[TOC]

TCP/IP and OSI

1. 应用层
   1. 应用层
   2. 表示层
   3. 会话层
2. 传输层-transport:TCP,UDP.提供一个基于ip的可靠传输协议TCP和努力交付的UDP
3. 网络层-network:IP.实现对数据来源去向的定位和路由
4. 数据链路
   1. 数据链路层:Ethernet,HDLC.实现对数据的基本的帧控制,差错校验等,使用MAC地址定位.
   2. 物理层:Ethernet.完成从物理设备模拟信号到数字信号的变换. 不同设备之间same-layer interaction(相同层交互),同一设备上adjacent-layer interaction(不同层交互).较底层为较高层提供服务,自底层向高层封装数据包,高层自底层解封数据包.数据段(segmen)对应传输层,数据包(packet)对应网络层,帧(frame)对应链路层.

arp(Address Resolution Protocol)

连接网络层和数据链路层的协议,提供根据ip查询MAC地址的服务.

电缆引脚

相同:交叉电缆 不同:直连电缆

CLI相关

IOS的命令行界面称为CLI.CLI有三种模式,USER模式,EXEC(也叫特权)模式,配置模式(分为很多种不同的配置模式),接口模式(配置模式的一种,但我觉得比较特别).刚进入时,为用户模式,使用enable指令进入EXEC模式,EXEC模式通常是使用各种show命令查看设备信息.EXEC模式下使用configure terminal进入全局配置模式,全局配置模式下可使用各种配置命令进入不同的子项配置模式,也可以使用interface指令单独配置某一接口,使用interface range interface num1/num2 num3进入更多接口.在配置模式中要使用show命令可以使用do show

交换机有三种连接方式,console口,auxiliary port line,virtual terminal(vty)(like Telnet和ssh).Telnet明文传输信息,不安全.要想使用ssh连接,需要给设备配置ip地址,一般在vlan接口处配置,也可以使用DHCP自动获取.

password type:

• type 0:plain text;not recommend(by default)
  • enable password
• type 7:use weak encryption algorithm;not recommend
  • service password-encryption
• type 5:use MD5 hashing;not recommend
  • enable secret
• type 8:use SHA-256 hashed secret and password salting.recommend
• type 9:recommonded by cisco

privilege

• level 0:disable,enable,exit,help,logout
• level 1:USER EXEC mode,no configure terminal
• level 15:privileged EXEC mode.

配置密码

配置模式(默认全局配置模式,for old version):

• 共享密码
  1. enable [password|secret] password-value(!特权模式密码)
  2. line console 0
  3. enable [password|secret] password-value2(!console线密码)
  4. login
  5. line aux 0
  6. login
  7. line vty 0 4(!编号0-4)(!进入vty线路模式)
  8. enable [password|secret] password-value3(!telnet登入密码)
  9. login
• 用户名密码对
  1. username name {secret|password} [level] password
     1. (!can set a privilege level for which commands they can use here)
  2. line con 0
     1. exec-timeout minites seconds
     2. login loacl
  3. line aux 0
     1. login local
     2. (!可选)no password(!删除共享密码)
  4. line vty 0 4
     1. access-class {acl-num|acl-name} {in|out}
     2. transport input {all|none(!默认值)|telnet|ssh|telnet ssh}
     3. login local
     4. (!可选)no password(!删除共享密码)

配置ssh

配置模式:

1. hostname name
2. ip domain-name domain-name
3. crypto key generate rsa [modulus modulus] (!生成rsa公私钥)(!sshv2至少需要768位密钥,IOS XE 17.11.1 need least 2048 bits)
4. (!可选)ip ssh version 2

其他命令

配置模式:

• write(!保存配置)
• save(!GNS3中vpc保存配置)
• (!rotary,allow ssh or telnet use other port)
  • ip tcp port port rotary rotary-group
  • line line line-num
  • rotary rotary-group

排错

1. console
   1. 正确的com端口,一般是最后一个
   2. 终端程序:9600波特,8数据比特,1停止比特
   3. login或login local或login authentication
2. telnet
   1. ip可达
   2. login或login local或login authentication
   3. 默认5条vty线路
   4. acl是否阻塞tcp端口23
3. ssh
   1. ssh版本要匹配
   2. login local或login authentication(aaa)
   3. sshv2,密钥长度要大于768
   4. tcp端口22

log

日志消息默认发送给通过console方式连接的用户,日志有不同的严重等级,0~7严重 等级依次递减.等级7代表debug消息.

配置

配置模式:

• logging monitor(!在IOS中启用向终端发送日志的功能)
• terminal monitor EXEC(!终端中使用表示希望接收日志)

debug

debug是和show类似的有大量可选项的命令,但很消耗计算资源,在实际生产中小心或避免使用.

• debug结束使用undedbug all指令.
• debug 按接口条件过滤时,要结束需要额外使用undebug interface interface

(最好先在测试环境使用)

configuration

1. debug interface interface
   1. debug args

环回接口

环回接口不是ip地址中的127.0.0.1环回接口,是IOS中可以创建的虚拟接口,可以分配ip并被路由,并且总是up/up状态,不能shutdown.

配置

配置模式:

• interface loopback num(!任意整数)
• (!之后可以和普通接口一样进行配置)

IP

1. 路由信息源： 路由信息源指的是路由信息的来源，可以包括直接连接的网络、静态路由配置、或是各种动态路由协议（如OSPF、BGP、EIGRP等）收 集的路由信息。这些信息源提供了网络中可达性信息的原始数据。

2. RIB（Routing Information Base，路由信息库）： RIB是路由器内部用来存储路由信息的数据库，它包含了从各种路由信息源收集来的所有路由信息。RIB中的信息包括目的网络、下一跳地址、路由的成本（如跳数、带宽等）以及路由的其他属性。路由器会根据预设的路由选择协议（如最短路径优先、路径成本最低等）从RIB中选择最优的路由信息用于构建FIB。

3. FIB（Forwarding Information Base，转发信息库）： FIB是基于RIB选出的最优路由构建的，用于实际的数据包转发。FIB通常只包含用于数据包转发决策的必要信息，如目的IP地址范围、下一跳地址和出接口。FIB是高效的，优化了查找速度，以便快速处理经过路由器的数据包。

   FIB是最佳路由的路由表,多播路由(例如ospf的hello消息),直连主机等信息.使用FIB会直接使用邻接表构建帧头.

   Network	Prefix	Adjacency

4. Adjacancy Table

   IP Address	NetHop Mac	Interface	Egress MAC

5. 路由表： 通常情况下，"路由表"这个术语可以指RIB或者是FIB，具体取决于上下文。在许多文档和命令行界面中，当我们查看“路由表”时，通常是在查看RIB，它展示了路由器知道的所有路由信息。而FIB有时被称为“转发表”或者直接是“FIB”。

ip地址用于定位,通过路由实现.路由是查找路由表,最长前缀优先的过程.

在转发查询mac地址时,查询路由表和arp缓存比较低效,cisco的CEF(cisco Express Forwarding)提供了FIB和邻接表加速此过程.

CEF

three types of packets require software handling

1. sourced or destined to the router(using control traffic or routing protocol)
2. too complex(with IP options)
3. unresolved arp entries

Address Resolution Protocol(ARP)

mapping layer 3 ip address to layer 2 mac address.Just contain next-hop to reach.

排错

show ip arp [mac-address|ip-address|vlan vlan-id|interface-id]

AD(Administrative Distance)

路由器可以从路由协议,静态路由,直连路由中接收信息填充路由表,各种协议和信息之间有优先级的差别,称为AD(管理距离).

配置

1. router {eigrp|ospf|bgp}
2. distance {eigrp ad-internal ad-external|ospf {external|inter-area|intra-area} ad|bgp external-ad internal-ad local-routes} 或在各进程下,bgp需要进地址簇: distance ad source-ip(!邻居ip???) source-ip-wildcard(!OSPF时匹配邻居RID???) [acl-number|acl-name]

• 这条指令EIGRP只会修改学到的内部路由的AD值

修改AD需要非常小心

ip地址

无子网掩码时使用网络类别,不然ip地址&子网掩码为子网网络地址.

网络类别

• A:0.0.0.0 到 127.255.255.255 (0.0.0.0 用于表示当前主机，而 127.0.0.0 子网是用于本地回环测试的回环地址).10.0.0.0子网作为私有地址
• B:128.0.0.0 到 191.255.255.255, 172.16.0.0 ~ 172.31.0.0作为私有地址
• C:192.0.0.0 到 223.255.255.255, 192.168.0.0 ~ 192.168.255.255作为私有地址

子网掩码

在同一个子网中,为不同网段使用不同掩码称为VLSM(变长子网掩码),计算是否有重叠只需计算子网广播地址是否有重叠即可.为一个子网添加一个VLSM子网,需要列出可能的子网和其广播地址,然后计算已经存在的子网和其广播地址,查看是否有冲突.格式有三种:二进制,DDN(点分十进制),CIDR(前缀)

魔法数字=256-非255非0掩码 子网ID:魔法数字倍数中最接近并小于等于IP地址的一项(从0开始) 子网广播地址:子网ID+魔法数字-1

配置

配置模式:

• ip route destination-address destination-maslk {inter ip} [ad-value]
• (!when inter and ip are set it is called Fully specified static route)
• (!when ad-value is set it is called floating static route)
• (!静态路由目的地址为以太网时,不要使用接口,因为为频繁使用arp查询mac地址导致性能降低) 接口模式:
• ip address address mask [secondary]

IPv6

• icmp升级为icmpv6,NDP(邻居发现协议)(Neighbor Discovery Protocol)代替ARP. NDP有发现路由器,发现地址信息.路由器会被要求(RS)通告(RA)自己的信息,主机通过这两种消息获取路由器信息;NS(邻居请求)和NA(邻居通告)如同arp,要求某个ipv6主机回答MAC地址,并且可以利用其检查出重复地址,这个过程叫DAD.NDP使用的是本地链路地址.
• 主要是ipv6的缩写形式./64是默认的前缀.
• 动态获取地址的方式除了DHCPv6之外多了SLAAC. 当一台主机使用SLAAC时,它需要使用NDP RS/RA消息从路由器获知ipv6前缀,然后使用EUI-64或随机生成后缀,再使用DAD确保这个地址没有被使用.NDP提供了地址前缀,前缀长度,和默认路由器的信息,最后使用无状态DHCPv6提供DNS服务器即完成了主机的网络设置.
• 路由器不是默认开启ipv6的,需要手动开启.
• 多了任播地址,几台执行相同功能的设备可以使用相同的ipv6地址.路由器只需选择离自己最近的.
• 本地链路地址对于ipv6路由来说是必要的.一般会自动生成.但手动创建接口时是一个不应该忘记的强制选项.(子接口???,tunnel,pppoe)

eui-64

1. 左24位mac:fffe:右24位mac
2. 对第7位取反(第二个数能减8减8,能减4减4,之后大于等于2的减2,不然加2)
3. 都以fe80开头 例如: MAC:08-00-27-5D-06-D6 ipv6:fe80:0a00:27ff:fe5d:6d6

配置

配置模式:

• ipv6 unicast-routing(!启用ipv6路由) 接口模式:
• ipv6 address address/prefix-length(!可以重复多次以在同一个接口上添加多个ipv6子网)
• ipv6 address 前缀(!如:2001:db8:a:a::/64) eui-64(!使用eui-64自动生成主机地址)
• ipv6 address autoconfig(!启用SLAAC)

第一跳安全

• RA保护
  • ipv6 nd raguard attach-policy [name [vlan {add|except|none|remove|all} vlan] ]
• DHCPv6保护
  • ipv6 dhcp guard attach-policy [name [vlan {add|except|none|remove|all} vlan] ]
• 绑定表
• ipv6 ND监听
• 源保护

DHCP

DHCP(dynamic host configuration protocol 动态主机配置协议)是用于自动配置ip,掩码,网关,dns的协议.DHCP设备分为3中,客户端,中继端和服务端.建议DHCP采用集中式设计,需要DHCP服务器的子网使用中继,更好控制和配置所能分配的ip地址.由于路由本身就需要知道各个网络该如何去,所以dhcp自动分配ip地址虽然有服务器功能,但设计还是仔细考虑各个子网的ip池,即子网划分.

客户端使用0.0.0.0作为源ip地址,255.255.255.255发送Discover(发现)消息,服务端会回复一个Offer(提供)消息通告可以分配的地址和其他参数.客户端收到Offer后会发送Request(请求)消息请求ip地址,如果能够分配,服务端会回复Acknowledge(确认)消息,分配ip,掩码,默认路由器,dns等.

中继会不断接收客户端信息并将源ip改为自己的ip,目的ip改为设置的helper-ip,路由数据包到服务端.

服务端有三种分配模式,动态分配(可用ip作为一个池,不断租用ip给客户端),自动分配(租用时间为无限)和静态分配(根据mac地址分配ip,已被分配ip不会再被分配).

ipv6

在ipv6中,DHCP升级为DHCPv6,不再为主机通告默认路由器,默认路由器由主机使用NDP协议发现.

配置

• 中继
  1. ip dhcp relay information trust-all
  2. ip dhcp relay information option
  3. interface interface
  4. ip helper-address server-ip(!在连接主机的接口上)
• 服务端 配置模式:
  1. ip dhcp excluded-address first last(!排除掉的地址,必须排除掉路由器接口已占有的那些地址)
  2. ip dhcp pool name(!进入dhcp池配置模式)
  3. network subnet-ip {mask|prefix-length}(!池中子网)
  4. default-router address1 address2(!默认路由器)
  5. dns-server address1 address2(!默认dns服务器)

排错

1. 由于discover消息是广播的,所以dhcp服务器和主机应当在同一子网,不然就要使用中继,中继要与dhcp服务器同一子网
2. 地址池耗尽
3. dhcp服务器冗余设置时,互相之间要能通信(???)
4. 使用show ip dhcp conflict显示重复ip,然后使用clear ip dhcp conflict *清除分配记录
5. 使用show ip dhcp binding显示分配情况,clear ip dhcp binding *清除分配情况
6. debug ip dhcp server {events|packets}

DHCP snooping

DHCP有可能会被欺骗攻击,可以使用DHCP snooping.会将信任端口(手动配置)的所有dhcp消息放行,不信任(终端)端口的DHCP服务器消息(OFFER和ACK)过滤,客户端消息经过DHCP绑定表判定,判定成功继续填充表.

配置

配置模式:

1. ip dhcp snooping

NAT

私有地址在网络中不被路由,无法定位.使用NAT技术,可以在子网内使用私有地址定位,需要连接到Internet时,将私有地址转换为可路由的单播地址.具体来说,是将ip数据报中的源修改为单播地址,PAT还会修改端口号,此时路由器还需要记住这个映射关系.思科将这个私有地址称为Inside Local(内部本地),这个单播地址(commonly address of router outside interface)称为Inside Global(内部全局).When using outside nat,outiside local means the ip addresses appears to the inside network.Outside global is the true outside address.当内部全局地址耗尽时,路由器会丢弃无法进行地址转换的包.ACL会在转换前匹配.

NAT分为三种,静态NAT,动态NAT和PAT(Port address translation).There are two types of each,inside(source) and outside(destination) NAT.

静态NAT只是单纯的为内部本地地址和内部全局地址做了映射,并且每一个映射需要手动配置.

动态NAT有一个可使用的内部全局地址池,自动完成内部本地到全局的映射,设置有分配超时时间.比静态映射稍微好一点点,所需要的内部全局地址数约等于内部本地同时访问Internet的数量.

PAT基于TCP和UDP有65535个端口,其中真正被使用的很少,所以可以通过对ip+端口同时建立动态映射来达到少量内部全局地址支持大量内部本地地址同时访问Internet.

Inside nat is common nat,translate source ip address when sending,and destination when receiving.Outside translate destination address when sending and source when receiving,used not very common.

配置

接口模式(设置nat内部和外部接口,所有NAT都需要):

• ip nat inside
• ip nat outside
• 静态NAT
  • ip nat inside source static inside-local inside-golbal [extendable (!allow one inside local address map multiple inside global address)]
    • ip nat inside source static tcp inside-local port inside-golbal port [extendable]
  • ip nat outside source static outside-global outside-local
• 动态NAT
  • ip nat pool pool-name first-address last-address netmask submask-mask
  • ip nat inside source list acl-number pool pool-name
• PAT
  • ip nat pool pool-name first-address last-address netmask submask-mask
  • ip nat inside source list acl-number {pool pool-name|interface type/number overload}

NTP

网络设备需要使用NTP(网络时间协议)来进行时钟的同步,use UDP protocol with 123 port,NTP协议中,设备分为服务端和客户端,客户端接收服务端的时钟信息并修改自身时钟,设备可以同时充当服务端和客户端.存在多个服务端时,优先级级别低者优先设备时间设置为接近的时间,再进行NTP的配置,效果更好.

stratum

quering a stratum 1 server is considered stratum 2 client.when setting multiple stratums,lower stratum is prefered.

配置

• 时间 配置模式:

  • clock timezone EST(!可以是任何值,但最好有意义.EST美国东部时间) offset(!常数,意为相比UTC(!世界协调时)多offset小时,可以为负数)
  • clock summer-time EDT(同EST) recurring

  EXEC:

  • clock set 20:59:49(!时:分:秒) October(!月) 2020(!年)

• NTP 配置模式:

  • (!客户端)ntp server {ip|hostname} [prefer] [source interface] (!指定NTP服务器用于发送和接收NTP时间同步信息的网络接口,最好使用环回接口)
  • (!服务端)ntp master stratum-number(!越低越优先)
  • ntp peer ip-address(!ntp peers act as clients and servers to each other,meaning they try to blend their to each other)

log file will contain a * next to the date if not configured a NTP.

PTP(Precicsion Time Protocol)

more precise than NTP.

after PTP is enabled in Boundary mode,all enabled poorts on connecting switches will automatically have PTP enabled.

configuration varies depending on the device type.

IGP(RIPv2, OSPF, EIGRP, IS-IS) and EGP(eBGP)

路由器之间学习路由,通告路由,选择路由,收敛路由的协议.静态路由和直连路由的信息不会用于更新路由协议的数据结构,只有邻居消息,入站路由信息,重分发路由信息会.

路由协议分为内部网关协议(IGP,适用于自洽系统(AS)内部)和外部网关协议(EGP,适用于不同自洽系统之间) 对于IGP,路由协议算法分为三大类:

• 距离矢量型(例如:RIP的跳数)
• 高级距离矢量型(EIGRP)
• 链路状态型(OSPF,ISIS(Intermediate System-to-Intermediate System))

对于EGP,BGP是不二之选了.

RIPv2

RIP使用跳数作为衡量路由优劣的距离矢量,每经过一个路由器,跳数加1.RIP基于一个短时间定时器定期向邻居发送路由信息,路由信息会被拆分,只会发送路由表中目的接口对应的不是发送目的邻居的信息.当出现路由环回时,两个路由器不停交换路由,使跳数等于16时,该路由被弃用,称为路由中毒.

配置

配置模式:

1. router rip
2. version 2
3. network net-number
4. (!可选)passive-interface(!被动模式,不发出路由更新消息)
5. (!可选)maximum-paths number(负载均衡)
6. default-information originate(RIP的默认路由通告)

OSPF

每个使用OSPF的路由器有自己的LSDB(链路状态数据库),里面保存了包含了链路状态和链路度量的LSA,LSA有7种类型.路由器需要将自己创建的LSA泛洪给OSPF邻居,直到同一区域内每台路由器的LSDB完全相同.每一台路由器使用Dijkstra SPF(shortest path first)算法处理LSDB,生成SPT(SPF Tree),视自己为根节点,得到去往每一个节点的最短路径,创建条目添加到路由表.

OSPF使用协议ID 89 .有224.0.0.5(ALLSPFRouter),224.0.0.6(ALLDRouter)或MAC地址01:00:5E:00:00:05,01:00:5E:00:00:06作为多播地址.

OSPF RID优先环回接口ip最大,其次Up物理接口ip最大,可以手动设置.

OSPF区域

OSFPF将拓扑结构网段分为多个OSPF区域,OSPF只会在OSPF区域内生效(一般来说,一个区域内路由器数量<=50).Area 0称为骨干区域,所有区域(包括普通区域和骨干区域)都必须直接或间接地连接到骨干区域(Area 0),同时连接Area 0和其他区域的路由器称为ABR,将路由重分发进OSPF域的路由器称为ASBR.骨干区域(area 0)内部的路由信息会在整个骨干区域中洪泛,这意味着骨干区域内的所有路由器都会收到来自其他路由器的路由更新.

• 所有同子网的接口在同一区域
• 区域内连续

当区域应该连续但没有时,可以将需要连接的部分使用虚链路连接,但只是临时解决方案.

OSPF邻居

OSPF有5种数据包,1. Hello 2. DBD或DDP(DataBase Description) 3.LSR(Link-State Request) 4. LSU(Link-State Update,响应LSR) 5. 确认(Link-State Acknowledgment,响应洪范的LSA)

OSPF邻居条件:

1. RID不同
2. 同一子网,除了point2point链路或虚拟链路.
3. MTU相同
4. 在同一网段内,区域ID相同
5. 在同一网段内,DR的需求相同(网段网络类型相同)
6. 在同一网段内,OSPF Hello和失效定时器相等
7. 在同一网段内,认证相同
8. 在同一网段内,路由器类型相同(末梢,非完全末梢)

OSPF邻居状态.

1. Down:未收到hello包
2. Attempt:发送但未接受到Hello
3. Init:收到Hello包,但Hello包中没有RID
4. 2-Way:已经建立双向通信,以太网的DROther的最终状态
5. ExSatrt:为LSDB选择主从设备
6. Exchange:发送DBD
7. Loading:发送LSR
8. Full:完全邻居状态.(Down和Attempt状态应该只有显式配置邻居才会出现)

OSPF有三个定时器

1. hello
2. wait(default equals dead interval)
3. dead interval(失效)

默认dead是Hello的4倍.失效时间内一直未收到邻居Hello则邻居状态变为Down.并且修改并发出LSA,区域内路由器执行SPF. 默认wait等于dead.wait时间内一直未收到DR or BDR则选举DR.

LSDB

对于IPv4,有 6 种不同的LSA:

1. Type 1 Router Links(路由器LSA):只在一个区域内泛洪,包含自身在同一区域内的每个接口的网段信息,如果是ABR,ASBR,或虚链路端点,也会标记.
2. Type 2 Networks Links(网络LSA):DR宣告多路接入网段的信息,也只在一个区域内
3. Type 3 Summary Links(network)(汇总LSA):ABR将收到的Type 1和Type 2汇总发往其他区域,此时度量为到达各网段的度量;收到area 0的Type 3,就自己生成一条新的Type 3,并且加上到宣告路由器度量给非骨干区域;而收到别的区域的Type 3,仅将其插入LSDB,不会生成新的Type 3.所以只会在骨干与非骨干之间交换.
4. Type 4 Summary Links(ASBR)(ASBR汇总LSA):ABR收到Type 5后,检查是否在自身网段,如果是,生成Type 4宣告用以定位ASBR;如果不是,收到Type 4时,会将宣告者改为自己,再宣告出去.很多Type 5也只会宣告1条Type 4.
5. Type 5 AS External Link(AS外部LSA):被重分发的外部路由.没有区域的概念,会在整个OSPF路由域内泛洪.
6. Type 7 外部NSSA LSA:见NSSA.只有执行了重分发的NSSA存在Type 7.

Type 1 会被区域间路由汇总的ABR过滤. Type 5或Type 7会被外部汇总的ABR过滤.

在没有多路接入的网段下,只需要Type 1 LSA就可以确认网络拓扑,不然,需要Type 2 LSA.

末梢区域

OSPF有4种末梢区域.末梢区域内所有路由器需要配置为末梢路由器.

1. 末梢区域:区域内禁止Type 4和Type 5 LSA.Type 5到达末梢区域ABR后,ABR生成Type 3,如果ABR配置了area 0的接口,会生成Type 3默认路由.
   1. 没有被重分发的外部路由,被默认路由代替
2. 完全末梢区域:区域内禁止Type 3,4,5.ABR收到Type 3或Type 5,会生成一条默认路由.完全末梢区域只存在区域内路由和默认路由.
   1. 除了区域内路由,所有路由被默认路由代替
3. NSSA(Not So Stubby Area):禁止Type4,5.ASBR使用Type 7在NSSA内宣告重分发的路由,到达ABR时,ABR将其转为Type 5.ABR也禁止Type 5进入区域.ABR可以配置宣告默认路由.
   1. 没有被重分发的外部路由,被默认路由代替
   2. 允许OSPF域内有自己区域ASBR重分发的路由
4. 完全NSSA:禁止Type 3,4,5.区域内禁止路由重分发.ASBR宣告路由方式和NSSA相同.
   1. 除了区域内路由,所有路由被默认路由代替
   2. 允许OSPF域内有自己区域ASBR重分发的路由

SPF

路径优先级:

1. (单个)区域内路径
2. (不同)区域间路径:所有区域间路径必须经过area 0.
3. external Type 1:$度量=重分发度量值+到达ASBR度量值$,优于Type 2.
4. external Type 2:$度量=重分发度量值$(默认外部度量类型) (外部路由的Type和LSA的Type没有关系,都是Type 5或7 LSA.)

外部Type 1,2又分为E1,N1,E2,N2(E为ASBR宣告,N为NSSA宣告).N始终优于E,N会阻止E的安装.Type 1如果度量相同会被同时安装到RIB中,Type 2会比较到达宣告ASBR的转发开销.

计算SPF树时,网络链路有三种类型:

1. 转接:邻居邻接关系已经建立,并且选举了DR
2. 点对点:在不需要选举DR的网段上,已经建立了邻居邻接关系(会多宣告一条末梢网络提供子网掩码)
3. 末梢:未建立邻居邻接关系

DR

OSPF在以太网或帧中继等多路接入网络中,由于一个网段可以有大于二个路由器,OSPF会建立过多邻居邻接关系.所以OSPF中需要选择DR(Designated Router,指定路由器)和BDR(备用指定路由器).只有DR和BDR会和其他DROther(非DR非BDR的路由器)交换LSDB.

广播网像以太网,支持广播,NBMA(非广播)例如帧中继,x.25,atm可能同一个网段有多个路由,但不支持广播,所以hello消息只能单播,但又需要DR.

选举DR时,优先级越高越优先,但默认值都为1,优先级为0时不会参与选举,其次RID越高的越优先,修改优先级控制DR更优.OSPF RID当有显式配置时显式配置优先,其次是up的环回接口上的最高者,然后是up的普通接口上的最高者.

选举DR过程和STP选举根交换机类似,也是默认不抢占的.

1. 在Hello包中发出自己的优先级和RID.
2. 收到的Hello包更优则发送更优的优先级和RID.
3. 达成一致后和DR建立邻居邻接关系.
4. 同样方式选举BDR,但DR不参与

转发地址

Type 5 LSA转发地址默认是0.0.0.0,此时所有路由器应该把数据包发给ASBR. 如果有以下情况:

1. ASBR指向的下一跳接口启用了OSPF
2. 接口不是被动接口
3. 接口网络类型是广播或非广播类型 需要将0.0.0.0改为下一跳IP地址,OSPF路由器将流量转发给转发地址.

配置

配置模式:

1. router ospf process-id(ospf进程id)
2. (!RID) router-id router-id
3. network ip-address wildcard-mask area area-id(!wildcard-mask:例如255.255.255.255,匹配所有接口,0.255.255.255,匹配所有ip第一位为ip-address第一位的接口,0.0.0.0精确匹配ip对应的接口)
4. (!宣告默认路由) default-information originate [always (!没有默认路由也宣告???)] [metric metric-value(!路由度量)] [metric-type metric-type(!路由度量类型)] (!通告静态路由)
5. (!带宽大于100M时,必须进行此设置)auto-cost reference-bandwidth 40000(!40000意味着带宽最大为40G(40000M)内正确计算开销值,40000拥有更好的跨平台特性)
6. (!负载均衡)maximum-paths number
7. (!区域启用认证)area area-id authentication [message-digest]
8. (!末梢区域) area area-id stub [no-summary]
9. (!NSSA) area area-id nssa {[default-information-originate]|[no-summary]}
10. (!区域间路由汇总)area area-id range network subnet-mask [advertise(!默认)|non-advertise] [cost metric]
11. (!外部汇总)summary-address network mask
12. (!虚链路)area area-id virtual-link end-point-RID(!对端RID或区域ID)
13. (!被动接口)passive-interface {type number|default(!默认所有接口为passive)}
14. (!区域路由过滤)area filter-list prefix name {in|out}
15. (!distribute-list in can be used to filter routes from entering the routing table from the OSPF LSDB.)
16. prefix-suppresion(!suppress the advertisement of the specific interface IP addresses (like 192.168.1.1/32) and only advertise the subnets (192.168.1.0/24))

接口模式:

• (!接口启用认证)ip ospf authentication [message-digest]
• (!明文认证密码)ip ospf authentication-key password
• (!md5认证密码)ip ospf message-digest-key key-number md5 password
• ip ospf process-id area area-id[secondearies none(!不添加辅助直连网络到LSDB)] (!代替进程下的network指令)
• ip ospf cost x(!直接设置开销值)
• ip ospf network type(!设置网络类型,例如point-to-point将邻居关系建立在唯一的相邻路由器上，减少网络的控制消息和开销)
• (!DR优先级)ip ospf priority 0-255(!要立即生效需要重启DR/BDR的ospf进程)
• (!定时器)ip ospf {hello-interval|dead-interval} 1-65535

排错

1. 邻居关系 没建立邻居关系通过show cdp neighbor
   1. 接口关闭
   2. 接口上未运行OSPF:
      1. show ip ospf interface brief(!不显示被动接口)
      2. show ip protocols
   3. 定时器:
      1. show ip ospf interface interface-type number(!查看自身)
      2. debug ip ospf hello(!查看邻居)
   4. 区域ID
      1. show ip ospf interface brief
      2. debug ip ospf adj
   5. 区域类型
      1. show ip protocols(!查看整个区域的数据统计)
      2. show ip ospf(!该路由器的详细信息)
      3. debug ip ospf hello
   6. 子网
   7. 被动接口
      1. show ip protocols
   8. 认证
      1. show ip ospf(!查看区域认证)
      2. show ip ospf interface type num(!查看接口认证和密钥ID)
      3. show run interface type num(!查看密钥字符串)
   9. ACL
      1. show ip ospf interface type num(!查看接口是否启用ACL)
      2. show access-list num/name(!查看具体ACL配置,注意末尾默认有deny all)
   10. MTU:不匹配会成功建立邻居关系,但会陷入ExStart/ExChange状态
       1. show run interface type num(!没有mtu配置则为默认1500)
       2. 可以在接口模式中使用ip ospf mtu-ignore
   11. RID重复
   12. 网络类型
       1. show ip ospf interface type num
2. 路由
   1. 接口未运行OSPF
      1. show ip protocols
   2. 更优的路由:AD表
   3. 路由过滤:OSPF的路由过滤控制的是LSDB中哪些路由进入路由表
      1. show ip protocols(!查看是否有,有哪个路由过滤器被应用)
      2. show ip {prefix-list name|access-list name|num|show route-map name}(!查看过滤器具体内容)
   4. 末梢区域
      1. show ip ospf
   5. 接口关闭
   6. DR选举错误:星形帧中继或DMVPN时,只能由中心点作DR
      1. show ip ospf interface type num(!查看Designated Router)
      2. show ip ospf interface brief(!查看哪些接口是否是DR)
   7. RID重复

ipv6

支持ipv4,ipv6双栈的ospf协议是ospfv3协议家族,与ospfv2不兼容.使用协议ID89.多播地址:FF02::05(ALLSPFRouters),FF02::06(ALLDRouters)

• SPT计算基于链路而不是子网
• 新LSA字段确定LSA泛洪范围和未知LSA类型的处理
• 删除邻居认证,改为使用IPsec(互联网络层安全协议)
• 使用ipv6链路本地地址.允许不共享子网的路由器建立邻居关系.
• 多实例
• RID必须手动指定 if there's no ipv4 address on interfaces.
• The next-hop address is shown as an IPv6 link-local address

LSA

ospfv3相比v2的区域,自治系统多了链路本地的泛洪范围. LSA Type字段由8bit扩充为16bit. 前3bit为U,S2,S1

配置

配置模式:

1. ipv6 unicast-routing
2. router ospfv3 process-id
3. (!RID) router-id router-id(!A reserved instance ID in the range 64 to 95 identifies a neighbor adjacency as being used for IPv4.)
4. (!被动接口)passive-interface {type number|default(!默认所有接口为passive)}
5. (!地址簇) address-family {ipv6|ipv4} unicast(!在使用该命令后,接口上的ospfv3会自动启用需要的地址簇.进入AF配置模式,比在ospfv3进程下的配置具有更高优先级)

接口模式:

1. ospfv3 process-id {ipv4|ipv6} area area-id
2. (!可选) ipv6 ospf cost x
3. (!可选)ip ospf priority num

排错

• show ipv6 protocols
  • PID
  • RID
  • 路由器类型(ABR,ASBR)
  • Area ID
  • 区域类型(末梢区域或NSSA?)
  • 接口及接口所属区域
• show ipv6 ospf
  • PID
  • RID
  • 路由器类型(ABR,ASBR)
  • 定时器
  • Area ID
  • 区域类型
  • 基准贷款
  • 认证
• show ipv6 ospf interface brief
  • 各接口PID
  • 各接口区域
  • 协议簇
  • DR/BDR
• show ipv6 ospf interface type num
  • 网络类型
  • 开销
  • 认证
  • 优先级
  • 定时器
  • DR ID或BDR ID
• show ipv6 ospf neighbor
  • 邻居ID
  • 邻居状态
  • 邻居接口ID
  • 对应的本地接口

EIGRP

EIGRP会使用RTP建立邻居关系,维护邻居邻接表;建立邻居关系时和邻居交换整个路由表,之后更新增量,维护自身拓扑表,使用DUAL计算最佳路由,并且完成路由的收敛.

EIGRP使用IP协议ID88,多播地址224.0.0.10,mac地址01:00:5e:00:00:0a.

1. 邻居关系

RTP之间有5种消息包 1. Hello 2. Request 3. Update 4. Query 5. Reply,接收到消息都需要发送ACK包响应,除了Hello和ACK.没有响应重传,16次重传无响应就会重置邻居关系.

有三个定时器:1. Hello 2. hold 3. active.在hold定时器时间范围内每hello定时器发送的hello包得到响应则保持邻居关系.activate见DUAL.

EIGRP区分不同路由器的ID称为RID(router id),EIGRP进程会尝试与另一个在同一子网下使用EIGRP的路由器建立邻居关系,需要认证匹配,,并且处于同一自洽系统号,然后使用名为RTP(可靠传输协议)的协议发送路由更新(整个路由表),一般来说,第一次是完整的路由更新,之后会是部分路由更新.同一自洽系统度量值K 值应该相同.

2. 拓扑表

拓扑表包含网络前缀,EIGRP邻居,RD和跳数,度量相关(负载,可靠性,总时延,最小带宽).例如:

P 10.12.1.0/24,1 successors, FD is 2816
   via Connected, GigabitEthernet0/3

或 via 10.14.1.4(5376/2616), GigabitEthernet0/2

• P代表Passive,表明结构稳定,不然为Active.
• 1 successors表示到达该子网有一个后继路由,即后面的via条数.
• 10.14.1(5376/2616)表示到10.14.1.4的Total Distance/Feasible Distance(RD)
• GigabitEthernet0/2是自己的接口

3. 度量值

EIGRP的度量值使用链路的最小带宽和累计延迟做参数,最小带宽和延迟会由通告的消息和自身设备权衡后得出.IOS不会根据物理带宽去计算,所以广域网链路的带宽需要手动设置,局域网可以默认,效果比较好.

修改bandwidth会影响所有使用bandwidth的协议,修改delay只会影响EIGRP中的总时延项.

度量=常数*[(K_1*\frac{10^7}{最小带宽}+\frac {\frac {10^7} {k_2*最小带宽} } {256-负载}+K_3*总时延+K_6*拓展属性)*\frac{K_5} {(K_4+可靠性)}]

当非宽度量模式时,$常数=256$,为宽度量时,$常数=65535$.当$K_1$,$K_3$为1,$K_2$,$K_4$,$K_5$,$K_6$为0时,满足

度量=256*\frac {10^7} {最小带宽}+\frac {总时延} {10}

宽度量适用于带宽大于10gbps的情况.后向兼容的.

4. DUAL

自身对某一特定子网的度量值叫做FD(可行距离),而可以到达该子网的邻居报告的其自身的FD称为RD,当RD小于FD时,报告RD的邻居即为该子网的feasible successor.当没有feasible successor时,会通过DUAL(弥散更新算法)查询那些不是feasible successor的邻居是否可行.feasible successor中FD最小的为successor,即装入路由表中中的路由.(reported distance is to report your feasible distance)

(这个方法很巧妙,无论最简单的环还是复杂的环,其本质也是通过某个节点通过某种路径指向了自身,而FD相当于RD+自身,此处的+可以理解为加上了到自身端口的延迟和开销.

当路由器发现某条链路出现故障时,有feasible successor,选择度量值最小的作为successor,并向路由下游邻居发送新的度量值更新包,收到更新包的路由器也递归的执行自己的DUAL. 如果没有feasible successor:

1. 拓扑表中的该路由将会变为主动状态
2. 受影响路由器会发送query包给邻居,query包是时延字段无穷大.
3. 1. 收到查询包,如果查询包来自(该查询包查询的路由)的successor邻居,那么说明(该查询包查询的路由)不可达,自身也会发送查询包给该路由下游邻居.
   2. 如果查询包不是来自被查询路由的后继,那么发送应答包,应答该路由不可达或可达路由.
4. 当收到自己发送的所有查询包对应的应答包时,完成DUAL,将路由变更为Passive状态.向上游发送应答.

当DUAL过程卡住超过Active计时器一半时间时,称为SIA(Stuck-in-Active),会向邻居发送SIA查询信息,邻居必须在Active计时器一半时间响应,否则视为邻居对来自该邻居的所有路由均返回不可达消息.

路由汇总

路由汇总EIGRP会默认安装一条丢弃路由防止路由环回.

汇总度量使用的是被汇总路由中最低的度量值.

EIGRP自动汇总在IOS 15以前自动开启,会自动汇总有类网络.实际网络中,大多不使用.

末梢路由器 and 末梢站点

当企业将路由器通过ISP接入互联网时,希望自己的路由器路由的是自己LAN中的流量,不会通过WAN口去进行路由,就需要设置末梢路由器或站点.

EIGRP末梢路由器不会宣告从其他EIGRP对等体学到的路由,默认仅宣告直连和汇总路由.可以配置仅接受或宣告重分发,直连或汇总的任意组合.

EIGRP末梢站点会向WAN口的对等体宣告LAN口上学到的路由.

路由控制

路由信息

graph LR

邻居-->入站分发列表-->DUAL-->出站分发列表-->另一个邻居
DUAL-->RIB

EIGRP可以在路由接受或宣告时使用ACL,IP前缀列表,路由映射,或网关ip地址进行匹配过滤.

EIGRP可以使用度量值偏移列表引导流量,即为满足匹配的路由度量值添加偏移量.

水平分割

不会宣告路由给路由的来源,称为水平分割.EIGRP默认启用,但在不支持全网状连接的接入介质中,必须禁用水平分割.如DMVPN(所有路由来源都是vpn隧道接口),L2VPN,帧中继.

配置

EIGRP的配置分为传统配置模式和命名配置模式.命名配置模式支持更多新特性.命名配置模式有三个层级:地址簇子模式,接口子模式和拓扑结构子模式.

• 命名配置模式

  • 创建进程
    1. router eigrp process-name
    2. (!可选) eigrp router-id RID
    3. address-family {ipv4|ipv6} {unicast|vrf vrf-name} autonomous-system as-number(!地址簇子模式)
       • network network mask
       • (!末梢路由器)eigrp stub [{connected|recive-only|redistuibuted|static|summary}] (!一般不使用可选项)
       • (!末梢站点)eigrp stub-site as-num:identifier(!as-num:identifier在站内设备上相同)(!先在接口子模式上启用末梢站点)
       • (!路由重分发默认度量)default-metric band-width delay reliability load mtu
       • no auto-summary
       • exit-address-family
  • 拓扑结构子模式
    1. topology base(!创建)
       1. (!可选)metric weights TOS(!始终为0) K1 K2 K3 K4 K5 K6(!K6宽度量模式)
       2. (!可选)maximum-paths number(!设置等价开销路由数)
       3. (!可选)variance multiplier(!设置等价开销路由距离容忍倍数,例如RD<最佳RD*multiplier的可行会加入负载均衡中)
       4. (!可选)timers active-time mins(!修改active定时器)
       5. (!路由过滤)distribute-list {acl-number|acl-name|prefix prefix-list-name|route-map route-map-name|gateway prefix-list-name} {in|out} [interface-id]
       6. (!度量值偏移)offset-list offset-value {acl-number|acl-name} {in|out} offset[interface-id]
       7. exit-af-topology(!退出)
  • 接口子模式
    • af-interface {interface-id|default}(!default上意味着所有接口的默认设置)
      • (!被动接口) passive interface
      • (!路由汇总)summary-address network mask [leak-map route-map-name(!???)] (!汇总路由,不能在default上用)
      • (!设置EIGRP协议占最大带宽)bandwidth-percent percentage
      • (!禁用水平分割)no ip split-horizon
      • (!末梢站点)stub-site wan-interface
      • (!接口时延)delay delay
      • 启用认证
        1. authentication key-chain eigrp chian-name
        2. authentication mode {md5|hmacsha-256 password}
      • 定时器
        • hello-internal seconds(!默认为5s,低速接口上是60s)
        • hold-time seconds(!默认是hello定时器的3倍)

• 传统配置模式:

  1. router eigrp ASN(!自洽系统号)
  2. (!可选) eigrp router-id RID
  3. (!可选) timers active-time mins
  4. network ip-address {wildcard-mask|}(!留空时默认网络类级别掩码,其他和OSPF相同)
  5. (!可选)eigrp router-id value (!设置EIGRP路由器ID)
  6. (!可选)maximum-paths number(!设置等价开销路由数)
  7. (!可选)variance multiplier(!设置等价开销路由距离容忍倍数,例如RD<最佳RD*multiplier的可行会加入负载均衡中)
  8. (!可选)no auto-summary(!ipv4中自动路由汇总)(!实际网络中,大多不使用)(!default on)
  9. (!路由汇总)ip summary-address eigrp as-num network mask [leak-map route-map-name]
  10. (!可选)metric weights TOS(!始终为0) K1 K2 K3 K4 K5
  11. (!末梢站点)eigrp stub [{connected|recive-only|redistuibuted|static|summary}]
  12. (!路由过滤)distribute-list {acl-number|acl-name|prefix prefix-list-name|route-map route-map-name|gateway prefix-list-name} {in|out} [interface-id]
  13. (!度量值偏移)offset-list offset-value {acl-number|acl-name} {in|out} offset[interface-id]
  • 接口模式:
    • (!被动接口)passive-interface default(!设置为被动接口,不会建立邻居关系)
    • (!认证)ip authentication key-chain eigrp as-num chian-name
    • (!认证)ip authentication mode eigrp as-num md5
    • (!hello定时器)ip hello-internal eigrp as-number seconds(!默认为5s,低速接口上是60s)
    • (!保持定时器)ip hold-time eigrp as-number seconds(!默认是hello定时器的3倍)
    • (!设置EIGRP协议占最大带宽)ip bandwidth-percent eigrp as-num percentage
    • (!禁用水平分割)no ip split-horizon eigrp as-num
    • (!接口时延)delay delay

• 认证 认证需要先创建一个密钥链,然后在接口上启用

  • 创建密钥链
    1. key chain chain-name
    2. key key-num(!标识,num<2^32-1)
    3. key-string password

排错

EIGRP邻居关系无法建立可能因为

1. 接口中断
2. AS number:show ip protocols(!当有被动接口时也会显示被动接口)
3. network语句错误:show ip eigrp interfaces(!不会显示被动接口,所以应先检查被动接口)
4. K值:show ip protocols
5. 被动接口
6. 子网不同:show ip interface(!应该就可以(???))
7. 认证:
   1. show ip eigrp interface detail interface(!查看某接口上使用的认证参数)
   2. show key chain(!查看ID和密钥,要完全匹配才可以)
   3. debug eigrp packets(!查看邻居认证配置,(missing authentication)说明邻居未配置认证,(invalid authentication)说明不匹配)
8. ACL 过滤了224.0.0.10
   1. show ip interface interface(!查看接口使用的acl名称或标号)
   2. show access-lists {num|name}(!查看acl具体信息,注意acl默认末尾deny all)
9. 定时器,hello定时器不能大于另一方的hold定时器,不然会重复震荡

EIGRP路由故障可能

1. network语句错误
2. 更优的路由信息源:AD表
3. 路由过滤:
   1. show ip protocols(!查看是否有规则,什么规则被应用到了路由过滤)
   2. show {access-lists acl|ip prefix-list|route-map}
4. 末梢配置
5. 接口处于关闭
6. 水平分割:show ip interface interface [detail]

ipv6

组播地址为FF02::A.

ipv6没有有类网络,所以没有自动汇总.

show ip变为show ipv6

配置

命名配置模式: 地址簇选择ipv6 传统配置模式:

1. ipv6 router eigrp ASN
2. (!可选)eigrp router-id id
3. 进入接口
4. ipv6 eigrp ASN

BGP

BGP分为两类,iBGP(相同AS或BGP联盟路由器之间的会话)和eBGP(不同AS路由器之间的会话).

BGP使用AS_PATH防止路由路由环回,但在iBGP中不可行,iBGP TTL设置为255,从iBGP学到的路由只发送给eBGP,从eBGP学到的路由发送给iBGP和eBGP,所以在iBGP中各路由器需要使用多跳会话(如果需要)建立全网状连接.(最好使用静态配置邻居+IGP协议)

eBGP数据包TTL设置为1,禁止多跳会话,不应该使用LoopBack 0接口作为源接口.使用AS_PATH防止路由环回.

通信

BGP使用TCP协议port:179通信,本身就需要路由寻址,可以与多跳以外的路由器建立会话,称为多跳会话,多跳会话需要使用路由器RIB中的底层路由(静态或其他路由协议的路由).会话邻居也叫对等体.

消息分为4种:

1. OPEN
   1. BGP 版本
   2. ASN
   3. 保持定时器时间
   4. BGP RID:使用32bit数字作为BGP RID作标识.
2. KEEPALIVE
   1. 保持定时器时间1/3发送KEEPALIVE消息
3. UPDATE
   1. 更新路由,也可充当KEEPALIVE消息
4. NOTIFICATION
   1. 关闭BGP会话

定时器:

1. 邻居保持定时器:至少3s,会使用建立关系双方通告的较小值,设置为0禁用Keepalive功能.默认180s.
2. 连接重试定时器

邻居关系有6个状态:

flowchart LR;

Idle(("Idle(空闲)"))-->Idle;
Idle<--发送TCP连接-->Connect(Connect);
Connect-->Connect;
Connect<--连接重试定时器超时-->Active;
Connect--握手成功-->a[Open Sent];
Active-->Idle;
Active-->Active;
Active--握手成功-->a[Open Sent];
a[Open Sent]--TCP连接关闭-->Active;
a[Open Sent]--比对不成功,发送NOTIFICATION-->Idle;
a[Open Sent]<--比对成功-->b[Open Confirm];
b[Open Confirm]-->b[Open Confirm];
b[Open Confirm]--NOTIFICATION-->Idle;
b[Open Confirm]--KEEPALIVE-->Established(((Established)));
Established-->Idle;
Established-->Established;

Open-sent比对信息

1. bgp 版本
2. open消息源ip=配置中邻居ip
3. open消息asn=配置中邻居asn
4. BGP RID唯一
5. 安全参数

路径属性

每条路径都关联PA(Path Attribute),PA有四种:

• Well-known Mandatory(周知强制属性)
  1. AS-PATH:经过的AS路径,如果自己的ASN在其中,说明产生环路.
• Well-konwn Discretionary(周知自选属性)
• Optional Transitive(可选传递属性)
• Optional NonTransitive(可选非传递属性) 所有BGP必须支持周知强制和周知自选,宣告的路径前缀必须包含周知强制.

可选非传递属性只在相邻的AS之间或本地AS之内有意义.

NLRI

NLRI(Network Layer Reachability Information,网络层可达性信息)由网络前缀,前缀长度,和特定路由的BGP PA组成.

BGP有3张表:

1. Adj-RIB-in:原始信息的NLRI,处理即清除
2. Loc-RIB:通过了有效性和下一跳检查后的NLRI.向路由表提供路由.
   1. 通过show bgp afi safi network查看特定网络的路由
3. Adj-RIB-out:处理了出站策略的NLRI
   1. show bgp afi safi neighbors ip advertised-routes

graph TB

Adj-RIB-in-->入站策略
入站策略-->Loc-RIB
network语句检查直连,静态路由或路由协议的路由-->RIB检查
RIB检查-->Loc-RIB
Loc-RIB-->下一跳检查
下一跳检查-->确定BGP最佳路径
确定BGP最佳路径-->安装到RIB
确定BGP最佳路径-->出站策略
出站策略-->Adj-RIB-out

入站和出站策略

1. 分发列表:根据标准或拓展ACL过滤
2. 前缀列表:前缀匹配规范列表
3. AS_PATH ACL:正则表达式过滤AS_PATH
   1. (!创建)ip as-path access-list acl-number {deny|permit} regex-query(!末尾包含一条隐式拒绝命令)
4. 路由映射:根据前缀属性条件匹配,修改(功能最强大)

使用路由控制技术之后一般需要刷新BGP会话后生效,分为硬重置和软重置.硬重置会关闭会话并从BGP对等体删除路由.软重置会使BGP缓存无效重新请求.

BGP拓扑

graph LR
A<--eBGP-->B
B<--iBGP-->C
C<--eBGP-->D

如果使用默认设置,A,D互相通告的网络将无法通过有效性检查,因为B不知道CD网段的路由,C不知道AB网段的路由,所以A,D没有对方网络的路由.

解决措施:

1. IGP宣告(由于跨AS,最好使用被动接口)
2. 使用network语句宣告到BGP中(???)
3. 下一跳控制

RR and 联盟

全网状连接拓展性差,引入路由反射器和联盟.负责反射路由的路由器称为RR(Route Reflector),被反射iBGP对等体的称为RR client(RR客户端),不被反射的iBGP对等体叫非RR客户端.有三条规则:

1. RR从非RR客户端收到NLRI,宣告给RR客户端,不会将NLRI宣告给非RR客户端.
2. 从RR客户端或eBGP对等体收到NLRI,发送给RR客户端和非RR客户端.

联盟是在AS内部再划分sub-AS,使内部建立eBGP会话,eBGP有AS-Path防止环回.通常使用私有ASN(64512-65535或4,200,000,000-4,294,967,294).除了防止路由环回外,整个AS内(sub-AS集合)其他行为(RR,MED,LOCAL_PREF)都像是iBGP一样.

联盟配置

1. router bgp as-number(!这个AS为私有sub-AS)
2. bgp confederation indentifier as-number(!这个AS为真实AS)
3. bgp confederation peers member-asn(!联盟AS内sub-AS外ebgp邻居的asn)

MPBGP

支持ipv6,MPLS,DMVPN,L3VPN等多协议

ipv6需要启用地址簇外,如只使用ipv6(真的会出现吗)需要显式配置RID

ipv6 over ipv4

1. 启用可用的ipv4配置和一般的ipv6配置
2. 建立ipv6邻居关系后,使用route-map映射手动设置下一跳ipv6地址.(???)

团体

团体是一种路由的可选传递属性(PA),32bit.用以标记路由和修改BGP路由策略.有4种全局团体,支持团体功能的路由器必须支持:

• Internet
• No_Advertise:不宣告给任何对等体
• No_Export:不宣告给任何eBGP对等体,但会跨越联盟(sub-AS)
• Local_AS:只在AS或sub-AS内宣告,不能跨越联盟.

团体的条件匹配:在route-map里,需要先使用 ip community-list {1-500|standard list-name|expanded listname} {permit|deny} community-pattern,然后在route-map里使用match community 1-500引用团体列表

set community bgp-community [additive(!不覆盖原有的团体)] 为某些路由设置私有团体

BGP communities are not advertised between iBGP neighbors by default.

good example

称为BGP汇总.

graph TB

A--100.64.1.0/24-->B
A--100.64.0.0/16-->B
C--100.64.2.0/24-->B
C--100.64.0.0/16-->B

BGP最佳路径

1. 权重高:Cisco定义的本地属性,在路由映射中set weight weight设置匹配前缀的权重.只在本地路由器有意义.默认为0.
2. LOCAL_PREF(本地优先级)高:周知自选属性,默认值100,0~2^32-1,只对iBGP宣告,不会宣告给eBGP.在路由映射中使用set local-prefrence preference为特定路由设置.在本地AS内有意义.
3. 本地路由器生成的
   1. 本地宣告的路由(在Loc-RIB中下一跳为0.0.0.0且标记为i)
   2. 本地聚合的路由(在Loc-RIB中下一跳为0.0.0.0且标记为?)
   3. 从BGP对等体收到的路由
4. AIGP(Accumulated IGP)度量小:可选非传递属性,在相邻的AS间有意义.路由映射中的命令:set aigp-metric {igp-metric|metric}(!igp-metric将特定路由的aigp度量设置为igp度量),aigp度量计算是递归的
   1. 有aigp的度量优于无aigp的度量
5. AS_PATH短:asset视为一个as_path.
6. 路由来源优:周知强制属性.在路由映射中使用set origin {igp|incomplete}设置.
   1. IGP(标记为'i'):使用network语句宣告的网络的路由
   2. BGP
   3. 不完整路由(标记为'?'):被IGP重分发到BGP的路由
7. MED小:可选非传递属性,在相邻的AS间有意义.默认值为0.在路由映射中可以使用set metric metric设置.
   1. 始终比较med值:忽略AS_PATH,始终比较med
   2. BGP确定性med:将相同AS_PATH分为一类,每类比较MED取最优,再把每一类的最优比较MED取最优.
8. eBGP路径优于iBGP路径
   1. eBGP对等体
   2. 联盟成员AS对等体
   3. iBGP对等体
9. 最小IGP度量:多个iBGP邻居宣告相同路由,选择igp度量值最低的
10. 对eBGP而言,选最早的
11. BGP对等体RID最小:如果是RR宣告的度量,就用ORIGINATOR_ID替换RID
12. 最小cluster_list长度:可选非传递属性,不会在AS之间宣告.as内的as_path.
13. BGP邻居IP地址最小:仅限于iBGP对等体.

未被选择的路由继续存放在Loc-RIB中.

等价多路径

最佳路径和其他路径必须在以下属性相匹配:

1. 权重
2. 本地优先级
3. AS_PATH长度
4. AS_PATH内容(联盟内容可以不同)
5. 路由来源
6. MED
7. 如果来源是BGP,必须同为iBGP或eBGP.
8. 如果来源为iBGP,则还有igp度量 才可以成为等价多路径,安装到RIB里

配置

配置模式:

1. router bgp as-number

   1. (!med默认为2^32-1)bgp bestpath med missing-as-worst(!应该在AS所有节点布置此命令)
   2. (!med默认值)default-metric metric
   3. (!始终比较med)bgp always-compare-med
   4. (!确定性med)bgp deterministic-med
   5. (!RID)bgp router-id id
   6. (!禁止ipv4地址簇自动激活)no bgp default ipv4-unicast
   7. neighbor ip remote-as as-num
      1. (!源ip)neighbor ip updatesource interface
      2. (!认证)neighbor ip password
      3. (!定时器)neighbor ip timers keepalive holdtime [minimum-holdtime]
      4. (!修改跳数)neighbor ip ebgp-multihop [TTL]
   8. address-family {ipv4|ipv6|vpnv4} {unicast|multicast} (!默认启用ipv4,使用no bgp default ipv4-unicast禁用)
      1. neighbor ip activate(if use 'no bgp default ipv4-unicast',it's compulsory)
      2. network mask subnet-mask [route-map map-name] (!标识要安装在Loc-RIB的网络前缀(重分发到BGP的路由不需要network指定))
      3. neighbor ip next-hop-self [all(!修改iBGP前缀下一跳ip)] (!需要在iBGP上设置,收到的eBGP通告下一跳将变为自身)
      4. (!RR)neighbor ip route-reflector-client
      5. (!路由汇总)aggregate-address {ip mask|prefix} [summary-only(!抑制原始组件网络宣告,并且会去掉之前的AS_PATH,新增原子聚合属性,表示该路由出现路径属性丢失,一般都要使用)] [as-set(!保留被聚合前的AS_PATH在AS_PATH的AS_SET字段,一般都不使用)] (!路由汇总总是被宣告,即使网络不可达)
      6. (!distribute list)neighbor ip {distribute-list num/name|distribute-list num/name|filter-list acl-number|router-map map-name} {in|out}
      7. (!BGP团体宣告)neighbor ip send-community [standard(!默认)|extended|both]
      8. (!最大前缀数量)neighbor ip maximum-prefix prefix-count [warning-percentage] [restart time] [warning-only(!默认关闭BGP会话,使用warning-only改为生成告警消息)]
      9. (!最佳路径)neighbor ip {weight weight(!权重)|local-preference preference(!本地优先级)}
      10. (!默认本地优先级)bgp default loacl-preference preference(!???)
      11. (!为邻居启用AIGP)neighbor ip aigp
      12. (!等价多路径)maximum-paths [ibgp] number-paths
      13. (!服务端和客户端)neighbor ip transport connection-mode {passive(!服务端)|active(!客户端)}
      14. (!终止私有ASN)neighbor ip remove-private-as

2. clear ip bgp {ip-address|*} [soft] [in|out]

BGP更新组

通过Peer Group将BGP对等体放到不同的BGP更新组,使其拥有相同的出站策略.对等体组必须同为iBGP或eBGP.

通过neighbor group-name peer-group定义对等体组,使用neighbor ip peer-group group-name关联BGP对等体和对等体组.使用peer-group group-name代替neighbor ip进行配置.

激活对等体只能使用neighbor ip activate.

BGP会默认为每个邻居生成每条路由的更新消息,会极大的消耗cpu,内存资源.使用BGP对等体组可以节约这些资源.

对等体模板

模板可继承,子覆盖父 template peer-session template-name template peer-policy template-name

inherit peer-session template-name sequence inherit peer-policy template-name sequence

排错

检查日志文件.

1. 邻居关系 show bgp ipv4 unicast neighbor [summary]
   1. 通过默认路由到达邻居
   2. 接口中断
      1. show ip interface brief
   3. 三层连接中断
      1. ping neighbor source source
   4. 邻居没有到达本地路由器的路径
   5. neighbor语句错误
      1. 如果as错误,会在active和idle之间切换
   6. ACL:TCP 179端口
      1. (!查看端口)show bgp ipv4 unicast neighbor
   7. TTL到期
      1. ebgp ttl只有1跳
      2. traceroute确定跳数
   8. 认证参数不匹配
      1. 处于Idle状态
   9. 对等体组配置错误
   10. 定时器
       1. 定时器无需匹配,会话会选择最小的定时器设置.但如果设置了最小保持时间,定时器最小值须大于等于最小保持时间
2. 路由故障 show bgp ipv4 unicast(!查看BGP路由,下一跳不为0.0.0.0时说明是从BGP对等体收到的,不然则是重分发(?),network语句(i),或summary(i))
   1. network语句错误
      1. BGP network语句宣告的网络必须位于路由表并且来源于其他路由信息源(直连,静态,或其他路由协议),mask必须完全匹配.
   2. 下一跳不可达
      1. 当路由的下一跳不可达,BGP路由也不会出现在路由表中.
      2. ping
   3. iBGP水平分割:BGP不会宣告从iBGP那里学来的路由
      1. 全网状连接
      2. RR
      3. 联盟
   4. 更优的路由
   5. 路由过滤
      1. show bgp ipv4 unicast(!查看BGP Loc-RIB是否存在某路由)
      2. show bgp ipv4 unicast neighbors ip advertisee-routes(!查看某邻居是否宣告了某路由)
      3. show ip protocols(!查看被应用的路由过滤器)
      4. show bgp ipv4 neighbors ip | include prefix|filter|Route map
3. 路径选择
   1. 非必要不使用debug
   2. debug ip routing
   3. debug ip bgp
   4. debug ip bgp update
4. ipv6
5. MP-BGP

redistribute

路由重分发负责将路由从一种路由协议进程注入另一种路由协议进程,路由只会从路由表进入路由信息库. (当路由不在路由表中,就无法进行重分发操作)

• 重分发是非传递的,被重分发到某个路由协议的路由不会再被重分发.(全网状重分发:))
• 被重分发的路由必须位于RIB中.

路由重分发点称为边界路由器.

配置

强制选项:在特定情况下必须使用的选项,不使用会导致重分发无法进行

router {eigrp|ospf|bgp} {as|process}

1. EIGRP
   1. assress-family {ipv4|ipv6} [vrf vrf-name]
      1. redistribute source-protocol [metric bandwidth delay reliability load mtu] (!强制选项) [route-map route-map-name] [include-connected(!ipv6时)]
   2. EIGRP到EIGRP的重分发会保留路径度量
2. OSPF
   1. redistribute source-protocol [subnets(!强制选项)] [metric metric] [metric-type {1|2}] [nssa-only] [tag 0-4294967295] [route-map route-map-name] [include-connected(!强制选项)]
   2. OSPF重分发到OSPF会保留路径度量
3. BGP
   1. [bgp redistribute-internal]
   2. redistribute {connected|static|eigrp as-number|ospf process-id[match {internal(!默认值)|external [1|2] (!一般match internal external 2)}]|bgp as-number} [route-map route-map-name]

(优先级:路由映射中>redistribute>default-metric)

排错

网络应该至少存在两个重分发点.

次优路由的问题需要能正确设置默认种子度量.

AD值低的协议重分发到AD高的协议时,如果存在两个以上边界路由器,要小心流量黑洞(例如EIGRP external->OSPF或当iBGP作为源),可以使用distance命令设置AD值.

始终不应该将被重分发的路由再次重分发到原始路由域中,最好的办法是设置路由标签(tag).使用route-map deny被打上某些标签的路由.

show {ip|ipv6} protocols(!显示重分发源)

路由过滤

条件匹配有ACL和前缀列表.路由映射.

ACL

IP ACL是通过识别数据包,执行某些操作的功能.可以用来过滤ip数据包,不会对帧生效,也无法应用与switchport或没有分配ip的路由端口上,出方向的ACL不能对路由器自己产生的数据包生效.ACL中的一项称为ACE(access control entry).

主要有三点:ACL的位置和方向,匹配模式,匹配行为.每个ip ACL默认有一条deny all.ACL是队列式匹配,先设先匹.

标准ACL只能匹配源ip地址,标号1-99和1300–1999,拓展ACL还可以匹配目的ip,协议,端口,TOS(type of service,服务类别,见Qos)等别的报头信息.拓展ACL匹配ip需要使用host关键字.分配在route port上的称为RACL,在switch port上的称为PACL(only supported only in hardware,and only support inbound traffic filter),在VLAN上的称为VACL.

• 将拓展ACL放在离源近的位置
• 标准ASL放在离目的更近的位置
• 变更ACL前,禁用ACL
• 更精确的ACL在前面

特殊ip:

• 224.0.0.9:520(UDP)(RIPv2)
• 224.0.0.5,224.0.0.6(ospf)
• 224.0.0.10(EIGRP)

在某些情况:拓展ACL的匹配行为会不同:

• 在匹配IGP网络时,源地址标识网络,目的标识网络区间允许的最小前缀长度. {permit|deny} protocol host source(!标识子网地址) host destination (!标识最小前缀长度)

• 在匹配BGP网络时,会像前缀匹配一样匹配ip地址和子网掩码. {permit|deny} protocol source source-wildcard(!两者一起匹配ip地址) destination destination-wildcard(!两者一起匹配子网掩码)

在非插入的情况下,最好不指定序列号,序列号会自动递增10.

interaction

bridged traffic processing order:

1. inbound PACL
2. inbound VACL
3. outbound VACL

routed traffic processing order

1. inbound PACL
2. inbound VACL
3. inbound ACL
4. outbound ACL
5. outbound VACL

配置

配置模式:

• access-list {1-99|1300-1999} {permit|deny} {ip source-wildcard(!默认为0.0.0.0)|any} (!source-wildcard中二进制为1的数可以忽略,即数据包ip(packet-ip&ip)|source-wildcard为全1时表示匹配这条ACL规则,所以当source-wildcard为全0时需要packet-ip完全等于ip).

匹配某一子网时,source-wildcard=255.255.255.255-子网对应的掩码,同理,该子网最大范围为子网ip+source-wildcard

• access-list {100-199|2000-2699} {permit|deny} protocol source-IP [source-port] dest-IP [dst-port] protocol:{ip|tcp|udp|icmp|...} IP都是ip {wc-mask(!默认为0.0.0.0)| }的格式,端口使用eq,lt,ne,gt,range x to y关键字.

(上面两种方式配置的ACL无法删除特定ACE)

1. 标准:
   1. ip access-list standard {acl-number|name}(!进入命名ACL配置模式,之后无论标准还是拓展,都从{permit|deny}开始)
   2. [sequence] {permit|deny} source source-wildcard
2. 拓展:
   1. ip access-list extended {acl-number|name}
   2. [sequence] {permit|deny} [protocol] source source-wildcard [source-port] destination destination-wildcard [dst-port] 应用于接口上:
3. 进入接口
4. (!ipv4)ip access-group {acl-number|name} {in|out}
5. (!ipv6)ip traffic-filter acl-number {in|out}

接口模式

• ip access-group group {in|out}(!在接口上以某方向启用某组ACL)
• no ip access-group(!禁用ACL)

VACL

1. vlan access-map name
2. match {ip address acl-number|acl-name}|{mac address acl-name}
3. action forward|drop|log
4. vlan filter name vlan-list(!such as 1,2-4,6)(!apply VACL)

ipv6

ipv6 ACL没有了标准和拓展之分,也没有了编号的概念(可以把只能匹配源和目的的叫做标准,可以匹配别的成为拓展),和ipv4的一样,默认规则集末尾是包含deny all的,但放行NS和NA消息,对于ACL规则来说,符合根据生产逐渐添加允许的数据包的场景.ipv6 ACL可匹配以下字段:

• 流量类别(DSCP)
• 流标签
• ipv6下一个头部标签和字段???
• 源和目的
• 上层头部细节:TCP,UDP端口号;TCP标签SYN,ACK,FIN,PUSH,URG,RST
• icmpv6类型和代码
• ipv6拓展头部和类型 ipv6对于icmpv6允许是必要的,因为路由的一部分是建立在NDP之上的,所以在末尾隐含允许icmp nd.

配置

• ipv6 access-list ACL名称 {permit | deny} 协议 源地址/源前缀长度 目标地址/目标前缀长度 源端口 目标端口 [参数选项]

前缀匹配

前缀列表用于识别特定ip地址,网络或网络区间.

前缀匹配结构包括高阶比特模式(也叫地址或网络)和高阶比特数(也叫掩码长度),一般其后带匹配长度参数.

例如:a.b.c.d/e ge/le f.代表a.b.c.d二进制前e位匹配.子网掩码ge/le f位.

配置

ip prefix-list name [seq sequence-number] {permit|deny} high-order-bit-pattern/high-order-bit-count [ge ge-value] [le le-value] (!高阶比特模式/高阶比特数 [匹配长度参数],要求:高阶比特数<ge-value<=le-value)

ipv6 prefix-list name [seq sequence-number] {permit|deny} high-order-bit-pattern/high-order-bit-count [ge ge-value] [le le-value]

在非插入的情况下,最好不指定序列号,序列号会自动递增5.

路由映射

路由映射包括 1. 序列号 2. 条件匹配规则(空则默认所有路由都匹配) 3. 处理操作 4. 可选操作

执行顺序为,依次匹配每个route-map中的条件匹配,如果匹配成功,则进行处理操作和可选操作,除非可选操作中有continue,不然停止;所有route-map都未匹配成功的执行隐含的处理操作deny(所以一般都要接一条空的permit route-map标识允许其余所有).

同一类型多个度量是or关系.多个条件匹配之间是and关系.

配置

route-map route-map-name [permit|deny] (!默认为permit) [sequence-number]

常用条件匹配选项:

1. match as-path acl-number
2. match community community-list(!bgp团体)
3. match interface interface
4. match ip address [acl-number|acl-name]
5. match {ip|ipv6} address prefix prefix-list-name
6. match local-preference(!???)
7. match metric {1-4294967295|external 1-4294967295} [+- deviation]
8. match source-protocol {bgp-asn|connected|eigrp asn|ospf process-id|static}
9. match tag tag-value

常用可选操作:

1. set操作:
   1. set as-path prepend {as-number-pattern|last-as 1-10}
   2. set ip next-hop {ip-address|peer-address self}
   3. set local-preference 0-4294967295
   4. set metric [+|-] value
   5. set origin {igp|incomplete}
   6. set tag tag-value
   7. set weight 0-65535
   8. set metric bandwidth delay reliability load mtu(!EIGRP覆盖种子度量)
2. continue(!不常使用)

PBR(Policy-Based Routing,条件转发)

根据数据包特征进行条件转发.(拓展性方面存在管理负担,缺乏网络智能,故障排查复杂!!!)

1. 协议类型(ICMP,TCP,UDP等)
2. 源IP,目的IP
3. 时延,链路速率,特定瞬时流量

配置

1. route-map route-map-name [permit|deny] [sequence-number]
2. 定义条件匹配规则
   1. match length minimum-length maximum-length(!定义数据包长度匹配)
   2. match ip address {acl-number|acl-name}
3. set ip [default] next-hop ip-address [...ip-address] (!设定default时,仅在RIB无目的地址时修改下一跳)
4. ip [local] policy router-map route-map-name(!设置local,对本地路由器生成的数据包生效)

object track

• track track-id ip route route reachability
• track track-id interface interface line-protocol
• show track [track-id]

FHRP

对第一跳路由增加冗余设计的协议,即有多个任务相同的路由器使用同一个虚拟ip地址,也可用于负载均衡.FHRP协议族包括HSRP(Hot standby redundancy protocols,Cisco proprietary),VRRP(Virtual Router Redundency Protocol),GLBP(Gateway Load Balancing Protocol).

HSRP

在HSRP中,优先级更高的路由器会成为活跃路由器,其他称为备份路由器.备份路由器会将自己的数据包路由到活跃路由器.当需要负载均衡时,可以让不同子网中的活跃路由器不同.Virtual address is configured on each HSRP-enabled interface that belongs to the same group,one of interfaces become active router.

如果没有设置抢占机制,当子网中已有一个活跃路由器时,新设置的路由器即使优先级更高也不会成为活跃路由器.

Its virtual MAC is 0000.0C07.ACxx

Default hello time and hold time:3s,10s

flowchart TB

initial--->learn
learn--->listen
listen--->speak
speak--->standby/active

HSRP配置

接口模式:

1. standby version 2(!版本需要相同)
2. standby instance-id ip virtual-ip(!VIP)
3. (!mac)standby instance-id mac-address mac-address
4. (!timers) standby instance-id timers {seconds|msec milliseconds}
5. (!authentication)standby instance-id authentication {text-password|text text-password|md5 {key-chain key-chain|key-string key-string} }
6. (!priority)standby instance-id priority num(!higher priority is preferd,then higher ip)(!100 by default)
7. (!name)standby instance-id name name
8. (!preempt)standby instance-id preempt(!抢占机制,默认no standby preempt)
9. (!track)standby instance-id track track-id decrement decrement-value(!setting preemtion first)
10. (!use bia)standby use-bia(!When you enable this command, the router uses its Burned-In Address (BIA), which is the unique MAC address physically assigned to the router’s network interface card (NIC), instead of the default virtual MAC address for HSRP.)

VRRP

operating similar to HSRP.

• master router and backup router.
• enables preemtion by default
• MAC use 0000.5e00.01xx(xx is group id in hex)
• using 224.0.0.18 for communication
• The TTL for VRRP packets must be 255(why???)
• only vrrpv3 support ipv6 in FHRPs

VRRP configure

vrrpv2:

1. vrrp instance-id ip virtual-ip(!VIP)
2. (!authentication)vrrp instance-id authentication {text-password|text text-password|md5 {key-chain key-chain|key-string key-string} }
3. (!可选)vrrp instance-id priority num(!higher priority is preferd,then higher ip)
4. (!track)vrrp instance-id track track-id decrement decrement-value(!setting preemtion first)

vrrpv3:

1. fhrp version vrrp v3
2. vrrp instance-id address-family {ipv4|ipv6}
   1. (!compatibility) vrrpv2
   2. address address
   3. priority num
   4. track track-id decrement decrement-value

GLBP

ensuring each member of GLBP group takes care of forwarding the traffic.

• AVG(active virtual gateway):replying to the ARP request with the virtual MAC of the AVF
• AVF(active virtual forwarder):receiving the virtual MAC address from AVG,then being assigned to a host

glbp supports four active ACFs and one AVG per group.A router can be an AVG and an AVF at the same time.

glbp configure

1. glbp instance-id ip virtual-ip
2. glbp instance-id preempt
3. glbp instance-id priority num
4. glbp instance-id timers {seconds|msec milliseconds}
5. glbp instance-id authentication {text-password|text text-password|md5 {key-chain key-chain|key-string key-string} }
6. (!enter interface configure)
   1. glbp instance-id load-balancing {host-dependent|round-robin|weighted}
   2. glbp instance-id weighting weight

排错

multicast

multicast provide one-to-many communication. 224.0.0.0/4(to 239.255.255.255)is for multicast addressing. rely on IGMP(Internet Group Management Protocol) and PIM(Protocol Independent Multicast).

IGMPv2 and v3

IGMP manages the joining, and leaving of multicast groups.

IGMP message's ip protocol number is 2, ttl is 1.

IGMPv3 can specify the source it would like to receive multiple traffic from for its membership report(join) by using include mode and exclude mode to filter the sources.

• type(8bit)
  • version3/2/1 membership report(called join too)
  • version2 leave group
  • general membership query,send to all hosts(224.0.0.1) to see any members are in the attached subnet.set group address to 0.0.0.0.
  • group specific query:response to a leave group message
• max response time(8bit)
• checksum(16bit)
• group address(32bit)

router with lowerst ip address is elected the IGMP Querier when more than one router is in the same LAN segment

IGMP snooping

IGMP snooping can let switch snoop IGMP report(join) message to adjust its mac address table for better multicast.

The switch listens for PIM or IGMP messages to identify which port is connected to the multicast router (mrouter) port.

IGMP membership report messages from hosts are used to identify the ports that have interested receivers.

ip to mac

mac=01005E+binary(0)+binary(ip)[-23:],the 8th bit is called I/G(individual/group)bit for the '01'.

PIM

multicast route protocol is to locate and request multicast streams from other routers,using ip protocol number 103,one of them is PIM

PIM distribution trees include source trees(also known as SPTs(shortest path trees)),and shared trees(also refered to as RPTs(rendezvous point trees),root named RP).

use (S(!server address),G(!group address)) to notate a source tree,and (*,G) to notate a share tree.Use notation on nodes of a tree.

• RPF(Reverse Path Forwarding) interface:the interface with lowest-cost path to the source.(SPT or RP).(if costs are equal,prefer higher ip)
• RPF neighbor:PIM neighbor on the RPF interface.
• Upstream/Incoming interface(IIF):flows from the receiver to the source,which is the same as RPF interface.
• Downstream/Outgoing interface(OIF):Away from the source of the tree and toward the receivers.
• LHR(last-hop router):attached to the receiver
• FHR(first-hop router):attached to the source
• MRIB(multicast RIB):contains S,G,IIF,OIFs,RPF neighbor
• MFIB(multicast FIB):
• Multicast state:composed of(S,G,IIF,OIF,and so on).

Dense mode(PIM-DM)

if a router has active receviers,the flooding tree continue to flood.If no receivers requested the multicast stream,the router sends a prune message which prunes off the branch.

prunes expire every three minutes.

not widely deployed.

Spare mode

1. receiver send an IGMP join to LHR
   1. LHR send a PIM join (*,G) to RP hop-by-hop,building a branch of the shared tree connecting RP with LHR
2. source sends a multicast packet
   1. FHR sends a unidirectional PIM register message,which encaptulates the multicast data in a PIM-SM message.
   2. RP will unicast a register stop message if there's no shared tree
   3. not so it will forwards the multicast packet down the shared tree
   4. RP send a PIM join (S,G) to FHR
   5. RP receives data down the SPT,RP sends a register stop to FHR
3. LHR receives a packet down the SPT and then the shared tree,it sends a (S,G) PIM join.
   1. if the SPT RPF differs from the RPT RPF,the LHR will receive duplicate multicast traffic,it will switch the RPF interface to the SPT RPF interface and send a (S,G) PIM prune message to the RP
4. when multiple routers exist in a lan,elect a DR.(like OSPF)
   1. higher priority is prefered(default 1)

RPF

packets need to arrive on the RPF interface(use to send unicast to the source for FHR,to the RP for the LHR),then are forwarded to OIF(interface in OIL),not so packets will be discarded.

RP

1. static need to configure on every router in the multicast domain
2. auto-RP(cisco proprietary)

   1. candidate RPs(C-RPs)

   2. RP mapping Agents(MAs)

   3. A C-RP advertise RP announcement message(higher ip is prefered)

      1. (per 60s,224.0.1.39,default group 224.0.0.0/4(con be configured))

   4. MAs join group 224.0.1.39 to receive the RP announcements.

   5. MAs advertise the RP mappings to 224.0.1.40.

      1. MA announcement contains elected RPs and group-to-RP mapping.
3. PIM Bootstrap Router
   1. highest priority and then highest ip C-BSR(candidate BSR) become BSR
   2. BSR floods BSMs(bootstrap message) hop-by-hop with address 224.0.0.13 and TTL of 1
   3. C-RP(candidate RP) unicast C-RP-Adv(candidate RP advertisement) to BSR after reveiving BSM and know the address of BSR
   4. BSR sends the list of all C-RP-Advs in its group-to-RP mapping cache per 60s.
   5. C-RPs use hashing algorithm to elect active RP.

PIM forwarder

When a specific (S,G) is received into its OIF,triggers the assert mechanism.

• router will send PIM assert message into the LAN,message is composed of its AD and metric.
• lower ad, then lower metric,then higher ip will remains,and the losing one prunes its interface.
• prunes remain three minutes on the losing router.

commonly used by PIM-DM,rarely by PIM-SM.

LAN

mac address-table reside in CAM(content addressable memory,faster ram)

几台pc通过一台交换机连接时,组成一个LAN.它们同属一个广播域(发送的所有消息会被所有同一广播域的设备接收).现在的各种链路都使用的是Ethernet(以太网标准).Ethernet规定了物理层和数据链路层的行为和标准,lan中定位使用MAC地址.

VLAN

交换机默认广播域为所有接口,可以通过设置vlan将特定某几个接口组成独立的广播域. 默认所有接口属于vlan 1. 正常范围11005,所有交换机可以正常使用,拓展范围10064094

vlan encapsulation only across trunk: TPID(Tag protocol identifier):16bit PCP(priority code point):3bit DEI(Drop eligible indicator):1bit,whether the packet can be dropped VLAN-id:12bit

配置

进入某个或某些接口:

1. switchport access vlan num
2. switchport mode access(!无1默认为native vlan)

语音vlan:

interface FastEthernet0/1 switchport access vlan 1 switchport voice vlan 1

trunk

802.1q.设置两台交换机,或一台交换机一台路由器之间,甚至一台服务器与交换机之间的接口为trunk,可以只用一条链路充当多个vlan之间的链路,可以使用DTP(Dynamic Trunking Protocol)协商.

native vlan穿越trunk不用添加头.(思科建议修改为一个没有主机连接交换机的???完全不用的vlan)

配置

接口模式:

1. switchport trunk encapsulation {dot1q|negotiate}
2. switchport mode {trunk|dynamic desirable(主动协商)|dynamic desirable auto(被动允许)}(!如果双方都是dynamic desirable,会在第一次配置的时候主动协商,但是可能会失败,最后只是access,最好有一者默认trunk)

• switchport trunk allowed vlan {[remove|add] vlan|none|all}(!不中继某些vlan)
• switchport trunk native vlan num

配置模式:

• vlan vlan-id

VTP

通告vlan配置的协议,每一次修改会增加vlan配置数据库的版本并同步到整个vtp域中.客户端不能对vlan配置

vtp修剪:trunk目的接口的所有vlan中没有某些vlan接口时过滤掉对应的vlan通告.配置在服务端.

配置

配置模式:

1. vtp mode {server|client|transparent(!透明,转发但不应用配置)|off(!禁用)}
2. vtp domain domain-name
3. vtp password passwordvalue
4. vtp pruning(vtp修剪)

交换机堆栈和机框汇聚

堆栈

将多台交换机使用堆栈接口(stacking port)通过FlexStack(-plus)组成一个逻辑交换机,一般用在接入层

机框汇聚(chassis aggregation)

使用以太网接口汇聚交换机,组成一个逻辑交换机,多用在分布层和核心层

STP, RSTP(rapid) and PVST

在设计Ethernet网络时,冗余是必要的.但二层的冗余可能导致产生环回,STP(802.1D)可以通过自动禁用某些端口解决环回问题.RSTP(802.1W)是更快速的STP,新增备份端口.PVST+(ieee in show command)是可以对不同vlan调整不同生成树的STP.rapid-pvst(rstp in show command)是使用rstp的pvst,cisco私有.mst(802.1S)是针对相似vlan只创建一个rstp实例.

BPDU

In STP,

• configuration BPDU:election(prefer low priority and then inferior mac)
• TCN BPDU

In RSTP, the BPDU type field distinguishes between RSTP BPDUs and the traditional STP BPDUs.

MST

Multiple Spanning Tree Protocol(MST) can compute 1 instance(MST instance) for one or multiple vlans(they share identical topology).MST instance 0 called IST runs on all interfaces of all swicths.

MST region is like a single switch for connected non-MST switch.

The MSTI topology is independent from the individual VLAN. It is a best practice to remove all VLANs that are part of the same MSTI when pruning is required.

配置

1. spanning-tree mode mst
2. spanning-tree mst instance-number {priority priority|root {primary|secondary} }
3. spanning-tree mst configuration
   1. instance instance-number vlan vlan-id
4. rivision version
5. name regio-name

Topology change

switch that detects a link status change sends a TCN(topology change notification).Upon receipt of the TCN,the root bridge sends a configuration BPDU with the topology change flag set. This flush out MAC addresses table for devices those have not communicated in 15s window when switch received TCN.

原理

先选举根交换机,再选举根端口,再在每个网段中选举指定端口.将拓扑结构中的图消去环变成树.

• 根开销:去往根交换机的开销总和,一台交换机BPDU消息中只有一个最小根开销,但各个端口的根开销不同
• 选举根网桥:prefer lower priority(32768 by default) and then mac address.
• 选举根端口(RP):lowest path cost and then lowest priority and the lowest mac.(cost is based on the link speed,priority is 128 by default)
• 选举指定端口(DP):not RP and lower path cost continue forward,then lower priority and mac switch continue forward.

configure

1. spanning-tree mode {pvst|rapid-pvst|mst}
2. spanning-tree vlan vlan-id {priority x|root primary|root secondary}(!x mod 4096 === 0)
3. interface interface
   1. spanning-tree [vlan vlan-id] cost x(!based on link speed by default)
   2. spanning-tree [vlan vlan-id] port-priority priority(!128 by default)

特性

1. EtherChannel(802.3AD)

多个物理链路视为同一逻辑链路,在逻辑链路上某一链路出问题时不需要STP收敛.也可用于负载均衡.

• PAgP:cisco proprietary
  • 0100:0CCCC:CCCC
• LACP
  • 0180:C200:0002

can set minimum and maxmum for 1 Etherchannel interface.

• LACP system priority choose which switch to be the primary switch for Etherchannel. Primary switch desides which interface to be active based on interface priority when more interfaces than maxmum.

2. PortFast

让端口从阻塞立刻过渡到转发状态,适用于与终端设备相连的接口

3. BPDU guard

在PortFast端口上,收到BPDU信息时,将端口禁用,保护stp安全

4.端口类型

为共享(share)则为半双工,为边缘(edge)则启用了portfast.

5. root guard

部署在指向永远也不会成为根桥的交换机的接口上.

6. bpdu filter

blocks BPDUs from being transmitted out a port.

7. loop guard

• When BPDUs are not received, the port moves to the BKN status (loop inconsistent) until BPDUs are received again.
• Loop guard is configured on root ports.

配置

接口模式:

• (!EtherChannel)
  1. channel-group number mode {on(!另一端只能为on)|desirable(!另一端可以为auto)(!use PAgP)|activate(!另一端可以为passive)(!use LACP)}
  2. (!在交换机的路由端口上时,物理和逻辑上都要使用)no switchport
• (!PortFast)
  • spanning-tree portfast [default|trunk]
• (!BPDU)
  • spanning-tree portfast bpduguard default
  • spanning-tree bpduguard {enable|disable}
• (!root guard)
  • spanning-tree guard root
• (!bpdu filter)
  • spanning-tree portfast bpdufilter default
  • spanning-tree bpdufilter enable
• (!problems with unidirectional links)
  1. stp loop guard
  2. udld ???

排错

• etherchannel points
  • configuration must match on the member interfaces.
    • port type
    • port mode
    • native vlan
    • allowed vlan
    • speed
    • duplex
    • mtu
    • load interval(???)
    • storm control
• etherchannel commands
  • show etherchannel summary
  • show interface port-channel num
  • show etherchannel port(!very detailed)
  • show {lacp|pagp} neighbor [detail]
  • show {lacp|pagp} counters

端口安全

允许某端口最多有多少个mac地址传入帧,如果违规执行定义的行为,默认是丢弃所有帧.

配置

配置模式:

1. switchport port-security
2. (!可选)switchport port-security maximum max-num
3. (!可选)switchport port-security violation {protect|restrict|shutdown}(!收到规定地址之外的帧时的动作,默认是关闭接口)
4. (!可选)switchport port-security mac-address mac-address(!允许的mac地址)
5. (!可选)switchport port-security macaddress sticky(!动态配置mac地址)
6. (!aging time)switchport port-security aging-time seconds

排错

• erase startup-config不能清楚数据库中的vlan配置,需要delete flash:vlan.dat
• vtp域要相同才能同步
• md5摘要相同(域名和密码)
• 加入新交换机,可以将交换机配置为transparent清除之前的记录,再配置为服务端或客户端
• show etherchannel summary

STP

1. 判断根交换机,根端口 show spanning-tree,show spanning-tree root查看根交换机
2. 计算根开销

3. 判断指定端口 根开销相等时判断BID,小者胜出

EtherChannel

• 关键字要匹配
• STP开销相等

Trunk

• vlan要匹配
• native vlan要匹配

其他

1. 路由器直连交换机可以在路由器上设子接口,子接口中分配ip和encapsulation,与其相连的交换机使用trunk.
2. 使用SVI(vlan虚拟接口)配置路由.相当于在每个vlan在交换机上有一个路由接口.但是不会默认配置路由协议,相当于只能在交换机有的vlan间路由.可以自己配置路由协议进行学习.(核心层和分布层)
3. 交换机也可以使用路由端口实现vlan间路由,此时这个物理端口在逻辑上就是一个路由器的端口一样使用.(点对点链路中使用)

配置

1. ROAS
   1. interface type num.num(!进入子接口)
   2. encapsulation {dot1q|negotiate} vlan num
   3. ip address ip mask
2. SVI
   1. sdm prefer lanbase-routing(!重启后分配更多资源给路由)
   2. (!可选,EXEC模式)reload
   3. ip routing(!启用ip路由)
   4. 进入需要配置的vlan接口
   5. ip address ip mask
   6. (!可选)no shutdown
3. no switchport
   1. 进入需要配置的接口
   2. no switchport
   3. ip address ip mask

Wireless

theory

• wave

  • frequency
    • hertz(Hz)
    • range as band
    • needed for the transmitted named bandwidth
    • RF(radio frequency):3kHz to 300GHz
  • phase
  • wavelength
  • RF Power

    • watts(W)

    • decibel(db):use logarithm to compare two wave's power

      Power change	db Value
      =	0db
      */2	+-3
      */10	+-10

      • dbm:dBm是指相对于1毫瓦（mW）的功率级别。它是一个绝对功率的度量标准。
        • 1 mW对应0 dBm，10 mW对应10 dBm。
      • dBi表示天线增益相对于理想各向同性天线（即在所有方向上均匀辐射能量的假想天线）的增益。
        • 例如，一个天线增益为5 dBi，意味着它比各向同性天线在最佳方向上强5 dB。
        • dBi=$dBd+2.15$
      • EIRP表示一个天线在其最大增益方向上辐射的等效功率。
        • Be regulated by government agencies in most countries
        • EIRP (dBm)=$发射功率 (dBm)+天线增益 (dBi)−馈线损耗 (dB)$
      • H plane:XY plane
      • E plane:XZ plane
      • beemwidth:the angular separation between the points in the main lobe that are down from the maximum gain by 3 dB.

    • FSPL(free space path loss)(db)=$20log_{10}(distance)+20log_{10}(frequency)+32.44$

      • the signal strength falls quickly near the transmitter but more slowly father more
      • The loss is a function of distance and frequency only

    • RSSI(received signal strength indicator):the power level of received signal should be greater than the sensitivity level of receiver.

      • be greater than the noise level
      • SNR(signal-to noise ratio,信噪比)(db):$NoiseFloor - RSSI$(higher is prefered)
      • recommended minimum SNR:20 for common,25 for voice
  • modulation.
    • frequency
    • phase
    • amptilude

  standard	2.4GHz?	5GHz?
  802.11b WiFi1	Yes	No
  802.11a WiFi2	No	Yes
  802.11g 3	Yes	No
  802.11n 4	Yes	Yes
  802.11ac 5	No	Yes
  802.11ax 6	Yes	Yes

  • 802.11会根据信号强度(距离影响强度)调整调频方式,获得不同的速率

vertical antenna need to match the receiver's antenna to make polarizations match.

pan'yu

infrastructure

• Autonomous APs:self-contained,each offering one or more fullly functional ,standalone BSSs(Basic service sets),connecting wireless SSIDs(service set identifiers,WLAN name) to wired VLAN.
• Lightweight:has to join a WLC(wireless LAN controller) to become fully functional.(cooperation named split-MAC architecture).An AP and a WLC are joined by a logical pair of CAPWAP tunnels.(every WLC can support maximum number of APs in use)
  • modes:
    • Local:offer BSSs
    • FlexConnect:forwarding data normally with or without CAPWAP tunnel connected to the WLC
    • Monitor:Its receiver acts as a dedicated sensor.In this mode, the AP continuously scans all channels for rogue devices and other wireless issues, but it does not provide any client services.
    • Sniffer:Receive 802.11 traffic from other sources,forwarding to a PC.It does not provide client services.
    • Rouge detector:This mode is used to detect rogue devices by listening for MAC addresses and comparing them against a known list. It does not provide client services.
    • Bridge:bridge between two networks
    • Flex+Bridge
    • SE-Connect:analyze wireless channels
  • deployments
    • Centrsllized wireless deployment:one large WLC
      • The RTT(round trip time) between an AP and a WLC should be less than 100ms
      • AP must operate in FlexConnect with a public Cloud WLC(means far)
        • cloud-based controller
      • 6000-64000 Aps
    • Distributed wireless deployment:many smaller WLC
      • 200-5000 APs
    • EWC(embedded wireless controller):regular APs that also run WLC software
      • controller-less deployment:100-200 APs

wlc modes(???):

• master controller mode:All new APs that join the WLAN are assigned to the master controller

AP states

flowchart TB

b[AP boots up]-->d[WLC discover]
d-->t[CAPWAP Tunnel]
t-->j[WLC join]
j-->dj[Download image]
dj-->df[Download config]
df-->r[run]
r-.->Reset

• WLC discover to build a list of candidates
  1. broadcast to the localnet
     • relay broadcast requests on UDP port 5246 to specific
       1. ip forward-protocol udp 5246
       2. interface vlan vlan
       3. ip helper-address WLC-address
  2. unicast CAPWAP Discover Request to a controller's IP over UDP port 5246 with nonvolatile memory
  3. DHCP server suggest a list of WLC addresses with DHCP option 43.
     1. option 43 hex f104.Convert each octet to hexadecimal(!example:convert 172.16.50.5 to AC10.3205)
  4. DNS request with the name CISCO-CAPWAP-CONTROLLER.localdomain
  5. reset
• select a WLC
  1. previouslt joined or been configured or primed with a primary,secondary and tertiary controller
  2. master controller
  3. least-loaded WLC

wireless configure

legacy:group APs into logical AP groups sharing a common set of WLAN and RF parameters

current:

• default-site-tags
  • AP profile:local mode
  • Flex profile
• defualt-rf-tags
  • 2.4G
  • 5G
  • 6G
• default-policy-tags
  • WLAN profile
  • Policy profile

alsso can assign the appropriate tags to the APs.

high availability with stateful switchover redundency.

roam and locate

roam between Autonomous APs:

• For the client,when client find the signal degrade and look for a stronger signal,reassociation with the new AP
• For the APs,old AP's association was canceled and new AP's association is established

roam between lightweights:For the client,it's same as roaming between autonomous APs

• Intracontroller roaming:WLC just modifies its database
  • 10ms
• Intercontroller roaming:between different WLC's APs
  • Layer 2 roaming:if the old and new WLCs are in the same vlan,the old WLC delete the association and the new WLC create an association
    • client can maintain its ip
    • 20ms
  • Layer 3 roaming:if the old and new WLCs are in different vlans,the anchor controller(original WLC) will build a new CAPWAP tunnel with the foreign controller(new WLC).The tunnel tethers the client to its original anchor controller and original IP subnet.
    • can configure a controller to be a static anchor controller for a WLAN

With the client reassociation,some problems will bring out

• DHCP
• Client authentication
  • CCKM(Cisco Centrolized Key Management):controller maintains a database of clients and keys.require CCX(Cisco Compatible Extension) from clients
  • Key caching:client maintains a list of key used with prior AP associations
  • 802.11r:client cache a portion of authentication server's key to future APs,also QoS parameters (ALL stategies requires help on client)

roam domain

one roam(up to 72 groups) can have many groups(up to 24 WLCs).if two WLCs are in the same group:

• fast roam
• CCKM
• key caching
• 802.11r
• All controllers must be configured with the same virtual interface IP address in the same Mobility Group.

if not in the same group but in the same domain:

• roam

locate

by the circles of RSS(received signal strength)

RF fingerprinting:reprents mapped area's contruction

in real-time map,green dots means associated devices,and red dots means sending requests but not being associated

authentication

1. 802.11
   1. open authentication:client need to use an 802.11 authentication request
   2. WEP:rc4密钥流对称加密
2. WPA
   1. WPA1
   2. WPA2
   3. WPA3

all WPA versions support two modes:pre-shared key(PSK) and 802.1x(also known as personal mode and enterprise mode).

WPA1 and WPA2 are not entirely safe now. 3. EAP with 802.1x(based on WPA enterprise mode)(should always use as higher as possible version)(802.x need a radius server)

客户端设备通过802.1x（通过EAPOL）认证后，会生成两种类型的密钥：用于单播通信的PMK和用于组通信的GMK。这些主密钥用于派生更具体的密钥（PTK和GTK），这些密钥对不同类型的网络流量进行加密，确保无线网络通信的安全。

1. WebAuth ways
   1. LWA with an internal database on the WLC
   2. LWA with an external database on a RADIUS or LDAP server(make sense)
   3. LWA with an external redirect after authentication
   4. splash page redirect,using an internal webpage on the WLC
   5. passthrough???

enable AAA Override to assign vlan correctly

hierarchichal LAN Design Model

1. Access layer(network edge)
2. distribution layer
   1. for layer 2,creates a boundry for STP
   2. for layer 3,provide a logical point to summarize IP routing information
3. core layer

traditionnally,use a Layer 2 access layer and layer 3 distribution layer

• restrict a vlan to a single access layer switch
• redundent layer 3 switch with FHRP

Routed access is an alternative choice

• no FHRP required
• no STP required
• Increased uplink utilization(for no STP block)
• Easier troubleshooting
• faster convergence

simplified campus tools:

• VSS(Virtual Switching System),single point of management for improved efficiency

• SWV(StackWise Virtual),clustering two physical switches into a single logical switch(distribution or core layer often)

• StackWise,stacking two or more switches into a single logical switch.(access layer often)

  • simplfied design
  • no FHRP required
  • reduced STP dependence
  • increased uplink utilization
  • easier troubleshooting
  • faster convergence
  • high availability

flowchart LR
subgraph g1[physical layout]
a[L3] & b[L3]---c[/L2/] & d[/L2/]

a---b
a---b
end

subgraph g2[Logical layout with VSS or Swv]
a2[L3]---c2[/L2/] & d2[/L2/]
a2---c2 & d2
end

subgraph g3[Logical layout with VSS or Swv and StackWise]
a3[L3]---c3[/L2/]
a3---c3
end
g1---g2---g3

High Availability Technologies

RP:router processor

some combinations that allow the network work during an RP switchover:

1. SSO and NSF
2. SSO and NSF with GR
3. SSO and NSF with NSR
4. SSO and NSF with NSR and GR:use GR for GR-aware router else use NSR for GR-unaware router

• SSO:SSO allows router with redundant RPs to checkpoint the router configuration,line card operation and Layer 2 state information from the active RP to the standby RP.
  • no Layer 3 control plane information about any neighbor router
• NSF:checkpoint FIB
• GR:allow a neighbor to be aware that the router undergoing switchover,continuing forwarding packets with invalid neighbor relationship
  • SSO/NSF-capable router
  • GR-aware router(GR helper)
  • GR-unaware router
• NSR:enable SSO checkpoint all Layer 3 information even include TCP sockets

排错

command:

• show mac address-table|address address|dynamic|vlan vlan-id
• clear mac address-table dynamic [{address mac-address}|interface interface|vlan vlan-id]
• show interfaces interface switchport
• show interfaces status

SDA(software define access)

features:

• Network automation:through the use of Cisco DNA center(Digital Network Architecture)
• Network assurance and analytics:proactive telemetry
• Host mobility:similar to LISP
• Identity service:
• policy enforcement:SGACLs(security group access control lists) provides much simpler and more scalable form based on identity
• secure segmentation:
• network virtualization:

SD-Access=Campus fabric(overlay solution)+Cisco DNA center

1. Management Layer
   1. DNA center GUI
      1. Base automation
      2. design
      3. policy
      4. provision
      5. Assurance
2. Controller Layer
   1. DNA center
      1. NCP network control platform:provides all the underlay and fabric automation using NETCONF/YANG,SNMP,SSH/Telnet and so on.And get information to the manager layer
      2. NDP network data platform:data collection and analytics and assurance.provide contextual information to NCP and ISE.
   2. ISE identity service:provide identity and policy service for the physical and network layer,using 802.1x,MAB(MAC Authentication Bypass) and WebAuth
3. Network Layer
   1. fabric overlay(recommended MTU size 9100)
      1. control plane,based on LISP.
         1. based on EID,RLOC,MS
      2. data plane,based on VXLAN.
         1. use VXLAN-GPO with VXLAN format enhanced with SGTs(scalable group tags,also referred to as TrustSec Security Group Tags)
            1. Group policy id:16bit identifier
            2. G bit(group based policy extension):SGT is carried within Group policy id when set to 1
            3. D bit(don't learn):VTEP(virtual tunnel endpoint???) must not learn the source address when set to 1
            4. A bit(policy applied):group policy has been applied when set to 1,only when G bit set to 1
      3. policy plane,based on CTS(cisco TrustSec)
         1. SGT tags are assigned to authenticated groups
         2. network policy is based on the SGT tag instead of ip or mac address
   2. underlay(settings,protocol):recommond to use layer 3 as the IGP(IS-IS is prefered).
      1. manual setting
      2. automated setting
         1. creates an IS-IS routed access campus design
4. Physical Layer

fabric overlay

flowchart TB
a["network services(WLC,DNA,ISE)"]---fabric
fabric---b["wireless/wired endpoints and users"]

There are five roles for basic devices in the fabric overlay:

1. control plane node:MS/MR,contain the settings and map EID-to-RLOC

2. Fabric border node:PxTRs,connects external Layer 3 device to the SDA fabric has three roles:

   1. Internal border:connect to known areas by the organization
   2. Default border:connect to unknown areas with a default route
   3. Internal + default border

   and one function:

   1. translate VRF and SGT infomation from one domain to another

3. Fabric edge node:connects wired endpoints to the SDA fabric

   1. be a xTR
   2. first identify and authenticate(through 802.1x) wired devices, in order to place then into a overlay host pool(SVI and VRF instance by static or DHCP) and scalable group(SGT)
   3. responsible for hosting the anycast gateway

4. Fabric WLAN controller:connects APs and wireless endpoints to the SDA fabric

   1. connects APs and wireless endpoints to the SD-Access fabric.(perform as edge and border nodes at the same time)
   2. Just use CAPWAP tunnel outside the fabric.In the fabric,data plane use VXLAN tunnel to encapsulate.
   3. The WLC is connected outside of the fabric(located in controller layer)

5. Intermediate nodes:just provide underlay service

some benefits:

1. Virtual Network(VN):provide virtualization at the device level with VRF.(cloud service)
2. Hostm pool:use SVI for each pool and EID mapping to advertise each host pool
3. Scaleble group:assign every endpoints a scalable SGT tags,meaning the policy of devices in the group is easy to manage
4. anycast gateway:SVI gateways with the same ip and mac address

WAN

从企业或个人的角度看,要使用广域网(WAN)连接远端的另一个子网,物理层上来说,需要专线;二三层上来说,需要数据链路协议,例如HDLC或PPP.要将专线与路由器连接,中间一般需要一个CSU/DSU(信道服务单元/数据服务单元)做中继.现在很多专线本身集成了适配WIC(wan接口卡)的CSU/DSU.CSU/DSU设备工作时充当DCE(数据电路终端),此时路由器充当DTE(数据终端设备).两个路由器通过wan口相连时,一方使用DTE线缆,另一方使用DCE线缆.老版IOS需要在DCE段设置clock rate配置时钟.

从ISP的角度看,要提供的互联网服务往往会跨越很大的物理距离,所以不能单纯的将所有待接入的专线全部接到一块儿,所以需要对网络进行设计.城市级别的称为MetroE(城域以太网),也被称为 carrier Ethernet(载体以太网).MetroE有3类服务,E-line,E-LAN,E-Tree.通过MPLS搭建的,也会被称为VPWS(虚拟私有线路服务),VPLS(虚拟私有LAN服务),EoMPLS(Ethernet over MPLS)(这个和E-Tree不对应).

E-Line服务会创建一条点对点的EVC(Ethernet Virtual Connection,以太网虚拟连接),表示EVC两边端点可以通信.显然,E-Line两端路由器相连的两个端口需在同一子网.E-LAN(以太局域网服务)通过全互联的方式连接所有站点,相连在E-LAN的路由器需要在同一子网.E-Tree(以太网树服务)则是部分互联,也叫星形拓扑,点到多拓扑.E-Tree的根与叶相连的接口要使用同一子网,但由于叶之间并没有直接连接,所以路由要求只能根与叶成为邻居.需要针对路由协议进行额外的配置.

HDLC

标准HDLC定义了如何在bit流中通过标志字段找到待传数据,并且通过FCS字段完成校验功能等,完成了数据链路层的工作.Cisco私有的HDLC较于标准HDLC增加了类型部分.一般串口为up时默认使用的就是HDLC.

配置

接口模式:

• encapsulation HDLC
• clock rate speed EXEC:
• show controller serial number(查看是否为DCE端)

PPP

封装结构与Cisco私有的HDLC类似.还定义了LCP(链路控制协议)和NCP(网络控制协议).LCP中有认证和多链路支持等功能.

认证

认证分为PAP和CHAP两种,PAP是明文传输的,CHAP是加密传输的.两种认证方式双方都必须配置了用户名和密码.

配置

接口模式:

1. encapsulation ppp
2. hostname name(!被配置路由器的用户名)
3. username name password password(!邻居路由器的用户名和密码)
4. ppp authentication {chap|pap|chap pap(!先使用chap,再使用pap)}
5. (pap need) ppp pap sent-username name password password(!同2)

多链路支持

链路层接口级别的负载均衡,逻辑上被视为一个三层接口,encapsulation 命令需要同时在串行接口和多链路接口启用.多链路双方接口link-num应相同,group-num应相同

配置

配置模式:

1. interface multilink link-num(!创建多链路接口) 进入逻辑接口的接口模式:
2. encapsulation ppp
3. ppp multilink
4. ip address address mask(!在该逻辑接口上配备ip和掩码)
5. ppp multilink group group-num

物理接口的接口模式:

1. encapsulation ppp
2. ppp multilink
3. no ip address
4. ppp multilink group group-num
5. !验证等在此处配置

排错

• 线路状态和协议状态均为down/down时,一般是物理层问题.
• 当线路up,协议down时
  • 两端协议均down: 使用协议不匹配(encapsulation命令不匹配) 或 PPP认证失败
  • 一端down,另一端up:使用HDLC时,up一方禁用了Keepalive
• 线路和协议均up/up时,无法路由时,问题出在第三层.当两个串口相连时,他们理应在同一子网.不然,虽然PPP链路可以ping通,但无法交换路由信息.

VRF-lite(virtual routing and forwarding)

vrf-lite是在物理路由器上创建虚拟路由器实例的技术.

VRF-lite does not support IGRP and ISIS. •VRF-lite does not support all MPLS-VRF functionality: label exchange, LDP adjacency, or labeled packets. •VRF-lite does not affect the packet switching rate. •The capability vrf-lite subcommand under router ospf should be used when configuring OSPF as the routing protocol between the PE and the CE.

配置

配置模式:

1. ip vrf name
   1. address-family {ipv4|ipv6}
   2. interface interface(!如果是子接口,必须是dot1q封装方式)
      1. ip vrf forwarding name(!分配给某vrf实例) 其余和普通配置一样,设置ip等

排错

• show ip route vrf name

MPLS

位于MPLS边缘的路由器会在数据包出入MPLS网络时,对数据包添加和移除MPLS头部,内部设备转发数据基于标签字段.MPLS VPN是SP的一项主营业务,可以不加密数据的前提下,确保一个客户的数据不会被发给另一个客户,而且不需要客户都处于同一个子网.

MPLS可以转发除IPv4以外的三层协议,还支持多种服务.

• LIB(MPLS Lable Information Base):对标路由中的RIB.
• LFIB(MPLS Lable Forwarding Information Base):对标路由中的FIB,but used for labeled packets
• LSR(Label Switch Router):MPLS域中支持MPLS的路由器,位于MPLS域边缘的称为E-LSR(Edge LSR),不在边缘的称为中间LSR.边缘LSR负责为进入域的数据包添加标签(称为Ingress E-LSR),为离开MPLS的数据包删除标签(称为Egress E-LSR).
• LSP(Label Switched Path):IP数据包穿越MPLS域所采用的累积标签路径.
  • LSPs are unidirectional.
• LDP:标签分发协议,对标路由协议.通过UDP224.0.0.2:646多播Hello包.通过TCP 646端口建立TCP会话交换标签信息.自己分配一个标签,并从邻居学习标签填充自己的LIB.最佳标签填充LFIB.

数据包穿越MPLS的过程:添加标签->添加标签到外层,删除里层标签->到达倒数第二跳,只删除标签->根据IP转发,出MPLS域 (在倒数第二跳不会继续添加标签,只会删除标签)

header

• header:20+3+1+8 bit
  • label:20bit,used to identify LSP
  • EXP:3bit,used for Qos
  • S:1bit,which when set to 1,means this is the label immediately preceding the IP header
  • TTL:8bit,like TTL in ip
    • 
    • can disable MPLS TTL propagation to allow ingress E-LSR to set the MPLS TTL to 255 to hide the MPLS network.

LDP(label distribute protocol)

when a LSR learn a new route, it will allocate a label for it and advertise this binding to its LDP neighbor.

configuration

1. mpls ip(!enabled by default)
2. mpls label protocol {ldp|tdp|both} (!ldp by default)
3. (!mpls router id)mpls ldp router-id interface [force]
4. mpls label range min max(!need to use reload)
5. mpls ldp neighbor [vrf vrf] ip-address [password [0-7] password]
6. interface interface
7. mpls ip

MPLS VPN

• CE(customer edge):客户边缘路由器
• PE(provider edge):提供商边缘路由器,边缘LSR
  • need to use multiple vrfs to learn probably overlapping ipv4 route from CEs.And redistribute them into BGP.
• RD(Router Distinguisher):路由鉴别符,64bit,8字节,拓展IP用.
  • defined in MP-BGP.Add a 64-bit RD to ipv4 prefix of a route.
  • formatted with ipv4:num or ASN:num
• RT(Route Targets):advertised in BGP Updates as BGP Extended PA.
  • 
• VPNv4:RD+ipv4地址
• P:provider 中间LSR

PE路由器通过创建VRF实例将CE路由隔离,PE以每个VRF实例生成RD,P路由器对CE透明.PE路由器重分发路由后通过MP-iBGP交换路由,P路由器不参与BGP进程.VRF中的路由全是关于VPNv4的路由.

1. CE和PE通过路由协议交换IP路由
2. PE将IP路由放入VRF的路由表
3. 将VRF中的IP路由作为VPNv4重分发到MP-BGP中
4. PE路由器通过MP-BGP交换iBGP路由
5. PE路由器将VPNv4重分发为Ip路由到特定VRF的路由协议中
6. PE与另一端CE协商IP路由

data plane

MPLS VPN先添加VPN标签(inner label),再添加MPLS标签(outer label),中间转发和MPLS过程相同,VPN label只对egress PE有意义.

• The outer label identifies the segments of the LSP between the ingress PE and theegress PE, but it does not identify how the egress PE should forward the packet.
• The inner label identifies the egress PE’s forwarding details, in particular the outgoing interface for the unlabeled packet.

configuration

1. (!Creating each VRF, RD, and RT, plus associating the customer-facing PE interfaces with the correct VRF)
   1. ip vrf vrf-name
      1. rd rd-value
      2. route-target {import|export|both} rt-value
   2. interface interface
      1. ip vrf forwarding vrf-name
2. (!Configuring the IGP between PE and CE)
3. (!Configuring mutual redistribution between the IGP and BGP)
4. (!Configuring MP-BGP between PEs)
   1. router bgp as-num
   2. neighbor ip remote-as as
   3. neighbor ip update-source source-ip
   4. address-family vpnv4
      1. neighbor ip activate

排错

1. show mpls inetrfaces
2. show mpls forawarding-table

SD-WAN

• centuralize divice configuration and network management

two solutions:

1. cisco SD-WAN

   1. SD-WAN edge devices:devices who forwards traffic
   2. vManage Network Management System(NMS):provides GUI for managing the SD-WAN solution. Performs remote software upgrades for WAN Edge, vSmart, and vBond.

   3. vSmart controller:advertising routes and data policies to edge devices

      1. use DTLS tunnel with edge devices to establish OMP(Overlay Management Protocol).
      2. advertise reachability information in the fabric
      3. implement all the control plane policies created on vManage

      OMP is a proprietary routing protocol similar to BGP

   4. vBond orchestration:authenticates and orchestrates connectivity between edge devices,NMS, and controllers every vbond has a permanent control plane over a DTLS(datagram transport layer security) tunnel with every vSmart controller.

      1. authentication
      2. NAT detection
      3. load balancing

   5. vAnalytics

2. Meraki SD-WAN:require UTM(unified threat management)

SD-WAN cloud???

CoR(cloud OnRamp):a set of functionalities addressing optimal cloud SaaS application access and IaaS connectivity.

• Policy
  • Local policy:pushed to the edge decice by the vManager
  • centralized policy
    • topology
    • VPN membership
    • AAR(application-aware routing):enhance forwarding on application-by-application basis
    • traffic data:filter traffic on an application-by-application basis,modify traffic,Qos,loss protection
• Application-aware routing:utilize BFD(bidirectional forwarding dtection) in the SD-WAN tunnels to track a tunnel's quality.

Internet and VPN

当接入WAN时,本地和ISP连接.许多ISP和连接到ISP的子网共同组成了全球互联网--Internet(:)).

企业可以使用VPN技术通过互联网技术实现WAN专线一样的服务.

VPN一般基于GRE隧道.DMVPN基于GRE和NHRP

GRE隧道可以实现端对端的vpn.

DMVPN支持一点对多点的mGRE隧道vpn,单点部分充当中心站点和NHRP(下一跳解析协议)服务器,多点部分充当分支站点(NHS)和NHRP客户端(NHC).NHRP服务端会自动帮助客户端学习客户端之间的路由,使客户端之间的消息可以经过Spoke-to-Spoke隧道,不经过中心路由器转发.

GRE可以通过IPsec实现数据安全.

GRE

最初的GRE旨在为不可路由的协议提供传输机制.GRE隧道也叫叠加网络.GRE将数据包添加IP数据包报头,将原始信息作为数据段封装起来,如果有需要,还可以对数据部分加密.

GRE隧道会对IP数据报在IP报头之前添加GRE IP报头,GRE标志的封装.

NHRP

NHRP是为NBMA网络(非广播网络,但允许多个路由器在一个网段,DMVPN也是)提供地址解析的方法(ARP),从协议地址解析到NBMA地址.服务端(NHS,next-hop server)维护地址信息,为客户端(NHC,next-hop client)提供地址查询的服务.

NBMA地址是传输网络的地址,协议地址是分配给叠加网络的地址.

NHRP数据包都必须包含NBMA地址,源协议地址,目的协议地址和NHRP消息类型.

DMVPN阶段

1. Spoke to Hub
   1. 在NHS和NHC之间建立永久VPN隧道,这个阶段所有数据包都会经过NHS.
2. Spoke to Spoke
   1. 在NHC之间按需建立VPN通道进行Spoke to Spoke通信.不允许路由汇总和多级分层之间进行Spoke-to-Spoke通信
   2. 详细流程:
      1. Spoke站点通过Spoke to Hub发送数据包到另一Spoke站点
      2. Hub发送NHRP重定向消息给Spoke站点
      3. Spoke站点通过Spoke to Hub发送NHRP解析请求给另一Spoke站点,请求建立Spoke to Spoke隧道
      4. 另一站点通过Spoke to Spoke尝试返回NHRP解析应答,如果成功,则一个方向的Spoke to Spoke建立成功,另一方向同理.
3. 分层树状Spoke to Spoke
   1. 优化Spoke to Spoke之间的路由,多级分层也可以Spoke-to-Spoke通信

There are more routing protocol restrictions with Phase 2 than DMVPN Phases 1 and 3. For example, summarization and default routing is NOT allowed at the hub, and the hub always preserves the next hop on spokes. Spokes need specific routes to each other networks.

DM-VPN链路状态:

1. INTF:隧道线路协议down
2. IKE:IPsec未通过,未建立IKE(Internet Key Exchange)会话
3. IPsec:建立IKE会话,为建立IPsec SA(Security Association)
4. NHRP:分支路由器未注册
5. Up:acc

NHRP路由控制

NHRP会覆盖某些路由的下一跳或安装新的路由.第三阶段会实行路由汇总.

FVRF

DMVPN会遇到一些问题:

1. 递归路由
   1. 传输网络和叠加网络宣告互相干扰时,如EIGRP添加了使用OSPF的传输网络接口,EIGRP通过OSPF的路由,穿过隧道建立邻居关系,然后宣告路由,然后OSPF路由失效,EIGRP邻居不可达,一直循环
2. 出站接口选择 解决办法是FVRF.

与传输网络关联的VRF称为FVRF(Front Door VRF),为每个DMVPN隧道使用FVRF是应该的.

通过DHCP分配ip的FVRF会自动安装AD值254的默认路由.

IPsec

数据安全包含三要素:

• 数据机密性:确保授权用户才能查看数据.对数据加密
• 数据完整性:仅授权用户才能修改数据.哈希能发现数据被修改与否
• 数据可用性:数据传输网络始终可用

IPsec由AH(Authentication Herder)和ESP(Encapsulating Security Payload)提供数据完整性和机密性.可以单独使用也可以组合使用.

• AH:Authentication Header,创造数字签名确保数据包不被修改.IP协议号51.
• ESP:对数据部分加密保证数据机密性.分为传输模式和隧道模式.IP协议号50.
  • 传输模式:加密和认证数据包净荷.在数据报数据与IP报头之间添加ESP报头,数据之后添加ESP尾部和ESP认证.传输模式ESP报头添加在GRE IP报头之后,GRE标志之前.(只不加密IP报头)
  • 隧道模式:在IP报头前添加新IP报头和ESP报头,尾部添加ESP尾部和ESP认证.GRE同理.(即对原始IP报头也加密)

SA(security association,安全关联)包含两台端点设备之间协商一致的安全参数,包括:

• IKE SA:控制平面,bidirectional
• IPsec SA:数据平面,单向,至少需要入站和出站两个 两台端点设备之间只能有一个IKE SA,但能有多个IPsec SA.

site-to-site ipsec

ways:

1. (!crypto maps(not good))
   1. ip access-list extended acl-name
      1. permit gre host tunnel-source-ip host tunnel-destination-ip
   2. crypto isakmp policy priority(!1 is the highest)
      1. encryption {des|3des|aes|aes 192|aes 256}(!des by default,not recommened,aes is recommoned)
      2. hash {sha|sha256|sha384|md5}(!sha by default)
      3. authentication {rsa-sig|rsa-encr|pre-share}
      4. group {1|2|5|14|15|16|19|20|24}(!recommend to use 14 or higher)
   3. crypto isakmp key keystring address address [mask]
   4. crypto ipsec transform-set transform-set-name [ESP加密] [ESP认证] [AH认证] (!各只能选一个.建议aes和sha)
      1. mode {transport|tunnel(!默认)}(!选择transport更好)
   5. crypto map map-name seq-name [ipsec-isakmp]
      1. match address acl-name
      2. set peer {hostname|ip-address}
      3. set transform-set transform-set-name [transform-set-name2] --- [transform-set-name6]
   6. any physical interface
      1. crypto map map-name
2. (!tunnel IPsec profile)
   1. crypto isakmp policy priority(!1 is the highest)
      1. encryption {des|3des|aes|aes 192|aes 256}(!des by default,not recommened,aes is recommoned)
      2. hash {sha|sha256|sha384|md5}(!sha by default)
      3. authentication {rsa-sig|rsa-encr|pre-share}
      4. group {1|2|5|14|15|16|19|20|24}(!recommend to use 14 or higher)
   2. crypto isakmp key keystring address address [mask] (!set address to 0.0.0.0 for all neighbors)
   3. crypto ipsec transform-set transform-set-name [ESP加密] [ESP认证] [AH认证] (!各只能选一个.建议aes和sha)
      1. mode {transport|tunnel(!默认)}(!选择transport更好)
   4. crypto ipsec profile profile-name
      1. set transform-set transform-set-name
   5. 进入待加密gre接口
      1. tunnel protection ipsec profile profilename [shared] (!must use interface as source)

transform set

预共享密钥认证

预共享密钥认证是实现IPsec的一种部署方法.包含:

1. IKEv2密钥环:预共享密钥的存储库

   1. crypto ikev2 keyring keyring-name
   2. peer peer-name(!一个密钥环支持多个对等体,使用不同的密码)
   3. address network mask
   4. pre-shared-key [address address] secure-key

2. IKEv2配置文件:一组不可协商的安全参数.

   1. crypto ikev2 profile ike-profile-name
   2. match identity remote address {ip-address|0.0.0.0(!match all)}
   3. (!PKI认证)identity local address ip-address(!与注册证书使用的地址匹配,建议使用环回接口)
   4. (!FVRF)match fvrf {vrf-name|any}
   5. authentication local {pre-share(!预共享密钥认证)|rsa-sig(!证书认证)}
   6. authentication remote {pre-share|rsa-sig}
   7. keyring local keyring-name

3. IPsec转换集:指定通过ESP还是AH对数据加密

   1. crypto ipsec transform-set transform-set-name [ESP加密] [ESP认证] [AH认证] (!各只能选一个.建议aes和sha)
   2. mode {transport|tunnel(!默认)}(!选择transport更好)

4. IPsec配置文件:将转换集和IKEv2配置文件关联起来.

   1. crypto ipsec profile profilename
   2. set transform-set transform-set-name
   3. set ikev2-profile ike-profile-name

5. 其他:

   1. (!数据包重放保护)crypto ipsec securityassociation replay window-size size(!默认64,cisco建议使用最大值1024)
   2. (!DPD,dead peer detection,失效对等体检测)crypto ikev2 dpd [interval-time] [retry-time] on-demand(!仅在分支路由器上配置)
   3. (NAT保活)crypto isakmp nat keepalive seconds(!分支路由器上使用)

6. 保护

   1. crypto ikev2 limit {max-in-neogotation-sa limit|max-sa limit}[outgoing] (!半开SA阈值防Dos)
   2. crypto ikev2 cookie-chanllenge chanllenge-number

7. 加密隧道接口:

   1. 进入待加密gre接口
   2. tunnel protection ipsec profile profilename [shared]

配置

单点配置模式:

1. interface tunnel num
2. (!可选)tunnel mode {gre|ipsec} {ip|ipv6}(!选择封装方式,默认为GRE)

1. ip address address mask(!分配ip和掩码)
2. tunnel source {ip-address|inerface-id}
3. tunnel destination {ip-address|hostname}(!目的路由器的物理地址)
4. (!带宽)bandwidth 1-10,000,000
5. (!keepalive)keepalive [seconds [retries] ]
6. ip mtu mtu

DMVPN(如果ipv6,ip换成ipv6)(!注意在隧道接口上配置链路本地地址):

• HUB(中心路由器):
  1. (!创建隧道接口)interface tunnel tunnel-number
  2. tunnel sourcee {ip-address|interface}(!不建议使用环回接口,会产生Qos问题)(!传输ip地址,也叫nbma地址)
  3. (!mGRE隧道)tunnel mode gre multipoint [ipv6(!ipv6时设置)]
  4. ip address ip-address subnet-mask(!子网掩码决定了隧道的可容纳数)
  5. ip nhrp network-id 0-255.255.255.255(!DMVPN网络ID,本地意义)
     1. ip nhrp registration no-unique(!使用dhcp是最好启用,或强制启用)
  6. (!密钥)tunnel key 0-4294967295
  7. (!FVRF)tunnel vrf vrf-name
  8. (!多播)ip nhrp map multicast dynamic(!多播支持,不启用则是非广播网段,启用则是广播网段)
  9. (!NHRP重定向)ip nhrp redirect
  10. bandwidth 1-10000000
  11. ip mtu mtu(!默认1400)
  12. ip tcp adjust-mss mss-size(!TCP MSS(Max Segment Size),默认1360)(!minimize the risk of fragmentation on a GRE/IP tunnel)
  13. [ip nhrp authentication password] (!启用NHRP认证机制)
  14. (!NHRP保持时间)ip nhrp holdtime 1-65535(!默认7200s,建议值600s)
  15. (!NHRP超时时间)ip nhrp registration timeout 1-65535(!默认为保持时间的1/3)
• Spoke(分支路由器):
  1. interface tunnel tunnel-number
  2. tunnel sourcee {ip-address|interface}
     1. tunnel destination ip-address(!中心路由器的nbma地址,这一步是GRE隧道建立所需)(!第一阶段DMVPN使用此命令)
     2. tunnel mode gre multipoint [ipv6(!ipv6时设置)](!第三阶段或第二阶段GRE隧道)
  3. ip address {ip-address subnet-mask|dhcp}或ipv6 address ipv6-address/prefix-length
     1. ip nhrp registrationno-unique(!使用dhcp是最好启用,或强制启用)
  4. ip nhrp network-id 1-255.255.255.255(!ID和中心路由器相同)
  5. (!第三阶段开启shortcut数据包)ip nhrp shortcut
  6. tunnel key 0-4294967295(!密钥和中心路由器相同)
  7. (!FVRF)tunnel vrf vrf-name
  8. ip nhrp nhs nhs-address nbma hub-nbma-address [multicast](!nbma地址是中心路由器的传输ip地址,nhs地址是其协议ip地址,是中心路由器第4步的ip地址)(!可以冗余设置) 或:
     1. ip nhrp map nhs-address hub-nbma-address(!映射NBMA地址为隧道ip地址)
     2. [ip nhrp map multicast [nbma-address|dynamic] ] (!映射NBMA地址为广播或多播地址)
     3. ip nhrp nhs nhs-address(!创建NHS表项将其分配给隧道IP地址???)
  9. bandwidth 1-10000000
  10. ip mtu mtu
  11. ip tcp adjust-mss mss-size(!max segment size)(!minimize the risk of fragmentation on a GRE/IP tunnel)
  12. [ip nhrp authentication password] (!启用NHRP认证机制)
  13. (!NHRP保持时间)ip nhrp holdtime 1-65535(!默认7200s,建议值600s)
  14. (!NHRP超时时间)ip nhrp registration timeout 1-65535(!默认为保持时间的1/3)
• FVRF
  1. vrf definition vrf-name(!和MPLS处不同)
  2. address-family {ipv4|ipv6}
  3. interface interface-id
     1. vrf forwarding vrf-name
     2. ip address {ipv4 mask|ipv6/prefix}
  4. ip route vrf vrf-name 0.0.0.0 0.0.0.0 next-hop-ip

排错

• show dmvpn [detail]
• show ip nhrp [brief|detail]查看nhrp缓存

LISP(Cisco Locator/ID Separation Protocol)

Be used to solve the problems of the default-free zone.

• aggreagtion issua
• traffic engineer
• multihoming
• routing instability

terminology:

• EID:the IP address of an endpoint within a LISP site
• LISP router
  • ITR(ingress tunnel router):LISP-encapsulate IP packets destined outside the LISP site
  • ETR(egress tunnel router):de-encapsulate LISP-encapsulate destined the EIDs within the LISP site
  • xTR:perform ITR and ETR at the same time
  • PITR(proxy ITR):for packets from non-LISP sites to EID destination
  • PETR(proxy ETR):for packets destined to non-LISP sites
  • PxTR:perform PITR and PETR at the same time
• RLOC(Routing locator):ipv4 or ipv6 address of an ETR facing the Internet
• MS(Map server):learn and store EID-to-prefix mapping entries in EID-to-RLOC database
• MR(Map resolver):cunsulting the MS and response requests
• MS/MR

architecture

• route by EID in LISP site,by RLOC in the Internet
• based on a pull model(only request the nessary information) in comparison with push model(push all the routes to the routers)
• Data plane
  • Outer LISP IP header
    • source RLOC IP
    • Destination RLOC IP
  • Outer LISP UDP header
    • Source port
    • Destination port
  • LISP Header
    • Flags
    • Map version
    • Instance ID:enables VRF and VPNs for virtualization and segmentation

Operation

• Map Registration and notification
  • ETR sends a map register message to the MS to register its associated EID prefix
• Map Request and Reply
  • When ITR receives the packet destined to other LISP site,if there's no matched non-default route and no matched entry in cache,send a map request to the MR
  • MR forward the request to the MS
  • MS forward the request to the ETR
  • ETR sends to the ITR a map reply
• LISP data path
  • ITR encapsulates the packet to the ETR with ITR's RLOC address as source address and ETR's RLOC address as destination address
  • ETR de-encapsulates it
• Proxy ETR
  • ITR sends a map request to the MR
  • MR responds with a negative map reply that includes a calculated non-LISP prefix(shortest prefix which matches the requested destination but does not match any LISP EIDs) and PETR's address
  • ITR add the prefix into cache and sends packets to PETR
• Proxy ITR
  • behave in the same as ITRs

Vxlan

VXLAN extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network.(VXLAN（Virtual Extensible LAN，虚拟可扩展局域网）是一种网络技术，它允许在现有的第三层（Layer 3）网络基础设施上创建第二层（Layer 2）和第三层（Layer 3）的虚拟网络（overlay networks）)

VNI(VXLAN network identifier) of 24 bit,is to provide segmentation for Layer 2 and Layer 3.

use VTEPs(virtual tunnel endpoints) to discover VNI over the underlay Layer 3. VTEPs connect between Overlay and Underlay network and they are responsible for encapsulating frame into VXLAN packets to send across IP network (Underlay) then decapsulating when the packets leaves the VXLAN tunnel. . Each VTEP has two parts:

• Local Lan interfaces
• IP interface

VXLAN just defines VXLAN as a data plane,but it does not define a VXLAN control plane.

• VXLAN with Multicast underlay(most popular)
• VXLAN with static unicast VXLAN tunnels
• VXLAN with MP-BGP EVPN control plane(most popular)
• VXLAN with LISP control plane(campus preferred)
  • Cisco Software-Defined Access is an example

PPPoE

PPPoE可以在以太网中创建一条PPP链路.可以通过以太网启用拨号接口.

配置

• 一层
  • interface dialer number
  • 进入接口
  • dialer-pool number
  • pppoe-client dial-pool-number number
• 二层
  • 拨号接口
  • encapsulation ppp
  • ppp chap hostname name
  • ppp chap password password
  • 以太网接口
  • pppoe enable
• 三层
  • 拨号接口中
  • ip address negotiated(!自动获取)
  • mtu 1492
  • 以太网接口
  • no ip address

QOS

Qos(quality of service)系列工具管理网络流量的带宽,延迟,抖动,丢包.

Trust Boundary should be done as close to end-point as possible.

models

1. Best effort does not require qny special treatment

2. Intergrated Services use RSVP(Resource Reservation Protocol) to reserve resources for a specific application and provide CAC(call admission control) to guarantee no other IP traffic can use the reserved resources.

   but need all nodes support,build,and maintain RSVP path state for every flow.

3. Differentiated Services(DiffServ) divides IP traffic into classes and marks it.

分类和标记

首先Qos会根据数据包的字段,等进行匹配和标记(数据生成之初执行复杂匹配,标记之后进行简单匹配,节约性能),当数据包不能通过简单的判断分类时,会使用名为NBAR2(Network Based Application Recognition version 2,基于网络的应用识别)的工具.使用标记和分类Qos时需要设定Qos的信任边界,不信任接入层的终端设备的标记.

• descriptors used for classification
  • Internal:QoS group
  • Layer 1:interface or port
  • Layer 2:mac and 802.1Q/p class(CoS) bit
  • Layer 2.5:MPLS experimental(EXP) bits
  • Layer 3:DSCP(Differentiated Services Code Points),IP precedence,and ip addresses
  • Layer 4:TCP or UDP port
  • Layer 7:NBAR2

DiffServ建议了统一的DSCP标记值,有加速转发(EF),确保转发(AF),类别选择器(CS)等.加速转发即优先被路由,确保转发定义了四个独立队列,在队列中定义了三个优先级.根据标记的不同在不同队列中有不同优先级的丢弃行为.类别选择器(CS),IPP对应的值*8为对应DSCP的值

NBAR2

can recognize close to 1500 applications.

• protocol discover
• Modular QoS CLI
• use layer 3 to layer 7

mark

1. layer 2(802.1p)
   1. TPID(Tag Protocol Identifier)
   2. TCI(tag control information)

      1. PCP(Priority Code Point,mark packets as a specific CoS)

         value	Acronym	Traffic Type
         0	BK	background
         1	BE	Best effort
         2	EE	Excellent effort
         3	CA	Critical applications
         4	VI	Vedio <100ms latency and jitter
         5	VO	Vedio <10ms latency and jitter
         6	IC	Internet control
         7	NC	net control

      2. DEI(Drop Eligible Indicator) set to 1 to indicate that the frame can be dropped

      3. VLAN ID

2. layer 2.5
   1. MPLS
3. layer 3
   1. TOS
      1. IPP(3bit) before
      2. DS(DiffServ field,8bit) now PHB(per-hop behavior) is expediting,delaying,or dropping a collection of packets by BAs(Behavior Aggregate),which based on DSCP value
         1. 6bit DSCP(DiffServ Code Point)
            1. CS(Class Selector) PHB:backward compatible with IPP,higher values mean higher priority:{0|1}{0|1}{0|1}+000
               1. CS1 means Scavenger Class,less than best-effort service.
            2. DF(Default Forwarding) PHB:used for best effort:000000
            3. AF(Assured Forwarding) PHB:guaranteed bandwidth service:{000~100}+{0|1}{0|1}0,the former means IPP priority,the later means dorp probability
            4. EF(Expedited Forwarding) PHB:used for low-delay service:101110,46 in decimal
         2. 2bit ECN(Explicit Congestion Notification)

拥塞控制(队列) 和 避免

所有网络互联设备都使用队列机制.例如轮询调度,使权重更高的队列得到的带宽更多(这样还可以实现带宽控制);优先级队列,将语音数据的队列永远优先处理(语音数据量大时会导致其他队列饥饿,使用CAC解决).

依赖于TCP中的拥塞避免机制,设立丢弃一些数据包的阈值和级别,当队列满到某个阈值时,丢弃某个百分比的数据包,队列越满,丢弃越多.

legacy queue:

• FIFO(First-in,First-out)
• Round robin:multiple equal-priority FIFO
• WRR(Weighted round robin):queue receive a portion of interface bandwidth
  • CQ(Custom queuing):Cisco implementation of WRR.Causing long delay and being not support to DSCP
• PQ(Priority queuing):always serve higher-priority queue,possibly making lower-priority queue starve
• WFQ(Weighted fair queuing):divides the interface bandwidth by IPP.can't provide a fixed-bandwidth guanrantee for any particular flow.

current queue:

• CBWFQ(class-based weighted fair queuing) suitble for non-real-time data traffic.characteristics:
  • up to 256 queues
  • packet classfication
  • minimum bandwidth
  • weight
  • maximum packets limit
• LLQ CBWFQ with PQ,a single priority queue schedules all the combined traffic with multiple bandwidth guarantees and if a class is not using the bandwidth,it is shared.more suitble for real-time traffic.

aviodance tool:

• tail drop:drop when outpuit queue buffers are full without differentiated Services,causing TCP congest over and over again.
• RED(early detection):monitering the buffer depth and performs early drops on random packet
• WRED(weighted RED):RED with supports of DSCP,IPP or ECN.

整形和限速(policing and shaping)

限速工具通过检测数据包,对超过速率限制的数据包丢弃,实现限速功能.限速工具通常是ISP对企业使用,企业则需要使用整形工具,通过将达到速率限制的数据包推迟发出,达到对速率整形的目的.

1. policer and shaper
2. markdown:mark the excess traffic with a lower-priority

Token Bucket Algorithms

• CIR(Committed Information Rate,bps)
• PIR(Peak Information Rate)
• Tc(Committed Time Interval,time interval,ms):$Tc=(Bc/CIR)/1000$,recommend to 8 to 125 ms,shorter Tc reduce interpacket delay
• Bc(Committed Burst Size,bytes):the maximum amount of traffic within a Tc
• Be(excess burst size)
• Token:1 byte
• Token Bucket:sending packet takes tokens from the bucket(such as the Bc if a single bucket).if tokens of bucket are not enough,it will
  • waiting for tokens to accumulate(traffic shaping)
  • Drop(policing)
  • Mark

policers

1. Single-rate two-color single-rate:CIR two-color:Conform and exceed
2. Single-rate three-color(srTCM) another bucket to store tokens left over single-rate:CIR Three-color:Conform,exceed(over Bc but under Be) and violate
3. Two-rate three-color Two-rate:CIR and PIR(maximum rate of traffic allowed.Be Greater than CIR) Three-color:Conform,exceed(over Bc but under Be) and violate

Modular QoS CLI(MQC)

cisco's approach to implementing QoS on Cisco router.

1. class map define traffic classification
2. policy map provide QoS action for each class
3. service policy apply policy maps to interface

configure

1. class-map [match-any|match-all(!default)] class-map-name
   1. match { access-group num/name |cos cos-value-list(!CoS???) |[ip(!meaning ipv4)] dscp dscp-value-list |[ip(!meaning ipv4)] precedence precedence-list |ip rtp starting-port-number port-number-range |protocol protocol-name(!match NBAR protocol name) |qos-group qos-group-name |protocol http [url url-string|host hostnamr-str|mime mime-type] |protocol rtp [audio|vedio|payload-type payload-string] |protocol peer-to-peer-application |any }
2. policy-map policy-map-name

   1. class class-map-name

      1. set {qos-group qos-group-id |cos cos-value |[ip] precedence ipp |[ip] dscp dscp-value}
      2. police [cir] cir-in-bps [ [bc] Bc] [ [be] Be(!default equeals Bc)] [pir Pir] [comform-action action(!default transmit)] [exceed-action action(!default drop)] [violate-action action(!default drop)] (!cir,bc,be are just nonates) action:
         • drop
         • transmit
         • set-dscp-transmit
         • set-prec-transmit
         • set-cos-transmit
         • set-qos-transmit(only valid on inbound policy map)
      3. priority(!PQ)(!cannot coexist with random-detect,shape,fair-queue and bandwidth in the same class)(!don't support police in the same class???) [police-rate-in-kbps [burst-in-bytes] |percent police-rate-in-percentage |level {1|2} (!just co-exist with bandwidth remaining in the same map) |level {1|2} police-rate-in-kbps [burst-in-bytes] |level {1|2} percent police-rate-in-percentage(!relative percent,as shaper's setting) ] (!priority is only in effect only during time of congestion)
      4. bandwidth {bandwidth-in-kbps |remaining percent percentage(!relative percent,as shaper's setting) |remaining ratio ratio(!relative ratio,as shaper's setting) |percent percentage(!absolute percent) }
      5. fair-queue(!used on class-default to manage multiple flows???,require the bandwidth or shape)
      6. shape {average|peak(!not commonly used)} mean-rate-in-bps [ [Bc] [Bs] ]
      7. queue-limit queue-limit-size {cos cos-value|dscp dscp-value|IPP} percent percantage-of-packets (!require the bandwidth,shape,or priority in the same class)
      8. random-detect [dscp-based|precedence-based|cos-based] (!enables WRED,require the bandwidth or shape in the same class)

      example: class vedio or voip:priority level percent, other classes:bandwidth percent OR class vedio or voip:priority level, other classes:bandwidth remaining percent,

      default:fair,random,queue-limit,bandwidth like other classes

3. interface interface
4. service-policy [input|ouput] policy-map-name

netflow

netflow:gather statistics.Netflow has two parts that must be configured:

1. data capture:based on flow(source ip,destination ip,source port,destination port,layer3 protocol type,ToS,input logical interface)
   1. ingress
      1. ip to ip
      2. ip to MPLS
      3. frame relay
      4. ATM
   2. egress
      1. ip
      2. MPLS to ip
2. data export

flexible netflow has 4 components:

1. flow records
   1. match command is used to select key field
   2. collect command is used to select non-key field
2. flow monitors
3. flow Exporters
4. flow samplers

configure

• ip flow {ingress|egress}
• ip flow-export [version version|destination ip]

show

• show ip flow interface
• show ip flow export
• show ip cache flow

security

To address the issue,cisco creates a SAFE(secure architectural framework) to help design secure solutions based on the PINs(places in the network):

• branch
  • endpoint malware
  • rogue APs for MitM(man-in-the-middle)
  • Dos
  • unauthorized/malicious client
• campus
  • phishing
  • web-based exploit
  • unauthorized access
  • malware
  • botnet infestation
• data center
  • data extraction
  • malware
  • unauthorized access
  • botnet infestation
  • data loss
  • privilege escalation
  • reconnaissance
• edge:most important for e-commerce
  • web server vulnerrabilities
  • DDoS
  • data loss
  • MitM attack
• cloud:provide services
  • web server vulnerabilities
  • loss of access
  • data loss
  • malware
  • MitM attack
• WAN
  • malware
  • unauthorized access
  • WAN sniffing
  • MitM attack

attack continuum

1. before:establish policies and implement prevention
   • firewall
   • access control
   • identity services
2. during:detect,block and defend
   • next-generation intrusion prevention systems
   • next-generation firewall
   • malware protection
   • email and web security solution
3. after:detect,contain and remediate an attack
   • cisco advanced malware protection
   • next-generation firewall
   • malicious network behavior analysis(cisco secure network analytics)

next-generation endpoint security

1. Cisco Talos:detect,analyze and protect against known and emerging threats
2. Cisco Secure Malware Analytics:perform static file anylisis by running the files in sandbox
3. Cisco AMP(Advanced Malware Protection):malware anylisis and protection
   1. AMP cloud
   2. AMP connectors
      1. secure endpoint
      2. secure email
      3. secure web appliance
      4. AMP for network
      5. AMP for Meraki MX
   3. Threat intelligence from Talos and Secure Malware Analytics
4. Cisco Secure Client:VPN and enhanced security
5. Cisco Umbrella:OPENDNS of cisco.(anycast;)
6. Cisco WSA(secure web application):an all-in-one web gateway including a wide variety of protections that can block websites
   1. before an attack:web reputation filter,web filter and cisco AVC(application visibility and control)
   2. during an attack:cloud access security,parallel av scanning,file reputation(AMP),data loss prevention
   3. after an attack:file sandboxing(AMP),file retrospection(AMP),cognitive threat analytics
7. Cisco ESA(Secure Email):
8. Cisco Secure IPS(intrusion prevention system):
   1. IDS(intrusion detection system):passively monitor and analyze traffic for potential network intrusion attacks and log attack data for security analysis
   2. IPS:provide IDS function and automatically blocks intrusion attacks
   3. NGIPS(next generation IPS):IPS and below features
      1. real-time contextual awareness
      2. advanced threat protection
      3. intelligent security automation
      4. Unparalled performance and scalability
      5. AVC and URL filtering
9. Cisco Secure Firewall:monitor incoming and outgoing traffic and filter them
   1. NGFW(next generation firewall):firewall and below features
      1. stateful inspection
      2. integrated IPS
      3. application-level inspection
      4. leverage external security intelligence to address evoling security threats
10. Cisco Secure FMC(firewall manage center)
11. Cisco Secure Network Analytics:perform network security analysis and monitoring to automatically detect threats
    1. manager(formerly SMC(stealthwatch management console))
    2. cisco secure network analytics flow collector:collect netflow and IPFIX(ip flow information export)
    3. cisco secure network analytics flow rate license:define the volume of flows that can be collected
12. Cisco Secure Cloud Analytics:
    1. cisco sucure public cloud monitoring(formerly stealthwatch cloud public cloud monitoring):provides visibility and threat detection in AWS,GCP and Azure cloud infrasturcture.It is an SaaS-based solution.
    2. cisco secure network analytics SaaS(formerly stealthwatch cloud private network monitoring):provides visibility and threat detection for on-premises network from a cloud-SaaS solution
13. Cisco ISE(indentity services engine):security policy management platform that provides NAC(network access control) to users and devices across wired,wireless and VPN network.

NAC(network access control)

802.1x

802.1x is a port-based NAC standard that provides an authentication mechanism for LAN and WLAN. has the following components:

• EAP(Extensible authentication protocol):encapsulated transport
• EAP method(EAP type)
  • challenge-based authentication method
    • EAP-MD5:lack of authentication from supplicant to authentication server
  • TLS authentication method
    • EAP-TLS:most sucure but difficult to deploy,both need certificate
  • tunneled(refered as outer) TLS authentication method:
    • EAP-FAST(flexible authentication via secure tunneling):like PEAP but faster,support EAP chain(do not require a radius server certificate???)
      • EAP-chain:combine machine and user authentication into single authentication
    • EAP-TTLS(tunneled TLS):similar to PEAP but support more legacy inner methods
    • PEAP(protected extensible authentication methods):only server needs certificate
  • EAP inner authentication method:tunneled within PEAP,EAP-FAST and(or???) EAP-TTLS
    • EAP-GTC(generic token card)
    • EAP-MSCHAPv2(microsoft handshake authentication protocol v2)
    • EAP TLS:most secure but complex to deploy
• EAP over LAN
• RADIUS protocol

802.1x devices consists of

• supplicant:client
  • must specify the EAP method
• authenticator:A network access device such as switch,AP or WLC
  • do not need to specify the EAP method
• authentication server:usually a RADIUS server
  • must specify the EAP method

MAB(MAC authentication bypass)

port-based access control using MAC address,and it's typically used as fallback mechanism to 802.1x.

1. send an EAPoL per 30 seconds.after 3*30 seconds,fallback to MAB
2. crafts a RADIUS access-request message using the endpoint's MAC address(before fallback to MAB,don't learn mac address)
3. RADIUS server determine access level and response a Access-Accept

mac addresses is easily spoofed,MAB need to use dACLs(downloadable ACLs),dVLAN and SGTs.

web authentication

fallback for 802.1x and MAB.

need user to enter username and password.

1. LWA(Local web authentication):switch or wireless controller redirect web traffic to a locally hosted web portal
   1. guest VLAN and LWA are mutually exclusive
   2. only support ACL assignment
2. CWA(central web authentication) with cisco ISE
   1. supports CoA(change of authentication),dACL and vlan

FlexAuth(Flexvible authentication)

allow multiple authentication methods concurrently.

IBNS2.0(identity-based networking services)

combination of FlexAuth,C3PL(cisco common classification policy language) and ISE.

Cisco trustsec

next-generation access control solution using VLANs and maintaining firewall rules and ACLs with SGTs(security group tag). SGT represent the context of the user,device,use case or function to perform ingress tagging and egress filtering. SGT assignment is deliverd to the authenticator as an authorization option.

3 phases of configuration:

1. ingress classification
   1. dynamic assignment
   2. static assignment
2. propagation
   1. inline tagging:inserts tthe SGT into frame.if device don't support native tagging in hardware,the frame will be dropped.
   2. SXP propagation:SXP is a TCP-based protocol.IP-to-SGT mapping can be communicated between non-inline devices.
3. egress enforcement
   1. SGACL(security ACL)
   2. SGFW(security group firewall)

MACsec

Macsec is defined by 802.1AE, and is a layer2 hop-by-hop encryption method. encrypt egress traffic and decrypt ingress traffic for switches.

key mechanisms:

1. SAP(security association protocol):cisco proprietary
2. MKA(MACsec Key Agreement) protocol:provides the required session keys and manage the required encryption keys.

Uplink MACsec:mean a link between switchs.use SAP by default.dynamic MACsec need 802.1x authentication Downlink MACsec:mean the encryped link between an endpoint and a switch.

aaa(authentication,authenrization and accounting)

• authentication:identify
• authenrization:privileges and restictions
• accounting:track and log use access

use two protocol:

• RADIUS(remote authentication dial-in user service):prefered protocol for secure network access control
  • UDP
  • use EAP(802.1x)
• TACACS+(terminal access controller access-control system plus):more suitble for network device access control
  • TCP:49
  • will separate authentication into terminal with ((TACACS+ client) using telnet or ssh) and ((TACACS+ client with TACACS+ server) using TACACS+) aaa服务器会集中保护交换机和路由器的用户名/密码对,aaa服务器可以是一个或多个服务器组成的服务器,aaa服务器会对启用了802.1x的认证方传来的消息认证,一般交换机充当认证方,终端充当请求方,认证成功交换机就不会过滤这个端口的消息了,认证不成功请求方可以重试.用户请求通过EAPoL传输到交换机,交换机发送RADIUS或TACACS+到aaa服务器.

如果使用aaa,802.1x需要在局域网的所有设备上开启,使用EAP(类似UDP)进行通信.802.1x一般需要在连接终端用户的接口上启用.

aaa配置

!配置模式:

1. aaa new-model

3. (!tacacs-server or radius server)

   1. tacacs server name
      1. address ipv4 {hostname|ip} [auth-port port] [ari port] [acc port]
      2. key key
   2. radius server server-name
      1. address ipv4 {hostname|ip} [auth-port port] [ari port] [acc port]
      2. key key

4. ip {radius|tacacs} source-interface source-interface

5. (!enable ISE)[aaa server {radius|tacacs} dynamic-author]

   1. client ip server-key encryption-level key

6. aaa group server {radius|tacacs+} group-name

   1. server name server-name(!allow multiple servers)

7. aaa authentication login {default|line-name} method method2(!method={group group-name|local|enable})

8. aaa authenrization exec {default|line-name} method method2

9. aaa authenrization console

10. aaa authenrization commands {privilege level} {default|line-name} method method2

11. aaa authenrization config-commands(!enable all authenrization command)

12. aaa accounting exec {default|line-name} {start-stop|stop-only|wait-start} method method2(!login accounting)

13. aaa accounting commands {privilege level} {default|line-name} {start-stop|stop-only|wait-start} method method2

排错

1. 需要使用aaa new-model启用aaa

CoPP(control plane policing)

QoS policy to classify traffic into various types.

configure

• 创建acl识别流量
• 创建分类映射定义流量类别
  1. class-map [match-any|match-all] class-name
  2. match [access-group name acl-name|protocol protocol|ip prec prec|ip dscp dscp]
  3. exit
• 创建策略映射定义服务策略
  1. policy-map policy-name
  2. class class-name
  3. police [cir|rate] conform-action [transmit|drop] exceed-action [transmit|drop] violate-action [transmit|drop]
• 应用于控制平面
  1. control plane
  2. service-policy {input(!received)|output(!generated)} policy-name
  3. end

verify

device hardening

• disable topology discover tools
  • no cdp enable
  • no lldp transmit
  • no lldp receive
• enable keepalives for TCP sessions
  • service tcp-keepalive-in
  • service tcp-keepalive-out
• disable ip redirect services
  • no ip redirects
• disable proxy arp
  • no ip proxy-arp
• disable service configuration
  • no service config
• no mop enabled
• no service pad

SNMP(simple network manage protocol)

SNMP是一种网络管理协议,用于管理网络设备,被管理的网络设备运行SNMP代理,维护自身的MIB数据库,MIB里有自身的变量信息.SNMP使用GET消息获取变量,SET消息修改变量.SNMP代理还可以主动使用Trap或Inform发起通知.Trap使用UDP,不可靠.Inform也使用UDP,但实现了可靠性.

SNMPv2c对于权限的管理使用了团体机制,分为RO(read only)和RW(read write)团体,只有RW团体可以发送SET消息.SNMPv3不使用团体,而使用组,每个组都有自己的安全等级和读写权限,默认都有读权限,写权限需要手动为组添加.组的用户的安全等级需要和组匹配.SNMPv3的通知需要单独为用户设置,通知的安全等级和用户的组应相同.

• SNMP需要使用access list限制来源.
• SNMPv1 by default

配置一般步骤:

1. define the SNMP host or the NMS to send traps to
2. create an acl
3. define read-only
4. define read-write
5. define SNMP location
6. define SNMP contact

配置

SNMPv2c

配置模式:

1. 配置代理
   1. snmp-server community string RO|RW [ipv6 acl-name] [acl-name]
   2. (!可选)snmp-server location location
   3. (!可选)snmp-server contact name
2. 配置通知
   1. snmp-server host {hostname|ip-address} [inform] version 2c notification-community
   2. snmp-server enable traps [config] (!enable all traps)

SNMPv3

1. snmp-server group groupname v3 {noauth|auth|priv} [write v1default] [access [ipv6] aclname]
   • snmp-server user username groupname v3(!noauth的user)
   • snmp-server user username groupname v3 auth md5|sha password(!auth的user)
   • snmp-server user username groupname v3 priv des|3des|aes [128|192|256(!aes才需要)]encryption-key(!priv的user)
2. snmp-server host {hostname|ip-address} [informs|traps(!默认)] version 3 {noauth|auth|priv} username
3. snmp-server enable traps

IP SLA and SPAN

IP SLA

IP SLA是测量和查看各种性能和可用性的指示器.比如定时发出一个ICMP Echo消息,记录是否收到响应可以对网络可达性记录.

SPAN(switched port analyzer)

SPAN就像用于交换机上的wireshark.能将某个或某些接口上收到或发出的数据帧复制输出到某个端口作分析用.

1. SPAN目的端口只能用于同一SPAN会话
2. 目的不能作源
3. 目的端口只会用于SPAN,不能像普通端口一样通信
4. 不可以同时使用接口和vlan作源

• local switched port analyzer
• remote switched port analyzer(RSPAN):layer 2
• encapsulated remote switched port analyzer(ERSPAN):layer 3

命令

1. IP sla
   1. ip sla operation-num
      1. icmp-echo {destination-ip|destination-host-name} [source-ip {ip-address|hostname}]
         1. frequency frequency
      2. 或 http {get|raw} url [name-server ip] [version version] [source-ip {ip|host}] [source-port port] [cache {enable|disable}] [proxy proxy-url]
   2. ip sla schedule operation-num [life {forever|seconds}] [start-time {[bb:mm:ss] [month day|day month]| pending|now|after bb:mm:ss}] [ageout seconds] [recurring]
2. 1. Local SPAN
      • monitor session number source {interface type number [- last-in-range] | vlan vlan-id} [rx|tx|both] (!定义SPAN源端口或vlan,r means received,t means sent)
      • monitor session number destination interface interface-id [encapsulation replicate] (!use encapsulation replicate to dupcicate like BUDUs,CDP,VTP,DTP and so on)
      • monitor session number destination interface interface-id ingress {dot1q vlan vlan-id|untagged vlan vlan-id} (!dot1q require the packets with specified VLAN ID)(!untagged keyword accept incoming packets and associate them to the specified VLAN ID)
   2. RSPAN
      • vlan vlan-num
        • name name
        • remote-span
      • monitor session number source {interface type number [- last-in-range] | vlan vlan-id} [rx|tx|both]
      • monitor session number destination remote vlan vlan-num !or source use remote vlan vlan-num and destination use interface
   3. ERSPAN
      • monitor session span-session-number type erspan-source
        • description string
        • source {interface interface|vlan vlan-id} [,|-|both|rx|tx]
        • filter {ip acl|ipv6 acl}|vlan vlan-ID

      • destination

        • ip address ip
        • erspan-id erspan-id
        • origin ip address address
        • exit

      • exit

      • erspan ttl ttl

      • monitor session span-session-number type erspan-destination

        • destination {interface interface}
        • source
          • ip address ip
          • erspan-id erspan-id

排错

• show ip sla application
• show ip sla configuration
• show monitor erspon-source session
• show ip sla statistics sla-num(!显示统计数据)
• show ip sla history [enhanced] sla-num(!显示历史状态)

aas and 虚拟网络功能和服务

aaS(as a Service,云服务)有五个方面:

1. 按需自助服务
2. 多种网络访问
3. 资源池
4. 快速恢复能力:客户可以快速申请资源
5. 测量的服务 有三种类型:IaaS(架构即服务,比如云服务器),SaaS(软件即服务,比如网盘),PaaS(开发平台即服务,包含开发工具的云服务器??) 访问云服务从网络的角度有五种方式: 互联网云交换是由云服务提供商与客户中间新增一个互联网云交换公司负责云服务的连接

在云服务中,可以使用虚拟的路由器和防火墙,称为VNF. 把应用迁移到云服务时,需要修改DNS,DHCP和NTP

SDN

• 数据平面(data plane):也被称为转发平面,意思是为转发消息所作的工作, 主要是对各种表的查询匹配,是在ASIC芯片上进行的
• 控制平面:对数据平面的控制行为,主要是创建修改各种表
• 管理平面:telnet或ssh之类让网络工程师对设备进行管理的协议 传统的控制平面是分布式的,SDN则是集中式的,管理平面自然也是集中式的.SDN中控制平面被集中到了控制器.控制器有南向接口和北向接口.南向接口负责与数据平面设备通信,北向接口与管理平面或其他程序通信,比如集中式的OSPF.

virtualization

• VM(virtual machine):emulation of a physical server with an operating system.
  • Type 1:hypervisor directly runs on the system hardware(refered as bare metal or native)
  • Type 2:hypervisor requires a host OS.
• container:isolated environment for an application(without the operating system).
• vSwitch(virtual switch):sofware-based Layer 2 switch.cannot share the same pNIC(physical network interface cards).
  • too slow in IO for too many interrupts with an OVS(open vSiwtch)
• NFV(network function virtualization):architectual framework that defines standards to create VNF
• VNF(virtual network function):virtual of software version of an NF

IO technologies

to overcome the performance impact on throughtput due to interrupts:

• OVS-DPDK:receive data from user space bypassing the kernel
  • require one or more CPU dedicated in OVS
• PCI passthrough:bind one pNIC to a single VNF,bypassing the kernel and directly getting to the VNF.
  • entire pNIC with only one VNF
• SR-IOV(Single-root I/O virtualization):enhanced PCI that allow multiple VNFs to share one pNIC.
  • one PF(physical function) map multiple VFs(virtual functions)
  • has two modes:
    • VEB(virtual ethernet switch):VNF attached to the same pNIC is switched by the pNIC
    • VEPA(virtual ethernet port aggregator):VNF attached to the same pNIC is switched by an external switch

ENFV(cisco enterprise NFV)

running required functions as VNFs on x86-based hosts.consists of

• MANO(management and orchestration):DNA provides management and orchestration
  • design,provision,manage and monitor
• VNFs
• NFVIs(network functions vitualization infrastrcture):an operating system that provides vitualization capabilities and facilitates
  • be based on standard linux packaged with additional functions
  • components:
    • linux
    • hypervisor:based on KVM and includes QEMU
    • vswitch:OSV
    • vm lifecycle management
    • plug and play client
    • orchestration
    • HTTPS web server
    • device management
    • RBAC(role-based access control)
• hardware resources

杂项

TCAM(ternary content addressable memory)

• belong to switch
• extension of CAM
• allow for Layer 2/3 source/destination addresses.protocol,QoS marking and so on

traceroute

在 traceroute 命令的输出中，各种标志表示不同的网络错误或状态。以下是常见的标志及其含义：

1. !A - Communication Administratively Prohibited:

   • 表示通信被管理策略禁止。通常由防火墙或路由器的安全策略阻止。

2. !H - Host Unreachable:

   • 目标主机不可达。通常是由于目标主机关闭或网络配置错误引起的。

3. !N - Network Unreachable:

   • 目标网络不可达。通常表示路由器找不到目标网络的路由条目。

4. !P - Protocol Unreachable:

   • 协议不可达。目标主机不支持或没有启用指定的协议。

5. !F - Fragmentation Needed and Don't Fragment was Set:

   • 数据包需要分片，但设置了禁止分片标志。通常是由于数据包太大且中间路由器无法处理导致的。

6. !S - Source Route Failed:

   • 源路由失败。通常表示数据包的源路由选项无效或被中间设备拒绝。

7. !X - Communication Administratively Prohibited:

   • 与 !A 类似，表示通信被管理策略禁止。通常由防火墙或路由器的安全策略阻止。

8. !V - Host Precedence Violation:

   • 主机优先级违规。表示数据包的优先级设置不符合网络的优先级策略。

9. !C - Precedence Cutoff in Effect:

   • 优先级截断生效。表示数据包的优先级被降低，通常由于网络设备配置的优先级策略。

这些标志帮助网络管理员快速诊断网络路径中的问题，并采取相应的措施来解决网络连接问题。了解这些标志的含义有助于更有效地排查网络故障。

BFD

可以更快的检测邻居可达性是否正常.

配置

在router进程中: bfd interface interface 接口中:

• bfd interval 50-999 min_rx 1-999 multiplier 3-50

Automation

1. EEM(Embedded Event Manager):cisco tool

   1. if event then `action'
   2. configuration
      1. event manager applet name
      2. event event
      3. action num cli command command example:

   event manager applet LOOP0
      event syslog pattern "Interface Loopback0.* down" period 1
      action 1.0 cli command "enable"
   

2. agent-based automation tools

   1. puppet
   2. chef
   3. saltstack(agent and server mode)

3. agentless automation tools

   1. ansible
   2. puppet bolt
   3. saltstack ssh(server-only mode)

Ansible pushes the configuration to the client. Chef client pulls the configuration from the server

guestshell

Guestshell is a virtualized Linux-based environment, designed to run custom Linux applications, including Python

configuration

1. iox
2. guestshell enable [VirtualPortGroup port-number guest-ip ip-address gateway gateway-ip netmask netmask [name-server ip-address]]

use

1. guest run command

uRPF

限制和消除ip欺骗包.基于cef.

• 严格:查看ip数据包源ip地址与路由表中到达该地址的接口,是否和接受该数据包的接口相同.且不是默认路由.
• 松散:查看路由表是否有到达源ip地址的接口
• vrf:vrf中的松散模式. ip verify unicast source reachable-via {rx|any} [allow-default] [allow-self-ping] [acl]

通常在包含终端的子网中使用严格模式,在上行链路使用松散模式.

dev

flowchart TB
applications<--northbound API-->controller
controller<--southbound API-->a["data plane"]

Southbound API is based on NETCONF and XML,Northbound API is RESTful using JSON

data model

YANG

YANG is a standard for data definition language using data models.Data models are used to describe whatever can be configured on a device.

NETCONF

SNMP can't distinguish between configuration data and operational data,but NETCONF can.

• get
• get-config
• edit-config
• copy-config
• delete-config

RESTCONF

use YANG and NETCONF to provide RESTful api. Allow: DELETE, GET, HEAD, PATCH, POST, PUT, OPTIONS

• GET
• POST
• PUT
• DELETE
• OPTIONS