Routing + Switching
Loopguard
Loop Guard comes into action only when the BPDUs a port was receiving suddenly stop arriving.
It is incompatible with Root Guard.
Root Guard can only be configured per interface, but Loop Guard can be configured both globally and per interface.
Loop Guard enabled ports may still send BPDUs.
What does it do?
Non-designated ports cannot transition to designated ports.
Only superior BPDUs are considered.
Let's look at the image below.
If we disable Spanning Tree on Switch2, then the superior BPDU from Switch1's port Gi0/1 will reach F0/20 of Switch3.
Now the two ports of Switch3 will change their roles, i.e. F0/22 will be blocked and F0/20 will become the root port.
If we enable BPDU Filter on F0/20 of Switch2, it will filter the BPDUs going towards Switch3, and thus we can simulate the sudden loss of BPDUs that Loop Guard reacts to.
Switch(config)# interface f0/20
Switch(config-if)# spanning-tree guard loop
We need to wait for the Forward Delay timer to expire, and then Loop Guard will block the port.
To check whether Loop Guard has been enabled or not:
Switch# show spanning-tree interface f0/20 detail
Bpduguard & Bpdufilter
Both can be configured globally (PortFast must be enabled) as well as on a per-interface basis.
BPDU Guard: if the port receives a BPDU, the port is put into err-disabled state.
Global configuration -- PortFast must be enabled.
Switch(config)# spanning-tree portfast bpduguard default
Interface configuration -- PortFast is not required.
Switch(config-if)# spanning-tree bpduguard enable
BPDU Filter:
Global configuration -- PortFast must be enabled.
Switch(config)# spanning-tree portfast bpdufilter default
If the port receives a BPDU, it simply loses its PortFast status.
Interface configuration -- PortFast is not required.
Switch(config-if)# spanning-tree bpdufilter enable
If a BPDU is received on the port, it is simply ignored, which can create a loop.
Broadcast & Collision Domain
Collision Domain –
A Collision Domain is a scenario in which when a device sends out a message to the network, all other devices which are included in its collision domain have to pay attention to it, no matter if it was destined for them or not.
Broadcast Domain –
A Broadcast Domain is a scenario in which when a device sends out a broadcast message, all the devices present in its broadcast domain have to pay attention to it.
All the devices connected to a hub are in a single collision and single broadcast domain.
Every port on a switch is in a different collision domain, i.e. a switch is a collision domain separator. All the ports on the switch are still in a single broadcast domain.
Each port of a router is its own broadcast domain as well as its own collision domain, i.e. a router separates both.
TCP 3-way handshake
TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these four flags is performed in three steps—SYN, SYN-ACK, and ACK.
PVSTP
STP/RSTP - 802.1d
Per-VLAN STP was developed because if all VLANs are assigned to one instance, as in STP, then the redundant links are blocked for every VLAN and no traffic flows through them.
BPDU & root port election process
Bridge Protocol Data Units (BPDUs) are frames that contain information about the spanning tree protocol (STP).
During the root election BPDUs are sent by all switches, but after the root switch is elected they are sent only by the root switch.
Default Root Bridge Priority is 32768
What is the difference between a root port, a designated port and a non-designated port?
Root port: lowest cost to the root.
Designated port: lowest advertised cost to the root on the segment.
Non-designated/blocking port: higher advertised cost to the root on the segment than the designated port.
Default port costs are as follows:
10 Mbps: 100
100 Mbps: 19
1Gbps: 4
10 Gbps: 2
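The election rules above can be run as code. The following is an added example, not part of the original notes: it takes a constructed three-switch topology with the default port costs listed above, elects the root bridge by lowest (priority, MAC), computes each switch's root path cost, and assigns root, designated and non-designated roles per segment using the same tie-breaks STP uses (lower root path cost, then lower sender bridge ID). The switch names and MAC addresses are invented sample data.

```python
import heapq

# Default STP port costs from the notes above: link speed in Mbps -> cost.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID as STP compares it: priority first, then the MAC address (lower wins)."""
    return (priority, mac.lower())


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. The switch with the lowest bridge ID becomes root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def compute_stp(bridges, links):
    """Run the STP selection over a topology.

    links: list of (switch_a, switch_b, speed_mbps), one entry per segment.
    Returns (root, root_path_cost, port_roles) where port_roles maps
    (switch, neighbour) -> "root" | "designated" | "non-designated".
    """
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for a, b, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))

    # Root path cost: shortest-path search from the root. Ties on cost are broken
    # by the lower sender bridge ID, which is the STP tie-break for the root port.
    best = {root: (0, None, None)}  # switch -> (root path cost, upstream BID, upstream switch)
    pq = [(0, bridge_id(*bridges[root]), root)]
    while pq:
        cost, _, u = heapq.heappop(pq)
        if cost > best[u][0]:
            continue
        for v, link_cost in adj[u]:
            cand = (cost + link_cost, bridge_id(*bridges[u]), u)
            if v not in best or cand[:2] < best[v][:2]:
                best[v] = cand
                heapq.heappush(pq, (cand[0], cand[1], v))

    roles = {}
    for a, b, _ in links:
        if best[b][2] == a:            # a is b's upstream: b's port is root, a's is designated
            roles[(b, a)], roles[(a, b)] = "root", "designated"
        elif best[a][2] == b:
            roles[(a, b)], roles[(b, a)] = "root", "designated"
        else:
            # Neither side uses this segment towards the root: the switch advertising
            # the lower (root path cost, bridge ID) owns the designated port, the
            # other side's port is non-designated (blocking).
            adv_a = (best[a][0], bridge_id(*bridges[a]))
            adv_b = (best[b][0], bridge_id(*bridges[b]))
            if adv_a < adv_b:
                roles[(a, b)], roles[(b, a)] = "designated", "non-designated"
            else:
                roles[(a, b)], roles[(b, a)] = "non-designated", "designated"

    root_cost = {name: best[name][0] for name in bridges}
    return root, root_cost, roles


# Constructed sample topology (not from the notes): three switches, equal default priority.
SAMPLE_BRIDGES = {
    "SW1": (32768, "0000.0000.00aa"),
    "SW2": (32768, "0000.0000.00bb"),
    "SW3": (32768, "0000.0000.00cc"),
}
SAMPLE_LINKS = [("SW1", "SW2", 1000), ("SW1", "SW3", 100), ("SW2", "SW3", 100)]

if __name__ == "__main__":
    root, cost, roles = compute_stp(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    for sw in SAMPLE_BRIDGES:
        print(sw, "root path cost", cost[sw])
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port towards {nb}: {role}")
```

With equal priorities the lowest MAC (SW1) wins; SW3 reaches the root more cheaply over its direct 100 Mbps link (19) than via SW2 (4 + 19), and on the SW2-SW3 segment SW2 advertises the lower cost, so SW3's port towards SW2 is the one blocked. Lowering SW3's priority to 4096 moves the root, which is what an unexpected superior BPDU from an unmanaged device does in practice.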
Unidirectional Link Detection (UDLD)
Unidirectional Link Detection (UDLD) is a Cisco proprietary layer 2 protocol used to determine the physical status of a link. The purpose of Unidirectional Link Detection (UDLD) is to detect and deter issues that arise from Unidirectional Links. UDLD helps to prevent forwarding loops and blackholing of traffic by identifying and acting on logical one-way links that would otherwise go undetected.
Unidirectional links are more common with fiber, but may also happen with copper.
Imagine that you have a dual-core fiber run between two buildings. Somewhere along the run, one of the cores gets damaged. This may leave you in a position where you have a uni-directional link. You have enough of a link to send in one direction, but not the other.
SW-1(config)#interface GigabitEthernet 0/1
SW-1(config-if)#udld port
SW-2(config)#interface GigabitEthernet 0/1
SW-2(config-if)#udld port aggressive
! Alternatively, use 'udld enable' or 'udld aggressive' to enable it globally.
Sub-layers of Data Link Layer:
The data link layer is further divided into two sub-layers, which are as follows:
Logical Link Control (LLC):
This sublayer of the data link layer deals with multiplexing and with the flow of data among applications and other services; LLC is responsible for providing error messages and acknowledgments as well.
Media Access Control (MAC):
The MAC sublayer manages the device's interaction with the medium: it is responsible for addressing frames and also controls access to the physical media.
The data link layer receives information in the form of packets from the network layer, divides the packets into frames and sends those frames bit by bit to the underlying physical layer.
Stuck In Active - EIGRP
The protocol used by EIGRP to establish communication between EIGRP-speaking routers is the Reliable Transport Protocol (RTP), a Cisco protocol.
EIGRP is a reliable protocol: for each query a router sends to its neighbors it must get a reply within 3 minutes. If the router does not receive a reply to ALL its outstanding queries, it puts the route in SIA (Stuck in Active) state and kills the neighbor adjacency. By dropping the neighbor adjacency you lose all the routes learned from that neighbor, which means the router starts sending queries for all those routes as well.
Common causes of SIAs
1) The router has high CPU usage or memory problems, which result in the router being too busy to respond, or unable to allocate enough memory to process the query or build the reply packet.
2) A bad link between the routers, which passes just enough traffic to keep the adjacency up and receive packets, but loses some packets, so that some queries and replies are lost.
3) A unidirectional link, which results in traffic only flowing in one direction.
To solve this problem, two methods are used:
a) Route summarization
b) EIGRP stub
From IOS version 12.1, Cisco introduced a feature called Active Process Enhancement.
After 90 seconds, if the router did not get a reply from its neighbour, it sends a Stuck in Active (SIA) query; if it gets a Stuck in Reply (SIR), it assumes there is nothing wrong with the neighbour and does not reset the neighborship.
To disable the stuck-in-active timer, the following command is used:
Router(config-router)# timers active-time disabled
IP SLA
IP SLA (Service Level Agreement monitor) is commonly used for performance statistics like delay, jitter or packet loss in SP and enterprise environments. However, here you can see an example of achieving WAN redundancy the easy way (i.e. without implementing a dynamic routing protocol) using IP SLA.
Define the ip SLA, protocol type, destination and source:
Router(config)#ip sla 1
Router(config-ip-sla)#icmp-echo 10.10.10.1 source-interface FastEthernet1/0
Probing parameters:
Router(config-ip-sla-echo)#timeout 2000
Router(config-ip-sla-echo)#frequency 5
Router(config-ip-sla-echo)#threshold 250
Run the probing:
Router(config)#ip sla schedule 1 start-time now life forever
Define tracking that will result with TRUE or FALSE depending on IP SLA status:
Router(config)#track 10 ip sla 1 reachability
Binding the track to static route:
Router(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 10
Configuring the alternate route, used in case the primary is removed by the track result:
Router(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2 5
The "track" keyword next to a particular route determines that route's presence in the routing table. If there is no echo response according to the given parameters (IP SLA), the track object takes the FALSE value and the route is removed from the routing table, leaving the remaining static route that uses the other next hop, thus assuring redundancy.
MTU, MSS & Window Size
MSS (maximum segment size) is like the MTU, but used with TCP at layer 4.
MSS is the maximum size that the payload can be, after subtracting space for the IP, TCP, and other headers. So, if the MTU (Maximum Transmission Unit) is 1500 bytes, and the IP and TCP headers are 20 bytes each, the MSS is 1460 bytes.
Window Size
Not all hosts can send or receive as fast as each other due to various reasons like OS, network bandwidth, network adapter etc.
The window size is a number that specifies how much data can be received at a time.
This number is sent with each TCP segment acknowledgement from the receiver. It tells how much data can be sent before waiting for acknowledgement.
TCP Flags
"FLAGS" are TCP segment used to determine what is going on in a given segment, or to tell what kind of control segment is being sent.
The "FLAG" fields are 1-bit fields [0 or 1 / Off or on] that set various conditions.
Flags can be set individually or in combination with each other. It can be used in packet analysis to determine the state of the communication at a given moment or to trace a session from beginning to end. It can also be used for malicious attacks.
There are 8 TCP Flags out of which 6 are commonly used.
SYN: used to synchronize communications
ACK: used as acknowledge a segment
FIN: used to indicate end of communication
URG: used to indicate that a particular segment should take priority over other segments and should be processed first
PUSH: sent by sending computer to indicate flushing the TCP buffer.
RST: sent to reset the connection
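To tie the flag list to the three-way handshake described earlier, here is an added example (not from the original notes) that packs and decodes the flag bits of a raw 20-byte TCP header, checks that three decoded segments really form SYN, SYN-ACK, ACK with consistent sequence and acknowledgement numbers, and flags combinations that no conforming stack produces, which is the kind of check an IDS rule applies. The ports and initial sequence numbers in the sample exchange are invented.

```python
import struct

# Flag bits of the TCP header (RFC 793, with ECE/CWR from RFC 3168): name -> bit mask.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left zero) for the sample exchange."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | bits          # data offset 5 words = 20 bytes, reserved/NS bits zero
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed TCP header and return ports, numbers and the list of set flag names."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src_port, dst_port, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", raw[:16])
    bits = offset_flags & 0xFF
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "window": window, "data_offset": (offset_flags >> 12) * 4,
        "flags": [name for name, mask in TCP_FLAGS.items() if bits & mask],
    }


def illegal_flag_combination(flags):
    """Combinations no conforming stack produces; seeing them in traffic is worth an alert."""
    s = set(flags)
    if not s:
        return "no flags set"
    if {"SYN", "FIN"} <= s:
        return "SYN and FIN set together"
    if {"SYN", "RST"} <= s:
        return "SYN and RST set together"
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        return "FIN+PSH+URG without ACK"
    return None


def is_three_way_handshake(segments):
    """True when three decoded segments form SYN, SYN-ACK, ACK with consistent seq/ack numbers."""
    if len(segments) != 3:
        return False
    syn, synack, ack = segments
    wrap = 0xFFFFFFFF
    if set(syn["flags"]) != {"SYN"}:
        return False
    if set(synack["flags"]) != {"SYN", "ACK"} or synack["ack"] != (syn["seq"] + 1) & wrap:
        return False
    if (synack["src_port"], synack["dst_port"]) != (syn["dst_port"], syn["src_port"]):
        return False
    if set(ack["flags"]) != {"ACK"}:
        return False
    if ack["seq"] != (syn["seq"] + 1) & wrap or ack["ack"] != (synack["seq"] + 1) & wrap:
        return False
    return (ack["src_port"], ack["dst_port"]) == (syn["src_port"], syn["dst_port"])


# Constructed sample exchange: client port 40000 -> server port 443, ISNs chosen by hand.
SAMPLE_HANDSHAKE = [
    build_tcp_header(40000, 443, 1000, 0, ["SYN"]),
    build_tcp_header(443, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(40000, 443, 1001, 5001, ["ACK"]),
]

if __name__ == "__main__":
    decoded = [parse_tcp_header(raw) for raw in SAMPLE_HANDSHAKE]
    for seg in decoded:
        print(seg["src_port"], "->", seg["dst_port"], seg["flags"], "seq", seg["seq"], "ack", seg["ack"])
    print("valid handshake:", is_three_way_handshake(decoded))
```

The acknowledgement number in each reply must be the peer's sequence number plus one, which is why a SYN-ACK that acknowledges the wrong number is rejected by the check.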
SPAN & RSPAN
Source port: the switch port connected to the device that has to be monitored.
Destination port: the switch port connected to the protocol analyzer.
SPAN: when the same switch has both the source port and the destination port.
Switch(config)# monitor session 1 source interface fa0/1-3
Switch(config)# monitor session 1 destination interface fa0/10
RSPAN: when the destination port is on a different switch.
You need to define the VLAN that will carry the SPAN traffic.
Switch1(config)# vlan 30
Switch1(config-vlan)# remote-span
Switch2(config)# vlan 30
Switch2(config-vlan)# remote-span
Switch1(config)# monitor session 1 source interface fa0/1-3
Switch1(config)# monitor session 1 destination remote vlan 30 reflector-port fa0/12
Switch2(config)# monitor session 1 source remote vlan 30
Switch2(config)# monitor session 1 destination interface fa0/10
Important points:
If there were intermediate switches, they would all need to be RSPAN capable.
VTP treats the RSPAN VLAN like any other VLAN.
MAC address learning is disabled for the RSPAN VLAN.
A source port can be monitored in multiple simultaneous SPAN sessions.
A source port can be part of an EtherChannel.
Routing Path Manipulation
1) Policy Based Routing
Step 1: Define the access list.
R1(config)# ip access-list extended NEXTHOPSELF
R1(config-ext-nacl)# permit ip any 4.4.4.0 0.0.0.255
Step 2: Call the access list in a route map.
R1(config)# route-map PBR permit 10
R1(config-route-map)# match ip address NEXTHOPSELF
R1(config-route-map)# set ip next-hop 192.168.1.1
Step 3: Apply the route map to the interface.
R1(config)# interface fa0/0
R1(config-if)# ip policy route-map PBR
Note: PBR applied to an interface affects only transit traffic passing through the router; if you want to apply PBR to traffic originating from the router itself, use the command below.
R1(config)# ip local policy route-map PBR
2) Resolving suboptimal routing or routing loops.
A) If the issue is between routing protocols, change the AD value.
B) If the issue is within a routing protocol, change the metric.
Note: Never redistribute routing information back into the routing protocol it originated from. To achieve this, use route tags.
SEED METRIC
Seed metric has an important role to play during the route redistribution. When a router performs the route redistribution, it must assign a metric to the redistributed routes.
Example: if a boundary router receives a RIP route, the route has a hop count as its metric; suppose this route has to be redistributed into OSPF. The boundary router must translate the hop count into a cost metric that the other OSPF routers will understand. This metric is referred to as the seed or default metric.
EIGRP and RIP will not redistribute other protocols unless the initial metric is set manually.
EIGRP and RIP routes redistributed into OSPF without a metric get the default metric of cost 20.
BGP routes redistributed into OSPF without a metric get the default metric of cost 1.
Router on Stick
A router on a stick is one of the ways to allow routing between VLANs. That kind of setup consists of a router and a switch connected through one Ethernet link configured as an 802.1q trunk link.
Suppose we have a network of two computers in different VLANs. We have VLAN 10 and VLAN 20. To enable communication between PC1 from VLAN 10 and PC2 from VLAN 20, we can use a router on a stick approach.
Step 1: The connection between the router and the switch must be configured as a trunk link.
Switch#configure terminal
Switch(config)#interface Fa0/1
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#spanning-tree portfast trunk
Step 2: Create the required VLANs and configure the access ports for the hosts.
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#exit
Switch(config)#interface Fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface Fa0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Step 3: Configure the router by setting 802.1Q encapsulation with the VLAN number to which each sub-interface belongs.
Router(config)#interface GigabitEthernet0/0.1
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 10.1.10.200 255.255.255.0
Router(config-subif)#interface GigabitEthernet0/0.2
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 10.1.20.200 255.255.255.0
Router(config-subif)#interface GigabitEthernet0/0
Router(config-if)#no shutdown
EtherChannel
An EtherChannel is a logical interface that bundles multiple physical interfaces.
Spanning-tree sees an EtherChannel as a single interface so it won’t block redundant physical links.
If you want to configure an EtherChannel then there are three options:
PAgP (Cisco proprietary)
LACP (IEEE standard)
Manual
If you are going to create an EtherChannel you need to make sure that all interfaces have the same configuration:
Duplex.
Speed.
Native and allowed VLANs.
Switchport mode (access or trunk).
PAgP
If you want to configure PAgP there are two options you can choose from. The interface can be configured as:
Desirable: The interface will actively ask the other side to become an EtherChannel.
Auto: The interface will wait passively for the other side to ask to become an EtherChannel.
LACP
LACP is similar to PAgP but uses different terminology:
Active: The interface will actively ask the other side to become an EtherChannel.
Passive: The interface waits passively for the other side to ask to become an EtherChannel.
SW1(config)#interface range GigabitEthernet 0/1 - 2
SW1(config-if-range)#channel-group 1 mode {desirable | active | on}
SW2(config)#interface range GigabitEthernet 0/1 - 2
SW2(config-if-range)#channel-group 1 mode {auto | passive | on}
Note: You shouldn’t make any changes to the physical interfaces that belong to the EtherChannel. Always use the port-channel interface.
SW1#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac
SW1(config)#port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
There are plenty of options to choose from, including combinations of source and/or destination MAC or IP addresses.
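Why the choice of method matters is easier to see with numbers. The following is an added example, not from the original notes: it models the link selection as the XOR of the low-order three bits of the chosen fields, giving an 8-way bucket that is mapped onto the member links. That model follows Cisco's commonly documented description and is an assumption here, not the exact hash of any specific platform; the addresses in the sample flows are invented. It shows that src-mac or src-ip pins every flow from one host onto a single link, while src-dst-ip spreads them, and that a bundle with three links splits the eight buckets 3:3:2.

```python
import ipaddress

BUCKETS = 8   # the hash yields a value 0..7 that is mapped onto the member links


def _low_bits_ip(ip):
    return int(ipaddress.ip_address(ip)) & (BUCKETS - 1)


def _low_bits_mac(mac):
    return int(mac.replace(":", "").replace(".", ""), 16) & (BUCKETS - 1)


def hash_bucket(method, src_ip=None, dst_ip=None, src_mac=None, dst_mac=None):
    """Bucket 0..7 for one frame under the given port-channel load-balance method (assumed XOR model)."""
    if method == "src-ip":
        return _low_bits_ip(src_ip)
    if method == "dst-ip":
        return _low_bits_ip(dst_ip)
    if method == "src-dst-ip":
        return _low_bits_ip(src_ip) ^ _low_bits_ip(dst_ip)
    if method == "src-mac":
        return _low_bits_mac(src_mac)
    if method == "dst-mac":
        return _low_bits_mac(dst_mac)
    if method == "src-dst-mac":
        return _low_bits_mac(src_mac) ^ _low_bits_mac(dst_mac)
    raise ValueError(f"unknown load-balance method {method!r}")


def select_link(bucket, num_links):
    """Map an 8-way bucket onto the member links; buckets wrap round-robin over the links."""
    if not 1 <= num_links <= BUCKETS:
        raise ValueError("an EtherChannel has 1 to 8 member links")
    return bucket % num_links


def bucket_distribution(num_links):
    """How many of the 8 buckets land on each link (3 links -> [3, 3, 2], i.e. uneven)."""
    counts = [0] * num_links
    for b in range(BUCKETS):
        counts[select_link(b, num_links)] += 1
    return counts


def distribute_flows(method, flows, num_links):
    """Per-link flow counts for a list of flows (dicts with src/dst ip and mac keys)."""
    counts = [0] * num_links
    for flow in flows:
        counts[select_link(hash_bucket(method, **flow), num_links)] += 1
    return counts


# Constructed sample: one client talking to eight different servers over a 2-link bundle.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.1.5", "dst_ip": f"10.2.2.{n}",
     "src_mac": "00:11:22:33:44:05", "dst_mac": f"00:aa:bb:cc:dd:{n:02x}"}
    for n in range(10, 18)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-ip", "src-dst-ip", "dst-mac"):
        print(f"{method:12s} -> flows per link: {distribute_flows(method, SAMPLE_FLOWS, 2)}")
    print("bucket spread over 3 links:", bucket_distribution(3))
```

A monitoring or capture design that assumes traffic is spread across the bundle should be checked against the configured method: with src-mac, a single busy host can saturate one member link while the others sit idle.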
Packet Flow
To send a packet from source to destination, the following information is required.
1) Source IP
2) Destination IP
3) Source MAC
4) Destination MAC
Now, usually a host connected to a network has both a MAC address and an IP address (either statically configured or acquired via DHCP).
Also, the host knows the destination IP address, and the only thing it needs to figure out is the destination MAC address.
Here two scenarios come into the picture:
1) When the destination host is in the same network.
In this case the host simply sends a broadcast ARP request to get the MAC address for the destination IP address (IP address to MAC resolution).
2) When the destination host is in another network.
In that case the host sends the ARP request for the gateway's IP address rather than for the destination IP address.
So the packet is sent to the gateway; when the gateway checks the destination IP address and finds that it is not its own, it does a route lookup to find the next hop and the interface to reach it.
Here there is no change in the source and destination IP addresses, but the source MAC address changes to the gateway's MAC address and the destination MAC address changes to the MAC address of the next hop.
Here again the gateway makes use of ARP to get the MAC address of the next hop if it does not already have that information in its ARP table.
Likewise the packet travels hop by hop until it reaches its destination IP address.
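The two scenarios and the hop-by-hop rewrite can be simulated. The following is an added example (not part of the original notes) with a constructed topology PC1 - R1 (gateway) - R2 - PC2: every node has interfaces, a routing table and a pre-filled ARP cache, the function arp_target decides whether a node resolves the destination itself (on-link) or its next hop, and trace forwards one packet and records the frame header on each link, showing the IP addresses staying constant while the MAC addresses change at every hop. All addresses and MACs are invented sample values.

```python
import ipaddress


class Node:
    """A host or router with interfaces, a routing table and a pre-filled ARP cache.

    All addresses used below are constructed sample data, not taken from the notes.
    """

    def __init__(self, name, interfaces, routes=(), arp=None):
        self.name = name
        # interfaces: {ifname: ("ip/prefixlen", "mac")}
        self.interfaces = {n: (ipaddress.ip_interface(ip), mac) for n, (ip, mac) in interfaces.items()}
        # routes: ("prefix", next_hop_ip or None when directly connected, out_ifname)
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None, i)
                       for p, nh, i in routes]
        self.arp = {ipaddress.ip_address(ip): mac for ip, mac in (arp or {}).items()}

    def owns_ip(self, ip):
        return any(iface.ip == ip for iface, _ in self.interfaces.values())

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes -> (next_hop, ifname)."""
        candidates = [(iface.network.prefixlen, None, ifname)
                      for ifname, (iface, _) in self.interfaces.items() if dst in iface.network]
        candidates += [(net.prefixlen, nh, ifname) for net, nh, ifname in self.routes if dst in net]
        if not candidates:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, next_hop, ifname = max(candidates, key=lambda c: c[0])
        return next_hop, ifname


def arp_target(node, dst):
    """Which IP the node must resolve: the destination itself when on-link, else the next hop."""
    dst = ipaddress.ip_address(dst)
    next_hop, ifname = node.lookup(dst)
    return (dst if next_hop is None else next_hop), ifname


def trace(nodes, src_name, dst_ip):
    """Forward one packet hop by hop and return the frame headers seen on each link."""
    dst = ipaddress.ip_address(dst_ip)
    owner_of_mac = {mac: node for node in nodes.values() for _, mac in node.interfaces.values()}
    cur = nodes[src_name]
    src_ip = next(iter(cur.interfaces.values()))[0].ip
    frames = []
    while not cur.owns_ip(dst):
        target, ifname = arp_target(cur, dst)
        if target not in cur.arp:
            raise LookupError(f"{cur.name}: {target} not in ARP cache, would have to send an ARP request")
        frames.append({"src_mac": cur.interfaces[ifname][1], "dst_mac": cur.arp[target],
                       "src_ip": str(src_ip), "dst_ip": str(dst)})
        cur = owner_of_mac[cur.arp[target]]   # the frame is delivered to whoever owns that MAC
    return frames


def build_sample_topology():
    """PC1 --- R1 (gateway) --- R2 --- PC2, with constructed addresses and ARP caches."""
    return {
        "PC1": Node("PC1", {"eth0": ("192.168.1.10/24", "aa:aa:aa:00:00:01")},
                    routes=[("0.0.0.0/0", "192.168.1.1", "eth0")],
                    arp={"192.168.1.1": "aa:aa:aa:00:00:10"}),
        "R1": Node("R1", {"g0": ("192.168.1.1/24", "aa:aa:aa:00:00:10"),
                          "g1": ("10.0.0.1/30", "aa:aa:aa:00:00:11")},
                   routes=[("172.16.0.0/24", "10.0.0.2", "g1")],
                   arp={"10.0.0.2": "aa:aa:aa:00:00:20"}),
        "R2": Node("R2", {"g0": ("10.0.0.2/30", "aa:aa:aa:00:00:20"),
                          "g1": ("172.16.0.1/24", "aa:aa:aa:00:00:21")},
                   arp={"172.16.0.50": "aa:aa:aa:00:00:02"}),
        "PC2": Node("PC2", {"eth0": ("172.16.0.50/24", "aa:aa:aa:00:00:02")}),
    }


NODES = build_sample_topology()

if __name__ == "__main__":
    for hop, frame in enumerate(trace(NODES, "PC1", "172.16.0.50"), 1):
        print(f"hop {hop}: {frame['src_mac']} -> {frame['dst_mac']}  ({frame['src_ip']} -> {frame['dst_ip']})")
```

Because the host only ever resolves the gateway's IP for off-link destinations, a poisoned ARP entry for the gateway redirects all of that host's off-link traffic, which is why ARP inspection on the access layer matters.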
DHCP Process
When a PC contacts a DHCP server, the server assigns (leases) an IP address to that PC, which enables the PC to connect to the network with that leased IP address until the lease expires.
EIGRP METRIC
The composite metric consists of:
– BW: the minimum bandwidth of any outgoing interface along a specific path
– Delay: the cumulative delay of all the outgoing interfaces along a specific path
– Load: effective load of the route on the interface
– Reliability: likelihood of successful packet transmission
– MTU: the smallest MTU along the path
Metric = 256 * ((10^7 / BW) + (DLY / 10)), with BW in kbit/s and DLY in microseconds (the units shown by show interface).
EIGRP considers the network route with the lowest metric to be the best route to that network.
The metric is directly proportional to delay, hence increasing the delay makes the metric bigger.
The metric is inversely proportional to bandwidth, so increasing the bandwidth makes the metric smaller.
R1# configure terminal
R1(config)# interface gi0/1
R1(config-if)# delay 100
R1(config-if)# do show interface GigabitEthernet0/1 | include DLY
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 1000 usec
EIGRP provides a mechanism to load balance over unequal cost paths through the variance command. Variance is a number from 1 to 128.
Variance only works on routes that are feasible successors; routes that did not pass the feasibility condition are never used, whatever the variance.
Advertised distance of the feasible successor < feasible distance of the successor
The feasibility condition: to become a feasible successor, a route needs to have a reported distance that is less than or equal to the successor's feasible distance.
R1# configure terminal
R1(config)# router eigrp 1
R1(config-router)# variance 2
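The metric formula, the feasibility condition and the variance rule above can be worked through together. The following is an added example, not from the original notes: it computes the composite metric from minimum bandwidth and cumulative delay with the default K values, then, for three constructed neighbours advertising the same prefix, picks the successor and feasible distance, applies the feasibility condition (reported distance strictly below FD, the strict form used in the inequality above) and shows which paths a given variance installs. The neighbour names and bandwidth/delay values are invented.

```python
def eigrp_metric(bw_kbps, delay_us):
    """Composite metric with the default K values (K1=K3=1), as in the formula above:
    256 * (10^7 / minimum bandwidth in kbit/s + cumulative delay in tens of microseconds).
    Integer division mirrors the router's arithmetic."""
    return 256 * (10_000_000 // bw_kbps + delay_us // 10)


def evaluate_paths(neighbours, variance=1):
    """neighbours: {name: {"rd_bw", "rd_delay", "link_bw", "link_delay"}}.

    rd_* is the metric vector the neighbour advertises (its own distance to the prefix),
    link_* describes the local interface towards that neighbour. Returns the successor,
    feasible distance, feasible successors and the paths installed for the given variance.
    """
    table = {}
    for name, n in neighbours.items():
        rd = eigrp_metric(n["rd_bw"], n["rd_delay"])
        total = eigrp_metric(min(n["rd_bw"], n["link_bw"]), n["rd_delay"] + n["link_delay"])
        table[name] = {"rd": rd, "metric": total}
    successor = min(table, key=lambda k: table[k]["metric"])
    fd = table[successor]["metric"]
    # Feasibility condition: reported distance strictly below the feasible distance
    feasible = [k for k, v in table.items() if k != successor and v["rd"] < fd]
    # Variance: only feasible successors whose metric is within variance * FD are installed
    installed = [successor] + [k for k in feasible if table[k]["metric"] <= variance * fd]
    return {"table": table, "successor": successor, "fd": fd,
            "feasible_successors": feasible, "installed": installed}


# Constructed sample: three neighbours advertising the same prefix (bandwidth in kbit/s, delay in us).
SAMPLE_NEIGHBOURS = {
    "R2": {"rd_bw": 100000, "rd_delay": 1000, "link_bw": 1000000, "link_delay": 1000},
    "R3": {"rd_bw": 100000, "rd_delay": 1500, "link_bw": 1000000, "link_delay": 1000},
    "R4": {"rd_bw": 10000, "rd_delay": 2000, "link_bw": 100000, "link_delay": 1000},
}

if __name__ == "__main__":
    for variance in (1, 2, 5):
        result = evaluate_paths(SAMPLE_NEIGHBOURS, variance)
        print(f"variance {variance}: successor {result['successor']} FD {result['fd']}, "
              f"feasible successors {result['feasible_successors']}, installed {result['installed']}")
```

R3 is a feasible successor (its reported distance 64000 is below the FD of 76800) and gets installed once variance 2 is configured; R4 has a reported distance above the FD, so it is never installed even with variance 5, which is the point made above about routes that fail the feasibility condition.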
EIGRP Loop Prevention Mechanism
By default, EIGRP has a loop prevention mechanism which says: "If I see my own router ID in external routes, then I am not going to accept those external routes, as they have been looped back to me."
Switch Virtual Interface (SVI)
A Switch Virtual Interface (SVI) is a logical interface configured on a layer 3 Switch where SVI has no physical interface and provides Layer 3 processing of packets from all switch ports associated with the VLAN.
Switch(config)#vlan 2
Switch(config-vlan)#exit
Switch(config)#interface Vlan2
Switch(config-if)#ip address 10.1.2.1 255.255.255.0
Switch(config-if)#no shutdown
SVI showing down? How to bring it up:
1) No host port is assigned to the SVI's VLAN: assign at least one active port to that VLAN.
2) Allow the SVI's VLAN on the trunk to another switch.
BGP Communities
A BGP community is a bit of "extra information" that you can add to one or more routes that are advertised to BGP neighbors. This extra information can be used for things like route manipulation or dynamic routing policies. There are 4 well-known BGP communities that you can use, or you can pick a numeric value to use for your own policies.
Here are the 4 well known BGP communities:
Internet: advertise the prefix to all BGP neighbors.
No-Advertise: don’t advertise the prefix to any BGP neighbors.
No-Export: don’t advertise the prefix to any eBGP neighbors.
Local-AS: don’t advertise the prefix outside of the sub-AS (this one is used for BGP confederations).
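The following is an added example, not from the original notes, that shows what those four communities look like on the wire and how a router applies them. It encodes and decodes the 32-bit community value (the ASN:value form for private communities, the RFC 1997 well-known values for the four listed above, with 0 shown as "internet" as IOS does), parses a COMMUNITIES attribute payload, and decides whether a prefix carrying a given set of communities may be advertised to a peer of a given kind. The peer kinds ("ibgp", "confed-ebgp", "ebgp") and the sample AS number 65000 are assumptions of this example.

```python
# Well-known community values from RFC 1997, plus 0, which IOS displays as "internet".
WELL_KNOWN = {
    0x00000000: "internet",
    0xFFFFFF01: "no-export",
    0xFFFFFF02: "no-advertise",
    0xFFFFFF03: "local-AS",   # RFC 1997 calls this NO_EXPORT_SUBCONFED
}


def encode_community(asn, value):
    """Pack the ASN:value form into the 32-bit community attribute value."""
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("ASN and value must each fit in 16 bits")
    return (asn << 16) | value


def decode_community(raw):
    """Return the well-known name, or the ASN:value string for a private community."""
    if raw in WELL_KNOWN:
        return WELL_KNOWN[raw]
    return f"{raw >> 16}:{raw & 0xFFFF}"


def parse_community_attribute(data):
    """Decode a COMMUNITIES path attribute payload: a sequence of 4-byte big-endian values."""
    if len(data) % 4:
        raise ValueError("COMMUNITIES attribute length must be a multiple of 4")
    return [decode_community(int.from_bytes(data[i:i + 4], "big")) for i in range(0, len(data), 4)]


def export_allowed(communities, peer_kind):
    """Apply the well-known communities to one peer: may the prefix be advertised to it?

    peer_kind (assumed classification for this example): "ibgp", "confed-ebgp" (eBGP to
    another sub-AS of the same confederation) or "ebgp" (a peer outside the AS).
    """
    if peer_kind not in ("ibgp", "confed-ebgp", "ebgp"):
        raise ValueError(f"unknown peer kind {peer_kind!r}")
    if "no-advertise" in communities:          # never advertised to anyone
        return False
    if "no-export" in communities and peer_kind == "ebgp":
        return False                           # stays inside the AS / confederation
    if "local-AS" in communities and peer_kind != "ibgp":
        return False                           # stays inside the sub-AS
    return True


# Constructed sample attribute: NO_EXPORT followed by the private community 65000:100.
SAMPLE_ATTRIBUTE = bytes.fromhex("ffffff01") + encode_community(65000, 100).to_bytes(4, "big")

if __name__ == "__main__":
    communities = parse_community_attribute(SAMPLE_ATTRIBUTE)
    print("communities:", communities)
    for kind in ("ibgp", "confed-ebgp", "ebgp"):
        print(f"advertise to {kind} peer: {export_allowed(communities, kind)}")
```

Because communities are just attribute values set by whoever originated or last rewrote the route, an export policy that trusts them from an external peer should strip or validate them at the edge.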
BGP Confederation
BGP confederations are another way to solve the scaling problems created by the BGP full mesh requirement. BGP confederations effectively break up a large autonomous system (AS) into sub autonomous systems (sub-ASs). Each sub-AS must be uniquely identified within the confederation AS by a sub-AS number.
To the outside world, the confederation (the group of sub-ASs) will look like a single AS.
Typically, sub-AS numbers are taken from the private AS numbers between 64,512 and 65,535.
Within a sub-AS, the same internal BGP (IBGP) full mesh requirement exists. Connections to other confederations are made with standard external BGP (EBGP), and peers outside the sub-AS are treated as external.