Tuesday, July 26, 2011

The differences between ASA/PIX OS & Router IOS


Just to name a few major differences between a Cisco router and a Cisco firewall:

1. Everything is allowed in a router unless you filter it, but in a firewall nothing is allowed unless you permit it,

e.g. the outside interface of a PIX/ASA doesn't allow any inbound traffic unless it was requested by an inside host.

2. The PIX/ASA partitions network interfaces into different security levels, while in a router there is no difference between interfaces.

3. You cannot traceroute or telnet from a PIX/ASA.

4. Access-lists in a router use the wildcard-mask format, while the PIX/ASA uses a subnet mask instead of a wildcard mask.

5. In the PIX/ASA you can enter EXEC commands while you are in config mode, but in a router you need to add the "do" prefix to achieve the same result.

6. In the PIX/ASA we don't use the "ip" keyword as much as in a router, because the firewall is designed for securing IP traffic,

e.g. "show ip route" becomes "show route".


7. In an IOS router, dot1q-tagged traffic is configured with the "encapsulation" command (in interface mode), while in the PIX/ASA we use "vlan vlan-number".

8. Most of a firewall's configuration lives in global configuration because of its policy framework, while in a router you configure interfaces much more.

9. CDP is not allowed/running on an ASA/PIX.
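As an added illustration of point 4 (this is my own example, not code from the post): a small Python converter that rewrites numbered IOS extended ACL entries into the ASA/PIX "extended" form by inverting each wildcard into a subnet mask, and that refuses non-contiguous wildcards because a subnet mask cannot express them. The sample entries and the ACL name OUTSIDE_IN are constructed for the demo.

```python
import ipaddress

# Constructed sample IOS ACEs (not from the post); the last wildcard is non-contiguous.
IOS_ACL = [
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 80",
    "access-list 101 permit udp any 172.16.4.0 0.0.3.255 eq 53",
    "access-list 101 deny ip 10.1.0.0 0.255.0.255 any",
]

def wildcard_to_mask(wildcard: str) -> str:
    """Invert an IOS wildcard into the subnet mask PIX/ASA expects."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    # A subnet mask is contiguous ones then zeros; an IOS wildcard need not be.
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} has no subnet-mask equivalent")
    return str(ipaddress.IPv4Address(mask))

def _address(tokens: list, i: int) -> tuple:
    """Consume one IOS address spec at tokens[i]; return (ASA text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_mask(tokens[i + 1])}", i + 2

def ios_to_asa(line: str, acl_name: str) -> str:
    """Rewrite one numbered IOS extended ACE (action proto src dst [port op]) as an ASA ACE.
    A port operator placed after the source address is not handled."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    rest = " ".join(t[i:])  # eq/gt/lt/range operators read the same on both platforms
    return f"access-list {acl_name} extended {action} {proto} {src} {dst} {rest}".rstrip()

def convert(lines: list, acl_name: str) -> tuple:
    """Convert a whole ACL; entries ASA cannot express are reported, never silently dropped."""
    converted, rejected = [], []
    for line in lines:
        try:
            converted.append(ios_to_asa(line, acl_name))
        except ValueError as exc:
            rejected.append(f"{line}  ! {exc}")
    return converted, rejected

if __name__ == "__main__":
    ok, bad = convert(IOS_ACL, "OUTSIDE_IN")
    print("\n".join(ok + ["! NOT CONVERTED: " + b for b in bad]))
```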

Thursday, May 5, 2011

BGP attributes

A BGP attribute is a metric used to describe the
characteristics of a BGP path. Attributes are
contained in UPDATE messages passed between BGP
peers to advertise routes.
 
BGP attributes are broadly divided into two types:
a) Well Known
b) Optional

Well Known attributes are divided into two types:
a) Mandatory
b) Discretionary

** Mandatory attributes are divided into three types:
a) AS Path
b) Next Hop
c) Origin

** Origin attributes are divided into three types:
a) Internal (i)
b) External (e)
c) Incomplete (?)

** Discretionary attributes are divided into two types:
a) Local Preference
b) Atomic Aggregate

Optional attributes are divided into two types:
a) Transitive
b) Non-Transitive

** Transitive attributes are divided into two types:
a) Aggregator
b) Community

** Community attributes are divided into four types:
a) No-export
b) No-advertise
c) Internet
d) Local-AS

** Non-transitive attributes are divided into three types:
a) MED (Multi Exit Discriminator)
b) Originator
c) Cluster ID

Q: What is a BGP attribute, and how many types of attributes does BGP use?
Let's start from the first one. I'm going to explain each attribute
one by one.
 
Well Known:
Well-known attributes must be recognized by every
compliant BGP implementation. Well-known attributes
are also propagated to other neighbors.

Optional:
Optional attributes are recognized by some BGP
implementations and are not expected to be recognized by
everyone. Whether an optional attribute is propagated to
neighbors depends on its type (transitive or non-transitive).

Mandatory:
Mandatory attributes are well-known BGP attributes. They
must be present in every UPDATE message passed
between BGP peers, as part of the route description.

Discretionary:
Discretionary attributes are well-known BGP attributes.
They may or may not be present in an UPDATE message.

AS Path:
The AS path is a well-known mandatory attribute. It
lists the autonomous systems that a route has
passed through. The AS path is used in the path
selection process: a shorter AS path is preferred
over a longer one.

Next-Hop:
Next hop is a well-known mandatory attribute. In
BGP, the next hop is the IP address that is used to reach the
advertising BGP router.

For eBGP, the next hop is the IP address of the connection
between the peers.

For iBGP, the eBGP next-hop address is carried unchanged into the local
autonomous system.

Origin:
Origin is a well-known mandatory attribute. The
origin attribute defines how the BGP router learned about the
particular route. The origin attribute has three possible
values: Internal (i), External (e) and Incomplete (?).

Internal (i):
BGP learned the route from an interior
routing protocol.

External (e):
BGP learned the route from external BGP.

Incomplete (?):
The origin of the route is unknown, or it was learned in
some other way. An incomplete origin occurs when routes
are redistributed into BGP.
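As an added example (my own code, not from the post): a Python parser for the Path Attributes field of a BGP UPDATE that classifies each attribute into the tree above from its flag bits (Optional, Transitive) and type code, decodes the values the post discusses, and rejects an UPDATE that lacks one of the three well-known mandatory attributes. The sample bytes are constructed by hand with 2-byte AS numbers.

```python
import struct
from ipaddress import IPv4Address

NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MED", 5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE",
         7: "AGGREGATOR", 8: "COMMUNITY", 9: "ORIGINATOR_ID", 10: "CLUSTER_LIST"}
MANDATORY = {1, 2, 3}                               # ORIGIN, AS_PATH, NEXT_HOP must all be present
ORIGINS = {0: "i", 1: "e", 2: "?"}                  # IGP, EGP, INCOMPLETE
COMMUNITIES = {0xFFFFFF01: "no-export", 0xFFFFFF02: "no-advertise", 0xFFFFFF03: "local-AS"}

# Constructed (not captured) attributes: ORIGIN i, AS_PATH 65001 then AS_SET {65002 65003},
# NEXT_HOP 192.0.2.1, MED 10, COMMUNITY no-export plus 65001:100.
SAMPLE = bytes.fromhex("40010100" "40020a0201fde90102fdeafdeb" "400304c0000201"
                       "8004040000000a" "c00808ffffff01fde90064")

def attribute_class(flags: int, code: int) -> str:
    optional, transitive = bool(flags & 0x80), bool(flags & 0x40)
    if optional:
        return "optional " + ("transitive" if transitive else "non-transitive")
    if not transitive:
        raise ValueError(f"{NAMES.get(code, code)}: a well-known attribute must be transitive")
    return "well-known " + ("mandatory" if code in MANDATORY else "discretionary")

def decode(code: int, v: bytes):
    if code == 1:
        return ORIGINS[v[0]]
    if code == 2:                                    # segments of (type, count, ASNs)
        segs, j = [], 0
        while j < len(v):
            seg_type, n = v[j], v[j + 1]
            asns = struct.unpack_from(f"!{n}H", v, j + 2)
            segs.append(set(asns) if seg_type == 1 else list(asns))  # 1 = AS_SET, 2 = AS_SEQUENCE
            j += 2 + 2 * n
        return segs
    if code in (3, 9):                               # NEXT_HOP, ORIGINATOR_ID
        return str(IPv4Address(v))
    if code in (4, 5):                               # MED, LOCAL_PREF
        return struct.unpack("!I", v)[0]
    if code == 8:
        return [COMMUNITIES.get(c, f"{c >> 16}:{c & 0xFFFF}") for c in struct.unpack(f"!{len(v) // 4}I", v)]
    return v.hex()

def parse_path_attributes(data: bytes) -> list:
    """Walk the Path Attributes field; each result is (code, name, class, decoded value)."""
    out, i = [], 0
    while i < len(data):
        flags, code, ext = data[i], data[i + 1], bool(data[i] & 0x10)   # 0x10 = Extended Length
        length = struct.unpack_from("!H", data, i + 2)[0] if ext else data[i + 2]
        i += 4 if ext else 3
        value, i = data[i:i + length], i + length
        out.append((code, NAMES.get(code, f"type {code}"), attribute_class(flags, code), decode(code, value)))
    if MANDATORY - {a[0] for a in out}:
        raise ValueError("UPDATE lacks a well-known mandatory attribute")
    return out
```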
 

Thursday, April 21, 2011

BGP is a path vector protocol

Path vector algorithm

BGP assigns the first valid path as the current best path. BGP then compares the best path with the next path in the list, until BGP reaches the end of the list of valid paths. This list provides the rules that are used to determine the best path:
  1. Prefer the path with the highest WEIGHT.
    Note:  WEIGHT is a Cisco-specific parameter. It is local to the router on which it is configured.
  2. Prefer the path with the highest LOCAL_PREF.
    Note: A path without LOCAL_PREF is considered to have had the value set with the bgp default local-preference command, or to have a value of 100 by default.
  3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP.
    Local paths that are sourced by the network or redistribute commands are preferred over local aggregates that are sourced by the aggregate-address command.
  4. Prefer the path with the shortest AS_PATH.
    Note: Be aware of these items:
    • This step is skipped if you have configured the bgp bestpath as-path ignore command.
    • An AS_SET counts as 1, no matter how many ASs are in the set.
    • The AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the AS_PATH length.
  5. Prefer the path with the lowest origin type.
    Note: IGP is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE.
  6. Prefer the path with the lowest multi-exit discriminator (MED).
    Note: Be aware of these items:
    • This comparison only occurs if the first (the neighboring) AS is the same in the two paths. Any confederation sub-ASs are ignored.
      In other words, MEDs are compared only if the first AS in the AS_SEQUENCE is the same for multiple paths. Any preceding AS_CONFED_SEQUENCE is ignored.
    • If bgp always-compare-med is enabled, MEDs are compared for all paths.
      You must disable this option over the entire AS. Otherwise, routing loops can occur.
    • If bgp bestpath med-confed is enabled, MEDs are compared for all paths that consist only of AS_CONFED_SEQUENCE.
      These paths originated within the local confederation.
    • The MED of paths that are received from a neighbor with a MED of 4,294,967,295 is changed before insertion into the BGP table. The MED changes to 4,294,967,294.
    • Paths received with no MED are assigned a MED of 0, unless you have enabled bgp bestpath med missing-as-worst.
      If you have enabled bgp bestpath med missing-as-worst, the paths are assigned a MED of 4,294,967,294.
    • The bgp deterministic-med command can also influence this step.
      Refer to How BGP Routers Use the Multi-Exit Discriminator for Best Path Selection for a demonstration.
  7. Prefer eBGP over iBGP paths.
    If bestpath is selected, go to Step 9 (multipath).
    Note: Paths that contain AS_CONFED_SEQUENCE and AS_CONFED_SET are local to the confederation. Therefore, these paths are treated as internal paths. There is no distinction between Confederation External and Confederation Internal.
  8. Prefer the path with the lowest IGP metric to the BGP next hop.
    Continue, even if bestpath is already selected.
  9. Determine if multiple paths require installation in the routing table for BGP Multipath.
    Continue, if bestpath is not yet selected.
  10. When both paths are external, prefer the path that was received first (the oldest one).
    This step minimizes route-flap because a newer path does not displace an older one, even if the newer path would be the preferred route based on the next decision criteria (Steps 11, 12, and 13).
    Skip this step if any of these items is true:
    • You have enabled the bgp bestpath compare-routerid command.
      Note: Cisco IOS Software Releases 12.0.11S, 12.0.11SC, 12.0.11S3, 12.1.3, 12.1.3AA, 12.1.3.T, and 12.1.3.E introduced this command.
    • The router ID is the same for multiple paths because the routes were received from the same router.
    • There is no current best path.
      The current best path can be lost when, for example, the neighbor that offers the path goes down.
  11. Prefer the route that comes from the BGP router with the lowest router ID.
    The router ID is the highest IP address on the router, with preference given to loopback addresses. Also, you can use the bgp router-id command to manually set the router ID.
    Note: If a path contains route reflector (RR) attributes, the originator ID is substituted for the router ID in the path selection process.
  12. If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.
    This is only present in BGP RR environments. It allows clients to peer with RRs or clients in other clusters. In this scenario, the client must be aware of the RR-specific BGP attribute.
  13. Prefer the path that comes from the lowest neighbor address.
    This address is the IP address that is used in the BGP neighbor configuration. The address corresponds to the remote peer that is used in the TCP connection with the local router.
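Worked example (added here, not part of the original article): a Python model of the decision list above. Each tuple element is one numbered step, so the lower tuple wins; MED is compared only when the first AS matches, a missing MED counts as 0, and steps 9 and 10 (multipath and oldest path) are left out because no arrival time is tracked. The Path fields and the sample paths are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from functools import reduce
from ipaddress import ip_address
from typing import Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < INCOMPLETE (step 5)

@dataclass
class Path:
    name: str
    weight: int = 0                  # Cisco-local; never carried in an UPDATE
    local_pref: int = 100            # a path without LOCAL_PREF counts as 100
    locally_originated: bool = False
    as_path: list = field(default_factory=list)   # an AS_SET is one element and counts as 1
    origin: str = "i"
    med: Optional[int] = None        # None = no MED attribute
    ebgp: bool = True
    igp_metric: int = 0              # IGP cost to the BGP next hop
    router_id: str = "0.0.0.0"       # originator ID substituted in route-reflector setups
    cluster_list_len: int = 0
    neighbor: str = "0.0.0.0"        # address from the 'neighbor' statement

def _med(p: Path) -> int:
    return 0 if p.med is None else p.med   # default; 'med missing-as-worst' would use 4294967294

def _key(p: Path, compare_med: bool) -> tuple:
    """Lower tuple wins; each element is one numbered step of the decision list."""
    return (
        -p.weight,                           # 1  highest WEIGHT
        -p.local_pref,                       # 2  highest LOCAL_PREF
        not p.locally_originated,            # 3  locally originated paths first
        len(p.as_path),                      # 4  shortest AS_PATH
        ORIGIN_RANK[p.origin],               # 5  lowest origin type
        _med(p) if compare_med else 0,       # 6  lowest MED, only when the neighbor AS matches
        not p.ebgp,                          # 7  eBGP over iBGP
        p.igp_metric,                        # 8  lowest IGP metric to the next hop
        # 9 (multipath) and 10 (oldest eBGP path) are not modelled: no arrival time is kept
        ip_address(p.router_id),             # 11 lowest router ID
        p.cluster_list_len,                  # 12 shortest cluster list
        ip_address(p.neighbor),              # 13 lowest neighbor address
    )

def prefer(cur: Path, new: Path) -> Path:
    """Return the better of the current best and the next candidate; a full tie keeps the current best."""
    compare_med = cur.as_path[:1] == new.as_path[:1]   # first AS in AS_SEQUENCE is the same
    return new if _key(new, compare_med) < _key(cur, compare_med) else cur

def best_path(paths: list) -> Path:
    """First valid path is the current best; compare it with each following path in turn."""
    return reduce(prefer, paths)
```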