Archive for the 'General Networking' Category
One of the most important skills that a network engineer must learn and develop is troubleshooting. I have designed, configured and managed hundreds of networking projects. It's very rare to configure a network (especially a complex one) and have everything running as expected from the first shot. Most of the time a lot of troubleshooting needs to take place in order to bring everything up and have your network run flawlessly.
For CCNA/CCNP candidates, the troubleshooting skill is of paramount importance. In the exam you need to analyze configurations and find what the problem is and what the solution is, check debug output to find what's going wrong on the router or switch, and in general show your ability to troubleshoot in addition to configuring devices.
Troubleshooting, therefore, is an essential skill to learn and to practice. A Cisco CCNA/CCNP engineer will need to perform a lot of it in their career. Of course, if you are a newcomer to the field of networking you will not have enough time from the very beginning to develop and practice your troubleshooting skills. Also, you will not be able to "play" around on the live network of your company or of your clients in order to find out how to solve and troubleshoot problems. So my suggestion is to build a cheap home lab with 1-2 routers and a switch. The troubleshooting skills that you will acquire will be gold knowledge for your career in the future.
Below are some important characteristics of various Dynamic Routing Protocols that are used in Cisco IOS routers.
RIPv2
* Distance Vector Protocol.
* Suitable for small to medium networks.
* Average convergence speed.
* Supports VLSM.
* Supports CIDR.
* Standardized protocol (supports multi-vendor networks).
* Multicast address for updates: 224.0.0.9
* Administrative distance: 120.
* Difficulty to Administer: Low
EIGRP
* Advanced distance vector protocol.
* Suitable for routing in large networks.
* Very high speed of convergence.
* Supports VLSM.
* Supports CIDR.
* Cisco proprietary.
* Multicast address for updates: 224.0.0.10
* Administrative Distance: internal 90, external 170.
* Difficulty to Administer: Medium
OSPFv2
* Link state protocol.
* Suitable for routing in large networks.
* High convergence speed.
* Supports VLSM.
* Supports CIDR.
* Standardized (supports multi-vendor networks).
* Multicast address for updates: 224.0.0.5 / 224.0.0.6
* Administrative distance: 110.
* Difficulty to Administer: Medium
IS-IS
* Link state protocol.
* Suitable for routing in large networks.
* High convergence speed.
* Supports VLSM.
* Supports CIDR.
* OSI standard (supports multi-vendor networks).
* Administrative distance: 115.
* Difficulty to Administer: High.
BGPv4
* Path vector protocol.
* Suitable for the Internet (between Autonomous Systems or within ISP networks).
* Speed of convergence: low.
* Supports VLSM.
* Supports CIDR.
* Standard (supports multi-vendor networks).
* Updates are sent by unicast.
* Administrative distance: eBGP 20, iBGP 200.
* Difficulty to Administer: High.
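The administrative distances listed above only matter when two protocols offer a route to the same prefix; once a route is installed, forwarding is decided by longest-prefix match. The following is an added example, not code from the original post: it reproduces the Cisco IOS default AD values from the notes above and runs a constructed set of candidate routes through route installation and lookup. The prefixes, metrics and next hops are sample values.

```python
"""Route installation by administrative distance, then forwarding by
longest-prefix match. Added example; the AD table reproduces the Cisco IOS
defaults from the protocol notes, the candidate routes are constructed."""
import ipaddress

# Default administrative distances (from the protocol notes above)
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
    "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}

# Constructed candidate routes: (prefix, source protocol, metric, next hop)
CANDIDATES = [
    ("10.1.0.0/16", "rip", 3, "192.0.2.1"),
    ("10.1.0.0/16", "ospf", 20, "192.0.2.2"),
    ("10.1.0.0/16", "eigrp", 3072, "192.0.2.3"),
    ("10.1.5.0/24", "rip", 1, "192.0.2.1"),
    ("0.0.0.0/0", "ebgp", 0, "192.0.2.9"),
]


def build_rib(candidates):
    """Install one route per prefix: the lowest AD wins; within the same source
    the lowest metric wins. Metrics of different protocols are never compared."""
    rib = {}
    for prefix, proto, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        current = rib.get(net)
        if current is None or (ADMIN_DISTANCE[proto], metric) < (
            ADMIN_DISTANCE[current[0]], current[1]
        ):
            rib[net] = (proto, metric, next_hop)
    return rib


def installed_source(rib, prefix):
    """Return which protocol supplied the installed route for a prefix."""
    route = rib.get(ipaddress.ip_network(prefix))
    return route[0] if route else None


def lookup(rib, dst):
    """Forwarding: longest-prefix match. A more specific prefix wins regardless
    of its source's AD, so the RIP /24 beats the EIGRP /16 for hosts inside it."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    proto, _metric, next_hop = rib[best]
    return str(best), proto, next_hop


if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for net, (proto, metric, nh) in sorted(rib.items(), key=lambda kv: kv[0].prefixlen):
        print(f"{str(net):18} via {nh:12} [{ADMIN_DISTANCE[proto]}/{metric}] {proto}")
    for dst in ("10.1.5.7", "10.1.9.1", "203.0.113.5"):
        print(dst, "->", lookup(rib, dst))
```

Running it shows the EIGRP route winning the /16 over OSPF and RIP, while 10.1.5.7 is still forwarded via the RIP /24 because prefix length is evaluated before the source's AD.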
Some Notes about MPLS
Service providers use MPLS (Multiprotocol Label Switching) networks to offer IP connectivity to their clients. The usual connectivity services offered over MPLS networks are Layer 3 VPNs and Layer 2 VPNs (usually point-to-point Layer 2). An MPLS network makes use of two different routing protocols: an Interior Gateway Protocol (usually OSPF or IS-IS), and an extended version of BGPv4 that is used to carry MPLS label information within the MPLS network.
We are slowly approaching the implementation of IPv6 on a mass scale, and so we must be ready to learn some significant differences from IPv4. Also, some IP addressing terms will start to appear with increasing frequency in our day-to-day work. So let's look at some notable concepts that you need to know about IPv6.
– IPv6 addresses are 128 bits long and are expressed in hexadecimal numbers.
– IPv4 addresses are 32 bits long and are represented as four octets separated by periods. Each octet of the address is represented in decimal, taking a possible value between 0 and 255.
Example: 192.168.1.1
– IPv6 addresses are 128 bits long and are expressed in hexadecimal. Groups of four hexadecimal digits are separated by colons.
Example: 2001:75b:a12c:6:c0:a8:1:1
– IPv6 uses different address types. One of them is the link-local address, which is configured automatically on every interface that has IPv6 enabled. Link-local addresses always begin with FE80.
– Similarly, multicast addresses always start with FF0x (where x is a hexadecimal digit between 1 and 8).
– Leading zeros in each group of the address may be dropped. IPv6 addresses are written as 32 hexadecimal digits in 8 groups of 4 digits, separated by colons. When one of these 8 groups begins with zeros, those leading zeros can be omitted.
For example:
FE80:CD00:0000:0CDE:1234:0000:5678:0009
If we drop the leading zeros of each group, the address becomes:
FE80:CD00:0:CDE:1234:0:5678:9
– Consecutive groups of zeros may also be removed.
We often find addresses that have several consecutive all-zero groups. These groups can be collapsed into a single double colon (::).
For example:
FE80:CD00:0000:0000:0000:0000:0010:0127
In this case we can eliminate the consecutive all-zero groups and also drop the leading zeros in the remaining groups. The address thus becomes:
FE80:CD00::10:127
The double colon (::) tells the operating system that everything between the two parts is zeros.
Be careful: you can remove an entire group only when it consists entirely of zeros. Also remember that the double colon (::) can be used only once in each address.
– There is only one loopback address. IPv4 reserves the entire 127.0.0.0/8 network (by convention 127.0.0.1 is used) as the loopback address pointing to the local machine.
IPv6 also has a loopback address, but in this case there is only one, written ::1
Or, in the conventional full format:
0000:0000:0000:0000:0000:0000:0000:0001
– No subnet mask is needed.
In IPv4, each interface is identified by an IP address and a subnet mask.
In IPv6 you can also implement subnets, but this is not necessary. Of the 128 bits that make up an address, the first 48 identify the network prefix, the next 16 are the subnet ID, and the last 64 are the interface identifier. Since 16 bits are reserved for the subnet portion, an IPv6 network can have 65536 subnets.
– DNS service is also available in IPv6.
In IPv4, DNS uses A records to map names to IP addresses. In IPv6, AAAA records (also called "quad A") are used. The domain ip6.arpa is used for reverse name resolution.
– IPv6 addresses can connect over IPv4 networks.
The design of IPv6 allows multiple forms of transition, enabling the deployment of IPv6 networks even when the path must cross IPv4 networks. These transition mechanisms use tunneling over IPv4 networks. The two most popular technologies for this are Teredo and 6to4. The basic idea is that IPv6 packets are encapsulated within IPv4 packets to traverse these networks.
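Both mechanisms embed the IPv4 tunnel endpoints in the IPv6 address itself, which is useful to know when an IPv6 source in a log needs to be traced back to the IPv4 host that actually sent it. The following is an added example, not code from the original post: it builds a 6to4 prefix from a site's IPv4 address and encodes and decodes a Teredo address (2001:0::/32, then server IPv4, flags, the client's UDP port and client IPv4, the last two inverted). The IPv4 addresses and port are constructed from the RFC 5737 documentation ranges, the Teredo flags field uses only the RFC 4380 cone bit, and the results are cross-checked against the ipaddress module's `sixtofour` and `teredo` properties.

```python
"""6to4 and Teredo address encoding/decoding. Added example, not from the post.
Sample IPv4 addresses are constructed from the RFC 5737 documentation ranges."""
import ipaddress

SIXTOFOUR_PREFIX = 0x2002      # 2002::/16 (RFC 3056)
TEREDO_PREFIX = 0x20010000     # 2001:0000::/32 (RFC 4380)


def sixtofour_prefix(ipv4):
    """The /48 a site derives from its public IPv4 address: 2002:AABB:CCDD::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net_int = (SIXTOFOUR_PREFIX << 112) | (v4 << 80)
    return ipaddress.IPv6Network((net_int, 48))


def sixtofour_embedded_ipv4(ipv6):
    """Recover the IPv4 endpoint from a 6to4 address, or None if not 6to4."""
    a = int(ipaddress.IPv6Address(ipv6))
    if a >> 112 != SIXTOFOUR_PREFIX:
        return None
    return ipaddress.IPv4Address((a >> 80) & 0xFFFFFFFF)


def teredo_address(server_ipv4, client_ipv4, client_port, cone=True):
    """Build a Teredo address: prefix | server IPv4 | flags | ~port | ~client IPv4.
    Only the RFC 4380 cone flag (0x8000) is modelled here (assumption)."""
    server = int(ipaddress.IPv4Address(server_ipv4))
    client = int(ipaddress.IPv4Address(client_ipv4))
    flags = 0x8000 if cone else 0
    a = ((TEREDO_PREFIX << 96) | (server << 64) | (flags << 48)
         | ((client_port ^ 0xFFFF) << 32) | (client ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(a)


def teredo_decode(ipv6):
    """Return (server IPv4, client external IPv4, client port) or None."""
    a = int(ipaddress.IPv6Address(ipv6))
    if a >> 96 != TEREDO_PREFIX:
        return None
    server = ipaddress.IPv4Address((a >> 64) & 0xFFFFFFFF)
    port = ((a >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return server, client, port


def cross_check(ipv6):
    """True when the decoders agree with ipaddress.IPv6Address's own properties."""
    ref = ipaddress.IPv6Address(ipv6)
    decoded = teredo_decode(ipv6)
    if ref.teredo is None:
        teredo_ok = decoded is None
    else:
        teredo_ok = decoded is not None and ref.teredo == (decoded[0], decoded[1])
    return ref.sixtofour == sixtofour_embedded_ipv4(ipv6) and teredo_ok


if __name__ == "__main__":
    print("6to4 prefix for 198.51.100.77:", sixtofour_prefix("198.51.100.77"))
    t = teredo_address("192.0.2.45", "198.51.100.77", 40000)
    print("Teredo address:", t, "->", teredo_decode(str(t)))
```

A filter that needs to treat tunneled IPv6 traffic like the underlying IPv4 host (for example, to apply an IPv4 reputation list) can run the decoders over the IPv6 source and act on the embedded address.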
– Many vendors are already able to use IPv6.
Microsoft operating systems from Windows Vista and Windows 7 onward have IPv6 installed by default alongside IPv4 (it can also be installed on Windows XP, but it is not there by default).
Unix and Linux operating systems have also supported IPv6 for years.
Regarding network vendors, Cisco IOS has supported IPv6 for many years, but it is not enabled by default and needs to be explicitly enabled with the command "ipv6 unicast-routing".
– Windows support for IPv6 has some peculiarities.
When a client wants to address a specific port, for example in Internet Explorer, the IP address and port number are separated by a colon:
http://172.16.100.1:8543
In IPv6, since the colon is part of the address notation, the address and port are separated by enclosing the address in square brackets:
http://[FE80:CD00:0:CDE:1234:0:2567:9AB]:8543
This format is not supported on Windows machines because colons are interpreted as referencing an internal drive on the computer.
To solve this problem, Microsoft established a special domain for representing IPv6 addresses on Windows machines. If you reference an IPv6 address using the Universal Naming Convention (UNC), the groups must be separated by dashes instead of colons, and the domain name "ipv6-literal.net" must be appended to the address.
For example, instead of:
http://[FE80:CD00:0:CDE:1234:0:2567:9AB]
You should use:
http://FE80-CD00-0-CDE-1234-0-2567-9AB.ipv6-literal.net
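The two notations above (bracketed literal with a port in a URL, and the dashed ipv6-literal.net name for UNC paths) trip up scripts that split host and port on the first colon. The following is an added example, not code from the original post: it uses `urllib.parse.urlsplit`, which understands bracketed IPv6 hosts, and converts between the colon and dash forms. The handling of a link-local zone ID (`%4` becomes `s4` in the literal name) follows Microsoft's convention and is an addition beyond what the post states.

```python
"""Bracketed IPv6 URL hosts and the ipv6-literal.net form. Added example, not
from the post; the '%zone' -> 's' rule is Microsoft's convention (assumption)."""
import ipaddress
import re
from urllib.parse import urlsplit

LITERAL_SUFFIX = ".ipv6-literal.net"


def split_host_port(url):
    """urlsplit strips the brackets and parses the port after them."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def to_windows_literal(addr):
    """'FE80::1%4' -> 'FE80--1s4.ipv6-literal.net'. Validates the address first."""
    address, _, zone = addr.partition("%")
    ipaddress.IPv6Address(address)          # raises on malformed input
    name = address.replace(":", "-")
    if zone:
        name += "s" + zone
    return name + LITERAL_SUFFIX


def from_windows_literal(name):
    """Reverse of to_windows_literal; 's' cannot be a hex digit, so it is safe
    as the zone separator."""
    if not name.lower().endswith(LITERAL_SUFFIX):
        raise ValueError("not an ipv6-literal.net name")
    body = name[: -len(LITERAL_SUFFIX)]
    address, *zone = re.split("[sS]", body, maxsplit=1)
    address = address.replace("-", ":")
    ipaddress.IPv6Address(address)
    return address + ("%" + zone[0] if zone else "")


def unc_path(addr, share):
    r"""Build '\\<literal name>\<share>' for use in a Windows UNC path."""
    return "\\\\" + to_windows_literal(addr) + "\\" + share


if __name__ == "__main__":
    print(split_host_port("http://[FE80:CD00:0:CDE:1234:0:2567:9AB]:8543/"))
    print(to_windows_literal("FE80:CD00:0:CDE:1234:0:2567:9AB"))
    print(unc_path("fe80::1%4", "share"))
```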
As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use. For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of Distributed Denial of Service (DDoS) attacks are taking a toll on these businesses. While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.
When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.
This article examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.
Why IPS Devices and Firewalls Can’t Stop DDoS Attacks
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products.
IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data. While such security products effectively address "network integrity and confidentiality", they fail to address a fundamental concern regarding DDoS attacks—"network availability". What's more, IPS devices and firewalls are stateful, inline solutions, which means they are vulnerable to DDoS attacks and often become the targets themselves.
How to fight DDoS Attacks
The ideal solution is an Intelligent DDoS Mitigation System (IDMS) that can stop both volumetric and application-layer DDoS attacks. It must also be deployable in the ISP network (in the cloud) and at the enterprise or data-center edge.
Key Features of an IDMS
The limitations of IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be "stateless", that is, it must not track state for every connection. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility increases the scalability of the solution, which is a requirement as the size of DDoS attacks continues to grow.
To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.
Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:
- Stateless
- Inline and Out-of-Band Deployment Options
- Scalable DDoS Mitigation
- Ability to Stop “Distributed” DoS Attacks
- Multiple Attack Countermeasures
- Comprehensive Reporting
- Industry Track Record and Enterprise
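Two of the attributes above, "stateless" and the ability to see a "distributed" attack rather than one segment of it, can be made concrete with a small detector. The following is an added example, not code from the article or any vendor's product: it keeps only per-second byte counters per destination (no per-connection state, so memory does not grow with the number of attacking sources) and flags a destination whose aggregate rate exceeds a threshold for several seconds. The flow records, segment names, addresses and thresholds are constructed; the attack traffic is spread across four ingress segments so that each segment alone stays under the threshold while the combined view does not.

```python
"""Stateless per-destination volumetric detection over flow records from several
ingress segments. Added example; all flow data below is constructed."""
from collections import defaultdict

# Constructed flow samples: (ingress segment, second, destination IP, bytes).
# Normal traffic: 50 kB/s to 203.0.113.10 and 100 kB/s to 203.0.113.20 on edge-a.
# From second 3 on, 300 kB/s reaches 203.0.113.10 through each of four segments.
SEGMENTS = ("edge-a", "edge-b", "edge-c", "edge-d")
FLOWS = []
for sec in range(10):
    FLOWS.append(("edge-a", sec, "203.0.113.10", 50_000))
    FLOWS.append(("edge-a", sec, "203.0.113.20", 100_000))
    if sec >= 3:
        for seg in SEGMENTS:
            FLOWS.append((seg, sec, "203.0.113.10", 300_000))


def per_second_bytes(flows, segment=None):
    """Counters keyed by (second, destination); restrict to one segment if given.
    This is the whole state the detector keeps."""
    buckets = defaultdict(int)
    for seg, sec, dst, nbytes in flows:
        if segment is None or seg == segment:
            buckets[(sec, dst)] += nbytes
    return buckets


def flagged_destinations(flows, threshold_bytes_per_sec, min_seconds, segment=None):
    """Destinations whose per-second inbound volume exceeded the threshold in at
    least min_seconds distinct seconds. Sorted for deterministic output."""
    seconds_over = defaultdict(int)
    for (_sec, dst), nbytes in per_second_bytes(flows, segment).items():
        if nbytes > threshold_bytes_per_sec:
            seconds_over[dst] += 1
    return sorted(dst for dst, n in seconds_over.items() if n >= min_seconds)


def peak_rate(flows, dst, segment=None):
    """Highest single-second byte count seen for a destination."""
    buckets = per_second_bytes(flows, segment)
    return max((n for (_s, d), n in buckets.items() if d == dst), default=0)


if __name__ == "__main__":
    THRESHOLD, MIN_SECONDS = 1_000_000, 3
    for seg in SEGMENTS:
        print(f"{seg}: flagged {flagged_destinations(FLOWS, THRESHOLD, MIN_SECONDS, seg)}")
    print(f"all segments: flagged {flagged_destinations(FLOWS, THRESHOLD, MIN_SECONDS)}")
    print("peak to 203.0.113.10:", peak_rate(FLOWS, "203.0.113.10"), "bytes/s")
```

With a 1 MB/s threshold, no single segment flags anything (each carries at most 350 kB/s to the victim), while the aggregate view reports 203.0.113.10 at 1.25 MB/s for seven consecutive seconds. The same structure extends to packets per second or to per-source-prefix counters without adding connection state.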
Summary
To summarize, the security of a network depends on different elements, each with its own purpose and scope. Network firewalls and Intrusion Prevention Systems (IPS) are the cornerstone of the security of any network. They are excellent at enforcing the security policy and mitigating threats against unauthorized access, network integrity and confidentiality. However, they cannot stop a Distributed Denial of Service attack. For this threat a more suitable defense mechanism is an Intelligent DDoS Mitigation System (IDMS), which detects those distributed attacks and takes proper action to stop them.