Wednesday, 14 November 2012

The /31 Subnet

/31 Subnet - http://www.ietf.org/rfc/rfc3021.txt

So I'm messing around with my router trying to perfect my BGP knowledge and decided to advertise 210.69.1.1/24, a network configured on my Loopback10 interface.

For filtering purposes I needed a longer prefix to appear in the BGP table, so I decided to change the mask to /30, but as I was typing the command:


ip address 210.69.1.1 255.255.255.252

I backtracked and thought... what about 255.255.255.254


I've never used this before, nor have I seen it in production, and technically it should work. After all... loopbacks work with a /32, right?


So let's go for it.


Whoa, look at that warning above, now it's getting interesting. Can't imagine anything going wrong, but....

After advertising this network into BGP using the network command, it showed up on the BGP peer as expected. All looks good so far.





Let's ping...




Ping works as expected.... so why the warning, and why haven't I seen this configured before? Clearly this uses less address space than a /30. After all, who needs a broadcast address on a point-to-point link anyway? Maybe it's required, I'll have to look into that...

Anyways, so.... what if I configure this on an Ethernet segment between two routers, on FastEthernet0/1, using 10.10.10.0 and 10.10.10.1? (weird & awesome)


R2 and R8 configured (I'm using a secondary address because I already have an IP on there and I'm too lazy to remove it)






And ping test???!!!

Beautiful. (Pinging a .0 address is always weird.)



Aight, let's try this on my ASA... and BAM! The ASA doesn't like /31. (I hate firewalls anyway.)






Conclusion

Based on a post I read earlier this seems plausible; I'll paste it here:


This probably never caught on with providers because there was no mechanism to roll it out without readdressing your existing customers' circuits. If you are using .0/20, then your usable hosts are .1 and .2, then .5 and .6 in the next block. /31 opens up .0/.1, .2/.3, .4/.5 ... If there was a way to keep your existing endpoint IPs and make available p-p circuits of .3/.4, so you could just change masks and then add circuits in the "dead space".


Think not only of all the customer reconfiguration, but of the route table overhauls.


It was a good idea in theory.


http://packetlife.net/blog/2008/jun/18/using-31-bit-subnets-on-point-point-links/
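As an added example (not from the post), here is a Python check of what RFC 3021 changes: on a /31 both addresses are hosts and there is no directed broadcast, which is why the .0 address pings, and why existing /30 endpoints like .1/.2 cannot simply have their mask shortened, as the quoted comment explains. It uses only the standard ipaddress module; the addresses are the ones used in the post.

```python
import ipaddress

def iface(ios_text: str) -> ipaddress.IPv4Interface:
    """Parse 'ip address A.B.C.D M.M.M.M' (IOS style) or 'A.B.C.D/len'."""
    parts = ios_text.lower().replace("ip address", "").split()
    return ipaddress.ip_interface("/".join(parts))

def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """RFC 3021: a /31 has no network or broadcast address, so both of its
    addresses are hosts; a /32 is a single host; anything shorter loses the
    first (network) and last (broadcast) address."""
    if net.prefixlen == 32:
        return [net.network_address]
    if net.prefixlen == 31:
        return [net.network_address, net.broadcast_address]
    return list(net.hosts())

def peer_of(ios_text: str) -> str:
    """The far end of a point-to-point link (/30 or /31) given our own address."""
    i = iface(ios_text)
    others = [h for h in usable_hosts(i.network) if h != i.ip]
    if len(others) != 1:
        raise ValueError("not a point-to-point mask")
    return str(others[0])

def ptp_pairs(block: str, plen: int) -> list:
    """Carve a block into /30 or /31 links and list each link's endpoint pair."""
    return [tuple(str(h) for h in usable_hosts(s))
            for s in ipaddress.ip_network(block).subnets(new_prefix=plen)]

def same_link(a: str, b: str, plen: int) -> bool:
    """Would two existing endpoints still share one subnet under a new mask?
    This is the readdressing problem from the quoted comment."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{plen}", strict=False)

if __name__ == "__main__":
    # Loopback10 from the post: the /31 partner of 210.69.1.1 is the .0 address
    print(peer_of("ip address 210.69.1.1 255.255.255.254"))   # 210.69.1.0
    # /30 vs /31 carving of the same /29: two links become four
    print(ptp_pairs("10.10.10.0/29", 30))
    print(ptp_pairs("10.10.10.0/29", 31))
    # .1/.2 is a valid /30 pair but straddles a /31 boundary (.0/.1 and .2/.3),
    # so a provider cannot just shorten the mask on existing circuits
    print(same_link("10.10.10.1", "10.10.10.2", 30), same_link("10.10.10.1", "10.10.10.2", 31))
```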





Thursday, 8 November 2012

CCIE - written

Written done! woop woop
One more step!

CoPP

CoPP - (Control Plane Policing)

I suffered two days trying to make this work but missed a fundamental step.

Telnet traffic passing through the control plane that is destined for another device needs the service-policy applied in the output direction.

A bit of theory on CoPP
(Taken from - https://sites.google.com/site/amitsciscozone/home/qos/copp---control-plane-policing)

Definitions:

  • Control Plane (CP): A collection of processes that run at the process level on the route processor (RP). These processes collectively provide high-level controls for most IOS functions.
  • Central Switch Engine: A device that is responsible for high-speed routing of IP packets. It also performs high-speed input and output services for non-distributed line cards.
  • Distributed Switch Engine: A device that is responsible for high-speed routing of IP packets on distributed line cards without using resources from the Central Switch Engine.

All packets that are destined for the CP must pass through the Central Switch Engine before they are forwarded to the process level. The CP and Central Switch Engine are part of the Route Processor (RP).


Overview:

The Control Plane Policing feature allows users to configure a QoS filter that manages the flow of control-plane packets, protecting the CP of Cisco IOS routers and switches against attacks such as Denial-of-Service (DoS).

The CoPP feature treats the CP as a separate entity with its own input and output ports. Hence a set of rules can be established and associated to the input and output ports of the CP. These rules are only applied if the packets are destined for the CP or they exit from the CP.

Input CP services are executed after input port services and a routing decision on the input path have been made. CP security and packet QoS are applied at two levels:

  1. Aggregate CP Services: the aggregate level, enforced by the Central Switch Engine and applied to all CP packets received from all line cards on the router.
  2. Distributed CP Services: the distributed level, enforced by the Distributed Switch Engine of a line card and applied to the CP packets received on that line card.

Types of packets forwarded to CP:

The following L3 packets are forwarded to the CP and processed by aggregate and distributed control plane policing:

  1. Routing protocol control packets
  2. Packets destined for the local IP address of the router
  3. Packets from management protocols like SNMP, Telnet & SSH.


Topology (diagram not reproduced; as per the configs below): R4 Fa0/0 (10.20.0.1) -- 10.20.0.0/24 -- Fa0/0 (10.20.0.2) R5 Fa0/1 (10.10.0.2) -- 10.10.0.0/24 -- Fa0/1 (10.10.0.1) R6

R4

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 40.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.20.0.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets
 network 10.20.0.0 0.0.0.255 area 0
 default-information originate

R5

class-map match-any TELNET
 match access-group name TELNET
class-map match-any RATE.LIMIT
 match access-group name RATE.LIMIT
!
policy-map CoPP
 class TELNET
  drop
 class RATE.LIMIT
  police 8000 conform-action transmit exceed-action drop violate-action drop
!
interface FastEthernet0/0
 ip address 10.20.0.2 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.0.0 0.0.0.255 area 0
 network 10.20.0.0 0.0.0.255 area 0
!
ip access-list extended RATE.LIMIT
 permit icmp host 4.4.4.4 host 6.6.6.6
ip access-list extended TELNET
 permit tcp host 4.4.4.4 host 6.6.6.6 eq telnet

R6

interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/1
 ip address 10.10.0.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets
 network 10.10.0.0 0.0.0.255 area 0
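To see which of R5's classes a given packet lands in, here is an added Python model of the ACL, class-map and policy-map evaluation configured above (example code, not IOS or the post's own). It models only classification order, ACL syntax as used on this page (host/any and an optional eq port) and the implicit deny, not the policer's token bucket or the input/output direction the post is about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0      # 0 when the protocol has no port (icmp)

PORTS = {"telnet": 23, "ssh": 22}   # IOS port keywords used in ACLs

def parse_ace(line: str):
    """'permit tcp host 4.4.4.4 host 6.6.6.6 eq telnet' -> (action, matcher).
    Only the 'host X' / 'any' address forms and an optional 'eq' port are handled."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    def addr():                       # consume 'host X' -> X, or 'any' -> None
        nonlocal i
        val = tok[i + 1] if tok[i] == "host" else None
        i += 2 if tok[i] == "host" else 1
        return val
    src, dst = addr(), addr()
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    def match(p: Packet) -> bool:
        return (proto in ("ip", p.proto) and src in (None, p.src)
                and dst in (None, p.dst) and port in (None, p.dport))
    return action, match

# R5's named ACLs and policy-map CoPP, with the classes in configured order
ACLS = {"RATE.LIMIT": ["permit icmp host 4.4.4.4 host 6.6.6.6"],
        "TELNET": ["permit tcp host 4.4.4.4 host 6.6.6.6 eq telnet"]}
POLICY = [("TELNET", "drop"), ("RATE.LIMIT", "police 8000")]

def in_class(acl_name: str, p: Packet) -> bool:
    """match access-group: a permit hit puts the packet in the class; a deny
    hit, or the implicit deny at the end of the ACL, leaves it out."""
    for action, match in map(parse_ace, ACLS[acl_name]):
        if match(p):
            return action == "permit"
    return False

def copp_action(p: Packet) -> str:
    """Classes are evaluated top-down, first match wins; everything else
    falls into class-default, which here is left untouched."""
    for cls, action in POLICY:
        if in_class(cls, p):
            return action
    return "class-default: transmit"
```

Note that the ACLs are one-directional: a telnet session from 6.6.6.6 back to 4.4.4.4 matches neither class.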