Skip to main content

Posts

Showing posts from September, 2024

BGP Soft Reconfiguration vs. Route Refresh: Key Differences and Best Practices

In BGP (Border Gateway Protocol), managing route updates and reapplying new policies can sometimes be challenging, especially if you want to avoid resetting the BGP session. Two methods allow you to update routing policies without tearing down the session: BGP Soft Reconfiguration and BGP Route Refresh . While both methods serve the same purpose, they work differently and have distinct impacts on your router's resources. This post explains the key differences between Soft Reconfiguration and Route Refresh , when to use each, and why Route Refresh is preferred in most modern networks. 1. What is BGP Soft Reconfiguration? BGP Soft Reconfiguration is an older method of applying new policies (like route maps, filters, or prefix lists) without resetting the BGP session. It works by storing a local copy of all the routes received from a BGP neighbor before applying inbound policies. This local route copy allows the router to reprocess the routes when a policy change occurs. How So...

AS Path Prepending: Controlling Inbound Traffic in BGP

AS Path Prepending is a BGP feature used to make a specific path appear less preferred by artificially lengthening the AS path. This is done by adding your AS number multiple times to the AS path. It is a common method to influence inbound traffic from external networks. Longer AS Path = Less preferred route . Example Scenario : You have two ISPs: ISP1 (through CE1) and ISP2 (through CE2). You want inbound traffic from the internet to prefer ISP1 over ISP2. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP2): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE2 (AS Path Prepending to Make ISP2 Less Preferred) : Create a route map to prepend your AS path multiple times for CE2: route-map PREPEND_AS permit 10 set as-path prepend 65001 65001 65001 Apply this route map to the neighbor in the BGP configuration for CE2: router bgp 65001 neighbor 10.0.2.1 remote-as 65002 neighbor 10.0.2.1 ro...

BGP MED: Managing Inbound Traffic with Multi-Exit Discriminator

The Multi-Exit Discriminator (MED) is used in BGP to control inbound traffic into your AS. It tells a neighboring AS which entry point into your network it should prefer when there are multiple links between your AS and the neighboring AS. The lower the MED value , the more preferred the path. MED is only honored between the same neighboring AS . Example Scenario : You are connected to ISP1 via two routers, CE1 and CE2 , and want to control which router ISP1 uses to send traffic into your AS. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP1): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE1 (Lower MED, More Preferred) : Create a route map to set the MED to 50 for CE1: route-map SET_MED permit 10 set metric 50 Apply this route map to the neighbor in the BGP configuration for CE1: router bgp 65001 neighbor 10.0.1.1 remote-as 65000 neighbor 10.0.1.1 route-map SET_MED out Configuratio...

BGP Local Preference Controlling Outbound Traffic in BGP

In BGP, Local Preference is used to control the outbound traffic path. It helps you decide which egress point (exit point) should be used when you have multiple connections to external networks, such as ISPs. Local Preference is an attribute that is local to your AS and is shared with all iBGP peers but not with eBGP neighbors. Higher Local Preference = More preferred outbound path. Example Scenario : You have two external links: ISP1 (via CE1) and ISP2 (via CE2). You want traffic to prefer ISP1 for all outbound traffic. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP2): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE1 (Higher Local Preference) : Create a route map to set the local preference to 200 for routes learned from CE1: route-map SET_LOCAL_PREF permit 10 set local-preference 200 In the BGP configuration for CE1, apply this route map to the neighbor: router bgp 65001 ne...

Authoritative DNS Servers Delegation and Internal DNS Explained

DNS (Domain Name System) plays a critical role in how users and systems find resources on the internet or within internal networks. Whether it's managing an internal domain in an enterprise or delegating parts of a domain for traffic distribution, DNS setups vary widely depending on needs. In this blog post, we’ll break down the different types of DNS setups, including authoritative DNS servers, DNS delegation, and how internal DNS functions within organizations. 1. Authoritative DNS Server An Authoritative DNS server is the final source of truth for a specific domain. When someone queries a domain (e.g., example.com ), the authoritative DNS server for that domain holds the DNS records (A records, CNAME, MX, etc.) and responds with the corresponding IP address. Key Points: Who can host it? Authoritative DNS servers are often hosted by domain registrars (e.g., GoDaddy, Namecheap) or cloud DNS providers (e.g., AWS Route 53, Cloudflare). However, organizations can also host their ...

Understanding SRV vs NS Records in DNS

DNS (Domain Name System) is a crucial part of how the internet works, converting domain names into IP addresses and directing traffic. Within DNS, different types of records serve specific functions. Two key types are SRV (Service Records) and NS (Name Server Records) . SRV (Service) Records SRV records are used to define the location of specific services. These records are crucial when multiple servers can provide the same service (e.g., VoIP, messaging) and a specific server needs to be selected. They contain the following components: Service & Protocol : Defines the service (e.g., _sip , _xmpp ) and protocol ( _tcp , _udp ). Priority & Weight : Direct traffic to the most preferred server. Port & Target : Specify the server's port and hostname. Example: _sip._tcp.example.com SRV 10 60 5060 sipserver.example.com NS (Name Server) Records NS records delegate the authority for a domain to specific name servers. These name servers are responsible for answering DNS queries...

Different Types of IP Addresses in F5 BIG-IP

In F5 BIG-IP systems, various types of IP addresses are used, each serving a distinct role in managing traffic, routing, and device configuration. Understanding the difference between these IP types is crucial for network engineers and system administrators. Let's break down the different types of IP addresses in F5 and how they are used. 1. Self IP A Self IP is an IP address assigned to the F5 device that represents a VLAN or subnet. It enables the BIG-IP system to communicate with other devices within the same network segment. Unlike a Virtual Server IP (VIP), users or clients do not interact directly with Self IPs. Use Cases : Communication between F5 and backend servers, routers, or other F5 devices. Routing traffic within a VLAN or across multiple VLANs. SNAT (Source NAT) and clustering of F5 devices. Example : If your network uses the subnet 192.168.10.0/24 , a Self IP like 192.168.10.10 would allow the F5 to route traffic and interact with other devices in that subnet. 2. ...

ADC vs Load Balancer Key Differences Explained

The key difference between a Load Balancing Service and an Application Delivery Controller (ADC) lies in their scope of functionality: 1. Load Balancing Service : Primary Purpose : Distributes network or application traffic across multiple servers to ensure no single server becomes overwhelmed, thus improving reliability and availability. Functionality : Focuses mainly on balancing traffic using algorithms like round-robin, least connections, or IP hash. Example Features : Layer 4 (Transport Layer) or Layer 7 (Application Layer) load balancing. Simple traffic management and server health checks. 2. Application Delivery Controller (ADC) : Primary Purpose : Provides advanced traffic management, security, optimization, and acceleration services in addition to load balancing. Functionality : ADCs not only load balance but also handle application security, SSL offloading, traffic optimization, and monitoring to enhance application performance and security. Example Features : Load balancin...

OSPF Adjacency Stuck in EXSTART on Cisco IOS XR – Issue and Solution

In a recent lab setup using Cisco IOS XR on EVE-NG, I faced a common but frustrating issue with OSPF adjacencies getting stuck in the EXSTART state. After spending considerable time troubleshooting interface MTUs and configurations, I discovered that the root cause was related to the virtual network interface type being used. This post outlines the issue, troubleshooting steps, and the eventual solution that got everything working. Issue: While configuring OSPF between two routers running Cisco IOS XR in my lab, OSPF adjacencies were getting stuck in the EXSTART state. I verified that interface configurations, MTU settings, and OSPF parameters were correct, but the problem persisted. I tried adjusting the MTU size, using the mtu-ignore command, and even checked for ACLs, but nothing seemed to resolve the issue. Troubleshooting Steps: MTU Settings: I started by verifying that both sides of the OSPF adjacency had matching MTUs. I used the default MTU and even tried different values wit...

How to Properly Clone an EVE-NG Lab with Configurations

Cloning labs in EVE-NG is a great way to duplicate setups and expand or experiment on a new copy without affecting the original lab. However, if not done correctly, the cloned lab may only copy the topology without configurations. In this guide, I’ll show you how to properly clone a lab in EVE-NG with all configurations using the EVE-NG GUI . Follow these steps to ensure that both the topology and router configurations are retained when cloning your lab. Steps to Clone an EVE-NG Lab with Configurations Save Running Configuration on All Devices In your original lab, make sure all devices have their configurations saved to NVRAM. Go into the CLI of each router and run the command: copy running-config startup-config Export All Configurations (CFGs) On the left sidebar in the EVE-NG Web UI , click on the "More Actions" option. Then select "Export all CFGs" . This step exports the configurations of all devices in the lab. Shutdown All Devices After exporting the confi...

Basic MPLS BGP and L3VPN Lab Setup

In this lab, we’ve set up a basic MPLS, BGP, and L3VPN environment, which is a great foundation for understanding how service providers build scalable networks. The lab uses the EVE-NG simulator along with Router IOS C7200-ADVENTERPRISEK9-M, Version 15.2(4)M8 to emulate a realistic MPLS environment. Below is a summary of the key components and roles of each router in the lab. MPLS Core Routers : The MPLS core consists of the routers responsible for label switching and forwarding customer traffic through the network: PE1 (Provider Edge 1) : Connects customer networks to the MPLS core and handles both MPLS and BGP routing. It also hosts VRF (Virtual Routing and Forwarding) instances for customers. PE2 (Provider Edge 2) : Functions similarly to PE1, connecting another customer network to the MPLS core. P1 (Core Router 1) and P2 (Core Router 2) : These routers serve as MPLS core routers and handle label switching but do not store or process customer routes directly. They simply f...

BGP Path Attributes iBGP vs eBGP Explained

Here’s a breakdown of BGP attributes that are either considered by iBGP neighbors only or eBGP neighbors only , along with the attributes that apply to both, but may have different behaviors or implications depending on whether the neighbor is iBGP or eBGP. Attributes Considered by iBGP Neighbors Only : These attributes are shared within an AS but may not be propagated or considered by eBGP neighbors : Local Preference : Used by : iBGP Ignored by : eBGP Description : The Local Preference (Local Pref) attribute is used to influence outbound traffic within an AS. It is not sent to eBGP neighbors . An eBGP neighbor won’t see this attribute because it’s meant for internal path selection. Example : An iBGP router receiving an update with a higher Local Preference will prefer that path, but an eBGP neighbor will not receive or consider the Local Preference attribute. Next-Hop Behavior : Used by : iBGP Modified by : eBGP Description : When advertising routes to iBGP neighbors, the Next ...

Define BGP AFI and SAFI in Brief

 AFI (Address Family Identifier): AFI is a field in BGP that identifies the network layer protocol for which BGP is advertising routes. It specifies the type of addresses being advertised, such as IPv4 or IPv6. Examples of AFI values : 1 for IPv4 2 for IPv6 SAFI (Subsequent Address Family Identifier): SAFI is a field in BGP that provides more specific information about the type of NLRI (Network Layer Reachability Information) being advertised within the AFI. It defines how the addresses within the AFI should be treated, such as unicast, multicast, or VPN routes. Examples of SAFI values : 1 for Unicast 2 for Multicast 128 for MPLS-labeled VPN (VPNv4) In Brief: AFI tells which address family is being used (e.g., IPv4 or IPv6). SAFI tells how the routes in that address family should be interpreted (e.g., unicast, multicast, or VPN).

Why We Need to Explicitly Activate the address-family ipv4

Separation of Address Families in BGP : In modern versions of Cisco IOS, BGP is designed to support multiple address families beyond just IPv4. BGP can handle: IPv4 unicast (standard routing for IPv4 addresses) IPv6 unicast (for IPv6 routing) VPNv4 and VPNv6 (for MPLS Layer 3 VPNs) Multicast for IPv4 or IPv6 And other extensions like EVPN or MPLS VPN . The address-family command is used to tell BGP which specific type of routes you want to activate. By default, no address-family is active, so you need to manually specify which ones BGP should work with. Default BGP Behavior : In older Cisco IOS versions, BGP only supported IPv4 unicast by default, so this wasn't an issue. However, newer versions of IOS require explicit activation of the IPv4 unicast address family to avoid ambiguity and to support flexibility for other address families. Without the address-family ipv4 activation, even though you configure neighbors in BGP, no routes would be exchanged because BGP doesn...

Simplified OSPF TTL Security: A Key Layer of Network Protection

OSPF TTL Security is a feature used to enhance the security of OSPF routing by limiting the range of OSPF packets to prevent them from being spoofed by unauthorized devices that are not directly connected. It ensures that OSPF packets received by a router are from legitimate neighbors within a specific TTL (Time To Live) range. How OSPF TTL Security Works: TTL Field : Every IP packet has a TTL field, which is decremented by 1 at every hop. When the TTL reaches zero, the packet is discarded. Default TTL : By default, OSPF packets have a TTL value of 255 when sent from a router. TTL Check : In OSPF TTL Security, the receiving router checks the TTL value of incoming OSPF packets. If the TTL is less than the specified threshold, the packet is discarded. Security Mechanism : The TTL security feature is particularly useful in preventing OSPF adjacency formation with routers that are multiple hops away. It ensures that only direct...

Securing OSPF: Best Practices for Everyday Networks

When implementing OSPF in everyday networks, securing the protocol is a crucial step to ensure that only trusted routers participate in the routing domain. While OSPF offers robust capabilities, it can also be vulnerable to various threats if not properly secured. In this post, we'll dive into some of the most commonly used security mechanisms like OSPF authentication, TTL security, passive interfaces, and access control lists (ACLs). These best practices not only enhance network integrity but also protect against unauthorized access and routing attacks. Let’s explore how you can fortify your OSPF deployment. 1. OSPF Authentication (MD5 or HMAC-SHA): Why : Ensures that OSPF adjacencies are formed only with trusted devices and prevents unauthorized routers from injecting malicious routes. What’s Common : MD5 authentication is still widely used due to compatibility across devices. HMAC-SHA is gaining popularity as a stronger alternative for ...

OSPF Graceful Shutdown - Deep Dive

OSPF Graceful Shutdown is a feature that allows a router to gracefully withdraw from OSPF routing without causing disruptions or routing instability in the network. When an OSPF graceful shutdown is triggered, the router informs its OSPF neighbors that it is no longer participating in OSPF. This process involves the router setting its OSPF links to a state that indicates they are down and withdrawing its routes, but without causing network flapping or re-convergence issues. Key Points: Withdrawal of Routes : The router gracefully withdraws its OSPF routes from the routing table and stops sending updates to OSPF neighbors. Minimal Disruption : OSPF gracefully informs neighbors of the change, preventing sudden route drops or instability. Network Stability : Helps maintain stability during maintenance or shutdown, avoiding the need for a full re-convergence. Manual or Automatic : Can be triggered manually for planned maintenance or implemented automatically in certain cases. Configuratio...

Why Are OSPF Loopback Interfaces Always Advertised with a /32 Prefix?

In OSPF, loopback interfaces are always advertised with a /32 prefix , even if they are configured with a different subnet mask. Here's why: 1. Loopback Interfaces Represent Stable Endpoints: Loopback interfaces are virtual interfaces that are always up, meaning they are not tied to physical hardware that could go down. In OSPF, a /32 prefix for loopback addresses indicates that it represents a specific IP address rather than a range of addresses. The /32 effectively identifies the loopback as a single stable endpoint , making it ideal for purposes like routing protocol identification and management IPs. 2. Used for Router ID: In OSPF, the Router ID is typically chosen based on the highest IP address of loopback interfaces, because loopback interfaces are always up and reliable. By advertising it with a /32 prefix , OSPF ensures that the loopback interface represents a single unique identifier, rather than a network of IPs, which is ideal for selecting the Router ID . 3. Sta...

Understanding OSPF Area Types: Stub, NSSA, Totally Stubby, and Totally NSSA

When designing an OSPF network, understanding the various area types plays a crucial role in optimizing routing efficiency and controlling the size of the routing table. OSPF areas such as Stub, NSSA (Not-So-Stubby Area), and their Cisco proprietary counterparts, Totally Stubby and Totally NSSA, each serve specific purposes in different network scenarios. These area types help reduce the amount of routing information shared within an area while controlling the advertisement of external and inter-area routes. In this post, we will explore the characteristics, use cases, and default route advertisement behavior of these OSPF areas, providing insight into how they can improve network performance and scalability. OSPF Area Type Allowed LSAs Disallowed LSAs Use Cases Key Characteristics Default Route Injection Stub Area Type 1 (Router), Type 2 (Network), Type 3 (Summary) Type 4 (ASBR Summary), Type ...