Static Route Load Balance

How it works?

If you have two routers / two Layer3 switches connected with two L3 links (two paths) you can route with two equal static routes towards the same prefix and the router will load balance traffic across both links.

The idea is to make two same static routes on the same router but with different next-hops. The question was: Which link or which route will be used? And if the traffic will be load balanced, which mechanism will be used to share the traffic across both of links.

static route load balancing

 

ip route 10.0.0.0 255.0.0.0 192.168.10.2
ip route 10.0.0.0 255.0.0.0 192.168.11.2

What is route recursion

We are going back to networking basics with this post. In few lines below you will find most important theory that makes network gear do its job.

The main router job is to making routing decisions to be able to route packets toward their destination. Sometimes that includes recursive lookup of routing table if the next-hop value is not available via connected interface.

Routing decision on end devices

Lets have a look at routing decision that happens if we presume that we have a PC connected on our Ethernet network.

If one device wants to send a packet to another device, it first needs to find an answer to these questions:

  • Is maybe the destination IP address chunk of local subnet IP range?
    • If that is true, packet will be forwarded to the neighbour device using Layer 2 in the ARP example below.
    • If that is not the case, does the device network card configuration include a router address through which that destination can be reached? (default gateway)
  • Device then looks at his local ARP table. Does it include a MAC address associated with the destination IP address?
    • If the destination is not part of the local subnet, does the local ARP table contain the MAC address of the nearest router? (MAC address to IP address mapping of default gateway router)

Control Plane Protection in Cisco IOS

CoPP – Control Plane Protection or better Control Plain Policing. It is the only option to make some sort of flood protection or QoS for traffic going to control plane.

In the router normal operation the most important traffic is control plain traffic. Control plane traffic is traffic originated on router itself by protocol services running on it, destined to other router device on the network. In order to run properly, routers need to speak with each other. They speak with each other by rules defined in protocols and protocols are running in shape of router services.

Examples for this kind of protocols are routing protocols like BGP, EIGRP, OSPF or some other non-routing protocols like CDP etc..

CoPP

Control Plane Policing is QoS applied on ingress sub-interfacess towards Route Processor

When router is making BGP neighbour adjacency with the neighbouring router, it means that both routers are running BGP protocol service on them. BGP service is generating control plane traffic, sending that traffic to BGP neighbour and receiving control plane traffic back from the neighbour.

Usage of Control Plane Protection is important on routers receiving heavy traffic of which to many packets are forwarded to Control Plane. In that case, we can filter traffic based on predefined priority classes that we are free to define based on our specific traffic pattern.

How Encryption of Network Traffic Works?

I recently started studying again, this time as an attempt of deep-diving into some security concepts for one of my PhD courses. It’s interesting how, as much as you try to escape from it, mathematics will sooner or later catch you somewhere and you will need to learn a bit more of it. At least that happened to me…

In this process I realised that if you go beyond simple security theory and network device configuration all other stuff is pure mathematics.

The reason behind my unplanned course in mathematics is explained through the rest of this text. It will explain what is network security and where is the math needed to get network communication secure. In the end, it was actually fun.

Encryption

Encryption

If you want two distant computers to talk with each other so that nobody else can see what they are talking about, you want to make a secure network connection between them. Security in this case means that you need to connect those machines to the network and be able to make the communication a secret communication. Secret communication through public communication system is possible by using encryption.

Nagle’s algorithm

How Nagle’s algorithm is making TCP/IP better and when is ok to use it. Truth be told, Nagle should be avoided in today’s high-speed networks.

This article it’s not about mathematics, don’t be afraid. I’m running a networking blog and it’s not my intention to speak or write about anything related to mathematics. Biggest math problem that I’ve done in last few years is some simple subneting, EIGRP metric calculation and that is where I stopped with math for now.

On the other hand, I love the theory behind algorithms, specially if the algorithm is used in networking and if it is so simple and powerful as Nagle’s algorithm.

You can guess, John Nagle is the name of the fellow who created the algorithm. He found a solution for TCP/IP efficiency issue also known as “small packet problem”.

Here’s what happens:

Proxy ARP

I found different kinds of explanations about what Proxy ARP is, just few of them were understandable at first. After merging all of them this explanation came out of my networking workshop:

  • Assuming that a router has an ARP entry of some IP address, if he receives an ARP request from somebody for that IP, the router will respond with its own MAC address.
  • Proxy ARP is fairly simple technique for nodes to get MAC address of a destination host that is on a different subnet but on the same router. Same router different interface.

And this one to:

  • If we have in the network one edge router that is our way out from the local LAN network. That router has Proxy ARP enabled by default. When it receives an ARP request on his interface for a client that is not actually from that local network it will try to be helpful and it will search his routing table if that network is locally connected on some other local interface. If he finds it, it will respond with his own MAC address to tell the source that he is the way to go towards that host.

If we look at the image below, I prepared a more detailed example for those who are still a bit confused about it.

It’s a technique that enables our R7 router on the image below to proxy ARP request from C1 computer which tries to find MAC address of computer C3.

You need to note that C1 has address from /16 range and that is why it thinks that 192.168.50.50 is on the same subnet as 192.168.1.11 . If that was not the case and C1 had the address 192.168.1.11/24, it would send the ARP asking what is MAC address of default gateway. It will go to default gateway because he will know that he is not directly connected to all of network 192.168.0.0/16. We are then talking about standard routing by getting the packets from one subnet to another using routing table examination.

Mitigate DoS Attack using TCP Intercept on Cisco Router

This is really cool feature on Cisco router not usually mentioned until you dig a little deeper inside Cisco IOS. But first a bit of theory…

What is TCP SYN flood attack

TCP 3-way handshake

SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets usually with fake source IP.

This attack uses TCP 3-way handshake to reserve all server available resources with fake SYN requests not allowing legitimate users to establish connection to the server. SYN packet is the first step in TCP 3-way handshake. This is the step where client sends connection synchronization request to the server. Server receives TCP SYN from client, the server replies back with SYN ACK. SYN ACK acknowledges synchronization request.

In that moment server is waiting the client to complete the handshake by sending an ACK back to server to acknowledge the SYN ACK. With this third step, TCP session is successfully established and communication between server and client begins.

If the ACK is not received from the client side, server will wait for it for some time and then the session will timeout and get dropped. When the server deletes the session, his resources will be released.

TCP SYN flood attack

TCP SYN flood attack sends first packet of 3-way handshake SYN packet to server many times to cause the server to allocate resources for sessions that will never become established. It means that client who is attacking will never respond to server SYN ACK and the session will remain on the second step of 3-way.