Monday, December 21, 2009
MPLS Topics
* Introducing Basic MPLS Concepts
* Introducing MPLS Labels and Label Stacks
* Identifying MPLS Applications
Label Assignment and Distribution
* Discovering LDP Neighbors
* Introducing Typical Label Distribution in Frame-Mode MPLS
* Introducing Convergence in Frame-Mode MPLS
* Introducing MPLS Label Allocation, Distribution, and Retention Modes
Frame-Mode MPLS Implementation on Cisco IOS Platforms
* Introducing CEF Switching
* Configuring Frame-Mode MPLS on Cisco IOS Platforms
* Monitoring Frame-Mode MPLS on Cisco IOS Platforms
* Troubleshooting Frame-Mode MPLS on Cisco IOS Platforms
MPLS VPN Technology
* Introducing VPNs
* Categorizing VPNs
* Introducing MPLS VPN Architecture
* Introducing the MPLS VPN Routing Model
* Forwarding MPLS VPN Packets
MPLS VPN Implementation
* Using MPLS VPN Mechanisms on Cisco IOS Platforms
* Configuring VRF Tables
* Configuring an MP-BGP Session Between PE Routers
* Configuring Small-Scale Routing Protocols Between PE and CE Routers
* Monitoring MPLS VPN Operations
* Configuring OSPF as the Routing Protocol Between PE and CE routers
* Configuring BGP as the Routing Protocol Between PE and CE routers
* Troubleshooting MPLS VPNs
Complex MPLS VPNs
* Using Advanced VRF Import and Export Features
* Introducing Overlapping VPNs
* Introducing Central Services VPNs
* Introducing the Managed CE Routers Service
Internet Access and MPLS VPNs
* Introducing VPN Internet Access Topologies
* Implementing Separate Internet Access and VPN Services
* Implementing Internet Access as a Separate VPN
MPLS TE Overview
* Introducing the TE Concept
* Understanding MPLS TE Components
* Configuring MPLS TE on Cisco IOS Platforms
* Monitoring Basic MPLS TE on Cisco IOS Platforms
Monday, December 7, 2009
Private VLAN
For our sample configuration, we will take VLAN 1000 and divide it into three PVLANs – sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as layer 3 device, to resolve the layer 3 communication issue. Look at the figure above for reference. We define VLAN 1000 as “Primary” and classify the ports, assigned to this VLAN, based on their types:
Promiscuous (“P”) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN
Isolated (“I”) port: This type of port is only allowed to communicate with “P”-ports – i.e., they are “stub” port. You commonly see these ports connecting to hosts.
Community (“C”) port: Community ports are allowed to talk to their buddies, sharing the same community (group) and to “P”-ports.
In order to implement sub-VLAN behavior, we need to define how packets are forwarded between different types of ports. First comes the Primary VLAN – VLAN 1000 in our example. This type of VLANs is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, Primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from “P” to “I” and “C”). Next come “Secondary” VLANs – they correspond to “Isolated” and “Community” ports. These VLANs transport frames in the opposite direction (upstream) – from “I” and “C” ports to “P” ports.
Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-Port to the P-port.
Community VLANs: Transport frames between community ports (C-ports) within to the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
Here is a simplified overview of how Private VLANs work:
The Primary VLAN delivers frames downstream from the router (promisc port) to all mapped hosts; The Isolated VLAN transports frames from the stub hosts upstream to the router; The Community VLANs allow bi-directional frame exchange withing a single group, in addition to forwarding frames upstream towards “P”-ports. The original Ethernet MAC address learning and forwarding procedure remain the same, as well as broadcast/multicast flooding procedure within boundaries of primary/secondary VLANs. Naturally, private VLANs could be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well. However, you need to configure Private VLAN specific settings (bindings, mappings) on every participating swtich, for it’s not possible to use VTPv2 to dissiminate that information . This due to the fact that VTPv2 has no TLVs to carry private VLANs information, and besides, private VLANs are not intended to be floodes across the whole management domain. Not to mention that using VTP in enterprise networks is usually not a good idea. Though VTPv3 was designed to overcome this limitation among others.
Let’s move to the configuration part, based on the diagram above. What we have is primary VLAN 1000, Isolated VLAN 1005 (R5) Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).
Step 1:
First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create Primary and Secondary VLANs and bind them into PVLAN domain:
SW1:
vtp mode transparent
!
! Creating primary VLAN, which is shared among secondary’s
!
vlan 1000
private-vlan primary
!
! Community VLAN for R1 and R2: allows a “subVLAN” within a Primary VLAN
!
vlan 1012
private-vlan community
!
! Community VLAN for R3 and R4
!
vlan 1034
private-vlan community
!
! Isolated VLAN: Connects all stub hosts to router.
! Remember - only one isolated vlan per primary VLAN.
! In our case, isolates R5 only.
!
vlan 1055
private-vlan isolated
!
! Associating the primary with secondary’s
!
vlan 1000
private-vlan association 1012,1034,1055
This step is needed is to group PVLANs into a shared domain and establish a formal association (for syntax checking and VLAN type verifications). Repeat the same operations on SW2, since VTP has been disabled.
Step 2:
Configure host ports and bind them to the respective isolated PVLANs. Note that a host port belongs to different VLANs at the same time: downstream primary and upstream secondary. Also, enable trunking between switches, to allow private VLANs traffic to pass between switches.
SW1:
!
! Community port (links R1 to R2 and “P”-ports)
!
interface FastEthernet0/1
description == R1
switchport private-vlan host-association 1000 1012
switchport mode private-vlan host
spanning-tree portfast
!
! Community port (links R3 to R4 and “P”-ports)
!
interface FastEthernet0/3
description == R3
switchport private-vlan host-association 1000 1034
switchport mode private-vlan host
spanning-tree portfast
!
! Isolated port (uses isolated VLAN to talk to “P”-ports)
!
interface FastEthernet0/5
description == R5
switchport private-vlan host-association 1000 1055
switchport mode private-vlan host
spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
switchport trunk encapsulation dot1q
switchport mode trunk
SW2:
interface FastEthernet0/2
description == R2
switchport private-vlan host-association 1000 1012
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/4
description == R4
switchport private-vlan host-association 1000 1034
switchport mode private-vlan host
spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
switchport trunk encapsulation dot1q
switchport mode trunk
Next, Verify the configuration on SW1:
Rack1SW1#show vlan id 1012
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet 101012 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1012 community Fa0/1
Rack1SW1#show vlan id 1034
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet 101034 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1034 community Fa0/3
Rack1SW1#show vlan id 1055
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet 101055 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1055 isolated Fa0/5
Rack1SW1#show interfaces fastEthernet 0/13 trunk
Port Mode Encapsulation Status Native vlan
Fa0/13 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/13 1-4094
Port Vlans allowed and active in management domain
Fa0/13 1,1000,1012,1034,1055
Port Vlans in spanning tree forwarding state and not pruned
Fa0/13 1,1000,1012,1034,1055
Verify on SW2:
Rack1SW2#show vlan id 1000
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1000 VLAN1000 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1000 enet 101000 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1012 community Fa0/2, Fa0/6
1000 1034 community Fa0/4, Fa0/6
1000 1055 isolated Fa0/6
Rack1SW2#show vlan id 1012
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet 101012 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1012 community Fa0/2, Fa0/6
Rack1SW2#show vlan id 1034
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet 101034 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1034 community Fa0/4, Fa0/6
Rack1SW2#show vlan id 1055
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055 active Fa0/13
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet 101055 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
1000 1055 isolated Fa0/6
Rack1SW2#show interface fastEthernet 0/13 trunk
Port Mode Encapsulation Status Native vlan
Fa0/13 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/13 1-4094
Port Vlans allowed and active in management domain
Fa0/13 1,1000,1012,1034,1055
Port Vlans in spanning tree forwarding state and not pruned
Fa0/13 1,1000,1012,1034,1055
Step 3:
Create a promiscuous port and configure downstream mappings. Here we add secondary VLANs for which traffic is received by this particular “P”-port. Primary VLAN is used to send traffic downstream to all “C” and “I” ports per their associations.
SW2:
!
! Promiscuous port, mapped to all secondary VLANs
!
interface FastEthernet0/6
description == R6
switchport private-vlan mapping 1000 1012,1034,1055
switchport mode private-vlan promiscuous
spanning-tree portfast
Verify the promiscuous port configuration:
Rack1SW2#show int fa 0/6 switch | beg private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to Primary VLAN only. Obviously that’s because all secondary VLANs are “subordinates” of primary. After an SVI has been created, you have to map the required secondary VLANs to the SVI (just like with a promiscuous port) in order to make communications possible. You may exclude some mappings from SVI interface, and limit it to communicating only with certain secondary VLANs.
SW1:
!
! SW1 SVI is mapped to all secondary VLANs
!
interface Vlan 1000
ip address 10.0.0.7 255.255.255.0
private-vlan mapping 1012,1034,1055
SW2:
!
! SW2 SVI is mapped to 1012/1034 only, so it’s cant communicate with R5
!
interface Vlan1000
ip address 10.0.0.8 255.255.255.0
private-vlan mapping 1012,1034
Now to verify the configuration, configure R1-R6 interfaces in subnet “10.0.0.0/24” and ping broadcast addresses.
Rack1R1#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
Rack1R3#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
Rack1R5#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:
Reply to request 0 from 10.0.0.7, 1 ms
Reply to request 0 from 10.0.0.6, 1 ms
Rack1R6#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:
Reply to request 0 from 10.0.0.1, 4 ms
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.5, 4 ms
Reply to request 0 from 10.0.0.3, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
Lastly, there is another feature, called protected port or “Private VLAN edge”. The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports in the same VLAN. Specifically, all ports in a VLAN, marked as protected are prohibited from sending frames to each other (but still allowed to send frames to other (non-protected) ports within the same VLAN). Usually, ports configured as protected are also configured not to receive unknown unicast (frame with destination MAC address not in switch’s MAC table) and multicast frames flooding for added security.
Example:
interface range FastEthernet 0/1 - 2
switchport mode access
switchport protected
switchport block unicast
switchport block multicast
Tuesday, November 3, 2009
GPS vehicle tracking systems
The Global Positioning System (GPS) is the only fully functional Global Navigation Satellite System (GNSS). Utilizing a constellation of at least 24 Medium Earth Orbit satellites that transmit precise microwave signals, the system enables a GPS receiver to determine its location, speed, direction, and time. Developed by the United States Department of Defense. The satellite constellation is managed by the United States Air Force 50th Space Wing.
General Packet Radio Service (GPRS) is a packet oriented Mobile Data Service available to users of Global System for Mobile Communications (GSM). It provides data rates from 56 up to 114 kbit/s. GPRS can be used for Internet communication services such as email and World Wide Web access. GPRS is a best-effort packet switched service, as opposed to circuit switching, where a certain Quality of Service (QoS) is guaranteed during the connection for non-mobile users.
A Geographic Information System (GIS), is any system for capturing, storing, analyzing and managing data and associated attributes which are spatially referenced to Earth. This data are use for digital map representation of any part of the earth. Geographic information science is the science underlying the geographic concepts, applications and systems, taught in degree and GIS Certificate programs at many universities.
A Vehicle Tracking System is an electronic device installed in a vehicle to enable the owner or a third party to track the vehicle's location. Most modern vehicle tracking systems use Global Positioning System (GPS) modules for accurate location of the vehicle. Many systems also combine a communications component such as cellular or satellite transmitters to communicate the vehicle’s location to a remote user. Vehicle information can be viewed on electronic maps via the Internet or specialized software.
Corporations with large fleets of vehicles required some sort of system to determine where each vehicle was at any given time. Vehicle tracking systems can now also be found in consumers vehicles as a theft prevention and retrieval device. Police can follow the signal emitted by the tracking system to locate a stolen vehicle.
Now come to the point how we serve our service to you.
* Step 1: Location and time information of vehicle is received by the device from GPS satellite.
* Step 2: Device sends this information using GSM network through GPRS to the central server.
* Step 3: The NTrack application software, residing in the control station, generates reports/ alerts/ maps
* Step 4: The reports/ maps are available online through NTrack web application.
* Step 5: The fleet manager views the vehicle on the map and receives the vehicle status over internet.
* Step 6: Alternately data on the location, speed and time can be accessed by the user through a mobile phone query or through the call center
* Step 7: As and when required, fleet manager can poll data at the click of a button.
In case of theft of a vehicle, the options of "Blow horn" and "Open Doors" may be triggered-this will attract the attention of passers by. Further, the vehicle will come to a grinding halt by opting the "Engine Block" feature on the computer screen of the software. This way, the vehicle may be saved from theft/robbery and also it run your transport business more profitable.
Sunday, November 1, 2009
Inter-Switch Link
Cisco Inter-Switch Link (ISL) is a Cisco Systems proprietary protocol that maintains VLAN information as traffic flows between switches and routers, or switches and switches.ISL is Cisco's VLAN encapsulation method and supported only on Cisco's equipment through Fast and Gigabit Ethernet links. The size of an Ethernet encapsulated ISL frame can be expected to start from 94 bytes and increase up to 1548 bytes due to the overhead (additional fields) the protocol creates via encapsulation. ISL adds a 26-byte header (containing a 15-bit VLAN identifier) and a 4-byte CRC trailer to the frame. ISL functions at the Data-Link layer of the OSI model. ISL is used to maintain redundant links.
ISL is a Cisco proprietary protocol for the interconnection of multiple switches and maintenance of VLAN information as traffic goes between switches. ISL provides VLAN trunking capabilities while it maintains full wire-speed performance on Ethernet links in full-duplex or half-duplex mode. ISL operates in a point-to-point environment and can support up to 1000 VLANs. In ISL, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. At the receiving end, the header is removed and the frame is forwarded to the assigned VLAN. ISL uses Per VLAN Spanning Tree (PVST), which runs one instance of Spanning Tree Protocol (STP) per VLAN. PVST allows the optimization of root switch placement for each VLAN and supports the load balancing of VLANs over multiple trunk links. ISL Frame- The ISL frame consists of three primary fields: the encapsulation frame (original frame), which is encapsulated by the ISL header, and the FCS at the end.
This section provides detailed descriptions of the ISL frame fields:
The DA field of the ISL packet is a 40-bit destination address. This address is a multicast address and is set at "0x01-00-0C-00-00" or "0x03-00-0c-00-00". The first 40 bits of the DA field signal the receiver that the packet is in ISL format.
The TYPE field consists of a 4-bit code. The TYPE field indicates the type of frame that is encapsulated and can be used in the future to indicate alternative encapsulations. This table provides definitions of different TYPE codes:
The USER field consists of a 4-bit code. The USER bits are used to extend the meaning of the TYPE field. The default USER field value is "0000". For Ethernet frames, the USER field bits "0" and "1" indicate the priority of the packet as it passes through the switch. Whenever traffic can be handled in a manner that allows it to be forwarded more quickly, the packets with this bit set should take advantage of the quick path. It is not required that such paths be provided.
The SA field is the source address field of the ISL packet. The field should be set to the "802.3" MAC address of the switch port that transmits the frame. It is a 48-bit value. The receiving device may ignore the SA field of the frame.
The LEN field stores the actual packet size of the original packet as a 16-bit value. The LEN field represents the length of the packet in bytes, with the exclusion of the DA, TYPE, USER, SA, LEN, and FCS fields. The total length of the excluded fields is 18 bytes, so the LEN field represents the total length minus 18 bytes.
AAAA03 (SNAP)—Subnetwork Access Protocol (SNAP) and Logical Link Control (LLC).The AAAA03 SNAP field is a 24-bit constant value of "0xAAAA03".
HSA—High Bits of Source Address.The HSA field is a 24-bit value. This field represents the upper 3 bytes (the manufacturer ID portion) of the SA field. The field must contain the value "0x00-00-0C".
VLAN—Destination Virtual LAN ID. The VLAN field is the VLAN ID of the packet. It is a 15-bit value that is used to distinguish frames on different VLANs. This field is often referred to as the "color" of the frame.
BPDU—Bridge Protocol Data Unit (BPDU) and Cisco Discovery Protocol (CDP) Indicator.
The bit in the BPDU field is set for all BPDU packets that are encapsulated by the ISL frame. The BPDUs are used by the spanning tree algorithm in order to determine information about the topology of the network. This bit is also set for CDP and VLAN Trunk Protocol (VTP) frames that are encapsulated.
The INDX field indicates the port index of the source of the packet as it exits the switch. This field is used for diagnostic purposes only, and may be set to any value by other devices. It is a 16-bit value and is ignored in received packets.
RES—Reserved for Token Ring and FDDI
The RES field is a 16-bit value. This field is used when Token Ring or FDDI packets are encapsulated with an ISL frame. In the case of Token Ring frames, the Access Control (AC) and Frame Control (FC) fields are placed here. In the case of FDDI, the FC field is placed in the Least Significant Byte (LSB) of this field. For example, an FC of "0x12" has a RES field of "0x0012". For Ethernet packets, the RES field should be set to all zeros.
The ENCAP FRAME field is the encapsulated data packet, which includes its own cyclic redundancy check (CRC) value, completely unmodified. The internal frame must have a CRC value that is valid after the ISL encapsulation fields are removed. The length of this field can be from 1 to 24,575 bytes in order to accommodate Ethernet, Token Ring, and FDDI frames. A receiving switch may strip off the ISL encapsulation fields and use this ENCAP FRAME field as the frame is received (associating the appropriate VLAN and other values with the received frame as indicated for switching purposes).
FCS—Frame Check Sequence
The FCS field consists of 4 bytes. This sequence contains a 32-bit CRC value, which is created by the sending MAC and is recalculated by the receiving MAC in order to check for damaged frames. The FCS is generated over the DA, SA, Length/Type, and Data fields. When an ISL header is attached, a new FCS is calculated over the entire ISL packet and added to the end of the frame.
The ISL frame encapsulation is 30 bytes, and the minimum FDDI packet is 17 bytes. Therefore, the minimum ISL encapsulated packet for FDDI is 47 bytes. The maximum Token Ring packet is 18,000 bytes. Therefore, the maximum ISL packet is 18,000 plus 30 bytes of ISL header, for a total of 18,030 bytes. If only Ethernet packets are encapsulated, the range of ISL frame sizes is from 94 to 1548 bytes.The biggest implication for systems that use ISL encapsulation is that the encapsulation is a total of 30 bytes, and fragmentation is not required. Therefore, if the encapsulated packet is 1518 bytes long, the ISL packet is 1548 bytes long for Ethernet. Additionally, if packets other than Ethernet packets are encapsulated, the maximum length can be greatly increased. You must consider this length change when you evaluate whether a topology can support ISL packets size.
Note: The addition of the new FCS does not alter the original FCS that is contained within the encapsulated frame.
IEEE 802.1Q
EEE 802.1Q, or VLAN Tagging, is a networking standard written by the IEEE 802.1 workgroup allowing multiple bridged networks to transparently share the same physical network link without leakage of information between networks. IEEE 802.1Q — along with its shortened form dot1q — is commonly used to refer to the encapsulation protocol used to implement this mechanism over Ethernet networks. IEEE 802.1Q defines the meaning of a Virtual LAN (VLAN) with respect to the specific conceptual model underpinning bridging at the MAC layer and to the IEEE 802.1D spanning tree protocol. This protocol allows for individual VLANs to communicate with one another with the use of a switch with layer-3 capabilities, or a router.
802.1Q does not actually encapsulate the original frame. Instead, for Ethernet II frames, it adds a 32-bit field between the source MAC address and the EtherType/Length fields of the original frame. The VLAN tag field has the following format:
16 bits 3 bits 1 bit 12 bits
TPID TCI- PCP CFI VID
* Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame.
* Priority Code Point (PCP): a 3-bit field which refers to the IEEE 802.1p priority. It indicates the frame priority level from 0 (lowest) to 7 (highest), which can be used to prioritize different classes of traffic (voice, video, data, etc).
* Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC address is in non-canonical format. If the value is 0, the MAC address is in canonical format. It is always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be bridged to an untagged port.
* VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn't belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag. A value of hex FFF is reserved for implementation use. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges, VLAN 1 is often reserved for management.
For frames using IEEE 802.2/SNAP encapsulation with an OUI field of 00-00-00 (so that the protocol ID field in the SNAP header is an EtherType), as would be the case on LANs other than Ethernet, the EtherType value in the SNAP header is set to hex 8100 and the aforementioned extra 4 bytes are appended after the SNAP header.
Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer. It also increases the maximum frame size by 4 bytes.
Double-tagging(QinQ) can be useful for Internet Service Providers, allowing them to use VLANs internally while mixing traffic from clients that are already VLAN-tagged. The outer (next to Source MAC and representing ISP VLAN) tag comes first, followed by the inner tag. In such cases, an alternate TPID such as hex 9100, or even 9200 or 9300, sometimes may be used for the outer tag; however this is being deprecated by 802.1ad, which specifies 88a8 for service-provider outer tags.
VLAN Trunking Protocol (VTP)
Cisco Devices, VTP (VLAN Trunking Protocol) maintains VLAN configuration consistency across the entire network. VTP uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch in the VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain and reduces the need to configure the same VLAN information on each switch.
VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can crossconnect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies.
VTP provides the following benefits:
* VLAN configuration consistency across the network
* Mapping scheme that allows a VLAN to be trunked over mixed media
* Accurate tracking and monitoring of VLANs
* Dynamic reporting of added VLANs across the network
* Plug-and-play configuration when adding new VLANs
As beneficial as VTP can be, it does have disadvantages that are normally related to the Spanning Tree Protocol (STP) as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur.
Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information.
Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:
* Management domain
* Configuration revision number
* Known VLANs and their specific parameters
There are three version of VTP so far. VTP Version 2 (V2) is not much different than VTP Version 1 (V1). The major difference is that VTP V2 introduces the support for Token Ring VLANs. If you are using Token Ring VLANs, you need to enable VTP V2. Otherwise, there is no reason to use VTP V2. VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements to previous VTP versions:
* Support for extended VLANs.
* Support for the creation and advertising of private VLANs.
* Improved server authentication.
* Protection from the "wrong" database accidentally being inserted into a VTP domain.
* Interaction with VTP version 1 and VTP version 2.
* Provides the ability to be configured on a per-port basis.
* Provides the ability to propagate the VLAN database andother databases.
Virtual LAN
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain. Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process. By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
The protocol most commonly used today in configuring virtual LANs is IEEE 802.1Q. The IEEE committee defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com's VLT (Virtual LAN Trunk). Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to work on both access and trunk links: frames are standard Ethernet, and so can be handled by commodity hardware.
The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI contains the following elements:
* Three-bit user priority
* One-bit canonical format indicator (CFI)
* Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame belongs
The 802.1Q standard can create an interesting scenario on the network. Recalling that the maximum size for an Ethernet frame as specified by IEEE 802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3 standard. To resolve this issue, the 802.3 committee created a subgroup called 802.3ac to extend the maximum Ethernet size to 1522 bytes. Network devices that do not support a larger frame size will process the frame successfully but may report these anomalies as a "baby giant". Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN information as traffic travels between switches on trunk links. This technology provides one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been available on Cisco routers since Cisco IOS Software Release 11.1.
With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs between switches and routers. ISL does add overhead to the packet as a 26-byte header containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each frame. This CRC is in addition to any frame checking that the Ethernet frame requires. The fields in an ISL header identify the frame as belonging to a particular VLAN. A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If the frame is to be forwarded out a port configured as an access link, the ISL encapsulation is removed.
Thursday, October 22, 2009
Static Routing
Objective:
Design & develop a computer network between 3 routers in three buildings, using static routing.
Setup:
I have taken several steps to establish static routing between routers A, B, C are given below:
Router A: Network address 192.168.1.0 is used for hosts of the router A. PC 0 and PC 1 are connected through a switch ip configuration of 192.168.1.2 and subnet mask is 255.255.255.0 and 192.168.1.3 and subnet mask is 255.255.255.0. For the cable which connects router A with router B is configured with the ip address 192.168.4.1 and subnet mask is 255.255.255.0. Gateway address used for hosts of router A network is 192.168.1.1 and subnet mask is 255.255.255.0.
Router B: Network address 192.168.2.0 is used for hosts of the router B. PC 2 and PC 3 are connected through a switch ip configuration of 192.168.2.2 and subnet mask is 255.255.255.0 and 192.168.2.3 and subnet mask is 255.255.255.0. For the cable which connects router B with router A is configured with the ip address 192.168.4.2 and subnet mask is 255.255.255.0 and for the cable which connects router B with router C is configured with the ip address 192.168.5.1 and subnet mask is 255.255.255.0. Gateway address used for hosts of router B network is 192.168.2.1 and subnet mask is 255.255.255.0.
Router C: Network address 192.168.3.0 is used for hosts of the router A. PC 4 and PC 5 are connected through a switch ip configuration of 192.168.3.2 and subnet mask is 255.255.255.0 and 192.168.3.3 and subnet mask is 255.255.255.0. For the cable which connects router C with router B is configured with the ip address 192.168.5.2 and subnet mask is 255.255.255.0. Gateway address used for hosts of router C network is 192.168.3.1 and subnet mask is 255.255.255.0.
Network Diagram:
Commands in the routers:
Defining Routes:
Router A:
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.2
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.4.2
Router B:
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.4.1
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.5.2
Router C:
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.5.1
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.1
Objective:
Design & develop a computer network between 4 routers situated in different places, using static routing with redundancy.
Setup:
I have taken several steps to establish static routing between routers A, B, C, D are given below:
Router A: Network address 192.168.1.0 is used for hosts of the router A. PC 1 is connected through a switch ip configuration of 192.168.1.2 and subnet mask is 255.255.255.0. For the cable which connects router A with router B is configured with the ip address 192.168.5.1 and subnet mask is 255.255.255.0 and router C is configured with the ip address 192.168.6.2 and subnet mask is 255.255.255.0.There is another router D and For the cable which connects router A with router D is configured with the ip address 192.168.10.1 and subnet mask is 255.255.255.0 and the gateway address used for hosts of router A network is 192.168.1.1 and subnet mask is 255.255.255.0.
Router B: Network address 192.168.3.0 is used for hosts of the router B. PC 2 is connected through a switch ip configuration of 192.168.3.2 and subnet mask is 255.255.255.0. For the cable which connects router B with router A is configured with the ip address 192.168.5.2 and subnet mask is 255.255.255.0 and router C is configured with the ip address 192.168.9.2 and subnet mask is 255.255.255.0.There is another router D and For the cable which connects router A with router D is configured with the ip address 192.168.8.1 and subnet mask is 255.255.255.0 and the gateway address used for hosts of router B network is 192.168.3.1 and subnet mask is 255.255.255.0.
Router C: Network address 192.168.2.0 is used for hosts of the router C. PC 3 is connected through a switch ip configuration of 192.168.2.2 and subnet mask is 255.255.255.0. For the cable which connects router C with router B is configured with the ip address 192.168.9.1 and subnet mask is 255.255.255.0 and router A is configured with the ip address 192.168.6.1 and subnet mask is 255.255.255.0.There is another router D and For the cable which connects router A with router D is configured with the ip address 192.168.7.2 and subnet mask is 255.255.255.0 and the gateway address used for hosts of router A network is 192.168.2.1 and subnet mask is 255.255.255.0.
Router D: Network address 192.168.4.0 is used for hosts of the router D. PC 4 is connected through a switch ip configuration of 192.168.4.2 and subnet mask is 255.255.255.0. For the cable which connects router D with router B is configured with the ip address 192.168.8.2 and subnet mask is 255.255.255.0 and router C is configured with the ip address 192.168.7.2 and subnet mask is 255.255.255.0.There is another router A and For the cable which connects router D with router A is configured with the ip address 192.168.10.2 and subnet mask is 255.255.255.0 and the gateway address used for hosts of router A network is 192.168.4.1 and subnet mask is 255.255.255.0.
Network Diagram:
Commands in the routers:
Defining Routes:
Router A:
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.6.1 10
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.10.2 11
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.5.2 12
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.5.2 13
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.10.2 14
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.6.1 15
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.10.2 16
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.5.2 17
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.6.1 18
Router B
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.8.2 10
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.9.1 11
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.5.1 12
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.5.1 13
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.9.1 14
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.8.2 15
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.9.1 16
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.8.2 17
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.5.1 18
Router C
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.6.2 10
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.9.2 11
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.7.1 12
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.7.1 13
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.9.2 14
Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.6.2 15
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.9.2 16
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.7.1 17
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.6.2 18
Router D
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.7.2 10
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.10.1 11
Router(config)#ip route 192.168.2.0 255.255.255.0 192.168.8.1 12
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.8.1 13
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.10.1 14
Router(config)#ip route 192.168.3.0 255.255.255.0 192.168.7.2 15
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.10.1 16
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.7.2 17
Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.8.1 18
Tuesday, October 20, 2009
IPLC
Thursday, October 15, 2009
Virtual private LAN service
Virtual private LAN service (VPLS) is a way to provide Ethernet based multipoint to multipoint communication over IP/MPLS networks. It allows geographically dispersed sites to share an Ethernet broadcast domain by connecting sites through pseudo-wires. The technologies that can be used as pseudo-wire can be Ethernet over MPLS, L2TPv3 or even GRE. There are two IETF standards track RFCs (RFC 4761 and RFC 4762) describing VPLS establishment.VPLS is a virtual private network (VPN) technology. In contrast to L2TPv3, which allows only point-to-point layer 2 tunnels, VPLS allows any-to-any (multipoint) connectivity. In a VPLS, the local area network (LAN) at each site is extended to the edge of the provider network. The provider network then emulates a switch or bridge to connect all of the customer LANs to create a single bridged LAN. Since VPLS emulates a LAN, full mesh connectivity is required. There are two methods for full mesh establishment for VPLS: using BGP and using Label Distribution Protocol (LDP). The "control plane" is the means by which provider edge (PE) routers communicate for auto-discovery and signaling. Auto-discovery refers to the process of finding other PE routers participating in the same VPN or VPLS. Signaling is the process of establishing pseudo-wires (PW). The PWs constitute the "data plane", whereby PEs send customer VPN/VPLS traffic to other PEs.
With BGP, one has auto-discovery as well as signaling. The mechanisms used are very similar to those used in establishing Layer-3 MPLS VPNs. Each PE is configured to participate in a given VPLS. The PE, through the use of BGP, simultaneously discovers all other PEs in the same VPLS, and establishes a full mesh of pseudo-wires to those PEs. With LDP, each PE router must be configured to participate in a given VPLS, and, in addition, be given the addresses of other PEs participating in the same VPLS. A full mesh of LDP sessions is then established between these PEs. LDP is then used to create an equivalent mesh of PWs between those PEs. An advantage to using PWs as the underlying technology for the data plane is that in case of failure, traffic will automatically be routed along available backup paths in the service provider's network. Failover will be much faster than could be achieved with e.g. Spanning Tree Protocol (STP). VPLS is thus a more reliable solution for linking together Ethernet networks in different locations than simply connecting a WAN link to Ethernet switches in both locations.
VPLS has significant advantages for both service providers and customers. Service providers benefit because they can generate additional revenues by offering a new Ethernet service with flexible bandwidth and sophisticated service level agreements (SLAs). VPLS is also simpler and more cost effective to operate than a traditional service. Customers benefit because they can connect all of their sites to an Ethernet VPN that provides a secure, high speed and homogenous network. Moreover, VPLS provides a logical next step in the continuing evolution of Ethernet from a 10 Mbps shared LAN protocol to a multi-Gbps global service. VPLS MPLS packets have a two-label stack. The outer label is used for normal MPLS forwarding in the service provider's network. If BGP is used to establish the VPLS, the inner label is allocated by a PE as part of a label block. If LDP is used, the inner label is a virtual circuit ID assigned by LDP when it first established a mesh between the participating PEs. Every PE keeps track of assigned inner label, and associates these with the VPLS instance.
PEs participating in a VPLS-based VPN must appear as an Ethernet bridge to connected customer edge (CE) devices. Received Ethernet frames must be treated in such a way as to ensure CEs can be simple Ethernet devices.When a PE receives a frame from a CE, it inspects the frame and learns the CE's MAC address, storing it locally along with LSP routing information. It then checks the frame's destination MAC address. If it is a broadcast frame, or the MAC address is not known to the PE, it floods the frame to all PEs in the mesh. Ethernet does not have a time to live (TTL) field in its frame header, so loop avoidance must be arranged by other means. In regular Ethernet deployments, Spanning Tree Protocol is used for this. In VPLS, loop avoidance is arranged by the following rule: A PE never forwards a frame received from a PE, to another PE. The use of a full mesh combined with split horizon forwarding guarantees a loop-free broadcast domain.VPLS is typically used to link a large number of sites together. Scalability is therefore an important issue that needs addressing.
Split horizon route advertisement
In computer networks, distance-vector routing protocols employ the split horizon route advertisement rule which prohibits a router from advertising a route back out the interface from which it was learned. Split horizon is one of the methods used to prevent routing loops due to the slow convergence times of distance-vector routing protocols.
In this example A uses B to reach C.
A will not advertise its route for C (A to B to C) back to B. On the surface, this seems redundant since B will never use A's route because it costs more than B's route to C. However, if B's route to C goes down, B could end up using A's route, which goes through B; A would send the packet right back to B, creating a loop. With split horizon, this particular loop scenario cannot happen which improves convergence time in complex, highly-redundant environments.
An additional variation of split horizon does advertise the route back to the router that is used to reach the destination, but marks the advertisement as unreachable. This is called split horizon with poison reverse.
With poison reverse, when a routing update indicates that a network is unreachable, routes are immediately removed from the routing table. This breaks erroneous, looping routes before they can propagate through the network. This approach differs from the basic split horizon rule where routes are eliminated through timeouts. Poison reverse has no benefit in networks with no redundancy (single path networks). One disadvantage to poison reverse is that it might significantly increase the size of routing announcements exchanged between neighbors. This is because all routes in the distance vector table are included in each announcement. Although this is generally not an issue on local area networks, it can cause periods of increased utilization on lower-capacity WAN connections.
Protocols using split horizon
Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway, and has been described in detail in RFC 2281. The Virtual Router Redundancy Protocol (VRRP) is a standards-based alternative to HSRP defined in IETF standard RFC 3768. The two technologies are similar in concept, but not compatible.
The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway should become inaccessible,in close association with a rapid-converging routing protocol like EIGRP or OSPF. By multicasting packets, HSRP sends its hello messages to the multicast address 224.0.0.2 (all routers) using UDP port 1985, to other HSRP-enabled routers, defining priority between the routers. The primary router with the highest configured priority will act as a virtual router with a pre-defined gateway IP and will respond to the ARP request from machines connected to the LAN with the mac address 0000.0c07.acXX where XX is the group ID in hex. If the primary router should fail, the router with the next-highest priority would take over the gateway IP and answer ARP requests with the same mac address, thus achieving transparent default gateway fail-over.HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the routing table in any way.
HSRP and VRRP on some routers have the ability to trigger a failover if one or more interfaces on the router go down. This can be useful for dual branch routers each with a single serial link back to the head end. If the serial link of the primary router goes down, you would want the backup router to take over the primary functionality and thus retain connectivity to the head end.
Route poisoning
Route poisoning is a method to prevent routing loops within computer networks. Distance-vector routing protocols in computer networks use route poisoning to indicate to other routers that a route is no longer reachable and should be removed from their routing tables. A variation of route poisoning is split horizon with poison reverse whereby a router sends updates with unreachable hop counts back to the sender for every route received to help prevent routing loops. When the protocol detects an invalid route, all of the routers in the network are informed that the bad route has a hop count of 16, which stands for infinity (∞). This makes all nodes on the invalid route seem infinitely distant, resulting in preventing any of the routers from sending packets over the invalid route.
Some distance-vector routing protocols, such as RIP, use a maximum hop count to determine how many routers traffic must go through to reach the destination. Each route has a hop count number assigned to it which is incremented as the routing information is passed from router to router. A route is considered unreachable if the hop count exceeds the maximum allowed. Route poisoning is a method of quickly removing outdated routing information from other router's routing tables by changing its hop count to be unreachable (higher than the maximum number of hops allowed) and sending a routing update. In the case of RIP, the maximum hop count is 15, so to perform route poisoning on a route its hop count is changed to 16, deeming it unreachable, and a routing update is sent. When a router receives a poisoned route, it sends an update back to the router from which it received the poisoned route; this is called poison reverse. This is to ensure that all routers on a segment have received the poisoned route information.
Saturday, October 10, 2009
Virtual Routing and Forwarding (VRF)
In IP-based computer networks, Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. Alternative meaning of VRF is a VPN Routing and Forwarding, the key element in the Cisco MPLS VPN technology.A VRF is a routing table instance, that can exist in one instance or multiple instances per each VPN on a Provider Edge (PE) router.VRF may be implemented in a network device by distinct routing tables known as forwarding information bases (FIBs), one per VRF. Alternatively, a network device may have the ability to configure different virtual routers, where each one has its own FIB that is not accessible to any other virtual router instance on the same device.
The simplest form of VRF implementation is VRF Lite. In this implementation, each router within the network participates in the virtual routing environment in a peer-based fashion. While simple to deploy and appropriate for small to medium enterprises and shared data centres, VRF Lite does not scale to the size required by global enterprises or large carriers, as there is the need to implement each VRF instance on every router. The scaling limitations of VRF Lite are resolved by the implementation of IPVPNs. In this implementation, a core backbone network is responsible for the transmission of data across the wide area between VRF instances at each edge location. IPVPNs have been traditionally deployed by carriers to provide a shared wide-area backbone network for multiple customers. They are also appropriate in large enterprise, multi-tenant and shared data centre environments.
In a typical deployment, Customer Edge (CE) routers handle local routing in a traditional fashion and disseminate routing information into Provider Edge (PE) where the routing tables are virtualised. The PE router then encapsulates the traffic, marks it to identify the VRF instance, and transmits it across the provider backbone network to the destination PE router. The destination PE router then un-encapsulates the traffic and forwards it to the CE router at the destination. The backbone network is completely transparent to the customer equipment, allowing multiple customers or user communities to utilize the common backbone network while maintaining end-to-end traffic separation.Routes across the provider backbone network are maintained using an Interior Gateway Protocol - typically iBGP. iBGP uses extended community attributes in a common routing table to differentiate the customers' routes with overlapping IP addresses. IPVPN is most commonly deployed across a Multi-protocol Label Switching (MPLS) backbone as the inherent labelling of packets in MPLS lends itself to the identification of the customer VRF. Some IPVPN implementations (notably Nortel's IP-VPN Lite) utilize a simpler IP-in-IP encapsulation over a pure IP backbone, eliminating the need to maintain and support an MPLS environment.
Monday, October 5, 2009
Generic Routing Encapsulation
GRE or Generic Routing Encapsulation - it is a tunneling protocol that was originally developed by Cisco for encapsulation of arbitrary kinds of network layer packets inside arbitrary kinds of network layer packets. This is brief tutorial on creating a GRE tunnel between two Cisco routes. Suppose that we have two sites; SiteA and SiteB. SiteA's router has interface Eth0 with the following IP address 10.0.1.1/24 and secondary IP address 1.0.1.1/24. Where the users (LAN) are connected to 10.0.1.0/24 subnet. The router has serial interface connected to the Internet (ISP). Same for SiteB, it has Eth0 with IP address 10.0.2.1/24 and secondary IP 1.0.2.1/24 where the users (LAN) are connected to 10.0.1.0/24 subnet. The router has serial interface connected to the Internet (ISP). Now we want to create a GRE tunnel in order for 10.0.1.0/24 and 10.0.2.0/24 subnets to communicate with each other.
Cisco Discovery Protocol
Cisco devices send CDP announcements to the multicast destination address 01-00-0c-cc-cc-cc (also used for other Cisco proprietary protocols such as VTP). CDP announcements (if supported and configured in IOS) are sent by default every 60 seconds on interfaces that support Subnetwork Access Protocol (SNAP) headers, including Ethernet, Frame Relay and ATM. Each Cisco device that supports CDP stores the information received from other devices in a table that can be viewed using the show cdp neighbors command. The CDP table's information is refreshed each time an announcement is received, and the holdtime for that entry is reset. The holdtime specifies how long an entry in the table will be kept - if no announcements are received from a device and the holdtime timer expires for that entry, the device's information is discarded (default 180 seconds).
The information contained in CDP announcements varies by the type of device and the version of the operating system running on it. Information contained includes the operating system version, hostname, every address for every protocol configured on the port where CDP frame is sent eg. IP address, the port identifier from which the announcement was sent, device type and model, duplex setting, VTP domain, native VLAN, power draw (for Power over Ethernet devices), and other device specific information. The details contained in these announcements is easily extended due to the use of the type-length-value (TLV) frame format. See external links for a technical definition. HP removed support for sending CDP from HP Procurve products shipping after February 2006 and all future software upgrades. Receiving CDP and showing neighbor information is still supported. CDP support was replaced with Link Layer Discovery Protocol.
Netflow
NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. It is proprietary and supported by platforms other than IOS, such as Juniper routers, Linux or FreeBSD and OpenBSD.
Cisco routers that have the Netflow feature enabled generate netflow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a netflow collector. Other vendors provide similar features for their routers but with different names:
Jflow or cflowd for Juniper Networks
NetStream for 3Com/H3C
NetStream for Huawei Technology
Cflowd for Alcatel-Lucent
network flow has been defined in many ways. The traditional Cisco definition is to use a 7-tuple key, where a flow is defined as a unidirectional sequence of packets all sharing all of the following 7 values:
1. Source IP address
2. Destination IP address
3. Source port for UDP or TCP, 0 for other protocols
4. Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
5. IP protocol
6. Ingress interface (SNMP ifIndex)
7. IP Type of Service
Flexible Netflow and IPFIX support user-defined flow keys. The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. In Flexible NetFlow (FNF) an administrator could actually define flow properties on the router.