Switching Types
- Cisco Express Forwarding (CEF)
Default switching type
“show ip cef summary”
“show ip cef exact-route 1.1.1.1 2.2.2.2”
“show ip cef 1.1.1.1 detail”
To turn off: “no ip cef”
- Fast switching
Uses IP routing table for initial route lookup and stores the result in a cache
“show ip cache”
- Process switching
Queries the IP routing table directly
Causes high CPU utilization
Debug with access-list 99 (source 5.5.5.5)
R5(config)#access-list 99 permit 5.5.5.5
R5#debug ip packet 99
### test ping
R5#ping 46.46.46.46 source 5.5.5.5 repeat 2
Path Control Methods
Path control: The control of packet forwarding on a hop-by-hop basis
Path Control Configuration Points
- Routing protocol decisions
Modifying metrics
Modifying route types
Distribute lists
- Administrative distance
External Border Gateway Protocol (eBGP) has an AD of 20
- IP routing table
Static routes have an AD of 1
Connected routes have an AD of 0
Tunnel interfaces show up as connected routes in the IP routing table
- Switching process
Overrides normal packet switching behavior (Policy Based Routing)
Can be forwarded based on something other than the destination prefix
Border Gateway Protocol (BGP)
BGP is an external gateway protocol (EGP)
Also sometimes called a reachability protocol
Public BGP AS numbers
- Assigned by the Internet Assigned Numbers Authority
- Ranges from 1 to 64,511
Private BGP AS numbers
- Range from 64,512 to 65,534
Advantages of BGP
- Route stability
- BGP is a path vector protocol, not a distance vector protocol
- Loop prevention. BGP uses the AS path to determine if there is a routing loop
Path Vector vs. Distance Vector
Path vector (BGP)
- Concerned with the number of AS to reach a destination
Distance vector (EIGRP, RIP)
- Concerned with the number of hops or distance to reach a destination
Establishing a BGP Session
- BGP routers communicate via TCP port 179
BGP states (peers go through 6 states)
- Idle
A BGP router tries to initiate a TCP connection with a peer
It also listens for an incoming connection from that peer
- Connect
BGP waits for the TCP connection with the peer to be completed
Once the connection is completed, the router with the higher IP address manages the connection
- Active
The active router (higher IP) starts a new TCP connection with its peer
The passive router (lower IP) listens for the new connection
Active means the peers have not yet established a BGP session.
- OpenSent
Both routers perform sanity checks
If the checks don’t pass, the routers move back into the Idle state
- OpenConfirm
Each BGP router waits to receive a keepalive message
Keepalive messages are sent by default every 60 seconds
The default hold time is 180 seconds
- Established
BGP peers begin to exchange routing updates
Peering & Authentication
Customer request:
- Configure R1 & R4 (AS 64,477) to establish eBGP peering with ISP1 (AS 65,550)
- If a password is required, it will be set to “cisco”
R1(config)#router bgp 64477
R1(config-router)#neighbor 203.0.113.2 remote-as 65550
R1(config-router)#neighbor 203.0.113.2 password cisco
R1#show bgp neighbor
R1#show ip route bgp
R1#show ip bgp
R4(config)#router bgp 64477
R4(config-router)#neighbor 198.51.100.2 remote-as 65550
R4(config-router)#neighbor 198.51.100.2 password cisco
R4#show bgp neighbor
R4#show ip route bgp
R4#show ip bgp
ISP1(config)#router bgp 65550
ISP1(config-router)#neighbor 198.51.100.1 remote-as 64477
ISP1(config-router)#neighbor 198.51.100.1 password cisco
ISP1(config-router)#neighbor 203.0.113.1 remote-as 64477
ISP1(config-router)#neighbor 203.0.113.1 password cisco
Mutual Redistribution with BGP, OSPF & EIGRP
BGP path attributes
Characteristics of a BGP route that are advertised with a route
BGP Best Path Selection
- Uses both BGP path attributes and locally significant parameters
- Weight has the highest precedence
Customer Request:
- On R1, redistribute connected routes into BGP AS 64477
- Perform mutual redistribution as follows
On R1, between BGP AS 64477 and OSPF
On R4, between BGP AS 64477 and EIGRP 10
R1(config)#router bgp 64477
R1(config-router)#redistribute connected
R1(config-router)#redistribute ospf 1
### BGP into OSPF 1 (the subnets keyword is required, otherwise only classful networks are redistributed)
R1(config)#router ospf 1
R1(config-router)#redistribute bgp 64477 subnets
R4(config)#router bgp 64477
R4(config-router)#redistribute eigrp 10
R4(config)#router eigrp 10
R4(config-router)#redistribute bgp 64477 metric 10000 10 255 1 1500
Understanding Best Path Selection
Customer request:
- Ensure ISP1 selects the path through 198.51.100.1 as its best path to the 1.0.0.0/8 prefix
- Do not make any changes to ISP1
ISP1#show ip bgp
ISP1#show ip bgp 6.6.6.6
### Check Weight, localpref, Origin
### You can influence Origin type by "network x.x.x.x" on next hop (R4) running BGP
- Weight
Locally significant
Not advertised to other routers
Provides a way to influence outbound traffic
- Local Preference
Optional path attribute that may be advertised within an AS
Used for setting a preferred path out of an AS
Default value is 100
- Shortest AS path
The path that goes through the fewest number of AS is more preferred
- Origin type
Incomplete (Prefix was redistributed into BGP)
IGP. Preferred. (Prefix was advertised into BGP using the network statement)
- Multi-exit Discriminator (MED)
Lower is more preferred.
When an IGP (EIGRP, OSPF or RIP) is redistributed into BGP, the metric of the IGP becomes the BGP MED.
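The selection steps above, as an added worked example that is not part of the original notes: a small Python model that compares candidate paths in the order the notes list (reachable next hop, weight, local preference, AS path length, origin, MED) and reports which step decided. The sample paths reconstruct the ISP1 request above and are constructed here; the AS path and next-hop values are assumptions.

```python
from dataclasses import dataclass, field

# Lower rank is preferred: IGP (network statement) beats EGP beats incomplete (redistributed).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    weight: int = 0                                  # locally significant, highest wins
    local_pref: int = 100                            # IOS default is 100, highest wins
    as_path: tuple = field(default_factory=tuple)    # fewest AS hops wins
    origin: str = "igp"                              # see ORIGIN_RANK
    med: int = 0                                     # lowest wins

# Decision steps in the order the notes list them; each maps a path to a value
# where a smaller value is better, so the steps form a tuple sort key.
STEPS = (
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),
)

def sort_key(path):
    return tuple(f(path) for _, f in STEPS)

def best_path(paths, reachable_next_hops):
    """Best path for one prefix, or None. A path whose next hop is not
    reachable is skipped, since it would never be installed in the RIB."""
    usable = [p for p in paths if p.next_hop in reachable_next_hops]
    return min(usable, key=sort_key) if usable else None

def deciding_step(a, b):
    """Name the first step at which two paths differ ('tie' if they are equal)."""
    for name, f in STEPS:
        if f(a) != f(b):
            return name
    return "tie"

def isp1_example():
    """Constructed sample for the ISP1 request: 1.0.0.0/8 is learned from R1
    (redistributed, origin incomplete) and R4 (network statement, origin IGP).
    Weight, local preference and AS path tie, so origin decides for R4."""
    via_r1 = BgpPath("1.0.0.0/8", "203.0.113.1", as_path=(64477,), origin="incomplete")
    via_r4 = BgpPath("1.0.0.0/8", "198.51.100.1", as_path=(64477,), origin="igp")
    best = best_path([via_r1, via_r4], {"203.0.113.1", "198.51.100.1"})
    loser = via_r1 if best is via_r4 else via_r4
    return best, deciding_step(best, loser)
```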
Note*
- If the next hop for a route is not reachable, it will not get installed in the IP routing table
- A RIB failure occurs if an IGP with a lower AD already has a route in the IP routing table
- A route redistributed from an IGP into BGP will have the “incomplete” origin type
- A route advertised using the “network” statement will have the IGP origin type
- In BGP, “network” statement does not behave like EIGRP or OSPF
Static Routing
When combined with dynamic routing and redistribution, simple static routing can behave in unexpected ways.
Static route components
- Prefix (IP address, subnet mask)
- Next hop (Interface, IP address)
- Administrative distance (Default 1)
Static Route tracking using IP SLA
Customer request:
- Ensure R4 removes its existing static default route if ISP1 interface IP 198.51.100.2 becomes unreachable
R4#show ip route 0.0.0.0
### Verify the static route
R4#traceroute x.x.x.x
### Confirm the routing loop caused by the static route
### Remove static route when 198.51.100.2 is unreachable
R4(config)#ip sla 1
R4(config-ip-sla)#icmp-echo 198.51.100.2
R4(config-ip-sla-echo)#timeout 5000
### 5 seconds
R4(config-ip-sla-echo)#frequency 5
R4(config)#ip sla schedule 1 life forever start-time now
### setup tracking (Object Tracker)
R4(config)#track 1 ip sla 1 reachability
### Verify tracking
R4#show track
### Manually remove existing default route and recreate with track
R4(config)#no ip route 0.0.0.0 0.0.0.0 198.51.100.2
R4(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.2 track 1
Why remove a static route?
- Allows a backup static route to take effect
(Floating static route)
Backup Paths using Floating Static Routes
Floating static Route
- A route with an administrative distance higher than the primary route
- AD greater than 1
Customer request:
- On R4, configure a floating static route that uses R1 interface IP 10.0.14.1 as its default gateway
- Configure this route with an AD of 4
R4(config)#ip route 0.0.0.0 0.0.0.0 10.0.14.1 4
R4#show ip route 0.0.0.0
### Test. Shutdown primary path interface and check new path
R4(config-if)#shutdown
R4#show ip route 0.0.0.0
R4#traceroute x.x.x.x
Interface Next Hops
- Requires layer 3 to layer 2 resolution
- ARP request for each destination address
- Potential for thousands of ARP requests!
IP Address Next Hops
- One ARP request for the next hop IP address
- Far less overhead!
Customer request:
- On R5, configure a static route for the 8.0.0.0/8 prefix using Fa0/0 as the next hop interface and 10.0.56.6 as the next hop IP address
- Modify the next hop parameters if necessary to achieve IP reachability to 8.8.8.8
- Do not consult any network diagrams
R5(config)#ip route 8.0.0.0 255.0.0.0 e0/0 10.0.56.6
### when tested not working, recreate with hop parameters modified
R5(config)#no ip route 8.0.0.0 255.0.0.0 FastEthernet0/0 10.0.56.6
R5(config)#ip route 8.0.0.0 255.0.0.0 fa0/0 10.0.56.6
Static route Notes*
- Routing loops are often caused by leftover static routes.
- A prefix is an IP network and subnet mask pairing.
e.g. 192.168.0.0/24 is not equal to 192.168.0.0/16
- Configuring an interface next hop requires layer 3 to layer 2 resolution of each destination address (because of the potential for thousands of ARP requests, this method is not recommended).
- When both an interface and an IP address next hop are configured, the router will try to reach the next hop using that interface.
- When an IP address next hop is configured, the router will verify that the next hop’s network prefix is in the IP routing table before installing the route.
- If the next hop is not reachable, the route will get installed but packets will not get routed to the next hop.
- The IP SLA feature with object tracking can be used to create conditional static routes.
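The static route rules above (lowest AD wins, next hop must be resolvable before installation, and a tracked route is withdrawn when its IP SLA object goes down so the floating static route takes over), as an added Python model that is not part of the original notes. The R4 scenario reuses the addresses from the requests above; the connected subnets 198.51.100.0/30 and 10.0.14.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                  # e.g. "0.0.0.0/0"
    next_hop: str                # next-hop IP address
    ad: int = 1                  # administrative distance (static default is 1)
    track: Optional[int] = None  # object-tracker id, or None if untracked

def next_hop_resolvable(next_hop, connected_prefixes):
    """A static route with an IP next hop is only installed when the next hop
    falls inside a prefix already in the table; the table is modelled here as
    the set of connected prefixes."""
    ip = ipaddress.ip_address(next_hop)
    return any(ip in ipaddress.ip_network(p) for p in connected_prefixes)

def install(candidates, connected_prefixes, track_state):
    """Return {prefix: Route}, keeping the single lowest-AD usable candidate
    per prefix. track_state maps tracker id -> True (up) / False (down)."""
    rib = {}
    for r in candidates:
        if r.track is not None and not track_state.get(r.track, False):
            continue  # tracked object is down: route is removed
        if not next_hop_resolvable(r.next_hop, connected_prefixes):
            continue  # next hop not in the table: route is never installed
        current = rib.get(r.prefix)
        if current is None or r.ad < current.ad:
            rib[r.prefix] = r
    return rib

def r4_default_route(isp_reachable):
    """Constructed R4 scenario: primary default route via ISP1 (198.51.100.2,
    AD 1, track 1) and a floating static via R1 (10.0.14.1, AD 4). Returns the
    next hop of the installed default route for the given tracker state."""
    candidates = [
        Route("0.0.0.0/0", "198.51.100.2", ad=1, track=1),
        Route("0.0.0.0/0", "10.0.14.1", ad=4),
    ]
    connected = {"198.51.100.0/30", "10.0.14.0/24"}  # assumed connected subnets
    rib = install(candidates, connected, {1: isp_reachable})
    return rib["0.0.0.0/0"].next_hop
```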
Configuring Path Control for Dynamic Routing Protocol
Why manipulate routing protocol decisions?
- Cause delay-sensitive traffic (e.g. VoIP) to use a low bandwidth, low delay link
- OSPF may not choose the best path (OSPF prefers intra-area route over inter-area)
Tricking routing protocols into using alternate paths
For example, EIGRP looks at bandwidth while OSPF looks at cost.
- Adding information
(advertise a summary or default route)
- Removing information
(use a distribute list to block an EIGRP advertisement)
(use a route map and prefix list to prevent certain prefixes from being redistributed)
Customer request:
- R1 loopback (1.1.1.1) takes the path R2->R3->R4->R5 to 5.5.5.5
- Modify existing dynamic routing protocols as necessary so that traffic takes the following path
ISP1 -> R4 -> R3 -> R6 -> R5
### Check current path to 5.5.5.5
R1#traceroute 5.5.5.5 source 1.1.1.1
### Block the OSPF inbound advertisement from being installed in the routing table
R1(config)#router ospf 1
R1(config-router)#distribute-list route-map RM_NO5555 in
R1(config)#route-map RM_NO5555 deny 10
R1(config-route-map)#match ip address prefix-list PL_5555
### Permit everything else (a route map ends with an implicit deny)
R1(config)#route-map RM_NO5555 permit 20
R1(config)#ip prefix-list PL_5555 permit 5.5.5.5/32
### Create static route via ISP1 203.0.113.2
R1(config)#ip route 5.5.5.5 255.255.255.255 203.0.113.2
### Confirm that the path to 5.5.5.5 is changed
R1#ping 5.5.5.5 source 1.1.1.1
Manipulate path from R4 to R3 (prevent R4 to R5)
### Check current path to 5.5.5.5
R4#traceroute 5.5.5.5
R4#show ip route 5.5.5.5
### Check OSPF Type-7 advertisements (R4 wins over R3, so change over)
R4#show ip ospf database
### Allow R3 to advertise 5.5.5.5 instead by increasing the AD on R4
### Make OSPF more preferred than EIGRP. Default EIGRP (90) is better than OSPF (110)
### Make EIGRP AD 111 with ACL 45
R4(config)#router eigrp 10
R4(config-router)#distance 111 10.0.45.5 0.0.0.0 45
R4(config)#access-list 45 permit 5.5.5.5 0.0.0.0
### Change distance only for this prefix
Modifying OSPF Interface Costs
OSPF chooses the path with the lowest cost
- Higher bandwidth interfaces have a lower cost
- Interface costs can be configured independent of bandwidth
Customer request:
- On R1 & R3, configure loopback 31 with the anycast address 31.31.31.31/32
- Advertise this prefix into OSPF
- Ensure the path through R1 is preferred
R1(config)#int loopback 31
R1(config-if)#ip address 31.31.31.31 255.255.255.255
R1(config)#router ospf 1
R1(config-router)#network 31.31.31.31 0.0.0.0 area 0
R3(config)#int loopback 31
R3(config-if)#ip address 31.31.31.31 255.255.255.255
R3(config)#router ospf 1
R3(config-router)#network 31.31.31.31 0.0.0.0 area 23
### Check that the path via area 23 is preferred
R2#show ip route 31.31.31.31
R2#show ip ospf rib 31.31.31.31
### Check the cost of both interfaces
R2#show ip ospf int br
### Lower the cost of the interface facing R1
R2(config)#int fa0/0
R2(config-if)#ip ospf cost 1
Manipulating Metrics using Offset Lists
Offset Lists
Provide a way to prefer a particular route while maintaining redundant paths
- Can be used by EIGRP or RIP
- Add to or subtract from the route metric
Customer request:
- R5 is performing equal cost load sharing to the 46.46.46.46/32 prefix
- Ensure the path to this prefix via R4 is preferred
- Do not block any route advertisements
- Do not modify the bandwidth or delay of any interface
- Do not make any configuration changes on R5 or R4
R6(config)#router eigrp 10
### Influence the metric going towards R5 (outbound from R6)
R6(config-router)#offset-list 46 out 46000 fa0/0
R6(config)#access-list 46 permit 46.46.46.46 0.0.0.0
### Verify the route metric on neighbor R5
R5#show ip route 46.46.46.46
R5#show ip eigrp topology 46.46.46.46/32
Note*
- Path control may involve tricking routing protocols into choosing alternate paths
- Methods for manipulating routing protocols include (Route maps, prefix lists, distribute lists, offset-lists, summary routes and interface costs)
- There are often multiple ways to achieve the same result (master at least two methods per protocol)
Generic Routing Encapsulation (GRE) Tunnels
- Encapsulates an IPv4 or IPv6 packet inside an IPv4 packet
- Uses IP protocol 47
- GRE tunnels are point-to-point
Tunnel Interfaces
- Shows up in the IP routing table as a connected network
- Can be configured like a normal physical interface
Customer request:
- Create a tunnel between R1 & R4 using ISP1 for transport
- Configure OSPF normal area 14 to run across the tunnel interface
- The interface must be able to support both IPv4 & IPv6 payloads
R1(config)#interface tunnel 14
R1(config-if)#ip address 14.14.14.1 255.255.255.0
R1(config-if)#tunnel source 203.0.113.1
R1(config-if)#tunnel destination 198.51.100.1 ### R4 address
R1(config-if)#tunnel mode gre ip
R4(config)#interface tunnel 14
R4(config-if)#ip address 14.14.14.4 255.255.255.0
R4(config-if)#tunnel source 198.51.100.1
R4(config-if)#tunnel destination 203.0.113.1
R4(config-if)#tunnel mode gre ip
### Run OSPF area 14 over the tunnel
R1(config)#router ospf 1
R1(config-router)#network 14.14.14.1 0.0.0.0 area 14
R4(config)#router ospf 1
R4(config-router)#network 14.14.14.4 0.0.0.0 area 14
### Verify tunnel
R1#show int tunnel 14
R4#show int tunnel 14
GRE Tunnel Requirements
- Tunnel source interface or IP address
- Tunnel destination IP address
GRE Tunnels don’t scale
- Five routers require eight tunnels!
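GRE framing as the notes describe it (an IPv4 or IPv6 packet carried inside an IPv4 packet with protocol 47), as an added Python example that is not part of the original notes: a builder for a constructed sample and a parser that recognises GRE, walks the optional checksum/key/sequence fields and reports the inner payload type. The outer addresses reuse the R1/R4 tunnel endpoints above; the IPv4 checksum is left at zero because it is not needed for parsing.

```python
import struct

GRE_PROTO = 47
ETHERTYPE = {0x0800: "ipv4", 0x86DD: "ipv6"}  # GRE protocol-type values

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options); checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def build_gre_packet(outer_src, outer_dst, inner, ethertype, key=None):
    """Outer IPv4 header + GRE header + inner packet. With key=None the GRE
    header is the 4-byte form IOS uses by default; a key sets the K bit."""
    if key is None:
        gre = struct.pack("!HH", 0, ethertype)
    else:
        gre = struct.pack("!HHI", 0x2000, ethertype, key)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def is_gre(packet):
    return len(packet) >= 24 and packet[0] >> 4 == 4 and packet[9] == GRE_PROTO

def parse_gre(packet):
    """Return (outer_src, outer_dst, payload_type, inner_bytes) or raise ValueError."""
    if not is_gre(packet):
        raise ValueError("not GRE over IPv4")
    ihl = (packet[0] & 0x0F) * 4                      # outer header length
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    flags, ptype = struct.unpack_from("!HH", packet, ihl)
    hdr = 4
    if flags & 0x8000:
        hdr += 4                                      # C bit: checksum + reserved1
    if flags & 0x2000:
        hdr += 4                                      # K bit: key (RFC 2890)
    if flags & 0x1000:
        hdr += 4                                      # S bit: sequence number
    inner = packet[ihl + hdr:]
    return src, dst, ETHERTYPE.get(ptype, hex(ptype)), inner

def r1_to_r4_sample(key=None):
    """Constructed sample: R1 (203.0.113.1) tunnels a bare IPv4 header
    14.14.14.1 -> 14.14.14.4 (protocol 1, no payload) to R4 (198.51.100.1)."""
    inner = ipv4_header("14.14.14.1", "14.14.14.4", 1, 0)
    return build_gre_packet("203.0.113.1", "198.51.100.1", inner, 0x0800, key)
```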
Dynamic Multipoint VPN (DMVPN)
- Very similar to frame relay
- Multipoint GRE (mGRE)
- Next hop resolution protocol (NHRP)
- IPsec
Multipoint GRE (mGRE)
- mGRE tunnels do not specify a destination IP address
- The destination is set dynamically
Next Hop Resolution Protocol (NHRP)
- Maps a tunnel IP address to an interface IP address
- Provides layer 3 to layer 3 resolution
Example R2 (Tunnel interface: 192.168.246.2). Physical interface: 10.0.24.2
Example R4 (Tunnel interface: 192.168.246.4). Physical interface: unknown
### Configuring an NHRP Mapping
R2(config-if)#ip nhrp map 192.168.246.4 10.0.24.2
Next Hop Server (NHS) example
- NHS eliminates the need for multiple NHRP IP mappings
IPsec
- Provides encryption for mGRE tunnels
Customer request:
- A dynamic multipoint VPN has been configured among R2, R4 & R6
- The DMVPN subnet is 192.168.246.0/24
- Determine which router is the hub and which are the spokes
- Determine whether the mGRE tunnels are secure
R2#show dmvpn
ISP1#show ip nhrp
ISP1#show crypto ipsec sa
ISP1#show crypto isakmp sa
Virtual Routing and Forwarding (VRF) Lite
- Virtual IP routing table
- Virtual IP forwarding table
- Member interfaces or sub-interfaces
- Simply put, it’s like a virtual router inside a physical router
Virtual Routing and Forwarding
- Isolated from the global IP routing and forwarding tables
- Useful for isolating networks without having additional routers
VRF vs. VLAN
- VLAN. Isolates broadcast domains
- VRF. Isolates layer 3 routing domains
Customer request:
- On R4 & R1, create a VRF named “test” and add the Tunnel14 interface to it
- Configure EIGRP AS 10 to run over the existing Tunnel14 interface
R4(config)#ip vrf test
R4#show ip vrf
R4(config)#int tunnel 14
R4(config-if)#ip vrf forwarding test
% Interface Tunnel14 IPv4 disabled and address(es) removed due to disabling VRF test
### tunnel interface lost its ip address and became independent
R4(config-if)#ip address 14.14.14.4 255.255.255.0
### VRF with eigrp 10
R4(config)#router eigrp 10
R4(config-router)#address-family ipv4 vrf test autonomous-system 10
R4(config-router-af)#network 0.0.0.0
### confirm the VRF ip address and route no longer exist in the global table (independent)
R4#show ip route
R4#show ip route vrf test
### Unable to ping as it's using the global IP table
R4#ping 14.14.14.1 source 14.14.14.4
% Invalid source address- IP address not on any of our up interfaces
### Must specify vrf
R4#ping vrf test 14.14.14.1 source 14.14.14.4
Configure VRF too on R1
R1(config)#ip vrf test
R1(config)#int tunnel 14
R1(config-if)#ip vrf forwarding test
R1(config-if)#ip address 14.14.14.1 255.255.255.0
R1(config)#router eigrp 10
R1(config-router)#address-family ipv4 vrf test autonomous-system 10
R1(config-router-af)#network 0.0.0.0
### EIGRP interface also independent
R1#show ip eigrp interfaces
### Check EIGRP VRF interface
R1#show ip eigrp vrf test interfaces
R1#show ip eigrp vrf test neighbors
R1#show ip eigrp vrf test topology
Put loopback interface into VRF
R1(config)#int loopback 14
R1(config-if)#ip vrf forwarding test
R1(config-if)#ip address 14.0.0.1 255.255.255.255
### Check from neighbor
R4#show ip route vrf test
R4#show ip cef vrf test
Cisco Easy Virtual Network (EVN)
Multi-VRF Configuration
R1(config)#vrf definition yellow
R1(config-vrf)#vnet tag 1001
R1(config-vrf)#address-family ipv4
### Locate interface facing R8 and enable vnet trunk
R1(config-vrf-af)#do show cdp neighbor
R1(config-vrf-af)#int fa1/0
R1(config-if)#vnet trunk
### Check and confirm the sub interface yellow
R1#show vnet
Cisco EVN & VRFs
- EVN still uses VRFs
- Just like multi-VRF, EVN uses separate IP routing and forwarding tables and interfaces
Differences between EVN & manual multi-VRF setup
- VNET tag
- Automatic configuration of subinterfaces
- Automatic 802.1q trunk configuration
Note*
- GRE provides a virtual point-to-point tunnel that can carry IPv4 or IPv6 traffic
- GRE uses IP protocol 47
- Multipoint GRE (mGRE) tunnels are point-to-multipoint and do not have a static destination endpoint
- DMVPN can consolidate multiple point-to-point connections into a single, secure NBMA network
- Must know how to set up DMVPN
- A VRF provides isolated IP routing and forwarding tables (isolate layer 3 routing domains)
- VRFs can be used to isolate traffic on shared network infrastructure
- Cisco EVN simplifies the configuration of a multi-VRF topology
Policy Based Routing (PBR)
- Explicitly sets the outgoing interface and next hop
- Can make forwarding decisions on something other than the destination prefix
Why use Policy Based Routing (PBR)
- Send traffic from an important server across high bandwidth link
- Forward traffic based on the destination protocol and port
Customer request:
- R1 loopback0 (1.1.1.1) takes the path (ISP1 -> R4 -> R3 -> R5) to 5.5.5.5
- Configure R3 to forward any traffic from R4 to R2
### Create route-map
R3(config)#route-map RM_GOTOR2 permit 10
R3(config-route-map)#set ip next-hop 10.0.23.2
R3(config-route-map)#set interface OutgoingInterfaceX/X
%Warning:Use P2P interface for routemap setinterface clause
### Apply route-map
R3(config-route-map)#int fa0/0
R3(config-if)#ip policy route-map RM_GOTOR2
### Verify ip policy
R3#show ip policy
Configuring Policy Based Routing
Must know how to configure while you are asleep!
### STEP1. Create route map
R3(config)#route-map RM_GOTOR2 permit 10
### STEP2. Set next hop (must be reachable or else fall back to normal routing)
R3(config-route-map)#set ip next-hop 10.0.23.2
### STEP3. Set outgoing interface
R3(config-route-map)#set int fa0/1
### STEP4. Apply route-map on the incoming interface
R3(config-route-map)#int fa0/0
R3(config-if)#ip policy route-map RM_GOTOR2
Customer Request
- On R7 configure and advertise the following loopbacks into OSPF area 27
Loopback1 7.0.0.1/32
Loopback2 7.0.0.2/32
- Configure routing on R2 as follows.
If a packet from 7.0.0.1 is received, forward it to R1
If a packet from 7.0.0.2 is received, forward it to R3
R7(config)#router ospf 7
R7(config-router)#network 10.0.27.0 0.0.0.15 area 27
R7(config-router)#network 7.0.0.0 0.0.0.255 area 27
R2(config)#route-map RM_SEVEN permit 10
R2(config-route-map)#match ip address 71
R2(config-route-map)#set ip next-hop 10.0.12.1
R2(config)#route-map RM_SEVEN permit 20
R2(config-route-map)#match ip address 72
R2(config-route-map)#set ip next-hop 10.0.23.3
R2(config)#access-list 71 permit 7.0.0.1 0.0.0.0
R2(config)#access-list 72 permit 7.0.0.2 0.0.0.0
### Apply to incoming interface
R2(config)#int fa1/0
R2(config-if)#ip policy route-map RM_SEVEN
### Test and confirm
R7#traceroute 8.8.8.8 source 7.0.0.1
R7#traceroute 8.8.8.8 source 7.0.0.2
R7#ping 8.8.8.8 source 7.0.0.1 repeat 1000000
R2#show route-map
PBR (Matching Protocols and Ports)
Example with TCP
### STEP1. Create route-map
R7(config)#route-map RM_TCP permit 10
### STEP2. Match
R7(config-route-map)#match ip address 101
### STEP3. Set next hop
R7(config-route-map)#set ip next-hop 9.9.9.9
### Complete access-list
R7(config)#access-list 101 permit tcp any any
Example with Telnet
### STEP 1 (create route-map)
R7(config)#route-map RM_TCP23 permit 10
### STEP 2 (Match)
R7(config-route-map)#match ip address 101
### STEP 3 (Set next hop)
R7(config-route-map)#set ip next-hop 9.9.9.9
### STEP 4 (create access-list to complete the route-map)
R7(config)#access-list 101 permit tcp any any eq telnet
Note*
- Policy Based Routing (PBR) takes precedence over routing protocols, administrative distance, and static routes
- If the next hop is not reachable, the router will fall back to destination-based routing
- An outgoing interface can be set instead of or in addition to a next hop IP
- PBR route maps are applied on the inbound interface
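The PBR behaviour summarised above (first matching sequence wins, a deny or no match means normal destination-based routing, and an unreachable next hop falls back to it as well), as an added Python model that is not part of the original notes. It encodes the R2 route map RM_SEVEN and the Telnet route map from the examples above; the source address 10.0.27.7 used in the checks is an assumption, and ACL entries are written in prefix form instead of IOS address/wildcard form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: Optional[int] = None

@dataclass
class AclEntry:
    src: str = "0.0.0.0/0"          # "any" is 0.0.0.0/0; a host entry is x.x.x.x/32
    dst: str = "0.0.0.0/0"
    proto: str = "ip"               # "ip" matches every protocol
    dport: Optional[int] = None     # "eq <port>" or None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

@dataclass
class Sequence:
    action: str                     # "permit" or "deny"
    acl: list                       # match ip address <acl> (permit entries only)
    next_hop: Optional[str] = None  # set ip next-hop

def policy_route(route_map, pkt, reachable_next_hops):
    """Next hop chosen by the inbound route map for this packet, or
    'destination-based' when the packet falls through to the routing table."""
    for seq in route_map:
        if any(e.matches(pkt) for e in seq.acl):
            if seq.action == "deny" or seq.next_hop is None:
                break                       # deny (or nothing to set): normal routing
            if seq.next_hop in reachable_next_hops:
                return seq.next_hop
            break                           # next hop unreachable: fall back
    return "destination-based"

# R2's RM_SEVEN from the notes: ACL 71 (host 7.0.0.1) -> R1, ACL 72 (host 7.0.0.2) -> R3
RM_SEVEN = [
    Sequence("permit", [AclEntry(src="7.0.0.1/32")], "10.0.12.1"),
    Sequence("permit", [AclEntry(src="7.0.0.2/32")], "10.0.23.3"),
]
# R7's RM_TCP23: ACL 101 "permit tcp any any eq telnet" -> 9.9.9.9
RM_TCP23 = [Sequence("permit", [AclEntry(proto="tcp", dport=23)], "9.9.9.9")]
```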
Summary
- Path control is about influencing packet forwarding decisions on a per-hop basis
- BGP allows separate ASes to share routes regardless of IGP
- Must know BGP session states and how to configure eBGP peerings
- Must know how to configure and use IP SLA with static routes
- Must know how to configure distribute and offset lists and modify interface costs and AD
- Must know how to configure GRE and mGRE tunnel and understand DMVPN & Cisco EVN