
Saturday, 4 June 2016

Learn BGP Protocol: First Basic About BGP You Should Know

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!


Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The protocol is often classified as a path vector protocol but is sometimes also classed as a distance-vector routing protocol. The Border Gateway Protocol makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator and is involved in making core routing decisions.
BGP may be used for routing within an autonomous system. In this application it is referred to as Interior Border Gateway Protocol, Internal BGP, or iBGP. In contrast, the Internet application of the protocol may be referred to as Exterior Border Gateway Protocol, External BGP, or EBGP.

- The current version of BGP is version 4 (BGP4 or BGP-4) codified in RFC 4271 since 2006.
- Version 4 of BGP has been in use on the Internet since 1994. The major enhancement in version 4 was support for Classless Inter-Domain Routing and use of route aggregation to decrease the size of routing tables.

- Most Internet service providers must use BGP to establish routing between one another (especially if they are multihomed). Compare this with Signaling System 7 (SS7), which is the inter-provider core call setup protocol on the PSTN.
- Very large private IP networks use BGP internally. An example would be the joining of a number of large OSPF (Open Shortest Path First) networks where OSPF by itself would not scale to size. Another reason to use BGP is multihoming a network for better redundancy, either to multiple access points of a single ISP or to multiple ISPs.

- BGP neighbors, called peers, are established by manual configuration between routers to create a TCP session on port 179.
- When BGP runs between two peers in the same autonomous system (AS), it is referred to as Internal BGP (iBGP or Interior Border Gateway Protocol). When it runs between different autonomous systems, it is called External BGP (EBGP or Exterior Border Gateway Protocol). Routers on the boundary of one AS exchanging information with another AS are called border or edge routers or simply eBGP peers and are typically connected directly, while iBGP peers can be interconnected through other intermediate routers. Other deployment topologies are also possible, such as running eBGP peering inside a VPN tunnel, allowing two remote sites to exchange routing information in a secure and isolated manner.
- The main difference between iBGP and eBGP peering is in the way routes that were received from one peer are propagated to other peers. For instance, new routes learned from an eBGP peer are typically redistributed to all other iBGP peers as well as all eBGP peers (if transit mode is enabled on the router). However, if new routes were learned on an iBGP peering, then they are re-advertised only to all other eBGP peers. These route-propagation rules effectively require that all iBGP peers inside an AS are interconnected in a full mesh.
- Filtering routes learned from peers, and transforming them before redistribution to peers or before plumbing them into the routing table, is typically controlled via the route-map mechanism. These are basically rules which allow the application of certain actions to routes matching certain criteria on either the ingress or the egress path. These rules can specify that the route is to be dropped or, alternatively, that its attributes are to be modified. It is usually the responsibility of the AS administrator to provide the desired route-map configuration on a router supporting BGP.

In order to make decisions in its operations with peers, a BGP peer uses a simple finite state machine (FSM) that consists of six states: Idle; Connect; Active; OpenSent; OpenConfirm; and Established. For each peer-to-peer session, a BGP implementation maintains a state variable that tracks which of these six states the session is in. The BGP defines the messages that each peer should exchange in order to change the session from one state to another. The first state is the "Idle" state. In the "Idle" state, BGP initializes all resources, refuses all inbound BGP connection attempts and initiates a TCP connection to the peer. The second state is "Connect". In the "Connect" state, the router waits for the TCP connection to complete and transitions to the "OpenSent" state if successful. If unsuccessful, it starts the ConnectRetry timer and transitions to the "Active" state upon expiration. In the "Active" state, the router resets the ConnectRetry timer to zero and returns to the "Connect" state. In the "OpenSent" state, the router sends an Open message and waits for one in return in order to transition to the "OpenConfirm" state. Keepalive messages are exchanged and, upon successful receipt, the router is placed into the "Established" state. In the "Established" state, the router can send/receive: Keepalive; Update; and Notification messages to/from its peer.
- Idle State: Refuse all incoming BGP connections. Start the initialization of event triggers. Initiates a TCP connection with its configured BGP peer. Listens for a TCP connection from its peer. Changes its state to Connect. If an error occurs at any state of the FSM process, the BGP session is terminated immediately and returned to the Idle state. Some of the reasons why a router does not progress from the Idle state are: TCP port 179 is not open. A random TCP port over 1023 is not open. Peer address configured incorrectly on either router. AS number configured incorrectly on either router.
- Connect State: Waits for successful TCP negotiation with peer. BGP does not spend much time in this state if the TCP session has been successfully established. Sends Open message to peer and changes state to OpenSent. If an error occurs, BGP moves to the Active state. Some reasons for the error are: TCP port 179 is not open. A random TCP port over 1023 is not open. Peer address configured incorrectly on either router. AS number configured incorrectly on either router.
- Active State: If the router was unable to establish a successful TCP session, then it ends up in the Active state. BGP FSM tries to restart another TCP session with the peer and, if successful, then it sends an Open message to the peer. If it is unsuccessful again, the FSM is reset to the Idle state. Repeated failures may result in a router cycling between the Idle and Active states. Some of the reasons for this include: TCP port 179 is not open. A random TCP port over 1023 is not open. BGP configuration error. Network congestion. Flapping network interface.
- OpenSent State: BGP FSM listens for an Open message from its peer. Once the message has been received, the router checks the validity of the Open message. If there is an error it is because one of the fields in the Open message does not match between the peers, e.g., BGP version mismatch, the peering router expects a different My AS, etc. The router then sends a Notification message to the peer indicating why the error occurred. If there is no error, a Keepalive message is sent, various timers are set and the state is changed to OpenConfirm.
- OpenConfirm State: The peer is listening for a Keepalive message from its peer. If a Keepalive message is received and no timer has expired before reception of the Keepalive, BGP transitions to the Established state. If a timer expires before a Keepalive message is received, or if an error condition occurs, the router transitions back to the Idle state.
- Established State: In this state, the peers send Update messages to exchange information about each route being advertised to the BGP peer. If there is any error in the Update message then a Notification message is sent to the peer, and BGP transitions back to the Idle state. If a timer expires before a Keepalive message is received, or if an error condition occurs, the router transitions back to the Idle state.
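As an added illustration (not code from the original post), the six-state session FSM described above modelled in Python. The event names are constructed labels for the causes the text lists, not the RFC 4271 event codes, and the generic "error" event models the rule that an error in any state returns the session to Idle:

```python
"""Model of the six-state BGP session FSM (added example, not code from the post).
Event names are constructed labels for the causes the text lists."""
from enum import Enum


class State(Enum):
    IDLE = "Idle"
    CONNECT = "Connect"
    ACTIVE = "Active"
    OPEN_SENT = "OpenSent"
    OPEN_CONFIRM = "OpenConfirm"
    ESTABLISHED = "Established"


# (current state, event) -> next state, following the transitions described above.
TRANSITIONS = {
    (State.IDLE, "start"): State.CONNECT,                       # initiate TCP to the peer
    (State.CONNECT, "tcp_established"): State.OPEN_SENT,        # Open sent, await peer's Open
    (State.CONNECT, "tcp_failed"): State.ACTIVE,                # ConnectRetry timer started
    (State.ACTIVE, "connect_retry_expired"): State.CONNECT,     # retry the TCP session
    (State.ACTIVE, "tcp_established"): State.OPEN_SENT,
    (State.ACTIVE, "tcp_failed"): State.IDLE,                   # failed again: reset to Idle
    (State.OPEN_SENT, "open_received_ok"): State.OPEN_CONFIRM,  # Keepalive sent, timers set
    (State.OPEN_SENT, "open_received_bad"): State.IDLE,         # version/AS mismatch: Notification
    (State.OPEN_CONFIRM, "keepalive_received"): State.ESTABLISHED,
    (State.OPEN_CONFIRM, "timer_expired"): State.IDLE,
    (State.ESTABLISHED, "update_error"): State.IDLE,            # Notification sent
    (State.ESTABLISHED, "timer_expired"): State.IDLE,
}

# Message types a peer may send or receive once Established.
ESTABLISHED_MESSAGES = {"Keepalive", "Update", "Notification"}


class BgpSession:
    def __init__(self):
        self.state = State.IDLE
        self.history = [State.IDLE]

    def handle(self, event):
        """Apply one event; a generic error in any state tears the session down to Idle."""
        if event == "error":
            nxt = State.IDLE
        else:
            nxt = TRANSITIONS.get((self.state, event))
            if nxt is None:
                raise ValueError(f"event {event!r} is not valid in state {self.state.value}")
        self.state = nxt
        self.history.append(nxt)
        return nxt

    def can_send(self, message_type):
        """Update/Keepalive/Notification exchange is only meaningful in Established."""
        return self.state is State.ESTABLISHED and message_type in ESTABLISHED_MESSAGES


def run(events):
    """Drive a fresh session through a list of events and return the visited state names."""
    session = BgpSession()
    for event in events:
        session.handle(event)
    return [s.value for s in session.history]


if __name__ == "__main__":
    print(run(["start", "tcp_established", "open_received_ok", "keepalive_received"]))
```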

- The BGP standard specifies a number of decision factors, more than are used by any other common routing process, for selecting NLRI (Network Layer Reachability Information) to go into the Loc-RIB (Routing Information Base). The first decision point for evaluating NLRI is that its next-hop attribute must be reachable (or resolvable). Another way of saying the next-hop must be reachable is that there must be an active route, already in the main routing table of the router, to the prefix in which the next-hop address is reachable. Next, for each neighbor, the BGP process applies various standard and implementation-dependent criteria to decide which routes conceptually should go into the Adj-RIB-In. The neighbor could send several possible routes to a destination, but the first level of preference is at the neighbor level. Only one route to each destination will be installed in the conceptual Adj-RIB-In. This process will also delete, from the Adj-RIB-In, any routes that are withdrawn by the neighbor. Whenever a conceptual Adj-RIB-In changes, the main BGP process decides if any of the neighbor's new routes are preferred to routes already in the Loc-RIB. If so, it replaces them. If a given route is withdrawn by a neighbor, and there is no other route to that destination, the route is removed from the Loc-RIB, and no longer sent, by BGP, to the main routing table manager. If the router does not have a route to that destination from any non-BGP source, the withdrawn route will be removed from the main routing table.
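An added example, not from the original post, that models the flow just described: the next-hop must be resolvable against the main routing table, each neighbor's Adj-RIB-In holds one route per destination, the best candidate goes into the Loc-RIB, and a withdrawal re-runs selection. The preference rule (shortest AS_PATH) is a deliberately reduced subset of the real BGP tie-break list, and the prefixes are constructed documentation addresses:

```python
"""Simplified model of the BGP route-selection flow described above (added example,
not code from the post). The preference rule is a reduced subset of real BGP."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination, e.g. "203.0.113.0/24" (constructed documentation prefix)
    next_hop: str      # BGP NEXT_HOP attribute
    as_path: tuple     # AS_PATH as a tuple of AS numbers


def next_hop_resolvable(next_hop, main_table):
    """First decision point: the next-hop must be covered by an active route already
    in the main routing table (modelled here as a set of non-BGP prefixes)."""
    nh = ipaddress.ip_address(next_hop)
    return any(nh in ipaddress.ip_network(p) for p in main_table)


def better(a, b):
    """Preference between two candidates: shorter AS_PATH wins. Real BGP applies a much
    longer, partly implementation-dependent list of criteria around this step."""
    return len(a.as_path) < len(b.as_path)


class BgpSpeaker:
    def __init__(self, main_table):
        self.main_table = set(main_table)  # prefixes reachable via non-BGP routes
        self.adj_rib_in = {}               # neighbor -> {prefix: Route}, one route per destination
        self.loc_rib = {}                  # prefix -> (neighbor, Route)

    def receive(self, neighbor, route):
        """Process an announcement; False means it was rejected for an unreachable next-hop."""
        if not next_hop_resolvable(route.next_hop, self.main_table):
            return False
        # A newer announcement from the same neighbor for the same prefix replaces the old one.
        self.adj_rib_in.setdefault(neighbor, {})[route.prefix] = route
        self._reselect(route.prefix)
        return True

    def withdraw(self, neighbor, prefix):
        """A withdrawal deletes the route from that neighbor's Adj-RIB-In and re-runs selection."""
        self.adj_rib_in.get(neighbor, {}).pop(prefix, None)
        self._reselect(prefix)

    def _reselect(self, prefix):
        """Whenever an Adj-RIB-In changes, recompute which route for the prefix sits in Loc-RIB."""
        candidates = [(n, rib[prefix]) for n, rib in self.adj_rib_in.items() if prefix in rib]
        if not candidates:
            self.loc_rib.pop(prefix, None)  # no route left from any neighbor
            return
        best = candidates[0]
        for cand in candidates[1:]:
            if better(cand[1], best[1]):
                best = cand
        self.loc_rib[prefix] = best

    def best_neighbor(self, prefix):
        """Neighbor whose route is currently in Loc-RIB for this prefix, or None."""
        entry = self.loc_rib.get(prefix)
        return None if entry is None else entry[0]

    def routing_table(self):
        """Prefixes the main routing table ends up with: non-BGP routes plus the Loc-RIB."""
        return self.main_table | set(self.loc_rib)
```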

==>More to come about the BGP protocol. Don't forget to check back later, thanks!


Monday, 18 July 2011

Network Security Notes: Network Protocols: Configuring OSPF Authentication Protocol

From my previous posts, Understanding OSPF Protocol and OSPF Protocol on CISCO Routing Protocols and Concepts, you may already know many details about the OSPF protocol. In this post I would like to introduce configuring OSPF authentication...

Open Shortest Path First (OSPF) supports two forms of authentication: plain text and MD5. Plain text authentication should be used only when neighboring devices do not support the more secure MD5 authentication. To configure plain text authentication of OSPF packets, follow these steps:

1. In interface configuration mode, use the ip ospf authentication-key [key] command. The key that is specified is the plain text password that will be used for authentication.

2. Enter OSPF configuration mode using the router ospf [process id] command. Then use the area [area-id] authentication command to configure plain text authentication of OSPF packets for an area.

Referring to the figure below, we will configure Router A and Router B for plain text authentication of OSPF packets. Listing A and Listing B display each router's configuration.

Figure Image:



Listing A: Router A configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf authentication-key visaadmin
clockrate 64000
router ospf 60
area 0 authentication
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0


Listing B: Router B configured to authenticate OSPF packets using plain text authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf authentication-key visaadmin
router ospf 50
area 0 authentication
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

In Listing A and Listing B, plain text authentication is configured to authenticate updates across area 0. By issuing the show ip ospf command, you can determine whether plain text authentication is properly configured for each area. Here is an example of the output of the show ip ospf command:

Router-B#show ip ospf 50
Routing Process "ospf 50" with ID 10.10.13.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 7 times


Configure MD5 authentication of OSPF packets

To configure MD5 authentication of OSPF packets, follow the steps outlined here:

1. From interface configuration mode, enable the authentication of OSPF packets using MD5 with the following command:

ip ospf message-digest-key [key-id] md5 [key]


The value of the key-id allows passwords to be changed without having to disable authentication.

2. Enter OSPF configuration mode using the router ospf [process id] command. Then configure MD5 authentication of OSPF packets for an area using this command:

area [area-id] authentication message-digest


This time, Routers A and B will be configured to authenticate packets across the backbone using the MD5 version of authentication. Listing C shows the configuration for Router A, and Listing D shows Router B's configuration.

Listing C: Router A configured for MD5 authentication

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing D: Router B configured for MD5 authentication

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 visa
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

When you use the ip ospf message-digest-key command, the key value allows the password to be changed without having to disable authentication.

Note: For OSPF, authentication passwords do not have to be the same throughout the area, but the key id value and the password must be the same between neighbors.

Using the show ip ospf [process-id] command again, you can see that it now states that MD5 authentication is being used across area 0:

Router-A#sh ip ospf 60
Routing Process "ospf 60" with ID 10.10.11.1
......
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm executed 4 times

As noted earlier, the key id value and the passwords must be the same between neighbors. If you change the key id value on Router A to a number other than 15, authentication will not take place and OSPF should get mad. Here is the changed configuration:

interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 30 md5 visa
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Notice that it has been changed to a value of 30. The following lines show what OSPF has to say about this:

Router-A#debug ip ospf events
OSPF events debugging is on
Router-A#
00:03:58: OSPF: Send with youngest Key 30
00:04:04: OSPF: Rcv pkt from 192.168.10.2, Ethernet0/0 :
Mismatch Authentication Key - No message digest key 15 on Interface


OSPF is obviously not happy. If you change the key value back, everything should again be all right.

As mentioned earlier, the key id value allows passwords to be changed without having to disable authentication. Listing E and Listing F display the configuration of Router A and Router B with multiple keys and passwords configured.

Listing E: Router A configured with multiple keys and passwords

interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip ospf message-digest-key 15 md5 visa
ip ospf message-digest-key 20 md5 littleboy
clockrate 64000
router ospf 60
area 0 authentication message-digest
network 10.10.10.0 0.0.0.255 area 10
network 10.10.11.0 0.0.0.255 area 11
network 192.168.10.0 0.0.0.255 area 0

Listing F: Router B configured with multiple keys and passwords

interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip ospf message-digest-key 15 md5 visa
ip ospf message-digest-key 20 md5 littleboy
router ospf 50
area 0 authentication message-digest
network 10.10.12.0 0.0.0.255 area 12
network 10.10.13.0 0.0.0.255 area 13
network 192.168.10.0 0.0.0.255 area 0

As a result of this configuration, Routers A and B will send duplicate copies of each OSPF packet out of their serial interfaces; one will be authenticated using key number 15, and the other will be authenticated using key number 20. Once each router has received OSPF packets from the other authenticated with key 20, both stop sending packets with key number 15 and use only key number 20. At this point, you can delete key number 15, thus allowing you to change passwords without disabling authentication.
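To show what the receiving router is actually checking in the key-id mismatch case (the debug output above) and during the key rollover of Listings E and F, here is an added Python model of the receive-side MD5 check. It is example code, not from the post or from IOS; it assumes the RFC 2328 Appendix D digest rule (MD5 over the OSPF packet followed by the key zero-padded to 16 bytes) and treats the highest key id as the "youngest" key, which matches the order the keys were added in Listings E and F:

```python
"""Receive-side check of OSPF MD5 (cryptographic) authentication. Added example, not
code from the post or from IOS. Assumes the RFC 2328 Appendix D digest rule:
MD5 over the OSPF packet followed by the key zero-padded to 16 bytes."""
import hashlib
import struct

AUTYPE_CRYPTO = 2  # AuType value for cryptographic (MD5) authentication


def _digest(packet, key):
    return hashlib.md5(packet + key.encode().ljust(16, b"\x00")).digest()


def build_ospf_hello(router_id, area_id, key_id, key, seq, body=b"\x00" * 20):
    """Construct a minimal OSPFv2 packet (type 1 = Hello, body zeroed for brevity) with the
    MD5 digest appended. Used here only to produce constructed input for the verifier."""
    length = 24 + len(body)
    # Header: version, type, length, router ID, area ID, checksum (0 under crypto auth), AuType.
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    # Authentication field: reserved, key ID, auth data length (16), cryptographic sequence number.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = header + auth + body
    return packet + _digest(packet, key)


def verify_ospf_md5(frame, key_table):
    """Check one received frame against the interface's key table
    ({key_id: key}, as set with 'ip ospf message-digest-key <id> md5 <key>').
    Returns (ok, reason); the reasons mirror the IOS debug wording seen above."""
    if len(frame) < 24 + 16:
        return False, "packet too short"
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    if autype != AUTYPE_CRYPTO:
        return False, "authentication type mismatch"
    key_id, auth_len = frame[18], frame[19]
    if auth_len != 16 or len(frame) < length + 16:
        return False, "bad authentication data length"
    key = key_table.get(key_id)
    if key is None:
        # What Router A logged when its neighbor still signed with key 15 and A only had key 30.
        return False, f"no message digest key {key_id} on interface"
    packet, received = frame[:length], frame[length:length + 16]
    if _digest(packet, key) != received:
        return False, "message digest mismatch"
    return True, f"authenticated with key {key_id}"


def youngest_key(key_table):
    """Key a sender uses for new packets. Assumption for this model: the highest key ID is the
    most recently added ('youngest') one, as in Listings E and F where 20 was added after 15."""
    return max(key_table)


def keys_in_use_for_sending(local_keys, seen_key_id):
    """Rollover as described above: send with every configured key until the neighbor has
    been seen using the youngest one; from then on only the youngest key is used."""
    youngest = youngest_key(local_keys)
    if seen_key_id == youngest:
        return {youngest: local_keys[youngest]}  # older key can now be deleted
    return dict(local_keys)  # still sending duplicates with every key
```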


Thursday, 23 June 2011

Network Security Notes: Network Protocols: OSPF Protocol on CISCO Routing Protocols and Concepts

I have already posted about Understanding OSPF Protocol. In this post you can find out more about OSPF from CISCO Routing Protocols and Concepts Chapter 13...

Let me quote some:

Exploration Routing Protocols and Concepts Chapter 11 - Presentation Transcript

1. OSPF Routing Protocols and Concepts – Chapter 11
2. Objectives
* Describe the background and basic features of OSPF.
* Identify and apply the basic OSPF configuration commands.
* Describe, modify and calculate the metric used by OSPF.
* Describe the Designated Router/Backup Designated Router (DR/BDR) election process in multiaccess networks.
* Describe the uses of additional configuration commands in OSPF.
3. Introduction
4. Introduction to OSPF
* Background of OSPF
o Began in 1987
o 1989 OSPFv1 released in RFC 1131
o This version was experimental & never deployed
o 1991 OSPFv2 released in RFC 1247
o 1998 OSPFv2 updated in RFC 2328
o 1999 OSPFv3 published in RFC 2740
5. Introduction to OSPF
* OSPF Message Encapsulation
o OSPF packet type
+ There exist 5 types
o OSPF packet header
+ Contains - Router ID and area ID and Type code for OSPF packet type
o IP packet header
+ Contains - Source IP address, Destination IP address, & Protocol field set to 89
6. Introduction to OSPF
* OSPF Message Encapsulation
o Data link frame header
o Contains - Source MAC address and Destination MAC address
7. Introduction to OSPF
* OSPF Packet Types
8. Introduction to OSPF
* Hello Protocol
* OSPF Hello Packet
o Purpose of Hello Packet
+ Discover OSPF neighbors & establish adjacencies
+ Advertise guidelines on which routers must agree to become neighbors
+ Used by multi-access networks to elect a designated router and a backup designated router
9. Introduction to OSPF
* Hello Packets continued
o Contents of a Hello Packet: router ID of transmitting router
* OSPF Hello Intervals
o Usually multicast (224.0.0.5)
o Sent every 30 seconds for NBMA segments
* OSPF Dead Intervals
o This is the time that must transpire before the neighbor is considered down
o Default time is 4 times the hello interval
10. Introduction to OSPF
* Hello protocol packets contain information that is used in electing
o Designated Router (DR)
+ DR is responsible for updating all other OSPF routers
o Backup Designated Router (BDR)
+ This router takes over DR’s responsibilities if DR fails
11. Introduction to OSPF
* OSPF Link-state Updates
o Purpose of a Link State Update (LSU)
+ Used to deliver link state advertisements
o Purpose of a Link State Advertisement (LSA)
+ Contains information about neighbors & path costs
12. Introduction to OSPF
* OSPF Algorithm
* OSPF routers build & maintain link-state database containing LSA received from other routers
o Information found in database is utilized upon execution of Dijkstra SPF algorithm
o SPF algorithm used to create SPF tree
o SPF tree used to populate routing table
13. Introduction to OSPF
* Administrative Distance
o Default Administrative Distance for OSPF is 110
14. Introduction to OSPF
* OSPF Authentication
o Purpose is to encrypt & authenticate routing information
o This is an interface specific configuration
o Routers will only accept routing information from other routers that have been configured with the same password or authentication information
15. Basic OSPF Configuration
* Lab Topology
* Topology used for this chapter
o Discontiguous IP addressing scheme
o Since OSPF is a classless routing protocol the subnet mask is configured in
16. Basic OSPF Configuration
* The router ospf command
* To enable OSPF on a router use the following command
o R1(config)# router ospf process-id
o Process id
+ A locally significant number between 1 and 65535
+ This means it does not have to match other OSPF routers
17. Basic OSPF Configuration
* OSPF network command
o Requires entering:
+ network address
+ wildcard mask - the inverse of the subnet mask
+ area-id - area-id refers to the OSPF area – OSPF area is a group of routers that share link state information
o Example: Router(config-router)# network network-address wildcard-mask area area-id
18. Basic OSPF Configuration
* Router ID
o This is an IP address used to identify a router
o 3 criteria for deriving the router ID
+ Use IP address configured with OSPF router-id command
# Takes precedence over loopback and physical interface addresses
+ If router-id command not used then router chooses highest IP address of any loopback interfaces
+ If no loopback interfaces are configured then the highest IP address on any active interface is used
19. Basic OSPF Configuration
* OSPF Router ID
* Commands used to verify current router ID
o Show ip protocols
o Show ip ospf
o Show ip ospf interface
20. Basic OSPF Configuration
* OSPF Router ID
* Router ID & Loopback addresses
o Highest loopback address will be used as router ID if router-id command isn’t used
o Advantage of using loopback address
+ The loopback interface cannot fail, which gives OSPF stability
* The OSPF router-id command
o Introduced in IOS 12.0
o Command syntax
+ Router(config)# router ospf process-id
+ Router(config-router)# router-id ip-address
* Modifying the Router ID
o Use the command Router# clear ip ospf process
21. Basic OSPF Configuration
* Verifying OSPF
* Use the show ip ospf command to verify & trouble shoot OSPF networks
* Command will display the following:
o Neighbor adjacency
+ No adjacency indicated by
# Neighboring router’s Router ID is not displayed
# A state of full is not displayed
+ Consequence of no adjacency
# No link state information exchanged
# Inaccurate SPF trees & routing tables
22. Basic OSPF Configuration
* Verifying OSPF - Additional Commands
o Command / Description
+ show ip protocols - Displays OSPF process ID, router ID, networks router is advertising & administrative distance
+ show ip ospf - Displays OSPF process ID, router ID, OSPF area information & the last time SPF algorithm calculated
+ show ip ospf interface - Displays hello interval and dead interval
23. Basic OSPF Configuration
* Examining the routing table
* Use the show ip route command to display the routing table
o An "O" at the beginning of a route indicates that the route source is OSPF
o Note OSPF does not automatically summarize at major network boundaries
24. OSPF Metric
* OSPF uses cost as the metric for determining the best route
o The best route will have the lowest cost
o Cost is based on bandwidth of an interface
+ Cost is calculated using the formula
# 10^8 / bandwidth
o Reference bandwidth
+ Defaults to 100Mbps
+ Can be modified using
+ Auto-cost reference-bandwidth command
25. OSPF Metric
* COST of an OSPF route
o Is the accumulated value from one router to the next
26. OSPF Metric
* Usually the actual speed of a link is different than the default bandwidth
o This makes it imperative that the bandwidth value reflects link’s actual speed
+ Reason: so routing table has best path information
* The show interface command will display interface’s bandwidth
o Most serial link default to 1.544Mbps
27. Basic OSPF Configuration
* Modifying the Cost of a link
* Both sides of a serial link should be configured with the same bandwidth
o Commands used to modify bandwidth value
+ Bandwidth command
# Example: Router(config-if)# bandwidth bandwidth-kbps
+ ip ospf cost command – allows you to directly specify interface cost
# Example: R1(config)#interface serial 0/0/0
# R1(config-if)#ip ospf cost 1562
28. Basic OSPF Configuration
* Modifying the Cost of the link
* Difference between bandwidth command & the ip ospf cost command
o Ip ospf cost command
+ Sets cost to a specific value
o Bandwidth command
+ Link cost is calculated
29. OSPF and Multiaccess Networks
* Challenges in Multiaccess Networks
* OSPF defines five network types:
o Point-to-point
o Broadcast Multiaccess
o Nonbroadcast Multiaccess (NBMA)
o Point-to-multipoint
o Virtual links
30. OSPF in Multiaccess Networks
* 2 challenges presented by multiaccess networks
o Multiple adjacencies
o Extensive LSA flooding
31. OSPF in Multiaccess Networks
* Extensive flooding of LSAs
o For every LSA sent out there must be an acknowledgement of receipt sent back to transmitting router
o Consequence: lots of bandwidth consumed and chaotic traffic
32. OSPF in Multiaccess Networks
* Solution to LSA flooding issue is the use of
o Designated router (DR)
o Backup designated router (BDR)
* DR & BDR selection
o Routers are elected to send & receive LSA
* Sending & Receiving LSA
o DR others send LSAs via multicast 224.0.0.6 to DR & BDR
o DR forward LSA via multicast address 224.0.0.5 to all other routers
33. OSPF in Multiaccess Networks
* DR/BDR Election Process
o DR/BDR elections DO NOT occur in point to point networks
34. OSPF in Multiaccess Networks
* DR/BDR elections will take place on multiaccess networks as shown below
35. OSPF in Multiaccess Networks
* Criteria for getting elected DR/BDR
o DR: Router with the highest OSPF interface priority
o BDR : Router with the second highest OSPF interface priority
o If OSPF interface priorities are equal , the highest router ID is used to break the tie
36. OSPF in Multiaccess Networks
* Timing of DR/BDR Election
o Occurs as soon as the 1st router has its interface enabled on the multiaccess network
+ When a DR is elected it remains as the DR until one of the following occurs
# The DR fails
# The OSPF process on the DR fails
# The multiaccess interface on the DR fails
37. OSPF in Multiaccess Networks
* Manipulating the election process
o If you want to influence the election of DR & BDR then do one of the following:
+ Boot up the DR first, followed by the BDR, and then boot all other routers
+ OR
+ Shut down the interface on all routers, followed by a no shutdown on the DR, then the BDR, and then all other routers
38. OSPF in Multiaccess Networks
* OSPF Interface Priority
* Manipulating the DR/BDR election process continued
o Use the ip ospf priority interface command.
o Example: Router(config-if)# ip ospf priority { 0 - 255 }
+ Priority number range 0 to 255
# 0 means the router cannot become the DR or BDR
# 1 is the default priority value
39. More OSPF Configuration
* Redistributing an OSPF Default Route
* Topology includes a link to ISP
o Router connected to ISP
+ Called an autonomous system border router
+ Used to propagate a default route
# Example of static default route:
# R1(config)# ip route 0.0.0.0 0.0.0.0 loopback 1
# Requires the use of the default-information originate command
# Example of default-information originate command:
# R1(config-router)# default-information originate
40. More OSPF Configuration
* Fine-Tuning OSPF
* Since link speeds are getting faster it may be necessary to change reference bandwidth values
o Do this using the auto-cost reference-bandwidth command
o Example:
+ R1(config-router)# auto-cost reference-bandwidth 10000
41. More OSPF Configuration
* Fine-Tuning OSPF
* Modifying OSPF timers
o Reason to modify timers
+ Faster detection of network failures
o Manually modifying Hello & Dead intervals
+ Router(config-if)# ip ospf hello-interval seconds
+ Router(config-if)# ip ospf dead-interval seconds
o Point to be made
+ Hello & Dead intervals must be the same between neighbors
42. Summary
* RFC 2328 describes OSPF link state concepts and operations
* OSPF Characteristics
o A commonly deployed link state routing protocol
o Employs DRs & BDRs on multiaccess networks
+ DRs & BDRs are elected
+ DRs & BDRs are used to transmit and receive LSAs
o Uses 5 packet types:
+ 1: HELLO
+ 2: DATABASE DESCRIPTION
+ 3: LINK STATE REQUEST
+ 4: LINK STATE UPDATE
+ 5: LINK STATE ACKNOWLEDGEMENT
43. Summary
* OSPF Characteristics
o Metric = cost
+ Lowest cost = best path
* Configuration
o Enable OSPF on a router using the following command
+ R1(config)# router ospf process-id
o Use the network command to define which interfaces will participate in a given OSPF process
+ Router(config-router)# network network-address wildcard-mask area area-id
44. Summary
* Verifying OSPF configuration
o Use the following commands:
+ show ip protocols
+ show ip route
+ show ip ospf interface
+ show ip ospf neighbor


More details about the OSPF protocol are in Cisco's Routing Protocols and Concepts course; please visit it directly.




Other sites you may want to see:

Entertainment on Flixya: http://visalittleboy.flixya.com/
WWE: http://visa-wwe.blogspot.com/
The Kingdom of Wonder: http://welcome2cambodia.blogspot.com/
Daily Blogging: http://visablogging.blogspot.com/
Love Sharing: http://visa-love.blogspot.com/
NetworkSecurity: http://networksecuritynotes.blogspot.com/
About Insurance:http://visa-insurance.blogspot.com
All about Love: http://visa-love.blogspot.com/
Learning English Online: http://visa-elb.blogspot.com/
Discovery Internet: http://visa-isp.blogspot.com/


Tuesday, 14 June 2011

Network Security Notes: Network Protocols: Understanding OSPF Protocol


Following my previous post about Understanding EIGRP and IGRP Protocols, in this post I want to look at the OSPF protocol.

Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008). Research into the convergence time of OSPF can be found in Stability Issues in OSPF Routing (2001).

OSPF is perhaps the most widely-used interior gateway protocol (IGP) in large enterprise networks. IS-IS, another link-state routing protocol, is more common in large service provider networks. The most widely-used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.

OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. OSPF was designed to support variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.

OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest path first algorithm.

The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers.

The OSPF routing policies to construct a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unitless numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address notation.

By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifications of other areas may be chosen at will; often, administrators select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.

OSPF uses multicast addressing for route flooding on a broadcast network link. For non-broadcast networks, special configuration provisions facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers; they never travel more than one hop. OSPF reserves the multicast addresses 224.0.0.5 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.

For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol (MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or other IGPs, (Interior Gateway Protocol), is widely deployed.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).

OSPF version 3 introduces modifications to the IPv4 implementation of the protocol. Except for virtual links, all neighbor exchanges use IPv6 link-local addressing exclusively. The IPv6 protocol runs per link, rather than based on the subnet. All IP prefix information has been removed from the link-state advertisements and from the Hello discovery packet making OSPFv3 essentially protocol-independent. Despite the expanded IP addressing to 128-bits in IPv6, area and router identifications are still based on 32-bit values.

What is Link-state routing protocol?

A link-state routing protocol is one of the two main classes of routing protocols used in packet switching networks for computer communications (the other is the distance-vector routing protocol). Examples of link-state routing protocols include OSPF and IS-IS.

The link-state protocol is performed by every switching node in the network (i.e. nodes that are prepared to forward packets; in the Internet, these are called routers). The basic concept of link-state routing is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes. Each node then independently calculates the next best logical path from it to every possible destination in the network. The collection of best paths will then form the node's routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbors. In a link-state protocol the only information passed between nodes is connectivity related.

Link state algorithms are sometimes characterized informally as each router 'telling the world about its neighbors'.

Learn about Shortest Path First Algorithm:

OSPF uses a shortest path first algorithm in order to build and calculate the shortest path to all known destinations. The shortest path is calculated with the use of the Dijkstra algorithm. The algorithm by itself is quite complicated. This is a very high level, simplified way of looking at the various steps of the algorithm:

1. Upon initialization or due to any change in routing information, a router generates a link-state advertisement. This advertisement represents the collection of all link-states on that router.

2. All routers exchange link-states by means of flooding. Each router that receives a link-state update should store a copy in its link-state database and then propagate the update to other routers.

3. After the database of each router is completed, the router calculates a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm in order to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations form the IP routing table.

4. In case no changes in the OSPF network occur, such as cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated through link-state packets, and the Dijkstra algorithm is recalculated in order to find the shortest path.

The algorithm places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost required to reach that destination. Each router will have its own view of the topology even though all the routers will build a shortest path tree using the same link-state database. The following sections indicate what is involved in building a shortest path tree.

What about OSPF Cost?

The cost (also called metric) of an interface in OSPF is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost. There is more overhead (higher cost) and time delays involved in crossing a 56k serial line than crossing a 10M ethernet line. The formula used to calculate the cost is:

cost = 100000000 / bandwidth in bps

For example, it will cost 10^8 / 10^7 = 10 to cross a 10M Ethernet line and 10^8 / 1544000 = 64 to cross a T1 line.

By default, the cost of an interface is calculated based on the bandwidth; you can force the cost of an interface with the ip ospf cost interface subconfiguration mode command.
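The cost formula above, together with the auto-cost reference-bandwidth command from slide 40, is easy to get wrong on fast links because IOS truncates the division and never goes below 1. The following added example (not code from the original post) computes the cost for a constructed set of interfaces under the default 100 Mbps reference bandwidth and under the slide's 10000 Mbps, and also applies a per-interface ip ospf cost override.

```python
"""OSPF interface cost = reference bandwidth / interface bandwidth.

Added example, not from the original post. Interface names and bandwidths below
are constructed; the reference bandwidth is the IOS default of 100 Mbps unless
'auto-cost reference-bandwidth <Mbps>' changes it, and 'ip ospf cost' can
override the computed value per interface.
"""
MAX_OSPF_COST = 65535   # the link metric is a 16-bit field in the router LSA


def ospf_cost(bandwidth_bps: int, reference_mbps: int = 100) -> int:
    """Truncating division, as IOS does, clamped to the 1..65535 range."""
    if bandwidth_bps <= 0:
        raise ValueError("interface bandwidth must be positive")
    raw = (reference_mbps * 1_000_000) // bandwidth_bps
    return max(1, min(raw, MAX_OSPF_COST))


def cost_table(interfaces, reference_mbps=100, manual=None):
    """Map interface name -> cost; 'manual' holds 'ip ospf cost' overrides."""
    manual = manual or {}
    return {name: manual.get(name, ospf_cost(bps, reference_mbps))
            for name, bps in interfaces.items()}


# Constructed interface set (bandwidth in bit/s; T1 = 1544 kbit/s as IOS sees it)
INTERFACES = {
    "Serial0/0 (T1)": 1_544_000,
    "Ethernet0/0 (10M)": 10_000_000,
    "FastEthernet0/1": 100_000_000,
    "GigabitEthernet0/2": 1_000_000_000,
    "TenGigabitEthernet1/1": 10_000_000_000,
}

if __name__ == "__main__":
    for ref in (100, 10000):
        print(f"auto-cost reference-bandwidth {ref}:")
        for name, cost in cost_table(INTERFACES, ref).items():
            print(f"  {name:24} cost {cost}")
```

With the default reference bandwidth, FastEthernet, GigabitEthernet and 10 GigabitEthernet all come out at cost 1, so OSPF cannot tell them apart; raising the reference bandwidth to 10000 Mbps on every router in the area restores the distinction (the value must match across routers or path selection becomes inconsistent).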

How about Shortest Path Tree?

Assume we have the following network diagram with the indicated interface costs. In order to build the shortest path tree for RTA, we would have to make RTA the root of the tree and calculate the smallest cost for each destination.

Now Let's Compare OSPF and RIP protocols:

The rapid growth and expansion of today's networks has pushed RIP to its limits. RIP has certain limitations that can cause problems in large networks:

* RIP has a limit of 15 hops. A RIP network that spans more than 15 hops (15 routers) is considered unreachable.

* RIP cannot handle Variable Length Subnet Masks (VLSM). Given the shortage of IP addresses and the flexibility VLSM gives in the efficient assignment of IP addresses, this is considered a major flaw.

* Periodic broadcasts of the full routing table consume a large amount of bandwidth. This is a major problem with large networks especially on slow links and WAN clouds.

* RIP converges slower than OSPF. In large networks convergence gets to be in the order of minutes. RIP routers go through a period of a hold-down and garbage collection and slowly time-out information that has not been received recently. This is inappropriate in large environments and could cause routing inconsistencies.

* RIP has no concept of network delays and link costs. Routing decisions are based on hop counts. The path with the lowest hop count to the destination is always preferred even if the longer path has a better aggregate link bandwidth and less delays.

* RIP networks are flat networks. There is no concept of areas or boundaries. With the introduction of classless routing and the intelligent use of aggregation and summarization, RIP networks seem to have fallen behind.

Some enhancements were introduced in a new version of RIP called RIP2. RIP2 addresses the issues of VLSM, authentication, and multicast routing updates. RIP2 is not a big improvement over RIP (now called RIP 1) because it still has the limitations of hop counts and slow convergence, which are critical issues in today's large networks.

OSPF, on the other hand, addresses most of the issues previously presented:

* With OSPF, there is no limitation on the hop count.

* The intelligent use of VLSM is very useful in IP address allocation.

* OSPF uses IP multicast to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. Also, updates are only sent in case routing changes occur instead of periodically. This ensures a better use of bandwidth.

* OSPF has better convergence than RIP. This is because routing changes are propagated instantaneously and not periodically.

* OSPF allows for better load balancing.

* OSPF allows for a logical definition of networks where routers can be divided into areas. This limits the explosion of link state updates over the whole network. This also provides a mechanism for aggregating routes and cutting down on the unnecessary propagation of subnet information.

* OSPF allows for routing authentication by using different methods of password authentication.

* OSPF allows for the transfer and tagging of external routes injected into an Autonomous System. This keeps track of external routes injected by exterior protocols such as BGP.
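The shortest path tree section above ("make RTA the root of the tree and calculate the smallest cost for each destination") and the RIP comparison ("the path with the lowest hop count is always preferred even if the longer path has a better aggregate link bandwidth") can both be shown on one topology. This is an added example, not code from the original post; since the post's network diagram is not on the page, the four links below are a constructed topology: two fast Ethernet-style links (cost 10) in parallel with one slow T1-style link (cost 64). The same Dijkstra routine is run with the OSPF cost and then with a metric of 1 per link, which is what RIP counts.

```python
"""Shortest path tree (Dijkstra) rooted at RTA, and the same topology routed by hop count.

Added example, not from the original post. The post's diagram is not on the page,
so the links below (router, router, OSPF cost) are a constructed topology.
"""
import heapq


def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root, metric=lambda cost: cost):
    """Dijkstra from root. Returns {destination: (total metric, next hop)}.

    'metric' maps a link cost to what the protocol actually adds up: the OSPF
    cost itself, or 1 per link for a hop-count protocol such as RIP.
    """
    dist, first_hop = {root: 0}, {}
    heap = [(0, root, None)]          # (distance, router, first hop from root)
    done = set()
    while heap:
        d, node, via = heapq.heappop(heap)
        if node in done:
            continue                  # stale entry for an already-settled router
        done.add(node)
        first_hop[node] = via
        for nbr, cost in graph[node].items():
            nd = d + metric(cost)
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr, nbr if node == root else via))
    # The (cost, next hop) pairs are what goes into the IP routing table
    return {n: (dist[n], first_hop[n]) for n in done if n != root}


def ospf_routes(graph, root):
    return spf(graph, root)


def rip_routes(graph, root, max_hops=15):
    """Hop-count routing; anything beyond max_hops (15 for RIP) is unreachable."""
    hops = spf(graph, root, metric=lambda _cost: 1)
    return {n: v for n, v in hops.items() if v[0] <= max_hops}


LINKS = [
    ("RTA", "RTB", 10),   # 10M Ethernet, cost 10
    ("RTB", "RTC", 10),
    ("RTA", "RTC", 64),   # T1, cost 64: one hop, but slow
    ("RTC", "RTD", 10),
]

if __name__ == "__main__":
    g = build_graph(LINKS)
    print("OSPF (cost):", ospf_routes(g, "RTA"))   # RTC reached via RTB, cost 20
    print("RIP  (hops):", rip_routes(g, "RTA"))    # RTC reached directly, 1 hop
```

OSPF sends RTA's traffic for RTC over the two Ethernet hops (total cost 20) while RIP insists on the single T1 hop; with a chain longer than 15 routers, rip_routes also drops the far end as unreachable, which ospf_routes does not.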

For more details about the OSPF protocol, see the documents at IETF.org.



Wednesday, 11 May 2011

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol


Following my previous post about Understanding EIGRP, in this post I would like to share how to configure EIGRP authentication.

EIGRP Authentication between Router A and Router B

EIGRP authentication of packets has been supported since IOS version 11.3. EIGRP route authentication is similar to RIP version 2, but EIGRP authentication supports only the MD5 version of packet encryption.

EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it can be spoken only between two Cisco devices, so the issue of another neighboring router not supporting the MD5 cryptographic checksum of packets should never arise.

The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:

1. Define the key chain using the command key chain <name> in global configuration mode. This command transfers you to key chain configuration mode.

2. Specify the key number with the key command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key-string command.

4. Optionally, you can configure the period for which the key can be sent and received. Use the following commands:

accept-lifetime start-time {infinite | end-time | duration seconds}
send-lifetime start-time {infinite | end-time | duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable the authentication of EIGRP updates with this command:

ip authentication key-chain eigrp <as-number> <key-chain-name>

7. Enable MD5 authentication of EIGRP updates using the following command:

ip authentication mode eigrp <as-number> md5

The listing below shows how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication.

Command Listing A: Router A's configuration with MD5 authentication:

key chain router-a
key 1
key-string eigrp
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key-chain eigrp 2 router-a
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto-summary
eigrp log-neighbor-changes


The next listing shows the configuration for Router B.

Command Listing B: Router B's configuration with MD5 authentication:

key chain router-b
key 1
key-string eigrp
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key-chain eigrp 2 router-b
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto-summary
eigrp log-neighbor-changes

Command Listing A configures Router A with a key chain value of router-a, a key value of 1, and a key-string value of eigrp. Command Listing B configures Router B with a key chain value of router-b, a key value of 1, and a key-string value of eigrp. Notice again that the key chain name need not match between routers; however, the key number and the key string associated with that key number must match between routers configured to use that key. Although debugging of encrypted EIGRP packets is somewhat limited, a few commands can be used to verify that packet encryption is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you whether the router has received a packet with the correct key number and key string. The output of issuing this command can be seen here:

Router-A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication



Router A is receiving MD5-authenticated packets from its neighbor, Router B. However, we cannot fully determine whether or not the authentication is taking place correctly without issuing the show ip route command on Router A. This allows us to look at the route table and determine that packet authentication is taking place correctly, because the routes that Router B has sent to Router A are installed into the route table. Listing Command C displays the output of the show ip route command.

Listing Command C: Route table of Router A with correct authentication configured:

Router-A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Ethernet0/0
D 10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D 10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router-A#


You can change Router A's key−string value for key 1 to see what kind of an effect this will have.
The following lines will change the key−string value for key 1 on Router A to ospf:

Router-A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#key chain router-a
Router-A(config-keychain)#key 1
Router-A(config-keychain-key)#key-string ospf
Router-A(config-keychain-key)#end
Router-A#


Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:

Router-A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid authentication)


Taking a quick look at the route table confirms that the authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed into the route table of Router A. Listing Command D displays the routing table of Router A.
Listing Command D: Route table of Router A with incorrect authentication configured.

Router-A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Loopback1
Router-A#


NOTE: You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.
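To make the behaviour in steps 1 to 7 and the two debug outputs above concrete, here is an added example that models the receiving side of key-chain MD5 authentication. It is not code from the original post and not the real EIGRP wire format: the digest is a keyed MD5 over (packet || key-string) standing in for the EIGRP MD5 authentication TLV, the Key and KeyChain objects mirror the key chain, key, key-string and accept/send-lifetime commands, and the return strings mirror the debug eigrp packet lines. The router names, AS number and key strings (eigrp, then ospf) are the post's values; the packet payload and timestamps are constructed.

```python
"""Model of EIGRP key-chain MD5 authentication between two neighbours.

Added example, not from the original post and not the real EIGRP wire format:
keyed MD5 over (payload || key-string) stands in for the EIGRP MD5 authentication
TLV; KeyChain/Key mirror the IOS key chain commands; the outcomes mirror the
'debug eigrp packet' lines. Payload and timestamps are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Packet = Tuple[int, bytes, bytes]   # (key id, payload, digest)


@dataclass
class Key:
    key_id: int
    key_string: str
    send_start: float = 0.0                   # send-lifetime window
    send_end: float = float("inf")            # infinite unless configured
    accept_start: float = 0.0                 # accept-lifetime window
    accept_end: float = float("inf")


@dataclass
class KeyChain:
    name: str                                  # 'key chain <name>': need not match the peer's
    keys: Dict[int, Key] = field(default_factory=dict)

    def add(self, key: Key) -> "KeyChain":
        self.keys[key.key_id] = key
        return self

    def send_key(self, now: float) -> Optional[Key]:
        # Modelled IOS behaviour: send with the lowest-numbered key whose send-lifetime is valid
        for key_id in sorted(self.keys):
            k = self.keys[key_id]
            if k.send_start <= now <= k.send_end:
                return k
        return None

    def accept_key(self, key_id: int, now: float) -> Optional[Key]:
        k = self.keys.get(key_id)
        if k is not None and k.accept_start <= now <= k.accept_end:
            return k
        return None


def md5_digest(payload: bytes, key_string: str) -> bytes:
    # Keyed MD5 stand-in for the EIGRP MD5 authentication TLV (simplified)
    return hashlib.md5(payload + key_string.encode()).digest()


def send_hello(chain: KeyChain, payload: bytes, now: float) -> Packet:
    """Build the authenticated packet the sending router emits."""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError("no key in the chain has a valid send-lifetime")
    return k.key_id, payload, md5_digest(payload, k.key_string)


def receive_hello(chain: KeyChain, packet: Packet, now: float) -> str:
    """Verify an incoming packet; returns the outcome 'debug eigrp packet' would show."""
    key_id, payload, digest = packet
    k = chain.accept_key(key_id, now)
    if k is None:                      # unknown key number, or outside accept-lifetime
        return "ignored (invalid authentication)"
    expected = md5_digest(payload, k.key_string)
    # Constant-time comparison so verification time does not depend on the digest bytes
    if hmac.compare_digest(digest, expected):
        return "received packet with MD5 authentication"
    return "ignored (invalid authentication)"


if __name__ == "__main__":
    hello = b"EIGRP HELLO AS=2 from 192.168.10.2"          # constructed payload
    router_b = KeyChain("router-b").add(Key(1, "eigrp"))
    router_a = KeyChain("router-a").add(Key(1, "eigrp"))
    pkt = send_hello(router_b, hello, now=1000)
    print("matching key 1 / 'eigrp':", receive_hello(router_a, pkt, now=1000))
    router_a.keys[1].key_string = "ospf"                    # the post's key-string change
    print("key-string changed to 'ospf':", receive_hello(router_a, pkt, now=1000))
```

The model reproduces the three facts the post relies on: the chain names router-a and router-b differ and it does not matter; a changed key string is rejected as invalid authentication; and a key that is outside its accept-lifetime is rejected the same way, which is the failure mode to watch for when rotating keys with lifetimes on routers whose clocks are not synchronised.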





Friday, 4 February 2011

Network Security Notes: Network Protocols: Understanding EIGRP and IGRP Protocols


Enhanced Interior Gateway Routing Protocol - (EIGRP) is a Cisco proprietary routing protocol loosely based on their original IGRP. EIGRP is an advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router. Routers that support EIGRP will automatically redistribute route information to IGRP neighbors by converting the 32 bit EIGRP metric to the 24 bit IGRP metric. Most of the routing optimizations are based on the Diffusing Update Algorithm (DUAL) work from SRI, which guarantees loop-free operation and provides a mechanism for fast convergence.

What is IGRP?

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing data within an autonomous system.

IGRP is a proprietary protocol. IGRP was created in part to overcome the limitations of RIP (maximum hop count of only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability; to compare two routes these metrics are combined together into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90 seconds (by default).

IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router assumes that all interface addresses within the same Class A, Class B, or Class C network have the same subnet mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP address space.

What is Distance-vector routing protocol?

In computer communication theory relating to packet-switched networks, a distance-vector routing protocol is one of the two major classes of routing protocols, the other major class being the link-state protocol. A distance-vector routing protocol uses the Bellman-Ford algorithm to calculate paths.

A distance-vector routing protocol requires that a router informs its neighbors of topology changes periodically and, in some cases, when a change is detected in the topology of a network. Compared to link-state protocols, which require a router to inform all the nodes in a network of topology changes, distance-vector routing protocols have less computational complexity and message overhead.

Distance vector means that routes are advertised as vectors of distance and direction. 'Direction' is represented by the next hop address and exit interface, whereas 'Distance' uses metrics such as hop count.

Routers using a distance vector protocol do not have knowledge of the entire path to a destination. Instead, a DV router keeps only two pieces of information about a destination:

1. Direction in which or interface to which a packet should be forwarded.
2. Distance from its destination.

Examples of distance-vector routing protocols include Routing Information Protocol Version 1 & 2, RIPv1 and RIPv2 and IGRP. EGP and BGP are not pure distance-vector routing protocols because a distance-vector protocol calculates routes based only on link costs whereas in BGP, for example, the local route preference value takes priority over the link cost.
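The distance-vector exchange described above (each router periodically sends its whole table to its neighbors, and each neighbor keeps only a distance and a direction per destination) is shown here as an added example; it is not code from the original post. The four-router topology and link costs are constructed, the metric is additive as in RIP, and 16 is used as RIP's "unreachable" value.

```python
"""Distance-vector (Bellman-Ford) routing: routers learn (distance, next hop)
vectors only from directly connected neighbours, never the whole topology.

Added example, not from the original post; topology and link costs are
constructed. 16 = infinity is RIP's convention (15 hops maximum).
"""
INFINITY = 16


def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def converge(graph, max_rounds=32):
    """Run periodic update rounds until no table changes.

    Returns (tables, rounds): tables[router][destination] = (distance, next hop).
    """
    # Initially each router knows only itself and its directly connected neighbours
    tables = {r: {r: (0, None)} for r in graph}
    for r, nbrs in graph.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)

    for rnd in range(1, max_rounds + 1):
        changed = False
        # Every router advertises its whole table to every neighbour (the DV trait);
        # the snapshot models "what was on the wire" during this round
        snapshot = {r: dict(t) for r, t in tables.items()}
        for r, nbrs in graph.items():
            for n, link_cost in nbrs.items():
                for dest, (d, _) in snapshot[n].items():
                    candidate = min(d + link_cost, INFINITY)
                    current = tables[r].get(dest, (INFINITY, None))[0]
                    if candidate < current:
                        tables[r][dest] = (candidate, n)   # direction = the advertising neighbour
                        changed = True
        if not changed:
            return tables, rnd
    return tables, max_rounds


if __name__ == "__main__":
    g = build_graph([("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 1), ("R1", "R3", 5)])
    tables, rounds = converge(g)
    print(f"converged after {rounds} rounds")
    for router, table in sorted(tables.items()):
        print(router, {dest: v for dest, v in sorted(table.items()) if dest != router})
```

Each round corresponds to one periodic update interval, which is why a chain of routers takes a number of rounds proportional to its length to converge; that is the slow convergence the OSPF post contrasts with link-state flooding.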

A link-state routing protocol is one of the two main classes of routing protocols used in packet switching networks for computer communications, the other major class being the distance-vector routing protocol. Examples of link-state routing protocols include OSPF and IS-IS.

The link-state protocol is performed by every switching node in the network (i.e. nodes that are prepared to forward packets; in the Internet, these are called routers). The basic concept of link-state routing is that every node constructs a map of the connectivity to the network, in the form of a graph, showing which nodes are connected to which other nodes. Each node then independently calculates the next best logical path from it to every possible destination in the network. The collection of best paths will then form the node's routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbors. In a link-state protocol the only information passed between nodes is connectivity related.

Link state algorithms are sometimes characterized informally as 'each router tells the world about its neighbors'.

Understanding About Diffusing Update Algorithm (DUAL):

DUAL, the Diffusing Update ALgorithm, is the algorithm used by Cisco's EIGRP routing protocol to ensure that a given route is recalculated globally whenever it might cause a routing loop. According to Cisco, the full name of the algorithm is DUAL finite-state machine (DUAL FSM). EIGRP is responsible for the routing within an autonomous system and DUAL responds to changes in the routing topology and dynamically adjusts the routing tables of the router automatically.

EIGRP uses a feasibility condition to ensure that only loop-free routes are ever selected. The feasibility condition is conservative: when the condition is true, no loops can occur, but the condition might under some circumstances reject all routes to a destination although some are loop-free.

When no feasible route to a destination is available, the DUAL algorithm invokes a Diffusing Computation to ensure that all traces of the problematic route are eliminated from the network. At which point the normal Bellman-Ford algorithm is used to recover a new route.

DUAL Operation:

DUAL uses three separate tables for the route calculation. These tables are created using information exchanged between the EIGRP routers. The information is different than that exchanged by link-state routing protocols. In EIGRP, the information exchanged includes the routes, the "metric" or cost of each route, and the information required to form a neighbor relationship (such as AS number, timers, and K values). The three tables and their functions in detail are as follows:

* Neighbor table contains information on all other directly connected routers. A separate table exists for each supported protocol (IP, IPX, etc). Each entry corresponds to a neighbour with the description of network interface and address. In addition, a timer is initialized to trigger the periodic detection of whether the connection is alive. This is achieved through "Hello" packets. If a "Hello" packet is not received from a neighbor for a specified time period, the router is assumed down and removed from the neighbor table.
* Topology table contains the metric (cost information) of all routes to any destination within the autonomous system. This information is received from neighboring routers contained in the Neighbor table. The primary (successor) and secondary (feasible successor) routes to a destination will be determined with the information in the topology table. Among other things, each entry in the topology table contains the following:

"FD (Feasible Distance)": The calculated metric of a route to a destination within the autonomous system.
"RD (Reported Distance)": The metric to a destination as advertised by a neighboring router. RD is used to calculate the FD, and to determine if the route meets the "feasibility condition".
Route Status: A route is marked either "active" or "passive". "Passive" routes are stable and can be used for data transmission. "Active" routes are being recalculated, and/or not available.

* Routing table contains the best route(s) to a destination (in terms of the lowest "metric"). These routes are the successors from the topology table.

DUAL evaluates the data received from other routers in the topology table and calculates the primary (successor) and secondary (feasible successor) routes. The primary path is usually the path with the lowest metric to reach the destination, and the redundant path is the path with the second lowest cost (if it meets the feasibility condition). There may be multiple successors and multiple feasible successors. Both successors and feasible successors are maintained in the topology table, but only the successors are added to the routing table and used to route packets.

For a route to become a feasible successor, its RD must be smaller than the FD of the successor. If this feasibility condition is met, there is no way that adding this route to the routing table could cause a loop.

If all the successor routes to a destination fail, the feasible successor becomes the successor and is immediately added to the routing table. If there is no feasible successor in the topology table, a query process is initiated to look for a new route.
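The successor and feasible-successor selection described above, as an added example that is not part of the original post. The neighbour names, link costs and reported distances are constructed, and the query that follows a loss with no feasible successor is modelled simply as a fresh computation over the surviving paths.

```python
# Added example (not the post's own code): DUAL successor / feasible-successor
# selection over a constructed topology table; all names and metrics are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    neighbor: str   # neighbour that advertised the destination
    link_cost: int  # metric from this router to that neighbour
    rd: int         # Reported Distance: neighbour's own metric to the destination

    @property
    def fd(self) -> int:
        return self.link_cost + self.rd  # Feasible Distance computed locally

def dual_select(paths):
    """Return (successors, feasible_successors).
    Successors: lowest FD. Feasible successors: the rest whose RD is strictly
    below that FD (feasibility condition), which guarantees they are loop-free.
    """
    if not paths:
        return [], []
    best_fd = min(p.fd for p in paths)
    successors = [p for p in paths if p.fd == best_fd]
    feasible = [p for p in paths if p.fd > best_fd and p.rd < best_fd]
    return successors, feasible

def failover(paths, failed):
    """Lose neighbour `failed` and re-run DUAL; return (successors, went_active).
    A surviving feasible successor is promoted at once (route stays Passive).
    With none, the route goes Active and a query runs; modelled here as a
    fresh computation over the surviving paths, as the post describes.
    """
    successors, feasible = dual_select(paths)
    kept = [p for p in successors if p.neighbor != failed]
    if kept:
        return kept, False  # successor path unaffected (or another successor remains)
    feasible = [p for p in feasible if p.neighbor != failed]
    if feasible:
        best = min(p.fd for p in feasible)
        return [p for p in feasible if p.fd == best], False
    surviving = [p for p in paths if p.neighbor != failed]
    return dual_select(surviving)[0], True

# Constructed topology-table entries for 10.0.0.0/24 as seen by router R1
TOPOLOGY = [
    Path("R2", link_cost=10, rd=20),  # FD 30 -> successor
    Path("R3", link_cost=15, rd=25),  # FD 40, RD 25 < 30 -> feasible successor
    Path("R4", link_cost=5, rd=35),   # FD 40, RD 35 >= 30 -> not feasible
]
```

Note that R3 and R4 have the same FD, yet only R3 is a feasible successor: the condition is on the reported distance, not on the total cost.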

Do you know SRI?

SRI International, founded as Stanford Research Institute, is one of the world's largest contract research institutes. Based in the United States, it was established in 1946 by the trustees of Stanford University as a center of innovation to support economic development in the region. It was later incorporated as an independent non-profit organization under U.S. and California laws. SRI's headquarters are in Menlo Park, California, near the Stanford University campus. Curtis Carlson, Ph.D., is SRI's president and CEO. Revenue for 2009 for SRI, including its subsidiary, Sarnoff Corporation, was approximately $470 million. As of 2010, SRI and Sarnoff employ about 1,700 staff members combined.

SRI's mission is discovery and the application of science and technology for knowledge, commerce, prosperity, and peace. It performs client-sponsored research and development for government agencies, commercial businesses, and private foundations. It also licenses its technologies, forms strategic partnerships, and creates spin-off companies. SRI's focus areas include communications and networks, computing, economic development and science and technology policy, education, energy and the environment, engineering systems, pharmaceuticals and health sciences, homeland security and national defense, materials and structures, and robotics. SRI has been awarded more than 1,000 patents and patent applications worldwide.

Understanding About Convergence (routing protocol):

Convergence is an important notion for a set of routers that engage in dynamic routing. For a set of routers to have converged, they must have collected all available topology information from each other via the implemented routing protocol, the information they gathered must not contradict any other router's topology information in the set, and it must reflect the real state of the network. In other words: In a converged network all routers "agree" on what the network topology looks like.

All Interior Gateway Protocols rely on convergence to function properly; it is the normal state of an operational autonomous system. BGP, the exterior gateway protocol, typically never fully converges, because the Internet is too large for changes to be communicated fast enough.

Convergence process:

When a routing protocol process is enabled, a router will attempt to exchange information about the topology of the network. The extent of this information exchange, the way it is sent and received, and the type of information required vary widely depending on the routing protocol in use; see, e.g., RIP, OSPF, and BGP4.

A state of convergence is achieved once all routing protocol-specific information has been distributed to all routers participating in the routing protocol process. Any change in the network that affects routing tables will break the convergence temporarily until this change has been successfully communicated to all other routers.

Basic operation of EIGRP:

The data EIGRP collects is stored in three tables:

* Neighbor Table: Stores data about the neighboring routers, i.e. those directly accessible through directly connected interfaces.

* Topology Table: Confusingly named, this table does not store an overview of the complete network topology; rather, it effectively contains only the aggregation of the routing tables gathered from all directly connected neighbors. This table contains a list of destination networks in the EIGRP-routed network together with their respective metrics. Also for every destination, a successor and a feasible successor are identified and stored in the table if they exist. Every destination in the topology table can be marked either as "Passive", which is the state when the routing has stabilized and the router knows the route to the destination, or "Active" when the topology has changed and the router is in the process of (actively) updating its route to that destination.

* Routing table: Stores the actual routes to all destinations; the routing table is populated from the topology table with every destination network that has its successor and optionally feasible successor identified (if unequal-cost load-balancing is enabled using the variance command). The successors and feasible successors serve as the next hop routers for these destinations.

Unlike most other distance vector protocols, EIGRP does not rely on periodic route dumps in order to maintain its topology table. Routing information is exchanged only upon the establishment of new neighbor adjacencies, after which only changes are sent. EIGRP also supports route tagging.

Another useful link about EIGRP and IGRP:

Introduction to EIGRP (CISCO)


