Skip to main content

Posts

Showing posts with the label Cisco

OSPF Adjacency Stuck in EXSTART on Cisco IOS XR – Issue and Solution

In a recent lab setup using Cisco IOS XR on EVE-NG, I faced a common but frustrating issue with OSPF adjacencies getting stuck in the EXSTART state. After spending considerable time troubleshooting interface MTUs and configurations, I discovered that the root cause was related to the virtual network interface type being used. This post outlines the issue, troubleshooting steps, and the eventual solution that got everything working. Issue: While configuring OSPF between two routers running Cisco IOS XR in my lab, OSPF adjacencies were getting stuck in the EXSTART state. I verified that interface configurations, MTU settings, and OSPF parameters were correct, but the problem persisted. I tried adjusting the MTU size, using the mtu-ignore command, and even checked for ACLs, but nothing seemed to resolve the issue. Troubleshooting Steps: MTU Settings: I started by verifying that both sides of the OSPF adjacency had matching MTUs. I used the default MTU and even tried different values wit...

How to Properly Clone an EVE-NG Lab with Configurations

Cloning labs in EVE-NG is a great way to duplicate setups and expand or experiment on a new copy without affecting the original lab. However, if not done correctly, the cloned lab may only copy the topology without configurations. In this guide, I’ll show you how to properly clone a lab in EVE-NG with all configurations using the EVE-NG GUI . Follow these steps to ensure that both the topology and router configurations are retained when cloning your lab. Steps to Clone an EVE-NG Lab with Configurations Save Running Configuration on All Devices In your original lab, make sure all devices have their configurations saved to NVRAM. Go into the CLI of each router and run the command: copy running-config startup-config Export All Configurations (CFGs) On the left sidebar in the EVE-NG Web UI , click on the "More Actions" option. Then select "Export all CFGs" . This step exports the configurations of all devices in the lab. Shutdown All Devices After exporting the confi...

Basic MPLS BGP and L3VPN Lab Setup

In this lab, we’ve set up a basic MPLS, BGP, and L3VPN environment, which is a great foundation for understanding how service providers build scalable networks. The lab uses the EVE-NG simulator along with Router IOS C7200-ADVENTERPRISEK9-M, Version 15.2(4)M8 to emulate a realistic MPLS environment. Below is a summary of the key components and roles of each router in the lab. MPLS Core Routers : The MPLS core consists of the routers responsible for label switching and forwarding customer traffic through the network: PE1 (Provider Edge 1) : Connects customer networks to the MPLS core and handles both MPLS and BGP routing. It also hosts VRF (Virtual Routing and Forwarding) instances for customers. PE2 (Provider Edge 2) : Functions similarly to PE1, connecting another customer network to the MPLS core. P1 (Core Router 1) and P2 (Core Router 2) : These routers serve as MPLS core routers and handle label switching but do not store or process customer routes directly. They simply f...

BGP Path Attributes iBGP vs eBGP Explained

Here’s a breakdown of BGP attributes that are either considered by iBGP neighbors only or eBGP neighbors only , along with the attributes that apply to both, but may have different behaviors or implications depending on whether the neighbor is iBGP or eBGP. Attributes Considered by iBGP Neighbors Only : These attributes are shared within an AS but may not be propagated or considered by eBGP neighbors : Local Preference : Used by : iBGP Ignored by : eBGP Description : The Local Preference (Local Pref) attribute is used to influence outbound traffic within an AS. It is not sent to eBGP neighbors . An eBGP neighbor won’t see this attribute because it’s meant for internal path selection. Example : An iBGP router receiving an update with a higher Local Preference will prefer that path, but an eBGP neighbor will not receive or consider the Local Preference attribute. Next-Hop Behavior : Used by : iBGP Modified by : eBGP Description : When advertising routes to iBGP neighbors, the Next ...

Why We Need to Explicitly Activate the address-family ipv4

Separation of Address Families in BGP : In modern versions of Cisco IOS, BGP is designed to support multiple address families beyond just IPv4. BGP can handle: IPv4 unicast (standard routing for IPv4 addresses) IPv6 unicast (for IPv6 routing) VPNv4 and VPNv6 (for MPLS Layer 3 VPNs) Multicast for IPv4 or IPv6 And other extensions like EVPN or MPLS VPN . The address-family command is used to tell BGP which specific type of routes you want to activate. By default, no address-family is active, so you need to manually specify which ones BGP should work with. Default BGP Behavior : In older Cisco IOS versions, BGP only supported IPv4 unicast by default, so this wasn't an issue. However, newer versions of IOS require explicit activation of the IPv4 unicast address family to avoid ambiguity and to support flexibility for other address families. Without the address-family ipv4 activation, even though you configure neighbors in BGP, no routes would be exchanged because BGP doesn...

Simplified OSPF TTL Security: A Key Layer of Network Protection

OSPF TTL Security is a feature used to enhance the security of OSPF routing by limiting the range of OSPF packets to prevent them from being spoofed by unauthorized devices that are not directly connected. It ensures that OSPF packets received by a router are from legitimate neighbors within a specific TTL (Time To Live) range. How OSPF TTL Security Works: TTL Field : Every IP packet has a TTL field, which is decremented by 1 at every hop. When the TTL reaches zero, the packet is discarded. Default TTL : By default, OSPF packets have a TTL value of 255 when sent from a router. TTL Check : In OSPF TTL Security, the receiving router checks the TTL value of incoming OSPF packets. If the TTL is less than the specified threshold, the packet is discarded. Security Mechanism : The TTL security feature is particularly useful in preventing OSPF adjacency formation with routers that are multiple hops away. It ensures that only direct...

Securing OSPF: Best Practices for Everyday Networks

When implementing OSPF in everyday networks, securing the protocol is a crucial step to ensure that only trusted routers participate in the routing domain. While OSPF offers robust capabilities, it can also be vulnerable to various threats if not properly secured. In this post, we'll dive into some of the most commonly used security mechanisms like OSPF authentication, TTL security, passive interfaces, and access control lists (ACLs). These best practices not only enhance network integrity but also protect against unauthorized access and routing attacks. Let’s explore how you can fortify your OSPF deployment. 1. OSPF Authentication (MD5 or HMAC-SHA): Why : Ensures that OSPF adjacencies are formed only with trusted devices and prevents unauthorized routers from injecting malicious routes. What’s Common : MD5 authentication is still widely used due to compatibility across devices. HMAC-SHA is gaining popularity as a stronger alternative for ...

OSPF Graceful Shutdown - Deep Dive

OSPF Graceful Shutdown is a feature that allows a router to gracefully withdraw from OSPF routing without causing disruptions or routing instability in the network. When an OSPF graceful shutdown is triggered, the router informs its OSPF neighbors that it is no longer participating in OSPF. This process involves the router setting its OSPF links to a state that indicates they are down and withdrawing its routes, but without causing network flapping or re-convergence issues. Key Points: Withdrawal of Routes : The router gracefully withdraws its OSPF routes from the routing table and stops sending updates to OSPF neighbors. Minimal Disruption : OSPF gracefully informs neighbors of the change, preventing sudden route drops or instability. Network Stability : Helps maintain stability during maintenance or shutdown, avoiding the need for a full re-convergence. Manual or Automatic : Can be triggered manually for planned maintenance or implemented automatically in certain cases. Configuratio...

Why Are OSPF Loopback Interfaces Always Advertised with a /32 Prefix?

In OSPF, loopback interfaces are always advertised with a /32 prefix , even if they are configured with a different subnet mask. Here's why: 1. Loopback Interfaces Represent Stable Endpoints: Loopback interfaces are virtual interfaces that are always up, meaning they are not tied to physical hardware that could go down. In OSPF, a /32 prefix for loopback addresses indicates that it represents a specific IP address rather than a range of addresses. The /32 effectively identifies the loopback as a single stable endpoint , making it ideal for purposes like routing protocol identification and management IPs. 2. Used for Router ID: In OSPF, the Router ID is typically chosen based on the highest IP address of loopback interfaces, because loopback interfaces are always up and reliable. By advertising it with a /32 prefix , OSPF ensures that the loopback interface represents a single unique identifier, rather than a network of IPs, which is ideal for selecting the Router ID . 3. Sta...

Understanding OSPF Area Types: Stub, NSSA, Totally Stubby, and Totally NSSA

When designing an OSPF network, understanding the various area types plays a crucial role in optimizing routing efficiency and controlling the size of the routing table. OSPF areas such as Stub, NSSA (Not-So-Stubby Area), and their Cisco proprietary counterparts, Totally Stubby and Totally NSSA, each serve specific purposes in different network scenarios. These area types help reduce the amount of routing information shared within an area while controlling the advertisement of external and inter-area routes. In this post, we will explore the characteristics, use cases, and default route advertisement behavior of these OSPF areas, providing insight into how they can improve network performance and scalability. OSPF Area Type Allowed LSAs Disallowed LSAs Use Cases Key Characteristics Default Route Injection Stub Area Type 1 (Router), Type 2 (Network), Type 3 (Summary) Type 4 (ASBR Summary), Type ...

Why Does OSPF Use Master/Slave Roles During Neighbor Synchronization?

The election of Master/Slave roles in OSPF is specifically related to the process of Database Description (DD) packet exchange during the ExStart and Exchange states. It ensures orderly and synchronized communication between OSPF neighbors. While both routers eventually synchronize their LSAs, the Master/Slave mechanism is needed to coordinate how the DD packets are exchanged. Here’s why the Master/Slave roles are important in this context: 1. Control of Database Description (DD) Packet Exchange : In OSPF, DD packets are used to describe the contents of a router’s Link-State Database (LSDB) during the initial synchronization phase. The Master/Slave roles ensure who sends the first DD packet and controls the flow of packets. The Master always initiates the sending of DD packets, while the Slave responds to them. Without this mechanism, both routers might send DD packets simultaneously, leading to collisions and confusion in the synchronization process. 2. Ensures Orderly Communi...

Does OSPF Discard Routes During DR Re-election?

No, routers do not discard all IP routes learned through OSPF during a DR re-election. The OSPF process is designed to handle DR re-election smoothly without disrupting the entire network's routing table. Here’s what happens during the process: OSPF Neighbor Relationships : When a DR re-election occurs, only the OSPF neighbor relationships with the DR and Backup Designated Router (BDR) are affected. Other routers maintain their adjacencies and routing information. Routing Table Retained : The OSPF routing table remains intact during a DR re-election. Routes learned via OSPF, which have already been installed in the routing table, are not discarded unless a topology change affects them (e.g., a failure or a new LSA indicating a different path). LSA Synchronization : The newly elected DR (or BDR) will synchronize LSAs with its neighbors. The OSPF database is re-synchronized, but this does not mean routes are discarded. The synchronization ensures that all routers on the network segme...

Recursive Routing Simplified definition

The term recursive in the context of recursive static routes refers to the process where the router has to resolve the next-hop IP address by performing multiple lookups in its routing table. Here’s how it works: When a router receives a packet destined for a particular network (e.g., 10.22.22.0/24), it checks its static route configuration. In the case of a recursive static route, the route specifies a next-hop IP address (e.g., 192.168.1.1) rather than an interface. The router then needs to look up where that next-hop IP address (192.168.1.1) is located in its routing table to find the outgoing interface . If the next-hop IP itself requires further resolution (e.g., through another lookup to figure out its outgoing interface), the router has to perform recursive lookups until it resolves the final interface. In simple terms, recursive means the router must go through multiple steps or lookups (like peeling back layers) to finally determine how to forward the packet.

How Does Traceroute Work Differently on Windows, Unix, and Network Devices?

Traceroute is a network diagnostic tool used to trace the path packets take from a source to a destination. It functions by sending packets with incrementally increasing Time-To-Live (TTL) values and receiving responses from routers along the way, allowing users to identify the hops the packets pass through. Here’s how it works on different platforms: Windows (ICMP-Based Traceroute) : Protocol : Uses ICMP at Layer 3. How It Works : Windows sends ICMP Echo Request packets with increasing TTL values. When a router receives a packet with a TTL of 1, it decrements it to 0, drops the packet, and returns an ICMP Time Exceeded message to the source. Each hop responds with this message, allowing the traceroute to document the routers. Final Step : When the packet reaches the destination, it sends an ICMP Echo Reply instead of a port unreachable message, as it's based on Layer 3 only. Unix-Based Systems (UDP-Based Traceroute) : Protocol : Uses UDP at Layer 4. How It Works : Unix-based syste...

How Does Traceroute Work: A Step-by-Step Breakdown

Traceroute is a network diagnostic tool used to track the path packets take from a source device to a destination across an IP network, helping identify routing paths and any potential delays or failures. Here’s how traceroute works: ICMP and TTL (Time-To-Live) : Traceroute sends packets with an initial TTL value of 1. The first router the packet encounters decrements the TTL by 1, causing it to reach zero. When the TTL hits zero, the router discards the packet and sends back an ICMP "TTL expired" message to the source. This helps the source router document the identity (IP address) of the responding router as part of the path. Incrementing TTL : Traceroute then increases the TTL by 1 for each subsequent packet. The second router will forward the packet to the next hop until the TTL expires, at which point it also sends a TTL expired message back to the source. The process repeats, each time documenting the responding ...

Difference Between VLSM and CIDR

  VLSM (Variable Length Subnet Mask) and CIDR (Classless Inter-Domain Routing) are both techniques for efficient IP address allocation, but they serve different purposes: VLSM (Variable Length Subnet Mask) : VLSM allows different subnets within the same network to use different subnet masks, making it possible to allocate IP addresses more efficiently based on need (i.e., smaller subnets for smaller networks, larger subnets for larger ones). Used mainly within internal networks (intra-domain) to maximize the usage of available IP space. Requires routers that support classless routing protocols (e.g., OSPF, EIGRP, or RIPv2). CIDR (Classless Inter-Domain Routing) : CIDR is a method of assigning IP addresses without adhering to the traditional class-based system (A, B, C), allowing for more flexible and hierarchical IP address allocation. CIDR is primarily used for routing between networks (inter-domain), particularly on the Internet, to reduce routing table sizes and prevent IP exh...

Understanding Classful vs. Classless Routing: Key Differences Explained

 Classful Routing: Classful routing refers to a method where routing decisions are made based on the fixed subnet mask of IP address classes (A, B, C). It doesn’t transmit subnet mask information in routing updates, assuming default subnet masks based on IP address class. This approach was commonly used in older protocols like RIPv1 and IGRP . Key Characteristics : No subnet information is shared between routers. IP addresses are divided strictly into classes (A, B, C, etc.). It doesn’t support Variable Length Subnet Masking (VLSM). Less efficient use of IP address space due to fixed class boundaries. Example : If a router sees an IP address in the range 192.168.1.0 , it assumes the default subnet mask of /24 (255.255.255.0), as per Class C rules. Classless Routing: Classless routing allows for the use of Variable Length Subnet Masking (VLSM) and sends routing updates with subnet mask information. This allows for more flexible and efficient use of IP address space. Classless rou...

MST - Best Practices for Core and Access Switch Configurations

In this post, we will configure Multiple Spanning Tree (MST) , a protocol designed to optimize spanning tree instances by mapping multiple VLANs to fewer instances. This reduces overhead on network devices, enhances scalability, and speeds up convergence. We'll configure MST on both core/root switches and access switches , ensuring that only the required VLANs are active on each switch. The configuration will focus on assigning VLANs to specific MST instances, defining root priorities, and controlling VLAN availability on trunk links between switches. This setup ensures efficient traffic flow, minimizes network downtime, and improves overall stability. We'll also define MST regions and revision numbers to maintain consistency across the network. By following this guide, you'll optimize spanning tree operations while maintaining flexibility in VLAN creation and deployment across your infrastructure. Configuration for Core-SW1 (Primary Root for Instance 1) ! Define MST re...

Understanding BPDU Guard vs. BPDU Filter: Key Differences and Use Cases

 Here's a simple guide on when to use BPDU Guard and BPDU Filter : BPDU Guard : Purpose : To protect the network from unauthorized devices or switches that could participate in the spanning tree process and potentially cause loops. When to Use : On access ports where end devices (like PCs, printers, or servers) are connected. When you want to automatically shut down a port if a BPDU is received, indicating that another switch or device with STP capabilities is connected. Ensures the network remains loop-free by disabling the port when an unexpected BPDU is detected. BPDU Filter : Purpose : To suppress the sending and receiving of BPDUs on a port, effectively preventing STP participation. When to Use : On edge ports (access ports) where you want to prevent STP interactions but don't want to shut the port down upon BPDU reception. In specific scenarios like when you are sure that no switch will be connected, but you don’t want to disrupt the port's operation if a BPDU is...

Multicast - Key concepts

Multicast Overview Multicast is a network communication method that delivers a single stream from a source to multiple destinations. It optimizes network bandwidth usage, especially in applications like video conferencing, IPTV, and stock tickers. The Internet Group Management Protocol (IGMP) is used in Layer 2 networks, while Protocol Independent Multicast (PIM) handles Layer 3 communication. Technical Tip : Multicast is UDP-based, which lacks the reliability mechanisms of TCP, such as windowing and error correction, potentially leading to duplicate packets and out-of-order delivery. Multicast Addressing Multicast addresses are in the Class D range (224.0.0.0 to 239.255.255.255) . These addresses are not assigned to individual devices but represent groups. Well-known Multicast Address Types : Local network control block (224.0.0.0/24) : Protocol control traffic within a broadcast domain. Internetwork control block (224.0.1.0...