Border Gateway Protocol (BGP) – Advertising NLRI is Complete!

June 21, 2018 at 2:59 pm


I have completed the final videos and quizzes for the latest module on BGP I am recording at CBT Nuggets. Here is a recap of the videos so far!

Border Gateway Protocol (BGP) – Basic Operations (Released Jan 2018)

  1. An Overview of BGP
  2. BGP Message Types
  3. BGP Message Formats
  4. BGP Neighbor States
  5. BGP Path Attributes
  6. The Origin Attribute
  7. The AS_PATH Attribute
  8. The NEXT_HOP Attribute
  9. BGP Weight
  10. BGP Best Path Selection

Border Gateway Protocol (BGP) – Peerings (Released Feb 2018)

  1. eBGP Peerings
  2. Cisco eBGP Peering Example
  3. Juniper eBGP Peering Example
  4. iBGP Peerings
  5. Cisco iBGP Peering Example
  6. Juniper iBGP Peering Example
  7. eBGP Multihop
  8. Using BGP Authentication
  9. Misc. Neighbor Options

Border Gateway Protocol (BGP) – Advertising NLRI (Released June 2018)

  1. The Cisco Network Command
  2. Cisco Troubleshooting for NLRI Reachability
  3. Redistributing NLRI in Cisco BGP
  4. Cisco BGP RIB Failures
  5. BGP Synchronization
  6. Juniper NLRI Advertisement
  7. Static Routes with Multihoming
  8. Redistributing NLRI into IGPs
  9. Using iBGP with a Stub AS
  10. Advertising a Default Route
  11. BGP Aggregation

Border Gateway Protocol (BGP) – Cisco Routing Policy Mechanisms (Releasing July 2018)

  1. An Overview of BGP Routing Policy
  2. The BGP Decision Process
  3. A Routing Policy Example
  4. InQ and OutQ
  5. Cisco IOS BGP Processes
  6. Next Hop Tracker, Event, and the Open Processes
  7. Table Versions
  8. Clearing BGP Sessions
  9. Soft Reconfiguration
  10. Route Refresh

Manual Summarization with BGP on Cisco Routers

March 22, 2018 at 8:57 pm


One of the topics that will be featured in my upcoming CBT Nuggets module, Border Gateway Protocol (BGP) – Advertising NLRI, manual route summarization in BGP. This post serves (as well as more to follow) cover the highlights of the video coverage.

There are two methods of performing aggregation with BGP on a Cisco router. You can create a static route that represents the aggregate and then advertise that route using the network command. Or, you can use the aggregate-address command.

Here is an example of the static route approach:

router bgp 65100
   network mask
   neighbor remote-as 65200
ip classless
ip route Null0

Notice how the static route directs to the bit bucket (Null0). This is because it is not an actual network destination. It is an artificial construct to permit the route in the routing table so we can use the network command in BGP. There will be more specific entries in the routing table covered by this advertised summary and the router can follow those instructions. Should all the more specific entries be removed, then the static route has traffic discarded for the summary (this is the desired behavior, typically).

With the aggregate-address command approach, you ensure component routes of the summary exist in the BGP table (thanks to the network statement or redistribution), and the summary address is advertised via BGP. Here is an example:

router bgp 65100
 aggregate-address summary-only
 redistribute eigrp 100
 neighbor remote-as 65200

Note that if you forget the summary-only keyword with the aggregate-address command, you will advertise the summary as well as the specific routes. A future post will demonstrate when this approach might be useful.

An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

Native VLAN

In many of our Cisco courses, we learn that networking best practices often point to the non-use of the Native VLAN. But why is this?

It turns out there are security vulnerabilities that could result from having a VLAN not tagged across your trunk links. For example, there is the VLAN hopping attack.

Here is how this attack could work:

Step 1: A bad person at a customer site wants to send frames into a VLAN that they are not part of.

Step 2: This person double tags the frame (Q-in-Q) with the outer frame matching the native VLAN in use at the provider edge switch.

Step 3: The provider edge switch strips off the outer tag (because it matches the native VLAN), and send this frame across the trunk.

Step 4: The next switch in the path examines the frame and reads the inner VLAN tag and forwards the frame accordingly.

Notice this attack is unidirectional. The attacker can send traffic into the VLAN, but traffic will not return. Even still, this is obviously not something we want taking place.

What are possible solutions?

  • Use ISL trunks in the cloud – this becomes less and less possible as ISL trunks fade away.
  • Use a Native VLAN that is outside of the range permitted for the customer.
  • Tag the native VLAN in the cloud.


IPv6 Quiz – Cisco Bias

January 16, 2018 at 7:49 pm


This latest quiz is focused on IPv6 with a bias to Cisco Systems. These questions are what one could expect on a CCNP or CCIE exam across various tracks. Enjoy!

IPv6 Quiz - Cisco Bias

Congratulations - you have completed IPv6 Quiz - Cisco Bias. You scored %%SCORE%% out of %%TOTAL%%. Your performance has been rated as %%RATING%%
Your answers are highlighted below.
Shaded items are complete.

Rapid Spanning Tree Protocol (RSTP) 802.1w

December 29, 2017 at 8:10 am


Whether you are pursuing your CCNA, CCNP, CCIE, or many other Cisco Certifications, a deep knowledge of RSTP is critical. In this post, we will detail key facts for you regarding this Layer 2 loop prevention system.

  • 802.1w (RSTP) is an evolution of the classic 802.1D (STP) protocol
  • 802.1D tried to speed things up with the additions of UplinkFast, BackboneFast, and PortFast; the UplinkFast and BackboneFast features are now essentially built into RSTP, while PortFast is still a feature you enable in RSTP if desired
  • 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis
  • With 802.1D, once in the forwarding state, there is no way to tell from the port state whether the port is root or designated; RSTP decouples the role and the state of a port to address this issue
  • The 802.1D port states are Disabled, Blocking, Listening, Learning, Forwarding; in 802.1w these are simplified to Discarding, Learning, Forwarding
  • The port roles are expanded in 802.1w to include Backup and Alternate ports in addition to Root and Designated; these new port roles help implement the features of UplinkFast into the protocol natively
  • A Backup port receives more useful BPDUs from the same bridge it is on and is a port blocked
  • An Alternate port receives more useful BPDUs from another bridge and is a port blocked
  • RSTP now uses all six bits of the flag byte that remain in order to perform – encoding the role and state of the port that originates the BPDU and handling the proposal/agreement mechanism
  • The RSTP BPDU is now of type 2, version 2; legacy bridges must drop this new BPDU; this makes it easy for an 802.1w bridge to detect legacy bridges connected to it
  • BPDUs are sent every hello-time, and not simply relayed anymore’
  • BPDUs are now used as a keep-alive mechanism between bridges; a bridge considers that it loses connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row; this fast aging of the information allows quick failure detection
  • To natively support the BackboneFast type behavior, RSTP accepts inferior BPDUs; when a bridge receives inferior information from its designated or root bridge, it immediately accepts it and replaces the one previously stored; this permits fast acceptance of a new Root port in the topology
  • Rapid transition is the most important feature introduced by 802.1w; RSTP is able to actively confirm that a port can safely transition to the forwarding state without having to rely on any timer configuration; in order to achieve fast convergence on a port, the protocol relies upon two new variables: edge ports and link type
  • RSTP can only achieve a rapid transition to the forwarding state on edge ports and on point-to-point links; the link type is automatically derived from the duplex mode of a port
  • A proposal/agreement process in RSTP aids in very convergence
  • The topology change notification process is overhauled in order to also aid in faster convergence and improve efficiency

For more details on these new features summarized here – check out Understanding Rapid Spanning Tree Protocol (802.1w) This document often forms the basis for plenty of RSTP-related written exam questions from CCENT to CCIE. Note that my summary document here covers most of those questions for you, however!