my CCDE cheat sheets


  1. my CCDE cheat sheets Philippe Jounin 2013

  2. Layer 2 (section divider; deck outline: Operation, Tunneling, L3, L2 and overlays, Security)

  3. Layer 2 Design (performance and stability / security checklist)
  • Apply an ACL filter on the admin VLAN
  • HSRP active and STP root on the same switch
  • Modify the VTP domain (or turn VTP off)
  • Root Guard
  • Loop Guard or Bridge Assurance
  • Clear the native VLAN
  • Force access mode (disable DTP)
  • Choose VLAN ≠ 1
  • Apply Port Security
  • BPDU Guard
  • PortFast
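The checklist above as one Cisco IOS configuration. This is an added example written for this page, not configuration from Philippe Jounin's deck; the VLAN numbers, addresses, interface ranges and names are assumptions (user VLAN 10, management VLAN 100, unused native VLAN 999, NOC subnet 10.255.0.0/24, access ports Gi1/0/1-47, uplink Gi1/0/48) and must be adapted to the design.

```cisco
! Added example, not from the original slides: access-switch and
! distribution-switch hardening that applies the Layer 2 Design checklist.
! Assumed values: user VLAN 10, management VLAN 100, unused/native VLAN 999,
! NOC subnet 10.255.0.0/24, access ports Gi1/0/1-47, uplink Gi1/0/48.
!
! ===== access switch =====
vtp mode transparent                       ! "turn VTP off": never accept a VLAN database from the wire
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default   ! every PortFast port err-disables on a received BPDU
spanning-tree loopguard default            ! Loop Guard on all non-designated ports
errdisable recovery cause bpduguard        ! optional: auto-recover after the default 300 s
!
vlan 10
 name USERS
vlan 100
 name MGMT
vlan 999
 name UNUSED-NATIVE                        ! "clear native VLAN": nothing untagged on trunks
!
interface range GigabitEthernet1/0/1 - 47
 description user access port
 switchport mode access                    ! "force access mode"
 switchport access vlan 10                 ! "choose VLAN != 1"
 switchport nonegotiate                    ! disable DTP: a host cannot negotiate a trunk
 switchport port-security
 switchport port-security maximum 2        ! e.g. phone + PC
 switchport port-security violation restrict
 switchport port-security aging time 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100      ! prune the trunk to what this closet needs
 switchport nonegotiate
!
! ===== distribution switch =====
! HSRP active and STP root on the same switch per VLAN, so that traffic
! does not hairpin over the inter-distribution link.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,100 root primary
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
interface range GigabitEthernet1/0/1 - 24
 description downlinks to access switches
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100
 switchport nonegotiate
 spanning-tree guard root                  ! Root Guard: an access switch can never become root
!
! "Apply ACL filter on admin VLAN": only the NOC may reach the management VLAN.
ip access-list extended ADMIN-VLAN-OUT
 permit ip 10.255.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip any any log
interface Vlan100
 description management VLAN
 ip address 10.100.0.1 255.255.255.0
 ip access-group ADMIN-VLAN-OUT out
```

Check the result with show spanning-tree summary (PortFast, BPDU Guard and Loop Guard counters), show port-security and show interfaces trunk: the native VLAN 999 must not appear in the allowed list, so nothing is ever forwarded untagged.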

  4. Layer 2 Design
  Spanning-tree normalisation
  • DEC STP: pre-IEEE
  • 802.1D: Classic STP
  • 802.1w: Rapid STP (RSTP)
  • 802.1s: Multiple STP (MST)
  • 802.1t: 802.1D maintenance
  Spanning-tree toolkit. The following enhancements to 802.1(D, s, w) make up the Cisco spanning-tree toolkit:
  • PortFast: lets the access port bypass the listening and learning phases
  • UplinkFast: provides 3-to-5 second convergence after an uplink failure
  • BackboneFast: cuts convergence time by MaxAge for an indirect failure
  • Loop Guard: prevents an alternate or root port from becoming designated when BPDUs stop arriving
  • Root Guard: prevents external switches from becoming the root
  • BPDU Guard: err-disables a PortFast-enabled port if a BPDU is received
  • BPDU Filter: prevents sending or receiving BPDUs on PortFast-enabled ports
  Cisco has incorporated a number of these features into the following versions of STP:
  • Per-VLAN Spanning Tree Plus (PVST+): a separate 802.1D spanning-tree instance for each VLAN configured in the network. Includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
  • Rapid PVST+: an instance of RSTP (802.1w) per VLAN. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
  • MST: up to 16 instances of RSTP (802.1w); combines many VLANs with the same physical and logical topology into a common RSTP instance. Includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.

  5. Access design: STP or not STP

  6. L2 topologies

  7. Layer 3 (section divider; deck outline: Operation, Tunneling, L3, L2 and overlays, Security)

  8. Layer 3 Design
  • The network must be reliable and resilient
  • The network must be manageable
  • The network must be scalable

  9. Layer 3 Design: triangle vs square
  • Triangles: a link or box failure does NOT require routing protocol convergence (the alternate path is already in the routing table)
  • Squares: a link or box failure requires routing protocol convergence

  10. OSPF in a Campus / EIGRP in a Campus
  OSPF:
  • Area 0 in the core, distribution blocks in their own areas (Area 10 in the figure)
  • Access/distribution routers: ospf stub no-summary (totally stubby area)
  • Caveat: a router that comes up may advertise the default route into the stub area immediately, before its core adjacencies are up (if a loopback is in Area 0 it is an ABR from the start)
  EIGRP:
  • Summaries in the core
  • Queries are not forwarded; stub routers give immediate replies
  • Access routers: eigrp stub

  11. OSPF as PE-CE protocol / EIGRP as PE-CE protocol
  OSPF:
  • Sham-link: the MPLS backbone path becomes intra-area, so the route with the lower cost wins against a backdoor link
  • Set the down bit (LSA type 3) or the domain ID (LSA type 5) when re-advertising into the CE side; PEs ignore routes carrying the down bit
  • IA routes preferred: with the same domain ID on both PEs, routes are re-advertised as type 3 (inter-area), otherwise as type 5
  EIGRP:
  • The AS should be the same on all sites (otherwise routes are re-injected as external)
  • Metric, AS and SoO are transported as BGP extended communities
  • Cost community with the pre-bestpath point of insertion (so the EIGRP metric is compared before BGP best path when a backdoor exists)
  • SoO is transported into EIGRP
  • SoO on the PE: the same SoO per site; SoO on the CEs: one SoO per CE

  12. OSPF

  13. OSPF Areas (LSA types present in each area type)
  • Standard area: type 1 & 2 generated inside; type 3 (summary), type 4 (ASBR summary) and type 5 (external) received from Area 0
  • Stub area: type 1 & 2 inside; type 3 and a default route from the ABR; no type 4/5
  • Totally stubby area: type 1 & 2 inside; only a default route from the ABR; no type 3/4/5

  14. OSPF Areas (NSSA)
  • NSSA: type 1 & 2 and type 3 inside; externals redistributed inside the area are type 7, translated to type 5 by the ABR toward Area 0; no type 4/5 from Area 0; a default route only if the ABR is configured to originate one
  • Totally NSSA: type 1 & 2 and type 7 inside; type 3 is replaced by a default route from the ABR; type 7 translated to type 5 toward Area 0

  15. OSPF NBMA and partial-mesh networks
  Either:
  • set the DR priority to 0 on all partially meshed nodes, and set broadcast mode on all links
  or:
  • set the DR priority to 0 on all partially meshed nodes, and configure the peers manually in unicast (non-broadcast) mode

  16. Troubleshooting adjacencies
  • EIGRP: same AS; same primary IP subnet; same metrics (K values)
  • OSPF: same area; same area type; same IP subnet and mask (not checked on point-to-point); same hello and dead intervals; same MTU
  • IS-IS: same area for L1 adjacencies; different system IDs; same MTU; same IP subnet; same network/interface type (multipoint or point-to-point)

  17. IS-IS inter-area
  • L1/L2 routers set the attached bit when they have an L2 adjacency into another area. L1 routers that see the attached bit install a default route toward the closest advertising L1/L2 router.
  • Intra-area (L1) routes are preferred over inter-area (L2) routes even if the metric is greater
  • L1 routes are advertised by L1/L2 routers to the other L2 routers
  • L1/L2 routers may be configured to leak L2 routes into the L1 domain
  System ID best practice: derive it from the main loopback IP address
  • pad each octet to three digits: 192.168.1.24 -> 192.168.001.024
  • regroup into the XXXX.XXXX.XXXX format: 192.168.001.024 -> 1921.6800.1024
  • prefix with 49.<area, 4 hex digits> and append 00 as the NSEL: 1921.6800.1024 -> 49.<area>.1921.6800.1024.00

  18. VPN backdoors
  • Partial mesh of sham links: the backbone is preferred
  • BGP backdoor (network ... backdoor): the IGP route over the internal link is preferred over eBGP, because the backdoor raises the eBGP route's administrative distance to 200

  19. Traffic engineering with BGP advertisements (outgoing announcements that steer inbound traffic)
  Route reflectors: follow the physical topology
  • a session between an RR and a non-client should not traverse a client
  • a session between an RR and its client should not traverse a non-client
  Tools:
  • AS path prepending
  • MED
  • communities
  • selective advertisements (no backup)
  • specific (more specific) advertisements

  20. BGP confederations

  21. Remotely triggered black hole (RTBH)
  Destination-based (remotely triggered black hole):
  • every CE/edge router: static route 192.0.2.1/32 -> Null0
  • NOC trigger router: announce the attacked prefix 10.1.1.0/24 with next hop 192.0.2.1 (via iBGP); every edge then drops traffic to 10.1.1.0/24 into Null0
  Source-based (source triggered black hole):
  • every CE/edge router: static route 192.0.2.1/32 -> Null0, plus loose uRPF on the ingress interfaces
  • NOC trigger router: announce the attacking source prefix 192.168.1.0/24 with next hop 192.0.2.1; the source prefix now resolves to Null0, so packets from it fail the loose uRPF check and are dropped at the edge
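Both variants of the slide as a Cisco IOS configuration. This is an added example for this page, not configuration from the original deck; the AS number, loopbacks and the attacked and attacking prefixes are assumptions (iBGP AS 65000, trigger router loopback 10.0.0.254, edge loopback 10.0.0.1, victim 10.1.1.0/24, attacker 192.168.1.0/24). The discard next hop 192.0.2.1 is the slide's own choice (TEST-NET-1, never routed for real).

```cisco
! Added example, not from the original slides: destination-based and
! source-based RTBH on Cisco IOS. Assumed: iBGP AS 65000, trigger router
! loopback 10.0.0.254, edge loopback 10.0.0.1, victim prefix 10.1.1.0/24,
! attacking source 192.168.1.0/24, discard next hop 192.0.2.1.
!
! ===== every edge/CE router =====
ip route 192.0.2.1 255.255.255.255 Null0     ! the discard next hop
!
interface GigabitEthernet0/0
 description upstream / customer facing
 ip verify unicast source reachable-via any  ! loose uRPF: needed for the source-based variant only
!
router bgp 65000
 neighbor 10.0.0.254 remote-as 65000
 neighbor 10.0.0.254 update-source Loopback0
 address-family ipv4
  neighbor 10.0.0.254 activate
!
! ===== NOC trigger router =====
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 address-family ipv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community
  redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666                    ! only statics deliberately tagged as triggers
 set ip next-hop 192.0.2.1        ! resolves to Null0 on every edge
 set local-preference 200         ! wins over any legitimate path
 set origin igp
 set community no-export          ! never leak the black hole to external peers
!
! --- destination-based: drop everything sent TO the victim ---
ip route 10.1.1.0 255.255.255.0 Null0 tag 666
! Each edge now forwards 10.1.1.0/24 -> 192.0.2.1 -> Null0.
!
! --- source-based: drop everything sent FROM the attacker ---
ip route 192.168.1.0 255.255.255.0 Null0 tag 666
! The edge route for 192.168.1.0/24 now points to Null0, so packets with
! that source fail loose uRPF on the ingress interface and are dropped.
!
! Withdraw a black hole by removing its trigger route, e.g.:
!   no ip route 10.1.1.0 255.255.255.0 Null0 tag 666
```

The tag/route-map pair is what keeps the trigger safe: only statics carrying tag 666 are turned into black-hole announcements, and no-export keeps them inside the AS. Verify on an edge with show ip route 10.1.1.1 (next hop 192.0.2.1, then Null0) and, for the source-based case, show ip interface GigabitEthernet0/0 | include verify and the uRPF drop counters in show ip traffic.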

  22. IPv6

  23. IPv6 deployment scenarios (comparison of three campus models)
  Models: Dual Stack / Hybrid / Service Block
  • Transport: native IPv6 (Dual Stack) vs ISATAP and manually configured tunnels (Hybrid, Service Block)
  • QoS: end to end (Dual Stack) vs marking at tunnel egress (tunnelled models)
  • mCast, HA, IGP: compared per model on the slide
  • HA with tunnels: single ISATAP with anycast, no load balancing (Hybrid) vs single ISATAP with anycast, load balancing after the tunnels (Service Block)
  Caveats:
  • Dual Stack: IPv6 hardware required; no per-user / per-application control
  • Hybrid: the core layer becomes the access layer for IPv6 tunnels
  • Service Block: new IPv6 hardware

  24. High Availability (from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf)
  Router resiliency:
  • Non-Stop Routing
  • Reliable hardware, high MTBF
  • Redundant components, HA
  Network resiliency:
  • Rapid failure detection
  • Network design
  • Quick convergence

  25. IS-IS: summarisation and route leaking between Area 1 (CE2, CE3) and Area 2 (CE4, CE5)
  Topology: CE2 (2.2.2.2/32, Area 1, L1) -- Fast, 10.1.23.0/24 -- CE3 (3.3.3.3/32, Area 1, L1/L2) -- Fast, 10.1.34.0/24 -- CE4 (4.4.4.4/32, Area 2, L1/L2) -- Fast, 10.1.45.0/24 -- CE5 (5.5.5.5/32, Area 2, L1)
  CE2 (straightforward configuration):
  router isis
   net 49.0100.0000.0000.0002.00
   area-password IS-IS
   ! area-password is sent in clear text; use authentication mode md5 with a key chain in production
   metric-style wide              ! required for the tag TLV
   log-adjacency-changes
  interface Loopback2
   ip address 2.2.2.2 255.255.255.255
   ip router isis
  interface FastEthernet1
   ip address 10.1.23.2 255.255.255.0
   ip router isis
   isis circuit-type level-1
  CE3 (summarisation + leaking):
  router isis
   net 49.0100.0000.0000.0003.00
   area-password IS-IS
   metric-style wide
   log-adjacency-changes
   redistribute isis ip level-2 into level-1 route-map MatchTag5   ! route-map MatchTag5 (matching tag 5) is not shown on the slide
  interface Loopback3
   ip address 3.3.3.3 255.255.255.255
   ip router isis
  interface FastEthernet1          ! written "FastEthernet01" on the slide
   ip address 10.1.23.3 255.255.255.0
   ip router isis
   isis circuit-type level-1
  interface FastEthernet2
   ip address 10.1.34.3 255.255.255.0
   ip router isis
  CE4 (summarisation + leaking):
  router isis
   net 49.0200.0000.0000.0004.00
   metric-style wide
   log-adjacency-changes
   summary-address 5.5.0.0 255.255.0.0 tag 5
  interface Loopback4
   ip address 4.4.4.4 255.255.255.255
   ip router isis
   isis tag 5
  interface FastEthernet1
   ip address 10.1.45.4 255.255.255.0
   ip router isis
   ! level-1 circuit type deliberately not configured here
  interface FastEthernet2
   ip address 10.1.34.4 255.255.255.0
   ip router isis
  CE5 (straightforward configuration):
  router isis
   net 49.0200.0000.0000.0005.00
   metric-style wide
   log-adjacency-changes
  interface Loopback5
   ip address 5.5.5.5 255.255.255.255
   ip router isis
  interface FastEthernet1
   ip address 10.1.45.5 255.255.255.0
   ip router isis
   isis circuit-type level-1
  Resulting routing tables:
  CE2#sh ip route | i ^i
  i L1   3.3.3.3 [115/20] via 10.1.23.3, Fast0
  i ia   4.4.4.4 [115/30] via 10.1.23.3, Fast0
  i ia   5.5.0.0 [115/40] via 10.1.23.3, Fast0
  i L1   10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
  i*L1   0.0.0.0/0 [115/10] via 10.1.23.3, Fast0
  CE4#sh ip route | in ^i
  i L2   2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
  i L2   3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
  i su   5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
  i L1   5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
  i L2   10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1
  CE3#sh ip route | in ^i
  i L1   2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
  i L2   4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
  i L2   5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
  i L2   10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1
  CE5#sh ip route | in ^i
  i L1   4.4.4.4 [115/20] via 10.1.45.4, Fast1
  i L1   10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
  i*L1   0.0.0.0/0 [115/10] via 10.1.45.4, Fast1
  Reading the outputs: CE4 summarises 5.5.0.0/16 with tag 5 (and installs the "su" discard route to Null0) and tags its own loopback with tag 5; CE3 leaks only tag-5 L2 routes into Area 1, so CE2 sees 4.4.4.4 and 5.5.0.0 as "ia" (leaked) routes next to the default route it derives from the attached bit. CE5, with no leaking in Area 2, only has the default route toward CE4.

  26. OSPF: NSSA (Area 202) with RIP redistribution and summarisation at the ASBR and at the NSSA ABR
  Topology: CE1 (lyo-maq-2611-01, RIP, loopbacks 1.1.1.1/24, 2.2.2.2/24, 3.3.3.3/24) -- Fast1, 10.1.12.0/24 -- CE2 (lyo-maq-2611-02, RIP and OSPF Area 202, NSSA ASBR) -- Fast2, 10.1.23.0/24 -- CE3 (lyo-maq-2811-03, NSSA ABR) -- Fast3, 10.1.34.0/24 -- CE4 (Area 0)
  CE1:
  interface Loopback1111
   ip address 1.1.1.1 255.255.255.0
  interface Loopback2222
   ip address 2.2.2.2 255.255.255.0
  interface Loopback3333
   ip address 3.3.3.3 255.255.255.0
  router rip
   version 2
   redistribute connected route-map Loopbacks   ! route-map Loopbacks is not shown on the slide
   passive-interface default
   no passive-interface FastEthernet1
   network 10.0.0.0
   no auto-summary
  CE2:
  router rip
   version 2
   timers basic 15 45 15 60
   passive-interface default
   network 10.0.0.0
   no auto-summary
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 3.0.0.0 255.0.0.0 not-advertise    ! 3.3.3.0/24 is suppressed from the type 7 LSAs
   summary-address 2.2.0.0 255.255.0.0                ! 2.2.2.0/24 is announced as 2.2.0.0/16
   redistribute rip metric 123 metric-type 1 subnets
   network 10.1.23.0 0.0.0.255 area 202
  CE3:
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 10.0.0.0 255.0.0.0 not-advertise   ! applied during the type 7 to type 5 translation
   summary-address 1.0.0.0 255.0.0.0
   network 10.1.23.0 0.0.0.255 area 202
   network 10.1.34.0 0.0.0.255 area 0
  ! Remark: for inter-area (type 3) routes use instead
  !  area 10 filter-list prefix FILTER out
  !  area 10 range 10.0.0.0 255.0.0.0 not-advertise
  ! Only for standard areas
  CE4:
  router ospf 1
   network 10.1.34.0 0.0.0.255 area 0
  Resulting routing tables:
  lyo-maq-2611-01#sh ip route | i ^C
  C    1.1.1.0 is directly connected, Loopback1111
  C    2.2.2.0 is directly connected, Loopback2222
  C    3.3.3.0 is directly connected, Loopback3333
  C    10.1.12.0/24 is directly connected, Fast1
  lyo-maq-2611-02#sh ip route | i ^R|^O
  R    1.1.1.0 [120/1] via 10.1.12.1, Fast1
  O    2.2.0.0/16 is a summary, Null0
  R    2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
  R    3.3.3.0 [120/1] via 10.1.12.1, Fast1
  O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2
  lyo-maq-2811-03#sh ip route | i ^O
  O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
  O    1.0.0.0/8 is a summary, Null0
  O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
  O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2
  CE4 (the slide shows this output under the hostname lyo-maq-2811-03 as well):
  #sh ip route | i ^O
  O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
  O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3
  Reading the outputs: CE2 (ASBR) drops 3.3.3.0/24 and summarises 2.2.2.0/24 into 2.2.0.0/16 while originating the type 7 LSAs; CE3 (ABR) drops 10.1.12.0/24 and summarises 1.1.1.0/24 into 1.0.0.0/8 while translating type 7 into type 5, so Area 0 (CE4) only sees the two E1 summaries.

  27. Tunneling & MPLS (section divider; deck outline: Operation, Tunneling, L3, L2 and overlays, Security)

  28. MPLS TE: how to route a flow into a tunnel
  • Static routing
  • PBR
  • Autoroute
    • the tunnel is included in the head end's SPF calculation but not advertised into the IGP: other routers are unaware of the tunnel
    • the default metric is the IGP metric to the tail end
    • relative/absolute metrics, similar to OSPF E1/E2 externals
    • the LSP tail end is always routed through the tunnel
    • IGP + LSP load sharing is available behind the tail end; load sharing toward the tail end itself needs 2 LSPs
  • Forwarding Adjacency
    • the tunnel is propagated into the IGP as a link

  29. Inter-area MPLS TE
  Multi-domain LSP: each domain's core topology should be hidden
  • per-domain static ERO (next-hop loose <IP edge> ...)
  • CSPF stitching: CSPF calculation on each ASBR, then the ERO is extended, hiding the core topology
  • backward recursive path computation: a tree is built from the destination PE (<PE>, <ASBR n> = cost X) and the topology is extended by each domain toward the source
  • Stitching: uses targeted signalling
  • Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP; targeted signalling required

  30. Inter-domain VPN with CSC (Carrier Supporting Carrier), IGP variant
  Roles: CE1 - PE1 - CSC-CE1 - CSC-PE1 - [backbone provider] - CSC-PE2 - CSC-CE2 - PE2 - CE2
  • Outer VPN definition (backbone provider): CSC-CE <-> CSC-PE runs IGP + local loopback and IGP + LDP (int e0/0: mpls ip), exchanging IPv4 routes + labels; CE-PE route distribution as usual
  • Inner VPN definition and routing in vpnv4: MP-iBGP session PE1 <-> PE2 (vpnv4 multihop e/i-BGP peering, next-hop-unchanged)
  • On the CSC-PE: IGP -> ipv4 BGP redistribution into the ipv4 address-family of the vrf (inner)

  31. Inter-domain VPN with CSC, eBGP variant
  Same roles as slide 30 (CE1 - PE1 - CSC-CE1 - CSC-PE1 - [backbone provider] - CSC-PE2 - CSC-CE2 - PE2 - CE2)
  • Outer VPN definition (backbone provider): CSC-CE <-> CSC-PE runs IGP + local loopback, then a BGP session with neighbor ... send-label on both sides (IPv4 + labels); mpls ip is not necessary on the link
  • Inner VPN definition and routing in vpnv4: MP-iBGP session PE1 <-> PE2 (vpnv4 multihop e/i-BGP peering, next-hop-unchanged)
  • On the CSC-PE: neighbor ... as-override (the same customer AS is used at both ends) and bgp send-label

  32. Inter-domain VPN option B (VPNv4 eBGP between ASBRs)
  ASBR1 (AS 1):
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <PEs> remote-as 1
   no bgp default route-target filter
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <PEs> next-hop-self
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-community extended
  • a new label is allocated by the ASBR for each VPNv4 prefix it re-advertises
  • eBGP session: no route-target filtering (the ASBR has no VRF importing these route targets)
  • iBGP session: next-hop-self toward the PEs
  • Option B1: next-hop-self method; Option B2: redistribute-connected method

  33. Inter-domain VPN option C (eBGP + send-label between ASBRs, VPNv4 between RRs)
  Label 1: PE loopback reachability via eBGP + send-label (or IGP + LDP inside the AS); Label 2: the VPN label
  PE (AS 1):
  router bgp 1
   neighbor <RR1> remote-as 1
   address-family vpnv4
    neighbor <RR1> activate
  ASBR1 (AS 1):
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <RR1> remote-as 1
   address-family ipv4
    redistribute <IGP>
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-label
   address-family vpnv4
    neighbor <RR1> activate
  router <IGP>
   network <loopback>
   redistribute bgp 1       ! with LDP, so the other AS's PE loopbacks get labels inside AS 1
  RR1 (AS 1):
  router bgp 1
   neighbor <PEs> remote-as 1
   neighbor <RR2> remote-as 2
   neighbor <RR2> ebgp-multihop
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <RR2> activate
    neighbor <RR2> next-hop-unchanged

  34. MPLS QoS tunnelling modes
  • Uniform (MPLS EXP value set by the ISP)
  • Short pipe
  • Pipe

  35. L2VPN
  • VPWS, Virtual Private Wire Service: point to point
    • L2 protocol translation ("L2.5 VPN")
    • targeted LDP (tLDP) session
    • redundancy by nominal/backup sessions
  • VPLS, Virtual Private LAN Service: point to multipoint
    • autodiscovery with BGP
    • for Cisco: VPLS = full mesh of pseudowires
  • H-VPLS
    • full mesh between N-PEs
    • pseudowire between the User PE (U-PE) and the Network PE (N-PE)
    • redundancy with STP or PW backup between U-PE and N-PE

  36. Operations: Monitoring, Management, Performance (section divider; deck outline: Operation, Tunneling, L3, L2 and overlays, Security)

  37. Troubleshooting high CPU utilization
  • Identify the process: show proc cpu sorted; show log
  • Usual causes: ARP, BGP, Exec, SNMP, NAT, TCAM full (Catalyst 3550/...), IP Input
  • For IP Input (process-switched traffic): show interfaces stats; show interfaces; show interfaces switching

  38. QoS operation order
  Inbound:
  1. QoS Policy Propagation through Border Gateway Protocol (QPPB)
  2. Input common classification
  3. Input ACLs
  4. Input marking (class-based marking or Committed Access Rate, CAR)
  5. Input policing (class-based policer or CAR)
  6. IPsec
  7. Cisco Express Forwarding (CEF) or fast switching
  Outbound:
  1. CEF or fast switching
  2. Output common classification
  3. Output ACLs
  4. Output marking
  5. Output policing (class-based policer or CAR)
  6. Queueing (Class-Based Weighted Fair Queueing, CBWFQ, and Low Latency Queueing, LLQ) and Weighted Random Early Detection (WRED)

  39. Multipoint WAN QoS
  • Remote ingress shaping: 95% of the line rate
  • Egress shaping (FR): 95% of the smallest bandwidth

  40. QoS Models
  • 4-class model: Realtime; Signaling / Control; Critical Data; Best Effort
  • 8-class model: Voice; Interactive Video; Streaming Video; Signaling; Network Control; Critical Data; Best Effort; Scavenger
  • 12-class model: Voice; Realtime Interactive; Multimedia Conferencing; Broadcast Video; Multimedia Streaming; Signaling; Network Control; Network Management; Transactional Data; Bulk Data; Best Effort; Scavenger

  41. Security (section divider; deck outline: Operation, Tunneling, L3, L2 and overlays, Security)

  42. Internet Edge
  • DMZ: public-facing services
  • Private DMZ: internal services (DNS, collaboration, HTTP), not exposed to the outside
  • Infrastructure ACLs

  43. Internet Edge
  Secure Operations
  • Monitor Cisco Security Advisories and Responses
  • Leverage Authentication, Authorization, and Accounting
  • Centralize log collection and monitoring
  • Use secure protocols when possible
  • Gain traffic visibility with NetFlow
  • Configuration management
  Data Plane
  • General data plane hardening
  • Filtering transit traffic with transit ACLs
  • Anti-spoofing protections
  • Limiting CPU impact of data plane traffic
  • Traffic identification and traceback
  • Access control with VLAN maps and port access control lists
  • Using private VLANs

  44. Internet Edge
  Management Plane
  • General management plane hardening: password management; restrict protocols; use secure protocols; exec-timeout; event detection (memory and CPU thresholds)
  • Limiting access to the network with infrastructure ACLs
  • Securing interactive management sessions
  • Using Authentication, Authorization, and Accounting
  • Fortifying the Simple Network Management Protocol
  • Logging best practices
  • Cisco IOS Software configuration management
  Control Plane
  • General control plane hardening: filter ICMP, fragments and source-routed packets; disable proxy ARP
  • Limiting CPU impact of control plane traffic: filter fragments and non-IP traffic; rate-limit ICMP unreachables
  • Securing BGP
  • Securing Interior Gateway Protocols
  • Securing First Hop Redundancy Protocols
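The management- and control-plane checklist above as one Cisco IOS configuration. This is an added example written for this page, not configuration from the original deck or from Cisco's hardening guide; every address, name and AS number is an assumption (NOC subnet 10.255.0.0/24, TACACS+ 10.255.0.10, syslog/SNMP collector 10.255.0.20, loopback 10.0.0.1, domain example.net, eBGP peer 203.0.113.2 in AS 65001) and <...> marks a secret to be supplied.

```cisco
! Added example, not from the original slides: management- and control-plane
! hardening on Cisco IOS following the checklist. Assumed values, to be
! replaced: NOC subnet 10.255.0.0/24, TACACS+ server 10.255.0.10, syslog and
! SNMP collector 10.255.0.20, loopback 10.0.0.1, domain example.net, eBGP
! peer 203.0.113.2 in AS 65001; <...> are secrets.
!
! ----- management plane: general hardening -----
service password-encryption
service timestamps log datetime msec localtime show-timezone
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
no ip http secure-server                  ! SSH is the only interactive protocol
enable secret <enable-password>
ip domain-name example.net
crypto key generate rsa modulus 2048      ! run once, interactively
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! ----- AAA, with a local fallback account -----
aaa new-model
tacacs server NOC-TACACS
 address ipv4 10.255.0.10
 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <fallback-password>
!
! ----- interactive sessions: who, how, and for how long -----
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh                      ! restrict protocols: no telnet
 exec-timeout 10 0
!
! ----- logging and SNMPv3 (authPriv only, no communities) -----
logging buffered 64000 informational
logging source-interface Loopback0
logging host 10.255.0.20
logging trap informational
no snmp-server community public
no snmp-server community private
snmp-server group NOC-RO v3 priv access MGMT-HOSTS
snmp-server user nocro NOC-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
! ----- event detection (memory, CPU thresholds) -----
process cpu threshold type total rising 80 interval 5 falling 50 interval 5
memory free low-watermark processor 20000
!
! ----- infrastructure ACL: transit traffic may not target the router itself -----
ip access-list extended INFRA-IN
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 deny   ip any host 203.0.113.1 log
 deny   ip any host 10.0.0.1 log
 permit ip any any
!
! ----- control plane: general hardening -----
no ip source-route
interface GigabitEthernet0/0
 description eBGP peering link
 ip address 203.0.113.1 255.255.255.252
 ip access-group INFRA-IN in
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
ip icmp rate-limit unreachable 1000       ! at most one ICMP unreachable per second
!
! ----- securing BGP, the IGP and the FHRP -----
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password <bgp-key>
 neighbor 203.0.113.2 ttl-security hops 1 ! GTSM: only a directly connected peer is accepted
 neighbor 203.0.113.2 maximum-prefix 1000
interface GigabitEthernet0/1
 description inside, OSPF and HSRP
 ip address 10.1.0.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospf-key>
 standby 1 ip 10.1.0.1
 standby 1 authentication md5 key-string <hsrp-key>
```

Two caveats a practitioner checks before pushing this: the infrastructure ACL must be extended with every address the router legitimately answers on (additional peers, the NOC reaching the loopback over SSH and SNMP), or the deny lines will cut management off, and the AAA method lists must be tested from a second session before the console session that applied them is closed.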

  45. Everyone wants to live on top of the mountain, but all the happiness and growth occurs while you’re climbing it.
