my CCDE cheat sheets Philippe Jounin 2013


Page 1: my CCDE cheat sheets

my CCDE cheat sheets

Philippe Jounin 2013

Page 2: my CCDE cheat sheets

Section divider: Layer 2 (deck outline: L2, L3, Tunneling and overlays, Security, Operation)

Page 3: my CCDE cheat sheets

Layer 2 Design

Checklist (performance and stability / security)
• BPDU Guard, PortFast
• HSRP active & STP Root on the same switch
• Root Guard
• Loop Guard or Bridge Assurance
• Force access mode (disable DTP), choose VLAN ≠ 1
• Apply Port Security
• Modify VTP domain (or turn VTP off)
• Clear native VLAN
• Apply ACL filter on admin VLAN

802.1D Enhancements
• PortFast: enables immediate transition into forwarding state on edge ports
• UplinkFast: enables access switches to maintain backup paths to the root
• BackboneFast: enables immediate expiration of the Max Age timer

Spanning Tree Protection
• Root Guard: prevents a port from becoming the root port
• BPDU Guard: disables a port if a BPDU is received
• Loop Guard: prevents a blocked port from transitioning to listening (unidirectional link) after the Max Age timer
• BPDU Filtering: disables STP on a port
• Bridge Assurance: blocks a port if it receives no BPDU
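The checklist above turned into configuration, as an added example that is not part of the original deck: an access switch and its distribution switch on Catalyst-style IOS. Hostnames, interface numbers, VLANs 10/20/99/999 and the addresses are assumptions chosen for the example.

```cisco
! ---- Access switch (assumed hostname ACC1; user VLAN 10, admin VLAN 99) ----
! do not accept VTP changes pushed by a rogue switch
vtp mode transparent
spanning-tree mode rapid-pvst
! every PortFast port err-disables on a received BPDU; Loop Guard keeps blocked ports blocked when BPDUs stop
spanning-tree portfast bpduguard default
spanning-tree loopguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
! tag the native VLAN as well: no untagged frames cross the trunks
vlan dot1q tag native
!
interface range GigabitEthernet1/0/1 - 46
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 spanning-tree portfast
!
interface range GigabitEthernet1/0/47 - 48
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! ---- Distribution switch (assumed hostname DIST1): STP root and HSRP active on the same box ----
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,99 root primary
interface range GigabitEthernet1/0/1 - 24
 description downlink to access switches
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 spanning-tree guard root
!
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
! admin VLAN 99 may only be entered from the NOC jump hosts (assumed 10.50.0.0/24)
ip access-list extended TO-ADMIN-VLAN
 permit ip 10.50.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 deny ip any any log
interface Vlan99
 description admin VLAN
 ip address 10.99.0.2 255.255.255.0
 ip access-group TO-ADMIN-VLAN out
```

Access mode plus nonegotiate removes DTP, the unused native VLAN 999 with native tagging clears VLAN 1 from the trunks, and Root Guard sits on the distribution downlinks (facing away from the root), not on the access uplinks.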

Page 4: my CCDE cheat sheets

Layer 2 Design

Spanning Tree standardization
• DEC STP: pre-IEEE
• 802.1D: Classic STP
• 802.1t: 802.1D maintenance
• 802.1w: Rapid STP (RSTP)
• 802.1s: Multiple STP (MST)

Spanning Tree toolkit

The following enhancements to 802.1(D, s, w) comprise the Cisco Spanning-Tree toolkit:
• PortFast: lets the access port bypass the listening and learning phases
• UplinkFast: provides 3-to-5 second convergence after link failure
• BackboneFast: cuts convergence time by MaxAge for indirect failure
• Loop Guard: prevents the alternate or root port from being elected unless BPDUs are present
• Root Guard: prevents external switches from becoming the root
• BPDU Guard: disables a PortFast-enabled port if a BPDU is received
• BPDU Filter: prevents sending or receiving BPDUs on PortFast-enabled ports

Cisco has incorporated a number of these features into the following versions of STP:
• Per-VLAN Spanning Tree Plus (PVST+): provides a separate 802.1D spanning tree instance for each VLAN configured in the network. This includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
• Rapid PVST+: provides an instance of RSTP (802.1w) per VLAN. This includes PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.
• MST: provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. This includes PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.

Page 5: my CCDE cheat sheets

Access design STP or not STP

Page 6: my CCDE cheat sheets

L2 topologies

Page 7: my CCDE cheat sheets

Section divider: Layer 3 (deck outline: L2, L3, Tunneling and overlays, Security, Operation)

Page 8: my CCDE cheat sheets

Layer 3 Design

The network must be reliable and resilient

The network must be manageable

The network must be scalable

Page 9: my CCDE cheat sheets

Layer 3 Design

Triangle vs Square

Triangles: link/box failure does NOT require routing protocol convergence

Squares: link/box failure requires routing protocol convergence

Page 10: my CCDE cheat sheets

OSPF in a Campus / EIGRP in a Campus

OSPF
• Core in Area 0, access layer in Area 10 configured as ospf stub no-summary (totally stubby: a default route instead of summaries)
• The router goes up and may advertise the default route immediately (if a loopback is in area 0)

EIGRP
• Access layer configured as eigrp stub
• Queries from the Core get immediate replies; queries are not forwarded beyond the stub
• Summaries advertised toward the Core

Page 11: my CCDE cheat sheets

OSPF as PE-CE protocol / EIGRP as PE-CE protocol

OSPF
• Intra-area routes preferred
• Sham link: use the route with the lower cost
• Set the down bit (LSA 3) or the domain ID (LSA 5)
• Ignore routes with the down bit

EIGRP
• AS should be the same
• Metric/AS/SOO transported as communities
• Pre-best-path point of insertion
• SOO transported into EIGRP
• SOO on the PE: same SOO per site; SOO on the CEs: one SOO per CE

Page 12: my CCDE cheat sheets

OSPF

LSA types
• Type 1, Router Link LSA: routers, links and costs
• Type 2, Network Link LSA: initiated by the DR on multipoint networks (pseudonode)
• Type 3, Network Summary Link LSA: initiated by ABRs
• Type 4, ASBR Summary Link LSA: advertised so that the ASBR is reachable from other areas
• Type 5, External Link LSA: initiated from the ASBR, OSPF external routes advertisement
• Type 7, NSSA External LSA: initiated from an ASBR in an NSSA area, OSPF external routes advertisement

Area types
• Backbone (Area 0): all other areas have to be linked with it; accepts LSA 4 from other areas
• Standard: receives LSA 3 & 5, initiates LSA 3, 4 & 5 toward the backbone area
• Stub: receives type 3 LSAs and a default route (advertised as an LSA 3), initiates LSA 3
• Totally Stub: receives a default route as a type 3 LSA, initiates LSA 3
• NSSA: initiates type 7 LSAs, receives LSA 3; implicit default route for Totally NSSA

Summarization
• Inter-area routes are summarized on the ABR
• External routes are summarized on the ASBR
• NSSA-External routes can be summarized on the ASBR or the ABR

Page 13: my CCDE cheat sheets

OSPF Areas

Diagram: LSA types present per area type
• Standard area: type 1 & 2 inside Area 0 and inside the area; type 3, 4 and 5 cross the ABR, external routes arrive as type 5
• Stub area: type 1 & 2 inside Area 0 and inside the area; type 3 and a default route cross the ABR
• Totally stub area: type 1 & 2 inside Area 0 and inside the area; only a default route crosses the ABR

Page 14: my CCDE cheat sheets

OSPF Areas

Diagram: LSA types present per area type (continued)
• NSSA: type 1 & 2 inside Area 0 and inside the area; type 3 crosses the ABR; external routes enter as type 7 and leave toward Area 0 as type 5; default route
• Totally NSSA: type 1 & 2 inside Area 0 and inside the area; external routes enter as type 7 and leave toward Area 0 as type 5; only a default route crosses the ABR

Page 15: my CCDE cheat sheets

OSPF NBMA and partial mesh networks

Non-broadcast (unicast) option
• Configure the peers manually in unicast mode
• Set the DR priority to 0 on all partially meshed nodes

Broadcast option
• Set broadcast mode on all links
• Set the DR priority to 0 on all partially meshed nodes

Page 16: my CCDE cheat sheets

Troubleshooting adjacencies

• EIGRP
  o Same AS
  o Same primary IP subnet
  o Same metrics

• OSPF
  o Same area
  o Same area type
  o Same IP subnet and mask (not on point-to-point)
  o Same hello and dead interval
  o Same MTU

• IS-IS
  o Same area for L1 adjacencies
  o Different system ID
  o Same MTU
  o Same IP subnet
  o Same network/interface type (multipoint or point-to-point)

Page 17: my CCDE cheat sheets

IS-IS inter area

• L1/L2 routers set the attached bit if they are adjacent to L2 routers in another area. L1 routers receiving the attached bit generate a default route toward the advertising router and propagate it (transitive).

• Intra-area routes are preferred over inter-area routes even if the metric is greater

• L1 routes are advertised by L1/L2 routers to other L2 routers

• L1/L2 routers may be configured to leak L2 routes into the L1 domain

System ID best practice:
1. Add the implicit zeros to the main loopback IP: 192.168.1.24 becomes 192.168.001.024
2. Regroup it into XXXX.XXXX.XXXX format: 192.168.001.024 becomes 1921.6800.1024
3. Prefix 49.<4 bytes area> and append 00 as the NSEL: 1921.6800.1024 becomes 49.area.1921.6800.1024.00

Page 18: my CCDE cheat sheets

VPN backdoors

• Partial mesh of sham links: backbone preferred
• BGP backdoor: IGP (internal links) preferred over eBGP

Page 19: my CCDE cheat sheets

Outgoing traffic engineering with BGP

• AS path prepending
• MED
• communities
• selective advertisements (no backup)
• specific advertisements

Route Reflectors: follow the physical topology
• A session between an RR and a nonclient should not traverse a client
• A session between an RR and its client should not traverse a nonclient

Page 20: my CCDE cheat sheets

BGP confederations

Feature / Seen in the confederation
• Peering: partial-mesh peering between sub-autonomous systems; full-mesh peering within a sub-AS (or route reflectors)
• Communications between peers: iBGP is used within each sub-AS; cBGP is used between sub-autonomous systems, similar to eBGP but with the following differences: enhancement of the AS_Path attribute, change in the next-hop handling
• Additions to the BGP attributes: enhancements to the AS_Path attribute, adding the sub-AS IDs. This enhancement is not advertised to external autonomous systems.
• Preserved attributes: next-hop, local preference, MED
• Readvertising: a learned prefix is readvertised to other sub-autonomous systems if it is selected as best
• Communications with non-member BGP peers: if a member of the confederation is peering with a BGP peer located in another AS, the sub-AS numbers in the AS_Path attribute are suppressed and only the confederation number is passed within the AS_Path attribute
• Use of the multi-hop parameter: by default cBGP needs a directly connected interface

Page 21: my CCDE cheat sheets

Remotely triggered black hole / source-triggered black hole

Remotely triggered black hole (destination-based)
• Every edge router (CE) holds a static route 192.0.2.1/32 to Null0
• The NOC injects the attacked prefix 10.1.1.0/24 with next hop 192.0.2.1; traffic toward 10.1.1.0/24 is dropped at every edge

Source-triggered black hole
• Every edge router (CE) holds 192.0.2.1/32 to Null0 and runs loose uRPF
• The NOC injects the offending source prefix 192.168.1.0/24 with next hop 192.0.2.1; packets sourced from 192.168.1.0/24 fail the uRPF check and are dropped at every edge
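The two mechanisms of the slide as IOS configuration, an added example that is not part of the original deck. The discard next hop 192.0.2.1 and the prefixes 10.1.1.0/24 and 192.168.1.0/24 come from the slide; AS 65000, the loopback addresses, the tag value 666 and the interface name are assumptions.

```cisco
! ---- Trigger router at the NOC (assumed: AS 65000, iBGP to every edge router) ----
! 192.0.2.1 is the discard next hop from the slide; it is never assigned to a real host
ip route 192.0.2.1 255.255.255.255 Null0
!
! statics tagged 666 become BGP routes whose next hop is the discard address
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 neighbor 10.0.0.11 remote-as 65000
 neighbor 10.0.0.11 update-source Loopback0
 address-family ipv4
  neighbor 10.0.0.11 activate
  neighbor 10.0.0.11 send-community
  redistribute static route-map RTBH
!
! destination-based trigger: drop everything sent to the attacked range 10.1.1.0/24
ip route 10.1.1.0 255.255.255.0 Null0 tag 666
! source-based trigger: drop everything received from the offending range 192.168.1.0/24
ip route 192.168.1.0 255.255.255.0 Null0 tag 666
!
! ---- Every edge router (CE in the slide; assumed loopback 10.0.0.11, NOC loopback 10.0.0.1) ----
! same discard route: a BGP prefix with next hop 192.0.2.1 resolves to Null0
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 address-family ipv4
  neighbor 10.0.0.1 activate
!
interface GigabitEthernet0/0
 description Internet-facing link
 ip verify unicast source reachable-via any allow-default
! loose uRPF above: a packet whose source route points to Null0 is dropped, which is what
! makes the source-based trigger work (destination-based needs only the discard route);
! allow-default is required on a router that reaches the Internet through a default route,
! otherwise every Internet source would fail the loose check.
```

The no-export community keeps the black-hole routes inside the AS; removing a trigger is deleting the tagged static on the NOC router.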

Page 22: my CCDE cheat sheets

IPv6

Neighbor discovery messages (type, abbreviation, ICMPv6 type, description)
• Router Solicitation (RS), 133: sent by hosts to request an RA
• Router Advertisement (RA), 134: originated by routers to announce their existence
• Neighbor Solicitation (NS), 135: facilitates link-layer address resolution and duplicate address detection
• Neighbor Advertisement (NA), 136: response to an NS
• Redirect, 137: used by a router to inform a host of a better path out of the link

Page 23: my CCDE cheat sheets

IPv6 deployment scenarios

Comparison table (models: Dual Stack, Hybrid, Service Block; rows: transport, QoS, mCast, IGP, HA, hardware)
• Dual Stack: native IPv6 end to end; IPv6 hardware required, no per-user/per-application control
• Hybrid: ISATAP and manually configured tunnels; QoS marking at tunnel egress; IGP and HA with a single ISATAP with Anycast, no load balancing; the Core layer becomes the access layer for IPv6 tunnels
• Service Block: new IPv6 hardware; load balancing after the tunnels

Page 24: my CCDE cheat sheets

High Availability

• from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf

HA
• Router resiliency: reliable hardware (high MTBF), redundant components, Non Stop Routing
• Network resiliency: rapid failure detection, network design, quick convergence

Page 25: my CCDE cheat sheets

ISIS

Lab: Area 1 (CE2, CE3) and Area 2 (CE4, CE5). Links: CE2 Fast1 to CE3 Fast0 on 10.1.23.0/24, CE3 Fast2 to CE4 Fast2 on 10.1.34.0/24, CE4 Fast1 to CE5 Fast1 on 10.1.45.0/24. Loopbacks 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32, 5.5.5.5/32.

CE2 (Area 1, straightforward configuration)

    router isis
     net 49.0100.0000.0000.0002.00
     area-password IS-IS
     ! metric-style wide is required for the tag TLV
     metric-style wide
     log-adjacency-changes
    interface Loopback2
     ip address 2.2.2.2 255.255.255.255
     ip router isis
    interface FastEthernet1
     ip address 10.1.23.2 255.255.255.0
     ip router isis
     isis circuit-type level-1

CE3 (Area 1, L1/L2, leaking of tagged L2 routes into L1)

    router isis
     net 49.0100.0000.0000.0003.00
     area-password IS-IS
     metric-style wide
     log-adjacency-changes
     redistribute isis ip level-2 into level-1 route-map MatchTag5
    interface Loopback3
     ip address 3.3.3.3 255.255.255.255
     ip router isis
    interface FastEthernet0
     ip address 10.1.23.3 255.255.255.0
     ip router isis
     isis circuit-type level-1
    interface FastEthernet2
     ip address 10.1.34.3 255.255.255.0
     ip router isis

CE4 (Area 2, summarization + tagging)

    router isis
     net 49.0200.0000.0000.0004.00
     metric-style wide
     log-adjacency-changes
     summary-address 5.5.0.0 255.255.0.0 tag 5
    interface Loopback4
     ip address 4.4.4.4 255.255.255.255
     ip router isis
     isis tag 5
    interface FastEthernet1
     ip address 10.1.45.4 255.255.255.0
     ip router isis
     ! level-1 not configured
    interface FastEthernet2
     ip address 10.1.34.4 255.255.255.0
     ip router isis

CE5 (Area 2, straightforward configuration)

    router isis
     net 49.0200.0000.0000.0005.00
     metric-style wide
     log-adjacency-changes
    interface Loopback5
     ip address 5.5.5.5 255.255.255.255
     ip router isis
    interface FastEthernet1
     ip address 10.1.45.5 255.255.255.0
     ip router isis
     isis circuit-type level-1

Resulting routing tables

    CE2#sh ip route | i ^i
    i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
    i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
    i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
    i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
    i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

    CE3#sh ip route | in ^i
    i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
    i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
    i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
    i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

    CE4#sh ip route | in ^i
    i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
    i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
    i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
    i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
    i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1

    CE5#sh ip route | in ^i
    i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
    i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
    i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1

Page 26: my CCDE cheat sheets

OSPF

Lab: CE1 (lyo-maq-2611-01) runs RIP toward CE2 (lyo-maq-2611-02) over Fast1 10.1.12.0/24; CE2 redistributes RIP into OSPF Area 202 (NSSA) toward CE3 (lyo-maq-2811-03) over Fast2 10.1.23.0/24; CE3 is the ABR between Area 202 and Area 0, connected to CE4 over Fast3 10.1.34.0/24. CE1 loopbacks: 1.1.1.1/24, 2.2.2.2/24, 3.3.3.3/24.

CE1

    interface Loopback1111
     ip address 1.1.1.1 255.255.255.0
    interface Loopback2222
     ip address 2.2.2.2 255.255.255.0
    interface Loopback3333
     ip address 3.3.3.3 255.255.255.0
    router rip
     version 2
     redistribute connected route-map Loopbacks
     passive-interface default
     no passive-interface FastEthernet1
     network 10.0.0.0
     no auto-summary

CE2 (ASBR in the NSSA, summarizes on redistribution)

    router rip
     version 2
     timers basic 15 45 15 60
     passive-interface default
     network 10.0.0.0
     no auto-summary
    router ospf 1
     log-adjacency-changes
     area 202 nssa
     summary-address 3.0.0.0 255.0.0.0 not-advertise
     summary-address 2.2.0.0 255.255.0.0
     redistribute rip metric 123 metric-type 1 subnets
     network 10.1.23.0 0.0.0.255 area 202

CE3 (ABR, summarizes the NSSA externals toward Area 0)

    router ospf 1
     log-adjacency-changes
     area 202 nssa
     summary-address 10.0.0.0 255.0.0.0 not-advertise
     summary-address 1.0.0.0 255.0.0.0
     network 10.1.23.0 0.0.0.255 area 202
     network 10.1.34.0 0.0.0.255 area 0
    ! Remark:
    ! area 10 filter-list prefix FILTER out
    ! area 10 range 10.0.0.0 255.0.0.0 not-advertise
    ! Only for standard areas

CE4

    router ospf 1
     network 10.1.34.0 0.0.0.255 area 0

Resulting routing tables

    lyo-maq-2611-01#sh ip route | i ^C
    C 1.1.1.0 is connected, Loopback1111
    C 2.2.2.0 is connected, Loopback2222
    C 3.3.3.0 is connected, Loopback3333
    C 10.1.12.0/24 is connected, Fast1

    lyo-maq-2611-02#sh ip route | i ^R|^O
    R 1.1.1.0 [120/1] via 10.1.12.1, Fast1
    O 2.2.0.0/16 is a summary, Null0
    R 2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
    R 3.3.3.0 [120/1] via 10.1.12.1, Fast1
    O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2

    lyo-maq-2811-03#sh ip route | i ^O
    O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
    O 1.0.0.0/8 is a summary, Null0
    O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
    O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2

Routes seen on the Area 0 side:

    lyo-maq-2811-03#sh ip route | i ^O
    O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
    O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3

Page 27: my CCDE cheat sheets

Section divider: Tunneling & MPLS (deck outline: L2, L3, Tunneling and overlays, Security, Operation)

Page 28: my CCDE cheat sheets

MPLS TE

How to route a flow into a tunnel
• static routing
• PBR
• Autoroute
  o tunnel included in the SPF calculation, not in the IGP: other routers are unaware of the tunnel
  o default metric is the tail-end IGP metric
  o relative/absolute metrics, similar to OSPF E1/E2 externals
  o the LSP tail end is always routed through the tunnel
  o IGP+LSP load sharing available behind the tail end
  o tail-end load sharing needs 2 LSPs
• Forwarding Adjacency
  o tunnel propagated into the IGP

Page 29: my CCDE cheat sheets

Inter Area MPLS TE

Multi-domain LSP: each domain's core topology should be hidden
• per-domain static ERO (next-hop loose <IP Edge>…)
• CSPF stitching (CSPF calculation on each ASBR), then the ERO is extended to hide the core topology
• backward recursive path computation: a tree is created by the destination PE (<PE><ASBR n> = cost X) and extended by each domain
• Stitching: uses targeted signaling
• Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP; targeted signaling required

Page 30: my CCDE cheat sheets

Inter domain VPN with CSC - IGP

Topology: CE1 - PE1 - CSC-CE1 - CSC-PE1 - CSC-PE2 - CSC-CE2 - PE2 - CE2; the Provider (PE, CSC-CE) rides over the Backbone (CSC-PE).

• Backbone: MP-iBGP session between CSC-PE1 and CSC-PE2; outer VPN definition, CE-PE route distribution
• CSC-CE to CSC-PE: IGP + LDP (int e0/0: mpls ip), IPv4 + labels
• Provider: IGP + local loopback; IGP ipv4 to BGP redistribution into the ipv4 address-family of the inner vrf
• PE1 to PE2: vpnv4 multihop e/i-BGP peering with next-hop-unchanged; inner VPN definition and routing in vpnv4

Page 31: my CCDE cheat sheets

Inter domain VPN with CSC - eBGP

Same topology (CE1 - PE1 - CSC-CE1 - CSC-PE1 - CSC-PE2 - CSC-CE2 - PE2 - CE2), MP-iBGP session between CSC-PE1 and CSC-PE2, IPv4 + labels between CSC-CE and CSC-PE.

• CSC-CE to CSC-PE: eBGP with neighbor as-override and neighbor send-label; mpls ip not necessary
• Provider: IGP + local loopback; BGP neighbor send-label
• Backbone: outer VPN definition, CE-PE route distribution
• PE1 to PE2: vpnv4 multihop e/i-BGP peering with next-hop-unchanged; inner VPN definition and routing in vpnv4

Page 32: my CCDE cheat sheets

Inter domain VPN option B

ASBR configuration (AS 1 side):

    interface Ethernet1/0
     mpls bgp forwarding
    router bgp 1
     neighbor <ASBR2> remote-as 2
     neighbor <PEs> remote-as 1
     no bgp default route-target filter
     address-family vpnv4
      neighbor <PEs> activate
      neighbor <PEs> next-hop-self
      neighbor <ASBR2> activate
      neighbor <ASBR2> send-community extended

• One tag (label) allocated by the ASBR
• Option B1: next-hop-self method; Option B2: redistribute connected method
• eBGP: no route-target filtering; iBGP: next-hop-self

Page 33: my CCDE cheat sheets

Inter domain VPN option C – eBGP + send-label

RR (AS 1):

    router bgp 1
     neighbor <PEs> remote-as 1
     neighbor <RR2> remote-as 2
     neighbor <RR2> ebgp-multihop
     address-family vpnv4
      neighbor <PEs> activate
      neighbor <RR2> activate
      neighbor <RR2> next-hop-unchanged

ASBR (AS 1):

    interface Ethernet1/0
     mpls bgp forwarding
    router bgp 1
     neighbor <ASBR2> remote-as 2
     neighbor <RR1> remote-as 1
     address-family ipv4
      redistribute <IGP>
      neighbor <ASBR2> activate
      neighbor <ASBR2> send-label
     address-family vpnv4
      neighbor <RR1> activate
    router <IGP>
     network <loopback>
     redistribute bgp 1
    ! LDP toward the core

PE (AS 1):

    router bgp 1
     neighbor <RR1> remote-as 1
     address-family vpnv4
      neighbor <RR1> activate

Label stack: tag 1 is the transport label (eBGP + send-label, or IGP + LDP); tag 2 is the VPN label.

Page 34: my CCDE cheat sheets

MPLS TE QoS

• Uniform (mpls exp value set by the ISP)
• Short pipe
• Pipe

Page 35: my CCDE cheat sheets

L2VPN

• VPWS, Virtual Private Wire Service: point to point
  o L2 protocol translation (L2.5 VPN)
  o tLDP session
  o redundancy by nominal/backup sessions
• VPLS, Virtual Private LAN Service: point to multipoint
  o autodiscovery with BGP
  o for Cisco: VPLS = full mesh of pseudowires
• H-VPLS
  o full mesh between N-PEs
  o PW between the User PE and the Network PE
  o redundancy with STP or PW backup between U-PE and N-PE

Page 36: my CCDE cheat sheets

Section divider: Operations (Monitoring, Management, Performance; deck outline: L2, L3, Tunneling and overlays, Security, Operations)

Page 37: my CCDE cheat sheets

Troubleshooting high CPU utilization

• Identify the process
  o show proc cpu sorted
  o show log
• Causes
  o ARP
  o BGP
  o Exec
  o SNMP
  o NAT
  o TCAM full (Catalyst 3550/..)
• IP Input
  o show interfaces stats
  o show interfaces
  o show interfaces switching

Page 38: my CCDE cheat sheets

QoS operation order

• Inbound
  1. QoS Policy Propagation through Border Gateway Protocol (QPPB)
  2. Input common classification
  3. Input ACLs
  4. Input marking (class-based marking or Committed Access Rate (CAR))
  5. Input policing (through a class-based policer or CAR)
  6. IP Security (IPsec)
  7. Cisco Express Forwarding (CEF) or fast switching

• Outbound
  1. CEF or fast switching
  2. Output common classification
  3. Output ACLs
  4. Output marking
  5. Output policing (through a class-based policer or CAR)
  6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)) and Weighted Random Early Detection (WRED)

Page 39: my CCDE cheat sheets

Multipoint WAN QoS

• Remote ingress shaping
  o 95% of line rate
• FR (WAN) egress shaping: 95% of the smallest bandwidth

Page 40: my CCDE cheat sheets

QoS Models

12 Class model
• Voice
• Realtime Interactive
• Multimedia Conferencing
• Broadcast Video
• Multimedia Streaming
• Signaling
• Network Control
• Network Management
• Transactional Data
• Bulk Data
• Best Effort
• Scavenger

8 Class model
• Voice
• Interactive Video
• Streaming Video
• Signaling
• Network Control
• Critical Data
• Best Effort
• Scavenger

4 Class model
• Realtime
• Signaling / Control
• Critical Data
• Best Effort

Page 41: my CCDE cheat sheets

Section divider: Security (deck outline: L2, L3, Tunneling and overlays, Operation, Security)

Page 42: my CCDE cheat sheets

Internet Edge

• DMZ: public-facing services
• Private DMZ: internal services (DNS, collaboration, HTTP)
  o not vulnerable to outside attacks
• infrastructure ACLs

Page 43: my CCDE cheat sheets

Internet Edge

Secure Operations
• Monitor Cisco Security Advisories and Responses
• Leverage Authentication, Authorization, and Accounting
• Centralize Log Collection and Monitoring
• Use Secure Protocols When Possible
• Gain Traffic Visibility with NetFlow
• Configuration Management

Data Plane
• General Data Plane Hardening
• Filtering Transit Traffic with Transit ACLs
• Anti-Spoofing Protections
• Limiting CPU Impact of Data Plane Traffic
• Traffic Identification and Traceback
• Access Control with VLAN Maps and Port Access Control Lists
• Using Private VLANs

Page 44: my CCDE cheat sheets

Internet Edge

Management Plane
• General Management Plane Hardening
  o password management
  o restrict protocols
  o use secure protocols
  o exec-timeout
  o event detection (memory, CPU threshold)
• Limiting Access to the Network with Infrastructure ACLs
• Securing Interactive Management Sessions
• Using Authentication, Authorization, and Accounting
• Fortifying the Simple Network Management Protocol
• Logging Best Practices
• Cisco IOS Software Configuration Management

Control Plane
• General Control Plane Hardening
  o filter ICMP, fragments and source-routed packets; disable proxy ARP
• Limiting CPU Impact of Control Plane Traffic
  o filter fragments and non-IP traffic, rate-limit ICMP unreachables
• Securing BGP
• Securing Interior Gateway Protocols
• Securing First Hop Redundancy Protocols
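The management-plane and control-plane items above as a single IOS configuration, an added example that is not part of the original deck. The NOC subnet 10.99.0.0/24, the TACACS+ and syslog servers, the peering addresses 203.0.113.1/203.0.113.2 and the interface name are assumptions; the CHANGE-ME strings are placeholders.

```cisco
! ---- Management plane (assumed: TACACS+ 10.99.0.10, syslog 10.99.0.20, NOC 10.99.0.0/24) ----
service password-encryption
enable secret CHANGE-ME-BEFORE-DEPLOY
no ip http server
no ip http secure-server
! only the NOC subnet reaches the CLI, and only over SSH (run "crypto key generate rsa modulus 2048" first)
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny any log
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
! AAA against TACACS+ with local fallback; exec sessions and privileged commands are accounted
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs server TAC1
 address ipv4 10.99.0.10
 key CHANGE-ME-BEFORE-DEPLOY
! SNMPv3 only (authenticated and encrypted), restricted to the NOC subnet
snmp-server group NOC v3 priv access MGMT-HOSTS
snmp-server user noc NOC v3 auth sha CHANGE-ME priv aes 128 CHANGE-ME
! centralised logging plus CPU and memory event detection
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 10.99.0.20
logging trap informational
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
memory free low-watermark processor 100000
!
! ---- Control plane ----
no ip source-route
ip icmp rate-limit unreachable 1000
! infrastructure ACL on the Internet uplink (assumed peering address 203.0.113.1, eBGP neighbor 203.0.113.2)
ip access-list extended INFRA-ACL
 remark anti-spoofing: our own infrastructure space never arrives from outside
 deny ip 10.99.0.0 0.0.0.255 any
 remark non-initial fragments match L4 permits, so deny them before the BGP permit
 deny ip any 203.0.113.0 0.0.0.255 fragments
 deny ip any 10.99.0.0 0.0.0.255 fragments
 remark only the eBGP neighbor may talk BGP to the peering address
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 remark everything else aimed at infrastructure addresses is dropped
 deny ip any 203.0.113.0 0.0.0.255
 deny ip any 10.99.0.0 0.0.0.255
 remark transit traffic to customers continues
 permit ip any any
interface GigabitEthernet0/0
 description Internet uplink
 no ip proxy-arp
 no ip redirects
 ip access-group INFRA-ACL in
```

The order inside INFRA-ACL matters: the fragment denies sit before the BGP permits because a non-initial fragment carries no TCP header and would otherwise be accepted by the port-specific permit.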

Page 45: my CCDE cheat sheets

Everyone wants to live on top of the mountain, but all the happiness and growth occurs while you’re climbing it.