Sunday, January 11, 2015

Cisco CCNP - 300-101 - OSPF Configuration and Verification, Peeking into the raw packets

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on OSPF configuration and verification while peeking into the raw packets.

Topology

This topology consists of 2 HQ routers and 2 branch routers.

HQ_DR-Area0_100:
    - Interface fa0/0 - connected to HQ_BDR-Area0_200 - IP 1.0.0.1/30 - Area 0
    - Interface fa1/0 - connected to BR-1_AREA100 - IP 1.0.0.5/30 - Area 100
    - Interface lo1 - Loopback for testing - IP 2.0.0.1/32 - Area 0

       
HQ_BDR-Area0_200
    - Interface fa0/0 - connected to HQ_DR-Area0_100 - IP 1.0.0.2/30 - Area 0
    - Interface fa1/0 - connected to HQ_DR-Area0_100 - IP 1.0.0.9/30 - Area 200
    - Interface lo1 - Loopback for testing - IP 3.0.0.1/32 - Area 200
       
       
BR-1_AREA100
    - Interface fa0/0 - HQ_DR-Area0_100 - IP 1.0.0.6/30 - Area 100
    - Interface fa1/0 - connected to LAN - IP 192.168.0.1/24 - Area 100
   
    203 Server on BR-1_AREA100
        eth0 - 192.168.0.2/24
        Default Gateway - 192.168.0.1

       
BR-2_AREA200_300
    - Interface fa0/0 - connected to Internet - IP 1.0.0.10/30 - Area 200
    - Interface fa1/0 - connected to LAN - IP 172.16.0.1/24 - Area 300
    - Interface lo1 - 4.0.0.1/32 - Area 300

    Kali Host on BR-2_AREA200_300
        eth0 - 172.16.0.2/24
        Default Gateway - 172.16.0.1
   

Interface Configurations

HQ_DR-Area0_100:

HQ_BDR-Area0_200

BR-1_AREA100

BR-2_AREA200_300

OSPF Configuration

HQ_DR-Area0_100:

Above we see OSPF process 1. I've manually specified the "router-id" as "2.0.0.1". I then declare the networks which should participate in this OSPF process.


HQ_BDR-Area0_200

Above I've included the "virtual-link". A virtual link is used because I have discontiguous areas. Every OSPF network must have Area 0, which is the backbone, and every other area must be connected to the backbone area. In cases where this is not so, you have to establish a virtual link.
In this lab, area 300 is separated from area 0 by area 200. As a result, the virtual-link is needed.


BR-1_AREA100

BR-2_AREA200_300

Verification from HQ_DR-Area0_100

Above we see a brief view of the learned neighbors.
We know that this router is the Designated Router (DR).

Above we have a detailed view of the learned neighbors.

Above, the "show ip protocols" command gives us additional information from which we can validate whether our OSPF configuration is working.

Getting a complete view of the OSPF Database

Of course now we need to check the routing table to see what has been learnt.


Looks like we have routes for both of the branch offices. The ultimate test is to ensure the two sites have full connectivity.

Ping looks good!

Traceroute looks better!!


Peeking at the raw OSPF Packets
In a previous post, I mentioned that OSPF uses 5 packet types. In this post I will peek into some of those packets.

Hello Packet
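To make the fields of the Hello packet concrete, here is an added Python example (my own code, not part of the original post) that decodes an OSPFv2 Hello, verifies the RFC 2328 checksum, reports the authentication type, and checks the Hello against the receiving interface the way a router does before a neighbor can leave Init. The sample packet and interface settings are constructed to match the lab topology; HQ_BDR's router ID of 3.0.0.1 is an assumption.

```python
import struct
from ipaddress import IPv4Address

OSPF_HELLO = 1
AUTYPE_NAMES = {0: "null", 1: "simple password (cleartext)", 2: "cryptographic"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(rid, area, mask, hello, dead, dr, bdr, neighbors,
                options=0x02, prio=1, autype=0, auth=b"\x00" * 8):
    """Assemble an OSPFv2 Hello with a valid checksum (used to construct the sample below)."""
    def ip(a):
        return int(IPv4Address(a))
    body = struct.pack("!IHBBIII", ip(mask), hello, options, prio, dead, ip(dr), ip(bdr))
    body += b"".join(struct.pack("!I", ip(n)) for n in neighbors)
    head = struct.pack("!BBHII", 2, OSPF_HELLO, 24 + len(body), ip(rid), ip(area))
    # the checksum is computed with the checksum and 64-bit authentication fields zeroed
    csum = internet_checksum(head + b"\x00\x00" + struct.pack("!H", autype) + b"\x00" * 8 + body)
    return head + struct.pack("!HH", csum, autype) + auth + body


def parse_ospf_hello(pkt: bytes) -> dict:
    """Decode the 24-byte OSPF header and the Hello body (RFC 2328 A.3.1 and A.3.2)."""
    if len(pkt) < 44:
        raise ValueError("packet too short for an OSPF Hello")
    version, ptype, length, rid, area, csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2 or ptype != OSPF_HELLO:
        raise ValueError(f"not an OSPFv2 Hello (version={version}, type={ptype})")
    if length < 44 or length > len(pkt):
        raise ValueError("OSPF length field does not fit the packet")
    pkt = pkt[:length]
    checksum_ok = None  # with AuType 2 the checksum is unused; the MD5 digest covers the packet
    if autype in (0, 1):
        scratch = pkt[:12] + b"\x00\x00" + pkt[14:16] + b"\x00" * 8 + pkt[24:]
        checksum_ok = internet_checksum(scratch) == csum
    mask, hello, options, prio, dead, dr, bdr = struct.unpack("!IHBBIII", pkt[24:44])
    n_neigh = (length - 44) // 4
    neigh = struct.unpack("!%dI" % n_neigh, pkt[44:44 + 4 * n_neigh])
    return {
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(area)),
        "autype": AUTYPE_NAMES.get(autype, f"unknown({autype})"), "checksum_ok": checksum_ok,
        "network_mask": str(IPv4Address(mask)), "hello_interval": hello,
        "dead_interval": dead, "priority": prio,
        "external_routing": bool(options & 0x02),  # E-bit clear means a stub area
        "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)),
        "neighbors": [str(IPv4Address(n)) for n in neigh],
    }


# Hello fields that must agree with the receiving interface before the Hello is accepted.
MUST_MATCH = ("area_id", "network_mask", "hello_interval", "dead_interval",
              "autype", "external_routing")


def hello_mismatches(hello: dict, local: dict) -> list:
    """Fields of a received Hello that disagree with the receiving interface's settings."""
    return [f for f in MUST_MATCH if hello[f] != local[f]]


def neighbor_state_after(hello: dict, local: dict) -> str:
    """Init while our router ID is absent from the neighbor list, 2-Way once it appears."""
    if hello_mismatches(hello, local):
        return "Down"  # a mismatching Hello is discarded, so the neighbor state does not change
    return "2-Way" if local["router_id"] in hello["neighbors"] else "Init"


# Constructed sample: HQ_DR (router-id 2.0.0.1) on fa0/0 in area 0, subnet 1.0.0.0/30, listing
# one neighbor whose router ID (3.0.0.1) is assumed to be HQ_BDR's loopback address.
SAMPLE_HELLO = build_hello("2.0.0.1", "0.0.0.0", "255.255.255.252", 10, 40,
                           "1.0.0.1", "1.0.0.2", ["3.0.0.1"])

# Constructed settings of the interface receiving this Hello (HQ_BDR's fa0/0).
LOCAL_FA0_0 = {"router_id": "3.0.0.1", "area_id": "0.0.0.0", "network_mask": "255.255.255.252",
               "hello_interval": 10, "dead_interval": 40, "autype": "null",
               "external_routing": True}

if __name__ == "__main__":
    h = parse_ospf_hello(SAMPLE_HELLO)
    print(h)
    print("mismatches:", hello_mismatches(h, LOCAL_FA0_0),
          "state:", neighbor_state_after(h, LOCAL_FA0_0))
```

A Hello showing AuType 0 or 1 on a capture is worth flagging: a cleartext password travels inside the 8-byte authentication field, so only AuType 2 gives the neighbor any real protection.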



Database Description Packet

Request Packet

Update Packet

Acknowledgement Packet

Well I guess that's it for OSPF!!

Cisco CCNP - 300-101 - OSPF Advanced Topics

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on advanced OSPF topics.

OSPF
    - Any network change generates an LSA
    - LSAs are sent via multicast
    - Route decisions are made on the total cost of the path
    - A router has a separate LS database for each area
    - All routers sharing the same area have the same database
    - The router ID must be unique within the OSPF domain
    - Area IDs are 32-bit numbers
    - 0.0.0.0 is reserved for the backbone
    - All areas must connect through area 0
    - Uses a TOS value of 0
    - Does not support route summarization on routers other than an ABR or ASBR
    - Supports equal-cost load balancing but not unequal-cost load balancing
       

Dijkstra
    - Used by link-state protocols
    - Shortest Path First (SPF) algorithm
    - Link-state database
        - Created from link-state packets
    - Path database
        - ID, path cost, direction
    - Forwarding database
        - Routing table
    - All routers exchange link-state packets (LSP)
    - Each router first considers itself as the root
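As an added example (my own code, not from the original post), the following Python runs Dijkstra over a constructed link-state view of the lab topology from the configuration post, with HQ_DR as the root: interface costs are derived from the reference bandwidth, the SPF run produces the path database, and the stub networks are then placed into the forwarding database. Equal-cost first hops are kept as well, which goes beyond the lab topology (a tree) and is only exercised in the test.

```python
import heapq

DEFAULT_REF_BW_MBPS = 100          # IOS default: auto-cost reference-bandwidth 100
FASTETHERNET_KBPS = 100_000
LOOPBACK_KBPS = 8_000_000          # bandwidth IOS reports for a loopback interface


def ospf_cost(bw_kbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """IOS interface cost: reference bandwidth / interface bandwidth, truncated, never below 1."""
    return max(1, (ref_bw_mbps * 1000) // bw_kbps)


# Constructed link-state view of the lab topology: each router's links to other routers and
# its stub networks, each tagged with the bandwidth of the interface that faces it.
LSDB = {
    "HQ_DR":  {"links": {"HQ_BDR": FASTETHERNET_KBPS, "BR-1": FASTETHERNET_KBPS},
               "stubs": {"2.0.0.1/32": LOOPBACK_KBPS}},
    "HQ_BDR": {"links": {"HQ_DR": FASTETHERNET_KBPS, "BR-2": FASTETHERNET_KBPS},
               "stubs": {"3.0.0.1/32": LOOPBACK_KBPS}},
    "BR-1":   {"links": {"HQ_DR": FASTETHERNET_KBPS},
               "stubs": {"192.168.0.0/24": FASTETHERNET_KBPS}},
    "BR-2":   {"links": {"HQ_BDR": FASTETHERNET_KBPS},
               "stubs": {"172.16.0.0/24": FASTETHERNET_KBPS, "4.0.0.1/32": LOOPBACK_KBPS}},
}


def spf(lsdb, root, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Dijkstra with `root` as the tree root. Returns the path database
    {router: (total cost, set of first-hop routers)}, keeping every equal-cost first hop."""
    paths = {root: (0, set())}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue                    # stale heap entry for an already-finalised router
        done.add(node)
        for nbr, bw in lsdb[node]["links"].items():
            new_cost = cost + ospf_cost(bw, ref_bw_mbps)
            hops = {nbr} if node == root else set(paths[node][1])
            known = paths.get(nbr)
            if known is None or new_cost < known[0]:
                paths[nbr] = (new_cost, hops)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == known[0]:
                known[1].update(hops)   # equal-cost path: both first hops are usable
    return paths


def forwarding_table(lsdb, root, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Forwarding database: prefix -> (cost, next hops). A stub's cost is the path cost to the
    router advertising it plus the cost of that router's attached interface."""
    table = {}
    for router, (cost, hops) in spf(lsdb, root, ref_bw_mbps).items():
        for prefix, bw in lsdb[router]["stubs"].items():
            total = cost + ospf_cost(bw, ref_bw_mbps)
            entry = (total, ("connected",) if router == root else tuple(sorted(hops)))
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = entry
    return table


if __name__ == "__main__":
    for ref_bw in (100, 1000):        # default vs. "auto-cost reference-bandwidth 1000"
        print(f"--- HQ_DR routing table, reference bandwidth {ref_bw} Mbps ---")
        for prefix, (cost, hops) in sorted(forwarding_table(LSDB, "HQ_DR", ref_bw).items()):
            print(f"{prefix:16} cost {cost:3} via {', '.join(hops)}")
```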
       
OSPF Packet Types
    - Hello
        - Multicast to 224.0.0.5 on all router interfaces
        - Multicast to 224.0.0.6 is used for the DR and BDR
        - Discovers neighbors
        - Sent every 10 seconds on broadcast networks, 30 seconds on NBMA
        - Used for adjacencies

    - Database Description
        - Link-state database
        - Describes the current LSDB
    - Request
        - Requests part of the database
        - The response should contain only the requested update
    - Update
        - Contains detailed LSAs
        - Sent in response to an LSR
    - Acknowledgment
        - Confirms receipt of an LSU
   
   
LSA Types (20 byte header)
        - Type 1 - Router Link
            - Created by each router to represent itself in each area
            - State and cost of the router's links in the area
            - All links must be in a single LSA
            - Only flooded in the specific area
            - The router states whether it is an ASBR, ABR or the end point of a virtual link

        - Type 2 - Network Link
            - Found on broadcast and non-broadcast networks
            - Originated only by the designated router
            - Describes all routers attached to the network
            - Flooded only within the area

        - Type 3 - Network Summary
            - Destinations outside of the area but still within the AS
            - Originated by the ABR
            - Only intra-area routes are advertised
            - Type 4 carries the ASBR information
            - Routes are displayed as "O IA"
            - LSA type 4 with mask 0.0.0.0

        - Type 4 - ASBR
            - Destinations outside of the area but still within the AS
            - Originated by the ABR
            - Only intra-area routes are advertised
            - Information about the ASBR

        - Type 5 - External
            - Routes external to the AS
            - The default route is sent as external

            Types of external LSA
                - E1 - Total cost up to the external destination
                - E2 - Considers only the cost of the outgoing interface to the external destination

        - Type 7 - NSSA External
   
Designated Routers
    - Reduce traffic on broadcast networks
    - Store and distribute neighbor information
    - Have a backup DR for redundancy
    - Use a priority in the range 1-255; 0 means the router is not a candidate
   
   
Types of Areas:
    - Normal
        - External links injected
    - Stub
        - Summary LSA from other areas injected
        - LSA type 5 not injected
        - Define all routers in an area as stub
        - Reduce overhead and LSA counts
    - Totally stubby (stub no summary)
        - Represents all external links
        - non-summarized internal links
    - Not so stubby (NSSA)
        - Benefits of stub area
        - when flooded into area 0 LSA type 5 become LSA type 7
   
   
Summarization
    - Done by the longest prefix
    - One summary prefix is advertised

   
Neighbor states
    - Down
        - No information received from the neighbor
    - Attempt
        - No information received from the neighbor, but an effort was made to contact it
        - Used when the "neighbor" command is used
        - If stuck in Attempt, neighbor hellos may be lost
    - Init
        - Hello packet received but the router itself is not listed in the packet
        - If stuck in the Init state, this means one-way hello messages
    - 2-Way
        - Two-way communication established. Beginning of adjacency
        - Stuck in 2-Way is normal on broadcast networks
    - Exstart
        - Determines which router will be master/slave
        - Determines the first sequence number
        - If stuck in Exstart, check the neighbor RID
    - Exchange
        - The link state is described through the DBD packet
        - Each sequence is ack'd
        - Only one DBD packet is allowed
        - Link state request packets are sent to request newer LSAs
        - If stuck in Exchange, check the neighbor RID
    - Loading
        - Packets are requested for the most recent LSAs which were not received during the exchange
        - If stuck in Loading, LS requests are being sent but the neighbor is ignoring them. Also check for an MTU mismatch
    - Full
        - All information has been exchanged
               
Manipulating OSPF
    - Change the reference bandwidth
        - Uses "auto-cost reference-bandwidth"
        - Cisco recommends setting the value to the same on all routers
    - Setting the interface bandwidth
        - Uses the "bandwidth" command
    - Setting the OSPF cost
        - Uses "ip ospf cost"
       
       
Commands to verify OSPF
    - show ip ospf interface brief
    - show ip ospf neighbor
    - show ip ospf database
    - show ip ospf database network 16.0.0.1
    - show ip ospf database summary
    - show ip route ospf

   
References:
https://www.ietf.org/rfc/rfc2328.txt
http://www.cisco.com/networkers/nw00/pres/2205.pdf

Cisco CCNP - 300-101 - OSPF Basics

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on OSPF basics

Open Shortest Path First (OSPF)
    - Uses link-state (LS) routing
    - The database is called the link-state database
    - Information held in the link-state database includes router IDs, interface IP addresses, masks and subnets, and the list of reachable routers
    - Each router interface exists in a single area
    - Uses multicast Hello messages
    - Process IDs do not need to match for routers to become neighbors
    - Uses a Finite State Machine (FSM)
    - Uses 8 states to determine neighbor status
    - Reducing the hello and dead timers can speed up convergence
   


Area Border Routers
    - Uses Area Border Routers (ABR)
    - ABRs are responsible for sharing information between different areas
    - ABRs do not advertise detailed information. They instead advertise the subnet prefix and length
    - The backbone (Area 0) is connected to all other areas
    - All communication between non-backbone devices must pass through at least one backbone router
    - An ABR keeps a copy of the link-state database for each area attached to it
    - The first network statement matching an interface, in the order shown in the running config, determines the interface's area
    - Does not forward Type 1 or Type 2 LSAs into another area
   
   

OSPF Key Terms
    - Link-state Database (LSDB) - stores the topology database
    - Shortest Path First (SPF) - the algorithm used by the protocol
    - Link-state update (LSU) - contains detailed topology information
    - Link State Advertisement (LSA) - holds topology information. Gets sent out via an LSU
    - Area - contiguous group of routers
    - Area Border Router (ABR) - has interfaces connected to two or more areas
    - Backbone Router - connects with other routers
    - Internal Routers - connected to only one area
    - Designated Router (DR) - elected to perform special functions
    - Backup Designated Router (BDR) - secondary DR router
    - Transport - uses TCP/UDP 89
    - Metric - cost of all outgoing interfaces in a route
    - Hello Interval - notify neighbors (10 seconds default on a LAN)
    - Dead Interval - detect failed neighbors (40 seconds default on a LAN)
    - Update destination address - sent to broadcast 224.0.0.5 and 224.0.0.6
    - Updates (full or partial)
    - Authentication - MD5 and clear text
    - VLSM/classless - masks get included in each route
    - Route tags - tag for redistributed routes
    - Next-hop field - manually specify a next-hop router other than the one advertised
    - Manual Route Summarization - summary routes
   
   
   
Steps for choosing the router ID
    - The router-id command takes precedence
    - If no router-id is configured, the highest IP on a loopback interface is used
    - If there is no router-id or loopback interface, it uses the highest IP address on any non-loopback interface
   
   
Common OSPF configuration verification commands
    - show ip ospf interface brief - shows OSPF-enabled interfaces
    - show ip protocols - shows the OSPF network configuration
    - show ip ospf neighbor - shows known neighbors
    - show ip ospf database - LSAs for connected areas
    - show ip route - shows the routing table
   
   
Two classes of neighborship
    - Neighbors
    - Fully Adjacent Neighbors
   
   

The following must match for neighborship to be completed
    - router id
    - stub area flag
    - hello interval
    - dead interval
    - subnet mask
    - list of neighbors reachable on the interface
    - area id
    - router priority
    - designated router (DR) IP address
    - Backup DR IP address
    - Authentication digest
   

   
OSPF Network Types
    - Broadcast
    - Point-to-point
        - Normally serial links
        - DRs are not typically elected
    - Loopback
    - Nonbroadcast (NBMA)
    - Point-to-multipoint
    - Point-to-multipoint nonbroadcast

   
   
OSPF Virtual Links
    - Two ABRs connecting to the same non-backbone area can form a neighborship
    - Acts like a virtual point-to-point connection between two routers
    - The ABR sends messages as unicast
    - The Do Not Age (DNA) bit is set on LSAs, so other routers do not expect flooded messages every 30 minutes
    - Uses the "area virtual-link" command
    - There is no interface to use for virtual links
   
   
   
References:
CCNP official Cert Guide - CCNP Routing and Switching - Route 300-101
https://www.ietf.org/rfc/rfc2328.txt
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_ospf.html
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/open-shortest-path-first-ospf/prod_presentation0900aecd80310f6d.pdf
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/open-shortest-path-first-ospf/prod_presentation0900aecd80310f71.pdf
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/open-shortest-path-first-ospf/whitepaper_c11-668030.html
http://en.wikipedia.org/wiki/Open_Shortest_Path_First
http://www.cisco.com/networkers/nw00/pres/2205.pdf
http://www.cisco.com/networkers/nw00/pres/2206_7-5.pdf
http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html

Saturday, January 10, 2015

Cisco CCNP - 300-101 - Configuring and Verifying EIGRP, Peering into the EIGRP Packets

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on configuring and verifying EIGRP, while peering into the EIGRP packets.

The topology used in this lab is the topology used in the earlier post on DMVPN, GRE and NHRP.


Topology

This topology consists of one internet router, an HQ router and 2 branch routers.

Internet Router:
    - Interface fa0/0 - connected to HQ - IP 3.0.0.1/24
    - Interface fa1/0 - connected to Branch-1 - IP 5.0.0.1/24
    - Interface fa2/0 - connected to Branch-2 - IP 4.0.0.1/24
    - Interface lo7 - Loopback for testing - IP 7.0.0.1/32
    - Interface lo8 - Loopback for testing - IP 8.0.0.1/32
       

HQ
    - Interface fa0/0 - connected to Internet - IP 3.0.0.2/24
    - Interface lo1 - Loopback for testing - IP 1.0.0.1/32
    - Interface lo2 - Loopback for testing - IP 2.0.0.1/32
    - Default Gateway - 3.0.0.1

    DMVPN IP
        - 192.168.0.1/24
       
       
Branch-1
    - Interface fa0/0 - connected to Internet - IP 5.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 10.0.0.1/24
    - Default Gateway - 5.0.0.1
   
    203 Server on Branch 1 - LAN
        eth0 - 10.0.0.2/24
        Default Gateway - 10.0.0.1

    DMVPN IP
        - 192.168.0.2/24

       
Branch-2
    - Interface fa0/0 - connected to Internet - IP 4.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 172.16.0.1/24
    - Default Gateway - 4.0.0.1

    Kali Host on Branch-2
        eth0 - 172.16.0.2/24
        Default Gateway - 172.16.0.1
       
    DMVPN IP
        - 192.168.0.3/24




Key Chain Configuration

This key chain is configured on the HQ, Branch-1 and Branch-2 routers. It will be used by EIGRP for authentication of neighbors. It helps to reduce the probability of anyone adding a router to the infrastructure and either learning routes from, or injecting routes into, our routing process.


Interface Configuration
Internet

HQ

While every command here is important, I am only focusing on Tunnel 0.

"no ip split-horizon eigrp 1"
    - For EIGRP to work properly we need to disable split-horizon. Since this is the hub, all EIGRP traffic which enters interface "tunnel 0" will also need to leave "tunnel 0". By default this is not permissible.

"ip authentication mode eigrp 1 md5"
    - Telling EIGRP to use MD5 hashing for the authentication credentials

"ip authentication key-chain eigrp 1 SecurityNik"
    - Use the key-chain with the name SecurityNik





Branch-1

Branch-2

Routing Process Configuration

HQ

Branch-1

Branch-2

Verifying EIGRP is working properly on the HQ router

Looks like we have 2 neighbors, both learned via interface Tunnel0.

The topology looks good as there are currently no routes in "A" (Active).

Taking a look at the IP protocols ...

... we see the networks which are being routed and the routing information sources.

Finally, taking a look at the "show ip route" output.

Voilà!!

Obviously now the final test is to ensure that the hosts can actually communicate.

Verify the hosts can ping (and traceroute) each other




Ahhh, All is well now!!!


Peering into the EIGRP Packets

In a previous post, I stated that EIGRP uses 5 packet types. Let's take a peek into 4 of these packets now.

Hello

From the above we see this is a "Hello" packet.


Update       


Above we see an update packet


Query


The above is a query packet

Ack


And finally we have an "ACK" packet


That's it!!

Cisco CCNP - 300-101 - Advanced EIGRP

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).


In this post I will be focusing on Advanced EIGRP topics

- Advanced Distance Vector
- Fast Convergence
- Loop Free
- Uses multicast NOT broadcast


EIGRP uses 3 branches of logic
    - Neighbor relationships, which are listed in the neighbor table
    - Topology information, which is exchanged with the neighbors in the table
    - Using the topology table to find the best route
   
   
EIGRP Topology Table
    - Basic information used - prefix, prefix length, metric information, other details
    - Learned topology information is stored in the topology table
    - Topology table is analyzed to determine the best route
    - Topology data must exist before it can be sent to the neighbor
    - The local EIGRP process adds networks to its local topology via:
        - locally connected interfaces with EIGRP enabled
        - interfaces referenced in the "neighbor" command
        - redistribution of routes into EIGRP
   
    - Information is first added to the local topology table before being sent to neighbors
    - Hop count of "0" means the route is locally connected

5 EIGRP Packets
    - Hello
        - Updates neighbor relationships
        - Sent every 5 seconds by default on broadcast links, Ethernet, etc.
        - Sent every 60 seconds by default on Frame Relay, etc.
        - Sourced from the primary interface
        - Does not require acknowledgement

    - Update
        - Used as part of the data exchange process
        - Sends routing updates
        - Contains topology information
        - Contains:
            prefix
            prefix length
            metric components (bandwidth, delay, reliability and load)
            non-metric components: MTU and hop count
        - Requires acknowledgement

    - Query
        - Used when moving a route from passive to active
        - Asks a neighbor about routing information
        - Requires acknowledgement
        - Sent out all interfaces except the interface of the successor
        - If the neighbor does not have the lost routes, it then sends out queries to its own neighbors

    - Reply
        - Reply to a query about routing information
        - Requires acknowledgement

    - Ack
        - Used as part of the data exchange process
        - Acknowledges the update packet
        - Ensures reliability
        - Does not require acknowledgement

- The "delay" command uses units of tens-of-microseconds.
- The "show ip eigrp" and "show interfaces" commands use microseconds.


EIGRP update process
    - Topology information is exchanged via the update packets
    - Future updates are only sent as a result of some type of change in the network or the EIGRP topology, etc.
    - If a neighbor fails and recovers, a full adjacency is formed again
    - Uses split horizon by default, limiting the prefixes advertised out an interface
    - Uses the Reliable Transport Protocol (RTP) to send updates and confirm receipt
    - On a LAN, updates are sent via multicast (224.0.0.10). ACKs are sent via unicast
   

Concerns for EIGRP and WAN - Frame Relay
    - Neighbors must be reachable via Layer 2 before Hello messages can be exchanged
    - Split-horizon must be disabled on the interface (no ip split-horizon eigrp 10)

       
EIGRP - Controlling WAN Bandwidth
    - By default only 50% of the bandwidth assigned to the interface with the bandwidth command is used
    - The percentage can be changed by using "ip bandwidth-percent eigrp 10"
    - Messages are queued in memory
    - The default bandwidth on serial links is 1544 kbps
    - Bandwidth must be set on both physical interfaces and sub-interfaces
    - Set the bandwidth on point-to-point links the same as the Committed Information Rate (CIR)
   
   
Getting the best route
    - The metric is calculated from the perspective of both the local router and its neighbor

    - Feasible Distance (FD) - used by the local router to determine the best route from its perspective
      - Best route based on the lowest metric (FD), minimum distance
      - The successor router is the next-hop router

    - Reported Distance (RD) - metric from the neighbor's perspective. Used by the local router when converging
      - Reported by the upstream neighbor
      - Advertised Distance is the same as Reported Distance
      - Used when falling back to an alternative route
      - Used to determine if a feasible successor is loop free

    - The successor route is placed in the routing table
      - Has the least cost to a destination
      - Next hop for forwarding packets
      - Load balancing allows multiple successors

    - Feasible Successor
        - Backup/alternative routes
        - If no feasible successor exists, recompute a new successor
        - Becomes a feasible successor if the reported distance is lower than the feasible distance

    - The metric grows as the bandwidth decreases. Slower bandwidth results in a worse metric
   
   
   
Some methods of Tuning EIGRP
    - Setting bandwidth
        - Uses kilobits per second (kbps)
        - Can affect other metrics
        - If having to choose between bandwidth and delay, choose delay
        - The bandwidth command is used for other tasks on the router (SNMP, etc.); delay is not as much
        - On LAN interfaces bandwidth and delay default to the speed of the interface

    - Setting interface delay
        - Uses tens-of-microseconds
    - Changing the metric calculation - K-values
        - Can be modified as needed
        - Valid values are 0-255
        - By default K1 = K3 = 1, the others default to 0
          K1 = 1, K2 = 0, K3 = 1, K4 = K5 = 0
        - K-values must match before routers can become neighbors
        - Cisco recommends not using K2, K4 or K5. A non-zero value causes the devices to use load and reliability
        - Load and reliability contribute to route flapping
    - Offset lists
        - Allow the addition of values to the calculated metric of a route
        - First create an EIGRP offset list that defines the value to add
        - Uses an IP ACL to permit (match) the routes
        - Match the direction of update messages
        - Match the interface for received or sent updates
        - Set an integer metric for FD and RD
        - The two important parts are the ACL and the offset-list

        #access-list 15 permit 10.0.0.0
        #router eigrp 10
        #offset-list 15 in 10 fa2/0

   
   
Load sharing
    - Convergence from the successor to a feasible successor should occur within a second
    - Multiple routes can be placed into the routing table for a specific network
    - Routes are then balanced by destination (default)
    - Convergence occurs faster
    - Uses the "maximum-paths" or "variance" command

- "show ip eigrp topology" only shows the successor and feasible successors
- "show ip eigrp topology all-links" lists ALL routes


Going Active
    - The process of discovering loop-free alternatives when there is no fe
    asible successor
    - Routes move from passive to active when there is no feasible successor
    - Sends Query messages to each neighbor except the neighbor in the failed route
    - If the neighbor has a passive route for the network in question, it is considered loop free
    - The neighbor sends a Reply
    - Passive routes have successor information
      Passive routes are good routes
    - Active routes have lost their successor. No feasible successor is available. The router is actively looking for new routes.
      Active routes are bad routes
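The following added Python example (my own code, not from the original post) ties together the sections on getting the best route, K-values, load sharing and going active: it computes the classic composite metric from the components carried in an Update, picks the successor and feasible successors from a constructed topology table for 10.0.0.0/24 as seen at HQ, applies variance, and shows what DUAL does when the successor is lost. The tunnel and serial bandwidth/delay values are assumptions, not taken from the lab configs.

```python
from dataclasses import dataclass

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5; IOS default, so only bandwidth and delay count


@dataclass(frozen=True)
class Components:
    """Metric components carried in an EIGRP Update (classic 32-bit metric)."""
    min_bw_kbps: int        # lowest bandwidth on the path, in kbps
    delay_tens_us: int      # sum of interface delays, in tens of microseconds
    reliability: int = 255  # 255 = 100 %
    load: int = 1           # 1 = idle


def composite_metric(c: Components, k=DEFAULT_K) -> int:
    """256 * [K1*BW + K2*BW/(256-load) + K3*delay] * [K5/(reliability+K4)], BW = 10^7 / min_bw."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // c.min_bw_kbps                      # IOS truncates the division
    metric = k1 * bw + (k2 * bw) // (256 - c.load) + k3 * c.delay_tens_us
    if k5:                                                 # the factor is taken as 1 when K5 = 0
        metric = metric * k5 // (c.reliability + k4)
    return metric * 256


def via_link(reported: Components, link_bw_kbps: int, link_delay_tens_us: int) -> Components:
    """Components after adding the local interface toward the advertising neighbor."""
    return Components(min(reported.min_bw_kbps, link_bw_kbps),
                      reported.delay_tens_us + link_delay_tens_us,
                      reported.reliability, reported.load)


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    reported: Components    # what the neighbor advertised in its Update
    link_bw_kbps: int       # local interface toward that neighbor
    link_delay_tens_us: int

    def rd(self, k=DEFAULT_K) -> int:
        """Reported (advertised) distance: the neighbor's own metric for the prefix."""
        return composite_metric(self.reported, k)

    def fd(self, k=DEFAULT_K) -> int:
        """Feasible distance: the metric from this router's perspective."""
        return composite_metric(via_link(self.reported, self.link_bw_kbps,
                                         self.link_delay_tens_us), k)


def select_paths(candidates, variance=1, k=DEFAULT_K) -> dict:
    """Successor(s), feasible successors (RD < best FD) and what `variance` installs in the RIB."""
    if not candidates:
        return {"fd": None, "successors": [], "feasible": [], "installed": []}
    best_fd = min(c.fd(k) for c in candidates)
    successors = [c for c in candidates if c.fd(k) == best_fd]
    feasible = [c for c in candidates if c.fd(k) != best_fd and c.rd(k) < best_fd]
    installed = successors + [c for c in feasible if c.fd(k) < variance * best_fd]
    return {"fd": best_fd,
            "successors": [c.neighbor for c in successors],
            "feasible": [c.neighbor for c in feasible],
            "installed": [c.neighbor for c in installed]}


def lose_successor(candidates, old_fd, lost_neighbor, k=DEFAULT_K):
    """DUAL on losing the successor: promote a feasible successor and stay passive, or go active."""
    remaining = [c for c in candidates if c.neighbor != lost_neighbor]
    feasible = [c for c in remaining if c.rd(k) < old_fd]
    if feasible:
        return "passive", min(feasible, key=lambda c: c.fd(k)).neighbor
    return "active", None   # no loop-free alternative is known: Query every remaining neighbor


# Constructed topology-table entries for 10.0.0.0/24 (Branch-1 LAN) as seen at HQ. The tunnel
# and serial bandwidth/delay figures are assumptions, not values from the lab configuration.
FE = Components(100_000, 10)   # Branch-1's connected FastEthernet: 256 * (100 + 10) = 28160
TOPOLOGY_10_0_0_0 = [
    Candidate("Branch-1 (Tunnel0)", FE, 1_000, 1_000),
    Candidate("Branch-1 (Serial0/0)", FE, 1_544, 2_000),
    # Branch-2 learned the prefix through HQ itself, so its RD already includes HQ's tunnel hop
    Candidate("Branch-2 (Tunnel0)", Components(1_000, 2_010), 1_000, 1_000),
]

if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", select_paths(TOPOLOGY_10_0_0_0, variance=v))
    print(lose_successor(TOPOLOGY_10_0_0_0, 2_172_416, "Branch-1 (Serial0/0)"))
```

Branch-2's entry is rejected as a feasible successor precisely because its reported distance is not below HQ's own feasible distance: that path leads back through HQ, which is the loop the feasibility condition exists to exclude.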

   
Stuck-in-Active
    - Routers may wait a while before getting Reply messages
    - The active timer (3 minutes by default) is used to determine how long a router must wait for Reply messages
    - When a router does not receive a Reply within the active timer, the route is considered stuck-in-active
    - Stuck-in-active is not the state you would like your router to be in

   

Stub Routers
    - Stub routers should not forward traffic between two remote EIGRP-learned subnets
    - Uses the "eigrp stub" command (the default uses connected and summary routes)
    - eigrp stub options [ connected, summary, static, leak-map, redistributed, receive-only ]
    - Stub routers do not advertise routes learned from one neighbor to another
    - Non-stub routers keep track of stub routers
    - Non-stub routers do not send query messages to stub routers
    - Will form a neighborship even in "receive-only" mode
    - Queries are suppressed on neighbors

   
Route Filtering
    - Uses ACLs (an explicit permit is needed; the implicit deny at the end would otherwise drop every other route)
          access-list 3 deny 172.16.0.0
          access-list 3 permit any
          router eigrp 10
          distribute-list 3 out

    - Or a prefix-list
        - Allows matching of the prefix length
        - Uses a tree structure
        - Matches the route prefix and route subnet
        - "ip prefix-list" command
          ip prefix-list SecurityNik seq 5 deny 172.16.0.0/24
          ip prefix-list SecurityNik seq 10 permit 0.0.0.0/0 le 32
          router eigrp 10
          distribute-list prefix SecurityNik out

    - Route maps
        - Uses "distribute-list"
        - A route-map command uses one or more route-map entries
        - Entries are processed in sequence-number order
          access-list 3 deny 172.16.0.0
          route-map SecurityNik deny 10
          match ip address 3
          route-map SecurityNik permit 20
          router eigrp 10
          distribute-list route-map SecurityNik out

        - The match command can use an ACL or a prefix-list
        - Use "show route-map" to validate the config
       
       
Route Summarisation
    - Used to keep routing tables small and manageable
    - Conserves memory
    - Can be done on any router
    - Reduces the query scope
    - Sub-optimal routing is possible
    - Uses "ip summary-address eigrp asn prefix subnet-mask"
      Causes the route to go down and then back up
    - A local summary route uses an administrative distance (AD) of 5
    - Manual route summarisation or auto-summarisation
    - Routers can auto-summarise
    - A summary is created for each classful network
    - Classful protocols (like RIPv1 and IGRP) cannot support VLSM
    - The default route can be considered the best summary route
    - Auto-summarisation is on by default
   
           
EIGRP Authentication
    - Used to authenticate every EIGRP message
    - Uses a pre-shared key
    - An MD5 digest is generated for each message based on the pre-shared key
    - Messages are silently discarded if the digest does not match
    - Authentication must be successful before a neighborship can be established
    - Helps to prevent DoS
    - Does not provide privacy (the messages themselves are still sent in the clear)
    - First create the key chain
        (config)#key chain SecurityNik
        (config-keychain)#key 1
        (config-keychain-key)#key-string EIGRP-Auth
    - Then enable MD5 authentication on the interface
        (config-if)#ip authentication mode eigrp 10 md5
    - And use the key chain previously created on the interface
        (config-if)#ip authentication key-chain eigrp 10 SecurityNik
       
   
Reference:
CCNP official Cert Guide - CCNP Routing and Switching - Route 300-101
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html
http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfeigrp.html
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/prod_presentation0900aecd80310f03.pdf
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/whitepaper_C11-720525.html
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf

Cisco CCNP - 300-101 - Understanding EIGRP

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).


In this post I will be focusing on Understanding (refreshing my memory) EIGRP


    - Neighboring routers must be configured with the same ASN
        e.g. router eigrp 1

    - EIGRP is only enabled on interfaces matched by the network command
    - Neighbors are discovered via multicast EIGRP Hello messages
    - Advertises its connected subnets
    - Uses either a wildcard mask or a classful network number
    - If no wildcard mask is used, EIGRP is enabled for all configured interfaces within the classful network

    e.g. of a wildcard mask: for network 10.0.0.0/24 the wildcard mask is 0.0.0.255, i.e. "network 10.0.0.0 0.0.0.255"
   
    - By default EIGRP uses bandwidth and delay to calculate metric
    interface load and reliability are some of the other available options. NOT RECOMMENDED BY CISCO
    - MTU is not used in metric calculation but can be used as a tiebreaker. In this case the path with the higher MTU is selected
    - EIGRP only uses MD5 for authentication
    - Hold timer is 15 seconds (default) - Frame Relay 180 seconds
    - if no Hello messages are received from the router within the hold time, the route is considered unavailable or the neighbor is dead
    - EIGRP can use Bi-Directional Forwarding Detection (BFD) which provides subsecond detection of failure
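The network-statement matching described above (wildcard mask vs. classful fallback), as an added example that is not code from the post. The router interfaces are constructed sample values, and the wildcard match is done bitwise so it also covers discontiguous wildcards, which goes beyond the /24 case in the note.

```python
import ipaddress

# Constructed sample router: interface -> IP/prefix (assumed values, not from the post)
INTERFACES = {
    "fa0/0": "10.0.0.1/24",
    "fa1/0": "10.1.0.1/24",
    "fa2/0": "172.16.0.1/24",
    "lo1":   "192.168.0.1/32",
}

def wildcard_statement(cidr):
    """Build the 'network A.B.C.D wildcard' form for a prefix, eg 10.0.0.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"network {net.network_address} {net.hostmask}"

def classful_network(address):
    """Classful (A/B/C) network of an address, which is what IOS assumes when a
    network statement carries no wildcard mask."""
    first_octet = int(address.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)

def matches(statement, iface_ip):
    """True if iface_ip is matched by an EIGRP network statement.
    Accepts 'network A.B.C.D' (classful) or 'network A.B.C.D W.X.Y.Z'."""
    parts = statement.split()
    if parts and parts[0] == "network":
        parts = parts[1:]
    ip = int(ipaddress.ip_address(iface_ip))
    if len(parts) == 1:                       # no wildcard: classful match
        return ipaddress.ip_address(iface_ip) in classful_network(parts[0])
    net = int(ipaddress.ip_address(parts[0]))
    wild = int(ipaddress.ip_address(parts[1]))
    care = ~wild & 0xFFFFFFFF                 # bits the wildcard says must match
    return (ip & care) == (net & care)        # also handles discontiguous wildcards

def eigrp_enabled_interfaces(statements, interfaces=INTERFACES):
    """Sorted names of the interfaces EIGRP would run on for these statements."""
    enabled = set()
    for stmt in statements:
        for name, cidr in interfaces.items():
            if matches(stmt, cidr.split("/")[0]):
                enabled.add(name)
    return sorted(enabled)

if __name__ == "__main__":
    print(wildcard_statement("10.0.0.0/24"))                        # network 10.0.0.0 0.0.0.255
    print(eigrp_enabled_interfaces(["network 10.0.0.0"]))            # classful /8: fa0/0 and fa1/0
    print(eigrp_enabled_interfaces(["network 10.0.0.0 0.0.0.255"]))  # wildcard: fa0/0 only
```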
   
   
    - Ratio of hold timer to hello timer is 3:1
    - The hello timer tells the local router what to do (how often to send Hellos)
    - The hold timer tells the neighbor what to do (how long to wait before declaring the local router dead)
    - Hold timer and hello timer are configured per interface, not per neighbor
    - Setting the hold timer smaller than the hello timer results in flapping routes
    - Hello and hold timers don't have to match for a neighborship to be formed
   
   
   
    - Uses a "Router ID" (RID) to represent each router
    - Router ID is 32 bits
    - Router ID is determined when the process starts
    - can be set manually with "eigrp router-id x.x.x.x"
      otherwise the highest IP on a loopback interface is used
      otherwise the highest IP on a non-loopback interface is used
    - Duplicate RIDs do not prevent routers from forming a neighborship
    - RIDs are of greater importance when injecting routes
   

Steps used to add routes
    - Discover neighbors via Hello messages (default every 5 seconds on a LAN)
    - Exchange the full topology at first; partial updates thereafter
    - Choose routes via the lowest metric
    - Continue to send Hello messages


    - Uses Update messages sent to multicast IP 224.0.0.10 to send topology information
    - Update messages are sent via the Reliable Transport Protocol (RTP)
    - A full update sends all routes
    - Full updates occur when neighbors first come up
    - A partial update deals only with changed routes
   
   
   
Learning topology
    - list the neighboring routers (neighbor table)
    - hold all topology information learned from EIGRP neighbors (topology table)
    - choose the best routes (routing table)
   
   
Preventing unwanted neighborship
    - make the interface passive. This disables sending EIGRP Hello messages on that interface
      eg. passive-interface fa0/0
          passive-interface default
    - advertise the connected route via redistribution instead of the network command
   
   
EIGRP Static neighborship
    - seldom used
    - neighbor x.x.x.x <outgoing interface>
    - still needs the network command
    - use "show ip eigrp neighbors detail" to see the static configuration
    - multicast EIGRP messages are disabled on that interface
    - once a static neighbor is configured on an interface, neighbors can no longer be learnt dynamically on it
   
   
Configuring K-Values - Metric Component
    - Uses bandwidth and delay by default (K1=1, K2=0, K3=1, K4=0, K5=0)
    - Formula can be changed to use link load and reliability - NOT RECOMMENDED
    - bandwidth and/or delay can also be disabled
    - Available Ks are K1, K2, K3, K4, K5
    - use "metric weights tos k1 k2 k3 k4 k5" under the EIGRP process to set K-values
    - K values must match or neighborship may not be established
    - Will not form a neighborship if the AS does not match
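The classic composite metric those K-values feed, as an added example that is not code from the post: it applies the IOS scaling (10^7 divided by the slowest link's bandwidth in kbps, cumulative delay in tens of microseconds) and shows that with the default K-values only bandwidth and delay count. The link values are constructed, not taken from the lab.

```python
# Constructed link values (assumed, not from the lab); IOS units: bandwidth in
# kbps, delay in microseconds, load and reliability out of 255.
DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5: by default only bandwidth and delay count

def eigrp_metric(hops, k=DEFAULT_K):
    """Classic (32-bit) EIGRP composite metric for a path made of 'hops'.

    Each hop is a dict with 'bandwidth' and 'delay'; 'load' and 'reliability'
    are optional and only matter when K2, K4 or K5 are non-zero.
    """
    k1, k2, k3, k4, k5 = k
    min_bw = min(h["bandwidth"] for h in hops)          # slowest link on the path
    total_delay = sum(h["delay"] for h in hops)         # delay accumulates per hop
    load = max(h.get("load", 1) for h in hops)
    reliability = min(h.get("reliability", 255) for h in hops)

    bw = 10_000_000 // min_bw       # IOS scales bandwidth as 10^7 / kbps
    delay = total_delay // 10       # and delay in tens of microseconds

    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                     # K5 == 0 turns the reliability term off
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def can_form_neighborship(local, remote):
    """Two routers only become neighbors when ASN and K-values both match."""
    return local["asn"] == remote["asn"] and tuple(local["k"]) == tuple(remote["k"])

if __name__ == "__main__":
    fe = {"bandwidth": 100000, "delay": 100}      # FastEthernet: 100 Mbps, 100 usec
    t1 = {"bandwidth": 1544, "delay": 20000}      # Serial T1: 1544 kbps, 20000 usec
    print(eigrp_metric([fe]))            # 28160 (one FastEthernet hop)
    print(eigrp_metric([fe, fe]))        # 30720 (two FastEthernet hops)
    print(eigrp_metric([t1]))            # 2169856 (one T1 hop)
    print(can_form_neighborship({"asn": 1, "k": DEFAULT_K},
                                {"asn": 1, "k": (1, 1, 1, 0, 0)}))   # False: K2 differs
```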
   
   
   
Verifying EIGRP config
    show ip eigrp interfaces - lists EIGRP-enabled interfaces
    show ip protocols - shows each routing process
    show ip eigrp neighbors - lists known EIGRP neighbors
    show ip eigrp topology - lists the topology table (successors and feasible successors)
    show ip route - shows the routing table - D is for EIGRP
    show ip eigrp traffic - shows counts of EIGRP packets sent and received



Reference:
CCNP official Cert Guide - CCNP Routing and Switching - Route 300-101
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html
http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfeigrp.html
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/Advances_In_EIGRP.pdf
http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/prod_presentation0900aecd80310f03.pdf
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enhanced-interior-gateway-routing-protocol-eigrp/whitepaper_C11-720525.html

Cisco CCNP - 300-101 - Configuring and Verifying DMVPN, NHRP, GRE Tunnel while Peeking at the raw packet

So it's that time again for me to renew my Cisco Certifications. As a result, this post is based on my preparation for the CCNP Route Exam (300-101).

In this post I will be focusing on Configuring and Verifying DMVPN, NHRP, GRE Tunnel while Peeking at the raw packet

Topology



This topology consists of one internet router, an HQ and 2 Branches.

Internet Router:
    - Interface fa0/0 - connected to HQ - IP 3.0.0.1/24
    - Interface fa1/0 - connected to Branch-1 - IP 5.0.0.1/24
    - Interface fa2/0 - connected to Branch-2 - IP 4.0.0.1/24
    - Interface lo7 - Loopback for testing - IP 7.0.0.1/32
    - Interface lo8 - Loopback for testing - IP 8.0.0.1/32
       

HQ
    - Interface fa0/0 - connected to Internet - IP 3.0.0.2/24
    - Interface lo1 - Loopback for testing - IP 1.0.0.1/32
    - Interface lo2 - Loopback for testing - IP 2.0.0.1/32
    - Default Gateway - 3.0.0.1

    DMVPN IP
        - 192.168.0.1/24
       
       
Branch-1
    - Interface fa0/0 - connected to Internet - IP 5.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 10.0.0.1/24
    - Default Gateway - 5.0.0.1
   
    203 Server on Branch 1 - LAN
        eth0 - 10.0.0.2/24
        Default Gateway - 10.0.0.1

    DMVPN IP
        - 192.168.0.2/24

       
Branch-2
    - Interface fa0/0 - connected to Internet - IP 4.0.0.2/24
    - Interface fa1/0 - connected to LAN - IP 172.16.0.1/24
    - Default Gateway - 4.0.0.1

    Kali Host on Branch-2
        eth0 - 172.16.0.2/24
        Default Gateway - 172.16.0.1
       
    DMVPN IP
        - 192.168.0.3/24


Configuration before DMVPN

Internet

HQ

Branch-1

Branch-2

Configuration after DMVPN

HQ DMVPN Tunnel

Branch-1 DMVPN Tunnel

Branch-2 DMVPN Tunnel

Verification

Now that the systems have been configured, it's time to verify the configuration is working.

HQ

Looks good!

Still looking good!!

Branch-1

Looks good!

Still looking good!!

Branch-2

Looks good!

Still looking good!!

The final verification is to ensure the hosts in the 2 remote branches can ping (and traceroute) each other. To ensure the hosts are reachable I've enabled EIGRP on the tunnel. In a future post I will go through EIGRP.

Ping looks good!

Traceroute looks better!! I say it looks better because this validates the path taken to get from Branch-2 to Branch-1.


Peeking into the NHRP Packets

Looks like the process of establishing communication between a Next Hop Server (NHS) and a Next Hop Client (NHC) takes 2 packets.
From the looks of it, in the first packet I see a registration request with ID "65542".
Next I see a registration reply with ID "65542" and "Code=Success".

NHRP Registration Request

By capturing the registration packet I've managed to determine what the password is. Obviously there is a lot more to be gained from this packet capture.

NHRP Registration Reply

Similarly, the reply shows us all the information needed to understand the NHRP registration request/reply process.

All is well. This lab is completed.


References:
https://tools.ietf.org/html/rfc2332
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMVPN_1.html
http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html