- Unicast is destination based
- multicast is source based
- client is application
Friday, December 6, 2013
Multicast From Learing Series
Tuesday, October 1, 2013
MISC
- Each AS contain indipenent routing policies.
- Border Gateway Protocol (BGP) is
- an interdomain routing protocol
- designed to provide loop-free routing between separate routing domains
- that contain independent routing policies (autonomous systems)
- BGP is mainly used to connect a local network to an external network to gain access to the Internet or to connect to other organizations.
- BGP uses a path-vector routing algorithm to exchange network reachability information with other BGP speaking networking devices.
- Network reachability information is exchanged between BGP peers in routing updates.
- Network reachability information contains
- the network number,
- path specific attributes,
- and the list of autonomous system numbers that a route must transit through to reach a destination network.
- BGP prevents routing loops
- by rejecting any routing update that contains the local autonomous system number
- because this indicates that the route has already traveled through that autonomous system and a loop would therefore be created.
- The BGP path-vector routing algorithm is a combination of the
- distance-vector routing algorithm and the AS-path loop detection.
- NULL vs LOOPBACK interfaces
Correct Answer by Paul Stewart - CCIE Security, CCSI on Mar 14, 2011 3:56 PM
Paul Stewart - CCIE Security, CCSI
There is a software interface called the loopback interface. However, there isn't really a null interface, but you can create null routes. A null route just indicates to the router to throw packets containing a certain destination away.
Do they offer the same function?
A loopback is used for the router ID for OSPF and EIGRP, no similar function exists with a null route. We can bring a loopback directly into the routing process by using the "network x.x.x.x" command. No similar command exists for null routes and a null route is not used for any type of router ID. Either can be used for redistribution. To redistribute a loopback, you would use the "redistribute connected". To redistribute a null route, you would use "redistribute static".
- Asymmetric Routing: Incoming and outgoing routes are different between source & destination.
Mulit Exit Discriminator (MED)
- The name of this metric for BGP versions 2 & 3 is INTER_AS_METRIC
- MED value can be configure using Route Maps
- MED is passed between iBGP peers along with an update without any change in value.
- This action
BGP
- AS Path (Autonomous System Path)
- In BGP,
- each route consist
- a network number
- information about a list of AS
- list of other path attributes
- BGP primary function:
- to exchange network reachability information with other BGP systems
- also list of AS paths
- This information can be used
- to construct a graph of AS conectivety
- routing loops at as level can be pruned
- AS level policy decisions can be enforced
Thursday, July 18, 2013
RSTP: Rapid Spanning Tree Protocol
- 3 port types
- P2P-full duplex
- Non Edge port(equal to PortFast enabled port in PVSTP)
- To allow backward compatability that port must be enable the PortFast
- PortFast enabled ports in PVST become automatically edge ports in RPVST
STP LOOP GUARD / UniDirectional Link Detection
- Loop guard is enabled on L-2 interfaces only
- Unidirectional link:
- due to stp unable to receive bpdu packets, but send the packets
- cause,
- max-age expired
- 2 switches bothe elected disignated port at same time
- Example: In case of optical channels send channel not works but receive channel is working
- Due to layer-1 issue send channel is not working
- then BPDUs from SW2 to SW3 not reached
- Blocked port on SW3 automatically Designated port after max-age timer expired
- solution is create L-1 keep alive, that can we send both incoming & outgoing on the same link
| Functionality | Loop Guard | UDLD |
|---|---|---|
| Configuration | Per-port | Per-port |
| Action granularity | Per-VLAN | Per-port |
| Autorecover | Yes | Yes, with err-disable timeout feature |
| Protection against STP failures caused by unidirectional links | Yes, when enabled on all root and alternate ports in redundant topology | Yes, when enabled on all links in redundant topology |
| Protection against STP failures caused by problems in the software (designated switch does not send BPDU) | Yes | No |
| Protection against miswiring. | No | Yes |
- Commonly run both loop guard & UDLD run at same time
- spanning-tree loopguard default / spanning-tee guard loop
- UDLD
- udld port
- udld port aggressive
STP ROOT GAURD
- check the incoming BPDU,
- if supirior BPDU comes, disable that link or close that STP instance(root inconsistant state)
- untill stop receving superior bpdu
- spanning-tree guard root
STP BPDU GUARD
- If BPDU received from end host, immediately shut down the port
- Instead of blocking BPDU(as in BPDU filter) make the port into error disable state(traffic blocked).
- After port going into error disable state, port can up
- if error disable recovery timer expires
- or, manually shutdown the port then bringsup.
- It is the more secured implementation of filtering STP.
- Also config with PortFast on global mode
- interface level will over ride global config
- to check error disable recover timer enable or not use show cmd
- show errdisable recvoery
- Enable error disable recovery timer
- errdisable recovery interval 30 on global mode (some times not enabled, verify by above cmd, then use below cmd)
- errdisable recovery cause bpdugaurd because there are so many causes the port goto errdisable state
- spanning-tree portfast bpdugaurd default
- spanning-tree bpdugaurd default
Wednesday, July 17, 2013
STP BPDU filter
- Filter incoming and outgoing BPDU
- Configure on interface and globally
- disable stp by dropping bpdu packets
- applied at access layer
- to block stp information reaching the end hosts for security pupose
- sh spannig-tree counters
- disadvantage:
- some times end host sends BPDU(run stp) at that time we can't get that bpdus due to bpdu filter
- If config with portfast on global mode, bpdu filter enable on each port fast containing port.
- and also allow the incoming bpdus, as-usually block the outgoing bpdus
Tuesday, July 16, 2013
BACKBONEFAST
- Not fast as uplinkfast due to link failure at some where else at upstream of root port
- Indirect failure, start recalculate stp
- i.e. there is a problem at upstream of root port and root bridge is not reachable.
- After a failure of upstream, upstream bridge advertise inferior BPDU(worse cost to root) to root port.
- send Root Link Query(specific for BackBoneFast & ask Do u have alternate path)
- then root port containing bridge understand there is link failure to reach root bridge,
- and expires max-age time(defaultly 20sec) and recalculate path costs
- when baackbonefast is used time to reconverge is only the listen&learn time only, no max-age
- spanning tree backbonefast on global mode
UPLINKFAST
- Uplinkfast automatically transform the state of alternate port( blocked to forward )and become root port, with out completing listening & learning state(because patch is already calculated as loop free path).
- Work only when failure of directly connected link.
- After making alternative port to root port
- spoof the CAM table from the new root port
- Does not apply at Core layer, apply at distributed & access layer
- due to the increase in cost & priority
PortFast
- PortFast doesnt disable STP on edge ports.
- Only put in blocked state
- Only send BPDU, doesnt recive BPDU
- Edge ports not subject to forward delay
- Not generate TCN (so no flush of CAM table, it cuts down the unknown unicast flooding in network)
- spanning-tree portfast default
- if enable portfast globally, every access port interfaces become portfast enabled port but not on trunk links
- some times there is a situation, enable portfast on trunk links also
- at that time use spanning-tree portfast trunk cmd used.
- If portfast enabled globally, when access port receive bpdu, it losses the portfast state and complete the listening & learning states then go to forwarding state
- But if portfast enable at interface level, port will remain in portfast state regardless of bpdu receive.
- show spanning-tree int e0/0 portfast
STP Terms
BRIDGE:
- STP is oldest protocol
- at that time no switches(or may be switches are called bridges), so throughout STP, Switch is called as Bridge.
- Instead of broadcast, all bridges are elected one bridge as Root,
- then send information to that root bridge, root will send to destination
- Other than root bridge remaining all are called Designated Bridges
Root Port:
- Present on designated bridge
- By using this port only Designated Bridges connect to Root Bridge,
- Remaining ports are Alternative Ports which are in blocked state.
- Any time only one Root Port per switch towards Root Bridge
Designated Port:
- Present on both Root & Designated Bridge
- Designated Port is a Port which is connected to Root port,
- It sends information away from Root Bridge
Path Cost:
- Based on path cost we will elect the Root/Designated Port.
- Path Cost is numerical value,
- Based on the type of connecting media (Fast Ethernet, gigabit Ethernet, etc) path cast value will be changed
| Data rate | STP Cost (802.1D-1998) | RSTP Cost (802.1D-2004 / 802.1w) |
|---|---|---|
| 4 Mbit/s | 250 | 5,000,000 |
| 10 Mbit/s | 100 | 2,000,000 |
| 16 Mbit/s | 62 | 1,250,000 |
| 100 Mbit/s | 19 | 200,000 |
| 1 Gbit/s | 4 | 20,000 |
| 2 Gbit/s | 3 | 10,000 |
| 10 Gbit/s | 2 | 2,000 |
Spanning Tree Protocol
STP:
- Root Bridge Election
- Elect one Root Port per bridge
- Elect Designated Ports on Root bridge
- Based on Bridge ID of Switch
- ID contain:
- Bridge Priority (0-61440, increment of 4094)
- System ID ( VLAN no.)
- MAC Add (become Spanning Tree MAC address)
- Lowest Bridge ID containing Switch become Root Bridge
- spanning-tree vlan [ids] priority (lowest priority number will become root bridge)
- spanning-tree vlan [ids] root [primary|secondary]
- without giving any priority value switch become root bridge
- by automatically decrease the priority value than current root bridge
Root bridge verification:
- show spanning-tree root
- show spanning-tree vlan [id]
ADDITIONAL:
it repeatedly looks for the optimal solution, selecting an “optimal” candidate every time.
Thursday, July 11, 2013
PORT COST vs PORT PRIORITY
Both parameters are used to determine which interface will be in forwarding state.
They have differences though:
Going away from the root of the tree use priority whereas, when going towards the root of the tree use cost.
Reff: https://supportforums.cisco.com/thread/16435
SPANNING TREE:
to check total path cost/priority between current designated bridge to root bridge:
show spann root [cost/priority]
To change root port(towards root bridge) use spanning-tree cost on desired port.
To change the root port on below directly connected designated bridge(which is away from root bridge), use spanning-tree priority on desired port which is place on present switch.
note: if u r confused about toward/away root bridge, avoid rackets in above and read again, then read below
Ex:
They have differences though:
- If you want to affect how to the local switch elects the root port change the cost on the links. Cost is cumulative throughout the STP domain. The higher cost is the less preferred.
- If you want to affect how downstream switch elects its root port change the priority. This is only local significant between the two directly connected switches. Highest priority is less preferred.
Going away from the root of the tree use priority whereas, when going towards the root of the tree use cost.
Reff: https://supportforums.cisco.com/thread/16435
SPANNING TREE:
to check total path cost/priority between current designated bridge to root bridge:
show spann root [cost/priority]
To change root port(towards root bridge) use spanning-tree cost on desired port.
To change the root port on below directly connected designated bridge(which is away from root bridge), use spanning-tree priority on desired port which is place on present switch.
note: if u r confused about toward/away root bridge, avoid rackets in above and read again, then read below
Ex:
- If A is root bridge, C is designated bridge reach the root bridge A via designated bridge B.
- Now we want to change the root port on B, use spanning-tree cost command on B.
- Like this u change the root port on C using cost command on C.
- Spanning-tree Priority command case is different, if we want to change the root port on C, but not use on C instead used on B.
BPDU FILTER:
- config at interface level or globally
- both have same effect disable STP on per interface basis
- this can stop STP information at incoming/outgoing interface
- Used at access layer at which end host are users
- this block the stp information reaching the end hosts
- if know (root bridge, mac add, priority), there is possibility malfunction of STP
Tuesday, July 2, 2013
TS INE V1:1.1
sh cdp neighbor
sh int status
sh vlan br
ping
--------------------------
PROBLEMS FACED:
1) In the output of sh cdp ne cmd some devices are missing based on L2 diag.
- Because, directly connected interfaces were shutdown.
- based on the L2-diag we know the directly connected devices.
- After using no shutdown on connected interfaces then only directly connected devices appear in sh cdp neigh cmd.
2) un successful of ping cmd
- some times interfaces were shutdown
- some times switches between source & destination have
sh int status
sh vlan br
ping
--------------------------
PROBLEMS FACED:
1) In the output of sh cdp ne cmd some devices are missing based on L2 diag.
- Because, directly connected interfaces were shutdown.
- based on the L2-diag we know the directly connected devices.
- After using no shutdown on connected interfaces then only directly connected devices appear in sh cdp neigh cmd.
2) un successful of ping cmd
- some times interfaces were shutdown
- some times switches between source & destination have
- required vlans are not created
- in between source to destination every switch must contain corresponding vlan
- check the required vlans & corresponding interfaces by using sh vlan br
- then create vlans according l3-diag
- create vlan around switches from diagrom
- Some interfaces of switches are connected routers but not showed in L3-dag
- easily identified by a straight line connected to 2 or more devices
- some times simply a straight line
- That inter faces are connected to switches
Subscribe to:
Posts (Atom)