BGP OSPF Questions

*Medium branch - up to 100 users. For medium/large branches use a multilayer architecture to provide high availability and resiliency.
*Large branch - up to 200 users or more
 
= Redistribution from OSPF to BGP =
 
*All routes redistributed into BGP take the AD of BGP. To redistribute all OSPF routes, internal and external (E1 and E2), use: redistribute ospf <process-id> match internal external 1 external 2
 
*Redistribution of BGP into OSPF takes a metric of 1; redistribution of OSPF into BGP carries the IGP metric.
 
*QoS - each router maintains two kinds of queue per interface: a hardware queue, which works FIFO, and software queues (LLQ, CBWFQ, flow-based WFQ). A service-policy applies only to the software queues.
 
*Use the tx-ring-limit command to tune the size of the transmit ring to a non-default value (the hardware queue is the last stop before the packet is transmitted).
 
Note: An exception to these guidelines for LLQ is Frame Relay on the Cisco 7200 router and other non-Route/Switch Processor (RSP) platforms. The original implementation of LLQ over Frame Relay on these platforms did not allow the priority classes to exceed the configured rate during periods of non-congestion. Cisco IOS Software Release 12.2 removes this exception and ensures that non-conforming packets are only dropped if there is congestion. In addition, packets smaller than an FRF.12 fragmentation size are no longer sent through the fragmenting process, reducing CPU utilization.
 
*It's all based upon whether there is or is not congestion on the link.
 
*The priority queue (LLQ) will always be served first, regardless of congestion. It will be both guaranteed bandwidth AND policed if there is congestion. If there is not congestion, you may get more throughput of your priority class traffic.
 
*If a class is underutilized, its bandwidth may be used by other classes. This is harder to quantify than you may think, because for normal classes the "bandwidth" command is a minimum guarantee, so a class may get more, in varying amounts, depending on what is in the queue at any point in time during congestion.
 
*As mentioned before, policers determine whether each packet conforms or exceeds (or, optionally, violates) to the traffic configured policies and take the prescribed action. The action taken can include dropping or re-marking the packet. Conforming traffic is traffic that falls within the rate configured for the policer. Exceeding traffic is traffic that is above the policer rate but still within the burst parameters specified. Violating traffic is traffic that is above both the configured traffic rate and the burst parameters.
 
*An improvement to the single-rate two-color marker/policer algorithm is based on RFC 2697, which details the logic of a single-rate three-color marker.
 
*The single-rate three-color marker/policer uses an algorithm with two token buckets. Any unused tokens in the first bucket are placed in a second token bucket to be used as credits later for temporary bursts that might exceed the CIR. The allowance of tokens placed in this second bucket is called the excess burst (Be), and this number of tokens is placed in the bucket when Bc is full. When Bc is not full, the second bucket contains the unused tokens. The Be is the maximum number of bits that can exceed the burst siz
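The two-bucket behaviour described above, as an added worked example (not code from the original notes): a colour-blind single-rate three-color marker in the style of RFC 2697. The rate and burst values in the demo are constructed.

```python
"""Single-rate three-color marker (RFC 2697) as an added example.

CIR is in bits/s, Bc and Be in bytes; the marker is colour-blind.
Rate and burst values in the demo are constructed, not from any real link.
"""
from dataclasses import dataclass, field


@dataclass
class SrTCM:
    cir_bps: int   # committed information rate (bits per second)
    bc: int        # committed burst, capacity of the C bucket (bytes)
    be: int        # excess burst, capacity of the E bucket (bytes)
    tc: float = field(init=False)   # tokens currently in C
    te: float = field(init=False)   # tokens currently in E
    last: float = field(init=False)

    def __post_init__(self):
        # RFC 2697 section 3.1: both buckets start full
        self.tc, self.te, self.last = float(self.bc), float(self.be), 0.0

    def _refill(self, now):
        # Tokens arrive at CIR/8 bytes per second; once C is full the surplus
        # spills into E (the "unused tokens" the notes describe) and anything
        # beyond Be is discarded.
        self.tc += (now - self.last) * self.cir_bps / 8.0
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + (self.tc - self.bc))
            self.tc = float(self.bc)

    def mark(self, now, size):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:            # conform: within CIR / Bc
            self.tc -= size
            return "green"
        if self.te >= size:            # exceed: paid for by the excess burst
            self.te -= size
            return "yellow"
        return "red"                   # violate: above both rate and burst


def colour_burst(marker, arrivals):
    """Mark a constructed arrival list of (time_s, size_bytes) tuples."""
    return [marker.mark(t, s) for t, s in arrivals]


if __name__ == "__main__":
    # 8 kbit/s = 1000 bytes/s, Bc = Be = 1500 bytes (constructed values).
    m = SrTCM(cir_bps=8000, bc=1500, be=1500)
    burst = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]
    print(colour_burst(m, burst))   # green, yellow, red, then green again
```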
 
= Queuing - FIFO, PQ, WFQ, CBWFQ =
 
*PQ - the high-priority queue is always serviced first, irrespective of traffic waiting in the other queues.
*WFQ - flow based; each flow is identified by source and destination address and source and destination port. WFQ always gives preference to smaller flows and smaller packet sizes.
*CBWFQ - traffic is classified and placed into classes; each class is allocated an amount of bandwidth, and the queues are serviced in proportion to the bandwidth allocated to them.
 
*Random Early Detection (RED) is a congestion avoidance mechanism that takes advantage of the congestion control mechanism of TCP. By randomly dropping packets prior to periods of high congestion, RED tells the packet source to decrease its transmission rate. WRED drops packets selectively based on IP precedence. Edge routers assign IP precedences to packets as they enter the network. (WRED is useful on any output interface where you expect to have congestion. However, WRED is usually used in the core routers of a network, rather than at the edge.) WRED uses these precedences to determine how it treats different types of traffic.
 
*When a packet arrives, the following events occur:
1. The average queue size is calculated.
2. If the average is less than the minimum queue threshold, the arriving packet is queued.
3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of traffic.
4. If the average queue size is greater than the maximum threshold, the packet is dropped.
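The four-step arrival procedure above, as an added example (not from the original notes): an EWMA average queue size and a per-precedence drop decision. The thresholds, the drop-probability denominator and the queue samples are constructed values.

```python
"""WRED arrival handling following the four steps above, as an added example.

The per-precedence thresholds and the queue samples are constructed values.
"""
import random

# Constructed profiles: precedence -> (min_threshold, max_threshold,
# mark_probability_denominator). Higher precedence gets a higher minimum
# threshold, so it starts being dropped later than best-effort traffic.
PROFILES = {
    0: (20, 40, 10),
    5: (32, 40, 10),
}


def ewma_avg(prev_avg, current_qlen, exp_weight=9):
    """Step 1: average queue size, weighted by 2^-exp_weight as in IOS."""
    w = 2.0 ** -exp_weight
    return (1 - w) * prev_avg + w * current_qlen


def wred_decision(avg, precedence, draw, profiles=PROFILES):
    """Steps 2-4 for one packet; returns "queue" or "drop".

    `draw` is a uniform number in [0, 1) passed in so results are reproducible.
    """
    min_th, max_th, denom = profiles[precedence]
    if avg < min_th:
        return "queue"                     # step 2: below minimum threshold
    if avg >= max_th:
        return "drop"                      # step 4: above maximum threshold
    # step 3: drop probability climbs linearly from 0 at min_th to 1/denom at max_th
    p_drop = (avg - min_th) / (max_th - min_th) / denom
    return "drop" if draw < p_drop else "queue"


def run_queue(arrivals, exp_weight=9, seed=1):
    """Feed constructed (precedence, instantaneous_qlen) samples through WRED."""
    rng = random.Random(seed)
    avg, results = 0.0, []
    for prec, qlen in arrivals:
        avg = ewma_avg(avg, qlen, exp_weight)
        results.append((prec, round(avg, 1), wred_decision(avg, prec, rng.random())))
    return results


if __name__ == "__main__":
    # A sustained 45-packet backlog: best-effort (prec 0) starts being dropped
    # once the average crosses 20, precedence 5 only once it passes 32.
    samples = [(0, 45), (5, 45)] * 8
    for row in run_queue(samples, exp_weight=1):
        print(row)
```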
 
= IPSEC =
Data | Original IP Header | ESP Header | New IP Header
 
*In transport mode only the data is encrypted, and the original IP header is placed in front of the ESP header.
 
|--Encrypted-----|
Data ------ | ESP Header | Original IP Header
 
 
 
*Encryption algorithms - DES, 3DES, AES
Phase 2 - data is transferred based on the SA parameters exchanged and the keys stored in the SA database.
Phase 1 - security policies are negotiated, a Diffie-Hellman exchange is performed (used to generate the shared session keys), and the remote peer is authenticated.
 
 
*Transform sets - consist of the proposed encryption algorithm, authentication algorithm and key length.
*Protocol 51 - AH traffic
*UDP 500 - ISAKMP traffic
 
 
*ISAKMP: authenticates the peers, determines whether authentication is pre-shared key or RSA encryption, and prepares the SA, which includes the group (key length in bits) and the lifetime of the tunnel.
 
*Data packets for protocols that require Layer 7 inspection can also go through the fast path.
 
= BGP =
 
*BGP synchronization rule - if the AS is acting as transit for another AS, routes learned through BGP will not be advertised unless they are also learned through the IGP.
*If synchronization is turned on, a BGP router will not advertise a route learned from an iBGP peer to an eBGP peer unless that route is also learned through the IGP.
*Split horizon rule - routes learned through an iBGP neighbor will not be advertised to other iBGP neighbors.
*BGP path selection criteria - a route is excluded if its next hop is unreachable; then highest weight, highest local preference, locally originated route, shortest AS path length, lowest origin code (IGP < EGP < Incomplete), lowest MED, eBGP over iBGP, among iBGP the closest IGP neighbor (lowest IGP metric to the next hop), among eBGP the oldest route, lowest router ID.
*BGP message types - Open, Update, Notification, Keepalive.
 
*Routes received from a route-reflector client are reflected to other clients and to non-client neighbors. If we have two route reflectors they should be kept in separate clusters to avoid loops. With multiple RRs having different cluster IDs, the optimal path is selected by the shorter cluster list. Having multiple RRs in the same cluster creates partial connectivity during a failure.
 
*The first route reflector also sets an additional BGP attribute called originator ID, set to the BGP router ID of the client. Any router that receives a route containing its own router ID as originator ID ignores the route.
 
*Confederations - breaking an AS into smaller sub-ASes so that they can exchange routing updates using intra-confederation eBGP sessions,
but on the intra-confederation eBGP session the iBGP parameters are still preserved (like next hop, metric, preference).
 
*Commands - under the BGP process: bgp confederation identifier x (the original AS)
-bgp confederation peers x y ... (specifies the other sub-ASes within the confederation)
 
*MED vs AS-path prepend - MED does not go beyond the neighboring AS, while AS-path prepending carries beyond it.
*bgp always-compare-med - compares MED for paths from neighbors in different ASes.
*bgp deterministic-med - compares MED for paths from different peers in the same AS.
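The path-selection order listed in the BGP bullets above, together with the always-compare-med rule, as one added example (not IOS code and not from the original notes): a comparator that eliminates candidates step by step and reports which step decided. Path attribute values are constructed.

```python
"""BGP best-path selection in the order the notes list, as an added example.

Paths and attribute values below are constructed; this is not IOS code.
"""
from dataclasses import dataclass
from typing import Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class BgpPath:
    name: str
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0
    neighbor_as: int = 0      # AS of the peer the path was learned from
    ebgp: bool = False
    igp_metric: int = 0       # IGP cost to reach the BGP next hop
    age_rank: int = 0         # lower means received earlier (older path)
    router_id: str = "0.0.0.0"


def _rid(p):
    return tuple(int(o) for o in p.router_id.split("."))


# (step name, sort key) in the order the notes give; the minimum key wins.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local_pref", lambda p: -p.local_pref),
    ("locally_originated", lambda p: 0 if p.locally_originated else 1),
    ("as_path_len", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),
    ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp_metric", lambda p: p.igp_metric),
    ("oldest_ebgp", lambda p: p.age_rank),
    ("router_id", _rid),
]


def best_path(paths, always_compare_med=False):
    """Return (winning path, name of the step that decided it)."""
    cands = [p for p in paths if p.next_hop_reachable]   # exclusion step
    if not cands:
        return None, "no reachable next hop"
    for name, key in STEPS:
        if name == "med" and not always_compare_med \
                and len({p.neighbor_as for p in cands}) > 1:
            continue   # MED is only comparable among paths from one neighbor AS
        if name == "oldest_ebgp" and not all(p.ebgp for p in cands):
            continue   # age only breaks ties between eBGP paths
        best = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == best]
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"


if __name__ == "__main__":
    # Two eBGP paths from different neighbour ASes: MED is skipped unless
    # always-compare-med is set, so the older path wins by default.
    via_as1 = BgpPath("via_65001", as_path=(65001,), med=50, neighbor_as=65001,
                      ebgp=True, age_rank=0, router_id="1.1.1.1")
    via_as2 = BgpPath("via_65002", as_path=(65002,), med=10, neighbor_as=65002,
                      ebgp=True, age_rank=1, router_id="2.2.2.2")
    print(best_path([via_as1, via_as2]))                            # via_65001, oldest_ebgp
    print(best_path([via_as1, via_as2], always_compare_med=True))   # via_65002, med
```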
 
*BGP conditional advertisement uses two route-maps, advertise-map and non-exist-map: the prefix in the advertise-map is advertised only if there is no route in the BGP table matching the non-exist-map.
*BGP conditional injection uses inject-map and exist-map: it advertises the specific route defined in the inject-map when the summary route in the exist-map is present. It is the reverse of aggregation.
*SOO - Site of Origin - is used to prevent routing loops; it identifies the site from which the route originated, so the route is not re-advertised back into that site.
*SOO is enabled on PE routers to mark the customer prefixes.
*BGP communities are used to tag routes and to perform policy routing on the upstream router. The community attribute consists of four octets.
*To send communities we need the neighbor x.x.x.x send-community command under the BGP process.
*The well-known BGP communities are:
Internet: advertise these routes to all neighbors.
Local-as: prevent sending routes outside the local AS within the confederation.
No-Advertise: do not advertise this route to any peer, internal or external.
No-Export: do not advertise this route to external BGP peers.
 
*The local-as command can be used while migrating an AS - the BGP Open message will carry the AS defined in local-as.
*neighbor x.x.x.x local-as 100 no-prepend replace-as dual-as (dual-as lets the remote peer use whichever AS number, the real or the local AS, it has configured on its side).
 
*Peer groups - peer groups are a way of defining templates/groups with settings for neighbor relationships.
*The same policy that goes to one neighbor in the peer group must go to all. If one neighbor needs a slightly different config we do not put that neighbor in the peer group; the idea is a group with all required BGP settings, with the neighbors added to the group so they inherit the settings.
*With a BGP peer group one update is generated for the group instead of individual updates, which optimizes update processing. It also makes the configuration simpler.
 
*BGP route reflector - eliminates the need for a BGP full mesh, similar to OSPF DR/BDR election; clients only need to peer with the RR.
*When an RR gets an update from a client it sends it to the other RRs and to its clients.
*It modifies the split horizon rule; the BGP cluster ID is used for loop prevention.
*It does not modify the next-hop attribute.
*Route reflectors modify the split horizon rule: routes learned through iBGP can now be forwarded to other iBGP neighbors, but only the route reflector can do this.
*If a client has iBGP sessions with multiple route reflectors, each client will receive two copies of all routes. This can create routing loops; to avoid it, each route reflector and its clients form a cluster identified by a cluster ID that is unique within the AS.
*Whenever a route is reflected, the route reflector's cluster ID (by default its router ID) is added to the cluster-list attribute. If for any reason the route is reflected back to the route reflector, it will recognize its own cluster ID in the cluster list and will not forward it.
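The originator-ID and cluster-list checks described in the route-reflector bullets above, as an added example (not from the original notes): a small model of what an RR does to a route before reflecting it, including the two-RRs-in-one-cluster case. All router IDs, cluster IDs and prefixes are constructed.

```python
"""Route-reflector loop prevention (originator-id and cluster-list), as an added example.

All router IDs, cluster IDs and prefixes are constructed values.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class IbgpRoute:
    prefix: str
    originator_id: Optional[str] = None
    cluster_list: Tuple[str, ...] = ()


@dataclass
class RouteReflector:
    router_id: str
    cluster_id: Optional[str] = None   # defaults to the router-id, as on IOS

    def __post_init__(self):
        if self.cluster_id is None:
            self.cluster_id = self.router_id

    def reject_reason(self, route: IbgpRoute) -> Optional[str]:
        """Why this router must ignore the route, or None if it is acceptable."""
        if route.originator_id == self.router_id:
            return "originator-id is my own router-id"
        if self.cluster_id in route.cluster_list:
            return "my cluster-id is already in the cluster-list"
        return None

    def reflect(self, route, from_client, learned_from_router_id):
        """Return (outgoing route, audience) or (None, reason) when dropped.

        Rules from the notes: routes from a client go to all clients and
        non-clients; routes from a non-client go to clients only. The next hop
        is left untouched.
        """
        reason = self.reject_reason(route)
        if reason:
            return None, reason
        out = replace(
            route,
            # originator-id is set once, by the first RR, to the client's router-id
            originator_id=route.originator_id or learned_from_router_id,
            # every reflection prepends this RR's cluster-id
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )
        return out, ("clients and non-clients" if from_client else "clients only")


if __name__ == "__main__":
    rr1, rr2 = RouteReflector("10.0.0.1"), RouteReflector("10.0.0.2")
    out, audience = rr1.reflect(IbgpRoute("192.0.2.0/24"), True, "10.0.0.11")
    print(out, audience)
    out2, _ = rr2.reflect(out, False, "10.0.0.1")
    print(rr1.reflect(out2, False, "10.0.0.2"))   # dropped: own cluster-id seen
```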
 
*The BGP Link Bandwidth feature used to enable multipath load balancing for external links with unequal bandwidth capacity. This feature is enabled under an IPv4 or VPNv4 address family sessions by entering the bgp dmzlink-bw command. This feature supports both iBGP, eBGP multipath load balancing, and eiBGP multipath load balancing in Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). When this feature is enabled, routes learned from directly connected external neighbor are propagated through the internal BGP (iBGP) network with the bandwidth of the source external link.
 
*The link bandwidth extended community indicates the preference of an autonomous system exit link in terms of bandwidth. This extended community is applied to external links between directly connected eBGP peers by entering the neighbor dmzlink-bw command. The link bandwidth extended community attribute is propagated to iBGP peers when extended community exchange is enabled with the neighbor send-community command.
 
*It should be configured in conjunction with the maximum-paths command:
bgp dmzlink-bw
neighbor ip-address dmzlink-bw
neighbor ip-address send-community [both | extended | standar
 
 
*Aggregate with as-set - normal aggregation with summary-only advertises only the summary prefix and suppresses all the specific routes, so the router performing the aggregation includes only its own AS in the update.
*When aggregate-address with as-set is used, the update for the summary prefix includes all the ASes of the routes being aggregated as an AS-set; this prevents routing loops.
 
*Attribute-map - can be used to modify the community received on the aggregating router, for example to none. When a router sends a prefix to the router performing aggregation with a community such as no-export attached, the aggregate route inherits that community, which can cause the aggregate prefix not to propagate. To avoid this we can set the community to none using an attribute-map: aggregate-address x.x.x.x y.y.y.y as-set summary-only attribute-map MAP
 
 
 
*BGP backdoor - used to modify the AD of an eBGP-learned route from 20 to 200 so that the IGP-learned route is preferred over eBGP.
*The command is added on the router that learns the prefix from two routing protocols:

router bgp <as-number>
network x.x.x.x mask y.y.y.y backdoor
 
= OSPF =
 
OSPF packet types - Hello, DBD, LSR, LSU, LSAck.
Each interface participating in OSPF sends hellos to 224.0.0.5.
For two routers to form a neighborship: same area, same hello and dead intervals, same subnet mask, and matching authentication.
OSPF states - Down, Init, Two-Way, ExStart (DR/BDR election), Exchange (DBDs are exchanged; each entry describes a link or network with link type, advertising router, sequence number and cost of the link). If a router does not have up-to-date information for an entry it sends an LSR (Loading state); the neighbor replies with an LSU and the requesting router adds the new entry to its LSDB. Once all routers have identical LSDBs they are in the Full state.

Requests are sent to the DR and BDR at 224.0.0.6.

For the broadcast network type each OSPF-speaking router forms a full adjacency with the DR and BDR, and stays in the two-way state with the DROther routers.
 
 
 
sh ip ospf database summary (prefix) gives information for type 3 inter-area routes learned via the ABR.
The type 3 LSA is called a summary LSA, but that does not mean the network prefixes are summarized when propagated by the ABR; it means the topology information is summarized.
 
 
Each LSA in the LSDB carries a sequence number. Each LSA is re-flooded every 30 minutes, and each time an LSA is flooded its sequence number is incremented by one.
 
Point-to-point - T1, E1; neighbors are discovered automatically, hellos are sent to the multicast address 224.0.0.5, and there is no DR/BDR election as there are only two routers.

Multi-access - DR/BDR election. If the DR fails, the BDR becomes DR and a new BDR is elected.

If a new router is added with a higher priority it will not preempt the existing DR and BDR; the election only starts again when the DR or BDR goes down.

DR/BDR - ip ospf priority 0 makes the router DROther (it will never become DR or BDR).
 
 
 
Stub area - all routers in the area must agree on the stub flag. It does not allow type 5 and type 4 LSAs, and the ABR generates a default route into the stub area to reach external destinations.
To configure a stub area - area x stub

Totally stubby area - removes type 3, 4 and 5 LSAs and the ABR generates an inter-area default route. The totally stubby option is configured on the ABR of the area.
To configure totally stubby - on the ABR: area x stub no-summary; the other routers need to be configured with area x stub.

NSSA - designed to keep the stub attributes while also allowing external routes. The ASBR generates type 7 LSAs in the NSSA with the P bit set to 1, and the ABR translates type 7 to type 5 and propagates it into the OSPF domain. All routers must agree on the NSSA flag. The ABR does not generate a default route automatically, so if another external AS is connected to other areas the NSSA will not have information for those external routes; in that case we need to generate the default route manually.

NSSA totally stubby area - removes type 3, 4 and 5 LSAs, generates type 7 LSAs, and the ABR generates a default route. Note it is not necessary for the ABR to be part of the totally stubby NSSA; it can still run plain NSSA for that area in its OSPF process.

Order of preference of OSPF routes - O, O IA, E1, E2, N1, N2.
 
When the ABR translates from type 7 to type 5, and we look for the external network in an area using sh ip ospf database external ..., there are two fields, Advertising Router and Forward Address. The advertising router will be the ABR doing the translation and the forward address is the address of the ASBR.
Also, if the forward address field is 0.0.0.0, traffic will be forwarded to the router originating the route.

If we have multiple ABRs in the NSSA, the ABR with the highest router ID generates the type 5 LSA. This does not mean all traffic will follow the ABR with the highest router ID, because the forward address field contains the information to reach the ASBR for the external destination.

If we want to change the forward address on the ABR while translating from type 7 to type 5 we can use the command
area <id> nssa no-summary translate type7 suppress-fa

Note - in the LSA lookup, if the forward address is 0.0.0.0, the router advertising the LSA is announcing itself as the router to use to reach the destination.
 
 
 
E1 and E2 routes - for E1 routes the external cost is added to the cost of the links the packet traverses. If we have multiple ASBRs we should mark the external routes as type E1.

If we have multiple ASBRs, the default metric to reach the external network propagated by both of them would be the same; in that case each OSPF-speaking router uses the forward metric to reach the ASBR to choose the best path. If the forward metric is also the same, the decision is based on the router ID of the ASBR.

This can be verified with - sh ip ospf database external x.x.x.x

E2 - external cost only; use it if there is a single ASBR.
 
 
Note - the ABR has information for all connected areas, so when generating type 3 LSAs the topology information is summarized and
propagated from one area to the other.
 
 
Loop prevention mechanism in OSPF - only an ABR accepts and processes a type 3 LSA, and only if it is received from the backbone area.
 
area X filter-list prefix {in|out}. Good news here: this command applies after all summarization has been done and filters the routing information from being used for type 3 LSA generation. It applies to all three types of prefixes: intra-area routes, inter-area routes, and summaries generated as a result of the area X range command. All information is learned from the router's RIB. It is used to filter specific prefixes in type 3 LSAs.
 
LSA type 5 filtering - this LSA is originated by an ASBR (a router redistributing external routes) and flooded through the whole OSPF autonomous system. Important - you may filter the redistributed routes with the command distribute-list out configured under the protocol that is the source of the redistribution, or simply apply filtering with your redistribution.

The key thing to remember is that non-local route filtering for OSPF is only available at ABRs and ASBRs.

A distribute-list out on an ABR or ASBR filters the type 5 LSA while propagating.

We can verify using sh ip ospf database external x.x.x.x

A distribute-list in filters the information from the routing table, but the LSA will still be propagated to neighbor routers.
 
 
 
If we have an NSSA and want to filter type 5 LSAs on the ABR, we can filter on the forward address using a distribute-list on the ABR (as the forward address is copied from the type 7 LSA when the ABR regenerates the type 5 LSA from it).
 
OSPF network types:

1. Point-to-point - supports broadcast, like T1, E1; there are only two routers so no DR/BDR election; hello and dead are 10/40.

2. Broadcast - like Ethernet, broadcast capable; there is a DR and BDR election; hello and dead are 10/40.

3. Point-to-multipoint broadcast - has broadcast capability, no DR and BDR election; hello/dead are 40/130. In a hub-and-spoke topology the hub forms adjacencies
with the spokes; the spokes will not form adjacencies with each other as there is no direct layer 2 connection, so when the hub receives an update from a spoke it sets the next hop to itself while propagating the update.

4. Point-to-multipoint non-broadcast - no broadcast capability; hellos are sent as unicast and are not sent unless neighbors are defined manually.
As there is no broadcast capability hellos are sent as unicast, and there is no DR/BDR election; hello/dead are 40/130; special next-hop processing.

Non-broadcast is the default network type on a multipoint Frame Relay interface, e.g. a main interface.
5. Non-broadcast network - the default network type for Frame Relay networks; there is no broadcast capability, hellos are sent as unicast, and neighbors need to be defined manually; hello/dead 30/40; DR and BDR election.
NBMA (non-broadcast) - neighbors need to be defined manually, there is a DR and BDR election, full or partial mesh. In NBMA, because there is a DR/BDR election, either all routers should be fully meshed or the DR/BDR should be statically configured on routers that have full adjacencies to all other routers.
For a non-broadcast network make sure the hub is chosen as DR, and define neighbors manually so OSPF updates are sent as unicast.

Note - on broadcast and non-broadcast networks the DR, on receiving LSAs, does not change the next hop while propagating them to the DROther routers. On a broadcast segment this is fine, while for a non-broadcast Frame Relay network we need to manually define the layer 3 to layer 2 resolution to reach that neighbor,
whereas for point-to-point (HDLC) there is only one device at the other end, so layer 3 to layer 2 mapping is not required.

6. In OSPF, loopbacks are advertised as stub hosts with the network type loopback. If the loopback mask is /24 and we want to advertise it as /24 into the OSPF domain we need to change the network type.
 
 
By adjusting the hello/dead timers you can make non-compatible OSPF network types appear as neighbors via "show ip ospf neighbor", but they won't become "adjacent" with each other. OSPF network types that use a DR (broadcast and non-broadcast) can neighbor with each other and function properly. Likewise OSPF network types that do not use a DR (point-to-point and point-to-multipoint) can neighbor with each other and function properly. But if you mix DR types with non-DR types they will not function properly (i.e. not fully adjacent). You should see "Adv Router is not-reachable" messages in the OSPF database when you've mixed DR and non-DR types.
 
Here is what will work:
 
Broadcast to Broadcast
Non-Broadcast to Non-Broadcast
Point-to-Point to Point-to-Point
Point-to-Multipoint to Point-to-Multipoint
Broadcast to Non-Broadcast (adjust hello/dead timers)
Point-to-Point to Point-to-Multipoint (adjust hello/dead timers)
 
 
 
Command lines:

1. sh ip ospf interface brief
2. sh ip route ospf
3. sh ip ospf border-routers
4. sh ip ospf database summary x.x.x.x - type 3
5. sh ip ospf database external x.x.x.x - type 5
6. sh ip ospf database router x.x.x.x - type 1
 
Summarization can occur on the ABR and ASBR.

The ABR uses the area range command.
When an ABR/ASBR does summarization it generates a null (discard) route for the summary. If a specific prefix becomes unreachable for some reason and the ABR receives traffic for that prefix it will drop the traffic; if we want to avoid that and use a default route to forward the traffic, we can use the command no discard-route internal / external to remove the null route from the routing table.

ASBR - summary-address x.x.x.x mask
 
RFC 2328 - the OSPFv2 specification, to learn OSPF.
 
 
 
virtual links --
 
All areas in an Open Shortest Path First (OSPF) autonomous system must be physically connected to the backbone area (Area 0). In some cases, where this is not possible, you can use a virtual link to connect to the backbone through a non-backbone area. You can also use virtual links to connect two parts of a partitioned backbone through a non-backbone area. The area through which you configure the virtual link, known as a transit area, must have full routing information. The transit area cannot be a stub area.
 
The transit area cannot be a stub area, because routers in the stub area do not have routes for external destinations. Because data is sent natively, if a packet destined for an external destination is sent into a stub area which is also a transit area, then the packet is not routed correctly. The routers in the stub area do not have routes for specific external destinations.
 
 
We can also use a GRE tunnel between the non-backbone area and the backbone area and run area 0 over the tunnel interface, but there is GRE overhead. With a virtual link only the OSPF packets are carried over the virtual link, and data traffic is forwarded natively, as for a normal area connected to the backbone.
 
 
= EIGRP =
 
EIGRP runs on IP protocol 88, OSPF on 89.
 
EIGRP is a hybrid protocol and has some properties of distance vector and some of link state.

Distance vector - it only knows what its directly connected neighbors are advertising; link state-like because it forms adjacencies.

To form an adjacency the EIGRP AS number must be the same between neighbors.

EIGRP multicast address - 224.0.0.10

EIGRP, like BGP, only advertises routes it is going to install in the routing table.
 
EIGRP is a classless protocol but does automatic summarization by default, so we need to disable automatic summarization (no auto-summary).

EIGRP does split horizon; in the case of DMVPN we need to disable split horizon on the hub so that routes learned on the tunnel interface from one spoke can be advertised to the other spokes through the same tunnel interface.

The passive-interface command works slightly differently in EIGRP: it stops sending multicast/unicast hellos to neighbors, thus preventing adjacencies from forming.
 
 
Issuing a neighbor statement in EIGRP on a link means the router stops listening to the multicast address, so we need to specify the neighbor manually on the other side as well to form the adjacency.

Timers in EIGRP do not need to match to form an adjacency.
 
 
 
EIGRP - metric calculation uses bandwidth, delay, reliability, load and MTU.

Bandwidth is taken as the minimum bandwidth along the path, delay as the total delay, load as the highest load and reliability as the lowest reliability when calculating the composite metric.

Feasible distance is the best metric along the path, i.e. the successor's metric.

EIGRP FD - the best metric along the path to the destination, including the metric to reach the neighbor.

Advertised distance - the total metric along the path as advertised by the upstream router.

A router is a feasible successor if its AD < FD of the successor.

FD is used for loop avoidance. Split horizon rule - never advertise a route on the interface on which it was learned.

Only feasible successors are candidates for unequal-cost load balancing.

Load balancing over unequal-cost paths is done in EIGRP through the variance multiplier.
EIGRP is the only routing protocol that supports load balancing across unequal-cost paths, unlike RIP, OSPF and IS-IS.
If the FD of the feasible successor's path <= variance x FD of the successor, that path is chosen for unequal-cost load balancing.
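The composite metric, the feasibility condition (AD < FD) and the variance test from the EIGRP bullets above, as one added example (not from the original notes). Link bandwidths, delays and the candidate paths are constructed; the metric formula assumes the default K values.

```python
"""EIGRP composite metric, feasibility condition and variance, as an added example.

Link values below are constructed; the formula is the classic metric with
default K values (K1 = K3 = 1, K2 = K4 = K5 = 0).
"""
from typing import List, Tuple

SCALE = 256


def composite_metric(bandwidths_kbps: List[int], delays_us: List[int]) -> int:
    """Classic EIGRP metric for a path: slowest link plus total delay."""
    min_bw = min(bandwidths_kbps)              # bandwidth: minimum along the path
    total_delay_tens = sum(delays_us) // 10    # delay: sum, in tens of microseconds
    return SCALE * (10**7 // min_bw + total_delay_tens)


def dual_decision(candidates: List[Tuple[str, int, int]], variance: int = 1):
    """candidates: (neighbor, advertised_distance, cost_to_reach_neighbor).

    Returns the successor, the feasible successors (AD < FD of the successor)
    and the paths the given variance would actually install for unequal-cost
    load sharing (path FD <= variance * successor FD).
    """
    # FD via each neighbor = what that neighbor advertises + our cost to reach it
    paths = [(n, ad, ad + cost) for n, ad, cost in candidates]
    successor = min(paths, key=lambda p: p[2])
    fd = successor[2]
    # Feasibility condition: a neighbor whose AD is not below our FD might be
    # routing through us, so it is never used as a backup (loop avoidance).
    feasible = [p for p in paths if p is not successor and p[1] < fd]
    installed = [successor] + [p for p in feasible if p[2] <= variance * fd]
    return successor, feasible, installed


if __name__ == "__main__":
    print(composite_metric([1544], [20000]))   # classic T1 figure
    # Constructed candidates for one destination: R3 is the cheapest neighbor
    # to reach but its AD (20) is not below the FD (15), so it is not feasible.
    cands = [("R1", 10, 5), ("R2", 12, 20), ("R3", 20, 1)]
    for v in (1, 2, 3):
        succ, feas, inst = dual_decision(cands, variance=v)
        print(v, succ[0], [p[0] for p in feas], [p[0] for p in inst])
```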
 
EIGRP traffic engineering can be easily achieved by modifying the delay value instead of the bandwidth.


EIGRP commands (sh ip eigrp neighbors, sh ip eigrp neighbors detail, sh ip eigrp topology, sh ip route eigrp)

For equal-cost load balancing the traffic is distributed based on CEF. To turn off CEF on an interface: no ip route-cache
 
 
 
SIA - Stuck in Active. If a router sends queries for a destination network and a neighbor takes too long to respond, because of a network flap or some other network condition, the route is considered to be in the SIA state.

We can tune the amount of time a router waits before putting a route into the SIA state with the timers active-time command.

To check which routers have not replied to queries, issue sh ip eigrp topology; routers marked with R are still waiting for replies.
 
 
EIGRP performs auto-summarization for a network when crossing a major network boundary.

* Split horizon should only be disabled on the hub site in a hub-and-spoke network.
no ip split-horizon eigrp x


The EIGRP router ID helps in loop prevention for external routes: if a router receives a route whose originator router ID equals its own router ID, it discards the route.
 
 
EIGRP provides faster convergence because it does not need to run the DUAL algorithm if there is a feasible successor for the path. Otherwise, if the router does not have a backup route, it sends a query to its neighbors, which further propagate the query to their neighbors. If the router does not
receive a reply from a neighbor before the timer expires, it marks the route as Stuck in Active and resets the neighbor relationship if its queries are not answered within that time period.
In OSPF, if the primary path goes down, an LSA has to be sent and the SPF algorithm is run again.
There are ways to bound the query domain. You can do it in either of 2 ways or both:

1) Using summary routes - ip summary-address eigrp <as> [network] [mask] [ad]
If RouterA sends a query message to RouterB and summarization is in use, RouterB will only have a summary route in its EIGRP topology table, not the exact prefix match of the query, and will therefore send a "network unknown" reply back to RouterA. This stops the query process immediately at RouterB, only one hop away.

2) Using stub -
router eigrp 1
eigrp stub <arguments> - the default arguments are connected and summary, which means it
will advertise connected and summary routes only.
A router informs its neighbors of its stub status while the neighbor adjacency is
forming.

Stub routers tell their neighbors "do not send me any queries". Since no queries will be sent, it is extremely effective. However, it is limited in where you can use it. It is only used in non-transit paths and star topologies.

3. Filtering the prefix

Please note an EIGRP neighbor router will propagate a query received from a neighbor only if it has the exact match for the route in its topology table. If the router does not have the exact route in its topology table it sends a reply with "route unknown" to its neighbor and the query is not propagated further.

4. Different AS domains

Different EIGRP AS numbers. EIGRP processes run independently from each other, and queries from one system don't leak into another. However, if redistribution is configured between two processes, a behavior similar to query leaking is observed.
 
 
 
Both IGRP and EIGRP use an Autonomous System (AS) number and only routers using the same AS number can exchange routing information using that protocol. When routing information is propagated between IGRP and EIGRP, redistribution has to be manually configured because IGRP and EIGRP use different AS numbers. However, redistribution occurs automatically when both IGRP and EIGRP use the same AS number
 
= MPLS =
 
* Labels are locally significant between two attached devices. Once mpls ip is enabled, labels are advertised for connected interfaces and IGP-learned routes.
* MPLS label - 32 bits
Bits 0-19 - label value
Bits 20-22 - experimental (EXP) bits for QoS
Bit 23 - BoS - bottom of stack bit, signifying the bottom label in the stack
Bits 24-31 - TTL value
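The 32-bit shim header layout above, as an added example (not from the original notes): packing and parsing a label stack, walking entries until the BoS bit, naming the reserved labels discussed later on this page, and refusing a stack that runs off the end of the data without a BoS entry. The packed stack is constructed, not a capture.

```python
"""MPLS shim header encoding/decoding per the bit layout above, as an added example.

The packed label stack used below is constructed, not captured from a network.
"""
import struct
from typing import List, NamedTuple, Tuple

# Reserved label values 0-15 that the notes name
RESERVED = {0: "explicit-null (IPv4)", 1: "router-alert", 3: "implicit-null", 14: "OAM-alert"}


class LabelEntry(NamedTuple):
    label: int   # 20 bits
    exp: int     # 3 bits (QoS / traffic class)
    bos: bool    # bottom-of-stack flag
    ttl: int     # 8 bits


def encode_entry(e: LabelEntry) -> bytes:
    if not (0 <= e.label < 2**20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
        raise ValueError("field out of range")
    word = (e.label << 12) | (e.exp << 9) | (int(e.bos) << 8) | e.ttl
    return struct.pack("!I", word)


def encode_stack(entries: List[LabelEntry]) -> bytes:
    """Pack a stack; only the last entry carries BoS=1, whatever its field says."""
    last = len(entries) - 1
    return b"".join(encode_entry(e._replace(bos=(i == last)))
                    for i, e in enumerate(entries))


def decode_stack(data: bytes) -> Tuple[List[LabelEntry], int]:
    """Walk 32-bit entries until BoS is set; returns (entries, bytes consumed).

    A stack with no BoS entry before the data ends is rejected rather than
    read past its end, the check a robust parser needs on untrusted frames.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past end of data (no BoS)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        e = LabelEntry(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)
        entries.append(e)
        if e.bos:
            return entries, offset


def describe(label: int) -> str:
    return RESERVED.get(label, "reserved" if label < 16 else "unreserved")


if __name__ == "__main__":
    stack = encode_stack([LabelEntry(16, 0, False, 64), LabelEntry(24, 5, False, 63)])
    print(stack.hex())                         # 0001004000018b3f
    entries, used = decode_stack(stack + b"\x45\x00")   # IPv4 header follows the stack
    for e in entries:
        print(e, describe(e.label))
    print("payload starts at byte", used)
```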
 
* The MPLS label is placed between the layer 2 and layer 3 headers and is known as the shim header.
* FEC - a group or flow of packets that are forwarded along the same path with the same treatment.

* Protocols used to distribute labels are LDP, TDP and RSVP; TDP is Cisco proprietary. A LIB is built containing the local binding and the remote bindings from all LSRs; which remote binding is actually used is decided by the best route in the IP routing table, and that information is populated into the LFIB.
 
MPLS label -32 bit ,first 20 bits label value .20-22 -experimental bits for qos ,23 -BoS(bottom of stack bit to signify the bottom label in stack ,24-32 (TTL vaule )
 
MPLS label is palced between layer 2 and lyer 3 header know as shim headder.
 
FEC-group or flow of packets that are forwaded along the same path with same treatment.
x
Protocol used to distribute labels are LDP ,TDP and RSVP TDP is cisco propriatry.there is formation of LIB which contains local binding and remote binding from all the LSR,what extacly the remote binding need to be used based on best route in Ip routing table information is populated in LFIB.
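As an added example (not code from the wiki page), the following Python decodes and encodes the 32-bit shim header described above, walks a label stack to the BoS bit, and applies an LFIB action to the top label, treating an outgoing implicit null as a pop (the PHP behaviour covered further down the page). The packet bytes and the LFIB contents are constructed for illustration.

```python
"""MPLS shim header, label stack and LFIB actions (push/swap/pop/untagged).

Added example, not code from the wiki page. The packet bytes and the LFIB
contents below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Reserved labels 0-15 (only the ones the notes mention are named here).
EXPLICIT_NULL = 0   # popped by the receiver, but its EXP bits still carry the QoS marking
ROUTER_ALERT = 1
IMPLICIT_NULL = 3   # advertised, never put on the wire: tells the upstream LSR to pop (PHP)
OAM_ALERT = 14
RESERVED = {EXPLICIT_NULL: "explicit-null", ROUTER_ALERT: "router-alert",
            IMPLICIT_NULL: "implicit-null", OAM_ALERT: "oam-alert"}


@dataclass(frozen=True)
class LabelEntry:
    """One 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit BoS, 8-bit TTL."""
    label: int
    exp: int = 0
    bos: bool = False
    ttl: int = 255

    def encode(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def decode(cls, raw: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", raw[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)


def parse_stack(packet: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Read entries until the bottom-of-stack bit; returns (stack, payload), top first."""
    stack: List[LabelEntry] = []
    offset = 0
    while True:
        if len(packet) - offset < 4:
            raise ValueError("truncated label stack (no BoS bit seen)")
        entry = LabelEntry.decode(packet[offset:offset + 4])
        stack.append(entry)
        offset += 4
        if entry.bos:
            return stack, packet[offset:]


def build_packet(labels: List[LabelEntry], payload: bytes) -> bytes:
    """Serialise a stack, setting the BoS bit on the last entry only (a push is just a longer list)."""
    out = b""
    for i, e in enumerate(labels):
        out += LabelEntry(e.label, e.exp, i == len(labels) - 1, e.ttl).encode()
    return out + payload


def lfib_forward(packet: bytes, lfib: Dict[int, Optional[int]]) -> Tuple[str, bytes]:
    """Apply the LFIB action for the top label.

    lfib maps incoming label -> outgoing label. IMPLICIT_NULL means "pop" (what the
    penultimate hop does under PHP); None means "untagged" (strip the labels, IP lookup).
    """
    stack, payload = parse_stack(packet)
    top = stack[0]
    if top.label not in lfib:
        raise KeyError(f"no LFIB entry for label {top.label}: drop")
    if top.ttl <= 1:
        raise ValueError("TTL expired")
    ttl = top.ttl - 1
    out_label = lfib[top.label]
    if out_label is None:
        return "untagged", payload                # plain IP packet handed to CEF
    if out_label == IMPLICIT_NULL:
        rest = stack[1:]
        if not rest:
            return "pop", payload                 # last label gone: next hop does one IP lookup
        # Copy the decremented TTL onto the newly exposed label (uniform TTL model).
        rest[0] = LabelEntry(rest[0].label, rest[0].exp, rest[0].bos, ttl)
        return "pop", build_packet(rest, payload)
    swapped = [LabelEntry(out_label, top.exp, top.bos, ttl)] + stack[1:]
    return "swap", build_packet(swapped, payload)


def describe(entry: LabelEntry) -> str:
    """Name reserved labels, otherwise report the numeric label."""
    return RESERVED.get(entry.label, f"label {entry.label}")


if __name__ == "__main__":
    # Constructed: transport label 100 on top of VPN label 200, over an IP payload.
    pkt = build_packet([LabelEntry(100, exp=5, ttl=64), LabelEntry(200, ttl=64)], b"<ip packet>")
    print(pkt.hex())
    print(lfib_forward(pkt, {100: IMPLICIT_NULL}))   # PHP: transport label popped, VPN label exposed
```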
 
* LDP is used for neighbour discovery over UDP port 646 on multicast address 224.0.0.2; the neighbour adjacency is formed on TCP port 646.
* Label advertisement is for IGP connected interfaces and IGP-learned routes.
* How does a router determine whether it has received an IP packet or a labeled packet? The protocol field in the layer 2 frame tells the router whether to look in CEF for an IP packet or in the LFIB for a labeled one.
* In order to see an extract from the LFIB: sh mpls forwarding-table
* The LFIB entry for one prefix can also be seen with: sh mpls forwarding-table <prefix> <mask length>
* MPLS stack operations: push, pop, swap, untagged, aggregate (summarisation is performed on the router, so the label is removed and an IP lookup is performed).
* Labels 0 to 15 are reserved labels - label 0 is the explicit null label, label 3 is the implicit null label, label 1 is the router alert label, label 14 is the OAM alert label.
* The implicit null label is used for penultimate hop popping.
* The explicit null label is used to preserve the QoS information.
* In order to change the MPLS label range: mpls label range 16 to 10 lakh (1,000,000).
* MPLS LDP works on UDP port 646 and LDP hello messages are sent to multicast address 224.0.0.2.
* In order to check whether labels are received or not: sh mpls ldp discovery detail

* Command lines for MPLS:
1. ip cef
2. mpls label protocol tdp / ldp
3. mpls ip

sh mpls ldp interface
sh mpls ldp neighbor
sh mpls forwarding-table (similar to sh ip route)

* PHP - Penultimate Hop Popping: the device next to the last hop in the path removes the label, to optimise label lookup so that the end device does not need to perform two lookups while sending the traffic to the end customer.
* To accomplish this, the router next to the last hop sends the implicit null label for all its connected and loopback interfaces.
* Note: for any destination which is one hop away, in the MPLS forwarding table we are going to see POP LABEL.
* P routers in the core do not need to know the full reachability of customer routing information as they just switch packets based on labels.
* For MPLS to work correctly we need to enable the BGP next-hop-self command so that EBGP updates propagate over the IBGP peer with the loopback interface as next-hop information. If the BGP peering between PEs is formed over physical interfaces instead of loopbacks, the peering will form but it will lead to a black hole: PHP will cause the third-last hop to perform the POP operation and the traffic will be forwarded to the next-to-last hop as an IP packet, for which that router has no information about the destination.
* The issue is that PHP gets processed one hop too soon.

* MPLS basics consist of two components:
1) VRFs - separation of customer routing information using VRFs per interface
2) exchange of routing information using MP-BGP.

* VRFs without MPLS is called VRF lite. When using VRF lite the route distinguisher is only locally significant.
* When we create VRFs, for any packet that arrives on an interface in a VRF the routing lookup is done in that VRF.
* VPNv4 route - RD + IPv4 prefix (the RD makes VPNv4 routes unique globally; the RD is 8 bytes).
* MPLS VPN label - PEs exchange a label for each customer route via VPNv4.
* Transport label - to transport the packet across to the remote PE.
* RT (route target) is used to tell the PE which VRF a route belongs to; it is a BGP extended community attribute.
* If we are running EIGRP over VRFs then we need to specify the autonomous system inside each VRF separately, else the EIGRP adjacency will not be formed in the VRF.
* Route target export - to advertise the routes from the VRF into BGP.
* Route target import - to import the routes from BGP into the VRF.
* Between the PE routers peering is done globally; however, customer routes are redistributed in address-family vpnv4.
* Please note that while configuring vpnv4 we need to activate the vpnv4 capability with the remote peers.
* Loop prevention mechanism for route targets - the router will not import any prefix into a VRF unless its route target is specified.
* Packet structure: Layer 2 header - Transport label + VPN label - IP header - Layer 4 header - Payload
* So when the traffic from the remote PE reaches the PE on the other side, it will just refer to the VPN label to see which exit interface or VRF the packet belongs to.
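The RD and route-target mechanics above (VPNv4 route = RD + prefix, export and import RTs, one VPN label per customer route, and no import without a matching RT), as an added Python example that is not part of the page; the VRF names, RDs, RTs, prefixes, PE loopback and labels are constructed.

```python
"""VPNv4 route export/import with RD and route targets (added example, not from the page).

Constructed scenario: two customers, A and B, both using 10.1.1.0/24 behind the same PE.
The RD keeps the two VPNv4 routes distinct in the BGP table; the import RT decides which
VRF may take a route, and a VRF never imports a prefix whose RT it was not told to import.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                    # route distinguisher, e.g. "65000:100"
    prefix: str                # IPv4 prefix
    rts: FrozenSet[str]        # route-target extended communities
    vpn_label: int             # VPN label the originating PE allocated for this route
    next_hop: str              # originating PE loopback (reached via the transport label)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str] = field(default_factory=list)
    # prefix -> (next hop, VPN label) once imported from BGP
    imported: Dict[str, Tuple[str, int]] = field(default_factory=dict)


def export_vrf(vrf: Vrf, pe_loopback: str, first_label: int) -> List[Vpnv4Route]:
    """Redistribute the VRF's subnets into BGP as VPNv4 routes: prepend the VRF's RD,
    attach its export RTs and allocate one VPN label per route."""
    return [Vpnv4Route(vrf.rd, p, frozenset(vrf.export_rts), first_label + i, pe_loopback)
            for i, p in enumerate(vrf.local_prefixes)]


def vpnv4_table(routes: List[Vpnv4Route]) -> Dict[Tuple[str, str], Vpnv4Route]:
    """The BGP VPNv4 table is keyed on RD + prefix, so overlapping customer prefixes coexist."""
    table: Dict[Tuple[str, str], Vpnv4Route] = {}
    for r in routes:
        key = (r.rd, r.prefix)
        if key in table:
            raise ValueError(f"duplicate VPNv4 NLRI {key}")
        table[key] = r
    return table


def import_into_vrf(vrf: Vrf, routes: List[Vpnv4Route]) -> Vrf:
    """Install only routes that carry at least one of the VRF's import RTs."""
    for r in routes:
        if r.rts & vrf.import_rts:
            vrf.imported[r.prefix] = (r.next_hop, r.vpn_label)
    return vrf


if __name__ == "__main__":
    pe1 = "10.255.0.1"   # constructed PE loopback
    a = Vrf("CUST_A", "65000:100", {"65000:100"}, {"65000:100"}, ["10.1.1.0/24", "10.1.2.0/24"])
    b = Vrf("CUST_B", "65000:200", {"65000:200"}, {"65000:200"}, ["10.1.1.0/24"])
    routes = export_vrf(a, pe1, 16) + export_vrf(b, pe1, 18)
    print(len(vpnv4_table(routes)), "VPNv4 routes despite the overlapping 10.1.1.0/24")
    remote_a = Vrf("CUST_A", "65000:100", {"65000:100"}, {"65000:100"})
    print(import_into_vrf(remote_a, routes).imported)
```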
 
 
* Steps for MPLS once basic connectivity and MPLS are enabled on the interfaces in the MPLS network:
1. Create the VRF with route distinguisher + RT
2. Assign the VRF to interfaces
3. Run a VRF-aware routing process between PE and CE
4. Establish VPNv4 peers
5. Redistribute subnets from the VRF into BGP and vice versa.

* Sham links are basically the creation of virtual links between PEs running the BGP network, extending the OSPF domain over MPLS.
* When we are running OSPF between PE and CE and redistribute OSPF routes into BGP and vice versa, additional OSPF attributes are attached to the BGP VPNv4 routes.
* So on the other PE side, when these routes are redistributed back from BGP into OSPF, these attributes determine where the redistributed routes are placed in the OSPF database: as type 1, 2, 3, 4 or 5.
* An additional attribute encoded from OSPF into BGP is, for example, the OSPF domain ID, which is derived from the local process ID. If the OSPF process ID is the same as the domain ID in the VPNv4 prefix, the routes are injected into the OSPF database as Type 3 LSAs even though they are redistributed from BGP into OSPF.
* If the domain IDs do not match, the routes are learned as type 5 at the other VPN site.
* So if we have a backdoor link between two sites, the backdoor link is always preferred over MPLS. To avoid this we create a sham link between the PEs, like a GRE tunnel, to extend the OSPF domain over MPLS, so that the routes redistributed from BGP into OSPF are seen as intra-area routes rather than inter-area routes.

* How to create sham links:
1. Allocate an address on each PE that is reachable over MPLS
2. Under OSPF for that VRF, create the adjacency between the PEs:

router ospf 1 vrf <vrf name>
area 0 sham-link <source address> <destination address>

* OSPF path selection criteria - if we have two routes learned as inter-area routes but one is learned via an ABR in the backbone area and the other via an ABR in a non-backbone area, the prefix via the backbone area is always preferred.
* The loop prevention mechanism for OSPF changes when it is being used with layer 3 MPLS.
* Using OSPF between PE and CE, customer routes are sent as Type 3 LSAs with the DN (down) bit set, so if the same route is received by the PE on the other side, the DN bit makes that PE aware not to redistribute the route back into BGP.
* The capability vrf-lite command under the OSPF process is used to ignore the down bit; otherwise a Type 3 LSA with the DN bit set will not be installed in the routing table.
* For Type 5 LSAs either the DN bit or a route tag is used to prevent the loop.
 
= Switching =

== Commands for switching ==

* Note - the layer 2 header contains source MAC, destination MAC and ethertype; the ethertype field tells the process which layer 3 protocol follows, e.g. IPv4 or IPv6.
sh int fa0/1 switchport ( trunk, access, administrative mode )
sh int trunk ( ports which are trunk )
sh spanning-tree vlan 1 ( to check whether traffic is forwarded in spanning tree )

* If we have a layer 2 EtherChannel, then the sh spanning-tree output should show the port-channel group rather than the individual physical links, else we have an issue.
* On the switch we have root ports and designated ports; all the traffic from the root port will be forwarded towards the root bridge.
* If two switches are in different VTP domains, as long as the trunking set between them is correct they will not affect the broadcast domain - good.

* Two ways to change the priority for the root bridge:
spanning-tree vlan 2 root primary
spanning-tree vlan 2 priority <value lower than 32768>

* In spanning tree, one of the elections (for the root port on a non-root bridge) is based on the path cost, which is local to the interface.
* On the 3560 switch PVST+ is enabled by default.

* DTP results: auto - auto results in an access port
* access mode - dynamic desirable - access port
* trunk with nonegotiate - auto - no trunk forms, because the switch on the left side is not sending DTP frames.

* Best practices for trunking - mode trunk and nonegotiate. Trunk negotiation is done by DTP; when using DTP both ends should be in the same VTP domain.
* When a frame traverses the trunk link it is marked by the trunking protocol, and on the receiving end the VID is removed before sending to the access link.

== ISL and 802.1Q ==

* ISL - encapsulates the entire frame; it has no native VLAN traffic; the original frame is unmodified; ISL adds a 26-byte header and a 4-byte trailer; ISL VLAN range 1-1024.
* 802.1Q - inserts a 4-byte tag; does not tag frames that belong to the native VLAN; the tag includes a priority field, extending QoS support; 4096 VLANs, 1-4096.

* In order to maintain identical VLAN databases, VLAN information is propagated over trunk links within the same VTP domain; VTP information is advertised over trunk links only.
* VTP is a layer 2 messaging protocol. There are three versions of VTP (1, 2, 3).
* Limitation of VTP versions 1 and 2 - extended VLAN functionality could only be used when the switch is configured in transparent mode, so VTP version 3 is used.

Server mode - create, delete, modify VLANs; send and forward advertisements; sync the VLAN database; store the information in NVRAM
Transparent mode - create, delete, modify local VLANs; forward advertisements; no sync of the VLAN database; store the information in NVRAM
Client mode - cannot create, delete, modify VLANs; forward advertisements; sync the VLAN database; do not store the information in NVRAM.

Important: whenever a new switch is added, make sure its configuration revision is less than that of any other switch in the VTP domain; if it is higher it will erase all the VLAN information of the servers and clients. To protect against that, either add the switch in transparent mode or in a different domain.

* VTP configuration requires the VTP domain, password and VTP mode on each switch. Check with sh vtp status or sh vtp counters.
* VTP pruning - used to remove unnecessary flooding of broadcast traffic on the network.
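The configuration revision hazard from the note above, as an added Python example that is not part of the page: a switch with a higher revision joining the domain overwrites the servers and clients, while transparent mode or a different domain name leaves them untouched. Switch names, VLANs, passwords and revisions are constructed.

```python
"""VTP revision handling and the "higher revision wipes the VLAN database" hazard.

Added example, not code from the wiki page; the domain, switches, VLANs and
revision numbers are constructed. A server or client accepts an advertisement
from its own domain (same name and password) whose configuration revision is
higher than its own and replaces its VLAN database with it.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class VtpAdvert:
    domain: str
    password: str
    revision: int
    vlans: FrozenSet[int]


@dataclass
class VtpSwitch:
    name: str
    domain: str
    password: str
    mode: str                       # "server", "client" or "transparent"
    revision: int
    vlans: Set[int] = field(default_factory=lambda: {1})

    def advertise(self) -> Optional[VtpAdvert]:
        """Servers and clients advertise their database; transparent switches only forward others'."""
        if self.mode == "transparent":
            return None
        return VtpAdvert(self.domain, self.password, self.revision, frozenset(self.vlans))

    def receive(self, adv: VtpAdvert) -> bool:
        """Return True if the local VLAN database was overwritten by the advertisement."""
        if self.mode == "transparent":
            return False                           # forwarded, never synchronised
        if adv.domain != self.domain or adv.password != self.password:
            return False                           # other domain or wrong password: ignored
        if adv.revision <= self.revision:
            return False                           # stale or equal revision: ignored
        self.vlans = set(adv.vlans)
        self.revision = adv.revision
        return True


def join_domain(new_switch: VtpSwitch, members: List[VtpSwitch]) -> List[str]:
    """Trunk the new switch into the domain; return the members whose database it wiped."""
    adv = new_switch.advertise()
    if adv is None:
        return []
    return [m.name for m in members if m.receive(adv)]


def safe_to_add(new_switch: VtpSwitch, members: List[VtpSwitch]) -> bool:
    """Pre-join check from the note: the revision must be below every member's in the same
    domain, unless the switch is transparent (a different domain has no same-domain members)."""
    if new_switch.mode == "transparent":
        return True
    same_domain = [m for m in members if m.domain == new_switch.domain]
    return all(new_switch.revision < m.revision for m in same_domain)


if __name__ == "__main__":
    members = [VtpSwitch("core-1", "CORP", "s3cret", "server", 5, {1, 10, 20, 30}),
               VtpSwitch("access-1", "CORP", "s3cret", "client", 5, {1, 10, 20, 30}),
               VtpSwitch("lab-1", "CORP", "s3cret", "transparent", 2, {1, 99})]
    stale = VtpSwitch("new-1", "CORP", "s3cret", "server", 12, {1})   # reused from another network
    print("safe:", safe_to_add(stale, members), "wiped:", join_domain(stale, members))
```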
 
== STP ==

* STP is used to avoid unwanted loops in the environment.
* STP creates one reference point in the network called the root of the tree; based on that reference point it decides whether there is a redundant path in the network.
* Layer 2 forwarding - by default CAM table entries age out every 300 seconds.
* We can also create a static MAC address table entry in the CAM - command: mac-address-table static <mac-address> vlan <id> interface <type>
* A bridge segments collision domains; it does not segment broadcast domains.
* Root bridge - selection is based on the BPDU, which contains the bridge ID, a combination of MAC address and priority (the lower value is chosen for both). On the root bridge both the ports are DPs.
* Then there is the selection of the root port on each non-root bridge.
* Root port selection is based on the following parameters, in order: lowest root bridge ID, lowest path cost to the root bridge, lowest sender bridge ID, lowest port priority, lowest port ID.
* For every LAN segment there is the selection of a DP (selection is based on the same root ID criteria).

* 802.1D states:
Disabled
Blocking (listens to incoming BPDUs)
Listening
Learning
Forwarding (transmits BPDUs)

* Hello time - default is 2 seconds, the interval at which the root bridge sends subsequent configuration BPDUs; for a non-root bridge the TCN BPDU interval is 2 sec.
* Forward delay - the time a switch port spends in each of the listening and learning states; default is 15 seconds.
* Maximum age - the time after which a stored BPDU is aged out; default is 20 seconds.
* If any interface flaps (up/down), the switch sends a TCN BPDU until it reaches the root bridge; the root bridge then sends configuration BPDUs with the TC flag set and each switch rebuilds its MAC table based on the forward delay time instead of the default 300 sec. Total time is 17 seconds.
* The total time for a port to transition from blocking to forwarding is 30 seconds.

* PortFast feature - when PortFast is enabled on a port, a TCN BPDU is sent in case of a topology change and the port transitions directly to the forwarding state. So there is a chance that a PortFast-enabled port could cause STP loops if a switch is accidentally connected to that port; to prevent this we use BPDU Guard along with PortFast.
* We can manually select the root bridge:
spanning-tree vlan <vlan-id> priority <bridge priority>
* We can manually set one bridge to become the root bridge:
spanning-tree vlan <vlan-id> root (primary | secondary) [diameter]
* We can also set the path cost:
spanning-tree vlan <vlan-id> cost <cost>
* Port ID is 16 bits - 8-bit port priority + 8-bit port number:
spanning-tree vlan <vlan-id> port-priority <priority>
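The root bridge and root port election described above (bridge ID = priority + MAC, then the ordered tie-breakers, with the 16-bit port ID built from port priority and port number), as an added Python example that is not from the page. The bridge IDs, BPDUs and port costs are constructed; the per-port cost of 19 assumes 100 Mb/s links.

```python
"""STP root bridge and root port election (added example, not from the wiki page).

Comparison order from the notes: lowest root bridge ID, lowest path cost to the root,
lowest sender bridge ID, lowest sender port priority, lowest sender port ID. Port
priority is the high byte of the 16-bit port ID, so comparing the port ID covers both.
The bridge IDs, BPDUs and port costs used below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int       # 0-65535, default 32768; lower wins
    mac: str            # e.g. "00:00:00:00:00:aa"; lower wins on equal priority

    def key(self) -> Tuple[int, int]:
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int        # sender's own cost to the root
    sender_id: BridgeId
    sender_port_priority: int  # high byte of the 16-bit port ID (default 128)
    sender_port_number: int    # low byte of the 16-bit port ID

    def sender_port_id(self) -> int:
        return (self.sender_port_priority << 8) | self.sender_port_number


def bpdu_rank(bpdu: Bpdu, ingress_cost: int) -> tuple:
    """Smaller tuple = better BPDU. Path cost is the sender's cost plus the local port cost."""
    return (bpdu.root_id.key(), bpdu.root_path_cost + ingress_cost,
            bpdu.sender_id.key(), bpdu.sender_port_id())


def elect(local: BridgeId,
          received: Dict[str, Tuple[Bpdu, int]]) -> Tuple[BridgeId, Optional[str], int]:
    """received maps port name -> (best BPDU heard on that port, that port's STP cost).

    Returns (root bridge, root port or None if this bridge is the root, cost to the root).
    """
    best_port, best_rank = None, None
    for port, (bpdu, cost) in received.items():
        rank = bpdu_rank(bpdu, cost)
        if best_rank is None or rank < best_rank:
            best_port, best_rank = port, rank
    # If no BPDU names a root with a lower bridge ID than ours, we are the root bridge.
    if best_rank is None or local.key() < best_rank[0]:
        return local, None, 0
    return received[best_port][0].root_id, best_port, best_rank[1]


if __name__ == "__main__":
    root = BridgeId(4096, "00:00:00:00:00:aa")
    sw_b = BridgeId(32768, "00:00:00:00:00:bb")
    local = BridgeId(32768, "00:00:00:00:00:cc")
    heard = {
        "fa0/1": (Bpdu(root, 0, root, 128, 1), 19),   # direct link to the root, its port 1
        "fa0/2": (Bpdu(root, 4, sw_b, 128, 1), 19),   # via switch B: 4 + 19 = 23
        "fa0/3": (Bpdu(root, 0, root, 128, 2), 19),   # direct link too; loses on sender port ID
    }
    print(elect(local, heard))
```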
 
== RSTP ==

* RSTP has a rapid convergence time (discarding, listening, forwarding).
* RSTP works on port roles instead of relying on BPDUs from the root bridge.
* RSTP port roles - root port, DP, alternate port (backup of the root port, when there are two uplinks), backup port (on a given segment, if the active link fails and there is no other path to reach the root, the backup port becomes active).
* In RSTP all full-duplex ports are point-to-point links. BPDUs are exchanged between switches in the form of proposal and agreement: once a given port is selected as DP and the other switch sends the agreement message, RSTP converges quickly through this RSTP handshake.

== HSRP/VRRP/GLBP ==

* HSRP - provides redundancy for the gateways; HSRP exchanges hello messages on 224.0.0.2.
* VRRP - in VRRP we can use the real IP address of a router as the virtual address; IEEE standard; the router with the highest priority is the master router and the others act as backup; VRRP messages are sent on multicast address 224.0.0.18; the default interval is 1 second and preemption is enabled by default.
* GLBP - uses the concept of an AVG: one router acts as primary while another acts as backup; the AVG assigns virtual MACs to the AVFs, and it is the AVFs which forward the packets based on the virtual MACs assigned by the AVG.
* GLBP communicates over hello packets sent every 3 seconds on multicast address 224.0.0.102; GLBP supports up to 1024 virtual routers.

== MST ==

* This table shows the support of MST in Catalyst switches and the minimum software required for that support.

{| class="wikitable"
! Catalyst platform !! MST with RSTP (12.1 or higher)
|-
| Catalyst 2900 XL and 3500 XL || Not available
|-
| Catalyst 2950 and 3550 || Cisco IOS 12.1(9)EA1
|-
| Catalyst 3560 || Cisco IOS 12.1(9)EA1
|-
| Catalyst 3750 || Cisco IOS 12.1(14)EA1
|-
| Catalyst 2955 || All Cisco IOS versions
|-
| Catalyst 2948G-L3 and 4908G-L3 || Not available
|-
| Catalyst 4000, 2948G, and 2980G (Catalyst OS (CatOS)) || 7.1
|-
| Catalyst 4000 and 4500 (Cisco IOS) || 12.1(12c)EW
|-
| Catalyst 5000 and 5500 || Not available
|-
| Catalyst 6000 and 6500 (CatOS) || 7.1
|-
| Catalyst 6000 and 6500 (Cisco IOS) || 12.1(11b)EX, 12.1(13)E, 12.2(14)SX
|-
| Catalyst 8500 ||
|}
 
== Spaning tree features ==
 
Spaning tree features that helps in reducing covergence time
 
* Portfast
1 .Portfast -used for access layer ports ,Ports directyly transtion to forwading state with out going to lisening and learing states .
Used for access layer ports, Ports directly transtion to forwading state with out going to lisening and learing states.
 
* Uplink fast
2. uplink fast -is used in case of one of uplink goes down ,root port and alternate port forms uplink group ,if the root port goes down alternate port directyly transtion to forwading state with out going to lisening and learing states .
Used in case of one of uplink goes down, Root port and alternate port forms uplink group, If the root port goes down alternate port directyly transtion to forwading state with out going to lisening and learing states.
 
* Backbone fast
In case of indirect link failure, switch on where backbone fast is enabled receice inferior BPD's from Desiganting switch anouncing it self as root bride,
On receiving the inferior BPDUS it will expire the max aga time immediatelly and reconverge the toplogy.
Backbone fast helps in optimisation of max-age timer, should be implemented globally.
Switch determine that path to root bridge has gone down so send the RLQ out all its ports and once the root bridge recieve the RLQ and send the response back and port receving the response can transtion to forwading the state
 
== PAGP ==
3. backbone fast -In case of indirect link failure ,switch on where backbone fast is enabled receice inferior BPD's from Desiganting switch anouncing it self as root bride ,On revceving the inferior BPDUS it will expire the max aga time imidiatlly and reconverge the toplogy.Backbone fast helps in optimisation of max-age timer,should be implemented globally .
switch determine that path to root bridge has
gone down so send the RLQ out all its ports and once the root bridge recieve the RLQ and send the response back and port receving the response can transtion to forwading the state
 
* Auto
Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation.
This setting minimizes the transmission of PAgP packets.
This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
 
* Desirable
PAGP
Places a port into an active negotiating state, in which the port starts negotiations with other ports by sending PAgP packets.
----
This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
auto
Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets. This mode is not supported when the EtherChannel members are from different switches in the switch stack (cross-stack EtherChannel).
 
== CISCO 3750 Stacking ==

* All stack members are eligible stack masters. If the stack master becomes unavailable, the remaining stack members elect a new stack master from among themselves.
* Switches should run the same IOS for a stack member to be fully functional. If there is a major version mismatch the switch will not join the stack; if there is a minor version mismatch, the stack will upgrade the switch so that it becomes fully functional.
* The default stack member number of a 3750 switch is 1. When it joins a switch stack, its default stack member number changes to the lowest available member number in the stack. Stack members in the same switch stack cannot have the same stack member number. Every stack member, which includes a standalone switch, retains its member number until you manually change the number or unless the number is already used by another member in the stack.
 
== Provisioning of switch ==
 
* You can use the offline configuration feature to provision (to supply a configuration to) a new switch before it joins the switch stack.
* In advance, you can configure the stack member number, switch type, and interfaces associated with a switch that are not currently part of the stack.
 
* The configuration that you create on the switch stack is called the provisioned configuration.
 
* The switch that is added to the switch stack and that receives this configuration is called the provisioned switch.
* You manually create the provisioned configuration through the ''switch stack-member-number provision type'' global configuration command.
* The provisioned configuration is also created automatically when a switch is added to a switch stack that runs Cisco IOS Release 12.2(20)SE or later and no provisioned configuration exists.
* Provision switch member 2:
switch 2 provision ws-c3750-48ts

* Remove the provisioned switch from the stack:
no switch 2 provision ws-c3750-48ts
 
== Spanning tree security features ==
 
 
 
== Spanning Tree enhancements ==
 
* BPDU Guard
Enable on the edge ports connected to hosts.
If a BPDU is received on these interfaces, the interface is put into shutdown state.

* BPDU Filter
Enable on edge ports.
If enabled, the port does not send or receive BPDUs; if a BPDU is received it is dropped, and the port goes through the normal STP states.

* Root Guard
Root Guard prevents a switch from becoming the root bridge. It is enabled on the designated ports of the root switch, so that if those ports receive a superior BPDU the port is put into an inconsistent state.

* Loop Guard
Spanning Tree Loop Guard helps to prevent loops when you use fibre links.
STP is not able to detect a Layer 1 issue. When Loop Guard detects that BPDUs are no longer being received on a non-designated (alternate/backup) port, the port is moved into a loop-inconsistent state instead of transitioning through the listening/learning/forwarding states. Ideally it can be enabled on all ports; it should be enabled on non-designated ports.
Actually, Loop Guard is a method of protecting against unidirectional links. In order for spanning tree to function correctly, any link participating in STP has to be bidirectional. If a link becomes unidirectional, through a cable failure or interface fault, spanning tree could unblock a link, which would cause a loop.
UDLD (UniDirectional Link Detection) is a Cisco proprietary protocol that will detect this condition.
Loop Guard is what you would use if you didn't have Cisco switches at each end of the link in question.
Based on the various design considerations, you can choose either UDLD or the Loop Guard feature.
In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software; in such a failure the designated switch does not send BPDUs.
However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links.
In return, UDLD might be more flexible in the case of unidirectional links on an EtherChannel.
In this case, UDLD disables only the failed links, and the channel should remain functional with the links that remain.
In such a failure, Loop Guard puts the channel into loop-inconsistent state and blocks the whole channel.
Additionally, Loop Guard does not work on shared links or in situations where the link has been unidirectional since link-up.
In the last case, the port never receives a BPDU and becomes designated.
Because this behaviour could be normal, this particular case is not covered by Loop Guard.
UDLD provides protection against such a scenario.
Loop Guard is not able to detect a miswiring problem, but UDLD is able to detect this, because UDLD uses its own Layer 1 keepalive messages.

* DHCP snooping - allows configuration of trusted and untrusted ports. Trusted ports may source all DHCP messages; untrusted ports may source only DHCP requests. If a rogue DHCP server tries to reply to a DHCP request on an untrusted port, DHCP snooping will shut that port.
DHCP option 82 - in which the port number is also added to the DHCP request.

* Switchport port security only works if the port is configured as a static access/trunk port; it won't work with a port in dynamic mode.
We can bind the MAC address with the switchport port-security command, and if we use sticky, whatever MAC is learned on the interface is added to the secure CAM table and also to the running config.
The second option is to manually create static entries in the CAM table.

* Storm control feature - used to limit the amount of unicast/multicast/broadcast packets received on an interface. Similar to a policer in MQC.

* Port-based ACL - used to apply an access list on a Layer 2 port, but it only filters inbound traffic.
We can also use a MAC-based ACL, but that is only used to restrict non-IP traffic.

* IP Source Guard (Layer 2 port); Dynamic ARP Inspection is for ARP spoofing.
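The DHCP snooping, Dynamic ARP Inspection and IP Source Guard bullets above describe one pipeline built on the snooping binding table. As an added example (not code from the original notes), a small Python model of that pipeline run over constructed sample frames: port names, MAC and IP addresses are made up, and the rogue-server case is modelled as the port being errdisabled, as the notes describe.

```python
from dataclasses import dataclass, field

# Message kinds used by this model; a real switch derives them from the DHCP/ARP headers.
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST"}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK"}


@dataclass
class Frame:
    port: str            # switch port the frame arrived on
    src_mac: str         # Ethernet source address
    kind: str            # DHCPDISCOVER/DHCPREQUEST/DHCPOFFER/DHCPACK/ARP/IP
    chaddr: str = ""     # DHCP client hardware address (DHCP messages only)
    yiaddr: str = ""     # address leased to the client (DHCPACK only)
    sender_ip: str = ""  # ARP sender IP, or IP source address


@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports facing the legitimate DHCP server
    bindings: dict = field(default_factory=dict)  # client MAC -> (leased IP, client port)
    pending: dict = field(default_factory=dict)   # client MAC -> port that sent the request
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ingress(self, f: Frame) -> str:
        """Apply the checks to one frame and return FORWARD or DROP."""
        if f.port in self.errdisabled:
            return "DROP"
        if f.kind in SERVER_MSGS:
            return self._server_message(f)
        if f.kind in CLIENT_MSGS:
            return self._client_message(f)
        if f.kind == "ARP":
            return self._dai(f)
        return self._ipsg(f)

    def _server_message(self, f: Frame) -> str:
        # DHCP snooping: OFFER/ACK are accepted only from trusted ports. The notes describe
        # the rogue-server case as the port being shut, modelled here as errdisable.
        if f.port not in self.trusted:
            self.errdisabled.add(f.port)
            self.log.append(f"rogue DHCP server reply on {f.port}: port errdisabled")
            return "DROP"
        if f.kind == "DHCPACK" and f.chaddr in self.pending:
            # A completed lease becomes a binding: client MAC, leased IP, client's port.
            self.bindings[f.chaddr] = (f.yiaddr, self.pending.pop(f.chaddr))
        return "FORWARD"

    def _client_message(self, f: Frame) -> str:
        if f.port in self.trusted:
            return "FORWARD"
        # Untrusted port: the Ethernet source must match the DHCP chaddr.
        if f.src_mac != f.chaddr:
            self.log.append(f"chaddr/source MAC mismatch on {f.port}: dropped")
            return "DROP"
        self.pending[f.chaddr] = f.port
        # Option 82: the switch records the ingress port (circuit-id) in the relayed request.
        self.log.append(f"option 82 circuit-id={f.port} inserted for {f.chaddr}")
        return "FORWARD"

    def _dai(self, f: Frame) -> str:
        # Dynamic ARP Inspection: on untrusted ports the ARP sender MAC/IP must match a binding.
        if f.port in self.trusted or self.bindings.get(f.src_mac) == (f.sender_ip, f.port):
            return "FORWARD"
        self.log.append(f"DAI: ARP {f.src_mac}/{f.sender_ip} on {f.port} has no binding: dropped")
        return "DROP"

    def _ipsg(self, f: Frame) -> str:
        # IP Source Guard: on untrusted ports the IP source must match the binding for that port.
        if f.port in self.trusted or self.bindings.get(f.src_mac) == (f.sender_ip, f.port):
            return "FORWARD"
        self.log.append(f"IPSG: {f.src_mac}/{f.sender_ip} on {f.port} has no binding: dropped")
        return "DROP"


def run_scenario():
    """Constructed traffic: one valid lease on Gi1/0/1, then frames each feature must drop."""
    client, server, rogue = "aa:aa:aa:00:00:01", "00:11:22:33:44:55", "bb:bb:bb:00:00:03"
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})      # Gi1/0/24 faces the real DHCP server
    frames = [
        Frame("Gi1/0/1", client, "DHCPDISCOVER", chaddr=client),
        Frame("Gi1/0/24", server, "DHCPOFFER", chaddr=client),
        Frame("Gi1/0/1", client, "DHCPREQUEST", chaddr=client),
        Frame("Gi1/0/24", server, "DHCPACK", chaddr=client, yiaddr="10.1.1.10"),
        Frame("Gi1/0/1", client, "ARP", sender_ip="10.1.1.10"),   # matches the binding: forwarded
        Frame("Gi1/0/1", client, "ARP", sender_ip="10.1.1.1"),    # unbound address: DAI drops it
        Frame("Gi1/0/2", "aa:aa:aa:00:00:02", "IP", sender_ip="10.1.1.10"),  # no lease on port: IPSG drops
        Frame("Gi1/0/3", rogue, "DHCPOFFER", chaddr=client),      # server reply on an untrusted port
        Frame("Gi1/0/3", rogue, "IP", sender_ip="10.1.1.30"),     # port is now errdisabled
    ]
    return sw, [sw.ingress(f) for f in frames]
```

Calling run_scenario() returns the switch (with its binding table, errdisabled ports and log) and the verdict for each frame; the first five frames are forwarded and the last four dropped.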
 
== VLAN ==
 
* A VLAN creates a broadcast domain; a private VLAN (PVLAN) allows splitting that domain into multiple isolated subdomains.
* Private VLAN port types - Promiscuous, Community, Isolated
* Promiscuous - carries traffic for all the PVLANs
* Community VLAN - can only talk to ports in the same community VLAN and its promiscuous port
* Isolated - can only talk to the promiscuous port
* Primary VLAN - The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
* For low-end switches, there is the command switchport mode protected, which acts similar to an isolated VLAN: all the ports configured as protected do not talk to each other. Usually, ports configured as protected are also configured not to receive unknown unicast (frames with a destination MAC address not in the switch's MAC table) and multicast frame flooding for added security.
 
== Configure ==

vlan 1000
private-vlan primary

vlan 1012
private-vlan community

vlan 1013
private-vlan isolated

vlan 1000
private-vlan association 1012,1013

== Configure ports ==

1. int fa0/1
switchport mode private-vlan host
switchport private-vlan host-association 1000 1012 - each host port is a member of two VLANs
 
 
2. int fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 1000 1013 - isolated port

3. int vlan 1000
private-vlan mapping 1012,1013 - promiscuous port

* This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan association 100-103, 109
 
* This example shows how to configure the Ethernet port 1/12 as a host port for a private VLAN and associate it to primary VLAN 5 and secondary VLAN 101:
switch# configure terminal
switch(config)# interface ethernet 1/12
switch(config-if)# switchport mode private-vlan host
switch(config-if)# switchport private-vlan host-association 5 101
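As an added example (not from the original notes), the private-VLAN reachability rules above applied in Python to the configuration on this page: fa0/1 (community 1012), fa0/2 (isolated 1013) and the promiscuous SVI for VLAN 1000 come from the page, fa0/3 and fa0/4 are constructed extra host ports, and protected_can_talk models the protected-port behaviour described for low-end switches.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Secondary VLAN types and the association from the page's configuration.
SECONDARY_TYPE = {1012: "community", 1013: "isolated"}
ASSOCIATION = {1000: {1012, 1013}}   # vlan 1000 / private-vlan association 1012,1013


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    secondary: Optional[int]   # None for a promiscuous port (mapped to every associated secondary)

    @property
    def promiscuous(self) -> bool:
        return self.secondary is None


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two PVLAN ports, applying the rules from the notes."""
    if a.primary != b.primary:
        return False                  # different primary VLANs are different broadcast domains
    if a.promiscuous and b.promiscuous:
        return True                   # the primary VLAN carries promiscuous-to-promiscuous traffic
    if a.promiscuous or b.promiscuous:
        host = b if a.promiscuous else a
        return host.secondary in ASSOCIATION[a.primary]   # host port <-> its promiscuous port
    if a.secondary != b.secondary:
        return False                  # community 1012 cannot reach isolated 1013 directly
    return SECONDARY_TYPE[a.secondary] == "community"     # same community: yes; isolated: never


def reachability(ports):
    """Unordered pairs of port names that can exchange frames directly."""
    return {frozenset((a.name, b.name)) for a, b in combinations(ports, 2) if can_talk(a, b)}


def protected_can_talk(a_protected: bool, b_protected: bool) -> bool:
    """switchport protected on low-end switches: two protected ports never talk to each other,
    but each still talks to unprotected ports, which is why it resembles an isolated VLAN."""
    return not (a_protected and b_protected)


# The page's ports plus two constructed hosts to exercise the community and isolated rules.
PORTS = [
    PvlanPort("fa0/1", 1000, 1012),     # community host (page)
    PvlanPort("fa0/2", 1000, 1013),     # isolated host (page)
    PvlanPort("fa0/3", 1000, 1012),     # constructed: second community host
    PvlanPort("fa0/4", 1000, 1013),     # constructed: second isolated host
    PvlanPort("vlan1000", 1000, None),  # promiscuous SVI: private-vlan mapping 1012,1013 (page)
]
```

reachability(PORTS) yields five pairs: every host can reach the promiscuous SVI, the two community hosts reach each other, and the two isolated hosts reach nothing but the SVI.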
 
= Layer 2 COS =
 
* We need to enable MLS QoS. On switches we can do both inbound and outbound queueing. Whenever traffic hits the ingress port, the switch first does classification/marking based on the port configuration; then it goes to the policer (if configured) to transmit/remark/drop the traffic; then it goes to inbound queueing before it is transmitted. On switches, when we enable MLS QoS and there is no trust boundary configured, the switch rewrites the markings of the traffic to zero.
 
* Ingress/Egress - packets are mapped to queues based on their DSCP/CoS value.
* If the port is an access port or Layer 3 port, you need to configure the mls qos trust dscp command. You cannot use the mls qos trust cos command because the frame from the access port or Layer 3 port does not contain dot1q or ISL tag. CoS bits are present in the dot1q or ISL frame only.
* If the port is trunk port, you can configure either the mls qos trust cos or mls qos trust dscp command. The dscp-cos map table is used to calculate the CoS value if the port is configured to trust DSCP. Similarly, the cos-dscp map table is used to calculate the DSCP value if the port is configured to trust CoS.
 
* By default, the PC sends data untagged. Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone. The phone sends dot1q tagged frames with voice VLAN ID 20. Therefore, if you configure the port with the mls qos trust cos command, it trusts the CoS values of the frames from the phone (tagged frames) and sets the CoS value of the (untagged) frames from the PC to 0. After that, the CoS-DSCP map table sets the DSCP value of the packet inside the frame to 0, because the CoS-DSCP map table has DSCP value 0 for CoS value 0.
* If the packets from the PC have any specific DSCP value, that value will be reset to 0. If you configure the mls qos cos 3 command on the port, it sets the CoS value of all the frames from the PC to 3 and does not alter the CoS value of the frames from the phone.
* Queueing for 6500 -

Receive queue - 1p1q4t - one priority queue and one standard queue with 4 thresholds.
1p1q8t, 1q2t

Transmit queue - 1p3q4t, 1p7q8
 
 
= 6500 Architecture =
 
* Chassis - 6503/6503-E, 6504-E, 6506/6506-E, 6509, 6513 (13 slot chassis)
* Cisco has introduced the new E series chassis.
* The first generation switching fabric was delivered by the switch fabric modules (WS-C6500-SFM and WS-C6500-SFM2), each providing a total switching capacity of 256 Gbps.
* More recently, with the introduction of the Supervisor Engine 720, the crossbar switch fabric has been integrated into the Supervisor Engine 720 baseboard itself, eliminating the need for a standalone switch fabric module.
* The capacity of the new integrated crossbar switch fabric on the Supervisor Engine 720 has been increased from 256 Gbps to 720 Gbps.
* The Supervisor Engine 720-3B and Supervisor Engine 720-3BXL also maintain the same fabric capacity of 720 Gbps.

* 6509 - Sup cards in slots 5 and 6; supported sups - Sup32 & Sup720
* 6513 - 13 slots - Sup cards in slots 7 and 8; Sup32 & Sup720

* Sup32 - This supervisor engine provides an integrated PFC3B and MSFC2a by default.
* Supports 6700 series line cards.
 
* Sup720-3B - same backplane capacity; it incorporates the new PFC3B for additional functionality (mainly support for MPLS in hardware)
* Sup720-3BXL - incorporates the new PFC3BXL; it is functionally identical to the Supervisor Engine 720-3B, but differs in its capacity for supporting routes and NetFlow entries.
* Sup2T - incorporates MSFC5 (control plane functions) and PFC4 (hardware accelerated data plane functions) cards, 2 Tbps switch fabric
* PFC4 supports the additional features Cisco TrustSec (CTS) and Virtual Private LAN Service (VPLS).
* The 2 Tbps switch fabric provides 26 dedicated 20 Gbps or 40 Gbps channels to support the new 6513-E chassis
* Sup2T supported modules:
* All new 6900 series modules
* All new 6800 series modules (again, WS-X6816-GBIC is not one of those)
* Those 6700 series modules that are equipped either with CFC or DFC4
* Some 6100 series modules

* The control plane functions are mainly performed by the route processor situated on the MSFC3 itself; this includes running the routing protocols, address resolution, maintaining SVIs, ...
* The switch processor looks after switching functions: building the Layer 2 CAM tables and all Layer 2 protocols (Spanning Tree, VTP, ...)
* MSFC - maintains the routing table but does not participate in forwarding the packets; it builds the CEF table, which is pushed down to the PFC and DFCs.
* The PFC is a daughter card that sits on the supervisor base board and contains the ASICs that are used to accelerate Layer 2 and Layer 3 switching in hardware.
* Layer 2 functions - MAC-based forwarding based on the CAM table; Layer 3 functions - forwarding the packets using a Layer 3 lookup.
* Classic line cards support a connection to the 32-Gbps shared bus but do not have any connections into the crossbar switch fabric.
* Classic line cards are supported by all generations of the supervisor engines, from the Supervisor Engine 1 through to the Supervisor Engine 720-3BXL.
* Modes in Sup720
RPR - state information is not in sync; time taken to switch over is 2-4 minutes, with traffic disruption; I/O modules are reloaded.
RPR+ - state is partially initialised; additional information is needed to have the system in sync. Switchover time is 30 to 60 seconds; I/O modules are not reloaded.
SSO - fully synchronised

* To check the redundancy status:
show redundancy

* To set the redundancy mode:
redundancy
keepalive-enable
mode sso
main-cpu
auto-sync running-config
 
 
* Sups supporting VSS:
VS-S720-10G-3C *
VS-S720-10G-3CXL *
Sup2T
* Stacking - VSS has a single control plane (the master), while vPC has two independent control planes.
 
= Nexus Architecture =
 
* Independent control and data plane; high availability - dual Sup, power redundancy, line card redundancy

* Chassis: 7009, 7010, 7018
7009 - 9 slots - Sup in slots 1 and 2; supports 5 fabric channels, each fabric channel provides 46 Gbps of backplane capacity, so a total of 5x46 = 230 Gbps per-slot bandwidth
7010 - 10 slots - Sup in slots 5 and 6; supports 5 fabric channels, each fabric channel provides 46 Gbps of backplane capacity, so a total of 5x46 = 230 Gbps per-slot bandwidth
7018 - 18 slots - Sup in slots 9 and 10; supports 5 fabric channels, each fabric channel provides 46 Gbps of backplane capacity, so a total of 5x46 = 230 Gbps per-slot bandwidth

* Sups supported - Sup1, which includes 4 VDCs including the default VDC - on the default VDC you can allocate resources and perform data plane functions as well.
Sup2 - 4+1 VDCs - the extra one is the admin VDC, used just for allocating resources; it does not pass data.
Sup2E - 8+1 VDCs - requires an additional licence to add the extra 4 VDCs.

* Line cards supported - M and F series I/O modules
* The initial series of line cards launched by Cisco for the Nexus 7k series switches were M1 and F1.
* M1 series line cards are basically used for all major Layer 3 operations like MPLS, OTV, routing etc.; the F1 series line cards are basically Layer 2 cards and are used for FEX, FabricPath, FCoE etc.
* If there are only F1 cards in your chassis, then you cannot achieve Layer 3 routing.
* You need to have an M1 card installed in the chassis so that the F1 card can send the traffic to the M1 card for proxy routing.
* The fabric capacity of an M1 line card is 80 Gbps.
* Since F1 line cards don't have L3 functionality, they are cheaper and provide a fabric capacity of 230 Gbps.
* Later Cisco released the M2 and F2 series of line cards.
* An F2 series line card can also do basic Layer 3 functions; however, it cannot be used for OTV or MPLS.
* An M2 line card's fabric capacity is 240 Gbps, while F2 series line cards have a fabric capacity of 480 Gbps.

* There are two series of fabric modules, FAB1 and FAB2.
* Each FAB1 has a maximum throughput of 46 Gbps per slot, meaning the total per-slot bandwidth available when the chassis is running at full capacity, i.e. there are five FAB1s in a single chassis, would be 230 Gbps.
* Each FAB2 has a maximum throughput of 110 Gbps per slot, meaning the total per-slot bandwidth available when there are five FAB2s in a single chassis would be 550 Gbps.
* These are the FAB module capacities; however, the actual throughput from a line card really depends on the type of line card being used and the fabric connection of that line card.
* You can mix all cards in the same VDC EXCEPT the F2 card.
* The F2 card has to be in its own VDC.
* You can't mix F2 cards with M1/M2 and F1 in the same VDC.
* As per Cisco, it is a hardware limitation and it creates forwarding issues.
 
 
 
* M & M1XL series are used for Layer 3 routing functions, creation of SVIs, FEX, OTV, TrustSec - example: M132XP
* F series - Layer 2 functions, FabricPath, vPC+, FCoE - F132XP, F248XP
* The current shipping I/O modules do not leverage the full bandwidth; the maximum is 80 Gbps for a 10 Gig module
* In an ideal design we should have a pair of M1 and F1 series modules per VDC
* Depending on the line card we have shared mode vs dedicated mode
Shared mode - all the ports in a port group share the bandwidth
Dedicated mode - the first port in the port group gets the entire bandwidth and the rest of the ports are disabled
Example - 32-port 10 Gig I/O module N7K-M132XP-12 with a backplane capacity of 80 Gbps
* Each port group has 10 Gig of bandwidth that can be used in shared mode or dedicated mode
* A port group is a combination of contiguous ports in odd and even numbering.
* A 1 Gig module requires 1 fabric module, i.e. 46 Gbps, and 2 fabric modules for N+1 redundancy
* A 10 Gig module requires 2 fabric modules, and 3 for N+1 redundancy
* VoQs are virtual output queues; they are called virtual because they reside on the ingress I/O module but represent egress bandwidth capacity. VoQs are managed by the central arbiter.

* Nexus 5000 & 5500 - mainly used for Layer 2 only (access layer)
5000 - 5010, 5020
5500 - 5548, Layer 2 only but supports a Layer 3 card as well.

* Nexus 2k - acts as a remote line card for the 7k and 5k. Once we have connected the downlink ports from the 7k or 5k and enabled the feature fex, the parent switch will automatically discover the FEX switch.
We need to configure the uplink port on the parent switch with switchport mode fex and fex associate <number>. Once the feature is enabled and the ports and cables are connected, the FEX starts pulling its IOS from the parent switch. Once the FEX is online you can see its ports on the parent switch as int (fex-associate-number)/1/x.

Note - the downlink ports on the parent switch need to be configured with switchport mode fex and fex associate <number>; no configuration is required on the FEX's uplink ports.

* Nexus 2k does not support local switching: if two hosts in the same VLAN connected to the 2k try to communicate, the communication goes through the parent switch.
* These FEX ports are pinned to the uplinks connected to the parent switch. All management is done from the parent switch.
* Two types of pinning (static pinning & dynamic pinning)
Issue with static pinning - once an uplink between the Nexus 2k and the parent switch fails, all the FEX ports pinned to it have to be moved manually to another uplink to make them operational, while with dynamic pinning they are redistributed automatically.
* Nexus 5k - supports static pinning and vPC when we connect a Nexus 2k.
* Nexus 7k - not all line cards support FEX; only port channel is supported when we connect a Nexus 2k to a 7k.
* All FEX ports are considered edge ports from the STP point of view, and BPDU Guard is enabled on them.
* CFS - Cisco Fabric Services is used to sync configuration and control between chassis.
* The management interface is out-of-band connectivity, as it is in a separate management VRF.
* VDC is a virtual device context, used for virtualisation of the hardware (both control plane and data plane)
* Allocating resources to a VDC - you can allocate M1, F1 and M2 cards, but F2 cards only within their own VDC.
* VDC 1 is the default VDC - used to create/delete/suspend other VDCs, allocate resources, system-wide QoS, Ethanalyzer, and NX-OS upgrade across all the VDCs.
* From the default VDC we can use the switchto command to move to another VDC, and switchback to return to the default VDC.
Creating an Admin VDC:
* Port group is combination of contiguous ports in odd and even numbering.
* 1 Gig module require 1 Fabric ie is 46 Gig and 2 Fab for N+1 redundancy
* 10 Gig -require 2 FABric and 3 for N+1 redundancy
 
* VoQ's -are virtual output queues, is called virtual as it resides on Ingrees I/O module but represnt egress bandwidth capacity.
Enter the system admin-vdc command after bootup. The default VDC becomes the admin VDC. All the nonglobal configuration in the default VDC is lost after you enter this command. This option is recommended for existing deployments where the default VDC is used only for administration and does not pass any traffic.
* VoQ's are managed by central arbiter.
 
* Nex 5000 & 5500 - Mainly used for layer 2 only (Access layer)
You can change the default VDC to the admin VDC with the system admin-vdc migratenew vdc name command. After entering this command, the nonglobal configuration on a default VDC is migrated to the new migrated VDC. This option is recommended for existing deployments where the default VDC is used for production traffic whose downtime must be minimized.
 
5000 -5010, 5020
5500 -5548, layer 2 only but supports for layer 3 card as well.
 
* Nex2k- act as remote line cards for 7k and 5k.
CMP port is associated in SUP 1 - used a console access to SUP as separte kickstart and system image then chasis.
* Once we have connected the downlink ports from 7kor 5k, enable the feature fex parent swicth will automatically discover fex switch.
* We need to configure uplink port on parent switch with switchmode fex, fex associate number.
* Once the featuer is enabled and ports and cables are connected it start pulling the IOS from its parent switch.
* Once the fex is online you can see the port number on parent swicth as int(fexassociatenumber)1/x.
 
Note - Downlink ports on parent switch need to configure with switchmode fex, fex associate no and there is no configration required on ports on fex switch connectected uplink port.
 
* Nex2k -Doesnot support local swictinig... if two host in same vlan connected to 2k are tring to communicate, then communication will happen through parent switch.
Non default vdc has two separate user roles
* These fexed ports are pinned to uplink connected to parent switch. All management is done from parent switch.
vdc admin - has read /write access to vdc
vdc operator -read only access to vdc.
 
;Pinning
* Two types of pinning - Static pinning & Dynamic Pinning
* Issue with static piining - Once the uplink fail b/w nex2k and parent switch all the piined fexed port need to mannual move to other uplink to make it operational while on dynamic piining its automatically redistribued
 
* Nex 5k -Support static pinning and vpc when we connect Nex 2k.
vdc high availiablity polciy - based on single sup / or dual Sup
* Nex 7k - Not all the line cards support Fex, only support port channel when we connect Nex 2k to 7k
 
* All the fexed ports are considered as edge ports from STP point of view and there is BPDU guard is enabled on this.
* CFS- Cisco fabric services is used to syn configration and control box between chasis.
* Mangement interface is out of band connectivity as this is separte management vrf.
 
;VDC
* VDC is virtual device context used for virtuallization of hardware (both control plane and data plane)
* Allocate resource in VDC - can allocate M1, F1, M2 but not F2 cards apart from its own vdc.
* VDC 1 is default VDC - used to create/delete/suspend other vdc, allocate resoucres, system wide qos, ethanalizer, NX-Os upgrade across all the vdc.
* From default vdc we can use switchto command to move to other vdc, switch back to return to default vdc.
 
* Creating an Admin VDC:
Bridge Assurance and Network Ports
Enter the system admin-vdc command after bootup.
The default VDC becomes the admin VDC.
All the nonglobal configuration in the default VDC is lost after you enter this command.
This option is recommended for existing deployments where the default VDC is used only for administration and does not pass any traffic.
 
You can change the default VDC to the admin VDC with the system admin-vdc migratenew vdc name command.
Cisco NX-OS contains additional features to promote the stability of the network by protecting STP from bridging loops. Bridge assurance works in conjunction with Rapid-PVST BPDUs, and is enabled globally by default in NX-OS. Bridge assurance causes the switch to send BPDUs on all operational ports that carry a port type setting of "network", including alternate and backup ports for each hello time period. If a neighbor port stops receiving BPDUs, the port is moved into the blocking state. If the blocked port begins receiving BPDUs again, it is removed from bridge assurance blocking, and goes through normal Rapid-PVST transition. This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.
After entering this command, the nonglobal configuration on a default VDC is migrated to the new migrated VDC.
This option is recommended for existing deployments where the default VDC is used for production traffic whose downtime must be minimized.
 
* CMP port is associated in SUP 1 - used a console access to SUP as separte kickstart and system image then chasis.
Bridge assurance works in conjunction with the spanning-tree port type command. The default port type for all ports in the switch is "normal" for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports. The port must be configured to a spanning tree port type of "network" for bridge assurance to function on that port. Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type "network" for bridge assurance to function properly. This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type "network" as shown below.
 
* Non default vdc has two separate user roles
* vdc admin - has read /write access to vdc
* vdc operator -read only access to vdc.
 
* vdc high availiablity polciy - based on single sup / or dual Sup
Cisco Nexus 7009-- sUP IN slot 1 and Slot 2
Cisco Nexus 7010--
Cisco Nexus 7018--
Line card Capacity differ in diffrent modules...
 
== Bridge Assurance and Network Ports ==
Two type of line cards are available :
 
* Cisco NX-OS contains additional features to promote the stability of the network by protecting STP from bridging loops.
1) M sERIES:
* Bridge assurance works in conjunction with Rapid-PVST BPDUs, and is enabled globally by default in NX-OS.
Layer 3 cards--svi, ospf, otv, Can be layer 2, Trust Sec
* Bridge assurance causes the switch to send BPDUs on all operational ports that carry a port type setting of "network", including alternate and backup ports for each hello time period.
Fex
* If a neighbor port stops receiving BPDUs, the port is moved into the blocking state.
* If the blocked port begins receiving BPDUs again, it is removed from bridge assurance blocking, and goes through normal Rapid-PVST transition.
* This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.
 
* Bridge assurance works in conjunction with the spanning-tree port type command.
* The default port type for all ports in the switch is "normal" for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports.
* The port must be configured to a spanning tree port type of "network" for bridge assurance to function on that port.
* Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type "network" for bridge assurance to function properly.
* This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type "network" as shown below.
 
2) F Series :
Layer 2 cards only
F2 SUPPORT fabric Path, VPC+, FCOE
 
Cisco Nexus 7009-- sUP IN slot 1 and Slot 2
Cisco Nexus 7010--
Cisco Nexus 7018--
Line card Capacity differ in different modules...
 
* Two type of line cards are available :
Cisco Nexus 5k :Used Mainly layer 2 switches
 
1) M sERIES:
5000--5020 and 5010
Layer 3 cards--svi, ospf, otv, Can be layer 2, Trust Sec
Fex
 
2) F Series :
5500--5548 and 5596
Layer 2 cards only
F2 SUPPORT fabric Path, VPC+, FCOE
 
* Cisco Nexus 5k :Used Mainly layer 2 switches
5000--5020 and 5010
5500--5548 and 5596
 
* Nexus 2k: Remote line card
 
 
switch(config-vsan-db)# vsan <number> interface vfc <number>
switch(config-vsan-db)# exit
 
 
= F5 Training =

LTM - how BIG-IP processes traffic

Node - represents an IP address.
Pool member - the combination of an IP address and a port number; in other words, a pool member is an application server to which F5 will direct the traffic.
Pool - a collection of pool members.

Virtual server - the combination of a virtual IP and a port, also known as a listener; we associate a virtual server with a pool and thereby its pool members.

= Load balancing methods =
Static - round robin, ratio
Dynamic - LFOPD (least connections, fastest, observed, predictive, dynamic ratio)
 
 
 
Least connections - load balancing is based on the number of open connections; if the connection counts are equal it will use round robin.

Fastest - number of layer 7 requests pending on each member.

Observed - a ratio load balancing method, but the ratio is assigned by BIG-IP: based on the connection counts BIG-IP assigns the requests, checks dynamically and adjusts the ratios for the requests.

Predictive - similar to observed but assigns the ratio more aggressively based on the trend in average connection counts.

Load balancing can be done by pool member or by node.

Priority activation - helps to configure backup sets for existing pool members. BIG-IP will use the higher-priority pool members first.

Fallback host is only used for HTTP requests: if all the pool members are unavailable, BIG-IP will redirect the client request to the fallback host.
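A small model of the selection rules described above (round robin, ratio, least connections with its round-robin tie-break, and priority group activation). This is an added example, not F5's code; member addresses, ports, ratios and the minimum-active threshold are constructed sample values.

```python
"""Added example (not F5's code): a small model of the pool selection rules
described above - round robin, ratio, least connections with a round-robin
tie-break, and priority group activation. Addresses, ports and ratios are
constructed sample values."""
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    port: int
    ratio: int = 1        # weight used by the ratio method
    priority: int = 0     # priority group; higher numbers are used first
    up: bool = True       # False once a monitor marks the member down
    connections: int = 0  # currently open connections


class Pool:
    def __init__(self, members, min_active=1):
        self.members = members
        self.min_active = min_active  # members needed before lower groups are added
        self._rr = 0                  # shared round-robin position

    def _candidates(self):
        """Priority group activation: groups are added from the highest priority
        down until at least min_active members are up; the rest stay as backups."""
        up = [m for m in self.members if m.up]
        chosen = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def _next(self, candidates):
        """Round-robin pick over a candidate list."""
        if not candidates:
            return None
        member = candidates[self._rr % len(candidates)]
        self._rr += 1
        return member

    def round_robin(self):
        return self._next(self._candidates())

    def ratio(self):
        # static ratio: each member appears 'ratio' times in the rotation
        weighted = [m for m in self._candidates() for _ in range(m.ratio)]
        return self._next(weighted)

    def least_connections(self):
        cands = self._candidates()
        if not cands:
            return None
        fewest = min(m.connections for m in cands)
        # equal connection counts fall back to round robin among the tied members
        return self._next([m for m in cands if m.connections == fewest])


def pick(pool, method, n):
    """Run n selections with the named method; returns 'ip:port' strings (None = no member)."""
    select = getattr(pool, method)
    result = []
    for _ in range(n):
        m = select()
        result.append(None if m is None else f"{m.address}:{m.port}")
    return result


if __name__ == "__main__":
    # constructed pool: two members in priority group 10 and one backup in group 5
    pool = Pool([Member("10.1.1.11", 80, ratio=3, priority=10),
                 Member("10.1.1.12", 80, ratio=1, priority=10),
                 Member("10.1.1.13", 80, priority=5)])
    print("ratio:", pick(pool, "ratio", 4))
    pool.members[0].up = pool.members[1].up = False   # monitors mark group 10 down
    print("backup only:", pick(pool, "round_robin", 2))
```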
 
--------------------------------------------------------------------------------------
 
Monitors - check the status of nodes and pool members; if any pool member's response time is poor or it is not responding, BIG-IP will not send requests to that node.

Monitor types:

Address check - BIG-IP sends an ICMP request and waits for a reply; if there is no reply it considers the node down and does not send traffic to that node.

Service check - checks the TCP port number on which the server is listening; if there is no response it considers the member down.

Content check - we can check whether the server is responding with the right content; for example, for HTTP a GET request is sent and the response is inspected.

Interactive check - test for an FTP connection: once the connection is open the username and password are sent, then a GET for a file is sent; once the file is received the connection is closed.

F5 recommends timeout = 3n+1 (where n is the frequency) when setting up the monitor for HTTP.

Customization of monitors

Assign nodes to monitors
 
 
-------------------------------
 
Profiles - define the traffic behaviour for a virtual server.

Profiles contain settings for how to process traffic through virtual servers. If for a certain application BIG-IP load balances every request, it will break the client's session; to avoid this we use a persistence profile so that returning requests from the client are sent to the same server.

Persistence profile - configured for clients and groups of clients, it is how BIG-IP knows that a returning client's request needs to be sent to the same server; a persistence profile is configured using the source IP address or an HTTP cookie.

SSL termination -

FTP profile

All virtual servers have a layer 4 profile: TCP, UDP or FastL4.

Profile types - service profile, persistence profile, protocol profile, SSL profile, authentication profile, other profiles.
 
 
Persistence types
----------------------------------------------------------------

Source address persistence - keeps track of the source IP address; the administrator can set the netmask in the persistence record so that all clients within the same mask are assigned to the same pool member.

Limitation - if the client addresses are being NATed.

Cookie persistence - only used with the HTTP protocol.

Three modes: insert, rewrite, passive.

Insert mode - BIG-IP creates the special cookie in the HTTP response to the client.
Rewrite - the pool member creates a blank cookie and BIG-IP inserts the special cookie in its place.
Passive - the pool member creates the special cookie itself and BIG-IP lets it pass through.
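How the three cookie modes above change a pool member's response on the way back to the client, and how the cookie steers the client's next request. This is an added example, not F5's code; the pool name, member addresses, the blank cookie name and the cookie value format are constructed placeholders, not BIG-IP's real cookie encoding.

```python
"""Added example (not F5's code): how the three cookie persistence modes
change a pool member's HTTP response on its way back to the client, and how
the cookie steers the client's next request. The pool name, member addresses,
blank cookie name and cookie value format are constructed placeholders."""
COOKIE = "BIGipServerpool_web"   # persistence cookie for the constructed pool "pool_web"
BLANK = "BIGipCookie="           # blank cookie a server emits in rewrite mode (assumed name)


def encode_member(member):
    """Placeholder token for an 'ip:port' member (assumption, not F5's encoding)."""
    return member.replace(".", "_").replace(":", "_")


def decode_member(token):
    """Inverse of encode_member; returns None for a token that is not well formed."""
    ip, sep, port = token.rpartition("_")
    if not sep or not port.isdigit():
        return None
    return ip.replace("_", ".") + ":" + port


def apply_persistence(mode, member, headers):
    """Return the response headers (list of (name, value)) after BIG-IP has
    applied the cookie persistence mode for the member that served the response."""
    out = list(headers)
    special = f"{COOKIE}={encode_member(member)}; path=/"
    if mode == "insert":
        # BIG-IP creates the special cookie itself, whatever the server sent
        out.append(("Set-Cookie", special))
    elif mode == "rewrite":
        # the server sent a blank cookie; BIG-IP rewrites it into the special one
        for i, (name, value) in enumerate(out):
            if name.lower() == "set-cookie" and value.split(";", 1)[0] == BLANK:
                out[i] = ("Set-Cookie", special)
    elif mode == "passive":
        # the server built the special cookie itself; BIG-IP passes it through unchanged
        pass
    else:
        raise ValueError(f"unknown persistence mode: {mode}")
    return out


def choose_member(cookie_header, available, load_balance):
    """On the client's next request, honour the persistence cookie only if it
    names a member that is still available; otherwise load balance normally."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE and value:
            member = decode_member(value)
            if member in available:
                return member
    return load_balance()


if __name__ == "__main__":
    # constructed response from member 10.1.1.11:80 in rewrite mode
    resp = apply_persistence("rewrite", "10.1.1.11:80", [("Set-Cookie", BLANK + " path=/")])
    print(resp)
    print(choose_member("sid=abc; " + resp[0][1].split(";")[0],
                        {"10.1.1.11:80", "10.1.1.12:80"}, lambda: "10.1.1.12:80"))
```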
 
-------------------------------------------------------------------------------
 
 
SSL Profile

SSL is Secure Sockets Layer.

For a website which uses HTTPS we need to use an SSL profile, as the traffic is being NATed for the source clients and the web app is using the HTTPS protocol.
Using SSL termination BIG-IP can decrypt the traffic and assign it to a pool member.

BIG-IP contains SSL encryption hardware, so all the encryption and key exchange are done in hardware, with centralized certificate management.

----------------------------------------------------------------------------------------
iRule:

An iRule is a script that directs traffic through BIG-IP, based on the Tcl command language. iRules give control over inbound and outbound traffic on BIG-IP.

An iRule contains the following: iRule name, events, conditions, actions.
 
 
= Multicasting =

Ranges

224.0.0.0/4 - 224.0.0.0 - 239.255.255.255

Link-local addresses - 224.0.0.0/24

Source-specific multicast - 232.0.0.0/24

Administratively scoped - 239.0.0.0/8


The multicast control plane works differently from unicast routing: it needs to know who the sender of the multicast is and for which group, and also who the receivers of the multicast are.

Multicast data plane - does the RPF check (was the traffic received on the correct interface?) and builds the multicast routing table.

Multicast is source-based routing.

IGMP - hosts on the LAN signal the router to join a multicast group.

Two kinds of request:
(*,G) - any source that is generating the multicast stream for that group - supported by IGMP v1 and v2.
(S,G) - wants to join a particular source sending to the multicast group - IGMP version 3 supports both (S,G) and (*,G).

IGMP gets enabled when ip pim (dense-mode, sparse-mode or sparse-dense-mode) is enabled on the interface.

By default IGMP version 2 is enabled.

ip igmp join-group <address> can be used for testing on routers to see whether multicast traffic for a particular group is received on the router.

The ip igmp static-group command can be used to manually put in the request for a particular multicast group instead of relying on IGMP query messages for that group.

PIM - used to signal routers to build the multicast tree; the tree could be sender to receiver, or sender to rendezvous point to receiver.

PIM version 1 or 2; by default it is PIM version 2. The RP information is already encoded in the PIM packet in version 2. PIM version 2 has a field for the BSR.

Dense mode - implicit join: multicast traffic is sent across the entire network unless someone reports not joining the particular stream. Flood and prune behaviour.
Neighbor discovery is on multicast address 224.0.0.13, the same for sparse mode as well.

Note: if we have a (*,G) entry then we know about the receiver, and if we have an (S,G) entry then we know about the sender as well.

Two ways to generate multicast traffic: either by pinging the multicast address or through IP SLA.
In PIM dense mode the RPF neighbor information is used to send a unicast packet back towards the source; the message could be a PIM prune or graft message. When the multicast source floods the traffic for a particular multicast group, each multicast-enabled router will install the (S,G) and (*,G) entries even if it is not interested.

So in dense mode every router needs to install the (*,G) and (S,G) entries, as we cannot have an (S,G) entry until we have a (*,G) entry. So if the source is active every router needs to maintain the state table for multicasting.

A graft message for the (S,G) entry is sent to unprune the multicast traffic, as earlier it was set to prune.

State refresh keeps the pruned link in its original (pruned) state.

Sparse mode - uses explicit join: unless someone asks to join the multicast traffic nothing is sent; it uses the RP as the reference point. In case we are using source-specific multicast we don't need an RP; for group-specific joins we need an RP. Traffic is not sent anywhere unless it is requested. Sparse mode uses both source-based trees and shortest path trees.
The RP needs to know the receivers and senders. The DR on the LAN segment sends an (S,G) register message to the RP, and the RP in turn replies with a register-stop. Receivers on the LAN segment send an IGMP join, which is converted to a PIM (*,G) join message towards the RP to form the RPT (shared tree). So the PIM join traverses from the receiver to the RP and every device on that path has a (*,G) entry, and from the source to the RP every device has an (S,G) entry. Once the RP knows about the sender and receiver it sends an (S,G) join back towards the source, and the source starts sending the multicast traffic to the RP and then on to the receiver. Then it is up to the last-hop router on the receiver side, as an optimization, whether it wants to join directly to the source using the SPT, bypassing the RP.

Note - when we debug, only process-switched traffic is shown; if we want to debug data plane traffic we need to disable CEF (no ip route-cache). If we change the unicast routing it will also change the multicast routing; the ip mroute command can also be used to change the routing used for multicast.


Source-based tree - the tree is built based on the shortest path from the receiver to the sender.
Shared tree - the tree from the sender to the RP and then from the RP to the receiver.

To check the RP configured on each transit router - show ip pim rp mapping
The RP can be assigned statically (ip pim rp-address) or dynamically (Auto-RP and BSR).

Auto-RP - uses two data plane multicast addresses: 224.0.1.39 is used by routers willing to become RP to advertise themselves to the mapping agents;
224.0.1.40 - the mapping agent chooses the RP and advertises the RP information to the rest of the routers.

To stay on the shared tree rather than the SPT: ip pim spt-threshold infinity


Sparse-dense mode - any group for which we have an RP assigned uses sparse mode; other groups use dense mode.
 
The RPF check is used to keep a loop-free path in the multicast data plane. As per the RPF check, when a multicast packet is received on an incoming interface the router looks up the source in the unicast routing table; if that lookup matches the incoming interface the RPF check passes, else it fails.

Once the multicast routing table is populated the router always prefers (S,G) over (*,G). In the multicast routing table we have the incoming interface and the OIL (outgoing interface list); if the RPF check passes, the multicast traffic is sent out of all interfaces in the OIL.

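The RPF check and OIL forwarding decision described above, run over a constructed unicast routing table, static mroutes (the ip mroute override mentioned at the end of this section) and a multicast routing table. This is an added example, not Cisco code; interface names, prefixes, groups and the RP address are constructed sample values.

```python
"""Added example (not Cisco code): the RPF check and OIL forwarding decision
over a constructed unicast RIB, static mroutes and a multicast routing table.
Interface names, prefixes, groups and the RP address are constructed values."""
import ipaddress


class MulticastRouter:
    def __init__(self, rp):
        self.rp = rp                 # rendezvous point, used for (*,G) RPF checks
        self.unicast = []            # (network, interface) from the unicast RIB
        self.static_mroutes = []     # (network, interface) from 'ip mroute'
        self.mroutes = {}            # ("*" or S, G) -> set of OIL interfaces

    def add_route(self, prefix, iface, static_mroute=False):
        table = self.static_mroutes if static_mroute else self.unicast
        table.append((ipaddress.ip_network(prefix), iface))

    def add_mroute(self, source, group, oil):
        """source is an address for an (S,G) entry or "*" for a (*,G) entry."""
        self.mroutes[(source, group)] = set(oil)

    def rpf_interface(self, address):
        """Longest-prefix match for the RPF lookup; a static mroute is consulted
        before the unicast table and wins whenever it matches."""
        addr = ipaddress.ip_address(address)
        for table in (self.static_mroutes, self.unicast):
            matches = [(net, iface) for net, iface in table if addr in net]
            if matches:
                return max(matches, key=lambda entry: entry[0].prefixlen)[1]
        return None

    def forward(self, source, group, arrived_on):
        """Return the interfaces the packet is replicated to (empty set = dropped)."""
        if (source, group) in self.mroutes:            # (S,G) is preferred over (*,G)
            oil, rpf_target = self.mroutes[(source, group)], source
        elif ("*", group) in self.mroutes:             # shared tree: RPF is toward the RP
            oil, rpf_target = self.mroutes[("*", group)], self.rp
        else:
            return set()                               # no state for this group
        if self.rpf_interface(rpf_target) != arrived_on:
            return set()                               # RPF failure: drop
        return oil - {arrived_on}                      # never send back out the IIF


if __name__ == "__main__":
    r = MulticastRouter(rp="10.0.0.1")
    r.add_route("10.0.0.0/8", "Ethernet0")
    r.add_route("10.1.0.0/16", "Ethernet1")
    r.add_mroute("10.1.1.5", "239.1.1.1", oil=["Ethernet2", "Ethernet3"])
    print(r.forward("10.1.1.5", "239.1.1.1", "Ethernet1"))  # passes RPF
    print(r.forward("10.1.1.5", "239.1.1.1", "Ethernet0"))  # RPF failure
```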
On a multicast router - show ip igmp groups - shows which multicast groups are active on the Ethernet segment and which receivers have joined each group.

To determine which router is the IGMP querier - show ip igmp interface e0

We can manually tune the query interval and the query max response time:
query interval - ip igmp query-interval 120 (default 60 sec)
response time - ip igmp query-max-response-time 20 (default 10 sec)

The IOS command to set which version of IGMP is supported is ip igmp version 1/2


Test commands for IGMP

ip igmp join-group

ip igmp static-group

For sparse mode we need to assign an RP - ip pim rp-address x.x.x.x

To check whether there are any RP mappings - show ip pim rp mapping

To check the multicast packet counters - show ip mroute count

In sparse mode there is SPT switchover to the shortest path tree.

For the SPT threshold we can set the threshold on the DR multicast router that is receiving the IGMP join requests, in global config mode: ip pim spt-threshold <value> - the value is the traffic volume of the multicast feed.

If the RPF check is failing we can still have the interface forward multicast by using a static mroute (ip mroute <source> <mask> <next-hop address>).
 
 
= Security =