CCNP Study Notes 2 - Routing Part - EIGRP

Source: Internet
Author: User

◆ Review of the dynamic routing protocols (EIGRP is the subject of these notes)

                  RIP                   EIGRP                         OSPF                        BGP
  Encapsulation   UDP 520               IP protocol 88                IP protocol 89              TCP 179
  Update address  224.0.0.9             224.0.0.10                    224.0.0.5 / 224.0.0.6       unicast
  Unicast update  passive-interface     neighbor statement plus       network type NBMA or        always unicast
                  plus neighbor         outgoing interface            point-to-multipoint
  Update method   periodic, 30 s        triggered, incremental        triggered, plus a 30 min    triggered, incremental
                  (±15% offset)                                       periodic refresh
  AD              120                   5 (summary) / 90 / 170        -                           -
  Metric          hop count             5 K values (default:          bandwidth (cost)            -
                                        bandwidth + delay)

■ RIP has no real neighbor concept; whether it updates by multicast or unicast is purely a matter of configuration. OSPF's update method is determined by the network type, and the network type follows the layer-2 link: broadcast corresponds to Ethernet; point-to-point to PPP, HDLC or a Frame Relay point-to-point subinterface; NBMA to a Frame Relay physical interface or multipoint subinterface. Point-to-multipoint (broadcast and non-broadcast) has no layer-2 counterpart; it exists for engineering convenience.

◆ EIGRP features
  1. Advanced distance-vector protocol with fast convergence (DUAL algorithm).
  2. Supports VLSM and CIDR. Compared with RIP: RIP cannot generate a CIDR (supernet) route itself, but a CIDR route redistributed into RIP is still passed on.
  3. Partial updates: only changed routes are sent.
  4. Supports multiple network-layer protocols (IP, IPX, ...).
  5. Flexible network design; supports multicast and unicast updates (neighbor statement plus local outgoing interface).
  6. Supports manual route summarization; auto-summary is enabled by default (in BGP it is disabled by default).
  7. 100% loop-free by default (any single dynamic protocol is loop-free on its own; loops only appear with redistribution).
  8. Simple configuration. Defaults: hello 5 s, hold (dead) 15 s.
     On low-speed multi-access (MA) links the defaults are hello 60 s and hold 3 × hello; these are also set automatically.
★ 9. Supports unequal-cost load balancing.

◆ Core technologies of EIGRP
- Neighbor discovery and recovery: hello packets carry the three items that must match (AS number, authentication, K values).
■ Building a neighbor: the three hello items (AS number, authentication, K values) must be identical. The default K values weight bandwidth and delay; if two or three K values are modified on one side while the other side keeps the defaults, no neighbor can be formed. Reasons a neighbor fails to come up:
  1. The two sides use different authentication passwords.
  2. An ACL does not permit EIGRP traffic (the examiners like to test this).
  3. On a Frame Relay network without the broadcast keyword there is no multicast capability, but EIGRP updates are multicast, so the neighbor cannot form.
  4. One end points at the other with a unicast neighbor statement, but the other end does not.
  5. Hello packet problems (mismatched AS number or K values).
- Reliable Transport Protocol (RTP): the reliable delivery mechanism EIGRP uses to make sure its data reaches all neighbors. The principle resembles TCP: a packet is sent with a sequence number and acknowledged by the peer; an unacknowledged packet is retransmitted (up to 16 times).
★ EIGRP has five packet types: hello (builds neighbors), update (sends routes), query (asks neighbors for the route to a specific destination), reply (answers a query with detailed route information) and ACK (acknowledges a reliable packet). Only the middle three are reliable:
      A -- UPDATE / QUERY / REPLY --> B
      A <---------- ACK ------------- B
  A's first copy is multicast to B. If B does not acknowledge it, A retransmits it by unicast. The retransmission is not done by the EIGRP process itself: a copy of the packet is placed on the interface queue and retransmitted by the interface (16 times). If no ACK arrives after 16 attempts, the neighbor relationship is torn down. A then receives B's hello again, the neighbor comes back, and A-B keeps flapping up/down. Later I will explain in detail how to solve this problem.
- DUAL finite state machine: selects the best loop-free path for each destination. The two most important points:
  1. The local topology table stores the paths to all destinations and computes the successor; feasible successors may also be chosen according to the feasibility condition (FC). When the successor fails, the feasible successor immediately becomes the successor and no queries are sent to neighbors.
  2. When there is no FS and the successor is lost, the router queries all its neighbors; after receiving every reply it recomputes the path and converges.
- Protocol-dependent modules (PDM): EIGRP supports IP, IPX and AppleTalk; each protocol has its own module, independent of the others.

◆ The five message types
  hello: establishes and maintains neighbors (in BGP, keepalive does this). hello 5 s, hold 15 s; on links below 1.544 Mb/s, hello 60 s and hold 3 × hello.
  update: sends routes.
  query: asks a neighbor about the route to a destination (generated when the successor is lost and there is no FS).
  reply: answers a query with detailed routing information.
  ACK: acknowledges a reliable packet. On receiving a query, a router first ACKs it and then sends the reply.
◆ The network command in an IGP does two things: 1. advertises the interface's route; 2. decides out of which interfaces the local routes are advertised.
◆ EIGRP keeps three tables:
■ Neighbor table: when a hello packet arrives and its three factors (AS number, authentication, K values) match, a neighbor entry is created.
■ Topology table: holds the paths learned from all neighbors, including multiple paths from different neighbors to the same destination.
■ Routing table: the optimal path computed from the topology table.

◆ DUAL terminology
  AD (advertised distance): the neighbor's cost to the destination.
  FD (feasible distance): local cost to the neighbor + the neighbor's AD.
  FS (feasible successor): a sub-optimal next-hop neighbor whose AD is below the FD.

◆ EIGRP metric (5 K values)
  K1 bandwidth: the minimum bandwidth (kbps) of the inbound interfaces along the path.
  K3 delay: the sum of the delays of the inbound interfaces along the path.
  K2 load, K4 reliability, K5 MTU (not used by default).
  Formula with the default K values: metric = (10^7 / minimum bandwidth + total delay / 10) * 256
  (bandwidth in kbps, delay in microseconds).

◆ Ways to change the metric
  1. Bandwidth: bandwidth <kbps> on the inbound interface. EIGRP management traffic may use up to 1/2 of this bandwidth.
  2. Delay: delay <tens of microseconds> on the inbound interface.
  3. offset-list: modifies inbound routes. Example: to see the effect on R1 for a route learned from R3 (direction R3 -> R2 -> R1), apply the offset-list inbound on R1 F0/0 or on R2 F0/0. Match the network with an ACL, then offset-list <acl number> (0 means all routes) in <metric to add> <interface>:
      access-list 10 permit 33.1.1.0
      router eigrp 10
       offset-list 10 in 13120 fastethernet 0/0

◆ Fields of show ip eigrp neighbors
  Hold: 3 × hello = 15 s; it fluctuates between 10 and 15 because each hello (every 5 s) refreshes it.
  SEQ: sequence number of the last reliable packet.
  Q count: 0 is normal. Two non-zero cases: 1. the interface bandwidth is insufficient; 2. reliable packets are being retransmitted and placed on the interface queue.
  SRTT: smoothed round-trip time, the time it takes a reliable packet sent to the peer to be ACKed.
  RTO: retransmission timeout.
◆ show ip protocols shows whether an in/out policy (offset-list) is applied, the maximum hop count (100), the variance for unequal-cost load balancing, the maximum number of load-balanced paths (default 4), the advertised networks, and the routing information sources (the last neighbor each route was received from).
◆ Review: how RIP generates a default route
  1. default-information originate in the RIP process.
  2. A static default route plus redistribute static into RIP.
  3. A static route pointing at an interface, then advertise that interface into RIP (problem: network 0.0.0.0 includes all interfaces):
      ip route 1.1.1.1 255.255.255.255 f0/0
      int f0/0
       ip add 12.1.1.1 255.255.255.0
      router rip
       network 12.1.1.0
  4. Global ip default-network 172.131.0.0.
  5. First create a default route to Null0 manually, then summarize it on the interface with ip summary-address rip 0.0.0.0 0.0.0.0 to pass the default route.
  Reference: http://blog.sina.com.cn/s/blog_b38a88740101516y.html

◆ Ways to generate a default route in EIGRP
  1. ip default-network. A classful (major) route must exist locally first; two ways to get one:
     1.1 Write a classful static route: ip route 172.31.0.0 255.255.0.0 172.31.1.1 (in my experiment, writing the peer address did not take effect; writing the interface did).
     1.2 Have a directly connected classful route.
     Then advertise the major network (network 172.31.0.0) and configure global ip default-network 172.31.0.0, so that every router connected to it and running EIGRP automatically generates a default route D* 172.31.0.0/16 towards 172.31.... This method is not recommended!!!! because a classful route is required.
  2. Redistribution:
     2.1 Remote R3 writes a default route to Null0: ip route 0.0.0.0 0.0.0.0 null 0
     2.2 Redistribute it in the process: router eigrp 10 / redistribute static. R1 sees D*EX. Problem: the AD of this default is 170.
  3. Declare an existing default route in the process:
      ip route 0.0.0.0 0.0.0.0 null 0
      router eigrp 10
       network 0.0.0.0
     show ip route on the remote router shows D* 0.0.0.0/0 with AD 90. Note: network 0.0.0.0 places every local interface into the EIGRP process.
  4. Generate it by summarization. Note that this differs from the three methods above: the summary is configured on an interface and has a direction (outbound): ip summary-address eigrp 10 0.0.0.0 0.0.0.0 under the interface.

◆ Automatic summarization
  EIGRP enables auto-summary by default, but with it enabled discontiguous subnets are not supported.
  Compare with RIP's auto-summary on three questions:
  1. Which routes are summarized? RIP: all routes (generated locally, redistributed into RIP, learned from RIP). EIGRP: only routes of the local network.
  2. To what length? To the mask of the classful (major) network.
  3. Where? At the major-network boundary, as in RIP (the boundary is the border of the classful network).
  Within the boundary the subnets are contiguous, and detailed routes are still passed even though summarization is enabled.
  Major-network boundary example:
      R1---------R2---------R3
      R1 loopback: 1.1.11.1/24; R2 Lo0: 1.1.22.1/24; R3 Lo0: 1.1.33.1/24
      R1-R2 link: 1.1.12.0/24; R2-R3 link: 1.1.23.0/24
  All of these routers are in the major network 1.0.0.0/8, so R1, R2 and R3 exchange detailed routes. If R2 also has a link R2------R4 in network 24.x, R2's interface towards R4 is the boundary of the major network 1.0.0.0/8 and R2 summarizes there.
◆ With auto-summary enabled, neither EIGRP nor RIP supports discontiguous subnets: if the links to R2 lie in other major networks, the interfaces of the R1 and R3 loopbacks are the major-network boundaries, so R2 receives only 1.0.0.0/8 from both sides and cannot distinguish 1.1.11.0 from 1.1.33.0; data for 1.1.11.0 may be sent towards 1.1.33.0.

◆ Manual summarization in EIGRP. Features:
  1. Configured on an interface (the outbound routing interface; compare bandwidth changes, which apply to the inbound routing interface).
  2. After a summary is created on an interface, a summary route pointing to Null0 is created automatically to avoid loops. Null0 is a bit bucket: a packet routed to Null0 is discarded. The local summary automatically generates a route to Null0 with AD = 5, so it is matched first and the packet dropped, preventing loops.
  3. When all component routes become unreachable, the summary is deleted automatically.
  4. The router doing the summary generates the summary's metric automatically (the smallest metric among all components).
  5. The summary suppresses all the components.
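As an added example (not part of the original notes), the following Python models the two summarization behaviours just described: auto-summary collapsing a route to its classful network only at a major-network boundary, which is what breaks the discontiguous-subnet case, and an EIGRP manual summary with its Null0 discard route (AD 5), minimum component metric and suppressed components. The R1/R2/R3 addresses are the ones from the notes; the link prefixes 12.1.1.0/24, 23.1.1.0/24 and 24.1.1.0/24 and the metric values are constructed, and split horizon is ignored.

```python
"""Added example (not from the original notes): model RIP/EIGRP auto-summary at
a major-network boundary and an EIGRP manual summary with its Null0 route."""
import ipaddress
from dataclasses import dataclass


def classful_network(prefix):
    """Major (classful) network containing `prefix`: A -> /8, B -> /16, C -> /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def advertise_auto_summary(routes, out_interface_prefix):
    """Prefixes a router sends out of an interface with auto-summary enabled.
    A route is summarized to its major network only when it crosses a major
    network boundary (its major network differs from the outgoing interface's);
    inside the same major network the detailed subnets are still sent."""
    boundary = classful_network(out_interface_prefix)
    sent = set()
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        sent.add(net if classful_network(r) == boundary else classful_network(r))
    return [str(n) for n in sorted(sent)]


# Constructed: everything R2 knows inside 1.0.0.0/8 in the contiguous topology.
R2_ROUTES = ["1.1.11.0/24", "1.1.12.0/24", "1.1.22.0/24", "1.1.23.0/24", "1.1.33.0/24"]


def discontiguous_view():
    """Constructed discontiguous case: the R1 and R3 loopbacks are in 1.0.0.0/8 but
    the links to R2 are in other major networks, so each side sends only 1.0.0.0/8
    and R2 cannot tell 1.1.11.0 from 1.1.33.0."""
    r2_receives = {}
    for source, loopback, link in (("R1", "1.1.11.0/24", "12.1.1.0/24"),
                                   ("R3", "1.1.33.0/24", "23.1.1.0/24")):
        for prefix in advertise_auto_summary([loopback], link):
            r2_receives.setdefault(prefix, []).append(source)
    return r2_receives


@dataclass
class Route:
    prefix: str
    metric: int


def manual_summary(summary_prefix, component_routes, ad_summary=5):
    """Model ip summary-address eigrp on an outbound interface: advertise the
    summary with the smallest component metric, install a local Null0 discard
    route with AD 5 (matched first, then dropped, so no loop), suppress the
    components, and withdraw the summary (return None) when none are left."""
    summary = ipaddress.ip_network(summary_prefix)
    members = [r for r in component_routes
               if ipaddress.ip_network(r.prefix, strict=False).subnet_of(summary)]
    if not members:
        return None
    return {
        "advertised": (str(summary), min(r.metric for r in members)),
        "null0": {"prefix": str(summary), "next_hop": "Null0", "ad": ad_summary},
        "suppressed": [r.prefix for r in members],
    }


if __name__ == "__main__":
    print("R2 -> R3 (same major net):", advertise_auto_summary(R2_ROUTES, "1.1.23.0/24"))
    print("R2 -> R4 (boundary):      ", advertise_auto_summary(R2_ROUTES, "24.1.1.0/24"))
    print("discontiguous, R2 receives:", discontiguous_view())
    print(manual_summary("1.1.0.0/16", [Route("1.1.11.0/24", 409600),
                                        Route("1.1.33.0/24", 435200)]))
```

Running it shows R2 sending all five /24s towards R3 but only 1.0.0.0/8 towards R4, and in the discontiguous case the same 1.0.0.0/8 arriving from both R1 and R3, which is exactly the ambiguity the notes warn about; the manual summary shows why the Null0 entry with AD 5 is needed alongside the advertised summary.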
◆ Unequal-cost load balancing experiment
  1. Enable EIGRP on every router.
  2. On R2, look at the load sharing towards R3.
  3. Change the delay on R2's F2/0 interface.
  4. Configure variance <multiplier> (condition: the unequal-cost link must satisfy the FC, i.e. the sub-optimal path's AD must be smaller than the FD of the optimal path):
      router eigrp 1
       variance 2
     Choosing the multiplier: optimal FD × multiplier ≥ sub-optimal FD.
  5. On R2, sho ip ro 33.1.1.0 shows the traffic share between the paths.

◆ Configuring EIGRP on WAN links
  By default EIGRP may use 50% of the interface bandwidth; the ratio can be changed manually. When planning EIGRP over a WAN, consider whether half of a low-speed link's bandwidth is enough for EIGRP, guarantee the minimum bandwidth EIGRP needs, and never let EIGRP take the whole link: bandwidth must be left for user traffic.
◆ Example: A and B are joined by a T1 link (1.544 Mb/s), but the company bought only 32 K of bandwidth. EIGRP automatically takes up to half of the link bandwidth, more than 700 K by default, which exceeds the total bandwidth actually purchased; during EIGRP updates the link is saturated and all other traffic is congested. The fix is to set the outbound bandwidth manually: bandwidth 32 under the interface.
◆ WAN interface bandwidth
  ● Frame Relay: the default bandwidth is T1 (1.544 M); bandwidth can be configured manually per PVC.
  ● Multipoint networks (Frame Relay, ATM, ISDN PRI): the physical interface's bandwidth is divided by the number of neighbors. For example, if the MA link is 100 K, EIGRP uses 50 K by default, and that must be split evenly across the branches, so in a one-to-two NBMA network each link gets 25 K. An MA network is one physical interface on the hub corresponding to several physical interfaces at the remote end.
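To tie the metric formula, the DUAL terms (AD, FD, FS, FC) and the variance experiment together, here is an added example in Python that is not part of the original notes. It computes the composite metric with the default K values, classifies R2's candidate paths to 33.1.1.0/24 (the network used in the notes) into successor, feasible successor and rejected, and shows which paths variance installs. The topology (all FastEthernet, with extra delay applied on R2's F2/0 towards R3 and on the R2-R1 link, plus a third path via an assumed router R4) and all link values are constructed for illustration; the traffic-share rule used is the IOS one of dividing the largest installed metric by each path's metric.

```python
"""Added example, not from the original notes: EIGRP composite metric, DUAL
feasibility condition and variance-based unequal-cost load sharing."""
from dataclasses import dataclass

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5; only bandwidth and delay count by default


def eigrp_metric(min_bw_kbps, total_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """[K1*BW + K2*BW/(256-load) + K3*DELAY] * [K5/(reliability+K4)] * 256, with
    BW = 10^7 / minimum bandwidth (kbps) and DELAY = total delay / 10 (delay in
    microseconds, i.e. IOS `delay` units of tens of microseconds). The K5 factor
    is skipped when K5 == 0, as IOS does; integer arithmetic as in IOS."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps
    delay = total_delay_us // 10
    m = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        m = (m * k5) // (reliability + k4)
    return m * 256


@dataclass
class Path:
    """A candidate path as seen from the local router. links: (bandwidth_kbps,
    delay_us) per hop, starting with the link to the neighbor and ending with
    the destination network's own interface."""
    neighbor: str
    links: list


def path_metric(links):
    """Metric over a chain of links: minimum bandwidth, summed delay."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))


def feasible_distance(path):
    """FD: the local router's full metric through this neighbor."""
    return path_metric(path.links)


def reported_distance(path):
    """AD (reported distance): the neighbor's own metric to the destination."""
    return path_metric(path.links[1:])


def dual_select(paths, variance=1):
    """Successor(s), feasible successor(s) and the paths installed for load
    sharing. FC: a neighbor's AD must be strictly less than the best FD.
    A non-successor is installed only if it meets FC and FD <= best_FD * variance."""
    best_fd = min(feasible_distance(p) for p in paths)
    successors, feasible, installed = [], [], []
    for p in paths:
        fd, rd = feasible_distance(p), reported_distance(p)
        if fd == best_fd:
            successors.append(p.neighbor)
            installed.append(p.neighbor)
        elif rd < best_fd:
            feasible.append(p.neighbor)
            if fd <= best_fd * variance:
                installed.append(p.neighbor)
    # IOS traffic share count: largest installed metric divided by each path's metric
    used = [p for p in paths if p.neighbor in installed]
    max_fd = max(feasible_distance(p) for p in used)
    share = {p.neighbor: max_fd // feasible_distance(p) for p in used}
    return {"fd": best_fd, "successors": successors,
            "feasible_successors": feasible, "installed": installed, "share": share}


# Constructed topology for R2 reaching 33.1.1.0/24. All links are FastEthernet
# (100000 kbps, 100 us). R2's F2/0 towards R3 carries `delay 20` (200 us) and the
# R2-R1 link `delay 200` (2000 us); the path via R4 has its slow hop beyond R4.
R2_PATHS = [
    Path("R3", [(100000, 200), (100000, 100)]),                   # direct, successor
    Path("R1", [(100000, 2000), (100000, 100), (100000, 100)]),   # AD 30720 < FD: FS
    Path("R4", [(100000, 100), (100000, 2000), (100000, 100)]),   # AD 79360 >= FD: no
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}:", dual_select(R2_PATHS, variance=v))
```

With variance 1 only R3 is installed; variance 2 still excludes R1 because 2 × 33280 < 81920; variance 3 installs R1 with a traffic share of 2:1 in R3's favour. The R4 path has the same FD as the R1 path but is never installed, whatever the variance, because its AD fails the feasibility condition: variance can only add feasible successors, which is the condition the experiment in the notes relies on.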
