Cisco proprietary, but defined in RFC 2281. HSRP routers multicast to the all-routers address 224.0.0.2 on UDP port 1985. HSRP group numbers (0 - 255) are only significant to an interface.
HSRP virtual interfaces are assigned a MAC in the range 0000.0c07.acXX where the last 8 bits represent the standby group.
Router Election
HSRP priority ranges from 0 to 255; default is 100.
The highest priority wins; highest IP wins a tie.
HSRP interface states:
Disabled
Init
Listen
Speak
Standby
Active
The default hello timer is 3 seconds; hold down timer is 10 seconds.

Virtual Router Redundancy Protocol (VRRP)
Standards-based alternative to HSRP, defined in RFC 2338.
VRRP refers to the active router as the master router; all others are in the backup state.
VRRP virtual interfaces take their MAC from the range 0000.5e00.01XX where the last eight bits represent the group number.
VRRP advertisements are multicast to 224.0.0.18, using IP protocol 112.
VRRP advertisements are sent at 1-second intervals by default; backup routers can optionally learn the interval from the master router.
VRRP routers will preempt the master by default if they have a higher priority.
VRRP is unable to track interfaces and concede an election.

Gateway Load Balancing Protocol (GLBP)
GLBP is Cisco proprietary, and acts like HSRP/VRRP with true load-balancing capability: all routers in a group forward traffic simultaneously. GLBP group numbers range from 0 to 1023. Priorities range from 0 to 255 (default is 100).
Timers only need to be configured on the AVG; other routers will learn from it.
Active Virtual Gateway (AVG)
The AVG has the highest priority in the GLBP group (or the highest IP address in the event of a tie); it answers all ARP requests for the group's virtual IP address.
Active Virtual Forwarder (AVF)
All routers sharing load in GLBP are AVFs.
If an AVF fails, the AVG reassigns its virtual MAC to another router.
Two timers are used to age out the virtual MAC of a failed AVF:
Redirect timer (default 600 seconds) - Determines when the AVG will stop responding to ARP requests with the MAC of the failed AVF
Timeout timer (default 4 hours) - Determines when the failed AVF is no longer expected to return, and its virtual MAC will be flushed from the GLBP group

Load Balancing
Up to four virtual MACs can be assigned by the AVG.
Traffic can be distributed among AVFs using one of the following methods:
Round robin (default) - Each new ARP request is answered with the next MAC address available; traffic is distributed evenly among AVFs
Weighted - AVFs are assigned load in proportion to their weight
Host-dependent - Statically maps a requesting client to a single AVF MAC
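The AVG behaviour described in the GLBP notes above (at most four forwarder MACs, the three load-balancing methods, and the redirect and timeout timers applied to a failed AVF) as an added Python example; it is not code from the original post. Router names and the "VMAC1"/"VMAC2" placeholders are constructed, and the weighted method is modelled as a simple proportional share, which is an assumption about the distribution rather than Cisco's exact algorithm.

```python
REDIRECT_TIMER = 600        # seconds; default redirect timer from the notes
TIMEOUT_TIMER = 4 * 3600    # seconds; default timeout timer from the notes


class AVG:
    """Active virtual gateway: answers ARP for the group's virtual IP with one of up to
    four forwarder virtual MACs, chosen by the configured load-balancing method."""
    MAX_AVFS = 4

    def __init__(self, method="round-robin"):
        if method not in ("round-robin", "weighted", "host-dependent"):
            raise ValueError(method)
        self.method = method
        self.avfs = {}         # vmac -> {"router": owner, "weight": int, "failed_at": None|seconds}
        self.handed_out = {}   # vmac -> number of ARP replies that carried it
        self.host_map = {}     # client MAC -> vmac (host-dependent)
        self.rr_index = 0

    def add_avf(self, router, vmac, weight=100):
        if len(self.avfs) >= self.MAX_AVFS:
            raise ValueError("GLBP assigns at most four virtual MACs per group")
        self.avfs[vmac] = {"router": router, "weight": weight, "failed_at": None}
        self.handed_out[vmac] = 0

    def eligible(self, now):
        """vMACs still handed out: live ones, plus failed ones until the redirect timer expires."""
        return [m for m, a in self.avfs.items()
                if a["failed_at"] is None or now - a["failed_at"] < REDIRECT_TIMER]

    def answer_arp(self, client_mac, now=0):
        """Virtual MAC placed in the ARP reply sent to client_mac at time `now` (seconds)."""
        vmacs = self.eligible(now)
        if self.method == "round-robin":
            vmac = vmacs[self.rr_index % len(vmacs)]
            self.rr_index += 1
        elif self.method == "weighted":
            # proportional share (assumed model): the forwarder furthest below its weight share
            vmac = max(vmacs, key=lambda m: self.avfs[m]["weight"] / (self.handed_out[m] + 1))
        else:
            vmac = self.host_map.get(client_mac)  # host-dependent: same client, same forwarder
            if vmac not in vmacs:
                vmac = vmacs[len(self.host_map) % len(vmacs)]
                self.host_map[client_mac] = vmac
        self.handed_out[vmac] += 1
        return vmac

    def avf_failed(self, vmac, now):
        """A forwarder went down: the AVG hands its vMAC to another live router so hosts that
        cached it keep working, and starts the redirect/timeout aging. Returns the new owner."""
        entry = self.avfs[vmac]
        entry["failed_at"] = now
        entry["router"] = next((a["router"] for a in self.avfs.values()
                                if a["failed_at"] is None), None)
        return entry["router"]

    def expire(self, now):
        """Flush vMACs whose forwarder has not returned within the timeout timer."""
        gone = [m for m, a in self.avfs.items()
                if a["failed_at"] is not None and now - a["failed_at"] >= TIMEOUT_TIMER]
        for m in gone:
            del self.avfs[m], self.handed_out[m]
            self.host_map = {c: v for c, v in self.host_map.items() if v != m}
        return gone
```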

Switch Chassis Redundancy
Redundant supervisor modes:
Route Processor Redundancy (RPR) (> 2 minutes) - The standby supervisor is only partially initialized; when the active sup fails, the standby must reload all modules and finish initializing itself.
Route Processor Redundancy Plus (RPR+) (> 30 seconds) - The standby supervisor boots but does not operate; when the active sup fails, the standby can take over without reloading the modules.
Stateful Switchover (SSO) (> 1 second) - Configuration and layer 2 information are stored on both supervisors; the standby sup takes over immediately.
If configuring redundancy for the first time, it must be configured manually on both supervisors.
Redundant operation can be verified with show redundancy states

Non-Stop Forwarding (NSF)
When a standby supervisor takes over, it must populate its RIB; this can be achieved quickly with Cisco's proprietary NSF. NSF-aware neighbors provide routing information to quickly populate the new RIB.
BGP, EIGRP, OSPF, and IS-IS support NSF, but it must be enabled through manual configuration under the relevant protocol:
Redundant Power Supplies
Switches with multiple power supplies can operate in one of two power modes:
Combined mode - The load for a single power supply may be exceeded; does not provide redundancy.
Redundant mode (default) - Load is shared but may not exceed the output of a single power supply.

Securing Switch Access
Port Security
Port security can be used to restrict which or how many hosts connect to a switch port:
Violation actions:
protect - The port continues to function without logging a violation, but frames from violating MAC addresses are dropped.
restrict - As with protect mode, frames from violating MAC addresses are dropped, but the violation is logged.
shutdown - The port is transitioned to the error-disabled state, and no traffic is accepted.
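The three violation actions side by side, as an added Python model (not code from the original post): one access port with a maximum of one secure MAC sees a second source address, and each mode answers differently. The port name, MAC addresses and the log line format are constructed.

```python
class SecuredPort:
    """Access port with port security: at most `maximum` secure MAC addresses; frames from
    any other source MAC are a violation handled by the protect, restrict or shutdown action."""

    def __init__(self, name, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure_macs = []      # dynamically learned secure addresses, in learning order
        self.err_disabled = False
        self.violation_count = 0   # incremented only by restrict and shutdown
        self.log = []              # constructed log lines, not real IOS syslog text

    def receive(self, src_mac):
        """Return True when the frame is forwarded, False when it is dropped."""
        if self.err_disabled:
            return False                              # nothing is accepted until recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)          # learn a new secure address
            return True
        if self.violation == "protect":
            return False                              # dropped silently: no log, no counter
        self.violation_count += 1
        self.log.append(f"port-security violation on {self.name} by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True                  # the whole port goes error-disabled
        return False

    def recover(self):
        """Administrative recovery of an error-disabled port (shutdown / no shutdown)."""
        self.err_disabled = False


def run_scenario(violation):
    """Same constructed frame sequence through each mode: a legitimate host, then a second MAC
    on the same port, then the legitimate host again. Returns (forwarded, err-disabled, count)."""
    port = SecuredPort("Fa0/1", maximum=1, violation=violation)
    frames = ["00aa.bb00.0001", "00aa.bb00.0001", "00aa.bb00.0002", "00aa.bb00.0001"]
    forwarded = [port.receive(m) for m in frames]
    return forwarded, port.err_disabled, port.violation_count
```

Only shutdown takes the legitimate host offline along with the offender, which is the trade-off to weigh when choosing the mode for user-facing ports.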

IEEE 802.1x
Extensible Authentication Protocol Over LANs (EAPOL) is used to authenticate a connecting host to a switch via layer 2.
DHCP Snooping
DHCP snooping prevents DHCP-influenced man-in-the-middle (MITM) attacks by blocking DHCP replies from untrusted ports.
IP Source Guard
IP source guard is used to mitigate IP spoofing, and relies on DHCP snooping bindings to determine the legitimacy of a source address.
Dynamic ARP Inspection (DAI)
DAI mitigates ARP spoofing attacks (ARP cache poisoning); static ARP entries or the DHCP snooping database must be used for reference.
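How DHCP snooping, IP Source Guard and DAI fit together on one access switch, as an added Python example (not code from the original post): replies from untrusted ports are dropped, the binding table is built from replies that arrive on the trusted uplink, and that table is what IPSG and DAI check against. Port names, MAC addresses, IP addresses and the packet sequence are all constructed.

```python
class AccessSwitch:
    """One access switch: DHCP snooping builds a binding table from replies that arrive on
    trusted ports; IP Source Guard and DAI consult that table for untrusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # client MAC (chaddr) -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}    # port -> (client MAC, leased IP): the DHCP snooping binding table
        self.static_arp = {}  # IP -> MAC, static entries DAI may also use for reference

    def dhcp(self, port, msg, chaddr, yiaddr=None):
        """Snoop one DHCP message. OFFER/ACK are accepted only from trusted ports; an accepted
        ACK creates the binding for the client's port. Returns 'forward' or 'drop'."""
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted:
                return "drop"                      # a DHCP server on an untrusted port is rogue
            if msg == "ACK" and chaddr in self.pending:
                self.bindings[self.pending.pop(chaddr)] = (chaddr, yiaddr)
            return "forward"
        self.pending[chaddr] = port                # DISCOVER/REQUEST from a client
        return "forward"

    def ip_packet(self, port, src_ip):
        """IP Source Guard: on an untrusted port the source IP must be the one leased to it."""
        if port in self.trusted:
            return "forward"
        binding = self.bindings.get(port)
        return "forward" if binding and binding[1] == src_ip else "drop"

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender IP/MAC pair must match a static entry or the
        port's snooping binding; anything else is treated as cache poisoning and dropped."""
        if port in self.trusted:
            return "forward"
        if self.static_arp.get(sender_ip) == sender_mac:
            return "forward"
        return "forward" if self.bindings.get(port) == (sender_mac, sender_ip) else "drop"


def run_scenario():
    """Constructed sequence: uplink Gi0/1 is trusted, hosts sit on Fa0/2 and Fa0/3."""
    sw = AccessSwitch(trusted_ports=["Gi0/1"])
    host = "00aa.0000.0002"
    decisions = [
        sw.dhcp("Fa0/2", "REQUEST", host),                 # client request: forwarded
        sw.dhcp("Fa0/3", "OFFER", host, "10.0.0.50"),      # reply from an untrusted port: dropped
        sw.dhcp("Gi0/1", "ACK", host, "10.0.0.20"),        # real server's ACK: forwarded, binding made
        sw.ip_packet("Fa0/2", "10.0.0.20"),                # source matches the lease: forwarded
        sw.ip_packet("Fa0/2", "10.0.0.1"),                 # spoofed source: dropped
        sw.arp("Fa0/2", host, "10.0.0.20"),                # honest ARP: forwarded
        sw.arp("Fa0/3", "00aa.0000.0003", "10.0.0.1"),     # gateway IP claimed by another host: dropped
    ]
    return decisions, sw.bindings
```

Because both IPSG and DAI depend on the binding table, DHCP snooping has to be in place first; a host with a static address needs a static binding or static ARP entry or its traffic is dropped.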
Securing with VLANs
VACLs can filter traffic within a VLAN and do not require a routed interface.
A VACL can match traffic from a MAC, IP, or IPX access list.
Private VLANs
Private VLANs (PVLANs) can be implemented to prevent hosts within a VLAN from communicating directly.
Primary (regular) VLANs are associated with secondary (private) VLANs.
A secondary VLAN can be one of two types:
Isolated- Hosts associated with the VLAN can only reach the primary VLAN.
Community - Hosts can communicate with the primary VLAN and other hosts within the secondary VLAN, but not with other secondary VLANs.
PVLAN information is not communicated by VTP.
PVLAN ports are configured to operate in one of two modes:
Promiscuous - Port attaches to a router, firewall, etc.; can communicate with all hosts
Host - Can only communicate with a promiscuous port, or ports within the same community PVLAN
Host ports are associated with one primary and one secondary VLAN, whereas promiscuous ports are mapped to one primary and multiple secondary VLANs.
