```
├── README.md
├── bgp-fundamentals-shortnotes.md
├── bgp-routing-policies-shortnotes.md
├── ccie_comreference.md
├── classification-marking-shortnotes.md
├── congestionmgmt-avoidance-shortnodes.md
├── device-and-network-security-shortnotes.md
├── eigrp-shortnotes.md
├── ethernet-basics-shortnotes.md
├── images
│   ├── pic.png
│   └── stp-bpdu.png
├── intro-multicast-shortnotes.md
├── ip-addressing-shortnotes.md
├── ip-forwarding-shortnotes.md
├── ip-services-shortnotes.md
├── isis-shortnotes.md
├── lfa-shortnotes.md
├── mpls-shortnotes.md
├── multicast-routing-shortnotes.md
├── ospf-shortnotes.md
├── quick-notes
│   ├── bgp.md
│   ├── device-networksec.md
│   ├── eigrp.md
│   ├── eth-basics.md
│   ├── ipaddressing.md
│   ├── ipforwarding.md
│   ├── ipservices.md
│   ├── isis-routing.md
│   ├── lfa.md
│   ├── mpls.md
│   ├── multicast.md
│   ├── ospf.md
│   ├── qos.md
│   ├── redist-summ-defroute.md
│   ├── rip.md
│   ├── rtp.md
│   ├── stp.md
│   ├── template.md
│   ├── tunnelling.md
│   ├── vlans-trunk.md
│   └── wans.md
├── redist-summ-defroute-tshoot-shortnotes.md
├── rip-shortnotes.md
├── shaping-policing-lfi-shortnotes.md
├── stp-shortnotes.md
├── tunnelling-shortnotes.md
├── vlans-and-trunking-shortnotes.md
└── wans-shortnotes.md
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ccie-rs-notes
My repo for CCIE R&S Notes

--------------------------------------------------------------------------------
/bgp-fundamentals-shortnotes.md:
--------------------------------------------------------------------------------
* BGP is a path-vector protocol; the AS_PATH is the vector
* Shortest AS_PATH is the best route (all else being equal)

# Building BGP Neighbour Relationships

* Runs over TCP
* End goal is exchanging BGP Updates
* Neighbours must be explicitly configured
* TCP port 179
* If there is no config for the neighbour, the connection request is rejected
* After the TCP connection, BGP Open messages are exchanged
* After the Opens, the session is Established
* Updates are then exchanged

* **bgp timers keepalive holdtime** - 60 and 180 seconds by default
* **neighbor timers** - per neighbour
* RID selection: **bgp router-id**, then highest
loopback IP, then highest interface IP
* Source address is the **update-source** interface, or the outgoing interface IP
* Auto-summary off by default
* Auth is TCP MD5 (RFC 2385), **neighbor password**

## Internal Neighbours

```
router bgp 123
 no synchronization
 bgp router-id 111.111.111.111
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 2.2.2.2 password DAVE-LIKES-BGP
 no auto-summary
```

```
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 neighbor my-as peer-group
 neighbor my-as update-source Loopback1
 neighbor my-as remote-as 123
 neighbor 1.1.1.1 peer-group my-as
 neighbor 2.2.2.2 peer-group my-as
 no auto-summary
```

* One set of updates is built per peer group

## External Neighbours

* Usually a single directly connected link
* No update source needed
* If loopbacks are used, **ebgp-multihop** is required
* A loopback is one hop inside the router, and eBGP packets are sent with TTL 1 by default

## Checks before becoming neighbours

1. Source address of the packet must match a neighbor config, or the packet is rejected
2. ASN must match the config (unless in a confederation)
3. RIDs must not be the same
4.
MD5 authentication must pass

## Messages and Neighbour States

* Idle - Not listening for TCP
* Connect - Listens for TCP
* Active - Listens for TCP, initiates TCP
* OpenSent - Listens for TCP, initiates TCP, TCP is up, Open sent
* OpenConfirm - Listens for TCP, initiates TCP, TCP is up, Open sent, Open received
* Established - Listens for TCP, initiates TCP, TCP is up, Open sent, Open received, neighbour up

## Message Types

* Open - Establishes the neighbour and basic parameters
* Keepalive - Maintains the neighbour
* Update - Routing info
* Notification - Takes down the neighbour on error

## Purposefully resetting BGP peers

* **neighbor shutdown** - In config
* **clear ip bgp** - Resets the neighbour, closes TCP, removes that neighbour's entries from the table, rediscovers afterwards

# Building the BGP Table

* Topology table (BGP RIB) holds learned NLRI and associated PAs
* NLRI - IP prefix and length
* BGP does not advertise routes as such; it advertises a set of PAs and the NLRI that share those PAs

## Injecting Routes/Prefixes into the BGP table

### Network command

* Assumes no auto-summary (the default from 12.3 mainline)
* Looks in the current IP routing table for a matching network
* If it exists, puts the NLRI into the local BGP table
* Connected, static or IGP routes can match
* When the route is withdrawn, the NLRI is withdrawn and neighbours are notified with a Withdraw
* **network { network-number [ mask net-mask] } [ route-map name ]**
* No mask - classful
* Match with no auto-summary - Must match prefix and length exactly
* Match with auto-summary - If the network is classful, matches if any subnet of the classful network exists
* NEXT_HOP taken from the next hop of the IP route
* Maximum number injected by one process - Limited by NVRAM and RAM

### Redistributing from IGP, Static or Connected Routes

* No metric calculation
* PAs for each redistributed route are set from the IP route
* Apply
a route-map to manipulate PAs
* If a metric is assigned, it is assigned to MED
* Takes in IGP routes and connected routes matched by IGP network commands
* NEXT_HOP is the next hop of the redistributed route, or 0.0.0.0 for connected routes and routes to null0

### Impact of auto-summary on redistribute and network commands

* Causes a classful summary to be created if components exist
* Causes BGP to summarize only routes injected by redistribution on this router
* Does not look for classful network boundaries in the topology
* Does not look at BGP table routes

**Redistribute**
* If subnets of a classful network would be redistributed, they are not; a route for the classful network is redistributed instead
* No subnets in redistribution

**Network**
* If the network command mentions a classful network and any subnet of it exists, inject a route for the classful network
* Still injects subnets as well as the classful route if the command matches the classful network and components exist

### Manual Summaries and the AS_PATH PA

* **aggregate-address** - Summarizes any routes in the BGP table
* Does not always suppress advertisement of the components
* The summary must carry an AS_PATH PA, built from these segment types:
* AS_SEQ
* AS_SET
* AS_CONFED_SEQ
* AS_CONFED_SET

* Aggregate creates a summary with a null AS_SEQ
* If components have different AS_SEQ values, AS_SEQ is not aggregated
* Uses AS_SET with an unordered ASN list instead

* **aggregate-address** prefix mask - Advertises the aggregate (components still advertised)
* **aggregate-address** prefix mask **summary-only** - Only the summary
* **aggregate-address** prefix mask **summary-only as-set** - Advertises only the aggregate, with all ASNs from the components as an AS_SET

Actions by the aggregate command when a summary route is created:
* No summary if no components exist in the BGP table
* If all component subnets are withdrawn, the aggregate is withdrawn
* NEXT_HOP of 0.0.0.0 in the local BGP table
* NEXT_HOP is the update source when advertised
* AS_SEQ is kept if all components have the same AS_SEQ
* Null if they differ
* as-set creates an AS_SET segment, but only if AS_SEQ is null
* If sent to an eBGP peer, the local ASN is prepended to AS_SEQ
* summary-only suppresses all components; suppress-map suppresses only specific components

* A static route to null0 that is redistributed is effectively a summary, but it does not filter the components

### Default Routes

* Network command
* Redistribute in
* **neighbor x.x.x.x default-originate [route-map name]**

**Network**
* 0.0.0.0/0 must be in the IP routing table, by any means
* Withdrawn if it disappears

**Redistribution**
* Requires **default-information originate**

**Neighbor**
* Advertises a default to that neighbour
* Can be made conditional on prefixes in the table via a route-map (conditional advertisement)

## Origin PA

* IGP, EGP or Incomplete
* Seen in **show ip bgp**
* IGP - i - network command, aggregates (in some cases) and neighbor default-originate
* EGP - e - Shouldn't be seen
* Incomplete - ? - redistribution, aggregates in some cases, default-information originate

**Aggregates**
* If the as-set option is not used, origin i
* If as-set is used and all components have code i, code i
* If as-set is used and at least one component has ?, code ?

# Advertising BGP routes to Neighbours

## Update Message

**General Format**
* Withdrawn Routes Length in bytes (2 bytes)
* Withdrawn Routes (variable)
* Total Path Attribute Length in bytes (2 bytes)
* Path Attributes (variable)
* Prefix Length (1 byte) and Prefix (variable), repeated for each NLRI advertised
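The UPDATE layout above, as a parser. This is an added example, not code from these notes, Cisco or an RFC; it assumes 2-byte ASNs (no AS4 capability negotiated) and IPv4 unicast NLRI, and the sample message bytes are constructed by hand. Every length field is bounds-checked before use, since an UPDATE comes from a peer and a bad length must not read past the buffer, which is the classic failure in BGP message parsers.

```python
"""Parser for the body of a BGP UPDATE message (RFC 4271 section 4.3).

Added example for these notes, not Cisco or RFC reference code. Assumes
2-byte ASNs (no AS4 capability) and IPv4 unicast NLRI; the sample message
below is constructed by hand. Every length field is bounds-checked, because
an UPDATE arrives from a peer and a bad length must not read past the buffer.
"""
import struct
from ipaddress import IPv4Address

ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF = 1, 2, 3, 4, 5
SEG_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
ORIGIN_CODES = {0: "i", 1: "e", 2: "?"}


class MalformedUpdate(ValueError):
    """A length field points outside the message or a value has the wrong size."""


def parse_prefixes(buf: bytes) -> list[str]:
    """Decode the <length, prefix> list used by Withdrawn Routes and NLRI."""
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        if plen > 32:
            raise MalformedUpdate(f"prefix length {plen} > 32")
        nbytes = (plen + 7) // 8
        chunk = buf[i + 1:i + 1 + nbytes]
        if len(chunk) != nbytes:
            raise MalformedUpdate("prefix truncated")
        out.append(f"{IPv4Address(int.from_bytes(chunk.ljust(4, b'\0'), 'big'))}/{plen}")
        i += 1 + nbytes
    return out


def parse_as_path(value: bytes, asn_size: int = 2) -> list[tuple[str, list[int]]]:
    """Decode AS_PATH into (segment type, [ASN, ...]) pairs, in wire order."""
    segs, i = [], 0
    while i < len(value):
        if i + 2 > len(value):
            raise MalformedUpdate("AS_PATH segment header truncated")
        stype, count = value[i], value[i + 1]
        body = value[i + 2:i + 2 + count * asn_size]
        if len(body) != count * asn_size:
            raise MalformedUpdate("AS_PATH segment truncated")
        asns = [int.from_bytes(body[j:j + asn_size], "big") for j in range(0, len(body), asn_size)]
        segs.append((SEG_NAMES.get(stype, f"type{stype}"), asns))
        i += 2 + count * asn_size
    return segs


def as_path_to_ios(segs) -> str:
    """Render like `show ip bgp`: AS_SEQ bare, AS_SET as {a,b}, confed SEQ as (a b).
    AS_CONFED_SET is shown as ({a,b}) here; the notes do not pin down its format."""
    parts = []
    for name, asns in segs:
        if name == "AS_SEQUENCE":
            parts.append(" ".join(map(str, asns)))
        elif name == "AS_SET":
            parts.append("{" + ",".join(map(str, asns)) + "}")
        elif name == "AS_CONFED_SEQUENCE":
            parts.append("(" + " ".join(map(str, asns)) + ")")
        else:
            parts.append("({" + ",".join(map(str, asns)) + "})")
    return " ".join(parts)


def parse_update(body: bytes, asn_size: int = 2) -> dict:
    """Parse an UPDATE body (the bytes after the 19-byte BGP header)."""
    if len(body) < 4:
        raise MalformedUpdate("body shorter than the two length fields")
    (wlen,) = struct.unpack_from("!H", body, 0)
    withdrawn = body[2:2 + wlen]
    if len(withdrawn) != wlen or 4 + wlen > len(body):
        raise MalformedUpdate("withdrawn routes length exceeds message")
    (alen,) = struct.unpack_from("!H", body, 2 + wlen)
    attrs = body[4 + wlen:4 + wlen + alen]
    if len(attrs) != alen:
        raise MalformedUpdate("path attribute length exceeds message")
    result = {"withdrawn": parse_prefixes(withdrawn), "attrs": {},
              "nlri": parse_prefixes(body[4 + wlen + alen:])}
    i = 0
    while i < len(attrs):
        if i + 3 > len(attrs):
            raise MalformedUpdate("attribute header truncated")
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:                       # Extended Length flag: 2-byte length
            if i + 4 > len(attrs):
                raise MalformedUpdate("extended attribute header truncated")
            (length,) = struct.unpack_from("!H", attrs, i + 2)
            i += 4
        else:
            length, i = attrs[i + 2], i + 3
        value = attrs[i:i + length]
        if len(value) != length:
            raise MalformedUpdate(f"attribute type {code} runs past the attribute section")
        i += length
        if code == ORIGIN and len(value) == 1:
            result["attrs"]["ORIGIN"] = ORIGIN_CODES.get(value[0], "?")
        elif code == AS_PATH:
            result["attrs"]["AS_PATH"] = as_path_to_ios(parse_as_path(value, asn_size))
        elif code == NEXT_HOP:
            if len(value) != 4:
                raise MalformedUpdate("NEXT_HOP must be 4 bytes")
            result["attrs"]["NEXT_HOP"] = str(IPv4Address(value))
        elif code in (MED, LOCAL_PREF):
            if len(value) != 4:
                raise MalformedUpdate("MED/LOCAL_PREF must be 4 bytes")
            result["attrs"]["MED" if code == MED else "LOCAL_PREF"] = struct.unpack("!I", value)[0]
        else:
            # Unknown attrs: optional transitive ones (flags 0x80|0x40) must be passed on
            # unchanged, non-transitive ones dropped; keep the raw bytes so a caller can decide.
            result["attrs"][f"TYPE{code}"] = {"flags": flags, "raw": value.hex()}
    return result


def rejects(body: bytes) -> bool:
    """True if the parser refuses the message instead of reading out of bounds."""
    try:
        parse_update(body)
        return False
    except MalformedUpdate:
        return True


# Constructed sample: withdraws 10.0.0.0/8; announces 198.51.100.0/24 via 192.0.2.1,
# ORIGIN i, AS_PATH = AS_SEQUENCE(65001 65002) followed by AS_SET{65003,65004}.
SAMPLE_UPDATE = bytes.fromhex(
    "0002" "08 0a"                                   # withdrawn length 2, 10.0.0.0/8
    "001a"                                           # total path attribute length 26
    "40 01 01 00"                                    # ORIGIN, IGP
    "40 02 0c" "02 02 fde9 fdea" "01 02 fdeb fdec"   # AS_PATH, 12 bytes: SEQ x2, SET x2
    "40 03 04 c0000201"                              # NEXT_HOP 192.0.2.1
    "18 c63364"                                      # NLRI 198.51.100.0/24
)
```

`parse_update(SAMPLE_UPDATE)` returns the withdrawn prefix, the NLRI and the attributes with AS_PATH rendered as `65001 65002 {65003,65004}`; chopping two bytes off the end, or inflating the withdrawn length, makes it raise `MalformedUpdate` rather than silently mis-parse.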
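The best-path order sketched in the next subsection, and in full in the decision-process list of bgp-routing-policies-shortnotes.md, as runnable selection logic. This is an added example, not the notes' or any vendor's code; the `Path` fields, the `demo()` scenarios and the candidate paths are constructed for illustration.

```python
"""Cisco-style BGP best-path selection for one prefix.

Added example, not the notes' or any vendor's code. It follows the order these
notes give: next-hop reachability, weight, LOCAL_PREF, locally injected,
AS_PATH length (an AS_SET counts as one ASN, confed segments as zero), ORIGIN,
MED (same neighbouring AS only, unless always-compare-med), eBGP over iBGP,
IGP metric, oldest eBGP route (skipped with compare-routerid), lowest RID,
lowest neighbour address. The candidate paths are constructed sample data.
"""
import re
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    next_hop: str
    as_path: str = ""          # IOS display form, e.g. "65001 {65002,65003} (65100)"
    reachable: bool = True     # does the routing table resolve next_hop?
    weight: int = 0            # 32768 for routes injected locally
    local_pref: int = 100
    local: bool = False        # network / redistribute / aggregate on this router
    origin: str = "i"
    med: int = 0
    ebgp: bool = True          # pass confed-eBGP as ebgp=False: it is treated as iBGP
    igp_metric: int = 0
    age: int = 0               # lower = received earlier
    rid: str = "0.0.0.0"
    neighbor: str = "0.0.0.0"


def as_path_length(path: str) -> int:
    """AS_PATH hop count as used at step 5: each {AS_SET} is one hop, (confed) is zero."""
    path = re.sub(r"\([^)]*\)", " ", path)           # drop AS_CONFED_* segments
    path, n_sets = re.subn(r"\{[^}]*\}", " ", path)  # each AS_SET contributes exactly one
    return len(path.split()) + n_sets


def first_asn(path: str):
    """Neighbouring AS the route came from (first non-confed element); None if local."""
    tokens = re.sub(r"\([^)]*\)", " ", path).split()
    return tokens[0].strip("{}").split(",")[0] if tokens else None


def best_path(paths, compare_routerid=False, always_compare_med=False):
    """Return (best Path, name of the step that decided it)."""
    cands = [p for p in paths if p.reachable]
    if not cands:
        return None, "no reachable next hop"

    def narrow(key):
        # keep only the candidates with the smallest key; True if that settles it
        nonlocal cands
        top = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == top]
        return len(cands) == 1

    steps = [
        ("weight", lambda p: -p.weight),
        ("local_pref", lambda p: -p.local_pref),
        ("locally injected", lambda p: 0 if p.local else 1),
        ("as_path length", lambda p: as_path_length(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ]
    for reason, key in steps:
        if narrow(key):
            return cands[0], reason
    # MED is only comparable between paths from the same neighbouring AS
    if always_compare_med or len({first_asn(p.as_path) for p in cands}) == 1:
        if narrow(lambda p: p.med):
            return cands[0], "med"
    if narrow(lambda p: 0 if p.ebgp else 1):
        return cands[0], "ebgp over ibgp"
    if narrow(lambda p: p.igp_metric):
        return cands[0], "igp metric"
    # Tiebreakers: oldest eBGP route wins unless bgp bestpath compare-routerid is set
    if not compare_routerid and all(p.ebgp for p in cands) and narrow(lambda p: p.age):
        return cands[0], "oldest route"
    if narrow(lambda p: int(IPv4Address(p.rid))):
        return cands[0], "lowest rid"
    narrow(lambda p: int(IPv4Address(p.neighbor)))
    return cands[0], "lowest neighbor address"


# Constructed sample: three paths to the same prefix, two eBGP and one iBGP
SAMPLE_PATHS = [
    Path("192.0.2.1", "65010 65020", age=2, rid="10.0.0.1", neighbor="192.0.2.1"),
    Path("192.0.2.5", "65030 {65040,65050}", age=1, rid="10.0.0.2", neighbor="192.0.2.5"),
    Path("10.1.1.1", "65010 65020", ebgp=False, igp_metric=20, rid="10.0.0.3", neighbor="10.1.1.1"),
]


def demo():
    """Run the sample under three policies; returns {scenario: (next_hop, deciding step)}."""
    out = {}
    b, why = best_path(SAMPLE_PATHS)
    out["default"] = (b.next_hop, why)
    b, why = best_path(SAMPLE_PATHS, compare_routerid=True)
    out["compare-routerid"] = (b.next_hop, why)
    boosted = [replace(p, local_pref=200) if not p.ebgp else p for p in SAMPLE_PATHS]
    b, why = best_path(boosted)
    out["ibgp local-pref 200"] = (b.next_hop, why)
    return out
```

With the sample data all three paths tie through the AS_PATH and origin steps (the AS_SET counts once), MED is skipped because the first ASNs differ, eBGP wins over the iBGP path, and the two eBGP paths are split by age; `bgp bestpath compare-routerid` moves that decision to the RID, and raising LOCAL_PREF on the iBGP copy settles it at step 3.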
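AS_PATH filtering, as covered under "Filtering updates by matching AS PATH PA" in bgp-routing-policies-shortnotes.md, with the IOS regex dialect evaluated in code. This is an added example and not IOS code: the `_` delimiter token is translated into a Python alternation, entries are tried in order with first match winning and an implicit deny, and the access-list and received routes are constructed for illustration.

```python
"""IOS-style `ip as-path access-list` evaluation.

Added example, not IOS code. The one IOS-specific token in the regex table of
bgp-routing-policies-shortnotes.md is `_`, which matches any delimiter
(space, comma, braces, parentheses, start or end of the path); the rest of
that table (^ $ | . ? * + () []) already has the same meaning in Python's re.
Entries are tried top to bottom, first match wins, and an unmatched path is
filtered (implicit deny), as a filter-list does. ACL and routes are constructed.
"""
import re

DELIM = r"(?:^|$|[ ,{}()])"   # what `_` stands for in IOS AS_PATH regexes


def ios_as_path_regex(expr: str):
    """Compile an IOS as-path regex into a Python pattern."""
    return re.compile(expr.replace("_", DELIM))


def filter_list(entries, as_path: str) -> str:
    """entries: [(action, ios_regex), ...] in list order. Returns 'permit' or 'deny'."""
    for action, expr in entries:
        if ios_as_path_regex(expr).search(as_path):
            return action
    return "deny"   # implicit deny at the end of every as-path access-list


def apply_filter(entries, routes: dict) -> dict:
    """Apply one as-path access-list to {prefix: as_path}; returns {prefix: action}."""
    return {prefix: filter_list(entries, path) for prefix, path in routes.items()}


# ip as-path access-list 10 (constructed): customer AS 65010 is directly attached
ACL_10 = [
    ("deny", "_65666_"),              # anything that passed through AS 65666, anywhere in the path
    ("deny", "_65030_"),              # also catches 65030 inside an AS_SET: , { } are delimiters
    ("permit", r"^65010(_65010)*$"),  # originated by 65010, prepending of its own ASN allowed
    ("permit", r"^65010_[0-9]+$"),    # exactly one AS behind 65010
]

# Constructed received routes: {prefix: AS_PATH as shown by `show ip bgp`}
SAMPLE_ROUTES = {
    "203.0.113.0/24": "65010",
    "198.51.100.0/24": "65010 65010 65010",
    "192.0.2.0/24": "65010 65666",
    "10.0.0.0/8": "65010 {65020,65030}",
    "172.16.0.0/12": "65010 65020",
    "192.168.0.0/16": "65020 65010",       # no entry matches: implicit deny
    "100.64.0.0/10": "65010 165666",       # `_65666_` does not match inside 165666
}
```

The last two routes are the ones worth checking by hand: a path that starts with the wrong AS falls off the end of the list and is denied, and `_65666_` does not fire on `165666`, which is exactly the false positive a bare `65666` pattern would produce.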
* Withdrawn routes section informs neighbours of removed prefixes
* PA section lists the PAs (NEXT_HOP, AS_PATH etc.) shared by every NLRI in the update
* Prefix length and prefix fields define each NLRI
* An update carries one set of PAs, then all NLRI that share those PAs
* Separate updates are needed when NLRIs have different PAs

### Determining Content of Updates

Rules for not including routes in updates:
* Both iBGP and eBGP - Routes that are not best
* Both - Routes matched by a deny in filtering
* iBGP - iBGP-learned routes (unless RR or confederation)

Best route, with no routing policies applied, usually comes down to:
1. Shortest AS_PATH
2. eBGP over iBGP
3. Lowest IGP metric to next hop
4. Lowest BGP RID for iBGP routes

* Routes must be locally injected or have a reachable next hop (the recursive lookup succeeds)
* **next-hop-self** for iBGP usually
* **next-hop-unchanged** for eBGP usually

* Single BGP table usually, with notations of which entries were sent to and received from each neighbour
* **show ip bgp neighbor x.x.x.x advertised-routes**
* **show ip bgp neighbor x.x.x.x received-routes** - Requires **soft-reconfiguration inbound** on the neighbour
* "valid" means the route is a candidate for use

# Building the IP Routing Table

## Adding eBGP routes to the IP Routing Table

* Must be the best route
* AD must be lower than other sources (if learned by multiple protocols)
* Default eBGP AD is 20 (only EIGRP summaries, AD 5, are lower among dynamic protocols)
* ADs: 20, 200, 200 (eBGP, iBGP, locally injected)
* Change for all routes with **distance bgp external internal local**
* Change per route with **distance value ip-address wildcard-mask [ip-standard-list | ip-ext-list]**
* IP and mask refer to the neighbour, not the RID or next hop; the ACL matches routes
* NEXT_HOP goes in the IP routing table even if not directly connected (recursive lookups)

## Backdoor routes

* Used when learning routes via a private
link as well as via eBGP
* **network backdoor** command
* Makes the BGP route a "local" route (AD 200), so the IGP route over the private link wins
* Does not advertise the route downstream with BGP

## Adding iBGP routes to the IP Routing Table

* BGP synchronization, as well as the other two requirements
* With sync disabled, same as eBGP (AD and best route)

### Sync and Redistribution

* An iBGP route can't be best unless the exact prefix is learned through an IGP and is in the current routing table
* Static routes do not satisfy the above
* When sync is used and OSPF is the IGP, if the OSPF RID differs from the BGP RID of the router advertising the route, sync does not allow the route

### Disabling sync and using BGP on all routers in the AS

* Once all routers speak iBGP, sync is not needed
* Full mesh requirement (or use confederations and RRs)
* Avoids routing loops

### Confederations

* RFC 5065
* Routers go into sub-ASs
* Routers in the same sub-AS are confed iBGP peers
* Routers in different sub-ASs are confed eBGP peers

* In a single sub-AS, iBGP peers must be fully meshed; works like iBGP
* Confed eBGP peers act like normal eBGP peers (can advertise to other confed sub-ASs)

* Confed AS_PATH segments are used inside the AS for loop prevention
* Confed adds the sub-AS into AS_CONFED_SEQ, and AS_CONFED_SET (for aggregates)
* Usual AS_PATH rules apply (reject if own sub-AS is seen)

* 64512 to 65535 - Private ASNs

**Key Topics**
* Full mesh inside a sub-AS
* Normal eBGP for confed eBGP
* TTL normal (1)
* Behaves like iBGP in other regards (e.g. NEXT_HOP unchanged)
* Confed ASNs are not counted in AS_PATH length for best-path selection
* Confed ASNs are removed from the AS_PATH when advertised outside the confederation

**Config**

* router bgp ASN is now the sub-AS
* Downtime required if converting

```
router bgp sub-as
 bgp confederation identifier as     ! the true ASN
 bgp confederation peers sub-as      ! identifies a neighbouring AS as another sub-AS
```

### Route Reflectors

* Servers and clients
* Servers accept iBGP routes from clients and advertise them to other iBGP peers

**Core Logic**
* Only the RR uses modified rules; clients and non-clients are unaware
* Prefix from a client - to clients and non-clients
* Prefix from a non-client - to clients, not to non-clients
* From eBGP - to clients and non-clients

* Clusters of one or more RRs
* Multiple clusters make sense only when physical redundancy exists
* Must have at least one peering from one RR cluster to another
* All RRs peer directly: full mesh of iBGP between RRs
* Non-clients need to be fully meshed with all RRs in all clusters

**Avoid Routing Loops with**
* CLUSTER_LIST - RRs add their cluster ID to the CLUSTER_LIST PA; if own ID is already in CLUSTER_LIST, drop the update
* ORIGINATOR_ID - RID of the first iBGP router to advertise the route; if own RID is seen, drop it
* Only advertise best routes - Routes are reflected only if considered best

* **neighbor x.x.x.x route-reflector-client**
* **bgp cluster-id value**

# MP-BGP

* Customer (VPN) routes between PE and CE can be learned through BGP-4, EIGRP, OSPF, static routes etc.
* Each MP-BGP session between PEs is an internal (iBGP) session
* MP-iBGP required in MPLS VPN
* With L3 VPNs, VPNv4 prefixes, label info and extended communities (route targets) are transmitted
* When the Open is sent, the capabilities field lists what the peer understands

**Two non-transitive attributes**
* Multiprotocol Reachable NLRI (MP_REACH_NLRI) - new MP routes
* Communicates a set of reachable prefixes with next-hop info
* Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI) - revokes routes previously announced
* Unreachable destinations

* When a PE sends an MP-BGP update to other PE routers, MP_REACH_NLRI contains:
* AFI/SAFI information - Network layer protocol being carried
* Next-hop info - Address of the next
router on the path to the destination
* NLRI - Manages addition/withdrawal of MP routes and next hop; NLRI prefixes must be in the same AF

## Config

* Disable IPv4 unicast by default with **no bgp default ipv4-unicast**
* The default context (no address family) is the catch-all for non-VRF or IPv4-specific sessions
* Anything there goes into the global table

**Standard Config**
```
router bgp 1
 neighbor 194.22.15.3 remote-as 1
 neighbor 194.22.15.3 update-source Loopback0
 neighbor 194.22.15.3 activate
```

**AF Config**
```
router bgp 1
 address-family vpnv4
  neighbor 194.22.15.3 activate
```

* **neighbor x.x.x.x send-community extended/standard/both** - Extended only by default under vpnv4

--------------------------------------------------------------------------------
/bgp-routing-policies-shortnotes.md:
--------------------------------------------------------------------------------
# Route Filtering and Summarization

* Distribution lists, prefix lists, AS_PATH filters, route maps, aggregate-address
* All can filter inbound and outbound updates
* A peer group processes the update once, not per peer
* Cannot apply to a single neighbour in a peer group
* Matching logic is applied to the BGP update
* A clear is required to take effect
* The clear can be soft

* **neighbor distribute-list** - Standard ACL: match prefix and wildcard mask
* **neighbor distribute-list** - Extended ACL: prefix, length and wildcard mask
* **neighbor prefix-list** - Exact match or first N bits of the prefix, plus a range of lengths
* **neighbor filter-list** - AS_PATH
* **neighbor route-map** - Prefix, length, AS_PATH and/or PAs

## Filtering on NLRI

* Use an extended ACL to match prefix and length
* Most IGP distribute-lists only take standard ACLs

### Route Map Rules for NLRI filtering

* Each update is compared to the route-map and filtered or not based on the matching clause
* A **deny** clause filters the route; a deny in
the referenced ACL/prefix list simply doesn't match the route

### Soft Reconfiguration

* **clear ip bgp { * | neighbor-address | peer-group} {soft [in | out]}**
* Soft applies policy config in and out, and can be directional
* Soft is the default for sending updates (outbound)
* Enable for inbound with **neighbor x.x.x.x soft-reconfiguration inbound**
* Received updates are stored unfiltered

* Config changes for local injection can't be applied with a soft clear
* Soft just reprocesses the stored updates

## Comparing BGP prefix lists, distribute lists and route maps

* Distribute lists can match BGP NLRI
* Prefix lists are more flexible
* Route maps add nothing for filtering NLRI, but can manipulate PAs
* Also combine match criteria

## Filtering Subnets of a Summary using the aggregate command

* **summary-only** keyword
* **suppress-map**
* Route map: any subnets permitted by the route-map are suppressed
* Suppressed in advertisement only

## Filtering updates by matching the AS_PATH PA

1. **ip as-path access-list NUMBER permit/deny REGEX**
2. **neighbor x.x.x.x filter-list AS-PATH-ACL { in | out }**

### AS_PATH segment types

* AS_SEQ most common, most recently added ASN first
* AS_SET comma delimited, enclosed in {}
* AS_CONFED_SEQ space delimited, enclosed in ()
* AS_CONFED_SET comma delimited, enclosed in {}

### Regex path matching

1. Regex of the first line is applied to the AS_PATH of each route
2. For matching NLRIs, the action is permit or deny
3. For unmatched NLRIs, repeat steps 1 and 2 with the next line
4. Any NLRI matched by no line is filtered (implicit deny)

**Regex characters**
* `^` - Start of line
* `$` - End of line
* `|` - Logical OR
* `_` - Any delimiter (blank, comma, brace, parenthesis, start of line, end of line)
* `.` - Any character
* `?`
- Zero or one
* `*` - Zero or more
* `+` - One or more
* `(string)` - Group a string as a single entity
* `[chars]` - Any single character from the set

* For a regex on a BGP route, IOS searches the AS_PATH for the first instance of the first regex item, then matches the rest of the path sequentially

* **show ip bgp neighbor x.x.x.x advertised-routes** - after filtering
* **show ip bgp neighbor x.x.x.x received-routes** - before filtering

* Match AS_CONFED delimiters with [(] and [)], since ( and ) are regex metacharacters

# PAs and the Decision Process

## Generic terms and characteristics

* Well-known or optional
* Mandatory or discretionary
* ATOMIC_AGGREGATE - Well-known discretionary
* AS_PATH - Well-known mandatory
* Transitive - Silently forwarded to other routers, even if unknown to this router
* Non-transitive - Removed and not propagated if unknown

|Name|Description|Type|
|----|-----------|----|
|AS_PATH|Transited ASNs|Well-known mandatory|
|NEXT_HOP|Next hop of the NLRI|Well-known mandatory|
|AGGREGATOR|RID and ASN of the summarizing router|Optional transitive|
|ATOMIC_AGGREGATE|Tags the NLRI as a summary|Well-known discretionary|
|ORIGIN|How the route was injected|Well-known mandatory|
|ORIGINATOR_ID|Used by RRs: RID of the original advertiser|Optional non-transitive|
|CLUSTER_LIST|Cluster IDs of the RRs traversed|Optional non-transitive|

## BGP Decision Process

1. Next hop reachable
2. Highest administrative weight
3. Highest LOCAL_PREF
4. Locally injected routes (network, redistribute or summarization)
5. Shortest AS_PATH; ignore with **bgp bestpath as-path ignore**
6. Origin - IGP over EGP over Incomplete (?)
7. Smallest MED
8. Neighbour type - eBGP over iBGP (confed eBGP still counts as iBGP)
9. Lowest IGP metric to the next hop

* The above is done before looking at maximum paths

### Final tiebreakers

10. Oldest route
11.
Smallest neighbour RID (only if **bgp bestpath compare-routerid** is configured)
12. Smallest neighbour IP address (only reached when the router has two neighbour relationships to the same router)

## Multiple routes to the IP routing table

* If the best path is decided in the first 9 steps, only one route is added
* If the best path is decided after step 9, multiple routes may be considered
* Even if multiple are added, one best path is chosen and only that one is advertised

# Configuring BGP policies

## NEXT_HOP reachable

* **next-hop-self**
* **next-hop-unchanged**

## Weight

* 0 through 65535
* Default 0 for learned routes, 32768 for locally injected routes
* Set via route-map or **neighbor weight**
* Route-map takes preference

## Highest local pref

* Default 100
* **bgp default local-preference <0-4294967295>**

## Locally injected routes with Origin

* With local injection, the weight (32768) automatically wins first
* To reach this step the route would need to be locally injected, advertised, and received back with a route-map assigning weight
* Or the same NLRI from different local sources (i.e.
network and redistribute connected)

## Shortest AS_PATH

* AS_SET - Always counts as a single ASN
* Confederation segments - Don't count
* Aggregate address - See the aggregation rules
* **neighbor remove-private-as** - On the router attached to the private AS
* **neighbor local-as no-prepend** - Can present a different AS than the one in the router bgp command
* AS_PATH prepending
* **bgp bestpath as-path ignore**

### Private ASNs

In IOS:
* Private ASNs are only removed from eBGP updates
* If the current AS_SEQ has both private and public ASNs, private ASNs are not removed
* If the ASN of the eBGP peer is in the current AS_PATH, private ASNs are not removed

### Prepending and route aggregation

* Can prepend any ASN
* Route aggregation can decrease path length

## Best Origin PA

* **set origin**

## Smallest MED

* Default 0
* Sent to one neighbouring AS, no further
* **bgp bestpath med missing-as-worst**
* Range 0 through 2^32 - 1
* **bgp always-compare-med** - MED is then compared between routes from different ASes (put on all routers)
* **bgp deterministic-med** - Groups routes per adjacent AS, picks the best in each group, then compares the groups
* Without this, comparison is sequential in order of receipt

## eBGP over iBGP

* External should always be preferred

## Smallest IGP Metric

* Find the shortest path to the next hop

## Maximum paths

* Which route is best - tiebreakers
* Whether to add multiple paths - **maximum-paths** command

## Lowest BGP RID (with one exception)

1. Examine eBGP routes only, picking the route with the lowest RID
2.
If only iBGP routes, lowest RID

* Exception: when BGP already has a best route to the NLRI but learns new info from other routes
* Including a new BGP route to reach a previously known prefix
* The router then goes through the decision process again

* If it gets to this step again and the existing best route is eBGP, do not replace it, even if the new route has a smaller RID
* Stops flaps
* **bgp bestpath compare-routerid** - eBGP routes only; always compare RIDs regardless of age

## Lowest neighbour ID

* Does consider all routes again if it gets to this step first

## Max paths

* Defaults to 1

Rules for eBGP:
1. Must have had to use the tiebreakers
2. maximum-paths above 1
3. Only eBGP routes where the adjacent ASN is the same are candidates
4. If more candidates exist than can be used, tiebreakers apply to choose among them

Rules for iBGP:
1. Same as rule 1
2. **maximum-paths ibgp** command
3. Only routes with differing next hops are considered
4.
Same as rule 4

* **maximum-paths eibgp** exists, but this is MPLS VPN only

# BGP Communities

* Optional transitive
* **neighbor send-community**
* **ip community-list**

## Match with community lists

* Originally a 32-bit decimal
* RFC 1997 formats as AA:NN, still 32 bits
* **ip bgp-community new-format**
* Multiple values with **set community** or **set community additive**
* Multiple values on the same community-list line
* Must include all the values (unordered)
* Expanded community-lists can use regex
* Standard lists: no more than 16 values per entry
* Many in expanded

## Remove community values

* **set community none**
* **set comm-list COMMUNITY-LIST delete**

## Special values

* Can match, and also **match community NAME exact-match**

* NO_EXPORT - 0xFFFFFF01 - Not advertised outside this AS, but may go to other confed sub-ASs
* NO_ADVERTISE - 0xFFFFFF02 - Not advertised to any peer
* LOCAL_AS - 0xFFFFFF03 - Not advertised outside the local confed sub-AS (also known as NO_EXPORT_SUBCONFED)

# Fast Convergence Enhancements

* Update advertisement interval is 5 seconds for iBGP, 30 for eBGP
* Convergence also relies on the IGP

## Fast External Neighbour Loss Detection

* Directly connected eBGP neighbours are immediately torn down if the interface to the connected subnet goes down
* Immediate route flush
* Immediate switch to alternative routes
* Enabled by default in IOS 10.0+

## Internal Neighbour Loss Detection

* Since 12.0
* **neighbor fall-over** means hold-time expiry isn't required to pull down the neighbour quickly
* The moment the route to the peer's IP is removed from the table, the session is torn down
* The IGP must be able to detect the loss of the BGP peer immediately
* If the path is interrupted, the BGP session is already disconnected
* No hold-down/delay in BGP session deactivation

## eBGP Fast Session Deactivation

* Works on all BGP sessions; quickly detects failures of eBGP sessions to loopbacks, or
when external fall-over is disabled
* Per neighbour
* Disable fast-external-fallover globally with **no bgp fast-external-fallover**; **neighbor fall-over** still gives a quick response to interface failure
* Identical to the iBGP use case described above
* Implemented through the **neighbor fall-over** command
* Can enforce that the BGP peer must be directly connected, with a route-map matching only connected routes (**neighbor fall-over route-map**)

--------------------------------------------------------------------------------
/classification-marking-shortnotes.md:
--------------------------------------------------------------------------------
# QoS Marking

* IP header
* LAN trunking header
* FR header
* ATM cell header

## IP Header and DSCP compared

* RFC 791, 1-byte ToS field
* ToS byte divided; the high-order 3 bits are the IP Precedence (IPP) field

|Name|IPP|Binary|
|----|---|------|
|Routine|0|000|
|Priority|1|001|
|Immediate|2|010|
|Flash|3|011|
|Flash Override|4|100|
|Critical|5|101|
|Internetwork Control|6|110|
|Network Control|7|111|

* Bits 3 to 6 are the ToS flags; bit 7 is not defined
* ToS byte renamed to the DiffServ (DS) field
* IPP replaced by the 6-bit DSCP field (high-order bits 0-5)
* Low-order 2 bits used for ECN
* Replaces Precedence and ToS
* ToS byte and DS field are the same length

## DSCP Settings and Terminology

* Decimal 46 - EF

### Class Selector PHB and DSCP values

* RFC 2474 defines these
* IPP compatible

|Name|DSCP Binary|IPP Binary|IPP Name|
|----|-----------|----------|--------|
|Default CS0|000000|000|Routine|
|CS1|001000|001|Priority|
|CS2|010000|010|Immediate|
|CS3|011000|011|Flash|
|CS4|100000|100|Flash Override|
|CS5|101000|101|Critical|
|CS6|110000|110|Internetwork Control|
|CS7|111000|111|Network Control|

### AF PHB and DSCP Values

* Three levels of drop probability
* 4 classes
* AFxy, x
being the queue (class), y being the drop precedence
* Higher x - better treatment (by convention)
* Higher y - higher drop probability

|Queue|AFx1 / Decimal / Binary|AFx2 / Decimal / Binary|AFx3 / Decimal / Binary|
|-----|-----------------------|-----------------------|-----------------------|
|1|AF11 / 10 / 001010|AF12 / 12 / 001100|AF13 / 14 / 001110|
|2|AF21 / 18 / 010010|AF22 / 20 / 010100|AF23 / 22 / 010110|
|3|AF31 / 26 / 011010|AF32 / 28 / 011100|AF33 / 30 / 011110|
|4|AF41 / 34 / 100010|AF42 / 36 / 100100|AF43 / 38 / 100110|

* IPP-only devices can still react to the class (first 3 bits), but see no drop probability
* Decimal value from the name: 8x + 2y

### EF PHB and DSCP

* Queue EF traffic for low latency
* Police it so it cannot starve the other classes
* Decimal 46, binary 101110

## Non-IP Header Marking Fields

### Ethernet LAN CoS

* 3-bit QoS field
* Only with 802.1Q or ISL
* 802.1Q - 3 most significant bits of the Tag Control field, the User Priority bits
* ISL - 3 least significant bits of the 1-byte User field, called CoS

### WAN Marking Fields

* FR and ATM have a single bit
* For drop probability
* Discard Eligibility (DE) - FR
* Cell Loss Priority (CLP) - ATM
* Can be set by the router or by the ATM/FR switch
* MPLS EXP: 3-bit field, usually mapped from DSCP or IPP

## Locations for Marking and Matching

* Classification - ingress only, and only if the interface supports the header field
* Marking - egress only, same support caveat

# Cisco MQC

* All MQC tools are "Class-Based"

## Mechanics of MQC

* class-map defines the matching parameters
* policy-map - PHB actions
* service-policy - binds to an interface

## Classification using class-maps

* match can match QoS fields, ACLs, MAC addresses etc.
* Case-sensitive names
* match protocol is NBAR
* match any - all packets

### Multiple match commands

* Up to four IPP values / eight DSCP values in a single match cos, match precedence or match dscp
* Matches any of them, not all
* With multiple match statements, the class-map can be match-any or match-all (default
match-all)
* match class-map matches another class-map (both must match)

```
class-map match-all to-nest
 match access-group 102
 match precedence 5

class-map match-any nested
 match class-map to-nest
 match cos 5
```

## Classification with NBAR

* Can refer to host name, URL, MIME type etc.
* Citrix
* CB marking
* **match protocol**
* RTP matching on even port numbers only, allowing classification of the payload (odd ports carry RTCP control traffic)

# Classification and Marking Tools

## CB Marking Config

* Requires CEF
* MQC class-maps match packets
* MQC policy-map refers to one or more class-maps
* Enabled on an interface with **service-policy {input | output}**
* Processed sequentially; once matched, a packet goes no further
* Multiple set commands in one class allowed
* class-default for unmatched packets
* With no set, packets in that class are not marked

Set examples:
* **set [ip] precedence** - IPv4 and IPv6; with the ip keyword, IPv4 only
* **set [ip] dscp** - as above
* **set cos**
* **set qos-group**
* **set atm-clp**
* **set fr-de**

* **show policy-map NAME** - config
* **show policy-map interface NAME {input | output} class CLASS-NAME** - stats about the policy map on the interface

```
ip cef

class-map match-all voip-rtp
 match protocol rtp audio

class-map match-all http-impo
 match protocol http url "*important*"

class-map match-all http-not
 match protocol http url "*not-so*"

class-map match-any NetMeet
 match protocol rtp payload-type 4
 match protocol rtp payload-type 34

policy-map laundry-list
 class voip-rtp
  set ip dscp EF
 class NetMeet
  set ip dscp AF41
 class http-impo
  set ip dscp AF21
 class http-not
  set ip dscp AF23
 class class-default
  set ip
dscp default 193 | 194 | int fa0/0 195 | service-policy input laundry-list 196 | ``` 197 | 198 | * **show policy-map interface NAME [vc [vpi]/vci] [dlci dlci] [input | output] [class NAME]** 199 | * Load interval sub command defines how often IOS measures packets/bit rates on interface, lower is quicker 200 | * Default 5 mins, lowest 30s 201 | 202 | ### CB Marking of CoS and DSCP 203 | 204 | ``` 205 | class-map match-any EF 206 | match dscp EF 207 | 208 | class-map AF11 209 | match dscp AF11 210 | 211 | class-map COS1 212 | match cos 1 213 | 214 | policy-map map-cos-to-dscp 215 | class cos1 216 | set dscp AF11 217 | class cos5 218 | set ip dscp ef 219 | ``` 220 | 221 | * Cannot apply cos on dot1q native ints 222 | 223 | ## NBAR 224 | 225 | * **ip nbar protocol discovery** on interface 226 | * **show ip nbar protocol-discover interface Fa0/0 stats packet-count top-n 5** 227 | * From 12.2T/12.3 protocol discovery command not required 228 | * Upgrade with PDLMs (Packet Description Language Modules) 229 | * Download, copy to flash, aadd with **ip nbar pdlm NAME** 230 | 231 | ## CB Marking Design Choices 232 | 233 | * Try and mark as close to ingress as possible 234 | * So long as device is trusted to make markings 235 | 236 | Traffic Recommendations 237 | 238 | |Type|CoS|IPP|DSCP| 239 | |----|---|---|----| 240 | |Voice Payload|5|5|EF| 241 | |Video Payload|4|4|AF41| 242 | |Voice and Video Signalling|3|3|CS3| 243 | |Mission Critical Data|3|3|AF31, 32 and 33| 244 | |Transactional data|2|2|AF21, 22, 23| 245 | |Bulk data|1|1|AF11, 12, 13| 246 | |Best Effort|0|0|BE| 247 | |Scavenger|0|0|2, 4, 6| 248 | 249 | * Try not to use four or five service classes at most 250 | 251 | ## Marking Using Policiers 252 | 253 | * Can mark based upon thresholds/contracts 254 | * Then drops if network gets full 255 | 256 | # QoS Pre-Classification 257 | 258 | * For traffic to be encrypted 259 | * ToS byte copied into tunnel header (in IPSec transport, tunnel and GRE) 260 | * NBAR cannot work on 
this

* IOS can do pre-classification instead, keeping the original (pre-encryption) header information in memory until QoS actions taken
* Enable in tunnel config, virtual-template or crypto map
* **qos pre-classify**
* See effects with **show interface** and **show crypto map**

* int tunnel - GRE and IPIP
* int virtual-template - L2F and L2TP
* crypto map - IPsec

# Policy Routing for Marking

1. Examine packets on ingress
2. Match subset of packets
3. Mark IPP or ToS
4. Might define route with set command (not required)

# AutoQoS

* Macro deployment

## AutoQoS for VoIP

* Supported on most switches and routers
* Enabled per interface
* Creates global and interface config
* CDP detects phone presence (soft or hardware)
* On uplinks/trunks, trusts CoS or DSCP received and sets up interface QoS

### Switches

* Assumes access or uplink
* **auto qos voip {cisco-phone | cisco-softphone}**
* If no phone found, DSCP 0 for all traffic
* If phone, trusts QoS markings

On ingress, following in priority queue: -
* Voice/video control
* Real time video
* Voice
* Routing traffic
* STP BPDUs

* All others in normal ingress queue
* On egress, voice placed in priority queue, rest among others

* For uplink, **auto qos voip trust**, trusts DSCP (L3) and CoS (L2)

Config created is: -
* Globally enables QoS
* CoS to DSCP and reverse maps created
* Priority of expedite in/out queues
* CoS values mapped to queues/thresholds
* As above, DSCP
* Class maps and policy maps for identifying, prioritizing and policing voice

### Routers

* **auto qos voip [trust]**
* Config interface bandwidth first
* Config differs based on interface
* Compression and fragmentation on 768kbps links or lower
* Traffic shaping and service policy regardless of bandwidth
* On less than 768kbps, encapsulation of PPP, PPP multilink created, LFI enabled
* If trust, class maps group traffic on DSCP values
* If not, ACLs created to match voice, data and control
* Anything else to DSCP 0

### Verifying

* **show auto qos** - shows interface AutoQoS commands
* **show mls qos** - modifiers to display queueing and CoS/DSCP mappings
* **show policy-map interface**

## AutoQoS for Enterprise

### Discovering Traffic

* **auto discovery qos [trust]**
* CEF required, bandwidth configured
* Trust for traffic marked already
* NBAR discovers types and amounts
* Run it long enough, then apply

Classification into one of ten classes: -
* Routing - CS6, EIGRP, OSPF
* VoIP - EF, RTP voice media
* Interactive video - AF41, RTP video media
* Streaming video - CS4, RealAudio, NetShow
* Control - CS4, RTCP, H.323, SIP
* Transactional - AF21, SAP, Citrix, Telnet, SSH
* Bulk - AF11, FTP, SMTP, POP3, Exchange
* Scavenger - CS1, P2P
* Management - CS2, SNMP, syslog, DHCP, DNS
* Best effort - all others

### Generating AutoQoS config

* **auto qos** on interface
* In case of DLCI, applies policy map to FR map class, applies class to DLCI
* Can turn off NBAR with **no auto discovery qos**
* **show auto discovery qos** - lists types and amounts of traffic
* **show auto qos**
* **show policy-map interface**

--------------------------------------------------------------------------------
/ethernet-basics-shortnotes.md:
--------------------------------------------------------------------------------
# RJ45 Pinouts

*T568A*

Pair 1 - 4 5
Pair 2 - 3 6
Pair 3 - 1 2
Pair 4 - 7 8

*T568B*

Pair 1 - 4 5
Pair 2 - 1 2
Pair 3 - 3 6
Pair 4 - 7 8

Pairs 2 and 3 are swapped between the two standards

Straight-through is A to A, B to B

Crossover is A to B

Auto-MDIX swaps pairs 2 and 3 if the wrong cable is used

# Autoneg, Speed and Duplex

Detected with: -

* Fast link pulses
* Electrical signal (if autoneg disabled)

Duplex negotiated with autoneg only; half duplex chosen as default on 10/100, full duplex on gig

# CSMA/CD

1. Listen until Ethernet not busy (no carrier signal on Ethernet)
2. When not busy, send
3. Listen for collisions
4. If collisions, all senders send jamming signal
5. After jamming, each sender of a collided frame starts a random timer, sends after time
6. After timers, step 1

# Collision domains and switch buffering

* Hubs at L1
* Repeat electrical signal
* Forward signal from one port to all

Switches buffer frames (prevents collisions).

NICs use loopback circuitry for hdx mode: transmitted frames loop back to receive on the NIC

# Basic switch config

```
speed { auto | 10 | 100 | 1000 }
duplex { auto | half | full }
```

# Ethernet L2 Framing And Addressing

DEC, Intel and Xerox defined Ethernet specs

802.3 MAC standard formalised details, others in 802.2 LLC

1 byte DSAP in 802.2 LLC too small. So SNAP formalised, goes after LLC header

**READ BOOK FOR HEADER FIELDS, LOCATION 1026**

# Types of Ethernet Addresses

6 byte MACs, 3 main types

I/G = least significant bit of the first byte

* Unicast - I/G bit set to 0
* Broadcast - Always hex FFFFFFFFFFFF
* Multicast - I/G set to 1

Unicast has sender's MAC in source field, other device's MAC in dest

# Ethernet address formats

First half of MAC is OUI, vendor assigns unique lower 3 bytes

Ethernet frame transmitted in user order for bytes, bits in reverse (least significant bit first).
FCS only exception

Individual/Group bit - Least significant bit, first bit received

Universal/Local bit - Next to least significant, 0 means vendor assigned address, 1 admin assigned (1 not always supported)

# Protocol types and 802.3 length field

Type and Length share the same 2 bytes. Ethernet Type field values begin at 1536; 802.3 data length is limited to 1500 or less, so the value tells you which header follows

Can define IP, IPX etc

Protocol Type - DIX v2 Type field, values assigned by IEEE

DSAP - 1 byte, 2 high-order bits reserved

SNAP - 2 bytes, same as Protocol Type, uses DSAP of 0xAA

# Switching and Bridging Logic

Known unicast - frame to single port with destination

Unknown unicast - out all ports except received

Broadcast - As above

M'cast - As above unless snooping enabled

Switches learn MACs from source MAC field in frame

# SPAN, RSPAN and ERSPAN

SPAN - Local
RSPAN - Remote dest, VLAN based
ERSPAN - GRE dest

## Core concept of SPAN, RSPAN and ERSPAN

SPAN - Create SPAN source and SPAN dest on same switch

RSPAN - Same source, destination is an RSPAN VLAN; at RSPAN dest switch, the RSPAN VLAN is the source

ERSPAN - Encapsulated RSPAN, GRE used, available on IOS-XE, Cat6500, 7600 and Nexus.
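A dissector for the framing, addressing and Type/Length rules in the sections above, added here as an example (it is not from the notes or from Cisco): it classifies the destination address by the I/G bit, reads the U/L bit of the source, decides between DIX Type, 802.3/LLC and SNAP from the 2-byte Type/Length value, and rejects truncated or reserved-value frames. It is the kind of check you would run on frames copied to a SPAN destination. The sample frames are constructed; the STP and CDP destination addresses and the CDP SNAP OUI/type are the standard well-known values, and the source MAC is made up with the locally administered bit set.

```python
# Added example (not from the notes): dissects the first bytes of an Ethernet
# frame the way the framing and addressing sections above describe.
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_MIN = 1536    # Type/Length value at or above this is a DIX v2 Type
MAX_8023_LENGTH = 1500  # at or below this it is an 802.3 length (LLC follows)
SNAP_SAP = 0xAA         # DSAP/SSAP value announcing a SNAP header after LLC
BROADCAST = b"\xff" * 6


@dataclass
class FrameInfo:
    dst: str
    src: str
    dst_kind: str                   # "unicast", "multicast" or "broadcast"
    src_locally_administered: bool  # U/L bit of the source address
    src_oui: str                    # upper 3 bytes of the source address
    encap: str                      # "ethernet-ii", "802.3-llc" or "802.3-snap"
    ethertype: Optional[int]        # None for plain 802.3/LLC (DSAP identifies it)
    dsap: Optional[int]
    payload: bytes


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def address_kind(mac: bytes) -> str:
    # I/G bit is the least-significant bit of the first byte
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def is_locally_administered(mac: bytes) -> bool:
    # U/L bit is the next-to-least-significant bit of the first byte
    return bool(mac[0] & 0x02)


def wire_bit_order(byte: int) -> str:
    """Bits of one byte in transmission order (LSB first), so the I/G bit
    of the first destination byte is the very first bit on the wire."""
    return format(byte, "08b")[::-1]


def parse_frame(frame: bytes) -> FrameInfo:
    if len(frame) < 14:
        raise ValueError("truncated frame: need 14 header bytes")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = int.from_bytes(frame[12:14], "big")
    dsap = None
    if type_or_len >= ETHERTYPE_MIN:
        encap, ethertype, payload = "ethernet-ii", type_or_len, frame[14:]
    elif type_or_len <= MAX_8023_LENGTH:
        if type_or_len > len(frame) - 14:
            raise ValueError("802.3 length exceeds bytes present")
        llc = frame[14:14 + type_or_len]  # padding beyond the length is dropped
        if len(llc) < 3:
            raise ValueError("802.3 frame too short for LLC header")
        dsap, ssap = llc[0], llc[1]
        if dsap == SNAP_SAP and ssap == SNAP_SAP:
            if len(llc) < 8:
                raise ValueError("SNAP header truncated")
            # LLC (3 bytes) then SNAP: 3-byte OUI + 2-byte type
            ethertype = int.from_bytes(llc[6:8], "big")
            encap, payload = "802.3-snap", llc[8:]
        else:
            encap, ethertype, payload = "802.3-llc", None, llc[3:]
    else:
        raise ValueError(f"type/length {type_or_len} is in the reserved 1501-1535 range")
    return FrameInfo(
        dst=mac_str(dst), src=mac_str(src), dst_kind=address_kind(dst),
        src_locally_administered=is_locally_administered(src),
        src_oui=mac_str(src[:3]), encap=encap, ethertype=ethertype,
        dsap=dsap, payload=payload,
    )


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames (bodies abbreviated). The source MAC is made up
# and has the U/L bit set so it collides with no vendor OUI.
SRC = bytes.fromhex("0a1122334455")
ARP_FRAME = BROADCAST + SRC + bytes.fromhex("0806") + bytes.fromhex("0001080006040001")
# STP BPDU: 802.3 length 38 = LLC(3) + 35-byte config BPDU, then 8 pad bytes
BPDU_FRAME = (bytes.fromhex("0180c2000000") + SRC + (38).to_bytes(2, "big")
              + bytes.fromhex("424203") + bytes(35) + bytes(8))
# CDP: 802.3 length 12 = LLC(3) + SNAP(5: OUI 00000c, type 2000) + 4-byte body
CDP_FRAME = (bytes.fromhex("01000ccccccc") + SRC + (12).to_bytes(2, "big")
             + bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + bytes.fromhex("2000")
             + bytes.fromhex("02b40000"))

if __name__ == "__main__":
    for name, f in (("ARP", ARP_FRAME), ("BPDU", BPDU_FRAME), ("CDP", CDP_FRAME)):
        info = parse_frame(f)
        print(f"{name}: {info.encap} dst={info.dst} ({info.dst_kind}) "
              f"type={info.ethertype} dsap={info.dsap} payload={len(info.payload)}B")
```

The length check matters in practice: a capture tool that trusts the 802.3 length field without comparing it to the bytes actually present will read past the frame, and the 1501-1535 gap is exactly the range the notes' "1536" and "1500" thresholds leave undefined.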
Monitoring sources are Port Channel, FE and GigE

## Restrictions and conditions

* Dest port's original config overwritten, restored when removing
* Dest ports removed from EtherChannel
* Dest ports don't support port security, 802.1X or PVLANs
* Dest ports don't support CDP, STP, VTP etc

Number of conditions to work: -

* Source can be one or more ports or a VLAN, not a mix
* 64 SPAN dests max on a switch
* Switch ports or routed ports can be source or dest
* Don't overload ports (gig mirrored to 10Mb)
* Single SPAN session cannot deliver traffic to dest when source is a mix of SPAN, RSPAN or ERSPAN
* SPAN dest cannot be a source
* Only one dest session per source
* SPAN dest passes only SPAN traffic
* Trunks can be source
* Traffic routed from a VLAN to a source VLAN cannot be monitored (traffic within switch for example)

Default is both directions. Restrictions for one direction: -

RX - Each frame transported with modification
TX - All modifications take place before transmit (e.g. QoS, ACL filtering etc).
Some L2 frames can be exempt using the encapsulation command

## Basic SPAN Config

```
monitor session 1 source interface
monitor session 1 destination interface
```

## Complex SPAN Config

```
monitor session 1 source interface Fa0/18 rx
monitor session 1 source interface Fa0/19 tx
monitor session 1 filter vlan 1-3, 229   <--- VLANs not to monitor
monitor session 1 destination interface Fa0/24 encapsulation replicate
```

## RSPAN Config

*Source*

```
vlan 199
 remote-span

monitor session 3 source vlan 66-68 rx
monitor session 3 destination remote vlan 199
```

*Intermediate*

```
vlan 199
 remote-span

monitor session 23 source vlan 9
monitor session 23 destination remote vlan 199
```

*Destination*

```
vlan 199
 remote-span

monitor session 63 source remote vlan 199
monitor session 63 destination interface fa0/24
```

Multiple session IDs can go across.
Range of VLANs must be 1-66

## ERSPAN Config

*Source*

```
monitor session 1 type erspan-source
 source interface gig0/1/0 rx
 no shutdown
 destination
  erspan-id 101
  ip address 10.1.1.1
  origin ip address 172.16.1.1
```

*Destination*

```
monitor session 2 type erspan-destination
 destination interface Gi2/2/1
 no shutdown
 source
  erspan-id 101
  ip address 10.1.1.1
```

Verify with **show monitor session 1**

# VSS

In Cat 6500 and 4500s running IOS-XE

## Virtual Switching System

Multiple physical switches, one logical

## VSS Active and Standby

Switches have roles in VSS, contend for active and standby

VSS Active controls VSS, runs L2 and L3 protocols and management functions. Packet forwarding done locally on each chassis, control traffic to active

## Virtual Switch Link

Carries control and data b/w switches. Usually EtherChannel, up to 8 links.
Higher priority given to control and management traffic over the link

Data traffic load shared using standard EtherChannel algorithm

## Multichassis EtherChannel

Max 256 EtherChannels across VSS stack

## Basic VSS config

VSS domain must be between 1 and 255

*Switch 1*

```
switch virtual domain 10
 switch 1
```

*Switch 2*

```
switch virtual domain 10
 switch 2
```

*Switch 1 VSL*

```
int port-channel 5
 switchport
 switch virtual link 1
```

*Switch 2 VSL*

```
int port-channel 10
 switchport
 switch virtual link 2
```

Up/down until reboot

Convert switches with **switch convert mode virtual**, converted config goes to system bootflash

## Verification

**show switch virtual** - Switch domain, number and role

All consoles of standbys disabled

**show switch virtual role** - Peer 0 is local switch

**show switch virtual link**

**show switch virtual link port-channel**

# IOS-XE

Same look and feel as IOS, runs on a Linux OS. IOS is a single daemon, additional functionality as isolated processes within the OS

* Symmetrical multiprocessing allowed
* Control plane separate from forwarding
* Processes can fail without taking out host
* Can build drivers and use APIs to interact, rather than recoding entire OS
* Can isolate load between planes, i.e.
blades in modular chassis
* Different driver for each bay/slot, so no impact on other bays or chassis
* Individual driver patching possible
* FFM - Forwarding and Feature Manager
* FED - Forwarding Engine Driver
* FFM - APIs for control plane processes, programs FED, maintains forwarding states
* FED - Drivers affect data planes

--------------------------------------------------------------------------------
/images/pic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stuh84/ccie-rs-notes/aa1dda636fb0da0feb20da3b75544603ff468586/images/pic.png

--------------------------------------------------------------------------------
/images/stp-bpdu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stuh84/ccie-rs-notes/aa1dda636fb0da0feb20da3b75544603ff468586/images/stp-bpdu.png

--------------------------------------------------------------------------------
/ip-addressing-shortnotes.md:
--------------------------------------------------------------------------------
# TCP Operation

Guarantees reliable delivery

# UDP Operation

Connectionless, acks could slow down process

# IP Addressing and Subnetting

## Subnetting classful network

Size of network defined by 8, 16 or 24 bits, host field shortened to create subnets

* Network - 8/16/24 bits
* Subnet - 32 minus network and host bits
* Host - Binary zeros in mask

## Subnetting math

Cisco allows zero subnet by default, and broadcast subnets.
Disable with **no ip subnet-zero**

# CIDR, Private addresses and NAT

## CIDR

RFC1517 to 1520
* Improving scalability of internet routers
* Aggregating routes for multiple classful nets into single entry
* Contiguous blocks assigned by ISPs
* Regional authorities assigned large address blocks

## NAT

* RFC1631
* Private host to public network

Inside Local - Inside enterprise (private IP usually)
Inside Global - Inside enterprise, public IP
Outside Local - In internet, usually private
Outside Global - Internet, public

### Static NAT

Maps one address to another, no IP conservation

```
int E0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside

int Se0/0
 ip address 8.8.8.1 255.255.255.248
 ip nat outside

ip nat inside source static 10.1.1.1 8.8.8.2
ip nat inside source static 10.1.1.2 8.8.8.3
```

These examples NAT inside addresses only. A static outside translation, when configured, translates the destination of inside-to-outside packets and the source of outside-to-inside packets

### Dynamic NAT without PAT

One to one, from pool

### Overloading NAT with PAT

Large number of TCP and UDP flows appear behind fewer IPs.
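A calculator for the "Subnetting classful network" and "Subnetting math" sections above, added here as an example (not from the notes): given an address and mask it derives the classful network length from the first octet, splits the mask into network, subnet and host bits, numbers the subnet within its classful network, and flags the zero subnet that `no ip subnet-zero` would forbid as well as the all-ones (broadcast) subnet. The sample addresses are constructed.

```python
# Added example (not from the notes): works the classful subnetting split
# from the sections above and flags the zero and broadcast subnets.
import ipaddress


def classful_network_bits(addr: ipaddress.IPv4Address) -> int:
    """Class A/B/C network length from the first octet."""
    first = int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no classful network length")


def subnet_breakdown(cidr: str) -> dict:
    iface = ipaddress.ip_interface(cidr)
    subnet = iface.network                    # address with host bits zeroed
    network_bits = classful_network_bits(iface.ip)
    mask_bits = subnet.prefixlen
    if mask_bits < network_bits:
        raise ValueError(f"/{mask_bits} is shorter than the classful /{network_bits}: "
                         "a supernet, not a subnet")
    subnet_bits = mask_bits - network_bits    # 32 - network bits - host bits
    host_bits = 32 - mask_bits                # binary zeros in the mask
    classful = ipaddress.ip_network(f"{iface.ip}/{network_bits}", strict=False)
    # which subnet of the classful network this is: the value of the subnet field
    subnet_number = (int(subnet.network_address) - int(classful.network_address)) >> host_bits
    last_subnet = (1 << subnet_bits) - 1
    # /31 and /32 have no separate network/broadcast host IDs to subtract
    usable = (1 << host_bits) - 2 if host_bits >= 2 else (1 << host_bits)
    return {
        "classful_network": str(classful),
        "network_bits": network_bits,
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "subnet": str(subnet),
        "subnet_number": subnet_number,
        "subnet_count": 1 << subnet_bits,
        "usable_hosts": usable,
        "broadcast_address": str(subnet.broadcast_address),
        # only meaningful when there is a subnet field at all
        "zero_subnet": subnet_bits > 0 and subnet_number == 0,
        "broadcast_subnet": subnet_bits > 0 and subnet_number == last_subnet,
    }


def needs_subnet_zero(cidr: str) -> bool:
    """True when the address lives in the zero subnet, i.e. it would be
    unusable on a router configured with 'no ip subnet-zero'."""
    return subnet_breakdown(cidr)["zero_subnet"]


def is_subnet_of_classful(cidr: str) -> bool:
    try:
        subnet_breakdown(cidr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("172.16.0.10/20", "172.16.240.5/20", "10.1.1.3/24", "192.168.1.1/24"):
        r = subnet_breakdown(sample)
        print(sample, r["classful_network"],
              f"net/subnet/host bits = {r['network_bits']}/{r['subnet_bits']}/{r['host_bits']}",
              "zero-subnet" if r["zero_subnet"] else "",
              "broadcast-subnet" if r["broadcast_subnet"] else "")
```

Running it on a proposed addressing plan before deployment catches the two cases the notes call out: addresses that land in the zero subnet (a problem only where subnet-zero is disabled) and the all-ones subnet, plus masks that are really supernets of the classful block.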
Each inside global can support 65k TCP and UDP flows

### Dynamic NAT and PAT config

```
int E0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

int Se0/0
 ip address 8.8.8.1 255.255.255.248
 ip nat outside

ip nat pool fred 8.8.8.2 8.8.8.3 netmask 255.255.255.252
ip nat inside source list 1 pool fred
access-list 1 permit 10.1.1.0 0.0.0.255
```

PAT would be

```
ip nat inside source list 1 pool fred overload
```

# IPv6

128 bits long

## Address Format

* Leading 0s in a field dropped
* Pair of colons (::) represents successive 0 fields, only once per address

## Address types

* Unicast
* Multicast
* Anycast - Closest interface

## Address management and assignment

* Static
* SLAAC - Host autonomously configs, RS messages sent by host to request RAs, RFC2462
* Stateful DHCPv6 - Gets v6 address from server, similar to v4, RFC 3315
* Stateless DHCPv6 - SLAAC plus DHCP for TFTP, WINS etc

Config choice relies on RA flags sent by routers

### SLAAC

* Combines network prefix with interface ID
* Router on local link sends network info in RAs with prefix and default route
* Host builds address by adding EUI-64 interface ID to /64 prefix in RA.
* Easy to renumber hosts

### Stateful DHCPv6

* Similar to v4, but multicasts messages
* Client detects routers using ND messages
* If router found, look at RA to see if using DHCP
* Managed flag in RA for DHCP
* Autoconfig for non-DHCP
* More control
* Can be used alongside SLAAC
* Renumbering
* Auto DNS registration of hosts
* Delegated v6 prefixes to leaf CPEs

### Stateless DHCP

Builds upon SLAAC, then DHCP solicit for further info

## Transition technologies

### Dual stacks

Run both v4 and v6

### Tunnelling

Encapsulates v6 within v4 packets. Many types

**Dynamic tunneling config**

```
R2

int tun 23
 ipv6 address 23::2/64
 tunnel source lo0
 tunnel destination 3.3.3.3
 tunnel mode ipv6ip

R3

int tun 32
 ipv6 address 23::3/64
 tunnel source lo2
 tunnel destination 2.2.2.2
 tunnel mode ipv6ip
```

### Translation

AFT translates from one address family to another: v6 hosts reaching v4 content. Can be stateless (reserved v6 range maps to v4 automatically), or stateful, mapping packets from a configured range

--------------------------------------------------------------------------------
/ip-forwarding-shortnotes.md:
--------------------------------------------------------------------------------
# IP Forwarding

* Router rx's frame, checks FCS, drops if errors
* If no errors, check Ethertype, extract packet, remove data-link header and trailer
* For v4, header checksum verified.
Not in v6
* If dest IP is on router, packet has arrived; analyse protocol field to pass to upper layers
* If not, TTL must be greater than 1, otherwise ICMP Time Exceeded
* Check routing table
* Get interface and next hop router, build new data-link frame
* IP header TTL/hop count updated, v4 checksum rebuilt
* New data-link header and trailer

# Process Switching, Fast Switching, CEF

## Process

All in CPU

## Fast Switching

* 1st packet process switched
* Above adds to route cache, organized for fast lookups
* Cache has dest IP, next hop and data-link header info
* Can overload CPU with lots of packets before cache updated
* Load balance per destination only
* Support ended in 12.2(25)S and 12.4(20)T

## CEF

* L2 headers preconstructed (due to same fields always being used for many packets)
* Constructed as routing table constructed (IPs of next hops and ARP/L3 to L2 mapping tables)
* Dest prefixes go in FIB, optimized for fast lookups
* Each entry in FIB has pointer to entry in adjacency table
* Recursion resolved when creating FIB
* FIB entries for same next hop point to same adjacency entry
* Routing table no longer used unless complex processing required
* Routing table is data source for FIB and adjacency table
* RIB is master copy of routing info
* If next hop changes, only pointer in FIB needs changing
* FIB contains all known dest prefixes
* FIB contains additional specific entries organized as mtrie (multiway prefix tree)
* CEF in software on lower end routers
* In hardware using TCAM storing FIB contents on higher platforms
* TCAM matches on entire contents in parallel
* CEF distributed to individual line cards
* v4 and v6 have different entries in adjacency table (protocol/Ethertype different), so different preconstructed headers

**ip cef** - Global enable
**ipv6 cef** - Global enable, v4 CEF must
also be enabled
**no ip route-cache cef** - Disable per interface

### CEF Load Sharing

* Per Packet - Distributed packet-by-packet
* Per Destination - Source and dest IP (and other fields optionally) hashed to identify packet path

Per destination is default (some hardware CEF doesn't support per packet)

* Per destination has pseudo load-share table
* Sits between FIB and adjacency table
* Contains up to 16 pointers to entries in adjacency table
* Individual load-share entries populated in the ratio of the parallel routes' costs (so 8 per path with 2 ECMP routes, 5 per path with 3 ECMP routes)
* Per interface command **ip load-share { per-destination | per-packet }**

CEF Polarization
* Multiple routers down a path causing issues
* One router load shares between two routers
* Next router could hash down one downlink (all flows met same criteria)
* Combatted with 4B-long number called universal ID
* Universal ID seeds hashing function
* Different routers have different ID (different hashing results)

Load-sharing algorithm multiple options
* Original - Unseeded
* Universal - Seeded
* Tunnel - For when only a small number of outer source/dest address pairs exist (tunnel endpoints), optimized for this
* L4 port - Takes L4 info into account, based on universal

ID and algorithm specified with **ip cef load-sharing algorithm** and **ipv6 cef load-sharing algorithm**

Cat6500 and others have own workarounds. Set with **mls ip cef load-sharing**. Options are: -
* Default - Source, dest IP and universal ID (if supported in hardware)
* Full (**mls ip cef load-sharing full**) - Source IP/port and dest IP/port, prone to polarization. Only equal across paths if number of paths is odd.
* Simple - Source and dest IP, no universal ID
* Full Simple - Not using universal ID, differs from full in that all parallel paths receive equal weight, fewer adjacency entries in hardware

# Multilayer Switching

## MLS Logic

* VLAN ints, routed ints and L3 port-channels
* VLAN SVIs presented in routing table as egress ints

SVI States
* Admin Down/Line Proto Down - SVI int shut
* Down/LP Down - VLAN doesn't exist or not in active state
* Up/Down - VLAN exists, but no port is allowed, unpruned and STP forwarding for it
* Up/Up

Avoid up/down with either VLAN across at least one trunk, not pruned and STP forwarding, or at least one access/voice port config'd

Switch finds next-hop MACs in CAM

## Routed Ports and port-channels in MLS

* Int uses internal VLAN
* On most Cat platforms, can't have sub-ints
* No L2 switching info on port
* L3 settings like a router
* Adjacency table lists outgoing int/port-channel, L2 logic not required

VLANs allocated 1006 up, or 4094 down, based upon **vlan internal allocation policy { ascending | descending }**

**show vlan internal usage**

These VLANs not in VTP domain, can be different after reboot

```
vlan 11

vlan 12

ip routing

ipv6 unicast-routing distributed

int Gi0/1
 no switchport
 no ip address
 channel-group 1 mode desirable

int Po1
 ip address 192.168.1.1 255.255.255.0

int Fa0/1
 no switchport
 ip address 192.168.2.1 255.255.255.0

int vlan 11
 ip address 192.168.3.1 255.255.255.0
 standby 23 ip 192.168.3.254
 standby 23 priority 90
 standby 23 preempt
 standby 23 track Fa0/1
```

# Policy Routing

* Use **ip policy** or **ipv6 policy** on interface
* Route map specifies action
* No match or deny
means forwarded by normal routing
* Match with **match ip address**, **match ipv6 address** or **match length**
* set ip next-hop or set ipv6 next-hop - Must be in connected subnet, forwards to first address in list for which associated int is up
* set ip(v6) default next-hop - As above, except standard routing first (default route ignored)
* set interface - Recommended on p2p only
* set default interface - As above, routes first
* set ip df
* set ip(v6) precedence
* set ip tos

Evaluated in order of set ip next-hop, set interface, set ip default next-hop, set default interface

v6 set interface still checks for matching route first

On Cat3550, 3560 and 3750, CAM needs repartitioning. Use templates of routing, access or dual-ipv4-and-ipv6 routing. Check with **show sdm prefer**.

For 3650 and 3850, advanced template

Change template with **sdm prefer template**

# Routing Protocol Changes and Migrations

1. Plan strategy
2. Activate new protocol, higher AD than current
3. Verify IGP adjacencies and database
4. Deactivate current IGP
5. Remove temporary new IGP settings

## Migration Strategy

* Plan boundaries/areas
* Plan summarization, stub, externals
* What parts of network have it
* If current is link state, migrate areas first, backbone last

## Activate New

If new is DV, must have redistribution from current IGP

## Verify adjacencies and database

In DV, only advertises route if in routing table by same protocol.
DV shouldn't advertise a route it isn't using

## Deactivating current IGP

**passive-interface default**

Also protocol shutdown

## Remove new IGP settings

* AD
* Redistribution
* EIGRP drops adjacencies if AD changed

## DV in IGP migration

Redistribution from current to DV means router can advertise from other protocol to neighbours. Means neighbour has full list of networks from its neighbours.

Key observations: -

* Prefixes from original when both original and new running
* Prefixes from new when only new running
* All routers know about all prefixes
* Traffic routed by original when destined to router running both
* Routed by new when running both but destined for router running new only
* Routed by new when destined for one running new only
* Routed by new when router only running new, until it reaches a router running both, then routed by original

--------------------------------------------------------------------------------
/lfa-shortnotes.md:
--------------------------------------------------------------------------------
# EIGRP

## Restrictions for EIGRP LFA FRR

* Only paths reachable through p2p ints protected
* v6 not supported

## Repair Paths Overview

* Forward traffic during routing convergence
* Initially only neighbouring devices aware of failure
* Others don't know
* Device adjacent to failure should use repair paths until failure communicated
* Repair paths precomputed

## LFA Computation

* Pre-computed next hop route, without loop back
* LFA used on network failure
* LFA forwards without knowing of failure
* LFA computed two different ways
* Per link - All prefixes through one link share same backup, protects next hop address
* Per prefix - Protects destination address
* EIGRP does prefix-based LFAs

## LFA Tie Breaking Rules

* **interface-disjoint** - No LFA over same path as existing egress int
* **linecard-disjoint** - As above, but same linecard
* **lowest-backup-path-metric** - If metric high, eliminate
* **srlg-disjoint** - Shared Risk Link Group, eliminates in same group (could be common fibre)

## Configure

**LFA FRRs per Prefix**

```
router eigrp DAVE
 address-family ipv4 autonomous-system 65001
  topology base
   fast-reroute per-prefix { all | route-map NAME }
```

* **show ip eigrp topology frr**

**Disabling Load sharing among prefixes**

* When primary path is ECMP with multiple LFAs
* Prefixes load shared among LFAs
* When tie breaking selects LFAs, disable load sharing among prefixes

```
router eigrp DAVE
 address-family ipv4 autonomous-system 65001
  topology base
   fast-reroute load-sharing disable
```

**Enabling Tie Breaking for EIGRP LFAs**

* Can assign priorities, lower is better

```
router eigrp DAVE
 address-family ipv4 autonomous-system 65001
  topology base
   fast-reroute tie-break { interface-disjoint | linecard-disjoint | lowest-backup-path-metric | srlg-disjoint } priority-number
```

# OSPF

## Restrictions for LFA FRR

* Not supported on VL headends
* Only in global VPN VRF
* TE cannot be protected int
* TE tunnel can be in repair path, but won't verify placement
* Not all routes have repair paths

## Info about LFA FRR

### LFA Repair Paths

* Protecting router precomputes per-prefix repair paths
* Installed in RIB
* When primary fails, live traffic over stored repair path

### LFA Repair Path Attributes

Default policy: -

1. srlg
2. primary-path
3. interface-disjoint
4. lowest-metric
5. linecard-disjoint
6. node-protecting
7. broadcast-interface-disjoint

* SRLG - Only for locally configured groups
* Repair paths must have different SRLG ID
* Interface Protection - P2Ps have no alternate next hop
* Prevents selection over the protected int
* Broadcast Int Protection - If computed on same int, but next-hops different, link not protected
* Node Protection - Can bypass primary path gateway router
* Downstream Path - Can specify metric path must be lower than
* Linecard disjoint
* Metric - Repair path with lowest metric
* ECMP Primary Paths - Can config primary attribute to specify an LFA repair path from ECMP set, or secondary to those not in ECMP set
* Candidate Repair-Path Lists - Usually keeps in local RIB only best among all candidates, can specify to keep all (more memory)

## Config

**Per-Prefix LFA FRR**

```
router ospf 1
 fast-reroute per-prefix enable prefix-priority LEVEL
```

* Low priority - All prefixes same eligibility
* High priority - Only high priority protected

**Specify prefixes protected**

```
route-map TEST permit
 match tag 11

router ospf 1
 prefix-priority high route-map TEST
```

**Selection policy**

```
router ospf 1
 fast-reroute per-prefix tie-break ATTRIBUTE [required] index LEVEL
```

**List of repair paths considered**

```
router ospf 1
 fast-reroute keep-all-paths
```

**Prohibiting interfaces to be used as next hop**

```
int Fa0/0
 ip ospf fast-reroute per-prefix candidate disable
```

# BGP

## PIC Edge

### Pre-Reqs

* BGP and IP/MPLS network up and running, site multihomed
* Backup/alternate has unique next hop
* BFD to detect link failures

### Restrictions

* For BGP
* For BGP Multipath, PIC is already supported (no extra configuration)
* No BGP PIC for MPLS VPN Inter-AS Option B
* Supported for IPv4, IPv6, VPNv4 and VPNv6 NLRI
* A route reflector that is only in the control plane does not need BGP PIC (PIC is a data-plane feature)
* If two PEs are each other's alternate path, traffic loops between them until the TTL expires
* No support for NSF with SSO; ISSU only if the route processors support it
* Solves traffic forwarding only for a single network failure at the edge or in the core
* Doesn't work with BGP Best External

### Benefits

* Additional paths available for failover
* Constant convergence time, independent of the number of prefixes
* From IOS XE 3.10S up, labelled PIC and LFA FRR can be enabled together on the ASR 903

### Convergence improvements

**BGP Functionality**

* Second-best path calculated along with the primary best path
* Best and backup both installed in the BGP RIB

**RIB Functionality**

* Alternate path installed per route if available
* With PIC, if the RIB selects a route that has a backup, the backup is installed together with the best path

**CEF Functionality**
* Stores an alternate path per prefix
* When the primary is lost, the backup is found in a prefix-independent manner
* CEF listens to BFD

**MPLS Functionality**
* Similar to CEF
* Stores the alternate path, switches to it if the primary disappears

* When PIC is enabled, the backup path is held in the BGP RIB, IP RIB and FIB
* Two types of failure
  * Core node/link failure (iBGP) - Detected through IGP convergence, propagated from RIB to FIB
  * Local link/immediate node (eBGP) - BFD required, CEF reacts to BFD events

**Convergence in Data Plane**

* CEF switches all prefixes affected by the failure to the alternate next hop
* Data plane convergence is subsecond

**Convergence in Control Plane**
* Learns of the failure through IGP/BFD, withdraws prefixes
* Recalculates best and backup paths, advertises the next best

### BGP FRR's role in BGP PIC

* FRR provides best and backup paths in the BGP RIB and
CEF
* Second best is programmed into RIB and CEF; CEF programs the linecard
* BGP PIC means CEF can switch to another egress port if the current next hop goes down

![BGP PIC](https://raw.githubusercontent.com/stuh84/ccie-rs-notes/master/images/pic.png)

### Convergence

* Subsecond or seconds, depending on whether PIC is enabled in the linecard
* Platforms with CEF in the linecard - subsecond
* Platforms with CEF in software - seconds

### Improving MPLS VPN BGP local convergence

* Maintains the local label for 5 minutes after a failure, ensuring traffic can still use the backup/alternate path
* Improves loss-of-connectivity (LoC) time to under a second
* On link failure, traffic goes over the backup path
* **protection local-prefixes** overrides MPLS VPN-BGP local convergence

### Config Modes

* VPNv4 address-family mode protects all VRFs
* VRF IPv4 address-family mode protects only that VRF
* Router configuration mode protects the global table

### CEF Forwarding Recursion

* Recursion is CEF's ability to find the next matching path when the primary goes away
* Needs disabling with PIC, because it walks all FIB entries and BGP PIC Edge has already computed the backup
* Recursion is disabled under two conditions when PIC Edge is enabled
  * Next hops with a /32 mask
  * Next hops that are directly connected
* **bgp recursion host** - Disables/enables CEF recursion for BGP host routes
  * By default enabled on vpnv4/v6, disabled on v4/v6 when PIC is enabled
* **disable-connected-check** - Disables recursion for directly connected next hops

### Configuration

```
router bgp ASN
address-family {ipv4 | vpnv4 | ipv4 vrf NAME}
bgp additional-paths install
bgp recursion host
neighbor x.x.x.x fall-over bfd
```

* Disable PIC core - **cef table output-chain build favor memory-utilization**

## BGP Add Paths

### Benefits

* Advertise multiple paths for the same prefix
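The following Python model is an added example for these notes; it is not code from the notes, from Cisco or from any router. It shows what "prefix-independent" means in the CEF description above: every prefix that shares the same best/backup pair points at one shared path-list object, so a BFD down event flips that object once instead of walking every prefix. The addresses, the prefix count and the `Fib`/`PathList` names are invented for the demo, and label handling and recursion are left out.

```python
"""Prefix-independent backup switchover, in the spirit of BGP PIC.

Added example for these notes, not code from them or from Cisco. It models
the CEF structure the section describes: many prefixes share one "path
list" object holding the best next hop and a precomputed backup, so a BFD
"down" event flips one object rather than walking every prefix.
All addresses and prefixes below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass
class PathList:
    """Shared forwarding object: best path plus the PIC backup path."""
    primary: str
    backup: Optional[str]
    primary_up: bool = True
    backup_up: bool = True

    def active(self) -> Optional[str]:
        # Precomputed choice: no lookup or best-path run at failure time.
        if self.primary_up:
            return self.primary
        if self.backup is not None and self.backup_up:
            return self.backup
        return None


class Fib:
    def __init__(self) -> None:
        self._lists: Dict[tuple, PathList] = {}   # (primary, backup) -> shared object
        self._prefixes: Dict = {}                  # ip_network -> PathList

    def install(self, prefix: str, primary: str, backup: Optional[str] = None) -> None:
        """BGP hands CEF best + backup; prefixes with the same pair share a PathList."""
        key = (primary, backup)
        pl = self._lists.get(key)
        if pl is None:
            pl = self._lists[key] = PathList(primary, backup)
        self._prefixes[ip_network(prefix)] = pl

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match, then the path list's currently active next hop."""
        addr = ip_address(dst)
        matches = [n for n in self._prefixes if addr in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return self._prefixes[best].active()

    def bfd_down(self, nexthop: str) -> int:
        """BFD reports a next hop down. Returns how many objects were touched:
        the number of path lists using it, not the number of prefixes."""
        touched = 0
        for pl in self._lists.values():
            if pl.primary == nexthop and pl.primary_up:
                pl.primary_up = False
                touched += 1
            if pl.backup == nexthop and pl.backup_up:
                pl.backup_up = False
                touched += 1
        return touched

    def prefix_count(self) -> int:
        return len(self._prefixes)


def demo() -> dict:
    """Constructed table: 500 customer prefixes behind PE 192.0.2.1 with 192.0.2.2 as backup."""
    fib = Fib()
    for i in range(500):
        fib.install(f"10.{i // 256}.{i % 256}.0/24", "192.0.2.1", "192.0.2.2")
    fib.install("198.51.100.0/24", "192.0.2.3")   # unprotected route, no backup
    before = fib.lookup("10.1.44.7")
    touched = fib.bfd_down("192.0.2.1")           # one event, one object flipped
    return {"prefixes": fib.prefix_count(), "before": before,
            "after": fib.lookup("10.1.44.7"), "touched": touched,
            "unprotected": fib.lookup("198.51.100.9")}


if __name__ == "__main__":
    print(demo())
```

The point to take from `bfd_down` is the return value: 500 prefixes move to the backup next hop with one object update, which is why the page can claim constant convergence time. Without a backup (the `198.51.100.0/24` route) the only recovery is the control-plane path: IGP or BFD event, BGP withdraw, new best path.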
### Functionality

* Adds a path ID to each path in the NLRI
* Similar to an RD, but applicable to any address family
* The path ID is unique within a peering session
* Generated per network (prefix)
* A new path no longer implicitly withdraws (overrides) the previous announcement for the prefix

Following steps
1. Specify whether the device can send, receive or both, for Add Paths at the AF or neighbour level (capability negotiation)
2. Select candidate paths for advertisement
3. Advertise the additional paths to a neighbour

* Neighbours that negotiated the capability are grouped in a different update group from those that didn't

**Additional Path Selection**

* **set path-selection all advertise** in the selection route-map advertises all paths

### Guidelines and limitations

* Not a dynamic capability
* Takes effect on the next reset of the neighbour
* Configuring it does not tear down sessions by itself

### Configure add paths

```
router bgp 65000
address-family {ipv4 | ipv6} unicast
additional-paths receive
additional-paths send
additional-paths selection route-map NAME
```

### Configure BGP Add Paths per neighbour

```
router bgp 65000
neighbor x.x.x.x remote-as 65001
address-family {ipv4 | ipv6} unicast
capability additional-paths receive [disable]
capability additional-paths send [disable]
```

* The neighbour setting overrides what is configured at the AF level

### Peer Policy

```
router bgp 65000
template peer-policy NAME
capability additional-paths receive
capability additional-paths send
neighbor x.x.x.x remote-as 65001
address-family ipv4 unicast
inherit peer-policy NAME SEQUENCE-NUMBER
```

### Filtering and setting actions for add paths

* A route map filters the paths
* Match on the prefix of the additional paths that are candidates

```
route-map NAME {permit | deny} SEQ
set path-selection all advertise
set metric VALUE
```

## BGP NHT

* Next-hop address tracking (NHT) is enabled by default on releases that support it
* Event driven
* Next-hop prefixes are tracked automatically once peers establish
* Next-hop changes are picked up by BGP quickly (as soon as the RIB updates) instead of waiting for the scanner
* When the best-path calculation runs between scanner cycles, only prefixes whose next hop changed are processed

### Default BGP Scanner Behaviour

* Monitors next hops for reachability
* Polls the RIB every 60s

### Selective BGP Next-hop Route Filtering

* Implemented as part of the selective address tracking feature
* Route map defines which routes may be used to resolve a BGP next hop
* **bgp nexthop route-map** - allows restricting, for example, the prefix length of the route that resolves the next hop
* During best-path calculation the route map is applied to the routing-table route that covers the next-hop attribute of each prefix
* If the covering route fails the route map, the next hop is marked unreachable and the path is not eligible
* Only **match ip address** (prefix-list) and **match source-protocol** are supported in the route map
* Practical use: stop next hops from being resolved through a default or summary route that would hide a failure

### BGP Support for Fast Peering Session Deactivation

**Fast Peering Deactivation**

* Event driven
* Per-neighbour basis
* Monitors the route to the neighbour
* Adjacency changes are detected immediately
* Terminates the peering session in between the default or configured BGP scan interval, rather than waiting for the scanner

**Selective Address Tracking for BGP fast session deactivation**
* Route map
* **neighbor fall-over route-map** determines whether the peering session is reset when the route to the peer changes
* The route map evaluates the new route to the peer
* If the route map returns deny, the session is reset

### Configuration

* Make sure IGP convergence is quick, otherwise BGP reacts to transient routes while the IGP is still converging

**Selective Next-Hop Route Filtering**

```
router bgp 65000
address-family ipv4 unicast
bgp nexthop route-map CHECK-NEXTHOP

ip prefix-list FILTER seq 5 permit 0.0.0.0/0 le 25

route-map CHECK-NEXTHOP deny 10
match ip address prefix-list FILTER

route-map CHECK-NEXTHOP permit 20
```

* FILTER matches any route of length /25 or shorter (including the default), so next hops resolved through such routes are marked unreachable; only /26 and longer, e.g. IGP host routes for the peers' loopbacks, pass
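An added example, not from the notes or from IOS, that replays the selective next-hop filtering logic above in Python: longest-match the BGP next hop in a constructed RIB, run the covering route through `CHECK-NEXTHOP` (prefix-list `0.0.0.0/0 le 25`, deny then permit) and treat a deny as an unreachable next hop. The RIB contents and the second, `match source-protocol` style route-map are constructed for the demo; the prefix-list `ge`/`le` handling follows the IOS rules.

```python
"""Selective BGP next-hop route filtering (`bgp nexthop route-map`).

Added example for these notes, not from them or from IOS. It reproduces the
check the section describes: find the RIB route that covers a BGP next hop,
run it through the route-map, and treat a deny as "next hop unreachable" so
the path drops out of best-path selection. RIB and route-map contents are
constructed; the prefix-list semantics follow the IOS ge/le rules.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple, Union

# Constructed RIB: (prefix, source protocol). A default and a summary are
# present on purpose: both are poor things to resolve a BGP next hop over.
RIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "static"),
    ("10.0.0.0/8", "static"),
    ("10.1.1.0/24", "ospf"),
    ("10.1.1.1/32", "ospf"),
]


def covering_route(rib, nexthop: str) -> Optional[Tuple[object, str]]:
    """Longest-prefix match: the RIB entry BGP would resolve this next hop through."""
    addr = ip_address(nexthop)
    best = None
    for prefix, proto in rib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto)
    return best


def prefix_list_match(net: Union[str, object], entry: str,
                      ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """One `ip prefix-list` line. Without ge/le the length must equal the
    entry's; `0.0.0.0/0 le 25` therefore means "any prefix of length 0..25"."""
    net = ip_network(net) if isinstance(net, str) else net
    base = ip_network(entry)
    if not net.subnet_of(base):
        return False
    if ge is None and le is None:
        return net.prefixlen == base.prefixlen
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else 32
    return lo <= net.prefixlen <= hi


# A route-map is an ordered list of (action, match) clauses; first match wins.
RouteMap = List[Tuple[str, Callable[[object, str], bool]]]

ROUTE_MAP_CHECK_NEXTHOP: RouteMap = [
    # seq 10: deny   match ip address prefix-list FILTER   (0.0.0.0/0 le 25)
    ("deny", lambda net, proto: prefix_list_match(net, "0.0.0.0/0", le=25)),
    # seq 20: permit, no match clause, so everything that got this far passes
    ("permit", lambda net, proto: True),
]

# Constructed alternative using `match source-protocol`: only IGP-learned
# routes may resolve a next hop, never statics or the default.
ROUTE_MAP_IGP_ONLY: RouteMap = [
    ("permit", lambda net, proto: proto in ("ospf", "eigrp", "isis")),
]


def run_route_map(route_map: RouteMap, net, proto: str) -> bool:
    for action, match in route_map:
        if match(net, proto):
            return action == "permit"
    return False  # implicit deny at the end of every route-map


def nexthop_reachable(rib, nexthop: str, route_map: RouteMap = ROUTE_MAP_CHECK_NEXTHOP) -> bool:
    """What BGP decides for one next hop during best-path calculation."""
    route = covering_route(rib, nexthop)
    if route is None:
        return False              # no route at all: unreachable regardless of policy
    return run_route_map(route_map, *route)


if __name__ == "__main__":
    for nh in ("10.1.1.1", "10.1.1.7", "10.9.9.9", "192.0.2.1"):
        print(nh, covering_route(RIB, nh), nexthop_reachable(RIB, nh))
```

Run it and the only next hop that survives is `10.1.1.1`, resolved by the OSPF /32: the /24, the /8 summary and the default all fall into the `le 25` deny. That is the behaviour to want on a route reflector or PE, where a next hop that is "reachable" only via a default route is usually a sign the egress PE has failed.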
**Adjust delay interval for Next hop tracking**

* Tune the delay between full table walks to match IGP parameters
* Default 5s

```
router bgp 65000
address-family FAMILY
bgp nexthop trigger delay SECONDS
```

* Range 0 to 100 seconds

**Disabling next hop address tracking**

* Enabled by default for IPv4 and VPNv4
* Since IOS 12.2(33), also enabled by default under VPNv6 when the next hop is an IPv4 address mapped to an IPv6 next-hop address

```
router bgp 65000
address-family FAMILY
no bgp nexthop trigger enable
```

### Configuring Fast Session Deactivation

**Per Neighbour**

```
router bgp 65000
address-family FAMILY
neighbor X.X.X.X remote-as 65001
neighbor X.X.X.X fall-over
```

**Selective**

```
router bgp 65000
neighbor X.X.X.X remote-as 65001
neighbor X.X.X.X fall-over route-map CHECK-PEER

ip prefix-list FILTER28 seq 5 permit 0.0.0.0/0 ge 28

route-map CHECK-PEER permit 10
match ip address prefix-list FILTER28
```

* The route map must permit the route to the peer for the session to stay up: here the peer has to be reachable via a /28 or longer. If it becomes reachable only through a summary or default route, the session is reset rather than kept alive by a route that hides the failure (the route map is written as a single permit so that it does not share a name or inverted logic with the next-hop route map above)

--------------------------------------------------------------------------------
/mpls-shortnotes.md:

# MPLS Unicast IP Forwarding

* Forwarding on labels
* Only considers routes in the unicast routing table
* Provides applications like VPNs and TE

## MPLS IP Forwarding Data Plane

* Relies on the structure and logic of CEF

### CEF Review

* Routing protocols, statics and connected routes create the RIB
* CEF creates the FIB, with an entry for each destination IP prefix
* Details next hop and outgoing interface
* The CEF adjacency table lists the data-link header to use
* CEF optimizes the FIB for smaller forwarding delay and higher PPS

### Overview of MPLS Unicast IP forwarding

* LSR - Any router pushing, popping or swapping labels and forwarding labelled packets
* Edge LSR - Processes both labelled and unlabelled packets
* Ingress E-LSR - Receives unlabelled, transmits labelled
* Egress E-LSR - Opposite of above
* ATM-LSR - Runs the MPLS control plane, sets up VCs, forwards labelled packets as ATM cells
* ATM E-LSR - Also performs the ATM Segmentation And Reassembly (SAR) function

### MPLS Forwarding using FIB and LFIB

* An LSR uses the CEF FIB and the LFIB for forwarding
* Label information is held in both, along with outgoing interface and next hop
* FIB and LFIB differ in what they index: the FIB is used for incoming unlabelled packets, the LFIB for incoming labelled packets

## MPLS Header and Label

* 4 bytes
* Sits between the data-link header and the IP header
* 20-bit label field
* Called the shim header
* Fields: Label (20 bits), EXP (3 bits), Bottom-of-Stack (1 bit, 1 means bottom) and TTL (8 bits, same semantics as the IP TTL)

### MPLS TTL Field and TTL Propagation

* The MPLS TTL lets LSRs ignore the IP header entirely
* LSRs decrement the MPLS TTL field
* Ingress E-LSR - decrements the IP TTL, pushes the label, copies the IP TTL into the MPLS TTL
* LSR - MPLS TTL decremented when the label is swapped
* Egress E-LSR - After decrementing the MPLS TTL, pops the MPLS header and copies the MPLS TTL into the IP header

**Disabling TTL Propagation**
* Ingress E-LSR - sets the MPLS TTL to 255 instead of copying the IP TTL
* Egress E-LSR - leaves the IP TTL unchanged
* Can be disabled separately for two types of packets: **no mpls ip propagate-ttl forwarded** hides the core hops from customer traceroutes while locally generated traffic (SP troubleshooting) still propagates; **local** does the reverse
* **no mpls ip propagate-ttl** on its own disables it for both

## MPLS IP Forwarding: Control Plane

### MPLS LDP Basics

* Advertises a label for each prefix in the IP routing table
* LDP sends messages to neighbours containing the IP prefix and its corresponding label
* A new route in the table means a new LDP advertisement
* Each LSR assigns its own local label
* MPLS LSP - the sequence of labels across the path
* Labels are even advertised back to the router they were received from

### MPLS LIB feeding FIB and LFIB

* LSRs store all received labels and related information in the LIB
* The best label (the one from the IGP next hop) and outgoing interface are chosen
* That information populates the FIB and LFIB
* FIB and LFIB
have the best labels
* The LIB has all labels
* Uses the routing protocol's loop prevention; reacts to IGP choices

```
ip cef

int Gi1/0/1
mpls ip

router eigrp 1
network X.X.X.X
```

* **show mpls ldp bindings** *route* - Shows LIB entries, remote bindings and local bindings

### Examples of FIB and LFIB entries

* **show mpls forwarding-table** *route* - Local label, outgoing label, outgoing interface
* **show ip cef** *route* **internal** - FIB entry
* **show mpls ldp bindings** - LIB entries

## LDP Reference

* Uses Hellos
* Multicast to 224.0.0.2
* UDP 646
* The Hello lists the LSR's LDP ID
  * 32-bit dotted decimal, plus a 2-byte label space number, always 0 for frame-based MPLS
* Transport address transmitted if set
  * The IP the LSR wants to use for the LDP TCP connection
  * The LDP ID is used if not set
* After neighbour discovery, TCP to each neighbour
  * Port 646
  * Addresses must be reachable in the unicast table
* After TCP is up, advertise all local bindings of labels and prefixes
* LDP ID chosen just like a router ID (configured, highest loopback IP, highest interface IP)
* LDP accepts any discovered neighbour unless authenticated: **mpls ldp neighbor X.X.X.X password PASSWORD** (TCP MD5) per neighbour, and **mpls ldp password required** to refuse unauthenticated sessions

# MPLS VPNs

## Solution to Duplicate IP ranges

* VRFs - separate routing tables per customer
* CE - no knowledge of MPLS protocols, sends and receives no labelled packets
* PE - LSR linked to at least one CE
* P - Just forwards labelled packets
* Routes exchanged with the CE using eBGP, RIPv2, OSPF or EIGRP
* iBGP (MP-BGP) between PEs to exchange customer routes
* Two labels
  * Outer MPLS header - S-Bit = 0 - forwarding across the core to the egress PE
  * Inner - S-Bit = 1 - identifies the egress VRF for the forwarding decision

## Control Plane

### VRF tables

**Three components**
* RIB
* CEF FIB, populated from the VRF's RIB
* Separate instance/process of the routing protocol towards the CE; VRF support required

### MP-BGP and Route Distinguishers

* RD goes in front of the original
BGP NLRI
* A different number per customer makes otherwise-overlapping NLRI unique
* MP-BGP RDs are defined in RFC 4364
* 64 bits long, prepended to the IPv4 prefix to form a VPNv4 prefix
* RD is 8 bytes; IOS accepts three formatting conventions
  * First 2 bytes - Type field, defines the format of the remaining 6
  * IOS can tell which format is used from the way the value is typed
  * The **rd** command only takes the last 6 bytes as integers and infers the type from them

**Formats**
* 2-byte-integer:4-byte-integer
* 4-byte-integer:2-byte-integer
* 4-byte-dotted-decimal:2-byte-integer

* For all three, the first field should be an ASN or IPv4 address
* The second can be anything

### Route Targets

* RTs are a BGP Extended Community path attribute
* 8 bytes in length
* Same basic format as an RD
* One or more per prefix
* Determine which VRFs routes are placed into
* Export and Import: export tags routes leaving a VRF, import says which tagged routes to pull into the VRF's RIB
* Usually a single RT is used for both import and export
* RTs, not RDs, control VPN membership: any VRF that imports a customer's RT receives that customer's routes, so audit import statements when reviewing separation between customers

### Overlapping VPNs

* Works using RTs
* A CE needs to be reachable from different VPNs
* Route leaking between VRFs
* Achieved with multiple RTs

## MPLS VPN Configuration

```
ip vrf Cust-A
rd 1:111
route-target both 1:100

ip vrf Cust-B
rd 2:222
route-target import 2:200
route-target export 2:2000

int Fa0/1
ip vrf forwarding Cust-A
ip address 192.168.15.1 255.255.255.0

int Fa0/0
ip vrf forwarding Cust-B
ip address 192.168.16.1 255.255.255.0 <--- mask assumed, missing in the original note

router eigrp 65001
address-family ipv4 vrf Cust-A
autonomous-system 1
network 192.168.15.1 0.0.0.0
no auto-summary
redistribute bgp 65001 metric 10000 1000 255 1 1500
address-family ipv4 vrf Cust-B
autonomous-system 1
network 192.168.16.1 0.0.0.0
no auto-summary
redistribute bgp 65001 metric 5000 500 255 1 1500

router bgp 65001
address-family ipv4 vrf Cust-A
redistribute eigrp 1
```
```
router bgp 65001
address-family ipv4 vrf Cust-B
redistribute eigrp 1

router bgp 65001
neighbor 3.3.3.3 remote-as 65001
neighbor 3.3.3.3 update-source loopback0
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended <--- RTs are extended communities; without this the remote PE cannot import the routes
```

* The IGP metric carried into BGP becomes the MED
* **show ip bgp vpnv4 all**
* **show ip route vrf** *NAME*

## MPLS VPN Data Plane

* RDs make overlapping customer prefixes unique in BGP
* RTs decide which VRFs receive which routes
* The ingress PE needs the appropriate VRF FIB entries
* Ps and PEs need LFIB entries

1. An unlabelled packet arrives on a VRF interface; that VRF's FIB makes the forwarding decision
2. The ingress PE's VRF FIB entry gives the outgoing interface and the label stack to push
3. Each P swaps the outer label according to its LFIB
4. When the egress PE receives the packet, it does two LFIB lookups: pops the outer label, then finds the inner (VPN) label in its LFIB

* The inner label holds the egress PE's forwarding details, in particular the outgoing interface for the now-unlabelled packet

### Building VPN label

* Each PE allocates an inner (VPN) label for each route in each customer VRF
* The new local label is associated with the prefix and stored in the LFIB
* Once assigned, the local label is added to the BGP table entry for the route
* Advertised in the MP-BGP update

### Creating LFIB Entries to Forward Packets to Egress PE

* iBGP routes list the egress PE as next hop
* LDP builds the label binding for the BGP next hop
* Must have a route for the next hop
* Label installed into the LFIB

### Creating VRF FIB entries for Ingress PE

* Incoming packet on a VRF interface
* Forwarded using that VRF's FIB

**2 labels in the FIB entry**
1. PE redistributes the route from BGP into the VRF
2. PE builds the VRF FIB entry for the route
3. The new FIB entry carries the VPN label as well as the outer label for forwarding

### PHP

* Penultimate Hop Popping: the last P pops the outer label before forwarding to the egress PE
* The egress PE then only needs to look at the inner label

# Other MPLS apps

* FEC (Forwarding Equivalence Class) - set of packets receiving the same treatment by a single LSR
* For unicast IP, each IPv4 prefix is a FEC
* For VPNs, each prefix in a VRF
* With QoS, one FEC may differ from another for the same prefix
* A label per FEC; different labels for different forwarding details
* MPLS TE allows some packets over one LSP and some over another
  * The FEC in this case is a TE tunnel
* For multicast, extensions to PIM exchange FEC-to-label bindings
* MPLS QoS uses extensions to TDP/LDP

# Implementing Multi-VRF Customer Edge

* Multiple routing tables on a single router
* L3 separation
* Supports internetworks with overlapping IP space
* Same configuration commands as MPLS VPN

## VRF Lite, without MPLS

* Build the VRF, associate interfaces
* Add any routing protocols inside the VRF
* Multiple VRFs on a single link need sub-interfaces

```
ip cef

ip vrf COI-1
rd 11:11
route-target both 11:11

ip vrf COI-2
rd 22:22
route-target both 22:22

int Se0/0/0
encapsulation frame-relay
no shutdown
description To RouterLite2

int Se0/0/0.101 point-to-point
frame-relay interface-dlci 101
ip vrf forwarding COI-1
ip address 192.168.4.1 255.255.255.252

int Se0/0/0.102 point-to-point <--- second sub-interface/DLCI assumed; the original note repeated .101/101, which IOS rejects
frame-relay interface-dlci 102
ip vrf forwarding COI-2
ip address 192.168.4.5 255.255.255.252
```

* Usual configuration for the rest

## VRF Lite with MPLS

* Multi-VRF CE
* Allows the CE to have VRF awareness while remaining a CE
* Could be a multi-tenant unit
* Add VRFs to interfaces, run routing protocols as normal over sub-interfaces to the PE
* The PE then does MPLS

--------------------------------------------------------------------------------
/quick-notes/device-networksec.md:

# Messages

# Protocols

## AAA

* RADIUS - Does not encrypt the packet; only the User-Password attribute is obscured (MD5 of shared secret + Request Authenticator, XORed with the password). Everything else is cleartext, protected only by the MD5 authenticator. UDP 1812 (well known) or 1645 (legacy IOS default) for authentication, RFC 2865
* TACACS+ - Encrypts the whole packet body (MD5-derived keystream with the shared key), TCP 49. Cisco-originated, now documented in RFC 8907

# Timers

# Trivia

* enable password and enable secret - the secret is stored as a type 5 MD5 hash and is not affected by service password-encryption; enable password is cleartext or reversible type 7
* enable secret takes precedence when both are configured
* Newer IOS also offers type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets; prefer them over type 5 where available

## AAA

### Default methods

* A method is a single way to authenticate a user
* Could be RADIUS, could be local
* The list is tried in order until a method returns accept or reject
* The default login list applies to all logins (console/Telnet/Aux) unless a line names its own list

### Multiple auth methods

* No limit to the number of servers
* Try the first method; if it does not respond (error), move to the next
* An explicit reject from a method stops the list; only a non-response falls through
* If no method responds, authentication fails (unless **none** is the last method, which then lets anyone in)

## Layer 2 Security

**Unused**
* Disable CDP and DTP
* Access mode only
* BPDU guard and Root guard
* DAI or PVLANs
* Port security
* 802.1X
* DHCP snooping and IP Source Guard

```
int Fa0/0
no cdp enable
switchport mode access
switchport nonegotiate
spanning-tree guard root
spanning-tree bpduguard enable
```

**Other**
* PVLANs where possible
* VTP authentication globally
* Disable unused ports and put them in a dead VLAN
* Avoid VLAN 1
* Don't carry user traffic in the native VLAN on trunks; use an otherwise unused VLAN as native

## Port security
* Dynamic learning, lost on reboot - **switchport port-security maximum VALUE** - default 1
* Static - **switchport port-security mac-address ADDRESS [vlan {id | {access | voice}}]**
* Dynamic learning, saved to the config (sticky) - **switchport port-security mac-address sticky**

## DAI

* Gratuitous ARPs (GAs) are broadcast and accepted by hosts without question
* An attacker can therefore claim another host's IP (ARP poisoning, man-in-the-middle)
* DAI examines ARPs and filters
inappropriate ones
* DAI inspects untrusted ports only
* Inappropriate if:
  * An ARP reply lists a sender IP that DHCP did not assign to that device on that port
  * As above, but checked against the static ARP ACL
  * For replies, the source MAC in the Ethernet header should equal the sender MAC in the ARP body
  * As above, for the destination MAC and the target MAC
  * Unexpected IPs (0.0.0.0, 255.255.255.255, multicast)
* Requires DHCP snooping for the binding database (or a static ARP ACL for hosts with fixed addresses)

## DHCP snooping

* Table of IP/MAC/VLAN/port mappings learned from DHCP
* Used by DAI and IP Source Guard
* Clients on untrusted ports; servers, and uplinks towards them, on trusted ports
* Examines client messages on untrusted ports
* Untrusted port logic
  * Filter all DHCP server messages (OFFER/ACK/NAK) arriving on untrusted ports
  * Check DHCP RELEASE and DECLINE against the binding table - if the IP/port is not in the table, filtered
  * Optionally, check the DHCP client hardware address against the frame's source MAC (**verify mac-address**)

### Information Option

* Option 82 is inserted when snooping is enabled
* Contains the switch and port the client is connected to
* DHCP packets contain a giaddr field of 0.0.0.0 by default
* Both show up in error messages if something is misconfigured
* Will be dropped going between switches (an untrusted port rejects option 82 with giaddr 0.0.0.0)
* Avoid with `ip dhcp snooping information option allow-untrusted` on the aggregation switch
* Also `ip dhcp relay information trust-all` on the relay
* Caveat: allow-untrusted lets a host on an untrusted port inject its own option 82, so only use it on inter-switch links, never on edge ports

## IP Source Guard

* Builds on DHCP snooping
* Checks the source of IP packets against the binding database
* Can check both source IP and source MAC

## 802.1X Auth using EAP

* Verified by RADIUS
* Requires credentials (username/password or a certificate, depending on the EAP method)
* First the EAP exchange is carried in Ethernet frames
* Supplicant to authenticator (switch)
* Frames are EAPoL (EAP over LAN)
* Switch translates to RADIUS messages
* Supplicant - prompts the user for credentials, sends/receives EAPoL
* Authenticator - EAPoL/RADIUS translation, enables/disables ports
* Auth server - Stores credentials, verifies RADIUS messages

## MAC Auth Bypass

* For devices without 802.1X capabilities
* Supplemental auth method using the device MAC address as the credential (RADIUS PAP by default, EAP-MD5 with **mab eap**)
* Migration path from port security, URT (User Registration Tool) and/or VMPS
* 802.1X sends 3 EAP-Request/Identity frames; if they all go unanswered, authentication has
failed, and the port falls to the guest VLAN (with MAB configured, MAB is tried first)
* MAB works off this: after the 802.1X timeout the switch sends the MAC to RADIUS; the dynamic policy from RADIUS can include the VLAN to assign if the MAC is allowed

## General L3 Considerations

* Smurf - flood of ICMP echoes with a destination IP of a subnet broadcast address; every host on the subnet replies to the spoofed source. Prevent the amplification with **no ip directed-broadcast** (the default since IOS 12.0)
* Enable uRPF with `ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]`
  * rx - strict: the source must be reachable via the interface the packet arrived on; breaks asymmetric routing
  * any - loose: the source just has to be in the routing table
  * allow-default weakens the check severely, since a default route makes every source "reachable"
* Fraggle - similar to Smurf but with UDP echo (port 7)

* TCP Intercept
  * Watch mode - keeps state on TCP connections and sends a reset if the three-way handshake is not completed within the watch timeout (30s default)
  * If the number of incomplete connections gets large (defaults: 1100 outstanding, or 1100 new in one minute), aggressive mode drops the oldest half-open connections as new SYNs arrive
  * Intercept mode - the router answers the SYN on the server's behalf and merges the two connections once the client handshake completes

## Classic IOS Firewall

* CBAC
* Inspects traffic
* Based on the protocol's commands (application awareness)
* Temporarily opens return ports
* Works on TCP and UDP
* Configure the protocols to inspect
* TCP is easy to handle (the control channel is recognisable)
* UDP is connectionless, so return traffic is allowed based on an idle timer
* Comes after ACLs
* Can't protect against internal attacks
* Doesn't inspect traffic destined to or sourced from the router itself
* Restrictions on encrypted traffic
* Use `ip inspect` (global commands for timers and thresholds, e.g. `ip inspect name actionjackson ftp timeout 3000`)
* On the interface, apply inspection in the opposite direction to the ACL

## ZBF

* MQC style
* Interfaces are placed in security zones
* Traffic between zones is dropped unless a zone-pair policy permits or inspects it
* Interfaces in the same zone can talk freely
* Interfaces not in any zone cannot exchange traffic with zoned interfaces
* Uses inspect-type class maps and policy maps

## CoPP

* MQC-based, rate limits or drops traffic punted to the control plane
* Applied with `control-plane` then `service-policy input NAME`

## IPv6 First Hop Security

### SeND

* Security for NDP
* Used in router discovery, DAD and address resolution
* Based on CGAs (Cryptographically Generated Addresses), or non-CGAs with certificates
* Authorises a router to act as default gateway
* Says which prefixes the router is allowed to announce

### Secure at First hop

* Inspect ND traffic
* Build L2/L3 bindings
* Monitor each host's use of ND
* Can block rogue RAs and rogue DHCPv6 advertisements

### RA Guard

* RA snooping exists
* The switch uses upper-layer (ICMPv6) information
* Must be on an intermediary device that all traffic passes through
* `ipv6 nd raguard policy NAME` ... `device-role {host | router}`
* `int Fa0/0` ... `ipv6 nd raguard attach-policy NAME`
* If the port role is host, RAs received on it are dropped
* Caveat: simple RA Guard can be evaded with RAs split across IPv6 fragments or hidden behind extension headers; RFC 6980 requires nodes to drop fragmented ND and RFC 7113 gives RA Guard implementation advice, so check that the platform enforces both

### DHCPv6 Guard

* Blocks replies and advertisements from unauthorised servers and relays
* Client messages are always switched
* DHCP server messages are only switched if the port's device role is server
* Can do source validation and server preference
* Also limits server replies to permitted prefixes (match reply)
* match server - matches the servers allowed

### DHCPv6 Guard and Binding DB

* IPv6 snooping builds a database table of IPv6 neighbours
* Created from sources like DHCPv6 and ND
* Validates link-layer address, IPv6 address and prefix bindings to prevent spoofing
* Auto-populated after being enabled
* Integrated with DHCPv6 Guard and RA Guard

### IPv6 Device Tracking

* Host tracking
* Neighbour table updated if a host drops off
* Revokes access when inactive

### IPv6 Neighbour Discovery Inspection

* Learns and secures SLAAC addresses
* Analyses ND
* Builds a trusted binding table
* Trusted if the IPv6-to-MAC mapping is verifiable

### IPv6 Source Guard

* Does no ND or DHCP inspection itself
* Denies traffic whose source is not in the binding table
* Works with ND inspection or IPv6 address glean
* When traffic is denied, IPv6 glean tries to recover the binding (queries the DHCP server or uses ND)
  * Recovery: DHCP LEASEQUERY to the server; DAD NS towards the host
  * An NA from the host, or a DHCP LEASEQUERY_REPLY from the server, completes the binding

## Control Plane Protection
* Three sub-interfaces: host, transit, CEF exception
* CEF required
* Can drop packets directed to
closed or non-listening TCP/UDP ports (port filtering)
* Can limit the number of packets in the control-plane input queue (queue thresholding)
* IPv4 only
* ACLs can't be applied directly to control-plane sub-interfaces (used via MQC policies)
* Host - Destined to the router itself or its own interfaces
* Transit - Software-switched transit traffic
* CEF exception - Traffic CEF punts (ARP, LDP, L2 keepalives, etc.)
* Apply a policy map with `control-plane {host | cef-exception | transit}`, then `service-policy input NAME` on the next line

## IP Source Tracker

* Enables tracking of traffic towards a destination address on the router (to find where a DoS is coming from)
* A CEF entry is created that punts matching traffic to the linecard/port adapter CPU for accounting
* `show ip source-track summary`
* `ip source-track ADDRESS`
* `ip source-track address-limit NUMBER`
* `ip source-track syslog-interval NUMBER`
* `ip source-track export-interval NUMBER`
  * 30s default

# Processes

## Enable SSH

1. `hostname`
2. `ip domain-name`
3. Client authentication method (local user, AAA, etc.)
4. Generate RSA keys (`crypto key generate rsa modulus 2048` or larger)
5. Specify the SSH version (`ip ssh version 2`; SSHv1 should not be enabled)
6. Disable Telnet on the VTYs
7. Enable SSH on the VTYs (`transport input ssh`)

## ZBF

1. Decide zones
2. Zone pairs - traffic between zones (`zone-pair security Internal source LAN destination WAN`)
3. Class maps to identify traffic
4. Policies
5. Apply the policy to the zone pair (`zone-pair ...` then `service-policy type inspect LAN2WAN`, referencing a policy map of type inspect)
6. Assign interfaces to zones

# Config

* `service password-encryption` - Type 7, weak and reversible; it only obscures passwords in the displayed config. The running config changes immediately, the startup config only after `copy run start` / `wr mem`
* Not automatically decrypted when the command is removed
* Prefer `enable secret` and `username NAME secret` hashes over type 7 passwords

## AAA

**Default methods**

```
enable secret 5 HASH
username cisco password 0 cisco
aaa new-model
aaa authentication enable default group radius local
aaa authentication login default group radius none
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server key SHARED-SECRET
```

* Caveat: `none` as the fallback means that if every RADIUS server is unreachable (or an attacker can make them unreachable), logins are granted with no authentication at all. Use `local` as the last method with a strong local account instead
* `radius-server key` is required: the shared secret is what the request and response authenticators are computed over, and without it the server will not answer

**Multiple auth methods**

* group radius - all configured RADIUS servers
* group tacacs+ - as above but TACACS+
* aaa group server ldap - as above, LDAP
* group NAME - user-defined server group
* enable - use the enable password
* line - the password configured on the line
* local - usernames in the local config, username case-insensitive
* local-case - usernames in the local config, username case-sensitive
* none - always succeeds (no authentication)

```
aaa group server radius fred
server 10.1.1.3 auth-port 1645 acct-port 1646
server 10.1.1.4 auth-port 1645 acct-port 1646

aaa new-model
aaa authentication enable default group fred local
```

**Override defaults**
* Named lists can be applied to console, VTY and Aux

```
aaa authentication login for-console group radius line
aaa authentication login for-vty group radius local

line con 0
password 7 84578293472
login authentication for-console

line vty 0 4
password 7 787978
login authentication for-vty
```

**PPP**
* PAP and CHAP can be used
* Default authentication uses the local username and password
* Use AAA with

```
aaa new-model

aaa group server ....
...
...
```
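Added example, not from the notes or from any RADIUS implementation: the RFC 2865 transforms that the `group radius` method lists above depend on, in Python. It shows what the shared secret set with `radius-server key` actually does: User-Password is XORed with an MD5 keystream derived from the secret and the Request Authenticator, everything else stays in cleartext, and the Response Authenticator is the only thing stopping a forged Access-Accept. The secret, password and identifier values are made up for the demo.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check.

Added example for these notes; not from them or from any RADIUS server or
client. It makes the "encrypts password" line precise: only the
User-Password attribute is obscured, with an MD5 keystream derived from the
shared secret and the 16-octet Request Authenticator; the rest of the packet
is cleartext. Secret, password and authenticator values are made up.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password value, RFC 2865 section 5.2: pad to 16 octets, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), and so on."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:
        padded = b"\x00" * BLOCK          # RFC: at least one 16-octet segment
    out, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], keystream)
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same transform. Trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Access-Accept (2) / Access-Reject (3) with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check that the reply came from a holder of the shared secret and
    answers this request. Skip it and an Access-Accept can simply be forged."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def keystream_reuse(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """Why the Request Authenticator must be unpredictable and never repeat:
    two passwords hidden under the same (secret, RA) XOR to the XOR of their
    first plaintext blocks, so one known password reveals the other."""
    return _xor(hidden_a[:BLOCK], hidden_b[:BLOCK])


def demo() -> Tuple[bool, bytes]:
    secret = b"shared-secret-demo"            # constructed, stands in for `radius-server key`
    request_auth = os.urandom(BLOCK)          # the client picks a fresh random RA per request
    hidden = hide_password(secret, request_auth, b"correct horse")
    accept = build_response(2, 7, request_auth, secret)
    return verify_response(accept, request_auth, secret), reveal_password(secret, request_auth, hidden)


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code: the shared secret is the whole of RADIUS security on the wire, so it needs to be long and random and the server traffic should sit on a management network or inside IPsec; and a client that skips `verify_response` (or uses a predictable Request Authenticator) accepts forged Access-Accepts or leaks passwords through `keystream_reuse`.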
PPP method lists and the interface binding:

```
aaa authentication ppp default group radius local
aaa authentication ppp NAME method1 method2

int dialer 0
ppp authentication chap NAME
```

## DAI

```
ip arp inspection vlan RANGE <--- global; enables DAI on the listed VLANs, all their ports are untrusted by default

int Gi0/1
ip arp inspection trust <--- interface; trust only uplinks towards other DAI switches or servers, [no] reverts

ip arp inspection filter ARP-ACL vlan RANGE [static] <--- static ARP ACL for non-DHCP hosts; with "static", hosts not in the ACL are dropped without consulting the snooping database
ip arp inspection validate {[src-mac] [dst-mac] [ip]} <--- Ethernet source vs ARP sender MAC, Ethernet destination vs ARP target MAC, invalid sender/target IPs

int Fa0/1
ip arp inspection limit {rate PPS [burst interval SEC] | none} <--- default 15 ARP messages per second on untrusted ports; exceeding it err-disables the port
```

## DHCP Snooping

```
ip dhcp snooping <--- global enable is required; without it the per-VLAN command does nothing
ip dhcp snooping vlan RANGE
ip dhcp snooping verify mac-address

int Gi0/1
ip dhcp snooping trust <--- trust only ports facing DHCP servers or relays, [no] reverts

int Fa0/1
ip dhcp snooping limit rate RATE

ip dhcp snooping binding MAC vlan VLAN IP interface INT expiry SECONDS <--- static binding for hosts with fixed addresses
```

## IP Source Guard

```
int Fa0/1
ip verify source <--- source IP only
ip verify source port-security <--- IP and MAC; needs port security on the interface

ip source binding MAC vlan VLAN IP interface INT <--- static binding
```

## 802.1X

```
aaa new-model
radius-server host ....
radius-server key ...
```
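Added example, not from the notes or from IOS: the decision logic behind the DAI and DHCP snooping commands above, in Python, run over constructed ARP messages and a constructed binding table (the rows `show ip dhcp snooping binding` would show). It covers trusted ports, the static ARP ACL (`filter ... [static]`), the `validate {src-mac | dst-mac | ip}` checks and the binding lookup, and it shows why a DHCP client's address-conflict probe with sender IP 0.0.0.0 is dropped once `ip` validation is on. MACs, IPs, VLAN and port names are invented.

```python
"""Dynamic ARP Inspection decisions over a DHCP-snooping binding table.

Added example for these notes; it is not from them or from IOS. It applies
the checks listed in the DAI section to constructed ARP messages: trusted
ports bypass inspection, an optional static ARP ACL is consulted first, then
the sender IP/MAC/port must match a DHCP snooping binding, with the optional
src-mac, dst-mac and ip validations. MACs, IPs and ports are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
BAD_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass(frozen=True)
class Binding:
    """One row of `show ip dhcp snooping binding`."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class ArpMsg:
    port: str          # ingress interface
    vlan: int
    eth_src: str       # Ethernet header addresses
    eth_dst: str
    op: int            # 1 request, 2 reply
    sha: str           # ARP body: sender hardware / protocol address
    spa: str
    tha: str           # target hardware / protocol address
    tpa: str


def _bad_ip(ip: str) -> bool:
    return ip in BAD_IPS or ip_address(ip).is_multicast


class Dai:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str] = (),
                 validate: Iterable[str] = (), arp_acl: Optional[Dict[str, str]] = None,
                 acl_static: bool = False) -> None:
        self.bindings = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.validate = set(validate)            # subset of {"src-mac", "dst-mac", "ip"}
        self.arp_acl = {ip: mac.lower() for ip, mac in (arp_acl or {}).items()}  # ip -> permitted MAC
        self.acl_static = acl_static             # `filter ... static`: never fall back to bindings

    def inspect(self, m: ArpMsg) -> Tuple[bool, str]:
        """Return (forward?, reason) for one ARP packet, request or reply."""
        if m.port in self.trusted:
            return True, "trusted port, not inspected"
        # Optional validations (`ip arp inspection validate ...`).
        if "src-mac" in self.validate and m.eth_src.lower() != m.sha.lower():
            return False, "src-mac: Ethernet source != ARP sender MAC"
        if "dst-mac" in self.validate and m.op == ARP_REPLY and m.eth_dst.lower() != m.tha.lower():
            return False, "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate and (_bad_ip(m.spa) or (m.op == ARP_REPLY and _bad_ip(m.tpa))):
            return False, "ip: invalid sender/target IP"
        # A static ARP ACL takes precedence over the snooping database.
        if self.arp_acl:
            if self.arp_acl.get(m.spa) == m.sha.lower():
                return True, "permitted by ARP ACL"
            if self.acl_static:
                return False, "ARP ACL (static): no matching permit"
        # Binding check: the sender IP must be bound to this MAC on this VLAN and port.
        b = self.bindings.get((m.vlan, m.spa))
        if b is None:
            return False, "no DHCP snooping binding for sender IP"
        if b.mac.lower() != m.sha.lower() or b.port != m.port:
            return False, "binding mismatch: MAC or port"
        return True, "binding ok"


if __name__ == "__main__":
    dai = Dai([Binding("aa:aa:aa:aa:aa:01", "10.0.0.10", 10, "Fa0/1")],
              trusted_ports=["Gi0/1"], validate=["src-mac", "dst-mac", "ip"])
    gw = "cc:cc:cc:cc:cc:01"
    # Host on Fa0/2 claims the Fa0/1 host's address: classic poisoning attempt.
    print(dai.inspect(ArpMsg("Fa0/2", 10, "aa:aa:aa:aa:aa:02", gw, ARP_REPLY,
                             "aa:aa:aa:aa:aa:02", "10.0.0.10", gw, "10.0.0.1")))
```

The rate limiter (`ip arp inspection limit`) is deliberately not modelled; the point of the sample is the ordering of checks, which matters operationally: hosts with fixed addresses need an ARP ACL or static binding before DAI is turned on, and the `ip` validation will silently break clients that probe with a 0.0.0.0 sender unless the ACL permits it.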
386 | aaa authentication dot1x default - radius 387 | aaa authentication dot1x group NAME 388 | dot1x system-auth-control 389 | 390 | int Fa0/0 391 | authentication port control {auto | force-authorized | force-unauthorized } 392 | ``` 393 | 394 | ## Storm control 395 | 396 | ``` 397 | int Fa0/0 398 | storm-control broadcast level pps 100 50 <--- Rising and falling thresh 399 | storm-control multicast level 0.50 0.40 (percent) 400 | storm-control unicast level 80 - same rising and falling thresh 401 | storm control trap <-- can be rate limit, trap or shutdown 402 | ``` 403 | 404 | * Doesn't work on etherchannel 405 | 406 | ## SNMP CPU and Mem thresholds 407 | 408 | **SNMP** 409 | ``` 410 | snmp-server enable traps cpu threshold 411 | process cpu threshold type {total | process | interrupt} 412 | rising PERCENT interval SECONDS [falling PERCENT interval SECONDS] 413 | process cpu statistics limit entry-perentage NUMBER [size SECONDS] 414 | ``` 415 | 416 | **Memory** 417 | ``` 418 | memory free low-watermark process threshold 419 | memory free low-watermark io threshold 420 | memory reserve critical KB 421 | ``` 422 | * Threshold = kbps free 423 | 424 | ## MAC address notifications 425 | 426 | ``` 427 | snmp-server enable traps mac-notification 428 | mac-address table notification 429 | mac-address table notification interval 60 430 | mac-address table notification history-size 100 431 | 432 | int Fa0/4 433 | snmp trap mac-notification added 434 | ``` 435 | 436 | * Genned for dynamic and secure, not self, m'cast or static 437 | 438 | ## Config changes and logging 439 | 440 | ``` 441 | archive 442 | log config 443 | logging enable 444 | logging size <1-1000> 445 | hidekeys <-- suppress pw 446 | notify syslog 447 | ``` 448 | 449 | * show archive log config NUM 450 | * show archive log config all provisioning - shows how config chanegs would appear in config mode 451 | * show archive log config statistics 452 | 453 | # Verification 454 | 455 | ``` 456 | show 
port-security interfaces <-- SecureUP means port up and secure 457 | 458 | show ip dhcp snooping binding 459 | 460 | show zone-pair security 461 | 462 | show policy-map control-plane 463 | 464 | show dmvpn 465 | Ent - Entires in NHRP DB for spoke 466 | Peer NBMA Address - outside IP 467 | Peer tunnel add - IP of tunnel 468 | State - up or down 469 | UpDn T - time up or down 470 | 471 | show ipv6 dhcp guard policy NAME 472 | 473 | show ipv6 neighbors binding 474 | 475 | show ipv6 nd inspection policy 476 | ``` 477 | -------------------------------------------------------------------------------- /quick-notes/eth-basics.md: -------------------------------------------------------------------------------- 1 | # Messages 2 | 3 | * MAC addressing 4 | * I/G least sign bit - 0 for unicast, 1 for multicast 5 | * U/L next least sig - 0 vendor assigned, 1 admin assigned 6 | 7 | # Trivia 8 | 9 | ## Type 10 | 11 | * DSAP and SNAP 12 | 13 | ## CAM Aging 14 | 15 | * mac-address-table aging-time SECONDS vlan 10 16 | * default 300, 0 to 1000000 seconds 17 | 18 | ## Fallback bridging 19 | 20 | * Grouping of svis and/or routed ports 21 | * BPDUs and traffic not exchanged bw different groups on switch 22 | * Switch vreates VLAN bridge STP instance 23 | * used to bridge locally separate entities together 24 | * Source mac only learn on a bridge gorup when address learnedon a vlan 25 | * Each bridge participates in different STP instance 26 | * 32 per switch 27 | * Int can only be in one 28 | * All protocols except ipv4, v6, arp, rarp, loopback and fr arp fallbac briudged 29 | 30 | ## Backup interface 31 | 32 | * int Gi1/0/24 .... 
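The `service password-encryption` and AAA notes above deserve a concrete check. The following Python is an added example, not code from these notes or from Cisco: it reverses type 7 strings with the fixed XOR key IOS uses, and scans a running-config for AAA method lists containing `none` (fail-open when the servers are unreachable) and for usernames or line passwords stored as type 0 (cleartext). The sample config, its dummy type 5 hashes and the function names are the example's own; `094F471A1A0A` is the well-known type 7 encoding of `cisco`.

```python
"""Audit an IOS running-config for the weak spots the notes above call out.

Added example, not code from these notes or from Cisco. It reverses type 7
("service password-encryption") strings, flags AAA method lists containing
`none` and flags usernames/line passwords stored as type 0 (cleartext).
"""
import re
from typing import List, Tuple

# Fixed key used by the IOS type 7 scheme. It is public, which is why type 7
# is obfuscation, not encryption.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then one hex byte per char."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2])
    chars = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(_XLAT[(seed + i) % len(_XLAT)])))
    return "".join(chars)


def encode_type7(plain: str, seed: int = 9) -> str:
    """Forward direction: the same XOR, key offset by `seed`."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed must be 0..52")
    body = "".join(f"{ord(c) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def _reveal(value: str) -> str:
    try:
        return repr(decode_type7(value))
    except ValueError:
        return "<malformed type 7 string>"


_AAA_RE = re.compile(r"^aaa authentication (login|enable|ppp|dot1x) (\S+) (.+)$")
_USER_RE = re.compile(r"^username (\S+) (?:privilege \d+ )?password (?:([07]) )?(\S+)$")
_LINE_PW_RE = re.compile(r"^\s+password (?:([07]) )?(\S+)$")   # indented = under a line


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one running-config."""
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _AAA_RE.match(line)
        if m:
            kind, name, methods = m.groups()
            if "none" in methods.split():
                findings.append(("HIGH", f"aaa {kind} list '{name}' contains 'none': when every "
                                         "earlier method errors out (server unreachable) access "
                                         "is granted without authentication"))
            continue
        m = _USER_RE.match(line)
        if m:
            user, ptype, value = m.groups()
            if ptype == "7":
                findings.append(("MEDIUM", f"username {user}: type 7 password decodes to {_reveal(value)}"))
            else:
                findings.append(("HIGH", f"username {user}: cleartext (type 0) password, "
                                         f"use 'username {user} secret ...'"))
            continue
        m = _LINE_PW_RE.match(raw)
        if m:
            ptype, value = m.groups()
            if ptype == "7":
                findings.append(("MEDIUM", f"line password (type 7) decodes to {_reveal(value)}"))
            else:
                findings.append(("MEDIUM", "line password stored in cleartext"))
            continue
        if line.startswith("enable password "):
            findings.append(("HIGH", "'enable password' in use; replace with 'enable secret'"))
    return findings


# Constructed sample mirroring the default-methods snippet above (type 5 hashes are dummies).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$dummyhashdummyhashdummyh
username admin secret 5 $1$wxyz$dummyhashdummyhashdummyh
username cisco password 0 cisco
username ops password 7 094F471A1A0A
aaa new-model
aaa authentication enable default group radius local
aaa authentication login default group radius none
aaa authentication login for-vty group radius local
line con 0
 password 7 094F471A1A0A
 login authentication default
"""

if __name__ == "__main__":
    for severity, msg in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {msg}")
```

Run it against `show running-config` output saved to a file; anything it reports as HIGH is exploitable by whoever can read the config or knock the RADIUS servers offline, which is why the `none` fallback belongs on the console list at most, never on VTYs.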
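To make the DAI / DHCP snooping / IP Source Guard relationship above concrete, here is an added Python model, not Cisco code and not from the original notes, of what the switch does with an ARP packet on an untrusted port: the rate limit, the `validate` checks, the ARP ACL with and without `static`, then the binding-table lookup; plus the IPSG source check with and without `port-security`. The bindings, ports, packets and all class and function names are constructed for the example.

```python
"""Model of how DAI and IP Source Guard consume the DHCP snooping binding table.

Added example, not Cisco code and not from these notes. Check order for an
untrusted port: rate limit, optional `validate` checks, ARP ACL (with or
without `static`), then the binding table. Names and data are the example's own.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


@dataclass(frozen=True)
class Binding:                      # one row of `show ip dhcp snooping binding`
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class ArpPacket:
    eth_src: str                    # Ethernet header
    eth_dst: str
    sender_mac: str                 # ARP body
    sender_ip: str
    target_mac: str
    target_ip: str
    opcode: int                     # 1 request, 2 reply


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False                   # `ip arp inspection trust`
    rate_limit: Optional[int] = 15          # pps; None = `ip arp inspection limit none`
    err_disabled: bool = False
    seen: List[float] = field(default_factory=list)   # ARP arrival times in the last second


class DaiSwitch:
    def __init__(self, validate=("src-mac", "dst-mac", "ip"),
                 arp_acl: Optional[Dict[str, str]] = None, acl_static: bool = False):
        self.bindings: Set[Binding] = set()
        self.validate = set(validate)       # `ip arp inspection validate ...`
        self.arp_acl = arp_acl or {}        # ARP ACL permit entries as {ip: mac}
        self.acl_static = acl_static        # `ip arp inspection filter ... static`

    def learn_dhcp_ack(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """What DHCP snooping does on seeing a DHCPACK from a trusted port."""
        self.bindings.add(Binding(mac, ip, vlan, port))

    def inspect_arp(self, pkt: ArpPacket, port: Port, now: float) -> Tuple[bool, str]:
        if port.trusted:
            return True, "trusted port, ARP not inspected"
        if port.err_disabled:
            return False, "port is err-disabled"
        if port.rate_limit is not None:     # sliding one-second window
            port.seen = [t for t in port.seen if now - t < 1.0] + [now]
            if len(port.seen) > port.rate_limit:
                port.err_disabled = True
                return False, f"more than {port.rate_limit} ARP/sec, port err-disabled"
        if "src-mac" in self.validate and pkt.sender_mac != pkt.eth_src:
            return False, "validate src-mac: sender MAC != Ethernet source"
        if "dst-mac" in self.validate and pkt.opcode == 2 and pkt.target_mac != pkt.eth_dst:
            return False, "validate dst-mac: target MAC != Ethernet destination"
        if "ip" in self.validate:           # target IP only checked in replies
            for ip in [pkt.sender_ip] + ([pkt.target_ip] if pkt.opcode == 2 else []):
                if ip in INVALID_IPS or IPv4Address(ip).is_multicast:
                    return False, f"validate ip: invalid address {ip} in ARP body"
        if self.arp_acl:
            if self.arp_acl.get(pkt.sender_ip) == pkt.sender_mac:
                return True, "permitted by ARP ACL"
            if self.acl_static:
                return False, "denied by ARP ACL (static: no fallthrough to bindings)"
        if Binding(pkt.sender_mac, pkt.sender_ip, port.vlan, port.name) in self.bindings:
            return True, "matches DHCP snooping binding"
        return False, "no binding for sender IP/MAC on this port and VLAN"

    def ipsg_permit(self, src_ip: str, src_mac: str, port: Port,
                    port_security: bool = False) -> bool:
        """`ip verify source` [port-security]: IP (and MAC) must match a binding on the port."""
        for b in self.bindings:
            if (b.port, b.vlan, b.ip) == (port.name, port.vlan, src_ip):
                if not port_security or b.mac == src_mac:
                    return True
        return False


# Constructed data: one DHCP client on Fa0/3, one static-IP printer covered by an ARP ACL.
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:55", "10.0.0.10"
PRINTER_MAC, PRINTER_IP = "00:aa:bb:cc:dd:ee", "10.0.0.50"
GATEWAY_IP = "10.0.0.1"


def build_switch(acl_static: bool = False) -> DaiSwitch:
    sw = DaiSwitch(arp_acl={PRINTER_IP: PRINTER_MAC}, acl_static=acl_static)
    sw.learn_dhcp_ack(CLIENT_MAC, CLIENT_IP, 10, "Fa0/3")
    return sw


def arp_request(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str) -> ArpPacket:
    return ArpPacket(eth_src, "ff:ff:ff:ff:ff:ff", sender_mac, sender_ip,
                     "00:00:00:00:00:00", target_ip, opcode=1)


if __name__ == "__main__":
    sw, fa3 = build_switch(), Port("Fa0/3", 10)
    print(sw.inspect_arp(arp_request(CLIENT_MAC, CLIENT_MAC, CLIENT_IP, GATEWAY_IP), fa3, 0.0))
    print(sw.inspect_arp(arp_request(CLIENT_MAC, CLIENT_MAC, GATEWAY_IP, CLIENT_IP), fa3, 0.1))
```

The second call in the usage block is the classic gateway-spoofing ARP: the client's MAC claiming the gateway's IP. It passes every `validate` check because the frame is well-formed; only the binding-table lookup catches it, which is why DAI is useless on a VLAN whose DHCP snooping table is empty (for example right after a reload without `ip dhcp snooping database`).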
media-type {sfp | rj45} autofailover 33 | 34 | ## SPAN, RSPAN, ERSPAN 35 | 36 | * SPAN - local 37 | * RSPAN - Same source, dest vlan, ar RSPAN Dest RSPAN VLAN is source 38 | * ERSPAN - Encap'd RSPAN, avail in IOS-XE, Cat 6500, Nexus, can monitor Po, FE and GigE 39 | 40 | ### Restrictions 41 | 42 | * Orig config overwritten on dest port 43 | * Dest ports removed from EC 44 | * Dest dont support 802.1x or PVLANs 45 | * Dest dont support CDP, STP, VTP 46 | * Source can be one or more ports or a vlan, not mix 47 | * 64 span dests max on switch 48 | * Single SPAN cannot deliver traffic to dest when source is mix of SPAN, RSPAN and ERSPAN 49 | * SPAN dest cant be source 50 | * Only one dest session per source 51 | * Span dest passes only span traffic 52 | * Trunks can be source 53 | * Traffic routed from VLAN to source VLAN cannot be monitored (internal traffic) 54 | * RX Traffic transported with mod 55 | * TX after ACL, QoS etc, can exempt some 56 | 57 | ## VSS 58 | 59 | * One management plane, multiple devices 60 | * SSO - Stateful Switchover 61 | * NSF 62 | * One chassis active, one standby virtual switch 63 | * Active sup manages management, (SNMP, SSH), L2 protos, l3 protocols, software data path 64 | * Active programs PFC on standby 65 | * show switch virtual - shoes mode, domain, switch number, and peer switch number and roles 66 | * show switch virtual redundancy - Switch IDs, last switchvoer, mode, sw state, uptime, IOS version, conf reg 67 | * MAC for L3 from active 68 | * Stays same after switchover, only changes on full stack reboot 69 | * Can assign virtual macs 70 | * mac-address use-virtual 71 | 72 | ### Virtual Switch Link 73 | 74 | * EC 75 | * LB'd using EC alg 76 | * Frames encap'd with Virtual Switch Header, added by egress ASIC, stripped by ingress ASIC 77 | * Carries ingress port index, dest port index, VLAN, CoS 78 | * 32 bytes long 79 | * Placed after Ethernet preamable, before L2 header 80 | * VSL must be up before bringing up VSS 81 | 82 | ### 
Initilization 83 | 84 | * Sup says which ports part of VSL 85 | * Config preparsed for VSL commands and INTs 86 | * Link management Protocol on each VSL link - part of VSLP, rejects unid links, exchange switch IDs 87 | 88 | ### VSS Role Resolution 89 | 90 | * Role Resolution Protocol 91 | * Determines if hw/sw versions allow vss to form 92 | * Sees whats active/standby 93 | * If hw/sw/config check fails, revert to RPR (route-processor redundancy), all modules powered down 94 | * not NSF/SSO mode 95 | * If ports shut down on one side and not other, enough to fail check 96 | 97 | ### System PFC Operating mode 98 | 99 | * v3 and 4 - support for forwarding performance level and feature set 100 | * XL/non-xl - size and capacity of different hw resources (L2/L3 tables, acl entries etc) 101 | * Can preneg XL/non-xl 102 | 103 | ### VSL Redundancy 104 | 105 | * Must use specific types of 10g/40g ports 106 | * Port must be capable of adding VSH 107 | 108 | ### Initialiation process 109 | 110 | |Number|Chassis 1|Direction|Chassis 2| 111 | |------|---------|---------|---------| 112 | |1|Initilization|N/A|Initilization| 113 | |2|Pre-Parse config|N/A|Pre-Parse Config| 114 | |3|Bring up VSL linecards and ports|N/A|Bring up VSL linecards and ports| 115 | |4|Run VSLP|1 to 2, then 2 to 1|Run VSLP| 116 | |5|Run RRP|1 to 2, then 2 to 1|Run RRP| 117 | |6|Interchassis SSO|1 to 2, then 2 to 1|Interchassis SSO| 118 | |7|Continue bootup|1 to 2, then 2 to 1|Continue bootup| 119 | 120 | * Quad-Sup uplink forwarding - Redundant sup and reundant link per chassis 121 | * Cross connects 122 | 123 | * Adaptive load balancing - combats resetting hash value when adding nw ports 124 | * port-channel has-distribution adaptive 125 | 126 | * Port channels same source index, regardless of chassis 127 | * B'casts and unknown unicasts not sent back on VSL if rx'd on one 128 | * Control traffic to AVS, redirect through VSL from SVS 129 | 130 | ### Virtual Switch Mode 131 | 132 | * Requires conversion 133 | 
* Chassis reloads, operates in virtual mode 134 | * Switch ID 135 | * Unique per chassis 136 | * Part of int naming 137 | * switch set switch_num 2 138 | * If misconfig, VSL formation on initlization fails 139 | * Console disabled on standby 140 | * Complete once reached SSO Stanbdy Hot Redundancy Mode 141 | 142 | * Reload members with redundancy force-switchover 143 | * redundancy reload shelf 1 144 | * redundancy reload peer 145 | 146 | ### SSO 147 | 148 | * show virtual reundancy 149 | 150 | ### RPR-WARM 151 | 152 | * Only in VSS 153 | * Sync allows in chassis standby sup to reload and take over from active 154 | * Not stateful - linecards reload during sup reload 155 | 156 | ### In chassis standby boot process 157 | 158 | * Once it knows to be standby, determines if part of VSS 159 | * If so, boots to RPR-WARM 160 | * Loads new IOS image 161 | * Sup LC 162 | * Once loaded, runs as DFC-enabled line card 163 | 164 | * First switch up is active 165 | * If both at same time, lowest switch ID 166 | * Set priority with switch NUMBER priority NUMBER, highest preferred 167 | * With preemption, SSO performed if necessary 168 | * switch 2 preempt TIMER (time after VSL comes up) 169 | * Heartbeats across VSL detect sup failure 170 | 171 | ## Stackwise 172 | 173 | * up to 9 in stack 174 | * Stackwise plus or sstackwise ports 175 | * plus on 3750x or e, 3750 non plus 176 | * Homogenous - all one type 177 | * Mixed stack - any model, or same model diff features, or both 178 | * Switch stack ID'd by Bridge ID, and if L3, router MAC (determined by master) 179 | * Stack member number 180 | * Stack number priority - highest becomes new master on failure 181 | * Master has start and running configs 182 | * Each member has copy for backup 183 | * If switch replaced with identical model, gets same config 184 | * Membership change causes no interruptions, unless stack master gone, or adding powered on switch 185 | * Powered on switches causes masters to elect n/w each aother, and 
other memebrs to reboot 186 | 187 | ### Election 188 | 189 | 1. Current stack master 190 | 2. Highest priority 191 | 3. Not using default int-level config 192 | 4. Highest priority feature and image combination 193 | * IP services and crypto 194 | * IP services no crypto 195 | * IP Base and crypto 196 | * IP Base no crypto 197 | 5. Lowest MAC 198 | 199 | * No preemption 200 | * If stack master changes, BID and router MAC could change 201 | * Enable persistent mac 202 | 203 | * show switch - shows switch members 204 | * default is 1 205 | * Takes lowest number when joining stack 206 | * `switch CURRENTNUM renumber NEW` 207 | * Resets config if none associated 208 | * Cannot use on provisioned switch 209 | * `switch NUM priority VALUE` 210 | * `switch NUM provision TYPE` 211 | * Enables ability to config for switch not up yet 212 | * if type doesn't match, default config applied 213 | * If numbe conflicts, renummered and applies provisioned config 214 | * SDM Mismatch 215 | * Resolved after version mismatch 216 | * All members must run IOS image and feature set to ensure compat 217 | * show platfcorm stack-manager all 218 | * Same IOS means same version 219 | * Same major versions but different minors particually comptaible 220 | * Will try to upgrade 221 | * Can advise if no image found which to use 222 | * Default stack mac addr timer disabled, member number 1, priority 1, offline config (not provisioned) 223 | 224 | 225 | ## IOS-XE 226 | 227 | * Kernel based open system 228 | * Cross platform 229 | * IOS as daemon 230 | * Each process balances among CPUs and cores 231 | * IOSd supports multiple threads 232 | * Can control apps 233 | * Common Management Enabling Technology, CLI, XML, SNMP, HTTP 234 | * Uses off the shelf drivers and Cisco-specific drivers 235 | * Wirehsark works on Cat4500 for example 236 | * All routing protocols in IOSd 237 | * 64 bit, memory above 4gb 238 | * Kernal Allocates virtual memory to IOSd, IOSd allocates memory to functions 239 | * 
Memory protection exists, prevents corruption between processes 240 | * FFM - Forwarding And Feature Manager 241 | * FED - Forwarding Engine Driver 242 | * FFM - APIs for Control Plane processes, programmes FED, maintains forwarding states 243 | * FED - Drivers affect data planes 244 | 245 | # Timers 246 | 247 | # Processes 248 | 249 | # Config 250 | 251 | **SPAN** 252 | ``` 253 | monitor session 1 source int 254 | monitor session 1 dest int 255 | ``` 256 | 257 | **Complex SPAN Config** 258 | ``` 259 | monitor session 1 source int Fa0/18 rx 260 | monitor session1 filter vlan 1-3, 229 <--- do not monitor 261 | monitor session 1 dest interface Fa0/24 encap replicate 262 | ``` 263 | 264 | **RSPAN** 265 | Source 266 | 267 | ``` 268 | vlan 199 269 | remote span 270 | 271 | monitor session 3 source vlan 66-68 rx 272 | monitor session 3 destination remote vlan 199 273 | ``` 274 | Destination 275 | ``` 276 | vlan 199 277 | remote span 278 | 279 | monitor session 63 source remote vlan 199 280 | monitor sesison 63 destination interface Fa0/24 281 | ``` 282 | 283 | * Range of VLANs for session IDs must be 1-66 284 | 285 | **ERSPAN** 286 | 287 | Source 288 | ``` 289 | monitor session 1 type erspan-source 290 | source interface Gi0/1/0 rx 291 | no shutdown 292 | destination 293 | erspan-id 101 294 | ip address 10.1.1.1 295 | origin ip address 172.16.1.1 296 | ``` 297 | 298 | Destination 299 | ``` 300 | monitor session 2 type erspan-destination 301 | destination interface Gi2/2/1 302 | no shutdown 303 | source 304 | erspan-id 101 305 | ip address 10.1.1.1 306 | ``` 307 | 308 | ## Conversion to Virtual Switch Mode 309 | 310 | ``` 311 | switch virtual domain 100 312 | switch 1 313 | 314 | int port-channel 1 315 | switch virtual link 1 316 | 317 | int po2 318 | switch virtual link 2 (link number same as switch ID) 319 | 320 | int Ten5/4-5 321 | channel-group 1 mode on 322 | no shut 323 | 324 | switch conver mode virtual 325 | ``` 326 | 
-------------------------------------------------------------------------------- /quick-notes/ipaddressing.md: --------------------------------------------------------------------------------
# Messages

# Timers

# Trivia

## NAT

* Inside Local - inside host's address as seen on the inside (usually private)
* Inside Global - inside host's address as seen from the outside (usually public)
* Outside Local - outside host's address as seen from the inside
* Outside Global - outside host's real address

## IPv6

### General Prefix

* Defined once, like a summary; changing the general prefix changes every more-specific address derived from it

### Extension headers

* Next Header field says whether another header follows
* Each EH points either to the upper-layer protocol or to the next EH
* Includes hop-by-hop options, destination options, routing header, AH, ESP, fragment header, mobility header etc.
* Can be matched by ACLs

### Stateful DHCP

* Clients multicast to FF02::1:2 (all DHCP relay agents and servers)
* Clients find routers with ND (RS/RA)
* Managed (M) flag in the RA tells the client to use stateful DHCPv6
* Can delegate v6 prefixes to leaf CPEs

### Stateless DHCP

* Other (O) flag in the RA: address from SLAAC, other config (DNS etc.) from DHCPv6

### DHCPv6-PD

* Prefix delegation - a router hands out sub-prefixes of a larger prefix
* eg 2001:db8::/32, hand out /48s from it
* The client router receives the /48 and numbers its interfaces from it

### Transition technologies

**NAT-PT**
* Not recommended when hosts are dual-stacked
* Static - v6 mapping to a v4 address (v4 must be stable)
* Dynamic - pooled temporary addresses; at least one static mapping for the v4 DNS server; ACLs decide what gets translated
* PAT - single v4 address
* IPv4-mapped - ACL check whether the source is in the list; if a source-translation rule matches, the last 32 bits of the destination v6 address are the v4 address
* DNS ALG - v4 answers converted to v6 addresses, DNS packets translated

**NAT64**
* Stateless - v6 to v4 and vice versa with no state; supports v4- or v6-initiated comms
* Stateful - creates/modifies bindings
* ALG required when IP info is carried in the payload (FTP, SIP)
* AFT (Address Family Translation)
* Fragmentation: the stateless NAT64 translator fragments the v6 datagram and sets DF in the v4 header

**Stateful caveats**
* No multicast
* Cold redundancy only
* No options, routing headers etc.
* No VRF support
* TCP/UDP only
* v6 to v4: destination IP must match the stateful prefix (NAT64 hairpin); source must not match one (dropped if it does)
* No route-maps
* No ICMP or FTP ALGs
* Only v6-initiated sessions
* Can't have NAT44 and NAT64 on the same interface
* Source v6 address is mapped to the configured v4 pool
* Destination v6 address is based on the NAT64 stateful prefix or the well-known prefix (64:ff9b::/96)
* Translated and forwarded

## IPv4 Options

* Options 0 and 1 are exactly one octet (the type field)
* All others: one type octet, one length octet, then variable-length data
* Type = 1 copied bit, 2-bit class, 5-bit option number
* Copied bit = whether the option is copied into every fragment
* Class - 0 control, 2 debugging and measurement (1 and 3 reserved)
* Option numbers (full type octet in brackets)
  * 0 - end of option list
  * 1 - no operation
  * 2 - security (130) - security codes
  * 3 - loose source routing (131) - any intermediate routers may be used between the listed hops
  * 4 - internet timestamp (68)
  * 7 - record route (7) - records the route the datagram takes
  * 8 - stream ID (136) - 4 octets
  * 9 - strict source routing (137) - only the listed hops may be used
* Source-routed packets let a sender steer traffic through or around filters; IOS honours LSRR/SSRR by default, disable with `no ip source-route`

## Static NAT and IP Aliasing

* By default static NAT installs a local alias for the global address, so the router answers ARP for it (it does not terminate the connection itself)
* `no-alias` on the `ip nat inside source static` command prevents that alias
* Result: the router will not respond to ARP for that global address

## Policy NAT

* The same inside source can be translated to different global IPs depending on destination (route map)

## Stateful NAT with HSRP

* State info must be transferred before a state change
* Two modes: HSRP mode or active/backup (primary/backup) mode
* UDP comms for stateful
info 107 | * Can use TCP 108 | 109 | ## Stateful NAT 110 | 111 | * Allows for Inside/Outside assymetry 112 | * Works with some ALGS 113 | 114 | ## Reversible NAT 115 | * Allows comms from outside to inside, after initiation of inside to outside 116 | * `ip nat inside source route-map NAME pool NAME reversible` 117 | 118 | ## NAT Virtual INT 119 | * Removes requirement for inside outside config on different ints 120 | * `ip nat enable` on interface, nat on a stick 121 | * Dynamic has pools, staticdoesnt 122 | 123 | ## Extendable NAT 124 | * Allows one source, multipel translations 125 | * Can be used for accessing different internet conenctions 126 | 127 | # Processes 128 | 129 | # Config 130 | 131 | ## NAT 132 | 133 | **Static** 134 | 135 | ``` 136 | int E0/0 137 | ip nat inside 138 | 139 | int E0/1 140 | ip nat outside 141 | 142 | ip nat inside source static 10.1.1.1 8.8.8.1 143 | ``` 144 | 145 | **NAT pool** 146 | 147 | ``` 148 | int E0/0 149 | ip nat inside 150 | 151 | int E0/1 152 | ip nat outside 153 | 154 | ip nat pool fred 8.8.8.3 8.8.8.4 netmask 255.255.255.252 155 | ip nat inside source list 1 pool fred 156 | access-list 1 permit 10.1.1.0 255.255.255.0 157 | ``` 158 | 159 | **Overload** 160 | 161 | ``` 162 | int E0/0 163 | ip nat inside 164 | 165 | int E0/1 166 | ip nat outside 167 | 168 | access-list 1 permit 10.1.1.0 255.255.255.0 169 | ip nat inside source list 1 pool fred overload 170 | OR 171 | ip nat inside source list 1 interface E0/1 overload 172 | ``` 173 | 174 | ## Stateless NAT64 config 175 | 176 | ``` 177 | nat64 enable 178 | nat64 prefix stateless 2001:0db8:0:1::/96 <--- add 32 bit v4 to this 179 | nat64 route 203.0.113.0/24 Gi0/0/0 <--- routes v4 traffic to correct v6 int 180 | ipv6 route 2001:db8:0:1::CB00:7100/120 Gi0/0/0 <--- Routes translated packets to v4 address 181 | ``` 182 | 183 | **Multiple prefixes** 184 | ``` 185 | nat64 prerix stateless v6v4 2001:0db8:0:1::/96 <--- On interface 186 | nat64 prefix stateless v4v6 2001:db8:2::/96 
<--- On interface 187 | ``` 188 | 189 | ## Stateful 190 | 191 | **Static** - As per stateless except 192 | 193 | ``` 194 | nat64 prefix stateful PREFIX/LENGTH 195 | nat64 v6v4 static V6ADDR V4ADDR 196 | ``` 197 | 198 | **Dynamic** - no static part 199 | ``` 200 | nat64 v4 pool NAME STARTIP ENDIP 201 | nat64 v6v4 list ACL pool NAME 202 | ``` 203 | 204 | ## DHCPv6-PD 205 | 206 | **Server** 207 | ``` 208 | ipv6 dhcp pool dhcpv6 209 | 210 | prefix-delegation pool dhcpv6-pool1 lifetime 1800 600 211 | 212 | ipv6 local pool dhcpv6-pool1 2001:db8:1200::/40 48 213 | 214 | int Se0/0 215 | ipv6 dhcp server dhcpv6 216 | ``` 217 | 218 | **Client** 219 | 220 | ``` 221 | int Se0/0 222 | ipv6 address autoconfig default 223 | 224 | ipv6 dhcp client pd prefix-from-provider <--- NAME 225 | 226 | int Fa0/0 227 | ipv6 address prefix-from-provider ::1:0:0:0:1/64 228 | ``` 229 | 230 | **PAT** - Add overload to above command 231 | 232 | ## General prefix 233 | 234 | ``` 235 | ipv6 general-prefix NAME prefix/length|6to4 INT 236 | 237 | int e0/0 238 | ipv6 address PREFIX-NAME sub-bits/length 239 | ``` 240 | 241 | # Policy NAT 242 | 243 | ``` 244 | access-list 102 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80 245 | access-list 103 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443 246 | 247 | route-map One 248 | match ip address 102 249 | set int Fa0/0 250 | 251 | route-map Two 252 | match ip address 103 253 | set int Fa0/1 254 | 255 | ip nat inside-source route-map NAME int Fa0/0 256 | ip nat inside source static 1.1.1.1 1.1.1.3 route-map NAMES 257 | ``` 258 | 259 | ## Stateful NAT with HSRP 260 | 261 | ``` 262 | int E0/0 263 | standby GROUP ip 264 | standby GROUP preempt delay ..... 
265 | 266 | ip nat stateful-id NUMBER redundancy HSRPGROUP mapping-id NUM [protocol udp] [as-queuing disable] 267 | ip nat inside source route-map NAME pool NAME mapping-id NUMBER [overload] 268 | ``` 269 | 270 | ## Stateful NAT with Active/Backup 271 | 272 | ``` 273 | ip nat stateful id NUM primary IP peer IP mapping-id NUM 274 | ip nat inside source route-map NAME pool NAME mapping-id NUMBER [overload] 275 | ``` 276 | 277 | * Backup instead of primary for standby 278 | 279 | ``` 280 | ip nat inside destination LIST NUM pool NAME mapping-id ID 281 | ip nat outside source static GLOBIP LOCIP extendable mapping-id ID 282 | ``` 283 | * Above allows ALG 284 | 285 | ## NAT Default Interface 286 | 287 | ``` 288 | ip nat inside source-list ALL interface S0/0 overload --- Inbound out 289 | ip nat inside source static X.X.X.X int Se0/0 --- Outbount in to X.X.X.X 290 | ``` 291 | 292 | # Verification 293 | 294 | ``` 295 | show nat64 aliases 296 | show nat64 logging 297 | show nat64 prefix stateful 298 | show nat64 timeouts 299 | ``` 300 | 301 | ## Stateful NAT 302 | 303 | ``` 304 | show ip snat distributed verbose 305 | ``` 306 | 307 | ## Extendable NAT 308 | 309 | ``` 310 | ip nat inside source static 10.0.0.1 100.0.0.2 extendable 311 | ip nat inside source static 10.0.0.1 200.0.0.2extendable 312 | ``` 313 | -------------------------------------------------------------------------------- /quick-notes/ipforwarding.md: -------------------------------------------------------------------------------- 1 | # Messages 2 | 3 | # Timers 4 | 5 | # Trivia 6 | 7 | * FCS checked, if errors dropped 8 | * No header checksum in v6 9 | 10 | ## CEF 11 | 12 | * L2 headers preconstructed 13 | * Constructed as routing table constructed 14 | * Each enry in FIB has pointer to adj entry 15 | * Recursion resolved on FIB creation 16 | * FIB entries for same next hop point to same entry 17 | * v4 and v6 had different adj entries, diff preconscructed headers 18 | * ip cef 19 | * ipv6 cef 20 | 21 | ### 
Load sharing 22 | * Per packet 23 | * Per dest - default 24 | * Pseudo load share table b/w fin and adj - 16 pointers to entries in adj 25 | * Entries populate so ratio of adj to cost of parallel routes - 8 per path for 2 ECMP, 5 per path for 3 ECMP routes 26 | * `ip load-share { per-destination | per-packet }` 27 | 28 | ## Polarization 29 | 30 | * All loadshare to same link a lot of the time (all meeting same criteria) 31 | * 4B long number called universal ID used as seeding function, different per router (hence different results) 32 | * Algoritihms - Original (unseeded), Universal (seeded), Tunnel, L4 part (based on universal) 33 | * `ip cef load-sharing algorithm` and `ipv6 cef load-sharing algorithm` 34 | * On cat6500 and others, `mls ip cef load-sharing` 35 | * Default - source, dest IP, uni id 36 | * Full - Source IP/Port, Dest IP/port - polarization 37 | * Simple - Source and dest, no uni ID 38 | * Full simple - Fewer adjs in hardware, similar to Full 39 | 40 | ## Internal Vlans 41 | 42 | * 1006 and up, or 4094 down 43 | * `vlan internal allocation policy { ascending | descending }` 44 | * show vlan internal usage 45 | 46 | ## Policy routing 47 | 48 | * ip policy on interface 49 | * Route map specifies action 50 | * SDM prefer template on certain platforms (3650 and 3860 need advanced, others need routing/access/dual-ipv4-and-ipv6-routing) 51 | * show sdn prefer 52 | * set ip next hop, set int, set default ip, set default interface - Processed in this order of preference 53 | 54 | ## IP Route Profile 55 | 56 | * Collects routing table statistics 57 | * `ip route profile` 58 | * Interval for stat collect set at 5s (fixed) 59 | * Collects Forward-Path change, Prefix-Add, Next-Hop Change, Path Count Change, Prefix Refresh 60 | * `show ip route profile` 61 | 62 | # Processes 63 | 64 | # Config 65 | -------------------------------------------------------------------------------- /quick-notes/isis-routing.md: 
-------------------------------------------------------------------------------- 1 | # Messages 2 | 3 | ## Packet Types 4 | 5 | **Hello** 6 | * IIH - separate for L1 and L2 on b'cast 7 | * L1L2 on P2P 8 | 9 | **LSP** 10 | * Smallest standalone element in LSDB is entire LSP 11 | * No different types, all TLVs 12 | * IDd by Sys ID of originator (6 octets) 13 | * Pseudonode ID - differentiates from LSP describing router, and LSP for MA networks in which router is DIS (1 octet) 14 | * LSP Number - Fragnumber of LSP (1 octet) 15 | * Triplet is LSPID 16 | * For LSPs describing themselves, PSID 0 17 | * Seq 32 bit, starts 0x00000001, end 0xFFFFFFFF, modificaiton increments, highest most recent, no wrapover, woudl need to turn off to expire or change sys ID 18 | * MTU limits payload size 19 | * Frag required, same sys, psid, frag number increments, starts at 0 20 | * frag only by originator (so end to end MTU but be no smaller than router) 21 | * Inside LSP 22 | * adj to neighbour routers/networks 23 | * Intra/Inter are prefix 24 | * Ext prefix 25 | * Addr info about all in LSP of each router in network 26 | * Topology info about network and connected rtrs from PS LSP 27 | * Gen'd by DIS 28 | * IS-IS rtr on a level gen's 1 LSP for itself, plus a PS LSP for each network a DIS in 29 | 30 | **CSNP** 31 | * Syncs LSPs 32 | * Seq refers to range of LSPIDs 33 | * Like DBDs 34 | * Complete list of LSPs in LSDB 35 | * Rx router compares own 36 | * Multiple senf if MTU filled 37 | * Full range start swith 0000.0000.0000.00-00 (Sys ID, PSID, LSP-ID) 38 | * Ends with FFFF.FFFF.FFFF.FF-FF 39 | 40 | **PSNP** 41 | * Liek LSR and LSA 42 | * Requests an LSP or acks arrival 43 | * On P2P, req's and acks 44 | * B'cast, PSNP req, ack'd with CSNP 45 | * Native on b'cast and P2P 46 | 47 | * Try to use P2P instead of hub-spoke or p2mp 48 | * B'cast links are mcast links in IS-IS 49 | 50 | # Timers 51 | 52 | * 10s hello default, 1-65535 range 53 | * `isis hello-interval seconds [level]` 54 | * 
Hold down multiplier of hello, default 3 55 | * `isis hello-multiplier MULTIPLIER [level]` 56 | * Don't need to match b/w neighs 57 | * DIS 1/3 of timers 58 | * LSP remaining lifetime is 1200 sec by default (20m) 59 | * LSPs refreshed every 15m 60 | * Deleted after lifetime, empty LSP with lifetime 0 (LSP purge) 61 | * No flushing yet, ZeroAgeLifetime of 60s first 62 | 63 | 64 | # Trivia 65 | 66 | * Messages in data link frames, so no need for IP, TCP etc as transport 67 | * Adj and addr info n TLVs 68 | * Define new TLV in existing topology for new AF 69 | * NSAP for entire node 70 | * Basic address is IDP (Initial Domain Part) and DSP (Domain Specific Part) 71 | * Variable length 72 | * AFI and IDI (Authority and Format ID, and Initial Domain ID) 73 | * Indicate routing domain for node 74 | * DSP 75 | * HO-DSP - Area/part node is in 76 | * Subfields - System ID - unique to Node, 1 to 8 octets long, usually 6 77 | * SEL (NSAP Selector/NSELF) - 1 octet 78 | * Usually AFI of 49 79 | * Minimum NSAP 8 octets with AFI, Sys Id and SEL, max 20 80 | * If SEL 0, entire address IDs dest node 81 | * NSAP with Sel 0 is NET 82 | * 49.XXXX.XXXX.XXXX.XXXX.00 83 | * L2 int is Sub Network Point of Attachment 84 | * IS enumerates ints with local 1 octet num, local circuit ID, increments 1 per int, begins at 0 for cisco 85 | 86 | ## Metrics, Levels, Adj 87 | 88 | * Default - required by all IS-IS imps 89 | * Delay, expense error, and default, all calc 4 different SPF trees 90 | * Default usually only one supported 91 | * Default metric 10 - isis metric METRIC [LEVEL] to set 92 | * Originally 6 bytes wide, range of 1 to 63 for ints, path 1 to 1023 (10 bits) 93 | * Wide metrics make 24 bits per int, 32 per path 94 | * LSP for each level 95 | * L1 and L2 LSPs describe adj at each level 96 | * LSPs never leak between L1 and L2 97 | 98 | ### Adj stats 99 | 100 | * Down - No IIH from neigh 101 | * Initializing - IIH from neigh, not certain neigh rx'd own IIH 102 | * Up - IIH from nei, 
known neigh sees IIH

## Over P2P

* No bidi check initially
* Added 3-way handshake
* Router has LCIDs (on P2P only in IIH)
* On b'cast, LCID is PSID if router is DIS
* Extended LCID (4 octets long), over 256 LCIDs originally
  * Auto assigned
* Adj state TLV has the following
  * Adj 3-way state
  * Extended LCID
  * Neighbour Sys ID
  * Neighbour Extended LCID
* IETF handshake - TLV accepted if:
  * Neigh Sys ID and Ext LCID not present
  * Neigh Sys ID matches own Sys ID, same for neigh ext LCID
* All LSPs marked for flooding over P2P
* CSNPs sent
  * Could be exchanged before LSP transmission takes place (periodic scheduling)
  * Unmarks LSPs already held
  * Don't need above as usually done - every LSP must be ack'd
  * Can send CSNPs to ack with `isis csnp-interval INTERVAL [level]`

## Over B'cast

* 802.2 LLC, DSAP and SSAP set to 0xFE
* L1 packets m'cast to 0180.c200.0014, L2 to 0015
* IIH detects neigh
* Lists neighbouring routers on b'cast int in IIH
* If own SNPA in IIH, bidi
* If not, initializing

### DIS

* No backup DIS
* Router with highest int priority
  * Highest SNPA
  * Highest Sys ID (if on FR, ATM)
* Priority in 0-127 range
* `isis priority VALUE [level]`
* 0 excludes
* Preemptive
* Performed on each rx'd IIH
* All routers fully adjacent
* Every router sends LSP on b'cast link
* Helps routers sync
* Represented in LSDB as standalone object (pseudonode)
* 10s CSNP
* Reference point of LSPs
* No ack of LSPs, just seen in next CSNP
* PSNP only for LSP req
* DIS originates PS LSP
* Remaining routers update LSPs to point to new PS LSP if it fails

## Areas

* Neighbouring L1s in diff areas never adj
* L2 routers advertise DC'd networks and all other L1 routers from own area
* IP routing info computed from L1 LSDB injected into LSP (LSPs not directly leaked)
* L1 like OSPF Totally Stubby
* Flags in show isis database
  * ATT - For L1 router to point def route to (for when L2 calc'd and can reach other areas besides own)
  * P (Partition Repair) - Heals partitioned area over L2 subdomain
  * O - Unable to store all LSPs in memory, so don't use computed path
    * Can be set on reboot, or BGP signals convergence
* summary-address - under process

## Auth

* IIH independent of LSP, CSNP and PSNP
* Auth is a TLV
* LSPs not modded, so all within same area have same PW
* Can pass IIH auth but fail LSP/CSNP/PSNP auth
* Key IDs not carried, so only key-string needs to match

## v6 support

* No different from v4 (as ISIS not v4 specific anyway)

# Processes

## P2P 3 way handshake - Cisco

`isis three-way-handshake cisco`
1. If router rx's IIH with 3-way state down: Router A hears B, B might not hear A, state of initializing sent in IIH
2. B sees initializing, knows own IIH worked, sends up state
3. When A sees IIH up, bidi confirmed

## P2P IETF 3 way

`isis three-way-handshake ietf`
* If no IIH from B, A sends IIH with extended LCID only, set to Router A's outgoing int ID
* When IIH arrives and is accepted, puts B's Sys ID in neigh Sys ID field, Ext LCID in Neighbour Ext LCID field

# Config

## Auth

**LAN IIH**
```
isis authentication mode {text | md5} level-{1 | 2}
isis authentication key-chain NAME level-{1 | 2}
```

**P2P IIH**
```
isis authentication mode {text | md5}
isis authentication key-chain NAME
```

**LSP, CSNP, PSNP**
```
authentication mode {text | md5} level-{1 | 2}
authentication key-chain NAME level-{1 | 2}
```

## IPv4 and IPv6 config

```
int Lo0
ip address 1.1.1.1 255.255.255.255
ip router isis
ipv6 address 2001:DB8:2:3::1/128
ipv6 router isis

int Se0/0/0
ip address 10.2.34.4 255.255.255.0
ip router isis
ipv6 address FE80::3 link-local
ipv6 address 2001:db8:2:34::3/64
ipv6 router isis
isis authentication mode md5
isis authentication key-chain ISISAuth
isis three-way-handshake ietf

int Se0/0/1
ip address 10.12.23.3 255.255.255.0
ip router isis
isis circuit-type level-2-only
isis metric 100 level-2

router isis
net 49.0002.0000.0000.0003.00
metric-style wide
authentication mode md5 level-1
authentication key-chain ISISAuth level-1
summary-address 10.2.0.0 255.255.255.0
address-family ipv6
summary-prefix 2001:db8:2::/32
exit-address-family
```

# Verification

```
show clns - Info about router's NET and Integrated ISIS mode
show clns is-neighbors - Neighbour info
show clns neighbors - SNPA of neighbour (for HDLC and PPP, text description shown)
show clns interface
show isis neighbors
show isis database detail
show ip route isis
```
--------------------------------------------------------------------------------
/quick-notes/lfa.md:
--------------------------------------------------------------------------------
# Messages

# Timers

# Trivia

## EIGRP

* Only paths reachable through P2P ints protected
* No v6 support

### LFA Comp

* Pre-computed next hop route
* LFA forwards without knowing of failure
* Computed per link or per prefix (link only protects next hop, not destination)
* EIGRP does prefix

**Tie Breakers**
* interface-disjoint
* linecard-disjoint
* lowest-repair-path-metric - If metric high, eliminate
* SRLG-disjoint

## OSPF

* Not supported on VL head ends
* Only in global VRF
* TE cannot be protected int
* TE tunnel can be in repair path, won't verify placement
* Not all routes have repair paths
* Precomputes per-prefix repair paths, installed in RIB
* When primary fails, live over stored repair path

### Attributes

1. srlg
2. primary-path
3. interface-disjoint
4. lowest-metric
5. linecard-disjoint
6. node-protecting
7. broadcast-interface-disjoint

* Usually keeps in local RIB only best among all candidates, can keep more (more memory)

## BGP

### PIC Edge

* BGP and IP MPLS up and running, site multihomed
* Backup/alternate has unique next hop
* BFD to detect link failures
* For BGP multipath, PIC already supported
* For v4, v6, vpnv4, vpnv6
* If RR only in control plane, don't need PIC (PIC is data plane)
* Doesn't support NSF with SSO, ISSU
* Only for single network failure
* Doesn't work with BGP Best External

### Convergence improvements

* Second best path calc'd, backup into BGP RIB
* Alternate route installed in RIB
* Stores alt path per prefix in CEF forwarding table
* CEF listens to BFD
* When primary lost, backup searched in prefix independent manner
* MPLS switches if primary disappears
* Two types of failure: core node/link (iBGP), detected through IGP convergence
* Local link/immediate node - requires BFD
* Data plane convergence - CEF detects alt next hop for all prefixes affected by failure
  * Subsecond
* Control plane - Learns through IGP/BFD, withdraws prefixes

### Improving MPLS VPN local convergence

* Maintains local label for 5 minutes, ensures traffic uses backup/alternate
* `protection local-prefixes`
  * VPNv4 AF - protects all VRFs
  * VRF-IPv4 protects only v4 VRFs
  * Router config mode protects global table

### CEF Forwarding Recursion

* Need to disable when using PIC as it searches all FIB entries
* Disabled for next hops with /32 mask and next hops directly connected
* `bgp recursion host` - for host routes
* Default enabled on vpnv4/v6, disabled on v4/v6 when PIC enabled
* Disable for DC'd hops with `disable-connected-check`

## BGP Add Paths

* Adv multiple paths for same prefix
* Adds path ID for each path in NLRI
* Similar to RD, except any AF
* ID unique to peering session
* Gen'd per network
* Stops overriding announcements
* Different update groups for negotiated capability

## BGP NHT

* Enabled by default on IOS
* Event driven
* Tracks prefixes when peers establish
* Picked up when RIB updates
* Best path calc run between scanner cycles, only next hop changes tracked and processed
* Scanner monitors next hop reachability, every 60s

### Selective

* Implemented as part of selective tracking
* Route map defines routes allowed to resolve BGP next hop
* `bgp nexthop` - Allows config of length of prefix that applies to NH attribute
* If next-hop route fails route-map, marked as unreachable
* Match IP addr or source-protocol in RM

## BGP Support for Fast Peering Session Deactivation

* Event driven, per neighbor, monitors session, adj changes detected
* In between BGP scanning interval

### Selective

* Route map, neighbor fall-over - determines if peering session reset when route to peer changes
* Route map evaluates new route
* If deny returned, session reset

# Processes

## BGP Add paths

1. Specify if device can send/rx or both, in AF or neighbour (capability negotiation)
2. Select candidate paths
3. Advertise for a neighbour

# Config

## EIGRP

**LFA FRRs per Prefix**
```
router eigrp dave
address-family ipv4 unicast autonomous-system 65001
topology base
fast-reroute per-prefix { all | route-map NAME }
fast-reroute load-sharing disable - When selection of LFAs tie breaking, disable load sharing
fast-reroute tie-break { interface-disjoint | linecard-disjoint | lowest-backup-path-metric | srlg-disjoint } priority-number
```

## OSPF

```
router ospf 1
fast-reroute per-prefix enable prefix-priority LEVEL - Low pri (all same eligibility), high pri (only high protected)
prefix-priority high route-map TEST
fast-reroute per-prefix tie-break ATTRIBUTE [required] index LEVEL
fast-reroute keep-all-paths

route-map TEST permit
match tag 11

int Fa0/0
ip ospf fast-reroute per-prefix candidate disable
```

## BGP

**PIC**

```
router bgp
address-family BLA
bgp additional-paths install
bgp recursion host
neighbor X.X.X.X fall-over bfd
```

**Add Paths**
```
router bgp 65000
address-family ipv4/ipv6 unicast
additional-paths receive
additional-paths send
additional-paths selection route-map NAME
```

**Add Paths per neighbour**
```
router bgp 65000
neighbor X.X.X.X remote-as 65001
address-family ipv4/ipv6 unicast
capability additional-paths receive [disable]
capability additional-paths send [disable]
```

* Overrides AF

**Peer Policy**
```
router bgp 65000
template peer-policy NAME
capability additional-paths receive
capability additional-paths send
neighbor x.x.x.x remote-as 65001
address-family ipv4 unicast
inherit peer-policy NAME SEQ-NUMBER
```

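The path ID from the BGP Add Paths notes above, as an added Python example that is not part of these notes or of any IOS code. It encodes and decodes IPv4 unicast NLRI with and without the RFC 7911 path identifier and shows why both peers must negotiate the capability (hence the separate update groups): the same bytes parsed without it come out as bogus prefixes and then a truncation error. The prefixes and path IDs are constructed sample values.

```python
"""Added example (not from the notes): BGP ADD-PATH NLRI encoding (RFC 7911).

With ADD-PATH negotiated, every IPv4 unicast NLRI in an UPDATE carries a
4-byte Path Identifier in front of the usual <length, prefix> encoding.
All data below is constructed; no real peering is involved.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

Nlri = Tuple[Optional[int], str]  # (path identifier or None, "prefix/len")


def encode_prefix(prefix: str) -> bytes:
    """Classic NLRI item: 1-byte prefix length in bits, then only the
    octets needed to hold that many bits."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_nlri(paths: List[Nlri], add_path: bool) -> bytes:
    out = b""
    for path_id, prefix in paths:
        if add_path:
            if path_id is None:
                raise ValueError("path identifier required when ADD-PATH negotiated")
            out += struct.pack("!I", path_id)  # unique per peering session
        out += encode_prefix(prefix)
    return out


def decode_one(data: bytes, pos: int, add_path: bool) -> Tuple[Nlri, int]:
    """Decode a single NLRI item at `pos`; returns (item, next position)."""
    path_id = None
    if add_path:
        if pos + 4 > len(data):
            raise ValueError("truncated path identifier")
        path_id = struct.unpack_from("!I", data, pos)[0]
        pos += 4
    if pos >= len(data):
        raise ValueError("missing prefix length")
    plen = data[pos]
    pos += 1
    if plen > 32:
        raise ValueError(f"invalid prefix length {plen}")
    nbytes = (plen + 7) // 8
    if pos + nbytes > len(data):
        raise ValueError("truncated prefix")
    raw = data[pos:pos + nbytes] + b"\x00" * (4 - nbytes)
    pos += nbytes
    return (path_id, f"{ipaddress.IPv4Address(raw)}/{plen}"), pos


def decode_nlri(data: bytes, add_path: bool) -> List[Nlri]:
    out, pos = [], 0
    while pos < len(data):
        item, pos = decode_one(data, pos, add_path)
        out.append(item)
    return out


def parse_with_mismatch(wire: bytes) -> Tuple[List[Nlri], Optional[str]]:
    """Parse ADD-PATH-encoded NLRI as if the capability had NOT been
    negotiated: returns the bogus prefixes produced before the parser
    finally fails, plus the error that stopped it."""
    out, pos = [], 0
    try:
        while pos < len(wire):
            item, pos = decode_one(wire, pos, False)
            out.append(item)
        return out, None
    except ValueError as exc:
        return out, str(exc)


# Constructed sample: two paths for the same prefix, distinguished by path ID.
SAMPLE_PATHS: List[Nlri] = [(1, "10.1.0.0/16"), (2, "10.1.0.0/16")]

if __name__ == "__main__":
    wire = encode_nlri(SAMPLE_PATHS, add_path=True)
    print(wire.hex())
    print(decode_nlri(wire, add_path=True))
    print(parse_with_mismatch(wire))
```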
**Filtering add paths**
* Match on prefix of add paths that are candidates
* set path-selection all advertise

**Selective Next-Hop Route Filtering**
```
router bgp 65000
address-family ipv4 unicast
bgp nexthop route-map CHECK-NEXTHOP
bgp nexthop trigger delay TIMER - Max 100s, default 5s, full table walks to match IGP parameters
no bgp nexthop trigger enable

ip prefix-list FILTER seq 5 permit 0.0.0.0/0 le 25

route-map CHECK-NEXTHOP deny 10
match ip address prefix-list FILTER

route-map CHECK-NEXTHOP permit 20
```

**Fast Session Deactivation**
*Per neighbour*
```
router bgp 65000
address-family
neighbor X.X.X.X remote-as 65001
neighbor X.X.X.X fall-over
```

*Selective*
```
router bgp 65000
neighbor X.X.X.X remote-as 65001
neighbor X.X.X.X fall-over [route-map NAME]

ip prefix-list FILTER seq 5 permit 0.0.0.0/0 le 25

route-map CHECK-NEXTHOP deny 10
match ip address prefix-list FILTER

route-map CHECK-NEXTHOP permit 20
```
--------------------------------------------------------------------------------
/quick-notes/mpls.md:
--------------------------------------------------------------------------------
# Messages

## Header and label

* 4 bytes
* Before IP header
* 20 bit label field
* Label, EXP, Bottom of Stack and TTL

## Hellos

* Multicast on 224.0.0.2
* UDP 646
* Has LSR's LDP ID - 32 bit dotted decimal, 2 byte label space number (0 for frame based)
* Transport address transmitted if set
* TCP after neighbour discovery
* After TCP up, adv all local bindings and prefixes
* LDP ID like router ID

# Timers

# Trivia

* CEF creates FIB, entry for each dest IP prefix
* CEF adj lists data link header
* LSR uses CEF FIB and LFIB for forwarding
* Label info in both, outgoing int and next hop
* FIB and LFIB differ (incoming unlabelled and labelled)
* TTL - LSRs decrement; ingress E-LSR drops IP TTL and copies to MPLS; egress E-LSR drops MPLS TTL, pops MPLS header, copies to IP header
* Disabling TTL propagation - Ingress E-LSR sets MPLS TTL to 255, egress IP TTL unchanged
  * `no mpls ip propagate-ttl`
* Labels advertised back to router rx'd from

## MPLS LIB Feeding FIB and LFIB

* Best label chosen and outgoing int
* Populated into FIB and LFIB, both have best labels
* LIB has all labels
* Routing protocol loop prevention
* CEF required

## VPNs

* Outer - forwarding; inner - Bottom of Stack 1, identifies egress VRF
* Three components of VRF tables: RIB, CEF FIB (based on VRF's RIB), instances/process of routing protocol to CE
* RD is 64 bits long
  * First 2 bytes define format
  * IOS infers first 2 bytes based on 6 bytes of rd command
* RTs 8 bytes

## FEC

* Set of packets receiving same treatment by single LSR
* MPLS QoS could be different from another for same prefix
* MPLS TE - FEC is tunnel

## 6PE and 6VPE

* Allows v6 over v4 network
* For single label per prefix, 4000 max per box
* Edge routers dual stack
* Only static routes and BGP for v6 in VRF context
* PEs use v4-mapped v6 address for v6 prefix
* Next hop advertised by PE for both is v4 for v4 L3VPN routes, but with ::FFFF: prepended

### 6PE

* Customer's v6 prefixes inside global
* v6 labels/prefixes exchanged using labelled v6 over v4 BGP between PEs

### 6VPE

* Customer v6 prefixes in VRF
* v6 labels and prefixes exchanged via VPNv6

## Label filtering
* Create ACL
* Apply with `mpls ldp neighbor [vrf NAME] ADDRESS labels accept ACL`
* Will show in `show mpls ldp neighbor X.X.X.X detail` as ACL: 1
* Inbound filtering

## OSPF Sham Link

* Must be in VRF
* Must not be advertised by OSPF or BGP
* Must be /32 both sides (e.g. loopback)

## MPLS VPN Performance Tuning
* Used to take time with IGP in MP-BGP and scanner, now is instant
* `neighbor x.x.x.x advertisement-interval VALUE` - default waits 5s, set to 0 to speed up
* PE-BGP from VPNv4 to local VRF table - default 15s, can be 5-60s

## EIGRP SoO

* For partitioned EIGRP sites
* SoO ext-comm on a backdoor router interface
* Backdoor link cannot be alt path to reach prefixes in other partition
* Unique SoO per site, hence conf'd on all PEs and CEs that support same site
* IDs routes originated from a site, to prevent advertising back to source
* Can filter on SoO/per site basis
* Conf'd at int level
* Conf'd on inbound BGP route map on PE, applied to int with `ip vrf sitemap` config
* Can work on backdoor links
* Define on interface of backdoor router
* Checked on EIGRP update (or reply)
* Process with EIGRP on PE/CE for each rx'd route that filters, based on the following
  * Rx'd route from BGP or CE rtr contains SoO that matches SoO on int
    * Prevents routing loops
  * Rx'd route from a CE that does not match SoO value
    * If route with SoO not matching, accepted
    * If route already installed but different SoO, SoO from topology used when redist to BGP
  * No SoO
    * From int appended

# Processes

# Config

## 6PE

```
ip cef
ipv6 cef
ipv6 unicast-routing

router bgp 1000
no sync
no bgp default ipv4-unicast
neighbor 10.108.1.12 remote-as 65200
neighbor 10.108.1.12 update-source Lo0
address-family ipv6
neighbor 10.108.1.12 activate
neighbor 10.108.1.12 send-label
```

## 6VPE

```
router bgp 1000
neighbor 2001::1 remote-as 65202
address-family ipv6 vrf VPE1
neighbor 2001::1 activate
address-family vpnv6
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
```

## OSPF Sham Link

```
router ospf 1 vrf NAME
area 1 sham-link SADDR DADDR cost NUMBER
```

## VRF for v4 and v6

```
vrf definition NAME
address-family ipv4
address-family ipv6

int Fa0/0
vrf forwarding NAME

vrf upgrade-cli - makes VRFs multi AF aware
```

## MPLS Host Routes

```
mpls ldp label
allocate global host-routes
```

## MPLS Auto Config

**OSPF**
```
router ospf 1
mpls ldp autoconfig [area ID]
```

* Disable per interface with `no mpls ldp igp autoconfig`
* `show mpls ldp discovery [detail]`

**ISIS**
```
router isis
mpls ldp autoconfig [level-1 | level-2]
```

* As before to remove
* `show isis mpls ldp`

# Verification

```
show mpls ldp bindings ROUTE - Shows LIB entries, remote and local
show mpls forwarding-table ROUTE - local entry, outgoing tag and int
show ip cef ROUTE internal - FIB entry
```
--------------------------------------------------------------------------------
/quick-notes/redist-summ-defroute.md:
--------------------------------------------------------------------------------
# Messages

# Timers

# Trivia

## Route Maps

* For redist, routes from current routing table

## Redistribution

* OSPF default cost 20 from IGP, 1 from BGP
* ISIS - 0, default type of L1

## Summarization

* EIGRP - `ip summary-address eigrp ASN 192.168.0.0 255.255.255.0 DISTANCE` - int, or done in af-interface, plus setting summary-metric within topology base
* OSPF - summary-address for ASBR, area 1 range for ABR; area is where component subnets are, not where to advertise

## Default routes

* Redistribution
  * Static route to 0.0.0.0 with redist static - EIGRP and RIP
* default-information originate - RIP, OSPF
  * OSPF - any defaults in routing table, default cost 1, E2
  * RIP creates and advertises if no default exists or from another protocol
  * If static, no injection as done with redist
* ip default-network - RIP, EIGRP
  * EIGRP - must be advertised by local router into EIGRP, flagged as candidate
  * RIP - no flag, no need to be advertised
* summary routes - EIGRP
  * Creates null route on local

## Performance Routing

* Interfaces
  * Internal - Connects to internal network, comms with PfR master controller
  * External - packets out of network, needs at least two
  * Local - forms control plane, defines source to communicate to PfR MC
* Auth - not optional, key chain auth
* MC - Talks to and auths BRs, monitors flows, applies policies; single MC supports 10 BRs or 20 exit ints
* Can run MC and BR on same device, still needs auth

# Processes

# Config

## AD change

* distance DISTANCE - RIP
* distance eigrp INTERNAL-DIST EXTERNAL-DIST
* distance ospf intra-area DIST inter-area DIST external DIST

## PfR

**MC**
```
key chain PFR_AUTH
key 1
key-string DAVE

pfr master
border 2.2.2.2 key-chain PFR_AUTH
int Se0/0.21 internal
int Fa0/0 external
border 3.3.3.3 key-chain PFR_AUTH
int Se0/0.31 internal
int Fa0/0 external
```

**BR**
```
key chain PFR_AUTH
key 1
key-string DAVE

pfr border
master 4.4.4.4 key-chain PFR_AUTH
local loopback 0
logging
port 3950
```

# Verification

```
PFR

show oer master border <--- MC Active on MC when both BRs up
```
--------------------------------------------------------------------------------
/quick-notes/rip.md:
--------------------------------------------------------------------------------
# Messages

* Request for full or partial update rather than waiting
* No partials on Cisco

# Timers

* 30s full table updates
* Invalid after - 180s, holddown starts after
* Holddown - 180s - routing entry stays in table until holddown expires
* Flushed after - 240s - reset after update - router removes route

# Trivia

* UDP 520
* 224.0.0.9
* On demand full update once, silent until changes
* Triggered updates
* Simple or MD5 auth
* Route tags allowed
* Can rewrite next hops
* Updates out each int every update timer
* 4 ECMP routes by default, can be between 1 and 16 (or 32 if better platform)
* Split horizon by default unless FR or ATM (seen in show ip interface)
* Route poisoning means backup path found quickly
* When route removed, marked as possibly down in database (can be repeatedly advertised as unreachable)
* Flash/triggered updates the moment change occurs
* Triggered extensions - On Demand Circuits
* Holddown used when updates could be lost in transit, next hop crashed, next hop router sees router as next hop (split horizon), RIP removed, summarization, next hop doesn't support poisoning
* After holddown, entry unlocked, convergence
* With auth, 24 routes instead of 25 per update (20 bytes for auth)
* Offset lists add to metric, before or after update

## Masks

* RIPv1 would send out route with no mask
* Incoming route assumes mask of rx'd interface

## V2 NH
* Next hop of 0.0.0.0 in packet means use router that sent update as NH

## RIPng

* UDP 521
* FF02::9
* No AFI support
* No auth support on IOS
* Split horizon per process only
* No passive ints
* No static neighbours
* Route entry of :: reverts to sender of message as next hop
* Multiple processes can be run (using name)
* Route poisoning activated per process
* Ints can have metric-offset value (applied to all updates, i.e. RIP link cost)
* Def route originated per interface

## Loop prevention

* Count to infinity - sudden increase in metric, accept and update; if reaches infinity, stop using next hop

# Processes

# Config

```
router rip
version 2
network 172.31.0.0
passive-interface Lo0 - Still processes updates, just doesn't send any
distribute-list BLA in/out (acl or prefix list), add int for outgoing int of route received

int Fa0/0
ip rip authentication mode text/md5
ip rip authentication key-chain NAME
```

```
ipv6 unicast-routing
ipv6 cef

int Fa0/0
ipv6 address 2001::1/64
ipv6 rip 1 enable
ipv6 rip 1 default-information only

int Se0/0
ipv6 address 2001:1::1/64
ipv6 rip 1 enable
ipv6 rip 1 metric-offset 3

ipv6 router rip 1
poison-reverse
```

## Per neighbour AD

```
distance VALUE IP MASK ACL
```
* Make mask 0.0.0.0 and IP the neighbour IP

## Conditional Default routing

```
default-information originate route-map NAME
```
* Set interface on route map sets interface adv out
* Use SLA and static route for reliability

## Send and RX versions

```
int Fa0/0
ip rip send version [1] [2]
ip rip receive version [1] [2]
```
--------------------------------------------------------------------------------
/quick-notes/rtp.md:
--------------------------------------------------------------------------------
* RTP for audio and video streaming, data protocol
* RTCP - Control protocol
  * Monitors transmission stats and QoS
  * Aids sync of streams

* RTP includes timestamps, seq numbers and payload format
* RTCP usually 5% of RTP bw
* RTP usually initiated by peers with signalling protocol (H323, SIP, XMPP), can use SDP to neg parameters
* RTP even ports, RTCP odd (i.e. next higher odd)
* RTP sessions ID'd by 32 bit number SSRC (sync'd source)
* Five RTCP payload types
  * Sender report
  * Receiver report
  * Source Description
  * Goodbye
  * Application-defined packet
--------------------------------------------------------------------------------
/quick-notes/stp.md:
--------------------------------------------------------------------------------
# Messages

* Protocol Ver in BPDU for STP of 0x00
* BID - 2 byte priority then MAC

# Timers

* BPDU lasts for MaxAge-MessageAge seconds
* MaxAge in STP default 20s

# Trivia

* IDs of bridge and ports, all configurable priority
* Config BPDUs compared, superior based on
  * RBID
  * RPC
  * Sender BID
  * Sender PID
  * Receiver PID (not in BPDU, local)
* Only config BPDUs compared
* One RP on non-root, one DP per seg
* Superior BPDUs stored that are sent/rx'd
* DP stores own, root and blocking store upstream
* All claim root until superior BPDU
* For BID in PVST+ and MST, priority 4 bits (4096), 12 bits for SysExId (usually VLAN ID), MAC Address Reduction
* Seen with `spanning-tree extend system-id`

## Convergence on new topology

* TC when TCN BPDU on DP, port moves to forwarding and switch has at least one DP, port goes blocking, or switch becomes root
* Switches age out unused CAM, forward delay (15s) to time out CAM

## PVST and STP over trunks

* STP per VLAN, different roots
* With 802.1Q and non-Cisco, only CST
* PVST+ runs on trunks as VLAN 1 STP instance
* CST regions bind for all VLANs
* CST as loop free shared seg
* PVST+ BPDUs encaped in m'cast dest of 0100.0CCC.CCCD (tagged with correct VLAN)
* SNAP encap (ordinary BPDUs LLC)
* TLV at end with VLAN number, checks for VLAN mismatches
* VLAN 1 on PVST+ uses standard BPDUs and PVST+ BPDU, latter only for mismatches
* If access port gets BPDU with wrong VLAN, type inconsistent
* On trunks, if tagged, BPDU in that VLAN; if no tag, native
* If PVID TLV match, processed, otherwise PVID inconsistent; PVID = port VLAN (not necessarily native)

## RSTP

* Discarding
* Learning
* Forwarding
* Alternate - Root backup
  * If RP lost, AP with best BPDU promoted
* Backup - DP backup
  * Takes over if DP fails, not rapid
  * Three BPDUs lost on DP, one remains best, rest back to Backup Discarding
* Edge or Non-Edge

### BPDU Format and Handling
* Proposal/Agreement bit, and also port states
* RSTP ages out BPDUs after 3 hellos, message age only a hop count
* Inferior BPDUs immediately accepted, as implies a change

### Proposal/Agreement
* On new link installation
* Both ends designated discarding
* DPs in discarding/learning send BPDU with proposal
* If one side sees BPDU now best, goes from DP to RP (stays discarding)
* Proposal on RP makes all non-edge DPs discarding (sync state)
* Once done, RP to forwarding, upstream changes to forwarding
* Cascades

### TCN handling
* BPDUs flooded with TC flag
* Switch seeing TCN sets tcWhile to hello plus 1 sec on all non-edge DP and RP (except where TC learned)
* Flushes MACs
* Sends TC flagged BPDUs on these ports until tcWhile expires

## RPVST+

* Non-p2p switches revert to 802.1D, or PVST to legacy switches

## MST

* Sys ID used
* 0-4095 instances (0-15 only on 2950)
* 65 active (0 plus 64 user)
* Single BPDU for all info
* IST is Instance 0
* IST for outside region
* All VLANs have same port state as IST on boundary
* MST region is single switch outside it
* CST has no per-VLAN ability
* CST cost only cost of links between regions (external)
* CST on region boundary merges with IST inside (CIST)
* Multiple roots: one for entire region, rest per region (CIST Regional Root)
* CIST Root - lowest BID from all CIST switches
* IST BID from IST priority, instance 0, base MAC
* All STP and RSTP switches in this (using only BIDs)
* Non-CIST-root regions have only switches at region boundary in IST root switch election
* IST root elected by lowest external RPC to CIST root, sum of all inter-region links to reach region from root
* Lowest IST BID if tie
* CIST Regional RP sitting on Region Root Switch is Master Port, provides connectivity to CIST root for all instances inside region

### Interop

* STP and RSTP - Speak exclusively on instance 0
* MSTP and PVST+ - Single representative on behalf of region, interaction determines port roles and states for all VLANs
* MST side works (as port role for all instances matches IST)
* MST must deliver info to PVST+ switches so every PVST+ instance makes same choice
* MST --> PVST+ - IST info replicated to PVST BPDUs on all active VLANs
* PVST+ --> MST - VLAN 1 instance for entire region
* MST boundary becomes RP if BPDUs superior to boundary port's own BPDUs, but best VLAN 1 PVST+ BPDU on boundary (i.e. CIST root in PVST+ region and VLAN 1)
  * All BPDUs checked to see if identical or superior to those in VLAN 1
  * If sysid ext in PVST+, cannot be identical, so would need to be at least 4096 lower than PVST+ VLAN
  * If not met, PVST simulation failed, port blocking
* MST boundary is non-DP if incoming VLAN 1 PVST+ BPDU superior, but not enough to be root; must monitor all PVST+ BPDUs
  * If true, port blocking; if not met, PVST simulation declared
* Best make MST region the root for all PVST+ instances

## Protecting and optimizing STP

* Portfast - Not part of Sync/PA
* Expects no BPDUs, otherwise portfast disabled

**BPDU Guard**
* Per port, or globally
* Err-disables port on BPDU rx
* `spanning-tree bpduguard enable`
* `spanning-tree portfast bpduguard default`
* `spanning-tree bpduguard disable`

**Root Guard**
* Ignores superior BPDUs
* Root Inconsistent
* Blocks port until BPDUs cease
* Recovers when BPDUs expire (MaxAge-MessageAge in STP, 3x hello in RSTP)

**BPDU Filter**
* Stops Tx
* Optionally stops Rx
* If globally configured, applies only to edge ports
  * 10 hellos sent to start, then stops BPDUs
  * If BPDU rx'd, disables BPDU filter (back to 10 hellos)
* If per port, just stops completely
* Global along with per port BPDU guard works, received BPDU auto errdisables
* Per port doesn't make sense as BPDUs auto stopped anyway

**Unidirectional Link Issues**

* UDLD
  * Echo mechanism
  * Switch ID and port ID in message
  * If switch/port pair doesn't appear in other switch's list, broken
  * If own seen, looped
  * If UDLD message contains more than one neighbour, shared media issue
  * All err-disabled
  * Normal - Attempts to reconnect 8 times if messages lost, no action
  * Aggressive - as above, but err-disables
* STP Loop Guard
  * Assumes if BPDUs rx'd on a port previously (i.e. on a Root or Alternate) and not now, this shouldn't be possible in a working network. Port can't be DP
  * Loop inconsistent, starts on loss of BPDU, stops on rx BPDU
* Bridge Assurance - RPVST+ and MST only, on p2p links
  * BPDUs sent on all ports as hellos
  * Loss of BPDUs makes BA-inconsistent
  * `spanning-tree bridge assurance`
  * `spanning-tree portfast network`
* Dispute Mechanism
  * Role and state of port in RSTP and MST BPDUs
  * If inferior BPDU from a port claiming Designated Learning or Forwarding, moves to discarding
  * Already exists

## Port Channels

* Must have same
  * Speed and duplex
  * Same mode (trunk, access, dynamic)
  * Same access VLAN
  * Same allowed/native
  * No SPAN ports
* Port suspended if no config match
* Config changes on non-suspended members only
* Etherchannel Misconfig Guard - BPDUs rx'd should have same source MAC. If not, ports are individual links (doesn't help if only one BPDU rx'd over one link)

# Processes

## STP Choosing Ports

1. Elect root switch (lowest BID)
2. Choose RP (superior cost to root)
3. Choose DP (switch forwarding superior BPDU to segment)

## Determining RP

1. Root sends hellos (every 2s), with RBID and SBID (Root ID for both), RPC 0, SPID of egress
2. Non-root adds port cost to RPC, superior becomes RP
3. Hellos from RP sent out DP (updated RPC, SBID, SPID and MessageAge)
4. No hellos on blocking

## Determining DP

1. Hellos onto LAN
2. Port forwarding is DP
3. Superior hellos
4. All others root or blocked

## TC

1. TC occurs
2. TCN BPDU out RP until acked
3. Upstream switches ack with next hello, marks TCA bit
4. 1-3 until root
5. BPDU with TCA sent through rx'd port by root
6. For MaxAge+ForwardDelay seconds, root sends BPDUs with TC bit set, CAM entries reset

# Config

```
vtp mode server mst
vtp primary mst
```
* Uses VTP to do MST region config dispersion
--------------------------------------------------------------------------------
/quick-notes/template.md:
--------------------------------------------------------------------------------
# Messages

# Timers

# Processes

# Config
--------------------------------------------------------------------------------
/quick-notes/tunnelling.md:
--------------------------------------------------------------------------------
# Messages

# Timers

# Trivia

* IPsec VTI - routable int, terminates IPsec, supports multicast

## DMVPN

* Each spoke persistent IPsec tun to hub
* Address of hub must be known by all spokes
* Spokes register address as client to NHS
* NHS maintains DB of public addr used by spokes
* Spoke to spoke - requests to NHS for pub IP of other spoke
  * On demand

**Phase 1**
* Simple hub and spoke
* Dynamic IPs on spokes
* Hubs mGRE
* Spokes GRE

**Phase 2**
* Adds spoke-to-spoke comms
* Allow with `no ip next-hop-self eigrp AS` on tunnel
* No summarization
* OSPF single area, limited hubs due to OSPF DR/BDR
* First packet through hub process switched
* All mGRE

**Phase 3**
* Two NHRP enhancements
  * NHRP Redirect - Hub to spoke, lets spoke know of better path to other spoke through hub (conf on hub only)
  * NHRP Shortcut - Overwrites CEF info on spoke (configure on spoke and hub)
* Make sure `no ip split-horizon eigrp ASN` on for spoke to spoke
* No need for no ip next-hop-self, as NHRP will redirect regardless
* Packet still sent to hub unless IPsec session comes up

* Routes go in as NHRP routes

### QoS

* On the interface do `ip nhrp map group NAME service-policy output NAME`

## IPv6 Tunnelling

* Auto 6to4 - Point to MP, 2002::/16 - Connects isolated v6 islands
  * v6 prefix is 2002:border-router-ipv4-address::/48
  * One tunnel per router
  * Tunnel dest not config'd
  * Need to route 2002::/16 over tunnel
* Manual config - any addr space, P2P, dual stack required both ends, carries v6 across v4
* v6 over v4 GRE - Unicast addr, P2P, carries any traffic across
* ISATAP - P2MP, any mcast, v6 hosts in single site
  * [64-bit link-local or global unicast prefix]:0000:5EFE:[IPv4 address of ISATAP link]
  * Disables RAs by default
  * `no ipv6 nd suppress-ra`
* Auto v4-compat - P2MP, ::/96 address space, dual stack both ends, deprecated, use ISATAP
  * First 96 bits of tunnel int all 0s, remaining 32 from v4 addr

## L2 VPNs

* Tagged mode - ID matches on AC either end
  * VLAN match on each end
  * PW type of 0x0004
  * Every frame on PW carries a different VLAN for each customer (VLAN = service delimiting tag)
  * If frame Rx'd missing VLAN tag, PE prepends one
* Raw Mode - Tag not always present
  * PW type 0x0005
  * Service tags never through AC
  * Stripped from frame before transmitting
* L2TPv3
  * Any L2 payload
  * IP proto 115
  * CEF required
  * Has control channel
* OTV - Looks like VPLS
  * Fault domain isolation
  * STP root doesn't change, each CE has own
  * Deployed at CE
  * Multicast similar to what's in L3 VPNs
  * Like VPLS but without MPLS transport
  * L2 LAN-E over L3, L2 or MPLS networks

## GET VPN

* Encrypts through insecure networks
* KS and GM
* KS creates, maintains and sends policy to GM
  * Policy is what traffic and which algorithms
* KEK and TEK
  * KEK is between KS and GM, used for rekey phase
  * TEK for traffic
* Uses ESP
* RSA key used by KS for rekey
* New TEK and KEK before TEK expires (default 3600s)
* Phase authed and secured by ISAKMP SA between KS and GM
* GDOI messages build SA and encrypt GM registration, UDP port 848

# Processes

# Config

```
int Fa0/0
 xconnect 4.4.4.4 204 encapsulation { mpls | l2tpv2 | l2tpv3 }
```

## GETVPN

**KS**
```
ip domain-name cisco.com

crypto key gen rsa mod 1024

crypto isakmp policy 10
 auth pre-share

crypto isakmp key GET-VPN-R5 address 10.1.25.5
crypto isakmp key GET-VPN-R4 address 10.1.24.4

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

crypto ipsec profile GETVPN-PROF
 set transform-set TSET

crypto gdoi group GETVPN
 identity number 1
 server local
  rekey auth mypubkey rsa R1.cisco.com
  rekey transmit 10 number 2
  rekey transport unicast                <--- unicast or multicast rekey
  authorization address ipv4 GM-LIST
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 LAN-LIST          <--- what to encrypt
   replay counter window-size 64
  address ipv4 10.1.12.1                 <--- KS IP

ip access-list standard GM-LIST
 permit 10.1.25.5
 permit 10.1.24.4

ip access-list extended LAN-LIST
 deny udp any eq 848 any eq 848
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
```

**GMs**

```
crypto isakmp policy 10
 auth pre-share

crypto isakmp key GET-VPN-R5 address 10.1.12.1

crypto gdoi group GETVPN
 identity number 1
 server address ipv4 10.1.12.1

ip access-list extended DO-NOT-ENCRYPT
 deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255

crypto map CMAP-GETVPN 10 gdoi
 set group GETVPN
 match address DO-NOT-ENCRYPT

int Se0/1/0.52
 crypto map CMAP-GETVPN
```

# Verification

## DMVPN

```
show dmvpn

show crypto isakmp sa
show crypto ipsec sa
show crypto session

show ip nhrp

show crypto gdoi group NAME
show crypto gdoi ks policy
show crypto gdoi ks all
show crypto gdoi ks members
```

--------------------------------------------------------------------------------
/quick-notes/vlans-trunk.md:
--------------------------------------------------------------------------------
# Messages

## VTP v1 and v2

* Summary Adv - Every 5 mins and after DB modification; carries VTP domain, rev number, identity, time stamp, MD5 sum over VLAN DB and VTP password, number of subsets to follow
* Subset Adv - Originated by DB modifier, carries full VLAN DB contents - multiple may be needed
* Adv Request - Requests complete DB or part, sent after advertisement or summary rx'd with higher rev number
* Join - Every 6 seconds, if VTP pruning active; bitfield for each VLAN in normal range, used and unused

# Timers

# Trivia

* Suspended VLAN drops all frames
* `show current` - all VLANs when switch in VTP server mode, from DB mode
* Promiscuous VLAN trunk - Anything in secondary VLAN changed to primary VLAN and forwarded over trunk
* Isolated VLAN trunk - Anything in primary VLAN changed to secondary and forwarded

## DTP

* Modes are auto and desirable
* Auto prefers access
* Desirable prefers trunk
* Desirable higher priority
* Carries VTP domain in messages, otherwise can't negotiate
* `switchport mode trunk` - always trunk, DTP helps other side
* `switchport mode access` - never trunks, DTP helps other side

## QinQ
* `switchport mode dot1q-tunnel`
* `vlan dot1q tag native`
* `encapsulation dot1q 10 native`
* `show int` will show admin status and operation of tunnel

## VTP

* VLAN ID, name, type and state
* v1, v2 and v3 (v3 in IOS only, from 12.2(52)SE and up)
* v1 no extended range VLANs
* v2 added unknown TLV propagation
* DB consistency also done at CLI input
* VTP Transparent forwards messages if domain null, otherwise only for its domain

### V3

* Primary and secondary servers - secondary can be promoted, but only with password
* Passwords stored encrypted
* Extended range and PVLANs transmitted, only prune normal
* Can be in off mode
* Can set MST region

### Rev numbers etc

* No updates sent until domain config'd
* Default as server
* No domain config on client, uses VTP domain of first rx'd message
* VLAN config in vlan.dat
* New client can change other switches' VTP DB if
  * new link is trunk
  * same domain
  * higher rev
  * same pw

### V3

* Primary server - only VLAN DB sent
* Clients and servers must agree on domain and primary server
* No sync if they don't match
* One primary server per domain
* Primary becomes secondary on reload
* Reset rev with different VTP domain or PW
* v3 reverts to v2 if v2 present
* v1 not compatible

# Processes

## VTP

* v1 and v2 update when VLAN added/deleted/updated, rev num incremented
* If VLAN DB with higher rev arrives, automatically assumed to be the new VLAN DB

# Config

```
switchport trunk pruning vlan [add/except/none/remove]   <--- Pruning eligible list
```

--------------------------------------------------------------------------------
/quick-notes/wans.md:
--------------------------------------------------------------------------------
# Messages

# Timers

# Trivia

## PPP

### LCP

* Controls features independent of L3 protocol
* Each L3 proto has an NCP
* IPCP does dynamic IP assignment
* PPP comes up: CTS, then Data Set Ready, and Data Carrier Detect to bring up physical
* LCP parameter negotiation
* Auth methods done with LCP
* After LCP, considered up
* L3 CP then begins
* Features
  * Link Quality Monitoring
  * Looped link detection
  * L2 load balancing
  * Auth
* `ppp lcp predictive` - Reduces neg time, predicts responses from peers
* As above but `ppp ipcp predictive`

**LCP Process**

```
Config-Request  ->
                <-  Config-Reject
Config-Request  ->
                <-  Config-Nak
Config-Request  ->
                <-  Config-Ack
```

* `async mode interactive` / `async mode dedicated`
  * Dedicated - reserved for PPP and SLIP connections
  * Interactive - users prompted to connect to this interface
* `ppp async` - sending data across async ints
* Byte stuffing - escape character placed before control character in data stream, then mapped to other characters that the data link won't confuse
* XON and XOFF non-printable

### IPCP

* Ignores mask requests and offers; problem with running RIP (use `no validate-update-source`)
  * Because RIP checks if source belongs to same network as interface
  * Different subnet masks on interface vs. source of update
  * Stop validating

### MLPPP

* Frags each data link frame - based on link number or config'd frag delay
* Header added including seq number, and flags marking beginning and end frag
* LFI - Interleaves smaller packets between fragments of bigger packets (frags them)
* `ppp multilink interleave`
* `ppp multilink fragment-delay x` - Frag size indirectly; delay in ms, so size = x * bw

### PPP Compression

* Header or payload
* Header great with VoIP (TCP/RTP)
* LZ more CPU use, better ratio; Predictor less CPU intensive
* Just add `compress` command on interfaces

### PPPoE
* Hosts to aggregator

# Processes

# Config

## Basic LCP and PPP config

```
username R4 password 0

int Se0/1/0
 encapsulation ppp
 ppp authentication chap
```

## Multilink

```
int Multilink 1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

int Se0/1/0
 encapsulation ppp
 ppp multilink group 1

int Se0/1/1
 encapsulation ppp
 ppp multilink group 1
```

## PPP compression

```
policy-map 1
 class voice
  bandwidth 82
  compression header ip rtp
 class other
  bandwidth 100
  compression header ip tcp
```

## PPPoE

**Server**
```
bba-group pppoe BBA-GROUP
 virtual-template 1
 sessions per-mac limit 2

int virtual-template 1
 ip address 10.0.0.1 255.255.255.0
 peer default ip address pool PPPOE_POOL
 ppp authentication chap callin

username PPP password PPPpassword

ip local pool PPPOE_POOL 10.0.0.2 10.0.0.254

int Fa0/0
 no ip address
 pppoe enable group BBA-GROUP
 no shutdown
```

**Client**
```
int dialer 1
 dialer pool 1
 encapsulation ppp
 ip address negotiated
 mtu 1492
 ppp chap password MyPassword

int Fa0/0
 no ip address
 pppoe-client dial-pool-number 1
 no shutdown
```

# Verification

```
show pppoe session
```

--------------------------------------------------------------------------------
/redist-summ-defroute-tshoot-shortnotes.md:
--------------------------------------------------------------------------------
# Route Maps, Prefix Lists and AD

## Config of route maps

* If-then-else logic
* Sequential order
* Use no match command to match all

**Rules**
* Each command same name, all with name in same map
* Permit/deny action
* Delete/insert with seq
* For redist, routes from current routing table
* After route matched, no processing beyond
* If permitted, route redist'd
* When denied, route not redist'd

**When redisting**
* Permit means route redist'd, or leave route in list of routes to be examined in next clause
* Deny filters route or leaves in list for next clause
* If using an ACL, ACL deny just means not matched
* Implicit deny at end

## Match commands for redist

* If more than one applied, has to match all
* match interface - outgoing int of route
* match ip address - Route and length (ACL or prefix list)
* match ip next-hop - Use ACL
* match ip route-source - Match advertising router's IP, ACL
* match metric - Exact, or range (plus/minus for deviation)
* match route-type - internal, external, E1/N1, E2/N2, L1, L2
* match tag

## Set commands

* set level
* set metric *value* - OSPF, RIP and IS-IS
* set metric *bandwidth delay reliability loading mtu* - IGRP/EIGRP
* set metric-type - internal, external, type-1 or type-2, for IS-IS or OSPF
* set tag

## Prefix Lists

* Redistribute must use route map with prefix list inside
* Seq numbers
* Logic is route's prefix must be within range of addresses implied by commands
* Prefix length must match range of prefixes

## Administrative Distance

* EIGRP summary is 5

**Change AD**
* **distance** *distance* - RIP
* **distance eigrp** *internal-dist external-dist*
* **distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]}**

# Route Redistribution

## Mechanics of Redistribute Command

Full syntax is

```
redistribute protocol [process-id] [level-1 | level-1-2 | level-2] [as-number] [metric value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag value] [route-map map-tag] [subnets]
```

## With default settings

* Subnets allows subnets into OSPF
* OSPF default cost 20 when from IGP, 1 from BGP
* Only redists from current routing table

Following logic from a particular IGP
* Take all routes in routing table learned by the routing protocol from which routes are redist'd
* Take all connected subnets matched by network commands

* Subnets there, otherwise only classful taken in
* Auto-summary for each network shows just classful networks

### Setting Metrics, Types and Tags

1. Route map (per route)
2. Metric option on command (all redist from protocol)
3. Default metric command (all redist routes not matched by above)

* RIP - no external routes concept, no default metric
* EIGRP - no default metric, external type
* OSPF - 20/1 (IGP/BGP), default as E2, can be E1/E2
* IS-IS - 0, default type of L1, can be L1, L2, L1/L2 or Ext

### Mutual Redist at Multiple Routers

* Routers use AD for best route, but could be suboptimal
* RIP route could be shortest path, but OSPF used
* Need to make routers aware where routes came from
* Solve by filtering or changing AD

### Preventing suboptimal routes with AD

* Higher AD for redist routes
* e.g. **distance ospf external 180**
* Can apply per route with **distance {distance-value ip-address {wildcard-mask} [ip-standard-acl] [ip-extended-list]}**
* IP address is advertising router
* For RIP, EIGRP and IS-IS, advertising router's neighbour interface address
* For OSPF, matches RID creating LSA

### Preventing suboptimal with Route Tags

* Distribute list can match tags, e.g.

```
distribute-list route-map check-tag-9999 in
redistribute ospf 1 route-map tag-ospf-9999
```

### Metrics and Types for Redist routes

Metric preferences:
* RIP - None
* EIGRP - Internal > External
* OSPF - Intra > Inter > E1 > E2, tiebreak E2 with cost to ASBR
* IS-IS - L1 > L2 > External

# Route Summarization

Default workings:
* Same metric as lowest-metric component
* No component subnet advertising
* Not advertised if no components
* Local summary to null0 installed
* Reduce routing tables and DB size
* Decrease specific info

## EIGRP

* **ip summary-address eigrp** *asn network-address mask* [*admin-distance*] - interface
* Distance not advertised, used on local router, determines if null route placed in routing table

## OSPF

* Between areas only (no LSDB differences)
* ABR or ASBR
* ASBR - **summary-address** {{*ip-address mask*} | {*prefix/mask*}} [not-advertise] [tag *value*]
* ABR - **area 1 range** *ip-address mask* [advertise | not-advertise] [cost *value*]
* For ABR, this is the area where component subnets are

## Default Routes

* With IP classless, routes normal
* No IP classless, router checks if part of destination's classful network is in table, avoids default

**Five basic methods**
* Redistribution
* Static route to 0.0.0.0 with redistribute static - EIGRP, RIP
* **default-information originate** - RIP, OSPF
* **ip default-network** - RIP, EIGRP
* Summary routes - EIGRP

### Static routes with redist

* RIP and EIGRP
* Both commands need to be on same router
* Metric must be default or set
* Redist can have route map
* EIGRP treats default as external by default

### default-information originate

* OSPF
* Any defaults in routing table
* Can set metric and type directly, defaults of cost 1, E2
* Always keyword means advertised regardless of routing table
* Supported in RIP but with differences
* Creates and advertises if either no default exists, or default from another protocol
* If a static route, no injection as done with redistribution

### ip default-network

* RIP and EIGRP
* Local router must match a classful network
* Classful network must be in routing table (by any means)
* For EIGRP, must be advertised by local router into EIGRP
* For EIGRP, flagged as candidate
* RIP no flag, does not need to advertise it to use it

### Route Summarization

* EIGRP only
* Creates a null route on local, should be avoided
* Summary to others as AD 90 (standard EIGRP)
* Should set higher distance to not blackhole traffic

# Performance Routing (PfR)

* Routing based on load/bandwidth
* OER original, prefix based optimizations
* Not application specific

## Operation Phases

* Runs after OER configured
* Profile Phase - learns flows with high latency; traffic profiled/learned is a traffic class, list of classes is MTC (monitored traffic classes) list
* Measure Phase - Collect/compute performance
* Apply Policy - Apply low and high thresholds
* Control Phase - Influence traffic with routing manipulation/PfR
* Verify Phase - OER verifies OOP event performance, makes adjustments to bring back in policy

## Concepts

Interfaces:
* Internal - Connects to internal network, comms with device in infrastructure designated as control plane manager for PfR (Master Controller)
* External - Transmitting packets out of network, must be at least two
* Local - For forming control plane, defines source to communicate to master controller

## Auth

* Mandated, not optional
* Key-chain auth
* Global config

## Operational Roles

### Master Controller

* Maintains comms and auths border routers
* Monitors flows
* Applies policies for prefixes and exit links
* MC not always in forwarding path
* Must be reachable by BRs
* Single MC supports 10 BRs or 20 exit ints
* Can run MC and BR on same device
  * Still needs auth
  * Standalone preferred

### Border Router

* Router with one or more exit links
* All policy decisions/routing changes enforced
* Reports prefix and transit link measurements to MC
* MC injects preferred route to alter flow

## Basic Config

### Config of MC

**Auth**
```
key chain PFR_AUTH
 key 1
  key-string DAVEPERFORMS
```

**Enable process**
```
pfr master
```

**Designate internal/external ints**
```
pfr master
 border 2.2.2.2 key-chain PFR_AUTH
  interface Se0/0.21 internal
  interface Fa0/0 external
 border 3.3.3.3 key-chain PFR_AUTH
  interface Se0/0.31 internal
  interface Fa0/0 external
```

`show oer master border`

### BR config

**Auth**
```
key chain PFR_AUTH
 key 1
  key-string DAVEPERFORMS
```

**Process**
```
pfr border
 master 4.4.4.4 key-chain PFR_AUTH
```

**Specify local interface**
```
pfr border
 local loopback 0
```

* Can use logging, and change port
  * **logging** under pfr border
  * **port 3950** under pfr border

* Seen as MC Active on MC when both BRs up

# Troubleshooting complex L3 issues

## Troubleshooting process

**Problems at other layers**
* MTU mismatch
* Unidirectional link
* Duplex
* Error rate
* L2 config
* ACL
* Security policy
* TTL too low
* Two or more L3 subnets in same VLAN

**Check fields in IP header**
* Mismatched subnet masks
* Too short TTL for adj (eBGP multihop)
* MTU dropping large packets
* Multicast not supported/disabled/rate limited
* Overloaded link
* QoS config

**Routing Problems**
* Incorrect split horizon - some routes adv, others not
* Incorrect redistribution - filtered, or routing loops
* Protocols not adv routes when they should
* Protocols not redisting routes when they should
* Incorrect route filtering (masks)
* EIGRP SIA
* Incorrect summarization
* AD manipulation superseding correct routing rules
* Metric calc different on different routers (e.g. auto-cost, EIGRP K values)
* Metric manipulation
* NAT
* PBR
* Interface dampening
* Mismatched timers dropping adj

## Commands

* show ip protocols
* show interfaces
* show ip interfaces
* show ip nat translations
* show ip access-lists
* show ip int brief
* show dampening
* show logging
* show policy-map
* traceroute
* ping and extended ping
* show route-map
* show standby
* show vrrp
* show track
* show ip route

--------------------------------------------------------------------------------
/rip-shortnotes.md:
--------------------------------------------------------------------------------
# Introduction to Dynamic Routing

**Distance Vector**

* Distance = metric/feasibility
* Vector = unidimensional array
* Messages contain arrays of networks, and distance to each
* Cisco only advertises route if placed into router's routing table
* No topology exchange info
* Path vector for BGP (ASNs)

**Link State**

* Individual objects and their interconnection
* Routers, MA networks, border routers, ASBRs
* IP prefixes treated as attributes
* Routers and links are what matter
* No modification to messages
* Route summarization difficult

# RIPv2 Basics

* Classless
* DV
* Timer-driven
* UDP port 520
* Hop count maxed at 15
* 16 hops infinite
* No hellos, only routing updates
* 224.0.0.9
* 30s updates
* Full updates each interval
* On demand circuits can send full update once, then silent until changes (RFC 2091)
* Triggered updates
* Simple or MD5 auth
* Route tags allowed
* Next hop can be rewritten
* Updates sent on each interface every update timer
* Advertises connected and routes in routing table
* No neighbourship
* Use as broadcast with **ip rip v2-broadcast** per interface (rare)

Two message types, request and response. Message format same:

* 48-bit
* Command field - 1 req, 2 resp
* Version field - 2 for v2
* Octets 3 and 4 must be zero
* Address Family ID and Route Tag
* IP, Subnet, Next Hop, Metric
* 25 routes in single message

**Request**
* Requests full or partial update rather than waiting
* Full update requested by setting a route with AF ID of 0 and metric 16
* Otherwise, update on networks sent
* Sent on RIP startup for fulls
* Also for RIP int up and **clear ip route**
* No partials on Cisco
* Metric is cumulative, updated on send of update, not receipt
* 4 ECMP routes installed by default, can be between 1 and 16, or 32 (platform dependent)
* **maximum-paths**

## Convergence And Loop Prevention

**Counting To Infinity**
* If next hop suddenly increases metric, accept and update our metric
* If reaches infinity, stop using next hop

**Split Horizon**
* No sending on received/outgoing interface for route
* With Poisoned Reverse - If outgoing int matches interface in update, advertised with infinite metric

**Route Poisoning**
* Send infinite metric on route failure

**Triggered Update**
* Sent moment change occurs
* Only changed network sent

**Update Timer**
* Default 30s

**Invalid After Timer**
* Per route timer
* Default 180s
* Reset after update
* If updates cease, timer expires, route invalid
* Holddown then starts

**Holddown**
* Default 180s
* Begins after invalid timer hit
* Routing entry stays in routing table until holddown expires

**Flushed After**
* Default 240s
* Reset after update about network from next hop
* If updates about route from next hop cease
* Flushed after timer reaches limit, router removes route

Networks chosen by least total metric. All others with higher metric ignored. One time this doesn't take place is Counting To Infinity.

Split Horizon enabled by default except FR and ATM, verify with **show ip interface**

Route poisoning means backup path can be found quickly. While route removed, still appears in internal database, marked as possibly down. Allows routes to be repeatedly advertised as unreachable.

Triggered Updates sent moment change detected. Also known as Flash Updates.

Triggered Extensions are On Demand Circuit behaviour.

Holddown useful when making sure updates received can be believed (others may not know it's down yet). Can happen in following:
* Updates lost in transit
* Next hop router crashed
* Next hop router sees router as next hop, split horizon into effect
* RIP removed from next hop
* Summarization/filtering/passive int
* Next hop doesn't support Poisoning (i.e. route will just stop being advertised)

Lack of info about network tolerable for limited time (UDP). If it exceeds a time, "something happened", hence updates not accepted during this.

After route invalid:

* Router declares network invalid (seen as "is possibly down" in **show ip route**)
* Holddown started, infinite metric announced for route
* No updates accepted until Holddown expires
* After holddown, entry unlocked, convergence

Cisco version of flushed after verified only after route moved to invalid state. At that point, route could need to be flushed instantly.
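The timer and loop-prevention behaviour described above, as an added example that is not part of these notes or of IOS: a small model of one router's RIP database using the default timers and the acceptance rules from the notes. Interface and neighbour names used in the docstring are constructed.

```python
"""RIPv2 route timers and loop-prevention rules as a small simulation.

Added example for these notes, not code from the notes or from IOS. It models
one router's RIP database with the default timers listed above (update 30 s,
invalid-after 180 s, holddown 180 s, flushed-after 240 s) and the update rules
described: lowest metric wins, a higher metric from the current next hop is
accepted (counting to infinity), metric 16 from the next hop poisons the route,
and nothing is believed while the route is "possibly down". With the defaults
the flush timer (240 s from the last good update) fires before holddown ends,
so the entry is removed rather than unlocked, as the Cisco note above says.
Received metrics are taken as advertised (RIPv2 adds the hop on send, not receipt).
Interface and neighbour names such as Se0/0 and R2 are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

UPDATE_TIMER = 30     # seconds between periodic full updates
INVALID_AFTER = 180   # no refresh for this long -> "possibly down", holddown starts
HOLDDOWN = 180        # updates for the route are ignored during this time
FLUSHED_AFTER = 240   # counted from the last good update; entry removed when hit
INFINITY = 16         # unreachable metric


@dataclass
class RipEntry:
    prefix: str
    iface: str                 # interface the update arrived on (split-horizon key)
    next_hop: str
    metric: int
    last_good_update: float    # last update from next_hop with metric < INFINITY
    down_since: Optional[float] = None  # set when next_hop poisons the route


class RipDatabase:
    def __init__(self) -> None:
        self.routes: Dict[str, RipEntry] = {}

    def state(self, prefix: str, now: float) -> str:
        """'valid', 'possibly down' (as show ip route prints it), 'flushed' or 'absent'."""
        e = self.routes.get(prefix)
        if e is None:
            return "absent"
        age = now - e.last_good_update
        if age >= FLUSHED_AFTER:
            return "flushed"
        if e.down_since is not None or age >= INVALID_AFTER:
            return "possibly down"
        return "valid"

    def _flush_expired(self, now: float) -> None:
        for p in [p for p in self.routes if self.state(p, now) == "flushed"]:
            del self.routes[p]

    def receive(self, now: float, prefix: str, iface: str, next_hop: str, metric: int) -> bool:
        """Apply one route entry from a received response; True if it changed our database."""
        self._flush_expired(now)
        e = self.routes.get(prefix)
        if e is None:
            if metric >= INFINITY:
                return False                       # nothing to install
            self.routes[prefix] = RipEntry(prefix, iface, next_hop, metric, now)
            return True
        if self.state(prefix, now) == "possibly down":
            return False                           # holddown: believe nothing until flushed
        if next_hop == e.next_hop:
            if metric >= INFINITY:                 # route poisoning by our next hop
                e.down_since, e.metric = now, INFINITY
                return True
            e.metric = metric                      # refresh; an increase is accepted as-is
            e.last_good_update = now
            return True
        if metric < e.metric:                      # strictly better path via another neighbour
            self.routes[prefix] = RipEntry(prefix, iface, next_hop, metric, now)
            return True
        return False                               # equal/higher metric elsewhere ignored (no ECMP here)

    def advertise(self, now: float, iface: str, poisoned_reverse: bool = False) -> Dict[str, int]:
        """Route entries for the response sent out iface, honouring split horizon."""
        self._flush_expired(now)
        out: Dict[str, int] = {}
        for p, e in self.routes.items():
            if self.state(p, now) == "possibly down":
                out[p] = INFINITY                  # poisoned on every interface while down
            elif e.iface == iface:
                if poisoned_reverse:
                    out[p] = INFINITY              # back out the same interface: unreachable
            else:
                out[p] = e.metric
        return out
```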

### Converged SSO

* **show ip protocols** - Shows RIP settings, timers, version, neighbours and route sources
* **show ip route** shows the route age

### Convergence Extras

* Tune timers
* **clear ip route** removes all routes in the table along with their timers

## RIPv2 Config

```
router rip
version 2
network 172.31.0.0
```

* Can use classful behaviour
* Disable per interface with the following
* Sending updates - **passive-interface**
* Receiving - Filter incoming routes with a distribute list, updates with an ACL
* Advertising connected subnets - Filter outbound advertisements and interfaces as above
* Limit using the neighbor command (unicast updates)
* Autosummarization is the default, **no auto-summary**

**Authentication**
* Multiple keys allowed in a key chain
* Per interface
* **ip rip authentication key-chain name**, lowest sequence number used
* **ip rip authentication mode { text | md5 }**
* 24 routes per update now, 20 bytes of auth data in the first route slot

### Next Hop and Split Horizon

* **ip split-horizon** - Not on FR and ATM by default

* Next-hop feature means a v2 router can advertise a different next hop
* RFC 2453
* Not available on Ciscos
* Used for a nonzero address when on NBMA (spoke-to-spoke routing)

### Offset lists

* Adds to the route metric, before or after sending the update
* ACL matches the route, then the offset is added
* Specify with in or out

### Route filtering

* **distribute-list** referencing an ACL or prefix list
* In or out, interface keyword available
* If the interface is omitted, applied to all updates

# RIPng for IPv6

* Few changes made
* UDP 521
* FF02::9
* Metric handling increments on receipt
* Route entries based on v6 MTU
* No multiprotocol capability (AF ID omitted)
* Next hop field specified by a separate route entry containing the v6 next hop (link local) in the v6 prefix field, with a metric of 255, route tag and prefix length 0
* Applies to all following route entries for that next hop
* A next hop entry of :: reverts the next hop to the sender of the message
* Auth by IPsec

On Ciscos:
* Auth or encryption not supported
* Split horizon per process only
* Passive interfaces not supported
* No static neighbours

Following improvements
* Multiple processes can be run (4 seems to be the limit), distinguished by name (locally significant)
* Route poisoning activated per process
* Interfaces can have a metric-offset value, applied to all updates (i.e. RIP now has link costs)
* Default route originated per interface, can suppress other updates with it

```
ipv6 unicast-routing
ipv6 cef

int Fa0/0
ipv6 address 2001:DB8:1::1/64
ipv6 rip 1 enable
ipv6 rip 1 default-information only

int Se0/0
ipv6 address 2001:DB8:2::1/64
ipv6 rip 1 enable
ipv6 rip 1 metric-offset 3

ipv6 router rip 1
poison-reverse
```

--------------------------------------------------------------------------------
/tunnelling-shortnotes.md:
--------------------------------------------------------------------------------
# GRE Tunnels

* Passenger packets encapsulated inside another protocol
* IPsec VTI - routable interface, terminates the IPsec tunnel
* Supports multicast

**GRE Tunnel Config**

```
int lo0
ip address 150.1.2.2 255.255.255.0

int tun0
ip address 192.168.201.2 255.255.255.0
tunnel source lo0
tunnel destination 150.1.3.3
```

# DMVPN Tunnels

## Operation

Benefits:
* Dynamic tunnels
* Reduced config
* Zero-touch hub config
* Dynamic IPsec
* Dynamic spoke-to-spoke tunnels
* Supports multicast
* VRF aware
* Routing protocols over individual or all tunnels
* Supports MPLS
* Load balancing
* Reroutes during outages

### Components

* GRE
* NHRP
* Dynamic routing
* IPsec

### Operation

* Each spoke has a persistent IPsec tunnel to the hub
* No spoke to spoke with this
* Address of the hub must be known by all spokes
* Spoke registers its address as a client with the NHS
* NHS maintains a DB of the public addresses used by spokes
* Spoke to spoke - request to the NHS for the public IP of the other spoke
* On demand

**Phase 1**
* Simple hub and spoke topology
* Dynamic IPs on spokes

```
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
mode transport

crypto ipsec profile DMVPN
set transform-set TSET

int Tun0
ip address 172.16.145.1 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 12344
no ip split-horizon eigrp 145   ! routes between spokes
tunnel source Fa0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile DMVPN
```

**Phase 2**

* Adds spoke-to-spoke comms
* Allow with **no ip next-hop-self eigrp** *as*
* Verify with **show crypto ipsec sa** and **show dmvpn**

**Phase 3**

* Fixes some Phase 2 issues
* Phase 2 allows daisy-chaining, OSPF single area and limited hubs due to the OSPF DR/BDR election
* Phase 2 does not allow route summarization at the hub; all prefixes go to all spokes to set up spoke-to-spoke
* Phase 2 has the first packet through the hub process switched
* Phase 3 added two NHRP enhancements
* NHRP Redirect - New message, hub to spoke, lets the spoke know there is a better path to the other spoke than through the hub
* NHRP Shortcut - Overwrites the CEF info on the spoke
* Make sure **no ip split-horizon eigrp** *asn* is on for spoke to spoke
* No other differences in config
* No need for the **no ip next-hop-self eigrp** command

# IPv6 Tunneling and related technologies

## Tunneling overview

|Tunnel Mode|Topology and Address Space|Applications|
|-----------|--------------------------|------------|
|Auto 6to4|Point-to-Multipoint; 2002::/16|Connecting isolated v6 island networks|
|Manually configured|P2P, any address space, dual stack both ends required|Carries v6 packets across v4|
|v6 over v4 GRE|P2P, unicast address, dual stack both ends|Carries v6, CLNS and other traffic|
|ISATAP|P2MP, any mcast address|v6 hosts in a single site|
|Automatic v4-compatible|P2MP, ::/96 address space, dual stack both ends|Deprecated, use ISATAP instead|

Config wise

|Type|Tunnel Mode|Destination|
|----|-----------|-----------|
|Manual|ipv6ip|v4 address|
|GRE over IPv4|gre ip|v4 address|
|Auto 6to4|ipv6ip 6to4|Auto determined|
|ISATAP|ipv6ip isatap|Auto determined|
|Automatic v4 compatible|ipv6ip auto-tunnel|Auto determined|

### Manually configured tunnels

* P2P
* Static destination
* Almost the same as v4 GRE config

```
int tun0
no ip address
ipv6 address 2001:DB8::1:1/64
tunnel source lo0
tunnel destination 172.30.20.1
tunnel mode ipv6ip
```

### Auto IPv4-Compatible Tunnels

* v4-compatible v6 address for the tunnel interface
* Taken from the ::/96 space
* First 96 bits of the tunnel interface address are all 0s
* Remaining 32 bits from the v4 address
* Tunnel destination determined from the low-order 32 bits of the tunnel interface address
* **tunnel mode ipv6ip auto-tunnel**
* Not widely deployed
* Doesn't conform to global usage of the v6 space
* Also doesn't scale well

### IPv6-over-IPv4 GRE

* Encapsulates non-v6 traffic too
* Supports IPsec
* P2P operation
* Over v4
* Only difference from manual config is **tunnel mode gre ipv6**

### Auto 6to4 Tunnels

* Treats v4 as an NBMA cloud
* On a per-packet basis, encapsulates traffic to the correct destination
* Combines the v6 prefix with the globally unique v4 address of the destination 6to4 border router
* Begins with 2002:border-router-IPv4-address::/48
* Prefix leaves another 16 bits of the 64 for numbering networks within the site
* Only one tunnel allowed per IOS router
* Mode of **tunnel mode ipv6ip 6to4**
* Tunnel destination not explicitly configured
* Need to route 2002::/16 over the tunnel (or at least the other side's prefix)

```
int Fa0/0
ipv6 address 2002:0a01:6401:1::1/64

int Fa0/1
ipv6 address 2002:0a01:6401:2::2/64

int E2/0
ip address 10.1.100.1 255.255.255.0

int tun0
no ip address
ipv6 address 2002:0a01:6401::1/64
tunnel source Eth2/0
tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 tunnel 0
```

### ISATAP Tunnels

* Intra-Site Automatic Tunnel Addressing Protocol
* v4 as NBMA
* Addressing style differs from 6to4

```
[64-bit link-local or global unicast prefix]:0000:5EFE:[IPv4 address of ISATAP link]
```

* The ISATAP interface ID is the middle part

Example
* v6 prefix 2001:0DB8:0ABC:0DEF::/64
* v4 tunnel destination 172.20.20.1 (hex AC14:1401)
* 2001:0DB8:0ABC:0DEF:0000:5EFE:AC14:1401
* **tunnel mode ipv6ip isatap**
* v6 address derived from EUI-64
* Last 32 bits of the interface ID from the tunnel source v4 address
* Tunnels disable RAs by default
* Need enabling to support client autoconf
* **no ipv6 nd suppress-ra**

### SLAAC and DHCPv6

* SLAAC - router and RAs in some scenarios, DHCPv6 and RAs in others

### NAT-PT

* Not technically tunnelling
* Gateway function, v4 to v6 and vice versa
* Supports static and dynamic translations, and port translations

### NAT ALG

* Allows comms at the application level between two disparate networks (one v4, one v6)

### NAT64

* Transparent services to v6 users by providers
* Seamless v6 migrations

* NAT64 and DNS64 allow a v6 client to initiate comms to a v4-only server
* Stateful NAT64 translates using IP header translation, algorithms in RFC 6145 and RFC 6052
* Need a NAT64 prefix, a NAT64 router and a DNS64 server

# L2 VPNs

* PWs carry frames over the MPLS cloud
* Service has a field name, emulated service
* Tagged mode or raw mode

## Tagged mode

* ID matches on the ACs at either end
* ID/VLAN match on each end
* PW type of 0x0004
* Every frame on the PW has a different VLAN for each customer (service-delimiting tag)
* If a frame is received missing the VLAN tag, the PE prepends a dummy one before forwarding on the PW

## Raw Mode

* Tag not always present
* PW type 0x0005
* Service-delimiting tags never pass through the AC
* Stripped from the frame before transmitting

## L2TPv3

* Enhancements to L2TP
* Tunnels any L2 payload
* IP protocol 115
* CEF must be enabled
* Loopback interface must have a valid IP reachable from the remote PE
* L2TPv3 has a control channel

## AToM

Config
```
R2

int Fa0/0
xconnect 4.4.4.4 204 encapsulation mpls

R4

int Fa0/0
xconnect 2.2.2.2 204 encapsulation mpls
```

* Encap can be L2TPv2, L2TPv3 or MPLS
* **show xconnect all**
* Segments: S1 is the customer-facing port, S2 is the core config

## VPLS

* VPLS over GRE enables VPLS across an IP network

## OTV

* Looks like VPLS with MPLS transport
* Multicast support similar to what's in L3 VPNs
* Deployed at the CE
* L2 LAN extension over L3, L2 or MPLS networks
* Supported in IOS XE 3.5 or later, NX-OS 6.2(2) or later
* Fault domain isolation advantage
* STP root doesn't change
* Each CE has its own root
* Auto detection of multihoming and ARP optimization

# GET VPN

* Group Encrypted Transport VPN
* Encrypts through unsecure networks
* IPsec for integrity/confidentiality
* Key Server router and Group Members (KS, GM)
* KS creates, maintains and sends policy to the GMs
* Policy says what traffic, and what algorithms

* Two kinds of keys generated
* Transport Encryption Key - Used by the GM to encrypt data
* Key Encryption Key - Encrypts info between KS and GM

* No IPsec tunnels between GMs
* GM just encrypts packets that conform to the policy
* Uses Encapsulating Security Payload
* Original IPs used to route

* RSA key used by the KS for rekey
* KS sends out a new TEK and KEK before the TEK expires (default 3600s)
* Done in the rekey phase
* Phase authenticated and secured by an ISAKMP SA between KS and GM
* GDOI (Group Domain of Interpretation) messages (a mutation of IKE) build the SA and encrypt GM registration
* UDP port 848

```
ip domain-name cisco.com
crypto key generate rsa modulus 1024

crypto isakmp policy 10
authentication pre-share

crypto isakmp key GET-VPN-R5 address 10.1.25.5
crypto isakmp key GET-VPN-R4 address 10.1.24.4

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

crypto ipsec profile GETVPN-PROF
set transform-set TSET

crypto gdoi group GETVPN
identity number 1
server local
```

* Rekey in two ways
* Unicast - Rekey to every GM known (where multicast is not on the network)
* Multicast - One packet, to all GMs at once

```
rekey authentication mypubkey rsa R1.cisco.com
rekey retransmit 10 number 2
rekey transport unicast

authorization address ipv4 GM-LIST
```

* GM-LIST is an ACL to limit GMs
* LAN-LIST ACL says what to encrypt
* Can specify the window size (for time-based anti-replay detection)
* Need the KS's IP, sent down to the GMs, as the KS can be on different IPs (e.g. loopback)

```
sa ipsec 1
 profile GETVPN-PROF
 match address ipv4 LAN-LIST
 replay counter window-size 64
address ipv4 10.1.12.1

ip access-list standard GM-LIST
permit 10.1.25.5
permit 10.1.24.4

ip access-list extended LAN-LIST
deny udp any eq 848 any eq 848
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
```

**Configure Members**
```
crypto isakmp policy 10
authentication pre-share

crypto isakmp key GET-VPN-R5 address 10.1.12.1

crypto gdoi group GETVPN
identity number 1
server address ipv4 10.1.12.1

ip access-list extended DO-NOT-ENCRYPT
deny tcp 192.168.4.0 0.0.0.255 eq 22 192.168.5.0 0.0.0.255

crypto map CMAP-GETVPN 10 gdoi
set group GETVPN
match address DO-NOT-ENCRYPT

int Se0/1/0.52
crypto map CMAP-GETVPN
```

* **show crypto gdoi group** *group-name*
* **show crypto gdoi ks policy**
* **show crypto gdoi ks acl**
* **show crypto gdoi ks members**

--------------------------------------------------------------------------------
/vlans-and-trunking-shortnotes.md:
--------------------------------------------------------------------------------
# Virtual LANs

Ports grouped into one broadcast domain. Should be 1-to-1 VLAN per subnet

# VLAN Config

VLANs can be active or suspended.
A port in a suspended VLAN drops all frames.

## VLAN Database Mode

Obsolete mode, but still exists

VLANs 1 to 1005, stored in vlan.dat in flash

```
vlan database
vlan 21
```

show current - All VLANs when the switch is in VTP server mode

show proposed

apply
abort - aborts changes
reset - as above, but stays in VLAN DB config mode

## Interfaces in VLANs

show vlan brief - shows ports in VLANs (access)

## Config mode for creating VLANs

Extended range and PVLANs

switchport access vlan 31 - creates VLAN 31
vlan 32

## VLAN operational status

state suspend - Both config modes, suspends through the VTP domain
shutdown - local

## PVLANs

* Primary VLANs have associated Secondary VLANs
* Community or isolated
* 1 isolated per primary
* Promiscuous ports are associated with the primary VLAN; all secondaries of the primary can talk to the promiscuous port
* A frame received on a promiscuous, community or isolated port is always forwarded through the trunk

Over trunks, a frame from an isolated/community port goes via the secondary VLAN and is forwarded based upon type. For promiscuous, it is sent as the primary VLAN.

Trunk types of Promiscuous and Isolated

* Promiscuous - When a frame from a secondary VLAN goes out the trunk, the VLAN tag is rewritten to the primary VLAN
* Isolated - When the primary VLAN is received, it is sent as the secondary. Relies on the switch isolating the ports itself

### Config

```
vlan 199
private-vlan isolated

vlan 101
private-vlan community

vlan 100
private-vlan primary
private-vlan association 101,199

int Fa0/1
switchport mode private-vlan host
switchport private-vlan host-association 100 101

int Fa0/13
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 101,199

int vlan 100
private-vlan mapping 101,199
ip address 10.1.1.1 255.255.255.0
```

# VLAN Trunking

**ISL**

* Cisco proprietary
* Encapsulates
* Normal and extended range
* No native VLAN
* 26-byte header and trailer with FCS
* Source MAC of the trunk used
* Multicast destination of either 0100.0C00.0000 or 0300.0C00.0000
* Technically a SNAP-encapsulated frame

**802.1q**

* IEEE defined
* Tags the frame
* Extended range
* Native VLAN
* Inserts a 4-byte header (after the source address field)
* Original frame's addresses intact
* First 2 bytes are an Ethernet Type of 0x8100

Native VLAN mismatches are detected/blocked by PVST+ and RPVST+. CDP detects and reports them.

## Config

Cisco uses DTP. Modes are auto (negotiates but prefers access) and desirable (prefers trunk). Desirable has higher priority (i.e. a trunk will form if it is configured on one end).

2950s and 3550s default to desirable; 2960s, 3560s and 2750s default to auto.

DTP carries the VTP domain in its messages. It must match, which means different domains don't negotiate.
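The 802.1Q header described above (4 bytes inserted after the source address, TPID 0x8100, then a tag control field holding the CoS bits and a 12-bit VLAN ID, with untagged frames belonging to the trunk's native VLAN) decoded in Python, plus a trunk-side check of which VLAN each frame lands in. This is an added example, not code from the original notes: the frames are constructed here, `parse_frame`/`trunk_vlan`/`audit_trunk` are this example's names, the 0x88A8 and 0x9100 TPIDs are accepted as additional stacked-tag TPIDs (the Q-in-Q section below covers stacked tags), and the finding labels are made up for it.

```python
"""802.1Q tag decoding and trunk VLAN assignment (added example)."""
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad S-tag", 0x9100: "legacy QinQ"}


def mac_bytes(text):
    """Accepts aa:bb:cc:dd:ee:ff or Cisco aabb.ccdd.eeff notation."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"", pcp=0):
    """Constructed Ethernet frame with zero or more 802.1Q tags (outermost first)."""
    header = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        header += struct.pack("!HH", 0x8100, (pcp << 13) | vid)   # TPID + TCI
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode destination, source, every stacked tag and the final EtherType.
    The 4-byte tag sits after the source address: a 2-byte TPID (0x8100) and a
    2-byte TCI holding PCP (3 bits), DEI (1 bit) and the VLAN ID (12 bits)."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TPIDS:
            break                       # reached the real EtherType (0x0800 = IPv4)
        if len(frame) < offset + 2:
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_vlan(parsed, native_vlan):
    """VLAN a receiving 802.1Q trunk places the frame in: the outer tag's VID, or
    the native VLAN for untagged and priority-tagged (VID 0) frames."""
    if not parsed["tags"] or parsed["tags"][0]["vid"] == 0:
        return native_vlan
    return parsed["tags"][0]["vid"]


def audit_trunk(frames, native_vlan, allowed_vlans):
    """Per frame: (source MAC, assigned VLAN, findings). The labels are this
    example's own: stacked tags are only expected on dot1q-tunnel ports, and a
    VLAN outside the allowed list should not be crossing the trunk."""
    report = []
    for frame in frames:
        parsed = parse_frame(frame)
        vlan = trunk_vlan(parsed, native_vlan)
        findings = []
        if len(parsed["tags"]) > 1:
            findings.append("stacked-tags")
        if vlan not in allowed_vlans:
            findings.append("vlan-not-allowed")
        report.append((parsed["src"], vlan, findings))
    return report


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    build_frame("0000.0c07.ac01", "0011.2233.4401", []),           # untagged -> native
    build_frame("0000.0c07.ac01", "0011.2233.4402", [10], pcp=5),  # VLAN 10, CoS 5
    build_frame("0000.0c07.ac01", "0011.2233.4403", [99, 20]),     # two stacked tags
    build_frame("0000.0c07.ac01", "0011.2233.4404", [0], pcp=6),   # priority-tagged
    build_frame("0000.0c07.ac01", "0011.2233.4405", [300]),        # not in allowed list
]

if __name__ == "__main__":
    for entry in audit_trunk(SAMPLE_FRAMES, native_vlan=99, allowed_vlans={10, 20, 99}):
        print(entry)
```

The priority-tagged case is the one the router sub-interface note below refers to: a frame carrying a CoS value with VLAN ID 0 is treated as native, so the native VLAN must be configured consistently on both ends of the trunk.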

```
switchport
switchport mode - DTP parameters
switchport trunk - trunk parameters
switchport access - nontrunk parameters
```

show int trunk
show int *int* trunk
show int *int* switchport
show dtp

## Allowed, Active and Pruned VLANs

* switchport trunk allowed
* VTP can prune
* show int trunk shows allowed; allowed and active (a PVST+ STP instance will be running on this trunk for the VLANs in the list); and active and not pruned (no VTP-pruned or PVST+-blocked VLANs)

## Trunking Config

* switchport mode
* switchport nonegotiate
* switchport mode trunk - Always trunks this side, DTP helps the other side
* switchport mode dynamic desirable - hopes to trunk
* switchport mode dynamic auto - hopes for access
* switchport mode access - never trunks, DTP helps the other side
* switchport trunk encapsulation - sets the trunking type

## Trunking on routers

Sub-interfaces do not need to match the VLAN ID. Set it with the encapsulation command.
Recommended to use **encapsulation dot1q vlan-id native**, which allows both untagged frames and CoS-marked frames tagged with the VLAN ID.

# Q-in-Q Tunneling

802.1ad (provider bridges)
802.1ah (provider backbone bridges)

*vlan dot1q tag native*

```
int Fa0/1
switchport mode dot1q-tunnel
switchport access vlan 5
l2protocol-tunnel cdp
l2protocol-tunnel lldp
l2protocol-tunnel stp
l2protocol-tunnel vtp
```

show int fa0/1 then shows the admin and operational mode of the tunnel

# VLAN Trunking Protocol

* Advertises VLAN ID, name, VLAN type and state
* Three versions: v1 and v2 on IOS and CatOS, v3 on IOS from 12.2(52)SE
* v1 has no extended range VLANs

V2 additions

* TrCRF and TrBRF type VLANs (token ring)
* Unknown TLV propagation
* DB consistency check done at CLI input, rather than on SNMP or VTP receive

VTP transparent forwards messages if its domain is null, otherwise only for its own domain

v3 additions

* Primary and secondary servers - Only the primary can update, a secondary can be promoted to primary
* Passwords stored encrypted, can be transmitted to another switch, promotion requires using it
* Extended range and PVLANs, pruning only on the normal range
* Off mode - drops all VTP messages (per trunk or global)
* Can distribute MST region config

v1 and v2 use four message types

* Summary advertisement - From all switches, every 5 mins and after a DB modification; carries the VTP domain name, revision number, identity of the updater, time stamp of the update, an MD5 sum over the VLAN DB contents and VTP password, and the number of subsets to follow
* Subset advertisement - Originated by the DB modifier, carries the full VLAN DB contents.
  * One advertisement holds multiple VLAN DB entries, so multiple subset messages may be needed
* Advertisement request - To request the complete VLAN DB or part of it; sent after an advertisement, or when receiving a summary with a higher revision number
* Join - Sent every 6 seconds if VTP pruning is active; contains a bitfield for each VLAN in the normal range, used/unused

VTP messages only on trunks

## Process and Rev Numbers

* v1 and v2: update when a VLAN is added/deleted/updated. Revision number goes up by 1, and the entire VLAN DB and revision number are sent out
* If a VLAN DB with a higher revision number is received, it is automatically assumed to be the new VLAN DB
* Default mode is VTP server
* No updates sent until the domain is configured
* No domain configured on a client: it uses the VTP domain of the first received message; mode config required
* VLAN config stored in vlan.dat (not NVRAM)
* Config DB can be flashed by trunks failing and changes

A newly connected client can change another switch's VTP DB if:

* New link is a trunk
* Same domain name
* Higher revision number
* Same password

VLAN DB is hashed with the current DB and password, and compared to the MD5 in the Summary and at least one subset

v3
* Primary server - the only VLAN DB that can be sent through the domain
* Clients and servers must agree on the domain and primary server (defined by base MAC)
* Secondary servers - no changes, can be promoted (**vtp primary**)
* No sync if they don't match
* One primary server per domain
* Reload of the primary makes it secondary on reboot
* Can't reset the revision with rev 0 and VTP transparent
* Can reset with a different VTP domain or password
* v3 reverts to v2 operation if v2 is present
* Not compatible with v1

## Config

```
vtp domain DOMAIN

show vtp status

vtp password

vtp mode server/transparent/client/off

vtp version <---- 1 and 2 apply to all switches in the domain, v3 is done per switch (must have the domain set too)
```

## Normal and Extended Range VLANs

1-1005 supported in v1 and v2, in config or DB mode

Extended range VLANs don't go in vlan.dat and only work in transparent mode. In v3, all info is stored in vlan.dat

ISL used 10 bits for the VLAN ID, so couldn't do extended range. Later updated to match 802.1q (12 bits)

1002-1005 - FDDI and TR

## Storing VLAN config

* vlan.dat or running config (based upon VTP version and extended VLANs)
* In v3, all in vlan.dat
  * If transparent or off, also in the running config

# Configuring PPPoE

* Virtualizes Ethernet, turning it into multiple P2P links between client and AC
* Per-user auth
* Negotiation of upper protocols (e.g. IPCP)
* Negotiation of compression and link bundling
* An IOS router can be the client rather than setting it up on a host
* 8 byte overhead for PPPoE (2 byte PPP, 6 byte PPPoE)
* MTU 1492
* MSS clamped to 1452 to fit the IP and TCP headers plus the 8 byte PPPoE header

```
int Fa0/0
ip address 192.168.100.1 255.255.255.0
ip nat inside

int Fa0/1
pppoe-client dial-pool-number 1

int dialer1
mtu 1492
ip tcp adjust-mss 1452
encapsulation ppp
ip address negotiated
ppp chap hostname Username@ISP
ppp chap password Password4ISP
ip nat outside
dialer pool 1

ip nat inside source list 1 interface dialer 1 overload

access-list 1 permit 192.168.100.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 dialer1
```

**show pppoe session**
**debug pppoe data/errors/events/packets**

--------------------------------------------------------------------------------
/wans-shortnotes.md:
--------------------------------------------------------------------------------
# L2 Protocols

* For P2P links, the most popular are HDLC and PPP
* ISO standard for HDLC has no type field
* 2-byte type added in IOS for multiple protocols
* HDLC is the default on serial

## HDLC

* Encap not shown in config
* With back-to-back serial, the router connected to the DCE end of the cable
* Provides the clock signal for serial
* **clockrate**
* **show controllers** - Verify DCE or DTE

## PPP

* RFC 1661

|Feature|HDLC|PPP|
|-------|----|---|
|Error Detection|Yes|Yes|
|Error Recovery|No|Yes (IOS defaults to not use the reliable PPP feature)|
|Standard Protocol Type Field|No|Yes|
|Default on IOS serial links|Yes|No|
|Supports sync and async links|No|Yes|

* RFC 1662
* Defines PPP framing using the HDLC header and trailer for the most part
* Adds a protocol field and an optional padding field
* Padding field ensures an even number of bytes

### PPP Link Control Protocol

* Controls features independent of the L3 protocol
* Each L3 protocol has an NCP (network control protocol)
* IPCP defines dynamic IP assignment etc.

* When PPP comes up (i.e. the router sends Clear To Send, Data Set Ready and Data Carrier Detect to bring up the physical layer)
* LCP parameter negotiation
* Auth methods controlled by LCP, and in what order
* After LCP negotiation is done, the link is considered up
* L3 CP then begins

LCP Features

* Link Quality Monitoring (LQM) - Exchange statistics about percentage errors; link dropped if below a configured threshold
* Looped link detection - Random magic number picked; if the router sees its own, the link is looped and it might take it down
* Layer 2 load balancing - MLP fragments each frame into one per link
* Auth - CHAP and PAP

**Basic LCP and PPP config**
```
username R4 password 0
rom 838

int Se0/1/0
ip address 10.1.34.3 255.255.255.0
encapsulation ppp
ppp quality 80
ppp authentication chap
```

### Multilink PPP

* Originally for multiple ISDN B-channels
* Can balance across any P2P serial links
* Fragments each data link frame
* Based on link number or configured fragment delay
* Fragments sent across different links
* Header added including sequence number, and flags marking the beginning and ending fragment
* Can use multilink interfaces or VTs

```
int Multilink 1
ip address 10.1.34.3 255.255.255.0
encapsulation ppp
ppp multilink
ppp multilink group 1

int Se0/1/0
no ip address
encapsulation ppp
ppp multilink group 1

int Se0/1/1
no ip address
encapsulation ppp
ppp multilink group 1
```

* show int multilink1

### MLP LFI

* Cisco QoS tool
* Small delay-sensitive packets interleaved between big packets
* Big packets fragmented, small packets sent after a portion of the longer one
* Key elements: fragmentation, interleave possibility, and the queueing scheduler

MLP supports LFI:
* **ppp multilink interleave** - Allows interleaving, per interface
* **ppp multilink fragment-delay x** - Sets the fragment size indirectly (delay in ms, size = x * bandwidth)
* Can be used on one link or multiple
* Queue scheduler determines the next packet, often uses LLQ

```
int multilink 1
bandwidth 256
ip address 10.1.34.3 255.255.255.0
encapsulation ppp
ppp multilink group 1
ppp multilink fragment-delay 10
ppp multilink interleave
service-policy out queue-on-dscp
```

### PPP Compression

* Can negotiate L2 payload compression, or TCP/RTP header compression
* Payload compression is better on larger packets
* Header compression is better on smaller ones and achieves big ratios (10:1 to 20:1 compression)

**PPP L2 Payload Compression**

* Three options: LZS (Lempel-Ziv Stacker), Microsoft P2P Compression (MPPC) and Predictor
* First two use the same LZ algorithm
* Predictor's algorithm is predictor
* LZ uses more CPU, better ratio

* When ATM-FR interworking is used, MLP must be used, so all payload compression types supported by PPP are supported for interworking

|Feature|Stacker|MPPC|Predictor|
|-------|-------|----|---------|
|Uses LZ|Yes|Yes|No|
|Predictor|No|No|Yes|
|HDLC|Yes|No|No|
|PPP|Yes|Yes|Yes|
|FR|Yes|No|No|
|ATM and ATM-to-FR interworking|Yes|Yes|Yes|

* Use the **compression** command on each interface
* After it is configured, PPP starts the Compression CP, which negotiates and manages compression

**Header Compression**

* Two styles, TCP and RTP
* 40 bytes of a G.729 packet are usually headers (packet is 60 bytes)
* The above reduces the packet by more than 50%
* For TCP, 40 bytes to 3 or 5, helps on smaller payloads

* Legacy commands
* **ip tcp header-compression [passive]**
* **ip rtp header-compression [passive]**
* Passive awaits negotiation, otherwise tries to enable it
* All flows compressed when added

* MQC

```
policy-map cb-compression
class voice
bandwidth 82
compression header ip rtp
class critical
bandwidth 110
compression header ip tcp

int Multilink 1
bandwidth 256
service-policy out cb-compression
```

## PPPoE

* Connects hosts to a remote aggregator
* Allows the Network Service Provider to own the customer
* Emulates a PPP link across a shared medium

### Server config

* Broadband Aggregation (bba) group created, handles incoming PPPoE config

```
bba-group pppoe BBA-GROUP
virtual-template 1
sessions per-mac limit 2
```
* The above allows few MACs per session (allows a drop and reconnect with a different MAC, and that's it)

```
int virtual-template 1
ip address 10.0.0.1 255.255.255.0
peer default ip address pool PPPOE_POOL
```

* When a client initiates a session, the router dynamically creates a virtual interface

```
ip local pool PPPOE_POOL 10.0.0.2 10.0.0.254
```

* Enable the group on the interface facing the client
```
int Fa0/0
no ip address
pppoe enable group BBA-GROUP
no shutdown
```

### Client Config

```
int dialer 1
dialer pool 1
encapsulation ppp
ip address negotiated
```

* 8 byte header overhead, so drop the MTU of the dialer to 1492

```
int Dialer 1
mtu 1492

int Fa0/0
no ip address
pppoe-client dial-pool-number 1
no shutdown
```

* **show pppoe session**

### Auth

* PAP or CHAP, the latter preferred

```
username PPP password PPPpassword

int virtual-template 1
ppp authentication chap callin
```

```
int dialer 1
ppp chap password MyPassword
```

# Ethernet WAN

* Many solutions (VPLS, MPLS, AToM, QinQ, Metro-E)

## VPLS

* Brings various WAN connections together as a logical Ethernet network
* Multipoint Ethernet LAN service, referred to as Transparent LAN Service (TLS)
* CE communicates directly with all other CE nodes
* Usually in ATM, a CE node is designated as the hub for all spokes

* IETF VPLS links Ethernet bridges with pseudowires
* Operation same as IEEE 802.1 bridges
* Self-learns source MACs, frames forwarded on destination
* Unknown MACs flooded on all ports

Other functions:
* Autodiscovery of PEs associated with a particular VPLS instance
* Signalling of PWs to interconnect VPLS VSIs
* Loop avoidance
* MAC address withdrawal

## Metro-Ethernet

* Ethernet on a MAN can be used as Ethernet, EoMPLS, or Ethernet over dark fibre

* MPLS-based Metro-E uses MPLS in the SP's network
* Subscriber gets an Ethernet interface
* Packets transported over the MPLS network
* Ethernet is the underlying technology transporting MPLS
* LDP signals the site-to-site inner label
* RSVP-TE or LDP for the outer label
* Metro-E has a star or mesh topology

--------------------------------------------------------------------------------
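The VTP v1/v2 acceptance rules from the VLAN Trunking Protocol section earlier in these notes (trunk link, same domain name, higher revision number, same password checked through the MD5 over the VLAN DB contents plus the password) as an added simulation in Python. It is not from the original notes: the summary and subset messages are plain dicts, the digest input layout is this example's own rather than the on-wire VTP format, `evaluate`/`apply_advert`/`production_switch` are its own names, and the switch states and VLAN names are constructed.

```python
"""VTP v1/v2 update acceptance rules as a simulation (added example)."""
import hashlib
import json


def vtp_digest(vlan_db, password):
    """MD5 over the VLAN DB contents plus the VTP password. The byte layout
    (JSON of the DB followed by the password) is this example's own, not the
    on-wire VTP summary format; both sides just have to compute it the same way."""
    payload = json.dumps(vlan_db, sort_keys=True).encode() + password.encode()
    return hashlib.md5(payload).hexdigest()


def make_summary(domain, revision, vlan_db, password, updater):
    """Summary advertisement with its subset (the full DB) attached, as a dict."""
    return {"domain": domain, "revision": revision, "updater": updater,
            "md5": vtp_digest(vlan_db, password), "subset": dict(vlan_db)}


def evaluate(local, advert, link_is_trunk=True):
    """(accept, reason) for a received summary, applying the rules in the notes."""
    if not link_is_trunk:
        return False, "VTP messages are only processed on trunks"
    if local["mode"] not in ("server", "client"):
        return False, "mode %s does not sync" % local["mode"]
    if advert["domain"] != local["domain"]:
        return False, "domain mismatch"
    if advert["revision"] <= local["revision"]:
        return False, "revision %d is not higher than %d" % (advert["revision"],
                                                               local["revision"])
    if advert["md5"] != vtp_digest(advert["subset"], local["password"]):
        return False, "digest mismatch (wrong password or altered contents)"
    return True, "higher revision from %s accepted" % advert["updater"]


def apply_advert(local, advert, link_is_trunk=True):
    """Process an advert: a client with no domain adopts the first one it hears
    (as the notes describe); an accepted advert replaces the whole VLAN DB."""
    if local["mode"] == "client" and local["domain"] is None:
        local["domain"] = advert["domain"]
    ok, reason = evaluate(local, advert, link_is_trunk)
    if ok:
        local["vlan_db"] = dict(advert["subset"])
        local["revision"] = advert["revision"]
    return ok, reason


def production_switch():
    """Constructed state of a production VTP server (fresh copy each call)."""
    return {"mode": "server", "domain": "CORP", "revision": 20, "password": "s3cret",
            "vlan_db": {"10": "USERS", "20": "SERVERS", "30": "VOICE"}}


# A lab switch that has seen many VLAN edits (revision 100) but now holds only
# the default VLAN, connected with the same domain and password: its DB wins.
LAB_ADVERT = make_summary("CORP", 100, {"1": "default"}, "s3cret", "lab-sw1")

if __name__ == "__main__":
    prod = production_switch()
    print(apply_advert(prod, LAB_ADVERT), prod["vlan_db"])
    prod = production_switch()
    print(apply_advert(prod, make_summary("CORP", 100, {"1": "default"},
                                          "other-pw", "lab-sw1")))
```

The accepted case is why the notes say to reset the revision (different domain or password) before connecting a switch: every check except the revision comparison passes for a switch that simply shares the domain and password.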
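The address derivations from the IPv6 tunnelling section earlier in these notes (6to4's 2002:IPv4::/48 prefix, the ISATAP prefix:0000:5EFE:IPv4 interface ID, and the deprecated ::/96 IPv4-compatible form), together with the reverse step that lets those tunnel modes determine their IPv4 destination automatically, as an added Python example. It is not from the original notes; `six_to_four_prefix`, `isatap_address`, `v4_compatible_address` and `tunnel_destination` are this example's names, and the inputs are the page's own values (10.1.100.1, 172.20.20.1, 172.30.20.1 and the 2001:DB8:ABC:DEF::/64 prefix).

```python
"""IPv6 tunnel address derivation: 6to4, ISATAP and IPv4-compatible (added example)."""
import ipaddress


def six_to_four_prefix(border_router_v4):
    """2002:<IPv4>::/48 for a 6to4 border router; 16 more bits remain for site subnets."""
    v4 = int(ipaddress.IPv4Address(border_router_v4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


def isatap_address(prefix, link_v4):
    """<64-bit prefix>:0000:5EFE:<IPv4>: the ISATAP interface ID carries the IPv4
    address of the tunnel source in its low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(link_v4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def v4_compatible_address(v4):
    """::<IPv4> in the deprecated ::/96 space (first 96 bits all zero)."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4))))


def tunnel_destination(v6, mode):
    """The IPv4 tunnel destination an automatic tunnel derives from the IPv6
    destination; this is the step that makes the destination 'auto determined'."""
    n = int(ipaddress.IPv6Address(v6))
    if mode == "6to4":
        if (n >> 112) != 0x2002:
            raise ValueError("not a 2002::/16 address")
        v4 = (n >> 80) & 0xFFFFFFFF          # bits 16-47 hold the border router address
    elif mode == "isatap":
        # interface ID must be 0000:5EFE:x:x (or 0200:5EFE:x:x with the u bit set)
        if ((n >> 32) & 0xFFFFFFFF) not in (0x00005EFE, 0x02005EFE):
            raise ValueError("not an ISATAP interface ID")
        v4 = n & 0xFFFFFFFF
    elif mode == "auto-tunnel":
        if (n >> 32) != 0:
            raise ValueError("not in ::/96")
        v4 = n & 0xFFFFFFFF
    else:
        raise ValueError("unknown tunnel mode %r" % mode)
    return str(ipaddress.IPv4Address(v4))


if __name__ == "__main__":
    print(six_to_four_prefix("10.1.100.1"))                            # 2002:a01:6401::/48
    print(isatap_address("2001:0DB8:0ABC:0DEF::/64", "172.20.20.1"))   # 2001:db8:abc:def:0:5efe:ac14:1401
    print(tunnel_destination("2002:a01:6401:1::1", "6to4"))            # 10.1.100.1
    print(tunnel_destination("::ac1e:1401", "auto-tunnel"))            # 172.30.20.1
```

The reverse function is also a useful sanity check on a 6to4 or ISATAP design: if `tunnel_destination` does not return the peer's real IPv4 address for the prefix you intend to route over the tunnel, the packets will be encapsulated towards the wrong endpoint.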