Dynamic routing terminology
Dynamic routing is a complex subject. There are many routers on different networks, and all of them can be configured differently. It becomes even more complicated when each routing protocol has slightly different names for similar features, and many configurable features of its own.
To better understand dynamic routing, here are some explanations of common dynamic routing terms.
- Aggregated routes and addresses
- Autonomous system (AS)
- Area border router (ABR)
- Neighbor routers
- Route maps
- Access lists
- Bi-directional forwarding detection (BFD)
For more details on a term as it applies to a dynamic routing protocol, see one of Border Gateway Protocol (BGP) on page 338, Routing Information Protocol (RIP) on page 300, or Open Shortest Path First (OSPF) on page 377.
Aggregated routes and addresses
Just as an aggregate interface combines multiple interfaces into one virtual interface, an aggregate route combines multiple routes into one. This reduces the amount of space those routes require in the routing tables of the routers along that route. The trade-off is a small amount of processing to aggregate and de-aggregate the routes at either end.
The benefit of this method is that you can combine many addresses into one, potentially reducing the routing table size immensely. The weakness of this method is that if there are holes in the address range you are aggregating, you need to decide whether it is better to break it into multiple ranges, or accept the possibility of failed routes to the missing addresses.
For information on aggregated routes in BGP, see Border Gateway Protocol (BGP) on page 338.
To manually aggregate the range of IP addresses from 192.168.1.100 to 192.168.1.103:
1. Convert the addresses to binary.
2. Determine the maximum number of matching bits common to the addresses.
There are 30 bits in common, with only the last 2 bits being different.
3. Record the common part of the address.
11000000 10101000 00000001 0110010X = 192.168.1.100
4. For the netmask, set every bit that is common to the addresses to 1 and every bit that differs to 0.
11111111 11111111 11111111 11111100 = 255.255.255.252
5. Combine the common address bits and the netmask.
Alternately the IP mask may be written as a single number:
6. As required, set variables and attributes to declare that the routes have been aggregated, and which router did the aggregating.
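The following Python script is an added example, not part of the handbook, that carries out steps 1 to 5 above for any list of IPv4 addresses: it converts each address to its 32-bit form, counts the leading bits all addresses share, derives the network address and netmask from that count, and then reports any "holes", addresses covered by the aggregate that were not in the original range. The function and variable names are the example's own; the only library used is the standard `ipaddress` module.

```python
import ipaddress


def to_bits(addr: str) -> str:
    """Step 1: the 32-bit binary form of an IPv4 address, e.g. 192.168.1.100 -> 11000000101010000000000101100100."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")


def common_prefix_length(addrs) -> int:
    """Step 2: number of leading bits shared by every address (30 for 192.168.1.100-103)."""
    bits = [to_bits(a) for a in addrs]
    for i in range(32):
        if any(b[i] != bits[0][i] for b in bits):
            return i
    return 32


def aggregate(addrs) -> ipaddress.IPv4Network:
    """Steps 3-5: keep the common bits, zero the rest, and attach the prefix length."""
    n = common_prefix_length(addrs)
    network_int = int(to_bits(addrs[0])[:n].ljust(32, "0"), 2)
    return ipaddress.IPv4Network((network_int, n))


def netmask_bits(network: ipaddress.IPv4Network) -> str:
    """Step 4 as the handbook shows it: the netmask written out in binary."""
    return format(int(network.netmask), "032b")


def holes(addrs, network: ipaddress.IPv4Network):
    """Addresses inside the aggregate that were NOT in the original list.

    A non-empty result is the case the text warns about: traffic to those
    addresses will be attracted by the aggregate route even though no more
    specific route exists for them.
    """
    wanted = {ipaddress.IPv4Address(a) for a in addrs}
    return sorted(set(network) - wanted)


def address_range(first: str, last: str):
    """Expand an inclusive range such as 192.168.1.100-192.168.1.103 into a list."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


if __name__ == "__main__":
    # Constructed input: the handbook's own range, plus a range that does not
    # fit a single prefix cleanly.
    for first, last in (("192.168.1.100", "192.168.1.103"),
                        ("192.168.1.100", "192.168.1.105")):
        addrs = address_range(first, last)
        net = aggregate(addrs)
        print(f"{first}-{last}: common bits={common_prefix_length(addrs)}")
        print(f"  aggregate {net}  netmask {net.netmask} ({netmask_bits(net)})")
        print(f"  holes: {[str(h) for h in holes(addrs, net)] or 'none'}")
```

For the handbook's range the script returns 192.168.1.100/30 with netmask 255.255.255.252 and no holes. Extending the range by two addresses to 192.168.1.105 forces the common prefix down to 28 bits, so the aggregate becomes 192.168.1.96/28 and ten addresses (192.168.1.96 to .99 and .106 to .111) are covered without being part of the range; that is the point at which the text says you must choose between splitting into several ranges or accepting failed routes to the extra addresses.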
Autonomous system (AS)
An Autonomous System (AS) is one or more connected networks that use the same routing protocol and appear to be a single unit to any externally connected networks. For example, an ISP may have a number of customer networks connected to it, but to any networks connected externally to the ISP, it appears as one system, or AS. An AS may also be referred to as a routing domain.
It should be noted that while OSPF routing takes place within one AS, the only part of OSPF that deals with the AS is the AS border router (ASBR).
There are multiple types of AS defined by how they are connected to other ASes. A multihomed AS is connected to at least two other ASes and has the benefit of redundancy — if one of those ASes goes down, your AS can still reach the Internet through its other connection. A stub AS only has one connection, and can be useful in specific configurations where limited access is desirable.
Each AS has a number assigned to it, known as an ASN. In an internal network, you can assign any ASN you like (a private AS number), but for networks connected to the Internet (public AS) you need to have an officially registered ASN from Internet Assigned Numbers Authority (IANA). ASNs from 1 to 64,511 are designated for public use.
As of January 2010, AS numbers are 4 bytes long instead of the former 2 bytes.
RFC 4893 introduced 32-bit ASNs, which FortiGate units support for BGP and OSPF.
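As an added example (not handbook or FortiOS code), the following Python helpers show how a 4-byte ASN relates to the older 2-byte form and how an ASN taken from a configuration or a peer advertisement can be checked before use. The public range 1 to 64,511 is the one the text gives; the private ranges 64,512 to 65,534 and 4,200,000,000 to 4,294,967,294, the reserved values 0, 65,535 and 4,294,967,295, and the AS_TRANS value 23,456 are taken from RFC 6996, RFC 7300, RFC 7607 and RFC 6793 and are not stated on this page. The "asdot" notation (high 16 bits, a dot, low 16 bits) is the standard way of writing 4-byte ASNs; the function names are the example's own.

```python
RESERVED_ASNS = {0, 23456, 65535, 4294967295}       # RFC 7607, RFC 6793 (AS_TRANS), RFC 7300
PRIVATE_2BYTE = range(64512, 65535)                  # 64512-65534, RFC 6996
PRIVATE_4BYTE = range(4200000000, 4294967295)        # 4200000000-4294967294, RFC 6996


def parse_asn(text: str) -> int:
    """Parse an ASN written as asplain ('65536') or asdot ('1.0') into an integer."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"invalid asdot ASN: {text!r}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {text!r}")
    return asn


def format_asdot(asn: int) -> str:
    """Write a 4-byte ASN as high.low; 2-byte ASNs are unchanged."""
    if asn > 0xFFFF:
        return f"{asn >> 16}.{asn & 0xFFFF}"
    return str(asn)


def asn_size(asn: int) -> int:
    """2 if the ASN fits the original 16-bit field, otherwise 4."""
    return 2 if asn <= 0xFFFF else 4


def classify_asn(asn: int) -> str:
    """'reserved', 'private' or 'public' according to the ranges above."""
    if asn in RESERVED_ASNS:
        return "reserved"
    if asn in PRIVATE_2BYTE or asn in PRIVATE_4BYTE:
        return "private"
    return "public"


def check_peer_asn(text: str) -> dict:
    """Summarise an ASN string as it might appear in a BGP neighbour statement.

    A 'private' or 'reserved' result for a peer that is supposed to be on the
    public Internet is worth flagging: private ASNs must not leak into public
    AS paths, and a reserved value is never a legitimate peer.
    """
    asn = parse_asn(text)
    return {
        "asn": asn,
        "asdot": format_asdot(asn),
        "bytes": asn_size(asn),
        "kind": classify_asn(asn),
    }


if __name__ == "__main__":
    # Constructed sample values, one of each kind.
    for sample in ("100", "65001", "1.0", "64086.59904", "65535"):
        print(sample, "->", check_peer_asn(sample))
```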
Do you need your own AS?
The main factors in deciding if you need your own AS or if you should be part of someone else’s are:
- exchanging external routing information
- many prefixes should exist in one AS as long as they use the same routing policy
- when you use a different routing protocol than your border gateway peers (for example your ISP uses BGP, and you use OSPF)
- connected to multiple other ASes (multi-homed)
You should not create an AS for each prefix on your network. Neither should you be forced into an AS just so someone else can make AS-based policy decisions on your traffic.
There can be only one AS for any prefix on the Internet. This is to prevent routing issues.