Saturday, January 21, 2012

802.1Q tunneling

Let's recap briefly about dot1q tunneling

Customers sometimes need end-to-end layer 2 connectivity across a service provider's (SP) network. The SP transparently carries the different customers' traffic over its layer 2 network by adding an extra VLAN tag called the "metro tag". This technique is called layer 2 tunneling or L2VPN.
PE switch ports are connected to CE switch ports as an asymmetric link, meaning the CE side can be either a trunk or an access port; the PE switch port simply takes whatever traffic is received on the port and adds the metro tag to it.
It does not matter whether the inter-switch trunks inside the SP network are ISL or dot1q.
The SP assigns a VLAN to each customer, and that customer's VLANs travel inside the SP network over it.

Configuration on the PE switch port on each side connected to a CE switch port is as follows:

#switchport access vlan 100
This is the metro tag; make sure spanning tree is end to end in all the SP switches for this vlan.
#switchport mode dot1q-tunnel
Sets the tunnel mode.

The CE switch port connected to the PE switch port can be configured as an access or a trunk port.

Points to remember:
1. MAC addresses of all hosts on the customer side are learned in the SP switches in order to actually pass traffic. A scalability issue therefore arises due to the limited MAC address learning capability of the switches.
2. A dot1q tunnel port does not support DTP or any layer 3 configuration.
3. CDP, STP and VTP are disabled by default on dot1q tunnel ports, so that the customer's traffic passes transparently over the SP network.
4. The dot1q tunnel adds an additional 4-byte header, so the MTU needs to be increased to 1504 bytes on the SP switches: "system mtu 1504".
5. Traffic from the customer side can leak inside the SP network if the metro tag is the native vlan inside the SP network. To avoid this, always tag even the native vlan traffic inside the SP network via "vlan dot1q tag native".
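To make points 4 and 5 concrete, here is an added example (my own model, not vendor code) that builds a customer frame, pushes the metro tag the way a dot1q-tunnel port does, computes the system MTU the SP switch needs, and shows how an untagged native vlan on an SP trunk exposes the customer's tag. The MAC addresses, VLAN numbers and payload are constructed.

```python
import struct

TPID_DOT1Q = 0x8100      # 802.1Q tag protocol identifier
ETH_HDR = 14             # dst + src + ethertype
TAG_LEN = 4              # one 802.1Q tag
MAX_PAYLOAD = 1500       # payload a switch already budgets for (one tag included)

def build_frame(dst, src, vlan_ids, payload, ethertype=0x0800):
    """Build an Ethernet frame with stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return the VLAN IDs of all stacked tags, outermost first."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += TAG_LEN
    return vids

def pe_ingress(frame, metro_vlan):
    """dot1q-tunnel port: push the metro tag in front of whatever the CE sent."""
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, metro_vlan) + frame[12:]

def sp_trunk_egress(frame, native_vlan, tag_native):
    """SP trunk egress: outer tag is stripped when it is the native vlan and native tagging is off."""
    vids = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[12 + TAG_LEN:]   # customer tag is now the visible one: leak
    return frame

def required_system_mtu(frame):
    """Bytes after the Ethernet header, less the single 802.1Q tag the switch already allows."""
    return len(frame) - ETH_HDR - TAG_LEN

# Constructed sample: a full-size customer frame on customer VLAN 10
DST = bytes.fromhex("010203040506")
SRC = bytes.fromhex("0a0b0c0d0e0f")
CE_FRAME = build_frame(DST, SRC, [10], b"\x00" * MAX_PAYLOAD)

def demo(metro_vlan=100, native_vlan=100):
    """Tunnel the sample frame and compare SP trunk egress with and without native tagging."""
    tunnelled = pe_ingress(CE_FRAME, metro_vlan)
    return {
        "tags_in_sp": parse_tags(tunnelled),
        "system_mtu": required_system_mtu(tunnelled),
        "untagged_native": parse_tags(sp_trunk_egress(tunnelled, native_vlan, False)),
        "tagged_native": parse_tags(sp_trunk_egress(tunnelled, native_vlan, True)),
    }
```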

Advertising networks into BGP via aggregate-address

Let's try to recap BGP aggregation

It is one of the methods for advertising a network into the BGP domain; the others are the network statement, redistribution and inject maps.
An aggregate prefix is only advertised when at least one subset prefix of the aggregate is present in the BGP table (NOT THE ROUTING TABLE).
Key points to remember in BGP aggregation:
1. Without the summary-only keyword, both the aggregate and the specific prefixes are advertised.
2. The "as-set" keyword adds an unordered list of ASes, and the additive community attributes, from the original prefixes to the new aggregated prefix as its attributes.
3. The "attribute-map" keyword assigns attributes to the newly generated aggregated prefix. For example, if the aggregated prefix inherited the "no-export" community from one of its original prefixes, then using an attribute-map this can be reset to the "none" community for the aggregated prefix, or any other attribute can be set.
4. The "advertise-map" keyword filters which original prefixes pass their attributes to the aggregated prefix by removing specific prefixes. For example, deny a specific prefix in the route map so that its attributes do not contribute to the aggregated prefix, even though the aggregate is still composed of all the original prefixes. "REMOVE THIS PREFIX SO THAT ITS ATTRIBUTE IS NOT ADDED TO THE AGGREGATED PREFIX ATTRIBUTE."
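The points above are easier to see in a small model. This added example is my own simplified model of aggregate-address (not Cisco's implementation); the BGP table, AS numbers and prefixes are constructed, and advertise-map / attribute-map are represented as plain Python callables.

```python
import ipaddress

def aggregate_address(bgp_table, aggregate, summary_only=False, as_set=False,
                      advertise_map=None, attribute_map=None):
    """Model of IOS 'aggregate-address' behaviour (constructed, not Cisco's code).
    bgp_table entries: {"prefix", "as_path" (list of ASNs), "communities" (set)}.
    advertise_map(route) -> False drops that contributor from attribute
    inheritance only; attribute_map(agg) edits the generated prefix in place.
    Returns the routes the router would advertise."""
    agg_net = ipaddress.ip_network(aggregate)
    contributors = [r for r in bgp_table
                    if ipaddress.ip_network(r["prefix"]).subnet_of(agg_net)
                    and ipaddress.ip_network(r["prefix"]) != agg_net]
    if not contributors:   # no more-specific prefix in the BGP table: nothing is generated
        return list(bgp_table)
    agg = {"prefix": aggregate, "as_path": [], "communities": set()}
    if as_set:
        sources = [r for r in contributors if advertise_map is None or advertise_map(r)]
        agg["as_path"] = [frozenset(a for r in sources for a in r["as_path"])]  # one AS_SET segment
        agg["communities"] = set().union(*(r["communities"] for r in sources))
    if attribute_map:
        attribute_map(agg)
    rest = [r for r in bgp_table if r not in contributors] if summary_only else list(bgp_table)
    return [agg] + rest

# Constructed BGP table: one contributor carries no-export
SAMPLE_TABLE = [
    {"prefix": "10.1.0.0/24", "as_path": [65001], "communities": {"no-export"}},
    {"prefix": "10.1.1.0/24", "as_path": [65002], "communities": set()},
    {"prefix": "192.168.0.0/24", "as_path": [65003], "communities": set()},
]

def with_as_set():
    """as-set alone: no-export from 10.1.0.0/24 is inherited by the aggregate."""
    return aggregate_address(SAMPLE_TABLE, "10.1.0.0/16", as_set=True)[0]

def with_advertise_map():
    """advertise-map denies 10.1.0.0/24 as an attribute source; the /16 still covers it."""
    return aggregate_address(SAMPLE_TABLE, "10.1.0.0/16", as_set=True, summary_only=True,
                             advertise_map=lambda r: r["prefix"] != "10.1.0.0/24")

def with_attribute_map():
    """attribute-map strips every community the aggregate inherited."""
    return aggregate_address(SAMPLE_TABLE, "10.1.0.0/16", as_set=True,
                             attribute_map=lambda agg: agg["communities"].clear())[0]
```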

OSPF communication intercept

Let's take up this easy question

Q: Ensure that other OSPF devices running on the segment between R1 and R2 cannot intercept OSPF communications.

A: If other routers running an OSPF process were present on this Ethernet segment, they would be able to intercept the traffic and form OSPF adjacencies with R1 and R2 because of the default multicast nature of OSPF adjacency formation, LSA exchange, etc. To avoid this, the task requires forming a unicast communication between R4 and R5 so that no other device can intercept it, even if it is listening on the multicast addresses 224.0.0.5 or 224.0.0.6 by enabling an OSPF process.
It is true that there are no other devices on this segment, so why was this question asked in the first place? If it was asked, then we have to make sure that other devices, if present, cannot intercept the OSPF communication, via unicast communication between the two routers.

So the answer is to configure an OSPF network type that sends its packets as unicasts via neighbor statements. There are two network types which do this: non-broadcast and point-to-multipoint non-broadcast.

BPDU filter and BPDU guard combined

Let's recap what they do

1. BPDU filter: if it is configured at the port level, it stops sending BPDUs out and, if any BPDUs are received, silently discards them. But if it is configured globally together with portfast, then it stops sending BPDUs, but when a BPDU is received the portfast-enabled port reverts back to a normal port.

2. BPDU guard: if it is configured at the interface level, it does not stop the switch port from sending BPDUs out, but if BPDUs are received the port goes into error-disabled mode, and it can be recovered via the errdisable recovery interval and errdisable recovery cause, or manually by shutting and un-shutting the port.
If this feature is used globally with spanning tree, then a portfast-enabled port goes into error-disabled mode if any BPDUs are received on it.
This point is very interesting: if both BPDU filter and BPDU guard are configured on a switch port at the same time, which one takes precedence?

Side note on spanning tree portfast

Spanning-tree portfast is very easy to configure. Let's recap what it does

1. It should be configured on edge ports only; if configured on trunk ports connected between switches it can create loops.
2. Switches connected to a server via a trunk can be configured with "spanning-tree portfast trunk".
3. Portfast-enabled ports skip the listening and learning stages of STP.
4. Portfast-enabled ports do not generate TCNs, which in turn means the MAC table is not flushed.
5. This feature can also be enabled together with BPDU filter and BPDU guard.

R1(Fa0/0)-----SW1(Fa0/0)

SW1's Fa0/0 is configured with "spanning-tree portfast".
Once R1 starts sending BPDUs, SW1 disables portfast on its interface connected to R1. However, after some time, when R1 stops sending BPDUs, SW1 never automatically converts the portfast state from disabled back to enabled on the same interface.

SNMP traps with example EIGRP traps

First let's have a brief background on SNMP trap configuration. First you need to define a server where traps are to be sent, then enable all or specific traps with the command "snmp-server enable traps".
1. If all traps are enabled and no traps are specified in the snmp-server host command, then all traps are sent to that host.
2. If only a specific trap is enabled and no trap is specified in the snmp-server host command, then only that specific trap will be sent.
3. If all traps are enabled with the command "snmp-server enable traps" but a specific trap is configured in the "snmp-server host" command, then only that specific trap will be sent.

EIGRP generates traps only for SIA and authentication mismatch. The configuration is very straightforward:

snmp-server community CCIE RO
snmp-server enable traps eigrp
snmp-server host 155.24.146.100 version 2c CISCO

Side note on Reflexive Access-list

Reflexive access lists are not difficult to implement, though they are deprecated because various more advanced security mechanisms are available, like CBAC and ZBF. Still, it is a good idea to learn reflexive access lists before learning the advanced security features. In the real world there is one important thing to know about them, and it goes like this:

An edge router is acting as a firewall and has two interfaces, inside and outside. Why is it not advisable to configure the reflexive access list on the INSIDE interface like this?
INBOUND ACL containing the "reflect" statements
OUTBOUND ACL containing the "evaluate" statement

Done this way, there is a security risk associated with the firewall itself. The return traffic and all other traffic first arrive on the outside interface, are then processed by the router, and only then reach the inside OUTBOUND ACL for EVALUATE, where it is decided to drop the other traffic and pass the return traffic. If that other or return traffic contains malicious packets, they can cause a DoS attack on the router itself, so you must stop them before they enter your router. It also saves CPU cycles from processing unnecessary traffic.

STP port priority

Let's take an interesting question on STP port priority.
Why can we only change the STP port-priority in increments of 16?

Earlier, when the 802.1t standard did not exist, port priority and port ID were considered to be 8 bits each; therefore port IDs in a switch could be in the range 0-255 and port priority in the range 0-255 with an increment of 1.

When the 802.1t standard was defined, it described a port priority of 4 bits and a port ID of 12 bits; therefore ports in a switch can go up to 4096, while the port priority range is still 1-256 to provide backward compatibility with the older format. However, port priority now has only 4 bits, and to keep the port priority range of 1-256 it had to move in increments of 16, so the min value of port priority is now 0 and the max value is 240 (16 values) with an increment of 16.

Here is the link to know more
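As an added illustration (my own code, not from the page's source), here is the Port ID encoding before and after 802.1t. It shows why only multiples of 16 fit in the 4-bit priority field and that, for those values, the old and new encodings produce the same 16 bits on the wire.

```python
def legacy_port_id(priority, port_number):
    """Pre-802.1t Port ID: 8-bit priority (0-255, step 1) + 8-bit port number."""
    if not (0 <= priority <= 255 and 0 <= port_number <= 255):
        raise ValueError("legacy Port ID fields are 8 bits each")
    return (priority << 8) | port_number

def dot1t_port_id(priority, port_number):
    """802.1t Port ID: 4-bit priority (0-240 in steps of 16) + 12-bit port number (0-4095)."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("802.1t port priority must be 0..240 in increments of 16")
    if not 0 <= port_number <= 4095:
        raise ValueError("802.1t port number is 12 bits (0..4095)")
    # Only the top 4 bits of the old priority byte survive; the low 4 bits went to the port number.
    return ((priority // 16) << 12) | port_number

def decode_dot1t_port_id(port_id):
    """Split a 16-bit 802.1t Port ID back into (priority, port number)."""
    return ((port_id >> 12) * 16, port_id & 0x0FFF)

def configurable_priorities():
    """The 16 priority values a switch accepts after 802.1t."""
    return list(range(0, 256, 16))

def wire_compatible(priority, port_number):
    """True when old and new encodings give the same 16 bits (the backward-compatibility goal)."""
    return legacy_port_id(priority, port_number) == dot1t_port_id(priority, port_number)
```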

spanning-tree portfast Vs spanning-tree portfast trunk

These are among the most commonly used spanning tree features, but how are they different from each other?

"Spanning-tree portfast" instructs the port (on which it is configured) to skip the listening and learning states and avoid generating a TCN if the port goes up/down, but ONLY for the one vlan configured on the access port.

"Spanning-tree portfast trunk" instructs the port (on which it is configured) to do the same thing, but for all the allowed vlans on the trunk port at the same time. Because trunks carry traffic for multiple vlans while an access port does not, Cisco has two different commands for this purpose.

Frame Relay Encapsulation cisco or ietf

If both connecting devices are Cisco, then mismatched Frame Relay encapsulation can still work, but if the remote device is non-Cisco, the Cisco device has to be configured with IETF FR encapsulation because a non-Cisco device does not understand the Cisco encapsulation.
