First Hop Redundancy Protocols (FHRP)
HSRP, GLBP, VRRP
HSRP (Hot Standby Router Protocol): Provides redundancy by allowing one router to be active while others are standby.
Technical Tip: Always configure preempt so that a higher-priority router automatically becomes active again when it comes back online. Use authentication to prevent rogue routers from taking over as the active router.
Example:
standby 1 ip 10.1.25.22
standby 1 priority 200
standby 1 preempt
standby 1 authentication md5 key-string Cisco

GLBP (Gateway Load Balancing Protocol): Adds load balancing to FHRP by distributing traffic among multiple routers using virtual MAC addresses.
Technical Tip: Control the election of the Active Virtual Gateway (AVG) with the priority command, and use authentication for security.
Example:
glbp 1 ip 10.1.1.100
glbp 1 priority 255
glbp 1 authentication md5 key-string Cisco

VRRP (Virtual Router Redundancy Protocol): Similar to HSRP but an open standard. Allows routers to share a virtual IP.
Technical Tip: Use object tracking to monitor links, and preempt to automatically select the higher-priority router.
Example:
vrrp 1 ip 10.1.12.11
vrrp 1 priority 200
vrrp 1 preempt
vrrp 1 authentication md5 key-string Cisco

4.5.1.2 Redundancy using IPv6 RS/RA
Router Solicitation (RS) and Router Advertisement (RA) messages in IPv6 let hosts discover the on-link routers available as default gateways, providing gateway redundancy without a separate FHRP.
Technical Tip: Verify the RS/RA configuration used for IPv6 redundancy so that hosts do not keep forwarding to a router that can no longer reach the destination (a black hole).

4.5.2 Network Time Protocol (NTP)
Ensures synchronized time across the network devices.

4.5.2.1 Master, Client
Configure NTP to sync time from a master server to clients.
Technical Tip: Use authentication to prevent rogue NTP servers from affecting network time synchronization.

4.5.2.2 Authentication
Enable NTP authentication to validate the source of NTP updates.
Example:
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1
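The FHRP and NTP tips above both come down to "authentication (and preempt) must be present on every group". The following audit script is an added example, not part of the original notes or any Cisco tool: it parses a constructed IOS configuration and reports HSRP/VRRP/GLBP groups without authentication, HSRP/VRRP groups without preempt, and an NTP section whose authenticate / authentication-key / trusted-key trio is incomplete. The interface names and key values in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample IOS config (not from the original page): a hardened HSRP
# group, a VRRP group lacking authentication and preempt, and an NTP section
# that is missing `ntp trusted-key`.
SAMPLE_CONFIG = """\
interface Vlan25
 standby 1 ip 10.1.25.22
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication md5 key-string Cisco
interface Vlan12
 vrrp 1 ip 10.1.12.11
 vrrp 1 priority 200
ntp authenticate
ntp authentication-key 1 md5 cisco123
"""

FHRP_KEYWORDS = ("standby", "vrrp", "glbp")  # HSRP, VRRP, GLBP sub-commands

def audit_fhrp(config: str) -> list[str]:
    """Return findings for FHRP groups missing authentication or preempt."""
    # (interface, protocol, group-id) -> set of sub-command keywords seen
    groups = defaultdict(set)
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        parts = line.split()
        if iface and len(parts) >= 3 and parts[0] in FHRP_KEYWORDS and parts[1].isdigit():
            groups[(iface, parts[0], parts[1])].add(parts[2])
    findings = []
    for (iface, proto, gid), cmds in sorted(groups.items()):
        if "authentication" not in cmds:
            findings.append(f"{iface} {proto} {gid}: no authentication (rogue-router takeover risk)")
        # The notes call for preempt on HSRP and VRRP; GLBP is left to its own tip.
        if proto != "glbp" and "preempt" not in cmds:
            findings.append(f"{iface} {proto} {gid}: preempt not configured")
    return findings

def audit_ntp(config: str) -> list[str]:
    """Return a finding when the three-part NTP authentication setup is incomplete."""
    lines = {l.strip() for l in config.splitlines()}
    has_auth = "ntp authenticate" in lines
    has_key = any(l.startswith("ntp authentication-key ") for l in lines)
    has_trusted = any(l.startswith("ntp trusted-key ") for l in lines)
    if has_auth and has_key and has_trusted:
        return []
    return ["ntp: authentication incomplete (need authenticate, authentication-key and trusted-key)"]

if __name__ == "__main__":
    for finding in audit_fhrp(SAMPLE_CONFIG) + audit_ntp(SAMPLE_CONFIG):
        print(finding)
```

Run against `show running-config` output saved to a file to get the same report for a real device.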

DHCP on Cisco IOS
Client, Server, Relay
DHCP Relay: Relays DHCP requests from clients in one subnet to a DHCP server in another subnet.
Technical Tip: Use the ip helper-address command to configure the relay agent.
ip helper-address 192.168.1.1

Options
DHCP options provide additional parameters such as the default gateway and DNS server addresses.
Technical Tip: Configure the necessary DHCP options to ensure proper network configuration for clients.

SLAAC/DHCPv6 Interaction
In IPv6, SLAAC (Stateless Address Autoconfiguration) allows devices to configure their IP address automatically, while DHCPv6 assigns additional network parameters.
Technical Tip: Combine SLAAC and DHCPv6 for full IPv6 address and configuration management.

Stateful, Stateless DHCPv6
Stateful DHCPv6 assigns IP addresses and other configuration data, while stateless DHCPv6 only provides configuration data.
Technical Tip: Use stateful DHCPv6 when more control over IP addressing is needed, and stateless for simpler configurations.

DHCPv6 Prefix Delegation
Allows routers to request an IPv6 prefix from a service provider.
Technical Tip: Use prefix delegation to dynamically configure and distribute prefixes to downstream routers.

IPv4 Network Address Translation (NAT)
Static NAT, PAT
Static NAT provides a one-to-one mapping of internal IP addresses to external ones. PAT (Port Address Translation) maps many internal addresses to a single external address by using port numbers.
Technical Tip: Use static NAT for servers needing constant external access and PAT for regular clients.
ip nat inside source static 192.168.1.10 203.0.113.5
ip nat inside source list 1 interface serial 0 overload

Dynamic NAT, PAT
Dynamic NAT assigns external IPs from a pool, while PAT uses ports to map many internal IPs to one external address.
Technical Tip: Use dynamic NAT when multiple internal devices need to access the internet without fixed IPs.

Policy-Based NAT, PAT
Policy-based NAT translates traffic based on specific policies, such as source or destination.
Technical Tip: Use ACLs to control which traffic gets translated, and ensure proper route mappings exist for translated IPs.

VRF-Aware NAT, PAT
Enables NAT within Virtual Routing and Forwarding (VRF) instances, allowing different routing tables to use NAT separately.
Technical Tip: Use VRF-aware NAT when deploying NAT in multi-VRF environments.

IOS-XE VRF-Aware Software Infrastructure (VASI) NAT
Allows virtual routing tables to perform NAT, enabling segregation of NAT rules across VRF instances.

Key Technical Tips:
- Use object tracking with FHRPs like HSRP, VRRP, and GLBP to ensure seamless failover based on upstream link status.
- Configure NTP authentication to prevent time-sync vulnerabilities.
- Apply stateful DHCPv6 when full control over IP allocation is required and stateless for lighter configurations.
- For NAT, use PAT to conserve public IP addresses and policy-based NAT to selectively translate traffic based on policies.