Monday, December 19, 2011

OSPF

Protocol Attributes

Protocol Type

Link-state

Algorithm

Dijkstra (shortest path first)

Metric (IOS)

Cost (bandwidth)

Administrative Distance

110

Specification

RFC 2328 (OSPFv2), RFC 2740 (OSPFv3; since superseded by RFC 5340)

Supported Protocols

IPv4 (OSPFv2), IPv6 (OSPFv3)

Transport

IP/89

Authentication

None (AuType 0), plain text (AuType 1), MD5 (AuType 2, "cryptographic"); RFC 5709 adds HMAC-SHA variants on newer code

AllSPF Multicast Address

224.0.0.5

AllDR Multicast Address

224.0.0.6

Hello Timer

10 seconds (broadcast), 30 seconds (nonbroadcast)

Packet Types

  • Hello - Used to discover and maintain directly connected neighbors; also carries the parameters (timers, area, authentication) that must match for an adjacency to form
  • Database Description (DBD) - Summarizes the sender's link-state database as a list of LSA headers (type, link-state ID, advertising router, sequence number) so the receiver can tell which LSAs it is missing or holds an older copy of
  • Link State Request (LSR) - Requests specific LSAs identified during the DBD exchange
  • Link State Update (LSU) - Carries one or more complete LSAs; sent in reply to an LSR and also to flood new or changed LSAs
  • Link State Acknowledgment (LSAck) - Confirms receipt of flooded LSAs (reliable flooding)

Adjacency Formation

Contents of an OSPF hello packet:

  • Router ID - 32-bit unique number (IP address)
  • Hello/dead intervals - Timers
  • Neighbor list - List of neighboring router IDs
  • Area ID
  • Priority - Used in the DR and BDR elections
  • DR and BDR identifiers
  • Authentication (if enabled)
  • Options - Includes the E-bit (the "stub area flag"), which is clear in a stub area; a hello whose E-bit disagrees with the area type of the receiving interface is rejected
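To make the hello contents and the authentication options concrete, here is an added example (not code from the original notes) that encodes an OSPFv2 Hello following RFC 2328 appendix A, decodes it back, verifies the checksum, and reports what a passive listener on the segment would learn. The router IDs, netmask, neighbor and the password "cisco123" are constructed sample values; only AuType 0 and 1 are built here, since AuType 2 needs an MD5 trailer computed over the packet and key.

```python
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
AUTH_NAMES = {AUTH_NULL: "none", AUTH_SIMPLE: "plain text", AUTH_CRYPTO: "cryptographic"}
OPT_E = 0x02              # Options E-bit: set when the area floods type 5 LSAs, clear in a stub area
HEADER_FMT = "!BBHIIHH"   # version, type, length, router ID, area ID, checksum, AuType (16 bytes)
HELLO_FMT = "!IHBBIII"    # mask, hello interval, options, priority, dead interval, DR, BDR (20 bytes)


def _ip(text):
    return int(IPv4Address(text))


def _checksum(data):
    """RFC 1071 one's-complement sum; OSPF applies it to the packet minus the 8-byte auth field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello=10, dead=40, priority=1,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), stub=False,
                auth_type=AUTH_NULL, password=b""):
    """Encode a Hello. The simple-password field is 8 bytes, so longer passwords are truncated."""
    body = struct.pack(HELLO_FMT, _ip(mask), hello, 0 if stub else OPT_E,
                       priority, dead, _ip(dr), _ip(bdr))
    body += b"".join(struct.pack("!I", _ip(n)) for n in neighbors)
    length = 24 + len(body)
    auth_field = password.ljust(8, b"\x00")[:8] if auth_type == AUTH_SIMPLE else bytes(8)
    # Checksum is computed with the checksum field zeroed and the auth field skipped entirely.
    header = struct.pack(HEADER_FMT, OSPF_VERSION, TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, auth_type)
    csum = _checksum(header + body)
    return header[:12] + struct.pack("!H", csum) + header[14:] + auth_field + body


def parse_hello(pkt):
    """Decode a Hello into a dict, verifying the checksum for AuType 0 and 1."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPF Hello")
    ver, ptype, length, rid, area, csum, auth_type = struct.unpack(HEADER_FMT, pkt[:16])
    if ver != OSPF_VERSION or ptype != TYPE_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length > len(pkt) or length < 44:
        raise ValueError("bad length field")
    auth_field, body = pkt[16:24], pkt[24:length]
    if auth_type != AUTH_CRYPTO:   # with AuType 2 the checksum field is unused
        if _checksum(pkt[:12] + bytes(2) + pkt[14:16] + body) != csum:
            raise ValueError("checksum mismatch")
    mask, hello, opts, pri, dead, dr, bdr = struct.unpack(HELLO_FMT, body[:20])
    nbr_count = (len(body) - 20) // 4
    neighbors = [str(IPv4Address(n)) for n in
                 struct.unpack("!%dI" % nbr_count, body[20:20 + 4 * nbr_count])]
    info = {
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(area)),
        "mask": str(IPv4Address(mask)), "hello_interval": hello, "dead_interval": dead,
        "priority": pri, "stub_area": not (opts & OPT_E),
        "dr": str(IPv4Address(dr)), "bdr": str(IPv4Address(bdr)), "neighbors": neighbors,
        "auth": AUTH_NAMES.get(auth_type, "unknown(%d)" % auth_type),
    }
    if auth_type == AUTH_SIMPLE:
        info["password"] = auth_field.rstrip(b"\x00").decode("ascii", "replace")
    elif auth_type == AUTH_CRYPTO:
        # AuType 2 layout: zero(2), key ID(1), digest length(1), sequence number(4); digest trails the packet
        _, key_id, _, seq = struct.unpack("!HBBI", auth_field)
        info["key_id"], info["crypto_seq"] = key_id, seq
    return info


def audit(info):
    """What a host sniffing 224.0.0.5 on this segment learns or can do, given the hello's settings."""
    findings = []
    if info["auth"] == "none":
        findings.append("no authentication: any host on the segment can inject hellos and LSAs")
    elif info["auth"] == "plain text":
        findings.append("plain text password %r is visible to anyone capturing the segment"
                        % info["password"])
    return findings


if __name__ == "__main__":
    pkt = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.0", neighbors=["10.0.0.2"],
                      auth_type=AUTH_SIMPLE, password=b"cisco123")
    hello = parse_hello(pkt)
    print(hello)
    print(audit(hello))
```

The checksum check matters for a tool like this: a capture that has been tampered with (or a fuzzer's malformed hello) is rejected before any field is trusted, which is the same order of checks a router performs.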

Neighbor states:

  • Down
  • Attempt - Used for manually configured neighbors on an NBMA link; unicast hellos sent to neighbor from which hellos have stopped being received
  • Init - Hello packet received from neighbor, but without the recipient's router ID
  • 2-Way - Bi-directional communication has been established
  • Exstart - Master/slave roles and the initial DBD sequence number are negotiated (the router with the higher router ID becomes master); on a multiaccess segment this happens only with the DR and BDR once they have been elected
  • Exchange - Exchange of database descriptor (DBD) packets
  • Loading - Exchange of link-state information
  • Full - Full adjacency established

OSPF as implemented in Cisco IOS will load balance over up to four equal-cost paths by default; the limit is raised with maximum-paths under router ospf, and the ceiling depends on the platform and IOS version (older releases cap it at six, current ones allow sixteen or more).

Designated Router Election

Neighbors on a broadcast segment elect a designated router (DR) and backup designated router (BDR), which peer with all other routers on the segment. All non-designated routers peer only with the DR and BDR.

Multicast destinations:

  • 224.0.0.5 - All OSPF routers
  • 224.0.0.6 - All designated OSPF routers (DR and BDR only)

DRs are chosen based on priority (0 - 255, set per interface with ip ospf priority). 1 is the default; routers with priority 0 will never be elected. Priority ties are broken by choosing the higher router ID. The election trusts whatever priority a neighbor advertises in its hello, so on an unauthenticated segment any device that can send OSPF hellos can claim priority 255 and win the next election; authenticate OSPF, and use priority 0 or passive-interface on interfaces that face hosts rather than routers.

By default, a DR/BDR election also takes place on point-to-point Ethernet links even though it is unnecessary there (IOS treats any Ethernet interface as a broadcast medium). Configuring ip ospf network point-to-point on both ends skips the election (and the Waiting state that precedes it) and avoids the type 2 LSA for the link.

(B)DRs are not preemptable. New election will take place only when a current (B)DR goes offline or its OSPF process is administratively restarted.
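The election rules above, including the non-preemption behaviour, follow from the procedure in RFC 2328 section 9.4: the BDR is chosen first from routers that do not claim to be DR, then the DR is taken from routers already claiming the role, and only if nobody claims it is the BDR promoted. The added example below (not code from the original notes) implements that procedure and runs four constructed scenarios with a priority-255 "rogue" router; all router IDs and priorities are made up for illustration.

```python
from ipaddress import IPv4Address
from typing import NamedTuple


class Router(NamedTuple):
    rid: str
    priority: int = 1
    dr: str = "0.0.0.0"   # DR this router currently claims in its hellos ("0.0.0.0" = none)
    bdr: str = "0.0.0.0"  # BDR it currently claims


def _rank(r):
    # Higher priority wins; ties go to the numerically higher router ID
    return (r.priority, int(IPv4Address(r.rid)))


def _pick(cands):
    return max(cands, key=_rank) if cands else None


def elect(routers):
    """Return (dr_rid, bdr_rid) for one election round on a segment, RFC 2328 section 9.4.

    Existing DR claims are honoured before priority is consulted, so an established DR
    is never preempted; a newcomer matters only on a fresh segment or after the DR fails.
    """
    eligible = [r for r in routers if r.priority > 0]            # priority 0 is never elected
    # Step 2: BDR from routers not claiming to be DR; self-declared BDRs take precedence
    not_dr = [r for r in eligible if r.dr != r.rid]
    bdr = _pick([r for r in not_dr if r.bdr == r.rid]) or _pick(not_dr)
    # Step 3: DR from routers claiming to be DR; if there is none, the BDR is promoted
    dr = _pick([r for r in eligible if r.dr == r.rid])
    if dr is None and bdr is not None:
        dr = bdr
        rest = [r for r in not_dr if r != dr]                    # re-run the BDR choice without it
        bdr = _pick([r for r in rest if r.bdr == r.rid]) or _pick(rest)
    return (dr.rid if dr else None, bdr.rid if bdr else None)


def scenarios():
    """Constructed segment: two ordinary routers, one with priority 0, and a priority-255 rogue."""
    a, b = Router("10.0.0.1"), Router("10.0.0.2")
    never = Router("10.0.0.3", priority=0)
    rogue = Router("10.0.0.200", priority=255)
    established = [a._replace(dr=a.rid, bdr=b.rid), b._replace(dr=a.rid, bdr=b.rid)]
    return {
        # nobody claims anything yet: highest RID becomes DR, next becomes BDR
        "fresh": elect([a, b, never]),
        # DR/BDR already in place: the rogue's priority changes nothing
        "rogue joins later": elect(established + [rogue]),
        # rogue present when the segment comes up: it wins outright
        "rogue present at boot": elect([a, b, rogue]),
        # DR has gone away (b still claims it): BDR promotes, rogue slips in as BDR
        "dr fails with rogue present": elect([established[1], rogue._replace(dr=a.rid, bdr=b.rid)]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-28s DR=%s BDR=%s" % (name, *result))
```

The last scenario is the one to remember when assessing a segment: non-preemption only delays a rogue, because it takes the BDR role at the first re-election and the DR role at the one after that.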

OSPF Area Types

Areas are defined to logically segment a network and reduce routing table size and complexity. All routers in an area maintain an identical topological database.

  • Standard area
  • Stub area - Will not accept external routes (type 4 and 5 LSAs); the ABR injects a default route in their place
  • Totally stubby area - Will not accept LSAs of type 3, 4, or 5, apart from a single type 3 default route injected by the ABR; Cisco proprietary
  • Not-so-stubby area (NSSA) - Stub areas which contain one or more ASBRs; ASBRs in a NSSA generate type 7 LSAs which are then converted to type 5 by the ABR

All areas must be attached to area 0 (the backbone area) through either an ABR or a virtual link.

Stub Areas

Normal Stub Area

  • ABR replaces all external routes with a default route
  • Must be configured on all routers in the area

Totally Stubby Area

  • ABR replaces all inter-area and external routes with a default route
  • Cisco proprietary
  • Configured on ABRs; internal routers configured as normal stubs

Not-so-Stubby Area (NSSA)

  • Is a stub or totally stubby area with an ASBR
  • Advertises external routes with type 7 LSAs instead of the normal type 5
  • NSSA routes appear in the routing table as type N1 or N2 (instead of E1 or E2)
  • All routers within the area must be configured

OSPF Network Types

  • Broadcast multiaccess
  • Point-to-point
  • Point-to-multipoint broadcast
  • Point-to-multipoint nonbroadcast
  • Nonbroadcast multiaccess (NBMA)

Cisco documentation describes NBMA and point-to-multipoint as the RFC 2328 modes for non-broadcast media; the point-to-multipoint nonbroadcast mode, and running broadcast or point-to-point mode on such media, are Cisco extensions. (Broadcast and point-to-point are themselves standard RFC 2328 network types on Ethernet and serial links; the "proprietary" label refers only to emulating them over NBMA clouds such as Frame Relay.)

NBMA networks utilize DRs like broadcast networks; however, neighbors must be manually defined (neighbor command) instead of being discovered automatically, because hellos cannot be multicast.

                     NBMA        P2MP        P2MP          Broadcast   Point-to-point
                                 broadcast   nonbroadcast
DR/BDR               Yes         No          No            Yes         No
Identify neighbor?   Yes         No          Yes           No          No
Hello/dead timers    30/120      30/120      30/120        10/40       10/40
Standard             RFC         RFC         Cisco         Cisco       Cisco
Network supported    Full mesh   Any         Any           Full mesh   Point-to-point

Router Roles

  • Internal - Routers which have all interfaces in a single area
  • Backbone routers - Routers with at least one interface in area 0
  • Area Border Routers (ABRs) - Routers with at least two interfaces in different areas
  • Autonomous System Boundary Routers (ASBR) - Routers which redistribute information from an external source

Routers can fill multiple roles simultaneously (e.g. act as both a backbone router and an area border router).

Link-State Advertisements (LSAs)

  • Router link (type 1) - Lists a router's neighbors and its cost to each; flooded throughout the area
  • Network link (type 2) - Advertisement by the DR containing all routers on the segment it is adjacent to; flooded throughout the area
  • Network summary link (type 3) - Generated by an ABR for each prefix (or summarized range) of one area and flooded into its other areas; carries the ABR's cost to the prefix
  • ASBR summary link (type 4) - Generated by an ABR to advertise an ASBR's router ID (and the ABR's cost to reach it) into other areas, so that routers outside the ASBR's area can resolve type 5 LSAs
  • External link (type 5) - Originated by an ASBR, contains a route external to OSPF
  • NSSA external (type 7) - Equivalent to a type 5 LSA, but generated by an ASBR in a not-so-stubby area (NSSA); converted to a type 5 by the ABR

Path Calculation

Adjacencies within an area are advertised with type 1 and 2 LSAs, which are passed to the backbone by an ABR as type 3 summaries. These summaries are then injected into other areas from the backbone.

OSPF prefers routes by the class of LSA that describes them before it looks at cost: intra-area (O) first, then inter-area (O IA), then external type 1 (E1/N1), then external type 2 (E2/N2). Cost is compared only among routes of the same class, so a more expensive intra-area path still beats a cheaper inter-area or external one.

Internal Routes

The cost of an inter-area route is the cost to the ABR plus the cost the ABR advertises in its type 3 summary LSA (the ABR's own cost to the prefix); when several ABRs advertise the same prefix, the lowest total wins.

External Routes

The cost of an external route can be evaluated two ways:

  • E1 = cost to the ASBR + advertised external cost; internal routing influences path selection
  • E2 (the IOS default when redistributing) = only the advertised external cost is compared; the internal cost to the ASBR is consulted only to break ties between E2 routes with equal external cost
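The preference rules from the Path Calculation section, carried through as an added example (not from the original notes): candidates for one prefix are ranked by class first, then by effective cost, with the E2 tie-break on cost to the ASBR. The next-hop names and all costs are constructed values.

```python
from typing import NamedTuple, List


class Candidate(NamedTuple):
    code: str            # routing-table code: "O", "O IA", "O E1" or "O E2"
    metric: int          # O: path cost; O IA: cost advertised by the ABR; E1/E2: advertised external cost
    to_origin: int = 0   # this router's cost to the ABR (O IA) or ASBR (E1/E2) that originated the LSA
    via: str = ""        # next hop, for illustration only


RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}   # lower is preferred, regardless of cost


def effective_cost(c):
    if c.code == "O E2":
        return c.metric                  # internal cost to the ASBR ignored
    if c.code in ("O IA", "O E1"):
        return c.to_origin + c.metric    # internal cost to the ABR/ASBR plus advertised cost
    return c.metric                      # O: intra-area path cost


def _key(c):
    # E2 ties (equal external metric) are broken by the lower cost to the ASBR
    tiebreak = c.to_origin if c.code == "O E2" else 0
    return (RANK[c.code], effective_cost(c), tiebreak)


def best_paths(cands):
    """All candidates sharing the winning key; more than one means equal-cost load balancing."""
    if not cands:
        return []
    best = min(_key(c) for c in cands)
    return [c for c in cands if _key(c) == best]


if __name__ == "__main__":
    for c in best_paths([Candidate("O IA", 20, 10, "R2"),
                         Candidate("O E1", 5, 10, "R3"),
                         Candidate("O E2", 1, 100, "R4")]):
        print(c.code, effective_cost(c), "via", c.via)
```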

Routing Table Codes

LSA Type                 Table Code     Description
1 (Router)               O              Generated by all routers; lists neighbors and costs to them; propagated within an area
2 (Network)              O              Generated by the DR on a multiaccess network; propagated within an area
3 (Inter-area summary)   O IA           Advertises prefixes from one area to another
4 (ASBR summary)         O IA           Advertises the location of an ASBR; used to resolve external routes rather than producing a prefix route of its own
5 (External)             O E1 or O E2   Advertises a route external to the AS
7 (NSSA external)        O N1 or O N2   External route originated by an ASBR inside an NSSA; becomes E1/E2 once the ABR translates it to type 5

Virtual Links

All OSPF areas must be connected to the backbone area (area 0) through an ABR. A virtual link is needed when an area cannot be physically attached to the backbone: it runs between two ABRs across a transit area that is attached, and logically extends area 0 over that area.

Virtual links are discouraged and should be used only as a temporary fix (for example while merging two networks). Because a virtual link is an area 0 interface, backbone LSAs cross the transit area over it unicast, and it needs the same authentication as the rest of area 0.

Virtual links cannot use a stub area for transit.

Monday, November 28, 2011

Cisco Best Practice - Turn off http, telnet and enable https, ssh

! hostname and domain name are both required before an RSA key can be generated (R1 is a placeholder)
hostname R1
ip domain-name cisco.local
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
ip http secure-server
! replace with a real account; "login local" on the vty lines makes them use it
username admin privilege 15 secret <password>
line vty 0 15
 login local
 transport input ssh
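A quick way to check a fleet for the settings this post changes is to audit the running-config text rather than log in and eyeball it. The added example below (not from the original post) parses the global commands and the line vty blocks and reports cleartext HTTP, missing HTTPS, missing SSH version 2, a missing domain name, and any vty that still accepts telnet. Both configs embedded in it are constructed samples, not real devices.

```python
WEAK_CONFIG = """\
hostname R1
!
ip domain-name cisco.local
ip http server
no ip http secure-server
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
 password cisco
 login
!
"""

HARDENED_CONFIG = """\
hostname R1
ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
 login local
 transport input ssh
"""


def parse_ios(text):
    """Split a config into top-level commands and the sub-commands of each 'line' block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":                      # indented: belongs to the open block, if any
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            blocks[current] = []
        else:
            current = None
            top.append(cmd)
    return top, blocks


def audit_management_plane(text):
    """Return a list of findings; an empty list means the config matches the hardened baseline."""
    top, blocks = parse_ios(text)
    findings = []
    if "ip http server" in top:
        findings.append("ip http server is enabled: cleartext HTTP management; add 'no ip http server'")
    if "ip http secure-server" not in top:
        findings.append("ip http secure-server is not enabled: no HTTPS management interface")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 is not set: the device may still negotiate SSHv1")
    if not any(c.startswith(("ip domain-name ", "ip domain name ")) for c in top):
        findings.append("no ip domain-name: RSA key generation, and therefore SSH, will fail")
    for name, cmds in blocks.items():
        if not name.startswith("vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append("line %s: no transport input; the platform default may accept telnet" % name)
        elif set(transport.split()[2:]) & {"telnet", "all"}:
            findings.append("line %s: '%s' permits cleartext telnet" % (name, transport))
    return findings


if __name__ == "__main__":
    for f in audit_management_plane(WEAK_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit_management_plane(HARDENED_CONFIG))
```

Feed it the output of show running-config collected over SSH; the parser only understands the flat global section and line blocks, which is all this check needs.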

Monday, November 2, 2009

ips

Cisco IOS Intrusion Prevention System (IPS)

Intrusion Prevention replaces mere Intrusion Detection from previous IOS versions. IDS for the IOS was certainly nice (you get alerted when a security attack is occurring), but obviously, stopping an attack is much more powerful.

IPS 6.X Device Manager
------------------------
I. Device Manager

a. Intro

i. IDM lives on the sensor and gives you a GUI option for managing the device
ii. TLS/SSL

1. used to secure communications

IPS 6.X Command Line Interface
-------------------------------

I. IPS CLI

a. Overview

i. Accessing

1. SSH

2. Serial interface (console)

3. Telnet (disabled by default)

CCIE Security 2.X Verification Commands
=======================================

This is obviously a very short list. Remember, we recommend use of the Cisco Intrusion Prevention System Device Manager (IDM) for management and configuration of the device during the lab exam. While this graphical user interface (GUI) will be used for most tasks, there are still some useful and quick command line verification tasks for you here.
IPS CLI 5.1

Initial Setup

more current-config
more current-config | include COMMAND
ping
show interfaces
show version
trace

Operation

show events
show os-identification
show settings
show settings terse | begin COMMAND
show statistics
show statistics SERVICE_NAME

Sunday, September 7, 2008

IPv6 Addressing Overview

IPv6 Addressing Overview: Addressing Model and Address Types

http://rapidshare.com/files/143283052/ipv6.pdf.html

Tuesday, August 26, 2008

core ios commands

http://rapidshare.com/files/140297635/NetAP.netIOSCookbook2ndEdition.rar.html