Pick it up Spanning Tree at part II for MSTP at http://blog.internetworkexpert.com/2008/09/24/mstp-tutorial-part-ii-outside-a-region/ .


Table of Contents

BGP


Attributes

Community example

router bgp 10
  neighbor 20.20.1.1 remote-as 20
  neighbor 20.20.1.1 send-community
  neighbor 20.20.1.1 route-map dacommunity out
!
route-map dacommunity permit 10
  match ip address prefix-list dontannounce
  set community no-export
!
ip prefix-list dontannounce permit 192.168.0.0/16

Route Filter Lists examples

router bgp 20
  neighbor 20.20.1.1 remote-as 21
  neighbor 20.20.1.1 prefix-list INCOMING in
  neighbor 20.20.1.1 prefix-list OUTGOING out
!
ip prefix-list INCOMING deny 21.10.0.0/16
ip prefix-list INCOMING permit 0.0.0.0/0 le 32
ip prefix-list OUTGOING permit 21.6.0.0/16
---
router bgp 10
  neighbor 22.20.1.1 remote-as 21
  neighbor 22.20.1.1 filter-list 5 out
  neighbor 22.20.1.1 filter-list 6 in
!
ip as-path access-list 5 permit ^20$  (matches an AS path that contains only AS 20)
ip as-path access-list 6 permit _15_  (matches any AS path that has AS 15 in it)

Route Map examples

router bgp 10
  neighbor 10.10.10.10 route-map INBOUND in
!
route-map INBOUND permit 11
  match ip address prefix-list pref1
  set local-preference 90
!
route-map INBOUND permit 22
  match ip address prefix-list pref2
  set local-preference 80
!
ip prefix-list pref1 permit 10.0.0.0/8
ip prefix-list pref2 permit 20.0.0.0/8

Additional Capabilities

http://www.iana.org/assignments/capability-codes

Route Refresh

Router re-sends, or asks the peer to re-send, all routes without tearing down the neighbor relationship.
clear ip bgp a.b.c.d in | out

Soft Reconfiguration

Question - Why would I do this?  Pg 117: stores the prefixes received from the peer prior to policy application.
router bgp 10
  neighbor 10.10.10.10 remote-as 20
  neighbor 10.10.10.10 route-map dafilter in
  neighbor 10.10.10.10 soft-reconfiguration inbound

clear ip bgp 10.10.10.10 soft in | out

Peer Groups

A group of BGP neighbors that share the same settings and outbound policy from this router.
router bgp 10
  neighbor dapeergrp peer-group
  neighbor dapeergrp remote-as 10
  neighbor dapeergrp update-source loopback 0 (force the source to be the loopback)
  neighbor dapeergrp send-community (send community attributes to the whole group)
  neighbor dapeergrp route-map outfilter out (use outfilter - not shown)
  neighbor 10.10.10.10 peer-group dapeergrp (put 10.10.10.10 in the peer-group)
  neighbor 20.20.20.20 peer-group dapeergrp (put 20.20.20.20 in the peer-group)
  neighbor 20.20.20.20 route-map infilter in (apply infilter to updates from 20.20.20.20)
  neighbor 30.30.30.30 peer-group dapeergrp


BGP Nexthop (NBMA)

When a route is advertised over NBMA (e.g. frame relay) as if it were broadcast media but one of the paths does not exist (e.g. no PVC), you sometimes have to configure
neighbor a.b.c.d next-hop-self
so that the route goes through the router that has the PVC(s) set up.

go to http://www.ittc.ku.edu/EECS/EECS_800.ira/bgp_tutorial/14.html - search for BGP Nexthop (NBMA).

Route Flap Dampening

RFC2439
Minimizes route down/up (WITHDRAW/UPDATE) churn and the corresponding routing propagation/CPU waste.
router bgp <as-number>
  bgp dampening <half-life-time> <reuse-value> <suppress-limit> <max-suppress-time>
After a flap, the penalty goes up by (default) 1000.
- When it gets to suppress-limit, route propagation is suppressed.
- Falls (exponentially) based on half-life and reuse-value.
- Route propagation restarts when the penalty reaches reuse-value.
- When penalty < 1/2 reuse-value, the penalty is set to 0 (?)

recommendations for ISPs http://www.ripe.net/docs/ripe-229.html

max-penalty = reuse-value x 2 ^ (max-suppress-time / half-life)

bgp dampening 30 750 3000 60 is bad because
    max-penalty = 750 x 2 ^ (60/30) = 750 x 4 = 3000
    the penalty can never pass 3000, so routes will never be suppressed

Make sure suppress-limit is less than max-penalty, otherwise there is no flap dampening at all.
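A worked version of the max-penalty check and the penalty decay described above, added as an example that is not part of the original notes. The half-life decay, the 1000-per-flap default and the 30/750/3000/60 case are the values stated above; the flap timings are constructed.

```python
import math

def max_penalty(half_life, reuse, max_suppress):
    """max-penalty = reuse-value x 2^(max-suppress-time / half-life)."""
    return reuse * 2 ** (max_suppress / half_life)

def dampening_is_effective(half_life, reuse, suppress, max_suppress):
    """suppress-limit must lie below max-penalty, or no route is ever suppressed."""
    return suppress < max_penalty(half_life, reuse, max_suppress)

def decay(penalty, half_life, minutes):
    """Exponential decay: the penalty halves every half-life minutes."""
    return penalty * 0.5 ** (minutes / half_life)

def minutes_until_reuse(penalty, half_life, reuse):
    """How long a suppressed route stays suppressed once it stops flapping."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)

def simulate(flap_minutes, half_life, reuse, suppress, max_suppress,
             flap_penalty=1000):
    """Replay flaps (minutes since start) and return one
    (minute, penalty, suppressed) tuple per flap.

    Each flap adds flap_penalty (the default 1000 from the notes); the penalty
    is capped at max-penalty, suppression starts once it exceeds suppress-limit
    and ends once decay brings it back down to reuse-value.
    """
    cap = max_penalty(half_life, reuse, max_suppress)
    penalty, suppressed, last, timeline = 0.0, False, 0.0, []
    for t in flap_minutes:
        penalty = decay(penalty, half_life, t - last)
        last = t
        if suppressed and penalty <= reuse:
            suppressed = False
        penalty = min(penalty + flap_penalty, cap)
        if penalty > suppress:
            suppressed = True
        timeline.append((t, round(penalty), suppressed))
    return timeline

# Constructed flap pattern: five flaps one minute apart.
FLAPS = [0, 1, 2, 3, 4]
```

Running simulate(FLAPS, 30, 750, 3000, 60) never suppresses anything, while the IOS defaults 15 750 2000 60 suppress on the third flap.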

Selective/variable dampening
bgp dampening route-map <name>
route-map <name> permit 10
  match ip address prefix-list DALIST
  set dampening <half-life-time> <reuse-value> <suppress-limit> <max-suppress-time>
ip prefix-list DALIST permit 192.168.0.0/16 le 24
        (accepts prefixes inside 192.168.0.0/16 with mask lengths from 16 up to 24 bits)

QUESTION EXPLAIN LE ABOVE - THOUGHT MASK LENGTH WAS DESIGNATED WITH <ipaddr>/<masklength>
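An evaluator for the prefix-list semantics used in the Route Filter Lists examples above and in DALIST here, added as an illustration rather than taken from the notes or from IOS. It parses the page's own prefix-list lines (copied into CONFIG) and applies first-match with ge/le, which is what the le question comes down to.

```python
import ipaddress
import re

# The prefix-list lines from the notes above, copied so the evaluator runs on them.
CONFIG = """
ip prefix-list INCOMING deny 21.10.0.0/16
ip prefix-list INCOMING permit 0.0.0.0/0 le 32
ip prefix-list OUTGOING permit 21.6.0.0/16
ip prefix-list DALIST permit 192.168.0.0/16 le 24
"""

ENTRY = re.compile(r"ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?\s*$")

def parse_prefix_lists(config):
    """Return {name: [(action, network, ge, le), ...]} in configured order."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            name, _seq, action, prefix, ge, le = m.groups()
            lists.setdefault(name, []).append(
                (action, ipaddress.ip_network(prefix),
                 None if ge is None else int(ge), None if le is None else int(le)))
    return lists

def entry_matches(net, ge, le, candidate):
    """Match = candidate lies inside net AND its mask length is in range.

    No ge/le: length must equal net's own (exact match).  'le N' raises the
    upper bound to N; 'ge N' raises the lower bound to N and, alone, sets the
    upper bound to 32.  So 'le 24' on a /16 means lengths 16 through 24.
    """
    low = net.prefixlen if ge is None else ge
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    if not low <= candidate.prefixlen <= high:
        return False
    return candidate.prefixlen >= net.prefixlen and candidate.network_address in net

def permits(lists, name, prefix):
    """First matching entry decides; every prefix list ends in an implicit deny."""
    candidate = ipaddress.ip_network(prefix)
    for action, net, ge, le in lists.get(name, []):
        if entry_matches(net, ge, le, candidate):
            return action == "permit"
    return False

LISTS = parse_prefix_lists(CONFIG)
```

Note what the evaluator shows for INCOMING: the deny catches only the exact 21.10.0.0/16, so a more specific 21.10.5.0/24 falls through to the permit-all line; to reject everything inside that block the deny line needs le 32 as well.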

http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfbgp1.html#ip_prefix-list

recommendations for ISPs - http://www.ripe.net/docs/ripe-210.html

show ip bgp neighbor <a.b.c.d> [dampened-route | flap-statistics]

Route Reflectors

Reduces the number of iBGP sessions required for a full mesh.
router bgp 10
  neighbor 1.1.1.2 remote-as 10
  neighbor 1.1.1.3 remote-as 10
  neighbor 1.1.1.3 route-reflector-client
  neighbor 1.1.1.4 remote-as 10
  neighbor 1.1.1.4 route-reflector-client
  ...

Confederations

Smaller Private ASes, with entire group assigned confederation ID.  
QUESTION - WHAT is 1 in first network list on pg 152
router bgp 20
  bgp confederation identifier 100 (external AS number seen for the whole group)
  bgp confederation peers 10 (sub-AS 10 is another member of the confederation)
  neighbor 1.1.1.1 remote-as 10
  neighbor 1.1.1.2 remote-as 20 (peering with a router in sub-AS 20)
  neighbor 1.1.1.5 remote-as 20

Multihoming

Preparing

  1. Multihoming to 2 ISPs requires applying for an AS number.
  2. Decide on and deploy an IGP (OSPF or IS-IS).  QUESTION - Deployed between ISP and Customer?
  3. Configure iBGP on the routers in the local network that will be the transit path to the external connections.
    1. full or partial iBGP route mix?
    2. scaling technique (peer-groups, RRs, communities)
    3. Deploy iBGP with a distance greater than the IGP distance.
    4. Install customer prefixes into iBGP.
    5. Make the iBGP distance < IGP distance...does the network still work?
    6. Withdraw customer prefixes from the IGP.

Plan/Implement to same ISP

QUESTION - What does null0 do?  pg63 apricot01

Plan/Implement to Different ISPs

NOTE: the typical RIR minimum allocation is /20; announced sub-prefixes may not be reachable.
QUESTION - is there any way to loadbalance longer subprefixes across multiple ISPs?

Service Provider Multihoming

Internet Data Center (IDC) Multihoming

QUESTION - pg 165 Apricot01, What?

Communities - loadsharing/backup on mult inter-AS links

RFC1998 - describes using BGP communities to determine local-preference in the upstream's network.
Community values with particular meanings (from an ISP perspective(?)) (taken from the APRICOT2004-BGP00.pdf presentation):
  ASx:100 - set local-pref 100 - preferred route
  ASx:90  - set local-pref 90  - backup route if dual-homed on ASx
  ASx:80  - set local-pref 80  - main link is to another ISP with the same AS path length
  ASx:70  - set local-pref 70  - main link is to another ISP
QUESTION - pg 179 APRICOT01 - Why is there a (2nd) route-map routerD-out permit 20 in addition to the 10

2 links to same ISP - primary, backup


Move somewhere else

ISP use of communities - examples


Start at slide 192 in APRICOT01

General Switching

Hierarchical Network Model


Benefits
Principles to stay aware of

Switch Types

 

Spanning Tree

Taken from
http://en.wikipedia.org/wiki/Spanning_tree_protocol
http://blog.internetworkexpert.com/2008/07/27/mstp-tutorial-part-i-inside-a-region/
http://blog.internetworkexpert.com/2008/09/24/mstp-tutorial-part-ii-outside-a-region/

STP

  1. Select a root bridge.
  2. Determine least-cost paths to the root bridge.
  3. Port roles/states - draw a picture/graph and work out the roles:
    Root Port - port on a non-root bridge closest to the root bridge in terms of cost
    Designated Port - port on a network segment closest to the root bridge in terms of cost
    Non-designated Port - ports that block traffic in order to preserve a loop-free L2 topology
    Disabled Port - port that is administratively shut down
  4. Any port that is not a root or designated port can be blocked.
  5. Tie breakers:
    1. If multiple paths from a bridge are least-cost, the bridge uses the neighbor bridge with the lower bridge ID.  That port becomes the root port.
    2. If multiple paths from a segment lead to a least-cost path, the lower bridge ID is used to forward messages to the root.  The port attaching that bridge becomes the designated port.
    3. Finally, the lowest port priority is used.
Data rate     STP Cost (802.1D-1998)   STP Cost (802.1t-2001)
4 Mbit/s      250                      5,000,000
10 Mbit/s     100                      2,000,000
16 Mbit/s     62                       1,250,000
100 Mbit/s    19                       200,000
1 Gbit/s      4                        20,000
2 Gbit/s      3                        10,000
10 Gbit/s     2                        2,000
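Root election and root-port selection with the 802.1D-1998 costs and the tie-breakers listed above, added here as an example; it is not from the notes or from the Wikipedia/INE sources. ROOT reuses the priority and MAC from the show spanning-tree output further down; S2, S3, S4 and the links are a constructed topology.

```python
import heapq

# 802.1D-1998 port costs by link speed in Mbit/s, from the table above
STP_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 2000: 3, 10000: 2}

def bridge_id(priority, mac):
    """A bridge ID compares priority first, then MAC; lower wins throughout."""
    return (priority, mac)

def elect_root(bridges):
    """Step 1: the bridge with the lowest bridge ID becomes root.  This is why
    the root's priority is set deliberately (spanning-tree vlan <x> root primary)."""
    return min(bridges)

def root_ports(bridges, links):
    """Steps 2 and 5: least-cost path to the root for every non-root bridge.

    links are (bridge_a, port_a, bridge_b, port_b, mbps).  Returns
    {bridge: (root path cost, upstream bridge ID, local root port)}.
    Ties on cost go to the lower upstream bridge ID, then the lower
    local port number, matching the tie-breakers listed above.
    """
    adj = {b: [] for b in bridges}
    for a, pa, b, pb, mbps in links:
        cost = STP_COST[mbps]
        adj[a].append((b, pb, cost))   # from a, the link reaches b on b's port pb
        adj[b].append((a, pa, cost))
    root = elect_root(bridges)
    best = {root: (0, None, None)}
    heap = [(0, root)]
    while heap:
        cost, bridge = heapq.heappop(heap)
        if cost > best[bridge][0]:
            continue                      # stale heap entry
        for nb, port_on_nb, link_cost in adj[bridge]:
            cand = (cost + link_cost, bridge, port_on_nb)
            if nb not in best or cand < best[nb]:
                best[nb] = cand
                heapq.heappush(heap, (cand[0], nb))
    return {b: v for b, v in best.items() if b != root}

# Constructed topology: ROOT is the bridge from the show spanning-tree output
# on this page; S2, S3 and S4 are made-up switches at the default priority 32768.
ROOT = bridge_id(24576, "0003.e475.0a66")
S2 = bridge_id(32768, "0011.1111.1111")
S3 = bridge_id(32768, "0022.2222.2222")
S4 = bridge_id(32768, "0033.3333.3333")
LINKS = [(ROOT, 1, S2, 1, 100), (ROOT, 10, S3, 1, 100),
         (S2, 2, S3, 2, 1000), (S2, 3, S4, 1, 100), (S3, 3, S4, 2, 100)]
BRIDGES = [ROOT, S2, S3, S4]
```

S4 has two equal-cost (19 + 19) paths; it picks S2 as upstream because S2's bridge ID is lower than S3's, exactly tie-breaker 1.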

BPDU

STP switch port states

STP Port Roles

Timer Comparison

Protocol   Hello                       Dead (RIP-Invalid) (OSPF-Suspicious)   (RIP-Flush)   Holddown
RIP        30                          180 (6x)                               240 (8x)      180
OSPF       10 BMA / 30 NBMA            90 (3x) / 120 (4x)                     -             5 second delay + 10 seconds hold
EIGRP      5 / 60 (WAN < 1.544 Mbps)   15 (3x)                                -             -
STP        2                           20 (blocking)                          15 listening, 15 learning, then forwarding

RSTP

IEEE 802.1w (1998)
Cisco proprietary - Rapid PVST+

PVST

Per-VLAN Spanning Tree (PVST and PVST+)
show spanning-tree vlan 100

MSTP

Multiple Spanning Tree Protocol
802.1s merged with 802.1Q-2003

R-PVST

Rapid Per-VLAN Spanning Tree

PortFast and BPDU Guard

PortFast

BPDU Guard

If a BPDU is seen on the port, put the port into err-disable (shut/no shut to clear).
spanning-tree bpduguard enable (interface mode)
OR (global mode)
spanning-tree portfast bpduguard default
spanning-tree portfast default (again global)

VLANs

VLAN setting in ethernet packet - See 802.1p/Q section in QOS Notes to see packet/header details.

Cisco VLAN Commands

Taken from http://itknowledgeexchange.techtarget.com/cisco/setting-up-a-vlan-with-the-cisco-ios/
Show vlan brief
Show interfaces switchport
Show ip interface brief
Show int trunk

And here is how you would configure VLAN routing on your router, with some show commands:

Router commands
Interface fastethernet 0/4.1
Encapsulation dot1q 10
ip address x.x.x.x y.y.y.y

Interface fastethernet 0/4.2
Encapsulation dot1q 20
ip address z.z.z.z a.a.a.a

Interface fastethernet 0/4
No shutdown

Show ip interface brief
Show vlans

And here is how you would configure a VLAN on your switch:

Switch commands
Interface fastethernet 0/1
switchport mode trunk

Interface fastethernet 0/2
Switchport access vlan 10
No shutdown

Interface fastethernet 0/5
Switchport access vlan 20
No shutdown

Interface vlan 10
Ip address x.x.x.x y.y.y.y
No shutdown

Interface vlan 20
Ip address x.x.x.x y.y.y.y
No shutdown

Cisco STP and VLAN Commands

sh interfaces switchport
sh spanning-tree
Switch0#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0003.E475.0A66
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0003.E475.0A66
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
-------------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/10 Desg FWD 19 128.10 P2p
Fa0/22 Desg FWD 19 128.22 P2p
Fa0/24 Desg FWD 19 128.24 P2p
sh interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/10 on 802.1q trunking 1
Fa0/24 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/10 1-1005
Fa0/24 1-1005

Port Vlans allowed and active in management domain
Fa0/10 1,10,20
Fa0/24 1,10,20

Port Vlans in spanning tree forwarding state and not pruned
Fa0/10 1,10,20
Fa0/24 1,10,20
sh vlan brief
sh vtp status
---
int fa0/24
switchport mode trunk (trunk port passes tags, access port strips)
---
vlan 10
name <name>
(VLANs are stored in vlan.dat in flash)
---
int vlan 10
ip addr 10.10.10.1 255.255.255.0
---
int <interface>
switchport mode access
switchport access vlan 10
---
(set spanning tree root)
---
spanning-tree vlan <x> priority <value>
spanning-tree vlan <x> root primary
spanning-tree vlan <x> root secondary (works in regular STP also)

DTP (Cisco proprietary)

Dynamic Trunking Protocol (DTP)

Modes

                    Dynamic Auto    Dynamic Desirable   Trunk             Access
Dynamic Auto        Access          Trunk               Trunk             Access
Dynamic Desirable   Trunk           Trunk               Trunk             Access
Trunk               Trunk           Trunk               Trunk             Not Recommended
Access              Access          Access              Not Recommended   Access
sh dtp interface

VTP (Cisco proprietary)

Comes in 3 modes:
  1. Server - creates & deletes VLANs - default - saves VLAN info; there can be multiple servers
  2. Client
  3. Transparent - can create or delete VLANs, but only locally on the transparent switch

---
vtp mode server|client|transparent
vtp domain <domainname>
vtp password <pw>
sh vtp status
Switch0#sh vtp status 
VTP Version : 2
Configuration Revision : 6
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : davtpdoman
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x48 0x89 0x20 0xF8 0x87 0x40 0x84 0xE5
Configuration last modified by 0.0.0.0 at 3-1-93 00:44:45
Local updater ID is 0.0.0.0 (no valid interface found)

ICMP

Some types of msgs:

UDP

See IPv4 notes for the IPv4 stuff.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          UDP Length           |    UDP Checksum (optional)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP

See IPv4 notes for the IPv4 stuff.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|          Window Size          |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent Pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Upper Layer Data ...                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Sequence Number - allows segments to be put back in the correct order if they get misordered in transport
Acknowledgment Number - the next sequence number the receiver expects to receive
Data Offset - number of 32-bit words in the TCP header
Ctrl bits (flags):
  • URG - urgent pointer field significant
  • ACK
  • PSH - don't buffer
  • RST - reset connection
  • SYN
  • FIN - no more data from sender
Window Size - number of bytes the sender of the segment can accept.  TCP slow start: TCP reduces the window size if a segment gets dropped.

Session setup and teardown

----SYN--->
<-SYN/ACK--
----ACK--->
..session..
----FIN--->
<---ACK----
<---FIN----
----ACK--->
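A parser for the fixed TCP header laid out above, added as an example that is not from the notes: it decodes the control bits into flag names, rejects a bad data offset, and maps a flag set onto the session setup steps drawn above. The header builder and the sample segments are constructed (checksum left at 0).

```python
import struct

# Flag bits in the control byte, from the diagram above (FIN is the low bit)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header and split off the payload.

    Raises ValueError on a truncated segment or a data offset that is below
    the 5-word minimum or points past the end of the segment.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (src, dst, seq, ack, off_res, ctrl,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4            # high 4 bits: header length in 32-bit words
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name for name, bit in FLAG_BITS.items() if ctrl & bit},
        "window": window, "checksum": checksum, "urgent_ptr": urgent,
        "payload": segment[data_offset * 4:],   # any options sit before this point
    }

def handshake_step(flags):
    """Map a flag set onto the session setup steps drawn above, else None."""
    steps = {frozenset({"SYN"}): "SYN", frozenset({"SYN", "ACK"}): "SYN/ACK",
             frozenset({"ACK"}): "ACK"}
    return steps.get(frozenset(flags))

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed header builder (checksum left 0) so the example runs offline."""
    ctrl = 0
    for name in flags:
        ctrl |= FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, ctrl, window, 0, 0)

# Constructed sample: the opening SYN of a client talking to an SMTP server
SAMPLE_SYN = build_tcp_header(40000, 25, 1000, 0, {"SYN"})
```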

Ports

General rules:

Some common tcp ports

HTTP

SMTP

Commands

Typical Command Sequence

Taken from rfc2821.
 S: 220 foo.com Simple Mail Transfer Service Ready
C: EHLO bar.com
S: 250-foo.com greets bar.com
S: 250-8BITMIME
S: 250-SIZE
S: 250-DSN
S: 250 HELP
C: MAIL FROM:<Smith@bar.com>
S: 250 OK
C: RCPT TO:<Jones@foo.com>
S: 250 OK
C: RCPT TO:<Green@foo.com>
S: 550 No such user here
C: RCPT TO:<Brown@foo.com>
S: 250 OK
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Blah blah blah...
C: ...etc. etc. etc.
C: .
S: 250 OK
C: QUIT
S: 221 foo.com Service closing transmission channel

DHCP

rfc2131 others

SMB

Server Message Block - MS file share, Samba

IDS/IPS

Snort
- BASE - front end

Load Balancers (F5 BigIP)

Monitoring

mon
nagios
rrdtool
cacti
ntop
hp openview
spectrum
zabbix

OSI and TCP/IP Network Model

OSI               TCP/IP
7 Application     Application - DNS, HTTP, SMTP, FTP, etc.
6 Presentation    Application
                    • coding/conversion of data
                    • compression
                    • encryption
5 Session         Application
                    • creates and maintains dialogs between src/dest apps
4 Transport       Transport
3 Network         Internet
2 Data Link       Network Access
1 Physical        Network Access

Application Layer software

- Applications and Services (e.g. computer services)

Functions specified by App Layer Protocols

WAN Protocols

Leased Line or Circuit Switched

HDLC

PPP

Does not impose any restrictions on transmission rate other than DTE/DCE restrictions.
LCP (Link Control Protocol)
L2 encapsulation
NCP (Network Control Protocol)
Frame
Flag | Address | Control | Protocol | Data | FCS
Phases
  1. Link establishment - LCP opens and negotiates.
  2. Link quality determination (optional) - LCP tests the link to determine that link quality is sufficient to bring up the network layer.  LCP can delay transmission.
  3. Network layer protocol configuration negotiation - NCP.
---LCP Config Req-->
<--LCP Config Ack---
<----NCP Config---->
<----Echo-Request---
-----Echo-Reply----->
PPP Options
  ppp quality <percentage> (cisco interface level)
  compress predictor|stack (cisco interface level)
  ppp multilink (cisco interface level)
int s0/0
 encaps ppp

sh interface serial 0/0 (look for the encapsulation type and 'open')
sh interfaces serial
debug ppp {packet | negotiation | error | authentication | compression | cbcp} (errors and stats)
PAP Authentication
---username <username>, password-->
<--------accept/reject-------------
username R1 password cisco (global config - other side's
                            username, pws have to match)
ppp authentication pap
CHAP Authentication
<----------challenge---------------
---username <username>, password-->

<--------accept/reject-------------

SLIP

Packet-Switched

Also HDLC, PPP, SLIP

Frame Relay

FrameRelay.html

ATM

X.25


WiFi

GRE tunnels

interface tunnel1
 ip address 192.168.35.6 255.255.255.252
 tunnel source 172.25.1.5
 tunnel destination 172.26.1.6