Cheat sheets

Layer 2
Layer 2 Design
Layer 2 design diagram notes: Loop Guard or Bridge Assurance on the uplinks; clear the native VLAN; spanning normalisation.
• DEC STP: pre-IEEE
• 802.1D: Classic STP
• 802.1t: 802.1D maintenance
• 802.1w: Rapid STP (RSTP)
• 802.1s: Multiple STP (MST)
Spanning toolkit
The following enhancements to 802.1D/s/w make up the Cisco Spanning-Tree toolkit:
• PortFast Lets an access port bypass the listening and learning phases
• UplinkFast Provides 3-to-5 second convergence after a direct link failure
• BackboneFast Cuts convergence time by MaxAge after an indirect failure
• Loop Guard Prevents a root or alternate port from becoming designated when BPDUs stop arriving (for example on a unidirectional link); the port goes loop-inconsistent instead of forwarding
• Root Guard Prevents switches behind the port from becoming root; a superior BPDU puts the port in root-inconsistent state
• BPDU Guard Err-disables a PortFast-enabled port if a BPDU is received
• BPDU Filter Prevents sending or receiving BPDUs on PortFast-enabled ports; the port no longer participates in STP, so a switch plugged in there can close a loop silently
Cisco has incorporated a number of these features into the following versions of STP:
• Per-VLAN Spanning Tree Plus (PVST+)
Provides a separate 802.1D spanning tree instance for each VLAN configured in the
network. This includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU
Filter, Root Guard, and Loop Guard.
• Rapid PVST+ Provides an instance of RSTP (802.1w) per VLAN. This includes PortFast, BPDU
Guard, BPDU Filter, Root Guard, and Loop Guard.
• MST Provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the
same physical and logical topology into a common RSTP instance. This includes
PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
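As an added example, not taken from the cheat sheet: the toolkit placed where the Layer 2 design above intends it, with Loop Guard on the access uplink (a root or alternate port), Root Guard on the distribution port facing the access switch (a designated port), BPDU Guard on the PortFast host ports, and the native VLAN moved to an unused VLAN. Switch roles, interface names, VLAN numbers and priorities are assumptions for illustration. BPDU Filter is deliberately left out, for the reason given in the list.

```cisco
! ===== access switch (Rapid PVST+) =====
! Added example; interface names, VLANs and priorities are assumptions.
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default   ! BPDU Guard on every PortFast port
errdisable recovery cause bpduguard        ! re-enable the port once the rogue switch is gone
errdisable recovery interval 300
!
vlan 999
 name UNUSED-NATIVE                        ! nothing is ever assigned to the native VLAN
!
interface range GigabitEthernet1/0/1 - 24
 description host ports, never a switch
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate                    ! no DTP: a host cannot negotiate itself into a trunk
 spanning-tree portfast                    ! skip listening/learning; BPDU Guard inherited from the global default
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution (root or alternate port)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree guard loop                  ! BPDUs stop = loop-inconsistent, not forwarding
!
! ===== distribution switch =====
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 4096     ! deterministic root (the secondary root would use 8192)
!
interface TenGigabitEthernet1/0/1
 description down to access switch (designated port)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree guard root                  ! superior BPDU from below = root-inconsistent
!
! ===== verification =====
! show spanning-tree summary                  (mode, BPDU Guard default)
! show spanning-tree inconsistentports        (root- or loop-inconsistent ports)
! show interfaces status err-disabled         (ports hit by BPDU Guard)
! show spanning-tree vlan 10 root             (confirm the distribution switch is root)
```

The err-disable recovery timer is a trade-off: without it a BPDU Guard event needs a manual `shutdown`/`no shutdown`, with it a persistently misplaced switch will flap the port every five minutes, which is itself a useful signal in the logs.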
Access design: STP or not STP (diagram)
L2 topologies (diagram)
Layer 3
Layer 3 Design
Triangle vs Square (diagram)
Core summarisation and stub design (diagram notes):
• Core: advertises summaries toward the edge areas
• OSPF: Area 0 to Area 10 with ospf stub no-summary on the ABR; when the router comes up it may advertise the default route immediately (if a loopback is in area 0)
• EIGRP: eigrp stub; queries are not forwarded to the stub router, which replies immediately
OSPF as PE-CE protocol (diagram notes): with a backdoor link between the CEs, intra-area routes over the backdoor are preferred over the inter-area routes learned from the PE, so use a sham-link to make the MPLS path an intra-area route with lower cost; the PE sets the down bit (LSA 3) or the domain ID (LSA 5) so the routes are not re-advertised back into the VPN.
EIGRP as PE-CE protocol (diagram notes): the AS should be the same at both sites.
OSPF
LSA Description
Type 1 Router Link LSA – Routers, links and costs
Type 2 Network Link LSA – Originated by the DR on multi-access networks - Pseudonode.
Area Description
• Backbone (Area 0): All other areas have to be linked to it. Accepts LSA 4 from other areas.
• Standard: Receives LSA 3 & 5; initiates LSA 3, 4 & 5 toward the backbone area.
• Stub: Receives type 3 LSAs and a default route (advertised as an LSA 3); initiates LSA 3.
• Totally Stub: Receives a default route as a type 3 LSA; initiates LSA 3.
• NSSA: Initiates type 7 LSAs, receives LSA 3. Implicit default route for Totally NSSA.
OSPF Areas (diagrams):
• Area 0 to Totally Stub Area: types 1 & 2 stay inside each area; types 3, 4 and 5 from Area 0 stop at the ABR, which sends only a default route (type 3) into the area.
• Area 0 to NSSA: types 1 & 2 inside each area; type 3 passes into the NSSA; externals redistributed inside the NSSA are type 7 there and become type 5 toward Area 0; a default route can be injected.
• Area 0 to Totally NSSA: as NSSA, but only a default route enters the area; type 7 inside, type 5 toward Area 0.
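As an added example, not from the cheat sheet: the ABR and internal-router configuration behind the area table above, plus the EIGRP stub counterpart from the Layer 3 design notes. Router IDs, area numbers, prefixes, interface names and the EIGRP AS are assumptions; the three `router ospf 1` blocks belong to three different routers.

```cisco
! ===== ABR: loopback in area 0, totally stubby area 10, totally NSSA area 20 =====
! Added example; router IDs, areas, prefixes and interfaces are assumptions.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.1 0.0.0.0 area 0          ! loopback in area 0 keeps the ABR role (and its defaults) up
 network 10.1.10.0 0.0.0.255 area 10
 network 10.1.20.0 0.0.0.255 area 20
 area 10 stub no-summary                  ! area 10: only a default route (type 3) enters, no 3/4/5
 area 20 nssa no-summary                  ! area 20: type 7 externals out, only a default (type 3) in
!
! ===== internal router in area 10: the area type must match or no adjacency forms =====
router ospf 1
 router-id 10.0.0.10
 network 10.1.10.0 0.0.0.255 area 10
 area 10 stub                             ! 'stub' only; 'no-summary' is the ABR's decision
!
! ===== ASBR inside the NSSA: its redistributed routes are type 7 =====
router ospf 1
 router-id 10.0.0.20
 network 10.1.20.0 0.0.0.255 area 20
 area 20 nssa
 redistribute static subnets              ! type 7 inside area 20, type 5 beyond the ABR
ip route 172.16.0.0 255.255.0.0 Null0    ! constructed prefix to redistribute
!
! ===== EIGRP spoke as stub: the hub neither queries it nor expects transit through it =====
router eigrp 100
 network 10.1.30.0 0.0.0.255
 eigrp stub connected summary             ! advertise connected and summary routes only
!
! ===== hub: summarize toward the spokes so one spoke's flap does not query the others =====
interface GigabitEthernet0/1
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
! ===== verification =====
! show ip ospf | section Area                   (stub / NSSA flags, no-summary)
! show ip ospf database                         (Summary Net, Type-7 and default entries per area)
! show ip eigrp neighbors detail                (Stub Peer Advertising ... Routes, Suppressing queries)
```

The adjacency requirements listed below are the usual failure mode here: a router in area 10 configured as plain (non-stub) area, or with the wrong area type, never reaches FULL with the ABR, because the E-bit in its Hello packets disagrees.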
OSPF NBMA and partial mesh networks
Adjacency requirements:
• EIGRP
 o Same AS
 o Same primary IP subnet
 o Same K-values (metric weights)
• OSPF
 o Same area
 o Same area type
 o Same IP subnet and mask (not checked on point-to-point links)
 o Same hello and dead interval
 o Same MTU
• IS-IS
 o Same area for L1 adjacencies
 o Different system ID
 o Same MTU
 o Same IP subnet
 o Same network/interface type (multipoint or point-to-point)
IS-IS inter area
• L1/L2 routers set the attached (ATT) bit in their L1 LSP when they have an L2 adjacency to another area. L1
routers that receive an LSP with the attached bit install a default route toward the advertising (nearest) L1/L2 router.
• Intra-area (L1) routes are preferred over inter-area (L2) routes even if the metric is greater.
Route Reflectors
Following the physical topology:
• A session between an RR and a non-client should not traverse a client
• A session between an RR and its client should not traverse a non-client
Influencing inbound traffic (BGP multihoming, diagram notes):
• AS path prepending
• MED
• communities
• selective advertisements (no backup)
• specific advertisements
BGP confederations
Remotely triggered black hole (diagram notes):
• Every edge router (CE) carries a static discard route: 192.0.2.1/32 to Null0
• The NOC trigger router advertises the prefix to drop (10.1.1.0/24, 192.168.1.0/24) over iBGP with next hop 192.0.2.1, so every edge resolves it to Null0 (destination-based RTBH)
• + loose uRPF on the edge interfaces: packets whose source resolves to Null0 are dropped too (source-based RTBH)
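As an added example (not from the cheat sheet), the configuration behind the RTBH diagram: the discard route on every edge router, the trigger on the NOC router, and the loose uRPF line that turns the same trigger into source-based dropping. 192.0.2.1 is the discard next hop from the diagram; the AS number 64500, route tag 666, loopback peering addresses and interface names are assumptions.

```cisco
! ===== every edge router (CE) =====
! Added example; AS number, tag, peering addresses and interfaces are assumptions.
ip route 192.0.2.1 255.255.255.255 Null0        ! anything resolving to 192.0.2.1 is discarded in the forwarding path
interface Null0
 no ip unreachables                             ! do not answer every dropped packet with an ICMP unreachable
!
interface GigabitEthernet0/0
 description Internet-facing
 ip verify unicast source reachable-via any     ! loose uRPF: a source whose FIB entry points to Null0
                                                ! fails the check, so the same trigger also drops
                                                ! packets FROM the black-holed prefix (source-based RTBH)
!
router bgp 64500
 neighbor 10.255.0.1 remote-as 64500            ! iBGP to the NOC trigger router
 neighbor 10.255.0.1 update-source Loopback0
!
! ===== NOC trigger router =====
ip route 10.1.1.0 255.255.255.0 Null0 tag 666   ! prefix to sink (victim or attacker); the tag selects it below
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1                      ! the rewrite that does the work
 set local-preference 200                       ! beat any real route to the prefix
 set origin igp
 set community no-export                        ! the black hole never leaves the AS
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER     ! only tagged statics pass the route-map
 neighbor 10.255.0.2 remote-as 64500
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community             ! without this the no-export community is silently dropped
!
! ===== verification on an edge router =====
! show ip bgp 10.1.1.0/24                (next hop 192.0.2.1, community no-export)
! show ip cef 10.1.1.1                   (resolves to Null0)
! show ip traffic | include RPF          (unicast RPF drop counter for black-holed sources)
```

Adding a prefix is one static route on the trigger router and removing it is `no ip route ... tag 666`; nothing on the edge routers changes. The static `192.0.2.1/32 Null0` must exist on every router that receives the trigger, otherwise that router has no route to the next hop and simply ignores the BGP update.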
IPv6
HA (diagram from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf): router resiliency versus network resiliency.
ISIS
Topology (diagram): CE2 - CE3 - CE4 - CE5 in a chain over 10.1.23.0/24, 10.1.34.0/24 and 10.1.45.0/24; CE3 faces CE2 on Fast0 and CE4 on Fast1, CE4 faces CE3 on Fast2 and CE5 on Fast1.

Straightforward configuration

CE2#sh ip route | i ^i
i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

CE3#sh ip route | in ^i
i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

Summarization + leaking

CE4#sh ip route | in ^i
i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1

CE5#sh ip route | in ^i
i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1
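The IS-IS configuration that yields the route codes in the outputs above, as an added example (not from the cheat sheet): CE2 and CE5 are Level-1 only and take their default from the attached bit, CE3 and CE4 are Level-1-2 in different areas, CE4 summarizes its L1 prefixes into L2 (the `i su ... Null0` entry) and CE3 leaks selected L2 routes back into L1 (the `i ia` entries on CE2). NET addresses, area numbers and the access-list number are assumptions; addresses and interface names follow the outputs.

```cisco
! ===== CE2: L1 only, area 49.0001; default route comes from CE3's attached bit =====
! Added example; NETs, areas and the ACL number are assumptions.
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-1
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip router isis
interface FastEthernet0
 ip address 10.1.23.2 255.255.255.0
 ip router isis
!
! ===== CE3: L1/L2, area 49.0001; leaks 4.4.4.4 and 5.5.0.0/16 from L2 into L1 =====
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-1-2
 redistribute isis ip level-2 into level-1 distribute-list 100   ! leaked routes appear as 'i ia' on CE2
access-list 100 permit ip host 4.4.4.4 any
access-list 100 permit ip 5.5.0.0 0.0.255.255 any
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip router isis
interface FastEthernet0
 ip address 10.1.23.3 255.255.255.0
 ip router isis
interface FastEthernet1
 ip address 10.1.34.3 255.255.255.0
 ip router isis
 isis circuit-type level-2-only     ! CE4 is in another area: only an L2 adjacency can form here
!
! ===== CE4: L1/L2, area 49.0002; summarizes CE5's L1 prefixes into L2 =====
router isis
 net 49.0002.0000.0000.0004.00
 is-type level-1-2
 summary-address 5.5.0.0 255.255.0.0 level-2   ! installs 'i su 5.5.0.0/16 ... Null0' as the discard route
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip router isis
interface FastEthernet2
 ip address 10.1.34.4 255.255.255.0
 ip router isis
 isis circuit-type level-2-only
interface FastEthernet1
 ip address 10.1.45.4 255.255.255.0
 ip router isis
!
! ===== CE5: L1 only, area 49.0002 =====
router isis
 net 49.0002.0000.0000.0005.00
 is-type level-1
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
 ip router isis
interface FastEthernet1
 ip address 10.1.45.5 255.255.255.0
 ip router isis
!
! ===== verification =====
! show isis database level-1 detail       (ATT bit set on the CE3 / CE4 LSPs, source of i*L1 0.0.0.0/0)
! show ip route isis                      (L1, L2, ia and su codes as in the outputs above)
```

The Null0 discard route that the summary installs on CE4 is what stops a packet for an unused address inside 5.5.0.0/16 from following the L1 default back toward CE4 in a loop.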
OSPF (diagram): CE2, CE3 and CE4 in Area 0 with loopbacks 1.1.1.1/24, 2.2.2.2/24 and 3.3.3.3/24.
Tunneling and overlays & MPLS
MPLS TE
• static routing
• PBR
• Autoroute
 o the tunnel is included in the head end's SPF calculation but is not advertised into the IGP; other routers are unaware of the tunnel
 o default metric is the tail end IGP metric
 o relative/absolute metrics (OSPF): similar to E1/E2 externals
 o the LSP tail end is always routed through the tunnel
 o IGP+LSP load sharing is available for destinations behind the tail end
 o load sharing toward the tail end itself needs two LSPs
• Forwarding Adjacency
 o the tunnel is propagated into the IGP as a link
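As an added example, not from the cheat sheet: the two ways listed above of putting an MPLS TE tunnel into IGP forwarding, side by side. Tunnel numbers, the tail-end address 10.0.0.9, the OSPF process and the metric values are assumptions.

```cisco
! Added example; tunnel numbers, tail-end address and metrics are assumptions.
mpls traffic-eng tunnels
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
!
interface Tunnel1
 description autoroute: only this head end uses the tunnel in its SPF; other routers never see it
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.0.0.9
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng autoroute metric relative -2   ! tail-end IGP metric minus 2, E1-style offset
 tunnel mpls traffic-eng path-option 10 dynamic
!
interface Tunnel2
 description forwarding adjacency: advertised into OSPF as a link, so other routers can route over it
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.0.0.9
 tunnel mpls traffic-eng forwarding-adjacency holdtime 10000   ! keep the link up briefly across reoptimisation
 ip ospf cost 5                                               ! the cost the IGP advertises for this link
 tunnel mpls traffic-eng path-option 10 dynamic
! the tail end needs a matching forwarding-adjacency tunnel back to this router,
! otherwise the IGP never sees a bidirectional link and SPF ignores it
!
! verification
! show mpls traffic-eng tunnels brief
! show ip route | include Tunnel                         (autoroute: next hop is the tunnel)
! show ip ospf database router self-originate             (forwarding adjacency: tunnel listed as a link)
```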
Inter Area MPLS TE
Carrier Supporting Carrier (diagram notes):
• Chain: CE1 - PE1 - CSC-CE1 - CSC-PE1 - provider backbone - CSC-PE2 - CSC-CE2 - PE2 - CE2
• Outer VPN defined on the CSC-PEs; CE-PE route distribution between CSC-CE and CSC-PE carries IPv4 + labels on each side of the backbone
• The customer carrier's PE1 and PE2 run a multihop vpnv4 e/iBGP peering (MP-iBGP session) with next-hop-unchanged
RR
CSC PE configuration (outline):
router bgp 1
 neighbor <RR1> remote-as 1
 address-family vpnv4
  neighbor <RR1> activate
router <IGP>
 network <loopback>
 redistribute bgp 1
Label stack: Tag 1 (outer) from eBGP + send-label, or from IGP+LDP; Tag 2 (inner) is the VPN label.
MPLS TE QoS (diagram): DiffServ tunneling modes short pipe and pipe.
L2VPN
• H-VPLS
 o Full mesh of pseudowires between the N-PEs
 o PW between the user-facing PE (U-PE) and the network PE (N-PE)
 o Redundancy with STP or a backup PW between U-PE and N-PE
Operations
Troubleshooting high CPU Utilization
• Identify process
o show proc cpu sorted
o show log
• Causes
o ARP
o BGP
o Exec
o SNMP
o NAT
o TCAM full (catalyst 3550/..)
• IP Input
o show interfaces stats
o show interfaces
o show interfaces switching
QoS operation order
• Inbound
1. QoS Policy Propagation through Border Gateway Protocol (BGP) (QPPB)
2. Input common classification
3. Input ACLs
4. Input marking (class-based marking or Committed Access Rate (CAR))
5. Input policing (through a class-based policer or CAR)
6. IP Security (IPSec)
7. Cisco Express Forwarding (CEF) or Fast Switching
• Outbound
1. CEF or Fast Switching
2. Output common classification
3. Output ACLs
4. Output marking
5. Output policing (through a class-based policer or CAR)
6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)
Multipoint WAN QoS (diagram notes):
• Remote ingress shaping
 o 95% of line rate
• Egress shaping
 o 95% of the smallest (Frame Relay) bandwidth
QoS Models (diagram, mapping between the coarser and the finer class model):
• Voice / Voice
• Realtime Interactive, Interactive Video, Realtime / Multimedia Conferencing, Broadcast Video
• Streaming Video / Multimedia Streaming
• Network Management
• Critical Data / Transactional Data
• Bulk Data
Security
Internet Edge
Secure Operations
• Monitor Cisco Security Advisories and Responses
• Leverage Authentication, Authorization, and Accounting
• Centralize Log Collection and Monitoring
• Use Secure Protocols When Possible
• Gain Traffic Visibility with NetFlow
• Configuration Management
Data Plane
• General Data Plane Hardening
• Filtering Transit Traffic with Transit ACLs
• Anti-Spoofing Protections
• Limiting CPU Impact of Data Plane Traffic
• Traffic Identification and Traceback
• Access Control with VLAN Maps and Port Access Control Lists
• Using Private VLANs
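As an added example (not from the cheat sheet), the data-plane items above on one Internet-edge router: a transit ACL with anti-spoofing and bogon filtering, fragment dropping, an infrastructure section that exposes only BGP and a little ICMP, and uRPF in the mode each interface can tolerate. Interface names, ACL name and the address plan (192.0.2.0/24 infrastructure, 198.51.100.0/24 customer space, 203.0.113.0/30 upstream link with the peer at .1 and this router at .2) are assumptions.

```cisco
! Added example; interfaces, prefixes and the ACL name are assumptions.
no ip source-route                ! source-routed packets are not forwarded
ip options drop                   ! packets carrying IP options never reach the CPU
!
ip access-list extended TRANSIT-IN
 remark == anti-spoofing: our own space never arrives from the Internet ==
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 remark == private / special-use sources (bogons) ==
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark == non-initial fragments carry no L4 header and cannot be classified: drop ==
 deny   ip any any fragments
 remark == infrastructure: only what the edge itself needs ==
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 permit icmp any 203.0.113.0 0.0.0.3 echo
 permit icmp any 203.0.113.0 0.0.0.3 packet-too-big   ! PMTUD toward the link address
 deny   ip any 192.0.2.0 0.0.0.255                    ! core links and loopbacks invisible from outside
 deny   ip any 203.0.113.0 0.0.0.3
 remark == transit to customers ==
 permit ip any 198.51.100.0 0.0.0.255
 deny   ip any any log                                ! see what falls through; throttle with 'ip access-list logging interval'
!
interface GigabitEthernet0/0
 description upstream 203.0.113.1
 ip address 203.0.113.2 255.255.255.252
 ip access-group TRANSIT-IN in
 ip verify unicast source reachable-via any   ! loose uRPF: the source must exist in the FIB (upstream is asymmetric)
!
interface GigabitEthernet0/1
 description single-homed customer 198.51.100.0/24
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx    ! strict uRPF: the source must route back out this interface
!
! verification
! show ip access-lists TRANSIT-IN              (per-ACE hit counts; a busy 'deny ... log' line is worth a look)
! show ip interface GigabitEthernet0/1 | include verify
! show ip traffic | include RPF                (unicast RPF drops)
```

Strict uRPF belongs only on interfaces where routing is symmetric (a single-homed customer); on the upstream link it would drop legitimate traffic whenever the return path differs, which is why that side gets loose mode.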
Management Plane
• General Management Plane Hardening
 o password management
 o restrict protocols
 o use secure protocols
 o exec-timeout
 o event detection (memory and CPU thresholds)
• Limiting Access to the Network with Infrastructure ACLs
• Securing Interactive Management Sessions
• Using Authentication, Authorization, and Accounting
• Fortifying the Simple Network Management Protocol
• Logging Best Practices
• Cisco IOS Software Configuration Management
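As an added example, not from the cheat sheet: the management-plane list above applied to one IOS router, with SSH only, TACACS+ AAA with a local fallback, vty access restricted to the management network, SNMPv3 only, centralized logging, and CPU and memory threshold events. The management network 10.10.0.0/24, the TACACS+ server 10.10.0.5, the syslog host 10.10.0.20 and every value in angle brackets are placeholders and assumptions.

```cisco
! Added example; addresses and the values in <> are placeholders.
service password-encryption
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in                     ! reap dead management sessions
enable secret <enable-secret>                 ! never 'enable password'
no ip http server
no ip http secure-server                      ! no web UI at all
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no cdp run                                    ! re-enable per interface only where a neighbor needs it
!
login block-for 120 attempts 3 within 60      ! brute-force throttling on the vty lines
login on-failure log
!
ip domain-name example.net                    ! required before the key; then at the exec prompt:
!                                             !   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
aaa new-model
tacacs server TAC1
 address ipv4 10.10.0.5
 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <local-fallback-secret>   ! used only when TACACS+ is unreachable
!
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line con 0
 exec-timeout 10 0
 logging synchronous
line vty 0 4
 access-class MGMT-HOSTS in                   ! management sources only
 exec-timeout 10 0                            ! idle session dies after 10 minutes
 transport input ssh                          ! no telnet
 logging synchronous
!
logging buffered 64000 informational
logging host 10.10.0.20
logging source-interface Loopback0
logging trap informational
!
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user nms NMS-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
! no 'snmp-server community' lines at all: v1/v2c stay off
!
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
memory free low-watermark processor 100000   ! syslog when free processor memory drops below 100000 KB
!
! verification
! show ip ssh
! show running-config | section line vty     (access-class, exec-timeout, transport input)
! show aaa servers
! show snmp group
```

The local `username` is the one deliberate exception to "AAA for everything": it exists so that a TACACS+ outage does not lock the operators out, and because it is only consulted when the server group is unreachable, it is never exercised during normal logins.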
Control Plane
• General Control Plane Hardening
 o filter ICMP, fragments and source-routed packets; disable proxy ARP
• Limiting CPU Impact of Control Plane Traffic
 o filter fragments and non-IP traffic; rate-limit ICMP unreachables
• Securing BGP
• Securing Interior Gateway Protocols
• Securing First Hop Redundancy Protocols
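As an added example (not from the cheat sheet), the control-plane list above on one router: the per-interface hygiene, a CoPP policy that classifies and polices what may reach the CPU, and session protection for BGP, OSPF and HSRP. Local AS 64500, the upstream peer 203.0.113.1 in AS 64496 on link 203.0.113.0/30, the management network 10.10.0.0/24, the policer rates and the keys in angle brackets are assumptions.

```cisco
! Added example; AS numbers, addresses, rates and the keys in <> are assumptions.
no ip source-route                              ! source-routed packets are dropped
ip icmp rate-limit unreachable 1000             ! at most one ICMP unreachable per second; PMTUD keeps working
!
interface GigabitEthernet0/0
 description upstream
 no ip proxy-arp                                ! never answer ARP on behalf of other subnets
 no ip redirects
 no ip directed-broadcast
!
! ---- CoPP: classify what may reach the CPU, then police each class ----
ip access-list extended COPP-ROUTING
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit udp 10.10.0.0 0.0.0.255 any eq snmp
 permit udp host 10.10.0.20 eq ntp any eq ntp
ip access-list extended COPP-UNDESIRABLE
 permit ip any any fragments                    ! no L4 header: never a valid control packet
 permit tcp any any eq 23                       ! telnet is disabled; anyone sending it is probing
!
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-UNDESIRABLE                         ! first, so fragments cannot slip into the routing class
  police 8000 conform-action drop exceed-action drop
 class COPP-ROUTING
  police 2000000 conform-action transmit exceed-action transmit   ! count only; never starve adjacencies
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class class-default
  police 100000 conform-action transmit exceed-action drop        ! everything else; watch the counters before lowering
!
control-plane
 service-policy input COPP
!
! ---- session protection for BGP, OSPF and HSRP ----
router bgp 64500
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 password <bgp-key>        ! TCP MD5 signature on the session
 neighbor 203.0.113.1 ttl-security hops 1       ! GTSM: accept only TTL 255, i.e. a directly attached peer
 address-family ipv4
  neighbor 203.0.113.1 maximum-prefix 1000000 90   ! warn at 90%, tear down above the limit
!
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <ospf-key>
 standby 1 ip 198.51.100.1
 standby 1 authentication md5 key-string <hsrp-key>   ! unauthenticated HSRP lets any host claim the gateway
!
! verification
! show policy-map control-plane              (conformed / exceeded packets per class)
! show ip bgp neighbors 203.0.113.1          (TTL security and MD5 lines)
! show ip ospf interface GigabitEthernet0/1  (Message digest authentication enabled)
```

Class order inside the policy-map matters: an ACE with a port number matches a non-initial fragment on its layer-3 fields alone, so a fragmented packet aimed at the BGP port would land in the routing class and be transmitted unpoliced if the fragment class did not come first.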
Everyone wants to live on top of
the mountain, but all the
happiness and growth occurs
while you’re climbing it.