my CCDE cheat sheets
Philippe Jounin, 2013
Layer 2
Layer 2 Design: performance, stability and security
• Apply ACL filter on admin VLAN
• HSRP active & STP Root
• Modify VTP domain (or turn VTP off)
• Root Guard
• Loop Guard or Bridge Assurance
• Clear native VLAN
• Force access mode (disable DTP)
• Choose VLAN ≠ 1
• Apply Port Security
• BPDU Guard
• PortFast
Layer 2 Design: spanning-tree standards
• DEC STP: pre-IEEE
• 802.1w: Rapid STP (RSTP)
• 802.1D: classic STP
• 802.1s: Multiple STP (MST)
• 802.1t: 802.1D maintenance

Spanning-tree toolkit
The following enhancements to 802.1(D, s, w) comprise the Cisco spanning-tree toolkit:
• PortFast: lets the access port bypass the listening and learning phases
• UplinkFast: provides 3-to-5 second convergence after link failure
• BackboneFast: cuts convergence time by MaxAge for indirect failure
• Loop Guard: prevents the alternate or root port from being elected unless BPDUs are present
• Root Guard: prevents external switches from becoming the root
• BPDU Guard: disables a PortFast-enabled port if a BPDU is received
• BPDU Filter: prevents sending or receiving BPDUs on PortFast-enabled ports

Cisco has incorporated a number of these features into the following versions of STP:
• Per-VLAN Spanning Tree Plus (PVST+): provides a separate 802.1D spanning-tree instance for each VLAN configured in the network. This includes PortFast, UplinkFast, BackboneFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
• Rapid PVST+: provides an instance of RSTP (802.1w) per VLAN. This includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
• MST: provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. This includes PortFast, BPDU Guard, BPDU Filter, Root Guard and Loop Guard.
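Added example, not from the cheat sheet: a Python audit of a constructed IOS running-config against the Layer 2 checklist above (force access mode / disable DTP, VLAN ≠ 1, Port Security, PortFast, BPDU Guard, clear native VLAN, VTP off, Loop Guard). The sample config, interface names and finding codes are this example's own, not Cisco's or the author's.

```python
"""Audit a Cisco IOS switch running-config against the Layer 2 checklist.

Added example, not part of the original cheat sheet: the sample config is
constructed and the finding codes are this script's own names for the
slide's items (force access mode / disable DTP, VLAN != 1, Port Security,
PortFast, BPDU Guard, clear native VLAN, VTP off, Loop Guard).
"""

# Constructed sample: one hardened access port, one untouched access port,
# one uplink trunk left on native VLAN 1, VTP still in server mode.
SAMPLE_CONFIG = """\
vtp mode server
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # '!' closes the section
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def vlan_setting(lines, prefix):
    """VLAN number following `prefix`, or 1 (the IOS default) if not set."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return 1


def audit_interface(lines):
    """Finding codes for one switchport; an empty list means compliant."""
    findings = []
    if "switchport mode trunk" in lines:
        if vlan_setting(lines, "switchport trunk native vlan ") == 1:
            findings.append("native-vlan-1")    # clear the native VLAN
    else:
        if "switchport mode access" not in lines:
            findings.append("no-access-mode")   # force access mode
        if vlan_setting(lines, "switchport access vlan ") == 1:
            findings.append("vlan-1")           # choose VLAN != 1
        if not any(l.startswith("switchport port-security") for l in lines):
            findings.append("no-port-security")
        if "spanning-tree portfast" not in lines:
            findings.append("no-portfast")
        if "spanning-tree bpduguard enable" not in lines:
            findings.append("no-bpduguard")
    if "switchport nonegotiate" not in lines:
        findings.append("dtp-enabled")          # DTP still negotiates trunks
    return findings


def audit_config(text):
    """Return {interface name or 'global': [finding codes]}."""
    global_lines, interfaces = parse_config(text)
    report = {name: audit_interface(lines) for name, lines in interfaces.items()}
    glob = []
    if not any(l in ("vtp mode off", "vtp mode transparent") for l in global_lines):
        glob.append("vtp-not-off")              # modify VTP domain or turn VTP off
    if "spanning-tree loopguard default" not in global_lines:
        glob.append("no-loopguard")
    report["global"] = glob
    return report


if __name__ == "__main__":
    for name, codes in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:24} {'OK' if not codes else ', '.join(codes)}")
```

Run it over a saved `show running-config`; an interface with no findings satisfies every checklist item the script knows about, and the `global` entry covers the VTP and Loop Guard items that live outside interface sections.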
Layer 3
Layer 3 Design: principles
• The network must be reliable and resilient
• The network must be manageable
• The network must be scalable
Layer 3 Design: triangle vs square
• Triangles: a link or box failure does NOT require routing protocol convergence
• Squares: a link or box failure requires routing protocol convergence
OSPF in a Campus
• Area 0 in the core, Area 10 for the access block; the area is totally stubby: ospf stub no-summary
• The router comes up and may advertise the default route immediately (if a loopback is in Area 0)

EIGRP in a Campus
• Summaries toward the core
• eigrp stub on the access routers: queries are not forwarded, immediate replies
OSPF as PE-CE protocol
• Sham-link: use the route with the lower cost
• Set the down bit (LSA type 3) or domain ID (LSA type 5)
• Ignore routes with the down bit set
• IA routes preferred

EIGRP as PE-CE protocol
• AS should be the same
• Metric/AS/SOO transported as communities
• Pre-best-path point of insertion
• SOO transported into EIGRP
• SOO on PE: same SOO per site
• SOO on CEs: one SOO per CE
OSPF Areas: LSA types received from Area 0 and from external routes
  Standard area:     type 1 & 2, type 3, type 4, type 5
  Stub area:         type 1 & 2, type 3, default route
  Totally stubby:    type 1 & 2, default route
  NSSA:              type 1 & 2, type 3, type 7 (translated to type 5 into Area 0), default route
  Totally NSSA:      type 1 & 2, type 7 (translated to type 5 into Area 0), default route
OSPF NBMA and partial-mesh networks
• Broadcast mode
  • Set broadcast mode on all links
  • Set the DR priority to 0 on all partially meshed nodes
• Unicast (non-broadcast) mode
  • Configure the peers manually in unicast mode
  • Set the DR priority to 0 on all partially meshed nodes
Troubleshooting adjacencies
• EIGRP
  • same AS
  • same primary IP subnet
  • same metrics
• OSPF
  • same area
  • same area type
  • same IP subnet and mask (not checked on point-to-point links)
  • same hello and dead intervals
  • same MTU
• IS-IS
  • same area for L1 adjacencies
  • different system ID
  • same MTU
  • same IP subnet
  • same network/interface type (multipoint or point-to-point)
IS-IS inter-area
• L1/L2 routers set the attached bit if they are adjacent to L2 routers in another area. L1 routers receiving the attached bit generate a default route toward the advertising router and propagate it (transitive).
• Intra-area routes are preferred over inter-area routes even if the metric is greater.
• L1 routes are advertised by L1/L2 routers to other L2 routers.
• L1/L2 routers may be configured to leak L2 routes into the L1 domain.

System ID best practice
1. Add implicit zeros to the main IP loopback: 192.168.1.24 → 192.168.001.024
2. Transfer it to XXXX.XXXX.XXXX format: 192.168.001.024 → 1921.6800.1024
3. Add 49.<4 bytes area> in front and 00 as NSEL: 1921.6800.1024 → 49.area.1921.6800.1024.00
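Added example, not from the cheat sheet: the three system ID steps above in Python, plus the reverse mapping and a check that no two NETs share a system ID (the "different system ID" adjacency requirement). Function names are this example's own; the area value is passed in as the hex field written in the NET.

```python
"""Derive an IS-IS system ID and NET from a loopback address.

Added example, not part of the original cheat sheet; it implements the
three steps of the slide's "System ID best practice", the reverse mapping,
and the uniqueness check from the adjacency checklist.
"""
import ipaddress


def system_id_from_loopback(loopback):
    """192.168.1.24 -> 192.168.001.024 -> 192168001024 -> 1921.6800.1024"""
    addr = ipaddress.IPv4Address(loopback)          # rejects malformed input
    digits = "".join(f"{octet:03d}" for octet in addr.packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def loopback_from_system_id(system_id):
    """Reverse mapping: 1921.6800.1024 -> 192.168.1.24."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"not a loopback-derived system ID: {system_id}")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {system_id}")
    return ".".join(str(o) for o in octets)


def net_from_loopback(loopback, area):
    """Build 49.<area>.<system-id>.00: AFI 49 (private), area field, NSEL 00.

    `area` is the hex area field as written in the NET, e.g. "0001", or
    "0100" as in the lab configs further down this page.
    """
    area = area.replace(".", "").lower()
    if not area or len(area) % 4 or any(c not in "0123456789abcdef" for c in area):
        raise ValueError(f"area must be whole groups of 4 hex digits: {area!r}")
    grouped = ".".join(area[i:i + 4] for i in range(0, len(area), 4))
    return f"49.{grouped}.{system_id_from_loopback(loopback)}.00"


def duplicate_system_ids(nets):
    """System IDs used by more than one NET (each router needs its own)."""
    seen, dups = set(), set()
    for net in nets:
        sysid = ".".join(net.split(".")[-4:-1])   # the three groups before NSEL
        if sysid in seen:
            dups.add(sysid)
        seen.add(sysid)
    return sorted(dups)


if __name__ == "__main__":
    print(net_from_loopback("192.168.1.24", "0001"))
```

Because the system ID is derived from the loopback, the same script can reverse the mapping when reading a `show isis neighbors` output and check a whole set of NETs for collisions before they are pushed to routers.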
VPN backdoors
• Partial mesh of sham links: backbone preferred
• BGP backdoor: IGP (internal links) preferred over eBGP
BGP Route Reflectors: follow the physical topology
• A session between an RR and a non-client should not traverse a client
• A session between an RR and its client should not traverse a non-client

Outgoing traffic engineering with BGP
• AS path prepending
• MED
• communities
• selective advertisements (no backup)
• specific advertisements
Remotely triggered black hole (RTBH) and source-triggered black hole
• Every CE edge router carries a static route 192.0.2.1/32 to Null0 (pre-provisioned discard next hop)
• The NOC (10.1.1.0/24) announces the prefix to black-hole, 192.168.1.0/24, with next hop 192.0.2.1; traffic to that prefix is then discarded at the edge
• Source-triggered variant: the same announcement plus loose uRPF on the CE ingress interfaces, so packets sourced from 192.168.1.0/24 fail the uRPF check and are dropped
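Added example, not from the cheat sheet: a small Python model of the mechanism above. It builds a CE FIB with the 192.0.2.1/32 → Null0 discard route, applies the NOC announcement, and shows how the same route drops traffic to the prefix (destination-based) and, through loose uRPF, traffic from it (source-based). The interface names "Upstream" and "Customer" and the FIB class are this example's assumptions.

```python
"""Simulate destination- and source-triggered black holing on an edge router.

Added example, not part of the original cheat sheet. It models the slide:
every CE carries a static route 192.0.2.1/32 to Null0, the NOC injects the
prefix to drop with next hop 192.0.2.1, and loose uRPF on the ingress
interface turns the same route into a source-based filter. Interface names
("Upstream", "Customer") are constructed.
"""
import ipaddress


class Fib:
    """Tiny FIB with longest-prefix match and recursive next-hop resolution."""

    def __init__(self):
        self.routes = []   # (network, next_hop, interface)

    def add(self, prefix, next_hop=None, interface=None):
        nh = ipaddress.ip_address(next_hop) if next_hop else None
        self.routes.append((ipaddress.ip_network(prefix), nh, interface))

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, nh, ifc in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        return best

    def resolve(self, address, depth=0):
        """Follow BGP-style next hops until a route with an outgoing interface."""
        entry = self.lookup(address)
        if entry is None or depth > 8:
            return None
        _net, nh, ifc = entry
        if ifc is not None:
            return ifc
        return self.resolve(nh, depth + 1) if nh is not None else None


def build_edge_fib():
    """CE router before any trigger: default upstream, customer net, discard route."""
    fib = Fib()
    fib.add("0.0.0.0/0", interface="Upstream")
    fib.add("10.1.1.0/24", interface="Customer")      # NOC network from the slide
    fib.add("192.0.2.1/32", interface="Null0")        # pre-provisioned discard next hop
    return fib


def noc_trigger(fib, prefix):
    """The NOC's iBGP announcement: <prefix> with next hop 192.0.2.1."""
    fib.add(prefix, next_hop="192.0.2.1")


def forward(fib, dst):
    """Destination-based RTBH: a Null0 egress means the packet is dropped."""
    egress = fib.resolve(dst)
    return "drop" if egress in (None, "Null0") else f"forward via {egress}"


def loose_urpf_permits(fib, src):
    """Loose uRPF: the source must resolve to a real interface, not Null0."""
    egress = fib.resolve(src)
    return egress is not None and egress != "Null0"


if __name__ == "__main__":
    fib = build_edge_fib()
    print("before:", forward(fib, "192.168.1.5"), loose_urpf_permits(fib, "192.168.1.5"))
    noc_trigger(fib, "192.168.1.0/24")
    print("after: ", forward(fib, "192.168.1.5"), loose_urpf_permits(fib, "192.168.1.5"))
```

The point the model makes explicit: nothing changes on the CE at trigger time except one BGP route, and the discard next hop already in the FIB decides both the forwarding result and the uRPF verdict.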
IPv6 deployment scenarios
• Dual Stack
  • native IPv6
  • QoS end to end
  • HA: IGP
  • IPv6 hardware required, no per-user/per-application control
• Hybrid
  • ISATAP and manually configured tunnels
  • marking at tunnel egress
  • HA: single ISATAP with anycast, no load balancing
  • core layer becomes access for IPv6 tunnels
• Service Block
  • HA: single ISATAP with anycast, load balancing after tunnels
  • new IPv6 hardware
The slide compares the three models on transport, QoS, multicast, HA and hardware.
High Availability (from http://www.sanog.org/resources/sanog14/sanog14-paresh-highavailability.pdf)
• Router resiliency
  • Non-Stop Routing
  • Reliable hardware: high MTBF, redundant components
• Network resiliency
  • Rapid failure detection
  • Network design
  • Quick convergence
IS-IS lab: summarization + leaking
Topology: CE2 (Area 1) -- 10.1.23.0/24 -- CE3 (Area 1) -- 10.1.34.0/24 -- CE4 (Area 2) -- 10.1.45.0/24 -- CE5 (Area 2); loopbacks 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32, 5.5.5.5/32.

CE2 (straightforward configuration):
  router isis
   net 49.0100.0000.0000.0002.00
   area-password IS-IS
   metric-style wide             ! required for the tag TLV
   log-adjacency-changes
  interface Loopback2
   ip address 2.2.2.2/32
   ip router isis
  interface FastEthernet1
   ip address 10.1.23.2/24
   ip router isis
   isis circuit-type level-1

CE3 (summarization + leaking):
  router isis
   net 49.0100.0000.0000.0003.00
   area-password IS-IS
   metric-style wide
   log-adjacency-changes
   redistribute isis ip level-2 into level-1 route-map MatchTag5
  interface Loopback3
   ip address 3.3.3.3/32
   ip router isis
  interface FastEthernet0
   ip address 10.1.23.3/24
   ip router isis
   isis circuit-type level-1
  interface FastEthernet2
   ip address 10.1.34.3/24
   ip router isis

CE4 (summarization + leaking):
  router isis
   net 49.0200.0000.0000.0004.00
   metric-style wide
   log-adjacency-changes
   summary-address 5.5.0.0 255.255.0.0 tag 5
  interface Loopback4
   ip address 4.4.4.4/32
   ip router isis
   isis tag 5
  interface FastEthernet1
   ip address 10.1.45.4/24
   ip router isis                ! level-1 not configured on this interface
  interface FastEthernet2
   ip address 10.1.34.4/24
   ip router isis

CE5 (straightforward configuration):
  router isis
   net 49.0200.0000.0000.0005.00
   metric-style wide
   log-adjacency-changes
  interface Loopback5
   ip address 5.5.5.5/32
   ip router isis
  interface FastEthernet1
   ip address 10.1.45.5/24
   ip router isis
   isis circuit-type level-1

Resulting routing tables:
  CE2#sh ip route | i ^i
  i L1 3.3.3.3 [115/20] via 10.1.23.3, Fast0
  i ia 4.4.4.4 [115/30] via 10.1.23.3, Fast0
  i ia 5.5.0.0 [115/40] via 10.1.23.3, Fast0
  i L1 10.1.34.0/24 [115/20] via 10.1.23.3, Fast0
  i*L1 0.0.0.0/0 [115/10] via 10.1.23.3, Fast0

  CE3#sh ip route | in ^i
  i L1 2.2.2.2 [115/20] via 10.1.23.2, 01:55:41, Fast0
  i L2 4.4.4.4 [115/20] via 10.1.34.4, 00:11:55, Fast1
  i L2 5.5.0.0 [115/30] via 10.1.34.4, 00:12:49, Fast1
  i L2 10.1.45.0/24 [115/20] via 10.1.34.4, 01:55:41, Fast1

  CE4#sh ip route | in ^i
  i L2 2.2.2.2 [115/30] via 10.1.34.3, 01:51:07, Fast2
  i L2 3.3.3.3 [115/20] via 10.1.34.3, 03:23:20, Fast2
  i su 5.5.0.0/16 [115/20] via 0.0.0.0, 00:08:19, Null0
  i L1 5.5.5.5/32 [115/20] via 10.1.45.5, 00:08:19, Fast1
  i L2 10.1.23.0/24 [115/20] via 10.1.34.3, 03:23:20, Fast1

  CE5#sh ip route | in ^i
  i L1 4.4.4.4 [115/20] via 10.1.45.4, Fast1
  i L1 10.1.34.0/24 [115/20] via 10.1.45.4, Fast1
  i*L1 0.0.0.0/0 [115/10] via 10.1.45.4, Fast1
OSPF lab: Area 202 NSSA with RIP redistribution
Topology: CE1 -- 10.1.12.0/24 (Fast1) -- CE2 -- 10.1.23.0/24 (Fast2) -- CE3 -- 10.1.34.0/24 (Fast3) -- CE4. CE1 carries loopbacks 1.1.1.1/24, 2.2.2.2/24 and 3.3.3.3/24; Area 202 (NSSA) spans CE2-CE3 and Area 0 spans CE3-CE4.

CE1 (RIP only):
  interface Loopback1111
   ip address 1.1.1.1 255.255.255.0
  interface Loopback2222
   ip address 2.2.2.2 255.255.255.0
  interface Loopback3333
   ip address 3.3.3.3 255.255.255.0
  router rip
   version 2
   redistribute connected route-map Loopbacks
   passive-interface default
   no passive-interface FastEthernet1
   network 10.0.0.0
   no auto-summary

CE2 (RIP-to-OSPF ASBR inside the NSSA):
  router rip
   version 2
   timers basic 15 45 15 60
   passive-interface default
   network 10.0.0.0
   no auto-summary
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 3.0.0.0 255.0.0.0 not-advertise
   summary-address 2.2.0.0 255.255.0.0
   redistribute rip metric 123 metric-type 1 subnets
   network 10.1.23.0 0.0.0.255 area 202

CE3 (ABR between Area 202 and Area 0):
  router ospf 1
   log-adjacency-changes
   area 202 nssa
   summary-address 10.0.0.0 255.0.0.0 not-advertise
   summary-address 1.0.0.0 255.0.0.0
   network 10.1.23.0 0.0.0.255 area 202
   network 10.1.34.0 0.0.0.255 area 0
   ! Remark:
   ! area 10 filter-list prefix FILTER out
   ! area 10 range 10.0.0.0 255.0.0.0 not-advertise
   ! Only for standard areas

CE4 (Area 0):
  router ospf 1
   network 10.1.34.0 0.0.0.255 area 0

Resulting routing tables:
  CE1:
  lyo-maq-2611-01#sh ip route | i ^C
  C 1.1.1.0 is connected, Loopback1111
  C 2.2.2.0 is connected, Loopback2222
  C 3.3.3.0 is connected, Loopback3333
  C 10.1.12.0/24 is connected, Fast1

  CE2:
  lyo-maq-2611-02#sh ip route | i ^R|^O
  R 1.1.1.0 [120/1] via 10.1.12.1, Fast1
  O 2.2.0.0/16 is a summary, Null0
  R 2.2.2.0/24 [120/1] via 10.1.12.1, Fast1
  R 3.3.3.0 [120/1] via 10.1.12.1, Fast1
  O IA 10.1.34.0/24 [110/2] via 10.1.23.3, Fast2

  CE3:
  lyo-maq-2811-03#sh ip route | i ^O
  O N1 1.1.1.0/24 [110/124] via 10.1.23.2, Fast2
  O 1.0.0.0/8 is a summary, Null0
  O N1 2.2.0.0 [110/124] via 10.1.23.2, Fast2
  O N1 10.1.12.0/24 [110/124] via 10.1.23.2, Fast2

  CE4:
  lyo-maq-2811-03#sh ip route | i ^O
  O E1 1.0.0.0/8 [110/124] via 10.1.34.3, Fast3
  O E1 2.2.0.0 [110/125] via 10.1.34.3, Fast3
Tunneling & MPLS
MPLS TE: how to route a flow into a tunnel
• static routing
• PBR
• Autoroute
  • tunnel included in the SPF calculation, not in the IGP: other routers are unaware of the tunnel
  • default metric is the IGP metric to the tail end
  • relative/absolute metrics, similar to OSPF E1/E2 externals
  • the LSP tail end is always routed through the tunnel
  • IGP + LSP load sharing is available behind the tail end
  • load sharing toward the tail end needs 2 LSPs
• Forwarding Adjacency
  • tunnel propagated into the IGP
Inter-area MPLS TE
Multi-domain LSP: each domain's core topology should be hidden
• per-domain static ERO (next-hop loose <IP Edge> …)
• CSPF stitching: CSPF calculation on each ASBR, then the ERO is extended to hide the core topology
• backward recursive path computation: a tree is created by the destination PE (<PE><ASBR n> = cost X) and grown by each domain
• Stitching: uses targeted signaling
• Stacking: the inner domain uses its own LSP to tunnel the border domains' LSP; targeted signaling required
Inter-domain VPN with Carrier Supporting Carrier (CSC)
Chain: CE1 - PE1 - CSC-CE1 - CSC-PE1 - backbone provider - CSC-PE2 - CSC-CE2 - PE2 - CE2
• Outer VPN defined on the backbone provider's CSC-PEs; CE-PE route distribution carries IPv4 + labels
• Inner VPN defined on PE1/PE2 and routed in vpnv4 over a direct MP-iBGP session (vpnv4 multihop e/iBGP peering, next-hop-unchanged)
• Customer carrier core: IGP + local loopback
• IGP variant (CSC-CE to CSC-PE): IGP + LDP (int e0/0: mpls ip); on the CSC-PE the IGP is redistributed into BGP under address-family ipv4 vrf inner
• eBGP variant (CSC-CE to CSC-PE): BGP with neighbor ... send-label on both sides and as-override on the CSC-PE; mpls ip is not necessary
Inter-domain VPN option B (ASBR-to-ASBR vpnv4 eBGP)
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <PEs> remote-as 1
   no bgp default route-target filter
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <PEs> next-hop-self
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-community extended
• One tag (label) allocated by the ASBR
• eBGP: no route-target filtering
• iBGP: next-hop-self
• Option B1: next-hop-self method
• Option B2: redistribute connected method
Inter-domain VPN option C (eBGP + send-label, RR-to-RR vpnv4)
• Tag 1: eBGP + send-label, or IGP + LDP
• Tag 2: VPN label

PE:
  router bgp 1
   neighbor <RR1> remote-as 1
   address-family vpnv4
    neighbor <RR1> activate

ASBR:
  interface Ethernet1/0
   mpls bgp forwarding
  router bgp 1
   neighbor <ASBR2> remote-as 2
   neighbor <RR1> remote-as 1
   address-family ipv4
    redistribute <IGP>
    neighbor <ASBR2> activate
    neighbor <ASBR2> send-label
   address-family vpnv4
    neighbor <RR1> activate
  router <IGP>
   network <loopback>           ! plus LDP
   redistribute bgp 1

RR:
  router bgp 1
   neighbor <PEs> remote-as 1
   neighbor <RR2> remote-as 2
   neighbor <RR2> ebgp-multihop
   address-family vpnv4
    neighbor <PEs> activate
    neighbor <RR2> activate
    neighbor <RR2> next-hop-unchanged
MPLS TE QoS modes
• Uniform (MPLS EXP value set by the ISP)
• Short pipe
• Pipe
L2VPN
• VPWS (Virtual Private Wire Service): point to point
  • L2 protocol translation (L2.5 VPN)
  • tLDP session
  • redundancy by nominal/backup sessions
• VPLS (Virtual Private LAN Service): point to multipoint
  • autodiscovery with BGP
  • for Cisco: VPLS = full mesh of pseudowires
• H-VPLS
  • full mesh between N-PEs
  • PW between user PE (U-PE) and network PE (N-PE)
  • redundancy with STP or PW backup between U-PE and N-PE
Operations, Monitoring, Management, Performance
Troubleshooting high CPU utilization
• Identify the process
  • show proc cpu sorted
  • show log
• Causes
  • ARP
  • BGP
  • Exec
  • SNMP
  • NAT
  • TCAM full (Catalyst 3550/...)
  • IP Input
    • show interfaces stats
    • show interfaces
    • show interfaces switching
QoS operation order
• Inbound
  1. QoS Policy Propagation through Border Gateway Protocol (QPPB)
  2. Input common classification
  3. Input ACLs
  4. Input marking (class-based marking or Committed Access Rate (CAR))
  5. Input policing (through a class-based policer or CAR)
  6. IP Security (IPsec)
  7. Cisco Express Forwarding (CEF) or fast switching
• Outbound
  1. CEF or fast switching
  2. Output common classification
  3. Output ACLs
  4. Output marking
  5. Output policing (through a class-based policer or CAR)
  6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)) and Weighted Random Early Detection (WRED)
Multipoint WAN QoS (Frame Relay)
• Remote ingress shaping: 95% of line rate
• Egress shaping: 95% of the smallest bandwidth
QoS models
  4-class model         8-class model         12-class model
  Realtime              Voice                 Voice
                        Interactive Video     Realtime Interactive
                                              Multimedia Conferencing
                        Streaming Video       Broadcast Video
                                              Multimedia Streaming
  Signaling / Control   Signaling             Signaling
  Critical Data         Network Control       Network Control
                        Critical Data         Network Management
                                              Transactional Data
                                              Bulk Data
  Best Effort           Best Effort           Best Effort
                        Scavenger             Scavenger
Security
Internet Edge
• DMZ: public-facing services
• Private DMZ: internal services (DNS, collaboration, HTTP), not vulnerable to outside attacks
• Infrastructure ACLs
Internet Edge: secure operations
• Monitor Cisco Security Advisories and Responses
• Leverage Authentication, Authorization, and Accounting
• Centralize log collection and monitoring
• Use secure protocols when possible
• Gain traffic visibility with NetFlow
• Configuration management

Data plane
• General data plane hardening
• Filtering transit traffic with transit ACLs
• Anti-spoofing protections
• Limiting CPU impact of data plane traffic
• Traffic identification and traceback
• Access control with VLAN maps and port access control lists
• Using private VLANs
Internet Edge: management plane
• General management plane hardening
  • password management
  • restrict protocols
  • use secure protocols
  • exec-timeout
  • event detection (memory, CPU threshold)
• Limiting access to the network with infrastructure ACLs
• Securing interactive management sessions
• Using Authentication, Authorization, and Accounting
• Fortifying the Simple Network Management Protocol
• Logging best practices
• Cisco IOS Software configuration management

Control plane
• General control plane hardening
  • filter ICMP, fragments and source-routed packets; disable proxy-ARP
• Limiting CPU impact of control plane traffic
  • filter fragments and non-IP traffic; rate-limit ICMP unreachables
• Securing BGP
• Securing interior gateway protocols
• Securing first hop redundancy protocols
Everyone wants to live on top of the mountain, but all the happiness and growth occurs while you’re climbing it.