Manual Summarization with BGP on Cisco Routers

March 22, 2018 at 8:57 pm

One of the topics that will be featured in my upcoming CBT Nuggets module, Border Gateway Protocol (BGP) – Advertising NLRI, is manual route summarization in BGP. This post (as well as more to follow) covers the highlights of the video coverage.

There are two methods of performing aggregation with BGP on a Cisco router. You can create a static route that represents the aggregate and then advertise that route using the network command. Or, you can use the aggregate-address command.

Here is an example of the static route approach:

router bgp 65100
   network 192.168.192.0 mask 255.255.248.0
   neighbor 192.168.1.220 remote-as 65200
!
ip classless
ip route 192.168.192.0 255.255.248.0 Null0

Notice how the static route points to the bit bucket (Null0). This is because it is not an actual network destination. It is an artificial construct that places the route in the routing table so we can use the network command in BGP. There will be more specific entries in the routing table covered by this advertised summary, and the router can follow those for forwarding. If all the more specific entries are removed, the static route causes traffic destined for the summary to be discarded (this is the desired behavior, typically).

With the aggregate-address command approach, you ensure component routes of the summary exist in the BGP table (thanks to the network statement or redistribution), and the summary address is advertised via BGP. Here is an example:

router bgp 65100
 aggregate-address 192.168.192.0 255.255.248.0 summary-only
 redistribute eigrp 100
 neighbor 192.168.1.220 remote-as 65200

Note that if you forget the summary-only keyword with the aggregate-address command, you will advertise the summary as well as the specific routes. A future post will demonstrate when this approach might be useful.
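The discard-route behavior of the static approach and the effect of the summary-only keyword, as an added Python model (not from the original post or from Cisco). The component /24 prefixes, their next hops and the default route toward the neighbor are assumed sample values.

```python
import ipaddress

AGGREGATE = "192.168.192.0/21"  # 192.168.192.0 mask 255.255.248.0 from the post

# Constructed sample RIB: the /24s, next hops and default route are assumptions.
RIB = {
    AGGREGATE: "Null0",                  # the static discard route
    "192.168.193.0/24": "10.0.0.2",
    "192.168.196.0/24": "10.0.0.3",
    "0.0.0.0/0": "192.168.1.220",        # assumed default toward the BGP neighbor
}

def lookup(rib, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in rib if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return str(best), rib[str(best)]

def without(rib, *prefixes):
    """Copy of the RIB with the given prefixes withdrawn."""
    return {p: nh for p, nh in rib.items() if p not in prefixes}

def advertised(bgp_table, aggregate, summary_only):
    """Prefixes sent to the neighbor when aggregate-address is configured."""
    agg = ipaddress.ip_network(aggregate)
    nets = [ipaddress.ip_network(p) for p in bgp_table]
    components = [n for n in nets if n != agg and n.subnet_of(agg)]
    if not components:
        # No component route in the BGP table: the aggregate is not generated.
        return sorted(str(n) for n in nets)
    kept = [n for n in nets if not (summary_only and n in components)]
    return sorted(str(n) for n in set(kept) | {agg})

if __name__ == "__main__":
    specifics = ("192.168.193.0/24", "192.168.196.0/24")
    print(lookup(RIB, "192.168.193.5"))                      # follows the /24
    withdrawn = without(RIB, *specifics)
    print(lookup(withdrawn, "192.168.193.5"))                # discarded at Null0
    print(lookup(without(withdrawn, AGGREGATE), "192.168.193.5"))  # sent back out the default
    print(advertised(specifics, AGGREGATE, summary_only=True))
    print(advertised(specifics, AGGREGATE, summary_only=False))
```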

An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

In many of our Cisco courses, we learn that networking best practices often point to the non-use of the Native VLAN. But why is this?

It turns out there are security vulnerabilities that could result from having a VLAN not tagged across your trunk links. For example, there is the VLAN hopping attack.

Here is how this attack could work:

Step 1: A bad person at a customer site wants to send frames into a VLAN that they are not part of.

Step 2: This person double tags the frame (Q-in-Q) with the outer tag matching the native VLAN in use at the provider edge switch.

Step 3: The provider edge switch strips off the outer tag (because it matches the native VLAN), and sends this frame across the trunk.

Step 4: The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly.

Notice this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Even still, this is obviously not something we want taking place.

What are possible solutions?

  • Use ISL trunks in the cloud – this becomes less and less possible as ISL trunks fade away.
  • Use a Native VLAN that is outside of the range permitted for the customer.
  • Tag the native VLAN in the cloud.
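A detection check for the double-tagged frames described in the steps above, as an added Python example that is not part of the original post. It walks the tag stack of a captured Ethernet frame and flags frames whose outer tag equals the trunk's native VLAN; the sample frames and VLAN numbers are constructed.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q C-tag and 802.1ad S-tag.
VLAN_TPIDS = {0x8100, 0x88A8}

def vlan_stack(frame: bytes) -> list[int]:
    """Return the VLAN ID of every tag in the frame, outermost first."""
    vids = []
    offset = 12  # skip destination and source MAC addresses
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break  # reached the real EtherType
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids

def is_hopping_candidate(frame: bytes, native_vlan: int) -> bool:
    """True when the frame carries two or more tags and the outer one is the
    native VLAN, the tag the first switch strips before trunking."""
    vids = vlan_stack(frame)
    return len(vids) >= 2 and vids[0] == native_vlan

def flagged(samples: dict, native_vlan: int) -> list[str]:
    """Names of the sample frames that match the double-tagging pattern."""
    return [name for name, raw in samples.items()
            if is_hopping_candidate(raw, native_vlan)]

# Constructed sample frames: broadcast destination, locally administered
# source MAC, optional tags, IPv4 EtherType, zero padding.
HDR = "ffffffffffff" + "020000000001"
PAD = "00" * 46
SAMPLES = {
    "untagged": bytes.fromhex(HDR + "0800" + PAD),
    "single tag 10": bytes.fromhex(HDR + "8100000a" + "0800" + PAD),
    "outer 1, inner 20": bytes.fromhex(HDR + "81000001" + "81000014" + "0800" + PAD),
    "outer 10, inner 20": bytes.fromhex(HDR + "8100000a" + "81000014" + "0800" + PAD),
}

if __name__ == "__main__":
    # With native VLAN 1 on the trunk, only the frame tagged 1/20 is flagged.
    print(flagged(SAMPLES, native_vlan=1))
```

The same frame stack is harmless or suspicious depending on the trunk's native VLAN, which is why the check takes it as a parameter.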

 

IPv6 Quiz – Cisco Bias

January 16, 2018 at 7:49 pm

This latest quiz is focused on IPv6 with a bias to Cisco Systems. These questions are what one could expect on a CCNP or CCIE exam across various tracks. Enjoy!

Rapid Spanning Tree Protocol (RSTP) 802.1w

December 29, 2017 at 8:10 am

Whether you are pursuing your CCNA, CCNP, CCIE, or many other Cisco Certifications, a deep knowledge of RSTP is critical. In this post, we will detail key facts for you regarding this Layer 2 loop prevention system.

  • 802.1w (RSTP) is an evolution of the classic 802.1D (STP) protocol
  • 802.1D tried to speed things up with the additions of UplinkFast, BackboneFast, and PortFast; the UplinkFast and BackboneFast features are now essentially built into RSTP, while PortFast is still a feature you enable in RSTP if desired
  • 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis
  • With 802.1D, once in the forwarding state, there is no way to tell from the port state whether the port is root or designated; RSTP decouples the role and the state of a port to address this issue
  • The 802.1D port states are Disabled, Blocking, Listening, Learning, Forwarding; in 802.1w these are simplified to Discarding, Learning, Forwarding
  • The port roles are expanded in 802.1w to include Backup and Alternate ports in addition to Root and Designated; these new port roles help implement the features of UplinkFast into the protocol natively
  • A Backup port receives more useful BPDUs from the same bridge it is on and is a blocked port
  • An Alternate port receives more useful BPDUs from another bridge and is a blocked port
  • RSTP now uses all six remaining bits of the flag byte to encode the role and state of the port that originates the BPDU and to handle the proposal/agreement mechanism
  • The RSTP BPDU is now of type 2, version 2; legacy bridges must drop this new BPDU; this makes it easy for an 802.1w bridge to detect legacy bridges connected to it
  • BPDUs are sent every hello-time, and not simply relayed anymore
  • BPDUs are now used as a keep-alive mechanism between bridges; a bridge considers that it loses connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row; this fast aging of the information allows quick failure detection
  • To natively support the BackboneFast type behavior, RSTP accepts inferior BPDUs; when a bridge receives inferior information from its designated or root bridge, it immediately accepts it and replaces the one previously stored; this permits fast acceptance of a new Root port in the topology
  • Rapid transition is the most important feature introduced by 802.1w; RSTP is able to actively confirm that a port can safely transition to the forwarding state without having to rely on any timer configuration; in order to achieve fast convergence on a port, the protocol relies upon two new variables: edge ports and link type
  • RSTP can only achieve a rapid transition to the forwarding state on edge ports and on point-to-point links; the link type is automatically derived from the duplex mode of a port
  • A proposal/agreement process in RSTP aids in very fast convergence
  • The topology change notification process is overhauled in order to also aid in faster convergence and improve efficiency

For more details on the new features summarized here – check out Understanding Rapid Spanning Tree Protocol (802.1w). This document often forms the basis for plenty of RSTP-related written exam questions from CCENT to CCIE. Note that my summary document here covers most of those questions for you, however!
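The flag byte and the version/type check from the list above, as an added Python decoder that is not part of the original post. It reads the first bytes of a BPDU (after the LLC header) and separates RSTP BPDUs from legacy 802.1D ones; the three sample headers are constructed.

```python
import struct

# Port role values carried in bits 2-3 of the RST BPDU flags byte.
PORT_ROLES = {0: "Unknown", 1: "Alternate/Backup", 2: "Root", 3: "Designated"}

def parse_bpdu_header(bpdu: bytes) -> dict:
    """Decode protocol ID, version, type and flags from the start of a BPDU."""
    if len(bpdu) < 4:
        raise ValueError("truncated BPDU")
    proto_id, version, bpdu_type = struct.unpack_from("!HBB", bpdu, 0)
    if proto_id != 0:
        raise ValueError("not a spanning tree BPDU")
    if bpdu_type == 0x80:
        return {"kind": "802.1D TCN"}  # TCN BPDUs carry no flags byte
    if len(bpdu) < 5:
        raise ValueError("truncated BPDU")
    flags = bpdu[4]
    # 802.1D only defines the two outer bits of the flags byte.
    info = {
        "topology_change": bool(flags & 0x01),
        "topology_change_ack": bool(flags & 0x80),
    }
    if version == 2 and bpdu_type == 0x02:
        # RSTP uses the six bits in between for role, state and handshake.
        info.update(
            kind="RSTP",
            proposal=bool(flags & 0x02),
            port_role=PORT_ROLES[(flags >> 2) & 0x03],
            learning=bool(flags & 0x10),
            forwarding=bool(flags & 0x20),
            agreement=bool(flags & 0x40),
        )
    elif version == 0 and bpdu_type == 0x00:
        info["kind"] = "802.1D config"
    else:
        info["kind"] = "unknown"
    return info

def port_state(info: dict) -> str:
    """Map the learning/forwarding bits to the three 802.1w port states."""
    if info["forwarding"]:
        return "Forwarding"
    return "Learning" if info["learning"] else "Discarding"

# Constructed sample headers: protocol ID, version, type, flags.
PROPOSAL = bytes.fromhex("000002020e")   # designated port proposing, discarding
AGREEMENT = bytes.fromhex("0000020278")  # root port agreeing, forwarding
LEGACY_TC = bytes.fromhex("0000000001")  # 802.1D config BPDU with TC set

if __name__ == "__main__":
    for raw in (PROPOSAL, AGREEMENT, LEGACY_TC):
        print(parse_bpdu_header(raw))
```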

An Overview of Intermediate System to Intermediate System (IS-IS)

June 20, 2016 at 11:41 pm

Introducing IS-IS

Poor Intermediate System to Intermediate System (IS-IS). Open Shortest Path First (OSPF) gets all the love, and this competing Interior Gateway Protocol (IGP) is often little understood by engineers in networks today. This post will solve that for many of you, or perhaps act as a refresher if it has been a long time since you have thought about this impressive protocol.

It is not all bad news for IS-IS by the way. Part of a recent resurgence of interest has been caused by it being used as the basis for some other exciting technologies. The best example of this is Transparent Interconnection of Lots of Links (TRILL) or as Cisco calls their version, FabricPath. This layer 2 technology serves as a replacement for Spanning Tree Protocol (STP) and features the use of IS-IS as its intelligence for things like path selection and convergence. Users of TRILL are shielded from IS-IS configuration, but certainly an understanding of the protocol aids in troubleshooting and a deeper understanding.

IS-IS versus OSPF

There was a battle royal for market share when it came to the wonderful world of Interior Gateway Protocols. There were plenty that thought OSPF should rule, while others thought IS-IS. As you know, OSPF really won the battle, but it is interesting to note that many large service providers still use IS-IS today in their internal networks. Those that still love it point to how easy it can be to design and tune large networks with it.

As this post will examine in a moment, there are probably many more similarities between OSPF and IS-IS than there are differences. In fact, both use the same Dijkstra’s Shortest Path First algorithm in order to calculate best paths!

Perhaps the most shocking detail of IS-IS is the fact that it was not even developed for the routing of Internet Protocol (IP) traffic! The International Organization for Standardization (ISO) developed IS-IS for the routing of their own Connectionless Network Protocol (CLNP). In fact, at the time, many thought that IP and OSPF would be short interim solutions with CLNP and IS-IS taking over long term. Of course, IP won out, and IS-IS was quickly and easily tweaked in order to function perfectly with IP.

Integrated IS-IS

This new and improved version of IS-IS that we use today is officially referred to as Integrated IS-IS. Some use the less formal dual IS-IS when describing it. No matter what you call it – it does rock. You create your autonomous system of intermediate systems (routers) to connect end systems (workstations) that are sending and receiving packets. You typically divide your AS into smaller groups called areas. The area structure is more flexible than OSPF. You have Level 1 routers that route within an area and Level 2 systems that route between areas. If you need a device to fulfil both functions (think of an ABR in OSPF), then you have what is called a Level 1/2 router.

IS-IS and OSPF

So you think the two competing IGPs might be similar? They are – just check this out:

  • Both maintain link state databases in order to function
  • Both use the Dijkstra’s Shortest Path First algorithm
  • Both use Hello packets to establish and maintain adjacencies
  • Both use a two level hierarchy
  • Both provide for address summarization between areas
  • Both use the concept of a designated router
  • Both are typically implemented with authentication in order to add security

Are you fired up to learn more about IS-IS? I hope so. I am releasing a new course this month at CBT Nuggets that will teach you even more!

Study with passion, my friends!

OSPF LSA Types and Areas

June 19, 2016 at 3:58 pm

An Overview of OSPF LSA Types and Areas

In the previous post on OSPF found here, we discussed the various OSPF LSA types. Here is a quick recap of what those were:

  • Router (Type 1)
  • Network (Type 2)
  • Summary (Type 3)
  • ASBR Summary (Type 4)
  • External (Type 5)
  • NSSA External (Type 7)

If you are even slightly fuzzy on what these different LSAs are used for in OSPF, please quickly go over that previous post.

The purpose of this post is for us to discuss how these LSAs will be impacted by a multi-area design, especially one that might include special areas. What is wonderful about this exercise is the fact that it allows us to review what these special areas are for, and gives us a richer understanding of exactly how they function. Of course, this comes from the automatic filtering of certain LSAs from certain areas.

OSPF LSAs and Standard Areas

Think about an area 0.0.0.1 attached to the backbone area of 0.0.0.0. There are Type 1 LSAs flooding in this area 0.0.0.1. If we have broadcast segments, we also have Type 2 LSAs circulating in the area. The Area Border Router is sending LSA Type 3s into the backbone to summarize the prefix information in area 0.0.0.1. It is also taking in this information from the backbone for other areas that might exist. If there is an ASBR out there in the domain somewhere, our area 0.0.0.1 will receive Type 4 and Type 5 LSAs in order to know the location of this ASBR and the prefixes it is sharing with us. Whew! That is a lot going on. This is precisely why we have the special area types!

OSPF LSAs and the Stub Area

What is it that we want to accomplish with a stub area? We do not want to hear about those prefixes that are external to our OSPF domain. Remember what those were? Sure, they are the Type 5 LSAs. In fact, we do not even want to hear about those Type 4 LSAs that are used to call out the ASBR in the network. So the stub area is chock full of Type 1, Type 2, and Type 3 LSAs. In fact, how would this area get to one of those external prefixes if it needed to? We typically use a very special Type 3 LSA for this. This LSA represents the default route (0.0.0.0/0). It is this handy little route that allows devices in this area to get to all of those externals, in fact, to get to any prefix not specifically defined in the Routing Information Base.

OSPF LSAs and the Totally Stubby Area

Ok, with this area we want very little inside it, right? Sure. So it makes sense that we are blocking those Type 4 and Type 5 LSAs once again, but now we are even blocking the Type 3 LSAs that are describing prefix information from other areas WITHIN our OSPF domain. There needs to be one big exception, however. We need a Type 3 LSA for a default route so we can actually get to other prefixes in or out of our domain.

OSPF LSAs and the Not So Stubby Area and the Totally Not So Stubby Area

Remember, the Not So Stubby Area needs to have those Type 7 LSAs. These Type 7 permit the proliferation of those external prefixes that are entering your OSPF domain thanks to this NSSA area you created. Obviously this area also has the Type 1, Type 2, and Type 3 inside it. Type 4 and Type 5 will be blocked from entering this area as you would expect. In both Juniper and Cisco environments, you can also create a Totally Not So Stubby Area by restricting Type 3s from this area.

I hope you enjoyed these last two posts on OSPF LSAs. If you still feel like you need help with this, be sure to check out my full course at CBT Nuggets.

Whatever you do, study with passion my friend!

Master the OSPF LSA Types

June 18, 2016 at 12:47 pm

An Overview of OSPF LSA Types

We know that Link State Advertisements (LSAs) are the lifeblood of an OSPF network. The flooding of these updates (and the requests for this information) allows the OSPF network to create a map of the network. This of course occurs with a little help from Dijkstra’s Shortest Path First Algorithm.

But not all OSPF LSAs are created equal. In this post, we will examine the different types that are used within the OSPF multi-area design. In the very next post here at the blog, we will recap how they are dynamically filtered when we have an OSPF domain that consists of special areas like Stub or Totally Stubby.

The Router (Type 1) LSA

We begin with what many call the “fundamental” or “building block” Link State Advertisement. The Type 1 LSA (also known as the Router LSA) is flooded within an area. It describes the interfaces of the local router that are participating in OSPF and the neighbors the local OSPF speaker has established.

The Network (Type 2) LSA

Do you remember how OSPF functions on an Ethernet (broadcast) segment? It elects a Designated Router (DR) and Backup Designated Router (BDR) in order to reduce the number of adjacencies that must be formed and the chaos that would result from a full mesh of these relationships. Well, the Type 2 LSA is sent by the Designated Router into the local area. This LSA describes all of the routers that are attached to that Ethernet segment.

The Summary (Type 3) LSA

Ready for a big difference with this LSA type? Recall that your Type 1 and Type 2 LSAs are sent within an area. We call these intra-area LSAs. Now it is time for the first of our inter-area LSAs. The Summary (Type 3) LSA is used for advertising prefixes learned from the Type 1 and Type 2 LSAs into a different area. Do you recall what device would send such an LSA? Sure, it would be the Area Border Router that separates areas.

So let’s say we have an area design like this – AREA 1-AREA 0-AREA 2. The Area 1 ABR would send the Type 3 LSAs into Area 0. The ABR into Area 2 would then send these Type 3 LSAs into that area to provide full reachability in the OSPF domain. The Type 3 LSAs remain Type 3 LSAs during this journey; it is just the OSPF costs and advertising router details that change in the advertisements. Notice also that in this example we are describing a multi-area OSPF design that is not using any special area types like Stub or Totally Stubby.

The ASBR Summary (Type 4) LSA

Do you recall the very special OSPF router that brings in routes from another domain (like an EIGRP domain)? It is the Autonomous System Boundary Router. In order to inform routers in different areas about the existence of this special router, the Type 4 LSA is used. This Summary LSA provides the router ID of the ASBR. So once again, the Area Border Router is responsible for shooting this information into the next area and we have another example of an inter-area LSA.

The External (Type 5) LSA

So the ASBR is the device that is bringing in prefixes from other routing domains. The Type 4 LSA describes this device. But what LSA is used for the actual prefixes that are coming in from the other domain? Yes, you guessed it, it is the Type 5 LSA. The OSPF ASBR creates these LSAs and they are sent to the Area Border Routers for dissemination into the other areas. Remember, this might change if we are using special area types.

The NSSA External (Type 7) LSA

Remember that in OSPF there is a VERY special area type called a Not So Stubby Area. This area can act as a stub, but it can also bring in external prefixes from an ASBR. You guessed it, these prefixes are sent as Type 7 LSAs. When an ABR gets these Type 7 LSAs, it sends them along into the other areas as Type 5 LSAs. So the Type 7 designation is just for that very special NSSA area functionality.

Other LSA Types

Are there other LSA types? You bet there are. But we do not often encounter these. For example, a Type 6 LSA is used for Multicast OSPF and that technology never really caught on, allowing Protocol Independent Multicast to win out.

I hope you enjoyed this recap of the very important LSA types we have in OSPF. This is all detailed and demonstrated further in my latest course on OSPF for CBT Nuggets. I hope you will consider a free week subscription and checking that out. It is garnering rave reviews.

Study with passion my friends!