Notes Net4

The document outlines the structure and functionality of a Virtual Private Network (VPN) that connects various locations securely to a corporate network using devices like Cisco ASA Firewalls and routers. It explains the evolution of VPNs from early tunneling protocols like GRE, which lacked encryption, to modern protocols that ensure data security through encryption and authentication methods. Additionally, it discusses different VPN topologies, such as Hub-and-Spoke, and highlights the importance of scalability and compatibility with broadband technology for efficient VPN performance.

VPN END TO END

The diagram shows a Virtual Private Network (VPN) setup that connects various locations and
users securely to a main corporate network through the internet. Here’s a simple breakdown:

1. Main Site (Corporate Headquarters):
o This is the central network where important corporate resources are stored.
o A Cisco ASA Firewall is used to protect the network from unauthorized access,
while allowing secure connections.
2. Business Partner with a Cisco Router:
o A business partner’s network is connected to the main site over the internet using
a secure VPN tunnel through a Cisco Router. This ensures that the partner can
safely access corporate resources.
3. Regional Office with a Cisco ASA Firewall:
o Another office location connects to the main corporate network using a Cisco
ASA Firewall for security. It ensures that all data passed between this regional
office and the main office is protected.
4. SOHO (Small Office/Home Office) with a Cisco Router:
o This represents employees or small offices working from home or remote
locations. A Cisco Router is used to connect securely to the corporate network,
allowing them to access internal systems as if they were physically present at the
office.
5. Mobile Worker with Cisco AnyConnect:
o Mobile workers (employees working remotely from various locations like cafés or
on the road) use the Cisco AnyConnect VPN client on their laptops or mobile
devices to connect securely to the corporate network over the internet. This gives
them full access to corporate resources with strong encryption for security.

How It All Works:

• Each external location or user connects over the public internet using secure tunnels
(VPN) to ensure that data is encrypted and protected.
• The Cisco ASA Firewall at the main site acts as the central point, filtering incoming and
outgoing traffic to ensure security.
• Through this setup, users and offices located anywhere can safely access corporate
systems as if they were on the same private network, without exposing sensitive data to
the public internet.
Early VPNs were simple IP tunnels without authentication or encryption. One example is Generic
Routing Encapsulation (GRE), a tunneling protocol developed by Cisco. GRE allows different types of
network layer protocol packets to be encapsulated inside IP tunnels, creating a virtual point-to-point link
between remote Cisco routers over an IP network. However, GRE lacks built-in encryption, meaning it
doesn't secure the data being transmitted.

EX. page 5

Early VPNs were like "virtual tunnels" for data, but they didn't have any locks (no encryption or
security). One example is Generic Routing Encapsulation (GRE), a tool made by Cisco.

Imagine you're sending a letter inside an envelope. GRE is like that envelope—it can carry
different kinds of information through the internet. But, here's the problem: the envelope
isn't sealed, so anyone could open it and read your letter (your data), because GRE doesn't
have encryption to protect it.

So while GRE helps create a connection between remote locations (like between two
routers), it doesn't keep your information secure.
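To make the unsealed-envelope point concrete, here is an added example (written for these notes, not code from Cisco or from the original document) that builds a GRE packet in the RFC 2784 layout around a constructed inner IPv4 packet and then parses it back: the application bytes come out unchanged, because GRE encapsulates but never encrypts. The addresses, the payload text and the inner protocol number 253 are constructed sample values.

```python
import socket
import struct

# GRE protocol-type values are EtherTypes; the two carried most often are IPv4 and IPv6.
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_IPV6 = 0x86DD
GRE_FLAG_CHECKSUM = 0x8000  # C bit, the most significant bit of the flags/version word


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IP and by the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_ipv4(src: str, dst: str, data: bytes) -> bytes:
    """Constructed sample inner packet: a minimal IPv4 header (protocol 253, reserved for
    experimentation) followed by the application data. This is what the tunnel carries."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0x1234, 0x4000,
                         64, 253, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + data


def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IPV4, checksum: bool = False) -> bytes:
    """Prefix payload with a GRE header. Note what is missing: there is no key exchange,
    no cipher and no authentication tag; the payload goes on the wire as-is."""
    flags = GRE_FLAG_CHECKSUM if checksum else 0  # version bits (low 3) stay 0
    header = struct.pack("!HH", flags, proto)
    if checksum:
        # The checksum covers the GRE header (checksum field zeroed) plus the payload.
        csum = inet_checksum(header + b"\x00\x00\x00\x00" + payload)
        header += struct.pack("!HH", csum, 0)  # checksum, reserved1
    return header + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Parse the GRE header and return the protocol type and the untouched payload.
    Anyone on the path can run this: decapsulation needs no secret."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x7:
        raise ValueError("only GRE version 0 (RFC 2784) is handled here")
    offset, checksum_ok = 4, None
    if flags & GRE_FLAG_CHECKSUM:
        csum = struct.unpack("!H", packet[4:6])[0]
        checksum_ok = inet_checksum(packet[:4] + b"\x00\x00\x00\x00" + packet[8:]) == csum
        offset = 8
    return {"protocol": proto, "checksum_present": offset == 8,
            "checksum_ok": checksum_ok, "payload": packet[offset:]}


def exposed_data(gre_packet: bytes) -> bytes:
    """Strip GRE, then the inner IPv4 header, to get the application bytes in cleartext."""
    inner = gre_decapsulate(gre_packet)["payload"]
    ihl = (inner[0] & 0x0F) * 4  # IPv4 header length in bytes
    return inner[ihl:]


def demo() -> bytes:
    inner = build_inner_ipv4("192.168.1.10", "192.168.2.20", b"payroll export: SECRET")
    tunnel_packet = gre_encapsulate(inner, GRE_PROTO_IPV4, checksum=True)
    # An observer sees the tunnel packet; the inner data is recoverable without any key.
    return exposed_data(tunnel_packet)


if __name__ == "__main__":
    print(demo())
```

The same parser with an IPsec-protected tunnel would only recover ciphertext, which is the difference the notes go on to describe.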

Today, VPNs typically use encryption for security, like with IPsec VPNs. To set up a VPN, you need a
VPN gateway, which can be a router, firewall, or a Cisco Adaptive Security Appliance (ASA). The ASA
is a specialized firewall device that combines several functions: firewall, VPN concentrator, and intrusion
prevention, all in one.

Here's a simple breakdown: page 7

1. VPN Gateway: This is like a door between two networks. It controls who can connect to
a private network over the internet. A VPN gateway can be a router, firewall, or special
device like a Cisco ASA.
2. IPsec VPN: This is a type of VPN that adds a lock to your data by encrypting it. It
makes sure that any information sent through the VPN is secure and can't be easily read
by anyone else.
3. ASA (Adaptive Security Appliance): This is a special all-in-one security device made
by Cisco. It works as a firewall (blocks unwanted traffic), a VPN concentrator (manages
secure VPN connections), and an intrusion prevention system (stops attacks). It's like a
powerful security guard for your network!

Here are some more specific speed benchmarks based on various tests and reports for each VPN
protocol. Keep in mind these are approximate and can vary:
1. OpenVPN:
o TCP (Transmission Control Protocol): Typically around 50-150 Mbps.
o UDP (User Datagram Protocol): Typically around 100-200 Mbps.
o Factors Affecting Speed: TCP is more reliable but can be slower; UDP is faster but less
reliable. Encryption level and server load can also impact speeds.
2. WireGuard:
o Typical Speeds: Can often achieve 200-500 Mbps or more.
o Factors Affecting Speed: Known for its high speeds due to its efficient design and
modern cryptographic methods. Performance can be very close to your base internet
speeds, depending on server and network conditions.
3. IPSec/IKEv2:
o Typical Speeds: Generally 100-300 Mbps.
o Factors Affecting Speed: Offers a good balance between security and speed. Can
perform well due to efficient encryption and handling of network changes.
4. L2TP/IPSec:
o Typical Speeds: Usually in the range of 50-150 Mbps.
o Factors Affecting Speed: The combination of L2TP and IPSec can create additional
overhead, which often results in slower speeds compared to more modern protocols.

Real-World Testing Example:

• OpenVPN UDP: Around 120 Mbps (test data from various VPN reviews).
• WireGuard: 300-450 Mbps (reported by several VPN services).
• IPSec/IKEv2: 150-250 Mbps (common range in tests).
• L2TP/IPSec: Around 80 Mbps (based on multiple tests).

A DSL modem connects a single device or router to a DSL internet service, providing internet access
over a telephone line for homes or small offices. In contrast, a Modem Bank is a collection of multiple
modems grouped together to manage many dial-up connections simultaneously, typically used in larger
organizations or service providers before broadband became common.

A DSL modem (Digital Subscriber Line modem) is a device that connects your home to the
internet using your phone line, giving you faster internet than old dial-up.

• PLDT DSL Modems:
o Huawei EchoLife HG8145V: A common modem/router provided by PLDT for their
DSL and fiber connections. It supports ADSL and VDSL technologies.
o Zyxel P-660HN-T1A: A popular ADSL2+ modem-router combo offered by PLDT for
DSL internet connections.
• Globe DSL Modems:
o ZTE ZXHN H108N: A modem/router used by Globe for their DSL subscribers. It
supports ADSL2+ technology and wireless functionality.
o Huawei HG532d: ADSL2+ modem-router that Globe provides for some of its DSL
broadband plans.

A modem bank is a big box that has lots of modems inside it, allowing many people to use the
internet at the same time through dial-up, which was used before fast internet like DSL existed.

Scalability:

• What it means: VPNs let companies easily add more users by using the internet they
already have. If they need to support more people, they can do it without buying a lot of
new equipment.
• Why it’s helpful: It’s like being able to add more chairs to a table without needing a new
table. It makes growing the company easy and cheap.

Internet infrastructure within ISPs and devices

• Broadband Connections: High-speed connections like DSL, cable, or fiber-optic,
provided by ISPs, offer the bandwidth needed for efficient VPN performance.
• Routers and Firewalls: Modern routers and firewalls with VPN support can handle
the encryption and tunneling processes required for secure connections.
• VPN Gateways: Dedicated VPN gateways manage and secure VPN traffic, ensuring
robust encryption and connectivity.
• Load Balancers: These distribute traffic across multiple servers or VPN gateways to
optimize performance and reliability.
• Content Delivery Networks (CDNs): CDNs can enhance the speed and efficiency of
data delivery over the internet, benefiting VPN users by reducing latency.
• Network Monitoring Tools: Tools that monitor network performance and security
help maintain a stable and secure VPN connection.

Compatibility with Broadband Technology:

• What it means: VPNs let people who work from home or on the go use fast internet (like
DSL or cable) to connect to their company’s network.
• Why it’s helpful: It’s like letting remote workers use their fast home internet to easily
get to work stuff. It saves money and makes working from different places more
convenient.
• Regular TCP/IP Traffic: This is just how data normally travels on the internet. It
includes things like browsing the web or sending emails. TCP/IP are the rules that help
computers talk to each other.
• Through a VPN Gateway: The VPN gateway is like a special security checkpoint. It
makes sure that the data being sent (like emails or website requests) is protected and
secure before it travels over the internet.

Security

o A Cisco ASA Firewall is used to protect the network from unauthorized access,
while allowing secure connections.

Encryption Protocols:

• AES-256 Encryption: VPNs often use AES-256 (Advanced Encryption Standard with a
256-bit key) to encrypt data. This is a strong encryption standard that makes it extremely
difficult for anyone to decipher the data without the correct key.
o Key size: 256-bit key for encryption and decryption.
o Rounds: 14 rounds of processing on each block.
o Block size: AES processes data in fixed-size blocks of 128 bits (16 bytes).
o bit = a 0 or a 1
o byte = contains 8 bits
• RSA Encryption: For secure key exchange, VPNs might use RSA (Rivest-Shamir-Adleman)
encryption, which ensures that the keys used to encrypt and decrypt data are
transmitted securely.

Authentication Methods:

• Two-Factor Authentication (2FA): VPN services may require an additional verification
step beyond just a password, such as a code sent to a phone or an app, enhancing security.
• Public Key Infrastructure (PKI): This method involves digital certificates and a trusted
certificate authority (CA) to verify the identity of users and devices. It helps ensure that
only authorized entities can access the VPN.

Secure Tunneling Protocols:

• OpenVPN: This open-source protocol uses SSL/TLS for key exchange and provides
robust encryption and authentication methods.
• IPSec/IKEv2: This combination of protocols ensures secure data transfer by encrypting
the data and using authentication methods to verify the identity of both ends of the
connection.
So, "regular TCP/IP traffic through a VPN gateway" means that your usual internet data is
sent through a secure checkpoint (the VPN gateway) that adds extra protection to keep it safe
while traveling.

TCP/IP stands for Transmission Control Protocol/Internet Protocol. It’s a set of rules that
computers use to communicate over the internet. Here’s what each part means:

• Transmission Control Protocol (TCP): Ensures that data sent from one computer to
another arrives correctly and in the right order.
• Internet Protocol (IP): Handles the addressing and routing of data, so it knows where to
go and how to get there.

Together, TCP/IP makes sure that data can travel across the internet efficiently and accurately.

site-to-site VPN

This image shows how two locations connect securely using a site-to-site VPN. Here's a simpler
explanation:

1. Laptop on the left: The user (or device) doesn't need to know about the VPN. They use
the internet as usual.
2. VPN devices: Special devices (routers or firewalls) at both locations create a secure
"tunnel" through the internet to protect the data.
3. Internet: The data travels over the public internet, but it's encrypted (made secure) so no
one can see or steal it.
4. Destination: On the other side, the VPN device at the remote location (like a company
office) decrypts the data and lets it into the network.

Basically, it allows two different locations (like an office and a branch) to communicate securely
over the internet without users needing to do anything special.

"Tunneling" in a VPN refers to the method used to securely send data from one point to another
over the internet. Here’s what it means:

1. Data Encapsulation: Tunneling takes your data and wraps it in a secure "tunnel." This
tunnel is like a protective layer that hides your data from anyone who might try to
intercept it.
2. Secure Path: The "tunnel" is a private path through the public internet. Even though your
data travels over the public internet, it stays secure and hidden inside this tunnel.
3. End-to-End Security: The data travels from your device to a VPN server through this
secure tunnel. Once it reaches the VPN server, it is sent to its final destination, still
protected by the tunnel.
In essence, tunneling VPNs create a private, secure path for your data to travel over the internet,
keeping it safe from eavesdropping and unauthorized access.

REMOTE USER

This image shows how a remote worker connects securely to their company network using Cisco
AnyConnect VPN. Here's a simpler explanation:

1. Remote User: The person uses their laptop with Cisco AnyConnect software to connect.
2. VPN Tunnel: The connection between the laptop and the company is protected by a
secure "tunnel" over the internet. This keeps the data safe.
3. Firewall: The company's firewall (Cisco ASA) checks the connection to make sure it's
safe and only lets in authorized users.
4. VPN Server: Once approved, the user can access the company's network and resources.

In summary, this shows how a remote user can use Cisco AnyConnect to securely connect to a
company's network via a VPN tunnel, passing through a firewall (Cisco ASA) for protection and
authentication.

HUB SPOKE

This image shows a Hub-and-Spoke VPN topology, which is a common way to connect
multiple networks or locations securely. Here’s a simple explanation of how it works:

1. Hub:
o The Hub is the central point where all the connections come together. It controls the
communication between the other locations (called spokes).
2. Spokes (A, B, C):
o These are the different locations or networks (Spoke A, Spoke B, Spoke C). They
connect to the hub, but not directly to each other.
3. Hub-to-Spoke Tunnels:
o The green lines represent secure VPN connections (or tunnels) between each spoke and
the hub. All communication between spokes must go through the hub.

How it works:

 If Spoke A wants to communicate with Spoke B, the traffic first goes to the Hub, which then
sends it to Spoke B.
 The Hub manages and secures the data traffic between the spokes, ensuring everything stays
private and controlled.
This topology is commonly used in networks where a central office (hub) needs to manage
communication between multiple branch offices (spokes).

DMVPN Hub-to-Spoke and Spoke-to-Spoke Tunnels

This image shows a Hub-and-Spoke network setup, where:

1. Hub: The central router (Hub) connects to all other routers (Spokes).
2. Spokes: These are the outer routers (Spoke A, B, and C) that connect to the Hub.
3. Green Lines (Hub-to-Spoke Tunnels): These lines show that each Spoke connects to
the Hub, so all communication usually goes through the Hub.
4. Orange Lines (Spoke-to-Spoke Tunnels): These lines show direct connections between
Spokes, allowing them to talk to each other without passing through the Hub.

In simple terms, Spokes can either talk to the Hub directly or to each other, depending on the
setup.

The key difference between DMVPN Hub-to-Spoke Tunnels and DMVPN Hub-to-Spoke and
Spoke-to-Spoke Tunnels lies in how traffic flows between the routers (spokes) in the network:

1. DMVPN Hub-to-Spoke Tunnels (Green Lines in the Image):
• Traffic Flow: All traffic between spokes must pass through the hub. This means if Spoke A
wants to communicate with Spoke B, the data first goes to the hub and then from the hub to
Spoke B.
• Use Case: This is useful when you want centralized control over all communication or security
policies, and all traffic is managed by the hub.
• Limitation: This setup can lead to higher latency because data has to travel to the hub first, even
if the spokes are geographically close to each other.

2. DMVPN Hub-to-Spoke and Spoke-to-Spoke Tunnels (Green + Orange Lines in the Image):
• Traffic Flow: While initial communication between spokes goes through the hub to establish the
connection, once it's set up, the spokes can communicate directly with each other (Spoke-to-Spoke).
This is represented by the orange lines.
• Use Case: This setup is more efficient for spoke-to-spoke communication because it reduces
latency by allowing direct connections after the initial setup through the hub.
• Advantage: This method is more efficient for bandwidth use, as the hub is bypassed once the
direct spoke-to-spoke tunnel is established.

Summary:

• Hub-to-Spoke: All communication goes through the hub (centralized).
• Hub-to-Spoke + Spoke-to-Spoke: Spokes can connect directly to each other after an initial setup
through the hub, improving speed and reducing latency.

1. Hub Router (left side): This is the central router that acts as the main connection point.
In the diagram, it has:
o Gigabit Interface 0/0 (Gi0/0) connected with the IPv4 address 192.168.123.1.
o It's also connected to the cloud network with an IPv6 address prefix
2001:DB8::/64.
2. Spoke Routers (right side): These are remote routers that connect to the hub via the
cloud. There are two spokes:
o Spoke 1: Has an IPv4 address 192.168.123.2 on its Gigabit Interface 0/0 (Gi0/0),
and connects to the cloud.
o Spoke 2: Has an IPv4 address 192.168.123.3 on its Gigabit Interface 0/0 (Gi0/0),
and also connects to the cloud.
3. Cloud Connection: The cloud represents a network (often the internet or a VPN)
connecting the Hub to the Spokes. Both IPv6 and IPv4 addresses are used here, with the
Hub and Spokes sharing the same IPv6 network prefix 2001:DB8::/64.

Summary:

 The hub connects to two spoke routers via a cloud using both IPv4 and IPv6 addresses.
 IPv4 is used for direct router connections (e.g., Gi0/0 interfaces), while IPv6 is used as
the addressing scheme across the cloud network.

This topology is common in VPNs or MPLS networks, where the hub router manages
connections to multiple remote spokes.
24-26 (in the presentation and explanation)
28-29 Verifying GRE
Tunnel Verification:
The first command checks if the tunnel interface (e.g., Tunnel 0) is up and has an assigned IP address.
The second command verifies the GRE tunnel state, source and destination addresses, and supported GRE
mode.
The line protocol remains up as long as there’s a route to the tunnel destination.
Prerequisites for GRE Tunnels:
Before implementing a GRE tunnel, ensure IP connectivity exists between the physical interfaces at both
ends.
A routing protocol (e.g., OSPF) can exchange route information over the tunnel interface.
30-32 Troubleshoot GRE
Use show ip interface brief on both routers.
Check that the tunnel interface is up and has the correct IP addresses for both the physical interface and
the tunnel interface.
Verify that the source interface on each router is also up and configured correctly.

Use show ip ospf neighbor to check OSPF neighbor adjacency. NOTE: you can also use show ip route
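The checks in steps 30-32 can be scripted. The following added example (not from the notes or from Cisco) parses constructed show ip interface brief and show ip ospf neighbor output and reports which of the checks above fail; the interface names Tunnel0 and GigabitEthernet0/0, the 209.165.200.0/30 and 10.10.10.0/30 addresses, and the second router's broken state are assumptions made for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output (not a real capture). Router A is healthy; Router B was written to
# show the failure case where the tunnel source interface was shut down.
ROUTER_A_IF_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     209.165.200.1   YES manual up                    up
GigabitEthernet0/1     192.168.1.1     YES manual up                    up
Tunnel0                10.10.10.1      YES manual up                    up
"""
ROUTER_A_OSPF = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        0   FULL/  -        00:00:37    10.10.10.2      Tunnel0
"""
ROUTER_B_IF_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     209.165.200.2   YES manual administratively down down
GigabitEthernet0/1     192.168.2.1     YES manual up                    up
Tunnel0                10.10.10.2      YES manual up                    down
"""
ROUTER_B_OSPF = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
"""

IF_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(?:YES|NO)\s+\S+\s+(.+?)\s+(up|down)\s*$")


@dataclass
class Interface:
    name: str
    ip: Optional[str]      # None when IOS prints 'unassigned'
    status: str            # 'up', 'down' or 'administratively down'
    protocol: str          # line protocol: 'up' or 'down'


def parse_interface_brief(text: str) -> Dict[str, Interface]:
    """One Interface per data row of show ip interface brief (the column header does not match)."""
    ifaces: Dict[str, Interface] = {}
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            name, ip, status, proto = m.groups()
            ifaces[name] = Interface(name, None if ip == "unassigned" else ip, status, proto)
    return ifaces


def parse_ospf_neighbors(text: str) -> Dict[str, str]:
    """Map interface -> neighbor state from show ip ospf neighbor. The State column can contain
    spaces ('FULL/  -' on point-to-point links), so the row is split from both ends."""
    states: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        tokens = line.split()
        if len(tokens) >= 6:
            states[tokens[-1]] = " ".join(tokens[2:-3])
    return states


def check_gre_tunnel(if_brief: str, ospf_neighbors: str, tunnel: str = "Tunnel0",
                     source: str = "GigabitEthernet0/0") -> List[str]:
    """Apply the checks from the notes; an empty list means the tunnel passed all of them."""
    ifaces = parse_interface_brief(if_brief)
    findings: List[str] = []
    src = ifaces.get(source)
    if src is None:
        findings.append(f"{source}: tunnel source interface not found")
    elif src.status != "up" or src.protocol != "up":
        findings.append(f"{source}: {src.status}/{src.protocol}, the tunnel source must be up/up")
    elif src.ip is None:
        findings.append(f"{source}: no IP address, the tunnel needs a source address")
    tun = ifaces.get(tunnel)
    if tun is None:
        findings.append(f"{tunnel}: tunnel interface not configured")
    else:
        if tun.ip is None:
            findings.append(f"{tunnel}: no IP address on the tunnel interface")
        if tun.protocol != "up":
            findings.append(f"{tunnel}: line protocol down, check the route to the tunnel destination")
    state = parse_ospf_neighbors(ospf_neighbors).get(tunnel)
    if state is None:
        findings.append(f"{tunnel}: no OSPF neighbor, adjacency has not formed over the tunnel")
    elif not state.startswith("FULL"):
        findings.append(f"{tunnel}: OSPF neighbor state is {state}, expected FULL")
    return findings


if __name__ == "__main__":
    for name, brief, ospf in (("Router A", ROUTER_A_IF_BRIEF, ROUTER_A_OSPF),
                              ("Router B", ROUTER_B_IF_BRIEF, ROUTER_B_OSPF)):
        print(name, check_gre_tunnel(brief, ospf) or ["all GRE checks passed"])
```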

35-38 eBGP and iBGP Comparison

Network Structure Overview:
• The diagram represents two Autonomous Systems (AS): AS65001 and AS65002.
• Each AS consists of multiple routers.
• The ASs are connected to each other and the broader Internet via ISPs.
Internal BGP (iBGP) Connections (Green Arrows):
• AS65001 and AS65002 have internal connections using iBGP.
• iBGP ensures routing information is exchanged within an AS.
• These blue arrows represent communication between routers within the same AS.
External BGP (eBGP) Connections (Orange Arrows):
• AS65001 and AS65002 are connected to each other via eBGP.
• eBGP facilitates routing information exchange between different ASs.
• These orange arrows indicate communication between routers in different ASs.
Connections to ISPs and the Internet:
• Both AS65001 and AS65002 connect to an ISP (also represented by orange arrows).
• The ISP, in turn, connects to the broader Internet.
• eBGP is used for communication between the ASs and the ISP.

Key Takeaways:
1. AS65001 and AS65002 are separate networks (ASs) that communicate with each other and the
Internet.
2. iBGP handles internal routing within an AS, while eBGP manages communication between ASs.
3. ISPs play a crucial role in connecting ASs to the global Internet.
Overview
eBGP purpose: eBGP is used for communication between different Autonomous Systems (ASs). An AS
represents a collection of IP networks and routers under a single administrative domain.
iBGP purpose: iBGP handles routing information exchange within a single AS.
AS – Autonomous System

MULTIHOME STRUCTURED BREAKDOWN

BGP multihoming involves maintaining links to multiple Internet providers (usually 2 or 3).
Benefits of BGP Multihoming:
Redundancy: Ensures that even if one ISP fails, your network remains operational.
Optimized Routing: Allows you to choose the best path to resources based on ISP performance.
Peace of Mind: Customers can rely on a reliable network connection.

Explanation of the picture (Multihomed)

• AS 65001 (ISP-1): Represents an Internet Service Provider (ISP). It’s connected to other ASes via BGP
(Border Gateway Protocol).
• AS 65002: Another AS, also using BGP for interconnections. Within AS 65002, there’s an internal
protocol called OSPF (Open Shortest Path First).
• AS 65003 (ISP-3): This ISP uses both BGP and EIGRP (Enhanced Interior Gateway Routing Protocol)
internally.
• AS 65004 (ISP-2): Another ISP, connected via BGP.
• AS 65005: A standalone AS, connected to AS 65004.
• Content Provider AS 65006: This AS is connected to AS 65003 via OSPF.

Key Takeaways:
1. The diagram illustrates the complexity of internet connectivity between different network service
providers and content providers.
2. BGP plays a crucial role in inter-domain routing, allowing ASes to exchange routing information.
3. OSPF and EIGRP handle intra-domain routing within specific ASes.
4. Overall, this diagram showcases the intricate web of connections that make up the global internet.
39-41
DEFAULT ROUTE ONLY
Default Routes from ISPs:
The ISPs (Internet Service Providers) have configured default routes.
Company-A, however, doesn’t have its own default route—it relies on the ISPs’ defaults.
Suboptimal Routing Risk:
Since Company-A only receives default routes, it might choose the wrong ISP for certain destinations.
For instance, it could use ISP-1’s default route even when sending packets to networks in ISP-2’s A
DEFAULT ROUTE AND ISP ROUTES
Company-A and ISPs:
Company-A has multiple ISPs (Internet Service Providers).
Each ISP advertises specific networks.
Routing Decision:
For networks advertised by ISP-1, Company-A chooses ISP-1.
Otherwise, it uses one of the default routes.
But beware: suboptimal routing may happen for other Internet destinations.

In summary, it’s like picking the right road for specific destinations but taking a chance on the rest!
ALL INTERNET ROUTES
Scenario: Company-A receives all Internet routes from both ISPs (Internet Service Providers).
Benefit: Company-A can choose the best ISP for each network.
Challenge: Requires significant router resources to handle over 500,000 Internet networks.

BGP CONFIGURATION TOPOLOGY (PAGE 44-45)

The router bgp global configuration command enables BGP and identifies
the AS number for Company-A. A router can belong to only a single AS, so
only a single BGP process can run on a router.
The neighbor router configuration command identifies the BGP peer IP
address and AS number. Notice that the ISP AS number is different than the
Company-A AS number. This informs the BGP process that the neighbor is
in a different AS and is therefore an external BGP neighbor.
The network network-address [mask network-mask] router configuration
command enters the network-address into the local BGP table. The BGP
table contains all routes learned via BGP or advertised using BGP. eBGP will
then advertise the network-address to its eBGP neighbors.
The mask network-mask command parameter must be used when the
network advertised is different from its classful equivalent. In this example,
the 198.133.219.0/24 is equivalent to a class C network. Class C networks
have a /24 subnet mask, so in this case the mask option is not required. If
Company-A were advertising the 198.133.0.0/16 network, the mask option
would be required. Otherwise, BGP would advertise the network with a /24
classful mask.
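As an added example (not from the notes or from Cisco), the following script applies the three rules just described, one BGP process per router and AS, neighbor remote-as marking a peer as eBGP when the AS differs, and the mask keyword only when the prefix length is not the classful one, to render the Company-A and ISP-1 configuration from the page's addresses. The class boundaries and the network 0.0.0.0 shorthand for the default route follow IOS; the comment lines beginning with ! are added for the reader.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Neighbor:
    address: str
    remote_as: int


@dataclass
class BgpRouter:
    hostname: str
    local_as: int                          # one AS per router, so one BGP process
    neighbors: List[Neighbor] = field(default_factory=list)
    networks: List[str] = field(default_factory=list)   # prefixes in CIDR form


def classful_prefix_length(address: str) -> int:
    """Classful boundary implied by the first octet: class A /8, class B /16, class C /24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{address}: class D/E addresses cannot be advertised as networks")


def network_statement(prefix: str) -> str:
    """Emit 'network A.B.C.D [mask M]'. The mask keyword is only needed when the prefix length
    differs from the classful length; network 0.0.0.0 is the IOS form for the default route."""
    net = ipaddress.ip_network(prefix, strict=True)   # strict: host bits must be zero
    if net.prefixlen == 0:
        return "network 0.0.0.0"
    if net.prefixlen == classful_prefix_length(str(net.network_address)):
        return f"network {net.network_address}"
    return f"network {net.network_address} mask {net.netmask}"


def advertised_if_mask_omitted(network_address: str) -> str:
    """What BGP would actually put in its table if the mask keyword were left out."""
    return f"{network_address}/{classful_prefix_length(network_address)}"


def peer_type(router: BgpRouter, nbr: Neighbor) -> str:
    """Same AS number as the local process means iBGP, anything else is an external neighbor."""
    return "iBGP" if nbr.remote_as == router.local_as else "eBGP"


def render_bgp_config(router: BgpRouter) -> List[str]:
    lines = [f"router bgp {router.local_as}"]
    for nbr in router.neighbors:
        lines.append(f" ! {peer_type(router, nbr)} peer: remote AS {nbr.remote_as}")
        lines.append(f" neighbor {nbr.address} remote-as {nbr.remote_as}")
    for prefix in router.networks:
        lines.append(" " + network_statement(prefix))
    return lines


# Topology from the notes: Company-A (AS 65000) single-homed to ISP-1 (AS 65001).
COMPANY_A = BgpRouter("Company-A", 65000, [Neighbor("209.165.201.1", 65001)], ["198.133.219.0/24"])
ISP_1 = BgpRouter("ISP-1", 65001, [Neighbor("209.165.201.2", 65000)], ["0.0.0.0/0"])

if __name__ == "__main__":
    for router in (COMPANY_A, ISP_1):
        print("\n".join(render_bgp_config(router)), end="\n\n")
```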

POSSIBLE QUESTIONS:
What is OSPF neighbor adjacency?

OSPF Neighbors:
Neighbors are routers connected to the same subnet.
They share common configuration information:
• Same Area ID
• Same Area type
• Same subnet mask
• Same timers
• Same authentication
Neighbors exchange Hello packets but not routing information.
OSPF Adjacency:
Adjacency occurs after neighbors establish a basic connection.
Adjacent routers exchange full link-state databases.
They become fully adjacent and can exchange routing updates.

What is an autonomous system and how does it work? Give a brief example.

What is an Autonomous System (AS)?
An autonomous system is a large network or a group of interconnected networks with a unified routing
policy.
Think of it as a fundamental building block of the internet—a town’s post office responsible for
delivering mail within its boundaries.
Every computer or device connected to the internet is part of an AS.
How Does It Work?
ASes exchange routing information using the Border Gateway Protocol (BGP).
When data packets travel across the internet, they hop from AS to AS until they reach the one containing
their destination IP address.
Each AS controls a specific set of IP addresses (its “IP address space”).
Example:
Imagine Acme Co. operates an AS and controls IP address range 192.0.2.253.
If a computer sends a packet to 192.0.2.253, it eventually reaches Acme Co.'s AS.
ASes connect to each other, forming the intricate web of internet connectivity.
In summary, ASes ensure efficient data routing across interconnected networks!
What is Routing?
Routing is the process of finding a path between two or more network nodes. It’s how data gets from one
place to another across a network.
Types of Routing Protocols:
There are three main types:
Link-State: These protocols keep track of the network’s topology and use that information to make
routing decisions (e.g., OSPF).
Distance-Vector: These protocols decide based on the distance to the destination (e.g., RIP).
Hybrid: These combine elements of both link-state and distance-vector methods (e.g., EIGRP).
Why Use Multiple Routing Protocols in a Data Center?
Redundancy: Having multiple protocols ensures data flow even if one fails.
Differentiated Service: Different protocols can handle various types of traffic.
Common Problems with RIP and OSPF:
RIP:
Doesn’t scale well for large networks.
Doesn’t support variable-length subnet masks.
OSPF:
Slow convergence.
High resource consumption.
How Does BGP Work?
BGP (Border Gateway Protocol) exchanges routing and reachability info between autonomous systems
(AS) on the Internet.
It uses a path vector algorithm to determine the best route.
Distance-Vector Protocols (RIP, IGRP, EIGRP):
These protocols periodically send their entire routing tables to other routers.
All routers have the same network information for decision-making.

What is the difference between IGP and EGP?

IGP (Interior Gateway Protocol):
Used within an autonomous system (AS).
Examples: OSPF, EIGRP.
EGP (Exterior Gateway Protocol):
Used between different ASes.
Example: BGP.

eBGP Branch Configuration
Functionality:

• The image highlights the essential BGP setup needed for Company-A to communicate
externally through ISP-1. It shows the networking scheme and how private IP addresses
are handled and translated for Internet connectivity. This configuration ensures that
Company-A’s internal networks can securely and efficiently interact with external
networks via the ISP.

BGP CONFIGURATION COMMANDS

In summary:

• neighbor ... remote-as 65000 sets up the BGP connection between ISP-1 and Company-A.
• network 0.0.0.0 advertises a default route, allowing Company-A to reach the Internet via
ISP-1.

BGP Sample Configuration

While BGP is generally used in more complex, multi-homed environments for managing multiple paths,
this example simplifies things by using BGP in a single-homed context to show how Company-A can
advertise its network to ISP-1 and receive a default route for Internet access.
Since there’s only one connection to the Internet, Company-A doesn't need complex routing policies or
multiple paths. In such cases, a simple static route pointing to the ISP is usually enough for connectivity.
Key Components Explained:

1. Autonomous Systems (AS):
o AS 65000 (Company-A): Represents the network domain managed by Company-A,
which has its own distinct routing policies.
o AS 65001 (ISP-1): Represents the Internet Service Provider that facilitates
Company-A’s access to the Internet.
2. BGP (Border Gateway Protocol):
o eBGP (External BGP): Used for routing between different ASes. In this case, it's
used between Company-A and ISP-1.
3. IP Addresses:
o Company-A uses the subnet 198.133.219.0/24 for its internal network.
o ISP-1 uses the subnet 209.165.201.0/27 to connect to Company-A and the
broader Internet.
4. Routers:
o The routers in each AS have interfaces connected to each other (e.g., G0/1 on both
sides). These routers facilitate the communication between the ASes using BGP.
5. NAT (Network Address Translation):
o This is the process used by the Company-A router to map private IP addresses of
internal devices to a public IP address before sending the traffic to the ISP. This
allows multiple devices in Company-A to access the Internet using a single or
limited set of public IP addresses. The public IP is then advertised to the ISP
using BGP, making it routable on the Internet.

BGP (Border Gateway Protocol) is typically used in more complex setups, such as when a network is
multi-homed (connected to more than one ISP) to handle routing policies, path selection, and
redundancy.
ISP-1 (AS 65001) Configuration:

1. router bgp 65001:
o This command enables BGP on the ISP-1 router and assigns it to AS 65001.
2. neighbor 209.165.201.2 remote-as 65000:
o This command tells ISP-1's router to establish a BGP peering relationship with
the neighbor router at IP 209.165.201.2, which belongs to AS 65000 (the
Company-A router).
3. network 0.0.0.0:
o This command tells ISP-1’s router to advertise a default route (the network
0.0.0.0 represents the default route). This allows Company-A to send traffic to
any destination by forwarding it to ISP-1 for further routing.

Summary:

• Company-A's router (AS 65000) is peering with ISP-1's router (AS 65001) via eBGP.
• They establish communication using each other's IP addresses and specify their
respective AS numbers.
• Company-A advertises the network 198.133.219.0/24, while ISP-1 advertises a default
route (0.0.0.0), which is typical in setups where an ISP provides internet access to a
company.

1. Default Route (0.0.0.0):
• This line says: "If Company-A’s router doesn’t know where to send traffic, it should send it to
209.165.201.1," which is the ISP’s router.
• The "0 65001 i" means:
o 0: No special preference here.
o 65001: Traffic goes through ISP-1.
o i: The ISP learned this route internally.

Basically, if Company-A’s router doesn’t know where to send traffic (for example, if you’re
trying to access a website on the Internet), it sends everything to the ISP’s router.

2. 198.133.219.0/24 (Company-A’s internal network):
• This line says: "For anything within Company-A’s own network (198.133.219.0/24), keep it
inside. No need to go outside."
• The "32768" means this route has the highest preference, so it will always use this route for
local traffic.

In short:
• If traffic is for the Internet, it goes to the ISP.
• If traffic is for Company-A’s internal network, it stays within Company-A.
1. BGP Router ID and AS Number:
• 209.165.201.2 is Company-A’s router (like its name).
• 65000 is Company-A’s network number (like its group).
2. Neighbor:
• 209.165.201.1 is ISP-1’s router (the company that connects Company-A to the Internet).
• 65001 is ISP-1’s network number (its group).
3. Messages:
• 66 messages have been received from ISP-1.
• 66 messages have been sent to ISP-1.
• This just means Company-A and ISP-1 are talking to each other and are in sync.
4. Table Version 3:
• The BGP routing table has been updated 3 times since the connection started.
5. InQ / OutQ (Queues):
• Both InQ and OutQ are 0, meaning there are no messages waiting to be processed or sent.
Everything is working smoothly.
6. Up/Down:
• The connection between Company-A and ISP-1 has been up for 56 minutes.
7. State/PfxRcd:
• The connection is healthy, and Company-A has received 1 route from ISP-1 (likely the default
route to the Internet).

Summary:
• Company-A’s router and ISP-1’s router are talking to each other.
• They’ve been connected for almost an hour, exchanged 66 messages each, and everything is
working fine with no issues. Company-A learned 1 route from ISP-1, probably to get to the
Internet.
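The fields above can be checked automatically. This added example (not from the notes or from Cisco) parses a show ip bgp summary listing built from the values described here, plus a second, invented neighbor that never reached the Established state, and reports per-peer findings; the neighbor line layout follows IOS, where the State/PfxRcd column holds a prefix count only once the session is Established.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of 'show ip bgp summary' on Company-A, using the values the notes describe
# (router ID 209.165.201.2, AS 65000, 66/66 messages, table version 3, 1 prefix from ISP-1).
# The second neighbor is an invented peer added to show a session that never came up.
SAMPLE_SUMMARY = """\
BGP router identifier 209.165.201.2, local AS number 65000
BGP table version is 3, main routing table version 3

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.165.201.1   4        65001      66      66        3    0    0 00:56:12        1
209.165.201.9   4        65001       0       0        1    0    0 never    Active
"""

NEIGHBOR_LINE = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<version>\d)\s+(?P<remote_as>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>\S+)\s*$")


@dataclass
class Peer:
    neighbor: str
    remote_as: int
    msg_rcvd: int
    msg_sent: int
    tbl_ver: int
    in_q: int
    out_q: int
    up_down: str
    state: str                      # 'Established' when the last column is a number
    prefixes_received: Optional[int]


def parse_bgp_summary(text: str) -> Tuple[dict, List[Peer]]:
    """Pull the local router facts from the header lines and build one Peer per neighbor row."""
    info: dict = {}
    peers: List[Peer] = []
    for line in text.splitlines():
        m = re.match(r"BGP router identifier (\S+), local AS number (\d+)", line)
        if m:
            info["router_id"], info["local_as"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"BGP table version is (\d+)", line)
        if m:
            info["table_version"] = int(m.group(1))
            continue
        m = NEIGHBOR_LINE.match(line)
        if m:
            last = m.group("state")
            established = last.isdigit()   # IOS prints the prefix count only once Established
            peers.append(Peer(m.group("neighbor"), int(m.group("remote_as")), int(m.group("rcvd")),
                              int(m.group("sent")), int(m.group("tblver")), int(m.group("inq")),
                              int(m.group("outq")), m.group("updown"),
                              "Established" if established else last,
                              int(last) if established else None))
    return info, peers


def peer_findings(info: dict, peer: Peer) -> List[str]:
    """Apply the health checks from the notes to one neighbor row."""
    kind = "iBGP" if peer.remote_as == info["local_as"] else "eBGP"
    findings = [f"{kind} peer {peer.neighbor} (AS {peer.remote_as})"]
    if peer.state != "Established":
        findings.append(f"session not established: state {peer.state}, up/down {peer.up_down}")
        return findings
    if peer.in_q or peer.out_q:
        findings.append(f"messages queued (InQ {peer.in_q}, OutQ {peer.out_q}), router may be overloaded")
    if peer.tbl_ver != info["table_version"]:
        findings.append(f"TblVer {peer.tbl_ver} behind table version {info['table_version']}")
    if peer.prefixes_received == 0:
        findings.append("established but no prefixes received, check the neighbor's network statements")
    else:
        findings.append(f"healthy: {peer.prefixes_received} prefix(es) received, up {peer.up_down}")
    return findings


def summarize(text: str) -> dict:
    info, peers = parse_bgp_summary(text)
    return {p.neighbor: peer_findings(info, p) for p in peers}


if __name__ == "__main__":
    for neighbor, notes in summarize(SAMPLE_SUMMARY).items():
        print(neighbor, notes)
```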
