Cisco & Cisco Network Hardware News and Technology


Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) allows you to translate private addresses to public addresses.
With a Cisco ASA firewall, you can configure two types of NAT:
- Dynamic NAT (including PAT, port address translation)
- Static NAT

NAT example (the web server must send its responses to the client's public/mapped address):

cisco-nat-NAT-Configuration.jpg

Dynamic NAT allows you to translate internal addresses to a predefined set or pool of public addresses that you define. The "nat" command defines which internal hosts are translated, and the "global" command defines the public address range into which they are translated. The number "1" in the nat configuration is the NAT ID (the number of the NAT rule) and must match on the "nat" and "global" commands:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240

PAT translates a range of internal addresses to one public address by mapping each connection to a different port:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113


Instead of an IP address in the global command, it's possible to use the keyword "interface". That way, the internal addresses are automatically PAT-ed to the address of the outside interface:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 interface


Static NAT allows you to permanently map a public IP address and port to an inside one (port forwarding). Along with that, Cisco allows 1:1 NAT, or "mirroring", which translates all ports of a private address to the same ports on a public address (bi-directional). Of course, to enable traffic flow from the "outside" to the "inside" interface, the traffic must also be allowed by an access control list.

Port forwarding:

nat3-NAT-Configuration.jpg

Port forwarding maps publicly reachable ports to internal addresses. After configuring NAT, to enable traffic flow from outside to inside hosts, you must apply an access list that permits the traffic. Finally, to activate the ACL, bind it to the "outside" interface with the "access-group" command:

ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255

ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp

ASA1(config)#access-group outside_in_acl in interface outside

Static 1:1 NAT (every public port mapped to the same internal port):

ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255

To allow traffic to flow from the lower-security interface "outside" to the higher-security interface "inside", an access control list must be applied.
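
As an added illustration that is not part of the original post, the following Python model replays the stateful behaviour the pre-8.3 commands above rely on: dynamic PAT translates outbound connections from 192.168.15.0/24 to 193.222.168.113 and admits an inbound packet only when it matches an existing translation, while the static port-forwarding entries for 209.165.201.3 admit new inbound connections only when outside_in_acl also permits them (in this syntax the ACL matches the mapped address). The class, its port-allocation scheme and the drop reasons are assumptions made for the example, not ASA internals.

```python
import ipaddress

# Addresses taken from the post's own commands
INSIDE_NET = ipaddress.ip_network("192.168.15.0/24")  # nat (inside) 1 192.168.15.0 255.255.255.0
PAT_GLOBAL = "193.222.168.113"                         # global (outside) 1 193.222.168.113


class AsaNatModel:
    """Model of dynamic PAT, static port forwarding and the inbound ACL (constructed for
    this example; the xlate layout, port allocation and drop reasons are not ASA internals)."""

    def __init__(self, global_ip, static=None, acl=None):
        self.global_ip = global_ip
        self.static = dict(static or {})   # (mapped_ip, mapped_port) -> (inside_ip, inside_port)
        self.acl = set(acl or [])          # permitted inbound (proto, mapped_ip, mapped_port)
        self.xlate = {}                    # mapped_port -> (inside_ip, inside_port)
        self.next_port = 1024              # constructed allocation scheme

    def outbound(self, src_ip, src_port):
        """Inside -> outside: PAT hosts covered by the nat statement to the global address."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return None                    # not covered by nat (inside) 1: no translation
        for mapped, inside in self.xlate.items():
            if inside == (src_ip, src_port):
                return (self.global_ip, mapped)   # existing translation is reused
        mapped = self.next_port
        self.next_port += 1
        self.xlate[mapped] = (src_ip, src_port)
        return (self.global_ip, mapped)

    def inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: ("forward", (inside_ip, inside_port)) or ("drop", reason)."""
        # 1. Return traffic for an existing dynamic translation is allowed.
        if dst_ip == self.global_ip and dst_port in self.xlate:
            return ("forward", self.xlate[dst_port])
        # 2. A static entry admits new inbound connections, but only if the ACL permits.
        target = self.static.get((dst_ip, dst_port))
        if target is not None:
            if (proto, dst_ip, dst_port) in self.acl:
                return ("forward", target)
            return ("drop", "acl")
        # 3. Anything else has no translation and is dropped.
        return ("drop", "no-xlate")


def build_from_post():
    """Wire up the post's static and access-list commands (the smtp ACL line is deliberately
    left out to show that a static entry alone does not admit traffic)."""
    static = {
        ("209.165.201.3", 80): ("10.2.2.28", 80),   # static ... http 10.2.2.28 http
        ("209.165.201.3", 21): ("10.2.2.27", 21),   # static ... ftp 10.2.2.27 ftp
        ("209.165.201.3", 25): ("10.2.2.29", 25),   # static ... smtp 10.2.2.29 smtp
    }
    acl = {("tcp", "209.165.201.3", 80), ("tcp", "209.165.201.3", 21)}
    return AsaNatModel(PAT_GLOBAL, static, acl)


if __name__ == "__main__":
    asa = build_from_post()
    print(asa.outbound("192.168.15.10", 40000))         # ('193.222.168.113', 1024)
    print(asa.inbound("tcp", "193.222.168.113", 1024))  # ('forward', ('192.168.15.10', 40000))
    print(asa.inbound("tcp", "193.222.168.113", 2000))  # ('drop', 'no-xlate'): unsolicited
    print(asa.inbound("tcp", "209.165.201.3", 80))      # ('forward', ('10.2.2.28', 80))
    print(asa.inbound("tcp", "209.165.201.3", 25))      # ('drop', 'acl'): static without ACL
```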

 


Cisco STP (Switching and Spanning Tree Protocol) Basics

March 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Switching is the process of using the physical address of devices to make forwarding decisions. Switches use application-specific integrated circuits (ASICs) to perform their switching function; as a consequence, amazingly fast switching speeds are achieved. Today I will explain how switches learn the hardware addresses of hosts attached to them and how they use this information to perform their tasks. I will focus on the protocol designed to prevent broadcast loops.

 

For those of you who are new to this field, what I am talking about is the Spanning Tree Protocol (STP); I will describe its operation in detail and use examples when necessary, so you can get a clear understanding of how it functions.

 

Switching Benefits

Switches are very important networking devices; they’re used to terminate hosts on the LAN. They consist of multiple Ethernet/Fast Ethernet/Gigabit Ethernet interfaces with adjustable throughput rates.

 

They can be seen as multi-lane highways with a lot of exit points. Each host is assigned a separate lane on the highway, therefore collision domains are separated per each individual switch port. No bandwidth sharing takes place and each individual host on each port is provided with independent, dedicated bandwidth. The benefits of all these are:

  • Low Latency
  • Very high speed
  • Low Cost

 

Why low cost? Well the answer is quite simple. Imagine having a LAN of fifty hosts. All the hosts need access to the Internet; therefore they should be connected to a router somehow. Having 50 interfaces on a router to terminate client links is inefficient and wasteful.

 

By incorporating a switch in the network, the router needs only a single interface to connect to the switch and all users reach the router’s exit point with the help of the switch’s ASIC electronics. The diagram below shows a typical LAN connection.

 typical-LAN-connection.jpg

Switch Operation

As already mentioned, switches operate at layer 2 (the data-link layer) of the OSI model. They do not need special configuration to operate; they are simple plug and play devices. You can expect a new switch out of the box to work instantly when it is powered up. Later on we’ll take a look at just how this is accomplished.

 

A layer 2 switch deals with three functions:

  • Address learning — When a switch is first switched on, it learns the MAC address of hosts attached to it and stores the MAC address and interface port association into its MAC table.
  • Forwarding — Based on the MAC address table, the switch is able to forward frames out the appropriate interfaces.
  • Loop prevention — Multiple connections between switches may exist for redundancy purposes. However these multiple connections may lead to network loops without the use of a sophisticated protocol to prevent their existence. STP is the protocol running on the switch ports to eliminate data flooding as a consequence of loops while at the same time maintaining redundancy.

 

How Does the Switch Find Host MACs?

Let’s use the diagram below to help us understand how address learning process takes place.

address-learning-process.jpg

Let’s assume that we have just powered on the switch. It has nothing in its MAC table. We connect the cables from the hosts on the switch interfaces as shown in the diagram. Host A initiates a connection towards Host D, and the following takes place:

  1. Host A (interface fe0/0) sends a frame to Host D (MAC address 0000.43c5.334c).
  2. The switch inspects the source address in the frame and records in its table the MAC address of Host A along with the interface number on which the frame arrived.
  3. The switch inspects the destination address in the frame. Since it does not have Host D's MAC address in its table, it floods the frame out all interfaces except the one on which the original frame arrived.
  4. Host D identifies itself as the intended recipient and responds to Host A. The switch receives the response frame on interface fe0/11 and places its source address in the table along with the interface number the frame came from.
  5. From then on, further communication between the two hosts is switched to the appropriate interfaces based on the MAC table entries.

 

This process takes place every time a new host is attached on the switch and initiates traffic. The switch tries to keep its MAC table up-to-date, therefore if some hosts do not initiate traffic for a certain amount of time, the switch removes them from its table and reinserts them when they begin sending traffic.

 

Spanning Tree Protocol (STP) Operations

The Spanning Tree Protocol (STP) is responsible for identifying the links in the network and shutting down the redundant ones, preventing possible network loops. To do so, all switches in the network exchange BPDU messages to agree upon the root bridge. Once they have elected the root bridge, every switch has to determine which of its ports will be its root port, the port leading towards the root bridge.

 

If more than one link connects to the root bridge, then one is elected as the forwarding port (Designated Port) and the others are blocked. Let us see the operation of STP with the use of an example. We will use the topology shown below to help us understand how STP operates.

how-STP-operates-copy-2.jpg

  1. The root bridge needs to be elected. Two fields combined together identify the root bridge: the priority value and the MAC address. Without manual configuration all switches have the same priority, so it is up to the MAC address to decide the root bridge. The switch with the lowest MAC address value is elected as the root bridge. In the diagram above, Switch C is the elected root bridge.
  2. Once the root bridge is elected, each switch needs to identify a single root port, the port closest to the root bridge. This port will always be in the forwarding state. By default all ports of the root bridge are in the forwarding state. Moreover, one port per segment (called the designated port) is allowed to be in the forwarding state.
  3. In our example we have two ports on switch A and two ports on switch B that belong to the same segments. Therefore, two of them need to be blocked to avoid loops. Since switch B has the higher MAC address value (hence the lower priority), its ports on those segments are blocked and switch A's become the designated ports.
  4. The result of all this is that only one path from any switch to any other switch exists. Mission accomplished!
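
Added example, not from the original post: a Python implementation of the election and port-role rules described in the steps above, run on a constructed three-switch topology in which C has the lowest MAC address and A and B are joined by two parallel links. The bridge priority of 32768, the MAC addresses, the port names and the path cost of 19 per 100 Mbps link are assumptions made for this example.

```python
import heapq

DEFAULT_PRIORITY = 32768   # IEEE 802.1D default; the post only says all switches share one priority


def elect_root(bridges):
    """Root bridge = lowest bridge ID, compared as (priority, MAC) exactly as the post describes."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(root, links):
    """Dijkstra over the link costs: each switch's cheapest total cost to reach the root."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def stp_port_roles(bridges, links):
    """Return (root, {(switch, port): "root" | "designated" | "blocked"})."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    # Step 2: every non-root switch picks one root port, the port whose neighbour offers
    # the cheapest path to the root (ties: neighbour's bridge ID, then local port name).
    root_port = {}
    for a, pa, b, pb, c in links:
        for me, my_port, nbr in ((a, pa, b), (b, pb, a)):
            if me == root:
                continue
            candidate = (cost[nbr] + c, bridges[nbr], my_port)
            if me not in root_port or candidate < root_port[me]:
                root_port[me] = candidate
    # Steps 2 and 3: one designated port per segment, the end with the lowest root path
    # cost (ties: lowest bridge ID); the other end is a root port or gets blocked.
    roles = {}
    for a, pa, b, pb, c in links:
        ends = [(a, pa), (b, pb)]
        designated = min(ends, key=lambda end: (cost[end[0]], bridges[end[0]]))
        for sw, port in ends:
            if (sw, port) == designated:
                roles[(sw, port)] = "designated"
            elif sw in root_port and root_port[sw][2] == port:
                roles[(sw, port)] = "root"
            else:
                roles[(sw, port)] = "blocked"
    return root, roles


def forwarding_links(links, roles):
    """Links with no blocked end: the loop-free tree that actually carries traffic."""
    return [(a, b) for a, pa, b, pb, _ in links
            if "blocked" not in (roles[(a, pa)], roles[(b, pb)])]


def post_topology():
    """Constructed topology matching the post's description (values are assumptions)."""
    bridges = {
        "A": (DEFAULT_PRIORITY, "0000.0c00.0a0a"),
        "B": (DEFAULT_PRIORITY, "0000.0c00.0b0b"),
        "C": (DEFAULT_PRIORITY, "0000.0c00.0001"),   # lowest MAC -> root bridge
    }
    links = [  # (switch, port, switch, port, path cost); 19 = 100 Mbps in 802.1D-1998
        ("C", "fa0/1", "A", "fa0/1", 19),
        ("C", "fa0/2", "B", "fa0/1", 19),
        ("A", "fa0/2", "B", "fa0/2", 19),   # two parallel A-B links: same segment twice
        ("A", "fa0/3", "B", "fa0/3", 19),
    ]
    return bridges, links


if __name__ == "__main__":
    bridges, links = post_topology()
    root, roles = stp_port_roles(bridges, links)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
    print("forwarding links:", forwarding_links(links, roles))
```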

 

Things to Keep in Mind about STP

  • The Spanning Tree Protocol is a link management protocol that is designed to support redundant links while at the same time preventing switching loops in the network. It is quite useful and should be enabled on the switch interfaces.
  • STP has a high convergence time; it can take up to one minute to converge and provide redundancy. A newer development of STP, the Rapid Spanning Tree Protocol (RSTP), retains all the tasks of STP while reducing convergence time significantly.

 


Switchport Security Configuration

March 25 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

The switchport security feature (Port Security) is an important piece of the network switch security puzzle; it provides the ability to limit what addresses will be allowed to send traffic on individual switchports within the switched network.

 

Once an organization decides to utilize the switchport security feature on their networks, it is important to carefully plan before any configuration is put in place. While the switchport security feature is very useful if used correctly, it can easily be misconfigured; this misconfiguration can cause service interruption and ongoing headaches for an organization. The planning of the configuration includes determining which violation mode and operation mode to use based on the goals of the organization, as well as determining which switchports should be enabled with the feature. This article takes a look at how the switchport security feature is configured by extending on the concepts that were covered in Switchport Security.

 

Switchport Security Configuration

By default, the switchport security feature is disabled on all switchports and must be enabled. Table 1 shows the steps required to enable the switchport security feature on an interface (This can cause some confusion, but when using Cisco IOS, switchport configuration is performed while in interface configuration mode. The terms interface and switchport are interchangeable).

Enter privileged mode

router>enable

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Enable the switchport security feature

router(config-if)#switchport port-security

Without configuring any other specific parameters, the switchport security feature will only permit one MAC address to be learned per switchport (dynamically) and use the shutdown violation mode; this means that if a second MAC address is seen on the switchport the port will be shut down and put into the err-disabled state.

 

Table 2 shows the steps required to alter these default parameters:

Enter privileged mode

router>enable

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Configure the maximum number of MAC addresses allowed on a switchport (default : 1)

router(config-if)#switchport port-security maximum value

Configure the switchport violation mode (default : shutdown)

router(config-if)#switchport port-security violation {protect |restrict | shutdown}

 

As stated above, by default MAC addresses are learned on a switchport dynamically and are called dynamic MAC addresses. MAC addresses can also be configured in two other ways: statically and sticky. Static MAC addresses can be configured on a switchport to ensure that only a device with a specific MAC can utilize that switchport (for example, if the switchport location and a device are publicly accessible and the organization wants to ensure that only the authorized device can access the network). A sticky MAC address is a hybrid between a static and a dynamic MAC address. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if the network engineer wants to keep the MAC address across a reboot, a configuration save is required (copy running startup).

Table 3 shows the steps required to configure a static MAC address:

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Configure a static MAC address

router(config-if)#switchport port-security mac-address mac-address

 

Table 4 shows the steps required to enable the use of sticky learning on a switchport:

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface interface

Enabling the use of sticky MAC address learning

router(config-if)#switchport port-security mac-address sticky

 

Switchport Security Configuration Example

To wrap the configuration commands into a single example to ensure clarity, this section will show a basic switchport security example.

 

The configuration shown in Table 5 will enable the use of the switchport security feature on ports f0/1 and f0/2, statically configure the 0000.1111.2222 MAC address on the f0/1 switchport and enable sticky learning on the f0/2 switchport.

Enter global configuration mode

router#configure terminal

Enter interface configuration mode

router(config)#interface f0/1

Enabling the switchport security feature

router(config-if)#switchport port-security

Configuring a static MAC Address (0000.1111.2222) on the switchport.

router(config-if)#switchport port-security mac-address 0000.1111.2222

Enter interface configuration mode

router(config)#interface f0/2

Enabling the switchport security feature

router(config-if)#switchport port-security

Configuring the use of sticky MAC address learning

router(config-if)#switchport port-security mac-address sticky

 

While the switchport security feature does not require that many commands to operate properly, it can also be misconfigured just as easily. Take the time to write down and triple-check that the proposed configuration is doing what is expected, and/or test a proposed configuration in a non-production environment. Hopefully the content in this article can be used to get started with the switchport security feature.
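
Added example (not the page's own code) serving both the address-learning steps in the STP post above and the port-security configuration in this post: a Python model of a switch that learns source MACs, floods unknown destinations, ages idle entries and enforces the maximum, static, sticky and violation-mode settings on secured ports. Port names, Host A's MAC address, the 300-second aging time and the running_config() output format are assumptions made for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    """State of switchport port-security on one port (a model, not IOS code)."""
    maximum: int = 1                  # switchport port-security maximum <value>
    violation: str = "shutdown"       # protect | restrict | shutdown (shutdown is the default)
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # switchport port-security mac-address <mac>
    secure: set = field(default_factory=set)   # static plus learned secure addresses
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, aging=300):
        self.ports = list(ports)
        self.aging = aging            # seconds an idle MAC entry survives (assumed value)
        self.mac_table = {}           # mac -> (port, last_seen)
        self.security = {}            # port -> PortSecurity, only where the feature is enabled

    def enable_port_security(self, port, maximum=1, violation="shutdown",
                             static=(), sticky=False):
        self.security[port] = PortSecurity(maximum=maximum, violation=violation,
                                           sticky=sticky, static=set(static),
                                           secure=set(static))

    def _admit(self, port, src):
        """Port-security check on the source MAC; True if the frame may be processed."""
        ps = self.security.get(port)
        if ps is None:
            return True                       # feature disabled on this port (the default)
        if ps.err_disabled:
            return False                      # shut down by an earlier violation
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)                # learned as a secure (dynamic or sticky) address
            return True
        # Violation: protect drops silently, restrict drops and counts,
        # shutdown drops, counts and puts the port into err-disabled.
        if ps.violation != "protect":
            ps.violations += 1
        if ps.violation == "shutdown":
            ps.err_disabled = True
        return False

    def _active_ports(self):
        return [p for p in self.ports
                if not (p in self.security and self.security[p].err_disabled)]

    def receive(self, in_port, src, dst, now=0):
        """Process one frame; returns the egress ports (empty list = dropped or filtered)."""
        # Age out entries for hosts that have been silent longer than the aging time.
        self.mac_table = {m: (p, t) for m, (p, t) in self.mac_table.items()
                          if now - t < self.aging}
        if not self._admit(in_port, src):
            return []
        self.mac_table[src] = (in_port, now)          # address learning from the source MAC
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self._active_ports() if p != in_port]   # flood unknown/broadcast
        out_port, _ = self.mac_table[dst]
        return [] if out_port == in_port else [out_port]  # forward out the learned port

    def running_config(self, port):
        """Interface lines the port-security state would produce (static and sticky
        addresses appear in the configuration, plain dynamic ones do not)."""
        ps = self.security[port]
        lines = ["switchport port-security"]
        if ps.maximum != 1:
            lines.append(f"switchport port-security maximum {ps.maximum}")
        if ps.violation != "shutdown":
            lines.append(f"switchport port-security violation {ps.violation}")
        if ps.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac in sorted(ps.secure):
            if mac in ps.static:
                lines.append(f"switchport port-security mac-address {mac}")
            elif ps.sticky:
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    sw = Switch(["fe0/0", "fe0/1", "fe0/2", "fe0/11"])
    host_a, host_d = "0000.43c5.1111", "0000.43c5.334c"   # Host A's MAC is constructed
    print(sw.receive("fe0/0", host_a, host_d, now=0))     # unknown destination: flooded
    print(sw.receive("fe0/11", host_d, host_a, now=1))    # now known: ['fe0/0'] only
    sw.enable_port_security("fe0/1", static=["0000.1111.2222"])   # the post's Table 5, f0/1
    sw.enable_port_security("fe0/2", sticky=True)                 # the post's Table 5, f0/2
    print(sw.receive("fe0/1", "0000.9999.9999", BROADCAST, now=2))  # violation: [] and err-disabled
    print(sw.security["fe0/1"].err_disabled)
```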

 


Benefits of Dynamic Routing

February 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

As a network administrator, you must also know dynamic IP routing like the back of your hand. In this article, we'll explore dynamic IP routing and you'll learn the practical information that you need to know about it.

 

Routing in General

To review from the last tip, the router learns the next hop for packets using one of two methods:

  1. Static routing: With static routing, you -- as the administrator -- manually enter the routes and tell the router, for each IP network, what next hop that traffic should be delivered to.
  2. Dynamic routing: With dynamic routing, you -- as the administrator -- configure a routing protocol on your network interfaces. Your routing protocol learns about other routers automatically. Your router and the other routers exchange routes, and each learns about the networks that the other is connected to. When new networks are added or removed, the routers update each other.

 

Static Routing Issues

With static routing, you are telling your router to send traffic with a given destination IP address to a router with an IP address of x.x.x.x. This is handy for a small network with very few routes or for someone who wants absolute control, but it becomes very cumbersome as your network grows. To keep a multi-site wide-area network fully connected (fully meshed) via static routes, you have to create a route on every router for every other router. This means that, as you add more sites, the number of routes you have to create increases exponentially, and when sites go down or links perform poorly, any corrections must be entered manually.

 

Benefits of Dynamic Routing

A dynamic routing protocol can resolve these issues for you. Here are some general benefits of using a dynamic routing protocol:

  • More automation: Routing updates are automatically sent to all other routers.
  • Change notification: The dynamic routing protocol may be able to reroute traffic around a link that is down or congested.
  • Greater uptime for users: Because the routing protocol has intelligence and can react faster, the users may see more uptime.
  • Greater network throughput: Because the routing protocol may be able to calculate the most responsive network link to use, the users may see less latency and more performance out of the network.
  • Less work for administrators: As the network grows, the administrator doesn't have to worry about configuring all the other routers on the network. Instead, the administrator configures the dynamic routing protocol on the new router to talk to the other routers and let them know what networks the new router has to offer.

 

Gotchas of Dynamic Routing

Don't think that dynamic routing protocols are perfect, however. Here are some possible gotchas of using dynamic routing protocols:

  • Routers may need more CPU and RAM to hold routing tables and calculate dynamic routes.
  • Dynamic routing protocols aren't perfect and can experience routing loops in some cases.
  • Dynamic routing protocols will introduce complexity to your network. You will need to understand how to configure and troubleshoot the new dynamic routing protocols.

 

Dynamic Routing Protocols

You may be wishing you had some examples of dynamic routing protocols. I'm not going to cover or compare all possible routing protocols, but let's talk about the dynamic routing protocols you need to know.

 

First off, there are the interior gateway routing protocols (IGP). These are protocols that you would use within your own network. They are the protocols that are supported by just about every router and server operating system (such as Windows 2003 Server and Linux):

  • OSPF (Open Shortest Path First) -- RFC 2328 -- is the most popular dynamic routing protocol in use today. It is an open protocol, so any router or server operating system can run OSPF. OSPF selects the best route using "cost" as its metric. OSPF is a full-featured routing protocol and can be complex, but it can also scale to any size of network.
  • EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco proprietary protocol. Only Cisco devices run EIGRP. EIGRP is a full-featured routing protocol, similar to OSPF. EIGRP has some great features, but unless you can guarantee that you will always have an all-Cisco network, I would recommend an open protocol like OSPF instead. EIGRP replaced IGRP, its predecessor. With EIGRP, the metric used to select the best route is calculated using a formula that takes into account the bandwidth, reliability, load and delay of the link.
  • RIP (Routing Information Protocol) Version 2 -- RFC 2453 -- is also an open protocol. Version 2 of RIP is what you should use today, as it provides support for VLSM (Variable Length Subnet Mask). RIP is the simplest and easiest routing protocol to configure, but it also has fewer features than OSPF and is limited to routing for a network with fewer than 15 hops. RIP works very well for a small network that doesn't plan on growing large, however. Another great thing about RIP is that it is commonly supported by even small routers and firewalls.

And, in a class by itself, there is Border Gateway Protocol (BGP):

  • BGP (Border Gateway Protocol) is the routing protocol of the Internet. BGP is an Exterior Gateway Protocol (EGP), which means that BGP is used by routers that make routing decisions on the Internet. Just because your home or work router has a connection to the Internet, you don't necessarily need BGP or want to run it. Once your router has more than one dedicated connection to the Internet from business-class providers, you may want to look at running BGP. BGP is a path-vector protocol and selects the best route differently from the other routing protocols: it uses the "AS-PATH" as its routing metric and selects the route with the shortest AS path through the Internet.

 

Configuring Dynamic Routing

So all this theoretical stuff is great, right? It gives you a good foundation, but you probably want to see how to configure a dynamic routing protocol.

 

Let's say that we have the basic network, shown below:

 

 Configuring-dynamic-routing.jpg

It is our job to configure RIP between these two locations so that each network knows about the other router's networks. Assuming that all normal router IP addressing is configured and interfaces have been enabled, we need issue only a few simple commands on each router to accomplish this.

 

Here is the configuration:

Location A
router rip
 version 2
 no auto-summary
 network 10.1.1.0
 network 63.248.129.0

Location B
router rip
 version 2
 no auto-summary
 network 10.2.2.0
 network 63.248.129.0

What this does is:

  1. Enter routing configuration mode on each router.
  2. Enable Version 2 of the RIP routing protocol.
  3. Enable RIP routing on both the LAN and the WAN networks. This tells the router both to advertise these networks to other routers and to try to find other routers on these networks.

 

Once completed, here is the routing table and ping output for Location A:

Location-A1.jpg

Location-A2.jpg

Location-A3.jpg

As you can see, each router knows about the other router's LAN networks through RIP (the "R" in the routing table source shows that these routes were learned through RIP). Also, each router can ping other routers' Ethernet interfaces.

 

We could have accomplished the same connectivity with only one static route on each router. However, as this network grows from two routers to 20 or 200, the time needed to administer static routing would be a horrible administrative burden.

 

As a network administrator, you should have some basic knowledge of the four most popular dynamic routing protocols in use today. If you are new at this, I recommend that you start by learning about RIP and move up to the other protocols from there.

---Resource from http://searchnetworking.techtarget.com/tip/Cisco-IOS-IP-routing-dynamic-routing


BGP Protocol is Essential in Your IP Network

February 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

As we know, Border Gateway Protocol (BGP) has the reputation of being the hardest routing protocol to design, configure and maintain. But while this notion has some validity, there are situations where BGP is the only tool available to get the job done, or where deploying BGP throughout your network can increase its security or stability.

 BGP.jpg

BGP's complexity is primarily due to the large number of attributes it can attach to a route, its complex route selection rules, and the manual configuration of neighboring routers (which are discovered automatically in most other routing protocols) needed to ensure the security of the routing information exchange. Having a large number of configuration options and BGP-specific filtering mechanisms available on routers from different major vendors doesn't help either.

 

In this article, we will give you five scenarios where BGP is the best match for your network requirements.

 

Internet Service Advantages

If you're an Internet service provider (ISP), running BGP in your network is almost a must. I've seen consumer-focused ISPs that tried to get around this recommendation and used BGP solely to peer with their upstream ISPs, but they eventually had to bite the bullet and deploy BGP to increase the stability of their network, provide end-to-end quality of service or penetrate enterprise markets. Enterprise-focused ISPs have to run BGP from the start to support their multi-homed customers.

 

Layer 3 VPN Services

We've seen a variety of technologies used to implement Layer 3 VPN services in recent years, and MPLS-based VPNs have undoubtedly proven to be the most scalable solution, partly due to using BGP as the underlying routing protocol. Fortunately, you don't have to deploy BGP everywhere in your network if you want to deploy MPLS/VPN solutions. It's enough to deploy BGP on the Provider Edge (PE) routers that connect your VPN customers and on a few core devices that act as route servers (these devices should not be expected to forward heavy traffic loads).

 

Increasing Network Stability

Although we've met networking engineers trying to use BGP as the sole routing protocol in their networks, that's not how you should use it. Any decent BGP design should rely on another faster routing protocol (for example, OSPF, EIGRP or IS-IS) to provide core routing in the network, with BGP responsible for the edge/customer routing.

 

With the separation of core and edge routing into two routing protocols, your network core becomes more stable, as edge problems cannot disrupt the core. This design has been used very successfully in large enterprise networks with haphazard addressing schemes that defied attempts at route summarization. It should also be used in almost all service provider environments. You should never carry your customers' routes in your core routing protocol, as a customer's internal problems could quickly affect the stability of your own network.

 

We must note that it's amazing what you can see in the field. We saw an ISP running OSPF with its customers a few years ago. In that setup, a rogue or ignorant customer could have easily disrupted the whole service provider network.

 

Automatic Response to Denial-of-Service Attacks

Among other peculiarities, BGP allows you to specify any IP address as the next hop for an IP prefix. This property is most often used to ensure optimum routing across a BGP autonomous system. You can also use it to implement network-wide sinkholes and remote blackholes to quickly stop worms and denial-of-service attacks on your network.

 

Please note that you don't have to migrate your routing to BGP if you want to use these mechanisms. To implement remote blackholes, it's enough that you deploy BGP on strategic points in your network and link them via BGP sessions with a central router through which you'll insert the IP addresses to block.

 

Large-scale QOS or Web Caching Deployment

Not only does BGP carry a number of attributes describing the IP routes, it allows you to add extra baggage to every IP route it advertises in the form of BGP communities that are totally transparent to BGP (unless you're manually configuring route selection rules to use them) but propagated throughout the network.

 

A few technologies completely unrelated to BGP allow you to use these attributes to implement large-scale designs. For example, Quality-of-Service Policy Propagation with BGP (QPPB) allows you to set QoS bits for specific BGP destinations based on BGP communities and other BGP attributes. Similarly, you can control the Web Cache Communication Protocol (WCCP)-based web caching policy with BGP.

 

So…

Even though BGP is categorized as a complex and hard-to-configure routing protocol, its deployment in large enterprise networks can bring significant benefits, and it is almost mandatory in a service provider environment.

 

Note: Introduction to the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and web technologies. 

---http://searchtelecom.techtarget.com/tip/5-essential-reasons-for-BGP-in-your-IP-network


More Technical Case from Cisco.com:

BGP Case Studies

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml


OSPF Metrics Troubleshooting

January 29 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

 

When implementing any routing protocol, it is vital to have a handle on how the protocol operates and makes decisions. Without this knowledge, it is almost impossible to check and make sure that the protocol is configured properly and is operating as expected. This article takes a look at the Open Shortest Path First (OSPF) routing protocol, how its metric is calculated, and how this information can be used to ensure that traffic is taking the path that is expected.

OSPF Metric Calculation

OSPF has one of the easiest metric calculations; by default, the cost of each part of the route path is calculated from the bandwidth of the outbound interface. The default formula is shown in Figure 1:

[Figure 1 - OSPF Metric Formula (image not included): cost = reference bandwidth / interface bandwidth, with a default reference bandwidth of 100 Mbps]

 

For example, consider a network containing two routers connected together, as shown in Figure 2:

[Figure 2 - OSPF Metric Sample Topology (image not included): R1's F0/0 connects to R2, and the destination network is attached to R2's F0/1]

 

Assuming that OSPF is configured, R1 would have an OSPF routing table entry for the network that is connected to R2’s F0/1 interface. For traffic from R1 to reach that network it would need to pass through both R1’s F0/0 interface and R2’s F0/1 interface. R2 would calculate the OSPF metric for its F0/1 interface (100,000,000 / 100,000,000 = 1) and R1 would calculate the OSPF metric for its F0/0 interface (100,000,000 / 100,000,000 = 1). Based on this information from R1’s perspective, the OSPF metric to the network off of R2’s F0/1 interface is 2.

 

It is very important to note that the bandwidth that OSPF uses in its metric calculations is the configured interface bandwidth, set with the bandwidth interface configuration mode command. The bandwidth configured with the bandwidth command does not have to match the physical bandwidth of the interface, and does not affect the physical bandwidth of the network. If the network administrator changed the bandwidth of R2’s F0/1 interface to 50 Mbps (bandwidth 50000), the metric for the OSPF route on R1 would change to 3: 100,000,000 / 50,000,000 = 2 for R2’s F0/1 interface, plus 1 for R1’s F0/0 interface, equals 3.

 

Another common issue found by network engineers in modern networks is that the default reference bandwidth used in the OSPF metric calculation is rather small given the availability of 1, 10 and 100 gigabit interfaces. From the perspective of the OSPF metric, an interface with a bandwidth of 100 Mbps (cost 1) has the same metric as one with a bandwidth of 100 Gbps (cost 1), because the OSPF metric calculation only uses whole numbers. To remedy this, it is possible to change the reference bandwidth that the OSPF process uses for metric calculation with the auto-cost reference-bandwidth reference-bandwidth command, where reference-bandwidth is set in Mbps (the default is 100). Note that the reference bandwidth must be changed on ALL of the devices in the OSPF network.

 

To make this a little clearer, Figure 3 shows the same network using up-to-date interface bandwidths and a higher reference bandwidth:

[Figure 3 – OSPF Reference Bandwidth Example (image not included): same topology as Figure 2, with R1's F0/0 at 100 Mbps, R2's F0/1 at 10 Gbps and a reference bandwidth of 100 Gbps]

 

Using these bandwidths, the OSPF metric to the network off of R2’s F0/1 interface would be calculated as follows:

R1’s F0/0 interface – 100,000,000,000 / 100,000,000 = 1,000

R2’s F0/1 interface – 100,000,000,000 / 10,000,000,000 = 10

R1’s routing table will have an entry for R2’s F0/1 network with a metric of 1010.
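To make the arithmetic above checkable, here is an added Python example (not code from the original article) that computes OSPF interface costs and path metrics the way the formula describes: integer division, a floor of 1, bandwidths in kbps as the IOS bandwidth command takes them, and the reference bandwidth in Mbps as auto-cost reference-bandwidth takes it. The function names are this example's own. It reproduces the three cases in the article (metric 2, metric 3 after lowering R2's F0/1 to 50 Mbps, and metric 1010 with a 100 Gbps reference bandwidth) and also lists which links a given reference bandwidth can no longer tell apart, which is the practical reason to raise it:

```python
# Added example (not from the original article): OSPF cost arithmetic as IOS
# does it, checked against the three scenarios in the article. Interface
# bandwidths are in kbps, the unit of the IOS 'bandwidth' command; the
# reference bandwidth is in Mbps, the unit of 'auto-cost reference-bandwidth'.

DEFAULT_REFERENCE_BW_MBPS = 100  # IOS default, i.e. 100,000,000 bps


def ospf_cost(interface_bw_kbps: int, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Cost of one outbound interface: reference bandwidth / interface bandwidth,
    truncated to a whole number. A result below 1 becomes 1, which is why every
    link faster than the reference bandwidth looks identical to OSPF."""
    if interface_bw_kbps <= 0 or reference_bw_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    reference_bps = reference_bw_mbps * 1_000_000
    interface_bps = interface_bw_kbps * 1_000
    return max(1, reference_bps // interface_bps)


def path_metric(outbound_bw_kbps: list, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Route metric as seen by the first router: each router along the path adds
    the cost of its own outbound interface (R1's F0/0, then R2's F0/1, ...)."""
    return sum(ospf_cost(bw, reference_bw_mbps) for bw in outbound_bw_kbps)


def indistinguishable_links(link_bw_kbps: list, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> list:
    """Links that all collapse to cost 1 under this reference bandwidth, i.e. the
    ones OSPF can no longer rank against each other."""
    return [bw for bw in link_bw_kbps if ospf_cost(bw, reference_bw_mbps) == 1]


def reference_bandwidth_for(fastest_link_kbps: int) -> int:
    """Smallest reference bandwidth (Mbps) at which the fastest link still costs 1,
    so every slower link gets a distinct, larger cost. It has to be applied to
    every router in the OSPF domain, as the article notes."""
    return max(1, fastest_link_kbps // 1_000)


if __name__ == "__main__":
    print("Figure 2 metric:", path_metric([100_000, 100_000]))                 # 2
    print("R2 F0/1 at 50 Mbps:", path_metric([100_000, 50_000]))               # 3
    print("Figure 3 metric:", path_metric([100_000, 10_000_000], 100_000))     # 1010
    print("Cost-1 links at default ref bw:",
          indistinguishable_links([100_000, 1_000_000, 10_000_000, 100_000_000]))
```

With the default reference bandwidth the 100 Mbps, 1 Gbps, 10 Gbps and 100 Gbps links all report cost 1, so OSPF will happily equal-cost balance across a Fast Ethernet link and a 100 Gigabit link; raising the reference bandwidth to 100,000 Mbps leaves only the 100 Gbps link at cost 1.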


Most of the time when routing protocols are implemented on small simple network topologies, they work without much additional configuration. When working on networks that are larger, the complexity of the routing protocol configuration can increase; this complexity and the size of the topology can make troubleshooting very complex as well. The OSPF metric is very simple to calculate and allows even novice engineers the ability to easily trace how traffic should pass through a network. Take the time to memorize how these metrics are calculated and future troubleshooting will become easier even on complex networks.

---From http://www.petri.co.il/ospf-metrics-troubleshooting.htm

More Related OSPF Tips:

How to Fix OSPF Split Area with GRE Tunnel?

How to Configure OSPF on Cisco Routers?

How to Configure OSPF in a Single Area?

How to Troubleshoot OSPF?

OSPF, How to Configure OSPF in the Cisco IOS?

 


Cisco IOS Order of Operation

January 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Here is information from Cisco.com on the order in which the different features on an interface are applied as a packet traverses the IOS software. The table may not fit every case, so check whether it applies to yours.

Inside-to-Outside:

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside:

  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

The list above is the “official version”, but more complete versions compiled by professional network engineers also exist.

See the following for a larger diagram.

[Diagram: Cisco IOS order of operations (image not included); the ingress, egress and routing feature lists below reproduce its contents]

More notes: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features

1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features

1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly


Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE which forward the reassembled packet.

 

Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be written with an awareness of how ACLs interact with fragments.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

 

Routing Features

1. Routing table lookup (if packet isn’t marked with a PBR next-hop)
2. tcp adjust-mss
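The ordering has a direct consequence for how access lists must be written: on ingress, the input ACL (step 12) runs before NAT outside-to-inside (step 20), and on egress, NAT inside-to-outside (step 4) runs before the output ACL check (step 10). As an added illustration (not part of the post or of Cisco's documentation), the following Python model applies only those ACL and NAT stages, in the order the lists give them, and reports which addresses an access list sees. The packet, the static NAT entry (RFC 5737 documentation addresses) and the ACL entry are constructed sample data, and all names are this example's own:

```python
from dataclasses import dataclass, field

# Added example (not from the original post or Cisco): a toy model of the IOS
# feature order above, reduced to the stages that decide which addresses an
# access list evaluates. Only the relative order matters for the question.

# Ingress: Input ACL is step 12, NAT Outside-to-Inside is step 20.
INGRESS_ORDER = ["Input ACL", "NAT Outside-to-Inside"]
# Egress: NAT Inside-to-Outside is step 4, Output ACL check is step 10.
EGRESS_ORDER = ["NAT Inside-to-Outside", "Output ACL check"]

# Constructed static NAT entry: inside-local -> inside-global.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}


@dataclass
class Packet:
    src: str
    dst: str
    # stage name -> (src, dst) exactly as that stage observed them
    observed: dict = field(default_factory=dict)


def apply_stage(stage: str, pkt: Packet, static_nat: dict) -> None:
    """Mutate the packet the way the named stage would."""
    if stage == "NAT Outside-to-Inside":
        # inbound: translate the global destination back to the inside host
        global_to_local = {g: l for l, g in static_nat.items()}
        pkt.dst = global_to_local.get(pkt.dst, pkt.dst)
    elif stage == "NAT Inside-to-Outside":
        # outbound: translate the inside-local source to its global address
        pkt.src = static_nat.get(pkt.src, pkt.src)
    elif stage in ("Input ACL", "Output ACL check"):
        pkt.observed[stage] = (pkt.src, pkt.dst)


def forward(pkt: Packet, direction: str, static_nat: dict = STATIC_NAT) -> Packet:
    """Run the packet through the ingress or egress stage list in order."""
    order = INGRESS_ORDER if direction == "ingress" else EGRESS_ORDER
    for stage in order:
        apply_stage(stage, pkt, static_nat)
    return pkt


def acl_sees(direction: str, src: str, dst: str, static_nat: dict = STATIC_NAT) -> tuple:
    """The (src, dst) pair an access list on that side actually evaluates."""
    pkt = forward(Packet(src, dst), direction, static_nat)
    stage = "Input ACL" if direction == "ingress" else "Output ACL check"
    return pkt.observed[stage]


def acl_permits(direction: str, src: str, dst: str,
                permit_src: str, permit_dst: str, static_nat: dict = STATIC_NAT) -> bool:
    """Evaluate a single 'permit ip host SRC host DST' entry at the correct stage."""
    return acl_sees(direction, src, dst, static_nat) == (permit_src, permit_dst)


if __name__ == "__main__":
    # Inbound from the Internet to the NATed server: the input ACL sees the
    # inside-global address 203.0.113.10, not the inside-local 10.1.1.10.
    print("ingress ACL sees:", acl_sees("ingress", "198.51.100.5", "203.0.113.10"))
    # Outbound from the server: the output ACL already sees the translated source.
    print("egress ACL sees:", acl_sees("egress", "10.1.1.10", "198.51.100.5"))
```

The practical check this encodes: an inbound ACL on the outside interface that names the server by its private address never matches, so the rule either silently fails open (if a later broad permit exists) or fails closed; either way the intent is not enforced. Output ACLs on the same interface must use the translated source for the same reason.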

NOTE: Order of Operation for IOS 12.3(8)T and Later

[Diagram: IOS order of operation for 12.3(8)T and later (image not included)]

---Reference from http://etherealmind.com/cisco-ios-order-of-operation/

More Notes: A Related Best Cisco Book

Router Security Strategies: Securing IP Network Traffic Planes


Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking. 

 

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.

 

The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

 

“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure.  The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”

–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

 

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

 

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

 This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Note: More reviews of this book can be found at ciscopress.com

More Related Tips:

What’s the Order of Operations for Cisco IOS?

More Cisco and networking tips can be found at http://blog.router-switch.com/


Tutorial of HSRP Basic Configuration

December 24 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Let’s say that you have dual edge routers and you would like to provide some redundancy should one fail. You wouldn’t want to have to re-configure every device on your LAN to point to the other GW should the first one fail, so this is where HSRP (Hot Standby Router Protocol) comes in handy. Here we will cover a basic HSRP configuration. Take a look at the following topology:

[Figure: HSRP basic configuration topology (image not included); Router-A and Router-B share the 10.0.254.0/24 LAN segment]

You will see that we have Router-A and Router-B adjacent to our LAN segment of 10.0.254.0/24.

 

Aside from the regular interface IP (.20 and .30 in this example), we will configure the HSRP virtual IP (.10) that both routers will share and which we will use as the GW for the devices on our LAN. We will also be tracking interface FastEthernet0/1 on both routers, as this is our WAN connection, and should it go down we want the virtual IP to fail over to the other router. Following is the relevant configuration for each router.

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 standby 1 ip 10.0.254.10
 standby 1 priority 105
 standby 1 preempt
 standby 1 track FastEthernet0/1

 

Router-B:

interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 standby 1 ip 10.0.254.10
 standby 1 priority 100
 standby 1 preempt
 standby 1 track FastEthernet0/1

The lower priority on Router-B tells HSRP that Router-A should be active.

 

You should now be able to ping .10 on your LAN segment. Should you wish to manage each router you can connect to the physical address we assigned to the interface (.20 and .30).

 

We can verify its operation on each router and whether it is in active or standby mode with the ‘show standby brief’ command:

Router-A#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    105 P Active  local           10.0.254.30     10.0.254.10

 

 

Router-B#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.0.254.20     local           10.0.254.10
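Reading these two outputs by eye is fine for two routers; as an added example (not part of the original post), the following Python parses the ‘show standby brief’ captures above and audits the group: exactly one Active router, one agreed virtual IP, and the highest-priority router with preempt actually holding the Active role. Two simultaneous Active routers (split-brain, typically from a filtered or lost hello path) is the case an operator most wants flagged, because both routers then answer for the virtual IP. The two captures are the post's own; the parser and the audit rules are this example's, not IOS's:

```python
# Added example (not from the original post): parse 'show standby brief' and
# audit an HSRP group from the combined view of its members.

SHOW_STANDBY_ROUTER_A = """\
Router-A#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    105 P Active  local           10.0.254.30     10.0.254.10
"""

SHOW_STANDBY_ROUTER_B = """\
Router-B#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.0.254.20     local           10.0.254.10
"""


def parse_show_standby_brief(text: str) -> list:
    """One dict per group row. Banner, header and prompt lines are skipped.
    The 'P' column is blank when preempt is not configured, so the remaining
    fields are located relative to it rather than by fixed column offsets."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or not (t[1].isdigit() and t[2].isdigit()):
            continue
        preempt = t[3] == "P"
        i = 4 if preempt else 3
        rows.append({
            "interface": t[0], "group": int(t[1]), "priority": int(t[2]),
            "preempt": preempt, "state": t[i], "active": t[i + 1],
            "standby": t[i + 2], "virtual_ip": t[i + 3],
        })
    return rows


def audit_hsrp_group(views: list) -> list:
    """views: [(router_name, interface_ip, parsed_rows), ...].
    Returns a list of findings; an empty list means the group looks healthy."""
    findings = []
    by_group = {}
    for name, ip, rows in views:
        for r in rows:
            by_group.setdefault((r["interface"], r["group"]), []).append((name, ip, r))

    for key, members in by_group.items():
        states = [r["state"] for _, _, r in members]
        if states.count("Active") != 1:
            findings.append(f"{key}: expected exactly one Active router, saw {states}")

        vips = {r["virtual_ip"] for _, _, r in members}
        if len(vips) != 1:
            findings.append(f"{key}: members disagree on the virtual IP {sorted(vips)}")

        # With preempt, the highest-priority member must hold the Active role.
        best_name, _, best = max(members, key=lambda m: m[2]["priority"])
        if best["preempt"] and best["state"] != "Active":
            findings.append(f"{key}: {best_name} has the highest priority and preempt "
                            f"but is {best['state']}")

        # Every 'Active'/'Standby' column must point at 'local' or a known member.
        member_ips = {ip for _, ip, _ in members}
        for name, _, r in members:
            for col in ("active", "standby"):
                if r[col] not in member_ips | {"local", "unknown"}:
                    findings.append(f"{key}: {name} reports {col} peer {r[col]} "
                                    f"which is not a known group member")
    return findings


if __name__ == "__main__":
    views = [("Router-A", "10.0.254.20", parse_show_standby_brief(SHOW_STANDBY_ROUTER_A)),
             ("Router-B", "10.0.254.30", parse_show_standby_brief(SHOW_STANDBY_ROUTER_B))]
    print(audit_hsrp_group(views) or "HSRP group 1 on Fa0/0 is consistent")
```

Feeding the output of every member into one audit is what catches the cases a single router cannot see: each router reporting itself Active, or a peer address that belongs to no configured member.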

 

More Related Reading:

How to Configure GLBP in Cisco IOS Routers?

Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP

How to Configure GLBP?

To Know VRRP Basic Configuration


To Know VRRP Basic Configuration

December 20 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Here we will go over a basic VRRP (Virtual Router Redundancy Protocol) configuration. VRRP is very similar to the other two first-hop redundancy protocols, HSRP and GLBP; however, it is not a Cisco proprietary protocol but a standards-based one. Also, unlike GLBP, it does not provide load balancing, so it is closer to HSRP.

Let’s take a look at the following sample topology:
[Figure: VRRP basic configuration topology (image not included); Router-A and Router-B share the LAN segment]

As in the previous two articles, Router-A and Router-B are adjacent to the LAN segment. Aside from the normal IP address on our router interfaces, you will see a few VRRP commands added in the following configs:

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 vrrp 1 priority 120
 vrrp 1 timers learn
 vrrp 1 ip 10.0.254.10

 

Router-B:

interface FastEthernet0/0
 ! each router needs its own unique interface address; only the virtual .10 is shared
 ip address 10.0.254.30 255.255.255.0
 vrrp 1 priority 100
 vrrp 1 timers learn
 vrrp 1 ip 10.0.254.10


The higher priority in Router-A’s VRRP config makes it the master router. The ‘timers learn’ command, as its name implies, tells the VRRP process to learn the timers from the other member(s); this is useful in case the other router has a different advertisement interval set.

 

You should now be able to ping .10 on your LAN segment. Should you wish to connect to a specific router, you can use the normal interface IP that was configured.

 

We can verify the VRRP operation via the ‘show vrrp all’ command:

Router-A#show vrrp all
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 120
  Master Router is 10.0.254.20 (local), priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.531 sec

 

Router-B#show vrrp all
FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.254.20, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.344 sec) Learning
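The two ‘Master Down interval’ values above (3.531 sec on Router-A, 3.609 sec on Router-B) are not arbitrary: VRRP (RFC 3768) derives them from the priority, so the higher-priority backup always times out first. As an added example (not part of the original post), the following Python computes the timers from the RFC formula, parses the two captures above, and confirms that the displayed values match. The captures are the post's own output; the parser and check are this example's:

```python
import re

# Added example (not from the original post): VRRP timers per RFC 3768.
#   Skew_Time            = (256 - Priority) / 256            (seconds)
#   Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time
# A backup only declares the master dead after Master_Down_Interval without
# advertisements; the higher its priority, the shorter it waits.

SHOW_VRRP_ROUTER_A = """\
Router-A#show vrrp all
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 120
  Master Router is 10.0.254.20 (local), priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.531 sec
"""

SHOW_VRRP_ROUTER_B = """\
Router-B#show vrrp all
FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.254.20, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.344 sec) Learning
"""


def vrrp_skew_time(priority: int) -> float:
    """Skew_Time in seconds; priorities 1..254 are valid for a VRRP router
    (255 is reserved for the address owner, 0 signals a release)."""
    if not 1 <= priority <= 254:
        raise ValueError("VRRP priority must be between 1 and 254")
    return (256 - priority) / 256


def vrrp_master_down_interval(priority: int, advertisement_interval: float = 1.0) -> float:
    """Master_Down_Interval in seconds for a backup with this priority."""
    return 3 * advertisement_interval + vrrp_skew_time(priority)


def failover_order(priorities: list, advertisement_interval: float = 1.0) -> list:
    """Priorities sorted by who would claim the master role first after the
    master goes silent: shortest Master Down interval wins."""
    return sorted(priorities, key=lambda p: vrrp_master_down_interval(p, advertisement_interval))


def parse_show_vrrp(text: str) -> dict:
    """Pull the fields this check needs out of 'show vrrp all' output."""
    def grab(pattern, cast):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return cast(m.group(1))
    return {
        "state": grab(r"State is (\w+)", str),
        "priority": grab(r"^\s*Priority is (\d+)", int),
        "master_adv_interval": grab(r"Master Advertisement interval is ([\d.]+) sec", float),
        "master_down_interval": grab(r"Master Down interval is ([\d.]+) sec", float),
    }


def master_down_matches_rfc(text: str) -> bool:
    """True when the displayed Master Down interval equals the RFC formula.
    IOS prints three decimals, so the comparison is made at that precision."""
    f = parse_show_vrrp(text)
    expected = vrrp_master_down_interval(f["priority"], f["master_adv_interval"])
    return round(expected, 3) == f["master_down_interval"]


if __name__ == "__main__":
    for name, text in (("Router-A", SHOW_VRRP_ROUTER_A), ("Router-B", SHOW_VRRP_ROUTER_B)):
        f = parse_show_vrrp(text)
        print(name, f["state"], "priority", f["priority"],
              "expected", round(vrrp_master_down_interval(f["priority"]), 3),
              "shown", f["master_down_interval"])
```

Router-A (priority 120) gets 3 + 136/256 = 3.531 sec and Router-B (priority 100) gets 3 + 156/256 = 3.609 sec, exactly the values shown. The skew is what keeps two backups from promoting themselves at the same instant: the lower-priority router always waits measurably longer, so when the master stops advertising the election is decided by the timers rather than by a race.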

 

Reading from http://esalonia.net

 

More Related Reading:

How to Configure GLBP in Cisco IOS Routers?

Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP

How to Configure GLBP?


GLBP & GLBP Basic Configuration

December 18 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

What is GLBP?

Gateway Load Balancing Protocol (GLBP) is supported by the Cisco 1700, 2600, 3620, 3631, 3640, 3660, 3725, 3745, 7100, 7200, 7400 and 7500 series. GLBP is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols (HSRP, VRRP, …) by adding basic load balancing functionality.

GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222 (source and destination).

 

GLBP Features:

Load Sharing: You can configure GLBP so that traffic from LAN clients is shared by multiple routers, thereby spreading the traffic load more equitably among the available routers. The available load-sharing methods are:

  • host-dependent: Specifies a load balancing method based on the MAC address of a host, where the same forwarder is always used for a particular host while the number of GLBP group members remains unchanged.
  • round-robin: Specifies a load balancing method where each virtual forwarder in turn is included in address resolution replies for the virtual IP address. This method is the default.
  • weighted: Specifies a load balancing method that is dependent on the weighting value advertised by the gateway.

Multiple Virtual Routers: GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router, and up to 4 virtual forwarders per group.

Preemption: The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a higher priority backup virtual gateway that has become available. Forwarder preemption works in a similar way, except that forwarder preemption uses weighting instead of priority and is enabled by default.

Authentication: You can use a simple text password authentication scheme between GLBP group members to detect configuration errors. A router within a GLBP group with a different authentication string than other routers will be ignored by other group members.

Tracking: Different interfaces can be tracked to decrement the GLBP weighting by varying amounts.

 

GLBP Components:

  • Active Virtual Gateway (AVG): One virtual gateway within a GLBP group is elected as the active virtual gateway and is responsible for the operation of the protocol. This router has the highest priority value or, if priorities are equal, the highest IP address in the group. The AVG answers all ARP requests for the virtual router address; which MAC address it returns depends on which load-balancing algorithm it is configured to use.
  • Active Virtual Forwarder (AVF): One virtual forwarder within a GLBP group is elected as active virtual forwarder for a specified virtual MAC address, and is responsible for forwarding packets sent to that MAC address. Multiple active virtual forwarders can exist for each GLBP group.

 

GLBP States:

For a virtual gateway the state can be one of the following:

Disabled: Indicates that the virtual IP address has not been configured or learned yet, but other GLBP configuration exists.

Initial: The virtual IP address has been configured or learned but virtual gateway configuration is not complete. An interface must be up and configured to route IP, and an interface IP address must be configured.

Listen: Virtual gateway is receiving hello packets and is ready to change to the “speak” state if the active or standby virtual gateway becomes unavailable.

Speak: Virtual gateway is attempting to become the active or standby virtual gateway.

Standby: Indicates that the gateway is next in line to be the active virtual gateway (AVG).

Active: Indicates that this gateway is the AVG, and that it is responsible for responding to Address Resolution Protocol (ARP) requests for the virtual IP address.

 

For a virtual forwarder the state can be one of the following:

Disabled: Indicates that the virtual MAC address has not been assigned or learned. This is a transitory state because a virtual forwarder changing to a disabled state is deleted.

Initial: The virtual MAC address is known but virtual forwarder configuration is not complete. An interface must be up and configured to route IP, an interface IP address must be configured, and the virtual IP address must be known.

Listen: Virtual forwarder is receiving hello packets and is ready to change to the “active” state if the active virtual forwarder (AVF) becomes unavailable.

Active: Indicates that this gateway is the AVF, and that it is responsible for forwarding packets sent to the virtual forwarder MAC address.

 

GLBP Basic Configuration

GLBP (Gateway Load Balancing Protocol), like HSRP, is a Cisco proprietary protocol. The main difference is that GLBP allows for load balancing between the two routers rather than using just one and leaving the other unused until needed.

 

Have a look at the following sample topology:
[Figure: GLBP basic configuration topology (image not included); Router-A and Router-B share the LAN segment]

As in the previous article, here you will see Router-A and Router-B adjacent to our LAN segment. Aside from the normal IP address on the router interfaces, you will see the GLBP config as well:

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 glbp 1 ip 10.0.254.10
 glbp 1 priority 120
 glbp 1 preempt

 

Router-B:

interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 glbp 1 priority 100
 glbp 1 ip 10.0.254.10
 glbp 1 preempt

 

As in the previous article, the higher priority makes that router the active GLBP router. The difference here is that load balancing occurs between the two routers. GLBP elects one router to be the AVG (Active Virtual Gateway), which in turn assigns a virtual MAC address to each GLBP router acting as an AVF (Active Virtual Forwarder), itself included, and then assigns hosts to one of those forwarders. This is all done transparently to the end user: you still point your devices to the virtual IP and GLBP handles the rest. The default load balancing method for GLBP is round-robin.

 

Let’s verify the GLBP operation with the command ‘show glbp brief’:

Router-A#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   120 Active   10.0.254.10     local           10.0.254.30
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  10.0.254.30     -

 

Router-B#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Standby  10.0.254.10     10.0.254.20     local
Fa0/0       1    1   -   Listen   0007.b400.0101  10.0.254.20     -
Fa0/0       1    2   -   Active   0007.b400.0102  local           -

 

Above, you can see the active and standby routers as well as the virtual MAC addresses assigned to each (0007.b400.010X). Router-A is 10.0.254.20 and was assigned a virtual MAC of 0007.b400.0101. Router-B is 10.0.254.30 and was assigned a virtual MAC of 0007.b400.0102. In this example, Router-A is the AVG and Router-B is an AVF. You can add more routers to the group to increase redundancy and in turn add more AVFs.
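The load balancing described in this article and in the GLBP Features section above happens entirely in the AVG's ARP replies: every host asks for the same virtual IP, and the AVG decides which forwarder's virtual MAC to hand back. As an added example (not code from the original post or from Cisco IOS), the following Python models that decision for the three load-sharing methods. The 0007.b400.<group><forwarder> MAC layout is the one visible in the ‘show glbp brief’ output above; the host-dependent hash, the weighted scheduler, the tie-breaking and the host MACs are this example's own constructed choices, not Cisco's implementation:

```python
import hashlib
from collections import Counter
from itertools import cycle

# Added example (not from the original post or Cisco IOS): how the AVG picks a
# virtual forwarder MAC for each ARP reply under the three GLBP load-sharing
# methods. The hash and weighted scheduler are illustrative, not Cisco's.


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Virtual MAC in the layout seen in the post's output: 0007.b400.GGFF.
    The post's example uses group 1; this simplified encoding covers groups
    that fit in one octet and the up-to-4 forwarders a group can have."""
    if not (0 <= group <= 255 and 1 <= forwarder <= 4):
        raise ValueError("group must fit one octet and forwarder must be 1..4")
    return f"0007.b400.{group:02x}{forwarder:02x}"


class ActiveVirtualGateway:
    """The AVG's ARP answering logic for one GLBP group."""

    def __init__(self, group: int, forwarders: list, method: str = "round-robin",
                 weights: dict = None):
        self.group = group
        self.forwarders = list(forwarders)        # AVF numbers currently Active
        self.method = method
        self._rr = cycle(self.forwarders)         # round-robin cursor
        self.weights = weights or {f: 1 for f in self.forwarders}
        self._credit = {f: 0 for f in self.forwarders}

    def _pick_forwarder(self, host_mac: str) -> int:
        if self.method == "round-robin":
            # default: each Active forwarder in turn
            return next(self._rr)
        if self.method == "host-dependent":
            # any stable hash of the host MAC keeps a host on the same AVF for
            # as long as the membership is unchanged (hash choice is illustrative)
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            return self.forwarders[digest[0] % len(self.forwarders)]
        if self.method == "weighted":
            # smooth weighted round-robin: replies in proportion to weight
            for f in self.forwarders:
                self._credit[f] += self.weights[f]
            chosen = max(self.forwarders, key=lambda f: self._credit[f])
            self._credit[chosen] -= sum(self.weights.values())
            return chosen
        raise ValueError(f"unknown load-sharing method {self.method!r}")

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC the AVG returns for an ARP request for the virtual IP."""
        return glbp_virtual_mac(self.group, self._pick_forwarder(host_mac))


def distribution(avg: ActiveVirtualGateway, host_macs: list) -> Counter:
    """How many hosts end up on each forwarder MAC after one ARP each."""
    return Counter(avg.arp_reply(mac) for mac in host_macs)


# Constructed host MACs for the LAN in the post's topology.
HOSTS = ["00:11:22:33:44:%02x" % i for i in range(1, 9)]

if __name__ == "__main__":
    for method in ("round-robin", "host-dependent"):
        avg = ActiveVirtualGateway(1, [1, 2], method)
        print(method, dict(distribution(avg, HOSTS)))
    weighted = ActiveVirtualGateway(1, [1, 2], "weighted", {1: 3, 2: 1})
    print("weighted 3:1", dict(distribution(weighted, HOSTS)))
```

Round-robin alternates the two MACs from the output above (0007.b400.0101, 0007.b400.0102); host-dependent returns the same MAC to the same host every time it re-ARPs, which is why the article notes it is stable only while the group membership is unchanged; weighted hands out replies in proportion to the configured weights, which is the knob the Tracking feature decrements when a tracked interface goes down.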


More GLBP Tips:

How to Configure GLBP?

GLBP Overview and Features
