Wednesday, June 7, 2017

Proxy ARP - quick review

Proxy ARP is a feature that is recommended to be disabled on any router interface facing the Internet, and enabled only on interfaces that serve an internal LAN.
 
 
#ip proxy-arp   [makes the router answer ARP requests with its own MAC address in place of the MAC address of the requested destination]

To disable proxy ARP globally:
# ip arp proxy disable
and under the interface:
#no ip proxy-arp

OK, so what is proxy ARP?
It is a feature, enabled by default on routers, that lets the router answer ARP requests on behalf of a destination that is not reachable on the local segment, as long as the router has a route to that destination through one of its interfaces.


If you disable proxy ARP on the interface, router 1 will no longer be able to reach router 6's loopback interface, because it cannot obtain the Layer 2 MAC address of the destination [the cause is a static route that points to the router's exit interface instead of the IP address of the next hop].
If you enable #debug ip packet you will see an encapsulation failure,
which means the router failed to build the Layer 2 frame.

The solution is one of the following:

  • Hard-code a static ARP entry (destination IP to MAC address) for the destination; it will then be reachable.
  • Or enable proxy ARP on the interface.
  • Or use a static route that points to the next-hop IP address instead of the exit interface.
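The encapsulation failure described above, as an added example (not from the original post): a small Python model of R6's proxy ARP decision and of the R1 side that has a static route to an exit interface. The interface table, routes and MAC address are constructed for the example.

```python
# Added example (not from the original post): a model of the proxy ARP decision
# and of the "encapsulation failed" outcome when the far router stays silent.
from ipaddress import ip_address, ip_network

# R6 interfaces: name -> (connected subnet, "ip proxy-arp" enabled on it?)  [constructed]
INTERFACES = {
    "Gi0/0": (ip_network("192.0.2.0/24"), False),  # Internet-facing: proxy ARP off
    "Gi0/1": (ip_network("10.1.1.0/24"), True),    # internal LAN: proxy ARP on
    "Lo0":   (ip_network("10.6.6.6/32"), False),   # R6's loopback
}
# R6 routing table: prefix -> exit interface  [constructed]
ROUTES = {
    ip_network("10.6.6.6/32"): "Lo0",
    ip_network("10.1.1.0/24"): "Gi0/1",
    ip_network("192.0.2.0/24"): "Gi0/0",
}
R6_MAC = "aa:bb:cc:00:00:06"  # constructed


def r6_handle_arp(ingress, target_ip):
    """MAC that R6 puts in its ARP reply, or None if R6 stays silent.

    R6 answers for a target that is NOT on the ingress subnet only when proxy
    ARP is enabled on that interface and R6 routes the target elsewhere.
    """
    target = ip_address(target_ip)
    subnet, proxy_enabled = INTERFACES[ingress]
    if target in subnet:
        return None            # on-link target: the real host answers, not R6
    if not proxy_enabled:
        return None            # "no ip proxy-arp": silent, R1 never gets a MAC
    matches = [p for p in ROUTES if target in p]
    if not matches:
        return None            # no route: nothing to proxy for
    best = max(matches, key=lambda p: p.prefixlen)  # longest prefix match
    if ROUTES[best] == ingress:
        return None            # would route back out the same interface
    return R6_MAC


def r1_forward(dest_ip, r6_ingress="Gi0/1"):
    """R1 has 'ip route <dest> 255.255.255.255 <exit interface>', so it ARPs for
    the destination itself on the shared segment facing the given R6 interface.
    """
    mac = r6_handle_arp(r6_ingress, dest_ip)
    return f"frame sent to {mac}" if mac else "encapsulation failed"
```

Flip the `Gi0/1` entry to `False` (or point R1's route at the Internet-facing `Gi0/0`) and `r1_forward` reports the encapsulation failure that `debug ip packet` shows.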



Wednesday, April 26, 2017

MULTICAST BGP EXTENSION


The first question you need to answer is: why?
Why do we need a BGP extension for multicast?
The answer is simple: we need to connect and run multicast between two or more domains ("autonomous systems"), and BGP uses unicast to connect to its neighbors, so you have to use the multicast address family (AF) in order to enable multicast via BGP.


we will work on the topology below:




Important things to have in place before configuring the mBGP multicast extension:
1. Full IGP routing table exchanged between routers, and reachability
2. Interfaces on border routers facing the EBGP neighbor should be passive for the IGP
3. Run EBGP between the border routers of the neighboring ASes
4. Run iBGP and make sure of full BGP neighborship and route exchange down to the last router in your AS, using confederations or route reflectors; in our case we will use R6 and R1 on each side as the reflection point for iBGP routes learned from the border routers {don't forget to make the border routers the next hop for all the iBGP neighbors}
5. Configure the BGP address family for multicast; this requires activating the neighbors under that address family
6. The redistribution point will be the border routers, in order to bring reachability between the two domains
7. Use peer groups when needed to simplify configuration
8. Choose the PIM mode you have been tasked to use, standard or Cisco
9. Sparse mode is the common mode used; enable MSDP
NOTE: MSDP is used because the RPs are in two different domains, and in order to learn about sources in the other domain we use MSDP.
10. Verify your configuration by joining one router to a multicast group and pinging it from the remote site
11. Use #show bgp ipv4 multicast summary to see the activated neighbors
12. Use #show ip mroute x.x.x.x for the group
13. Use #show ip rpf
14. Use #show ip pim rp mapping to verify the RP in each domain

Monday, April 3, 2017

GRE over IPSEC

Q: Why do we use IPsec to transport the GRE payload?
A: Our scenario is to connect two remote sites whose OSPF Area 0 is discontiguous. We will connect the two peers using GRE over IPsec.

       R-A <------>R-B <-----> R-d <----->R-e <-----> R-F <------>R-Z

Let's say the link from R-B to R-A is in OSPF Area 0,
and the link from R-F to R-Z is in OSPF Area 0.

The underlying routing protocol between R-B and R-F is [EIGRP].

So, back to the question of why we use IPsec for GRE transport: the reason given here is that GRE on its own does not support dynamic routing protocols, because GRE is used as a plain point-to-point link.

Points to focus on:
1. Reachability between R-B and R-F [loopbacks included]
2. Reachability between R-B and R-A, and between R-F and R-Z [via OSPF]


Steps:
Create the GRE tunnel interface [IP address, tunnel source, tunnel destination]. Use the loopbacks as source and destination; this lets the tunnel re-route over alternative links in case of link failures.
The GRE tunnel will have its IP MTU reduced and the TCP MSS adjusted as well.

The GRE tunnel will run OSPF in Area 0 so that it becomes the link between the two discontiguous Area 0 segments.

Configure the IPsec tunnel:
1. Configure ISAKMP ("phase 1")
2. Configure IPsec ("phase 2")

In ISAKMP, which is phase 1, the following must be identical on both peers:
1. Authentication   [pre-shared key, PKI]
2. Encryption type  [AES, 3DES, DES]
3. Hashing type     [MD5, SHA, SHA256, SHA384, ...etc.]
4. Diffie-Hellman group  [1, 14, 15, ...etc.], depending on how many bits your router can handle
5. Lifetime  [this one is optional; the peers may have different values]

In IPsec, which is phase 2, we have the following to configure:
1. Configure the peer you will connect with:
#set peer x.x.x.x
2. Configure the traffic that is allowed over the IPsec tunnel by using an access list:
#permit ip source destination
If you are using tunnel mode, the access list will carry the links between R-B to R-A and R-F to R-Z; if you are using transport mode, the source must be the local router loopback and the destination the remote router loopback. In our scenario we will use transport mode.

3. Configure the transform set, which defines how your data is treated (encryption and hashing); by data we mean the traffic permitted by the access list.
The supported algorithms differ according to your IOS version:

Then match the access list using #match address acl-name
and set the transform set with #set transform-set [for the matched ACL]


Now that you have everything configured,

you should differentiate between GRE over IPsec and IPsec over GRE:
in GRE over IPsec you configure the crypto map on the physical interface(s), while in IPsec over GRE you configure the crypto map on the GRE tunnel interface.


So, after you have applied the crypto map on the physical interface, you can start checking and verifying the configuration for each part. Let's start:

Verify reachability between the loopback interfaces of the two peers:
Router#ping 150.1.7.7 so lo0
Sending 5, 100-byte ICMP Echos to 150.1.7.7, timeout is 2 seconds:
Packet sent with a source address of 150.1.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
This ICMP is carried over the EIGRP-learned underlay path.



Verify that the GRE tunnel is up and running:


Verify ISAKMP: Quick Mode, and the status is active:

Verify the IPsec security association; you have these parameters to check:
a. SPI, outbound/inbound
b. ENCAP/DECAP and digest counters [they should increase even when you only send ICMP]
c. The ACL, or "proxy identity": the local ident and remote ident lines
NOTE: the ACLs on both sides must be mirrored.

Verify the transform set:
it must be identical on both sides.

NOTE: we are using ESP.






Verify the IP routing table for OSPF; you should receive routes for the remote peers through the tunnel interface:

The above output shows the route from R-B to R-Z arriving via Tunnel0.

Traffic destined to 150.1.9.9/32 goes to Tunnel0. Tunnel0 hands it to the tunnel source, which is Loopback0; Loopback0 uses EIGRP as the underlying protocol to reach the remote site's Loopback0. When the router chooses the exit interface, the packets leaving that interface are encrypted because the crypto map is applied there, so the data is encrypted and sent to the remote site.
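Two of the checks above (phase 1 attributes must be identical except lifetime; phase 2 crypto ACLs must be mirrored), as an added Python example that is not part of the original post. The `IsakmpPolicy` class and the helper names are mine, and the sample ACLs are constructed from the post's loopbacks for transport mode.

```python
# Added example (not from the original post): checks for the two rules stated
# above. Phase 1 (ISAKMP) policies must agree on authentication, encryption,
# hash and DH group; lifetime may differ. Phase 2 crypto ACLs must be mirror
# images. Sample values are constructed (transport mode, loopback to loopback).
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    authentication: str  # "pre-share" or "rsa-sig"
    encryption: str      # "aes", "3des", "des"
    hashing: str         # "md5", "sha", "sha256", ...
    dh_group: int        # 1, 2, 5, 14, ...
    lifetime: int        # seconds; the peers settle on the lower value


def isakmp_policies_match(a, b):
    """Phase 1 only forms if the four non-negotiable attributes are equal."""
    key = lambda p: (p.authentication, p.encryption, p.hashing, p.dh_group)
    return key(a) == key(b)


def _parse_crypto_acl(acl_text):
    """Return {(src, dst)} from 'permit ip SRC DST' lines of an extended ACL.
    Address spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    def take(t, i):                      # parse one address spec at index i
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return "host " + t[i + 1], i + 2
        return t[i] + " " + t[i + 1], i + 2
    entries = set()
    for line in acl_text.strip().splitlines():
        t = line.split()
        if t[:2] == ["permit", "ip"]:
            src, i = take(t, 2)
            dst, _ = take(t, i)
            entries.add((src, dst))
    return entries


def crypto_acls_mirrored(local_acl, remote_acl):
    """Every local (src, dst) must exist remotely as (dst, src), and vice versa."""
    local, remote = _parse_crypto_acl(local_acl), _parse_crypto_acl(remote_acl)
    return {(d, s) for s, d in local} == remote


# Constructed crypto ACLs for R-B and R-F in transport mode (loopback to loopback)
RB_ACL = "permit ip host 150.1.8.8 host 150.1.7.7"
RF_ACL = "permit ip host 150.1.7.7 host 150.1.8.8"
```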



Tuesday, March 28, 2017

MPLS L3VPN multihomed customer AS override




Topology description:
R3 , R4 = Provider Routers / Core network for ISP [P]
R1, R5 = Provider Edge Routers [PE]
R6, R7 = Customer Edge Routers [CE]

MPLS is running across the ISP network, from the PE on the left side, through the P routers in the core, to the PE on the right side.

The ISP is running OSPF as its IGP, so the PEs' E0/1 interfaces and R3 and R4 all run OSPF to exchange routes.

iBGP is running between R1 and R5 to establish the MP-BGP VPNv4 session through the ISP's MPLS network.

The iBGP session uses the R1 and R5 loopback interfaces.

In this lab I used an eBGP connection between the CE and PE routers.

On the PE side we have to configure a VRF toward the CE, in case we have more than one CE using the same IP ranges.
BGP configuration on the PE goes under address-family ipv4 vrf.
BGP configuration on the CE side is normal, under the global routing table.

On the PE we would need redistribution if we were using something other than BGP between PE and CE,
but since we are running eBGP [CE to PE] and iBGP [PE to PE] there is no need to redistribute.

On the customer edges [sites] we are using BGP with AS 250 on both CE routers.
When CE [left] sends prefixes to PE [left] it includes the path attributes; PE [left] sends them to PE [right], and PE [right] sends them to CE [right]. CE [right] checks the prefixes and finds its own AS in the path, so it treats the route as a loop: BGP's loop prevention mechanism is to drop any route that carries my own AS in the path to the destination [default behavior]. So what can be done in this case to make the two CE sites reach each other?

The options are:
1. allowas-in  [implemented on the CE routers, to accept incoming routes that carry the CE's own AS number]
2. as-override [implemented on the PE side toward the CE neighbor; it replaces the customer AS number in the path with the PE's own AS number]
3. BGP Site of Origin (SoO) [tagging routes]


check the configuration below:

PE-LEFT#show run | section router bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 100
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpn
  neighbor 10.0.17.7 remote-as 250
  neighbor 10.0.17.7 activate
  neighbor 10.0.17.7 as-override
 exit-address-family
=========================================

The same is configured on the right-side PE:
PE-RIGHT# show run | section router bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpn
  neighbor 10.0.56.6 remote-as 250
  neighbor 10.0.56.6 activate
  neighbor 10.0.56.6 as-override
 exit-address-family
PE-RIGHT#

Now, checking the BGP table on the CE will look like the picture below:

As you can see, the path contains 100 100, which is the PE's BGP AS number.

Reachability check from CE right side to CE left side:
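The AS_PATH handling described in this post, as an added Python example (not from the original post): it follows one prefix from CE-left to CE-right with and without as-override and allowas-in, using the post's AS numbers (CEs in AS 250, PEs in AS 100). The function names are mine, not IOS commands.

```python
# Added example (not from the original post): a model of the AS_PATH handling
# described above. Both CEs are in AS 250 and the PEs are in AS 100, as in the
# post; helper names are mine, not IOS commands.
def ebgp_advertise(as_path, local_as):
    """An eBGP speaker prepends its own AS when advertising to an eBGP peer."""
    return [local_as] + as_path


def pe_as_override(as_path, pe_as, ce_as):
    """'neighbor <ce> as-override' on the PE: every occurrence of the CE's AS in
    the path is rewritten to the PE's own AS before the update goes to that CE."""
    return [pe_as if asn == ce_as else asn for asn in as_path]


def ce_accepts(as_path, local_as, allowas_in=False):
    """Default BGP loop prevention: drop a route whose AS_PATH already contains
    our own AS. 'neighbor <pe> allowas-in' on the CE relaxes this check."""
    return allowas_in or local_as not in as_path


def propagate(ce_as=250, pe_as=100, use_as_override=True, use_allowas_in=False):
    """Follow one prefix from CE-left to CE-right; return (path CE-right sees,
    whether CE-right installs it).

    CE-left -> PE-left is eBGP, PE-left -> PE-right is iBGP (no AS prepended),
    PE-right -> CE-right is eBGP again.
    """
    path = ebgp_advertise([], ce_as)                # CE-left originates: [250]
    # PE-left -> PE-right over iBGP: the AS_PATH is carried unchanged
    if use_as_override:
        path = pe_as_override(path, pe_as, ce_as)   # [100]
    path = ebgp_advertise(path, pe_as)              # PE-right prepends 100
    return path, ce_accepts(path, ce_as, use_allowas_in)
```

With as-override the CE sees `100 100` as in the post's BGP table; without it the route carries `100 250` and is dropped unless allowas-in is configured on the CE.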



Sunday, January 29, 2017

OSPF LSA types understanding

The most important part of understanding OSPF is getting to know the LSA ("link state advertisement") types.

Understanding them should not stop at memorizing the LSA names:

you also need to know how to check each one of them on the command line,

and how every LSA is generated and which router generates it.


So, as we learned, OSPF uses a hierarchical design, and this is achieved by the backbone area, Area 0,

because every area must connect to it in order to reach the other areas.


Beyond that, configuring separate areas hides the routes of one area from the others and limits LSA flooding to the single area where the change happens;

so Area 0 will not flood LSAs for an internal change into other areas such as Area 1 and Area 2.


Now, back to the LSA types; the most important ones are:
LSA1  [this is for all routers within the same area; each one says "I'm in this area"]
So LSA1 is generated by every router, for every one of its links, and reaches the ABR.
LSA2  [this describes the IP address of the DR interface within the same area]
All routers form an OSPF adjacency with the DR and BDR, and the DR generates LSA2; this only happens in OSPF network types where a DR is elected, i.e. [NBMA, broadcast networks].
The DR then sends it to all routers, so it is like a map used internally between routers to reach each other.


LSA3  [generated by the Area Border Router, which has legs in two areas; it is a summary of the networks advertised by the other area, so it is the point of contact between areas]

LSA4  [when the ASBR brings routes from EIGRP or RIP into the OSPF domain, the ASBR sends LSA1 messages to the ABR of that area and the ABR generates LSA4 to send into the next area]
LSA4 is like an identifier for the ASBR.

LSA5  [external routes that come from another router running RIP, EIGRP or others]
So when Rx redistributes EIGRP into the OSPF domain it sends LSA1 to the ABR of that area, and then the ABR generates LSA5.

LSA7  [used in an NSSA, because the area will not allow LSA5, so the LSA5 is turned into an LSA7 to be allowed into the OSPF domain]

All of these LSAs can be seen in the OSPF database using
#show ip ospf database     with its arguments to find each LSA, self-originated or advertised by other routers.





OK, now how do we filter LSAs?

STUB = no LSA4, no LSA5
TOTALLY STUBBY = no LSA3, LSA4, LSA5
NSSA = no LSA5, but LSA7 is OK and is translated back at the border.
TOTALLY NSSA = generates an LSA3 with the default route





Thursday, November 17, 2016

Changing SSH port for a router

SSH uses port 22 by default.
On a Cisco router you can change the port to another one;

let's say we use port 800.

In this case you log in to the router and issue the command
#ip ssh port 800 rotary 1    ! this instructs the router to accept SSH on port 800 in addition to the original port

Then you need to tell the VTY lines to use rotary group 1, so under line vty issue the command
#rotary 1

Now you have to prevent the old port, 22, from being used for SSH connections, and that can be done with an ACL. So let's create an ACL that permits port 800 and denies everything else:

#ip access-list extended SSH
#permit tcp any any eq 800
#deny   ip any any

Then go back into line vty and issue the command #access-class SSH in,
which applies the new ACL named SSH to the VTY lines inbound.

You can add more conditions for the sources you want to permit SSH connections from.

Now you can test connecting with SSH on both ports: you should get connection refused on port 22, and the connection via the new port (800) should work.
Sunday, November 6, 2016

QoS studying

I have finally started to study QoS, and since I have zero experience in QoS I spent some time trying to find the best study material.
I got suggestions to study books such as End to End QoS and some others, which I didn't read because those books start deep-diving from the beginning. So what I did was search YouTube for videos, and I found the Jeremy Cioara video, which was very good; check the link.
I think the video is part of QoS for the CCVP certification, but it is definitely good for the CCIE R/S QoS part as well.


So let me list them:

Videos
A. Jeremy Cioara  [ CCVP QoS ]
B. Keith Bogart [ INE Introduction to QoS for CCIE R/S]

Books
INE WorkBook [ great labs ]

Websites

Cisco QoS websites
Networklessons.com

Finally Go Back to INE Videos by Brian Mcgahan


Searching for bits and pieces from here and there does the trick when you are starting with something new. QoS is very important in the CCIE R/S study and exam, and in real networks as well, because your network is always going to have some point of congestion and you need to resolve it with QoS.
Automating Network Configurations with Jinja2 and Python: A Step-by-Step Guide

 In this post, I worked on collecting a code that works with Jinja template. the nice thing in working with Jinja is that you can have basel...