Routing Design Principles (EIGRP, OSPF, BGP)

EIGRP design principles

  • EIGRP works for arbitrary topologies in small to medium networks.
  • A flat EIGRP network doesn’t really scale beyond 400 routers and will lead to performance issues.
    • How to solve this?
      • EIGRP stub configuration, summarization and route filtering limit the query scope.
  • If EIGRP doesn’t have a feasible successor it will query all its neighbours.
    • “I don’t have a route anymore, don’t route through me, give me a viable route”.
  • BFD to optimize convergence (100ms with 1000 routes).
  • 2 second hello timer, 6 second hold timer (recommended)

Multiple EIGRP design principles

  • Used to merge two networks (acquisitions)
  • Different administrative groups in a company
  • A way to divide large networks (and control queries)
  • Routes are redistributed between the ASes (don’t create loops!)

LAB I (OSPF over GRE with and without IPsec)

Setup:

  • R1 functions as the internet.
  • R2 is the first location with Public IP 1.1.1.2/30
  • R3 is the second location with Public IP 1.1.2.2/30

A GRE tunnel must be configured between R2 and R3 so that OSPF can run between them. In this example we will use the tunnel with and without IPsec.

Configuration without IPsec:

Router 2 (R2):

# WAN ADDRESS
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!

# TUNNEL ADDRESS
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
!

# LAN ADDRESS
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!

# OSPF CONFIG
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!

# DEFAULT ROUTE (TRAFFIC TOWARDS R3)
ip route 0.0.0.0 0.0.0.0 1.1.1.1
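As an added sanity check (not part of the original lab), the following Python parses the R2 tunnel, LAN and OSPF lines above together with an assumed R3 mirror configuration (R3 is not on the page; its endpoints are simply swapped), and verifies that the GRE endpoints are symmetric and that every interface address is matched by an OSPF network statement, using the fact that ipaddress accepts the inverse (wildcard) mask directly.

```python
import ipaddress
import re

# Constructed input: the R2 tunnel, LAN and OSPF lines from the lab above.
R2_CONFIG = """interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
router ospf 1
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
"""
# Assumed R3 side (not on the page): endpoints swapped, second host of the /30.
R3_CONFIG = """interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 1.1.2.2
 tunnel destination 1.1.1.2
!
"""

def parse_config(text):
    """Extract interface addresses, tunnel endpoints and OSPF network statements."""
    ifaces, nets, cur = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r" tunnel (source|destination) (\S+)", line):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r" network (\S+) (\S+) area (\d+)", line):
            # "0.0.0.3" is a wildcard (hostmask); ipaddress turns it into /30
            nets.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), int(m.group(3))))
    return ifaces, nets

def uncovered_interfaces(ifaces, nets):
    """Interfaces whose address no network statement matches (OSPF will not run there)."""
    return sorted(name for name, i in ifaces.items()
                  if "ip" in i and not any(i["ip"].ip in n for n, _ in nets))

def tunnel_endpoints_match(a, b):
    """True when each side's source is the other's destination and both share one subnet."""
    ta, tb = a["Tunnel0"], b["Tunnel0"]
    return (ta["source"] == tb["destination"] and ta["destination"] == tb["source"]
            and ta["ip"].network == tb["ip"].network)
```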

Advanced STP Features

PortFast

Allows a port running STP to go directly from blocking to forwarding mode.
This will bypass the 50 second timer (20 seconds max age, 15 seconds listening, 15 seconds learning).

sh spanning-tree interface fastEthernet 0/1
SW(config)#spanning-tree portfast ?
 bpdufilter Enable portfast bpdu filter on this switch
 bpduguard Enable portfast bpdu guard on this switch
 default Enable portfast by default on all access ports

SW(config-if)#spanning-tree portfast ?
 disable Disable portfast for this interface
 trunk Enable portfast on the interface even in trunk mode
 <cr>

UplinkFast

Switch01 has two paths to the root (sw0), where one port is FWD and the other is BLK.
With UplinkFast, the ports that could potentially reach the root switch are collectively referred to as an uplink group (including both the FWD and BLK ports). If the FWD port goes down, the other port transitions to FWD almost immediately (within 1-3 seconds).
Not recommended on core and distribution switches, which makes it “PortFast on the access layer”.
UplinkFast is enabled globally and for all VLANs on the switch.

TSHOOT switch

Basics:

  • sh log
  • show interface
  • show cdp neighbors
    • show cdp neighbors detail

Port Security

  • show port-security
  • show port-security interface fa0/1
  • show port-security address

Etherchannel

  • sh cdp nei
  • show etherchannel sum
  • show interfaces port-channel 1

SNMP & NTP

SNMP – Simple Network Management Protocol

  • Manager – Monitoring device
  • Agent – Devices being monitored
  • MIB – Management Information Base
  • UDP port 161
  • Uses GETs and SETs
  • SNMP Traps
    • Agent informs the manager.
  • SNMPv1 and v2c only use community strings (no encryption).
  • SNMPv3 has encryption and authentication.
    • auth – group using the authNoPriv security level
      • Authentication: yes
      • Privacy (encryption): no
    • noauth – group using the noAuthNoPriv security level
      • Authentication: no
      • Privacy (encryption): no
    • priv – group using the authPriv security level
      • Authentication: yes
      • Privacy (encryption): yes
  • If no read view is defined, all objects can be read.
  • If no write view is defined, no objects can be written.
  • If no notify view is defined, group members are not sent notifications.

DMVPN

LAB III (DMVPN, mGRE, NHRP, EIGRP)

  • Point-to-multipoint layer 3 overlay VPN
  • Logical hub and spoke topology
  • Direct spoke-to-spoke traffic is supported

DMVPN uses a combination of:

  • Multipoint GRE tunnels (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • IPsec Crypto Profiles
  • Routing

VPN

  • Virtual Private Network
    • Route exchange privacy
    • Path determination for packets
    • Data security
      • IPsec (IP Security): a collection of standardized protocols that provide
        • Confidentiality
        • Integrity
        • Authentication
        • Anti-replay
