BGP Routing


What is BGP? The Border Gateway Protocol is the standardized exterior gateway protocol for exchanging routing information among autonomous systems on the Internet; it is the protocol that stitches independently operated networks into one Internet. All true, but unless you are a network engineer it probably does not help much. There are two flavours: external BGP (eBGP), spoken between routers in different autonomous systems, and internal BGP (iBGP), spoken between routers inside the same autonomous system to carry the externally learned routes across it.

Stability or flexibility

Stable, static routing, or MPLS for private circuits between data centres, is enough in many cases. Cloud computing and the Internet of Things (IoT), which gives everything an IP address, create new challenges: how do you keep the network flexible enough to provide access to thousands of servers or sensors at short notice? "For nearly 30 years, we have been informally reaching consensus about how information should be routed across networks using BGP. But there may not be agreement anymore when it comes to future applications like IoT."

You read that right. For decades BGP has been the de facto inter-domain routing protocol, and the stability that comes with its slow, policy-driven structure is a large part of why the Internet works at all. But now we want more: we want scalability and flexibility as well.

The difference between iBGP and eBGP

eBGP sessions run between routers in different autonomous systems, normally over a directly connected link, and the sending router prepends its own AS number to AS_PATH. iBGP sessions run between routers in the same AS and carry the routes learned at the edge across the AS without changing AS_PATH; because a route learned from one iBGP peer is never re-advertised to another iBGP peer, iBGP speakers need either a full mesh of sessions or route reflectors. Both flavours use the same messages and attributes; the difference lies in the advertisement rules and in which attributes (LOCAL_PREF, for example) are meaningful across the session.

The people behind BGP

BGP was designed in 1989 by Kirk Lougheed (Cisco) and Yakov Rekhter (IBM) and first published as RFC 1105; the version in use today, BGP-4, is specified in RFC 4271. The standard practitioner's book on the subject is "BGP: Building Reliable Networks with the Border Gateway Protocol" by Iljitsch van Beijnum (O'Reilly, 2002), which covers all major BGP topics and the mistakes that most commonly go wrong in configuration.

Steps to get started with BGP

Vendor training courses exist for every aspect of routing protocols, but the fastest way in is a virtual lab: open-source BGP daemons (FRRouting, BIRD, OpenBGPD) or vendor virtual routers let you bring up sessions, watch the message exchange and break things safely. If you prefer to go it alone, work through RFC 4271 alongside the book above.

History

RFC 1105 is short and still readable; comparing it with RFC 4271 shows how much of BGP's complexity (CIDR, multiprotocol extensions, 4-octet AS numbers, capabilities) was bolted on afterwards, which is why so much of practical BGP is about policy rather than the protocol itself.

What is the Border Gateway Protocol?

BGP links autonomous systems. What is an Autonomous System? Like a walled town, an AS is a set of networks under one administration that presents itself to the outside world as a unit, with defined entry and exit points for traffic: in our analogy those gates are the BGP border routers. What distinguishes BGP from other routing protocols? Interior protocols such as OSPF and EIGRP find shortest paths by metric inside one administration. BGP is a path-vector protocol: it runs over a TCP session, sends incremental updates rather than periodic full tables, and carries for each prefix the list of autonomous systems the route has passed through together with policy attributes, so that operators can choose routes by business policy rather than by metric alone.

Scaling BGP inside an autonomous system

BGP uses several techniques to keep the number of sessions and the cost of update processing manageable inside an AS.

Route reflectors are used by large networks with many iBGP speakers that do not want to maintain a full mesh of iBGP sessions. A route reflector re-advertises routes learned from one iBGP client to the others, which the plain iBGP rules would forbid, and adds ORIGINATOR_ID and CLUSTER_LIST attributes so that reflection loops can be detected. The number of sessions drops from n(n-1)/2 to roughly one per router.

Peer groups (peer templates) put neighbours that share the same outbound policy into one group so the router builds each update once and sends it to all members instead of computing it per neighbour. Adding or removing a member is cheap, and the configuration stays consistent across the group.

How a BGP speaker talks to its neighbours

A BGP speaker maintains one TCP session with each configured neighbour. Neighbours are configured explicitly with their address and AS number; a speaker does not discover peers, and an incoming TCP connection to port 179 from an address that is not a configured neighbour is refused. For multihop or loopback peering the local source address must also be configured (update-source on Cisco IOS), because the remote side checks that the connection comes from the address it expects.

Why you need routing policies

Routing policies are rules that define how route updates are handled: which routes are accepted from a neighbour, which are advertised to it, and which attributes are changed on the way. They match on criteria such as prefix, AS_PATH, community or the neighbour the update came from, and apply actions such as deny, set LOCAL_PREF or MED, or prepend AS_PATH. Without an inbound policy you accept whatever a neighbour sends, including prefixes it does not own.

BGP version 4 is an application-layer protocol that runs over TCP and is used to exchange routing information between autonomous systems. BGP first appeared in 1989 (RFC 1105) as the replacement for the original Exterior Gateway Protocol (EGP, RFC 904); BGP-4 (RFC 1654, 1994; current specification RFC 4271) added classless routing and CIDR aggregation.

BGP uses TCP port 179. The two endpoints of a BGP session are called neighbours or peers, and a single speaker maintains many sessions at once. Within an AS an interior gateway protocol (IGP) such as OSPF, IS-IS or EIGRP carries the internal topology; BGP carries reachability between autonomous systems and, via iBGP, across the AS.

A BGP session is kept alive by timers. In the OPEN message each side proposes a hold time and the lower value wins; KEEPALIVE messages are then sent at roughly one third of the hold time, and if nothing arrives within the hold time the session is torn down and every route learned over it is withdrawn. RFC 4271 suggests a hold time of 90 seconds; Cisco IOS defaults to 180 seconds with 60-second keepalives, Junos to 90 and 30. Graceful restart (RFC 4724) is a separate mechanism that lets a peer keep forwarding on the old routes while the neighbour's BGP process restarts. Short hold times detect failures faster but make the session more sensitive to congestion; BFD is the usual answer when sub-second detection is needed.

BGP uses four message types

1- OPEN, sent once the TCP connection is up, negotiates the session: AS number, hold time, BGP identifier and capabilities. 2- UPDATE carries routing information: withdrawn prefixes, path attributes and the new prefixes (NLRI) those attributes apply to. 3- NOTIFICATION signals an error and closes the session. 4- KEEPALIVE maintains the session when there is nothing to update. The UPDATE message is the most important one. Its path attributes are what let routers choose between several paths to the same prefix. BGP is called a path-vector protocol because the AS_PATH attribute carries the vector of autonomous systems the route has traversed; the other attributes (origin, next hop, MED, local preference, communities) qualify that path.

An UPDATE does not need to carry a whole routing table. Each UPDATE carries one set of path attributes together with all the prefixes (NLRI) that share exactly those attributes, plus any prefixes being withdrawn; a full table exchange at session start is therefore a stream of many UPDATEs, which the receiver applies incrementally to its Adj-RIB-In. A BGP message is at most 4096 bytes (65535 with the extended-message capability of RFC 8654), and most UPDATEs are far smaller.

Every BGP message starts with a 19-byte header: a 16-byte marker (all ones), a 2-byte total length and a 1-byte type. The UPDATE body that follows has five parts: a 2-byte withdrawn-routes length, the withdrawn prefixes, a 2-byte total path attribute length, the path attributes, and finally the NLRI (the advertised prefixes). A prefix is encoded as its length in bits followed by only as many octets as that length needs. Each path attribute is encoded as a flags byte (optional, transitive, partial, extended length), a type code, a 1- or 2-byte length and the value. To create an UPDATE message we therefore need the common header, the two length fields and the attribute block.

Path Attributes. Each attribute has its own encoding, so here are the ones you will meet most often, with their type codes:

1- ORIGIN (type 1, RFC 4271) - well-known mandatory. How the route entered BGP: IGP (0, injected with a network statement), EGP (1, historical) or INCOMPLETE (2, typically redistributed). Lower is preferred.

2- AS_PATH (type 2, RFC 4271) - well-known mandatory. The sequence of autonomous systems the route has passed through; each AS prepends its own number when sending over eBGP. A router rejects any route whose AS_PATH already contains its own AS, which is BGP's loop prevention. A path with three ASes between you and the origin shows up as a sequence of three AS numbers (more with prepending), nearest neighbour first.

3- NEXT_HOP (type 3, RFC 4271) - well-known mandatory. The IPv4 address packets should be forwarded to; over eBGP it is normally the peer's own address, over iBGP it is carried unchanged unless next-hop-self is configured.

4- MULTI_EXIT_DISC (MED, type 4, RFC 4271; usage guidance in RFC 4451) - optional non-transitive. Tells a neighbouring AS which of several links into your AS you prefer; lower wins, and it is only compared between paths from the same neighbouring AS.

5- LOCAL_PREF (type 5, RFC 4271) - well-known discretionary, carried on iBGP only. A 32-bit value (0 to 4,294,967,295) set by inbound policy that expresses this AS's preference among exit points; higher wins and it is the first tie-breaker in path selection.

6- ATOMIC_AGGREGATE (type 6) and AGGREGATOR (type 7, RFC 4271) - mark routes that were formed by aggregation and identify the aggregating router.

7- COMMUNITIES (type 8, RFC 1997) - optional transitive. 32-bit tags, conventionally written ASN:value, used to mark routes and drive policy. Three well-known values are defined: NO_EXPORT (do not advertise outside the AS or confederation), NO_ADVERTISE (do not advertise to any peer) and NO_EXPORT_SUBCONFED (do not advertise outside the local AS). Extended communities (RFC 4360) and large communities (RFC 8092) widen the format.

8- MP_REACH_NLRI (type 14) and MP_UNREACH_NLRI (type 15, RFC 4760) - optional non-transitive. The multiprotocol extensions carry next hop and NLRI for other address families (IPv6, VPN, EVPN) inside the attribute block instead of in the IPv4-only NLRI field.

Only three attributes are well-known mandatory (ORIGIN, AS_PATH, NEXT_HOP), and every UPDATE that carries NLRI must include them; RFC 4271 section 5 lists the full set. An unrecognised optional transitive attribute is passed on with the partial bit set; an unrecognised optional non-transitive attribute is dropped.
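The following is an added worked example, not code from this article, that encodes and decodes an UPDATE laid out as described above: the 19-byte header, withdrawn routes, the attribute block with flags/type/length/value, and the NLRI. The sample message, ASNs and addresses are constructed; 4-octet AS numbers in AS_PATH (RFC 6793) are assumed, as on any modern session.

```python
"""Encode and decode a BGP-4 UPDATE (RFC 4271 sections 4.1 and 4.3).
Added example for this page, not code from the original article: the sample
message, ASNs and addresses are constructed, and 4-octet AS_PATH encoding
(RFC 6793) is assumed as on any modern session."""
import ipaddress
import struct

MARKER = b"\xff" * 16                       # 16-byte all-ones marker
TYPE_UPDATE, MAX_MESSAGE = 2, 4096          # 1=OPEN 2=UPDATE 3=NOTIFICATION 4=KEEPALIVE; max size without RFC 8654
OPTIONAL, TRANSITIVE, EXT_LEN = 0x80, 0x40, 0x10                            # attribute flag bits
ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, COMMUNITIES = 1, 2, 3, 4, 5, 8  # attribute type codes
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
AS_SEQUENCE = 2

def encode_prefixes(prefixes):
    """Length in bits, then only as many octets as that length needs."""
    out = b""
    for p in prefixes:
        net = ipaddress.ip_network(p)
        out += bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    return out

def decode_prefixes(data):
    prefixes, i = [], 0
    while i < len(data):
        plen, n = data[i], (data[i] + 7) // 8
        octets = data[i + 1:i + 1 + n].ljust(4, b"\x00")              # pad back to four octets
        prefixes.append(f"{ipaddress.IPv4Address(octets)}/{plen}")
        i += 1 + n
    return prefixes

def encode_attr(flags, code, value):
    """flags, type code, 1-byte length (2 bytes when the extended-length bit is set), value."""
    if len(value) > 255:
        flags |= EXT_LEN
    length = struct.pack("!H", len(value)) if flags & EXT_LEN else bytes([len(value)])
    return bytes([flags, code]) + length + value

def build_update(nlri, as_path, next_hop, origin=0, withdrawn=(), med=None, local_pref=None, communities=()):
    attrs = encode_attr(TRANSITIVE, ORIGIN, bytes([origin]))                    # well-known mandatory
    segment = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!I", a) for a in as_path)
    attrs += encode_attr(TRANSITIVE, AS_PATH, segment)                          # well-known mandatory
    attrs += encode_attr(TRANSITIVE, NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
    if med is not None:
        attrs += encode_attr(OPTIONAL, MED, struct.pack("!I", med))             # optional non-transitive
    if local_pref is not None:
        attrs += encode_attr(TRANSITIVE, LOCAL_PREF, struct.pack("!I", local_pref))  # well-known discretionary
    if communities:
        attrs += encode_attr(OPTIONAL | TRANSITIVE, COMMUNITIES, b"".join(struct.pack("!HH", *c) for c in communities))
    w = encode_prefixes(withdrawn)
    body = struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs + encode_prefixes(nlri)
    return MARKER + struct.pack("!HB", 19 + len(body), TYPE_UPDATE) + body

def parse_update(msg):
    """Return {'withdrawn', 'attrs', 'nlri'}; raise ValueError on a malformed message."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != TYPE_UPDATE or length != len(msg) or length > MAX_MESSAGE:
        raise ValueError("not a well-formed UPDATE")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attr_bytes = body[4 + wlen:4 + wlen + alen]
    result = {"withdrawn": decode_prefixes(body[2:2 + wlen]), "attrs": {},
              "nlri": decode_prefixes(body[4 + wlen + alen:])}
    a, i = result["attrs"], 0
    while i < len(attr_bytes):
        flags, code = attr_bytes[i], attr_bytes[i + 1]
        vlen, i = (struct.unpack("!H", attr_bytes[i + 2:i + 4])[0], i + 4) if flags & EXT_LEN else (attr_bytes[i + 2], i + 3)
        val, i = attr_bytes[i:i + vlen], i + vlen
        if code == ORIGIN:
            a["origin"] = ORIGIN_NAMES[val[0]]
        elif code == AS_PATH:
            path, j = [], 0
            while j < len(val):                                              # (segment type, [ASNs]) per segment
                seg_type, n = val[j], val[j + 1]
                path.append((seg_type, list(struct.unpack(f"!{n}I", val[j + 2:j + 2 + 4 * n]))))
                j += 2 + 4 * n
            a["as_path"] = path
        elif code == NEXT_HOP:
            a["next_hop"] = str(ipaddress.IPv4Address(val))
        elif code in (MED, LOCAL_PREF):
            a["med" if code == MED else "local_pref"] = struct.unpack("!I", val)[0]
        elif code == COMMUNITIES:
            a["communities"] = [struct.unpack("!HH", val[k:k + 4]) for k in range(0, len(val), 4)]
    if result["nlri"] and not {"origin", "as_path", "next_hop"}.issubset(a):
        raise ValueError("well-known mandatory attribute missing")
    return result

def origin_as(parsed):
    """Originating AS: last ASN of the last AS_SEQUENCE segment (None for a locally originated route)."""
    seqs = [asns for seg_type, asns in parsed["attrs"].get("as_path", []) if seg_type == AS_SEQUENCE and asns]
    return seqs[-1][-1] if seqs else None

# Constructed sample: AS 64496 announces two prefixes via AS 64497, and one prefix is withdrawn
SAMPLE_UPDATE = build_update(nlri=["192.0.2.0/24", "198.51.100.0/25"], as_path=[64497, 64496],
                             next_hop="192.0.2.1", withdrawn=["203.0.113.0/24"], med=10,
                             communities=[(64497, 100)])
```

Run `parse_update(SAMPLE_UPDATE)` to see the decoded structure; the length check against the header and the mandatory-attribute check are the two places a real implementation must be strict, because a malformed UPDATE is a NOTIFICATION and a session reset, not a silent skip.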

KEEPALIVE is the smallest message: just the 19-byte header. Peers send one every keepalive interval (one third of the negotiated hold time; 60 seconds by default on Cisco IOS) so that the hold timer never expires while the session is idle; if the hold timer does expire, the local router sends a NOTIFICATION and drops the session. Now that you know how UPDATEs are structured, look at where their contents go. RFC 4271 describes three kinds of routing table in a BGP speaker. The Adj-RIB-In holds, per peer, every route received from that peer, after inbound policy but before path selection. The Loc-RIB holds the routes the decision process selected as best, which are what the router installs in its forwarding table and re-advertises. The Adj-RIB-Out holds, per peer, the routes selected for advertisement to that peer after outbound policy. Each is kept per address family, so IPv4 and IPv6 routes live in separate tables.

The Loc-RIB is where the best routes are kept; they are chosen by the decision process described below, using path attributes such as LOCAL_PREF, AS_PATH and MED together with any route maps applied inbound. The Adj-RIB-In keeps all routes learned from a peer whether or not they are currently best; its purpose is to serve as the input to the decision process, so that when the best path is withdrawn the next candidate is already there. Two attributes deserve a closer look before the selection rules: LOCAL_PREF and ATOMIC_AGGREGATE.

LOCAL_PREF selects among all paths received by the AS; higher is preferred, so 200 beats 100, and because it is carried on iBGP every router in the AS agrees on the same exit. ATOMIC_AGGREGATE is a flag. A router that announces an aggregate (a less-specific prefix covering several more-specific ones) and loses path information in doing so, because the contributing routes had different AS_PATHs, sets it to tell recipients that the route must not be de-aggregated into more-specifics. Without it a downstream router could announce a more-specific with an AS_PATH that no longer describes the real path, and loops or misrouting could follow.

The last thing we cover here is BGP communities, a simple and powerful mechanism for attaching tags to routes so that later policy can act on them. A community value has no fixed meaning in the protocol; each operator defines its own, and Cisco and Juniper both let you set and match standard, extended and large communities. The conventional form is ASN:value, two 16-bit halves of a 32-bit number, so the value part ranges from 0 to 65535. Typical uses are marking where a route was learned (customer, peer, transit) so that outbound policy can decide what to export, and action communities that tell an upstream to prepend, lower preference or blackhole the prefix.

Finally, a BGP session moves through six states (the RFC 4271 finite state machine): Idle (no connection attempted), Connect (TCP connection in progress), Active (TCP failed, retrying), OpenSent (OPEN sent, waiting for the peer's OPEN), OpenConfirm (OPEN accepted, waiting for the first KEEPALIVE) and Established (routes are exchanged). A session that flaps between Idle, Connect and Active usually has a TCP-level problem: filtering of port 179, a wrong source address or an MD5 key mismatch.

BGP Path Selection Process - Now that you have a good grasp of UPDATE packets, let's move on to more complex things. The path selection process decides which of several paths to a prefix is installed and advertised, or which exit link is used when several exist.

BGP path selection differs from IGP metric calculation. An IGP sums link costs; BGP walks an ordered list of tie-breakers over the attributes that arrived with the route and over local policy, and the first rule that distinguishes the candidates wins. The order is specified in RFC 4271 section 9.1 and extended slightly by every vendor (Cisco adds a local "weight" step in front). MEDs are the step most often misunderstood, so they get a note of their own below.

BGP Decision Process - Before the decision process runs, two checks eliminate unusable paths. A path whose AS_PATH contains the local AS is rejected outright: that is the loop prevention rule. A path whose NEXT_HOP is not reachable in the routing table is ignored until it becomes reachable, because installing it would blackhole traffic. Only the survivors compete, and policy applied inbound (route maps setting LOCAL_PREF, for example) has already run by then.

BGP Decision Process - The ordering most implementations apply is:

1) Prefer the highest LOCAL_PREF (Cisco first prefers the highest locally configured weight).

2) Prefer locally originated routes (network or aggregate statements, redistribution) over learned ones.

3) Prefer the shortest AS_PATH; an AS_SET segment counts as one, and confederation segments are not counted.

4) Prefer the lowest ORIGIN: IGP before EGP before INCOMPLETE.

5) Prefer the lowest MED, comparing only paths received from the same neighbouring AS unless always-compare-med is configured.

6) Prefer eBGP-learned paths over iBGP-learned paths.

7) Prefer the path whose NEXT_HOP has the lowest IGP metric.

8) If multipath is enabled, install the remaining equal paths; otherwise prefer the oldest path (to dampen oscillation), then the lowest BGP router ID, then the lowest neighbour address.

The rules are strictly ordered: a later rule is consulted only when every earlier one tied.
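As an added example (not from the original page), here is the decision process above implem ented over a constructed set of candidate paths for one prefix, including the two pre-checks. It follows RFC 4271 plus the usual vendor tie-breakers and leaves out Cisco's proprietary weight step; the ASNs, next hops and router IDs are made up.

```python
"""BGP best-path selection over several candidate paths for one prefix.
Added example for this page, not code from the original article. The order
follows RFC 4271 section 9.1 plus the tie-breakers all major implementations
apply; Cisco's proprietary 'weight' step is omitted. All paths are constructed."""
from dataclasses import dataclass

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}


@dataclass
class Path:
    next_hop: str
    as_path: list                  # AS_SEQUENCE, first element = neighbouring AS
    origin: str = "IGP"
    local_pref: int = 100          # default when the attribute is absent (eBGP-learned)
    med: int = 0                   # a missing MED is treated as 0
    ebgp: bool = True
    igp_metric: int = 0            # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"     # BGP identifier of the peer that sent the path
    locally_originated: bool = False


def usable(path, local_as, reachable_next_hops):
    """Checks that run before the decision process (RFC 4271 section 9.1.2)."""
    if local_as in path.as_path:                   # own AS in AS_PATH: routing loop, reject
        return False
    return path.next_hop in reachable_next_hops    # NEXT_HOP must resolve in the RIB


def neighbor_as(path):
    return path.as_path[0] if path.as_path else None


def best_path(paths, local_as, reachable_next_hops, always_compare_med=False):
    """Return the selected Path, or None if nothing is usable."""
    cands = [p for p in paths if usable(p, local_as, reachable_next_hops)]
    if not cands:
        return None

    def keep(key, want_max):                       # keep the candidates that tie on this step
        target = (max if want_max else min)(key(p) for p in cands)
        return [p for p in cands if key(p) == target]

    cands = keep(lambda p: p.local_pref, True)                # 1 highest LOCAL_PREF
    if any(p.locally_originated for p in cands):              # 2 locally originated
        cands = [p for p in cands if p.locally_originated]
    cands = keep(lambda p: len(p.as_path), False)             # 3 shortest AS_PATH
    cands = keep(lambda p: ORIGIN_RANK[p.origin], False)      # 4 lowest ORIGIN
    if always_compare_med:                                    # 5 lowest MED ...
        cands = keep(lambda p: p.med, False)
    else:                                                     # ... compared only within one neighbouring AS
        lowest = {}
        for p in cands:
            lowest[neighbor_as(p)] = min(lowest.get(neighbor_as(p), p.med), p.med)
        cands = [p for p in cands if p.med == lowest[neighbor_as(p)]]
    if any(p.ebgp for p in cands):                            # 6 eBGP over iBGP
        cands = [p for p in cands if p.ebgp]
    cands = keep(lambda p: p.igp_metric, False)               # 7 lowest IGP metric to NEXT_HOP
    cands = keep(lambda p: tuple(int(o) for o in p.router_id.split(".")), False)  # 8 lowest router ID
    return cands[0]


LOCAL_AS = 64511
REACHABLE = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.1.1.1"}  # next hops known to the IGP

# Constructed candidates for 192.0.2.0/24, originated by AS 64505
CANDIDATES = [
    Path("10.0.0.1", [64496, 64505], med=50, igp_metric=10, router_id="10.0.0.1"),
    Path("10.0.9.9", [64497, 64505], local_pref=300, router_id="10.0.9.9"),             # next hop unreachable
    Path("10.0.0.2", [64496, 64505], med=20, igp_metric=10, router_id="10.0.0.2"),      # same neighbour AS, lower MED
    Path("10.0.0.3", [64498, 64505], med=0, igp_metric=30, router_id="10.0.0.3"),
    Path("10.0.0.4", [64499, LOCAL_AS, 64505], local_pref=500, router_id="10.0.0.4"),   # contains our AS: loop
    Path("10.1.1.1", [64498, 64505], ebgp=False, igp_metric=1, router_id="10.1.1.1"),   # iBGP-learned
]
```

With the constructed candidates the winner is the path via 10.0.0.2: the LOCAL_PREF 300 and 500 paths never compete because one has an unreachable next hop and the other contains our own AS, and MED then eliminates the other path from AS 64496. Switching on always-compare-med changes the answer to the AS 64498 path, which is exactly why that knob must be set consistently across an AS.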

BGP Policy - How is all this used in real life? Some common BGP policy examples:

1) Use prefix lists and route maps on every neighbour to control which prefixes you accept from it and which you advertise to it. A customer should only be able to announce the prefixes registered to it, with a maximum prefix length, and a maximum-prefix limit should shut the session down if it suddenly sends far more.

2) Use MED per prefix to tell a neighbouring AS which of your links it should use to reach you. Announcing your preferred entry point makes technical and business sense, but the neighbour is free to ignore MED: it is a hint, not a command, and it is only compared among paths that came from your AS.

3) Use LOCAL_PREF inbound to rank exits by neighbour class: customers highest (you are paid for that traffic), peers next, transit lowest.

4) Use AS_PATH prepending outbound to make a path look longer and so less attractive to the rest of the Internet. AS_PATH manipulation that removes or rewrites other networks' AS numbers defeats loop detection and should not be done; stripping your own private ASes at the edge is the one legitimate case.

5) Publish action communities so customers can steer how you treat their routes (prepend towards a given upstream, lower LOCAL_PREF, blackhole) without opening a ticket; most networks document these publicly.

6) Keep policy per neighbour class and stamp routes with a community on ingress that records where they came from, so that outbound policy can guarantee you never advertise a peer's or transit's routes to another peer or transit. Doing so is a route leak: it draws traffic through your network that you are neither paid for nor sized for, and it is one of the most common causes of large outages.
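The following is an added example, not any vendor's code, of the policies listed above expressed as a small route-map engine: a customer inbound policy, a transit inbound policy that drops bogons, your own address space and private ASNs, and a peer outbound policy that exports only customer and own routes, with prepending. The ASNs, prefixes and routes are constructed from the documentation ranges.

```python
"""A miniature route-map engine: ordered clauses that match on prefix-list,
AS_PATH or community and then deny, or permit and set attributes.
Added example for this page, not the code of any router vendor. Routes are plain
dicts, policies are Python lists, and every prefix and ASN is constructed."""
import ipaddress
import re

OWN_AS = 64500
CUSTOMER_TAG = (OWN_AS, 100)       # community stamped on routes learned from customers
OWN_PREFIXES = [("203.0.113.0/24", 24, 32)]
BOGONS = [("0.0.0.0/8", 8, 32), ("10.0.0.0/8", 8, 32), ("127.0.0.0/8", 8, 32),
          ("169.254.0.0/16", 16, 32), ("172.16.0.0/12", 12, 32),
          ("192.168.0.0/16", 16, 32), ("224.0.0.0/3", 3, 32)]


def prefix_list_match(prefix, entries):
    """entries are (network, ge, le): match if prefix lies inside network and ge <= length <= le."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(base)) and ge <= net.prefixlen <= le
               for base, ge, le in entries)


def as_path_match(as_path, regex):
    """Match a regex against the AS_PATH written as space-separated ASNs, as routers do."""
    return re.search(regex, " ".join(str(a) for a in as_path)) is not None


def is_private_asn(asn):
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def apply_route_map(route, clauses):
    """First matching clause wins; no match is an implicit deny (None). Returns a new dict."""
    for clause in clauses:
        if not clause.get("match", lambda r: True)(route):
            continue
        if clause["action"] == "deny":
            return None
        out = dict(route, communities=list(route.get("communities", [])), as_path=list(route["as_path"]))
        s = clause.get("set", {})
        if "local_pref" in s:
            out["local_pref"] = s["local_pref"]
        if "med" in s:
            out["med"] = s["med"]
        if "prepend" in s:
            out["as_path"] = list(s["prepend"]) + out["as_path"]
        if "community" in s:
            out["communities"].append(s["community"])
        return out
    return None


# Inbound from customer AS 64496: only its registered /24, originated by it, preferred and tagged
CUSTOMER_IN = [
    {"action": "permit",
     "match": lambda r: prefix_list_match(r["prefix"], [("198.51.100.0/24", 24, 24)])
                        and as_path_match(r["as_path"], r"^64496( 64496)*$"),
     "set": {"local_pref": 200, "community": CUSTOMER_TAG}},
]

# Inbound from transit AS 64510: drop bogons, our own space and private ASNs; accept the rest at low preference
TRANSIT_IN = [
    {"action": "deny", "match": lambda r: prefix_list_match(r["prefix"], BOGONS + OWN_PREFIXES)},
    {"action": "deny", "match": lambda r: any(is_private_asn(a) for a in r["as_path"])},
    {"action": "permit", "match": lambda r: prefix_list_match(r["prefix"], [("0.0.0.0/0", 8, 24)]),
     "set": {"local_pref": 50}},
]

# Outbound to a settlement-free peer: customer and own routes only, never transit routes (no route leaks);
# customer routes get two extra prepends so the peer prefers other paths to them
PEER_OUT = [
    {"action": "permit", "match": lambda r: CUSTOMER_TAG in r.get("communities", []),
     "set": {"prepend": [OWN_AS, OWN_AS]}},
    {"action": "permit", "match": lambda r: prefix_list_match(r["prefix"], OWN_PREFIXES)},
]

# Constructed routes as received from the neighbours
CUSTOMER_ROUTE = {"prefix": "198.51.100.0/24", "as_path": [64496], "next_hop": "192.0.2.10"}
CUSTOMER_TOO_LONG = {"prefix": "198.51.100.128/25", "as_path": [64496], "next_hop": "192.0.2.10"}
TRANSIT_ROUTE = {"prefix": "192.0.2.0/24", "as_path": [64510, 64505], "next_hop": "192.0.2.20"}
TRANSIT_HIJACK = {"prefix": "203.0.113.0/24", "as_path": [64510, 64509], "next_hop": "192.0.2.20"}
TRANSIT_PRIVATE = {"prefix": "192.0.2.0/24", "as_path": [64510, 65001, 64505], "next_hop": "192.0.2.20"}
OWN_ROUTE = {"prefix": "203.0.113.0/24", "as_path": [], "next_hop": "0.0.0.0"}
```

The implicit deny at the end of each policy is the important design choice: anything you did not explicitly expect is dropped, so a transit route that reaches the peer-facing policy without the customer community simply never leaves. Real routers add the local AS to AS_PATH when sending, which is why the own-prefix route carries an empty path here.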

BGP Route Reflectors - Once an AS has more than a handful of iBGP speakers, the full mesh (n(n-1)/2 sessions) becomes a burden, and route reflectors (RFC 4456) help. The AS is divided into clusters; each cluster has one or more route reflectors, and the ordinary routers (clients) peer only with their reflectors. A reflector passes routes learned from a client to all its other clients and to its non-client peers, and routes learned from a non-client to its clients, adding an ORIGINATOR_ID and prepending its cluster ID to CLUSTER_LIST so that a route which circles back can be recognised and discarded. Reflectors in different clusters peer with each other as ordinary iBGP non-clients; in a three-cluster network a client peers only with its own reflector, which in turn peers with the reflectors of the other two clusters and learns their routes through them. This removes most sessions, saves CPU, memory and configuration on every client, and keeps routing decisions inside each cluster consistent because the reflector hands every client the same best path. To learn more about BGP route reflectors, check out this excellent article by Randy Bush.
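As an added example (not from the original page), here are the reflection rules just described, with ORIGINATOR_ID and CLUSTER_LIST handling, over a constructed cluster of two clients, one non-client and one eBGP peer. Routes are plain dicts of attributes and the router IDs are made up.

```python
"""Route-reflector advertisement rules (RFC 4456 section 6) with ORIGINATOR_ID
and CLUSTER_LIST loop prevention. Added example for this page, not code from the
original article; the cluster, router IDs and routes are constructed."""
CLUSTER_ID = "10.0.0.100"            # this reflector's cluster ID (its router ID by default)

SESSIONS = {                         # peer -> (session kind, that peer's BGP router ID)
    "R1": ("client", "10.0.0.1"),
    "R2": ("client", "10.0.0.2"),
    "R3": ("nonclient", "10.0.0.3"), # e.g. the reflector of another cluster
    "ISP": ("ebgp", "192.0.2.1"),
}


def reflect(route, received_from, sessions=SESSIONS, cluster_id=CLUSTER_ID):
    """Return {peer: route_to_send} for every peer the reflector advertises this route to."""
    kind, sender_id = sessions[received_from]
    from_ibgp = kind != "ebgp"
    if from_ibgp and cluster_id in route.get("cluster_list", []):
        return {}                    # our cluster ID is already in CLUSTER_LIST: loop, discard
    if kind == "nonclient":          # from a non-client: only to clients (and eBGP peers)
        targets = [p for p, (k, _) in sessions.items() if k in ("client", "ebgp")]
    else:                            # from a client or from eBGP: to everyone except the sender
        targets = [p for p in sessions if p != received_from]
    originator = route.get("originator_id", sender_id if from_ibgp else None)
    out = {}
    for peer in targets:
        peer_kind, peer_id = sessions[peer]
        if peer_kind == "ebgp":      # reflector attributes are non-transitive: strip them for eBGP
            out[peer] = {k: v for k, v in route.items() if k not in ("originator_id", "cluster_list")}
            continue
        if originator == peer_id:
            continue                 # never hand a route back to the router that originated it
        sent = dict(route)
        if from_ibgp:                # reflecting: record the originator and prepend our cluster
            sent["originator_id"] = originator
            sent["cluster_list"] = [cluster_id] + list(route.get("cluster_list", []))
        out[peer] = sent
    return out
```

A route learned from client R1 goes to R2, R3 and the ISP; one learned from non-client R3 goes only to the clients and the ISP; one carrying our own cluster ID is dropped on arrival. Those three outcomes are the whole of what a reflector adds to plain iBGP.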

OPNET - If you are interested in learning how to design, build and troubleshoot complex enterprise networks, this free online course covers just that. It is self-paced, so there are no deadlines other than the ones you set yourself; a weekend works well. The final exam is challenging, so do not give up if you fail it the first time.

Work process

OPNET Modeler is a proprietary commercial package widely used by ISPs and telcos to design and simulate networks at OSI layers 1 to 4. It also serves to learn how TCP/IP behaves in practice without access to expensive routers and switches. The installer supports Windows 7 32-bit and newer; on an older Windows release this guide may not work.

System Requirements - OPNET Modeler needs at least 6 GB of memory, since it uses about 120 MB per simulated host at runtime, 2 GB of disk space for the Controller node, and at least 16 GB of shared-folder space if you want to simulate more devices.

Creating A Simulation - Each simulation has two components: the Modeler Client and the Modeler Controller. The client displays the network topology; the controller sends commands and configuration updates to each simulated device to maintain its state.

Simulation Topologies - Each device has its own configuration file, so the initial configuration must be created manually for each one. This example is based on Cisco IOS routers, which my home lab uses and which I know best; if you want to import Juniper or Arista configurations, OPNET ships scripts in the SDK\Scripts folder that convert them automatically.

The first part of the simulation consists of three stages: 1) defining a network topology, 2) initializing devices with a factory default configuration and 3) saving the simulation so that you can stop working on it without losing progress.

Network Topology - To define a network topology, use the Network Layout utility in the OPNET Modeler directory; it opens a window for selecting and adding virtual links and devices to the simulation:

So that nothing breaks by mistake, and so that any piece can be removed later during troubleshooting, start by removing all links between routers; we are building this from scratch:

Initializing Routers - This step is only required if you want to bring up a device with a specific configuration or in its factory default state; otherwise it comes up as 'DOWN'. Leaving devices down is sometimes useful, for example while isolating which one is the source of a DoS. To control this, open the configuration window and click 'Define from script...' in its menu:

Configure devices - The final step is to import a device into the simulation: connect it to an existing link, configure its interface(s), set its hostname and run the initial configuration script. Start by running the import wizard for each router, found in OPNET Modeler's directory, and select your model from the drop-down list:

After clicking Next, choose where to save the network topology file. It stores everything about the simulation: the links between devices, the ports they are connected to (from the Network Layout utility) and each device's configuration file, an XML-based format that usually contains several network statements:

After clicking Next again, select the router model from the drop-down list, give it a description and note which interfaces/ports the simulation needs:

Before Cisco IOS devices can be used inside OPNET, a TFTP server must be installed, because IOS fetches its initial configuration over TFTP at boot. If everything goes well, the next time you bring up a virtual router without specifying a configuration it will load the default startup-config from the TFTP server directory.

Initializing devices with factory defaults is then easy: bring each one up inside OPNET Modeler and it uses the TFTP server you configured to download its initial configuration. To check the status of all devices in the simulation, go to Simulation Control, click Devices and select your router if you have several:

The last thing covered here is scripting, which helps when the same configuration task must be repeated on many devices: instead of typing commands on each one, the settings are applied before the device comes online. There are two types of script in the SDK\Scripts folder:

1) Startup scripts - Each device has a startup script that runs when it boots. Open it in a text editor to see how the configuration is generated per device; in Tcl the per-address loop is written with foreach:

    router(config)#tclsh
    foreach address { 10.100.100.100/29 10.100.101.0/24 } {
        <commands for each interface go here>
    }

2) Initialization scripts - These run for all devices in a range, for one router model, or globally, instead of issuing commands one by one inside OPNET Modeler; from the CLI console:

    router(config)#tclsh app_startup global

After executing this script, all devices inside the simulation are initialized or restarted as appropriate:

    router(config)#tclsh app_startup { <commands> }

These scripts can also set network-wide properties, for example installing a default route with ip route 0.0.0.0 0.0.0.0 xxx, where xxx is the next-hop address of your gateway device.

This book is intended for network engineers who need to configure large-scale, highly available networks in OPNET Modeler.

By reading it you will learn how to design, implement and test an enterprise network for a data centre or telecommunications company using OPNET Modeler, and how to assess the impact of individual failures on the overall design with OPNET's failure and recovery simulation.

After reading it you will understand how to produce models in OPNET Modeler that accurately represent a proposed design. Complex configuration settings and parameter-driven simulation results are explained with real-world examples covering routing protocols (OSPF/OSPFv3, BGP4+, ECMP), MPLS/VPNs, multicast (PIM and IGMPv3), IPv6 migration technologies (6PE, 6VPE), Carrier Supporting Carrier (CSC), Virtual Private LAN Service (VPLS) and FabricPath.

Designing Cisco Networks - A Practitioner's Guide to Building Scalable High-Performance Networks Using Cisco IOS is a newer book that brings you up to speed on basic design techniques and the more advanced technologies for building scalable, high-performance networks with Cisco IOS. It also covers the BGP enhancements in the 12.4T and 12.4XW releases, which matter in practice.

BGP hijacking

BGP hijacking is the announcement of IP prefixes that the announcing AS is not authorised to originate, so that other networks send traffic for those prefixes to the hijacker instead of to the legitimate owner. The hijacker either originates the exact prefix with a shorter AS_PATH or, more effectively, a more-specific prefix, which wins on longest-prefix match regardless of path length. Traffic may then be blackholed, inspected or passed on to the real destination, in which case the hijack is a man-in-the-middle attack. Nothing needs to be hacked: a misconfigured or malicious network anywhere on the Internet is enough, and the victim's own routers see nothing wrong. For example, suppose your servers sit in one country and a network on another continent starts announcing your /24 as two /25s. Everyone whose providers accept those announcements now reaches "you" through the hijacker; customers cannot use the service, and many will not try again. The structural defences are prefix filtering based on IRR and RPKI data, route-origin validation on your routers, and monitoring of what the rest of the Internet sees for your prefixes. The hardening steps below protect your own routers and sessions, which is necessary but does not by itself stop a hijack.
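As an added example (not from the original article), here is route-origin validation in the sense of RFC 6811 run over a constructed route-collector view; it flags both forms of hijack described above, a more-specific of your prefix and a foreign origin AS. The ROAs, prefixes and ASNs are made up; in production the ROA set comes from an RPKI validator over RTR (RFC 8210).

```python
"""Route-origin validation (RFC 6811) over a constructed set of announcements.
Added example for this page, not code from the original article. ROAs,
prefixes and ASNs are constructed from the documentation ranges; in production
the ROAs come from an RPKI validator via RTR (RFC 8210)."""
import ipaddress

# ROA = (prefix, maxLength, authorised origin AS)
ROAS = [
    ("203.0.113.0/24", 24, 64500),   # our own /24, no more-specifics allowed
    ("198.51.100.0/22", 24, 64496),  # a customer block, may be announced down to /24
]


def covering_roas(prefix, roas):
    net = ipaddress.ip_network(prefix)
    return [(p, ml, asn) for p, ml, asn in roas if net.subnet_of(ipaddress.ip_network(p))]


def rov_state(prefix, origin_as, roas=ROAS):
    """'Valid', 'Invalid' or 'NotFound', exactly as RFC 6811 defines them."""
    covering = covering_roas(prefix, roas)
    if not covering:
        return "NotFound"                    # no ROA says anything about this space
    plen = ipaddress.ip_network(prefix).prefixlen
    if any(asn == origin_as and plen <= ml for _, ml, asn in covering):
        return "Valid"
    return "Invalid"                         # covered, but wrong origin or too long a prefix


def origin_of(as_path):
    """The originating AS is the last element of AS_PATH (empty path: locally originated)."""
    return as_path[-1] if as_path else None


def flag_hijacks(announcements, roas=ROAS):
    """Return [(prefix, origin_as, reason)] for every Invalid announcement."""
    flagged = []
    for prefix, as_path in announcements:
        origin = origin_of(as_path)
        if rov_state(prefix, origin, roas) != "Invalid":
            continue
        authorised = sorted({asn for _, _, asn in covering_roas(prefix, roas)})
        if origin in authorised:
            reason = "more-specific beyond maxLength"      # right origin, illegitimate length
        else:
            reason = f"origin mismatch (authorised: {authorised})"
        flagged.append((prefix, origin, reason))
    return flagged


# Constructed route-collector view: (prefix, AS_PATH as seen from AS 64510)
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),    # Valid: our prefix, our origin
    ("203.0.113.0/25", [64510, 64500]),    # Invalid: our origin, but longer than maxLength
    ("203.0.113.0/24", [64510, 64509]),    # Invalid: someone else originating our prefix
    ("198.51.100.0/23", [64510, 64496]),   # Valid: within the customer ROA's maxLength
    ("192.0.2.0/24", [64510, 64505]),      # NotFound: no ROA covers it
]
```

Two things the output shows that the text alone does not: an Invalid with the right origin is usually your own misconfiguration (or a deliberate de-aggregation you forgot to cover with a ROA), and NotFound is not safety, only absence of evidence, which is why ROV policy on routers drops Invalid and accepts NotFound rather than the other way round.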

First, we have to conform to the following best practices.

1) Change usernames & passwords - Please set up a firm password policy which includes at least eight characters for username and password, one uppercase letter, one lowercase letter & 1 digit/unique character, e.g., r4ZiZ9MnZtHsGdP. It's also recommended that you use private keys instead of passwords on EX or VRRP interfaces because they are not transmitted across the network in cleartext form.

2) Disable CDP - It's not recommended to run CDP on an interface because of its inherent vulnerability of sending information about the router out to potentially anyone sniffing your network traffic. So if you don't have any use of it, just disable it!

3) Use MD5 keys for OSPF/BGP Authentication - Use HMAC-MD5 (Message Digest 5) authentication on BGP sessions and OSPF database exchanges between directly connected neighbours by specifying the critical chain command on interfaces under the BGP or OSPF process. Although this won't prevent any BGP hijacking attempts, at least all routers used for this attack should be configured the same way, which is very hard!

4) Configure loopback interfaces as BGP peers - This is a must because you should never peer using physical interfaces and instead use loopbacks for this purpose. You can use 1:1 NAT to allow access to your BGP neighbours from the Internet!

5) Enable BFD for faster detection of remote/down BGP neighbours - It's not crucial, but it will make sure that you detect failure scenarios sooner than later if it happens. The main idea is to keep events like "BGP neighbour down" or "BGP Admin Down" event-driven rather than wait until the router is out.

6) Configuration files should be accessible only via TFTP, ssh - Use ACLs on devices to ensure that only SSH & SCP are allowed by IP address, and make sure TFTP must be disabled!

7) Disable unused switch ports - It's not the best practice but if you have a lot of unused switch ports, just disable them instead of keeping them enabled. This is because they may open an entry in your ARP table, representing a host that doesn't exist anymore. You can also use the dynamic ARP inspection feature on Cisco switches running CatOS/IOS-XE so it will prevent any invalid entries from being injected into your network. If you don't have access to your switches, use Port Security with sticky MACs!

8) Don't forward routing packets between BGP peers - Even if you configure BGP between two routers, don't run it in IBGP and EBGP mode on the same router. If your neighbour starts injecting your prefixes into its routing table, all traffic for that prefix will also go through this device, which may disrupt connectivity to the desired destinations! So it's always better to use separate routers for each BGP session and never run them on the same device.

9) Implement BCP38 - This technique blocks spoofed packets from entering or leaving an interface, e.g., routing, DHCP, DNS, ARP, etc. The idea is straightforward: make sure that only legitimate source IPs are allowed to send packets through your router over specific interfaces by dropping anything spoofed. BCP38 is an excellent defence against IP spoofing attacks, but it won't prevent man-in-the-middle attacks!

10) Investigate the source IP before accepting an incoming connection - This concept is part of BCP38, and you can use it to ensure that no attacker enters your network by spoofing address space for well-known services, e.g., 80/TCP or 53/UDP, from random networks on the Internet. If you have a BPF firewall, this is pretty simple to configure using ACLs! In addition, consider strict reverse path forwarding checks on the Internet-facing interfaces of your edge devices, so that only legitimate traffic is allowed in from the Internet and everything else is dropped. We suggest you check out the article by Aaron Woland, which provides a detailed review of BCP38!

11) Control plane policing - Use Control Plane Policing on all edge devices that provide routing capabilities, to avoid DoS and DDoS attacks. The idea is simple: limit the maximum bandwidth consumed by control packets such as routing updates, e.g., OSPF/BGP, while allowing a much higher rate for data flows such as customer network traffic! This never drops legitimate TCP SYN packets; it only polices them so that they don't exceed your configured thresholds.

12) Routing should be hardware-oriented, not software-oriented - Use a separate router for each routing protocol, i.e., OSPF and BGP routers, with all edge interfaces connected to devices physically separate from the chokepoint/aggregation layer. If someone compromises one of your core switches, they may inject bogus routes into your BGP tables, which in most cases will cause a full route flap!

13) Don't put the management interface in a forwarding path - Management interfaces must never be part of the data plane, e.g., routing table, access lists, QoS policies, etc. The reason is straightforward: if someone manages to DoS or DDoS these interfaces, it may cause an outage on your entire network, so always use separate routers for management purposes, and don't locate them at the edge of your network.

14) Use Packet Marking/Rewrite - If you want to perform QoS based on DSCP/IP precedence values, implement a packet marking solution that rewrites these fields inside forwarded packets, e.g., rewrite the Type of Service field or the precedence value according to your configured policies! You can also configure a PBR policy using route maps and ACLs with the help of Cisco's NBAR protocol inspection feature, e.g., drop traffic from unauthorized networks, re-mark all VoIP traffic coming from authorized sources, etc. Keep this in mind! Several free third-party software packages available on the Internet provide this functionality, including VyOS (a Cisco IOS fork) and Quagga. Now let's move on to the next section!

15) Control Plane Policing - Implementing Control Plane Policing is a good solution for your edge devices because it lets you drop unwanted traffic based on source/destination IP addresses, TCP/UDP ports, etc. via ACLs or route maps without dropping legitimate packets, e.g., rate-limit OSPF update packets so they don't exceed 512 Kbps during peak hours! The only problem with control plane policing is that it will not protect against application-layer attacks such as SYN floods or HTTP floods, because it has no stateful firewall capability.
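Points 11 and 15 describe the same idea: a per-class token-bucket policer in front of the route processor. The following simulation is an added example, not vendor code; the classes, the burst sizes and the packet trace are constructed assumptions, while the 512 kbps rate for the routing class is the figure used in the text. It shows why a burst of OSPF updates above the configured rate is policed while a single BGP UPDATE arriving later still conforms, and why unclassified traffic is dropped outright.

```python
"""Control plane policing modelled as per-class token buckets. Added example;
the rates, classes and packet trace are constructed, not taken from a real device."""
import collections


class TokenBucket:
    """Single-rate policer: tokens (bytes) refill at rate_bps and are capped at burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0            # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)      # the bucket starts full
        self.last = 0.0

    def conform(self, now, size):
        """Refill for the elapsed time, then spend tokens if the packet fits."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


# Constructed CoPP policy: routing protocols get 512 kbps (the figure used above),
# management a little less, and anything unclassified is dropped outright.
CLASS_OF = {"ospf": "routing", "bgp": "routing", "bfd": "routing",
            "ssh": "management", "snmp": "management"}
POLICY = {"routing": (512_000, 8000),       # (rate in bit/s, burst in bytes)
          "management": (256_000, 4000),
          "undesirable": (0, 0)}


def police(trace, policy=POLICY):
    """Run a (time, protocol, bytes) trace through the policy; count verdicts per class."""
    buckets = {name: TokenBucket(rate, burst) for name, (rate, burst) in policy.items()}
    stats = collections.defaultdict(lambda: {"conform": 0, "exceed": 0})
    for now, proto, size in sorted(trace, key=lambda p: p[0]):
        cls = CLASS_OF.get(proto, "undesirable")
        verdict = "conform" if buckets[cls].conform(now, size) else "exceed"
        stats[cls][verdict] += 1
    return {name: dict(counts) for name, counts in stats.items()}


# Constructed trace: a burst of 10 OSPF updates at t=0, 10 more 100 ms later, then
# at t=1 s one BGP UPDATE, an SSH burst and three unclassified probes.
TRACE = ([(0.0, "ospf", 1000)] * 10 + [(0.1, "ospf", 1000)] * 10
         + [(1.0, "bgp", 1000)] + [(1.0, "ssh", 1500)] * 5 + [(1.0, "chargen", 100)] * 3)

if __name__ == "__main__":
    for name, counts in police(TRACE).items():
        print(f"{name:12s} conform={counts['conform']:3d} exceed={counts['exceed']:3d}")
```

With an 8000-byte burst the first eight OSPF packets conform and two exceed; 100 ms later the bucket has refilled 6400 bytes, so six of the next ten conform. By t=1 s the bucket is full again and the BGP UPDATE passes. Note that the policer only sees sizes and times: as point 15 says, a well-formed flood that stays under the rate is not something CoPP can recognise.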

16) DoS protection - A solution that automatically blocks IP addresses on your Internet-facing firewalls is the best way to protect against any kind of DoS or DDoS attack! The Cisco ASA platform provides an integrated interface that can control access between multiple virtual contexts using ASDM policies, so you won't need dedicated physical devices for each context. In addition, there are many third-party solutions, such as CloudBees and Imperva Incapsula, which provide free plans with certain limitations. Of course, wherever possible, hardware-based solutions are recommended over software-based ones because they are more reliable and secure. However, I will also cover a few software-based solutions for educational purposes!

17) TCP Intercept - The Cisco ASA platform has an integrated Layer 4 traffic inspection engine that can drop packets based on application-layer characteristics such as HTTP/HTTPS URLs, MIME types, file extensions, etc. It's also possible to set a connection limit via ACLs or ASDM policies, so if someone tries to exceed this limit, the packet is dropped by the TCP Intercept mechanism! This is a good feature that should always be enabled, especially on Internet-facing firewalls or IDS devices. There are many free third-party tools available, including Fishguard, Snort, etc.

18) Enable TCP Intercept - Here's a basic diagram of what happens when someone tries to exceed the connection limit on your firewall or IPS device:
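The diagram referred to above is not reproduced here. As an added example (not Cisco's implementation), the following code models the behaviour described: the device counts half-open connections (SYN seen, handshake not completed) per source, refuses new SYNs from a source that is over its limit, and ages out stale entries so a legitimate source recovers. The limit, the timeout, the addresses and the packet sequence are constructed assumptions.

```python
"""Per-source embryonic (half-open) connection limiting, the behaviour the article
attributes to TCP Intercept. Added example with a constructed packet sequence;
the limit and timeout values are assumptions, not a vendor's defaults."""
import collections


class EmbryonicLimiter:
    def __init__(self, per_source_limit=10, timeout=30.0):
        self.limit = per_source_limit
        self.timeout = timeout
        self.half_open = {}                        # (src, sport, dst, dport) -> SYN time
        self.per_source = collections.Counter()    # src -> current half-open count
        self.dropped = collections.Counter()       # src -> SYNs refused

    def _expire(self, now):
        """Age out handshakes that never completed so a stalled source recovers."""
        for flow, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[flow]
                self.per_source[flow[0]] -= 1

    def syn(self, now, src, sport, dst, dport):
        """Return True if the SYN is admitted, False if the source is over its limit."""
        self._expire(now)
        flow = (src, sport, dst, dport)
        if flow in self.half_open:                 # retransmitted SYN, already counted
            return True
        if self.per_source[src] >= self.limit:
            self.dropped[src] += 1
            return False
        self.half_open[flow] = now
        self.per_source[src] += 1
        return True

    def ack(self, now, src, sport, dst, dport):
        """Final ACK of the handshake: the connection is established, stop counting it."""
        flow = (src, sport, dst, dport)
        if self.half_open.pop(flow, None) is not None:
            self.per_source[src] -= 1


def demo():
    """Constructed sequence: a normal client completes its handshakes; a second
    source fires 50 SYNs and never answers, so only the first 10 are admitted."""
    lim = EmbryonicLimiter(per_source_limit=10, timeout=30.0)
    srv, client, noisy = "203.0.113.10", "198.51.100.20", "192.0.2.77"
    for port in (50000, 50001, 50002):
        lim.syn(0.0, client, port, srv, 443)
    lim.ack(0.01, client, 50000, srv, 443)         # two of three handshakes complete
    lim.ack(0.01, client, 50001, srv, 443)
    admitted = sum(lim.syn(0.2 + i * 0.001, noisy, 40000 + i, srv, 443) for i in range(50))
    noisy_half_open_before = lim.per_source[noisy]
    lim.syn(100.0, client, 50003, srv, 443)        # a later packet triggers ageing
    return (admitted, lim.dropped[noisy], lim.per_source[client],
            noisy_half_open_before, lim.per_source[noisy])
```

The state is keyed on the full 4-tuple so a retransmitted SYN is not double-counted, and the per-source counter is what the limit is compared against; the timeout is what keeps a source that merely lost connectivity from being locked out for good.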

19) Link Fragmentation and Interleaving (LFI) - This is an exciting feature that lets you split large Ethernet packets into multiple smaller ones, e.g., 1452 bytes into 2 x 712-byte packets, which are then reassembled on the other side! Cisco calls this "Link Fragmentation and Interleaving"; if you enable it on both sides of your network links, the switch identifies the incoming Ethernet frame size using its hardware capabilities. For example, a Catalyst 6500 can fragment up to 9984 bytes, so in this case we should set the maximum fragment size (MFS) to 1452 bytes and enable LFI! You can also configure the MFS globally using the mls ip cef global configuration command.

20) MTU - Make sure you change your network devices' jumbo/large MTU settings according to your ISP's specific requirements, because if you don't, it may cause severe performance and reliability issues. For this to work correctly, enable "IPv4 Fragmentation Needed" on both sides of your network links. This is a Cisco-proprietary solution that cannot be used on non-Cisco hardware; however, several third-party solutions are available, including jumbo frames on your Ethernet switches!

21) Loopback interface - It's always recommended that you have a separate loopback interface on both sides of your network links, configured with an IP address in the same subnet. This ensures that if there are any routing issues, you'll hear about them from your ISP's NOC rather than waiting for someone to report them!

22) Port mirroring - Good port mirroring settings are one of the most critical steps in troubleshooting or monitoring remote networks, because without this feature it would be tough, if not impossible, to gather valuable statistics about your devices, especially in large networks with hundreds of access points connected to tens or hundreds of switches! In addition, enable "Automatic Port Configuration" on your VTP domain's management switch ports to make sure the port-mirroring destination is correctly identified.

23) AutoQoS - Cisco has an excellent proprietary QoS mechanism called AutoQoS that lets us classify traffic and apply appropriate service policies whenever a device or application tries to exceed its predefined bandwidth limit or traffic priority, e.g., when someone uses more than X% of their bandwidth limit in Y amount of time. We can dynamically drop their packets until they fall back within their limits! The main advantage of this feature is that it needs no configuration when accessing the Internet: enable it on your WAN links, and that's all! You can learn more about this feature in the following Cisco document:

24) Link efficiency - This is a widely used QoS mechanism designed to reduce the packet loss ratio by modifying Ethernet header fields, e.g., Interpacket Gap Time (IPGT), pause frames, etc., which will not affect or alter your devices' behaviour while enabled! For example, suppose you enable "Link Efficiency Mechanism for Wireless" on your access points. In that case, they'll start using the L-SIG TXOP protection feature, which reduces signal collisions among neighbouring wireless clients!

25) Port isolation - If you have several VLANs configured on your network devices, never forget that whenever two ports are configured to belong to the same VLAN, they become members of the same LAN broadcast domain, which means there's almost no chance for these ports to remain isolated! Use port isolation to overcome this and make sure your critical network traffic is not affected by unnecessary broadcasts. Cisco has an excellent document describing how to configure it on your Catalyst switches:

26) Forwarding speed - Enable "IPv4 Fast Switching" on your core/distribution Cisco switches, because it improves overall convergence time when new routes or paths are added to the routing table! This feature is enabled by default, so check that it's working correctly using either the show ip interface brief or the show ip route command on your core/distribution switches.

27) Forward delay - This feature is mainly used by Access Control Lists (ACLs) to determine how long a network prefix stays in the router's routing table, e.g., when an entry from an ACL is added to the routing table, it stays there for a specified amount of time before it expires and is automatically removed! In general, this feature should not be disabled on any device, because it's essential when using IPv6 addresses with a built-in autoconfiguration mechanism that can alter their interface IDs over time!

28) PBR - The Policy-Based Routing feature lets us use multiple routing tables with different rules and match criteria to send specific traffic over different paths, knowing that our BGP routers will handle it at the central site! PBR is widely used in ISP networks for load balancing, because whenever a client at one location tries to communicate with a client at a remote site, we can use PBR to forward their packets across the WAN link even if they're using dynamic routing protocols like EIGRP/OSPF/RIPv2!

29) RIB groups - This feature is similar to PBR, but it's based on several static routes inside a single routing table, which means you'll need multiple routing tables and therefore support from your router vendors, e.g., Cisco supports this feature only on IOS-XR! Just like PBR, RIB groups can be used to load-balance traffic across multiple WAN links, and we'll configure most of the PBR features using Cisco's IOS-XR because it supports all modern routing protocols, so we won't need any redistribution between them, which is a widespread practice in enterprise networks!

30) MPLS - Multiprotocol Label Switching (MPLS) changes the way IP packets are switched/routed inside ISP or large enterprise networks, which makes it harder for attackers to sniff your traffic without knowing your ISP's core addressing scheme (e.g., VLAN IDs, VRF instances, etc.)! This feature is used within pretty much every ISP network you've ever seen, and it's an ingenious way of adding traffic separation or even redundancy/resiliency to your network!

31) GRE - The Generic Routing Encapsulation feature is used to encapsulate a wide range of network-layer protocols inside an outer transport protocol, e.g., it can encapsulate IPv4 and IPv6 packets inside an MPLS data plane, which makes MPLS the best choice for implementing any type of VPN service, including DMVPN, FlexVPN, NHRP, etc.! GRE is commonly used between PE routers to exchange IPv4/IPv6 VPN routes over MPLS backbone networks, so we can use BGP as the primary routing protocol in our enterprise network design!

32) Tunnel interfaces - This feature is used to configure any tunnel encapsulation protocol, like GRE, IP-in-IP, DMVPN Phase 3/4, etc., so that it can be routed through your network without interoperability issues! It's essential to understand this feature's detailed behaviour, because if you don't use it carefully, you'll block all traffic between your core and edge routers, which will make your network unusable!

33) Policy-Based Routing (PBR) - This feature lets us specify multiple static routes with different rules and match criteria to determine how specific packets are treated inside our network! The main advantage of PBR is that the BGP table doesn't need to change to implement new rules, because every routing protocol supports route maps, and therefore we can use external BGP sessions for this purpose!

34) Policy-Based Forwarding (PBF) - This feature is very similar to PBR, but it's applied to outbound traffic, mainly between your edge/access routers and WAN MPLS/Internet links! Based on the source address of a packet, you can define specific actions like load balancing or simple redirection to an alternative interface, which makes PBF very useful during some network issues, with the additional benefit of more control over certain types of traffic, because everything is routed via your central site.

35) Route maps - The main idea behind route maps is to control/manage routes advertised between different protocols! For example, you can use the "bgp always-compare-med" command with the "maximum-paths" option to influence which AS is used for load balancing during the BGP best-path selection process, even if the route doesn't have an MPLS attribute set. In addition, route maps are commonly used on PE-CE links to filter VPN routes before injecting them into customer routing tables. As a result, customers receive only the routes they actually need, or you can change the routes' attributes according to your requirements!
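As an added worked example, not the article's or Cisco's code, the following evaluates a route map the way IOS does on an inbound PE-CE session: sequences are tried in order, the first sequence whose match clause hits decides, a permit applies its set clauses, a deny rejects, and a route that matches nothing is rejected by the implicit deny at the end. The prefix lists, the route map and the customer's announcements are constructed. It also shows why the customer prefix list needs `le` if more-specifics are meant to be accepted.

```python
"""Route-map evaluation as applied inbound on a PE-CE (customer) eBGP session.
Added example: the prefix lists, route map and customer announcements are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    local_pref: int = 100
    communities: list = field(default_factory=list)


def prefix_list_match(entries, prefix):
    """IOS prefix-list semantics: entries in order, first hit decides, implicit deny.
    Each entry is (action, base_prefix, ge, le). With neither ge nor le the match is
    exact; 'le N' allows longer prefixes up to /N; 'ge N' alone allows /N up to /32."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in entries:
        base_net = ipaddress.ip_network(base)
        lo = ge if ge is not None else base_net.prefixlen
        hi = le if le is not None else (net.max_prefixlen if ge is not None else base_net.prefixlen)
        if net.subnet_of(base_net) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def apply_route_map(sequences, prefix_lists, route):
    """Sequences in order: the first sequence whose match clause hits decides.
    'permit' applies the set clauses and accepts the route, 'deny' rejects it,
    and a route that hits no sequence is rejected by the implicit deny."""
    for action, match_list, sets in sequences:
        if match_list is not None and not prefix_list_match(prefix_lists[match_list], route.prefix):
            continue
        if action == "deny":
            return None
        if "local_pref" in sets:
            route.local_pref = sets["local_pref"]
        route.communities = route.communities + sets.get("community", [])
        return route
    return None


# Constructed policy: drop private space and anything shorter than /8, accept only the
# customer's own /24 (exact match: no 'le', so a /25 from them is refused).
PREFIX_LISTS = {
    "BOGONS": [("permit", "10.0.0.0/8", None, 32),
               ("permit", "172.16.0.0/12", None, 32),
               ("permit", "192.168.0.0/16", None, 32),
               ("permit", "0.0.0.0/0", None, 7)],
    "CUSTOMER-PFX": [("permit", "203.0.113.0/24", None, None)],
}
CUSTOMER_IN = [
    ("deny", "BOGONS", {}),
    ("permit", "CUSTOMER-PFX", {"local_pref": 200, "community": ["64496:100"]}),
]


def filter_announcements(announced, route_map=CUSTOMER_IN, prefix_lists=PREFIX_LISTS):
    """Return the routes that survive the inbound route map, with set clauses applied."""
    accepted = []
    for pfx in announced:
        route = apply_route_map(route_map, prefix_lists, Route(pfx))
        if route is not None:
            accepted.append(route)
    return accepted


if __name__ == "__main__":
    for r in filter_announcements(["203.0.113.0/24", "203.0.113.128/25",
                                   "10.1.0.0/16", "198.51.100.0/24"]):
        print(r)
```

Of the four constructed announcements only 203.0.113.0/24 is accepted, with local preference 200 and the community applied; the /25 is refused by the exact-match prefix list, 10.1.0.0/16 by the explicit deny sequence, and 198.51.100.0/24 (not the customer's space) by the implicit deny.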

36) IP SLA - IP Service Level Agreement (SLA) is a Cisco proprietary feature that lets us monitor IP service levels between two specific points inside our network using active traffic! The most common use of IP SLA is to check how many packets can be sent between two sites in a specific time, the average/minimum/maximum latency, loss percentage or jitter, to ensure that our network performs correctly under normal working conditions. Different types of IP SLA operations are available in every enterprise-class router. You need to be familiar with their behaviour, because these features can reveal network connectivity issues before they affect our business!

37) Bidirectional Forwarding Detection (BFD) - This feature lets us monitor links between BGP peers, so we get the fastest possible reaction if one of these interfaces goes down, by immediately triggering removal of the session's routes from the BGP table! BFD is considered superior to GR during network convergence because it's more reliable and faster, making your routing protocol decisions more accurate! You can find more information on this feature's capabilities at that link.

38) Cisco Express Forwarding (CEF) - This mechanism is responsible for switching packets inside our routers based on the FIB table: every time the router receives a frame/packet, it searches its forwarding information base until it finds the entry associated with the packet's destination IP address. The main idea behind CEF is to let every hardware platform switch packets between interfaces without any performance impact, making them ideal candidates for high-availability designs! If you want to learn more about CEF and its features, check this documentation page.

39) Cisco Express Forwarding adjacency - This feature speeds up the router's forwarding process by letting it keep a "fast adjacency" instead of the standard "CEF adjacency," which is similar but slower! The fast adjacency uses dedicated hardware tables like TCAM or SRAM, which speed up the switching process even more than the conventional FIB table. However, you may encounter issues during implementation if you don't use hardware that supports these types of tables, because specific commands require them for this feature to work correctly! Therefore, I've written a document with detailed information about some crucial facts regarding CEF adjacency mode, which you can find here.

40) Cisco Express Forwarding state - Another interesting fact about CEF is that it has two different states: "forwarding" and "disabled." If the router's switching path is down or there's a problem with its hardware resources, the feature is disabled to avoid further problems! These scenarios occur on every type of platform, so you need to be familiar with them, because they might affect your solution design in some specific cases! You can find more information on this subject for each IOS release and hardware model in this document.

41) Unicast RPF - This mechanism applies Reverse Path Forwarding (RPF) checks to unicast traffic arriving on interfaces (or sub-interfaces) of your router. RPF checks whether the interface on which a packet arrived matches the route back to its source address, which means this feature prevents all types of spoofed packets from entering our network! Unicast RPF combined with specific ACLs can be very effective. It can filter out single (or multiple) source addresses regardless of the packet's destination address without using additional resources, reducing CPU utilization compared with "source guard"! It's important to know that Cisco doesn't recommend enabling this feature on interfaces facing ISP or public networks, because these are considered trusted sources; hence, there usually aren't security problems associated with them!
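Points 9, 10 and 41 describe the same check from different angles, and point 38 describes the FIB lookup it depends on. The following added example (not Cisco's implementation) builds a small constructed FIB, performs the longest-prefix-match lookup on it, and applies uRPF in strict and loose mode to constructed packets, including the two cases that need care in practice: a source that only matches the default route, and a source whose route points to Null0.

```python
"""Unicast RPF (strict and loose) as a source-address check against the FIB.
Added example: the FIB, interface names and packets are constructed."""
import ipaddress

# Constructed FIB: prefix -> egress interface ('Null0' marks a discard route).
FIB = {
    "0.0.0.0/0": "Gi0/0",            # default toward the upstream
    "203.0.113.0/24": "Gi0/1",       # customer A
    "198.51.100.0/24": "Gi0/2",      # customer B
    "10.0.0.0/8": "Null0",           # RFC 1918 space discarded at the edge
}
# Longest prefixes first, so the first containing network is the best match.
_NETS = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
               key=lambda e: e[0].prefixlen, reverse=True)


def fib_lookup(address):
    """Longest-prefix match, the lookup CEF performs per packet: (prefix, interface)."""
    addr = ipaddress.ip_address(address)
    for net, iface in _NETS:
        if addr in net:
            return net, iface
    return None, None


def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes the check.
    strict: the route back to the source must leave via the ingress interface.
    loose:  any non-discard route to the source is enough (for links where the
            return path is expected to be asymmetric).
    The default route is ignored unless allow_default is set; otherwise, in loose
    mode, every source on earth would pass because 0.0.0.0/0 covers it."""
    net, iface = fib_lookup(src)
    if net is None or iface == "Null0":
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


# Constructed packets: (source, ingress interface). The second is a customer-A
# source arriving from the upstream side, which strict mode on Gi0/0 rejects.
PACKETS = [("203.0.113.7", "Gi0/1"), ("203.0.113.7", "Gi0/0"),
           ("10.9.8.7", "Gi0/1"), ("192.0.2.5", "Gi0/1")]


def filter_packets(packets, mode="strict"):
    """Return (source, ingress, verdict) for each packet under the chosen mode."""
    return [(src, ingress, urpf_check(src, ingress, mode)) for src, ingress in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_packets(PACKETS, mode))
```

Strict mode is the BCP38 ingress filter of point 9 expressed as a FIB check rather than an ACL: it needs no maintained list of customer prefixes because the routing table already is that list. Loose mode only rejects sources with no route or a discard route, which is why the Null0 routes for unallocated space matter.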

© Copyright 2024 Geolance. All rights reserved.