Configure and Verify Single Area OSPFv2

CCNA Exam (200-301) blueprint includes only a single dynamic routing protocol – OSPF (Open Shortest Path First).

The protocol is simple to enable: a basic OSPF configuration requires only a couple of commands. However, to understand how the protocol works, an exam candidate must learn the OSPF components, some of which are complex. The CCNA exam tests knowledge of OSPF operation in a single-area network; multi-area components are covered in CCNP-level exams.

Routing protocols help routers exchange reachability information and calculate the best path to remote networks. In this blog post, we will explain how OSPF routers perform these tasks.

The CCNA exam blueprint at the time of writing comprised the topics listed below.

3.4 Configure and verify single area OSPFv2

  • 3.4.a Neighbor adjacencies
  • 3.4.b Point-to-point
  • 3.4.c Broadcast (DR/BDR selection)
  • 3.4.d Router ID

Introduction

OSPFv2 is an open standard documented in several IETF RFCs. The current revision is RFC 2328 (https://tools.ietf.org/html/rfc2328).

The exam expects knowledge of the following facts about OSPF:

  • OSPF is a link-state routing protocol
  • OSPFv2 is the current version for IPv4; IPv6 is supported by OSPFv3
  • OSPF uses IP protocol number 89
  • 2 multicast groups are reserved and used for some of the OSPFv2 protocol messages – 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRRouters)
  • OSPF on Cisco devices has an administrative distance of 110

Overview and Basic Configuration

OSPF builds a link-state database (per area), which contains information about routers, their interfaces, and networks. The database content is synchronized across all routers in the area.

Each router applies the Shortest Path First algorithm to the database. As a result, a loop-free tree of the most efficient paths is derived. The router performing the calculation is at the root of the tree and has a path to every other router and network.

Initial OSPF configuration on a Cisco router uses 2 parameters:

  • Process ID
  • Router ID

Process ID

OSPF configuration starts with enabling it globally using the “router ospf <process-id>” command.

The process ID is a locally significant number and doesn’t have to be the same on different routers in the network. It is possible to start several independent OSPF processes on a router, each assigned a different process ID.

The example below enables the OSPF process with an ID of 100 on a router. Basic router configuration, such as the assignment of IP addresses to interfaces, is omitted.

Router(config)# router ospf 100
Router(config-router)#

After OSPF is enabled, the “show ip ospf” command confirms that the process has started.

Router# show ip ospf
 Routing Process "ospf 100" with ID 10.10.10.2
 <output is truncated>

Router ID

The Router ID identifies an OSPF router in the form of an IPv4 address, which doesn’t need to be reachable by other OSPF routers and is not used in data forwarding. Ensure that the router ID is unique across the network. The Router ID associates the information a router generates with that router. It is also used as a tie-breaker in multiple election processes.

As Figure 1 shows, the Router ID is part of the OSPF header and therefore part of every OSPF packet that the router generates.

Figure 1. OSPF Header

By default, the OSPF process automatically assigns the Router ID by selecting the highest IP address of a loopback interface on the router. If no loopback interfaces are available, the highest IP address of a non-loopback interface is selected. As shown in Figure 2, the router has 2 physical and 2 loopback interfaces configured. The green numbers shown next to the interface names display the priority of the interfaces for the purpose of Router ID selection.

The “show ip ospf” output from the example above demonstrates that the router ID was selected to match the highest IP address of a loopback interface (10.10.10.2). The example also demonstrates that candidate interfaces for router ID selection don’t have to run OSPF.

Figure 2. OSPF Router ID Selection

Setting the Router ID manually is a recommended best practice, which ensures that IDs are allocated to OSPF speakers in a pre-determined manner.

Let’s change the router ID manually to 10.0.0.1.

Router(config)# router ospf 100
Router(config-router)# router-id 10.0.0.1
% OSPF: Reload or use "clear ip ospf process" command, for this to take effect

A Router ID change requires a process restart. The restart disrupts packet flow, so it should be planned for in a production environment. To confirm that the router ID is now adjusted, let’s clear the OSPF process and then execute the “show ip ospf” command.

Router# clear ip ospf 100 process
Reset OSPF process 100? [no]: yes
Router# show ip ospf
 Routing Process "ospf 100" with ID 10.0.0.1
 <output is truncated>

Link-State View of the Network

This section introduces some important concepts that will help to understand link-state advertisements (LSAs), the algorithm, and neighbor adjacencies described later in the article.

To visualize how OSPF sees a network, let’s use a sample network topology shown in Figure 3. All routers and networks are part of the same area.

Figure 3. Link-State Database Example – Full Network Diagram

Network Types

If more than 2 routers can attach to a network, it is a multi-access network, which can be divided into 3 subtypes:

  • Broadcast multi-access
  • Non-broadcast multi-access
  • Point-to-multipoint

A network connecting a maximum of 2 routers is classified as a point-to-point network. It can be a physical point-to-point technology, or a multi-access network, such as Ethernet, administratively configured as point-to-point.

Only point-to-point and broadcast networks are listed in the CCNA exam blueprint. These types are commonly used, and routers can auto-discover each other on them without any additional configuration.

For demonstration purposes, assume that yellow links (X-A, X-B, A-B) are point-to-point and blue links (A-C, B-D, C-D-Z) are multi-access broadcast networks in the sample topology shown in Figure 3.

The OSPF database describes a network as a directed graph, with routers and subnets as vertices connected to each other by directional edges.

Let’s first re-draw the diagram displaying only routers and subnets as vertices without any connections between them.

Figure 4. Link-State Database Example – Routers and Networks as Vertices

Routers are connected bi-directionally to each other over point-to-point links, i.e. not via subnet vertices. We will explain how a numbered point-to-point subnet vertex is connected to the routers in the next step. For now, these links are introduced between routers:

  • X -> A, A -> X
  • X -> B, B -> X
  • A -> B, B -> A

Transit Networks

Each multi-access broadcast network with two or more routers connected to it is a vertex on the graph. Such networks are called transit networks and are represented by vertices that connect bi-directionally to the attached routers:

  • A -> N5, N5 -> A, C -> N5, N5 -> C
  • B -> N6, N6 -> B, D -> N6, N6 -> D
  • C -> N7, N7 -> C, D -> N7, N7 -> D, Z -> N7, N7 -> Z

Networks N5 and N6 have only two routers connected in this topology; however, as per our earlier assumption, the underlying data link is a multi-access broadcast network, such as Ethernet. Therefore, router pairs (A-C) and (B-D) are not connected directly, as was the case on point-to-point networks. Instead, they bi-directionally connect to the transit network vertices.

Figure 5 shows the resulting connectivity.

Figure 5. Link-State Database Example – Point-to-Point and Transit Networks

Stub Networks

Finally, N1 and N8 are multi-access broadcast networks, each with only a single router connected. Both are considered stub networks and are described by unidirectional connections from routers X and Z.

Numbered point-to-point subnets are also represented as stub networks, connected by a directional link from each router: X -> N2, A -> N2, X -> N3, B -> N3, A -> N4, B -> N4. Point-to-point networks are not transit vertices, unlike broadcast multi-access networks (N5, N6, and N7).

One of the reasons for this is that physical point-to-point links can be unnumbered (no IP addresses assigned on either side), in which case no network vertex exists. Also, physical point-to-point links can have IPs allocated from different subnets on each side of the connection. In this case, each router has a unidirectional connection to the IP address on the other side, which is also represented as a stub.

The summary of new connections:

  • X -> N1
  • X -> N2, A -> N2
  • A -> N4, B -> N4
  • X -> N3, B -> N3
  • Z -> N8

Figure 6. Link-State Database Example – Stub Networks Added

Interface Cost

OSPF uses cumulative cost as the metric to compare multiple paths to the same destination. Figure 7 shows an updated diagram with the associated cost displayed next to each directional edge. Cost is assigned to each edge in the outbound direction from a vertex.

Cisco routers calculate cost by dividing the reference bandwidth by the interface bandwidth. Consider a reference bandwidth of 100Mbps. Interfaces of 100Mbps and higher will have a cost of 1. A 10Mbps interface is 10 times slower than 100Mbps, so it will be assigned a cost of 10.

The cost value can also be manually specified using the “ip ospf cost <cost-value>” interface command. As each connection between routers is represented by 2 directional edges, the cost doesn’t have to match on each side of the link. While routers connected over point-to-point links usually should have the same cost on both sides, edges from transit networks always have a cost of 0 (for example, N5 -> A).

Figure 7. Link-State Database Example – Interface Cost

Reference Bandwidth

As mentioned in the previous section, Cisco routers use the reference bandwidth to calculate interface cost. The “show ip ospf” command displays the reference bandwidth, which has a default value of 100Mbps:

Router#show ip ospf
 <output is truncated>
 Reference bandwidth unit is 100 mbps

The virtual router that we are using in this lab has Gigabit interfaces; however, as the default reference bandwidth is 100Mbps, all interfaces with a speed higher than 100Mbps have a cost of 1.

The reference bandwidth should be adjusted on all routers in the network to match the highest-bandwidth interface in the network; otherwise, interfaces faster than the reference bandwidth cannot be distinguished by cost.

Selecting Best Path

The best path within the area is calculated by each router applying the Dijkstra algorithm to its link-state database. A simplified overview of the algorithm is presented below. For more detailed information, refer to the RFC (https://tools.ietf.org/html/rfc2328#page-161).

The algorithm starts with the vertex representing the router performing the calculation. The distance to directly adjacent vertices (i.e. other routers or transit networks) is calculated and recorded in a candidate list.

The algorithm then moves its focus to the closest vertex in the candidate list. Its adjacent non-visited vertices are added to the candidate list along with their distances. The current vertex is now considered visited: it is removed from the candidate list and added to the shortest-path tree.

The algorithm goes through the updated candidate list and selects the closest vertex. The process described in the previous paragraph repeats until no unvisited vertices are left; as a result, all reachable vertices are added to the shortest-path tree.

After the distance to all routers and transit networks is known, distances to stub networks are added via the corresponding router.
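The two-phase calculation just described, run over the graph of Figures 3 to 7, as an added example (not code from the article). Edge costs are assumptions: every router-originated edge costs 1, as in the article's lab, and every transit-network-to-router edge costs 0, as the text states.

```python
import heapq

# Constructed link-state graph following the article's Figures 3-7.
# Assumed costs: router-originated edges cost 1 (Gigabit interfaces with the
# default 100 Mbps reference bandwidth), transit -> router edges cost 0.
ROUTER_LINKS = {            # router -> {router or transit vertex: cost}
    "X": {"A": 1, "B": 1},
    "A": {"X": 1, "B": 1, "N5": 1},
    "B": {"X": 1, "A": 1, "N6": 1},
    "C": {"N5": 1, "N7": 1},
    "D": {"N6": 1, "N7": 1},
    "Z": {"N7": 1},
}
TRANSIT_LINKS = {           # transit network -> attached routers, always cost 0
    "N5": {"A": 0, "C": 0},
    "N6": {"B": 0, "D": 0},
    "N7": {"C": 0, "D": 0, "Z": 0},
}
STUB_LINKS = {              # router -> {stub network: cost}; unidirectional
    "X": {"N1": 1, "N2": 1, "N3": 1},
    "A": {"N2": 1, "N4": 1},
    "B": {"N3": 1, "N4": 1},
    "Z": {"N8": 1},
}


def spf(root, router_links=ROUTER_LINKS, transit_links=TRANSIT_LINKS,
        stub_links=STUB_LINKS):
    """Return (distance, previous_hop) dicts for every vertex reachable from root.

    Phase 1 is the candidate-list walk over routers and transit networks;
    phase 2 attaches stub networks to the routers' computed distances.
    """
    graph = {**router_links, **transit_links}
    dist = {root: 0}
    prev = {root: None}
    visited = set()
    candidates = [(0, root)]          # (distance, vertex) min-heap
    while candidates:
        d, vertex = heapq.heappop(candidates)   # closest candidate
        if vertex in visited:
            continue                  # stale entry superseded by a shorter one
        visited.add(vertex)           # vertex joins the shortest-path tree
        for nbr, cost in graph.get(vertex, {}).items():
            if nbr in visited:
                continue
            new = d + cost
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                prev[nbr] = vertex
                heapq.heappush(candidates, (new, nbr))
    # Phase 2: a stub is reachable only through a router that advertises it
    # and is never expanded further (it is not a transit vertex).
    for router, stubs in stub_links.items():
        if router not in dist:
            continue
        for stub, cost in stubs.items():
            new = dist[router] + cost
            if new < dist.get(stub, float("inf")):
                dist[stub] = new
                prev[stub] = router
    return dist, prev


def path_to(prev, target):
    """Reconstruct the vertex sequence root -> ... -> target from prev."""
    hops = []
    while target is not None:
        hops.append(target)
        target = prev.get(target)
    return hops[::-1]


if __name__ == "__main__":
    distance, previous = spf("X")
    for vertex in sorted(distance, key=distance.get):
        print(f"{vertex:>3} cost {distance[vertex]}  "
              f"via {' -> '.join(path_to(previous, vertex))}")
```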

Neighbors and Adjacencies

Hello Protocol

The Hello protocol is responsible for 2 tasks:

  • Neighbor discovery and establishment of bidirectional communication
  • Designated and Backup Designated Routers election on a broadcast multi-access network

OSPF routers automatically discover each other by periodically sending multicast Hello packets. On broadcast and point-to-point networks routers send Hello packets to the AllSPFRouters multicast group address (224.0.0.5).

The format of the Hello packet is shown in Figure 8.

A router receiving any OSPF packet, including Hello packets, checks that the Area is the same as the one locally configured on the router and that the authentication parameters are correct.

Then Hello-specific parameters are validated. The fields listed in the first line of the Hello packet must match between two routers to establish bidirectional communication:

  • Network mask must match on multi-access networks but is not compared on point-to-point links.
  • Hello and Router Dead Intervals (in seconds) specify how often Hello packets are sent and how long other routers should wait for a Hello packet before declaring the advertising router dead.
  • Options include a flag called the E-bit. When this flag is set, the area is capable of processing External routing information, i.e. it is not a stub area. This flag must match between neighbors too.

Figure 8. Hello Packet

Routers include a list of the neighbors on the same network segment from which they have received Hello packets. If a router sees itself in the neighbor list of another router, it knows that bidirectional communication is established.

Neighbors go through a series of states as part of the Hello protocol.

  • Down is the state in which 2 neighbors haven’t seen, or have stopped receiving, Hello packets from each other.
  • In the Attempt state, available only on NBMA (Non-Broadcast Multi-Access) networks, no Hello packets have been received from a manually configured neighbor. The local router sends periodic unicast Hello packets to such a neighbor.
  • Init state means that a Hello packet has been received from the neighbor, but the router hasn’t seen itself in the packet's list of neighbors.
  • In the 2-Way state, the router receives Hello packets from the neighbor, and the local router appears in the Neighbors field of these Hello packets.

The Hello protocol's responsibilities end when neighbors reach the 2-Way state. Only valid neighbors are able to reach the 2-Way state. Further stages are controlled by the Database Exchange process, and routers progressing past 2-Way are referred to as adjacent routers.

On point-to-point networks, valid neighbors always become adjacent. However, on multi-access networks adjacency is established in a dual-hub-and-spokes fashion. The hubs are called the Designated Router (DR) and Backup Designated Router (BDR).
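The Hello checks and the Down, Init, 2-Way progression described above, as an added example (not the article's code). Packets and interface settings are constructed; authentication is assumed to have already passed and is not modelled; the Router IDs reuse the article's lab (X = 10.0.0.1, A = 10.0.255.1).

```python
from dataclasses import dataclass, field


@dataclass
class Hello:
    """Only the Hello fields the article discusses are modelled (constructed)."""
    router_id: str
    area_id: str
    network_mask: str
    hello_interval: int      # seconds
    dead_interval: int       # seconds
    e_bit: bool              # Options E-bit: the area accepts external routes
    neighbors: tuple = ()    # Router IDs the sender has already heard from


@dataclass
class OspfInterface:
    router_id: str
    area_id: str
    network_mask: str
    hello_interval: int
    dead_interval: int
    e_bit: bool
    network_type: str        # "point-to-point" or "broadcast"
    states: dict = field(default_factory=dict)   # neighbor Router ID -> state


def hello_mismatch(iface, pkt):
    """Name the first parameter that prevents accepting pkt, or None."""
    if pkt.area_id != iface.area_id:
        return "area"
    # The network mask is compared only on multi-access networks.
    if iface.network_type != "point-to-point" and pkt.network_mask != iface.network_mask:
        return "network mask"
    if pkt.hello_interval != iface.hello_interval:
        return "hello interval"
    if pkt.dead_interval != iface.dead_interval:
        return "dead interval"
    if pkt.e_bit != iface.e_bit:
        return "E-bit"
    return None


def receive_hello(iface, pkt):
    """Process one Hello and return the sender's resulting neighbor state."""
    if hello_mismatch(iface, pkt) is not None:
        # An incompatible Hello is discarded; the sender never leaves Down.
        iface.states[pkt.router_id] = "Down"
    elif iface.router_id in pkt.neighbors:
        # The sender lists our Router ID: bidirectional communication is proven.
        iface.states[pkt.router_id] = "2-Way"
    else:
        iface.states[pkt.router_id] = "Init"
    return iface.states[pkt.router_id]


def build_hello(iface):
    """The Hello this interface would send: it lists every neighbor heard."""
    heard = tuple(rid for rid, state in iface.states.items() if state != "Down")
    return Hello(iface.router_id, iface.area_id, iface.network_mask,
                 iface.hello_interval, iface.dead_interval, iface.e_bit, heard)


def walk_to_two_way():
    """Exchange Hellos between X and A until both reach 2-Way; return the trace."""
    x = OspfInterface("10.0.0.1", "0", "255.255.255.252", 10, 40, True, "point-to-point")
    a = OspfInterface("10.0.255.1", "0", "255.255.255.252", 10, 40, True, "point-to-point")
    trace = []
    trace.append(receive_hello(a, build_hello(x)))   # A: Init (X has heard nobody yet)
    trace.append(receive_hello(x, build_hello(a)))   # X: 2-Way (A's Hello lists X)
    trace.append(receive_hello(a, build_hello(x)))   # A: 2-Way (X's Hello now lists A)
    return trace


if __name__ == "__main__":
    print(walk_to_two_way())   # ['Init', '2-Way', '2-Way']
```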

DR and BDR on Multi-Access Broadcast networks

The Designated Router and Backup Designated Router are elected on multi-access broadcast networks to decrease the number of adjacencies that need to be built (full mesh vs dual hub-and-spokes).

The election is based on the router's configurable interface priority, with the highest Router ID serving as a tie-breaker. The numerically higher priority wins. If the priority is set to 0, the router is not eligible to become a DR or BDR.

The Hello protocol facilitates the election process through 3 fields within the Hello packet: DR, BDR, and Router Priority. If a router joins a network and receives packets with DR and BDR populated, it will not initiate the election process even if it has a better priority. This behavior is described as non-preemptive.

The Designated Router also has another important purpose: it originates Network Link State Advertisements (LSAs) representing the transit network. We will discuss LSAs after we review the next stages that lead to adjacency: Database Exchange.
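A simplified, non-preemptive DR/BDR selection for one broadcast segment, added here as an example (not the article's code). It models only what the text states, priority first, highest Router ID as tie-breaker, priority 0 ineligible, and an already announced DR/BDR never displaced; RFC 2328's two-step election (BDR first, then DR) is deliberately not reproduced, and promotion of the BDR when the DR disappears is taken from the RFC, not from the article. The segment data is taken from the article's "show ip ospf interface" output on router Z.

```python
# Constructed from the article's Z segment: three routers, default priority 1.
Z_SEGMENT = [
    {"id": "66.6.6.6", "priority": 1},
    {"id": "55.55.55.55", "priority": 1},
    {"id": "4.4.4.4", "priority": 1},
]


def _rank(router):
    """Sort key: priority first, then Router ID compared octet by octet."""
    return (router["priority"], tuple(int(o) for o in router["id"].split(".")))


def elect(routers, current_dr=None, current_bdr=None):
    """routers: [{"id": "66.6.6.6", "priority": 1}, ...]; returns (dr, bdr).

    current_dr / current_bdr are the roles already seen in received Hellos.
    """
    ranked = sorted(routers, key=_rank, reverse=True)
    eligible = [r["id"] for r in ranked if r["priority"] > 0]   # priority 0 never runs
    # Non-preemptive: an existing DR/BDR keeps its role while it is still on
    # the segment and eligible, whatever the newcomers' priorities.
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if (current_bdr in eligible and current_bdr != dr) else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None          # RFC 2328 behaviour: BDR is promoted when the DR is gone
    remaining = [rid for rid in eligible if rid not in (dr, bdr)]
    if dr is None and remaining:
        dr = remaining.pop(0)        # best remaining candidate by (priority, Router ID)
    if bdr is None and remaining:
        bdr = remaining.pop(0)
    return dr, bdr


if __name__ == "__main__":
    print(elect(Z_SEGMENT))                                        # ('66.6.6.6', '55.55.55.55')
    print(elect(Z_SEGMENT, current_dr="55.55.55.55", current_bdr="4.4.4.4"))  # unchanged: no preemption
```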

Database Exchange

Neighbors that have established bidirectional communication can start the process of forming an OSPF adjacency and synchronizing their databases. As mentioned previously, routers on point-to-point links always become adjacent, and routers on multi-access networks become adjacent only with the DR and BDR.

Routers progress through a set of states before reaching a fully synchronized state:

  • In the Exstart state, routers decide which of them will be responsible for managing the database synchronization process. The router with the highest Router ID performs the master role, and its neighbor operates as the slave. OSPF Database Description packets describe the LSAs that constitute each router’s database. If either neighbor sees a missing or newer LSA, it adds it to the Link State Request list.
  • By reaching the Exstart state, the routers have already progressed through all Hello protocol stages, and most protocol parameters have been found to be compatible. During the Exstart stage, the Database Description packet's MTU field is compared with the receiving router’s interface MTU. If the MTU doesn’t match on both sides of the adjacency, one of the routers will drop the Database Description packets, which prevents progressing to the next stages. This check can be disabled on Cisco routers.
  • During the Exchange state, routers describe their link state databases by exchanging Database Description packets. The master increments sequence numbers and waits for the slave to acknowledge the last sequence number received from the master.
  • In the Loading state, routers send each other Link State Request packets asking the neighbor to send the LSAs that were discovered as missing during the Exchange state.
  • Routers in the Full state are fully adjacent and have synchronized their Link State Databases.

Link State Advertisements (LSAs) describe router and network state. As reviewed in the Link-State View of the Network section earlier, OSPF sees a network as a graph of vertices connected to each other. Different types of LSAs correspond to different types of vertices: for example, a Router LSA represents a router vertex and a Network LSA represents a transit network vertex.

We will discuss only the intra-area LSA types (Router and Network) in this blog post. Other LSA types exist that describe inter-area and external destinations.

All LSAs share the same header. Some fields can have different values depending on the LSA type. The LSA header consists of the following fields (some are omitted in the description below and in the diagrams):

  • LS Type. 1 is a Router LSA, 2 is a Network LSA.
  • Link State ID. For a Router LSA, the Router ID; for a Network LSA, the interface IP address of the Designated Router.
  • Advertising Router. The Router ID of the router that originated the LSA.
  • LS Age. In seconds; increments as routers transmit the LSA and while it is stored in the database. Used to age out LSAs once they reach MaxAge, after which such LSAs must be re-flooded.
  • LS Sequence Number. Assigned by the originating router and used for versioning of LSAs.

Router LSA

A Router LSA describes the router’s links. Each link is described by several fields (not all fields are shown in the diagram and the description below):

  • Type. 1 – point-to-point, 2 – transit, and 3 – stub
  • Link ID. Depending on the link type, can be the neighbor’s Router ID, the DR’s IP address, or the network IP address.
  • Link Data. Depending on the link type, identifies the local interface of the router or the subnet mask (see the mapping in the diagram below).

Figure 9. Router LSA

Network LSA

This LSA describes a multi-access network. The Designated Router (DR) generates it and lists all attached OSPF routers on the segment with which it has formed an adjacency.

The Link State ID in the header is the DR’s IP address on the network. The mask is carried as a field within the LSA, which makes it possible to identify the network address.

Figure 10. Network LSA

OSPF Packets

Earlier we explored how OSPF sees the network and how routers describe their links and networks by generating LSAs that are flooded through the area. We also discussed how two routers synchronize their databases by becoming adjacent.

This section provides an overview of the different types of packets that OSPF uses to distribute LSAs. The Hello packet was introduced in the “Neighbors and Adjacencies” section. Figures 11 to 14 show the remaining types of OSPF packets.

Database Description packets are used during the Database Exchange process. The packet has fields describing the interface MTU, various options controlling the database exchange process, and sequence numbers. The payload consists of LSA headers, whose format we reviewed in the previous section.

Figure 11. Database Description Packet

The next packet is the Link State Request packet. A router learns which LSAs it is missing from received Database Description packets. To request those LSAs, the router sends a Link State Request packet containing enough information to identify each LSA: the LS Type, Link State ID, and Advertising Router fields. The other LSA header fields, such as LS Age and LS Sequence Number, are not included. This means that the router is requesting the most recent version of the LSA rather than a specific instance of it.

Figure 12. Link State Request Packet

The next 2 packets are the Link State Update and Link State Acknowledgement packets. These are used to reliably flood LSAs throughout the network. A Link State Update carries a list of full LSAs with their headers.

Figure 13. Link State Update Packet

The Link State Acknowledgement packet is used to explicitly confirm the receipt of a Link State Update packet.

Figure 14. Link State Acknowledgment Packet

Let’s finalize the configuration of our sample network and review different diagnostic commands.

OSPF Configuration and show commands

In this section, we will enable OSPF on different types of network interfaces using the sample topology we used earlier.

Point-to-Point Interfaces

Let’s enable OSPF between X, A, and B. In this topology, a Layer 3 LAN switch X connects to two WAN routers (A and B), which are also connected to each other.

Figure 15. Point-to-point network sample topology

Switch X configuration is shown in the listing below.

X(config)#router ospf 100
X(config-router)#network 172.16.100.0 0.0.0.3 area 0
X(config-router)#network 172.16.100.4 0.0.0.3 area 0
X(config-router)#network 10.0.0.0 0.0.0.255 area 0 

The network command’s purpose is to identify the interfaces on which OSPF will run and the area they will be placed in. The command uses a wildcard mask, which reverses the logic of the subnet mask: in a wildcard mask, binary 0 means “match” and 1 means “ignore”.

As a subnet mask consists of consecutive 1s followed by consecutive 0s, it can be easily converted to a wildcard mask by subtracting the mask value from 255.255.255.255. For example, the host mask 255.255.255.255 converts to a wildcard mask of 0.0.0.0.

It is possible to use a less specific wildcard mask with a network command to match multiple interfaces with a single statement. For example, instead of the 3 commands above, we could use “network 0.0.0.0 255.255.255.255 area 0”, which would enable OSPF on all interfaces and place them into area 0.

Some data-link technologies are physically point-to-point and some are not. As we use Ethernet in this topology, which by default is treated as a multi-access network, an additional OSPF command is required, as shown in the listing below:
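How the wildcard mask selects interfaces, as an added example (not the article's code). Switch X's three network statements come from the listing above; the interface table is constructed, and Loopback0 10.0.0.1/32 and the unmatched Gi2.99 are assumptions for the demonstration. When several statements cover one interface, the most specific one is taken here; that ordering is an assumption of this example.

```python
import ipaddress

X_STATEMENTS = [                     # (network, wildcard, area) from the listing
    ("172.16.100.0", "0.0.0.3", 0),
    ("172.16.100.4", "0.0.0.3", 0),
    ("10.0.0.0", "0.0.0.255", 0),
]
X_INTERFACES = {                     # name -> address/prefix (constructed)
    "Gi2.12": "172.16.100.1/30",
    "Gi2.13": "172.16.100.5/30",
    "Loopback0": "10.0.0.1/32",      # assumed source of Router ID 10.0.0.1
    "Gi2.99": "192.168.1.1/24",      # constructed: covered by no statement
}


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_of(subnet_mask):
    """Subnet mask -> wildcard mask by subtracting from 255.255.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - _int(subnet_mask)))


def statement_matches(network, wildcard, address):
    """Wildcard bit 0 = the address bit must equal the network bit, 1 = ignore."""
    must_match = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(address) & must_match) == (_int(network) & must_match)


def ospf_enabled_interfaces(interfaces, statements):
    """Return {interface: area} for every interface a network statement covers.

    Statements are tried most-specific first (fewest wildcard bits set);
    equal specificity keeps the listed order.
    """
    by_specificity = sorted(statements, key=lambda s: bin(_int(s[1])).count("1"))
    result = {}
    for name, cidr in interfaces.items():
        address = str(ipaddress.ip_interface(cidr).ip)
        for network, wildcard, area in by_specificity:
            if statement_matches(network, wildcard, address):
                result[name] = area
                break
    return result


if __name__ == "__main__":
    print(wildcard_of("255.255.255.252"))                       # 0.0.0.3
    print(ospf_enabled_interfaces(X_INTERFACES, X_STATEMENTS))
    # The single wide statement from the text covers every interface:
    print(ospf_enabled_interfaces(X_INTERFACES, [("0.0.0.0", "255.255.255.255", 0)]))
```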

X(config)#int Gi2.12
X(config-subif)#ip address 172.16.100.1 255.255.255.252
X(config-subif)#ip ospf network point-to-point
X(config)#int Gi2.13
X(config-subif)#ip address 172.16.100.5 255.255.255.252
X(config-subif)#ip ospf network point-to-point

There is also an alternative way to enable OSPF on interfaces available in Cisco IOS-XE. Instead of performing the configuration under the OSPF process, interface-level mode can be used. Commands in OSPF process mode are still required for global parameters, such as setting the router ID. The listing below demonstrates the configuration on router A; a similar configuration is also applied to router B.

A(config)#router ospf 100
A(config-router)#router-id 10.0.255.1
A(config)#interface Gi2.12
A(config-subif)#ip ospf 100 area 0
A(config-subif)#ip ospf network point-to-point
A(config)#interface Gi2.23
A(config-subif)#ip ospf 100 area 0
A(config-subif)#ip ospf network point-to-point

The “show ip ospf interface” command provides OSPF-related information about interfaces. The network type of both interfaces is set to point-to-point with a cost of 1.

The next important information in the output below is the OSPF timer values. The Hello timer defines how often Hello messages are sent, and the Dead interval specifies how long the router waits without receiving Hello messages before declaring a neighbor dead. The values are automatically selected based on the network type or can be manually configured. Timers must match between neighbors.

In the example, the hello and dead intervals have default values of 10 and 40 seconds.

X#show ip ospf interface
GigabitEthernet2.12 is up, line protocol is up 
  Internet Address 172.16.100.1/30, Interface ID 13, Area 0
  Attached via Network Statement
  Process ID 100, Router ID 10.0.0.1, Network Type POINT_TO_POINT, Cost: 1
  <output truncated>
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  <output truncated>
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 10.0.255.1
GigabitEthernet2.13 is up, line protocol is up 
  Internet Address 172.16.100.5/30, Interface ID 14, Area 0
  Attached via Network Statement
  Process ID 100, Router ID 10.0.0.1, Network Type POINT_TO_POINT, Cost: 1
  <output truncated>
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  <output truncated>
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 10.0.254.1

Interfaces were added using the router process “network <x> area <y>” configuration command, and this is indicated by the “Attached via Network Statement” line.

On routers A and B we used the alternative configuration on the interface, “ip ospf <x> area <y>”. On these routers “Attached via Interface Enable” would be displayed instead.

The “show ip ospf neighbor” command displays information about neighbors. Neighbor ID displays the Router ID, and Address specifies the IP address of the network interface over which the neighbor is reachable. On point-to-point networks, neighbors always become adjacent and should be in the FULL state. Because DR and BDR are not elected on point-to-point networks, a priority value of 0 is shown for both neighbors.

Dead Time is a count-down timer which starts at 40 seconds and, in normal conditions, will not drop below 30 seconds, as hello packets are transmitted every 10 seconds.

X#show ip ospf neighbor 
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.254.1        0   FULL/  -        00:00:34    172.16.100.6    GigabitEthernet2.13
10.0.255.1        0   FULL/  -        00:00:39    172.16.100.2    GigabitEthernet2.12

Broadcast Multi-Access Network Interfaces

Let’s now finalize the configuration of the network topology by enabling the connections between the WAN routers (A <> C, B <> D) and the connectivity between WAN routers C and D and switch Z.

Figure 16. Sample Network Diagram

The commands used for the configuration are similar to the ones shown in the previous sections. All remaining network connections are broadcast multi-access networks, which is the default OSPF network type on Ethernet interfaces. We will omit the configuration from the previous examples that set the network type to point-to-point.

Earlier, we used interface-based configuration on routers A and B. We will apply interface-level commands for their additional interfaces as well.

A
interface Gi2.24
 ip ospf 100 area 0

B
interface Gi2.35
 ip ospf 100 area 0

For the remaining routers, we will use the router process-based configuration. For demonstration purposes, we will set the router IDs to arbitrary values to demonstrate that these addresses are neither required to be reachable over OSPF nor required to belong to any of the router’s interfaces. And instead of specifying individual network statements for each interface, we will use 1 wide statement that enables OSPF on all interfaces at once.

C
router ospf 44
 router-id 4.4.4.4
 network 0.0.0.0 255.255.255.255 area 0

D
router ospf 55
 router-id 55.55.55.55
 network 0.0.0.0 255.255.255.255 area 0

Z
router ospf 66
 router-id 66.6.6.6
 network 0.0.0.0 255.255.255.255 area 0

The next example shows the “show ip ospf interface” command output on router Z. Both interfaces have the OSPF network type of broadcast, which is the default for Ethernet. The manually configured router ID of 66.6.6.6 is also displayed.

Z#show ip ospf interface
GigabitEthernet2.456 is up, line protocol is up 
  Internet Address 10.0.2.2/29, Interface ID 12, Area 0
  Attached via Network Statement
  Process ID 66, Router ID 66.6.6.6, Network Type BROADCAST, Cost: 1
  <output truncated>
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 66.6.6.6, Interface address 10.0.2.2
  Backup Designated router (ID) 55.55.55.55, Interface address 10.0.2.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  <output truncated>
  Neighbor Count is 2, Adjacent neighbor count is 2 
    Adjacent with neighbor 4.4.4.4
    Adjacent with neighbor 55.55.55.55  (Backup Designated Router)
GigabitEthernet2.2 is up, line protocol is up 
  Internet Address 10.0.3.1/24, Interface ID 11, Area 0
  Attached via Network Statement
  Process ID 66, Router ID 66.6.6.6, Network Type BROADCAST, Cost: 1
  <output truncated>
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 66.6.6.6, Interface address 10.0.3.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  <output truncated>
  Neighbor Count is 0, Adjacent neighbor count is 0 

“State DR” means that the router performs the role of the Designated Router on the network segment. The Backup DR will have a state listed as BDR, and all other routers will be in the DROTHER state. “Priority 1” is the default priority, so the router with the highest Router ID is elected as DR if all routers start at the same time. As the process is not preemptive, the role of DR can be performed by a router with a smaller priority or Router ID value if it starts before the other routers.

Information about the Designated Router and Backup Designated Router is displayed next, followed by the Hello and Dead timer settings.

The last lines of the output list information about neighbors and adjacencies on the interface. Both DR and BDR become adjacent with all neighbors on the network. Routers that are neither DR nor BDR display all routers on the segment as neighbors but establish adjacencies only with the DR and BDR.

Link State Database

In this section, we will explore the link state database on router Z.

The “show ip ospf database” command displays the content of the database. For the purpose of CCNA exam preparation, the example focuses on a single-area topology.

Z#show ip ospf database

            OSPF Router with ID (66.6.6.6) (Process ID 66)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
4.4.4.4         4.4.4.4         64          0x80000014 0x00EFCE 2         
10.0.0.1        10.0.0.1        1655        0x80000005 0x00F639 5         
10.0.254.1      10.0.254.1      116         0x8000000A 0x00B55B 5         
10.0.255.1      10.0.255.1      336         0x80000007 0x00DE3B 5         
55.55.55.55     55.55.55.55     64          0x80000011 0x00B077 2         
66.6.6.6        66.6.6.6        208         0x8000000C 0x0071D4 2         

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.2.1        4.4.4.4         209         0x80000002 0x00C617
10.0.254.1      10.0.254.1      300         0x80000001 0x00C27F
10.0.255.1      10.0.255.1      1730        0x80000002 0x00B753

Router LSA

Each router generates a Router LSA, with the Link ID matching the generating router’s ID. 6 LSAs are displayed, matching the number of routers in our topology. To understand the link count, review the previous section called “Link-State View of the Network” and Figure 6, where each outbound arrow from a router is counted as a link.

For example, let’s review in detail the content of router LSA with ID 10.0.255.1 (Router A). Below is part of Figure 6 focusing on router A.

Figure 17. Router LSA Example Topology

“show ip ospf database router <router-id>” command displays detailed information about a router LSA. As the link-state database is the same on all routers in an area, the output can be gathered on any router in that area. In the example below, the command is launched on router Z.

Z#show ip ospf database router 10.0.255.1

            OSPF Router with ID (66.6.6.6) (Process ID 66)

                Router Link States (Area 0)

  LS age: 142
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 10.0.255.1
  Advertising Router: 10.0.255.1
  LS Seq Number: 80000006
  Checksum: 0xE03A
  Length: 84
  Number of Links: 5

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.255.1
     (Link Data) Router Interface address: 10.0.255.1
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.0.254.1
     (Link Data) Router Interface address: 172.16.100.9
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.100.8
     (Link Data) Network Mask: 255.255.255.252
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.0.0.1
     (Link Data) Router Interface address: 172.16.100.2
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.100.0
     (Link Data) Network Mask: 255.255.255.252
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

The links in the output are shown in the following order:

  • A -> N5 (A is BDR on this network, so the output displays its own IP address as DR)
  • A -> B (A has point-to-point connectivity to B over N4; this is described by this link and an additional link from A to N4 listed below)
  • A -> N4 (numbered subnet for the point-to-point link is represented as a connection to a stub network)
  • A -> X
  • A -> N2

Network LSA

The next example focuses on the network LSA which represents a transit network. To display network LSA, run “show ip ospf database network <id>” command. For this example, we will use the N7 network (10.0.2.0/29) connecting routers C, D, and Z.

Figure 18. Network LSA Example Topology

The network LSA’s Link State ID matches the IP address of the Designated Router (router Z) on this network, and the LSA lists the router IDs of the attached routers. The output shows routers Z, C, and D as attached to N7.

Z#show ip ospf database network 10.0.2.2

            OSPF Router with ID (66.6.6.6) (Process ID 66)

                Net Link States (Area 0)

  LS age: 1435
  Options: (No TOS-capability, DC)
  LS Type: Network Links
  Link State ID: 10.0.2.2 (address of Designated Router)
  Advertising Router: 66.6.6.6
  LS Seq Number: 80000002
  Checksum: 0x7325
  Length: 36
  Network Mask: /29
        Attached Router: 66.6.6.6
        Attached Router: 4.4.4.4
        Attached Router: 55.55.55.55

The network mask (/29) is also stored as part of the network LSA, which together with the Link State ID (the DR’s IP address) can be used to obtain the network prefix – 10.0.2.0/29.
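
The router LSA and network LSA outputs above can be turned into structured records programmatically. The following Python is an added example, not part of the original post: it parses the two `show ip ospf database` outputs (embedded inline, abridged to the fields it reads), checks that the printed link count matches the link blocks, rebuilds stub prefixes from subnet number and mask, and derives the transit prefix from the DR address and the /29 mask as described in the paragraph above.

```python
import ipaddress
import re

# Constructed sample input: router LSA of 10.0.255.1 (router A) from the page, abridged.
ROUTER_LSA_TEXT = """\
  Link State ID: 10.0.255.1
  Advertising Router: 10.0.255.1
  Number of Links: 5
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.255.1
     (Link Data) Router Interface address: 10.0.255.1
       TOS 0 Metrics: 1
    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.0.254.1
     (Link Data) Router Interface address: 172.16.100.9
       TOS 0 Metrics: 1
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.100.8
     (Link Data) Network Mask: 255.255.255.252
       TOS 0 Metrics: 1
    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.0.0.1
     (Link Data) Router Interface address: 172.16.100.2
       TOS 0 Metrics: 1
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 172.16.100.0
     (Link Data) Network Mask: 255.255.255.252
       TOS 0 Metrics: 1
"""

# Constructed sample input: network LSA for N7 from the page, abridged.
NETWORK_LSA_TEXT = """\
  Link State ID: 10.0.2.2 (address of Designated Router)
  Advertising Router: 66.6.6.6
  Network Mask: /29
        Attached Router: 66.6.6.6
        Attached Router: 4.4.4.4
        Attached Router: 55.55.55.55
"""

# IOS wording of each link type, mapped to a short name used below.
LINK_TYPES = {
    "a Transit Network": "transit",
    "another Router (point-to-point)": "p2p",
    "a Stub Network": "stub",
}


def _field(text, label):
    """Return the first token printed after 'label:' at the start of a line, or None."""
    match = re.search(r"^\s*" + re.escape(label) + r":\s*(\S+)", text, re.M)
    return match.group(1) if match else None


def parse_router_lsa(text):
    """Split a router LSA into its header fields and one record per link."""
    lsa = {
        "link_state_id": _field(text, "Link State ID"),
        "adv_router": _field(text, "Advertising Router"),
        "num_links": int(_field(text, "Number of Links")),
        "links": [],
    }
    link = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Link connected to:"):
            kind = line.split(":", 1)[1].strip()
            link = {"type": LINK_TYPES.get(kind, "unknown")}
            lsa["links"].append(link)
        elif link is not None and line.startswith("(Link ID)"):
            link["link_id"] = line.split(":", 1)[1].strip()  # meaning depends on type
        elif link is not None and line.startswith("(Link Data)"):
            link["link_data"] = line.split(":", 1)[1].strip()
        elif link is not None and line.startswith("TOS 0 Metrics:"):
            link["metric"] = int(line.split(":", 1)[1])
    return lsa


def link_count_consistent(lsa):
    """'Number of Links' must equal the number of link blocks actually printed."""
    return lsa["num_links"] == len(lsa["links"])


def stub_prefixes(lsa):
    """Stub links carry (subnet number, mask); combine them into prefixes."""
    return [str(ipaddress.ip_network(f"{l['link_id']}/{l['link_data']}"))
            for l in lsa["links"] if l["type"] == "stub"]


def p2p_neighbors(lsa):
    """Point-to-point links name the neighbor's router ID in the Link ID field."""
    return [l["link_id"] for l in lsa["links"] if l["type"] == "p2p"]


def parse_network_lsa(text):
    """Recover the transit prefix from DR address plus mask, and the attached router IDs."""
    dr_address = _field(text, "Link State ID")
    mask = _field(text, "Network Mask")  # printed as /29
    prefix = ipaddress.ip_interface(f"{dr_address}{mask}").network
    return {
        "dr_address": dr_address,
        "prefix": str(prefix),
        "attached": re.findall(r"Attached Router:\s*(\S+)", text),
    }
```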

Self-Test Questions

How is the OSPF router ID selected if it is not manually configured?
The highest IP address on a loopback interface. If there are no loopback interfaces, select the highest IP address assigned to a physical interface.
What does OSPF use to compare multiple paths to a destination?
By combining costs of interfaces through each path. Each interface’s cost reflects how many times its bandwidth is smaller than a reference bandwidth. If interface speed is faster or the same as the reference value, then 1 is used as cost.
What is the difference between neighbors and adjacent routers?
Neighbors are routers that can communicate with each other and have matching parameters. Adjacency is formed between neighbors for the purpose of exchanging routing information. On multi-access networks, some of the neighbors don’t establish adjacency with each other.
What are the 2 main tasks of the OSPF Hello protocol?
Neighbor discovery and DR election
Explain what router and network LSAs are.
Link State Advertisement is a unit of information that is stored in each router’s Link State Database. Each router LSA represents a router and its links. A network LSA describes a transit network and lists the routers connected to it.

Interpret JSON Encoded Data

In this blog post, we will discuss the JavaScript Object Notation (JSON) data format. The target audience is CCNA and CCNP candidates preparing for the exams.

The content provides a fundamental overview of the following topics:

CCNA exam

6.7 Interpret JSON encoded data

CCNP ENCOR exam

6.2 Construct valid JSON encoded file

JSON Overview

JSON is an open standard text-based file format to store and exchange serialized data. Serialization is the process of converting an object into a format that can be stored or transported to later recreate it.

JSON was originally derived from JavaScript, however, many other programming languages can interpret and generate JSON data. Figure 1 shows how JSON components fit together.

JSON text can represent one of the following values (orange and blue circles):

  • String
  • Number
  • Literal name (false, true, null)
  • Array
  • Object

Figure 1. JSON Values, Objects and Arrays

JSON simple values

Strings, numbers, and literals

Simple values represent a piece of text, a number, or a literal and cannot contain other values. Below are examples of valid JSON texts:

Listing 1

"I'm a JSON"
100
true
null

As per RFC 8259, JSON text can be represented by any serialized value. Some specifications of JSON require that valid JSON text must be an object or an array.

Note that the string values must be enclosed in quotation marks.

JSON structured data values

Structural characters

JSON values that represent structured data (blue circles) are created using the 6 structural characters listed below:

  • Square brackets [] – beginning and end of an array
  • Curly brackets {} – beginning and end of an object
  • Colon : – Name separator
  • Comma , – Value separator

JSON allows the use of whitespace, such as spaces, tabs, and new lines, to format the text for readability. Unlike Python, where indentation is part of the syntax, in JSON indentation is used only for readability.

Array

An array contains zero or more ordered elements. Elements don’t have to be of the same type.

Listing 2

[ "abc", 23, null ]

Object

An object contains zero or more members, separated by commas. Each member is in the name: value format. Names must be unique within an object.

Listing 3

{ 
    "address": "192.168.8.1", 
    "mask": "255.255.255.255" 
}

Nested Objects and Arrays

Arrays and objects can contain both simple values, other arrays, and other objects.

For instance, below is an object; as we can see, it starts with an opening curly brace. The object contains 2 members with the name tags “primary_address” and “secondary_address”. Each member’s value is another object that consists of 2 more members, named “address” and “mask”.

Listing 4

{
    "primary_address":
    {
        "address": "192.168.8.1",
        "mask": "255.255.255.255"
    },
    "secondary_address":
    {
        "address": "192.168.9.1",
        "mask": "255.255.255.255"
    }
}

Let’s create an array that will contain 2 objects representing addresses. The opening square bracket starts the definition of an array. Then we wrap each of the members from the previous example in curly brackets to create an object, as an array stores elements, not members consisting of name: value pairs.

Listing 5

[
    {
        "primary_address":
        {
            "address": "192.168.8.1",
            "mask": "255.255.255.255"
        }
    },
    {
        "secondary_address":
        {
            "address": "192.168.9.1",
            "mask": "255.255.255.255"
        }
    }
]

How to interpret JSON encoded data

In one of the previous blog posts dedicated to REST API, we programmatically extracted a JSON representation of an interface from an IOS-XE router. The listing below shows several of the router’s interfaces, so the example includes arrays.

Listing 6

{
  "Cisco-IOS-XE-native:interface": {
    "GigabitEthernet": [
      {
        "name": "1",
        "ip": {
          "address": {
            "primary": {
              "address": "192.168.7.4",
              "mask": "255.255.255.0"
            }
          }
        },
        "mop": {
          "enabled": false,
          "sysid": false
        },
        "Cisco-IOS-XE-ethernet:negotiation": {
          "auto": true
        }
      },
      {
        "name": "2",
        "shutdown": [
          null
        ],
        "mop": {
          "enabled": false,
          "sysid": false
        },
        "Cisco-IOS-XE-ethernet:negotiation": {
          "auto": true
        }
      }
    ]
  }
}

Let’s interpret this document. Figure 2 shows the structure of the JSON code from the example above.

The top-level object (#1) has a single member with the name of “Cisco-IOS-XE-native:interface”. This member’s value is another object (#2).

The object #2 also has a single member named “GigabitEthernet”, whose value is an array (#3).

Array contains 2 elements – object #4 and object #5.

Object #4 has 4 members, with the following names:

  • “name”
  • “ip”
  • “mop”
  • “Cisco-IOS-XE-ethernet:negotiation”

Member called “name” has a string value of “1”. The next member named “ip” has an object (#6) as a value. Object #6 has a single member with the name of “address” having another object (#7) as a value.

The pattern of finding array elements and object members should be apparent by now.

Figure 2. Cisco IOS-XE RESTCONF JSON interpretation example

How to construct JSON encoded data

Online Tools

The easiest way to create JSON encoded data is to use one of the available online JSON editors. For example, one is available via this URL. It automatically checks JSON syntax, which can be useful to find a missing bracket. The other feature of this tool is the ability to auto-format code into a compact format or a full format (with line breaks and indentation, as shown in the previous example).

The screenshot of the tool with JSON text from the previous example is shown below.

Figure 3. JSON Editor Online

Python Collections Overview

To continue with the following examples, we recommend checking this article (URL) for a brief quick start and Python installation instructions.

Let’s discuss several Python fundamental topics before proceeding with the practical examples.

  • Data Structures: lists and dictionaries

Lists and dictionaries are examples of collections in Python. Python’s JSON module maps lists to JSON arrays, and dictionaries to JSON objects.

The syntax is identical between matching pairs of data structures, as shown in Figure 4.

Figure 4. Mapping of JSON structured data to Python collections

The listing below shows an example of a list and a dictionary definition in Python.

A list is defined in Python using square brackets. Python uses None instead of JSON’s null literal.

The dictionary is wrapped in curly brackets and has syntax familiar from the JSON example. JSON’s name tag (the value just before the colon) corresponds to a dictionary key in Python. It is followed by a colon and a value, which in our example is a string.

Listing 7

sample_list = [ "abc", 23, None ]
sample_dictionary = { "address": "192.168.8.1", "mask": "255.255.255.255" }

Let’s start the interactive Python prompt to demonstrate how to work with lists and dictionaries.

Listing 8

c:\PythonExamples>python
Python 3.8.3 (tags/v3.8.3:6f8c832, May 13 2020, 22:20:19) [MSC v.1925 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> sample_list = [ "abc", 23, None ]
>>> sample_dictionary = { "address": "192.168.8.1", "mask": "255.255.255.255" }

Both lists and dictionaries can be passed to the print() function, which will display their string representation.

Listing 9

>>> print(sample_list)
['abc', 23, None]
>>> print(sample_dictionary)
{'address': '192.168.8.1', 'mask': '255.255.255.255'}

We can access individual elements in a list using their index position.

Listing 10

>>> print(sample_list[0])
abc
>>> print(sample_list[1])
23

To extract values for a specific dictionary key, we can use the key’s name as an index.

Listing 11

>>> print(sample_dictionary["address"])
192.168.8.1
>>> print(sample_dictionary["mask"])
255.255.255.255

  • Working with files

In the next examples, we will write JSON text to a file on disk and read it back.

To open a file for read access in Python the following code is used:

Listing 12

with open("json_test.json","r") as json_file:
    pass  # … some code that makes use of json_file

To open the same file for write access, use “w” instead of “r” as a parameter for the open() function. Use of keyword “with” ensures that the file is properly closed after the use.

Decoding JSON in Python example

The Python module called json provides JSON encoding and decoding capabilities. There are 2 functions performing these tasks:

  • dumps – Python data structure to JSON text
  • loads – JSON text into Python data structure

Let’s create a text file containing JSON text from Listing 6 and save it as json_ios_xe.json.

As the next step, we will create a file named json_example.py that will have the following Python code in it.

Listing 13

import json

with open("json_ios_xe.json", "r") as json_file:
    json_file_content = json_file.read()
decoded_json = json.loads(json_file_content)

print(decoded_json)
print()
print(type(decoded_json))

Line #1 imports json module, so we can use its feature in our code.

The code in line #3 opens our file for read-only access. Access to the file content is provided via the json_file variable. The code in line #4 reads the content of the file into a string variable.

Line #5 uses json.loads() function to read the string representation of JSON text. The returned value is assigned to the decoded_json variable. As the JSON text is a JSON object, the decoded_json object will be a Python dictionary.

Line #7 prints the Python dictionary, followed by an empty line created by line #8. Finally, line #9 prints out the type of decoded_json object, so we can validate that it is in fact a Python dictionary.

Let’s run the code and see the result.

Listing 14

c:\PythonExamples>python json_example.py
{'Cisco-IOS-XE-native:interface': {'GigabitEthernet': [{'name': '1', 'ip': {'address': {'primary': {'address': '192.168.7.4', 'mask': '255.255.255.0'}}}, 'mop': {'enabled': False, 'sysid': False}, 'Cisco-IOS-XE-ethernet:negotiation': {'auto': True}}, {'name': '2', 'shutdown': [None], 'mop': {'enabled': False, 'sysid': False}, 'Cisco-IOS-XE-ethernet:negotiation': {'auto': True}}]}}

<class 'dict'>

Encoding to JSON in Python example

In this example, we will use the dictionary created in the previous example, change the IP address to “192.168.7.5” and will encode it as another JSON file.

The first task is to identify the full path to the IP address. We have several nested layers of hierarchy within the outer-most dictionary. To access inner dictionaries and lists we will append [<index_or_key_name>] to the parent identifier.

The full path to the value of the ‘address’ key is:

Listing 15

decoded_json['Cisco-IOS-XE-native:interface']['GigabitEthernet'][0]['ip']['address']['primary']['address']

In the example above the index of [0] is used, as the ‘GigabitEthernet’ key has the value of a list and we are interested in the first element.

Below is the full listing of a program code that changes the IP address and saves it as a new JSON file on the disk.

Listing 16

import json

with open("json_ios_xe.json", "r") as json_file:
    json_file_content = json_file.read()

decoded_json = json.loads(json_file_content)

decoded_json['Cisco-IOS-XE-native:interface']['GigabitEthernet'][0]['ip']['address']['primary']['address'] = \
    "192.168.7.5"

encoded_json_compact = json.dumps(decoded_json)
encoded_json_indented = json.dumps(decoded_json, indent = 4)

with open("json_ios_xe_compact.json", "w") as json_file:
    json_file.write(encoded_json_compact)

with open("json_ios_xe_indented.json", "w") as json_file:
    json_file.write(encoded_json_indented)

Line #8 sets the value to a new IP address. Lines #11 and #12 create strings containing JSON text by passing our modified dictionary called decoded_json to the json.dumps() function. The example demonstrates that the named parameter “indent” can be passed to dumps() to format the JSON output.

Lines #15 and #18 save the resulting text to files on disk.

Let’s run the code and see the result.

Listing 17

c:\PythonExamples>python json_example.py

Two new files are created in c:\PythonExamples folder, as shown in the screenshot below.

Figure 5. JSON text decoded by Python's json.dumps()

Self-Test Questions

List the 6 value types that JSON text can represent.
String, number, Boolean (false, true), null, array, and object.
Describe JSON array and the process of defining one.
A JSON array contains ordered elements and is defined using square brackets. For example, [ “abc”, 23, null ]
Describe JSON object and the process of defining one.
A JSON object contains members separated by a comma. Each member has a name and value separated by a colon. It is defined using curly brackets. For example, { “address”: “192.168.8.1”, “mask”: “255.255.255.255” }
Name Python types that are mapped to JSON's array and object
Python’s list maps to JSON array, and Python’s dictionary maps to a JSON object
What Python module is responsible for encoding and decoding of JSON-formatted data?
json module. To decode use json.loads() and to encode – json.dumps().

Describe characteristics of REST-based APIs

In this blog post, we will discuss REST-based APIs. We will also demonstrate how to use such APIs with step-by-step scenarios using a Cisco virtual router running on the ESXi platform.

This article aims to help CCNA candidates in preparing for the following exam topic:

6.5 Describe characteristics of REST-based APIs (CRUD, HTTP verbs, and data encoding)

APIs and Representational State Transfer (REST)

Application Programming Interface (API)

API of an application or a service specifies how other applications can access and change its information. For example, a service may expect certain parameters to be specified when a client application makes a request. The service generates some output as a response, which is also part of API.

A network device manufacturer develops and maintains the API. CCNA candidates should understand how to use APIs from the client perspective. Automation scripts and software use the APIs that network devices expose.

Command-Line Interface (CLI) cannot be classified as API. It provides means to change how a device operates, but its primary purpose is to interact with a user, i.e. not with another program. CLI, however, can be used in automation scripts, which interactively send and parse command output.

SNMP operation fits the definition of API. However, it didn’t receive wide adoption in network automation and is mostly used in read-only monitoring.

Cisco devices and controllers expose RESTful APIs, i.e. APIs that meet specific architectural criteria. We will discuss this type of API in the following section.

RESTful API

REST defines a set of architectural guidelines that were defined by Roy Fielding in his dissertation.

REST is not a protocol and doesn’t provide specific implementation details. For example, it doesn’t mandate the use of HTTP, which, however, is most often used and commonly associated with REST APIs.

REST defines a set of constraints that must be met for a web service to be considered RESTful. The full list of constraints is:

  • Must have client-server architecture.
  • RESTful services must have a uniform interface.
  • The client must track the state of the session and send request containing all information required to process such a request. The server must not store user session context information.
  • The server must state whether information can be cached on the client.
  • The system must have a hierarchical layered design.
  • The server can send executable code to a client to extend its functionality.

RESTful API constraints provide multiple benefits for an application and are important for an API designer to follow. However, for a network engineer, the main areas of focus are centered around how to access and change information behind API.

REST Resources and Representation

In REST API a resource is any type of information that can have a name. For example, a network interface or an access list can be used as resources in API.

A resource is identified with a Uniform Resource Identifier (URI). A type of URI that specifies the location and access protocol of a resource is called a Uniform Resource Locator (URL). When a client sends a request to a REST API, it must include a resource identifier. For example, if HTTP is used as the protocol, the URL https://fastreroute.com/category/ccna consists of the URI scheme HTTPS, followed by a colon, the authority “//”, the hostname – fastreroute.com, and the resource identifier (or path) – /category/ccna.

A representation of a resource is a self-describing state of the resource at a specific moment. The server provides a representation of a resource to the client, which can perform different operations on the resource. For example, the representation of the resource identified by the URL in the previous paragraph is an HTML page that contains all CCNA posts of the blog. REST APIs can return a representation as a serialized object, for example, in JSON (JavaScript Object Notation) format.

CRUD and HTTP Verbs

CRUD stands for 4 generic types of operations that can be applied to data:

  • Create
  • Read
  • Update
  • Delete 

HTTP request methods, also called verbs, can be mapped to CRUD operations. For example, in an HTTP-based RESTful API, a client can change the parameters of a network interface by using the HTTP PATCH method. We will show how it can be done in the example section.

HTTP GET method corresponds to Read operation. The server responds with a representation of a resource identified by URI.

The HTTP POST verb creates a child or subordinate of the resource specified in the URI.

HTTP PUT maps to both Update and Create operations. If a resource specified in the PUT request exists on the server, it should be replaced with the one in the request. If the resource doesn’t exist, PUT can create it.

HTTP PATCH verb can also perform the Update operation. PATCH contains instructions on how to update a resource, while PUT contains a modified copy of a resource.

HTTP DELETE maps to Delete operation.

REST API Example: CSR1000v

Let’s apply the concepts from the previous section in practice. The next few sections will show how to perform each of the CRUD operations with the REST-like API provided by Cisco IOS-XE routers.

This API is based on RESTCONF. It can return the representation of resources in XML or JSON format. RESTCONF uses YANG, a modeling language that describes a router’s configuration and operational state.

Both RESTCONF and YANG are described in RFCs:

IOS-XE Configuration for RESTCONF

In our example, we will generate API requests to a CSR1000v IOS-XE router running on ESXi.

Our router runs IOS-XE version 16.9.5 with the following configuration applied:

interface GigabitEthernet1
 ip address 192.168.7.4 255.255.255.0
 no shutdown
aaa new-model
aaa authentication login default local
aaa authorization exec default local

username admin secret ciscocisco
username admin privilege 15
enable secret ciscocisco

ip http server
ip http authentication local
ip http secure-server
restconf

For details, refer to the Cisco configuration guide, which is available via this URL.

Postman Client Setup

We will use free tier features of software called Postman (https://www.postman.com/).

Postman helps with testing and discovery of API prior to writing automation programs. The automation scripts can be written using programming languages, such as Python with requests library.

Download the software for the platform of your choice. We use the Windows version of Postman in the next examples and the screenshots.

Start Postman and disable SSL certificate validation, as we are going to use the router’s IP address and self-signed certificate in our examples:

Figure 1. Postman - Disable SSL Certificate Verification

Read with HTTP GET

In the first example, we will send a simple GET request to obtain a list of interfaces of the router.

Figure 2. REST API READ

The next figure shows the sequence of steps creating the request in Postman that returns the list of interfaces of the router. The username and password values must match the ones configured on the router.

In this example, the URL of https://192.168.7.4/restconf/data/Cisco-IOS-XE-native:native/interface/ consists of the following components:

  • https – URI scheme and protocol
  • // – authority
  • 192.168.7.4 – hostname or IP address of the router
  • /restconf/data/Cisco-IOS-XE-native:native/interface/ – path or resource ID

Figure 3. Postman – GET Request Parameters

The result of the request is shown in the next screenshot. The server replied with a 200 OK message and a representation of its interfaces in XML format.

Figure 4. Postman – Read list of the Router's Interfaces in XML Format

To switch to JSON we can adjust the request by modifying the Headers as shown in Figure 5. The Accept header is set to the value application/yang-data+json. The response looks very similar to the one in Figure 4, as both XML and JSON represent the same resource – the list of interfaces of the router.

Figure 5. Postman – Read list of the Router's Interfaces in JSON Format

Create new interface with HTTP POST

As the next step, let’s create a new loopback interface using the HTTP POST verb. Figure 6 shows the message exchange: the client sends a POST to the URI representing the list of interfaces, with the JSON representation of the new loopback interface in the body. The server returns an HTTP response with the code 201 (Created).

Figure 6. Cisco IOS-XE REST API Create an Interface with HTTP POST

Figure 7 shows Postman configuration for this request.

Figure 7. Postman - Create an Interface with HTTP POST

The listing below shows JSON representation of the interface:

{
  "Cisco-IOS-XE-native:Loopback": {
    "name": "1",
    "description": "Test",
    "ip": {
      "address": {
        "primary": {
          "address": "192.168.8.1",
          "mask": "255.255.255.255"
        }
      }
    }
  }
}

The router has its configuration updated with new Loopback1 interface:

ROUTER#show run interface Loopback1
!
interface Loopback1
 description Test
 ip address 192.168.8.1 255.255.255.255
!

Update interface description with HTTP PATCH

In this example, we will create a query that sets the GigabitEthernet1 interface’s description. Figure 8 shows the message exchange between the PC and the router. URI includes interface name, as PATCH is used to apply partial updates to an existing interface.

Figure 8. REST API Update with HTTP PATCH

Postman query configuration steps are shown in Figure 9. Note that authorization settings must be set in the same way as done in the HTTP GET example.

Figure 9. Postman – Updating Interface Description using HTTP PATCH

The listing below shows JSON representation of the description change:

{
  "Cisco-IOS-XE-native:GigabitEthernet": {
    "description": "Very Important Interface"
  }
}

The router has its configuration updated with a description:

ROUTER#show run interface GigabitEthernet1
!
interface GigabitEthernet1
 description Very Important Interface
 ip address 192.168.7.4 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!

Delete interface description with HTTP DELETE

The final example will delete the Loopback interface using the HTTP DELETE verb. Figure 8 shows the message exchange, which identifies the resource that we want to delete.

Figure 8. REST API Delete with HTTP DELETE

Figure 9 shows configuration parameters in Postman.

Figure 9. Postman – Deleting Interface with HTTP DELETE

And the listing below demonstrates that the interface doesn’t exist anymore:

Router#show run interface Loopback1
                                  ^
% Invalid input detected at '^' marker.
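
The four Postman requests above map one-to-one onto the CRUD verbs from the earlier section, and the same requests can be built in an automation script. The following Python is an added example, not from the original post or from Cisco: it constructs (but does not send) each RESTCONF request with only the standard library, using the router address and JSON bodies from the page. The credentials are placeholders, and the `GigabitEthernet=1` / `Loopback=1` list-key form of the URI is an assumption about RESTCONF path syntax, as the page does not print those URIs.

```python
import base64
import json
import urllib.request

ROUTER = "192.168.7.4"                       # router address from the page
USERNAME, PASSWORD = "admin", "placeholder"  # assumed credentials; substitute your own
BASE = f"https://{ROUTER}/restconf/data/Cisco-IOS-XE-native:native"
YANG_JSON = "application/yang-data+json"     # the Accept value used in Figure 5


def basic_auth_header(user, password):
    """HTTP Basic credentials, as Postman's Authorization tab sends them."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method, path, body=None):
    """Return an unsent urllib Request for one RESTCONF resource."""
    headers = {"Accept": YANG_JSON,
               "Authorization": basic_auth_header(USERNAME, PASSWORD)}
    data = None
    if body is not None:                     # POST and PATCH carry a JSON body
        headers["Content-Type"] = YANG_JSON
        data = json.dumps(body).encode()
    return urllib.request.Request(BASE + path, data=data, headers=headers, method=method)


def describe(request):
    """Flatten a Request into plain values (header names lower-cased) for inspection."""
    return {"method": request.get_method(),
            "url": request.full_url,
            "headers": {k.lower(): v for k, v in request.header_items()},
            "body": json.loads(request.data) if request.data else None}


# Read: GET the list of interfaces (Figure 3).
def read_interfaces():
    return build_request("GET", "/interface/")


# Create: POST a new Loopback to the interface list (Figure 7).
def create_loopback(name, description, address, mask):
    body = {"Cisco-IOS-XE-native:Loopback": {
        "name": name, "description": description,
        "ip": {"address": {"primary": {"address": address, "mask": mask}}}}}
    return build_request("POST", "/interface/", body)


# Update: PATCH one GigabitEthernet entry; the list key in the URI uses the assumed '=' syntax.
def update_description(ifname, description):
    body = {"Cisco-IOS-XE-native:GigabitEthernet": {"description": description}}
    return build_request("PATCH", f"/interface/GigabitEthernet={ifname}", body)


# Delete: DELETE the Loopback resource identified by its key.
def delete_loopback(name):
    return build_request("DELETE", f"/interface/Loopback={name}")


if __name__ == "__main__":
    for req in (read_interfaces(),
                create_loopback("1", "Test", "192.168.8.1", "255.255.255.255"),
                update_description("1", "Very Important Interface"),
                delete_loopback("1")):
        print(describe(req))
```

Passing any of these requests to urllib.request.urlopen() sends it; urlopen verifies the router's certificate by default, so trust the router's certificate explicitly rather than disabling verification as the Postman setup step does.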

Self-Test Questions

What is REST and RESTful API?
REpresentational State Transfer (REST) is an architectural style that defines a set of constraints to create APIs. RESTful API is an API that meets all the constraints.
Does RESTful API have to be HTTP-based?
No, REST doesn’t mandate the use of any specific protocols.
What is the difference between Resource and Representation in REST?
A resource is a named piece of information, while a representation of the resource is a description of the resource at a specific moment.
Map CRUD operations to HTTP verbs
Create – POST or PUT.
Read – GET.
Update – PATCH or PUT (by replace).
Delete – DELETE

Explain the role of DHCP and DNS within the network

In this blog post, we will cover the role of 2 important services – DHCP and DNS. The CCNA exam includes the following topics that we will explore in detail:

4.3 Explain the role of DHCP and DNS within the network

4.6 Configure and verify DHCP client and relay

Domain Name System

Domain Name System (DNS) is a naming protocol for hosts and services on the Internet. It is also a client-server application that maintains and provides access to DNS records. Many Internet services, such as web browsing and email delivery, rely on DNS service.

In addition to its role of naming hosts on the Internet, DNS is also often used by organizations to support their internal applications. For example, Microsoft Active Directory is a directory service that requires DNS to store its records. In such scenarios, the internal records are not exposed to the Internet.

Domains and FQDNs

Hosts are uniquely identified by their Fully Qualified Domain Name (FQDN). For example, server1.sales.fastreroute.com is a fully qualified domain name of a server. The name consists of 2 parts separated by a dot:

  • Hostname portion, or server1
  • Domain portion, or sales.fastreroute.com

The domain component is hierarchical, with the parent domains specified on the right side. In the example above, domain .com is a parent domain of fastreroute.com, which in turn is a parent domain of sales.fastreroute.com.

To understand domain hierarchy, a file system can be used as an analogy, in which folders are replaced with domains and files with hosts. Domains can contain sub-domains or hostnames, in the same way as a file-system folder can contain subfolders or files.

Name Servers

Name server functionality can be implemented as an operating system component, an application, or Software-as-a-Service (SaaS). For example, BIND is one of the most popular DNS servers on the Internet and is available on Unix-like operating systems. Windows platforms have a DNS server built into the server operating system.

Public cloud providers offer managed DNS services; for example, AWS offers Route 53, which provides advanced features beyond traditional DNS servers. Cisco routers can be configured to act as a DNS server too. We will provide an example of how to set it up in this blog post.

A name server can act as an authoritative server or name resolver, or both at the same time. The authoritative server role focuses on storing naming information in DNS zones. The resolver role is about providing requested information after receiving a query from a client. We will discuss these roles in detail in the next two sections.

Authoritative Name Servers and Zones

An authoritative name server stores a DNS zone for a specific domain subtree and doesn’t rely on querying other name servers for entries in this zone. A domain hierarchy defines a logical structure of a namespace, while zones are actual files or databases storing the DNS data.

The very top zone in the hierarchy of public DNS is called the root zone. It contains pointers on how to find information about domains such as .com, .net, and different country codes. These domains are called Top-Level Domains (TLDs).

The root zone is serviced by 13 groups of DNS servers, which are also called root hints. Each group contains geographically distributed servers that share the same anycast IP address, and each group is allocated a letter of the alphabet as its hostname in the root-server.net domain. The location of these servers on the world map can be checked here; scroll down to see the members within each cluster and their locations.

When an organization registers a domain name, for example, fastreroute.com, the parent domain (.com) delegates administrative control over fastreroute.com and all domains under it to the organization. If no further delegation is done, then the zone fastreroute.com will store all entries in the domain and all subdomains under it.

Administrators of fastreroute.com can delegate control of a subdomain sales.fastreroute.com to the sales department. A different set of DNS servers can host the zone for sales.fastreroute.com and all subdomains under it, such as us.sales.fastreroute.com.

If we continue the analogy with the file system, delegation is similar to creating a link or shortcut that will redirect users to another file server. This server, in turn, can create shortcuts to other file servers and so on.

Name Resolvers and Query Types

Name resolution is the process of a DNS client sending a query and a DNS server replying to it. The most commonly used type of request resolves a hostname to an IP address. Some name servers perform only the name resolution function and do not host any zones, i.e. they are not authoritative for any domain namespace.

There are 2 modes that name resolvers can operate in – recursive and iterative. A recursive server performs additional queries to other servers if it doesn’t have the required information locally. Recursive name resolvers can also cache answers, so subsequent queries can be serviced from the local cache. An iterative resolver, instead of doing all the queries on the client’s behalf, returns the address of another name server for the client to query directly.

Record types

DNS stores information in domain zones using several types of records. The SOA record contains authoritative zone information, administrative contacts, and different timers. NS records contain pointers to the authoritative DNS servers.

An “A” record maps a hostname to an IPv4 address. The AAAA record is the IPv6 version of the A record. A PTR record stores the reverse of an A record, so one can resolve an IP address to a hostname.

A CNAME record keeps a hostname-to-hostname mapping and is often called an alias record. The MX record specifies the SMTP mail server for a domain. A TXT record stores a piece of text information.

Check this article on Wikipedia with the full list of DNS record types.

Cisco Routers and Switches as a DNS Client

Cisco devices can be configured as a DNS client. The device has multiple system services, such as Smart Licensing and NTP, that use hostnames and need to resolve them to IP addresses. The hostname and domain name are also used to create RSA keys for services such as the SSH server.

The following configuration commands configure DNS client functionality:

hostname edgerouter1
ip name-server 8.8.8.8 8.8.4.4
ip domain name fastreroute.com

In this example, the router will have the FQDN edgerouter1.fastreroute.com. It will use two of Google’s name servers in the specified order, and it will also append the suffix fastreroute.com if only a hostname is specified in various commands.

To display name server information, validate cache and enable debugging, use the following 3 commands:

show ip dns servers
show hosts
debug ip domain

Cisco Routers and Switches as DNS Server

It is possible to configure Cisco routers to provide DNS server functionality. To enable it use the following command:

ip dns server

By default, the server will use name servers configured on the router, as shown in the earlier example, to perform query forwarding. It is possible to create conditional forwarding patterns useful when you might want to use internal DNS servers for some queries and ISP’s DNS servers for Internet access at the remote branch. The configuration guide on the Cisco website provides more information for such a configuration.

It is also possible to create static entries that can be useful for different testing scenarios:

ip host test.local.lab 1.2.3.4

In this example, the router will reply with the IP address of 1.2.3.4 to clients that are trying to resolve “test.local.lab” via the Cisco router.

Dynamic Host Configuration Protocol (DHCP)

A host needs an IP address to communicate on the network. An address can be assigned to a device via manual configuration or dynamic assignment. Administrators manually configure IP addresses on servers and network devices that expect static IP addresses. A DHCP server dynamically assigns IP addresses to workstations and client devices, as they don’t expect inbound connections and manual configuration would be time-consuming and impractical.

DHCP Client-Server Communication

When a DHCP client starts up, it broadcasts a discover message looking for a DHCP server. As the client doesn’t have an IP address during bootstrap, all communications described below use broadcasts and can only communicate on the same broadcast domain (VLAN).

Any DHCP server that receives the discover message replies with an offer of an IP address for the client to use. The client may receive one or many replies, in which case it usually uses the first one, and sends a request back to the server confirming that it accepts the offered IP address. Finally, the server sends an acknowledgment to the client to complete the address negotiation process.

This handshake uses 4 messages: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack. It can be memorized using the acronym DORA (Discover, Offer, Request, Acknowledgment).

DHCP Pools and Leases

An administrator creates a pool of IP addresses for the DHCP server to allocate individual addresses from. Addresses must be returned to the pool after a period of time unless the client requests a lease renewal.

Multiple settings, such as subnet mask, default gateway, DNS server and domain, and lease duration, can be managed at the pool level. Cisco devices acting as DHCP servers use the pool configuration mode for subnets and individual IP address reservations.

A DHCP lease, or binding, is created when a client has been allocated an IP address from a pool. The lease is provided for a specific time. The client will attempt to renew the lease at predetermined intervals prior to the lease expiration.

Printers often need to have the same IP address. Instead of configuring printers manually, an administrator can configure a DHCP server to reserve an IP address for a specific MAC address. Such a lease is called DHCP reservation.

DHCP Client Configuration on Cisco Devices

DHCP client configuration is usually done on Internet-facing interfaces.

interface GigabitEthernet0
 ip address dhcp

ip route 0.0.0.0 0.0.0.0 dhcp

The example above configures the GigabitEthernet0 interface to acquire its IP address dynamically via DHCP. The optional “ip route” command enables the use of the default gateway sent by the DHCP server.

DHCP Relay Configuration on Cisco Devices

As we discovered earlier, DHCP is based on broadcast communication. As broadcasts are contained within a subnet boundary, clients must be placed in the same subnet as the DHCP server, or the DHCP server must have multiple interfaces so that it is present in every subnet. Neither scenario is optimal, and they don’t scale well.

To address this, DHCP relay can be configured on a router or Layer 3 switch. DHCP relay listens for DHCP messages on the interfaces where it is enabled. If the relay sees a broadcast, it processes the message and then sends it as a unicast directly to the DHCP server. Further communication flows via the DHCP relay, which also records the IP address of the interface on which the client’s query was received, so the DHCP server knows which address pool to allocate the address from.

DHCP relay, often called “ip helper”, is configured using the following commands:

interface Vlan100
 ip helper-address 192.168.1.10

In this example, the DHCP broadcasts received from clients in VLAN 100 will be forwarded to the DHCP server with an IP address of 192.168.1.10.

DHCP Server Configuration on Cisco Devices

In SOHO networks, no traditional servers may be available to perform the DHCP server role. In these scenarios, a router can be configured as a DHCP server. The configuration consists of defining a DHCP pool with its settings and excluding certain IP addresses from allocation.

The configuration commands to create a network pool:

ip dhcp excluded-address 192.168.10.1 192.168.10.10

ip dhcp pool VLAN-10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1

To create a reservation for a device, its MAC address needs to be specified:

ip dhcp pool PRINTER-01
 host 192.168.10.9 255.255.255.0
 ! for an Ethernet client the identifier is 01 followed by the MAC address (here abcd.efab.cdef);
 ! alternatively, "hardware-address abcd.efab.cdef" matches on the plain MAC address
 client-identifier 01ab.cdef.abcd.ef
 default-router 192.168.10.1
 dns-server 192.168.10.1

To validate assigned IP addresses and see debug messages:

show ip dhcp binding
debug ip dhcp server packets
debug ip dhcp server events
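As an added example (not part of the article and not Cisco code), the following Python model reproduces the server-side behaviour described in the DHCP sections above: the DORA exchange, a pool selected from the relay’s interface address, excluded addresses, and a reservation keyed on the client identifier. The pool, exclusion range, reservation and client identifiers are constructed to match the configuration shown above.

```python
import ipaddress


class Pool:
    """One "ip dhcp pool" block: a network plus the options handed to clients."""

    def __init__(self, name, network, default_router, dns_server, lease_seconds=86400):
        self.name = name
        self.network = ipaddress.IPv4Network(network)   # "network 192.168.10.0 255.255.255.0"
        self.default_router = default_router            # "default-router"
        self.dns_server = dns_server                    # "dns-server"
        self.lease_seconds = lease_seconds              # IOS default lease is one day


class DhcpServer:
    """Constructed model of the DHCP server behaviour described in the article."""

    def __init__(self):
        self.pools = {}            # name -> Pool
        self.excluded = set()      # "ip dhcp excluded-address first last"
        self.reservations = {}     # client-id -> (ip, pool name), i.e. "host" + "client-identifier"
        self.bindings = {}         # ip -> (client-id, pool name), what "show ip dhcp binding" lists

    def add_pool(self, name, network, default_router, dns_server):
        self.pools[name] = Pool(name, network, default_router, dns_server)

    def exclude(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.excluded.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))

    def reserve(self, client_id, ip, pool_name):
        self.reservations[client_id] = (ip, pool_name)

    def _select_pool(self, giaddr, local_ip):
        # A relayed DISCOVER carries the relay interface address (giaddr); a broadcast
        # received directly is matched against the address of the receiving interface.
        source = ipaddress.IPv4Address(giaddr or local_ip)
        for pool in self.pools.values():
            if source in pool.network:
                return pool
        return None

    def _free_address(self, pool):
        # Lowest host address that is neither excluded nor already bound.
        for host in pool.network.hosts():
            ip = str(host)
            if ip not in self.excluded and ip not in self.bindings:
                return ip
        return None

    def handle_discover(self, client_id, giaddr=None, local_ip=None):
        """DISCOVER in, OFFER out (or None if the server has nothing to offer)."""
        if client_id in self.reservations:
            ip, pool_name = self.reservations[client_id]   # reservation wins over the dynamic range
        else:
            pool = self._select_pool(giaddr, local_ip)
            if pool is None:
                return None                                 # no pool for that subnet: stay silent
            ip, pool_name = self._free_address(pool), pool.name
            if ip is None:
                return None                                 # pool exhausted
        pool = self.pools[pool_name]
        self.bindings[ip] = (client_id, pool_name)          # held for this client until REQUEST
        return {"type": "OFFER", "yiaddr": ip, "mask": str(pool.network.netmask),
                "router": pool.default_router, "dns": pool.dns_server,
                "lease": pool.lease_seconds}

    def handle_request(self, client_id, requested_ip):
        """REQUEST in, ACK if the address was offered to this client, otherwise NAK."""
        bound = self.bindings.get(requested_ip)
        if bound and bound[0] == client_id:
            return {"type": "ACK", "yiaddr": requested_ip}
        return {"type": "NAK"}


def build_sample_server():
    """Server configured like the VLAN-10 and PRINTER-01 pools above (constructed values)."""
    server = DhcpServer()
    server.add_pool("VLAN-10", "192.168.10.0/24", "192.168.10.1", "192.168.10.1")
    server.exclude("192.168.10.1", "192.168.10.10")
    server.reserve("01ab.cdef.abcd.ef", "192.168.10.9", "VLAN-10")   # printer reservation
    return server


if __name__ == "__main__":
    srv = build_sample_server()
    # Constructed client identifiers; the DISCOVER arrives through a relay whose
    # interface address is 192.168.10.1, so the VLAN-10 pool is selected.
    offer = srv.handle_discover("01aa.aaaa.aaaa.aa", giaddr="192.168.10.1")
    print("OFFER", offer)
    print("ACK? ", srv.handle_request("01aa.aaaa.aaaa.aa", offer["yiaddr"]))
    print("printer:", srv.handle_discover("01ab.cdef.abcd.ef", giaddr="192.168.10.1"))
    print("unknown subnet:", srv.handle_discover("01cc.cccc.cccc.cc", giaddr="10.9.9.1"))
```

The reserved address 192.168.10.9 sits inside the excluded range and is still handed out, which is the point of the exclusion: it keeps dynamic clients away from addresses meant for static or reserved use.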

Self-Test Questions

What is the difference between recursive and iterative modes of DNS resolver operation?
A resolver in recursive mode performs queries on the client’s behalf and returns the requested information, while an iterative resolver sends a referral to the client, so it can perform further queries on its own.
What is the difference between A and CNAME DNS resource records?
An “A” record stores a mapping of a hostname to an IP address, while a CNAME stores a hostname (alias) to hostname mapping.
List the 4 messages used in DHCP communication between client and server.
Discover, Offer, Request and Acknowledgement (DORA).
Explain the purpose of a DHCP relay.
DHCP communication uses broadcast messages, which are not forwarded by routers. DHCP relay services can be provided by a router with an interface in the same network as the clients. The DHCP relay translates broadcast communication with the client into unicast communication with the DHCP server.

Determine how a router makes a forwarding decision

In this blog post, we will discover how a Cisco router selects the best route to use for packet forwarding. The CCNA exam includes the following topics which we will cover in detail:

3.2 Determine how a router makes a forwarding decision by default

  • 3.2.a Longest match
  • 3.2.b Administrative distance
  • 3.2.c Routing protocol metric

Exam blueprint lists selection criteria in the order of preference that a router uses when choosing the best path among multiple available options. However, to compile the routing table the process is reversed.

Firstly, each routing protocol selects the best route using its own metric comparison procedure. If there are more than one candidate routes from different protocols, then administrative distances are compared and only one protocol installs its route into the routing table. In some cases, a routing protocol, instead of preferring a single path, can use multiple next-hops for the same network to split the load between several links.

The forwarding decision is then based only on the longest match, as the routing table is already filtered of all but the best routes. The router looks for the longest match for a destination and prefers more specific IP prefix routes over broader ones.

To describe these options in this blog post, we will follow the bottom-up approach, i.e. starting with protocol choice, then moving to inter-protocol choice, and finally performing the longest match comparison.

Sample network

Figure 1 shows a sample diagram with a router selecting the best path to forward traffic to a host with the IP address of 10.1.1.25. By the end of this post, you will be able to identify the path router A will select. In the next several sections we will discuss these selection steps one by one.

Figure 1. Determine how a router makes a forwarding decision

Routing Protocol Metric

Dynamic routing protocols calculate and use a numerical value to describe the cost of a path to a destination. This number is called a metric and it is specific to each routing protocol. Metric values of two different routing protocols are not compared with each other. All routing protocols either use different properties of the path or use different calculations.

For example, some protocols use a simple metric like the number of routers, or hops, that a packet needs to cross to get to the remote network. If two peers advertise routes to such a network, the one with the smaller number of hops is chosen. Other protocols use bandwidth as their path cost.

Table 1 lists different routing protocols and the metric that they use.

Protocol    | Metric
RIP         | Number of routers in the path (hop count).
OSPF, IS-IS | Cumulative value based on bandwidth; links with smaller bandwidth accumulate more cost.
EIGRP       | Composite metric based on multiple parameters – delay, bandwidth, utilization and reliability. Only the first two parameters are used by default. Calculated from the sum of transit link delays and the smallest bandwidth across the path.
BGP         | Number of Autonomous Systems (routing domains) to reach a destination can be considered a metric that is visible end to end.

Table 1. Routing Protocol Metrics

Interior Gateway Protocols (IGP) Metric

IGP metrics, with the exception of RIP, provide a good measurement of path performance. They are based on static link parameters, such as bandwidth and delay. Only the EIGRP metric calculation formula can include dynamic link features, such as utilization and reliability; however, they are not used by default.

IGP protocols also prefer routes that were injected into the protocol internally. These are mostly routes to networks in which routers have interfaces. External routes are routes injected by redistribution from another protocol or from a static route. For example, OSPF selects intra-area routes, then inter-area routes, and finally external routes. This selection happens before metric comparison.

Exterior Gateway Protocols (EGP) Metric

BGP has a different objective when choosing the best path. As the protocol is used between different organizations, it was designed to include multiple attributes that can be used to influence and communicate the desired traffic flow. The BGP path selection process consists of more than 10 steps. Many of the attributes are statically configured to influence the selection process and represent an administrative view of path cost, as opposed to IGP’s calculation based on some objective evaluation of the path performance.

The routing domain controlled by a single organization in BGP is called an Autonomous System. As a route propagates from the injecting router, it is updated to include the AS numbers of the autonomous systems it has traversed. The AS_PATH attribute stores this information. The number of ASes in AS_PATH can be used to compare different routes: the shorter AS_PATH is preferred over a longer one. Other attributes that BGP routers exchange and that can affect best path selection include LOCAL_PREF, MED, ORIGIN, and the lowest IGP metric to the next hop.

Example of the best route selection using routing protocol metric

In the sample topology, router A can see 2 paths to 10.1.1.0/24 in its EIGRP topology table. As shown in Figure 2, the path via D has a cost of 1024 and path via E – 2048. EIGRP process on router A chooses path via D as a candidate route. The next section will describe the process the router goes through to decide if EIGRP should be allowed to install its route.

Figure 2. Selecting a route using routing protocol metric

Administrative Distance

Administrative Distance is a tie-breaker that is used when there are two or more candidate routes to the same prefix (same network and prefix length) learned via different routing protocols. Only one of these routes to the same network will be installed into the routing table.

Administrative Distance is a pre-configured numerical value of the trustworthiness of a routing information source. More preferred protocols have smaller administrative distance numbers.

Protocol                   | Administrative Distance | Notes
Directly connected network | 0   | The networks that the router has an interface in. Cannot be changed.
Static                     | 1   | Manually created routes. Can be increased to create a floating static route.
EIGRP (summary route)      | 5   | Cisco proprietary Interior Gateway Protocol. Routes of this type are visible only on the router that creates the summary in EIGRP. Layer 3 loop prevention mechanism.
eBGP                       | 20  | Standards-based Exterior Gateway Protocol. Assigned to routes learned from external BGP neighbors.
EIGRP                      | 90  | Cisco proprietary Interior Gateway Protocol.
IGRP                       | 100 | Obsolete Cisco proprietary Interior Gateway Protocol.
OSPF                       | 110 | Standards-based Interior Gateway Protocol.
IS-IS                      | 115 | Standards-based Interior Gateway Protocol.
RIP                        | 120 | Standards-based Interior Gateway Protocol.
EIGRP (external)           | 170 | Cisco proprietary Interior Gateway Protocol. Routes redistributed into EIGRP are installed with this higher AD. Layer 3 loop prevention mechanism.
iBGP                       | 200 | Standards-based Exterior Gateway Protocol. Assigned to routes learned from internal BGP peers.
OMP                        | 251 | Cisco proprietary protocol used in SD-WAN between vEdges. The high Administrative Distance value makes the router prefer routes learned via the service (LAN) side.

Table 2. Default Administrative Distances

Directly connected networks and static routes

As Table 2 shows, directly connected networks have the lowest administrative distance. A router has an interface in each of the connected networks.

Static routes, by default, are more preferred than any dynamically learned route of the same prefix length. Changing a static route’s administrative distance to be numerically higher than that of the dynamic routing protocol is a common way to provide backup connectivity. In this configuration, if the dynamic route is no longer available, the static route replaces it and provides a secondary path. Such a route is called a floating static route.

Interior Gateway Protocols (IGP) Administrative Distance

The default administrative distance values rank IGP protocols in the following order of preference: EIGRP, OSPF, IS-IS, and RIP. With the exception of RIP, the priority doesn’t mean that one protocol is more reliable or accurate than another.

In many networks there is a single IGP, so the default preference for OSPF over IS-IS doesn’t make a difference. However, in some situations, such as a network merger or a transition to a different protocol, an administrator may run several IGPs at the same time. In such networks, the default administrative distances can be adjusted to make one protocol more preferred than another. It is recommended to test the settings in a lab, as incorrect configuration can cause various issues, such as routing loops and unpredictable traffic paths.

Exterior Gateway Protocol (EGP) Administrative Distance

There is only a single non-obsolete Exterior Gateway Protocol – Border Gateway Protocol (BGP). If a router doesn’t run any other dynamic routing protocols, then as with IGPs, its default administrative distance value doesn’t affect the route selection process.

However, in enterprise networks, it is common to run BGP along with one of the IGPs. For example, a company can exchange routes via BGP with its Internet or WAN providers. At the same time, internally it can run OSPF or EIGRP. In such scenarios, the routes can be divided into external and internal. BGP is authoritative for the external routes, and the IGP for the internal ones.

The default Administrative Distance of external BGP routes ensures that a router will not start preferring a route to external networks via an adjacent IGP router, which can often advertise such a network back if there is more than one router performing redistribution between protocols.

In contrast, routes from iBGP peers have an administrative distance of 200, which is higher than any IGP route’s AD. This causes a router to use the IGP as the source of truth for internal destinations.

Interestingly, in some cases an internal BGP route can displace an external BGP route even though the latter has a lower administrative distance. The reason is that the BGP process performs its own evaluation when selecting the best path before placing the route into the routing table. For example, a BGP route received via an internal peer can have a better Local Preference value and, as a result, be preferred over the same route learned via an external peer, which would have been installed with an AD of 20. As the best route is from an internal BGP peer, it is installed into the routing table with an AD of 200.

Example of the best route selection based on Administrative Distance

Following our previous example, as shown in Figure 3, after EIGRP selected the path via D, we are left with 3 possible paths: via B, C, and D. Both B and D want to install the same network, 10.1.1.0/24, into the routing table. Administrative distance is used to decide which one is better. As EIGRP has a better administrative distance (90) than internal BGP (200), the path via D is selected. This selection happens before any packet forwarding decisions are made, as part of routing protocol convergence. Both routes (10.0.0.0/8 and 10.1.1.0/24) are now installed into the routing table. The next step for the router is to perform selection based on the longest match.

Figure 3. Selecting a route based on Administrative Distance

Longest Match

All unicast routing protocols look up routes using the destination IP address of a packet. The longest match refers to the process of identifying the route to the most specific network that the packet matches.

For example, the default route or route to 0.0.0.0/0 matches every packet. Next hop of such routes is often called gateway of last resort because it is the least preferred route, which is used only if no other matching routes exist.

The most specific route is a host route with a prefix length of 32 (or subnet mask of 255.255.255.255). For example, 192.168.100.25/32 is a host route, and packets sent to that specific host will be always following this route.

The important difference of the longest match from the other two steps is that the router compares two different routes, with one being a superset of another. Both networks will appear in the routing table. Such a situation often exists when there is summarization being performed in the network, which is the process of combining multiple routes into a single one.

Example of the best route selection based on the longest match

In our example network, in Figure 4, router A needs to choose between 2 routes: statically configured 10.0.0.0/8 and dynamically learned 10.1.1.0/24. The /24 route is more specific and is a longer match.

Figure 4. Selecting the best route based on the longest match

Importance of identifying IP address range of a subnet

When evaluating a packet against multiple routes, identify the network part of the IP prefix and the usable range of addresses it contains. For example, let’s say you have a route to 192.168.0.0/16 and a route to 192.168.20.0/23. You need to identify which of these two routes a packet with the destination of 192.168.21.200 will match.

It may look like the packet matches only the first, wider prefix, 192.168.0.0/16. However, 192.168.20.0/23 has a range of usable addresses between 192.168.20.1 and 192.168.21.254, and the destination 192.168.21.200 falls within it. Because /23 is a longer match than /16, the second route will be preferred.
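As an added example (not part of the article), the three selection steps described above are carried out in Python against constructed candidate routes matching the sample topology of Figures 2 to 4, and then the 192.168.20.0/23 check is repeated. Router names, EIGRP metric values and the per-route distance override used for the floating static case are assumptions for illustration; the administrative distances are the Table 2 defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from Table 2 (Cisco IOS defaults).
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
              "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200}


@dataclass(frozen=True)
class Candidate:
    prefix: str                     # e.g. "10.1.1.0/24"
    protocol: str                   # key into DEFAULT_AD
    next_hop: str                   # router name from the sample topology (assumed)
    metric: int = 0                 # protocol-specific; compared only within one protocol
    distance: Optional[int] = None  # per-route AD override, e.g. a floating static route

    @property
    def ad(self):
        return DEFAULT_AD[self.protocol] if self.distance is None else self.distance


def best_per_protocol(candidates):
    """Step 1: each protocol picks its own best path to a prefix using its own metric."""
    best = {}
    for c in candidates:
        key = (c.prefix, c.protocol)
        if key not in best or c.metric < best[key].metric:
            best[key] = c
    return list(best.values())


def build_routing_table(candidates):
    """Step 2: across protocols, the lowest AD wins and installs the prefix (one route each)."""
    table = {}
    for c in best_per_protocol(candidates):
        installed = table.get(c.prefix)
        if installed is None or c.ad < installed.ad:
            table[c.prefix] = c
    return table


def lookup(table, destination):
    """Step 3: at forwarding time only the longest matching prefix counts."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None     # no route, not even a default: the packet is dropped
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def usable_range(prefix):
    """First and last host address of a prefix, as in the 192.168.20.0/23 walkthrough."""
    net = ipaddress.ip_network(prefix)
    return str(net[1]), str(net[-2])


# Constructed candidate routes seen by router A (Figures 2-4): two EIGRP paths to
# 10.1.1.0/24 via D and E, an iBGP path via B, and a static 10.0.0.0/8 via C.
SAMPLE_CANDIDATES = [
    Candidate("10.1.1.0/24", "eigrp", "D", metric=1024),
    Candidate("10.1.1.0/24", "eigrp", "E", metric=2048),
    Candidate("10.1.1.0/24", "ibgp", "B"),
    Candidate("10.0.0.0/8", "static", "C"),
]

if __name__ == "__main__":
    table = build_routing_table(SAMPLE_CANDIDATES)
    for prefix, route in table.items():
        print(f"{prefix:14} via {route.next_hop} [{route.ad}/{route.metric}] {route.protocol}")
    print("10.1.1.25 forwarded via", lookup(table, "10.1.1.25").next_hop)
    print("192.168.20.0/23 usable range:", usable_range("192.168.20.0/23"))
```

Swapping the iBGP candidate for an eBGP one (AD 20) reproduces the last self-test answer: the path via B then wins step 2 and is still the longest match in step 3.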

Self-Test Questions

Which field of the IP packet does a router use for forwarding?
The destination IP address.
What is a floating static route?
By default, static routes are more preferred than any dynamic routes. A floating static route is a technique of making the route less preferred by increasing its administrative distance, with the aim of using it as a backup option when the dynamic route is not available.
Do routers compare metrics calculated by different routing protocols?
No, only metrics of the same protocol are compared.
Can one see 2 routes with different administrative distances to exactly the same network in the routing table?
No, only the routing protocol with the lowest administrative distance is allowed to install its route into the routing table.
If there are multiple routes of different lengths matching a packet, which one will the router use?
The route to the network that is most specific, i.e. has the longest prefix length.
Consider the situation in which this article’s sample network used eBGP between routers A and B. How would this affect the best path selection?
The A>B path would become the best path. In the Administrative Distance comparison step, eBGP with its default AD of 20 would win over EIGRP’s AD of 90. It would then be installed into the routing table and is still more specific than 10.0.0.0/8.

Describe Characteristics of Network Topology Architectures

New CCNA exam blueprint includes the following exam topics:

1.2 Describe characteristics of network topology architectures

1.2.a 2 tier

1.2.b 3 tier

1.2.c Spine-leaf

1.2.d WAN

1.2.e Small office/home office (SOHO)

1.2.f On-premises and cloud

We wrote a blog post about 2-tier and 3-tier campus network architecture, which is one of the topics of the older version of the CCNA exam. The content is still relevant, so we will provide only summary information here for completeness. Other topics that will be covered in this post include data center leaf-and-spine architecture, WAN topologies, small office/home office networks, and comparison between on-premises and cloud environments.

LAN Design

2-tier vs 3-tier

Campus networks design defines the following tiers or layers:

  • Access
  • Distribution
  • Core

The access tier provides connectivity for the end users. The access layer requires high port density and the ability to deliver Power over Ethernet (PoE). Switches at the access layer connect to the distribution layer switches and should not be connected to each other. As access switches have direct visibility into the devices that connect to them, security access checks, such as 802.1X authentication, and QoS traffic classification are usually performed at this tier.

The distribution tier is responsible for connecting access switches together. Distribution switches usually have high-speed fiber (and less often copper) ports. Traditionally, the default gateway function for VLANs or subnets was provided by distribution layer switches. For this reason, different types of security enforcement, such as inter-VLAN ACLs, were implemented at this layer. In modern networks, however, it is also common to see access layer switches configured as default gateways for VLANs.

The core tier connects distribution switches together when there is a requirement to have a 3rd level of the hierarchy. The main responsibility of this layer is to route traffic as fast as possible over multiple redundant paths.

Figure 1 shows a 2-tier design. This architecture comprises only the access tier and a combined distribution-core tier. It is also referred to as a collapsed core design. The switches at the top perform distribution tier functions by providing uplink connectivity for access layer switches. The core function, connecting the distribution switches together, is implemented by a single link between these two switches. When new access layer switches are added to the network, it is possible to introduce additional distribution switches to accommodate the expansion.

Figure 1. 2-tier Network Architecture

As the number of distribution switches goes up, establishing full-mesh connectivity becomes difficult. A good alternative is to implement a dedicated set of core devices, so that each distribution switch only needs to connect to them. A 3-tier architecture has all 3 layers implemented, as shown in Figure 2.

Figure 2. 3-tier Network Architecture

Data Center Design

Physical topologies

A typical data center consists of multiple server racks connected together. Physical cabling usually follows one of two patterns:

  • Top-Of-Rack (TOR)
  • End-Of-Row (EOR)

Top-Of-Rack implies that each rack has a single switch or a pair of switches, usually installed at the top. The servers are connected to these switches, so all internal cabling stays inside the rack. Top-Of-Rack switches then connect to aggregation switches outside of the rack. End-Of-Row, on the other hand, indicates that only certain racks, for example the first and last rack in each row, have high-port-density switches installed. Servers are then connected using a cross-rack cabling system to these End-Of-Row switches.

Figure 3. Top-Of-Rack vs. End-Of-Row

Both topologies have their pros and cons in different scenarios. For example, the TOR design requires extra switches to be placed into each rack but has simplified cable management. The TOR switches may be underutilized depending on the number of servers within each rack. The EOR topology requires more cables to be installed between racks as port requirements within each rack grow. Racks also need to be adjacent to each other, so adding an additional rack may not be as easily accomplished as in the TOR design.

Data center design requirements

Data centers host physical and virtual servers. Communication between servers within the data center network produces east-west traffic. It includes traffic between applications and databases, different replication types between servers, and file exchange.

There is a much higher demand for east-west bandwidth in a data center compared to a campus network, which usually doesn’t have much client-to-client communication.

Horizontal scalability, or ability to expand by adding new switches, is another requirement of a data center network. To accommodate an increase in a number of racks, the network must provide ways to connect new switches without affecting available bandwidth for the existing switches.

To address these requirements, the leaf-and-spine design is commonly used to build data centers. This connectivity pattern came from telecommunication circuit switching systems and is called a Clos network.

Spine-leaf architecture

The leaf-and-spine topology consists of 2 layers – the leaf layer and the spine layer. In such a topology, every device on one layer connects to every single device on the other. No direct links exist between devices on the same layer. Collectively, the network devices on both layers form the so-called switch fabric.

Figure 4. Leaf and Spine Architecture

Leaf switches are the access layer of the data center. Servers plug only into leaf switches. The links between leaf and spine switches are point-to-point Layer 3 links, and all of them actively forward traffic: there is no spanning tree blocking redundant paths, and equal-cost multipath routing spreads traffic across the uplinks.

This architecture provides predictable bandwidth between any pair of leaf switches. For example, in figure 4 each leaf switch has 4 uplinks. If each link is 100Gbps, then each leaf switch has 400Gbps of uplink bandwidth available to the servers connected to it. With 48 10Gbps access ports on the leaf switch, the oversubscription ratio is 480Gbps/400Gbps, or 1.2 to 1. This ratio is preserved as the number of leaf switches grows, so the network can scale horizontally. If more uplink bandwidth is required, additional spine switches can be added.
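The calculation above generalizes easily. The following Python model is an added illustration, not code from the original article or from any Cisco tool. It assumes the fabric of Figure 4 (every leaf has exactly one uplink to every spine, servers attach only to leaves) and shows three things a designer should check: the ratio stays at 1.2:1 no matter how many leaves are added, it degrades to 1.6:1 when one of the 4 spines fails, and a 5th spine brings it below 1:1. Port counts and speeds are sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LeafSpineFabric:
    """Leaf-and-spine fabric as in Figure 4: every leaf has exactly one
    uplink to every spine, servers attach only to leaves."""
    spines: int
    leaves: int
    uplink_gbps: float    # speed of a single leaf-to-spine link
    access_ports: int     # server-facing ports per leaf
    access_gbps: float    # speed of a single server-facing port

    def leaf_uplink_capacity(self, failed_spines: int = 0) -> float:
        """Uplink bandwidth available to one leaf, with some spines down."""
        healthy = self.spines - failed_spines
        if healthy <= 0:
            raise ValueError("no healthy spine left, the leaf is isolated")
        return healthy * self.uplink_gbps

    def leaf_access_capacity(self) -> float:
        """Bandwidth the servers on one leaf can offer to the fabric."""
        return self.access_ports * self.access_gbps

    def oversubscription(self, failed_spines: int = 0) -> float:
        """Access-to-uplink ratio of a single leaf (480/400 = 1.2 in the text).
        It does not depend on the number of leaves, which is why the
        fabric scales horizontally."""
        return self.leaf_access_capacity() / self.leaf_uplink_capacity(failed_spines)

    def spine_ports_required(self) -> int:
        """Every spine needs one port per leaf, so a spine's port count is
        the hard ceiling on the number of leaves in the fabric."""
        return self.leaves


def scale_out(fabric: LeafSpineFabric, extra_leaves: int = 0,
              extra_spines: int = 0) -> LeafSpineFabric:
    """Fabric after adding leaves (more racks) or spines (more uplink
    bandwidth per leaf)."""
    return LeafSpineFabric(fabric.spines + extra_spines,
                           fabric.leaves + extra_leaves,
                           fabric.uplink_gbps, fabric.access_ports,
                           fabric.access_gbps)


if __name__ == "__main__":
    # Constructed sample fabric matching the worked numbers in the text.
    fabric = LeafSpineFabric(spines=4, leaves=8, uplink_gbps=100,
                             access_ports=48, access_gbps=10)
    print(f"baseline         {fabric.oversubscription():.2f}:1")
    print(f"+24 leaves       {scale_out(fabric, extra_leaves=24).oversubscription():.2f}:1")
    print(f"one spine down   {fabric.oversubscription(failed_spines=1):.2f}:1")
    print(f"+1 spine         {scale_out(fabric, extra_spines=1).oversubscription():.2f}:1")
    print(f"spine ports needed for 32 leaves: "
          f"{scale_out(fabric, extra_leaves=24).spine_ports_required()}")
```

The failed-spine case is the one usually missed in capacity reviews: a fabric sized exactly to its target ratio runs degraded during spine maintenance, so the ratio should be computed with N-1 spines as well.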

Two Cisco data center solutions use leaf-and-spine topology – Cisco ACI and programmable VXLAN EVPN fabrics. Check our article on Cisco ACI foundation.

WAN

A WAN, or Wide Area Network, provides connectivity between the offices and remote branches of a company. There are 2 broad categories of WAN, which differ in how the sites can communicate with each other: multi-access and point-to-point networks.

Multi-access vs Point-to-Point WAN

In the multi-access network, the Service Provider (SP) network connects WAN sites in a full-mesh scheme. Depending on the SP infrastructure, this design can provide better performance because of direct site-to-site connectivity. In Figure 5, an example of a multi-access network is shown. All three sites can reach each other directly.

Examples of multi-access networks include:

  • Layer 3 MPLS service
  • Metro Ethernet E-LAN service (L2 VPLS)
  • Older WAN technologies, such as Frame Relay and ATM
  • VPN-based WANs, such as DMVPN and SD-WAN

Figure 5. Multi-Access WAN Design

Point-to-point connections provide direct connectivity between two sites. Such services have advantages such as simplified bandwidth planning and QoS configuration. They can also provide very high bandwidth when there is dedicated fiber connectivity between the sites.

It is still possible to route traffic between spokes via a central hub. For example, in Figure 6 Site B can communicate to Site C by traversing site A. This will increase the load on Site A links and can add delay.

Figure 6. Point-to-Point WAN Design

Examples of point-to-point connections include:

  • Metro Ethernet E-Line service (L2 MPLS-based or dedicated physical fiber or DWDM)
  • VPN-based site-to-site links

Many networks can combine these types of connectivity, for example, large offices can connect over dedicated fiber links to a data center, which has connectivity to the L3 MPLS network connecting smaller sites together.

Layer 2 vs Layer 3 WAN

WAN topologies can also be classified as Layer 2 or Layer 3. The difference between the two is how the service provider network is seen by the customer.

A Layer 2 WAN looks like an Ethernet switch in a multi-access setup or like a piece of wire in a point-to-point setup. Some Layer 2 services allow 802.1Q tagging, so multiple VLANs can be transported over the same link. Metro Ethernet E-LAN (VPLS), E-Line, and direct fiber links are all examples of Layer 2 services. Figure 7 shows two variations of using a Layer 2 service provider network.

The network in the top part of Figure 7 has edge routers deployed at each site. These routers create Layer 3 boundaries for the devices behind them. The WAN-facing interfaces of the routers are in the same VLAN and IP subnet. The benefit of such a setup is that the company can use its routing protocol of choice without depending on the service provider supporting it.

The network in the bottom part of Figure 7 extends a single Layer 2 subnet to the site devices using Layer 2 switches. This topology is rarely used to extend VLANs containing end-user devices, as there is little practical need for it. However, it is often used to extend server VLANs when an application requires Layer 2 adjacency across sites.

Figure 7. Layer 2 WAN Design Options

A Layer 3 WAN appears as a router managed by the service provider. A site router needs to tell the provider network which networks sit behind it. Routing information can be either statically configured by the provider or dynamically exchanged. Service providers may not support the routing protocol used internally by the customer; for example, EIGRP is rarely supported by service providers due to its proprietary nature. L3 MPLS VPN is the most commonly used Layer 3 WAN service.

Figure 8. Layer 3 WAN Design Options

Small Office/Home Office (SOHO)

SOHO networks are usually designed to meet requirements such as reducing the number of devices and minimizing configuration complexity while maintaining enterprise-level security. In many cases, VPN-based solutions over the Internet are the most practical way to provide access to enterprise resources.

Depending on the protocol stack used in the rest of the network, there are 3 available Cisco platforms to choose from:

  • Cisco IOS/IOS-XE based
  • Cisco SD-WAN
  • Meraki MX-based

All three stacks include compact devices with built-in Ethernet switch, built-in WiFi options, and a WAN interface (or two) with 4G backup. Check our article about different SD-WAN platforms.

There are two design options available with SOHO that relate to security.

Centralized Internet vs Local Internet Breakout (Split-tunneling)

The two options differ in which traffic is sent over the VPN tunnel to the corporate VPN gateway.

The centralized option forces all traffic over the tunnel, including Internet traffic, which then breaks out via the data center. The data center has the full set of security services, so SOHO users get the same level of protection as users in the office, at the cost of extra load and latency on the tunnel and on the central Internet edge.

With the split-tunnel option, only traffic destined for the company data center and offices is sent over the tunnel. Internet traffic is not tunneled and goes directly via the local Internet Service Provider. As a result, security inspection of that traffic must be performed locally by the SOHO device itself.

On-Premises vs Cloud

Data centers traditionally hosted centralized enterprise infrastructure. It is referred to as on-premises infrastructure, which implies that companies have full control over the network, compute, storage, and software components.

As public cloud offerings gained popularity, many organizations shifted their workload out of data centers. Compared to on-premises data centers, public clouds offer very good scalability and rapid deployment with a consumption-based billing model.

In this blog post, we covered different cloud resources from the previous CCNA exam blueprint.

Self-Test Questions

What is the difference between 2-tier and 3-tier network architecture for campus networks?
Both implement functionality of access, distribution, and core layers. 2-tier has distribution and core layers combined in 1. 3-tier has all 3 layers.
Which tier or layer of campus network architecture is responsible for performing 802.1x authentication and QoS classification?
Access layer
Which tier or layer of campus network architecture is responsible for inter-connecting switches that have end-user devices connected to them?
Distribution layer
What communication type is referred to as east-west?
Traffic between servers within the data center
Which devices have interface connected to each other in leaf and spine topology?
Only leaf-to-spine. No leaf-to-leaf and spine-to-spine links exist.
Provide an example of multi-access WAN topology?
MPLS VPN, Metro Ethernet E-LAN, Frame Relay, ATM, DMVPN, and SD-WAN
What are different design options available for Internet breakout for SOHO?
Centralized and local (split-tunnel) Internet breakout

Describe Wireless Principles CCNA

The new CCNA exam now includes topics from the discontinued CCNA Wireless exam. The current blueprint includes the topics listed below.

1.11 Describe wireless principles

1.11.a Nonoverlapping Wi-Fi channels

1.11.b SSID

1.11.c RF

1.11.d Encryption

5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)

We will divide these topics into several blog posts – this one will focus on radio fundamental topics and the following posts will cover SSIDs, security protocols, and encryption. The purpose of the series of short articles is to help CCNA candidates with exam preparation.

Frequency

A radio signal propagates in the form of a wave. One of the most important characteristics of a wave is its frequency. As figure 1 demonstrates, a radio wave repeats in cycles, and frequency is the number of full cycles per second. A frequency of 1 cycle per second is called 1 Hertz. The distance covered by one full cycle is the wavelength. It can be measured between any two adjacent points of the same phase; in figure 1 the orange wave’s cycle is measured between zero crossings and the blue one’s between two crests. Lower frequencies have longer wavelengths and travel further for the same transmit power. Wavelength is the speed of light divided by frequency, so, to give some perspective of the actual size, a 1MHz wave is about 300m long, a 2.4GHz wave is 12.5cm or 4.92 inches, and a 5GHz wave is 6cm or 2.36 inches.

Figure 1. Wireless Network Concepts – RF characteristics

Frequencies between 20 kilohertz (kHz) and 300 gigahertz (GHz) are classified as radio frequencies. FM/AM radio, television, DECT phones, and microwave ovens are all operating in the radio frequency range.

802.11 wireless network devices exchange data by transmitting and receiving radio signals in portions of 2 frequency bands – 2.4GHz and 5GHz. Many countries allow unlicensed use of subsets of these frequencies, but there are regulations restricting channel use and maximum transmit power. There are also restrictions on indoor vs outdoor use, and even requirements to dynamically move away from specific channels when a weather radar is detected (Dynamic Frequency Selection, DFS). The region that a device is certified to operate in is called its regulatory domain.

Radio Channels

Radio Channel numbers provide a simple reference to a specific frequency within a band. For example, channel 1 of the 2.4GHz band corresponds to the center frequency of 2412MHz. It is easier to remember channel 1 than its value of 2412MHz. Channel 2 has a center frequency of 2417MHz, or plus additional 5MHz.

Each channel has a range of frequencies to the left and to the right of its center frequency. Channel 1 from our example above occupies the range between 2401 and 2423MHz. The channel’s range is 22MHz wide, yet the center frequencies are only 5MHz apart. The reason is that the standard numbers channels in 5MHz steps, while devices use 22MHz- or 20MHz-wide channels. We will clarify the difference between 20MHz and 22MHz channels in the following section.

Manual setting of a channel number is usually not required; Wireless LAN Controller will perform required adjustments dynamically to ensure that there are no overlaps between adjacent access points. However, it is important to know the number of available non-overlapping channels when performing wireless network design and site surveys.

DSSS vs OFDM (or 22MHz vs 20MHz)

Direct-Sequence Spread Spectrum (DSSS) is a modulation technique that uses the whole 22MHz-wide channel to send information. DSSS was part of the original 802.11 standard at 1 and 2Mbps and was extended by 802.11b (HR-DSSS) to a maximum of 11Mbps; the 2.4GHz channel frequency ranges were standardized to match its requirement of 22MHz-wide channels.

Orthogonal Frequency-Division Multiplexing (OFDM) uses a different approach by splitting each 20MHz range into multiple smaller sub-channels or carriers. It was introduced with 802.11a for 5GHz and later in 802.11g for use in 2.4GHz. OFDM replaced DSSS as it was capable to provide higher bandwidth. As with DSSS, a single device can transmit at a time, as different sub-carriers in OFDM cannot be used at the same time by multiple transmitters.

The more recent 802.11ax standard, or Wi-Fi 6, adds the ability to divide these smaller sub-carriers into groups and assign them to different devices at the same time. This multi-user extension of OFDM in Wi-Fi 6 is called Orthogonal Frequency-Division Multiple Access (OFDMA).

2.4GHz Channels

The table below shows all available 2.4GHz channels. Countries in North America use only the first 11, while the majority of other countries allow the use of 2 additional channels.

Channel Number    Center Frequency (MHz)
1                 2412
2                 2417
3                 2422
4                 2427
5                 2432
6                 2437
7                 2442
8                 2447
9                 2452
10                2457
11                2462
12                2467
13                2472

Table 1. 2.4GHz Channels

There are only 3 non-overlapping channels in the 2.4GHz range – 1, 6, and 11. There is also channel 14 (2484MHz), but it can be used only in Japan and only with 802.11b.

5GHz

5GHz range has several subranges available, which are called Unlicensed National Information Infrastructure (U-NII) bands:

  • U-NII-1: 5.150-5.250GHz (4 channels)
  • U-NII-2: 5.250-5.350GHz (4 channels)
  • U-NII-2 Extended: 5.470-5.725GHz (11 channels)
  • U-NII-3: 5.725-5.850GHz (5 channels)

None of the 5GHz standards support DSSS with its 22MHz channels; only OFDM with 20MHz-wide channels is used. 802.11n and later 802.11ac allow bonding of 20MHz channels together to form 40MHz, 80MHz and even 160MHz channels to provide more bandwidth.

The table below shows the larger number of channels available in the 5GHz band. Unlike in 2.4GHz, the listed channels do not overlap with each other; by comparison, the whole 2.4GHz range would take only 3 lines if all overlapping channels were removed.

Numbering is still based on 5MHz increments, counted from 5000MHz. This explains why the first configurable channel number is 36: it corresponds to a center frequency of 5180MHz (5000 + 36×5).

Channel Number    Center Frequency (MHz)    Band Designation (US FCC)
36                5180                      U-NII-1
40                5200                      U-NII-1
44                5220                      U-NII-1
48                5240                      U-NII-1
52                5260                      U-NII-2
56                5280                      U-NII-2
60                5300                      U-NII-2
64                5320                      U-NII-2
100               5500                      U-NII-2 Extended
104               5520                      U-NII-2 Extended
108               5540                      U-NII-2 Extended
112               5560                      U-NII-2 Extended
116               5580                      U-NII-2 Extended
120               5600                      U-NII-2 Extended
124               5620                      U-NII-2 Extended
128               5640                      U-NII-2 Extended
132               5660                      U-NII-2 Extended
136               5680                      U-NII-2 Extended
140               5700                      U-NII-2 Extended
149               5745                      U-NII-3
153               5765                      U-NII-3
157               5785                      U-NII-3
161               5805                      U-NII-3
165               5825                      U-NII-3

Table 2. 5GHz Channels

Channel availability and power restrictions depend on the regulatory domain.

An easy way to check how many channels an AP supports in a specific country is the following procedure. Navigate to Cisco’s online tool to find out which regulatory domain the country is in. Then check the datasheet for the access point. Look for the “Frequency band and 20-MHz operating channels” section of the datasheet; it lists the number of channels supported in each regulatory domain.
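The channel numbering rules for both bands (channel 1 at 2412MHz with 5MHz steps, 5GHz channels counted from 5000MHz) and the overlap reasoning behind the 1/6/11 answer can be turned into a small tool. The Python below is an added example, not code from the original article; it also reproduces the wavelength figures from the Frequency section. The channel ranges it accepts are the ones listed in Tables 1 and 2.

```python
SPEED_OF_LIGHT_M_S = 299_792_458


def center_frequency_mhz(band: str, channel: int) -> int:
    """Channel number -> center frequency, as described in the text.
    2.4GHz: 2407 MHz + 5 MHz per channel for channels 1-13; channel 14
    is the exception at 2484 MHz. 5GHz: numbering starts at 5000 MHz in
    5 MHz steps, so channel 36 is 5000 + 36*5 = 5180 MHz."""
    if band == "2.4GHz":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5GHz":
        if 36 <= channel <= 165:
            return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not defined in the {band} band")


def channels_overlap(band: str, a: int, b: int, width_mhz: int) -> bool:
    """Two channels of the given width overlap when their centers are
    closer than one channel width (22 MHz for DSSS, 20 MHz for OFDM)."""
    return abs(center_frequency_mhz(band, a) - center_frequency_mhz(band, b)) < width_mhz


def non_overlapping_channels(band: str, channels, width_mhz: int) -> list:
    """Largest set of mutually non-overlapping channels, picked greedily
    from the lowest frequency upwards (earliest-finish-first interval
    scheduling, which is optimal for this problem)."""
    chosen = []
    next_free_mhz = float("-inf")
    for ch in sorted(channels, key=lambda c: center_frequency_mhz(band, c)):
        center = center_frequency_mhz(band, ch)
        if center - width_mhz / 2 >= next_free_mhz:
            chosen.append(ch)
            next_free_mhz = center + width_mhz / 2
    return chosen


def wavelength_cm(frequency_hz: float) -> float:
    """Wavelength = speed of light / frequency (12.5 cm at 2.4 GHz)."""
    return 100 * SPEED_OF_LIGHT_M_S / frequency_hz


if __name__ == "__main__":
    print("2.4GHz, 22 MHz DSSS, channels 1-11:",
          non_overlapping_channels("2.4GHz", range(1, 12), 22))
    print("2.4GHz, 20 MHz OFDM, channels 1-13:",
          non_overlapping_channels("2.4GHz", range(1, 14), 20))
    print("5GHz U-NII-1, 20 MHz:",
          non_overlapping_channels("5GHz", [36, 40, 44, 48], 20))
    print(f"2.4 GHz wavelength: {wavelength_cm(2.4e9):.1f} cm")
```

With 22MHz DSSS channels on 1-11 the selection is [1, 6, 11]; with 20MHz OFDM and all 13 channels it becomes [1, 5, 9, 13], which is why a 4-channel plan is sometimes used in regulatory domains that allow channel 13. Adding channel 14 to the 22MHz case yields [1, 6, 11, 14], the 802.11b plan available in Japan.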

Signal Power

Signal power is measured in watts. Radio waves propagate further when a higher transmit power is applied. Amplitude describes signal strength; in figure 1 it is shown as the distance between a crest and a trough of the radio wave (peak-to-peak). Typical power levels in wireless networks are measured in milliwatts (1/1000 of a watt). For example, the maximum available transmit power setting for the Catalyst 9130 access point is 200mW in the 2.4GHz range and 400mW in the 5GHz range.

Units of Measurement

Power levels can also be represented as a relative value in decibels referenced to 1mW (dBm). This measurement is based on a logarithmic scale. Imagine that you want to compare 5 power values in milliwatts, 1mW, 10mW, 20mW, 100mW, and 1000mW (1 Watt), by drawing them on a bar chart. Due to the large difference between the values, the 1000mW bar does not fit on a linear chart alongside the others.

Figure 2. RF Signal Power Bar Chart – Linear Scale

The logarithmic scale represents these values evenly by showing how the power changed rather than its absolute value. A simplified way to convert from mW to dBm and back is to add (or subtract) 3dB whenever the value in mW doubles (or halves), and to add (or subtract) 10dB whenever the value in mW increases (or decreases) tenfold. The 3dB step is an approximation (the exact figure is 3.01dB), which is close enough for hand calculation.

Let’s re-map the previous values on a bar chart with a logarithmic scale. The first value of 1mW is the same as our reference value of 1mW in dBm. As there is no change in power value 1mW is translated to 0 dBm. Then there is a tenfold increase to 10mW, which means we need to add 10dBm and the final value is 10dBm. The next value of 20mW is two times larger than 10mW, so we need to add 3dBm which gives us 13dBm.

100mW is tenfold increase from 10mW (10dBm), so we add another 10dBm to get 20dBm. The final value of 1000mW is tenfold increase from 100mW (20dBm); by adding another 10dBm we will get value of 30dBm for 1000mW. The result is shown on figure 3.

Figure 3. RF Signal Power Bar Chart – Logarithmic Scale

dBm can also be negative values to represent values that are smaller than 1mW. For example, -3dBm can be calculated as half of 1mW, which equals to 0.5mW. Refer to this Wikipedia article about logarithmic calculations for more information.

EIRP

Regulations usually specify a value called Effective Isotropic Radiated Power (EIRP). EIRP measures the signal strength as it is actually radiated by the antenna. For example, the transmit power of the radio can be low and within the allowed limit, but a high-gain antenna concentrates the signal so that the radiated power exceeds the legal threshold.

EIRP is the transmit power adjusted by the loss in the cable between the access point and the antenna and by the gain provided by the antenna. It is calculated with the following formula, with transmit power in dBm, cable loss in dB, and antenna gain in dBi:

EIRP = transmit power – cable loss + antenna gain
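The two conversions and the EIRP formula, as an added Python example (not code from the article or from any Cisco tool). It implements the exact logarithmic conversion, the 3dB/10dB rule of thumb from the text as a separate function so the two can be compared, and solves the EIRP formula for the highest transmit power allowed under a given limit. The 36dBm limit used in the usage section is an assumed sample value, not a statement of any country's regulation.

```python
import math


def mw_to_dbm(milliwatts: float) -> float:
    """Exact conversion: dBm = 10 * log10(P / 1 mW)."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Exact inverse: P = 1 mW * 10^(dBm / 10)."""
    return 10 ** (dbm / 10)


def rule_of_thumb_dbm(milliwatts: float):
    """The mental-arithmetic method from the text: +10 dB for every x10,
    +3 dB for every x2, -3 dB for every halving below 1 mW.
    Returns (approximate dBm, leftover factor). A leftover of 1.0 means
    the value decomposed exactly into tens and twos; otherwise the
    leftover (between 1 and 2) is the part the rule could not account for."""
    db, x = 0, float(milliwatts)
    while x >= 10:
        x, db = x / 10, db + 10
    while x >= 2:
        x, db = x / 2, db + 3
    while x < 1:
        x, db = x * 2, db - 3
    return db, x


def eirp_dbm(tx_power_dbm: float, cable_loss_db: float, antenna_gain_dbi: float) -> float:
    """EIRP = transmit power - cable loss + antenna gain (dBm, dB, dBi)."""
    return tx_power_dbm - cable_loss_db + antenna_gain_dbi


def max_tx_power_dbm(eirp_limit_dbm: float, cable_loss_db: float, antenna_gain_dbi: float) -> float:
    """Highest transmit power setting that keeps EIRP within a limit:
    the same formula solved for transmit power. A high-gain antenna
    forces the radio's power setting down."""
    return eirp_limit_dbm + cable_loss_db - antenna_gain_dbi


if __name__ == "__main__":
    for mw in (1, 10, 20, 50, 100, 1000, 0.5):
        approx, leftover = rule_of_thumb_dbm(mw)
        print(f"{mw:>7} mW = {mw_to_dbm(mw):6.2f} dBm exact, {approx:4} dBm by rule "
              f"(leftover x{leftover:.2f})")
    # Constructed scenario: 20 dBm radio, 2 dB of cable, 6 dBi antenna.
    print("EIRP:", eirp_dbm(20, 2, 6), "dBm =", round(dbm_to_mw(eirp_dbm(20, 2, 6))), "mW")
    # Assumed 36 dBm EIRP limit with a 14 dBi directional antenna and no cable loss.
    print("max radio power under a 36 dBm limit:", max_tx_power_dbm(36, 0, 14), "dBm")
```

The leftover factor is the useful part of the rule-of-thumb function: for 50mW it returns 16dBm with a leftover of 1.25, telling you the exact answer (16.99dBm) is about 1dB higher, while for 20mW and 1000mW the decomposition is exact.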

Modulation Techniques

The purpose of a wireless network is to transfer data. We know that different parameters characterize a radio wave. The process of changing these parameters to encode data in the radio signal is called modulation. The reverse process, in which the receiver extracts the data back from the signal, is called demodulation.

Wireless networks use 2 parameters of radio wave to encode data:

  • Phase
  • Amplitude

Phase

Radio waves follow the same repeating pattern. As shown in figure 4, a phase starts at zero-crossing (0°) and then reaches a peak (90°), then back to zero-crossing (180°) and reaching the trough (270°). Then it repeats after reaching the next zero-crossing (360° or 0°). Phase modulation is based on changing this pattern.

We will discuss 2 types of phase modulations – BPSK and QPSK. Binary Phase Shift Keying (BPSK) can encode a single bit – 0 or 1. As shown in the figure below, the orange wave travels using its normal pattern. No change to a pattern means 0. If the wave is then rotated by 180°, the receiver knows that value 1 is now being transmitted. In figure 4, rotation from 0° to 180° can be visually represented by inserting the third blue pattern into the placeholder. The figure shows a simplified representation of the phase shifts using a single wave cycle. The actual implementation is timer-based and spans several cycles.

Quadrature Phase Shift Keying (QPSK) can carry 2 bits of information per symbol – 00, 01, 10, or 11. To do this, the two additional patterns from our diagram are used for 90° and 270° rotations.

Figure 4. Phase Modulation

Amplitude

The second parameter that can be changed to encode information is amplitude. The transmitter can increase and decrease the power to change the amplitude of the signal. Quadrature Amplitude Modulation (QAM) is a modulation scheme that combines phase shifts with amplitude modulation.

With the 4 phase shifts of QPSK, 2 bits can be encoded. If at the same time 4 different amplitude levels can be applied to the signal, we get another 2 bits. This gives 4 bits in total, or 16 possible phase-and-amplitude combinations, and this scheme is called 16-QAM.

By increasing the number of distinguishable combinations, more information can be packed into each symbol. For example, 64-QAM has 64 combinations (6 bits per symbol) and 256-QAM has 256 (8 bits per symbol). The price is that the combinations sit closer together, so a higher signal-to-noise ratio is needed for the receiver to tell them apart.

Self-Test Questions

What is frequency of a radio wave?
A frequency of 1 Hertz describes a wave that completes one full cycle per second. A frequency of 2.4GHz means that the wave repeats its cycle 2,400,000,000 times per second.
What is DSSS and OFDM; and how are they different?
Both provide a way to encode data to signal. Direct-Sequence Spread Spectrum uses whole channels of 22MHz and was used in earlier 802.11b standard. Orthogonal Frequency-Division Multiplexing subdivides the channel of 20MHz into smaller carrier channels and is used in standards introduced after 802.11b. It also provides higher bandwidth.
How many channels in 2.4GHz band are available in North America and the rest of the world; how many of them don't overlap?
11 in North America and 13 in the rest of the world. Only 3 non-overlapping channels.
What are 4 bands available within 5GHz range; and what is the maximum number of non-overlapping channels available in each of these 4 bands?
• U-NII-1: 5.150-5.250GHz (4 channels)
• U-NII-2: 5.250-5.350GHz (4 channels)
• U-NII-2 Extended: 5.470-5.725GHz (11 channels)
• U-NII-3: 5.725-5.850GHz (5 channels)
Convert 2mW to dBm; 10mW to dBm?
3dBm; 10dBm
Formula for EIRP calculation?
EIRP = transmit power – cable loss + antenna gain
What are 2 properties of radio waves that are used to encode data in wireless networks?
• Phase
• Amplitude

Compare Physical Interface and Cabling Types CCNA

Physical interface and cabling types is another topic from the current CCNA exam blueprint. Network engineers must know what physical connectivity options exist and understand their limitations in speed and distance. Power over Ethernet (PoE) is another related and important topic, as many critical devices are now dependent on network-delivered power. Network vendors and the IEEE work to identify and standardize new ways to support higher power demands.

The CCNA exam tests knowledge of these topics:

1.3 Compare physical interface and cabling types

1.3.a Single-mode fiber, multimode fiber, copper

1.3.b Connections (Ethernet shared media and point-to-point)

1.3.c Concepts of PoE

This first section is dedicated to types of physical interfaces available in Cisco LAN switches. The further sections present cabling and POE details.

Physical Interfaces

Cisco network devices can have either fixed ports or hot-pluggable transceivers slots. Figure 1 shows a Cisco Catalyst 9200 switch with 48x 10/100/1000 copper POE-enabled ports and an extension module, C9200-NM-4X which provides 4x SFP/SFP+ slots (on the right).

Figure 1. Cisco Catalyst 9200 switch with 4x 10GE SFP module
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

Different types of transceivers can be inserted into an SFP slot. For example, the C9200-NM-4X module shown in Figure 1 accepts 1Gbps SFP modules and 10Gbps SFP+ modules. Figure 2 below shows SFP modules on the left and a direct-attach Twinax copper cable on the right. This cable has an SFP+ transceiver permanently attached at each end and is a cost-effective way to connect devices in the same or adjacent racks.

Figure 2. SFPs and Direct-Attach Twinax Cables
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

Modern Catalyst switches, such as Catalyst 9000 series, have 2 types of copper interfaces:

  • 10/100/1000Mbps
  • Multigigabit with speed up to 10Gbps

Both types of interfaces support several standards and negotiate the speed with the connected device. For example, the 10/100/1000 copper ports of the Catalyst 9200 switch shown in Figure 1 support 10Base-T, 100Base-TX and 1000Base-T. Multigigabit ports can negotiate 100Mbps, 1Gbps, 2.5Gbps, 5Gbps, and 10Gbps.

802.3 Standards

IEEE 802.3 family of standards defines physical interface specifications for the wired Ethernet. The table below shows some of the 802.3 standards.

Standard     Specification         Physical Media
802.3        10Base-T              UTP Cat 3 or higher
802.3u       100Base-TX            UTP Cat 5 or higher
802.3ab      1000Base-T            UTP Cat 5 or higher
802.3z*      1G over fiber         Different types of fiber
802.3bz      Multirate 2.5G/5G     UTP Cat 5E or higher
802.3an      10GBase-T             UTP Cat 6 (55m), Cat 6A
802.3ae**    10G over fiber        Different types of fiber
802.3by      25Gbps                Different types of fiber, twinax
802.3ba      40Gbps/100Gbps        Different types of fiber, twinax

Table 1. 802.3 Standards, Speed and Physical Media

*802.3z standard is called Ethernet over Fiber-Optic at 1Gbit/s and references multiple other standards. The example of commonly used options are 1000Base-SX (multi-mode fiber) and 1000Base-LX (multi-mode/single-mode fiber). Check this Wikipedia article for the full list.

**Has references to multiple standards depending on fiber type. The most commonly used options are 10GBase-SR, 10GBase-LR. Check this Wikipedia article for the full list.

Small Form-factor Pluggable Transceivers (SFPs)

SFPs are network interface modules. Their specifications are developed and maintained by an industry group of vendors under a multi-source agreement (MSA), i.e. not by the IEEE. While modules manufactured by different companies should be interchangeable, many vendors, including Cisco, officially support only their own branded SFPs. QSFP modules are larger; the picture below shows the difference between SFP and QSFP modules, as well as the switch-side sockets. In this example, it is a Catalyst 9300 48-port SFP+ switch with a C9300-NM-2Q network module (accepting 2x QSFP+ modules).

Figure 3. Catalyst 9300 with SFPs (on the left) and QSFPs (on the right)
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

The table below lists different types of SFPs along with the supported speed. To confirm if a specific module can be used in a specific Cisco device use the transceiver compatibility tool available here.

Name        Speed
SFP         1 Gbps
SFP+        10 Gbps
SFP28       25 Gbps
QSFP        40 Gbps
QSFP28      40/100 Gbps
QSFP-DD     100/400 Gbps

Table 2. SFPs and Speed

Unshielded Twisted Pair

Copper connectivity is based on Unshielded Twisted Pair (UTP) cabling of different categories. A higher category number refers to the newer standard and better parameters. An Ethernet cable consists of 8 wires, which are twisted together in pairs. The maximum distance for copper cabling is 100m. The connector is called 8P8C and also commonly referred to as RJ45.  There are 2 standards defining how individual wires are terminated within the connector – T568A and T568B. Refer to Wikipedia article for further information on pin-outs.

End devices have MDI (Medium Dependent Interface) ports and switches have MDI-X ports. The -X means that the receive and transmit pairs are swapped. To connect MDI to MDI-X, a straight-through cable is used. This cable has the same pin-out scheme on both connectors – either T568A or T568B. To connect MDI to MDI (host to host back-to-back) or MDI-X to MDI-X (switch to switch), a crossover cable is required. A crossover cable has a T568A pin-out on one connector and a T568B pin-out on the other, which swaps pins 1-2 with pins 3-6 (a full gigabit crossover also swaps pins 4-5 with pins 7-8).

Many modern switches support Auto-MDI/MDI-X and automatically switch their ports between MDI-X and MDI. They can use straight-through cables to connect to each other and don’t require a crossover cable.
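The pin-outs behind the straight-through/crossover distinction can be checked programmatically. The Python below is an added example, not from the original article; the T568A/T568B colour orders are the standard ones the Wikipedia link above documents, and the MDI pin assignments are the 10/100BASE-T ones (transmit on pins 1-2, receive on pins 3-6). It derives the wire map from the two termination standards instead of hard-coding the cable type, so a miswired cable is reported rather than misclassified.

```python
# 8P8C (RJ45) pin 1 through pin 8 under each termination standard.
T568A = ("white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown")
T568B = ("white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown")

# 10/100BASE-T(X) pairs as seen from an MDI port (host side).
MDI_TX = (1, 2)
MDI_RX = (3, 6)


def wire_map(end_a, end_b):
    """For each pin on end A, the pin on end B the same wire lands on."""
    return {pin: end_b.index(colour) + 1 for pin, colour in enumerate(end_a, start=1)}


def cable_type(end_a, end_b):
    """Classify a cable from the termination standard used at each end."""
    m = wire_map(end_a, end_b)
    if all(m[p] == p for p in m):
        return "straight-through"
    tx_lands_on_rx = tuple(m[p] for p in MDI_TX) == MDI_RX
    rx_lands_on_tx = tuple(m[p] for p in MDI_RX) == MDI_TX
    if tx_lands_on_rx and rx_lands_on_tx:
        return "crossover"
    return "miswired"


def link_works(port_a, port_b, cable):
    """port_* is 'MDI', 'MDI-X' or 'auto'. A link needs one side's
    transmit pair to land on the other side's receive pair: a
    straight-through cable between MDI and MDI-X, a crossover between
    two ports of the same kind, and anything at all when one side
    supports Auto-MDI/MDI-X."""
    if "auto" in (port_a, port_b):
        return cable != "miswired"
    if port_a == port_b:
        return cable == "crossover"
    return cable == "straight-through"


if __name__ == "__main__":
    print("B-B:", cable_type(T568B, T568B))
    print("A-B:", cable_type(T568A, T568B), "wire map:", wire_map(T568A, T568B))
    print("host to switch, straight:", link_works("MDI", "MDI-X", "straight-through"))
    print("switch to switch, straight:", link_works("MDI-X", "MDI-X", "straight-through"))
    print("switch to auto switch, straight:", link_works("MDI-X", "auto", "straight-through"))
```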

Optical Fiber

Optical fiber cabling is usually more expensive to install, however, it has many benefits when compared to copper. In most cases, fiber cables can provide higher bandwidth over greater distances.

Fiber cabling is divided into 2 types:

  • Multi-mode with categories of cables OM1, OM2, OM3, OM4 and OM5
  • Single-mode of two types – OS1 and OS2

A fiber cable has a core and cladding around it. A multi-mode cable’s core is either 50 or 62.5 micrometers in diameter with 125 micrometer cladding. For comparison, a human hair is roughly 70 micrometers in diameter. A single-mode cable’s core is thinner – between 8 and 10.5 micrometers in diameter, with the same 125 micrometer cladding. Multi-mode transmitters use wavelengths of 850nm and 1300nm; single-mode uses 1310nm or 1550nm. Cisco publishes the maximum supported distance for each SFP based on cabling characteristics. These datasheets can be accessed via the Cisco transceiver compatibility tool. A very detailed comparison table of multimode cables is available here.

Single-mode cabling can cover much greater distances than multi-mode cables. See “Modal dispersion” article on Wikipedia explaining physics behind this.

Multimode OM numbers, as UTP categories, are better with larger number and provide better speed and distance. Single-mode OS1 is for indoor use/shorter distances and OS2 is for outdoor/long distance-use.

Connectors

Cisco fiber SFPs and some QSFPs have a duplex LC connector. Some QSFPs can also have MPO connectors. Check this article on Wikipedia with photos and specifications of different types of connectors.

Power Over Ethernet (POE)

Cisco Catalyst switches perform role of Power Sourcing Equipment (PSE). Cisco IP Phones, Access Points and other end devices are Powered Devices (PDs). Standards and data sheets usually list 2 power values: 

  • delivered on the switch port (PSE)
  • received at the end device (PD)

The value at PD is always smaller than at PSE due to the power dissipation in cabling.

Standards

Cisco introduced its proprietary technology before the IEEE standardized PoE. Cisco inline power can provide up to 10W at the PSE. The switch sends a Fast Link Pulse to detect a power-enabled device, which then sends a link pulse back. The switch and device negotiate the final power level via a Layer 2 capability exchange protocol – Cisco Discovery Protocol (CDP). The original Cisco inline power switches and end devices reached their End-Of-Support dates a long time ago and have been replaced with newer platforms using the PoE standards described below.

In 2003 the IEEE released the first PoE standard – 802.3af. The standard isn’t compatible with Cisco’s proprietary implementation. The PSE can deliver a maximum of 15.40W, with 12.95W available at the PD. The specification defined PD detection and classification mechanisms using electrical signaling. A PD has the option to signal to the switch which class it belongs to; with this information, the switch knows how much power it must reserve for it. As table 3 shows, 802.3af defined 3 classes plus class 0, which means that the PD does not support classification and the full 15.4W is reserved.

Power (PSE side)    Specification            Class
4W                  IEEE 802.3af Type 1      Class 1
7W                  IEEE 802.3af Type 1      Class 2
10W                 Cisco inline-power       -
15.4W               IEEE 802.3af Type 1      Class 3
15.4W               IEEE 802.3af Type 1      Class 0 (not classified)
30W                 IEEE 802.3at Type 2      Class 4
45W                 IEEE 802.3bt Type 3      Class 5
60W                 IEEE 802.3bt Type 3      Class 6
60W                 Cisco UPOE               -
75W                 IEEE 802.3bt Type 4      Class 7
90W                 IEEE 802.3bt Type 4      Class 8
90W                 Cisco UPOE+              -

Table 3. POE Wattage and Associated Standards

In 2009 the IEEE released the new 802.3at standard. Devices supporting it are called Type 2 or PoE+. PSEs and PDs complying with the earlier 802.3af standard were labeled Type 1 devices. 802.3at provides up to 30W at the PSE and 25.50W at the PD. Power levels above the 802.3af maximum require an additional negotiation stage, using either electrical signaling or a Layer 2 capability exchange protocol such as LLDP or CDP.

The standard is backward compatible and supports 802.3af Class 1-3 devices. A new Class 4 is allocated for 30W devices. 802.3at is widely used; the current generation of access switches, such as the Catalyst 9200, and modern access points support it. Both 802.3af and 802.3at use only 2 of the 4 pairs in a UTP cable to deliver power.

New use cases emerged, for example smart buildings with POE-powered lighting and network-powered display screens. These devices demanded more power. In 2011, Cisco introduced the proprietary Universal Power over Ethernet (UPOE) technology to support up to 60W using all 4 pairs of the UTP cable. IEEE released the 802.3bt standard in 2018 with up to 90W of power at the PSE. The standard introduced Type 3 devices (up to 60W) and Type 4 devices (up to 90W), and it also makes use of all 4 pairs.

Cisco UPOE and IEEE 802.3bt Type 3 both deliver 60W but operate differently. Cisco publishes a list of UPOE Catalyst switches and line cards that comply with 802.3bt. Cisco's proprietary UPOE+ was released to support 90W; UPOE+ switch modules can also support 802.3bt Type 4 devices.

Some switches and line cards from Catalyst 9300 and 9400 families support UPOE and UPOE+. Catalyst 9200 switches support only POE+ (802.3at).

Self-test Questions

What are the 2 types of copper ports Catalyst 9000 series switches support?
• 10/100/1000Mbps
• Multigigabit – 100Mbps and 1/2.5/5/10Gbps

What are 2 types of fiber cabling?
• Multi-mode (OM1, OM2, OM3, OM4 and OM5)
• Single-mode (OS1 and OS2)

What are 2 roles a device can perform in POE configuration?
• Power Sourcing Equipment (PSE) – the switch providing power
• Powered Devices (PDs) – end devices consuming power

Cisco DNA Center

This article describes the role and functions of Cisco DNA Center in the context of CCNA exam blueprint requirements.

Relevant CCNA exam topics are available here:

  • Explain the role and function of network components: Controllers (Cisco DNA Center and WLC*)
  • Compare traditional campus device management with Cisco DNA Center enabled device management

* Wireless LAN Controllers functions were discussed in the blog post dedicated to wireless devices, however, this article will use WLCs along with other types of controllers for comparison.

DNA Center Overview

Cisco DNA Center is a management software and a controller for SD-Access. At the time of the writing, it is available only as a hardware appliance. DNA Center is positioned in Cisco’s product line as the replacement for Cisco APIC-EM. It can also replace Cisco Prime Infrastructure.

There are 3 available options of hardware appliances to choose from:

  • DN2-HW-APL (C220 M5, 44 cores) – up to 1000 devices
  • DN2-HW-APL-L (C220 M5, 56 cores) – up to 2000 devices
  • DN2-HW-APL-XL (C480 M5, 112 cores) – up to 5000 devices

Cisco supports a single node deployment or a cluster of 3 appliances for high availability.

DNA Center can operate with 2 types of networks:

  • Traditional campus networks
  • SD-Access fabric

Traditional Networks

DNA Center can work with non-SD-Access networks in the same way as traditional network management software. Policy-driven automation is available in this mode, but it is optional. Assurance and analytics functionality can be enabled with only read-only access to the network devices, which provides a safe way to get familiar with DNA Center and evaluate its features.

SD-Access Fabric

Cisco introduced a new paradigm for medium- to large-size enterprise networks called intent-based networking. In this architecture an administrator communicates intent to the controller, i.e. requests "what" should be achieved, without specifying the device-specific instructions ("how") needed to apply the change. The controller accepts instructions from an administrator via the GUI or from an application via the API and then applies the configuration to the devices it controls.

Software-Defined Access, or SD-Access, is an implementation of this paradigm. We've published an article called SD-Access Components that explains the functions of DNA Center only briefly; this blog post expands on it. SD-Access relies on multiple underlying protocols to provide a scalable and flexible, but relatively complex, virtualized network infrastructure. DNA Center hides this complexity by providing a level of abstraction that lets network operators focus on higher-level configuration concepts, such as policies.

Role in the network

In an SD-Access fabric, DNA Center plays a more essential role than in a non-SD-Access network: while the underlay network can be built manually, the overlay networks are created and operated via DNA Center. In a traditional network, an administrator can decide which tasks should be performed by DNA Center and which ones are done directly on the device.

DNA Center has ability to perform many tasks in the network lifecycle:

  • Day 0. Onboarding and discovery. During this stage DNA Center can be used for zero-touch provisioning (ZTP) with Plug and Play (PnP) protocol
  • Day 1. Provisioning. Policy-based templates can be defined and applied to multiple devices grouped into a hierarchy of sites
  • Day 2, N. Operation via policy configuration, monitoring, troubleshooting, and software patching. DNA Center has multiple features simplifying network operations tasks, including Software Image Management and zero-touch RMA

Controller operations

Management plane

A network controller can use many protocols to interact with the network devices, and this communication is referred to as Southbound connectivity. DNA Center can use multiple management protocols, for example CLI over SSH, NETCONF and SNMP. To provide some comparison with other controllers: Cisco SD-WAN uses NETCONF to push configuration from vManage to vEdge devices, and a Cisco WLC uses the CAPWAP protocol to communicate with access points. Because the controller holds the credentials of every device it manages, access to the appliance itself (and to its API) has to be protected at least as carefully as access to the devices.

Managed devices, such as switches and routers, run normal IOS-XE software. Their configuration mode can still be accessed locally, and changes pushed from DNA Center can be observed in the device's configuration files.

Control plane

In both modes of operation the control plane stays distributed across the switches, access points and routers; DNA Center keeps the network devices in charge of their own control plane operation. The network continues to function if the DNA Center appliance is not reachable. For example, it doesn't participate in dynamic route propagation or reflection, unlike the vSmart controllers in SD-WAN.

Data plane

Cisco DNA Center doesn't perform transit data forwarding functions. In comparison, a Cisco Wireless LAN Controller does switch client traffic in certain deployment modes (centrally switched WLANs).

Features and Functions

DNA Center functions and features can be divided into 4 groups, as shown in Figure 1.

Figure 1. DNA Center Features and Functions

Automation

This group of features is responsible for performing operational and provisioning tasks without applying the configuration manually to the devices. Some examples are given below.

Network Design and Profiles

Logical separation of the network into a hierarchy of regions and sites. Profiles that include common parameters, such as DNS and DHCP server details, are then associated with these logical containers, so all sites under them inherit the settings.

Software Image Management (SWIM)

This feature ensures that consistent software image versions are deployed to devices in the network. DNA Center performs checks before and after installation; free space on the flash memory is one such check.

Network Plug and Play (PnP)

A very useful feature when the number of deployed devices is high. A device just needs to be plugged in and receive an IP address to obtain its configuration automatically. To locate DNA Center, several discovery methods are supported, such as a DHCP option and a DNS name. Note that a factory-default device will trust whichever controller address the discovery process hands it, so the DHCP and DNS services on the onboarding network need the same level of protection as the controller.

QoS Configuration Automation

One of the challenging aspects of the day-to-day operation of the network is QoS policy implementation. Applications on the network can change or new ones are added. If the network is managed manually, keeping configuration up-to-date with properly classified traffic and its preferred treatment can consume a lot of time. Different hardware QoS implementation on different models of devices further increases the complexity.

DNA Center provides an intuitive user interface that allows the administrator to select one of the pre-defined application templates and to choose whether it is business-relevant or not. The scope, i.e. which devices should have this policy, is then selected and the configuration is applied to the network.

Assurance

Another function of a controller is to provide centralized monitoring. The DNA Center component responsible for it is called DNA Assurance. It provides many unique features, such as correlation of different types of information, focused 360 views for network devices and clients, and a retrospective view with the Network Time Travel feature.

Dashboards

There are multiple dashboards available each focusing on different aspects of network health. Performance of business-relevant applications, clients and network devices is monitored and top issues are displayed.

Device 360, Client 360 and Network Time Travel

These features provide a device-centric view of a network device or a client. They give an administrator quick access to the information relevant to an endpoint or device, along with its health score. For example, this simplifies troubleshooting when a user complains about application performance: by using the search function to quickly locate the user and their device, an administrator can identify whether there are issues with network reachability, such as poor RF signal or packet drops.

There is also usually a delay between the time an issue occurs and the time an administrator starts working on the ticket. By then the alert may have cleared, making troubleshooting more difficult. Network Time Travel allows focusing the device view on a specific time in the past (up to 14 days) to see the events and alerts that were active at that time.

Path Trace

Path Trace visually displays every device in the path between two IP addresses across the network. It can optionally include information about devices whose access lists may be blocking the traffic, as well as interface and QoS (Quality of Service) statistics.

AI Network Analytics

Analytics powered by Artificial Intelligence/Machine Learning algorithms help to proactively identify issues. First, a network-specific baseline is gathered and learned. This baseline is then used to detect anomalies and alert the administrator of a possible issue.

SD-Access

This group of functions is specific to SD-Access. It includes the functions the SD-Access controller needs to manage the fabric infrastructure and fabric wireless.

Fabric Assurance

DNA Center provides additional monitoring features for the fabric, such as the correlation of the fabric's underlay and overlay, and reachability between fabric edge, control and border nodes.

Group-based Policy Configuration

DNA Center integrates with Cisco ISE (Identity Services Engine) to enable identity-based policies using Cisco TrustSec. Group-based Policy configuration allows an administrator to manage groups and policies from the DNA Center user interface; DNA Center then communicates with ISE and the fabric.

The main purpose of this feature is to let network devices infer user identity without relying on IP address or VLAN mappings. For example, when a user or a device is authenticated by ISE, traffic from this device is marked with a special tag called an SGT (Security/Scalable Group Tag). SD-Access places this tag into the VXLAN header, so other fabric devices can tell which user or group the packet belongs to and use this information to apply security and QoS policies.
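The tag placement described above, as an added example that is not part of the original post or Cisco's code: the 8-byte VXLAN header with the group-policy extension (the layout from draft-smith-vxlan-group-policy, which Cisco documents as VXLAN-GPO) is built and parsed in Python, and then an egress fabric node's decision is modelled from the source SGT in the header, the destination SGT from the node's own IP-to-SGT bindings, and a policy matrix. The SGT numbers, the IP-to-SGT bindings and the policy matrix are constructed sample data; a header without the G bit is treated as SGT 0 (unknown), which is how an untagged source ends up with the default action.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Flag bits of the 16-bit flags field in the VXLAN group-policy header
# (draft-smith-vxlan-group-policy layout, the encoding Cisco calls VXLAN-GPO).
# Bit 0 of the draft's diagram is the most significant bit here.
FLAG_G = 1 << 15   # Group Policy extension: Group Policy ID field carries an SGT
FLAG_I = 1 << 11   # VNI valid (the only flag a plain RFC 7348 VXLAN header sets)
FLAG_D = 1 << 6    # Don't Learn the inner source address at the egress node
FLAG_A = 1 << 3    # policy already Applied by an upstream node

UNKNOWN_SGT = 0    # TrustSec reserves SGT 0 for "unknown"


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None, applied: bool = False) -> bytes:
    """Encode an 8-byte VXLAN header; sgt=None yields a plain VXLAN header without G."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    flags, group_id = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt < (1 << 16):
            raise ValueError("SGT is a 16-bit field")
        flags |= FLAG_G
        group_id = sgt
    if applied:
        flags |= FLAG_A
    # flags(16) | group policy id(16) | vni(24) + reserved(8)
    return struct.pack("!HHI", flags, group_id, vni << 8)


def parse_vxlan_gpo(header: bytes) -> Dict[str, object]:
    """Decode the header; an absent G bit means there is no tag to trust."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags, group_id, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI field not valid")
    return {
        "vni": vni_word >> 8,
        "sgt": group_id if flags & FLAG_G else None,
        "policy_applied": bool(flags & FLAG_A),
        "dont_learn": bool(flags & FLAG_D),
    }


Policy = Dict[Tuple[int, int], str]   # (source SGT, destination SGT) -> "permit" / "deny"


def egress_decision(header: bytes, inner_dst_ip: str, ip_to_sgt: Dict[str, int],
                    policy: Policy, default: str = "deny") -> str:
    """What an egress fabric node does with a decapsulated packet."""
    h = parse_vxlan_gpo(header)
    if h["policy_applied"]:
        return "permit"   # A bit set: an upstream node already enforced the policy
    src_sgt = UNKNOWN_SGT if h["sgt"] is None else h["sgt"]
    dst_sgt = ip_to_sgt.get(inner_dst_ip, UNKNOWN_SGT)   # destination SGT from local bindings
    return policy.get((src_sgt, dst_sgt), default)


# Constructed sample data: SGT 10 = Employees, 20 = Contractors, 30 = Production servers
SAMPLE_BINDINGS = {"10.1.30.5": 30, "10.1.10.7": 10}
SAMPLE_POLICY: Policy = {(10, 30): "permit", (10, 10): "permit", (20, 30): "deny"}
VNI = 8190


def demo() -> List[str]:
    cases = [
        (build_vxlan_gpo(VNI, sgt=10), "10.1.30.5"),               # employee -> server
        (build_vxlan_gpo(VNI, sgt=20), "10.1.30.5"),               # contractor -> server
        (build_vxlan_gpo(VNI), "10.1.30.5"),                       # untagged (no G bit) -> server
        (build_vxlan_gpo(VNI, sgt=10), "10.1.10.7"),               # employee -> employee
        (build_vxlan_gpo(VNI, sgt=10), "10.1.99.9"),               # employee -> host with no binding
        (build_vxlan_gpo(VNI, sgt=20, applied=True), "10.1.30.5"), # already enforced upstream
    ]
    return [egress_decision(h, ip, SAMPLE_BINDINGS, SAMPLE_POLICY) for h, ip in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two things worth noticing: the policy is keyed on the tag pair, not on addresses, which is exactly what lets the same rule follow a user across subnets; and the decision relies entirely on the fabric nodes being honest about the tag they stamp, so the trust boundary is the set of nodes allowed to encapsulate into the fabric.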

Platform

In the management plane section we introduced the concept of Southbound protocols in Software Defined Networks, i.e. from the controller to the managed devices, such as switches and routers. Northbound protocols, as their name suggests, work in the opposite direction: they are responsible for communication from external services to the controller, for example for 3rd-party integration. Cisco DNA Center exposes REST (Representational State Transfer) APIs for such integration.
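As an added illustration (not code from Cisco or from this post), a minimal Python client for the northbound REST API: it obtains a token from the Intent API authentication endpoint, sends it in the X-Auth-Token header on every later request, and uses the network-device inventory to flag devices that are not running a chosen golden software version. The two endpoint paths are the ones Cisco documents for the Intent API; the appliance hostname, credentials, token and inventory responses are constructed, so the example runs offline through a fake transport that enforces the same authentication rules the real API does.

```python
import json
import ssl
import urllib.request
from base64 import b64encode
from typing import Any, Callable, Dict, List, Optional

# Cisco DNA Center Intent API paths (from Cisco's published API documentation)
AUTH_PATH = "/dna/system/api/v1/auth/token"
DEVICES_PATH = "/dna/intent/api/v1/network-device"

# transport(method, url, headers) -> response body; swapped for a fake below
Transport = Callable[[str, str, Dict[str, str]], bytes]


def https_transport(method: str, url: str, headers: Dict[str, str]) -> bytes:
    """Real transport. Certificate verification stays on: install the appliance's CA
    in the trust store instead of disabling it, or the Basic credentials and the
    token can be harvested by anyone on the path."""
    req = urllib.request.Request(url, method=method, headers=headers)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


class DnacClient:
    def __init__(self, base_url: str, transport: Transport = https_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        # Credentials are sent once, as HTTP Basic, to obtain a token;
        # every later call carries only the token.
        basic = b64encode(f"{username}:{password}".encode()).decode()
        body = self.transport("POST", self.base_url + AUTH_PATH,
                              {"Authorization": "Basic " + basic,
                               "Content-Type": "application/json"})
        self.token = json.loads(body)["Token"]

    def list_devices(self) -> List[Dict[str, Any]]:
        if self.token is None:
            raise RuntimeError("call login() first")
        body = self.transport("GET", self.base_url + DEVICES_PATH,
                              {"X-Auth-Token": self.token, "Accept": "application/json"})
        return json.loads(body)["response"]


def non_compliant(devices: List[Dict[str, Any]], golden_version: str) -> List[str]:
    """Hostnames not running the golden image version (a read-only SWIM-style check)."""
    return sorted(d["hostname"] for d in devices if d.get("softwareVersion") != golden_version)


# Constructed stand-in for the appliance (hostname, token and inventory are made up)
FAKE_BASE = "https://dnac.example.invalid"
FAKE_TOKEN = "constructed-token-value"
FAKE_RESPONSES = {
    ("POST", AUTH_PATH): json.dumps({"Token": FAKE_TOKEN}).encode(),
    ("GET", DEVICES_PATH): json.dumps({"response": [
        {"hostname": "edge-01", "managementIpAddress": "10.10.20.1",
         "softwareVersion": "17.9.4", "reachabilityStatus": "Reachable"},
        {"hostname": "edge-02", "managementIpAddress": "10.10.20.2",
         "softwareVersion": "17.6.5", "reachabilityStatus": "Reachable"},
        {"hostname": "border-01", "managementIpAddress": "10.10.20.3",
         "softwareVersion": "17.9.4", "reachabilityStatus": "Unreachable"},
    ], "version": "1.0"}).encode(),
}


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> bytes:
    """Rejects unauthenticated calls the same way the real API does (HTTP 401)."""
    path = url[len(FAKE_BASE):]
    if path == AUTH_PATH and not headers.get("Authorization", "").startswith("Basic "):
        raise PermissionError("401: credentials required")
    if path != AUTH_PATH and headers.get("X-Auth-Token") != FAKE_TOKEN:
        raise PermissionError("401: missing or invalid X-Auth-Token")
    return FAKE_RESPONSES[(method, path)]


def demo() -> List[str]:
    client = DnacClient(FAKE_BASE, transport=fake_transport)
    client.login("admin", "constructed-password")
    return non_compliant(client.list_devices(), golden_version="17.9.4")


if __name__ == "__main__":
    print("Devices off the golden image:", demo())
```

To use it against a real appliance, pass the appliance URL and leave the transport at its default; the token is what the API keys on for the rest of the session, so treat it like the password it was exchanged for.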

Integration with Service Management Platforms

Cisco DNA Center can be integrated via its API with Service Management Platforms such as ServiceNow. For example, the Software Image Management feature of DNA Center can log a change request in ServiceNow and perform the image push only once it is approved. Another use case is automated ticket logging when DNA Center discovers an issue.

IPAM Integration

IP Address Management (IPAM) provides centralized management of IP pool allocation. Integrating with such a system allows DNA Center to reserve pools for its workflows.

Self-test questions

What are 2 types of networks that DNA Center can work with?
• Traditional networks, as a management platform
• SD-Access fabric, as a controller and a management platform

DNA Center supports Southbound and Northbound protocols. What are they?
• Southbound protocols are responsible for communication from a controller to managed devices
• Northbound protocols or APIs provide access to the controller from external systems

Explain Role and Function of Network Components – Part 3 – Routers, Firewalls, and IPSs

This is the third article about the roles and functions of different network components (click on the links for the first and second parts). In this part we will discuss the operation of devices deployed at the network edge: Routers, Firewalls and Intrusion Prevention Systems (IPSs).

Network edge provides connectivity between the company’s branch offices, data centers, remote workers, business partners, and the Internet. These devices must support a variety of transport technologies and provide security services.

There are two main types of edge connectivity:

  • Internet
  • WAN

Internet connectivity, due to its public nature, needs stronger security controls, and devices such as firewalls and IPSs are usually deployed to provide perimeter protection. The Wide Area Network (WAN) in many environments was traditionally considered a trusted network, with only routers installed at the edge of each campus and branch.

In general, WAN links are more expensive and may not be available at every location. WAN connectivity is usually backed by agreed service level contracts and has guaranteed bandwidth and predictable latency. On the other hand, Internet links are cheap and offer more bandwidth, but no end-to-end service performance guarantees.

VPN tunneling over the Internet is used as a backup WAN connectivity method in many networks. Newer technologies, such as Cisco SD-WAN, often use several Internet connections as primary and backup WAN transports. SD-WAN routers can actively monitor link performance end-to-end and re-route traffic automatically based on the configured policy.

With these trends, the dividing line between WAN and Internet becomes less clear, and the WAN can no longer simply be assumed to be trusted. Implementing security services on the SD-WAN routers or installing firewalls behind them can be a reasonable choice.

Routers

The main function of a router is to perform Layer 3 forwarding, which in most networks means routing IP (IPv4 or IPv6) packets. Routers can run dynamic routing protocols to find the best paths to remote networks.

As we discussed in part 1 of this series, a Layer 3 Switch performs a similar function.

What is the difference between a Layer 3 switch and a router?

Historically, switches performed only Layer 2 functions and routers were responsible for Layer 3 operations. Topologies such as router on a stick for inter-VLAN routing were common. Figure 1 shows a sample network demonstrating how traffic between VLAN 10 and VLAN 20 hairpins via the router.

Figure 1. Router on a stick

With the introduction of Layer 3 functionality in switches, inter-VLAN routing moved from routers to switches. The term Layer 3 switching is used to describe fast, hardware-accelerated routing.

For example, an aggregation-level router such as the Cisco ASR 1002-HX has a performance of up to 78 Mpps, which is outperformed by the entry-level Catalyst C9200-24PXG access switch, capable of switching up to 262 Mpps (million packets per second).

There is a balance between flexibility and performance. Routers provide more services, which is why their raw Layer 3 forwarding rates are lower. For example, routers support many types of WAN links (such as DSL variants and 4G LTE), can accept the full Internet routing table, provide advanced QoS and application awareness, perform zone-based firewall services, establish VPN tunnels, act as voice gateways, and offer many other features.

Cisco's website has a tool called Feature Navigator that allows us to look up which features a specific platform or software version provides.

Cisco router product portfolio

Cisco routers can be grouped based on the type of location where they are typically deployed:

  • Branch routers: ISR 900, ISR 1000, ISR 4000, Meraki MX
  • WAN aggregation: ASR 1000, NCS 5000/5500
  • Datacenter and clouds: CSR 1000v, Meraki vMX100
  • Service provider routers: ASR 1000, ASR 9000, Cisco 8000 Series

Cisco router software

Previously, all enterprise Cisco routers ran the Cisco IOS software. It has now mostly been replaced by IOS-XE; the ISR 900 models are the only devices in the current product line that still use IOS.

IOS-XE is IOS's successor, and the majority of enterprise-level devices, including ISR 1000, ISR 4000, ASR 1000 and CSR 1000v, run it. IOS-XE is based on a Linux kernel, with IOS running as a process called IOSd. IOS-XE and IOS share command-line syntax.

Enterprise platforms running IOS-XE can also run the SD-WAN version of the software, which allows the router to be managed by SD-WAN controllers (more information about SD-WAN platforms is available here).

Service provider routers, such as NCS 5000/5500 and ASR 9000, run IOS XR software.

Self-test question: What are the functions of a router?
• Layer 3 (in most cases IP or IPv6) traffic forwarding
• Maintains remote network reachability information via static configuration or dynamic exchange with other routers
• Supports a wide variety of interfaces, such as Ethernet, DSL, and LTE
• Has application visibility and ability to apply granular Quality of Service policies
• Provides different services, such as VPN, firewall and VoIP services

Firewalls and Intrusion Prevention Systems (IPSs)

Let's start this section by describing the logical functions of a firewall and an intrusion prevention system.

Cisco firewall and IPS functions

A firewall evaluates traffic against a configured ruleset and then allows or blocks it. A stateful firewall keeps track of allowed connections, so it can recognize return traffic as part of an existing session and allow it without a separate rule; a stateless packet filter would need a permanent, and much more permissive, rule for the return direction.

An Intrusion Prevention System enforces security policy on transit traffic by either comparing its content to a set of patterns or by analyzing its behavior. The pre-defined patterns are called signatures and must be updated regularly, since a signature-based IPS can only detect what it has a signature for.
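To make the difference between a stateless rule lookup and stateful session tracking concrete, here is a small added example (written for this post, not Cisco code) of a zone-based stateful filter followed by a signature-based IPS stage, in the order an NGFW applies them: session table first, then the ruleset for new sessions, then signature inspection of whatever the policy permitted. The packets, zones, rules and the two signatures are all constructed for the demonstration; the packet's egress zone is supplied directly instead of being derived from a routing lookup.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    in_zone: str      # zone of the interface the packet arrived on
    out_zone: str     # zone the routing lookup selects for dst (constructed here)
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: str
    dport: int
    action: str       # "allow" or "deny"


Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFirewall:
    """Rule lookup for new sessions, session-table lookup for return traffic."""

    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        self.rules = rules
        self.default_action = default_action
        self.sessions: Dict[Flow, str] = {}   # forward 5-tuple -> zone that opened it

    @staticmethod
    def forward(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p: Packet) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        # Return traffic is accepted only if the mirrored 5-tuple is a known session;
        # a packet that merely looks like a reply (e.g. source port 443) does not qualify.
        if self.reverse(p) in self.sessions:
            return "allow-established"
        for r in self.rules:   # first match wins
            if (r.from_zone, r.to_zone, r.proto, r.dport) == (p.in_zone, p.out_zone, p.proto, p.dport):
                if r.action == "allow":
                    self.sessions[self.forward(p)] = p.in_zone
                return r.action
        return self.default_action


# Constructed sample signatures; real signature sets are far larger and are what
# the regular updates mentioned above keep current.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "cmd-injection-bin-sh": re.compile(rb"/bin/sh\b"),
}


def ips_inspect(payload: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def ngfw_process(fw: StatefulFirewall, packets: List[Packet]) -> List[str]:
    """Stateful policy first, then IPS on whatever the policy let through."""
    verdicts = []
    for p in packets:
        decision = fw.evaluate(p)
        if decision.startswith("allow"):
            sig = ips_inspect(p.payload)
            if sig:
                decision = "drop-ips:" + sig
        verdicts.append(decision)
    return verdicts


RULES = [
    Rule("inside", "outside", "tcp", 443, "allow"),
    Rule("inside", "outside", "tcp", 80, "allow"),
]

SAMPLE_PACKETS = [   # constructed traffic, processed in order
    Packet("tcp", "10.0.0.10", 51000, "203.0.113.5", 443, "inside", "outside", b"\x16\x03\x01"),
    Packet("tcp", "203.0.113.5", 443, "10.0.0.10", 51000, "outside", "inside", b"\x16\x03\x03"),
    Packet("tcp", "198.51.100.7", 40000, "10.0.0.10", 445, "outside", "inside"),
    Packet("tcp", "198.51.100.7", 443, "10.0.0.10", 51001, "outside", "inside"),   # fake "reply"
    Packet("tcp", "10.0.0.10", 51002, "203.0.113.5", 80, "inside", "outside",
           b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.10", 51003, "203.0.113.5", 80, "inside", "outside",
           b"GET /index.html HTTP/1.1\r\n"),
]


def demo() -> List[str]:
    return ngfw_process(StatefulFirewall(RULES), SAMPLE_PACKETS)


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, demo()):
        print(f"{p.in_zone:>7} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
```

The fourth packet is the one that separates the two approaches: it arrives from the outside with source port 443, which a stateless "permit replies from port 443" rule would pass, but it matches no session in the table and is dropped. The fifth packet is permitted by the ruleset and only then dropped by the IPS stage, which is why the two functions complement rather than replace each other.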

Traditional firewalls and IPSs

Cisco's product line used to have two different types of devices: one performing the firewall functions and another responsible for intrusion prevention. Cisco PIX and its successor ASA (and routers with the security feature set enabled) performed traditional stateful firewall functions. They had a limited IPS feature set too; however, for full IDS/IPS functionality, Cisco IPS appliances and hardware modules were required. After the Sourcefire acquisition, its standalone IPS products were also added to Cisco's product line.

Cisco provided integration options; however, they were based on two separately managed systems running in parallel. For example, the ASA could accept an expansion module providing IPS functionality, connected via the ASA's backplane. Later, hardware modules were replaced by software modules running as a separate process hosted on the ASA.

Next-Generation firewalls

Many security vendors took the approach of closely integrating both types of features in a single device, which became known as a Next-Generation Firewall (NGFW). Cisco also released a unified software platform that inherited the ASA code as its stateful firewall engine and Snort as its intrusion prevention system. This software runs on the current NGFW platforms and is called Firepower Threat Defense (FTD).

In addition to stateful firewall and IPS functions, Next-Generation Firewalls can also provide remote-access and site-to-site VPN services, malware protection and URL filtering. The intelligence behind the FTD NGFW services is provided by Cisco Talos, which collects and analyzes threats to develop definition updates.

All FTD platforms can be centrally managed by Firepower Management Center (FMC). Smaller models can be configured locally with the web-based Firepower Device Manager (FDM).

Cisco firewall and IPS product portfolio

Current Cisco’s firewall and IPS product portfolio includes:

  • Firepower 1000/2100 (ASA or FTD image; locally or centrally managed)
  • Firepower 4100/9300 (ASA or FTD image; only central management for FTD)
  • Cisco NGFWv (virtual FTD – hypervisors and public clouds)
  • Cisco ASAv (virtual ASA – hypervisors and public clouds)
  • Cisco NGIPSv (for VMware)
  • ASA 5500-X
  • Meraki MX

Firewall deployment modes

Firewalls and IPSs are typically deployed on the network boundary with external networks, such as the Internet. Cisco NGFWs support 2 deployment modes:

  • Routed
  • Transparent

Figure 2. Firewall Routed vs Transparent Deployment Modes

In routed mode, a firewall acts as a Layer 3 device, with an IP address assigned to each interface. The example in Figure 2 has the NGFW in routed mode on the left. Notice that the workstation uses the INSIDE interface of the firewall as its default gateway.

On the right side, the NGFW operates in transparent mode and performs the role of a Layer 2 device. It must be placed in-line between the local network and the router, because there is no explicit configuration on the workstation, such as a default gateway setting, to force the traffic through the firewall.

The diagram shows the transparent firewall physically connected to the router, ensuring that non-local traffic cannot bypass the firewall.

In cases when such connectivity is not possible, so-called VLAN stitching can be used. The router-facing side and the host-facing side of the firewall are placed in two different VLANs, and the transparent firewall bridges (stitches) the two VLANs together, so any traffic between them has to traverse the firewall. Any other path that joins the two VLANs, or a host port accidentally assigned to the router-side VLAN, bypasses inspection, so the VLAN assignments on the switches should be verified as part of the deployment.

Self-test question: What are the functions of a Next-Gen Firewall?
• Enforce security policy by blocking or allowing packets
• Perform deep packet analysis with application awareness to provide intrusion prevention
• Provide additional services, such as VPN, malware protection and URL filtering

Self-test question: What are two deployment modes of a Next-Gen Firewall?
• Routed mode. In this mode the firewall operates like a router and has a different IP address on each interface
• Transparent mode. In this mode the firewall operates like a network switch and doesn't have IP addresses assigned to its data interfaces