Cisco & Cisco Network Hardware News and Technology


BGP Protocol is Essential in Your IP Network

February 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

As is well known, Border Gateway Protocol (BGP) has the reputation of being the hardest routing protocol to design, configure and maintain. While this notion has some validity, there are situations where BGP is the only tool available to get the job done, or where deploying BGP throughout your network can increase its security or stability.


BGP's complexity is primarily due to the large number of attributes it can attach to a route, its complex route selection rules, and the manual configuration of neighboring routers (which are discovered automatically in most other routing protocols) needed to ensure the security of the routing information exchange. Having a large number of configuration options and BGP-specific filtering mechanisms available on routers from different major vendors doesn't help either.

 

In this article, we will give you five scenarios where BGP is the best match for your network requirements.

 

Internet Service Advantages

If you're an Internet service provider (ISP), running BGP in your network is almost a must. I've seen consumer-focused ISPs that tried to get around this recommendation and used BGP solely to peer with their upstream ISPs, but they eventually had to bite the bullet and deploy BGP to increase the stability of their network, provide end-to-end quality of service or penetrate enterprise markets. Enterprise-focused ISPs have to run BGP from the start to support their multi-homed customers.

 

Layer 3 VPN Services

We've seen a variety of technologies used to implement Layer 3 VPN services in recent years, and MPLS-based VPNs have undoubtedly proven to be the most scalable solution, partly due to using BGP as the underlying routing protocol. Fortunately, you don't have to deploy BGP everywhere in your network if you want to deploy MPLS/VPN solutions. It's enough to deploy BGP on the Provider Edge (PE) routers that connect your VPN customers and on a few core devices that act as BGP route reflectors (these devices should not be expected to forward heavy traffic loads).

 

Increasing Network Stability

Although we've met networking engineers trying to use BGP as the sole routing protocol in their networks, that's not how you should use it. Any decent BGP design should rely on another faster routing protocol (for example, OSPF, EIGRP or IS-IS) to provide core routing in the network, with BGP responsible for the edge/customer routing.

 

With the separation of core and edge routing into two routing protocols, your network core becomes more stable, as edge problems cannot disrupt the core. This design has been used very successfully in large enterprise networks with haphazard addressing schemes that defied attempts at route summarization. It should also be used in almost all service provider environments. You should never carry your customers' routes in your core routing protocol, as a customer's internal problems could quickly affect the stability of your own network.

 

We must note that it's amazing what you can see in the field. We saw an ISP running OSPF with its customers a few years ago. In that setup, a rogue or ignorant customer could have easily disrupted the whole service provider network.

 

Automatic Response to Denial-of-Service Attacks

Among other peculiarities, BGP allows you to specify any IP address as the next hop for an IP prefix. This property is most often used to ensure optimum routing across a BGP autonomous system. You can also use it to implement network-wide sinkholes and remote-triggered blackholes (RTBH) to quickly stop worms and denial-of-service attacks on your network.

 

Please note that you don't have to migrate your routing to BGP to use these mechanisms. To implement remote blackholes, it's enough to deploy BGP at strategic points in your network (typically the edge routers) and link them via BGP sessions with a central trigger router through which you insert the IP addresses to block.
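Here is what a minimal remote-triggered blackhole deployment looks like on IOS. It is an added example, not part of the original article: a central trigger router injects /32 static routes tagged 666 into iBGP with the next hop rewritten to an address that every edge router statically routes to Null0, so traffic to the target is dropped at the edge rather than carried across the core. The AS number, the loopback peer addresses, the discard next hop 192.0.2.1, the tag value and the target 203.0.113.7 are all constructed for illustration (the addresses come from the RFC 5737 documentation ranges).

```cisco
! --- Trigger router (central; this is where operators type the blackhole) ---
! The discard next hop. It is never routed anywhere real.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 ! iBGP to each edge router; 10.255.0.x loopbacks are assumed
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 send-community
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 ! Only statics that pass the route-map are announced
 redistribute static route-map RTBH
!
! Statics tagged 666 become blackhole routes; all other statics are not redistributed
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
!
! To blackhole one host, add a single tagged static (remove it to lift the blackhole):
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
!
! --- Every edge router ---
! The discard next hop resolves to Null0, so every prefix the trigger router
! announces with that next hop is dropped here, in the forwarding path.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Optional: source-based blackholing. With loose-mode uRPF, a packet whose
! source address resolves to Null0 is discarded on ingress, so the same tagged
! static also blocks packets FROM 203.0.113.7 on this interface.
interface GigabitEthernet0/0
 description upstream or customer-facing interface (assumed name)
 ip verify unicast source reachable-via any
```

To withdraw the blackhole, remove the tagged static on the trigger router ("no ip route 203.0.113.7 255.255.255.255 Null0 tag 666"); BGP withdraws the prefix and the edge routers resume forwarding. On an edge router, "show ip bgp 203.0.113.7" should show next hop 192.0.2.1 and "show ip route 192.0.2.1" should point to Null0. The no-export community keeps the blackhole routes inside your AS, so a typo never leaks a /32 to your upstreams.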

 

Large-scale QoS or Web Caching Deployment

Not only does BGP carry a number of attributes describing the IP routes, it allows you to add extra baggage to every IP route it advertises in the form of BGP communities that are totally transparent to BGP (unless you're manually configuring route selection rules to use them) but propagated throughout the network.

 

A few technologies completely unrelated to BGP allow you to use these attributes to implement large-scale designs. For example, Quality-of-Service Policy Propagation with BGP (QPPB) allows you to set QoS bits for specific BGP destinations based on BGP communities and other BGP attributes. Similarly, you can control the Web Cache Communication Protocol (WCCP)-based web caching policy with BGP.

 

So…

Even though BGP is categorized as a complex and hard-to-configure routing protocol, its deployment in large enterprise networks can bring significant benefits, and it is almost mandatory in a service provider environment.

 

About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and web technologies.

---http://searchtelecom.techtarget.com/tip/5-essential-reasons-for-BGP-in-your-IP-network

More Cisco and Network Tips:

BGP Routing Protocol Tips You Need to Know

Routing Information Protocol & RIP Configuration

How to Configure IGRP (Interior Gateway Routing Protocol)?

CCNP SWITCH 642-813 Guide: Configuring IP SLA

How to Use Cisco IP SLA to Manipulate Route Forwarding Decisions?

More Technical Case from Cisco.com:

BGP Case Studies

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml


OSPF Metrics Troubleshooting

January 29 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

 

When implementing any routing protocol, it is vital to have a handle on how the protocol operates and makes decisions. Without this knowledge, it is almost impossible to check and make sure that the protocol is configured properly and is operating as expected. This article takes a look at the Open Shortest Path First (OSPF) routing protocol, how its metric is calculated, and how this information can be used to ensure that traffic is taking the path that is expected.

OSPF Metric Calculation

OSPF has one of the easiest metric calculations; by default, the bandwidth of the outbound interface is used to calculate each part of the route path. The default formula is shown in Figure 1:

Figure 1 - OSPF Metric Formula: interface cost = reference bandwidth / interface bandwidth, with the default reference bandwidth of 100 Mbps (100,000,000 bps); the result is truncated to a whole number and is never less than 1.

 

For example, consider a network containing two routers connected together, as shown in Figure 2:

Figure 2 - OSPF Metric Sample Topology: R1 connects through its F0/0 interface to R2; the destination network is attached to R2's F0/1 interface.

 

Assuming that OSPF is configured, R1 would have an OSPF routing table entry for the network that is connected to R2’s F0/1 interface. For traffic from R1 to reach that network it would need to pass through both R1’s F0/0 interface and R2’s F0/1 interface. R2 would calculate the OSPF metric for its F0/1 interface (100,000,000 / 100,000,000 = 1) and R1 would calculate the OSPF metric for its F0/0 interface (100,000,000 / 100,000,000 = 1). Based on this information from R1’s perspective, the OSPF metric to the network off of R2’s F0/1 interface is 2.

 

It is very important to note that the bandwidth OSPF uses in its metric calculation is the configured interface bandwidth, set with the bandwidth interface configuration command (in kbps). The value configured with the bandwidth command does not have to match the physical bandwidth of the interface, and does not affect the physical bandwidth of the link. If the network administrator changed the bandwidth of R2’s F0/1 interface to 50 Mbps (bandwidth 50000), the metric for the OSPF route on R1 would change to 3: 100,000,000 / 50,000,000 = 2 for R2’s F0/1 interface, plus 1 for R1’s F0/0 interface.

 

Another common issue in modern networks is that the default reference bandwidth is small relative to today's 1, 10 and 100 gigabit interfaces. Because the OSPF cost is a whole number with a minimum of 1, every interface whose bandwidth is at or above the reference bandwidth gets a cost of 1: a 100 Mbps interface and a 100 Gbps interface are indistinguishable to OSPF. The remedy is to raise the reference bandwidth the OSPF process uses, with the auto-cost reference-bandwidth command under the router ospf process, where the value is given in Mbps (the default is 100). The reference bandwidth must be changed to the same value on ALL routers in the OSPF domain; a mismatch makes costs inconsistent between routers and can lead to unexpected paths.
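As an added example (not from the original article), this is the configuration needed on each router to apply the higher reference bandwidth used in Figure 3, together with the two ways of influencing an individual interface's cost. The process number and interface names are assumptions, and the ip ospf cost command is not mentioned in the article.

```cisco
! Apply on R1, R2 and every other router in the OSPF domain (added example)
router ospf 1
 ! value in Mbps: 100000 = 100 Gbps, so a 100 Gbps link costs 1, 10 Gbps costs 10,
 ! 1 Gbps costs 100 and 100 Mbps costs 1000, matching the Figure 3 arithmetic
 auto-cost reference-bandwidth 100000
!
! Per-interface override used in the article: OSPF divides by the configured
! bandwidth (kbps), not the physical speed. 50000 kbps = 50 Mbps, so with the
! 100 Gbps reference above this interface costs 100000 / 50 = 2000.
interface FastEthernet0/1
 bandwidth 50000
!
! Alternative: set the cost directly and bypass the bandwidth division entirely
interface FastEthernet0/0
 ip ospf cost 1000
```

After the change, "show ip ospf" reports the new reference bandwidth unit and "show ip ospf interface FastEthernet0/0" reports the resulting Cost; IOS also prints a warning reminding you to make the reference bandwidth consistent across all routers, which is the check to act on before moving to the next device.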

 

To make this a little clearer, Figure 3 shows the same network using up-to-date interface bandwidths and a higher reference bandwidth:

Figure 3 – OSPF Reference Bandwidth Example: the same topology with a reference bandwidth of 100 Gbps, R1's F0/0 interface at 100 Mbps and R2's F0/1 interface at 10 Gbps.

 

Using these bandwidths, the OSPF metric to the network off of R2’s F0/1 interface would be calculated as follows:

R1’s F0/0 interface – 100,000,000,000 / 100,000,000 = 1,000

R2’s F0/1 interface – 100,000,000,000 / 10,000,000,000 = 10

R1’s routing table will have an entry for R2’s F0/1 network with a metric of 1010.


Most of the time when routing protocols are implemented on small simple network topologies, they work without much additional configuration. When working on networks that are larger, the complexity of the routing protocol configuration can increase; this complexity and the size of the topology can make troubleshooting very complex as well. The OSPF metric is very simple to calculate and allows even novice engineers the ability to easily trace how traffic should pass through a network. Take the time to memorize how these metrics are calculated and future troubleshooting will become easier even on complex networks.

---From http://www.petri.co.il/ospf-metrics-troubleshooting.htm

More Related OSPF Tips:

How to Fix OSPF Split Area with GRE Tunnel?

How to Configure OSPF on Cisco Routers?

How to Configure OSPF in a Single Area?

How to Troubleshoot OSPF?

OSPF, How to Configure OSPF in the Cisco IOS?

 


Cisco IOS Order of Operation

January 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Here is information from Cisco.com on the order in which the different features configured on an interface are applied as a packet traverses IOS software. It may not hold for every case, so check whether it matches your platform and release.

Inside-to-Outside:

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside:

  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

The list above is the “official version” from Cisco.com. The more complete ordering below was compiled by practising network engineers (see the etherealmind.com reference at the end of this post).

Note: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features

  1. Virtual Reassembly *
  2. IP Traffic Export (RITE)
  3. QoS Policy Propagation through BGP (QPPB)
  4. Ingress Flexible NetFlow *
  5. Network Based Application Recognition (NBAR)
  6. Input QoS Classification
  7. Ingress NetFlow *
  8. Lawful Intercept
  9. IOS IPS Inspection (inbound)
  10. Input Stateful Packet Inspection (IOS FW) *
  11. Check reverse crypto map ACL
  12. Input ACL (unless existing NetFlow record was found)
  13. Input Flexible Packet Matching (FPM)
  14. IPsec Decryption (if encrypted)
  15. Crypto inbound ACL check (if packet had been encrypted)
  16. Unicast RPF check
  17. Input QoS Marking
  18. Input Policing (CAR)
  19. Input MAC/Precedence Accounting
  20. NAT Outside-to-Inside *
  21. Policy Routing
  22. Input WCCP Redirect

Egress Features

  1. Output IOS IPS Inspection
  2. Output WCCP Redirect
  3. NM-CIDS
  4. NAT Inside-to-Outside or NAT Enable *
  5. Network Based Application Recognition (NBAR)
  6. BGP Policy Accounting
  7. Lawful Intercept
  8. Check crypto map ACL and mark for encryption
  9. Output QoS Classification
  10. Output ACL check (if not marked for encryption)
  11. Crypto outbound ACL check (if marked for encryption)
  12. Output Flexible Packet Matching (FPM)
  13. DoS Tracker
  14. Output Stateful Packet Inspection (IOS FW) *
  15. TCP Intercept
  16. Output QoS Marking
  17. Output Policing (CAR)
  18. Output MAC/Precedence Accounting
  19. IPsec Encryption
  20. Output ACL check (if encrypted)
  21. Egress NetFlow *
  22. Egress Flexible NetFlow *
  23. Egress RITE
  24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly


Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE which forward the reassembled packet.

 

Thus, even with virtual-reassembly turned on, ACLs used for input access-groups and QoS still need to be written with the ACL/fragment interaction in mind; the Cisco white paper linked below covers the rules for non-initial fragments and the 'fragments' keyword.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
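The practical consequence of the orderings above is which addresses an access list gets to see. As an added example (not from the Cisco or etherealmind sources): a static NAT publishes an inside web server, and the inbound ACL on the outside interface must be written against the global address because the input ACL check happens before "NAT outside to inside". Interface names, the addresses (RFC 5737 documentation ranges) and the ACL names are constructed.

```cisco
interface FastEthernet0/0
 description inside LAN 10.0.0.0/24 (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface FastEthernet0/1
 description outside / upstream (assumed)
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Inside server 10.0.0.10 is reachable from outside as 198.51.100.10
ip nat inside source static 10.0.0.10 198.51.100.10
!
! Outside-to-inside: the input ACL runs BEFORE "NAT outside to inside",
! so at this point the packet is still addressed to the global address.
ip access-list extended OUTSIDE-IN
 permit tcp any host 198.51.100.10 eq 443
 ! The following line would never match here, because 10.0.0.10 does not
 ! appear in the packet until NAT has run (kept commented as the anti-pattern):
 ! permit tcp any host 10.0.0.10 eq 443
 deny ip any any log
!
! Inside-to-outside: the input ACL on the inside interface also runs before
! "NAT inside to outside", so sources are the private addresses. An OUTPUT ACL
! on Fa0/1 would instead see the translated 198.51.100.x sources.
ip access-list extended INSIDE-IN
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
```

The rule of thumb that falls out of the lists: an inbound ACL always sees pre-NAT addresses in the direction it faces, an outbound ACL always sees post-NAT addresses. If a filter must match the inside (local) address of inbound traffic, apply it as an output ACL on the inside interface, where it runs after translation.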

 

Routing Features

  1. Routing table lookup (if packet isn’t marked with a PBR next-hop)
  2. tcp adjust-mss

NOTE: A separate diagram covers the order of operation for IOS 12.3(8)T and later (not reproduced here).

---Reference from http://etherealmind.com/cisco-ios-order-of-operation/

More Notes: A Related Cisco Press Book

Router Security Strategies: Securing IP Network Traffic Planes

Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understanding and implementing IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.

 

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.

 

The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

 

“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure.  The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”

–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

 

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

 

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

 This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Note: more reviews of this book can be found at ciscopress.com.

More Related Tips:

What’s the Order of Operations for Cisco IOS?

For more Cisco and networking tips, refer to http://blog.router-switch.com/


Tutorial of HSRP Basic Configuration

December 24 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Let’s say that you have dual edge routers and you would like to provide some redundancy should one fail. You wouldn’t want to have to reconfigure every device on your LAN to point to the other gateway should the first one fail, and this is where HSRP (Hot Standby Router Protocol) comes in handy. Here we will cover a basic HSRP configuration. In the topology used here, Router-A and Router-B are both adjacent to our LAN segment, 10.0.254.0/24.

 

Aside from the regular interface IP (.20 and .30 in this example) we will configure the HSRP virtual IP (.10) that both routers share and that we will use as the gateway for the devices on our LAN. We will also track interface FastEthernet0/1 on both routers, as this is our WAN connection; should it go down, we want the active role to fail over to the other router. The relevant configuration for each router follows.

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 standby 1 ip 10.0.254.10
 standby 1 priority 105
 standby 1 preempt
 standby 1 track FastEthernet0/1

Router-B:

interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 standby 1 ip 10.0.254.10
 standby 1 priority 100
 standby 1 preempt
 standby 1 track FastEthernet0/1

The lower priority on Router-B tells HSRP that Router-A should be active. With preempt configured, Router-A also takes the active role back once it recovers; without it, whichever router became active first would keep the role. If Router-A’s FastEthernet0/1 goes down, tracking lowers its priority by the default decrement of 10, to 95, which is below Router-B’s 100, so Router-B becomes active.

 

You should now be able to ping .10 on your LAN segment. Should you wish to manage each router you can connect to the physical address we assigned to the interface (.20 and .30).

 

We can verify its operation on each router and whether it is in active or standby mode with the ‘show standby brief’ command:

Router-A#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    105 P Active  local           10.0.254.30     10.0.254.10

Router-B#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.0.254.20     local           10.0.254.10
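Neither router above authenticates its HSRP hellos. HSRP defaults to the plaintext key "cisco", so any host on the 10.0.254.0/24 segment that sends group 1 hellos with a priority above 105 and preempt set becomes active and receives the LAN's default-gateway traffic. The following is an added hardening example, not part of the original tutorial: it adds MD5 authentication, HSRP version 2 and an explicit tracking decrement. The key string, the preempt delay and the decrement value are assumptions chosen for illustration.

```cisco
! Router-A (added hardening example; the key string is a placeholder)
interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 standby version 2
 standby 1 ip 10.0.254.10
 standby 1 priority 105
 ! wait 30 s after coming up before preempting, so routing has converged
 standby 1 preempt delay minimum 30
 ! hellos without a valid MD5 digest are ignored, so a rogue host cannot win the election
 standby 1 authentication md5 key-string 0 Hsrp-Gr1-Example-Key
 ! explicit decrement: 105 - 20 = 85 < 100, so Router-B takes over when the WAN link drops
 standby 1 track FastEthernet0/1 20
!
! Router-B (same group, same key; priority 100 keeps it standby while Router-A is healthy)
interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 standby version 2
 standby 1 ip 10.0.254.10
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string 0 Hsrp-Gr1-Example-Key
 standby 1 track FastEthernet0/1 20
```

"show standby" on either router then reports MD5 authentication for the group, and a peer with a mismatched key shows up as HSRP authentication failures in the log rather than as a second active router.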

 

More Related Reading:

How to Configure GLBP in Cisco IOS Routers?

Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP

How to Configure GLBP?

To Know VRRP Basic Configuration


To Know VRRP Basic Configuration

December 20 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Here we will go over a basic VRRP (Virtual Router Redundancy Protocol) configuration. VRRP is very similar to the other two first-hop redundancy protocols, HSRP and GLBP, but it is not Cisco proprietary; it is standards based. Unlike GLBP, it does not provide load balancing, so in operation it is closer to HSRP.

The sample topology is the same as in the previous two articles: Router-A and Router-B are adjacent to the LAN segment. Aside from the normal IP address on the router interfaces, you will see a few VRRP commands added in the following configs:

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 vrrp 1 priority 120
 vrrp 1 timers learn
 vrrp 1 ip 10.0.254.10

Router-B:

interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 vrrp 1 priority 100
 vrrp 1 timers learn
 vrrp 1 ip 10.0.254.10


The higher priority in Router-A’s VRRP configuration makes it the master router. VRRP preempts by default, so no explicit preempt command is needed (the output below shows ‘Preemption enabled’). The ‘timers learn’ command, as its name implies, tells the VRRP process on a backup router to learn the advertisement interval from the master rather than use a locally configured value, which avoids trouble when the other router has a different interval set.

 

You should now be able to ping .10 on your LAN segment. Should you wish to connect to a specific router, you can use the normal interface IP that was configured.

 

We can verify the VRRP operation via the ‘show vrrp all’ command:

Router-A#show vrrp all
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 120
  Master Router is 10.0.254.20 (local), priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.531 sec

Router-B#show vrrp all
FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.0.254.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.254.20, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.344 sec) Learning
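The VRRP configuration above has no uplink tracking: if Router-A’s WAN interface fails while Fa0/0 stays up, Router-A remains master and the LAN keeps sending traffic to a router with no way out. The following is an added example (not from the original post) that uses IOS object tracking to lower the VRRP priority when the WAN interface loses line protocol, and authenticates the VRRP advertisements. The track object number, the decrement and the key string are assumptions.

```cisco
! Router-A (added example; object number, decrement and key are illustrative)
track 1 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 vrrp 1 ip 10.0.254.10
 vrrp 1 priority 120
 vrrp 1 timers learn
 ! 120 - 30 = 90 < Router-B's 100, so Router-B becomes master when Fa0/1 goes down;
 ! default preemption gives the role back to Router-A once Fa0/1 recovers
 vrrp 1 track 1 decrement 30
 ! advertisements without a valid MD5 digest are discarded
 vrrp 1 authentication md5 key-string 0 Vrrp-Gr1-Example-Key
!
! Router-B (same group, same key, same tracking so its own uplink counts too)
track 1 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 vrrp 1 ip 10.0.254.10
 vrrp 1 priority 100
 vrrp 1 timers learn
 vrrp 1 track 1 decrement 30
 vrrp 1 authentication md5 key-string 0 Vrrp-Gr1-Example-Key
```

Choose the decrement so that the degraded priority lands below the backup’s priority; a decrement that leaves Router-A at 110 would change nothing. "show track 1" confirms the object state and "show vrrp" shows the priority currently in effect.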

 

Source: http://esalonia.net

 

More Related Reading:

How to Configure GLBP in Cisco IOS Routers?

Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP

How to Configure GLBP?


GLBP & GLBP Basic Configuration

December 18 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

What is GLBP?

Gateway Load Balancing Protocol (GLBP) is supported on the Cisco 1700, 2600, 3620, 3631, 3640, 3660, 3725, 3745, 7100, 7200, 7400 and 7500 series. GLBP is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols (HSRP, VRRP …) by adding basic load balancing functionality.

GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102, User Datagram Protocol (UDP) port 3222 (source and destination).

 

GLBP Features:

Load Sharing: You can configure GLBP so that traffic from LAN clients is shared by multiple routers, spreading the load more equitably among the available routers. The available load-sharing methods are:

  • host-dependent: the MAC address of the host determines the forwarder, so the same forwarder is always used for a particular host as long as the number of GLBP group members remains unchanged.
  • round-robin: each virtual forwarder in turn is included in the address resolution replies for the virtual IP address. This method is the default.
  • weighted: the share of hosts directed to each forwarder depends on the weighting value configured for that router (see Tracking below).

Multiple Virtual Routers: GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router, and up to 4 virtual forwarders per group.

Preemption: The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a higher priority backup virtual gateway that has become available. Forwarder preemption works in a similar way, except that forwarder preemption uses weighting instead of priority and is enabled by default.

Authentication: You can use a simple text password authentication scheme between GLBP group members to detect configuration errors. A router within a GLBP group with a different authentication string than other routers will be ignored by other group members.

Tracking: Different interfaces can be tracked to decrement the GLBP weighting by varying amounts.

 

GLBP Components:

  • Active Virtual Gateway (AVG): One virtual gateway within a GLBP group is elected as the active virtual gateway, and is responsible for the operation of the protocol. This router has the highest priority value, or the highest IP address in the group, if there is no highest priority. The AVG answers all ARP requests for the virtual router address. Which MAC address it returns depends on which load-balancing algorithm it is configured to use.
  • Active Virtual Forwarder (AVF): One virtual forwarder within a GLBP group is elected as active virtual forwarder for a specified virtual MAC address, and is responsible for forwarding packets sent to that MAC address. Multiple active virtual forwarders can exist for each GLBP group.

 

GLBP States:

For a virtual gateway the state can be one of the following:

Disabled: Indicates that the virtual IP address has not been configured or learned yet, but other GLBP configuration exists.

Initial: The virtual IP address has been configured or learned but virtual gateway configuration is not complete. An interface must be up and configured to route IP, and an interface IP address must be configured.

Listen: Virtual gateway is receiving hello packets and is ready to change to the “speak” state if the active or standby virtual gateway becomes unavailable.

Speak: Virtual gateway is attempting to become the active or standby virtual gateway.

Standby: Indicates that the gateway is next in line to be the active virtual gateway (AVG).

Active: Indicates that this gateway is the AVG, and that it is responsible for responding to Address Resolution Protocol (ARP) requests for the virtual IP address.

 

For a virtual forwarder the state can be one of the following:

Disabled: Indicates that the virtual MAC address has not been assigned or learned. This is a transitory state because a virtual forwarder changing to a disabled state is deleted.

Initial: The virtual MAC address is known but virtual forwarder configuration is not complete. An interface must be up and configured to route IP, an interface IP address must be configured, and the virtual IP address must be known.

Listen: Virtual forwarder is receiving hello packets and is ready to change to the “active” state if the active virtual forwarder (AVF) becomes unavailable.

Active: Indicates that this gateway is the AVF, and that it is responsible for forwarding packets sent to the virtual forwarder MAC address.

 

GLBP Basic Configuration

GLBP (Gateway Load Balancing Protocol), like HSRP, is a Cisco proprietary protocol. The main difference is that GLBP allows for load balancing between the two routers rather than using just one and leaving the other unused until needed.

 

Have a look at the sample topology, which is the same as in the previous article: Router-A and Router-B are adjacent to our LAN segment. Aside from the normal IP address on the router interfaces, you will see the GLBP config as well:

Router-A:

interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 glbp 1 ip 10.0.254.10
 glbp 1 priority 120
 glbp 1 preempt

Router-B:

interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 glbp 1 priority 100
 glbp 1 ip 10.0.254.10
 glbp 1 preempt

 

As in the previous article, the higher priority makes Router-A the active GLBP router, in this case the AVG (Active Virtual Gateway). The difference here is that traffic is load balanced between the two routers. The AVG assigns a virtual MAC address to each router in the group, including itself, and answers ARP requests for the virtual IP with one of those virtual MACs in turn, so each host is steered to one of the routers, which act as AVFs (Active Virtual Forwarders). This is all transparent to the end user: you still point your devices at the virtual IP and GLBP handles the rest. The default load balancing method for GLBP is round-robin.

 

Let’s verify the GLBP operation with the command ‘show glbp brief’:

Router-A#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   120 Active   10.0.254.10     local           10.0.254.30
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  10.0.254.30     -

Router-B#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Standby  10.0.254.10     10.0.254.20     local
Fa0/0       1    1   -   Listen   0007.b400.0101  10.0.254.20     -
Fa0/0       1    2   -   Active   0007.b400.0102  local           -

 

Above, you can see the active and standby routers as well as the virtual MAC addresses assigned to each (0007.b400.010X). Router-A is 10.0.254.20 and was assigned a virtual MAC of 0007.b400.0101. Router-B is 10.0.254.30 and was assigned a virtual MAC of 0007.b400.0102. In this example, Router-A is the AVG and Router-B is an AVF. You can add more routers to the group to increase redundancy and in turn add more AVF’s.
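Round-robin spreads hosts across both forwarders but ignores whether a forwarder’s uplink is actually usable: hosts whose ARP reply pointed at Router-B keep sending to 0007.b400.0102 even if Router-B’s WAN interface is down. The following is an added example, not part of the original post, that switches to weighted load balancing with uplink tracking, so that a router whose FastEthernet0/1 drops stops acting as a forwarder (the other router takes over its virtual MAC) while the AVG election, which uses priority, is unaffected. It also authenticates the group. The track object number, weights, thresholds, decrement and key string are assumptions.

```cisco
! Router-A (added example; weights, thresholds, decrement and key are illustrative)
track 1 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
 ip address 10.0.254.20 255.255.255.0
 glbp 1 ip 10.0.254.10
 glbp 1 priority 120
 glbp 1 preempt
 ! ARP replies are handed out in proportion to each router's current weight
 glbp 1 load-balancing weighted
 ! max weight 100; the forwarder gives up its virtual MAC when the weight falls
 ! to 70 or below and reclaims it (forwarder preemption) only at 90 or above
 glbp 1 weighting 100 lower 70 upper 90
 ! Fa0/1 down: 100 - 40 = 60 <= 70, so this router stops forwarding for group 1
 glbp 1 weighting track 1 decrement 40
 ! hellos without a valid MD5 digest are ignored by the other members
 glbp 1 authentication md5 key-string 0 Glbp-Gr1-Example-Key
!
! Router-B (same group, same key, same weighting policy)
track 1 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
 ip address 10.0.254.30 255.255.255.0
 glbp 1 ip 10.0.254.10
 glbp 1 priority 100
 glbp 1 preempt
 glbp 1 load-balancing weighted
 glbp 1 weighting 100 lower 70 upper 90
 glbp 1 weighting track 1 decrement 40
 glbp 1 authentication md5 key-string 0 Glbp-Gr1-Example-Key
```

With both weights at 100 the split is still even. When Router-A’s Fa0/1 fails, "show glbp brief" on Router-B shows it Active for both forwarders (0007.b400.0101 and 0007.b400.0102), while Router-A remains the AVG and keeps answering ARP, now only with Router-B’s virtual MAC. The gap between the lower and upper thresholds stops a flapping uplink from bouncing the forwarder role on every transition.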


More GLBP Tips:

How to Configure GLBP?

GLBP Overview and Features


Cisco Communications Manager Express Overview

December 7 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

With the cost of high-performance network switching equipment coming down, the implementation of alternative voice solutions has become common. A number of voice solutions use the existing network to provide a voice connection alongside the data connection. One such solution is Cisco Unified Communications Manager Express (CME). Cisco Unified CME can fill a number of different voice requirements within a small business or branch location. As well as working in these smaller environments, the Unified CME solution can also be integrated into a larger Cisco Unified Communications Manager (CUCM) solution. This article provides a high-level overview of some of the most commonly used capabilities of the Unified Communications Manager Express solution. After this overview, hopefully you will know whether or not you are in a position to install Communications Manager Express.

 

Unified Communications Manager Express Solution

As stated in the overview, the Unified CME solution provides not only a simple voice solution that uses the existing data network infrastructure, but also a feature-rich voice solution with support for many common business voice features. The Unified Communications Manager Express solution includes support for many features, including:

  • Call Hunt
  • Call Pickup
  • Call Waiting
  • Hunt Group
  • Call Park
  • Caller ID Blocking
  • Conferencing
  • Music on Hold
  • Paging

An example of how the Unified CME solution can be deployed in a small office is shown in the figure below.

[Figure: how-the-Unified-CME-solution-in-a-small-office-can-be-deplo.png]


As seen in the figure, all of the common connections provided by a more traditional voice solution are offered. The Unified CME solution is not only able to meet the requirements of businesses but can also be deployed by service providers. One of the available solutions uses an Integrated Access Device (IAD) deployed within the customer premises with a connection back to an integrated device running the Unified CME software. An example of this solution is shown in the figure below.

[Figure: a-connection-back-to-an-integrated-device-running-the-Unifi.png]


As shown in the figures, the Unified CME solution is very flexible: it provides all of the existing functionality of traditional telephony solutions, with cost savings and a reasonably easy configuration.

 

Unified CME Models

The Unified CME solution can be deployed in a number of ways following familiar voice deployment models. The models supported include the Private Branch Exchange (PBX) model, the Keyswitch model and a hybrid of these two models.

 

PBX Model

The PBX model mimics the traditional configuration provided by a PBX: a number of phones are deployed, each assigned a unique extension. Traditionally, with this model, people calling in would be routed through a receptionist or an automated attendant in order to be transferred to the correct internal extension.

 

Keyswitch Model

The Keyswitch model follows a deployment that was more common on older systems (key systems) where each of the phones in the office would have a configuration that was very similar. Each of these phones would have a button that represented each of the numbers coming into the office; any one of these phones could answer and make calls on any of the lines.

 

Hybrid Model

The hybrid model combines features from both the PBX and Keyswitch models. A phone can have a unique extension and also have access to shared lines throughout the office.

 

To Sum Up

As discussed in the article, the Unified Communications Manager Express solution can implement a voice solution that supports a number of different features and is deployed following traditional voice models. Hopefully this article and the companion articles will give a better idea of what is possible with this solution and how it can be implemented to take advantage of equipment that supports multiple data and voice solutions.

 

More Cisco Networking News:

Cisco, VMware Doing Further on Next-gen Cloud Infrastructure


VLAN Types

November 14 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Nowadays, there is essentially one way of implementing VLANs - port-based VLANs. With a port-based VLAN, each access port is assigned to a single VLAN, called the port's access VLAN.

 

However in the network there are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs. The following describes common VLAN terminology:

 

Data VLAN


A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is highlighted by the use of a special term used to identify VLANs that only carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.

 

Default VLAN

All switch ports become a member of the default VLAN after the initial boot up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1.

 

VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed. In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1. VLAN trunks support the transmission of traffic from more than one VLAN. Although VLAN trunks are mentioned throughout this section, they are explained in the next section on VLAN trunking.

 

Note: Some network administrators use the term "default VLAN" to mean a VLAN other than VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to when they are not in use. In this case, the only role that VLAN 1 plays is that of handling Layer 2 control traffic for the network.

 

Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

  

Management VLAN

A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN. Recall that you configured the management VLAN as VLAN 99 in the Basic Switch Concepts and Configuration chapter.

 

Voice VLANs

It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP). Imagine you are receiving an emergency call and suddenly the quality of the transmission degrades so much that you cannot understand what the caller is saying. VoIP traffic requires:

  • Assured bandwidth to ensure voice quality
  • Transmission priority over other types of network traffic
  • Ability to be routed around congested areas on the network
  • Delay of less than 150 milliseconds (ms) across the network

To meet these requirements, the entire network has to be designed to support VoIP. The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.

In the figure, VLAN 150 is designed to carry voice traffic. The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3. PC5 is in VLAN 20, which is used for student data. The F0/18 port on S3 is configured to be in voice mode so that it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged. Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5. Tagging refers to the addition of bytes to a field in the data frame which the switch uses to identify which VLAN the data frame should be sent to.
 
A Cisco Phone is a Switch
The Cisco IP Phone contains an integrated three-port 10/100 switch, as shown in the figure. The ports provide dedicated connections to these devices:

  • Port 1 connects to the switch or other voice-over-IP (VoIP) device.
  • Port 2 is an internal 10/100 interface that carries the IP phone traffic.
  • Port 3 (access port) connects to a PC or other device.

The figure shows one way to connect an IP Phone.

The voice VLAN feature enables switch ports to carry IP voice traffic from an IP phone. When the switch is connected to an IP Phone, the switch sends messages that instruct the attached IP phone to send voice traffic tagged with the voice VLAN ID 150. The traffic from the PC attached to the IP Phone passes through the IP phone untagged. When the switch port has been configured with a voice VLAN, the link between the switch and the IP phone acts as a trunk to carry both the tagged voice traffic and untagged data traffic.

Sample Configuration
The figure shows sample output. A discussion of the Cisco IOS commands is beyond the scope of this course, but you can see that the highlighted areas in the sample output show the F0/18 interface configured with a VLAN for data (VLAN 20) and a VLAN for voice (VLAN 150).

--- Reference from http://ccnaanswers-khim.blogspot.com/2011/05/types-of-vlans.html

More Related Networking Tips:

‘What Happens in the VLAN Stays in the VLAN?’

How Private VLANs Work?

How to Configure Private VLANs on Cisco 3560 Switches?

VLAN Trunking Protocol (VTP) & VTP Modes

Types of Networks

VLAN Switch Port Modes


Tips to Configure VLAN on a Cisco Switch

November 8 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

VLAN stands for virtual LAN; technically, a VLAN is a broadcast domain created by a switch. When managing a switch, the management domain is always VLAN 1, the default VLAN. All ports of the switch are assigned to VLAN 1 by default. VLANs increase the performance of a network because they divide the network logically into different parts and limit broadcasts.

 Configure-VLAN-on-a-Cisco-Switch.jpg

A member of VLAN 2 cannot talk to a member of VLAN 3 without a router, but all the members of VLAN 2 and VLAN 3 can talk to the other members within their own VLAN.

 

This lab also shows how VLANs can be used to separate traffic and reduce broadcast domains.

To create a VLAN, first enter global configuration mode to run the following commands.

 

Configuration to create VLAN 2 

SwitchA#configure terminal                      (enter global configuration mode from privileged EXEC)

SwitchA(config)#vlan 2                          (define VLAN 2 and enter VLAN configuration mode)

SwitchA(config-vlan)#name marketing             (assign the name marketing to VLAN 2)

SwitchA(config-vlan)#exit                       (exit VLAN 2 configuration, back to global configuration mode)

 

Configuration to create VLAN 3 

SwitchA#configure terminal                      (enter global configuration mode; skip if you are still in it)

SwitchA(config)#vlan 3                          (define VLAN 3 and enter VLAN configuration mode)

SwitchA(config-vlan)#name management            (assign the name management to VLAN 3)

SwitchA(config-vlan)#exit                       (exit VLAN 3 configuration, back to global configuration mode)

 

Now assign ports 2 and 3 to VLAN 2; this must be done from interface configuration mode. Enter the following commands to add ports 2 and 3 to VLAN 2.

SwitchA#configure terminal                      (enter global configuration mode; skip if you are still in it)

SwitchA(config)#interface fastethernet 0/2      (select interface FastEthernet 0/2, port 2)

SwitchA(config-if)#switchport access vlan 2     (make the port an access port in VLAN 2)

SwitchA(config-if)#exit                         (exit interface configuration for port 2)

 

Now add port 3 to VLAN 2:

SwitchA(config)#interface fastethernet 0/3      (select interface FastEthernet 0/3, port 3)

SwitchA(config-if)#switchport access vlan 2     (make the port an access port in VLAN 2)

SwitchA(config-if)#exit                         (exit interface configuration for port 3)

 

Now assign ports 4 and 5 to VLAN 3. Enter the following commands to add ports 4 and 5 to VLAN 3.

SwitchA#configure terminal                      (enter global configuration mode; skip if you are still in it)

SwitchA(config)#interface fastethernet 0/4      (select interface FastEthernet 0/4, port 4)

SwitchA(config-if)#switchport access vlan 3     (make the port an access port in VLAN 3)

SwitchA(config-if)#exit                         (exit interface configuration for port 4)

 

Now add port 5 to VLAN 3:

SwitchA(config)#interface fastethernet 0/5      (select interface FastEthernet 0/5, port 5)

SwitchA(config-if)#switchport access vlan 3     (make the port an access port in VLAN 3)

SwitchA(config-if)#exit                         (exit interface configuration for port 5)

 

For more Cisco switch tips and tutorials, visit http://blog.router-switch.com/category/reviews/cisco-switches/


Cisco VTP: VLAN Trunking Protocol---VTP Versions’ Difference

November 1 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. Virtual Local Area Network (VLAN) Trunk Protocol (VTP) reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst Family products.

 

VTP ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however, when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations where few users are connected in that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.

 

By default, all Cisco Catalyst switches are configured to be VTP servers. This is suitable for small-scale networks where the size of the VLAN information is small and easily stored in all switches (in NVRAM). In a large network, a judgment call must be made at some point when the NVRAM storage needed is wasted, because it is duplicated on every switch. At this point, the network administrator should choose a few well-equipped switches and keep them as VTP servers. Everything else participating in VTP can be turned into a client. The number of VTP servers should be chosen so as to provide the degree of redundancy desired in the network.

 

There are three versions of VTP so far. VTP Version 2 (V2) is not much different from VTP Version 1 (V1). The major difference is that VTP V2 introduces support for Token Ring VLANs. If you are using Token Ring VLANs, you need to enable VTP V2. Otherwise, there is no reason to use VTP V2. VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements over previous VTP versions:

  • Support for extended VLANs.
  • Support for the creation and advertising of private VLANs.
  • Improved server authentication.
  • Protection from the "wrong" database accidentally being inserted into a VTP domain.
  • Interaction with VTP version 1 and VTP version 2.
  • Provides the ability to be configured on a per-port basis.
  • Provides the ability to propagate the VLAN database and other databases.

 

Protocol Structure - VTP: VLAN Trunking Protocol

The format of the VTP header can vary depending on the type of VTP message. However, they all contain the following fields in the header:

  • VTP protocol version: 1, 2, or 3
  • VTP message types:
    • Summary advertisements
    • Subset advertisement
    • Advertisement requests
    • VTP join messages
  • Management domain length
  • Management domain name

 

Summary Advertisements

When the switch receives a summary advertisement packet, it compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.

  • Followers indicate that this packet is followed by a Subset Advertisement packet.
  • The updater identity is the IP address of the switch that is the last to have incremented the configuration revision.
  • Update timestamps are the date and time of the last increment of the configuration revision.
  • Message Digest 5 (MD5) carries a digest computed with the VTP password, if one is configured, and is used to authenticate the VTP update.

Summary-Advertisements.jpg 
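As an added example (not code from this page or from Cisco), here is the summary-advertisement handling described above in Python: a parser for the header fields listed, followed by the domain-name and configuration-revision comparison the receiving switch applies. The byte widths of the fields and the sample packet are assumptions taken from the standard VTP v1/v2 layout, not from this page.

```python
import struct
from dataclasses import dataclass

# Byte layout of a VTP version 1/2 summary advertisement. The field widths are
# an assumption from the standard VTP layout (this page names the fields but
# does not give their sizes):
#   version(1) code(1) followers(1) domain_len(1) domain_name(32, zero padded)
#   config_revision(4) updater_identity(4, IPv4) update_timestamp(12, ASCII)
#   md5_digest(16); integers are big-endian.
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)  # 72 bytes
CODE_SUMMARY = 0x01


@dataclass
class SummaryAdvertisement:
    version: int
    followers: int      # number of subset advertisements that follow
    domain: str
    revision: int
    updater: str        # dotted IPv4 of the switch that last raised the revision
    timestamp: str
    md5: bytes


def parse_summary(data: bytes) -> SummaryAdvertisement:
    """Decode a raw summary advertisement, rejecting malformed input."""
    if len(data) < SUMMARY_LEN:
        raise ValueError("truncated VTP summary advertisement")
    ver, code, followers, dlen, dname, rev, upd, ts, digest = struct.unpack(
        SUMMARY_FMT, data[:SUMMARY_LEN])
    if code != CODE_SUMMARY:
        raise ValueError(f"not a summary advertisement (code 0x{code:02x})")
    if dlen > 32:
        raise ValueError("domain length exceeds the 32-byte name field")
    return SummaryAdvertisement(
        version=ver, followers=followers,
        domain=dname[:dlen].decode("ascii", errors="replace"),
        revision=rev,
        updater=".".join(str(b) for b in upd),
        timestamp=ts.decode("ascii", errors="replace"),
        md5=digest)


def evaluate_summary(adv: SummaryAdvertisement, local_domain: str,
                     local_revision: int) -> str:
    """The receiving switch's decision, in the order the text describes."""
    if adv.domain != local_domain:
        return "ignore: domain mismatch"
    if local_revision >= adv.revision:
        return "ignore: revision not higher"
    return "send advertisement request"


def build_summary(domain: str, revision: int, updater: str = "192.0.2.10",
                  followers: int = 1, version: int = 2) -> bytes:
    """Construct a sample advertisement (constructed test data, not a capture)."""
    name = domain.encode("ascii")
    ip = bytes(int(octet) for octet in updater.split("."))
    return struct.pack(SUMMARY_FMT, version, CODE_SUMMARY, followers, len(name),
                       name, revision, ip, b"121101120000", b"\x00" * 16)
```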

Subset Advertisements

When you add, delete, or change a VLAN in a switch, the server switch where the changes were made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are several VLANS, more than one subset advertisement may be required in order to advertise them all.

Subset-Advertisements.jpg

The following formatted example shows that each VLAN information field contains information for a different VLAN (ordered with lower-valued ISL VLAN IDs occurring first):

Subset-Advertisements-1.jpg

Most of the fields in this packet are easy to understand. Below are two clarifications:

  • Code - The format for this is 0x02 for a subset advertisement.
  • Sequence number - This is the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1.

 

Advertisement Requests

A switch needs a VTP advertisement request in the following situations:

  • The switch has been reset.
  • The VTP domain name has been changed.
  • The switch has received a VTP summary advertisement with a higher configuration revision than its own.

 

Upon receipt of an advertisement request, a VTP device sends a summary advertisement, followed by one or more subset advertisements. Below is an example.

Subset-Advertisements-2.jpg

  • Code - The format for this is 0x03 for an advertisement request.
  • Start Value - This is used in cases where there are several subset advertisements. If the first (N) subset advertisement has been received and the subsequent one (N+1) has not, the Catalyst only requests advertisements from the (N+1)th one onward.

---Reading Resource from http://www.javvin.com/protocolVTP.html

More Cisco VTP Tips:

Cisco VTP Version 3, Is VTP Making a Comeback?

VLAN Trunking Protocol (VTP) & VTP Modes
