Route Preference
Prefix Length - The longest-matching route is preferred first.
Administrative Distance - If there are multiple routes to a destination with the same prefix length, the route learned by the protocol with the lowest administrative distance is preferred.
Metric - If there are multiple routes learned by the same protocol with the same prefix length, the route with the lowest metric is preferred.
If two or more of these routes also have equal metrics, traffic is load-balanced across those paths.
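The three rules above applied in order, as an added Python example (not code from the page): the routing table, the protocol names and the administrative-distance values are constructed for this example, using the Cisco IOS defaults for AD.

```python
import ipaddress

# Cisco IOS default administrative distances for the protocols in the sample table
ADMIN_DISTANCE = {
    "connected": 0,
    "static": 1,
    "eigrp": 90,
    "ospf": 110,
    "rip": 120,
}

# Constructed routing-table candidates: (prefix, protocol, metric, next_hop)
SAMPLE_ROUTES = [
    ("10.0.0.0/8",   "rip",    2,    "192.0.2.1"),
    ("10.1.0.0/16",  "ospf",   20,   "192.0.2.2"),
    ("10.1.0.0/16",  "eigrp",  5000, "192.0.2.3"),
    ("10.1.0.0/16",  "eigrp",  3000, "192.0.2.4"),
    ("10.1.0.0/16",  "eigrp",  3000, "192.0.2.5"),
    ("10.1.2.0/24",  "static", 0,    "192.0.2.6"),
    ("0.0.0.0/0",    "static", 0,    "192.0.2.7"),
]


def best_routes(destination, routes):
    """Return the next hops a router would use for `destination`, applying the
    preference rules in order: longest prefix, then lowest administrative
    distance, then lowest metric. More than one next hop is returned only when
    routes tie on all three (equal-cost load balancing)."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not matching:
        return []
    # Rule 1: the longest prefix length wins
    longest = max(ipaddress.ip_network(r[0]).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.ip_network(r[0]).prefixlen == longest]
    # Rule 2: among equal prefix lengths, the lowest administrative distance wins
    lowest_ad = min(ADMIN_DISTANCE[r[1]] for r in matching)
    matching = [r for r in matching if ADMIN_DISTANCE[r[1]] == lowest_ad]
    # Rule 3: among routes from that protocol, the lowest metric wins; ties are load-balanced
    lowest_metric = min(r[2] for r in matching)
    return sorted(r[3] for r in matching if r[2] == lowest_metric)


if __name__ == "__main__":
    for dst in ("10.1.2.5", "10.1.3.5", "10.9.9.9", "203.0.113.1"):
        print(dst, "->", best_routes(dst, SAMPLE_ROUTES))
```

10.1.3.5 is the interesting case: the /16 beats the /8, EIGRP (AD 90) beats OSPF (AD 110) even though OSPF has the smaller metric, and the two EIGRP routes with metric 3000 are both installed.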
The EIGRP protocol number is 88, and it uses 224.0.0.10 as its multicast address.
Cisco IOS based Router
An ACL is processed as an ordered sequence of rules, but it filters traffic only up to the transport layer.
A Cisco IOS based router can perform stateful inspection of traffic, and so act as a firewall, by two methods.
Context-Based Access Control (CBAC):
The router maintains a state table in which active sessions are kept in memory. When a device inside the network initiates a session, a dynamic entry is added to the state table and the outbound traffic is allowed to pass through the router (IOS based firewall).
Using this entry, the reply to that outbound traffic is allowed back through the router (IOS based firewall), because there is an entry for the traffic that was initiated from inside the network.
In effect, CBAC temporarily opens holes in the access list applied to inbound traffic so that the reply packets are allowed.
This is how the router is made to perform stateful inspection of traffic.
CBAC also examines the rate at which connections are being established, which lets it detect attacks such as DoS attacks, TCP SYN attacks, etc. Based on this, the CBAC mechanism can cause a connection to be re-established or drop the malicious packets.
It does not inspect encrypted packets, such as IPsec traffic.
Zone-based firewall
A zone-based firewall is a more advanced form of stateful firewall.
Steps:
1) Create zones and assign interfaces to them.
2) Create a class-map to identify a type of traffic, say ICMP.
3) Create a policy-map and assign the class-map to it to define what action must be taken on that traffic.
The action can be inspect, drop or pass.
A zone-pair is configured for one direction only. Policies are defined in which the traffic is first identified (what type of traffic) and then the action to take on it (inspect, drop, pass) is set. The policy is then applied to a zone-pair.
NOTE: Evasion tactics such as port hopping and tunneling inside another protocol can bypass a legacy firewall, because it has no application-inspection capability.
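The state-table behaviour described for CBAC and the zone/class-map/policy steps above, as one added Python model (not the page's configuration and not Cisco code): interfaces are assigned to zones, a zone-pair carries a policy of (class-map, action) rules, and the inspect action records the flow so that only its reply is let back in. The interface names, zone names, addresses and ports are constructed; the packet is assumed to already carry the outgoing interface chosen by routing, and the stateless pass action is contrasted with inspect.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str   # chosen by routing before the zone policy is applied
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for icmp
    dst: str
    dport: int       # 0 for icmp


class ZoneFirewall:
    """Minimal zone-based stateful firewall: the zone-pair (source zone, destination
    zone) selects a policy; 'inspect' records the session in the state table,
    'pass' forwards statelessly, 'drop' discards, and anything unmatched is dropped."""

    def __init__(self, zone_of_iface, zone_pair_policies):
        self.zone_of_iface = zone_of_iface       # {"Fa0/0": "inside", ...}
        self.policies = zone_pair_policies       # {(src_zone, dst_zone): [(class_map, action), ...]}
        self.sessions = set()                    # state table: 5-tuples of inspected flows

    def forward(self, pkt):
        src_zone = self.zone_of_iface[pkt.in_iface]
        dst_zone = self.zone_of_iface[pkt.out_iface]
        if src_zone == dst_zone:
            return "pass"                        # traffic within one zone is not policed
        # Is this the reply to a flow that was inspected in the opposite direction?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "pass (session)"
        for class_map, action in self.policies.get((src_zone, dst_zone), []):
            if class_map(pkt):
                if action == "inspect":          # dynamic entry that opens the return path
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return action
        return "drop"                            # no zone-pair policy, or no class matched


def firewall_demo():
    """Six constructed packets through an inside->outside policy: web traffic is
    inspected, ICMP is passed statelessly, everything else is dropped."""
    zones = {"Fa0/0": "inside", "Fa0/1": "outside"}
    web_class = lambda p: p.proto == "tcp" and p.dport in (80, 443)
    icmp_class = lambda p: p.proto == "icmp"
    policies = {("inside", "outside"): [(web_class, "inspect"), (icmp_class, "pass")]}
    fw = ZoneFirewall(zones, policies)
    return [
        # 1. inside client opens HTTPS to an outside server: inspected, session recorded
        fw.forward(Packet("Fa0/0", "Fa0/1", "tcp", "10.0.0.5", 40000, "198.51.100.10", 443)),
        # 2. the server's reply is allowed because it matches the recorded session
        fw.forward(Packet("Fa0/1", "Fa0/0", "tcp", "198.51.100.10", 443, "10.0.0.5", 40000)),
        # 3. unsolicited inbound SMB: no session and no outside->inside policy, so dropped
        fw.forward(Packet("Fa0/1", "Fa0/0", "tcp", "203.0.113.9", 51000, "10.0.0.5", 445)),
        # 4. outbound ping: 'pass' is stateless, so no session entry is created ...
        fw.forward(Packet("Fa0/0", "Fa0/1", "icmp", "10.0.0.5", 0, "198.51.100.10", 0)),
        # 5. ... and the echo reply is dropped, unlike the inspected HTTPS reply
        fw.forward(Packet("Fa0/1", "Fa0/0", "icmp", "198.51.100.10", 0, "10.0.0.5", 0)),
        # 6. outbound telnet matches no class in the policy, so it is dropped
        fw.forward(Packet("Fa0/0", "Fa0/1", "tcp", "10.0.0.5", 40001, "198.51.100.10", 23)),
    ]


if __name__ == "__main__":
    for i, decision in enumerate(firewall_demo(), 1):
        print(i, decision)
```

Packets 4 and 5 show why the action matters: pass lets the request out but leaves no state, so the reply hits the implicit drop; inspect is what makes the router stateful.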
Cisco ASR and ISR routers
ASR routers are aimed at enterprises and service providers, and hence offer more features and higher performance than ISR routers.
ISR routers are aimed at customers with small or medium-sized networks.
Control Plane & Data Plane Traffic
Control plane: traffic either sourced from the device or destined to the device.
Data plane: traffic passing through the device.
Firewalls do not support advanced routing features such as reverse path forwarding, multicast, the advanced features of BGP, MPLS traffic engineering and advanced QoS.
Network Latency
1) Ping the destination server IP from the gateway to confirm whether there is a latency issue in the LAN.
2) Run tracert/traceroute from source to destination and check where along the path the latency appears.
3) Check that the router's RAM and CPU utilization are within acceptable limits.
4) Check whether a router interface is over-utilized.
5) Request a bandwidth utilization report for the circuit, and for the PE router, from the ISP.
How does Cisco ACI differ from other SDN controllers?
An open SDN architecture separates the control plane and the data plane: the control plane resides on the central controller and the data plane resides on the switches.
If the switches lose their connection to the controller, they can no longer set up new connections or apply traffic policies.
In the Cisco ACI architecture the APIC is not the control plane; the switches still hold both the control plane and the data plane, and can keep functioning properly if the controller is down.
MHSRP (Multiple HSRP)
HSRP provides redundancy through an "active/standby" model, but the drawback is that the standby router does not process any traffic as long as the active router is available.
In simple words: redundancy, but no load sharing.
To make optimal use of the network infrastructure we want both routers to process traffic.
The default priority of an HSRP router is 100.
Load sharing can then be done on the basis of subnets:
10.0.0.0/24 --> R1 is active & R2 is standby
192.168.0.0/24 --> R2 is active & R1 is standby
HSRP has to be configured on the router interface connected to the switch.
HSRP can also be configured on a VLAN interface of an L3 switch.
The preempt command ensures that the router with the higher priority takes the active role when both routers are up.
Now let R1 and R2 be two routers, each with connectivity to the same or a different Internet router.
R1 Configuration
interface FastEthernet1/0.10
 ip address 10.0.0.10 255.255.255.0
 standby 10 ip 10.0.0.1
 standby 10 priority 101 --> sets R1 as primary (active) for group 10
 standby 10 preempt
 standby 10 preempt delay minimum 60
 standby 10 track Ethernet0/0 60 --> lower the priority by 60 if Ethernet0/0 goes down
interface FastEthernet1/0.20
 ip address 192.168.0.10 255.255.255.0
 standby 20 ip 192.168.0.1
 standby 20 priority 95 --> sets R1 as secondary (standby) for group 20
 standby 20 preempt
 standby 20 preempt delay minimum 60 --> wait 60 s after coming up so that an already-active HSRP neighbour is detected before taking the active role
 standby 20 track Ethernet0/0 60
--------------------------------------------------------------------------------------------------
R2 Configuration
interface FastEthernet1/0.10
 ip address 10.0.0.11 255.255.255.0
 standby 10 ip 10.0.0.1
 standby 10 preempt
 standby 10 preempt delay minimum 60
 standby 10 track Ethernet0/0 60
interface FastEthernet1/0.20
 ip address 192.168.0.11 255.255.255.0
 standby 20 ip 192.168.0.1
 standby 20 preempt
 standby 20 preempt delay minimum 60
 standby 20 track Ethernet0/0 60
Now consider the case in which you want to do load sharing within the same subnet.
In this case we set default gateway 10.0.0.1 on the hosts for which we want R1 as active,
and default gateway 10.0.0.2 on the hosts for which we want R2 as active.
R1
interface FastEthernet1/0.10
 ip address 10.0.0.10 255.255.255.0
 standby 10 ip 10.0.0.1
 standby 20 ip 10.0.0.2
 standby 10 priority 101 --> sets R1 as primary (active) for group 10
 standby 10 preempt
 standby 20 preempt
 standby 10 preempt delay minimum 60
-----------------------------------------------------------------------------------------------------
R2
interface FastEthernet1/0.10
 ip address 10.0.0.11 255.255.255.0
 standby 10 ip 10.0.0.1
 standby 20 ip 10.0.0.2
 standby 20 priority 101 --> sets R2 as primary (active) for group 20
 standby 10 preempt
 standby 20 preempt
 standby 10 preempt delay minimum 60
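The election behaviour behind the two-subnet configuration above (priority, preempt and interface tracking), as an added Python model that is not part of the page and not Cisco code. It assumes the standard HSRP rules that the highest priority wins and a tie goes to the higher interface IP address; the tracked-interface states are a constructed dict keyed "router:interface", and the preempt delay timers are not modelled.

```python
class HsrpMember:
    """One router's membership in one HSRP group (one interface's 'standby N' lines)."""

    def __init__(self, router, ip, iface_up, priority=100, preempt=False,
                 track_iface=None, decrement=10):
        self.router = router
        self.ip = ip
        self.iface_up = iface_up          # shared dict: "router:interface" -> up?
        self.base_priority = priority     # 'standby N priority P' (default 100)
        self.preempt = preempt            # 'standby N preempt'
        self.track_iface = track_iface    # 'standby N track IFACE DECREMENT'
        self.decrement = decrement
        self.alive = True                 # False while the router itself is down

    def priority(self):
        if self.track_iface and not self.iface_up.get(self.track_iface, True):
            return self.base_priority - self.decrement
        return self.base_priority

    def rank(self):
        # higher priority wins; a tie is broken by the higher interface IP address
        return (self.priority(), tuple(int(o) for o in self.ip.split(".")))


class HsrpGroup:
    def __init__(self, group, virtual_ip, members):
        self.group = group
        self.virtual_ip = virtual_ip
        self.members = members
        self.active = None
        self.run_election()

    def run_election(self):
        """Recompute the active router after an event (router or tracked interface up/down)."""
        alive = [m for m in self.members if m.alive]
        if not alive:
            self.active = None
            return None
        best = max(alive, key=HsrpMember.rank)
        if self.active is None or not self.active.alive:
            self.active = best            # no active router: the best candidate takes over
        elif best is not self.active and best.preempt and best.rank() > self.active.rank():
            self.active = best            # preemption by a higher-priority router
        return self.active.router

    def active_name(self):
        return self.active.router if self.active else None


def hsrp_demo():
    """Replays the two-subnet design: R1 preferred for group 10 (priority 101),
    R2 preferred for group 20 (R1 has priority 95 there), both tracking Ethernet0/0 with decrement 60."""
    iface_up = {"R1:Ethernet0/0": True, "R2:Ethernet0/0": True}
    r1_g10 = HsrpMember("R1", "10.0.0.10", iface_up, 101, True, "R1:Ethernet0/0", 60)
    r2_g10 = HsrpMember("R2", "10.0.0.11", iface_up, 100, True, "R2:Ethernet0/0", 60)
    r1_g20 = HsrpMember("R1", "192.168.0.10", iface_up, 95, True, "R1:Ethernet0/0", 60)
    r2_g20 = HsrpMember("R2", "192.168.0.11", iface_up, 100, True, "R2:Ethernet0/0", 60)
    g10 = HsrpGroup(10, "10.0.0.1", [r1_g10, r2_g10])
    g20 = HsrpGroup(20, "192.168.0.1", [r1_g20, r2_g20])

    def snapshot(event):
        g10.run_election()
        g20.run_election()
        return (event, g10.active_name(), g20.active_name())

    log = [snapshot("initial")]
    iface_up["R1:Ethernet0/0"] = False        # tracked interface fails: R1 drops to 101 - 60 = 41
    log.append(snapshot("R1 Ethernet0/0 down"))
    iface_up["R1:Ethernet0/0"] = True         # interface recovers: R1 preempts group 10 again
    log.append(snapshot("R1 Ethernet0/0 restored"))
    r1_g10.alive = r1_g20.alive = False       # the whole router R1 fails
    log.append(snapshot("R1 down"))
    r1_g10.alive = r1_g20.alive = True        # R1 returns and preempts group 10
    log.append(snapshot("R1 back up"))
    return log


def no_preempt_demo():
    """Without 'preempt', a higher-priority router that comes up later does not take over."""
    r1 = HsrpMember("R1", "10.0.0.10", {}, priority=100)
    r2 = HsrpMember("R2", "10.0.0.11", {}, priority=101)
    r2.alive = False                          # R2 is still booting when the group forms
    group = HsrpGroup(10, "10.0.0.1", [r1, r2])
    first = group.active_name()               # R1 becomes active
    r2.alive = True
    group.run_election()
    return first, group.active_name()         # R1 stays active despite R2's higher priority


if __name__ == "__main__":
    for entry in hsrp_demo():
        print(entry)
    print(no_preempt_demo())
```

The tracking decrement is what makes the design fail over usefully: when R1 loses Ethernet0/0 its group-10 priority falls below R2's default 100, and R2 (which has preempt configured) takes the virtual IP instead of R1 black-holing the traffic.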
IP SLA (Service Level Agreement Monitor)
IP SLA configuration is commonly used to collect performance statistics such as delay, jitter and packet loss.
Step 1: Define the IP SLA operation, its protocol type, destination and source:
Router(config)# ip sla 1
Router(config-ip-sla)# icmp-echo 10.10.10.1 source-interface FastEthernet1/0
Step 2: Start probing:
Router(config)# ip sla schedule 1 start-time now life forever
Step 3: Define the tracking object:
Router(config)# track 10 ip sla 1 reachability
Step 4: Bind the track to the static route:
Router(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 10
Configure the alternate route in case the primary default gateway goes down:
Router(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.2 5
So here the default gateway is 10.10.10.1 with the default AD of 1. As long as it is reachable, it remains the default gateway.
Now assume 10.10.10.1 becomes unreachable: IP SLA marks the track down, the tracked route is withdrawn, and the secondary default gateway 10.10.10.2 (with AD 5) is used to send traffic.
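The route-selection effect of the four steps above, as an added Python model (not the page's configuration and not Cisco code): the probe result of SLA operation 1 drives track object 10, a route whose track is down is withdrawn from the RIB, and among the remaining candidates the lowest AD wins, which is why the backup route is given AD 5. The probe results are supplied as constructed booleans rather than real ICMP echoes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    admin_distance: int = 1       # IOS default AD for a static route
    track: Optional[int] = None   # tracking object the route depends on, if any


# 'track 10 ip sla 1 reachability': track object 10 follows SLA operation 1
TRACK_CONFIG = {10: 1}

# The two static routes from the text
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.10.10.1", 1, track=10),  # ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 10
    StaticRoute("0.0.0.0/0", "10.10.10.2", 5),            # ip route 0.0.0.0 0.0.0.0 10.10.10.2 5
]


def track_states(sla_results, track_config=TRACK_CONFIG):
    """Reachability tracking: a track object is up exactly when the last ICMP echo
    of the SLA operation it references succeeded. sla_results maps SLA operation
    number -> probe succeeded (bool); an operation with no result counts as down."""
    return {track: bool(sla_results.get(sla, False)) for track, sla in track_config.items()}


def installed_route(prefix, candidates, tracks):
    """What the RIB installs for prefix: routes whose track object is down are
    withdrawn; among the rest the lowest administrative distance wins, so the
    AD-5 floating static route is only used while the tracked route is absent."""
    eligible = [r for r in candidates
                if r.prefix == prefix and (r.track is None or tracks.get(r.track, False))]
    if not eligible:
        return None
    return min(eligible, key=lambda r: r.admin_distance)


def default_gateway(primary_probe_ok, routes=ROUTES):
    """Next hop used for the default route, given the latest result of SLA operation 1."""
    route = installed_route("0.0.0.0/0", routes, track_states({1: primary_probe_ok}))
    return route.next_hop if route else None


if __name__ == "__main__":
    print("primary reachable   ->", default_gateway(True))   # 10.10.10.1
    print("primary unreachable ->", default_gateway(False))  # 10.10.10.2
```

Note that without the track keyword the primary route would stay in the RIB for as long as the interface towards 10.10.10.1 is up, even if the gateway itself stopped answering; the SLA probe is what turns "gateway unreachable" into "route withdrawn".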
MPLS
MPLS is the abbreviation for Multiprotocol Label Switching. In MPLS, data packets are forwarded at Layer 2 (switching level) instead of by the traditional Layer 3 routing. For this reason, it is often informally described as operating at Layer 2.5.
Below is the list of actions performed by MPLS routers (LER or LSR):
Push: adds a label (by the ingress router)
Swap: replaces a label (by LSRs)
Pop: removes a label (by the egress router)
Reserved Labels
Label values 0-15 are reserved; values 4-15 are reserved for future use.
Label value 0: represents the IPv4 Explicit NULL label. It indicates that the label stack must be popped and the packet then forwarded based on the IPv4 header.
Label value 1: represents the Router Alert label. When a received packet carries this label value at the top of the label stack, it is delivered to a local software module for processing.
Label value 2: represents the IPv6 Explicit NULL label. It indicates that the label stack must be popped and the packet then forwarded based on the IPv6 header.
Label value 3: represents the Implicit NULL label. This is a label that an LSR can assign and distribute. It indicates that the LSR pops the top label from the stack and forwards the rest of the packet (labeled or unlabeled) out of the outgoing interface (as per the entry in the LFIB).
PHP in MPLS
PHP (penultimate hop popping) means removing the label one hop before its destination: PHP removes the outermost label of an MPLS-tagged packet on the Label Switch Router (LSR) before it is sent to the next Label Edge Router (LER).
Forwarding Equivalence Class (FEC)
An FEC is a set of prefixes that are treated in the same way. In Multiprotocol Label Switching (MPLS) an FEC describes a set of packets with similar or identical characteristics that may be forwarded in the same way.
LDP uses UDP port 646 for hello messages and TCP port 646 for the session, which is where authentication is applied.
CEF must be enabled for MPLS to work on Cisco routers.
R1(config)# mpls ip propagate-ttl
This is the default behaviour, i.e. a customer running traceroute to a remote office will see the ISP's hops.
R1(config)# no mpls ip propagate-ttl
This prevents traceroute from seeing the internal MPLS network of the ISP.
R1(config)# no mpls ip propagate-ttl forwarded
This disables TTL propagation only for forwarded packets, so a traceroute from the customer router does not see the internal network.
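The label actions (push, swap, pop), the explicit and implicit NULL labels, PHP and the effect of TTL propagation on traceroute, as one added Python model covering the MPLS sections above (not code from the page and not Cisco code). The router names PE1/P1/P2/PE2, the label values 100 and 200 and the five-hop path are constructed; the model assumes the uniform TTL behaviour (IP TTL copied into the label at push and back at pop) when propagation is on, and a label TTL of 255 when it is off. The `forwarded` keyword variant is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Reserved label values 0-3 described in the text
IPV4_EXPLICIT_NULL, ROUTER_ALERT, IPV6_EXPLICIT_NULL, IMPLICIT_NULL = 0, 1, 2, 3


@dataclass
class Packet:
    ip_ttl: int
    labels: List[int] = field(default_factory=list)   # label stack; the top is labels[-1]
    label_ttl: Optional[int] = None


@dataclass
class Hop:
    name: str
    role: str                         # "ingress" (push), "lsr" (swap/pop), "egress" (IP routing), "host"
    out_label: Optional[int] = None   # label pushed by an ingress LER or swapped to by an LSR


def process(hop, pkt, propagate_ttl):
    """Apply one hop's action to pkt. Returns True if the TTL expired at this hop,
    i.e. the router would answer with ICMP time-exceeded and show up in a traceroute."""
    if hop.role == "ingress":
        pkt.ip_ttl -= 1                              # ordinary IP hop at the ingress LER
        if pkt.ip_ttl == 0:
            return True
        pkt.labels.append(hop.out_label)             # Push
        pkt.label_ttl = pkt.ip_ttl if propagate_ttl else 255
        return False
    if hop.role == "lsr":
        pkt.label_ttl -= 1                           # only the label TTL is decremented in the core
        if pkt.label_ttl == 0:
            return True
        if hop.out_label == IMPLICIT_NULL:           # PHP: the penultimate LSR pops instead of swapping
            pkt.labels.pop()
            if propagate_ttl:
                pkt.ip_ttl = pkt.label_ttl
            pkt.label_ttl = None
        else:
            pkt.labels[-1] = hop.out_label           # Swap (possibly to 0, IPv4 explicit null)
        return False
    if hop.role == "egress":
        if pkt.labels and pkt.labels[-1] == IPV4_EXPLICIT_NULL:
            pkt.labels.pop()                         # explicit null: pop here, route on the IPv4 header
            if propagate_ttl:
                pkt.ip_ttl = pkt.label_ttl
            pkt.label_ttl = None
        pkt.ip_ttl -= 1                              # normal IP routing at the egress LER
        return pkt.ip_ttl == 0
    return False                                     # host: packet delivered


def core_path(php=True):
    """Constructed LSP: customer -> PE1 -> P1 -> P2 -> PE2 -> remote office."""
    penultimate_out = IMPLICIT_NULL if php else IPV4_EXPLICIT_NULL
    return [
        Hop("PE1", "ingress", out_label=100),   # ingress LER pushes label 100 for the FEC
        Hop("P1", "lsr", out_label=200),        # swaps 100 -> 200
        Hop("P2", "lsr", out_label=penultimate_out),
        Hop("PE2", "egress"),
        Hop("remote-office", "host"),
    ]


def label_stack_trace(path, propagate_ttl=True):
    """Label stack after each router for one packet with plenty of TTL."""
    pkt, stacks = Packet(ip_ttl=64), []
    for hop in path:
        if hop.role == "host":
            break
        process(hop, pkt, propagate_ttl)
        stacks.append((hop.name, list(pkt.labels)))
    return stacks


def traceroute(path, propagate_ttl, max_ttl=16):
    """Hops a traceroute sent by the customer router towards the remote office would list."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        pkt = Packet(ip_ttl=ttl)
        for hop in path:
            if hop.role == "host":
                seen.append(hop.name)
                return seen
            if process(hop, pkt, propagate_ttl):
                seen.append(hop.name)
                break
    return seen


if __name__ == "__main__":
    print(label_stack_trace(core_path()))
    print("propagate-ttl:   ", traceroute(core_path(), True))
    print("no propagate-ttl:", traceroute(core_path(), False))
```

With propagation on, the customer sees every P router because the label TTL started from the IP TTL; with it off, the label TTL starts at 255, the IP TTL is untouched inside the core, and the whole MPLS cloud collapses into the PE1 to PE2 hop.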
Route Distinguisher
The RD is 64 bits long and its only purpose is to make a route unique in MP-BGP.
Route Target
RTs are extended communities and are BGP attributes.
RT Export
Routes from this VRF will have this RT attached when they are inserted into MP-BGP (VPNv4).
RT Import
Routes carrying this RT in MP-BGP (VPNv4) will be installed in the RIB (Routing Information Base) of this VRF.
VPN Label
It is part of the RD. It can be assigned per route or per VRF.
CEF (Cisco Express Forwarding)
Cisco Express Forwarding (CEF) is a packet-switching technique that is enabled by default on most Cisco routing platforms.
Methods used before CEF
Process Switching
Whenever a host needs to send a packet to a host in a different network, it forwards the packet to its gateway (router).
When the router receives the packet it does two things:
1) It first checks its routing table to find the next hop for the destination IP.
2) Once it has the next hop, it looks up the interface through which to forward the packet.
This process is repeated for every packet, so it is very CPU-intensive and hence quite slow.
Fast Switching
This method works the same way as above, but it stores the routing result in a cache. When the next packet for the same destination arrives, the router saves the CPU cost of the lookup and forwards the packet directly.
CEF
Forwarding Information Base (FIB): the routing information, i.e. control-plane information that determines the next hop for a destination IP address.
Adjacency table: once the next hop is known, this provides the information needed to find the outgoing interface for the traffic.
Routing Information Base (RIB) = Forwarding Information Base (FIB) + Adjacency Table
The RIB is then downloaded into hardware, hence packets are routed at wire speed.
DNS
DNS uses TCP for zone transfers over port 53.
It is necessary to keep the DNS database consistent between DNS servers, and this is achieved using the TCP protocol.
This communication happens between DNS servers only. The zone-transfer feature of a DNS server always uses TCP.
A connection is established between the DNS servers to transfer the zone data, and the source and destination DNS servers make sure the data is consistent by using the TCP ACK mechanism.
DNS uses UDP for DNS queries over port 53.
A client computer always sends a DNS query using UDP over port 53. If the client does not get a response from the DNS server, it must re-transmit the DNS query using TCP after an interval of 3-5 seconds.
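The two transports side by side, as an added Python example (not code from the page): it builds a standard query in the RFC 1035 wire format, shows the 2-byte length prefix that TCP carries and UDP does not, splits a TCP byte stream back into messages, picks TCP for a zone transfer (AXFR), and checks the TC (truncated) flag that makes a resolver repeat a UDP query over TCP. The transaction ID 0x1234 and the two response headers are constructed samples; no packets are sent.

```python
import struct

QTYPE_A, QTYPE_AXFR = 1, 252
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode 'example.com' as the length-prefixed labels DNS uses on the wire."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query: 12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def transport_for(qtype):
    """Zone transfers (AXFR) are always carried over TCP; ordinary queries start on UDP."""
    return "tcp" if qtype == QTYPE_AXFR else "udp"


def tcp_frame(msg):
    """Over TCP every DNS message is preceded by a 2-byte big-endian length (RFC 1035 4.2.2);
    a UDP datagram carries the bare message instead."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(data):
    """Split a TCP byte stream back into DNS messages. An incomplete trailing
    message is left unread, since the receiver has to wait for the rest of it."""
    messages, offset = [], 0
    while len(data) - offset >= 2:
        (length,) = struct.unpack_from("!H", data, offset)
        if len(data) - offset < 2 + length:
            break
        messages.append(data[offset + 2:offset + 2 + length])
        offset += 2 + length
    return messages


def is_truncated(response):
    """TC flag in the header: the answer did not fit in the UDP datagram, so the
    resolver repeats the same query over TCP."""
    (flags,) = struct.unpack_from("!H", response, 2)
    return bool(flags & FLAG_TC)


# Constructed sample response headers (no answer records are needed to show the flag)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0)


if __name__ == "__main__":
    query = build_query("example.com")
    print("udp payload:", query.hex())
    print("tcp payload:", tcp_frame(query).hex())
    print("AXFR goes over", transport_for(QTYPE_AXFR))
    print("retry over TCP?", is_truncated(TRUNCATED_RESPONSE), is_truncated(COMPLETE_RESPONSE))
```

To actually send these, the UDP form goes in one `sendto` on a `SOCK_DGRAM` socket and the framed form is written to a `SOCK_STREAM` socket; on the receiving side `split_tcp_stream` is what lets one TCP connection carry several messages, which a zone transfer relies on.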
Bidirectional Forwarding Detection (BFD)
BFD (Bidirectional Forwarding Detection) is a protocol that can detect link failures within milliseconds or even microseconds.
BFD runs independently of any other (routing) protocol. Once it is up and running, you can configure protocols such as OSPF, EIGRP, BGP, HSRP and MPLS LDP to use BFD for link-failure detection instead of their own mechanisms. When the link fails, BFD informs the protocol.