CCNP ENCOR Study Note

This document provides information on configuring and applying NetFlow on a network device. The key steps are: (1) configure a flow record to define what data to collect; (2) configure a flow exporter to export the collected data; (3) configure a flow monitor to specify the record and exporter; (4) apply the flow monitor to an interface to start collecting NetFlow data.

Uploaded by

John Nguyen

Netflow

Traditional
Flexible

Implementation steps:

• Configure flow record
• Configure flow exporter
• Configure flow monitor
• Apply to an interface

Configure flow monitor:

• Specify flow record
▪ The cache timeout tells the device to export the cache to the collector every 60 seconds
• Specify flow exporter
Apply to an interface:

• Ingress or egress or both
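The four steps above as one Flexible NetFlow configuration. This is an added example, not from the note; the collector address 10.1.1.100, UDP port 2055, Loopback0 and GigabitEthernet0/1 are assumed.

```cisco
! Flexible NetFlow in the order the note lists: record -> exporter -> monitor -> interface.
! Collector 10.1.1.100:2055, Loopback0 and GigabitEthernet0/1 are assumed for this example.
!
! 1. Flow record: "match" fields identify a flow, "collect" fields are what is counted
flow record FNF-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! 2. Flow exporter: where cache entries are sent. NetFlow export is plain UDP,
!    so the collector should sit on a management network, not on the Internet path.
flow exporter FNF-EXPORTER
 destination 10.1.1.100
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! 3. Flow monitor: ties record and exporter together; "cache timeout active 60"
!    exports long-lived flows every 60 seconds, as the note describes
flow monitor FNF-MONITOR
 record FNF-RECORD
 exporter FNF-EXPORTER
 cache timeout active 60
!
! 4. Apply to an interface: input (ingress), output (egress) or both
interface GigabitEthernet0/1
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
!
! Verification
! show flow monitor FNF-MONITOR cache
! show flow exporter FNF-EXPORTER statistics
```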

Confidential
COPP (control plane policing)

• Police traffic to & from the router itself
• COPP processes:
o Classifying
o Queue Mapping
o Scheduling
o Queue Shaping
• Configure COPP:
o Enable qos
o Define ACLs
o Define packet classification (class-map command)
o Define service policy map
o Apply QoS policy

RESTCONF
Methods:

• GET
• PUT: create/replace
• POST: create
• PATCH: merge
• HEAD
• DELETE

• OPTIONS

IPSEC
Modes & protocols

• Transport mode
o AH
o ESP
o Routing is based on the original IP header
• Tunnel mode
o AH
o ESP
o New IP header will be added

Operation:

• IKEv1
o IKE phase 1
▪ Negotiate crypto settings (authentication method, encryption method, …)
▪ Perform secret key exchange (via DH algorithm)
▪ [encrypted] prove each other’s identity
▪ Note:
• 2 modes for IKE phase 1:
o Main mode (6 messages)
o Quick mode (3 messages)
• ISAKMP SA is bidirectional
o IKE phase 2
▪ Negotiate IPSec SA (transform set)
▪ Create an IPSec tunnel
▪ Note:
• IPSEC SA is unidirectional, so there will be two unidirectional IPSEC SAs
• IKE phase 2 uses “quick mode” (3 messages)
• IKEv2
o Only 4 messages to bring up the bidirectional IKE SA and the unidirectional IPSEC SAs

Configuration (is this configuration for IKEv1 ??)

• Configure isakmp parameters
• Configure transform set parameters
• Define interesting traffic with acl
• Create and apply crypto map to an interface

GRE over IPSEC

Crypto map configuration:

• Configure isakmp parameters
• Configure transform set parameters

• Define interesting traffic with acl
• Create a crypto map
• Apply the crypto map onto an interface

Ipsec profile configuration:

• Configure isakmp parameters
• Configure transform set parameters
• Create an ipsec profile
• Apply the ipsec profile to the tunnel interface

VTI over IPSEC

Configuration:

• Configure isakmp parameters
• Configure transform set parameters
• Enable VTI under gre tunnel interface
o # tunnel mode ipsec ipv4
• Create an ipsec profile
• Apply the ipsec profile to the tunnel interface

NAT

HSRP

Administrative distance

ERSPAN

• Both ip addresses are configured under “dst”

HTTP response status code

Virtualization

Server virtualization
2 types of hypervisor:

• Type 1
• Type 2
VM migration:


Virtual switching (vSwitch)

• Software-based layer 2 switch
• Enable VMs to communicate
• vSwitches can’t share the same pNIC (this makes sense as pNIC has only 1 interface)
• Traffic can’t flow directly between vSwitches. Therefore, for VM1 to get to external network,
the path is:
o VM1 --- vSwitch 2 --- NGFWv --- vSwitch 1 --- pNIC1 (or pNIC2) --- Switch 1
• Some vSwitches:
o OVS: Open vSwitch (designed to be used within “server virtualization” env)
o VMware virtual switch
o Cisco Nexus 1000V
• OVS:


Containers

• Isolated environment for applications

• Contain applications & their dependencies
• Container engines are used to create, run, and manage containers. For ex:
o Docker (most popular)
o …
• About Docker engine:
o By default create a vSwitch called Docker0 with the default subnet 172.17.0.0/16
▪ Every container is assigned the veth (virtual ethernet interface) on Docker0
▪ Eth0 of each container is assigned an ip address in the subnet 172.17.0.0/16

NFV

• NFV architectural framework
o VIM:
▪ Managing & controlling hardware resources
o VNF manager:
▪ Managing life cycle of VNFs
o NFV orchestrator:
▪ creating, maintaining, and tearing down VNF network services
• Data traffic pattern:
o North-south: traffic direction is from pNIC --- VNF --- back to pNIC
o East-west: traffic direction is from pNIC --- VNF --- another VNF … - back to pNIC
• Performance & optimization:
o Standard OVS was never designed with NFV in mind, so it doesn’t meet NFV requirements
o OVS-DPDK
o PCI passthrough
o SR-IOV

ACL

• Standard ACL: 0-99, 1300-1900
• Extended ACL: 100-199, 2000-2699
• Direction:
o Inbound: before routers make forwarding decision
o Outbound: after routers make forwarding decision
• Cisco allows only 1 inbound & 1 outbound ACL per interface
• Types of ACL:
o RACL: layer 3
o PACL: layer 2
o VACL: filter VLAN
o dACL (downloadable ACL): another form of PACL
• RACL:
o Standard number acl
▪ # access-list 2 permit 10.0.0.0 0.0.0.255
▪ # ip access-group 2 in
o Standard named acl
▪ # ip access-list standard NAMEACL
▪ # 5 permit 10.0.0.0 0.0.0.255
▪ # 10 deny host 192.168.1.1
▪ # ip access-group NAMEACL in
o Extended number acl
▪ # access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.1 eq 80
▪ # ip access-group 100 in
o Extended name acl
▪ # ip access-list extended MYACL
▪ # permit
• PACL
o Used to filter incoming traffic to layer 2 ports (no outgoing)
o Can’t filter layer 2 control packets (CDP, VTP, …)

o Different usages:
▪ Filter layer 3 traffic: syntax is the same as RACL
▪ Filter layer 2 MAC address
• VACL:
• Processing order for PACL, VACL, RACL on the same VLAN
o Bridged traffic processing order (within the same VLAN)
▪ Inbound PACL on the switchport (for example, VLAN 10)
▪ Inbound VACL on the VLAN (for example, VLAN 10)
▪ Outbound VACL on the VLAN (for example, VLAN 10)
o Routed traffic processing order (across VLANs):
▪ Inbound PACL on the switchport (for example, VLAN 10)
▪ Inbound VACL on the VLAN (for example, VLAN 10)
▪ Inbound ACL on the SVI (for example, SVI 10)
▪ Outbound ACL on the SVI (for example, SVI 20)
▪ Outbound VACL on the VLAN (for example, VLAN 20)
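The three ACL types in one switch configuration, so the processing order above can be traced for a frame entering on VLAN 10 and routed to VLAN 20. This is an added example, not from the note; the MAC address, port, VLANs and subnets are assumed.

```cisco
! PACL, VACL and RACL on one switch. A packet from VLAN 10 routed to VLAN 20 meets them in
! the order the note lists: PACL -> VACL 10 in -> SVI 10 in -> SVI 20 out -> VACL 20 out.
! Names, the MAC address, port and subnets are assumed for this example.
!
! PACL (layer 2 port): MAC filter, inbound only. Layer 2 control frames (CDP, VTP) are not filtered.
mac access-list extended PACL-MAC
 permit host 0000.1111.2222 any
 deny any any
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 mac access-group PACL-MAC in
!
! VACL: applies to traffic inside VLAN 10, bridged or routed, in both directions.
! Sequence 10 drops telnet, sequence 20 forwards everything else (default is drop).
ip access-list extended VACL-TELNET
 permit tcp any any eq 23
vlan access-map VACL-MAP 10
 match ip address VACL-TELNET
 action drop
vlan access-map VACL-MAP 20
 action forward
vlan filter VACL-MAP vlan-list 10
!
! RACL (layer 3) on the SVI, inbound = before the forwarding decision:
! only web traffic from 10.10.0.0/24 to host 10.20.0.10 is routed, the rest is logged
ip access-list extended RACL-WEB
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.10 eq 80
 deny ip any any log
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group RACL-WEB in
!
! Verification
! show access-lists
! show vlan access-map
! show vlan filter
```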

Subnetting
Bits borrowed:

• 1: 128
• 2: 192
• 3: 224
• 4: 240
• 5: 248
• 6: 252
• 7: 254

Secure Administrative Access

Password type

• 0: clear text
• 4: sha-256
• 5: md5 (hash)
• 6: encryption
• 7: encryption
• 8: hash-based
• 9: scrypt - hash-based

Secure terminal lines (glo2,756)

Options to secure them (console, vty, …)

• Password configured on the line
• Username-based authentication
o 3 ways to configure:
▪ # username {user} privilege {level} password {pass}
▪ # username {user} privilege {level} secret {pass}
▪ # username {user} privilege {level} algorithm-type {md5…} secret {password}
o Privilege levels:
▪ 3 privilege levels by default on Cisco IOS (glo2,761):
• Privilege level 0
• Privilege level 1
• Privilege level 15
▪ Additional configurable privilege levels: from 2 to 14

• AAA server
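The password types and line-securing options above as one configuration: type 9 (scrypt) secrets, local authentication on the console and VTY lines, SSH only, and an AAA (TACACS+) server as the preferred method with local fallback. This is an added example, not the note's own; the usernames, secrets, TACACS+ key, 10.0.0.0/24 management subnet and server 10.0.0.50 are placeholders.

```cisco
! Secure administrative access in the order the note lists. All secrets are placeholders.
!
! Type 9 (scrypt) secrets instead of type 5 (md5) or type 7 (reversible)
enable algorithm-type scrypt secret PLACEHOLDER-ENABLE
username netadmin privilege 15 algorithm-type scrypt secret PLACEHOLDER-PASS
!
! Console: username-based authentication plus an idle timeout
line console 0
 login local
 exec-timeout 5 0
!
! VTY: username-based authentication, SSH only, sources limited with a standard ACL
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
 access-class MGMT-HOSTS in
!
! AAA server: TACACS+ first, the local user only if the server is unreachable.
! Once "aaa new-model" is on, the default method list applies to every line and
! replaces "login local" there.
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.50
 key PLACEHOLDER-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Verification: "secret 9" in the output confirms the scrypt hash type
! show running-config | include secret
```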
