Sunday, 17 July 2022

What are ASA firewall security zones? How do you configure security zones?

By default, Cisco routers forward every packet they receive as long as the destination matches a route in their routing table. If we want to restrict some of that traffic, we have to configure access lists, but with many access-list rules this quickly becomes a nightmare to configure on each interface.





In the diagram above, our router has two inbound access lists that deny some routes from the hosts' LAN, and two more access lists that stop some routes from the Internet (WAN) from entering our LAN. That means we have to apply access lists on four interfaces just to protect one LAN network. There is a better solution, called a security zone, which is what an ASA firewall uses.

Let's see an example of how a security zone works.





 


As you can see above, we have two security zones.

 

1. INSIDE: our LAN network.

2. OUTSIDE: our WAN network (Internet).

Each ASA interface is assigned to the correct security zone. Security zones follow two simple rules:

Traffic coming from a higher security level to a lower security level is permitted.

Traffic coming from a lower security level to a higher security level is denied.

 

Security levels – 

The ASA interface is by default in routed mode, operating at layer 3.

ASA firewall interfaces are assigned a security level, a number between 0 and 100. The higher the number, the more the network connected to that interface is trusted.

 

Earlier we saw names like INSIDE, OUTSIDE, and DMZ.

We can assign such names to an ASA interface with the nameif command. As soon as a name is assigned, the interface automatically receives a default security level. For example, if we name an interface inside, it receives security level 100, i.e. the most trusted network. If we name it outside, dmz, or anything else, it receives security level 0. These are default values and can be changed.

It is good practice to give a security level of 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted public network), and 50 to DMZ (the network for the organization's publicly reachable devices).

Note –  
It is not mandatory to assign a name (INSIDE, OUTSIDE, or DMZ) to an ASA interface, but it is good practice to use these names, as they are simple and meaningful.

 

 



 

 

Our LAN is the trusted network, so it gets a high security level. The WAN is untrusted, so it gets a low security level. This means that traffic from our LAN to the WAN is permitted, while traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic of connections that were started from our LAN.

If you want to make an exception and permit traffic from the WAN to the LAN, this can be accomplished with an access list.

Most companies will have one or more servers that should be reachable from the Internet. Perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone).

 

The DMZ security level is between INSIDE and OUTSIDE.

Traffic coming from INSIDE going to OUTSIDE is permitted.

Traffic coming from DMZ going to OUTSIDE is permitted.

Traffic coming from INSIDE going to DMZ is permitted.

Traffic coming from DMZ going to INSIDE is denied.

Traffic coming from OUTSIDE going to INSIDE is denied.

To provide connectivity between OUTSIDE and the DMZ, we use an access list that permits traffic only to the specific IP addresses and port numbers of our servers. If something happens to one of those servers (it gets hacked), our inside network is still protected.
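As an added example (not part of this post and not Cisco code), here is a small Python model of the default zone policy just described: security levels decide whether a new connection may start, the connection table lets the return traffic back in, and an access list supplies the exceptions. The zone names, levels and addresses follow this post; the ACL entry and the port numbers in the walk-through are constructed.

```python
"""Added example (not Cisco code): a model of the ASA default inter-zone policy
described in this post.  Each interface has a security level from 0 to 100.  A
new connection is permitted only from a higher level to a lower one; the
firewall records every connection it permits, so the return traffic of that
connection is accepted even though it flows low -> high; an access list adds
explicit exceptions such as OUTSIDE -> DMZ web server.  Zone names, levels and
addresses follow the post (inside=100, dmz=50, outside=0); the ACL entry and
the host/port numbers in the scenario are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ZONES: Dict[str, int] = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The return direction of this flow (what the server sends back)."""
        return Flow(self.dst_zone, self.dst_ip, self.dst_port,
                    self.src_zone, self.src_ip, self.src_port)


@dataclass
class AsaPolicy:
    zones: Dict[str, int]
    # Explicit inbound exceptions as (dst_zone, dst_ip, dst_port), like an
    # access-list applied to the outside interface.
    acl: List[Tuple[str, str, int]] = field(default_factory=list)
    # Connection table: the stateful part of the firewall.
    conn_table: Set[Flow] = field(default_factory=set)

    def check(self, flow: Flow) -> Tuple[bool, str]:
        """Return (permitted, reason) for one packet and update the state."""
        # 1. Stateful inspection: reply packets of a connection we already
        #    allowed are permitted regardless of security levels.
        if flow.reverse() in self.conn_table:
            return True, "return traffic of an established connection"
        src, dst = self.zones[flow.src_zone], self.zones[flow.dst_zone]
        # 2. Default rule: higher -> lower is permitted and remembered.  Equal
        #    levels fall through to deny, which is also the ASA default.
        if src > dst:
            self.conn_table.add(flow)
            return True, f"security level {src} -> {dst}"
        # 3. Access-list exception for lower -> higher traffic.
        if (flow.dst_zone, flow.dst_ip, flow.dst_port) in self.acl:
            self.conn_table.add(flow)
            return True, "permitted by access-list"
        return False, f"security level {src} -> {dst} denied by default"


def run_scenario() -> List[Tuple[str, bool]]:
    """Walk through the rules from the post plus the stateful return path and
    one ACL exception; returns (description, permitted) pairs."""
    fw = AsaPolicy(ZONES, acl=[("dmz", "192.168.20.2", 80)])   # constructed ACL
    pc, server, internet = "192.168.10.3", "192.168.20.2", "192.168.30.2"
    steps = [
        ("INSIDE -> OUTSIDE", Flow("inside", pc, 50000, "outside", internet, 443)),
        ("OUTSIDE -> INSIDE (reply)", Flow("outside", internet, 443, "inside", pc, 50000)),
        ("OUTSIDE -> INSIDE (new)", Flow("outside", internet, 40000, "inside", pc, 22)),
        ("DMZ -> OUTSIDE", Flow("dmz", server, 50001, "outside", internet, 53)),
        ("INSIDE -> DMZ", Flow("inside", pc, 50002, "dmz", server, 80)),
        ("DMZ -> INSIDE (new)", Flow("dmz", server, 50003, "inside", pc, 445)),
        ("OUTSIDE -> DMZ web (ACL)", Flow("outside", internet, 40001, "dmz", server, 80)),
        ("OUTSIDE -> DMZ ssh", Flow("outside", internet, 40002, "dmz", server, 22)),
    ]
    results = []
    for name, flow in steps:
        permitted, reason = fw.check(flow)
        results.append((name, permitted))
        print(f"{name:28} {'permit' if permitted else 'deny  '}  ({reason})")
    return results


if __name__ == "__main__":
    run_scenario()
```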

Let's see the configuration:

Topology:




Goal:

  • Configure the topology as per the diagram
  • Configure the IP addresses on the interfaces
  • Configure gig1/1 as the outside zone
  • Configure gig1/3 as the inside zone
  • Configure gig1/2 as the DMZ


ciscoasa(config)#interface gigabitEthernet 1/1

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/3

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/2

ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#security-level 50

ciscoasa(config-if)#exit


FROM SERVER



Router(config)#interface fastEthernet 0/0

Router(config-if)#ip address 192.168.30.2 255.255.255.0

Router(config-if)#no shutdown


%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up


Router(config-if)#exit




FROM PC

C:\>IPCONFIG


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09

IP Address......................: 192.168.10.3

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


ciscoasa#show ip address

System IP Addresses:

Interface          Name     IP address     Subnet mask     Method
GigabitEthernet1/1 outside  192.168.30.1   255.255.255.0   CONFIG
GigabitEthernet1/2 dmz      192.168.20.1   255.255.255.0   DHCP
GigabitEthernet1/3 inside   192.168.10.1   255.255.255.0   unset

Current IP Addresses:

Interface          Name     IP address     Subnet mask     Method
GigabitEthernet1/1 outside  192.168.30.1   255.255.255.0   CONFIG
GigabitEthernet1/2 dmz      192.168.20.1   255.255.255.0   DHCP
GigabitEthernet1/3 inside   192.168.10.1   255.255.255.0   unset



ciscoasa#ping 192.168.10.3


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms



ciscoasa#ping 192.168.20.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms



ciscoasa#ping 192.168.30.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms














Wednesday, 8 June 2022

What is an ASA firewall? How do you configure the Adaptive Security Appliance?

Introduction to firewalls

A firewall is a barrier between LAN and WAN networks (trusted and untrusted networks). We place the firewall in the forwarding path of the network so that every packet has to be checked by it.




There are two kinds of firewalls: software firewalls, such as the one preinstalled with Microsoft Windows, and hardware firewalls, which are what we are going to look at here.

 



 

In the diagram above, we have a LAN with two host PCs and a Cisco switch. On the other side is a router connected to the ISP for Internet access. We place our firewall in between to protect our LAN network.

Stateless and stateful filtering.

You can use a router as a firewall, but it is not a good choice, because a router does not spend much effort on filtering. It checks the access list for the port numbers and the source and destination IP addresses; if the packet matches an entry, the router permits or denies it and then forgets about it. This is called stateless filtering. A firewall, by contrast, uses stateful filtering: it keeps track of all incoming and outgoing connections.

 

ASA (Adaptive Security Appliance) is a Cisco security device that combines a classic firewall with VPN, IPS (Intrusion Prevention System), and antivirus capabilities. The ASA is capable of providing threat defense before most attacks spread into our LAN network.

I think we have done enough talking; the rest of the theory we will see in the next section.

Let's see how to configure it:

Topology:




Goal:

  • Configure the topology as per the diagram
  • Assign an IP address to the ASA interface
  • Configure nameif to the ASA interface
  • Configure the security level to the interface
  • Configure hostname to ASA Firewall
  • Configure password


ciscoasa>enable

Password:


ciscoasa(config)#interface gigabitEthernet 1/1

ciscoasa(config-if)#ip address 10.1.1.2 255.0.0.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif inside



ciscoasa(config-if)#security-level 100

ciscoasa(config-if)#exit


ciscoasa(config)#hostname ASA-Firewall


ASA-Firewall(config)#enable password internetworks

ASA-Firewall(config)#username Admin password internetworks


ASA-Firewall(config)#end


Friday, 3 June 2022

What is Route Leaking? How do you configure a Leak-Map?

The leak-map name keyword configures the stub router to advertise selected EIGRP-learned routes that are not ordinarily advertised. The name refers to a route map that matches one or more ACLs or prefix lists and permits the matched subnets or addresses to be leaked.

 

The EIGRP stub feature is very useful when we want to prevent unnecessary EIGRP queries and filter the routes we advertise. But when we configure our EIGRP router as a stub and still want to make an exception for some routes (networks) so that they are advertised, this is possible with the help of a leak-map.

 

In summary routes

Whenever we configure an EIGRP summary route, the networks within the range of the summary are no longer advertised on that interface; only the summary route is left. If we want to advertise some networks separately, next to the summary route, this can also be done with a summary leak-map. Let's see how to configure a leak-map.

Topology:



Goal:

  • Configure the topology as per the diagram.
  • Assigning the IP addresses to their interfaces.
  • Configure EIGRP 1234 on all the routers.
  • Configure EIGRP STUB connected on router 3.
  • Configure a Leak-Map on router 3 so that, as an exception, the network 192.168.32.1 is still advertised to all the routers.



R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface loopback 0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/0
R3(config-if)#ip address 1.1.1.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit


R4(config)#interface fastEthernet 2/1
R4(config-if)#ip address 192.168.32.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 192.168.30.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface fastEthernet 2/0
R4(config-if)#ip address 192.168.31.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  1.1.1.1         YES manual up                    up
Loopback0                  10.1.1.1        YES manual up                    up


R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/1                  2.2.2.2         YES manual up                    up
Loopback0                  20.1.1.1        YES manual up                    up

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  1.1.1.2         YES manual up                    up
Serial4/1                  2.2.2.1         YES manual up                    up
Serial4/2                  3.3.3.1         YES manual up                    up



R4#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.30.1    YES manual up                    up
FastEthernet2/0            192.168.31.1    YES manual up                    up
FastEthernet2/1            192.168.32.1    YES manual up                    up
Serial4/2                  3.3.3.2         YES manual up                    up





R1(config)#router eigrp 1234
R1(config-router)#network 0.0.0.0 255.255.255.255
R1(config-router)#no auto-summary
R1(config-router)#exit

*Jun  2 23:22:30.379: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency


R2(config)#router eigrp 1234
R2(config-router)#network 0.0.0.0 255.255.255.255
R2(config-router)#no auto-summary
R2(config-router)#exit

*Jun  2 23:52:39.419: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.1 (Serial4/1) is up: new adjacency


R3(config)#router eigrp 1234
R3(config-router)#network 0.0.0.0 255.255.255.255
R3(config-router)#no auto-summary
R3(config-router)#exit

*Jun  2 23:52:43.191: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is resync: summary configured

*Jun  2 23:52:40.287: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency


R4(config)#router eigrp 1234
R4(config-router)#network 0.0.0.0 255.255.255.255
R4(config-router)#no auto-summary
R4(config-router)#exit

*Jun  3 00:14:00.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.1 (Serial4/2) is up: new adjacency


R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial4/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:04:44, Serial4/0
D    192.168.31.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0
D    3.0.0.0/8 [90/2681856] via 1.1.1.2, 00:03:45, Serial4/0
D    192.168.30.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0
D    20.0.0.0/8 [90/2809856] via 1.1.1.2, 00:04:43, Serial4/0
C    10.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0

R3(config)#router eigrp 1234
R3(config-router)#eigrp stub ?

  connected      Do advertise connected routes
  leak-map       Allow dynamic prefixes based on the leak-map
  receive-only   Set IP-EIGRP as receive only neighbor
  redistributed  Do advertise redistributed routes
  static         Do advertise static routes
  summary        Do advertise summary routes
  <cr>


R3(config-router)#eigrp stub connected

*Jun  3 00:15:23.055: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: peer info changed
*Jun  3 00:15:23.055: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: peer info changed
*Jun  3 00:15:23.063: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: peer info changed
R3(config-router)#
*Jun  3 00:15:26.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency
*Jun  3 00:15:26.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
*Jun  3 00:15:26.955: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency

R3(config-router)#exit




R3(config)#router eigrp 1234
R3(config-router)#eigrp stub connected leak
R3(config-router)#eigrp stub connected leak-map Route-Leak

*Jun  3 00:16:53.475: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: peer info changed
*Jun  3 00:16:53.483: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: peer info changed
*Jun  3 00:16:53.487: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: peer info changed
*Jun  3 00:16:54.003: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
R3(config-router)#exit
*Jun  3 00:16:54.783: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
R3(config-router)#exit

R3(config)#route-map Route-Leak
R3(config-route-map)#match ip address 1
R3(config-route-map)#exit



*Jun  3 00:18:07.935: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is resync: route configuration changed
*Jun  3 00:18:07.935: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is resync: route configuration changed
*Jun  3 00:18:07.939: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is resync: route configuration changed


R3(config)#access-list 1 permit 192.168.32.0 0.0.0.255

*Jun  3 00:18:51.583: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: route configuration changed
*Jun  3 00:18:51.599: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: route configuration changed
*Jun  3 00:18:51.603: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: route configuration changed
*Jun  3 00:18:52.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
*Jun  3 00:18:52.735: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
*Jun  3 00:18:55.883: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial4/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:00:09, Serial4/0
D    3.0.0.0/8 [90/2681856] via 1.1.1.2, 00:00:09, Serial4/0
C    10.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 1.1.1.2, 00:00:08, Serial4/0

R1#ping 192.168.32.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/36 ms

R1#traceroute 192.168.32.1

Type escape sequence to abort.
Tracing the route to 192.168.32.1

  1 1.1.1.2 8 msec 8 msec 12 msec
  2 3.3.3.2 16 msec 12 msec 24 msec

R1#traceroute 192.168.32.1

Type escape sequence to abort.
Tracing the route to 192.168.32.1

  1 1.1.1.2 40 msec 20 msec 20 msec
  2 3.3.3.2 16 msec 32 msec 40 msec


R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D    1.0.0.0/8 [90/2681856] via 2.2.2.1, 00:00:19, Serial4/1
C    2.0.0.0/8 is directly connected, Serial4/1
D    3.0.0.0/8 [90/2681856] via 2.2.2.1, 00:00:19, Serial4/1
C    20.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 2.2.2.1, 00:00:16, Serial4/1


R2#ping 192.168.32.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/27/36 ms


R2#ping 192.168.31.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.31.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#show ip protocols
Routing Protocol is "eigrp 1234"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  EIGRP stub, connected, leak-map Route-Leak
  Redistributing: eigrp 1234
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    0.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    2.2.2.2               90      00:48:15
    1.1.1.1               90      00:48:12
    3.3.3.2               90      00:48:11
  Distance: internal 90 external 170


Friday, 20 May 2022

What is a BGP Backdoor? How do you configure a BGP Backdoor?

BGP backdoor is a well-known feature of BGP that is used to change the AD (administrative distance) of eBGP routes. By default, external BGP (eBGP) has an administrative distance of 20; with the help of the backdoor command you can set it to 200. If two routing protocols provide route information for the same destination, the administrative distance is the first criterion a router uses to determine which routing protocol supplies the best path. The lowest AD value marks the protocol and link considered most reliable.

 

Why do we need to change eBGP AD?

Whenever our router learns about a network (prefix) through eBGP and also through an IGP such as OSPF, EIGRP, or RIP, it always chooses the eBGP route, because eBGP uses an administrative distance of 20. So by default our router prefers eBGP over EIGRP (AD 90), OSPF (AD 110), and RIP (AD 120).

In some scenarios this becomes a problem; let's see the configuration.
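Before the configuration, an added Python model (not Cisco code, not from the original post) of the selection rule just described: the router compares candidates for one prefix by AD first, and the backdoor keyword raises the eBGP AD for that prefix to 200 while keeping BGP from advertising it. The prefix, next hops and the [AD/metric] values come from the `show ip route` output later in this post.

```python
"""Added example (not Cisco code): how a router chooses between an eBGP route
and an EIGRP route to the same prefix by administrative distance (AD), and
what `network <prefix> mask <mask> backdoor` changes.  Values are taken from
this post: R1 learns 192.168.30.1/32 via eBGP from 1.1.1.2, shown as [20/0],
and via EIGRP from 3.3.3.1, shown as [90/2297856].  The backdoor command
raises the AD of that one eBGP prefix to 200 and keeps BGP from advertising
the prefix itself."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Cisco default administrative distances (lower wins).
DEFAULT_AD: Dict[str, int] = {"connected": 0, "static": 1, "ebgp": 20,
                              "eigrp": 90, "ospf": 110, "rip": 120, "ibgp": 200}
BACKDOOR_AD = 200
ROUTE_CODE = {"connected": "C", "static": "S", "ebgp": "B", "ibgp": "B",
              "eigrp": "D", "ospf": "O", "rip": "R"}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    protocol: str
    next_hop: str
    metric: int          # the protocol's own metric, printed after the AD


class Router:
    def __init__(self) -> None:
        self.candidates: List[Candidate] = []
        self.bgp_networks: Set[str] = set()   # `network` statements
        self.backdoor: Set[str] = set()       # ... those with the backdoor keyword

    def learn(self, cand: Candidate) -> None:
        self.candidates.append(cand)

    def bgp_network(self, prefix: str, backdoor: bool = False) -> None:
        self.bgp_networks.add(prefix)
        if backdoor:
            self.backdoor.add(prefix)

    def ad_of(self, cand: Candidate) -> int:
        """eBGP AD becomes 200 for a prefix marked as a backdoor network."""
        if cand.protocol == "ebgp" and cand.prefix in self.backdoor:
            return BACKDOOR_AD
        return DEFAULT_AD[cand.protocol]

    def best(self, prefix: str) -> Optional[Candidate]:
        """AD is the first criterion; the metric only breaks ties."""
        cands = [c for c in self.candidates if c.prefix == prefix]
        return min(cands, key=lambda c: (self.ad_of(c), c.metric), default=None)

    def bgp_advertised(self) -> List[str]:
        """A backdoor network is treated as local for path selection but is
        not originated into BGP."""
        return sorted(self.bgp_networks - self.backdoor)

    def route_line(self, cand: Candidate) -> str:
        """Render a route the way `show ip route` prints it: code, prefix,
        [AD/metric] and next hop."""
        return (f"{ROUTE_CODE[cand.protocol]}  {cand.prefix} "
                f"[{self.ad_of(cand)}/{cand.metric}] via {cand.next_hop}")


def r1_scenario() -> Tuple[Candidate, Candidate]:
    """R1 before and after `network 192.168.30.1 mask 255.255.255.255 backdoor`."""
    r1 = Router()
    r1.bgp_network("192.168.10.1/32")          # R1's own loopback, advertised
    r1.learn(Candidate("192.168.30.1/32", "ebgp", "1.1.1.2", 0))
    r1.learn(Candidate("192.168.30.1/32", "eigrp", "3.3.3.1", 2297856))
    before = r1.best("192.168.30.1/32")
    print("before:", r1.route_line(before))
    r1.bgp_network("192.168.30.1/32", backdoor=True)
    after = r1.best("192.168.30.1/32")
    print("after: ", r1.route_line(after))
    print("BGP advertises:", r1.bgp_advertised())
    return before, after


if __name__ == "__main__":
    r1_scenario()
```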


Topology:


Goal:

  • Configure the topology as per the diagram.
  • Assign the IP addresses.
  • Configure EIGRP 100 on router 1 and router 3.
  • Advertise the interfaces.
  • Configure eBGP peering between router 1 and router 2.
  • Configure eBGP peering between router 2 and router 3.
  • Make sure router 1 gets the 192.168.30.1 route from the serial 4/3 link via EIGRP.
  • Configure a backdoor in order to get the 192.168.30.1 route via the serial 4/3 link from router 3.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface serial 4/2
R1(config-if)#ip address 3.3.3.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.10.1 255.255.255.255
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive

R2(config-if)#exit

R2(config)#interface loopback 0
R2(config-if)#ip address 192.168.20.1 255.255.255.255
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)# no shutdown
R3(config-if)#exit

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit



R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 3.0.0.0
R1(config-router)#exit

*May 20 13:40:19.679: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.1 (Serial4/2) is up: new adjacency

R1(config)#router bgp 6111
R1(config-router)#neighbor 1.1.1.2 remote-as 6100
R1(config-router)#network 192.168.10.1 mask 255.255.255.255
R1(config-router)#network 10.0.0.0
R1(config-router)#exit
R1(config)#end

*May 20 13:43:29.459: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up

R2(config)#router bgp 6100
R2(config-router)#neighbor 1.1.1.1 remote-as 6111
R2(config-router)#network 192.168.20.1 mask 255.255.255.255
R2(config-router)#neighbor 2.2.2.2 remote-as 6333
R2(config-router)#exit

 20 13:43:29.531: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R3(config)#router eigrp 100
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.30.0
R3(config-router)#exit

*May 20 13:40:19.663: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R3(config)#router bgp 6333
R3(config-router)#neighbor 2.2.2.1 remote-as 6100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 192.168.30.1 mask 255.255.255.255
R3(config-router)#exit
R3(config)#end

*May 20 13:42:50.559: %BGP-5-ADJCHANGE: neighbor 2.2.2.1 Up

R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
B        192.168.10.1 [20/0] via 2.2.2.1, 00:02:03


(As you can see from the output above, router 3 is learning R1's 192.168.10.1 route via R2, from serial 4/0 to serial 4/1 {2.2.2.1}, because of the lower AD value of eBGP.)

Let's see from where router 1 is getting the 192.168.30.1 network.


R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
B        192.168.30.1 [20/0] via 1.1.1.2, 00:01:44

(Router 1 is also installing the 192.168.30.1 network via the eBGP path, because of the lower AD of eBGP.)

We need to fix this with the help of the BGP backdoor command.

R1(config)#router bgp 6111
R1(config-router)#network 192.168.30.1 mask 255.255.255.255 backdoor
R1(config-router)#exit

R3(config)#router bgp 6333
R3(config-router)#network 192.168.10.1 mask 255.255.255.255 backdoor



R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
D        192.168.10.1 [90/2297856] via 3.3.3.2, 00:38:02, Serial4/2


(As you can see, after applying the backdoor command our routers install a new path.)


A backdoor network is treated as a local network, except that it is not advertised. 

R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
D        192.168.30.1 [90/2297856] via 3.3.3.1, 00:02:17, Serial4/2

Wednesday, 4 May 2022

What is ARP (Address Resolution Protocol)? How does ARP work?

What is ARP (Address Resolution Protocol)?

ARP (Address Resolution Protocol) is a communication protocol. Networking devices use it to discover the MAC (media access control) address associated with an IPv4 address (the internet-layer address) and to map MAC addresses to IPv4 addresses. This mapping is done dynamically and stored in the ARP cache. ARP works between layer 2 and layer 3 of the OSI model, because the MAC address lives on the data link layer and the IP address on the network layer.


How does ARP work?

Whenever a new PC (computer) connects to a LAN, it is assigned an IP address, statically or dynamically, to identify it and to communicate. When an incoming packet destined for a host on a particular LAN arrives at a gateway, the gateway asks ARP for the MAC address that matches the IP address. The ARP mappings are kept in a table called the ARP cache. Whenever a host needs a MAC address in order to send a packet to another host on the LAN, ARP first looks in the cache to see whether the IP-to-MAC translation is already stored. If it is, no ARP broadcast is needed; if not, ARP sends a request for the network address ("does anybody know this IP address?").

 


ARP broadcasts a request packet to all hosts on the LAN, asking whether any host is using this particular IP address. When a host recognizes its own IP address, it immediately sends a unicast reply, so ARP can store the mapping in the cache table, and communication can proceed.

 

 

What happens if the host (machine) doesn’t know its own IP address?

In this situation, the RARP (Reverse ARP) protocol is used for discovery. In the next chapter we are going to look at proxy ARP and RARP.

 

What is ARP cache?

The ARP cache is a table where the mappings (translations) are stored. The size of the ARP cache is limited, and from time to time all of its entries are flushed to free space. Mappings are stored for a few minutes. ARP updates the cache frequently, whenever a host changes its IP address.
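The request, reply and cache behaviour described above, as an added Python example that is not part of the original post: it builds and parses real 28-byte ARP packets, keeps a cache with an ageing timer, and resolves an address first from the cache and only then by broadcasting. The hosts, MAC addresses and the 120-second timer are constructed; the 192.168.10.0/24 addresses echo the LAN used elsewhere on this blog.

```python
"""Added example (not from the original post): a small ARP model showing the
cache-first lookup, the broadcast request, the unicast reply and cache ageing
described above.  Packets use the real RFC 826 layout (28 bytes for IPv4 over
Ethernet).  Hosts, MAC addresses and the 120 s ageing timer are constructed
for the example; the 192.168.10.0/24 addresses echo the LAN used on this blog."""
import struct
from typing import Dict, List, Optional, Tuple

ARP_FMT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC of a request: not known yet

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Serialize one ARP packet (the Ethernet header is left out)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Decode an ARP packet, rejecting anything that is not IPv4 over Ethernet."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"oper": oper, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

class ArpCache:
    """IP -> (MAC, time learned).  Entries older than `ttl` seconds are dropped
    on lookup, standing in for the periodic flush described above."""
    def __init__(self, ttl: float = 120.0) -> None:
        self.ttl = ttl
        self.entries: Dict[str, Tuple[str, float]] = {}

    def lookup(self, ip: str, now: float) -> Optional[str]:
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, learned = hit
        if now - learned > self.ttl:
            del self.entries[ip]
            return None
        return mac

    def update(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now)

class Host:
    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip, self.cache = mac, ip, ArpCache()

    def handle(self, pkt: bytes) -> Optional[bytes]:
        """A host answers only a request for its own IP, with a unicast reply."""
        arp = parse_arp(pkt)
        if arp["oper"] == OP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(OP_REPLY, self.mac, self.ip, str(arp["sender_mac"]), str(arp["sender_ip"]))
        return None

def broadcast(lan: List[Host], sender: Host, pkt: bytes) -> List[bytes]:
    """One broadcast domain: the request reaches every other host on the LAN."""
    replies = [host.handle(pkt) for host in lan if host is not sender]
    return [r for r in replies if r is not None]

def resolve(host: Host, lan: List[Host], target_ip: str, now: float) -> Tuple[Optional[str], bool]:
    """Resolve target_ip for `host`: (MAC or None, whether a broadcast was needed)."""
    mac = host.cache.lookup(target_ip, now)
    if mac is not None:
        return mac, False                        # cache hit, no request sent
    request = build_arp(OP_REQUEST, host.mac, host.ip, ZERO_MAC, target_ip)
    for reply in broadcast(lan, host, request):
        arp = parse_arp(reply)
        if arp["oper"] == OP_REPLY and arp["sender_ip"] == target_ip:   # only the address we asked for
            host.cache.update(target_ip, str(arp["sender_mac"]), now)
            return str(arp["sender_mac"]), True
    return None, True                            # nobody owns that IP

def demo() -> List[Tuple[Optional[str], bool]]:
    pc = Host("00:11:22:33:44:03", "192.168.10.3")
    lan = [pc, Host("00:11:22:33:44:02", "192.168.10.2"), Host("00:11:22:33:44:01", "192.168.10.1")]
    return [
        resolve(pc, lan, "192.168.10.2", now=0.0),     # miss: broadcast, reply, cache it
        resolve(pc, lan, "192.168.10.2", now=30.0),    # hit: answered from the cache
        resolve(pc, lan, "192.168.10.2", now=200.0),   # aged out: broadcast again
        resolve(pc, lan, "192.168.10.99", now=200.0),  # unused IP: no reply at all
    ]
```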

 

 


ARP Commands

We use the arp -a command to display the ARP table. It shows all the entries of the ARP cache.




arp -g: this command works the same as the arp -a command.

We use the arp -d command when we want to delete an entry from the ARP table for a particular interface.

 




 


 

