Border Gateway Protocol (BGP) – Advertising NLRI is Complete!

June 21, 2018 at 2:59 pm

BGP

I have completed the final videos and quizzes for the latest module on BGP I am recording at CBT Nuggets. Here is a recap of the videos so far!

Border Gateway Protocol (BGP) – Basic Operations (Released Jan 2018)

https://www.cbtnuggets.com/it-training/border-gateway-protocol-basic

  1. An Overview of BGP
  2. BGP Message Types
  3. BGP Message Formats
  4. BGP Neighbor States
  5. BGP Path Attributes
  6. The Origin Attribute
  7. The AS_PATH Attribute
  8. The NEXT_HOP Attribute
  9. BGP Weight
  10. BGP Best Path Selection

Border Gateway Protocol (BGP) – Peerings (Released Feb 2018)

https://www.cbtnuggets.com/it-training/border-gateway-protocol-peerings

  1. eBGP Peerings
  2. Cisco eBGP Peering Example
  3. Juniper eBGP Peering Example
  4. iBGP Peerings
  5. Cisco iBGP Peering Example
  6. Juniper iBGP Peering Example
  7. eBGP Multihop
  8. Using BGP Authentication
  9. Misc. Neighbor Options

Border Gateway Protocol (BGP) – Advertising NLRI (Released June 2018)

https://www.cbtnuggets.com/it-training/border-gateway-protocol-advertising-nlri

  1. The Cisco Network Command
  2. Cisco Troubleshooting for NLRI Reachability
  3. Redistributing NLRI in Cisco BGP
  4. Cisco BGP RIB Failures
  5. BGP Synchronization
  6. Juniper NLRI Advertisement
  7. Static Routes with Multihoming
  8. Redistributing NLRI into IGPs
  9. Using iBGP with a Stub AS
  10. Advertising a Default Route
  11. BGP Aggregation

Border Gateway Protocol (BGP) – Cisco Routing Policy Mechanisms (Releasing July 2018)

  1. An Overview of BGP Routing Policy
  2. The BGP Decision Process
  3. A Routing Policy Example
  4. InQ and OutQ
  5. Cisco IOS BGP Processes
  6. Next Hop Tracker, Event, and the Open Processes
  7. Table Versions
  8. Clearing BGP Sessions
  9. Soft Reconfiguration
  10. Route Refresh

Manual Summarization with BGP on Cisco Routers

March 22, 2018 at 8:57 pm

BGP

One of the topics featured in my upcoming CBT Nuggets module, Border Gateway Protocol (BGP) – Advertising NLRI, is manual route summarization in BGP. This post (as well as more to follow) covers the highlights of the video coverage.

There are two methods of performing aggregation with BGP on a Cisco router. You can create a static route that represents the aggregate and then advertise that route using the network command. Or, you can use the aggregate-address command.

Here is an example of the static route approach:

router bgp 65100
 network 192.168.192.0 mask 255.255.248.0
 neighbor 192.168.1.220 remote-as 65200
!
ip classless
ip route 192.168.192.0 255.255.248.0 Null0

Notice how the static route points to the bit bucket (Null0). This is because the summary is not an actual network destination; it is an artificial construct that places the route in the routing table so the network command in BGP has something to match. The more specific entries in the routing table are covered by this advertised summary, and the router follows those entries for actual forwarding. Should all the more specific entries be removed, the static route causes traffic destined to the summary to be discarded (typically the desired behavior).

With the aggregate-address command approach, you ensure component routes of the summary exist in the BGP table (thanks to the network statement or redistribution), and the summary address is advertised via BGP. Here is an example:

router bgp 65100
 aggregate-address 192.168.192.0 255.255.248.0 summary-only
 redistribute eigrp 100
 neighbor 192.168.1.220 remote-as 65200

Note that if you forget the summary-only keyword with the aggregate-address command, you will advertise the summary as well as the specific routes. A future post will demonstrate when this approach might be useful.
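To make the two approaches concrete, here is an added illustration that is not Cisco IOS code and not part of the original post: the routing table (RIB) and the BGP table are simulated with Python's ipaddress module so you can check what the network command, the Null0 static route and aggregate-address (with and without summary-only) actually produce. The prefixes, next hops and the EIGRP-learned components are constructed sample values; only the 192.168.192.0/21 summary and the 192.168.1.220 neighbor come from the post.

```python
"""Simulation of the two BGP summarization methods described in the post.

Not Cisco IOS code: RIB and BGP table are modelled with ipaddress objects.
All prefixes and next hops other than the summary and the neighbour
address from the post are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# The summary from the post: 192.168.192.0 mask 255.255.248.0 == /21
SUMMARY = ip_network("192.168.192.0/21")

# Constructed sample: more specific routes learned from the IGP (EIGRP 100).
COMPONENTS = [
    ip_network("192.168.192.0/24"),
    ip_network("192.168.193.0/24"),
    ip_network("192.168.196.0/23"),
]


def longest_match(destination, rib):
    """Longest-prefix-match lookup in a RIB modelled as {prefix: next_hop}.
    Returns the next hop, or None when no route covers the destination."""
    addr = ip_address(destination)
    candidates = [p for p in rib if addr in p]
    if not candidates:
        return None
    return rib[max(candidates, key=lambda p: p.prefixlen)]


def advertise_with_network(summary, rib):
    """Method 1: the network command advertises a prefix only when the RIB
    holds it with exactly that mask, which is why the Null0 static is needed."""
    return [summary] if summary in rib else []


def advertise_with_aggregate_address(summary, bgp_table, summary_only):
    """Method 2: aggregate-address generates the summary as soon as at least
    one component route is present in the BGP table.  With summary-only the
    components are suppressed; without it both summary and components go out."""
    inside = [p for p in bgp_table if p.subnet_of(summary)]
    if not inside:
        return sorted(bgp_table)  # nothing to aggregate, no summary generated
    outside = [p for p in bgp_table if p not in inside]
    if summary_only:
        return sorted(outside + [summary])
    return sorted(outside + inside + [summary])


def rib_with_static_summary(components_present):
    """RIB of the router in the post: a constructed default route toward the
    eBGP neighbour, the Null0 static summary, and optionally the IGP components."""
    rib = {
        ip_network("0.0.0.0/0"): "192.168.1.220",  # constructed default route
        SUMMARY: "Null0",
    }
    if components_present:
        for component in COMPONENTS:
            rib[component] = "Ethernet0"  # constructed IGP next hop
    return rib


if __name__ == "__main__":
    rib = rib_with_static_summary(components_present=True)
    print("network command advertises:", advertise_with_network(SUMMARY, rib))
    print("192.168.193.5 ->", longest_match("192.168.193.5", rib))
    rib = rib_with_static_summary(components_present=False)
    print("components gone, 192.168.193.5 ->", longest_match("192.168.193.5", rib))
    print("summary-only:", advertise_with_aggregate_address(SUMMARY, COMPONENTS, True))
    print("no summary-only:", advertise_with_aggregate_address(SUMMARY, COMPONENTS, False))
```

The lookup with the components removed is the part worth noticing: because the Null0 static is a longer match than the default route, traffic for an unused part of the summary is discarded on this router instead of being sent back toward the neighbor that learned the summary from us.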

An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

Native VLAN

In many of our Cisco courses, we learn that networking best practices often point to the non-use of the Native VLAN. But why is this?

It turns out there are security vulnerabilities that could result from having a VLAN not tagged across your trunk links. For example, there is the VLAN hopping attack.

Here is how this attack could work:

Step 1: A bad person at a customer site wants to send frames into a VLAN that they are not part of.

Step 2: This person double tags the frame (Q-in-Q) with the outer tag matching the native VLAN in use at the provider edge switch.

Step 3: The provider edge switch strips off the outer tag (because it matches the native VLAN) and sends this frame across the trunk.

Step 4: The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly.

Notice this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Even still, this is obviously not something we want taking place.

What are possible solutions?

  • Use ISL trunks in the cloud – this becomes less and less possible as ISL trunks fade away.
  • Use a Native VLAN that is outside of the range permitted for the customer.
  • Tag the native VLAN in the cloud.
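The following is an added example, not part of the post: a monitor-side parser that flags the double-tagged frames from steps 1 and 2, plus a small model of what the edge trunk does with the outer tag so the last two mitigations in the list can be checked. The frame bytes are constructed samples; the ethertype values are the real 802.1Q and QinQ TPIDs.

```python
"""Detection and mitigation model for the native-VLAN double-tag case.

Added example, not from the post.  Frame bytes are constructed samples.
"""
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}  # 802.1Q, 802.1ad, legacy QinQ tag protocol ids


def parse_vlan_tags(frame):
    """Return (VLAN IDs outer->inner, payload ethertype) of an Ethernet II frame.
    Raises ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag/ethertype")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TPIDS:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VID
        offset += 4


def flag_double_tag(frame, native_vlan):
    """Rule for a sensor on the customer-facing port: two or more tags with the
    outer one equal to the trunk's native VLAN is the pattern from steps 1-2."""
    vids, _ = parse_vlan_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return "double-tag into native VLAN %d (inner %d)" % (vids[0], vids[1])
    if len(vids) >= 2:
        return "double-tag, outer %d is not native" % vids[0]
    return "ok"


def trunk_egress(vids, native_vlan, tag_native):
    """Step 3: the edge switch removes the outer tag when it equals the native
    VLAN and the native VLAN is sent untagged.  When the native VLAN is tagged
    on the trunk, the outer tag stays on the wire."""
    if vids and vids[0] == native_vlan and not tag_native:
        return vids[1:]
    return list(vids)


def downstream_vlan(vids, native_vlan):
    """Step 4: the next switch classifies the frame by the first tag it sees,
    or into its native VLAN when the frame arrives untagged."""
    return vids[0] if vids else native_vlan


# Constructed sample frames: broadcast dst, sample src, then the tag stack.
SAMPLE_DOUBLE = bytes.fromhex(
    "ffffffffffff 001122334455 8100 0001 8100 0014 0800 deadbeef".replace(" ", "")
)
SAMPLE_SINGLE = bytes.fromhex(
    "ffffffffffff 001122334455 8100 0014 0800 deadbeef".replace(" ", "")
)

if __name__ == "__main__":
    print(flag_double_tag(SAMPLE_DOUBLE, native_vlan=1))
    for native, tagged in ((1, False), (1, True), (999, False)):
        seen = downstream_vlan(trunk_egress([1, 20], native, tagged), native)
        print("native %d tagged=%s -> downstream classifies into VLAN %d" % (native, tagged, seen))
```

Run as a script it prints the three outcomes: with native VLAN 1 untagged the downstream switch lands the frame in VLAN 20, with the native VLAN tagged it stays in VLAN 1, and with a native VLAN outside the customer's range the outer tag is never stripped in the first place.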


IPv6 Quiz – Cisco Bias

January 16, 2018 at 7:49 pm

IPv6

This latest quiz is focused on IPv6 with a bias to Cisco Systems. These questions are what one could expect on a CCNP or CCIE exam across various tracks. Enjoy!


Rapid Spanning Tree Protocol (RSTP) 802.1w

December 29, 2017 at 8:10 am

rstp

Whether you are pursuing your CCNA, CCNP, CCIE, or many other Cisco Certifications, a deep knowledge of RSTP is critical. In this post, we will detail key facts for you regarding this Layer 2 loop prevention system.

  • 802.1w (RSTP) is an evolution of the classic 802.1D (STP) protocol
  • 802.1D tried to speed things up with the additions of UplinkFast, BackboneFast, and PortFast; the UplinkFast and BackboneFast features are now essentially built into RSTP, while PortFast is still a feature you enable in RSTP if desired
  • 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis
  • With 802.1D, once in the forwarding state, there is no way to tell from the port state whether the port is root or designated; RSTP decouples the role and the state of a port to address this issue
  • The 802.1D port states are Disabled, Blocking, Listening, Learning, Forwarding; in 802.1w these are simplified to Discarding, Learning, Forwarding
  • The port roles are expanded in 802.1w to include Backup and Alternate ports in addition to Root and Designated; these new port roles help implement the features of UplinkFast into the protocol natively
  • A Backup port receives more useful BPDUs from the same bridge it is on and is a blocked port
  • An Alternate port receives more useful BPDUs from another bridge and is a blocked port
  • RSTP now uses the six remaining bits of the flag byte to encode the role and state of the port that originates the BPDU and to handle the proposal/agreement mechanism
  • The RSTP BPDU is now of type 2, version 2; legacy bridges must drop this new BPDU; this makes it easy for an 802.1w bridge to detect legacy bridges connected to it
  • BPDUs are sent every hello-time, and not simply relayed anymore
  • BPDUs are now used as a keep-alive mechanism between bridges; a bridge considers that it loses connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row; this fast aging of the information allows quick failure detection
  • To natively support the BackboneFast type behavior, RSTP accepts inferior BPDUs; when a bridge receives inferior information from its designated or root bridge, it immediately accepts it and replaces the one previously stored; this permits fast acceptance of a new Root port in the topology
  • Rapid transition is the most important feature introduced by 802.1w; RSTP is able to actively confirm that a port can safely transition to the forwarding state without having to rely on any timer configuration; in order to achieve fast convergence on a port, the protocol relies upon two new variables: edge ports and link type
  • RSTP can only achieve a rapid transition to the forwarding state on edge ports and on point-to-point links; the link type is automatically derived from the duplex mode of a port
  • A proposal/agreement process in RSTP aids in very fast convergence
  • The topology change notification process is overhauled in order to also aid in faster convergence and improve efficiency
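As an added example (not from the post or from the Cisco document it cites), here is a decoder for the RSTP BPDU flag byte and a tracker for the three-missed-BPDU keep-alive rule from the list above. The bit layout is the one defined by 802.1w (bit 0 TC, bit 1 Proposal, bits 2-3 Port Role, bit 4 Learning, bit 5 Forwarding, bit 6 Agreement, bit 7 TCA); the BPDU byte strings are constructed samples.

```python
"""RSTP (802.1w) BPDU flag decoding and keep-alive tracking.

Added example, not from the post.  Sample BPDU bytes are constructed.
"""

# 802.1D only used bit 0 (TC) and bit 7 (TCA) of the flag byte;
# RSTP uses the remaining six bits for role, state and proposal/agreement.
ROLES = {0: "Unknown", 1: "Alternate/Backup", 2: "Root", 3: "Designated"}
MISSED_BPDU_LIMIT = 3  # neighbour is considered lost after three missed hellos


def decode_rstp_flags(flags):
    """Split the flag byte into the fields RSTP encodes in it."""
    learning = bool(flags & 0x10)
    forwarding = bool(flags & 0x20)
    if forwarding:
        state = "Forwarding"
    elif learning:
        state = "Learning"
    else:
        state = "Discarding"
    return {
        "tc": bool(flags & 0x01),
        "proposal": bool(flags & 0x02),
        "role": ROLES[(flags >> 2) & 0x03],
        "state": state,
        "agreement": bool(flags & 0x40),
        "tca": bool(flags & 0x80),
    }


def parse_bpdu(data):
    """Read the leading BPDU fields: protocol id (2 bytes), version (1),
    type (1), flags (1).  Returns ('rstp', decoded flags) for version 2 /
    type 2, or ('legacy', None) for an 802.1D configuration BPDU, which is
    how an 802.1w bridge notices a legacy neighbour on a port."""
    if len(data) < 5:
        raise ValueError("truncated BPDU")
    proto_id = int.from_bytes(data[0:2], "big")
    version, bpdu_type, flags = data[2], data[3], data[4]
    if proto_id != 0:
        raise ValueError("not a spanning tree BPDU")
    if version == 2 and bpdu_type == 2:
        return "rstp", decode_rstp_flags(flags)
    if version == 0 and bpdu_type == 0:
        return "legacy", None
    raise ValueError("unsupported BPDU version/type")


class NeighborWatch:
    """Keep-alive bookkeeping for one port: the neighbour is treated as gone
    after three consecutive hello intervals without a BPDU, and a single
    received BPDU resets the count."""

    def __init__(self):
        self.missed = 0

    def hello_interval(self, bpdu_received):
        """Call once per hello-time; returns True while the neighbour is alive."""
        if bpdu_received:
            self.missed = 0
        else:
            self.missed += 1
        return self.missed < MISSED_BPDU_LIMIT


# Constructed samples: protocol id 0, version 2, type 2, then the flag byte.
SAMPLE_RSTP_PROPOSAL = bytes([0x00, 0x00, 0x02, 0x02, 0x0E])   # designated, discarding, proposal
SAMPLE_RSTP_AGREEMENT = bytes([0x00, 0x00, 0x02, 0x02, 0x78])  # root, forwarding, agreement
SAMPLE_LEGACY = bytes([0x00, 0x00, 0x00, 0x00, 0x00])          # 802.1D config BPDU

if __name__ == "__main__":
    for sample in (SAMPLE_RSTP_PROPOSAL, SAMPLE_RSTP_AGREEMENT, SAMPLE_LEGACY):
        print(parse_bpdu(sample))
    watch = NeighborWatch()
    print([watch.hello_interval(False) for _ in range(3)])
```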

For more details on the new features summarized here, check out Understanding Rapid Spanning Tree Protocol (802.1w). This document often forms the basis for plenty of RSTP-related written exam questions from CCENT to CCIE. Note that my summary here covers most of those questions for you, however!


An Overview of Intermediate System to Intermediate System (IS-IS)

June 20, 2016 at 11:41 pm

Intermediate System

Introducing IS-IS

Poor Intermediate System to Intermediate System (IS-IS). Open Shortest Path First (OSPF) gets all the love, and this competing Interior Gateway Protocol (IGP) is often little understood by engineers in networks today. This post will solve that for many of you, or perhaps act as a refresher if it has been a long time since you have thought about this impressive protocol.

It is not all bad news for IS-IS by the way. Part of a recent resurgence of interest has been caused by it being used as the basis for some other exciting technologies. The best example of this is Transparent Interconnection of Lots of Links (TRILL) or as Cisco calls their version, FabricPath. This layer 2 technology serves as a replacement for Spanning Tree Protocol (STP) and features the use of IS-IS as its intelligence for things like path selection and convergence. Users of TRILL are shielded from IS-IS configuration, but certainly an understanding of the protocol aids in troubleshooting and a deeper understanding.

IS-IS versus OSPF

There was a battle royal for market share when it came to the wonderful world of Interior Gateway Protocols. There were plenty that thought OSPF should rule, while others thought IS-IS. As you know, OSPF really won the battle, but it is interesting to note that many large service providers still use IS-IS today in their internal networks. Those that still love it point to how easy it can be to design and tune large networks with it.

As this post will examine in a moment, there are probably many more similarities between OSPF and IS-IS than there are differences. In fact, both use the same Dijkstra’s Shortest Path First algorithm in order to calculate best paths!

Perhaps the most shocking detail of IS-IS is the fact that it was not even developed for the routing of Internet Protocol (IP) traffic! The International Organization for Standardization (ISO) developed IS-IS for the routing of their own Connectionless Network Protocol (CLNP). In fact, at the time, many thought that IP and OSPF would be short interim solutions with CLNP and IS-IS taking over long term. Of course, IP won out, and IS-IS was quickly and easily tweaked in order to function perfectly with IP.

Integrated IS-IS

This new and improved version of IS-IS that we use today is officially referred to as Integrated IS-IS. Some use the less formal dual IS-IS when describing it. No matter what you call it – it does rock. You create your autonomous system of intermediate systems (routers) to connect end systems (workstations) that are sending and receiving packets. You typically divide your AS into smaller groups called areas. The area structure is more flexible than OSPF. You have Level 1 routers that route within an area and Level 2 systems that route between areas. If you need a device to fulfil both functions (think an ABR in OSPF), then you have what is called a Level 1/2 router.

IS-IS and OSPF

So you think the two competing IGPs might be similar? They are – just check this out:

  • Both maintain link state databases in order to function
  • Both use Dijkstra’s Shortest Path First algorithm
  • Both use Hello packets to establish and maintain adjacencies
  • Both use a two level hierarchy
  • Both provide for address summarization between areas
  • Both use the concept of a designated router
  • Both are typically implemented with authentication in order to add security

Are you fired up to learn more about IS-IS? I hope so. I am releasing a new course this month at CBT Nuggets that will teach you even more!

Study with my passion my friends!

OSPF LSA Types and Areas

June 19, 2016 at 3:58 pm


An Overview of OSPF LSA Types and Areas

In the previous post on OSPF found here, we discussed the various OSPF LSA types. Here is a quick recap of what those were:

  • Router (Type 1)
  • Network (Type 2)
  • Summary (Type 3)
  • ASBR Summary (Type 4)
  • External (Type 5)
  • NSSA External (Type 7)

If you are even slightly fuzzy on what these different LSAs are used for in OSPF, please quickly go over that previous post.

The purpose of this post is for us to discuss how these LSAs are impacted by a multi-area design, especially one that might include special areas. What is wonderful about this exercise is that it allows us to review what these special areas are for, and gives us a richer understanding of exactly how they function. Of course, this comes from the automatic filtering of certain LSAs from certain areas.

OSPF LSAs and Standard Areas

Think about an area 0.0.0.1 attached to the backbone area of 0.0.0.0. There are Type 1 LSAs flooding in this area 0.0.0.1. If we have broadcast segments, we also have Type 2 LSAs circulating in the area. The Area Border Router is sending LSA Type 3s into the backbone to summarize the prefix information in area 0.0.0.1. It is also taking in this information from the backbone for other areas that might exist. If there is an ASBR out there in the domain somewhere, our area 0.0.0.1 will receive Type 4 and Type 5 LSAs in order to know the location of this ASBR and the prefixes it is sharing with us. Whew! That is a lot going on. This is precisely why we have the special area types!

OSPF LSAs and the Stub Area

What is it that we want to accomplish with a stub area? We do not want to hear about those prefixes that are external to our OSPF domain. Remember what those were? Sure, they are the Type 5 LSAs. In fact, we do not even want to hear about those Type 4 LSAs that are used to call out the ASBR in the network. So the stub area is chock full of Type 1, Type 2, and Type 3 LSAs. In fact, how would this area get to one of those external prefixes when it needs to? We typically use a very special Type 3 LSA for this. This LSA represents the default route (0.0.0.0/0). It is this handy little route that allows devices in this area to get to all of those externals, in fact, to get to any prefix not specifically defined in the Routing Information Base.

OSPF LSAs and the Totally Stubby Area

Ok, with this area we want very little inside it, right? Sure. So it makes sense that we are blocking those Type 4 and Type 5 LSAs once again, but now we are even blocking the Type 3 LSAs that describe prefix information from other areas WITHIN our OSPF domain. There needs to be one big exception, however. We need a Type 3 LSA for a default route so we can actually get to other prefixes in or out of our domain.

OSPF LSAs and the Not So Stubby Area and the Totally Not So Stubby Area

Remember, the Not So Stubby Area needs to have those Type 7 LSAs. These Type 7 LSAs permit the proliferation of those external prefixes that are entering your OSPF domain thanks to this NSSA area you created. Obviously this area also has the Type 1, Type 2, and Type 3 inside it. Type 4 and Type 5 will be blocked from entering this area as you would expect. In both Juniper and Cisco environments, you can also create a Totally Not So Stubby Area by restricting Type 3s from this area.
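To tie the last four sections together, here is an added example that is not part of the post: a model of what an ABR lets into each area type, the default Type 3 it originates in place of what it blocks, and how an NSSA's Type 7 externals leave the area. LSAs are (type, prefix) tuples with constructed sample prefixes. Two details go beyond what the post states and are included as ABR behaviour I am certain of: the ABR translates Type 7 into Type 5 on the way to the backbone, and a Cisco ABR (area ... nssa no-summary) also injects the default Type 3 into a totally NSSA.

```python
"""Which OSPF LSA types flow into and out of each area type.

Added example, not from the post.  Prefixes are constructed samples.
"""

# LSA types the ABR blocks from entering each area type.
BLOCKED_AT_ABR = {
    "standard": frozenset(),
    "stub": frozenset({4, 5}),
    "totally-stubby": frozenset({3, 4, 5}),
    "nssa": frozenset({4, 5}),
    "totally-nssa": frozenset({3, 4, 5}),
}
# Area types into which the ABR originates a default route as a Type 3 LSA
# (totally-nssa is the Cisco "area ... nssa no-summary" behaviour).
DEFAULT_INJECTED = {"stub", "totally-stubby", "totally-nssa"}
DEFAULT_ROUTE = (3, "0.0.0.0/0")
NSSA_TYPES = ("nssa", "totally-nssa")


def lsas_entering_area(area_type, domain_lsas):
    """LSAs the ABR floods from the backbone into an area of the given type,
    followed by the default Type 3 where the area type calls for one."""
    blocked = BLOCKED_AT_ABR[area_type]
    allowed = [lsa for lsa in domain_lsas if lsa[0] not in blocked]
    if area_type in DEFAULT_INJECTED:
        allowed.append(DEFAULT_ROUTE)
    return allowed


def lsas_originated_in_area(area_type, intra_area, redistributed):
    """LSAs routers inside the area originate: Type 1 for every intra-area
    prefix, Type 2 for those on broadcast segments, and Type 7 for externals
    an ASBR redistributes into an NSSA.  Stub and totally stubby areas cannot
    carry redistributed externals at all."""
    lsas = [(1, prefix) for prefix, _ in intra_area]
    lsas += [(2, prefix) for prefix, broadcast in intra_area if broadcast]
    if redistributed:
        if area_type not in NSSA_TYPES:
            raise ValueError("%s area cannot carry redistributed externals" % area_type)
        lsas += [(7, prefix) for prefix in redistributed]
    return lsas


def lsas_leaving_area(area_lsas):
    """What the ABR sends toward the backbone: intra-area prefixes become
    Type 3 summaries and NSSA Type 7 externals are translated to Type 5."""
    out = set()
    for lsa_type, prefix in area_lsas:
        if lsa_type in (1, 2):
            out.add((3, prefix))
        elif lsa_type == 7:
            out.add((5, prefix))
    return sorted(out)


# Constructed sample of what is circulating in the backbone.
DOMAIN_LSAS = [
    (3, "10.0.1.0/24"),
    (3, "10.0.2.0/24"),
    (4, "ASBR 192.0.2.1"),
    (5, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for area in BLOCKED_AT_ABR:
        print("%-15s gets %s" % (area, lsas_entering_area(area, DOMAIN_LSAS)))
    inside = lsas_originated_in_area("nssa", [("10.9.0.0/24", True)], ["198.51.100.0/24"])
    print("NSSA originates", inside)
    print("ABR exports    ", lsas_leaving_area(inside))
```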

I hope you enjoyed these last two posts on OSPF LSAs. If you still feel like you need help with this, be sure to check out my full course at CBT Nuggets.


Whatever you do, study with passion my friend!