Wednesday, March 25, 2009

BGP Rule of Synchronization

BGP Synchronization

Synchronization is a rule that ties BGP to your IGP so that the two never disagree about reachability. In Cisco IOS it states: do not use, and do not advertise to eBGP neighbors, a route learned from an iBGP peer unless the same prefix is also present in the IP routing table via the IGP. The rule matters when your autonomous system passes traffic from one AS on to a third AS: BGP waits until the IGP has propagated the prefix throughout the local AS before advertising it to external neighbors, so that every router on the internal path, including any that do not run BGP, can forward the traffic. (When the IGP route comes from OSPF, IOS additionally requires the OSPF router ID to match the BGP router ID before the route counts as synchronized.)

For example, suppose a border router advertises a route to external network 10.10.10.0 to its eBGP neighbor before the IGP has flooded that prefix through the local AS. Traffic for 10.10.10.0 enters the AS and reaches an interior router that does not run BGP and has no IGP route for the prefix; that router discards the packet, and the AS has become a black hole. Synchronization can be disabled with no synchronization under the BGP process, but doing so is only safe when the AS is not a transit AS, or when every router on the transit path runs BGP (a full iBGP mesh, or route reflectors or confederations that deliver the routes to all of them), because then no router depends on the IGP to carry BGP prefixes. Cisco IOS 12.2(8)T and later disable synchronization by default. The alternative of redistributing BGP into the IGP to satisfy the rule is rarely practical, since an Internet table is far larger than an IGP should carry; once the two tables agree, routes can be redistributed between the protocols without the risk of black holes.

Tuesday, March 17, 2009

Flex Links - In Switching Environment

Flex links are a pair of layer-2 interfaces manually configured as a primary/failover pair. The Spanning Tree Protocol normally provides primary/failover behaviour as a side effect, but it was designed for the sole purpose of preventing loops. Flex links exist to guarantee that a primary link has a backup: only one of the links in a flex-link pair forwards traffic at any time. They are designed for switches on which you do not wish to run spanning tree, and should be used only on switches that do not run it. If flex links are configured on a switch that does run spanning tree, STP is simply disabled on the flex-link interfaces and they do not participate in it. Flex links are configured on the primary interface by naming the backup interface with the switchport backup interface command:

interface GigabitEthernet1/0/20
 switchport access vlan 10
 switchport backup interface Gi1/0/21
!
interface GigabitEthernet1/0/21
 switchport access vlan 10

No configuration is necessary on the backup interface.

Neither link may be a member of an EtherChannel, but an EtherChannel (port channel) can be the flex-link backup for another port channel, and a single physical interface can be the backup for an EtherChannel. The backup link does not need to be the same type of interface as the primary: a 100 Mbps interface can be a backup for a 1 Gbps interface, with the obvious caveat that capacity drops when it takes over.

Monitoring flex links is done with the show interface switchport backup 
command:

3750# sh int switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet1/0/20 GigabitEthernet1/0/21 Active Down/Backup Down

Best Regards,
Deepak Arora

Monday, March 16, 2009

BGP Session Establishment

BGP is an ordinary TCP application: the TCP client initiates the session with a SYN packet to the well-known port 179 on the peer, from an ephemeral source port the client chose. If the BGP server is configured to accept the session, it replies with SYN/ACK from port 179 to that ephemeral port, the handshake completes, and both sides exchange OPEN messages. When both BGP peers attempt to establish the connection at the same time, each ends up with two TCP sessions, one it initiated and one it accepted. RFC 4271 (A Border Gateway Protocol 4) defines a "BGP Connection Collision Detection" mechanism for this case: each side compares BGP Identifiers (router IDs), the session originated by the device with the higher BGP router-id is kept, and the other is dropped. Because both peers apply the same comparison, they agree on which session survives without any further negotiation.

Since the listener accepts a SYN from any host that can reach port 179, do not leave the session protected only by the peer address: configure TCP MD5 authentication (neighbor ... password), enable GTSM/TTL security (neighbor ... ttl-security hops) so that packets which did not originate one hop away are discarded before BGP sees them, and filter port 179 at the edge so that only configured peers can reach it.
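The exchange described above, as an added example that is not part of the original post: it serialises and parses the 29-byte OPEN message each side sends once the TCP handshake to port 179 completes, then applies the RFC 4271 collision rule with two constructed router IDs (10.0.0.1 and 10.0.0.2) and AS numbers (65001, 65002), showing that both peers independently reach the same decision.

```python
"""BGP OPEN exchange and connection-collision resolution (RFC 4271, 4.2 and 6.8).

Added example, not from the original post.  Router IDs and AS numbers used
below are constructed for the demonstration.
"""
import socket
import struct

BGP_MARKER = b"\xff" * 16   # all-ones marker required on every BGP message
BGP_OPEN = 1                # message type code for OPEN
_OPEN_FIXED_LEN = 29        # marker 16 + length 2 + type 1 + fixed OPEN fields 10


def _rid_to_int(router_id: str) -> int:
    """BGP Identifiers are compared as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(router_id))[0]


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Serialise a minimal OPEN with no optional parameters."""
    if not 0 <= my_as <= 0xFFFF:
        raise ValueError("2-byte AS number required without the AS4 capability")
    if hold_time != 0 and hold_time < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds")
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, socket.inet_aton(router_id), 0)
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Validate the header and return the OPEN fields; raises on malformed input."""
    if len(msg) < _OPEN_FIXED_LEN or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_OPEN or length != len(msg):
        raise ValueError("not an OPEN, or length field does not match")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version %d" % version)
    if _OPEN_FIXED_LEN + opt_len != length:
        raise ValueError("optional parameter length does not match")
    return {"version": version, "as": my_as, "hold_time": hold_time,
            "router_id": socket.inet_ntoa(rid)}


def resolve_collision(local_id: str, remote_id: str) -> str:
    """Decide which of two simultaneous connections this side keeps.

    RFC 4271 6.8: the connection initiated by the side with the higher BGP
    Identifier survives.  Each peer runs this with its own local_id and the
    identifier taken from the OPEN it received.
    """
    local, remote = _rid_to_int(local_id), _rid_to_int(remote_id)
    if local == remote:
        raise ValueError("BGP Identifiers must differ")
    return "keep-outbound" if local > remote else "keep-inbound"


def simulate_collision(a_id: str, b_id: str) -> str:
    """Both peers open a TCP session to each other and send OPEN on it.
    Returns the router ID of the initiator whose session is retained."""
    open_from_b = parse_open(build_open(65002, 180, b_id))  # what A receives
    open_from_a = parse_open(build_open(65001, 180, a_id))  # what B receives
    a_decision = resolve_collision(a_id, open_from_b["router_id"])
    b_decision = resolve_collision(b_id, open_from_a["router_id"])
    # The decisions must be complementary: exactly one outbound session survives.
    assert {a_decision, b_decision} == {"keep-outbound", "keep-inbound"}
    return a_id if a_decision == "keep-outbound" else b_id


if __name__ == "__main__":
    # The higher identifier, 10.0.0.2, wins the collision.
    print("surviving initiator:", simulate_collision("10.0.0.1", "10.0.0.2"))
```

Note that parse_open rejects a message whose marker, type or length field is wrong before it looks at any field, which is the same order a real implementation must use: the length field is attacker-controlled until it has been checked against the bytes actually received.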

Thursday, March 12, 2009

Storm Control

The Storm Control feature protects a LAN from unicast, broadcast, or multicast storms that might develop, whether from a loop, a misbehaving host, or a deliberate flood. The switch implements storm control by counting the packets of a specified type received on an interface within a one-second interval and comparing the measurement with a predefined suppression-level threshold. Thresholds can be expressed as a percentage of the interface bandwidth or as the packet rate at which traffic is received. It is important to note that when the rate of multicast traffic exceeds its threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level falls below the threshold; only spanning-tree packets are still forwarded in that situation. When the broadcast or unicast threshold is exceeded, only the type of traffic that exceeded the threshold is blocked. By default the excess is dropped silently; storm-control action shutdown (err-disable the port) or storm-control action trap (send an SNMP trap) makes the event visible to operations.

Storm Control is configured at the interface level with the following command:

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}

level is a rising threshold as a percentage of the interface bandwidth and pps a rising threshold in packets per second. The optional second value is the falling threshold at which forwarding resumes; if it is omitted, the rising threshold is used for both, so a port sitting near the limit flaps between dropping and forwarding.

Best Regards,
Deepak Arora

Tuesday, March 10, 2009

SPANNING TREE LOOP GUARD FEATURE

As its name implies, Loop Guard is a method for ensuring that STP loops do not occur even when STP's own mechanism fails. STP guards against loops as best it can, but a loop can still form when a blocking port stops receiving BPDUs for a reason other than a topology change: a unidirectional link failure, or a switch so congested that it stops sending BPDUs. Without BPDUs the blocking port would eventually transition to Forwarding and close the loop. Loop Guard prevents this conservatively by never letting an alternate or root port become a designated port on its own. If BPDUs stop arriving on a non-designated port with Loop Guard enabled, the port is moved into the STP loop-inconsistent Blocking state instead of progressing through Listening / Learning / Forwarding, and it recovers automatically once BPDUs are received again.

Loop Guard operates only on ports that the spanning tree considers point-to-point, and it cannot be run together with Root Guard on the same interface. It complements UDLD rather than replacing it: UDLD detects the unidirectional link itself, whereas Loop Guard catches the STP consequence regardless of cause.

To enable Loop Guard on all point-to-point ports, use the following global configuration mode command (the per-interface form is spanning-tree guard loop):
spanning-tree loopguard default

Best Regards,
Deepak Arora

Monday, March 9, 2009

Redistribution Basics

Route redistribution might be required in an internetwork because multiple
routing protocols must coexist in the first place. Multiple routing protocols
might be a necessity because of an interim period during conversion from
one to another, application-specific protocol requirements, political reasons,
or a lack of multivendor interoperability.

A major issue with redistribution is the seed metric to be used when the
routes enter the new routing protocol. Normally, the seed metric is generated
from the originating interface. For example, EIGRP would use the bandwidth
and delay of the originating interface to seed the metric. With redistributed
routes, however, these routes are not connected to the router. Some routing
protocols feature a default seed metric for redistribution, whereas others do not.

Here is a list of the defaults for the various protocols. Infinity means that a seed metric must be configured (with the metric keyword on the redistribute command, or with default-metric); otherwise the route will not be installed by the receiving protocol.

Protocol - Default Seed Metric
OSPF - 20 (routes redistributed from BGP get 1)
IS-IS - 0
RIP - Infinity
IGRP/EIGRP - Infinity (except between IGRP and EIGRP, where the metric is converted)

Best Regards,
Deepak Arora

Sunday, March 8, 2009

EtherChannel - Few Words

EtherChannel allows you to bundle redundant links and treat them as a single logical link, which gives substantial bandwidth and redundancy benefits.

It is often advisable to use an EtherChannel for key trunks in your campus design. Notice how EtherChannel interacts with STP: without it, spanning tree would block all but one of the parallel links to prevent a loop, whereas the bundle is seen as one link and every member forwards.
Be aware of the following guidelines for EtherChannel:

1. All Ethernet interfaces on all modules must support EtherChannel.

2. You have a maximum of eight interfaces per EtherChannel.

3. The ports do not need to be contiguous or on the same module.

4. All ports in the EtherChannel must be set for the same speed and
    duplex.

5. Enable all interfaces in the EtherChannel.

6. An EtherChannel will not form if one of the ports is a Switched
    Port Analyzer (SPAN) destination.

7. For Layer 3 EtherChannels, assign a Layer 3 address to the port-channel
     logical interface, not the physical interfaces.

8. Assign all EtherChannel ports to the same VLAN or ensure they
    are all set to the same trunk encapsulation and trunk mode.

9. The same allowed range of VLANs must be configured on all
    ports in an EtherChannel.

10. Interfaces with different STP port path costs can form an
     EtherChannel.

11. After an EtherChannel has been configured, a configuration made
      to the physical interfaces affects the physical interfaces only.

EtherChannel load balancing hashes on MAC addresses, IP addresses, or Layer 4 port numbers, using the source, the destination, or both; the method is set globally with port-channel load-balance. Pick a field that actually varies across your traffic, or a single member link ends up carrying most of the load.

Here is an example (mode desirable negotiates the bundle with PAgP; use mode active for LACP):
Router# configure terminal
Router(config)# interface range fastethernet 2/2 - 8
Router(config-if-range)# channel-group 2 mode desirable
Router(config-if-range)# end

Best Regards,
Deepak Arora

Saturday, March 7, 2009

Breaking Cisco Router's Level 7 password - :-( My GOD

During my CCNA studies I learned about breaking Cisco routers' level 7 passwords using Boson's free Getpass utility.

It was good to know at the initial stage of my career. Anyway... a few months back I learned that the same thing can be done by using a Cisco router itself... can you believe this? I mean you can use a Cisco router to decrypt a level 7 password which was generated by another router. Let's try this out. What I am going to do is log in to one router named GABBAR and create a local user with a password. Then I am going to enable service password-encryption to encrypt this password. I'll note down the encrypted password. Later I am going to log in to another Cisco router named VEERU and try to decrypt the password :)... so let's have some fun.

GABBAR(config)#service password-encryption
GABBAR(config)#username deepak password arora
GABBAR(config)#do sh run | in user
username deepak password 7 11080B0A0513


VEERU(config)#key chain BASANTI
VEERU(config-keychain)#key 1
VEERU(config-keychain-key)#key-string 7 11080B0A0513
VEERU(config-keychain-key)#
VEERU(config-keychain-key)#
VEERU(config-keychain-key)#do sh key chain
Key-chain BASANTI:
key 1 -- text "arora"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

Best Regards,
Deepak Arora
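The key-chain trick above works because type 7 is not encryption at all: service password-encryption applies a fixed-key XOR (a Vigenere cipher keyed with a constant built into IOS), so the operation is reversible by anyone with the string. The following is an added example, not code from the original post, that performs the same reversal off-box and audits a running-config for every such string. The username line in the constructed sample config is the one from the post; the key-string and BGP neighbor lines are made up for the example, and the assumption that IOS only uses key offsets 0 to 15 applies to the encoder, not the decoder.

```python
"""Cisco IOS type-7 password reversal and config audit.

Added example, not from the original post.  Prefer 'username ... secret'
(type 5/8/9 one-way hashes): a type-7 string protects against nothing more
than a glance over the shoulder.
"""
import re

# Constant key shipped in IOS.  The two leading decimal digits of a type-7
# string are the starting offset into this key; they are not a random salt.
_XOR_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Config lines that carry a type-7 string: 'password 7 ...', 'key-string 7 ...',
# 'neighbor x.x.x.x password 7 ...' and similar.
_TYPE7_LINE = re.compile(r"\b(?:password|key-string) 7 ([0-9A-Fa-f]{4,})")


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string such as 11080B0A0513 to its clear-text password."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 strings are an even number of hex digits, at least 4")
    offset = int(encoded[:2], 10)
    if offset >= len(_XOR_KEY):
        raise ValueError("offset %d is outside the IOS key" % offset)
    cipher = bytes.fromhex(encoded[2:])
    clear = bytes(c ^ _XOR_KEY[(offset + i) % len(_XOR_KEY)] for i, c in enumerate(cipher))
    return clear.decode("ascii")


def type7_encode(password: str, offset: int = 11) -> str:
    """Produce the string IOS would store.  IOS chooses the offset itself
    (assumed here to lie in 0-15); it is a parameter so output is reproducible."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    clear = password.encode("ascii")
    cipher = bytes(c ^ _XOR_KEY[(offset + i) % len(_XOR_KEY)] for i, c in enumerate(clear))
    return "%02d%s" % (offset, cipher.hex().upper())


def audit_config(config_text: str) -> list:
    """Return (config line, recovered secret) for every type-7 string in a
    running-config dump: the check to run before a config leaves the box."""
    findings = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


# Constructed running-config excerpt.  The username line is the one from the
# post above; the key-string and neighbor lines are made up for the example.
SAMPLE_CONFIG = """\
service password-encryption
username deepak password 7 11080B0A0513
key chain BASANTI
 key 1
  key-string 7 0822455D0A16
router bgp 65001
 neighbor 192.0.2.1 password 7 11080B0A0513
"""

if __name__ == "__main__":
    for line, secret in audit_config(SAMPLE_CONFIG):
        print("%-48s -> %s" % (line, secret))
```

Run against a real configuration archive, the audit turns up the BGP, OSPF, HSRP and RADIUS keys that are often forgotten once the user accounts have been moved to secret; every one of them is recoverable by anyone who can read the backup.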

Thursday, March 5, 2009

SSH - Few Words

SSH is a client/server protocol used to log in to another computer over a network. It provides strong authentication and encrypted communication over an untrusted network, which is why it should replace Telnet for device management. SSH is only as secure as its implementation, though: many vendors' SSH implementations, IOS included, have had vulnerabilities, so keep the software current and limit who can reach the service.

So lets hop on to a router and configure it :)

Before we enable and configure SSH access, you should know that the router needs a hostname other than the default "Router" and a domain name, because the RSA key pair is named after them. SSH listens on TCP port 22.

Router(config)#hostname Deepak
Deepak(config)#ip domain-name deepak.com
Deepak(config)#crypto key generate rsa general-keys
The name for the keys will be: Deepak.deepak.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: <Enter accepts the default>
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

Deepak(config)#
*Mar  1 00:03:13.563: %SSH-5-ENABLED: SSH 1.99 has been enabled

Two things in that output deserve attention. A 512-bit RSA key is far too small: it can be factored with modest resources and modern clients refuse it, so type 2048 instead of accepting the default (SSH version 2 on IOS needs at least 768 bits). "SSH 1.99" means the router accepts both protocol version 1, which has known weaknesses, and version 2; restrict it with ip ssh version 2.

The next step is to allow only the SSH protocol on the vty lines, which also disables Telnet on them:

Deepak(config)#line vty 0 4
Deepak(config-line)#transport input ssh

The last steps create the local user database and tell the vty lines to authenticate against it. Prefer username ... secret to username ... password: the latter is stored as a reversible type-7 string when service password-encryption is on, and in clear text otherwise.

Deepak(config)#username deepak password deepak
Deepak(config)#line vty 0 4
Deepak(config-line)#login local
Deepak(config-line)#exit

Now hop on to the client router and use the following command for SSH access, where 1.1.1.1 is the IP address of the destination router:

Test#ssh -l deepak 1.1.1.1

Wednesday, March 4, 2009

Another IOS trick


Another IOS trick today... it's not one that can save your life at work, but it is still good to know, especially when someone is going for the CCIE Lab Exam. Once you enter the command no service prompt config, the configuration-mode prompt disappears; commands still work, you just no longer see the prompt. Typing service prompt config brings it back. In the capture below the second command was typed without any visible prompt:

Deepak(config)#no service prompt config
service prompt config
Deepak(config)#

Best Regards,
Deepak Arora

Tuesday, March 3, 2009

Interesting VTP Scenario

Server  Client   Trans     Client
SW1 ---- SW2 ---- SW3 ----- SW4
                   |         |
                   |VLAN25   |
                   |         |
                   R5       VLAN25

A switch in transparent mode does not take part in VTP: it does not originate VTP pruning messages, although it forwards on its trunks the VTP messages it receives from switches in server or client mode.

Therefore, if we enable pruning on SW1, SW2 and SW4, and SW1 and SW2 have no interfaces in VLAN 25, the join messages that SW4 receives through SW3 never ask for VLAN 25, so SW4 prunes VLAN 25 from its trunk to SW3, even though SW3 has an interface (R5) in VLAN 25. Due to this behaviour, reachability in VLAN 25 between SW3 and SW4 is broken.

To prevent VLAN 25 from being pruned, remove it from the prune-eligible list on SW4's trunk:

RSRack1SW4#sh int trunk | b prune
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1-2,11,32,43,367

RSRack1SW4(config)#interface FastEthernet0/19
RSRack1SW4(config-if)#switchport trunk pruning vlan remove 25

RSRack1SW4#sh run int fa0/19
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk pruning vlan 2-24,26-1001
 switchport mode dynamic desirable
end

RSRack1SW4#sh int trunk | b prune
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1-2,11,25,32,43,367
Best Regards,
Deepak Arora

Monday, March 2, 2009

Things that should match to build OSPF neighborship

Here is a short list of the things that must match for two routers to build and establish an OSPF neighborship, worth walking through the next time an adjacency will not come up :)


  • OSPF must be enabled on the interfaces of each router that are connected to the same layer 2 network (with the network command, or ip ospf area on the interface).
  • The neighboring primary IP addresses and masks must be in the same subnet (the mask is not checked on point-to-point network types).
  • Authentication must pass: the same authentication type and, for simple password or MD5, the same key.
  • Interfaces must be in the same area.
  • Areas must have the same area type (stub, NSSA, etc.), which the routers check through the option bits carried in the Hello.
  • Must NOT have duplicate RIDs.
  • OSPF Hello and Dead timers must match on the two routers.
  • I am not sure whether some references mention this, but MTU size does create problems as well sometimes; this can be avoided with the interface command ip ospf mtu-ignore (it is an interface command, not one under the OSPF process), although matching the MTUs on both ends is the better fix.

OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange Database Description (DBD) packets, which is why an MTU mismatch shows up as an adjacency stuck in the ExStart/Exchange state rather than as a neighbor that is never seen. If the MTU advertised in the received DBD packet is higher than the IP MTU configured on the incoming interface, the OSPF adjacency will not be established.

Additionally, there are a couple of items that appear to be an issue but are not. In particular:

    • The OSPF process ID (on the router ospf command) does not have to match.
    • The reference bandwidth (auto-cost reference-bandwidth) does not have to match for the adjacency to form, although it should be the same throughout the domain so that path costs are consistent.
Best Regards,
Deepak Arora
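The checklist above, as an added example that is not part of the original post: the code serialises OSPFv2 Hello packets with constructed router IDs, timers and option bits (RFC 2328, A.3.1 and A.3.2), parses them back the way a receiving router would, and lists every item from the list that the Hellos themselves reveal. The MTU comparison is deliberately absent because OSPF performs it later, on the DBD packets, and whether an authentication key matches cannot be judged from the type field alone.

```python
"""OSPFv2 Hello parameter check against the neighborship checklist.

Added example, not from the original post.  Addresses, router IDs and timers
below are constructed for the demonstration.
"""
from __future__ import annotations

import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1          # packet type 1
OPT_E = 0x02            # E bit: external routing capability; clear in stub and NSSA areas
OPT_N = 0x08            # N bit: NSSA capability


def _checksum(data: bytes) -> int:
    """Standard IP ones'-complement checksum, as used in the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id: str, area_id: str, mask: str, hello: int, dead: int,
                options: int, autype: int = 0, neighbors: tuple = ()) -> bytes:
    """Serialise a Hello: 24-byte header, 20-byte Hello body, 4 bytes per neighbor."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello, options, 1,
                       dead, b"\x00" * 4, b"\x00" * 4)  # priority 1, no DR/BDR yet
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    head = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, 24 + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area_id), 0, autype)
    # The checksum covers header and body but not the 8-byte authentication field.
    csum = _checksum(head + body)
    return head[:12] + struct.pack("!HH", csum, autype) + b"\x00" * 8 + body


def parse_hello(pkt: bytes) -> dict:
    """Validate version, type, length and checksum; return the fields we compare."""
    if len(pkt) < 44 or (len(pkt) - 44) % 4:
        raise ValueError("truncated or malformed Hello")
    ver, ptype, length, rid, aid, csum, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != OSPF_VERSION or ptype != OSPF_HELLO or length != len(pkt):
        raise ValueError("not an OSPFv2 Hello, or bad length field")
    if _checksum(pkt[:12] + struct.pack("!HH", 0, autype) + pkt[24:]) != csum:
        raise ValueError("checksum mismatch")
    mask, hello, options, _prio, dead, _dr, _bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    return {"router_id": socket.inet_ntoa(rid), "area_id": socket.inet_ntoa(aid),
            "autype": autype, "mask": socket.inet_ntoa(mask), "hello": hello,
            "dead": dead, "options": options,
            "neighbors": [socket.inet_ntoa(pkt[i:i + 4]) for i in range(44, len(pkt), 4)]}


def _same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    a, b, m = (struct.unpack("!I", socket.inet_aton(x))[0] for x in (ip_a, ip_b, mask))
    return (a & m) == (b & m)


def adjacency_blockers(pkt_a: bytes, ip_a: str, pkt_b: bytes, ip_b: str) -> list[str]:
    """Reasons, in checklist order, why the sender of pkt_a would reject pkt_b."""
    a, b = parse_hello(pkt_a), parse_hello(pkt_b)
    reasons = []
    if a["mask"] != b["mask"] or not _same_subnet(ip_a, ip_b, a["mask"]):
        reasons.append("interfaces are not on the same subnet")
    if a["autype"] != b["autype"]:
        reasons.append("authentication type mismatch (%d vs %d)" % (a["autype"], b["autype"]))
    if a["area_id"] != b["area_id"]:
        reasons.append("area mismatch (%s vs %s)" % (a["area_id"], b["area_id"]))
    if (a["options"] ^ b["options"]) & (OPT_E | OPT_N):
        reasons.append("area type mismatch (stub/NSSA option bits differ)")
    if a["router_id"] == b["router_id"]:
        reasons.append("duplicate router ID %s" % a["router_id"])
    if (a["hello"], a["dead"]) != (b["hello"], b["dead"]):
        reasons.append("hello/dead timers %d/%d vs %d/%d"
                       % (a["hello"], a["dead"], b["hello"], b["dead"]))
    return reasons


# Constructed packets.  R1 and R2 agree on everything; R3 is in a stub area
# (E bit clear) and uses a 120-second dead timer against R1's 10/40 in area 0.
R1 = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, OPT_E)
R2 = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40, OPT_E, neighbors=("1.1.1.1",))
R3 = build_hello("3.3.3.3", "0.0.0.0", "255.255.255.0", 10, 120, 0)

if __name__ == "__main__":
    print("R1-R2:", adjacency_blockers(R1, "10.0.0.1", R2, "10.0.0.2") or "OK")
    print("R1-R3:", adjacency_blockers(R1, "10.0.0.1", R3, "10.0.0.3"))
```

The parser verifies the header checksum before trusting any field, and the subnet test uses the receiver's own mask together with the source addresses, which is exactly how a router decides whether a Hello arriving on a broadcast segment belongs to its subnet.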