Skip to main content

Posts

Showing posts with the label CCIE

BGP Soft Reconfiguration vs. Route Refresh: Key Differences and Best Practices

In BGP (Border Gateway Protocol), managing route updates and reapplying new policies can sometimes be challenging, especially if you want to avoid resetting the BGP session. Two methods allow you to update routing policies without tearing down the session: BGP Soft Reconfiguration and BGP Route Refresh . While both methods serve the same purpose, they work differently and have distinct impacts on your router's resources. This post explains the key differences between Soft Reconfiguration and Route Refresh , when to use each, and why Route Refresh is preferred in most modern networks. 1. What is BGP Soft Reconfiguration? BGP Soft Reconfiguration is an older method of applying new policies (like route maps, filters, or prefix lists) without resetting the BGP session. It works by storing a local copy of all the routes received from a BGP neighbor before applying inbound policies. This local route copy allows the router to reprocess the routes when a policy change occurs. How So...

AS Path Prepending: Controlling Inbound Traffic in BGP

AS Path Prepending is a BGP feature used to make a specific path appear less preferred by artificially lengthening the AS path. This is done by adding your AS number multiple times to the AS path. It is a common method to influence inbound traffic from external networks. Longer AS Path = Less preferred route . Example Scenario : You have two ISPs: ISP1 (through CE1) and ISP2 (through CE2). You want inbound traffic from the internet to prefer ISP1 over ISP2. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP2): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE2 (AS Path Prepending to Make ISP2 Less Preferred) : Create a route map to prepend your AS path multiple times for CE2: route-map PREPEND_AS permit 10 set as-path prepend 65001 65001 65001 Apply this route map to the neighbor in the BGP configuration for CE2: router bgp 65001 neighbor 10.0.2.1 remote-as 65002 neighbor 10.0.2.1 ro...

BGP MED: Managing Inbound Traffic with Multi-Exit Discriminator

The Multi-Exit Discriminator (MED) is used in BGP to control inbound traffic into your AS. It tells a neighboring AS which entry point into your network it should prefer when there are multiple links between your AS and the neighboring AS. The lower the MED value , the more preferred the path. MED is only honored between the same neighboring AS . Example Scenario : You are connected to ISP1 via two routers, CE1 and CE2 , and want to control which router ISP1 uses to send traffic into your AS. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP1): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE1 (Lower MED, More Preferred) : Create a route map to set the MED to 50 for CE1: route-map SET_MED permit 10 set metric 50 Apply this route map to the neighbor in the BGP configuration for CE1: router bgp 65001 neighbor 10.0.1.1 remote-as 65000 neighbor 10.0.1.1 route-map SET_MED out Configuratio...

BGP Local Preference Controlling Outbound Traffic in BGP

In BGP, Local Preference is used to control the outbound traffic path. It helps you decide which egress point (exit point) should be used when you have multiple connections to external networks, such as ISPs. Local Preference is an attribute that is local to your AS and is shared with all iBGP peers but not with eBGP neighbors. Higher Local Preference = More preferred outbound path. Example Scenario : You have two external links: ISP1 (via CE1) and ISP2 (via CE2). You want traffic to prefer ISP1 for all outbound traffic. Network Topology : CE1 (connected to ISP1): 10.0.1.1/30 CE2 (connected to ISP2): 10.0.2.1/30 iBGP Router (Internal) connected to both CE1 (10.0.1.2/30) and CE2 (10.0.2.2/30). Configuration on CE1 (Higher Local Preference) : Create a route map to set the local preference to 200 for routes learned from CE1: route-map SET_LOCAL_PREF permit 10 set local-preference 200 In the BGP configuration for CE1, apply this route map to the neighbor: router bgp 65001 ne...

OSPF Adjacency Stuck in EXSTART on Cisco IOS XR – Issue and Solution

In a recent lab setup using Cisco IOS XR on EVE-NG, I faced a common but frustrating issue with OSPF adjacencies getting stuck in the EXSTART state. After spending considerable time troubleshooting interface MTUs and configurations, I discovered that the root cause was related to the virtual network interface type being used. This post outlines the issue, troubleshooting steps, and the eventual solution that got everything working. Issue: While configuring OSPF between two routers running Cisco IOS XR in my lab, OSPF adjacencies were getting stuck in the EXSTART state. I verified that interface configurations, MTU settings, and OSPF parameters were correct, but the problem persisted. I tried adjusting the MTU size, using the mtu-ignore command, and even checked for ACLs, but nothing seemed to resolve the issue. Troubleshooting Steps: MTU Settings: I started by verifying that both sides of the OSPF adjacency had matching MTUs. I used the default MTU and even tried different values wit...

How to Properly Clone an EVE-NG Lab with Configurations

Cloning labs in EVE-NG is a great way to duplicate setups and expand or experiment on a new copy without affecting the original lab. However, if not done correctly, the cloned lab may only copy the topology without configurations. In this guide, I’ll show you how to properly clone a lab in EVE-NG with all configurations using the EVE-NG GUI . Follow these steps to ensure that both the topology and router configurations are retained when cloning your lab. Steps to Clone an EVE-NG Lab with Configurations Save Running Configuration on All Devices In your original lab, make sure all devices have their configurations saved to NVRAM. Go into the CLI of each router and run the command: copy running-config startup-config Export All Configurations (CFGs) On the left sidebar in the EVE-NG Web UI , click on the "More Actions" option. Then select "Export all CFGs" . This step exports the configurations of all devices in the lab. Shutdown All Devices After exporting the confi...

Basic MPLS BGP and L3VPN Lab Setup

In this lab, we’ve set up a basic MPLS, BGP, and L3VPN environment, which is a great foundation for understanding how service providers build scalable networks. The lab uses the EVE-NG simulator along with Router IOS C7200-ADVENTERPRISEK9-M, Version 15.2(4)M8 to emulate a realistic MPLS environment. Below is a summary of the key components and roles of each router in the lab. MPLS Core Routers : The MPLS core consists of the routers responsible for label switching and forwarding customer traffic through the network: PE1 (Provider Edge 1) : Connects customer networks to the MPLS core and handles both MPLS and BGP routing. It also hosts VRF (Virtual Routing and Forwarding) instances for customers. PE2 (Provider Edge 2) : Functions similarly to PE1, connecting another customer network to the MPLS core. P1 (Core Router 1) and P2 (Core Router 2) : These routers serve as MPLS core routers and handle label switching but do not store or process customer routes directly. They simply f...

BGP Path Attributes iBGP vs eBGP Explained

Here’s a breakdown of BGP attributes that are either considered by iBGP neighbors only or eBGP neighbors only , along with the attributes that apply to both, but may have different behaviors or implications depending on whether the neighbor is iBGP or eBGP. Attributes Considered by iBGP Neighbors Only : These attributes are shared within an AS but may not be propagated or considered by eBGP neighbors : Local Preference : Used by : iBGP Ignored by : eBGP Description : The Local Preference (Local Pref) attribute is used to influence outbound traffic within an AS. It is not sent to eBGP neighbors . An eBGP neighbor won’t see this attribute because it’s meant for internal path selection. Example : An iBGP router receiving an update with a higher Local Preference will prefer that path, but an eBGP neighbor will not receive or consider the Local Preference attribute. Next-Hop Behavior : Used by : iBGP Modified by : eBGP Description : When advertising routes to iBGP neighbors, the Next ...

Define BGP AFI and SAFI in Brief

 AFI (Address Family Identifier): AFI is a field in BGP that identifies the network layer protocol for which BGP is advertising routes. It specifies the type of addresses being advertised, such as IPv4 or IPv6. Examples of AFI values : 1 for IPv4 2 for IPv6 SAFI (Subsequent Address Family Identifier): SAFI is a field in BGP that provides more specific information about the type of NLRI (Network Layer Reachability Information) being advertised within the AFI. It defines how the addresses within the AFI should be treated, such as unicast, multicast, or VPN routes. Examples of SAFI values : 1 for Unicast 2 for Multicast 128 for MPLS-labeled VPN (VPNv4) In Brief: AFI tells which address family is being used (e.g., IPv4 or IPv6). SAFI tells how the routes in that address family should be interpreted (e.g., unicast, multicast, or VPN).

Why We Need to Explicitly Activate the address-family ipv4

Separation of Address Families in BGP : In modern versions of Cisco IOS, BGP is designed to support multiple address families beyond just IPv4. BGP can handle: IPv4 unicast (standard routing for IPv4 addresses) IPv6 unicast (for IPv6 routing) VPNv4 and VPNv6 (for MPLS Layer 3 VPNs) Multicast for IPv4 or IPv6 And other extensions like EVPN or MPLS VPN . The address-family command is used to tell BGP which specific type of routes you want to activate. By default, no address-family is active, so you need to manually specify which ones BGP should work with. Default BGP Behavior : In older Cisco IOS versions, BGP only supported IPv4 unicast by default, so this wasn't an issue. However, newer versions of IOS require explicit activation of the IPv4 unicast address family to avoid ambiguity and to support flexibility for other address families. Without the address-family ipv4 activation, even though you configure neighbors in BGP, no routes would be exchanged because BGP doesn...

Simplified OSPF TTL Security: A Key Layer of Network Protection

OSPF TTL Security is a feature used to enhance the security of OSPF routing by limiting the range of OSPF packets to prevent them from being spoofed by unauthorized devices that are not directly connected. It ensures that OSPF packets received by a router are from legitimate neighbors within a specific TTL (Time To Live) range. How OSPF TTL Security Works: TTL Field : Every IP packet has a TTL field, which is decremented by 1 at every hop. When the TTL reaches zero, the packet is discarded. Default TTL : By default, OSPF packets have a TTL value of 255 when sent from a router. TTL Check : In OSPF TTL Security, the receiving router checks the TTL value of incoming OSPF packets. If the TTL is less than the specified threshold, the packet is discarded. Security Mechanism : The TTL security feature is particularly useful in preventing OSPF adjacency formation with routers that are multiple hops away. It ensures that only direct...

Securing OSPF: Best Practices for Everyday Networks

When implementing OSPF in everyday networks, securing the protocol is a crucial step to ensure that only trusted routers participate in the routing domain. While OSPF offers robust capabilities, it can also be vulnerable to various threats if not properly secured. In this post, we'll dive into some of the most commonly used security mechanisms like OSPF authentication, TTL security, passive interfaces, and access control lists (ACLs). These best practices not only enhance network integrity but also protect against unauthorized access and routing attacks. Let’s explore how you can fortify your OSPF deployment. 1. OSPF Authentication (MD5 or HMAC-SHA): Why : Ensures that OSPF adjacencies are formed only with trusted devices and prevents unauthorized routers from injecting malicious routes. What’s Common : MD5 authentication is still widely used due to compatibility across devices. HMAC-SHA is gaining popularity as a stronger alternative for ...

OSPF Graceful Shutdown - Deep Dive

OSPF Graceful Shutdown is a feature that allows a router to gracefully withdraw from OSPF routing without causing disruptions or routing instability in the network. When an OSPF graceful shutdown is triggered, the router informs its OSPF neighbors that it is no longer participating in OSPF. This process involves the router setting its OSPF links to a state that indicates they are down and withdrawing its routes, but without causing network flapping or re-convergence issues. Key Points: Withdrawal of Routes : The router gracefully withdraws its OSPF routes from the routing table and stops sending updates to OSPF neighbors. Minimal Disruption : OSPF gracefully informs neighbors of the change, preventing sudden route drops or instability. Network Stability : Helps maintain stability during maintenance or shutdown, avoiding the need for a full re-convergence. Manual or Automatic : Can be triggered manually for planned maintenance or implemented automatically in certain cases. Configuratio...

Why Are OSPF Loopback Interfaces Always Advertised with a /32 Prefix?

In OSPF, loopback interfaces are always advertised with a /32 prefix , even if they are configured with a different subnet mask. Here's why: 1. Loopback Interfaces Represent Stable Endpoints: Loopback interfaces are virtual interfaces that are always up, meaning they are not tied to physical hardware that could go down. In OSPF, a /32 prefix for loopback addresses indicates that it represents a specific IP address rather than a range of addresses. The /32 effectively identifies the loopback as a single stable endpoint , making it ideal for purposes like routing protocol identification and management IPs. 2. Used for Router ID: In OSPF, the Router ID is typically chosen based on the highest IP address of loopback interfaces, because loopback interfaces are always up and reliable. By advertising it with a /32 prefix , OSPF ensures that the loopback interface represents a single unique identifier, rather than a network of IPs, which is ideal for selecting the Router ID . 3. Sta...

Understanding OSPF Area Types: Stub, NSSA, Totally Stubby, and Totally NSSA

When designing an OSPF network, understanding the various area types plays a crucial role in optimizing routing efficiency and controlling the size of the routing table. OSPF areas such as Stub, NSSA (Not-So-Stubby Area), and their Cisco proprietary counterparts, Totally Stubby and Totally NSSA, each serve specific purposes in different network scenarios. These area types help reduce the amount of routing information shared within an area while controlling the advertisement of external and inter-area routes. In this post, we will explore the characteristics, use cases, and default route advertisement behavior of these OSPF areas, providing insight into how they can improve network performance and scalability. OSPF Area Type Allowed LSAs Disallowed LSAs Use Cases Key Characteristics Default Route Injection Stub Area Type 1 (Router), Type 2 (Network), Type 3 (Summary) Type 4 (ASBR Summary), Type ...

Why Does OSPF Use Master/Slave Roles During Neighbor Synchronization?

The election of Master/Slave roles in OSPF is specifically related to the process of Database Description (DD) packet exchange during the ExStart and Exchange states. It ensures orderly and synchronized communication between OSPF neighbors. While both routers eventually synchronize their LSAs, the Master/Slave mechanism is needed to coordinate how the DD packets are exchanged. Here’s why the Master/Slave roles are important in this context: 1. Control of Database Description (DD) Packet Exchange : In OSPF, DD packets are used to describe the contents of a router’s Link-State Database (LSDB) during the initial synchronization phase. The Master/Slave roles ensure who sends the first DD packet and controls the flow of packets. The Master always initiates the sending of DD packets, while the Slave responds to them. Without this mechanism, both routers might send DD packets simultaneously, leading to collisions and confusion in the synchronization process. 2. Ensures Orderly Communi...