Tuesday, September 18, 2007

BGP - CCIE Notes

  1. Within an AS, BGP peers do not need to be directly connected.
  2. For routers that run eBGP, neighbors are usually directly connected.
  3. ALL BGP speakers within an AS MUST establish a peer relationship unless you use route reflectors or confederations.
  4. When a BGP speaker receives an update from other BGP speakers in its own AS (via iBGP), the receiving BGP speaker uses eBGP to forward the update to eBGP speakers only.
  5. The BGP synchronization rule states that if an AS provides transit service to another AS, BGP should not advertise a route until all of the routers within the AS have learned the route via an IGP.
  6. You can disable synchronization if one of the following is true:
    • Your AS does not pass traffic from one AS to another.
    • ALL the transit routers in your AS run BGP.
  7. The only difference between advertising a static and a default route is that when you redistribute a static, BGP sets the origin attribute of updates to incomplete.
  8. Redistributing a static route is the best way to advertise a supernet because it stops the route from flapping.
  9. To ensure a loop-free inter-domain topology, BGP does not accept updates that originated from its own AS.
  10. Origin attribute: "i" when injected with the network command in router configuration mode, "e" when learned through EGP, "?" (incomplete) when a route is redistributed into BGP.
  11. BGP specifies that the next hop of eBGP-learned routes remains unchanged into and through iBGP.

BGP Attributes

    The weight attribute is a special Cisco attribute used in path selection when there is more than one route to the destination. The weight attribute is local to the router on which it is assigned and is NOT propagated in routing updates (higher is more preferred). There are 3 ways to set weight:

    • Access-list
    • Route-map
    • Neighbor weight command

    The local preference attribute indicates the preferred path when there are multiple paths (higher is better). Unlike the weight attribute, the local preference is carried with route updates and exchanged with routers in the same AS. 2 ways to set local preference:

    • use the bgp default local-preference command
    • route-maps

    The MED attribute is a hint to eBGP peers about the preferred path into an AS when there are multiple entry points (lower is better). Unlike local preference, the MED is exchanged between ASs, but a MED that comes into an AS does not leave the AS.

    The community attribute provides a way of grouping destinations to which routing decisions can be applied. To send the attribute you MUST use the neighbor send-community router config command.

    Other topics:

    BGP Route Reflectors - eliminate the full-mesh requirement.

    BGP Confederations - make "mini-ASs" inside of an AS.

    BGP Peer groups - a group of neighbors that share the same update policies.

    Brief, BGP Path Selection Process:

  1. Is the next hop reachable for the route? (Paths with an unreachable next hop are not considered.)
  2. Prefer the largest weight (Cisco only).
  3. Prefer the largest local preference, after weight.
  4. Locally originated routes have higher preference.
  5. Prefer the shortest AS path.
  6. Prefer incomplete origin over IGP and IGP over EGP.
  7. Prefer the lowest MED (metric).
  8. Prefer the closest route learned through an IGP (lowest IGP metric to the next hop).
  9. If everything is still the same, decide on BGP router IDs; the lowest is always preferred.
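The attribute section and the decision list above, as a small Python model of one router choosing between candidate paths. This is an added example, not part of the original notes and not Cisco code. Where it goes beyond the list it follows Cisco's documented best-path algorithm: origin is ranked IGP before EGP before incomplete (the list above states that step the other way round), and an eBGP-over-iBGP step sits between MED and IGP metric. MED is compared across all surviving candidates here, whereas a router by default compares it only between paths from the same neighbouring AS. All next hops, AS numbers and router IDs are constructed.

```python
from dataclasses import dataclass

# Origin ranking per Cisco's best-path algorithm: IGP, then EGP, then incomplete.
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    next_hop: str
    next_hop_reachable: bool = True
    weight: int = 0                 # Cisco-only, local to this router
    local_pref: int = 100           # shared with iBGP peers in the AS
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"               # "i", "e" or "?"
    med: int = 0                    # lower is better
    ebgp: bool = True
    igp_metric: int = 0             # IGP cost to reach the next hop
    router_id: str = "0.0.0.0"


def _rid_key(rid):
    """Dotted-quad router ID as a tuple so 9.0.0.1 sorts before 10.0.0.2."""
    return tuple(int(octet) for octet in rid.split("."))


# Each step maps a path to a key where the LOWEST value wins, so the
# "higher is better" attributes (weight, local preference) are negated.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("AS path length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("MED", lambda p: p.med),
    ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
    ("IGP metric to next hop", lambda p: p.igp_metric),
    ("router ID", lambda p: _rid_key(p.router_id)),
]


def best_path(paths):
    """Return (winning Path, name of the step that decided it).

    Paths whose next hop is unreachable are dropped before any comparison,
    which is why even a huge weight on such a path changes nothing.
    """
    candidates = [p for p in paths if p.next_hop_reachable]
    if not candidates:
        return None, "no path with a reachable next hop"
    for step, key in STEPS:
        lowest = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == lowest]
        if len(candidates) == 1:
            return candidates[0], step
    # Identical on every attribute (same router ID): keep the first one.
    return candidates[0], "router ID"


def demo():
    """Constructed scenario: three candidate paths to the same prefix."""
    paths = [
        Path("192.0.2.1", local_pref=100, as_path=(65001, 65002), router_id="192.0.2.1"),
        Path("192.0.2.5", local_pref=200, as_path=(65003,), router_id="192.0.2.5"),
        # Highest weight of all, but its next hop is not in the routing table.
        Path("198.51.100.9", next_hop_reachable=False, weight=500, router_id="198.51.100.9"),
    ]
    return best_path(paths)


if __name__ == "__main__":
    winner, step = demo()
    print(f"best path via {winner.next_hop}, decided by {step}")
```

Because the function reports which step broke the tie, it doubles as a way to explain a surprising selection: a path with weight 500 loses in the demo simply because its next hop is unreachable, which matches step 1 of the list.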
Important BGP Commands:

    aggregate-address: configure BGP aggregate entries
    auto-summary
    default-metric: set the metric of redistributed routes
    distance: define the administrative distance
    distribute-list: filter networks in routing updates
    maximum-paths: forward packets on multiple paths
    synchronization: perform IGP synchronization (iBGP)
    timers: adjust BGP update timers
    traffic-share: algorithm for computing the traffic share over alternate routes
    neighbor advertise-map: specify a route-map for conditional advertisements
    neighbor advertisement-interval: minimum interval between eBGP routing updates
    neighbor distribute-list: filter routes specific to a neighbor
    neighbor ebgp-multihop: allow eBGP neighbors that are not on directly connected networks
    neighbor filter-list: enable BGP (AS path) filters
    neighbor maximum-prefix: maximum number of prefixes accepted from the neighbor
    neighbor next-hop-self: disable next-hop calculation for this neighbor and advertise the router itself as the next hop
    neighbor peer-group: assign the neighbor to a peer group
    neighbor prefix-list: filter updates from this neighbor
    neighbor remote-as: define the neighbor's AS
    neighbor remove-private-as: no private AS numbers in outbound updates
    neighbor route-map: apply a route-map
    neighbor route-reflector-client: enable route reflection on this router (the neighbor becomes a client)
    neighbor send-community: send the community attribute to this neighbor
    neighbor shutdown: administratively disable peering with the neighbor
    neighbor timers: BGP neighbor-specific timers
    neighbor unsuppress-map: route-map to selectively allow suppressed routes to that specific neighbor
    neighbor update-source: define the source interface for the neighbor
    neighbor weight: specify a neighbor-specific weight (Cisco only)

Switching - CCIE Notes

  • A switch port can be dynamic, static or automatic. A switch port can be a trunk or an access port.
  • The default encapsulation protocol for DTP is ISL.
  • The native VLAN is supposed to be an untagged VLAN which doesn't have any VLAN information attached.
  • To disable Dynamic Trunking Protocol use switchport nonegotiate.
  • To create an EtherChannel without negotiation we use channel-group 1 mode on. This creates an EtherChannel without any EtherChannel protocol (PAgP / LACP).
  • Setting the channel-group mode to desirable or auto makes it negotiable over PAgP.
  • Setting the channel-group mode to active or passive makes it negotiable over LACP.
  • Enabling DTP and issuing conflicting VTP domain names causes the switches to warn before enabling VLAN trunking protocols over the trunk links.
  • VLAN load balancing can be achieved in the following ways:
    • VLAN allowed list: this allows different VLANs to travel over different trunks for better trunk efficiency and a load-balanced environment. Certain VLANs are allowed over one trunk and another set of VLANs can be allowed to travel over another trunk.
    • MSTP VLAN load balancing: this allows VLAN instance load balancing over different trunks.
    • STP port priority: by assigning different VLANs to different trunks and changing the STP port priority.
    • STP port cost: by assigning different VLANs to different trunks and changing the STP port cost.
  • The minimum forward delay time for Spanning Tree is 4 seconds.
  • Enabling Spanning Tree PortFast on an interface causes it to bypass the Listening and Learning states and transition directly into the Forwarding state.
  • Enabling UplinkFast globally causes the switch to quickly move its root port to another port in the event of an uplink failure.
  • Enabling BackboneFast globally causes the switch to know immediately if its path to the root has been broken somewhere on another switch (indirectly) and switch its path to an alternate one.
  • Enabling BPDU Guard allows an access port to go quickly into the port-inconsistent (blocked) state if a BPDU is received on it. This is done on all PortFast-enabled access ports.
  • Enabling Root Guard on the root switch's designated ports allows the switch to reject any superior BPDUs received on those ports and protect itself from losing the root role.
  • BPDU Filter is an extension of BPDU Guard in which we can define what to do if a BPDU has been received on an access port.
  • Loop Guard protects the switch from a sudden loss of BPDUs that would otherwise lead to an endless spanning-tree loop.
  • Multiple STP contains instances, where each instance can contain a single VLAN or a group of VLANs.
    • Configuration:
        spanning-tree mst configuration
         instance 1 vlan 1-3
         instance 2 vlan 4-6
         instance 4 vlan 7-9

Layer 3 Switching:

Switch Security:

  • Port security
  • Max. MAC address learn limits
  • Port authentication

VLAN Hopping:

  • An attacker can negotiate a trunk with the switch and can then move between VLANs easily.
  • This happens because the default state of every port is dynamic desirable.

Private VLANs:

The common concept is VLANs within VLANs.

  • Private VLANs have sub-VLANs; they contain a main VLAN called the PRIMARY VLAN.
  • Private VLANs can only be configured in VTP transparent mode.
  • There can only be 1 ISOLATED or COMMUNITY VLAN per primary VLAN.
  • Private VLANs provide ISOLATION and GROUPING within a VLAN.

There are three types of private-VLAN ports:

  • Promiscuous: a port in the primary VLAN which can be reached by all isolated and community ports.
  • Isolated: a port in the primary VLAN that can't connect to any other port.
  • Community: a group of ports in the primary VLAN which can connect to each other and can also reach the promiscuous port, but can't reach any isolated ports.

Configuration:

    vlan 100
     private-vlan primary
    vlan 110
     private-vlan isolated
    vlan 120
     private-vlan community
    vlan 100
     private-vlan association 110,120
    !
    interface fast1/1
     description Private isolated VLAN 100
     switchport mode private-vlan host
     switchport private-vlan host-association 100 110
    !
    interface fast1/2
     description Private community VLAN 100
     switchport mode private-vlan host
     switchport private-vlan host-association 100 120
    !
    interface fast1/3
     description Private promiscuous port for VLAN 100
     switchport mode private-vlan promiscuous
     switchport private-vlan mapping 100 110,120

Verification:

    show vlan private-vlan

Spoofing Attacks:

    ip dhcp snooping trust
      DHCP snooping listens to ARP/DHCP requests and builds an IP-to-MAC binding table; the trust keyword marks this interface as trusted (where the legitimate DHCP server's replies arrive).
    ip verify source vlan dhcp-snooping port-security
      Enables IP Source Guard.
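The mechanism the two commands above rely on, as an added Python model (not from the notes or any vendor code): DHCP snooping drops server replies that arrive on untrusted ports, records the lease it sees acknowledged on a trusted port as a binding, and IP Source Guard with the port-security option then only forwards packets whose source IP, MAC, VLAN and port all match a binding. The port names, VLAN, MAC and IP values are constructed; real switches also age bindings out with the lease, which this model omits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports towards the real DHCP server
        self.pending = {}                   # client MAC -> (vlan, port) awaiting an ACK
        self.bindings = {}                  # client MAC -> Binding
        self.log = []

    def dhcp_message(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Apply the snooping rules to one DHCP message; return 'forwarded' or 'dropped'."""
        if msg_type in {"OFFER", "ACK", "NAK"} and port not in self.trusted:
            # A DHCP server answering from an untrusted port is a rogue server.
            self.log.append(f"dropped {msg_type} from untrusted {port}")
            return "dropped"
        if msg_type in {"DISCOVER", "REQUEST"}:
            self.pending[client_mac] = (vlan, port)   # remember where the client lives
        elif msg_type == "ACK" and client_mac in self.pending:
            vlan_seen, client_port = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, yiaddr, vlan_seen, client_port)
            self.log.append(f"binding {client_mac} -> {yiaddr} on {client_port} vlan {vlan_seen}")
        return "forwarded"

    def verify_source(self, port, vlan, src_mac, src_ip):
        """IP Source Guard with the port-security option: the packet must match a
        binding on IP, MAC, VLAN and port; anything else is dropped."""
        b = self.bindings.get(src_mac)
        ok = b is not None and (b.ip, b.vlan, b.port) == (src_ip, vlan, port)
        if not ok:
            self.log.append(f"dropped {src_ip}/{src_mac} on {port}: no matching binding")
        return ok


def run_scenario():
    """Constructed scenario: one real lease, one rogue server, three spoofing attempts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    results = {}
    # Legitimate lease: client on Fa1/2, server replies arrive on trusted Gi1/1.
    sw.dhcp_message("Fa1/2", 10, "DISCOVER", "aa:aa:aa:aa:aa:01")
    sw.dhcp_message("Gi1/1", 10, "OFFER", "aa:aa:aa:aa:aa:01", yiaddr="10.1.1.10")
    sw.dhcp_message("Fa1/2", 10, "REQUEST", "aa:aa:aa:aa:aa:01")
    sw.dhcp_message("Gi1/1", 10, "ACK", "aa:aa:aa:aa:aa:01", yiaddr="10.1.1.10")
    # A DHCP server on an access port tries to hand out an address.
    results["rogue_offer"] = sw.dhcp_message("Fa1/3", 10, "OFFER", "aa:aa:aa:aa:aa:02", yiaddr="10.1.1.200")
    # The genuine host, then the same MAC/IP seen on another port, then the
    # genuine host sending from an address it was never leased, then no lease at all.
    results["genuine"] = sw.verify_source("Fa1/2", 10, "aa:aa:aa:aa:aa:01", "10.1.1.10")
    results["spoof_other_port"] = sw.verify_source("Fa1/4", 10, "aa:aa:aa:aa:aa:01", "10.1.1.10")
    results["spoof_other_ip"] = sw.verify_source("Fa1/2", 10, "aa:aa:aa:aa:aa:01", "10.1.1.20")
    results["no_lease"] = sw.verify_source("Fa1/5", 10, "aa:aa:aa:aa:aa:05", "10.1.1.30")
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenario()
    print(outcome)
    print("\n".join(switch.log))
```

The log the model keeps is the same information a real switch exposes with show ip dhcp snooping binding and the IP Source Guard drop counters, which is what you would check when a host with a static address suddenly stops talking after the feature is turned on.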

Spanning Tree Attacks:

    spanning-tree bpduguard enable
      Blocks (shuts down into err-disabled) a port which is not meant to receive any BPDUs.
    spanning-tree guard root
      Root Guard prevents a root-guard-enabled port from accepting superior BPDUs. This is enabled only on the root and backup-root switches.

Best Practices:

  1. Disable CDP whenever possible.
  2. Lock down the spanning tree.
  3. Disable trunk negotiation and configure trunks manually.
  4. Place unused ports in a blackhole VLAN or blocked VLAN.
  5. Enable switchport host (enables access mode, enables PortFast, disables channel-group).
  6. Use SSH whenever possible for doing switch configuration.
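A way to check a running-config against the VLAN hopping, spanning-tree and best-practice points above, as an added Python example (not from the notes, and not a Cisco tool). It parses a constructed IOS-style config excerpt into global lines and interface/line blocks, then reports access ports that still negotiate DTP, lack PortFast, BPDU Guard or port security, unused ports not parked in a blackhole VLAN, trunks without nonegotiate, CDP and DHCP snooping left off globally, and vty lines that still accept telnet. The blackhole VLAN number 999 and the whole sample config are assumptions.

```python
# Constructed running-config excerpt (not from any real device) used as input.
SAMPLE_CONFIG = """\
hostname SW1
no cdp run
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface FastEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user port left at defaults (DTP still negotiates)
 switchport access vlan 10
!
interface FastEthernet0/3
 description unused
 shutdown
!
interface GigabitEthernet0/1
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
line vty 0 4
 transport input telnet ssh
"""

BLACKHOLE_VLAN = 999   # assumed: the VLAN this site parks unused ports in


def parse_config(text):
    """Split an IOS-style config into global lines and indented blocks
    (interface / line sections). Returns (global_lines, {block_name: lines})."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith((" ", "\t")) and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit(text, blackhole_vlan=BLACKHOLE_VLAN):
    """Return (target, finding) pairs for the best-practice items in the notes."""
    global_lines, blocks = parse_config(text)
    findings = []
    if "no cdp run" not in global_lines:
        findings.append(("global", "CDP is still enabled (no 'no cdp run')"))
    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "DHCP snooping is not enabled"))
    for name, lines in blocks.items():
        present = set(lines)
        if name.startswith("line vty"):
            transport = [l for l in lines if l.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith("all") for t in transport):
                findings.append((name, "management access is not restricted to SSH"))
            continue
        port = name[len("interface "):]
        if "shutdown" in present:
            # Shut ports are only checked for the blackhole VLAN (best practice 4).
            if f"switchport access vlan {blackhole_vlan}" not in present:
                findings.append((port, f"unused port is not parked in blackhole VLAN {blackhole_vlan}"))
            continue
        if "switchport mode trunk" in present:
            if "switchport nonegotiate" not in present:
                findings.append((port, "trunk still runs DTP; add 'switchport nonegotiate'"))
            continue
        # Everything else is treated as a user-facing access port.
        if "switchport mode access" not in present:
            findings.append((port, "no explicit 'switchport mode access': DTP can negotiate a trunk (VLAN hopping)"))
        if "switchport nonegotiate" not in present:
            findings.append((port, "DTP not disabled ('switchport nonegotiate' missing)"))
        if "spanning-tree portfast" not in present:
            findings.append((port, "PortFast not enabled"))
        if "spanning-tree bpduguard enable" not in present:
            findings.append((port, "BPDU Guard not enabled on an access port"))
        if not any(l.startswith("switchport port-security") for l in lines):
            findings.append((port, "port security not enabled"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_CONFIG):
        print(f"{target}: {finding}")
```

Note that switchport host (best practice 5) is a macro: the running-config shows the expanded commands, which is why the checker looks for switchport mode access and spanning-tree portfast rather than for the macro itself.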

Saturday, September 15, 2007

Frame Relay Notes - CCIE

  1. A point-to-point sub-interface can only accommodate a single DLCI at any given time. Point-to-point sub-interfaces are treated by the IOS like a physical point-to-point interface and do not need either inverse-arp or frame-relay map statements.
  2. Multipoint DLCIs rely on either inverse-arp or frame-relay map statements for proper operation.
  3. You must manually clear inverse-arp with the clear frame-relay inarp command to remove any undesired inverse-arp entries.
  4. The broadcast parameter is required for protocols such as OSPF.
  5. If the router is reloaded, inverse-arp will be disabled for any DLCI that is used with a frame-relay map statement.
  6. As a rule, when configuring frame-relay map statements make a note of the protocol and the DLCI specified; if there are any inverse mappings for that same protocol referencing the same DLCI, replace the inverse-arp entries with frame-relay map statements.
  7. Rules to remember when configuring point-to-point sub-interfaces are:
    • No frame-relay map statements can be used with point-to-point sub-interfaces.
    • One and only one DLCI can be associated with a single point-to-point sub-interface.
  8. Without the frame-relay interface-dlci command, all DLCIs are assigned to the physical interface. Split horizon only blocks routing updates in a hub-and-spoke topology.
  9. A Cisco IOS remedy to this split horizon problem is to disable split horizon on the hub router in a frame-relay network; this can be performed in interface configuration mode.
  10. Split horizon is disabled on frame-relay physical IP interfaces; split horizon is enabled on frame-relay point-to-point and multipoint IP sub-interfaces.
  11. OSPF is not affected by the rule of split horizon since it does not apply it.
  12. A remedy to the problem of "hello mismatches" is the Cisco IOS interface configuration command ip ospf network.
  13. A popular selection for OSPF networks is the point-to-multipoint option.
  14. When using only physical interfaces in a hub-and-spoke topology you need to add a frame-relay map statement on the spoke routers to ensure spoke-to-spoke reachability; nothing needs to be done on the hub router.
  15. If using point-to-point sub-interfaces, each sub-interface must be configured as a separate subnet. If a physical or multipoint sub-interface is being used at the hub, remember to disable split horizon at the hub.

Notes on IPv6

    Aggregatable global unicast addresses
      2000 - 3FFF: original routable addresses

    Link-local unicast addresses
      FE80: 1/1024th of all available space, for link use only; used to get a global unicast address via a router or DHCP.

    Site-local unicast addresses
      FEC0: 1/1024th of all available IPv6 space; a sort of private IP addressing scheme. Deprecated.

    Multicast addresses
      FFxx: starts with FF, used for multicasting.

    Multicast to all hosts
      FF02::1: essentially the same as 255.255.255.255

  1. Broadcast has been removed; multicasting has taken its place.
  2. Frame Relay Inverse-ARP is not yet implemented, so static mapping should be used.
  3. ICMPv6 Neighbor Discovery will ultimately replace IPv4 ARP.
  4. ICMPv6 Neighbor Discovery messages:
    • Neighbor Solicitation: ask for information about the neighbor
    • Neighbor Advertisement: advertise yourself to the neighbor
    • Router Solicitation: ask for info about the local routers
    • Router Advertisement: advertise yourself as a local router
  5. ipv6 unicast-routing enables IPv6 on a router. It enables ICMPv6 ND and dynamic routing support.
  6. debug ipv6 packet detail
  7. debug ipv6 nd
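The address ranges listed above and the Neighbor Solicitation step, as an added Python example (not from the notes): classify an IPv6 address by the ranges the notes give, decode the multicast scope nibble, recognise the well-known groups the notes mention (FF02::1, FF02::5, FF02::9), and compute the solicited-node multicast address that a Neighbor Solicitation for a unicast address is sent to. The solicited-node rule (FF02::1:FFxx:xxxx from the low 24 bits, RFC 4291), the FF02::2 all-routers group and the admin-local/organization-local scope names go beyond the notes and are included as assumed knowledge; the test addresses are constructed.

```python
import ipaddress

# Ranges from the notes (2000::/3 covers 2000 - 3FFF).
CLASSES = [
    (ipaddress.IPv6Network("2000::/3"), "aggregatable global unicast"),
    (ipaddress.IPv6Network("fe80::/10"), "link-local unicast"),
    (ipaddress.IPv6Network("fec0::/10"), "site-local unicast (deprecated)"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast"),
]

# Multicast scope is the low nibble of the second byte (ff0S::).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

WELL_KNOWN = {
    "ff02::1": "all nodes (the IPv6 counterpart of 255.255.255.255)",
    "ff02::2": "all routers",          # beyond the notes: Router Solicitation target
    "ff02::5": "OSPFv3 all SPF routers",
    "ff02::9": "RIPng routers",
}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def classify(text):
    """Describe an IPv6 address: class, and for multicast its scope and group."""
    addr = ipaddress.IPv6Address(text)
    info = {"address": str(addr), "class": "other"}
    for net, label in CLASSES:
        if addr in net:
            info["class"] = label
            break
    if addr.is_multicast:
        scope_nibble = addr.packed[1] & 0x0F
        info["scope"] = SCOPES.get(scope_nibble, f"reserved ({scope_nibble:x})")
        if addr in SOLICITED_NODE:
            info["well_known"] = "solicited-node"
        else:
            info["well_known"] = WELL_KNOWN.get(str(addr), "none")
    return info


def solicited_node(text):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address.
    This is the group a Neighbor Solicitation for that address is multicast to,
    so only hosts whose addresses share those 24 bits need to process it."""
    addr = ipaddress.IPv6Address(text)
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


if __name__ == "__main__":
    for sample in ("2001:db8::1", "fe80::1", "fec0::1", "ff02::9", "ff05::1"):
        print(classify(sample))
    print("NS for 2001:db8::1 goes to", solicited_node("2001:db8::1"))
```

A useful consequence when reading debug ipv6 nd output: the destination of a Neighbor Solicitation is never the target address itself but its solicited-node group, and classify() labels such destinations accordingly.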
RIPng

    RFC 2080 defines RIPng for IPv6.
    UDP port 521 is used instead of 520, with a multicast address of FF02::9.
    Configuration:
      Interface level: ipv6 rip [process] enable

OSPFv3

  1. Similar to OSPFv2.
  2. The router-id is an IPv4 address.
  3. Configuration:
    • Interface level: ipv6 ospf [process id] area [area-id]
    • Global level: automatically enabled.
  4. Multicast address is FF02::5.

BGPv6

  1. Same process for IPv6 as for IPv4.
  2. Address-family configuration is used.

Static tunneling:

    GRE: the default tunnel mode
    IPv6 IP: IPv6-in-IPv4 tunneling

Automatic tunnels:

    6to4 tunnels: IPv6 address to IPv4 tunneling
    ISATAP: automatic host-to-host or host-to-router tunneling