Showing posts with label Cisco IOS.

Wednesday, January 21, 2009

NetFlow Reliable Export With SCTP - Cisco Systems
Cisco IOS NetFlow Advanced Configuration Guides

NetFlow Reliable Export With SCTP (pdf)

Configuring a Virtual Tunnel Interface with IP Security - Cisco Systems
This document provides a sample configuration for a virtual tunnel interface (VTI) with IP Security (IPSec). This configuration uses RIP version 2 routing protocol to propagate routes across the VTI. With a VTI, VPN traffic is forwarded to the IPSec virtual tunnel for encryption and then sent out of the physical interface. This sample configuration also demonstrates the use of Cisco Quality of Service with VTIs.

Cisco IOS IPsec High Availability - Cisco Systems
The Cisco IOS® IPsec High Availability (IPsec HA) Enhancements feature provides an infrastructure for reliable and secure networks to provide transparent availability of the VPN gateways---that is, Cisco IOS Software-based routers. This feature works well for all IP Security (IPsec)-based networks. In an Enterprise-Class Teleworker (ECT) solution, which encompasses a Dynamic Multipoint VPN (DMVPN) architecture for data gateway infrastructure and plain IPsec for management gateway infrastructure, IPsec HA can be used to provide redundancy---that is, stateful failover and rollback of the gateways to provide uninterrupted management connectivity to the spokes. For more details about ECT deployment, please refer to the link given in the references section.

Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM - Cisco Systems
This document provides a sample configuration for configuring a Dynamic Multipoint VPN spoke router into a full mesh Dynamic Multipoint VPN (DMVPN). DMVPN allows users to scale large and small IPsec VPNs more effectively by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Security Device Manager (SDM) is an embedded security configuration management tool used to configure Cisco IOS Software routers with a variety of security features. This sample configuration relies on SDM version 1.2, which supports hub-and-spoke DMVPN configurations, and shows how to configure dynamic spoke-to-spoke tunnels.

Cisco IOS IPsec Accounting with Cisco IOS NetFlow - Cisco Systems
Cisco IOS NetFlow is the primary denial of service (DoS) identification, accounting, and analysis technology for IP networks at Cisco and in the networking industry. Cisco IOS NetFlow provides valuable information about network users, applications usage, timing, and traffic direction on the network. Cisco is a leader in IP traffic flow technology and invented Cisco IOS NetFlow.
Cisco IOS IPsec provides security for transmission of sensitive information over unprotected networks (i.e., the Internet). IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices ("peers"), such as Cisco routers.
This document will discuss how Cisco IOS NetFlow can be leveraged to provide accounting information in an IPsec tunneling network topology.

Stateful Failover for IPSec - Cisco Systems
Stateful failover for IP Security (IPSec) enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPSec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of Internet Key Exchange (IKE) and IPSec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPSec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.

Sunday, July 27, 2008

Dynamic Multipoint VPN (DMVPN) - PacketLife.net

IPsec quick and dirty - Virtual Tunnel Interfaces (VTIs) - PacketLife.net

IPsec quick and dirty - PacketLife.net
More information on configuring IPsec across Virtual Tunnel Interfaces (VTIs) is available in the IOS documentation.

Cisco Systems: An Introduction to IGRP

An Introduction to IGRP [IP Routing] - Cisco Systems

Introduction
In general, load balancing is the capability of a router to distribute traffic over all the router network ports that are the same distance from the destination address. Load balancing increases the utilization of network segments, and so increases effective network bandwidth. There are two types of load balancing:
  • Equal cost path
  • Unequal cost path

This document explains how unequal cost path load balancing works in Enhanced Interior Gateway Routing Protocol (EIGRP).

Goals for IGRP
The IGRP protocol allows a number of gateways to coordinate their routing. Its goals are the following:
  • Stable routing even in very large or complex networks. No routing loops should occur, even as transients.
  • Fast response to changes in network topology.
  • Low overhead. That is, IGRP itself should not use more bandwidth than what is actually needed for its task.
  • Splitting traffic among several parallel routes when they are of roughly equal desirability.
  • Taking into account error rates and level of traffic on different paths.

The current implementation of IGRP handles routing for TCP/IP.
However, the basic design is intended to be able to handle a variety of protocols.

Cisco Systems: EIGRP - Enhanced Interior Gateway Routing Protocol

Enhanced Interior Gateway Routing Protocol (EIGRP) - Cisco Systems

How Does Unequal Cost Path Load Balancing (Variance) Work in IGRP and EIGRP? - Cisco Systems

Introduction
In general, load balancing is the capability of a router to distribute traffic over all the router network ports that are the same distance from the destination address. Load balancing increases the utilization of network segments, and so increases effective network bandwidth. There are two types of load balancing:
  • Equal cost path
  • Unequal cost path
This document explains how unequal cost path load balancing works in Enhanced Interior Gateway Routing Protocol (EIGRP).

Cisco Systems: IGRP Metric

IGRP Metric [IP Routing] - Cisco Systems
Interior Gateway Routing Protocol (IGRP) adds together weighted values of different characteristics of the link to the network in question in order to calculate a metric. The link characteristics from which IGRP calculates a composite metric are bandwidth, delay, load, reliability, and maximum transmission unit (MTU). By default, IGRP chooses a route based on bandwidth and delay.

Network Diagram
[Figure: network diagram for the scenario described here (image 3_01.gif, not included)]
Here is the formula used to calculate the composite metric for IGRP:
Metric = [K1 * Bandwidth + (K2 * Bandwidth)/(256-load) + K3*Delay] * [K5/(reliability + K4)]
The default constant values are K1 = K3 = 1 and K2 = K4 = K5 = 0.
If K5 = 0, the [K5/(reliability + K4)] term is not used. So, given the default values for K1 through K5, the composite metric calculation used by IGRP reduces to Metric = Bandwidth + Delay.
The K values in these formulas are constants that you can define with the router configuration command metric weights tos k1 k2 k3 k4 k5.
Note: Cisco strongly suggests that you do not change the default K parameters.
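A worked calculation of the composite metric defined above, added here as an example (it is not part of the Cisco document). The function applies the formula exactly as the text gives it, including the rule that the [K5/(reliability + K4)] term is skipped when K5 = 0, and rejects load or reliability values outside the 1..255 range IOS reports. The two scaling helpers are an assumption the page does not state: IGRP uses 10^7 divided by the lowest link bandwidth in kbps as the bandwidth term, and the sum of interface delays in tens of microseconds as the delay term. The T1 figures (1544 kbps, 20000 microseconds) are a constructed sample path.

```python
# Added example (not from the Cisco document): IGRP composite metric with
# configurable K values, following the formula and the K5 rule given in the text.

from typing import Sequence


def igrp_metric(bandwidth: int, delay: int, load: int = 1, reliability: int = 255,
                k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0) -> float:
    """Composite metric.

    bandwidth and delay are the already-scaled IGRP terms (see the helpers below);
    load and reliability are the 1..255 fractions IOS shows in 'show interfaces'.
    """
    if not 1 <= load <= 255:
        raise ValueError("load must be in 1..255 (IOS reports it as n/255)")
    if not 1 <= reliability <= 255:
        raise ValueError("reliability must be in 1..255 (IOS reports it as n/255)")
    # First bracket: K1 * Bandwidth + (K2 * Bandwidth)/(256 - load) + K3 * Delay
    metric = k1 * bandwidth + (k2 * bandwidth) / (256 - load) + k3 * delay
    # Second bracket, [K5/(reliability + K4)], is only applied when K5 != 0.
    if k5 != 0:
        metric *= k5 / (reliability + k4)
    return metric


def scaled_bandwidth(min_bandwidth_kbps: int) -> int:
    """IGRP bandwidth term: 10^7 divided by the lowest bandwidth (kbps) on the path.
    Assumption: this is the scaling IOS applies; the page itself does not state it."""
    return 10_000_000 // min_bandwidth_kbps


def scaled_delay(delays_usec: Sequence[int]) -> int:
    """IGRP delay term: sum of per-hop interface delays, in tens of microseconds
    (same assumption as above)."""
    return sum(delays_usec) // 10


def default_metric(min_bandwidth_kbps: int, delays_usec: Sequence[int]) -> float:
    """With the default K values the metric reduces to Bandwidth + Delay."""
    return igrp_metric(scaled_bandwidth(min_bandwidth_kbps), scaled_delay(delays_usec))


if __name__ == "__main__":
    # Constructed sample path: a single T1 hop (1544 kbps, 20000 usec delay).
    bw = scaled_bandwidth(1544)
    dly = scaled_delay([20000])
    print(bw, dly, igrp_metric(bw, dly))          # 6476 2000 8476.0
    # Same path with K2 enabled at 50% load: the load term now contributes.
    print(igrp_metric(bw, dly, load=128, k2=1))   # 8526.59375
```

Keeping K2 at its default of zero means the metric is static for a given path; enabling K2 or K5 makes the metric move with measured load or reliability, which is one reason the note above advises leaving the defaults alone.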

Routing Protocols Overview - Network Ninja

BSCI Design Foundation - Routing Protocols at Network Ninja
Routing protocols employ one of two basic strategies to communicate and propagate routing information:
Distance vector routing protocols work by passing copies of their routing tables to their neighbours (a.k.a. routing by rumour).
Link state routing protocols work by advertising a list of their neighbours and the state of their attached networks to their neighbours until all routers have a copy of all the lists; the routers then run the Shortest Path First algorithm to analyse all paths and determine the best ones.

Distance vector routing is less processor and memory intensive than link state routing, but can have loops because routing decisions are made on incomplete information. Link state routing is loop-proof because routers know all possible routes, but link state routing requires more CPU time and memory.

Classless and Classful Routing
An important characteristic of routing protocols is how they advertise their routes. Older routing protocols (RIP and IGRP) assumed the subnet mask was the same as that of the receiving interface, or that it was the default for the address class (Class A is /8, Class B is /16 and Class C is /24). This is called classful because the assumption is based on the class of the IP address.

Modern routing protocols (OSPF, IS-IS, and EIGRP) explicitly advertise the mask. No assumption is made with regard to the mask; it is clearly indicated. This is called classless.

Variable Length Subnet Masks (VLSM) refer to the property of a network that allows different subnet masks to be mixed throughout the network. Classless Interdomain Routing (CIDR) is a property of a network that allows classful networks to be aggregated. Classless routing protocols support VLSM and CIDR.

Interior and Exterior Gateway Protocols
Most protocols are “Interior Gateway”, meaning that they are designed to be run inside a network.

BGP, on the other hand, is an exterior gateway protocol (EGP) and is used for routing between autonomous systems (AS) on the Internet. As BGP is the only EGP, you will have to consider using it if you connect your network to the Internet.

Convergence Times
A distinguishing characteristic of routing protocols is their convergence time. These are generally classed as either slow or fast.

Fast convergence would mean that the routing protocol is able to recognize a problem on the network and fix that problem faster than a user can call to report the problem.

Slow protocols, such as RIP and IGRP, can take up to minutes to converge. Fast protocols (OSPF, IS-IS, EIGRP) generally take less than 10 seconds to converge.

Proprietary and Open Standard Protocols
The important aspects to look for in routing protocols are speed and whether they are classless (OSPF, IS-IS, and EIGRP). While OSPF and IS-IS are open standards (they play well with other vendors), EIGRP is Cisco proprietary (Cisco only). Of the three protocols, EIGRP is the easiest to configure, but it requires a pure Cisco environment to run.


In Summation
Older routing protocols (RIP, RIPv2 and IGRP) are slow because they send a full copy of their information periodically; these periodic transmissions act as both routing advertisement and keepalive message. In addition to being slow, they consume a lot of bandwidth relative to their function (RIP every 30 seconds).

More modern routing protocols are faster because they separate the routing advertisements and the keepalive messages. Updates are only sent out when new networks need to be advertised or old networks need to be withdrawn; otherwise routers just need to verify that neighbours are still alive (EIGRP every 5 seconds).

RIP and IGRP
These are older distance vector routing protocols that are slow and classful. Some legacy systems (UNIX) expect to learn their default gateway by eavesdropping on RIP advertisements. If you deploy RIP, use RIPv2, which is classless.

EIGRP
A modern distance vector routing protocol. It is classless and fast as well as being easy to configure and maintain. Some organizations refuse to implement proprietary standards though (EIGRP provides equivalent performance to OSPF but is easier to implement and maintain).

OSPF
OSPF is a modern classless and fast link-state routing protocol. OSPF has a steep learning curve and uses more processor time and memory than EIGRP. This is the open standard if an organization supports a heterogeneous mixture of routers or has a philosophical problem with proprietary standards.

IS-IS
This routing protocol was developed to compete with OSPF, and the two are more similar than they are dissimilar. It is moderately difficult to find anyone who has experience working with IS-IS, even though it is open, fast, and classless. There is still some interest in IS-IS, however, because it can be adapted to support MPLS and IPv6.

BGP
BGP is a routing protocol used between autonomous systems on the Internet, and you will have to use it to connect your network to the Internet.

Monday, July 21, 2008

EBGP load sharing - Unequal cost loadsharing - nil.com

EBGP load sharing - Unequal cost loadsharing - wiki.nil.com

EBGP load balancing was introduced with the BGP 4 Multipath Support feature. Initially, EBGP supported a maximum of six paths; IOS release 12.3T and later support up to 16.
When the EBGP load balancing is enabled with the maximum-paths number router configuration command, the router with multiple EBGP sessions selects a single EBGP path as the best path (following the BGP best path selection algorithm). The selected path is marked as best in the BGP table. BGP might also select additional equivalent paths for multipath load sharing; all paths used for BGP load sharing are marked with multipath.
The BGP attributes Local Preference, Multi-Exit Discriminator, Origin and AS-Path of the selected multipath routes have to be identical to the best path. The AS-path of all multipath routes has to be an exact match of the AS-path of the best path. This requirement can be relaxed with the bgp bestpath as-path multipath-relax router configuration command, resulting in EBGP load balancing across multiple autonomous systems.
BGP performs equal-cost load balancing between all multipath routes, unless bgp dmzlink-bw is configured within the BGP routing process and the dmzlink-bw option is configured on the EBGP neighbors.

Sunday, July 20, 2008

Next-hop fixup in partially-meshed NBMA networks - nil.com

Next-hop fixup in partially-meshed NBMA networks
If the network design requires a partially meshed NBMA network in a single IP subnet, extra configuration steps, depending on the routing protocol used in the network, have to be taken to ensure that the edge routers with partial connectivity can forward traffic according to the entries in the IP routing table.
Note: Switched WAN technologies (Frame Relay, ATM or X.25) are the most common examples of NBMA networks. You might also encounter the same limitations in private VLAN environments.

Advanced Route Redistribution Scenario - CCIE Blog

Advanced Route Redistribution Scenario (IEWB-RS v4.1 Vol II Lab 2 Task 4.11) - CCIE Blog

PVST+ Explained - CCIE Blog

A Curious NAT Scenario - CCIE Blog