Hon'ble Prime Minister's Interaction with IT Professionals

DHCP Server and unnecessary traffic for your DHCP server.

Have you ever implemented central DHCP server for all of your network (VLANS), and you used a command "IP Helper-Address? The ip helper-address will actually forward many other UDP-based broadcasts to the address specified as tft, dns, time, netbios-ns, netbios-dgm, tacacs, bootpc, bootps etc. 

Many times it is generating unnecessary traffic for your DHCP server. Have you applied "ip forward-protocol udp ...." command to prevent this?

Voice VLAN and Port Fast Combination on Cisco Switch

The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.

Why?
I will be share shortly. 

Design Tips: Guide for choose VLAN Number

Design Tip— To ensure optimal convergence for voice traffic Cisco recommends that VLAN number assignments be mapped such that the most loss-sensitive applications such as voice are assigned the lowest VLAN numbers on each physical interface, as shown in table:

Table Recommendations for VLAN Assignments 

VLAN Function	VLAN Interface
Wired_Voice_VLAN	7
Wireless_Voice_VLAN	57
Wired_Data_VLAN	107
Wireless_Multicast_VLAN	157

Not all VLANs trunked on a specific interface converge at the same time. Cisco IOS throttles the notifications for VLAN loss to the routing process (EIGRP/OSPF) at a rate of one every 100 msec. As an example, if you configure six VLANs per access switch, upon failure of an uplink, fiber traffic on the sixth VLAN converges 500 msec after the first.

Network Ready for Use Testing (NFRU)

NRFU testing is often a mandatory, final step in certifying that a new network infrastructure has been implemented correctly and is ready to carry production traffic. During NRFU testing, every device is methodically checked to ensure that it has been implemented according to the design specifications and is operating error-free. Network services are verified, devices are added as elements into NMS and Operational Support Systems (OSS) systems, and a baseline of application performance is recorded.

The testing was broken into four separate phases:

• Phase I: During this phase, device-level verification was done. This phase included activities such as serial number verification, line card checks, Cisco IOS level confirmation, and power checks.

• Phase II: This phase included logical configuration and connectivity verification. In this phase, actions such as circuit connectivity verifications, routing protocol checks, and traceroutes were performed. Multicast and QoS configurations were checked.

• Phase III: This included service verification and traffic testing. Service verification included features such as IP telephony, video, wireless, and common IP services (DHCP, DNS, NTP).

• Phase IV: This was the application testing phase. Production applications and network and security management were tested during this phase.

The tests performed in each phase were further broken into three different types:

• Tests that were performed on all Cisco routers and switches installed

• Platform/role-specific tests:

• Access layer switches

• Core layer switches

• Distribution layer switches

• Video distribution switches

• Server farm switches

• Service-specific tests

I will share reset details soon. 

 

Cisco Nexus : Executive Multiple Commands in one Go

Executing multiple CLI's in one go
CLI stands for Command line Interface

N7k-LabSW# show clock ; show switchname ; show license host-id
19:10:59.016 UTC Mon Apr 04 2016
N7k-LabSW
License hostid: VDH=TBM14354170

 # Works for configuration too:

N7k-LabSW# conf t ; hostname N7k-LabSW-DEFAULT ; end
Enter configuration commands, one per line.  End with CNTL/Z.
N7k-LabSW-DEFAULT#

How to router prevent from ARP Strom?

 How to Router Prevent from ARP Strom?
Why some ARP entry will showing in ARP Table after respective time expires?


The extra time is the jitter added to each dynamic ARP entry when it is created. Random jitter is added to the ARP cache timeout in order to avoid synchronous expiration of the ARP entries, which might trigger an ARP storm. Jitter should be a random number between 0 seconds and 30 minutes, with a maximum jitter of 30 minutes.

Bursty Traffic Identification on Switch port

Traffic bursts can cause output drops even when the interface output rate is significantly lower than the maximum interface capacity. By default, the output rates in the show interface command are averaged over five minutes, which is not adequate to capture any short-lived bursts. It is best to average them over 30 seconds. In this case, you can use Wireshark in order to capture egress traffic with the Switched Port Analyzer (SPAN), which is analyzed in order to identify the bursts.

HP 5412R Switch basic configuration - VLAN, SVI, OOBM Management Interface

OSPF Prefix Suppression

OSPF prefix-suppression is a useful feature in order to reduce the number of Link State Advertisement (LSA) that are flooded within an area. In an OSPF area which has multiple transit links between hosts and actual communication is between the hosts. There is no need to advertise the transit link LSAs to all the routers. You can only advertise the LSAs related to end hosts. By default, OSPF advertises all the LSAs that include the transit link LSAs.

OSPF prefix-suppression feature helps to overcome this behavior and reduces the number of Type 1(router) and Type 2(network) LSAs advertised.

This feature can be enabled globally on a router or on per interfaces basis.

OSPF prefix-suppression helps in faster Shortest Path First (SPF) calculation due to less number of prefixes in the database (DB). OSPF Type 3, Type 4, Type 5, or Type 7 LSAs are not suppressed.

Jitter timer in HSRP Protocol

 Jitter timers HSRP Protocol

Jitter timers are used in HSRP. They are recommended for timers running on services that work realtime and scale. Jitter timers are intended to significantly improve the reliability of HSRP, and other FHRP protocols, by reducing the chance of bunching of HSRP groups operations, and thus help reduce CPU and network traffic spikes. In the case of HSRP, a given device may have up to 4000 operational groups configured. In order to distribute the load on the device and network, the HSRP timers use a jitter. A given timer instance may take up to 20% more than the configured value. For example, for a hold time set to 15 seconds, the actual hold time may take 18 seconds.

In HSRP, the Hello timer (which sends the Hello Packet) has a negative Jitter, while the Holddown timer (which checks for failure of a peer) has a positive jitter.

Minor Stack Protocol Version Number Incompatibility Among Stack-Capable Switches

Minor Stack Protocol Version Number Incompatibility Among Stack-Capable Switches


Switches with the same major version number but with a different minor version number are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member. The software detects the mismatched software and tries to upgrade (or downgrade) the switch in VM mode with the switch stack image or with a tar file image from the switch stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features.

The port LEDs on switches in version-mismatch mode will also remain off. Pressing the Mode button does not change the LED mode.

OSPFv2 and OSPFv3 headers

#DoYouKnow #OSFP #Routing

All OSPFv2 packets have a common 24-byte header, and OSPFv3 packets have a common 16-byte header, that contains all information necessary to determine whether OSPF should accept the packet. The header consists of the following fields:

• Version number—The current OSPF version number. This can be either 2 or 3.
• Type—Type of OSPF packet.
• Packet length—Length of the packet, in bytes, including the header.
• Router ID—IP address of the router from which the packet originated.
• Area ID—Identifier of the area in which the packet is traveling. Each OSPF packet is associated with a single area. Packets traveling over a virtual link are labeled with the backbone area ID, 0.0.0.0. .
• Checksum—Fletcher checksum.
• Authentication—(OSPFv2 only) Authentication scheme and authentication information.
• Instance ID—(OSPFv3 only) Identifier used when there are multiple OSPFv3 realms configured on a link.

Cisco router load balancing and CEF (Cisco Express Forwarding)

#DoYouKnow #CiscoTips #Cisco

Per-destination or per-packet load-balancing depends on the type of switching scheme used for IP packets. By default, on most Cisco routers, fast switching is enabled under interfaces. This is a demand caching scheme that does per-destination load-balancing. To set per-packet load-balancing, enable process switching (or disable fast switching), use these commands:

Router(config-if)# no ip route-cache

Now the router CPU looks at every single packet and load balances on the number of routes in the routing table for the destination. This can crash a low-end router because the CPU must do all the processing.

Newer switching schemes such as Cisco Express Forwarding (CEF) allow you to do per-packet and per-destination load-balancing more quickly. However, it does imply that you have the extra resources to deal with maintaining CEF entries and adjacencies.

When you work with CEF, you could ask: Who does the load balancing, CEF or the routing protocol used? The way in which CEF works is that CEF does the switching of the packet based on the routing table which is being populated by the routing protocols.

I like cef...

#Extra tips for my blog readers:

, CEF performs the load-balancing once the routing protocol table is calculated.

Block "Botnet and Control & Command Servers" on Fortigate

Are you making same "big" mistake in Fortigate firewall configuration?  Are you blocking "Botnet & C&C Servers"? He (My friend, Security Implementation Engineer) is unaware or ignoring about configuration changes onward Forti OS 5.4. This is called "Scan Outgoing Connections to Botnet Sites".  Previously it was (5.2)  "Detect Connections to Botnet C&C Servers" in Security Profiles -> AntiVirus. but today this is available "Scan Outgoing Connections to Botnet Sites"  in Network->Interfaces->Edit Interface (WAN).  #securities #Fortigate #fortinet #securityawareness #DoYouKnow

Multicast OSPF LSA (Type 6) on Cisco router

Cisco routers do not support LSA Type 6 Multicast OSPF (MOSPF), and they generate syslog messages if they receive such packets. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets and thus prevent a large number of syslog messages.


Commands:
#Router ospf 0.0.0.1
#ignore lsa mospf

Does ospf having backup path?

 OSPF uses the SPF algorithm. The information contained in a router’s OSPF link state database is the “MAP” that is used to calculate the best path to a remote network. However, unlike EIGRP, OSPF does not keep backup paths to routes, rather, when a route to a network goes down, the SPF algorithm is run again to determine a backup or alternate path.
Keep in mind no backup link.. if there are any dual active paths to any destination with same metric then load balancing will work (default up to 4 Path).

What Do We Mean by Link-States?

What Do We Mean by Link-States?

OSPF is a link-state protocol. We could think of a link as being an interface on the router. The state of the link is a description of that interface and of its relationship to its neighboring routers. A description of the interface would include, for example, the IP address of the interface, the mask, the type of network it is connected to, the routers connected to that network and so on. The collection of all these link-states would form a link-state database.

OSPF LSA in Details

Somedays before (last year), I have published a post about the OSPF LSAs types and definitions. Today I am going to share some more details about the SLAs as which router will generate the which LSAs:

1. 

SLA Name: Router LSA 

Link-State ID: Originating router ID of the router

Generated By: Router LSAs are generated by every router. 

2. 

SLA Name: Network LSA 

Link-State ID: Interface IP address of the DR

Generated By: Network LSAs are generated by the DR on a multi-access segment. They are the representation of the multi-access segment and all the routers attached to the segment. Segments that do not have a DR, such as point-to-point, will not have a network LSA.

3.

SLA Name: Network summary LSA

Link-State ID: Destination network number

Generated By: Network summary LSAs are generated by ABRs. 

4.

SLA Name: ASBR summary LSA

Link-State ID: Router ID of AS boundary router

Generated By: ASBR summary LSAs are also generated by the ABR. This LSA describes the location of an ASBR, not a network. 

5. 

SLA Name: AS external LSA

Link-State ID: External network number

Generated By: Autonomous System (AS) External LSAs are originated by the ASBRs and describe a network outside of the AS.

7. 

SLA Name: NSSA external LSA
Link-State ID: External network number
Generated By: Not-So-Stubby Area (NSSA) external LSAs are originated by the ASBR within the NSSA. These types of LSAs are flooded only throughout the NSSA.

I hope it will very helpful for you!

OSPF Tips - Summarization of Network

#CiscoTips #OSPF #DoYouKnow

An internal summary route is generated if at least one subnet within the area falls in the summary address range and the summarized route metric is equal to the lowest cost of all the subnets within the summary address range. Interarea summarization can only be done for the intra-area routes of connected areas, and the ABR creates a route to Null0 to avoid loops in the absence of more specific routes.

OSPF network planning tips - Summarization of network

#CiscoTips #DoYouKnow #OSPF #Design Summarization design is a process of network planning: One step fails, Network fail::: If the OSPF design includes many ABRs or ASBRs, suboptimal routing is possible. This is one of the drawbacks of summarization. Route summarization requires a good addressing plan—an assignment of subnets and addresses that are based on the OSPF area structure and lends itself to aggregation at the OSPF area borders.

FortiOS is having a site to site VPN replacement

#FortiTips #Tips #DoYouKnow
FortiOS is having a site to site VPN replacement Don't worry. This is a cool feature. FortiOS WAN optimization supports secure SSL-encrypted tunnels between FortiGate units on the WAN. Employing secure WAN Optimization tunnels can replace IPsec VPNs between sites. The result is a single, relatively simple configuration that supports optimization and privacy of communication across the WAN and uses FortiGate SSL acceleration to provide high performance.