Chapter 3 Branch Connections1.pdf
8/4/2024 Connecting Networks v6.0 Chapter 3 Branch Connections H.Swaih

Chapter 3 - Sections & Objectives

3.1 Remote Access Connections
Select broadband remote access technologies to support business requirements.
– Compare remote access broadband connection options for small to medium-sized businesses.
– Select an appropriate broadband connection for a given network requirement.

3.2 PPPoE
Configure a Cisco router with PPPoE.
– Explain how PPPoE operates.
– Implement a basic PPPoE connection on a client router.

3.3 VPNs
Explain how VPNs secure site-to-site and remote access connectivity.
– Describe the benefits of VPN technology.
– Describe site-to-site and remote access VPNs.

3.4 GRE
Implement a GRE tunnel.
– Explain the purpose and benefits of GRE tunnels.
– Troubleshoot a site-to-site GRE tunnel.

3.5 eBGP
Implement eBGP in a single-homed remote access network.
– Describe basic BGP features.
– Explain BGP design considerations.
– Configure an eBGP branch connection.

Introduction to Home/SOHO Remote Access Connections

Cable System
Uses a coaxial cable that carries radio frequency (RF) signals across the network, providing:
– High-speed Internet access
– Digital cable television
– Residential telephone service
Uses hybrid fiber-coaxial (HFC) networks to enable high-speed transmission of data.
– A web of fiber trunk cables connects the headend (or hub) to the nodes where optical-to-RF signal conversion takes place.

Cable System
The following describes the components shown in the figure:
Antenna site: The location of an antenna site is chosen for optimum reception of over-the-air, satellite, and sometimes point-to-point signals.
Transportation network: A transportation network links a remote antenna site to a headend, or a remote headend to the distribution network. The transportation network can be microwave, coaxial, or fiber optic.
Headend: This is where signals are first received, processed, formatted, and then distributed downstream to the cable network. The headend facility is usually unmanned, under security fencing, and is similar to a telephone company central office (CO).
Amplifier: This is a device that regenerates an incoming signal so that it can extend further through the network. Cable networks use various types of amplifiers in their transportation and distribution networks.
Subscriber drop: A subscriber drop connects the subscriber to the cable services.

Cable Components
Two types of equipment are required to send signals upstream and downstream on a cable system:
– Cable Modem Termination System (CMTS): the CMTS usually resides at the headend. It modulates and demodulates the signal to and from the cable modem (CM).
– Cable Modem (CM) on the subscriber end: a cable modem enables you to receive data at high speeds. Typically, the cable modem attaches to a standard Ethernet card in the computer.

What is DSL?
Many years ago, research by Bell Labs identified that a typical voice conversation over a local loop only required a bandwidth of 300 Hz to 3 kHz. This was enough of a frequency range for normal voice conversation, low to high.

What is DSL?
Digital Subscriber Line (DSL) is a means of providing high-speed connections over installed copper wires.
– Asymmetric DSL (ADSL) provides higher downstream bandwidth to the user than upload bandwidth.
The figure shows a representation of bandwidth space allocation on a copper wire for ADSL. POTS (Plain Old Telephone System) identifies the frequency range used by the voice-grade telephone service. The area labeled ADSL represents the frequency space used by the upstream and downstream DSL signals.
ADSL utilizes a specific frequency range above the traditional voice band, typically from 26 kHz up to 1.1 MHz. For satisfactory ADSL service, the local loop length must be less than 3.39 miles (5.46 km).
– Symmetric DSL (SDSL) provides the same capacity in both directions.

DSL Connections
Service providers deploy DSL connections in the last step of a local telephone network, the local loop. The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM).
Key components in the DSL connection:
– Transceiver: usually a modem in a router, which connects the computer of the teleworker to the DSL.
– DSLAM: the device located at (or near) the central office (CO) of the provider; it concentrates connections from multiple DSL subscribers.

DSL Connections
A DSL micro filter (also known as a DSL filter) is required to connect devices such as phones or fax machines on the DSL network.
The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance unless the DSLAM's connection to the ISP, or the Internet itself, becomes saturated.

Wireless Connection
Municipal Wireless Network
Three main broadband wireless technologies:
– Municipal Wi-Fi: most municipal wireless networks use a mesh of interconnected access points.
– Many municipal governments, often working with service providers, are deploying wireless networks. Some of these networks provide high-speed Internet access at no cost or for substantially less than the price of other broadband services. Other cities reserve their Wi-Fi networks for official use, providing police, firefighters, and city workers remote access to the Internet and municipal networks.

Wireless Connection
– Cellular/mobile: mobile phones use radio waves to communicate through nearby cell towers.
– Three common terms are used when discussing cellular/mobile networks:
  Wireless Internet: A general term for Internet services from a mobile phone or from any device that uses the same technology.
  2G/3G/4G wireless: Major changes to the mobile phone companies' wireless networks through the evolution of the second, third, and fourth generations of wireless mobile technologies.
  Long-Term Evolution (LTE): A newer and faster technology considered to be part of 4G technology.
– LTE Category 10 supports up to 450 Mb/s download and 100 Mb/s upload.

Wireless Connection
Satellite Internet: used in locations where land-based Internet access is not available.
– The primary installation requirement is for the antenna to have a clear view toward the equator.
Note: WiMAX has largely been replaced by LTE for mobile access, and by cable or DSL for fixed access.

Comparing Broadband Solutions
Factors to consider in selecting a broadband solution:
– Cable: bandwidth is shared by many users; data rates are slow during high-usage hours.
– DSL: limited bandwidth that is distance sensitive (in relation to the ISP's central office).
– Fiber-to-the-Home: requires fiber installation directly to the home.
– Cellular/Mobile: coverage is often an issue.
– Wi-Fi Mesh: most municipalities do not have a mesh network deployed.
– Satellite: expensive, with limited capacity per subscriber.

Introduction to PPPoE and Configuring PPPoE

PPPoE Overview
PPPoE Motivation: PPP Frames Over an Ethernet Connection
PPP is commonly used on serial links. ISPs often use PPP as the data link protocol over many broadband DSL connections for two reasons:
1. ISPs can use PPP to remotely assign each customer one public IPv4 address.
   o This means that each customer's device or router connected to the broadband service is allocated a unique, routable public IPv4 address.
2. CHAP authentication (CHAP can be used to check customer account records).
Ethernet links do not natively support PPP.
– PPP over Ethernet (PPPoE) provides a solution to this problem.

PPPoE Concepts
PPPoE creates a PPP tunnel over an Ethernet connection.
– The modem strips off the Ethernet frame.
– This allows PPP frames to be sent across the Ethernet cable to the ISP from the customer's router.

Implement PPPoE
PPPoE Configuration
1. To create the PPP tunnel, a dialer interface is configured with the interface dialer number command. A dialer interface is a virtual interface. The PPP configuration is placed on the dialer interface, not the physical interface.

Implement PPPoE
PPPoE Configuration
2. The PPP CHAP is then configured:
   ppp chap hostname name
   ppp chap password password
The PPP CHAP configuration usually defines one-way authentication; therefore, the ISP authenticates the customer. The hostname and password configured on the customer router must match the hostname and password configured on the ISP router.

Implement PPPoE
PPPoE Configuration
The physical Ethernet interface that connects to the DSL modem is then enabled with the pppoe enable interface configuration command. This command enables PPPoE and links the physical interface to the dialer interface.
The dialer interface is linked to the Ethernet interface with the dialer pool number and pppoe-client dial-pool-number number interface configuration commands, using the same number. The dialer interface number does not have to match the dialer pool number.
The purpose of assigning an interface to a dialer pool is to enable the router to efficiently manage and share dial-up connections among multiple interfaces (e.g., serial, ISDN…).
When an interface is assigned to a dialer pool, it can use any available dial-up connection within that pool to establish a connection.

Implement PPPoE
PPPoE Configuration
The physical Ethernet interface connected to the DSL modem is enabled with the interface command:
   pppoe enable

Implement PPPoE
PPPoE Configuration
3. The dialer interface is linked to the Ethernet interface with the commands:
   dialer pool
   pppoe-client

Implement PPPoE
PPPoE Configuration
4. The MTU should be set to 1492 to accommodate the PPPoE headers.
Avoiding fragmentation: the standard Ethernet MTU is 1500 bytes, but with the additional 8 bytes of PPPoE overhead, the total frame size would exceed 1500 bytes.

Implement PPPoE
PPPoE Verification
Verify the Dialer Interface is Up
[Figure: customer router R1 (G0/1) connected to ISP router R2 (G0/1) over 10.1.3.0/24; R1 is .1 and R2 is .2]
   R1# show ip interface brief
   Interface                  IP-Address      OK? Method Status                Protocol
   Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
   GigabitEthernet0/0         unassigned      YES unset  administratively down down
   GigabitEthernet0/1         unassigned      YES unset  up                    up
   Serial0/0/0                unassigned      YES unset  administratively down down
   Serial0/0/1                unassigned      YES unset  administratively down down
   Dialer2                    10.1.3.1        YES IPCP   up                    up
   Virtual-Access1            unassigned      YES unset  up                    up
   Virtual-Access2            unassigned      YES unset  up                    up
   R1#
show ip interface brief: verifies the IPv4 address automatically assigned to the dialer interface.

Implement PPPoE
PPPoE Verification
Verify the MTU Size and Encapsulation
   R1# show interface dialer 2
   Dialer2 is up, line protocol is up (spoofing)
     Hardware is Unknown
     Internet address is 10.1.3.1/32
     MTU 1492 bytes, BW 56 Kbit/sec, DLY 20000 usec,
        reliability 255/255, txload 1/255, rxload 1/255
     Encapsulation PPP, LCP Closed, loopback not set
     Keepalive set (10 sec)
     DTR is pulsed for 1 seconds on reset
show interface dialer: verifies the MTU and PPP encapsulation.
Implement PPPoE
PPPoE Verification
Verify the R1 Routing Table
   R1# show ip route
   Gateway of last resort is 0.0.0.0 to network 0.0.0.0
   S*    0.0.0.0/0 is directly connected, Dialer2
         10.0.0.0/32 is subnetted, 2 subnets
   C        10.1.3.1 is directly connected, Dialer2
   C        10.1.3.2 is directly connected, Dialer2
   R1#
Two /32 host routes for 10.0.0.0 have been installed in R1's routing table. The first host route is for the address assigned to the dialer interface. The second host route is the IPv4 address of the ISP. The installation of these two host routes is the default behavior for PPPoE.

Implement PPPoE
PPPoE Verification
View Current PPPoE Sessions
   R1# show pppoe session
        1 client session

   Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
              SID  LocMAC                                      VA-st      Type
       N/A      1  30f7.0da3.1641  Gi0/1                  Di2  Vi2        UP
                   30f7.0da3.0da1                               UP
   R1#
show pppoe session: displays information about currently active PPPoE sessions. The output displays the local and remote Ethernet MAC addresses of both routers.

Modifying the TCP Maximum Segment Size for PPPoE

Implement PPPoE
PPPoE MTU Size
   1500 bytes Ethernet MTU
   - 20 bytes IPv4 header
   - 20 bytes TCP header
   -----------------------------
   1460 bytes Payload (TCP MSS)
TCP MSS = 1460
Accessing some web pages might be a problem with PPPoE. When the client requests a web page, a TCP three-way handshake occurs between the client and the web server. During the negotiation, the client specifies the value of its TCP maximum segment size (MSS). The TCP MSS is the maximum size of the data portion in the TCP segment.
Implement PPPoE
PPPoE MTU Size
   1500 bytes Ethernet MTU             1500 bytes Ethernet MTU
   - 20 bytes IPv4 header              -  8 bytes PPPoE header
   - 20 bytes TCP header               - 20 bytes IPv4 header
   -------------------------           - 20 bytes TCP header
   1460 bytes Payload (TCP MSS)        ------------------------
                                       1452 bytes Payload (TCP MSS)
PPPoE supports an MTU of only 1492 bytes in order to accommodate the additional 8-byte PPPoE header. TCP MSS = 1452. This means the TCP MSS (Maximum Segment Size) needs to be reduced by 8 bytes, from 1460 bytes to 1452 bytes.

Implement PPPoE
PPPoE MTU Size
Verify the MTU Size on the Dialer Interface
[Figure: customer router R1 (G0/1) connected to ISP router R2 (G0/1) over 10.1.3.0/24; R1 is .1 and R2 is .2; G0/0 is R1's LAN interface]
   R1# show running-config | section interface Dialer2
   interface Dialer2
    mtu 1492
    ip address negotiated
    encapsulation ppp
   R1# config t
   R1(config)# interface g0/0
   R1(config-if)# ip tcp adjust-mss 1452
Use the show running-config command to verify the PPPoE MTU. The ip tcp adjust-mss max-segment-size interface command prevents TCP sessions from being dropped by adjusting the MSS value during the TCP 3-way handshake.
Troubleshooting PPPoE

Implement PPPoE
PPPoE Troubleshooting
The following are possible causes of problems with PPPoE:
– Failure in the PPP negotiation process
– Failure in the PPP authentication process
– Failure to adjust the TCP maximum segment size

Implement PPPoE
PPPoE Negotiation
Examining the PPP Negotiation Process
   R1# debug ppp negotiation
   *Sep 20 19:05:05.239: Vi2 PPP: Phase is AUTHENTICATING, by the peer
   *Sep 20 19:05:05.239: Vi2 LCP: State is Open
   *Sep 20 19:05:05.247: Vi2 CHAP: Using hostname from interface CHAP
   *Sep 20 19:05:05.247: Vi2 CHAP: Using password from interface CHAP
   *Sep 20 19:05:05.247: Vi2 CHAP: O RESPONSE id 1 len 26 from "Fred"
   *Sep 20 19:05:05.255: Vi2 CHAP: I SUCCESS id 1 len 4
   *Sep 20 19:05:05.259: Vi2 IPCP: Address 10.1.3.2 (0x03060A010302)
   *Sep 20 19:05:05.259: Vi2 IPCP: Event[Receive ConfAck] State[ACKsent to Open]
   *Sep 20 19:05:05.271: Vi2 IPCP: State is Open
   *Sep 20 19:05:05.271: Di2 IPCP: Install negotiated IP interface address 10.1.3.2
   *Sep 20 19:05:05.271: Di2 Added to neighbor route AVL tree: topoid 0, address 10.1.3.2
   *Sep 20 19:05:05.271: Di2 IPCP: Install route to 10.1.3.2
   R1# undebug all
Use the debug ppp negotiation command to verify PPP negotiation.
Four possible points of failure in PPP negotiation:
– No response from the remote device.
– Link Control Protocol (LCP) not open.
– Authentication failure.
– IP Control Protocol (IPCP) failure.
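The four failure points above can be told apart mechanically from the debug ppp negotiation transcript. The following added Python example (not from the course) parses each debug line into interface, protocol and message, then classifies a transcript as no response, LCP not open, authentication failure, IPCP failure, or success. The sample transcripts are constructed: the first two reuse the shape of the course's own output, the other two are invented to exercise the remaining cases.

```python
import re

# Constructed transcripts in the shape of the course's `debug ppp negotiation` output.
SUCCESS_LOG = """\
*Sep 20 19:05:05.239: Vi2 PPP: Phase is AUTHENTICATING, by the peer
*Sep 20 19:05:05.239: Vi2 LCP: State is Open
*Sep 20 19:05:05.247: Vi2 CHAP: O RESPONSE id 1 len 26 from "Fred"
*Sep 20 19:05:05.255: Vi2 CHAP: I SUCCESS id 1 len 4
*Sep 20 19:05:05.259: Vi2 IPCP: Address 10.1.3.2 (0x03060A010302)
*Sep 20 19:05:05.271: Vi2 IPCP: State is Open
*Sep 20 19:05:05.271: Di2 IPCP: Install negotiated IP interface address 10.1.3.2
"""

AUTH_FAILURE_LOG = """\
*Sep 20 19:05:05.239: Vi2 LCP: State is Open
*Sep 20 19:05:05.247: Vi2 CHAP: O RESPONSE id 1 len 26 from "Fred"
*Sep 20 19:05:05.247: Vi2 CHAP: I FAILURE id 1 Len 26 MSG is "Authentication failure"
"""

# Constructed: only outgoing configure-requests, nothing ever comes back from the peer.
NO_RESPONSE_LOG = """\
*Sep 20 19:05:05.239: Vi2 LCP: O CONFREQ [Closed] id 1 len 10
*Sep 20 19:05:07.239: Vi2 LCP: O CONFREQ [REQsent] id 2 len 10
"""

# Constructed: the peer answers but keeps rejecting the LCP options, so LCP never opens.
LCP_STUCK_LOG = """\
*Sep 20 19:05:05.239: Vi2 LCP: O CONFREQ [Closed] id 1 len 10
*Sep 20 19:05:05.243: Vi2 LCP: I CONFNAK [REQsent] id 1 len 10
"""

# "*Sep 20 19:05:05.239: Vi2 CHAP: I SUCCESS id 1 len 4" -> ("Vi2", "CHAP", "I SUCCESS id 1 len 4")
EVENT = re.compile(r"^\*\w+ \d+ [\d:.]+: (\S+) (\w+): (.*)$")


def parse(log):
    """Return (interface, protocol, message) tuples for each recognised line."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            events.append(m.groups())
    return events


def diagnose(log):
    """Map a transcript to one of the four failure points, or 'ok'.
    Checks run in negotiation order: LCP must open before authentication,
    which must succeed before IPCP can open."""
    events = parse(log)
    # "I ..." messages are inbound; with none at all the remote device never answered.
    if not events or not any(msg.startswith("I ") for _, _, msg in events):
        return "no-response"
    if not any(p == "LCP" and msg == "State is Open" for _, p, msg in events):
        return "lcp-not-open"
    if any(p in ("CHAP", "PAP") and msg.startswith("I FAILURE") for _, p, msg in events):
        return "auth-failure"
    if not any(p == "IPCP" and msg == "State is Open" for _, p, msg in events):
        return "ipcp-failure"
    return "ok"


def negotiated_address(log):
    """The IPv4 address IPCP installed on the dialer interface, if negotiation succeeded."""
    for _, proto, msg in parse(log):
        if proto == "IPCP" and msg.startswith("Install negotiated IP interface address"):
            return msg.rsplit(" ", 1)[1]
    return None


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("auth", AUTH_FAILURE_LOG),
                      ("silent", NO_RESPONSE_LOG), ("lcp", LCP_STUCK_LOG)):
        print(name, diagnose(log), negotiated_address(log))
```

The ordering matters: an "I FAILURE" line can only be trusted as the root cause once LCP has reached Open, so the classifier reports the earliest stage that did not complete.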
Implement PPPoE
PPPoE Authentication
Verify the CHAP Configuration
   R1# show running-config | section interface Dialer2
   interface Dialer2
    mtu 1492
    ip address negotiated
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname Fred
    ppp chap password 0 Barney
   R1#

Implement PPPoE
PPPoE Authentication
Verify the CHAP Username
The CHAP lines of the debug ppp negotiation output shown under PPPoE Negotiation:
   R1# debug ppp negotiation
   *Sep 20 19:05:05.247: Vi2 CHAP: Using hostname from interface CHAP
   *Sep 20 19:05:05.247: Vi2 CHAP: Using password from interface CHAP
   *Sep 20 19:05:05.247: Vi2 CHAP: O RESPONSE id 1 len 26 from "Fred"
   *Sep 20 19:05:05.255: Vi2 CHAP: I SUCCESS id 1 len 4
   R1# undebug all
Verify that the CHAP username and password are correct using the debug ppp negotiation command.

Implement PPPoE
PPPoE Authentication
Authentication Failure Message
If the CHAP username or password were incorrect, the output from the debug ppp negotiation command would show an authentication failure message such as the following:
   R1#
   *Sep 20 19:05:05.247: Vi2 CHAP: I FAILURE id 1 Len 26 MSG is "Authentication failure"
   R1#

Introduction to VPNs

Fundamentals of VPNs
Introducing VPNs
ESP (Encapsulating Security Payload) is a header used in VPNs.
A VPN is a private network created via tunneling over a public network, usually the Internet.
A secure implementation of VPN with encryption, such as IPsec VPNs, is what is usually meant by virtual private networking.
To implement VPNs, a VPN gateway is necessary; it could be a router, a firewall, or a Cisco Adaptive Security Appliance (ASA).

Fundamentals of VPNs
Benefits of VPNs
The benefits of a VPN include the following:
– Cost savings: VPNs enable organizations to use cost-effective, high-bandwidth technologies, such as DSL, to connect remote offices and remote users to the main site.
– Scalability: organizations are able to add large amounts of capacity without adding significant infrastructure.
– Compatibility with broadband technology: VPNs allow mobile workers and telecommuters to take advantage of high-speed broadband connectivity, such as DSL and cable, to access their organizations' networks.
– Security: VPNs can use advanced encryption and authentication protocols.

Types of VPNs
Site-to-Site VPNs
Site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network.
End hosts send and receive normal TCP/IP traffic through a VPN "gateway". The VPN gateway is responsible for encapsulating and encrypting outbound traffic.

Types of VPNs
Remote Access VPNs
A remote-access VPN supports the needs of telecommuters, mobile users, and extranet traffic. It is used to connect individual hosts that must access their company network securely over the Internet.
VPN client software, such as the Cisco AnyConnect Secure Mobility Client, may need to be installed on the mobile user's end device.

Types of VPNs
DMVPN
Dynamic Multipoint VPN (DMVPN) builds a secure network that exchanges data between sites without needing to pass traffic through an organization's headquarters (hub) VPN server or router.
DMVPN is built using the following technologies:
– Next Hop Resolution Protocol (NHRP): NHRP is a Layer 2 resolution and caching protocol similar to Address Resolution Protocol (ARP). NHRP creates a distributed mapping database of public IP addresses for all tunnel spokes. NHRP is a client/server protocol consisting of the NHRP hub, known as the Next Hop Server (NHS), and the NHRP spokes, known as the Next Hop Clients (NHCs). NHRP supports hub-and-spoke as well as spoke-to-spoke configurations.

Types of VPNs
DMVPN
– Multipoint Generic Routing Encapsulation (mGRE) tunnels: Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels. DMVPN makes use of Multipoint Generic Routing Encapsulation (mGRE) tunnels. An mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels. With mGRE, dynamically allocated tunnels are created through a permanent tunnel source at the hub, and dynamically allocated tunnel destinations, created as necessary, at the spokes. This reduces the size and the complexity of the configuration.
– IP Security (IPsec) encryption: provides secure transport of private information over public networks, such as the Internet.

Introduction and Configuration of GRE (Generic Routing Encapsulation)

GRE Overview
GRE Introduction
Generic Routing Encapsulation (GRE) is a non-secure, site-to-site VPN tunneling protocol developed by Cisco.
GRE manages the transportation of multiprotocol and IP multicast traffic between two or more sites.
The most common use case for tunnels is to connect remote, geographically separated sites over an existing network, most notably routing over a public infrastructure (such as the Internet).

GRE Overview
GRE Introduction
When used in this manner, tunnels create VPN overlay networks between remote sites.
Tunnels accomplish this by creating a virtual network (overlay network) on top of a physical underlying infrastructure (underlay network), providing a logical interface that emulates a direct physical link connecting the two sites.

GRE Overview
GRE Introduction
[Figure: Transport Protocol | Carrier Protocol | Passenger Protocol]
GRE tunnels provide an interface the device can use to forward data. The "data" in this sense is the passenger protocol itself, such as IPv6 or IPv4. These tunnels are comprised of three main components:
1. Delivery Header (Transport Protocol): This is the outer header, which can use IPv4 or IPv6 as the transport protocol.
2. GRE Header (Carrier Protocol): This is the encapsulation protocol, such as GRE, that encapsulates the passenger protocol.
3. Payload Packet or encapsulated protocol (Passenger Protocol): the original IP packet.

GRE Overview
GRE Characteristics
[Figure: outer IP header protocol field = 47; GRE protocol type field = 0x0800; inner IP header protocol field = 6]
GRE is defined as an IETF standard (RFC 2784).
In the outer IP header protocol field, 47 is used to indicate GRE.
GRE protocol field: GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol: 0x0800 for IPv4, 0x86DD for IPv6.
In the original (encapsulated) IP header, the "Protocol" field is set to 6, which indicates that the next-level protocol is TCP.
GRE is stateless: each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint.
GRE does not include any strong security mechanisms.
The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
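The three-component layout and the field values listed above, as an added Python example that is not part of the course: it builds an outer IPv4 delivery header (protocol 47), a basic RFC 2784 GRE carrier header (protocol type 0x0800 or 0x86DD) and a passenger packet, then decapsulates the result and validates each field, counting the 24 bytes of overhead. Going slightly beyond the slides, the parser also skips the optional checksum, key and sequence fields that RFC 2784/2890 allow in the GRE header. The tunnel endpoint addresses are those of the course's R1 and R2; the passenger addresses and TCP bytes are constructed.

```python
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_TCP = 6
GRE_TYPE_IPV4 = 0x0800
GRE_TYPE_IPV6 = 0x86DD


def ip_checksum(data):
    """Standard ones-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Minimal 40-byte IPv6 header, used here only as an alternative passenger."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def gre_encapsulate(tunnel_src, tunnel_dst, passenger, passenger_type=GRE_TYPE_IPV4):
    """Wrap a passenger packet in the basic RFC 2784 GRE header (flags/version 0,
    protocol type) and an outer IPv4 delivery header carrying protocol 47."""
    gre = struct.pack("!HH", 0, passenger_type)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(passenger))
    return outer + gre + passenger


def gre_decapsulate(packet):
    """Validate the delivery and carrier headers and return
    (tunnel_src, tunnel_dst, passenger_type, passenger).
    Raises ValueError for anything that is not well-formed GRE over IPv4."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE (47)" % packet[9])
    flags_ver, passenger_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 4
    if flags_ver & 0x8000:      # C bit: checksum + reserved1 present (RFC 2784)
        gre_len += 4
    if flags_ver & 0x2000:      # K bit: key present (RFC 2890)
        gre_len += 4
    if flags_ver & 0x1000:      # S bit: sequence number present (RFC 2890)
        gre_len += 4
    passenger = packet[ihl + gre_len:]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            passenger_type, passenger)


def is_gre(packet):
    """True when the packet decapsulates cleanly as GRE over IPv4."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def tunnel_overhead(packet):
    """Bytes added by the delivery and carrier headers: 24 for basic GRE over IPv4."""
    return len(packet) - len(gre_decapsulate(packet)[3])


if __name__ == "__main__":
    tcp = b"\x00" * 20                                   # constructed TCP header
    inner = ipv4_header("10.1.10.55", "10.1.2.105", IPPROTO_TCP, len(tcp)) + tcp
    pkt = gre_encapsulate("209.165.201.1", "198.133.219.87", inner)
    print(gre_decapsulate(pkt)[:3], "overhead", tunnel_overhead(pkt), "bytes")
```

Because the carrier header carries no authentication or encryption, anything that can reach the tunnel destination with protocol 47 can inject a passenger packet that parses cleanly here; that is the property the course means by "no strong security mechanisms", and the reason GRE is normally paired with IPsec.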
Implement GRE
Configure GRE
[Figure: OSPF Routing Domain with subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24, 10.1.10.0/24, 10.1.99.0/24, …; packet IP | TCP | Data with SA 10.1.10.55, DA 10.1.2.105]

Implement GRE
Configure GRE
[Figure: OSPF Routing Domain over GRE Tunnel, from 10.1.10.55 to 10.1.24.33; 10.1.1.0/24 and 10.1.10.0/24 on one side of the Internet, 10.1.2.0/24 and 10.1.3.0/24 on the other; packet IP | TCP | Data with SA 10.1.10.55, DA 10.1.2.105]

Implement GRE
Configure GRE
[Figure: OSPF Routing Domain over GRE Tunnel, from 10.1.10.55 to 10.1.2.105; the tunneled packet is IP | GRE | IP | TCP | Data, with outer header SA 198.133.219.87, DA 209.165.201.1 and inner header SA 10.1.10.55, DA 10.1.2.105]
The 10.1.0.0/16 subnets need to be routed over the GRE tunnel, just as if there were no other networks (the Internet) between them.

Implement GRE
Configure GRE
[Figure: R1 LAN 10.1.10.0/24; R1 public address 209.165.201.1; tunnel addresses 10.1.5.1/24 (R1) and 10.1.5.2/24 (R2); R2 public address 198.133.219.87; R2 LAN 10.1.2.0/24]
   R1(config)# interface serial 0/0/0
   R1(config-if)# ip address 209.165.201.1 255.255.255.252
   R1(config-if)# exit
To implement a GRE tunnel, the network administrator must know the reachable IP addresses of the endpoints.

Implement GRE
Configure GRE
There are five steps to configuring a GRE tunnel:
Step 1. Create a tunnel interface using the interface tunnel number command.
   R1(config)# interface tunnel ?
     Tunnel interface number
   R1(config)# interface tunnel 0
   R1(config-if)#
Step 2. Configure an IP address for the tunnel interface (usually a private address). The tunnel mode gre ip command specifies GRE tunnel mode as the tunnel interface mode, in interface tunnel configuration mode.
   R1(config-if)# tunnel mode gre ip
   R1(config-if)# ip address 10.1.5.1 255.255.255.0
Step 3. Specify the tunnel source IP address.
   R1(config-if)# tunnel source 209.165.201.1
Step 4. Specify the tunnel destination IP address.
   R1(config-if)# tunnel destination 198.133.219.87
Note: The tunnel source and tunnel destination commands reference the IP addresses of the preconfigured physical interfaces.
Step 5. Enable routing over the GRE tunnel.
   R1(config-if)# exit
   R1(config)# router ospf 1
   R1(config-router)# network 10.1.5.0 0.0.0.255 area 0     ! Tunnel interface
   R1(config-router)# network 10.1.10.0 0.0.0.255 area 0    ! LAN interface

Implement GRE
Configure GRE
The matching configuration on R2 (the tunnel source and destination are swapped):
   R2(config)# interface serial 0/0/0
   R2(config-if)# ip address 198.133.219.87 255.255.255.252
   R2(config-if)# exit
   R2(config)# interface tunnel 0
   R2(config-if)# tunnel mode gre ip
   R2(config-if)# ip address 10.1.5.2 255.255.255.0
   R2(config-if)# tunnel source 198.133.219.87
   R2(config-if)# tunnel destination 209.165.201.1
   R2(config-if)# exit
   R2(config)# router ospf 1                                 ! enable routing
   R2(config-router)# network 10.1.5.0 0.0.0.255 area 0     ! Tunnel interface
   R2(config-router)# network 10.1.2.0 0.0.0.255 area 0     ! LAN interface

Implement GRE
Verify GRE
Use the show ip interface brief command to verify that the tunnel interface is up. Use the show interface tunnel command to verify the state of the tunnel.
   R1# show ip interface brief | include Tunnel
   Tunnel0                    10.1.5.1        YES manual up                    up
   R1#
   R1# show interface Tunnel 0
   Tunnel0 is up, line protocol is up
     Hardware is Tunnel
     Internet address is 10.1.5.1/24
     MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
        reliability 255/255, txload 1/255, rxload 1/255
     Encapsulation TUNNEL, loopback not set
     Keepalive not set
     Tunnel source 209.165.201.1, destination 198.133.219.87
     Tunnel protocol/transport GRE/IP
Use the show interface tunnel command to verify the state of the tunnel.

Implement GRE
Verify GRE
Use the show ip ospf neighbor command to verify that an OSPF adjacency has been established over the tunnel interface.
   R1# show ip ospf neighbor
   Neighbor ID     Pri   State           Dead Time   Address         Interface
   198.133.219.87    0   FULL/  -        00:00:37    10.5.1.2        Tunnel0
The state is FULL/ - (no DR or BDR) because the tunnel is a point-to-point link.

Introduction to BGP

BGP Overview
IGP and EGP Routing Protocols
Interior Gateway Protocols (IGPs) are used to exchange routing information within a company network or an autonomous system (AS).
An Exterior Gateway Protocol (EGP) is used for the exchange of routing information between autonomous systems, such as ISPs.
Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP).
– Every AS is assigned a unique 16-bit or 32-bit AS number, which uniquely identifies it on the Internet.
Note: Private AS numbers are also available. However, private AS numbers are beyond the scope of this course.

BGP Overview
IGP and EGP Routing Protocols
As shown in the figure, AS 65002 may use the AS path of 65003 and 65005 to reach a network within the content provider AS 65005.
BGP is known as a path vector routing protocol.
BGP updates are encapsulated over TCP on port 179. Therefore, BGP inherits the connection-oriented properties of TCP, which ensures that BGP updates are transmitted reliably.

BGP Overview
eBGP and iBGP
There are two types of BGP:
– External BGP (eBGP): the routing protocol used between routers in different autonomous systems.
– Internal BGP (iBGP): the routing protocol used between routers in the same AS.
Two routers exchanging BGP routing information are known as BGP peers or BGP speakers.
Note: This course focuses on eBGP only. There are differences in how eBGP peers and iBGP peers operate; however, these differences are beyond the scope of this course.

BGP Overview
eBGP and iBGP
iBGP and IGPs serve different purposes and have different functionalities. The key differences:
Interior Gateway Protocols (IGPs):
– IGPs are used to distribute routing information within a single autonomous system.
– Examples of IGPs include OSPF, EIGRP, IS-IS, and RIP.
– IGPs are responsible for calculating the best path to reach destinations within the same AS.
– IGPs use metrics like cost, bandwidth, delay, etc. to determine the best path.
Internal BGP (iBGP):
– iBGP is used to distribute routing information between BGP routers within the same autonomous system.
– iBGP is used to share routing information learned from external BGP (eBGP) sessions with other routers in the same AS.
– iBGP does not perform any path calculation or routing metric computation.
– iBGP relies on the IGP running within the AS to determine the best path to reach destinations.

BGP Design Considerations
When to use BGP
BGP is used when an AS has connections to multiple autonomous systems. This is known as multi-homed.
Each AS in the figure is multihomed because each AS has connections to at least two other autonomous systems or BGP peers.
A misconfiguration of a BGP router could have negative effects throughout the Internet.

BGP Design Considerations
When not to use BGP
BGP should not be used when one of the following conditions exists:
– There is a single connection to the Internet or another AS. This is known as single-homed.
– There is a limited understanding of BGP.
Note: Although it is recommended only in unusual situations, for the purposes of this course, you will configure single-homed BGP.

BGP Design Considerations
BGP Options
Three common ways an organization can implement BGP in a multi-homed environment:
– Default Route Only:
  o ISPs advertise a default route to Company-A.
  o The arrows indicate that the default is configured on the ISPs, not on Company-A.
  o This is the simplest method to implement BGP; however, because the company receives only a default route from both ISPs, suboptimal routing may occur.
  o For example, Company-A may choose to use ISP-1's default route when sending packets to a destination network in ISP-2's AS.

BGP Design Considerations
BGP Options
– Default Route and ISP Routes:
  o ISPs advertise their default route and their network to Company-A.
  o This option allows Company-A to forward traffic to the appropriate ISP for networks advertised by that ISP.
  o For example, Company-A would choose ISP-1 for networks advertised by ISP-1.
o For all other networks, one of the two default routes can be used, which means suboptimal routing may still occur for all other Internet routes.

BGP Design Considerations
BGP Options
– All Internet Routes:
o ISPs advertise all Internet routes to Company-A.
o Because Company-A receives all Internet routes from both ISPs, Company-A can determine which ISP to use as the best path to forward traffic for any network.
o Although this approach solves the issue of suboptimal routing, the BGP router would require sufficient resources to maintain well over 500,000 Internet networks.

eBGP Branch Configuration
Steps to Configure eBGP
    Company-A(config)# router bgp 65000
    Company-A(config-router)# neighbor 209.165.201.1 remote-as 65001
    Company-A(config-router)# network 198.133.219.0 mask 255.255.255.0
1. The router bgp as-number global configuration command enables BGP and identifies the AS number.
2. The neighbor ip-address remote-as as-number router configuration command identifies the BGP peer and its AS number.
3. The network network-address [mask network-mask] router configuration command enters the network-address into the local BGP table and identifies the network to be advertised via BGP (i.e., it advertises the network(s) originating from this AS).
Note: The network-address does not have to be a directly connected network; it only has to be reachable. Networks can be summarizations.

eBGP Branch Configuration
BGP Sample Configuration
In this single-homed BGP topology, Company-A in AS 65000 uses eBGP to advertise its 198.133.219.0/24 network to ISP-1 in AS 65001. ISP-1 advertises a default route in its eBGP updates to Company-A.
Customers typically use private IPv4 address space for internal devices within their own network. Using Network Address Translation (NAT), the Company-A router translates these private IPv4 addresses to one of its public IPv4 addresses, advertised by BGP to the ISP.
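The neighbor command above only names the peer; what actually happens on the wire is that the two routers open a TCP connection to port 179 and exchange OPEN messages carrying their AS numbers, a hold time and a BGP identifier. The following parser is an added example (not code from the course or from Cisco) that decodes and validates such an OPEN message from bytes, so that a reader can see where the AS number and identifier sit and why a receiver should check the marker and length before trusting anything else. It assumes the standard encodings from RFC 4271 and RFC 6793: a 2-byte AS field in the fixed part of OPEN, the value 23456 (AS_TRANS) in that field when the real AS needs 32 bits, and capability code 65 carrying the 4-octet AS. The sample message is constructed locally with the page's ISP-1 values (AS 65001, router ID 209.165.201.1); no socket is opened.

```python
"""Parse and validate a BGP OPEN message as carried over TCP port 179.

Added example, not part of the Connecting Networks slides. It constructs a
sample OPEN inline rather than opening a socket, so it runs offline.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

BGP_MARKER = b"\xff" * 16       # all-ones marker required on every message
BGP_HEADER_LEN = 19             # marker(16) + length(2) + type(1)
BGP_MAX_LEN = 4096
MSG_OPEN = 1
PARAM_CAPABILITIES = 2          # optional parameter type 2 = Capabilities
CAP_FOUR_OCTET_AS = 65          # capability code 65 = 4-octet AS numbers
AS_TRANS = 23456                # placeholder in the 2-byte field when AS > 65535


@dataclass
class BgpOpen:
    version: int
    my_as: int                  # 16-bit value from the fixed OPEN field
    hold_time: int
    bgp_identifier: str
    capabilities: dict = field(default_factory=dict)

    @property
    def effective_as(self) -> int:
        """The peer's real AS: the 4-octet capability wins over AS_TRANS."""
        return self.capabilities.get(CAP_FOUR_OCTET_AS, self.my_as)


def parse_header(data: bytes):
    """Validate the 19-byte header and return (length, type, body)."""
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("short header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker: not a BGP message")
    if not BGP_HEADER_LEN <= length <= BGP_MAX_LEN or length > len(data):
        raise ValueError(f"bad length {length}")
    return length, msg_type, data[BGP_HEADER_LEN:length]


def parse_open(data: bytes) -> BgpOpen:
    """Decode an OPEN message, rejecting malformed fields instead of guessing."""
    _, msg_type, body = parse_header(data)
    if msg_type != MSG_OPEN:
        raise ValueError(f"expected OPEN (1), got type {msg_type}")
    if len(body) < 10:
        raise ValueError("short OPEN body")
    version, my_as, hold_time, ident, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError(f"unsupported BGP version {version}")
    if hold_time in (1, 2):     # RFC 4271: hold time must be 0 or at least 3 seconds
        raise ValueError("unacceptable hold time")
    params = body[10:10 + opt_len]
    if len(params) != opt_len:
        raise ValueError("optional parameters truncated")
    msg = BgpOpen(version, my_as, hold_time, str(ipaddress.IPv4Address(ident)))
    i = 0
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        pval = params[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("optional parameter truncated")
        if ptype == PARAM_CAPABILITIES:
            j = 0
            while j + 2 <= len(pval):
                code, clen = pval[j], pval[j + 1]
                cval = pval[j + 2:j + 2 + clen]
                if code == CAP_FOUR_OCTET_AS and clen == 4:
                    msg.capabilities[code] = struct.unpack("!I", cval)[0]
                else:
                    msg.capabilities[code] = cval
                j += 2 + clen
        i += 2 + plen
    return msg


def build_open(my_as: int, hold_time: int, ident: str) -> bytes:
    """Encode an OPEN with the 4-octet AS capability (used to build the sample)."""
    cap = struct.pack("!BBI", CAP_FOUR_OCTET_AS, 4, my_as)
    param = bytes([PARAM_CAPABILITIES, len(cap)]) + cap
    two_byte_as = my_as if my_as <= 65535 else AS_TRANS
    body = struct.pack("!BHHIB", 4, two_byte_as, hold_time,
                       int(ipaddress.IPv4Address(ident)), len(param)) + param
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), MSG_OPEN) + body


# Constructed sample: ISP-1 (AS 65001, router ID 209.165.201.1) opening a session.
SAMPLE_OPEN = build_open(65001, 180, "209.165.201.1")

if __name__ == "__main__":
    print(parse_open(SAMPLE_OPEN))
```

The header checks come first on purpose: a peer that fails the marker or length test is not speaking BGP at all, and nothing after the header should be interpreted. A 32-bit AS (for example 4200000000) shows up as 23456 in the fixed field and is recovered only from the capability, which is what `effective_as` reports.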
eBGP Branch Configuration
BGP Sample Configuration
    Company-A(config)# router bgp 65000
    Company-A(config-router)# neighbor 209.165.201.1 remote-as 65001
    Company-A(config-router)# network 198.133.219.0 mask 255.255.255.0

    ISP-1(config)# router bgp 65001
    ISP-1(config-router)# neighbor 209.165.201.2 remote-as 65000
    ISP-1(config-router)# network 0.0.0.0

eBGP Branch Configuration
Verify eBGP
Use show ip route to verify that routes advertised by the BGP neighbor are present in the IPv4 routing table.
    Company-A# show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    Gateway of last resort is 209.165.201.1 to network 0.0.0.0
    B*    0.0.0.0/0 [20/0] via 209.165.201.1, 00:36:03
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        198.133.219.0/24 is directly connected, GigabitEthernet0/0
    L        198.133.219.1/32 is directly connected, GigabitEthernet0/0
          209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
    C        209.165.201.0/27 is directly connected, GigabitEthernet0/1
    L        209.165.201.2/32 is directly connected, GigabitEthernet0/1

eBGP Branch Configuration
Verify eBGP
Use show ip bgp to verify that received and advertised IPv4 networks are in the BGP table.
    Company-A# show ip bgp
    BGP table version is 3, local router ID is 209.165.201.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
     *>  0.0.0.0          209.165.201.1            0             0 65001 i
     *>  198.133.219.0/24 0.0.0.0                  0         32768 i
    Company-A#
The first entry, 0.0.0.0 with a next hop of 209.165.201.1, is the default route advertised by ISP-1. The second entry, 198.133.219.0/24, is the network advertised by the Company-A router to ISP-1.
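The three commands in the sample configuration are short, but the slides also warn that a misconfigured BGP router can have effects throughout the Internet, and the most common way to cause that is a network statement that announces a prefix the organization does not hold or a mask that does not match. The helper below is an added example (not the course's or Cisco's code) that produces the Company-A side of the configuration above only after checking that each AS number is in range, that the two ends are in different autonomous systems (otherwise it would be iBGP), that the prefix has no host bits set, and that the prefix lies within a list of prefixes the organization is entitled to originate. The ownership list is an assumption of this example, supplied by the caller; the slides do not describe such a check.

```python
"""Build the three-command eBGP branch configuration after sanity checks.

Added example, not from the slides. The ownership check (advertise only
prefixes the organization holds) is a practice assumed here; the slides only
warn that a BGP misconfiguration can affect the Internet.
"""
import ipaddress

MAX_AS = 2**32 - 1      # 32-bit AS numbers; 16-bit ones are 1..65535


def ebgp_config(hostname, local_as, neighbor_ip, neighbor_as, networks, owned):
    """Return the IOS lines for router bgp / neighbor / network.

    networks: list of 'a.b.c.d/len' strings to advertise.
    owned:    list of prefixes the organization is entitled to originate.
    Raises ValueError instead of emitting a config that would announce a
    prefix outside the owned space.
    """
    for asn in (local_as, neighbor_as):
        if not 1 <= asn <= MAX_AS:
            raise ValueError(f"AS number {asn} out of range")
    if local_as == neighbor_as:
        raise ValueError("same AS on both ends would be iBGP, not eBGP")
    peer = ipaddress.IPv4Address(neighbor_ip)
    owned_nets = [ipaddress.IPv4Network(p) for p in owned]
    lines = [f"{hostname}(config)# router bgp {local_as}",
             f"{hostname}(config-router)# neighbor {peer} remote-as {neighbor_as}"]
    for n in networks:
        # strict=True rejects a prefix whose host bits are set (mask mismatch)
        net = ipaddress.IPv4Network(n, strict=True)
        if not any(net.subnet_of(o) for o in owned_nets):
            raise ValueError(f"{net} is not within an owned prefix; refusing to advertise")
        lines.append(f"{hostname}(config-router)# network {net.network_address} "
                     f"mask {net.netmask}")
    return lines


if __name__ == "__main__":
    # Company-A side of the slide's sample topology
    for line in ebgp_config("Company-A", 65000, "209.165.201.1", 65001,
                            ["198.133.219.0/24"], ["198.133.219.0/24"]):
        print(line)
```

The ISP-1 side is the mirror image (AS 65001 peering with 209.165.201.2 in AS 65000) and is not built here because its network 0.0.0.0 statement is a default route rather than an owned prefix.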
eBGP Branch Configuration
Verify eBGP
Use show ip bgp summary to verify IPv4 BGP neighbors and other BGP information.
    Company-A# show ip bgp summary
    BGP router identifier 209.165.201.2, local AS number 65000
    BGP table version is 3, main routing table version 3
    2 network entries using 288 bytes of memory
    2 path entries using 160 bytes of memory
    2/2 BGP path/bestpath attribute entries using 320 bytes of memory
    BGP using 792 total bytes of memory
    BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    209.165.201.1   4        65001      66      66        3    0    0 00:56:11        1
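The two verification outputs above are normally read by eye: a number in the State/PfxRcd column means the session is Established and that many prefixes were received, while a word there (Idle, Active, Connect, OpenSent, OpenConfirm) is the finite-state-machine state of a session that is not up. The script below is an added example (not from the course or Cisco) that performs the same checks on pasted output: it parses the neighbor line of show ip bgp summary and the table rows of show ip bgp, then confirms that the expected peer is Established in the expected AS, that the branch's own prefix is locally originated (next hop 0.0.0.0), and that a best default route was learned from the peer. The sample text is a copy of the slide's output with column spacing supplied here.

```python
"""Check eBGP session health from 'show ip bgp summary' and 'show ip bgp' text.

Added example, not from the slides: it parses output pasted from the router
so that session state and the expected prefixes can be checked by a script
instead of by eye. The samples reproduce the slide's output (spacing is ours).
"""
import re

SUMMARY = """\
BGP router identifier 209.165.201.2, local AS number 65000
BGP table version is 3, main routing table version 3
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.165.201.1   4        65001      66      66        3    0    0 00:56:11        1
"""

BGP_TABLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          209.165.201.1            0             0 65001 i
 *>  198.133.219.0/24 0.0.0.0                  0         32768 i
"""

# Neighbor, V, AS, then MsgRcvd MsgSent TblVer InQ OutQ, then Up/Down and State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d)\s+(?P<as>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$")

# status flags, network, next hop; the metric columns are not needed here
TABLE_RE = re.compile(r"^\s*(?P<flags>[*>sdhirSmbfxac]+)\s+(?P<net>\S+)\s+(?P<nh>\S+)")


def parse_summary(text):
    """Map neighbor IP to {'as', 'established', 'prefixes', 'state'}."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()   # a count here means Established
        peers[m.group("ip")] = {
            "as": int(m.group("as")),
            "established": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        }
    return peers


def parse_bgp_table(text):
    """Return a list of (network, next_hop, is_best) rows from 'show ip bgp'."""
    rows = []
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            rows.append((m.group("net"), m.group("nh"), ">" in m.group("flags")))
    return rows


def check_branch(summary, table, neighbor_ip, neighbor_as, advertised):
    """Return a list of problems; an empty list means the session looks right."""
    problems = []
    peer = parse_summary(summary).get(neighbor_ip)
    if peer is None:
        problems.append(f"neighbor {neighbor_ip} missing from summary")
    else:
        if peer["as"] != neighbor_as:
            problems.append(f"neighbor AS {peer['as']} != expected {neighbor_as}")
        if not peer["established"]:
            problems.append(f"session state {peer['state']}, not Established")
        elif peer["prefixes"] == 0:
            problems.append("Established but no prefixes received")
    rows = parse_bgp_table(table)
    local = {net for net, nh, _ in rows if nh == "0.0.0.0"}
    from_peer = {net for net, nh, best in rows if nh == neighbor_ip and best}
    for net in advertised:
        if net not in local:
            problems.append(f"{net} not locally originated in BGP table")
    if "0.0.0.0" not in from_peer:
        problems.append(f"no default route learned from {neighbor_ip}")
    return problems


if __name__ == "__main__":
    print(check_branch(SUMMARY, BGP_TABLE, "209.165.201.1", 65001,
                       ["198.133.219.0/24"]) or "eBGP session OK")
```

Run against the slide's output the check returns no problems; if the State/PfxRcd column were to read Idle instead of 1, the first problem reported would be the session state, which is the usual first symptom of a wrong remote-as or an unreachable peer address.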