Here is why we need to use Az Module for all Azure PowerShell Scripting needs

In the past, the AzureRM module was installed into PowerShell to work with Azure. At the same time, the Azure portal offered something called Cloud Shell, and the commands differed between the AzureRM module and Azure Cloud Shell.

Microsoft realized it needed a new module to remove this discrepancy. This is why the Az module was released for general availability in December 2018.

The Az module is cross-platform: it now works on macOS and Linux variants as well.

To install the Az module in the global scope, open an elevated PowerShell session and run the following command:

Install-Module -Name Az -AllowClobber

OSPF Network Types

Stub network – A stub network has only one default path to non-local hosts and no outside network knowledge. Stub networks are essentially local area networks (LAN) that either do not connect to the outside and relay data packets internally or are dead-end LANs that know of only one network exit.

Cisco ASA Transparent Firewall

Most ASAs run as routed firewalls. Their interfaces act as a layer 3 hop: each has an IP address configured and serves as the default gateway for the inside and outside networks, so inside and outside are different subnets.

The reason to have a transparent firewall is to drop it into an existing network as an L2 device. It still performs traffic filtering and inspection. The same IP subnet is used inside and outside, and the IP address on the firewall is configured for management only. In a transparent firewall, there is no layer 3 hop between the protected and unprotected segments.

The management 0/0 interface is a Fast Ethernet interface designed for management traffic only.

To see which mode the firewall is in now: #sh firewall

If it is in routed mode, switch it to transparent: (config)#firewall transparent

Typically, you use e0/0 as the outside interface and e1/0 as the inside interface. You can have multiple subinterfaces if you plan to host multiple contexts under one interface; each subinterface can then be assigned to a different context.

How to create subinterfaces:

(Conf)#int gigabitethernet 0/0.100

(Conf-subif)#vlan 100

Use your VLAN number for the subinterface.


HSRP, VRRP and GLBP Redundancy Protocols

A default gateway is what a host uses to get out of its local subnet. Cisco provides HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol) and GLBP (Gateway Load Balancing Protocol) for first-hop redundancy. In HSRP and VRRP only one router serves as the active virtual gateway router, but GLBP can load balance traffic across a group of routers, all of which act as active forwarders. When a client sends an Address Resolution Protocol (ARP) request, one member router of the GLBP group answers with its MAC address; the next such request receives the MAC address of a different GLBP member router.

How to configure HSRP:

Say you have two switches, SW1 and SW2, acting as HSRP peers, with an SVI (Switched Virtual Interface) for VLAN 400.

Go to the VLAN 400 interface on both switches and enable HSRP:

(config)#interface Vlan 400
(config-if)#standby 1 ip 10.10.1.254

At the same time, SW1 and SW2 each have their own IP address too:

SW1(conf)#int vlan 400

SW1(conf-if)#ip address 10.10.1.1 255.255.255.0

SW2(conf)#int vlan 400

SW2(conf-if)#ip address 10.10.1.2 255.255.255.0

10.10.1.254 will be the virtual gateway IP address and 1 will be the HSRP group number.

How HSRP gets its MAC address

HSRP uses a predefined MAC address 0000.0c07.acXX, where XX is the group number in hex. Therefore the MAC address of the virtual gateway for group 1 will be 0000.0c07.ac01.

HSRP Authentication

HSRP also supports authentication; you can choose between plaintext and MD5. Here’s how to configure MD5:

(config)#interface Vlan 400
(config-if)#standby 1 authentication md5 key-string MyHSRPSecurityKey

HSRP Related Commands:

#sh standby – use this command to verify your HSRP configuration

#debug standby event – In case you want to debug HSRP issues

#sh standby brief – shows most of the standby-related details, including which router is active and which is standby

How Active and Standby Election Happens

By default the highest priority wins and becomes the active HSRP device. If the priorities are the same, the highest IP address is the tie-breaker.

How to set priority

SW1(config)#interface Vlan 400
SW1(config-if)#standby 1 priority 120

How Preemption works in HSRP

When you enable preempt, the switch with the highest priority (or IP address) always becomes the new active device if it is not already. Preempt takes effect immediately, so it might be a good idea to use a delay.

SW1(config)#interface Vlan 400
SW1(config-if)#standby 1 preempt

HSRP Timers

By default HSRP takes 10 seconds (the hold time) to fail over if the active HSRP switch goes down.

SW1(config-if)#standby 1 timers ?
<1-254>  Hello interval in seconds
msec     Specify hello interval in milliseconds

SW1(config-if)#standby 1 timers 1 3

Here the hello timer is 1 second and the hold timer is 3 seconds (the hold timer needs to be 3 times the hello timer).

HSRP Versions

There are two versions of HSRP, v1 and v2:

                      HSRPv1                           HSRPv2
Group numbers         0 – 255                          0 – 4095
Virtual MAC address   0000.0c07.acXX (XX = group)      0000.0c9f.fXXX (XXX = group)
Multicast address     224.0.0.2                        224.0.0.102

If you want to configure v2:

(config)#interface Vlan 400
(config-if)#standby version 2

HSRP interface tracking

This makes sure the active router does not have a failed interface that is critical for forwarding the traffic it receives. If an important interface fails, the other router/switch needs to become active.

First track an interface with a number:

SW1(config)#track 1 interface GigabitEthernet 0/3 line-protocol

Now reduce the priority if that interface fails:

SW1(config-if)#standby 1 track 1 decrement 55

To test this, shut down that interface and watch the other router/switch become the active HSRP device.

Sometimes the interface stays up but you cannot reach the upstream router. In this case, it might be a good idea to use IP SLA instead of interface tracking, since IP SLA checks end-to-end connectivity.
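The virtual MAC derivation, the active/standby election and the tracking decrement described in the HSRP notes above, worked through in Python as an added example (this is not Cisco code and not part of the original notes; the router objects, the tuple layout for tracked objects and the default priority of 100 are assumptions of the example):

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Virtual MAC for an HSRP group: v1 0000.0c07.acXX, v2 0000.0c9f.fXXX."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def timers_ok(hello: float, hold: float) -> bool:
    """Check the notes' rule of thumb: hold timer at least 3 times the hello timer."""
    return hello > 0 and hold >= 3 * hello


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100  # IOS default HSRP priority (assumed default for this example)
    # tracked objects as (track_id, decrement, is_up); constructed sample data
    tracks: list = field(default_factory=list)

    def effective_priority(self) -> int:
        """Priority minus the decrement of every tracked object that is down."""
        return self.priority - sum(dec for _, dec, up in self.tracks if not up)


def elect_active(routers: list) -> HsrpRouter:
    """Highest effective priority wins; the highest interface IP breaks ties."""
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


if __name__ == "__main__":
    # Constructed sample mirroring the notes: SW1 priority 120, tracking Gi0/3 with decrement 55
    sw1 = HsrpRouter("SW1", "10.10.1.1", 120, [(1, 55, True)])
    sw2 = HsrpRouter("SW2", "10.10.1.2")
    print("active:", elect_active([sw1, sw2]).name)   # SW1
    sw1.tracks[0] = (1, 55, False)                     # Gi0/3 line-protocol goes down
    print("active:", elect_active([sw1, sw2]).name)   # SW2, since 120 - 55 < 100
    print(hsrp_virtual_mac(1), hsrp_virtual_mac(1, version=2))
```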

Gateway of last resort/default routing

A gateway of last resort (default route) is the route a router uses when no other known route in its routing table matches.

Router (config)# ip route 0.0.0.0 0.0.0.0 199.207.20.2

In this case the router with IP 199.207.20.2 knows more routes than any of your routers.

Router (config)# ip classless

Note: with ip classless, the router does not drop packets destined for a subnet it does not know; it forwards them using the default route.

However, the above two commands can be combined into one:

Router (config)# ip default-network 199.207.20.2

Routers normally function as default gateway for their clients.

Layer 2 Switch (Access Switch) Default Gateway configuration:

The switch should be configured with a default gateway if the switch will be managed remotely from networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on the same management VLAN network to which the switch connects. The switch will forward IP packets with destination IP addresses outside the local network to the default gateway.

Enter global configuration mode:
Access1# configure terminal

Configure the switch default gateway:
Access1(config)# ip default-gateway 10.150.1.100

VRF static and dynamic routing

Static Routing under VRF:

Say your VRF name is “Marketing”. Your static route configuration will look like this:

Cisco(config)#ip route vrf Marketing 151.52.10.0 255.255.255.0 146.150.2.1

You can view this route using:

Cisco#sh ip route vrf Marketing

Dynamic Routing under VRF:

Unlike static routes, dynamic routing protocols (OSPF, RIP, etc.) automatically exchange and distribute routing information with neighboring routers.

The first step is to enable OSPF with a process ID as follows, then advertise the network under that process ID.

CiscoR1(config)#router ospf 1

CiscoR1(config-router)# network 146.111.20.0 0.0.0.255 area 0

The first command starts routing instance 1 and the second places the interface configured for network 146.111.20.0/24 in area 0.

The above commands enable OSPF routing in the global routing table.

If you have VRFs, these routing commands need to go under the VRF configuration.

Say you need two VRF instances, one for marketing and one for finance. Here is how to advertise the route under the Marketing VRF:

CiscoR1(config)#router ospf 1 vrf Marketing

CiscoR1(config-router)#network 146.111.20.0 0.0.0.255 area 0

CiscoR1(config-router)#capability vrf-lite

How to add a static route

A static route lets you manually specify the next hop used to reach a different subnet prefix. For example, to reach subnet 151.52.10.0/24 via next hop 146.150.2.1, configure the router as follows:

Cisco (config)#ip route 151.52.10.0 255.255.255.0 146.150.2.1

Static routes are mostly used on small networks and do not consume as much processing power as dynamic routing. The above command puts this static route into the global routing table. If you have multiple VRFs, you need to configure it under your VRF.

Say your VRF name is “Marketing”:

Cisco(config)#ip route vrf Marketing 151.52.10.0 255.255.255.0 146.150.2.1

You can view this route using:

Cisco#sh ip route vrf Marketing
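To show how the static routes, the per-VRF tables and the gateway of last resort from the sections above fit together, here is an added Python model of a routing table (example code written for these notes, not Cisco's implementation; the class and method names are assumptions) that does longest-prefix matching per VRF and only falls back to 0.0.0.0/0 when nothing more specific matches:

```python
from ipaddress import IPv4Address, ip_network


class RoutingTable:
    """Per-VRF routing tables; 'global' is the default table."""

    def __init__(self):
        self.tables = {"global": []}   # vrf name -> list of (network, next_hop)

    def add_static(self, prefix, mask, next_hop, vrf="global"):
        """Equivalent of 'ip route [vrf NAME] PREFIX MASK NEXT-HOP'."""
        net = ip_network(f"{prefix}/{mask}", strict=False)
        self.tables.setdefault(vrf, []).append((net, IPv4Address(next_hop)))

    def gateway_of_last_resort(self, vrf="global"):
        """Next hop of the 0.0.0.0/0 route in this VRF, or None if not set."""
        for net, nh in self.tables.get(vrf, []):
            if net.prefixlen == 0:
                return str(nh)
        return None

    def lookup(self, dest, vrf="global"):
        """Longest-prefix match; the default route only wins when nothing else matches."""
        addr = IPv4Address(dest)
        matches = [(n, nh) for n, nh in self.tables.get(vrf, []) if addr in n]
        if not matches:
            return None   # no route and no gateway of last resort: packet is dropped
        net, nh = max(matches, key=lambda r: r[0].prefixlen)
        return str(nh)


if __name__ == "__main__":
    # Constructed sample using the addresses from the notes above
    rt = RoutingTable()
    rt.add_static("0.0.0.0", "0.0.0.0", "199.207.20.2")            # ip route 0.0.0.0 0.0.0.0 199.207.20.2
    rt.add_static("151.52.10.0", "255.255.255.0", "146.150.2.1")   # global static route
    rt.add_static("151.52.10.0", "255.255.255.0", "146.150.2.1", vrf="Marketing")
    print(rt.lookup("151.52.10.7"))               # 146.150.2.1 (more specific than the default)
    print(rt.lookup("8.8.8.8"))                   # 199.207.20.2 (gateway of last resort)
    print(rt.lookup("8.8.8.8", vrf="Marketing"))  # None: the Marketing VRF has no default route
```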