Routing and Switching: Theory and Technical notes.

1. Contents
2. Background technical references
   2.1) Introduction to Cisco-IOS and Junos
   2.2) Quagga
   2.3) Fundamental Cisco Switch and Router configuration
   2.4) VYOS
   2.5) Voyage Linux
3. Switch and Router packet processing
   3.1) Switches
   3.2) Routers
   3.3) ARP process
4. Routing selection in standardized routers
   4.1) Static Routing in network elements
   4.2) Route selection with overlapping address ranges
   4.3) Combining multiple Routing Information Bases (RIB) into a single Route Table
5. Routing information manipulation
   5.1) Passing routes between routing processes
   5.2) Policy Based Routing and Route-Maps
   5.3) Route packet filtering with Distribute-Lists
6. Packet filtering with IP Access Lists
7. BGP
   7.1) Incremental Updates
   7.2) The BGP algorithm (basic reference only; for a complete exact list refer to the manufacturer's notes)
   7.3) Internal BGP vs External BGP operation (For interested readers)
   7.4) Link failures of E-BGP vs I-BGP [4] (Not covered in the lab)
   7.5) Synchronization
8. VLans
9. Technical Section
   9.1) VLan config details
   9.2) OSPF configuration
        Router 1 (Cisco)
        Router 2 (Cisco)
        Router 1/2 (Quagga)
        Router (Junos)
   9.3) OSPF diagnostics
   9.4) OSPFv3 configuration
        Router (Junos)
        Router (Quagga)
        Router (Cisco)
   9.5) OSPFv3 diagnostics
   9.6) Static route configuration
        Router (Junos)
        Router (Cisco)
   9.7) Static Route diagnostics
   9.8) E-BGP configuration (I-BGP configuration is similar, however the internal BGP has the same AS # as its neighbor)
        Router (Cisco) (no Junipers used in the BGP section of the lab)
   9.9) E-BGP diagnostics
   9.10) Route-maps and setting local preference
   9.11) Redistribution
   9.12) IGPs network command (Cisco; Juniper is equivalent)
   9.13) Enabling ipv6 routing (CISCO/QUAGGA ONLY)
10. Linux
11. An overview of potential issues in the lab
2. Background technical references:
2.1) Introduction to Cisco-IOS and Junos
A sufficient introductory guide for IOS (the Cisco user interface) and JunOS is available on the course
website as Overview_of_the_Cisco_IOSv2.pdf. Please read this if you have never touched JunOS/Cisco
before. If you prefer video tutorials, good introductory YouTube videos include:
https://www.youtube.com/watch?v=_9ImaU7vqiY
https://www.youtube.com/watch?v=sochotrkt98
2.2) Quagga
A sufficient introductory resource for Quagga may be found at Openmaniak.com/quagga.php.
Quagga's front end resembles Cisco's with a few differences for the user, so it will be important to scan
over this first, although you should have been introduced to the Quagga application in previous years.
2.3) Fundamental Cisco Switch and Router configuration
A sufficient description of the fundamental Cisco based Router and Switch configurations that have
been used in the lab may be found on the course homepage. This will explain the standard
configuration, which has been altered to configure this network.
2.4) VYOS
VyOS is an open-source router OS with syntax equivalent to JunOS. For configuration please use the
following link as a guide: http://vyos.net/wiki/Main_Page
2.5) Voyage Linux
Voyage Linux is a small Debian-based operating system that runs on Linux-based devices. For brevity, this OS
can be considered a standard Linux distribution.
3. Switch and Router packet processing
3.1) Switches
A switch learns MAC addresses from the packets it receives and forwards a packet out only the specific
switch-learnt port that is the path to the destination MAC address.
If a switch receives a packet whose destination MAC address is not currently stored in its
MAC forwarding table, then the packet is flooded out every port (in the associated VLan).
Every time a packet passes through the switch, the source MAC address is learnt: the address is
associated with the port it arrived on and placed in the switch's MAC forwarding table, where it
serves as the destination entry for later packets.
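As an added example (not part of the original notes), the following Python models the learn / forward / flood behaviour just described for a single VLAN-aware switch. The port layout, MAC addresses and frames are constructed for the demonstration; the MAC table is keyed per VLAN so that an unknown destination is only flooded within its own VLAN.

```python
# Added example (not from the notes): a minimal VLAN-aware learning switch that
# implements the forward / flood / learn behaviour described above.
from collections import namedtuple

# A frame reduced to what the switch looks at: source MAC, destination MAC, VLAN.
Frame = namedtuple("Frame", "src dst vlan")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, port_vlans):
        # port_vlans: {port name: access VLAN} (a constructed layout, see demo()).
        self.port_vlans = dict(port_vlans)
        # MAC forwarding table: (vlan, mac) -> port the MAC was last seen on.
        self.mac_table = {}

    def learn(self, frame, in_port):
        """Source learning: bind the frame's source MAC to its ingress port."""
        self.mac_table[(frame.vlan, frame.src)] = in_port

    def forward(self, frame, in_port):
        """Return the set of egress ports for a frame arriving on in_port."""
        self.learn(frame, in_port)
        if frame.dst != BROADCAST:
            known = self.mac_table.get((frame.vlan, frame.dst))
            if known == in_port:
                return set()          # destination is on the ingress port: filtered
            if known is not None:
                return {known}        # known unicast: out the learnt port only
        # Broadcast or unknown unicast: flood every port in the VLAN except ingress.
        return {p for p, v in self.port_vlans.items()
                if v == frame.vlan and p != in_port}


def demo():
    """Three frames between constructed hosts A (port e1) and B (port e2) in VLAN 10."""
    sw = LearningSwitch({"e1": 10, "e2": 10, "e3": 10, "e4": 20})
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    first = sw.forward(Frame(a, b, 10), "e1")   # B unknown: flooded in VLAN 10 only
    reply = sw.forward(Frame(b, a, 10), "e2")   # A already learnt on e1
    second = sw.forward(Frame(a, b, 10), "e1")  # B learnt on e2 from the reply
    return first, reply, second


if __name__ == "__main__":
    print(demo())
```

Note that port e4 never receives the flooded frame even though the destination is unknown, because it sits in VLAN 20; this is the isolation property the VLAN section later relies on.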
3.2) Routers
When a host wishes to send a packet to another host across a multi-node network, the node must first
determine the next-hop to which to send the packet, based on the destination IP address.
The node consults its route table for the next-hop. If a route exists (see the route selection criteria in
the notes section) the forwarding table is consulted to find the MAC address associated with
the next-hop IP address. If a corresponding MAC address is not found in the forwarding table then
the ARP process is initiated and the routing process is blocked until an answer is received (or a
time-out is reached).
Once the ARP entry is present, the node sets its L2 destination to the next-hop's L2 address and
the L3 destination address to that of the final node's L3 address. The packet is thus forwarded to the
next-hop with information about the required destination.
3.3) ARP process
In the ARP process an ARP request message (a Layer three packet) is sent with an L2 destination of
ff:ff:ff:ff:ff:ff (i.e. a broadcast message), an L2 source address of the sender's network card (if
not spoofed), an L3 destination address of the host IP address to be resolved, and the L3
source address of the requesting node.
Any host whose IP address matches the request will respond with a directed ARP reply, with
L2 source address equal to the responding node's MAC address, L2 destination address equal to the
requestor's address (found in the ARP request), L3 source equal to the L3 address of the replying
node, and L3 destination equal to that of the requestor (also found in the ARP request).
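The request/reply exchange above, as an added example that is not part of the original notes: it encodes and decodes the Ethernet + ARP wire format (RFC 826 layout for Ethernet/IPv4), and a small Host class shows the cache-miss path from section 3.2 that triggers the broadcast request and the directed reply. MAC and IP addresses are constructed values.

```python
# Added example (not from the notes): encoding and decoding ARP requests and
# replies as described above, plus the cache-miss logic that triggers a request.
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (RFC 826 layout).
    A request goes to the L2 broadcast address; a reply is directed to the requestor."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(eth_dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    body += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + body


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict of its fields."""
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    ip = lambda raw: ".".join(str(b) for b in raw)
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]), "op": op,
        "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
        "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42]),
    }


class Host:
    """A host with an ARP cache; constructed for the example."""

    def __init__(self, mac, ip):
        self.mac, self.ip, self.arp_cache = mac, ip, {}

    def resolve(self, next_hop_ip):
        """Cache hit -> (mac, None). Cache miss -> (None, request frame to send)."""
        if next_hop_ip in self.arp_cache:
            return self.arp_cache[next_hop_ip], None
        return None, build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, next_hop_ip)

    def handle(self, frame):
        """Answer requests for our own IP with a directed reply; learn from replies to us."""
        arp = parse_arp(frame)
        if arp["target_ip"] != self.ip:
            return None                      # not for us: ignore
        if arp["op"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        if arp["op"] == ARP_REPLY:
            self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]
        return None


def demo():
    """Host A resolves host B's MAC: miss, broadcast request, directed reply, hit."""
    a = Host("00:00:5e:00:53:0a", "192.0.2.10")
    b = Host("00:00:5e:00:53:0b", "192.0.2.11")
    mac, request = a.resolve(b.ip)           # miss: request built for broadcast
    reply = b.handle(request)                # B answers directly to A
    a.handle(reply)                          # A populates its cache
    mac_after, _ = a.resolve(b.ip)           # hit
    return parse_arp(request)["eth_dst"], parse_arp(reply)["eth_dst"], mac, mac_after


if __name__ == "__main__":
    print(demo())
```

The Host only caches from replies addressed to its own IP; a real stack may also learn from requests it sees, which is the behaviour that unsolicited ("gratuitous") ARP relies on and that an attacker can abuse, so the stricter rule here is the defensive choice.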
4. Routing selection in standardized routers
4.1) Static Routing in network elements.
To achieve a fully statically routed network, a route must be added to every node in the network for every
subnet that is not directly connected to that device. For large networks this comprises a large number
of routes which must be stored in the forwarding table. As you already know from 241, the forwarding
table's TCAM is expensive and limits the number of routes that may be stored and looked up in parallel.
This is important in devices that run BGP, where the size of the table is around 500k routes.
To reduce the number of entries stored, the classful method of routing was relaxed with the
introduction of Classless Inter-Domain Routing (CIDR) and Variable Length Subnet Masks (VLSM). CIDR,
or route summarization, is the ability of the router to group address classes (A, B, C, D) into a
supernet to reduce the number of routes that must be searched. The idea of removing the
classful network boundaries is VLSM, and it means that subnet information must now be propagated with
routes.
The default route (the route of last resort) also reduces the lookup size.
Question for you: Given the description of the logical network (the way addresses have been
carefully chosen), how many routes are needed if the maximum possible summary is used? Is this
dependent on the way the addresses have been allocated? How address assignment is performed
in practice is described in Cisco documentation and left as a future exercise for interested readers
(not expected in this lab).
4.2) Route selection with overlapping address ranges
Multiple routes with overlapping address spaces may be added to the router's route table. Routes are
selected on how specific they are: a route with a more specific match will be selected BEFORE
a route with a less specific match. Specificity in this case is the number of prefix bits in the route that are
matched. A routable packet with destination 10.0.1.2 that enters a router with entries (10.0.0.0/24,
11.1.1.1) and (10.0.1.0/23, 12.2.2.2) will select a next hop of 12.2.2.2.
A second point that follows from the first is that instead of adding every possible route that can exist you
may use the default static route. This route has the lowest priority of the static routes since it is the
most generic match and is thus chosen last.
Question for you: Given a choice of,
10.0.10.0/24 route via 172.0.2.1
10.0.10.0/28 via 172.0.1.1
default via 172.0.0.1
What route would be selected if the destination address is 10.0.10.12?
4.3) Combining multiple Routing Information Bases (RIB) into a single Route Table.
Each routing process creates a table known as the Routing Information Base, which contains all routes
known to that routing instance. Each RIB entry consists of a tuple (Destination Address, Destination
Mask, Next Hop). All RIB tables are combined to form the Route Table, which again consists of entries
(Destination Address, Destination Mask, Next Hop).
Given the possibility that multiple processes (and multiple RIBs) will include route entries with
equivalent destination prefixes but differing next hops, there must be some method of selecting
which route to install in the route table. The specific metric that controls this behaviour is known as
the Administrative Distance, and it is unique to each routing process (including the static route entry).
The lower administrative distance wins the route selection.
The ADs depend on the OS and memorizing these tables is worthless; however, you should note
the general trend: Connected, then Static, then the routing protocols (and that BGP is highly dependent on the OS).
Figure 1. Administrative distances for IOS and JunOS. [1]
A dynamic routing protocol may be overridden by a static route following the Administrative Distance
selection criteria. In this case any failover operation of a routing protocol is consequently voided!
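As an added example serving sections 4.2 and 4.3 (not part of the original notes), the following Python merges several RIBs into one route table by administrative distance and then performs the longest-prefix-match lookup. The AD values are assumed to be the Cisco IOS defaults (the notes deliberately do not list any); the RIB contents are constructed and include the 10.0.0.0/24 and 10.0.1.0/23 entries from section 4.2, plus a static route that overrides an OSPF route for the same prefix, which is the failover caveat just stated.

```python
# Added example (not from the notes): merging several RIBs into one route table
# by administrative distance, then longest-prefix-match lookup.
import ipaddress

# Administrative distances assumed here are the Cisco IOS defaults; other OSes differ.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
    "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200,
}


def build_route_table(ribs):
    """ribs: {process name: [(prefix, next hop), ...]}.
    For each destination prefix only the entry from the process with the lowest
    administrative distance is installed; ties keep the first one seen."""
    table = {}
    for process, entries in ribs.items():
        for prefix, next_hop in entries:
            # strict=False accepts prefixes written with host bits set, e.g. 10.0.1.0/23
            net = ipaddress.ip_network(prefix, strict=False)
            installed = table.get(net)
            if installed is None or ADMIN_DISTANCE[process] < ADMIN_DISTANCE[installed[1]]:
                table[net] = (next_hop, process)
    return table


def lookup(table, destination):
    """Longest-prefix match: among entries covering the destination, the one with
    the most prefix bits wins. Returns (network, next_hop, process) or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, (next_hop, process) in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, process)
    return best


def demo():
    """Constructed RIBs: an OSPF process plus two static routes, one of which
    overrides the OSPF route for the same prefix (AD 1 beats AD 110)."""
    ribs = {
        "ospf": [("10.0.0.0/24", "11.1.1.1"), ("10.0.1.0/23", "12.2.2.2")],
        "static": [("0.0.0.0/0", "172.16.0.1"), ("10.0.0.0/24", "192.0.2.1")],
    }
    table = build_route_table(ribs)
    return {
        "10.0.1.2": lookup(table, "10.0.1.2")[1],    # only the /23 covers it
        "10.0.0.5": lookup(table, "10.0.0.5")[1:],   # /24 beats /23; static beats OSPF
        "8.8.8.8": lookup(table, "8.8.8.8")[1],      # falls through to the default route
    }


if __name__ == "__main__":
    for dst, result in demo().items():
        print(dst, "->", result)
```

The order of the two decisions matters and is the point of the example: AD is applied per prefix when the table is built, and prefix length is applied per packet at lookup time, so a static /24 with AD 1 silently replaces the OSPF /24 and will keep attracting traffic even if the OSPF-learned path is the only one still up.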
5. Routing information manipulation
5.1) Passing routes between routing processes.
By convention, OSPF, ISIS, RIP, RIPng, OSPFv3 and BGP implementations do NOT by default propagate
routes from other routing processes (including static routes); routes are only propagated within the specific process.
You must explicitly tell the router to do this via redistribution, as it is known in networking equipment
OSes.
Redistribution is the process (I use this word loosely, as it is not a programming process) by which the router
places all routes of a certain character (static, OSPF, BGP, etc.) into the RIB of a second routing
process.
To discriminate between those routes that should be redistributed and those that should not, a
distribute-list may be applied.
When redistributing routes between protocols, route metrics need to be propagated. This is
problematic because routing protocols generally have different metric assignment methods. In this
case an "appropriate" route metric should be applied to the different routes. All redistributed routes will
be labelled with a default metric; however, it may be wise for the administrator to alter this.
One word of caution, however: with multiple border routers, routing loops or
suboptimal routing may occur via redistribution if the administrator has not considered the following
problems.
[Figure 2 (network diagram): routers R1 to R5. R1 advertises network 192.168.1.0 and is joined to R2 and
R5 by RIP links 178.1.10.0/30 and 178.1.10.4/30; R2, R3, R4 and R5 form the IGRP domain over links
181.16.2.0/30, 181.16.2.4/30 and 181.16.2.8/30.]
Figure 2. Route redistribution. Examples taken directly from [2].
Consider the above network. R2 receives the 192.168.1.0 network prefix from R1 and redistributes
it into the IGRP network. The route propagates through the IGRP network and is received at R5.
ISSUE 1: Since the Administrative Distance for IGRP is lower than that of RIP, the IGRP route will be
installed. That is, R5 will now route traffic to the 192.168.1.0 network through R4 and the IGRP
network, instead of directly to R1.
In conclusion we state that redistribution between protocols may break routing protocol loop prevention
mechanisms.
ISSUE 2: Consider that the routing process is now changed to OSPF; furthermore, the R1-R2 OSPF metric
has been altered administratively so that it now reflects a slow link with a metric of 50, and the
R5-R1 link is assigned metric 20. If R5 redistributes routes from IGRP the default metric is applied,
which may be smaller than the current best path cost of 20. We now have sub-optimal routing due to not
configuring the redistribution metric with careful consideration.
In conclusion we state that redistribution between protocols may break cost-based routing.
The solution is to use distribute-lists to filter out routes from re-entering the RIP/OSPF network; this is the
task of the designer or administrator.
5.2) Policy Based Routing and Route-Maps.
Policy Based Routing (PBR) is the term given to routing packets differently based on various
characteristics of the packets. This is pointedly different from standard destination-based
routing (conventional routing based on the destination address). PBR may be performed on the basis of source
address, the size of the packet, the protocol of the payload, or other available information.
PBR is conventionally implemented via Route Maps.
Conventional routers support PBR via Route Maps, which are applied to interfaces to perform
either inbound or outbound route-update filtering. Several filtering actions are provided, including
setting BGP, RIP, etc. metrics, setting next-hops, and completely filtering out route entries,
amongst a plethora of others.
You will need to use policy based routing in this lab part 2.
5.3) Route packet filtering with Distribute-Lists.
Each node in a network may selectively filter which specific routes enter its path
calculation, or filter out routes from being advertised to neighbors.
This function is configured using distribute-lists, which reference an access control list and are placed
under the (config-router#) section of the configuration hierarchy, applied to either incoming or outgoing
routes. The astute student will notice that distribute-lists were also used previously to discriminate
routes to be redistributed between protocols.
6. Packet filtering with IP Access Lists.
Access lists define and filter out a subset of traffic, and are either:
• Applied to a distribute list (a way of defining the routes matched by the distribute list), or
• Applied to an interface (inbound or outbound) to filter traffic (as opposed to route
  updates).
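As an added example covering sections 5.3 and 6 (not part of the original notes), the following Python implements Cisco-style wildcard-mask matching, a standard access list with first-match and implicit-deny semantics, and its use as a distribute-list over a set of route updates. The ACL entries and routes are constructed, and reproduce the fix proposed in section 5.1: stop 192.168.1.0 from being redistributed while letting everything else through. The same netmask/wildcard inversion is the one the Cisco OSPF network statement expects.

```python
# Added example (not from the notes): Cisco-style wildcard-mask matching, a
# standard access list, and its use as a distribute-list over route updates.
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def netmask_to_wildcard(netmask):
    """A wildcard mask is the bitwise inverse of the netmask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(_int(netmask) ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """Cisco semantics: a 0 bit in the wildcard must match exactly, a 1 bit is ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


class StandardACL:
    """Entries are checked in order; the first match decides; implicit deny at the end."""

    def __init__(self, entries):
        # entries: [("permit" | "deny", base address, wildcard mask), ...]
        self.entries = list(entries)

    def permits(self, addr):
        for action, base, wildcard in self.entries:
            if wildcard_match(addr, base, wildcard):
                return action == "permit"
        return False


def apply_distribute_list(acl, routes):
    """Keep only the route updates whose network address the ACL permits.
    A standard ACL used this way tests the network address, not the prefix length."""
    return [(prefix, nh) for prefix, nh in routes
            if acl.permits(prefix.split("/")[0])]


def demo():
    """Constructed: stop 192.168.1.0 from being redistributed, allow everything else."""
    acl = StandardACL([
        ("deny", "192.168.1.0", netmask_to_wildcard("255.255.255.0")),
        ("permit", "0.0.0.0", "255.255.255.255"),   # equivalent of 'permit any'
    ])
    routes = [("192.168.1.0/24", "178.1.10.1"),
              ("178.1.10.0/30", "178.1.10.1"),
              ("181.16.2.0/30", "181.16.2.1")]
    return apply_distribute_list(acl, routes)


if __name__ == "__main__":
    print(demo())
```

Because the implicit deny is at the end, an ACL that only lists deny entries filters every route; the trailing permit-any line is what makes the list a targeted exclusion rather than a blanket block.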
7. BGP
BGP differs markedly from other conventionally implemented routing methods (IS-IS, RIP, OSPF, EIGRP)
in that it is considered a Path Vector algorithm. BGP uses the AS path as the indication to prevent
loops. A router adds its own AS number to the path of any route update it receives before propagating the route
with the full AS path list to its neighbor. Any update that contains the receiver's AS number in its path is
immediately dropped.
7.1) Incremental Updates
Since the full BGP table is over 500,000 routes, incremental updates are used to propagate routing
information.
Question for you: So given a route table of such high number of routes, how does a BGP router
summarize these? Is the conventional method possible with BGP?
7.2) The BGP algorithm (basic reference only; for a complete exact list
refer to the manufacturer's notes)
BGP uses selection criteria to select which of the received routes should be placed in the BGP table. The
selection algorithm is long and is listed below. The algorithm is useless to remember; however, the
important sections are the Local Preference, AS-PATH length and the MED.
• The local preference is propagated within an AS (default is 100; highest is most desirable).
• The MED (if configured) is propagated between ASes (default).
Also please note that the WEIGHT attribute is specific to Cisco (and Quagga) implementations of
BGP. Juniper does not include this.
Local preference is used to advertise to I-BGP neighbors only how to leave their AS (outbound
traffic). Paths with the highest preference value are most desirable. The local preference attribute is
discretionary and therefore not all routes will be tagged with it. Local preference will only be
passed within the AS.
MED is used to advertise to neighboring ASes a suggestion about which path to take if the BGP AS is
multi-homed, that is, if more than one connection to one or more ASes exists. This is likely to occur in
major ISPs, which require redundant BGP router connections to other ISPs.
Note: A preferred path with a downed link (at the sender or receiver) does not mean that the destination is
unreachable; the routing process will instead use different means to get there.
Corollary: However, a static route with a downed link at the receiver or sender will mean the destination
is unreachable.
The full BGP algorithm is found at the following website.
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
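As an added example for the BGP intro and section 7.2 (not part of the original notes, nor a full implementation of the vendor algorithm linked above), the following Python models the AS-path loop check on receipt, the prepend-on-advertise step, the rule that a path learned from an I-BGP peer is not re-advertised to another I-BGP peer, and a best-path choice reduced to the three steps the notes single out: Local Preference, AS-path length, MED. The AS numbers, prefixes and next hops are constructed.

```python
# Added example (not from the notes): the AS-path loop check on receipt, the
# eBGP/iBGP re-advertisement rule, and a simplified best-path choice using only
# the Local Preference, AS-path length and MED steps discussed above.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: tuple          # leftmost entry is the AS that most recently added itself
    local_pref: int = 100   # default 100; higher is preferred, carried only inside the AS
    med: int = 0            # lower is preferred; carried between neighbouring ASes
    learned_from: str = "ebgp"   # "ebgp" or "ibgp"


def receive_update(my_as, path):
    """Loop prevention: drop any update whose AS path already contains our AS."""
    if my_as in path.as_path:
        return None
    return path


def advertise(my_as, path, to_ebgp):
    """Build the update sent to a peer, or None if BGP forbids it.
    eBGP: our AS is prepended; local pref is not carried and MED is reset in this model.
    iBGP: a path learned from an iBGP peer is never re-advertised to another iBGP peer,
    because the AS path would not change and a loop could not be detected."""
    if to_ebgp:
        return replace(path, as_path=(my_as,) + path.as_path, learned_from="ebgp",
                       local_pref=100, med=0)
    if path.learned_from == "ibgp":
        return None
    return replace(path, learned_from="ibgp")


def best_path(paths):
    """Highest local preference, then shortest AS path, then lowest MED.
    Simplification: real BGP compares MED only between paths from the same
    neighbouring AS and has further tie-breakers after these three steps."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


def demo():
    """Constructed: AS 65001 receives three candidate paths for the same prefix."""
    my_as = 65001
    candidates = [
        Path("203.0.113.0/24", "10.0.0.2", (65002, 65010), local_pref=100, med=10),
        Path("203.0.113.0/24", "10.0.0.6", (65003, 65004, 65010), local_pref=200),
        Path("203.0.113.0/24", "10.0.0.9", (65005, 65001, 65010)),   # contains our AS: dropped
    ]
    accepted = [p for p in candidates if receive_update(my_as, p) is not None]
    best = best_path(accepted)                      # local pref 200 beats the shorter path
    onward = advertise(my_as, best, to_ebgp=True)   # what an eBGP peer would see
    return len(accepted), best.next_hop, onward.as_path


if __name__ == "__main__":
    print(demo())
```

The demo shows why local preference is the operator's main outbound lever: the longer AS path wins as soon as its local preference is higher, and path length only decides between candidates whose local preference is equal.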
7.3) Internal BGP vs External BGP operation (For interested readers)
You will have learnt in NWEN302 and possibly 402 that two forms of BGP exist, E-BGP and I-BGP. There is
a difference in operation: E-BGP connects ASes, I-BGP operates intra-AS. Specifically,
• A prefix learned from E-BGP can be advertised to an I-BGP neighbor and vice versa.
• A prefix learned from one I-BGP neighbor cannot be advertised to another I-BGP neighbor.
The reason for this is that there is no AS-PATH change within the same AS and thus there is a danger of forming
routing loops. Therefore this is not allowed.
[Figure: R1 and R2 peer with R3 over I-BGP; R3 peers with R4 over E-BGP.]
R3 can tell R1 and R2 prefixes from R4.
R3 can tell R4 prefixes from R1 and R2.
R3 CANNOT tell R2 prefixes from R1.
7.4) Link failures of E-BGP vs I-BGP [4] (Not covered in the lab)
Link failures are handled differently with I-BGP.
[Figure: an I-BGP session between R1 and R2, with the R1-R2 link marked as failed.]
If link R1-R2 goes down, 138.39.1.1 is unreachable from R2 following the I-BGP rules for propagation of
routes.
If the endpoints are loopback addresses and an IGP can reroute traffic to R2 then the I-BGP connection
becomes virtual and can remain connected through the above failure.
This is typically what is desired and how this is implemented.
7.5) Synchronization
[Figure: I-BGP learned routes will never be propagated over multiple I-BGP hops; with
synchronisation they will be installed only if the route has first been learned by the IGP (via
redistribution). A link in the diagram is marked as failed.]
Given the above network with Routers 2, 5 and 3: Router 2 has an I-BGP peering session with Router 3,
and Router 5 does not run BGP at all. R2 and R3 neighbor over I-BGP between virtual interfaces
(loopback addresses), so a so-called "overlay network" is formed. This
implies that any intermediary router (if it wishes to route packets) SHOULD be aware of every prefix
that either node wishes to reach, since a packet destined from 1 to 4 will have to pass through
the intermediary node which does not run BGP, here Router 5. If the intermediate router is not aware,
then a packet that arrives at R5 will be dropped.
In modern MPLS-based networks internal routers (P nodes) do not perform IP routing but MPLS
switching, so they can be unaware of IP prefixes and need not be part of the I-BGP mesh.
An I-BGP neighbor will not install a route with synchronization enabled unless it has first learned that
route from an existing IGP (synchronization is disabled by default).
8. VLans
Virtual LANs are a concept to provide isolation of layer 2 packets, or broadcast domains. From a practical
perspective, nodes on one Virtual LAN will not be able to communicate with a node on a second VLan
(tagged with a second tag). The Virtual LAN is supported by the IEEE 802.1Q standard. This standard
specifies a 4 byte VLan header which is inserted into the middle of the Ethernet frame (after the source
MAC address). You should have become aware of VLAN tags in the second year PCap assignment.
Sub-interfaces may be configured on hosts and routers which tag frames with VLan numbers.
Switches implement the notion of VLans in the following way.
• A switch port-set (set of interfaces) may be configured to reside in a VLan, in which case all
  and only those ports in the VLan may communicate with each other. All ports are then
  considered access ports and should be configured thusly (already the default behavior). The
  switch expects all traffic within an access port VLan to be untagged.
• A switch port may be configured to be a trunk port, in which case any number of sub-interfaces
  producing VLan-tagged traffic may be "switched". A trunk port places all untagged traffic into
  a single sub-interface called the default VLan. Again, all traffic tagged with the same VLan may
  communicate with each other.
• A trunk port may be configured to allow or deny specific VLans on an individual basis.
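As an added example (not part of the original notes), the following Python reads and writes the 4-byte 802.1Q tag at the position described above and applies the access-port and trunk-port ingress rules from the three bullets: an access port expects untagged frames, a trunk switches tagged frames by VID only if that VID is allowed, and untagged frames on a trunk fall into the default (native) VLAN. The Ethernet frames are constructed bytes, not captured traffic.

```python
# Added example (not from the notes): reading and writing the 4-byte 802.1Q tag,
# and the access-port / trunk-port ingress rules listed above. Frames are
# constructed bytes, not captured traffic.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def make_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, or (None, None, ethertype).
    The tag sits after the source MAC: TPID 0x8100 then a 16-bit TCI (PCP:3 DEI:1 VID:12)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag (what a sub-interface does on egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")   # 0 and 4095 are reserved by 802.1Q
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the tag (what a sub-interface does on ingress); untagged frames pass unchanged."""
    return frame[:12] + frame[16:] if parse_tag(frame)[0] is not None else frame


class AccessPort:
    """All traffic on an access port belongs to one VLAN and is expected untagged."""

    def __init__(self, vlan):
        self.vlan = vlan

    def ingress(self, frame):
        """Returns the VLAN the frame is classified into, or None if it is dropped."""
        return self.vlan if parse_tag(frame)[0] is None else None


class TrunkPort:
    """Tagged traffic is switched per VID if that VID is allowed; untagged traffic
    goes to the default (native) VLAN."""

    def __init__(self, allowed, native_vlan=1):
        self.allowed, self.native_vlan = set(allowed), native_vlan

    def ingress(self, frame):
        vid = parse_tag(frame)[0]
        if vid is None:
            return self.native_vlan
        return vid if vid in self.allowed else None


def demo():
    """Constructed IPv4 frame, tagged with VLAN 10, offered to both port types."""
    plain = make_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                       ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = tag_frame(plain, 10, pcp=3)
    trunk = TrunkPort(allowed={10, 20})
    access = AccessPort(vlan=10)
    return {
        "tag": parse_tag(tagged),                            # (10, 3, 0x0800)
        "len_delta": len(tagged) - len(plain),               # the 4-byte header
        "trunk_tagged": trunk.ingress(tagged),               # 10
        "trunk_untagged": trunk.ingress(plain),              # native VLAN 1
        "trunk_denied": trunk.ingress(tag_frame(plain, 30)), # not in allowed list
        "access_tagged": access.ingress(tagged),             # access expects untagged
        "roundtrip": untag_frame(tagged) == plain,
    }


if __name__ == "__main__":
    print(demo())
```

The allowed-VLAN check in TrunkPort is the mechanism behind the per-port "allowed vlan" list discussed in the technical section: a tag the trunk was not told to expect is dropped rather than switched, which is what keeps a trunk from leaking one VLAN's broadcast domain into another.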
9. Technical Section.
What follows are the technical details of how to configure devices. The purpose is to provide a concise
description of what is needed to complete this lab. You can find your own sources freely available on
the internet if you do not trust this work; however, you will go through the same thing as I did, digging
around and extracting the important parts from the complete documentation.
It is worthless (to a large extent) to memorize the technical details; furthermore, I suggest learning
about new technologies/configuration as needed, based on your diagnosis of connectivity problems
using the tool set Andy Linton has summarized and the pre-existing knowledge of networking
principles you have learnt over the years. What is of value and prestige is how closely you can interpret
the requirements.
Furthermore you should be aware that IOS and JunOS follow "equivalent" configuration. It is only the
"skin" (how to apply the following) that differs. Having said this, there are a few
routing protocols that are unique to each vendor.
9.1) VLan config details.
Following this, switches will need to be configured to tell them to expect these types of frames. This
is configured via the following command in Cisco, and similarly in Juniper switches:
(config-if) switchport mode trunk
You will see this in the switch configuration in the lab.
You will also see a list of allowed VLan tags under each switch-port configuration. This prevents all
VLans not specifically stated from traversing that switch port. In this way a switch can be broken up into
many virtual switches or Virtual LANs (where the terminology comes from)!!!
To allow a Vlan through a (Cisco) switch 3 conditions must be met
1. (config ) vlan {#}
2. (config-if) switchport mode trunk
3. (config-if) switchport trunk allowed vlan add {#}
(Please note that the changes made are typically effective only after around 30 seconds).
Ethernet end hosts must also be configured to expect a VLan, and specifically which VLan the interface
should listen and respond to. This means that each sub-interface attaches an 802.1Q
tag to outgoing traffic and removes the 802.1Q tag from incoming traffic.
You can add any number (up to 4096) of VLans to a Linux interface with
ip link add link {interface id} name {string} type vlan id {Vlan #}
You will then need to bring the interface into an enabled state before it will be visible to ifconfig:
ifconfig {name as above} up
and then give the sub-interface an address with
ifconfig {name as above} {ip address}/{netmask}
On a Cisco router:
(config) interface fa {interface id}.{Vlan #}
(config-if) encapsulation dot1q {Vlan #}
(config-if) ip address {ip} {netmask}
9.2) OSPF configuration.
In order to debug the network you must be aware of the requirements of working OSPF processes.
Question for you: OSPF may be segmented into different "areas" where the SPF calculation is
performed just within a single area and the boundary is considered to have a static cost. Why?
The fundamental OSPF connection requirements, ignoring authentication, are:
1. Both nodes participating in an OSPF connection must be in the same area.
2. Addresses on the same network (including subnet masks).
3. Network statement. For each participating interface a network statement must be present.
4. All routers within the network must have a unique router-id. If one is not given, a default is
   used which IS either the highest loopback address or the physical interface address.
Router 1 (Cisco)
#router ospf 1
!1 is an arbitrary number unique to each ospf process running
#router-id A.B.C.D
#network ip-address wildcard-mask area {area number (only single-area ospf is used in this
lab)}
Router 2 (Cisco)
#router ospf 1
#router-id A.B.C.D
#network ip-address wildcard-mask area 0
Router 1/2 (Quagga)
#router ospf
#ospf router-id A.B.C.D
#network ip-address/prefix-length area 0.0.0.0
The area statement is for use in large multi-area networks, which are beyond the scope of this lab and
course material (and I don't know how important it really is in the working world); just leave it at 0.
Note: wildcard masks are specified in the opposite fashion to the netmask!
I.e. 255.255.255.0 (netmask) == 0.0.0.255 (wildcard).
Router (Junos)
routing-options {
    router-id A.B.C.D;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface ethX.Y;
        }
    }
}
9.3) OSPF diagnostics
Display connectivity between OSPF neighbors:
• (R1#) show ip ospf neighbor (Cisco; the Junos equivalent is show ospf neighbor)
View the OSPF RIB:
• (R1#) show ip ospf route
9.4) OSPFv3 configuration.
The fundamental OSPFv3 connection is shown in the following. The requirements for correct
operation between nodes follow those of OSPF.
Router (Junos)
routing-options {
    router-id 1.1.1.1;
}
protocols {
    ospf3 {
        area 0.0.0.0 {
            interface ethX.Y;
        }
    }
}
Router (Quagga)
#router ospf6
(config-router) router-id 1.1.1.1 !1.1.1.1 is an arbitrary number unique to each ospf process
running, and MUST be unique across the network.
(config-router) interface {interface} area 0.0.0.0
Router (Cisco)
Router configuration differs markedly in that each interface participating in the OSPFv3 process must be
explicitly stated as doing so.
(config-if) ipv6 ospf 1 area 0.0.0.0
#ipv6 router ospf 1
(config-router) router-id 1.1.1.1 !1.1.1.1 is an arbitrary number unique to each ospf process
running, and MUST be unique across the network.
9.5) OSPFv3 diagnostics
Display connectivity between ospf neighbors.
(R1#) show ipv6 ospf neighbor
9.6) Static route configuration
Router (Junos)
routing-options {
    static {
        route X.Y.Z.0/prefix-length {
            next-hop W.X.Y.Z;
        }
    }
}
Router (Cisco)
(config) ip route {network} {netmask} {next-hop-ip-address}
9.7) Static Route diagnostics.
(R1#) show ipv6 route
(R1#) show ip route
9.8) E-BGP configuration. (I-BGP configuration is similar however the internal BGP
has the same AS # as its neighbor)
The fundamental BGP connection requirements, ignoring authentication, are:
1. BGP must be configured in separate sections (address families) for ipv4 and ipv6.
2. By default NO routes are propagated. All networks to be advertised must be explicitly stated
   via the network statement or via redistribution.
3. You should use neighbor activate for the ipv6 address family.
Router (Cisco) (no Junipers used in the BGP section of the lab)
(config) router bgp AS#-of-this-router
(config-router)neighbor ip-address-of-neighbor AS-number-of-neighbor
(config-router)neighbor ipv6-address-of-neighbor remote-as AS-number-of-neighbor
(config-router)address-family ipv6 unicast
(config-router)neighbor ipv6-address activate
#network ipv6/netmask
In order to advertise ANY routes in BGP you need to redistribute the routes from some source or use
the network command. This is true for either ip or ipv6.
17 | P a g e
The network command in BGP is different to that in OSPF and NOT required. In BGP the network
command specifies a network should be added to the BGP routing table. This can also be performed
via redistribution instead. For exterior protocol the network command controls which networks are
advertised.
Synchronization is enabled and disabled in each address family separately.
Don’t forget any changes to BGP requires a “soft restart”
#clear ip bgp *
9.9) E-BGP diagnostics.
#show ip bgp
#show ip bgp neighbors
There is a finite state machine that the BGP process goes through in order to form a BGP neighborship.
If a BGP state is ACTIVE there is no current BGP neighborship and the BGP process is not exchanging
routes.
If a BGP state is ESTABLISHED there is a working BGP neighborship.
If a BGP state is IDLE then the neighborship is currently administratively down or awaiting the next
retry event.
If a BGP state is OPENSENT, this node has issued an OPEN but has yet to hear a corresponding OPEN
from its neighbor.
If a BGP state is OPENCONFIRM, the node is awaiting KEEPALIVE messages.
Each neighbor configured will have its own state.
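As an added example that is not part of the notes, the following Python classifies BGP neighbors by the states listed above from constructed lines in the style of Cisco's show ip bgp neighbors output; the peer addresses other than 172.31.78.8 and the AS numbers are assumptions.

```python
import re

# Constructed sample in the style of IOS "show ip bgp neighbors" output; the
# peer addresses and AS numbers are assumptions for illustration.
SAMPLE_OUTPUT = """\
BGP neighbor is 172.31.78.8,  remote AS 65001, external link
  BGP version 4, remote router ID 10.0.0.8
  BGP state = Established, up for 00:10:22
BGP neighbor is 172.31.78.9,  remote AS 65002, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
BGP neighbor is 172.31.78.10,  remote AS 65003, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle
"""

# What each state means, following section 9.9 of the notes.
STATE_MEANING = {
    "IDLE": "administratively down or awaiting the next retry event",
    "ACTIVE": "no neighborship; the process is not exchanging routes",
    "OPENSENT": "OPEN sent, no OPEN heard back from the neighbor yet",
    "OPENCONFIRM": "OPENs exchanged, awaiting KEEPALIVE messages",
    "ESTABLISHED": "working neighborship, routes are being exchanged",
}

NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([^,]+),\s+remote AS (\d+)")
STATE_RE = re.compile(r"^\s+BGP state = (\w+)")

def parse_bgp_neighbors(text):
    """Return [(neighbor, remote_as, STATE), ...] in the order shown."""
    peers, current = [], None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            current = [m.group(1), int(m.group(2)), "UNKNOWN"]
            peers.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current[2] = m.group(1).upper()
    return [tuple(p) for p in peers]

def peers_needing_attention(text):
    """Neighbors that are not ESTABLISHED, with the notes' explanation of their state."""
    return {peer: STATE_MEANING.get(state, "unknown state")
            for peer, _, state in parse_bgp_neighbors(text)
            if state != "ESTABLISHED"}
```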
9.10) Route-maps and setting local preference
Steering exiting traffic via local preference using route-maps.
(config)# route-map LOCALPREF permit 10
(config-route-map)# set local-preference 500
(config)# router bgp 67
(config-router)# neighbor 172.31.78.8 route-map LOCALPREF in
9.11) Redistribution
As presented previously, routes from each process do not by default enter each other's routing
processes. Redistribution must be explicitly configured with the redistribute command under the routing
process that is to be redistributed into.
All interfaces (or networks, depending on the specific syntax) that share a redistribution point MUST be
included in both routing processes.
(config-router)# redistribute {routing-protocol} metric {redistributed-metric}
9.12) IGPs network command (Cisco; Juniper is equivalent)
(config-router)# network {network address}
The command in OSPF, RIP, OSPFv3 and RIPng (NOT BGP) signals two things to the corresponding process:
1) This interface WILL participate in the routing process. Interfaces without a matching network
statement will NOT send routing updates.
2) The address WILL be included in routing updates sent.
ISIS does not use the network command; routing is configured on an interface basis, so enabling ISIS
on an interface is possible, but the decision of what to send is independent of any network statement.
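As an added example that is not part of the notes, this Python works out which interfaces an IOS-style network/wildcard statement enables for OSPF and in which area, using the inverted-mask rule from the wildcard note; the interface names, addresses and statements are constructed, and picking the most specific match is an assumption of the example.

```python
import ipaddress

# Constructed IOS-style statements as (network, wildcard, area); not from the notes.
OSPF_NETWORK_STATEMENTS = [
    ("10.1.1.0", "0.0.0.255", 0),
    ("192.168.0.0", "0.0.255.255", 1),
    ("0.0.0.0", "255.255.255.255", 2),   # matches every address, least specific
]
# Constructed interface addresses of the router being configured (assumption).
INTERFACES = {
    "Gi0/0": "10.1.1.1",
    "Gi0/1": "192.168.5.7",
    "Gi0/2": "172.16.0.9",
}

def netmask_to_wildcard(netmask):
    """255.255.255.0 -> 0.0.0.255: the wildcard is the bitwise inverse of the netmask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def wildcard_matches(address, network, wildcard):
    """A wildcard bit of 0 means the bit must match; 1 means don't care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def ospf_participation(interfaces, statements):
    """Map each interface to the area of the most specific matching statement.

    Interfaces with no matching statement are left out: per the notes they do
    not participate and send no updates. Most-specific-first is an assumption
    of this example (the notes do not state the tie-break rule).
    """
    def specificity(stmt):
        return bin(~int(ipaddress.IPv4Address(stmt[1])) & 0xFFFFFFFF).count("1")
    ordered = sorted(statements, key=specificity, reverse=True)
    result = {}
    for name, addr in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_matches(addr, network, wildcard):
                result[name] = area
                break
    return result
```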
BGP network command
In BGP the statement has a different meaning: it specifies that the local network should be advertised,
and no local network is advertised unless there is a corresponding network command. Although this
statement is required for every directly connected network that is to be advertised, all routes received
by the BGP process are propagated to all other BGP neighbors without this command.
9.13) Enabling IPv6 routing (CISCO/QUAGGA ONLY)
You must explicitly enable IPv6 routing capabilities in Cisco/Quagga with the following commands in
configure mode. On Juniper this is enabled by default.
(config#) ipv6 unicast-routing (Cisco)
(config#) ipv6 forwarding (Quagga)
10. Linux
What follows is the basic usage of the Linux commands available.
Iptables
"iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a
connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it
doesn't find one, it resorts to the default action."
-L
    List all chains and their rules.
-A {INPUT/OUTPUT/FORWARD} [-p {protocol}] [--sport/--dport {port number}] -j {ACCEPT/DROP}
    Append a rule to the bottom of a chain. -p = protocol [TCP/UDP]
-D {INPUT/OUTPUT/FORWARD} [-p {protocol}] [--sport/--dport {port number}] -j {ACCEPT/DROP}
    Delete the first rule in the chain that matches this specification. -p = protocol [TCP/UDP]
-F {INPUT/OUTPUT/FORWARD}
    Remove all rules from a chain.
Ifconfig
Diagnose and add IP configuration data.
ifconfig {interface} {ip-address} netmask {netmask}
    Set IP address
ifconfig
    List IP addresses
Ip link
Diagnose and add virtual interfaces.
1) ip link add link {parent interface} name {arbitrary name} type vlan id {Vlan number}
    Create a sub-interface
2) Bring the Vlan into the 'up' state (see dealing with interfaces).
3) Add an IP address to the Vlan.
ip link del {arbitrary name}
    Delete sub-interface
ip link show
    List interfaces, including Vlan sub-interfaces
ifconfig {name} up/down
    Enable/Disable the Vlan state after Vlan creation.
Ip route
Diagnose and add static and default routes.
ip route show
    List IP routes
ip -6 route show
    List IPv6 routes
ip route add/del {ip network/prefix-length} via {next-hop ip address}
    Add/delete an IP route
ip -6 route add/del {ipv6 network/prefix-length} via {ipv6 next-hop}
    Add/delete an IPv6 route
arp
Diagnose and modify the ARP table (static entries).
-d A.B.C.D
    Delete the MAC address entry for that IP address.
telnet
Determine remotely which ports are open.
telnet {host} {port-number}
netstat
Determine locally which ports are open:
netstat -an
/etc/hosts.allow, /etc/hosts.deny
Local remote-network control: allow or block services to specific hosts.
Synopsis
• tcpd is the process that performs remote user access control; control is then passed to inetd.
• Restricts remote access to any or all services defined in the service list based on the IP address of
the source.
• Can also be used to execute different scripts based on user identity.
Operation:
tcpd iterates through hosts.allow and then hosts.deny, stopping at the first match.
• Match in hosts.allow: ALLOW.
• Match in hosts.deny: DENY.
• Otherwise ALLOW.
Advanced features:
• May be used to execute a command upon an attempted login, based on user identity.
Syntax examples (mainly closed box):
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
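As an added example that is not part of the notes, this Python applies the allow-then-deny-then-default-allow order described above to constructed hosts.allow and hosts.deny contents; it handles only the ALL, LOCAL, net/mask and exact-host client patterns, and netgroup lookups (@name) are assumed unresolvable.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents (the notes' own example is
# "ALL: ALL" in hosts.deny and "ALL: LOCAL @some_netgroup" in hosts.allow).
HOSTS_ALLOW = """\
sshd: 192.168.10.0/255.255.255.0
ALL: LOCAL @some_netgroup
"""
HOSTS_DENY = """\
ALL: ALL
"""

def parse_rules(text):
    """Each line is 'daemon_list : client_list'; both lists are whitespace separated."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, host):
    """Subset of tcp_wrappers client patterns: ALL, LOCAL, net/mask, exact host."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # any host name that contains no dot
        return "." not in host
    if pattern.startswith("@"):     # netgroup lookup is not implemented here (assumption)
        return False
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == host

def rules_match(rules, daemon, host):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, host) for c in clients)
               for daemons, clients in rules)

def access_allowed(daemon, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Order from the notes: hosts.allow match -> ALLOW; else hosts.deny match -> DENY; else ALLOW."""
    if rules_match(parse_rules(allow_text), daemon, host):
        return True
    if rules_match(parse_rules(deny_text), daemon, host):
        return False
    return True
```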
11. An overview of potential issues in the lab.
The original is a table with the columns: Layer; HOST mechanism; HOST runtime configuration tools (Linux);
HOST configuration files; Cisco/Juniper/Quagga router and switch configuration (specific to this lab). It is
given here per layer.
Application
  HOST mechanism: Service Control (Xinetd/Inetd)
Layer 4: Transport Layer
  FireWall: iptables; /etc/iptables/firewall.rules (distribution dependent); Access List on in/out interface.
Layer 3: Network Layer
  FireWall: iptables; /etc/iptables/firewall.rules (dist. dep.); Access List on in/out interface.
  IP address/Subnet mask: Ifconfig/ip address; /etc/networking/interface (dist. dep.).
  Routing table: Ip route; dist. dep., rc.local; Routing Protocol misconfiguration, Redistribution,
  Redistribution of specific routes (Route-maps), Missing/Incorrect route table entry.
  Forwarding behavior: Sysctl net.ipv4.ip_forward, net.ipv6.conf.all.forwarding; /etc/sysctl.conf.
  ICMP response: Iptables, Sysctl net.ipv4.icmp_echo_ignore_all.
  Host Access Control: Hosts.Allow/Hosts.Deny.
  NAT, RPF-Filter.
Layer 2: Link Layer
  Vlan tagging: Ip link add link type vlan; Switching loops ((X)STP), Vlans misconfigured,
  Vlans blocked by switches (VTP, device config).
Layer 1: Physical Layer
  Duplex, Speed: Ifconfig/ip; Physical connection (straight-through or rollover, if no auto-configuration
  present), Device software enabled, Ports shutdown, Speed incorrectly set.