Network Ninja

The Long Road to Cisco

Tag Archive for 'Routers'

Enhanced Interior Gateway Routing Protocol – Scalable EIGRP – stub router

Published by Deon Botha on September 5, 2008 in BSCI, BSCI Questions, Certification, Cisco Systems, Concepts and Constructs and Stub Router. 0 Comments

Working from my last couple of EIGRP posts, I am going to try to crystallize some of the material by working through questions found in Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Why would you configure an EIGRP router as a stub router?

A stub router is a router with only one neighbour, a distribution layer router.

One would configure a stub router to limit the information being sent between “stub routers” and the core. A stub router is typically configured to minimize memory and processor usage.

This assists the rest of the network because a stub router responds to queries more quickly, so convergence happens faster.

Resources:

Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes, reading and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

Enhanced Interior Gateway Routing Protocol – Optional Configuration Commands for EIGRP – Tuning EIGRP

Published by Deon Botha on September 2, 2008 in BSCI, BSCI Notes, Bandwidth, Certification, Cisco Systems and Hold Timer. 0 Comments

Some South African/Anglo-African humour that is making me smile:

“Tune” to talk, especially to talk nonsense (“Are you tuning me?”)

But back to the topic at hand;

One can fine-tune the EIGRP process in many ways. The most important tuning methods are route summarization and load balancing. Other techniques also exist, including adjusting the frequency of the hello and hold timers and setting the bandwidth.

The trade-off to playing with timers is that decreasing hello traffic means the network will take longer to notice failures, which in turn delays convergence.

To go over some material from previous posts: EIGRP only sends updates when a new route is advertised or an existing route is withdrawn (changes state to down). A link failure causes an interface to change state without delay (duh). But when a failed neighbour is not directly connected (on the other side of an Ethernet switch, for example), the only way to notice the failure is that no hellos are received. The idea and concept of neighbourship is important in EIGRP because it alerts the router to topology changes, and because the router is responsible to the rest of the network for publicizing the lost routes.

When fiddling with timers, think about the wider ramifications. In most cases defaults are there for a reason; instead of improving performance, the opposite will most probably happen. (For example, timers are configured per interface, and changing timers on one side of a link and not the other creates a neighbourship that forms and dissolves periodically.)

Timer Values are based on the speed of the interface. Because the timers are assumed to be based on this speed, they will usually be the same (Timers are not communicated between neighbours and are not a requirement for neighbourship).

If Router A has a hello interval of 5 seconds and a hold time of 15 seconds (3x hello) and Router B has a hello interval of 30 seconds and a hold time of 90 seconds (3x hello), then the two routers will be neighbours for 15 seconds and then down for 15 seconds.

The Hello Timer

Tuning the Hello Timer directly affects the ability of the EIGRP process to notice a change in the state of a neighbour. Only after a router’s interface is recognized as being down, or a router has failed to hear from a neighbour for a certain amount of time, does the router declare the neighbour dead and take action to update the Routing Table and its neighbours.

For the above reasons, the

Router(config-if)#ip hello-interval eigrp autonomous-system-number seconds

command is typically used to DECREASE (and not increase) the amount of time between Hellos, so that the network converges QUICKER and not SLOWER (which is what increasing the time would do). This however means MORE traffic devoted to EIGRP and more router resources used by EIGRP.

The defaults are as follows:

  • High Bandwidth links (every 5 seconds)
    • Broadcast Media (Ethernet, Token Ring, FDDI)
    • Point-to-Point Serial Links (PPP or HDLC Leased Circuits, Frame Relay Point-to-Point subinterfaces, and ATM)
    • Point-to-point subinterfaces
    • High Bandwidth (T1/E1 and greater) multipoint circuits (ISDN PRI and Frame Relay)
  • Lower Bandwidth Links (every 60 seconds)
    • Multipoint Circuits (T1/E1 and slower, Frame Relay Multipoint interfaces, ATM multipoint interfaces, and ATM)
    • Switched Virtual Circuits and ISDN BRIs

The Command to set how often hellos are sent to neighbours is applied to an interface and does not affect the ENTIRE EIGRP process:

Router(config)#interface serial 0/0
Router(config-if)#ip hello-interval eigrp autonomous-system-number seconds

To use this in an example, we can change the hello timer of a WAN link that is running EIGRP AS 1. Doing so affects only this particular WAN link, not other interfaces running EIGRP AS 1.

Router(config)#interface serial 0/0
Router(config-if)#ip hello-interval eigrp 1 10

The Hold Timer

The hold time, as discussed here, is how long a router will wait for a hello before pronouncing the neighbour unavailable (dead). By default the hold time is three times the hello time. TAKE NOTE that changing the hello interval does not automatically change the hold time.

The hold timer for an interface must be changed manually using the following command:

Router(config-if)#ip hold-time eigrp autonomous-system-number seconds

Using this in the same example as above for the Hello time:

Router(config)#interface serial 0/0
Router(config-if)#ip hold-time eigrp 1 30

Authentication

EIGRP supports two kinds of authentication: simple passwords and MD5 hashes.

  • Simple passwords are sent as plain-text and matched to the key on the receiver. Simple passwords are not secure, because any listener can see this traffic and read the key value.
  • Hash keys, sent as MD5 values, are secure because the listener cannot use the value in one transmission to compute the key.

Using MD5 authentication, the router generates a hash value for every EIGRP transmission and checks the hash of every received EIGRP packet.

To specify MD5 Authentication:

Router(config)#interface serial 0/0
Router(config-if)#ip authentication mode eigrp autonomous-system-number md5

Once MD5 authentication mode is set, the key chain holding the key is applied to the interface:

Router(config-if)#ip authentication key-chain eigrp autonomous-system-number chain-name

Then the key chain itself is configured (in global configuration mode, not under the interface) and the key is specified:

Router(config)#key chain chain-name
Router(config-keychain)#key key-id
Router(config-keychain-key)#key-string key

An example using the WAN interface from above:

Router(config)#interface serial 0/0
! hello interval
Router(config-if)#ip hello-interval eigrp 1 10
! hold time
Router(config-if)#ip hold-time eigrp 1 30
! MD5 authentication mode
Router(config-if)#ip authentication mode eigrp 1 md5
! key chain applied to the interface
Router(config-if)#ip authentication key-chain eigrp 1 My-Chain
Router(config-if)#exit
! key chain and key definition (global configuration)
Router(config)#key chain My-Chain
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco

Authentication results are not shown by show commands; a successful neighbourship means it works. You can however watch the authentication process using debug eigrp packets.
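To make the difference between the two authentication modes concrete, here is an added example (not code from the post or from Cisco) that models a receiver's check. It is a simplification: the digest is a keyed MD5 over the packet with the shared key appended, which is the general idea of the IOS mechanism but not the exact EIGRP packet or authentication TLV layout; the packet bytes and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for an EIGRP hello; the real EIGRP packet layout
# and authentication TLV are not reproduced here.
SAMPLE_PACKET = b"EIGRP HELLO as=1 hold=15 src=10.1.100.8"
SHARED_KEY = b"s3cret-key-string"  # constructed key-string for key chain My-Chain
DIGEST_LEN = 16                    # MD5 produces a 16-byte digest


def keyed_digest(packet: bytes, key: bytes) -> bytes:
    """Illustrative keyed MD5: hash the packet with the shared secret
    appended. Only the digest is derived from the key; the key itself
    never appears in the output."""
    return hashlib.md5(packet + key).digest()


def md5_frame(packet: bytes, key: bytes) -> bytes:
    """What the sender puts on the wire in MD5 mode: packet plus digest."""
    return packet + keyed_digest(packet, key)


def verify_md5_frame(frame: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest over the packet body with the
    locally configured key and compare in constant time. A wrong key or an
    altered body fails, so no neighbourship forms."""
    if len(frame) <= DIGEST_LEN:
        return False
    body, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    return hmac.compare_digest(digest, keyed_digest(body, key))


def plaintext_frame(packet: bytes, key: bytes) -> bytes:
    """Simple-password mode: the password rides along unprotected."""
    return packet + b" auth=" + key


def key_visible_on_wire(frame: bytes, key: bytes) -> bool:
    """Would anyone capturing this frame learn the key?"""
    return key in frame


def altered_frame(frame: bytes) -> bytes:
    """A captured frame whose body was changed in transit (the AS number
    here); the digest no longer matches, so the receiver discards it."""
    return frame.replace(b"as=1", b"as=2", 1)


if __name__ == "__main__":
    good = md5_frame(SAMPLE_PACKET, SHARED_KEY)
    print("valid MD5 frame accepted:", verify_md5_frame(good, SHARED_KEY))
    print("altered MD5 frame accepted:", verify_md5_frame(altered_frame(good), SHARED_KEY))
    print("frame checked with wrong key accepted:", verify_md5_frame(good, b"other-key"))
    print("key visible, simple-password mode:",
          key_visible_on_wire(plaintext_frame(SAMPLE_PACKET, SHARED_KEY), SHARED_KEY))
    print("key visible, MD5 mode:", key_visible_on_wire(good, SHARED_KEY))
```

The last two checks are the point of the post's comparison: in simple-password mode the key is readable in every packet, while in MD5 mode only a digest travels and a listener cannot recover the key from it. The wrong-key check is also what you see in practice when the key-string differs on the two ends of a link: packets are rejected and the neighbourship never forms, which is why the post recommends debug eigrp packets to watch it.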

Optional EIGRP Commands Over a WAN

EIGRP has some design and configuration issues when it comes to the WAN environment. In the WAN one must deal with limited capacity to a greater degree than at other points of the network (the LAN, for example). EIGRP limits itself by restricting its use of bandwidth to NO MORE than half the link capacity, which is a more careful consideration than other protocols make. Although the EIGRP defaults are usually sufficient, one might need to make small adjustments at times.

EIGRP Defaults in Bandwidth Utilization

Routers understand link capacity most of the time (MOST being the important word here). Serial interfaces are however problematic (and the exception to the rule) because they usually attach to a DSU. The router therefore assumes a default speed of 1544 kbps, which on the WAN is in most cases not true.

If the link is actually 56 kbps, then EIGRP calculates incorrectly and, even limiting itself to 772 kbps, could saturate the link. This could result in dropped EIGRP and data packets because of congestion.

The show interfaces command lets you check that the interface bandwidth is accurate; the output shows the configured bandwidth of the link.

Router#show interfaces serial 0/0

The configured bandwidth does not actually affect the speed of the link, but the value is used for routing protocol metric and load calculations. Using the following command you can set the bandwidth (in kilobits per second):

Router(config)#interface serial 0/0
Router(config-if)#bandwidth kilobits

Configuring Bandwidth over a Non-Broadcast Multi-access (NBMA) Cloud

EIGRP plays well over WANs, including point-to-point and NBMA environments like Frame Relay and ATM. The NBMA topology can include either point-to-point subinterfaces or multipoint interfaces.

Cisco identifies three rules for configuring EIGRP over an NBMA cloud:

  • EIGRP traffic should not exceed the committed information rate (CIR) capacity of the virtual circuit (VC).
  • EIGRP aggregated traffic over all the VCs should not exceed the access line speed of the interface.
  • The bandwidth allocated to EIGRP on each VC must be the same in both directions.

Configuring Bandwidth over a Multipoint Network

In addition to being used in the EIGRP metric, the bandwidth command influences how EIGRP uses NBMA VCs. If a serial line has many VCs in a multipoint configuration, EIGRP assumes that each VC has an even share of the bandwidth, and confines itself to using half that share. This won’t work if a 56 kbps link has bandwidth set to 128 kbps, because EIGRP will assume 64 kbps is available for its own use.

The bandwidth command should reflect the access-link speed into the Frame Relay cloud. Your company might have five PVCs from your router’s serial interface, each carrying 56 kbps. The access link will then need a capacity of 5 * 56 kbps (280 kbps).

Configuring Bandwidth over a Hybrid Multipoint Network

If the multipoint network has different speeds allocated to the VCs, a more complex solution is needed.

  • Take the lowest CIR and multiply it by the total number of circuits. Apply the product (total) as the bandwidth of the physical interface. The problem with this configuration is that EIGRP will underutilize higher bandwidth links.
  • If possible, it is much easier to configure and manage an environment that uses subinterfaces, where each VC is logically treated as a separate interface. The bandwidth command can then be configured on each subinterface, which allows different speeds on each VC. In this solution, a subinterface is configured for each VC and its CIR is configured as the bandwidth. This is the preferred solution.

Configuring a Pure Point-to-Point Network

If there are many VCs, there might not be enough bandwidth at the access speed of the interface to support the aggregate EIGRP traffic. The subinterfaces should then be configured with a bandwidth that is much lower than the real speed of the circuit. In this case it is necessary to use the bandwidth-percent command to tell EIGRP how much of the configured bandwidth it may still use.

The ip bandwidth-percent eigrp command adjusts the percentage of capacity that EIGRP may use from the default 50%. You would use the command because the bandwidth command does not reflect the TRUE speed of the link (the bandwidth value might have been altered to manipulate the routing metric and path selection of a routing protocol).

Router(config)#interface serial 0/0
Router(config-if)#ip bandwidth-percent eigrp autonomous-system-number percent
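The arithmetic behind the three WAN scenarios above (the wrong default on a 56 kbps serial link, the multipoint and hybrid multipoint rules, and the bandwidth-percent adjustment) is small enough to check by hand, but the following added example (not from the post or from Cisco) puts it into functions so each case can be tested. The CIR values are constructed to match the figures the post uses; the 1/2 default and the even per-VC split are the post's own statements of EIGRP behaviour.

```python
def eigrp_budget_kbps(bandwidth_kbps, vc_count=1, percent=50):
    """Bandwidth EIGRP allows itself on one VC. The interface `bandwidth`
    is split evenly across the VCs, and EIGRP takes `percent` of that
    share (50% unless ip bandwidth-percent eigrp is configured)."""
    per_vc_share = bandwidth_kbps / vc_count
    return per_vc_share * percent / 100


def could_saturate(bandwidth_kbps, real_vc_kbps, vc_count=1, percent=50):
    """True when EIGRP's self-imposed budget exceeds the real VC capacity,
    i.e. the configured bandwidth is misleading EIGRP into flooding the link."""
    return eigrp_budget_kbps(bandwidth_kbps, vc_count, percent) > real_vc_kbps


def multipoint_bandwidth(vc_cirs_kbps):
    """Access-link `bandwidth` for a multipoint interface with equal-speed
    VCs: the sum of the CIRs (five 56 kbps PVCs -> 280 kbps)."""
    return sum(vc_cirs_kbps)


def hybrid_multipoint_bandwidth(vc_cirs_kbps):
    """The post's rule for a hybrid multipoint interface: lowest CIR times
    the number of circuits. EIGRP will underuse the faster VCs."""
    return min(vc_cirs_kbps) * len(vc_cirs_kbps)


def percent_needed(bandwidth_kbps, wanted_eigrp_kbps, vc_count=1):
    """ip bandwidth-percent eigrp value that lets EIGRP use
    `wanted_eigrp_kbps` per VC when `bandwidth` has deliberately been set
    below the true circuit speed (for metric manipulation)."""
    return int(wanted_eigrp_kbps * vc_count * 100 / bandwidth_kbps)


if __name__ == "__main__":
    # Serial default of 1544 kbps on a circuit that is really 56 kbps
    print("default budget:", eigrp_budget_kbps(1544), "kbps;",
          "saturates 56k link:", could_saturate(1544, 56))
    # 56 kbps link with bandwidth mis-set to 128 kbps
    print("128k budget:", eigrp_budget_kbps(128), "kbps;",
          "saturates 56k link:", could_saturate(128, 56))
    # Five 56 kbps PVCs on one multipoint interface
    bw = multipoint_bandwidth([56] * 5)
    print("multipoint bandwidth:", bw, "per-VC budget:", eigrp_budget_kbps(bw, 5))
    # Hybrid multipoint with constructed CIRs of 56, 128 and 256 kbps
    print("hybrid bandwidth:", hybrid_multipoint_bandwidth([56, 128, 256]))
    # bandwidth set to 56 on a real 256 kbps circuit; want EIGRP to have 112 kbps
    print("bandwidth-percent needed:", percent_needed(56, 112))
```

With the default, a 56 kbps circuit left at the 1544 kbps default gives EIGRP a 772 kbps budget, far above what the line can carry; the 280 kbps multipoint value brings the per-VC budget to 28 kbps, which is the half-of-56 the post describes.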

Software Study Resources:

The Command Memorizer was originally developed by a CCIE Candidate (David Bombal) for his own use and is now available to anyone who wants to use it. Command Memorizer helped him pass the CCIE Lab on the first attempt, and although I am not a CCIE candidate “officially” I have been fiddling with it and finding it useful to test my command line retention and overall progress towards CCIE readiness as I do my current CCNP. The proof will be in the pudding, as the Command Memorizer boasts 1000s of commands and hundreds of scenarios to test command line knowledge and retention. It has a section for EIGRP and I also like knowing where I am on my long road to Cisco.

Like most study aids / study tools this tool / aid has a specific focus. The Command Memorizer only works when used in conjunction with theoretical backing because you need to know what a command does and how it relates to the technology area. IOW You need to make the connection before you can start drilling actual commands repetitively to get them to start flowing and become second nature.

For a disclosure statement on my relationship with Configure Terminal.

Cisco Press Resources:

Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Internetworking Technology Handbook – Intro to the Wan

Enhanced Interior Gateway Routing Protocol – Optional Configuration Commands for EIGRP – Stub Routers

Published by Deon Botha on September 1, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems and Stub Router. 0 Comments

From Cisco IOS Release 12.0 it is possible to configure remote routers as EIGRP stub routers. A stub router in an EIGRP network uses EIGRP to send limited information between the STUB and the CORE routers. Stub configuration is typically used to minimize processor utilization on the router (which makes it good for slower or older routers).

A Stub router only has one neighbour, a Distribution layer router. The remote router only needs a default route pointing to the distribution router (everywhere else can be reached via the default route).

Configuring stub routers can also assist the rest of the network: queries are responded to much quicker and convergence occurs much faster. Sometimes queries can cause delays that result in stuck-in-active (SIA) routes. If stub configuration is applied, the router responds to queries as inaccessible, thus limiting the scope of the query range and preventing SIA from occurring.

The command for Stub is as follows:

Router(config)#router eigrp autonomous-system-number
Router(config-router)#network network-number
Router(config-router)#eigrp stub

The table below explains the options available with the command:

(Table: Stub Routers)

To use the above in an example from the CCNP book, the diagram below shows a network with five stub routers: they have no other networks connected to them and each is connected to a distribution layer router.

(Diagram: Stub Router Example)

Looking at the situation between Router A and Router B.

  • Router A is the Distribution Layer device for Router B (10.1.100.8);
  • Router B only has one network connected to it (10.1.1.0).

What one wants is for Router B to know only what is relevant to it (as a stub router), so that its routing table consists only of 0.0.0.0 (default gateway), 10.1.100.8 (the distribution layer device) and the connected network (10.1.1.0).

Similarly Router A must know about all connected stub routers.

The configuration on Router B would be:

Router(config)#router eigrp 1
Router(config-router)#network 10.0.0.0 255.0.0.0
Router(config-router)#eigrp stub

Cisco Press Resources:

Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Enhanced Interior Gateway Routing Protocol – Configuring EIGRP

Published by Deon Botha on August 14, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs and EIGRP. 0 Comments

The basic requirements to get EIGRP running are as follows:

  1. The EIGRP process and the EIGRP Autonomous System (AS) number. The EIGRP process is the routing protocol that needs to be started on the router, and the EIGRP AS number is an arbitrary 16-bit number that identifies and groups routers with a common AS number into the same administrative domain. The significance of this number is that a router will not become a neighbour with a router in a foreign/different AS.

    To enable the EIGRP process as an active routing protocol:

    Router(config)#router eigrp autonomous-system-number

    Used in an example:

    Router(config)#router eigrp 1

  2. The participating router interfaces, which can be some or all interfaces (for example EIGRP on internal interfaces and BGP on external interfaces). After the router command EIGRP is enabled but not active on any interface; EIGRP will neither produce Hello packets nor advertise networks until it is activated on particular links. To activate interfaces for the EIGRP process one uses the network command. The network command is a pattern-matching tool: interfaces with matching IP addresses become active in EIGRP, and the subnets on those interfaces are advertised through EIGRP.

    Router(config-router)#network network-number

    Used in an example:

    Router(config-router)#network 10.0.0.0

  3. The passive-interface command can be used on interfaces with no neighbours, or on interfaces that run another routing protocol (BGP). This command prevents EIGRP from speaking on an interface: it does not send hello packets or advertisements, neighbours are not found on passive interfaces and routes are not exchanged. However, the prefix of the passive interface is still advertised to EIGRP neighbours on other interfaces.

    Router(config)#interface fastethernet 0/0
    Router(config-if)#ip address 192.168.0.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#interface fastethernet 0/1
    ! a separate subnet: two interfaces on one router cannot both sit in 192.168.0.0/24
    Router(config-if)#ip address 192.168.1.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#router eigrp 1
    ! wildcard mask 0.0.1.255 matches both 192.168.0.0/24 and 192.168.1.0/24
    Router(config-router)#network 192.168.0.0 0.0.1.255
    Router(config-router)#passive-interface fastethernet 0/1

Resources:

Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Enhanced Interior Gateway Routing Protocol – Tables – Neighbourship

Published by Deon Botha on August 13, 2008 in BSCI, BSCI Questions, Certification and Cisco Systems. 0 Comments

Working from the EIGRP Tables post, and to try to crystallize some of the material found there, I am working through questions found in Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

What conditions must be met for a router to become a neighbour?

The conditions that must be met for a router to become a neighbour are as follows:

  • The router must hear a Hello packet from a neighbour,
  • The EIGRP Autonomous System (AS) number in the Hello packet must be the same as the receiving router’s EIGRP AS number,
  • the K-values used to calculate the metric must be the same.

Resources:

Stewart, B. D., Gough, C. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Enhanced Interior Gateway Routing Protocol – Tables

Published by Deon Botha on August 8, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs and EIGRP. 2 Comments

EIGRP builds and maintains three tables:

  • A Neighbour table – used to make sure all ACKs are received.
  • A Topology Table – used to understand paths through the network.
  • An IP Routing Table – the best paths from the Topology table.

Creating the Neighbour Table

As previously stated, the neighbour table is maintained through Hello packets (These are multicast announcements that the router is alive).

  • Hello packets place the router into an adjacent routers’ neighbour tables.
    • Reciprocal Hellos build the local Neighbour Table.
    • Once the Neighbour Table is built, Hellos continue periodically to maintain neighbourship.

Each Layer-3 Protocol supported by EIGRP (IPv4, IPv6, IPX and AppleTalk) has its own separate Neighbour Table. Information about neighbours, routes, or costs are not shared between protocols.

Contents of the Neighbour Table (Resource 1, 2)

  • The Layer-3 Address of the neighbour (IP Address)
  • The interface through which the neighbours Hello was heard (fe0/1)
  • The holdtime (how long the neighbour table waits without hearing a Hello from a neighbour before declaring the neighbour unavailable and purging the database). Holdtime is three times (x3) the value of the Hello timer by default.
  • The uptime (period since the router first heard from the neighbour).
  • The sequence number. The neighbour table tracks all the packets sent between neighbours (both the last sequence number sent to the neighbour and the last sequence number received from the neighbour).
  • Retransmission timeout (RTO), the time a router will wait on a connection-orientated protocol without ACK before retransmitting the packet.
  • Smooth Round Trip Time (SRTT), calculates the RTO. The SRTT is the time (milliseconds) that it takes a packet to be sent to a neighbour and a reply to be received.
  • The number of packets in a queue, which is a means by which administrators can monitor congestion on the network.

Becoming a Neighbour

All EIGRP routers periodically announce themselves with the Hello packet using multicast (224.0.0.10). On hearing a Hello, receiving routers add an entry to their Neighbour Table (the continued receipt of Hello packets maintains the neighbour table).

If a Hello packet is not received from a neighbour within the holdtime (3x the Hello timer) the neighbour is removed from the Neighbour Table.

  • LAN = Hello timer 5 seconds, Holdtimer 15 seconds.
  • DS1 (1.5Mbps) or slower WAN links = Hello timer 60 second, Holdtimer 180 seconds.
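The hold-time rule above, and the mismatched-timer scenario in the tuning post (Router A with a 5-second hello and 15-second hold time, Router B with 30 and 90), can be modelled with a few lines. This is an added example, not code from the post or from Cisco: a minimal neighbour table that records when each Hello was heard and purges an entry once no Hello has arrived within the hold time it applies. It follows the post's description of the mismatch, in which the receiving router applies its own configured hold time to the peer; the peer address is constructed.

```python
from dataclasses import dataclass


@dataclass
class NeighbourEntry:
    address: str
    hold_time: int      # seconds the table waits without a Hello
    last_hello: int     # time the last Hello was heard
    uptime_start: int   # time the neighbour was first heard


class NeighbourTable:
    """Minimal model of the Hello / hold-time part of the EIGRP neighbour table."""

    def __init__(self):
        self.entries = {}
        self.events = []   # (time, neighbour, "up" or "down")

    def hello_received(self, address, now, hold_time):
        entry = self.entries.get(address)
        if entry is None:
            # first Hello from this neighbour: a new adjacency
            self.entries[address] = NeighbourEntry(address, hold_time, now, now)
            self.events.append((now, address, "up"))
        else:
            # continued Hellos simply refresh the hold timer
            entry.last_hello = now

    def expire(self, now):
        """Declare dead every neighbour whose hold time has run out."""
        for address, entry in list(self.entries.items()):
            if now - entry.last_hello >= entry.hold_time:
                del self.entries[address]
                self.events.append((now, address, "down"))


def simulate(peer_hello_interval, hold_time, duration, peer="10.1.100.8"):
    """Events seen by a router that applies `hold_time` to a peer sending a
    Hello every `peer_hello_interval` seconds, over `duration` seconds."""
    table = NeighbourTable()
    for t in range(duration + 1):
        if t % peer_hello_interval == 0:
            table.hello_received(peer, t, hold_time)
        table.expire(t)
    return table.events


if __name__ == "__main__":
    print("LAN defaults (hello 5, hold 15):", simulate(5, 15, 60))
    print("mismatch, peer hello 30 vs local hold 15:", simulate(30, 15, 60))
    print("WAN defaults (hello 60, hold 180):", simulate(60, 180, 300))
```

With matched timers the adjacency comes up once and stays up. With the mismatch the table shows exactly the flap the tuning post warns about: up at 0, down at 15, up again at 30, down at 45, and so on, which is also what a flood of neighbour up/down log messages on one link usually means in practice.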

To become a neighbour, the following conditions must be met:

  • The router must hear a Hello packet from a neighbour,
  • The EIGRP Autonomous System (AS) number in the Hello packet must be the same as the receiving router’s,
  • the K-values used to calculate the metric must be the same.

Creating the Topology Table

After a router knows who its neighbours are, it can create a Topology Table and assign Successors and Feasible Successors for each route (the Topology Table has a record of all routes, not only Successors and Feasible Successors; the other routes are referred to as possibilities).

The topology table includes the following information:

  • Whether the route is passive or active.
  • Whether an update has been sent to the neighbour.
  • Whether a query packet has been sent to a neighbour
    • if positive, at least one route will be marked active.
  • Whether a query packet has been sent
    • if positive another field will track whether any replies have been received from neighbours.
  • That a reply packet has been sent in response to a query packet from a neighbour.
  • Prefixes, masks, interface, next-hop, and Feasible and Advertised Distance from remote networks.

The Topology Table is built from Update Packets that are exchanged by neighbours and by Replies to Queries sent by the router.

Queries and replies used by EIGRP are sent reliably as multicast using RTP. If a router does not hear an ACK within the allotted time, it retransmits the packet as unicast (up to 16 times), after which the router marks the neighbour as dead.

Each time the router sends a packet, RTP increments the sequence number by one. The router must hear an ACK from EVERY router before it can send the next packet.

When all this is done the router has an understanding of the topology; it then runs DUAL to determine the BEST PATHS to each remote network. The result is entered into the Routing Table.

Maintaining the Topology Table

The Topology Table may be recalculated because:

  • A new network is added,
  • Successors change,
  • A network is lost.

Adding a Network to the Topology Table

(Diagram: Topology Table – Adding a Network)

  1. As soon as Router A becomes aware of the new network (right),
    1. It starts sending Hello packets out the new interface.
      1. No one answers (there is no router out the interface).
        • There will be no entries in the Neighbour Table because no neighbours responded to the Hello.
        • There is however a new entry in the Topology Table because it is attached to a new network.
  2. EIGRP, sensing a change, must send an update to all neighbours on its old interface, informing them of the change. These updates are tracked in the Topology Table and the Neighbour Table because updates are connection-orientated and ACKs from neighbours must be received within a timeframe.
  3. Router A has completed its work.
    1. Neighbours on the old network will update their sequence numbers in their Neighbour Tables and add the new network to the Topology Table.
      1. They will calculate FD and the Successor to place in the Routing Table.

Deleting a Path or Router from the Topology Table

(Diagram: Topology Table – Deleting a Network)

  1. If a network connected to Router A is disconnected (right),
    1. Router A updates its Topology Table and Routing Table and sends an update to its neighbours.
  2. When a neighbour receives the update,
    1. it updates the neighbour table and the topology table.
  3. The neighbour searches for an alternate route to the network. It examines the Topology Table for alternatives (none will be found, as there is only one path).
  4. The neighbour then sends out a query to its neighbours requesting that they look in their tables for paths to the remote network.
    1. This marks the route active in the Topology Table.
  5. The query is tracked, and when all replies are in, the Topology Table and Neighbour Table are updated.
  6. DUAL (which starts as soon as network change registers) runs to determine the best path, which is placed in the routing table.
  7. Before routers respond, routers query their own neighbours (the search for alternative paths extends or diffuses throughout the entire organization).
  8. If no alternative is found, the neighbours reply to the query stating that they have no path.
  9. When no router can supply a path to the network, all the routers remove the network from their Routing Table and Topology Table.

Finding an alternate path to Remote Network

  • The router marks the routes that were reached by sending traffic to the lost neighbour.
  • The router looks in the topology table to determine if there is an alternate route (Feasible Successor).
  • If a feasible successor is found, the router adds it to its routing table. If the router has no feasible successor, it places the route into an active state while sending queries to neighbours for an alternate path.
  • After interrogating the topology table, if a feasible route is found, the neighbour replies with the alternative path. This path is placed in the Topology Table.
  • If no answer is heard, the messages are propagated through the network.

Creating the Routing Table

The Routing Table in EIGRP is built from the Topology Table using DUAL. The Topology Table holds all routing information known to the router and from this information successors and feasible successors are selected. Successors are passed to the Routing Table and used for routing decisions.

EIGRP Path Selection

(Diagram: EIGRP route types)

Go here for more information on the metric.

Updating the Routing Table in Passive Mode with DUAL

When a path is lost, DUAL first looks in the Topology Table for a feasible successor; if one exists the router stays in passive mode (as opposed to active mode, where the router actively queries for alternative paths).

(Diagram: Use of FD and AD – Passive Mode)

  • The FD from Router A to Router G is 10 (A – D – G).
  • The AD from Router A to Router G is 5 (advertised by neighbour D).
    • Because 10 > 5 (FD > AD), the path through D meets the feasibility condition.
    • If the link between Router D and Router G goes down, Router A looks in its Topology Table.
    • The alternative route through Routers A to D to E to G (A-D-E-G) has an AD of 19.
      • Because 19 > 10 (the original FD), it does not qualify as a feasible successor.
    • The path through Router D to H to F to G (D-H-F-G) has an AD of 20.
      • Because 20 > 10 (the original FD), it does not qualify as a feasible successor.
    • The path through Router A to E to G has an AD of 7.
      • Because 7 < 10 (the original FD), it does qualify as a feasible successor.
    • After the link between Router D and G dies, the Routing Table is updated from the Topology Table while the router remains in Passive Mode.

Updating the Routing Table in Active Mode with DUAL

When no feasible successor is found in the Topology Table, the following happens. The Topology Table of Router A starts with a successor path of A to D to G to X. The FD is 20, and the AD from Router D is 15. When Router D dies, Router A must find an alternate path to X.

Use of FD and AD - Active Mode

  • Router A rejects neighbours B, C, E and F as feasible successors, because each has an AD greater than or equal to the successor's FD of 20:
    • Router B: AD 27 (20 < 27)
    • Router C: AD 27 (20 < 27)
    • Router E: AD 20 (20 = 20; equal is not good enough, the condition is strictly less than)
    • Router F: AD 21 (20 < 21)
  • Router A puts the route into active mode and sends out queries.
  • Both Router E and Router F reply, each now advertising an AD of 5:
    • Router E: new FD 20, AD 5 (20 > 5)
    • Router F: new FD 21, AD 5 (21 > 5)
      • Both satisfy the feasibility condition, so the route returns to passive mode and the Topology Table and Routing Table are updated.
      • Router E is selected as the successor because it has the lower FD.
  • The route via Router E is placed in the Routing Table.
  • Router F becomes the feasible successor.

EIGRP Network Design

  • EIGRP is designed to work in very large networks.
  • EIGRP is very design sensitive.
  • Scaling a network properly is a major concern.
  • New demands are constantly driving the networks to use applications that require more bandwidth with less delay; while networks are becoming larger and more complex.

Factors that affect how well EIGRP scales include:

  • The amount of information sent between neighbours.
  • The number of routers that receive updates.
  • The distance between neighbouring routers.
  • The number of alternative paths to remote networks.

Poorly scaled EIGRP networks result in:

  • A stuck-in-Active route
  • Network Congestion
  • Lost routing information
  • Flapping routes
  • Retransmission
  • Low Router memory
  • Over utilized Router CPU

Poor design causes these symptoms because router resources (memory, CPU and link bandwidth) are overwhelmed by the work assigned to them.

EIGRP Design Issues

The major concern in scaling an organization's network is controlling advertisements and limiting query range (especially over slow WAN links). Sending less information about the network leaves more bandwidth for clients and servers; this relieves the network and speeds convergence, though it also leaves routers with less information about alternate paths.

EIGRP automatically summarizes at classful network boundaries, because summarization is generally helpful and EIGRP is built to recognise opportunities like this to optimize the network. Most administrators disable auto-summarization because classful boundaries rarely match their addressing, and instead configure summarization manually at the interface level.

Certain topologies pose problems for EIGRP, like the hub-and-spoke design often used between remote sites and regional offices. The popular dual-hub configuration provides redundancy, but also allows the hubs to reflect queries back to one another. Summarization and filters make such designs work well while keeping queries manageable.

Guideline to Scaling Issues

  • Assign addresses and organize links so that natural points for summarization exist; in other words, a hierarchical network design.
  • Provide sufficient hardware resources (mem and CPU) on network devices.
  • Use sufficient bandwidth on the WAN links.
  • Use filters to limit advertisements.
  • Monitor the network.

I’m very strange. Every time I type Hello, I have a voice in my head going “Hello Kitty”. So share my pain “Hello Kitty”!

Hello Kitty
I’m going to kick myself later when I read over this post again, because this is going to get stuck in my head again.

Resources:

Stewart, B,D., Gough, C (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.


Enhanced Interior Gateway Routing Protocol – Introduction

Published
by
Deon Botha
on August 5, 2008
in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs and EIGRP
. 2 Comments

This is the introduction to Enhanced Interior Gateway Routing Protocol (EIGRP); most of this paragraph can also be found in the Introduction to EIGRP linked under Resources. EIGRP is a Cisco proprietary distance vector routing protocol that uses the same composite metric as Interior Gateway Routing Protocol (IGRP), plus the Diffusing Update Algorithm (DUAL) convergence algorithm for loop-free routing. EIGRP converges quickly and uses little bandwidth (like OSPF) because it separates keepalives from routing information and uses reliable, incremental updates. EIGRP is sometimes referred to as a hybrid routing protocol.

EIGRP was created (maybe read modified/updated) to solve scaling limitations that IGRP faced while still keeping the advantages of distance vector routing protocols (simplicity, economy of memory usage, and economy of processor resources). EIGRP is scalable in terms of hardware resources and network capacity. EIGRP is also very quick.

I use British English, so there will be a few small spelling differences versus the American English that Cisco uses. Example: Neighbour vs Neighbor.

Neighbourship and Reliable Incremental Updates

EIGRP supports several routed protocols independently (IP, IPX, AppleTalk and IPv6). Each routed protocol has its own best path, which is not shared with the other routed protocols.

EIGRP packets are carried directly inside IP as protocol number 88. Reliability does not come from IP; it comes from EIGRP's own transport, under which the receiver ACKs that a transmission was received and understood.

EIGRP uses five (5) types of packets to communicate:

  • Hello – Identifies neighbours. Hellos are sent periodically via multicast and are not acknowledged (an ACK is itself a data-less unicast Hello).
  • Update – Advertises routes. Updates are sent as multicast, and only when there is a change.
  • ACK – Acknowledges receipt of a reliable packet (update, query or reply).
  • Query – Asks neighbours about a route whose previous best path has been lost.
    • If an update indicates that a path is down and no feasible successor exists, multicast queries ask the other neighbours whether they still have a path.
    • If the querying router does not receive a reply from each of its neighbours, it repeats the query as a unicast to each unresponsive neighbour until it either gets a reply or gives up after sixteen (16) attempts.
  • Reply – Answers a query. Each neighbour responds with a unicast reply giving an alternative path or stating that it has no path.

Neighbour Discovery and Recovery

EIGRP uses a reliable update procedure; this creates two problems:

  1. The router needs to know how many other routers exist so that it knows how many ACK to expect.
  2. The router needs to know whether a missing advertisement should be interpreted as “no new information” or “neighbour disconnected”.

EIGRP uses neighbourship (periodic hellos) to address both problems.

  • The first hellos build a list of neighbours (the Neighbour Table).
  • Subsequent hellos indicate that the neighbours are still alive.

If hellos are missed for the duration of the hold time, the neighbour is removed from the Neighbour Table and routing reconverges.

The discovery process begins with multicast Hellos; each router that hears one answers, and the initial exchange of updates is acknowledged with unicast ACKs. The Neighbour Table tracks those ACKs to make sure that each neighbour responds. If a neighbour does not ACK, a follow-up unicast is sent; after sixteen (16) attempts the neighbour is removed from the Neighbour Table and EIGRP continues with its next task.
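As an added example (not code from the book or from this post), here is the bookkeeping a reliable sender has to do, in Python: one multicast of a reliable packet, an ACK expected from every entry in the Neighbour Table, unicast retransmission to each neighbour that stays silent, and removal of the neighbour after the sixteenth attempt. The neighbour addresses and which of them answer are constructed; the retry limit of 16 and the 224.0.0.10 group are protocol facts.

```python
# Added example: reliable-transport bookkeeping as described for EIGRP's RTP.
# Not code from the book or the post.  Neighbour addresses and their ACK
# behaviour are constructed; 16 retries and 224.0.0.10 are protocol facts.

RETRY_LIMIT = 16                 # unicast retransmissions before the neighbour is dropped
EIGRP_MULTICAST = "224.0.0.10"   # reserved group for EIGRP multicast packets


class ReliableSender:
    """Tracks which neighbours have ACKed a reliable packet (update, query, reply)."""

    def __init__(self, neighbours):
        self.table = {ip: 0 for ip in neighbours}   # neighbour table: ip -> outstanding retries
        self.log = []                               # (kind, destination, seq) for inspection

    def send_reliable(self, seq, wire):
        """Multicast packet `seq`, then unicast-retry every neighbour that did not ACK.
        `wire(ip)` returns True if that neighbour ACKs the attempt just sent
        (constructed stand-in for the network).  Returns the set of neighbours dropped."""
        self.log.append(("multicast", EIGRP_MULTICAST, seq))
        pending = [ip for ip in self.table if not wire(ip)]
        dropped = set()
        for ip in pending:
            while True:
                self.table[ip] += 1
                self.log.append(("unicast", ip, seq))
                if wire(ip):
                    self.table[ip] = 0          # ACK received: clear the retry counter
                    break
                if self.table[ip] >= RETRY_LIMIT:
                    del self.table[ip]          # retry limit exceeded: neighbour reset
                    dropped.add(ip)
                    break
        return dropped

    def sent_to(self, ip, kind="unicast"):
        """How many packets of `kind` went to `ip` (for inspection)."""
        return sum(1 for k, dest, _ in self.log if k == kind and dest == ip)


def make_wire(acks_on_attempt):
    """Constructed network: acks_on_attempt[ip] is the attempt number on which
    that neighbour first ACKs (the multicast counts as attempt 1); None means never."""
    seen = {}

    def wire(ip):
        seen[ip] = seen.get(ip, 0) + 1
        first = acks_on_attempt.get(ip)
        return first is not None and seen[ip] >= first
    return wire


def demo():
    """Three constructed neighbours: one ACKs the multicast, one ACKs on the
    third attempt, one never answers and is dropped."""
    sender = ReliableSender(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    dropped = sender.send_reliable(seq=1, wire=make_wire(
        {"10.0.0.1": 1, "10.0.0.2": 3, "10.0.0.3": None}))
    return sender, dropped


if __name__ == "__main__":
    sender, dropped = demo()
    print("dropped:", dropped, "remaining:", sorted(sender.table))
```

The silent neighbour costs sixteen unicast retransmissions before it is reset, which is why a congested or lossy WAN link shows up as retransmissions and neighbour flaps long before it shows up as a routing problem.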

Sophisticated Metric

EIGRP uses a sophisticated metric that takes into account bandwidth, load, reliability, and delay. The metric equation is:

EIGRP-Metric

EIGRP selects the path with the lowest metric. The K-values (K1 to K5 in the equation) are constants that adjust the relative contribution of each parameter to the total metric. The parameters they weight are as follows:

  • Bandwidth – 10^7 kbps divided by the bandwidth (in kbps) of the slowest link along the path. Because routing protocols select the lowest metric, inverting bandwidth makes faster paths cost less.
  • Load and reliability – 8-bit values measured on the link. By default both are multiplied by a zero K-value, so neither is used.
  • Delay – a constant configured per interface type and shown in microseconds (a serial interface has a delay of 20,000 microseconds and Ethernet a delay of 1000 microseconds). EIGRP sums the delays along the path and feeds the total into the metric in units of tens of microseconds.

By default:

  • K1 = K3 = 1 and
  • K2 = K4 = K5 = 0 (if you follow the maths, K5 = 0 would make the whole metric 0).

Because a metric of 0 would be useless, when K5 is 0 EIGRP treats the K5/(K4 + reliability) factor as 1 and only the part inside the parentheses counts.

Using the default K-values the equation then becomes:

EIGRP-Metric-K-Default

Substituting the variables described earlier, the equation becomes 10,000,000 divided by the chokepoint (slowest link) bandwidth, plus the sum of delays in tens of microseconds, with the whole lot multiplied by 256:

EIGRP-Metric-substitution

Exercise to crystallize

This entire section is so that I understand how EIGRP selects a route. Using the diagram below (from Brent D. Stewart's CCNP book), let's plug in some values and see it work.

EIRGP Metric Topology

If we want to send traffic from Router A to Router D, which path would be used?

The top path ABCD has a chokepoint bandwidth of 768 kbps and crosses 3 serial links, so it looks like this in the equation:

EIGRP-Metric-Topology-ABCD

The bottom path AED has a chokepoint bandwidth of 512 kbps and crosses 2 serial links, so it looks like this in the equation:

EIGRP-Metric-Topology-AED

The result is that EIGRP chooses ABCD (the top path): its higher chokepoint bandwidth outweighs the delay of the extra serial hop.
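As an added example (not code from the book or from this post), the default-K metric computation in Python, run over the two paths of the exercise above: a 768 kbps chokepoint over three serial hops versus a 512 kbps chokepoint over two. Only the chokepoint bandwidths and the hop counts come from the post; the serial and Ethernet delay constants are IOS defaults, the generic K-value form goes beyond the exercise, and integer truncation at each step is an assumption about how IOS rounds.

```python
# Added example: EIGRP composite metric with the K-value defaults
# (K1 = K3 = 1, K2 = K4 = K5 = 0).  Not code from the book or the post.
# Bandwidth in kbps and delay in microseconds, as 'show interfaces' reports
# them; the formula uses delay in tens of microseconds.  Integer truncation
# at each step is an assumption about IOS rounding.

SERIAL_DELAY_US = 20_000    # IOS default delay for a serial interface
ETHERNET_DELAY_US = 1_000   # IOS default delay for an Ethernet interface


def eigrp_metric(link_bandwidths_kbps, hop_delays_us,
                 k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Classic 32-bit EIGRP metric:

        256 * [ (K1*BW + K2*BW/(256-load) + K3*DLY) * K5/(K4+reliability) ]

    with BW  = 10^7 / slowest link on the path (kbps)
    and  DLY = sum of hop delays / 10 (tens of microseconds).
    When K5 == 0 the K5/(K4+reliability) factor is taken as 1 rather than
    zeroing the metric, which is how the defaults stay useful."""
    bw = 10**7 // min(link_bandwidths_kbps)
    dly = sum(hop_delays_us) // 10
    inner = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        inner = (inner * k5) // (k4 + reliability)
    return 256 * inner


def path_metric(chokepoint_kbps, hop_delays_us, **k):
    """Metric for a path given only its slowest link; the other links on the
    path do not change the bandwidth term, so they are not needed."""
    return eigrp_metric([chokepoint_kbps], hop_delays_us, **k)


def best_path(paths, **k):
    """paths: {name: (chokepoint_kbps, [delay per hop in us])}.
    Returns (winner, {name: metric}); the lowest metric wins."""
    metrics = {name: path_metric(bw, delays, **k) for name, (bw, delays) in paths.items()}
    return min(metrics, key=metrics.get), metrics


# The two candidate paths from the exercise (constructed from the post's figures).
EXERCISE = {
    "ABCD": (768, [SERIAL_DELAY_US] * 3),   # top path: 768 kbps chokepoint, 3 serial hops
    "AED":  (512, [SERIAL_DELAY_US] * 2),   # bottom path: 512 kbps chokepoint, 2 serial hops
}

if __name__ == "__main__":
    winner, metrics = best_path(EXERCISE)
    for name, m in metrics.items():
        print(f"{name}: {m}")
    print("EIGRP installs", winner)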

Diffusing Update Algorithm (DUAL)

EIGRP uses the Diffusing Update Algorithm (DUAL), which modifies the way distance-vector routing typically works. DUAL allows routers to identify loop-free failover paths ahead of time. Using the same graphic as above, let's do an exercise and figure out how DUAL works.

DUAL works on the costs that neighbouring routers advertise (using the diagram below, say Router A wants to send packets to Router D). Two distances matter for each neighbour:

  1. The Advertised Distance (AD) is the neighbour's own metric to the destination: for B it is the cost of B-C-D, for E the cost of E-D. It excludes the first hop from A.
  2. The Feasible Distance (FD) is the total metric from A through that neighbour, ABCD or AED; that is, the neighbour's AD plus the cost of the link to the neighbour.

The idea that a path through a neighbour is loop free if the neighbour is closer to the destination than we are is called the feasibility condition. Restated: using a path where the neighbour's advertised distance is less than our feasible distance will not result in a loop.

The neighbour with the best path is the successor. Other neighbours that meet the feasibility condition are feasible successors. When the successor fails, EIGRP knows a feasible successor cannot cause a routing loop and switches to it immediately, without querying anyone.

EIRGP Metric Topology

Using the diagram above again, I am going to try to reach Router D. What I did was plug in values using the same equation as in the exercise above, working from each individual router (A, B, C, E) to D.

EIGRP-DUal
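As an added example (not code from the book or from this post), here is the feasibility condition and the successor / feasible-successor selection in Python. It is run over the numbers quoted in the "Tuning EIGRP" post above rather than the diagram here, because those are the figures the posts give: the passive-mode case (successor via D with AD 5 and FD 10) and the active-mode case (successor via D with AD 15 and FD 20, then replies from E and F). Link costs are derived as FD minus AD where the post gives both; where it does not they are assumptions, marked in the code, and only affect ranking, never the feasibility test.

```python
# Added example: DUAL's feasibility condition and successor / feasible-successor
# selection.  Not code from the book or the post.  Distances are those quoted
# in the "Tuning EIGRP" post; link costs are FD - AD where both are given,
# otherwise assumptions (marked) that never affect the feasibility test.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    via: str    # neighbour (or path) the destination is reachable through
    ad: int     # advertised distance: the neighbour's own metric to the destination
    link: int   # cost of the link from this router to that neighbour

    @property
    def fd(self) -> int:
        """Feasible distance: the neighbour's AD plus the link to it."""
        return self.ad + self.link


def feasible(cand: Candidate, successor_fd: int) -> bool:
    """Feasibility condition: AD strictly less than our FD.  A neighbour whose
    AD equals our FD might be routing through us, so equal is rejected."""
    return cand.ad < successor_fd


def feasible_successors(cands, successor, successor_fd):
    """Backups DUAL can switch to without querying anyone, best first."""
    return sorted((c for c in cands if c is not successor and feasible(c, successor_fd)),
                  key=lambda c: c.fd)


def on_successor_loss(cands, successor):
    """Route stays passive if a feasible successor exists; otherwise it goes
    active and queries must be sent.  Returns (state, new_successor_or_None)."""
    backups = feasible_successors(cands, successor, successor.fd)
    return ("passive", backups[0]) if backups else ("active", None)


def process_replies(replies):
    """Replies to the query carry each neighbour's current AD.  The lowest
    resulting FD becomes the successor; the rest are re-tested against that
    new FD and kept as feasible successors if they pass."""
    successor = min(replies, key=lambda c: c.fd)
    return successor, feasible_successors(replies, successor, successor.fd)


# Passive-mode case: A reaches G via D.  Link A-D = FD - AD = 10 - 5 = 5.
PASSIVE_SUCCESSOR = Candidate("A-D-G", ad=5, link=5)
PASSIVE_ALTERNATES = [
    Candidate("A-D-E-G", ad=19, link=5),    # via D after the D-G link fails
    Candidate("A-D-H-F-G", ad=20, link=5),  # via D after the D-G link fails
    Candidate("A-E-G", ad=7, link=4),       # link A-E assumed
]

# Active-mode case: A reaches X via D (AD 15, FD 20).  Link A-D = 5.
ACTIVE_SUCCESSOR = Candidate("D", ad=15, link=5)
ACTIVE_NEIGHBOURS = [
    Candidate("B", ad=27, link=1),    # link assumed
    Candidate("C", ad=27, link=1),    # link assumed
    Candidate("E", ad=20, link=15),   # A-E = 20 - 5, from the reply figures
    Candidate("F", ad=21, link=16),   # A-F = 21 - 5, from the reply figures
]
ACTIVE_REPLIES = [Candidate("E", ad=5, link=15), Candidate("F", ad=5, link=16)]


def passive_case():
    """Link D-G dies: a feasible successor exists, so no query is sent."""
    return on_successor_loss([PASSIVE_SUCCESSOR] + PASSIVE_ALTERNATES, PASSIVE_SUCCESSOR)


def active_case():
    """Router D dies: nobody passes the test, the route goes active, and the
    replies decide the new successor (E) and feasible successor (F)."""
    state, _ = on_successor_loss([ACTIVE_SUCCESSOR] + ACTIVE_NEIGHBOURS, ACTIVE_SUCCESSOR)
    if state == "passive":
        return state, None, []
    successor, backups = process_replies(ACTIVE_REPLIES)
    return state, successor, backups


if __name__ == "__main__":
    print("passive case:", passive_case())
    print("active case:", active_case())
```

Note that Router E is rejected in the active case even though its AD (20) is no worse than the FD: the condition is strictly less than, which is exactly what guarantees the backup cannot be a path back through us.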

Queries

Having a feasible successor gives the fastest convergence. A feasible successor is a backup path that can be substituted immediately should the active path go down, without changing state or asking neighbours for a path. Should an active path go down with no feasible successor, the router sends queries to its remaining neighbours. A neighbour that does not know an alternative path asks its own neighbours in turn.

Recursive queries can spread a long way, and a router that is still waiting for replies when its timer expires is stuck in active (SIA). Split horizon (a router should not advertise a network back out the link on which it learned it, as covered in CCNA) keeps queries and updates from bouncing straight back.

Queries continue until an answer is found or until no one is left to query. When a router sends queries it changes the route to the active state (actively querying for an alternative path) and starts a timer (3 minutes by default). If the timer expires before every reply has returned, the route is declared SIA and the neighbour relationship with the unresponsive router is reset. SIA typically occurs because queries are not properly limited in scope.

The primary way to limit how far queries travel (called query scoping) is to summarize (also allows quick convergence).

Incremental Updates

EIGRP periodically sends hellos to maintain neighbourship, but only sends updates when a change occurs. When a route is changed or withdrawn, an incremental update is sent including only those changes.

Multicast Addressing for Updates

EIGRP carries its packets over its own Reliable Transport Protocol (RTP). Each packet flags whether it must be acknowledged: a single multicast Hello is sent with an indicator that it need not be ACKed, while updates and other reliable packets indicate that an ACK is required.

EIGRP uses both multicast and unicast addressing.

RTP here is the Reliable Transport Protocol, Cisco's own transport for EIGRP packets (not the Real-time Transport Protocol used for voice and video). Reliable packets carry sequence numbers so that loss can be detected and the packet retransmitted. Hellos and ACKs themselves are sent unreliably and are never acknowledged.

Incremental updates cannot be anticipated, so update, query, and reply packets must be ACKed by the receiving neighbour.

Updates are sent using reliable multicast (Reserved Class D address, 224.0.0.10). When a neighbour receives a multicast, it ACKs the receipt with an unreliable unicast.

Unequal-Cost load sharing

All IP routing protocols on Cisco routers support equal-cost load sharing. EIGRP is unique among the protocols covered here in also supporting unequal-cost load sharing.

Unequal-cost load sharing takes the successor's FD and multiplies it by the configured variance. Any other path whose FD is below that product, and whose neighbour also satisfies the feasibility condition (so that it is already a feasible successor), is added to the routing table for load sharing. The sharing is proportional, not equal.

EIGRP passes each interface a share of the traffic in proportion to its metric (for example 60/40), so all the links to a destination carry data without saturating the slower ones or under-using the faster ones.
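As an added example (not code from the book or from this post), the variance selection in Python over a constructed topology table for one destination. It shows the caveat a practitioner trips over: a path with a cheap FD that fails the feasibility condition is never used, no matter how large the variance. The at-or-below comparison is chosen so that equal-cost successors still share at the default variance of 1, and the traffic-share figures are inverse-metric proportions, an approximation of IOS's integer traffic share counts (assumption).

```python
# Added example: unequal-cost load sharing with 'variance'.  Not code from the
# book or the post.  Routes below are constructed.  A path is used only if it
# passes the feasibility condition (AD < successor FD) AND its FD is at or below
# successor FD * variance; traffic shares are inverse-metric proportions, an
# approximation of IOS's integer traffic share counts (assumption).
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    via: str   # next-hop neighbour
    ad: int    # neighbour's advertised distance
    fd: int    # our feasible distance through that neighbour


def load_sharing_paths(routes, variance):
    """Successor plus every feasible successor whose FD <= successor FD * variance.
    variance=1 is the default: only the best (equal-cost) path(s) carry traffic."""
    successor = min(routes, key=lambda r: r.fd)
    limit = successor.fd * variance
    return [r for r in sorted(routes, key=lambda r: r.fd)
            if r.ad < successor.fd and r.fd <= limit]


def traffic_shares(paths):
    """Proportional sharing: a path with half the metric carries twice the traffic."""
    weights = {p.via: 1 / p.fd for p in paths}
    total = sum(weights.values())
    return {via: round(w / total, 2) for via, w in weights.items()}


# Constructed topology table entries for one destination.
ROUTES = [
    Route("E", ad=5, fd=20),    # successor
    Route("F", ad=5, fd=21),    # feasible successor, slightly worse
    Route("B", ad=27, fd=28),   # cheap FD but fails feasibility: never used
    Route("G", ad=10, fd=45),   # feasible, but only within reach at variance >= 3
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        paths = load_sharing_paths(ROUTES, v)
        print(f"variance {v}: {[p.via for p in paths]} shares {traffic_shares(paths)}")
```

Raising the variance to 2 pulls in F but not B, even though B's FD of 28 is well under the limit of 40; B's neighbour reports a distance (27) worse than our own, so sending it traffic could loop.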

Resources:

Stewart, B. D. (2008). CCNP BSCI Official Exam Certification Guide, Fourth Edition. Indianapolis: Cisco Press.

Have a look at EIGRP Aragoen Celtdra notes on the same section of work

Introduction to EIGRP

Internetworking Technology Handbook – EIGRP

EIGRP Technology Whitepaper

The Dual Algorithm


BSCI Design Foundation – Routing Protocols

Published
by
Deon Botha
on July 25, 2008
in BGP, BSCI, BSCI Notes, CIDR, Certification, Cisco Systems, Concepts and Constructs, EIGRP, IGRP, IS-IS, OSPF, RIP, RIPv2 and VLSM
. 2 Comments

Routing protocols employ one of two basic strategies to communicate/propagate routing information:

  • Distance vector routing protocols work by passing copies of their routing tables to their neighbours (a.k.a routing by rumour).
  • Link State routing protocols work by advertising a list of neighbours and the network attachment state to their neighbours until all routers have a copy of all the lists, routers then run the Shortest Path First Algorithm to analyse all paths and determine the best paths available.

Routing-Protocol-Diagram

Distance vector routing protocols are less processor- and memory-intensive than link state protocols, but can form loops because routing decisions are made on incomplete information.

Link state routing is loop-proof because routers know all possible routes, but link state routing requires more CPU time and memory.

Classless and Classful Routing

An important characteristic of a routing protocol is how it advertises its routes. Older routing protocols (RIP and IGRP) do not carry a subnet mask: the receiver assumes the mask is the same as the one on the receiving interface, or else the default classful mask (/8 for Class A, /16 for Class B, /24 for Class C). This is called classful because the assumption is based on the class of the IP address.

Modern routing protocols (OSPF, IS-IS, and EIGRP) explicitly advertise the mask with each route. No assumption is made; the mask is clearly indicated. This is called classless, since an address alone is not a good indicator of its subnet mask.

Variable Length Subnet Masks (VLSM) refers to the property of a network that allows different subnet masks to be mixed throughout the network.

Classless Interdomain Routing (CIDR) is a property of a network that allows classful networks to be aggregated.

Classless routing protocols support both VLSM and CIDR.

Interior and Exterior Gateway Protocols

Most protocols are “Interior Gateway”, meaning that they are designed to be run inside a network (inside the trusted boundaries of the company).

BGP, on the other hand, is an exterior gateway protocol (EGP) used for routing between autonomous systems (AS) on the Internet, outside the trusted boundaries of the company. As BGP is the only EGP in use, you will have to consider it if you connect your network to the Internet.

Convergence Times

Routing-Protocol-Convergenc

A distinguishing characteristic of routing protocols is convergence time. A routing protocol is converged when every router in the topology has shared its routing information, knows the best available paths, and is forwarding along them. A change (a router going down, a router being added, and so on) forces the routers to exchange information again, because there are routes they no longer have correct information on. The time between the network change and forwarding along the new paths is the convergence time, generally classed as either slow or fast.

Fast convergence would mean that the routing protocol is able to recognize a problem on the network and fix that problem faster than a user can call to report a given problem.

Slow protocols, such as RIP and IGRP, can take up to minutes to converge when a problem occurs.

Fast protocols (OSPF, IS-IS, EIGRP) generally take less than 10 seconds to converge.

Proprietary and Open Standard Protocols

The important aspects to look for in routing protocols is speed of convergence and whether the protocol is classless (OSPF, IS-IS, and EIGRP). While OSPF and IS-IS are open standards (plays well with other vendors kit), EIGRP is Cisco proprietary (Cisco Only). Of the three protocols EIGRP is the easiest to configure and maintain but requires a pure Cisco environment to run.

Routing Protocol and the ECNM

Routing-Protocol-Size-of-Ne

The ECNM mentioned in previous posts can assist in showing where a particular routing protocol will run in the enterprise. Using information discussed above and using the ECNM the above diagram shows what the advanced routing protocols (EIGRP, OSPF, IS-IS) are best suited for when considering size of network, speed of convergence, VLSM, open or proprietary, and support staff knowledge needs.

The object (ideal) is to have a single routing protocol running throughout the enterprise (reality however is another story) where the enterprise edge will require BGP as the only EGP and at least one if not more of the IGPs within the enterprise boundaries depending on needs/requirements of end-points or design specifications.

In Summation

Routing-Summary

Older routing protocols (RIP, RIPv2 and IGRP) are slow because they send a full copy of their information periodically, these periodic transmissions act as both routing advertisement and keepalive message. In addition to being slow they consume a lot of bandwidth relative to their function (RIP every 30 seconds).

More modern routing protocols are faster because they separate the routing advertisements and the keepalive messages. Updates are only sent out when new networks need to be advertised or old networks need to be withdrawn; otherwise routers just need to verify that neighbours are still alive (EIGRP every 5 seconds).

RIP and IGRP

These are older distance vector routing protocols that are slow and classful. Some legacy systems (UNIX) expect to learn their default gateway by eavesdropping on RIP advertisements. If you deploy RIP use RIPv2 which is classless.

EIGRP

A modern distance vector routing protocol. It is classless and fast as well as being easy to configure and maintain. Some organizations refuse to implement proprietary standards though (EIGRP provides equivalent performance to OSPF but is easier to implement and maintain).

OSPF

OSPF is a modern classless and fast link-state routing protocol. OSPF has a steep learning curve and uses more processor time and memory than EIGRP. This is the open standard if an organization supports a heterogeneous mixture of routers or has a philosophical problem with proprietary standards.

IS-IS

This routing protocol was developed to compete with OSPF and the two are more similar than they are dissimilar. It is moderately difficult to find anyone who has experience working with IS-IS even if it is open, fast, and classless. There is still however some interest in IS-IS because it can be adapted to support MPLS and IPv6.

BGP

BGP is a routing protocol used between AS on the Internet and you will have to use it to connect your network to the Internet.

Resources:

Internetworking Technology Handbook Routing Basics

Internetworking Technology Handbook RIP

Internetworking Technology Handbook IGRP

Internetworking Technology Handbook OSPF

Internetworking Technology Handbook EIGRP


BSCI Design Foundation – Network Models

Published
by
Deon Botha
on July 25, 2008
in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA
. 0 Comments

Design – Hierarchical

Hierarchical Design

Where networks were once non-hierarchical (a layer-1 design, a layer-2 design, a layer-3 design), they are now generally three-layer hierarchical (above). Cisco has used this model for years; it gives a high-level overview of how a reliable network can be conceived, but it is largely conceptual because it provides no specific guidance on how to implement things like:

  • Implementing redundancy,
  • Adding Internet Access,
  • Accounting for remote users,
  • Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

Access-Distribution-Core ECNM

Revisions to the hierarchical design added redundant distribution and core devices and connections to make the model more fault tolerant. The switch block design (above) explained how redundancy fits into a network, but still did not adequately specify the other parts of the network design. This led to the development of the Enterprise Composite Network Model (ECNM) to address the shortcomings of both the hierarchical model and the switch block model.

This ECNM is broken into three large pieces:

  • Enterprise Campus,
  • Enterprise Edge,
  • Service Provider Edge.

Enterprise Composite Network Model

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

  • Campus Backbone (like the core layer of the hierarchical model),
  • Building Distribution,
  • Building Access,
  • Management,
  • Server Farm (Enterprise Services).

The ECNM Campus builds onto the Switch block design but gives specific guidance as to where to place servers and management equipment. Take note that the servers look like a switch block and are redundantly attached (dual-homed) to the switches (not really shown nicely in the diagram).

ECNM – Enterprise Edge

The Enterprise edge shows the connections that the enterprise has with the wide area (other networks) and include:

  • E-Commerce,
  • Remote Access,
  • Internet Connectivity,
  • WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

  • Internet Service Provider (ISP),
  • Public Switched Telephone Network (PSTN) for dialup,
  • Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically voice traffic used one set of circuits and data traffic another. Also if you wanted more than one “number” the telecommunications company installed another physical line to your premises. If you wanted access to a data network they installed a data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea), 24 pulse-code-modulated, time-division-multiplexed speech channels are carried over two copper pairs (I don't know this well; I need to ask one of the engineers about it). This saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer's usage requirements change (see the E-carrier system for Europe and other countries).

As technology changes so does the requirements from that technology; Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic all on the same single secure infrastructure (convergence). The traffic is forced (statistically multiplexed) to share access to the network.

Service-Orientated Network Architecture (SONA) and Intelligent Information Network (IIN)

As covered above “Multiplexing” described the idea of a converged network as a system that integrates what was previously disparate systems (voice, video, data). The traffic types usually found on a converged network would include, but may not be limited to:

  • voice signalling and bearer traffic,
  • Core application traffic (ERP and CRM),
  • Transactional traffic related to database interactions (SQL),
  • Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
  • Multicast multimedia,
  • Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful execution. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for filtering, these processes are collectively known as QoS.

Going beyond QoS, Cisco describes a vision called the Intelligent Information Network (IIN). It describes a network that integrates network and application functionality cooperatively, allowing the network to be "smart" about how it handles traffic and to minimize the footprint of applications. The IIN evolution is described in three phases:

  • Phase 1: Integrated Transport, deals with a converged network, built along a similar fashion of the ECNM and based on open standards (cross-compatibility)
  • Phase 2: Integrated Services, posits virtualization of resources such as servers, storage and network access, moving to an "on-demand" model. Don't think marketing/advertising "virtualization"; think practical virtualization: the ISR routers (routing, switching, voice, network management, security and wireless) designed as an all-in-one appliance, and virtualizing servers on hardware properly designed for the job. You can't try this on SMB servers, or recycle 10-year-old technology thinking "bargain, let's load 5 operating systems on this".
  • Phase 3: Integrated Applications, using application orientated networking (AON) to make the network “aware” allowing the network to actively monitor and participate in service delivery.

Service-Orientated Network Architecture (SONA) is the practical application or “how-to” of IIN in enterprise networks. SONA breaks down IIN into three layers;

  • SONA Infrastructure Layer is basically the same as IIN Phase 1,
  • SONA interactive Services Layer maps to IIN Phase 2,
  • SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design


Cisco and DDNS

Published
by
Deon Botha
on June 4, 2008
in Cisco Systems, Concepts and Constructs, DDNS and Support
. 3 Comments

A little off-topic (switching being topic at the moment) but I ran into this today again and wanted to jot it down quick.

WARNINGS: The commands below enable public access to internal resources. This should not be done if you do not understand Access Control Lists (ACLs) and/or do not have a proper firewall (not Windows Firewall) installed; a PIX or ASA, or even ISA Server, would do. I prefer not doing this at all, because it creates a rather obvious place for network attacks to happen. You must know that these commands are what I know to work; you may disagree, and I would love to hear what you do/use. I take no responsibility whatsoever for how you use these commands, and you shall be responsible for your losses or your clients' losses if you do not implement this correctly or data/information is stolen.

Dynamic Domain Name Service (DDNS) keeps a DNS hostname pointed at an address that changes, so that resources on a local network can be reached by name from the internet even when that network is connected through a dynamic (constantly changing) IP address, as most ADSL connections are.

To understand the concept: the Domain Name Service (DNS) maps human-readable hostnames (www.companyweb.org) to IP addresses (192.168.0.1), so that clients and networking infrastructure can deliver traffic to the right place. The internet uses DNS so that we can go to www.google.co.za and not have to remember the IP address of Google and the million other sites online.

DDNS makes it possible for small and medium businesses (SMBs) to give employees, customers, partners and other stakeholders access to internal resources (mail, intranet, price lists, documents, etc.) without having to pay for a static IP address from their ISP. This is not limited to SMBs, as some larger companies have dynamic connections and also use the service. There are of course security concerns and problems with DDNS.

By enabling DDNS you allow external (untrusted) access to internal (trusted) resources. This brings not just known visitors (employees, customers, partners and other stakeholders) but unknown ones (random hits, hackers, etc.). If you do not implement proper security you may, and probably will, lose information and data without even knowing it.

The DDNS commands are supported on Cisco's SMB-range routers and upward, and services like DynDNS can be configured without much hassle. There are some small things to watch out for, though, which I cover below.

Step 1: Open an account with DynDNS (other services also work with Cisco routers; I have only used DynDNS and I am happy with them; check the Cisco configuration guide for the commands for other providers). Once you have the DynDNS account, set up a free DynDNS hostname (they have many options, like your-option.domain.com) and write it down together with your username and password.

Step 2: Add members.dyndns.org to your host table and statically configure your ISP's DNS servers. You could skip this, but the update works more reliably if you do.

Router(config)#ip host members.dyndns.org 63.208.196.96
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#ip name-server xxx.xxx.xxx.xxx

Things to change: xxx.xxx.xxx.xxx is your ISP's DNS server address; put the primary server in the first name-server line and the secondary in the second.

For those with ISPs that love changing their DNS servers regularly (I know some ISPs change their DNS servers monthly; they have a list of DNS servers and which ones are active in a given month is anyone's lucky guess), this is great if you charge by the hour and bad for your client, because they will see you every month (i.e. bad for Cisco's image, because the client thinks his Cisco kit breaks every month).

Via Etherealmind: you can give OpenDNS a try. OpenDNS is DNS with a little extra, as they include phishing protection and spelling correction in their service.

Step 3: This is tricky because the URL contains a special character; play around with it and see what happens. When you get to the special character in the line, press Ctrl+V first so that IOS accepts the character as input instead of treating it as a command.

Router(config)#ip ddns update method dyndns
Router(DDNS-update-method)#HTTP
Router(DDNS-HTTP)#add http://DYNDNS-USERNAME:DYNDNS-PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
Router(DDNS-HTTP)#exit
Router(DDNS-update-method)#interval maximum 0 28 0 0

If you don't get it, the special character I mentioned is the question mark, which IOS treats as a request for context help and will not accept as input without the Ctrl+V. Things to change: DYNDNS-USERNAME is your DynDNS username and DYNDNS-PASSWORD is your DynDNS password.

Step 4: Apply the update on the Dialer interface (not the ATM, FastEthernet or GigabitEthernet interfaces). This could also be put on the Serial interface (say for a flapping link), but if you have a leased line for internet you would probably have a static IP address, and why you would use DDNS then I don't know; it could and probably would work, though.

Router(config)#interface Dialer1
Router(config-if)#ip ddns update hostname your-option.domain.com
Router(config-if)#ip ddns update dyndns host members.dyndns.org

Things to change: your-option.domain.com is the hostname you chose at DynDNS, like game-server.dyndns.org.

Step 5: We are doing this for a reason, and the reason behind DDNS is to make a private resource available to the public internet. To achieve this in IPv4, NAT or PAT is used when a single internet connection is available. NAT basically takes multiple internal addresses and lets all of them access the internet at once through a single internet connection. For this to work you need to mark the NAT inside and NAT outside interfaces.

Router(config)#interface Dialer1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface vlan VLAN-Number
Router(config-if)#ip nat inside

I use a VLAN and map the VLAN to a FastEthernet or GigabitEthernet interface; you may or may not do it this way.

Step 6: Configure NAT to extend an internal resource to the public. Say I am doing this for Small Business Server 2003 (SBS), for Exchange Outlook Web Access (OWA). This uses HTTP on port 80 and HTTPS on port 443. Consider only doing this if you have the Premium Edition (which comes with ISA Server), so that you can exercise some control over what you publish and what you don't.

Router(config)#ip nat inside source list 101 interface Dialer1 overload
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 80 interface Dialer1 80
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface Dialer1 443

Things to change here: xxx.xxx.xxx.xxx is the SBS IP address (the default is 192.168.16.2). Note that the overload statement refers to access list 101, which must exist and should permit only the internal subnet that is allowed out; if the list is not defined, nothing is translated.

Step 7: Disable the router's HTTP and HTTPS servers so that you won't get the router's login page when you try to access your-option.domain.com. That is annoying, could break the functionality and is also a security risk.

Router(config)#no ip http server
Router(config)#no ip http secure-server

These commands disable the web GUI! If this is a problem, consider not configuring DDNS. Leaving the HTTP server on may break functionality because it also uses TCP port 80, meaning that when you type the URL the router won't know whether to give you OWA or the web GUI. It is a security problem because every time someone comes to the external address on port 80 the router will ask for a level 15 login and password (Cisco-specific information, and anyone who knows network kit knows this means Cisco kit lurks yonder), and they may well get into the router and factory-reset it for you if they manage to log in or you haven't chosen a secure password (which is not good).

Step 8: Configure ACLs (at the very least) for WAN traffic. Some ISR routers come with a firewall feature set; consider configuring that too. Disable CDP on external-facing interfaces, etc. (in other words, take due care and diligence in setting up a properly secured router, plus some more, because you are letting the outside world into the private network).

Step 9: Verify DDNS using the show command (from privileged EXEC mode, not configuration mode)

Router#show ip ddns update

Alternatively you can use the debug command

Router#debug ip ddns update

Step 10: I'm not paranoid (all this talk of security), I just don't like gambling with Lady Luck. Exposing any part of the internal network to the outside world is a security risk that can be mitigated (not totally) and controlled. Consider this, and how to mitigate the risk, before exposing something like SBS (which by all accounts is the business nervous system in an SMB).

Notes and Notices:

Anything free is meant to be taken with a pound of salt. I take no responsibility for loss or damage from implementing the above commands on routers or networks without proper consultation and documentation done by myself in person with end users. I do not recommend this configuration; by writing this I do not imply that it is a good idea to implement or configure in all situations.

In good Afrikaans, “Die is als voets-toets” (all of this is offered as-is, with all faults).

