Month: February 2012

CCIE: BGP

Unlike IGPs, BGP does not use a metric to select the best path. Instead, BGP is a path-vector protocol: the best path is determined by Path Attributes (PAs). If no other PAs are set, the deciding attribute is AS_PATH, and the shortest AS path to the destination prefix is the best path.

Building the neighbor relationship:

TCP port 179 (the session is established to the configured neighbor address), then Open, Established, and finally Updates (which carry the prefix information). If there is a problem or error, a “notification” message is sent.

Keepalive is 60 seconds and hold time is 3 times that, or 180 seconds. The hold time is sent in the Open message and the two sides DO NOT have to match: the lower of the two values is used by both peers.

Authentication: MD5 only
Loopbacks require an extra TTL hop, so multihop may be necessary for eBGP neighbors peering between loopbacks (iBGP packets use TTL 255, eBGP packets use TTL 1). Overcome this for eBGP with “ebgp-multihop 255”.

Two components to the BGP table:
1) NLRI: prefix and mask
2) PAs (NLRIs that share the same set of PAs are carried together in one Update)

Redistribution: When redistributing INTO BGP, if the metric is set it will alter the MED PA.
Auto-summary only affects network injection locally either through redistribution or the “network” command.  

Use “aggregate-address” to perform manual summarization. The AS-SET option keeps an unordered list of the ASNs found in the component subnets. Without this option the AS_PATH of the aggregate is empty. That can be good to hide the originating path, but bad because it can create a routing loop.
A summary can also be made with a local static route to Null0 and injected with the “network” command. This will NOT suppress the component subnets.

BGP Sync: Not really used today because the BGP table (full) is too big to redistribute into IGP. Use RR’s or Confeds. It was designed to prevent black-holing but in reality, is not used anymore because in order for a BGP route to be considered best an IGP has to have the route. If concerned about the number of devices that have to run BGP, you could use MPLS.

Redistribution solves the routing to black-hole and sync solves the problem of advertising a black-hole route to another AS. USE WITH CAUTION WHEN REDISTRIBUTING BGP INTO IGP. 

Without RR or Confederations, a full mesh of iBGP peers is required. If you have more than 3 BGP nodes, this would be a royal pain in the tush. Full Mesh formula is n(n-1)/2.

 (8) Node Example:  8*(8-1)/2 = 28 TCP connections! That’s too many. 

BGP: Server/Client (use “update-source” to force the “client”). Only necessary on one side, but it should be on both to ensure clarity.

eBGP neighbors must be directly connected. So, if you’re using loopbacks to peer, the “disable-connected-check” command is required if you do not want to modify “ebgp-multihop”. The other option is simply to set the eBGP multihop.

Route Reflector: 

A route reflector violates the iBGP rule that routes learned from one iBGP neighbor are not advertised to another iBGP neighbor, so a new loop-prevention mechanism must be used.

Originator ID: Originator of the prefix sent by the RR (used to prevent loops between the clients)
Cluster List/ID: Route reflector ID (used to prevent loops between RR’s)

Confederations:
An alternative to Route Reflectors, accomplishes the same functionality (no need for a full mesh), but is more intricate. Used for LARGE scale BGP deployments.

AS to be presented outside the Confederation (eBGP) is configured with the “bgp confederation id xxxxx”
For example my private ASN in the confed is 64512 and my public ASN is 75

router bgp 64512
bgp confederation id 75

SUB AS’s count as a single AS no matter how many sub AS’s are included in path. Lowest router-id wins metric tie.

If the next-hop IP cannot be resolved (recursion fails) and “next-hop-self” is not enabled, the prefix will show in the BGP table but not in the routing table, because it is not a “best” path (no “>”).

Another way to change the next-hop IP is using a route-map on the neighbor and “set ip next-hop x.x.x.x”. If you leave the match empty it will match all prefixes coming from the specified neighbor. This can be used in a TE use case, where the next-hop is not even the originating router.

Redistributing BGP into IGP: USE WITH CAUTION! If necessary, make sure to use an AS-PATH access-list to limit the routes to the prefixes originating on the peer router. IGPs can be overwhelmed by a full BGP Internet routing table. On a side note: prefixes that fail to install in the RIB (RIB failures) are still advertised to neighbors by default; to prevent this, issue the following command under the BGP process: “bgp suppress-inactive”.

iBGP into IGP redistribution is NOT recommended because of the potential of loops to occur. Remember with iBGP the as_path is NOT preserved. If you MUST do so with caution… You have been warned.

Override the default behavior (iBGP-learned routes are not redistributed into the IGP) under the BGP process with “bgp redistribute-internal”.

BGP “auto-summary” works with 1) Redistribution of routes into BGP or 2) using the network command to advertise a classful address.

BGP Best Path Selection:

1) Weight – (non-transitive/local to the router only) Can be set per neighbor or via an inbound route-map
2) Local Preference – (transitive within a single AS) Can be set via an inbound route-map

Un-suppress on a per-neighbor basis (“unsuppress-map”) and use a route-map to suppress/un-suppress globally. In the route-map, use deny on the prefixes to be allowed through and permit on the prefixes to suppress.

Local-AS: Use this to allow a peer to use a different ASN from the global one. It could be used for an AS migration. “no-prepend” removes the old AS from the AS_PATH string for INCOMING prefixes; this does NOT work for advertised prefixes. “replace-as” removes the new AS from the string. Finally, “dual-as” allows a peer to use either ASN for peering.

“Remove-private-AS” on external peers only.

BGP Timers:

BGP Scanner: Default of 60 seconds, Conditional route advertisements, next-hop check, imports routes, route dampening. Change with “bgp scan-time”

Route Refresh/Soft Reconfiguration: RR replaced Soft Reconfiguration.

Batch routing updates: change the update interval with “neighbor x.x.x.x advertisement-interval <seconds>”.

Timers Hello/Hold: Default of 60 hello and 180 sec. hold.

BGP Fast Failover: By default, if an interface goes down the peer session will go down. This feature is good for PTP links but not so good for shared links. Disable it with “no bgp fast-external-fallover”

Fast peering: Use “neighbor x.x.x.x fall-over” iBGP or eBGP based on route availability to the peer.

BGP next-hop trigger: event driven and enabled by default. Change the delay with “bgp nexthop trigger delay xx”.

CCIE: RIP

Notes:

auto-summary in RIP affects what is advertised, but not the local RIB.
Preventing route feedback: prevent route feedback (RIP) with a static route to Null0 or a distribute-list (IN) on the originating router.
interface> ip rip advertise (interval different from the global one)
Default sent out a specific interface: use a route-map that sets the interface with default-information originate.
DON'T FORGET ABOUT ROUTE FEEDBACK IN RIP!
ACL to filter even/odd octets (wildcard 255.255.254.255 cares about only the low bit of the third octet):
ip access permit 0.0.1.0 255.255.254.255 : permit 3rd octet odd only
ip access permit 0.0.0.0 255.255.254.255 : permit 3rd octet even only
Track a route with a route-map for default route injection.
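The two even/odd ACL lines above work because a 0 bit in an IOS wildcard mask means “must match” and a 1 bit means “don’t care”, so 255.255.254.255 tests exactly one bit: the least-significant bit of the third octet. The following is an added example (not from the original post) that implements wildcard matching and the ACL walk with its implicit deny, runs both ACLs over a constructed set of RIP prefixes, and generalizes the trick with modulo_entry(), a hypothetical helper that builds the base/wildcard pair for “octet N congruent to R modulo a power of two”.

```python
"""Wildcard-mask ACL matching, applied to the even/odd third-octet filters."""
import ipaddress


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if address matches base under an IOS wildcard mask.

    Wildcard bit 0 = the address bit must equal the base bit;
    wildcard bit 1 = don't care.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Standard ACL entries as (action, base, wildcard), evaluated top-down.
ODD_THIRD_OCTET = [("permit", "0.0.1.0", "255.255.254.255")]
EVEN_THIRD_OCTET = [("permit", "0.0.0.0", "255.255.254.255")]


def acl_permits(acl, address: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False


def filter_prefixes(acl, prefixes):
    """Keep only the prefixes whose network address the ACL permits."""
    return [p for p in prefixes if acl_permits(acl, p.split("/")[0])]


def modulo_entry(octet: int, remainder: int, modulus: int):
    """Hypothetical helper: build (base, wildcard) matching addresses whose
    given octet (1-4) is congruent to `remainder` modulo `modulus`.
    `modulus` must be a power of two, because a wildcard can only test
    contiguous low-order bits of an octet."""
    if modulus <= 0 or modulus & (modulus - 1) or not 0 <= remainder < modulus:
        raise ValueError("modulus must be a power of two and remainder < modulus")
    care_bits = modulus - 1            # modulus 2 -> 0b1, modulus 4 -> 0b11
    base = [0, 0, 0, 0]
    wild = [255, 255, 255, 255]
    base[octet - 1] = remainder
    wild[octet - 1] = 255 - care_bits  # clear the bits we care about
    return ".".join(map(str, base)), ".".join(map(str, wild))


# Constructed sample of RIP-advertised prefixes
SAMPLE = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.255.0/24"]

if __name__ == "__main__":
    print("odd :", filter_prefixes(ODD_THIRD_OCTET, SAMPLE))
    print("even:", filter_prefixes(EVEN_THIRD_OCTET, SAMPLE))
    print("3rd octet == 2 mod 4:", modulo_entry(3, 2, 4))
```

Running it shows the odd ACL keeping 10.0.1.0, 10.0.3.0 and 10.0.255.0 and the even ACL keeping 10.0.2.0 and 10.0.4.0; modulo_entry(3, 1, 2) reproduces the exact base/wildcard pair quoted above.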

Reliable Conditional Default Routing:
R1:
track 1 ip sla 1 reachability
!
router rip
 version 2
 default-information originate route-map SLA
!
ip route 169.1.1.1 255.255.255.255 Null0 name BOGUS track 1
!
ip prefix-list SLA seq 5 permit 169.1.1.1/32
!
ip sla 1
 icmp-echo 204.12.17.254 source-interface FastEthernet0/0
ip sla schedule 1 life forever start-time now
!
route-map SLA permit 10
 match ip address prefix-list SLA
RIP Unicast updates: neighbor statement plus the passive-interface command.
Without passive-interface, broadcast and multicast updates will continue to be sent.
RIP Broadcast Update: interface> ip rip v2-broadcast
RIP Triggered Updates: interface> ip rip triggered
RIP Source Validation (do I have a path back to the update source in the RIB?): router rip> no validate-update-source (to disable the check)
CCIE: GRE Tunneling/Recursive Routing

Here is a subject that burned me in my last lab. I had a much more complex environment, but the fundamentals are the same.

Recursive routing errors occur when the tunnel destination is dynamically learned across the tunnel interface itself. Here are two simple methods to correct this behavior.

1) Static route to the tunnel destination via any interface/path other than the tunnel interface (the static route has a lower administrative distance than the dynamically learned IGP route, so it wins). On the CCIE lab static routes are generally a no-no; that being said, I would use method #2 or another filter method.

2) Distribution list to filter the tunnel destination from being learned via the IGP across the tunnel interface.

Example: Tunnel destination is 1.1.1.1 on R2 and 2.2.2.2 on R1

R2#
ip prefix-list RECURSIVE seq 10 deny 1.1.1.1/32
ip prefix-list RECURSIVE seq 20 permit 0.0.0.0/0 le 32

router <eigrp|rip|ospf|bgp> ...
 distribute-list prefix RECURSIVE out Tunnel<X>

R1#
ip prefix-list RECURSIVE seq 10 deny 2.2.2.2/32
ip prefix-list RECURSIVE seq 20 permit 0.0.0.0/0 le 32

router <eigrp|rip|ospf|bgp> ...
 distribute-list prefix RECURSIVE out Tunnel<X>
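To make the failure mode concrete, here is an added example (my own, not part of the original post) that models a small RIP-style RIB, resolves the tunnel destination with a longest-prefix lookup, and applies the RECURSIVE prefix-list from R2 above to what R2 advertises out the tunnel. It assumes 1.1.1.1 is R2’s loopback and is the address R1 uses as its tunnel destination, that R1 already knows 1.1.1.1/32 through the underlay three hops away, and that R2 also advertises a constructed LAN 10.2.0.0/24; the prefix-list semantics (first match wins, implicit deny, “le 32” widening the length range) are implemented by hand.

```python
"""Recursive routing through a GRE tunnel, and the prefix-list filter that prevents it."""
import ipaddress


class Route:
    def __init__(self, prefix, interface, metric):
        self.net = ipaddress.ip_network(prefix)
        self.interface = interface
        self.metric = metric            # hop count, RIP style


def longest_match(rib, address):
    """Longest-prefix lookup, the way the RIB resolves a tunnel destination."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in rib if addr in r.net]
    return max(hits, key=lambda r: r.net.prefixlen, default=None)


def tunnel_is_recursive(rib, tunnel_dst, tunnel_if):
    """True when the tunnel destination resolves through the tunnel itself."""
    r = longest_match(rib, tunnel_dst)
    return r is not None and r.interface == tunnel_if


# ip prefix-list RECURSIVE from the R2 config above, as (seq, action, prefix, ge, le)
RECURSIVE = [
    (10, "deny",   "1.1.1.1/32", None, None),
    (20, "permit", "0.0.0.0/0",  None, 32),
]


def prefix_list_permits(entries, prefix):
    """IOS prefix-list semantics: entries are tried in sequence order, the first
    match decides, and an unmatched prefix is denied. With no ge/le the length
    must match exactly; le raises the upper bound, ge raises the lower bound."""
    net = ipaddress.ip_network(prefix)
    for _, action, match, ge, le in sorted(entries, key=lambda e: e[0]):
        m = ipaddress.ip_network(match)
        lo = ge if ge is not None else m.prefixlen
        hi = le if le is not None else (32 if ge is not None else m.prefixlen)
        if net.subnet_of(m) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def install(rib, prefix, interface, metric):
    """A newly learned route replaces the existing one only if its metric is lower."""
    net = ipaddress.ip_network(prefix)
    for i, r in enumerate(rib):
        if r.net == net:
            if metric < r.metric:
                rib[i] = Route(prefix, interface, metric)
            return
    rib.append(Route(prefix, interface, metric))


def simulate(apply_filter):
    """R1 has Tunnel0 pointing at 1.1.1.1 (R2). R2 sends its routes over the
    tunnel, optionally through 'distribute-list prefix RECURSIVE out Tunnel0'.
    Returns True if R1 is left with recursive routing."""
    # R1's starting RIB (constructed): the tunnel destination via the underlay
    r1_rib = [Route("1.1.1.1/32", "Serial0/0", 3)]
    # What R2 would advertise out Tunnel0 (constructed): its loopback and a LAN
    r2_advertised = [("1.1.1.1/32", 0), ("10.2.0.0/24", 0)]
    if apply_filter:
        r2_advertised = [(p, m) for p, m in r2_advertised
                         if prefix_list_permits(RECURSIVE, p)]
    for prefix, metric in r2_advertised:
        install(r1_rib, prefix, "Tunnel0", metric + 1)   # one hop across the tunnel
    return tunnel_is_recursive(r1_rib, "1.1.1.1", "Tunnel0")


if __name__ == "__main__":
    print("recursive without filter:", simulate(False))
    print("recursive with filter   :", simulate(True))
```

Without the filter the tunnel path to 1.1.1.1/32 is one hop instead of three, so it replaces the underlay route and the tunnel destination now resolves via Tunnel0; with the filter only 10.2.0.0/24 crosses the tunnel and the underlay route survives. Note that the deny entry matches only the exact /32: a covering 1.1.1.0/24 would still be permitted by sequence 20, which is why the filter must name the exact tunnel destination prefix.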

CCIE: OSPF

The Basics:

Link state routing protocol. Uses IP protocol 89. Hellos sent on 224.0.0.5.

Uses Dijkstra SPF algorithm independently on each router against the local LSDB to calculate the best routes.

Hellos sent every 10 seconds on LAN and 30 seconds on WAN interfaces. Dead time is 4x hello, so 40sec and 120 sec respectively.

Router ID:

1) Configured “router id”
2) Highest loopback
3) Highest non loopback interface in up/up state.

Hello Process Sanity check:

Pass authentication (verify with “debug ip ospf adj”)
Same primary subnet (no secondaries used for neighbor)
Same OSPF area
Same OSPF area type (NSSA, STUB, etc…)
No duplicate RID’s
Hello/Dead times match

On a multiaccess network (LAN), a DR is used to reduce LSDB flooding, similar in concept to a BGP route reflector. The DR also creates a type 2 LSA for the subnet. Non-DR routers send DD packets to the DR using 224.0.0.6 (all DRs); the DR acknowledges with a unicast DD and floods a new DD packet to 224.0.0.5. Highest priority wins the DR election; the highest RID (loopback) is the tie-breaker.

SPF Calculation: Lowest cost to destination. Uses OUTGOING interface cost.

Design:
Using areas will give your routers smaller per-area LSDBs, requiring less memory.
Faster SPF computation due to the smaller LSDB.
A link failure in one area only requires partial SPF computation in another area.
ROUTES CAN ONLY BE SUMMARIZED ON AN ABR OR ASBR; this helps shrink the LSDB and improve SPF computation. “summary-address” is only used on an ASBR, “area X range” is used on an ABR, and make sure the area you reference is where the actual routes reside/originate.

E1= Include end-to-end metric
E2= Use metric calculated by ASBR only. (DEFAULT)

The big thing to remember, is that the ABR will not pass the dense type 1 & 2 LSAs, instead using a summary LSA type 3.

Let’s review LSA types real quick.
T1: Router – RID, and interface IP, neighbors, and Stub (one router with no other neighbors) – one per router
T2: Network – Created by DR on subnet, subnet and router interface on subnet WITH DR. – one per transit network (subnet with two or more routers).
T3: Summary – Created by ABR to summarize T1 & T2. Defines subnets and cost but not the topology.
T4: ASBR Summary – Host route to reach ASBR
T5: AS External – Created by ASBR’s for external routes redistributed into OSPF.
T7: NSSA External

Stub Area:

Prevents T5 LSAs from entering the area and the ABR advertises a default. Totally stubby areas also prevent T3 LSAs from entering the area. NSSA allows routes to be redistributed into the stub area as T7s.

Interface Network Types:

non-broadcast: DR/BDR election, neighbor statement required, unicast hellos, no next-hop modification, so all spokes require recursive lookup
point-to-multipoint: no DR/BDR election, no neighbor, multicast hellos to 224.0.0.5, stub endpoint advertisement (/32) instead of a transit network.

Auto-cost Reference Bandwidth: Change bandwidth on local router to see updated cost. Should be consistent across all routers to prevent SPF based loops. Interface cost= Reference Bandwidth / Interface Bandwidth (this can also be used for P-to-MP neighbor costs).

Capability transit: use non-backbone areas if a shorter path exists for a summary LSA (inter-area); on by default. If you want to force the traffic to take the area 0 path, issue “no capability transit” on both ends.

Demand Circuit:

On point-to-point interfaces, only one end of the demand circuit must be configured with the ip ospf demand-circuit command. Periodic hello messages are suppressed and periodic refreshes of link-state advertisements (LSAs) do not flood the demand circuit. This command allows the underlying data link layer to be closed when the topology is stable. In point-to-multipoint topology, only the multipoint end must be configured with this command.

Paranoid flooding: Every 30 minutes re-flood by default. Disable with interface level: “ip ospf flood-reduction”, verify with DoNotAge (DNA) in OSPF LSA Database.

“Flood-War” in debug is an indication of identical router-id’s competing. Loop prevention mechanism.

Conditional Default Route:

router ospf 1
 default-information originate always route-map TRACK
!
ip prefix-list TRACK seq 5 permit 10.17.1.0/24
!
route-map TRACK permit 10
 match ip address prefix-list TRACK
!
interface fa0/1
 ip address 10.17.1.1 255.255.255.0

Reliable Conditional Default:

ip sla 1
 icmp-echo 10.17.1.254
 timeout 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1
ip route 127.100.100.10 255.255.255.255 Null0 track 1
!
ip prefix-list TRACK seq 5 permit 127.100.100.10/32
route-map TRACK permit 10
 match ip address prefix-list TRACK
router ospf 1
 default-information originate always route-map TRACK

STUB AREAS:

Allows filtering of the database based on the role of the LSA. Stub flag is sent as part of the hellos, so they must agree.

Stub will remove external T5 LSAs and replace them with a default. A T5 LSA carries the advertising router’s router ID and a forward address of 0.0.0.0; in that area, if the forward address is 0.0.0.0, traffic is directed to the advertising router ID. Essentially, this requires the router ID to be found in the database via a T1 LSA. This process causes redundant information in the database due to the T1, T4 and T5 entries. Specifically, the T5s and T4s are replaced with a default.

This also implies that since T5’s are filtered, redistribution cannot occur in a STUB area. The workaround? NSSA.

Totally Stubby Areas:

“area x stub NO-SUMMARY” Inter-Area (T3’s) are removed and replaced with a default. Configured on ABR only.


Not So Stubby Areas (NSSA):

“area x NSSA” This generates an LSA T7 instead of a T5. These have N1 and N2 subtypes. Much like E1 and E2. N1 considers the full path where N2 considers only the ASBR metric and not the cost to get to the ASBR. 

When traversing into Area 0, the T7 is converted into a T5. NSSA does NOT automatically generate a default route, but could be added. Important to note that if there are multiple ABR’s the one with the highest Router-ID will do the translations. 

Translating T7 to T5 with suppress-fa instructs the ABR to NOT preserve the value in the forward address field:
“area x nssa translate type7 suppress-fa”


Not So Totally-Stubby Areas (ARE YOU FREAKING KIDDING ME???!!!):

As if NSSA, STUB, and Totally-Stubby were not confusing enough, we have “Not so totally-stubby areas”. WTF!!!

Basically a combination of Total Stub and NSSA. T3,T4,T5 are replaced with a T3 default, but also allows redistribution into the area as T7’s.

Nuff said!

Summary Routes:

Create the summary (AREA x RANGE x.x.x.x) in the AREA WITH THE ROUTES BEING SUMMARIZED!
When a summary is created on an ABR a null 0 route is created. This could cause a black hole. Override with “no discard-route internal”.

OSPF Resource Limits:

Limit LSA’s in the database: “max-lsa 10000” NON-SELF-GENERATED
Limit Redistribution: “redistribute maximum-prefix 1000”
Limit processor: “process-min-time percent 25”

Verify with “sh ip ospf”
DNS Lookup on Neighbors: “ip ospf name-lookup”
Add a local host with “ip host R1 1.1.1.1”
CCIE: EIGRP

One of my favorite routing subjects to discuss. Usually, I’ll be asked which is the better IGP, OSPF or EIGRP, and my answer is always… it depends. There are a couple of compelling reasons why EIGRP is still a great IGP after so many years. Here are a few in my opinion: ease of deployment, convergence speed (without tweaks), and offset capability. Of course, there are some disadvantages: scale, ease of deployment (you’re not required to take a deep look at your topology like you are with OSPF), and it’s proprietary.

The EIGRP Fundamentals:

Uses the DUAL algorithm to prevent routing loops and propagate topology information.
Split horizon/DUAL are responsible for maintaining a loop free topology. Split Horizon is disabled on frame-relay physical interfaces but, enabled on all others.
EIGRP is classless
MD5 only authentication (use “debug eigrp packet” to verify)
Constraining bandwidth and cumulative delay are the default metrics used (ToS:0, K values:10100)
EIGRP metric (using default K values) = 256*(Bw + Delay), i.e. Metric = 256*((10^7 / min. Bw in kbps) + cumulative Delay in tens of microseconds)
Maximum paths is 4, the range is 1-6.

Metric Weights: Default TOS0, K1=1, K2=0, K3=1, K4=0, K5=0 (must match to form neighbor)

usec (microsecond) is the delay unit shown on IOS routers, but the EIGRP formula uses delay in tens of microseconds. A delay of 100000 usec is actually 100000/10 = 10,000 in the formula.

Plug those numbers in now. 256*(1544 (t1)+12,000)
Decimals are rounded DOWN to the nearest WHOLE number.

RD (reported distance): the neighbor’s own metric to that route.
FD:  The metric for the lowest metric path to reach subnet.
Feasibility condition: RD must be lower than FD.
Successor route: Lowest metric route.
FS: Not the successor, but can be used when the successor fails without introducing a loop.

P 155.17.146.0/24, 1 successors, FD is 2693120
        via 155.17.0.5 (FD:2693120/RD:2181120), Serial0/0/0.1

Variance: If other FS have a better metric (lower) than the product of variance multiplier * FD they are added to the RIB.

Hellos sent to 224.0.0.10 via IP protocol 88. 5 seconds on PTP/LAN and 60 seconds on multipoint links with less than 1Mbps. Dead time is 3 x the hello.

The network statement determines which interfaces run the EIGRP process.

“sh ip eigrp nei” “Q Count” value of 0 means no updates to be sent and the network has converged. 

Disabling split horizon on the hub can cause route replication in the topology table.

“ip default-network” can advertise a default (not really a default route, but a candidate default).

“ip summary-address eigrp xxx 0.0.0.0 0.0.0.0” will suppress all other routes out that interface unless you use a “leak-map”.

Poison the summary (AD 255) to allow longer match without dropping via null0

 Unequal cost load balancing using Variance: 

SIA Timer: config-router> “timers active-time X”. When set to disabled, it will continue until the end of time… i.e. disabling the timer permits the active (query) wait to remain outstanding indefinitely.

IMPORTANCE OF EIGRP ROUTER ID: This is a new one for me. I found out that any external routes injected into EIGRP are tagged with the redistributing router’s RID. This is used for route loop prevention. You can also use this as a filter mechanism by changing a router’s ID to the originating router and preventing that prefix from entering the topology/route table. Tricky stuff!!!