Securing BGP
Vinit Jain CCIE# 22854
Twitter - @vinugenie
BRKRST-3179
Agenda
Introduction
Securing BGP Connections
Secure Inter-Domain Routing (SIDR)
ROA, BGP RPKI
Preventing BGP DDoS Attacks
MD5 Authentication, IPv6 Link-Local Peering
TTL Security, eBGP-Multihop
BGP RTBH Filtering, uRPF
BGP FlowSpec
Introduction
Housekeeping
Cell Phones
Who are you?
Service Provider
Enterprise
Advanced Class
Assume BGP Operational Experience
Basic configuration
Show commands
Understand BGP attributes
BRKRST-3179
2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Securing BGP
Need for Securing BGP
BGP - the routing protocol of the Internet
Any small loophole can cause instability in the Internet
A primary focus for attackers and reverse engineers looking for vulnerabilities
Prone to Man-in-the-Middle (MITM) attacks and DoS / DDoS attacks
Common vulnerabilities:
Session hijacking
Bogus routing
DNS attacks
Securing BGP
Area of focus
Authentication
Integrity
Availability
Prefix Origin Validation
AS Path Verification
Securing BGP Connections
Securing BGP Connections
BGP Session Authentication
MD5 hash based authentication defined in RFC 2385
TCP option 19 carries the MD5 signature that protects the BGP session
Type 7 passwords in the configuration are easy to break
Use service password-encryption
IOS, XR and NX-OS now support strong AES encryption of stored keys
IOS XR supports the HMAC-MD5 and HMAC-SHA1-12 cryptographic algorithms for BGP, configured as part of key chain authentication
MD5 authentication and key chain based authentication cannot be configured together.
Securing BGP Connections
BGP Session Authentication Cryptographic Algorithms on IOS XR
RP/0/0/CPU0:R2(config)#key chain BGP_PWD
RP/0/0/CPU0:R2(config-BGP_PWD)#key 1
RP/0/0/CPU0:R2(config-BGP_PWD-1)#cryptographic-algorithm ?
  HMAC-MD5      Configure HMAC-MD5 as cryptographic algorithm
  HMAC-SHA1-12  Configure HMAC-SHA1-12 as cryptographic algorithm
  HMAC-SHA1-20  Configure HMAC-SHA1-20 as cryptographic algorithm
  MD5           Configure MD5 as cryptographic algorithm
  SHA-1         Configure SHA-1-20 as cryptographic algorithm
RP/0/0/CPU0:R2(config-BGP_PWD-1)#cryptographic-algorithm HMAC-SHA1-12
RP/0/0/CPU0:R2(config-BGP_PWD-1)#exit
RP/0/0/CPU0:R2(config-BGP_PWD)#exit
RP/0/0/CPU0:R2(config)#router bgp 100
RP/0/0/CPU0:R2(config-bgp)#neighbor 10.1.102.10
RP/0/0/CPU0:R2(config-bgp-nbr)#keychain BGP_PWD
RP/0/0/CPU0:R2(config-bgp-nbr)#commit
Securing BGP Connections
BGP Pass-Through
ASA / PIX offsets the TCP sequence number with a random number for every TCP session
This causes MD5 authentication to fail, because the RFC 2385 signature covers the TCP sequence number
The ASA also strips off TCP option 19
Diagram: R1 - ASA - R2. To pass an MD5-authenticated BGP session through the ASA:
1. Create an ACL to permit BGP traffic
2. Create a TCP map to allow TCP option 19
3. Create a class-map to match BGP traffic
4. Disable sequence number randomization and enable TCP option 19 in the global policy
Securing BGP Connections
BGP Pass-Through ASA FW Configuration
access-list OUT extended permit tcp host 10.1.12.1 host 10.1.12.2 eq bgp
access-list OUT extended permit tcp host 10.1.12.2 eq bgp host 10.1.12.1
!
access-list BGP-TRAFFIC extended permit tcp host 10.1.110.2 host 10.1.110.10 eq bgp
access-list BGP-TRAFFIC extended permit tcp host 10.1.110.2 eq bgp host 10.1.110.10
!
tcp-map TCP-OPTION-19
tcp-options range 19 19 allow
!
access-group OUT in interface Outside
!
class-map BGP_TRAFFIC
match access-list BGP-TRAFFIC
!
policy-map global_policy
class BGP_TRAFFIC
set connection random-sequence-number disable
set connection advanced-options TCP-OPTION-19
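To see why the ASA's sequence-number randomization breaks RFC 2385 authentication, here is an added example (not from the slides) that computes the TCP MD5 signature the way TCP option 19 carries it, then verifies it on a segment whose sequence number a firewall has shifted. The peers reuse the slide's 10.1.12.1 / 10.1.12.2 addresses; the ports, shared key and sequence numbers are constructed sample values.

```python
import hashlib
import socket
import struct

# Added example, not from the slides: how the RFC 2385 TCP MD5 signature
# (TCP option kind 19) is computed, and why a middlebox that rewrites the TCP
# sequence number breaks it. Addresses reuse the slide's 10.1.12.x peers; the
# ports, key and sequence numbers are constructed sample values.

MD5_OPTION_KIND = 19
MD5_OPTION_LEN = 18          # kind (1) + length (1) + 16-byte digest
OPTIONS_LEN = 20             # option 19 plus two NOPs, padded to a 4-byte boundary
FLAGS_PSH_ACK = 0x018


def tcp_pseudo_header(src_ip, dst_ip, tcp_segment_len):
    """IPv4 pseudo-header: src, dst, zero, protocol 6, TCP length (header + options + data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_segment_len))


def tcp_fixed_header(src_port, dst_port, seq, ack, flags, window, header_len):
    """20-byte TCP header with checksum zeroed; options are excluded, as RFC 2385 requires."""
    offset_and_flags = ((header_len // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, src_port, dst_port, seq, ack, data, password,
                      flags=FLAGS_PSH_ACK, window=16384):
    """RFC 2385 digest over pseudo-header, options-less TCP header, data and the shared key."""
    header_len = 20 + OPTIONS_LEN
    digest = hashlib.md5()
    digest.update(tcp_pseudo_header(src_ip, dst_ip, header_len + len(data)))
    digest.update(tcp_fixed_header(src_port, dst_port, seq, ack, flags, window, header_len))
    digest.update(data)
    digest.update(password)
    return digest.digest()


def option19(signature):
    """Encode the signature as TCP option kind 19 (length 18) followed by two NOP bytes."""
    return struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN) + signature + b"\x01\x01"


def verify_segment(seg, password):
    """Receiver side: recompute the digest over the segment exactly as it arrived."""
    expected = tcp_md5_signature(seg["src_ip"], seg["dst_ip"], seg["src_port"], seg["dst_port"],
                                 seg["seq"], seg["ack"], seg["data"], password)
    return expected == seg["signature"]


# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (constructed payload).
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def demo(password=b"constructed-shared-key"):
    """Returns (verifies on a direct link, verifies after sequence-number randomization)."""
    seg = {"src_ip": "10.1.12.1", "dst_ip": "10.1.12.2", "src_port": 179, "dst_port": 40001,
           "seq": 1000, "ack": 2000, "data": KEEPALIVE}
    seg["signature"] = tcp_md5_signature(seg["src_ip"], seg["dst_ip"], seg["src_port"],
                                         seg["dst_port"], seg["seq"], seg["ack"],
                                         seg["data"], password)
    direct_ok = verify_segment(seg, password)
    # ASA/PIX default: the sequence number is shifted by a per-session random offset.
    # The signature still reflects the sender's value, so the receiver's recomputation fails.
    through_fw = dict(seg, seq=(seg["seq"] + 0x1A2B3C4D) & 0xFFFFFFFF)
    fw_ok = verify_segment(through_fw, password)
    return direct_ok, fw_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The digest is keyed by the password but is not an HMAC, which is why the key chain algorithms on IOS XR (HMAC-MD5, HMAC-SHA1) are preferable where both ends support them; either way, anything on the path that touches the sequence number, ports or addresses invalidates the signature, which is exactly what the ASA steps above avoid.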
Securing BGP Connections
IPv6 BGP Peering using Link-Local Address
The link-local address is manually assigned or automatically generated in FE80::/10 + EUI-64 format
Usually IPv6 peering is formed over the global IPv6 address
Using the link-local address for IPv6 peering prevents the following, because link-local addresses are not routable beyond the link:
An attacker cannot form a BGP peering to the link-local address
An attacker cannot communicate with either peer over the link-local address
neighbor link-local-address%Interface-name remote-as asn
Securing BGP Connections
ebgp-multihop
BGP packets for eBGP sessions are sent with TTL = 1 by default
The default TTL value when using the ebgp-multihop command without a hop count is 255
Attackers can spoof packets and try to establish BGP peering if the correct hop count is not specified
For peering between two directly connected devices over loopbacks, use the neighbor disable-connected-check command instead of ebgp-multihop 2
The directly connected devices are not two hops away
BGP performs a connected check that otherwise stops it from establishing the neighborship over the loopback
Securing BGP Connections
BGP TTL Security Hack (BTSH)
Diagram: R1 (AS 100) peers with R2 at the ISP; R2 sends valid BGP messages to R1, while a remote hacker sends spoofed BGP messages to R1 pretending to be R2.
Problem:
Hackers spoof BGP messages to R1 as if they are from R2
R1 must use MD5 to filter out the bogus messages
MD5 validation must be done on the RP (Route Processor)
Securing BGP Connections
BGP TTL Security Hack (BTSH)
Also known as the Generalized TTL Security Mechanism (GTSM, RFC 5082)
Both sides must configure the feature
neighbor x.x.x.x ttl-security hops 1   (IOS syntax, hops 1 for a directly connected peer; IOS XR uses ttl-security under the neighbor)
Provides a lightweight mechanism to defend against most BGP spoofing attacks
Does NOT replace the need for MD5 authentication!
Sender sets the TTL to 255
Receiver checks for a TTL of 254 for directly connected neighbors
A lower acceptable TTL value must be configured for a multihop neighbor
May use BTSH instead of ebgp-multihop if you control both ends of the session
Packets generated by hackers arrive with a TTL lower than the expected value, since every router on the path decrements it
Easy to compare the TTL value against the threshold and discard spoofed packets
Discards can be done on the linecard
The TTL check is much cheaper than MD5
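An added example (not from the slides) that models the BTSH/GTSM check beside the plain reachability check ebgp-multihop applies, run over constructed packets. It assumes ttl-security hops 1 for the directly connected peer and hops 2 for a two-hop peer; the packet descriptions, TTLs and hop counts are constructed.

```python
# Added example, not from the slides: a model of the BGP TTL security check
# (BTSH, the Generalized TTL Security Mechanism of RFC 5082) next to the plain
# reachability check that ebgp-multihop applies, run over constructed packets.

MAX_TTL = 255


def arrival_ttl(sent_ttl, routers_traversed):
    """Every router that handles the packet decrements the TTL by one (the receiving
    router's own input decrement included); a packet whose TTL reaches 0 never arrives."""
    ttl = sent_ttl - routers_traversed
    return ttl if ttl > 0 else None


def gtsm_accepts(ttl, hops):
    """neighbor ... ttl-security hops N: accept only if TTL >= 255 - N.
    For a directly connected peer (N = 1) that is the slide's 'TTL of 254' check."""
    return ttl is not None and ttl >= MAX_TTL - hops


def multihop_accepts(ttl):
    """ebgp-multihop: any packet that reached the router at all is accepted."""
    return ttl is not None


# Constructed packets: (description, TTL the sender set, routers traversed to reach R1)
SAMPLE_PACKETS = [
    ("direct peer, sender TTL 255", 255, 1),
    ("two-hop peer, sender TTL 255", 255, 2),
    ("spoofer five hops away, sender TTL 255", 255, 5),
    ("spoofer five hops away, default TTL 64", 64, 5),
]


def evaluate(packets=SAMPLE_PACKETS, hops=1):
    """Returns {description: (accepted by GTSM, accepted by ebgp-multihop)} for a
    receiver configured with ttl-security hops=<hops>."""
    results = {}
    for desc, sent, traversed in packets:
        ttl = arrival_ttl(sent, traversed)
        results[desc] = (gtsm_accepts(ttl, hops), multihop_accepts(ttl))
    return results


if __name__ == "__main__":
    for desc, (gtsm, multihop) in evaluate().items():
        print(f"{desc}: gtsm={'accept' if gtsm else 'drop'}, "
              f"multihop={'accept' if multihop else 'drop'}")
```

The spoofed packets pass the ebgp-multihop check and fail the GTSM check regardless of the TTL the attacker chooses, because a sender cannot set a TTL above 255 and cannot stop intermediate routers from decrementing it; raising hops to 2 admits the legitimate two-hop peer while still rejecting the five-hop source, which is the "lower acceptable TTL" configured for a multihop neighbor.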
Securing BGP Connections
Filtering using Firewall / ACL
Diagram: R1 (1.1.1.1) and R2 (2.2.2.2) peer across AS65535 / AS65534; the ACL sits in front of R1.
Permit BGP from any peer (loose):
permit tcp host 1.1.1.1 eq bgp any
permit tcp host 1.1.1.1 any eq bgp
Permit BGP only with the specific peer (preferred):
permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
Filter BGP packets so that only specific peers are permitted
Filtering on a firewall is preferred over routers / switches
Large ACLs consume a lot of TCAM resources on routers / switches
A firewall is designed and optimized for performing filtering tasks
Securing BGP Connections
Protecting BGP Traffic with IPsec
With an IPsec tunnel the keys are refreshed from time to time
This makes it a more secure method than MD5 based authentication.
An IPsec tunnel not only provides secure reachability; the routing protocol messages themselves are encrypted
An IPsec tunnel can be used to protect BGP sessions from integrity violations, replay and DoS attacks through its Authentication Header (AH).
Encapsulating Security Payload (ESP) provides a higher level of confidentiality.
Drawbacks: only covers DoS or MITM attacks
Has an additional cost in memory and CPU resources for encryption and decryption
Secure Inter-Domain Routing (SIDR)
Secure Inter-Domain Routing
Security Issues with Sourcing of BGP Routes
Any AS can source/announce incorrect prefixes within BGP
- Either by mistake (most cases)
- Or with malicious intent
In either case, an AS can hijack prefixes owned by another AS
- Has an impact on end-to-end data forwarding
BGP prefixes can be hijacked by:
- Sourcing a prefix (with better BGP metrics) that is owned by some other AS
- Sourcing a more specific of a prefix that is owned by some other AS
Securing Inter-Domain Routing
Prefix Hijacking with smaller AS_PATH (same prefix)
Diagram: 192.168.10.0/24 is announced by its legitimate origin and again, with the same prefix length, by a second AS (the ASes shown are AS100, AS200, AS300 and AS400); the host's AS selects the announcement with the shorter AS_PATH, so the hijacker attracts the traffic.
Securing Inter-Domain Routing
Prefix Hijacking with more specific Prefix Length
Diagram: the legitimate origin announces 192.168.10.0/24 while another AS announces the more specific 192.168.10.0/25 (the ASes shown are AS100 to AS500); longest-prefix match prefers the /25 regardless of AS_PATH length, so the hijacker attracts the traffic.
Securing Inter-Domain Routing
BGP Prefix Origin Validation
A mechanism within BGP to identify incorrectly sourced prefixes and prevent them from being selected as BGP best paths
Provides origin AS validation for BGP prefixes
Solution for:
- The YouTube accident
- The 7007 accident (MAI) that affected SPRINT, UUNET and others
- Any kind of accidental announcement due to incorrect sourcing of BGP prefixes (99% of mis-announcements fall under this category)
Does NOT solve BGP path hijacking related issues
- Origin validation does not provide assurance of the BGP AS_PATH received in an update message
Secure Inter-Domain Routing
Large ISP Deployment - RPKI
Diagram: the Global RPKI feeds regional caches (Asia, NoAm, Euro); each regional cache feeds several in-PoP caches, and the in-PoP caches serve the customer-facing routers in that PoP.
Secure Inter-Domain Routing
BGP Prefix Origin Validation - Implementation
Router modifications involve the implementation of 3 SIDR drafts
Draft 1: RPKI-Router protocol, defined in the IETF draft-sidr-rpki-rtrprotocol12.txt
- Means of communication between a trusted cache and BGP routers
- Helps create and maintain within BGP a new address-family specific digested RPKI database in the form of {IP prefix, origin AS} tuples
Draft 2: Origin validation related BGP protocol modifications, defined in the IETF draft-ietf-sidr-pfx-validate-01.txt
- Perform origin AS validation on the AS_PATH of received eBGP prefixes
- Invalidate prefixes with an incorrect origin AS
Secure Inter-Domain Routing
BGP Prefix Origin Validation - Implementation (contd.)
Draft 3: BGP RPKI origin validation state announcement, defined in the IETF draft-ietf-sidr-origin-validation-signaling-00.txt
- Announce the path validation state within an iBGP network
- Using a new extended community defined in draft-ietf-sidr-origin-validation-signaling-00.txt
Alternate approach to using the path validation state community:
- Implementations could translate the path validation state into appropriate iBGP parameters that influence BGP best path processing using route policies
RPKI Database and BGP Design
Diagram: a remote distributed RPKI repository feeds the RPKI cache; the cache sends {Prefix: X.X.X.X/N-M, Origin-AS: ASN1} records to the router over the RPKI-rtr protocol, where they populate the prefix validation database. BGP peers send prefixes (Prefix: X.X.X.X/L, AS-PATH: ... ASN2) into the BGP table over the BGP protocol, and the router validates each BGP path inline against the prefix validation database.
Inline prefix validation
Event based validation on cache updates
Input to the RPKI database lookup for a BGP path:
- BGP prefix/mask-length (X.X.X.X/N or X:X::X/N)
- Origin-AS
If a BGP prefix/mask-length has no covering ROAs in the RPKI DB, the validity of the path is unknown
If the BGP prefix is covered by one or more ROAs in the RPKI database:
- If any of the covering ROAs maps to the input origin-AS, the validity of the BGP route is valid
- If none of the covering ROAs map to the input origin-AS, the validity of the BGP route is invalid
Secure Inter-Domain Routing
RPKI Operation
The RPKI-cache-to-router connectivity can be many-to-many:
- One RPKI cache can provide origin-AS validation data to multiple routers, and one router can be connected to multiple RPKI caches
A router connects to RPKI servers/caches/peers to download the information needed to build a special RPKI database that BGP uses to validate origin ASes for the Internet routing table
Typically, origin-AS validation is done at the ASBRs of an AS for paths received from an outside AS (eBGP paths)
Secure Inter-Domain Routing
RPKI Operation
The ASBRs simply mark the eBGP paths with an origin-AS validity state:
- Valid: there are prefix sets in the RPKI data that cover the prefix, and one of them has the origin-AS number
- Invalid: there are prefix sets in the RPKI data that cover the prefix, and none of them has the origin-AS number
- Unknown: there are no matching or covering prefixes in the RPKI data
Diagram: ASBR1 (valid eBGP routes), ASBR2 (invalid eBGP routes) and ASBR3 (unknown eBGP routes) all feed the route reflector (RR).
Secure Inter-Domain Routing
RPKI Operation
The routers do not drop or take any other action on invalid routes up front
- It is left to the operator to choose what to do with the path based on its origin-AS validity state, through RPL or some other configuration CLI
The reception of eBGP paths and the reception of RPKI data are completely decoupled
- The router does not query the RPKI caches as it receives BGP prefixes
- The origin-AS validation data is driven by the RPKI caches, which send data to the routers at their own pace (initial database dump, followed by incremental updates)
If the RPKI data from the RPKI cache in the router covers a prefix when the eBGP path is received, BGP validates that path upon reception, marking the path valid or invalid
If the RPKI data does not cover a prefix upon receiving an eBGP path, BGP marks the path as Unknown
Secure Inter-Domain Routing
Route Origin Authorization (ROA)
The RPKI database is the set of ROA objects aggregated from the different RPKI caches that the router connects to
ROA objects provide a mapping between a BGP prefix block and an AS number authorized to originate that block
An RPKI cache can send any number of ROAs to the router
ROA example: 172.25.0.0/16-24, AS 12343
- The ROA prefix-block covers BGP prefixes within 172.25.0.0 with a minimum mask-length of 16 and a maximum mask-length of 24
- The ROA covers 172.25.100.0/24
- The ROA does not cover 172.25.100.5/32
- AS12343 is authorized to announce prefixes covered by the ROA prefix-block
Origin-AS Validity Check
Three BGP prefix / origin-AS pairs checked against the same RPKI database (ROAs written as prefix/minlen-maxlen, origin AS):

BGP prefix 10.0.1/24, origin AS 300 -> valid
  ROA 10/8-20, AS 100      does not cover the BGP prefix (/24 exceeds maxlen 20)
  ROA 10.0/16-24, AS 200   covers the BGP prefix
  ROA 10.0/16-32, AS 300   covers the BGP prefix, origin AS matches

BGP prefix 10.0.1/24, origin AS 400 -> invalid
  ROA 10/8-20, AS 100      does not cover the BGP prefix
  ROA 10.0/16-24, AS 200   covers the BGP prefix
  ROA 10.0/16-32, AS 300   covers the BGP prefix (no covering ROA authorizes AS 400)

BGP prefix 20.0.1/24, origin AS 500 -> unknown
  ROA 10/8-20, AS 100      does not cover the BGP prefix
  ROA 10.0/16-24, AS 200   does not cover the BGP prefix
Secure Inter-Domain Routing
BGP Origin-AS Validation with Updated BGP Prefixes
BGP prefix / origin-AS -> validity      RPKI database ROAs
10.1.1/24, AS 100 -> valid              10/8-24, AS 100
20.0.0/24, AS 400 -> invalid            20.0/16-24, AS 300
30.1.1/24, AS 200 -> unknown
10.1.2/24, AS 300 -> invalid
When either the BGP table or the RPKI database is modified, the two databases must be kept in sync
Incoming eBGP prefixes are verified against the RPKI database before they are downloaded into the BGP table
Secure Inter-Domain Routing
BGP Origin-AS Validation with RPKI DB Update
BGP prefix / origin-AS -> validity      RPKI database ROAs after the update
10.1.1/24, AS 100 -> unknown            10/8-24, AS 100 (no longer in effect: the unknown results for 10.1.1/24 and 10.1.2/24 show this ROA was removed in the update)
20.0.0/24, AS 400 -> invalid            20.0/16-24, AS 300
30.1.1/24, AS 200 -> valid              30.0/8-24, AS 200 (added, which makes 30.1.1/24 valid)
10.1.2/24, AS 300 -> unknown
When a new ROA is added to or removed from the database, the BGP table has to be back-walked to re-verify the prefixes affected by the ROA update
The BGP table is always in sync with the RPKI database, without any window of time where the databases are out of sync
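The ROA coverage rule (minimum and maximum length), the validity-check table and the back-walk after a ROA update, as one added Python example. This is not Cisco's implementation; the ROAs and prefixes are the ones from the tables above, with the slides' shorthand (10.0.1/24, 10/8-24) written out in full.

```python
import ipaddress

# Added example, not Cisco's code: RFC 6811 origin validation against a small ROA
# set, and the "back-walk" that re-validates affected BGP table entries when a ROA
# is added or removed. The ROAs and prefixes are the ones in the slides' tables,
# written out in full (10.0.1/24 -> 10.0.1.0/24, 10/8-24 -> 10.0.0.0/8 maxlen 24).


class ROA:
    """Route Origin Authorization: a prefix block with a minimum (the prefix length)
    and a maximum length, and the AS authorized to originate prefixes in that block."""

    def __init__(self, prefix, maxlen, asn):
        self.prefix = ipaddress.ip_network(prefix)
        self.maxlen = maxlen
        self.asn = asn

    def covers(self, route):
        """Covering test: same address family, route inside the ROA prefix, length <= maxlen."""
        net = ipaddress.ip_network(route)
        return (net.version == self.prefix.version
                and net.subnet_of(self.prefix)
                and net.prefixlen <= self.maxlen)

    def __repr__(self):
        return f"ROA({self.prefix}-{self.maxlen}, AS{self.asn})"


def validate(route, origin_as, roas):
    """RFC 6811 states: 'unknown' (no covering ROA; IOS prints N / not found),
    'valid' (a covering ROA lists the origin AS) or 'invalid' (covered, no AS match)."""
    covering = [roa for roa in roas if roa.covers(route)]
    if not covering:
        return "unknown"
    # An AS 0 ROA (RFC 6483) can only ever make routes invalid, so it never matches.
    if any(roa.asn == origin_as and roa.asn != 0 for roa in covering):
        return "valid"
    return "invalid"


def validate_table(bgp_table, roas):
    """Validate every (route -> origin AS) entry of a BGP table."""
    return {route: validate(route, asn, roas) for route, asn in bgp_table.items()}


def back_walk(bgp_table, states, roas, changed_roa):
    """After a ROA has been added to or removed from `roas`, re-validate only the BGP
    entries that ROA covers. Updates `states` in place; returns {route: (old, new)}."""
    changed = {}
    for route, asn in bgp_table.items():
        if changed_roa.covers(route):
            new_state = validate(route, asn, roas)
            if new_state != states[route]:
                changed[route] = (states[route], new_state)
                states[route] = new_state
    return changed


def demo():
    """Reproduces the slides' two tables: initial validation, then a ROA update."""
    bgp_table = {"10.1.1.0/24": 100, "20.0.0.0/24": 400, "30.1.1.0/24": 200, "10.1.2.0/24": 300}
    roa_10 = ROA("10.0.0.0/8", 24, 100)
    roas = [roa_10, ROA("20.0.0.0/16", 24, 300)]
    states = validate_table(bgp_table, roas)
    before = dict(states)
    # RPKI DB update: the 10/8-24 ROA is withdrawn and a 30.0/8-24 AS 200 ROA arrives.
    roas.remove(roa_10)
    changes = back_walk(bgp_table, states, roas, roa_10)
    roa_30 = ROA("30.0.0.0/8", 24, 200)
    roas.append(roa_30)
    changes.update(back_walk(bgp_table, states, roas, roa_30))
    return before, changes, states


if __name__ == "__main__":
    before, changes, after = demo()
    print("before:", before)
    print("re-validated:", changes)
    print("after:", after)
```

The back-walk only touches routes the changed ROA covers, which is what keeps the BGP table and the RPKI database in sync without a full re-validation on every cache update; a production implementation indexes the BGP table by prefix so that the covered entries are found without scanning the whole table.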
Secure Inter-Domain Routing
IBGP Signaling of Origin-AS Validity State
Diagram: an eBGP peer sends 1.2.3.0/24 with AS_PATH ... 200 to ASBR1. ASBR1 validates the origin AS: it looks up the RPKI DB for any data covering the prefix; the only matching data has origin AS 300, so the path is marked invalid. ASBR1 forwards the path, with the validity state in the EXTCOMM attribute, to the RR; ASBR2 and ASBR3 derive the validity state from the EXTCOMM attribute instead of doing their own lookup.
Secure Inter-Domain Routing
IBGP Signaling of Origin-AS Validity State
When a BGP route is received from an outside AS, the ASBRs should check the received path for origin-AS validity
The ASBR that validates the origin AS should signal the validity state of the route to its iBGP peers through a non-transitive BGP extended community attribute
Upon receiving validity state information via the extended community, iBGP peers can derive the validity state without having to look up the RPKI database
If a RR receives a validity state in the EXTCOMM attribute from an ASBR, the RR should not do any prefix validation and should simply forward this attribute towards the other ASBRs inside the AS
Secure Inter-Domain Routing
RPKI Configuration
RPKI configuration is supported on both IOS and IOS XR platforms (not on NX-OS)
Configuration requires:
- RPKI server address
- TCP port number (default port 323)
- Refresh time (optional)
IOS(config-router)#bgp rpki server tcp 172.16.1.100 port 8282 refresh 600
RP/0/0/CPU0:XR(config-bgp)#rpki server 172.16.1.100
RP/0/0/CPU0:XR(config-bgp-rpki-server)#transport tcp port 8282
RP/0/0/CPU0:XR(config-bgp-rpki-server)#refresh-time 600
Secure Inter-Domain Routing
Show bgp rpki server
IOS# show bgp ipv4 unicast rpki servers
. . .
Neighbor Statistics:
Prefixes 19677
Connection attempts: 1
Connection failures: 0
Errors sent: 0
Errors received: 0
!
Local host: 172.16.1.138, Local port: 54334
Foreign host: 172.16.1.100, Foreign port: 8282
IOS XR equivalent: show bgp rpki server summary
Secure Inter-Domain Routing
Show bgp rpki table
IOS# show bgp ipv4 unicast rpki table
Network          Maxlen  Origin-AS  Source Neighbor
1.9.0.0/16       24      4788       172.16.1.100/8282
1.9.21.0/24      24      4788       172.16.1.100/8282
1.9.52.0/24      24      4788       172.16.1.100/8282
1.9.53.0/24      24      4788       172.16.1.100/8282
1.9.112.0/24     24      4788       172.16.1.100/8282
IOS XR equivalent: show bgp rpki table ipv4
Secure Inter-Domain Routing
Show bgp rpki table ipv6
RP/0/0/CPU0:R4#show bgp rpki table ipv6
Network                Maxlen  Origin-AS  Server
2001:648:2800::/48     48      5470       172.16.1.100
2001:660:3203::/48     48      2094       172.16.1.100
2001:678:3::/48        48      42         172.16.1.100
2001:67c:224::/48      48      51164      172.16.1.100
2001:67c:2e8::/48      48      3333       172.16.1.100
. . .
Secure Inter-Domain Routing
Origin-AS Validation Results
R1#show bgp ipv4 unicast
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop         Metric LocPrf Weight Path
I*>  1.9.0.0/24       10.1.15.5          1800             0 200 4789 4790 e
I*>  1.9.1.0/24       10.1.15.5          1800             0 200 4789 4790 e
I*>  1.9.2.0/24       10.1.15.5          1800             0 200 4789 4790 e
V*>  1.9.50.0/24      10.1.15.5          1193             0 200 4790 4788 e
V*>  1.9.51.0/24      10.1.15.5          1193             0 200 4790 4788 e
V*>  1.9.52.0/24      10.1.15.5          1193             0 200 4790 4788 e
N*>  34.1.4.0/24      10.1.15.5          1657             0 200 4789 4790 4791 e
N*>  34.1.5.0/24      10.1.15.5          1657             0 200 4789 4790 4791 e
N*>  34.1.6.0/24      10.1.15.5          1657             0 200 4789 4790 4791 e
Secure Inter-Domain Routing
Origin-AS Validation Results
RP/0/0/CPU0:R4#show bgp origin-as validity valid
     Network          Next Hop         Metric LocPrf Weight Path
*>   2.1.0.0/16       10.1.46.6          2309             0 300 3215 e
*>   2.2.0.0/16       10.1.46.6          2309             0 300 3215 e
RP/0/0/CPU0:R4#show bgp origin-as validity invalid
*>   2.12.0.0/16      10.1.46.6          2747             0 300 e
*>   2.14.0.0/16      10.1.46.6          2747             0 300 e
RP/0/0/CPU0:R4#show bgp origin-as validity not-found
*>   2.16.0.0/16      10.1.46.6          2747             0 300 e
*>   2.17.0.0/16      10.1.46.6          2747             0 300 e
Secure Inter-Domain Routing
RPKI State Advertisement
By default, BGP does not advertise RPKI states to iBGP peers
This CLI at the global/global-AF level (per neighbor on IOS) enables the iBGP signaling of the validity state through an extended community
IOS
R1(config)#router bgp 100
R1(config-router)#address-family ipv4 unicast
R1(config-router-af)#neighbor 192.168.2.2 announce rpki state
IOS XR
RP/0/0/CPU0:R4(config)#router bgp 100
RP/0/0/CPU0:R4(config-bgp)#address-family ipv4 unicast
RP/0/0/CPU0:R4(config-bgp-af)#bgp origin-as validation signal ibgp
RP/0/0/CPU0:R4(config-bgp-af)#commit
Secure Inter-Domain Routing
RPKI Best Path Calculation
Validity states do not affect the best path selection process by default
Can be modified using a configuration knob.
RP/0/0/CPU0:R4#show bgp rpki summary
Origin-AS validation is ENABLED globally
Origin-AS validity WILL NOT affect bestpath selection globally
Origin-AS validity signaling towards iBGP is DISABLED globally
RP/0/0/CPU0:R4(config)#router bgp 100
RP/0/0/CPU0:R4(config-bgp)#bgp bestpath origin-as use validity
RP/0/0/CPU0:R4(config-bgp)#address-family ipv4 unicast
RP/0/0/CPU0:R4(config-bgp-af)#bgp bestpath origin-as use validity
Secure Inter-Domain Routing
Including Invalid Paths in Best Path Calculation
This CLI at the global/global-AF level allows all invalid paths to be considered for BGP best path computation
If configured at the neighbor/neighbor-AF level (must be an eBGP neighbor), then all invalid paths from that specific neighbor/neighbor-AF are considered as best path candidates
This knob only takes effect when the bgp bestpath origin-as use validity knob is enabled.
IOS
router bgp 100
address-family ipv4 unicast
bgp bestpath prefix-validate allow-invalid
IOS XR
router bgp 100
bgp bestpath origin-as allow invalid
address-family ipv4 unicast
bgp bestpath origin-as allow invalid
neighbor 10.1.46.6
bestpath origin-as allow invalid
address-family ipv4 unicast
bestpath origin-as allow invalid
Secure Inter-Domain Routing
Route Manipulation using Validity States - IOS
R1(config)#route-map Match_RPKI permit 10
R1(config-route-map)#match rpki valid
R1(config-route-map)#set local-preference 200
R1(config-route-map)#exit
R1(config)#route-map Match_RPKI permit 20
R1(config-route-map)#match rpki invalid
R1(config-route-map)#set local-preference 50
R1(config-route-map)#exit
R1(config)#route-map Match_RPKI permit 30
R1(config-route-map)#match rpki not-found
R1(config-route-map)#set local-preference 100
R1(config-route-map)#exit
R1(config)#router bgp 100
R1(config-router)#address-family ipv4 unicast
R1(config-router-af)#neighbor 10.1.15.5 route-map Match_RPKI in
Secure Inter-Domain Routing
Route Manipulation using Validity States - IOS XR
RP/0/0/CPU0:R4(config)#route-policy Match_RPKI
RP/0/0/CPU0:R4(config-rpl)#if validation-state is valid then
RP/0/0/CPU0:R4(config-rpl-if)#set local-preference 200
RP/0/0/CPU0:R4(config-rpl-if)#pass
RP/0/0/CPU0:R4(config-rpl-if)#exit
RP/0/0/CPU0:R4(config-rpl)#if validation-state is invalid then
RP/0/0/CPU0:R4(config-rpl-if)#drop
RP/0/0/CPU0:R4(config-rpl-if)#else
RP/0/0/CPU0:R4(config-rpl-else)#set local-preference 100
RP/0/0/CPU0:R4(config-rpl-else)#pass
RP/0/0/CPU0:R4(config-rpl-else)#exit
RP/0/0/CPU0:R4(config-rpl)#exit
RP/0/0/CPU0:R4(config)#router bgp 100
RP/0/0/CPU0:R4(config-bgp)#neighbor 10.1.46.6
RP/0/0/CPU0:R4(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R4(config-bgp-nbr-af)#route-policy Match_RPKI in
Remote Triggered Black Hole Filtering (RTBH)
Remote Triggered Black Hole Filtering
Background
Distributed Denial of Service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
A network under DDoS attack can face a major service and financial impact and requires immediate mitigation.
When a network is under DDoS attack, many resources such as bandwidth, CPU and memory can be used up, along with service degradation of the target servers.
Remote Triggered Black Hole Filtering
Overview
BGP Remotely Triggered Black Hole (RTBH) filtering is a security technique to mitigate or overcome DDoS attacks.
The best approach to prevent such network-wide impact is to black hole, i.e. drop, the undesirable traffic.
RTBH solution:
- Destination based
- Source based
Destination based protection is for traffic destined towards a server internal to the network. Source based protection is for traffic from the source of the unwanted traffic.
Remote Triggered Black Hole Filtering
Destination Based RTBH - Configuration
Can be configured in 4 simple steps
Step 1 - Create a static route destined to Null0
Step 2 - Create a route-map or RPL
Step 3 - Create a static route towards the destination server pointing to the Null0 interface
Step 4 - Redistribute the static route
Destination Based RTBH - Flow
Diagram:
- Static route in the edge router (entered in step 1): 192.0.2.1 = Null0
- BGP update sent out after step 2: 172.19.61.1 with next-hop = 192.0.2.1
- Resulting resolution on the edge router: 172.19.61.1 = 192.0.2.1 = Null0
What happens when the next-hop in the routing table is Null0? The next-hop of 172.19.61.1 is now equal to Null0, so traffic to 172.19.61.1 is discarded at the edge.
Remote Triggered Black Hole Filtering
Source Based RTBH
Destination based RTBH works on destination IP addresses and only prevents return traffic to an infected host. It is effective for connection-oriented protocols
- Does not prevent traffic flooding or denial-of-service type traffic from an infected host
Unicast Reverse Path Forwarding (uRPF) is a similar technique that works on source IP addresses to drop traffic by sender at the edge of the network
uRPF performs a Forwarding Information Base (FIB) lookup for the source IP on the router
- If the FIB has a route for the source IP, the packet is forwarded towards the destination
- Otherwise the reverse path forwarding (RPF) check fails, and the router drops the packet
ip verify unicast source reachable-via any
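As an added example (not from the slides), a toy FIB with recursive next-hop resolution traces both the destination-based flow above (192.0.2.1 = Null0, victim next-hop 192.0.2.1) and the loose-mode uRPF source check behind source-based RTBH. It reuses the slides' 192.0.2.1 discard next-hop and 172.19.61.1 victim address; the interface names, the attacking host and the legitimate source block are constructed.

```python
import ipaddress

# Added example, not from the slides: a toy FIB with recursive next-hop resolution,
# used to trace the destination-based RTBH flow (victim/32 -> 192.0.2.1 -> Null0) and
# the loose-mode uRPF source check ("ip verify unicast source reachable-via any")
# that source-based RTBH relies on. Routes and hosts are constructed, reusing the
# slide's 192.0.2.1 discard next-hop and 172.19.61.1 victim address.

NULL0 = "Null0"


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class FIB:
    def __init__(self):
        self.routes = []   # (network, next_hop); next_hop is an IP address or an interface name

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, next_hop) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def resolve(self, addr, max_depth=8):
        """Follow recursive next hops until an outgoing interface (or Null0) is reached.
        Returns (outgoing interface, matched prefix length) or (None, None)."""
        hit = self.lookup(addr)
        if hit is None:
            return None, None
        matched_len, nh = hit[0].prefixlen, hit[1]
        for _ in range(max_depth):
            if not is_ip(nh):
                return nh, matched_len
            nxt = self.lookup(nh)
            if nxt is None:
                return None, None
            nh = nxt[1]
        return None, None   # unresolved after max_depth levels of recursion


def forward(fib, src, dst, urpf_loose=False, allow_default=False):
    """Edge router decision: 'forward', 'drop:urpf', 'drop:dest-null0' or 'drop:no-route'."""
    if urpf_loose:
        src_out, src_len = fib.resolve(src)
        # Loose mode: the source must resolve to a real interface via a non-default route
        # (unless allow-default); a source whose route points to Null0 fails the check.
        if src_out is None or src_out == NULL0 or (src_len == 0 and not allow_default):
            return "drop:urpf"
    dst_out, _ = fib.resolve(dst)
    if dst_out is None:
        return "drop:no-route"
    if dst_out == NULL0:
        return "drop:dest-null0"
    return "forward"


def edge_router():
    """Edge router FIB before any trigger: step 1's discard route is already installed."""
    fib = FIB()
    fib.add("0.0.0.0/0", "GigabitEthernet0/0")        # upstream (constructed)
    fib.add("198.51.100.0/24", "GigabitEthernet0/0")  # a known peer/customer source block
    fib.add("172.19.0.0/16", "GigabitEthernet0/1")    # the server network
    fib.add("192.0.2.1/32", NULL0)                    # step 1: the discard next-hop
    return fib


def trigger(fib, address):
    """Steps 2-4: the trigger router advertises address/32 with next-hop 192.0.2.1 over
    iBGP; the edge installs it, and it recursively resolves to Null0."""
    fib.add(address + "/32", "192.0.2.1")


def demo():
    fib = edge_router()
    before = forward(fib, "198.51.100.7", "172.19.61.1")
    trigger(fib, "172.19.61.1")                      # destination-based RTBH for the victim
    dest_rtbh = forward(fib, "198.51.100.7", "172.19.61.1")
    trigger(fib, "203.0.113.9")                      # source-based RTBH for an attacking host
    src_rtbh = forward(fib, "203.0.113.9", "172.19.61.2", urpf_loose=True)
    legit = forward(fib, "198.51.100.7", "172.19.61.2", urpf_loose=True)
    return before, dest_rtbh, src_rtbh, legit


if __name__ == "__main__":
    print(demo())   # ('forward', 'drop:dest-null0', 'drop:urpf', 'forward')
```

The same /32-to-192.0.2.1 announcement serves both variants: for the victim it makes the destination lookup hit Null0, for the attacker it makes the uRPF source lookup hit Null0. The default-route handling mirrors the allow-default keyword of the IOS command, which matters on an edge router that only holds a default towards the upstream.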
BGP FlowSpec
BGP FlowSpec
DDoS Attacks
Distributed denial-of-service (DDoS) attacks target network infrastructures or computer services by sending an overwhelming number of service requests to the server from many sources.
Server resources are used up in serving the fake requests, resulting in denial or degradation of legitimate service requests.
Addressing DDoS attacks:
Detection - Detect incoming fake requests
Mitigation
- Diversion - Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
- Return - Send the clean traffic back to the server
Remote Triggered Black Hole Filtering
Major Internet Outages
Remote Triggered Black Hole Filtering
The Exodus Requirement
"We need a tool to drop packets based on source IP address that can be pushed out to over 60 routers within 60 seconds, be longer than a thousand lines, be modified on the fly, and work in all your platforms filtering at line rate."
Provided by engineers at Exodus during the Feb 2000 DoS post mortem
BGP FlowSpec
Diagram: a web server 192.168.1.1 hosting a website, reachable from the Internet.
BGP FlowSpec
DDoS Attack
Diagram: DDoS traffic from the Internet floods the website at 192.168.1.1.
BGP FlowSpec
Black Hole Community Provided by Provider
Diagram: while DDoS traffic from the Internet is still flooding the website, the customer announces the attacked host to the provider with the provider's black hole community (BGP: 192.168.1.1/32, Com.: 64500:666).
BGP FlowSpec
Black Hole Community Provided by Provider
Diagram: the provider's edge routers act on the announcement (BGP: 192.168.1.1/32, Com.: 64500:666 -> Discard 192.168.1.1) and discard all traffic to 192.168.1.1, so the DDoS traffic is dropped before it reaches the customer network.
BGP FlowSpec
Drawback of RTBH
"Great, I have my website back online!
No more DDoS traffic on my network.
But no more traffic at all on my website....
Well, maybe it was not the solution I was looking for...."
BGP FlowSpec
Policy Based Routing
Identification of DDoS traffic: based on conditions in MATCH statements
- Source/destination address
- Protocol
- Packet size
- Etc.
Actions upon DDoS traffic:
- Discard
- Logging
- Rate-limiting
- Redirection
- Etc.
Doesn't this sound like a great solution?
BGP FlowSpec
Pros and Cons
Good solution because:
- Done with hardware acceleration on carrier grade routers
- Can provide surgical precision of match statements and actions to impose
But...
- The customer needs to call the provider
- The customer needs the provider to accept and run this filter on each of their backbone/edge routers
- The customer needs to call the provider again to remove the rule afterwards!
Reality: it won't happen...
BGP FlowSpec
FlowSpec as an Alternative
Comparison with the other solutions:
- Makes static PBR a dynamic solution!
- Allows PBR rules to be propagated
- The existing control plane communication channel is used
How? By using your existing MP-BGP infrastructure
BGP FlowSpec
Overview
RFC 5575 - A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic. A given IP packet is said to match the defined flow if it matches all the specified criteria.
A flowspec is called an n-tuple because multiple match criteria can be defined, and all of them must match.
Traffic does not match the flowspec entry unless every tuple is matched.
BGP FlowSpec uses a new NLRI with AFI=1 and SAFI=133
BGP FlowSpec
DDoS Mitigation Steps
Mitigation of DDoS attacks is performed in two steps:
Diversion - Send traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets.
- Define match criteria
- Define action
Return - Send the clean / legitimate traffic back to the server.
BGP FlowSpec
DDoS Mitigation
[Figure: DDoS Analyser, Security Controller, sampled NetFlow from the Enterprise Network, DDoS Scrubber]
[Figure: the Security Controller advertises a BGP flowspec rule into the Enterprise Network. Flow: DDoS flow; Action: redirect to DDoS scrubber]
BGP FlowSpec NLRI based on Match Criteria
BGP Flowspec NLRI Type   QoS Match Field
Type 1                   Destination IP / IPv6 address
Type 2                   Source IP / IPv6 address
Type 3                   IP / IPv6 Protocol
Type 4                   Source or destination port
Type 5                   Destination port
Type 6                   Source port
Type 7                   ICMP Type
Type 8                   ICMP Code
Type 9                   TCP flags
Type 10                  Packet length
Type 11                  DSCP
Type 12                  Fragmentation bits
BGP FlowSpec
NLRI Type based on Action
Type     Description       PBR Action
0x8006   traffic-rate      Drop | Police
0x8007   traffic-action    Terminal Action + Sampling
0x8008   redirect-vrf      Redirect VRF
0x8009   traffic-marking   Set DSCP
0x0800   Redirect IP NH    Redirect IPv4 or IPv6 Next-Hop
BGP FlowSpec
Configuration IOS XR
RP/0/0/CPU0:RR_R3(config)#class-map type traffic match-all FS_RULE
RP/0/0/CPU0:RR_R3(config-cmap)#match source-address ipv4 192.168.1.1/32
RP/0/0/CPU0:RR_R3(config-cmap)#match destination-address ipv4 192.168.5.5/32
RP/0/0/CPU0:RR_R3(config-cmap)#exit
RP/0/0/CPU0:RR_R3(config)#policy-map type pbr FS_POLICY_MAP
RP/0/0/CPU0:RR_R3(config-pmap)#class FS_RULE
RP/0/0/CPU0:RR_R3(config-pmap-c)#drop
RP/0/0/CPU0:RR_R3(config-pmap-c)#exit
RP/0/0/CPU0:RR_R3(config-pmap)#class class-default
RP/0/0/CPU0:RR_R3(config-pmap-c)#exit
RP/0/0/CPU0:RR_R3(config-pmap)#exit
RP/0/0/CPU0:RR_R3(config)#flowspec
RP/0/0/CPU0:RR_R3(config-flowspec)#local-install interface-all
RP/0/0/CPU0:RR_R3(config-flowspec)#address-family ipv4
RP/0/0/CPU0:RR_R3(config-flowspec-af)#service-policy type pbr FS_POLICY_MAP
RP/0/0/CPU0:RR_R3(config)#commit
(local-install interface-all installs the policies locally on the hardware)
BGP FlowSpec
Configuration
Policies are defined on the RR or the controller
Establish BGP peering with the other routers in the network under the flowspec address-family
R2(config)#flowspec
R2(config-flowspec)#local-install interface-all
R2(config-flowspec)#address-family ipv4
show flowspec ipv4 nlri internal
R2#show flowspec ipv4 nlri internal
AFI: IPv4
  NLRI (hex)            :0x0120C0A805050220C0A80101
    Actions             :Traffic-rate: 0 bps (bgp.1)
    Client Version: 0
    Unsupported:        FALSE
    RT:
      VRF Name Cfg:     0x00
      RT Cfg:           0x00
      RT Registered:    0x00
      RT Resolved:      0x00
    Class handles:
      Handle [0]:       4c9da1
      Class Handle Version: 1
      Sequence:         1024
    . . .
    Statistics          (packets/bytes)
      Matched           : 8/912
      Dropped           : 8/912
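The NLRI hex in the output above is the wire form of the two-component rule configured earlier (destination 192.168.5.5/32, source 192.168.1.1/32). The following decoder is an added example, not code from the session or from Cisco: it parses the RFC 5575 component types listed in the match-criteria table, evaluates the "every component must match" rule against constructed packet dictionaries, and decodes the 0x8006 traffic-rate extended community from the action table (a rate of 0 bps is the drop case shown in the output). It assumes the component bytes are passed without the NLRI length byte, and it implements only prefix and numeric-operator components; the bitmask operator used by TCP flags (type 9) and fragment bits (type 12) is left out. The additional NLRI and packets in the usage section are constructed test inputs.

```python
"""Decode BGP FlowSpec NLRI (RFC 5575) and apply the all-components-must-match rule."""
import ipaddress
import struct

# RFC 5575 section 4 component types carried in the AFI=1/SAFI=133 NLRI
PREFIX_TYPES = {1: "dst", 2: "src"}
NUMERIC_TYPES = {3: "proto", 4: "port", 5: "dport", 6: "sport",
                 7: "icmp_type", 8: "icmp_code", 10: "length", 11: "dscp"}


def _decode_prefix(buf, i):
    """Type 1/2: one prefix-length byte, then only as many address bytes as needed."""
    plen = buf[i]
    nbytes = (plen + 7) // 8
    raw = bytes(buf[i + 1:i + 1 + nbytes]).ljust(4, b"\x00")
    net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(raw)}/{plen}", strict=False)
    return net, i + 1 + nbytes


def _decode_numeric(buf, i):
    """Types 3-8/10/11: (operator byte, value) pairs; the 'e' bit ends the list."""
    terms = []
    while True:
        op = buf[i]
        vlen = 1 << ((op >> 4) & 0x3)          # len field selects 1, 2, 4 or 8 bytes
        value = int.from_bytes(buf[i + 1:i + 1 + vlen], "big")
        terms.append({"and": bool(op & 0x40), "lt": bool(op & 0x04),
                      "gt": bool(op & 0x02), "eq": bool(op & 0x01), "value": value})
        i += 1 + vlen
        if op & 0x80:                          # end-of-list bit
            return terms, i


def decode_nlri(data):
    """Return {field: matcher} for one NLRI given as component bytes (no length byte)."""
    comps, i, last_type = {}, 0, 0
    while i < len(data):
        t = data[i]
        if t <= last_type:                     # RFC 5575: types ascend, each at most once
            raise ValueError(f"component type {t} out of order")
        if t in PREFIX_TYPES:
            comps[PREFIX_TYPES[t]], i = _decode_prefix(data, i + 1)
        elif t in NUMERIC_TYPES:
            comps[NUMERIC_TYPES[t]], i = _decode_numeric(data, i + 1)
        else:
            raise ValueError(f"unsupported component type {t}")
        last_type = t
    return comps


def _numeric_matches(terms, x):
    """OR of AND-groups, left to right, as the 'a' bit of each operator dictates."""
    result, group = False, True
    for idx, term in enumerate(terms):
        hit = ((term["lt"] and x < term["value"]) or (term["gt"] and x > term["value"])
               or (term["eq"] and x == term["value"]))
        if idx > 0 and not term["and"]:        # a cleared AND bit opens a new OR group
            result, group = result or group, True
        group = group and hit
    return result or group


def packet_matches(comps, pkt):
    """The n-tuple rule: the packet matches only if every component matches."""
    for field, matcher in comps.items():
        if field == "port":                    # type 4: either source or destination port
            if not any(k in pkt and _numeric_matches(matcher, pkt[k]) for k in ("sport", "dport")):
                return False
            continue
        if field not in pkt:
            return False
        if isinstance(matcher, ipaddress.IPv4Network):
            if ipaddress.IPv4Address(pkt[field]) not in matcher:
                return False
        elif not _numeric_matches(matcher, pkt[field]):
            return False
    return True


def decode_traffic_rate(ec):
    """0x8006 extended community: type, 2-byte AS, IEEE float rate; 0 bps means drop."""
    typ, asn, rate = struct.unpack("!HHf", ec)
    if typ != 0x8006:
        raise ValueError("not a traffic-rate extended community")
    return asn, rate, "drop" if rate == 0 else "police"


if __name__ == "__main__":
    rule = decode_nlri(bytes.fromhex("0120C0A805050220C0A80101"))   # hex from the show output
    print(rule)                                                      # dst and src /32 prefixes
    print(packet_matches(rule, {"dst": "192.168.5.5", "src": "192.168.1.1"}))   # True
    print(packet_matches(rule, {"dst": "192.168.5.5", "src": "192.168.1.2"}))   # False
    # constructed: dst 192.168.5.5/32, proto 6, dport 80 or 443, length >1000 and <1500
    rule2 = decode_nlri(bytes.fromhex("0120C0A805050381060501509101BB0A1203E8D405DC"))
    print(packet_matches(rule2, {"dst": "192.168.5.5", "proto": 6, "dport": 443, "length": 1200}))
    print(decode_traffic_rate(bytes.fromhex("8006000000000000")))    # (0, 0.0, 'drop')
```

The decoder enforces the ordering rule (ascending component types) because a malformed or duplicated component is the kind of update a receiving router should reject rather than silently apply; the same function can be run over NLRI captured from a BGP session to check what a controller actually advertised.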
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions
Thank you
Internet of Things (IoT) Cisco Education Offerings
Course | Description | Cisco Certification
NEW! IMINS2 | An associate level instructor led training course designed to prepare you for the CCNA Industrial certification | CCNA Industrial
Managing Industrial Networks with Cisco Networking Technologies (IMINS) | This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises | Cisco Industrial Networking Specialist
Control Systems Fundamentals for Industrial Networking (ICINS) | For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks |
Networking Fundamentals for Industrial Control Systems (INICS) | For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols. |
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Business Transformation Cisco Education Offerings
Course | Description | Cisco Certification
For IT and Network Professionals:
Building Business Specialist Skills | Builds non-technical skills key to ensure business impact and influence. Topics include: business analysis, finance, technology adoption and effective communications. Bridges IT and business impacts of mature and emerging solutions including cloud plus Internet of Everything | Cisco Enterprise IT Business Specialist
For Technology Sellers:
Applying Cisco Specialized Business Value Analysis Skills | Builds skills to discover and address technology needs using a business-focused, consultative sales approach | Cisco Business Value Specialist
Executing Advanced Cisco Business Value Analysis and Design Techniques | Enables customer transformation through business architecture and solution selling expertise | Cisco Certified Business Value Practitioner
Performing Cisco Business-Focused Transformative Architecture Engagements | Provides skills and an approach to build a strategic roadmap of IT initiatives, aligned to business priorities | Cisco Transformative Architecture Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Security Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Security | Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks. | CCIE Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP Security
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security | CCNP Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Network Security Product Training | For official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances. |
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
R&S Related Cisco Education Offerings
Course | Description | Cisco Certification
CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs | Expert level trainings including: instructor led workshops, self assessments, practice labs and CCIE Lab Builder to prepare candidates for the CCIE R&S practical exam. | CCIE Routing & Switching
Implementing Cisco IP Routing v2.0; Implementing Cisco IP Switched Networks V2.0; Troubleshooting and Maintaining Cisco IP Networks v2.0 | Professional level instructor led trainings to prepare candidates for the CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in self study eLearning formats with Cisco Learning Labs. | CCNP Routing & Switching
Interconnecting Cisco Networking Devices: Part 2 (or combined) | Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 networks. Also available in self study eLearning format with Cisco Learning Lab. | CCNA Routing & Switching
Interconnecting Cisco Networking Devices: Part 1 | Installation, configuration, and basic support of a branch network. Also available in self study eLearning format with Cisco Learning Lab. | CCENT Routing & Switching
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Wireless Cisco Education Offerings
Course | Description | Cisco Certification
Designing Cisco Wireless Enterprise Networks; Deploying Cisco Wireless Enterprise Networks; Troubleshooting Cisco Wireless Enterprise Networks; Securing Cisco Wireless Enterprise Networks | Professional level instructor led trainings to prepare candidates to conduct site surveys, implement, configure and support APs and controllers in converged Enterprise networks. Focused on 802.11 and related technologies to design, deploy, troubleshoot as well as secure Wireless infrastructure. Course also provides details around Cisco Mobility Services Engine, Prime Infrastructure and wireless security. | CCNP Wireless Version 3.0 (Available March 22nd, 2016)
Implementing Cisco Unified Wireless Network Essential | Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations. | CCNA Wireless (Available Now)
Deploying Basic Cisco Wireless LANs (WDBWL) 1.2; Deploying Advanced Cisco Wireless LANs (WDAWL) 1.2; Deploying Cisco Connected Mobile Experiences (WCMX) 2.0 | Understanding of the Cisco Unified Wireless Networking for enterprise deployment scenarios. In this course, you will learn the basics of how to install, configure, operate, and maintain a wireless network, both as an add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified Wireless Networking solution. The WDAWL advanced course is designed with the goal of providing learners with the knowledge and skills to successfully plan, install, configure, troubleshoot, monitor, and maintain advanced Cisco wireless LAN solutions such as QoS, salt and pepper mobility, high density deployments, and outdoor mesh deployments in an enterprise customer environment. WCMX will prepare professionals to use the Cisco Unified Wireless Network to configure, administer, manage, troubleshoot, and optimize utilization of mobile content while gaining meaningful client analytics. |
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Design Cisco Education Offerings
Course | Description | Cisco Certification
Designing Cisco Network Service Architectures (ARCH) Version 3.0 | Provides learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports desired capacity, performance, availability required for converged Enterprise network services and applications. | CCDP (Design Professional) (Available Now)
Designing for Cisco Internetwork Solutions (DESGN) Version 3.0 | Instructor led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam. | CCDA (Design Associate) (Available Now)
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Service Provider Cisco Education Offerings
Course | Description | Cisco Certification
Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE) | SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; | CCNP Service Provider
Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE) | SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; | CCNP Service Provider
Edge Network Services (SPEDGE) | SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments. | CCNP Service Provider
Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1), (SPNGN2) | The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR). | CCNA Service Provider
Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE) | The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs). | Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist
Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR) | Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment. | Cisco IOS XR Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Collaboration Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Collaboration Advanced Workshop (CIEC) | Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks | CCIE Collaboration
Implementing Cisco Collaboration Applications (CAPPS) | Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection. | CCNP Collaboration
Implementing Cisco IP Telephony and Video Part 1 (CIPTV1) | Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network. | CCNP Collaboration
Implementing Cisco IP Telephony and Video Part 2 (CIPTV2) | Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment. | CCNP Collaboration
Troubleshooting Cisco IP Telephony and Video (CTCOLLAB) | Troubleshoot complex integrated voice and video infrastructures | CCNP Collaboration
Implementing Cisco Collaboration Devices (CICD) | Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager. | CCNA Collaboration
Implementing Cisco Video Network Devices (CIVND) | Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures. | CCNA Collaboration
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Data Center / Virtualization Cisco Education Offerings
Course | Description | Cisco Certification
Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT) | Learn basic data center technologies and skills to build a data center infrastructure. | CCNA Data Center
Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI); Designing Cisco Data Center Unified Computing (DCUDC); Designing Cisco Data Center Unified Fabric (DCUFD); Troubleshooting Cisco Data Center Unified Computing (DCUCT); Troubleshooting Cisco Data Center Unified Fabric (DCUFT) | Obtain professional level skills to design, configure, implement, troubleshoot data center network infrastructure. | CCNP Data Center
Product Training Portfolio: DCNMM, DCAC9K, DCINX9K, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K | Gain hands-on skills using Cisco solutions to configure, deploy, manage and troubleshoot unified computing, policy-driven and virtualized data center network infrastructure. |
Designing the FlexPod Solution (FPDESIGN); Implementing and Administering the FlexPod Solution (FPIMPADM) | Learn how to design, implement and administer FlexPod solutions | Cisco and NetApp Certified FlexPod Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Network Programmability Cisco Education Offerings
Course | Description | Cisco Certification
Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI) | Learn networking concepts, and how to deploy and troubleshoot programmable network architectures with these self-paced courses. | Cisco Business Application Engineer Specialist Certification
Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI) | Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers. | Cisco Network Programmability Developer Specialist Certification
Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI) | Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability. | Cisco Network Programmability Design Specialist Certification
Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI) | Learn how to implement and troubleshoot open IT infrastructure technologies. | Cisco Network Programmability Engineer Specialist Certification
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Cloud Cisco Education Offerings
Course | Description | Cisco Certification
Understanding Cloud Fundamentals (CLDFND) | Learn how to perform foundational tasks related to Cloud computing, and the essentials of Cloud infrastructure | CCNA Cloud
Introducing Cloud Administration (CLDADM) | Learn the essentials of Cloud administration and operations, including how to provision, manage, monitor, report and remediate. | CCNA Cloud
Implementing and Troubleshooting the Cisco Cloud Infrastructure (CLDINF) | Learn how to implement and troubleshoot Cisco Cloud infrastructure: compute, network, storage. | CCNP Cloud
Designing the Cisco Cloud (CLDDES)* | Learn how to design private and hybrid Clouds including infrastructure, automation, security and virtual network services | CCNP Cloud
Automating the Cisco Enterprise Cloud (CLDAUT)* | Learn how to automate Cloud deployments provisioning IaaS (private, private with network automation and hybrid) and applications, life cycle management | CCNP Cloud
Building the Cisco Cloud with Application Centric Infrastructure (CLDACI)* | Learn how to build Cloud infrastructures based on Cisco Application Centric Infrastructure, including design, implementation and automation | CCNP Cloud
UCS Director Foundation (UCSDF) | Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director. |
* Available Q2CY2016
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]