Month: September 2017

DMVPN

LAB III (DMVPN, mGRE, NHRP, EIGRP)

  • Point-to-multipoint layer 3 overlay VPN
  • Logical hub and spoke topology
  • Direct spoke-to-spoke communication is supported

DMVPN uses a combination of:

  • Multipoint GRE tunnels (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • IPsec Crypto Profiles
  • Routing

(more…)

VPN

  • Virtual Private Network
    • Route exchange privacy
    • Path determination for packets
    • Data Security
      • IPsec (IP Security)
    • Collection of standardized protocols that provide
      • Confidentiality
      • Integrity
      • Authentication
      • Anti-Replay

(more…)

NAT64

  • Transition technique designed to allow native IPv6 hosts to access IPv4-only content.
    • (Translation technique not a tunneling technique).
  • Primarily used to allow v6 hosts to initiate connections to IPv4 content.
    • Mechanisms do exist to allow the reverse.
  • Stateful and stateless versions.
    • stateful can use any prefix
    • stateless has restriction on prefix

NAT64 and DNS64 coexistence.

  1. IPv6 host sends AAAA DNS Query
  2. DNS64 server tries AAAA lookup and fails
  3. DNS64 server successfully resolves IPv4 address
  4. DNS64 server generates an AAAA DNS response of <IPv6 prefix:IPv4 address> and sends it back to the client.
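
The four steps above, as an added Python example that is not part of the original post: a DNS64 lookup over a constructed zone, with the <IPv6 prefix:IPv4 address> synthesis done per RFC 6052 and the reverse extraction a NAT64 device performs. The zone contents, the function names and the use of the well-known prefix 64:ff9b::/96 are assumptions made for illustration.

```python
# Added example: DNS64 answer synthesis with RFC 6052 address embedding.
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WKP = "64:ff9b::/96"  # RFC 6052 well-known prefix (assumed NAT64 prefix here)
# Constructed zone data using documentation addresses, not real DNS records.
ZONE = {
    "v4only.example": {"A": ["192.0.2.33"]},
    "dual.example": {"A": ["192.0.2.34"], "AAAA": ["2001:db8::34"]},
}

def embed(prefix, v4):
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2)."""
    net = IPv6Network(prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64, /96 only")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in IPv4Address(v4).packed:
        if pos == 8:  # bits 64-71 (octet "u") are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return IPv6Address(bytes(out))

def extract(prefix, v6):
    """Reverse of embed(): recover the IPv4 destination from a NAT64 address."""
    net = IPv6Network(prefix)
    addr = IPv6Address(v6)
    if addr not in net:
        raise ValueError("address is outside the NAT64 prefix")
    start = net.prefixlen // 8
    body = [b for i, b in enumerate(addr.packed) if i >= start and i != 8]
    return IPv4Address(bytes(body[:4]))

def dns64_query(name, prefix=WKP):
    """Return (AAAA answers, synthesized?) for a client's AAAA query."""
    records = ZONE.get(name, {})
    if records.get("AAAA"):  # a native AAAA exists: pass it through
        return [IPv6Address(a) for a in records["AAAA"]], False
    # AAAA lookup failed: resolve A records and synthesize AAAA answers
    synth = [embed(prefix, a) for a in records.get("A", [])]
    return synth, bool(synth)

if __name__ == "__main__":
    for host in ("v4only.example", "dual.example"):
        print(host, dns64_query(host))
```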

(more…)

IPv6 Tunnels

  • point-to-point tunnels
  • MCT (manually configured tunnel)
  • GRE (Generic Routing Encapsulation)
  • Virtual point-to-point between two IPv4 routers
  • IPv6 iGP routing protocols can run over these virtual links.

(more…)

IPv6 iGP redistribution

Similarities to IPv4

  • Redistribution takes routes from the IP routing table, not from the iGP databases.
  • Route maps can be used for filtering, metrics, route tags.
  • Administrative distance has not changed.
  • Options to prevent routing loops; Administrative distance, route tags, filtering.
  • Syntax is the same.

Differences to IPv4

  • Supported “match” commands in route-maps vary by iGP
    • OSPF/RIP cannot match on “route-type” with a route-map
      • EIGRP has no problems using “route-type”
    • Route-map matching IPv6 ACLs must have IPv6 prefix as source portion and “any” as destination of ACL.
  • IPv6 redistribute connected does not include interfaces running the iGP;
    • redistribute include-connected

IPv6 RIPng EIGRP OSPFv3

RIPng

  • UDP port number 521
  • No autosummarization for IPv6
  • Destination address FF02::9
  • Link-Local next-hops
  • Authentication relies on IPv6 AH/ESP
  • Enable it on the interface
    • ipv6 rip CCNP enable (on interface fa0/0)
  • No network command

EIGRP IPv6

  • EIGRP uses the neighbor’s link local address as the next-hop
  • Destination FF02::AA
  • Authentication relies on the IPv6 built-in authentication and privacy
  • IPv4 defaults to auto summarization, IPv6 doesn’t
    • ipv6 unicast-routing
    • ipv6 router eigrp 100
    • (config-if)#ipv6 eigrp 100
    • eigrp router-id RID

(more…)

BGP Path Attributes

“We Love Oranges AS Oranges Mean Pure Refreshment”

Path  Description
W     Weight (highest)
L     Local_pref (highest)
O     Originate (local)
AS    AS_PATH (shortest)
O     ORIGIN code (igp > egp > incomplete)
M     MED (lowest)
P     Paths (external > internal)
R     RID (lowest)

R1#sh ip bgp 40.40.40.0
*Mar  1 00:17:21.323: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip bgp 40.40.40.0
BGP routing table entry for 40.40.40.0/24, version 4
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  30
    3.3.3.2 from 3.3.3.2 (3.3.3.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
  20
    2.2.2.2 from 2.2.2.2 (20.20.20.1)
      Origin IGP, metric 0, localpref 100, valid, external

R1#sh ip bgp
BGP table version is 4, local router ID is 3.3.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    2.2.2.2                  0             0 20 i
*> 30.30.30.0/24    3.3.3.2                  0             0 30 i
*> 40.40.40.0/24    3.3.3.2                  0             0 30 i
*                   2.2.2.2                  0             0 20 i
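
As an added example (not from the original post), the Python below walks the eight steps of the mnemonic in order over the two paths to 40.40.40.0/24 from the output above and reports which step decides. It is a simplification: MED is compared unconditionally and tie-breakers the mnemonic leaves out are not modelled; the Path class, best_path function and PATHS_40 list are illustrative names.

```python
# Added example: step-by-step elimination in the order of the page's mnemonic.
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    next_hop: str
    router_id: str
    as_path: tuple
    origin: str = "igp"
    med: int = 0
    local_pref: int = 100
    weight: int = 0
    external: bool = True
    local: bool = False  # True if originated on this router

# (step name, key function); the lowest key wins at every step
STEPS = [
    ("W  weight (highest)", lambda p: -p.weight),
    ("L  local_pref (highest)", lambda p: -p.local_pref),
    ("O  originate (local)", lambda p: 0 if p.local else 1),
    ("AS AS_PATH (shortest)", lambda p: len(p.as_path)),
    ("O  origin code", lambda p: ORIGIN_RANK[p.origin]),
    ("M  MED (lowest)", lambda p: p.med),  # assumption: compared across ASes
    ("P  external over internal", lambda p: 0 if p.external else 1),
    ("R  router ID (lowest)", lambda p: int(IPv4Address(p.router_id))),
]

def best_path(paths):
    """Return (winning path, name of the last step that had to be evaluated)."""
    candidates, decided = list(paths), None
    for name, key in STEPS:
        if len(candidates) == 1:
            break
        top = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == top]
        decided = name
    return candidates[0], decided

# The two paths from "sh ip bgp 40.40.40.0" above (values read from the output)
PATHS_40 = [
    Path(next_hop="3.3.3.2", router_id="3.3.3.2", as_path=(30,)),
    Path(next_hop="2.2.2.2", router_id="20.20.20.1", as_path=(20,)),
]

if __name__ == "__main__":
    winner, step = best_path(PATHS_40)
    print(winner.next_hop, "selected at step:", step)
```

With the values from the output, every step ties until the last one, where router ID 3.3.3.2 is lower than 20.20.20.1, so the path through AS 30 is selected under this list.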

(more…)

BGP Filtering

  • BGP filtering can be done on any router
  • Filtering can be done inbound and outbound
  • After filtering is applied BGP neighbor must be reset or cleared for the filter to take effect
    • clear ip bgp 20.20.20.20 in/out  preferred
    • clear ip bgp *   (hard reset)
    • clear ip bgp 20.20.20.20 soft in/out

(more…)

BGP Next-hop & iBGP switching

sh ip bgp

R1#sh ip bgp
BGP table version is 6, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                                0 i
 r>  1.1.1.0/30       20.20.20.1               0             0 20 ?
 r>  20.20.20.0/24    20.20.20.1               0             0 20 ?
 *>  30.30.30.0/24    20.20.20.1               0             0 20 ?
 *>i 40.40.40.0/24    1.1.2.2                  0    100      0 i

(more…)

BGP Routing

Injecting routes into BGP.

  • Use the network command.
    • Different from the network command in an iGP; it isn’t used to activate interfaces or listen on them.
    • The BGP network command looks for the prefix in the routing table and originates that into the BGP table.
    • If no mask is defined, IOS assumes a classful network.
    • Classful route is added if:
      • the exact route is in the IP routing table
      • any subset of routes is in the routing table (only with auto-summary)
    • Create a Null0 route so the prefix is present in the routing table
      • ip route 30.30.30.0 255.255.255.0 null0

router bgp 20
 bgp log-neighbor-changes
 network 30.30.30.0 mask 255.255.255.0
 neighbor 10.10.10.1 remote-as 10
 neighbor 10.10.10.1 ebgp-multihop 255
 neighbor 10.10.10.1 update-source Loopback1

(more…)