
Posts

Showing posts with the label CCNA

OSPF Adjacency Stuck in EXSTART on Cisco IOS XR – Issue and Solution

In a recent lab setup using Cisco IOS XR on EVE-NG, I faced a common but frustrating issue with OSPF adjacencies getting stuck in the EXSTART state. After spending considerable time troubleshooting interface MTUs and configurations, I discovered that the root cause was related to the virtual network interface type being used. This post outlines the issue, troubleshooting steps, and the eventual solution that got everything working. Issue: While configuring OSPF between two routers running Cisco IOS XR in my lab, OSPF adjacencies were getting stuck in the EXSTART state. I verified that interface configurations, MTU settings, and OSPF parameters were correct, but the problem persisted. I tried adjusting the MTU size, using the mtu-ignore command, and even checked for ACLs, but nothing seemed to resolve the issue. Troubleshooting Steps: MTU Settings: I started by verifying that both sides of the OSPF adjacency had matching MTUs. I used the default MTU and even tried different values wit

How to Properly Clone an EVE-NG Lab with Configurations

Cloning labs in EVE-NG is a great way to duplicate setups and expand or experiment on a new copy without affecting the original lab. However, if not done correctly, the cloned lab may only copy the topology without configurations. In this guide, I’ll show you how to properly clone a lab in EVE-NG with all configurations using the EVE-NG GUI . Follow these steps to ensure that both the topology and router configurations are retained when cloning your lab. Steps to Clone an EVE-NG Lab with Configurations Save Running Configuration on All Devices In your original lab, make sure all devices have their configurations saved to NVRAM. Go into the CLI of each router and run the command: copy running-config startup-config Export All Configurations (CFGs) On the left sidebar in the EVE-NG Web UI , click on the "More Actions" option. Then select "Export all CFGs" . This step exports the configurations of all devices in the lab. Shutdown All Devices After exporting the confi

Does OSPF Discard Routes During DR Re-election?

No, routers do not discard all IP routes learned through OSPF during a DR re-election. The OSPF process is designed to handle DR re-election smoothly without disrupting the entire network's routing table. Here’s what happens during the process: OSPF Neighbor Relationships : When a DR re-election occurs, only the OSPF neighbor relationships with the DR and Backup Designated Router (BDR) are affected. Other routers maintain their adjacencies and routing information. Routing Table Retained : The OSPF routing table remains intact during a DR re-election. Routes learned via OSPF, which have already been installed in the routing table, are not discarded unless a topology change affects them (e.g., a failure or a new LSA indicating a different path). LSA Synchronization : The newly elected DR (or BDR) will synchronize LSAs with its neighbors. The OSPF database is re-synchronized, but this does not mean routes are discarded. The synchronization ensures that all routers on the network segme

Recursive Routing Simplified definition

The term recursive in the context of recursive static routes refers to the process where the router has to resolve the next-hop IP address by performing multiple lookups in its routing table. Here’s how it works: When a router receives a packet destined for a particular network (e.g., 10.22.22.0/24), it checks its static route configuration. In the case of a recursive static route, the route specifies a next-hop IP address (e.g., 192.168.1.1) rather than an interface. The router then needs to look up where that next-hop IP address (192.168.1.1) is located in its routing table to find the outgoing interface . If the next-hop IP itself requires further resolution (e.g., through another lookup to figure out its outgoing interface), the router has to perform recursive lookups until it resolves the final interface. In simple terms, recursive means the router must go through multiple steps or lookups (like peeling back layers) to finally determine how to forward the packet.
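To make the "peeling back layers" idea concrete, here is an added example (not code from the original post) that performs the recursive lookups by hand over a small constructed routing table. The 10.22.22.0/24 via 192.168.1.1 route from the text is kept; the other prefixes, next hops and interface names are assumptions for the illustration, and the loop-detection case is a route whose next hop can only be reached through itself, which a real router would refuse to install.

```python
"""Recursive next-hop resolution over a small routing table.

Added example (not from the original post). The table entries, addresses and
interface names are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> (next_hop_ip or None, interface or None).
# A route with an interface is directly resolvable; a route with only a
# next-hop IP is recursive and must be looked up again.
ROUTING_TABLE = {
    ip_network("10.22.22.0/24"): ("192.168.1.1", None),        # recursive static
    ip_network("192.168.1.0/24"): ("172.16.0.2", None),        # itself recursive
    ip_network("172.16.0.0/30"): (None, "GigabitEthernet0/1"),  # connected
    ip_network("0.0.0.0/0"): ("203.0.113.1", None),            # default, recursive
    ip_network("203.0.113.0/24"): (None, "GigabitEthernet0/0"),  # connected
    ip_network("10.99.0.0/16"): ("10.99.1.1", None),           # next hop inside itself
}


def longest_match(dst, table):
    """Return (prefix, entry) of the most specific route covering dst, or None."""
    dst = ip_address(dst)
    candidates = [(p, e) for p, e in table.items() if dst in p]
    if not candidates:
        return None
    return max(candidates, key=lambda pe: pe[0].prefixlen)


def resolve(dst, table, max_depth=8):
    """Resolve dst to (outgoing interface, adjacent next hop, lookup trail).

    Each iteration is one routing-table lookup; the chain ends at a route that
    names an outgoing interface. Raises LookupError when nothing matches, when
    the chain revisits a prefix (a recursion loop), or when it runs past
    max_depth.
    """
    trail = []
    target = dst
    seen = set()
    for _ in range(max_depth):
        match = longest_match(target, table)
        if match is None:
            raise LookupError(f"no route to {target}")
        prefix, (next_hop, iface) = match
        trail.append((str(prefix), next_hop, iface))
        if iface is not None:
            # The address we were resolving is the neighbour to ARP for.
            adjacent = next_hop if next_hop else target
            return iface, adjacent, trail
        if prefix in seen:
            raise LookupError(f"recursion loop via {prefix}")
        seen.add(prefix)
        target = next_hop
    raise LookupError("recursion depth exceeded")


if __name__ == "__main__":
    iface, adjacent, trail = resolve("10.22.22.5", ROUTING_TABLE)
    print(f"forward via {iface} to {adjacent} after {len(trail)} lookups")
```

Resolving 10.22.22.5 takes three lookups (10.22.22.0/24, then 192.168.1.0/24, then the connected 172.16.0.0/30), and the address the router actually ARPs for is 172.16.0.2, not the 192.168.1.1 written in the static route.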

How Does Traceroute Work Differently on Windows, Unix, and Network Devices?

Traceroute is a network diagnostic tool used to trace the path packets take from a source to a destination. It works by sending probes with incrementally increasing Time-To-Live (TTL) values and collecting the responses from the routers along the way, which lets the user identify each hop the packets pass through. Here’s how it works on different platforms: Windows (ICMP-Based Traceroute) : Protocol : Uses ICMP at Layer 3 (the tracert command). How It Works : Windows sends ICMP Echo Request packets with increasing TTL values. When a router receives a packet with a TTL of 1, it decrements it to 0, drops the packet, and returns an ICMP Time Exceeded message (type 11, code 0) to the source. Each hop responds with this message, allowing traceroute to record the routers. Final Step : When the probe reaches the destination, the destination answers with an ICMP Echo Reply rather than a Port Unreachable message, because the probe is a plain Layer 3 echo and carries no transport-layer port that could be rejected. Unix-Based Systems (UDP-Based Traceroute) : Protocol : Uses UDP at Layer 4. How It Works : Unix-based syste

How Does Traceroute Work: A Step-by-Step Breakdown

Traceroute is a network diagnostic tool used to track the path packets take from a source device to a destination across an IP network, helping identify routing paths and any potential delays or failures. Here’s how traceroute works: ICMP and TTL (Time-To-Live) : Traceroute sends its first probe with a TTL value of 1. The first router the probe encounters decrements the TTL by 1, causing it to reach zero. When the TTL hits zero, the router discards the packet and sends an ICMP Time Exceeded ("TTL expired in transit") message back to the source. This lets the source record the IP address of the responding router as the first hop on the path. Incrementing TTL : Traceroute then increases the TTL by 1 for each subsequent probe. The first router now forwards the packet on to the second router, where the TTL expires, and that router in turn sends a Time Exceeded message back to the source. The process repeats, each time documenting the responding
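The two traceroute posts above describe the same exchange from the probe's point of view; here is an added example (not code from either post) that simulates it for both probe styles so the difference in the final reply is visible. No packets are sent: the router path, destination address, probe ports and the set of "open" UDP ports are constructed for the illustration, and the ICMP type/code pairs are the standard ones (11/0 Time Exceeded, 0/0 Echo Reply, 3/3 Port Unreachable).

```python
"""Simulated traceroute exchange: ICMP-style (Windows tracert) and UDP-style
(Unix traceroute) probes walking the same path.

Added example, not from the original posts. The path, addresses and probe
ports are constructed; nothing is transmitted.
"""
from dataclasses import dataclass

# Constructed path: each router is identified by the address it answers from.
PATH = ["10.0.0.1", "10.0.1.1", "198.51.100.1"]
DESTINATION = "203.0.113.10"
OPEN_UDP_PORTS = {53}  # constructed: the destination listens on DNS only


@dataclass
class Probe:
    ttl: int
    proto: str          # "icmp" (Echo Request) or "udp"
    dport: int = 0      # UDP destination port (unused for icmp)


def forward(probe, path, destination, open_ports=OPEN_UDP_PORTS):
    """Walk the probe hop by hop and return (responder_ip, icmp_reply).

    Each router decrements the TTL; when it reaches 0 the router drops the
    probe and answers with ICMP Time Exceeded (type 11, code 0). If the probe
    survives to the destination, the reply depends on the probe type: an Echo
    Request is answered with an Echo Reply (type 0); a UDP probe to a closed
    port yields ICMP Port Unreachable (type 3, code 3); a UDP probe to an open
    port gets no ICMP reply at all (shown as '*' in real output).
    """
    ttl = probe.ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            return router, (11, 0)
    if probe.proto == "icmp":
        return destination, (0, 0)
    if probe.dport in open_ports:
        return destination, None
    return destination, (3, 3)


def traceroute(proto, path=PATH, destination=DESTINATION,
               max_hops=30, base_port=33434):
    """Return a list of (ttl, responder, reply) tuples up to the destination.

    UDP probes use the traditional port range starting at 33434 and increment
    the port per probe, which is why the destination almost always answers
    with Port Unreachable instead of silently consuming the datagram.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = base_port + ttl - 1 if proto == "udp" else 0
        responder, reply = forward(Probe(ttl, proto, dport), path, destination)
        hops.append((ttl, responder, reply))
        if responder == destination:
            break
    return hops


if __name__ == "__main__":
    for proto in ("icmp", "udp"):
        print(proto)
        for ttl, responder, reply in traceroute(proto):
            print(f"  {ttl:2d}  {responder:15s}  {reply}")
```

Both runs list the same three routers with Time Exceeded replies; only the fourth line differs (Echo Reply for the ICMP probe, Port Unreachable for the UDP probe), which is exactly the platform difference the text describes.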

Difference Between VLSM and CIDR

  VLSM (Variable Length Subnet Mask) and CIDR (Classless Inter-Domain Routing) are both techniques for efficient IP address allocation, but they serve different purposes: VLSM (Variable Length Subnet Mask) : VLSM allows different subnets within the same network to use different subnet masks, making it possible to allocate IP addresses more efficiently based on need (i.e., smaller subnets for smaller networks, larger subnets for larger ones). Used mainly within internal networks (intra-domain) to maximize the usage of available IP space. Requires routers that support classless routing protocols (e.g., OSPF, EIGRP, or RIPv2). CIDR (Classless Inter-Domain Routing) : CIDR is a method of assigning IP addresses without adhering to the traditional class-based system (A, B, C), allowing for more flexible and hierarchical IP address allocation. CIDR is primarily used for routing between networks (inter-domain), particularly on the Internet, to reduce routing table sizes and prevent IP exhaust

Understanding Classful vs. Classless Routing: Key Differences Explained

 Classful Routing: Classful routing refers to a method where routing decisions are made based on the fixed subnet mask of IP address classes (A, B, C). It doesn’t transmit subnet mask information in routing updates, assuming default subnet masks based on IP address class. This approach was commonly used in older protocols like RIPv1 and IGRP . Key Characteristics : No subnet information is shared between routers. IP addresses are divided strictly into classes (A, B, C, etc.). It doesn’t support Variable Length Subnet Masking (VLSM). Less efficient use of IP address space due to fixed class boundaries. Example : If a router sees an IP address in the range 192.168.1.0 , it assumes the default subnet mask of /24 (255.255.255.0), as per Class C rules. Classless Routing: Classless routing allows for the use of Variable Length Subnet Masking (VLSM) and sends routing updates with subnet mask information. This allows for more flexible and efficient use of IP address space. Classless routing
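The VLSM/CIDR and classful/classless posts above are easier to see side by side in code. This added example (not from either post) infers the mask a classful router would assume from the first octet, carves a block into variable-length subnets from a list of host counts, and summarizes contiguous prefixes into one CIDR aggregate, using only the standard library. The 192.168.1.0/24 block, the host counts and the prefixes being summarized are constructed for the illustration.

```python
"""Classful mask inference versus classless (VLSM/CIDR) allocation and
summarization, using only the standard library.

Added example, not from the original posts. The block, host counts and
prefixes are constructed.
"""
from ipaddress import ip_address, ip_network, collapse_addresses


def classful_prefix(addr):
    """Return the prefix length a classful router assumes for addr (A/B/C)."""
    first = ip_address(addr).packed[0]
    if first < 128:
        return 8      # Class A: 0.0.0.0 - 127.255.255.255
    if first < 192:
        return 16     # Class B: 128.0.0.0 - 191.255.255.255
    if first < 224:
        return 24     # Class C: 192.0.0.0 - 223.255.255.255
    raise ValueError("class D/E addresses are not classful host ranges")


def vlsm_allocate(block, host_counts):
    """Carve block into the smallest subnets that satisfy each host count.

    Requests are served largest first so that subnets stay aligned; each
    subnet leaves room for its network and broadcast addresses. Returns a
    list of (hosts_requested, subnet). Raises ValueError when space runs out.
    """
    free = [ip_network(block)]
    allocations = []
    for hosts in sorted(host_counts, reverse=True):
        need = hosts + 2
        prefixlen = 32
        while 2 ** (32 - prefixlen) < need:
            prefixlen -= 1
        # Smallest free fragment first, so large fragments are preserved.
        free.sort(key=lambda n: (n.prefixlen, n), reverse=True)
        for i, frag in enumerate(free):
            if frag.prefixlen <= prefixlen:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no space left for {hosts} hosts")
        # Split off the subnet and return the remainder to the free list.
        subnets = list(chosen.subnets(new_prefix=prefixlen))
        allocations.append((hosts, subnets[0]))
        free.extend(subnets[1:])
    return allocations


def cidr_summarize(prefixes):
    """Aggregate contiguous prefixes into the fewest CIDR blocks (route
    summarization, the inter-domain side of the classless story)."""
    return [str(n) for n in collapse_addresses(ip_network(p) for p in prefixes)]


if __name__ == "__main__":
    for hosts, net in vlsm_allocate("192.168.1.0/24", [100, 50, 20, 2]):
        print(f"{hosts:4d} hosts -> {net}  (classful router would assume /"
              f"{classful_prefix(net.network_address)})")
    print(cidr_summarize(["192.168.0.0/24", "192.168.1.0/24",
                          "192.168.2.0/24", "192.168.3.0/24"]))
```

The four requests come back as /25, /26, /27 and /30 subnets of the same Class C block. A classful protocol such as RIPv1 could only advertise 192.168.1.0/24 for all of them, which is why VLSM requires a classless protocol; the summarization call shows the complementary CIDR operation of collapsing four /24s into one /22.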

MST - Best Practices for Core and Access Switch Configurations

In this post, we will configure Multiple Spanning Tree (MST) , a protocol designed to optimize spanning tree instances by mapping multiple VLANs to fewer instances. This reduces overhead on network devices, enhances scalability, and speeds up convergence. We'll configure MST on both core/root switches and access switches , ensuring that only the required VLANs are active on each switch. The configuration will focus on assigning VLANs to specific MST instances, defining root priorities, and controlling VLAN availability on trunk links between switches. This setup ensures efficient traffic flow, minimizes network downtime, and improves overall stability. We'll also define MST regions and revision numbers to maintain consistency across the network. By following this guide, you'll optimize spanning tree operations while maintaining flexibility in VLAN creation and deployment across your infrastructure. Configuration for Core-SW1 (Primary Root for Instance 1) ! Define MST re

Understanding BPDU Guard vs. BPDU Filter: Key Differences and Use Cases

 Here's a simple guide on when to use BPDU Guard and BPDU Filter : BPDU Guard : Purpose : To protect the network from unauthorized devices or switches that could participate in the spanning tree process and potentially cause loops. When to Use : On access ports where end devices (like PCs, printers, or servers) are connected. When you want to automatically shut down a port (err-disable it) if a BPDU is received, indicating that another switch or device with STP capabilities is connected. Ensures the network remains loop-free by disabling the port when an unexpected BPDU is detected. BPDU Filter : Purpose : To suppress the sending and receiving of BPDUs on a port, effectively preventing STP participation. Caveat : enabled per interface, this also hides an accidentally connected switch, because the port neither sends nor processes BPDUs and a resulting loop will not be detected; the global PortFast variant is safer, since the port stops filtering (and loses PortFast) as soon as a BPDU arrives. When to Use : On edge ports (access ports) where you want to prevent STP interactions but don't want to shut the port down upon BPDU reception. In specific scenarios like when you are sure that no switch will be connected, but you don’t want to disrupt the port's operation if a BPDU is

Multicast - Key concepts

Multicast Overview Multicast is a network communication method that delivers a single stream from a source to multiple destinations. It optimizes network bandwidth usage, especially in applications like video conferencing, IPTV, and stock tickers. The Internet Group Management Protocol (IGMP) runs between hosts and their first-hop router on the local segment to signal group membership (switches use IGMP snooping to limit Layer 2 flooding), while Protocol Independent Multicast (PIM) runs between routers to build the Layer 3 distribution tree. Technical Tip : Multicast applications are almost always UDP-based, so there is no windowing, retransmission or ordering as in TCP; the application must tolerate loss, duplicate packets and out-of-order delivery. Multicast Addressing Multicast addresses are in the Class D range (224.0.0.0 to 239.255.255.255) . These addresses are not assigned to individual devices but represent groups. Well-known Multicast Address Types : Local network control block (224.0.0.0/24) : Protocol control traffic within a broadcast domain. Internetwork control block (224.0.1.0
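An added example (not code from the original post) that classifies a group address into the well-known blocks and, going slightly beyond the visible text, derives the Ethernet MAC a switch sees for that group: 01:00:5e plus the low 23 bits of the address, so 32 different groups map to the same MAC and IGMP snooping has to work at the IP layer to tell them apart. The administratively scoped block (239.0.0.0/8) and the sample groups are additions for the illustration.

```python
"""IPv4 multicast address classification and the IP-to-MAC mapping used on
Ethernet segments.

Added example, not from the original post. The sample groups are constructed;
the 01:00:5e mapping and the address blocks are the standard ones.
"""
from ipaddress import IPv4Address, IPv4Network

CLASS_D = IPv4Network("224.0.0.0/4")
BLOCKS = [
    ("local network control", IPv4Network("224.0.0.0/24")),   # TTL 1, never forwarded
    ("internetwork control", IPv4Network("224.0.1.0/24")),    # forwarded across routers
    ("administratively scoped", IPv4Network("239.0.0.0/8")),  # private, like RFC 1918
]
AMBIGUOUS_BITS = 0x1F << 23   # the 5 bits between the 1110 prefix and the low 23


def classify(group):
    """Name the block a group address belongs to; reject non-multicast input."""
    g = IPv4Address(group)
    if g not in CLASS_D:
        raise ValueError(f"{group} is not a multicast (class D) address")
    for name, net in BLOCKS:
        if g in net:
            return name
    return "other class D"


def multicast_mac(group):
    """Map a group address to its Ethernet MAC: 01:00:5e + low 23 bits."""
    low23 = int(IPv4Address(group)) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def mac_collisions(group):
    """Return the 32 group addresses that share this group's MAC address.

    Only 23 of the 28 variable bits survive the mapping, so every combination
    of the 5 discarded bits yields a different group with the same MAC.
    """
    base = int(IPv4Address(group)) & ~AMBIGUOUS_BITS
    return [str(IPv4Address(base | (k << 23))) for k in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.5", "224.0.1.39", "239.1.1.1", "232.1.1.1"):
        print(f"{g:12s} {classify(g):24s} {multicast_mac(g)}")
    print(mac_collisions("224.1.1.1")[:4], "...")
```

224.1.1.1 and 239.129.1.1 produce the identical MAC 01:00:5e:01:01:01, so a host that joined one group receives frames for the other at Layer 2 and must filter on the IP destination; the collision list makes that overlap explicit when planning group addresses.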

IPv6 - Key concepts

IPv6 Addressing IPv6 addresses are 128-bit long and written in hexadecimal format. To simplify the address, leading zeros can be omitted, and consecutive groups of zeros can be replaced with "::" (only once in an address). Technical Tip : Always remember that "::" can be used only once in an IPv6 address to avoid ambiguity. Example: Full: 2001:0db8:0000:0000:0000:ff00:0042:8329 Shortened: 2001:db8::ff00:42:8329 IPv6 Address Types Unicast : Identifies a single interface (Global, Link-Local, Unique-Local). Multicast : Packets sent to all interfaces in the group (e.g., FF00::/8). Anycast : Address assigned to multiple interfaces, routing the packet to the nearest device. Technical Tip : IPv6 doesn't support broadcast; multicast is used for similar purposes. IPv6 Stateless Autoconfiguration (SLAAC) With Stateless Address Autoconfiguration (SLAAC), hosts can configure their own IP addresses based o
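The shortening rules above (drop leading zeros per group, replace exactly one run of zero groups with "::") are worth implementing by hand once, because the "::" ambiguity is exactly what a hand-written compressor gets wrong. This added example (not code from the original post) expands and shortens addresses the RFC 5952 way, checks the result against the standard library, and classifies addresses into the unicast/multicast types the text lists. The address from the text is reused; the other sample addresses are constructed.

```python
"""IPv6 address shortening (RFC 5952 rules) and address-type classification.

Added example, not from the original post. Sample addresses other than the
2001:db8 one from the text are constructed.
"""
from ipaddress import IPv6Address, IPv6Network


def expand(addr):
    """Return the full 8-group, 4-hex-digit form (useful for config diffs)."""
    return IPv6Address(addr).exploded


def shorten(addr):
    """Compress an IPv6 address by hand.

    Leading zeros are dropped from each group, then the single longest run of
    two or more all-zero groups becomes '::'. A lone zero group is left as
    '0', and when two runs tie, the first one is compressed.
    """
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [1]):     # sentinel closes a trailing run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:           # strict '>' keeps the first tie
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(addr):
    """True when the hand-written compressor agrees with ipaddress."""
    return shorten(addr) == IPv6Address(addr).compressed


# Ordered so the most specific match wins; anycast cannot be told apart from
# unicast by format alone, so it is not listed.
TYPES = [
    ("loopback", IPv6Network("::1/128")),
    ("unspecified", IPv6Network("::/128")),
    ("multicast", IPv6Network("ff00::/8")),
    ("link-local unicast", IPv6Network("fe80::/10")),
    ("unique-local unicast", IPv6Network("fc00::/7")),
    ("global unicast", IPv6Network("2000::/3")),
]


def classify(addr):
    a = IPv6Address(addr)
    for name, net in TYPES:
        if a in net:
            return name
    return "reserved/other"


if __name__ == "__main__":
    for a in ("2001:0db8:0000:0000:0000:ff00:0042:8329", "2001:db8:0:0:1:0:0:1",
              "fe80::1", "ff02::1", "fd12:3456::1"):
        print(f"{shorten(a):28s} {classify(a)}")
```

Note the 2001:db8:0:0:1:0:0:1 case: two equal-length zero runs exist, and only the first is compressed, which is the tie rule that keeps the "::" once-only constraint unambiguous.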

Network Services - Key concepts

First Hop Redundancy Protocols (FHRP) HSRP, GLBP, VRRP HSRP (Hot Standby Router Protocol) : Provides redundancy by allowing one router to be active while others are standby. Technical Tip : Always configure preempt to allow a higher priority router to become active automatically when it comes back online. Use authentication to prevent rogue routers from taking over as active routers, and remember that it only raises the bar: HSRPv1 defaults to the plain-text string cisco, and an MD5 key is still only as secret as the running configuration. Example: standby 1 ip 10.1.25.22 standby 1 priority 200 standby 1 preempt standby 1 authentication md5 key-string Cisco GLBP (Gateway Load Balancing Protocol) : Adds load balancing to FHRP by distributing traffic among multiple routers using virtual MAC addresses. Technical Tip : Prioritize the selection of Active Virtual Gateway (AVG) using the priority command (255 is the maximum), and use authentication for security. Example: glbp 1 ip 10.1.1.100 glbp 1 priority 255 glbp 1 authentication md5 key-string Cisco VRRP (Virtual Router Redundancy Protocol) : Similar to HSRP but is an open standard. Allows rou
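To show why the preempt and authentication tips matter, here is an added example (not code from the original post) that builds and parses HSRPv1 hello packets in the RFC 2281 layout (20 bytes carried in UDP port 1985 to 224.0.0.2), flags the default plain-text authentication string, and applies the election rule: highest priority wins, highest source IP breaks ties, and without preempt a router that is already active keeps the role. The router addresses are constructed; the virtual IP 10.1.25.22 is taken from the text. The MD5 authentication the post recommends is a Cisco TLV extension that this example does not model.

```python
"""HSRPv1 hello parsing and the active-router election rule, including why
preempt matters and why the default authentication string is weak.

Added example, not from the original post. Hello bytes and router addresses
are constructed; the header layout follows RFC 2281.
"""
import struct
from dataclasses import dataclass

HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")   # version..reserved, auth[8], vip[4]
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"                      # RFC 2281 default, sent in clear


@dataclass
class Hello:
    src_ip: str
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hello(src_ip, payload):
    """Decode an HSRPv1 UDP payload; raise ValueError on bad length/version."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("short HSRP packet")
    (ver, op, state, hello, hold, prio, group, _reserved,
     auth, vip) = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return Hello(src_ip, OPCODES.get(op, "unknown"), STATES.get(state, "unknown"),
                 hello, hold, prio, group, auth.rstrip(b"\x00"),
                 ".".join(str(b) for b in vip))


def build_hello(priority, group, virtual_ip, auth=DEFAULT_AUTH, state=16):
    """Construct a hello as a router would send it. An attacker on the segment
    can forge exactly these bytes, which is the rogue-router scenario."""
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return HSRP_V1.pack(0, 0, state, 3, 10, priority, group, 0,
                        auth.ljust(8, b"\x00"), vip)


def uses_default_auth(hello):
    return hello.auth == DEFAULT_AUTH


def elect_active(hellos, current_active=None, preempt=False):
    """Pick the active router: highest priority, then highest source IP.

    Without preempt an already-active router that is still sending hellos
    keeps the role even if a better candidate appears; with preempt the best
    candidate takes over.
    """
    def key(h):
        return (h.priority, tuple(int(o) for o in h.src_ip.split(".")))
    best = max(hellos, key=key)
    if current_active is not None and not preempt:
        if any(h.src_ip == current_active for h in hellos):
            return current_active
    return best.src_ip


if __name__ == "__main__":
    r1 = parse_hello("10.1.25.2", build_hello(200, 1, "10.1.25.22"))
    r2 = parse_hello("10.1.25.3", build_hello(100, 1, "10.1.25.22", auth=b"s3cret"))
    print(r1, "default auth:", uses_default_auth(r1))
    print("no preempt:", elect_active([r1, r2], current_active="10.1.25.3"))
    print("preempt:   ", elect_active([r1, r2], current_active="10.1.25.3", preempt=True))
```

With router 10.1.25.3 currently active and 10.1.25.2 returning at priority 200, the election only moves to 10.1.25.2 when preempt is set; and the auth check shows that a hello with the default string is indistinguishable from one a rogue device would send, which is the reason to configure a real key.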

Quality of Service (QoS) - Key concepts

  Quality of Service Overview QoS is crucial for managing bandwidth, latency, jitter, and packet loss, which impact application performance, especially for real-time services like voice and video. Key quality issues include lack of bandwidth, latency (packet delay), jitter (variability in delay), and packet loss (lost data during transmission). Technical Tip : Keep latency under 150 ms for real-time traffic and packet loss below 1%. End-to-End Layer 3 QoS using MQC DiffServ QoS Model DiffServ is scalable and classifies traffic into classes, marking it for varying levels of priority. Technical Tip : Use DiffServ for efficient traffic management at the network edge for classification and marking, while relying on Per-Hop Behavior (PHB) in the core network. CoS and DSCP Mapping CoS marks traffic in Layer 2 headers, while DSCP marks it at Layer 3 for end-to-end traffic prioritization. Technical Tip : DSCP is more versatile for end-to-end QoS as CoS is limited to Layer 2 domains

System Management - Key concepts

  Device Management Console and VTY Console and VTY provide access to the device CLI for configuration and troubleshooting. Console is used for local access. VTY allows remote access via Telnet or SSH. TCP Keepalives : Use service tcp-keepalives-in to avoid dead Telnet or SSH sessions occupying VTY lines. Router1(config)#service tcp-keepalives-in Technical Tip : To prevent being locked out of a router because all VTY lines are held by unwanted sessions, configure an access list restricting VTY access to known management hosts. access-list 9 permit 172.25.1.1 line vty 0 4   access-class 9 in Source Interface for Telnet : Set the router to use a specific IP for outgoing Telnet connections using: ip telnet source-interface loopback0 SSH and SCP SSH : Use Secure Shell (SSH) to securely access the device. Configure SSH with RSA keys; the 1024-bit modulus in the example below is too weak by current standards, so generate at least a 2048-bit key in production, enforce SSH version 2, and limit the VTY lines to SSH rather than Telnet. ip domain-name example.com crypto key generate rsa modulus 1024 SCP (Secure Copy Protocol) : SC

Network Security Key concepts

Switch Security Features Cisco SAFE Framework Cisco SAFE is a security architectural framework designed to protect against evolving threats like phishing, malware, and ransomware. It ensures comprehensive security across the network in various "places in the network" (PINs). Next-Generation Intrusion Prevention System (NGIPS) NGIPS is an advanced system for detecting and preventing intrusion attacks. It can log, analyze, and block malicious activities. NGIPS is available in physical appliances, virtual machines, or integrated with other Cisco systems like ISR. Firepower appliances provide dedicated hardware for intrusion prevention. NGIPS Virtual (NGIPSv) is available for virtualization environments. Technical Tip : NGIPS should be strategically deployed in areas with high traffic, such as edge devices or data centers, to monitor for anomalies effectively. Next-Generation Firewall (NGFW) N

Infrastructure Security and Services

Device Security on Cisco IOS XE Control Plane Policing and Protection Control Plane Policing (CoPP) : Protects routers/switches from DoS attacks by policing traffic punted to the control plane (the punt/inject path). QoS rules rate-limit that traffic so the CPU keeps servicing routing protocols and management sessions during a flood. Example Configuration : A QoS policy for Telnet traffic limits unwanted traffic while allowing trusted hosts unrestricted access. Terminal Lines and Password Protection Access Methods : Devices can be accessed through console ports (local), auxiliary ports (remote via modem), or virtual terminals (Telnet/SSH). Password Types : Type 0 : Stored in clear text, insecure. Type 5 : Salted MD5 hash (one-way), historically used with enable secret; acceptable only where types 8/9 are unavailable, since MD5 cracks quickly on modern hardware. Type 7 : Not encryption at all but a reversible XOR obfuscation; anyone who can read the configuration recovers the clear text instantly. Type 8/9 : Secure passwords using modern hashing (PBKDF2-SHA256 for type 8, scrypt for type 9); prefer these for enable secret and local user accounts. Configuring Local Password Authentication Commands
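The claim that type 7 is "easily cracked" is best demonstrated by cracking one. This added example (not code from the original post) implements the well-known type 7 encode/decode (a two-digit seed followed by hex bytes XORed against a fixed IOS translation table) and then audits a few configuration lines, grading each credential by its type and recovering the clear text for any type 7 entry. The configuration lines are constructed for the illustration, except for the classic string 060506324F41, which decodes to "cisco"; the hash values on the type 5 and 9 lines are placeholders, not real hashes.

```python
"""Cisco type 7 password obfuscation is reversible by anyone with the config;
type 5/8/9 are one-way hashes. Added example, not from the original post.

The XOR table is the well-known IOS constant. The sample configuration is
constructed; only 060506324F41 ("cisco") is a real-world value.
"""
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Decode a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the table entry at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain, seed=6):
    """Inverse of type7_decode (the 'encryption' IOS applies with
    service password-encryption); seed is normally 0-15."""
    out = [f"{seed:02d}"]
    for i, c in enumerate(plain.encode()):
        out.append(f"{c ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


GRADES = {
    "0": "plaintext",
    "7": "reversible obfuscation",
    "5": "salted MD5 (weak)",
    "8": "PBKDF2-SHA256",
    "9": "scrypt",
}

# Constructed sample configuration; the $1$/$9$ values are placeholders.
SAMPLE_CONFIG = [
    "enable secret 5 $1$exam$placeholderhashvalue000000",
    "username admin privilege 15 secret 9 $9$examplesalt$placeholderhashvalue0000000000000000",
    "username backup password 7 060506324F41",
    "line vty 0 4",
    " password 0 letmein",
]


def audit_config(lines):
    """Return (line, grade, recovered_plaintext_or_None) for each credential.

    Only lines carrying 'password <type> <value>' or 'secret <type> <value>'
    are reported; type 7 values are decoded on the spot to make the point.
    """
    findings = []
    for line in lines:
        parts = line.split()
        for kw in ("password", "secret"):
            if kw in parts:
                idx = parts.index(kw)
                if idx + 2 < len(parts) and parts[idx + 1] in GRADES:
                    typ, value = parts[idx + 1], parts[idx + 2]
                    plain = type7_decode(value) if typ == "7" else None
                    findings.append((line.strip(), GRADES[typ], plain))
                break
    return findings


if __name__ == "__main__":
    for line, grade, plain in audit_config(SAMPLE_CONFIG):
        print(f"{grade:24s} {plain or '-':10s} {line}")
    print(type7_encode("Sup3rS3cret!", seed=12))
```

Running the audit shows the type 7 entry recovered as "cisco" while the hashed entries yield nothing; that contrast is the practical reason to treat `service password-encryption` as cosmetic and to store local credentials as type 8 or 9.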

DMVPN - Key concepts

  DMVPN (Dynamic Multipoint Virtual Private Network) DMVPN enables dynamic and scalable VPN connections, primarily using mGRE (Multipoint Generic Routing Encapsulation) , NHRP (Next Hop Resolution Protocol) , and optionally, IPsec for encryption. It supports hub-and-spoke topologies, with the ability to evolve into a fully meshed network. DMVPN Phases Phase 1 : Basic hub-and-spoke topology where spokes communicate through the hub. mGRE is configured on the hub, and point-to-point GRE on the spokes. Limitation : No direct spoke-to-spoke communication; all traffic passes through the hub. Routing : Spokes register their IP with the hub, and no spoke-to-spoke tunnels are formed. Phase 2 : Introduces spoke-to-spoke communication using mGRE at both the hub and spokes. Next-hop reachability is maintained, and spokes dynamically form tunnels to communicate directly. No route sum