my CCDE cheat sheets
Philippe Jounin 2013
Layer 2
Layer 2 Design

Where to apply each feature:
• Access ports: PortFast + BPDU Guard
• Distribution switch: HSRP active and STP root on the same switch; Root Guard on the ports facing the access layer
• Inter-switch links: Loop Guard or Bridge Assurance
• Force access mode (disable DTP); choose a VLAN other than VLAN 1
• Apply port security
• Modify the VTP domain (or turn VTP off)
• Clear the native VLAN off the trunks (use an unused VLAN as native)
• Apply an ACL filter on the admin VLAN

Performance and stability (802.1D enhancements):
PortFast       Enables immediate transition into forwarding state on edge ports
UplinkFast     Enables access switches to maintain backup paths to the root
BackboneFast   Enables immediate expiration of the Max Age timer on an indirect failure

Security (Spanning-Tree protection):
Root Guard        Prevents a port from becoming a root port: a superior BPDU puts it in root-inconsistent state
BPDU Guard        Err-disables a port if a BPDU is received
Loop Guard        Prevents a blocked (alternate or root) port from moving toward forwarding when BPDUs stop arriving after Max Age (e.g. unidirectional link)
BPDU Filtering    Disables STP on a port (no BPDUs sent or processed)
Bridge Assurance  Blocks a port if it receives no BPDU from the neighbour
Layer 2 Design
Spanning-tree normalisation
• DEC STP: pre-IEEE
• 802.1D: classic STP
• 802.1t: 802.1D maintenance
• 802.1w: Rapid STP (RSTP)
• 802.1s: Multiple STP (MST)

The following enhancements to 802.1(D, s, w) comprise the Cisco Spanning-Tree toolkit:
• PortFast: lets the access port bypass the listening and learning phases
• UplinkFast: provides 3-to-5 second convergence after link failure
• BackboneFast: cuts convergence time by Max Age for indirect failure
• Loop Guard: prevents the alternate or root port from being elected designated unless BPDUs are present
• Root Guard: prevents external switches from becoming the root
• BPDU Guard: disables a PortFast-enabled port if a BPDU is received
• BPDU Filter: prevents sending or receiving BPDUs on PortFast-enabled ports

Cisco has incorporated a number of these features into the following versions of STP:
• Per-VLAN Spanning Tree Plus (PVST+): provides a separate 802.1D spanning-tree instance for each VLAN configured in the network. Includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
• Rapid PVST+: provides an instance of RSTP (802.1w) per VLAN. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
• MST: provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.

Spanning-tree toolkit; access design: STP or not STP; L2 topologies
Layer 3 Design
The network must be reliable and resilient
The network must be manageable
The network must be scalable

Triangle vs Square
Triangles: a link or box failure does NOT require routing-protocol convergence (the equal-cost alternate path is already installed)
Squares: a link or box failure requires routing-protocol convergence
OSPF in a campus (area 0 in the core, area 10 at the access layer, distribution switches as ABRs):
• "area 10 stub no-summary" on the distribution ABRs: the access area receives only a default route (LSA 3)
• Caveat: a distribution router that comes up may advertise the default route immediately (if a loopback is in area 0) before its core uplinks are up, so traffic is attracted into a black hole until the core adjacencies form

EIGRP in a campus:
• "eigrp stub" on the access switches: queries are not forwarded to stubs and stubs send immediate replies, which bounds the query scope
• Summaries from the distribution layer toward the core bound the query scope in the other direction
OSPF as PE-CE protocol:
• Inter-area (IA) routes are preferred over external routes; with a backdoor link, a sham link lets the MPLS path compete as intra-area, and the route with the lower cost wins
• The PE sets the down (DN) bit on LSA 3 (DN bit or VPN route tag on LSA 5) when re-originating VPN routes; PEs ignore received routes carrying the DN bit, which prevents loops through multi-homed sites

EIGRP as PE-CE protocol:
• The EIGRP AS should be the same on all sites (otherwise the routes arrive as external)
• Metric, AS and SOO are transported across the backbone as BGP extended communities; the cost community gives a pre-best-path point of insertion
• SOO is transported into EIGRP. SOO on the PE: the same SOO per site. SOO on the CEs (backdoor link): one SOO per CE
OSPF

LSA     Description
Type 1  Router Link LSA: routers, links and costs
Type 2  Network Link LSA: initiated by the DR on multi-access networks (pseudonode)
Type 3  Network Summary Link LSA: initiated by ABRs
Type 4  ASBR Summary Link LSA: advertised by ABRs so that the ASBR is reachable from other areas
Type 5  AS External Link LSA: initiated by the ASBR; OSPF external routes advertisement
Type 7  NSSA External LSA: initiated by the ASBR inside an NSSA; OSPF external routes advertisement

Area           Description
Backbone       Area 0: all other areas have to be linked to it. Accepts LSA 4 from other areas.
Standard       Receives LSA 3 and 5; initiates LSA 3, 4 and 5 toward the backbone area.
Stub           Receives type 3 LSAs and a default route (advertised as an LSA 3); initiates LSA 3.
Totally Stub   Receives a default route as a type 3 LSA; initiates LSA 3.
NSSA           Initiates type 7 LSAs, receives LSA 3. Implicit default route only for Totally NSSA.

• Inter-area routes are summarized on the ABR (area range)
• External routes are summarized on the ASBR (summary-address)
• NSSA-external routes can be summarized on the ASBR or on the ABR (at 7-to-5 translation)
OSPF Areas: which LSAs each area type receives (intra-area type 1 and 2 are present in every area)

Area type      Type 3 (inter-area)   Type 4 (ASBR)   Type 5 (external)   Type 7 (NSSA external)                       Default route
Standard       yes                   yes             yes                 no                                           only if originated (type 5)
Stub           yes                   no              no                  no                                           yes, injected as type 3
Totally Stub   no                    no              no                  no                                           yes, injected as type 3
NSSA           yes                   no              no                  yes (ABR translates 7 to 5 toward area 0)   only if originated (type 7)
Totally NSSA   no                    no              no                  yes (ABR translates 7 to 5 toward area 0)   yes, injected as type 3
OSPF NBMA and partial-mesh networks
• Non-broadcast mode: configure the peers manually (unicast neighbor statements) and set the DR priority to 0 on all partially meshed nodes so that only the fully meshed hub can become DR
• Broadcast mode on all links: set the DR priority to 0 on all partially meshed nodes, for the same reason
Troubleshooting adjacencies (what must match)
• EIGRP: same AS, same primary IP subnet, same metric weights (K values)
• OSPF: same area, same area type (stub flag), same IP subnet and mask (not checked on point-to-point links), same hello and dead intervals, same MTU (unless "ip ospf mtu-ignore")
• IS-IS: same area for L1 adjacencies, different (unique) system IDs, same MTU (hello padding), same IP subnet, same network/interface type (multipoint or point-to-point)
IS-IS inter-area
• L1/L2 routers set the attached bit in their L1 LSP when they have an L2 adjacency to another area. L1 routers receiving the attached bit install a default route toward the advertising router and propagate it (transitive).
• Intra-area (L1) routes are preferred over inter-area (L2) routes even if the metric is greater
• L1 routes are advertised by L1/L2 routers to the other L2 routers
• L1/L2 routers may be configured to leak L2 routes into the L1 domain (route leaking)

System ID best practice: derive it from the main loopback IP
1. Add implicit zeros into the loopback address: 192.168.1.24 -> 192.168.001.024
2. Transfer it to XXXX.XXXX.XXXX format: 192.168.001.024 -> 1921.6800.1024
3. Add the AFI 49, the area, and 00 as NSEL: 49.<area>.1921.6800.1024.00
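The recipe above, as an added example (not from the original cheat sheet), with its reverse so a NET seen in "show isis" can be mapped back to the loopback, and a check for duplicate system IDs, which the adjacency checklist requires to be unique. The area string format and the function names are assumptions made for this example.

```python
import ipaddress
import re
from typing import Dict, List


def isis_net_from_loopback(loopback: str, area: str, afi: str = "49") -> str:
    """Derive an IS-IS NET from an IPv4 loopback, following the cheat sheet's recipe.

    192.168.1.24 -> 192.168.001.024 -> 1921.6800.1024 -> 49.<area>.1921.6800.1024.00
    `area` is the dotted area id that follows the AFI, e.g. "0001" or "0001.0002" (assumed format).
    """
    octets = ipaddress.IPv4Address(loopback).packed          # validates the address
    digits = "".join(f"{o:03d}" for o in octets)             # 12 decimal digits, zero-padded octets
    system_id = ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if not re.fullmatch(r"([0-9a-fA-F]{4}\.){0,6}[0-9a-fA-F]{4}", area):
        raise ValueError(f"area must be dotted groups of 4 hex digits, got {area!r}")
    return f"{afi}.{area.lower()}.{system_id}.00"


def loopback_from_net(net: str) -> str:
    """Reverse the recipe: pull the 12-digit system id out of a NET and return the loopback it encodes."""
    parts = net.split(".")
    if len(parts) < 5 or parts[-1] != "00":
        raise ValueError(f"not a NET with NSEL 00: {net!r}")
    digits = "".join(parts[-4:-1])                            # the three 4-char groups before the NSEL
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"system id {digits!r} is not loopback-derived (non-decimal digits)")
    dotted = ".".join(str(int(digits[i:i + 3])) for i in range(0, 12, 3))
    return str(ipaddress.IPv4Address(dotted))                 # raises if an octet exceeds 255


def duplicate_system_ids(nets: Dict[str, str]) -> List[str]:
    """Return system ids used by more than one router. IS-IS needs unique system ids across
    the whole domain (not just per area): a duplicate corrupts the L2 LSDB and breaks adjacencies."""
    seen: Dict[str, List[str]] = {}
    for router, net in nets.items():
        sysid = ".".join(net.split(".")[-4:-1])
        seen.setdefault(sysid, []).append(router)
    return sorted(s for s, routers in seen.items() if len(routers) > 1)
```

Running it on the lab NETs further down the page (49.0100.0000.0000.0002.00 and so on) shows that those system IDs were chosen by hand rather than derived from the loopbacks, which is fine in a lab but makes duplicates easier to introduce in production.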
VPN backdoors
• Partial mesh of sham links: the backbone path is preferred
• BGP backdoor ("network ... backdoor"): the IGP route over the internal link is preferred over eBGP (the backdoor eBGP route gets administrative distance 200)

Traffic engineering with BGP (outgoing advertisements that influence inbound traffic)
• AS-path prepending
• MED
• Communities
• Selective advertisements (no backup)
• More-specific advertisements

Route Reflectors: follow the physical topology
• A session between an RR and a non-client should not traverse a client
• A session between an RR and its client should not traverse a non-client
BGP confederations

Feature                                  Seen in the confederation
Peering                                  Partial-mesh peering between sub-autonomous systems; full-mesh peering within a sub-AS (or route reflectors)
Communications between peers             iBGP is used within each sub-AS; cBGP (confederation eBGP) is used between sub-autonomous systems, similar to eBGP but with an enhancement of the AS_PATH attribute and a change in next-hop handling
Additions to the BGP attributes          The AS_PATH attribute is extended with AS_CONFED_SEQUENCE / AS_CONFED_SET segments carrying the sub-AS IDs; this enhancement is not advertised to external autonomous systems
Preserved attributes                     next-hop, local preference and MED are carried unchanged across sub-AS boundaries
Readvertising                            A learned prefix is readvertised to the other sub-autonomous systems if it is selected as best
Communications with non-member peers     If a member of the confederation peers with a BGP peer located in another AS, the sub-AS numbers in the AS_PATH are suppressed and only the confederation number is passed in the AS_PATH
Use of the multihop parameter            By default cBGP needs directly connected interfaces (ebgp-multihop for loopback peering)
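The AS_PATH handling described in the table, as an added example that is not part of the original cheat sheet: how a router in one sub-AS rewrites the path when sending to an iBGP peer, to another sub-AS, and to a peer outside the confederation, plus the best-path length rule and the loop check a member must apply. Segment representation and function names are this example's own.

```python
from typing import List, Set, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
AS_CONFED_SET = "AS_CONFED_SET"
Segment = Tuple[str, Tuple[int, ...]]      # (segment type, ASNs in order, most recent first)


def _prepend(path: List[Segment], seg_type: str, asn: int) -> List[Segment]:
    """Prepend asn to a leading segment of seg_type, or open a new segment of that type."""
    if path and path[0][0] == seg_type:
        return [(seg_type, (asn,) + path[0][1])] + path[1:]
    return [(seg_type, (asn,))] + path


def advertise_as_path(path: List[Segment], local_sub_as: int, confed_id: int,
                      peer_as: int, members: Set[int]) -> List[Segment]:
    """AS_PATH as sent to `peer_as` by a router in sub-AS `local_sub_as` of confederation `confed_id`.

    RFC 5065 rules: iBGP peer -> unchanged; cBGP peer (another sub-AS) -> prepend the sub-AS in an
    AS_CONFED_SEQUENCE; peer outside the confederation -> drop every AS_CONFED_* segment and prepend
    the confederation id as an ordinary AS_SEQUENCE, so the outside world only ever sees confed_id.
    """
    if peer_as == local_sub_as:
        return list(path)
    if peer_as in members:
        return _prepend(path, AS_CONFED_SEQUENCE, local_sub_as)
    public = [seg for seg in path if seg[0] in (AS_SEQUENCE, AS_SET)]
    return _prepend(public, AS_SEQUENCE, confed_id)


def as_path_length(path: List[Segment]) -> int:
    """Best-path AS_PATH length: AS_CONFED_* segments are not counted and an AS_SET counts as 1."""
    total = 0
    for seg_type, asns in path:
        if seg_type == AS_SEQUENCE:
            total += len(asns)
        elif seg_type == AS_SET:
            total += 1
    return total


def loop_detected(path: List[Segment], local_sub_as: int, confed_id: int) -> bool:
    """A member must reject a path that already carries its own sub-AS in a confed segment,
    or its confederation id in a public segment."""
    for seg_type, asns in path:
        if seg_type in (AS_CONFED_SEQUENCE, AS_CONFED_SET) and local_sub_as in asns:
            return True
        if seg_type in (AS_SEQUENCE, AS_SET) and confed_id in asns:
            return True
    return False
```

Note what the length rule implies for design: a path that crossed three sub-ASes still has length 1 at the exit router, so the sub-AS hops never influence best-path selection against a route learned directly from the external peer.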
Remotely triggered black hole (destination-based)
• Every edge router (CE-facing and peering) carries a static route: 192.0.2.1/32 -> Null0
• The NOC trigger router advertises the victim prefix over iBGP with next hop 192.0.2.1: 10.1.1.0/24 -> 192.0.2.1
• The next hop recurses to Null0, so traffic toward 10.1.1.0/24 is dropped at every edge

Source-triggered black hole
• Same static route 192.0.2.1/32 -> Null0 on every edge, plus loose uRPF ("ip verify unicast source reachable-via any") on the external interfaces
• The NOC advertises the attacker's source prefix with next hop 192.0.2.1: 192.168.1.0/24 -> 192.0.2.1
• Loose uRPF fails for any source whose route resolves to Null0, so packets from 192.168.1.0/24 are dropped at ingress; without uRPF the source route alone only affects return traffic
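A small forwarding-plane model of the two diagrams, added here as an example and not part of the original cheat sheet. It implements longest-prefix match with recursive next-hop resolution, then shows that destination-based RTBH drops on the destination lookup while source-based RTBH only works once loose uRPF is on. The interface names, the customer prefix placement and the sample source addresses are constructed for this example; the 192.0.2.1 trigger next hop and the 10.1.1.0/24 and 192.168.1.0/24 prefixes are the ones in the diagrams.

```python
import ipaddress
from typing import Dict, Optional, Tuple, Union

NULL0 = "Null0"
TRIGGER_NEXT_HOP = ipaddress.IPv4Address("192.0.2.1")   # RTBH next hop, routed to Null0 on every edge
Via = Union[ipaddress.IPv4Address, str]                # a next-hop address or an outgoing interface name


class Fib:
    """Minimal longest-prefix-match table. add() for an existing prefix replaces the route,
    standing in for the trigger's BGP route winning best path (e.g. by local preference)."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, Via] = {}

    def add(self, prefix: str, via: Via) -> None:
        self.routes[ipaddress.IPv4Network(prefix)] = via

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, Via]]:
        ip = ipaddress.IPv4Address(addr)
        matches = [(net, via) for net, via in self.routes.items() if ip in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def resolve(self, addr: str, allow_default: bool = True) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Recurse through next hops until an interface is found; returns (matched prefix, interface)."""
        first = self.lookup(addr)
        if first is None or (first[0].prefixlen == 0 and not allow_default):
            return None
        net, via = first
        for _ in range(8):                                 # bounded recursion depth
            if isinstance(via, str):
                return net, via
            nxt = self.lookup(str(via))
            if nxt is None:
                return None
            via = nxt[1]
        return None


def forward(fib: Fib, src: str, dst: str, loose_urpf: bool = False, allow_default: bool = True) -> str:
    """What an edge router does with a packet src -> dst; the returned string names the reason."""
    if loose_urpf:
        # Loose uRPF ("reachable-via any"): the source needs *some* route, but a route that
        # resolves to Null0 fails the check. The default route only counts with allow-default.
        r = fib.resolve(src, allow_default=allow_default)
        if r is None or r[1] == NULL0:
            return "drop:urpf"
    r = fib.resolve(dst)
    if r is None:
        return "drop:no-route"
    if r[1] == NULL0:
        return "drop:dst-null0"
    return f"forward:{r[1]}"


def edge_fib(blackholed_destinations=(), blackholed_sources=()) -> Fib:
    """Constructed edge-router FIB mirroring the two diagrams (interface names are assumed)."""
    fib = Fib()
    fib.add("192.0.2.1/32", NULL0)             # static route present on every edge router
    fib.add("0.0.0.0/0", "Fast1")              # upstream / Internet
    fib.add("10.1.1.0/24", "Fast2")            # customer (victim) prefix, normally forwarded
    for p in blackholed_destinations:          # NOC advertises the victim prefix with next hop 192.0.2.1
        fib.add(p, TRIGGER_NEXT_HOP)
    for p in blackholed_sources:               # NOC advertises the attacker prefix with next hop 192.0.2.1
        fib.add(p, TRIGGER_NEXT_HOP)
    return fib
```

The last two assertions in the test below are the practical caveat: with a default route present, loose uRPF must be configured with allow-default (otherwise every Internet source fails the check), and once it is, only sources whose route resolves to Null0 are dropped.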
IPv6 neighbor discovery (ICMPv6)

Type                    Abbr.   ICMPv6 type   Description
Router Solicitation     RS      133           Sent by hosts to request an RA
Router Advertisement    RA      134           Originated by routers to announce their existence
Neighbor Solicitation   NS      135           Facilitates link-layer address resolution and duplicate address detection
Neighbor Advertisement  NA      136           Response to an NS
Redirect                        137           Used by a router to inform a host of a better path out of the link
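An added example, not part of the original cheat sheet, that goes a step beyond the table: it parses the ICMPv6 header and the fixed RA/NS/NA bodies from raw bytes, then applies the check an RA Guard policy makes, since a host accepts any RA on the link and a rogue router can hijack the default gateway. The sample messages are constructed inline (checksum left at zero, since it needs the IPv6 pseudo-header) and the known-router list is an assumption of the example.

```python
import ipaddress
import struct
from typing import Dict, Set

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def parse_icmpv6(payload: bytes) -> Dict[str, object]:
    """Parse the 4-byte ICMPv6 header (RFC 4443) plus the fixed RA / NS / NA bodies (RFC 4861).
    The checksum is read but not verified (it covers the IPv6 pseudo-header, not present here)."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, code, checksum = struct.unpack("!BBH", payload[:4])
    msg: Dict[str, object] = {"type": icmp_type, "code": code, "checksum": checksum,
                              "name": ND_TYPES.get(icmp_type, "other")}
    body = payload[4:]
    if icmp_type == 134:                                   # Router Advertisement
        if len(body) < 12:
            raise ValueError("truncated RA")
        hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", body[:12])
        msg.update(cur_hop_limit=hop_limit, managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=lifetime, reachable_time=reachable, retrans_timer=retrans)
    elif icmp_type in (135, 136):                          # NS / NA: 4 bytes flags+reserved, then target
        if len(body) < 20:
            raise ValueError("truncated NS/NA")
        msg["target"] = str(ipaddress.IPv6Address(body[4:20]))
        if icmp_type == 136:
            msg.update(router=bool(body[0] & 0x80), solicited=bool(body[0] & 0x40),
                       override=bool(body[0] & 0x20))
    return msg


def check_ra(src: str, msg: Dict[str, object], known_routers: Set[str]) -> str:
    """RA Guard-style check: an RA must come from a link-local source (RFC 4861 section 4.2)
    that is on the list of routers expected on this link; anything else is a candidate rogue RA."""
    if msg["type"] != 134:
        return "not-an-ra"
    source = ipaddress.IPv6Address(src)
    if not source.is_link_local:
        return "rogue-ra:non-link-local-source"
    if str(source) not in known_routers:
        return "rogue-ra:unknown-router"
    if msg["router_lifetime"] == 0:
        return "ok:router-withdrawal"                      # lifetime 0 = "I am not a default router"
    return "ok"


# Constructed sample messages (not captured traffic); checksum field left as 0.
SAMPLE_RA = b"\x86\x00\x00\x00" + struct.pack("!BBHII", 64, 0x80, 1800, 0, 0)
SAMPLE_NS = b"\x87\x00\x00\x00" + b"\x00" * 4 + ipaddress.IPv6Address("fe80::1").packed
```

In a real deployment the equivalent check is enforced by the switch (RA Guard / first-hop security), not by parsing on the host; the code shows what the switch is deciding on.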
IPv6 deployment scenarios

            Dual Stack                                                      Hybrid                                                Service Block
Tunneling   None: native end to end                                         ISATAP and manually configured tunnels                ISATAP and manually configured tunnels to the service block
QoS         Native marking                                                  Marking at tunnel egress                              Marking at tunnel egress
HA          IGP                                                             Single ISATAP with anycast, no load balancing         Single ISATAP with anycast, load balancing after the tunnels
Caveats     IPv6 hardware required; no per-user/per-application control    Core layer becomes the access layer for IPv6 tunnels  New IPv6 hardware (dedicated block)
High Availability
• from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf

HA
Router resiliency:  reliable hardware (high MTBF), redundant components, non-stop routing
Network resiliency: rapid failure detection, network design, quick convergence
ISIS lab: straightforward configuration, summarization + leaking

Topology: CE2 -- Fast1 10.1.23.0/24 -- CE3 -- Fast2 10.1.34.0/24 -- CE4 -- Fast1 10.1.45.0/24 -- CE5
Area 1 (49.0100): CE2 (2.2.2.2/32), CE3 (3.3.3.3/32)
Area 2 (49.0200): CE4 (4.4.4.4/32), CE5 (5.5.5.5/32)

CE2 (L1 only):
  router isis
   net 49.0100.0000.0000.0002.00
   area-password IS-IS
   metric-style wide              ! wide metrics are required for the tag TLV
   log-adjacency-changes
  interface Loopback2
   ip address 2.2.2.2 255.255.255.255
   ip router isis
  interface FastEthernet1
   ip address 10.1.23.2 255.255.255.0
   ip router isis
   isis circuit-type level-1

CE3 (L1/L2, leaks tagged L2 routes into L1):
  router isis
   net 49.0100.0000.0000.0003.00
   area-password IS-IS
   metric-style wide
   log-adjacency-changes
   redistribute isis ip level-2 into level-1 route-map MatchTag5
  route-map MatchTag5 permit 10    ! body not shown in the original; assumed to match the tag set on CE4
   match tag 5
  interface Loopback3
   ip address 3.3.3.3 255.255.255.255
   ip router isis
  interface FastEthernet0/1
   ip address 10.1.23.3 255.255.255.0
   ip router isis
   isis circuit-type level-1
  interface FastEthernet2
   ip address 10.1.34.3 255.255.255.0
   ip router isis

CE4 (L1/L2, summarizes and tags):
  router isis
   net 49.0200.0000.0000.0004.00
   metric-style wide
   log-adjacency-changes
   summary-address 5.5.0.0 255.255.0.0 tag 5
  interface Loopback4
   ip address 4.4.4.4 255.255.255.255
   ip router isis
   isis tag 5
  interface FastEthernet1
   ip address 10.1.45.4 255.255.255.0
   ip router isis                 ! level-1 circuit type not configured
  interface FastEthernet2
   ip address 10.1.34.4 255.255.255.0
   ip router isis

CE5 (L1 only):
  router isis
   net 49.0200.0000.0000.0005.00
   metric-style wide
   log-adjacency-changes
  interface Loopback5
   ip address 5.5.5.5 255.255.255.255
   ip router isis
  interface FastEthernet1
   ip address 10.1.45.5 255.255.255.0
   ip router isis
   isis circuit-type level-1

CE5#sh ip route | in ^i
i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1

CE4#sh ip route | in ^i
i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1

CE3#sh ip route | in ^i
i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

CE2#sh ip route | i ^i
i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

Reading the outputs: CE4 installs the summary 5.5.0.0/16 to Null0 ("i su") and advertises it, tagged 5, into L2. CE3 leaks only the tag-5 L2 routes (4.4.4.4 and 5.5.0.0/16) into L1, where CE2 sees them as "i ia"; everything else leaves area 1 through the L1 default route generated from the attached bit.
OSPF lab: NSSA with RIP redistribution and summarization

Topology: CE1 -- Fast1 10.1.12.0/24 -- CE2 -- Fast2 10.1.23.0/24 -- CE3 -- Fast3 10.1.34.0/24 -- CE4
Area 202 NSSA: CE2 (ASBR, RIP into OSPF), CE3 (ABR). Area 0: CE3, CE4.
CE1 loopbacks 1.1.1.1/24, 2.2.2.2/24 and 3.3.3.3/24 are redistributed into RIP.

CE1 (lyo-maq-2611-01):
  interface Loopback1111
   ip address 1.1.1.1 255.255.255.0
  interface Loopback2222
   ip address 2.2.2.2 255.255.255.0
  interface Loopback3333
   ip address 3.3.3.3 255.255.255.0
  router rip
   version 2
   redistribute connected route-map Loopbacks
   passive-interface default
   no passive-interface FastEthernet1
   network 10.0.0.0
   no auto-summary

CE2 (lyo-maq-2611-02, NSSA ASBR):
  router rip
   version 2
   timers basic 15 45 15 60
   passive-interface default
   network 10.0.0.0
   no auto-summary
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 3.0.0.0 255.0.0.0 not-advertise
   summary-address 2.2.0.0 255.255.0.0
   redistribute rip metric 123 metric-type 1 subnets
   network 10.1.23.0 0.0.0.255 area 202

CE3 (lyo-maq-2811-03, NSSA ABR):
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 10.0.0.0 255.0.0.0 not-advertise
   summary-address 1.0.0.0 255.0.0.0
   network 10.1.23.0 0.0.0.255 area 202
   network 10.1.34.0 0.0.0.255 area 0
  ! Remark: the following act on inter-area (type 3) routes only, i.e. standard-area summaries,
  ! not on the NSSA externals:
  ! area 10 filter-list prefix FILTER out
  ! area 10 range 10.0.0.0 255.0.0.0 not-advertise

CE4:
  router ospf 1
   network 10.1.34.0 0.0.0.255 area 0

lyo-maq-2611-01#sh ip route | i ^C
C 1.1.1.0 is connected, Loopback1111
C 2.2.2.0 is connected, Loopback2222
C 3.3.3.0 is connected, Loopback3333
C 10.1.12.0/24 is connected, Fast1

lyo-maq-2611-02#sh ip route | i ^R|^O
R 1.1.1.0 [120/1] via 10.1.12.1, Fast1
O 2.2.0.0/16 is a summary, Null0
R 2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
R 3.3.3.0 [120/1] via 10.1.12.1, Fast1
O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2

lyo-maq-2811-03#sh ip route | i ^O
O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
O 1.0.0.0/8 is a summary, Null0
O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2

CE4 (the prompt in the capture reads lyo-maq-2811-03)#sh ip route | i ^O
O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3

Reading the outputs: CE2 suppresses 3.3.3.0/24 (summary-address not-advertise) and summarizes 2.2.2.0/24 into 2.2.0.0/16 as a type 7. CE3 translates type 7 into type 5 and, on translation, summarizes 1.1.1.0/24 into 1.0.0.0/8 and suppresses 10.1.12.0/24. CE4 in area 0 only sees 1.0.0.0/8 and 2.2.0.0/16 as E1 routes.
Tunneling & MPLS

MPLS TE: how to route a flow into a tunnel
• Static routing
• PBR
• Autoroute: the tunnel is included in the head end's SPF calculation but not advertised into the IGP, so other routers are unaware of the tunnel
  - The default metric is the IGP metric to the tail end; relative/absolute metrics behave like OSPF E1/E2 externals
  - The LSP tail end is always routed through the tunnel
  - IGP + LSP load sharing is available for destinations behind the tail end; load sharing to the tail end itself needs 2 LSPs
• Forwarding Adjacency: the tunnel is propagated into the IGP as a link

Inter-area / inter-domain MPLS TE
Multi-domain LSP: each domain's core topology should be hidden
• Per-domain static ERO (next-hop loose <IP edge> ...)
• CSPF stitching: a CSPF calculation on each ASBR, then the ERO is extended so that the core topology stays hidden
• Backward recursive path computation: a tree is created from the destination PE (<PE><ASBR n> = cost X) and enlarged by each domain back toward the head end
• Stitching: uses targeted signaling
• Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP; targeted signaling is required
Inter-domain VPN with Carrier Supporting Carrier (CSC)

Topology: CE1 -- PE1 -- CSC-CE1 -- CSC-PE1 -- (backbone provider) -- CSC-PE2 -- CSC-CE2 -- PE2 -- CE2
• Outer VPN (backbone provider): the customer carrier's PE and CSC-CE routes are carried in a VRF on CSC-PE1 / CSC-PE2 (CE-to-PE route distribution), with IPv4 + labels exchanged between CSC-CE and CSC-PE
• Inner VPN (customer carrier): vpnv4 multihop e/iBGP peering between PE1 and PE2 (MP-iBGP session end to end) with next-hop-unchanged; inner VPN definition and routing in vpnv4

CSC - IGP variant
• CSC-CE <-> CSC-PE: IGP + LDP ("mpls ip" on the interface), IPv4 + labels
• On the CSC-PE, the IGP ipv4 routes are redistributed into BGP "address-family ipv4 vrf inner"; the CSC-CE runs the IGP and advertises its local loopback

CSC - eBGP variant
• CSC-CE <-> CSC-PE: eBGP with "neighbor ... send-label" (IPv4 + labels); "mpls ip" on the link is not necessary since BGP distributes the labels
• "neighbor ... as-override" on the CSC-PE when both customer carrier sites use the same AS
• The CSC-CE runs IGP + local loopback internally and BGP "neighbor ... send-label" toward the CSC-PE
Inter-domain VPN option B (ASBR-to-ASBR vpnv4 eBGP)
ASBR1:
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <PEs> remote-as 1
   no bgp default route-target filter      ! eBGP side: keep vpnv4 routes the ASBR has no VRF for
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <PEs> next-hop-self            ! iBGP side: the ASBR becomes the next hop
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-community extended
• One label is allocated by the ASBR per prefix
• Option B1: next-hop-self method. Option B2: redistribute-connected method (the inter-ASBR link is put in the IGP)
• eBGP: no route-target filtering. iBGP: next-hop-self

Inter-domain VPN option C (eBGP + send-label between ASBRs, multihop vpnv4 between RRs)
RR1:
  router bgp 1
   neighbor <PEs> remote-as 1
   neighbor <RR2> remote-as 2
   neighbor <RR2> ebgp-multihop
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <RR2> activate
    neighbor <RR2> next-hop-unchanged      ! keep the remote PE as next hop so the LSP runs end to end
ASBR1:
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <RR1> remote-as 1
   address-family ipv4
    redistribute <IGP>                     ! PE loopbacks advertised with labels to the other AS
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-label
   address-family vpnv4
    neighbor <RR1> activate
  router <IGP>
   network <loopback>
   redistribute bgp 1                     ! with LDP in the core, makes the other AS's PE loopbacks reachable
PE1:
  router bgp 1
   neighbor <RR1> remote-as 1
   address-family vpnv4
    neighbor <RR1> activate
• Label 1 (transport): eBGP + send-label, or IGP + LDP
• Label 2: VPN label
MPLS QoS: DiffServ tunneling modes
• Uniform: the MPLS EXP value set by the ISP is copied back into the IP DSCP at egress (customer and provider form one DiffServ domain)
• Pipe: the IP DSCP is left untouched; egress queuing uses the MPLS EXP
• Short pipe: the IP DSCP is left untouched; egress queuing uses the customer's IP DSCP

L2VPN
• VPWS (Virtual Private Wire Service): point-to-point pseudowires; L2 protocol translation ("L2.5 VPN"); targeted LDP (tLDP) session; redundancy by nominal/backup pseudowires
• VPLS (Virtual Private LAN Service): point-to-multipoint; autodiscovery with BGP; for Cisco, VPLS = full mesh of pseudowires
• H-VPLS: full mesh between N-PEs; pseudowire between the user PE (U-PE) and the network PE (N-PE); redundancy with STP or PW backup between U-PE and N-PE
Operations
Monitoring, management, performance

Troubleshooting high CPU utilization
• Identify the process: "show processes cpu sorted", "show log"
• Usual causes: ARP, BGP, Exec, SNMP, NAT, TCAM full (Catalyst 3550 and similar, which punt to the CPU)
• IP Input (traffic handled in the interrupt path or punted): "show interfaces stats", "show interfaces", "show interfaces switching"
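An added example (not from the original cheat sheet) of the first step above run as code: parse the "show processes cpu sorted" header and rows, split the total into interrupt-driven and process-driven load, and map the result to the next command to run. The capture is constructed in IOS format for this example; the 80% threshold and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed "show processes cpu sorted" capture in IOS format (not from the original page).
SAMPLE_SHOW_PROC_CPU = """\
CPU utilization for five seconds: 94%/71%; one minute: 88%; five minutes: 61%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  71     1536516    10645210        144 11.35% 10.11%  8.60%   0 IP Input
  26      992112      612211       1620  5.83%  4.90%  3.12%   0 ARP Input
 133      400120       98110       4078  3.22%  2.51%  1.00%   0 BGP Router
   3        1002        3311        302  0.00%  0.00%  0.00%   0 Exec
"""

# "five seconds: X%/Y%": X is total CPU, Y is the share spent in interrupt context.
HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$")


def parse_show_proc_cpu(text: str) -> Dict[str, object]:
    """Return the totals (total / interrupt / process share) and the per-process rows, busiest first."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    total, interrupt, one_min, five_min = map(int, m.groups())
    procs: List[Dict[str, object]] = []
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            procs.append({"pid": int(pm.group(1)), "five_sec": float(pm.group(5)),
                          "one_min": float(pm.group(6)), "five_min": float(pm.group(7)),
                          "name": pm.group(9)})
    procs.sort(key=lambda p: p["five_sec"], reverse=True)
    return {"total": total, "interrupt": interrupt, "process": total - interrupt,
            "one_min": one_min, "five_min": five_min, "processes": procs}


def diagnose(parsed: Dict[str, object], threshold: int = 80) -> str:
    """Point the troubleshooter at the right next command, following the split in the cheat sheet."""
    if parsed["total"] < threshold:
        return "normal"
    if parsed["interrupt"] > parsed["process"]:
        return ("interrupt: traffic switched or punted in interrupt context; "
                "run show interfaces switching / show interfaces stats (possible flood or DoS)")
    top = parsed["processes"][0]["name"] if parsed["processes"] else "unknown"
    return f"process: {top}; run show processes cpu sorted and show log"
```

The interrupt-versus-process split is the security-relevant reading: a high interrupt share with a low process share is traffic, not a runaway process, and is where a flood or a punt-inducing packet stream shows up before the logs say anything.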
QoS operation order
• Inbound
  1. QoS Policy Propagation through BGP (QPPB)
  2. Input common classification
  3. Input ACLs
  4. Input marking (class-based marking or Committed Access Rate, CAR)
  5. Input policing (class-based policer or CAR)
  6. IPsec
  7. Cisco Express Forwarding (CEF) or fast switching
• Outbound
  1. CEF or fast switching
  2. Output common classification
  3. Output ACLs
  4. Output marking
  5. Output policing (class-based policer or CAR)
  6. Queueing (Class-Based Weighted Fair Queueing, CBWFQ, and Low Latency Queueing, LLQ) and Weighted Random Early Detection (WRED)

Multipoint WAN QoS
• Remote site (ingress to the WAN): shape to 95% of the line rate
• Hub toward the Frame Relay WAN: egress shaping to 95% of the smallest remote bandwidth
QoS Models

12-class model: Voice, Realtime Interactive, Multimedia Conferencing, Broadcast Video, Multimedia Streaming, Signaling, Network Control, Network Management, Transactional Data, Bulk Data, Best Effort, Scavenger

8-class model: Voice, Interactive Video, Streaming Video, Signaling, Network Control, Critical Data, Best Effort, Scavenger

4-class model: Realtime, Signaling / Control, Critical Data, Best Effort
Security
Internet Edge
• DMZ: public-facing services
• Private DMZ: internal services (DNS, collaboration, HTTP) that are not reachable from the outside, so they are not exposed to outside attacks
• Infrastructure ACLs at the edge

Secure operations
• Monitor Cisco Security Advisories and Responses
• Leverage Authentication, Authorization and Accounting
• Centralize log collection and monitoring
• Use secure protocols when possible
• Gain traffic visibility with NetFlow
• Configuration management

Data plane
• General data plane hardening
• Filtering transit traffic with transit ACLs
• Anti-spoofing protections (uRPF, ingress filtering)
• Limiting the CPU impact of data plane traffic
• Traffic identification and traceback
• Access control with VLAN maps and port access control lists
• Using private VLANs

Management plane
• General management plane hardening: password management, restrict protocols, use secure protocols, exec-timeout, event detection (memory and CPU thresholds)
• Limiting access to the network with infrastructure ACLs
• Securing interactive management sessions
• Using Authentication, Authorization and Accounting
• Fortifying SNMP
• Logging best practices
• Cisco IOS software configuration management

Control plane
• General control plane hardening: filter ICMP, fragments and source-routed packets; disable proxy ARP
• Limiting the CPU impact of control plane traffic: filter fragments and non-IP traffic, rate-limit ICMP unreachables
• Securing BGP
• Securing interior gateway protocols
• Securing first-hop redundancy protocols
Everyone wants to live on top of the mountain, but all the happiness and growth occurs while you’re climbing it.