INE R&Sv5 Workbook Full-Scale Practice Lab1 made in GNS3

UPDATE on 27 Dec 2016:
This post was updated to include Tom’s reply in the comments, which mentions errors when opening the lab in GNS3 for Mac.
UPDATE on 21 Jul 2015:
This post was updated on 21st of July 2015 with the GNS3 version 1.3.7 INE Full-Scale Practice Lab1 download. Just scroll to the bottom for the download link.


Yesterday INE finally added a Full-Scale Lab to their new CCIE Routing and Switching blueprint 5 workbook.
I realized this morning that you may not want to spend half of your day (as I did) configuring this topology in GNS3. Better to just take it from here and start your lab right away.

During my study process over the last year I built almost all of my INE labs in GNS3. That way I could run the labs for several days in a row without worrying about the money I would have spent on rack rentals. Of course, you will still need some rack rentals, particularly for troubleshooting sessions. For troubleshooting you need a preconfigured rack, because if you configure those topologies yourself there is a big chance you will see the ticket answers, which defeats the point of troubleshooting practice.

All my configuration sessions were done in GNS3, and this one will be done in GNS3 too over the next few days. If you want to save some time and get the topology ready and running in a few minutes, you can download it at the end of this article.


What is the difference between tunnel | transport mode in IPsec

Intro

IPsec is what makes VPN connections possible. It lets us simulate a leased line across the public Internet and so obtain a secure connection over an unsecured environment. It provides encryption, authentication and protection of our data when it is sent across the insecurity of the world’s biggest internetwork, the Internet.

It is the cheap way to simulate a leased line: a way to send private data across a public network without compromising privacy. The goal of IPsec is to secure services while lowering the cost of data transfer. Compare it to the pricing of data transfer across dark cables or leased lines.

There are two parts to the IPsec security suite:
– ESP – Encapsulating Security Payload
– AH – Authentication Header

Depending on our situation we can configure two different modes of operation, and here we will make clear the differences between those modes and the technology behind them.


/31 subnet in point-to-point links. Is that possible?


Ok, this is strange! At least that was my first reaction when I saw, in one of the CCIE labs I am trying to solve, that all the links between routers are addressed with a /31 subnet.

Isn’t it weird to see something like this for the first time after a couple of years in networking? For me it was. It blew my mind. I later asked my more experienced networking colleagues, but it seemed new to them too. Their first reaction was: Ok man, that’s not possible!

Well, try to type it on a router interface and you will see that it is possible. It is strange for sure, but it’s possible. The router OS (Cisco IOS in this case) will try to make sure that you use this kind of subnetting only for point-to-point links. That’s why it issues a warning message if you apply this subnet mask on an Ethernet interface. On a serial interface it goes through without the warning.

The idea behind this is of course simple if you put it this way:

BGP dampening – punishment for unstable BGP prefixes

BGP prefix flapping can be caused by different issues in the network. Basically, any unstable network where links are unreliable and go up and down here and there can cause BGP prefix flapping. Every prefix flap causes some networks to become unreachable. The BGP process then needs to recalculate the best path, hopefully finding another way to reach the unreachable network.

The impact on the network can be enormous, as one missing network prefix can mean that a huge number of other networks change the path by which they are reachable. In a prefix flap situation the prefix goes up and down all the time. After every status change, all that effort of finding a new best path is repeated, and when the prefix comes back everything is calculated again and becomes as it was before. We do have a way to cut the impact of flapping prefixes:

By implementing BGP prefix dampening. When configured, dampening punishes prefixes that change state from reachable to unreachable several times within a given time period. After every flap BGP gives the prefix a defined penalty, 1000 by default. The penalty immediately starts to decay exponentially, but if the prefix flaps several times in a short period it will surely collect enough points to reach the suppress limit, at which point BGP marks the prefix as dampened. That means it immediately suppresses advertisement of the prefix until the penalty falls below the reuse limit, which is 1000 by default. The suppress limit is 2000 by default, and yes, with the defaults the prefix needs to flap three times in order to be suppressed (count it: the first penalty is 1000 and the next one is also 1000, but the first one will have decayed by at least 1 to 999 before the second flap occurs).
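As an added illustration (not part of the original post), the following Python simulation replays the penalty accounting just described using the figures above: a penalty of 1000 per flap, a suppress limit of 2000 and a reuse limit of 1000. The exponential decay half-life is not given above, so the script assumes 15 minutes; the flap timestamps are constructed sample input.

```python
import math

# Values from the text: penalty per flap 1000, suppress limit 2000, reuse limit 1000.
# The 15-minute half-life is an assumed value; the text only says "exponential".
PENALTY_PER_FLAP = 1000.0
SUPPRESS_LIMIT = 2000.0
REUSE_LIMIT = 1000.0
HALF_LIFE_MIN = 15.0


def decay(penalty, minutes):
    """Exponential decay: the penalty halves every HALF_LIFE_MIN minutes."""
    return penalty * 2 ** (-minutes / HALF_LIFE_MIN)


def simulate(flap_times):
    """Replay flap timestamps (in minutes) and return the per-flap timeline.

    Each entry is (time, penalty_after_flap, suppressed). A prefix becomes
    suppressed once its penalty reaches SUPPRESS_LIMIT and is released again
    only after the penalty has decayed below REUSE_LIMIT.
    """
    penalty, last_t, suppressed, timeline = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = decay(penalty, t - last_t)  # decay since the previous flap
        last_t = t
        if suppressed and penalty < REUSE_LIMIT:
            suppressed = False                # quiet long enough: reuse
        penalty += PENALTY_PER_FLAP           # punish this flap
        if penalty >= SUPPRESS_LIMIT:
            suppressed = True                 # mark the prefix as dampened
        timeline.append((t, round(penalty, 1), suppressed))
    return timeline


def flaps_until_suppressed(flap_times):
    """Flap count at which the prefix is first dampened (0 if it never is)."""
    for i, (_, _, suppressed) in enumerate(simulate(flap_times), start=1):
        if suppressed:
            return i
    return 0


def minutes_until_reuse(penalty):
    """Minutes of quiet needed for a penalty to decay down to REUSE_LIMIT."""
    if penalty < REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_MIN * math.log2(penalty / REUSE_LIMIT)


if __name__ == "__main__":
    flaps = [0.0, 1.0, 2.0]  # constructed: three flaps one minute apart
    for t, p, s in simulate(flaps):
        print(f"t={t:4.1f} min  penalty={p:7.1f}  dampened={s}")
    print("flaps needed:", flaps_until_suppressed(flaps))
    print("minutes until reuse:", round(minutes_until_reuse(simulate(flaps)[-1][1]), 1))
```

Three flaps a minute apart reach the suppress limit on the third flap, while three flaps an hour apart never do, because each penalty has decayed to a fraction of itself before the next one is added.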

Source-based routing in IPv4 and IPv6 networks

In my current studies I did some work on security inside networking data paths. In my recent work I tried to run some experiments that needed source-based routing in order to be completed. Like most scientific work that tries to get from paper to experiment and then to something useful, it failed at the very beginning. To be more precise, and to make my failure look a bit better, I can explain what happened and what I came across while researching my idea. It’s something as simple as this:

Source-based routing, by IETF recommendation, needs to be disabled by default on networking devices. At least it should be, as the feature itself is recognised as a major security threat and the IETF itself is trying to get rid of it.

Of course, that can be considered a stop sign in an experiment that relies solely on source-based routing to get your thing running. (:

When you look at networking technology these days, it is probably the IP protocol you are talking about. Okay, maybe you are a new-age junkie and you are speaking about IPv6. Either way, the very first and main principle of routing a packet across a data network is decision making based on the destination IP address. A router decides where to send a packet based more or less solely on its destination IP address. It does so by reading its locally built routing table of destination subnets. From that table the router learns out of which interface it will send a packet destined for some address.

BGP communities

Oh man, when you start to write about BGP it is probably time to seriously ask yourself where you went wrong. That is probably the moment you realize there is a network geek sitting somewhere inside you. At least that is what happened to me when I finished writing this huge post. Don’t be scared, it’s fun to know about the things below.

Simple start

Every local network is managed by its own network administrator. If the network becomes big enough and there are more than a few sub-segments inside it, there will probably be some kind of routing protocol running inside. That routing protocol will be an IGP, an interior gateway protocol, most probably OSPF as it is vendor independent.

When we want to connect our network to other networks across the world, we connect it to the Internet. The Internet is the network connecting most of the networks today, and in that way it became the biggest inter-networking system in the world. To get that huge network to function and make our LANs act jointly, there must be a routing protocol that enables it.

BGP, the Border Gateway Protocol, is that one.

Every individual network has its own policies that make the network behave as its administrator wants. When connecting networks to the Internet, all those policies need to be tied together with the BGP protocol in order to influence outside communication entering the local network and communication initiated from the local network going out somewhere on the Internet. This is done using more than a few different BGP attributes. Those attributes are forwarded along with specific prefixes. Sometimes those attributes are not only forwarded but also modified on the way, and one of those is the community attribute.

VXLAN – Virtual Extensible LAN

As time goes by and networks with more and more virtualised servers and other devices become more complicated, overlay technologies are rising to save the day for network administrators.

Virtual Extensible LAN (VXLAN) is a new encapsulation technology used to run an overlay network on an existing Layer 3 network. An overlay network is a logical network set up on top of the existing Layer 2 network, and it also uses additional Layer 3 technologies to support flexible computing architectures. VXLAN makes it easy for network engineers to scale out a cloud computing environment while logically separating cloud applications and tenants. A cloud computing environment is multitenant by definition, and every tenant needs its own separately configured logical network, which in turn needs its very own network ID.

What the hell does that mean?

What is VXLAN actually doing? To put it simply, VXLAN can create a logical network to connect your virtual machines across different networks. It lets us build a Layer 2 network for our VMs on top of our Layer 3 network. That’s why VXLAN is an overlay technology. In a “normal” network, if you are connecting a virtual machine to another virtual machine on a different subnet, you need a Layer 3 router to connect the networks. With VXLAN we can use a VXLAN gateway of some sort to connect them without even exiting into the physical network.

VXLAN frame

Image: VXLAN frame – taken from blog.cisco.com website