BGP Troubleshooting Flow

Troubleshooting BGP Route Advertisement

Troubleshooting Multihoming Outbound

Troubleshooting Multihoming Inbound

Troubleshooting Routes Missing from the Routing Table


Troubleshooting BGP Neighbor Establishment

bgp main troubleshooting

Curhatan

tanpa disadari waktu terus berjalan, berlomba oleh usia, impian belum terwujud "how to become CCIE " wow.. jalan berliku musti dihadapi. dunia network harus tidak tergantung dlm satu "konteks" hari ini saya mendapat pelajaran berharga "not just the only one" saatnya mencoba memikirkan secara luas. apa selanjutnya ?.

time to play with juniper network. JNCIS-M saya datang..... hehehehe..
mungkin tahun depan akan di coba utk CEH certified.

thinks...thinks..thinks...and do it...
sambil ngumpulin duit buat nge-lab CCIE :-P

MPLS Concepts

The two major elements of MPLS architecture are the control plane and the data plane.

• The control plane exchanges routing information (with routing protocols such as OSPF) and labels with protocols such as LDP or TDP
• The data plane is the forwarding engine

MPLS labels maintain how to forward information. They function differently depending on whether MPLS is functioning in frame-mode or cell-mode.

• In frame-mode MPLS labels are 32-bit fields inserted between the Layer 2 and Layer 3 headers. These are broken into the following
  • 20-bit label
  • 3-bit experimental field
  • 1 bit bottom-of-stack indicator
  • 8-bit TTL field
• In cell-mode the ATM header is the label

A label switch router (LSR) is a device that forwards based on labels.

An edge LSR labels and removes labels from packets.

LSRs that perform cell-mode MPLS are divided into the following categories:

• ATM LSRs if they are ATM switches. All interfaces are enabled for MPLS, and forwarding is done based only on labels.
• ATM edge LSRs if they are routers connected to an MPLS-enabled ATM network.

Forwarding equivalence class (FEC) describes the forwarding characteristic of a packet, such as the destination IP.

MPLS is used for the following applications:

• Unicast IP routing
• Multicast IP routing
• MPLS traffic engineering provides more efficient link use
• Differentiated Quality of Service
• MPLS VPNs - Separate customer routing information across the MPLS backbone
• Any Transport over MPLS - Transport Layer 2 packets over an MPLS backbone

Label Assignment and Distribution

Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) exchange labels and store the information in the label information base (LIB).

A label is added to the IP forwarding table (forwarding information base, or FIB) to map an IP prefix to a next-hop label.

A locally generated label is added to the label forwarding information base (LFIB) and mapped to a next-hop label.

An LSP is a sequence of LSRs that forward labeled packets for a particular FEC. Each LSR swaps the top label in a packet traversing the LSP. An LSP is similar to Frame Relay or ATM virtual circuits. In cell-mode MPLS, an LSP is a virtual circuit.

Impacts of IP Aggregation

Aggregation (or summarization) should not be used on ATM LSRs because it breaks LSPs in two, which means that ATM switches would have to perform Layer 3 lookups.

Aggregation should also not be used where an end-to-end LSP is required. Typical examples of networks that require end-to-end LSPs are the following:

• A transit BGP autonomous system (AS) where core routers are not running BGP

• An MPLS VPN backbone

• An MPLS-enabled ATM network

• A network that uses MPLS TE

Frame-Mode Loop Detection

The TTL functionality in MPLS is equivalent to that of traditional IP forwarding. Furthermore, when an IP packet is labeled, the TTL value from the IP header is copied into the TTL field in the label. This is called “TTL propagation.”

TTL propagation can be disabled to hide the core routers from the end users. Disabling TTL propagation causes routers to set the value 255 into the TTL field of the label when an IP packet is labeled.

If TTL propagation is disabled, it must be disabled on all routers in an MPLS domain to prevent unexpected behavior.

TTL can be optionally disabled for forwarded traffic only, which allows administrators to use traceroute from routers to troubleshoot problems in the network.

Penultimate Hop Popping

PHP optimizes MPLS performance by reducing the number of table lookups on the egress router.

PHP is not supported on ATM devices because a label is part of the ATM cell payload and cannot be removed by the ATM switching hardware.

Per-Platform Label Allocation

There are two possible approaches for assigning labels to networks:

• Per-platform label allocation: One label is assigned to a destination network and announced to all neighbors. The label must be locally unique and valid on all incoming interfaces. This is the default operation in frame-mode MPLS.

• Per-interface label allocation: Local labels are assigned to IP destination prefixes on a per-interface basis. These labels must be unique on a per-interface basis.

MPLS Convergence

The overall convergence in an MPLS network is not affected by LDP convergence when there is a link failure.

Frame-mode MPLS uses liberal label retention mode, which enables routers to store all received labels, even if they are not being used.

These labels can be used, after the network convergence, to enable immediate establishment of an alternative LSP tunnel.

Cell-Mode Issues

Cell-mode MPLS is significantly different from frame-mode MPLS because of some ATM-specific requirements:

• ATM uses cells and not frames. A single packet may be encapsulated into multiple cells. Cells are a fixed length, which means that normal labels cannot be used because they would increase the size of a cell. The virtual path identifier/virtual channel identifier (VPI/VCI) field in the ATM header is used as the MPLS label. An LSP tunnel is therefore called a virtual circuit in ATM terminology.

• ATM switches and routers usually have a limited number of virtual circuits that they can use. MPLS establishes a full mesh of LSP tunnels (virtual circuits), which can result in an extremely large number of tunnels.

Because ATM switches cannot forward IP packets, labels cannot be asynchronously assigned and distributed.

Instead, the router initiates an ordered sequence of requests on the upstream side of the ATM network.

It is not until the request is answered with the label and assigned to destinations in the IP routing table that the forwarding table is populated.

An ordered sequence of downstream requests is followed by an ordered sequence of upstream replies. This type of operation is called downstream-on-demand allocation of labels.

Two virtual circuits can merge into one. Standard ATM virtual switching hardware does not support this situation, and as a result, segmented packets from the two sources may become interleaved.

There are two possible solutions to this problem:

• Allocate a new downstream label for each request. This solution would result in a greater number of labels.

• Buffer the cells of the second packet until all cells of the first packet are forwarded. This solution results in an increased delay of packets because of buffering.

The major benefit of VC merge is that it minimizes the number of labels (VPI/VCI values) needed in the ATM part of the network.

The major drawbacks to VC merge are as follows:

• Buffering requirements increase on the ATM LSR.

• There is an increase in delay and jitter in the ATM network.

• ATM networks under heavy load become more like frame-based networks.

Loop Detection in Cell-Mode MPLS Networks

Cell-mode MPLS uses the VPI/VCI fields in the ATM header to encode labels. These two fields do not include a TTL field. Therefore, cell-mode MPLS must use other ways of preventing routing loops.

LDP uses a hop-count TLV (type, length, value) attribute to count hops in the ATM part of the MPLS domain.

This hop count can be used to provide correct TTL handling on ATM edge LSRs on behalf of ATM LSRs that cannot process IP packets.

A maximum limit in the number of hops can also be set.

Per-Interface Label Allocation

Cell-mode MPLS defaults to using per-interface label space because ATM switches support per-interface VPI/VCI values to encode labels.

Therefore, if a single router has two parallel links to the same ATM switch, two LDP sessions are established and two separate labels are requested.

Label Distribution Parameters

The two label space options are:

• Per-interface label space, where labels must be unique for a specific input interface

• Per-platform label space, where labels must be unique for the entire platform (router)

The two options for label generation and distribution are as follows:

• Unsolicited downstream distribution of labels is used in frame-mode MPLS, where all routers can asynchronously generate local labels and propagate them to adjacent routers.

• Downstream-on-demand distribution of labels is used in cell-mode MPLS, where ATM LSRs have to request a label for destinations found in the IP routing table.

Another aspect of label distribution focuses on how labels are allocated:

• Frame-mode MPLS uses independent control mode, where all routers can start propagating labels independently of one another.

• Cell-mode MPLS requires LSRs to already have the next-hop label if they are to generate and propagate their own local labels. This option is called ordered control mode.

The last aspect of label distribution looks at labels that are received but not used:

• Frame-mode MPLS may result in multiple labels being received but only one being used. Unused labels are kept, and this mode is usually referred to as liberal label retention mode.

• Cell-mode MPLS keeps only labels that it previously requested. This mode is called conservative label retention mode.

LDP Session Establishment

LDP is a standard protocol used to exchange labels between adjacent routers. TDP) is a Cisco proprietary protocol that has the same functionality as LDP.

LDP periodically sends hello messages. The hello messages use UDP packets with a multicast destination address of 224.0.0.2 (“all routers on a subnet”) and destination port number of 646 (711 for TDP).

If another router is enabled for LDP (or TDP), it will respond by opening a TCP session with the same destination port number (646 or 711).

ATM LSRs establish the IP adjacency across the MPLS control virtual circuit, which by default has a VPI/VCI value of 0/32.

An IP routing protocol and LDP (or TDP) use this control virtual circuit to exchange IP routing information and labels.

Some Cisco devices use the Virtual Switch Interface (VSI) protocol to create entries in the LFIB table (ATM switching matrix of the data plane) based on the information in the LIB table (control plane). This protocol is used to dynamically create virtual circuits for each IP network.

How hackers find your weak spots

Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to guess a victim's password reminder question. This technique was used to hack Twitter and break into Sarah Palin's e-mail.

Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he's thinking of buying.

Impersonation/social network squatting: In this case, the hacker tweets you, friends you or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him a spreadsheet or giving him data from "the office." "Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker," says Desautels.

Posing as an insider: Imagine all the information you could extract from an unknowing employee if you posed as an IT help desk worker or contractor. "Roughly 90% of the people we've successfully exploited during [vulnerability assessments for clients] trusted us because they thought we worked for the same company as them," Desautels says.

On the Netragard blog, he describes an exploit in which a Netragard worker posed as a contractor, befriended a group of the client's workers and set up a successful phishing scheme through which he gleaned employee credentials, eventually gaining entry to the entire corporate infrastructure.

source : computerworld.com