Cisco CCNP Enterprise 300-420 ENSLD – Designing Layer 3 Campus

1. Designing Layer 3 Campus

Hello, and welcome to Designing Layer three campus. The purpose of this video is to provide an overview of the topics that will then it familiarizing you with best practices and recommendations, associating them tithe topics presented in a way so they’ll be able to take the information in this section and use it to successfully design and implement the Layer Three campus network. Let’s begin. When we speak of a Layer Three campus, we are referring to the three tiered hierarchical design, and in this first topic we look at how to separate the network function for optimum distribution to core convergence by building redundant triangles as opposed to square traffic patterns. The topics discussed here revolve around echo, cost paths, express forwarding and the considerations pertaining to loss detection using hellos and timers, including a design recognition for achieving reliable and fast convergence. There is then a detailed routing convergence discussion of cost path links within and between each of the core distribution and access layers, explaining the impact single company has on convergence, comparing the different ways in which OSPF and EIGRP handle restoring traffic flows, path selection and routing table updates.

The next topic provides recommendations on reducing CPU processing and avoiding generating unnecessary traffic by careful design of routing neighbor relationships through the access layer. The section transitions to the topic of Route Summarization and begins with defining an internal and external gateway protocol describing the interaction between the various gateway protocols within and between autonomous systems, detailing five denarius, giving an idea of when to use each routing protocol to its most beneficial result. For example, is recommended in a hub and spoke environment with many spokes because no routing adjacencies are required, making it very routing protocol in this scenario. After explaining interior exterior gateway protocols, the second proceeds with detail on route summarization, beginning with how to reduce overhead traffic and the number of routing precomputation and emphasis on summarizing at the distribution layer. Our attention is then directed to redistribution of routing with this practice for how to advertise default routes. Continuing the topic of route redistribution, this detail describing how it works along with defining and explaining the impact of transitive traffic, including an examination on how to avoid transit traffic that may be caused due to a poorly designed topology. Poorly configured filtering.

Included are comparisons with recommendations regarding OSPFEIGRP, BP and as is Another route distribution component is defensive filtering against inaccurate or inappropriate routing traffic, which plays acritical part in protecting the network from disruptions and incorrect advertisements. He next examined the use cases for passive interface configurations in how to influence fast convergence by reducing information exchange with comparisons of how each gateway protocol is affected and responds in both the local area network and Hub Oak Topologies, including describing positive feedback loops and the influence of technologies like nonstop forwarding and graceful restart. The next topic addresses coexistence of IPV Four and IPV Six in the campus net, including information on how each gateway routing protocol accommodates each Pith last topic describes both local and remote network management best practices detailing the fundamental devices that exist on the management model comparing out of band and in band management practices referencing the effect of Qu’s and network inaudible. Translation I trust that this overview has provided you some insight into what you can expect to achieves a result of following Oblation in this section. The three tiered hierarchical design separates the functions of the network into separating blocks to provide for flexibility, availability, scalability, and fault isolation.

The distributor provides for access control and policy enforcement, route aggregation, and the demarcation point between the layer two LAN subnet and the rest of the routed layer three network. The call layers of the network provide high capacity transport between the attached distribution building blocks. The access layer provides connectivity to end devices such as PCBs, poor unified communication components like, phone, email, voicemail and messaging, etc. Designing a campus network may not appear as interesting or exciting as designing an Iptlephonynet, an IP video network, or even designing a wireless network. Emerging applications like Telephony work, IP Video Network oar wireless network are built upon the campus foundation similar to the construction of our house. If the engineering at the foundation level is skipped, the house will crack and eventually fail. If the function, services and design in an enterprise network are not solid, applications that depend on the services offered by the nook like telephony, IP video and wireless communications will eventually suffer reliability and performance challenges.

2. The Benefits of Building Triangles

The benefits of building triangles for optimum distribution to core layer convergence. Build redundant triangles knots squares advantage of equal cost redundant paths for the best deterministic convergence in the equal cost path correlation triangle topology. Each switch has two roots and two associated hardware. Cisco Express Forwarding CEO Herding Adjacency entries how to build redundant links convergence that is based on the up or down state of appoint to point physical link is faster than timer based nondeterministic convergence. Instead of enabler or root loss detection using hellos and dead timers, physical link loss indicates that a path is unusable.

All traffic is rerouted tithe alternative equal cost path. Designing redundant switches with equal cost link is very good for convergence. Each switch has two routes and two CEF forwarding entries before failure. Both CEF entries are used to forward traffic for optimum distribution to call layer convergence redundant triangles not squares to take advantage of equal cost redundant parts for the best deterministic convergence. Designing redundant switches with equal cost link is very good for convergence. Each switch has two roots and two CEF forwarding entries before there is a failure. Both CEF entries are used to forward track the most reliable and fastest converging. Campus design uses a tiered design of redundant switches with redundant equal cost links in case of either a link or node failure. A hierarchical campus using redundant and equal cost path routing enables fastest restoration of all voice and data traffic flows.

Traffic flow restoration occurs in less than 200 milliseconds. Restoration will occur without having to wait for a routing protocolvergence to occur. When failure occurs, switch immediately removes forwarding entry that is associated with the lost neighbor. Forwarding was not interrupted because one valance forwarding entry is still there. No routing protocol convergence was needed before a failure. Traffic is being forwarded using both of these forwarding entries. When failure of an adjacent link or neighbor occurs, the switch hardware and software immediately REM forwarding entry that is associated with the lost neighbor. After the removal of the route and forwarding entries that associated with the lost path, the switch still has a remaining valid root and associated CEF forwarding entry. Because the switch still has an active and valid route, it does not need to trigger or wait for a routing protocol convergence the switch is immediately able to continue forwarding all traffic using the remaining CEF entry. The type takes to reroute all traffic flows in the network depends only on the time that it takes to detect the physical link failure and to date the software and associated hardware forwarding entries.

3. Routing Convergence

Routing convergence The use of equal cost path links within the core of the network and from the access switch to the distributions allows the network to recover from any single component failure without a routing convergence except one. In the case of the layer-two design, every switch in the network has redundant paths upstream and downstream except each individual distribution switch. switch. Downstream the individual distribution switch has a single downstream link to the access switch. In case of loss of the fiber connection between a distribution switch and the access switch, the network must depend on troll plane protocol to restore traffic flows. In the case of the layer two, access convergence depends on spanning tree and first hop redundancy protocol. In the case of layer 3, accessing convergence depends on routing protocol convergence. convergence. If either of the uplinks from the access layer switch fails, V convergence must occur to ensure the optimal recovery time for voice and data traffic flows on campus.

Need to optimize the routing design to ensure a minimal and deterministic convergence time the length of time it for enhanced internal gateway routing protocol open shortest path first OSPF or any routing protocol to restore traffic flows within the campus depends on the following three main factors: the time that is required to detect the loss of a valid forwarding path.

The time that is required to determine a new, best path. The more routers are involved in determining the new path, the more time it will take. The time that is required to update the routing tables and associated CEF hardware with the new routing information If the switch has redundant equal-cost paths, all three of these events are performed locally within the switch and controlled by the internal interaction of software and hardware. If there is no second equal-cost path, EIGRP or OSPF must determine a new one, and this process plays a large role in network convergence times. times. In the case of EIGRP, that is variable and primarily dependent on how many EIGRP queries the switch needs to generate and how long it takes for each of those queries to return. To calculate a feasible successor path, the time that is required for each queries to be completed depends on how far they have to propagate in the network before a definite response can be returned.

To minimize the time that is required to restore traffic flows in the case where awfully ire routing converge required, it is necessary for the design to provide strict bounds on the number and range of the queries generated. In the case of OSPF, the time that is required to flood and receive LSAs, along with the time to run the Dijkstra shortest path first SPF computation to determine the shortest path, provides a bound on the time that is required to route traffic flows. flows. Optimizing the network recovery involves tuning the design of the network to minimize the time and resources that are required to complete these two events, which limit peering across the access layer. It is recommended to allow neighbor relationships through the access layer. layer. wastes CPU processing time, generates traffic, and adds to complexity. Prevents peering by configuring distribution layer ports towards this layer as passive, routing through the access layer waste CPU processing time, generates unnecessary traffic and adds to complexity. It also prevents peering by configuring distribution layer ports towards access as passive. Distribution switches send routing packet hellos and attempt to build a neighbor relationship across the network from access layer switches to distribution layer switches on every VLAN.

Having adjacencies and sensing updates through the access switches is a waste of CPU processing time. The example shows a network with single access switch. Four unnecessary relationships will be formed, one for each VLAN. VLAN. If more VLANs were in use on the access switch, more adjacencies would come up. up. The example only has one single-axle switch. switch. With each additional switch, more adjacencies would need to be maintained. maintained. Only the neighbor relation—the link between distribution layer switches—is really needed. needed. All other neighbor relationships add complexity ahead of traffic, CPU processing time wastage and heavier load on links. By configuring ports towards the access layer as passive, you will suppress advertising of routing protocols. If a distribution switch does get a routing update or hello packet on a link, it does not need to process the update or build an adjacency.

4. Routing Protocols and Summarization

An autonomous system is a collection of routers under a common administration such as a company or an organization. An autonomous system is also known as a “routing domain.” Typical examples of an autonomous system are company’s internal network and an internet service provider. Interior and exterior routing pros Internal gateway protocols are used for intraautonomous system routing protocols. EGPs are used for inter-autonomous system routing. routing. Intra autonomous routing inside an autonomous system inter autonomous routing is routing between autonomous systems. IGS include routing information protocol EIGRP openshottestpathfirst OSPF and intermediate to intermediate system border gateway protocol is the only currently viable EGP and is the official routing protocol that is used by the Internet.

There are five individual autonomous systems in the scenario. In the figure, ISP 1 uses I-S-I-S as the IGP and interconnects with other autonomous systems and service providers. Using BGP to explicitly control how the traffic is routed ISP2 and a S that uses OSPF as the  IGP. It connects with other autonomous systems and service providers using BGP to explicitly control how the traffic is routed. a large organization that uses EIGRP as the IGP because it is multi-homed and connects to two different service providers. It uses BGP to explicitly control how the Trent enters and leaves the ASAS. ASAS. Two medium-sized organizations that use OSPF as the IGP It is also multihued. -homed. Therefore it uses BGP to explicitly control how the traffic enters and leaves the ASAE. a small organization with older routers within it. it It uses Rip as the IGP. IGP. BGP is not required because it is a single home that connects to one service provider. Instead, static routing is implemented between the as and the service provider. Obviously, you do not have a choice regarding the EGP with IGPs you have a choice. Each IGP has its own advantages and disadvantages. disadvantages.

OEF, while very scalable, is also very complex and requires advanced knowledge for proper implementation. Sips is very similar to OSPF. OSPF. EIGRP, while simple to use and quite scalable, is mostly unavailable on non-Cisco platforms. platforms. Even Rip, a seemingly obsolete protocol, has uses where it is a better choice than other IGPs. One example of a good use case for Rips is as a hub and spoiler with many spokes. This is a common scenario with a bank network using asynchronous transfer mode. mode. If you have thousands of ATMs communicating with a single hub over a routing protocol, the overhead of the protocol can break your network. network. The difference between Rip and other IGPs is that Rip does not establish adjacencies between the neighbors. neighbors. In that sense, Rip is a very quiet routing protocol and you can therefore afford a larger number of spokes communicating with a single hub. Route summarization: route summarization condenses routing information; without summarization, each router in a network must maintain a route to every destination. Networks with summarization routers can reduce some sets of routes to a single advertisement, reducing both the load on the router and the perceived complexity of the network. The importance of route summarization increases with network size.

Medium- to large-sized networks often require the use of more routing protocol features than a smaller one. smaller one. The larger the network, the more important it is to have a careful design with attention to properly scaling the reticle. routing. Stability, control, predictability, and security of routing are also important. Converged networks are increasingly used to support voice IP, telephony storage and other drop sensitive traffic, and so networks must be designed for fast routing convergence. Route summarization is one key network designed for supporting manageable and fast converging routing summarize at distribution layer hierarch routing design reduces the amount of overhead traffic and the number of routing precomputations.

Such hierarchical design is possible through proper IP address allocation in contiguous blocks that can be easily summarized by the routing protocol. To advertise a single summary route from distribution to core and beyond, it is recommended that route summarization figured at the distribution layer. If you summarize at the distribution block, fewer routes are advertised to the core and buildings. Also, there is much less interaction between routing protocol enabled nods. If there is a chain of network summaries, limit the number of peers that an EIGRP router must query or the number of link state advertisements LSAs that OSPF must process, which therefore speeds the rerouting process. process.

Summarize should be performed at the boundary where the distribution layer of each building connects to the core. core. However, this kind of integration requires a layer of three links between distribution switches. This layer three link enables the distribution node, which loses connectivity to a given virtual local area network VLAN to reroute the traffic across the link between distribution switches. For summarization to be effective, the address space that is selected for link between distribution switchers must be within the address space being summarized.

5. Default Routes, Redistribution and Filtering

The concept of originating default routes is useful for summarization in routing. Most networks use some default routing. It is wise to have the default route zero advertised dynamically the rest of the network by the router or routers that connect to the ISIS. This route advertises the path to any route that is not found in the routing table. Originating default routes using static root Internet creatures ability can lead to black holes. It is recommended to configure a static default route to the I SS and then redistribute it into IGP. If connectivity to the I sizes is lost, the edge router is advertising the route to the I SIS to all internal routers. It is generally a bad idea to con a static default route on every router. If you configure a static default route to the I is s router on every router, the next hop is the ISI s connected router rather than a directly connected peer router.

This approach can lead to black holes in the network if there is not a path to the I is s connected router. This approach also needs to be reconfigured on every router if the exit point changes or if a second I SI ESCON is added. If you use manually configured next hops, more configuration commands are needed. This approach can also lead to routing loops and is hard to change. If there are alternative parts, this static approach might fail to take advantage of them. The recommended alternative is to configure each I is s connected router static default route and redistribute it into the dynamic routing protocol. Static default route configure needs to be done only at the network edge devices. All other routers pick up the route dynamically, and Trout of the enterprise uses the closest exit. If the ISIS connected router loses connectivity to the ISIS or fails, the default route is no longer advertised in the organization.

You might use the default information originate command with options to redistribute the default route into the dynamic routing protein. The actual syntax of the command to inject a default route into an IGP depends on the IGP being used. The command in the text works for rip, OSPF, I SIS, and BGP for EIGRP. The IP default network command is used. Explicit root summarization is not the way to achieve the benefits of summarization. Various kinds of OSPF sub areas can be thought of as a simpler form of summarization. Route Redistribution sources Redistribution always encompasses routing protocols, a source, and a destination. The source protocol provides the routes that need to be redistributed, and the destination protocol receives the injected roots.

The redistribution configuration exists under the destination protocol and identifies the source protocol. Using a route map or route policy allows you to filter route attributes during the injection into the destination protocol. When redistributing between two or more routing protocols on a single router, redistribution is not transitive. In other words, when a router reduces protocol one into protocol two, and protocol two into protocol three.

The routes from protocol one are not redistributed into protocol three. Roots can be learned from different sources and then redistributed. The three possible sources are static roots, another routing protocol, or directly connected roots. Root Redistribution Exam while it is desirable that you run a single routing protocol throughout your entire IP into network multiprotocol routers common for many reasons, these reasons include company mergers, multiple departments that a group of Monet work, administrators, managers, multi-vendor environments, and transition between IGPs. However, running multiple routing protocols is often a consequence of a bad design.

In this example, routers and R Two communicate with each other using EIGRP routers. R two and R three use EBGP. In order to mutually redistribute the EBGP routes into EIGRP, use the redistribute BGP command EIGRP metrics. Similarly, in order to redistribute EIGRP routes into BGP redistribute EIGRP number command, you should use redistribution. With planning and some degree of caution, it is easy to create routing loops or break routing. With careful planning and design, you can usually avoid redistribution along with the complexity and troubles that it brings. Avoid Transit Traffic Transit traffic is external traffic passing through a network or site.

As the figure shows, poorly designed topology, poorly confiltering, or poorly configured summarization can cause suboptimal transit traffic use in a part of the network. Remote sites are generally connected with lower bandwidth than the one that is present in the network core. Remote Highly desirable as transit networks to forward the network from one place to another. Remote sites typically handle the traffic volume that is needed to be a viable routing alternative to the core network. In general, where connectivity fails, routing should not detour via a remote site. In OSPF, there is little control. Intra area traffic LSAs cannot be filtered within an area.

OSPF does not allow traffic to arbitrarily route into and then out of an area. The exception is areas zero, which can be used for transit. When another area becomes discontinuous with EIGRP, it can be desirable to configure EIG Stub routers. The Stub informs central routers that they should not use a remote site as a transit network. In addition, the use of Stub network’s damps unnecessary EIGRP queries. Speeding network converge filtering can help manage which parts of the network are available for transit in an EIGRP network. Avoid transit Traffic with BGP The most common concern about transit traffic is when a site has two Internet connections. If there is no filtering, the connections advertise routes, this advertisement can tight at risk of becoming a transit network. It should not be a problem with two connections to the same I SI because the autonomous system number is present in the BGP.

Autonomous system Path based on the autonomous system path, the I si s router ignores any routes that are advertised from the I si s to the site and then by the I SI s. When two I SI SS are involved, the site might inadvertently become a transit site. The best approach is to filter routes advertised outbound to the I SI S’s and ensure that only the company or site prefixes are advertised. Outward tagging routes with a BGP community is the best solution. All inbound routes that are received from the I SSI S should be filtered so that you accept only the routes that the ISI S should be sending you. There are many different ways you can prevent the BGP transit autonomous system session. You can use filter list with Autonomous System path access list. You can use the no export community. You can use the prefix list filtering, or you can use the distribute list filtering. Defensive filter root filtering can also be used defensively against inaccurate or inappropriate routing traffic. One problem that some organizations experience is inheriting inappropriate routes from another organization, such as a businessna. Your business partner should not be advertising your routing prefixes back to your network. Donations are not reached through the partner unless you have a very odd network design.

The default route should not beswire the partner unless the partner is providing your network with Internet connectivity. Inappropriate partner Ismans can disrupt routing without filtering. For example, a partner may define a static route to your data center. If this route leaks into your routing process, a portion of your network might think that the data center has moved to a leasing behind the router of the partner. Defensive filtering protects the network from disruptions due to incorrect estimates. You configure which routing updates your router should accept from the partner and which routing updates should be ignored. For example, you would not accept routing updates about how to get to your own prefixes or about default routing. For security reasons, you should advertise to a partner only the prefixes that you want them to be able to reach. That way, you provide the partners with the minimum information about your network. This approach also ensures that if there is an accidental leak of another partner’s roots or static routes into the dynamic routing process, the inappropriate formation will not also leak to others. The approach of blocking root advertisements is also called root hiding. Root starvation traffic cannot get to the hidden subnets from the partner unless a summary route is also present. Packet filtering access control lists should also be used to supplement security by root starvation.

6. Passive Interfaces Convergence and IPv4

In this topic we will examine the cases for the use of passive interface. Each routing protocol has its own method of convergence, and the goal of any design is to achieve fast convergence. The IP version six IPVs I GPS are very similar to their IP version four IPV, four counterparts and coexistence between IPV and IPV six routing is possible. Use cases for passive interface Passive interfaces behave differently with print routing protocols. With OSPF, the passive interface command suppresses the hello packets, so routers will not be able to build a neighbor relationship. A router will still advertise the network on the pamphlet interface. With EIGRP, the passive interface command has similar effect to OSPF then suppresses hello packets and therefore the adjacency with this Is. The passive interface command has similar effect to of and EIGRP. With Rip, the passive interface command will disable sending off multi cast updates for specific interface, but will allow listening to incoming updates from other routers that speak drip so the route still be able to receive updates and update the routing table. BGP does not support the passive interface command.

With BGP you can use filters, access lists, or distribution lists to control communication. You can also use the passive interface default command and then configure individual interfaces where adjacencies are desired. Using the no passive interface command, you can determine if passive interfaces are configured by issuing the Showrunfig or Show IP protocols commands. Avoid transit traffic over Land You added two more orders to your campus network. The amount of transit traffic has become an issue. Land devices are connected to Tura’s via switches. One common error that you can make is to include all parts through the land in the routing process enthusing them alternate parts for the whole network. Servers and PCs ensure first hop reliability through FRP. The network between PCs and first hop routers is not designed for transit. Traffic is not expected to enter distribution router, go through the land switches and enter the other distribution router. However, if you enable EIGRP on all ports, then EIGRP will treat all parts as valid. The EIGRP process will store information about the alternate parts into its topology table and propagate information to other routers in the network to prevent the links between the land and distribution from being used as transit.

Network Figure passive interfaces configuring passive EIGRP interface prevents EIGRP from assessing adjacency over that link. However, EIGRP will continue to advertise the network on that interface. This use case highlighted EIGRP, but the same guidelines also apply to OSPF and-I-S rip for hub and spoke typologies. The figure shows an example network of one hub answerable number of branches. Large hub and spoke networks can be found in bank networks where spokes are now locations such as ATMs. Spoke routers are small and will probably not be able to handle all routes from all other networks. However, the main issue will probably be on the Hub side with an increasing number of spokes, itis likely that you will overwhelm the Hub router if your network is designed incorrectly. Protocols that build adjacencies introduce considerable amount of torque between routers, which can tax the network. Because the Hub needs an adjacency withal spokes, buying a bigger router forth Hub is not always an option. Solution is to use Rip with passive interface configuration on the Hub side, rip does not establish adjacencies.

By configuring passive interfaces toward branches, you will create a configuration where the Hub learns about networks, but branches will not learn about all the other networks in the enterprise. Each branch is simply with a default route. Positive feedback Loops a routing protocol is converged when it finishes, calculate the best path to all possible destinations within a network. Sub second convergence is possible, but is convergence always better? If you configure a routing protocol to converge more quickly, you will increase the chances. Positive Feedback Loops positive feedback loops cause networks to fail to converge in the network in the figure, if the link between R Three and R Five flaps, it can have severe consequences for the whole network in certain situations. Flapping refers to a situation where one of the interfaces between routers switches quickly between the up and down states.

This flapping can be slow enough for routing adjacency to be reestablished and advertised, but as for the link to be used for sending traffic, each time that the link flaps, routing information on routers R and R Five changes. As a result, routing information also changes on all the neighbors of those two routers. For example, if router R two cannot processes all the routing information quickly enough, it will periodically drop neighbor adjacencies. When one router in the system has a flapping routing adjacency, other routers will develop the same issue. As a result, connectivity in traffic will be sporadic. To solve this problem and remove redundant links until routing converges after routing converges, you will need to figure out what problem and how to make sure that it does not happen again. Improving routing Convergence You can prevent routing issues by simply slowing down information propagation.

The simplest way to slow down the protocol is to not decrease us. If you do not have a specific need for very fast convergence, smaller networks and more capable routers decrease the probability of a network catastrophe. However, you can quickly run into trouble even on a small work. If you have enough parallel links and you decrease timers enough. Two technologies that are built into routing protocols nonstop forwarding NSF and graceful restart help to reduce the probability of a network meltdown. Normally, if a router is restarting its routing process, it will drop all the incoming packets. All applications that are impacted must retransmit the lost data. In some routers, the forwarding plane and the control plane are on physical circuits. Because of this separation, if the control plane fails or restarts the data plane can continue forwarding traffic that is based on last known good information’s is a technology that has found Cisco routers that allows this continuous forwarding to take place regardless of the state of the control plane. When the control plane resets, it sends a signal to the data plane that it should clear its tables and reset.

With NSF enabled, the signal from the control plane acts as a signal to mark the current data as stale and to begin aging out the inch. And after the control plane comes back up, routing protocol databases and routing tables need to be synchronized between routers without disturbing the packets that are being switched by the data plane on the router. This an invasion is a job fora technology that is called Graceful Restart. When two routers begin forming an essence, they exchange some form of signaling, noting that they are capable of understanding graceful restart signaling and are responded correctly. Graceful Restart is available with EIGRP.OSPF is BGP. Graceful Restart awareness is on by default. On recent versions of Cisco iOS software, coexistence fop Four and IPV Six IGP routing the Inversion six V six IGP are very similar to their IP version four IPV Four counterparts. Therefore, clarities between IPV Four and IPV Sixes lead to similar network design considerations.

Design for the future coexistence between IPV Four adapt Six routing target party if IPV Four routing is end to end, you want the same. For IPV Six, clearer design translates into easier rotation and therefore easier troubleshooting. It might not always be an option. Extra resources are needed for IPV routing. Common design options. Dot EIGRP for both IPV four and IPV six, ossify two for IPV four and OSPF three for IPV six or OSPF three for ISIS for both IPV four adapt six, either single topology or multi topology mode. The IPV Six unit cast routing command is required in Cisco iOS software to enable IPV Six routing abilities of the router. Two relevant versions of Rip version two for IPV four next generation R-I-P and G for IPHIX in operation, these two versions are very similar. The greatest difference between the two versions of Rip is arguably on the implementation side. With Ri Two, you need to enable routing on interfaces by using a network command in the router Rip configuration mode. With Rip PNG, you enable routing on an interface on per interface basis using the IPHIX rip process under Enable command.

EIGRP was originally an IPV. Four protocol. Later probabilities were extended to IPV Six. An important difference is that with EIGRP forgive Six are sourced from the link local address and destined to FFO two Althea all EIGRP routers address means that neighbors do not have to share the same global prefix except for the explicitly specified neighbors where traffic is lost with the ire. For IPV Six, the 32 bit router ID must be explicitly configured if there is no IPV Four address. From an implementation perspective, consider that earlier versions of CiscoIoftware had automatic summarization enabled. Usually, you will want to disable automatic summarization using the no Auto summary command. Also consider that earlier versions of Cisco iOS software had the EIP routing process disabled. In that case, you need to explicitly enable the routing process using the Noon command. Izzy capabilities were extended to IPB six within Cisco iOS. An operational consideration with Aziz whether you will be running single topology or multi topology mode.

With single topology mode, the IPV Four adapt Six typologies must be the same. This saves your resources since only one SP calculation is needed. With multi topology ISIS, you run two independent typologies. One SPF is calculated for IPVfour and another for IPV six. There are transition tools available to migrate between MO. However, this migration can be major project on its own. There are two relevant versions of OSPF OPV Two and OSPF Three. OSPF v two only supports IPV. Four. Opfv Three supports both IPV Four and IPV Six. However, if you use OSPF Three, both IPV Four and IPHIX, the transport that is used will be IPV Six. This evolution is all multiteology routing. In OSPF Three, OSPF Two runs its routing process per Noel. OSPF Three runs its routing process per link. This difference enables OSPF Three support for multiple instances per link, meaning that you can have more than one OSPF area per link. With OSPF Three, Cisco has removed native routing protocol authentication and instead relies on the IPV Six authentication headers. SPF v three runs over IPV six. Rip I s’s EIGRP and OSPF address families. Address families are the configuration style through which the IPV Four and IPV Six routing processes are simultaneously supported. The main design factor that you need to consider is the coexistence e V Four and IPV Six IGP ES. While you want to target parity, consider the trade-offs.

During the avers of integration, IPV Four and IPHIX can be decoupled, offering a unique opportunity to try a new design with IPV Six. Evaluate the additional resources that are required by IPV Six. Unless you have a network that requires you to use Rip, you are probably using one of the three advanced IGPs to perform in your enterprise network. From the perspective of clarity of design, you do not want to run two completely devoting protocols unless you are in transition from one protocol to another.

7. Describe Network Management Best Practices

The primary goal of the best practices for network management is to facilitate the security of all devices and hosts within the Is network architecture. This is important for any network security management and reporting strategy. Network Management Network management provides the servers, services and connectivity needed for the following logging and reporting information flows from the network devices to the management hosts, while content configurations and new software updates flow to the devices from the management hosts. The fundamental devices that exist in the management module relevant for security include the following Cosmas event monitoring, analysis and correlation system that provides network wide security intelligence and collaboration allowing quick identification and rapid reaction to threats. CS Mask collects trends and correlates logging and event information generated by routers switches, firewalls, intrusion prevention systems, Cisco Access Control servers. Axe and the management center for Cisco security agents. Isa MC Cosmas collects network condition and event information using protocols like Syslog, SNMP, Telnet, SSH and Net Flow.

In addition, Cosmas integrates with Cisco Security Manager to provide a comprehensive security monitoring and management solution that addresses configuration management, security monitoring, analysis and mitigation. Cisco Security Manager CSM Management application used to configure Firewall virtual private work, VPN and intrusion prevention services on Cisco network and security devices. CSM communicates with Cisco network and security devices using Telnet, or Https network access control. NAC Manager communicates with and manages the Cisco Rackserver provides a web based interface for creating security policies, managing online users, and acts as an authentication proxy for authentication servers on the back end such as Ax Access Control server.

Axe provides authentication authorization and accounting services for routers switches, firewalls, VPN services and clients. In addition, Axe also interfaces with external backend, active directory and LDAP location services. System Administration host provides configuration software, images and changes on devices from a central server configuration and software archive. Host provides positivize configuration and system image backup files. Network time protocol server used for time synchronization firewall VPN provides granular access control for traffic flows between the Mint hosts and the managed devices for in band management. Firewall also provides secure VPN access management module for administrators located at the campus branches and other places in the network. OB Management Best Practices The OB network segment hosts console servers, AAA servers, Management stations, analysis and correlation tools, Syslog servers, NTP, FTP network Comps management, and any other management and control services. A single OOB management network can serve enterprise network modules located at the headquarters. The out of band management network implemented at the headquarters using dedicated switches that are independent and physically disparate from the data network. The OB management may also be logically implemented with isolated and segregated VLANs outers switches.

Firewalls, IPS and other network devices connect tithe OB network through dedicated management faces. The management subnet should operate under an address space that is completely separate from the rest of the Shin data network. This facilitates the enforcement of controls such as making sure that the management net is not advertised by any routing protocols. This also enables the production network devices to block any traffic from the management subnets that appears on the production network links devices being managed by the OB management network at the headquarters connect to the management network using dedicated management interface or a spare e interface configured as a management interface. The interface connecting to the management network should be a routing protocol passive interface and they address assigned to the interface should not be advertised in the internal routing protocol used for the data network. Access lists using inbound and outbound access groups are applied to the management interface.

Only allow access to the management network from the IP address assigned to the management interface and conversely only allows us from the management network to that management interface address. In addition, only protocols that are needed forth management of these devices are permitted. These protocols could include SSH, NTP, FTP, NMP, TACs plus etc. Data traffic should never transit the devices using the connection to the management network. An explicit deny entry with the log keyword is included at the end of the access list. It on the inbound direction of the management interface. This triggers syslog events for traffic attempting to access device over the management network which is not permitted. This will provide visibility into attacks and facilitable shooting when needing to tune the access list egg. Identifying traffic which should be allowed. Inman Best Practices IB management provides management of devices over the same physical and logical infrastructure data traffic.

IB management is used for devices not located at the headquarters site and devices that do not dedicated management interface or spare interface Tobe used as a management interface. IB management network access should be deployed using these following best practices firewalls are implemented to secure the orobijment network, hosting the management and monitoring servers from the rest of the network. The firewalls only allow access from the administrative addresses of the devices being managed ignobly for the necessary protocols and ports. The firewall is configured to allow protocols such as syslog secure syslog SSH, SSL, SNL, Net Flow, IPsec and protocols needed for the NAC server to communicate with the NAC manager if NSNS is deployed. Information into the management Segment in addition to providing access control for managers located at remote sites such as the branch sites, firewalls are recommended to protect the management network from services located in the Internet edge module.

In the case of the Internet edge, any devices outside the edge firewalls deployed in the Internet edge should be protected by a firewall despite being deployed at the headquarters. The outer switches and border routers are located outside the edge firewall, therefore, their management connections should be placed in a separate firewall segment. This practice is important to contain and mitigate the compromise of any devices facing the connecting the outer switches or the border routers directly to the OB network. And without a firewall will be discouraged as it would facilitate the bypass of the firewall protection. OOB and IP Management Connection When deploying I management for remote sites, it is critical that Qu’s deployed accurately to classify and realize control and management traffic to and from these sites. This will ensure remote access and continuing service availability even under adverse network conditions such as worm outbreaks and high data rates. This illustrates OB and IB management connections tithe devices in the Internet Edge module. Since the management subnet opts under an address space that is completely separate from the rest of the production network.

All IB management access occurs through IRC address translational process on the Firewall static Nat entries aroused on the firewall to trans no routable management IPad dresses to prespecified production IP ranges that are routed in the routing protocol on their network. Static Nat entries are used to translate addresses assigned to management servers inside manager net range to addresses that are in the outside address range that are routed in the data network. In the above case, management insight addresses are translated to outside addresses within the 1024 2500 subnet rate. Remote Management Best Practices Another recommended best practice for IB management is to confirm all protecting the OOB management network for client VP and termination for administrative access. This allows administrators at the campus and remote locations to connect to the Obey management networks to access the managed servers over secure VPN tunnel. The above are best practices for enabling VPN termination for remonagement network connectivity.