For CCNA/CCNP candidates, the troubleshooting skill is of paramount importance. In the exam, you need to analyze configurations and find what the problem and what the solution is, check debug output data to find what’s going wrong on the router or switch, and in general show your ability to troubleshoot in addition to configuring devices.

Troubleshooting, therefore is an essential skill to learn and to practice. A Cisco CCNA/CCNP engineer will need to perform a lot of it in their career. Ofcourse, if you are a newcomer in the field of networking you will not have enough time from the very beginning to develop and practice your troubleshooting skills. Also, you will not be able to “play” around on the live network of your company or of your clients in order to find out how to solve and troubleshoot problems. So my suggestion is to build a cheap home lab with 1-2 routers and a switch. The troubleshooting skills that you will acquire will be gold knowledge for your career in the future.

RIPv2

* Distance Vector Protocol.
* Suitable for small to medium networks.
* Average convergence speed.
* Supports VLSM.
* Supports CIDR.
* Standardized protocols (supports multi-vendor networks.)
* Multicast address for updates: 224.0.0.9
* Administrative distance: 120.
* Difficulty to Administer: Low

EIGRP

* Advanced distance vector protocol.
* Suitable for routing in large networks.
* Very high speed of convergence.
* Supports VLSM.
* Supports CIDR.
* Cisco proprietary.
* Multicast address for updates: 224.0.0.10
* Administrative Distance: internal 90, external 170.
* Difficulty to Administer: Medium

OSPFv2

* Link state protocol.
* Suitable for routing in large networks.
* High convergence speed.
* Supports VLSM.
* Supports CIDR.
* Standardized (supports multi-vendor networks.)
* Multicast address for updates: 224.0.0.5 / 224.0.0.6
* Administrative distance: 110.
* Difficulty to Administer: Medium

IS-IS

* Link state protocol.
* Suitable for routing in large networks.
* High convergence speed.
* Supports VLSM.
* Supports CIDR.
* OSI standard (it supports multi-vendor networks.)
* Administrative distance: 115.
* Difficulty to Administer: High.

BGPv4

* Path vector protocol.
* Suitable for the Internet (between Autonomous Systems or within ISP networks).
* Speed of convergence: low.
* Supports VLSM.
* Supports CIDR.
* Standard (supports multi-vendor networks.)
* Updates unicast.
* Administrative Distance: 20 eBGP, iBGP 200.
* Difficulty to Administer: High.

Some Notes about MPLS

Service Providers use MPLS networks (MultiProtocol Label Switching) to offer IP network connectivity to their clients. The usual connectivity services offered from MPLS networks are Layer3 VPNs and Layer2 VPNs (usually point-to-point Layer 2). An MPLS network makes use of two different Routing Protocols. An Interior Gateway Protocol (usually OSPF or IS-IS) and also BGPv4 which is a modified version of the regular BGP protocol and is used to carry MPLS label information within the MPLS network.

– IPv6 addresses are 128 bits long and are expressed in hexadecimal numbers.

– IPv4 addresses are 32 bits long and are represented as four octets separated by periods. Each octet of the address is represented in decimal, taking a possible value between 0 and 255.
Example: 192.168.1.1

–  IPv6 addresses are 128 bits long and are expressed in hexadecimal numbers. Every four hexadecimal characters are separated by a colon.
Example: 2001:75b: a12c: 6: c0: a8: 1:1

– IPv6 uses different IP address types. One of those types is the link local address that configures itself at every interface that has enabled the IPv6 protocol. The local link interface addresses always begin with FE80.

– Similarly, multicast addresses always start with FF0x (the x represents a hexadecimal digit letter between 1 and 8).

– Zeros at the beginning of each portion of the address may be deleted. IPv6 addresses are expressed as 32 hexadecimal digits separated into 8 groups of 4 digits separated by a colon. When one of these 8 groups of digits begins with zero, it can be eliminated.

For example:
FE80: CD00: 0000: 0CDE: 1234: 0000: 5678: 0009

If we delete the zeros at the beginning of each section the address becomes:
FE80: CD00: 0: CDE: 1234: 0: 5678: 9

–  When there are zeros in several positions, they may also be deleted.
We often find addresses that have multiple sections of zero. These sections can also be suppressed to a single zero.

For example:
FE80: CD00: 0000:0000:0000:0000:0010:0127

In this scenario we can eliminate consecutive groups of zeros and also suppress leading zeros in some groups. Thus, the address becomes:
FE80: CD00 :: 10:127

The double colon expression :: tells the operating system that everything between them are all zeros.

You must be careful because you can delete an entire section only when fully made up with zeros. Also remember that the double colon expression :: can be used only once in each IP address representation.

– There is only one loopback address. IPv4 has reserved the entire network 127.0.0.0 / 8 (it is customary to use address 127.0.0.1) as the loopback address to point to the local machine.

In IPv6 there is also a loopback address, but in this case is only one and represented with :: 1

Or to put it in the conventional way (full format):
0000:0000:0000:0000:0000:0000:0000:0001

– No subnet mask is needed.
In IPv4, each port is identified by an IP address and subnet mask.
In IPv6 you can also implement subnets but this is not necessary. Of the total of 128 bits that make up an address, the first 48 identify the network prefix, the next 16 are the subnet ID, and the last 64 are the interface identifier. Since 16 bits are reserved for the local portion of subnets, in an IPv6 network it is possible to generate 65536 subnets.

– DNS service is also available in IPv6.
In IPv4 DNS service uses the A records to map IP addresses to names. In IPv6 AAAA records are used (also called Quad A). The domain ip6.arpa is used for reverse name resolution.

– IPv6 addresses can connect over IPv4 networks.
The design of IPv6 allows multiple forms of transition, enabling the development of IPv6 networks even when the route must pass through IPv4 networks. These transitional forms use tunneling over IPv4 networks. The two most popular technologies for this are Teredo and 6to4.The basic idea is that IPv6 packets are encapsulated within IPv4 packets to traverse these networks.

– Many vendors are already able to use IPv6.
Microsoft operating systems from Windows Vista and Windows 7 have IPv6 installed by default together with IPv4 (also can be installed on Windows XP, but is not there by default).
Also, Unix and Linux operating systems support IPv6 for years.
Regarding network vendors, Cisco IOS supports IPv6 many years ago, but it is not enabled by default and needs to be explicitly enabled with the command “ipv6 unicast routing”.

– Windows support for IPv6 has some peculiarities.
When a client wants to address a specific port, for example, an IP Address and Port number in Internet Explorer is separated by a colon:

http://172.16.100.1:8543

In IPv6, as the colon is part of the description of the IP address, the IP and Port separation is done using square brackets:

http:// [FE80: CD00: 0: CDE: 1234:0:2567:9AB]: 8543

This format is not supported on Windows machines because when you use colons this is interpreted as referencing an internal drive in the computer.

To solve this problem, Microsoft has established a special domain for the IPv6 address representation in Windows machines. In this way, if you reference an IPv6 address using Universal Naming Convention, the digits must be separated by dashes instead of colons and at the end of the address you must add the domain name “ipv6-literal.net”.

An example, instead of:
http:// [FE80: CD00: 0: CDE: 1234:0:2567:9AB]

You should use:
http://FE80-CD00-0-CDE-1234-0-2567-9AB.ipv6-literal.net

When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.

This article examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.

Why IPS Devices and Firewalls Can’t Stop DDoS Attacks

IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products.

IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data. While such security products effectively address “network integrity and confidentiality”, they fail to address a fundamental concern regarding DDoS attacks—“network availability”. What’s more, IPS devices and firewalls are stateful, inline solutions,
which means they are vulnerable to DDoS attacks and often become the targets themselves.

How to fight DDoS Attacks

The ideal solution is an Intelligent DDoS Mitigation System (IDMS) that can stop both volumetric and application-layer DDoS attacks. It must also be deployable in the ISP network (in cloud) and at the enterprise or data-center edge.

Key Features of an IDMS

The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless,” in other words, it must not track state for all connections. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.

To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.

Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:

- Stateless
- Inline and Out-of-Band Deployment Options
- Scalable DDoS Mitigation
- Ability to Stop “Distributed” DoS Attacks
- Multiple Attack Countermeasures
- Comprehensive Reporting
- Industry Track Record and Enterprise

Summary

To summarize, the security of a network depends on different elements which have their own purpose and scope. Network Firewalls and Intrusion Prevention Systems (IPS) are the cornerstone of the security of any network. They are excellent in enforcing the security policy and mitigating threats against unauthorized access, network integrity and confidentiality. However, they can not stop a Distributed Denial of Service attack. For this threat a more suitable defense mechanism is to use an Intelligent DDoS Mitigation System (IDMS) which detects those distributed attacks and takes proper action to stop them.

In this post I will try to illustrate static routing using a small network scenario (see picture below) and explain also some other issues related with ICMP Redirects and Cisco ASA firewall.

Network Description

From the example network above, we have a Cisco ASA firewall (ASA1) protecting our internal networks from the Internet. LAN1 is a Class C network subnet (10.1.1.0/24) which has user computers connected (this might be the headquarters LAN of the Enterprise). There is also a Router (R1) serving as a WAN router to connect a distant remote office over a WAN link.

At the other side of the WAN link we have R2 which serves as the Hub router having two spokes (R3, R4). There are also two more LAN networks with user computers (LAN2 connected to R3 and LAN3 connected to R4).

The IP addresses assigned to the network are as following:

ASA1 Internal IP: 10.1.1.254

R1 IP on LAN1 network: 10.1.1.253
R1 IP on the WAN link: 192.168.1.1

R2 IP on the WAN link: 192.168.1.2
R2 IP connected with R3: 192.168.2.2
R2 IP connected with R4: 192.168.3.2

R3 IP connected with R2: 192.168.2.1
R3 IP on LAN2 network: 10.2.1.254

R4 IP connected with R2: 192.168.3.1
R4 IP on LAN3 network: 10.2.2.254

LAN1 network: 10.1.1.0/24
LAN2 network: 10.2.1.0/24
LAN3 network: 10.2.2.0/24

Traffic Flow Requirements

We need to have the following communication between networks:

• LAN1 computers need to access the Internet through the ASA and also must be able to communicate with users and servers on LAN2 and LAN3.
• LAN1 users should be able to communicate also with “transit subnets” for troubleshooting and management purposes (“transit subnets” are the point-to-point networks connecting routers between them). These “transit subnets” are 192.168.1.0/30, 192.168.2.0/30, 192.168.3.0/30.
• LAN2 and LAN3 computers need to access the Internet through the ASA and also must be able to communicate with LAN1 network.

Configuration of Static Routing

The intention of this article is to explain static routing only, so I will not get into the full configuration details of all devices in the network. I will just show snippets of commands for static routes.

The general format of a static route command on a Cisco router is:

Router(config)# ip route [destination network] [mask] [gateway address]

The command above tells the router the following information: “if you want to send a packet to the following “destination network”, then send it to this “gateway address”.

The format of a static route command on a Cisco ASA firewall is:

ASA(config)# route [interface name] [destination network] [mask] [gateway]

Now let’s see the commands needed for each router. It’s more convenient to start from the bottom up:

Router R3:

R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2

We just need a default route on this router to send ALL traffic towards R2 gateway address (192.168.2.2).

Router R4:

R4(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.2

Similar with R3, we just need a default route on this router to send ALL traffic towards R2 gateway address (192.168.3.2).

Router R2:

! Default route
R2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Static routes to reach LAN2 and LAN3
R2(config)# ip route 10.2.1.0 255.255.255.0 192.168.2.1
R2(config)# ip route 10.2.2.0 255.255.255.0 192.168.3.1

This is a little tricky. We need both a default route (to send all upwards traffic, including traffic to the Internet, towards R1) and also we need two specific static routes to reach LAN2 and LAN3 network. The two specific static routes (two last lines) are needed for the reply packets from LAN2 and LAN3 and also for LAN1 to be able to reach LAN2/LAN3.

Router R1:

! Default Route towards ASA for Internet Traffic
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.254

! Static routes to reach LAN2 and LAN3
R1(config)# ip route 10.2.1.0 255.255.255.0 192.168.1.2
R1(config)# ip route 10.2.2.0 255.255.255.0 192.168.1.2

! Static routes to reach transit point-to-point networks
R1(config)# ip route 192.168.2.0 255.255.255.252 192.168.1.2
R1(config)# ip route 192.168.3.0 255.255.255.252 192.168.1.2

Firewall ASA1:

ASA1(config)# route outside 0.0.0.0 0.0.0.0 [asa gateway IP]

! Static routes to reach LAN2 and LAN3
ASA1(config)# route inside 10.2.1.0 255.255.255.0 10.1.1.253
ASA1(config)# route inside 10.2.2.0 255.255.255.0 10.1.1.253

The ASA will need a default route towards its default gateway IP (assigned by the ISP), and also two static routes to reach the distant LAN2 and LAN3 networks. You DO NOT need a static route for LAN1 network because it is directly connected to the ASA.

Default Gateway for LAN1 computers

As we said before, one of the traffic flow requirements was to access LAN2 and LAN3 networks from LAN1 computers. If I ask you what should be the default gateway address configured on LAN1 computers, most of you would answer “The ASA internal address 10.1.1.254”. However, this is WRONG. Let me explain why.

Assume you configure the default gateway address for LAN1 hosts to be the ASA address 10.1.1.254. If HostA on LAN1 wants to send traffic to the Internet, then it will send it to its default gateway address (ASA firewall) which will forward the packet to the Internet. So far so good.

However, if HostA wants to send traffic to LAN2 or LAN3 hosts, it will again send the traffic to the ASA which is supposed to send an ICMP Redirect to HostA and tell him “hey, you should really be using 10.1.1.253 to get to LAN2 or LAN3”. However, the Cisco ASA is NOT ABLE to send an ICMP Redirect like it should. Therefore, HostA will never be able to communicate with LAN2/LAN3. If the ASA was a router instead, everything would work fine because routers actually are able to send ICMP Redirects.

So, the correct answer is to configure all hosts on LAN1 network to have Default Gateway address the IP of R1 (10.1.1.253). This way, they will be able to access both the Internet and the other internal LAN networks (LAN2/LAN3).

For any questions or comments please fill out the comment form below.

To allow complete simulations, GNS3 is strongly linked with :

* Dynamips, the core program that allows Cisco IOS emulation.
* Dynagen, a text-based front-end for Dynamips.
* Qemu, a generic and open source machine emulator and virtualizer.

GNS3 is an excellent complementary tool to real labs for network engineers, administrators and people wanting to pass certifications such as CCNA, CCNP, CCIP, CCIE, JNCIA, JNCIS, JNCIE.

It can also be used to experiment features of Cisco IOS, Juniper JunOS or to check configurations that need to be deployed later on real routers.

This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and MacOS X.
Features overview

* Design of high quality and complex network topologies.
* Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.
* Simulation of simple Ethernet, ATM and Frame Relay switches.
* Connection of the simulated network to the real world!
* Packet capture using Wireshark.

Important notice: users have to provide their own IOS/IPS/PIX/ASA/JunOS to use with GNS3.

More Info: http://www.gns3.net/

As its name suggests, the IEEE 802.3ba standard allows for Ethernet services of 40 and 100 Gbps in both LAN and WAN implementations. The initial plan for the fastest Ethernet ever was to develop the technology for the 40 Gbps to support high-speed connections between switches and core servers, while for the 100 Gbps speed the plan was to support transport trunks for Internet and Video over IP. Both standards are applicable for the transport of packets in optical fiber networks.

Of course, as in previous cases, the new standard maintains backward compatibility with the rest of the Ethernet family.

From this information, the organization has considered the implementation of IPv6 vital if we need to continue with the development of the Internet.

IPv4 addresses, with a length of 32 bits, helped to define the Internet address space that we have been using so far, and have 4,294,967,297 possible IP addresses. In January 2010 the barrier of less than 430 million IP addresses not yet allocated is what has caused this warning.

If we run out of IPv4 addresses this means a halt to the spread of the Internet which has grown in a steady pace since 1989, and that is the main business infrastructure in today’s technology. The key to overcoming this limitation: the global adoption of IPv6.

However, many experts argue that implementing NAT may extend the life of IPv4 a few more years. Personally, I believe that further delaying the full migration to IPv6 simply postpones the implementation of a technology that has long been awaiting implementation, which will enable significant improvements in the operation of the Internet while offering new services. The implementation of NAT at the ISP level will only result in limiting the services available, and also hinder the seamless operation of the Internet when IP addresses are translated.

Moreover, major Internet sectors are already operating with IPv6 (China, Japan, parts of Europe and USA), and Internet infrastructure design is ready to support the migration: there is an international backbone running in IPv6, DNS services have updated their record structure etc… in fact, there is already a fully operational IPv6 www. The full migration will simply allow further evolution of the Internet.

Of course, more important than the hardware requirements that the implementation of IPv6 will impose, are the training requirements for networking professionals. IPv6 will bring another opportunity for professionals to train and grow. There are many resources available to start learning about IPV6, some of them are listed below.

http://www.ipv6forum.com/
Number Resource Organization
http://www.ipv6actnow.org/

V5V4TGKX7PVG

The following post is intended to offer you an overview of the different types of routing protocols currently available.

Distance Vector / Link State

The above terms refer to the algorithms that govern the exchange of routing information and the way the optimal path is identified.

Distance vector protocols exchange information previously incorporated in the device’s routing table. The routers know only their immediate neighbor (one hop away). The link-state algorithms on the other hand, exchange information regarding the status of the links in the whole network topology (they have a bigger picture of the network).

Distance vector protocols require less hardware resources, but are sensitive to the formation of routing loops. Link state protocols require more hardware resources but are more efficient and converge better.

The following are distance vector protocols: RIPv1, RIPv2, IGRP, EIGRP.
The following are link-state protocols: OSPF, IS-IS.

Classless / classful.

Classful protocols publish only the address information of the destination network, not the subnet mask, which forces the device receiving the update to assume that the subnet mask is the same as that on its interface, or the default mask that corresponds to the class.

Classless routing protocols however, advertise the subnet mask together with the network address, so the receiving router has full routing information. This allows the implementation of VLSM and CIDR.

Classful protocols: RIPv1, IGRP.
Classless Protocols: RIPv2, EIGRP, OSPF, IS-IS.

Internal Routing Protocols / External Routing Protocols.
The interior routing protocols (or IGP – Interior Gateway Protocols) are designed to operate within the same administrative domain, which means that each device is “confident” about the information received from others.

Exterior routing protocols (or EGP such as BGP), however, are used to manage routing between different administrative domains. In EGP, each administrative domain is independent. It has implemented its own routing policy.

Interior routing protocols: RIPv1, RIPv2, EIGRP, OSPF, IS-IS.
Exterior Routing Protocol: BGPv4.

Every host or device on a TCP/IP network MUST have an IP address assigned in order to communicate with other devices. An IP address consists of a network part and a host part. Think about the Network part as a multi dueling Building Address number, and the Host part as your apartment number inside this building. For example, building address “Building XYZ” is the network IP address part, and “Apartment number 2” is the host address part.    

For example IP address 10.0.0.2 which identifies a single host, contains the network part 10.0.0 and the host part 2. Now, how do devices on the network know which portion is the network part and which is the host part of their assigned IP address? They know this information using the “Subnet Mask”. Every host on a TCP/IP network is configured with an IP address AND a subnet mask. The subnet mask is the one which identifies the Network Part portion of the IP address assigned to the host. For our example above, the host with IP 10.0.0.2 is assigned also a subnet mask 255.255.255.0. If you do a logical AND operation between the IP address and the subnet mask, you will find the Network potion of the address:

10.0.0.2 AND 255.255.255.0 = 10.0.0.0  (The network part is 10.0.0 and the remaining part is the host part. i.e 2 ).

Let’s see a diagram below:

From the picture above, Host A and Host B belong to the same local subnetwork (10.0.0.0/24) and are connected to the same switch together with a router interface. The router interface has also an IP address 10.0.0.254 with the same subnet mask 255.255.255.0 as the two Hosts.

Also, two other hosts (Host C, Host D) belong to another subnetwork (10.1.1.0/24) together with the second interface of the router which has address 10.1.1.254.

Each host has also a default gateway assigned (in addition to IP address and Subnet Mask). Hosts A and B must be configured with a default gateway address of the router interface which is 10.0.0.254. Similarly, Hosts C and D must be configured with a default gateway address of their router which is 10.1.1.254.

How Hosts use the Subnet Mask

When a host wants to communicate with another host, it uses its subnet mask to compare the network portion of its local network IP address with the destination network address of the packet to be sent. Before an end system can send a packet to its destination, it must first determine whether the destination address is on the local network. This is done by comparing the bits in the destination address with the network bits of its own IP address. For example, if Host A wants to send a packet to Host B, it will take the destination address 10.0.0.2 (Host B) and perform an AND operation with its subnet mask. The result will be 10.0.0.0 which will tell Host A that the destination address belongs to the same subnetwork as itself. Therefore it will NOT send the packet to the default gateway (router). Rather, Host A will perform an ARP request (Address Resolution Protocol) to find out the destination MAC address of Host B (ARP protocol maps an IP address with a MAC address). Therefore, Host A will send the packet directly to Host B through the switch without going through the router.

Now, if Host A wants to send a packet to Host C, it will take the destination address 10.1.1.1 of Host C and perform an AND operation with its subnet mask. The result will be
10.1.1.1 AND 255.255.255.0 = 10.1.1.0
which will tell Host A that the destination address has a different network portion than itself (10.1.1). Therefore Host A will have to send the packet to its default gateway (router address 10.0.0.254) in order to reach Host C on the other side of the router.