Wednesday, December 22, 2010

Cisco Design journey / Brief Notes

I started lately to go through some Cisco design topics; although I found it extremely boring for a conf t guy like me, it will be so helpful.

The Cisco Enterprise Architecture comprises the following six major functional areas (also called modules):

■ Enterprise Campus
■ Enterprise Edge
■ Service Provider
■ Enterprise Branch
■ Enterprise Data Center
■ Enterprise Teleworker

Tuesday, December 14, 2010

IPv6 Notes -Part2

IPv6 Address Autoconfiguration:

■ Stateful autoconfiguration: using DHCP.
■ Stateless autoconfiguration: using the EUI-64 process.
  - EUI-64:
    The EUI-64 standard expands the 48-bit MAC address into the 64-bit Interface ID by placing the hex value FFFE into the center of the MAC address. Finally, EUI-64 sets the universal/local bit, which is the 7th bit in the Interface ID field of the address, to indicate global scope.
    Here is an example. Given the IPv6 prefix 2001:128:1F:633 and a MAC address of 00:07:85:80:71:B8, the resulting EUI-64 address is 2001:128:1F:633:207:85FF:FE80:71B8/64.
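The EUI-64 steps above, worked through in Python as an added example (this is not code from the original notes or from Cisco): split the MAC in half, insert FFFE, flip the universal/local bit, and join the result to a /64 prefix. The prefix is passed in full network form (2001:128:1F:633::/64); that input format is an assumption of this code, not something the note specifies.

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Return the modified EUI-64 Interface ID (four hex groups) for a MAC address.

    Steps as described in the note: split the 48-bit MAC into two 24-bit halves,
    insert FF:FE between them, then invert the universal/local bit (bit 7 of the
    first byte, mask 0x02). For a normal vendor-assigned MAC that bit is 0, so
    inverting it sets it, as the note says.
    """
    clean = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytes.fromhex(clean)
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # 00:07:85 | FF:FE | 80:71:B8
    eui[0] ^= 0x02                                           # 00 -> 02
    # Pack the 8 bytes into 4 groups of 16 bits, without leading zeros (0207 -> 207).
    return ":".join(f"{eui[i] << 8 | eui[i + 1]:x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Combine a /64 prefix with the EUI-64 Interface ID into a full address.

    Assumption: `prefix` is written as a network, e.g. "2001:128:1F:633::/64".
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    high_groups = net.network_address.exploded.split(":")[:4]  # the 64-bit prefix
    return ipaddress.IPv6Interface(
        ":".join(high_groups) + ":" + eui64_interface_id(mac) + "/64"
    )


if __name__ == "__main__":
    # The note's own example: prefix 2001:128:1F:633 and MAC 00:07:85:80:71:B8.
    print(slaac_address("2001:128:1F:633::/64", "00:07:85:80:71:B8"))
    # The same MAC on the link-local prefix FE80::/64.
    print(slaac_address("fe80::/64", "00:07:85:80:71:B8"))
```

The Interface ID is derived from the MAC alone, so the same host gets the same lower 64 bits on every prefix it autoconfigures (its global and link-local addresses share them); that is why the link-local address on an interface reveals the MAC-derived part of its global address.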

ND Messages Types:

Router Advertisement (RA) : Routers advertise their presence and link prefixes, MTU, and hop limits.
Router Solicitation (RS) : Hosts query for the presence of routers on the link.
Neighbor Solicitation (NS) : Hosts query for other nodes’ link-layer addresses. Used for duplicate address detection and to verify neighbor reachability.
Neighbor Advertisement (NA) : Sent in response to NS messages and periodically to provide information to neighbors.

Monday, December 13, 2010

IPv6 Notes -Part1

- In IPv6, as in IPv4, unicast addresses have a two-level network:host hierarchy (known in IPv6 as the prefix and interface ID).

IPv6 address types:

  Unicast:
  • Aggregatable Global Addresses:
    begin with binary 001. This value can be written in prefix notation as 2000::/3, which means “all IPv6 addresses whose first 3 bits are equal to the first 3 bits of hex 2000.”

  • Link-Local Addresses:
    begin with FE80::/10. The Interface ID portion of the address is derived using the modified EUI-64 format.

  Multicast:
  IPv6 multicast addresses always begin with FF as the first octet in the address, or FF00::/8. The second octet specifies the lifetime and scope of the multicast group. Lifetime can be permanent or temporary. Scope can be any of the following:
  ■ Node
  ■ Link
  ■ Site
  ■ Organization
  ■ Global
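The address-type rules above (2000::/3, FE80::/10, FF00::/8, and the lifetime/scope nibbles of the multicast second octet), as an added classifier in Python; this is not code from the original notes. The numeric scope codes in MCAST_SCOPES come from RFC 4291 and are not listed on the page; the page only names the scopes.

```python
import ipaddress

# Scope values carried in the low nibble of a multicast address's second octet
# (RFC 4291). The notes list the scope names; the numeric codes are added here.
MCAST_SCOPES = {
    0x1: "node-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # first 3 bits 001
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
MULTICAST = ipaddress.IPv6Network("ff00::/8")        # first octet FF


def classify_ipv6(text: str) -> dict:
    """Classify one IPv6 address using the prefix rules from the notes."""
    addr = ipaddress.IPv6Address(text)
    exploded = addr.exploded                 # 8 groups of 4 hex digits, 39 chars
    second_octet = addr.packed[1]
    info = {"address": addr.compressed}
    if addr in MULTICAST:
        info["type"] = "multicast"
        flags, scope = second_octet >> 4, second_octet & 0xF
        # Low flag bit (T): 0 = permanent, well-known group; 1 = temporary.
        info["lifetime"] = "temporary" if flags & 0x1 else "permanent"
        info["scope"] = MCAST_SCOPES.get(scope, f"unassigned({scope:x})")
    elif addr in LINK_LOCAL:
        info["type"] = "link-local unicast"
        info["interface_id"] = exploded[20:]  # last 4 groups: the EUI-64 part
    elif addr in GLOBAL_UNICAST:
        info["type"] = "aggregatable global unicast"
        info["prefix"] = exploded[:19]        # first 4 groups: the /64 prefix
        info["interface_id"] = exploded[20:]
    else:
        info["type"] = "other"
    return info


if __name__ == "__main__":
    for sample in ("FF02::1", "FF15::abcd", "fe80::207:85ff:fe80:71b8",
                   "2001:128:1F:633:207:85FF:FE80:71B8", "::1"):
        print(classify_ipv6(sample))
```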

Sunday, December 12, 2010

Multicast Notes - Part3

  • IGMPv2 :

- Host Membership Query:
   sent by a multicast router on its LAN interfaces to determine whether any multicast group has a member on the interface.

- Host Membership Report:
   there are two types, both sent by hosts: Solicited, sent in response to a Query message, and Unsolicited, sent when a host joins a new group.

- Leave Group and Group-Specific Query Messages :
   In IGMPv2, when a host leaves a group, it sends an IGMPv2 Leave message. When an IGMPv2 router receives a Leave message, it immediately sends a Group-Specific Query for that group. The Group-Specific Query asks only whether any remaining hosts still want to receive packets for that single multicast group. As a result, the router quickly knows whether to continue to forward traffic for that multicast group.

  • IGMPv2 defines a querier election process that is used when multiple routers are connected to a subnet. The router with the lowest IP address on the subnet is elected as the IGMP querier.

Multicast Notes - Part2

Mapping IP Multicast Addresses to MAC Addresses:

01-00-5E (24 bits) + binary 0 (1 bit) + the last 23 bits of the multicast IP address = 48-bit MAC address. For example:

multicast IP address 228.10.24.5
  10 = 00001010, 24 = 00011000, 5 = 00000101
  last 23 bits = 0001010 . 00011000 . 00000101
  01-00-5E + 0 + 0001010 00011000 00000101
           = 01-00-5E + 0000 1010 0001 1000 0000 0101
           = 01-00-5E +   0    A    1    8    0    5

Final MAC address = 01-00-5E-0A-18-05

Unfortunately, this method does not provide a unique multicast MAC address for each multicast IP address, because only the last 23 bits of the IP address are mapped to the MAC address. In fact, because 5 bits from the IP address are always mapped to 0, 2^5 (32) different class D IP addresses produce exactly the same MAC address.
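The mapping and its 32-to-1 ambiguity, as an added Python example that is not part of the original notes: `multicast_mac` builds the MAC from the OUI 01-00-5E, a zero bit and the low 23 bits of the group address, and `colliding_groups` enumerates every class D address that lands on the same MAC by varying the 5 bits that are never mapped. Both function names are mine.

```python
import ipaddress

MCAST_OUI = bytes.fromhex("01005e")   # the fixed 24-bit multicast OUI
LOW_23_BITS = 0x7FFFFF                # mask keeping the last 23 bits of the IP


def multicast_mac(group: str) -> str:
    """Map a class D (224.0.0.0-239.255.255.255) address to its multicast MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D address")
    low23 = int(addr) & LOW_23_BITS
    # to_bytes(3) yields 24 bits; the top one is 0 because only 23 bits survived
    # the mask, which supplies the fixed 0 bit from the note.
    mac = MCAST_OUI + low23.to_bytes(3, "big")
    return "-".join(f"{b:02X}" for b in mac)


def colliding_groups(group: str) -> list[str]:
    """All 32 class D addresses that share a MAC with `group`.

    Bits 28-31 are fixed at 1110 (class D); bits 23-27 are the 5 bits the
    mapping discards, so every combination of them gives the same MAC.
    """
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    base = (0xE << 28) | low23
    return [str(ipaddress.IPv4Address(base | (free_bits << 23))) for free_bits in range(32)]


if __name__ == "__main__":
    print(multicast_mac("228.10.24.5"))          # the note's example
    for g in colliding_groups("228.10.24.5"):    # 224.10.24.5, 224.138.24.5, ...
        print(g, multicast_mac(g))
```

Because a switch or NIC filters on the MAC, a host that joined one of these 32 groups also receives frames for the other 31 at layer 2 and has to discard them in the IP stack; picking application group addresses that differ only in the first octet or in the high bit of the second octet is what makes that happen.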

Multicast Notes - Part1

1- Multicast Address Range and Structure :

- IANA has assigned class D IP addresses to multicast applications. The first 4 bits of the first octet of a class D address are always 1110, so IP multicast addresses range from 224.0.0.0 through 239.255.255.255.

- IANA has assigned several ranges of multicast IP addresses for specific purposes. Those types are as follows:

■ Permanent multicast groups, in the range 224.0.0.0–224.0.1.255
(divided into a local, "unrouted" part [224.0.0.1-224.0.0.255], used for example by routing protocol multicast IPs, and a "routed" part
 [224.0.1.0-224.0.1.255], which includes 224.0.1.39-40, used by Cisco Auto-RP).

■ Addresses used with Source-Specific Multicast (SSM), in the range 232.0.0.0–232.255.255.255
The purpose of these applications is to allow a host to select a source for the multicast
group. SSM makes multicast routing efficient, allows a host to select a better-quality source, and
helps network administrators minimize multicast denial-of-service (DoS) attacks.

■ GLOP addressing, in the range 233.0.0.0–233.255.255.255
It can be used by anyone who owns a registered autonomous system number (ASN) to create 256 global multicast addresses that are owned and used by that entity.
By using a value of 233 for the first octet, and by using the ASN for the second and third octets, a
single autonomous system can create globally unique multicast addresses as defined in the GLOP
addressing RFC. For example, the autonomous system using registered ASN 5663 could convert

Friday, December 10, 2010

Manual Summaries and the AS_PATH Path Attribute

The aggregate route must include the AS_PATH PA, just like it is required for every other NLRI
in the BGP table. However, to fully understand what this command does, you need to take a closer
look at the AS_PATH PA.
The AS_PATH PA consists of up to four different components, called segments, as follows:
■ AS_SEQ (short for AS Sequence)
■ AS_SET
■ AS_CONFED_SEQ (short for AS Confederation Sequence)
■ AS_CONFED_SET

The most commonly used segment is called AS_SEQ; it is what people usually mean by AS_PATH. However, the aggregate-address command can create a summary route for which the AS_SEQ
must be null. When the component subnets of the summary route have differing AS_SEQ values,
the router simply can’t create an accurate representation of AS_SEQ, so it uses a null AS_SEQ.
However, this action introduces the possibility of creating routing loops, because the contents of
AS_PATH, specifically AS_SEQ, are used so that when a router receives an update, it can ignore
prefixes for which its own ASN is listed.
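The loop risk described above, made concrete in Python as an added example (not code from the original notes or from any router vendor). Only the AS_SEQ and AS_SET segments are modelled: without `as_set` the summary gets a null AS_SEQ, as the text says; with `as_set` the ASNs common to the front of every component path are kept in AS_SEQ and all remaining ASNs go into an unordered AS_SET. That `as_set` behaviour is a simplified model of aggregation, an assumption of this code rather than a claim about any specific router's output, and the AS numbers in `loop_risk_demo` are constructed.

```python
def aggregate_as_path(component_paths, as_set=False):
    """AS_PATH of a summary route built from its component routes.

    component_paths: one AS_SEQ list per component subnet, nearest AS first.
    Without as_set the summary gets a null AS_SEQ and no AS_SET. With as_set
    (simplified model, see the lead-in) the common leading ASNs stay in AS_SEQ
    and every other ASN is collected, unordered, into an AS_SET.
    """
    seqs = [list(path) for path in component_paths]
    if not seqs:
        raise ValueError("a summary needs at least one component route")
    if not as_set:
        return {"AS_SEQ": [], "AS_SET": set()}
    common = []
    for asns_at_position in zip(*seqs):
        if len(set(asns_at_position)) != 1:
            break                       # paths diverge here
        common.append(asns_at_position[0])
    leftovers = {asn for seq in seqs for asn in seq[len(common):]}
    return {"AS_SEQ": common, "AS_SET": leftovers}


def accepts_update(local_asn, as_path):
    """Receiver-side loop check: a prefix is ignored when the router's own ASN
    appears anywhere in its AS_PATH, whether in AS_SEQ or in AS_SET."""
    listed = set(as_path["AS_SEQ"]) | set(as_path["AS_SET"])
    return local_asn not in listed


def loop_risk_demo():
    # Constructed scenario: two component subnets learned through different
    # AS paths; the summary is then advertised back towards a router in AS 100.
    components = [[100, 200], [300, 200]]
    null_seq = aggregate_as_path(components)
    with_set = aggregate_as_path(components, as_set=True)
    return {
        "null_as_seq": null_seq,
        "with_as_set": with_set,
        # AS 100 cannot see itself in a null AS_PATH, so it accepts a summary
        # that partly came through AS 100: this is the loop the note warns about.
        "as100_accepts_null": accepts_update(100, null_seq),
        # With the AS_SET present, AS 100 finds its own number and ignores it.
        "as100_accepts_with_set": accepts_update(100, with_set),
    }


if __name__ == "__main__":
    for key, value in loop_risk_demo().items():
        print(f"{key}: {value}")
```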

Thursday, December 9, 2010

IP prefix-list

That's a great topic from ccienotes.blogspot.com, and I always forget it, grrrrrrr :(
The ip prefix-list provides the most powerful prefix-based filtering mechanism.

Here is a quick little tutorial on Prefix-lists for you.

A normal access-list CANNOT check the subnet mask of a network. It can only check bits to make sure they match, nothing more. A prefix-list has an advantage over an access-list in that it CAN check BOTH bits and subnet mask - both would have to match for the network to be either permitted or denied.

For checking bits a prefix list ALWAYS goes from left to right and CANNOT skip any bits. A basic example would be this:

172.16.8.0/24

If there is only a / after the network (no le or ge) then the number after the / is BOTH bits checked and subnet mask. So in this case it will check the 24 bits from left to right (won't care about the last 8
bits) AND it will make sure that it has a 24 bit mask. BOTH the 24 bits checked and the 24 bit subnet mask must match for the network to be permitted or denied.

Now we can also do a range of subnet masks that could be permitted or denied:

172.16.8.0/24 ge 25

If we use either the le or ge (or both le and ge) after the /, then the number directly after the / becomes ONLY bits checked and the number after the ge or le (or both) is the subnet mask. So in this case we are still going to check the first 24 bits of the network from left to right. If those match we are then going to check the subnet mask, which in this case can be GREATER THAN OR EQUAL TO 25 bits - meaning that as long as the first 24 bits of the network match the subnet mask could be 25,26,27,28,29,30,31,or 32 bits. They would all match.

We can also do:

172.16.8.0/24 le 28

Again this will check the first 24 bits of the network to make sure that they match. Then it will check to make sure that the subnet mask is LESS THAN OR EQUAL TO 28 bits. Now this isn't going to be 28 bits down to 0 bits, the subnet mask can't be any lower than the bits we are checking. So the valid range of subnet masks for this one would be 28 bits down to 24 bits (24,25,26,27,and 28). All of those would match.

We can also do both ge and le:

172.16.8.0/24 ge 25 le 27

Here again we are checking the first 24 bits to make sure they match.
Then our subnet mask must be GREATER THAN OR EQUAL TO 25 bits AND LESS THAN OR EQUAL TO 27 bits. Meaning that 25, 26, and 27 bit subnet masks would match.
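The matching rules of the tutorial above, as an added Python model that is not part of the original post: `entry_matches` performs the two checks in order (the first N bits left to right, then the mask against the range that ge/le define, with the tutorial's rule that the mask can never be shorter than the bits checked), and `prefix_list_permits` walks an ordered list the way IOS does, first match wins and anything unmatched is denied. Function names and the ("permit"/"deny", entry) tuple format are mine.

```python
import ipaddress


def parse_entry(entry):
    """Split '172.16.8.0/24 ge 25 le 27' into (network, lowest mask, highest mask).

    The number after the slash is always the count of bits checked. Without
    ge/le it is also the only mask accepted; with ge/le the accepted masks are
    the range they give, bounded below by the bits checked and above by the
    address size (len <= ge <= le <= 32 for IPv4).
    """
    tokens = entry.split()
    if len(tokens) % 2 == 0:
        raise ValueError(f"keyword without a value in {entry!r}")
    base = ipaddress.ip_network(tokens[0], strict=False)
    ge = le = None
    for keyword, value in zip(tokens[1::2], tokens[2::2]):
        if keyword == "ge":
            ge = int(value)
        elif keyword == "le":
            le = int(value)
        else:
            raise ValueError(f"unknown keyword {keyword!r} in {entry!r}")
    bits_checked = base.prefixlen
    lowest = ge if ge is not None else bits_checked
    if le is not None:
        highest = le
    elif ge is not None:
        highest = base.max_prefixlen       # 'ge' alone runs up to a host route
    else:
        highest = bits_checked             # no ge/le: mask must equal bits checked
    if not bits_checked <= lowest <= highest <= base.max_prefixlen:
        raise ValueError(f"ge/le out of range in {entry!r}")
    return base, lowest, highest


def entry_matches(entry, candidate):
    """One prefix-list entry against one route: bits first, then the mask."""
    base, lowest, highest = parse_entry(entry)
    route = ipaddress.ip_network(candidate, strict=False)
    if route.version != base.version:
        return False
    # Step 1: the first bits_checked bits of the route must equal the entry's,
    # left to right with no skipping; the trailing bits are not looked at.
    if route.network_address not in base:
        return False
    # Step 2: the route's own mask length must fall inside the accepted range.
    return lowest <= route.prefixlen <= highest


def prefix_list_permits(entries, candidate):
    """Walk an ordered prefix-list of (action, entry) pairs. The first matching
    entry decides; a route that matches nothing is denied (the implicit deny)."""
    for action, entry in entries:
        if entry_matches(entry, candidate):
            return action == "permit"
    return False


if __name__ == "__main__":
    for entry in ("172.16.8.0/24", "172.16.8.0/24 ge 25",
                  "172.16.8.0/24 le 28", "172.16.8.0/24 ge 25 le 27"):
        masks = [n for n in range(24, 33) if entry_matches(entry, f"172.16.8.0/{n}")]
        print(f"{entry:28} matches masks {masks}")
```

Note that `0.0.0.0/0 le 32` matches every route (zero bits checked, any mask), whereas `0.0.0.0/0` alone matches only the default route; the difference is exactly the ge/le rule above, and confusing the two is a common way to let everything through a filter that was meant to pass nothing but the default.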

Summary: Solutions to Mutual Redistribution at Multiple Routers

Let's say that we have two routers doing mutual redistribution between RIP and OSPF. We can sometimes face suboptimal routing or routing loops, so there are some solutions we can apply in that case:

1- Preventing Suboptimal Routes by Setting the Administrative Distance:
    distance ospf external 180 on both routers, so that the RIP routes are preferred over the OSPF external routes.


2- Preventing Suboptimal Routes by Using Route Tags:
    router ospf 1
     redistribute rip subnets route-map tag-rip-9999
     network 10.1.15.1 0.0.0.0 area 0
     distribute-list route-map check-tag-9999 in
    !
    ! Clause 10, a deny clause, matches all routes tagged 9999, so those
    ! routes are filtered. Clause 20 permits all other routes, because with no match
    ! subcommand, the clause is considered to “match all.”
    route-map check-tag-9999 deny 10
     match tag 9999
    !
    route-map check-tag-9999 permit 20
    !
    ! tag-rip-9999 matches all routes (it has no match command), and then
    ! tags them all with tag 9999. This route-map is used only for routes taken from
    ! RIP into OSPF.
    route-map tag-rip-9999 permit 10
     set tag 9999


3- Using Metrics and Metric Types to Influence Redistributed Routes :

Wednesday, December 8, 2010

6 mind openers OSPF Notes

1- After two routers discover each other by receiving Hellos from the other router, the routers
perform the following parameter checks based on the received Hellos:
■ Must pass the authentication process
■ Must be in the same primary subnet, including same subnet mask
■ Must be in the same OSPF area
■ Must be of the same area type (stub, NSSA, and so on)
■ Must not have duplicate RIDs
■ OSPF Hello and Dead timers must be equal
■ MTU must be equal for the DD packets to be successfully sent between neighbors, but this parameter check is technically not part of the Hello process.

2- Mixing & Matching Different OSPF Network Types:

Here is a quick list of which combinations will work:
Broadcast to Broadcast
Non-Broadcast to Non-Broadcast
Point-to-Point to Point-to-Point
Point-to-Multipoint to Point-to-Multipoint
Broadcast to Non-Broadcast (adjust hello/dead timers)
Point-to-Point to Point-to-Multipoint (adjust hello/dead timers)

Sunday, December 5, 2010

Frame Relay interface types

That's an awesome piece of explanation I borrowed from Marco Rizzi's blog, and really it's very helpful.


There are several interface types on Frame Relay, according to how you configure your serial interface and what you want to achieve:

1) physical interface
2) subinterface multipoint
3) subinterface point-to-point

Let's talk about each type..

1) Physical interfaces
- are treated as multipoint
- all DLCIs learned via LMI are assigned to the physical interface
From a L3 point of view, all the neighbors are expected to be in the same subnet, and you can use a static L3-to-L2 mapping or Inverse ARP, as previously seen.
Note also that by default, on Frame Relay physical interfaces SPLIT HORIZON is disabled, which is useful for solving distance-vector routing protocol issues.

NAT: Local and Global Definitions

Term Definitions

Cisco defines these terms as:
  • Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
  • Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
  • Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
  • Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
These definitions still leave a lot to be interpreted. For this example, this document redefines these terms by first defining local address and global address. Keep in mind that the terms inside and outside are NAT definitions. Interfaces on a NAT router are defined as inside or outside with the NAT configuration commands, ip nat inside and ip nat outside. Networks to which these interfaces connect can then be thought of as inside networks or outside networks, respectively.

Saturday, December 4, 2010

Storing VLAN Configuration

Catalyst IOS stores VLAN and VTP configuration in one of two places—either in a Flash file
called vlan.dat or in the running configuration. (Remember that the term “Catalyst IOS” refers to
a switch that uses IOS, not the Catalyst OS, which is often called CatOS.) IOS chooses the storage
location in part based on the VTP mode, and in part based on whether the VLANs are normal range
VLANs or extended-range VLANs. Table 2-6 describes what happens based on what
configuration mode is used to configure the VLANs, the VTP mode, and the VLAN range. (Note
that VTP clients also store the VLAN configuration in vlan.dat, and they do not understand extended-range VLANs.)